Loading changes/bug20472 0 → 100644 +4 −0 Original line number Diff line number Diff line o Minor bugfixes (circuits): - Remove a BUG warning in circuit_pick_extend_handshake. Instead, assume all nodes support EXTEND2. Use ntor whenever a key is available. Bugfix on commit 10aa913 from 19163 in 0.2.9.3-alpha. Fixes bug 20472. src/or/circuitbuild.c +23 −42 Original line number Diff line number Diff line Loading @@ -814,7 +814,8 @@ circuit_timeout_want_to_count_circ(origin_circuit_t *circ) /** Decide whether to use a TAP or ntor handshake for connecting to <b>ei</b> * directly, and set *<b>cell_type_out</b> and *<b>handshake_type_out</b> * accordingly. * Note that TAP handshakes are only used for direct connections: * Note that TAP handshakes in CREATE cells are only used for direct * connections: * - from Tor2web to intro points not in the client's consensus, and * - from Single Onions to rend points not in the service's consensus. * This is checked in onion_populate_cpath. */ Loading 
@@ -823,58 +824,43 @@ circuit_pick_create_handshake(uint8_t *cell_type_out, uint16_t *handshake_type_out, const extend_info_t *ei) { /* XXXX030 Remove support for deciding to use TAP. */ /* torspec says: In general, clients SHOULD use CREATE whenever they are * using the TAP handshake, and CREATE2 otherwise. */ if (extend_info_supports_ntor(ei)) { *cell_type_out = CELL_CREATE2; *handshake_type_out = ONION_HANDSHAKE_TYPE_NTOR; return; } } else { /* XXXX030 Remove support for deciding to use TAP and EXTEND. */ *cell_type_out = CELL_CREATE; *handshake_type_out = ONION_HANDSHAKE_TYPE_TAP; } } /** Decide whether to use a TAP or ntor handshake for connecting to <b>ei</b> * directly, and set *<b>handshake_type_out</b> accordingly. Decide whether, * in extending through <b>node</b> to do so, we should use an EXTEND2 or an * EXTEND cell to do so, and set *<b>cell_type_out</b> and * *<b>create_cell_type_out</b> accordingly. * Note that TAP handshakes are only used for extend handshakes: /** Decide whether to use a TAP or ntor handshake for extending to <b>ei</b> * and set *<b>handshake_type_out</b> accordingly. Decide whether we should * use an EXTEND2 or an EXTEND cell to do so, and set *<b>cell_type_out</b> * and *<b>create_cell_type_out</b> accordingly. * Note that TAP handshakes in EXTEND cells are only used: * - from clients to intro points, and * - from hidden services to rend points. * This is checked in onion_populate_cpath. */ * This is checked in onion_populate_cpath. */ static void circuit_pick_extend_handshake(uint8_t *cell_type_out, uint8_t *create_cell_type_out, uint16_t *handshake_type_out, const node_t *node_prev, const extend_info_t *ei) { uint8_t t; circuit_pick_create_handshake(&t, handshake_type_out, ei); /* XXXX030 Remove support for deciding to use TAP. */ /* It is an error to extend if there is no previous node. 
*/ if (BUG(node_prev == NULL)) { *cell_type_out = RELAY_COMMAND_EXTEND; *create_cell_type_out = CELL_CREATE; return; } /* It is an error for a node with a known version to be so old it does not * support ntor. */ tor_assert_nonfatal(routerstatus_version_supports_ntor(node_prev->rs, 1)); /* Assume relays without tor versions or routerstatuses support ntor. * The authorities enforce ntor support, and assuming and failing is better * than allowing a malicious node to perform a protocol downgrade to TAP. */ if (*handshake_type_out != ONION_HANDSHAKE_TYPE_TAP && (node_has_curve25519_onion_key(node_prev) || (routerstatus_version_supports_ntor(node_prev->rs, 1)))) { /* torspec says: Clients SHOULD use the EXTEND format whenever sending a TAP * handshake... In other cases, clients SHOULD use EXTEND2. */ if (*handshake_type_out != ONION_HANDSHAKE_TYPE_TAP) { *cell_type_out = RELAY_COMMAND_EXTEND2; *create_cell_type_out = CELL_CREATE2; } else { /* XXXX030 Remove support for deciding to use TAP and EXTEND. */ *cell_type_out = RELAY_COMMAND_EXTEND; *create_cell_type_out = CELL_CREATE; } Loading Loading @@ -1030,15 +1016,10 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) return - END_CIRC_REASON_INTERNAL; } { const node_t *prev_node; prev_node = node_get_by_id(hop->prev->extend_info->identity_digest); circuit_pick_extend_handshake(&ec.cell_type, &ec.create_cell.cell_type, &ec.create_cell.handshake_type, prev_node, hop->extend_info); } tor_addr_copy(&ec.orport_ipv4.addr, &hop->extend_info->addr); ec.orport_ipv4.port = hop->extend_info->port; Loading src/or/networkstatus.c +3 −3 Original line number Diff line number Diff line Loading 
@@ -2360,10 +2360,10 @@ client_would_use_router(const routerstatus_t *rs, time_t now, /* We'd drop it immediately for being too old. */ return 0; } if (!routerstatus_version_supports_ntor(rs, 1)) { /* We'd ignore it because it doesn't support ntor. if (!routerstatus_version_supports_extend2_cells(rs, 1)) { /* We'd ignore it because it doesn't support EXTEND2 cells. * If we don't know the version, download the descriptor so we can * check if it supports ntor. */ * check if it supports EXTEND2 cells and ntor. */ return 0; } return 1; Loading src/or/routerlist.c +8 −6 Original line number Diff line number Diff line Loading @@ -2344,9 +2344,10 @@ router_add_running_nodes_to_smartlist(smartlist_t *sl, int allow_invalid, continue; if (node_is_unreliable(node, need_uptime, need_capacity, need_guard)) continue; /* Don't choose nodes if we are certain they can't do ntor */ if (node->rs && !routerstatus_version_supports_ntor(node->rs, 1)) /* Don't choose nodes if we are certain they can't do EXTEND2 cells */ if (node->rs && !routerstatus_version_supports_extend2_cells(node->rs, 1)) continue; /* Don't choose nodes if we are certain they can't do ntor. */ if ((node->ri || node->md) && !node_has_curve25519_onion_key(node)) continue; /* Choose a node with an OR address that matches the firewall rules */ Loading Loading 
@@ -5609,12 +5610,13 @@ routerinfo_has_curve25519_onion_key(const routerinfo_t *ri) return 1; } /* Is rs running a tor version known to support ntor? /* Is rs running a tor version known to support EXTEND2 cells? * If allow_unknown_versions is true, return true if we can't tell * (from a versions line or a protocols line) whether it supports ntor. * (from a versions line or a protocols line) whether it supports extend2 * cells. * Otherwise, return false if the version is unknown. */ int routerstatus_version_supports_ntor(const routerstatus_t *rs, routerstatus_version_supports_extend2_cells(const routerstatus_t *rs, int allow_unknown_versions) { if (!rs) { Loading src/or/routerlist.h +2 −2 Original line number Diff line number Diff line Loading @@ -207,7 +207,7 @@ int routerinfo_incompatible_with_extrainfo(const crypto_pk_t *ri, signed_descriptor_t *sd, const char **msg); int routerinfo_has_curve25519_onion_key(const routerinfo_t *ri); int routerstatus_version_supports_ntor(const routerstatus_t *rs, int routerstatus_version_supports_extend2_cells(const routerstatus_t *rs, int allow_unknown_versions); void routerlist_assert_ok(const routerlist_t *rl); Loading Loading
changes/bug20472 0 → 100644 +4 −0 Original line number Diff line number Diff line o Minor bugfixes (circuits): - Remove a BUG warning in circuit_pick_extend_handshake. Instead, assume all nodes support EXTEND2. Use ntor whenever a key is available. Bugfix on commit 10aa913 from 19163 in 0.2.9.3-alpha. Fixes bug 20472.
src/or/circuitbuild.c +23 −42 Original line number Diff line number Diff line Loading @@ -814,7 +814,8 @@ circuit_timeout_want_to_count_circ(origin_circuit_t *circ) /** Decide whether to use a TAP or ntor handshake for connecting to <b>ei</b> * directly, and set *<b>cell_type_out</b> and *<b>handshake_type_out</b> * accordingly. * Note that TAP handshakes are only used for direct connections: * Note that TAP handshakes in CREATE cells are only used for direct * connections: * - from Tor2web to intro points not in the client's consensus, and * - from Single Onions to rend points not in the service's consensus. * This is checked in onion_populate_cpath. */ Loading 
@@ -823,58 +824,43 @@ circuit_pick_create_handshake(uint8_t *cell_type_out, uint16_t *handshake_type_out, const extend_info_t *ei) { /* XXXX030 Remove support for deciding to use TAP. */ /* torspec says: In general, clients SHOULD use CREATE whenever they are * using the TAP handshake, and CREATE2 otherwise. */ if (extend_info_supports_ntor(ei)) { *cell_type_out = CELL_CREATE2; *handshake_type_out = ONION_HANDSHAKE_TYPE_NTOR; return; } } else { /* XXXX030 Remove support for deciding to use TAP and EXTEND. */ *cell_type_out = CELL_CREATE; *handshake_type_out = ONION_HANDSHAKE_TYPE_TAP; } } /** Decide whether to use a TAP or ntor handshake for connecting to <b>ei</b> * directly, and set *<b>handshake_type_out</b> accordingly. Decide whether, * in extending through <b>node</b> to do so, we should use an EXTEND2 or an * EXTEND cell to do so, and set *<b>cell_type_out</b> and * *<b>create_cell_type_out</b> accordingly. * Note that TAP handshakes are only used for extend handshakes: /** Decide whether to use a TAP or ntor handshake for extending to <b>ei</b> * and set *<b>handshake_type_out</b> accordingly. Decide whether we should * use an EXTEND2 or an EXTEND cell to do so, and set *<b>cell_type_out</b> * and *<b>create_cell_type_out</b> accordingly. * Note that TAP handshakes in EXTEND cells are only used: * - from clients to intro points, and * - from hidden services to rend points. * This is checked in onion_populate_cpath. */ * This is checked in onion_populate_cpath. */ static void circuit_pick_extend_handshake(uint8_t *cell_type_out, uint8_t *create_cell_type_out, uint16_t *handshake_type_out, const node_t *node_prev, const extend_info_t *ei) { uint8_t t; circuit_pick_create_handshake(&t, handshake_type_out, ei); /* XXXX030 Remove support for deciding to use TAP. */ /* It is an error to extend if there is no previous node. 
*/ if (BUG(node_prev == NULL)) { *cell_type_out = RELAY_COMMAND_EXTEND; *create_cell_type_out = CELL_CREATE; return; } /* It is an error for a node with a known version to be so old it does not * support ntor. */ tor_assert_nonfatal(routerstatus_version_supports_ntor(node_prev->rs, 1)); /* Assume relays without tor versions or routerstatuses support ntor. * The authorities enforce ntor support, and assuming and failing is better * than allowing a malicious node to perform a protocol downgrade to TAP. */ if (*handshake_type_out != ONION_HANDSHAKE_TYPE_TAP && (node_has_curve25519_onion_key(node_prev) || (routerstatus_version_supports_ntor(node_prev->rs, 1)))) { /* torspec says: Clients SHOULD use the EXTEND format whenever sending a TAP * handshake... In other cases, clients SHOULD use EXTEND2. */ if (*handshake_type_out != ONION_HANDSHAKE_TYPE_TAP) { *cell_type_out = RELAY_COMMAND_EXTEND2; *create_cell_type_out = CELL_CREATE2; } else { /* XXXX030 Remove support for deciding to use TAP and EXTEND. */ *cell_type_out = RELAY_COMMAND_EXTEND; *create_cell_type_out = CELL_CREATE; } Loading Loading @@ -1030,15 +1016,10 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) return - END_CIRC_REASON_INTERNAL; } { const node_t *prev_node; prev_node = node_get_by_id(hop->prev->extend_info->identity_digest); circuit_pick_extend_handshake(&ec.cell_type, &ec.create_cell.cell_type, &ec.create_cell.handshake_type, prev_node, hop->extend_info); } tor_addr_copy(&ec.orport_ipv4.addr, &hop->extend_info->addr); ec.orport_ipv4.port = hop->extend_info->port; Loading
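Review bot: The TAP branch in circuit_pick_create_handshake appears to keep only the XXXX030 removal note, while the block deleted from circuit_pick_extend_handshake held the one comment explaining why a silent fall-back to TAP matters (it described a protocol downgrade by a malicious node). With the node_prev checks gone, the handshake is chosen from `ei` alone, so I would restate that rationale at the TAP branch, for example `/* Reached only when ei carries no ntor key; onion_populate_cpath is expected to limit which hops may lack one, otherwise this is a downgrade to TAP. */`. A `log_info(LD_CIRC, "Using TAP handshake: no ntor key in extend info.");` on that branch would also make an unexpected TAP choice visible in the logs. onion_populate_cpath is not part of this page, so the restriction it enforces is taken from the doc comment rather than verified here.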
src/or/networkstatus.c +3 −3 Original line number Diff line number Diff line Loading @@ -2360,10 +2360,10 @@ client_would_use_router(const routerstatus_t *rs, time_t now, /* We'd drop it immediately for being too old. */ return 0; } if (!routerstatus_version_supports_ntor(rs, 1)) { /* We'd ignore it because it doesn't support ntor. if (!routerstatus_version_supports_extend2_cells(rs, 1)) { /* We'd ignore it because it doesn't support EXTEND2 cells. * If we don't know the version, download the descriptor so we can * check if it supports ntor. */ * check if it supports EXTEND2 cells and ntor. */ return 0; } return 1; Loading
src/or/routerlist.c +8 −6 Original line number Diff line number Diff line Loading @@ -2344,9 +2344,10 @@ router_add_running_nodes_to_smartlist(smartlist_t *sl, int allow_invalid, continue; if (node_is_unreliable(node, need_uptime, need_capacity, need_guard)) continue; /* Don't choose nodes if we are certain they can't do ntor */ if (node->rs && !routerstatus_version_supports_ntor(node->rs, 1)) /* Don't choose nodes if we are certain they can't do EXTEND2 cells */ if (node->rs && !routerstatus_version_supports_extend2_cells(node->rs, 1)) continue; /* Don't choose nodes if we are certain they can't do ntor. */ if ((node->ri || node->md) && !node_has_curve25519_onion_key(node)) continue; /* Choose a node with an OR address that matches the firewall rules */ Loading Loading @@ -5609,12 +5610,13 @@ routerinfo_has_curve25519_onion_key(const routerinfo_t *ri) return 1; } /* Is rs running a tor version known to support ntor? /* Is rs running a tor version known to support EXTEND2 cells? * If allow_unknown_versions is true, return true if we can't tell * (from a versions line or a protocols line) whether it supports ntor. * (from a versions line or a protocols line) whether it supports extend2 * cells. * Otherwise, return false if the version is unknown. */ int routerstatus_version_supports_ntor(const routerstatus_t *rs, routerstatus_version_supports_extend2_cells(const routerstatus_t *rs, int allow_unknown_versions) { if (!rs) { Loading
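Review bot: The added ntor filter in router_add_running_nodes_to_smartlist, `if ((node->ri || node->md) && !node_has_curve25519_onion_key(node)) continue;`, lets a node through when it has neither a routerinfo nor a microdescriptor, and the hunk does not show whether an earlier test in the loop already excludes such nodes. If one does, the guard is redundant and a short comment should say so. If not, the comment should state that nodes without any descriptor are deliberately kept, because the handshake choice in circuitbuild.c now depends only on whether a key is present. The loop body starts and ends outside the hunk. In the second hunk, the header comment of routerstatus_version_supports_extend2_cells opens with `/*` where the function documentation in circuitbuild.c uses `/**`, so the renamed function may be left out of generated docs.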
src/or/routerlist.h +2 −2 Original line number Diff line number Diff line Loading @@ -207,7 +207,7 @@ int routerinfo_incompatible_with_extrainfo(const crypto_pk_t *ri, signed_descriptor_t *sd, const char **msg); int routerinfo_has_curve25519_onion_key(const routerinfo_t *ri); int routerstatus_version_supports_ntor(const routerstatus_t *rs, int routerstatus_version_supports_extend2_cells(const routerstatus_t *rs, int allow_unknown_versions); void routerlist_assert_ok(const routerlist_t *rl); Loading