Commit 039e2a24 authored by David Goulet's avatar David Goulet 🔆 Committed by Nick Mathewson
Browse files

config: Remove TLSECGroup option



Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060
Signed-off-by: David Goulet's avatarDavid Goulet <dgoulet@torproject.org>
parent 8aedc589
......@@ -17,3 +17,5 @@
and feature no longer exists.
- WarnUnsafeSocks was deprecated in 0.2.9.2-alpha and now has been
rendered obsolete. Code has been removed and feature no longer exists.
- TLSECGroup was deprecated in 0.2.9.2-alpha and now has been rendered
obsolete. Code has been removed and feature no longer exists.
......@@ -1958,12 +1958,6 @@ is non-zero):
[[GeoIPv6File]] **GeoIPv6File** __filename__::
A filename containing IPv6 GeoIP data, for use with by-country statistics.
[[TLSECGroup]] **TLSECGroup** **P224**|**P256**::
What EC group should we try to use for incoming TLS connections?
P224 is faster, but makes us stand out more. Has no effect if
we're a client, or if our OpenSSL version lacks support for ECDHE.
(Default: P256)
[[CellStatistics]] **CellStatistics** **0**|**1**::
Relays only.
When this option is enabled, Tor collects statistics about cell
......
......@@ -494,7 +494,7 @@ static config_var_t option_vars_[] = {
V(TokenBucketRefillInterval, MSEC_INTERVAL, "100 msec"),
V(Tor2webMode, BOOL, "0"),
V(Tor2webRendezvousPoints, ROUTERSET, NULL),
V(TLSECGroup, STRING, NULL),
OBSOLETE("TLSECGroup"),
V(TrackHostExits, CSV, NULL),
V(TrackHostExitsExpire, INTERVAL, "30 minutes"),
V(TransListenAddress, LINELIST, NULL),
......@@ -664,8 +664,6 @@ static const config_deprecation_t option_deprecation_notes_[] = {
"a wide variety of application-level attacks." },
{ "ClientDNSRejectInternalAddresses", "Turning this on makes your client "
"easier to fingerprint, and may open you to esoteric attacks." },
{ "TLSECGroup", "The default is a nice secure choice; the other option "
"is less secure." },
{ "ControlListenAddress", "Use ControlPort instead." },
{ "DirListenAddress", "Use DirPort instead, possibly with the "
"NoAdvertise sub-option" },
......@@ -1537,23 +1535,6 @@ get_effective_bwburst(const or_options_t *options)
return (uint32_t)bw;
}
/** Return True if any changes from <b>old_options</b> to
* <b>new_options</b> needs us to refresh our TLS context. */
static int
options_transition_requires_fresh_tls_context(const or_options_t *old_options,
const or_options_t *new_options)
{
tor_assert(new_options);
if (!old_options)
return 0;
if (!opt_streq(old_options->TLSECGroup, new_options->TLSECGroup))
return 1;
return 0;
}
/**
* Return true if changing the configuration from <b>old</b> to <b>new</b>
* affects the guard susbsystem.
......@@ -1772,13 +1753,6 @@ options_act(const or_options_t *old_options)
log_warn(LD_BUG,"Error initializing keys; exiting");
return -1;
}
} else if (old_options &&
options_transition_requires_fresh_tls_context(old_options,
options)) {
if (router_initialize_tls_context() < 0) {
log_warn(LD_BUG,"Error initializing TLS context.");
return -1;
}
}
/* Write our PID to the PID file. If we do not have write permissions we
......@@ -3140,15 +3114,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
}
}
if (options->TLSECGroup && (strcasecmp(options->TLSECGroup, "P256") &&
strcasecmp(options->TLSECGroup, "P224"))) {
COMPLAIN("Unrecognized TLSECGroup: Falling back to the default.");
tor_free(options->TLSECGroup);
}
if (!evaluate_ecgroup_for_tls(options->TLSECGroup)) {
REJECT("Unsupported TLSECGroup.");
}
if (options->ExcludeNodes && options->StrictNodes) {
COMPLAIN("You have asked to exclude certain relays from all positions "
"in your circuits. Expect hidden services and other Tor "
......
......@@ -4466,8 +4466,6 @@ typedef struct {
int IPv6Exit; /**< Do we support exiting to IPv6 addresses? */
char *TLSECGroup; /**< One of "P256", "P224", or nil for auto */
/** Fraction: */
double PathsNeededToBuildCircuits;
......
......@@ -779,12 +779,6 @@ router_initialize_tls_context(void)
int lifetime = options->SSLKeyLifetime;
if (public_server_mode(options))
flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
if (options->TLSECGroup) {
if (!strcasecmp(options->TLSECGroup, "P256"))
flags |= TOR_TLS_CTX_USE_ECDHE_P256;
else if (!strcasecmp(options->TLSECGroup, "P224"))
flags |= TOR_TLS_CTX_USE_ECDHE_P224;
}
if (!lifetime) { /* we should guess a good ssl cert lifetime */
/* choose between 5 and 365 days, and round to the day */
......
......@@ -1312,54 +1312,6 @@ test_options_validate__node_families(void *ignored)
tor_free(msg);
}
static void
test_options_validate__tlsec(void *ignored)
{
(void)ignored;
int ret;
char *msg;
setup_capture_of_logs(LOG_DEBUG);
options_test_data_t *tdata = get_options_test_data(
"TLSECGroup ed25519\n"
"SchedulerHighWaterMark__ 42\n"
"SchedulerLowWaterMark__ 10\n");
ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
tt_int_op(ret, OP_EQ, -1);
expect_log_msg("Unrecognized TLSECGroup: Falling back to the default.\n");
tt_assert(!tdata->opt->TLSECGroup);
tor_free(msg);
free_options_test_data(tdata);
tdata = get_options_test_data("TLSECGroup P224\n"
"SchedulerHighWaterMark__ 42\n"
"SchedulerLowWaterMark__ 10\n");
mock_clean_saved_logs();
ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
tt_int_op(ret, OP_EQ, -1);
expect_no_log_msg(
"Unrecognized TLSECGroup: Falling back to the default.\n");
tt_assert(tdata->opt->TLSECGroup);
tor_free(msg);
free_options_test_data(tdata);
tdata = get_options_test_data("TLSECGroup P256\n"
"SchedulerHighWaterMark__ 42\n"
"SchedulerLowWaterMark__ 10\n");
mock_clean_saved_logs();
ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
tt_int_op(ret, OP_EQ, -1);
expect_no_log_msg(
"Unrecognized TLSECGroup: Falling back to the default.\n");
tt_assert(tdata->opt->TLSECGroup);
tor_free(msg);
done:
teardown_capture_of_logs();
free_options_test_data(tdata);
tor_free(msg);
}
static void
test_options_validate__token_bucket(void *ignored)
{
......@@ -4427,7 +4379,6 @@ struct testcase_t options_tests[] = {
LOCAL_VALIDATE_TEST(exclude_nodes),
LOCAL_VALIDATE_TEST(scheduler),
LOCAL_VALIDATE_TEST(node_families),
LOCAL_VALIDATE_TEST(tlsec),
LOCAL_VALIDATE_TEST(token_bucket),
LOCAL_VALIDATE_TEST(recommended_packages),
LOCAL_VALIDATE_TEST(fetch_dir),
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment