Loading changes/reject-tap +6 −2 Original line number Diff line number Diff line o Major bug fixes (circuit building): - Authorites should not trust the version a relay claims (if any), instead, they should check specifically for an ntor key. - Tor authorities, relays, and clients no longer support circuit-building using TAP. (The hidden service protocol still uses TAP.) - Relays make sure their own descriptor has an ntor key. - Authorites no longer trust the version a relay claims (if any), instead, they check specifically for an ntor key. Fixes bug 19163; bugfix on 0.2.4.18-rc. src/or/router.c +4 −0 Original line number Diff line number Diff line Loading @@ -2753,6 +2753,10 @@ router_dump_router_to_string(routerinfo_t *router, (const char *)router->onion_curve25519_pkey->public_key, CURVE25519_PUBKEY_LEN, BASE64_ENCODE_MULTILINE); smartlist_add_asprintf(chunks, "ntor-onion-key %s", kbuf); } else { /* Authorities will start rejecting relays without ntor keys in 0.2.9 */ log_err(LD_BUG, "A relay must have an ntor onion key"); goto err; } /* Write the exit policy to the end of 's'. */ Loading src/test/test_dir.c +15 −5 Original line number Diff line number Diff line Loading @@ -116,6 +116,7 @@ test_dir_formats(void *arg) const addr_policy_t *p; time_t now = time(NULL); port_cfg_t orport, dirport; char cert_buf[256]; (void)arg; pk1 = pk_generate(0); Loading @@ -135,6 +136,11 @@ test_dir_formats(void *arg) tor_addr_parse(&r1->ipv6_addr, "1:2:3:4::"); r1->ipv6_orport = 9999; r1->onion_pkey = crypto_pk_dup_key(pk1); /* Fake just enough of an ntor key to get by */ curve25519_keypair_t r1_onion_keypair; curve25519_keypair_generate(&r1_onion_keypair, 0); r1->onion_curve25519_pkey = tor_memdup(&r1_onion_keypair.pubkey, sizeof(curve25519_public_key_t)); r1->identity_pkey = crypto_pk_dup_key(pk2); r1->bandwidthrate = 1000; r1->bandwidthburst = 5000; Loading Loading @@ -167,11 +173,6 @@ test_dir_formats(void *arg) &kp2.pubkey, now, 86400, CERT_FLAG_INCLUDE_SIGNING_KEY); char cert_buf[256]; base64_encode(cert_buf, sizeof(cert_buf), (const char*)r2->cache_info.signing_key_cert->encoded, r2->cache_info.signing_key_cert->encoded_len, BASE64_ENCODE_MULTILINE); r2->platform = tor_strdup(platform); r2->cache_info.published_on = 5; r2->or_port = 9005; Loading Loading @@ -247,6 +248,11 @@ test_dir_formats(void *arg) strlcat(buf2, "hidden-service-dir\n", sizeof(buf2)); strlcat(buf2, "contact Magri White <magri@elsewhere.example.com>\n", sizeof(buf2)); strlcat(buf2, "ntor-onion-key ", sizeof(buf2)); base64_encode(cert_buf, sizeof(cert_buf), (const char*)r1_onion_keypair.pubkey.public_key, 32, BASE64_ENCODE_MULTILINE); strlcat(buf2, cert_buf, sizeof(buf2)); strlcat(buf2, "reject *:*\n", sizeof(buf2)); strlcat(buf2, "tunnelled-dir-server\nrouter-signature\n", sizeof(buf2)); buf[strlen(buf2)] = '\0'; /* Don't compare the sig; it's never the same Loading Loading @@ -276,6 +282,10 @@ test_dir_formats(void *arg) "router Fred 10.3.2.1 9005 0 0\n" "identity-ed25519\n" "-----BEGIN ED25519 CERT-----\n", sizeof(buf2)); base64_encode(cert_buf, sizeof(cert_buf), (const char*)r2->cache_info.signing_key_cert->encoded, r2->cache_info.signing_key_cert->encoded_len, BASE64_ENCODE_MULTILINE); strlcat(buf2, cert_buf, sizeof(buf2)); strlcat(buf2, "-----END ED25519 CERT-----\n", sizeof(buf2)); strlcat(buf2, "master-key-ed25519 ", sizeof(buf2)); Loading Loading
changes/reject-tap +6 −2 Original line number Diff line number Diff line o Major bug fixes (circuit building): - Authorites should not trust the version a relay claims (if any), instead, they should check specifically for an ntor key. - Tor authorities, relays, and clients no longer support circuit-building using TAP. (The hidden service protocol still uses TAP.) - Relays make sure their own descriptor has an ntor key. - Authorites no longer trust the version a relay claims (if any), instead, they check specifically for an ntor key. Fixes bug 19163; bugfix on 0.2.4.18-rc.
src/or/router.c +4 −0 Original line number Diff line number Diff line Loading @@ -2753,6 +2753,10 @@ router_dump_router_to_string(routerinfo_t *router, (const char *)router->onion_curve25519_pkey->public_key, CURVE25519_PUBKEY_LEN, BASE64_ENCODE_MULTILINE); smartlist_add_asprintf(chunks, "ntor-onion-key %s", kbuf); } else { /* Authorities will start rejecting relays without ntor keys in 0.2.9 */ log_err(LD_BUG, "A relay must have an ntor onion key"); goto err; } /* Write the exit policy to the end of 's'. */ Loading
src/test/test_dir.c +15 −5 Original line number Diff line number Diff line Loading @@ -116,6 +116,7 @@ test_dir_formats(void *arg) const addr_policy_t *p; time_t now = time(NULL); port_cfg_t orport, dirport; char cert_buf[256]; (void)arg; pk1 = pk_generate(0); Loading @@ -135,6 +136,11 @@ test_dir_formats(void *arg) tor_addr_parse(&r1->ipv6_addr, "1:2:3:4::"); r1->ipv6_orport = 9999; r1->onion_pkey = crypto_pk_dup_key(pk1); /* Fake just enough of an ntor key to get by */ curve25519_keypair_t r1_onion_keypair; curve25519_keypair_generate(&r1_onion_keypair, 0); r1->onion_curve25519_pkey = tor_memdup(&r1_onion_keypair.pubkey, sizeof(curve25519_public_key_t)); r1->identity_pkey = crypto_pk_dup_key(pk2); r1->bandwidthrate = 1000; r1->bandwidthburst = 5000; Loading Loading @@ -167,11 +173,6 @@ test_dir_formats(void *arg) &kp2.pubkey, now, 86400, CERT_FLAG_INCLUDE_SIGNING_KEY); char cert_buf[256]; base64_encode(cert_buf, sizeof(cert_buf), (const char*)r2->cache_info.signing_key_cert->encoded, r2->cache_info.signing_key_cert->encoded_len, BASE64_ENCODE_MULTILINE); r2->platform = tor_strdup(platform); r2->cache_info.published_on = 5; r2->or_port = 9005; Loading Loading @@ -247,6 +248,11 @@ test_dir_formats(void *arg) strlcat(buf2, "hidden-service-dir\n", sizeof(buf2)); strlcat(buf2, "contact Magri White <magri@elsewhere.example.com>\n", sizeof(buf2)); strlcat(buf2, "ntor-onion-key ", sizeof(buf2)); base64_encode(cert_buf, sizeof(cert_buf), (const char*)r1_onion_keypair.pubkey.public_key, 32, BASE64_ENCODE_MULTILINE); strlcat(buf2, cert_buf, sizeof(buf2)); strlcat(buf2, "reject *:*\n", sizeof(buf2)); strlcat(buf2, "tunnelled-dir-server\nrouter-signature\n", sizeof(buf2)); buf[strlen(buf2)] = '\0'; /* Don't compare the sig; it's never the same Loading Loading @@ -276,6 +282,10 @@ test_dir_formats(void *arg) "router Fred 10.3.2.1 9005 0 0\n" "identity-ed25519\n" "-----BEGIN ED25519 CERT-----\n", sizeof(buf2)); base64_encode(cert_buf, sizeof(cert_buf), (const char*)r2->cache_info.signing_key_cert->encoded, r2->cache_info.signing_key_cert->encoded_len, BASE64_ENCODE_MULTILINE); strlcat(buf2, cert_buf, sizeof(buf2)); strlcat(buf2, "-----END ED25519 CERT-----\n", sizeof(buf2)); strlcat(buf2, "master-key-ed25519 ", sizeof(buf2)); Loading
