Loading changes/ticket40363 0 → 100644 +9 −0 Original line number Original line Diff line number Diff line o Major features (Proposal 332, onion services, guard selection algorithm): - Clients and onion services now choose four long-lived "layer 2" guard relays for use as the middle hop in all onion circuits. These relays are kept in place for a randomized duration averaging 1 week each. This mitigates guard discovery attacks against clients and short-lived onion services such as OnionShare. Long-lived onion services that need high security should still use the Vanguards addon (https://github.com/mikeperry-tor/vanguards). Closes ticket 40363; implements proposal 333. doc/man/tor.1.txt +7 −0 Original line number Original line Diff line number Diff line Loading 
@@ -1749,6 +1749,13 @@ The following options are useful only for clients (that is, if the guard-n-primary-guards consensus parameter, and default to 3 if the the guard-n-primary-guards consensus parameter, and default to 3 if the consensus parameter isn't set. (Default: 0) consensus parameter isn't set. (Default: 0) [[VanguardsLiteEnabled]] **VanguardsLiteEnabled** **0**|**1**|**auto**:: This option specifies whether clients should use the vanguards-lite subsystem to protect against guard discovery attacks. If it's set to 'auto', clients will do what the vanguards-lite-enabled consensus parameter tells them to do, and will default to enable the subsystem if the consensus parameter isn't set. (Default: auto) [[UseMicrodescriptors]] **UseMicrodescriptors** **0**|**1**|**auto**:: [[UseMicrodescriptors]] **UseMicrodescriptors** **0**|**1**|**auto**:: Microdescriptors are a smaller version of the information that Tor needs Microdescriptors are a smaller version of the information that Tor needs in order to build its circuits. Using microdescriptors makes Tor clients in order to build its circuits. Using microdescriptors makes Tor clients Loading src/app/config/config.c +1 −0 Original line number Original line Diff line number Diff line Loading @@ -669,6 +669,7 @@ static const config_var_t option_vars_[] = { VAR("UseEntryGuards", BOOL, UseEntryGuards_option, "1"), VAR("UseEntryGuards", BOOL, UseEntryGuards_option, "1"), OBSOLETE("UseEntryGuardsAsDirGuards"), OBSOLETE("UseEntryGuardsAsDirGuards"), V(UseGuardFraction, AUTOBOOL, "auto"), V(UseGuardFraction, AUTOBOOL, "auto"), V(VanguardsLiteEnabled, AUTOBOOL, "auto"), V(UseMicrodescriptors, AUTOBOOL, "auto"), V(UseMicrodescriptors, AUTOBOOL, "auto"), OBSOLETE("UseNTorHandshake"), OBSOLETE("UseNTorHandshake"), V_IMMUTABLE(User, STRING, NULL), V_IMMUTABLE(User, STRING, NULL), Loading src/app/config/or_options_st.h +3 −0 Original line number Original line Diff line number Diff line Loading 
@@ -594,6 +594,9 @@ struct or_options_t { * If 0, use value from NumEntryGuards. */ * If 0, use value from NumEntryGuards. */ int NumPrimaryGuards; /**< How many primary guards do we want? */ int NumPrimaryGuards; /**< How many primary guards do we want? */ /** Boolean: Switch to toggle the vanguards-lite subsystem */ int VanguardsLiteEnabled; int RephistTrackTime; /**< How many seconds do we keep rephist info? */ int RephistTrackTime; /**< How many seconds do we keep rephist info? */ /** Should we always fetch our dir info on the mirror schedule (which /** Should we always fetch our dir info on the mirror schedule (which * means directly from the authorities) no matter our other config? */ * means directly from the authorities) no matter our other config? */ Loading src/core/mainloop/mainloop.c +20 −0 Original line number Original line Diff line number Diff line Loading @@ -1293,6 +1293,7 @@ signewnym_impl(time_t now) circuit_mark_all_dirty_circs_as_unusable(); circuit_mark_all_dirty_circs_as_unusable(); addressmap_clear_transient(); addressmap_clear_transient(); hs_client_purge_state(); hs_client_purge_state(); purge_vanguards_lite(); time_of_last_signewnym = now; time_of_last_signewnym = now; signewnym_is_pending = 0; signewnym_is_pending = 0; Loading Loading @@ -1370,6 +1371,7 @@ CALLBACK(save_state); CALLBACK(write_stats_file); CALLBACK(write_stats_file); CALLBACK(control_per_second_events); CALLBACK(control_per_second_events); CALLBACK(second_elapsed); CALLBACK(second_elapsed); CALLBACK(manage_vglite); #undef CALLBACK #undef CALLBACK Loading 
@@ -1392,6 +1394,9 @@ STATIC periodic_event_item_t mainloop_periodic_events[] = { CALLBACK(second_elapsed, NET_PARTICIPANT, CALLBACK(second_elapsed, NET_PARTICIPANT, FL(RUN_ON_DISABLE)), FL(RUN_ON_DISABLE)), /* Update vanguards-lite once per hour, if we have networking */ CALLBACK(manage_vglite, NET_PARTICIPANT, FL(NEED_NET)), /* XXXX Do we have a reason to do this on a callback? Does it do any good at /* XXXX Do we have a reason to do this on a callback? Does it do any good at * all? For now, if we're dormant, we can let our listeners decay. */ * all? For now, if we're dormant, we can let our listeners decay. */ CALLBACK(retry_listeners, NET_PARTICIPANT, FL(NEED_NET)), CALLBACK(retry_listeners, NET_PARTICIPANT, FL(NEED_NET)), Loading Loading @@ -1662,6 +1667,21 @@ mainloop_schedule_shutdown(int delay_sec) mainloop_event_schedule(scheduled_shutdown_ev, &delay_tv); mainloop_event_schedule(scheduled_shutdown_ev, &delay_tv); } } /** * Update vanguards-lite layer2 nodes, once every 15 minutes */ static int manage_vglite_callback(time_t now, const or_options_t *options) { (void)now; (void)options; #define VANGUARDS_LITE_INTERVAL (15*60) maintain_layer2_guards(); return VANGUARDS_LITE_INTERVAL; } /** Perform regular maintenance tasks. This function gets run once per /** Perform regular maintenance tasks. This function gets run once per * second. * second. */ */ Loading Loading
changes/ticket40363 0 → 100644 +9 −0 Original line number Original line Diff line number Diff line o Major features (Proposal 332, onion services, guard selection algorithm): - Clients and onion services now choose four long-lived "layer 2" guard relays for use as the middle hop in all onion circuits. These relays are kept in place for a randomized duration averaging 1 week each. This mitigates guard discovery attacks against clients and short-lived onion services such as OnionShare. Long-lived onion services that need high security should still use the Vanguards addon (https://github.com/mikeperry-tor/vanguards). Closes ticket 40363; implements proposal 333.
doc/man/tor.1.txt +7 −0 Original line number Original line Diff line number Diff line Loading @@ -1749,6 +1749,13 @@ The following options are useful only for clients (that is, if the guard-n-primary-guards consensus parameter, and default to 3 if the the guard-n-primary-guards consensus parameter, and default to 3 if the consensus parameter isn't set. (Default: 0) consensus parameter isn't set. (Default: 0) [[VanguardsLiteEnabled]] **VanguardsLiteEnabled** **0**|**1**|**auto**:: This option specifies whether clients should use the vanguards-lite subsystem to protect against guard discovery attacks. If it's set to 'auto', clients will do what the vanguards-lite-enabled consensus parameter tells them to do, and will default to enable the subsystem if the consensus parameter isn't set. (Default: auto) [[UseMicrodescriptors]] **UseMicrodescriptors** **0**|**1**|**auto**:: [[UseMicrodescriptors]] **UseMicrodescriptors** **0**|**1**|**auto**:: Microdescriptors are a smaller version of the information that Tor needs Microdescriptors are a smaller version of the information that Tor needs in order to build its circuits. Using microdescriptors makes Tor clients in order to build its circuits. Using microdescriptors makes Tor clients Loading
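--- a/src/app/config/config.c
+++ b/src/app/config/config.c
@@ -669,6 +669,7 @@ static const config_var_t option_vars_[] = {
 VAR("UseEntryGuards", BOOL, UseEntryGuards_option, "1"),
 OBSOLETE("UseEntryGuardsAsDirGuards"),
 V(UseGuardFraction, AUTOBOOL, "auto"),
+V(VanguardsLiteEnabled, AUTOBOOL, "auto"),
 V(UseMicrodescriptors, AUTOBOOL, "auto"),
 OBSOLETE("UseNTorHandshake"),
 V_IMMUTABLE(User, STRING, NULL),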
src/app/config/or_options_st.h +3 −0 Original line number Original line Diff line number Diff line Loading @@ -594,6 +594,9 @@ struct or_options_t { * If 0, use value from NumEntryGuards. */ * If 0, use value from NumEntryGuards. */ int NumPrimaryGuards; /**< How many primary guards do we want? */ int NumPrimaryGuards; /**< How many primary guards do we want? */ /** Boolean: Switch to toggle the vanguards-lite subsystem */ int VanguardsLiteEnabled; int RephistTrackTime; /**< How many seconds do we keep rephist info? */ int RephistTrackTime; /**< How many seconds do we keep rephist info? */ /** Should we always fetch our dir info on the mirror schedule (which /** Should we always fetch our dir info on the mirror schedule (which * means directly from the authorities) no matter our other config? */ * means directly from the authorities) no matter our other config? */ Loading
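Review bot: The doc comment on the new `VanguardsLiteEnabled` field calls it a Boolean, but config.c in this same commit registers the option as `AUTOBOOL` with default "auto", so the field has a third state. A reader who trusts the comment may write a plain truth test on the field; if "auto" is stored as a non-zero value, that test would behave as if the option were 1 and never consult the vanguards-lite-enabled consensus parameter that the man page describes. I would word the comment as `/** Autobool: 1 enables the vanguards-lite subsystem, 0 disables it, auto defers to the vanguards-lite-enabled consensus parameter. */`. The struct begins and ends outside this hunk.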
src/core/mainloop/mainloop.c +20 −0 Original line number Original line Diff line number Diff line Loading @@ -1293,6 +1293,7 @@ signewnym_impl(time_t now) circuit_mark_all_dirty_circs_as_unusable(); circuit_mark_all_dirty_circs_as_unusable(); addressmap_clear_transient(); addressmap_clear_transient(); hs_client_purge_state(); hs_client_purge_state(); purge_vanguards_lite(); time_of_last_signewnym = now; time_of_last_signewnym = now; signewnym_is_pending = 0; signewnym_is_pending = 0; Loading Loading @@ -1370,6 +1371,7 @@ CALLBACK(save_state); CALLBACK(write_stats_file); CALLBACK(write_stats_file); CALLBACK(control_per_second_events); CALLBACK(control_per_second_events); CALLBACK(second_elapsed); CALLBACK(second_elapsed); CALLBACK(manage_vglite); #undef CALLBACK #undef CALLBACK Loading @@ -1392,6 +1394,9 @@ STATIC periodic_event_item_t mainloop_periodic_events[] = { CALLBACK(second_elapsed, NET_PARTICIPANT, CALLBACK(second_elapsed, NET_PARTICIPANT, FL(RUN_ON_DISABLE)), FL(RUN_ON_DISABLE)), /* Update vanguards-lite once per hour, if we have networking */ CALLBACK(manage_vglite, NET_PARTICIPANT, FL(NEED_NET)), /* XXXX Do we have a reason to do this on a callback? Does it do any good at /* XXXX Do we have a reason to do this on a callback? Does it do any good at * all? For now, if we're dormant, we can let our listeners decay. */ * all? For now, if we're dormant, we can let our listeners decay. */ CALLBACK(retry_listeners, NET_PARTICIPANT, FL(NEED_NET)), CALLBACK(retry_listeners, NET_PARTICIPANT, FL(NEED_NET)), Loading Loading 
@@ -1662,6 +1667,21 @@ mainloop_schedule_shutdown(int delay_sec) mainloop_event_schedule(scheduled_shutdown_ev, &delay_tv); mainloop_event_schedule(scheduled_shutdown_ev, &delay_tv); } } /** * Update vanguards-lite layer2 nodes, once every 15 minutes */ static int manage_vglite_callback(time_t now, const or_options_t *options) { (void)now; (void)options; #define VANGUARDS_LITE_INTERVAL (15*60) maintain_layer2_guards(); return VANGUARDS_LITE_INTERVAL; } /** Perform regular maintenance tasks. This function gets run once per /** Perform regular maintenance tasks. This function gets run once per * second. * second. */ */ Loading
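Review bot: The comment added above the `CALLBACK(manage_vglite, NET_PARTICIPANT, FL(NEED_NET))` table entry says the update runs once per hour, but `manage_vglite_callback` returns `VANGUARDS_LITE_INTERVAL`, defined as `(15*60)`, and its own doc comment says every 15 minutes; the table comment should read `/* Update vanguards-lite every 15 minutes, if we have networking */`. The callback also discards `options`, so the VanguardsLiteEnabled setting is not consulted at this level; whether `maintain_layer2_guards()` and `purge_vanguards_lite()` check it is not visible in this diff, and the callback's doc comment should state where the toggle is enforced. As a point of style, `#define VANGUARDS_LITE_INTERVAL` sits inside the function body and would read better at file scope just above the callback. signewnym_impl and the periodic-events table start and end outside their hunks.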