From 039e2a24da522f483909e0eb55f963dce6e3b0e5 Mon Sep 17 00:00:00 2001 From: David Goulet Date: Tue, 25 Apr 2017 14:11:23 -0400 Subject: [PATCH] config: Remove TLSECGroup option Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans up the code associated with it. Partially fixes #22060 Signed-off-by: David Goulet --- changes/bug22060 | 2 ++ doc/tor.1.txt | 6 ----- src/or/config.c | 37 +------------------------------ src/or/or.h | 2 -- src/or/router.c | 6 ----- src/test/test_options.c | 49 ----------------------------------------- 6 files changed, 3 insertions(+), 99 deletions(-) diff --git a/changes/bug22060 b/changes/bug22060 index e7d14b01a9..98c4c340e8 100644 --- a/changes/bug22060 +++ b/changes/bug22060 @@ -17,3 +17,5 @@ and feature no longer exists. - WarnUnsafeSocks was deprecated in 0.2.9.2-alpha and now has been rendered obsolete. Code has been removed and feature no longer exists. + - TLSECGroup was deprecated in 0.2.9.2-alpha and now has been rendered + obsolete. Code has been removed and feature no longer exists. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 590ded34de..8bc9c2768f 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1958,12 +1958,6 @@ is non-zero): [[GeoIPv6File]] **GeoIPv6File** __filename__:: A filename containing IPv6 GeoIP data, for use with by-country statistics. -[[TLSECGroup]] **TLSECGroup** **P224**|**P256**:: - What EC group should we try to use for incoming TLS connections? - P224 is faster, but makes us stand out more. Has no effect if - we're a client, or if our OpenSSL version lacks support for ECDHE. - (Default: P256) - [[CellStatistics]] **CellStatistics** **0**|**1**:: Relays only. When this option is enabled, Tor collects statistics about cell diff --git a/src/or/config.c b/src/or/config.c index 1af554a3fa..72063dbe3e 100644 --- a/src/or/config.c +++ b/src/or/config.c 
@@ -494,7 +494,7 @@ static config_var_t option_vars_[] = { V(TokenBucketRefillInterval, MSEC_INTERVAL, "100 msec"), V(Tor2webMode, BOOL, "0"), V(Tor2webRendezvousPoints, ROUTERSET, NULL), - V(TLSECGroup, STRING, NULL), + OBSOLETE("TLSECGroup"), V(TrackHostExits, CSV, NULL), V(TrackHostExitsExpire, INTERVAL, "30 minutes"), V(TransListenAddress, LINELIST, NULL), @@ -664,8 +664,6 @@ static const config_deprecation_t option_deprecation_notes_[] = { "a wide variety of application-level attacks." }, { "ClientDNSRejectInternalAddresses", "Turning this on makes your client " "easier to fingerprint, and may open you to esoteric attacks." }, - { "TLSECGroup", "The default is a nice secure choice; the other option " - "is less secure." }, { "ControlListenAddress", "Use ControlPort instead." }, { "DirListenAddress", "Use DirPort instead, possibly with the " "NoAdvertise sub-option" }, @@ -1537,23 +1535,6 @@ get_effective_bwburst(const or_options_t *options) return (uint32_t)bw; } -/** Return True if any changes from old_options to - * new_options needs us to refresh our TLS context. */ -static int -options_transition_requires_fresh_tls_context(const or_options_t *old_options, - const or_options_t *new_options) -{ - tor_assert(new_options); - - if (!old_options) - return 0; - - if (!opt_streq(old_options->TLSECGroup, new_options->TLSECGroup)) - return 1; - - return 0; -} - /** * Return true if changing the configuration from old to new * affects the guard susbsystem. @@ -1772,13 +1753,6 @@ options_act(const or_options_t *old_options) log_warn(LD_BUG,"Error initializing keys; exiting"); return -1; } - } else if (old_options && - options_transition_requires_fresh_tls_context(old_options, - options)) { - if (router_initialize_tls_context() < 0) { - log_warn(LD_BUG,"Error initializing TLS context."); - return -1; - } } /* Write our PID to the PID file. If we do not have write permissions we 
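Review bot: At `OBSOLETE("TLSECGroup")` in `option_vars_[]` (the @@ -494 hunk; the table starts and ends outside it), a torrc that still sets `TLSECGroup P224` no longer selects that group, so the relay falls back to whatever the TLS layer uses when neither ECDHE flag is passed, while the changes/bug22060 entry says only that the feature no longer exists. I would add a sentence there such as `Relays that still set TLSECGroup now always use the default EC group.` so operators know the effective curve changed on upgrade. How OBSOLETE() reports a leftover setting is not visible in this diff, so that wording should be checked against its actual behaviour. Separately, `evaluate_ecgroup_for_tls()` and the `TOR_TLS_CTX_USE_ECDHE_P224`/`TOR_TLS_CTX_USE_ECDHE_P256` flags referenced by the lines removed in the later hunks live in none of the six files in the diffstat. If these were their only callers, the P224 path is presumably dead code now and worth removing in a follow-up, so the weaker group cannot be re-enabled by accident.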
@@ -3140,15 +3114,6 @@ options_validate(or_options_t *old_options, or_options_t *options, } } - if (options->TLSECGroup && (strcasecmp(options->TLSECGroup, "P256") && - strcasecmp(options->TLSECGroup, "P224"))) { - COMPLAIN("Unrecognized TLSECGroup: Falling back to the default."); - tor_free(options->TLSECGroup); - } - if (!evaluate_ecgroup_for_tls(options->TLSECGroup)) { - REJECT("Unsupported TLSECGroup."); - } - if (options->ExcludeNodes && options->StrictNodes) { COMPLAIN("You have asked to exclude certain relays from all positions " "in your circuits. Expect hidden services and other Tor " diff --git a/src/or/or.h b/src/or/or.h index da3285038a..75b5fb3ba7 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -4466,8 +4466,6 @@ typedef struct { int IPv6Exit; /**< Do we support exiting to IPv6 addresses? */ - char *TLSECGroup; /**< One of "P256", "P224", or nil for auto */ - /** Fraction: */ double PathsNeededToBuildCircuits; diff --git a/src/or/router.c b/src/or/router.c index ca86c33bd6..ef54921bfe 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -779,12 +779,6 @@ router_initialize_tls_context(void) int lifetime = options->SSLKeyLifetime; if (public_server_mode(options)) flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER; - if (options->TLSECGroup) { - if (!strcasecmp(options->TLSECGroup, "P256")) - flags |= TOR_TLS_CTX_USE_ECDHE_P256; - else if (!strcasecmp(options->TLSECGroup, "P224")) - flags |= TOR_TLS_CTX_USE_ECDHE_P224; - } if (!lifetime) { /* we should guess a good ssl cert lifetime */ /* choose between 5 and 365 days, and round to the day */ diff --git a/src/test/test_options.c b/src/test/test_options.c index 2a7dfbdaef..1886797c96 100644 --- a/src/test/test_options.c +++ b/src/test/test_options.c 
@@ -1312,54 +1312,6 @@ test_options_validate__node_families(void *ignored) tor_free(msg); } -static void -test_options_validate__tlsec(void *ignored) -{ - (void)ignored; - int ret; - char *msg; - setup_capture_of_logs(LOG_DEBUG); - options_test_data_t *tdata = get_options_test_data( - "TLSECGroup ed25519\n" - "SchedulerHighWaterMark__ 42\n" - "SchedulerLowWaterMark__ 10\n"); - - ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); - tt_int_op(ret, OP_EQ, -1); - expect_log_msg("Unrecognized TLSECGroup: Falling back to the default.\n"); - tt_assert(!tdata->opt->TLSECGroup); - tor_free(msg); - - free_options_test_data(tdata); - tdata = get_options_test_data("TLSECGroup P224\n" - "SchedulerHighWaterMark__ 42\n" - "SchedulerLowWaterMark__ 10\n"); - mock_clean_saved_logs(); - ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); - tt_int_op(ret, OP_EQ, -1); - expect_no_log_msg( - "Unrecognized TLSECGroup: Falling back to the default.\n"); - tt_assert(tdata->opt->TLSECGroup); - tor_free(msg); - - free_options_test_data(tdata); - tdata = get_options_test_data("TLSECGroup P256\n" - "SchedulerHighWaterMark__ 42\n" - "SchedulerLowWaterMark__ 10\n"); - mock_clean_saved_logs(); - ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); - tt_int_op(ret, OP_EQ, -1); - expect_no_log_msg( - "Unrecognized TLSECGroup: Falling back to the default.\n"); - tt_assert(tdata->opt->TLSECGroup); - tor_free(msg); - - done: - teardown_capture_of_logs(); - free_options_test_data(tdata); - tor_free(msg); -} - static void test_options_validate__token_bucket(void *ignored) { @@ -4427,7 +4379,6 @@ struct testcase_t options_tests[] = { LOCAL_VALIDATE_TEST(exclude_nodes), LOCAL_VALIDATE_TEST(scheduler), LOCAL_VALIDATE_TEST(node_families), - LOCAL_VALIDATE_TEST(tlsec), LOCAL_VALIDATE_TEST(token_bucket), LOCAL_VALIDATE_TEST(recommended_packages), LOCAL_VALIDATE_TEST(fetch_dir),