config: Remove TLSECGroup option
Deprecated in 0.2.9.2-alpha, this commit changes it to OBSOLETE() and cleans up the code associated with it. Partially fixes #22060 Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
parent
8aedc589ed
commit
039e2a24da
@ -17,3 +17,5 @@
|
|||||||
and feature no longer exists.
|
and feature no longer exists.
|
||||||
- WarnUnsafeSocks was deprecated in 0.2.9.2-alpha and now has been
|
- WarnUnsafeSocks was deprecated in 0.2.9.2-alpha and now has been
|
||||||
rendered obsolete. Code has been removed and feature no longer exists.
|
rendered obsolete. Code has been removed and feature no longer exists.
|
||||||
|
- TLSECGroup was deprecated in 0.2.9.2-alpha and now has been rendered
|
||||||
|
obsolete. Code has been removed and feature no longer exists.
|
||||||
|
@ -1958,12 +1958,6 @@ is non-zero):
|
|||||||
[[GeoIPv6File]] **GeoIPv6File** __filename__::
|
[[GeoIPv6File]] **GeoIPv6File** __filename__::
|
||||||
A filename containing IPv6 GeoIP data, for use with by-country statistics.
|
A filename containing IPv6 GeoIP data, for use with by-country statistics.
|
||||||
|
|
||||||
[[TLSECGroup]] **TLSECGroup** **P224**|**P256**::
|
|
||||||
What EC group should we try to use for incoming TLS connections?
|
|
||||||
P224 is faster, but makes us stand out more. Has no effect if
|
|
||||||
we're a client, or if our OpenSSL version lacks support for ECDHE.
|
|
||||||
(Default: P256)
|
|
||||||
|
|
||||||
[[CellStatistics]] **CellStatistics** **0**|**1**::
|
[[CellStatistics]] **CellStatistics** **0**|**1**::
|
||||||
Relays only.
|
Relays only.
|
||||||
When this option is enabled, Tor collects statistics about cell
|
When this option is enabled, Tor collects statistics about cell
|
||||||
|
@ -494,7 +494,7 @@ static config_var_t option_vars_[] = {
|
|||||||
V(TokenBucketRefillInterval, MSEC_INTERVAL, "100 msec"),
|
V(TokenBucketRefillInterval, MSEC_INTERVAL, "100 msec"),
|
||||||
V(Tor2webMode, BOOL, "0"),
|
V(Tor2webMode, BOOL, "0"),
|
||||||
V(Tor2webRendezvousPoints, ROUTERSET, NULL),
|
V(Tor2webRendezvousPoints, ROUTERSET, NULL),
|
||||||
V(TLSECGroup, STRING, NULL),
|
OBSOLETE("TLSECGroup"),
|
||||||
V(TrackHostExits, CSV, NULL),
|
V(TrackHostExits, CSV, NULL),
|
||||||
V(TrackHostExitsExpire, INTERVAL, "30 minutes"),
|
V(TrackHostExitsExpire, INTERVAL, "30 minutes"),
|
||||||
V(TransListenAddress, LINELIST, NULL),
|
V(TransListenAddress, LINELIST, NULL),
|
||||||
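Review bot: `OBSOLETE("TLSECGroup")` on the replaced line keeps existing torrc files parseable with a warning, but the commit leaves that path untested: the only TLSECGroup test (test_options_validate__tlsec) is deleted elsewhere in this commit rather than adapted, so nothing asserts that a torrc containing `TLSECGroup P224` now validates instead of being rejected with -1 as the old test expected. A single replacement case that feeds that line to options_validate and expects success plus the obsolete-option warning would keep the compatibility promise covered. The option_vars_ table starts and ends outside the hunk.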
@ -664,8 +664,6 @@ static const config_deprecation_t option_deprecation_notes_[] = {
|
|||||||
"a wide variety of application-level attacks." },
|
"a wide variety of application-level attacks." },
|
||||||
{ "ClientDNSRejectInternalAddresses", "Turning this on makes your client "
|
{ "ClientDNSRejectInternalAddresses", "Turning this on makes your client "
|
||||||
"easier to fingerprint, and may open you to esoteric attacks." },
|
"easier to fingerprint, and may open you to esoteric attacks." },
|
||||||
{ "TLSECGroup", "The default is a nice secure choice; the other option "
|
|
||||||
"is less secure." },
|
|
||||||
{ "ControlListenAddress", "Use ControlPort instead." },
|
{ "ControlListenAddress", "Use ControlPort instead." },
|
||||||
{ "DirListenAddress", "Use DirPort instead, possibly with the "
|
{ "DirListenAddress", "Use DirPort instead, possibly with the "
|
||||||
"NoAdvertise sub-option" },
|
"NoAdvertise sub-option" },
|
||||||
@ -1537,23 +1535,6 @@ get_effective_bwburst(const or_options_t *options)
|
|||||||
return (uint32_t)bw;
|
return (uint32_t)bw;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Return True if any changes from <b>old_options</b> to
|
|
||||||
* <b>new_options</b> needs us to refresh our TLS context. */
|
|
||||||
static int
|
|
||||||
options_transition_requires_fresh_tls_context(const or_options_t *old_options,
|
|
||||||
const or_options_t *new_options)
|
|
||||||
{
|
|
||||||
tor_assert(new_options);
|
|
||||||
|
|
||||||
if (!old_options)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
if (!opt_streq(old_options->TLSECGroup, new_options->TLSECGroup))
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Return true if changing the configuration from <b>old</b> to <b>new</b>
|
* Return true if changing the configuration from <b>old</b> to <b>new</b>
|
||||||
* affects the guard susbsystem.
|
* affects the guard susbsystem.
|
||||||
@ -1772,13 +1753,6 @@ options_act(const or_options_t *old_options)
|
|||||||
log_warn(LD_BUG,"Error initializing keys; exiting");
|
log_warn(LD_BUG,"Error initializing keys; exiting");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
} else if (old_options &&
|
|
||||||
options_transition_requires_fresh_tls_context(old_options,
|
|
||||||
options)) {
|
|
||||||
if (router_initialize_tls_context() < 0) {
|
|
||||||
log_warn(LD_BUG,"Error initializing TLS context.");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Write our PID to the PID file. If we do not have write permissions we
|
/* Write our PID to the PID file. If we do not have write permissions we
|
||||||
@ -3140,15 +3114,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (options->TLSECGroup && (strcasecmp(options->TLSECGroup, "P256") &&
|
|
||||||
strcasecmp(options->TLSECGroup, "P224"))) {
|
|
||||||
COMPLAIN("Unrecognized TLSECGroup: Falling back to the default.");
|
|
||||||
tor_free(options->TLSECGroup);
|
|
||||||
}
|
|
||||||
if (!evaluate_ecgroup_for_tls(options->TLSECGroup)) {
|
|
||||||
REJECT("Unsupported TLSECGroup.");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (options->ExcludeNodes && options->StrictNodes) {
|
if (options->ExcludeNodes && options->StrictNodes) {
|
||||||
COMPLAIN("You have asked to exclude certain relays from all positions "
|
COMPLAIN("You have asked to exclude certain relays from all positions "
|
||||||
"in your circuits. Expect hidden services and other Tor "
|
"in your circuits. Expect hidden services and other Tor "
|
||||||
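Review bot: The removed block was the only visible caller of `evaluate_ecgroup_for_tls()`; if it has no other callers, that helper in the TLS layer is now dead and should be removed in the same cleanup, or the commit message should say why it is kept. The removed check also rejected the configuration when the TLS library could not provide the requested EC group, so it is worth confirming (hedged, since the TLS side is not in this diff) that the default group is still validated somewhere at startup rather than silently failing at context creation. options_validate starts and ends outside the hunk.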
|
@ -4466,8 +4466,6 @@ typedef struct {
|
|||||||
|
|
||||||
int IPv6Exit; /**< Do we support exiting to IPv6 addresses? */
|
int IPv6Exit; /**< Do we support exiting to IPv6 addresses? */
|
||||||
|
|
||||||
char *TLSECGroup; /**< One of "P256", "P224", or nil for auto */
|
|
||||||
|
|
||||||
/** Fraction: */
|
/** Fraction: */
|
||||||
double PathsNeededToBuildCircuits;
|
double PathsNeededToBuildCircuits;
|
||||||
|
|
||||||
|
@ -779,12 +779,6 @@ router_initialize_tls_context(void)
|
|||||||
int lifetime = options->SSLKeyLifetime;
|
int lifetime = options->SSLKeyLifetime;
|
||||||
if (public_server_mode(options))
|
if (public_server_mode(options))
|
||||||
flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
|
flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
|
||||||
if (options->TLSECGroup) {
|
|
||||||
if (!strcasecmp(options->TLSECGroup, "P256"))
|
|
||||||
flags |= TOR_TLS_CTX_USE_ECDHE_P256;
|
|
||||||
else if (!strcasecmp(options->TLSECGroup, "P224"))
|
|
||||||
flags |= TOR_TLS_CTX_USE_ECDHE_P224;
|
|
||||||
}
|
|
||||||
if (!lifetime) { /* we should guess a good ssl cert lifetime */
|
if (!lifetime) { /* we should guess a good ssl cert lifetime */
|
||||||
|
|
||||||
/* choose between 5 and 365 days, and round to the day */
|
/* choose between 5 and 365 days, and round to the day */
|
||||||
|
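Review bot: With the TLSECGroup block gone, nothing in this function sets `TOR_TLS_CTX_USE_ECDHE_P256` or `TOR_TLS_CTX_USE_ECDHE_P224` any more; if this was their only producer, the flag constants and the branches that consume them in the TLS layer are now dead and should go in the same change, or the commit should note they are retained deliberately. Every relay now takes the "no flag set" path, so the TLS layer's default with neither flag should be confirmed to be the P256 choice the removed manpage text promised, rather than a weaker library default. router_initialize_tls_context starts and ends outside the hunk.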
@ -1312,54 +1312,6 @@ test_options_validate__node_families(void *ignored)
|
|||||||
tor_free(msg);
|
tor_free(msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
|
||||||
test_options_validate__tlsec(void *ignored)
|
|
||||||
{
|
|
||||||
(void)ignored;
|
|
||||||
int ret;
|
|
||||||
char *msg;
|
|
||||||
setup_capture_of_logs(LOG_DEBUG);
|
|
||||||
options_test_data_t *tdata = get_options_test_data(
|
|
||||||
"TLSECGroup ed25519\n"
|
|
||||||
"SchedulerHighWaterMark__ 42\n"
|
|
||||||
"SchedulerLowWaterMark__ 10\n");
|
|
||||||
|
|
||||||
ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
|
|
||||||
tt_int_op(ret, OP_EQ, -1);
|
|
||||||
expect_log_msg("Unrecognized TLSECGroup: Falling back to the default.\n");
|
|
||||||
tt_assert(!tdata->opt->TLSECGroup);
|
|
||||||
tor_free(msg);
|
|
||||||
|
|
||||||
free_options_test_data(tdata);
|
|
||||||
tdata = get_options_test_data("TLSECGroup P224\n"
|
|
||||||
"SchedulerHighWaterMark__ 42\n"
|
|
||||||
"SchedulerLowWaterMark__ 10\n");
|
|
||||||
mock_clean_saved_logs();
|
|
||||||
ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
|
|
||||||
tt_int_op(ret, OP_EQ, -1);
|
|
||||||
expect_no_log_msg(
|
|
||||||
"Unrecognized TLSECGroup: Falling back to the default.\n");
|
|
||||||
tt_assert(tdata->opt->TLSECGroup);
|
|
||||||
tor_free(msg);
|
|
||||||
|
|
||||||
free_options_test_data(tdata);
|
|
||||||
tdata = get_options_test_data("TLSECGroup P256\n"
|
|
||||||
"SchedulerHighWaterMark__ 42\n"
|
|
||||||
"SchedulerLowWaterMark__ 10\n");
|
|
||||||
mock_clean_saved_logs();
|
|
||||||
ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
|
|
||||||
tt_int_op(ret, OP_EQ, -1);
|
|
||||||
expect_no_log_msg(
|
|
||||||
"Unrecognized TLSECGroup: Falling back to the default.\n");
|
|
||||||
tt_assert(tdata->opt->TLSECGroup);
|
|
||||||
tor_free(msg);
|
|
||||||
|
|
||||||
done:
|
|
||||||
teardown_capture_of_logs();
|
|
||||||
free_options_test_data(tdata);
|
|
||||||
tor_free(msg);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
test_options_validate__token_bucket(void *ignored)
|
test_options_validate__token_bucket(void *ignored)
|
||||||
{
|
{
|
||||||
@ -4427,7 +4379,6 @@ struct testcase_t options_tests[] = {
|
|||||||
LOCAL_VALIDATE_TEST(exclude_nodes),
|
LOCAL_VALIDATE_TEST(exclude_nodes),
|
||||||
LOCAL_VALIDATE_TEST(scheduler),
|
LOCAL_VALIDATE_TEST(scheduler),
|
||||||
LOCAL_VALIDATE_TEST(node_families),
|
LOCAL_VALIDATE_TEST(node_families),
|
||||||
LOCAL_VALIDATE_TEST(tlsec),
|
|
||||||
LOCAL_VALIDATE_TEST(token_bucket),
|
LOCAL_VALIDATE_TEST(token_bucket),
|
||||||
LOCAL_VALIDATE_TEST(recommended_packages),
|
LOCAL_VALIDATE_TEST(recommended_packages),
|
||||||
LOCAL_VALIDATE_TEST(fetch_dir),
|
LOCAL_VALIDATE_TEST(fetch_dir),
|
||||||
|