config: Remove TLSECGroup option

Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
David Goulet 2017-04-25 14:11:23 -04:00 committed by Nick Mathewson
parent 8aedc589ed
commit 039e2a24da
6 changed files with 3 additions and 99 deletions

View File

@ -17,3 +17,5 @@
and feature no longer exists. and feature no longer exists.
- WarnUnsafeSocks was deprecated in 0.2.9.2-alpha and now has been - WarnUnsafeSocks was deprecated in 0.2.9.2-alpha and now has been
rendered obsolete. Code has been removed and feature no longer exists. rendered obsolete. Code has been removed and feature no longer exists.
- TLSECGroup was deprecated in 0.2.9.2-alpha and now has been rendered
obsolete. Code has been removed and feature no longer exists.

View File

@ -1958,12 +1958,6 @@ is non-zero):
[[GeoIPv6File]] **GeoIPv6File** __filename__:: [[GeoIPv6File]] **GeoIPv6File** __filename__::
A filename containing IPv6 GeoIP data, for use with by-country statistics. A filename containing IPv6 GeoIP data, for use with by-country statistics.
[[TLSECGroup]] **TLSECGroup** **P224**|**P256**::
What EC group should we try to use for incoming TLS connections?
P224 is faster, but makes us stand out more. Has no effect if
we're a client, or if our OpenSSL version lacks support for ECDHE.
(Default: P256)
[[CellStatistics]] **CellStatistics** **0**|**1**:: [[CellStatistics]] **CellStatistics** **0**|**1**::
Relays only. Relays only.
When this option is enabled, Tor collects statistics about cell When this option is enabled, Tor collects statistics about cell

View File

@ -494,7 +494,7 @@ static config_var_t option_vars_[] = {
V(TokenBucketRefillInterval, MSEC_INTERVAL, "100 msec"), V(TokenBucketRefillInterval, MSEC_INTERVAL, "100 msec"),
V(Tor2webMode, BOOL, "0"), V(Tor2webMode, BOOL, "0"),
V(Tor2webRendezvousPoints, ROUTERSET, NULL), V(Tor2webRendezvousPoints, ROUTERSET, NULL),
V(TLSECGroup, STRING, NULL), OBSOLETE("TLSECGroup"),
V(TrackHostExits, CSV, NULL), V(TrackHostExits, CSV, NULL),
V(TrackHostExitsExpire, INTERVAL, "30 minutes"), V(TrackHostExitsExpire, INTERVAL, "30 minutes"),
V(TransListenAddress, LINELIST, NULL), V(TransListenAddress, LINELIST, NULL),
@ -664,8 +664,6 @@ static const config_deprecation_t option_deprecation_notes_[] = {
"a wide variety of application-level attacks." }, "a wide variety of application-level attacks." },
{ "ClientDNSRejectInternalAddresses", "Turning this on makes your client " { "ClientDNSRejectInternalAddresses", "Turning this on makes your client "
"easier to fingerprint, and may open you to esoteric attacks." }, "easier to fingerprint, and may open you to esoteric attacks." },
{ "TLSECGroup", "The default is a nice secure choice; the other option "
"is less secure." },
{ "ControlListenAddress", "Use ControlPort instead." }, { "ControlListenAddress", "Use ControlPort instead." },
{ "DirListenAddress", "Use DirPort instead, possibly with the " { "DirListenAddress", "Use DirPort instead, possibly with the "
"NoAdvertise sub-option" }, "NoAdvertise sub-option" },
@ -1537,23 +1535,6 @@ get_effective_bwburst(const or_options_t *options)
return (uint32_t)bw; return (uint32_t)bw;
} }
/** Return True if any changes from <b>old_options</b> to
* <b>new_options</b> needs us to refresh our TLS context. */
static int
options_transition_requires_fresh_tls_context(const or_options_t *old_options,
const or_options_t *new_options)
{
tor_assert(new_options);
if (!old_options)
return 0;
if (!opt_streq(old_options->TLSECGroup, new_options->TLSECGroup))
return 1;
return 0;
}
/** /**
* Return true if changing the configuration from <b>old</b> to <b>new</b> * Return true if changing the configuration from <b>old</b> to <b>new</b>
* affects the guard susbsystem. * affects the guard susbsystem.
@ -1772,13 +1753,6 @@ options_act(const or_options_t *old_options)
log_warn(LD_BUG,"Error initializing keys; exiting"); log_warn(LD_BUG,"Error initializing keys; exiting");
return -1; return -1;
} }
} else if (old_options &&
options_transition_requires_fresh_tls_context(old_options,
options)) {
if (router_initialize_tls_context() < 0) {
log_warn(LD_BUG,"Error initializing TLS context.");
return -1;
}
} }
/* Write our PID to the PID file. If we do not have write permissions we /* Write our PID to the PID file. If we do not have write permissions we
@ -3140,15 +3114,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
} }
} }
if (options->TLSECGroup && (strcasecmp(options->TLSECGroup, "P256") &&
strcasecmp(options->TLSECGroup, "P224"))) {
COMPLAIN("Unrecognized TLSECGroup: Falling back to the default.");
tor_free(options->TLSECGroup);
}
if (!evaluate_ecgroup_for_tls(options->TLSECGroup)) {
REJECT("Unsupported TLSECGroup.");
}
if (options->ExcludeNodes && options->StrictNodes) { if (options->ExcludeNodes && options->StrictNodes) {
COMPLAIN("You have asked to exclude certain relays from all positions " COMPLAIN("You have asked to exclude certain relays from all positions "
"in your circuits. Expect hidden services and other Tor " "in your circuits. Expect hidden services and other Tor "

View File

@ -4466,8 +4466,6 @@ typedef struct {
int IPv6Exit; /**< Do we support exiting to IPv6 addresses? */ int IPv6Exit; /**< Do we support exiting to IPv6 addresses? */
char *TLSECGroup; /**< One of "P256", "P224", or nil for auto */
/** Fraction: */ /** Fraction: */
double PathsNeededToBuildCircuits; double PathsNeededToBuildCircuits;

View File

@ -779,12 +779,6 @@ router_initialize_tls_context(void)
int lifetime = options->SSLKeyLifetime; int lifetime = options->SSLKeyLifetime;
if (public_server_mode(options)) if (public_server_mode(options))
flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER; flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
if (options->TLSECGroup) {
if (!strcasecmp(options->TLSECGroup, "P256"))
flags |= TOR_TLS_CTX_USE_ECDHE_P256;
else if (!strcasecmp(options->TLSECGroup, "P224"))
flags |= TOR_TLS_CTX_USE_ECDHE_P224;
}
if (!lifetime) { /* we should guess a good ssl cert lifetime */ if (!lifetime) { /* we should guess a good ssl cert lifetime */
/* choose between 5 and 365 days, and round to the day */ /* choose between 5 and 365 days, and round to the day */

View File

@ -1312,54 +1312,6 @@ test_options_validate__node_families(void *ignored)
tor_free(msg); tor_free(msg);
} }
static void
test_options_validate__tlsec(void *ignored)
{
(void)ignored;
int ret;
char *msg;
setup_capture_of_logs(LOG_DEBUG);
options_test_data_t *tdata = get_options_test_data(
"TLSECGroup ed25519\n"
"SchedulerHighWaterMark__ 42\n"
"SchedulerLowWaterMark__ 10\n");
ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
tt_int_op(ret, OP_EQ, -1);
expect_log_msg("Unrecognized TLSECGroup: Falling back to the default.\n");
tt_assert(!tdata->opt->TLSECGroup);
tor_free(msg);
free_options_test_data(tdata);
tdata = get_options_test_data("TLSECGroup P224\n"
"SchedulerHighWaterMark__ 42\n"
"SchedulerLowWaterMark__ 10\n");
mock_clean_saved_logs();
ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
tt_int_op(ret, OP_EQ, -1);
expect_no_log_msg(
"Unrecognized TLSECGroup: Falling back to the default.\n");
tt_assert(tdata->opt->TLSECGroup);
tor_free(msg);
free_options_test_data(tdata);
tdata = get_options_test_data("TLSECGroup P256\n"
"SchedulerHighWaterMark__ 42\n"
"SchedulerLowWaterMark__ 10\n");
mock_clean_saved_logs();
ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
tt_int_op(ret, OP_EQ, -1);
expect_no_log_msg(
"Unrecognized TLSECGroup: Falling back to the default.\n");
tt_assert(tdata->opt->TLSECGroup);
tor_free(msg);
done:
teardown_capture_of_logs();
free_options_test_data(tdata);
tor_free(msg);
}
static void static void
test_options_validate__token_bucket(void *ignored) test_options_validate__token_bucket(void *ignored)
{ {
@ -4427,7 +4379,6 @@ struct testcase_t options_tests[] = {
LOCAL_VALIDATE_TEST(exclude_nodes), LOCAL_VALIDATE_TEST(exclude_nodes),
LOCAL_VALIDATE_TEST(scheduler), LOCAL_VALIDATE_TEST(scheduler),
LOCAL_VALIDATE_TEST(node_families), LOCAL_VALIDATE_TEST(node_families),
LOCAL_VALIDATE_TEST(tlsec),
LOCAL_VALIDATE_TEST(token_bucket), LOCAL_VALIDATE_TEST(token_bucket),
LOCAL_VALIDATE_TEST(recommended_packages), LOCAL_VALIDATE_TEST(recommended_packages),
LOCAL_VALIDATE_TEST(fetch_dir), LOCAL_VALIDATE_TEST(fetch_dir),