nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-09-19 20:46:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Remove TAP key from extend_info_t

Browse Source
This commit is contained in:
Nick Mathewson 2024-06-24 14:15:04 -04:00
parent 07f0a2b964
commit 0428aef13a
13 changed files with 15 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/core/or/circuitbuild.c
View File

@ -411,13 +411,6 @@ onion_populate_cpath(origin_circuit_t *circ)
/* We would like every path to support ntor, but we have to allow for some
* edge cases. */
tor_assert(circuit_get_cpath_len(circ));
if (circuit_can_use_tap(circ)) {
/* Circuits from clients to intro points, and hidden services to rend
* points do not support ntor, because the hidden service protocol does
* not include ntor onion keys. This is also true for Single Onion
* Services. */
return 0;
}
if (circuit_get_cpath_len(circ) == 1) {
/* Allow for bootstrapping: when we're fetching directly from a fallback,
@ -2626,29 +2619,6 @@ build_state_get_exit_nickname(cpath_build_state_t *state)
return state->chosen_exit->nickname;
}
/* Is circuit purpose allowed to use the deprecated TAP encryption protocol?
* The hidden service protocol still uses TAP for some connections, because
* ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
static int
circuit_purpose_can_use_tap_impl(uint8_t purpose)
{
return (purpose == CIRCUIT_PURPOSE_S_CONNECT_REND ||
purpose == CIRCUIT_PURPOSE_C_INTRODUCING);
}
/* Is circ allowed to use the deprecated TAP encryption protocol?
* The hidden service protocol still uses TAP for some connections, because
* ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
int
circuit_can_use_tap(const origin_circuit_t *circ)
{
tor_assert(circ);
tor_assert(circ->cpath);
tor_assert(circ->cpath->extend_info);
return (circuit_purpose_can_use_tap_impl(circ->base_.purpose) &&
extend_info_supports_tap(circ->cpath->extend_info));
}
/* Does circ have an onion key which it's allowed to use? */
int
circuit_has_usable_onion_key(const origin_circuit_t *circ)
@ -2656,8 +2626,7 @@ circuit_has_usable_onion_key(const origin_circuit_t *circ)
tor_assert(circ);
tor_assert(circ->cpath);
tor_assert(circ->cpath->extend_info);
return (extend_info_supports_ntor(circ->cpath->extend_info) ||
circuit_can_use_tap(circ));
return extend_info_supports_ntor(circ->cpath->extend_info);
}
/** Find the circuits that are waiting to find out whether their guards are

1
src/core/or/circuitbuild.h
View File

@ -48,7 +48,6 @@ MOCK_DECL(int, circuit_all_predicted_ports_handled, (time_t now,
int circuit_append_new_exit(origin_circuit_t *circ, extend_info_t *info);
int circuit_extend_to_new_exit(origin_circuit_t *circ, extend_info_t *info);
int circuit_can_use_tap(const origin_circuit_t *circ);
int circuit_has_usable_onion_key(const origin_circuit_t *circ);
const uint8_t *build_state_get_exit_rsa_id(cpath_build_state_t *state);
MOCK_DECL(const node_t *,

2
src/core/or/circuituse.c
View File

@ -2473,7 +2473,7 @@ circuit_get_open_circ_or_launch(entry_connection_t *conn,
extend_info = extend_info_new(conn->chosen_exit_name+1,
digest,
NULL, /* Ed25519 ID */
NULL, NULL, /* onion keys */
NULL, /* onion keys */
&addr, conn->socks_request->port,
NULL,
false);

2
src/core/or/extend_info_st.h
View File

@ -34,8 +34,6 @@ struct extend_info_t {
/** IP/Port values for this hop's ORPort(s). Any unused values are set
* to a null address. */
tor_addr_port_t orports[EXTEND_INFO_MAX_ADDRS];
/** TAP onion key for this hop. */
crypto_pk_t *onion_key;
/** Ntor onion key for this hop. */
curve25519_public_key_t curve25519_onion_key;
/** True if this hop is to be used as an _exit_,

21
src/core/or/extendinfo.c
View File

@ -33,7 +33,6 @@ extend_info_t *
extend_info_new(const char *nickname,
const char *rsa_id_digest,
const ed25519_public_key_t *ed_id,
crypto_pk_t *onion_key,
const curve25519_public_key_t *ntor_key,
const tor_addr_t *addr, uint16_t port,
const protover_summary_flags_t *pv,
@ -46,8 +45,6 @@ extend_info_new(const char *nickname,
memcpy(&info->ed_identity, ed_id, sizeof(ed25519_public_key_t));
if (nickname)
strlcpy(info->nickname, nickname, sizeof(info->nickname));
if (onion_key)
info->onion_key = crypto_pk_dup_key(onion_key);
if (ntor_key)
memcpy(&info->curve25519_onion_key, ntor_key,
sizeof(curve25519_public_key_t));
@ -149,13 +146,11 @@ extend_info_from_node(const node_t *node, int for_direct_connect,
/* Retrieve the curve25519 pubkey. */
const curve25519_public_key_t *curve_pubkey =
node_get_curve25519_onion_key(node);
rsa_pubkey = node_get_rsa_onion_key(node);
if (valid_addr && node->ri) {
info = extend_info_new(node->ri->nickname,
node->identity,
ed_pubkey,
rsa_pubkey,
curve_pubkey,
&ap.addr,
ap.port,
@ -165,7 +160,6 @@ extend_info_from_node(const node_t *node, int for_direct_connect,
info = extend_info_new(node->rs->nickname,
node->identity,
ed_pubkey,
rsa_pubkey,
curve_pubkey,
&ap.addr,
ap.port,
@ -173,7 +167,6 @@ extend_info_from_node(const node_t *node, int for_direct_connect,
for_exit);
}
crypto_pk_free(rsa_pubkey);
return info;
}
@ -183,7 +176,6 @@ extend_info_free_(extend_info_t *info)
{
if (!info)
return;
crypto_pk_free(info->onion_key);
tor_free(info);
}
@ -196,22 +188,9 @@ extend_info_dup(extend_info_t *info)
tor_assert(info);
newinfo = tor_malloc(sizeof(extend_info_t));
memcpy(newinfo, info, sizeof(extend_info_t));
if (info->onion_key)
newinfo->onion_key = crypto_pk_dup_key(info->onion_key);
else
newinfo->onion_key = NULL;
return newinfo;
}
/* Does ei have a valid TAP key? */
int
extend_info_supports_tap(const extend_info_t* ei)
{
tor_assert(ei);
/* Valid TAP keys are not NULL */
return ei->onion_key != NULL;
}
/* Does ei have a valid ntor key? */
int
extend_info_supports_ntor(const extend_info_t* ei)

2
src/core/or/extendinfo.h
View File

@ -15,7 +15,6 @@
extend_info_t *extend_info_new(const char *nickname,
const char *rsa_id_digest,
const struct ed25519_public_key_t *ed_id,
crypto_pk_t *onion_key,
const struct curve25519_public_key_t *ntor_key,
const tor_addr_t *addr, uint16_t port,
const struct protover_summary_flags_t *pv,
@ -27,7 +26,6 @@ void extend_info_free_(extend_info_t *info);
#define extend_info_free(info) \
FREE_AND_NULL(extend_info_t, extend_info_free_, (info))
int extend_info_addr_is_allowed(const tor_addr_t *addr);
int extend_info_supports_tap(const extend_info_t* ei);
int extend_info_supports_ntor(const extend_info_t* ei);
int extend_info_supports_ntor_v3(const extend_info_t *ei);
int extend_info_has_preferred_onion_key(const extend_info_t* ei);

6
src/feature/client/bridges.c
View File

@ -316,7 +316,8 @@ addr_is_a_configured_bridge(const tor_addr_t *addr,
/** If we have a bridge configured whose digest matches
* <b>ei->identity_digest</b>, or a bridge with no known digest whose address
* matches <b>ei->addr</b>:<b>ei->port</b>, return 1. Else return 0.
* If <b>ei->onion_key</b> is NULL, check for address/port matches only.
* If <b>ei</b> has no onion key configured, check for address/port matches
* only.
*
* Note that if the extend_info_t contains multiple addresses, we return true
* only if _every_ address is a bridge.
@ -324,7 +325,8 @@ addr_is_a_configured_bridge(const tor_addr_t *addr,
int
extend_info_is_a_configured_bridge(const extend_info_t *ei)
{
const char *digest = ei->onion_key ? ei->identity_digest : NULL;
const char *digest = curve25519_public_key_is_ok(&ei->curve25519_onion_key)
? ei->identity_digest : NULL;
const tor_addr_port_t *ap1 = NULL, *ap2 = NULL;
if (! tor_addr_is_null(&ei->orports[0].addr))
ap1 = &ei->orports[0];

2
src/feature/hs/hs_common.c
View File

@ -1686,7 +1686,7 @@ hs_get_extend_info_from_lspecs(const smartlist_t *lspecs,
/* We do have everything for which we think we can connect successfully. */
info = extend_info_new(NULL, legacy_id,
(have_ed25519_id) ? &ed25519_pk : NULL, NULL,
(have_ed25519_id) ? &ed25519_pk : NULL,
onion_key, &ap.addr, ap.port, NULL, false);
done:
return info;

1
src/feature/relay/circuitbuild_relay.c
View File

@ -389,7 +389,6 @@ circuit_open_connection_for_extend(const struct extend_cell_t *ec,
circ->n_hop = extend_info_new(NULL /*nickname*/,
(const char*)ec->node_id,
&ec->ed_pubkey,
NULL, /*onion_key*/
NULL, /*curve25519_key*/
&chosen_ap->addr,
chosen_ap->port,

6
src/feature/relay/selftest.c
View File

@ -201,7 +201,6 @@ have_orport_for_family(int family)
static extend_info_t *
extend_info_from_router(const routerinfo_t *r, int family)
{
crypto_pk_t *rsa_pubkey;
extend_info_t *info;
tor_addr_port_t ap;
@ -224,15 +223,14 @@ extend_info_from_router(const routerinfo_t *r, int family)
/* We don't have an ORPort for the requested family. */
return NULL;
}
rsa_pubkey = router_get_rsa_onion_pkey(r->onion_pkey, r->onion_pkey_len);
info = extend_info_new(r->nickname, r->cache_info.identity_digest,
ed_id_key,
rsa_pubkey, r->onion_curve25519_pkey,
r->onion_curve25519_pkey,
&ap.addr, ap.port,
/* TODO-324: Should self-test circuits use
* congestion control? */
NULL, false);
crypto_pk_free(rsa_pubkey);
return info;
}

2
src/test/test_circuitpadding.c
View File

@ -1608,7 +1608,7 @@ simulate_single_hop_extend(circuit_t *client, circuit_t *mid_relay,
hop->extend_info = extend_info_new(
padding ? "padding" : "non-padding",
digest, NULL, NULL, NULL,
digest, NULL, NULL,
&addr, padding, NULL, false);
cpath_init_circuit_crypto(hop, whatevs_key, sizeof(whatevs_key), 0, 0);

2
src/test/test_conflux_pool.c
View File

@ -349,7 +349,7 @@ simulate_single_hop_extend(origin_circuit_t *client, int exit)
hop->extend_info = extend_info_new(
exit ? "exit" : "non-exit",
digest, NULL, NULL, NULL,
digest, NULL, NULL,
&addr, exit, NULL, exit);
cpath_init_circuit_crypto(hop, whatevs_key, sizeof(whatevs_key), 0, 0);

8
src/test/test_hs_client.c
View File

@ -1192,7 +1192,7 @@ test_socks_hs_errors(void *arg)
ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
/* Code path will log this exit so build it. */
ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest,
NULL, NULL, NULL, &addr,
NULL, NULL, &addr,
4242, NULL, false);
/* Attach socks connection to this rendezvous circuit. */
ocirc->p_streams = ENTRY_TO_EDGE_CONN(socks_conn);
@ -1287,7 +1287,7 @@ test_close_intro_circuit_failure(void *arg)
ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
/* Code path will log this exit so build it. */
ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest,
NULL, NULL, NULL, &addr,
NULL, NULL, &addr,
4242, NULL, false);
ed25519_pubkey_copy(&ocirc->hs_ident->intro_auth_pk, &intro_kp.pubkey);
@ -1314,7 +1314,7 @@ test_close_intro_circuit_failure(void *arg)
ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
/* Code path will log this exit so build it. */
ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest,
NULL, NULL, NULL, &addr,
NULL, NULL, &addr,
4242, NULL, false);
ed25519_pubkey_copy(&ocirc->hs_ident->intro_auth_pk, &intro_kp.pubkey);
@ -1337,7 +1337,7 @@ test_close_intro_circuit_failure(void *arg)
ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
/* Code path will log this exit so build it. */
ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest,
NULL, NULL, NULL, &addr,
NULL, NULL, &addr,
4242, NULL, false);
ed25519_pubkey_copy(&ocirc->hs_ident->intro_auth_pk, &intro_kp.pubkey);