mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-23 14:40:51 +01:00
Code Issues Projects Releases Wiki Activity

Remove TAP key from extend_info_t

Browse source
This commit is contained in:
Nick Mathewson 2024-06-24 14:15:04 -04:00
parent 07f0a2b964
commit 0428aef13a
13 changed files with 15 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
src/core/or/circuitbuild.c
View file

@ -411,13 +411,6 @@ onion_populate_cpath(origin_circuit_t *circ)
/* We would like every path to support ntor, but we have to allow for some /* We would like every path to support ntor, but we have to allow for some
* edge cases. */ * edge cases. */
tor_assert(circuit_get_cpath_len(circ)); tor_assert(circuit_get_cpath_len(circ));
if (circuit_can_use_tap(circ)) {
/* Circuits from clients to intro points, and hidden services to rend
* points do not support ntor, because the hidden service protocol does
* not include ntor onion keys. This is also true for Single Onion
* Services. */
return 0;
}
if (circuit_get_cpath_len(circ) == 1) { if (circuit_get_cpath_len(circ) == 1) {
/* Allow for bootstrapping: when we're fetching directly from a fallback, /* Allow for bootstrapping: when we're fetching directly from a fallback,
@ -2626,29 +2619,6 @@ build_state_get_exit_nickname(cpath_build_state_t *state)
return state->chosen_exit->nickname; return state->chosen_exit->nickname;
} }
/* Is circuit purpose allowed to use the deprecated TAP encryption protocol?
* The hidden service protocol still uses TAP for some connections, because
* ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
static int
circuit_purpose_can_use_tap_impl(uint8_t purpose)
{
return (purpose == CIRCUIT_PURPOSE_S_CONNECT_REND ||
purpose == CIRCUIT_PURPOSE_C_INTRODUCING);
}
/* Is circ allowed to use the deprecated TAP encryption protocol?
* The hidden service protocol still uses TAP for some connections, because
* ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
int
circuit_can_use_tap(const origin_circuit_t *circ)
{
tor_assert(circ);
tor_assert(circ->cpath);
tor_assert(circ->cpath->extend_info);
return (circuit_purpose_can_use_tap_impl(circ->base_.purpose) &&
extend_info_supports_tap(circ->cpath->extend_info));
}
/* Does circ have an onion key which it's allowed to use? */ /* Does circ have an onion key which it's allowed to use? */
int int
circuit_has_usable_onion_key(const origin_circuit_t *circ) circuit_has_usable_onion_key(const origin_circuit_t *circ)
@ -2656,8 +2626,7 @@ circuit_has_usable_onion_key(const origin_circuit_t *circ)
tor_assert(circ); tor_assert(circ);
tor_assert(circ->cpath); tor_assert(circ->cpath);
tor_assert(circ->cpath->extend_info); tor_assert(circ->cpath->extend_info);
return (extend_info_supports_ntor(circ->cpath->extend_info) || return extend_info_supports_ntor(circ->cpath->extend_info);
circuit_can_use_tap(circ));
} }
/** Find the circuits that are waiting to find out whether their guards are /** Find the circuits that are waiting to find out whether their guards are

1
src/core/or/circuitbuild.h
View file

@ -48,7 +48,6 @@ MOCK_DECL(int, circuit_all_predicted_ports_handled, (time_t now,
int circuit_append_new_exit(origin_circuit_t *circ, extend_info_t *info); int circuit_append_new_exit(origin_circuit_t *circ, extend_info_t *info);
int circuit_extend_to_new_exit(origin_circuit_t *circ, extend_info_t *info); int circuit_extend_to_new_exit(origin_circuit_t *circ, extend_info_t *info);
int circuit_can_use_tap(const origin_circuit_t *circ);
int circuit_has_usable_onion_key(const origin_circuit_t *circ); int circuit_has_usable_onion_key(const origin_circuit_t *circ);
const uint8_t *build_state_get_exit_rsa_id(cpath_build_state_t *state); const uint8_t *build_state_get_exit_rsa_id(cpath_build_state_t *state);
MOCK_DECL(const node_t *, MOCK_DECL(const node_t *,

2
src/core/or/circuituse.c
View file

@ -2473,7 +2473,7 @@ circuit_get_open_circ_or_launch(entry_connection_t *conn,
extend_info = extend_info_new(conn->chosen_exit_name+1, extend_info = extend_info_new(conn->chosen_exit_name+1,
digest, digest,
NULL, /* Ed25519 ID */ NULL, /* Ed25519 ID */
NULL, NULL, /* onion keys */ NULL, /* onion keys */
&addr, conn->socks_request->port, &addr, conn->socks_request->port,
NULL, NULL,
false); false);

2
src/core/or/extend_info_st.h
View file

@ -34,8 +34,6 @@ struct extend_info_t {
/** IP/Port values for this hop's ORPort(s). Any unused values are set /** IP/Port values for this hop's ORPort(s). Any unused values are set
* to a null address. */ * to a null address. */
tor_addr_port_t orports[EXTEND_INFO_MAX_ADDRS]; tor_addr_port_t orports[EXTEND_INFO_MAX_ADDRS];
/** TAP onion key for this hop. */
crypto_pk_t *onion_key;
/** Ntor onion key for this hop. */ /** Ntor onion key for this hop. */
curve25519_public_key_t curve25519_onion_key; curve25519_public_key_t curve25519_onion_key;
/** True if this hop is to be used as an _exit_, /** True if this hop is to be used as an _exit_,

21
src/core/or/extendinfo.c
View file

@ -33,7 +33,6 @@ extend_info_t *
extend_info_new(const char *nickname, extend_info_new(const char *nickname,
const char *rsa_id_digest, const char *rsa_id_digest,
const ed25519_public_key_t *ed_id, const ed25519_public_key_t *ed_id,
crypto_pk_t *onion_key,
const curve25519_public_key_t *ntor_key, const curve25519_public_key_t *ntor_key,
const tor_addr_t *addr, uint16_t port, const tor_addr_t *addr, uint16_t port,
const protover_summary_flags_t *pv, const protover_summary_flags_t *pv,
@ -46,8 +45,6 @@ extend_info_new(const char *nickname,
memcpy(&info->ed_identity, ed_id, sizeof(ed25519_public_key_t)); memcpy(&info->ed_identity, ed_id, sizeof(ed25519_public_key_t));
if (nickname) if (nickname)
strlcpy(info->nickname, nickname, sizeof(info->nickname)); strlcpy(info->nickname, nickname, sizeof(info->nickname));
if (onion_key)
info->onion_key = crypto_pk_dup_key(onion_key);
if (ntor_key) if (ntor_key)
memcpy(&info->curve25519_onion_key, ntor_key, memcpy(&info->curve25519_onion_key, ntor_key,
sizeof(curve25519_public_key_t)); sizeof(curve25519_public_key_t));
@ -149,13 +146,11 @@ extend_info_from_node(const node_t *node, int for_direct_connect,
/* Retrieve the curve25519 pubkey. */ /* Retrieve the curve25519 pubkey. */
const curve25519_public_key_t *curve_pubkey = const curve25519_public_key_t *curve_pubkey =
node_get_curve25519_onion_key(node); node_get_curve25519_onion_key(node);
rsa_pubkey = node_get_rsa_onion_key(node);
if (valid_addr && node->ri) { if (valid_addr && node->ri) {
info = extend_info_new(node->ri->nickname, info = extend_info_new(node->ri->nickname,
node->identity, node->identity,
ed_pubkey, ed_pubkey,
rsa_pubkey,
curve_pubkey, curve_pubkey,
&ap.addr, &ap.addr,
ap.port, ap.port,
@ -165,7 +160,6 @@ extend_info_from_node(const node_t *node, int for_direct_connect,
info = extend_info_new(node->rs->nickname, info = extend_info_new(node->rs->nickname,
node->identity, node->identity,
ed_pubkey, ed_pubkey,
rsa_pubkey,
curve_pubkey, curve_pubkey,
&ap.addr, &ap.addr,
ap.port, ap.port,
@ -173,7 +167,6 @@ extend_info_from_node(const node_t *node, int for_direct_connect,
for_exit); for_exit);
} }
crypto_pk_free(rsa_pubkey);
return info; return info;
} }
@ -183,7 +176,6 @@ extend_info_free_(extend_info_t *info)
{ {
if (!info) if (!info)
return; return;
crypto_pk_free(info->onion_key);
tor_free(info); tor_free(info);
} }
@ -196,22 +188,9 @@ extend_info_dup(extend_info_t *info)
tor_assert(info); tor_assert(info);
newinfo = tor_malloc(sizeof(extend_info_t)); newinfo = tor_malloc(sizeof(extend_info_t));
memcpy(newinfo, info, sizeof(extend_info_t)); memcpy(newinfo, info, sizeof(extend_info_t));
if (info->onion_key)
newinfo->onion_key = crypto_pk_dup_key(info->onion_key);
else
newinfo->onion_key = NULL;
return newinfo; return newinfo;
} }
/* Does ei have a valid TAP key? */
int
extend_info_supports_tap(const extend_info_t* ei)
{
tor_assert(ei);
/* Valid TAP keys are not NULL */
return ei->onion_key != NULL;
}
/* Does ei have a valid ntor key? */ /* Does ei have a valid ntor key? */
int int
extend_info_supports_ntor(const extend_info_t* ei) extend_info_supports_ntor(const extend_info_t* ei)

2
src/core/or/extendinfo.h
View file

@ -15,7 +15,6 @@
extend_info_t *extend_info_new(const char *nickname, extend_info_t *extend_info_new(const char *nickname,
const char *rsa_id_digest, const char *rsa_id_digest,
const struct ed25519_public_key_t *ed_id, const struct ed25519_public_key_t *ed_id,
crypto_pk_t *onion_key,
const struct curve25519_public_key_t *ntor_key, const struct curve25519_public_key_t *ntor_key,
const tor_addr_t *addr, uint16_t port, const tor_addr_t *addr, uint16_t port,
const struct protover_summary_flags_t *pv, const struct protover_summary_flags_t *pv,
@ -27,7 +26,6 @@ void extend_info_free_(extend_info_t *info);
#define extend_info_free(info) \ #define extend_info_free(info) \
FREE_AND_NULL(extend_info_t, extend_info_free_, (info)) FREE_AND_NULL(extend_info_t, extend_info_free_, (info))
int extend_info_addr_is_allowed(const tor_addr_t *addr); int extend_info_addr_is_allowed(const tor_addr_t *addr);
int extend_info_supports_tap(const extend_info_t* ei);
int extend_info_supports_ntor(const extend_info_t* ei); int extend_info_supports_ntor(const extend_info_t* ei);
int extend_info_supports_ntor_v3(const extend_info_t *ei); int extend_info_supports_ntor_v3(const extend_info_t *ei);
int extend_info_has_preferred_onion_key(const extend_info_t* ei); int extend_info_has_preferred_onion_key(const extend_info_t* ei);

6
src/feature/client/bridges.c
View file

@ -316,7 +316,8 @@ addr_is_a_configured_bridge(const tor_addr_t *addr,
/** If we have a bridge configured whose digest matches /** If we have a bridge configured whose digest matches
* <b>ei->identity_digest</b>, or a bridge with no known digest whose address * <b>ei->identity_digest</b>, or a bridge with no known digest whose address
* matches <b>ei->addr</b>:<b>ei->port</b>, return 1. Else return 0. * matches <b>ei->addr</b>:<b>ei->port</b>, return 1. Else return 0.
* If <b>ei->onion_key</b> is NULL, check for address/port matches only. * If <b>ei</b> has no onion key configured, check for address/port matches
* only.
* *
* Note that if the extend_info_t contains multiple addresses, we return true * Note that if the extend_info_t contains multiple addresses, we return true
* only if _every_ address is a bridge. * only if _every_ address is a bridge.
@ -324,7 +325,8 @@ addr_is_a_configured_bridge(const tor_addr_t *addr,
int int
extend_info_is_a_configured_bridge(const extend_info_t *ei) extend_info_is_a_configured_bridge(const extend_info_t *ei)
{ {
const char *digest = ei->onion_key ? ei->identity_digest : NULL; const char *digest = curve25519_public_key_is_ok(&ei->curve25519_onion_key)
? ei->identity_digest : NULL;
const tor_addr_port_t *ap1 = NULL, *ap2 = NULL; const tor_addr_port_t *ap1 = NULL, *ap2 = NULL;
if (! tor_addr_is_null(&ei->orports[0].addr)) if (! tor_addr_is_null(&ei->orports[0].addr))
ap1 = &ei->orports[0]; ap1 = &ei->orports[0];

2
src/feature/hs/hs_common.c
View file

@ -1686,7 +1686,7 @@ hs_get_extend_info_from_lspecs(const smartlist_t *lspecs,
/* We do have everything for which we think we can connect successfully. */ /* We do have everything for which we think we can connect successfully. */
info = extend_info_new(NULL, legacy_id, info = extend_info_new(NULL, legacy_id,
(have_ed25519_id) ? &ed25519_pk : NULL, NULL, (have_ed25519_id) ? &ed25519_pk : NULL,
onion_key, &ap.addr, ap.port, NULL, false); onion_key, &ap.addr, ap.port, NULL, false);
done: done:
return info; return info;

1
src/feature/relay/circuitbuild_relay.c
View file

@ -389,7 +389,6 @@ circuit_open_connection_for_extend(const struct extend_cell_t *ec,
circ->n_hop = extend_info_new(NULL /*nickname*/, circ->n_hop = extend_info_new(NULL /*nickname*/,
(const char*)ec->node_id, (const char*)ec->node_id,
&ec->ed_pubkey, &ec->ed_pubkey,
NULL, /*onion_key*/
NULL, /*curve25519_key*/ NULL, /*curve25519_key*/
&chosen_ap->addr, &chosen_ap->addr,
chosen_ap->port, chosen_ap->port,

6
src/feature/relay/selftest.c
View file

@ -201,7 +201,6 @@ have_orport_for_family(int family)
static extend_info_t * static extend_info_t *
extend_info_from_router(const routerinfo_t *r, int family) extend_info_from_router(const routerinfo_t *r, int family)
{ {
crypto_pk_t *rsa_pubkey;
extend_info_t *info; extend_info_t *info;
tor_addr_port_t ap; tor_addr_port_t ap;
@ -224,15 +223,14 @@ extend_info_from_router(const routerinfo_t *r, int family)
/* We don't have an ORPort for the requested family. */ /* We don't have an ORPort for the requested family. */
return NULL; return NULL;
} }
rsa_pubkey = router_get_rsa_onion_pkey(r->onion_pkey, r->onion_pkey_len);
info = extend_info_new(r->nickname, r->cache_info.identity_digest, info = extend_info_new(r->nickname, r->cache_info.identity_digest,
ed_id_key, ed_id_key,
rsa_pubkey, r->onion_curve25519_pkey, r->onion_curve25519_pkey,
&ap.addr, ap.port, &ap.addr, ap.port,
/* TODO-324: Should self-test circuits use /* TODO-324: Should self-test circuits use
* congestion control? */ * congestion control? */
NULL, false); NULL, false);
crypto_pk_free(rsa_pubkey);
return info; return info;
} }

2
src/test/test_circuitpadding.c
View file

@ -1608,7 +1608,7 @@ simulate_single_hop_extend(circuit_t *client, circuit_t *mid_relay,
hop->extend_info = extend_info_new( hop->extend_info = extend_info_new(
padding ? "padding" : "non-padding", padding ? "padding" : "non-padding",
digest, NULL, NULL, NULL, digest, NULL, NULL,
&addr, padding, NULL, false); &addr, padding, NULL, false);
cpath_init_circuit_crypto(hop, whatevs_key, sizeof(whatevs_key), 0, 0); cpath_init_circuit_crypto(hop, whatevs_key, sizeof(whatevs_key), 0, 0);

2
src/test/test_conflux_pool.c
View file

@ -349,7 +349,7 @@ simulate_single_hop_extend(origin_circuit_t *client, int exit)
hop->extend_info = extend_info_new( hop->extend_info = extend_info_new(
exit ? "exit" : "non-exit", exit ? "exit" : "non-exit",
digest, NULL, NULL, NULL, digest, NULL, NULL,
&addr, exit, NULL, exit); &addr, exit, NULL, exit);
cpath_init_circuit_crypto(hop, whatevs_key, sizeof(whatevs_key), 0, 0); cpath_init_circuit_crypto(hop, whatevs_key, sizeof(whatevs_key), 0, 0);

8
src/test/test_hs_client.c
View file

@ -1192,7 +1192,7 @@ test_socks_hs_errors(void *arg)
ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t)); ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
/* Code path will log this exit so build it. */ /* Code path will log this exit so build it. */
ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest, ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest,
NULL, NULL, NULL, &addr, NULL, NULL, &addr,
4242, NULL, false); 4242, NULL, false);
/* Attach socks connection to this rendezvous circuit. */ /* Attach socks connection to this rendezvous circuit. */
ocirc->p_streams = ENTRY_TO_EDGE_CONN(socks_conn); ocirc->p_streams = ENTRY_TO_EDGE_CONN(socks_conn);
@ -1287,7 +1287,7 @@ test_close_intro_circuit_failure(void *arg)
ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t)); ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
/* Code path will log this exit so build it. */ /* Code path will log this exit so build it. */
ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest, ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest,
NULL, NULL, NULL, &addr, NULL, NULL, &addr,
4242, NULL, false); 4242, NULL, false);
ed25519_pubkey_copy(&ocirc->hs_ident->intro_auth_pk, &intro_kp.pubkey); ed25519_pubkey_copy(&ocirc->hs_ident->intro_auth_pk, &intro_kp.pubkey);
@ -1314,7 +1314,7 @@ test_close_intro_circuit_failure(void *arg)
ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t)); ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
/* Code path will log this exit so build it. */ /* Code path will log this exit so build it. */
ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest, ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest,
NULL, NULL, NULL, &addr, NULL, NULL, &addr,
4242, NULL, false); 4242, NULL, false);
ed25519_pubkey_copy(&ocirc->hs_ident->intro_auth_pk, &intro_kp.pubkey); ed25519_pubkey_copy(&ocirc->hs_ident->intro_auth_pk, &intro_kp.pubkey);
@ -1337,7 +1337,7 @@ test_close_intro_circuit_failure(void *arg)
ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t)); ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t));
/* Code path will log this exit so build it. */ /* Code path will log this exit so build it. */
ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest, ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest,
NULL, NULL, NULL, &addr, NULL, NULL, &addr,
4242, NULL, false); 4242, NULL, false);
ed25519_pubkey_copy(&ocirc->hs_ident->intro_auth_pk, &intro_kp.pubkey); ed25519_pubkey_copy(&ocirc->hs_ident->intro_auth_pk, &intro_kp.pubkey);