diff options
author | Nick Mathewson <nickm@torproject.org> | 2024-06-24 14:15:04 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2024-06-26 11:42:36 -0400 |
commit | 0428aef13a4043d2181b52e62c019d5cb4710283 (patch) | |
tree | c0225ad1ddd257558b4182664cc48c86df961a20 | |
parent | 07f0a2b964eedd1ced201f2d1d82ec0089fac371 (diff) | |
download | tor-0428aef13a4043d2181b52e62c019d5cb4710283.tar.gz tor-0428aef13a4043d2181b52e62c019d5cb4710283.zip |
Remove TAP key from extend_info_t
-rw-r--r-- | src/core/or/circuitbuild.c | 33 | ||||
-rw-r--r-- | src/core/or/circuitbuild.h | 1 | ||||
-rw-r--r-- | src/core/or/circuituse.c | 2 | ||||
-rw-r--r-- | src/core/or/extend_info_st.h | 2 | ||||
-rw-r--r-- | src/core/or/extendinfo.c | 21 | ||||
-rw-r--r-- | src/core/or/extendinfo.h | 2 | ||||
-rw-r--r-- | src/feature/client/bridges.c | 6 | ||||
-rw-r--r-- | src/feature/hs/hs_common.c | 2 | ||||
-rw-r--r-- | src/feature/relay/circuitbuild_relay.c | 1 | ||||
-rw-r--r-- | src/feature/relay/selftest.c | 6 | ||||
-rw-r--r-- | src/test/test_circuitpadding.c | 2 | ||||
-rw-r--r-- | src/test/test_conflux_pool.c | 2 | ||||
-rw-r--r-- | src/test/test_hs_client.c | 8 |
13 files changed, 15 insertions, 73 deletions
diff --git a/src/core/or/circuitbuild.c b/src/core/or/circuitbuild.c index bbfb247b1a..bcf44ca248 100644 --- a/src/core/or/circuitbuild.c +++ b/src/core/or/circuitbuild.c @@ -411,13 +411,6 @@ onion_populate_cpath(origin_circuit_t *circ) /* We would like every path to support ntor, but we have to allow for some * edge cases. */ tor_assert(circuit_get_cpath_len(circ)); - if (circuit_can_use_tap(circ)) { - /* Circuits from clients to intro points, and hidden services to rend - * points do not support ntor, because the hidden service protocol does - * not include ntor onion keys. This is also true for Single Onion - * Services. */ - return 0; - } if (circuit_get_cpath_len(circ) == 1) { /* Allow for bootstrapping: when we're fetching directly from a fallback, @@ -2626,29 +2619,6 @@ build_state_get_exit_nickname(cpath_build_state_t *state) return state->chosen_exit->nickname; } -/* Is circuit purpose allowed to use the deprecated TAP encryption protocol? - * The hidden service protocol still uses TAP for some connections, because - * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */ -static int -circuit_purpose_can_use_tap_impl(uint8_t purpose) -{ - return (purpose == CIRCUIT_PURPOSE_S_CONNECT_REND || - purpose == CIRCUIT_PURPOSE_C_INTRODUCING); -} - -/* Is circ allowed to use the deprecated TAP encryption protocol? - * The hidden service protocol still uses TAP for some connections, because - * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */ -int -circuit_can_use_tap(const origin_circuit_t *circ) -{ - tor_assert(circ); - tor_assert(circ->cpath); - tor_assert(circ->cpath->extend_info); - return (circuit_purpose_can_use_tap_impl(circ->base_.purpose) && - extend_info_supports_tap(circ->cpath->extend_info)); -} - /* Does circ have an onion key which it's allowed to use? */ int circuit_has_usable_onion_key(const origin_circuit_t *circ) @@ -2656,8 +2626,7 @@ circuit_has_usable_onion_key(const origin_circuit_t *circ) tor_assert(circ); tor_assert(circ->cpath); tor_assert(circ->cpath->extend_info); - return (extend_info_supports_ntor(circ->cpath->extend_info) || - circuit_can_use_tap(circ)); + return extend_info_supports_ntor(circ->cpath->extend_info); } /** Find the circuits that are waiting to find out whether their guards are diff --git a/src/core/or/circuitbuild.h b/src/core/or/circuitbuild.h index c76259fc29..ac3bf52135 100644 --- a/src/core/or/circuitbuild.h +++ b/src/core/or/circuitbuild.h @@ -48,7 +48,6 @@ MOCK_DECL(int, circuit_all_predicted_ports_handled, (time_t now, int circuit_append_new_exit(origin_circuit_t *circ, extend_info_t *info); int circuit_extend_to_new_exit(origin_circuit_t *circ, extend_info_t *info); -int circuit_can_use_tap(const origin_circuit_t *circ); int circuit_has_usable_onion_key(const origin_circuit_t *circ); const uint8_t *build_state_get_exit_rsa_id(cpath_build_state_t *state); MOCK_DECL(const node_t *, diff --git a/src/core/or/circuituse.c b/src/core/or/circuituse.c index ac9005e1d4..33886e9919 100644 --- a/src/core/or/circuituse.c +++ b/src/core/or/circuituse.c @@ -2473,7 +2473,7 @@ circuit_get_open_circ_or_launch(entry_connection_t *conn, extend_info = extend_info_new(conn->chosen_exit_name+1, digest, NULL, /* Ed25519 ID */ - NULL, NULL, /* onion keys */ + NULL, /* onion keys */ &addr, conn->socks_request->port, NULL, false); diff --git a/src/core/or/extend_info_st.h b/src/core/or/extend_info_st.h index 2ab0beb7e6..5f59bd2299 100644 --- a/src/core/or/extend_info_st.h +++ b/src/core/or/extend_info_st.h @@ -34,8 +34,6 @@ struct extend_info_t { /** IP/Port values for this hop's ORPort(s). Any unused values are set * to a null address. */ tor_addr_port_t orports[EXTEND_INFO_MAX_ADDRS]; - /** TAP onion key for this hop. */ - crypto_pk_t *onion_key; /** Ntor onion key for this hop. */ curve25519_public_key_t curve25519_onion_key; /** True if this hop is to be used as an _exit_, diff --git a/src/core/or/extendinfo.c b/src/core/or/extendinfo.c index ca623f09ce..b37d9831ed 100644 --- a/src/core/or/extendinfo.c +++ b/src/core/or/extendinfo.c @@ -33,7 +33,6 @@ extend_info_t * extend_info_new(const char *nickname, const char *rsa_id_digest, const ed25519_public_key_t *ed_id, - crypto_pk_t *onion_key, const curve25519_public_key_t *ntor_key, const tor_addr_t *addr, uint16_t port, const protover_summary_flags_t *pv, @@ -46,8 +45,6 @@ extend_info_new(const char *nickname, memcpy(&info->ed_identity, ed_id, sizeof(ed25519_public_key_t)); if (nickname) strlcpy(info->nickname, nickname, sizeof(info->nickname)); - if (onion_key) - info->onion_key = crypto_pk_dup_key(onion_key); if (ntor_key) memcpy(&info->curve25519_onion_key, ntor_key, sizeof(curve25519_public_key_t)); @@ -149,13 +146,11 @@ extend_info_from_node(const node_t *node, int for_direct_connect, /* Retrieve the curve25519 pubkey. */ const curve25519_public_key_t *curve_pubkey = node_get_curve25519_onion_key(node); - rsa_pubkey = node_get_rsa_onion_key(node); if (valid_addr && node->ri) { info = extend_info_new(node->ri->nickname, node->identity, ed_pubkey, - rsa_pubkey, curve_pubkey, &ap.addr, ap.port, @@ -165,7 +160,6 @@ extend_info_from_node(const node_t *node, int for_direct_connect, info = extend_info_new(node->rs->nickname, node->identity, ed_pubkey, - rsa_pubkey, curve_pubkey, &ap.addr, ap.port, @@ -173,7 +167,6 @@ extend_info_from_node(const node_t *node, int for_direct_connect, for_exit); } - crypto_pk_free(rsa_pubkey); return info; } @@ -183,7 +176,6 @@ extend_info_free_(extend_info_t *info) { if (!info) return; - crypto_pk_free(info->onion_key); tor_free(info); } @@ -196,22 +188,9 @@ extend_info_dup(extend_info_t *info) tor_assert(info); newinfo = tor_malloc(sizeof(extend_info_t)); memcpy(newinfo, info, sizeof(extend_info_t)); - if (info->onion_key) - newinfo->onion_key = crypto_pk_dup_key(info->onion_key); - else - newinfo->onion_key = NULL; return newinfo; } -/* Does ei have a valid TAP key? */ -int -extend_info_supports_tap(const extend_info_t* ei) -{ - tor_assert(ei); - /* Valid TAP keys are not NULL */ - return ei->onion_key != NULL; -} - /* Does ei have a valid ntor key? */ int extend_info_supports_ntor(const extend_info_t* ei) diff --git a/src/core/or/extendinfo.h b/src/core/or/extendinfo.h index 6d1f20597b..3419a4e043 100644 --- a/src/core/or/extendinfo.h +++ b/src/core/or/extendinfo.h @@ -15,7 +15,6 @@ extend_info_t *extend_info_new(const char *nickname, const char *rsa_id_digest, const struct ed25519_public_key_t *ed_id, - crypto_pk_t *onion_key, const struct curve25519_public_key_t *ntor_key, const tor_addr_t *addr, uint16_t port, const struct protover_summary_flags_t *pv, @@ -27,7 +26,6 @@ void extend_info_free_(extend_info_t *info); #define extend_info_free(info) \ FREE_AND_NULL(extend_info_t, extend_info_free_, (info)) int extend_info_addr_is_allowed(const tor_addr_t *addr); -int extend_info_supports_tap(const extend_info_t* ei); int extend_info_supports_ntor(const extend_info_t* ei); int extend_info_supports_ntor_v3(const extend_info_t *ei); int extend_info_has_preferred_onion_key(const extend_info_t* ei); diff --git a/src/feature/client/bridges.c b/src/feature/client/bridges.c index a0375828a7..f4f7ac23a3 100644 --- a/src/feature/client/bridges.c +++ b/src/feature/client/bridges.c @@ -316,7 +316,8 @@ addr_is_a_configured_bridge(const tor_addr_t *addr, /** If we have a bridge configured whose digest matches * <b>ei->identity_digest</b>, or a bridge with no known digest whose address * matches <b>ei->addr</b>:<b>ei->port</b>, return 1. Else return 0. - * If <b>ei->onion_key</b> is NULL, check for address/port matches only. + * If <b>ei</b> has no onion key configured, check for address/port matches + * only. * * Note that if the extend_info_t contains multiple addresses, we return true * only if _every_ address is a bridge. @@ -324,7 +325,8 @@ addr_is_a_configured_bridge(const tor_addr_t *addr, int extend_info_is_a_configured_bridge(const extend_info_t *ei) { - const char *digest = ei->onion_key ? ei->identity_digest : NULL; + const char *digest = curve25519_public_key_is_ok(&ei->curve25519_onion_key) + ? ei->identity_digest : NULL; const tor_addr_port_t *ap1 = NULL, *ap2 = NULL; if (! tor_addr_is_null(&ei->orports[0].addr)) ap1 = &ei->orports[0]; diff --git a/src/feature/hs/hs_common.c b/src/feature/hs/hs_common.c index cd7e4890d1..e16ec89ccb 100644 --- a/src/feature/hs/hs_common.c +++ b/src/feature/hs/hs_common.c @@ -1686,7 +1686,7 @@ hs_get_extend_info_from_lspecs(const smartlist_t *lspecs, /* We do have everything for which we think we can connect successfully. */ info = extend_info_new(NULL, legacy_id, - (have_ed25519_id) ? &ed25519_pk : NULL, NULL, + (have_ed25519_id) ? &ed25519_pk : NULL, onion_key, &ap.addr, ap.port, NULL, false); done: return info; diff --git a/src/feature/relay/circuitbuild_relay.c b/src/feature/relay/circuitbuild_relay.c index 88b578c4a4..5ece5b4adc 100644 --- a/src/feature/relay/circuitbuild_relay.c +++ b/src/feature/relay/circuitbuild_relay.c @@ -389,7 +389,6 @@ circuit_open_connection_for_extend(const struct extend_cell_t *ec, circ->n_hop = extend_info_new(NULL /*nickname*/, (const char*)ec->node_id, &ec->ed_pubkey, - NULL, /*onion_key*/ NULL, /*curve25519_key*/ &chosen_ap->addr, chosen_ap->port, diff --git a/src/feature/relay/selftest.c b/src/feature/relay/selftest.c index 399b6bca6e..0a80a5d47e 100644 --- a/src/feature/relay/selftest.c +++ b/src/feature/relay/selftest.c @@ -201,7 +201,6 @@ have_orport_for_family(int family) static extend_info_t * extend_info_from_router(const routerinfo_t *r, int family) { - crypto_pk_t *rsa_pubkey; extend_info_t *info; tor_addr_port_t ap; @@ -224,15 +223,14 @@ extend_info_from_router(const routerinfo_t *r, int family) /* We don't have an ORPort for the requested family. */ return NULL; } - rsa_pubkey = router_get_rsa_onion_pkey(r->onion_pkey, r->onion_pkey_len); info = extend_info_new(r->nickname, r->cache_info.identity_digest, ed_id_key, - rsa_pubkey, r->onion_curve25519_pkey, + r->onion_curve25519_pkey, &ap.addr, ap.port, /* TODO-324: Should self-test circuits use * congestion control? */ NULL, false); - crypto_pk_free(rsa_pubkey); + return info; } diff --git a/src/test/test_circuitpadding.c b/src/test/test_circuitpadding.c index 63b7136a11..95401465c1 100644 --- a/src/test/test_circuitpadding.c +++ b/src/test/test_circuitpadding.c @@ -1608,7 +1608,7 @@ simulate_single_hop_extend(circuit_t *client, circuit_t *mid_relay, hop->extend_info = extend_info_new( padding ? "padding" : "non-padding", - digest, NULL, NULL, NULL, + digest, NULL, NULL, &addr, padding, NULL, false); cpath_init_circuit_crypto(hop, whatevs_key, sizeof(whatevs_key), 0, 0); diff --git a/src/test/test_conflux_pool.c b/src/test/test_conflux_pool.c index 05dc7b14ff..6fe3c8b65b 100644 --- a/src/test/test_conflux_pool.c +++ b/src/test/test_conflux_pool.c @@ -349,7 +349,7 @@ simulate_single_hop_extend(origin_circuit_t *client, int exit) hop->extend_info = extend_info_new( exit ? "exit" : "non-exit", - digest, NULL, NULL, NULL, + digest, NULL, NULL, &addr, exit, NULL, exit); cpath_init_circuit_crypto(hop, whatevs_key, sizeof(whatevs_key), 0, 0); diff --git a/src/test/test_hs_client.c b/src/test/test_hs_client.c index a02dca1b60..ac6f940cc7 100644 --- a/src/test/test_hs_client.c +++ b/src/test/test_hs_client.c @@ -1192,7 +1192,7 @@ test_socks_hs_errors(void *arg) ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t)); /* Code path will log this exit so build it. */ ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest, - NULL, NULL, NULL, &addr, + NULL, NULL, &addr, 4242, NULL, false); /* Attach socks connection to this rendezvous circuit. */ ocirc->p_streams = ENTRY_TO_EDGE_CONN(socks_conn); @@ -1287,7 +1287,7 @@ test_close_intro_circuit_failure(void *arg) ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t)); /* Code path will log this exit so build it. */ ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest, - NULL, NULL, NULL, &addr, + NULL, NULL, &addr, 4242, NULL, false); ed25519_pubkey_copy(ô->hs_ident->intro_auth_pk, &intro_kp.pubkey); @@ -1314,7 +1314,7 @@ test_close_intro_circuit_failure(void *arg) ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t)); /* Code path will log this exit so build it. */ ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest, - NULL, NULL, NULL, &addr, + NULL, NULL, &addr, 4242, NULL, false); ed25519_pubkey_copy(ô->hs_ident->intro_auth_pk, &intro_kp.pubkey); @@ -1337,7 +1337,7 @@ test_close_intro_circuit_failure(void *arg) ocirc->build_state = tor_malloc_zero(sizeof(cpath_build_state_t)); /* Code path will log this exit so build it. */ ocirc->build_state->chosen_exit = extend_info_new("TestNickname", digest, - NULL, NULL, NULL, &addr, + NULL, NULL, &addr, 4242, NULL, false); ed25519_pubkey_copy(ô->hs_ident->intro_auth_pk, &intro_kp.pubkey); |