config: Remove TLSECGroup option

Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans up the code associated with it. Partially fixes #22060 Signed-off-by: David Goulet <dgoulet@torproject.org>
author: David Goulet <dgoulet@torproject.org> 2017-04-25 14:11:23 -0400
committer: Nick Mathewson <nickm@torproject.org> 2017-05-09 10:30:52 -0400
commit: 039e2a24da522f483909e0eb55f963dce6e3b0e5 (patch)
tree: a60ac06bf84084532d98b3e5d0c02ebf55ade10e /src
parent: 8aedc589edf78a75092868192869fe84b5a53816 (diff)
download: tor-039e2a24da522f483909e0eb55f963dce6e3b0e5.tar.gz
tor-039e2a24da522f483909e0eb55f963dce6e3b0e5.zip
4 files changed, 1 insertions, 93 deletions
diff --git a/src/or/config.c b/src/or/config.c
index 1af554a3fa..72063dbe3e 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -494,7 +494,7 @@ static config_var_t option_vars_[] = {
   V(TokenBucketRefillInterval,   MSEC_INTERVAL, "100 msec"),
   V(Tor2webMode,                 BOOL,     "0"),
   V(Tor2webRendezvousPoints,      ROUTERSET, NULL),
-  V(TLSECGroup,                  STRING,   NULL),
+  OBSOLETE("TLSECGroup"),
   V(TrackHostExits,              CSV,      NULL),
   V(TrackHostExitsExpire,        INTERVAL, "30 minutes"),
   V(TransListenAddress,          LINELIST, NULL),
@@ -664,8 +664,6 @@ static const config_deprecation_t option_deprecation_notes_[] = {
     "a wide variety of application-level attacks." },
   { "ClientDNSRejectInternalAddresses", "Turning this on makes your client "
     "easier to fingerprint, and may open you to esoteric attacks." },
-  { "TLSECGroup", "The default is a nice secure choice; the other option "
-    "is less secure." },
   { "ControlListenAddress", "Use ControlPort instead." },
   { "DirListenAddress", "Use DirPort instead, possibly with the "
     "NoAdvertise sub-option" },
@@ -1537,23 +1535,6 @@ get_effective_bwburst(const or_options_t *options)
   return (uint32_t)bw;
 }
 
-/** Return True if any changes from <b>old_options</b> to
- * <b>new_options</b> needs us to refresh our TLS context. */
-static int
-options_transition_requires_fresh_tls_context(const or_options_t *old_options,
-                                              const or_options_t *new_options)
-{
-  tor_assert(new_options);
-
-  if (!old_options)
-    return 0;
-
-  if (!opt_streq(old_options->TLSECGroup, new_options->TLSECGroup))
-    return 1;
-
-  return 0;
-}
-
 /**
  * Return true if changing the configuration from <b>old</b> to <b>new</b>
  * affects the guard susbsystem.
@@ -1772,13 +1753,6 @@ options_act(const or_options_t *old_options)
       log_warn(LD_BUG,"Error initializing keys; exiting");
       return -1;
     }
-  } else if (old_options &&
-             options_transition_requires_fresh_tls_context(old_options,
-                                                           options)) {
-    if (router_initialize_tls_context() < 0) {
-      log_warn(LD_BUG,"Error initializing TLS context.");
-      return -1;
-    }
   }
 
   /* Write our PID to the PID file. If we do not have write permissions we
@@ -3140,15 +3114,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
     }
   }
 
-  if (options->TLSECGroup && (strcasecmp(options->TLSECGroup, "P256") &&
-                              strcasecmp(options->TLSECGroup, "P224"))) {
-    COMPLAIN("Unrecognized TLSECGroup: Falling back to the default.");
-    tor_free(options->TLSECGroup);
-  }
-  if (!evaluate_ecgroup_for_tls(options->TLSECGroup)) {
-    REJECT("Unsupported TLSECGroup.");
-  }
-
   if (options->ExcludeNodes && options->StrictNodes) {
     COMPLAIN("You have asked to exclude certain relays from all positions "
              "in your circuits. Expect hidden services and other Tor "
diff --git a/src/or/or.h b/src/or/or.h
index da3285038a..75b5fb3ba7 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -4466,8 +4466,6 @@ typedef struct {
 
   int IPv6Exit; /**< Do we support exiting to IPv6 addresses? */
 
-  char *TLSECGroup; /**< One of "P256", "P224", or nil for auto */
-
   /** Fraction: */
   double PathsNeededToBuildCircuits;
 
diff --git a/src/or/router.c b/src/or/router.c
index ca86c33bd6..ef54921bfe 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -779,12 +779,6 @@ router_initialize_tls_context(void)
   int lifetime = options->SSLKeyLifetime;
   if (public_server_mode(options))
     flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
-  if (options->TLSECGroup) {
-    if (!strcasecmp(options->TLSECGroup, "P256"))
-      flags |= TOR_TLS_CTX_USE_ECDHE_P256;
-    else if (!strcasecmp(options->TLSECGroup, "P224"))
-      flags |= TOR_TLS_CTX_USE_ECDHE_P224;
-  }
   if (!lifetime) { /* we should guess a good ssl cert lifetime */
 
     /* choose between 5 and 365 days, and round to the day */
diff --git a/src/test/test_options.c b/src/test/test_options.c
index 2a7dfbdaef..1886797c96 100644
--- a/src/test/test_options.c
+++ b/src/test/test_options.c
@@ -1313,54 +1313,6 @@ test_options_validate__node_families(void *ignored)
 }
 
 static void
-test_options_validate__tlsec(void *ignored)
-{
-  (void)ignored;
-  int ret;
-  char *msg;
-  setup_capture_of_logs(LOG_DEBUG);
-  options_test_data_t *tdata = get_options_test_data(
-                                 "TLSECGroup ed25519\n"
-                                 "SchedulerHighWaterMark__ 42\n"
-                                 "SchedulerLowWaterMark__ 10\n");
-
-  ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
-  tt_int_op(ret, OP_EQ, -1);
-  expect_log_msg("Unrecognized TLSECGroup: Falling back to the default.\n");
-  tt_assert(!tdata->opt->TLSECGroup);
-  tor_free(msg);
-
-  free_options_test_data(tdata);
-  tdata = get_options_test_data("TLSECGroup P224\n"
-                                "SchedulerHighWaterMark__ 42\n"
-                                "SchedulerLowWaterMark__ 10\n");
-  mock_clean_saved_logs();
-  ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
-  tt_int_op(ret, OP_EQ, -1);
-  expect_no_log_msg(
-            "Unrecognized TLSECGroup: Falling back to the default.\n");
-  tt_assert(tdata->opt->TLSECGroup);
-  tor_free(msg);
-
-  free_options_test_data(tdata);
-  tdata = get_options_test_data("TLSECGroup P256\n"
-                                "SchedulerHighWaterMark__ 42\n"
-                                "SchedulerLowWaterMark__ 10\n");
-  mock_clean_saved_logs();
-  ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
-  tt_int_op(ret, OP_EQ, -1);
-  expect_no_log_msg(
-            "Unrecognized TLSECGroup: Falling back to the default.\n");
-  tt_assert(tdata->opt->TLSECGroup);
-  tor_free(msg);
-
- done:
-  teardown_capture_of_logs();
-  free_options_test_data(tdata);
-  tor_free(msg);
-}
-
-static void
 test_options_validate__token_bucket(void *ignored)
 {
   (void)ignored;
@@ -4427,7 +4379,6 @@ struct testcase_t options_tests[] = {
   LOCAL_VALIDATE_TEST(exclude_nodes),
   LOCAL_VALIDATE_TEST(scheduler),
   LOCAL_VALIDATE_TEST(node_families),
-  LOCAL_VALIDATE_TEST(tlsec),
   LOCAL_VALIDATE_TEST(token_bucket),
   LOCAL_VALIDATE_TEST(recommended_packages),
   LOCAL_VALIDATE_TEST(fetch_dir),
author	David Goulet <dgoulet@torproject.org>	2017-04-25 14:11:23 -0400
committer	Nick Mathewson <nickm@torproject.org>	2017-05-09 10:30:52 -0400
commit	039e2a24da522f483909e0eb55f963dce6e3b0e5 (patch)
tree	a60ac06bf84084532d98b3e5d0c02ebf55ade10e /src
parent	8aedc589edf78a75092868192869fe84b5a53816 (diff)
download	tor-039e2a24da522f483909e0eb55f963dce6e3b0e5.tar.gz tor-039e2a24da522f483909e0eb55f963dce6e3b0e5.zip