diff options
| -rw-r--r-- | changes/prop221 | 6 | ||||
| -rw-r--r-- | doc/tor.1.txt | 8 | ||||
| -rw-r--r-- | src/or/circuitbuild.c | 8 | ||||
| -rw-r--r-- | src/or/circuituse.c | 9 | ||||
| -rw-r--r-- | src/or/command.c | 1 | ||||
| -rw-r--r-- | src/or/config.c | 2 | ||||
| -rw-r--r-- | src/or/or.h | 3 |
7 files changed, 26 insertions, 11 deletions
diff --git a/changes/prop221 b/changes/prop221 new file mode 100644 index 000000000..b2bf44bc3 --- /dev/null +++ b/changes/prop221 @@ -0,0 +1,6 @@ + o Minor features: + - Stop sending the CREATE_FAST cells by default; instead, use a + parameter in the consensus to decide whether to use + CREATE_FAST. This can improve security on connections where + Tor's circuit handshake is stronger than the available TLS + connection security levels. Implements proposal 221. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 5dc17b5f3..86928718a 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1140,15 +1140,17 @@ The following options are useful only for clients (that is, if the node "foo". Disabled by default since attacking websites and exit relays can use it to manipulate your path selection. (Default: 0) -[[FastFirstHopPK]] **FastFirstHopPK** **0**|**1**:: +[[FastFirstHopPK]] **FastFirstHopPK** **0**|**1**|**auto**:: When this option is disabled, Tor uses the public key step for the first hop of creating circuits. Skipping it is generally safe since we have already used TLS to authenticate the relay and to establish forward-secure - keys. Turning this option off makes circuit building slower. + + keys. Turning this option off makes circuit building a little + slower. Setting this option to "auto" takes advice from the authorities + in the latest consensus about whether to use this feature. + + Note that Tor will always use the public key step for the first hop if it's operating as a relay, and it will never use the public key step if it - doesn't yet know the onion key of the first hop. (Default: 1) + doesn't yet know the onion key of the first hop. (Default: auto) [[TransPort]] **TransPort** \['address':]__port__|**auto** [_isolation flags_]:: Open this port to listen for transparent proxy connections. Set this to diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index a120b4659..8e6bb59ef 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -585,16 +585,18 @@ should_use_create_fast_for_circuit(origin_circuit_t *circ) if (!circ->cpath->extend_info->onion_key) return 1; /* our hand is forced: only a create_fast will work. */ - if (!options->FastFirstHopPK) - return 0; /* we prefer to avoid create_fast */ if (public_server_mode(options)) { /* We're a server, and we know an onion key. We can choose. * Prefer to blend our circuit into the other circuits we are * creating on behalf of others. */ return 0; } + if (options->FastFirstHopPK == -1) { + /* option is "auto", so look at the consensus. */ + return networkstatus_get_param(NULL, "usecreatefast", 1, 0, 1); + } - return 1; + return options->FastFirstHopPK; } /** Return true if <b>circ</b> is the type of circuit we want to count diff --git a/src/or/circuituse.c b/src/or/circuituse.c index f098cd9bb..cb9e93191 100644 --- a/src/or/circuituse.c +++ b/src/or/circuituse.c @@ -1378,10 +1378,11 @@ circuit_build_failed(origin_circuit_t *circ) failed_at_last_hop = 1; } if (circ->cpath && - circ->cpath->state != CPATH_STATE_OPEN) { - /* We failed at the first hop. If there's an OR connection - * to blame, blame it. Also, avoid this relay for a while, and - * fail any one-hop directory fetches destined for it. */ + circ->cpath->state != CPATH_STATE_OPEN && + ! circ->base_.received_destroy) { + /* We failed at the first hop for some reason other than a DESTROY cell. + * If there's an OR connection to blame, blame it. Also, avoid this relay + * for a while, and fail any one-hop directory fetches destined for it. */ const char *n_chan_id = circ->cpath->extend_info->identity_digest; int already_marked = 0; if (circ->base_.n_chan) { diff --git a/src/or/command.c b/src/or/command.c index 5a671183b..9b3ff16f2 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -526,6 +526,7 @@ command_process_destroy_cell(cell_t *cell, channel_t *chan) log_debug(LD_OR,"Received for circID %u.",(unsigned)cell->circ_id); reason = (uint8_t)cell->payload[0]; + circ->received_destroy = 1; if (!CIRCUIT_IS_ORIGIN(circ) && cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id) { diff --git a/src/or/config.c b/src/or/config.c index 045cd3818..5fc32153e 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -242,7 +242,7 @@ static config_var_t option_vars_[] = { OBSOLETE("FallbackNetworkstatusFile"), V(FascistFirewall, BOOL, "0"), V(FirewallPorts, CSV, ""), - V(FastFirstHopPK, BOOL, "1"), + V(FastFirstHopPK, AUTOBOOL, "auto"), V(FetchDirInfoEarly, BOOL, "0"), V(FetchDirInfoExtraEarly, BOOL, "0"), V(FetchServerDescriptors, BOOL, "1"), diff --git a/src/or/or.h b/src/or/or.h index 92c0692b6..a31324850 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2898,6 +2898,9 @@ typedef struct circuit_t { * it on the output buffer. */ unsigned int n_delete_pending : 1; + /** True iff this circuit has received a DESTROY cell in either direction */ + unsigned int received_destroy : 1; + uint8_t state; /**< Current status of this circuit. */ uint8_t purpose; /**< Why are we creating this circuit? */ |