November 2013 - tor-commits - lists.torproject.org

[torspec/master] Document what we use for KH when we're doing ntor.
by nickm＠torproject.org 02 Nov '13

02 Nov '13

commit 36761c7d553df7b0160bd1180c19b4a58362c827 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Nov 1 19:43:42 2013 -0400 Document what we use for KH when we're doing ntor. KH is part of the material derived from the KDF during the onion key process. In the TAP handshake, KH played two roles: it was sent by the server towards the client to prove that the server was able to complete the TAP handshake, AND it was included as part of the RELAY_ESTABLISH_INTRO message to make it impossible to replay a RELAY_ESTABLISH_INTRO from one circuit on another circuit. With the ntor handshake, the first value of KH was removed. But we still needed a shared, circuit-specific value for hidden service code to work. This value is taken as an additional 20 bytes from the KDF. It wasn't documented in the spec, though. Adding it here. --- tor-spec.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tor-spec.txt b/tor-spec.txt index 80d9e23..0ec3b3d 100644 --- a/tor-spec.txt +++ b/tor-spec.txt @@ -1000,8 +1000,9 @@ see tor-design.pdf. When used in the ntor handshake, the first HASH_LEN bytes form the forward digest Df; the next HASH_LEN form the backward digest Db; the - next KEY_LEN form Kf, and the final KEY_LEN form Kb. Excess bytes - from K are discarded. + next KEY_LEN form Kf, the next KEY_LEN form Kb, and the final + DIGEST_LEN bytes are taken as a nonce to use in the place of KH in the + hidden service protocol. Excess bytes from K are discarded. 5.3. Creating circuits

1 0

[tlsdate/debian-master] add libtool to Build-Depends
by ioerror＠torproject.org 02 Nov '13

02 Nov '13

commit c44299df9e8c686ad1e361282f7e4e57df2b8ff1 Author: Leif Ryge <leif(a)synthesize.us> Date: Fri Jun 14 23:55:37 2013 +0000 add libtool to Build-Depends --- debian/control | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index b619cb1..be27bee 100644 --- a/debian/control +++ b/debian/control @@ -7,7 +7,8 @@ Build-Depends: autotools-dev, debhelper (>= 7.0.50~), dh-apparmor, hardening-wrapper, - libssl-dev + libssl-dev, + libtool Standards-Version: 3.9.4 Homepage: https://www.github.com/ioerror/tlsdate/

1 0

[tlsdate/debian-master] Merge pull request #113 from leif/debian-master
by ioerror＠torproject.org 02 Nov '13

02 Nov '13

commit 774198917a3f9209edd143f8ed1519a74771688f Merge: 815fc35 c44299d Author: Jacob Appelbaum <jacob(a)appelbaum.net> Date: Fri Jun 14 17:23:52 2013 -0700 Merge pull request #113 from leif/debian-master add libtool to Build-Depends debian/control | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

1 0

[tlsdate/debian-master] Merge branch 'debian-master' of github.com:ioerror/tlsdate into debian-master
by ioerror＠torproject.org 02 Nov '13

02 Nov '13

commit a5687fadbec9b5ca0b017500e71c12c29e53a3d2 Merge: 5b38f7e 7741989 Author: Jacob Appelbaum <jacob(a)appelbaum.net> Date: Sat Nov 2 00:52:08 2013 +0100 Merge branch 'debian-master' of github.com:ioerror/tlsdate into debian-master debian/control | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --cc debian/control index 40ba441,be27bee..5d9879e --- a/debian/control +++ b/debian/control @@@ -7,11 -7,10 +7,12 @@@ Build-Depends: autotools-dev debhelper (>= 7.0.50~), dh-apparmor, hardening-wrapper, - libssl-dev + libssl-dev, + libtool Standards-Version: 3.9.4 Homepage: https://www.github.com/ioerror/tlsdate/ +Vcs-Git: https://www.github.com/ioerror/tlsdate/ -b debian-master +Vcs-Browser: https://www.github.com/ioerror/tlsdate/ Package: tlsdate Architecture: any

1 0

[tlsdate/master] Bump to version 0.0.7
by ioerror＠torproject.org 02 Nov '13

02 Nov '13

commit e33b89520228fbe1689651710bc1b38bf82b3594 Author: Jacob Appelbaum <jacob(a)appelbaum.net> Date: Sat Nov 2 00:49:36 2013 +0100 Bump to version 0.0.7 --- CHANGELOG | 2 +- configure.ac | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 2fda880..2708a9f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,4 +1,4 @@ -0.0.7 TBD +0.0.7 Sat 2 Nov, 2013 Add tentative -plan9.[ch] versions of tlsdate-helper. Add -x option to tlsdated to override source proxies. Correctly check SANs against target host when using proxies. diff --git a/configure.ac b/configure.ac index 99b81de..04ea89a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([tlsdate],[0.0.6],[jacob at appelbaum.net] +AC_INIT([tlsdate],[0.0.7],[jacob at appelbaum.net] AC_CONFIG_AUX_DIR([config]) AC_CONFIG_MACRO_DIR([m4])

1 0

[tlsdate/master] Add verbose change to CHANGELOG
by ioerror＠torproject.org 02 Nov '13

02 Nov '13

commit 4403ac5f4623c697fdb2ee7be48dfee6ebaf7813 Author: Jacob Appelbaum <jacob(a)appelbaum.net> Date: Sat Nov 2 00:48:43 2013 +0100 Add verbose change to CHANGELOG --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG b/CHANGELOG index 1996acc..2fda880 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -22,6 +22,7 @@ Add -w option to get time from HTTPS header instead of from TLS ServerHello Update AppArmor profile Add simple systemd service file + Extra verbose output available with -vv; useful verbosity is -v 0.0.6 Mon 18 Feb, 2013 Ensure that tlsdate compiles with g++ by explicit casting rather than implicit casting by whatever compiler is compiling tlsdate.

1 0

[tlsdate/debian-master] Merge branch 'master' into debian-master
by ioerror＠torproject.org 02 Nov '13

02 Nov '13

commit 5b38f7e594fd0f5bf76eccb75efe5b1a6a1d0c8e Merge: d7ed509 e33b895 Author: Jacob Appelbaum <jacob(a)appelbaum.net> Date: Sat Nov 2 00:49:42 2013 +0100 Merge branch 'master' into debian-master CHANGELOG | 3 ++- README | 20 +++----------------- configure.ac | 2 +- 3 files changed, 6 insertions(+), 19 deletions(-)

1 0

[tlsdate/debian-master] Update README to make it timeless, so to speak
by ioerror＠torproject.org 02 Nov '13

02 Nov '13

commit cc1ccee56aa6e1fb33fc3ffc7bd109ebce5227d6 Author: Jacob Appelbaum <jacob(a)appelbaum.net> Date: Sat Nov 2 00:37:38 2013 +0100 Update README to make it timeless, so to speak --- README | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/README b/README index 79e1d01..2eccdde 100644 --- a/README +++ b/README @@ -12,6 +12,7 @@ invoke tlsdate to keep the clock in sync. Start it like so: /etc/init.d/tlsdate start + Here is an example an unprivileged user fetching the remote time: % tlsdate -V -n -H encrypted.google.com @@ -27,23 +28,7 @@ clock and printing it: Here is an example with a custom host and custom port without verification: - % sudo tlsdate -v --skip-verification -p 80 -H rgnx.net - V: tlsdate version 0.0.6 - V: We were called with the following arguments: - V: disable SSL certificate check host = rgnx.net:80 - WARNING: Skipping certificate verification! - V: time is currently 1366419507.456647065 - V: time is greater than RECENT_COMPILE_DATE - V: using TLSv1_client_method() - V: Using OpenSSL for SSL - V: opening socket to rgnx.net:80 - V: Certificate verification skipped! - V: public key is ready for inspection - V: key type: EVP_PKEY_RSA - V: keybits: 1024 - V: key length appears safe - V: server time 1366419508 (difference is about -1 s) was fetched in 338 ms - V: setting time succeeded + % sudo tlsdate --skip-verification -p 80 -H rgnx.net Here is an example where a system may not have any kind of RTC at boot. Do the time warp to restore sanity and do so with a leap of faith: @@ -59,3 +44,4 @@ HTTP services: % sudo tlsdate -V -l -t -w Wed Oct 30 18:08:46 CET 2013 +

1 0

[tlsdate/master] Update README to make it timeless, so to speak
by ioerror＠torproject.org 02 Nov '13

02 Nov '13

commit cc1ccee56aa6e1fb33fc3ffc7bd109ebce5227d6 Author: Jacob Appelbaum <jacob(a)appelbaum.net> Date: Sat Nov 2 00:37:38 2013 +0100 Update README to make it timeless, so to speak --- README | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/README b/README index 79e1d01..2eccdde 100644 --- a/README +++ b/README @@ -12,6 +12,7 @@ invoke tlsdate to keep the clock in sync. Start it like so: /etc/init.d/tlsdate start + Here is an example an unprivileged user fetching the remote time: % tlsdate -V -n -H encrypted.google.com @@ -27,23 +28,7 @@ clock and printing it: Here is an example with a custom host and custom port without verification: - % sudo tlsdate -v --skip-verification -p 80 -H rgnx.net - V: tlsdate version 0.0.6 - V: We were called with the following arguments: - V: disable SSL certificate check host = rgnx.net:80 - WARNING: Skipping certificate verification! - V: time is currently 1366419507.456647065 - V: time is greater than RECENT_COMPILE_DATE - V: using TLSv1_client_method() - V: Using OpenSSL for SSL - V: opening socket to rgnx.net:80 - V: Certificate verification skipped! - V: public key is ready for inspection - V: key type: EVP_PKEY_RSA - V: keybits: 1024 - V: key length appears safe - V: server time 1366419508 (difference is about -1 s) was fetched in 338 ms - V: setting time succeeded + % sudo tlsdate --skip-verification -p 80 -H rgnx.net Here is an example where a system may not have any kind of RTC at boot. Do the time warp to restore sanity and do so with a leap of faith: @@ -59,3 +44,4 @@ HTTP services: % sudo tlsdate -V -l -t -w Wed Oct 30 18:08:46 CET 2013 +

1 0

[tlsdate/debian-master] Add verbose change to CHANGELOG
by ioerror＠torproject.org 02 Nov '13

02 Nov '13

commit 4403ac5f4623c697fdb2ee7be48dfee6ebaf7813 Author: Jacob Appelbaum <jacob(a)appelbaum.net> Date: Sat Nov 2 00:48:43 2013 +0100 Add verbose change to CHANGELOG --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG b/CHANGELOG index 1996acc..2fda880 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -22,6 +22,7 @@ Add -w option to get time from HTTPS header instead of from TLS ServerHello Update AppArmor profile Add simple systemd service file + Extra verbose output available with -vv; useful verbosity is -v 0.0.6 Mon 18 Feb, 2013 Ensure that tlsdate compiles with g++ by explicit casting rather than implicit casting by whatever compiler is compiling tlsdate.

1 0