[tor-bugs] #4548 [Tor Bridge]: Implement dynamic (rakshasa) primes (part of proposal 179)

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Nov 26 00:57:13 UTC 2011


#4548: Implement dynamic (rakshasa) primes (part of proposal 179)
------------------------+---------------------------------------------------
 Reporter:  asn         |          Owner:                    
     Type:  defect      |         Status:  needs_review      
 Priority:  normal      |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor Bridge  |        Version:                    
 Keywords:              |         Parent:  #3972             
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by asn):

 Replying to [comment:11 nickm]:
 > Replying to [comment:10 asn]:
 > > Replying to [comment:6 nickm]:
 > > > Remaining issues, in addition to those above, after second review:
 > > >
 > > >  * If this new option is going to be on-by-default, then clients really shouldn't pay attention to it, since they shouldn't actually need to have a group at all.
 > >
 > > True. I'm only doing dynamic DH stuff to bridges now.
 >
 > Hm. This seems like something all servers should want.  I didn't see the part that made this bridges-only; where can I find it?
 >

 f477ddcc20d5fc8c130b630854947a337881cd23 "Only bother with dynamic DH
 moduli if we are a bridge."
 If tor is not a bridge, it generates the static DH prime modulus of
 Apache, like it used to.

 Assuming that the Apache DH prime modulus is as safe as any other randomly
 generated DH modulus, why would a public relay operator want it? It takes
 time to generate and it writes gibberish about "dynamic DH stuff" in their
 logs.

 > > >  * Checking a file status right before opening it is prone to race conditions; it's better just to open the file and see if you get an error. There should be functions in util.c to do this. (This one could get cleaned up later)
 > >
 > > I didn't find such functions in util.c. We need a FILE* to pass to BN_print_fp().
 > > I thought of using open() or fdopen() with O_CREAT and O_EXCL, but open() seems to be a POSIX thing.
 >
 > open is supported on Windows: http://msdn.microsoft.com/en-us/library/z0kc8e3z%28v=vs.71%29.aspx
 >

 Seems like I don't know how to use a search engine!
 OK will use open() then.

 > The functions I meant in util.c are start_writing_to_stdio_file and finish/abort_writing to file; they do the open+fdopen thing you want.
 >

 Will check them out.

 > BTW, you *can* do this with DH parameters: d2i_DHparams and i2d_DHparams convert DH params to and from strings, and the {d2i,i2d}_DHparams_fp variants read and write DH parameters on a FILE*
 >

 I want to do #4549 first, but I'll try to do this as well.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4548#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
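The file-creation race discussed in the thread (stat the path, then open it) and the fix nickm suggests (open with O_CREAT|O_EXCL and fdopen the descriptor) are shown side by side below. This is an added example, not Tor's code and not the patch under review: the helper names, the /tmp path, and the sample bytes written to the file are all constructed here. It writes an opaque byte string where real code would call i2d_DHparams_fp() on the resulting FILE*.

```c
/* Added example: race-free creation of a private parameter file.
   Not Tor's code; names and paths below are illustrative only. */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the review objected to: a status check, then a separate open.
   Between the two calls another process can create (or symlink) `path`. */
int racy_create(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0) { errno = EEXIST; return -1; }
    /* TOCTOU window here */
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Hardened form: O_EXCL makes the kernel refuse atomically if the path
   exists, so there is no window to check first. fdopen() turns the
   descriptor into the FILE* that BN_print_fp()/i2d_DHparams_fp() need. */
FILE *open_new_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return NULL;                  /* errno == EEXIST if it already existed */
    FILE *f = fdopen(fd, "w");
    if (!f) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
    }
    return f;
}

/* Write buf to path without ever exposing a half-written file: write to
   path.tmp (created exclusively), fsync, then rename() into place. */
int write_private_file(const char *path, const char *buf, size_t len)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    FILE *f = open_new_private_file(tmp);
    if (!f)
        return -1;
    if (fwrite(buf, 1, len, f) != len || fflush(f) != 0 || fsync(fileno(f)) != 0) {
        fclose(f); unlink(tmp); return -1;
    }
    if (fclose(f) != 0) { unlink(tmp); return -1; }
    if (rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Self-check: returns 1 when the file is written and a second exclusive
   open of the same path is refused with EEXIST. Uses a constructed
   placeholder payload, not real DH parameters. */
int demo_exclusive_open(void)
{
    char path[256];
    snprintf(path, sizeof path, "/tmp/dhparam-demo-%ld.params", (long)getpid());
    const char *sample = "constructed sample bytes, not real DH parameters\n";
    int ok = write_private_file(path, sample, strlen(sample)) == 0;
    FILE *again = open_new_private_file(path);
    ok = ok && again == NULL && errno == EEXIST;
    if (again) fclose(again);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("exclusive-open check: %s\n", demo_exclusive_open() ? "ok" : "FAILED");
    return 0;
}
```

The temp-file-plus-rename step is what Tor's start_writing_to_stdio_file/finish_writing_to_file pair provides; the point of the example is that the only existence check is the one the kernel performs inside open().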

