[tor-bugs] #6963 [Quality Assurance and Testing]: Contradiction between specs and code to detect a V2 handshake

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Mon Sep 24 18:22:08 UTC 2012 

#6963: Contradiction between specs and code to detect a V2 handshake
-------------------------------------------+--------------------------------
 Reporter:  cced                           |          Owner:  cypherpunks
     Type:  defect                         |         Status:  new        
 Priority:  normal                         |      Milestone:             
Component:  Quality Assurance and Testing  |        Version:             
 Keywords:  torspec                        |         Parent:             
   Points:                                 |   Actualpoints:             
-------------------------------------------+--------------------------------
 This is a contradiction on how to differentiate V1 and V2 handshake. It's
 confusing if someone wants to implement his own version of Tor (JTor,
 silvertunnel,...).

 [https://gitweb.torproject.org/torspec.git/blob/master:/tor-spec.txt tor-
 spec] (and
 [https://gitweb.torproject.org/torspec.git/blob?f=proposals/130-v2-conn-
 protocol.txt 130-v2-conn-protocol]):
 {{{
 In "certificates up-front" (a.k.a "the v1 handshake"),
 [...]  The initiator's ClientHello MUST NOT include any
     ciphersuites other than:
       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 }}}
 The actual implementation:
 {{{
    /* Now we need to see if there are any ciphers whose presence means
 we're
     * dealing with an updated Tor. */
    for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) {
      SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i);
      const char *ciphername = SSL_CIPHER_get_name(cipher);
      if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
          strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
          strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
          strcmp(ciphername, "(NONE)")) {
        log_debug(LD_NET, "Got a non-version-1 cipher called '%s'",
 ciphername);
        // return 1;
        goto dump_list;
      }
    }
 }}}
 So, in practice, the use of the SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 (SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA) cipher suite is considered as a sign
 of the use of the V2 handshake. This contradicts all specifications.

 (According to
 [https://gitweb.torproject.org/torspec.git/blob?f=proposals/124-tls-
 certificates.txt 124-tls-certificates] and tor.git history, two of these
 cipher suites {AES_256 and DSS} have never been used in Tor v0/1, they
 seem to be include for better censorship resistance).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6963>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list