[tor-commits] [tor/master] Prohibit the use of one entry node with an HS

nickm at torproject.org nickm at torproject.org
Wed Sep 2 15:02:21 UTC 2015


commit 07b3028db74af246ca98c2d3a86d5efde9aa33c2
Author: David Goulet <dgoulet at ev0ke.net>
Date:   Wed Sep 2 14:53:39 2015 +0200

    Prohibit the use of one entry node with an HS
    
    In a nutshell, since a circuit can not exit at its entry point, it's very
    easy for an attacker to find the hidden service guard if only one EntryNodes
    is specified since for that guard, the HS will refuse to build a rendezvous
    circuit to it.
    
    For now, the best solution is to stop tor from allowing a single EntryNodes for
    a hidden service.
    
    Fixes #14917
    
    Signed-off-by: David Goulet <dgoulet at ev0ke.net>
---
 changes/bug14917   |    5 +++++
 src/or/config.c    |   14 ++++++++++++++
 src/or/routerset.c |   11 +++++++++++
 src/or/routerset.h |    1 +
 4 files changed, 31 insertions(+)

diff --git a/changes/bug14917 b/changes/bug14917
new file mode 100644
index 0000000..92a985c
--- /dev/null
+++ b/changes/bug14917
@@ -0,0 +1,5 @@
+  o Major bugfix
+    - For an hidden service, it is now prohibited to use one single
+      EntryNodes to avoid a very easy guard discovery attack. For more
+      details, see the ticket description here:
+      https://trac.torproject.org/projects/tor/ticket/14917. Fixes #14917.
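Review bot: the entry under "o Major bugfix" says a single EntryNodes is "prohibited" but does not tell the operator what will happen. The src/or/config.c hunk makes options_validate() return -1 for this configuration, so the entry should state that tor now rejects a configuration combining exactly one EntryNodes entry with a hidden service, and that existing setups of that kind need a second entry before upgrading. "For an hidden service" should also read "For a hidden service".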
diff --git a/src/or/config.c b/src/or/config.c
index cb0abab..02b3477 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -3173,6 +3173,20 @@ options_validate(or_options_t *old_options, or_options_t *options,
              "http://freehaven.net/anonbib/#hs-attack06 for details.");
   }
 
+  if (routerset_is_list(options->EntryNodes) &&
+      (routerset_len(options->EntryNodes) == 1) &&
+      (options->RendConfigLines != NULL)) {
+    tor_asprintf(msg,
+             "You have one single EntryNodes and at least one hidden service "
+             "configured. This is bad because it's very easy to locate your "
+             "entry guard which can then lead to the deanonymization of your "
+             "hidden service -- for more details, see "
+             "https://trac.torproject.org/projects/tor/ticket/14917. "
+             "For this reason, the use of one EntryNodes with an hidden "
+             "service is prohibited until a better solution is found.");
+    return -1;
+  }
+
   if (!options->LearnCircuitBuildTimeout && options->CircuitBuildTimeout &&
       options->CircuitBuildTimeout < RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT) {
     log_warn(LD_CONFIG,
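Review bot: the new condition in options_validate() has no code comment, and its == 1 test counts entries in the EntryNodes list (routerset_len() returns smartlist_len(set->list)), not relays that are usable at runtime. A short comment above the if should say that this is a configuration-time check on the number of listed entries and why routerset_is_list() has to hold first, so the intended scope is clear to the next reader. Because the branch returns -1 instead of warning, it also deserves a test for the one-entry, two-entry and no-hidden-service cases; the diffstat lists no test file.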
diff --git a/src/or/routerset.c b/src/or/routerset.c
index 99de11e..9fe5dff 100644
--- a/src/or/routerset.c
+++ b/src/or/routerset.c
@@ -162,6 +162,17 @@ routerset_is_empty(const routerset_t *set)
   return !set || smartlist_len(set->list) == 0;
 }
 
+/** Return the number of entries in <b>set</b>. This does NOT return a
+ * negative value. */
+int
+routerset_len(const routerset_t *set)
+{
+  if (!set) {
+    return 0;
+  }
+  return smartlist_len(set->list);
+}
+
 /** Helper.  Return true iff <b>set</b> contains a router based on the other
  * provided fields.  Return higher values for more specific subentries: a
  * single router is more specific than an address range of routers, which is
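Review bot: the doc comment on routerset_len() says it does not return a negative value but omits the case the body handles explicitly, a NULL set returning 0. Suggest wording along the lines of "Return the number of entries in set, or 0 if set is NULL", and saying what counts as an entry, since the value comes from set->list only. The braces around the single-statement "return 0;" can go, to match the brace-free style of routerset_is_empty() just above.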
diff --git a/src/or/routerset.h b/src/or/routerset.h
index 8d41de8..aca7c6e 100644
--- a/src/or/routerset.h
+++ b/src/or/routerset.h
@@ -38,6 +38,7 @@ void routerset_subtract_nodes(smartlist_t *out,
 char *routerset_to_string(const routerset_t *routerset);
 int routerset_equal(const routerset_t *old, const routerset_t *new);
 void routerset_free(routerset_t *routerset);
+int routerset_len(const routerset_t *set);
 
 #ifdef ROUTERSET_PRIVATE
 STATIC char * routerset_get_countryname(const char *c);




