[tor-commits] [tor/master] config: Remove TLSECGroup option
nickm at torproject.org
nickm at torproject.org
Tue May 9 14:42:12 UTC 2017
commit 039e2a24da522f483909e0eb55f963dce6e3b0e5
Author: David Goulet <dgoulet at torproject.org>
Date: Tue Apr 25 14:11:23 2017 -0400
config: Remove TLSECGroup option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.
Partially fixes #22060
Signed-off-by: David Goulet <dgoulet at torproject.org>
---
changes/bug22060 | 2 ++
doc/tor.1.txt | 6 ------
src/or/config.c | 37 +------------------------------------
src/or/or.h | 2 --
src/or/router.c | 6 ------
src/test/test_options.c | 49 -------------------------------------------------
6 files changed, 3 insertions(+), 99 deletions(-)
diff --git a/changes/bug22060 b/changes/bug22060
index e7d14b0..98c4c34 100644
--- a/changes/bug22060
+++ b/changes/bug22060
@@ -17,3 +17,5 @@
and feature no longer exists.
- WarnUnsafeSocks was deprecated in 0.2.9.2-alpha and now has been
rendered obsolete. Code has been removed and feature no longer exists.
+ - TLSECGroup was deprecated in 0.2.9.2-alpha and now has been rendered
+ obsolete. Code has been removed and feature no longer exists.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 590ded3..8bc9c27 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1958,12 +1958,6 @@ is non-zero):
[[GeoIPv6File]] **GeoIPv6File** __filename__::
A filename containing IPv6 GeoIP data, for use with by-country statistics.
-[[TLSECGroup]] **TLSECGroup** **P224**|**P256**::
- What EC group should we try to use for incoming TLS connections?
- P224 is faster, but makes us stand out more. Has no effect if
- we're a client, or if our OpenSSL version lacks support for ECDHE.
- (Default: P256)
-
[[CellStatistics]] **CellStatistics** **0**|**1**::
Relays only.
When this option is enabled, Tor collects statistics about cell
diff --git a/src/or/config.c b/src/or/config.c
index 1af554a..72063db 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -494,7 +494,7 @@ static config_var_t option_vars_[] = {
V(TokenBucketRefillInterval, MSEC_INTERVAL, "100 msec"),
V(Tor2webMode, BOOL, "0"),
V(Tor2webRendezvousPoints, ROUTERSET, NULL),
- V(TLSECGroup, STRING, NULL),
+ OBSOLETE("TLSECGroup"),
V(TrackHostExits, CSV, NULL),
V(TrackHostExitsExpire, INTERVAL, "30 minutes"),
V(TransListenAddress, LINELIST, NULL),
@@ -664,8 +664,6 @@ static const config_deprecation_t option_deprecation_notes_[] = {
"a wide variety of application-level attacks." },
{ "ClientDNSRejectInternalAddresses", "Turning this on makes your client "
"easier to fingerprint, and may open you to esoteric attacks." },
- { "TLSECGroup", "The default is a nice secure choice; the other option "
- "is less secure." },
{ "ControlListenAddress", "Use ControlPort instead." },
{ "DirListenAddress", "Use DirPort instead, possibly with the "
"NoAdvertise sub-option" },
@@ -1537,23 +1535,6 @@ get_effective_bwburst(const or_options_t *options)
return (uint32_t)bw;
}
-/** Return True if any changes from <b>old_options</b> to
- * <b>new_options</b> needs us to refresh our TLS context. */
-static int
-options_transition_requires_fresh_tls_context(const or_options_t *old_options,
- const or_options_t *new_options)
-{
- tor_assert(new_options);
-
- if (!old_options)
- return 0;
-
- if (!opt_streq(old_options->TLSECGroup, new_options->TLSECGroup))
- return 1;
-
- return 0;
-}
-
/**
* Return true if changing the configuration from <b>old</b> to <b>new</b>
* affects the guard susbsystem.
@@ -1772,13 +1753,6 @@ options_act(const or_options_t *old_options)
log_warn(LD_BUG,"Error initializing keys; exiting");
return -1;
}
- } else if (old_options &&
- options_transition_requires_fresh_tls_context(old_options,
- options)) {
- if (router_initialize_tls_context() < 0) {
- log_warn(LD_BUG,"Error initializing TLS context.");
- return -1;
- }
}
/* Write our PID to the PID file. If we do not have write permissions we
@@ -3140,15 +3114,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
}
}
- if (options->TLSECGroup && (strcasecmp(options->TLSECGroup, "P256") &&
- strcasecmp(options->TLSECGroup, "P224"))) {
- COMPLAIN("Unrecognized TLSECGroup: Falling back to the default.");
- tor_free(options->TLSECGroup);
- }
- if (!evaluate_ecgroup_for_tls(options->TLSECGroup)) {
- REJECT("Unsupported TLSECGroup.");
- }
-
if (options->ExcludeNodes && options->StrictNodes) {
COMPLAIN("You have asked to exclude certain relays from all positions "
"in your circuits. Expect hidden services and other Tor "
diff --git a/src/or/or.h b/src/or/or.h
index da32850..75b5fb3 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -4466,8 +4466,6 @@ typedef struct {
int IPv6Exit; /**< Do we support exiting to IPv6 addresses? */
- char *TLSECGroup; /**< One of "P256", "P224", or nil for auto */
-
/** Fraction: */
double PathsNeededToBuildCircuits;
diff --git a/src/or/router.c b/src/or/router.c
index ca86c33..ef54921 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -779,12 +779,6 @@ router_initialize_tls_context(void)
int lifetime = options->SSLKeyLifetime;
if (public_server_mode(options))
flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
- if (options->TLSECGroup) {
- if (!strcasecmp(options->TLSECGroup, "P256"))
- flags |= TOR_TLS_CTX_USE_ECDHE_P256;
- else if (!strcasecmp(options->TLSECGroup, "P224"))
- flags |= TOR_TLS_CTX_USE_ECDHE_P224;
- }
if (!lifetime) { /* we should guess a good ssl cert lifetime */
/* choose between 5 and 365 days, and round to the day */
diff --git a/src/test/test_options.c b/src/test/test_options.c
index 2a7dfbd..1886797 100644
--- a/src/test/test_options.c
+++ b/src/test/test_options.c
@@ -1313,54 +1313,6 @@ test_options_validate__node_families(void *ignored)
}
static void
-test_options_validate__tlsec(void *ignored)
-{
- (void)ignored;
- int ret;
- char *msg;
- setup_capture_of_logs(LOG_DEBUG);
- options_test_data_t *tdata = get_options_test_data(
- "TLSECGroup ed25519\n"
- "SchedulerHighWaterMark__ 42\n"
- "SchedulerLowWaterMark__ 10\n");
-
- ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
- tt_int_op(ret, OP_EQ, -1);
- expect_log_msg("Unrecognized TLSECGroup: Falling back to the default.\n");
- tt_assert(!tdata->opt->TLSECGroup);
- tor_free(msg);
-
- free_options_test_data(tdata);
- tdata = get_options_test_data("TLSECGroup P224\n"
- "SchedulerHighWaterMark__ 42\n"
- "SchedulerLowWaterMark__ 10\n");
- mock_clean_saved_logs();
- ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
- tt_int_op(ret, OP_EQ, -1);
- expect_no_log_msg(
- "Unrecognized TLSECGroup: Falling back to the default.\n");
- tt_assert(tdata->opt->TLSECGroup);
- tor_free(msg);
-
- free_options_test_data(tdata);
- tdata = get_options_test_data("TLSECGroup P256\n"
- "SchedulerHighWaterMark__ 42\n"
- "SchedulerLowWaterMark__ 10\n");
- mock_clean_saved_logs();
- ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg);
- tt_int_op(ret, OP_EQ, -1);
- expect_no_log_msg(
- "Unrecognized TLSECGroup: Falling back to the default.\n");
- tt_assert(tdata->opt->TLSECGroup);
- tor_free(msg);
-
- done:
- teardown_capture_of_logs();
- free_options_test_data(tdata);
- tor_free(msg);
-}
-
-static void
test_options_validate__token_bucket(void *ignored)
{
(void)ignored;
@@ -4427,7 +4379,6 @@ struct testcase_t options_tests[] = {
LOCAL_VALIDATE_TEST(exclude_nodes),
LOCAL_VALIDATE_TEST(scheduler),
LOCAL_VALIDATE_TEST(node_families),
- LOCAL_VALIDATE_TEST(tlsec),
LOCAL_VALIDATE_TEST(token_bucket),
LOCAL_VALIDATE_TEST(recommended_packages),
LOCAL_VALIDATE_TEST(fetch_dir),
More information about the tor-commits
mailing list