Ticket #24509: 0001-Restricts-TAP-usage-for-circuits-to-only-v2-onion-se.2.patch

File 0001-Restricts-TAP-usage-for-circuits-to-only-v2-onion-se.2.patch, 2.0 KB (added by irl, 2 years ago)
  • src/or/circuitbuild.c

    From 1c9550ca78805e47341f91abf529602da0bd7ecb Mon Sep 17 00:00:00 2001
    From: "Iain R. Learmonth" <irl@fsfe.org>
    Date: Mon, 4 Dec 2017 13:55:31 +0000
    Subject: [PATCH] Restricts TAP usage for circuits to only v2 onion services
    
    circuit_can_use_tap() checks the circuit purpose to make sure that it's an
    onion service circuit. This change introduces an additional check to ensure
    that it is a v2 onion service, and so not v3 which would support ntor.
    
    Fixes: #24509
    ---
     src/or/circuitbuild.c | 19 +++++++++++++++++--
     1 file changed, 17 insertions(+), 2 deletions(-)
    
    diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
    index 2e6b63b4d..9062741c2 100644
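--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -2839,6 +2839,18 @@ circuit_purpose_can_use_tap_impl(uint8_t purpose)
           purpose == CIRCUIT_PURPOSE_C_INTRODUCING);
 }
 
+/* Is the hidden service version allowed to use the deprecated TAP encryption
+ * protocol? Version 3 supports ntor and so TAP should never be used for
+ * version 3, only for version 2.
+ *
+ * A version 3 hidden service will have circ->hs_ident, whereas a version
+ * 2 hidden service will have circ->rend_data. */
+static int
+circuit_rend_version_can_use_tap_impl(const origin_circuit_t *circ)
+{
+  return (circ->rend_data && !circ->hs_ident);
+}
+
 /* Is circ allowed to use the deprecated TAP encryption protocol?
  * The hidden service protocol still uses TAP for some connections, because
  * ntor onion keys aren't included in HS descriptors or INTRODUCE cells. */
@@ -2848,8 +2860,11 @@ circuit_can_use_tap(const origin_circuit_t *circ)
   tor_assert(circ);
   tor_assert(circ->cpath);
   tor_assert(circ->cpath->extend_info);
-  return (circuit_purpose_can_use_tap_impl(circ->base_.purpose) &&
-          extend_info_supports_tap(circ->cpath->extend_info));
+  if (circuit_purpose_can_use_tap_impl(circ->base_.purpose) &&
+      extend_info_supports_tap(circ->cpath->extend_info)) {
+    return circuit_rend_version_can_use_tap_impl(circ);
+  }
+  return 0;
 }
 
 /* Does circ have an onion key which it's allowed to use? */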
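Review bot: The new helper at new lines 2848-2852 returns 0 not only for v3 circuits but also when neither `circ->rend_data` nor `circ->hs_ident` is set, so `circuit_can_use_tap()` now refuses TAP for any onion-service-purpose circuit whose v2 data has not been attached yet. Failing closed is the right default for a check that prevents a fallback to the deprecated handshake. These hunks do not show whether every caller populates `rend_data` before the handshake type is chosen, and the start of `circuit_can_use_tap()` lies between the two hunks, so that ordering should be confirmed. If it does not hold, v2 circuits to TAP-only hops would presumably be rejected. I would state the behaviour in the helper's comment, for example `* Returns 0 when neither or both fields are set, so an unidentified circuit never falls back to TAP.`, and add a unit test covering the four `rend_data`/`hs_ident` combinations.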