Make sure keys and IP:Ports are unique in a consensus
Reported by: teor
Owned by: nickm
Priority: Very High
Milestone: Tor: 0.2.8.x-final
Severity: Blocker
Keywords: TorCoreTeam201602, must-fix-before-028-rc, 027-backport, 2016-bug-retrospective
When voting for RSA / Ed25519 key combinations, each RSA key must be unique in the vote, and each Ed key must be unique in the vote:
- authorities must vote using the most recent descriptor signed by a RSA key, as the signature proves ownership of that key, and ignore earlier descriptors signed by that key;
- authorities must vote using the most recent descriptor signed by both a RSA and an Ed key, as the signatures prove ownership of both keys, and ignore earlier descriptors signed by either key.
When voting for RSA key / IPv4:Port combinations, there can only be one Running instance of each RSA key, and one Running instance of each IPv4:Port, in the vote:
- authorities must vote Running for only one IPv4:Port per RSA key, and only one RSA key per IPv4:Port. The IPv4:Port and RSA key must be the latest RSA key proven by reachability test to that IPv4:Port from that authority;
- authorities may vote for RSA keys that have signed a descriptor specifying an IPv4:Port, but which haven't been reachability tested, or which have been superseded by a later reachability test. (This helps us deduce internal authority state from votes.) But authorities must not vote Running for these additional RSA key or IPv4:Port instances.
Whether or not authorities can perform IPv6 reachability tests, there can only be one Running instance of each IPv6:Port in the vote:
- authorities must vote Running for at most one IPv6:Port per RSA key, and only one RSA key per IPv6:Port. The IPv6:Port and RSA key must be the latest RSA key proven by reachability test to that IPv6:Port from that authority;
- authorities that aren't on IPv6 must vote Running for at most one IPv6:Port per RSA key, and only one RSA key per IPv6:Port. If multiple RSA keys claim an IPv6:Port, the RSA key voted Running must be the one with the latest reachable IPv4:Port.
- authorities may include additional IPv6:Port instances, but must not vote them Running.
When we transition to Ed25519 proofs via authenticate cells in reachability tests, similar uniqueness constraints will apply. But that's out of scope for this ticket.
Since consensuses only include Running relays, and the Running flag is assigned by a majority vote, each RSA key, Ed key, IPv4:Port, and IPv6:Port must be unique in the consensus.
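The rules above, worked through on constructed data as an added example (this is not Tor's code; the Entry fields, function names and sample keys/addresses are hypothetical). It applies the three stages in order: newest descriptor per RSA key and per Ed key, then one Running entry per IPv4:Port chosen by the latest reachability test, then one Running entry per IPv6:Port chosen as a non-IPv6 authority would, by the latest reachable IPv4:Port. Untested relays stay in the vote but are never Running. The final function is the check a vote or consensus should pass: no RSA key, Ed key, IPv4:Port or IPv6:Port appears twice among Running entries.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Entry:
    """One descriptor as seen by one authority (hypothetical shape)."""
    rsa: str                      # RSA identity key (placeholder string)
    ed: Optional[str]             # Ed25519 identity key, None if descriptor has none
    ipv4: str                     # "addr:port"
    ipv6: Optional[str]           # "[addr]:port" or None
    published: int                # descriptor publication time
    reachable_at: Optional[int]   # last successful IPv4 reachability test, None = untested


def newest(entries: List[Entry], key: Callable[[Entry], Optional[str]]) -> List[Entry]:
    """Keep the most recently published entry for each distinct key(e); skip None keys."""
    best: Dict[str, Entry] = {}
    for e in entries:
        k = key(e)
        if k is None:
            continue
        if k not in best or e.published > best[k].published:
            best[k] = e
    return list(best.values())


def select_descriptors(entries: List[Entry]) -> List[Entry]:
    """Stage 1: one descriptor per RSA key, then one per Ed key; newest wins,
    and an older descriptor that loses an Ed-key conflict is dropped entirely."""
    by_rsa = newest(entries, lambda e: e.rsa)
    with_ed = newest(by_rsa, lambda e: e.ed)
    without_ed = [e for e in by_rsa if e.ed is None]
    return sorted(with_ed + without_ed, key=lambda e: e.rsa)


def choose_running(descs: List[Entry]) -> Set[Entry]:
    """Stages 2 and 3: Running goes to at most one RSA key per IPv4:Port (latest
    reachability test wins) and at most one RSA key per IPv6:Port (the one whose
    IPv4:Port was reached most recently, as a non-IPv6 authority would decide)."""
    tested = [e for e in descs if e.reachable_at is not None]
    best4: Dict[str, Entry] = {}
    for e in tested:
        if e.ipv4 not in best4 or e.reachable_at > best4[e.ipv4].reachable_at:
            best4[e.ipv4] = e
    running = set(best4.values())
    best6: Dict[str, Entry] = {}
    for e in running:
        if e.ipv6 is not None and (e.ipv6 not in best6 or e.reachable_at > best6[e.ipv6].reachable_at):
            best6[e.ipv6] = e
    return {e for e in running if e.ipv6 is None or best6[e.ipv6] == e}


def uniqueness_violations(running) -> List[Tuple[str, str]]:
    """Return every (field, value) that occurs more than once among Running entries."""
    seen: Set[Tuple[str, str]] = set()
    problems: List[Tuple[str, str]] = []
    for e in running:
        for field, value in (("rsa", e.rsa), ("ed", e.ed), ("ipv4", e.ipv4), ("ipv6", e.ipv6)):
            if value is None:
                continue
            if (field, value) in seen:
                problems.append((field, value))
            seen.add((field, value))
    return problems


def running_rsa_keys(entries: List[Entry]) -> List[str]:
    """Full pipeline: which RSA keys this authority would vote Running."""
    return sorted(e.rsa for e in choose_running(select_descriptors(entries)))


# Constructed sample: keys and addresses are placeholders, not real relays.
SAMPLE = [
    Entry("rsaA", "edA", "198.51.100.1:9001", None, published=100, reachable_at=150),
    Entry("rsaA", "edA", "198.51.100.1:9001", None, published=120, reachable_at=170),  # newer A
    Entry("rsaB", "edA", "198.51.100.2:9001", None, published=110, reachable_at=160),  # claims edA, older: dropped
    Entry("rsaC", "edC", "198.51.100.5:9001", "[2001:db8::1]:9001", published=130, reachable_at=140),
    Entry("rsaD", None, "198.51.100.3:9001", "[2001:db8::1]:9001", published=140, reachable_at=180),  # beats C on IPv6
    Entry("rsaE", "edE", "198.51.100.4:9001", None, published=90, reachable_at=None),  # never reached
    Entry("rsaF", "edF", "198.51.100.1:9001", None, published=130, reachable_at=140),  # loses IPv4 to A
]

if __name__ == "__main__":
    print("descriptors in vote:", [e.rsa for e in select_descriptors(SAMPLE)])
    print("voted Running:", running_rsa_keys(SAMPLE))
```

Running it on the sample keeps rsaA, rsaC, rsaD, rsaE and rsaF in the vote (rsaB is dropped for claiming an Ed key already proven by a newer descriptor), but votes Running only for rsaA and rsaD: rsaF shares rsaA's IPv4:Port with an older test, rsaC shares rsaD's IPv6:Port with an older test, and rsaE was never reached. Feeding the two rsaA descriptors straight to uniqueness_violations shows what the check catches when a vote skips stage 1.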
Change History (22)
comment:9 Changed 14 months ago by dgoulet
- Status changed from needs_review to needs_revision
comment:12 Changed 14 months ago by nickm
- Keywords must-fix-before-028-rc added
- Milestone Tor: 0.2.7.x-final deleted
comment:15 Changed 14 months ago by nickm
- Keywords 027-backport added
- Status changed from needs_revision to needs_review
comment:21 Changed 13 months ago by nickm
- Resolution set to fixed
- Status changed from needs_review to closed