Opened 4 months ago

Last modified 4 months ago

#27190 needs_revision defect

disparate duplicate subproto handling in protover

Reported by: cyberpunks Owned by:
Priority: Medium Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: rust, 033-backport, 034-backport
Cc: nickm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

protover.c treats Link=1 Link=1 and Link=1 identically, allowing duplicate entries without complaint, though it does explicitly check for duplicates to avoid double-counting it as two votes for the same version.

protover.c also treats Link=1 Link=2 and Link=1-2 the same, while the rust implementation of protover treats Link=1 Link=2 as if it were Link=2.

Child Tickets

TicketStatusOwnerSummaryComponent
#27722newrust protover doesn't canonicalize adjacent and overlapping rangesCore Tor/Tor

Change History (8)

comment:1 Changed 4 months ago by cyberpunks

The C code already has to check for duplicates to prevent double-voting. Could both C and Rust be changed to consider it an error to have duplicate subprotocol entries?

comment:2 Changed 4 months ago by teor

Keywords: 033-backport 034-backport added

No, duplicate subprotocol entries are allowed by the spec:
https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n780

The rust code is wrong, and should be fixed.

comment:3 Changed 4 months ago by teor

Milestone: Tor: unspecified

comment:4 in reply to:  2 ; Changed 4 months ago by cyberpunks

Replying to teor:

No, duplicate subprotocol entries are allowed by the spec:

That spec seems ambiguous and could be clarified in either direction.

If it's clarified to forbid duplicates--it already says the entries should be sorted alphabetically--it would become simpler to also verify that there aren't any overlapping ranges, which the spec says shouldn't happen but the C implementation doesn't check for right now.

Also, make test-network-all passes on branch protodupes1, at least.

comment:5 in reply to:  4 Changed 4 months ago by teor

Replying to cyberpunks:

Replying to teor:

No, duplicate subprotocol entries are allowed by the spec:

That spec seems ambiguous and could be clarified in either direction.

If it's clarified to forbid duplicates--it already says the entries should be sorted alphabetically--it would become simpler to also verify that there aren't any overlapping ranges, which the spec says shouldn't happen but the C implementation doesn't check for right now.

"must" is an absolute requirement, but "should" is a recommendation:

SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.

https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n19
https://tools.ietf.org/html/rfc2119

Therefore, Tor's parser can tolerate duplicates, unsorted ranges, and overlapping ranges. I think that it's worth accepting them, to support a broad range of relay implementations. As a trivial example, it's worth accepting both "Foo=1,2" and "Foo=1-2".

But all directory authority implementations MUST generate identical consensuses:

https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n1614

Therefore:

  • all directory authority parser implementations MUST interpret edge cases as the same protocol versions, and
  • all directory authority serialisation implementations MUST generate exactly the same text for the same protocol versions.

So I think we should fix the Rust to match the C.

We can also open another ticket to clarify the spec, but I'm not sure exactly what changes to make. We don't try to specify the exact format of a consensus in the spec - we only provide enough detail to parse a consensus.

Also, make test-network-all passes on branch protodupes1, at least.

Unfortunately, those tests don't test all the edge cases. And apparently neither do our unit tests. So we should add more unit tests.

comment:6 Changed 4 months ago by teor

Status: newneeds_revision

comment:7 Changed 4 months ago by teor

Cc: nickm added

Since my last comment raises some spec issues, I'm cc'ing nickm.

comment:8 Changed 4 months ago by nickm

Milestone: Tor: unspecifiedTor: 0.3.5.x-final
Note: See TracTickets for help on using tickets.