Opened 12 years ago

Last modified 8 years ago

#797 closed defect (Fixed)

FastFirstHopPK 0 prevents tunneled directory connections from working.

Reported by: nickm Owned by:
Priority: Low Milestone:
Component: Core Tor/Tor Version:
Severity: Keywords:
Cc: nickm, arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


See Erwin Lam's email from 3 August 2008 on or-talk:

It seems that in some cases we build a one-hop circuit to a server without putting its onion key in the
extend_info. This happens _at least_ when we don't know any onion key for the server, because we are
connecting to it for directory information and we don't have any descriptors yet.

You can test this yourself: run with -FastFirstHopPK 0, with a new empty datadirectory (to avoid cached data),
and with no other options set.

The right fix is probably to override should_use_create_fast_for_router so that it uses a create_fast cell
for one-hop tunnels when no onion key is known, even if FastFirstHopPK 0 is set.

[Automatically added by flyspray2trac: Operating System: All]

Change History (4)

comment:1 Changed 12 years ago by arma

Looks good to me. Here's a patch that does this:

Index: src/or/circuitbuild.c
--- src/or/circuitbuild.c (revision 16933)
+++ src/or/circuitbuild.c (working copy)
@@ -537,19 +537,18 @@

return 1;


-/ Return true iff we should send a create_fast cell to build a circuit

  • * starting at <b>router</b>. (If <b>router</b> is NULL, we don't have
  • * information on the router, so assume true.) */

+/ Return true iff we should send a create_fast cell to build
+ * <b>circuit</b>. */

static INLINE int

-should_use_create_fast_for_router(routerinfo_t *router,

  • origin_circuit_t *circ)

+should_use_create_fast_for_router(origin_circuit_t *circ)


or_options_t *options = get_options();

  • (void) router; /* ignore the router's version. */

  • if (!options->FastFirstHopPK) /* create_fast is disabled */

+ if (!circ->cpath->extend_info->onion_key)
+ return 1; /* our hand is forced: only a create_fast will work */
+ if (!options->FastFirstHopPK) /* we prefer to avoid create_fast */

return 0;

  • if (server_mode(options) && circ->cpath->extend_info->onion_key) {

+ if (server_mode(options)) {

/* We're a server, and we know an onion key. We can choose.

  • Prefer to blend in. */

return 0;
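
Review bot: The new first check in should_use_create_fast_for_router() dereferences circ->cpath->extend_info->onion_key unconditionally, where the old code only reached that dereference on the server_mode() path, so every call now depends on cpath and extend_info being non-NULL. Add tor_assert(circ->cpath) and tor_assert(circ->cpath->extend_info) at the top of the function to make that precondition explicit. The function also no longer takes a router, so the _for_router suffix is misleading; a name that refers to the circuit would fit the new signature better.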

@@ -589,14 +588,9 @@

control_event_bootstrap(BOOTSTRAP_STATUS_CIRCUIT_CREATE, 0);

router = router_get_by_digest(circ->_base.n_conn->identity_digest);

  • fast = should_use_create_fast_for_router(router, circ);
  • if (!fast && !circ->cpath->extend_info->onion_key) {
  • log_warn(LD_CIRC,
  • "Can't send create_fast, but have no onion key. Failing.");
  • }

+ fast = should_use_create_fast_for_router(circ);

if (!fast) {

  • /* We are an OR, or we are connecting to an old Tor: we should

+ /* We are an OR and we know the right onion key: we should

  • send an old slow create cell. */

cell_type = CELL_CREATE;
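
Review bot: The rewritten comment in the if (!fast) branch, "We are an OR and we know the right onion key", leaves out the other way to reach it: a client running with FastFirstHopPK 0 that knows the onion key also gets fast == 0 from the new helper. Reword the comment to cover both cases. With the log_warn removed, this branch relies on the helper never returning 0 when onion_key is NULL; a tor_assert(circ->cpath->extend_info->onion_key) inside the branch would keep that invariant checked at the point where the CREATE cell is built. The router lookup on the context line above no longer feeds the call, so check whether router is still used later in the function.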

Index: doc/
--- doc/ (revision 16933)
+++ doc/ (working copy)
@@ -660,11 +660,14 @@

\fBFastFirstHopPK \fR\fB0\fR|\fB1\fR\fP

-When this option is enabled and we aren't running as a server, Tor
-skips the public key step for the first hop of creating circuits. This is
-safe since we have already used TLS to authenticate the server and to
-establish forward-secure keys. Turning this option off makes circuit
-building slower.
+When this option is disabled, Tor uses the public key step for the first
+hop of creating circuits. Skipping it is generally safe since we have
+already used TLS to authenticate the relay and to establish forward-secure
+keys. Turning this option off makes circuit building slower.
+Note that Tor will always use the public key step for the first hop if
+it's operating as a relay, and it will never use the public key step if
+it doesn't yet know the onion key of the first hop.

(Default: 1)
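
Review bot: The added note says Tor will "always" use the public key step when operating as a relay and "never" when the onion key is unknown, but the two clauses overlap for a relay that doesn't yet know the first hop's onion key, and the text doesn't say which one wins. In the circuitbuild.c hunk the onion_key check comes first, so that case uses create_fast; state the precedence here, for example by saying the relay rule applies only when the onion key is known. The rewrite also no longer says what the option does when enabled (the default), which the removed text stated directly.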

comment:2 Changed 12 years ago by nickm

Applied (renamed the function first).

comment:3 Changed 12 years ago by nickm

flyspray2trac: bug closed.

comment:4 Changed 8 years ago by nickm

Component: Tor Client → Tor