]> git.ipfire.org Git - thirdparty/tor.git/commitdiff
projects / thirdparty / tor.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fa1034c)
Switch ECDHE group default logic for bridge/relay TLS
authorNick Mathewson <nickm@torproject.org>
Thu, 19 Sep 2013 14:40:41 +0000 (10:40 -0400)
committerNick Mathewson <nickm@torproject.org>
Tue, 8 Oct 2013 20:32:07 +0000 (16:32 -0400)
According to the manpage, bridges use P256 for conformity and relays
use P224 for speed. But skruffy points out that we've gotten it
backwards in the code.

In this patch, we make the default P256 for everybody.

Fixes bug 9780; bugfix on 0.2.4.8-alpha.

changes/bug9780 [new file with mode: 0644] patch | blob
doc/tor.1.txt patch | blob | blame | history
src/common/tortls.c patch | blob | blame | history

diff --git a/changes/bug9780 b/changes/bug9780
new file mode 100644 (file)
index 0000000..3cb51bd
--- /dev/null
+++ b/changes/bug9780
@@ -0,0 +1,8 @@
+  o Minor bugfixes (performance, fingerprinting):
+    - Our default TLS ecdhe groups were backwards: we meant to be using
+      P224 for relays (for performance win) and P256 for bridges (since
+      it is more common in the wild). Instead we had it backwards. After
+      reconsideration, we decided that the default should be P256 on all
+      hosts, since its security is probably better, and since P224 is
+      reportedly used quite little in the wild.  Found by "skruffy" on
+      IRC. Fix for bug 9780; bugfix on 0.2.4.8-alpha.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index b2062754612a0e9e5780c3a61e9f5f97848d85d6..38423c292fefc921fa59a37e6c6effda75b6c7fc 100644 (file)
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1642,7 +1642,7 @@ is non-zero):
     What EC group should we try to use for incoming TLS connections?
     P224 is faster, but makes us stand out more. Has no effect if
     we're a client, or if our OpenSSL version lacks support for ECDHE.
-    (Default: P224 for public servers; P256 for bridges.)
+    (Default: P256)
 
 [[CellStatistics]] **CellStatistics** **0**|**1**::
     When this option is enabled, Tor writes statistics on the mean time that
diff --git a/src/common/tortls.c b/src/common/tortls.c
index b7e5bc1a5fe3b922bc4013f64dfb512278630621..72f6c405c0261919ad2ed757e61286c9da7bade3 100644 (file)
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1369,10 +1369,8 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
       nid = NID_secp224r1;
     else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
       nid = NID_X9_62_prime256v1;
-    else if (flags & TOR_TLS_CTX_IS_PUBLIC_SERVER)
-      nid = NID_X9_62_prime256v1;
     else
-      nid = NID_secp224r1;
+      nid = NID_X9_62_prime256v1;
     /* Use P-256 for ECDHE. */
     ec_key = EC_KEY_new_by_curve_name(nid);
     if (ec_key != NULL) /*XXXX Handle errors? */
Mirror of https://git.torproject.org/tor.git