Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NOnion,Tests: unify crypto dependencies #62

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

NOnion,Tests: unify crypto dependencies #62

wants to merge 9 commits into from

Conversation

aarani
Copy link
Collaborator

@aarani aarani commented Apr 19, 2023

This commit replaces Chaos.NaCl in favour of
our custom bouncycastle.

Depends on #59

@aarani
Network: clients don't report their addrs
dfd277f 
Apparently, clients don't have to report
their IP addresses.
@aarani
Network: verify router's ip address
f5d9396 
According to spec:
Initiators SHOULD use "this OR's address" to make sure
that they have connected to another OR at its canonical address.
@aarani
Network: respect spec wrt generating NETINFO
0a095cf 
According to spec:
Clients SHOULD send "0" as their timestamp,
to avoid fingerprinting.
@aarani
Network: verify guard certs with rsa fingerprint
fe050f0 
According to spec:
```
   To authenticate the responder as having a given RSA identity only,
   the initiator MUST check the following:

     * The CERTS cell contains exactly one CertType 1 "Link" certificate.
     * The CERTS cell contains exactly one CertType 2 "ID" certificate.
     * Both certificates have validAfter and validUntil dates that
       are not expired.
     * The certified key in the Link certificate matches the
       link key that was used to negotiate the TLS connection.
     * The certified key in the ID certificate is a 1024-bit RSA key.
     * The certified key in the ID certificate was used to sign both
       certificates.
     * The link certificate is correctly signed with the key in the
       ID certificate
     * The ID certificate is correctly self-signed.

   In both cases above, checking these conditions is sufficient to
   authenticate that the initiator is talking to the Tor node with the
   expected identity, as certified in the ID certificate(s).
```
@aarani
Directory: fix broken directory-signature parsing
cf83ff1
@aarani
Directory,Tests: validate consensus data
b0edcfc 
Making sure consensus data is signed by majority
of trusted authorities is probably the most important
security check in TOR which was missing from NOnion,
this commit fixes that.

This commit also fixes an issue with parsing
directory signatures, adds digest calculation
to NetworkStatus and changes networkstatus.json
to use Indented formating to help with manual
validatation.
@aarani
Directory,Utility: EmbeddedResources for authDirs
8591ad9 
This commit moves the auth_dirs.inc file
to EmbeddedResource so end users don't have to
carry the list around with their applications.
@aarani
Directory,Tests: remove janky pem reader
7c45b97 
This commit removes janky pem reader code
in favour of Bouncycastle's PemReader.
@aarani
NOnion,Tests: unify crypto dependencies
2aab074 
This commit replaces Chaos.NaCl in favour of
our custom bouncycastle.
@aarani aarani marked this pull request as ready for review April 19, 2023 14:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@aarani