tor-spec.txt 80 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789
  1. Tor Protocol Specification
  2. Roger Dingledine
  3. Nick Mathewson
  4. Note: This document aims to specify Tor as currently implemented, though it
  5. may take it a little time to become fully up to date. Future versions of Tor
  6. may implement improved protocols, and compatibility is not guaranteed.
  7. Compatibility notes are given for versions 0.1.1.15-rc and later. We may or
  8. may not remove compatibility notes for other obsolete versions of Tor as they
  9. become obsolete.
  10. This specification is not a design document; most design criteria
  11. are not examined. For more information on why Tor acts as it does,
  12. see tor-design.pdf.
  13. 0. Preliminaries
  14. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
  15. NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
  16. "OPTIONAL" in this document are to be interpreted as described in
  17. RFC 2119.
  18. 0.1. Notation and encoding
  19. PK -- a public key.
  20. SK -- a private key.
  21. K -- a key for a symmetric cipher.
  22. a|b -- concatenation of 'a' and 'b'.
  23. [A0 B1 C2] -- a three-byte sequence, containing the bytes with
  24. hexadecimal values A0, B1, and C2, in that order.
  25. H(m) -- a cryptographic hash of m.
  26. We use "byte" and "octet" interchangeably. Possibly we shouldn't.
  27. 0.1.1. Encoding integers
  28. Unless we explicitly say otherwise below, all numeric values in the
  29. Tor protocol are encoded in network (big-endian) order. So a "32-bit
  30. integer" means a big-endian 32-bit integer; a "2-byte" integer means
  31. a big-endian 16-bit integer, and so forth.
  32. 0.2. Security parameters
  33. Tor uses a stream cipher, a public-key cipher, the Diffie-Hellman
  34. protocol, and a hash function.
  35. KEY_LEN -- the length of the stream cipher's key, in bytes.
  36. PK_ENC_LEN -- the length of a public-key encrypted message, in bytes.
  37. PK_PAD_LEN -- the number of bytes added in padding for public-key
  38. encryption, in bytes. (The largest number of bytes that can be encrypted
  39. in a single public-key operation is therefore PK_ENC_LEN-PK_PAD_LEN.)
  40. DH_LEN -- the number of bytes used to represent a member of the
  41. Diffie-Hellman group.
  42. DH_SEC_LEN -- the number of bytes used in a Diffie-Hellman private key (x).
  43. HASH_LEN -- the length of the hash function's output, in bytes.
  44. PAYLOAD_LEN -- The longest allowable cell payload, in bytes. (509)
  45. CELL_LEN(v) -- The length of a Tor cell, in bytes, for link protocol
  46. version v.
  47. CELL_LEN(v) = 512 if v is less than 4;
  48. = 514 otherwise.
  49. 0.3. Ciphers
  50. For a stream cipher, we use 128-bit AES in counter mode, with an IV of all
  51. 0 bytes.
  52. For a public-key cipher, we use RSA with 1024-bit keys and a fixed
  53. exponent of 65537. We use OAEP-MGF1 padding, with SHA-1 as its digest
  54. function. We leave the optional "Label" parameter unset. (For OAEP
  55. padding, see ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf)
  56. For the "ntor" handshake, we also use the Curve25519 elliptic curve group.
  57. For Diffie-Hellman, we use a generator (g) of 2. For the modulus (p), we
  58. use the 1024-bit safe prime from rfc2409 section 6.2 whose hex
  59. representation is:
  60. "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
  61. "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
  62. "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
  63. "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
  64. "49286651ECE65381FFFFFFFFFFFFFFFF"
  65. As an optimization, implementations SHOULD choose DH private keys (x) of
  66. 320 bits. Implementations that do this MUST never use any DH key more
  67. than once.
  68. [May other implementations reuse their DH keys?? -RD]
  69. [Probably not. Conceivably, you could get away with changing DH keys once
  70. per second, but there are too many oddball attacks for me to be
  71. comfortable that this is safe. -NM]
  72. For a hash function, we use SHA-1.
  73. KEY_LEN=16.
  74. DH_LEN=128; DH_SEC_LEN=40.
  75. PK_ENC_LEN=128; PK_PAD_LEN=42.
  76. HASH_LEN=20.
  77. When we refer to "the hash of a public key", we mean the SHA-1 hash of the
  78. DER encoding of an ASN.1 RSA public key (as specified in PKCS.1).
  79. All "random" values MUST be generated with a cryptographically
  80. strong pseudorandom number generator seeded from a strong entropy
  81. source, unless otherwise noted.
  82. The "hybrid encryption" of a byte sequence M with a public key PK is
  83. computed as follows:
  84. 1. If M is less than PK_ENC_LEN-PK_PAD_LEN, pad and encrypt M with PK.
  85. 2. Otherwise, generate a KEY_LEN byte random key K.
  86. Let M1 = the first PK_ENC_LEN-PK_PAD_LEN-KEY_LEN bytes of M,
  87. and let M2 = the rest of M.
  88. Pad and encrypt K|M1 with PK. Encrypt M2 with our stream cipher,
  89. using the key K. Concatenate these encrypted values.
  90. [XXX Note that this "hybrid encryption" approach does not prevent
  91. an attacker from adding or removing bytes to the end of M. It also
  92. allows attackers to modify the bytes not covered by the OAEP --
  93. see Goldberg's PET2006 paper for details. We will add a MAC to this
  94. scheme one day. -RD]
  95. 1. System overview
  96. Tor is a distributed overlay network designed to anonymize
  97. low-latency TCP-based applications such as web browsing, secure shell,
  98. and instant messaging. Clients choose a path through the network and
  99. build a ``circuit'', in which each node (or ``onion router'' or ``OR'')
  100. in the path knows its predecessor and successor, but no other nodes in
  101. the circuit. Traffic flowing down the circuit is sent in fixed-size
  102. ``cells'', which are unwrapped by a symmetric key at each node (like
  103. the layers of an onion) and relayed downstream.
  104. 1.1. Keys and names
  105. Every Tor relay has multiple public/private keypairs:
  106. These are 1024-bit RSA keys:
  107. - A long-term signing-only "Identity key" used to sign documents and
  108. certificates, and used to establish relay identity.
  109. - A medium-term TAP "Onion key" used to decrypt onion skins when accepting
  110. circuit extend attempts. (See 5.1.) Old keys MUST be accepted for at
  111. least one week after they are no longer advertised. Because of this,
  112. relays MUST retain old keys for a while after they're rotated.
  113. - A short-term "Connection key" used to negotiate TLS connections.
  114. Tor implementations MAY rotate this key as often as they like, and
  115. SHOULD rotate this key at least once a day.
  116. This is Curve25519 key:
  117. - A medium-term ntor "Onion key" used to handle onion key handshakes when
  118. accepting incoming circuit extend requests. As with TAP onion keys,
  119. old ntor keys MUST be accepted for at least one week after they are no
  120. longer advertised. Because of this, relays MUST retain old keys for a
  121. while after they're rotated.
  122. These are Ed25519 keys:
  123. - A long-term "master identity" key. This key never
  124. changes; it is used only to sign the "signing" key below. It may be
  125. kept offline.
  126. - A medium-term "signing" key. This key is signed by the master identity
  127. key, and must be kept online. A new one should be generated
  128. periodically.
  129. - A short-term "link authentication" key. Not yet used.
  130. The RSA identity key and Ed25519 master identity key together identify a
  131. router uniquely. Once a router has used an Ed25519 master identity key
  132. together with a given RSA identity key, neither of those keys may ever be
  133. used with a different key.
  134. 2. Connections
  135. Connections between two Tor relays, or between a client and a relay,
  136. use TLS/SSLv3 for link authentication and encryption. All
  137. implementations MUST support the SSLv3 ciphersuite
  138. "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" if it is available. They SHOULD
  139. support better ciphersuites if available.
  140. There are three ways to perform TLS handshakes with a Tor server. In
  141. the first way, "certificates-up-front", both the initiator and
  142. responder send a two-certificate chain as part of their initial
  143. handshake. (This is supported in all Tor versions.) In the second
  144. way, "renegotiation", the responder provides a single certificate,
  145. and the initiator immediately performs a TLS renegotiation. (This is
  146. supported in Tor 0.2.0.21 and later.) And in the third way,
  147. "in-protocol", the initial TLS renegotiation completes, and the
  148. parties bootstrap themselves to mutual authentication via use of the
  149. Tor protocol without further TLS handshaking. (This is supported in
  150. 0.2.3.6-alpha and later.)
  151. Each of these options provides a way for the parties to learn it is
  152. available: a client does not need to know the version of the Tor
  153. server in order to connect to it properly.
  154. In "certificates up-front" (a.k.a "the v1 handshake"),
  155. the connection initiator always sends a
  156. two-certificate chain, consisting of an X.509 certificate using a
  157. short-term connection public key and a second, self-signed X.509
  158. certificate containing its identity key. The other party sends a similar
  159. certificate chain. The initiator's ClientHello MUST NOT include any
  160. ciphersuites other than:
  161. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  162. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  163. SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  164. In "renegotiation" (a.k.a. "the v2 handshake"),
  165. the connection initiator sends no certificates, and
  166. the responder sends a single connection certificate. Once the TLS
  167. handshake is complete, the initiator renegotiates the handshake, with each
  168. party sending a two-certificate chain as in "certificates up-front".
  169. The initiator's ClientHello MUST include at least one ciphersuite not in
  170. the list above -- that's how the initiator indicates that it can
  171. handle this handshake. For other considerations on the initiator's
  172. ClientHello, see section 2.1 below.
  173. In "in-protocol" (a.k.a. "the v3 handshake"), the initiator sends no
  174. certificates, and the
  175. responder sends a single connection certificate. The choice of
  176. ciphersuites must be as in a "renegotiation" handshake. There are
  177. additionally a set of constraints on the connection certificate,
  178. which the initiator can use to learn that the in-protocol handshake
  179. is in use. Specifically, at least one of these properties must be
  180. true of the certificate:
  181. * The certificate is self-signed
  182. * Some component other than "commonName" is set in the subject or
  183. issuer DN of the certificate.
  184. * The commonName of the subject or issuer of the certificate ends
  185. with a suffix other than ".net".
  186. * The certificate's public key modulus is longer than 1024 bits.
  187. The initiator then sends a VERSIONS cell to the responder, which then
  188. replies with a VERSIONS cell; they have then negotiated a Tor
  189. protocol version. Assuming that the version they negotiate is 3 or higher
  190. (the only ones specified for use with this handshake right now), the
  191. responder sends a CERTS cell, an AUTH_CHALLENGE cell, and a NETINFO
  192. cell to the initiator, which may send either CERTS, AUTHENTICATE,
  193. NETINFO if it wants to authenticate, or just NETINFO if it does not.
  194. For backward compatibility between later handshakes and "certificates
  195. up-front", the ClientHello of an initiator that supports a later
  196. handshake MUST include at least one ciphersuite other than those listed
  197. above. The connection responder examines the initiator's ciphersuite list
  198. to see whether it includes any ciphers other than those included in the
  199. list above. If extra ciphers are included, the responder proceeds as in
  200. "renegotiation" and "in-protocol": it sends a single certificate and
  201. does not request
  202. client certificates. Otherwise (in the case that no extra ciphersuites
  203. are included in the ClientHello) the responder proceeds as in
  204. "certificates up-front": it requests client certificates, and sends a
  205. two-certificate chain. In either case, once the responder has sent its
  206. certificate or certificates, the initiator counts them. If two
  207. certificates have been sent, it proceeds as in "certificates up-front";
  208. otherwise, it proceeds as in "renegotiation" or "in-protocol".
  209. To decide whether to do "renegotiation" or "in-protocol", the
  210. initiator checks whether the responder's initial certificate matches
  211. the criteria listed above.
  212. All new relay implementations of the Tor protocol MUST support
  213. backwards-compatible renegotiation; clients SHOULD do this too. If
  214. this is not possible, new client implementations MUST support both
  215. "renegotiation" and "in-protocol" and use the router's
  216. published link protocols list (see dir-spec.txt on the "protocols" entry)
  217. to decide which to use.
  218. In all of the above handshake variants, certificates sent in the clear
  219. SHOULD NOT include any strings to identify the host as a Tor relay. In
  220. the "renegotiation" and "backwards-compatible renegotiation" steps, the
  221. initiator SHOULD choose a list of ciphersuites and TLS extensions
  222. to mimic one used by a popular web browser.
  223. Even though the connection protocol is identical, we will think of the
  224. initiator as either an onion router (OR) if it is willing to relay
  225. traffic for other Tor users, or an onion proxy (OP) if it only handles
  226. local requests. Onion proxies SHOULD NOT provide long-term-trackable
  227. identifiers in their handshakes.
  228. In all handshake variants, once all certificates are exchanged, all
  229. parties receiving certificates must confirm that the identity key is as
  230. expected. (When initiating a connection, the expected identity key is
  231. the one given in the directory; when creating a connection because of an
  232. EXTEND cell, the expected identity key is the one given in the cell.) If
  233. the key is not as expected, the party must close the connection.
  234. When connecting to an OR, all parties SHOULD reject the connection if that
  235. OR has a malformed or missing certificate. When accepting an incoming
  236. connection, an OR SHOULD NOT reject incoming connections from parties with
  237. malformed or missing certificates. (However, an OR should not believe
  238. that an incoming connection is from another OR unless the certificates
  239. are present and well-formed.)
  240. [Before version 0.1.2.8-rc, ORs rejected incoming connections from ORs and
  241. OPs alike if their certificates were missing or malformed.]
  242. Once a TLS connection is established, the two sides send cells
  243. (specified below) to one another. Cells are sent serially. Standard
  244. cells are CELL_LEN(link_proto) bytes long, but variable-length cells
  245. also exist; see Section 3. Cells may be sent embedded in TLS records
  246. of any size or divided across TLS records, but the framing of TLS
  247. records MUST NOT leak information about the type or contents of the
  248. cells.
  249. TLS connections are not permanent. Either side MAY close a connection
  250. if there are no circuits running over it and an amount of time
  251. (KeepalivePeriod, defaults to 5 minutes) has passed since the last time
  252. any traffic was transmitted over the TLS connection. Clients SHOULD
  253. also hold a TLS connection with no circuits open, if it is likely that a
  254. circuit will be built soon using that connection.
  255. Client-only Tor instances are encouraged to avoid using handshake
  256. variants that include certificates, if those certificates provide
  257. any persistent tags to the relays they contact. If clients do use
  258. certificates, they SHOULD NOT keep using the same certificates when
  259. their IP address changes. Clients MAY send certificates using any
  260. of the above handshake variants.
  261. 2.1. Picking TLS ciphersuites
  262. Clients SHOULD send a ciphersuite list chosen to emulate some popular
  263. web browser or other program common on the internet. Clients may send
  264. the "Fixed Cipheruite List" below. If they do not, they MUST NOT
  265. advertise any ciphersuite that they cannot actually support, unless that
  266. cipher is one not supported by OpenSSL 1.0.1.
  267. The fixed ciphersuite list is:
  268. TLS1_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  269. TLS1_ECDHE_RSA_WITH_AES_256_CBC_SHA
  270. TLS1_DHE_RSA_WITH_AES_256_SHA
  271. TLS1_DHE_DSS_WITH_AES_256_SHA
  272. TLS1_ECDH_RSA_WITH_AES_256_CBC_SHA
  273. TLS1_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  274. TLS1_RSA_WITH_AES_256_SHA
  275. TLS1_ECDHE_ECDSA_WITH_RC4_128_SHA
  276. TLS1_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  277. TLS1_ECDHE_RSA_WITH_RC4_128_SHA
  278. TLS1_ECDHE_RSA_WITH_AES_128_CBC_SHA
  279. TLS1_DHE_RSA_WITH_AES_128_SHA
  280. TLS1_DHE_DSS_WITH_AES_128_SHA
  281. TLS1_ECDH_RSA_WITH_RC4_128_SHA
  282. TLS1_ECDH_RSA_WITH_AES_128_CBC_SHA
  283. TLS1_ECDH_ECDSA_WITH_RC4_128_SHA
  284. TLS1_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  285. SSL3_RSA_RC4_128_MD5
  286. SSL3_RSA_RC4_128_SHA
  287. TLS1_RSA_WITH_AES_128_SHA
  288. TLS1_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA
  289. TLS1_ECDHE_RSA_WITH_DES_192_CBC3_SHA
  290. SSL3_EDH_RSA_DES_192_CBC3_SHA
  291. SSL3_EDH_DSS_DES_192_CBC3_SHA
  292. TLS1_ECDH_RSA_WITH_DES_192_CBC3_SHA
  293. TLS1_ECDH_ECDSA_WITH_DES_192_CBC3_SHA
  294. SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
  295. SSL3_RSA_DES_192_CBC3_SHA
  296. [*] The "extended renegotiation is supported" ciphersuite, 0x00ff, is
  297. not counted when checking the list of ciphersuites.
  298. If the client sends the Fixed Ciphersuite List, the responder MUST NOT
  299. select any ciphersuite besides TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
  300. TLS_DHE_RSA_WITH_AES_128_CBC_SHA, and SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
  301. such ciphers might not actually be supported by the client.
  302. If the client sends a v2+ ClientHello with a list of ciphers other then
  303. the Fixed Ciphersuite List, the responder can trust that the client
  304. supports every cipher advertised in that list, so long as that ciphersuite
  305. is also supported by OpenSSL 1.0.1.
  306. Responders MUST NOT select any TLS ciphersuite that lacks ephemeral keys,
  307. or whose symmetric keys are less then KEY_LEN bits, or whose digests are
  308. less than HASH_LEN bits. Responders SHOULD NOT select any SSLv3
  309. ciphersuite other than the DHE+3DES suites listed above.
  310. 2.2. TLS security considerations
  311. Implementations MUST NOT allow TLS session resumption -- it can
  312. exacerbate some attacks (e.g. the "Triple Handshake" attack from
  313. Feb 2013), and it plays havoc with forward secrecy guarantees.
  314. 3. Cell Packet format
  315. The basic unit of communication for onion routers and onion
  316. proxies is a fixed-width "cell".
  317. On a version 1 connection, each cell contains the following
  318. fields:
  319. CircID [CIRCID_LEN bytes]
  320. Command [1 byte]
  321. Payload (padded with 0 bytes) [PAYLOAD_LEN bytes]
  322. On a version 2 or higher connection, all cells are as in version 1
  323. connections, except for variable-length cells, whose format is:
  324. CircID [CIRCID_LEN octets]
  325. Command [1 octet]
  326. Length [2 octets; big-endian integer]
  327. Payload [Length bytes]
  328. On a version 2 connection, variable-length cells are indicated by a
  329. command byte equal to 7 ("VERSIONS"). On a version 3 or
  330. higher connection, variable-length cells are indicated by a command
  331. byte equal to 7 ("VERSIONS"), or greater than or equal to 128.
  332. CIRCID_LEN is 2 for link protocol versions 1, 2, and 3. CIRCID_LEN
  333. is 4 for link protocol version 4 or higher. The VERSIONS cell itself
  334. always has CIRCID_LEN == 2 for backward compatibility.
  335. The CircID field determines which circuit, if any, the cell is
  336. associated with.
  337. The 'Command' field of a fixed-length cell holds one of the following
  338. values:
  339. 0 -- PADDING (Padding) (See Sec 7.2)
  340. 1 -- CREATE (Create a circuit) (See Sec 5.1)
  341. 2 -- CREATED (Acknowledge create) (See Sec 5.1)
  342. 3 -- RELAY (End-to-end data) (See Sec 5.5 and 6)
  343. 4 -- DESTROY (Stop using a circuit) (See Sec 5.4)
  344. 5 -- CREATE_FAST (Create a circuit, no PK) (See Sec 5.1)
  345. 6 -- CREATED_FAST (Circuit created, no PK) (See Sec 5.1)
  346. 8 -- NETINFO (Time and address info) (See Sec 4.5)
  347. 9 -- RELAY_EARLY (End-to-end data; limited)(See Sec 5.6)
  348. 10 -- CREATE2 (Extended CREATE cell) (See Sec 5.1)
  349. 11 -- CREATED2 (Extended CREATED cell) (See Sec 5.1)
  350. 12 -- PADDING_NEGOTIATE (Padding negotiation) (See Sec 7.2)
  351. Variable-length command values are:
  352. 7 -- VERSIONS (Negotiate proto version) (See Sec 4)
  353. 128 -- VPADDING (Variable-length padding) (See Sec 7.2)
  354. 129 -- CERTS (Certificates) (See Sec 4.2)
  355. 130 -- AUTH_CHALLENGE (Challenge value) (See Sec 4.3)
  356. 131 -- AUTHENTICATE (Client authentication)(See Sec 4.5)
  357. 132 -- AUTHORIZE (Client authorization) (Not yet used)
  358. The interpretation of 'Payload' depends on the type of the cell.
  359. PADDING: Payload is unused.
  360. CREATE: Payload contains the handshake challenge.
  361. CREATED: Payload contains the handshake response.
  362. RELAY: Payload contains the relay header and relay body.
  363. DESTROY: Payload contains a reason for closing the circuit.
  364. (see 5.4)
  365. Upon receiving any other value for the command field, an OR must
  366. drop the cell. Since more cell types may be added in the future, ORs
  367. should generally not warn when encountering unrecognized commands.
  368. The payload is padded with 0 bytes.
  369. PADDING cells are currently used to implement connection keepalive.
  370. If there is no other traffic, ORs and OPs send one another a PADDING
  371. cell every few minutes.
  372. CREATE, CREATED, and DESTROY cells are used to manage circuits;
  373. see section 5 below.
  374. RELAY cells are used to send commands and data along a circuit; see
  375. section 6 below.
  376. VERSIONS and NETINFO cells are used to set up connections in link
  377. protocols v2 and higher; in link protocol v3 and higher, CERTS,
  378. AUTH_CHALLENGE, and AUTHENTICATE may also be used. See section 4
  379. below.
  380. 4. Negotiating and initializing connections
  381. After Tor instances negotiate handshake with either the "renegotiation" or
  382. "in-protocol" handshakes, they must exchange a set of cells to set up
  383. the Tor connection and make it "open" and usable for circuits.
  384. When the renegotiation handshake is used, both parties immediately
  385. send a VERSIONS cell (4.1 below), and after negotiating a link
  386. protocol version (which will be 2), each send a NETINFO cell (4.5
  387. below) to confirm their addresses and timestamps. No other intervening
  388. cell types are allowed.
  389. When the in-protocol handshake is used, the initiator sends a
  390. VERSIONS cell to indicate that it will not be renegotiating. The
  391. responder sends a VERSIONS cell, a CERTS cell (4.2 below) to give the
  392. initiator the certificates it needs to learn the responder's
  393. identity, an AUTH_CHALLENGE cell (4.3) that the initiator must include
  394. as part of its answer if it chooses to authenticate, and a NETINFO
  395. cell (4.5). As soon as it gets the CERTS cell, the initiator knows
  396. whether the responder is correctly authenticated. At this point the
  397. initiator may send a NETINFO cell if it does not wish to
  398. authenticate, or a CERTS cell, an AUTHENTICATE cell (4.4), and a NETINFO
  399. cell if it does. When this handshake is in use, the first cell must
  400. be VERSIONS, VPADDING or AUTHORIZE, and no other cell type is allowed to
  401. intervene besides those specified, except for PADDING and VPADDING cells.
  402. The AUTHORIZE cell type is reserved for future use by scanning-resistance
  403. designs.
  404. [Tor versions before 0.2.3.11-alpha did not recognize the AUTHORIZE cell,
  405. and did not permit any command other than VERSIONS as the first cell of
  406. the in-protocol handshake.]
  407. 4.1. Negotiating versions with VERSIONS cells
  408. There are multiple instances of the Tor link connection protocol. Any
  409. connection negotiated using the "certificates up front" handshake (see
  410. section 2 above) is "version 1". In any connection where both parties
  411. have behaved as in the "renegotiation" handshake, the link protocol
  412. version must be 2. In any connection where both parties have behaved
  413. as in the "in-protocol" handshake, the link protocol must be 3 or higher.
  414. To determine the version, in any connection where the "renegotiation"
  415. or "in-protocol" handshake was used (that is, where the responder
  416. sent only one certificate at first and where the initiator did not
  417. send any certificates in the first negotiation), both parties MUST
  418. send a VERSIONS cell. In "renegotiation", they send a VERSIONS cell
  419. right after the renegotiation is finished, before any other cells are
  420. sent. In "in-protocol", the initiator sends a VERSIONS cell
  421. immediately after the initial TLS handshake, and the responder
  422. replies immediately with a VERSIONS cell. Parties MUST NOT send any
  423. other cells on a connection until they have received a VERSIONS cell.
  424. The payload in a VERSIONS cell is a series of big-endian two-byte
  425. integers. Both parties MUST select as the link protocol version the
  426. highest number contained both in the VERSIONS cell they sent and in the
  427. versions cell they received. If they have no such version in common,
  428. they cannot communicate and MUST close the connection. Either party MUST
  429. close the connection if the versions cell is not well-formed (for example,
  430. if it contains an odd number of bytes).
  431. Since the version 1 link protocol does not use the "renegotiation"
  432. handshake, implementations MUST NOT list version 1 in their VERSIONS
  433. cell. When the "renegotiation" handshake is used, implementations
  434. MUST list only the version 2. When the "in-protocol" handshake is
  435. used, implementations MUST NOT list any version before 3, and SHOULD
  436. list at least version 3.
  437. Link protocols differences are:
  438. 1 -- The "certs up front" handshake.
  439. 2 -- Uses the renegotiation-based handshake. Introduces
  440. variable-length cells.
  441. 3 -- Uses the in-protocol handshake.
  442. 4 -- Increases circuit ID width to 4 bytes.
  443. 5 -- Adds support for link padding and negotiation (padding-spec.txt).
  444. 4.2. CERTS cells
  445. The CERTS cell describes the keys that a Tor instance is claiming
  446. to have. It is a variable-length cell. Its payload format is:
  447. N: Number of certs in cell [1 octet]
  448. N times:
  449. CertType [1 octet]
  450. CLEN [2 octets]
  451. Certificate [CLEN octets]
  452. Any extra octets at the end of a CERTS cell MUST be ignored.
  453. CertType values are:
  454. 1: Link key certificate certified by RSA1024 identity
  455. 2: RSA1024 Identity certificate
  456. 3: RSA1024 AUTHENTICATE cell link certificate
  457. The certificate format for the above certificate types is DER encoded
  458. X509.
  459. A CERTS cell may have no more than one certificate of each CertType.
  460. To authenticate the responder, the initiator MUST check the following:
  461. * The CERTS cell contains exactly one CertType 1 "Link" certificate.
  462. * The CERTS cell contains exactly one CertType 2 "ID" certificate.
  463. * Both certificates have validAfter and validUntil dates that
  464. are not expired.
  465. * The certified key in the Link certificate matches the
  466. link key that was used to negotiate the TLS connection.
  467. * The certified key in the ID certificate is a 1024-bit RSA key.
  468. * The certified key in the ID certificate was used to sign both
  469. certificates.
  470. * The link certificate is correctly signed with the key in the
  471. ID certificate
  472. * The ID certificate is correctly self-signed.
  473. Checking these conditions is sufficient to authenticate that the
  474. initiator is talking to the Tor node with the expected identity,
  475. as certified in the ID certificate.
  476. To authenticate the initiator, the responder MUST check the
  477. following:
  478. * The CERTS cell contains exactly one CertType 3 "AUTH" certificate.
  479. * The CERTS cell contains exactly one CertType 2 "ID" certificate.
  480. * Both certificates have validAfter and validUntil dates that
  481. are not expired.
  482. * The certified key in the AUTH certificate is a 1024-bit RSA key.
  483. * The certified key in the ID certificate is a 1024-bit RSA key.
  484. * The certified key in the ID certificate was used to sign both
  485. certificates.
  486. * The auth certificate is correctly signed with the key in the
  487. ID certificate.
  488. * The ID certificate is correctly self-signed.
  489. Checking these conditions is NOT sufficient to authenticate that the
  490. initiator has the ID it claims; to do so, the cells in 4.3 and 4.4
  491. below must be exchanged.
  492. 4.3. AUTH_CHALLENGE cells
  493. An AUTH_CHALLENGE cell is a variable-length cell with the following
  494. fields:
  495. Challenge [32 octets]
  496. N_Methods [2 octets]
  497. Methods [2 * N_Methods octets]
  498. It is sent from the responder to the initiator. Initiators MUST
  499. ignore unexpected bytes at the end of the cell. Responders MUST
  500. generate every challenge independently using a strong RNG or PRNG.
  501. The Challenge field is a randomly generated string that the
  502. initiator must sign (a hash of) as part of authenticating. The
  503. methods are the authentication methods that the responder will
  504. accept. Only one authentication method is defined right now:
  505. see 4.4 below.
  506. 4.4. AUTHENTICATE cells
  507. If an initiator wants to authenticate, it responds to the
  508. AUTH_CHALLENGE cell with a CERTS cell and an AUTHENTICATE cell.
  509. The CERTS cell is as a server would send, except that instead of
  510. sending a CertType 1 cert for an arbitrary link certificate, the
  511. client sends a CertType 3 cert for an RSA AUTHENTICATE key.
  512. (This difference is because we allow any link key type on a TLS
  513. link, but the protocol described here will only work for 1024-bit
  514. RSA keys. A later protocol version should extend the protocol
  515. here to work with non-1024-bit, non-RSA keys.)
  516. An AUTHENTICATE cell contains the following:
  517. AuthType [2 octets]
  518. AuthLen [2 octets]
  519. Authentication [AuthLen octets]
  520. Responders MUST ignore extra bytes at the end of an AUTHENTICATE
  521. cell. If AuthType is 1 (meaning "RSA-SHA256-TLSSecret"), then the
  522. Authentication contains the following:
  523. TYPE: The characters "AUTH0001" [8 octets]
  524. CID: A SHA256 hash of the initiator's RSA1024 identity key [32 octets]
  525. SID: A SHA256 hash of the responder's RSA1024 identity key [32 octets]
  526. SLOG: A SHA256 hash of all bytes sent from the responder to the
  527. initiator as part of the negotiation up to and including the
  528. AUTH_CHALLENGE cell; that is, the VERSIONS cell, the CERTS cell,
  529. the AUTH_CHALLENGE cell, and any padding cells. [32 octets]
  530. CLOG: A SHA256 hash of all bytes sent from the initiator to the
  531. responder as part of the negotiation so far; that is, the
  532. VERSIONS cell and the CERTS cell and any padding cells. [32
  533. octets]
  534. SCERT: A SHA256 hash of the responder's TLS link certificate. [32
  535. octets]
  536. TLSSECRETS: A SHA256 HMAC, using the TLS master secret as the
  537. secret key, of the following:
  538. - client_random, as sent in the TLS Client Hello
  539. - server_random, as sent in the TLS Server Hello
  540. - the NUL terminated ASCII string:
  541. "Tor V3 handshake TLS cross-certification"
  542. [32 octets]
  543. RAND: A 24 byte value, randomly chosen by the initiator. (In an
  544. imitation of SSL3's gmt_unix_time field, older versions of Tor
  545. sent an 8-byte timestamp as the first 8 bytes of this field;
  546. new implementations should not do that.) [24 octets]
  547. SIG: A signature of a SHA256 hash of all the previous fields
  548. using the initiator's "Authenticate" key as presented. (As
  549. always in Tor, we use OAEP-MGF1 padding; see tor-spec.txt
  550. section 0.3.)
  551. [variable length]
  552. To check the AUTHENTICATE cell, a responder checks that all fields
  553. from TYPE through TLSSECRETS contain their unique
  554. correct values as described above, and then verifies the signature.
  555. The server MUST ignore any extra bytes in the signed data after
  556. the SHA256 hash.
  557. Initiators MUST NOT send an AUTHENTICATE cell before they have
  558. verified the certificates presented in the responder's CERTS
  559. cell, and authenticated the responder.
  560. 4.5. NETINFO cells
  561. If version 2 or higher is negotiated, each party sends the other a
  562. NETINFO cell. The cell's payload is:
  563. Timestamp [4 bytes]
  564. Other OR's address [variable]
  565. Number of addresses [1 byte]
  566. This OR's addresses [variable]
  567. The address format is a type/length/value sequence as given in section
  568. 6.4 below. The timestamp is a big-endian unsigned integer number of
  569. seconds since the Unix epoch.
  570. Implementations MAY use the timestamp value to help decide if their
  571. clocks are skewed. Initiators MAY use "other OR's address" to help
  572. learn which address their connections are originating from, if they do
  573. not know it. [As of 0.2.3.1-alpha, nodes use neither of these values.]
  574. Initiators SHOULD use "this OR's address" to make sure
  575. that they have connected to another OR at its canonical address.
  576. (See 5.3.1 below.)
  577. 5. Circuit management
  578. 5.1. CREATE and CREATED cells
  579. Users set up circuits incrementally, one hop at a time. To create a
  580. new circuit, OPs send a CREATE cell to the first node, with the first
  581. half of an authenticated handshake; that node responds with a CREATED
  582. cell with the second half of the handshake. To extend a circuit past
  583. the first hop, the OP sends an EXTEND relay cell (see section 5.1.2)
  584. which instructs the last node in the circuit to send a CREATE cell to
  585. extend the circuit.
  586. There are two kinds of CREATE and CREATED cells: The older
  587. "CREATE/CREATED" format, and the newer "CREATE2/CREATED2" format. The
  588. newer format is extensible by design; the older one is not.
  589. A CREATE2 cell contains:
  590. HTYPE (Client Handshake Type) [2 bytes]
  591. HLEN (Client Handshake Data Len) [2 bytes]
  592. HDATA (Client Handshake Data) [HLEN bytes]
  593. A CREATED2 cell contains:
  594. HLEN (Server Handshake Data Len) [2 bytes]
  595. HDATA (Server Handshake Data) [HLEN bytes]
  596. Recognized handshake types are:
  597. 0x0000 TAP -- the original Tor handshake; see 5.1.3
  598. 0x0001 reserved
  599. 0x0002 ntor -- the ntor+curve25519+sha256 handshake; see 5.1.4
  600. The format of a CREATE cell is one of the following:
  601. HDATA (Client Handshake Data) [TAP_C_HANDSHAKE_LEN bytes]
  602. or
  603. HTAG (Client Handshake Type Tag) [16 bytes]
  604. HDATA (Client Handshake Data) [TAP_C_HANDSHAKE_LEN-16 bytes]
  605. The first format is equivalent to a CREATE2 cell with HTYPE of 'tap'
  606. and length of TAP_C_HANDSHAKE_LEN. The second format is a way to
  607. encapsulate new handshake types into the old CREATE cell format for
  608. migration. See 5.1.2.1 below. Recognized HTAG values are:
  609. ntor -- 'ntorNTORntorNTOR'
  610. The format of a CREATED cell is:
  611. HDATA (Server Handshake Data) [TAP_S_HANDSHAKE_LEN bytes]
  612. (It's equivalent to a CREATED2 cell with length of TAP_S_HANDSHAKE_LEN.)
  613. As usual with DH, x and y MUST be generated randomly.
  614. In general, clients SHOULD use CREATE whenever they are using the TAP
  615. handshake, and CREATE2 otherwise. Clients SHOULD NOT send the
  616. second format of CREATE cells (the one with the handshake type tag)
  617. to a server directly.
  618. Servers always reply to a successful CREATE with a CREATED, and to a
  619. successful CREATE2 with a CREATED2. On failure, a server sends a
  620. DESTROY cell to tear down the circuit.
  621. [CREATE2 is handled by Tor 0.2.4.7-alpha and later.]
  622. 5.1.1. Choosing circuit IDs in create cells
  623. The CircID for a CREATE cell is an arbitrarily chosen nonzero integer,
  624. selected by the node (OP or OR) that sends the CREATE cell. In link
  625. protocol 3 or lower, CircIDs are 2 bytes long; in protocol 4 or
  626. higher, CircIDs are 4 bytes long.
  627. To prevent CircID collisions, when one node sends a CREATE cell to
  628. another, it chooses from only one half of the possible values based
  629. on the ORs' public identity keys. In link protocol version 3 or
  630. lower, if the sending node has a lower key, it chooses a CircID with
  631. an MSB of 0; otherwise, it chooses a CircID with an MSB of 1. (Public
  632. keys are compared numerically by modulus.)
  633. In link protocol version 4 or higher, whichever node initiated the
  634. connection sets its MSB to 1, and whichever node didn't initiate the
  635. connection sets its MSB to 0.
  636. (An OP with no public key MAY choose any CircID it wishes, since an OP
  637. never needs to process a CREATE cell.)
  638. The CircID value 0 is specifically reserved for cells that do not
  639. belong to any circuit: CircID 0 must not be used for circuits. No
  640. other CircID value, including 0x8000 or 0x80000000, is reserved.
  641. 5.1.2. EXTEND and EXTENDED cells
  642. To extend an existing circuit, the client sends a EXTEND or EXTENDED2
  643. relay cell to the last node in the circuit.
  644. An EXTEND2 cell's relay payload contains:
  645. NSPEC (Number of link specifiers) [1 byte]
  646. NSPEC times:
  647. LSTYPE (Link specifier type) [1 byte]
  648. LSLEN (Link specifier length) [1 byte]
  649. LSPEC (Link specifier) [LSLEN bytes]
  650. HTYPE (Client Handshake Type) [2 bytes]
  651. HLEN (Client Handshake Data Len) [2 bytes]
  652. HDATA (Client Handshake Data) [HLEN bytes]
  653. Link specifiers describe the next node in the circuit and how to
  654. connect to it. Recognized specifiers are:
  655. [00] TLS-over-TCP, IPv4 address
  656. A four-byte IPv4 address plus two-byte ORPort
  657. [01] TLS-over-TCP, IPv6 address
  658. A sixteen-byte IPv6 address plus two-byte ORPort
  659. [02] Legacy identity
  660. A 20-byte SHA1 identity fingerprint. At most one may be listed.
  661. Nodes MUST ignore unrecognized specifiers, and MUST accept multiple
  662. instances of specifiers other than 'legacy identity'.
  663. The relay payload for an EXTEND relay cell consists of:
  664. Address [4 bytes]
  665. Port [2 bytes]
  666. Onion skin [TAP_C_HANDSHAKE_LEN bytes]
  667. Identity fingerprint [HASH_LEN bytes]
  668. The "legacy identity" and "identity fingerprint fields are the SHA1
  669. hash of the PKCS#1 ASN1 encoding of the next onion router's identity
  670. (signing) key. (See 0.3 above.) Including this hash allows the
  671. extending OR verify that it is indeed connected to the correct target
  672. OR, and prevents certain man-in-the-middle attacks.
  673. The payload of an EXTENDED cell is the same as the payload of a
  674. CREATED cell.
  675. The payload of an EXTENDED2 cell is the same as the payload of a
  676. CREATED2 cell.
  677. [Support for EXTEND2 was added in Tor 0.2.4.8-alpha.]
  678. Clients SHOULD use the EXTEND format whenever sending a TAP
  679. handshake, and MUST use it whenever the EXTEND cell will be handled
  680. by a node running a version of Tor too old to support EXTEND2. In
  681. other cases, clients SHOULD use EXTEND2.
  682. When encoding a non-TAP handshake in an EXTEND cell, clients SHOULD
  683. use the format with 'client handshake type tag'.
  684. 5.1.3. The "TAP" handshake
  685. This handshake uses Diffie-Hellman in Z_p and RSA to compute a set of
  686. shared keys which the client knows are shared only with a particular
  687. server, and the server knows are shared with whomever sent the
  688. original handshake (or with nobody at all). It's not very fast and
  689. not very good. (See Goldberg's "On the Security of the Tor
  690. Authentication Protocol".)
  691. Define TAP_C_HANDSHAKE_LEN as DH_LEN+KEY_LEN+PK_PAD_LEN.
  692. Define TAP_S_HANDSHAKE_LEN as DH_LEN+HASH_LEN.
  693. The payload for a CREATE cell is an 'onion skin', which consists of
  694. the first step of the DH handshake data (also known as g^x). This
  695. value is hybrid-encrypted (see 0.3) to the server's onion key, giving
  696. a client handshake of:
  697. PK-encrypted:
  698. Padding [PK_PAD_LEN bytes]
  699. Symmetric key [KEY_LEN bytes]
  700. First part of g^x [PK_ENC_LEN-PK_PAD_LEN-KEY_LEN bytes]
  701. Symmetrically encrypted:
  702. Second part of g^x [DH_LEN-(PK_ENC_LEN-PK_PAD_LEN-KEY_LEN)
  703. bytes]
  704. The payload for a CREATED cell, or the relay payload for an
  705. EXTENDED cell, contains:
  706. DH data (g^y) [DH_LEN bytes]
  707. Derivative key data (KH) [HASH_LEN bytes] <see 5.2 below>
  708. Once the handshake between the OP and an OR is completed, both can
  709. now calculate g^xy with ordinary DH. Before computing g^xy, both parties
  710. MUST verify that the received g^x or g^y value is not degenerate;
  711. that is, it must be strictly greater than 1 and strictly less than p-1
  712. where p is the DH modulus. Implementations MUST NOT complete a handshake
  713. with degenerate keys. Implementations MUST NOT discard other "weak"
  714. g^x values.
  715. (Discarding degenerate keys is critical for security; if bad keys
  716. are not discarded, an attacker can substitute the OR's CREATED
  717. cell's g^y with 0 or 1, thus creating a known g^xy and impersonating
  718. the OR. Discarding other keys may allow attacks to learn bits of
  719. the private key.)
  720. Once both parties have g^xy, they derive their shared circuit keys
  721. and 'derivative key data' value via the KDF-TOR function in 5.2.1.
  722. 5.1.4. The "ntor" handshake
  723. This handshake uses a set of DH handshakes to compute a set of
  724. shared keys which the client knows are shared only with a particular
  725. server, and the server knows are shared with whomever sent the
  726. original handshake (or with nobody at all). Here we use the
  727. "curve25519" group and representation as specified in "Curve25519:
  728. new Diffie-Hellman speed records" by D. J. Bernstein.
  729. [The ntor handshake was added in Tor 0.2.4.8-alpha.]
  730. In this section, define:
  731. H(x,t) as HMAC_SHA256 with message x and key t.
  732. H_LENGTH = 32.
  733. ID_LENGTH = 20.
  734. G_LENGTH = 32
  735. PROTOID = "ntor-curve25519-sha256-1"
  736. t_mac = PROTOID | ":mac"
  737. t_key = PROTOID | ":key_extract"
  738. t_verify = PROTOID | ":verify"
  739. MULT(a,b) = the multiplication of the curve25519 point 'a' by the
  740. scalar 'b'.
  741. G = The preferred base point for curve25519 ([9])
  742. KEYGEN() = The curve25519 key generation algorithm, returning
  743. a private/public keypair.
  744. m_expand = PROTOID | ":key_expand"
  745. KEYID(A) = A
  746. To perform the handshake, the client needs to know an identity key
  747. digest for the server, and an ntor onion key (a curve25519 public
  748. key) for that server. Call the ntor onion key "B". The client
  749. generates a temporary keypair:
  750. x,X = KEYGEN()
  751. and generates a client-side handshake with contents:
  752. NODEID Server identity digest [ID_LENGTH bytes]
  753. KEYID KEYID(B) [H_LENGTH bytes]
  754. CLIENT_PK X [G_LENGTH bytes]
  755. The server generates a keypair of y,Y = KEYGEN(), and uses its ntor
  756. private key 'b' to compute:
  757. secret_input = EXP(X,y) | EXP(X,b) | ID | B | X | Y | PROTOID
  758. KEY_SEED = H(secret_input, t_key)
  759. verify = H(secret_input, t_verify)
  760. auth_input = verify | ID | B | Y | X | PROTOID | "Server"
  761. The server's handshake reply is:
  762. SERVER_PK Y [G_LENGTH bytes]
  763. AUTH H(auth_input, t_mac) [H_LENGTH bytes]
  764. The client then checks Y is in G^* [see NOTE below], and computes
  765. secret_input = EXP(Y,x) | EXP(B,x) | ID | B | X | Y | PROTOID
  766. KEY_SEED = H(secret_input, t_key)
  767. verify = H(secret_input, t_verify)
  768. auth_input = verify | ID | B | Y | X | PROTOID | "Server"
  769. The client verifies that AUTH == H(auth_input, t_mac).
  770. Both parties check that none of the EXP() operations produced the
  771. point at infinity. [NOTE: This is an adequate replacement for
  772. checking Y for group membership, if the group is curve25519.]
  773. Both parties now have a shared value for KEY_SEED. They expand this
  774. into the keys needed for the Tor relay protocol, using the KDF
  775. described in 5.2.2 and the tag m_expand.
  776. 5.1.5. CREATE_FAST/CREATED_FAST cells
  777. When initializing the first hop of a circuit, the OP has already
  778. established the OR's identity and negotiated a secret key using TLS.
  779. Because of this, it is not always necessary for the OP to perform the
  780. public key operations to create a circuit. In this case, the
  781. OP MAY send a CREATE_FAST cell instead of a CREATE cell for the first
  782. hop only. The OR responds with a CREATED_FAST cell, and the circuit is
  783. created.
  784. A CREATE_FAST cell contains:
  785. Key material (X) [HASH_LEN bytes]
  786. A CREATED_FAST cell contains:
  787. Key material (Y) [HASH_LEN bytes]
  788. Derivative key data [HASH_LEN bytes] (See 5.2.1 below)
  789. The values of X and Y must be generated randomly.
  790. Once both parties have X and Y, they derive their shared circuit keys
  791. and 'derivative key data' value via the KDF-TOR function in 5.2.1.
  792. If an OR sees a circuit created with CREATE_FAST, the OR is sure to be the
  793. first hop of a circuit. ORs SHOULD reject attempts to create streams with
  794. RELAY_BEGIN exiting the circuit at the first hop: letting Tor be used as a
  795. single hop proxy makes exit nodes a more attractive target for compromise.
  796. The CREATE_FAST handshake is currently deprecated whenever it is not
  797. necessary; the migration is controlled by the "usecreatefast"
  798. networkstatus parameter as described in dir-spec.txt.
  799. 5.2. Setting circuit keys
  800. 5.2.1. KDF-TOR
  801. This key derivation function is used by the TAP and CREATE_FAST
  802. handshakes, and in the current hidden service protocol. It shouldn't
  803. be used for new functionality.
  804. If the TAP handshake is used to extend a circuit, both parties
  805. base their key material on K0=g^xy, represented as a big-endian unsigned
  806. integer.
  807. If CREATE_FAST is used, both parties base their key material on
  808. K0=X|Y.
  809. From the base key material K0, they compute KEY_LEN*2+HASH_LEN*3 bytes of
  810. derivative key data as
  811. K = H(K0 | [00]) | H(K0 | [01]) | H(K0 | [02]) | ...
  812. The first HASH_LEN bytes of K form KH; the next HASH_LEN form the forward
  813. digest Df; the next HASH_LEN 41-60 form the backward digest Db; the next
  814. KEY_LEN 61-76 form Kf, and the final KEY_LEN form Kb. Excess bytes from K
  815. are discarded.
  816. KH is used in the handshake response to demonstrate knowledge of the
  817. computed shared key. Df is used to seed the integrity-checking hash
  818. for the stream of data going from the OP to the OR, and Db seeds the
  819. integrity-checking hash for the data stream from the OR to the OP. Kf
  820. is used to encrypt the stream of data going from the OP to the OR, and
  821. Kb is used to encrypt the stream of data going from the OR to the OP.
  822. 5.2.2. KDF-RFC5869
  823. For newer KDF needs, Tor uses the key derivation function HKDF from
  824. RFC5869, instantiated with SHA256. (This is due to a construction
  825. from Krawczyk.) The generated key material is:
  826. K = K_1 | K_2 | K_3 | ...
  827. Where H(x,t) is HMAC_SHA256 with value x and key t
  828. and K_1 = H(m_expand | INT8(1) , KEY_SEED )
  829. and K_(i+1) = H(K_i | m_expand | INT8(i+1) , KEY_SEED )
  830. and m_expand is an arbitrarily chosen value,
  831. and INT8(i) is a octet with the value "i".
  832. In RFC5869's vocabulary, this is HKDF-SHA256 with info == m_expand,
  833. salt == t_key, and IKM == secret_input.
  834. When used in the ntor handshake, the first HASH_LEN bytes form the
  835. forward digest Df; the next HASH_LEN form the backward digest Db; the
  836. next KEY_LEN form Kf, the next KEY_LEN form Kb, and the final
  837. DIGEST_LEN bytes are taken as a nonce to use in the place of KH in the
  838. hidden service protocol. Excess bytes from K are discarded.
  839. 5.3. Creating circuits
  840. When creating a circuit through the network, the circuit creator
  841. (OP) performs the following steps:
  842. 1. Choose an onion router as an exit node (R_N), such that the onion
  843. router's exit policy includes at least one pending stream that
  844. needs a circuit (if there are any).
  845. 2. Choose a chain of (N-1) onion routers
  846. (R_1...R_N-1) to constitute the path, such that no router
  847. appears in the path twice.
  848. 3. If not already connected to the first router in the chain,
  849. open a new connection to that router.
  850. 4. Choose a circID not already in use on the connection with the
  851. first router in the chain; send a CREATE cell along the
  852. connection, to be received by the first onion router.
  853. 5. Wait until a CREATED cell is received; finish the handshake
  854. and extract the forward key Kf_1 and the backward key Kb_1.
  855. 6. For each subsequent onion router R (R_2 through R_N), extend
  856. the circuit to R.
  857. To extend the circuit by a single onion router R_M, the OP performs
  858. these steps:
  859. 1. Create an onion skin, encrypted to R_M's public onion key.
  860. 2. Send the onion skin in a relay EXTEND cell along
  861. the circuit (see section 5).
  862. 3. When a relay EXTENDED cell is received, verify KH, and
  863. calculate the shared keys. The circuit is now extended.
  864. When an onion router receives an EXTEND relay cell, it sends a CREATE
  865. cell to the next onion router, with the enclosed onion skin as its
  866. payload. As special cases, if the extend cell includes a digest of
  867. all zeroes, or asks to extend back to the relay that sent the extend
  868. cell, the circuit will fail and be torn down. The initiating onion
  869. router chooses some circID not yet used on the connection between the
  870. two onion routers. (But see section 5.1.1 above, concerning choosing
  871. circIDs based on lexicographic order of nicknames.)
  872. When an onion router receives a CREATE cell, if it already has a
  873. circuit on the given connection with the given circID, it drops the
  874. cell. Otherwise, after receiving the CREATE cell, it completes the
  875. DH handshake, and replies with a CREATED cell. Upon receiving a
  876. CREATED cell, an onion router packs it payload into an EXTENDED relay
  877. cell (see section 5), and sends that cell up the circuit. Upon
  878. receiving the EXTENDED relay cell, the OP can retrieve g^y.
  879. (As an optimization, OR implementations may delay processing onions
  880. until a break in traffic allows time to do so without harming
  881. network latency too greatly.)
  882. 5.3.1. Canonical connections
  883. It is possible for an attacker to launch a man-in-the-middle attack
  884. against a connection by telling OR Alice to extend to OR Bob at some
  885. address X controlled by the attacker. The attacker cannot read the
  886. encrypted traffic, but the attacker is now in a position to count all
  887. bytes sent between Alice and Bob (assuming Alice was not already
  888. connected to Bob.)
  889. To prevent this, when an OR gets an extend request, it SHOULD use an
  890. existing OR connection if the ID matches, and ANY of the following
  891. conditions hold:
  892. - The IP matches the requested IP.
  893. - The OR knows that the IP of the connection it's using is canonical
  894. because it was listed in the NETINFO cell.
  895. - The OR knows that the IP of the connection it's using is canonical
  896. because it was listed in the server descriptor.
  897. [This is not implemented in Tor 0.2.0.23-rc.]
  898. 5.4. Tearing down circuits
  899. Circuits are torn down when an unrecoverable error occurs along
  900. the circuit, or when all streams on a circuit are closed and the
  901. circuit's intended lifetime is over. Circuits may be torn down
  902. either completely or hop-by-hop.
  903. To tear down a circuit completely, an OR or OP sends a DESTROY
  904. cell to the adjacent nodes on that circuit, using the appropriate
  905. direction's circID.
  906. Upon receiving an outgoing DESTROY cell, an OR frees resources
  907. associated with the corresponding circuit. If it's not the end of
  908. the circuit, it sends a DESTROY cell for that circuit to the next OR
  909. in the circuit. If the node is the end of the circuit, then it tears
  910. down any associated edge connections (see section 6.1).
  911. After a DESTROY cell has been processed, an OR ignores all data or
  912. destroy cells for the corresponding circuit.
  913. To tear down part of a circuit, the OP may send a RELAY_TRUNCATE cell
  914. signaling a given OR (Stream ID zero). That OR sends a DESTROY
  915. cell to the next node in the circuit, and replies to the OP with a
  916. RELAY_TRUNCATED cell.
  917. [Note: If an OR receives a TRUNCATE cell and it has any RELAY cells
  918. still queued on the circuit for the next node it will drop them
  919. without sending them. This is not considered conformant behavior,
  920. but it probably won't get fixed until a later version of Tor. Thus,
  921. clients SHOULD NOT send a TRUNCATE cell to a node running any current
  922. version of Tor if a) they have sent relay cells through that node,
  923. and b) they aren't sure whether those cells have been sent on yet.]
  924. When an unrecoverable error occurs along one connection in a
  925. circuit, the nodes on either side of the connection should, if they
  926. are able, act as follows: the node closer to the OP should send a
  927. RELAY_TRUNCATED cell towards the OP; the node farther from the OP
  928. should send a DESTROY cell down the circuit.
  929. The payload of a RELAY_TRUNCATED or DESTROY cell contains a single octet,
  930. describing why the circuit is being closed or truncated. When sending a
  931. TRUNCATED or DESTROY cell because of another TRUNCATED or DESTROY cell,
  932. the error code should be propagated. The origin of a circuit always sets
  933. this error code to 0, to avoid leaking its version.
  934. The error codes are:
  935. 0 -- NONE (No reason given.)
  936. 1 -- PROTOCOL (Tor protocol violation.)
  937. 2 -- INTERNAL (Internal error.)
  938. 3 -- REQUESTED (A client sent a TRUNCATE command.)
  939. 4 -- HIBERNATING (Not currently operating; trying to save bandwidth.)
  940. 5 -- RESOURCELIMIT (Out of memory, sockets, or circuit IDs.)
  941. 6 -- CONNECTFAILED (Unable to reach relay.)
  942. 7 -- OR_IDENTITY (Connected to relay, but its OR identity was not
  943. as expected.)
  944. 8 -- OR_CONN_CLOSED (The OR connection that was carrying this circuit
  945. died.)
  946. 9 -- FINISHED (The circuit has expired for being dirty or old.)
  947. 10 -- TIMEOUT (Circuit construction took too long)
  948. 11 -- DESTROYED (The circuit was destroyed w/o client TRUNCATE)
  949. 12 -- NOSUCHSERVICE (Request for unknown hidden service)
  950. 5.5. Routing relay cells
  951. When an OR receives a RELAY or RELAY_EARLY cell, it checks the cell's
  952. circID and determines whether it has a corresponding circuit along that
  953. connection. If not, the OR drops the cell.
  954. Otherwise, if the OR is not at the OP edge of the circuit (that is,
  955. either an 'exit node' or a non-edge node), it de/encrypts the payload
  956. with the stream cipher, as follows:
  957. 'Forward' relay cell (same direction as CREATE):
  958. Use Kf as key; decrypt.
  959. 'Back' relay cell (opposite direction from CREATE):
  960. Use Kb as key; encrypt.
  961. Note that in counter mode, decrypt and encrypt are the same operation.
  962. The OR then decides whether it recognizes the relay cell, by
  963. inspecting the payload as described in section 6.1 below. If the OR
  964. recognizes the cell, it processes the contents of the relay cell.
  965. Otherwise, it passes the decrypted relay cell along the circuit if
  966. the circuit continues. If the OR at the end of the circuit
  967. encounters an unrecognized relay cell, an error has occurred: the OR
  968. sends a DESTROY cell to tear down the circuit.
  969. When a relay cell arrives at an OP, the OP decrypts the payload
  970. with the stream cipher as follows:
  971. OP receives data cell:
  972. For I=N...1,
  973. Decrypt with Kb_I. If the payload is recognized (see
  974. section 6..1), then stop and process the payload.
  975. For more information, see section 6 below.
  976. 5.6. Handling relay_early cells
  977. A RELAY_EARLY cell is designed to limit the length any circuit can reach.
  978. When an OR receives a RELAY_EARLY cell, and the next node in the circuit
  979. is speaking v2 of the link protocol or later, the OR relays the cell as a
  980. RELAY_EARLY cell. Otherwise, older Tors will relay it as a RELAY cell.
  981. If a node ever receives more than 8 RELAY_EARLY cells on a given
  982. outbound circuit, it SHOULD close the circuit. If it receives any
  983. inbound RELAY_EARLY cells, it MUST close the circuit immediately.
  984. When speaking v2 of the link protocol or later, clients MUST only send
  985. EXTEND cells inside RELAY_EARLY cells. Clients SHOULD send the first ~8
  986. RELAY cells that are not targeted at the first hop of any circuit as
  987. RELAY_EARLY cells too, in order to partially conceal the circuit length.
  988. [Starting with Tor 0.2.3.11-alpha, relays should
  989. reject any EXTEND cell not received in a RELAY_EARLY cell.]
  990. 6. Application connections and stream management
  991. 6.1. Relay cells
  992. Within a circuit, the OP and the exit node use the contents of
  993. RELAY packets to tunnel end-to-end commands and TCP connections
  994. ("Streams") across circuits. End-to-end commands can be initiated
  995. by either edge; streams are initiated by the OP.
  996. The payload of each unencrypted RELAY cell consists of:
  997. Relay command [1 byte]
  998. 'Recognized' [2 bytes]
  999. StreamID [2 bytes]
  1000. Digest [4 bytes]
  1001. Length [2 bytes]
  1002. Data [PAYLOAD_LEN-11 bytes]
  1003. The relay commands are:
  1004. 1 -- RELAY_BEGIN [forward]
  1005. 2 -- RELAY_DATA [forward or backward]
  1006. 3 -- RELAY_END [forward or backward]
  1007. 4 -- RELAY_CONNECTED [backward]
  1008. 5 -- RELAY_SENDME [forward or backward] [sometimes control]
  1009. 6 -- RELAY_EXTEND [forward] [control]
  1010. 7 -- RELAY_EXTENDED [backward] [control]
  1011. 8 -- RELAY_TRUNCATE [forward] [control]
  1012. 9 -- RELAY_TRUNCATED [backward] [control]
  1013. 10 -- RELAY_DROP [forward or backward] [control]
  1014. 11 -- RELAY_RESOLVE [forward]
  1015. 12 -- RELAY_RESOLVED [backward]
  1016. 13 -- RELAY_BEGIN_DIR [forward]
  1017. 14 -- RELAY_EXTEND2 [forward] [control]
  1018. 15 -- RELAY_EXTENDED2 [backward] [control]
  1019. 32..40 -- Used for hidden services; see rend-spec.txt.
  1020. Commands labelled as "forward" must only be sent by the originator
  1021. of the circuit. Commands labelled as "backward" must only be sent by
  1022. other nodes in the circuit back to the originator. Commands marked
  1023. as either can be sent either by the originator or other nodes.
  1024. The 'recognized' field in any unencrypted relay payload is always set
  1025. to zero; the 'digest' field is computed as the first four bytes of
  1026. the running digest of all the bytes that have been destined for
  1027. this hop of the circuit or originated from this hop of the circuit,
  1028. seeded from Df or Db respectively (obtained in section 5.2 above),
  1029. and including this RELAY cell's entire payload (taken with the digest
  1030. field set to zero).
  1031. When the 'recognized' field of a RELAY cell is zero, and the digest
  1032. is correct, the cell is considered "recognized" for the purposes of
  1033. decryption (see section 5.5 above).
  1034. (The digest does not include any bytes from relay cells that do
  1035. not start or end at this hop of the circuit. That is, it does not
  1036. include forwarded data. Therefore if 'recognized' is zero but the
  1037. digest does not match, the running digest at that node should
  1038. not be updated, and the cell should be forwarded on.)
  1039. All RELAY cells pertaining to the same tunneled stream have the same
  1040. stream ID. StreamIDs are chosen arbitrarily by the OP. No stream
  1041. may have a StreamID of zero. Rather, RELAY cells that affect the
  1042. entire circuit rather than a particular stream use a StreamID of zero
  1043. -- they are marked in the table above as "[control]" style
  1044. cells. (Sendme cells are marked as "sometimes control" because they
  1045. can include a StreamID or not depending on their purpose -- see
  1046. Section 7.)
  1047. The 'Length' field of a relay cell contains the number of bytes in
  1048. the relay payload which contain real payload data. The remainder of
  1049. the payload is padded with NUL bytes.
  1050. If the RELAY cell is recognized but the relay command is not
  1051. understood, the cell must be dropped and ignored. Its contents
  1052. still count with respect to the digests and flow control windows, though.
  1053. 6.2. Opening streams and transferring data
  1054. To open a new anonymized TCP connection, the OP chooses an open
  1055. circuit to an exit that may be able to connect to the destination
  1056. address, selects an arbitrary StreamID not yet used on that circuit,
  1057. and constructs a RELAY_BEGIN cell with a payload encoding the address
  1058. and port of the destination host. The payload format is:
  1059. ADDRPORT [nul-terminated string]
  1060. FLAGS [4 bytes]
  1061. ADDRPORT is made of ADDRESS | ':' | PORT | [00]
  1062. where ADDRESS can be a DNS hostname, or an IPv4 address in
  1063. dotted-quad format, or an IPv6 address surrounded by square brackets;
  1064. and where PORT is a decimal integer between 1 and 65535, inclusive.
  1065. The FLAGS value has one or more of the following bits set, where
  1066. "bit 1" is the LSB of the 32-bit value, and "bit 32" is the MSB.
  1067. (Remember that all values in Tor are big-endian (see 0.1.1 above), so
  1068. the MSB of a 4-byte value is the MSB of the first byte, and the LSB
  1069. of a 4-byte value is the LSB of its last byte.)
  1070. bit meaning
  1071. 1 -- IPv6 okay. We support learning about IPv6 addresses and
  1072. connecting to IPv6 addresses.
  1073. 2 -- IPv4 not okay. We don't want to learn about IPv4 addresses
  1074. or connect to them.
  1075. 3 -- IPv6 preferred. If there are both IPv4 and IPv6 addresses,
  1076. we want to connect to the IPv6 one. (By default, we connect
  1077. to the IPv4 address.)
  1078. 4..32 -- Reserved. Current clients MUST NOT set these. Servers
  1079. MUST ignore them.
  1080. Upon receiving this cell, the exit node resolves the address as
  1081. necessary, and opens a new TCP connection to the target port. If the
  1082. address cannot be resolved, or a connection can't be established, the
  1083. exit node replies with a RELAY_END cell. (See 6.4 below.)
  1084. Otherwise, the exit node replies with a RELAY_CONNECTED cell, whose
  1085. payload is in one of the following formats:
  1086. The IPv4 address to which the connection was made [4 octets]
  1087. A number of seconds (TTL) for which the address may be cached [4 octets]
  1088. or
  1089. Four zero-valued octets [4 octets]
  1090. An address type (6) [1 octet]
  1091. The IPv6 address to which the connection was made [16 octets]
  1092. A number of seconds (TTL) for which the address may be cached [4 octets]
  1093. [Tor exit nodes before 0.1.2.0 set the TTL field to a fixed value. Later
  1094. versions set the TTL to the last value seen from a DNS server, and expire
  1095. their own cached entries after a fixed interval. This prevents certain
  1096. attacks.]
  1097. Once a connection has been established, the OP and exit node
  1098. package stream data in RELAY_DATA cells, and upon receiving such
  1099. cells, echo their contents to the corresponding TCP stream.
  1100. If the exit node does not support optimistic data (i.e. its
  1101. version number is before 0.2.3.1-alpha), then the OP MUST wait
  1102. for a RELAY_CONNECTED cell before sending any data. If the exit
  1103. node supports optimistic data (i.e. its version number is
  1104. 0.2.3.1-alpha or later), then the OP MAY send RELAY_DATA cells
  1105. immediately after sending the RELAY_BEGIN cell (and before
  1106. receiving either a RELAY_CONNECTED or RELAY_END cell).
  1107. RELAY_DATA cells sent to unrecognized streams are dropped. If
  1108. the exit node supports optimistic data, then RELAY_DATA cells it
  1109. receives on streams which have seen RELAY_BEGIN but have not yet
  1110. been replied to with a RELAY_CONNECTED or RELAY_END are queued.
  1111. If the stream creation succeeds with a RELAY_CONNECTED, the queue
  1112. is processed immediately afterwards; if the stream creation fails
  1113. with a RELAY_END, the contents of the queue are deleted.
  1114. Relay RELAY_DROP cells are long-range dummies; upon receiving such
  1115. a cell, the OR or OP must drop it.
  1116. 6.2.1. Opening a directory stream
  1117. If a Tor relay is a directory server, it should respond to a
  1118. RELAY_BEGIN_DIR cell as if it had received a BEGIN cell requesting a
  1119. connection to its directory port. RELAY_BEGIN_DIR cells ignore exit
  1120. policy, since the stream is local to the Tor process.
  1121. If the Tor relay is not running a directory service, it should respond
  1122. with a REASON_NOTDIRECTORY RELAY_END cell.
  1123. Clients MUST generate an all-zero payload for RELAY_BEGIN_DIR cells,
  1124. and relays MUST ignore the payload.
  1125. [RELAY_BEGIN_DIR was not supported before Tor 0.1.2.2-alpha; clients
  1126. SHOULD NOT send it to routers running earlier versions of Tor.]
  1127. 6.3. Closing streams
  1128. When an anonymized TCP connection is closed, or an edge node
  1129. encounters error on any stream, it sends a 'RELAY_END' cell along the
  1130. circuit (if possible) and closes the TCP connection immediately. If
  1131. an edge node receives a 'RELAY_END' cell for any stream, it closes
  1132. the TCP connection completely, and sends nothing more along the
  1133. circuit for that stream.
  1134. The payload of a RELAY_END cell begins with a single 'reason' byte to
  1135. describe why the stream is closing, plus optional data (depending on
  1136. the reason.) The values are:
  1137. 1 -- REASON_MISC (catch-all for unlisted reasons)
  1138. 2 -- REASON_RESOLVEFAILED (couldn't look up hostname)
  1139. 3 -- REASON_CONNECTREFUSED (remote host refused connection) [*]
  1140. 4 -- REASON_EXITPOLICY (OR refuses to connect to host or port)
  1141. 5 -- REASON_DESTROY (Circuit is being destroyed)
  1142. 6 -- REASON_DONE (Anonymized TCP connection was closed)
  1143. 7 -- REASON_TIMEOUT (Connection timed out, or OR timed out
  1144. while connecting)
  1145. 8 -- REASON_NOROUTE (Routing error while attempting to
  1146. contact destination)
  1147. 9 -- REASON_HIBERNATING (OR is temporarily hibernating)
  1148. 10 -- REASON_INTERNAL (Internal error at the OR)
  1149. 11 -- REASON_RESOURCELIMIT (OR has no resources to fulfill request)
  1150. 12 -- REASON_CONNRESET (Connection was unexpectedly reset)
  1151. 13 -- REASON_TORPROTOCOL (Sent when closing connection because of
  1152. Tor protocol violations.)
  1153. 14 -- REASON_NOTDIRECTORY (Client sent RELAY_BEGIN_DIR to a
  1154. non-directory relay.)
  1155. (With REASON_EXITPOLICY, the 4-byte IPv4 address or 16-byte IPv6 address
  1156. forms the optional data, along with a 4-byte TTL; no other reason
  1157. currently has extra data.)
  1158. OPs and ORs MUST accept reasons not on the above list, since future
  1159. versions of Tor may provide more fine-grained reasons.
  1160. Tors SHOULD NOT send any reason except REASON_MISC for a stream that they
  1161. have originated.
  1162. [*] Older versions of Tor also send this reason when connections are
  1163. reset.
  1164. --- [The rest of this section describes unimplemented functionality.]
  1165. Because TCP connections can be half-open, we follow an equivalent
  1166. to TCP's FIN/FIN-ACK/ACK protocol to close streams.
  1167. An exit connection can have a TCP stream in one of three states:
  1168. 'OPEN', 'DONE_PACKAGING', and 'DONE_DELIVERING'. For the purposes
  1169. of modeling transitions, we treat 'CLOSED' as a fourth state,
  1170. although connections in this state are not, in fact, tracked by the
  1171. onion router.
  1172. A stream begins in the 'OPEN' state. Upon receiving a 'FIN' from
  1173. the corresponding TCP connection, the edge node sends a 'RELAY_FIN'
  1174. cell along the circuit and changes its state to 'DONE_PACKAGING'.
  1175. Upon receiving a 'RELAY_FIN' cell, an edge node sends a 'FIN' to
  1176. the corresponding TCP connection (e.g., by calling
  1177. shutdown(SHUT_WR)) and changing its state to 'DONE_DELIVERING'.
  1178. When a stream in already in 'DONE_DELIVERING' receives a 'FIN', it
  1179. also sends a 'RELAY_FIN' along the circuit, and changes its state
  1180. to 'CLOSED'. When a stream already in 'DONE_PACKAGING' receives a
  1181. 'RELAY_FIN' cell, it sends a 'FIN' and changes its state to
  1182. 'CLOSED'.
  1183. If an edge node encounters an error on any stream, it sends a
  1184. 'RELAY_END' cell (if possible) and closes the stream immediately.
  1185. 6.4. Remote hostname lookup
  1186. To find the address associated with a hostname, the OP sends a
  1187. RELAY_RESOLVE cell containing the hostname to be resolved with a NUL
  1188. terminating byte. (For a reverse lookup, the OP sends a RELAY_RESOLVE
  1189. cell containing an in-addr.arpa address.) The OR replies with a
  1190. RELAY_RESOLVED cell containing any number of answers. Each answer is
  1191. of the form:
  1192. Type (1 octet)
  1193. Length (1 octet)
  1194. Value (variable-width)
  1195. TTL (4 octets)
  1196. "Length" is the length of the Value field.
  1197. "Type" is one of:
  1198. 0x00 -- Hostname
  1199. 0x04 -- IPv4 address
  1200. 0x06 -- IPv6 address
  1201. 0xF0 -- Error, transient
  1202. 0xF1 -- Error, nontransient
  1203. If any answer has a type of 'Error', then no other answer may be given.
  1204. For backward compatibility, if there are any IPv4 answers, one of those
  1205. must be given as the first answer.
  1206. The RELAY_RESOLVE cell must use a nonzero, distinct streamID; the
  1207. corresponding RELAY_RESOLVED cell must use the same streamID. No stream
  1208. is actually created by the OR when resolving the name.
  1209. 7. Flow control
  1210. 7.1. Link throttling
  1211. Each client or relay should do appropriate bandwidth throttling to
  1212. keep its user happy.
  1213. Communicants rely on TCP's default flow control to push back when they
  1214. stop reading.
  1215. The mainline Tor implementation uses token buckets (one for reads,
  1216. one for writes) for the rate limiting.
  1217. Since 0.2.0.x, Tor has let the user specify an additional pair of
  1218. token buckets for "relayed" traffic, so people can deploy a Tor relay
  1219. with strict rate limiting, but also use the same Tor as a client. To
  1220. avoid partitioning concerns we combine both classes of traffic over a
  1221. given OR connection, and keep track of the last time we read or wrote
  1222. a high-priority (non-relayed) cell. If it's been less than N seconds
  1223. (currently N=30), we give the whole connection high priority, else we
  1224. give the whole connection low priority. We also give low priority
  1225. to reads and writes for connections that are serving directory
  1226. information. See proposal 111 for details.
  1227. 7.2. Link padding
  1228. Link padding can be created by sending PADDING or VPADDING cells
  1229. along the connection; relay cells of type "DROP" can be used for
  1230. long-range padding. The contents of a PADDING, VPADDING, or DROP
  1231. cell SHOULD be chosen randomly, and MUST be ignored.
  1232. If the link protocol is version 5 or higher, link level padding is
  1233. enabled as per padding-spec.txt. On these connections, clients may
  1234. negotiate the use of padding with a CELL_PADDING_NEGOTIATE command
  1235. whose format is as follows:
  1236. Version [1 byte]
  1237. Command [1 byte]
  1238. ito_low_ms [2 bytes]
  1239. ito_high_ms [2 bytes]
  1240. Currently, only version 0 of this cell is defined. In it, the command
  1241. field is either 1 (stop padding) or 2 (start padding). For the start
  1242. padding command, a pair of timeout values specifying a low and a high
  1243. range bounds for randomized padding timeouts may be specified as unsigned
  1244. integer values in milliseconds. The ito_low_ms field must not be lower than
  1245. the current consensus parameter value for nf_ito_low (default: 1500).
  1246. ito_high_ms must be greater than ito_low_ms.
  1247. For more details on padding behavior, see padding-spec.txt.
  1248. 7.3. Circuit-level flow control
  1249. To control a circuit's bandwidth usage, each OR keeps track of two
  1250. 'windows', consisting of how many RELAY_DATA cells it is allowed to
  1251. originate (package for transmission), and how many RELAY_DATA cells
  1252. it is willing to consume (receive for local streams). These limits
  1253. do not apply to cells that the OR receives from one host and relays
  1254. to another.
  1255. Each 'window' value is initially set based on the consensus parameter
  1256. 'circwindow' in the directory (see dir-spec.txt), or to 1000 data cells
  1257. if no 'circwindow' value is given,
  1258. in each direction (cells that are not data cells do not affect
  1259. the window). When an OR is willing to deliver more cells, it sends a
  1260. RELAY_SENDME cell towards the OP, with Stream ID zero. When an OR
  1261. receives a RELAY_SENDME cell with stream ID zero, it increments its
  1262. packaging window.
  1263. Each of these cells increments the corresponding window by 100.
  1264. The OP behaves identically, except that it must track a packaging
  1265. window and a delivery window for every OR in the circuit.
  1266. An OR or OP sends cells to increment its delivery window when the
  1267. corresponding window value falls under some threshold (900).
  1268. If a packaging window reaches 0, the OR or OP stops reading from
  1269. TCP connections for all streams on the corresponding circuit, and
  1270. sends no more RELAY_DATA cells until receiving a RELAY_SENDME cell.
  1271. [this stuff is badly worded; copy in the tor-design section -RD]
  1272. 7.4. Stream-level flow control
  1273. Edge nodes use RELAY_SENDME cells to implement end-to-end flow
  1274. control for individual connections across circuits. Similarly to
  1275. circuit-level flow control, edge nodes begin with a window of cells
  1276. (500) per stream, and increment the window by a fixed value (50)
  1277. upon receiving a RELAY_SENDME cell. Edge nodes initiate RELAY_SENDME
  1278. cells when both a) the window is <= 450, and b) there are less than
  1279. ten cell payloads remaining to be flushed at that edge.
  1280. 8. Handling resource exhaustion
  1281. 8.1. Memory exhaustion.
  1282. If RAM becomes low, an OR should begin destroying circuits until
  1283. more memory is free again. We recommend the following algorithm:
  1284. - Set a threshold amount of RAM to recover at 10% of the total RAM.
  1285. - Sort the circuits by their 'staleness', defined as the age of the
  1286. oldest data queued on the circuit. This data can be:
  1287. * Bytes that are waiting to flush to or from a stream on that
  1288. circuit.
  1289. * Bytes that are waiting to flush from a connection created with
  1290. BEGIN_DIR.
  1291. * Cells that are waiting to flush or be processed.
  1292. - While we have not yet recovered enough RAM:
  1293. * Free all memory held by the most stale circuit, and send DESTROY
  1294. cells in both directions on that circuit. Count the amount of
  1295. memory we recovered towards the total.
  1296. 9. Subprotocol versioning
  1297. This section specifies the Tor subprotocol versioning. They are broken down
  1298. into different types with their current version numbers. Any new version
  1299. number should be added to this section.
  1300. The dir-spec.txt details how those versions are encoded. See the
  1301. "proto"/"pr" line in a descriptor and the "recommended-relay-protocols",
  1302. "required-relay-protocols", "recommended-client-protocols" and
  1303. "required-client-protocols" lines in the vote/consensus format.
  1304. Here are the rules a relay and client should follow when encountering a
  1305. protocol list in the consensus:
  1306. - When a relay lacks a protocol listed in recommended-relay-protocols,
  1307. it should warn its operator that the relay is obsolete.
  1308. - When a relay lacks a protocol listed in required-relay-protocols, it
  1309. must not attempt to join the network.
  1310. - When a client lacks a protocol listed in recommended-client-protocols,
  1311. it should warn the user that the client is obsolete.
  1312. - When a client lacks a protocol listed in required-client-protocols, it
  1313. must not connect to the network. This implements a "safe forward
  1314. shutdown" mechanism for zombie clients.
  1315. - If a client or relay has a cached consensus telling it that a given
  1316. protocol is required, and it does not implement that protocol, it
  1317. SHOULD NOT try to fetch a newer consensus.
  1318. Starting in version 0.2.9.4-alpha, the initial required protocols for
  1319. clients that we will Recommend and Require are:
  1320. Cons=1-2 Desc=1-2 DirCache=1 HSDir=2 HSIntro=3 HSRend=1 Link=4
  1321. LinkAuth=1 Microdesc=1-2 Relay=2
  1322. For relays we will Require:
  1323. Cons=1 Desc=1 DirCache=1 HSDir=2 HSIntro=3 HSRend=1 Link=3-4
  1324. LinkAuth=1 Microdesc=1 Relay=1-2
  1325. For relays, we will additionally Recommend all protocols which we
  1326. recommend for clients.
  1327. 9.1. "Link"
  1328. The "link" protocols are those used by clients and relays to initiate and
  1329. receive OR connections and to handle cells on OR connections. The "link"
  1330. protocol versions correspond 1:1 to those versions.
  1331. Two Tor instances can make a connection to each other only if they have at
  1332. least one link protocol in common.
  1333. The current "link" versions are: "1" through "4". See section 4.1 for more
  1334. information. All current Tor versions support "1-3"; version from
  1335. 0.2.4.11-alpha and on support "1-4". Eventually we will drop "1" and "2".
  1336. 9.2. "LinkAuth"
  1337. LinkAuth protocols correspond to varieties of Authenticate cells used for
  1338. the v3+ link protocools.
  1339. The current version is "1".
  1340. "2" is unused, and reserved by proposal 244.
  1341. "3" is the ed25519 link handshake of proposal 220.
  1342. 9.3. "Relay"
  1343. The "relay" protocols are those used to handle CREATE cells, and those that
  1344. handle the various RELAY cell types received after a CREATE cell. (Except,
  1345. relay cells used to manage introduction and rendezvous points are managed
  1346. with the "HSIntro" and "HSRend" protocols respectively.)
  1347. Current versions are:
  1348. "1" -- supports the TAP key exchange, with all features in Tor 0.2.3.
  1349. Support for CREATE and CREATED and CREATE_FAST and CREATED_FAST
  1350. and EXTEND and EXTENDED.
  1351. "2" -- supports the ntor key exchange, and all features in Tor
  1352. 0.2.4.19. Includes support for CREATE2 and CREATED2 and
  1353. EXTEND2 and EXTENDED2.
  1354. 9.4. "HSIntro"
  1355. The "HSIntro" protocol handles introduction points.
  1356. "3" -- supports authentication as of proposal 121 in Tor
  1357. 0.2.1.6-alpha.
  1358. "4" -- support ed25519 authentication keys which is defined by the HS v3
  1359. protocol as part of proposal 224 in Tor 0.3.0.4-alpha.
  1360. 9.5. "HSRend"
  1361. The "HSRend" protocol handles rendezvous points.
  1362. "1" -- supports all features in Tor 0.0.6.
  1363. "2" -- supports RENDEZVOUS2 cells of arbitrary length as long as they
  1364. have 20 bytes of cookie in Tor 0.2.9.1-alpha.
  1365. 9.6. "HSDir"
  1366. The "HSDir" protocols are the set of hidden service document types that can
  1367. be uploaded to, understood by, and downloaded from a tor relay, and the set
  1368. of URLs available to fetch them.
  1369. "1" -- supports all features in Tor 0.2.0.10-alpha.
  1370. "2" -- support ed25519 blinded keys request which is defined by the HS v3
  1371. protocol as part of proposal 224 in Tor 0.3.0.4-alpha.
  1372. 9.7. "DirCache"
  1373. The "DirCache" protocols are the set of documents available for download
  1374. from a directory cache via BEGIN_DIR, and the set of URLs available to
  1375. fetch them. (This excludes URLs for hidden service objects.)
  1376. "1" -- supports all features in Tor 0.2.4.19.
  1377. 9.8. "Desc"
  1378. Describes features present or absent in descriptors.
  1379. Most features in descriptors don't require a "Desc" update -- only those
  1380. that need to someday be required. For example, someday clients will need
  1381. to understand ed25519 identities.
  1382. "1" -- supports all features in Tor 0.2.4.19.
  1383. "2" -- cross-signing with onion-keys, signing with ed25519
  1384. identities.
  1385. 9.9. "Microdesc"
  1386. Describes features present or absent in microdescriptors.
  1387. Most features in descriptors don't require a "MicroDesc" update -- only
  1388. those that need to someday be required. These correspond more or less with
  1389. consensus methods.
  1390. "1" -- consensus methods 9 through 20.
  1391. "2" -- consensus method 21 (adds ed25519 keys to microdescs).
  1392. 9.10. "Cons"
  1393. Describes features present or absent in consensus documents.
  1394. Most features in consensus documents don't require a "Cons" update -- only
  1395. those that need to someday be required.
  1396. These correspond more or less with consensus methods.
  1397. "1" -- consensus methods 9 through 20.
  1398. "2" -- consensus method 21 (adds ed25519 keys to microdescs).