tor-spec.txt 45 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061
  1. $Id$
  2. Tor Protocol Specification
  3. Roger Dingledine
  4. Nick Mathewson
  5. Note: This is an attempt to specify Tor as currently implemented. Future
  6. versions of Tor will implement improved protocols, and compatibility is not
  7. guaranteed.
  8. This is not a design document; most design criteria are not examined. For
  9. more information on why Tor acts as it does, see tor-design.pdf.
  10. TODO: (very soon)
  11. - REASON_CONNECTFAILED should include an IP.
  12. - Copy prose from tor-design to make everything more readable.
  13. when do we rotate which keys (tls, link, etc)?
  14. 0. Preliminaries
  15. 0.1. Notation and encoding
  16. PK -- a public key.
  17. SK -- a private key
  18. K -- a key for a symmetric cypher
  19. a|b -- concatenation of 'a' and 'b'.
  20. [A0 B1 C2] -- a three-byte sequence, containing the bytes with
  21. hexadecimal values A0, B1, and C2, in that order.
  22. All numeric values are encoded in network (big-endian) order.
  23. H(m) -- a cryptographic hash of m.
  24. 0.2. Security parameters
  25. Tor uses a stream cipher, a public-key cipher, the Diffie-Hellman
  26. protocol, and and a hash function.
  27. KEY_LEN -- the length of the stream cipher's key, in bytes.
  28. PK_ENC_LEN -- the length of a public-key encrypted message, in bytes.
  29. PK_PAD_LEN -- the number of bytes added in padding for public-key
  30. encryption, in bytes. (The largest number of bytes that can be encrypted
  31. in a single public-key operation is therefore PK_ENC_LEN-PK_PAD_LEN.)
  32. DH_LEN -- the number of bytes used to represent a member of the
  33. Diffie-Hellman group.
  34. DH_SEC_LEN -- the number of bytes used in a Diffie-Hellman private key (x).
  35. HASH_LEN -- the length of the hash function's output, in bytes.
  36. CELL_LEN -- The length of a Tor cell, in bytes.
  37. 0.3. Ciphers
  38. For a stream cipher, we use 128-bit AES in counter mode, with an IV of all
  39. 0 bytes.
  40. For a public-key cipher, we use RSA with 1024-bit keys and a fixed
  41. exponent of 65537. We use OAEP padding, with SHA-1 as its digest
  42. function. (For OAEP padding, see
  43. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf)
  44. For Diffie-Hellman, we use a generator (g) of 2. For the modulus (p), the
  45. 1024-bit safe prime from rfc2409, (section 6.2) whose hex representation
  46. is:
  47. "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
  48. "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
  49. "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
  50. "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
  51. "49286651ECE65381FFFFFFFFFFFFFFFF"
  52. As an optimization, implementations SHOULD choose DH private keys (x) of
  53. 320 bits. Implementations that do this MUST never use any DH key more
  54. than once.
  55. For a hash function, we use SHA-1.
  56. KEY_LEN=16.
  57. DH_LEN=128; DH_GROUP_LEN=40.
  58. PK_ENC_LEN=128; PK_PAD_LEN=42.
  59. HASH_LEN=20.
  60. When we refer to "the hash of a public key", we mean the SHA-1 hash of the
  61. DER encoding of an ASN.1 RSA public key (as specified in PKCS.1).
  62. All "random" values should be generated with a cryptographically strong
  63. random number generator, unless otherwise noted.
  64. The "hybrid encryption" of a byte sequence M with a public key PK is
  65. computed as follows:
  66. 1. If M is less than PK_ENC_LEN-PK_PAD_LEN, pad and encrypt M with PK.
  67. 2. Otherwise, generate a KEY_LEN byte random key K.
  68. Let M1 = the first PK_ENC_LEN-PK_PAD_LEN-KEY_LEN bytes of M,
  69. and let M2 = the rest of M.
  70. Pad and encrypt K|M1 with PK. Encrypt M2 with our stream cipher,
  71. using the key K. Concatenate these encrypted values.
  72. (Note that this "hybrid encryption" approach does not prevent an attacker
  73. from adding or removing bytes to the end of M.)
  74. 0.4. Other parameter values
  75. CELL_LEN=512
  76. 1. System overview
  77. Onion Routing is a distributed overlay network designed to anonymize
  78. low-latency TCP-based applications such as web browsing, secure shell,
  79. and instant messaging. Clients choose a path through the network and
  80. build a ``circuit'', in which each node (or ``onion router'' or ``OR'')
  81. in the path knows its predecessor and successor, but no other nodes in
  82. the circuit. Traffic flowing down the circuit is sent in fixed-size
  83. ``cells'', which are unwrapped by a symmetric key at each node (like
  84. the layers of an onion) and relayed downstream.
  85. 2. Connections
  86. There are two ways to connect to an onion router (OR). The first is
  87. as an onion proxy (OP), which allows the OP to authenticate the OR
  88. without authenticating itself. The second is as another OR, which
  89. allows mutual authentication.
  90. Tor uses TLS for link encryption. All implementations MUST support
  91. the TLS ciphersuite "TLS_EDH_RSA_WITH_DES_192_CBC3_SHA", and SHOULD
  92. support "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" if it is available.
  93. Implementations MAY support other ciphersuites, but MUST NOT
  94. support any suite without ephemeral keys, symmetric keys of at
  95. least KEY_LEN bits, and digests of at least HASH_LEN bits.
  96. An OP or OR always sends a two-certificate chain, consisting of a
  97. certificate using a short-term connection key and a second, self-
  98. signed certificate containing the OR's identity key. The commonName of the
  99. first certificate is the OR's nickname, and the commonName of the second
  100. certificate is the OR's nickname, followed by a space and the string
  101. "<identity>".
  102. All parties receiving certificates must confirm that the identity key is
  103. as expected. (When initiating a connection, the expected identity key is
  104. the one given in the directory; when creating a connection because of an
  105. EXTEND cell, the expected identity key is the one given in the cell.) If
  106. the key is not as expected, the party must close the connection.
  107. All parties SHOULD reject connections to or from ORs that have malformed
  108. or missing certificates. ORs MAY accept or reject connections from OPs
  109. with malformed or missing certificates.
  110. Once a TLS connection is established, the two sides send cells
  111. (specified below) to one another. Cells are sent serially. All
  112. cells are CELL_LEN bytes long. Cells may be sent embedded in TLS
  113. records of any size or divided across TLS records, but the framing
  114. of TLS records MUST NOT leak information about the type or contents
  115. of the cells.
  116. TLS connections are not permanent. An OP or an OR may close a
  117. connection to an OR if there are no circuits running over the
  118. connection, and an amount of time (KeepalivePeriod, defaults to 5
  119. minutes) has passed.
  120. (As an exception, directory servers may try to stay connected to all of
  121. the ORs.)
  122. 3. Cell Packet format
  123. The basic unit of communication for onion routers and onion
  124. proxies is a fixed-width "cell". Each cell contains the following
  125. fields:
  126. CircID [2 bytes]
  127. Command [1 byte]
  128. Payload (padded with 0 bytes) [CELL_LEN-3 bytes]
  129. [Total size: CELL_LEN bytes]
  130. The CircID field determines which circuit, if any, the cell is
  131. associated with.
  132. The 'Command' field holds one of the following values:
  133. 0 -- PADDING (Padding) (See Sec 6.2)
  134. 1 -- CREATE (Create a circuit) (See Sec 4)
  135. 2 -- CREATED (Acknowledge create) (See Sec 4)
  136. 3 -- RELAY (End-to-end data) (See Sec 5)
  137. 4 -- DESTROY (Stop using a circuit) (See Sec 4)
  138. 5 -- CREATE_FAST (Create a circuit, no PK) (See sec 4)
  139. 6 -- CREATED_FAST (Circtuit created, no PK) (See Sec 4)
  140. The interpretation of 'Payload' depends on the type of the cell.
  141. PADDING: Payload is unused.
  142. CREATE: Payload contains the handshake challenge.
  143. CREATED: Payload contains the handshake response.
  144. RELAY: Payload contains the relay header and relay body.
  145. DESTROY: Payload contains a reason for closing the circuit.
  146. (see 4.4)
  147. Upon receiving any other value for the command field, an OR must
  148. drop the cell.
  149. The payload is padded with 0 bytes.
  150. PADDING cells are currently used to implement connection keepalive.
  151. If there is no other traffic, ORs and OPs send one another a PADDING
  152. cell every few minutes.
  153. CREATE, CREATED, and DESTROY cells are used to manage circuits;
  154. see section 4 below.
  155. RELAY cells are used to send commands and data along a circuit; see
  156. section 5 below.
  157. 4. Circuit management
  158. 4.1. CREATE and CREATED cells
  159. Users set up circuits incrementally, one hop at a time. To create a
  160. new circuit, OPs send a CREATE cell to the first node, with the
  161. first half of the DH handshake; that node responds with a CREATED
  162. cell with the second half of the DH handshake plus the first 20 bytes
  163. of derivative key data (see section 4.2). To extend a circuit past
  164. the first hop, the OP sends an EXTEND relay cell (see section 5)
  165. which instructs the last node in the circuit to send a CREATE cell
  166. to extend the circuit.
  167. The payload for a CREATE cell is an 'onion skin', which consists
  168. of the first step of the DH handshake data (also known as g^x).
  169. This value is hybrid-encrypted (see 0.3) to Bob's public key, giving
  170. an onion-skin of:
  171. PK-encrypted:
  172. Padding padding [PK_PAD_LEN bytes]
  173. Symmetric key [KEY_LEN bytes]
  174. First part of g^x [PK_ENC_LEN-PK_PAD_LEN-KEY_LEN bytes]
  175. Symmetrically encrypted:
  176. Second part of g^x [DH_LEN-(PK_ENC_LEN-PK_PAD_LEN-KEY_LEN)
  177. bytes]
  178. The relay payload for an EXTEND relay cell consists of:
  179. Address [4 bytes]
  180. Port [2 bytes]
  181. Onion skin [DH_LEN+KEY_LEN+PK_PAD_LEN bytes]
  182. Identity fingerprint [HASH_LEN bytes]
  183. The port and address field denote the IPV4 address and port of the next
  184. onion router in the circuit; the public key hash is the hash of the PKCS#1
  185. ASN1 encoding of the next onion router's identity (signing) key. (See 0.3
  186. above.) (Including this hash allows the extending OR verify that it is
  187. indeed connected to the correct target OR, and prevents certain
  188. man-in-the-middle attacks.)
  189. The payload for a CREATED cell, or the relay payload for an
  190. EXTENDED cell, contains:
  191. DH data (g^y) [DH_LEN bytes]
  192. Derivative key data (KH) [HASH_LEN bytes] <see 4.2 below>
  193. The CircID for a CREATE cell is an arbitrarily chosen 2-byte integer,
  194. selected by the node (OP or OR) that sends the CREATE cell. To prevent
  195. CircID collisions, when one OR sends a CREATE cell to another, it chooses
  196. from only one half of the possible values based on the ORs' public
  197. identity keys: if the sending OR has a lower key, it chooses a CircID with
  198. an MSB of 0; otherwise, it chooses a CircID with an MSB of 1.
  199. Public keys are compared numerically by modulus.
  200. As usual with DH, x and y MUST be generated randomly.
  201. (Older versions of Tor compared OR nicknames, and did it in a broken and
  202. unreliable way. To support versions of Tor earlier than 0.0.9pre6,
  203. implementations should notice when the other side of a connection is
  204. sending CREATE cells with the "wrong" MSB, and switch accordingly.)
  205. 4.1.1. CREATE_FAST/CREATED_FAST cells
  206. When initializing the first hop of a circuit, the OP has already
  207. established the OR's identity and negotiated a secret key using TLS.
  208. Because of this, it is not always necessary for the OP to perform the
  209. public key operations to create a circuit. In this case, the
  210. OP MAY send a CREATE_FAST cell instead of a CREATE cell for the first
  211. hop only. The OR responds with a CREATED_FAST cell, and the circuit is
  212. created.
  213. A CREATE_FAST cell contains:
  214. Key material (X) [HASH_LEN bytes]
  215. A CREATED_FAST cell contains:
  216. Key material (Y) [HASH_LEN bytes]
  217. Derivative key data [HASH_LEN bytes] (See 4.2 below)
  218. The values of X and Y must be generated randomly.
  219. [Versions of Tor before 0.1.0.6-rc did not support these cell types;
  220. clients should not send CREATE_FAST cells to older Tor servers.]
  221. 4.2. Setting circuit keys
  222. Once the handshake between the OP and an OR is completed, both can
  223. now calculate g^xy with ordinary DH. Before computing g^xy, both client
  224. and server MUST verify that the received g^x or g^y value is not degenerate;
  225. that is, it must be strictly greater than 1 and strictly less than p-1
  226. where p is the DH modulus. Implementations MUST NOT complete a handshake
  227. with degenerate keys. Implementations MAY discard other "weak" g^x values.
  228. (Discarding degenerate keys is critical for security; if bad keys are not
  229. discarded, an attacker can substitute the server's CREATED cell's g^y with
  230. 0 or 1, thus creating a known g^xy and impersonating the server.)
  231. (The mainline Tor implementation, in the 0.1.1.x-alpha series, discarded
  232. all g^x values less than 2^24, greater than p-2^24, or having more than
  233. 1024-16 identical bits. This served no useful purpose, and we stopped.)
  234. If CREATE or EXTEND is used to extend a circuit, the client and server
  235. base their key material on K0=g^xy, represented as a big-endian unsigned
  236. integer.
  237. If CREATE_FAST is used, the client and server base their key material on
  238. K0=X|Y.
  239. From the base key material K0, they compute KEY_LEN*2+HASH_LEN*3 bytes of
  240. derivative key data as
  241. K = H(K0 | [00]) | H(K0 | [01]) | H(K0 | [02]) | ...
  242. The first HASH_LEN bytes of K form KH; the next HASH_LEN form the forward
  243. digest Df; the next HASH_LEN 41-60 form the backward digest Db; the next
  244. KEY_LEN 61-76 form Kf, and the final KEY_LEN form Kb. Excess bytes from K
  245. are discarded.
  246. KH is used in the handshake response to demonstrate knowledge of the
  247. computed shared key. Df is used to seed the integrity-checking hash
  248. for the stream of data going from the OP to the OR, and Db seeds the
  249. integrity-checking hash for the data stream from the OR to the OP. Kf
  250. is used to encrypt the stream of data going from the OP to the OR, and
  251. Kb is used to encrypt the stream of data going from the OR to the OP.
  252. 4.3. Creating circuits
  253. When creating a circuit through the network, the circuit creator
  254. (OP) performs the following steps:
  255. 1. Choose an onion router as an exit node (R_N), such that the onion
  256. router's exit policy includes at least one pending stream that
  257. needs a circuit (if there are any).
  258. 2. Choose a chain of (N-1) onion routers
  259. (R_1...R_N-1) to constitute the path, such that no router
  260. appears in the path twice.
  261. 3. If not already connected to the first router in the chain,
  262. open a new connection to that router.
  263. 4. Choose a circID not already in use on the connection with the
  264. first router in the chain; send a CREATE cell along the
  265. connection, to be received by the first onion router.
  266. 5. Wait until a CREATED cell is received; finish the handshake
  267. and extract the forward key Kf_1 and the backward key Kb_1.
  268. 6. For each subsequent onion router R (R_2 through R_N), extend
  269. the circuit to R.
  270. To extend the circuit by a single onion router R_M, the OP performs
  271. these steps:
  272. 1. Create an onion skin, encrypted to R_M's public key.
  273. 2. Send the onion skin in a relay EXTEND cell along
  274. the circuit (see section 5).
  275. 3. When a relay EXTENDED cell is received, verify KH, and
  276. calculate the shared keys. The circuit is now extended.
  277. When an onion router receives an EXTEND relay cell, it sends a CREATE
  278. cell to the next onion router, with the enclosed onion skin as its
  279. payload. The initiating onion router chooses some circID not yet
  280. used on the connection between the two onion routers. (But see
  281. section 4.1. above, concerning choosing circIDs based on
  282. lexicographic order of nicknames.)
  283. When an onion router receives a CREATE cell, if it already has a
  284. circuit on the given connection with the given circID, it drops the
  285. cell. Otherwise, after receiving the CREATE cell, it completes the
  286. DH handshake, and replies with a CREATED cell. Upon receiving a
  287. CREATED cell, an onion router packs it payload into an EXTENDED relay
  288. cell (see section 5), and sends that cell up the circuit. Upon
  289. receiving the EXTENDED relay cell, the OP can retrieve g^y.
  290. (As an optimization, OR implementations may delay processing onions
  291. until a break in traffic allows time to do so without harming
  292. network latency too greatly.)
  293. 4.4. Tearing down circuits
  294. Circuits are torn down when an unrecoverable error occurs along
  295. the circuit, or when all streams on a circuit are closed and the
  296. circuit's intended lifetime is over. Circuits may be torn down
  297. either completely or hop-by-hop.
  298. To tear down a circuit completely, an OR or OP sends a DESTROY
  299. cell to the adjacent nodes on that circuit, using the appropriate
  300. direction's circID.
  301. Upon receiving an outgoing DESTROY cell, an OR frees resources
  302. associated with the corresponding circuit. If it's not the end of
  303. the circuit, it sends a DESTROY cell for that circuit to the next OR
  304. in the circuit. If the node is the end of the circuit, then it tears
  305. down any associated edge connections (see section 5.1).
  306. After a DESTROY cell has been processed, an OR ignores all data or
  307. destroy cells for the corresponding circuit.
  308. To tear down part of a circuit, the OP may send a RELAY_TRUNCATE cell
  309. signaling a given OR (Stream ID zero). That OR sends a DESTROY
  310. cell to the next node in the circuit, and replies to the OP with a
  311. RELAY_TRUNCATED cell.
  312. When an unrecoverable error occurs along one connection in a
  313. circuit, the nodes on either side of the connection should, if they
  314. are able, act as follows: the node closer to the OP should send a
  315. RELAY_TRUNCATED cell towards the OP; the node farther from the OP
  316. should send a DESTROY cell down the circuit.
  317. The payload of a RELAY_TRUNCATED or DESTROY cell contains a single octet,
  318. describing why the circuit is being closed or truncated. When sending a
  319. TRUNCATED or DESTROY cell because of another TRUNCATED or DESTROY cell,
  320. the error code should be propagated. The origin of a circuit always sets
  321. this error code to 0, to avoid leaking its version.
  322. The error codes are:
  323. 0 -- NONE (No reason given.)
  324. 1 -- PROTOCOL (Tor protocol violation.)
  325. 2 -- INTERNAL (Internal error.)
  326. 3 -- REQUESTED (A client sent a TRUNCATE command.)
  327. 4 -- HIBERNATING (Not currently operating; trying to save bandwidth.)
  328. 5 -- RESOURCELIMIT (Out of memory, sockets, or circuit IDs.)
  329. 6 -- CONNECTFAILED (Unable to reach server.)
  330. 7 -- OR_IDENTITY (Connected to server, but its OR identity was not
  331. as expected.)
  332. 8 -- OR_CONN_CLOSED (The OR connection that was carrying this circuit
  333. died.)
  334. [Versions of Tor prior to 0.1.0.11 didn't sent versions; implementations
  335. MUST accept empty TRUNCATED and DESTROY cells.]
  336. 4.5. Routing relay cells
  337. When an OR receives a RELAY cell, it checks the cell's circID and
  338. determines whether it has a corresponding circuit along that
  339. connection. If not, the OR drops the RELAY cell.
  340. Otherwise, if the OR is not at the OP edge of the circuit (that is,
  341. either an 'exit node' or a non-edge node), it de/encrypts the payload
  342. with the stream cipher, as follows:
  343. 'Forward' relay cell (same direction as CREATE):
  344. Use Kf as key; decrypt.
  345. 'Back' relay cell (opposite direction from CREATE):
  346. Use Kb as key; encrypt.
  347. Note that in counter mode, decrypt and encrypt are the same operation.
  348. The OR then decides whether it recognizes the relay cell, by
  349. inspecting the payload as described in section 5.1 below. If the OR
  350. recognizes the cell, it processes the contents of the relay cell.
  351. Otherwise, it passes the decrypted relay cell along the circuit if
  352. the circuit continues. If the OR at the end of the circuit
  353. encounters an unrecognized relay cell, an error has occurred: the OR
  354. sends a DESTROY cell to tear down the circuit.
  355. When a relay cell arrives at an OP, the OP decrypts the payload
  356. with the stream cipher as follows:
  357. OP receives data cell:
  358. For I=N...1,
  359. Decrypt with Kb_I. If the payload is recognized (see
  360. section 5.1), then stop and process the payload.
  361. For more information, see section 5 below.
  362. 5. Application connections and stream management
  363. 5.1. Relay cells
  364. Within a circuit, the OP and the exit node use the contents of
  365. RELAY packets to tunnel end-to-end commands and TCP connections
  366. ("Streams") across circuits. End-to-end commands can be initiated
  367. by either edge; streams are initiated by the OP.
  368. The payload of each unencrypted RELAY cell consists of:
  369. Relay command [1 byte]
  370. 'Recognized' [2 bytes]
  371. StreamID [2 bytes]
  372. Digest [4 bytes]
  373. Length [2 bytes]
  374. Data [CELL_LEN-14 bytes]
  375. The relay commands are:
  376. 1 -- RELAY_BEGIN [forward]
  377. 2 -- RELAY_DATA [forward or backward]
  378. 3 -- RELAY_END [forward or backward]
  379. 4 -- RELAY_CONNECTED [backward]
  380. 5 -- RELAY_SENDME [forward or backward]
  381. 6 -- RELAY_EXTEND [forward]
  382. 7 -- RELAY_EXTENDED [backward]
  383. 8 -- RELAY_TRUNCATE [forward]
  384. 9 -- RELAY_TRUNCATED [backward]
  385. 10 -- RELAY_DROP [forward or backward]
  386. 11 -- RELAY_RESOLVE [forward]
  387. 12 -- RELAY_RESOLVED [backward]
  388. Commands labelled as "forward" must only be sent by the originator
  389. of the circuit. Commands labelled as "backward" must only be sent by
  390. other nodes in the circuit back to the originator. Commands marked
  391. as either can be sent either by the originator or other nodes.
  392. The 'recognized' field in any unencrypted relay payload is always set
  393. to zero; the 'digest' field is computed as the first four bytes of
  394. the running digest of all the bytes that have been destined for
  395. this hop of the circuit or originated from this hop of the circuit,
  396. seeded from Df or Db respectively (obtained in section 4.2 above),
  397. and including this RELAY cell's entire payload (taken with the digest
  398. field set to zero).
  399. When the 'recognized' field of a RELAY cell is zero, and the digest
  400. is correct, the cell is considered "recognized" for the purposes of
  401. decryption (see section 4.5 above).
  402. (The digest does not include any bytes from relay cells that do
  403. not start or end at this hop of the circuit. That is, it does not
  404. include forwarded data. Therefore if 'recognized' is zero but the
  405. digest does not match, the running digest at that node should
  406. not be updated, and the cell should be forwarded on.)
  407. All RELAY cells pertaining to the same tunneled stream have the
  408. same stream ID. StreamIDs are chosen arbitrarily by the OP. RELAY
  409. cells that affect the entire circuit rather than a particular
  410. stream use a StreamID of zero.
  411. The 'Length' field of a relay cell contains the number of bytes in
  412. the relay payload which contain real payload data. The remainder of
  413. the payload is padded with NUL bytes.
  414. If the RELAY cell is recognized but the relay command is not
  415. understood, the cell must be dropped and ignored. Its contents
  416. still count with respect to the digests, though. [Before
  417. 0.1.1.10, Tor closed circuits when it received an unknown relay
  418. command. Perhaps this will be more forward-compatible. -RD]
  419. 5.2. Opening streams and transferring data
  420. To open a new anonymized TCP connection, the OP chooses an open
  421. circuit to an exit that may be able to connect to the destination
  422. address, selects an arbitrary StreamID not yet used on that circuit,
  423. and constructs a RELAY_BEGIN cell with a payload encoding the address
  424. and port of the destination host. The payload format is:
  425. ADDRESS | ':' | PORT | [00]
  426. where ADDRESS can be a DNS hostname, or an IPv4 address in
  427. dotted-quad format, or an IPv6 address surrounded by square brackets;
  428. and where PORT is encoded in decimal.
  429. [What is the [00] for? -NM]
  430. [It's so the payload is easy to parse out with string funcs -RD]
  431. Upon receiving this cell, the exit node resolves the address as
  432. necessary, and opens a new TCP connection to the target port. If the
  433. address cannot be resolved, or a connection can't be established, the
  434. exit node replies with a RELAY_END cell. (See 5.4 below.)
  435. Otherwise, the exit node replies with a RELAY_CONNECTED cell, whose
  436. payload is in one of the following formats:
  437. The IPv4 address to which the connection was made [4 octets]
  438. A number of seconds (TTL) for which the address may be cached [4 octets]
  439. or
  440. Four zero-valued octets [4 octets]
  441. An address type (6) [1 octet]
  442. The IPv6 address to which the connection was made [16 octets]
  443. A number of seconds (TTL) for which the address may be cached [4 octets]
  444. [XXXX Versions of Tor before 0.1.1.6 ignore and do not generate the TTL
  445. field. No version of Tor currently generates the IPv6 format.
  446. Tor servers before 0.1.2.0 set the TTL field to a fixed value. Later
  447. versions set the TTL to the last value seen from a DNS server, and expire
  448. their own cached entries after a fixed interval. This prevents certain
  449. attacks.]
  450. The OP waits for a RELAY_CONNECTED cell before sending any data.
  451. Once a connection has been established, the OP and exit node
  452. package stream data in RELAY_DATA cells, and upon receiving such
  453. cells, echo their contents to the corresponding TCP stream.
  454. RELAY_DATA cells sent to unrecognized streams are dropped.
  455. Relay RELAY_DROP cells are long-range dummies; upon receiving such
  456. a cell, the OR or OP must drop it.
  457. 5.3. Closing streams
  458. When an anonymized TCP connection is closed, or an edge node
  459. encounters error on any stream, it sends a 'RELAY_END' cell along the
  460. circuit (if possible) and closes the TCP connection immediately. If
  461. an edge node receives a 'RELAY_END' cell for any stream, it closes
  462. the TCP connection completely, and sends nothing more along the
  463. circuit for that stream.
  464. The payload of a RELAY_END cell begins with a single 'reason' byte to
  465. describe why the stream is closing, plus optional data (depending on
  466. the reason.) The values are:
  467. 1 -- REASON_MISC (catch-all for unlisted reasons)
  468. 2 -- REASON_RESOLVEFAILED (couldn't look up hostname)
  469. 3 -- REASON_CONNECTREFUSED (remote host refused connection) [*]
  470. 4 -- REASON_EXITPOLICY (OR refuses to connect to host or port)
  471. 5 -- REASON_DESTROY (Circuit is being destroyed)
  472. 6 -- REASON_DONE (Anonymized TCP connection was closed)
  473. 7 -- REASON_TIMEOUT (Connection timed out, or OR timed out
  474. while connecting)
  475. 8 -- (unallocated) [**]
  476. 9 -- REASON_HIBERNATING (OR is temporarily hibernating)
  477. 10 -- REASON_INTERNAL (Internal error at the OR)
  478. 11 -- REASON_RESOURCELIMIT (OR has no resources to fulfill request)
  479. 12 -- REASON_CONNRESET (Connection was unexpectedly reset)
  480. 13 -- REASON_TORPROTOCOL (Sent when closing connection because of
  481. Tor protocol violations.)
  482. (With REASON_EXITPOLICY, the 4-byte IPv4 address or 16-byte IPv6 address
  483. forms the optional data; no other reason currently has extra data.
  484. As of 0.1.1.6, the body also contains a 4-byte TTL.)
  485. OPs and ORs MUST accept reasons not on the above list, since future
  486. versions of Tor may provide more fine-grained reasons.
  487. [*] Older versions of Tor also send this reason when connections are
  488. reset.
  489. [**] Due to a bug in versions of Tor through 0095, error reason 8 must
  490. remain allocated until that version is obsolete.
  491. --- [The rest of this section describes unimplemented functionality.]
  492. Because TCP connections can be half-open, we follow an equivalent
  493. to TCP's FIN/FIN-ACK/ACK protocol to close streams.
  494. An exit connection can have a TCP stream in one of three states:
  495. 'OPEN', 'DONE_PACKAGING', and 'DONE_DELIVERING'. For the purposes
  496. of modeling transitions, we treat 'CLOSED' as a fourth state,
  497. although connections in this state are not, in fact, tracked by the
  498. onion router.
  499. A stream begins in the 'OPEN' state. Upon receiving a 'FIN' from
  500. the corresponding TCP connection, the edge node sends a 'RELAY_FIN'
  501. cell along the circuit and changes its state to 'DONE_PACKAGING'.
  502. Upon receiving a 'RELAY_FIN' cell, an edge node sends a 'FIN' to
  503. the corresponding TCP connection (e.g., by calling
  504. shutdown(SHUT_WR)) and changing its state to 'DONE_DELIVERING'.
  505. When a stream in already in 'DONE_DELIVERING' receives a 'FIN', it
  506. also sends a 'RELAY_FIN' along the circuit, and changes its state
  507. to 'CLOSED'. When a stream already in 'DONE_PACKAGING' receives a
  508. 'RELAY_FIN' cell, it sends a 'FIN' and changes its state to
  509. 'CLOSED'.
  510. If an edge node encounters an error on any stream, it sends a
  511. 'RELAY_END' cell (if possible) and closes the stream immediately.
  512. 5.4. Remote hostname lookup
  513. To find the address associated with a hostname, the OP sends a
  514. RELAY_RESOLVE cell containing the hostname to be resolved. (For a reverse
  515. lookup, the OP sends a RELAY_RESOLVE cell containing an in-addr.arpa
  516. address.) The OR replies with a RELAY_RESOLVED cell containing a status
  517. byte, and any number of answers. Each answer is of the form:
  518. Type (1 octet)
  519. Length (1 octet)
  520. Value (variable-width)
  521. TTL (4 octets)
  522. "Length" is the length of the Value field.
  523. "Type" is one of:
  524. 0x00 -- Hostname
  525. 0x04 -- IPv4 address
  526. 0x06 -- IPv6 address
  527. 0xF0 -- Error, transient
  528. 0xF1 -- Error, nontransient
  529. If any answer has a type of 'Error', then no other answer may be given.
  530. The RELAY_RESOLVE cell must use a nonzero, distinct streamID; the
  531. corresponding RELAY_RESOLVED cell must use the same streamID. No stream
  532. is actually created by the OR when resolving the name.
  533. 6. Flow control
  534. 6.1. Link throttling
  535. Each node should do appropriate bandwidth throttling to keep its
  536. user happy.
  537. Communicants rely on TCP's default flow control to push back when they
  538. stop reading.
  539. 6.2. Link padding
  540. Currently nodes are not required to do any sort of link padding or
  541. dummy traffic. Because strong attacks exist even with link padding,
  542. and because link padding greatly increases the bandwidth requirements
  543. for running a node, we plan to leave out link padding until this
  544. tradeoff is better understood.
  545. 6.3. Circuit-level flow control
  546. To control a circuit's bandwidth usage, each OR keeps track of
  547. two 'windows', consisting of how many RELAY_DATA cells it is
  548. allowed to package for transmission, and how many RELAY_DATA cells
  549. it is willing to deliver to streams outside the network.
  550. Each 'window' value is initially set to 1000 data cells
  551. in each direction (cells that are not data cells do not affect
  552. the window). When an OR is willing to deliver more cells, it sends a
  553. RELAY_SENDME cell towards the OP, with Stream ID zero. When an OR
  554. receives a RELAY_SENDME cell with stream ID zero, it increments its
  555. packaging window.
  556. Each of these cells increments the corresponding window by 100.
  557. The OP behaves identically, except that it must track a packaging
  558. window and a delivery window for every OR in the circuit.
  559. An OR or OP sends cells to increment its delivery window when the
  560. corresponding window value falls under some threshold (900).
  561. If a packaging window reaches 0, the OR or OP stops reading from
  562. TCP connections for all streams on the corresponding circuit, and
  563. sends no more RELAY_DATA cells until receiving a RELAY_SENDME cell.
  564. [this stuff is badly worded; copy in the tor-design section -RD]
  565. 6.4. Stream-level flow control
  566. Edge nodes use RELAY_SENDME cells to implement end-to-end flow
  567. control for individual connections across circuits. Similarly to
  568. circuit-level flow control, edge nodes begin with a window of cells
  569. (500) per stream, and increment the window by a fixed value (50)
  570. upon receiving a RELAY_SENDME cell. Edge nodes initiate RELAY_SENDME
  571. cells when both a) the window is <= 450, and b) there are less than
  572. ten cell payloads remaining to be flushed at that edge.
  573. 7. Directories and routers
  574. 7.1. Extensible information format
  575. Router descriptors and directories both obey the following lightweight
  576. extensible information format.
  577. The highest level object is a Document, which consists of one or more Items.
  578. Every Item begins with a KeywordLine, followed by one or more Objects. A
  579. KeywordLine begins with a Keyword, optionally followed by whitespace and more
  580. non-newline characters, and ends with a newline. A Keyword is a sequence of
  581. one or more characters in the set [A-Za-z0-9-]. An Object is a block of
  582. encoded data in pseudo-Open-PGP-style armor. (cf. RFC 2440)
  583. More formally:
  584. Document ::= (Item | NL)+
  585. Item ::= KeywordLine Object*
  586. KeywordLine ::= Keyword NL | Keyword WS ArgumentsChar+ NL
  587. Keyword = KeywordChar+
  588. KeywordChar ::= 'A' ... 'Z' | 'a' ... 'z' | '0' ... '9' | '-'
  589. ArgumentChar ::= any printing ASCII character except NL.
  590. WS = (SP | TAB)+
  591. Object ::= BeginLine Base-64-encoded-data EndLine
  592. BeginLine ::= "-----BEGIN " Keyword "-----" NL
  593. EndLine ::= "-----END " Keyword "-----" NL
  594. The BeginLine and EndLine of an Object must use the same keyword.
  595. When interpreting a Document, software MUST reject any document containing a
  596. KeywordLine that starts with a keyword it doesn't recognize.
  597. The "opt" keyword is reserved for non-critical future extensions. All
  598. implementations MUST ignore any item of the form "opt keyword ....." when
  599. they would not recognize "keyword ....."; and MUST treat "opt keyword ....."
  600. as synonymous with "keyword ......" when keyword is recognized.
  601. 7.2. Router descriptor format.
  602. Every router descriptor MUST start with a "router" Item; MUST end with a
  603. "router-signature" Item and an extra NL; and MUST contain exactly one
  604. instance of each of the following Items: "published" "onion-key" "link-key"
  605. "signing-key" "bandwidth". Additionally, a router descriptor MAY contain any
  606. number of "accept", "reject", "fingerprint", "uptime", and "opt" Items.
  607. Other than "router" and "router-signature", the items may appear in any
  608. order.
  609. The items' formats are as follows:
  610. "router" nickname address ORPort SocksPort DirPort
  611. Indicates the beginning of a router descriptor. "address"
  612. must be an IPv4 address in dotted-quad format. The last
  613. three numbers indicate the TCP ports at which this OR exposes
  614. functionality. ORPort is a port at which this OR accepts TLS
  615. connections for the main OR protocol; SocksPort is deprecated and
  616. should always be 0; and DirPort is the port at which this OR accepts
  617. directory-related HTTP connections. If any port is not supported,
  618. the value 0 is given instead of a port number.
  619. "bandwidth" bandwidth-avg bandwidth-burst bandwidth-observed
  620. Estimated bandwidth for this router, in bytes per second. The
  621. "average" bandwidth is the volume per second that the OR is willing
  622. to sustain over long periods; the "burst" bandwidth is the volume
  623. that the OR is willing to sustain in very short intervals. The
  624. "observed" value is an estimate of the capacity this server can
  625. handle. The server remembers the max bandwidth sustained output
  626. over any ten second period in the past day, and another sustained
  627. input. The "observed" value is the lesser of these two numbers.
  628. "platform" string
  629. A human-readable string describing the system on which this OR is
  630. running. This MAY include the operating system, and SHOULD include
  631. the name and version of the software implementing the Tor protocol.
  632. "published" YYYY-MM-DD HH:MM:SS
  633. The time, in GMT, when this descriptor was generated.
  634. "fingerprint"
  635. A fingerprint (a HASH_LEN-byte of asn1 encoded public key, encoded
  636. in hex, with a single space after every 4 characters) for this router's
  637. identity key.
  638. [We didn't start parsing this line until Tor 0.1.0.6-rc; it should
  639. be marked with "opt" until earlier versions of Tor are obsolete.]
  640. "hibernating" 0|1
  641. If the value is 1, then the Tor server was hibernating when the
  642. descriptor was published, and shouldn't be used to build circuits.
  643. [We didn't start parsing this line until Tor 0.1.0.6-rc; it should
  644. be marked with "opt" until earlier versions of Tor are obsolete.]
  645. "uptime"
  646. The number of seconds that this OR process has been running.
  647. "onion-key" NL a public key in PEM format
  648. This key is used to encrypt EXTEND cells for this OR. The key MUST
  649. be accepted for at least XXXX hours after any new key is published in
  650. a subsequent descriptor.
  651. "signing-key" NL a public key in PEM format
  652. The OR's long-term identity key.
  653. "accept" exitpattern
  654. "reject" exitpattern
  655. These lines, in order, describe the rules that an OR follows when
  656. deciding whether to allow a new stream to a given address. The
  657. 'exitpattern' syntax is described below.
  658. "router-signature" NL Signature NL
  659. The "SIGNATURE" object contains a signature of the PKCS1-padded
  660. hash of the entire router descriptor, taken from the beginning of the
  661. "router" line, through the newline after the "router-signature" line.
  662. The router descriptor is invalid unless the signature is performed
  663. with the router's identity key.
  664. "contact" info NL
  665. Describes a way to contact the server's administrator, preferably
  666. including an email address and a PGP key fingerprint.
  667. "family" names NL
  668. 'Names' is a whitespace-separated list of server nicknames. If two ORs
  669. list one another in their "family" entries, then OPs should treat them
  670. as a single OR for the purpose of path selection.
  671. For example, if node A's descriptor contains "family B", and node B's
  672. descriptor contains "family A", then node A and node B should never
  673. be used on the same circuit.
  674. "read-history" YYYY-MM-DD HH:MM:SS (NSEC s) NUM,NUM,NUM,NUM,NUM... NL
  675. "write-history" YYYY-MM-DD HH:MM:SS (NSEC s) NUM,NUM,NUM,NUM,NUM... NL
  676. Declare how much bandwidth the OR has used recently. Usage is divided
  677. into intervals of NSEC seconds. The YYYY-MM-DD HH:MM:SS field defines
  678. the end of the most recent interval. The numbers are the number of
  679. bytes used in the most recent intervals, ordered from oldest to newest.
  680. [We didn't start parsing these lines until Tor 0.1.0.6-rc; they should
  681. be marked with "opt" until earlier versions of Tor are obsolete.]
  682. nickname ::= between 1 and 19 alphanumeric characters, case-insensitive.
  683. exitpattern ::= addrspec ":" portspec
  684. portspec ::= "*" | port | port "-" port
  685. port ::= an integer between 1 and 65535, inclusive.
  686. addrspec ::= "*" | ip4spec | ip6spec
  687. ipv4spec ::= ip4 | ip4 "/" num_ip4_bits | ip4 "/" ip4mask
  688. ip4 ::= an IPv4 address in dotted-quad format
  689. ip4mask ::= an IPv4 mask in dotted-quad format
  690. num_ip4_bits ::= an integer between 0 and 32
  691. ip6spec ::= ip6 | ip6 "/" num_ip6_bits
  692. ip6 ::= an IPv6 address, surrounded by square brackets.
  693. num_ip6_bits ::= an integer between 0 and 128
  694. Ports are required; if they are not included in the router
  695. line, they must appear in the "ports" lines.
  696. 7.3. Directory format
  697. A Directory begins with a "signed-directory" item, followed by one each of
  698. the following, in any order: "recommended-software", "published",
  699. "router-status", "dir-signing-key". It may include any number of "opt"
  700. items. After these items, a directory includes any number of router
  701. descriptors, and a single "directory-signature" item.
  702. "signed-directory"
  703. Indicates the start of a directory.
  704. "published" YYYY-MM-DD HH:MM:SS
  705. The time at which this directory was generated and signed, in GMT.
  706. "dir-signing-key"
  707. The key used to sign this directory; see "signing-key" for format.
  708. "recommended-software" comma-separated-version-list
  709. A list of which versions of which implementations are currently
  710. believed to be secure and compatible with the network.
  711. "running-routers" whitespace-separated-list
  712. A description of which routers are currently believed to be up or
  713. down. Every entry consists of an optional "!", followed by either an
  714. OR's nickname, or "$" followed by a hexadecimal encoding of the hash
  715. of an OR's identity key. If the "!" is included, the router is
  716. believed not to be running; otherwise, it is believed to be running.
  717. If a router's nickname is given, exactly one router of that nickname
  718. will appear in the directory, and that router is "approved" by the
  719. directory server. If a hashed identity key is given, that OR is not
  720. "approved". [XXXX The 'running-routers' line is only provided for
  721. backward compatibility. New code should parse 'router-status'
  722. instead.]
  723. "router-status" whitespace-separated-list
  724. A description of which routers are currently believed to be up or
  725. down, and which are verified or unverified. Contains one entry for
  726. every router that the directory server knows. Each entry is of the
  727. format:
  728. !name=$digest [Verified router, currently not live.]
  729. name=$digest [Verified router, currently live.]
  730. !$digest [Unverified router, currently not live.]
  731. or $digest [Unverified router, currently live.]
  732. (where 'name' is the router's nickname and 'digest' is a hexadecimal
  733. encoding of the hash of the routers' identity key).
  734. When parsing this line, clients should only mark a router as
  735. 'verified' if its nickname AND digest match the one provided.
  736. "directory-signature" nickname-of-dirserver NL Signature
  737. The signature is computed by computing the digest of the
  738. directory, from the characters "signed-directory", through the newline
  739. after "directory-signature". This digest is then padded with PKCS.1,
  740. and signed with the directory server's signing key.
  741. If software encounters an unrecognized keyword in a single router descriptor,
  742. it MUST reject only that router descriptor, and continue using the
  743. others. Because this mechanism is used to add 'critical' extensions to
  744. future versions of the router descriptor format, implementation should treat
  745. it as a normal occurrence and not, for example, report it to the user as an
  746. error. [Versions of Tor prior to 0.1.1 did this.]
  747. If software encounters an unrecognized keyword in the directory header,
  748. it SHOULD reject the entire directory.
  749. 7.4. Network-status descriptor
  750. A "network-status" (a.k.a "running-routers") document is a truncated
  751. directory that contains only the current status of a list of nodes, not
  752. their actual descriptors. It contains exactly one of each of the following
  753. entries.
  754. "network-status"
  755. Must appear first.
  756. "published" YYYY-MM-DD HH:MM:SS
  757. (see 7.3 above)
  758. "router-status" list
  759. (see 7.3 above)
  760. "directory-signature" NL signature
  761. (see 7.3 above)
  762. 7.5. Behavior of a directory server
  763. lists nodes that are connected currently
  764. speaks HTTP on a socket, spits out directory on request
  765. Directory servers listen on a certain port (the DirPort), and speak a
  766. limited version of HTTP 1.0. Clients send either GET or POST commands.
  767. The basic interactions are:
  768. "%s %s HTTP/1.0\r\nContent-Length: %lu\r\nHost: %s\r\n\r\n",
  769. command, url, content-length, host.
  770. Get "/tor/" to fetch a full directory.
  771. Get "/tor/dir.z" to fetch a compressed full directory.
  772. Get "/tor/running-routers" to fetch a network-status descriptor.
  773. Post "/tor/" to post a server descriptor, with the body of the
  774. request containing the descriptor.
  775. "host" is used to specify the address:port of the dirserver, so
  776. the request can survive going through HTTP proxies.
  777. A.1. Differences between spec and implementation
  778. - The current specification requires all ORs to have IPv4 addresses, but
  779. allows servers to exit and resolve to IPv6 addresses, and to declare IPv6
  780. addresses in their exit policies. The current codebase has no IPv6
  781. support at all.
  782. B. Things that should change in a later version of the Tor protocol
  783. B.1. ... but which will require backward-incompatible change
  784. - Circuit IDs should be longer.
  785. - IPv6 everywhere.
  786. - Maybe, keys should be longer.
  787. - Maybe, key-length should be adjustable. How to do this without
  788. making anonymity suck?
  789. - Drop backward compatibility.
  790. - We should use a 128-bit subgroup of our DH prime.
  791. - Handshake should use HMAC.
  792. - Multiple cell lengths
  793. - Ability to split circuits across paths (If this is useful.)
  794. - SENDME windows should be dynamic.
  795. - Directory
  796. - Stop ever mentioning socks ports
  797. B.1. ... and that will require no changes
  798. - Mention multiple addr/port combos
  799. - Advertised outbound IP?
  800. - Migrate streams across circuits.
  801. B.2. ... and that we have no idea how to do.
  802. - UDP (as transport)
  803. - UDP (as content)
  804. - Use a better AES mode that has built-in integrity checking,
  805. doesn't grow with the number of hops, is not patented, and
  806. is implemented and maintained by smart people.