[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r16337: Allow configuration of two client authorization types for hi (in tor/branches/121-hs-authorization: doc src/or)



Author: kloesing
Date: 2008-08-01 16:30:02 -0400 (Fri, 01 Aug 2008)
New Revision: 16337

Modified:
   tor/branches/121-hs-authorization/doc/tor.1.in
   tor/branches/121-hs-authorization/src/or/rendservice.c
Log:
Allow configuration of two client authorization types for hidden services.

Modified: tor/branches/121-hs-authorization/doc/tor.1.in
===================================================================
--- tor/branches/121-hs-authorization/doc/tor.1.in	2008-08-01 20:07:42 UTC (rev 16336)
+++ tor/branches/121-hs-authorization/doc/tor.1.in	2008-08-01 20:30:02 UTC (rev 16337)
@@ -1299,14 +1299,17 @@
 service. Possible version numbers are 0 and 2. (Default: 0, 2)
 .LP
 .TP
-\fBHiddenServiceAuthorizeClient \fR\fIclient-name\fR,\fIclient-name\fR,\fI...\fP
-A list of clients that are authorized to learn existence and access the
-hidden service. Valid client names are 1 to 19 characters long and only use
-characters in A-Za-z0-9+-_ (no spaces). If this option is used multiple
-times all client names are accumulated. If this option is set, the hidden
-service is not accessible for clients without authorization any more. You
-can find generated authorization data in the hostname file. See also the
-client_keys file for more information about authorization data.
+\fBHiddenServiceAuthorizeClient \fR\fIauth-type\fR \fR\fIclient-name\fR,\fIclient-name\fR,\fI...\fP
+If configured, the hidden service is accessible for authorized clients
+only. The auth-type can either be 1 for a general-purpose authorization
+protocol or 2 for a less scalable protocol that also hides service activity
+from unauthorized clients. Only clients that are listed here are authorized
+to access the hidden service. Valid client names are 1 to 19 characters
+long and only use characters in A-Za-z0-9+-_ (no spaces). If this option is
+set, the hidden service is not accessible for clients without authorization
+any more. Generated authorization data can be found in the hostname file.
+See also the client_keys file for more information about authorization
+data.
 .LP
 .TP
 \fBRendPostPeriod \fR\fIN\fR \fBseconds\fR|\fBminutes\fR|\fBhours\fR|\fBdays\fR|\fBweeks\fP

Modified: tor/branches/121-hs-authorization/src/or/rendservice.c
===================================================================
--- tor/branches/121-hs-authorization/src/or/rendservice.c	2008-08-01 20:07:42 UTC (rev 16336)
+++ tor/branches/121-hs-authorization/src/or/rendservice.c	2008-08-01 20:30:02 UTC (rev 16337)
@@ -66,6 +66,8 @@
                             * upload time. */
   int descriptor_version; /**< Rendezvous descriptor version that will be
                            * published. */
+  int auth_type; /**< Client authorization type or 0 if no client
+                  * authorization is performed. */
   smartlist_t *clients; /**< List of rend_authorized_client_t's for
                          * clients that may access our service. */
   smartlist_t *accepted_intros; /**< List of client_access_event_t's for
@@ -159,6 +161,7 @@
   if (!service->intro_exclude_nodes)
     service->intro_exclude_nodes = tor_strdup("");
   service->intro_nodes = smartlist_create();
+  service->auth_type = 0;
 
   /* If the service is configured to publish unversioned (v0) and versioned
    * descriptors (v2 or higher), split it up into two separate services. */
@@ -176,6 +179,7 @@
     v0_service->intro_exclude_nodes = tor_strdup(service->intro_exclude_nodes);
     v0_service->intro_period_started = service->intro_period_started;
     v0_service->descriptor_version = 0; /* Unversioned descriptor. */
+    v0_service->auth_type = 0;
     rend_add_service(v0_service);
 
     service->descriptor_version = 2; /* Versioned descriptor. */
@@ -185,7 +189,6 @@
     log_warn(LD_CONFIG, "Hidden service with no ports configured; ignoring.");
     rend_service_free(service);
   } else {
-    /* KL what was this for? smartlist_set_capacity(service->ports, -1); */
     smartlist_add(rend_service_list, service);
     log_debug(LD_REND,"Configuring service with directory \"%s\"",
               service->directory);
@@ -335,10 +338,53 @@
       /* Parse comma-separated list of client names and add a
        * rend_authorized_client_t for each client to the service's list
        * of authorized clients. */
-      smartlist_t *client_names = smartlist_create();
-      smartlist_split_string(client_names, line->value, ",",
+      smartlist_t *type_names_split, *clients;
+      char *auth_type, *client_names;
+      if (service->clients) {
+        log_warn(LD_CONFIG, "Got multiple HiddenServiceAuthorizeClient "
+                 "lines for a single service.");
+        rend_service_free(service);
+        return -1;
+      }
+      service->clients = smartlist_create();
+      type_names_split = smartlist_create();
+      smartlist_split_string(type_names_split, line->value, " ", 0, 0);
+      /* BEGIN of hack to keep Domenik's Vidalia extension running. */
+      if (smartlist_len(type_names_split) == 1) {
+        auth_type = strdup("2");
+        client_names = smartlist_get(type_names_split, 0);
+      } else {
+        /* END of hack to keep Domenik's Vidalia extension running. */
+        if (smartlist_len(type_names_split) != 2) {
+          log_warn(LD_CONFIG, "HiddenServiceAuthorizeClient must be formatted "
+                   "as 'HiddenServiceAuthorizeClient auth-type client-name,"
+                   "client-name,...'.");
+          SMARTLIST_FOREACH(type_names_split, char *, cp, tor_free(cp));
+          smartlist_free(type_names_split);
+          rend_service_free(service);
+          return -1;
+        }
+        auth_type = smartlist_get(type_names_split, 0);
+        client_names = smartlist_get(type_names_split, 1);
+      }
+      smartlist_free(type_names_split);
+      if (strlen(auth_type) != 1 || strspn(auth_type, "12") != 1) {
+        log_warn(LD_CONFIG, "HiddenServiceAuthorizeClient contains "
+                 "unrecognized auth-type '%s'. Only 1 or 2 are recognized.",
+                 auth_type);
+        tor_free(auth_type);
+        tor_free(client_names);
+        rend_service_free(service);
+        return -1;
+      }
+      service->auth_type = (int)tor_parse_long(auth_type, 10, 0, INT_MAX,
+                                               NULL, NULL);
+      tor_free(auth_type);
+      clients = smartlist_create();
+      smartlist_split_string(clients, client_names, ",",
                                    SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
-      SMARTLIST_FOREACH(client_names, char *, client_name, {
+      tor_free(client_names);
+      SMARTLIST_FOREACH(clients, char *, client_name, {
         rend_authorized_client_t *client;
         size_t len = strlen(client_name);
         if (len < 1 || len > 19 ||
@@ -347,8 +393,8 @@
                    "illegal client name: '%s'. (Length must be between 1 "
                    "and 19, and valid characters are [A-Za-z0-9+-_].)",
                    client_name);
-          SMARTLIST_FOREACH(client_names, char *, cp, tor_free(cp));
-          smartlist_free(client_names);
+          SMARTLIST_FOREACH(clients, char *, cp, tor_free(cp));
+          smartlist_free(clients);
           rend_service_free(service);
           return -1;
         }
@@ -366,13 +412,11 @@
           if (found_duplicate) continue;
         }
         client = tor_malloc_zero(sizeof(rend_authorized_client_t));
-        if (!service->clients)
-          service->clients = smartlist_create();
         client->client_name = strdup(client_name);
         smartlist_add(service->clients, client);
       });
-      SMARTLIST_FOREACH(client_names, char *, cp, tor_free(cp));
-      smartlist_free(client_names);
+      SMARTLIST_FOREACH(clients, char *, cp, tor_free(cp));
+      smartlist_free(clients);
     } else {
       smartlist_t *versions;
       char *version_str;