[or-cvs] r16337: Allow configuration of two client authorization types for hi (in tor/branches/121-hs-authorization: doc src/or)
Author: kloesing
Date: 2008-08-01 16:30:02 -0400 (Fri, 01 Aug 2008)
New Revision: 16337
Modified:
tor/branches/121-hs-authorization/doc/tor.1.in
tor/branches/121-hs-authorization/src/or/rendservice.c
Log:
Allow configuration of two client authorization types for hidden services.
Modified: tor/branches/121-hs-authorization/doc/tor.1.in
===================================================================
--- tor/branches/121-hs-authorization/doc/tor.1.in 2008-08-01 20:07:42 UTC (rev 16336)
+++ tor/branches/121-hs-authorization/doc/tor.1.in 2008-08-01 20:30:02 UTC (rev 16337)
@@ -1299,14 +1299,17 @@
service. Possible version numbers are 0 and 2. (Default: 0, 2)
.LP
.TP
-\fBHiddenServiceAuthorizeClient \fR\fIclient-name\fR,\fIclient-name\fR,\fI...\fP
-A list of clients that are authorized to learn existence and access the
-hidden service. Valid client names are 1 to 19 characters long and only use
-characters in A-Za-z0-9+-_ (no spaces). If this option is used multiple
-times all client names are accumulated. If this option is set, the hidden
-service is not accessible for clients without authorization any more. You
-can find generated authorization data in the hostname file. See also the
-client_keys file for more information about authorization data.
+\fBHiddenServiceAuthorizeClient \fR\fIauth-type\fR \fR\fIclient-name\fR,\fIclient-name\fR,\fI...\fP
+If configured, the hidden service is accessible for authorized clients
+only. The auth-type can either be 1 for a general-purpose authorization
+protocol or 2 for a less scalable protocol that also hides service activity
+from unauthorized clients. Only clients that are listed here are authorized
+to access the hidden service. Valid client names are 1 to 19 characters
+long and only use characters in A-Za-z0-9+-_ (no spaces). If this option is
+set, the hidden service is not accessible for clients without authorization
+any more. Generated authorization data can be found in the hostname file.
+See also the client_keys file for more information about authorization
+data.
.LP
.TP
\fBRendPostPeriod \fR\fIN\fR \fBseconds\fR|\fBminutes\fR|\fBhours\fR|\fBdays\fR|\fBweeks\fP
Modified: tor/branches/121-hs-authorization/src/or/rendservice.c
===================================================================
--- tor/branches/121-hs-authorization/src/or/rendservice.c 2008-08-01 20:07:42 UTC (rev 16336)
+++ tor/branches/121-hs-authorization/src/or/rendservice.c 2008-08-01 20:30:02 UTC (rev 16337)
@@ -66,6 +66,8 @@
* upload time. */
int descriptor_version; /**< Rendezvous descriptor version that will be
* published. */
+ int auth_type; /**< Client authorization type or 0 if no client
+ * authorization is performed. */
smartlist_t *clients; /**< List of rend_authorized_client_t's for
* clients that may access our service. */
smartlist_t *accepted_intros; /**< List of client_access_event_t's for
@@ -159,6 +161,7 @@
if (!service->intro_exclude_nodes)
service->intro_exclude_nodes = tor_strdup("");
service->intro_nodes = smartlist_create();
+ service->auth_type = 0;
/* If the service is configured to publish unversioned (v0) and versioned
* descriptors (v2 or higher), split it up into two separate services. */
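Review bot: `service->auth_type = 0;` looks like it discards the configured authorization type. The option parser later in this commit stores the parsed value in `service->auth_type`, and this function (which goes on to call `rend_add_service(v0_service)` and append to `rend_service_list`) appears to run after parsing. If that ordering holds, every service ends up with auth_type 0 while `service->clients` is still populated, so the two fields disagree. I would drop the assignment here and initialise the field where the service struct is allocated; the function starts and ends outside the hunk, so the call order should be confirmed.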
@@ -176,6 +179,7 @@
v0_service->intro_exclude_nodes = tor_strdup(service->intro_exclude_nodes);
v0_service->intro_period_started = service->intro_period_started;
v0_service->descriptor_version = 0; /* Unversioned descriptor. */
+ v0_service->auth_type = 0;
rend_add_service(v0_service);
service->descriptor_version = 2; /* Versioned descriptor. */
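Review bot: `v0_service->auth_type = 0;` registers the unversioned copy of a service with no client authorization, and none of the lines visible here copy `clients` to it. With the documented default of publishing versions 0 and 2, a service configured with HiddenServiceAuthorizeClient would presumably still be announced through a v0 descriptor without authorization, unless something outside the hunk prevents that. Consider refusing the split with a warning when `service->auth_type != 0`, or at least add a comment such as `/* The v0 copy is published without client authorization. */` so the behaviour is visibly deliberate. The enclosing function extends beyond the hunk.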
@@ -185,7 +189,6 @@
log_warn(LD_CONFIG, "Hidden service with no ports configured; ignoring.");
rend_service_free(service);
} else {
- /* KL what was this for? smartlist_set_capacity(service->ports, -1); */
smartlist_add(rend_service_list, service);
log_debug(LD_REND,"Configuring service with directory \"%s\"",
service->directory);
@@ -335,10 +338,53 @@
/* Parse comma-separated list of client names and add a
* rend_authorized_client_t for each client to the service's list
* of authorized clients. */
- smartlist_t *client_names = smartlist_create();
- smartlist_split_string(client_names, line->value, ",",
+ smartlist_t *type_names_split, *clients;
+ char *auth_type, *client_names;
+ if (service->clients) {
+ log_warn(LD_CONFIG, "Got multiple HiddenServiceAuthorizeClient "
+ "lines for a single service.");
+ rend_service_free(service);
+ return -1;
+ }
+ service->clients = smartlist_create();
+ type_names_split = smartlist_create();
+ smartlist_split_string(type_names_split, line->value, " ", 0, 0);
+ /* BEGIN of hack to keep Domenik's Vidalia extension running. */
+ if (smartlist_len(type_names_split) == 1) {
+ auth_type = strdup("2");
+ client_names = smartlist_get(type_names_split, 0);
+ } else {
+ /* END of hack to keep Domenik's Vidalia extension running. */
+ if (smartlist_len(type_names_split) != 2) {
+ log_warn(LD_CONFIG, "HiddenServiceAuthorizeClient must be formatted "
+ "as 'HiddenServiceAuthorizeClient auth-type client-name,"
+ "client-name,...'.");
+ SMARTLIST_FOREACH(type_names_split, char *, cp, tor_free(cp));
+ smartlist_free(type_names_split);
+ rend_service_free(service);
+ return -1;
+ }
+ auth_type = smartlist_get(type_names_split, 0);
+ client_names = smartlist_get(type_names_split, 1);
+ }
+ smartlist_free(type_names_split);
+ if (strlen(auth_type) != 1 || strspn(auth_type, "12") != 1) {
+ log_warn(LD_CONFIG, "HiddenServiceAuthorizeClient contains "
+ "unrecognized auth-type '%s'. Only 1 or 2 are recognized.",
+ auth_type);
+ tor_free(auth_type);
+ tor_free(client_names);
+ rend_service_free(service);
+ return -1;
+ }
+ service->auth_type = (int)tor_parse_long(auth_type, 10, 0, INT_MAX,
+ NULL, NULL);
+ tor_free(auth_type);
+ clients = smartlist_create();
+ smartlist_split_string(clients, client_names, ",",
SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
- SMARTLIST_FOREACH(client_names, char *, client_name, {
+ tor_free(client_names);
+ SMARTLIST_FOREACH(clients, char *, client_name, {
rend_authorized_client_t *client;
size_t len = strlen(client_name);
if (len < 1 || len > 19 ||
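Review bot: `auth_type = strdup("2");` uses libc strdup without a NULL check, yet the result is passed to `strlen()` and later released with `tor_free()`; other allocations in this file go through `tor_strdup`, so this should be `auth_type = tor_strdup("2");`. The same one-token branch also makes the syntax ambiguous: a line holding only `1` or `2` would be taken as a client named "1" or "2" under auth-type 2 rather than rejected for a missing client list, and the man page change in this commit does not mention the fallback. If the compatibility path has to stay, a `log_warn` stating which auth-type was assumed would make the choice visible to the operator. The enclosing block begins before the hunk and continues after it.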
@@ -347,8 +393,8 @@
"illegal client name: '%s'. (Length must be between 1 "
"and 19, and valid characters are [A-Za-z0-9+-_].)",
client_name);
- SMARTLIST_FOREACH(client_names, char *, cp, tor_free(cp));
- smartlist_free(client_names);
+ SMARTLIST_FOREACH(clients, char *, cp, tor_free(cp));
+ smartlist_free(clients);
rend_service_free(service);
return -1;
}
@@ -366,13 +412,11 @@
if (found_duplicate) continue;
}
client = tor_malloc_zero(sizeof(rend_authorized_client_t));
- if (!service->clients)
- service->clients = smartlist_create();
client->client_name = strdup(client_name);
smartlist_add(service->clients, client);
});
- SMARTLIST_FOREACH(client_names, char *, cp, tor_free(cp));
- smartlist_free(client_names);
+ SMARTLIST_FOREACH(clients, char *, cp, tor_free(cp));
+ smartlist_free(clients);
} else {
smartlist_t *versions;
char *version_str;
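Review bot: With `service->clients` now created unconditionally, nothing in the visible code checks that the loop actually added a client. A value such as `2 ,` splits into an auth-type and a client string that `SPLIT_IGNORE_BLANK` reduces to nothing, leaving auth_type set and an empty client list; what the service does in that state depends on code outside this hunk. I would reject it after the loop with a `smartlist_len(service->clients) == 0` test that logs a warning, frees the service and returns -1, as the other error paths do. The enclosing block starts before the hunk.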