[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Second patch for proposal 121



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Nick,

this is the second patch to implement proposal 121. I switched patches 2
and 3 as compared to my original plan, so that all configuration options
can be used (however, without having an effect). The current plan for
the remaining 121 patches is as follows:

2. This second patch enables users to configure authorization data for
hidden services on client side.

3. The third patch will use authorization data on server side to
advertise hidden services and restrict access to authorized clients only.

4. Finally, the fourth patch uses authorization data to access a hidden
service.

Thanks!
- --Karsten
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFInhxp0M+WPffBEmURAohAAKCF5wUfuRiKmqgvHZMgZ9mdz85vDACgtJ4l
HcIn1sFkzQqBEbOrNxHRY00=
=mpqv
-----END PGP SIGNATURE-----
Index: /home/karsten/tor/tor-trunk-121-patches/src/or/config.c
===================================================================
--- /home/karsten/tor/tor-trunk-121-patches/src/or/config.c	(revision 16480)
+++ /home/karsten/tor/tor-trunk-121-patches/src/or/config.c	(working copy)
@@ -227,6 +227,7 @@
   VAR("HiddenServicePort",   LINELIST_S, RendConfigLines,    NULL),
   VAR("HiddenServiceVersion",LINELIST_S, RendConfigLines,    NULL),
   VAR("HiddenServiceAuthorizeClient",LINELIST_S,RendConfigLines, NULL),
+  V(HidServAuth,                 LINELIST, NULL),
   V(HSAuthoritativeDir,          BOOL,     "0"),
   V(HSAuthorityRecordStats,      BOOL,     "0"),
   V(HttpProxy,                   STRING,   NULL),
@@ -3154,6 +3155,16 @@
     options->MinUptimeHidServDirectoryV2 = 0;
   }
 
+  /* Parse client-side authorization for hidden services. */
+  if (options->HidServAuth) {
+    for (cl = options->HidServAuth; cl; cl = cl->next) {
+      if (rend_parse_client_auth(cl->value) < 0) {
+        log_warn(LD_CONFIG, "HidServAuth contains illegal value: '%s'; "
+                            "ignoring.", cl->value);
+      }
+    }
+  }
+
   if (options->RendPostPeriod < MIN_REND_POST_PERIOD) {
     log(LOG_WARN,LD_CONFIG,"RendPostPeriod option must be at least %d seconds."
         " Clipping.", MIN_REND_POST_PERIOD);
Index: /home/karsten/tor/tor-trunk-121-patches/src/or/or.h
===================================================================
--- /home/karsten/tor/tor-trunk-121-patches/src/or/or.h	(revision 16480)
+++ /home/karsten/tor/tor-trunk-121-patches/src/or/or.h	(working copy)
@@ -2239,6 +2239,8 @@
                    * other ORs are running. */
   config_line_t *RendConfigLines; /**< List of configuration lines
                                           * for rendezvous services. */
+  config_line_t *HidServAuth; /**< List of configuration lines for client-side
+                               * authorizations for hidden services */
   char *ContactInfo; /**< Contact info to be published in the directory. */
 
   char *HttpProxy; /**< hostname[:port] to use as http proxy, if any. */
@@ -3805,6 +3807,7 @@
 
 int rend_client_send_introduction(origin_circuit_t *introcirc,
                                   origin_circuit_t *rendcirc);
+int rend_parse_client_auth(char *config_line);
 
 /********************************* rendcommon.c ***************************/
 
@@ -3815,6 +3818,13 @@
   crypto_pk_env_t *client_key;
 } rend_authorized_client_t;
 
+/** Client-side configuration of authorization for a hidden service. */
+typedef struct rend_service_authorization_t {
+  char descriptor_cookie[REND_DESC_COOKIE_LEN];
+  char onion_address[REND_SERVICE_ID_LEN_BASE32+1+5+1];
+  int auth_type;
+} rend_service_authorization_t;
+
 /** ASCII-encoded v2 hidden service descriptor. */
 typedef struct rend_encoded_v2_service_descriptor_t {
   char desc_id[DIGEST_LEN]; /**< Descriptor ID. */
@@ -3890,6 +3900,7 @@
 void rend_get_descriptor_id_bytes(char *descriptor_id_out,
                                   const char *service_id,
                                   const char *secret_id_part);
+rend_service_authorization_t *lookup_client_auth(char *onion_address);
 
 /********************************* rendservice.c ***************************/
 
Index: /home/karsten/tor/tor-trunk-121-patches/src/or/rendclient.c
===================================================================
--- /home/karsten/tor/tor-trunk-121-patches/src/or/rendclient.c	(revision 16480)
+++ /home/karsten/tor/tor-trunk-121-patches/src/or/rendclient.c	(working copy)
@@ -713,3 +713,104 @@
   return extend_info_dup(intro->extend_info);
 }
 
+/** Client-side authorizations for hidden services; map of onion address to
+ * rend_service_authorization_t*. */
+static strmap_t *auth_hid_servs = NULL;
+
+/** Look up the client-side authorization for the hidden service with
+ * <b>onion_address</b>. Return NULL if no authorization is available for
+ * that address. */
+rend_service_authorization_t*
+lookup_client_auth(char *onion_address)
+{
+  tor_assert(onion_address);
+  if (!auth_hid_servs) return NULL;
+  return strmap_get(auth_hid_servs, onion_address);
+}
+
+/** Helper: Free storage held by rend_service_authorization_t. */
+static void
+rend_service_authorization_free(rend_service_authorization_t *auth)
+{
+  if (!auth) return;
+  tor_free(auth);
+}
+
+/** Parse <b>config_line</b> as a client-side authorization for a hidden
+ * service and add it to the local map of hidden service authorizations.
+ * Return 0 for success and -1 for failure. */
+int
+rend_parse_client_auth(char *config_line)
+{
+  char *onion_address, *descriptor_cookie;
+  char descriptor_cookie_tmp[REND_DESC_COOKIE_LEN+2];
+  char descriptor_cookie_base64ext[REND_DESC_COOKIE_LEN_BASE64+2+1];
+  smartlist_t *sl = smartlist_create();
+  rend_service_authorization_t *auth = NULL;
+  int res = -1, auth_type = 0;
+  tor_assert(config_line);
+  smartlist_split_string(sl, config_line, " ",
+                         SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 3);
+  if (smartlist_len(sl) < 2) {
+    log_warn(LD_CONFIG, "Configuration line does not consist of "
+             "\"onion-address authorization-cookie [service-name]\": '%s'",
+             config_line);
+    goto free;
+  }
+  auth = tor_malloc_zero(sizeof(rend_service_authorization_t));
+  /* Parse onion address. */
+  onion_address = smartlist_get(sl, 0);
+  if (strlen(onion_address) != 16+1+5 ||
+      strstr(onion_address, ".onion") != onion_address + 16) {
+    log_warn(LD_CONFIG, "Onion address has wrong format: '%s'",
+             onion_address);
+    goto free;
+  }
+  strlcpy(auth->onion_address, onion_address, 16+1);
+  if (!rend_valid_service_id(auth->onion_address)) {
+    log_warn(LD_CONFIG, "Onion address has wrong format: '%s'",
+             onion_address);
+    goto free;
+  }
+  /* Parse descriptor cookie. */
+  descriptor_cookie = smartlist_get(sl, 1);
+  if (strlen(descriptor_cookie) != 22) {
+    log_warn(LD_CONFIG, "Authorization cookie has wrong length: '%s'",
+             descriptor_cookie);
+    goto free;
+  }
+  /* Add trailing zero bytes (AA) to make base64-decoding happy. */
+  tor_snprintf(descriptor_cookie_base64ext,
+               REND_DESC_COOKIE_LEN_BASE64+2+1,
+               "%sAA", descriptor_cookie);
+  if (base64_decode(descriptor_cookie_tmp, REND_DESC_COOKIE_LEN+2,
+                    descriptor_cookie_base64ext,
+                    strlen(descriptor_cookie_base64ext)) < 0) {
+    log_warn(LD_CONFIG, "Decoding authorization cookie failed: '%s'",
+             descriptor_cookie);
+    goto free;
+  }
+  auth_type = (descriptor_cookie_tmp[16] >> 4) + 1;
+  if (auth_type < 1 || auth_type > 2) {
+    log_warn(LD_CONFIG, "Authorization cookie has unknown authorization type "
+             "encoded.");
+    goto free;
+  }
+  auth->auth_type = auth_type;
+  memcpy(auth->descriptor_cookie, descriptor_cookie_tmp,
+         REND_DESC_COOKIE_LEN);
+  /* Add parsed client authorization to local map. */
+  if (!auth_hid_servs)
+    auth_hid_servs = strmap_new();
+  strmap_set(auth_hid_servs, auth->onion_address, auth);
+  auth = NULL;
+  res = 0;
+ free:
+  if (sl)
+    SMARTLIST_FOREACH(sl, char *, c, tor_free(c););
+  smartlist_free(sl);
+  if (auth)
+    rend_service_authorization_free(auth);
+  return res;
+}
+

Attachment: patch-121-2.txt.sig
Description: Binary data