Re: [tor-bugs] #15588 [Tor]: Allow client authorization on control port ADD_ONION services
#15588: Allow client authorization on control port ADD_ONION services
-------------------------------------------------+-------------------------
Reporter: special | Owner: special
Type: enhancement | Status: needs_revision
Priority: High | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version:
Severity: Normal | Resolution:
Keywords: hidden-service, control, tor-hs, 028-triaged, pre028-patch | Actual Points:
Parent ID: #8993 | Points: small
Sponsor: |
-------------------------------------------------+-------------------------
Comment (by special):
Replying to [comment:12 nickm]:
> * Suggestion: this code could use base64_encode_nopad() and
> base64_decode_nopad() to handle the padding-stripping part of the logic.
This function strips 'A=' (not '==') because the auth type is encoded in
the high bits of the last input byte. base64_*_nopad would leave the extra
character on encode or lose those bits on decode.
> * I think the decode function needs to check the length of
> descriptor_cookie_tmp after decoding it? The old code does that, right?
Done
> * descriptor_cookie_tmp should probably be of type uint8_t, yeah?
Technically yes, but these are being used as char everywhere, and that's
what base64_decode expects the buffer to be.
>
> dce6310a49fb6c0b08a0d5c3220d46834df24d61 : We should add documentation
> on the type of the new auth_clients argument to
> rend_service_add_ephemeral, and document that we take ownership of the
> reference.
Done
>
> 11575f3be9705ff571eb24c2506f6e83ae284aa9 : Unit tests wouldn't be too
> hard to add here, and would be good for ensuring that we got the code
> right.
Done
>
> (Also, how much of this have you tested in the wild, as client and as
> server, with actual authorization types?)
There isn't an "in the wild" user of this functionality yet; it's just
speculative for Ricochet. I haven't found any problems in controlled
testing.
Fixups are on the top of my feature15588 branch.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15588#comment:16>
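
An added example, not part of the original message and not Tor's code, of why the stripped suffix is 'A=' rather than '=='. It assumes a 16-byte cookie followed by one byte whose high four bits hold the auth type and whose low four bits are zero; `cookie_encode`, `cookie_decode` and the base64 helpers are hypothetical names.

```c
#include <stdint.h>
#include <string.h>
#define COOKIE_LEN 16 /* assumption: 16-byte cookie, then one auth-type byte */
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static void b64_encode(const uint8_t *in, size_t n, char *out) {
  for (size_t i = 0; i < n; i += 3) {
    uint32_t v = (uint32_t)in[i] << 16;
    if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
    if (i + 2 < n) v |= in[i + 2];
    *out++ = B64[v >> 18];
    *out++ = B64[(v >> 12) & 63];
    *out++ = i + 1 < n ? B64[(v >> 6) & 63] : '='; /* standard '=' padding */
    *out++ = i + 2 < n ? B64[v & 63] : '=';
  }
  *out = '\0';
}
/* Decodes up to '=' or NUL; bits short of a whole byte are dropped at the end. */
static int b64_decode(const char *in, uint8_t *out, size_t cap) {
  unsigned acc = 0, bits = 0, n = 0;
  for (; *in && *in != '='; in++) {
    const char *p = strchr(B64, *in);
    if (!p) return -1;                     /* not a base64 character */
    acc = (acc << 6) | (unsigned)(p - B64);
    bits += 6;
    if (bits < 8) continue;                /* not a whole byte yet */
    if (n == cap) return -1;               /* would overflow out[] */
    bits -= 8;
    out[n++] = (uint8_t)(acc >> bits);
  }
  return (int)n;
}
/* 17 input bytes give 24 chars ending "A=": the zero low nibble of the type
 * byte makes char 23 an 'A'. Dropping "A=" leaves the 22-char form. */
void cookie_encode(const uint8_t *cookie, unsigned type, char out[25]) {
  uint8_t ext[COOKIE_LEN + 1];
  memcpy(ext, cookie, COOKIE_LEN);
  ext[COOKIE_LEN] = (uint8_t)((type & 0x0f) << 4);
  b64_encode(ext, sizeof ext, out);
  out[22] = '\0';
}
/* Restores "A=", decodes, and checks the decoded length. Returns type or -1. */
int cookie_decode(const char *enc, uint8_t *cookie) {
  char full[25];
  uint8_t ext[COOKIE_LEN + 1];
  if (strlen(enc) != 22) return -1;
  memcpy(full, enc, 22);
  memcpy(full + 22, "A=", 3);
  if (b64_decode(full, ext, sizeof ext) != COOKIE_LEN + 1) return -1;
  memcpy(cookie, ext, COOKIE_LEN);
  return ext[COOKIE_LEN] >> 4;
}
```

Passing the 22-character form straight to `b64_decode` returns 16 bytes, so the four type bits carried in the last character are discarded.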