authorGeorge Kadianakis <desnacked@riseup.net>2021-02-08 13:03:07 +0200
committerGeorge Kadianakis <desnacked@riseup.net>2021-02-08 13:03:07 +0200
commitd4255253b0b417b8b02d7ba40dc4ba06b5d00d11 (patch)
tree6cc989d11072c6c630b94e031e803e0eb73eb35d /src/feature/hs
parent60823d261c9639975e4f4b029909cb37639c91c4 (diff)
parent22f55fdb2a8455b344ae094ee2706710a2b4d941 (diff)
Merge remote-tracking branch 'tor-gitlab/mr/212'
Diffstat (limited to 'src/feature/hs')
-rw-r--r--src/feature/hs/hs_service.c77
-rw-r--r--src/feature/hs/hs_service.h18
2 files changed, 66 insertions, 29 deletions
diff --git a/src/feature/hs/hs_service.c b/src/feature/hs/hs_service.c
index 07e3550986..f0c493d91d 100644
--- a/src/feature/hs/hs_service.c
+++ b/src/feature/hs/hs_service.c
@@ -1116,6 +1116,43 @@ client_filename_is_valid(const char *filename)
return ret;
}
+/** Parse an base32-encoded authorized client from a string.
+ *
+ * Return the key on success, return NULL, otherwise. */
+hs_service_authorized_client_t *
+parse_authorized_client_key(const char *key_str, int severity)
+{
+ hs_service_authorized_client_t *client = NULL;
+
+ /* We expect a specific length of the base64 encoded key so make sure we
+ * have that so we don't successfully decode a value with a different length
+ * and end up in trouble when copying the decoded key into a fixed length
+ * buffer. */
+ if (strlen(key_str) != BASE32_NOPAD_LEN(CURVE25519_PUBKEY_LEN)) {
+ log_fn(severity, LD_REND, "Client authorization encoded base32 public key "
+ "length is invalid: %s", key_str);
+ goto err;
+ }
+
+ client = tor_malloc_zero(sizeof(hs_service_authorized_client_t));
+ if (base32_decode((char *) client->client_pk.public_key,
+ sizeof(client->client_pk.public_key),
+ key_str, strlen(key_str)) !=
+ sizeof(client->client_pk.public_key)) {
+ log_fn(severity, LD_REND, "Client authorization public key cannot be "
+ "decoded: %s", key_str);
+ goto err;
+ }
+
+ return client;
+
+ err:
+ if (client != NULL) {
+ service_authorized_client_free(client);
+ }
+ return NULL;
+}
+
/** Parse an authorized client from a string. The format of a client string
* looks like (see rend-spec-v3.txt):
*
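Review bot: The length-check comment in `parse_authorized_client_key` says "base64 encoded key", but the check uses `BASE32_NOPAD_LEN(CURVE25519_PUBKEY_LEN)` and the decode is `base32_decode`; it should read `/* We expect a specific length of the base32 encoded key ...`, as the removed original did. The doc comment says "Return the key" although the function returns a newly allocated `hs_service_authorized_client_t`; I would state that the caller owns the result and must release it with `service_authorized_client_free()`. Because the helper is now exported and passes `key_str` straight to `strlen` and into both log messages, the comment should also say that `key_str` must be a non-NULL, NUL-terminated string and that its full text is logged at the caller-chosen `severity` on failure.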
@@ -1162,23 +1199,7 @@ parse_authorized_client(const char *client_key_str)
goto err;
}
- /* We expect a specific length of the base32 encoded key so make sure we
- * have that so we don't successfully decode a value with a different length
- * and end up in trouble when copying the decoded key into a fixed length
- * buffer. */
- if (strlen(pubkey_b32) != BASE32_NOPAD_LEN(CURVE25519_PUBKEY_LEN)) {
- log_warn(LD_REND, "Client authorization encoded base32 public key "
- "length is invalid: %s", pubkey_b32);
- goto err;
- }
-
- client = tor_malloc_zero(sizeof(hs_service_authorized_client_t));
- if (base32_decode((char *) client->client_pk.public_key,
- sizeof(client->client_pk.public_key),
- pubkey_b32, strlen(pubkey_b32)) !=
- sizeof(client->client_pk.public_key)) {
- log_warn(LD_REND, "Client authorization public key cannot be decoded: %s",
- pubkey_b32);
+ if ((client = parse_authorized_client_key(pubkey_b32, LOG_WARN)) == NULL) {
goto err;
}
@@ -1302,7 +1323,7 @@ load_client_keys(hs_service_t *service)
}
/** Release all storage held in <b>client</b>. */
-STATIC void
+void
service_authorized_client_free_(hs_service_authorized_client_t *client)
{
if (!client) {
@@ -3682,15 +3703,17 @@ hs_service_upload_desc_to_dir(const char *encoded_desc,
/** Add the ephemeral service using the secret key sk and ports. Both max
* streams parameter will be set in the newly created service.
*
- * Ownership of sk and ports is passed to this routine. Regardless of
- * success/failure, callers should not touch these values after calling this
- * routine, and may assume that correct cleanup has been done on failure.
+ * Ownership of sk, ports, and auth_clients_v3 is passed to this routine.
+ * Regardless of success/failure, callers should not touch these values
+ * after calling this routine, and may assume that correct cleanup has
+ * been done on failure.
*
* Return an appropriate hs_service_add_ephemeral_status_t. */
hs_service_add_ephemeral_status_t
hs_service_add_ephemeral(ed25519_secret_key_t *sk, smartlist_t *ports,
int max_streams_per_rdv_circuit,
- int max_streams_close_circuit, char **address_out)
+ int max_streams_close_circuit,
+ smartlist_t *auth_clients_v3, char **address_out)
{
hs_service_add_ephemeral_status_t ret;
hs_service_t *service = NULL;
@@ -3734,6 +3757,16 @@ hs_service_add_ephemeral(ed25519_secret_key_t *sk, smartlist_t *ports,
goto err;
}
+ if (auth_clients_v3) {
+ service->config.clients = smartlist_new();
+ SMARTLIST_FOREACH(auth_clients_v3, hs_service_authorized_client_t *, c, {
+ if (c != NULL) {
+ smartlist_add(service->config.clients, c);
+ }
+ });
+ smartlist_free(auth_clients_v3);
+ }
+
/* Build the onion address for logging purposes but also the control port
* uses it for the HS_DESC event. */
hs_build_address(&service->keys.identity_pk,
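Review bot: The doc comment updated in the previous hunk promises that `auth_clients_v3` is cleaned up on failure, but the only release visible here is `smartlist_free(auth_clients_v3)`, which runs after the earlier `goto err` exits have already been passed. The `err:` label is outside this hunk, so please confirm it frees both the list and every `hs_service_authorized_client_t` in it when the function bails out before this block; otherwise a rejected request leaks the parsed client keys. If it does not, a NULL-guarded `SMARTLIST_FOREACH(auth_clients_v3, hs_service_authorized_client_t *, c, service_authorized_client_free(c)); smartlist_free(auth_clients_v3);` in the error path would match the comment, provided the pointer is NULL once ownership has moved into `service->config.clients`. It is also worth checking that `service->config.clients` is still unset here, since it is overwritten unconditionally with `smartlist_new()`.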
diff --git a/src/feature/hs/hs_service.h b/src/feature/hs/hs_service.h
index ec0e83f2c2..6a39dee037 100644
--- a/src/feature/hs/hs_service.h
+++ b/src/feature/hs/hs_service.h
@@ -372,7 +372,8 @@ char *hs_service_lookup_current_desc(const ed25519_public_key_t *pk);
hs_service_add_ephemeral_status_t
hs_service_add_ephemeral(ed25519_secret_key_t *sk, smartlist_t *ports,
int max_streams_per_rdv_circuit,
- int max_streams_close_circuit, char **address_out);
+ int max_streams_close_circuit,
+ smartlist_t *auth_clients_v3, char **address_out);
int hs_service_del_ephemeral(const char *address);
/* Used outside of the HS subsystem by the control port command HSPOST. */
@@ -388,6 +389,15 @@ hs_service_exports_circuit_id(const ed25519_public_key_t *pk);
void hs_service_dump_stats(int severity);
void hs_service_circuit_cleanup_on_close(const circuit_t *circ);
+hs_service_authorized_client_t *
+parse_authorized_client_key(const char *key_str, int severity);
+
+void
+service_authorized_client_free_(hs_service_authorized_client_t *client);
+#define service_authorized_client_free(c) \
+ FREE_AND_NULL(hs_service_authorized_client_t, \
+ service_authorized_client_free_, (c))
+
#ifdef HS_SERVICE_PRIVATE
#ifdef TOR_UNIT_TESTS
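Review bot: The declarations made public here, `parse_authorized_client_key` and `service_authorized_client_free_`, have no doc comment and no `hs_service_` prefix, unlike the other exported functions visible in this header (`hs_service_add_ephemeral`, `hs_service_dump_stats`). Since they can now be called from outside this file, I would add a short contract above the prototype, for example `/* Caller owns the returned client; release with service_authorized_client_free(). */`, and consider a prefixed name to keep the global namespace consistent. The `#ifdef HS_SERVICE_PRIVATE` block that follows continues outside the hunk.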
@@ -452,12 +462,6 @@ STATIC void service_descriptor_free_(hs_service_descriptor_t *desc);
FREE_AND_NULL(hs_service_descriptor_t, \
service_descriptor_free_, (d))
-STATIC void
-service_authorized_client_free_(hs_service_authorized_client_t *client);
-#define service_authorized_client_free(c) \
- FREE_AND_NULL(hs_service_authorized_client_t, \
- service_authorized_client_free_, (c))
-
STATIC int
write_address_to_file(const hs_service_t *service, const char *fname_);