mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-11 13:43:47 +01:00
Add client auth to rend_service_add_ephemeral
This commit is contained in:
parent
d5a23ce115
commit
d15354c73b
@ -3845,13 +3845,15 @@ handle_control_add_onion(control_connection_t *conn,
|
|||||||
}
|
}
|
||||||
tor_assert(!err_msg);
|
tor_assert(!err_msg);
|
||||||
|
|
||||||
/* Create the HS, using private key pk, and port config port_cfg.
|
/* Create the HS, using private key pk, client authentication auth_type,
|
||||||
|
* the list of auth_clients, and port config port_cfg.
|
||||||
* rend_service_add_ephemeral() will take ownership of pk and port_cfg,
|
* rend_service_add_ephemeral() will take ownership of pk and port_cfg,
|
||||||
* regardless of success/failure.
|
* regardless of success/failure.
|
||||||
*/
|
*/
|
||||||
char *service_id = NULL;
|
char *service_id = NULL;
|
||||||
int ret = rend_service_add_ephemeral(pk, port_cfgs, max_streams,
|
int ret = rend_service_add_ephemeral(pk, port_cfgs, max_streams,
|
||||||
max_streams_close_circuit,
|
max_streams_close_circuit,
|
||||||
|
REND_NO_AUTH, NULL,
|
||||||
&service_id);
|
&service_id);
|
||||||
port_cfgs = NULL; /* port_cfgs is now owned by the rendservice code. */
|
port_cfgs = NULL; /* port_cfgs is now owned by the rendservice code. */
|
||||||
switch (ret) {
|
switch (ret) {
|
||||||
|
@ -828,14 +828,17 @@ rend_config_services(const or_options_t *options, int validate_only)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Add the ephemeral service <b>pk</b>/<b>ports</b> if possible, with
|
/** Add the ephemeral service <b>pk</b>/<b>ports</b> if possible, using
|
||||||
|
* client authorization <b>auth_type</b> and an optional list of
|
||||||
|
* rend_authorized_client_t in <b>auth_clients</b>, with
|
||||||
* <b>max_streams_per_circuit</b> streams allowed per rendezvous circuit,
|
* <b>max_streams_per_circuit</b> streams allowed per rendezvous circuit,
|
||||||
* and circuit closure on max streams being exceeded set by
|
* and circuit closure on max streams being exceeded set by
|
||||||
* <b>max_streams_close_circuit</b>.
|
* <b>max_streams_close_circuit</b>.
|
||||||
*
|
*
|
||||||
* Regardless of sucess/failure, callers should not touch pk/ports after
|
* Ownership of pk, ports, and auth_clients is passed to this routine.
|
||||||
* calling this routine, and may assume that correct cleanup has been done
|
* Regardless of success/failure, callers should not touch these values
|
||||||
* on failure.
|
* after calling this routine, and may assume that correct cleanup has
|
||||||
|
* been done on failure.
|
||||||
*
|
*
|
||||||
* Return an appropriate rend_service_add_ephemeral_status_t.
|
* Return an appropriate rend_service_add_ephemeral_status_t.
|
||||||
*/
|
*/
|
||||||
@ -844,6 +847,8 @@ rend_service_add_ephemeral(crypto_pk_t *pk,
|
|||||||
smartlist_t *ports,
|
smartlist_t *ports,
|
||||||
int max_streams_per_circuit,
|
int max_streams_per_circuit,
|
||||||
int max_streams_close_circuit,
|
int max_streams_close_circuit,
|
||||||
|
rend_auth_type_t auth_type,
|
||||||
|
smartlist_t *auth_clients,
|
||||||
char **service_id_out)
|
char **service_id_out)
|
||||||
{
|
{
|
||||||
*service_id_out = NULL;
|
*service_id_out = NULL;
|
||||||
@ -853,7 +858,8 @@ rend_service_add_ephemeral(crypto_pk_t *pk,
|
|||||||
rend_service_t *s = tor_malloc_zero(sizeof(rend_service_t));
|
rend_service_t *s = tor_malloc_zero(sizeof(rend_service_t));
|
||||||
s->directory = NULL; /* This indicates the service is ephemeral. */
|
s->directory = NULL; /* This indicates the service is ephemeral. */
|
||||||
s->private_key = pk;
|
s->private_key = pk;
|
||||||
s->auth_type = REND_NO_AUTH;
|
s->auth_type = auth_type;
|
||||||
|
s->clients = auth_clients;
|
||||||
s->ports = ports;
|
s->ports = ports;
|
||||||
s->intro_period_started = time(NULL);
|
s->intro_period_started = time(NULL);
|
||||||
s->n_intro_points_wanted = NUM_INTRO_POINTS_DEFAULT;
|
s->n_intro_points_wanted = NUM_INTRO_POINTS_DEFAULT;
|
||||||
@ -869,6 +875,12 @@ rend_service_add_ephemeral(crypto_pk_t *pk,
|
|||||||
rend_service_free(s);
|
rend_service_free(s);
|
||||||
return RSAE_BADVIRTPORT;
|
return RSAE_BADVIRTPORT;
|
||||||
}
|
}
|
||||||
|
if (s->auth_type != REND_NO_AUTH &&
|
||||||
|
(!s->clients || smartlist_len(s->clients) == 0)) {
|
||||||
|
log_warn(LD_CONFIG, "At least one authorized client must be specified.");
|
||||||
|
rend_service_free(s);
|
||||||
|
return RSAE_BADAUTH;
|
||||||
|
}
|
||||||
|
|
||||||
/* Enforcing pk/id uniqueness should be done by rend_service_load_keys(), but
|
/* Enforcing pk/id uniqueness should be done by rend_service_load_keys(), but
|
||||||
* it's not, see #14828.
|
* it's not, see #14828.
|
||||||
|
@ -110,6 +110,7 @@ void rend_authorized_client_free(rend_authorized_client_t *client);
|
|||||||
|
|
||||||
/** Return value from rend_service_add_ephemeral. */
|
/** Return value from rend_service_add_ephemeral. */
|
||||||
typedef enum {
|
typedef enum {
|
||||||
|
RSAE_BADAUTH = -5, /**< Invalid auth_type/auth_clients */
|
||||||
RSAE_BADVIRTPORT = -4, /**< Invalid VIRTPORT/TARGET(s) */
|
RSAE_BADVIRTPORT = -4, /**< Invalid VIRTPORT/TARGET(s) */
|
||||||
RSAE_ADDREXISTS = -3, /**< Onion address collision */
|
RSAE_ADDREXISTS = -3, /**< Onion address collision */
|
||||||
RSAE_BADPRIVKEY = -2, /**< Invalid public key */
|
RSAE_BADPRIVKEY = -2, /**< Invalid public key */
|
||||||
@ -120,6 +121,8 @@ rend_service_add_ephemeral_status_t rend_service_add_ephemeral(crypto_pk_t *pk,
|
|||||||
smartlist_t *ports,
|
smartlist_t *ports,
|
||||||
int max_streams_per_circuit,
|
int max_streams_per_circuit,
|
||||||
int max_streams_close_circuit,
|
int max_streams_close_circuit,
|
||||||
|
rend_auth_type_t auth_type,
|
||||||
|
smartlist_t *auth_clients,
|
||||||
char **service_id_out);
|
char **service_id_out);
|
||||||
int rend_service_del_ephemeral(const char *service_id);
|
int rend_service_del_ephemeral(const char *service_id);
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user