mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
r14236@tombo: nickm | 2008-02-17 13:44:55 -0500
Partial fix for bug 586: Add an ephemeral __HashedControlSessionPassword. svn:r13543
This commit is contained in:
parent
4c1e516a09
commit
faa56a500b
@ -13,6 +13,11 @@ Changes in version 0.2.0.20-?? - 2008-02-??
|
|||||||
- Tune parameters for cell pool allocation to minimize amount of
|
- Tune parameters for cell pool allocation to minimize amount of
|
||||||
RAM overhead used.
|
RAM overhead used.
|
||||||
|
|
||||||
|
o Minor features (controller):
|
||||||
|
- Add a new __HashedControlSessionPassword option for controllers
|
||||||
|
to use for one-off session password hashes that shouldn't get
|
||||||
|
saved to disk by SAVECONF. Partial fix for bug 586.
|
||||||
|
|
||||||
o Minor bugfixes:
|
o Minor bugfixes:
|
||||||
- Log the correct memory chunk sizes for empty RAM chunks in mempool.c.
|
- Log the correct memory chunk sizes for empty RAM chunks in mempool.c.
|
||||||
- Directory mirrors no longer include a guess at the client's IP
|
- Directory mirrors no longer include a guess at the client's IP
|
||||||
|
@ -1560,3 +1560,8 @@ $Id$
|
|||||||
|
|
||||||
(Boolean. Default: "0".)
|
(Boolean. Default: "0".)
|
||||||
|
|
||||||
|
__HashedControlSessionPassword
|
||||||
|
|
||||||
|
As HashedControlPassword, but is not saved to the torrc file by
|
||||||
|
SAVECONF. Added in Tor 0.2.0.20-rc.
|
||||||
|
|
||||||
|
@ -306,6 +306,8 @@ static config_var_t _option_vars[] = {
|
|||||||
VAR("__AllDirActionsPrivate", BOOL, AllDirActionsPrivate, "0"),
|
VAR("__AllDirActionsPrivate", BOOL, AllDirActionsPrivate, "0"),
|
||||||
VAR("__DisablePredictedCircuits",BOOL,DisablePredictedCircuits, "0"),
|
VAR("__DisablePredictedCircuits",BOOL,DisablePredictedCircuits, "0"),
|
||||||
VAR("__LeaveStreamsUnattached",BOOL, LeaveStreamsUnattached, "0"),
|
VAR("__LeaveStreamsUnattached",BOOL, LeaveStreamsUnattached, "0"),
|
||||||
|
VAR("__HashedControlSessionPassword", LINELIST, HashedControlSessionPassword,
|
||||||
|
NULL),
|
||||||
V(MinUptimeHidServDirectoryV2, INTERVAL, "24 hours"),
|
V(MinUptimeHidServDirectoryV2, INTERVAL, "24 hours"),
|
||||||
{ NULL, CONFIG_TYPE_OBSOLETE, 0, NULL }
|
{ NULL, CONFIG_TYPE_OBSOLETE, 0, NULL }
|
||||||
};
|
};
|
||||||
@ -3155,6 +3157,17 @@ options_validate(or_options_t *old_options, or_options_t *options,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (options->HashedControlSessionPassword) {
|
||||||
|
smartlist_t *sl = decode_hashed_passwords(
|
||||||
|
options->HashedControlSessionPassword);
|
||||||
|
if (!sl) {
|
||||||
|
REJECT("Bad HashedControlSessionPassword: wrong length or bad encoding");
|
||||||
|
} else {
|
||||||
|
SMARTLIST_FOREACH(sl, char*, cp, tor_free(cp));
|
||||||
|
smartlist_free(sl);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (options->ControlListenAddress) {
|
if (options->ControlListenAddress) {
|
||||||
int all_are_local = 1;
|
int all_are_local = 1;
|
||||||
config_line_t *ln;
|
config_line_t *ln;
|
||||||
@ -3163,7 +3176,9 @@ options_validate(or_options_t *old_options, or_options_t *options,
|
|||||||
all_are_local = 0;
|
all_are_local = 0;
|
||||||
}
|
}
|
||||||
if (!all_are_local) {
|
if (!all_are_local) {
|
||||||
if (!options->HashedControlPassword && !options->CookieAuthentication) {
|
if (!options->HashedControlPassword &&
|
||||||
|
!options->HashedControlSessionPassword &&
|
||||||
|
!options->CookieAuthentication) {
|
||||||
log_warn(LD_CONFIG, "You have a ControlListenAddress set to accept "
|
log_warn(LD_CONFIG, "You have a ControlListenAddress set to accept "
|
||||||
"connections from a non-local address. This means that "
|
"connections from a non-local address. This means that "
|
||||||
"any program on the internet can reconfigure your Tor. "
|
"any program on the internet can reconfigure your Tor. "
|
||||||
@ -3179,6 +3194,7 @@ options_validate(or_options_t *old_options, or_options_t *options,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (options->ControlPort && !options->HashedControlPassword &&
|
if (options->ControlPort && !options->HashedControlPassword &&
|
||||||
|
!options->HashedControlSessionPassword &&
|
||||||
!options->CookieAuthentication) {
|
!options->CookieAuthentication) {
|
||||||
log_warn(LD_CONFIG, "ControlPort is open, but no authentication method "
|
log_warn(LD_CONFIG, "ControlPort is open, but no authentication method "
|
||||||
"has been configured. This means that any program on your "
|
"has been configured. This means that any program on your "
|
||||||
|
@ -1034,14 +1034,16 @@ handle_control_authenticate(control_connection_t *conn, uint32_t len,
|
|||||||
used_quoted_string = 1;
|
used_quoted_string = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!options->CookieAuthentication && !options->HashedControlPassword) {
|
if (!options->CookieAuthentication && !options->HashedControlPassword &&
|
||||||
|
!options->HashedControlSessionPassword) {
|
||||||
/* if Tor doesn't demand any stronger authentication, then
|
/* if Tor doesn't demand any stronger authentication, then
|
||||||
* the controller can get in with anything. */
|
* the controller can get in with anything. */
|
||||||
goto ok;
|
goto ok;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (options->CookieAuthentication) {
|
if (options->CookieAuthentication) {
|
||||||
int also_password = options->HashedControlPassword != NULL;
|
int also_password = options->HashedControlPassword != NULL ||
|
||||||
|
options->HashedControlSessionPassword != NULL;
|
||||||
if (password_len != AUTHENTICATION_COOKIE_LEN) {
|
if (password_len != AUTHENTICATION_COOKIE_LEN) {
|
||||||
if (!also_password) {
|
if (!also_password) {
|
||||||
log_warn(LD_CONTROL, "Got authentication cookie with wrong length "
|
log_warn(LD_CONTROL, "Got authentication cookie with wrong length "
|
||||||
@ -1062,17 +1064,39 @@ handle_control_authenticate(control_connection_t *conn, uint32_t len,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (options->HashedControlPassword) {
|
if (options->HashedControlPassword || options->HashedControlSessionPassword) {
|
||||||
|
int bad = 0;
|
||||||
|
smartlist_t *sl_tmp;
|
||||||
char received[DIGEST_LEN];
|
char received[DIGEST_LEN];
|
||||||
int also_cookie = options->CookieAuthentication;
|
int also_cookie = options->CookieAuthentication;
|
||||||
sl = decode_hashed_passwords(options->HashedControlPassword);
|
sl = smartlist_create();
|
||||||
if (!sl) {
|
if (options->HashedControlPassword) {
|
||||||
|
sl_tmp = decode_hashed_passwords(options->HashedControlPassword);
|
||||||
|
if (!sl_tmp)
|
||||||
|
bad = 1;
|
||||||
|
else {
|
||||||
|
smartlist_add_all(sl, sl_tmp);
|
||||||
|
smartlist_free(sl_tmp);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (options->HashedControlSessionPassword) {
|
||||||
|
sl_tmp = decode_hashed_passwords(options->HashedControlSessionPassword);
|
||||||
|
if (!sl_tmp)
|
||||||
|
bad = 1;
|
||||||
|
else {
|
||||||
|
smartlist_add_all(sl, sl_tmp);
|
||||||
|
smartlist_free(sl_tmp);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (bad) {
|
||||||
if (!also_cookie) {
|
if (!also_cookie) {
|
||||||
log_warn(LD_CONTROL,
|
log_warn(LD_CONTROL,
|
||||||
"Couldn't decode HashedControlPassword: invalid base16");
|
"Couldn't decode HashedControlPassword: invalid base16");
|
||||||
errstr="Couldn't decode HashedControlPassword value in configuration.";
|
errstr="Couldn't decode HashedControlPassword value in configuration.";
|
||||||
}
|
}
|
||||||
bad_password = 1;
|
bad_password = 1;
|
||||||
|
SMARTLIST_FOREACH(sl, char *, cp, tor_free(cp));
|
||||||
|
smartlist_free(sl);
|
||||||
} else {
|
} else {
|
||||||
SMARTLIST_FOREACH(sl, char *, expected,
|
SMARTLIST_FOREACH(sl, char *, expected,
|
||||||
{
|
{
|
||||||
|
@ -2258,6 +2258,8 @@ typedef struct {
|
|||||||
|
|
||||||
/** Base64-encoded hash of accepted passwords for the control system. */
|
/** Base64-encoded hash of accepted passwords for the control system. */
|
||||||
config_line_t *HashedControlPassword;
|
config_line_t *HashedControlPassword;
|
||||||
|
/** As HashedControlPassword, but not saved. */
|
||||||
|
config_line_t *HashedControlSessionPassword;
|
||||||
|
|
||||||
int CookieAuthentication; /**< Boolean: do we enable cookie-based auth for
|
int CookieAuthentication; /**< Boolean: do we enable cookie-based auth for
|
||||||
* the control system? */
|
* the control system? */
|
||||||
|
Loading…
Reference in New Issue
Block a user