r14236@tombo: nickm | 2008-02-17 13:44:55 -0500

Partial fix for bug 586: Add an ephemeral __HashedControlSessionPassword.


svn:r13543

ChangeLog

@@ -13,6 +13,11 @@ Changes in version 0.2.0.20-?? - 2008-02-??
     - Tune parameters for cell pool allocation to minimize amount of
       RAM overhead used.
 
+  o Minor features (controller):
+    - Add a new __HashedControlSessionPassword option for controllers
+      to use for one-off session password hashes that shouldn't get
+      saved to disk by SAVECONF.  Partial fix for bug 586.
+
   o Minor bugfixes:
     - Log the correct memory chunk sizes for empty RAM chunks in mempool.c.
     - Directory mirrors no longer include a guess at the client's IP

doc/spec/control-spec.txt

@@ -1560,3 +1560,8 @@ $Id$
 
     (Boolean. Default: "0".)
 
+  __HashedControlSessionPassword
+
+    As HashedControlPassword, but is not saved to the torrc file by
+    SAVECONF.  Added in Tor 0.2.0.20-rc.
+    

src/or/config.c

@@ -306,6 +306,8 @@ static config_var_t _option_vars[] = {
   VAR("__AllDirActionsPrivate",  BOOL,  AllDirActionsPrivate,     "0"),
   VAR("__DisablePredictedCircuits",BOOL,DisablePredictedCircuits, "0"),
   VAR("__LeaveStreamsUnattached",BOOL,  LeaveStreamsUnattached,   "0"),
+  VAR("__HashedControlSessionPassword", LINELIST, HashedControlSessionPassword,
+      NULL),
   V(MinUptimeHidServDirectoryV2, INTERVAL, "24 hours"),
   { NULL, CONFIG_TYPE_OBSOLETE, 0, NULL }
 };
@@ -3155,6 +3157,17 @@ options_validate(or_options_t *old_options, or_options_t *options,
     }
   }
 
+  if (options->HashedControlSessionPassword) {
+    smartlist_t *sl = decode_hashed_passwords(
+                                  options->HashedControlSessionPassword);
+    if (!sl) {
+      REJECT("Bad HashedControlSessionPassword: wrong length or bad encoding");
+    } else {
+      SMARTLIST_FOREACH(sl, char*, cp, tor_free(cp));
+      smartlist_free(sl);
+    }
+  }
+
   if (options->ControlListenAddress) {
     int all_are_local = 1;
     config_line_t *ln;
@@ -3163,7 +3176,9 @@ options_validate(or_options_t *old_options, or_options_t *options,
         all_are_local = 0;
     }
     if (!all_are_local) {
-      if (!options->HashedControlPassword && !options->CookieAuthentication) {
+      if (!options->HashedControlPassword &&
+          !options->HashedControlSessionPassword &&
+          !options->CookieAuthentication) {
         log_warn(LD_CONFIG, "You have a ControlListenAddress set to accept "
                  "connections from a non-local address.  This means that "
                  "any program on the internet can reconfigure your Tor. "
@@ -3179,6 +3194,7 @@ options_validate(or_options_t *old_options, or_options_t *options,
   }
 
   if (options->ControlPort && !options->HashedControlPassword &&
+      !options->HashedControlSessionPassword &&
       !options->CookieAuthentication) {
     log_warn(LD_CONFIG, "ControlPort is open, but no authentication method "
              "has been configured.  This means that any program on your "

src/or/control.c

@@ -1034,14 +1034,16 @@ handle_control_authenticate(control_connection_t *conn, uint32_t len,
     used_quoted_string = 1;
   }
 
-  if (!options->CookieAuthentication && !options->HashedControlPassword) {
+  if (!options->CookieAuthentication && !options->HashedControlPassword &&
+      !options->HashedControlSessionPassword) {
     /* if Tor doesn't demand any stronger authentication, then
      * the controller can get in with anything. */
     goto ok;
   }
 
   if (options->CookieAuthentication) {
-    int also_password = options->HashedControlPassword != NULL;
+    int also_password = options->HashedControlPassword != NULL ||
+      options->HashedControlSessionPassword != NULL;
     if (password_len != AUTHENTICATION_COOKIE_LEN) {
       if (!also_password) {
         log_warn(LD_CONTROL, "Got authentication cookie with wrong length "
@@ -1062,17 +1064,39 @@ handle_control_authenticate(control_connection_t *conn, uint32_t len,
     }
   }
 
-  if (options->HashedControlPassword) {
+  if (options->HashedControlPassword || options->HashedControlSessionPassword) {
+    int bad = 0;
+    smartlist_t *sl_tmp;
     char received[DIGEST_LEN];
     int also_cookie = options->CookieAuthentication;
-    sl = decode_hashed_passwords(options->HashedControlPassword);
-    if (!sl) {
+    sl = smartlist_create();
+    if (options->HashedControlPassword) {
+      sl_tmp = decode_hashed_passwords(options->HashedControlPassword);
+      if (!sl_tmp)
+        bad = 1;
+      else {
+        smartlist_add_all(sl, sl_tmp);
+        smartlist_free(sl_tmp);
+      }
+    }
+    if (options->HashedControlSessionPassword) {
+      sl_tmp = decode_hashed_passwords(options->HashedControlSessionPassword);
+      if (!sl_tmp)
+        bad = 1;
+      else {
+        smartlist_add_all(sl, sl_tmp);
+        smartlist_free(sl_tmp);
+      }
+    }
+    if (bad) {
       if (!also_cookie) {
         log_warn(LD_CONTROL,
                  "Couldn't decode HashedControlPassword: invalid base16");
         errstr="Couldn't decode HashedControlPassword value in configuration.";
       }
       bad_password = 1;
+      SMARTLIST_FOREACH(sl, char *, cp, tor_free(cp));
+      smartlist_free(sl);
     } else {
       SMARTLIST_FOREACH(sl, char *, expected,
       {

src/or/or.h

@@ -2258,6 +2258,8 @@ typedef struct {
 
   /** Base64-encoded hash of accepted passwords for the control system. */
   config_line_t *HashedControlPassword;
+  /** As HashedControlPassword, but not saved. */
+  config_line_t *HashedControlSessionPassword;
 
   int CookieAuthentication; /**< Boolean: do we enable cookie-based auth for
                              * the control system? */