September 2018 - tor-commits - lists.torproject.org

[translation/https_everywhere_completed] Update translations for https_everywhere_completed
by translation＠torproject.org 21 Sep '18

21 Sep '18

commit 9c8d6340322bcfd2fcfcddb375457ef965d5711c Author: Translation commit bot <translation(a)torproject.org> Date: Fri Sep 21 14:15:36 2018 +0000 Update translations for https_everywhere_completed --- ga/https-everywhere.dtd | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ga/https-everywhere.dtd b/ga/https-everywhere.dtd index 1cdb764ad..8ae0cec26 100644 --- a/ga/https-everywhere.dtd +++ b/ga/https-everywhere.dtd @@ -18,6 +18,7 @@ <!ENTITY https-everywhere.options.enableMixedRulesets "Cumasaigh rialacha d'ábhar measctha"> <!ENTITY https-everywhere.options.showDevtoolsTab "Taispeáin cluaisín na n-uirlisí forbartha"> <!ENTITY https-everywhere.options.autoUpdateRulesets "Nuashonraigh rialacha go huathoibríoch"> +<!ENTITY https-everywhere.options.disabledUrlsListed "Suímh ar ar díchumasaíodh HTTPS Everywhere"> <!ENTITY https-everywhere.options.updateChannelsWarning "Rabhadh: Má úsáideann tú cainéal nuashonraithe, tugann sé deis do dhrochdhaoine ionsaí a dhéanamh ar do bhrabhsálaí. Ná hathraigh aon rud sa rannán seo mura bhfuil tú lánchinnte!"> <!ENTITY https-everywhere.options.addUpdateChannel "Cainéal Nuashonraithe Nua"> <!ENTITY https-everywhere.options.enterUpdateChannelName "Cuir isteach ainm an chainéil nuashonraithe"> @@ -38,6 +39,8 @@ <!ENTITY https-everywhere.chrome.stable_rules_description "Fórsáil ceangal criptithe leis na suímh seo:"> <!ENTITY https-everywhere.chrome.experimental_rules "Rialacha turgnamhacha"> <!ENTITY https-everywhere.chrome.experimental_rules_description "D'fhéadfadh seo a bheith ina chúis le rabhaidh nó le hearráidí. Díchumasaithe de réir réamhshocraithe."> +<!ENTITY https-everywhere.chrome.disable_on_this_site "Díchumasaigh HTTPS Everywhere ar an suíomh seo"> +<!ENTITY https-everywhere.chrome.enable_on_this_site "Cumasaigh HTTPS Everywhere ar an suíomh seo"> <!ENTITY https-everywhere.chrome.add_rule "Cuir riail i bhfeidhm ar an suíomh seo"> <!ENTITY https-everywhere.chrome.add_new_rule "Cuir riail nua i bhfeidhm ar an suíomh seo"> <!ENTITY https-everywhere.chrome.always_https_for_host "Bain úsáid as https i gcónaí leis an óstríomhaire seo">

1 0

[translation/https_everywhere] Update translations for https_everywhere
by translation＠torproject.org 21 Sep '18

21 Sep '18

commit 9d45e8d6ac9a2c81405bb1adf424b184488912cb Author: Translation commit bot <translation(a)torproject.org> Date: Fri Sep 21 14:15:28 2018 +0000 Update translations for https_everywhere --- ga/https-everywhere.dtd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ga/https-everywhere.dtd b/ga/https-everywhere.dtd index 9ca966342..8ae0cec26 100644 --- a/ga/https-everywhere.dtd +++ b/ga/https-everywhere.dtd @@ -18,7 +18,7 @@ <!ENTITY https-everywhere.options.enableMixedRulesets "Cumasaigh rialacha d'ábhar measctha"> <!ENTITY https-everywhere.options.showDevtoolsTab "Taispeáin cluaisín na n-uirlisí forbartha"> <!ENTITY https-everywhere.options.autoUpdateRulesets "Nuashonraigh rialacha go huathoibríoch"> -<!ENTITY https-everywhere.options.disabledUrlsListed "HTTPS Everywhere Sites Disabled"> +<!ENTITY https-everywhere.options.disabledUrlsListed "Suímh ar ar díchumasaíodh HTTPS Everywhere"> <!ENTITY https-everywhere.options.updateChannelsWarning "Rabhadh: Má úsáideann tú cainéal nuashonraithe, tugann sé deis do dhrochdhaoine ionsaí a dhéanamh ar do bhrabhsálaí. Ná hathraigh aon rud sa rannán seo mura bhfuil tú lánchinnte!"> <!ENTITY https-everywhere.options.addUpdateChannel "Cainéal Nuashonraithe Nua"> <!ENTITY https-everywhere.options.enterUpdateChannelName "Cuir isteach ainm an chainéil nuashonraithe"> @@ -39,8 +39,8 @@ <!ENTITY https-everywhere.chrome.stable_rules_description "Fórsáil ceangal criptithe leis na suímh seo:"> <!ENTITY https-everywhere.chrome.experimental_rules "Rialacha turgnamhacha"> <!ENTITY https-everywhere.chrome.experimental_rules_description "D'fhéadfadh seo a bheith ina chúis le rabhaidh nó le hearráidí. Díchumasaithe de réir réamhshocraithe."> -<!ENTITY https-everywhere.chrome.disable_on_this_site "Disable HTTPS Everywhere on this site"> -<!ENTITY https-everywhere.chrome.enable_on_this_site "Enable HTTPS Everywhere on this site"> +<!ENTITY https-everywhere.chrome.disable_on_this_site "Díchumasaigh HTTPS Everywhere ar an suíomh seo"> +<!ENTITY https-everywhere.chrome.enable_on_this_site "Cumasaigh HTTPS Everywhere ar an suíomh seo"> <!ENTITY https-everywhere.chrome.add_rule "Cuir riail i bhfeidhm ar an suíomh seo"> <!ENTITY https-everywhere.chrome.add_new_rule "Cuir riail nua i bhfeidhm ar an suíomh seo"> <!ENTITY https-everywhere.chrome.always_https_for_host "Bain úsáid as https i gcónaí leis an óstríomhaire seo">

1 0

[tor/master] man: Fix format typo for HiddenServiceExportCircuitID
by dgoulet＠torproject.org 21 Sep '18

21 Sep '18

commit dbc32400d54300b5011c1d129717214be3a44696 Author: David Goulet <dgoulet(a)torproject.org> Date: Fri Sep 21 09:54:22 2018 -0400 man: Fix format typo for HiddenServiceExportCircuitID Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- doc/tor.1.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 6403c1c3e..4ff26d83e 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -2848,7 +2848,7 @@ The following options are used to configure a hidden service. [[HiddenServiceExportCircuitID]] **HiddenServiceExportCircuitID** __protocol__:: The onion service will use the given protocol to expose the global circuit identifier of each inbound client circuit via the selected protocol. The only - protocol supported right now \'haproxy\'. This option is only for v3 + protocol supported right now \'haproxy'. This option is only for v3 services. (Default: none) + + The haproxy option works in the following way: when the feature is

1 0

[translation/tor-and-https_completed] Update translations for tor-and-https_completed
by translation＠torproject.org 21 Sep '18

21 Sep '18

commit 21207b98b5c286b9229d5d751edee5209265c2f8 Author: Translation commit bot <translation(a)torproject.org> Date: Fri Sep 21 13:47:03 2018 +0000 Update translations for tor-and-https_completed --- el.po | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/el.po b/el.po index db71967bb..6786628f4 100644 --- a/el.po +++ b/el.po @@ -5,8 +5,8 @@ msgid "" msgstr "" "Project-Id-Version: The Tor Project\n" "POT-Creation-Date: 2014-07-17 14:23+0000\n" -"PO-Revision-Date: 2018-04-12 19:08+0000\n" -"Last-Translator: LaScapigliata <ditri2000(a)hotmail.com>\n" +"PO-Revision-Date: 2018-09-21 13:24+0000\n" +"Last-Translator: Sofia K.\n" "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n"

1 0

[translation/tor-and-https] Update translations for tor-and-https
by translation＠torproject.org 21 Sep '18

21 Sep '18

commit b8bb37f72b63536e4738e6b7e91ff14272b5e4bc Author: Translation commit bot <translation(a)torproject.org> Date: Fri Sep 21 13:46:58 2018 +0000 Update translations for tor-and-https --- el.po | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/el.po b/el.po index db71967bb..6786628f4 100644 --- a/el.po +++ b/el.po @@ -5,8 +5,8 @@ msgid "" msgstr "" "Project-Id-Version: The Tor Project\n" "POT-Creation-Date: 2014-07-17 14:23+0000\n" -"PO-Revision-Date: 2018-04-12 19:08+0000\n" -"Last-Translator: LaScapigliata <ditri2000(a)hotmail.com>\n" +"PO-Revision-Date: 2018-09-21 13:24+0000\n" +"Last-Translator: Sofia K.\n" "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n"

1 0

[webwml/master] 0.3.5.2-alpha source release
by nickm＠torproject.org 21 Sep '18

21 Sep '18

commit 60beab3ebb1421cdfdcccc6997625548fba085d4 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Sep 21 09:45:53 2018 -0400 0.3.5.2-alpha source release --- Makefile | 2 +- include/versions.wmi | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 760297cd..01c176bf 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ # website component, and set it to needs_review. export STABLETAG=tor-0.3.4.8 -export DEVTAG=tor-0.3.5.1-alpha +export DEVTAG=tor-0.3.5.2-alpha WMLBASE=. SUBDIRS=docs eff projects press about download getinvolved donate docs/torbutton diff --git a/include/versions.wmi b/include/versions.wmi index 74d5f443..eb958a5a 100644 --- a/include/versions.wmi +++ b/include/versions.wmi @@ -1,5 +1,5 @@ <define-tag version-stable whitespace=delete>0.3.4.8</define-tag> -<define-tag version-alpha whitespace=delete>0.3.5.1-alpha</define-tag> +<define-tag version-alpha whitespace=delete>0.3.5.2-alpha</define-tag> <define-tag version-torbrowserdevelopbranch whitespace=delete>maint-7.5</define-tag>

1 0

[translation/bridgedb_completed] Update translations for bridgedb_completed
by translation＠torproject.org 21 Sep '18

21 Sep '18

commit c597e0cbc03ba6d9f32905aea0619604397ed607 Author: Translation commit bot <translation(a)torproject.org> Date: Fri Sep 21 13:45:18 2018 +0000 Update translations for bridgedb_completed --- el/LC_MESSAGES/bridgedb.po | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/el/LC_MESSAGES/bridgedb.po b/el/LC_MESSAGES/bridgedb.po index 3f596687c..2f90b454d 100644 --- a/el/LC_MESSAGES/bridgedb.po +++ b/el/LC_MESSAGES/bridgedb.po @@ -22,8 +22,8 @@ msgstr "" "Project-Id-Version: The Tor Project\n" "Report-Msgid-Bugs-To: 'https://trac.torproject.org/projects/tor/newticket?component=BridgeDB&keywo…'\n" "POT-Creation-Date: 2015-07-25 03:40+0000\n" -"PO-Revision-Date: 2018-09-21 10:03+0000\n" -"Last-Translator: A Papac <ap909219(a)protonmail.com>\n" +"PO-Revision-Date: 2018-09-21 13:27+0000\n" +"Last-Translator: Sofia K.\n" "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" @@ -174,7 +174,7 @@ msgstr "%sΛ%sήψη Γεφυρών" #: bridgedb/strings.py:43 msgid "[This is an automated message; please do not reply.]" -msgstr "[Αυτό είναι ένα αυτοματοποιημενο μήνυμα. Pαρακαλούμε μην απαντήσετε!]" +msgstr "[Αυτό είναι ένα αυτοματοποιημένο μήνυμα· παρακαλώ μην απαντήσετε.]" #: bridgedb/strings.py:45 msgid "Here are your bridges:"

1 0

[translation/bridgedb] Update translations for bridgedb
by translation＠torproject.org 21 Sep '18

21 Sep '18

commit 573cb1ec09e4045bdbdb7e6a0489013a9d99c2ab Author: Translation commit bot <translation(a)torproject.org> Date: Fri Sep 21 13:45:12 2018 +0000 Update translations for bridgedb --- el/LC_MESSAGES/bridgedb.po | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/el/LC_MESSAGES/bridgedb.po b/el/LC_MESSAGES/bridgedb.po index 3f596687c..2f90b454d 100644 --- a/el/LC_MESSAGES/bridgedb.po +++ b/el/LC_MESSAGES/bridgedb.po @@ -22,8 +22,8 @@ msgstr "" "Project-Id-Version: The Tor Project\n" "Report-Msgid-Bugs-To: 'https://trac.torproject.org/projects/tor/newticket?component=BridgeDB&keywo…'\n" "POT-Creation-Date: 2015-07-25 03:40+0000\n" -"PO-Revision-Date: 2018-09-21 10:03+0000\n" -"Last-Translator: A Papac <ap909219(a)protonmail.com>\n" +"PO-Revision-Date: 2018-09-21 13:27+0000\n" +"Last-Translator: Sofia K.\n" "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" @@ -174,7 +174,7 @@ msgstr "%sΛ%sήψη Γεφυρών" #: bridgedb/strings.py:43 msgid "[This is an automated message; please do not reply.]" -msgstr "[Αυτό είναι ένα αυτοματοποιημενο μήνυμα. Pαρακαλούμε μην απαντήσετε!]" +msgstr "[Αυτό είναι ένα αυτοματοποιημένο μήνυμα· παρακαλώ μην απαντήσετε.]" #: bridgedb/strings.py:45 msgid "Here are your bridges:"

1 0

[tor/master] Add unittest for HiddenServiceExportCircuitID.
by nickm＠torproject.org 21 Sep '18

21 Sep '18

commit b2092f1ced891737d83915f027b6776882d256b5 Author: George Kadianakis <desnacked(a)riseup.net> Date: Sat Sep 15 16:33:05 2018 +0300 Add unittest for HiddenServiceExportCircuitID. Had to move a function to test helpers. --- src/core/or/or.h | 1 + src/test/test_extorport.c | 17 +---------- src/test/test_helpers.c | 19 +++++++++++++ src/test/test_helpers.h | 3 ++ src/test/test_hs_service.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 94 insertions(+), 16 deletions(-) diff --git a/src/core/or/or.h b/src/core/or/or.h index eae027012..efc124fa6 100644 --- a/src/core/or/or.h +++ b/src/core/or/or.h @@ -26,6 +26,7 @@ #include "lib/cc/compat_compiler.h" #include "lib/cc/torint.h" #include "lib/container/map.h" +#include "lib/container/buffers.h" #include "lib/container/smartlist.h" #include "lib/crypt_ops/crypto_cipher.h" #include "lib/crypt_ops/crypto_rsa.h" diff --git a/src/test/test_extorport.c b/src/test/test_extorport.c index ff987563c..7babc81ee 100644 --- a/src/test/test_extorport.c +++ b/src/test/test_extorport.c @@ -17,6 +17,7 @@ #include "core/or/or_connection_st.h" #include "test/test.h" +#include "test/test_helpers.h" #ifdef HAVE_SYS_STAT_H #include <sys/stat.h> @@ -89,22 +90,6 @@ connection_write_to_buf_impl_replacement(const char *string, size_t len, buf_add(conn->outbuf, string, len); } -static char * -buf_get_contents(buf_t *buf, size_t *sz_out) -{ - char *out; - *sz_out = buf_datalen(buf); - if (*sz_out >= ULONG_MAX) - return NULL; /* C'mon, really? */ - out = tor_malloc(*sz_out + 1); - if (buf_get_bytes(buf, out, (unsigned long)*sz_out) != 0) { - tor_free(out); - return NULL; - } - out[*sz_out] = '\0'; /* Hopefully gratuitous. */ - return out; -} - static void test_ext_or_write_command(void *arg) { diff --git a/src/test/test_helpers.c b/src/test/test_helpers.c index c9138611d..a10821956 100644 --- a/src/test/test_helpers.c +++ b/src/test/test_helpers.c @@ -125,6 +125,25 @@ connection_write_to_buf_mock(const char *string, size_t len, buf_add(conn->outbuf, string, len); } +char * +buf_get_contents(buf_t *buf, size_t *sz_out) +{ + tor_assert(buf); + tor_assert(sz_out); + + char *out; + *sz_out = buf_datalen(buf); + if (*sz_out >= ULONG_MAX) + return NULL; /* C'mon, really? */ + out = tor_malloc(*sz_out + 1); + if (buf_get_bytes(buf, out, (unsigned long)*sz_out) != 0) { + tor_free(out); + return NULL; + } + out[*sz_out] = '\0'; /* Hopefully gratuitous. */ + return out; +} + /* Set up a fake origin circuit with the specified number of cells, * Return a pointer to the newly-created dummy circuit */ circuit_t * diff --git a/src/test/test_helpers.h b/src/test/test_helpers.h index 3196c93e6..72bf7f2f7 100644 --- a/src/test/test_helpers.h +++ b/src/test/test_helpers.h @@ -4,6 +4,8 @@ #ifndef TOR_TEST_HELPERS_H #define TOR_TEST_HELPERS_H +#define BUFFERS_PRIVATE + #include "core/or/or.h" const char *get_yesterday_date_str(void); @@ -18,6 +20,7 @@ void helper_setup_fake_routerlist(void); #define GET(path) "GET " path " HTTP/1.0\r\n\r\n" void connection_write_to_buf_mock(const char *string, size_t len, connection_t *conn, int compressed); +char *buf_get_contents(buf_t *buf, size_t *sz_out); int mock_tor_addr_lookup__fail_on_bad_addrs(const char *name, uint16_t family, tor_addr_t *out); diff --git a/src/test/test_hs_service.c b/src/test/test_hs_service.c index bceeafd14..0a1c866d6 100644 --- a/src/test/test_hs_service.c +++ b/src/test/test_hs_service.c @@ -10,6 +10,7 @@ #define CIRCUITLIST_PRIVATE #define CONFIG_PRIVATE #define CONNECTION_PRIVATE +#define CONNECTION_EDGE_PRIVATE #define CRYPTO_PRIVATE #define HS_COMMON_PRIVATE #define HS_SERVICE_PRIVATE @@ -33,6 +34,9 @@ #include "core/or/circuitbuild.h" #include "core/or/circuitlist.h" #include "core/or/circuituse.h" +#include "core/mainloop/connection.h" +#include "core/or/connection_edge.h" +#include "core/or/edge_connection_st.h" #include "lib/crypt_ops/crypto_rand.h" #include "lib/fs/dir.h" #include "feature/dirauth/dirvote.h" @@ -2003,6 +2007,70 @@ test_authorized_client_config_equal(void *arg) tor_free(config2); } +/** Test that client circuit ID gets correctly exported */ +static void +test_export_client_circuit_id(void *arg) +{ + origin_circuit_t *or_circ = NULL; + size_t sz; + char *cp1=NULL, *cp2=NULL; + connection_t *conn = NULL; + + (void) arg; + + MOCK(connection_write_to_buf_impl_, connection_write_to_buf_mock); + + hs_service_init(); + + /* Create service */ + hs_service_t *service = helper_create_service(); + /* Check that export circuit ID detection works */ + service->config.export_circuit_id = false; + tt_int_op(0, OP_EQ, + hs_service_exports_circuit_id(&service->keys.identity_pk)); + service->config.export_circuit_id = true; + tt_int_op(1, OP_EQ, + hs_service_exports_circuit_id(&service->keys.identity_pk)); + + /* Create client connection */ + conn = test_conn_get_connection(AP_CONN_STATE_CIRCUIT_WAIT, CONN_TYPE_AP, 0); + + /* Create client edge conn hs_ident */ + edge_connection_t *edge_conn = TO_EDGE_CONN(conn); + edge_conn->hs_ident = hs_ident_edge_conn_new(&service->keys.identity_pk); + edge_conn->hs_ident->orig_virtual_port = 42; + + /* Create rend circuit */ + or_circ = origin_circuit_new(); + or_circ->base_.purpose = CIRCUIT_PURPOSE_C_REND_JOINED; + edge_conn->on_circuit = TO_CIRCUIT(or_circ); + or_circ->global_identifier = 666; + + /* Export circuit ID */ + export_hs_client_circuit_id_haproxy(edge_conn, conn); + + /* Check contents */ + cp1 = buf_get_contents(conn->outbuf, &sz); + tt_str_op(cp1, OP_EQ, + "PROXY TCP6 fc00:dead:beef:4dad::0:29a ::1 666 42\r\n"); + + /* Change circ GID and see that the reported circuit ID also changes */ + or_circ->global_identifier = 22; + + /* check changes */ + export_hs_client_circuit_id_haproxy(edge_conn, conn); + cp2 = buf_get_contents(conn->outbuf, &sz); + tt_str_op(cp1, OP_NE, cp2); + + done: + UNMOCK(connection_write_to_buf_impl_); + circuit_free_(TO_CIRCUIT(or_circ)); + connection_free_minimal(conn); + hs_service_free(service); + tor_free(cp1); + tor_free(cp2); +} + struct testcase_t hs_service_tests[] = { { "e2e_rend_circuit_setup", test_e2e_rend_circuit_setup, TT_FORK, NULL, NULL }, @@ -2044,6 +2112,8 @@ struct testcase_t hs_service_tests[] = { NULL, NULL }, { "authorized_client_config_equal", test_authorized_client_config_equal, TT_FORK, NULL, NULL }, + { "export_client_circuit_id", test_export_client_circuit_id, TT_FORK, + NULL, NULL }, END_OF_TESTCASES };

1 0

[tor/master] Introduce per-service HiddenServiceExportCircuitID torrc option.
by nickm＠torproject.org 21 Sep '18

21 Sep '18

commit 27d7491f5a761c58fc687f0b816b80ff9f7a1a1d Author: George Kadianakis <desnacked(a)riseup.net> Date: Wed Sep 12 14:40:19 2018 +0300 Introduce per-service HiddenServiceExportCircuitID torrc option. Moves code to a function, better viewed with --color-moved. --- changes/bug4700 | 5 +++++ src/app/config/config.c | 1 + src/core/or/connection_edge.c | 52 ++++++++++++++++++++++++++----------------- src/feature/hs/hs_config.c | 20 ++++++++++++++++- src/feature/hs/hs_service.c | 13 +++++++++++ src/feature/hs/hs_service.h | 5 +++++ 6 files changed, 75 insertions(+), 21 deletions(-) diff --git a/changes/bug4700 b/changes/bug4700 new file mode 100644 index 000000000..3c8d9b19b --- /dev/null +++ b/changes/bug4700 @@ -0,0 +1,5 @@ + o Minor features (onion services): + - Version 3 onion services can now use the per-service + HiddenServiceExportCircuitID option to differentiate client circuits by + using the HAProxy proxy protocol which assigns IP addresses to inbound client + circuits. Closes ticket 4700. Patch by Mahrud Sayrafi. diff --git a/src/app/config/config.c b/src/app/config/config.c index 1adeb75c9..13421f103 100644 --- a/src/app/config/config.c +++ b/src/app/config/config.c @@ -457,6 +457,7 @@ static config_var_t option_vars_[] = { VAR("HiddenServiceMaxStreams",LINELIST_S, RendConfigLines, NULL), VAR("HiddenServiceMaxStreamsCloseCircuit",LINELIST_S, RendConfigLines, NULL), VAR("HiddenServiceNumIntroductionPoints", LINELIST_S, RendConfigLines, NULL), + VAR("HiddenServiceExportCircuitID", LINELIST_S, RendConfigLines, NULL), VAR("HiddenServiceStatistics", BOOL, HiddenServiceStatistics_option, "1"), V(HidServAuth, LINELIST, NULL), V(ClientOnionAuthDir, FILENAME, NULL), diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c index a85419376..8b333a6f4 100644 --- a/src/core/or/connection_edge.c +++ b/src/core/or/connection_edge.c @@ -597,6 +597,33 @@ connected_cell_format_payload(uint8_t *payload_out, return connected_payload_len; } +/* DOCDOCDOC */ +static void +send_ha_proxy_header(const edge_connection_t *edge_conn, + connection_t *conn) +{ + char buf[512]; + char dst_ipv6[39] = "::1"; + /* See RFC4193 regarding fc00::/7 */ + char src_ipv6_prefix[34] = "fc00:dead:beef:4dad:"; + /* TODO: retain virtual port and use as destination port */ + uint16_t dst_port = 443; + uint16_t src_port = 0; + uint32_t gid = 0; + + if (edge_conn->on_circuit != NULL) { + gid = TO_ORIGIN_CIRCUIT(edge_conn->on_circuit)->global_identifier; + src_port = gid & 0x0000ffff; + } + + gid = (gid == 0) ? 1 : gid; + src_port = (src_port == 0) ? 1 : src_port; + + tor_snprintf(buf, sizeof(buf), "PROXY TCP6 %s:%x %s %d %d\r\n", + src_ipv6_prefix, gid, dst_ipv6, src_port, dst_port); + connection_buf_add(buf, strlen(buf), conn); +} + /** Connected handler for exit connections: start writing pending * data, deliver 'CONNECTED' relay cells as appropriate, and check * any pending data that may have been received. */ @@ -618,28 +645,13 @@ connection_edge_finished_connecting(edge_connection_t *edge_conn) conn->state = EXIT_CONN_STATE_OPEN; - /* Include Proxy Protocol header. */ - char buf[512]; - char dst_ipv6[39] = "::1"; - /* See RFC4193 regarding fc00::/7 */ - char src_ipv6_prefix[34] = "fc00:dead:beef:4dad:"; - /* TODO: retain virtual port and use as destination port */ - uint16_t dst_port = 443; - uint16_t src_port = 0; - uint32_t gid = 0; - - if (edge_conn->on_circuit != NULL) { - gid = TO_ORIGIN_CIRCUIT(edge_conn->on_circuit)->global_identifier; - src_port = gid & 0x0000ffff; + /* If it's an onion service connection, we might want to include the proxy + * protocol header */ + if (edge_conn->hs_ident && + hs_service_exports_circuit_id(&edge_conn->hs_ident->identity_pk)) { + send_ha_proxy_header(edge_conn, conn); } - gid = (gid == 0) ? 1 : gid; - src_port = (src_port == 0) ? 1 : src_port; - - tor_snprintf(buf, sizeof(buf), "PROXY TCP6 %s:%x %s %d %d\r\n", - src_ipv6_prefix, gid, dst_ipv6, src_port, dst_port); - connection_buf_add(buf, strlen(buf), conn); - connection_watch_events(conn, READ_EVENT); /* stop writing, keep reading */ if (connection_get_outbuf_len(conn)) /* in case there are any queued relay * cells */ diff --git a/src/feature/hs/hs_config.c b/src/feature/hs/hs_config.c index eaeb58829..16bfe7c54 100644 --- a/src/feature/hs/hs_config.c +++ b/src/feature/hs/hs_config.c @@ -188,6 +188,11 @@ config_has_invalid_options(const config_line_t *line_, NULL /* End marker. */ }; + const char *opts_exclude_v2[] = { + "HiddenServiceExportCircuitID", + NULL /* End marker. */ + }; + /* Defining the size explicitly allows us to take advantage of the compiler * which warns us if we ever bump the max version but forget to grow this * array. The plus one is because we have a version 0 :). */ @@ -196,7 +201,7 @@ config_has_invalid_options(const config_line_t *line_, } exclude_lists[HS_VERSION_MAX + 1] = { { NULL }, /* v0. */ { NULL }, /* v1. */ - { NULL }, /* v2 */ + { opts_exclude_v2 }, /* v2 */ { opts_exclude_v3 }, /* v3. */ }; @@ -262,6 +267,7 @@ config_service_v3(const config_line_t *line_, hs_service_config_t *config) { int have_num_ip = 0; + bool export_circuit_id = false; /* just to detect duplicate options */ const char *dup_opt_seen = NULL; const config_line_t *line; @@ -288,6 +294,18 @@ config_service_v3(const config_line_t *line_, have_num_ip = 1; continue; } + if (!strcasecmp(line->key, "HiddenServiceExportCircuitID")) { + config->export_circuit_id = + (unsigned int) helper_parse_uint64(line->key, line->value, 0, 1, &ok); + if (!ok || export_circuit_id) { + if (export_circuit_id) { + dup_opt_seen = line->key; + } + goto err; + } + export_circuit_id = true; + continue; + } } /* We do not load the key material for the service at this stage. This is diff --git a/src/feature/hs/hs_service.c b/src/feature/hs/hs_service.c index 30d23eb77..75d7cb75e 100644 --- a/src/feature/hs/hs_service.c +++ b/src/feature/hs/hs_service.c @@ -3762,6 +3762,19 @@ hs_service_set_conn_addr_port(const origin_circuit_t *circ, return -1; } +/** Does the service with identity pubkey <b>pk</b> export the circuit IDs of + * its clients? */ +bool +hs_service_exports_circuit_id(const ed25519_public_key_t *pk) +{ + hs_service_t *service = find_service(hs_service_map, pk); + if (!service) { + return 0; + } + + return service->config.export_circuit_id; +} + /* Add to file_list every filename used by a configured hidden service, and to * dir_list every directory path used by a configured hidden service. This is * used by the sandbox subsystem to whitelist those. */ diff --git a/src/feature/hs/hs_service.h b/src/feature/hs/hs_service.h index 735266071..e541cb28b 100644 --- a/src/feature/hs/hs_service.h +++ b/src/feature/hs/hs_service.h @@ -210,6 +210,9 @@ typedef struct hs_service_config_t { /* Is this service ephemeral? */ unsigned int is_ephemeral : 1; + + /* Does this service export the circuit ID of its clients? */ + bool export_circuit_id; } hs_service_config_t; /* Service state. */ @@ -316,6 +319,8 @@ void hs_service_upload_desc_to_dir(const char *encoded_desc, const ed25519_public_key_t *blinded_pk, const routerstatus_t *hsdir_rs); +bool hs_service_exports_circuit_id(const ed25519_public_key_t *pk); + #ifdef HS_SERVICE_PRIVATE #ifdef TOR_UNIT_TESTS

1 0