commit c2865d91116c4fd2b85891472725429ba1b2c5e6
Author: John Brooks <john.brooks@dereferenced.net>
Date:   Sat Apr 4 15:43:25 2015 -0600
Add ClientAuth for the ADD_ONION control command
Part of #15588
---
 control-spec.txt | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/control-spec.txt b/control-spec.txt index 1203972..8fa1579 100644 --- a/control-spec.txt +++ b/control-spec.txt @@ -1306,7 +1306,8 @@ The syntax is: "ADD_ONION" SP KeyType ":" KeyBlob [SP "Flags=" Flag *("," Flag)] - 1*(SP "Port=" VirtPort ["," Target]) CRLF + 1*(SP "Port=" VirtPort ["," Target]) + *(SP "ClientAuth=" ClientName [":" ClientBlob]) CRLF
KeyType = "NEW" / ; The server should generate a key of algorithm KeyBlob @@ -1323,8 +1324,10 @@ Flag = "DiscardPK" / ; The server should not include the newly generated private key as part of the response. - "Detach" ; Do not associate the newly created Onion Service + "Detach" / ; Do not associate the newly created Onion Service to the current control connection. + "BasicAuth" ; Client authorization is required using the "basic" + method.
VirtPort = The virtual TCP Port for the Onion Service (As in the HiddenServicePort "VIRTPORT" argument). @@ -1332,9 +1335,16 @@ Target = The (optional) target for the given VirtPort (As in the optional HiddenServicePort "TARGET" argument).
+ ClientName = An identifier 1 to 16 characters long, using only + characters in A-Za-z0-9+-_ (no spaces). + + ClientBlob = Authorization data for the client, in an opaque format + specific to the authorization method. + The server reply format is: "250-ServiceID=" ServiceID CRLF ["250-PrivateKey=" KeyType ":" KeyBlob CRLF] + *("250-ClientAuth=" ClientName ":" ClientBlob CRLF) "250 OK" CRLF
ServiceID = The Onion Service address without the trailing ".onion" @@ -1352,6 +1362,13 @@ way to recreate the generated keypair and the corresponding Onion Service at a later date).
+ If client authorization is enabled using the "BasicAuth" flag, the + service will not be accessible to clients without valid authorization + data (configured with the "HidServAuth" option). The list of authorized + clients is specified with one or more "ClientAuth" parameters. If + "ClientBlob" is not specified for a client, a new credential will be + randomly generated and returned. + Once created the new Onion Service will remain active until either the Onion Service is removed via "DEL_ONION", the server terminates, or the control connection that originated the "ADD_ONION" command is closed. @@ -1380,7 +1397,14 @@ S: 250-PrivateKey=RSA1024:[Blob Redacted] S: 250 OK
+ C: ADD_ONION NEW:BEST Flags=DiscardPK,BasicAuth Port=22 + ClientAuth=alice:[Blob Redacted] ClientAuth=bob + S: 250-ServiceID=testonion1234567 + S: 250-ClientAuth=bob:[Blob Redacted] + S: 250 OK + [ADD_ONION was added in Tor 0.2.7.1-alpha.] + [ClientAuth was added in Tor 0.x.x.x.]
3.28. DEL_ONION
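Review bot: The new syntax in the first hunk admits "ClientAuth=" parameters with any KeyType and flag set, but nothing says what the server does when ClientAuth is given without Flags=BasicAuth, or when BasicAuth is set with zero ClientAuth parameters; state both cases (accepted, ignored, or a specific error) so controller authors do not have to guess. Moving CRLF from the Port line to after the optional ClientAuth repetition is correct, and because ClientName's character set excludes ":" the optional ":" ClientBlob separator is unambiguous.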
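Review bot: In the Flags hunk, the "/" added after "Detach" fixes a pre-existing grammar error in the alternation (without it "Detach" and the new "BasicAuth" alternative do not parse as a list); that is an unrelated fix and deserves a sentence in the commit message. The comment on "BasicAuth" should also say whether at least one ClientAuth parameter is required, matching whatever rule the description section adopts.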
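Review bot: "A-Za-z0-9+-_" in the ClientName definition is ambiguous as written: in character-class notation "+-_" reads as a range, so a reader may not see that "+", "-" and "_" are the three extra characters intended; suggest "A-Za-z0-9 plus the characters '+', '-' and '_'". ClientBlob is described as opaque and method-specific, but for the only method defined here ("basic") the spec should give its concrete encoding and how it relates to the value a client configures in HidServAuth, otherwise a controller cannot construct a valid blob for a named client such as "alice". The reply format "*("250-ClientAuth=" ClientName ":" ClientBlob CRLF)" should state explicitly that only server-generated credentials are returned; the example implies this, the text does not.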
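Review bot: In the description hunk, "a new credential will be randomly generated and returned" should say where it is returned (the 250-ClientAuth reply line) and that a ClientBlob supplied by the controller is not echoed back. Since credentials appear in the response, clarify whether DiscardPK affects them (the example uses DiscardPK yet still returns bob's credential, so presumably not; say so). Consider also stating whether there is a limit on the number of ClientAuth entries and which error is returned for an invalid ClientName or ClientBlob.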
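Review bot: "[ClientAuth was added in Tor 0.x.x.x.]" in the example hunk is a placeholder version and must be filled in (or marked TODO) before this lands, since controllers use these notes to gate features. The example command is shown wrapped across two lines; as ADD_ONION is a single CRLF-terminated line, indent the continuation or note that the wrap is for display only. The exchange itself is consistent with the prose: alice supplies a blob and is not echoed, bob supplies none and receives a generated one.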
tor-commits@lists.torproject.org