commit 767df0b55af888f135174883d9bda29c05c2d7eb Author: David Goulet <dgoulet@torproject.org> Date: Wed May 22 14:47:59 2019 -0400 prop304: Initial import for new SOCKS5 error code Part of #30382 Signed-off-by: David Goulet <dgoulet@torproject.org> --- proposals/000-index.txt | 2 + proposals/304-socks5-extending-hs-error-codes.txt | 109 ++++++++++++++++++++++ 2 files changed, 111 insertions(+) diff --git a/proposals/000-index.txt b/proposals/000-index.txt index d10f917..b7f010c 100644 --- a/proposals/000-index.txt +++ b/proposals/000-index.txt @@ -224,6 +224,7 @@ Proposals by number: 301 Don't include package fingerprints in consensus documents [ACCEPTED] 302 Hiding onion service clients using padding [ACCEPTED] 303 When and how to remove support for protocol versions [DRAFT] +304 Extending SOCKS5 Onion Service Error Codes [OPEN] Proposals by status: @@ -256,6 +257,7 @@ Proposals by status: 295 Using ADL for relay cryptography (solving the crypto-tagging attack) 296 Have Directory Authorities expose raw bandwidth list files 299 Preferring IPv4 or IPv6 based on IP Version Failure Count + 304 Extending SOCKS5 Onion Service Error Codes ACCEPTED: 188 Bridge Guards and other anti-enumeration defenses 249 Allow CREATE cells with >505 bytes of handshake data diff --git a/proposals/304-socks5-extending-hs-error-codes.txt b/proposals/304-socks5-extending-hs-error-codes.txt new file mode 100644 index 0000000..2c62dea --- /dev/null +++ b/proposals/304-socks5-extending-hs-error-codes.txt @@ -0,0 +1,109 @@ +Filename: 304-socks5-extending-hs-error-codes.txt +Title: Extending SOCKS5 Onion Service Error Codes +Author: David Goulet, George Kadianakis +Created: 22-May-2019 +Status: Open + +Note: We are extending SOCKS5 here but in terms, when Tor Browser supports + HTTPCONNECT, we should not do that anymore. + +0. Abstract + + We propose extending the SOCKS5 protocol to allow returning more meaningful + response failure onion service codes back to the client. + + This is inspired by proposal 229 [PROP229] minus the new authentication + method. + +1. Introduction + + The motivation behind this proposal is because we need a synchronous way to + return a reason on why the SOCKS5 connection failed. + + The alternative is to use a control port event but then the caller needs to + match the SOCKS failure to the control event. And tor provides no guarantee + that a control event will be emitted before the SOCKS failure or vice + versa. + + With this proposal, the client can get the reason on why the onion service + connection failed with the SOCKS5 returned error code. + +2. Proposal + +2.1. New SocksPort Flag + + In order to have backward compatibility with third party applications that + do not support the new proposed SOCKS5 error code, we propose a new + SocksPort flag that needs to be set in the tor configuration file in order + for those code to be sent back. + + The new SocksPort flag is: + + "ExtendedErrors" -- Tor will report new SOCKS5 error code detailed below + in section 2.2 (once merged, they will end up in + socks-extension.txt). + + It is possible that more codes will be added in the future so an + application using this flag should possibly expect unknown codes to be + returned. + +2.2. Onion Service Extended SOCKS5 Error Code + + We introduce the following additional SOCKS5 reply codes to be sent in the + REP field of a SOCKS5 message iff the "ExtendedErrors" on the SocksPort is + set (see section 2.1 above). + + The SOCKS5 specification [RFC1928] defines a range of code that are + "unassigned" so we'll be using those on the far end of the range in order + to inform the client of onion service failures: + + Where: + + * X'F0' Onion Service Descriptor Can Not be Found + + The requested onion service descriptor can't be found on the hashring + and thus not reachable by the client. + + * X'F1' Onion Service Descriptor Is Invalid + + The requested onion service descriptor can't be parsed or signature + validation failed. + + * X'F2' Onion Service Introduction Failed + + Client failed to introduce to the service meaning the descriptor was + found but the service is not anymore at the introduction points. The + service has likely changed its descriptor or is not running. + + * X'F3' Onion Service Rendezvous Failed + + Client failed to rendezvous with the service which means that the client + is unable to finalize the connection. + + * X'F4' Onion Service Missing Client Authorization + + Tor was able to download the requested onion service descriptor but is + unable to decrypt its content because it is missing client authorization + information for it. + + * X'F5' Onion Service Wrong Client Authorization + + Tor was able to download the requested onion service descriptor but is + unable to decrypt its content using the client authorization information + it has. This means the client access were revoked. + +3. Compatibility + + No new field or extension has been added. Only new code values from the + unassigned range are being used. We expect these to not be a problem for + backward compatibility. + + These codes are only sent back if the new proposed SocksPort flag, + "ExtendedErrors", is set and making it easier for backward and foward + compatibility. + +References: + +[PROP229] https://gitweb.torproject.org/torspec.git/tree/proposals/229-further-socks5-... + +[RFC1928] https://www.ietf.org/rfc/rfc1928.txt