[tor-commits] [torspec/master] prop304: Initial import for new SOCKS5 error code

asn at torproject.org asn at torproject.org
Thu Jun 6 11:26:52 UTC 2019 

commit 767df0b55af888f135174883d9bda29c05c2d7eb
Author: David Goulet <dgoulet at torproject.org>
Date:   Wed May 22 14:47:59 2019 -0400

    prop304: Initial import for new SOCKS5 error code
    
    Part of #30382
    
    Signed-off-by: David Goulet <dgoulet at torproject.org>
---
 proposals/000-index.txt                           |   2 +
 proposals/304-socks5-extending-hs-error-codes.txt | 109 ++++++++++++++++++++++
 2 files changed, 111 insertions(+)

diff --git a/proposals/000-index.txt b/proposals/000-index.txt
index d10f917..b7f010c 100644
--- a/proposals/000-index.txt
+++ b/proposals/000-index.txt
@@ -224,6 +224,7 @@ Proposals by number:
 301  Don't include package fingerprints in consensus documents [ACCEPTED]
 302  Hiding onion service clients using padding [ACCEPTED]
 303  When and how to remove support for protocol versions [DRAFT]
+304  Extending SOCKS5 Onion Service Error Codes [OPEN]
 
 
 Proposals by status:
@@ -256,6 +257,7 @@ Proposals by status:
    295  Using ADL for relay cryptography (solving the crypto-tagging attack)
    296  Have Directory Authorities expose raw bandwidth list files
    299  Preferring IPv4 or IPv6 based on IP Version Failure Count
+   304  Extending SOCKS5 Onion Service Error Codes
  ACCEPTED:
    188  Bridge Guards and other anti-enumeration defenses
    249  Allow CREATE cells with >505 bytes of handshake data
diff --git a/proposals/304-socks5-extending-hs-error-codes.txt b/proposals/304-socks5-extending-hs-error-codes.txt
new file mode 100644
index 0000000..2c62dea
--- /dev/null
+++ b/proposals/304-socks5-extending-hs-error-codes.txt
@@ -0,0 +1,109 @@
+Filename: 304-socks5-extending-hs-error-codes.txt
+Title: Extending SOCKS5 Onion Service Error Codes
+Author: David Goulet, George Kadianakis
+Created: 22-May-2019
+Status: Open
+
+Note: We are extending SOCKS5 here but in terms, when Tor Browser supports
+      HTTPCONNECT, we should not do that anymore.
+
+0. Abstract
+
+   We propose extending the SOCKS5 protocol to allow returning more meaningful
+   response failure onion service codes back to the client.
+
+   This is inspired by proposal 229 [PROP229] minus the new authentication
+   method.
+
+1. Introduction
+
+   The motivation behind this proposal is because we need a synchronous way to
+   return a reason on why the SOCKS5 connection failed.
+
+   The alternative is to use a control port event but then the caller needs to
+   match the SOCKS failure to the control event. And tor provides no guarantee
+   that a control event will be emitted before the SOCKS failure or vice
+   versa.
+
+   With this proposal, the client can get the reason on why the onion service
+   connection failed with the SOCKS5 returned error code.
+
+2. Proposal
+
+2.1. New SocksPort Flag
+
+   In order to have backward compatibility with third party applications that
+   do not support the new proposed SOCKS5 error code, we propose a new
+   SocksPort flag that needs to be set in the tor configuration file in order
+   for those code to be sent back.
+
+   The new SocksPort flag is:
+
+      "ExtendedErrors" -- Tor will report new SOCKS5 error code detailed below
+                          in section 2.2 (once merged, they will end up in
+                          socks-extension.txt).
+
+   It is possible that more codes will be added in the future so an
+   application using this flag should possibly expect unknown codes to be
+   returned.
+
+2.2. Onion Service Extended SOCKS5 Error Code
+
+   We introduce the following additional SOCKS5 reply codes to be sent in the
+   REP field of a SOCKS5 message iff the "ExtendedErrors" on the SocksPort is
+   set (see section 2.1 above).
+
+   The SOCKS5 specification [RFC1928] defines a range of code that are
+   "unassigned" so we'll be using those on the far end of the range in order
+   to inform the client of onion service failures:
+
+   Where:
+
+    * X'F0' Onion Service Descriptor Can Not be Found
+
+      The requested onion service descriptor can't be found on the hashring
+      and thus not reachable by the client.
+
+    * X'F1' Onion Service Descriptor Is Invalid
+
+      The requested onion service descriptor can't be parsed or signature
+      validation failed.
+
+    * X'F2' Onion Service Introduction Failed
+
+      Client failed to introduce to the service meaning the descriptor was
+      found but the service is not anymore at the introduction points. The
+      service has likely changed its descriptor or is not running.
+
+    * X'F3' Onion Service Rendezvous Failed
+
+      Client failed to rendezvous with the service which means that the client
+      is unable to finalize the connection.
+
+    * X'F4' Onion Service Missing Client Authorization
+
+      Tor was able to download the requested onion service descriptor but is
+      unable to decrypt its content because it is missing client authorization
+      information for it.
+
+    * X'F5' Onion Service Wrong Client Authorization
+
+      Tor was able to download the requested onion service descriptor but is
+      unable to decrypt its content using the client authorization information
+      it has. This means the client access were revoked.
+
+3. Compatibility
+
+   No new field or extension has been added. Only new code values from the
+   unassigned range are being used. We expect these to not be a problem for
+   backward compatibility.
+
+   These codes are only sent back if the new proposed SocksPort flag,
+   "ExtendedErrors", is set and making it easier for backward and foward
+   compatibility.
+
+References:
+
+[PROP229] https://gitweb.torproject.org/torspec.git/tree/proposals/229-further-socks5-extensions.txt
+
+[RFC1928] https://www.ietf.org/rfc/rfc1928.txt

More information about the tor-commits mailing list