[tor-dev] [RFC] control-spec: Specify add/remove/view client auth commands (client-side).
George Kadianakis
desnacked at riseup.net
Tue May 7 16:11:34 UTC 2019
George Kadianakis <desnacked at riseup.net> writes:
> Hello list,
>
> here is a control spec patch for adding v3 client auth commands to
> add/remove/view clients from the client-side (so Tor Browser -> Tor):
> https://github.com/torproject/torspec/pull/81/commits/3a26880e80617210b4729f96664ef9f0345b0b7c
>
> I'm currently unhappy with the naming of those commands, and in general
> with how easy it is to confuse them with the (non-existent) service-side
> commands. I'm wondering how to name them better so that when we add the
> respective service-side commands (at some point we should) there is no
> confusion.
>
Thanks for all the comments. I think I took everything into account, and
I'm inlining an updated version of the patch. My apologies if I forgot
something.
There will likely be updates (e.g. on the error codes) as we get to
implement this, because we always forget something.
Thanks for the feedback, very much appreciated! :)
---
+
+ 3.30. ONION_CLIENT_AUTH_ADD
+
+ The syntax is:
+ "ONION_CLIENT_AUTH_ADD" SP HSAddress
+ SP "X25519PrivKey=" PrivateKeyBlob
+ [SP "ClientName=" Nickname]
+ [SP "Type=" TYPE] CRLF
+
+ HSAddress = 56*Base32Character
+ PrivateKeyBlob = base64 encoding of x25519 key
+
+ Tells the connected Tor to add client-side v3 client auth credentials for the
+ onion service with "HSAddress". The "PrivateKeyBlob" is the x25519 private
+ key that should be used for this client, and "Nickname" is an optional
+ nickname for the client.
+
+ TYPE is a comma-separated tuple of types for this new client. For now, the
+ currently supported types are:
+ "Permanent" - This client's credentials should be stored in the filesystem.
+ If this is not set, the client's credentials are epheremal
+ and stored in memory.
+
+ On success, "250 OK" is returned. Otherwise, the following error codes exist:
+ 251 - Client with with this "PrivateKeyBlob" already existed.
+ 512 - Syntax error in "HSAddress", or "PrivateKeyBlob" or "Nickname"
+ 551 - Client with with this "Nickname" already exists
+
+ 3.31. ONION_CLIENT_AUTH_REMOVE
+
+ The syntax is:
+ "ONION_CLIENT_AUTH_REMOVE" SP HSAddress
+ SP "X25519PrivKey=" PrivateKeyBlob CRLF
+
+ Tells the connected Tor to remove the client-side v3 client auth credentials
+ for the onion service with "HSAddress" and client with key "PrivateKeyBlob".
+
+ On success "250 OK" is returned. Otherwise, the following error codes exist:
+ 512 - Syntax error in "HSAddress", or "PrivateKeyBlob".
+ 251 - Client with "PrivateKeyBlob" did not exist.
+
+ 3.32. ONION_CLIENT_AUTH_VIEW
+
+ The syntax is:
+ "ONION_CLIENT_AUTH_VIEW" [SP HSAddress] CRLF
+
+ Tells the connected Tor to list all the stored client-side v3 client auth
+ credentials for "HSAddress". If no "HSAddress" is provided, list all the
+ stored client-side v3 client auth credentials.
+
+ The server reply format is:
+ "250-ONION_CLIENT_AUTH_VIEW" [SP HSAddress] CRLF
+ *("250-CLIENT X25519PrivKey=" PrivateKeyBlob
+ [SP "ClientName=" Nickname]
+ [SP "Type=" TYPE] CRLF)
+ "250 OK" CRLF
+
+ Where "PrivateKeyBlob" is the x25519 private key of this client. "Nickname"
+ is an optional nickname for this client, which can be set either through the
+ ONION_CLIENT_AUTH_ADD command, or it's the filename of this client if the
+ credentials are stored in the filesystem.
+
+ TYPE is a comma-separated field of types for this client, the currently
+ supported types are:
+ "Permanent" - This client's credentials are stored in the filesystem.
+
+ On success "250 OK" is returned. Otherwise, the following error codes exist:
+ 512 - Syntax error in "HSAddress".
+
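Review bot: In 3.30 the syntax references Nickname and TYPE, but the grammar beneath it only defines HSAddress and PrivateKeyBlob; add productions for both (as is done for HSAddress) so the "512 - Syntax error in ... Nickname" result has a definition to check against, and say whether an absent "Type=" is exactly equivalent to an empty tuple. In 3.32 the reply hands the full x25519 private key back to the controller (`*("250-CLIENT X25519PrivKey=" PrivateKeyBlob`); if that is intended, state it explicitly in the description, since any controller that can issue ONION_CLIENT_AUTH_VIEW then receives persistent key material, and consider whether 3.31 should also accept "ClientName=" so a credential can be removed without the controller resending the private key. The error lists are ordered 251, 512, 551 in 3.30 but 512, 251 in 3.31; use one ordering, and align the wording ("already existed" vs. "did not exist"). Typos: "epheremal" in the "Permanent" description, and "with with" in both the 251 and 551 lines of 3.30.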