[tor-commits] [torspec/master] prop304: Initial import for new SOCKS5 error code
asn at torproject.org
asn at torproject.org
Thu Jun 6 11:26:52 UTC 2019
commit 767df0b55af888f135174883d9bda29c05c2d7eb
Author: David Goulet <dgoulet at torproject.org>
Date: Wed May 22 14:47:59 2019 -0400
prop304: Initial import for new SOCKS5 error code
Part of #30382
Signed-off-by: David Goulet <dgoulet at torproject.org>
---
proposals/000-index.txt | 2 +
proposals/304-socks5-extending-hs-error-codes.txt | 109 ++++++++++++++++++++++
2 files changed, 111 insertions(+)
diff --git a/proposals/000-index.txt b/proposals/000-index.txt
index d10f917..b7f010c 100644
--- a/proposals/000-index.txt
+++ b/proposals/000-index.txt
@@ -224,6 +224,7 @@ Proposals by number:
301 Don't include package fingerprints in consensus documents [ACCEPTED]
302 Hiding onion service clients using padding [ACCEPTED]
303 When and how to remove support for protocol versions [DRAFT]
+304 Extending SOCKS5 Onion Service Error Codes [OPEN]
Proposals by status:
@@ -256,6 +257,7 @@ Proposals by status:
295 Using ADL for relay cryptography (solving the crypto-tagging attack)
296 Have Directory Authorities expose raw bandwidth list files
299 Preferring IPv4 or IPv6 based on IP Version Failure Count
+ 304 Extending SOCKS5 Onion Service Error Codes
ACCEPTED:
188 Bridge Guards and other anti-enumeration defenses
249 Allow CREATE cells with >505 bytes of handshake data
diff --git a/proposals/304-socks5-extending-hs-error-codes.txt b/proposals/304-socks5-extending-hs-error-codes.txt
new file mode 100644
index 0000000..2c62dea
--- /dev/null
+++ b/proposals/304-socks5-extending-hs-error-codes.txt
@@ -0,0 +1,109 @@
+Filename: 304-socks5-extending-hs-error-codes.txt
+Title: Extending SOCKS5 Onion Service Error Codes
+Author: David Goulet, George Kadianakis
+Created: 22-May-2019
+Status: Open
+
+Note: We are extending SOCKS5 here but in terms, when Tor Browser supports
+ HTTPCONNECT, we should not do that anymore.
+
+0. Abstract
+
+ We propose extending the SOCKS5 protocol to allow returning more meaningful
+ response failure onion service codes back to the client.
+
+ This is inspired by proposal 229 [PROP229] minus the new authentication
+ method.
+
+1. Introduction
+
+ The motivation behind this proposal is because we need a synchronous way to
+ return a reason on why the SOCKS5 connection failed.
+
+ The alternative is to use a control port event but then the caller needs to
+ match the SOCKS failure to the control event. And tor provides no guarantee
+ that a control event will be emitted before the SOCKS failure or vice
+ versa.
+
+ With this proposal, the client can get the reason on why the onion service
+ connection failed with the SOCKS5 returned error code.
+
+2. Proposal
+
+2.1. New SocksPort Flag
+
+ In order to have backward compatibility with third party applications that
+ do not support the new proposed SOCKS5 error code, we propose a new
+ SocksPort flag that needs to be set in the tor configuration file in order
+ for those code to be sent back.
+
+ The new SocksPort flag is:
+
+ "ExtendedErrors" -- Tor will report new SOCKS5 error code detailed below
+ in section 2.2 (once merged, they will end up in
+ socks-extension.txt).
+
+ It is possible that more codes will be added in the future so an
+ application using this flag should possibly expect unknown codes to be
+ returned.
+
+2.2. Onion Service Extended SOCKS5 Error Code
+
+ We introduce the following additional SOCKS5 reply codes to be sent in the
+ REP field of a SOCKS5 message iff the "ExtendedErrors" on the SocksPort is
+ set (see section 2.1 above).
+
+ The SOCKS5 specification [RFC1928] defines a range of code that are
+ "unassigned" so we'll be using those on the far end of the range in order
+ to inform the client of onion service failures:
+
+ Where:
+
+ * X'F0' Onion Service Descriptor Can Not be Found
+
+ The requested onion service descriptor can't be found on the hashring
+ and thus not reachable by the client.
+
+ * X'F1' Onion Service Descriptor Is Invalid
+
+ The requested onion service descriptor can't be parsed or signature
+ validation failed.
+
+ * X'F2' Onion Service Introduction Failed
+
+ Client failed to introduce to the service meaning the descriptor was
+ found but the service is not anymore at the introduction points. The
+ service has likely changed its descriptor or is not running.
+
+ * X'F3' Onion Service Rendezvous Failed
+
+ Client failed to rendezvous with the service which means that the client
+ is unable to finalize the connection.
+
+ * X'F4' Onion Service Missing Client Authorization
+
+ Tor was able to download the requested onion service descriptor but is
+ unable to decrypt its content because it is missing client authorization
+ information for it.
+
+ * X'F5' Onion Service Wrong Client Authorization
+
+ Tor was able to download the requested onion service descriptor but is
+ unable to decrypt its content using the client authorization information
+ it has. This means the client access were revoked.
+
+3. Compatibility
+
+ No new field or extension has been added. Only new code values from the
+ unassigned range are being used. We expect these to not be a problem for
+ backward compatibility.
+
+ These codes are only sent back if the new proposed SocksPort flag,
+ "ExtendedErrors", is set and making it easier for backward and foward
+ compatibility.
+
+References:
+
+[PROP229] https://gitweb.torproject.org/torspec.git/tree/proposals/229-further-socks5-extensions.txt
+
+[RFC1928] https://www.ietf.org/rfc/rfc1928.txt
More information about the tor-commits
mailing list