This could never be a full rustdoc test, since rustdoc never
runs tests for private items. Even if it were a rustdoc test,
it uses a bunch of types that aren't exposed in the right places,
and it invokes nonexistent functions, and it assumes a `self`
that isn't there.
In lieu of writing a new untested test, I've added a note to refer
the developer to where they can find working example code.
The consensus includes a listing for clients and for relays,
saying which protocol versions are _required_ for participation on
the network, and which versions are _recommended_. We have been
parsing this, but not yet exposing it.
This commit adds accessors to expose it, since we'll need that in
order to create CircTargets for introduction points and rendezvous
points.
This does the following:
- Gives every crate a `full`.
- Cause every `full` to depend on `full` from the lower-level
crates.
- Makes every feature listed _directly_ in `experimental` depend
on `__is_experimental`.
`parse_decrypt_validate` will need to "peek" inside an encrypted
descriptor (before validating it) to extract the `TimerangeBound` of the
inner layer. This is needed to compute the intersection of the
`TimerangeBound`s of both layers.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
This makes `descriptor_ensure` refetch the descriptor if either of its
layers (inner or outer) expires.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
This makes `descriptor_ensure` refetch the descriptor if it has been
cached for longer than `descriptor-lifetime` minutes.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
`parse_decrypt_validate` was marked as experimental because it was
unclear if the newly added `BadTimeBound` error kind belongs in
`ParseErrorKind`. However, we have since renamed `ParseErrorKind` to
`NetdocErrorKind` and decided to keep the new variant, so this API
doesn't need to be experimental anymore.
Closes arti #852
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
`ParseErrorSource` was originally meant to represent a parsing error,
this enum has since gained some variants that aren't really parsing
related (`Signature`, `CertSignature`, `UntimelyDescriptor`).
Since this error type is now used for general-purpose netdoc errors,
let's rename `ParseError{Kind, Source}` to `NetdocError{Kind, Source}`.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
This adds an example to the `HsDesc::parse` docs. The constants from the
example are lifted from the `parse_desc_good` test.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
This adds the `HsDesc::parse_decrypt_validate` method, which parses,
decrypts, and validates HS descriptors.
Closes#809
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
Otherwise there is too much risk of accidentally adding in another
1<<12 when we meant to add a 1<<13.
(It would be neat to have an alternative to bitflags here that would
auto-number our bitflags for us.)
1. Abbreviate the link text, and don't have it contain `crate`
which is not really great in docs.
2. Use `super::` for the link target, to find the right thing.
(`crate` doesn't seem to work in rustdoc, perhaps deliberately,
although the error messages are ridiculous and claim the
nonexistence of intermediate modules.)
3. Wrap the lines a bit more.
Fixes
cargo +stable test --locked --offline F -p tor-netdoc
cargo +stable clippy -p tor-netdoc F --all-targets
for values of F including
--all-features
--features=hs-client
--features=hs-common
--features=hs-service
(nothing)
Previously, to build descriptors for hidden services with client auth
enabled, in addition to the list of authorized clients, users of
`HsDescBuilder` were required to also provide a descriptor encryption
keypair and a descriptor cookie. This was potentially dangerous and/or
error-prone, because the ephemeral encryption key and the descriptor
cookie are expected to be randomly generated and unique for each
descriptor.
This change makes `ClientAuth` private to the `hsdesc::build` module and
updates `HsDescBuilder` to build `ClientAuth`s internally. Users now
only need to provide the list of authorized client public keys.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
This adds a test for an `encode -> decode -> encode` flow for a hidden
service descriptor with client authorization enabled.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
`AuthClient`s were originally meant to represent parsed `auth-client`
lines. In !1070, this struct was repurposed for representing individual
authorized clients in the HS descriptor encoder. However, hidden
services will likely use a list of public keys to represent the
authorized clients rather than a list of `AuthClient`s, as the
information from an `AuthClient` (`client_id`, `iv`, `encrypted_cookie`)
likely won't be immediately available to the hidden service.
This change updates the HS descriptor encoder to represent authorized
clients as a list of `curve25519::PublicKey`s. As such, it is now the
responsibility of the encoder to create the `client_id`, `iv`, and
`encrypted_cookie` using the available keys, the unencrypted descriptor
cookie, and HS subcredential.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
These crates had no changes until just a moment ago. But since
we updated the versions on some of their dependents, they have now
changed themselves. Thus they get patchlevel bumps.
```
tor-rtmock
tor-protover
tor-socksproto
tor-consdiff
tor-chanmgr
tor-dirclient
tor-hsservice
```
For these crates, the changes are nontrivial, so we
_do_ bump the versions on which their dependent crates depend.
Fortunately, since they are all pre-1.0, we don't need to
distinguish semver-additions from other changes. (Except for arti,
which _is_ post-1.0, but gets a patchlevel bump anyway.)
These are unstable crates with breaking changes:
```
tor-hscrypto
tor-hsclient
```
These have new or extended APIs:
```
safelog
tor-bytes
tor-cell
tor-linkspec
tor-llcrypto
tor-proto
tor-cert
arti-client
```
These have new unstable APIs or features:
```
tor-netdoc
tor-circmgr (also broke some unstable APIs)
arti (is post-1.0)
```
These have bugfixes only:
```
caret
tor-dirmgr
```
This fixes a broken doc link I introduced in !1070:
```
error: unresolved link to `crate::doc::hsdesc::build::inner::HsDescInnerBuilder`
--> crates/tor-netdoc/src/doc/hsdesc/build/middle.rs:34:11
|
34 | /// [`crate::doc::hsdesc::build::inner::HsDescInnerBuilder`] as described in sections
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ no item named `HsDescInnerBuilder` in module `inner`
|
= note: `-D rustdoc::broken-intra-doc-links` implied by `-D warnings`
error: could not document `tor-netdoc`
```
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
Hidden services use blinded singing keys derived from the identity key
to sign descriptor signing keys.
Before this patch, the hidden descriptor builder represented its blinded
signing keys (`blinded_id`) as plain `ed25519::Keypair`s. This was not
ideal, as there was nothing preventing the caller from accidentally
initializing `blinded_id` with an unblinded keypair.
This introduces a new `HsBlindKeypair` type to represent blinded
keypairs.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
`NetdocText` is a wrapper around a `String` and a type marker. The type
annotation proved of limited use, and made the netdoc builder API
somewhat awkward to use.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
Unlike `hsdesc::IntroPointDesc`, `hsdesc::build::IntroPointDesc`
represents link specifiers as `LinkSpec`s rather than
`UnparsedLinkSpec`s.
Since this is a general-purpose representation of an introduction point
and not merely an intermediate representation for decoding/encoding, it
will probably need to be factored out of `tor-netdoc` at some point.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
This introduces the `NetdocBuilder` trait described in
`netdoc-builder.md` and a new `tor-netdoc::doc::hsdesc::build` module,
which exports the `HsDescBuilder`. Hidden services will use
`HsDescBuilder` to build and encode hidden service descriptors.
There are several TODOs in the code that I'm planning to address
separately.
Partially addresses #745.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
These are used in multiple places (and will also be used by the HS
descriptor encoder later on), so let's make them named constants.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
This makes some code a bit more concise, as it allows us to make
`Strings` into `ItemArgument`s without calling `.as_str()`.
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
This makes our implementation behave the same as the C tor
implementation, by validating all of the expiration and signatures
on the certificates in the inner document.
(It is still not semantically necessary to check these certs: the
document in which they appear is already signed by the key with
which they are allegedly signed.)
Closes#744
These crates have had small code changes, but no API additions:
tor-config
tor-socksproto
tor-cert
tor-chanmgr
tor-ptmgr
tor-guardmgr
tor-circmgr
tor-dirclient
tor-dirmgr
arti
tor-hsservice
tor-congestion
These crates have had API extensions:
fs-mistrust
tor-llcrypto
tor-bytes
tor-checkable
tor-linkspec
tor-netdoc
tor-persist
arti-client
These are API breaks, but the crates themselves are currently
100% experimental, so there's no need to bump the minor versions
according to our semver rules.
It said to check whether C enforces an absence of extraneous bytes
at the end of the link specifiers. It does, in
`hs_desc.c:decode_link_specifiers()`, where it says:
```
if (link_specifier_list_parse(&specs, decoded,
(size_t) decoded_len) < decoded_len) {
goto err;
}
```
The comparison with "decoded_len" checks whether all the bytes were
decoded.
There's a blanket impl of Itertor for &mut impl Iterator, so this
isn't necessary, and it prevents us passing iterators by value
producing syntactic vinegar.
We want to fuzz these parsers, but there's no currently way to get
at the parsers for inner documents without going through a lot of
encryption. (Coverage-guided fuzzers are powerful, but they
can't find SHA3 preimages.)