hs-v3: Return bad address SOCKS5 extended error

If ExtendedErrors is set for the SocksPort, an invalid .onion address now
returns the 0xF6 error code per prop304.

Closes #30022

Signed-off-by: David Goulet <dgoulet@torproject.org>

diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index ed9efb6fcab13f575629259b7a263243ac5b2b68..7b4db386eae429be8d8f6702c7c772cc868c447d 100644 (file)
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1418,37 +1418,43 @@ The following options are useful only for clients (that is, if
           X'F0' Onion Service Descriptor Can Not be Found
 
             The requested onion service descriptor can't be found on the
-            hashring and thus not reachable by the client.
+            hashring and thus not reachable by the client. (v3 only)
 
           X'F1' Onion Service Descriptor Is Invalid
 
             The requested onion service descriptor can't be parsed or
-            signature validation failed.
+            signature validation failed. (v3 only)
 
           X'F2' Onion Service Introduction Failed
 
             Client failed to introduce to the service meaning the descriptor
             was found but the service is not connected anymore to the
             introduction point. The service has likely changed its descriptor
-            or is not running.
+            or is not running. (v3 only)
 
           X'F3' Onion Service Rendezvous Failed
 
             Client failed to rendezvous with the service which means that the
-            client is unable to finalize the connection.
+            client is unable to finalize the connection. (v3 only)
 
           X'F4' Onion Service Missing Client Authorization
 
             Client was able to download the requested onion service descriptor
             but is unable to decrypt its content because it is missing client
-            authorization information.
+            authorization information. (v3 only)
 
           X'F5' Onion Service Wrong Client Authorization
 
             Client was able to download the requested onion service descriptor
             but is unable to decrypt its content using the client
             authorization information it has. This means the client access
-            were revoked.
+            were revoked. (v3 only)
+
+          X'F6' Onion Service Invalid Address
+
+            The given .onion address is invalid. In one of these cases this
+            error is returned: address checksum doesn't match, ed25519 public
+            key is invalid or the encoding is invalid. (v3 only)
 
 // Anchor only for formatting, not visible in the man page.
 [[SocksPortFlagsMisc]]::

diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c
index 4b4bcff2f42f4b774f024f3eef5de63c7ea1a3f7..8ab9d7d26ec020fbfe246991c7cbb7ba0d5a2695 100644 (file)
--- a/src/core/or/connection_edge.c
+++ b/src/core/or/connection_edge.c
@@ -2123,7 +2123,7 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
     control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
                                 escaped(socks->address));
     if (addresstype == ONION_V3_HOSTNAME) {
-      conn->socks_request->socks_extended_error_code = SOCKS5_HS_IS_INVALID;
+      conn->socks_request->socks_extended_error_code = SOCKS5_HS_BAD_ADDRESS;
     }
     connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
     return -1;

diff --git a/src/lib/net/socks5_status.h b/src/lib/net/socks5_status.h
index 47d9533d51c59263f647de90db3d3b770b6f2550..a2a479dd51051e05dfc9b33783200593d1878f43 100644 (file)
--- a/src/lib/net/socks5_status.h
+++ b/src/lib/net/socks5_status.h
@@ -36,6 +36,7 @@ typedef enum {
   SOCKS5_HS_REND_FAILED             = 0xF3,
   SOCKS5_HS_MISSING_CLIENT_AUTH     = 0xF4,
   SOCKS5_HS_BAD_CLIENT_AUTH         = 0xF5,
+  SOCKS5_HS_BAD_ADDRESS             = 0xF6,
 } socks5_reply_status_t;
 
 #endif /* !defined(TOR_SOCKS5_STATUS_H) */