From 35c4185c7131e762cd5d100a3d61b9438cb403b5 Mon Sep 17 00:00:00 2001
From: Mickael E
Date: Wed, 30 Jan 2019 11:29:53 -0500
Subject: [PATCH 1/2] Declare onion services as v2 for existing installs

This will modify the torrc file in place to explicitly declare current onion services as v2 onion services.
---
 install_files/securedrop-config/DEBIAN/postinst | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/install_files/securedrop-config/DEBIAN/postinst b/install_files/securedrop-config/DEBIAN/postinst
index 1fef8bfad7..18db2c95f1 100755
--- a/install_files/securedrop-config/DEBIAN/postinst
+++ b/install_files/securedrop-config/DEBIAN/postinst
@@ -39,6 +39,16 @@ allow_apt_user_in_iptables() {
             "$rules_v4"
     fi
 }
+# Tor 0.3.5.x series now defaults to v3 onion URLs, but SecureDrop currently
+# uses v2 onion URLs. We must explictly set this definition in torrc to avoid
+# breakage when upgrading from Tor 0.3.4.x to 0.3.5.x.
+set_v2_hidserv_in_torrc() {
+    if [ -f /etc/tor/torrc ]; then
+        if ! grep -q HiddenServiceVersion /etc/tor/torrc ; then
+            perl -pi -e 's/^(HiddenServiceDir.*)$/$1\nHiddenServiceVersion 2/' /etc/tor/torrc
+        fi
+    fi
+}
 
 case "$1" in
     configure)
@@ -61,6 +71,7 @@ case "$1" in
         fi
 
         allow_apt_user_in_iptables
+        set_v2_hidserv_in_torrc
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

From 17a8fa33e87847286dc32aef744224b619896687 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Fri, 1 Feb 2019 15:41:38 -0800
Subject: [PATCH 2/2] Adds config tests for v2 services in torrc

Each hidden service declaration provided by the test vars must have "HiddenServiceVersion 2" immediately after the dir in the torrc. At a later date we may want to templatize these values, but for now we only support v2 Onion URLs for SD, so hardcoding is fine.
---
 .../staging/app/test_tor_hidden_services.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

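Review bot: The guard `grep -q HiddenServiceVersion /etc/tor/torrc` in set_v2_hidserv_in_torrc is unanchored and file-wide: a commented-out `#HiddenServiceVersion` line, or a single service that already carries a version directive, suppresses the insertion for every HiddenServiceDir block, leaving the other services to fall back to Tor's new v3 default — exactly the breakage the header comment is trying to prevent. Anchoring the guard, `if ! grep -q '^HiddenServiceVersion' /etc/tor/torrc ; then`, closes the commented-line case; the mixed-file case deserves at least a stated assumption, e.g. `# Assumes torrc is all-or-nothing: either no service has a HiddenServiceVersion line, or every one does.` The perl substitution also rewrites torrc in place with no backup; `perl -pi.bak -e ...` would keep the prior configuration for recovery should the edit produce a file tor rejects. The header comment's "explictly" is a typo for "explicitly".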
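Review bot: set_v2_hidserv_in_torrc is called in the configure branch right after allow_apt_user_in_iptables, but nothing in this hunk reloads tor after torrc has been rewritten, so a running daemon keeps the implicit-version configuration until its next restart. If the rest of the configure branch, which lies outside the hunk, does not already signal tor, a `service tor reload` after the call (or a comment stating that the change only takes effect on the next tor restart) would make the behaviour explicit. A one-line comment above the call, such as `# Idempotent: only edits torrc when no HiddenServiceVersion line is present yet.`, would also tell the next maintainer why it is safe to run on every configure. The enclosing case statement starts and ends outside the hunk.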
diff --git a/molecule/testinfra/staging/app/test_tor_hidden_services.py b/molecule/testinfra/staging/app/test_tor_hidden_services.py
index 2ab36faf1a..33816e1046 100644
--- a/molecule/testinfra/staging/app/test_tor_hidden_services.py
+++ b/molecule/testinfra/staging/app/test_tor_hidden_services.py
@@ -54,7 +54,7 @@ def test_tor_service_hostnames(File, Sudo, tor_service):
 
 
 @pytest.mark.parametrize('tor_service', sdvars.tor_services)
-def test_tor_services_config(File, tor_service):
+def test_tor_services_config(host, tor_service):
     """
     Ensure torrc file contains relevant lines for Hidden Service declarations.
     All hidden services must include:
@@ -68,7 +68,7 @@ def test_tor_services_config(File, tor_service):
     Check for each as appropriate.
     """
 
-    f = File("/etc/tor/torrc")
+    f = host.file("/etc/tor/torrc")
     dir_regex = "HiddenServiceDir /var/lib/tor/services/{}".format(
         tor_service['name'])
     # We need at least one port, but it may be used for both config values.
@@ -80,13 +80,23 @@ def test_tor_services_config(File, tor_service):
     except IndexError:
         local_port = remote_port
 
+    # Ensure that service is hardcoded to v2, for compatibility
+    # with newer versions of Tor, which default to v3.
+    version_string = "HiddenServiceVersion 2"
+
     port_regex = "HiddenServicePort {} 127.0.0.1:{}".format(
         remote_port, local_port)
     assert f.contains("^{}$".format(dir_regex))
     assert f.contains("^{}$".format(port_regex))
 
+    service_regex = "\n".join([dir_regex, version_string, port_regex])
+
     if tor_service['authenticated']:
         auth_regex = "HiddenServiceAuthorizeClient stealth {}".format(
             tor_service['client'])
         assert f.contains("^{}$".format(auth_regex))
+        service_regex += "\n{}".format(auth_regex)
+
+    # Check for block in file, to ensure declaration order
+    assert service_regex in f.content_string
 
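Review bot: `service_regex` is built with `"\n".join(...)` and checked via `service_regex in f.content_string`, which is an exact, newline-sensitive substring match rather than a regex, so the name is misleading and the assertion fails on any torrc that places a comment or blank line between `HiddenServiceDir` and `HiddenServiceVersion 2`, or that uses CRLF line endings. Renaming it `service_block` and replacing the trailing comment with `# Exact substring match: these directives must be adjacent, in this order, with no intervening lines` would make the contract explicit for whoever templatizes these values later. Because the earlier `f.contains("^{}$".format(...))` checks treat `dir_regex` and `port_regex` as regexes while this check treats them as literals, the test silently relies on the service names and ports containing no regex metacharacters; a short comment noting that dual use would help. The function test_tor_services_config begins in an earlier hunk, so its signature is outside this one.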