control-spec-v0.txt 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499
  1. $Id$
  2. TC: A Tor control protocol (Version 0)
  3. -1. Deprecation
  4. THIS PROTOCOL IS DEPRECATED. It is still documented here because Tor
  5. 0.1.1.x happens to support much of it; but the support for v0 is not
  6. maintained, so you should expect it to rot in unpredictable ways. Support
  7. for v0 will be removed some time after Tor 0.1.2.
  8. 0. Scope
  9. This document describes an implementation-specific protocol that is used
  10. for other programs (such as frontend user-interfaces) to communicate
  11. with a locally running Tor process. It is not part of the Tor onion
  12. routing protocol.
  13. We're trying to be pretty extensible here, but not infinitely
  14. forward-compatible.
  15. 1. Protocol outline
  16. TC is a bidirectional message-based protocol. It assumes an underlying
  17. stream for communication between a controlling process (the "client") and
  18. a Tor process (the "server"). The stream may be implemented via TCP,
  19. TLS-over-TCP, a Unix-domain socket, or so on, but it must provide
  20. reliable in-order delivery. For security, the stream should not be
  21. accessible by untrusted parties.
  22. In TC, the client and server send typed variable-length messages to each
  23. other over the underlying stream. By default, all messages from the server
  24. are in response to messages from the client. Some client requests, however,
  25. will cause the server to send messages to the client indefinitely far into
  26. the future.
  27. Servers respond to messages in the order they're received.
  28. 2. Message format
  29. The messages take the following format:
  30. Length [2 octets; big-endian]
  31. Type [2 octets; big-endian]
  32. Body [Length octets]
  33. Upon encountering a recognized Type, implementations behave as described in
  34. section 3 below. If the type is not recognized, servers respond with an
  35. "ERROR" message (code UNRECOGNIZED; see 3.1 below), and clients simply ignore
  36. the message.
  37. 2.1. Types and encodings
  38. All numbers are given in big-endian (network) order.
  39. OR identities are given in hexadecimal, in the same format as identity key
  40. fingerprints, but without spaces; see tor-spec.txt for more information.
  41. 3. Message types
  42. Message types are drawn from the following ranges:
  43. 0x0000-0xEFFF : Reserved for use by official versions of this spec.
  44. 0xF000-0xFFFF : Unallocated; usable by unofficial extensions.
  45. 3.1. ERROR (Type 0x0000)
  46. Sent in response to a message that could not be processed as requested.
  47. The body of the message begins with a 2-byte error code. The following
  48. values are defined:
  49. 0x0000 Unspecified error
  50. []
  51. 0x0001 Internal error
  52. [Something went wrong inside Tor, so that the client's
  53. request couldn't be fulfilled.]
  54. 0x0002 Unrecognized message type
  55. [The client sent a message type we don't understand.]
  56. 0x0003 Syntax error
  57. [The client sent a message body in a format we can't parse.]
  58. 0x0004 Unrecognized configuration key
  59. [The client tried to get or set a configuration option we don't
  60. recognize.]
  61. 0x0005 Invalid configuration value
  62. [The client tried to set a configuration option to an
  63. incorrect, ill-formed, or impossible value.]
  64. 0x0006 Unrecognized byte code
  65. [The client tried to set a byte code (in the body) that
  66. we don't recognize.]
  67. 0x0007 Unauthorized.
  68. [The client tried to send a command that requires
  69. authorization, but it hasn't sent a valid AUTHENTICATE
  70. message.]
  71. 0x0008 Failed authentication attempt
  72. [The client sent a well-formed authorization message.]
  73. 0x0009 Resource exhausted
  74. [The server didn't have enough of a given resource to
  75. fulfill a given request.]
  76. 0x000A No such stream
  77. 0x000B No such circuit
  78. 0x000C No such OR
  79. The rest of the body should be a human-readable description of the error.
  80. In general, new error codes should only be added when they don't fall under
  81. one of the existing error codes.
  82. 3.2. DONE (Type 0x0001)
  83. Sent from server to client in response to a request that was successfully
  84. completed, with no more information needed. The body is usually empty but
  85. may contain a message.
  86. 3.3. SETCONF (Type 0x0002)
  87. Change the value of a configuration variable. The body contains a list of
  88. newline-terminated key-value configuration lines. An individual key-value
  89. configuration line consists of the key, followed by a space, followed by
  90. the value. The server behaves as though it had just read the key-value pair
  91. in its configuration file.
  92. The server responds with a DONE message on success, or an ERROR message on
  93. failure.
  94. When a configuration options takes multiple values, or when multiple
  95. configuration keys form a context-sensitive group (see below), then
  96. setting _any_ of the options in a SETCONF command is taken to reset all of
  97. the others. For example, if two ORBindAddress values are configured,
  98. and a SETCONF command arrives containing a single ORBindAddress value, the
  99. new command's value replaces the two old values.
  100. To _remove_ all settings for a given option entirely (and go back to its
  101. default value), send a single line containing the key and no value.
  102. 3.4. GETCONF (Type 0x0003)
  103. Request the value of a configuration variable. The body contains one or
  104. more NL-terminated strings for configuration keys. The server replies
  105. with a CONFVALUE message.
  106. If an option appears multiple times in the configuration, all of its
  107. key-value pairs are returned in order.
  108. Some options are context-sensitive, and depend on other options with
  109. different keywords. These cannot be fetched directly. Currently there
  110. is only one such option: clients should use the "HiddenServiceOptions"
  111. virtual keyword to get all HiddenServiceDir, HiddenServicePort,
  112. HiddenServiceNodes, and HiddenServiceExcludeNodes option settings.
  113. 3.5. CONFVALUE (Type 0x0004)
  114. Sent in response to a GETCONF message; contains a list of "Key Value\n"
  115. (A non-whitespace keyword, a single space, a non-NL value, a NL)
  116. strings.
  117. 3.6. SETEVENTS (Type 0x0005)
  118. Request the server to inform the client about interesting events.
  119. The body contains a list of 2-byte event codes (see "event" below).
  120. Any events *not* listed in the SETEVENTS body are turned off; thus, sending
  121. SETEVENTS with an empty body turns off all event reporting.
  122. The server responds with a DONE message on success, and an ERROR message
  123. if one of the event codes isn't recognized. (On error, the list of active
  124. event codes isn't changed.)
  125. 3.7. EVENT (Type 0x0006)
  126. Sent from the server to the client when an event has occurred and the
  127. client has requested that kind of event. The body contains a 2-byte
  128. event code followed by additional event-dependent information. Event
  129. codes are:
  130. 0x0001 -- Circuit status changed
  131. Status [1 octet]
  132. 0x00 Launched - circuit ID assigned to new circuit
  133. 0x01 Built - all hops finished, can now accept streams
  134. 0x02 Extended - one more hop has been completed
  135. 0x03 Failed - circuit closed (was not built)
  136. 0x04 Closed - circuit closed (was built)
  137. Circuit ID [4 octets]
  138. (Must be unique to Tor process/time)
  139. Path [NUL-terminated comma-separated string]
  140. (For extended/failed, is the portion of the path that is
  141. built)
  142. 0x0002 -- Stream status changed
  143. Status [1 octet]
  144. (Sent connect=0,sent resolve=1,succeeded=2,failed=3,
  145. closed=4, new connection=5, new resolve request=6,
  146. stream detached from circuit and still retriable=7)
  147. Stream ID [4 octets]
  148. (Must be unique to Tor process/time)
  149. Target (NUL-terminated address-port string]
  150. 0x0003 -- OR Connection status changed
  151. Status [1 octet]
  152. (Launched=0,connected=1,failed=2,closed=3)
  153. OR nickname/identity [NUL-terminated]
  154. 0x0004 -- Bandwidth used in the last second
  155. Bytes read [4 octets]
  156. Bytes written [4 octets]
  157. 0x0005 -- Notice/warning/error occurred
  158. Message [NUL-terminated]
  159. <obsolete: use 0x0007-0x000B instead.>
  160. 0x0006 -- New descriptors available
  161. OR List [NUL-terminated, comma-delimited list of
  162. OR identity]
  163. 0x0007 -- Debug message occurred
  164. 0x0008 -- Info message occurred
  165. 0x0009 -- Notice message occurred
  166. 0x000A -- Warning message occurred
  167. 0x000B -- Error message occurred
  168. Message [NUL-terminated]
  169. 3.8. AUTHENTICATE (Type 0x0007)
  170. Sent from the client to the server. Contains a 'magic cookie' to prove
  171. that client is really allowed to control this Tor process. The server
  172. responds with DONE or ERROR.
  173. The format of the 'cookie' is implementation-dependent; see 4.1 below for
  174. information on how the standard Tor implementation handles it.
  175. 3.9. SAVECONF (Type 0x0008)
  176. Sent from the client to the server. Instructs the server to write out
  177. its config options into its torrc. Server returns DONE if successful, or
  178. ERROR if it can't write the file or some other error occurs.
  179. 3.10. SIGNAL (Type 0x0009)
  180. Sent from the client to the server. The body contains one byte that
  181. indicates the action the client wishes the server to take.
  182. 1 (0x01) -- Reload: reload config items, refetch directory.
  183. 2 (0x02) -- Controlled shutdown: if server is an OP, exit immediately.
  184. If it's an OR, close listeners and exit after 30 seconds.
  185. 10 (0x0A) -- Dump stats: log information about open connections and
  186. circuits.
  187. 12 (0x0C) -- Debug: switch all open logs to loglevel debug.
  188. 15 (0x0F) -- Immediate shutdown: clean up and exit now.
  189. The server responds with DONE if the signal is recognized (or simply
  190. closes the socket if it was asked to close immediately), else ERROR.
  191. 3.11. MAPADDRESS (Type 0x000A)
  192. Sent from the client to the server. The body contains a sequence of
  193. address mappings, each consisting of the address to be mapped, a single
  194. space, the replacement address, and a NL character.
  195. Addresses may be IPv4 addresses, IPv6 addresses, or hostnames.
  196. The client sends this message to the server in order to tell it that future
  197. SOCKS requests for connections to the original address should be replaced
  198. with connections to the specified replacement address. If the addresses
  199. are well-formed, and the server is able to fulfill the request, the server
  200. replies with a single DONE message containing the source and destination
  201. addresses. If request is malformed, the server replies with a syntax error
  202. message. The server can't fulfill the request, it replies with an internal
  203. ERROR message.
  204. The client may decline to provide a body for the original address, and
  205. instead send a special null address ("0.0.0.0" for IPv4, "::0" for IPv6, or
  206. "." for hostname), signifying that the server should choose the original
  207. address itself, and return that address in the DONE message. The server
  208. should ensure that it returns an element of address space that is unlikely
  209. to be in actual use. If there is already an address mapped to the
  210. destination address, the server may reuse that mapping.
  211. If the original address is already mapped to a different address, the old
  212. mapping is removed. If the original address and the destination address
  213. are the same, the server removes any mapping in place for the original
  214. address.
  215. {Note: This feature is designed to be used to help Tor-ify applications
  216. that need to use SOCKS4 or hostname-less SOCKS5. There are three
  217. approaches to doing this:
  218. 1. Somehow make them use SOCKS4a or SOCKS5-with-hostnames instead.
  219. 2. Use tor-resolve (or another interface to Tor's resolve-over-SOCKS
  220. feature) to resolve the hostname remotely. This doesn't work
  221. with special addresses like x.onion or x.y.exit.
  222. 3. Use MAPADDRESS to map an IP address to the desired hostname, and then
  223. arrange to fool the application into thinking that the hostname
  224. has resolved to that IP.
  225. This functionality is designed to help implement the 3rd approach.}
  226. [XXXX When, if ever, can mappings expire? Should they expire?]
  227. [XXXX What addresses, if any, are safe to use?]
  228. 3.12 GETINFO (Type 0x000B)
  229. Sent from the client to the server. The message body is as for GETCONF:
  230. one or more NL-terminated strings. The server replies with an INFOVALUE
  231. message.
  232. Unlike GETCONF, this message is used for data that are not stored in the
  233. Tor configuration file, but instead.
  234. Recognized key and their values include:
  235. "version" -- The version of the server's software, including the name
  236. of the software. (example: "Tor 0.0.9.4")
  237. "desc/id/<OR identity>" or "desc/name/<OR nickname>" -- the latest server
  238. descriptor for a given OR, NUL-terminated. If no such OR is known, the
  239. corresponding value is an empty string.
  240. "network-status" -- a space-separated list of all known OR identities.
  241. This is in the same format as the router-status line in directories;
  242. see tor-spec.txt for details.
  243. "addr-mappings/all"
  244. "addr-mappings/config"
  245. "addr-mappings/cache"
  246. "addr-mappings/control" -- a NL-terminated list of address mappings, each
  247. in the form of "from-address" SP "to-address". The 'config' key
  248. returns those address mappings set in the configuration; the 'cache'
  249. key returns the mappings in the client-side DNS cache; the 'control'
  250. key returns the mappings set via the control interface; the 'all'
  251. target returns the mappings set through any mechanism.
  252. 3.13 INFOVALUE (Type 0x000C)
  253. Sent from the server to the client in response to a GETINFO message.
  254. Contains one or more items of the format:
  255. Key [(NUL-terminated string)]
  256. Value [(NUL-terminated string)]
  257. The keys match those given in the GETINFO message.
  258. 3.14 EXTENDCIRCUIT (Type 0x000D)
  259. Sent from the client to the server. The message body contains two fields:
  260. Circuit ID [4 octets]
  261. Path [NUL-terminated, comma-delimited string of OR nickname/identity]
  262. This request takes one of two forms: either the Circuit ID is zero, in
  263. which case it is a request for the server to build a new circuit according
  264. to the specified path, or the Circuit ID is nonzero, in which case it is a
  265. request for the server to extend an existing circuit with that ID according
  266. to the specified path.
  267. If the request is successful, the server sends a DONE message containing
  268. a message body consisting of the four-octet Circuit ID of the newly created
  269. circuit.
  270. 3.15 ATTACHSTREAM (Type 0x000E)
  271. Sent from the client to the server. The message body contains two fields:
  272. Stream ID [4 octets]
  273. Circuit ID [4 octets]
  274. This message informs the server that the specified stream should be
  275. associated with the specified circuit. Each stream may be associated with
  276. at most one circuit, and multiple streams may share the same circuit.
  277. Streams can only be attached to completed circuits (that is, circuits that
  278. have sent a circuit status 'built' event).
  279. If the circuit ID is 0, responsibility for attaching the given stream is
  280. returned to Tor.
  281. {Implementation note: By default, Tor automatically attaches streams to
  282. circuits itself, unless the configuration variable
  283. "__LeaveStreamsUnattached" is set to "1". Attempting to attach streams
  284. via TC when "__LeaveStreamsUnattached" is false may cause a race between
  285. Tor and the controller, as both attempt to attach streams to circuits.}
  286. 3.16 POSTDESCRIPTOR (Type 0x000F)
  287. Sent from the client to the server. The message body contains one field:
  288. Descriptor [NUL-terminated string]
  289. This message informs the server about a new descriptor.
  290. The descriptor, when parsed, must contain a number of well-specified
  291. fields, including fields for its nickname and identity.
  292. If there is an error in parsing the descriptor, the server must send an
  293. appropriate error message. If the descriptor is well-formed but the server
  294. chooses not to add it, it must reply with a DONE message whose body
  295. explains why the server was not added.
  296. 3.17 FRAGMENTHEADER (Type 0x0010)
  297. Sent in either direction. Used to encapsulate messages longer than 65535
  298. bytes in length.
  299. Underlying type [2 bytes]
  300. Total Length [4 bytes]
  301. Data [Rest of message]
  302. A FRAGMENTHEADER message MUST be followed immediately by a number of
  303. FRAGMENT messages, such that lengths of the "Data" fields of the
  304. FRAGMENTHEADER and FRAGMENT messages add to the "Total Length" field of the
  305. FRAGMENTHEADER message.
  306. Implementations MUST NOT fragment messages of length less than 65536 bytes.
  307. Implementations MUST be able to process fragmented messages that not
  308. optimally packed.
  309. 3.18 FRAGMENT (Type 0x0011)
  310. Data [Entire message]
  311. See FRAGMENTHEADER for more information
  312. 3.19 REDIRECTSTREAM (Type 0x0012)
  313. Sent from the client to the server. The message body contains two fields:
  314. Stream ID [4 octets]
  315. Address [variable-length, NUL-terminated.]
  316. Tells the server to change the exit address on the specified stream. No
  317. remapping is performed on the new provided address.
  318. To be sure that the modified address will be used, this event must be sent
  319. after a new stream event is received, and before attaching this stream to
  320. a circuit.
  321. 3.20 CLOSESTREAM (Type 0x0013)
  322. Sent from the client to the server. The message body contains three
  323. fields:
  324. Stream ID [4 octets]
  325. Reason [1 octet]
  326. Flags [1 octet]
  327. Tells the server to close the specified stream. The reason should be
  328. one of the Tor RELAY_END reasons given in tor-spec.txt. Flags is not
  329. used currently. Tor may hold the stream open for a while to flush
  330. any data that is pending.
  331. 3.21 CLOSECIRCUIT (Type 0x0014)
  332. Sent from the client to the server. The message body contains two
  333. fields:
  334. Circuit ID [4 octets]
  335. Flags [1 octet]
  336. Tells the server to close the specified circuit. If the LSB of the flags
  337. field is nonzero, do not close the circuit unless it is unused.
  338. 4. Implementation notes
  339. 4.1. Authentication
  340. By default, the current Tor implementation trusts all local users.
  341. If the 'CookieAuthentication' option is true, Tor writes a "magic cookie"
  342. file named "control_auth_cookie" into its data directory. To authenticate,
  343. the controller must send the contents of this file.
  344. If the 'HashedControlPassword' option is set, it must contain the salted
  345. hash of a secret password. The salted hash is computed according to the
  346. S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier.
  347. This is then encoded in hexadecimal, prefixed by the indicator sequence
  348. "16:". Thus, for example, the password 'foo' could encode to:
  349. 16:660537E3E1CD49996044A3BF558097A981F539FEA2F9DA662B4626C1C2
  350. ++++++++++++++++**^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  351. salt hashed value
  352. indicator
  353. You can generate the salt of a password by calling
  354. 'tor --hash-password <password>'
  355. or by using the example code in the Python and Java controller libraries.
  356. To authenticate under this scheme, the controller sends Tor the original
  357. secret that was used to generate the password.
  358. 4.2. Don't let the buffer get too big.
  359. If you ask for lots of events, and 16MB of them queue up on the buffer,
  360. the Tor process will close the socket.