Merge pull request #93 from alecmuffett/20210510-remove-v2-onion-creation

remove v2 onion creation

demo.d/digital-rights.tconf

@@ -1,10 +1,10 @@
 # -*- conf -*-
-# eotk (c) 2017 Alec Muffett
+# eotk (c) 2017-2021 Alec Muffett
 
 set project digital-rights
-hardmap %NEW_ONION% openrightsgroup.org
-hardmap %NEW_ONION% eff.org
-hardmap %NEW_ONION% accessnow.org
-hardmap %NEW_ONION% digitalrights.ie
+hardmap %NEW_V3_ONION% openrightsgroup.org
+hardmap %NEW_V3_ONION% eff.org
+hardmap %NEW_V3_ONION% accessnow.org
+hardmap %NEW_V3_ONION% digitalrights.ie
 
 # aside: privacy international already have privacyintyqcroe.onion

demo.d/example.tconf

@@ -228,12 +228,12 @@ foreignmap facebookcorewwwi.onion facebook.com
 # hardmaps use tor daemon configs with onions hard-coded in them
 
 set project hardexample
-hardmap %NEW_ONION% foo.local
-hardmap %NEW_ONION% bar.local
+hardmap %NEW_V3_ONION% foo.local
+hardmap %NEW_V3_ONION% bar.local
 
 # softmaps use onionbalance software to loadbalance across workers
 
 set project softexample
-softmap %NEW_ONION% example.com
-softmap %NEW_ONION% example.org
-softmap %NEW_ONION% example.net
+softmap %NEW_V3_ONION% example.com
+softmap %NEW_V3_ONION% example.org
+softmap %NEW_V3_ONION% example.net

demo.d/human-rights.tconf

@@ -2,5 +2,5 @@
 # eotk (c) 2017 Alec Muffett
 
 set project human-rights
-hardmap %NEW_ONION% aclu.org
-hardmap %NEW_ONION% liberty-human-rights.org.uk
+hardmap %NEW_V3_ONION% aclu.org
+hardmap %NEW_V3_ONION% liberty-human-rights.org.uk

demo.d/journalist-safety.tconf

@@ -2,5 +2,5 @@
 # eotk (c) 2017 Alec Muffett
 
 set project journalist-safety
-hardmap %NEW_ONION% cpj.org
-hardmap %NEW_ONION% mediadefence.org
+hardmap %NEW_V3_ONION% cpj.org
+hardmap %NEW_V3_ONION% mediadefence.org

docs.d/HOW-TO-INSTALL.md

@@ -211,9 +211,9 @@ Create a config file with a `.tconf` suffix - we'll pretend it's
 
 ```
 set project myproject
-hardmap %NEW_ONION% foo.com
-hardmap %NEW_ONION% foo.co.uk
-hardmap %NEW_ONION% foo.de
+hardmap %NEW_V3_ONION% foo.com
+hardmap %NEW_V3_ONION% foo.co.uk
+hardmap %NEW_V3_ONION% foo.de
 ```
 
 ...and then run
@@ -290,7 +290,7 @@ So if your browser tells you that you are fetching content from
 `cdn7.dublin.ireland.europe.foo.co.jp`, you should add a line like:
 
 ```
-hardmap %NEW_ONION% foo.co.jp europe ireland.europe dublin.ireland.europe
+hardmap %NEW_V3_ONION% foo.co.jp europe ireland.europe dublin.ireland.europe
 ```
 
 ...and EOTK should do the rest. All this is necessary purely for
@@ -329,9 +329,9 @@ avoid the actual "hostnames" as described above:
 
 ```
 set project fooproj
-hardmap %NEW_ONION% foo.com.au syd per
-hardmap %NEW_ONION% foo.net cdn
-hardmap %NEW_ONION% foo.aws.amazon.com
+hardmap %NEW_V3_ONION% foo.com.au syd per
+hardmap %NEW_V3_ONION% foo.net cdn
+hardmap %NEW_V3_ONION% foo.aws.amazon.com
 ```
 
 Onion mapping/translations will be applied for all sites in the same project.

docs.d/TEMPLATES.md

@@ -326,7 +326,7 @@ in [the example template configuration file](../demo.d/example.tconf)
 These are used in Template Configuration (`.tconf`) files, and do not
 represent real environment variables.
 
-* NEW_ONION
+* NEW_V3_ONION
 
 Used only in template configs (`*.tconf` files) to show the point
 where a newly created onion address should be inserted.

lib.d/do-configure.pl

@@ -1,7 +1,7 @@
 #!/bin/sh
 exec perl -wx $0 "$@";
 #!perl
-# eotk (c) 2017-2020 Alec Muffett
+# eotk (c) 2017-2021 Alec Muffett
 
 use Data::Dumper;
 
@@ -532,7 +532,7 @@ sub DoProject {
 &SetEnv("nginx_timeout", 15);
 &SetEnv("nginx_tmpfile_size", "256m");
 &SetEnv("nginx_workers", "auto");
-&SetEnv("onion_version", "2");
+&SetEnv("onion_version", "3");
 &SetEnv("preserve_before", "~".&Nonce(128)."~");
 &SetEnv("preserve_after", "~");
 &SetEnv("preserve_preamble_re", "[>@\\\\s]");

lib.d/expand-config.pl

@@ -1,7 +1,7 @@
 #!/bin/sh
 exec perl -wx $0 "$@";
 #!perl
-# eotk (c) 2017-2020 Alec Muffett
+# eotk (c) 2017-2021 Alec Muffett
 
 if (-t STDIN) { # stderr is already redirected...
     if (open(DOTS, ">/dev/tty")) {
@@ -18,14 +18,13 @@ sub GenOnion {
 sub Lookup {
     my $var = shift;
 
-    foreach $deprecated (qw(NEW_HARD_ONION NEW_SOFT_ONION)) {
+    foreach $deprecated (qw(NEW_HARD_ONION NEW_SOFT_ONION NEW_ONION)) {
         die "Lookup: $deprecated is no longer supported syntax\n"
-            if $var =~ /$deprecated/;
+            if $var eq $deprecated;
     }
 
-    if ($var =~ /^NEW_(V3_)?ONION$/) {
-        my $version = $1 ? 3 : 2;
-        return &GenOnion($version);
+    if ($var eq "NEW_V3_ONION") {
+        return &GenOnion(3); # old syntax now deprecated
     }
 
     if (defined($ENV{$var})) {

lib.d/generate-onion-key.sh

@@ -1,4 +1,5 @@
 #!/bin/sh
+# eotk (c) 2017-2021 Alec Muffett
 
 here=`pwd` # absolute pathnames are required by tor
 log=$here/__gok$$.log
@@ -17,11 +18,10 @@ HiddenServiceDir $dir
 HiddenServicePort 1 127.0.0.1:1
 EOF
 
-if [ x$ONION_VERSION = x3 ] ; then
-    echo HiddenServiceVersion 3 >> $dir/config
-else
-    echo HiddenServiceVersion 2 >> $dir/config
-fi
+case "$ONION_VERSION" in
+    3) echo HiddenServiceVersion 3 >> $dir/config ;;
+    *) echo error: the only supported value for ONION_VERSION is 3 ; exit 1 ;;
+esac
 
 tor -f $dir/config >$log 2>&1
 
@@ -40,15 +40,10 @@ kill -TERM `cat $dir/tor.pid` # shut it down
 onion=`cat $dir/hostname`
 onion=`basename $onion .onion`
 
-if [ x$ONION_VERSION = x3 ] ; then
-    pfile=$onion.v3pub.key
-    sfile=$onion.v3sec.key
-    mv $dir/hs_ed25519_public_key $pfile || exit 1
-    mv $dir/hs_ed25519_secret_key $sfile || exit 1
-else
-    file=$onion.key
-    mv $dir/private_key $file || exit 1
-fi
+pfile=$onion.v3pub.key
+sfile=$onion.v3sec.key
+mv $dir/hs_ed25519_public_key $pfile || exit 1
+mv $dir/hs_ed25519_secret_key $sfile || exit 1
 rm -r $dir $log || exit 1
 
 echo $onion

lib.d/lint.pl

@@ -6,7 +6,7 @@ exec perl -x $0 "$@";
 my %known =
     (
      # demo fakes
-     'NEW_ONION' => 1,
+     'NEW_V3_ONION' => 1,
      'SCRIPT_PAUSE' => 1,
      '' => 1, # an empty escape character
 

templates.d/nginx.conf.txt

@@ -15,7 +15,7 @@
 # X-DNS-Prefetch-Control - response security risk?
 # Via - request/response?
 
-# eotk (c) 2019-2020 Alec Muffett
+# eotk (c) 2019-2021 Alec Muffett
 
 # SECURITY NOTE: the contents of this file, when actualised, should
 # not be made world-readable nor published without redaction;
@@ -331,7 +331,7 @@ http {
 
     o2d_search_and_replace = function (i)
       -- because onion addresses are matchable, this can be done in one pass...
-      local o, num, errs = ngx.re.gsub(i, "(%LEFT_TLD_RE%)([a-z2-7]{16}(?:[a-z2-7]{40})?\\.onion)\\b", o2d_re_helper, "io")
+      local o, num, errs = ngx.re.gsub(i, "(%LEFT_TLD_RE%)([a-z2-7]{56}\\.onion)\\b", o2d_re_helper, "io")
       if errs == nil and num == 0 then
         return i -- nothing was changed, so return the original
       end