| blob | eaf0432a7da15f0e0fcab98e9405b6618b4db6fa |
1 /* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
2 * Copyright (c) 2007-2019, The Tor Project, Inc. */
3 /* See LICENSE for licensing information */
5 /**
6 * \file rendservice.c
7 * \brief The hidden-service side of rendezvous functionality.
8 **/
10 #define RENDSERVICE_PRIVATE
59 #ifdef HAVE_FCNTL_H
60 #include <fcntl.h>
61 #endif
62 #ifdef HAVE_UNISTD_H
63 #include <unistd.h>
64 #endif
65 #ifdef HAVE_SYS_STAT_H
66 #include <sys/stat.h>
67 #endif
118 /* Hidden service directory file names:
119 * new file names should be added to rend_service_add_filenames_to_list()
120 * for sandboxing purposes. */
126 /** A list of rend_service_t's for services run on this OP. */
128 /** A list of rend_service_t's for services run on this OP which is used as a
129 * staging area before they are put in the main list in order to prune dying
130 * service on config reload. */
133 /** Helper: log the deprecation warning for version 2 only once. */
134 static void
136 {
140 "Please use version 3 which is the default now. "
141 "Currently, version 2 is planned to be obsolete in "
144 }
145 }
146 /** Macro to make it very explicit that we are warning about deprecation. */
147 #define WARN_ONCE_DEPRECATION() log_once_deprecation_warning()
149 /* Like rend_get_service_list_mutable, but returns a read-only list. */
152 {
153 /* It is safe to cast away the const here, because
154 * rend_get_service_list_mutable does not actually modify the list */
156 }
158 /* Return a mutable list of hidden services.
159 * If substitute_service_list is not NULL, return it.
160 * Otherwise, check if the global rend_service_list is non-NULL, and if so,
161 * return it.
162 * Otherwise, log a BUG message and return NULL.
163 * */
166 {
169 }
171 /* If no special service list is provided, then just use the global one. */
174 /* No global HS list, which is a programmer error. */
176 }
179 }
181 /** Tells if onion service <b>s</b> is ephemeral.
182 */
183 static unsigned int
185 {
187 }
189 /** Returns a escaped string representation of the service, <b>s</b>.
190 */
193 {
195 }
197 /** Return the number of rendezvous services we have configured. */
198 int
200 {
204 }
206 /** Helper: free storage held by a single service authorized client entry. */
207 void
209 {
219 }
221 /** Helper for strmap_free. */
222 static void
224 {
226 }
228 /** Release the storage held by <b>service</b>.
229 */
230 STATIC void
232 {
241 }
248 }
253 }
260 }
263 }
265 }
267 /* Release all the storage held in rend_service_staging_list. */
268 void
270 {
276 }
277 }
279 /** Release all the storage held in both rend_service_list and
280 * rend_service_staging_list. */
281 void
283 {
289 }
291 }
293 /* Initialize the subsystem. */
294 void
296 {
302 }
304 /* Validate a <b>service</b>. Use the <b>service_list</b> to make sure there
305 * is no duplicate entry for the given service object. Return 0 if valid else
306 * -1 if not.*/
307 static int
310 {
319 }
327 }
335 }
341 }
343 /* Valid. */
345 invalid:
347 }
349 /** Add it to <b>service_list</b>, or to the global rend_service_list if
350 * <b>service_list</b> is NULL. Return 0 on success. On failure, free
351 * <b>service</b> and return -1. Takes ownership of <b>service</b>. */
352 static int
354 {
361 /* We must have a service list, even if it's a temporary one, so we can
362 * check for duplicate services */
366 }
381 #ifdef HAVE_SYS_UN_H
385 #else
387 "Service maps port %d to an AF_UNIX socket, but we "
388 "have no AF_UNIX support on this platform. This is "
394 }
395 }
396 /* The service passed all the checks */
400 /* Notify that our global service list has changed only if this new service
401 * went into our global list. If not, when we move service from the staging
402 * list to the new list, a notify is triggered. */
405 }
407 }
409 /** Return a new rend_service_port_config_t with its path set to
410 * <b>socket_path</b> or empty if <b>socket_path</b> is NULL */
413 {
423 }
425 /** Parses a virtual-port to real-port/socket mapping separated by
426 * the provided separator and returns a new rend_service_port_config_t,
427 * or NULL and an optional error string on failure.
428 *
429 * The format is: VirtualPort SEP (IP|RealPort|IP:RealPort|'socket':path)?
430 *
431 * IP defaults to 127.0.0.1; RealPort defaults to VirtualPort.
432 */
433 rend_service_port_config_t *
436 {
441 tor_addr_t addr;
454 }
461 }
463 /* No addr:port part; use default. */
479 }
485 }
491 /* else try it as an IP:port pair if it has a : or . in it */
496 }
499 /* No addr:port, no addr -- must be port. */
506 }
508 }
509 }
511 /* Allow room for unix_addr */
519 }
521 err:
527 }
532 }
534 /** Release all storage held in a rend_service_port_config_t. */
535 void
537 {
539 }
541 /* Copy relevant data from service src to dst while pruning the service lists.
542 * This should only be called during the pruning process which takes existing
543 * services and copy their data to the newly configured services. The src
544 * service replaycache will be set to NULL after this call. */
545 static void
547 {
551 /* Keep the timestamps for when the content changed and the next upload
552 * time so we can properly upload the descriptor if needed for the new
553 * service object. */
556 /* Move the replaycache to the new object. */
559 /* Copy intro point information to destination service. */
563 }
565 /* Helper: Actual implementation of the pruning on reload which we've
566 * decoupled in order to make the unit test workeable without ugly hacks.
567 * Furthermore, this function does NOT free any memory but will nullify the
568 * temporary list pointer whatever happens. */
569 STATIC void
571 {
575 /* When pruning our current service list, we must have a staging list that
576 * contains what we want to check else it's a code flow error. */
579 /* We are about to prune the current list of its dead service so set the
580 * semantic for that list to be the "old" one. */
582 /* The staging list is now the "new" list so set this semantic. */
584 /* After this, whatever happens, we'll use our new list. */
586 /* Finally, nullify the staging list pointer as we don't need it anymore
587 * and it needs to be NULL before the next reload. */
589 /* Nothing to prune if we have no service list so stop right away. */
592 }
594 /* This contains all _existing_ services that survives the relaod that is
595 * that haven't been removed from the configuration. The difference between
596 * this list and the new service list is that the new list can possibly
597 * contain newly configured service that have no introduction points opened
598 * yet nor key material loaded or generated. */
601 /* Preserve the existing ephemeral services.
602 *
603 * This is the ephemeral service equivalent of the "Copy introduction
604 * points to new services" block, except there's no copy required since
605 * the service structure isn't regenerated.
606 *
607 * After this is done, all ephemeral services will be:
608 * * Removed from old_service_list, so the equivalent non-ephemeral code
609 * will not attempt to preserve them.
610 * * Added to the new_service_list (that previously only had the
611 * services listed in the configuration).
612 * * Added to surviving_services, which is the list of services that
613 * will NOT have their intro point closed.
614 */
620 }
623 /* Copy introduction points to new services. This is O(n^2), but it's only
624 * called on reconfigure, so it's ok performance wise. */
627 /* Skip ephemeral services as we only want to copy introduction points
628 * from current services to newly configured one that already exists.
629 * The same directory means it's the same service. */
633 }
639 /* Copy needed information from old to new. */
642 /* This regular service will survive the closing IPs step after. */
648 /* For every service introduction circuit we can find, see if we have a
649 * matching surviving configured service. If not, close the circuit. */
653 /* This is a v3 circuit, ignore it. */
655 }
658 /* Keep this circuit as we have a matching configured service. */
661 }
665 }
670 /* Reason is FINISHED because service has been removed and thus the
671 * circuit is considered old/uneeded. */
673 }
675 /* Notify that our global service list has changed. */
677 }
679 /* Try to prune our main service list using the temporary one that we just
680 * loaded and parsed successfully. The pruning process decides which onion
681 * services to keep and which to discard after a reload. */
682 void
684 {
689 }
693 /* Every remaining service in the old list have been removed from the
694 * configuration so clean them up safely. */
698 }
699 }
701 /* Copy all the relevant data that the hs_service object contains over to the
702 * rend_service_t object. The reason to do so is because when configuring a
703 * service, we go through a generic handler that creates an hs_service_t
704 * object which so we have to copy the parsed values to a rend service object
705 * which is version 2 specific. */
706 static void
709 {
716 /* This value can't go above HS_CONFIG_MAX_STREAMS_PER_RDV_CIRCUIT (65535)
717 * if the code flow is right so this cast is safe. But just in case, we'll
718 * check it. */
721 HS_CONFIG_MAX_STREAMS_PER_RDV_CIRCUIT)) {
723 }
726 /* Switching ownership of the ports to the rend service object. */
730 }
732 /* Parse the hidden service configuration starting at <b>line_</b> using the
733 * already configured generic service configuration in <b>config</b>. This
734 * function will translate the config object to a rend_service_t and add it to
735 * the temporary list if valid. If <b>validate_only</b> is set, parse, warn
736 * and return as normal but don't actually add the service to the list. */
737 int
741 {
745 /* line_ can be NULL which would mean that the service configuration only
746 * have one line that is the directory directive. */
750 /* We are about to configure a version 2 service. Warn of deprecation. */
753 /* Use the staging service list so that we can check then do the pruning
754 * process using the main list at the end. */
757 }
759 /* Initialize service. */
763 /* From the hs_service object which has been used to load the generic
764 * options, we'll copy over the useful data to the rend_service_t object. */
769 /* We just hit the next hidden service, stop right now. */
771 }
772 /* Number of introduction points. */
775 /* Those are specific defaults for version 2. */
781 "HiddenServiceNumIntroductionPoints "
785 }
789 }
791 /* Parse auth type and comma-separated list of client names and add a
792 * rend_authorized_client_t for each client to the service's list
793 * of authorized clients. */
800 }
805 "should have been prevented when parsing the "
809 }
817 "unrecognized auth-type '%s'. Only 'basic' or 'stealth' "
823 }
832 }
838 /* Remove duplicate client names. */
839 {
847 }
848 }
850 {
854 "illegal client name: '%s'. Names must be "
855 "between 1 and %d characters and contain "
861 }
866 }
870 /* Ensure maximum number of clients. */
876 "client authorization entries, but only a "
877 "maximum of %d entries is allowed for "
883 }
885 }
886 }
887 /* Validate the service just parsed. */
889 /* Service is in the staging list so don't try to free it. */
891 }
893 /* Add it to the temporary list which we will use to prune our current
894 * list if any after configuring all services. */
896 /* The object has been freed on error already. */
899 }
902 err:
905 }
907 /** Add the ephemeral service <b>pk</b>/<b>ports</b> if possible, using
908 * client authorization <b>auth_type</b> and an optional list of
909 * rend_authorized_client_t in <b>auth_clients</b>, with
910 * <b>max_streams_per_circuit</b> streams allowed per rendezvous circuit,
911 * and circuit closure on max streams being exceeded set by
912 * <b>max_streams_close_circuit</b>.
913 *
914 * Ownership of pk, ports, and auth_clients is passed to this routine.
915 * Regardless of success/failure, callers should not touch these values
916 * after calling this routine, and may assume that correct cleanup has
917 * been done on failure.
918 *
919 * Return an appropriate hs_service_add_ephemeral_status_t.
920 */
921 hs_service_add_ephemeral_status_t
926 rend_auth_type_t auth_type,
929 {
931 /* Allocate the service structure, and initialize the key, and key derived
932 * parameters.
933 */
947 }
953 }
959 }
961 /* Enforcing pk/id uniqueness should be done by rend_service_load_keys(), but
962 * it's not, see #14828.
963 */
969 }
974 }
976 /* Initialize the service. */
979 }
984 }
986 /** Remove the ephemeral service <b>service_id</b> if possible. Returns 0 on
987 * success, and -1 on failure.
988 */
989 int
991 {
996 }
1001 }
1005 }
1007 /* Kill the intro point circuit for the Onion Service, and remove it from
1008 * the list. Closing existing connections is the application's problem.
1009 *
1010 * XXX: As with the comment in rend_config_services(), a nice abstraction
1011 * would be ideal here, but for now just duplicate the code.
1012 */
1021 }
1027 }
1030 /* Notify that we just removed a service from our global list. */
1037 }
1039 /* There can be 1 second's delay due to second_elapsed_callback, and perhaps
1040 * another few seconds due to blocking calls. */
1041 #define INTRO_CIRC_RETRY_PERIOD_SLOP 10
1043 /** Log information about the intro point creation rate and current intro
1044 * points for service, upgrading the log level from min_severity to warn if
1045 * we have stopped launching new intro point circuits. */
1046 static void
1048 {
1053 /* We stopped creating circuits */
1056 }
1059 {
1064 "Hidden service %s %s %d intro points in the last %d seconds. "
1074 }
1075 }
1076 }
1078 /** Replace the old value of <b>service</b>-\>desc with one that reflects
1079 * the other fields in service.
1080 */
1081 static void
1083 {
1095 /* Support intro protocols 2 and 3. */
1102 /* This intro point won't be listed in the descriptor... */
1105 /* circuit_established is set in rend_service_intro_established(), and
1106 * checked every second in rend_consider_services_intro_points(), so it's
1107 * safe to use it here */
1110 }
1112 /* ...unless this intro point is listed in the descriptor. */
1115 /* We have an entirely established intro circuit. Publish it in
1116 * our descriptor. */
1124 /* We are publishing this intro point in a descriptor for the
1125 * first time -- note the current time in the service's copy of
1126 * the intro point. */
1128 }
1129 }
1131 /* Check that we have the right number of intro points */
1135 /* Getting less than we wanted or more than we're allowed is serious */
1140 /* Getting more than we wanted is weird, but less of a problem */
1142 }
1147 /* Now log an informative message about how we might have got here. */
1149 }
1150 }
1152 /* Allocate and return a string containing the path to file_name in
1153 * service->directory. Asserts that service has a directory.
1154 * This function will never return NULL.
1155 * The caller must free this path. */
1158 {
1161 }
1163 /* Allocate and return a string containing the path to the single onion
1164 * service poison file in service->directory. Asserts that service has a
1165 * directory.
1166 * The caller must free this path. */
1169 {
1171 }
1173 /** Return True if hidden services <b>service</b> has been poisoned by single
1174 * onion mode. */
1175 static int
1177 {
1179 file_status_t fstatus;
1181 /* Passing a NULL service is a bug */
1184 }
1188 }
1195 /* If this fname is occupied, the hidden service has been poisoned.
1196 * fstatus can be FN_ERROR if the service directory does not exist, in that
1197 * case, there is obviously no private key. */
1200 }
1203 }
1205 /* Return 1 if the private key file for service exists and has a non-zero size,
1206 * and 0 otherwise. */
1207 static int
1209 {
1213 /* Only non-empty regular private key files could have been used before.
1214 * fstatus can be FN_ERROR if the service directory does not exist, in that
1215 * case, there is obviously no private key. */
1217 }
1219 /** Check the single onion service poison state of the directory for s:
1220 * - If the service is poisoned, and we are in Single Onion Mode,
1221 * return 0,
1222 * - If the service is not poisoned, and we are not in Single Onion Mode,
1223 * return 0,
1224 * - Otherwise, the poison state is invalid: the service was created in one
1225 * mode, and is being used in the other, return -1.
1226 * Hidden service directories without keys are always considered consistent.
1227 * They will be poisoned after their directory is created (if needed). */
1228 STATIC int
1231 {
1232 /* Passing a NULL service is a bug */
1235 }
1237 /* Ephemeral services are checked at ADD_ONION time */
1240 }
1242 /* Service is expected to have a directory */
1245 }
1247 /* Services without keys are always ok - their keys will only ever be used
1248 * in the current mode */
1251 }
1253 /* The key has been used before in a different mode */
1257 }
1259 /* The key exists and is consistent with the current mode */
1261 }
1263 /*** Helper for rend_service_poison_new_single_onion_dir(). Add a file to
1264 * the hidden service directory for s that marks it as a single onion service.
1265 * Tor must be in single onion mode before calling this function, and the
1266 * service directory must already have been created.
1267 * Returns 0 when a directory is successfully poisoned, or if it is already
1268 * poisoned. Returns -1 on a failure to read the directory or write the poison
1269 * file, or if there is an existing private key file in the directory. (The
1270 * service should have been poisoned when the key was created.) */
1271 static int
1274 {
1275 /* Passing a NULL service is a bug */
1278 }
1280 /* We must only poison directories if we're in Single Onion mode */
1290 }
1292 /* Make sure we're only poisoning new hidden service directories */
1297 }
1299 /* Make sure the directory was created before calling this function. */
1310 poison_fname);
1315 poison_fname);
1321 poison_fname);
1323 }
1328 }
1332 done:
1336 }
1338 /** We just got launched in Single Onion Mode. That's a non-anonymous mode for
1339 * hidden services. If s is new, we should mark its hidden service
1340 * directory appropriately so that it is never launched as a location-private
1341 * hidden service. (New directories don't have private key files.)
1342 * Return 0 on success, -1 on fail. */
1343 STATIC int
1346 {
1347 /* Passing a NULL service is a bug */
1350 }
1352 /* We must only poison directories if we're in Single Onion mode */
1355 /* Ephemeral services aren't allowed in non-anonymous mode */
1358 }
1360 /* Service is expected to have a directory */
1363 }
1369 }
1370 }
1373 }
1375 /* Return true iff the given service identity key is present on disk. This is
1376 * used to try to learn the service version during configuration time. */
1377 int
1379 {
1386 /* Load key */
1391 }
1396 }
1398 /** Load and/or generate private keys for all hidden services, possibly
1399 * including keys for client authorization.
1400 * If a <b>service_list</b> is provided, treat it as the list of hidden
1401 * services (used in unittests). Otherwise, require that rend_service_list is
1402 * not NULL.
1403 * Return 0 on success, -1 on failure. */
1404 int
1406 {
1407 /* Use service_list for unit tests */
1411 }
1424 }
1426 /** Add to <b>lst</b> every filename used by <b>s</b>. */
1427 static void
1429 {
1437 }
1439 /** Add to <b>open_lst</b> every filename used by a configured hidden service,
1440 * and to <b>stat_lst</b> every directory used by a configured hidden
1441 * service */
1442 void
1445 {
1452 }
1454 }
1456 /** Derive all rend_service_t internal material based on the service's key.
1457 * Returns 0 on success, -1 on failure.
1458 */
1459 static int
1461 {
1465 }
1469 }
1472 }
1474 /** Make sure that the directory for <b>s</b> is private, using the config in
1475 * <b>options</b>.
1476 * If <b>create</b> is true:
1477 * - if the directory exists, change permissions if needed,
1478 * - if the directory does not exist, create it with the correct permissions.
1479 * If <b>create</b> is false:
1480 * - if the directory exists, check permissions,
1481 * - if the directory does not exist, check if we think we can create it.
1482 * Return 0 on success, -1 on failure. */
1483 static int
1487 {
1488 /* Passing a NULL service is a bug */
1491 }
1493 /* Check/create directory */
1497 }
1499 /* Check if the hidden service key exists, and was created in a different
1500 * single onion service mode, and refuse to launch if it has.
1501 * This is safe to call even when create is false, as it ignores missing
1502 * keys and directories: they are always valid.
1503 */
1505 /* We can't use s->service_id here, as the key may not have been loaded */
1507 "HiddenServiceNonAnonymousMode %d, but the hidden "
1508 "service key in directory %s was created in %s mode. "
1514 );
1516 }
1518 /* Poison new single onion directories immediately after they are created,
1519 * so that we never accidentally launch non-anonymous hidden services
1520 * thinking they are anonymous. Any keys created later will end up with the
1521 * correct poisoning state.
1522 */
1530 }
1533 /* The keys for these services are linked to the server IP address */
1535 "used in single onion mode. They can not be used for "
1538 }
1539 }
1542 }
1544 /** Load and/or generate private keys for the hidden service <b>s</b>,
1545 * possibly including keys for client authorization. Return 0 on success, -1
1546 * on failure. */
1547 static int
1549 {
1553 /* Create the directory if needed which will also poison it in case of
1554 * single onion service. */
1558 /* Load key */
1569 /* Create service file */
1576 }
1577 #ifndef _WIN32
1579 /* Also verify hostname file created with group read. */
1582 fname);
1583 }
1586 /* If client authorization is configured, load or generate keys. */
1590 }
1591 }
1595 err:
1597 done:
1601 }
1603 /** Load and/or generate client authorization keys for the hidden service
1604 * <b>s</b>, which stores its hostname in <b>hfname</b>. Return 0 on success,
1605 * -1 on failure. */
1606 static int
1608 {
1619 /* Load client keys and descriptor cookies, if available. */
1630 }
1631 }
1633 /* Prepare client_keys and hostname files. */
1640 }
1647 }
1649 /* Either use loaded keys for configured clients or generate new
1650 * ones if a client is new. */
1656 /* Copy descriptor cookie from parsed entry or create new one. */
1659 REND_DESC_COOKIE_LEN);
1662 }
1663 /* For compatibility with older tor clients, this does not
1664 * truncate the padding characters, unlike rend_auth_encode_cookie. */
1670 }
1671 /* Copy client key from parsed entry or create new one if required. */
1675 /* Create private key for client. */
1680 }
1685 }
1690 }
1692 }
1693 /* Add entry to client_keys file. */
1700 }
1708 }
1711 /*
1712 * len is string length, not buffer length, but last byte is NUL
1713 * anyway.
1714 */
1718 }
1726 }
1729 }
1735 }
1737 /* Add line to hostname file. This is not the same encoding as in
1738 * client_keys. */
1744 }
1754 }
1761 err:
1767 done:
1771 }
1777 }
1779 /* Clear stack buffers that held key-derived material. */
1785 }
1787 /** Return the service whose public key has a digest of <b>digest</b>, or
1788 * NULL if no such service exists.
1789 */
1792 {
1797 }
1799 /** Return the service whose service id is <b>id</b>, or NULL if no such
1800 * service exists.
1801 */
1804 {
1809 });
1811 }
1813 /** Check client authorization of a given <b>descriptor_cookie</b> of
1814 * length <b>cookie_len</b> for <b>service</b>. Return 1 for success
1815 * and 0 for failure. */
1816 static int
1820 {
1828 }
1835 }
1837 /* Look up client authorization by descriptor cookie. */
1840 REND_DESC_COOKIE_LEN)) {
1843 }
1844 });
1851 descriptor_cookie_base64);
1853 }
1855 /* Allow the request. */
1859 }
1861 /* Can this service make a direct connection to ei?
1862 * It must be a single onion service, and the firewall rules must allow ei. */
1863 static int
1866 {
1867 /* We'll connect directly all reachable addresses, whether preferred or not.
1868 * The prefer_ipv6 argument to fascist_firewall_allows_address_addr is
1869 * ignored, because pref_only is 0. */
1873 }
1875 /* Like rend_service_use_direct_connection, but to a node. */
1876 static int
1879 {
1880 /* We'll connect directly all reachable addresses, whether preferred or not.
1881 */
1884 }
1886 /******
1887 * Handle cells
1888 ******/
1890 /** Respond to an INTRODUCE2 cell by launching a circuit to the chosen
1891 * rendezvous point.
1892 */
1893 int
1897 {
1898 /* Global status stuff */
1905 /* Service/circuit/key stuff we can learn before parsing */
1910 /* Parsed cell */
1912 /* Rendezvous point */
1914 /* XXX not handled yet */
1926 ssize_t keylen;
1928 /* Do some initial validation and logging before we parse the cell */
1934 }
1938 /* XXX: This is version 2 specific (only one supported). */
1941 /* We'll use this in a bazillion log messages */
1945 /* look up service depending on circuit. */
1949 "Internal error: Got an INTRODUCE2 cell on an intro "
1953 }
1960 "Internal error: Got an INTRODUCE2 cell on an "
1961 "intro circ (for service %s) with no corresponding "
1965 }
1966 }
1971 /* use intro key instead of service key. */
1978 /* Early parsing pass (get pk, ciphertext); type 2 is INTRODUCE2 */
1979 parsed_req =
1987 }
1989 /* make sure service replay caches are present */
1993 REND_REPLAY_TIME_INTERVAL);
1994 }
1998 }
2000 /* check for replay of PK-encrypted portion. */
2009 "Possible replay detected! We received an "
2010 "INTRODUCE2 cell with same PK-encrypted part %d "
2014 }
2017 /* Now try to decrypt it */
2025 }
2028 /* Parse the plaintext */
2036 }
2039 /* Validate the parsed plaintext parts */
2047 }
2050 /* Increment INTRODUCE2 counter */
2053 /* Find the rendezvous point */
2058 }
2060 /* Check if we'd refuse to talk to this router */
2067 }
2071 /* Check whether there is a past request with the same Diffie-Hellman,
2072 * part 1. */
2079 /* A Tor client will send a new INTRODUCE1 cell with the same rend
2080 * cookie and DH public key as its previous one if its intro circ
2081 * times out while in state CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT .
2082 * If we received the first INTRODUCE1 cell (the intro-point relay
2083 * converts it into an INTRODUCE2 cell), we are already trying to
2084 * connect to that rend point (and may have already succeeded);
2085 * drop this cell. */
2087 "INTRODUCE2 cell with same first part of "
2088 "Diffie-Hellman handshake %d seconds ago. Dropping "
2092 }
2094 /* If the service performs client authorization, check included auth data. */
2106 }
2112 }
2113 }
2115 /* Try DH handshake... */
2122 }
2130 }
2134 /* help predict this next time */
2137 /* Launch a circuit to the client's chosen rendezvous point.
2138 */
2143 /* A Single Onion Service only uses a direct connection if its
2144 * firewall rules permit direct connections to the address.
2145 *
2146 * We only use a one-hop path on the first attempt. If the first attempt
2147 * fails, we use a 3-hop path for reachability / reliability.
2148 * See the comment in rend_service_relauch_rendezvous() for details. */
2151 }
2157 }
2162 serviceid);
2165 }
2167 "Accepted intro; launching circuit to %s "
2172 /* Fill in the circuit's state. */
2197 log_error:
2204 }
2205 }
2209 err:
2214 }
2217 done:
2223 /* Free the parsed cell */
2226 /* Free rp */
2230 }
2232 /** Given a parsed and decrypted INTRODUCE2, find the rendezvous point or
2233 * return NULL and an error string if we can't. Return a newly allocated
2234 * extend_info_t* for the rendezvous point. */
2238 {
2249 }
2260 }
2263 }
2265 /* Are we in single onion mode? */
2272 "Couldn't build extend_info_t for router %s named "
2275 }
2278 }
2288 }
2291 }
2293 /* rp is always set here: extend_info_dup guarantees a non-NULL result, and
2294 * the other cases goto err. */
2297 /* Make sure the RP we are being asked to connect to is _not_ a private
2298 * address unless it's allowed. Let's avoid to build a circuit to our
2299 * second middle node and fail right after when extending to the RP. */
2304 }
2308 }
2311 err:
2314 else
2317 done:
2319 }
2321 /** Free a parsed INTRODUCE1 or INTRODUCE2 cell that was allocated by
2322 * rend_service_parse_intro().
2323 */
2324 void
2326 {
2329 }
2331 /* Free ciphertext */
2335 /* Have plaintext? */
2337 /* Zero it out just to be safe */
2341 }
2343 /* Have parsed plaintext? */
2348 /*
2349 * Nothing more to do; these formats have no further pointers
2350 * in them.
2351 */
2361 }
2368 "rend_service_free_intro() saw unknown protocol "
2371 }
2372 }
2374 /* Zero it out to make sure sensitive stuff doesn't hang around in memory */
2378 }
2380 /** Parse an INTRODUCE1 or INTRODUCE2 cell into a newly allocated
2381 * rend_intro_cell_t structure. Free it with rend_service_free_intro()
2382 * when finished. The type parameter should be 1 or 2 to indicate whether
2383 * this is INTRODUCE1 or INTRODUCE2. This parses only the non-encrypted
2384 * parts; after this, call rend_service_decrypt_intro() with a key, then
2385 * rend_service_parse_intro_plaintext() to finish parsing. The optional
2386 * err_msg_out parameter is set to a string suitable for log output
2387 * if parsing fails. This function does some validation, but only
2388 * that which depends solely on the contents of the cell and the
2389 * key; it can be unit-tested. Further validation is done in
2390 * rend_service_validate_intro().
2391 */
2393 rend_intro_cell_t *
2398 {
2405 /* First, check that the cell is long enough to be a sensible INTRODUCE */
2407 /* min key length plus digest length plus nickname length */
2415 }
2417 }
2419 /* Allocate a new parsed cell structure */
2422 /* Set the type */
2425 /* Copy in the ID */
2428 /* Copy in the ciphertext */
2435 err:
2443 }
2445 done:
2450 }
2452 /** Parse the version-specific parts of a v0 or v1 INTRODUCE1 or INTRODUCE2
2453 * cell
2454 */
2456 static ssize_t
2462 {
2477 "rend_service_parse_intro_for_v0_or_v1() called with "
2482 }
2487 "short plaintext of encrypted part in v1 INTRODUCE%d "
2493 }
2499 "couldn't find a nul-padded nickname in "
2502 }
2504 }
2514 }
2516 }
2522 err:
2524 }
2526 /** Parse the version-specific parts of a v2 INTRODUCE1 or INTRODUCE2 cell
2527 */
2529 static ssize_t
2535 {
2538 ssize_t ver_specific_len;
2540 /*
2541 * We accept version 3 too so that the v3 parser can call this with
2542 * an adjusted buffer for the latter part of a v3 cell, which is
2543 * identical to a v2 cell.
2544 */
2549 "rend_service_parse_intro_for_v2() called with "
2554 }
2556 /* 7 == version, IP and port, DIGEST_LEN == id, 2 == key length */
2560 "truncated plaintext of encrypted parted of "
2564 }
2567 }
2578 /* 7 == version, IP and port, DIGEST_LEN == id, 2 == key length */
2582 "truncated plaintext of encrypted parted of "
2586 }
2589 }
2596 "error decoding onion key in version %d "
2600 }
2603 }
2610 }
2613 }
2622 err:
2626 }
2628 /** Parse the version-specific parts of a v3 INTRODUCE1 or INTRODUCE2 cell
2629 */
2631 static ssize_t
2637 {
2640 /* This should only be called on v3 cells */
2644 "rend_service_parse_intro_for_v3() called with "
2649 }
2651 /*
2652 * Check that we have at least enough to get auth_len:
2653 *
2654 * 1 octet for version, 1 for auth_type, 2 for auth_len
2655 */
2659 "truncated plaintext of encrypted parted of "
2663 }
2666 }
2668 /*
2669 * The rend_client_send_introduction() function over in rendclient.c is
2670 * broken (i.e., fails to match the spec) in such a way that we can't
2671 * change it without breaking the protocol. Specifically, it doesn't
2672 * emit auth_len when auth-type is REND_NO_AUTH, so everything is off
2673 * by two bytes after that. Calculate ts_offset and do everything from
2674 * the timestamp on relative to that to handle this dain bramage.
2675 */
2684 }
2686 /* Check that auth len makes sense for this auth type */
2692 "wrong auth data size %d for INTRODUCE%d cell, "
2696 REND_DESC_COOKIE_LEN);
2697 }
2700 }
2701 }
2703 /* Check that we actually have everything up through the timestamp */
2707 "truncated plaintext of encrypted parted of "
2711 }
2714 }
2718 /* Okay, we can go ahead and copy auth_data */
2720 /*
2721 * We know we had an auth_len field in this case, so 4 is
2722 * always right.
2723 */
2725 }
2727 /*
2728 * From here on, the format is as in v2, so we call the v2 parser with
2729 * adjusted buffer and length. We are 4 + ts_offset octets in, but the
2730 * v2 parser expects to skip over a version byte at the start, so we
2731 * adjust by 3 + ts_offset.
2732 */
2735 v2_ver_specific_len =
2738 err_msg_out);
2740 /* Success in v2 parser */
2742 /* Failure in v2 parser; it will have provided an err_msg */
2745 err:
2747 }
2749 /** Table of parser functions for version-specific parts of an INTRODUCE2
2750 * cell.
2751 */
2753 static ssize_t
2755 rend_intro_cell_t *,
2760 rend_service_parse_intro_for_v0_or_v1,
2761 rend_service_parse_intro_for_v2,
2762 rend_service_parse_intro_for_v3 };
2764 /** Decrypt the encrypted part of an INTRODUCE1 or INTRODUCE2 cell,
2765 * return 0 if successful, or < 0 and write an error message to
2766 * *err_msg_out if provided.
2767 */
2769 int
2774 {
2778 ssize_t key_len;
2784 err_msg =
2787 }
2791 }
2793 /* Make sure we have ciphertext */
2797 "rend_intro_cell_t was missing ciphertext for "
2800 }
2803 }
2805 /* Check that this cell actually matches this service key */
2807 /* first DIGEST_LEN bytes of request is intro or service pk digest */
2814 }
2824 }
2828 }
2830 /* Make sure the encrypted part is long enough to decrypt */
2836 "got an INTRODUCE%d cell with a truncated PK-encrypted "
2839 }
2843 }
2845 /* Decrypt the encrypted part */
2846 result =
2856 }
2859 }
2868 err:
2873 }
2875 done:
2879 /* clean up potentially sensitive material */
2885 }
2887 /** Parse the plaintext of the encrypted part of an INTRODUCE1 or
2888 * INTRODUCE2 cell, return 0 if successful, or < 0 and write an error
2889 * message to *err_msg_out if provided.
2890 */
2892 int
2896 {
2904 err_msg =
2907 }
2911 }
2913 /* Check that we have plaintext */
2917 }
2920 }
2922 /* In all formats except v0, the first byte is a version number */
2925 /* v0 has no version byte (stupid...), so handle it as a fallback */
2928 /* Copy the version into the parsed cell structure */
2931 /* Call the version-specific parser from the table */
2932 ver_specific_len =
2939 }
2941 /** The rendezvous cookie and Diffie-Hellman stuff are version-invariant
2942 * and at the end of the plaintext of the encrypted part of the cell.
2943 */
2963 REND_COOKIE_LEN);
2966 DH1024_KEY_LEN);
2967 }
2969 /* Flag it as being fully parsed */
2975 err:
2980 }
2982 done:
2987 }
2989 /** Do validity checks on a parsed intro cell after decryption; some of
2990 * these are not done in rend_service_parse_intro_plaintext() itself because
2991 * they depend on a lot of other state and would make it hard to unit test.
2992 * Returns >= 0 if successful or < 0 if the intro cell is invalid, and
2993 * optionally writes out an error message for logging. If an err_msg
2994 * pointer is provided, it is the caller's responsibility to free any
2995 * provided message.
2996 */
2998 int
3001 {
3012 }
3018 /* This is an informative message, not an error, as in the old code */
3023 }
3024 }
3026 err:
3028 }
3030 /** Called when we fail building a rendezvous circuit at some point other
3031 * than the last hop: launches a new circuit to the same rendezvous point.
3032 */
3033 void
3035 {
3047 }
3052 /* You'd think Single Onion Services would want to retry the rendezvous
3053 * using a direct connection. But if it's blocked by a firewall, or the
3054 * service is IPv6-only, or the rend point avoiding becoming a one-hop
3055 * proxy, we need a 3-hop connection. */
3064 }
3074 }
3076 /** Launch a circuit to serve as an introduction point for the service
3077 * <b>service</b> at the introduction point <b>nickname</b>
3078 */
3079 static int
3082 {
3089 /* Are we in single onion mode?
3090 *
3091 * We only use a one-hop path on the first attempt. If the first attempt
3092 * fails, we use a 3-hop path for reachability / reliability.
3093 * (Unlike v3, retries is incremented by the caller after it calls this
3094 * function.)
3095 */
3098 /* Do we have a descriptor for the node?
3099 * We've either just chosen it from the consensus, or we've just reviewed
3100 * our intro points to see which ones are still valid, and deleted the ones
3101 * that aren't in the consensus any more. */
3104 /* The service has kept an intro point after it went missing from the
3105 * consensus. If we did anything else here, it would be a consensus
3106 * distinguisher. Which are less of an issue for single onion services,
3107 * but still a bug. */
3109 }
3110 /* Can we connect to the node directly? If so, replace launch_ei
3111 * (a multi-hop extend_info) with one suitable for direct connection. */
3115 /* rend_service_use_direct_connection_node and extend_info_from_node
3116 * disagree about which addresses on this node are permitted. This
3117 * should never happen. Avoiding the connection is a safe response. */
3119 }
3122 }
3123 }
3124 /* launch_ei is either intro->extend_info, or has been replaced with a valid
3125 * extend_info for single onion service direct connection. */
3127 /* We must have the same intro when making a direct connection. */
3130 DIGEST_LEN));
3151 );
3154 }
3155 /* We must have the same exit node even if cannibalized or direct connection.
3156 */
3159 DIGEST_LEN));
3169 }
3171 /** Return the number of introduction points that are established for the
3172 * given service. */
3173 static unsigned int
3175 {
3180 );
3182 }
3184 /** Return the number of introduction points that are or are being
3185 * established for the given service. This function iterates over all
3186 * circuit and count those that are linked to the service and are waiting
3187 * for the intro point to respond. */
3188 static unsigned int
3190 {
3200 num_ipos++;
3201 }
3202 }
3203 }
3206 }
3208 /* Given a buffer of at least RELAY_PAYLOAD_SIZE bytes in <b>cell_body_out</b>,
3209 write the body of a legacy ESTABLISH_INTRO cell in it. Use <b>intro_key</b>
3210 as the intro point auth key, and <b>rend_circ_nonce</b> as the circuit
3211 crypto material. On success, fill <b>cell_body_out</b> and return the number
3212 of bytes written. On fail, return -1.
3213 */
3214 ssize_t
3219 {
3228 /* Build the payload for a RELAY_ESTABLISH_INTRO cell. */
3234 }
3249 }
3254 err:
3258 }
3260 /** Called when we're done building a circuit to an introduction point:
3261 * sends a RELAY_ESTABLISH_INTRO cell.
3262 */
3263 void
3265 {
3277 /* XXX: This is version 2 specific (only on supported). */
3289 }
3291 /* Take the current amount of expiring nodes and the current amount of IP
3292 * circuits and compute how many valid IP circuits we have. */
3295 /* Let's avoid an underflow. The valid_ip_circuits is initialized to 0 in
3296 * case this condition turns out false because it means that all circuits
3297 * are expiring so we need to keep this circuit. */
3300 }
3302 /* If we already have enough introduction circuits for this service,
3303 * redefine this one as a general circuit or close it, depending.
3304 * Subtract the amount of expiring nodes here because the circuits are
3305 * still opened. */
3308 /* Remove the intro point associated with this circuit, it's being
3309 * repurposed or closed thus cleanup memory. */
3314 }
3317 /* XXXX in some future version, we can test whether the transition is
3318 allowed or not given the actual nodes in the circuit. But for now,
3319 this case, we might as well close the thing. */
3327 "circuit, but we already have enough. Redefining purpose to "
3332 CIRCUIT_PURPOSE_HS_VANGUARDS);
3335 }
3337 {
3340 }
3341 {
3345 }
3349 }
3350 }
3357 /* Send the ESTABLISH_INTRO cell */
3358 {
3359 ssize_t len;
3366 }
3369 RELAY_COMMAND_ESTABLISH_INTRO,
3375 }
3376 }
3378 /* We've attempted to use this circuit */
3383 err:
3385 done:
3390 }
3392 /** Called when we get an INTRO_ESTABLISHED cell; mark the circuit as a
3393 * live introduction point, and note that the service descriptor is
3394 * now out-of-date. */
3395 int
3399 {
3406 /* XXX: This is version 2 specific (only supported one for now). */
3414 }
3420 }
3423 /* We've just successfully established a intro circuit to one of our
3424 * introduction point, account for it. */
3428 "Introduction circuit established without a rend_intro_point_t "
3432 }
3434 /* We might not have every introduction point ready but at this point we
3435 * know that the descriptor needs to be uploaded. */
3443 /* Getting a valid INTRODUCE_ESTABLISHED means we've successfully
3444 * used the circ */
3448 err:
3451 }
3453 /** Called once a circuit to a rendezvous point is established: sends a
3454 * RELAY_COMMAND_RENDEZVOUS1 cell.
3455 */
3456 void
3458 {
3473 /* XXX: This is version 2 specific (only one supported). */
3475 NULL);
3478 /* Declare the circuit dirty to avoid reuse, and for path-bias. We set the
3479 * timestamp regardless of its content because that circuit could have been
3480 * cannibalized so in any cases, we are about to use that circuit more. */
3483 /* This may be redundant */
3493 "Done building circuit %u to rendezvous with "
3498 /* Clear the 'in-progress HS circ has timed out' flag for
3499 * consistency with what happens on the client side; this line has
3500 * no effect on Tor's behaviour. */
3503 /* If hop is NULL, another rend circ has already connected to this
3504 * rend point. Close this circ. */
3510 }
3512 /* Remove our final cpath element from the reference, so that no
3513 * other circuit will try to use it. Store it in
3514 * pending_final_cpath for now to ensure that it will be freed if
3515 * our rendezvous attempt fails. */
3525 }
3527 /* All we need to do is send a RELAY_RENDEZVOUS1 cell... */
3534 }
3536 DIGEST_LEN);
3538 /* Send the cell */
3540 RELAY_COMMAND_RENDEZVOUS1,
3545 }
3550 /* Append the cpath entry. */
3552 /* set the windows to default. these are the windows
3553 * that the service thinks the client has.
3554 */
3561 /* Change the circuit purpose. */
3566 err:
3568 done:
3574 }
3576 /*
3577 * Manage introduction points
3578 */
3580 /** Return the (possibly non-open) introduction circuit ending at
3581 * <b>intro</b> for the service whose public key is <b>pk_digest</b>.
3582 * (<b>desc_version</b> is ignored). Return NULL if no such service is
3583 * found.
3584 */
3587 {
3597 }
3598 }
3603 CIRCUIT_PURPOSE_S_ESTABLISH_INTRO))) {
3608 }
3609 }
3611 }
3613 /** Return the corresponding introdution point using the circuit <b>circ</b>
3614 * found in the <b>service</b>. NULL is returned if not found. */
3617 {
3623 intro_point,
3626 });
3629 }
3631 /** Return a pointer to the rend_intro_point_t corresponding to the
3632 * service-side introduction circuit <b>circ</b>. */
3635 {
3648 });
3655 });
3658 }
3660 /** Upload the rend_encoded_v2_service_descriptor_t's in <b>descs</b>
3661 * associated with the rend_service_descriptor_t <b>renddesc</b> to
3662 * the responsible hidden service directories OR the hidden service
3663 * directories specified by <b>hs_dirs</b>; <b>service_id</b> and
3664 * <b>seconds_valid</b> are only passed for logging purposes.
3665 */
3666 void
3670 {
3677 /** If any HSDirs are specified, they should be used instead of
3678 * the responsible directories */
3682 /* Determine responsible dirs. */
3691 }
3692 }
3701 /* Don't upload descriptor if we succeeded in doing so last time. */
3706 "hidden service directory %s; we don't have its "
3711 }
3712 /* Send publish request. */
3714 /* We need the service ID to identify which service did the upload
3715 * request. Lookup is made in rend_service_desc_has_uploaded(). */
3717 REND_NO_AUTH);
3733 "service '%s' with descriptor ID '%s' with validity "
3734 "of %d seconds to hidden service directory '%s' on "
3738 seconds_valid,
3740 hs_dir_ip,
3746 /* Remember successful upload to this router for next time. */
3750 }
3752 }
3758 }
3761 /* Remember which routers worked this time, so that we don't upload the
3762 * descriptor to them again. */
3769 }
3770 });
3771 }
3772 done:
3775 }
3777 /** Encode and sign an up-to-date service descriptor for <b>service</b>,
3778 * and upload it/them to the responsible hidden service directories.
3779 */
3780 static void
3782 {
3795 /* Either upload a single descriptor (including replicas) or one
3796 * descriptor for each authorized client in case of authorization
3797 * type 'stealth'. */
3806 /* Do nothing here. */
3817 }
3818 /* Encode the current descriptor. */
3822 client_key,
3823 client_cookies);
3830 }
3833 /* Post the current descriptors to the hidden service directories. */
3835 serviceid);
3837 seconds_valid);
3838 }
3839 /* Free memory for descriptors. */
3843 /* Update next upload time. */
3849 else
3852 /* Post also the next descriptors, if necessary. */
3857 client_key,
3858 client_cookies);
3865 }
3868 seconds_valid);
3869 }
3870 /* Free memory for descriptors. */
3874 }
3875 }
3883 }
3884 }
3886 /* If not uploaded, try again in one minute. */
3890 /* Unmark dirty flag of this service. */
3892 }
3894 /** Return the number of INTRODUCE2 cells this hidden service has received
3895 * from this intro point. */
3896 static int
3898 {
3900 }
3902 /** Return non-zero iff <b>intro</b> should 'expire' now (i.e. we
3903 * should stop publishing it in new descriptors and eventually close
3904 * it). */
3905 static int
3908 {
3912 /* Don't expire an intro point if we haven't even published it yet. */
3914 }
3918 /* This intro point has been used too many times. Expire it now. */
3920 }
3923 /* This intro point has been published, but we haven't picked an
3924 * expiration time for it. Pick one now. */
3927 INTRO_POINT_LIFETIME_MAX_SECONDS);
3929 /* Start the expiration timer now, rather than when the intro
3930 * point was first published. There shouldn't be much of a time
3931 * difference. */
3935 }
3937 /* This intro point has a time to expire set already. Use it. */
3939 }
3941 /** Iterate over intro points in the given service and remove the invalid
3942 * ones. For an intro point object to be considered invalid, the circuit
3943 * _and_ node need to have disappeared.
3944 *
3945 * If the intro point should expire, it's placed into the expiring_nodes
3946 * list of the service and removed from the active intro nodes list.
3947 *
3948 * If <b>exclude_nodes</b> is not NULL, add the valid nodes to it.
3949 *
3950 * If <b>retry_nodes</b> is not NULL, add the valid node to it if the
3951 * circuit disappeared but the node is still in the consensus. */
3952 static void
3956 {
3959 /* Remove any expired nodes that doesn't have a circuit. */
3961 intro) {
3966 }
3967 /* No more circuit, cleanup the into point object. */
3973 intro) {
3974 /* Find the introduction point node object. */
3977 /* Find the intro circuit, this might be NULL. */
3981 /* Add the valid node to the exclusion list so we don't try to establish
3982 * an introduction point to it again. */
3985 }
3987 /* First, make sure we still have a valid circuit for this intro point.
3988 * If we dont, we'll give up on it and make a new one. */
3994 /* We've lost the circuit for this intro point, flag it so it can be
3995 * accounted for when considiring uploading a descriptor. */
3998 /* Node is gone or we've reached our maximum circuit creationg retry
3999 * count, clean up everything, we'll find a new one. */
4004 /* We've just killed the intro point, nothing left to do. */
4006 }
4008 /* The intro point is still alive so let's try to use it again because
4009 * we have a published descriptor containing it. Keep the intro point
4010 * in the intro_nodes list because it's still valid, we are rebuilding
4011 * a circuit to it. */
4014 }
4015 }
4016 /* else, the circuit is valid so in both cases, node being alive or not,
4017 * we leave the circuit and intro point object as is. Closing the
4018 * circuit here would leak new consensus timing and freeing the intro
4019 * point object would make the intro circuit unusable. */
4021 /* Now, check if intro point should expire. If it does, queue it so
4022 * it can be cleaned up once it has been replaced properly. */
4027 /* We might have put it in the retry list if so, undo. */
4030 }
4033 /* Intro point is expired, we need a new one thus don't consider it
4034 * anymore has a valid established intro point. */
4036 }
4038 }
4040 /** A new descriptor has been successfully uploaded for the given
4041 * <b>rend_data</b>. Remove and free the expiring nodes from the associated
4042 * service. */
4043 void
4045 {
4056 }
4059 intro) {
4064 END_CIRC_REASON_FINISHED);
4065 }
4069 }
4071 /** Don't try to build more than this many circuits before giving up
4072 * for a while. Dynamically calculated based on the configured number of
4073 * introduction points for the service, n_intro_points_wanted. */
4074 static int
4076 {
4077 /* Allow all but one of the initial connections to fail and be
4078 * retried. (If all fail, we *want* to wait, because something is broken.) */
4081 /* For the normal use case, 3 intro points plus 2 extra for performance and
4082 * allow that twice because once every 24h or so, we can do it twice for two
4083 * descriptors that is the current one and the next one. So (3 + 2) * 2 ==
4084 * 12 allowed attempts for one period. */
4086 }
4088 /** For every service, check how many intro points it currently has, and:
4089 * - Invalidate introdution points based on specific criteria, see
4090 * remove_invalid_intro_points comments.
4091 * - Pick new intro points as necessary.
4092 * - Launch circuits to any new intro points.
4093 *
4094 * This is called once a second by the main loop.
4095 */
4096 void
4098 {
4101 /* Are we in single onion mode? */
4104 /* List of nodes we need to _exclude_ when choosing a new node to
4105 * establish an intro point to. */
4107 /* List of nodes we need to retry to build a circuit on them because the
4108 * node is valid but circuit died. */
4119 /* Number of intro points we want to open and add to the intro nodes
4120 * list of the service. */
4122 /* Have an unsigned len so we can use it to compare values else gcc is
4123 * not happy with unmatching signed comparaison. */
4125 /* Different service are allowed to have the same introduction point as
4126 * long as they are on different circuit thus why we clear this list. */
4130 /* Cleanup the invalid intro points and save the node objects, if any,
4131 * in the exclude_nodes and retry_nodes lists. */
4134 /* This retry period is important here so we don't stress circuit
4135 * creation. */
4138 /* One period has elapsed:
4139 * - if we stopped, we can try building circuits again,
4140 * - if we haven't, we reset the circuit creation counts. */
4147 /* We have failed too many times in this period; wait for the next
4148 * one before we try to initiate any more connections. */
4151 }
4153 /* Let's try to rebuild circuit on the nodes we want to retry on. */
4160 /* Unable to launch a circuit to that intro point, remove it from
4161 * the valid list so we can create a new one. */
4165 }
4169 /* Avoid mismatched signed comparaison below. */
4172 /* Quiescent state, we have more or the equal amount of wanted node for
4173 * this service. Proceed to the next service. We can have more nodes
4174 * because we launch extra preemptive circuits if our intro nodes list was
4175 * originally empty for performance reasons. */
4178 }
4180 /* Number of intro points we want to open which is the wanted amount minus
4181 * the current amount of valid nodes. We know that this won't underflow
4182 * because of the check above. */
4185 /* We want to end up with n_intro_points_wanted intro points, but if
4186 * we have no intro points at all (chances are they all cycled or we
4187 * are starting up), we launch NUM_INTRO_POINTS_EXTRA extra circuits
4188 * and use the first n_intro_points_wanted that complete. See proposal
4189 * #155, section 4 for the rationale of this which is purely for
4190 * performance.
4191 *
4192 * The ones after the first n_intro_points_to_open will be converted
4193 * to 'general' internal circuits in rend_service_intro_has_opened(),
4194 * and then we'll drop them from the list of intro points. */
4196 }
4209 /* If we are in single onion mode, retry node selection for a 3-hop
4210 * path */
4213 "Unable to find an intro point that we can connect to "
4218 }
4222 "We only have %d introduction points established for %s; "
4226 n_intro_points_to_open);
4228 }
4229 /* Add the chosen node to the exclusion list in order to avoid picking
4230 * it again in the next iteration. */
4233 /* extend_info is for clients, so we want the multi-hop primary ORPort,
4234 * even if we are a single onion service and intend to connect to it
4235 * directly ourselves. */
4239 }
4247 INTRO_POINT_MAX_LIFETIME_INTRODUCTIONS);
4252 /* Establish new introduction circuit to our chosen intro point. */
4258 /* This funcion will be called again by the main loop so this intro
4259 * point without a intro circuit will be retried on or removed after
4260 * a maximum number of attempts. */
4261 }
4262 }
4266 }
4268 #define MIN_REND_INITIAL_POST_DELAY (30)
4269 #define MIN_REND_INITIAL_POST_DELAY_TESTING (5)
4271 /** Regenerate and upload rendezvous service descriptors for all
4272 * services, if necessary. If the descriptor has been dirty enough
4273 * for long enough, definitely upload; else only upload when the
4274 * periodic timeout has expired.
4275 *
4276 * For the first upload, pick a random time between now and two periods
4277 * from now, and pick it independently for each service.
4278 */
4279 void
4281 {
4287 MIN_REND_INITIAL_POST_DELAY_TESTING :
4288 MIN_REND_INITIAL_POST_DELAY);
4293 /* The fixed lower bound of rendinitialpostdelay seconds ensures that
4294 * the descriptor is stable before being published. See comment below. */
4297 /* Single Onion Services prioritise availability over hiding their
4298 * startup time, as their IP address is publicly discoverable anyway.
4299 */
4302 }
4303 }
4304 /* Does every introduction points have been established? */
4312 /* if it's time, or if the directory servers have a wrong service
4313 * descriptor and ours has been stable for rendinitialpostdelay seconds,
4314 * upload a new one of each format. */
4317 }
4318 }
4319 }
4321 /** True if the list of available router descriptors might have changed so
4322 * that we should have a look whether we can republish previously failed
4323 * rendezvous service descriptors. */
4326 /** Called when our internal view of the directory has changed, so that we
4327 * might have router descriptors of hidden service directories available that
4328 * we did not have before. */
4329 void
4331 {
4333 }
4335 /** Consider republication of v2 rendezvous service descriptors that failed
4336 * previously, but without regenerating descriptor contents.
4337 */
4338 void
4340 {
4354 /* If we failed in uploading a descriptor last time, try again *without*
4355 * updating the descriptor's contents. */
4357 }
4358 }
4359 }
4361 /** Log the status of introduction points for all rendezvous services
4362 * at log severity <b>severity</b>.
4363 */
4364 void
4366 {
4386 }
4389 }
4390 }
4391 }
4393 /** Given <b>conn</b>, a rendezvous exit stream, look up the hidden service for
4394 * <b>circ</b>, and look up the port and address based on conn-\>port.
4395 * Assign the actual conn-\>addr and conn-\>port. Return -2 on failure
4396 * for which the circuit should be closed, -1 on other failure,
4397 * or 0 for success.
4398 */
4399 int
4402 {
4419 }
4421 /* Enforce the streams-per-circuit limit, and refuse to provide a
4422 * mapping if this circuit will exceed the limit. */
4423 #define MAX_STREAM_WARN_INTERVAL 600
4428 "Maximum streams per circuit limit reached on rendezvous "
4437 }
4438 }
4441 /* Successfully set the port to the connection. We are done. */
4443 }
4451 else
4453 }
4455 /* Are HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode consistent?
4456 */
4457 static int
4459 {
4460 /* !! is used to make these options boolean */
4463 }
4465 /* Do the options allow onion services to make direct (non-anonymous)
4466 * connections to introduction or rendezvous points?
4467 * Must only be called after options_validate_single_onion() has successfully
4468 * checked onion service option consistency.
4469 * Returns true if tor is in HiddenServiceSingleHopMode. */
4470 int
4472 {
4475 }
4477 /* Do the options allow us to reveal the exact startup time of the onion
4478 * service?
4479 * Single Onion Services prioritise availability over hiding their
4480 * startup time, as their IP address is publicly discoverable anyway.
4481 * Must only be called after options_validate_single_onion() has successfully
4482 * checked onion service option consistency.
4483 * Returns true if tor is in non-anonymous hidden service mode. */
4484 int
4486 {
4489 }
4491 /* Is non-anonymous mode enabled using the HiddenServiceNonAnonymousMode
4492 * config option?
4493 * Must only be called after options_validate_single_onion() has successfully
4494 * checked onion service option consistency.
4495 */
4496 int
4498 {
4501 }
4503 #ifdef TOR_UNIT_TESTS
4505 STATIC void
4507 {
4509 }
4511 STATIC void
4513 {
4515 }