| blob | e812a06ce663ae0879fc70bfaf6ac6e40bfe686d |
1 /* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
2 * Copyright (c) 2007-2015, The Tor Project, Inc. */
3 /* See LICENSE for licensing information */
5 /**
6 * \file rendclient.c
7 * \brief Client code to access location-hidden services.
8 **/
35 /** Purge all potentially remotely-detectable state held in the hidden
36 * service client code. Called on SIGNAL NEWNYM. */
37 void
39 {
44 }
46 /** Called when we've established a circuit to an introduction point:
47 * send the introduction request. */
48 void
50 {
56 }
58 /** Send the establish-rendezvous cell along a rendezvous circuit. if
59 * it fails, mark the circ for close and return -1. else return 0.
60 */
61 static int
63 {
70 /* Set timestamp_dirty, because circuit_expire_building expects it,
71 * and the rend cookie also means we've used the circ. */
74 /* We've attempted to use this circuit. Probe it if we fail */
78 RELAY_COMMAND_ESTABLISH_RENDEZVOUS,
80 REND_COOKIE_LEN,
82 /* circ is already marked for close */
85 }
88 }
90 /** Extend the introduction circuit <b>circ</b> to another valid
91 * introduction point for the hidden service it is trying to connect
92 * to, or mark it and launch a new circuit if we can't extend it.
93 * Return 0 on success or possible success. Return -1 and mark the
94 * introduction circuit for close on permanent failure.
95 *
96 * On failure, the caller is responsible for marking the associated
97 * rendezvous circuit for close. */
98 static int
100 {
110 }
111 // XXX: should we not re-extend if hs_circ_has_timed_out?
123 /* connection_ap_handshake_attach_circuit will launch a new intro circ. */
125 }
128 }
130 /** Called when we're trying to connect an ap conn; sends an INTRODUCE1 cell
131 * down introcirc if possible.
132 */
133 int
136 {
143 off_t dh_offset;
153 #ifndef NON_ANONYMOUS_MODE_ENABLED
156 #endif
160 /* An invalid onion address is not possible else we have a big issue. */
163 /* If the descriptor is not found or the intro points are not usable
164 * anymore, trigger a fetch. */
166 "query %s didn't have valid rend desc in cache. "
170 {
174 AP_CONN_STATE_CIRCUIT_WAIT,
178 }
179 }
183 }
185 /* first 20 bytes of payload are the hash of the service's pk */
188 intro, {
193 }
194 });
197 "have a v2 rend desc with %d intro points. "
210 }
211 }
216 }
218 /* Initialize the pending_final_cpath and start the DH handshake. */
228 }
233 }
234 }
236 /* If version is 3, write (optional) auth data and timestamp. */
244 REND_DESC_COOKIE_LEN);
246 }
247 /* Once this held a timestamp. */
253 }
255 /* write the remaining items into tmp */
257 /* version 2 format */
260 /* nul pads */
269 REND_COOKIE_LEN);
272 /* Version 0. */
276 REND_COOKIE_LEN);
278 }
285 }
288 /*XXX maybe give crypto_pk_public_hybrid_encrypt a max_len arg,
289 * to avoid buffer overflows? */
292 tmp,
299 }
304 /* Copy the rendezvous cookie from rendcirc to introcirc, so that
305 * when introcirc gets an ack, we can change the state of the right
306 * rendezvous circuit. */
308 REND_COOKIE_LEN);
312 RELAY_COMMAND_INTRODUCE1,
315 /* introcirc is already marked for close. leave rendcirc alone. */
319 }
321 /* Now, we wait for an ACK or NAK on this circuit. */
323 CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT);
324 /* Set timestamp_dirty, because circuit_expire_building expects it
325 * to specify when a circuit entered the _C_INTRODUCE_ACK_WAIT
326 * state. */
333 perm_err:
337 cleanup:
342 }
344 /** Called when a rendezvous circuit is open; sends a establish
345 * rendezvous circuit as appropriate. */
346 void
348 {
353 /* generate a rendezvous cookie, store it in circ */
356 }
357 }
359 /**
360 * Called to close other intro circuits we launched in parallel.
361 */
362 static void
364 {
365 /* abort parallel intro circs, if any */
378 }
379 }
380 }
382 }
384 /** Called when get an ACK or a NAK for a REND_INTRODUCE1 cell.
385 */
386 int
389 {
399 }
402 #ifndef NON_ANONYMOUS_MODE_ENABLED
404 #endif
407 /* For path bias: This circuit was used successfully. Valid
408 * nacks and acks count. */
412 /* It's an ACK; the introduction point relayed our introduction request. */
413 /* Locate the rend circ which is waiting to hear about this ack,
414 * and tell it.
415 */
419 #ifndef NON_ANONYMOUS_MODE_ENABLED
421 #endif
423 CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED);
424 /* Set timestamp_dirty, because circuit_expire_building expects
425 * it to specify when a circuit entered the
426 * _C_REND_READY_INTRO_ACKED state. */
430 }
431 /* close the circuit: we won't need it anymore. */
433 CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
436 /* close any other intros launched in parallel */
439 /* It's a NAK; the introduction point didn't relay our request. */
441 /* Remove this intro point from the set of viable introduction
442 * points. If any remain, extend to a new one and try again.
443 * If none remain, refetch the service descriptor.
444 */
451 /* There are introduction points left. Re-extend the circuit to
452 * another intro point and try again. */
454 /* XXXX If that call failed, should we close the rend circuit,
455 * too? */
458 /* Close circuit because no more intro points are usable thus not
459 * useful anymore. Change it's purpose before so we don't report an
460 * intro point failure again triggering an extra descriptor fetch. */
462 CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
464 }
465 }
467 }
469 /** The period for which a hidden service directory cannot be queried for
470 * the same descriptor ID again. */
471 #define REND_HID_SERV_DIR_REQUERY_PERIOD (15 * 60)
473 /** Contains the last request times to hidden service directories for
474 * certain queries; each key is a string consisting of the
475 * concatenation of a base32-encoded HS directory identity digest and
476 * base32-encoded HS descriptor ID; each value is a pointer to a time_t
477 * holding the time of the last request for that descriptor ID to that
478 * HS directory. */
481 /** Returns last_hid_serv_requests_, initializing it to a new strmap if
482 * necessary. */
485 {
489 }
491 #define LAST_HID_SERV_REQUEST_KEY_LEN (REND_DESC_ID_V2_LEN_BASE32 + \
492 REND_DESC_ID_V2_LEN_BASE32)
494 /** Look up the last request time to hidden service directory <b>hs_dir</b>
495 * for descriptor ID <b>desc_id_base32</b>. If <b>set</b> is non-zero,
496 * assign the current time <b>now</b> and return that. Otherwise, return the
497 * most recent request time, or 0 if no such request has been sent before.
498 */
499 static time_t
503 {
511 hsdir_id_base32,
512 desc_id_base32);
513 /* XXX023 tor_assert(strlen(hsdir_desc_comb_id) ==
514 LAST_HID_SERV_REQUEST_KEY_LEN); */
520 last_request_ptr);
524 hsdir_desc_comb_id);
526 }
528 /** Clean the history of request times to hidden service directories, so that
529 * it does not contain requests older than REND_HID_SERV_DIR_REQUERY_PERIOD
530 * seconds any more. */
531 static void
533 {
549 }
550 }
551 }
553 /** Remove all requests related to the descriptor ID <b>desc_id</b> from the
554 * history of times of requests to hidden service directories.
555 * <b>desc_id</b> is an unencoded descriptor ID of size DIGEST_LEN.
556 *
557 * This is called from rend_client_note_connection_attempt_ended(), which
558 * must be idempotent, so any future changes to this function must leave it
559 * idempotent too. */
560 static void
562 {
567 /* Key is stored with the base32 encoded desc_id. */
569 DIGEST_LEN);
575 /* XXX023 tor_assert(strlen(key) == LAST_HID_SERV_REQUEST_KEY_LEN); */
577 REND_DESC_ID_V2_LEN_BASE32,
578 desc_id_base32,
579 REND_DESC_ID_V2_LEN_BASE32)) {
584 }
585 }
586 }
588 /** Purge the history of request times to hidden service directories,
589 * so that future lookups of an HS descriptor will not fail because we
590 * accessed all of the HSDir relays responsible for the descriptor
591 * recently. */
592 void
594 {
595 /* Don't create the table if it doesn't exist yet (and it may very
596 * well not exist if the user hasn't accessed any HSes)... */
598 /* ... and let get_last_hid_serv_requests re-create it for us if
599 * necessary. */
605 }
606 }
608 /** This returns a good valid hs dir that should be used for the given
609 * descriptor id.
610 *
611 * Return NULL on error else the hsdir node pointer. */
614 {
625 /* Determine responsible dirs. Even if we can't get all we want, work with
626 * the ones we have. If it's empty, we'll notice below. */
629 /* Clean request history first. */
632 /* Only select those hidden service directories to which we did not send a
633 * request recently and for which we have a router descriptor here. */
642 }
645 }
648 excluded_some =
654 }
660 "service directories, because we requested them all "
664 "requested hidden service: they are all either down or "
666 }
668 /* Remember that we are requesting a descriptor from this hidden service
669 * directory now. */
671 }
674 }
676 /** Determine the responsible hidden service directories for <b>desc_id</b>
677 * and fetch the descriptor with that ID from one of them. Only
678 * send a request to a hidden service directory that we have not yet tried
679 * during this attempt to connect to this hidden service; on success, return 1,
680 * in the case that no hidden service directory is left to ask for the
681 * descriptor, return 0, and in case of a failure -1. */
682 static int
685 {
690 #ifdef ENABLE_TOR2WEB_MODE
693 #else
695 #endif
702 /* Automatically pick an hs dir if none given. */
706 /* No suitable hs dir can be found, stop right now. */
708 }
709 }
711 /* Add a copy of the HSDir identity digest to the query so we can track it
712 * on the control port. */
717 /* Encode descriptor cookie for logging purposes. Also, if the cookie is
718 * malformed, no fetch is triggered thus this needs to be done before the
719 * fetch request. */
727 }
728 /* Remove == signs. */
733 }
735 /* Send fetch request. (Pass query and possibly descriptor cookie so that
736 * they can be written to the directory connection and be referred to when
737 * the response arrives. */
739 DIR_PURPOSE_FETCH_RENDDESC_V2,
740 ROUTER_PURPOSE_GENERAL,
741 how_to_fetch,
742 desc_id_base32,
744 rend_query);
746 "service '%s' with descriptor ID '%s', auth type %d, "
747 "and descriptor cookie '%s' to hidden service "
756 desc_id_base32);
758 }
760 /** Fetch a v2 descriptor using the given descriptor id. If any hsdir(s) are
761 * given, they will be used instead.
762 *
763 * On success, 1 is returned. If no hidden service is left to ask, return 0.
764 * On error, -1 is returned. */
765 static int
768 {
776 }
778 /* Using the given hsdir list, trigger a fetch on each of them. */
780 /* This should always be a success. */
785 /* Everything went well. */
788 end:
790 }
792 /** Fetch a v2 descriptor using the onion address in the given query object.
793 * This will compute the descriptor id for each replicas and fetch it on the
794 * given hsdir(s) if any or the responsible ones that are choosen
795 * automatically.
796 *
797 * On success, 1 is returned. If no hidden service is left to ask, return 0.
798 * On error, -1 is returned. */
799 static int
801 {
808 /* Randomly iterate over the replicas until a descriptor can be fetched
809 * from one of the consecutive nodes, or no options are left. */
812 }
825 /* Normally, on failure the descriptor_id is untouched but let's be
826 * safe in general in case the function changes at some point. */
828 }
832 /* Not equal from what we currently have so purge the last hid serv
833 * request cache and update the descriptor ID with the new value. */
838 }
840 /* Trigger the fetch with the computed descriptor ID. */
843 /* Either on success or failure, as long as we tried a fetch we are
844 * done here. */
846 }
847 }
849 /* If we come here, there are no hidden service directories left. */
851 "service directories to fetch descriptors, because "
855 end:
858 }
860 /** Fetch a v2 descriptor using the given query. If any hsdir are specified,
861 * use them for the fetch.
862 *
863 * On success, 1 is returned. If no hidden service is left to ask, return 0.
864 * On error, -1 is returned. */
865 int
867 {
872 /* Depending on what's available in the rend data query object, we will
873 * trigger a fetch by HS address or using a descriptor ID. */
880 /* Query data is invalid. */
883 }
885 error:
887 }
889 /** Unless we already have a descriptor for <b>rend_query</b> with at least
890 * one (possibly) working introduction point in it, start a connection to a
891 * hidden service directory to fetch a v2 rendezvous service descriptor. */
892 void
894 {
899 /* Are we configured to fetch descriptors? */
904 }
905 /* Before fetching, check if we already have a usable descriptor here. */
911 }
917 /* Close pending connections on error or if no hsdir can be found. */
919 }
921 }
923 /** Cancel all rendezvous descriptor fetches currently in progress.
924 */
925 void
927 {
933 /* It's a rendezvous descriptor fetch in progress -- cancel it
934 * by marking the connection for close.
935 *
936 * Even if this connection has already reached EOF, this is
937 * enough to make sure that if the descriptor hasn't been
938 * processed yet, it won't be. See the end of
939 * connection_handle_read; connection_reached_eof (indirectly)
940 * processes whatever response the connection received. */
945 "Marking for close dir conn fetching rendezvous "
951 }
953 }
955 }
957 /** Mark <b>failed_intro</b> as a failed introduction point for the
958 * hidden service specified by <b>rend_query</b>. If the HS now has no
959 * usable intro points, or we do not have an HS descriptor for it,
960 * then launch a new renddesc fetch.
961 *
962 * If <b>failure_type</b> is INTRO_POINT_FAILURE_GENERIC, remove the
963 * intro point from (our parsed copy of) the HS descriptor.
964 *
965 * If <b>failure_type</b> is INTRO_POINT_FAILURE_TIMEOUT, mark the
966 * intro point as 'timed out'; it will not be retried until the
967 * current hidden service connection attempt has ended or it has
968 * appeared in a newly fetched rendezvous descriptor.
969 *
970 * If <b>failure_type</b> is INTRO_POINT_FAILURE_UNREACHABLE,
971 * increment the intro point's reachability-failure count; if it has
972 * now failed MAX_INTRO_POINT_REACHABILITY_FAILURES or more times,
973 * remove the intro point from (our parsed copy of) the HS descriptor.
974 *
975 * Return -1 if error, 0 if no usable intro points remain or service
976 * unrecognized, 1 if recognized and some intro points remain.
977 */
978 int
982 {
989 /* Either invalid onion address or cache entry not found. */
1003 }
1004 }
1005 /* The intro points are not checked here if they are usable or not because
1006 * this is called when an intro point circuit is closed thus there must be
1007 * at least one intro point that is usable and is about to be flagged. */
1016 failure_type);
1018 /* fall through */
1031 {
1039 failure_type,
1044 }
1045 }
1047 }
1049 }
1050 }
1058 /* move all pending streams back to renddesc_wait */
1059 /* NOTE: We can now do this faster, if we use pending_entry_connections */
1061 AP_CONN_STATE_CIRCUIT_WAIT,
1065 }
1068 }
1073 }
1075 /** Called when we receive a RENDEZVOUS_ESTABLISHED cell; changes the state of
1076 * the circuit to C_REND_READY.
1077 */
1078 int
1081 {
1084 /* we just got an ack for our establish-rendezvous. switch purposes. */
1090 }
1094 /* Set timestamp_dirty, because circuit_expire_building expects it
1095 * to specify when a circuit entered the _C_REND_READY state. */
1098 /* From a path bias point of view, this circuit is now successfully used.
1099 * Waiting any longer opens us up to attacks from malicious hidden services.
1100 * They could induce the client to attempt to connect to their hidden
1101 * service and never reply to the client's rend requests */
1104 /* XXXX This is a pretty brute-force approach. It'd be better to
1105 * attach only the connections that are waiting on this circuit, rather
1106 * than trying to attach them all. See comments bug 743. */
1107 /* If we already have the introduction circuit built, make sure we send
1108 * the INTRODUCE cell _now_ */
1111 }
1113 /** The service sent us a rendezvous cell; join the circuits. */
1114 int
1117 {
1128 }
1134 }
1138 /* first DH_KEY_LEN bytes are g^y from the service. Finish the dh
1139 * handshake...*/
1146 DH_KEY_LEN,
1150 }
1151 /* ... and set up cpath. */
1155 /* Check whether the digest is right... */
1159 }
1164 /* All is well. Extend the circuit. */
1167 /* set the windows to default. these are the windows
1168 * that the client thinks the service has.
1169 */
1173 /* Now that this circuit has finished connecting to its destination,
1174 * make sure circuit_get_open_circ_or_launch is willing to return it
1175 * so we can actually use it. */
1185 err:
1189 }
1191 /** Find all the apconns in state AP_CONN_STATE_RENDDESC_WAIT that are
1192 * waiting on <b>query</b>. If there's a working cache entry here with at
1193 * least one intro point, move them to the next state. */
1194 void
1196 {
1218 /* either this fetch worked, or it failed but there was a
1219 * valid entry from before which we should reuse */
1223 /* restart their timeout values, so they get a fair shake at
1224 * connecting to the hidden service. */
1236 }
1238 }
1240 /** Clear temporary state used only during an attempt to connect to the
1241 * hidden service with <b>rend_data</b>. Called when a connection attempt
1242 * has ended; it is possible for this to be called multiple times while
1243 * handling an ended connection attempt, and any future changes to this
1244 * function must ensure it remains idempotent. */
1245 void
1247 {
1252 /* Ignore return value; we find an entry, or we don't. */
1256 }
1258 /* Clear the timed_out flag on all remaining intro points for this HS. */
1263 }
1265 /* Remove the HS's entries in last_hid_serv_requests. */
1269 replica++) {
1272 }
1277 /* We only have an ID for a fetch. Probably used by HSFETCH. */
1279 }
1280 }
1282 /** Return a newly allocated extend_info_t* for a randomly chosen introduction
1283 * point for the named hidden service. Return NULL if all introduction points
1284 * have been tried and failed.
1285 */
1286 extend_info_t *
1288 {
1298 /* XXX: Should we refetch the descriptor here if the IPs are not usable
1299 * anymore ?. */
1301 }
1303 /* See if we can get a node that complies with ExcludeNodes */
1306 /* If not, and StrictNodes is not set, see if we can return any old node
1307 */
1311 }
1313 /** As rend_client_get_random_intro, except assume that StrictNodes is set
1314 * iff <b>strict</b> is true. If <b>warnings</b> is false, don't complain
1315 * to the user when we're out of nodes, even if StrictNodes is true.
1316 */
1321 {
1329 /* We'll keep a separate list of the usable nodes. If this becomes empty,
1330 * no nodes are usable. */
1334 /* Remove the intro points that have timed out during this HS
1335 * connection attempt from our list of usable nodes. */
1339 });
1341 again:
1344 /* We only want to warn if StrictNodes is really set. Otherwise
1345 * we're just about to retry anyways.
1346 */
1349 }
1352 }
1356 /* Do we need to look up the router or is the extend info complete? */
1362 else
1369 }
1380 }
1382 }
1383 /* Check if we should refuse to talk to this router. */
1387 n_excluded++;
1390 }
1394 }
1396 /** Return true iff any introduction points still listed in <b>entry</b> are
1397 * usable. */
1398 int
1400 {
1408 }
1410 /** Client-side authorizations for hidden services; map of onion address to
1411 * rend_service_authorization_t*. */
1414 /** Look up the client-side authorization for the hidden service with
1415 * <b>onion_address</b>. Return NULL if no authorization is available for
1416 * that address. */
1417 rend_service_authorization_t*
1419 {
1423 }
1425 /** Helper: Free storage held by rend_service_authorization_t. */
1426 static void
1428 {
1430 }
1432 /** Helper for strmap_free. */
1433 static void
1435 {
1437 }
1439 /** Release all the storage held in auth_hid_servs.
1440 */
1441 void
1443 {
1446 }
1449 }
1451 /** Parse <b>config_line</b> as a client-side authorization for a hidden
1452 * service and add it to the local map of hidden service authorizations.
1453 * Return 0 for success and -1 for failure. */
1454 int
1457 {
1479 }
1481 /* Parse onion address. */
1486 onion_address);
1488 }
1492 onion_address);
1494 }
1495 /* Parse descriptor cookie. */
1499 descriptor_cookie);
1501 }
1502 /* Add trailing zero bytes (AA) to make base64-decoding happy. */
1507 descriptor_cookie_base64ext,
1510 descriptor_cookie);
1512 }
1518 }
1521 REND_DESC_COOKIE_LEN);
1526 }
1529 }
1532 err:
1534 done:
1543 }
1547 }