Merge branch 'bug24895_029_02' into bug24895_031_02

5 files changed, 35 insertions, 2 deletions

diff --git a/changes/bug24895 b/changes/bug24895
new file mode 100644
index 0000000000..7edde94a0b
--- /dev/null
+++ b/changes/bug24895
@@ -0,0 +1,8 @@
+  o Major bugfixes (onion services):
+    - Fix an "off by 2" error in counting rendezvous failures on the onion
+      service side. While we thought we would stop the rendezvous attempt
+      after one failed circuit, we were actually making three circuit attempts
+      before giving up. Now switch to a default of 2, and allow the consensus
+      parameter "hs_service_max_rdv_failures" to override. Fixes bug 24895;
+      bugfix on 0.0.6.
+
diff --git a/src/or/hs_common.c b/src/or/hs_common.c
index 7cef5a8e2c..c9af3f6887 100644
--- a/src/or/hs_common.c
+++ b/src/or/hs_common.c
@@ -344,3 +344,20 @@ rend_data_get_pk_digest(const rend_data_t *rend_data, size_t *len_out)
   }
 }
 
+/* Default, minimum and maximum values for the maximum rendezvous failures
+ * consensus parameter. */
+#define MAX_REND_FAILURES_DEFAULT 2
+#define MAX_REND_FAILURES_MIN 1
+#define MAX_REND_FAILURES_MAX 10
+
+/** How many times will a hidden service operator attempt to connect to
+ * a requested rendezvous point before giving up? */
+int
+hs_get_service_max_rend_failures(void)
+{
+  return networkstatus_get_param(NULL, "hs_service_max_rdv_failures",
+                                 MAX_REND_FAILURES_DEFAULT,
+                                 MAX_REND_FAILURES_MIN,
+                                 MAX_REND_FAILURES_MAX);
+}
+
diff --git a/src/or/hs_common.h b/src/or/hs_common.h
index a8fded652a..7eef5fc97e 100644
--- a/src/or/hs_common.h
+++ b/src/or/hs_common.h
@@ -52,6 +52,7 @@
 int hs_check_service_private_dir(const char *username, const char *path,
                                  unsigned int dir_group_readable,
                                  unsigned int create);
+int hs_get_service_max_rend_failures(void);
 
 void rend_data_free(rend_data_t *data);
 rend_data_t *rend_data_dup(const rend_data_t *data);
diff --git a/src/or/hs_service.c b/src/or/hs_service.c
index 205ef11c92..b3eec13046 100644
--- a/src/or/hs_service.c
+++ b/src/or/hs_service.c
@@ -11,6 +11,7 @@
 #include "rendservice.h"
 #include "circuitlist.h"
 #include "circpathbias.h"
+#include "networkstatus.h"
 
 #include "hs_intropoint.h"
 #include "hs_service.h"
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index b1e8a2f0cd..2a3594918e 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -2159,7 +2159,8 @@ rend_service_receive_introduction(origin_circuit_t *circuit,
 
   /* Launch a circuit to the client's chosen rendezvous point.
    */
-  for (i=0;i<MAX_REND_FAILURES;i++) {
+  int max_rend_failures=hs_get_service_max_rend_failures();
+  for (i=0;i<max_rend_failures;i++) {
     int flags = CIRCLAUNCH_NEED_CAPACITY | CIRCLAUNCH_IS_INTERNAL;
     if (circ_needs_uptime) flags |= CIRCLAUNCH_NEED_UPTIME;
     /* A Single Onion Service only uses a direct connection if its
@@ -3067,8 +3068,13 @@ rend_service_relaunch_rendezvous(origin_circuit_t *oldcirc)
   }
   oldcirc->hs_service_side_rend_circ_has_been_relaunched = 1;
 
+  /* We check failure_count >= hs_get_service_max_rend_failures()-1 below, and
+   * the -1 is because we increment the failure count for our current failure
+   * *after* this clause. */
+  int max_rend_failures = hs_get_service_max_rend_failures() - 1;
+
   if (!oldcirc->build_state ||
-      oldcirc->build_state->failure_count > MAX_REND_FAILURES ||
+      oldcirc->build_state->failure_count >= max_rend_failures ||
       oldcirc->build_state->expiry_time < time(NULL)) {
     log_info(LD_REND,
              "Attempt to build circuit to %s for rendezvous has failed "