author | Nick Mathewson <nickm@torproject.org> | 2017-01-11 10:14:50 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2017-01-11 10:14:50 -0500 |
commit | 7892683e7e491c32d1ea3c44d47877fe9ed7c850 (patch) | |
tree | e8a2ad05b0fa8fc7f8094cefda014d0a9e761f52 | |
parent | 8f893fbca92f1e190ac056a21abc9e4c1a29b236 (diff) | |
parent | e1d7661412325bb8c81a3a7f4d5cc25efdee5a78 (diff) | |
Merge remote-tracking branch 'asn/bug20852_v1'
-rw-r--r-- | src/or/hs_cache.c | 13 | ||||
-rw-r--r-- | src/or/hs_cache.h | 2 | ||||
-rw-r--r-- | src/or/hs_descriptor.c | 16 | ||||
-rw-r--r-- | src/or/hs_descriptor.h | 2 | ||||
-rw-r--r-- | src/or/parsecommon.h | 2 |
5 files changed, 26 insertions, 9 deletions
diff --git a/src/or/hs_cache.c b/src/or/hs_cache.c index e5bd0e49a7..43cd8c3258 100644 --- a/src/or/hs_cache.c +++ b/src/or/hs_cache.c @@ -15,6 +15,7 @@ #include "config.h" #include "hs_common.h" #include "hs_descriptor.h" +#include "networkstatus.h" #include "rendcache.h" /* Directory descriptor cache. Map indexed by blinded key. */ @@ -366,6 +367,18 @@ hs_cache_handle_oom(time_t now, size_t min_remove_bytes) return bytes_removed; } +/** + * Return the maximum size of an HS descriptor we are willing to accept as an + * HSDir. + */ +unsigned int +hs_cache_get_max_descriptor_size(void) +{ + return (unsigned) networkstatus_get_param(NULL, + "HSV3MaxDescriptorSize", + HS_DESC_MAX_LEN, 1, INT32_MAX); +} + /* Initialize the hidden service cache subsystem. */ void hs_cache_init(void) diff --git a/src/or/hs_cache.h b/src/or/hs_cache.h index 01abb8002f..ba95e73338 100644 --- a/src/or/hs_cache.h +++ b/src/or/hs_cache.h @@ -44,6 +44,8 @@ void hs_cache_free_all(void); void hs_cache_clean_as_dir(time_t now); size_t hs_cache_handle_oom(time_t now, size_t min_remove_bytes); +unsigned int hs_cache_get_max_descriptor_size(void); + /* Store and Lookup function. They are version agnostic that is depending on * the requested version of the descriptor, it will be re-routed to the * right function. */ diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c index 00d10757ed..ad6b32606c 100644 --- a/src/or/hs_descriptor.c +++ b/src/or/hs_descriptor.c 
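Review bot: In the new `hs_cache_get_max_descriptor_size()` (src/or/hs_cache.c, hunk `@@ -366,6 +367,18 @@`) the consensus parameter is clamped only to `1..INT32_MAX`, so the upper bound puts no practical ceiling on the descriptor size that will be parsed. A mistaken or hostile consensus value near that bound would effectively switch off the resource guard this limit provides. Consider passing a compile-time ceiling as the last argument, e.g. `HS_DESC_MAX_LEN, 1, HS_DESC_HARD_MAX_LEN);`, where `HS_DESC_HARD_MAX_LEN` is a placeholder name for a new constant. The doc comment should also name the `HSV3MaxDescriptorSize` parameter and say that `HS_DESC_MAX_LEN` is only the default used when the consensus does not set it.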
@@ -15,13 +15,14 @@ #include "ed25519_cert.h" /* Trunnel interface. */ #include "parsecommon.h" #include "rendcache.h" +#include "hs_cache.h" #include "torcert.h" /* tor_cert_encode_ed22519() */ /* Constant string value used for the descriptor format. */ #define str_hs_desc "hs-descriptor" #define str_desc_cert "descriptor-signing-key-cert" #define str_rev_counter "revision-counter" -#define str_encrypted "encrypted" +#define str_superencrypted "superencrypted" #define str_signature "signature" #define str_lifetime "descriptor-lifetime" /* Constant string value for the encrypted part of the descriptor. */ @@ -35,7 +36,7 @@ #define str_intro_point_start "\n" str_intro_point " " /* Constant string value for the construction to encrypt the encrypted data * section. */ -#define str_enc_hsdir_data "hsdir-encrypted-data" +#define str_enc_hsdir_data "hsdir-superencrypted-data" /* Prefix required to compute/verify HS desc signatures */ #define str_desc_sig_prefix "Tor onion service descriptor sig v3" @@ -56,7 +57,7 @@ static token_rule_t hs_desc_v3_token_table[] = { T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ), T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ), T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ), - T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ), + T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ), T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ), END_OF_TABLE }; @@ -751,7 +752,7 @@ desc_encode_v3(const hs_descriptor_t *desc, desc->plaintext_data.revision_counter); } - /* Build the encrypted data section. */ + /* Build the superencrypted data section. */ { char *enc_b64_blob=NULL; if (encode_encrypted_data(desc, &enc_b64_blob) < 0) { @@ -762,7 +763,7 @@ desc_encode_v3(const hs_descriptor_t *desc, "-----BEGIN MESSAGE-----\n" "%s" "-----END MESSAGE-----", - str_encrypted, enc_b64_blob); + str_superencrypted, enc_b64_blob); tor_free(enc_b64_blob); } 
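Review bot: The `str_enc_hsdir_data` change in hunk `@@ -35,7 +36,7 @@` of src/or/hs_descriptor.c is not a pure rename. The comment above it describes the string as an input to the construction that encrypts the section, so switching it to "hsdir-superencrypted-data" presumably changes the derived keys. Together with the `superencrypted` keyword now used by the token table and by `desc_encode_v3()`, this makes descriptors written before and after the commit mutually unreadable. If any released code already emits the old form this needs a version gate; if not, the commit message should say so. That comment should become `/* Constant string value for the construction to encrypt the superencrypted data section. */`, and the same stale "encrypted data section" wording remains in the comment and `log_warn` text of `desc_decode_plaintext_v3()` (hunk `@@ -1492,7 +1493,7 @@`).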
@@ -1492,7 +1493,7 @@ desc_decode_plaintext_v3(smartlist_t *tokens, } /* Extract the encrypted data section. */ - tok = find_by_keyword(tokens, R3_ENCRYPTED); + tok = find_by_keyword(tokens, R3_SUPERENCRYPTED); tor_assert(tok->object_body); if (strcmp(tok->object_type, "MESSAGE") != 0) { log_warn(LD_REND, "Service descriptor encrypted data section is invalid"); @@ -1701,8 +1702,9 @@ hs_desc_decode_plaintext(const char *encoded, tor_assert(encoded); tor_assert(plaintext); + /* Check that descriptor is within size limits. */ encoded_len = strlen(encoded); - if (encoded_len >= HS_DESC_MAX_LEN) { + if (encoded_len >= hs_cache_get_max_descriptor_size()) { log_warn(LD_REND, "Service descriptor is too big (%lu bytes)", (unsigned long) encoded_len); goto err; diff --git a/src/or/hs_descriptor.h b/src/or/hs_descriptor.h index a6fe96ad96..6cc60c774c 100644 --- a/src/or/hs_descriptor.h +++ b/src/or/hs_descriptor.h @@ -54,7 +54,7 @@ HS_DESC_ENCRYPTED_SALT_LEN + \ HS_DESC_PLAINTEXT_PADDING_MULTIPLE + DIGEST256_LEN /* Maximum length in bytes of a full hidden service descriptor. */ -#define HS_DESC_MAX_LEN 32768 // XXX justify +#define HS_DESC_MAX_LEN 50000 /* 50kb max size */ /* The minimum amount of fields a descriptor should contain. The parsing of * the fields are version specific so the only required field, as a generic * view of a descriptor, is 1 that is the version field. */ diff --git a/src/or/parsecommon.h b/src/or/parsecommon.h index 3019df63eb..15e9f7ae85 100644 --- a/src/or/parsecommon.h +++ b/src/or/parsecommon.h @@ -154,7 +154,7 @@ typedef enum { R3_DESC_LIFETIME, R3_DESC_SIGNING_CERT, R3_REVISION_COUNTER, - R3_ENCRYPTED, + R3_SUPERENCRYPTED, R3_SIGNATURE, R3_CREATE2_FORMATS, R3_AUTHENTICATION_REQUIRED, |
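Review bot: The new check `if (encoded_len >= hs_cache_get_max_descriptor_size()) {` in hunk `@@ -1701,8 +1702,9 @@` rejects a descriptor whose length equals the returned value, while the getter's doc comment calls that value the maximum size we are willing to accept, so code and documentation disagree by one. Either compare with `>` or document the value as an exclusive bound. The getter is documented as the limit "as an HSDir", yet it is applied inside the generic `hs_desc_decode_plaintext()`; if that function also runs in other roles, the comment or the call site should say which limit applies there. The test also runs only after `strlen()` has walked the whole buffer, so it bounds parsing work rather than memory already held, and whether the upload path caps the size earlier is not visible here. `hs_desc_decode_plaintext()` starts and ends outside the hunk.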
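Review bot: In src/or/hs_descriptor.h (hunk `@@ -54,7 +54,7 @@`) the new `#define HS_DESC_MAX_LEN 50000 /* 50kb max size */` drops the `XXX justify` marker without supplying the justification, and the trailing comment only restates the number. After this commit the macro is the default handed to `networkstatus_get_param()` for `HSV3MaxDescriptorSize` rather than a fixed maximum, so the line above it ("Maximum length in bytes of a full hidden service descriptor") now misleads. I would replace both comments with `/* Default maximum length in bytes of a full hidden service descriptor; the consensus parameter HSV3MaxDescriptorSize overrides it. */` and add a sentence on where the 50000 figure comes from.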