path: root/src/feature/hs
Age | Commit message | Author
2021-10-19 | hs: Improve warning for bad service version | David Goulet
Now that we don't have version 2, it gives us:
[warn] HiddenServiceVersion must be between 3 and 3, not 2.
This commit changes it to:
[warn] HiddenServiceVersion must be 3, not 2.
Part of #40476
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-09-30 | hs-v2: Disable version 2 introduction point | David Goulet
Upon receiving a v2 introduction request, the relay will close the circuit and send back a tor protocol error.
Part of #40476
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-09-30 | hs-v2: Disable version 2 service | David Goulet
The minimum service version is raised from 2 to 3 which effectively disables loading or creating an onion service v2. As for ADD_ONION, for version 2, a 551 error is returned: "551 Failed to add Onion Service"
Part of #40476
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-06-10 | Fix TROVE-2021-006: Out-of-bounds read on v3 desc parsing | George Kadianakis
2021-01-12 | hs-v3: Require reasonably live consensus | David Goulet
Some days before this commit, the network experienced a DDoS on the directory authorities that prevented them from generating a consensus for more than 5 hours straight. That in turn entirely disabled onion service v3, client and service side, due to the subsystem requiring a live consensus to function properly. We now require a reasonably live consensus which means that the HSv3 subsystem will do its job using the best consensus tor can find. If the entire network is using an old consensus, then this should be alright. If the service happens to use a live consensus while a client is not, it should still work because the client will use the current SRV it sees which might be the previous SRV for the service for which it still publishes descriptors. If the service is using an old one and somehow can't get a new one while clients are on a new one, then reachability issues might arise. However, this is a situation we already have at the moment since the service will simply not work if it doesn't have a live consensus while a client has one.
Fixes #40237
Signed-off-by: David Goulet <dgoulet@torproject.org>
2020-06-29 | Merge remote-tracking branch 'tor-github/pr/1725/head' into maint-0.3.5 | Nick Mathewson
2020-03-17 | Fix TROVE-2020-003. | George Kadianakis
Given that ed25519 public key validity checks are usually not needed and (so far) they are only necessary for onion addresses in the Tor protocol, we decided to fix this specific bug instance without modifying the rest of the codebase (see below for other fix approaches). In our minimal fix we check that the pubkey in hs_service_add_ephemeral() is valid and error out otherwise.
2020-03-17 | Trivial bugfixes found during TROVE investigation. | George Kadianakis
2020-02-12 | hs-v3: Remove BUG() that can occur normally | David Goulet
Fixes #28992
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-11-25 | Merge remote-tracking branch 'tor-github/pr/1464' into maint-0.3.5 | teor
2019-11-25 | Merge remote-tracking branch 'tor-github/pr/1395' into maint-0.3.5 | teor
2019-10-24 | hs-v3: Remove a BUG() caused by an acceptable race | David Goulet
hs_client_purge_state() and hs_cache_clean_as_client() can remove a descriptor from the client cache with a NEWNYM or simply when the descriptor expires. Which means that for an INTRO circuit being established during that time, once it opens, we lookup the descriptor to get the IP object but hey surprise, no more descriptor. The approach here is minimalist, that is, accept the race and close the circuit since we can not continue. Before that, the circuit would stay opened and the client wait for the SockTimeout.
Fixes #28970.
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-10-07 | hs-v3: Make service pick the exact amount of intro points | David Goulet
When encoding introduction points, we were not checking if those intro points had an established circuit. When booting up, the service will pick, by default, 3 + 2 intro points and the first 3 that establish, we use them and upload the descriptor. However, the intro point is removed from the service descriptor list only when the circuit has opened and we see that we have already enough intro points, it is then removed. But it is possible that the service establishes 3 intro points successfully before the other(s) have even opened yet. This led to the service encoding extra intro points in the descriptor even though the circuit is not opened or might never establish (#31561).
Fixes #31548
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-08-23 | hs: v3 single onion services fall back to 3-hop intro for unreachable nodes | teor
Previously, v3 single onion services failed when all intro nodes were unreachable via a 1-hop path. Now, we select intros that are only available via a 3-hop path, and use a 3-hop path to connect to them. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
2019-08-23 | hs: Always use a 3-hop path when a v3 single onion intro fails | teor
Previously, we always used a 1-hop path, no matter how many times a v3 single onion intro failed. Fixes bug 23818; bugfix on 0.3.2.1-alpha.
2019-08-23 | hs: Always use a 3-hop path when a v3 single onion rend fails | teor
Previously, we used a 1-hop path when a single onion rend failed immediately, and a 3-hop path when it failed after trying to build a circuit. Fixes bug 23818; bugfix on 0.3.2.1-alpha.
2019-05-22 | Merge remote-tracking branch 'nickm/ticket30454_034_01_squashed' into ticket30454_035_01 | David Goulet
2019-05-10 | Don't pass a NULL into a %s when logging client auth file load failure | Nick Mathewson
Fortunately, in 0.3.5.1-alpha we improved logging for various failure cases involved with onion service client auth. Unfortunately, for this one, we freed the file right before logging its name. Fortunately, tor_free() sets its pointer to NULL, so we didn't have a use-after-free bug. Unfortunately, passing NULL to %s is not defined. Fortunately, GCC 9.1.1 caught the issue! Unfortunately, nobody has actually tried building Tor with GCC 9.1.1 before. Or if they had, they didn't report the warning. Fixes bug 30475; bugfix on 0.3.5.1-alpha.
2019-02-08 | Merge branch 'ticket29040_1_changes' into maint-0.3.5 | Nick Mathewson
2019-01-24 | hs-v3: add an option param to safe log functions | Suphanat Chunhapanya
We add an option param to safe_str and safe_str_client because in some cases we need to use those functions before global_options is set.
2019-01-24 | hs-v3: fix use after free in client auth config | Suphanat Chunhapanya
We accidentally use `auth` after freeing it in client_service_authorization_free. The way to solve it is to free after using it.
2019-01-23 | Log an HSDesc we failed to parse at Debug loglevel | rl1987
2019-01-16 | Bump copyright date to 2019. | Nick Mathewson
2019-01-11 | Merge remote-tracking branch 'tor-github/pr/563' into maint-0.3.5 | Nick Mathewson
2018-12-05 | Merge remote-tracking branch 'tor-github/pr/546' into maint-0.3.5 | Nick Mathewson
2018-12-04 | hs-v3: Don't BUG() if descriptor is found on SOCKS connection retry | David Goulet
When retrying all SOCKS connection because new directory information just arrived, do not BUG() if a connection in state AP_CONN_STATE_RENDDESC_WAIT is found to have a usable descriptor. There is a rare case when this can happen as detailed in #28669 so the right thing to do is put that connection back in circuit wait state so the descriptor can be retried.
Fixes #28669
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-12-04 | hs-v3: Add the helper function mark_conn_as_waiting_for_circuit | David Goulet
This helper function marks an entry connection as pending for a circuit and changes its state to AP_CONN_STATE_CIRCUIT_WAIT. The timestamps are set to now() so it can be considered as new. No behaviour change, this helper function will be used in next commit.
Part of #28669
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-12-04 | conn: Use connection_ap_mark_as_waiting_for_renddesc() | David Goulet
Use the helper function connection_ap_mark_as_waiting_for_renddesc() introduced in previous commit everywhere in the code where an AP connection state is transitioned to AP_CONN_STATE_RENDDESC_WAIT.
Part of #28669
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-11-16 | Merge remote-tracking branch 'dgoulet/ticket27471_035_02' into maint-0.3.5 | Nick Mathewson
2018-11-13 | Merge branch 'tor-github/pr/487' into maint-0.3.5 | David Goulet
2018-10-30 | Merge branch 'tor-github/pr/438' into maint-0.3.5 | David Goulet
2018-10-30 | Merge branch 'tor-github/pr/415' into maint-0.3.5 | David Goulet
2018-10-30 | Detect the onion service version and then check for invalid options unless we have set HiddenServiceVersion | Neel Chauhan
2018-10-23 | Documentation: Move the hs_service_descriptor_t elements around. | George Kadianakis
Move the elements around to concentrate mutable and immutable elements together. This commit changes no code, check with --color-moved.
2018-10-23 | Documentation: Document which descriptor elements are (im)mutable. | George Kadianakis
2018-10-23 | Func rename: Make it clear that update_all_descriptors() does intro points. | George Kadianakis
With the new refresh_service_descriptor() function we had both refresh_service_descriptor() and update_service_descriptor() which is basically the same thing. This commit renames update_service_descriptor() to update_service_descriptor_intro_points() to make it clear it's not a generic refresh and it's only about intro points. Commit changes no code.
2018-10-22 | hs-v3: Create desc signing key cert before uploading | David Goulet
Before this commit, we would create the descriptor signing key certificate when first building the descriptor. In some extreme cases, it led to the expiry of the certificate which triggers a BUG() when encoding the descriptor before uploading. Ticket #27838 details a possible scenario in which this can happen. It is an edge case where tor loses internet connectivity, notices it and closes all circuits. When it came back up, the HS subsystem noticed that it had no introduction circuits, created them and tried to upload the descriptor. However, in the meantime, if tor did lack a live consensus because it is currently seeking to download one, we would consider that we don't need to rotate the descriptors leading to using the expired signing key certificate. That being said, this commit does a bit more to make this process cleaner. There are a series of things that we need to "refresh" before uploading a descriptor: signing key cert, intro points and revision counter. A refresh function is added to deal with all mutable descriptor fields. It in turn simplified a bit the code surrounding the creation of the plaintext data. We keep creating the cert when building the descriptor in order to accommodate the unit tests. However, it is replaced every single time the descriptor is uploaded.
Fixes #27838
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-10-18 | hs-v3: Close client intro circuits if the descriptor is replaced | David Goulet
When storing a descriptor in the client cache, if we are about to replace an existing descriptor, make sure to close every introduction circuit of the old descriptor so we don't have leftovers lying around. Ticket 27471 describes a situation where tor is sending an INTRODUCE1 cell on an introduction circuit for which it doesn't have a matching intro point object (taken from the descriptor). The main theory is that, after a new descriptor showed up, the introduction points changed which led to selecting an introduction circuit not used by the service anymore thus for which we are unable to find the corresponding introduction point within the descriptor we just fetched.
Closes #27471.
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-10-18 | hs-v3: Always generate the descriptor cookie | David Goulet
It won't be used if there are no authorized clients configured. We do that so we can easily support the addition of a client with a HUP signal which allows us to avoid more complex code path to generate that cookie if we have at least one client auth and we had none before.
Fixes #27995
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-10-17 | merge in some fixes i found in a sandbox | Roger Dingledine
2018-10-16 | Fix typo in comment for hs_cell_parse_introduce2() | Neel Chauhan
2018-10-15 | Merge branch 'maint-0.3.4' | Nick Mathewson
2018-10-15 | Merge branch 'maint-0.3.4' | Nick Mathewson
2018-10-12 | Merge remote-tracking branch 'tor-github/pr/380' | Nick Mathewson
2018-10-05 | Add newline between hs_client_get_random_intro_from_edge() and hs_client_receive_introduce_ack() | Neel Chauhan
2018-10-01 | Move routerparse and parsecommon to their own module. | Nick Mathewson
2018-09-26 | Merge branch 'router_split' | Nick Mathewson
2018-09-26 | Merge remote-tracking branch 'dgoulet/bug27550_035_01' | Nick Mathewson
2018-09-25 | Revise things that had included router.h before | Nick Mathewson
Make them only include the headers that they needed, and sort their headers while we're at it.
2018-09-25 | Move key-loading and crosscert-checking out of feature/relay | Nick Mathewson
This is also used by onion services, so it needs to go in another module.