From 16386a8cd15997acebdc1bd4ee047274b5c2730a Mon Sep 17 00:00:00 2001 From: "teor (Tim Wilson-Brown)" Date: Mon, 11 Jul 2016 13:12:10 +1000 Subject: Count unix sockets when counting client listeners Users can't run an anonymous client and non-anonymous single onion service at the same time. We need to know whether we have any client ports or sockets open to do this check. When determining whether a client port (SOCKS, Trans, NATD, DNS) is set, count unix sockets when counting client listeners. This has no user-visible behaviour change, because these options are set once and never read in the current tor codebase. Don't count sockets when setting ControlPort_set, that's what ControlSocket is for. (This will be reviewed in #19665.) Don't count sockets when counting server listeners, because the code that uses these options expects to count externally-visible ports. (And it would change the behaviour of Tor.) --- src/or/or.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'src/or/or.h') diff --git a/src/or/or.h b/src/or/or.h index 34089ad994..574f184a13 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3604,9 +3604,13 @@ typedef struct { /** @name port booleans * - * Derived booleans: True iff there is a non-listener port on an AF_INET or - * AF_INET6 address of the given type configured in one of the _lines - * options above. + * Derived booleans: For server ports and ControlPort, true iff there is a + * non-listener port on an AF_INET or AF_INET6 address of the given type + * configured in one of the _lines options above. + * For client ports, also true if there is a unix socket configured. + * If you are checking for client ports, you may want to use: + * SocksPort_set || TransPort_set || NATDPort_set || DNSPort_set + * rather than SocksPort_set. * * @{ */ -- cgit v1.2.3-54-g00ecf From b560f852f220f5630f6bf5a300d15b40c9c235cf Mon Sep 17 00:00:00 2001 From: "teor (Tim Wilson-Brown)" Date: Thu, 14 Jul 2016 14:04:02 +1000 Subject: Implement Prop #260: Single Onion Services Add experimental OnionServiceSingleHopMode and OnionServiceNonAnonymousMode options. When both are set to 1, every hidden service on a tor instance becomes a non-anonymous Single Onion Service. Single Onions make one-hop (direct) connections to their introduction and renzedvous points. One-hop circuits make Single Onion servers easily locatable, but clients remain location-anonymous. This is compatible with the existing hidden service implementation, and works on the current tor network without any changes to older relays or clients. Implements proposal #260, completes ticket #17178. Patch by teor & asn. squash! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Implement Prop #260: Single Onion Services Redesign single onion service poisoning. When in OnionServiceSingleHopMode, each hidden service key is poisoned (marked as non-anonymous) on creation by creating a poison file in the hidden service directory. Existing keys are considered non-anonymous if this file exists, and anonymous if it does not. Tor refuses to launch in OnionServiceSingleHopMode if any existing keys are anonymous. Similarly, it refuses to launch in anonymous client mode if any existing keys are non-anonymous. Rewrite the unit tests to match and be more comprehensive. Adds a bonus unit test for rend_service_load_all_keys(). --- changes/feature17178 | 15 +++ doc/tor.1.txt | 35 +++++- src/or/circuitbuild.c | 9 +- src/or/circuitstats.c | 28 ++++- src/or/config.c | 160 +++++++++++++++++++++---- src/or/config.h | 2 + src/or/connection_edge.c | 29 ++++- src/or/directory.c | 12 +- src/or/directory.h | 3 + src/or/main.c | 13 ++- src/or/or.h | 21 ++++ src/or/rendclient.c | 49 ++++++-- src/or/rendclient.h | 3 + src/or/rendcommon.c | 48 ++++++++ src/or/rendcommon.h | 6 + src/or/rendservice.c | 299 +++++++++++++++++++++++++++++++++++++++++++---- src/or/rendservice.h | 9 +- src/test/test_hs.c | 207 ++++++++++++++++++++++++++++++++ src/test/test_options.c | 149 +++++++++++++++++++++++ 19 files changed, 1020 insertions(+), 77 deletions(-) create mode 100644 changes/feature17178 (limited to 'src/or/or.h') diff --git a/changes/feature17178 b/changes/feature17178 new file mode 100644 index 0000000000..465f491e85 --- /dev/null +++ b/changes/feature17178 @@ -0,0 +1,15 @@ + o Major features (onion services): + - Add experimental OnionServiceSingleHopMode and + OnionServiceNonAnonymousMode options. When both are set to 1, every + hidden service on a tor instance becomes a non-anonymous Single Onion + Service. Single Onions make one-hop (direct) connections to their + introduction and renzedvous points. One-hop circuits make Single Onion + servers easily locatable, but clients remain location-anonymous. + This is compatible with the existing hidden service implementation, and + works on the current tor network without any changes to older relays or + clients. + Implements proposal #260, completes ticket #17178. Patch by teor & asn. + o Minor bug fixes (Tor2web): + - Prevent Tor2web clients running hidden services, these services are + not anonymous due to the one-hop client paths. + Fixes bug #19678. Patch by teor. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 0687991e1f..bd25a614a8 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1425,7 +1425,9 @@ The following options are useful only for clients (that is, if non-hidden-service hostnames through Tor. It **must only** be used when running a tor2web Hidden Service web proxy. To enable this option the compile time flag --enable-tor2web-mode must be - specified. (Default: 0) + specified. Since Tor2webMode is non-anonymous, you can not run an + anonymous Hidden Service on a tor version compiled with Tor2webMode. + (Default: 0) [[Tor2webRendezvousPoints]] **Tor2webRendezvousPoints** __node__,__node__,__...__:: A list of identity fingerprints, nicknames, country codes and @@ -2375,6 +2377,37 @@ The following options are used to configure a hidden service. Number of introduction points the hidden service will have. You can't have more than 10. (Default: 3) +[[OnionServiceSingleHopMode]] **OnionServiceSingleHopMode** **0**|**1**:: + **Experimental - Non Anonymous** Hidden Services on a tor instance in + OnionServiceSingleHopMode make one-hop (direct) circuits between the onion + service server, and the introduction and rendezvous points. (Onion service + descriptors are still posted using 3-hop paths, to avoid onion service + directories blocking the service.) + This option makes every hidden service instance hosted by a tor instance a + Single Onion Service. One-hop circuits make Single Onion servers easily + locatable, but clients remain location-anonymous. However, the fact that a + client is accessing a Single Onion rather than a Hidden Service may be + statistically distinguishable. + + **WARNING:** Once a hidden service directory has been used by a tor + instance in OnionServiceSingleHopMode, it can **NEVER** be used again for + a hidden service. It is best practice to create a new hidden service + directory, key, and address for each new Single Onion Service and Hidden + Service. It is not possible to run Single Onion Services and Hidden + Services from the same tor instance: they should be run on different + servers with different IP addresses. + + OnionServiceSingleHopMode requires OnionServiceNonAnonymousMode to be set + to 1. Since a Single Onion is non-anonymous, you can not to run an + anonymous SOCKSPort on the same tor instance as a Single Onion service. + (Default: 0) + +[[OnionServiceNonAnonymousMode]] **OnionServiceNonAnonymousMode** **0**|**1**:: + Makes hidden services non-anonymous on this tor instance. Allows the + non-anonymous OnionServiceSingleHopMode. Enables direct connections in the + server-side hidden service protocol. + (Default: 0) + TESTING NETWORK OPTIONS ----------------------- diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 2e7ea2f79a..69a8a9c5ec 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -28,6 +28,7 @@ #include "connection_edge.h" #include "connection_or.h" #include "control.h" +#include "crypto.h" #include "directory.h" #include "entrynodes.h" #include "main.h" @@ -38,14 +39,14 @@ #include "onion_tap.h" #include "onion_fast.h" #include "policies.h" -#include "transports.h" #include "relay.h" +#include "rendcommon.h" #include "rephist.h" #include "router.h" #include "routerlist.h" #include "routerparse.h" #include "routerset.h" -#include "crypto.h" +#include "transports.h" static channel_t * channel_connect_for_circuit(const tor_addr_t *addr, uint16_t port, @@ -1996,7 +1997,9 @@ onion_pick_cpath_exit(origin_circuit_t *circ, extend_info_t *exit_ei) cpath_build_state_t *state = circ->build_state; if (state->onehop_tunnel) { - log_debug(LD_CIRC, "Launching a one-hop circuit for dir tunnel."); + log_debug(LD_CIRC, "Launching a one-hop circuit for dir tunnel%s.", + (rend_allow_non_anonymous_connection(get_options()) ? + ", or intro or rendezvous connection" : "")); state->desired_path_len = 1; } else { int r = new_route_len(circ->base_.purpose, exit_ei, nodelist_get_list()); diff --git a/src/or/circuitstats.c b/src/or/circuitstats.c index f4db64ebca..fe8860e9c9 100644 --- a/src/or/circuitstats.c +++ b/src/or/circuitstats.c @@ -21,6 +21,8 @@ #include "control.h" #include "main.h" #include "networkstatus.h" +#include "rendclient.h" +#include "rendservice.h" #include "statefile.h" #undef log @@ -81,12 +83,14 @@ get_circuit_build_timeout_ms(void) /** * This function decides if CBT learning should be disabled. It returns - * true if one or more of the following four conditions are met: + * true if one or more of the following conditions are met: * * 1. If the cbtdisabled consensus parameter is set. * 2. If the torrc option LearnCircuitBuildTimeout is false. * 3. If we are a directory authority * 4. If we fail to write circuit build time history to our state file. + * 5. If we are compiled or configured in Tor2web mode + * 6. If we are configured in Single Onion mode */ int circuit_build_times_disabled(void) @@ -94,14 +98,30 @@ circuit_build_times_disabled(void) if (unit_tests) { return 0; } else { + const or_options_t *options = get_options(); int consensus_disabled = networkstatus_get_param(NULL, "cbtdisabled", 0, 0, 1); - int config_disabled = !get_options()->LearnCircuitBuildTimeout; - int dirauth_disabled = get_options()->AuthoritativeDir; + int config_disabled = !options->LearnCircuitBuildTimeout; + int dirauth_disabled = options->AuthoritativeDir; int state_disabled = did_last_state_file_write_fail() ? 1 : 0; + /* LearnCircuitBuildTimeout and Tor2webMode/OnionServiceSingleHopMode are + * incompatible in two ways: + * + * - LearnCircuitBuildTimeout results in a low CBT, which + * Single Onion use of one-hop intro and rendezvous circuits lowers + * much further, producing *far* too many timeouts. + * + * - The adaptive CBT code does not update its timeout estimate + * using build times for single-hop circuits. + * + * If we fix both of these issues someday, we should test + * these modes with LearnCircuitBuildTimeout on again. */ + int tor2web_disabled = rend_client_allow_non_anonymous_connection(options); + int single_onion_disabled = rend_service_allow_non_anonymous_connection( + options); if (consensus_disabled || config_disabled || dirauth_disabled || - state_disabled) { + state_disabled || tor2web_disabled || single_onion_disabled) { #if 0 log_debug(LD_CIRC, "CircuitBuildTime learning is disabled. " diff --git a/src/or/config.c b/src/or/config.c index 136958c6aa..f7f1f571ce 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -18,6 +18,7 @@ #include "circuitlist.h" #include "circuitmux.h" #include "circuitmux_ewma.h" +#include "circuitstats.h" #include "config.h" #include "connection.h" #include "connection_edge.h" @@ -297,6 +298,8 @@ static config_var_t option_vars_[] = { V(HidServAuth, LINELIST, NULL), V(CloseHSClientCircuitsImmediatelyOnTimeout, BOOL, "0"), V(CloseHSServiceRendCircuitsImmediatelyOnTimeout, BOOL, "0"), + V(OnionServiceSingleHopMode, BOOL, "0"), + V(OnionServiceNonAnonymousMode,BOOL, "0"), V(HTTPProxy, STRING, NULL), V(HTTPProxyAuthenticator, STRING, NULL), V(HTTPSProxy, STRING, NULL), @@ -1558,10 +1561,10 @@ options_act(const or_options_t *old_options) if (consider_adding_dir_servers(options, old_options) < 0) return -1; -#ifdef NON_ANONYMOUS_MODE_ENABLED - log_warn(LD_GENERAL, "This copy of Tor was compiled to run in a " - "non-anonymous mode. It will provide NO ANONYMITY."); -#endif + if (rend_non_anonymous_mode_enabled(options)) { + log_warn(LD_GENERAL, "This copy of Tor was compiled or configured to run " + "in a non-anonymous mode. It will provide NO ANONYMITY."); + } #ifdef ENABLE_TOR2WEB_MODE /* LCOV_EXCL_START */ @@ -1723,8 +1726,27 @@ options_act(const or_options_t *old_options) monitor_owning_controller_process(options->OwningControllerProcess); + /* We must create new keys after we poison the directories, because our + * poisoning code checks for existing keys, and refuses to modify their + * directories. */ + + /* If we use the insecure OnionServiceSingleHopMode, make sure we poison any + new hidden service directories, so that we never accidentally launch the + non-anonymous hidden services thinking they are anonymous. */ + if (running_tor && rend_service_allow_non_anonymous_connection(options)) { + if (options->RendConfigLines && !num_rend_services()) { + log_warn(LD_BUG,"Error: hidden services configured, but not parsed."); + return -1; + } + if (rend_service_poison_new_single_onion_dirs(NULL) < 0) { + log_warn(LD_GENERAL,"Failed to mark new hidden services as Single " + "Onion."); + return -1; + } + } + /* reload keys as needed for rendezvous services. */ - if (rend_service_load_all_keys()<0) { + if (rend_service_load_all_keys(NULL)<0) { log_warn(LD_GENERAL,"Error loading rendezvous service keys"); return -1; } @@ -2796,6 +2818,88 @@ warn_about_relative_paths(or_options_t *options) } } +/* Validate options related to OnionServiceSingleHopMode. + * Modifies some options that are incompatible with OnionServiceSingleHopMode. + * On failure returns -1, and sets *msg to an error string. + * Returns 0 on success. */ +STATIC int +options_validate_single_onion(or_options_t *options, char **msg) +{ + /* You must set OnionServiceNonAnonymousMode to 1 to use + * OnionServiceSingleHopMode */ + if (options->OnionServiceSingleHopMode && + !rend_service_non_anonymous_mode_enabled(options)) { + REJECT("OnionServiceSingleHopMode does not provide any server anonymity. " + "It must be used with OnionServiceNonAnonymousMode set to 1."); + } + + /* If you have OnionServiceNonAnonymousMode set, you must use + * OnionServiceSingleHopMode. */ + if (rend_service_non_anonymous_mode_enabled(options) && + !options->OnionServiceSingleHopMode) { + REJECT("OnionServiceNonAnonymousMode does not provide any server " + "anonymity. It must be used with OnionServiceSingleHopMode set to " + "1."); + } + + /* If you run an anonymous client with an active Single Onion service, the + * client loses anonymity. */ + const int client_port_set = (options->SocksPort_set || + options->TransPort_set || + options->NATDPort_set || + options->DNSPort_set); + if (options->OnionServiceSingleHopMode && client_port_set && + !options->Tor2webMode) { + REJECT("OnionServiceSingleHopMode is incompatible with using Tor as an " + "anonymous client. Please set Socks/Trans/NATD/DNSPort to 0, or " + "OnionServiceSingleHopMode to 0, or use the non-anonymous " + "Tor2webMode."); + } + + /* If you run a hidden service in non-anonymous mode, the hidden service + * loses anonymity, even if SOCKSPort / Tor2web mode isn't used. */ + if (!options->OnionServiceSingleHopMode && options->RendConfigLines + && options->Tor2webMode) { + REJECT("Non-anonymous (Tor2web) mode is incompatible with using Tor as a " + "hidden service. Please remove all HiddenServiceDir lines, or use " + "a version of tor compiled without --enable-tor2web-mode, or use " + "the non-anonymous OnionServiceSingleHopMode."); + } + + if (options->OnionServiceSingleHopMode + && options->UseEntryGuards) { + /* Single Onion services do not (and should not) use entry guards + * in any meaningful way. Further, Single Onions causes the hidden + * service code to do things which break the path bias + * detector, and it's far easier to turn off entry guards (and + * thus the path bias detector with it) than to figure out how to + * make a piece of code which cannot possibly help Single Onions, + * compatible with OnionServiceSingleHopMode. + */ + log_notice(LD_CONFIG, + "OnionServiceSingleHopMode is enabled; disabling " + "UseEntryGuards."); + options->UseEntryGuards = 0; + } + + /* Check if existing hidden service keys were created with a different + * setting of OnionServiceNonAnonymousMode, and refuse to launch if they + * have. We'll poison new keys in options_act() just before we create them. + */ + if (rend_service_list_verify_single_onion_poison(NULL, options) < 0) { + log_warn(LD_GENERAL, "We are configured with OnionServiceSingleHopMode " + "%d, but one or more hidden service keys were created in %s " + "mode. This is not allowed.", + rend_service_non_anonymous_mode_enabled(options) ? 1 : 0, + rend_service_non_anonymous_mode_enabled(options) ? + "an anonymous" : "a non-anonymous" + ); + return -1; + } + + return 0; +} + /** Return 0 if every setting in options is reasonable, is a * permissible transition from old_options, and none of the * testing-only settings differ from default_options unless in @@ -3291,25 +3395,11 @@ options_validate(or_options_t *old_options, or_options_t *options, options->PredictedPortsRelevanceTime = MAX_PREDICTED_CIRCS_RELEVANCE; } -#ifdef ENABLE_TOR2WEB_MODE - if (options->Tor2webMode && options->LearnCircuitBuildTimeout) { - /* LearnCircuitBuildTimeout and Tor2webMode are incompatible in - * two ways: - * - * - LearnCircuitBuildTimeout results in a low CBT, which - * Tor2webMode's use of one-hop rendezvous circuits lowers - * much further, producing *far* too many timeouts. - * - * - The adaptive CBT code does not update its timeout estimate - * using build times for single-hop circuits. - * - * If we fix both of these issues someday, we should test - * Tor2webMode with LearnCircuitBuildTimeout on again. */ - log_notice(LD_CONFIG,"Tor2webMode is enabled; turning " - "LearnCircuitBuildTimeout off."); - options->LearnCircuitBuildTimeout = 0; - } + /* Check the Single Onion Service options */ + if (options_validate_single_onion(options, msg) < 0) + return -1; +#ifdef ENABLE_TOR2WEB_MODE if (options->Tor2webMode && options->UseEntryGuards) { /* tor2web mode clients do not (and should not) use entry guards * in any meaningful way. Further, tor2web mode causes the hidden @@ -3353,6 +3443,17 @@ options_validate(or_options_t *old_options, or_options_t *options, return -1; } + /* OnionServiceSingleHopMode: one hop between the onion service server and + * intro and rendezvous points */ + if (options->OnionServiceSingleHopMode) { + log_warn(LD_CONFIG, + "OnionServiceSingleHopMode is set. Every hidden service on this " + "tor instance is NON-ANONYMOUS. If OnionServiceSingleHopMode is " + "disabled, Tor will refuse to launch hidden services from the " + "same directories, to protect against config errors. This " + "setting is for experimental use only."); + } + if (!options->LearnCircuitBuildTimeout && options->CircuitBuildTimeout && options->CircuitBuildTimeout < RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT) { log_warn(LD_CONFIG, @@ -4295,6 +4396,19 @@ options_transition_allowed(const or_options_t *old, return -1; } + if (old->OnionServiceSingleHopMode != new_val->OnionServiceSingleHopMode) { + *msg = tor_strdup("While Tor is running, changing " + "OnionServiceSingleHopMode is not allowed."); + return -1; + } + + if (old->OnionServiceNonAnonymousMode != + new_val->OnionServiceNonAnonymousMode) { + *msg = tor_strdup("While Tor is running, changing " + "OnionServiceNonAnonymousMode is not allowed."); + return -1; + } + if (old->DisableDebuggerAttachment && !new_val->DisableDebuggerAttachment) { *msg = tor_strdup("While Tor is running, disabling " diff --git a/src/or/config.h b/src/or/config.h index 7db66a31b9..208659acb7 100644 --- a/src/or/config.h +++ b/src/or/config.h @@ -166,6 +166,8 @@ extern struct config_format_t options_format; STATIC port_cfg_t *port_cfg_new(size_t namelen); STATIC void port_cfg_free(port_cfg_t *port); STATIC void or_options_free(or_options_t *options); +STATIC int options_validate_single_onion(or_options_t *options, + char **msg); STATIC int options_validate(or_options_t *old_options, or_options_t *options, or_options_t *default_options, diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index dc6b0930ca..8ad0f0c71d 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -27,6 +27,7 @@ #include "control.h" #include "dns.h" #include "dnsserv.h" +#include "directory.h" #include "dirserv.h" #include "hibernate.h" #include "main.h" @@ -2271,6 +2272,7 @@ connection_ap_handshake_send_begin(entry_connection_t *ap_conn) char payload[CELL_PAYLOAD_SIZE]; int payload_len; int begin_type; + const or_options_t *options = get_options(); origin_circuit_t *circ; edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(ap_conn); connection_t *base_conn = TO_CONN(edge_conn); @@ -2314,10 +2316,31 @@ connection_ap_handshake_send_begin(entry_connection_t *ap_conn) begin_type = ap_conn->use_begindir ? RELAY_COMMAND_BEGIN_DIR : RELAY_COMMAND_BEGIN; + + /* Check that circuits are anonymised, based on their type. */ if (begin_type == RELAY_COMMAND_BEGIN) { -#ifndef NON_ANONYMOUS_MODE_ENABLED - tor_assert(circ->build_state->onehop_tunnel == 0); -#endif + /* This connection is a standard OR connection. + * Make sure its path length is anonymous, or that we're in a + * non-anonymous mode. */ + assert_circ_anonymity_ok(circ, options); + } else if (begin_type == RELAY_COMMAND_BEGIN_DIR) { + /* This connection is a begindir directory connection. + * Look at the linked directory connection to access the directory purpose. + * (This must be non-NULL, because we're doing begindir.) */ + tor_assert(base_conn->linked); + connection_t *linked_dir_conn_base = base_conn->linked_conn; + tor_assert(linked_dir_conn_base); + /* Sensitive directory connections must have an anonymous path length. + * Otherwise, directory connections are typically one-hop. + * This matches the earlier check for directory connection path anonymity + * in directory_initiate_command_rend(). */ + if (is_sensitive_dir_purpose(linked_dir_conn_base->purpose)) { + assert_circ_anonymity_ok(circ, options); + } + } else { + /* This code was written for the two connection types BEGIN and BEGIN_DIR + */ + tor_assert_unreached(); } if (connection_edge_send_command(edge_conn, begin_type, diff --git a/src/or/directory.c b/src/or/directory.c index d37b5c2e0f..52b14b9bae 100644 --- a/src/or/directory.c +++ b/src/or/directory.c @@ -1085,7 +1085,7 @@ directory_initiate_command(const tor_addr_t *or_addr, uint16_t or_port, * dir_purpose reveals sensitive information about a Tor * instance's client activities. (Such connections must be performed * through normal three-hop Tor circuits.) */ -static int +int is_sensitive_dir_purpose(uint8_t dir_purpose) { return ((dir_purpose == DIR_PURPOSE_HAS_FETCHED_RENDDESC_V2) || @@ -1140,12 +1140,10 @@ directory_initiate_command_rend(const tor_addr_port_t *or_addr_port, log_debug(LD_DIR, "Initiating %s", dir_conn_purpose_to_string(dir_purpose)); -#ifndef NON_ANONYMOUS_MODE_ENABLED - tor_assert(!(is_sensitive_dir_purpose(dir_purpose) && - !anonymized_connection)); -#else - (void)is_sensitive_dir_purpose; -#endif + if (is_sensitive_dir_purpose(dir_purpose)) { + tor_assert(anonymized_connection || + rend_non_anonymous_mode_enabled(options)); + } /* use encrypted begindir connections for everything except relays * this provides better protection for directory fetches */ diff --git a/src/or/directory.h b/src/or/directory.h index f04e7ab315..9477948aa0 100644 --- a/src/or/directory.h +++ b/src/or/directory.h @@ -132,7 +132,10 @@ int download_status_get_n_failures(const download_status_t *dls); int download_status_get_n_attempts(const download_status_t *dls); time_t download_status_get_next_attempt_at(const download_status_t *dls); +/* Yes, these two functions are confusingly similar. + * Let's sort that out in #20077. */ int purpose_needs_anonymity(uint8_t dir_purpose, uint8_t router_purpose); +int is_sensitive_dir_purpose(uint8_t dir_purpose); #ifdef TOR_UNIT_TESTS /* Used only by directory.c and test_dir.c */ diff --git a/src/or/main.c b/src/or/main.c index 03c2b7ed58..76f9f38d3c 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2833,11 +2833,6 @@ tor_init(int argc, char *argv[]) "Expect more bugs than usual."); } -#ifdef NON_ANONYMOUS_MODE_ENABLED - log_warn(LD_GENERAL, "This copy of Tor was compiled to run in a " - "non-anonymous mode. It will provide NO ANONYMITY."); -#endif - if (network_init()<0) { log_err(LD_BUG,"Error initializing network; exiting."); return -1; @@ -2849,6 +2844,14 @@ tor_init(int argc, char *argv[]) return -1; } + /* The options are now initialised */ + const or_options_t *options = get_options(); + + if (rend_non_anonymous_mode_enabled(options)) { + log_warn(LD_GENERAL, "This copy of Tor was compiled or configured to run " + "in a non-anonymous mode. It will provide NO ANONYMITY."); + } + #ifndef _WIN32 if (geteuid()==0) log_warn(LD_GENERAL,"You are running Tor as root. You don't need to, " diff --git a/src/or/or.h b/src/or/or.h index 574f184a13..dd3ab8a03a 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3701,6 +3701,27 @@ typedef struct { * they reach the normal circuit-build timeout. */ int CloseHSServiceRendCircuitsImmediatelyOnTimeout; + /** Onion Services in OnionServiceSingleHopMode make one-hop (direct) + * circuits between the onion service server, and the introduction and + * rendezvous points. (Onion service descriptors are still posted using + * 3-hop paths, to avoid onion service directories blocking the service.) + * This option makes every hidden service instance hosted by + * this tor instance a Single Onion Service. One-hop circuits make Single + * Onion servers easily locatable, but clients remain location-anonymous. + * OnionServiceSingleHopMode requires OnionServiceNonAnonymousMode to be set + * to 1. + * Use rend_service_allow_non_anonymous_connection() or + * rend_service_reveal_startup_time() instead of using this option directly. + */ + int OnionServiceSingleHopMode; + /* Makes hidden service clients and servers non-anonymous on this tor + * instance. Allows the non-anonymous OnionServiceSingleHopMode. Enables + * direct connections in the hidden service protocol. + * Use rend_service_non_anonymous_mode() instead of using this option + * directly. + */ + int OnionServiceNonAnonymousMode; + int ConnLimit; /**< Demanded minimum number of simultaneous connections. */ int ConnLimit_; /**< Maximum allowed number of simultaneous connections. */ int ConnLimit_high_thresh; /**< start trying to lower socket usage if we diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 3a742fec0a..9d16e3b716 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -134,6 +134,7 @@ int rend_client_send_introduction(origin_circuit_t *introcirc, origin_circuit_t *rendcirc) { + const or_options_t *options = get_options(); size_t payload_len; int r, v3_shift = 0; char payload[RELAY_PAYLOAD_SIZE]; @@ -150,10 +151,8 @@ rend_client_send_introduction(origin_circuit_t *introcirc, tor_assert(rendcirc->rend_data); tor_assert(!rend_cmp_service_ids(introcirc->rend_data->onion_address, rendcirc->rend_data->onion_address)); -#ifndef NON_ANONYMOUS_MODE_ENABLED - tor_assert(!(introcirc->build_state->onehop_tunnel)); - tor_assert(!(rendcirc->build_state->onehop_tunnel)); -#endif + assert_circ_anonymity_ok(introcirc, options); + assert_circ_anonymity_ok(rendcirc, options); r = rend_cache_lookup_entry(introcirc->rend_data->onion_address, -1, &entry); @@ -387,6 +386,7 @@ int rend_client_introduction_acked(origin_circuit_t *circ, const uint8_t *request, size_t request_len) { + const or_options_t *options = get_options(); origin_circuit_t *rendcirc; (void) request; // XXXX Use this. @@ -398,10 +398,9 @@ rend_client_introduction_acked(origin_circuit_t *circ, return -1; } + tor_assert(circ->build_state); tor_assert(circ->build_state->chosen_exit); -#ifndef NON_ANONYMOUS_MODE_ENABLED - tor_assert(!(circ->build_state->onehop_tunnel)); -#endif + assert_circ_anonymity_ok(circ, options); tor_assert(circ->rend_data); /* For path bias: This circuit was used successfully. Valid @@ -416,9 +415,7 @@ rend_client_introduction_acked(origin_circuit_t *circ, log_info(LD_REND,"Received ack. Telling rend circ..."); rendcirc = circuit_get_ready_rend_circ_by_rend_data(circ->rend_data); if (rendcirc) { /* remember the ack */ -#ifndef NON_ANONYMOUS_MODE_ENABLED - tor_assert(!(rendcirc->build_state->onehop_tunnel)); -#endif + assert_circ_anonymity_ok(rendcirc, options); circuit_change_purpose(TO_CIRCUIT(rendcirc), CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED); /* Set timestamp_dirty, because circuit_expire_building expects @@ -1552,3 +1549,35 @@ rend_parse_service_authorization(const or_options_t *options, return res; } +/* Can Tor client code make direct (non-anonymous) connections to introduction + * or rendezvous points? + * Returns true if tor was compiled with NON_ANONYMOUS_MODE_ENABLED, and is + * configured in Tor2web mode. */ +int +rend_client_allow_non_anonymous_connection(const or_options_t *options) +{ + /* Tor2web support needs to be compiled in to a tor binary. */ +#ifdef NON_ANONYMOUS_MODE_ENABLED + /* Tor2web */ + return options->Tor2webMode ? 1 : 0; +#else + (void)options; + return 0; +#endif +} + +/* At compile-time, was non-anonymous mode enabled via + * NON_ANONYMOUS_MODE_ENABLED ? */ +int +rend_client_non_anonymous_mode_enabled(const or_options_t *options) +{ + (void)options; + /* Tor2web support needs to be compiled in to a tor binary. */ +#ifdef NON_ANONYMOUS_MODE_ENABLED + /* Tor2web */ + return 1; +#else + return 0; +#endif +} + diff --git a/src/or/rendclient.h b/src/or/rendclient.h index e90dac07ab..b8f8c2f871 100644 --- a/src/or/rendclient.h +++ b/src/or/rendclient.h @@ -51,5 +51,8 @@ rend_service_authorization_t *rend_client_lookup_service_authorization( const char *onion_address); void rend_service_authorization_free_all(void); +int rend_client_allow_non_anonymous_connection(const or_options_t *options); +int rend_client_non_anonymous_mode_enabled(const or_options_t *options); + #endif diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c index 01b0766cf0..12dd0f44e5 100644 --- a/src/or/rendcommon.c +++ b/src/or/rendcommon.c @@ -1067,3 +1067,51 @@ rend_auth_decode_cookie(const char *cookie_in, uint8_t *cookie_out, return res; } +/* Is this a rend client or server that allows direct (non-anonymous) + * connections? + * Clients must be specifically compiled and configured in this mode. + * Onion services can be configured to start in this mode. + * Prefer rend_client_allow_non_anonymous_connection() or + * rend_service_allow_non_anonymous_connection() whenever possible, so that + * checks are specific to Single Onion Services or Tor2web. */ +int +rend_allow_non_anonymous_connection(const or_options_t* options) +{ + return (rend_client_allow_non_anonymous_connection(options) + || rend_service_allow_non_anonymous_connection(options)); +} + +/* Is this a rend client or server in non-anonymous mode? + * Clients must be specifically compiled in this mode. + * Onion services can be configured to start in this mode. + * Prefer rend_client_non_anonymous_mode_enabled() or + * rend_service_non_anonymous_mode_enabled() whenever possible, so that checks + * are specific to Single Onion Services or Tor2web. */ +int +rend_non_anonymous_mode_enabled(const or_options_t *options) +{ + return (rend_client_non_anonymous_mode_enabled(options) + || rend_service_non_anonymous_mode_enabled(options)); +} + +/* Make sure that tor only builds one-hop circuits when they would not + * compromise user anonymity. + * + * One-hop circuits are permitted in Tor2webMode or OnionServiceSingleHopMode. + * + * Tor2webMode and OnionServiceSingleHopMode are also allowed to make + * multi-hop circuits. For example, single onion HSDir circuits are 3-hop to + * prevent denial of service. + */ +void +assert_circ_anonymity_ok(origin_circuit_t *circ, + const or_options_t *options) +{ + tor_assert(options); + tor_assert(circ); + tor_assert(circ->build_state); + + if (circ->build_state->onehop_tunnel) { + tor_assert(rend_allow_non_anonymous_connection(options)); + } +} diff --git a/src/or/rendcommon.h b/src/or/rendcommon.h index 88cf512f4a..090e6f25e0 100644 --- a/src/or/rendcommon.h +++ b/src/or/rendcommon.h @@ -77,5 +77,11 @@ int rend_auth_decode_cookie(const char *cookie_in, rend_auth_type_t *auth_type_out, char **err_msg_out); +int rend_allow_non_anonymous_connection(const or_options_t* options); +int rend_non_anonymous_mode_enabled(const or_options_t *options); + +void assert_circ_anonymity_ok(origin_circuit_t *circ, + const or_options_t *options); + #endif diff --git a/src/or/rendservice.c b/src/or/rendservice.c index fa147ba98e..0ba9205c6e 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -20,6 +20,7 @@ #include "main.h" #include "networkstatus.h" #include "nodelist.h" +#include "policies.h" #include "rendclient.h" #include "rendcommon.h" #include "rendservice.h" @@ -949,6 +950,208 @@ rend_service_update_descriptor(rend_service_t *service) } } +static const char *sos_poison_fname = "non_anonymous_hidden_service"; + +/* Allocate and return a string containing the path to the single onion + * poison file in service. + * The caller must free this path. + * Returns NULL if there is no directory for service. */ +static char * +sos_poison_path(const rend_service_t *service) +{ + char *poison_path; + + tor_assert(service->directory); + + tor_asprintf(&poison_path, "%s%s%s", + service->directory, PATH_SEPARATOR, sos_poison_fname); + + return poison_path; +} + +/** Return True if hidden services service> has been poisoned by single + * onion mode. */ +static int +service_is_single_onion_poisoned(const rend_service_t *service) +{ + char *poison_fname = NULL; + file_status_t fstatus; + + if (!service->directory) { + return 0; + } + + poison_fname = sos_poison_path(service); + tor_assert(poison_fname); + + fstatus = file_status(poison_fname); + tor_free(poison_fname); + + /* If this fname is occupied, the hidden service has been poisoned. */ + if (fstatus == FN_FILE || fstatus == FN_EMPTY) { + return 1; + } + + return 0; +} + +/* Return 1 if the private key file for service exists and has a non-zero size, + * and 0 otherwise. */ +static int +rend_service_private_key_exists(const rend_service_t *service) +{ + char *private_key_path = rend_service_path(service, private_key_fname); + const file_status_t private_key_status = file_status(private_key_path); + tor_free(private_key_path); + /* Only non-empty regular private key files could have been used before. */ + return private_key_status == FN_FILE; +} + +/** Check the single onion service poison state of all existing hidden service + * directories: + * - If each service is poisoned, and we are in OnionServiceSingleHopMode, + * return 0, + * - If each service is not poisoned, and we are not in + * OnionServiceSingleHopMode, return 0, + * - Otherwise, the poison state is invalid, and a service that was created in + * one mode is being used in the other, return -1. + * Hidden service directories without keys are not checked for consistency. + * When their keys are created, they will be poisoned (if needed). + * If a service_list is provided, treat it + * as the list of hidden services (used in unittests). */ +int +rend_service_list_verify_single_onion_poison(const smartlist_t *service_list, + const or_options_t *options) +{ + const smartlist_t *s_list; + /* If no special service list is provided, then just use the global one. */ + if (!service_list) { + if (!rend_service_list) { /* No global HS list. Nothing to see here. */ + return 0; + } + + s_list = rend_service_list; + } else { + s_list = service_list; + } + + int consistent = 1; + SMARTLIST_FOREACH_BEGIN(s_list, const rend_service_t *, s) { + if (service_is_single_onion_poisoned(s) != + rend_service_allow_non_anonymous_connection(options) && + rend_service_private_key_exists(s)) { + consistent = 0; + } + } SMARTLIST_FOREACH_END(s); + + return consistent ? 0 : -1; +} + +/*** Helper for rend_service_poison_new_single_onion_dirs(). When in single + * onion mode, add a file to this hidden service directory that marks it as a + * single onion hidden service. Returns 0 when a directory is successfully + * poisoned, or if it is already poisoned. Returns -1 on a failure to read + * the directory or write the poison file, or if there is an existing private + * key file in the directory. (The service should have been poisoned when the + * key was created.) */ +static int +poison_new_single_onion_hidden_service_dir(const rend_service_t *service) +{ + /* We must only poison directories if we're in Single Onion mode */ + tor_assert(rend_service_allow_non_anonymous_connection(get_options())); + + int fd; + int retval = -1; + char *poison_fname = NULL; + + if (!service->directory) { + log_info(LD_REND, "Ephemeral HS started in OnionServiceSingleHopMode."); + return 0; + } + + /* Make sure we're only poisoning new hidden service directories */ + if (rend_service_private_key_exists(service)) { + log_warn(LD_BUG, "Tried to single onion poison a service directory after " + "the private key was created."); + return -1; + } + + poison_fname = sos_poison_path(service); + + switch (file_status(poison_fname)) { + case FN_DIR: + case FN_ERROR: + log_warn(LD_FS, "Can't read single onion poison file \"%s\"", + poison_fname); + goto done; + case FN_FILE: /* single onion poison file already exists. NOP. */ + case FN_EMPTY: /* single onion poison file already exists. NOP. */ + log_debug(LD_FS, "Tried to re-poison a single onion poisoned file \"%s\"", + poison_fname); + break; + case FN_NOENT: + fd = tor_open_cloexec(poison_fname, O_RDWR|O_CREAT|O_TRUNC, 0600); + if (fd < 0) { + log_warn(LD_FS, "Could not create single onion poison file %s", + poison_fname); + goto done; + } + close(fd); + break; + default: + tor_assert(0); + } + + retval = 0; + + done: + tor_free(poison_fname); + + return retval; +} + +/** We just got launched in OnionServiceSingleHopMode. That's a non-anoymous + * mode for hidden services; hence we should mark all new hidden service + * directories appropriately so that they are never launched as + * location-private hidden services again. (New directories don't have private + * key files.) + * If a service_list is provided, treat it as the list of hidden + * services (used in unittests). + * Return 0 on success, -1 on fail. */ +int +rend_service_poison_new_single_onion_dirs(const smartlist_t *service_list) +{ + /* We must only poison directories if we're in Single Onion mode */ + tor_assert(rend_service_allow_non_anonymous_connection(get_options())); + + const smartlist_t *s_list; + /* If no special service list is provided, then just use the global one. */ + if (!service_list) { + if (!rend_service_list) { /* No global HS list. Nothing to see here. */ + return 0; + } + + s_list = rend_service_list; + } else { + s_list = service_list; + } + + SMARTLIST_FOREACH_BEGIN(s_list, const rend_service_t *, s) { + if (!rend_service_private_key_exists(s)) { + if (poison_new_single_onion_hidden_service_dir(s) < 0) { + return -1; + } + } + } SMARTLIST_FOREACH_END(s); + + /* The keys for these services are linked to the server IP address */ + log_notice(LD_REND, "The configured onion service directories have been " + "used in single onion mode. They can not be used for anonymous " + "hidden services."); + + return 0; +} + /** Load and/or generate private keys for all hidden services, possibly * including keys for client authorization. Return 0 on success, -1 on * failure. */ @@ -1372,6 +1575,19 @@ rend_check_authorization(rend_service_t *service, return 1; } +/* Can this service make a direct connection to ei? + * It must be a single onion service, and the firewall rules must allow ei. */ +static int +rend_service_use_direct_connection(const or_options_t* options, + const extend_info_t* ei) +{ + /* The prefer_ipv6 argument to fascist_firewall_allows_address_addr is + * ignored, because pref_only is 0. */ + return (rend_service_allow_direct_connection(options) && + fascist_firewall_allows_address_addr(&ei->addr, ei->port, + FIREWALL_OR_CONNECTION, 0, 0)); +} + /****** * Handle cells ******/ @@ -1421,9 +1637,7 @@ rend_service_receive_introduction(origin_circuit_t *circuit, goto err; } -#ifndef NON_ANONYMOUS_MODE_ENABLED - tor_assert(!(circuit->build_state->onehop_tunnel)); -#endif + assert_circ_anonymity_ok(circuit, options); tor_assert(circuit->rend_data); /* We'll use this in a bazillion log messages */ @@ -1627,6 +1841,11 @@ rend_service_receive_introduction(origin_circuit_t *circuit, for (i=0;ichosen_exit))); + /* You'd think Single Onion Services would want to retry the rendezvous + * using a direct connection. But if it's blocked by a firewall, or the + * service is IPv6-only, or the rend point avoiding becoming a one-hop + * proxy, we need a 3-hop connection. */ newcirc = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_CONNECT_REND, oldstate->chosen_exit, CIRCLAUNCH_NEED_CAPACITY|CIRCLAUNCH_IS_INTERNAL); @@ -2566,6 +2796,11 @@ rend_service_launch_establish_intro(rend_service_t *service, rend_intro_point_t *intro) { origin_circuit_t *launched; + int flags = CIRCLAUNCH_NEED_UPTIME|CIRCLAUNCH_IS_INTERNAL; + + if (rend_service_allow_direct_connection(get_options())) { + flags = flags | CIRCLAUNCH_ONEHOP_TUNNEL; + } log_info(LD_REND, "Launching circuit to introduction point %s for service %s", @@ -2576,8 +2811,7 @@ rend_service_launch_establish_intro(rend_service_t *service, ++service->n_intro_circuits_launched; launched = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, - intro->extend_info, - CIRCLAUNCH_NEED_UPTIME|CIRCLAUNCH_IS_INTERNAL); + intro->extend_info, flags); if (!launched) { log_info(LD_REND, @@ -2651,9 +2885,7 @@ rend_service_intro_has_opened(origin_circuit_t *circuit) int reason = END_CIRC_REASON_TORPROTOCOL; tor_assert(circuit->base_.purpose == CIRCUIT_PURPOSE_S_ESTABLISH_INTRO); -#ifndef NON_ANONYMOUS_MODE_ENABLED - tor_assert(!(circuit->build_state->onehop_tunnel)); -#endif + assert_circ_anonymity_ok(circuit, get_options()); tor_assert(circuit->cpath); tor_assert(circuit->rend_data); @@ -2720,6 +2952,7 @@ rend_service_intro_has_opened(origin_circuit_t *circuit) log_info(LD_REND, "Established circuit %u as introduction point for service %s", (unsigned)circuit->base_.n_circ_id, serviceid); + circuit_log_path(LOG_INFO, LD_REND, circuit); /* Use the intro key instead of the service key in ESTABLISH_INTRO. */ crypto_pk_t *intro_key = circuit->intro_key; @@ -2849,9 +3082,7 @@ rend_service_rendezvous_has_opened(origin_circuit_t *circuit) tor_assert(circuit->base_.purpose == CIRCUIT_PURPOSE_S_CONNECT_REND); tor_assert(circuit->cpath); tor_assert(circuit->build_state); -#ifndef NON_ANONYMOUS_MODE_ENABLED - tor_assert(!(circuit->build_state->onehop_tunnel)); -#endif + assert_circ_anonymity_ok(circuit, get_options()); tor_assert(circuit->rend_data); /* Declare the circuit dirty to avoid reuse, and for path-bias */ @@ -2871,6 +3102,7 @@ rend_service_rendezvous_has_opened(origin_circuit_t *circuit) "Done building circuit %u to rendezvous with " "cookie %s for service %s", (unsigned)circuit->base_.n_circ_id, hexcookie, serviceid); + circuit_log_path(LOG_INFO, LD_REND, circuit); /* Clear the 'in-progress HS circ has timed out' flag for * consistency with what happens on the client side; this line has @@ -3547,7 +3779,8 @@ rend_consider_services_intro_points(void) * pick it again in the next iteration. */ smartlist_add(exclude_nodes, (void*)node); intro = tor_malloc_zero(sizeof(rend_intro_point_t)); - intro->extend_info = extend_info_from_node(node, 0); + intro->extend_info = extend_info_from_node(node, + rend_service_allow_direct_connection(options)); intro->intro_key = crypto_pk_new(); const int fail = crypto_pk_generate_key(intro->intro_key); tor_assert(!fail); @@ -3592,8 +3825,9 @@ rend_consider_services_upload(time_t now) { int i; rend_service_t *service; - int rendpostperiod = get_options()->RendPostPeriod; - int rendinitialpostdelay = (get_options()->TestingTorNetwork ? + const or_options_t *options = get_options(); + int rendpostperiod = options->RendPostPeriod; + int rendinitialpostdelay = (options->TestingTorNetwork ? MIN_REND_INITIAL_POST_DELAY_TESTING : MIN_REND_INITIAL_POST_DELAY); @@ -3604,6 +3838,12 @@ rend_consider_services_upload(time_t now) * the descriptor is stable before being published. See comment below. */ service->next_upload_time = now + rendinitialpostdelay + crypto_rand_int(2*rendpostperiod); + /* Single Onion Services prioritise availability over hiding their + * startup time, as their IP address is publicly discoverable anyway. + */ + if (rend_service_reveal_startup_time(options)) { + service->next_upload_time = now + rendinitialpostdelay; + } } /* Does every introduction points have been established? */ unsigned int intro_points_ready = @@ -3844,11 +4084,30 @@ rend_service_set_connection_addr_port(edge_connection_t *conn, return -2; } -/* Stub that should be replaced with the #17178 version of the function - * when merging. */ +/* Do the options allow onion services to make direct (non-anonymous) + * connections to introduction or rendezvous points? + * Returns true if tor is in OnionServiceSingleHopMode. */ int -rend_service_allow_direct_connection(const or_options_t *options) +rend_service_allow_non_anonymous_connection(const or_options_t *options) { - (void)options; - return 0; + return options->OnionServiceSingleHopMode ? 1 : 0; +} + +/* Do the options allow us to reveal the exact startup time of the onion + * service? + * Single Onion Services prioritise availability over hiding their + * startup time, as their IP address is publicly discoverable anyway. + * Returns true if tor is in OnionServiceSingleHopMode. */ +int +rend_service_reveal_startup_time(const or_options_t *options) +{ + return rend_service_allow_non_anonymous_connection(options); +} + +/* Is non-anonymous mode enabled using the OnionServiceNonAnonymousMode + * config option? */ +int +rend_service_non_anonymous_mode_enabled(const or_options_t *options) +{ + return options->OnionServiceNonAnonymousMode ? 1 : 0; } diff --git a/src/or/rendservice.h b/src/or/rendservice.h index d39d7bde5b..0cf448e207 100644 --- a/src/or/rendservice.h +++ b/src/or/rendservice.h @@ -164,6 +164,11 @@ void rend_service_port_config_free(rend_service_port_config_t *p); void rend_authorized_client_free(rend_authorized_client_t *client); +int rend_service_list_verify_single_onion_poison( + const smartlist_t *service_list, + const or_options_t *options); +int rend_service_poison_new_single_onion_dirs(const smartlist_t *service_list); + /** Return value from rend_service_add_ephemeral. */ typedef enum { RSAE_BADAUTH = -5, /**< Invalid auth_type/auth_clients */ @@ -187,7 +192,9 @@ void directory_post_to_hs_dir(rend_service_descriptor_t *renddesc, const char *service_id, int seconds_valid); void rend_service_desc_has_uploaded(const rend_data_t *rend_data); -int rend_service_allow_direct_connection(const or_options_t *options); +int rend_service_allow_non_anonymous_connection(const or_options_t *options); +int rend_service_reveal_startup_time(const or_options_t *options); +int rend_service_non_anonymous_mode_enabled(const or_options_t *options); #endif diff --git a/src/test/test_hs.c b/src/test/test_hs.c index 1daa1552e9..297fb0e97f 100644 --- a/src/test/test_hs.c +++ b/src/test/test_hs.c @@ -8,12 +8,14 @@ #define CONTROL_PRIVATE #define CIRCUITBUILD_PRIVATE +#define RENDSERVICE_PRIVATE #include "or.h" #include "test.h" #include "control.h" #include "config.h" #include "rendcommon.h" +#include "rendservice.h" #include "routerset.h" #include "circuitbuild.h" #include "test_helpers.h" @@ -496,6 +498,209 @@ test_hs_auth_cookies(void *arg) return; } +static int mock_get_options_calls = 0; +static or_options_t *mock_options = NULL; + +static void +reset_options(or_options_t *options, int *get_options_calls) +{ + memset(options, 0, sizeof(or_options_t)); + options->TestingTorNetwork = 1; + + *get_options_calls = 0; +} + +static const or_options_t * +mock_get_options(void) +{ + ++mock_get_options_calls; + tor_assert(mock_options); + return mock_options; +} + +/* Test that single onion poisoning works. */ +static void +test_single_onion_poisoning(void *arg) +{ + or_options_t opt; + mock_options = &opt; + reset_options(mock_options, &mock_get_options_calls); + MOCK(get_options, mock_get_options); + + int ret = -1; + mock_options->DataDirectory = tor_strdup(get_fname("test_data_dir")); + rend_service_t *service_1 = tor_malloc_zero(sizeof(rend_service_t)); + char *dir1 = tor_strdup(get_fname("test_hs_dir1")); + rend_service_t *service_2 = tor_malloc_zero(sizeof(rend_service_t)); + char *dir2 = tor_strdup(get_fname("test_hs_dir2")); + smartlist_t *services = smartlist_new(); + + (void) arg; + + /* No services, no problem! */ + mock_options->OnionServiceSingleHopMode = 0; + mock_options->OnionServiceNonAnonymousMode = 0; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Either way, no problem. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Create directories for both services */ + +#ifdef _WIN32 + ret = mkdir(mock_options->DataDirectory); + tt_assert(ret == 0); + ret = mkdir(dir1); + tt_assert(ret == 0); + ret = mkdir(dir2); +#else + ret = mkdir(mock_options->DataDirectory, 0700); + tt_assert(ret == 0); + ret = mkdir(dir1, 0700); + tt_assert(ret == 0); + ret = mkdir(dir2, 0700); +#endif + tt_assert(ret == 0); + + service_1->directory = dir1; + service_2->directory = dir2; + smartlist_add(services, service_1); + /* But don't add the second service yet. */ + + /* Service directories, but no previous keys, no problem! */ + mock_options->OnionServiceSingleHopMode = 0; + mock_options->OnionServiceNonAnonymousMode = 0; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Either way, no problem. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Poison! Poison! Poison! + * This can only be done in OnionServiceSingleHopMode. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_poison_new_single_onion_dirs(services); + tt_assert(ret == 0); + /* Poisoning twice is a no-op. */ + ret = rend_service_poison_new_single_onion_dirs(services); + tt_assert(ret == 0); + + /* Poisoned service directories, but no previous keys, no problem! */ + mock_options->OnionServiceSingleHopMode = 0; + mock_options->OnionServiceNonAnonymousMode = 0; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Either way, no problem. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Now add some keys, and we'll have a problem. */ + ret = rend_service_load_all_keys(services); + tt_assert(ret == 0); + + /* Poisoned service directories with previous keys are not allowed. */ + mock_options->OnionServiceSingleHopMode = 0; + mock_options->OnionServiceNonAnonymousMode = 0; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret < 0); + + /* But they are allowed if we're in non-anonymous mode. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Re-poisoning directories with existing keys is a no-op, because + * directories with existing keys are ignored. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_poison_new_single_onion_dirs(services); + tt_assert(ret == 0); + /* And it keeps the poison. */ + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Now add the second service: it has no key and no poison file */ + smartlist_add(services, service_2); + + /* A new service, and an existing poisoned service. Not ok. */ + mock_options->OnionServiceSingleHopMode = 0; + mock_options->OnionServiceNonAnonymousMode = 0; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret < 0); + + /* But ok to add in non-anonymous mode. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Now remove the poisoning from the first service, and we have the opposite + * problem. */ + char *poison_path = rend_service_sos_poison_path(service_1); + ret = unlink(poison_path); + tor_free(poison_path); + tt_assert(ret == 0); + + /* Unpoisoned service directories with previous keys are ok, as are empty + * directories. */ + mock_options->OnionServiceSingleHopMode = 0; + mock_options->OnionServiceNonAnonymousMode = 0; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* But the existing unpoisoned key is not ok in non-anonymous mode, even if + * there is an empty service. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret < 0); + + /* Poisoning directories with existing keys is a no-op, because directories + * with existing keys are ignored. But the new directory should poison. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_poison_new_single_onion_dirs(services); + tt_assert(ret == 0); + /* And the old directory remains unpoisoned. */ + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret < 0); + + /* And the new directory should be ignored, because it has no key. */ + mock_options->OnionServiceSingleHopMode = 0; + mock_options->OnionServiceNonAnonymousMode = 0; + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret == 0); + + /* Re-poisoning directories without existing keys is a no-op. */ + mock_options->OnionServiceSingleHopMode = 1; + mock_options->OnionServiceNonAnonymousMode = 1; + ret = rend_service_poison_new_single_onion_dirs(services); + tt_assert(ret == 0); + /* And the old directory remains unpoisoned. */ + ret = rend_service_list_verify_single_onion_poison(services, mock_options); + tt_assert(ret < 0); + + done: + /* TODO: should we delete the directories here? */ + rend_service_free(service_1); + rend_service_free(service_2); + smartlist_free(services); + UNMOCK(get_options); + tor_free(mock_options->DataDirectory); +} + struct testcase_t hs_tests[] = { { "hs_rend_data", test_hs_rend_data, TT_FORK, NULL, NULL }, @@ -508,6 +713,8 @@ struct testcase_t hs_tests[] = { NULL, NULL }, { "hs_auth_cookies", test_hs_auth_cookies, TT_FORK, NULL, NULL }, + { "single_onion_poisoning", test_single_onion_poisoning, TT_FORK, + NULL, NULL }, END_OF_TESTCASES }; diff --git a/src/test/test_options.c b/src/test/test_options.c index 87f896607a..cd1821a77e 100644 --- a/src/test/test_options.c +++ b/src/test/test_options.c @@ -2757,6 +2757,154 @@ test_options_validate__rend(void *ignored) tor_free(msg); } +static void +test_options_validate__single_onion(void *ignored) +{ + (void)ignored; + int ret; + char *msg; + options_test_data_t *tdata = NULL; + int previous_log = setup_capture_of_logs(LOG_WARN); + + /* Test that OnionServiceSingleHopMode must come with + * OnionServiceNonAnonymousMode */ + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "SOCKSPort 0\n" + "OnionServiceSingleHopMode 1\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, -1); + tt_str_op(msg, OP_EQ, "OnionServiceSingleHopMode does not provide any " + "server anonymity. It must be used with " + "OnionServiceNonAnonymousMode set to 1."); + tor_free(msg); + free_options_test_data(tdata); + + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "SOCKSPort 0\n" + "OnionServiceSingleHopMode 1\n" + "OnionServiceNonAnonymousMode 0\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, -1); + tt_str_op(msg, OP_EQ, "OnionServiceSingleHopMode does not provide any " + "server anonymity. It must be used with " + "OnionServiceNonAnonymousMode set to 1."); + tor_free(msg); + free_options_test_data(tdata); + + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "SOCKSPort 0\n" + "OnionServiceSingleHopMode 1\n" + "OnionServiceNonAnonymousMode 1\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, 0); + tt_ptr_op(msg, OP_EQ, NULL); + free_options_test_data(tdata); + + /* Test that SOCKSPort must come with Tor2webMode if + * OnionServiceSingleHopMode is 1 */ + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "SOCKSPort 5000\n" + "OnionServiceSingleHopMode 1\n" + "OnionServiceNonAnonymousMode 1\n" + "Tor2webMode 0\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, -1); + tt_str_op(msg, OP_EQ, "OnionServiceSingleHopMode is incompatible with using " + "Tor as an anonymous client. Please set Socks/Trans/NATD/DNSPort " + "to 0, or OnionServiceSingleHopMode to 0, or use the " + "non-anonymous Tor2webMode."); + tor_free(msg); + free_options_test_data(tdata); + + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "SOCKSPort 0\n" + "OnionServiceSingleHopMode 1\n" + "OnionServiceNonAnonymousMode 1\n" + "Tor2webMode 0\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, 0); + tt_ptr_op(msg, OP_EQ, NULL); + free_options_test_data(tdata); + + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "SOCKSPort 5000\n" + "OnionServiceSingleHopMode 0\n" + "Tor2webMode 0\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, 0); + tt_ptr_op(msg, OP_EQ, NULL); + free_options_test_data(tdata); + + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "SOCKSPort 5000\n" + "OnionServiceSingleHopMode 1\n" + "OnionServiceNonAnonymousMode 1\n" + "Tor2webMode 1\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, 0); + tt_ptr_op(msg, OP_EQ, NULL); + free_options_test_data(tdata); + + /* Test that a hidden service can't be run with Tor2web + * Use OnionServiceNonAnonymousMode instead of Tor2webMode, because + * Tor2webMode requires a compilation #define */ + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "OnionServiceNonAnonymousMode 1\n" + "HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/\n" + "HiddenServicePort 80 127.0.0.1:8080\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, -1); + tt_str_op(msg, OP_EQ, "OnionServiceNonAnonymousMode does not provide any " + "server anonymity. It must be used with OnionServiceSingleHopMode " + "set to 1."); + tor_free(msg); + free_options_test_data(tdata); + + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "OnionServiceNonAnonymousMode 1\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, -1); + tt_str_op(msg, OP_EQ, "OnionServiceNonAnonymousMode does not provide any " + "server anonymity. It must be used with OnionServiceSingleHopMode " + "set to 1."); + free_options_test_data(tdata); + + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/\n" + "HiddenServicePort 80 127.0.0.1:8080\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, 0); + tt_ptr_op(msg, OP_EQ, NULL); + free_options_test_data(tdata); + + tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES + "OnionServiceNonAnonymousMode 1\n" + "HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/\n" + "HiddenServicePort 80 127.0.0.1:8080\n" + "OnionServiceSingleHopMode 1\n" + "SOCKSPort 0\n" + ); + ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + tt_int_op(ret, OP_EQ, 0); + tt_ptr_op(msg, OP_EQ, NULL); + + done: + policies_free_all(); + teardown_capture_of_logs(previous_log); + free_options_test_data(tdata); + tor_free(msg); +} + static void test_options_validate__accounting(void *ignored) { @@ -4379,6 +4527,7 @@ struct testcase_t options_tests[] = { LOCAL_VALIDATE_TEST(port_forwarding), LOCAL_VALIDATE_TEST(tor2web), LOCAL_VALIDATE_TEST(rend), + LOCAL_VALIDATE_TEST(single_onion), LOCAL_VALIDATE_TEST(accounting), LOCAL_VALIDATE_TEST(proxy), LOCAL_VALIDATE_TEST(control), -- cgit v1.2.3-54-g00ecf From 75ebbed5576d402ef2929ee043ab2170bff5cc2b Mon Sep 17 00:00:00 2001 From: teor Date: Thu, 18 Aug 2016 13:19:22 +1000 Subject: Make Single Onion Service intro points respect ReachableAddresses --- src/or/or.h | 3 +- src/or/rendservice.c | 102 ++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 91 insertions(+), 14 deletions(-) (limited to 'src/or/or.h') diff --git a/src/or/or.h b/src/or/or.h index dd3ab8a03a..12459ddfa0 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -5077,7 +5077,8 @@ typedef struct rend_encoded_v2_service_descriptor_t { * the service side) and in rend_service_descriptor_t (on both the * client and service side). */ typedef struct rend_intro_point_t { - extend_info_t *extend_info; /**< Extend info of this introduction point. */ + extend_info_t *extend_info; /**< Extend info for connecting to this + * introduction point via a multi-hop path. */ crypto_pk_t *intro_key; /**< Introduction key that replaces the service * key, if this descriptor is V2. */ diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 0ba9205c6e..8b96f77d45 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1581,13 +1581,25 @@ static int rend_service_use_direct_connection(const or_options_t* options, const extend_info_t* ei) { - /* The prefer_ipv6 argument to fascist_firewall_allows_address_addr is + /* We'll connect directly all reachable addresses, whether preferred or not. + * The prefer_ipv6 argument to fascist_firewall_allows_address_addr is * ignored, because pref_only is 0. */ - return (rend_service_allow_direct_connection(options) && + return (rend_service_allow_non_anonymous_connection(options) && fascist_firewall_allows_address_addr(&ei->addr, ei->port, FIREWALL_OR_CONNECTION, 0, 0)); } +/* Like rend_service_use_direct_connection, but to a node. */ +static int +rend_service_use_direct_connection_node(const or_options_t* options, + const node_t* node) +{ + /* We'll connect directly all reachable addresses, whether preferred or not. + */ + return (rend_service_allow_non_anonymous_connection(options) && + fascist_firewall_allows_node(node, FIREWALL_OR_CONNECTION, 0)); +} + /****** * Handle cells ******/ @@ -2797,29 +2809,71 @@ rend_service_launch_establish_intro(rend_service_t *service, { origin_circuit_t *launched; int flags = CIRCLAUNCH_NEED_UPTIME|CIRCLAUNCH_IS_INTERNAL; - - if (rend_service_allow_direct_connection(get_options())) { - flags = flags | CIRCLAUNCH_ONEHOP_TUNNEL; + const or_options_t *options = get_options(); + extend_info_t *launch_ei = intro->extend_info; + extend_info_t *direct_ei = NULL; + + /* Are we in single onion mode? */ + if (rend_service_allow_non_anonymous_connection(options)) { + /* Do we have a descriptor for the node? + * We've either just chosen it from the consensus, or we've just reviewed + * our intro points to see which ones are still valid, and deleted the ones + * that aren't in the consensus any more. */ + const node_t *node = node_get_by_id(launch_ei->identity_digest); + if (BUG(!node)) { + /* The service has kept an intro point after it went missing from the + * consensus. If we did anything else here, it would be a consensus + * distinguisher. Which are less of an issue for single onion services, + * but still a bug. */ + return -1; + } + /* Can we connect to the node directly? If so, replace launch_ei + * (a multi-hop extend_info) with one suitable for direct connection. */ + if (rend_service_use_direct_connection_node(options, node)) { + direct_ei = extend_info_from_node(node, 1); + if (BUG(!direct_ei)) { + /* rend_service_use_direct_connection_node and extend_info_from_node + * disagree about which addresses on this node are permitted. This + * should never happen. Avoiding the connection is a safe response. */ + return -1; + } + flags = flags | CIRCLAUNCH_ONEHOP_TUNNEL; + launch_ei = direct_ei; + } } + /* launch_ei is either intro->extend_info, or has been replaced with a valid + * extend_info for single onion service direct connection. */ + tor_assert(launch_ei); + /* We must have the same intro when making a direct connection. */ + tor_assert(tor_memeq(intro->extend_info->identity_digest, + launch_ei->identity_digest, + DIGEST_LEN)); log_info(LD_REND, - "Launching circuit to introduction point %s for service %s", + "Launching circuit to introduction point %s%s%s for service %s", safe_str_client(extend_info_describe(intro->extend_info)), + direct_ei ? " via direct address " : "", + direct_ei ? safe_str_client(extend_info_describe(direct_ei)) : "", service->service_id); rep_hist_note_used_internal(time(NULL), 1, 0); ++service->n_intro_circuits_launched; launched = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, - intro->extend_info, flags); + launch_ei, flags); if (!launched) { log_info(LD_REND, - "Can't launch circuit to establish introduction at %s.", - safe_str_client(extend_info_describe(intro->extend_info))); + "Can't launch circuit to establish introduction at %s%s%s.", + safe_str_client(extend_info_describe(intro->extend_info)), + direct_ei ? " via direct address " : "", + direct_ei ? safe_str_client(extend_info_describe(direct_ei)) : "" + ); + extend_info_free(direct_ei); return -1; } - /* We must have the same exit node even if cannibalized. */ + /* We must have the same exit node even if cannibalized or direct connection. + */ tor_assert(tor_memeq(intro->extend_info->identity_digest, launched->build_state->chosen_exit->identity_digest, DIGEST_LEN)); @@ -2830,6 +2884,7 @@ rend_service_launch_establish_intro(rend_service_t *service, launched->intro_key = crypto_pk_dup_key(intro->intro_key); if (launched->base_.state == CIRCUIT_STATE_OPEN) rend_service_intro_has_opened(launched); + extend_info_free(direct_ei); return 0; } @@ -3669,6 +3724,9 @@ rend_consider_services_intro_points(void) int i; time_t now; const or_options_t *options = get_options(); + /* Are we in single onion mode? */ + const int allow_direct = rend_service_allow_non_anonymous_connection( + get_options()); /* List of nodes we need to _exclude_ when choosing a new node to * establish an intro point to. */ smartlist_t *exclude_nodes; @@ -3764,8 +3822,24 @@ rend_consider_services_intro_points(void) router_crn_flags_t flags = CRN_NEED_UPTIME|CRN_NEED_DESC; if (get_options()->AllowInvalid_ & ALLOW_INVALID_INTRODUCTION) flags |= CRN_ALLOW_INVALID; + router_crn_flags_t direct_flags = flags; + direct_flags |= CRN_PREF_ADDR; + direct_flags |= CRN_DIRECT_CONN; + node = router_choose_random_node(exclude_nodes, - options->ExcludeNodes, flags); + options->ExcludeNodes, + allow_direct ? direct_flags : flags); + /* If we are in single onion mode, retry node selection for a 3-hop + * path */ + if (allow_direct && !node) { + log_info(LD_REND, + "Unable to find an intro point that we can connect to " + "directly for %s, falling back to a 3-hop path.", + safe_str_client(service->service_id)); + node = router_choose_random_node(exclude_nodes, + options->ExcludeNodes, flags); + } + if (!node) { log_warn(LD_REND, "We only have %d introduction points established for %s; " @@ -3779,8 +3853,10 @@ rend_consider_services_intro_points(void) * pick it again in the next iteration. */ smartlist_add(exclude_nodes, (void*)node); intro = tor_malloc_zero(sizeof(rend_intro_point_t)); - intro->extend_info = extend_info_from_node(node, - rend_service_allow_direct_connection(options)); + /* extend_info is for clients, so we want the multi-hop primary ORPort, + * even if we are a single onion service and intend to connect to it + * directly ourselves. */ + intro->extend_info = extend_info_from_node(node, 0); intro->intro_key = crypto_pk_new(); const int fail = crypto_pk_generate_key(intro->intro_key); tor_assert(!fail); -- cgit v1.2.3-54-g00ecf From 41f96078c23e3ef1c39a853841332cac3e133a94 Mon Sep 17 00:00:00 2001 From: teor Date: Tue, 6 Sep 2016 16:22:07 +1000 Subject: Refactor UseEntryNodes so the original configured value is preserved Parse the value to UseEntryNodes_option, then set UseEntryNodes before validating options. This way, Authorities, Tor2web, and Single Onion Services don't write spurious "UseEntryNodes 0" lines to their configs. Document the fact that these tor configurations ignore UseEntryNodes in the manual page. Also reorder options validation so we modify UseEntryNodes first, then check its value against EntryNodes. And silence a warning about disabled UseEntryNodes for hidden services when we're actually in non-anonymous single onion service mode. --- changes/feature17178 | 7 +++++++ doc/tor.1.txt | 4 +++- src/or/config.c | 19 +++++++++++++------ src/or/or.h | 12 ++++++++++-- 4 files changed, 33 insertions(+), 9 deletions(-) (limited to 'src/or/or.h') diff --git a/changes/feature17178 b/changes/feature17178 index df6aae3ced..060b85aa47 100644 --- a/changes/feature17178 +++ b/changes/feature17178 @@ -21,3 +21,10 @@ o Minor bug fixes (circuits): - Use CircuitBuildTimeout whenever LearnCircuitBuildTimeout is disabled. Fixes bug #19678 in commit 5b0b51ca3 in 0.2.4.12-alpha. Patch by teor. + o Minor bug fixes (options): + - Stop changing the configured value of UseEntryGuards on authorities + and Tor2web clients. + Fixes bug #20074 in commits 51fc6799 in tor-0.1.1.16-rc and + acda1735 in tor-0.2.4.3-alpha. Patch by teor. + - Check the consistency of UseEntryGuards and EntryNodes more reliably. + Fixes bug #20074 in commit 686aaa5c in tor-0.2.4.12-alpha. Patch by teor. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index bd25a614a8..f353637d67 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1184,7 +1184,9 @@ The following options are useful only for clients (that is, if If this option is set to 1, we pick a few long-term entry servers, and try to stick with them. This is desirable because constantly changing servers increases the odds that an adversary who owns some servers will observe a - fraction of your paths. (Default: 1) + fraction of your paths. Entry Guards can not be used by Directory + Authorities, Single Onion Services, and Tor2web clients. In these cases, + the this option is ignored. (Default: 1) [[UseEntryGuardsAsDirGuards]] **UseEntryGuardsAsDirGuards** **0**|**1**:: If this option is set to 1, and UseEntryGuards is also set to 1, diff --git a/src/or/config.c b/src/or/config.c index 36b2062271..48f1ab98e7 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -437,7 +437,7 @@ static config_var_t option_vars_[] = { OBSOLETE("TunnelDirConns"), V(UpdateBridgesFromAuthority, BOOL, "0"), V(UseBridges, BOOL, "0"), - V(UseEntryGuards, BOOL, "1"), + VAR("UseEntryGuards", BOOL, UseEntryGuards_option, "1"), V(UseEntryGuardsAsDirGuards, BOOL, "1"), V(UseGuardFraction, AUTOBOOL, "auto"), V(UseMicrodescriptors, AUTOBOOL, "auto"), @@ -2926,6 +2926,12 @@ options_validate(or_options_t *old_options, or_options_t *options, tor_assert(msg); *msg = NULL; + /* Set UseEntryGuards from the configured value, before we check it below. + * We change UseEntryGuards whenn it's incompatible with other options, + * but leave UseEntryGuards_option with the original value. + * Always use the value of UseEntryGuards, not UseEntryGuards_option. */ + options->UseEntryGuards = options->UseEntryGuards_option; + warn_about_relative_paths(options); if (server_mode(options) && @@ -3301,10 +3307,6 @@ options_validate(or_options_t *old_options, or_options_t *options, if (options->UseBridges && options->EntryNodes) REJECT("You cannot set both UseBridges and EntryNodes."); - if (options->EntryNodes && !options->UseEntryGuards) { - REJECT("If EntryNodes is set, UseEntryGuards must be enabled."); - } - options->MaxMemInQueues = compute_real_max_mem_in_queues(options->MaxMemInQueues_raw, server_mode(options)); @@ -3419,8 +3421,13 @@ options_validate(or_options_t *old_options, or_options_t *options, REJECT("Tor2webRendezvousPoints cannot be set without Tor2webMode."); } + if (options->EntryNodes && !options->UseEntryGuards) { + REJECT("If EntryNodes is set, UseEntryGuards must be enabled."); + } + if (!(options->UseEntryGuards) && - (options->RendConfigLines != NULL)) { + (options->RendConfigLines != NULL) && + !rend_service_non_anonymous_mode_enabled(options)) { log_warn(LD_CONFIG, "UseEntryGuards is disabled, but you have configured one or more " "hidden services on this Tor instance. Your hidden services " diff --git a/src/or/or.h b/src/or/or.h index 12459ddfa0..7104a5cae3 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3963,8 +3963,16 @@ typedef struct { int TokenBucketRefillInterval; char *AccelName; /**< Optional hardware acceleration engine name. */ char *AccelDir; /**< Optional hardware acceleration engine search dir. */ - int UseEntryGuards; /**< Boolean: Do we try to enter from a smallish number - * of fixed nodes? */ + + /** Boolean: Do we try to enter from a smallish number + * of fixed nodes? */ + int UseEntryGuards_option; + /** Internal variable to remember whether we're actually acting on + * UseEntryGuards_option -- when we're a non-anonymous Tor2web client or + * Single Onion Service, it is alwasy false, otherwise we use the value of + * UseEntryGuards_option. */ + int UseEntryGuards; + int NumEntryGuards; /**< How many entry guards do we try to establish? */ int UseEntryGuardsAsDirGuards; /** Boolean: Do we try to get directory info * from a smallish number of fixed nodes? */ -- cgit v1.2.3-54-g00ecf From f686fa2ee600f6670bab7531d404eaf5f8ea91ff Mon Sep 17 00:00:00 2001 From: teor Date: Tue, 13 Sep 2016 11:55:23 +1000 Subject: Comments: prefer circuit_build_times_disabled() to LearnCircuitBuildTimeout --- src/or/or.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/or/or.h') diff --git a/src/or/or.h b/src/or/or.h index 7104a5cae3..07f94b7505 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3777,7 +3777,8 @@ typedef struct { * unattached before we fail it? */ int LearnCircuitBuildTimeout; /**< If non-zero, we attempt to learn a value * for CircuitBuildTimeout based on timeout - * history */ + * history. Use circuit_build_times_disabled() + * rather than checking this value directly. */ int CircuitBuildTimeout; /**< Cull non-open circuits that were born at * least this many seconds ago. Used until * adaptive algorithm learns a new value. */ -- cgit v1.2.3-54-g00ecf From 365ca3ca0f5d9d391a2156436d1a7c620906e23a Mon Sep 17 00:00:00 2001 From: teor Date: Tue, 13 Sep 2016 17:20:46 +1000 Subject: Refactor Single Onion code to improve consistency * Check consistency between the two single onion torrc options * Use the more relevant option each time we check for single onion mode * Clarify log messages * Clarify comments * Otherwise, no behaviour change --- src/or/circuitstats.c | 2 +- src/or/config.c | 72 ++++++++++++++++++++++++------------------------- src/or/control.c | 21 ++++++++------- src/or/or.h | 7 +++-- src/or/rendcommon.c | 8 +++--- src/or/rendservice.c | 56 +++++++++++++++++++++++++------------- src/test/test_options.c | 8 +++--- 7 files changed, 96 insertions(+), 78 deletions(-) (limited to 'src/or/or.h') diff --git a/src/or/circuitstats.c b/src/or/circuitstats.c index 296f852c79..3d64113521 100644 --- a/src/or/circuitstats.c +++ b/src/or/circuitstats.c @@ -104,7 +104,7 @@ circuit_build_times_disabled(void) int config_disabled = !options->LearnCircuitBuildTimeout; int dirauth_disabled = options->AuthoritativeDir; int state_disabled = did_last_state_file_write_fail() ? 1 : 0; - /* LearnCircuitBuildTimeout and Tor2webMode/OnionServiceSingleHopMode are + /* LearnCircuitBuildTimeout and Tor2web/Single Onion Services are * incompatible in two ways: * * - LearnCircuitBuildTimeout results in a low CBT, which diff --git a/src/or/config.c b/src/or/config.c index 48f1ab98e7..6d168c4b74 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1730,17 +1730,17 @@ options_act(const or_options_t *old_options) * poisoning code checks for existing keys, and refuses to modify their * directories. */ - /* If we use the insecure OnionServiceSingleHopMode, make sure we poison any + /* If we use non-anonymous single onion services, make sure we poison any new hidden service directories, so that we never accidentally launch the non-anonymous hidden services thinking they are anonymous. */ - if (running_tor && rend_service_allow_non_anonymous_connection(options)) { + if (running_tor && rend_service_non_anonymous_mode_enabled(options)) { if (options->RendConfigLines && !num_rend_services()) { log_warn(LD_BUG,"Error: hidden services configured, but not parsed."); return -1; } if (rend_service_poison_new_single_onion_dirs(NULL) < 0) { - log_warn(LD_GENERAL,"Failed to mark new hidden services as Single " - "Onion."); + log_warn(LD_GENERAL,"Failed to mark new hidden services as non-anonymous" + "."); return -1; } } @@ -2818,63 +2818,61 @@ warn_about_relative_paths(or_options_t *options) } } -/* Validate options related to OnionServiceSingleHopMode. - * Modifies some options that are incompatible with OnionServiceSingleHopMode. +/* Validate options related to single onion services. + * Modifies some options that are incompatible with single onion services. * On failure returns -1, and sets *msg to an error string. * Returns 0 on success. */ STATIC int options_validate_single_onion(or_options_t *options, char **msg) { - /* You must set OnionServiceNonAnonymousMode to 1 to use - * OnionServiceSingleHopMode */ + /* The two single onion service options must have matching values. */ if (options->OnionServiceSingleHopMode && - !rend_service_non_anonymous_mode_enabled(options)) { + !options->OnionServiceNonAnonymousMode) { REJECT("OnionServiceSingleHopMode does not provide any server anonymity. " "It must be used with OnionServiceNonAnonymousMode set to 1."); } - - /* If you have OnionServiceNonAnonymousMode set, you must use - * OnionServiceSingleHopMode. */ - if (rend_service_non_anonymous_mode_enabled(options) && + if (options->OnionServiceNonAnonymousMode && !options->OnionServiceSingleHopMode) { REJECT("OnionServiceNonAnonymousMode does not provide any server " "anonymity. It must be used with OnionServiceSingleHopMode set to " "1."); } + /* Now that we've checked that the two options are consistent, we can safely + * call the rend_service_* functions that abstract these options. */ + /* If you run an anonymous client with an active Single Onion service, the * client loses anonymity. */ const int client_port_set = (options->SocksPort_set || options->TransPort_set || options->NATDPort_set || options->DNSPort_set); - if (options->OnionServiceSingleHopMode && client_port_set && + if (rend_service_non_anonymous_mode_enabled(options) && client_port_set && !options->Tor2webMode) { - REJECT("OnionServiceSingleHopMode is incompatible with using Tor as an " + REJECT("OnionServiceNonAnonymousMode is incompatible with using Tor as an " "anonymous client. Please set Socks/Trans/NATD/DNSPort to 0, or " - "OnionServiceSingleHopMode to 0, or use the non-anonymous " + "OnionServiceNonAnonymousMode to 0, or use the non-anonymous " "Tor2webMode."); } /* If you run a hidden service in non-anonymous mode, the hidden service * loses anonymity, even if SOCKSPort / Tor2web mode isn't used. */ - if (!options->OnionServiceSingleHopMode && options->RendConfigLines - && options->Tor2webMode) { + if (!rend_service_non_anonymous_mode_enabled(options) && + options->RendConfigLines && options->Tor2webMode) { REJECT("Non-anonymous (Tor2web) mode is incompatible with using Tor as a " "hidden service. Please remove all HiddenServiceDir lines, or use " "a version of tor compiled without --enable-tor2web-mode, or use " - "the non-anonymous OnionServiceSingleHopMode."); + " OnionServiceNonAnonymousMode."); } - if (options->OnionServiceSingleHopMode + if (rend_service_allow_non_anonymous_connection(options) && options->UseEntryGuards) { - /* Single Onion services do not (and should not) use entry guards - * in any meaningful way. Further, Single Onions causes the hidden - * service code to do things which break the path bias + /* Single Onion services only use entry guards when uploading descriptors, + * all other connections are one-hop. Further, Single Onions causes the + * hidden service code to do things which break the path bias * detector, and it's far easier to turn off entry guards (and * thus the path bias detector with it) than to figure out how to - * make a piece of code which cannot possibly help Single Onions, - * compatible with OnionServiceSingleHopMode. + * make path bias compatible with single onions. */ log_notice(LD_CONFIG, "OnionServiceSingleHopMode is enabled; disabling " @@ -2882,12 +2880,12 @@ options_validate_single_onion(or_options_t *options, char **msg) options->UseEntryGuards = 0; } - /* Check if existing hidden service keys were created with a different - * setting of OnionServiceNonAnonymousMode, and refuse to launch if they + /* Check if existing hidden service keys were created in a different + * single onion service mode, and refuse to launch if they * have. We'll poison new keys in options_act() just before we create them. */ if (rend_service_list_verify_single_onion_poison(NULL, options) < 0) { - log_warn(LD_GENERAL, "We are configured with OnionServiceSingleHopMode " + log_warn(LD_GENERAL, "We are configured with OnionServiceNonAnonymousMode " "%d, but one or more hidden service keys were created in %s " "mode. This is not allowed.", rend_service_non_anonymous_mode_enabled(options) ? 1 : 0, @@ -3427,7 +3425,7 @@ options_validate(or_options_t *old_options, or_options_t *options, if (!(options->UseEntryGuards) && (options->RendConfigLines != NULL) && - !rend_service_non_anonymous_mode_enabled(options)) { + !rend_service_allow_non_anonymous_connection(options)) { log_warn(LD_CONFIG, "UseEntryGuards is disabled, but you have configured one or more " "hidden services on this Tor instance. Your hidden services " @@ -3450,15 +3448,15 @@ options_validate(or_options_t *old_options, or_options_t *options, return -1; } - /* OnionServiceSingleHopMode: one hop between the onion service server and - * intro and rendezvous points */ - if (options->OnionServiceSingleHopMode) { + /* Single Onion Services: non-anonymous hidden services */ + if (rend_service_non_anonymous_mode_enabled(options)) { log_warn(LD_CONFIG, - "OnionServiceSingleHopMode is set. Every hidden service on this " - "tor instance is NON-ANONYMOUS. If OnionServiceSingleHopMode is " - "disabled, Tor will refuse to launch hidden services from the " - "same directories, to protect against config errors. This " - "setting is for experimental use only."); + "OnionServiceNonAnonymousNode is set. Every hidden service on " + "this tor instance is NON-ANONYMOUS. If " + "the OnionServiceNonAnonymousMode option is changed, Tor will " + "refuse to launch hidden services from the same directories, to " + "protect your anonymity against config errors. This setting is " + "for experimental use only."); } if (!options->LearnCircuitBuildTimeout && options->CircuitBuildTimeout && diff --git a/src/or/control.c b/src/or/control.c index 8f3909b27d..8962075e1e 100644 --- a/src/or/control.c +++ b/src/or/control.c @@ -4249,7 +4249,7 @@ handle_control_add_onion(control_connection_t *conn, int max_streams = 0; int max_streams_close_circuit = 0; rend_auth_type_t auth_type = REND_NO_AUTH; - /* Default to anonymous if no flag is given */ + /* Default to adding an anonymous hidden service if no flag is given */ int non_anonymous = 0; for (size_t i = 1; i < arg_len; i++) { static const char *port_prefix = "Port="; @@ -4288,10 +4288,9 @@ handle_control_add_onion(control_connection_t *conn, * exceeded. * * 'BasicAuth' - Client authorization using the 'basic' method. * * 'NonAnonymous' - Add a non-anonymous Single Onion Service. If this - * flag is present, OnionServiceSingleHopMode and - * OnionServiceNonAnonymousMode must both be 1. If - * this flag is absent, both these options must be - * 0. + * flag is present, tor must be in non-anonymous + * hidden service mode. If this flag is absent, + * tor must be in anonymous hidden service mode. */ static const char *discard_flag = "DiscardPK"; static const char *detach_flag = "Detach"; @@ -4388,15 +4387,17 @@ handle_control_add_onion(control_connection_t *conn, smartlist_len(auth_clients) > 16)) { connection_printf_to_buf(conn, "512 Too many auth clients\r\n"); goto out; - } else if (non_anonymous != rend_service_allow_non_anonymous_connection( + } else if (non_anonymous != rend_service_non_anonymous_mode_enabled( get_options())) { - /* If we failed, and non-anonymous is set, Tor must be in anonymous mode. + /* If we failed, and the non-anonymous flag is set, Tor must be in + * anonymous hidden service mode. * The error message changes based on the current Tor config: - * 512 Tor is in anonymous onion mode - * 512 Tor is in non-anonymous onion mode + * 512 Tor is in anonymous hidden service mode + * 512 Tor is in non-anonymous hidden service mode * (I've deliberately written them out in full here to aid searchability.) */ - connection_printf_to_buf(conn, "512 Tor is in %sanonymous onion mode\r\n", + connection_printf_to_buf(conn, "512 Tor is in %sanonymous hidden service " + "mode\r\n", non_anonymous ? "" : "non-"); goto out; } diff --git a/src/or/or.h b/src/or/or.h index 07f94b7505..849cd4c7a1 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3706,8 +3706,7 @@ typedef struct { * rendezvous points. (Onion service descriptors are still posted using * 3-hop paths, to avoid onion service directories blocking the service.) * This option makes every hidden service instance hosted by - * this tor instance a Single Onion Service. One-hop circuits make Single - * Onion servers easily locatable, but clients remain location-anonymous. + * this tor instance a Single Onion Service. * OnionServiceSingleHopMode requires OnionServiceNonAnonymousMode to be set * to 1. * Use rend_service_allow_non_anonymous_connection() or @@ -3716,8 +3715,8 @@ typedef struct { int OnionServiceSingleHopMode; /* Makes hidden service clients and servers non-anonymous on this tor * instance. Allows the non-anonymous OnionServiceSingleHopMode. Enables - * direct connections in the hidden service protocol. - * Use rend_service_non_anonymous_mode() instead of using this option + * non-anonymous behaviour in the hidden service protocol. + * Use rend_service_non_anonymous_mode_enabled() instead of using this option * directly. */ int OnionServiceNonAnonymousMode; diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c index 12dd0f44e5..083efd0276 100644 --- a/src/or/rendcommon.c +++ b/src/or/rendcommon.c @@ -1097,11 +1097,11 @@ rend_non_anonymous_mode_enabled(const or_options_t *options) /* Make sure that tor only builds one-hop circuits when they would not * compromise user anonymity. * - * One-hop circuits are permitted in Tor2webMode or OnionServiceSingleHopMode. + * One-hop circuits are permitted in Tor2web or Single Onion modes. * - * Tor2webMode and OnionServiceSingleHopMode are also allowed to make - * multi-hop circuits. For example, single onion HSDir circuits are 3-hop to - * prevent denial of service. + * Tor2web or Single Onion modes are also allowed to make multi-hop circuits. + * For example, single onion HSDir circuits are 3-hop to prevent denial of + * service. */ void assert_circ_anonymity_ok(origin_circuit_t *circ, diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 04894dddab..9400b591ee 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1025,10 +1025,10 @@ rend_service_private_key_exists(const rend_service_t *service) /** Check the single onion service poison state of all existing hidden service * directories: - * - If each service is poisoned, and we are in OnionServiceSingleHopMode, + * - If each service is poisoned, and we are in Single Onion Mode, + * return 0, + * - If each service is not poisoned, and we are not in Single Onion Mode, * return 0, - * - If each service is not poisoned, and we are not in - * OnionServiceSingleHopMode, return 0, * - Otherwise, the poison state is invalid, and a service that was created in * one mode is being used in the other, return -1. * Hidden service directories without keys are not checked for consistency. @@ -1054,7 +1054,7 @@ rend_service_list_verify_single_onion_poison(const smartlist_t *service_list, int consistent = 1; SMARTLIST_FOREACH_BEGIN(s_list, const rend_service_t *, s) { if (service_is_single_onion_poisoned(s) != - rend_service_allow_non_anonymous_connection(options) && + rend_service_non_anonymous_mode_enabled(options) && rend_service_private_key_exists(s)) { consistent = 0; } @@ -1063,25 +1063,25 @@ rend_service_list_verify_single_onion_poison(const smartlist_t *service_list, return consistent ? 0 : -1; } -/*** Helper for rend_service_poison_new_single_onion_dirs(). When in single - * onion mode, add a file to this hidden service directory that marks it as a - * single onion hidden service. Returns 0 when a directory is successfully - * poisoned, or if it is already poisoned. Returns -1 on a failure to read - * the directory or write the poison file, or if there is an existing private - * key file in the directory. (The service should have been poisoned when the - * key was created.) */ +/*** Helper for rend_service_poison_new_single_onion_dirs(). Add a file to + * this hidden service directory that marks it as a single onion service. + * Tor must be in single onion mode before calling this function. + * Returns 0 when a directory is successfully poisoned, or if it is already + * poisoned. Returns -1 on a failure to read the directory or write the poison + * file, or if there is an existing private key file in the directory. (The + * service should have been poisoned when the key was created.) */ static int poison_new_single_onion_hidden_service_dir(const rend_service_t *service) { /* We must only poison directories if we're in Single Onion mode */ - tor_assert(rend_service_allow_non_anonymous_connection(get_options())); + tor_assert(rend_service_non_anonymous_mode_enabled(get_options())); int fd; int retval = -1; char *poison_fname = NULL; if (!service->directory) { - log_info(LD_REND, "Ephemeral HS started in OnionServiceSingleHopMode."); + log_info(LD_REND, "Ephemeral HS started in non-anonymous mode."); return 0; } @@ -1126,7 +1126,7 @@ poison_new_single_onion_hidden_service_dir(const rend_service_t *service) return retval; } -/** We just got launched in OnionServiceSingleHopMode. That's a non-anoymous +/** We just got launched in Single Onion Mode. That's a non-anoymous * mode for hidden services; hence we should mark all new hidden service * directories appropriately so that they are never launched as * location-private hidden services again. (New directories don't have private @@ -1138,7 +1138,7 @@ int rend_service_poison_new_single_onion_dirs(const smartlist_t *service_list) { /* We must only poison directories if we're in Single Onion mode */ - tor_assert(rend_service_allow_non_anonymous_connection(get_options())); + tor_assert(rend_service_non_anonymous_mode_enabled(get_options())); const smartlist_t *s_list; /* If no special service list is provided, then just use the global one. */ @@ -4179,12 +4179,25 @@ rend_service_set_connection_addr_port(edge_connection_t *conn, return -2; } +/* Are OnionServiceSingleHopMode and OnionServiceNonAnonymousMode consistent? + */ +static int +rend_service_non_anonymous_mode_consistent(const or_options_t *options) +{ + /* !! is used to make these options boolean */ + return (!! options->OnionServiceSingleHopMode == + !! options->OnionServiceNonAnonymousMode); +} + /* Do the options allow onion services to make direct (non-anonymous) * connections to introduction or rendezvous points? + * Must only be called after options_validate_single_onion() has successfully + * checked onion service option consistency. * Returns true if tor is in OnionServiceSingleHopMode. */ int rend_service_allow_non_anonymous_connection(const or_options_t *options) { + tor_assert(rend_service_non_anonymous_mode_consistent(options)); return options->OnionServiceSingleHopMode ? 1 : 0; } @@ -4192,17 +4205,24 @@ rend_service_allow_non_anonymous_connection(const or_options_t *options) * service? * Single Onion Services prioritise availability over hiding their * startup time, as their IP address is publicly discoverable anyway. - * Returns true if tor is in OnionServiceSingleHopMode. */ + * Must only be called after options_validate_single_onion() has successfully + * checked onion service option consistency. + * Returns true if tor is in non-anonymous hidden service mode. */ int rend_service_reveal_startup_time(const or_options_t *options) { - return rend_service_allow_non_anonymous_connection(options); + tor_assert(rend_service_non_anonymous_mode_consistent(options)); + return rend_service_non_anonymous_mode_enabled(options); } /* Is non-anonymous mode enabled using the OnionServiceNonAnonymousMode - * config option? */ + * config option? + * Must only be called after options_validate_single_onion() has successfully + * checked onion service option consistency. + */ int rend_service_non_anonymous_mode_enabled(const or_options_t *options) { + tor_assert(rend_service_non_anonymous_mode_consistent(options)); return options->OnionServiceNonAnonymousMode ? 1 : 0; } diff --git a/src/test/test_options.c b/src/test/test_options.c index cd1821a77e..f01e137f8f 100644 --- a/src/test/test_options.c +++ b/src/test/test_options.c @@ -2813,10 +2813,10 @@ test_options_validate__single_onion(void *ignored) ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); tt_int_op(ret, OP_EQ, -1); - tt_str_op(msg, OP_EQ, "OnionServiceSingleHopMode is incompatible with using " - "Tor as an anonymous client. Please set Socks/Trans/NATD/DNSPort " - "to 0, or OnionServiceSingleHopMode to 0, or use the " - "non-anonymous Tor2webMode."); + tt_str_op(msg, OP_EQ, "OnionServiceNonAnonymousMode is incompatible with " + "using Tor as an anonymous client. Please set " + "Socks/Trans/NATD/DNSPort to 0, or OnionServiceNonAnonymousMode " + "to 0, or use the non-anonymous Tor2webMode."); tor_free(msg); free_options_test_data(tdata); -- cgit v1.2.3-54-g00ecf From f311c9ffa2d9cdb64b92e4ceab5b3c582b976228 Mon Sep 17 00:00:00 2001 From: teor Date: Tue, 13 Sep 2016 17:28:03 +1000 Subject: Replace OnionService* with HiddenService* in option names And make consequential line-length adjustments. --- changes/feature17178 | 4 +-- doc/tor.1.txt | 12 ++++----- src/or/config.c | 52 ++++++++++++++++++------------------ src/or/or.h | 12 ++++----- src/or/rendservice.c | 14 +++++----- src/test/test_hs.c | 70 ++++++++++++++++++++++++------------------------- src/test/test_options.c | 64 ++++++++++++++++++++++---------------------- 7 files changed, 114 insertions(+), 114 deletions(-) (limited to 'src/or/or.h') diff --git a/changes/feature17178 b/changes/feature17178 index 060b85aa47..172097cd62 100644 --- a/changes/feature17178 +++ b/changes/feature17178 @@ -1,6 +1,6 @@ o Major features (onion services): - - Add experimental OnionServiceSingleHopMode and - OnionServiceNonAnonymousMode options. When both are set to 1, every + - Add experimental HiddenServiceSingleHopMode and + HiddenServiceNonAnonymousMode options. When both are set to 1, every hidden service on a tor instance becomes a non-anonymous Single Onion Service. Single Onions make one-hop (direct) connections to their introduction and renzedvous points. One-hop circuits make Single Onion diff --git a/doc/tor.1.txt b/doc/tor.1.txt index f353637d67..ab4dcbaf60 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -2379,9 +2379,9 @@ The following options are used to configure a hidden service. Number of introduction points the hidden service will have. You can't have more than 10. (Default: 3) -[[OnionServiceSingleHopMode]] **OnionServiceSingleHopMode** **0**|**1**:: +[[HiddenServiceSingleHopMode]] **HiddenServiceSingleHopMode** **0**|**1**:: **Experimental - Non Anonymous** Hidden Services on a tor instance in - OnionServiceSingleHopMode make one-hop (direct) circuits between the onion + HiddenServiceSingleHopMode make one-hop (direct) circuits between the onion service server, and the introduction and rendezvous points. (Onion service descriptors are still posted using 3-hop paths, to avoid onion service directories blocking the service.) @@ -2392,21 +2392,21 @@ The following options are used to configure a hidden service. statistically distinguishable. **WARNING:** Once a hidden service directory has been used by a tor - instance in OnionServiceSingleHopMode, it can **NEVER** be used again for + instance in HiddenServiceSingleHopMode, it can **NEVER** be used again for a hidden service. It is best practice to create a new hidden service directory, key, and address for each new Single Onion Service and Hidden Service. It is not possible to run Single Onion Services and Hidden Services from the same tor instance: they should be run on different servers with different IP addresses. - OnionServiceSingleHopMode requires OnionServiceNonAnonymousMode to be set + HiddenServiceSingleHopMode requires HiddenServiceNonAnonymousMode to be set to 1. Since a Single Onion is non-anonymous, you can not to run an anonymous SOCKSPort on the same tor instance as a Single Onion service. (Default: 0) -[[OnionServiceNonAnonymousMode]] **OnionServiceNonAnonymousMode** **0**|**1**:: +[[HiddenServiceNonAnonymousMode]] **HiddenServiceNonAnonymousMode** **0**|**1**:: Makes hidden services non-anonymous on this tor instance. Allows the - non-anonymous OnionServiceSingleHopMode. Enables direct connections in the + non-anonymous HiddenServiceSingleHopMode. Enables direct connections in the server-side hidden service protocol. (Default: 0) diff --git a/src/or/config.c b/src/or/config.c index 6d168c4b74..949c8a973f 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -298,8 +298,8 @@ static config_var_t option_vars_[] = { V(HidServAuth, LINELIST, NULL), V(CloseHSClientCircuitsImmediatelyOnTimeout, BOOL, "0"), V(CloseHSServiceRendCircuitsImmediatelyOnTimeout, BOOL, "0"), - V(OnionServiceSingleHopMode, BOOL, "0"), - V(OnionServiceNonAnonymousMode,BOOL, "0"), + V(HiddenServiceSingleHopMode, BOOL, "0"), + V(HiddenServiceNonAnonymousMode,BOOL, "0"), V(HTTPProxy, STRING, NULL), V(HTTPProxyAuthenticator, STRING, NULL), V(HTTPSProxy, STRING, NULL), @@ -2826,15 +2826,15 @@ STATIC int options_validate_single_onion(or_options_t *options, char **msg) { /* The two single onion service options must have matching values. */ - if (options->OnionServiceSingleHopMode && - !options->OnionServiceNonAnonymousMode) { - REJECT("OnionServiceSingleHopMode does not provide any server anonymity. " - "It must be used with OnionServiceNonAnonymousMode set to 1."); - } - if (options->OnionServiceNonAnonymousMode && - !options->OnionServiceSingleHopMode) { - REJECT("OnionServiceNonAnonymousMode does not provide any server " - "anonymity. It must be used with OnionServiceSingleHopMode set to " + if (options->HiddenServiceSingleHopMode && + !options->HiddenServiceNonAnonymousMode) { + REJECT("HiddenServiceSingleHopMode does not provide any server anonymity. " + "It must be used with HiddenServiceNonAnonymousMode set to 1."); + } + if (options->HiddenServiceNonAnonymousMode && + !options->HiddenServiceSingleHopMode) { + REJECT("HiddenServiceNonAnonymousMode does not provide any server " + "anonymity. It must be used with HiddenServiceSingleHopMode set to " "1."); } @@ -2849,9 +2849,9 @@ options_validate_single_onion(or_options_t *options, char **msg) options->DNSPort_set); if (rend_service_non_anonymous_mode_enabled(options) && client_port_set && !options->Tor2webMode) { - REJECT("OnionServiceNonAnonymousMode is incompatible with using Tor as an " - "anonymous client. Please set Socks/Trans/NATD/DNSPort to 0, or " - "OnionServiceNonAnonymousMode to 0, or use the non-anonymous " + REJECT("HiddenServiceNonAnonymousMode is incompatible with using Tor as " + "an anonymous client. Please set Socks/Trans/NATD/DNSPort to 0, or " + "HiddenServiceNonAnonymousMode to 0, or use the non-anonymous " "Tor2webMode."); } @@ -2862,7 +2862,7 @@ options_validate_single_onion(or_options_t *options, char **msg) REJECT("Non-anonymous (Tor2web) mode is incompatible with using Tor as a " "hidden service. Please remove all HiddenServiceDir lines, or use " "a version of tor compiled without --enable-tor2web-mode, or use " - " OnionServiceNonAnonymousMode."); + " HiddenServiceNonAnonymousMode."); } if (rend_service_allow_non_anonymous_connection(options) @@ -2875,7 +2875,7 @@ options_validate_single_onion(or_options_t *options, char **msg) * make path bias compatible with single onions. */ log_notice(LD_CONFIG, - "OnionServiceSingleHopMode is enabled; disabling " + "HiddenServiceSingleHopMode is enabled; disabling " "UseEntryGuards."); options->UseEntryGuards = 0; } @@ -2885,9 +2885,9 @@ options_validate_single_onion(or_options_t *options, char **msg) * have. We'll poison new keys in options_act() just before we create them. */ if (rend_service_list_verify_single_onion_poison(NULL, options) < 0) { - log_warn(LD_GENERAL, "We are configured with OnionServiceNonAnonymousMode " - "%d, but one or more hidden service keys were created in %s " - "mode. This is not allowed.", + log_warn(LD_GENERAL, "We are configured with " + "HiddenServiceNonAnonymousMode %d, but one or more hidden " + "service keys were created in %s mode. This is not allowed.", rend_service_non_anonymous_mode_enabled(options) ? 1 : 0, rend_service_non_anonymous_mode_enabled(options) ? "an anonymous" : "a non-anonymous" @@ -3451,9 +3451,9 @@ options_validate(or_options_t *old_options, or_options_t *options, /* Single Onion Services: non-anonymous hidden services */ if (rend_service_non_anonymous_mode_enabled(options)) { log_warn(LD_CONFIG, - "OnionServiceNonAnonymousNode is set. Every hidden service on " + "HiddenServiceNonAnonymousMode is set. Every hidden service on " "this tor instance is NON-ANONYMOUS. If " - "the OnionServiceNonAnonymousMode option is changed, Tor will " + "the HiddenServiceNonAnonymousMode option is changed, Tor will " "refuse to launch hidden services from the same directories, to " "protect your anonymity against config errors. This setting is " "for experimental use only."); @@ -4408,16 +4408,16 @@ options_transition_allowed(const or_options_t *old, return -1; } - if (old->OnionServiceSingleHopMode != new_val->OnionServiceSingleHopMode) { + if (old->HiddenServiceSingleHopMode != new_val->HiddenServiceSingleHopMode) { *msg = tor_strdup("While Tor is running, changing " - "OnionServiceSingleHopMode is not allowed."); + "HiddenServiceSingleHopMode is not allowed."); return -1; } - if (old->OnionServiceNonAnonymousMode != - new_val->OnionServiceNonAnonymousMode) { + if (old->HiddenServiceNonAnonymousMode != + new_val->HiddenServiceNonAnonymousMode) { *msg = tor_strdup("While Tor is running, changing " - "OnionServiceNonAnonymousMode is not allowed."); + "HiddenServiceNonAnonymousMode is not allowed."); return -1; } diff --git a/src/or/or.h b/src/or/or.h index 849cd4c7a1..9179f08caf 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3701,25 +3701,25 @@ typedef struct { * they reach the normal circuit-build timeout. */ int CloseHSServiceRendCircuitsImmediatelyOnTimeout; - /** Onion Services in OnionServiceSingleHopMode make one-hop (direct) + /** Onion Services in HiddenServiceSingleHopMode make one-hop (direct) * circuits between the onion service server, and the introduction and * rendezvous points. (Onion service descriptors are still posted using * 3-hop paths, to avoid onion service directories blocking the service.) * This option makes every hidden service instance hosted by * this tor instance a Single Onion Service. - * OnionServiceSingleHopMode requires OnionServiceNonAnonymousMode to be set - * to 1. + * HiddenServiceSingleHopMode requires HiddenServiceNonAnonymousMode to be + * set to 1. * Use rend_service_allow_non_anonymous_connection() or * rend_service_reveal_startup_time() instead of using this option directly. */ - int OnionServiceSingleHopMode; + int HiddenServiceSingleHopMode; /* Makes hidden service clients and servers non-anonymous on this tor - * instance. Allows the non-anonymous OnionServiceSingleHopMode. Enables + * instance. Allows the non-anonymous HiddenServiceSingleHopMode. Enables * non-anonymous behaviour in the hidden service protocol. * Use rend_service_non_anonymous_mode_enabled() instead of using this option * directly. */ - int OnionServiceNonAnonymousMode; + int HiddenServiceNonAnonymousMode; int ConnLimit; /**< Demanded minimum number of simultaneous connections. */ int ConnLimit_; /**< Maximum allowed number of simultaneous connections. */ diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 9400b591ee..cce63f29fa 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -4179,26 +4179,26 @@ rend_service_set_connection_addr_port(edge_connection_t *conn, return -2; } -/* Are OnionServiceSingleHopMode and OnionServiceNonAnonymousMode consistent? +/* Are HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode consistent? */ static int rend_service_non_anonymous_mode_consistent(const or_options_t *options) { /* !! is used to make these options boolean */ - return (!! options->OnionServiceSingleHopMode == - !! options->OnionServiceNonAnonymousMode); + return (!! options->HiddenServiceSingleHopMode == + !! options->HiddenServiceNonAnonymousMode); } /* Do the options allow onion services to make direct (non-anonymous) * connections to introduction or rendezvous points? * Must only be called after options_validate_single_onion() has successfully * checked onion service option consistency. - * Returns true if tor is in OnionServiceSingleHopMode. */ + * Returns true if tor is in HiddenServiceSingleHopMode. */ int rend_service_allow_non_anonymous_connection(const or_options_t *options) { tor_assert(rend_service_non_anonymous_mode_consistent(options)); - return options->OnionServiceSingleHopMode ? 1 : 0; + return options->HiddenServiceSingleHopMode ? 1 : 0; } /* Do the options allow us to reveal the exact startup time of the onion @@ -4215,7 +4215,7 @@ rend_service_reveal_startup_time(const or_options_t *options) return rend_service_non_anonymous_mode_enabled(options); } -/* Is non-anonymous mode enabled using the OnionServiceNonAnonymousMode +/* Is non-anonymous mode enabled using the HiddenServiceNonAnonymousMode * config option? * Must only be called after options_validate_single_onion() has successfully * checked onion service option consistency. @@ -4224,5 +4224,5 @@ int rend_service_non_anonymous_mode_enabled(const or_options_t *options) { tor_assert(rend_service_non_anonymous_mode_consistent(options)); - return options->OnionServiceNonAnonymousMode ? 1 : 0; + return options->HiddenServiceNonAnonymousMode ? 1 : 0; } diff --git a/src/test/test_hs.c b/src/test/test_hs.c index 297fb0e97f..a9cd315a82 100644 --- a/src/test/test_hs.c +++ b/src/test/test_hs.c @@ -538,14 +538,14 @@ test_single_onion_poisoning(void *arg) (void) arg; /* No services, no problem! */ - mock_options->OnionServiceSingleHopMode = 0; - mock_options->OnionServiceNonAnonymousMode = 0; + mock_options->HiddenServiceSingleHopMode = 0; + mock_options->HiddenServiceNonAnonymousMode = 0; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); /* Either way, no problem. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); @@ -572,21 +572,21 @@ test_single_onion_poisoning(void *arg) /* But don't add the second service yet. */ /* Service directories, but no previous keys, no problem! */ - mock_options->OnionServiceSingleHopMode = 0; - mock_options->OnionServiceNonAnonymousMode = 0; + mock_options->HiddenServiceSingleHopMode = 0; + mock_options->HiddenServiceNonAnonymousMode = 0; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); /* Either way, no problem. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); /* Poison! Poison! Poison! - * This can only be done in OnionServiceSingleHopMode. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + * This can only be done in HiddenServiceSingleHopMode. */ + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_poison_new_single_onion_dirs(services); tt_assert(ret == 0); /* Poisoning twice is a no-op. */ @@ -594,14 +594,14 @@ test_single_onion_poisoning(void *arg) tt_assert(ret == 0); /* Poisoned service directories, but no previous keys, no problem! */ - mock_options->OnionServiceSingleHopMode = 0; - mock_options->OnionServiceNonAnonymousMode = 0; + mock_options->HiddenServiceSingleHopMode = 0; + mock_options->HiddenServiceNonAnonymousMode = 0; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); /* Either way, no problem. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); @@ -610,21 +610,21 @@ test_single_onion_poisoning(void *arg) tt_assert(ret == 0); /* Poisoned service directories with previous keys are not allowed. */ - mock_options->OnionServiceSingleHopMode = 0; - mock_options->OnionServiceNonAnonymousMode = 0; + mock_options->HiddenServiceSingleHopMode = 0; + mock_options->HiddenServiceNonAnonymousMode = 0; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret < 0); /* But they are allowed if we're in non-anonymous mode. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); /* Re-poisoning directories with existing keys is a no-op, because * directories with existing keys are ignored. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_poison_new_single_onion_dirs(services); tt_assert(ret == 0); /* And it keeps the poison. */ @@ -635,14 +635,14 @@ test_single_onion_poisoning(void *arg) smartlist_add(services, service_2); /* A new service, and an existing poisoned service. Not ok. */ - mock_options->OnionServiceSingleHopMode = 0; - mock_options->OnionServiceNonAnonymousMode = 0; + mock_options->HiddenServiceSingleHopMode = 0; + mock_options->HiddenServiceNonAnonymousMode = 0; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret < 0); /* But ok to add in non-anonymous mode. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); @@ -655,22 +655,22 @@ test_single_onion_poisoning(void *arg) /* Unpoisoned service directories with previous keys are ok, as are empty * directories. */ - mock_options->OnionServiceSingleHopMode = 0; - mock_options->OnionServiceNonAnonymousMode = 0; + mock_options->HiddenServiceSingleHopMode = 0; + mock_options->HiddenServiceNonAnonymousMode = 0; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); /* But the existing unpoisoned key is not ok in non-anonymous mode, even if * there is an empty service. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret < 0); /* Poisoning directories with existing keys is a no-op, because directories * with existing keys are ignored. But the new directory should poison. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_poison_new_single_onion_dirs(services); tt_assert(ret == 0); /* And the old directory remains unpoisoned. */ @@ -678,14 +678,14 @@ test_single_onion_poisoning(void *arg) tt_assert(ret < 0); /* And the new directory should be ignored, because it has no key. */ - mock_options->OnionServiceSingleHopMode = 0; - mock_options->OnionServiceNonAnonymousMode = 0; + mock_options->HiddenServiceSingleHopMode = 0; + mock_options->HiddenServiceNonAnonymousMode = 0; ret = rend_service_list_verify_single_onion_poison(services, mock_options); tt_assert(ret == 0); /* Re-poisoning directories without existing keys is a no-op. */ - mock_options->OnionServiceSingleHopMode = 1; - mock_options->OnionServiceNonAnonymousMode = 1; + mock_options->HiddenServiceSingleHopMode = 1; + mock_options->HiddenServiceNonAnonymousMode = 1; ret = rend_service_poison_new_single_onion_dirs(services); tt_assert(ret == 0); /* And the old directory remains unpoisoned. */ diff --git a/src/test/test_options.c b/src/test/test_options.c index f01e137f8f..bdcb318bb6 100644 --- a/src/test/test_options.c +++ b/src/test/test_options.c @@ -2766,37 +2766,37 @@ test_options_validate__single_onion(void *ignored) options_test_data_t *tdata = NULL; int previous_log = setup_capture_of_logs(LOG_WARN); - /* Test that OnionServiceSingleHopMode must come with - * OnionServiceNonAnonymousMode */ + /* Test that HiddenServiceSingleHopMode must come with + * HiddenServiceNonAnonymousMode */ tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES "SOCKSPort 0\n" - "OnionServiceSingleHopMode 1\n" + "HiddenServiceSingleHopMode 1\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); tt_int_op(ret, OP_EQ, -1); - tt_str_op(msg, OP_EQ, "OnionServiceSingleHopMode does not provide any " + tt_str_op(msg, OP_EQ, "HiddenServiceSingleHopMode does not provide any " "server anonymity. It must be used with " - "OnionServiceNonAnonymousMode set to 1."); + "HiddenServiceNonAnonymousMode set to 1."); tor_free(msg); free_options_test_data(tdata); tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES "SOCKSPort 0\n" - "OnionServiceSingleHopMode 1\n" - "OnionServiceNonAnonymousMode 0\n" + "HiddenServiceSingleHopMode 1\n" + "HiddenServiceNonAnonymousMode 0\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); tt_int_op(ret, OP_EQ, -1); - tt_str_op(msg, OP_EQ, "OnionServiceSingleHopMode does not provide any " + tt_str_op(msg, OP_EQ, "HiddenServiceSingleHopMode does not provide any " "server anonymity. It must be used with " - "OnionServiceNonAnonymousMode set to 1."); + "HiddenServiceNonAnonymousMode set to 1."); tor_free(msg); free_options_test_data(tdata); tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES "SOCKSPort 0\n" - "OnionServiceSingleHopMode 1\n" - "OnionServiceNonAnonymousMode 1\n" + "HiddenServiceSingleHopMode 1\n" + "HiddenServiceNonAnonymousMode 1\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); tt_int_op(ret, OP_EQ, 0); @@ -2804,26 +2804,26 @@ test_options_validate__single_onion(void *ignored) free_options_test_data(tdata); /* Test that SOCKSPort must come with Tor2webMode if - * OnionServiceSingleHopMode is 1 */ + * HiddenServiceSingleHopMode is 1 */ tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES "SOCKSPort 5000\n" - "OnionServiceSingleHopMode 1\n" - "OnionServiceNonAnonymousMode 1\n" + "HiddenServiceSingleHopMode 1\n" + "HiddenServiceNonAnonymousMode 1\n" "Tor2webMode 0\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); tt_int_op(ret, OP_EQ, -1); - tt_str_op(msg, OP_EQ, "OnionServiceNonAnonymousMode is incompatible with " + tt_str_op(msg, OP_EQ, "HiddenServiceNonAnonymousMode is incompatible with " "using Tor as an anonymous client. Please set " - "Socks/Trans/NATD/DNSPort to 0, or OnionServiceNonAnonymousMode " + "Socks/Trans/NATD/DNSPort to 0, or HiddenServiceNonAnonymousMode " "to 0, or use the non-anonymous Tor2webMode."); tor_free(msg); free_options_test_data(tdata); tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES "SOCKSPort 0\n" - "OnionServiceSingleHopMode 1\n" - "OnionServiceNonAnonymousMode 1\n" + "HiddenServiceSingleHopMode 1\n" + "HiddenServiceNonAnonymousMode 1\n" "Tor2webMode 0\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); @@ -2833,7 +2833,7 @@ test_options_validate__single_onion(void *ignored) tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES "SOCKSPort 5000\n" - "OnionServiceSingleHopMode 0\n" + "HiddenServiceSingleHopMode 0\n" "Tor2webMode 0\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); @@ -2843,8 +2843,8 @@ test_options_validate__single_onion(void *ignored) tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES "SOCKSPort 5000\n" - "OnionServiceSingleHopMode 1\n" - "OnionServiceNonAnonymousMode 1\n" + "HiddenServiceSingleHopMode 1\n" + "HiddenServiceNonAnonymousMode 1\n" "Tor2webMode 1\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); @@ -2853,29 +2853,29 @@ test_options_validate__single_onion(void *ignored) free_options_test_data(tdata); /* Test that a hidden service can't be run with Tor2web - * Use OnionServiceNonAnonymousMode instead of Tor2webMode, because + * Use HiddenServiceNonAnonymousMode instead of Tor2webMode, because * Tor2webMode requires a compilation #define */ tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES - "OnionServiceNonAnonymousMode 1\n" + "HiddenServiceNonAnonymousMode 1\n" "HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/\n" "HiddenServicePort 80 127.0.0.1:8080\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); tt_int_op(ret, OP_EQ, -1); - tt_str_op(msg, OP_EQ, "OnionServiceNonAnonymousMode does not provide any " - "server anonymity. It must be used with OnionServiceSingleHopMode " - "set to 1."); + tt_str_op(msg, OP_EQ, "HiddenServiceNonAnonymousMode does not provide any " + "server anonymity. It must be used with " + "HiddenServiceSingleHopMode set to 1."); tor_free(msg); free_options_test_data(tdata); tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES - "OnionServiceNonAnonymousMode 1\n" + "HiddenServiceNonAnonymousMode 1\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); tt_int_op(ret, OP_EQ, -1); - tt_str_op(msg, OP_EQ, "OnionServiceNonAnonymousMode does not provide any " - "server anonymity. It must be used with OnionServiceSingleHopMode " - "set to 1."); + tt_str_op(msg, OP_EQ, "HiddenServiceNonAnonymousMode does not provide any " + "server anonymity. It must be used with " + "HiddenServiceSingleHopMode set to 1."); free_options_test_data(tdata); tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES @@ -2888,10 +2888,10 @@ test_options_validate__single_onion(void *ignored) free_options_test_data(tdata); tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES - "OnionServiceNonAnonymousMode 1\n" + "HiddenServiceNonAnonymousMode 1\n" "HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/\n" "HiddenServicePort 80 127.0.0.1:8080\n" - "OnionServiceSingleHopMode 1\n" + "HiddenServiceSingleHopMode 1\n" "SOCKSPort 0\n" ); ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); -- cgit v1.2.3-54-g00ecf