10 #define RENDSERVICE_PRIVATE
23 #include "feature/client/circpathbias.h"
53 #include "feature/hs/hs_opts_st.h"
68 #ifdef HAVE_SYS_STAT_H
72 struct rend_service_t;
74 const char *pk_digest);
94 const struct rend_service_t *s);
104 size_t plaintext_len,
109 size_t plaintext_len,
113 const rend_service_t *s,
124 static const char *private_key_fname =
"private_key";
125 static const char *hostname_fname =
"hostname";
126 static const char *client_keys_fname =
"client_keys";
127 static const char *sos_poison_fname =
"onion_service_non_anonymous";
140 static bool logged_once =
false;
142 log_warn(
LD_REND,
"DEPRECATED: Onion service version 2 are deprecated. "
143 "Please use version 3 which is the default now. "
144 "Currently, version 2 is planned to be obsolete in "
145 "the Tor version 0.4.6 stable series.");
150 #define WARN_ONCE_DEPRECATION() log_once_deprecation_warning()
154 rend_get_service_list(
const smartlist_t* substitute_service_list)
158 return rend_get_service_list_mutable((
smartlist_t*)substitute_service_list);
168 rend_get_service_list_mutable(
smartlist_t* substitute_service_list)
170 if (substitute_service_list) {
171 return substitute_service_list;
189 return (s->directory == NULL);
215 if (client->client_key)
216 crypto_pk_free(client->client_key);
217 if (client->client_name)
218 memwipe(client->client_name, 0, strlen(client->client_name));
220 memwipe(client->descriptor_cookie, 0,
sizeof(client->descriptor_cookie));
240 if (service->ports) {
242 rend_service_port_config_free(p));
243 smartlist_free(service->ports);
245 if (service->private_key)
246 crypto_pk_free(service->private_key);
247 if (service->intro_nodes) {
249 rend_intro_point_free(intro););
250 smartlist_free(service->intro_nodes);
252 if (service->expiring_nodes) {
254 rend_intro_point_free(intro););
255 smartlist_free(service->expiring_nodes);
258 rend_service_descriptor_free(service->desc);
259 if (service->clients) {
261 rend_authorized_client_free(c););
262 smartlist_free(service->clients);
264 if (service->accepted_intro_dh_parts) {
272 rend_service_free_staging_list(
void)
276 rend_service_free(ptr));
289 rend_service_free(ptr));
293 rend_service_free_staging_list();
298 rend_service_init(
void)
311 rend_validate_service(
const smartlist_t *service_list,
312 const rend_service_t *service)
317 if (service->max_streams_per_circuit < 0) {
318 log_warn(
LD_CONFIG,
"Hidden service (%s) configured with negative max "
319 "streams per circuit.",
324 if (service->max_streams_close_circuit < 0 ||
325 service->max_streams_close_circuit > 1) {
326 log_warn(
LD_CONFIG,
"Hidden service (%s) configured with invalid "
327 "max streams handling.",
332 if (service->auth_type != REND_NO_AUTH &&
333 (!service->clients || smartlist_len(service->clients) == 0)) {
334 log_warn(
LD_CONFIG,
"Hidden service (%s) with client authorization but "
340 if (!service->ports || !smartlist_len(service->ports)) {
341 log_warn(
LD_CONFIG,
"Hidden service (%s) with no ports configured.",
363 smartlist_t *s_list = rend_get_service_list_mutable(service_list);
367 rend_service_free(service);
374 log_debug(
LD_REND,
"Configuring service with directory %s",
376 for (i = 0; i < smartlist_len(service->ports); ++i) {
377 p = smartlist_get(service->ports, i);
380 "Service maps port %d to %s",
386 "Service maps port %d to socket at \"%s\"",
390 "Service maps port %d to an AF_UNIX socket, but we "
391 "have no AF_UNIX support on this platform. This is "
394 rend_service_free(service);
420 const size_t pathlen = strlen(socket_path) + 1;
423 memcpy(conf->
unix_addr, socket_path, pathlen);
446 unsigned int is_unix_addr = 0;
447 const char *socket_path = NULL;
448 char *err_msg = NULL;
449 char *addrport = NULL;
453 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
454 if (smartlist_len(sl) < 1 || BUG(smartlist_len(sl) > 2)) {
455 err_msg = tor_strdup(
"Bad syntax in hidden service port configuration.");
458 virtport = (int)
tor_parse_long(smartlist_get(sl,0), 10, 1, 65535, NULL,NULL);
460 tor_asprintf(&err_msg,
"Missing or invalid port %s in hidden service "
461 "port configuration",
escaped(smartlist_get(sl,0)));
465 if (smartlist_len(sl) == 1) {
472 const char *addrport_element = smartlist_get(sl,1);
473 const char *rest = NULL;
479 tor_asprintf(&err_msg,
"Couldn't process address <%s> from hidden "
480 "service configuration", addrport_element);
484 if (rest && strlen(rest)) {
485 err_msg = tor_strdup(
"HiddenServicePort parse error: invalid port "
491 socket_path = addrport;
493 }
else if (strchr(addrport,
':') || strchr(addrport,
'.')) {
496 err_msg = tor_strdup(
"Unparseable address in hidden service port "
500 realport = p?p:virtport;
503 realport = (int)
tor_parse_long(addrport, 10, 1, 65535, NULL, NULL);
505 tor_asprintf(&err_msg,
"Unparseable or out-of-range port %s in "
506 "hidden service port configuration.",
526 if (err_msg_out != NULL) {
527 *err_msg_out = err_msg;
549 copy_service_on_prunning(rend_service_t *dst, rend_service_t *src)
557 dst->desc_is_dirty = src->desc_is_dirty;
558 dst->next_upload_time = src->next_upload_time;
560 dst->accepted_intro_dh_parts = src->accepted_intro_dh_parts;
561 src->accepted_intro_dh_parts = NULL;
563 dst->intro_period_started = src->intro_period_started;
564 dst->n_intro_circuits_launched = src->n_intro_circuits_launched;
565 dst->n_intro_points_wanted = src->n_intro_points_wanted;
573 rend_service_prune_list_impl_(
void)
576 smartlist_t *surviving_services, *old_service_list, *new_service_list;
593 if (!old_service_list) {
624 } SMARTLIST_FOREACH_END(old);
634 strcmp(old->directory, new->directory)) {
643 copy_service_on_prunning(
new, old);
648 } SMARTLIST_FOREACH_END(old);
649 } SMARTLIST_FOREACH_END(
new);
660 if (rend_circuit_pk_digest_eq(ocirc, (uint8_t *) s->pk_digest)) {
665 } SMARTLIST_FOREACH_END(s);
669 log_info(
LD_REND,
"Closing intro point %s for service %s.",
675 circuit_mark_for_close(
TO_CIRCUIT(ocirc), END_CIRC_REASON_FINISHED);
677 smartlist_free(surviving_services);
686 rend_service_prune_list(
void)
694 rend_service_prune_list_impl_();
695 if (old_service_list) {
699 rend_service_free(s));
700 smartlist_free(old_service_list);
710 service_config_shadow_copy(rend_service_t *service,
724 HS_CONFIG_MAX_STREAMS_PER_RDV_CIRCUIT)) {
725 service->max_streams_per_circuit = HS_CONFIG_MAX_STREAMS_PER_RDV_CIRCUIT;
731 smartlist_free(config->
ports);
732 config->
ports = NULL;
741 rend_config_service(
const hs_opts_t *hs_opts,
745 rend_service_t *service = NULL;
761 service = tor_malloc_zero(
sizeof(rend_service_t));
762 service->intro_period_started = time(NULL);
766 service_config_shadow_copy(service, config);
770 log_warn(
LD_CONFIG,
"HiddenServiceNumIntroductionPoints must be "
771 "between 0 and %d, not %d.",
773 hs_opts->HiddenServiceNumIntroductionPoints);
776 service->n_intro_points_wanted = hs_opts->HiddenServiceNumIntroductionPoints;
777 log_info(
LD_CONFIG,
"HiddenServiceNumIntroductionPoints=%d for %s",
778 service->n_intro_points_wanted,
escaped(service->directory));
781 if (hs_opts->HiddenServiceAuthorizeClient) {
786 const char *authname;
789 hs_opts->HiddenServiceAuthorizeClient,
" ", 0, 2);
790 if (smartlist_len(type_names_split) < 1) {
791 log_warn(
LD_BUG,
"HiddenServiceAuthorizeClient has no value. This "
792 "should have been prevented when parsing the "
794 smartlist_free(type_names_split);
797 authname = smartlist_get(type_names_split, 0);
798 if (!strcasecmp(authname,
"basic")) {
799 service->auth_type = REND_BASIC_AUTH;
800 }
else if (!strcasecmp(authname,
"stealth")) {
801 service->auth_type = REND_STEALTH_AUTH;
803 log_warn(
LD_CONFIG,
"HiddenServiceAuthorizeClient contains "
804 "unrecognized auth-type '%s'. Only 'basic' or 'stealth' "
806 (
char *) smartlist_get(type_names_split, 0));
808 smartlist_free(type_names_split);
812 if (smartlist_len(type_names_split) < 2) {
813 log_warn(
LD_CONFIG,
"HiddenServiceAuthorizeClient contains "
814 "auth-type '%s', but no client names.",
815 service->auth_type == REND_BASIC_AUTH ?
"basic" :
"stealth");
817 smartlist_free(type_names_split);
822 ",", SPLIT_SKIP_SPACE, 0);
824 smartlist_free(type_names_split);
827 int num_clients = smartlist_len(clients);
830 if (smartlist_len(clients) < num_clients) {
831 log_info(
LD_CONFIG,
"HiddenServiceAuthorizeClient contains %d "
832 "duplicate client name(s); removing.",
833 num_clients - smartlist_len(clients));
839 log_warn(
LD_CONFIG,
"HiddenServiceAuthorizeClient contains an "
840 "illegal client name: '%s'. Names must be "
841 "between 1 and %d characters and contain "
842 "only [A-Za-z0-9+_-].",
845 smartlist_free(clients);
849 client->client_name = tor_strdup(client_name);
851 log_debug(
LD_REND,
"Adding client name '%s'", client_name);
852 } SMARTLIST_FOREACH_END(client_name);
854 smartlist_free(clients);
856 if ((service->auth_type == REND_BASIC_AUTH &&
857 smartlist_len(service->clients) > 512) ||
858 (service->auth_type == REND_STEALTH_AUTH &&
859 smartlist_len(service->clients) > 16)) {
860 log_warn(
LD_CONFIG,
"HiddenServiceAuthorizeClient contains %d "
861 "client authorization entries, but only a "
862 "maximum of %d entries is allowed for "
863 "authorization type '%s'.",
864 smartlist_len(service->clients),
865 service->auth_type == REND_BASIC_AUTH ? 512 : 16,
866 service->auth_type == REND_BASIC_AUTH ?
"basic" :
"stealth");
887 rend_service_free(service);
908 int max_streams_per_circuit,
909 int max_streams_close_circuit,
912 char **service_id_out)
914 *service_id_out = NULL;
918 rend_service_t *s = tor_malloc_zero(
sizeof(rend_service_t));
921 s->auth_type = auth_type;
922 s->clients = auth_clients;
924 s->intro_period_started = time(NULL);
926 s->max_streams_per_circuit = max_streams_per_circuit;
927 s->max_streams_close_circuit = max_streams_close_circuit;
929 rend_service_free(s);
933 if (!s->ports || smartlist_len(s->ports) == 0) {
934 log_warn(
LD_CONFIG,
"At least one VIRTPORT/TARGET must be specified.");
935 rend_service_free(s);
938 if (s->auth_type != REND_NO_AUTH &&
939 (!s->clients || smartlist_len(s->clients) == 0)) {
940 log_warn(
LD_CONFIG,
"At least one authorized client must be specified.");
941 rend_service_free(s);
949 log_warn(
LD_CONFIG,
"Onion Service private key collides with an "
950 "existing service.");
951 rend_service_free(s);
955 log_warn(
LD_CONFIG,
"Onion Service id collides with an existing service.");
956 rend_service_free(s);
964 *service_id_out = tor_strdup(s->service_id);
966 log_debug(
LD_CONFIG,
"Added ephemeral Onion Service: %s", s->service_id);
978 log_warn(
LD_CONFIG,
"Requested malformed Onion Service id for removal.");
982 log_warn(
LD_CONFIG,
"Requested non-existent Onion Service id for "
987 log_warn(
LD_CONFIG,
"Requested non-ephemeral Onion Service for removal.");
998 if (!circ->marked_for_close &&
1003 !rend_circuit_pk_digest_eq(oc, (uint8_t *) s->pk_digest)) {
1006 log_debug(
LD_REND,
"Closing intro point %s for service %s.",
1010 circuit_mark_for_close(circ, END_CIRC_REASON_FINISHED);
1012 } SMARTLIST_FOREACH_END(circ);
1016 rend_service_free(s);
1018 log_debug(
LD_CONFIG,
"Removed ephemeral Onion Service: %s", service_id);
1025 #define INTRO_CIRC_RETRY_PERIOD_SLOP 10
1033 int exceeded_limit = (service->n_intro_circuits_launched >=
1035 service->n_intro_points_wanted));
1036 int severity = min_severity;
1038 if (exceeded_limit) {
1041 time_t intro_period_elapsed = time(NULL) - service->intro_period_started;
1042 tor_assert_nonfatal(intro_period_elapsed >= 0);
1048 "Hidden service %s %s %d intro points in the last %d seconds. "
1049 "Intro circuit launches are limited to %d per %d seconds.%s",
1050 service->service_id,
1051 exceeded_limit ?
"exceeded launch limit with" :
"launched",
1052 service->n_intro_circuits_launched,
1053 (
int)intro_period_elapsed,
1071 rend_service_descriptor_free(service->desc);
1072 service->desc = NULL;
1082 for (i = 0; i < smartlist_len(service->intro_nodes); ++i) {
1116 unsigned int have_intro = (
unsigned int)smartlist_len(d->
intro_nodes);
1117 if (have_intro != service->n_intro_points_wanted) {
1120 if (have_intro < service->n_intro_points_wanted ||
1127 log_fn(severity,
LD_REND,
"Hidden service %s wanted %d intro points, but "
1128 "descriptor was updated with %d instead.",
1129 service->service_id,
1130 service->n_intro_points_wanted, have_intro);
1141 rend_service_path(
const rend_service_t *service,
const char *file_name)
1152 rend_service_sos_poison_path(
const rend_service_t *service)
1154 return rend_service_path(service, sos_poison_fname);
1162 char *poison_fname = NULL;
1166 if (BUG(!service)) {
1174 poison_fname = rend_service_sos_poison_path(service);
1182 if (fstatus == FN_FILE || fstatus == FN_EMPTY) {
1192 rend_service_private_key_exists(
const rend_service_t *service)
1194 char *private_key_path = rend_service_path(service, private_key_fname);
1200 return private_key_status == FN_FILE;
1227 if (BUG(!s->directory)) {
1233 if (!rend_service_private_key_exists(s)) {
1239 rend_service_non_anonymous_mode_enabled(options)) {
1256 poison_new_single_onion_hidden_service_dir_impl(
const rend_service_t *service,
1260 if (BUG(!service)) {
1265 tor_assert(rend_service_non_anonymous_mode_enabled(options));
1269 char *poison_fname = NULL;
1272 log_info(
LD_REND,
"Ephemeral HS started in non-anonymous mode.");
1277 if (rend_service_private_key_exists(service)) {
1278 log_warn(
LD_BUG,
"Tried to single onion poison a service directory after "
1279 "the private key was created.");
1285 service->dir_group_readable, 0) < 0))
1288 poison_fname = rend_service_sos_poison_path(service);
1293 log_warn(
LD_FS,
"Can't read single onion poison file \"%s\"",
1298 log_debug(
LD_FS,
"Tried to re-poison a single onion poisoned file \"%s\"",
1304 log_warn(
LD_FS,
"Could not create single onion poison file %s",
1337 tor_assert(rend_service_non_anonymous_mode_enabled(options));
1345 if (BUG(!s->directory)) {
1349 if (!rend_service_private_key_exists(s)) {
1350 if (poison_new_single_onion_hidden_service_dir_impl(s, options)
1362 rend_service_key_on_disk(
const char *directory_path)
1392 const smartlist_t *s_list = rend_get_service_list(service_list);
1400 log_info(
LD_REND,
"Loading hidden-service keys from %s",
1405 } SMARTLIST_FOREACH_END(s);
1417 smartlist_add(lst, rend_service_path(s, private_key_fname));
1419 smartlist_add(lst, rend_service_path(s, client_keys_fname));
1437 } SMARTLIST_FOREACH_END(s);
1447 log_warn(
LD_BUG,
"Internal error: couldn't encode service ID.");
1451 log_warn(
LD_BUG,
"Couldn't compute hash of public key.");
1469 const rend_service_t *s,
1479 s->dir_group_readable, create) < 0) {
1490 log_warn(
LD_GENERAL,
"We are configured with "
1491 "HiddenServiceNonAnonymousMode %d, but the hidden "
1492 "service key in directory %s was created in %s mode. "
1493 "This is not allowed.",
1494 rend_service_non_anonymous_mode_enabled(options) ? 1 : 0,
1496 rend_service_non_anonymous_mode_enabled(options) ?
1497 "an anonymous" :
"a non-anonymous"
1507 if (create && rend_service_non_anonymous_mode_enabled(options)) {
1508 static int logged_warning = 0;
1511 log_warn(
LD_GENERAL,
"Failed to mark new hidden services as non-anonymous"
1516 if (!logged_warning) {
1518 log_notice(
LD_REND,
"The configured onion service directories have been "
1519 "used in single onion mode. They can not be used for "
1520 "anonymous hidden services.");
1543 fname = rend_service_path(s, private_key_fname);
1546 if (!s->private_key)
1554 fname = rend_service_path(s, hostname_fname);
1556 tor_snprintf(buf,
sizeof(buf),
"%s.onion\n", s->service_id);
1558 log_warn(
LD_CONFIG,
"Could not write onion address to hostname file.");
1562 if (s->dir_group_readable) {
1564 if (chmod(fname, 0640))
1565 log_warn(
LD_FS,
"Unable to make hidden hostname file %s group-readable.",
1571 if (s->auth_type != REND_NO_AUTH) {
1594 char *cfname = NULL;
1595 char *client_keys_str = NULL;
1596 strmap_t *parsed_clients = strmap_new();
1597 FILE *cfile, *hfile;
1598 open_file_t *open_cfile = NULL, *open_hfile = NULL;
1600 char service_id[16+1];
1604 cfname = rend_service_path(s, client_keys_fname);
1606 if (client_keys_str) {
1608 log_warn(
LD_CONFIG,
"Previously stored client_keys file could not "
1612 log_info(
LD_CONFIG,
"Parsed %d previously stored client entries.",
1613 strmap_size(parsed_clients));
1619 OPEN_FLAGS_REPLACE | O_TEXT,
1620 0600, &open_cfile))) {
1621 log_warn(
LD_CONFIG,
"Could not open client_keys file %s",
1627 OPEN_FLAGS_REPLACE | O_TEXT,
1628 0600, &open_hfile))) {
1637 strmap_get(parsed_clients, client->client_name);
1642 memcpy(client->descriptor_cookie, parsed->descriptor_cookie,
1650 (
char *) client->descriptor_cookie,
1652 log_warn(
LD_BUG,
"Could not base64-encode descriptor cookie.");
1656 if (parsed && parsed->client_key) {
1658 }
else if (s->auth_type == REND_STEALTH_AUTH) {
1662 log_warn(
LD_BUG,
"Error constructing client key");
1665 if (crypto_pk_generate_key(prkey)) {
1666 log_warn(
LD_BUG,
"Error generating client key");
1667 crypto_pk_free(prkey);
1671 log_warn(
LD_BUG,
"Generated client key seems invalid");
1672 crypto_pk_free(prkey);
1675 client->client_key = prkey;
1679 "client-name %s\ndescriptor-cookie %s\n",
1680 client->client_name, desc_cook_out);
1682 log_warn(
LD_BUG,
"Could not write client entry.");
1685 if (client->client_key) {
1686 char *client_key_out = NULL;
1688 &client_key_out, &len) != 0) {
1689 log_warn(
LD_BUG,
"Internal error: "
1690 "crypto_pk_write_private_key_to_string() failed.");
1694 log_warn(
LD_BUG,
"Internal error: couldn't encode service ID.");
1699 memwipe(client_key_out, 0, len);
1703 written =
tor_snprintf(buf + written,
sizeof(buf) - written,
1704 "client-key\n%s", client_key_out);
1705 memwipe(client_key_out, 0, len);
1708 log_warn(
LD_BUG,
"Could not write client entry.");
1712 strlcpy(service_id, s->service_id,
sizeof(service_id));
1715 if (fputs(buf, cfile) < 0) {
1716 log_warn(
LD_FS,
"Could not append client entry to file: %s",
1725 if (!encoded_cookie) {
1726 log_warn(
LD_BUG,
"Could not base64-encode descriptor cookie.");
1729 tor_snprintf(buf,
sizeof(buf),
"%s.onion %s # client: %s\n",
1730 service_id, encoded_cookie, client->client_name);
1731 memwipe(encoded_cookie, 0, strlen(encoded_cookie));
1734 if (fputs(buf, hfile)<0) {
1735 log_warn(
LD_FS,
"Could not append host entry to file: %s",
1739 } SMARTLIST_FOREACH_END(client);
1752 if (client_keys_str) {
1753 memwipe(client_keys_str, 0, strlen(client_keys_str));
1759 memwipe(cfname, 0, strlen(cfname));
1765 memwipe(desc_cook_out, 0,
sizeof(desc_cook_out));
1766 memwipe(service_id, 0,
sizeof(service_id));
1774 static rend_service_t *
1786 static struct rend_service_t *
1802 const char *descriptor_cookie,
1808 if (!service->clients) {
1809 log_warn(
LD_BUG,
"Can't check authorization for a service that has no "
1810 "authorized clients configured.");
1815 log_info(
LD_REND,
"Descriptor cookie is %lu bytes, but we expected "
1816 "%lu bytes. Dropping cell.",
1823 if (tor_memeq(client->descriptor_cookie, descriptor_cookie,
1824 REND_DESC_COOKIE_LEN)) {
1825 auth_client = client;
1831 base64_encode(descriptor_cookie_base64,
sizeof(descriptor_cookie_base64),
1833 log_info(
LD_REND,
"No authorization found for descriptor cookie '%s'! "
1835 descriptor_cookie_base64);
1840 log_info(
LD_REND,
"Client %s authorized for service %s.",
1841 auth_client->client_name, service->service_id);
1848 rend_service_use_direct_connection(
const or_options_t* options,
1857 return (rend_service_allow_non_anonymous_connection(options) &&
1859 FIREWALL_OR_CONNECTION, 0, 0));
1864 rend_service_use_direct_connection_node(
const or_options_t* options,
1869 return (rend_service_allow_non_anonymous_connection(options) &&
1882 const uint8_t *request,
1886 int status = 0, result;
1888 char *err_msg = NULL;
1890 const char *stage_descr = NULL, *rend_pk_digest;
1891 int reason = END_CIRC_REASON_TORPROTOCOL;
1894 rend_service_t *service = NULL;
1903 char keys[
DIGEST_LEN+CPATH_KEY_MATERIAL_LEN];
1909 int circ_needs_uptime;
1910 time_t now = time(NULL);
1918 "Got an INTRODUCE2 over a non-introduction circuit %u.",
1923 assert_circ_anonymity_ok(circuit, options);
1936 "Internal error: Got an INTRODUCE2 cell on an intro "
1937 "circ for an unrecognized service %s.",
1943 if (intro_point == NULL) {
1945 if (intro_point == NULL) {
1947 "Internal error: Got an INTRODUCE2 cell on an "
1948 "intro circ (for service %s) with no corresponding "
1949 "rend_intro_point_t.",
1955 log_info(
LD_REND,
"Received INTRODUCE2 cell for service %s on circ %u.",
1959 intro_key = circuit->intro_key;
1964 stage_descr =
"early parsing";
1970 }
else if (err_msg) {
1971 log_info(
LD_REND,
"%s on circ %u.", err_msg,
1977 if (!service->accepted_intro_dh_parts) {
1978 service->accepted_intro_dh_parts =
1991 parsed_req->ciphertext, MIN(parsed_req->ciphertext_len, keylen),
1996 "Possible replay detected! We received an "
1997 "INTRODUCE2 cell with same PK-encrypted part %d "
1998 "seconds ago. Dropping cell.",
2003 stage_descr =
"decryption";
2008 }
else if (err_msg) {
2009 log_info(
LD_REND,
"%s on circ %u.", err_msg,
2014 stage_descr =
"late parsing";
2019 }
else if (err_msg) {
2020 log_info(
LD_REND,
"%s on circ %u.", err_msg,
2025 stage_descr =
"late validation";
2030 }
else if (err_msg) {
2031 log_info(
LD_REND,
"%s on circ %u.", err_msg,
2043 err_msg_severity = LOG_PROTOCOL_WARN;
2050 log_warn(
LD_REND,
"Client asked to rendezvous at a relay that we "
2051 "exclude, and StrictNodes is set. Refusing service.");
2052 reason = END_CIRC_REASON_INTERNAL;
2056 base16_encode(hexcookie, 9, (
const char *)(parsed_req->rc), 4);
2061 service->accepted_intro_dh_parts,
2073 log_info(
LD_REND,
"We received an "
2074 "INTRODUCE2 cell with same first part of "
2075 "Diffie-Hellman handshake %d seconds ago. Dropping "
2082 if (service->clients) {
2083 if (parsed_req->version == 3 && parsed_req->u.v3.auth_len > 0) {
2085 (
const char*)parsed_req->u.v3.auth_data,
2086 parsed_req->u.v3.auth_len)) {
2087 log_info(
LD_REND,
"Authorization data in INTRODUCE2 cell are valid.");
2089 log_info(
LD_REND,
"The authorization data that are contained in "
2090 "the INTRODUCE2 cell are invalid. Dropping cell.");
2091 reason = END_CIRC_REASON_CONNECTFAILED;
2095 log_info(
LD_REND,
"INTRODUCE2 cell does not contain authentication "
2096 "data, but we require client authorization. Dropping cell.");
2097 reason = END_CIRC_REASON_CONNECTFAILED;
2105 log_warn(
LD_BUG,
"Internal error: couldn't build DH state "
2106 "or generate public key.");
2107 reason = END_CIRC_REASON_INTERNAL;
2111 (
char *)(parsed_req->dh),
2114 log_warn(
LD_BUG,
"Internal error: couldn't complete DH handshake");
2115 reason = END_CIRC_REASON_INTERNAL;
2127 for (i=0;i<max_rend_failures;i++) {
2136 if (rend_service_use_direct_connection(options, rp) && i == 0) {
2146 log_warn(
LD_REND,
"Giving up launching first hop of circuit to rendezvous "
2147 "point %s for service %s.",
2150 reason = END_CIRC_REASON_CONNECTFAILED;
2154 "Accepted intro; launching circuit to %s "
2155 "(cookie %s) for service %s.",
2157 hexcookie, serviceid);
2163 parsed_req->rc, service->auth_type);
2171 cpath->magic = CRYPT_PATH_MAGIC;
2188 "unknown %s error for INTRODUCE2", stage_descr);
2190 err_msg = tor_strdup(
"unknown error for INTRODUCE2");
2198 if (dh) crypto_dh_free(dh);
2200 circuit_mark_for_close(
TO_CIRCUIT(launched), reason);
2205 memwipe(keys, 0,
sizeof(keys));
2207 memwipe(serviceid, 0,
sizeof(serviceid));
2208 memwipe(hexcookie, 0,
sizeof(hexcookie));
2211 rend_service_free_intro(parsed_req);
2214 extend_info_free(rp);
2227 char *err_msg = NULL;
2228 const char *rp_nickname = NULL;
2229 const node_t *node = NULL;
2233 err_msg = tor_strdup(
"Bad parameters to find_rp_for_intro()");
2238 if (intro->version == 0 || intro->version == 1) {
2239 rp_nickname = (
const char *)(intro->u.v0_v1.rp);
2245 "Couldn't find router %s named in INTRODUCE2 cell",
2253 const int allow_direct = rend_service_allow_non_anonymous_connection(
2259 "Couldn't build extend_info_t for router %s named "
2260 "in INTRODUCE2 cell",
2266 }
else if (intro->version == 2) {
2268 }
else if (intro->version == 3) {
2273 "Unknown version %d in INTRODUCE2 cell",
2274 (
int)(intro->version));
2291 "Relay IP in INTRODUCE2 cell is private address.");
2293 extend_info_free(rp);
2301 *err_msg_out = err_msg;
2321 request->ciphertext_len = 0;
2324 if (request->plaintext) {
2326 memwipe(request->plaintext, 0, request->plaintext_len);
2328 request->plaintext_len = 0;
2332 if (request->parsed) {
2333 switch (request->version) {
2342 extend_info_free(request->u.v2.extend_info);
2343 request->u.v2.extend_info = NULL;
2346 if (request->u.v3.auth_data) {
2347 memwipe(request->u.v3.auth_data, 0, request->u.v3.auth_len);
2351 extend_info_free(request->u.v3.extend_info);
2352 request->u.v3.extend_info = NULL;
2356 "rend_service_free_intro() saw unknown protocol "
2363 memwipe(request, 0,
sizeof(*request));
2388 char *err_msg = NULL;
2390 if (!request || request_len <= 0)
goto err;
2391 if (!(type == 1 || type == 2))
goto err;
2401 "got a truncated INTRODUCE%d cell",
2408 rv = tor_malloc_zero(
sizeof(*rv));
2417 rv->ciphertext = tor_malloc(request_len -
DIGEST_LEN);
2419 rv->ciphertext_len = request_len -
DIGEST_LEN;
2424 rend_service_free_intro(rv);
2427 if (err_msg_out && !err_msg) {
2429 "unknown INTRODUCE%d error",
2434 if (err_msg_out) *err_msg_out = err_msg;
2448 size_t plaintext_len,
2451 const char *rp_nickname, *endptr;
2452 size_t nickname_field_len, ver_specific_len;
2454 if (intro->version == 1) {
2456 rp_nickname = ((
const char *)buf) + 1;
2458 }
else if (intro->version == 0) {
2460 rp_nickname = (
const char *)buf;
2465 "rend_service_parse_intro_for_v0_or_v1() called with "
2466 "bad version %d on INTRODUCE%d cell (this is a bug)",
2468 (
int)(intro->type));
2472 if (plaintext_len < ver_specific_len) {
2475 "short plaintext of encrypted part in v1 INTRODUCE%d "
2476 "cell (%lu bytes, needed %lu)",
2478 (
unsigned long)plaintext_len,
2479 (
unsigned long)ver_specific_len);
2483 endptr = memchr(rp_nickname, 0, nickname_field_len);
2484 if (!endptr || endptr == rp_nickname) {
2487 "couldn't find a nul-padded nickname in "
2489 (
int)(intro->type));
2494 if ((intro->version == 0 &&
2496 (intro->version == 1 &&
2500 "bad nickname in INTRODUCE%d cell",
2501 (
int)(intro->type));
2506 memcpy(intro->u.v0_v1.rp, rp_nickname, endptr - rp_nickname + 1);
2508 return ver_specific_len;
2521 size_t plaintext_len,
2526 ssize_t ver_specific_len;
2533 if (!(intro->version == 2 ||
2534 intro->version == 3)) {
2537 "rend_service_parse_intro_for_v2() called with "
2538 "bad version %d on INTRODUCE%d cell (this is a bug)",
2540 (
int)(intro->type));
2548 "truncated plaintext of encrypted parted of "
2549 "version %d INTRODUCE%d cell",
2551 (
int)(intro->type));
2569 if (plaintext_len < 7 +
DIGEST_LEN + 2 + klen) {
2572 "truncated plaintext of encrypted parted of "
2573 "version %d INTRODUCE%d cell",
2575 (
int)(intro->type));
2586 "error decoding onion key in version %d "
2597 "invalid onion key size in version %d INTRODUCE%d cell",
2607 if (intro->version == 2) intro->u.v2.extend_info = extend_info;
2608 else intro->u.v3.extend_info = extend_info;
2610 return ver_specific_len;
2613 extend_info_free(extend_info);
2625 size_t plaintext_len,
2628 ssize_t adjust, v2_ver_specific_len, ts_offset;
2631 if (intro->version != 3) {
2634 "rend_service_parse_intro_for_v3() called with "
2635 "bad version %d on INTRODUCE%d cell (this is a bug)",
2637 (
int)(intro->type));
2646 if (plaintext_len < 4) {
2649 "truncated plaintext of encrypted parted of "
2650 "version %d INTRODUCE%d cell",
2652 (
int)(intro->type));
2667 intro->u.v3.auth_type = buf[1];
2668 if (intro->u.v3.auth_type != REND_NO_AUTH) {
2669 intro->u.v3.auth_len = ntohs(
get_uint16(buf + 2));
2670 ts_offset = 4 + intro->u.v3.auth_len;
2672 intro->u.v3.auth_len = 0;
2677 if (intro->u.v3.auth_type == REND_BASIC_AUTH ||
2678 intro->u.v3.auth_type == REND_STEALTH_AUTH) {
2682 "wrong auth data size %d for INTRODUCE%d cell, "
2684 (
int)(intro->u.v3.auth_len),
2694 if (plaintext_len < (
size_t)(ts_offset)+4) {
2697 "truncated plaintext of encrypted parted of "
2698 "version %d INTRODUCE%d cell",
2700 (
int)(intro->type));
2706 if (intro->u.v3.auth_type != REND_NO_AUTH &&
2707 intro->u.v3.auth_len > 0) {
2709 intro->u.v3.auth_data = tor_malloc(intro->u.v3.auth_len);
2714 memcpy(intro->u.v3.auth_data, buf + 4, intro->u.v3.auth_len);
2723 adjust = 3 + ts_offset;
2725 v2_ver_specific_len =
2727 buf + adjust, plaintext_len - adjust,
2731 if (v2_ver_specific_len >= 0)
return v2_ver_specific_len + adjust;
2733 else return v2_ver_specific_len;
2765 char *err_msg = NULL;
2770 int result, status = -1;
2772 if (!intro || !key) {
2775 tor_strdup(
"rend_service_decrypt_intro() called with bad "
2784 if (!(intro->ciphertext) || intro->ciphertext_len <= 0) {
2787 "rend_intro_cell_t was missing ciphertext for "
2789 (
int)(intro->type));
2800 *err_msg_out = tor_strdup(
"Couldn't compute RSA digest.");
2801 log_warn(
LD_BUG,
"Couldn't compute key digest.");
2811 "got an INTRODUCE%d cell for the wrong service (%s)",
2823 if (intro->ciphertext_len < key_len) {
2826 "got an INTRODUCE%d cell with a truncated PK-encrypted "
2828 (
int)(intro->type));
2838 key, (
char *)buf,
sizeof(buf),
2839 (
const char *)(intro->ciphertext), intro->ciphertext_len,
2844 "couldn't decrypt INTRODUCE%d cell",
2845 (
int)(intro->type));
2850 intro->plaintext_len = result;
2851 intro->plaintext = tor_malloc(intro->plaintext_len);
2852 memcpy(intro->plaintext, buf, intro->plaintext_len);
2859 if (err_msg_out && !err_msg) {
2861 "unknown INTRODUCE%d error decrypting encrypted part",
2862 intro ? (
int)(intro->type) : -1);
2866 if (err_msg_out) *err_msg_out = err_msg;
2871 memwipe(key_digest, 0,
sizeof(key_digest));
2872 memwipe(service_id, 0,
sizeof(service_id));
2887 char *err_msg = NULL;
2888 ssize_t ver_specific_len, ver_invariant_len;
2895 tor_strdup(
"rend_service_parse_intro_plaintext() called with NULL "
2896 "rend_intro_cell_t");
2904 if (!(intro->plaintext) || intro->plaintext_len <= 0) {
2906 err_msg = tor_strdup(
"rend_intro_cell_t was missing plaintext");
2913 version = intro->plaintext[0];
2916 if (version > 3) version = 0;
2919 intro->version = version;
2924 intro->plaintext, intro->plaintext_len,
2926 if (ver_specific_len < 0) {
2935 ver_invariant_len = intro->plaintext_len - ver_specific_len;
2938 "decrypted plaintext of INTRODUCE%d cell was truncated (%ld bytes)",
2940 (
long)(intro->plaintext_len));
2945 "decrypted plaintext of INTRODUCE%d cell was too long (%ld bytes)",
2947 (
long)(intro->plaintext_len));
2952 intro->plaintext + ver_specific_len,
2966 if (err_msg_out && !err_msg) {
2968 "unknown INTRODUCE%d error parsing encrypted part",
2969 intro ? (
int)(intro->type) : -1);
2973 if (err_msg_out) *err_msg_out = err_msg;
2997 tor_strdup(
"NULL intro cell passed to "
2998 "rend_service_validate_intro_late()");
3004 if (intro->version == 3 && intro->parsed) {
3005 if (!(intro->u.v3.auth_type == REND_NO_AUTH ||
3006 intro->u.v3.auth_type == REND_BASIC_AUTH ||
3007 intro->u.v3.auth_type == REND_STEALTH_AUTH)) {
3011 "unknown authorization type %d",
3012 intro->u.v3.auth_type);
3028 const char *rend_pk_digest;
3029 rend_service_t *service = NULL;
3038 log_info(
LD_REND,
"Skipping relaunch of circ that failed on its first hop. "
3039 "Initiator will retry.");
3043 log_info(
LD_REND,
"Reattempting rendezvous circuit to '%s'",
3055 log_warn(
LD_BUG,
"Internal error: Trying to relaunch a rendezvous circ "
3056 "for an unrecognized service %s.",
3057 safe_str_client(serviceid));
3073 log_warn(
LD_REND,
"Couldn't relaunch rendezvous circuit to '%s'.",
3108 if (rend_service_allow_non_anonymous_connection(options) &&
3124 if (rend_service_use_direct_connection_node(options, node)) {
3126 if (BUG(!direct_ei)) {
3133 launch_ei = direct_ei;
3145 "Launching circuit to introduction point %s%s%s for service %s",
3147 direct_ei ?
" via direct address " :
"",
3149 service->service_id);
3153 ++service->n_intro_circuits_launched;
3159 "Can't launch circuit to establish introduction at %s%s%s.",
3161 direct_ei ?
" via direct address " :
"",
3164 extend_info_free(direct_ei);
3174 service->pk_digest, NULL,
3175 service->auth_type);
3179 extend_info_free(direct_ei);
3188 unsigned int num = 0;
3203 unsigned int num_ipos = 0;
3205 if (!circ->marked_for_close &&
3211 rend_circuit_pk_digest_eq(oc, (uint8_t *) service->pk_digest)) {
3216 SMARTLIST_FOREACH_END(circ);
3227 rend_service_encode_establish_intro_cell(
char *cell_body_out,
3228 size_t cell_body_out_len,
3230 const char *rend_circ_nonce)
3244 log_warn(
LD_BUG,
"Internal error; failed to establish intro point.");
3248 set_uint16(cell_body_out, htons((uint16_t)len));
3256 cell_body_out_len - len,
3257 cell_body_out, len);
3259 log_warn(
LD_BUG,
"Internal error: couldn't sign introduction request.");
3267 memwipe(auth, 0,
sizeof(auth));
3278 rend_service_t *service;
3281 unsigned int expiring_nodes_len, num_ip_circuits, valid_ip_circuits = 0;
3282 int reason = END_CIRC_REASON_TORPROTOCOL;
3283 const char *rend_pk_digest;
3297 log_warn(
LD_REND,
"Unrecognized service ID %s on introduction circuit %u.",
3298 safe_str_client(serviceid), (
unsigned)circuit->base_.
n_circ_id);
3299 reason = END_CIRC_REASON_NOSUCHSERVICE;
3305 expiring_nodes_len = (
unsigned int) smartlist_len(service->expiring_nodes);
3310 if (num_ip_circuits > expiring_nodes_len) {
3311 valid_ip_circuits = num_ip_circuits - expiring_nodes_len;
3318 if (valid_ip_circuits > service->n_intro_points_wanted) {
3323 if (intro != NULL) {
3325 rend_intro_point_free(intro);
3332 log_info(
LD_CIRC|
LD_REND,
"We have just finished an introduction "
3333 "circuit, but we already have enough. Closing it.");
3334 reason = END_CIRC_REASON_NONE;
3338 log_info(
LD_CIRC|
LD_REND,
"We have just finished an introduction "
3339 "circuit, but we already have enough. Redefining purpose to "
3340 "general; leaving as internal.");
3355 circuit->intro_key = NULL;
3356 crypto_pk_free(intro_key);
3365 "Established circuit %u as introduction point for service %s",
3366 (
unsigned)circuit->base_.
n_circ_id, serviceid);
3372 len = rend_service_encode_establish_intro_cell(buf,
sizeof(buf),
3376 reason = END_CIRC_REASON_INTERNAL;
3380 if (relay_send_command_from_edge(0,
TO_CIRCUIT(circuit),
3381 RELAY_COMMAND_ESTABLISH_INTRO,
3384 "Couldn't send introduction request for service %s on circuit %u",
3385 serviceid, (
unsigned)circuit->base_.
n_circ_id);
3396 circuit_mark_for_close(
TO_CIRCUIT(circuit), reason);
3399 memwipe(serviceid, 0,
sizeof(serviceid));
3409 const uint8_t *request,
3412 rend_service_t *service;
3419 const char *rend_pk_digest =
3424 "received INTRO_ESTABLISHED cell on non-intro circuit.");
3429 log_warn(
LD_REND,
"Unknown service on introduction circuit %u.",
3438 if (intro == NULL) {
3440 "Introduction circuit established without a rend_intro_point_t "
3441 "object for service %s on circuit %u",
3442 safe_str_client(serviceid), (
unsigned)circuit->base_.
n_circ_id);
3448 service->desc_is_dirty = time(NULL);
3452 "Received INTRO_ESTABLISHED cell on circuit %u for service %s",
3453 (
unsigned)circuit->base_.
n_circ_id, serviceid);
3461 circuit_mark_for_close(
TO_CIRCUIT(circuit), END_CIRC_REASON_TORPROTOCOL);
3471 rend_service_t *service;
3477 const char *rend_cookie, *rend_pk_digest;
3505 "Done building circuit %u to rendezvous with "
3506 "cookie %s for service %s",
3507 (
unsigned)circuit->base_.
n_circ_id, hexcookie, serviceid);
3518 log_info(
LD_REND,
"Another rend circ has already reached this rend point; "
3519 "closing this rend circ.");
3520 reason = END_CIRC_REASON_NONE;
3533 log_warn(
LD_GENERAL,
"Internal error: unrecognized service ID on "
3534 "rendezvous circuit.");
3535 reason = END_CIRC_REASON_INTERNAL;
3543 log_warn(
LD_GENERAL,
"Couldn't get DH public key.");
3544 reason = END_CIRC_REASON_INTERNAL;
3551 if (relay_send_command_from_edge(0,
TO_CIRCUIT(circuit),
3552 RELAY_COMMAND_RENDEZVOUS1,
3555 log_warn(
LD_GENERAL,
"Couldn't send RENDEZVOUS1 cell.");
3563 hop->
state = CPATH_STATE_OPEN;
3579 circuit_mark_for_close(
TO_CIRCUIT(circuit), reason);
3582 memwipe(serviceid, 0,
sizeof(serviceid));
3583 memwipe(hexcookie, 0,
sizeof(hexcookie));
3614 (uint8_t *) pk_digest,
3648 const char *serviceid;
3649 rend_service_t *service = NULL;
3662 if (service == NULL)
return NULL;
3681 const char *service_id,
int seconds_valid)
3683 int i, j, failed_upload = 0;
3687 for (i = 0; i < smartlist_len(descs); i++) {
3691 if (hs_dirs && smartlist_len(hs_dirs) > 0) {
3697 log_warn(
LD_REND,
"Could not determine the responsible hidden service "
3698 "directories to post descriptors to.");
3705 for (j = 0; j < smartlist_len(responsible_dirs); j++) {
3710 hs_dir = smartlist_get(responsible_dirs, j);
3717 log_info(
LD_REND,
"Not launching upload for for v2 descriptor to "
3718 "hidden service directory %s; we don't have its "
3719 "router descriptor. Queuing for later upload.",
3738 directory_request_free(req);
3740 rend_data_free(rend_data);
3745 log_info(
LD_REND,
"Launching upload for v2 descriptor for "
3746 "service '%s' with descriptor ID '%s' with validity "
3747 "of %d seconds to hidden service directory '%s' on "
3749 safe_str_client(service_id),
3750 safe_str_client(desc_id_base32),
3760 desc_id_base32, NULL);
3768 if (!failed_upload) {
3782 char *hsdir_id = tor_memdup(c, DIGEST_LEN);
3783 smartlist_add(renddesc->successful_uploads, hsdir_id);
3788 smartlist_free(responsible_dirs);
3789 smartlist_free(successful_uploads);
3798 time_t now = time(NULL);
3807 int seconds_valid, i, j, num_descs;
3813 num_descs = service->auth_type == REND_STEALTH_AUTH ?
3814 smartlist_len(service->clients) : 1;
3815 for (j = 0; j < num_descs; j++) {
3819 switch (service->auth_type) {
3823 case REND_BASIC_AUTH:
3827 case REND_STEALTH_AUTH:
3828 client = smartlist_get(service->clients, j);
3829 client_key = client->client_key;
3839 if (seconds_valid < 0) {
3840 log_warn(
LD_BUG,
"Internal error: couldn't encode service "
3841 "descriptor; not uploading.");
3842 smartlist_free(descs);
3843 smartlist_free(client_cookies);
3852 log_info(
LD_REND,
"Launching upload for hidden service %s",
3858 for (i = 0; i < smartlist_len(descs); i++)
3864 service->next_upload_time = now + rendpostperiod;
3866 service->next_upload_time = now + seconds_valid + 1;
3868 service->next_upload_time = now + seconds_valid -
3877 if (seconds_valid < 0) {
3878 log_warn(
LD_BUG,
"Internal error: couldn't encode service "
3879 "descriptor; not uploading.");
3880 smartlist_free(descs);
3881 smartlist_free(client_cookies);
3889 for (i = 0; i < smartlist_len(descs); i++)
3894 smartlist_free(descs);
3895 smartlist_free(client_cookies);
3898 log_info(
LD_REND,
"Successfully uploaded v2 rend descriptors!");
3900 log_info(
LD_REND,
"Successfully stored created v2 rend descriptors!");
3906 service->next_upload_time = now + 60;
3909 service->desc_is_dirty = 0;
3943 int intro_point_lifetime_seconds =
3987 rend_intro_point_free(intro);
3988 } SMARTLIST_FOREACH_END(intro);
4001 if (node && exclude_nodes) {
4007 if (intro_circ == NULL) {
4008 log_info(
LD_REND,
"Attempting to retry on %s as intro point for %s"
4009 " (circuit disappeared).",
4011 safe_str_client(service->service_id));
4014 intro->circuit_established = 0;
4020 rend_intro_point_free(intro);
4042 log_info(
LD_REND,
"Expiring %s as intro point for %s.",
4044 safe_str_client(service->service_id));
4053 intro->circuit_established = 0;
4055 } SMARTLIST_FOREACH_END(intro);
4064 rend_service_t *service;
4065 const char *onion_address;
4072 if (service == NULL) {
4080 if (intro_circ != NULL) {
4081 circuit_mark_for_close(
TO_CIRCUIT(intro_circ),
4082 END_CIRC_REASON_FINISHED);
4085 rend_intro_point_free(intro);
4086 } SMARTLIST_FOREACH_END(intro);
4120 const int allow_direct = rend_service_allow_non_anonymous_connection(
4139 unsigned int n_intro_points_to_open;
4142 unsigned int intro_nodes_len;
4160 service->intro_period_started = now;
4161 service->n_intro_circuits_launched = 0;
4162 }
else if (service->n_intro_circuits_launched >=
4164 service->n_intro_points_wanted)) {
4175 log_warn(
LD_REND,
"Error launching circuit to node %s for service %s.",
4177 safe_str_client(service->service_id));
4181 rend_intro_point_free(intro);
4184 intro->circuit_retries++;
4185 } SMARTLIST_FOREACH_END(intro);
4188 intro_nodes_len = (
unsigned int) smartlist_len(service->intro_nodes);
4194 if (intro_nodes_len >= service->n_intro_points_wanted) {
4201 n_intro_points_to_open = service->n_intro_points_wanted - intro_nodes_len;
4202 if (intro_nodes_len == 0) {
4216 for (i = 0; i < (int) n_intro_points_to_open; i++) {
4221 direct_flags |= CRN_PREF_ADDR;
4222 direct_flags |= CRN_DIRECT_CONN;
4226 allow_direct ? direct_flags : flags);
4229 if (allow_direct && !node) {
4231 "Unable to find an intro point that we can connect to "
4232 "directly for %s, falling back to a 3-hop path.",
4233 safe_str_client(service->service_id));
4240 "We only have %d introduction points established for %s; "
4242 smartlist_len(service->intro_nodes),
4243 safe_str_client(service->service_id),
4244 n_intro_points_to_open);
4260 const int fail = crypto_pk_generate_key(intro->
intro_key);
4266 INTRO_POINT_MAX_LIFETIME_INTRODUCTIONS);
4268 log_info(
LD_REND,
"Picked router %s as an intro point for %s.",
4270 safe_str_client(service->service_id));
4274 log_warn(
LD_REND,
"Error launching circuit to node %s for service %s.",
4276 safe_str_client(service->service_id));
4282 } SMARTLIST_FOREACH_END(service);
4283 smartlist_free(exclude_nodes);
4284 smartlist_free(retry_nodes);
4287 #define MIN_REND_INITIAL_POST_DELAY (30)
4288 #define MIN_REND_INITIAL_POST_DELAY_TESTING (5)
4302 rend_service_t *service;
4306 MIN_REND_INITIAL_POST_DELAY_TESTING :
4307 MIN_REND_INITIAL_POST_DELAY);
4311 if (!service->next_upload_time) {
4314 service->next_upload_time =
4319 if (rend_service_reveal_startup_time(options)) {
4320 service->next_upload_time = now + rendinitialpostdelay;
4324 unsigned int intro_points_ready =
4326 service->n_intro_points_wanted;
4327 if (intro_points_ready &&
4328 (service->next_upload_time < now ||
4329 (service->desc_is_dirty &&
4330 service->desc_is_dirty < now-rendinitialpostdelay))) {
4361 rend_service_t *service;
4372 if (service->desc && !service->desc->all_uploads_performed) {
4386 rend_service_t *service;
4388 const char *safe_name;
4395 for (
int j = 0; j < smartlist_len(service->intro_nodes); ++j) {
4396 intro = smartlist_get(service->intro_nodes, j);
4421 rend_service_t *service;
4423 const char *rend_pk_digest;
4427 log_debug(
LD_REND,
"beginning to hunt for addr/port");
4433 log_warn(
LD_REND,
"Couldn't find any service associated with pk %s on "
4434 "rendezvous circuit %u; closing.",
4435 serviceid, (
unsigned)circ->base_.
n_circ_id);
4438 if (service->max_streams_per_circuit > 0) {
4441 #define MAX_STREAM_WARN_INTERVAL 600
4442 static struct ratelim_t stream_ratelim =
4443 RATELIM_INIT(MAX_STREAM_WARN_INTERVAL);
4446 "Maximum streams per circuit limit reached on rendezvous "
4447 "circuit %u; %s. Circuit has %d out of %d streams.",
4449 service->max_streams_close_circuit ?
4451 "ignoring open stream request",
4453 service->max_streams_per_circuit);
4454 return service->max_streams_close_circuit ? -2 : -1;
4464 "No virtual port mapping exists for port %d on service %s",
4465 conn->base_.
port, serviceid);
4467 if (service->allow_unknown_ports)
4476 rend_service_non_anonymous_mode_consistent(
const or_options_t *options)
4480 !! options->HiddenServiceNonAnonymousMode);
4489 rend_service_allow_non_anonymous_connection(
const or_options_t *options)
4491 tor_assert(rend_service_non_anonymous_mode_consistent(options));
4503 rend_service_reveal_startup_time(
const or_options_t *options)
4505 tor_assert(rend_service_non_anonymous_mode_consistent(options));
4506 return rend_service_non_anonymous_mode_enabled(options);
4515 rend_service_non_anonymous_mode_enabled(
const or_options_t *options)
4517 tor_assert(rend_service_non_anonymous_mode_consistent(options));
4518 return options->HiddenServiceNonAnonymousMode ? 1 : 0;
4521 #ifdef TOR_UNIT_TESTS
4530 set_rend_rend_service_staging_list(
smartlist_t *new_list)