Commit Graph

513 Commits

Author SHA1 Message Date
David Goulet
5fa280f7ad Fix comments in rendservice.c
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-07-09 12:02:12 -04:00
David Goulet
7657194d77 Count intro circuit and not only established ones
When cleaning up extra circuits that we've opened for performance reason, we
need to count all the introduction circuit and not only the established ones
else we can end up with too many introduction points.

This also adds the check for expiring nodes when serving an INTRODUCE cell
since it's possible old clients are still using them before we have time to
close them.

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-07-09 12:02:12 -04:00
David Goulet
d67bf8b2f2 Upload descriptor when all intro points are ready
To upload a HS descriptor, this commits makes it that we wait for all
introduction point to be fully established.

Else, the HS ends up uploading a descriptor that may contain intro points
that are not yet "valid" meaning not yet established or proven to work. It
could also trigger three uploads for the *same* descriptor if every intro
points takes more than 30 seconds to establish because of desc_is_dirty
being set at each intro established.

To achieve that, n_intro_points_established varialbe is added to the
rend_service_t object that is incremented when we established introduction
point and decremented when we remove a valid intro point from our list.

The condition to upload a descriptor also changes to test if all intro
points are ready by making sure we have equal or more wanted intro points
that are ready.

The desc_id_dirty flag is kept to be able to still use the
RendInitialPostPeriod option.

This partially fixes #13483.

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-07-09 12:02:11 -04:00
David Goulet
1125a4876b Reuse intro points that failed but are still valid
There is a case where if the introduction circuit fails but the node is
still in the consensus, we clean up the intro point and choose an other one.
This commit fixes that by trying to reuse the existing intro point with a
maximum value of retry.

A retry_nodes list is added to rend_services_introduce() and when we remove
an invalid intro points that fits the use case mentionned before, we add the
node to the retry list instead of removing it. Then, we retry on them before
creating new ones.

This means that the requirement to remove an intro point changes from "if no
intro circuit" to "if no intro circuit then if no node OR we've reached our
maximum circuit creation count".

For now, the maximum retries is set to 3 which it completely arbitrary. It
should also at some point be tied to the work done on detecting if our
network is down or not.

Fixes #8239

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-07-09 12:02:11 -04:00
David Goulet
7c7bb8b97e Refactor rend_services_introduce()
The reasoning for refactoring this function is that removing the
introduction point adaptative algorithm (#4862) ended up changing quite a
bit rend_services_introduce(). Also, to fix some open issues (#8239, #8864
and #13483), this work had to be done.

First, this removes time_expiring variable in an intro point object and
INTRO_POINT_EXPIRATION_GRACE_PERIOD trickery and use an expiring_nodes list
where intro nodes that should expire are moved to that list and cleaned up
only once the new descriptor is successfully uploaded. The previous scheme
was adding complexity and arbitrary timing to when we expire an intro point.
We keep the intro points until we are sure that the new descriptor is
uploaded and thus ready to be used by clients. For this,
rend_service_desc_has_uploaded() is added to notify the HS subsystem that
the descriptor has been successfully uploaded. The purpose of this function
is to cleanup the expiring nodes and circuits if any.

Secondly, this adds the remove_invalid_intro_points() function in order to
split up rend_services_introduce() a bit with an extra modification to it
that fixes #8864. We do NOT close the circuit nor delete the intro point if
the circuit is still alive but the node was removed from the consensus. Due
to possible information leak, we let the circuit and intro point object
expire instead.

Finally, the whole code flow is simplified and large amount of documentation
has been added to mostly explain the why of things in there.

Fixes #8864

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-07-09 12:02:11 -04:00
David Goulet
adc04580f8 Add the torrc option HiddenServiceNumIntroductionPoints
This is a way to specify the amount of introduction points an hidden service
can have. Maximum value is 10 and the default is 3.

Fixes #4862

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-06-29 11:12:31 -04:00
David Goulet
8dcbdf58a7 Remove intro points adaptative algorithm
Partially fixes #4862

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-06-29 11:12:31 -04:00
David Goulet
a5b5d4bd2e Extend intro point to a 4th hop on cannibalization
Fixes #16260

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-06-17 09:32:26 -04:00
Andrea Shepard
0e0b65db4f Appease make check-spaces 2015-06-01 12:59:14 +00:00
Nick Mathewson
5dce1829bf Avoid double-free on rend_add_service() failure
Rend_add_service() frees its argument on failure; no need to free again.

Fixes bug 16228, bugfix on 0.2.7.1-alpha

Found by coverity; this is CID 1301387.
2015-05-28 13:23:09 -04:00
Yawning Angel
712bf06978 Add support for 'HiddenServiceMaxStream' to 'ADD_ONION'.
Done as a separate commit to ease backporting the tunables to 0.2.6.x.
2015-05-20 17:41:27 +00:00
Yawning Angel
db7bde08be Add "HiddenServiceMaxStreams" as a per-HS tunable.
When set, this limits the maximum number of simultaneous streams per
rendezvous circuit on the server side of a HS, with further RELAY_BEGIN
cells being silently ignored.

This can be modified via "HiddenServiceMaxStreamsCloseCircuit", which
if set will cause offending rendezvous circuits to be torn down instead.

Addresses part of #16052.
2015-05-20 17:33:59 +00:00
John Brooks
6f9e90101e Fix crash on HUP with mixed ephemeral services
Ephemeral services will be listed in rend_services_list at the end of
rend_config_services, so it must check whether directory is non-NULL
before comparing.

This crash happens when reloading config on a tor with mixed configured
and ephemeral services.

Fixes bug #16060. Bugfix on 0.2.7.1-alpha.
2015-05-16 20:01:38 -06:00
David Goulet
6346d73b8e Fix rend_config_services() indentation
Not sure what happened but whitespace gone wild! :)

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-05-14 10:27:04 -04:00
David Goulet
b6e7b57d9a Use safe_str_client() for service ID in log
Scrub the service ID in a warning log.

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-05-14 10:26:57 -04:00
Nick Mathewson
b0ea36d779 Merge remote-tracking branch 'public/bug15821_025' 2015-05-05 15:06:57 -04:00
John Brooks
2b27ce52d2 Fix out-of-bounds read in INTRODUCE2 client auth
The length of auth_data from an INTRODUCE2 cell is checked when the
auth_type is recognized (1 or 2), but not for any other non-zero
auth_type. Later, auth_data is assumed to have at least
REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds
read.

Fixed by checking auth_len before comparing the descriptor cookie
against known clients.

Fixes #15823; bugfix on 0.2.1.6-alpha.
2015-05-05 15:05:32 -04:00
Donncha O'Cearbhaill
841c4aa715 Add "+HSPOST" and related "HS_DESC" event flags to the controller.
"+HSPOST" and the related event changes allow the uploading of HS
descriptors via the control port, and more comprehensive event
monitoring of HS descriptor upload status.
2015-05-04 11:41:28 -04:00
David Goulet
9a364026d3 Use rend_data_client/service_create() in code
Every callsite that use to allocate a rend_data_t object now use the
rend_data_client/service_create() function.

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-04-30 12:35:21 -04:00
Yawning Angel
915c7438a7 Add "ADD_ONION"/"DEL_ONION" and "GETINFO onions/*" to the controller.
These commands allow for the creation and management of ephemeral
Onion ("Hidden") services that are either bound to the lifetime of
the originating control connection, or optionally the lifetime of
the tor instance.

Implements #6411.
2015-04-28 10:19:08 -04:00
Nick Mathewson
647b7d37c2 Merge remote-tracking branch 'public/bug15745_027_03' 2015-04-23 09:10:35 -04:00
Yawning Angel
196499da73 Use a custom Base64 encoder with more control over the output format. 2015-04-23 09:06:58 -04:00
David Goulet
3f41318472 Add crypto_rand_int_range() and use it
Incidently, this fixes a bug where the maximum value was never used when
only using crypto_rand_int(). For instance this example below in
rendservice.c never gets to INTRO_POINT_LIFETIME_MAX_SECONDS.

  int intro_point_lifetime_seconds =
    INTRO_POINT_LIFETIME_MIN_SECONDS +
    crypto_rand_int(INTRO_POINT_LIFETIME_MAX_SECONDS -
                    INTRO_POINT_LIFETIME_MIN_SECONDS);

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-04-21 11:06:12 -04:00
David Goulet
6f6881c432 Use a random count of INTRODUCE2 for IP rotation
An introduction point is currently rotated when the amount of INTRODUCE2
cells reached a fixed value of 16384. This makes it pretty easy for an
attacker to inflate that number and observe when the IP rotates which leaks
the popularity of the HS (amount of client that passed through the IP).

This commit makes it a random count between the current value of 16384 and
two times that.

Fixes #15745

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-04-20 17:38:31 -04:00
Nick Mathewson
a201a5396e Merge remote-tracking branch 'origin/maint-0.2.6' 2015-04-06 09:26:28 -04:00
Nick Mathewson
0475552140 Merge remote-tracking branch 'origin/maint-0.2.5' into maint-0.2.6 2015-04-06 09:26:16 -04:00
Nick Mathewson
fe69a7e1d7 Merge remote-tracking branch 'origin/maint-0.2.4' into maint-0.2.5 2015-04-06 09:25:37 -04:00
Yawning Angel
49ddd92c11 Validate the RSA key size received when parsing INTRODUCE2 cells.
Fixes bug 15600; reported by skruffy
2015-04-06 09:18:17 -04:00
Nick Mathewson
24352d0d70 Merge remote-tracking branch 'origin/maint-0.2.6' 2015-04-03 09:47:57 -04:00
George Kadianakis
929a8f199b Decrease the amount of rend circ relaunches for hidden services. 2015-04-03 09:47:40 -04:00
Nick Mathewson
3a68f2f54e const-ify the new failure vars, and one old one 2015-03-13 09:41:49 -04:00
Sebastian Hahn
badc81de5b Don't init hs intro key as side effect of an assert 2015-03-12 18:59:46 +01:00
Yawning Angel
cbd26157c5 Remove tor_strclear(), and replace previous calls with memwipe(). 2015-02-17 18:53:33 +00:00
Sebastian Hahn
37d16c3cc7 Reserve enough space for rend_service_port_config_t
In #14803, Damian noticed that his Tor sometimes segfaults. Roger noted
that his valgrind gave an invalid write of size one here. Whenever we
use FLEXIBLE_ARRAY_MEMBER, we have to make sure to actually malloc a
thing that's large enough.

Fixes bug #14803, not in any released version of Tor.
2015-02-09 04:48:16 +01:00
Nick Mathewson
097286e476 Fix some unused-argument warnings 2015-01-30 14:47:56 -05:00
Nick Mathewson
bc9ade055e Fix an uninitialized-variable warning. 2015-01-30 14:46:18 -05:00
David Goulet
44e9dafb67 Fix: test -ENOENT after config_parse_unix_port()
Check for -ENOENT instead of ENOENT after the HS port is parsed.

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-01-30 14:13:27 -05:00
David Goulet
ebc59092bc Make hidden service use the config unix prefix
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-01-28 18:01:53 -05:00
Nick Mathewson
a3de2dfde6 Merge branch 'bug11485_026_v2_squashed' 2015-01-28 14:32:19 -05:00
David Goulet
fb523b543a fixup! Refactor the use of ifdef HAVE_SYS_UN_H
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-01-28 14:30:23 -05:00
Andrea Shepard
bce824a9ad Actually make connections to HSes on AF_UNIX sockets 2015-01-28 14:30:23 -05:00
Andrea Shepard
6564291601 Handle config options for AF_UNIX hidden services rendservice.c 2015-01-28 14:30:23 -05:00
Nick Mathewson
20d0b1a04e Bump a client authorization message from debug to info.
A user wants this for 14015, and it seems fairly reasonable.
2015-01-28 09:42:28 -05:00
Andrea Shepard
03d6a31716 Groundwork for AF_UNIX hidden services in rendservice.c 2015-01-27 06:22:37 +00:00
Nick Mathewson
e7e33d4b04 Merge branch 'bug14084' 2015-01-20 14:07:37 -05:00
teor
ac2f90ed00 Speed up hidden service bootstrap by reducing the initial post delay
Drop the MIN_REND_INITIAL_POST_DELAY on a testing network to 5 seconds,
but keep the default at 30 seconds.

Reduces the hidden service bootstrap to 25 seconds from around 45 seconds.
Change the default src/test/test-network.sh delay to 25 seconds.

Closes ticket 13401.
2015-01-10 22:34:29 +11:00
Nick Mathewson
276700131a Tolerate starting up with missing hidden service directory
Fixes bug 14106; bugfix on 0.2.6.2-alpha

Found by stem tests.
2015-01-05 11:39:38 -05:00
Nick Mathewson
74cd57517c New option "HiddenServiceAllowUnknownPorts"
This allows hidden services to disable the anti-scanning feature
introduced in 0.2.6.2-alpha. With this option not set, a connection
to an unlisted port closes the circuit.  With this option set, only
a RELAY_DONE cell is sent.

Closes ticket #14084.
2015-01-03 12:34:52 -05:00
Nick Mathewson
f54e54b0b4 Bump copyright dates to 2015, in case someday this matters. 2015-01-02 14:27:39 -05:00
Nick Mathewson
ac632a784c Coalesce v0 and v1 fields of rend_intro_cell_t
This saves a tiny bit of code, and makes a longstanding coverity
false positive go away.
2014-12-30 12:07:39 -05:00