This is an automated email from the git hooks/post-receive script.
dgoulet pushed a commit to branch main in repository tor.
commit 8b41e09a775e882096364210317813c830160a5b Author: David Goulet dgoulet@torproject.org AuthorDate: Tue Jun 28 11:42:35 2022 -0400
hs: Client now solve PoW if present
At this commit, the tor main loop solves it. We might consider moving this to the CPU pool at some point.
Signed-off-by: David Goulet dgoulet@torproject.org --- src/core/or/origin_circuit_st.h | 6 ++++++ src/feature/hs/hs_circuit.c | 6 +++++- src/feature/hs/hs_circuit.h | 3 ++- src/feature/hs/hs_client.c | 19 ++++++++++++++++++- src/test/test_hs_service.c | 8 ++++---- 5 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/src/core/or/origin_circuit_st.h b/src/core/or/origin_circuit_st.h index c5c255bb49..fd5424c450 100644 --- a/src/core/or/origin_circuit_st.h +++ b/src/core/or/origin_circuit_st.h @@ -212,6 +212,12 @@ struct origin_circuit_t { * (in host byte order) for response comparison. */ uint32_t pathbias_probe_nonce;
+ /** Set iff this is a hidden-service circuit for a HS with PoW defenses + * enabled, so that we know to be more lenient with timing out the + * circuit-build to allow the service time to work through the queue of + * requests. */ + unsigned int hs_with_pow_circ : 1; + /** Set iff this circuit has been given a relaxed timeout because * no circuits have opened. Used to prevent spamming logs. */ unsigned int relaxed_timeout : 1; diff --git a/src/feature/hs/hs_circuit.c b/src/feature/hs/hs_circuit.c index 006ba964fe..3f8f16955f 100644 --- a/src/feature/hs/hs_circuit.c +++ b/src/feature/hs/hs_circuit.c @@ -1095,7 +1095,8 @@ int hs_circ_send_introduce1(origin_circuit_t *intro_circ, origin_circuit_t *rend_circ, const hs_desc_intro_point_t *ip, - const hs_subcredential_t *subcredential) + const hs_subcredential_t *subcredential, + const hs_pow_solution_t *pow_solution) { int ret = -1; ssize_t payload_len; @@ -1129,6 +1130,9 @@ hs_circ_send_introduce1(origin_circuit_t *intro_circ, goto close; }
+ /* Set the PoW solution if any. */ + intro1_data.pow_solution = pow_solution; + /* If the rend circ was set up for congestion control, add that to the * intro data, to signal it in an extension */ if (TO_CIRCUIT(rend_circ)->ccontrol) { diff --git a/src/feature/hs/hs_circuit.h b/src/feature/hs/hs_circuit.h index afbff7b894..3c84abaad2 100644 --- a/src/feature/hs/hs_circuit.h +++ b/src/feature/hs/hs_circuit.h @@ -55,7 +55,8 @@ int hs_circ_handle_introduce2(const hs_service_t *service, int hs_circ_send_introduce1(origin_circuit_t *intro_circ, origin_circuit_t *rend_circ, const hs_desc_intro_point_t *ip, - const struct hs_subcredential_t *subcredential); + const struct hs_subcredential_t *subcredential, + const hs_pow_solution_t *pow_solution); int hs_circ_send_establish_rendezvous(origin_circuit_t *circ);
/* e2e circuit API. */ diff --git a/src/feature/hs/hs_client.c b/src/feature/hs/hs_client.c index 7cee3480d5..e241e6218d 100644 --- a/src/feature/hs/hs_client.c +++ b/src/feature/hs/hs_client.c @@ -613,6 +613,7 @@ send_introduce1(origin_circuit_t *intro_circ, char onion_address[HS_SERVICE_ADDR_LEN_BASE32 + 1]; const ed25519_public_key_t *service_identity_pk = NULL; const hs_desc_intro_point_t *ip; + hs_pow_solution_t *pow_solution = NULL;
tor_assert(rend_circ); if (intro_circ_is_ok(intro_circ) < 0) { @@ -668,9 +669,24 @@ send_introduce1(origin_circuit_t *intro_circ, goto perm_err; }
+ /* If the descriptor contains PoW parameters then the service is + * expecting a PoW solution in the INTRODUCE cell, which we solve here. */ + if (desc->encrypted_data.pow_params) { + log_debug(LD_REND, "PoW params present in descriptor."); + pow_solution = tor_malloc_zero(sizeof(hs_pow_solution_t)); + if (hs_pow_solve(desc->encrypted_data.pow_params, pow_solution)) { + log_warn(LD_REND, "Haven't solved the PoW yet."); + goto tran_err; + } + /* Set flag to reflect that the HS we are attempting to rendezvous has PoW + * defenses enabled, and as such we will need to be more lenient with + * timing out while waiting for the circuit to be built. */ + rend_circ->hs_with_pow_circ = 1; + } + /* Send the INTRODUCE1 cell. */ if (hs_circ_send_introduce1(intro_circ, rend_circ, ip, - &desc->subcredential) < 0) { + &desc->subcredential, pow_solution) < 0) { if (TO_CIRCUIT(intro_circ)->marked_for_close) { /* If the introduction circuit was closed, we were unable to send the * cell for some reasons. In any case, the intro circuit has to be @@ -724,6 +740,7 @@ send_introduce1(origin_circuit_t *intro_circ,
end: memwipe(onion_address, 0, sizeof(onion_address)); + tor_free(pow_solution); return status; }
diff --git a/src/test/test_hs_service.c b/src/test/test_hs_service.c index 03a4800f25..4a8a758b3f 100644 --- a/src/test/test_hs_service.c +++ b/src/test/test_hs_service.c @@ -2406,7 +2406,7 @@ test_intro2_handling(void *arg) /* Create INTRODUCE1 */ tt_assert(fast_mem_is_zero(relay_payload, sizeof(relay_payload))); retval = hs_circ_send_introduce1(intro_circ, &rend_circ, - alice_ip, &x_subcred); + alice_ip, &x_subcred, NULL);
/* Check that the payload was written successfully */ tt_int_op(retval, OP_EQ, 0); @@ -2447,7 +2447,7 @@ test_intro2_handling(void *arg) /* Create INTRODUCE1 from Alice to X through Z */ memset(relay_payload, 0, sizeof(relay_payload)); retval = hs_circ_send_introduce1(intro_circ, &rend_circ, - alice_ip, &z_subcred); + alice_ip, &z_subcred, NULL);
/* Check that the payload was written successfully */ tt_int_op(retval, OP_EQ, 0); @@ -2484,7 +2484,7 @@ test_intro2_handling(void *arg) /* Create INTRODUCE1 from Alice to X using X's subcred. */ memset(relay_payload, 0, sizeof(relay_payload)); retval = hs_circ_send_introduce1(intro_circ, &rend_circ, - alice_ip, &x_subcred); + alice_ip, &x_subcred, NULL);
/* Check that the payload was written successfully */ tt_int_op(retval, OP_EQ, 0); @@ -2577,7 +2577,7 @@ test_intro2_handling(void *arg) * service!) */ memset(relay_payload, 0, sizeof(relay_payload)); retval = hs_circ_send_introduce1(intro_circ, &rend_circ, - alice_ip, &y_subcred); + alice_ip, &y_subcred, NULL); tt_int_op(retval, OP_EQ, 0);
/* Check that the payload was written successfully */