commit 672620901b43ee7f895ef2a01f058eeb5dffe399 Author: David Goulet dgoulet@torproject.org Date: Mon Sep 10 15:04:22 2018 -0400
hs-v3: Silence some logging for client authorization
If a tor client gets a descriptor that it can't decrypt, chances are that the onion requires client authorization.
If a tor client is configured with client authorization for an onion but decryption fails, it means that the configured keys aren't working anymore.
In both cases, we'll log notice the former and log warn the latter and the rest of the decryption errors are now at info level.
Two log statements have been removed because they were redundant, and printing the fetched descriptor in the logs when 80% of it is encrypted was not helping.
Fixes #27550
Signed-off-by: David Goulet dgoulet@torproject.org --- src/feature/dircache/directory.c | 2 +- src/feature/hs/hs_client.c | 4 ---- src/feature/hs/hs_descriptor.c | 22 ++++++++++++++++++---- 3 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/src/feature/dircache/directory.c b/src/feature/dircache/directory.c
index de0bcdbfa..1f33f38c9 100644
--- a/src/feature/dircache/directory.c
+++ b/src/feature/dircache/directory.c
@@ -3124,7 +3124,7 @@ handle_response_fetch_hsdesc_v3(dir_connection_t *conn,
 case 200:
 /* We got something: Try storing it in the cache. */
 if (hs_cache_store_as_client(body, &conn->hs_ident->identity_pk) < 0) {
- log_warn(LD_REND, "Failed to store hidden service descriptor");
+ log_info(LD_REND, "Failed to store hidden service descriptor");
 /* Fire control port FAILED event. */
 hs_control_desc_event_failed(conn->hs_ident, conn->identity_digest,
 "BAD_DESC");
diff --git a/src/feature/hs/hs_client.c b/src/feature/hs/hs_client.c
index 6f031eb3b..7002cafae 100644
--- a/src/feature/hs/hs_client.c
+++ b/src/feature/hs/hs_client.c
@@ -1258,10 +1258,6 @@ hs_client_decode_descriptor(const char *desc_str,
 client_auht_sk, desc);
 memwipe(subcredential, 0, sizeof(subcredential));
 if (ret < 0) {
- log_warn(LD_GENERAL, "Could not parse received descriptor as client.");
- if (get_options()->SafeLogging_ == SAFELOG_SCRUB_NONE) {
- log_warn(LD_GENERAL, "%s", escaped(desc_str));
- }
 goto err;
 }
diff --git a/src/feature/hs/hs_descriptor.c b/src/feature/hs/hs_descriptor.c
index d0cdffdf1..9c85a729e 100644
--- a/src/feature/hs/hs_descriptor.c
+++ b/src/feature/hs/hs_descriptor.c
@@ -1389,7 +1389,7 @@ encrypted_data_length_is_valid(size_t len)
 /* Make sure there is enough data for the salt and the mac. The equality is
 there to ensure that there is at least one byte of encrypted data. */
 if (len <= HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN) {
- log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
+ log_info(LD_REND, "Length of descriptor's encrypted data is too small. "
 "Got %lu but minimum value is %d",
 (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
 goto err;
@@ -1540,7 +1540,7 @@ decrypt_desc_layer,(const hs_descriptor_t *desc,
 * This is a critical check that is making sure the computed MAC matches the
 * one in the descriptor. */
 if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
- log_warn(LD_REND, "Encrypted service descriptor MAC check failed");
+ log_info(LD_REND, "Encrypted service descriptor MAC check failed");
 goto err;
 }
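Review bot: The MAC mismatch in decrypt_desc_layer is now reported only at info level, so a descriptor that arrived corrupted or altered leaves no trace at the default log level, even when the failure has nothing to do with client authorization. If this function also decrypts the outer layer (its callers are not visible in the hunk), that layer's failure is not explained by a missing key and deserves to stay more visible, or the message should at least say which layer failed. As a minimum, record the reasoning next to the call, e.g. `/* Info level: on the client-auth layer a MAC failure is expected when no valid key is configured. */`. The length check in encrypted_data_length_is_valid in the previous hunk has the same trade-off. Both function bodies start and end outside their hunks.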
@@ -1662,7 +1662,6 @@ desc_decrypt_encrypted(const hs_descriptor_t *desc,
 desc->superencrypted_data.encrypted_blob_size,
 descriptor_cookie, 0, &encrypted_plaintext);
 if (!encrypted_len) {
- log_warn(LD_REND, "Decrypting encrypted desc failed.");
 goto err;
 }
 tor_assert(encrypted_plaintext);
@@ -2272,7 +2271,22 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc,
 * in the descriptor as a blob of bytes. */
 message_len = desc_decrypt_encrypted(desc, client_auth_sk, &message);
 if (!message_len) {
- log_warn(LD_REND, "Service descriptor decryption failed.");
+ /* Two possible situation here. Either we have a client authorization
+ * configured that didn't work or we do not have any configured for this
+ * onion address so likely the descriptor is for authorized client only,
+ * we are not. */
+ if (client_auth_sk) {
+ /* At warning level so the client can notice that its client
+ * authorization is failing. */
+ log_warn(LD_REND, "Client authorization for requested onion address "
+ "is invalid. Can't decrypt the descriptor.");
+ } else {
+ /* Inform at notice level that the onion address requested can't be
+ * reached without client authorization most likely. */
+ log_notice(LD_REND, "Fail to decrypt descriptor for requested onion "
+ "address. It is likely requiring client "
+ "authorization.");
+ }
 goto err;
 }
 tor_assert(message);
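Review bot: The new warning in desc_decode_encrypted_v3 asserts that the client authorization "is invalid", but the `!message_len` branch is taken for every failure of desc_decrypt_encrypted, and the previous hunk shows that function leaving through `goto err` without reporting a cause. A malformed or tampered descriptor fetched while a key is configured would therefore be reported as a key problem, which can send an operator off to replace a key that is fine. Wording that does not assert the cause is safer, for example `"Failed to decrypt descriptor with the configured client authorization; the key may be invalid."`. The notice branch should read `"Failed to decrypt ..."` rather than `"Fail to decrypt ..."`. The function body starts and ends outside the hunk.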