[tor-commits] [tor/master] Merge branch 'bug26627_033' into bug26627_033_merged_master

nickm at torproject.org nickm at torproject.org
Mon Jul 30 13:02:04 UTC 2018


commit fc4d08e26015e1bb271e8d9219e6f304a5375459
Merge: 9ae359754 3821081a5
Author: teor <teor at torproject.org>
Date:   Wed Jul 25 09:17:17 2018 +1000

    Merge branch 'bug26627_033' into bug26627_033_merged_master

 changes/bug26627              |  7 +++++++
 src/feature/hs/hs_circuit.c   | 20 ++++++++++++++------
 src/feature/hs/hs_service.c   | 29 ++++++++++++++++++++---------
 src/feature/hs/hs_service.h   |  5 +++--
 src/test/test_hs_cell.c       |  4 ++--
 src/test/test_hs_intropoint.c |  4 ++--
 src/test/test_hs_service.c    |  2 +-
 7 files changed, 49 insertions(+), 22 deletions(-)

diff --cc src/feature/hs/hs_circuit.c
index cd312e98b,000000000..541b165dd
mode 100644,000000..100644
--- a/src/feature/hs/hs_circuit.c
+++ b/src/feature/hs/hs_circuit.c
@@@ -1,1249 -1,0 +1,1257 @@@
 +/* Copyright (c) 2017-2018, The Tor Project, Inc. */
 +/* See LICENSE for licensing information */
 +
 +/**
 + * \file hs_circuit.c
 + **/
 +
 +#define HS_CIRCUIT_PRIVATE
 +
 +#include "core/or/or.h"
 +#include "feature/client/circpathbias.h"
 +#include "core/or/circuitbuild.h"
 +#include "core/or/circuitlist.h"
 +#include "core/or/circuituse.h"
 +#include "app/config/config.h"
 +#include "lib/crypt_ops/crypto_dh.h"
 +#include "lib/crypt_ops/crypto_rand.h"
 +#include "lib/crypt_ops/crypto_util.h"
 +#include "feature/nodelist/nodelist.h"
 +#include "core/or/policies.h"
 +#include "core/or/relay.h"
 +#include "feature/rend/rendservice.h"
 +#include "feature/stats/rephist.h"
 +#include "feature/relay/router.h"
 +
 +#include "feature/hs/hs_cell.h"
 +#include "feature/hs/hs_circuitmap.h"
 +#include "feature/hs/hs_ident.h"
 +#include "core/crypto/hs_ntor.h"
 +#include "feature/hs/hs_service.h"
 +#include "feature/hs/hs_circuit.h"
 +
 +/* Trunnel. */
 +#include "trunnel/ed25519_cert.h"
 +#include "trunnel/hs/cell_common.h"
 +#include "trunnel/hs/cell_establish_intro.h"
 +
 +#include "core/or/cpath_build_state_st.h"
 +#include "core/or/crypt_path_st.h"
 +#include "feature/nodelist/node_st.h"
 +#include "core/or/origin_circuit_st.h"
 +
 +/* A circuit is about to become an e2e rendezvous circuit. Check
 + * <b>circ_purpose</b> and ensure that it's properly set. Return true iff
 + * circuit purpose is properly set, otherwise return false. */
 +static int
 +circuit_purpose_is_correct_for_rend(unsigned int circ_purpose,
 +                                    int is_service_side)
 +{
 +  if (is_service_side) {
 +    if (circ_purpose != CIRCUIT_PURPOSE_S_CONNECT_REND) {
 +      log_warn(LD_BUG,
 +            "HS e2e circuit setup with wrong purpose (%d)", circ_purpose);
 +      return 0;
 +    }
 +  }
 +
 +  if (!is_service_side) {
 +    if (circ_purpose != CIRCUIT_PURPOSE_C_REND_READY &&
 +        circ_purpose != CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED) {
 +      log_warn(LD_BUG,
 +            "Client e2e circuit setup with wrong purpose (%d)", circ_purpose);
 +      return 0;
 +    }
 +  }
 +
 +  return 1;
 +}
 +
 +/* Create and return a crypt path for the final hop of a v3 prop224 rendezvous
 + * circuit. Initialize the crypt path crypto using the output material from the
 + * ntor key exchange at <b>ntor_key_seed</b>.
 + *
 + * If <b>is_service_side</b> is set, we are the hidden service and the final
 + * hop of the rendezvous circuit is the client on the other side. */
 +static crypt_path_t *
 +create_rend_cpath(const uint8_t *ntor_key_seed, size_t seed_len,
 +                  int is_service_side)
 +{
 +  uint8_t keys[HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN];
 +  crypt_path_t *cpath = NULL;
 +
 +  /* Do the key expansion */
 +  if (hs_ntor_circuit_key_expansion(ntor_key_seed, seed_len,
 +                                    keys, sizeof(keys)) < 0) {
 +    goto err;
 +  }
 +
 +  /* Setup the cpath */
 +  cpath = tor_malloc_zero(sizeof(crypt_path_t));
 +  cpath->magic = CRYPT_PATH_MAGIC;
 +
 +  if (circuit_init_cpath_crypto(cpath, (char*)keys, sizeof(keys),
 +                                is_service_side, 1) < 0) {
 +    tor_free(cpath);
 +    goto err;
 +  }
 +
 + err:
 +  memwipe(keys, 0, sizeof(keys));
 +  return cpath;
 +}
 +
 +/* We are a v2 legacy HS client: Create and return a crypt path for the hidden
 + * service on the other side of the rendezvous circuit <b>circ</b>. Initialize
 + * the crypt path crypto using the body of the RENDEZVOUS1 cell at
 + * <b>rend_cell_body</b> (which must be at least DH1024_KEY_LEN+DIGEST_LEN
 + * bytes).
 + */
 +static crypt_path_t *
 +create_rend_cpath_legacy(origin_circuit_t *circ, const uint8_t *rend_cell_body)
 +{
 +  crypt_path_t *hop = NULL;
 +  char keys[DIGEST_LEN+CPATH_KEY_MATERIAL_LEN];
 +
 +  /* first DH1024_KEY_LEN bytes are g^y from the service. Finish the dh
 +   * handshake...*/
 +  tor_assert(circ->build_state);
 +  tor_assert(circ->build_state->pending_final_cpath);
 +  hop = circ->build_state->pending_final_cpath;
 +
 +  tor_assert(hop->rend_dh_handshake_state);
 +  if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, hop->rend_dh_handshake_state,
 +                               (char*)rend_cell_body, DH1024_KEY_LEN,
 +                               keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
 +    log_warn(LD_GENERAL, "Couldn't complete DH handshake.");
 +    goto err;
 +  }
 +  /* ... and set up cpath. */
 +  if (circuit_init_cpath_crypto(hop,
 +                                keys+DIGEST_LEN, sizeof(keys)-DIGEST_LEN,
 +                                0, 0) < 0)
 +    goto err;
 +
 +  /* Check whether the digest is right... */
 +  if (tor_memneq(keys, rend_cell_body+DH1024_KEY_LEN, DIGEST_LEN)) {
 +    log_warn(LD_PROTOCOL, "Incorrect digest of key material.");
 +    goto err;
 +  }
 +
 +  /* clean up the crypto stuff we just made */
 +  crypto_dh_free(hop->rend_dh_handshake_state);
 +  hop->rend_dh_handshake_state = NULL;
 +
 +  goto done;
 +
 + err:
 +  hop = NULL;
 +
 + done:
 +  memwipe(keys, 0, sizeof(keys));
 +  return hop;
 +}
 +
 +/* Append the final <b>hop</b> to the cpath of the rend <b>circ</b>, and mark
 + * <b>circ</b> ready for use to transfer HS relay cells. */
 +static void
 +finalize_rend_circuit(origin_circuit_t *circ, crypt_path_t *hop,
 +                      int is_service_side)
 +{
 +  tor_assert(circ);
 +  tor_assert(hop);
 +
 +  /* Notify the circuit state machine that we are splicing this circuit */
 +  int new_circ_purpose = is_service_side ?
 +    CIRCUIT_PURPOSE_S_REND_JOINED : CIRCUIT_PURPOSE_C_REND_JOINED;
 +  circuit_change_purpose(TO_CIRCUIT(circ), new_circ_purpose);
 +
 +  /* All is well. Extend the circuit. */
 +  hop->state = CPATH_STATE_OPEN;
 +  /* Set the windows to default. */
 +  hop->package_window = circuit_initial_package_window();
 +  hop->deliver_window = CIRCWINDOW_START;
 +
 +  /* Now that this circuit has finished connecting to its destination,
 +   * make sure circuit_get_open_circ_or_launch is willing to return it
 +   * so we can actually use it. */
 +  circ->hs_circ_has_timed_out = 0;
 +
 +  /* Append the hop to the cpath of this circuit */
 +  onion_append_to_cpath(&circ->cpath, hop);
 +
 +  /* In legacy code, 'pending_final_cpath' points to the final hop we just
 +   * appended to the cpath. We set the original pointer to NULL so that we
 +   * don't double free it. */
 +  if (circ->build_state) {
 +    circ->build_state->pending_final_cpath = NULL;
 +  }
 +
 +  /* Finally, mark circuit as ready to be used for client streams */
 +  if (!is_service_side) {
 +    circuit_try_attaching_streams(circ);
 +  }
 +}
 +
 +/* For a given circuit and a service introduction point object, register the
 + * intro circuit to the circuitmap. This supports legacy intro point. */
 +static void
 +register_intro_circ(const hs_service_intro_point_t *ip,
 +                    origin_circuit_t *circ)
 +{
 +  tor_assert(ip);
 +  tor_assert(circ);
 +
 +  if (ip->base.is_only_legacy) {
 +    hs_circuitmap_register_intro_circ_v2_service_side(circ,
 +                                                      ip->legacy_key_digest);
 +  } else {
 +    hs_circuitmap_register_intro_circ_v3_service_side(circ,
 +                                         &ip->auth_key_kp.pubkey);
 +  }
 +}
 +
 +/* Return the number of opened introduction circuit for the given circuit that
 + * is matching its identity key. */
 +static unsigned int
 +count_opened_desc_intro_point_circuits(const hs_service_t *service,
 +                                       const hs_service_descriptor_t *desc)
 +{
 +  unsigned int count = 0;
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +
 +  DIGEST256MAP_FOREACH(desc->intro_points.map, key,
 +                       const hs_service_intro_point_t *, ip) {
 +    const circuit_t *circ;
 +    const origin_circuit_t *ocirc = hs_circ_service_get_intro_circ(ip);
 +    if (ocirc == NULL) {
 +      continue;
 +    }
 +    circ = TO_CIRCUIT(ocirc);
 +    tor_assert(circ->purpose == CIRCUIT_PURPOSE_S_ESTABLISH_INTRO ||
 +               circ->purpose == CIRCUIT_PURPOSE_S_INTRO);
 +    /* Having a circuit not for the requested service is really bad. */
 +    tor_assert(ed25519_pubkey_eq(&service->keys.identity_pk,
 +                                 &ocirc->hs_ident->identity_pk));
 +    /* Only count opened circuit and skip circuit that will be closed. */
 +    if (!circ->marked_for_close && circ->state == CIRCUIT_STATE_OPEN) {
 +      count++;
 +    }
 +  } DIGEST256MAP_FOREACH_END;
 +  return count;
 +}
 +
 +/* From a given service, rendezvous cookie and handshake info, create a
 + * rendezvous point circuit identifier. This can't fail. */
 +STATIC hs_ident_circuit_t *
 +create_rp_circuit_identifier(const hs_service_t *service,
 +                             const uint8_t *rendezvous_cookie,
 +                             const curve25519_public_key_t *server_pk,
 +                             const hs_ntor_rend_cell_keys_t *keys)
 +{
 +  hs_ident_circuit_t *ident;
 +  uint8_t handshake_info[CURVE25519_PUBKEY_LEN + DIGEST256_LEN];
 +
 +  tor_assert(service);
 +  tor_assert(rendezvous_cookie);
 +  tor_assert(server_pk);
 +  tor_assert(keys);
 +
 +  ident = hs_ident_circuit_new(&service->keys.identity_pk,
 +                               HS_IDENT_CIRCUIT_RENDEZVOUS);
 +  /* Copy the RENDEZVOUS_COOKIE which is the unique identifier. */
 +  memcpy(ident->rendezvous_cookie, rendezvous_cookie,
 +         sizeof(ident->rendezvous_cookie));
 +  /* Build the HANDSHAKE_INFO which looks like this:
 +   *    SERVER_PK        [32 bytes]
 +   *    AUTH_INPUT_MAC   [32 bytes]
 +   */
 +  memcpy(handshake_info, server_pk->public_key, CURVE25519_PUBKEY_LEN);
 +  memcpy(handshake_info + CURVE25519_PUBKEY_LEN, keys->rend_cell_auth_mac,
 +         DIGEST256_LEN);
 +  tor_assert(sizeof(ident->rendezvous_handshake_info) ==
 +             sizeof(handshake_info));
 +  memcpy(ident->rendezvous_handshake_info, handshake_info,
 +         sizeof(ident->rendezvous_handshake_info));
 +  /* Finally copy the NTOR_KEY_SEED for e2e encryption on the circuit. */
 +  tor_assert(sizeof(ident->rendezvous_ntor_key_seed) ==
 +             sizeof(keys->ntor_key_seed));
 +  memcpy(ident->rendezvous_ntor_key_seed, keys->ntor_key_seed,
 +         sizeof(ident->rendezvous_ntor_key_seed));
 +  return ident;
 +}
 +
 +/* From a given service and service intro point, create an introduction point
 + * circuit identifier. This can't fail. */
 +static hs_ident_circuit_t *
 +create_intro_circuit_identifier(const hs_service_t *service,
 +                                const hs_service_intro_point_t *ip)
 +{
 +  hs_ident_circuit_t *ident;
 +
 +  tor_assert(service);
 +  tor_assert(ip);
 +
 +  ident = hs_ident_circuit_new(&service->keys.identity_pk,
 +                               HS_IDENT_CIRCUIT_INTRO);
 +  ed25519_pubkey_copy(&ident->intro_auth_pk, &ip->auth_key_kp.pubkey);
 +
 +  return ident;
 +}
 +
 +/* For a given introduction point and an introduction circuit, send the
 + * ESTABLISH_INTRO cell. The service object is used for logging. This can fail
 + * and if so, the circuit is closed and the intro point object is flagged
 + * that the circuit is not established anymore which is important for the
 + * retry mechanism. */
 +static void
 +send_establish_intro(const hs_service_t *service,
 +                     hs_service_intro_point_t *ip, origin_circuit_t *circ)
 +{
 +  ssize_t cell_len;
 +  uint8_t payload[RELAY_PAYLOAD_SIZE];
 +
 +  tor_assert(service);
 +  tor_assert(ip);
 +  tor_assert(circ);
 +
 +  /* Encode establish intro cell. */
 +  cell_len = hs_cell_build_establish_intro(circ->cpath->prev->rend_circ_nonce,
 +                                           ip, payload);
 +  if (cell_len < 0) {
 +    log_warn(LD_REND, "Unable to encode ESTABLISH_INTRO cell for service %s "
 +                      "on circuit %u. Closing circuit.",
 +             safe_str_client(service->onion_address),
 +             TO_CIRCUIT(circ)->n_circ_id);
 +    goto err;
 +  }
 +
 +  /* Send the cell on the circuit. */
 +  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
 +                                   RELAY_COMMAND_ESTABLISH_INTRO,
 +                                   (char *) payload, cell_len,
 +                                   circ->cpath->prev) < 0) {
 +    log_info(LD_REND, "Unable to send ESTABLISH_INTRO cell for service %s "
 +                      "on circuit %u.",
 +             safe_str_client(service->onion_address),
 +             TO_CIRCUIT(circ)->n_circ_id);
 +    /* On error, the circuit has been closed. */
 +    goto done;
 +  }
 +
 +  /* Record the attempt to use this circuit. */
 +  pathbias_count_use_attempt(circ);
 +  goto done;
 +
 + err:
 +  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
 + done:
 +  memwipe(payload, 0, sizeof(payload));
 +}
 +
 +/* Return a string constant describing the anonymity of service. */
 +static const char *
 +get_service_anonymity_string(const hs_service_t *service)
 +{
 +  if (service->config.is_single_onion) {
 +    return "single onion";
 +  } else {
 +    return "hidden";
 +  }
 +}
 +
 +/* For a given service, the ntor onion key and a rendezvous cookie, launch a
 + * circuit to the rendezvous point specified by the link specifiers. On
 + * success, a circuit identifier is attached to the circuit with the needed
 + * data. This function will try to open a circuit for a maximum value of
 + * MAX_REND_FAILURES then it will give up. */
 +static void
 +launch_rendezvous_point_circuit(const hs_service_t *service,
 +                                const hs_service_intro_point_t *ip,
 +                                const hs_cell_introduce2_data_t *data)
 +{
 +  int circ_needs_uptime;
 +  time_t now = time(NULL);
 +  extend_info_t *info = NULL;
 +  origin_circuit_t *circ;
 +
 +  tor_assert(service);
 +  tor_assert(ip);
 +  tor_assert(data);
 +
 +  circ_needs_uptime = hs_service_requires_uptime_circ(service->config.ports);
 +
 +  /* Get the extend info data structure for the chosen rendezvous point
 +   * specified by the given link specifiers. */
 +  info = hs_get_extend_info_from_lspecs(data->link_specifiers,
 +                                        &data->onion_pk,
 +                                        service->config.is_single_onion);
 +  if (info == NULL) {
 +    /* We are done here, we can't extend to the rendezvous point.
 +     * If you're running an IPv6-only v3 single onion service on 0.3.2 or with
 +     * 0.3.2 clients, and somehow disable the option check, it will fail here.
 +     */
 +    log_fn(LOG_PROTOCOL_WARN, LD_REND,
 +           "Not enough info to open a circuit to a rendezvous point for "
 +           "%s service %s.",
 +           get_service_anonymity_string(service),
 +           safe_str_client(service->onion_address));
 +    goto end;
 +  }
 +
 +  for (int i = 0; i < MAX_REND_FAILURES; i++) {
 +    int circ_flags = CIRCLAUNCH_NEED_CAPACITY | CIRCLAUNCH_IS_INTERNAL;
 +    if (circ_needs_uptime) {
 +      circ_flags |= CIRCLAUNCH_NEED_UPTIME;
 +    }
 +    /* Firewall and policies are checked when getting the extend info. */
 +    if (service->config.is_single_onion) {
 +      circ_flags |= CIRCLAUNCH_ONEHOP_TUNNEL;
 +    }
 +
 +    circ = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_CONNECT_REND, info,
 +                                         circ_flags);
 +    if (circ != NULL) {
 +      /* Stop retrying, we have a circuit! */
 +      break;
 +    }
 +  }
 +  if (circ == NULL) {
 +    log_warn(LD_REND, "Giving up on launching a rendezvous circuit to %s "
 +                      "for %s service %s",
 +             safe_str_client(extend_info_describe(info)),
 +             get_service_anonymity_string(service),
 +             safe_str_client(service->onion_address));
 +    goto end;
 +  }
 +  log_info(LD_REND, "Rendezvous circuit launched to %s with cookie %s "
 +                    "for %s service %s",
 +           safe_str_client(extend_info_describe(info)),
 +           safe_str_client(hex_str((const char *) data->rendezvous_cookie,
 +                                   REND_COOKIE_LEN)),
 +           get_service_anonymity_string(service),
 +           safe_str_client(service->onion_address));
 +  tor_assert(circ->build_state);
 +  /* Rendezvous circuit have a specific timeout for the time spent on trying
 +   * to connect to the rendezvous point. */
 +  circ->build_state->expiry_time = now + MAX_REND_TIMEOUT;
 +
 +  /* Create circuit identifier and key material. */
 +  {
 +    hs_ntor_rend_cell_keys_t keys;
 +    curve25519_keypair_t ephemeral_kp;
 +    /* No need for extra strong, this is only for this circuit life time. This
 +     * key will be used for the RENDEZVOUS1 cell that will be sent on the
 +     * circuit once opened. */
 +    curve25519_keypair_generate(&ephemeral_kp, 0);
 +    if (hs_ntor_service_get_rendezvous1_keys(&ip->auth_key_kp.pubkey,
 +                                             &ip->enc_key_kp,
 +                                             &ephemeral_kp, &data->client_pk,
 +                                             &keys) < 0) {
 +      /* This should not really happened but just in case, don't make tor
 +       * freak out, close the circuit and move on. */
 +      log_info(LD_REND, "Unable to get RENDEZVOUS1 key material for "
 +                        "service %s",
 +               safe_str_client(service->onion_address));
 +      circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
 +      goto end;
 +    }
 +    circ->hs_ident = create_rp_circuit_identifier(service,
 +                                                  data->rendezvous_cookie,
 +                                                  &ephemeral_kp.pubkey, &keys);
 +    memwipe(&ephemeral_kp, 0, sizeof(ephemeral_kp));
 +    memwipe(&keys, 0, sizeof(keys));
 +    tor_assert(circ->hs_ident);
 +  }
 +
 + end:
 +  extend_info_free(info);
 +}
 +
 +/* Return true iff the given service rendezvous circuit circ is allowed for a
 + * relaunch to the rendezvous point. */
 +static int
 +can_relaunch_service_rendezvous_point(const origin_circuit_t *circ)
 +{
 +  tor_assert(circ);
 +  /* This is initialized when allocating an origin circuit. */
 +  tor_assert(circ->build_state);
 +  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_CONNECT_REND);
 +
 +  /* XXX: Retrying under certain condition. This is related to #22455. */
 +
 +  /* Avoid to relaunch twice a circuit to the same rendezvous point at the
 +   * same time. */
 +  if (circ->hs_service_side_rend_circ_has_been_relaunched) {
 +    log_info(LD_REND, "Rendezvous circuit to %s has already been retried. "
 +                      "Skipping retry.",
 +             safe_str_client(
 +                  extend_info_describe(circ->build_state->chosen_exit)));
 +    goto disallow;
 +  }
 +
 +  /* We check failure_count >= hs_get_service_max_rend_failures()-1 below, and
 +   * the -1 is because we increment the failure count for our current failure
 +   * *after* this clause. */
 +  int max_rend_failures = hs_get_service_max_rend_failures() - 1;
 +
 +  /* A failure count that has reached maximum allowed or circuit that expired,
 +   * we skip relaunching. */
 +  if (circ->build_state->failure_count > max_rend_failures ||
 +      circ->build_state->expiry_time <= time(NULL)) {
 +    log_info(LD_REND, "Attempt to build a rendezvous circuit to %s has "
 +                      "failed with %d attempts and expiry time %ld. "
 +                      "Giving up building.",
 +             safe_str_client(
 +                  extend_info_describe(circ->build_state->chosen_exit)),
 +             circ->build_state->failure_count,
 +             (long int) circ->build_state->expiry_time);
 +    goto disallow;
 +  }
 +
 +  /* Allowed to relaunch. */
 +  return 1;
 + disallow:
 +  return 0;
 +}
 +
 +/* Retry the rendezvous point of circ by launching a new circuit to it. */
 +static void
 +retry_service_rendezvous_point(const origin_circuit_t *circ)
 +{
 +  int flags = 0;
 +  origin_circuit_t *new_circ;
 +  cpath_build_state_t *bstate;
 +
 +  tor_assert(circ);
 +  /* This is initialized when allocating an origin circuit. */
 +  tor_assert(circ->build_state);
 +  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_CONNECT_REND);
 +
 +  /* Ease our life. */
 +  bstate = circ->build_state;
 +
 +  log_info(LD_REND, "Retrying rendezvous point circuit to %s",
 +           safe_str_client(extend_info_describe(bstate->chosen_exit)));
 +
 +  /* Get the current build state flags for the next circuit. */
 +  flags |= (bstate->need_uptime) ? CIRCLAUNCH_NEED_UPTIME : 0;
 +  flags |= (bstate->need_capacity) ? CIRCLAUNCH_NEED_CAPACITY : 0;
 +  flags |= (bstate->is_internal) ? CIRCLAUNCH_IS_INTERNAL : 0;
 +
 +  /* We do NOT add the onehop tunnel flag even though it might be a single
 +   * onion service. The reason is that if we failed once to connect to the RP
 +   * with a direct connection, we consider that chances are that we will fail
 +   * again so try a 3-hop circuit and hope for the best. Because the service
 +   * has no anonymity (single onion), this change of behavior won't affect
 +   * security directly. */
 +
 +  new_circ = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_CONNECT_REND,
 +                                           bstate->chosen_exit, flags);
 +  if (new_circ == NULL) {
 +    log_warn(LD_REND, "Failed to launch rendezvous circuit to %s",
 +             safe_str_client(extend_info_describe(bstate->chosen_exit)));
 +    goto done;
 +  }
 +
 +  /* Transfer build state information to the new circuit state in part to
 +   * catch any other failures. */
 +  new_circ->build_state->failure_count = bstate->failure_count+1;
 +  new_circ->build_state->expiry_time = bstate->expiry_time;
 +  new_circ->hs_ident = hs_ident_circuit_dup(circ->hs_ident);
 +
 + done:
 +  return;
 +}
 +
- /* Add all possible link specifiers in node to lspecs.
-  * legacy ID is mandatory thus MUST be present in node. If the primary address
-  * is not IPv4, log a BUG() warning, and return an empty smartlist.
-  * Includes ed25519 id and IPv6 link specifiers if present in the node. */
++/* Add all possible link specifiers in node to lspecs:
++ *  - legacy ID is mandatory thus MUST be present in node;
++ *  - include ed25519 link specifier if present in the node, and the node
++ *    supports ed25519 link authentication, even if its link versions are not
++ *    compatible with us;
++ *  - include IPv4 link specifier, if the primary address is not IPv4, log a
++ *    BUG() warning, and return an empty smartlist;
++ *  - include IPv6 link specifier if present in the node. */
 +static void
 +get_lspecs_from_node(const node_t *node, smartlist_t *lspecs)
 +{
 +  link_specifier_t *ls;
 +  tor_addr_port_t ap;
 +
 +  tor_assert(node);
 +  tor_assert(lspecs);
 +
 +  /* Get the relay's IPv4 address. */
 +  node_get_prim_orport(node, &ap);
 +
 +  /* We expect the node's primary address to be a valid IPv4 address.
 +   * This conforms to the protocol, which requires either an IPv4 or IPv6
 +   * address (or both). */
 +  if (BUG(!tor_addr_is_v4(&ap.addr)) ||
 +      BUG(!tor_addr_port_is_valid_ap(&ap, 0))) {
 +    return;
 +  }
 +
 +  ls = link_specifier_new();
 +  link_specifier_set_ls_type(ls, LS_IPV4);
 +  link_specifier_set_un_ipv4_addr(ls, tor_addr_to_ipv4h(&ap.addr));
 +  link_specifier_set_un_ipv4_port(ls, ap.port);
 +  /* Four bytes IPv4 and two bytes port. */
 +  link_specifier_set_ls_len(ls, sizeof(ap.addr.addr.in_addr) +
 +                            sizeof(ap.port));
 +  smartlist_add(lspecs, ls);
 +
 +  /* Legacy ID is mandatory and will always be present in node. */
 +  ls = link_specifier_new();
 +  link_specifier_set_ls_type(ls, LS_LEGACY_ID);
 +  memcpy(link_specifier_getarray_un_legacy_id(ls), node->identity,
 +         link_specifier_getlen_un_legacy_id(ls));
 +  link_specifier_set_ls_len(ls, link_specifier_getlen_un_legacy_id(ls));
 +  smartlist_add(lspecs, ls);
 +
-   /* ed25519 ID is only included if the node has it. */
-   if (!ed25519_public_key_is_zero(&node->ed25519_id)) {
++  /* ed25519 ID is only included if the node has it, and the node declares a
++     protocol version that supports ed25519 link authentication, even if that
++     link version is not compatible with us. (We are sending the ed25519 key
++     to another tor, which may support different link versions.) */
++  if (!ed25519_public_key_is_zero(&node->ed25519_id) &&
++      node_supports_ed25519_link_authentication(node, 0)) {
 +    ls = link_specifier_new();
 +    link_specifier_set_ls_type(ls, LS_ED25519_ID);
 +    memcpy(link_specifier_getarray_un_ed25519_id(ls), &node->ed25519_id,
 +           link_specifier_getlen_un_ed25519_id(ls));
 +    link_specifier_set_ls_len(ls, link_specifier_getlen_un_ed25519_id(ls));
 +    smartlist_add(lspecs, ls);
 +  }
 +
 +  /* Check for IPv6. If so, include it as well. */
 +  if (node_has_ipv6_orport(node)) {
 +    ls = link_specifier_new();
 +    node_get_pref_ipv6_orport(node, &ap);
 +    link_specifier_set_ls_type(ls, LS_IPV6);
 +    size_t addr_len = link_specifier_getlen_un_ipv6_addr(ls);
 +    const uint8_t *in6_addr = tor_addr_to_in6_addr8(&ap.addr);
 +    uint8_t *ipv6_array = link_specifier_getarray_un_ipv6_addr(ls);
 +    memcpy(ipv6_array, in6_addr, addr_len);
 +    link_specifier_set_un_ipv6_port(ls, ap.port);
 +    /* Sixteen bytes IPv6 and two bytes port. */
 +    link_specifier_set_ls_len(ls, addr_len + sizeof(ap.port));
 +    smartlist_add(lspecs, ls);
 +  }
 +}
 +
 +/* Using the given descriptor intro point ip, the node of the
 + * rendezvous point rp_node and the service's subcredential, populate the
 + * already allocated intro1_data object with the needed key material and link
 + * specifiers.
 + *
 + * If rp_node has an invalid primary address, intro1_data->link_specifiers
 + * will be an empty list. Otherwise, this function can't fail. The ip
 + * MUST be a valid object containing the needed keys and authentication
 + * method. */
 +static void
 +setup_introduce1_data(const hs_desc_intro_point_t *ip,
 +                      const node_t *rp_node,
 +                      const uint8_t *subcredential,
 +                      hs_cell_introduce1_data_t *intro1_data)
 +{
 +  smartlist_t *rp_lspecs;
 +
 +  tor_assert(ip);
 +  tor_assert(rp_node);
 +  tor_assert(subcredential);
 +  tor_assert(intro1_data);
 +
 +  /* Build the link specifiers from the extend information of the rendezvous
 +   * circuit that we've picked previously. */
 +  rp_lspecs = smartlist_new();
 +  get_lspecs_from_node(rp_node, rp_lspecs);
 +
 +  /* Populate the introduce1 data object. */
 +  memset(intro1_data, 0, sizeof(hs_cell_introduce1_data_t));
 +  if (ip->legacy.key != NULL) {
 +    intro1_data->is_legacy = 1;
 +    intro1_data->legacy_key = ip->legacy.key;
 +  }
 +  intro1_data->auth_pk = &ip->auth_key_cert->signed_key;
 +  intro1_data->enc_pk = &ip->enc_key;
 +  intro1_data->subcredential = subcredential;
 +  intro1_data->onion_pk = node_get_curve25519_onion_key(rp_node);
 +  intro1_data->link_specifiers = rp_lspecs;
 +}
 +
 +/* ========== */
 +/* Public API */
 +/* ========== */
 +
 +/* Return an introduction point circuit matching the given intro point object.
 + * NULL is returned is no such circuit can be found. */
 +origin_circuit_t *
 +hs_circ_service_get_intro_circ(const hs_service_intro_point_t *ip)
 +{
 +  tor_assert(ip);
 +
 +  if (ip->base.is_only_legacy) {
 +    return hs_circuitmap_get_intro_circ_v2_service_side(ip->legacy_key_digest);
 +  } else {
 +    return hs_circuitmap_get_intro_circ_v3_service_side(
 +                                        &ip->auth_key_kp.pubkey);
 +  }
 +}
 +
 +/* Called when we fail building a rendezvous circuit at some point other than
 + * the last hop: launches a new circuit to the same rendezvous point. This
 + * supports legacy service.
 + *
 + * We currently relaunch connections to rendezvous points if:
 + * - A rendezvous circuit timed out before connecting to RP.
 + * - The rendezvous circuit failed to connect to the RP.
 + *
 + * We avoid relaunching a connection to this rendezvous point if:
 + * - We have already tried MAX_REND_FAILURES times to connect to this RP,
 + * - We've been trying to connect to this RP for more than MAX_REND_TIMEOUT
 + *   seconds, or
 + * - We've already retried this specific rendezvous circuit.
 + */
 +void
 +hs_circ_retry_service_rendezvous_point(origin_circuit_t *circ)
 +{
 +  tor_assert(circ);
 +  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_CONNECT_REND);
 +
 +  /* Check if we are allowed to relaunch to the rendezvous point of circ. */
 +  if (!can_relaunch_service_rendezvous_point(circ)) {
 +    goto done;
 +  }
 +
 +  /* Flag the circuit that we are relaunching, to avoid to relaunch twice a
 +   * circuit to the same rendezvous point at the same time. */
 +  circ->hs_service_side_rend_circ_has_been_relaunched = 1;
 +
 +  /* Legacy services don't have a hidden service ident. */
 +  if (circ->hs_ident) {
 +    retry_service_rendezvous_point(circ);
 +  } else {
 +    rend_service_relaunch_rendezvous(circ);
 +  }
 +
 + done:
 +  return;
 +}
 +
 +/* For a given service and a service intro point, launch a circuit to the
 + * extend info ei. If the service is a single onion, a one-hop circuit will be
 + * requested. Return 0 if the circuit was successfully launched and tagged
 + * with the correct identifier. On error, a negative value is returned. */
 +int
 +hs_circ_launch_intro_point(hs_service_t *service,
 +                           const hs_service_intro_point_t *ip,
 +                           extend_info_t *ei)
 +{
 +  /* Standard flags for introduction circuit. */
 +  int ret = -1, circ_flags = CIRCLAUNCH_NEED_UPTIME | CIRCLAUNCH_IS_INTERNAL;
 +  origin_circuit_t *circ;
 +
 +  tor_assert(service);
 +  tor_assert(ip);
 +  tor_assert(ei);
 +
 +  /* Update circuit flags in case of a single onion service that requires a
 +   * direct connection. */
 +  if (service->config.is_single_onion) {
 +    circ_flags |= CIRCLAUNCH_ONEHOP_TUNNEL;
 +  }
 +
 +  log_info(LD_REND, "Launching a circuit to intro point %s for service %s.",
 +           safe_str_client(extend_info_describe(ei)),
 +           safe_str_client(service->onion_address));
 +
 +  /* Note down the launch for the retry period. Even if the circuit fails to
 +   * be launched, we still want to respect the retry period to avoid stress on
 +   * the circuit subsystem. */
 +  service->state.num_intro_circ_launched++;
 +  circ = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_ESTABLISH_INTRO,
 +                                       ei, circ_flags);
 +  if (circ == NULL) {
 +    goto end;
 +  }
 +
 +  /* Setup the circuit identifier and attach it to it. */
 +  circ->hs_ident = create_intro_circuit_identifier(service, ip);
 +  tor_assert(circ->hs_ident);
 +  /* Register circuit in the global circuitmap. */
 +  register_intro_circ(ip, circ);
 +
 +  /* Success. */
 +  ret = 0;
 + end:
 +  return ret;
 +}
 +
 +/* Called when a service introduction point circuit is done building. Given
 + * the service and intro point object, this function will send the
 + * ESTABLISH_INTRO cell on the circuit. Return 0 on success. Return 1 if the
 + * circuit has been repurposed to General because we already have too many
 + * opened. */
 +int
 +hs_circ_service_intro_has_opened(hs_service_t *service,
 +                                 hs_service_intro_point_t *ip,
 +                                 const hs_service_descriptor_t *desc,
 +                                 origin_circuit_t *circ)
 +{
 +  int ret = 0;
 +  unsigned int num_intro_circ, num_needed_circ;
 +
 +  tor_assert(service);
 +  tor_assert(ip);
 +  tor_assert(desc);
 +  tor_assert(circ);
 +
 +  /* Cound opened circuits that have sent ESTABLISH_INTRO cells or are already
 +   * established introduction circuits */
 +  num_intro_circ = count_opened_desc_intro_point_circuits(service, desc);
 +  num_needed_circ = service->config.num_intro_points;
 +  if (num_intro_circ > num_needed_circ) {
 +    /* There are too many opened valid intro circuit for what the service
 +     * needs so repurpose this one. */
 +
 +    /* XXX: Legacy code checks options->ExcludeNodes and if not NULL it just
 +     * closes the circuit. I have NO idea why it does that so it hasn't been
 +     * added here. I can only assume in case our ExcludeNodes list changes but
 +     * in that case, all circuit are flagged unusable (config.c). --dgoulet */
 +
 +    log_info(LD_CIRC | LD_REND, "Introduction circuit just opened but we "
 +                                "have enough for service %s. Repurposing "
 +                                "it to general and leaving internal.",
 +             safe_str_client(service->onion_address));
 +    tor_assert(circ->build_state->is_internal);
 +    /* Remove it from the circuitmap. */
 +    hs_circuitmap_remove_circuit(TO_CIRCUIT(circ));
 +    /* Cleaning up the hidden service identifier and repurpose. */
 +    hs_ident_circuit_free(circ->hs_ident);
 +    circ->hs_ident = NULL;
 +    if (circuit_should_use_vanguards(TO_CIRCUIT(circ)->purpose))
 +      circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_HS_VANGUARDS);
 +    else
 +      circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_C_GENERAL);
 +
 +    /* Inform that this circuit just opened for this new purpose. */
 +    circuit_has_opened(circ);
 +    /* This return value indicate to the caller that the IP object should be
 +     * removed from the service because it's corresponding circuit has just
 +     * been repurposed. */
 +    ret = 1;
 +    goto done;
 +  }
 +
 +  log_info(LD_REND, "Introduction circuit %u established for service %s.",
 +           TO_CIRCUIT(circ)->n_circ_id,
 +           safe_str_client(service->onion_address));
 +  circuit_log_path(LOG_INFO, LD_REND, circ);
 +
 +  /* Time to send an ESTABLISH_INTRO cell on this circuit. On error, this call
 +   * makes sure the circuit gets closed. */
 +  send_establish_intro(service, ip, circ);
 +
 + done:
 +  return ret;
 +}
 +
 +/* Called when a service rendezvous point circuit is done building. Given the
 + * service and the circuit, this function will send a RENDEZVOUS1 cell on the
 + * circuit using the information in the circuit identifier. If the cell can't
 + * be sent, the circuit is closed. */
 +void
 +hs_circ_service_rp_has_opened(const hs_service_t *service,
 +                              origin_circuit_t *circ)
 +{
 +  size_t payload_len;
 +  uint8_t payload[RELAY_PAYLOAD_SIZE] = {0};
 +
 +  tor_assert(service);
 +  tor_assert(circ);
 +  tor_assert(circ->hs_ident);
 +
 +  /* Some useful logging. */
 +  log_info(LD_REND, "Rendezvous circuit %u has opened with cookie %s "
 +                    "for service %s",
 +           TO_CIRCUIT(circ)->n_circ_id,
 +           hex_str((const char *) circ->hs_ident->rendezvous_cookie,
 +                   REND_COOKIE_LEN),
 +           safe_str_client(service->onion_address));
 +  circuit_log_path(LOG_INFO, LD_REND, circ);
 +
 +  /* This can't fail. */
 +  payload_len = hs_cell_build_rendezvous1(
 +                        circ->hs_ident->rendezvous_cookie,
 +                        sizeof(circ->hs_ident->rendezvous_cookie),
 +                        circ->hs_ident->rendezvous_handshake_info,
 +                        sizeof(circ->hs_ident->rendezvous_handshake_info),
 +                        payload);
 +
 +  /* Pad the payload with random bytes so it matches the size of a legacy cell
 +   * which is normally always bigger. Also, the size of a legacy cell is
 +   * always smaller than the RELAY_PAYLOAD_SIZE so this is safe. */
 +  if (payload_len < HS_LEGACY_RENDEZVOUS_CELL_SIZE) {
 +    crypto_rand((char *) payload + payload_len,
 +                HS_LEGACY_RENDEZVOUS_CELL_SIZE - payload_len);
 +    payload_len = HS_LEGACY_RENDEZVOUS_CELL_SIZE;
 +  }
 +
 +  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
 +                                   RELAY_COMMAND_RENDEZVOUS1,
 +                                   (const char *) payload, payload_len,
 +                                   circ->cpath->prev) < 0) {
 +    /* On error, circuit is closed. */
 +    log_warn(LD_REND, "Unable to send RENDEZVOUS1 cell on circuit %u "
 +                      "for service %s",
 +             TO_CIRCUIT(circ)->n_circ_id,
 +             safe_str_client(service->onion_address));
 +    goto done;
 +  }
 +
 +  /* Setup end-to-end rendezvous circuit between the client and us. */
 +  if (hs_circuit_setup_e2e_rend_circ(circ,
 +                       circ->hs_ident->rendezvous_ntor_key_seed,
 +                       sizeof(circ->hs_ident->rendezvous_ntor_key_seed),
 +                       1) < 0) {
 +    log_warn(LD_GENERAL, "Failed to setup circ");
 +    goto done;
 +  }
 +
 + done:
 +  memwipe(payload, 0, sizeof(payload));
 +}
 +
 +/* Circ has been expecting an INTRO_ESTABLISHED cell that just arrived. Handle
 + * the INTRO_ESTABLISHED cell payload of length payload_len arriving on the
 + * given introduction circuit circ. The service is only used for logging
 + * purposes. Return 0 on success else a negative value. */
 +int
 +hs_circ_handle_intro_established(const hs_service_t *service,
 +                                 const hs_service_intro_point_t *ip,
 +                                 origin_circuit_t *circ,
 +                                 const uint8_t *payload, size_t payload_len)
 +{
 +  int ret = -1;
 +
 +  tor_assert(service);
 +  tor_assert(ip);
 +  tor_assert(circ);
 +  tor_assert(payload);
 +
 +  if (BUG(TO_CIRCUIT(circ)->purpose != CIRCUIT_PURPOSE_S_ESTABLISH_INTRO)) {
 +    goto done;
 +  }
 +
 +  /* Try to parse the payload into a cell making sure we do actually have a
 +   * valid cell. For a legacy node, it's an empty payload so as long as we
 +   * have the cell, we are good. */
 +  if (!ip->base.is_only_legacy &&
 +      hs_cell_parse_intro_established(payload, payload_len) < 0) {
 +    log_warn(LD_REND, "Unable to parse the INTRO_ESTABLISHED cell on "
 +                      "circuit %u for service %s",
 +             TO_CIRCUIT(circ)->n_circ_id,
 +             safe_str_client(service->onion_address));
 +    goto done;
 +  }
 +
 +  /* Switch the purpose to a fully working intro point. */
 +  circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_S_INTRO);
 +  /* Getting a valid INTRODUCE_ESTABLISHED means we've successfully used the
 +   * circuit so update our pathbias subsystem. */
 +  pathbias_mark_use_success(circ);
 +  /* Success. */
 +  ret = 0;
 +
 + done:
 +  return ret;
 +}
 +
 +/* We just received an INTRODUCE2 cell on the established introduction circuit
 + * circ.  Handle the INTRODUCE2 payload of size payload_len for the given
 + * circuit and service. This cell is associated with the intro point object ip
 + * and the subcredential. Return 0 on success else a negative value. */
 +int
 +hs_circ_handle_introduce2(const hs_service_t *service,
 +                          const origin_circuit_t *circ,
 +                          hs_service_intro_point_t *ip,
 +                          const uint8_t *subcredential,
 +                          const uint8_t *payload, size_t payload_len)
 +{
 +  int ret = -1;
 +  time_t elapsed;
 +  hs_cell_introduce2_data_t data;
 +
 +  tor_assert(service);
 +  tor_assert(circ);
 +  tor_assert(ip);
 +  tor_assert(subcredential);
 +  tor_assert(payload);
 +
 +  /* Populate the data structure with everything we need for the cell to be
 +   * parsed, decrypted and key material computed correctly. */
 +  data.auth_pk = &ip->auth_key_kp.pubkey;
 +  data.enc_kp = &ip->enc_key_kp;
 +  data.subcredential = subcredential;
 +  data.payload = payload;
 +  data.payload_len = payload_len;
 +  data.link_specifiers = smartlist_new();
 +  data.replay_cache = ip->replay_cache;
 +
 +  if (hs_cell_parse_introduce2(&data, circ, service) < 0) {
 +    goto done;
 +  }
 +
 +  /* Check whether we've seen this REND_COOKIE before to detect repeats. */
 +  if (replaycache_add_test_and_elapsed(
 +           service->state.replay_cache_rend_cookie,
 +           data.rendezvous_cookie, sizeof(data.rendezvous_cookie),
 +           &elapsed)) {
 +    /* A Tor client will send a new INTRODUCE1 cell with the same REND_COOKIE
 +     * as its previous one if its intro circ times out while in state
 +     * CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT. If we received the first
 +     * INTRODUCE1 cell (the intro-point relay converts it into an INTRODUCE2
 +     * cell), we are already trying to connect to that rend point (and may
 +     * have already succeeded); drop this cell. */
 +    log_info(LD_REND, "We received an INTRODUCE2 cell with same REND_COOKIE "
 +                      "field %ld seconds ago. Dropping cell.",
 +             (long int) elapsed);
 +    goto done;
 +  }
 +
 +  /* At this point, we just confirmed that the full INTRODUCE2 cell is valid
 +   * so increment our counter that we've seen one on this intro point. */
 +  ip->introduce2_count++;
 +
 +  /* Launch rendezvous circuit with the onion key and rend cookie. */
 +  launch_rendezvous_point_circuit(service, ip, &data);
 +  /* Success. */
 +  ret = 0;
 +
 + done:
 +  SMARTLIST_FOREACH(data.link_specifiers, link_specifier_t *, lspec,
 +                    link_specifier_free(lspec));
 +  smartlist_free(data.link_specifiers);
 +  memwipe(&data, 0, sizeof(data));
 +  return ret;
 +}
 +
 +/* Circuit <b>circ</b> just finished the rend ntor key exchange. Use the key
 + * exchange output material at <b>ntor_key_seed</b> and setup <b>circ</b> to
 + * serve as a rendezvous end-to-end circuit between the client and the
 + * service. If <b>is_service_side</b> is set, then we are the hidden service
 + * and the other side is the client.
 + *
 + * Return 0 if the operation went well; in case of error return -1. */
 +int
 +hs_circuit_setup_e2e_rend_circ(origin_circuit_t *circ,
 +                               const uint8_t *ntor_key_seed, size_t seed_len,
 +                               int is_service_side)
 +{
 +  if (BUG(!circuit_purpose_is_correct_for_rend(TO_CIRCUIT(circ)->purpose,
 +                                        is_service_side))) {
 +    return -1;
 +  }
 +
 +  crypt_path_t *hop = create_rend_cpath(ntor_key_seed, seed_len,
 +                                        is_service_side);
 +  if (!hop) {
 +    log_warn(LD_REND, "Couldn't get v3 %s cpath!",
 +             is_service_side ? "service-side" : "client-side");
 +    return -1;
 +  }
 +
 +  finalize_rend_circuit(circ, hop, is_service_side);
 +
 +  return 0;
 +}
 +
 +/* We are a v2 legacy HS client and we just received a RENDEZVOUS1 cell
 + * <b>rend_cell_body</b> on <b>circ</b>. Finish up the DH key exchange and then
 + * extend the crypt path of <b>circ</b> so that the hidden service is on the
 + * other side. */
 +int
 +hs_circuit_setup_e2e_rend_circ_legacy_client(origin_circuit_t *circ,
 +                                             const uint8_t *rend_cell_body)
 +{
 +
 +  if (BUG(!circuit_purpose_is_correct_for_rend(
 +                                      TO_CIRCUIT(circ)->purpose, 0))) {
 +    return -1;
 +  }
 +
 +  crypt_path_t *hop = create_rend_cpath_legacy(circ, rend_cell_body);
 +  if (!hop) {
 +    log_warn(LD_GENERAL, "Couldn't get v2 cpath.");
 +    return -1;
 +  }
 +
 +  finalize_rend_circuit(circ, hop, 0);
 +
 +  return 0;
 +}
 +
 +/* Given the introduction circuit intro_circ, the rendezvous circuit
 + * rend_circ, a descriptor intro point object ip and the service's
 + * subcredential, send an INTRODUCE1 cell on intro_circ.
 + *
 + * This will also setup the circuit identifier on rend_circ containing the key
 + * material for the handshake and e2e encryption. Return 0 on success else
 + * negative value. Because relay_send_command_from_edge() closes the circuit
 + * on error, it is possible that intro_circ is closed on error. */
 +int
 +hs_circ_send_introduce1(origin_circuit_t *intro_circ,
 +                        origin_circuit_t *rend_circ,
 +                        const hs_desc_intro_point_t *ip,
 +                        const uint8_t *subcredential)
 +{
 +  int ret = -1;
 +  ssize_t payload_len;
 +  uint8_t payload[RELAY_PAYLOAD_SIZE] = {0};
 +  hs_cell_introduce1_data_t intro1_data;
 +
 +  tor_assert(intro_circ);
 +  tor_assert(rend_circ);
 +  tor_assert(ip);
 +  tor_assert(subcredential);
 +
 +  /* It is undefined behavior in hs_cell_introduce1_data_clear() if intro1_data
 +   * has been declared on the stack but not initialized. Here, we set it to 0.
 +   */
 +  memset(&intro1_data, 0, sizeof(hs_cell_introduce1_data_t));
 +
 +  /* This takes various objects in order to populate the introduce1 data
 +   * object which is used to build the content of the cell. */
 +  const node_t *exit_node = build_state_get_exit_node(rend_circ->build_state);
 +  if (exit_node == NULL) {
 +    log_info(LD_REND, "Unable to get rendezvous point for circuit %u. "
 +             "Failing.", TO_CIRCUIT(intro_circ)->n_circ_id);
 +    goto done;
 +  }
 +  setup_introduce1_data(ip, exit_node, subcredential, &intro1_data);
 +  /* If we didn't get any link specifiers, it's because our node was
 +   * bad. */
 +  if (BUG(!intro1_data.link_specifiers) ||
 +      !smartlist_len(intro1_data.link_specifiers)) {
 +    log_warn(LD_REND, "Unable to get link specifiers for INTRODUCE1 cell on "
 +             "circuit %u.", TO_CIRCUIT(intro_circ)->n_circ_id);
 +    goto done;
 +  }
 +
 +  /* Final step before we encode a cell, we setup the circuit identifier which
 +   * will generate both the rendezvous cookie and client keypair for this
 +   * connection. Those are put in the ident. */
 +  intro1_data.rendezvous_cookie = rend_circ->hs_ident->rendezvous_cookie;
 +  intro1_data.client_kp = &rend_circ->hs_ident->rendezvous_client_kp;
 +
 +  memcpy(intro_circ->hs_ident->rendezvous_cookie,
 +         rend_circ->hs_ident->rendezvous_cookie,
 +         sizeof(intro_circ->hs_ident->rendezvous_cookie));
 +
 +  /* From the introduce1 data object, this will encode the INTRODUCE1 cell
 +   * into payload which is then ready to be sent as is. */
 +  payload_len = hs_cell_build_introduce1(&intro1_data, payload);
 +  if (BUG(payload_len < 0)) {
 +    goto done;
 +  }
 +
 +  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(intro_circ),
 +                                   RELAY_COMMAND_INTRODUCE1,
 +                                   (const char *) payload, payload_len,
 +                                   intro_circ->cpath->prev) < 0) {
 +    /* On error, circuit is closed. */
 +    log_warn(LD_REND, "Unable to send INTRODUCE1 cell on circuit %u.",
 +             TO_CIRCUIT(intro_circ)->n_circ_id);
 +    goto done;
 +  }
 +
 +  /* Success. */
 +  ret = 0;
 +  goto done;
 +
 + done:
 +  hs_cell_introduce1_data_clear(&intro1_data);
 +  memwipe(payload, 0, sizeof(payload));
 +  return ret;
 +}
 +
 +/* Send an ESTABLISH_RENDEZVOUS cell along the rendezvous circuit circ. On
 + * success, 0 is returned else -1 and the circuit is marked for close. */
 +int
 +hs_circ_send_establish_rendezvous(origin_circuit_t *circ)
 +{
 +  ssize_t cell_len = 0;
 +  uint8_t cell[RELAY_PAYLOAD_SIZE] = {0};
 +
 +  tor_assert(circ);
 +  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_C_ESTABLISH_REND);
 +
 +  log_info(LD_REND, "Send an ESTABLISH_RENDEZVOUS cell on circuit %u",
 +           TO_CIRCUIT(circ)->n_circ_id);
 +
 +  /* Set timestamp_dirty, because circuit_expire_building expects it,
 +   * and the rend cookie also means we've used the circ. */
 +  TO_CIRCUIT(circ)->timestamp_dirty = time(NULL);
 +
 +  /* We've attempted to use this circuit. Probe it if we fail */
 +  pathbias_count_use_attempt(circ);
 +
 +  /* Generate the RENDEZVOUS_COOKIE and place it in the identifier so we can
 +   * complete the handshake when receiving the acknowledgement. */
 +  crypto_rand((char *) circ->hs_ident->rendezvous_cookie, HS_REND_COOKIE_LEN);
 +  /* Generate the client keypair. No need to be extra strong, not long term */
 +  curve25519_keypair_generate(&circ->hs_ident->rendezvous_client_kp, 0);
 +
 +  cell_len =
 +    hs_cell_build_establish_rendezvous(circ->hs_ident->rendezvous_cookie,
 +                                       cell);
 +  if (BUG(cell_len < 0)) {
 +    goto err;
 +  }
 +
 +  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
 +                                   RELAY_COMMAND_ESTABLISH_RENDEZVOUS,
 +                                   (const char *) cell, cell_len,
 +                                   circ->cpath->prev) < 0) {
 +    /* Circuit has been marked for close */
 +    log_warn(LD_REND, "Unable to send ESTABLISH_RENDEZVOUS cell on "
 +                      "circuit %u", TO_CIRCUIT(circ)->n_circ_id);
 +    memwipe(cell, 0, cell_len);
 +    goto err;
 +  }
 +
 +  memwipe(cell, 0, cell_len);
 +  return 0;
 + err:
 +  return -1;
 +}
 +
 +/* We are about to close or free this <b>circ</b>. Clean it up from any
 + * related HS data structures. This function can be called multiple times
 + * safely for the same circuit. */
 +void
 +hs_circ_cleanup(circuit_t *circ)
 +{
 +  tor_assert(circ);
 +
 +  /* If it's a service-side intro circ, notify the HS subsystem for the intro
 +   * point circuit closing so it can be dealt with cleanly. */
 +  if (circ->purpose == CIRCUIT_PURPOSE_S_ESTABLISH_INTRO ||
 +      circ->purpose == CIRCUIT_PURPOSE_S_INTRO) {
 +    hs_service_intro_circ_has_closed(TO_ORIGIN_CIRCUIT(circ));
 +  }
 +
 +  /* Clear HS circuitmap token for this circ (if any). Very important to be
 +   * done after the HS subsystem has been notified of the close else the
 +   * circuit will not be found.
 +   *
 +   * We do this at the close if possible because from that point on, the
 +   * circuit is good as dead. We can't rely on removing it in the circuit
 +   * free() function because we open a race window between the close and free
 +   * where we can't register a new circuit for the same intro point. */
 +  if (circ->hs_token) {
 +    hs_circuitmap_remove_circuit(circ);
 +  }
 +}
diff --cc src/feature/hs/hs_service.c
index 54204dd07,000000000..7775ac6de
mode 100644,000000..100644
--- a/src/feature/hs/hs_service.c
+++ b/src/feature/hs/hs_service.c
@@@ -1,3547 -1,0 +1,3558 @@@
 +/* Copyright (c) 2016-2018, The Tor Project, Inc. */
 +/* See LICENSE for licensing information */
 +
 +/**
 + * \file hs_service.c
 + * \brief Implement next generation hidden service functionality
 + **/
 +
 +#define HS_SERVICE_PRIVATE
 +
 +#include "core/or/or.h"
 +#include "feature/client/circpathbias.h"
 +#include "core/or/circuitbuild.h"
 +#include "core/or/circuitlist.h"
 +#include "core/or/circuituse.h"
 +#include "app/config/config.h"
 +#include "core/mainloop/connection.h"
 +#include "lib/crypt_ops/crypto_rand.h"
 +#include "lib/crypt_ops/crypto_util.h"
 +#include "lib/crypt_ops/crypto_ope.h"
 +#include "feature/dircache/directory.h"
 +#include "core/mainloop/main.h"
 +#include "feature/nodelist/networkstatus.h"
 +#include "feature/nodelist/nodelist.h"
 +#include "core/or/relay.h"
 +#include "feature/rend/rendservice.h"
 +#include "feature/relay/router.h"
 +#include "feature/relay/routerkeys.h"
 +#include "feature/nodelist/routerlist.h"
 +#include "feature/hs_common/shared_random_client.h"
 +#include "app/config/statefile.h"
 +
 +#include "feature/hs/hs_circuit.h"
 +#include "feature/hs/hs_common.h"
 +#include "feature/hs/hs_config.h"
 +#include "feature/hs/hs_control.h"
 +#include "feature/hs/hs_descriptor.h"
 +#include "feature/hs/hs_ident.h"
 +#include "feature/hs/hs_intropoint.h"
 +#include "feature/hs/hs_service.h"
 +#include "feature/hs/hs_stats.h"
 +
 +#include "feature/dircommon/dir_connection_st.h"
 +#include "core/or/edge_connection_st.h"
 +#include "core/or/extend_info_st.h"
 +#include "feature/nodelist/networkstatus_st.h"
 +#include "feature/nodelist/node_st.h"
 +#include "core/or/origin_circuit_st.h"
 +#include "app/config/or_state_st.h"
 +#include "feature/nodelist/routerstatus_st.h"
 +
 +#include "lib/encoding/confline.h"
 +#include "lib/crypt_ops/crypto_format.h"
 +
 +/* Trunnel */
 +#include "trunnel/ed25519_cert.h"
 +#include "trunnel/hs/cell_common.h"
 +#include "trunnel/hs/cell_establish_intro.h"
 +
 +#ifdef HAVE_SYS_STAT_H
 +#include <sys/stat.h>
 +#endif
 +#ifdef HAVE_UNISTD_H
 +#include <unistd.h>
 +#endif
 +
 +/* Helper macro. Iterate over every service in the global map. The var is the
 + * name of the service pointer. */
 +#define FOR_EACH_SERVICE_BEGIN(var)                          \
 +    STMT_BEGIN                                               \
 +    hs_service_t **var##_iter, *var;                         \
 +    HT_FOREACH(var##_iter, hs_service_ht, hs_service_map) {  \
 +      var = *var##_iter;
 +#define FOR_EACH_SERVICE_END } STMT_END ;
 +
 +/* Helper macro. Iterate over both current and previous descriptor of a
 + * service. The var is the name of the descriptor pointer. This macro skips
 + * any descriptor object of the service that is NULL. */
 +#define FOR_EACH_DESCRIPTOR_BEGIN(service, var)                  \
 +  STMT_BEGIN                                                     \
 +    hs_service_descriptor_t *var;                                \
 +    for (int var ## _loop_idx = 0; var ## _loop_idx < 2;         \
 +         ++var ## _loop_idx) {                                   \
 +      (var ## _loop_idx == 0) ? (var = service->desc_current) :  \
 +                                (var = service->desc_next);      \
 +      if (var == NULL) continue;
 +#define FOR_EACH_DESCRIPTOR_END } STMT_END ;
 +
 +/* Onion service directory file names. */
 +static const char fname_keyfile_prefix[] = "hs_ed25519";
 +static const char fname_hostname[] = "hostname";
 +static const char address_tld[] = "onion";
 +
 +/* Staging list of service object. When configuring service, we add them to
 + * this list considered a staging area and they will get added to our global
 + * map once the keys have been loaded. These two steps are separated because
 + * loading keys requires that we are an actual running tor process. */
 +static smartlist_t *hs_service_staging_list;
 +
 +/** True if the list of available router descriptors might have changed which
 + *  might result in an altered hash ring. Check if the hash ring changed and
 + *  reupload if needed */
 +static int consider_republishing_hs_descriptors = 0;
 +
 +/* Static declaration. */
 +static void set_descriptor_revision_counter(hs_service_descriptor_t *hs_desc,
 +                                            time_t now, bool is_current);
 +static void move_descriptors(hs_service_t *src, hs_service_t *dst);
 +
 +/* Helper: Function to compare two objects in the service map. Return 1 if the
 + * two service have the same master public identity key. */
 +static inline int
 +hs_service_ht_eq(const hs_service_t *first, const hs_service_t *second)
 +{
 +  tor_assert(first);
 +  tor_assert(second);
 +  /* Simple key compare. */
 +  return ed25519_pubkey_eq(&first->keys.identity_pk,
 +                           &second->keys.identity_pk);
 +}
 +
 +/* Helper: Function for the service hash table code below. The key used is the
 + * master public identity key which is ultimately the onion address. */
 +static inline unsigned int
 +hs_service_ht_hash(const hs_service_t *service)
 +{
 +  tor_assert(service);
 +  return (unsigned int) siphash24g(service->keys.identity_pk.pubkey,
 +                                   sizeof(service->keys.identity_pk.pubkey));
 +}
 +
 +/* This is _the_ global hash map of hidden services which indexed the service
 + * contained in it by master public identity key which is roughly the onion
 + * address of the service. */
 +static struct hs_service_ht *hs_service_map;
 +
 +/* Register the service hash table. */
 +HT_PROTOTYPE(hs_service_ht,      /* Name of hashtable. */
 +             hs_service_t,       /* Object contained in the map. */
 +             hs_service_node,    /* The name of the HT_ENTRY member. */
 +             hs_service_ht_hash, /* Hashing function. */
 +             hs_service_ht_eq)   /* Compare function for objects. */
 +
 +HT_GENERATE2(hs_service_ht, hs_service_t, hs_service_node,
 +             hs_service_ht_hash, hs_service_ht_eq,
 +             0.6, tor_reallocarray, tor_free_)
 +
 +/* Query the given service map with a public key and return a service object
 + * if found else NULL. It is also possible to set a directory path in the
 + * search query. If pk is NULL, then it will be set to zero indicating the
 + * hash table to compare the directory path instead. */
 +STATIC hs_service_t *
 +find_service(hs_service_ht *map, const ed25519_public_key_t *pk)
 +{
 +  hs_service_t dummy_service;
 +  tor_assert(map);
 +  tor_assert(pk);
 +  memset(&dummy_service, 0, sizeof(dummy_service));
 +  ed25519_pubkey_copy(&dummy_service.keys.identity_pk, pk);
 +  return HT_FIND(hs_service_ht, map, &dummy_service);
 +}
 +
 +/* Register the given service in the given map. If the service already exists
 + * in the map, -1 is returned. On success, 0 is returned and the service
 + * ownership has been transferred to the global map. */
 +STATIC int
 +register_service(hs_service_ht *map, hs_service_t *service)
 +{
 +  tor_assert(map);
 +  tor_assert(service);
 +  tor_assert(!ed25519_public_key_is_zero(&service->keys.identity_pk));
 +
 +  if (find_service(map, &service->keys.identity_pk)) {
 +    /* Existing service with the same key. Do not register it. */
 +    return -1;
 +  }
 +  /* Taking ownership of the object at this point. */
 +  HT_INSERT(hs_service_ht, map, service);
 +
 +  /* If we just modified the global map, we notify. */
 +  if (map == hs_service_map) {
 +    hs_service_map_has_changed();
 +  }
 +
 +  return 0;
 +}
 +
 +/* Remove a given service from the given map. If service is NULL or the
 + * service key is unset, return gracefully. */
 +STATIC void
 +remove_service(hs_service_ht *map, hs_service_t *service)
 +{
 +  hs_service_t *elm;
 +
 +  tor_assert(map);
 +
 +  /* Ignore if no service or key is zero. */
 +  if (BUG(service == NULL) ||
 +      BUG(ed25519_public_key_is_zero(&service->keys.identity_pk))) {
 +    return;
 +  }
 +
 +  elm = HT_REMOVE(hs_service_ht, map, service);
 +  if (elm) {
 +    tor_assert(elm == service);
 +  } else {
 +    log_warn(LD_BUG, "Could not find service in the global map "
 +                     "while removing service %s",
 +             escaped(service->config.directory_path));
 +  }
 +
 +  /* If we just modified the global map, we notify. */
 +  if (map == hs_service_map) {
 +    hs_service_map_has_changed();
 +  }
 +}
 +
 +/* Set the default values for a service configuration object <b>c</b>. */
 +static void
 +set_service_default_config(hs_service_config_t *c,
 +                           const or_options_t *options)
 +{
 +  (void) options;
 +  tor_assert(c);
 +  c->ports = smartlist_new();
 +  c->directory_path = NULL;
 +  c->max_streams_per_rdv_circuit = 0;
 +  c->max_streams_close_circuit = 0;
 +  c->num_intro_points = NUM_INTRO_POINTS_DEFAULT;
 +  c->allow_unknown_ports = 0;
 +  c->is_single_onion = 0;
 +  c->dir_group_readable = 0;
 +  c->is_ephemeral = 0;
 +}
 +
 +/* From a service configuration object config, clear everything from it
 + * meaning free allocated pointers and reset the values. */
 +static void
 +service_clear_config(hs_service_config_t *config)
 +{
 +  if (config == NULL) {
 +    return;
 +  }
 +  tor_free(config->directory_path);
 +  if (config->ports) {
 +    SMARTLIST_FOREACH(config->ports, rend_service_port_config_t *, p,
 +                      rend_service_port_config_free(p););
 +    smartlist_free(config->ports);
 +  }
 +  memset(config, 0, sizeof(*config));
 +}
 +
 +/* Helper function to return a human readable description of the given intro
 + * point object.
 + *
 + * This function is not thread-safe. Each call to this invalidates the
 + * previous values returned by it. */
 +static const char *
 +describe_intro_point(const hs_service_intro_point_t *ip)
 +{
 +  /* Hex identity digest of the IP prefixed by the $ sign and ends with NUL
 +   * byte hence the plus two. */
 +  static char buf[HEX_DIGEST_LEN + 2];
 +  const char *legacy_id = NULL;
 +
 +  SMARTLIST_FOREACH_BEGIN(ip->base.link_specifiers,
 +                          const hs_desc_link_specifier_t *, lspec) {
 +    if (lspec->type == LS_LEGACY_ID) {
 +      legacy_id = (const char *) lspec->u.legacy_id;
 +      break;
 +    }
 +  } SMARTLIST_FOREACH_END(lspec);
 +
 +  /* For now, we only print the identity digest but we could improve this with
 +   * much more information such as the ed25519 identity has well. */
 +  buf[0] = '$';
 +  if (legacy_id) {
 +    base16_encode(buf + 1, HEX_DIGEST_LEN + 1, legacy_id, DIGEST_LEN);
 +  }
 +
 +  return buf;
 +}
 +
 +/* Return the lower bound of maximum INTRODUCE2 cells per circuit before we
 + * rotate intro point (defined by a consensus parameter or the default
 + * value). */
 +static int32_t
 +get_intro_point_min_introduce2(void)
 +{
 +  /* The [0, 2147483647] range is quite large to accommodate anything we decide
 +   * in the future. */
 +  return networkstatus_get_param(NULL, "hs_intro_min_introduce2",
 +                                 INTRO_POINT_MIN_LIFETIME_INTRODUCTIONS,
 +                                 0, INT32_MAX);
 +}
 +
 +/* Return the upper bound of maximum INTRODUCE2 cells per circuit before we
 + * rotate intro point (defined by a consensus parameter or the default
 + * value). */
 +static int32_t
 +get_intro_point_max_introduce2(void)
 +{
 +  /* The [0, 2147483647] range is quite large to accommodate anything we decide
 +   * in the future. */
 +  return networkstatus_get_param(NULL, "hs_intro_max_introduce2",
 +                                 INTRO_POINT_MAX_LIFETIME_INTRODUCTIONS,
 +                                 0, INT32_MAX);
 +}
 +
 +/* Return the minimum lifetime in seconds of an introduction point defined by a
 + * consensus parameter or the default value. */
 +static int32_t
 +get_intro_point_min_lifetime(void)
 +{
 +#define MIN_INTRO_POINT_LIFETIME_TESTING 10
 +  if (get_options()->TestingTorNetwork) {
 +    return MIN_INTRO_POINT_LIFETIME_TESTING;
 +  }
 +
 +  /* The [0, 2147483647] range is quite large to accommodate anything we decide
 +   * in the future. */
 +  return networkstatus_get_param(NULL, "hs_intro_min_lifetime",
 +                                 INTRO_POINT_LIFETIME_MIN_SECONDS,
 +                                 0, INT32_MAX);
 +}
 +
 +/* Return the maximum lifetime in seconds of an introduction point defined by a
 + * consensus parameter or the default value. */
 +static int32_t
 +get_intro_point_max_lifetime(void)
 +{
 +#define MAX_INTRO_POINT_LIFETIME_TESTING 30
 +  if (get_options()->TestingTorNetwork) {
 +    return MAX_INTRO_POINT_LIFETIME_TESTING;
 +  }
 +
 +  /* The [0, 2147483647] range is quite large to accommodate anything we decide
 +   * in the future. */
 +  return networkstatus_get_param(NULL, "hs_intro_max_lifetime",
 +                                 INTRO_POINT_LIFETIME_MAX_SECONDS,
 +                                 0, INT32_MAX);
 +}
 +
 +/* Return the number of extra introduction point defined by a consensus
 + * parameter or the default value. */
 +static int32_t
 +get_intro_point_num_extra(void)
 +{
 +  /* The [0, 128] range bounds the number of extra introduction point allowed.
 +   * Above 128 intro points, it's getting a bit crazy. */
 +  return networkstatus_get_param(NULL, "hs_intro_num_extra",
 +                                 NUM_INTRO_POINTS_EXTRA, 0, 128);
 +}
 +
 +/* Helper: Function that needs to return 1 for the HT for each loop which
 + * frees every service in an hash map. */
 +static int
 +ht_free_service_(struct hs_service_t *service, void *data)
 +{
 +  (void) data;
 +  hs_service_free(service);
 +  /* This function MUST return 1 so the given object is then removed from the
 +   * service map leading to this free of the object being safe. */
 +  return 1;
 +}
 +
 +/* Free every service that can be found in the global map. Once done, clear
 + * and free the global map. */
 +static void
 +service_free_all(void)
 +{
 +  if (hs_service_map) {
 +    /* The free helper function returns 1 so this is safe. */
 +    hs_service_ht_HT_FOREACH_FN(hs_service_map, ht_free_service_, NULL);
 +    HT_CLEAR(hs_service_ht, hs_service_map);
 +    tor_free(hs_service_map);
 +    hs_service_map = NULL;
 +  }
 +
 +  if (hs_service_staging_list) {
 +    /* Cleanup staging list. */
 +    SMARTLIST_FOREACH(hs_service_staging_list, hs_service_t *, s,
 +                      hs_service_free(s));
 +    smartlist_free(hs_service_staging_list);
 +    hs_service_staging_list = NULL;
 +  }
 +}
 +
 +/* Free a given service intro point object. */
 +STATIC void
 +service_intro_point_free_(hs_service_intro_point_t *ip)
 +{
 +  if (!ip) {
 +    return;
 +  }
 +  memwipe(&ip->auth_key_kp, 0, sizeof(ip->auth_key_kp));
 +  memwipe(&ip->enc_key_kp, 0, sizeof(ip->enc_key_kp));
 +  crypto_pk_free(ip->legacy_key);
 +  replaycache_free(ip->replay_cache);
 +  hs_intropoint_clear(&ip->base);
 +  tor_free(ip);
 +}
 +
 +/* Helper: free an hs_service_intro_point_t object. This function is used by
 + * digest256map_free() which requires a void * pointer. */
 +static void
 +service_intro_point_free_void(void *obj)
 +{
 +  service_intro_point_free_(obj);
 +}
 +
 +/* Return a newly allocated service intro point and fully initialized from the
-  * given extend_info_t ei if non NULL. If is_legacy is true, we also generate
-  * the legacy key. On error, NULL is returned.
++ * given extend_info_t ei if non NULL.
++ * If is_legacy is true, we also generate the legacy key.
++ * If supports_ed25519_link_handshake_any is true, we add the relay's ed25519
++ * key to the link specifiers.
 + *
 + * If ei is NULL, returns a hs_service_intro_point_t with an empty link
 + * specifier list and no onion key. (This is used for testing.)
++ * On any other error, NULL is returned.
 + *
 + * ei must be an extend_info_t containing an IPv4 address. (We will add supoort
 + * for IPv6 in a later release.) When calling extend_info_from_node(), pass
 + * 0 in for_direct_connection to make sure ei always has an IPv4 address. */
 +STATIC hs_service_intro_point_t *
- service_intro_point_new(const extend_info_t *ei, unsigned int is_legacy)
++service_intro_point_new(const extend_info_t *ei, unsigned int is_legacy,
++                        unsigned int supports_ed25519_link_handshake_any)
 +{
 +  hs_desc_link_specifier_t *ls;
 +  hs_service_intro_point_t *ip;
 +
 +  ip = tor_malloc_zero(sizeof(*ip));
 +  /* We'll create the key material. No need for extra strong, those are short
 +   * term keys. */
 +  ed25519_keypair_generate(&ip->auth_key_kp, 0);
 +
 +  { /* Set introduce2 max cells limit */
 +    int32_t min_introduce2_cells = get_intro_point_min_introduce2();
 +    int32_t max_introduce2_cells = get_intro_point_max_introduce2();
 +    if (BUG(max_introduce2_cells < min_introduce2_cells)) {
 +      goto err;
 +    }
 +    ip->introduce2_max = crypto_rand_int_range(min_introduce2_cells,
 +                                               max_introduce2_cells);
 +  }
 +  { /* Set intro point lifetime */
 +    int32_t intro_point_min_lifetime = get_intro_point_min_lifetime();
 +    int32_t intro_point_max_lifetime = get_intro_point_max_lifetime();
 +    if (BUG(intro_point_max_lifetime < intro_point_min_lifetime)) {
 +      goto err;
 +    }
 +    ip->time_to_expire = approx_time() +
 +      crypto_rand_int_range(intro_point_min_lifetime,intro_point_max_lifetime);
 +  }
 +
 +  ip->replay_cache = replaycache_new(0, 0);
 +
 +  /* Initialize the base object. We don't need the certificate object. */
 +  ip->base.link_specifiers = smartlist_new();
 +
 +  /* Generate the encryption key for this intro point. */
 +  curve25519_keypair_generate(&ip->enc_key_kp, 0);
 +  /* Figure out if this chosen node supports v3 or is legacy only. */
 +  if (is_legacy) {
 +    ip->base.is_only_legacy = 1;
 +    /* Legacy mode that is doesn't support v3+ with ed25519 auth key. */
 +    ip->legacy_key = crypto_pk_new();
 +    if (crypto_pk_generate_key(ip->legacy_key) < 0) {
 +      goto err;
 +    }
 +    if (crypto_pk_get_digest(ip->legacy_key,
 +                             (char *) ip->legacy_key_digest) < 0) {
 +      goto err;
 +    }
 +  }
 +
 +  if (ei == NULL) {
 +    goto done;
 +  }
 +
 +  /* We'll try to add all link specifiers. Legacy is mandatory.
 +   * IPv4 or IPv6 is required, and we always send IPv4. */
 +  ls = hs_desc_link_specifier_new(ei, LS_IPV4);
 +  /* It is impossible to have an extend info object without a v4. */
 +  if (BUG(!ls)) {
 +    goto err;
 +  }
 +  smartlist_add(ip->base.link_specifiers, ls);
 +
 +  ls = hs_desc_link_specifier_new(ei, LS_LEGACY_ID);
 +  /* It is impossible to have an extend info object without an identity
 +   * digest. */
 +  if (BUG(!ls)) {
 +    goto err;
 +  }
 +  smartlist_add(ip->base.link_specifiers, ls);
 +
-   /* ed25519 identity key is optional for intro points */
-   ls = hs_desc_link_specifier_new(ei, LS_ED25519_ID);
-   if (ls) {
-     smartlist_add(ip->base.link_specifiers, ls);
++  /* ed25519 identity key is optional for intro points. If the node supports
++   * ed25519 link authentication, we include it. */
++  if (supports_ed25519_link_handshake_any) {
++    ls = hs_desc_link_specifier_new(ei, LS_ED25519_ID);
++    if (ls) {
++      smartlist_add(ip->base.link_specifiers, ls);
++    }
 +  }
 +
 +  /* IPv6 is not supported in this release. */
 +
 +  /* Finally, copy onion key from the extend_info_t object. */
 +  memcpy(&ip->onion_key, &ei->curve25519_onion_key, sizeof(ip->onion_key));
 +
 + done:
 +  return ip;
 + err:
 +  service_intro_point_free(ip);
 +  return NULL;
 +}
 +
 +/* Add the given intro point object to the given intro point map. The intro
 + * point MUST have its RSA encryption key set if this is a legacy type or the
 + * authentication key set otherwise. */
 +STATIC void
 +service_intro_point_add(digest256map_t *map, hs_service_intro_point_t *ip)
 +{
 +  hs_service_intro_point_t *old_ip_entry;
 +
 +  tor_assert(map);
 +  tor_assert(ip);
 +
 +  old_ip_entry = digest256map_set(map, ip->auth_key_kp.pubkey.pubkey, ip);
 +  /* Make sure we didn't just try to double-add an intro point */
 +  tor_assert_nonfatal(!old_ip_entry);
 +}
 +
 +/* For a given service, remove the intro point from that service's descriptors
 + * (check both current and next descriptor) */
 +STATIC void
 +service_intro_point_remove(const hs_service_t *service,
 +                           const hs_service_intro_point_t *ip)
 +{
 +  tor_assert(service);
 +  tor_assert(ip);
 +
 +  /* Trying all descriptors. */
 +  FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +    /* We'll try to remove the descriptor on both descriptors which is not
 +     * very expensive to do instead of doing loopup + remove. */
 +    digest256map_remove(desc->intro_points.map,
 +                        ip->auth_key_kp.pubkey.pubkey);
 +  } FOR_EACH_DESCRIPTOR_END;
 +}
 +
 +/* For a given service and authentication key, return the intro point or NULL
 + * if not found. This will check both descriptors in the service. */
 +STATIC hs_service_intro_point_t *
 +service_intro_point_find(const hs_service_t *service,
 +                         const ed25519_public_key_t *auth_key)
 +{
 +  hs_service_intro_point_t *ip = NULL;
 +
 +  tor_assert(service);
 +  tor_assert(auth_key);
 +
 +  /* Trying all descriptors to find the right intro point.
 +   *
 +   * Even if we use the same node as intro point in both descriptors, the node
 +   * will have a different intro auth key for each descriptor since we generate
 +   * a new one everytime we pick an intro point.
 +   *
 +   * After #22893 gets implemented, intro points will be moved to be
 +   * per-service instead of per-descriptor so this function will need to
 +   * change.
 +   */
 +  FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +    if ((ip = digest256map_get(desc->intro_points.map,
 +                               auth_key->pubkey)) != NULL) {
 +      break;
 +    }
 +  } FOR_EACH_DESCRIPTOR_END;
 +
 +  return ip;
 +}
 +
 +/* For a given service and intro point, return the descriptor for which the
 + * intro point is assigned to. NULL is returned if not found. */
 +STATIC hs_service_descriptor_t *
 +service_desc_find_by_intro(const hs_service_t *service,
 +                           const hs_service_intro_point_t *ip)
 +{
 +  hs_service_descriptor_t *descp = NULL;
 +
 +  tor_assert(service);
 +  tor_assert(ip);
 +
 +  FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +    if (digest256map_get(desc->intro_points.map,
 +                         ip->auth_key_kp.pubkey.pubkey)) {
 +      descp = desc;
 +      break;
 +    }
 +  } FOR_EACH_DESCRIPTOR_END;
 +
 +  return descp;
 +}
 +
 +/* From a circuit identifier, get all the possible objects associated with the
 + * ident. If not NULL, service, ip or desc are set if the object can be found.
 + * They are untouched if they can't be found.
 + *
 + * This is an helper function because we do those lookups often so it's more
 + * convenient to simply call this functions to get all the things at once. */
 +STATIC void
 +get_objects_from_ident(const hs_ident_circuit_t *ident,
 +                       hs_service_t **service, hs_service_intro_point_t **ip,
 +                       hs_service_descriptor_t **desc)
 +{
 +  hs_service_t *s;
 +
 +  tor_assert(ident);
 +
 +  /* Get service object from the circuit identifier. */
 +  s = find_service(hs_service_map, &ident->identity_pk);
 +  if (s && service) {
 +    *service = s;
 +  }
 +
 +  /* From the service object, get the intro point object of that circuit. The
 +   * following will query both descriptors intro points list. */
 +  if (s && ip) {
 +    *ip = service_intro_point_find(s, &ident->intro_auth_pk);
 +  }
 +
 +  /* Get the descriptor for this introduction point and service. */
 +  if (s && ip && *ip && desc) {
 +    *desc = service_desc_find_by_intro(s, *ip);
 +  }
 +}
 +
 +/* From a given intro point, return the first link specifier of type
 + * encountered in the link specifier list. Return NULL if it can't be found.
 + *
 + * The caller does NOT have ownership of the object, the intro point does. */
 +static hs_desc_link_specifier_t *
 +get_link_spec_by_type(const hs_service_intro_point_t *ip, uint8_t type)
 +{
 +  hs_desc_link_specifier_t *lnk_spec = NULL;
 +
 +  tor_assert(ip);
 +
 +  SMARTLIST_FOREACH_BEGIN(ip->base.link_specifiers,
 +                          hs_desc_link_specifier_t *, ls) {
 +    if (ls->type == type) {
 +      lnk_spec = ls;
 +      goto end;
 +    }
 +  } SMARTLIST_FOREACH_END(ls);
 +
 + end:
 +  return lnk_spec;
 +}
 +
 +/* Given a service intro point, return the node_t associated to it. This can
 + * return NULL if the given intro point has no legacy ID or if the node can't
 + * be found in the consensus. */
 +STATIC const node_t *
 +get_node_from_intro_point(const hs_service_intro_point_t *ip)
 +{
 +  const hs_desc_link_specifier_t *ls;
 +
 +  tor_assert(ip);
 +
 +  ls = get_link_spec_by_type(ip, LS_LEGACY_ID);
 +  if (BUG(!ls)) {
 +    return NULL;
 +  }
 +  /* XXX In the future, we want to only use the ed25519 ID (#22173). */
 +  return node_get_by_id((const char *) ls->u.legacy_id);
 +}
 +
 +/* Given a service intro point, return the extend_info_t for it. This can
 + * return NULL if the node can't be found for the intro point or the extend
 + * info can't be created for the found node. If direct_conn is set, the extend
 + * info is validated on if we can connect directly. */
 +static extend_info_t *
 +get_extend_info_from_intro_point(const hs_service_intro_point_t *ip,
 +                                 unsigned int direct_conn)
 +{
 +  extend_info_t *info = NULL;
 +  const node_t *node;
 +
 +  tor_assert(ip);
 +
 +  node = get_node_from_intro_point(ip);
 +  if (node == NULL) {
 +    /* This can happen if the relay serving as intro point has been removed
 +     * from the consensus. In that case, the intro point will be removed from
 +     * the descriptor during the scheduled events. */
 +    goto end;
 +  }
 +
 +  /* In the case of a direct connection (single onion service), it is possible
 +   * our firewall policy won't allow it so this can return a NULL value. */
 +  info = extend_info_from_node(node, direct_conn);
 +
 + end:
 +  return info;
 +}
 +
 +/* Return the number of introduction points that are established for the
 + * given descriptor. */
 +static unsigned int
 +count_desc_circuit_established(const hs_service_descriptor_t *desc)
 +{
 +  unsigned int count = 0;
 +
 +  tor_assert(desc);
 +
 +  DIGEST256MAP_FOREACH(desc->intro_points.map, key,
 +                       const hs_service_intro_point_t *, ip) {
 +    count += ip->circuit_established;
 +  } DIGEST256MAP_FOREACH_END;
 +
 +  return count;
 +}
 +
 +/* For a given service and descriptor of that service, close all active
 + * directory connections. */
 +static void
 +close_directory_connections(const hs_service_t *service,
 +                            const hs_service_descriptor_t *desc)
 +{
 +  unsigned int count = 0;
 +  smartlist_t *dir_conns;
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +
 +  /* Close pending HS desc upload connections for the blinded key of 'desc'. */
 +  dir_conns = connection_list_by_type_purpose(CONN_TYPE_DIR,
 +                                              DIR_PURPOSE_UPLOAD_HSDESC);
 +  SMARTLIST_FOREACH_BEGIN(dir_conns, connection_t *, conn) {
 +    dir_connection_t *dir_conn = TO_DIR_CONN(conn);
 +    if (ed25519_pubkey_eq(&dir_conn->hs_ident->identity_pk,
 +                          &service->keys.identity_pk) &&
 +        ed25519_pubkey_eq(&dir_conn->hs_ident->blinded_pk,
 +                          &desc->blinded_kp.pubkey)) {
 +      connection_mark_for_close(conn);
 +      count++;
 +      continue;
 +    }
 +  } SMARTLIST_FOREACH_END(conn);
 +
 +  log_info(LD_REND, "Closed %u active service directory connections for "
 +                    "descriptor %s of service %s",
 +           count, safe_str_client(ed25519_fmt(&desc->blinded_kp.pubkey)),
 +           safe_str_client(service->onion_address));
 +  /* We don't have ownership of the objects in this list. */
 +  smartlist_free(dir_conns);
 +}
 +
 +/* Close all rendezvous circuits for the given service. */
 +static void
 +close_service_rp_circuits(hs_service_t *service)
 +{
 +  origin_circuit_t *ocirc = NULL;
 +
 +  tor_assert(service);
 +
 +  /* The reason we go over all circuit instead of using the circuitmap API is
 +   * because most hidden service circuits are rendezvous circuits so there is
 +   * no real improvement at getting all rendezvous circuits from the
 +   * circuitmap and then going over them all to find the right ones.
 +   * Furthermore, another option would have been to keep a list of RP cookies
 +   * for a service but it creates an engineering complexity since we don't
 +   * have a "RP circuit closed" event to clean it up properly so we avoid a
 +   * memory DoS possibility. */
 +
 +  while ((ocirc = circuit_get_next_service_rp_circ(ocirc))) {
 +    /* Only close circuits that are v3 and for this service. */
 +    if (ocirc->hs_ident != NULL &&
 +        ed25519_pubkey_eq(&ocirc->hs_ident->identity_pk,
 +                          &service->keys.identity_pk)) {
 +      /* Reason is FINISHED because service has been removed and thus the
 +       * circuit is considered old/uneeded. When freed, it is removed from the
 +       * hs circuitmap. */
 +      circuit_mark_for_close(TO_CIRCUIT(ocirc), END_CIRC_REASON_FINISHED);
 +    }
 +  }
 +}
 +
 +/* Close the circuit(s) for the given map of introduction points. */
 +static void
 +close_intro_circuits(hs_service_intropoints_t *intro_points)
 +{
 +  tor_assert(intro_points);
 +
 +  DIGEST256MAP_FOREACH(intro_points->map, key,
 +                       const hs_service_intro_point_t *, ip) {
 +    origin_circuit_t *ocirc = hs_circ_service_get_intro_circ(ip);
 +    if (ocirc) {
 +      /* Reason is FINISHED because service has been removed and thus the
 +       * circuit is considered old/uneeded. When freed, the circuit is removed
 +       * from the HS circuitmap. */
 +      circuit_mark_for_close(TO_CIRCUIT(ocirc), END_CIRC_REASON_FINISHED);
 +    }
 +  } DIGEST256MAP_FOREACH_END;
 +}
 +
 +/* Close all introduction circuits for the given service. */
 +static void
 +close_service_intro_circuits(hs_service_t *service)
 +{
 +  tor_assert(service);
 +
 +  FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +    close_intro_circuits(&desc->intro_points);
 +  } FOR_EACH_DESCRIPTOR_END;
 +}
 +
 +/* Close any circuits related to the given service. */
 +static void
 +close_service_circuits(hs_service_t *service)
 +{
 +  tor_assert(service);
 +
 +  /* Only support for version >= 3. */
 +  if (BUG(service->config.version < HS_VERSION_THREE)) {
 +    return;
 +  }
 +  /* Close intro points. */
 +  close_service_intro_circuits(service);
 +  /* Close rendezvous points. */
 +  close_service_rp_circuits(service);
 +}
 +
 +/* Move every ephemeral services from the src service map to the dst service
 + * map. It is possible that a service can't be register to the dst map which
 + * won't stop the process of moving them all but will trigger a log warn. */
 +static void
 +move_ephemeral_services(hs_service_ht *src, hs_service_ht *dst)
 +{
 +  hs_service_t **iter, **next;
 +
 +  tor_assert(src);
 +  tor_assert(dst);
 +
 +  /* Iterate over the map to find ephemeral service and move them to the other
 +   * map. We loop using this method to have a safe removal process. */
 +  for (iter = HT_START(hs_service_ht, src); iter != NULL; iter = next) {
 +    hs_service_t *s = *iter;
 +    if (!s->config.is_ephemeral) {
 +      /* Yeah, we are in a very manual loop :). */
 +      next = HT_NEXT(hs_service_ht, src, iter);
 +      continue;
 +    }
 +    /* Remove service from map and then register to it to the other map.
 +     * Reminder that "*iter" and "s" are the same thing. */
 +    next = HT_NEXT_RMV(hs_service_ht, src, iter);
 +    if (register_service(dst, s) < 0) {
 +      log_warn(LD_BUG, "Ephemeral service key is already being used. "
 +                       "Skipping.");
 +    }
 +  }
 +}
 +
 +/* Return a const string of the directory path escaped. If this is an
 + * ephemeral service, it returns "[EPHEMERAL]". This can only be called from
 + * the main thread because escaped() uses a static variable. */
 +static const char *
 +service_escaped_dir(const hs_service_t *s)
 +{
 +  return (s->config.is_ephemeral) ? "[EPHEMERAL]" :
 +                                    escaped(s->config.directory_path);
 +}
 +
 +/** Move the hidden service state from <b>src</b> to <b>dst</b>. We do this
 + *  when we receive a SIGHUP: <b>dst</b> is the post-HUP service */
 +static void
 +move_hs_state(hs_service_t *src_service, hs_service_t *dst_service)
 +{
 +  tor_assert(src_service);
 +  tor_assert(dst_service);
 +
 +  hs_service_state_t *src = &src_service->state;
 +  hs_service_state_t *dst = &dst_service->state;
 +
 +  /* Let's do a shallow copy */
 +  dst->intro_circ_retry_started_time = src->intro_circ_retry_started_time;
 +  dst->num_intro_circ_launched = src->num_intro_circ_launched;
 +  /* Freeing a NULL replaycache triggers an info LD_BUG. */
 +  if (dst->replay_cache_rend_cookie != NULL) {
 +    replaycache_free(dst->replay_cache_rend_cookie);
 +  }
 +  dst->replay_cache_rend_cookie = src->replay_cache_rend_cookie;
 +
 +  src->replay_cache_rend_cookie = NULL; /* steal pointer reference */
 +}
 +
 +/* Register services that are in the staging list. Once this function returns,
 + * the global service map will be set with the right content and all non
 + * surviving services will be cleaned up. */
 +static void
 +register_all_services(void)
 +{
 +  struct hs_service_ht *new_service_map;
 +
 +  tor_assert(hs_service_staging_list);
 +
 +  /* Allocate a new map that will replace the current one. */
 +  new_service_map = tor_malloc_zero(sizeof(*new_service_map));
 +  HT_INIT(hs_service_ht, new_service_map);
 +
 +  /* First step is to transfer all ephemeral services from the current global
 +   * map to the new one we are constructing. We do not prune ephemeral
 +   * services as the only way to kill them is by deleting it from the control
 +   * port or stopping the tor daemon. */
 +  move_ephemeral_services(hs_service_map, new_service_map);
 +
 +  SMARTLIST_FOREACH_BEGIN(hs_service_staging_list, hs_service_t *, snew) {
 +    hs_service_t *s;
 +
 +    /* Check if that service is already in our global map and if so, we'll
 +     * transfer the intro points to it. */
 +    s = find_service(hs_service_map, &snew->keys.identity_pk);
 +    if (s) {
 +      /* Pass ownership of the descriptors from s (the current service) to
 +       * snew (the newly configured one). */
 +      move_descriptors(s, snew);
 +      move_hs_state(s, snew);
 +      /* Remove the service from the global map because after this, we need to
 +       * go over the remaining service in that map that aren't surviving the
 +       * reload to close their circuits. */
 +      remove_service(hs_service_map, s);
 +      hs_service_free(s);
 +    }
 +    /* Great, this service is now ready to be added to our new map. */
 +    if (BUG(register_service(new_service_map, snew) < 0)) {
 +      /* This should never happen because prior to registration, we validate
 +       * every service against the entire set. Not being able to register a
 +       * service means we failed to validate correctly. In that case, don't
 +       * break tor and ignore the service but tell user. */
 +      log_warn(LD_BUG, "Unable to register service with directory %s",
 +               service_escaped_dir(snew));
 +      SMARTLIST_DEL_CURRENT(hs_service_staging_list, snew);
 +      hs_service_free(snew);
 +    }
 +  } SMARTLIST_FOREACH_END(snew);
 +
 +  /* Close any circuits associated with the non surviving services. Every
 +   * service in the current global map are roaming. */
 +  FOR_EACH_SERVICE_BEGIN(service) {
 +    close_service_circuits(service);
 +  } FOR_EACH_SERVICE_END;
 +
 +  /* Time to make the switch. We'll clear the staging list because its content
 +   * has now changed ownership to the map. */
 +  smartlist_clear(hs_service_staging_list);
 +  service_free_all();
 +  hs_service_map = new_service_map;
 +  /* We've just register services into the new map and now we've replaced the
 +   * global map with it so we have to notify that the change happened. When
 +   * registering a service, the notify is only triggered if the destination
 +   * map is the global map for which in here it was not. */
 +  hs_service_map_has_changed();
 +}
 +
 +/* Write the onion address of a given service to the given filename fname_ in
 + * the service directory. Return 0 on success else -1 on error. */
 +STATIC int
 +write_address_to_file(const hs_service_t *service, const char *fname_)
 +{
 +  int ret = -1;
 +  char *fname = NULL;
 +  char *addr_buf = NULL;
 +
 +  tor_assert(service);
 +  tor_assert(fname_);
 +
 +  /* Construct the full address with the onion tld and write the hostname file
 +   * to disk. */
 +  tor_asprintf(&addr_buf, "%s.%s\n", service->onion_address, address_tld);
 +  /* Notice here that we use the given "fname_". */
 +  fname = hs_path_from_filename(service->config.directory_path, fname_);
 +  if (write_str_to_file(fname, addr_buf, 0) < 0) {
 +    log_warn(LD_REND, "Could not write onion address to hostname file %s",
 +             escaped(fname));
 +    goto end;
 +  }
 +
 +#ifndef _WIN32
 +  if (service->config.dir_group_readable) {
 +    /* Mode to 0640. */
 +    if (chmod(fname, S_IRUSR | S_IWUSR | S_IRGRP) < 0) {
 +      log_warn(LD_FS, "Unable to make onion service hostname file %s "
 +                      "group-readable.", escaped(fname));
 +    }
 +  }
 +#endif /* !defined(_WIN32) */
 +
 +  /* Success. */
 +  ret = 0;
 + end:
 +  tor_free(fname);
 +  tor_free(addr_buf);
 +  return ret;
 +}
 +
 +/* Load and/or generate private keys for the given service. On success, the
 + * hostname file will be written to disk along with the master private key iff
 + * the service is not configured for offline keys. Return 0 on success else -1
 + * on failure. */
 +static int
 +load_service_keys(hs_service_t *service)
 +{
 +  int ret = -1;
 +  char *fname = NULL;
 +  ed25519_keypair_t *kp;
 +  const hs_service_config_t *config;
 +
 +  tor_assert(service);
 +
 +  config = &service->config;
 +
 +  /* Create and fix permission on service directory. We are about to write
 +   * files to that directory so make sure it exists and has the right
 +   * permissions. We do this here because at this stage we know that Tor is
 +   * actually running and the service we have has been validated. */
 +  if (BUG(hs_check_service_private_dir(get_options()->User,
 +                                       config->directory_path,
 +                                       config->dir_group_readable, 1) < 0)) {
 +    goto end;
 +  }
 +
 +  /* Try to load the keys from file or generate it if not found. */
 +  fname = hs_path_from_filename(config->directory_path, fname_keyfile_prefix);
 +  /* Don't ask for key creation, we want to know if we were able to load it or
 +   * we had to generate it. Better logging! */
 +  kp = ed_key_init_from_file(fname, INIT_ED_KEY_SPLIT, LOG_INFO, NULL, 0, 0,
 +                             0, NULL);
 +  if (!kp) {
 +    log_info(LD_REND, "Unable to load keys from %s. Generating it...", fname);
 +    /* We'll now try to generate the keys and for it we want the strongest
 +     * randomness for it. The keypair will be written in different files. */
 +    uint32_t key_flags = INIT_ED_KEY_CREATE | INIT_ED_KEY_EXTRA_STRONG |
 +                         INIT_ED_KEY_SPLIT;
 +    kp = ed_key_init_from_file(fname, key_flags, LOG_WARN, NULL, 0, 0, 0,
 +                               NULL);
 +    if (!kp) {
 +      log_warn(LD_REND, "Unable to generate keys and save in %s.", fname);
 +      goto end;
 +    }
 +  }
 +
 +  /* Copy loaded or generated keys to service object. */
 +  ed25519_pubkey_copy(&service->keys.identity_pk, &kp->pubkey);
 +  memcpy(&service->keys.identity_sk, &kp->seckey,
 +         sizeof(service->keys.identity_sk));
 +  /* This does a proper memory wipe. */
 +  ed25519_keypair_free(kp);
 +
 +  /* Build onion address from the newly loaded keys. */
 +  tor_assert(service->config.version <= UINT8_MAX);
 +  hs_build_address(&service->keys.identity_pk,
 +                   (uint8_t) service->config.version,
 +                   service->onion_address);
 +
 +  /* Write onion address to hostname file. */
 +  if (write_address_to_file(service, fname_hostname) < 0) {
 +    goto end;
 +  }
 +
 +  /* Succes. */
 +  ret = 0;
 + end:
 +  tor_free(fname);
 +  return ret;
 +}
 +
 +/* Free a given service descriptor object and all key material is wiped. */
 +STATIC void
 +service_descriptor_free_(hs_service_descriptor_t *desc)
 +{
 +  if (!desc) {
 +    return;
 +  }
 +  hs_descriptor_free(desc->desc);
 +  memwipe(&desc->signing_kp, 0, sizeof(desc->signing_kp));
 +  memwipe(&desc->blinded_kp, 0, sizeof(desc->blinded_kp));
 +  /* Cleanup all intro points. */
 +  digest256map_free(desc->intro_points.map, service_intro_point_free_void);
 +  digestmap_free(desc->intro_points.failed_id, tor_free_);
 +  if (desc->previous_hsdirs) {
 +    SMARTLIST_FOREACH(desc->previous_hsdirs, char *, s, tor_free(s));
 +    smartlist_free(desc->previous_hsdirs);
 +  }
 +  crypto_ope_free(desc->ope_cipher);
 +  tor_free(desc);
 +}
 +
 +/* Return a newly allocated service descriptor object. */
 +STATIC hs_service_descriptor_t *
 +service_descriptor_new(void)
 +{
 +  hs_service_descriptor_t *sdesc = tor_malloc_zero(sizeof(*sdesc));
 +  sdesc->desc = tor_malloc_zero(sizeof(hs_descriptor_t));
 +  /* Initialize the intro points map. */
 +  sdesc->intro_points.map = digest256map_new();
 +  sdesc->intro_points.failed_id = digestmap_new();
 +  sdesc->previous_hsdirs = smartlist_new();
 +  return sdesc;
 +}
 +
 +/* Move descriptor(s) from the src service to the dst service. We do this
 + * during SIGHUP when we re-create our hidden services. */
 +static void
 +move_descriptors(hs_service_t *src, hs_service_t *dst)
 +{
 +  tor_assert(src);
 +  tor_assert(dst);
 +
 +  if (src->desc_current) {
 +    /* Nothing should be there, but clean it up just in case */
 +    if (BUG(dst->desc_current)) {
 +      service_descriptor_free(dst->desc_current);
 +    }
 +    dst->desc_current = src->desc_current;
 +    src->desc_current = NULL;
 +  }
 +
 +  if (src->desc_next) {
 +    /* Nothing should be there, but clean it up just in case */
 +    if (BUG(dst->desc_next)) {
 +      service_descriptor_free(dst->desc_next);
 +    }
 +    dst->desc_next = src->desc_next;
 +    src->desc_next = NULL;
 +  }
 +}
 +
 +/* From the given service, remove all expired failing intro points for each
 + * descriptor. */
 +static void
 +remove_expired_failing_intro(hs_service_t *service, time_t now)
 +{
 +  tor_assert(service);
 +
 +  /* For both descriptors, cleanup the failing intro points list. */
 +  FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +    DIGESTMAP_FOREACH_MODIFY(desc->intro_points.failed_id, key, time_t *, t) {
 +      time_t failure_time = *t;
 +      if ((failure_time + INTRO_CIRC_RETRY_PERIOD) <= now) {
 +        MAP_DEL_CURRENT(key);
 +        tor_free(t);
 +      }
 +    } DIGESTMAP_FOREACH_END;
 +  } FOR_EACH_DESCRIPTOR_END;
 +}
 +
 +/* For the given descriptor desc, put all node_t object found from its failing
 + * intro point list and put them in the given node_list. */
 +static void
 +setup_intro_point_exclude_list(const hs_service_descriptor_t *desc,
 +                               smartlist_t *node_list)
 +{
 +  tor_assert(desc);
 +  tor_assert(node_list);
 +
 +  DIGESTMAP_FOREACH(desc->intro_points.failed_id, key, time_t *, t) {
 +    (void) t; /* Make gcc happy. */
 +    const node_t *node = node_get_by_id(key);
 +    if (node) {
 +      smartlist_add(node_list, (void *) node);
 +    }
 +  } DIGESTMAP_FOREACH_END;
 +}
 +
 +/* For the given failing intro point ip, we add its time of failure to the
 + * failed map and index it by identity digest (legacy ID) in the descriptor
 + * desc failed id map. */
 +static void
 +remember_failing_intro_point(const hs_service_intro_point_t *ip,
 +                             hs_service_descriptor_t *desc, time_t now)
 +{
 +  time_t *time_of_failure, *prev_ptr;
 +  const hs_desc_link_specifier_t *legacy_ls;
 +
 +  tor_assert(ip);
 +  tor_assert(desc);
 +
 +  time_of_failure = tor_malloc_zero(sizeof(time_t));
 +  *time_of_failure = now;
 +  legacy_ls = get_link_spec_by_type(ip, LS_LEGACY_ID);
 +  tor_assert(legacy_ls);
 +  prev_ptr = digestmap_set(desc->intro_points.failed_id,
 +                           (const char *) legacy_ls->u.legacy_id,
 +                           time_of_failure);
 +  tor_free(prev_ptr);
 +}
 +
 +/* Copy the descriptor link specifier object from src to dst. */
 +static void
 +link_specifier_copy(hs_desc_link_specifier_t *dst,
 +                    const hs_desc_link_specifier_t *src)
 +{
 +  tor_assert(dst);
 +  tor_assert(src);
 +  memcpy(dst, src, sizeof(hs_desc_link_specifier_t));
 +}
 +
 +/* Using a given descriptor signing keypair signing_kp, a service intro point
 + * object ip and the time now, setup the content of an already allocated
 + * descriptor intro desc_ip.
 + *
 + * Return 0 on success else a negative value. */
 +static int
 +setup_desc_intro_point(const ed25519_keypair_t *signing_kp,
 +                       const hs_service_intro_point_t *ip,
 +                       time_t now, hs_desc_intro_point_t *desc_ip)
 +{
 +  int ret = -1;
 +  time_t nearest_hour = now - (now % 3600);
 +
 +  tor_assert(signing_kp);
 +  tor_assert(ip);
 +  tor_assert(desc_ip);
 +
 +  /* Copy the onion key. */
 +  memcpy(&desc_ip->onion_key, &ip->onion_key, sizeof(desc_ip->onion_key));
 +
 +  /* Key and certificate material. */
 +  desc_ip->auth_key_cert = tor_cert_create(signing_kp,
 +                                           CERT_TYPE_AUTH_HS_IP_KEY,
 +                                           &ip->auth_key_kp.pubkey,
 +                                           nearest_hour,
 +                                           HS_DESC_CERT_LIFETIME,
 +                                           CERT_FLAG_INCLUDE_SIGNING_KEY);
 +  if (desc_ip->auth_key_cert == NULL) {
 +    log_warn(LD_REND, "Unable to create intro point auth-key certificate");
 +    goto done;
 +  }
 +
 +  /* Copy link specifier(s). */
 +  SMARTLIST_FOREACH_BEGIN(ip->base.link_specifiers,
 +                          const hs_desc_link_specifier_t *, ls) {
 +    hs_desc_link_specifier_t *copy = tor_malloc_zero(sizeof(*copy));
 +    link_specifier_copy(copy, ls);
 +    smartlist_add(desc_ip->link_specifiers, copy);
 +  } SMARTLIST_FOREACH_END(ls);
 +
 +  /* For a legacy intro point, we'll use an RSA/ed cross certificate. */
 +  if (ip->base.is_only_legacy) {
 +    desc_ip->legacy.key = crypto_pk_dup_key(ip->legacy_key);
 +    /* Create cross certification cert. */
 +    ssize_t cert_len = tor_make_rsa_ed25519_crosscert(
 +                                    &signing_kp->pubkey,
 +                                    desc_ip->legacy.key,
 +                                    nearest_hour + HS_DESC_CERT_LIFETIME,
 +                                    &desc_ip->legacy.cert.encoded);
 +    if (cert_len < 0) {
 +      log_warn(LD_REND, "Unable to create enc key legacy cross cert.");
 +      goto done;
 +    }
 +    desc_ip->legacy.cert.len = cert_len;
 +  }
 +
 +  /* Encryption key and its cross certificate. */
 +  {
 +    ed25519_public_key_t ed25519_pubkey;
 +
 +    /* Use the public curve25519 key. */
 +    memcpy(&desc_ip->enc_key, &ip->enc_key_kp.pubkey,
 +           sizeof(desc_ip->enc_key));
 +    /* The following can't fail. */
 +    ed25519_public_key_from_curve25519_public_key(&ed25519_pubkey,
 +                                                  &ip->enc_key_kp.pubkey,
 +                                                  0);
 +    desc_ip->enc_key_cert = tor_cert_create(signing_kp,
 +                                            CERT_TYPE_CROSS_HS_IP_KEYS,
 +                                            &ed25519_pubkey, nearest_hour,
 +                                            HS_DESC_CERT_LIFETIME,
 +                                            CERT_FLAG_INCLUDE_SIGNING_KEY);
 +    if (desc_ip->enc_key_cert == NULL) {
 +      log_warn(LD_REND, "Unable to create enc key curve25519 cross cert.");
 +      goto done;
 +    }
 +  }
 +  /* Success. */
 +  ret = 0;
 +
 + done:
 +  return ret;
 +}
 +
 +/* Using the given descriptor from the given service, build the descriptor
 + * intro point list so we can then encode the descriptor for publication. This
 + * function does not pick intro points, they have to be in the descriptor
 + * current map. Cryptographic material (keys) must be initialized in the
 + * descriptor for this function to make sense. */
 +static void
 +build_desc_intro_points(const hs_service_t *service,
 +                        hs_service_descriptor_t *desc, time_t now)
 +{
 +  hs_desc_encrypted_data_t *encrypted;
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +
 +  /* Ease our life. */
 +  encrypted = &desc->desc->encrypted_data;
 +  /* Cleanup intro points, we are about to set them from scratch. */
 +  hs_descriptor_clear_intro_points(desc->desc);
 +
 +  DIGEST256MAP_FOREACH(desc->intro_points.map, key,
 +                       const hs_service_intro_point_t *, ip) {
 +    hs_desc_intro_point_t *desc_ip = hs_desc_intro_point_new();
 +    if (setup_desc_intro_point(&desc->signing_kp, ip, now, desc_ip) < 0) {
 +      hs_desc_intro_point_free(desc_ip);
 +      continue;
 +    }
 +    /* We have a valid descriptor intro point. Add it to the list. */
 +    smartlist_add(encrypted->intro_points, desc_ip);
 +  } DIGEST256MAP_FOREACH_END;
 +}
 +
 +/* Populate the descriptor encrypted section from the given service object.
 + * This will generate a valid list of introduction points that can be used
 + * after for circuit creation. Return 0 on success else -1 on error. */
 +static int
 +build_service_desc_encrypted(const hs_service_t *service,
 +                             hs_service_descriptor_t *desc)
 +{
 +  hs_desc_encrypted_data_t *encrypted;
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +
 +  encrypted = &desc->desc->encrypted_data;
 +
 +  encrypted->create2_ntor = 1;
 +  encrypted->single_onion_service = service->config.is_single_onion;
 +
 +  /* Setup introduction points from what we have in the service. */
 +  if (encrypted->intro_points == NULL) {
 +    encrypted->intro_points = smartlist_new();
 +  }
 +  /* We do NOT build introduction point yet, we only do that once the circuit
 +   * have been opened. Until we have the right number of introduction points,
 +   * we do not encode anything in the descriptor. */
 +
 +  /* XXX: Support client authorization (#20700). */
 +  encrypted->intro_auth_types = NULL;
 +  return 0;
 +}
 +
 +/* Populate the descriptor plaintext section from the given service object.
 + * The caller must make sure that the keys in the descriptors are valid that
 + * is are non-zero. Return 0 on success else -1 on error. */
 +static int
 +build_service_desc_plaintext(const hs_service_t *service,
 +                             hs_service_descriptor_t *desc, time_t now)
 +{
 +  int ret = -1;
 +  hs_desc_plaintext_data_t *plaintext;
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +  /* XXX: Use a "assert_desc_ok()" ? */
 +  tor_assert(!tor_mem_is_zero((char *) &desc->blinded_kp,
 +                              sizeof(desc->blinded_kp)));
 +  tor_assert(!tor_mem_is_zero((char *) &desc->signing_kp,
 +                              sizeof(desc->signing_kp)));
 +
 +  /* Set the subcredential. */
 +  hs_get_subcredential(&service->keys.identity_pk, &desc->blinded_kp.pubkey,
 +                       desc->desc->subcredential);
 +
 +  plaintext = &desc->desc->plaintext_data;
 +
 +  plaintext->version = service->config.version;
 +  plaintext->lifetime_sec = HS_DESC_DEFAULT_LIFETIME;
 +  plaintext->signing_key_cert =
 +    tor_cert_create(&desc->blinded_kp, CERT_TYPE_SIGNING_HS_DESC,
 +                    &desc->signing_kp.pubkey, now, HS_DESC_CERT_LIFETIME,
 +                    CERT_FLAG_INCLUDE_SIGNING_KEY);
 +  if (plaintext->signing_key_cert == NULL) {
 +    log_warn(LD_REND, "Unable to create descriptor signing certificate for "
 +                      "service %s",
 +             safe_str_client(service->onion_address));
 +    goto end;
 +  }
 +  /* Copy public key material to go in the descriptor. */
 +  ed25519_pubkey_copy(&plaintext->signing_pubkey, &desc->signing_kp.pubkey);
 +  ed25519_pubkey_copy(&plaintext->blinded_pubkey, &desc->blinded_kp.pubkey);
 +  /* Success. */
 +  ret = 0;
 +
 + end:
 +  return ret;
 +}
 +
 +/** Compute the descriptor's OPE cipher for encrypting revision counters. */
 +static crypto_ope_t *
 +generate_ope_cipher_for_desc(const hs_service_descriptor_t *hs_desc)
 +{
 +  /* Compute OPE key as H("rev-counter-generation" | blinded privkey) */
 +  uint8_t key[DIGEST256_LEN];
 +  crypto_digest_t *digest = crypto_digest256_new(DIGEST_SHA3_256);
 +  const char ope_key_prefix[] = "rev-counter-generation";
 +  const ed25519_secret_key_t *eph_privkey = &hs_desc->blinded_kp.seckey;
 +  crypto_digest_add_bytes(digest, ope_key_prefix, sizeof(ope_key_prefix));
 +  crypto_digest_add_bytes(digest, (char*)eph_privkey->seckey,
 +                          sizeof(eph_privkey->seckey));
 +  crypto_digest_get_digest(digest, (char *)key, sizeof(key));
 +  crypto_digest_free(digest);
 +
 +  return crypto_ope_new(key);
 +}
 +
 +/* For the given service and descriptor object, create the key material which
 + * is the blinded keypair and the descriptor signing keypair. Return 0 on
 + * success else -1 on error where the generated keys MUST be ignored. */
 +static int
 +build_service_desc_keys(const hs_service_t *service,
 +                        hs_service_descriptor_t *desc)
 +{
 +  int ret = 0;
 +  ed25519_keypair_t kp;
 +
 +  tor_assert(desc);
 +  tor_assert(!tor_mem_is_zero((char *) &service->keys.identity_pk,
 +             ED25519_PUBKEY_LEN));
 +
 +  /* XXX: Support offline key feature (#18098). */
 +
 +  /* Copy the identity keys to the keypair so we can use it to create the
 +   * blinded key. */
 +  memcpy(&kp.pubkey, &service->keys.identity_pk, sizeof(kp.pubkey));
 +  memcpy(&kp.seckey, &service->keys.identity_sk, sizeof(kp.seckey));
 +  /* Build blinded keypair for this time period. */
 +  hs_build_blinded_keypair(&kp, NULL, 0, desc->time_period_num,
 +                           &desc->blinded_kp);
 +  /* Let's not keep too much traces of our keys in memory. */
 +  memwipe(&kp, 0, sizeof(kp));
 +
 +  /* Compute the OPE cipher struct (it's tied to the current blinded key) */
 +  log_info(LD_GENERAL,
 +           "Getting OPE for TP#%u", (unsigned) desc->time_period_num);
 +  tor_assert_nonfatal(!desc->ope_cipher);
 +  desc->ope_cipher = generate_ope_cipher_for_desc(desc);
 +
 +  /* No need for extra strong, this is a temporary key only for this
 +   * descriptor. Nothing long term. */
 +  if (ed25519_keypair_generate(&desc->signing_kp, 0) < 0) {
 +    log_warn(LD_REND, "Can't generate descriptor signing keypair for "
 +                      "service %s",
 +             safe_str_client(service->onion_address));
 +    ret = -1;
 +  }
 +
 +  return ret;
 +}
 +
 +/* Given a service and the current time, build a descriptor for the service.
 + * This function does not pick introduction point, this needs to be done by
 + * the update function. On success, desc_out will point to the newly allocated
 + * descriptor object.
 + *
 + * This can error if we are unable to create keys or certificate. */
 +static void
 +build_service_descriptor(hs_service_t *service, time_t now,
 +                         uint64_t time_period_num,
 +                         hs_service_descriptor_t **desc_out)
 +{
 +  char *encoded_desc;
 +  hs_service_descriptor_t *desc;
 +
 +  tor_assert(service);
 +  tor_assert(desc_out);
 +
 +  desc = service_descriptor_new();
 +
 +  /* Set current time period */
 +  desc->time_period_num = time_period_num;
 +
 +  /* Create the needed keys so we can setup the descriptor content. */
 +  if (build_service_desc_keys(service, desc) < 0) {
 +    goto err;
 +  }
 +  /* Setup plaintext descriptor content. */
 +  if (build_service_desc_plaintext(service, desc, now) < 0) {
 +    goto err;
 +  }
 +  /* Setup encrypted descriptor content. */
 +  if (build_service_desc_encrypted(service, desc) < 0) {
 +    goto err;
 +  }
 +
 +  /* Let's make sure that we've created a descriptor that can actually be
 +   * encoded properly. This function also checks if the encoded output is
 +   * decodable after. */
 +  if (BUG(hs_desc_encode_descriptor(desc->desc, &desc->signing_kp,
 +                                    &encoded_desc) < 0)) {
 +    goto err;
 +  }
 +  tor_free(encoded_desc);
 +
 +  /* Assign newly built descriptor to the next slot. */
 +  *desc_out = desc;
 +  /* Fire a CREATED control port event. */
 +  hs_control_desc_event_created(service->onion_address,
 +                                &desc->blinded_kp.pubkey);
 +  return;
 +
 + err:
 +  service_descriptor_free(desc);
 +}
 +
 +/* Build both descriptors for the given service that has just booted up.
 + * Because it's a special case, it deserves its special function ;). */
 +static void
 +build_descriptors_for_new_service(hs_service_t *service, time_t now)
 +{
 +  uint64_t current_desc_tp, next_desc_tp;
 +
 +  tor_assert(service);
 +  /* These are the conditions for a new service. */
 +  tor_assert(!service->desc_current);
 +  tor_assert(!service->desc_next);
 +
 +  /*
 +   * +------------------------------------------------------------------+
 +   * |                                                                  |
 +   * | 00:00      12:00       00:00       12:00       00:00       12:00 |
 +   * | SRV#1      TP#1        SRV#2       TP#2        SRV#3       TP#3  |
 +   * |                                                                  |
 +   * |  $==========|-----------$===========|-----------$===========|    |
 +   * |                             ^         ^                          |
 +   * |                             A         B                          |
 +   * +------------------------------------------------------------------+
 +   *
 +   * Case A: The service boots up before a new time period, the current time
 +   * period is thus TP#1 and the next is TP#2 which for both we have access to
 +   * their SRVs.
 +   *
 +   * Case B: The service boots up inside TP#2, we can't use the TP#3 for the
 +   * next descriptor because we don't have the SRV#3 so the current should be
 +   * TP#1 and next TP#2.
 +   */
 +
 +  if (hs_in_period_between_tp_and_srv(NULL, now)) {
 +    /* Case B from the above, inside of the new time period. */
 +    current_desc_tp = hs_get_previous_time_period_num(0); /* TP#1 */
 +    next_desc_tp = hs_get_time_period_num(0);             /* TP#2 */
 +  } else {
 +    /* Case A from the above, outside of the new time period. */
 +    current_desc_tp = hs_get_time_period_num(0);    /* TP#1 */
 +    next_desc_tp = hs_get_next_time_period_num(0);  /* TP#2 */
 +  }
 +
 +  /* Build descriptors. */
 +  build_service_descriptor(service, now, current_desc_tp,
 +                           &service->desc_current);
 +  build_service_descriptor(service, now, next_desc_tp,
 +                           &service->desc_next);
 +  log_info(LD_REND, "Hidden service %s has just started. Both descriptors "
 +                    "built. Now scheduled for upload.",
 +           safe_str_client(service->onion_address));
 +}
 +
 +/* Build descriptors for each service if needed. There are conditions to build
 + * a descriptor which are details in the function. */
 +STATIC void
 +build_all_descriptors(time_t now)
 +{
 +  FOR_EACH_SERVICE_BEGIN(service) {
 +
 +    /* A service booting up will have both descriptors to NULL. No other cases
 +     * makes both descriptor non existent. */
 +    if (service->desc_current == NULL && service->desc_next == NULL) {
 +      build_descriptors_for_new_service(service, now);
 +      continue;
 +    }
 +
 +    /* Reaching this point means we are pass bootup so at runtime. We should
 +     * *never* have an empty current descriptor. If the next descriptor is
 +     * empty, we'll try to build it for the next time period. This only
 +     * happens when we rotate meaning that we are guaranteed to have a new SRV
 +     * at that point for the next time period. */
 +    if (BUG(service->desc_current == NULL)) {
 +      continue;
 +    }
 +
 +    if (service->desc_next == NULL) {
 +      build_service_descriptor(service, now, hs_get_next_time_period_num(0),
 +                               &service->desc_next);
 +      log_info(LD_REND, "Hidden service %s next descriptor successfully "
 +                        "built. Now scheduled for upload.",
 +               safe_str_client(service->onion_address));
 +    }
 +  } FOR_EACH_DESCRIPTOR_END;
 +}
 +
 +/* Randomly pick a node to become an introduction point but not present in the
 + * given exclude_nodes list. The chosen node is put in the exclude list
 + * regardless of success or not because in case of failure, the node is simply
 + * unsusable from that point on.
 + *
 + * If direct_conn is set, try to pick a node that our local firewall/policy
 + * allows us to connect to directly. If we can't find any, return NULL.
 + * This function supports selecting dual-stack nodes for direct single onion
 + * service IPv6 connections. But it does not send IPv6 addresses in link
 + * specifiers. (Current clients don't use IPv6 addresses to extend, and
 + * direct client connections to intro points are not supported.)
 + *
 + * Return a newly allocated service intro point ready to be used for encoding.
 + * Return NULL on error. */
 +static hs_service_intro_point_t *
 +pick_intro_point(unsigned int direct_conn, smartlist_t *exclude_nodes)
 +{
 +  const node_t *node;
 +  extend_info_t *info = NULL;
 +  hs_service_intro_point_t *ip = NULL;
 +  /* Normal 3-hop introduction point flags. */
 +  router_crn_flags_t flags = CRN_NEED_UPTIME | CRN_NEED_DESC;
 +  /* Single onion flags. */
 +  router_crn_flags_t direct_flags = flags | CRN_PREF_ADDR | CRN_DIRECT_CONN;
 +
 +  node = router_choose_random_node(exclude_nodes, get_options()->ExcludeNodes,
 +                                   direct_conn ? direct_flags : flags);
 +  /* Unable to find a node. When looking for a node for a direct connection,
 +   * we could try a 3-hop path instead. We'll add support for this in a later
 +   * release. */
 +  if (!node) {
 +    goto err;
 +  }
 +
 +  /* We have a suitable node, add it to the exclude list. We do this *before*
 +   * we can validate the extend information because even in case of failure,
 +   * we don't want to use that node anymore. */
 +  smartlist_add(exclude_nodes, (void *) node);
 +
 +  /* We do this to ease our life but also this call makes appropriate checks
 +   * of the node object such as validating ntor support for instance.
 +   *
 +   * We must provide an extend_info for clients to connect over a 3-hop path,
 +   * so we don't pass direct_conn here. */
 +  info = extend_info_from_node(node, 0);
 +  if (BUG(info == NULL)) {
 +    goto err;
 +  }
 +
 +  /* Let's do a basic sanity check here so that we don't end up advertising the
 +   * ed25519 identity key of relays that don't actually support the link
 +   * protocol */
 +  if (!node_supports_ed25519_link_authentication(node, 0)) {
 +    tor_assert_nonfatal(ed25519_public_key_is_zero(&info->ed_identity));
 +  } else {
 +    /* Make sure we *do* have an ed key if we support the link authentication.
 +     * Sending an empty key would result in a failure to extend. */
 +    tor_assert_nonfatal(!ed25519_public_key_is_zero(&info->ed_identity));
 +  }
 +
-   /* Create our objects and populate them with the node information. */
-   ip = service_intro_point_new(info, !node_supports_ed25519_hs_intro(node));
++  /* Create our objects and populate them with the node information.
++   * We don't care if the intro's link auth is compatible with us, because
++   * we are sending the ed25519 key to a remote client via the descriptor. */
++  ip = service_intro_point_new(info, !node_supports_ed25519_hs_intro(node),
++                               node_supports_ed25519_link_authentication(node,
++                                                                         0));
 +  if (ip == NULL) {
 +    goto err;
 +  }
 +
 +  log_info(LD_REND, "Picked intro point: %s", extend_info_describe(info));
 +  extend_info_free(info);
 +  return ip;
 + err:
 +  service_intro_point_free(ip);
 +  extend_info_free(info);
 +  return NULL;
 +}
 +
 +/* For a given descriptor from the given service, pick any needed intro points
 + * and update the current map with those newly picked intro points. Return the
 + * number node that might have been added to the descriptor current map. */
 +static unsigned int
 +pick_needed_intro_points(hs_service_t *service,
 +                         hs_service_descriptor_t *desc)
 +{
 +  int i = 0, num_needed_ip;
 +  smartlist_t *exclude_nodes = smartlist_new();
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +
 +  /* Compute how many intro points we actually need to open. */
 +  num_needed_ip = service->config.num_intro_points -
 +                  digest256map_size(desc->intro_points.map);
 +  if (BUG(num_needed_ip < 0)) {
 +    /* Let's not make tor freak out here and just skip this. */
 +    goto done;
 +  }
 +
 +  /* We want to end up with config.num_intro_points intro points, but if we
 +   * have no intro points at all (chances are they all cycled or we are
 +   * starting up), we launch get_intro_point_num_extra() extra circuits and
 +   * use the first config.num_intro_points that complete. See proposal #155,
 +   * section 4 for the rationale of this which is purely for performance.
 +   *
 +   * The ones after the first config.num_intro_points will be converted to
 +   * 'General' internal circuits and then we'll drop them from the list of
 +   * intro points. */
 +  if (digest256map_size(desc->intro_points.map) == 0) {
 +    num_needed_ip += get_intro_point_num_extra();
 +  }
 +
 +  /* Build an exclude list of nodes of our intro point(s). The expiring intro
 +   * points are OK to pick again because this is afterall a concept of round
 +   * robin so they are considered valid nodes to pick again. */
 +  DIGEST256MAP_FOREACH(desc->intro_points.map, key,
 +                       hs_service_intro_point_t *, ip) {
 +    const node_t *intro_node = get_node_from_intro_point(ip);
 +    if (intro_node) {
 +      smartlist_add(exclude_nodes, (void*)intro_node);
 +    }
 +  } DIGEST256MAP_FOREACH_END;
 +  /* Also, add the failing intro points that our descriptor encounteered in
 +   * the exclude node list. */
 +  setup_intro_point_exclude_list(desc, exclude_nodes);
 +
 +  for (i = 0; i < num_needed_ip; i++) {
 +    hs_service_intro_point_t *ip;
 +
 +    /* This function will add the picked intro point node to the exclude nodes
 +     * list so we don't pick the same one at the next iteration. */
 +    ip = pick_intro_point(service->config.is_single_onion, exclude_nodes);
 +    if (ip == NULL) {
 +      /* If we end up unable to pick an introduction point it is because we
 +       * can't find suitable node and calling this again is highly unlikely to
 +       * give us a valid node all of the sudden. */
 +      log_info(LD_REND, "Unable to find a suitable node to be an "
 +                        "introduction point for service %s.",
 +               safe_str_client(service->onion_address));
 +      goto done;
 +    }
 +    /* Valid intro point object, add it to the descriptor current map. */
 +    service_intro_point_add(desc->intro_points.map, ip);
 +  }
 +  /* We've successfully picked all our needed intro points thus none are
 +   * missing which will tell our upload process to expect the number of
 +   * circuits to be the number of configured intro points circuits and not the
 +   * number of intro points object that we have. */
 +  desc->missing_intro_points = 0;
 +
 +  /* Success. */
 + done:
 +  /* We don't have ownership of the node_t object in this list. */
 +  smartlist_free(exclude_nodes);
 +  return i;
 +}
 +
 +/** Clear previous cached HSDirs in <b>desc</b>. */
 +static void
 +service_desc_clear_previous_hsdirs(hs_service_descriptor_t *desc)
 +{
 +  if (BUG(!desc->previous_hsdirs)) {
 +    return;
 +  }
 +
 +  SMARTLIST_FOREACH(desc->previous_hsdirs, char*, s, tor_free(s));
 +  smartlist_clear(desc->previous_hsdirs);
 +}
 +
 +/** Note that we attempted to upload <b>desc</b> to <b>hsdir</b>. */
 +static void
 +service_desc_note_upload(hs_service_descriptor_t *desc, const node_t *hsdir)
 +{
 +  char b64_digest[BASE64_DIGEST_LEN+1] = {0};
 +  digest_to_base64(b64_digest, hsdir->identity);
 +
 +  if (BUG(!desc->previous_hsdirs)) {
 +    return;
 +  }
 +
 +  if (!smartlist_contains_string(desc->previous_hsdirs, b64_digest)) {
 +    smartlist_add_strdup(desc->previous_hsdirs, b64_digest);
 +  }
 +}
 +
 +/** Schedule an upload of <b>desc</b>. If <b>descriptor_changed</b> is set, it
 + *  means that this descriptor is dirty. */
 +STATIC void
 +service_desc_schedule_upload(hs_service_descriptor_t *desc,
 +                             time_t now,
 +                             int descriptor_changed)
 +
 +{
 +  desc->next_upload_time = now;
 +
 +  /* If the descriptor changed, clean up the old HSDirs list. We want to
 +   * re-upload no matter what. */
 +  if (descriptor_changed) {
 +    service_desc_clear_previous_hsdirs(desc);
 +  }
 +}
 +
 +/* Update the given descriptor from the given service. The possible update
 + * actions includes:
 + *    - Picking missing intro points if needed.
 + */
 +static void
 +update_service_descriptor(hs_service_t *service,
 +                          hs_service_descriptor_t *desc, time_t now)
 +{
 +  unsigned int num_intro_points;
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +  tor_assert(desc->desc);
 +
 +  num_intro_points = digest256map_size(desc->intro_points.map);
 +
 +  /* Pick any missing introduction point(s). */
 +  if (num_intro_points < service->config.num_intro_points) {
 +    unsigned int num_new_intro_points = pick_needed_intro_points(service,
 +                                                                 desc);
 +    if (num_new_intro_points != 0) {
 +      log_info(LD_REND, "Service %s just picked %u intro points and wanted "
 +                        "%u for %s descriptor. It currently has %d intro "
 +                        "points. Launching ESTABLISH_INTRO circuit shortly.",
 +               safe_str_client(service->onion_address),
 +               num_new_intro_points,
 +               service->config.num_intro_points - num_intro_points,
 +               (desc == service->desc_current) ? "current" : "next",
 +               num_intro_points);
 +      /* We'll build those introduction point into the descriptor once we have
 +       * confirmation that the circuits are opened and ready. However,
 +       * indicate that this descriptor should be uploaded from now on. */
 +      service_desc_schedule_upload(desc, now, 1);
 +    }
 +    /* Were we able to pick all the intro points we needed? If not, we'll
 +     * flag the descriptor that it's missing intro points because it
 +     * couldn't pick enough which will trigger a descriptor upload. */
 +    if ((num_new_intro_points + num_intro_points) <
 +        service->config.num_intro_points) {
 +      desc->missing_intro_points = 1;
 +    }
 +  }
 +}
 +
 +/* Update descriptors for each service if needed. */
 +STATIC void
 +update_all_descriptors(time_t now)
 +{
 +  FOR_EACH_SERVICE_BEGIN(service) {
 +    /* We'll try to update each descriptor that is if certain conditions apply
 +     * in order for the descriptor to be updated. */
 +    FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +      update_service_descriptor(service, desc, now);
 +    } FOR_EACH_DESCRIPTOR_END;
 +  } FOR_EACH_SERVICE_END;
 +}
 +
 +/* Return true iff the given intro point has expired that is it has been used
 + * for too long or we've reached our max seen INTRODUCE2 cell. */
 +STATIC int
 +intro_point_should_expire(const hs_service_intro_point_t *ip,
 +                          time_t now)
 +{
 +  tor_assert(ip);
 +
 +  if (ip->introduce2_count >= ip->introduce2_max) {
 +    goto expired;
 +  }
 +
 +  if (ip->time_to_expire <= now) {
 +    goto expired;
 +  }
 +
 +  /* Not expiring. */
 +  return 0;
 + expired:
 +  return 1;
 +}
 +
 +/* Go over the given set of intro points for each service and remove any
 + * invalid ones. The conditions for removal are:
 + *
 + *    - The node doesn't exists anymore (not in consensus)
 + *                          OR
 + *    - The intro point maximum circuit retry count has been reached and no
 + *      circuit can be found associated with it.
 + *                          OR
 + *    - The intro point has expired and we should pick a new one.
 + *
 + * If an intro point is removed, the circuit (if any) is immediately close.
 + * If a circuit can't be found, the intro point is kept if it hasn't reached
 + * its maximum circuit retry value and thus should be retried.  */
 +static void
 +cleanup_intro_points(hs_service_t *service, time_t now)
 +{
 +  /* List of intro points to close. We can't mark the intro circuits for close
 +   * in the modify loop because doing so calls
 +   * hs_service_intro_circ_has_closed() which does a digest256map_get() on the
 +   * intro points map (that we are iterating over). This can't be done in a
 +   * single iteration after a MAP_DEL_CURRENT, the object will still be
 +   * returned leading to a use-after-free. So, we close the circuits and free
 +   * the intro points after the loop if any. */
 +  smartlist_t *ips_to_free = smartlist_new();
 +
 +  tor_assert(service);
 +
 +  /* For both descriptors, cleanup the intro points. */
 +  FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +    /* Go over the current intro points we have, make sure they are still
 +     * valid and remove any of them that aren't. */
 +    DIGEST256MAP_FOREACH_MODIFY(desc->intro_points.map, key,
 +                                hs_service_intro_point_t *, ip) {
 +      const node_t *node = get_node_from_intro_point(ip);
 +      int has_expired = intro_point_should_expire(ip, now);
 +
 +      /* We cleanup an intro point if it has expired or if we do not know the
 +       * node_t anymore (removed from our latest consensus) or if we've
 +       * reached the maximum number of retry with a non existing circuit. */
 +      if (has_expired || node == NULL ||
 +          ip->circuit_retries > MAX_INTRO_POINT_CIRCUIT_RETRIES) {
 +        log_info(LD_REND, "Intro point %s%s (retried: %u times). "
 +                          "Removing it.",
 +                 describe_intro_point(ip),
 +                 has_expired ? " has expired" :
 +                    (node == NULL) ?  " fell off the consensus" : "",
 +                 ip->circuit_retries);
 +
 +        /* We've retried too many times, remember it as a failed intro point
 +         * so we don't pick it up again for INTRO_CIRC_RETRY_PERIOD sec. */
 +        if (ip->circuit_retries > MAX_INTRO_POINT_CIRCUIT_RETRIES) {
 +          remember_failing_intro_point(ip, desc, approx_time());
 +        }
 +
 +        /* Remove intro point from descriptor map and add it to the list of
 +         * ips to free for which we'll also try to close the intro circuit. */
 +        MAP_DEL_CURRENT(key);
 +        smartlist_add(ips_to_free, ip);
 +      }
 +    } DIGEST256MAP_FOREACH_END;
 +  } FOR_EACH_DESCRIPTOR_END;
 +
 +  /* Go over the intro points to free and close their circuit if any. */
 +  SMARTLIST_FOREACH_BEGIN(ips_to_free, hs_service_intro_point_t *, ip) {
 +    /* See if we need to close the intro point circuit as well */
 +
 +    /* XXX: Legacy code does NOT close circuits like this: it keeps the circuit
 +     * open until a new descriptor is uploaded and then closed all expiring
 +     * intro point circuit. Here, we close immediately and because we just
 +     * discarded the intro point, a new one will be selected, a new descriptor
 +     * created and uploaded. There is no difference to an attacker between the
 +     * timing of a new consensus and intro point rotation (possibly?). */
 +    origin_circuit_t *ocirc = hs_circ_service_get_intro_circ(ip);
 +    if (ocirc && !TO_CIRCUIT(ocirc)->marked_for_close) {
 +      circuit_mark_for_close(TO_CIRCUIT(ocirc), END_CIRC_REASON_FINISHED);
 +    }
 +
 +    /* Cleanup the intro point */
 +    service_intro_point_free(ip);
 +  } SMARTLIST_FOREACH_END(ip);
 +
 +  smartlist_free(ips_to_free);
 +}
 +
 +/* Set the next rotation time of the descriptors for the given service for the
 + * time now. */
 +static void
 +set_rotation_time(hs_service_t *service)
 +{
 +  tor_assert(service);
 +
 +  service->state.next_rotation_time =
 +    sr_state_get_start_time_of_current_protocol_run() +
 +    sr_state_get_protocol_run_duration();
 +
 +  {
 +    char fmt_time[ISO_TIME_LEN + 1];
 +    format_local_iso_time(fmt_time, service->state.next_rotation_time);
 +    log_info(LD_REND, "Next descriptor rotation time set to %s for %s",
 +             fmt_time, safe_str_client(service->onion_address));
 +  }
 +}
 +
 +/* Return true iff the service should rotate its descriptor. The time now is
 + * only used to fetch the live consensus and if none can be found, this
 + * returns false. */
 +static unsigned int
 +should_rotate_descriptors(hs_service_t *service, time_t now)
 +{
 +  const networkstatus_t *ns;
 +
 +  tor_assert(service);
 +
 +  ns = networkstatus_get_live_consensus(now);
 +  if (ns == NULL) {
 +    goto no_rotation;
 +  }
 +
 +  if (ns->valid_after >= service->state.next_rotation_time) {
 +    /* In theory, we should never get here with no descriptors. We can never
 +     * have a NULL current descriptor except when tor starts up. The next
 +     * descriptor can be NULL after a rotation but we build a new one right
 +     * after.
 +     *
 +     * So, when tor starts, the next rotation time is set to the start of the
 +     * next SRV period using the consensus valid after time so it should
 +     * always be set to a future time value. This means that we should never
 +     * reach this point at bootup that is this check safeguards tor in never
 +     * allowing a rotation if the valid after time is smaller than the next
 +     * rotation time.
 +     *
 +     * This is all good in theory but we've had a NULL descriptor issue here
 +     * so this is why we BUG() on both with extra logging to try to understand
 +     * how this can possibly happens. We'll simply ignore and tor should
 +     * recover from this by skipping rotation and building the missing
 +     * descriptors just after this. */
 +    if (BUG(service->desc_current == NULL || service->desc_next == NULL)) {
 +      log_warn(LD_BUG, "Service descriptor is NULL (%p/%p). Next rotation "
 +                       "time is %ld (now: %ld). Valid after time from "
 +                       "consensus is %ld",
 +               service->desc_current, service->desc_next,
 +               (long)service->state.next_rotation_time,
 +               (long)now,
 +               (long)ns->valid_after);
 +      goto no_rotation;
 +    }
 +    goto rotation;
 +  }
 +
 + no_rotation:
 +  return 0;
 + rotation:
 +  return 1;
 +}
 +
 +/* Rotate the service descriptors of the given service. The current descriptor
 + * will be freed, the next one put in as the current and finally the next
 + * descriptor pointer is NULLified. */
 +static void
 +rotate_service_descriptors(hs_service_t *service)
 +{
 +  if (service->desc_current) {
 +    /* Close all IP circuits for the descriptor. */
 +    close_intro_circuits(&service->desc_current->intro_points);
 +    /* We don't need this one anymore, we won't serve any clients coming with
 +     * this service descriptor. */
 +    service_descriptor_free(service->desc_current);
 +  }
 +  /* The next one become the current one and emptying the next will trigger
 +   * a descriptor creation for it. */
 +  service->desc_current = service->desc_next;
 +  service->desc_next = NULL;
 +
 +  /* We've just rotated, set the next time for the rotation. */
 +  set_rotation_time(service);
 +}
 +
 +/* Rotate descriptors for each service if needed. A non existing current
 + * descriptor will trigger a descriptor build for the next time period. */
 +STATIC void
 +rotate_all_descriptors(time_t now)
 +{
 +  /* XXX We rotate all our service descriptors at once. In the future it might
 +   *     be wise, to rotate service descriptors independently to hide that all
 +   *     those descriptors are on the same tor instance */
 +
 +  FOR_EACH_SERVICE_BEGIN(service) {
 +
 +    /* Note for a service booting up: Both descriptors are NULL in that case
 +     * so this function might return true if we are in the timeframe for a
 +     * rotation leading to basically swapping two NULL pointers which is
 +     * harmless. However, the side effect is that triggering a rotation will
 +     * update the service state and avoid doing anymore rotations after the
 +     * two descriptors have been built. */
 +    if (!should_rotate_descriptors(service, now)) {
 +      continue;
 +    }
 +
 +    log_info(LD_REND, "Time to rotate our descriptors (%p / %p) for %s",
 +             service->desc_current, service->desc_next,
 +             safe_str_client(service->onion_address));
 +
 +    rotate_service_descriptors(service);
 +  } FOR_EACH_SERVICE_END;
 +}
 +
 +/* Scheduled event run from the main loop. Make sure all our services are up
 + * to date and ready for the other scheduled events. This includes looking at
 + * the introduction points status and descriptor rotation time. */
 +STATIC void
 +run_housekeeping_event(time_t now)
 +{
 +  /* Note that nothing here opens circuit(s) nor uploads descriptor(s). We are
 +   * simply moving things around or removing unneeded elements. */
 +
 +  FOR_EACH_SERVICE_BEGIN(service) {
 +
 +    /* If the service is starting off, set the rotation time. We can't do that
 +     * at configure time because the get_options() needs to be set for setting
 +     * that time that uses the voting interval. */
 +    if (service->state.next_rotation_time == 0) {
 +      /* Set the next rotation time of the descriptors. If it's Oct 25th
 +       * 23:47:00, the next rotation time is when the next SRV is computed
 +       * which is at Oct 26th 00:00:00 that is in 13 minutes. */
 +      set_rotation_time(service);
 +    }
 +
 +    /* Cleanup invalid intro points from the service descriptor. */
 +    cleanup_intro_points(service, now);
 +
 +    /* Remove expired failing intro point from the descriptor failed list. We
 +     * reset them at each INTRO_CIRC_RETRY_PERIOD. */
 +    remove_expired_failing_intro(service, now);
 +
 +    /* At this point, the service is now ready to go through the scheduled
 +     * events guaranteeing a valid state. Intro points might be missing from
 +     * the descriptors after the cleanup but the update/build process will
 +     * make sure we pick those missing ones. */
 +  } FOR_EACH_SERVICE_END;
 +}
 +
 +/* Scheduled event run from the main loop. Make sure all descriptors are up to
 + * date. Once this returns, each service descriptor needs to be considered for
 + * new introduction circuits and then for upload. */
 +static void
 +run_build_descriptor_event(time_t now)
 +{
 +  /* For v2 services, this step happens in the upload event. */
 +
 +  /* Run v3+ events. */
 +  /* We start by rotating the descriptors only if needed. */
 +  rotate_all_descriptors(now);
 +
 +  /* Then, we'll try to build  new descriptors that we might need. The
 +   * condition is that the next descriptor is non existing because it has
 +   * been rotated or we just started up. */
 +  build_all_descriptors(now);
 +
 +  /* Finally, we'll check if we should update the descriptors. Missing
 +   * introduction points will be picked in this function which is useful for
 +   * newly built descriptors. */
 +  update_all_descriptors(now);
 +}
 +
 +/* For the given service, launch any intro point circuits that could be
 + * needed. This considers every descriptor of the service. */
 +static void
 +launch_intro_point_circuits(hs_service_t *service)
 +{
 +  tor_assert(service);
 +
 +  /* For both descriptors, try to launch any missing introduction point
 +   * circuits using the current map. */
 +  FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +    /* Keep a ref on if we need a direct connection. We use this often. */
 +    unsigned int direct_conn = service->config.is_single_onion;
 +
 +    DIGEST256MAP_FOREACH_MODIFY(desc->intro_points.map, key,
 +                                hs_service_intro_point_t *, ip) {
 +      extend_info_t *ei;
 +
 +      /* Skip the intro point that already has an existing circuit
 +       * (established or not). */
 +      if (hs_circ_service_get_intro_circ(ip)) {
 +        continue;
 +      }
 +
 +      ei = get_extend_info_from_intro_point(ip, direct_conn);
 +      if (ei == NULL) {
 +        /* This is possible if we can get a node_t but not the extend info out
 +         * of it. In this case, we remove the intro point and a new one will
 +         * be picked at the next main loop callback. */
 +        MAP_DEL_CURRENT(key);
 +        service_intro_point_free(ip);
 +        continue;
 +      }
 +
 +      /* Launch a circuit to the intro point. */
 +      ip->circuit_retries++;
 +      if (hs_circ_launch_intro_point(service, ip, ei) < 0) {
 +        log_info(LD_REND, "Unable to launch intro circuit to node %s "
 +                          "for service %s.",
 +                 safe_str_client(extend_info_describe(ei)),
 +                 safe_str_client(service->onion_address));
 +        /* Intro point will be retried if possible after this. */
 +      }
 +      extend_info_free(ei);
 +    } DIGEST256MAP_FOREACH_END;
 +  } FOR_EACH_DESCRIPTOR_END;
 +}
 +
 +/* Don't try to build more than this many circuits before giving up for a
 + * while. Dynamically calculated based on the configured number of intro
 + * points for the given service and how many descriptor exists. The default
 + * use case of 3 introduction points and two descriptors will allow 28
 + * circuits for a retry period (((3 + 2) + (3 * 3)) * 2). */
 +static unsigned int
 +get_max_intro_circ_per_period(const hs_service_t *service)
 +{
 +  unsigned int count = 0;
 +  unsigned int multiplier = 0;
 +  unsigned int num_wanted_ip;
 +
 +  tor_assert(service);
 +  tor_assert(service->config.num_intro_points <=
 +             HS_CONFIG_V3_MAX_INTRO_POINTS);
 +
 +/* For a testing network, allow to do it for the maximum amount so circuit
 + * creation and rotation and so on can actually be tested without limit. */
 +#define MAX_INTRO_POINT_CIRCUIT_RETRIES_TESTING -1
 +  if (get_options()->TestingTorNetwork) {
 +    return MAX_INTRO_POINT_CIRCUIT_RETRIES_TESTING;
 +  }
 +
 +  num_wanted_ip = service->config.num_intro_points;
 +
 +  /* The calculation is as follow. We have a number of intro points that we
 +   * want configured as a torrc option (num_intro_points). We then add an
 +   * extra value so we can launch multiple circuits at once and pick the
 +   * quickest ones. For instance, we want 3 intros, we add 2 extra so we'll
 +   * pick 5 intros and launch 5 circuits. */
 +  count += (num_wanted_ip + get_intro_point_num_extra());
 +
 +  /* Then we add the number of retries that is possible to do for each intro
 +   * point. If we want 3 intros, we'll allow 3 times the number of possible
 +   * retry. */
 +  count += (num_wanted_ip * MAX_INTRO_POINT_CIRCUIT_RETRIES);
 +
 +  /* Then, we multiply by a factor of 2 if we have both descriptor or 0 if we
 +   * have none.  */
 +  multiplier += (service->desc_current) ? 1 : 0;
 +  multiplier += (service->desc_next) ? 1 : 0;
 +
 +  return (count * multiplier);
 +}
 +
 +/* For the given service, return 1 if the service is allowed to launch more
 + * introduction circuits else 0 if the maximum has been reached for the retry
 + * period of INTRO_CIRC_RETRY_PERIOD. */
 +STATIC int
 +can_service_launch_intro_circuit(hs_service_t *service, time_t now)
 +{
 +  tor_assert(service);
 +
 +  /* Consider the intro circuit retry period of the service. */
 +  if (now > (service->state.intro_circ_retry_started_time +
 +             INTRO_CIRC_RETRY_PERIOD)) {
 +    service->state.intro_circ_retry_started_time = now;
 +    service->state.num_intro_circ_launched = 0;
 +    goto allow;
 +  }
 +  /* Check if we can still launch more circuits in this period. */
 +  if (service->state.num_intro_circ_launched <=
 +      get_max_intro_circ_per_period(service)) {
 +    goto allow;
 +  }
 +
 +  /* Rate limit log that we've reached our circuit creation limit. */
 +  {
 +    char *msg;
 +    time_t elapsed_time = now - service->state.intro_circ_retry_started_time;
 +    static ratelim_t rlimit = RATELIM_INIT(INTRO_CIRC_RETRY_PERIOD);
 +    if ((msg = rate_limit_log(&rlimit, now))) {
 +      log_info(LD_REND, "Hidden service %s exceeded its circuit launch limit "
 +                        "of %u per %d seconds. It launched %u circuits in "
 +                        "the last %ld seconds. Will retry in %ld seconds.",
 +               safe_str_client(service->onion_address),
 +               get_max_intro_circ_per_period(service),
 +               INTRO_CIRC_RETRY_PERIOD,
 +               service->state.num_intro_circ_launched,
 +               (long int) elapsed_time,
 +               (long int) (INTRO_CIRC_RETRY_PERIOD - elapsed_time));
 +      tor_free(msg);
 +    }
 +  }
 +
 +  /* Not allow. */
 +  return 0;
 + allow:
 +  return 1;
 +}
 +
 +/* Scheduled event run from the main loop. Make sure we have all the circuits
 + * we need for each service. */
 +static void
 +run_build_circuit_event(time_t now)
 +{
 +  /* Make sure we can actually have enough information or able to build
 +   * internal circuits as required by services. */
 +  if (router_have_consensus_path() == CONSENSUS_PATH_UNKNOWN ||
 +      !have_completed_a_circuit()) {
 +    return;
 +  }
 +
 +  /* Run v2 check. */
 +  if (rend_num_services() > 0) {
 +    rend_consider_services_intro_points(now);
 +  }
 +
 +  /* Run v3+ check. */
 +  FOR_EACH_SERVICE_BEGIN(service) {
 +    /* For introduction circuit, we need to make sure we don't stress too much
 +     * circuit creation so make sure this service is respecting that limit. */
 +    if (can_service_launch_intro_circuit(service, now)) {
 +      /* Launch intro point circuits if needed. */
 +      launch_intro_point_circuits(service);
 +      /* Once the circuits have opened, we'll make sure to update the
 +       * descriptor intro point list and cleanup any extraneous. */
 +    }
 +  } FOR_EACH_SERVICE_END;
 +}
 +
 +/* Encode and sign the service descriptor desc and upload it to the given
 + * hidden service directory.  This does nothing if PublishHidServDescriptors
 + * is false. */
 +static void
 +upload_descriptor_to_hsdir(const hs_service_t *service,
 +                           hs_service_descriptor_t *desc, const node_t *hsdir)
 +{
 +  char *encoded_desc = NULL;
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +  tor_assert(hsdir);
 +
 +  /* Let's avoid doing that if tor is configured to not publish. */
 +  if (!get_options()->PublishHidServDescriptors) {
 +    log_info(LD_REND, "Service %s not publishing descriptor. "
 +                      "PublishHidServDescriptors is set to 1.",
 +             safe_str_client(service->onion_address));
 +    goto end;
 +  }
 +
 +  /* First of all, we'll encode the descriptor. This should NEVER fail but
 +   * just in case, let's make sure we have an actual usable descriptor. */
 +  if (BUG(hs_desc_encode_descriptor(desc->desc, &desc->signing_kp,
 +                                    &encoded_desc) < 0)) {
 +    goto end;
 +  }
 +
 +  /* Time to upload the descriptor to the directory. */
 +  hs_service_upload_desc_to_dir(encoded_desc, service->config.version,
 +                                &service->keys.identity_pk,
 +                                &desc->blinded_kp.pubkey, hsdir->rs);
 +
 +  /* Add this node to previous_hsdirs list */
 +  service_desc_note_upload(desc, hsdir);
 +
 +  /* Logging so we know where it was sent. */
 +  {
 +    int is_next_desc = (service->desc_next == desc);
 +    const uint8_t *idx = (is_next_desc) ? hsdir->hsdir_index.store_second:
 +                                          hsdir->hsdir_index.store_first;
 +    char *blinded_pubkey_log_str =
 +      tor_strdup(hex_str((char*)&desc->blinded_kp.pubkey.pubkey, 32));
 +    log_info(LD_REND, "Service %s %s descriptor of revision %" PRIu64
 +                      " initiated upload request to %s with index %s (%s)",
 +             safe_str_client(service->onion_address),
 +             (is_next_desc) ? "next" : "current",
 +             desc->desc->plaintext_data.revision_counter,
 +             safe_str_client(node_describe(hsdir)),
 +             safe_str_client(hex_str((const char *) idx, 32)),
 +             safe_str_client(blinded_pubkey_log_str));
 +    tor_free(blinded_pubkey_log_str);
 +
 +    /* Fire a UPLOAD control port event. */
 +    hs_control_desc_event_upload(service->onion_address, hsdir->identity,
 +                                 &desc->blinded_kp.pubkey, idx);
 +  }
 +
 + end:
 +  tor_free(encoded_desc);
 +  return;
 +}
 +
 +/** Set the revision counter in <b>hs_desc</b>. We do this by encrypting a
 + *  timestamp using an OPE scheme and using the ciphertext as our revision
 + *  counter.
 + *
 + *  If <b>is_current</b> is true, then this is the current HS descriptor,
 + *  otherwise it's the next one. */
 +static void
 +set_descriptor_revision_counter(hs_service_descriptor_t *hs_desc, time_t now,
 +                                bool is_current)
 +{
 +  uint64_t rev_counter = 0;
 +
 +  /* Get current time */
 +  time_t srv_start = 0;
 +
 +  /* As our revision counter plaintext value, we use the seconds since the
 +   * start of the SR protocol run that is relevant to this descriptor. This is
 +   * guaranteed to be a positive value since we need the SRV to start making a
 +   * descriptor (so that we know where to upload it).
 +   *
 +   * Depending on whether we are building the current or the next descriptor,
 +   * services use a different SRV value. See [SERVICEUPLOAD] in
 +   * rend-spec-v3.txt:
 +   *
 +   * In particular, for the current descriptor (aka first descriptor), Tor
 +   * always uses the previous SRV for uploading the descriptor, and hence we
 +   * should use the start time of the previous protocol run here.
 +   *
 +   * Whereas for the next descriptor (aka second descriptor), Tor always uses
 +   * the current SRV for uploading the descriptor.  and hence we use the start
 +   * time of the current protocol run.
 +   */
 +  if (is_current) {
 +    srv_start = sr_state_get_start_time_of_previous_protocol_run();
 +  } else {
 +    srv_start = sr_state_get_start_time_of_current_protocol_run();
 +  }
 +
 +  log_info(LD_REND, "Setting rev counter for TP #%u: "
 +           "SRV started at %d, now %d (%s)",
 +           (unsigned) hs_desc->time_period_num, (int)srv_start,
 +           (int)now, is_current ? "current" : "next");
 +
 +  tor_assert_nonfatal(now >= srv_start);
 +
 +  /* Compute seconds elapsed since the start of the time period. That's the
 +   * number of seconds of how long this blinded key has been active. */
 +  time_t seconds_since_start_of_srv = now - srv_start;
 +
 +  /* Increment by one so that we are definitely sure this is strictly
 +   * positive and not zero. */
 +  seconds_since_start_of_srv++;
 +
 +  /* Check for too big inputs. */
 +  if (BUG(seconds_since_start_of_srv > OPE_INPUT_MAX)) {
 +    seconds_since_start_of_srv = OPE_INPUT_MAX;
 +  }
 +
 +  /* Now we compute the final revision counter value by encrypting the
 +     plaintext using our OPE cipher: */
 +  tor_assert(hs_desc->ope_cipher);
 +  rev_counter = crypto_ope_encrypt(hs_desc->ope_cipher,
 +                                   (int) seconds_since_start_of_srv);
 +
 +  /* The OPE module returns CRYPTO_OPE_ERROR in case of errors. */
 +  tor_assert_nonfatal(rev_counter < CRYPTO_OPE_ERROR);
 +
 +  log_info(LD_REND, "Encrypted revision counter %d to %ld",
 +           (int) seconds_since_start_of_srv, (long int) rev_counter);
 +
 +  hs_desc->desc->plaintext_data.revision_counter = rev_counter;
 +}
 +
 +/* Encode and sign the service descriptor desc and upload it to the
 + * responsible hidden service directories. If for_next_period is true, the set
 + * of directories are selected using the next hsdir_index. This does nothing
 + * if PublishHidServDescriptors is false. */
 +STATIC void
 +upload_descriptor_to_all(const hs_service_t *service,
 +                         hs_service_descriptor_t *desc)
 +{
 +  smartlist_t *responsible_dirs = NULL;
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +
 +  /* We'll first cancel any directory request that are ongoing for this
 +   * descriptor. It is possible that we can trigger multiple uploads in a
 +   * short time frame which can lead to a race where the second upload arrives
 +   * before the first one leading to a 400 malformed descriptor response from
 +   * the directory. Closing all pending requests avoids that. */
 +  close_directory_connections(service, desc);
 +
 +  /* Get our list of responsible HSDir. */
 +  responsible_dirs = smartlist_new();
 +  /* The parameter 0 means that we aren't a client so tell the function to use
 +   * the spread store consensus paremeter. */
 +  hs_get_responsible_hsdirs(&desc->blinded_kp.pubkey, desc->time_period_num,
 +                            service->desc_next == desc, 0, responsible_dirs);
 +
 +  /** Clear list of previous hsdirs since we are about to upload to a new
 +   *  list. Let's keep it up to date. */
 +  service_desc_clear_previous_hsdirs(desc);
 +
 +  /* For each responsible HSDir we have, initiate an upload command. */
 +  SMARTLIST_FOREACH_BEGIN(responsible_dirs, const routerstatus_t *,
 +                          hsdir_rs) {
 +    const node_t *hsdir_node = node_get_by_id(hsdir_rs->identity_digest);
 +    /* Getting responsible hsdir implies that the node_t object exists for the
 +     * routerstatus_t found in the consensus else we have a problem. */
 +    tor_assert(hsdir_node);
 +    /* Upload this descriptor to the chosen directory. */
 +    upload_descriptor_to_hsdir(service, desc, hsdir_node);
 +  } SMARTLIST_FOREACH_END(hsdir_rs);
 +
 +  /* Set the next upload time for this descriptor. Even if we are configured
 +   * to not upload, we still want to follow the right cycle of life for this
 +   * descriptor. */
 +  desc->next_upload_time =
 +    (time(NULL) + crypto_rand_int_range(HS_SERVICE_NEXT_UPLOAD_TIME_MIN,
 +                                        HS_SERVICE_NEXT_UPLOAD_TIME_MAX));
 +  {
 +    char fmt_next_time[ISO_TIME_LEN+1];
 +    format_local_iso_time(fmt_next_time, desc->next_upload_time);
 +    log_debug(LD_REND, "Service %s set to upload a descriptor at %s",
 +              safe_str_client(service->onion_address), fmt_next_time);
 +  }
 +
 +  smartlist_free(responsible_dirs);
 +  return;
 +}
 +
 +/** The set of HSDirs have changed: check if the change affects our descriptor
 + *  HSDir placement, and if it does, reupload the desc. */
 +STATIC int
 +service_desc_hsdirs_changed(const hs_service_t *service,
 +                            const hs_service_descriptor_t *desc)
 +{
 +  int should_reupload = 0;
 +  smartlist_t *responsible_dirs = smartlist_new();
 +
 +  /* No desc upload has happened yet: it will happen eventually */
 +  if (!desc->previous_hsdirs || !smartlist_len(desc->previous_hsdirs)) {
 +    goto done;
 +  }
 +
 +  /* Get list of responsible hsdirs */
 +  hs_get_responsible_hsdirs(&desc->blinded_kp.pubkey, desc->time_period_num,
 +                            service->desc_next == desc, 0, responsible_dirs);
 +
 +  /* Check if any new hsdirs have been added to the responsible hsdirs set:
 +   * Iterate over the list of new hsdirs, and reupload if any of them is not
 +   * present in the list of previous hsdirs.
 +   */
 +  SMARTLIST_FOREACH_BEGIN(responsible_dirs, const routerstatus_t *, hsdir_rs) {
 +    char b64_digest[BASE64_DIGEST_LEN+1] = {0};
 +    digest_to_base64(b64_digest, hsdir_rs->identity_digest);
 +
 +    if (!smartlist_contains_string(desc->previous_hsdirs, b64_digest)) {
 +      should_reupload = 1;
 +      break;
 +    }
 +  } SMARTLIST_FOREACH_END(hsdir_rs);
 +
 + done:
 +  smartlist_free(responsible_dirs);
 +
 +  return should_reupload;
 +}
 +
 +/* Return 1 if the given descriptor from the given service can be uploaded
 + * else return 0 if it can not. */
 +static int
 +should_service_upload_descriptor(const hs_service_t *service,
 +                              const hs_service_descriptor_t *desc, time_t now)
 +{
 +  unsigned int num_intro_points;
 +
 +  tor_assert(service);
 +  tor_assert(desc);
 +
 +  /* If this descriptors has missing intro points that is that it couldn't get
 +   * them all when it was time to pick them, it means that we should upload
 +   * instead of waiting an arbitrary amount of time breaking the service.
 +   * Else, if we have no missing intro points, we use the value taken from the
 +   * service configuration. */
 +  if (desc->missing_intro_points) {
 +    num_intro_points = digest256map_size(desc->intro_points.map);
 +  } else {
 +    num_intro_points = service->config.num_intro_points;
 +  }
 +
 +  /* This means we tried to pick intro points but couldn't get any so do not
 +   * upload descriptor in this case. We need at least one for the service to
 +   * be reachable. */
 +  if (desc->missing_intro_points && num_intro_points == 0) {
 +    goto cannot;
 +  }
 +
 +  /* Check if all our introduction circuit have been established for all the
 +   * intro points we have selected. */
 +  if (count_desc_circuit_established(desc) != num_intro_points) {
 +    goto cannot;
 +  }
 +
 +  /* Is it the right time to upload? */
 +  if (desc->next_upload_time > now) {
 +    goto cannot;
 +  }
 +
 +  /* Don't upload desc if we don't have a live consensus */
 +  if (!networkstatus_get_live_consensus(now)) {
 +    goto cannot;
 +  }
 +
 +  /* Do we know enough router descriptors to have adequate vision of the HSDir
 +     hash ring? */
 +  if (!router_have_minimum_dir_info()) {
 +    goto cannot;
 +  }
 +
 +  /* Can upload! */
 +  return 1;
 + cannot:
 +  return 0;
 +}
 +
 +/* Scheduled event run from the main loop. Try to upload the descriptor for
 + * each service. */
 +STATIC void
 +run_upload_descriptor_event(time_t now)
 +{
 +  /* v2 services use the same function for descriptor creation and upload so
 +   * we do everything here because the intro circuits were checked before. */
 +  if (rend_num_services() > 0) {
 +    rend_consider_services_upload(now);
 +    rend_consider_descriptor_republication();
 +  }
 +
 +  /* Run v3+ check. */
 +  FOR_EACH_SERVICE_BEGIN(service) {
 +    FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +      /* If we were asked to re-examine the hash ring, and it changed, then
 +         schedule an upload */
 +      if (consider_republishing_hs_descriptors &&
 +          service_desc_hsdirs_changed(service, desc)) {
 +        service_desc_schedule_upload(desc, now, 0);
 +      }
 +
 +      /* Can this descriptor be uploaded? */
 +      if (!should_service_upload_descriptor(service, desc, now)) {
 +        continue;
 +      }
 +
 +      log_info(LD_REND, "Initiating upload for hidden service %s descriptor "
 +                        "for service %s with %u/%u introduction points%s.",
 +               (desc == service->desc_current) ? "current" : "next",
 +               safe_str_client(service->onion_address),
 +               digest256map_size(desc->intro_points.map),
 +               service->config.num_intro_points,
 +               (desc->missing_intro_points) ? " (couldn't pick more)" : "");
 +
 +      /* At this point, we have to upload the descriptor so start by building
 +       * the intro points descriptor section which we are now sure to be
 +       * accurate because all circuits have been established. */
 +      build_desc_intro_points(service, desc, now);
 +
 +      /* Set the desc revision counter right before uploading */
 +      set_descriptor_revision_counter(desc, approx_time(),
 +                                      service->desc_current == desc);
 +
 +      upload_descriptor_to_all(service, desc);
 +    } FOR_EACH_DESCRIPTOR_END;
 +  } FOR_EACH_SERVICE_END;
 +
 +  /* We are done considering whether to republish rend descriptors */
 +  consider_republishing_hs_descriptors = 0;
 +}
 +
 +/* Called when the introduction point circuit is done building and ready to be
 + * used. */
 +static void
 +service_intro_circ_has_opened(origin_circuit_t *circ)
 +{
 +  hs_service_t *service = NULL;
 +  hs_service_intro_point_t *ip = NULL;
 +  hs_service_descriptor_t *desc = NULL;
 +
 +  tor_assert(circ);
 +
 +  /* Let's do some basic sanity checking of the circ state */
 +  if (BUG(!circ->cpath)) {
 +    return;
 +  }
 +  if (BUG(TO_CIRCUIT(circ)->purpose != CIRCUIT_PURPOSE_S_ESTABLISH_INTRO)) {
 +    return;
 +  }
 +  if (BUG(!circ->hs_ident)) {
 +    return;
 +  }
 +
 +  /* Get the corresponding service and intro point. */
 +  get_objects_from_ident(circ->hs_ident, &service, &ip, &desc);
 +
 +  if (service == NULL) {
 +    log_warn(LD_REND, "Unknown service identity key %s on the introduction "
 +                      "circuit %u. Can't find onion service.",
 +             safe_str_client(ed25519_fmt(&circ->hs_ident->identity_pk)),
 +             TO_CIRCUIT(circ)->n_circ_id);
 +    goto err;
 +  }
 +  if (ip == NULL) {
 +    log_warn(LD_REND, "Unknown introduction point auth key on circuit %u "
 +                      "for service %s",
 +             TO_CIRCUIT(circ)->n_circ_id,
 +             safe_str_client(service->onion_address));
 +    goto err;
 +  }
 +  /* We can't have an IP object without a descriptor. */
 +  tor_assert(desc);
 +
 +  if (hs_circ_service_intro_has_opened(service, ip, desc, circ)) {
 +    /* Getting here means that the circuit has been re-purposed because we
 +     * have enough intro circuit opened. Remove the IP from the service. */
 +    service_intro_point_remove(service, ip);
 +    service_intro_point_free(ip);
 +  }
 +
 +  goto done;
 +
 + err:
 +  /* Close circuit, we can't use it. */
 +  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_NOSUCHSERVICE);
 + done:
 +  return;
 +}
 +
 +/* Called when a rendezvous circuit is done building and ready to be used. */
 +static void
 +service_rendezvous_circ_has_opened(origin_circuit_t *circ)
 +{
 +  hs_service_t *service = NULL;
 +
 +  tor_assert(circ);
 +  tor_assert(circ->cpath);
 +  /* Getting here means this is a v3 rendezvous circuit. */
 +  tor_assert(circ->hs_ident);
 +  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_CONNECT_REND);
 +
 +  /* Declare the circuit dirty to avoid reuse, and for path-bias. We set the
 +   * timestamp regardless of its content because that circuit could have been
 +   * cannibalized so in any cases, we are about to use that circuit more. */
 +  TO_CIRCUIT(circ)->timestamp_dirty = time(NULL);
 +  pathbias_count_use_attempt(circ);
 +
 +  /* Get the corresponding service and intro point. */
 +  get_objects_from_ident(circ->hs_ident, &service, NULL, NULL);
 +  if (service == NULL) {
 +    log_warn(LD_REND, "Unknown service identity key %s on the rendezvous "
 +                      "circuit %u with cookie %s. Can't find onion service.",
 +             safe_str_client(ed25519_fmt(&circ->hs_ident->identity_pk)),
 +             TO_CIRCUIT(circ)->n_circ_id,
 +             hex_str((const char *) circ->hs_ident->rendezvous_cookie,
 +                     REND_COOKIE_LEN));
 +    goto err;
 +  }
 +
 +  /* If the cell can't be sent, the circuit will be closed within this
 +   * function. */
 +  hs_circ_service_rp_has_opened(service, circ);
 +  goto done;
 +
 + err:
 +  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_NOSUCHSERVICE);
 + done:
 +  return;
 +}
 +
 +/* We've been expecting an INTRO_ESTABLISHED cell on this circuit and it just
 + * arrived. Handle the INTRO_ESTABLISHED cell arriving on the given
 + * introduction circuit. Return 0 on success else a negative value. */
 +static int
 +service_handle_intro_established(origin_circuit_t *circ,
 +                                 const uint8_t *payload,
 +                                 size_t payload_len)
 +{
 +  hs_service_t *service = NULL;
 +  hs_service_intro_point_t *ip = NULL;
 +
 +  tor_assert(circ);
 +  tor_assert(payload);
 +  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_ESTABLISH_INTRO);
 +
 +  /* We need the service and intro point for this cell. */
 +  get_objects_from_ident(circ->hs_ident, &service, &ip, NULL);
 +
 +  /* Get service object from the circuit identifier. */
 +  if (service == NULL) {
 +    log_warn(LD_REND, "Unknown service identity key %s on the introduction "
 +                      "circuit %u. Can't find onion service.",
 +             safe_str_client(ed25519_fmt(&circ->hs_ident->identity_pk)),
 +             TO_CIRCUIT(circ)->n_circ_id);
 +    goto err;
 +  }
 +  if (ip == NULL) {
 +    /* We don't recognize the key. */
 +    log_warn(LD_REND, "Introduction circuit established without an intro "
 +                      "point object on circuit %u for service %s",
 +             TO_CIRCUIT(circ)->n_circ_id,
 +             safe_str_client(service->onion_address));
 +    goto err;
 +  }
 +
 +  /* Try to parse the payload into a cell making sure we do actually have a
 +   * valid cell. On success, the ip object and circuit purpose is updated to
 +   * reflect the fact that the introduction circuit is established. */
 +  if (hs_circ_handle_intro_established(service, ip, circ, payload,
 +                                       payload_len) < 0) {
 +    goto err;
 +  }
 +
 +  /* Flag that we have an established circuit for this intro point. This value
 +   * is what indicates the upload scheduled event if we are ready to build the
 +   * intro point into the descriptor and upload. */
 +  ip->circuit_established = 1;
 +
 +  log_info(LD_REND, "Successfully received an INTRO_ESTABLISHED cell "
 +                    "on circuit %u for service %s",
 +           TO_CIRCUIT(circ)->n_circ_id,
 +           safe_str_client(service->onion_address));
 +  return 0;
 +
 + err:
 +  return -1;
 +}
 +
 +/* We just received an INTRODUCE2 cell on the established introduction circuit
 + * circ. Handle the cell and return 0 on success else a negative value. */
 +static int
 +service_handle_introduce2(origin_circuit_t *circ, const uint8_t *payload,
 +                          size_t payload_len)
 +{
 +  hs_service_t *service = NULL;
 +  hs_service_intro_point_t *ip = NULL;
 +  hs_service_descriptor_t *desc = NULL;
 +
 +  tor_assert(circ);
 +  tor_assert(payload);
 +  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_INTRO);
 +
 +  /* We'll need every object associated with this circuit. */
 +  get_objects_from_ident(circ->hs_ident, &service, &ip, &desc);
 +
 +  /* Get service object from the circuit identifier. */
 +  if (service == NULL) {
 +    log_warn(LD_BUG, "Unknown service identity key %s when handling "
 +                     "an INTRODUCE2 cell on circuit %u",
 +             safe_str_client(ed25519_fmt(&circ->hs_ident->identity_pk)),
 +             TO_CIRCUIT(circ)->n_circ_id);
 +    goto err;
 +  }
 +  if (ip == NULL) {
 +    /* We don't recognize the key. */
 +    log_warn(LD_BUG, "Unknown introduction auth key when handling "
 +                     "an INTRODUCE2 cell on circuit %u for service %s",
 +             TO_CIRCUIT(circ)->n_circ_id,
 +             safe_str_client(service->onion_address));
 +    goto err;
 +  }
 +  /* If we have an IP object, we MUST have a descriptor object. */
 +  tor_assert(desc);
 +
 +  /* The following will parse, decode and launch the rendezvous point circuit.
 +   * Both current and legacy cells are handled. */
 +  if (hs_circ_handle_introduce2(service, circ, ip, desc->desc->subcredential,
 +                                payload, payload_len) < 0) {
 +    goto err;
 +  }
 +
 +  return 0;
 + err:
 +  return -1;
 +}
 +
 +/* Add to list every filename used by service. This is used by the sandbox
 + * subsystem. */
 +static void
 +service_add_fnames_to_list(const hs_service_t *service, smartlist_t *list)
 +{
 +  const char *s_dir;
 +  char fname[128] = {0};
 +
 +  tor_assert(service);
 +  tor_assert(list);
 +
 +  /* Ease our life. */
 +  s_dir = service->config.directory_path;
 +  /* The hostname file. */
 +  smartlist_add(list, hs_path_from_filename(s_dir, fname_hostname));
 +  /* The key files splitted in two. */
 +  tor_snprintf(fname, sizeof(fname), "%s_secret_key", fname_keyfile_prefix);
 +  smartlist_add(list, hs_path_from_filename(s_dir, fname));
 +  tor_snprintf(fname, sizeof(fname), "%s_public_key", fname_keyfile_prefix);
 +  smartlist_add(list, hs_path_from_filename(s_dir, fname));
 +}
 +
 +/* ========== */
 +/* Public API */
 +/* ========== */
 +
 +/* This is called everytime the service map (v2 or v3) changes that is if an
 + * element is added or removed. */
 +void
 +hs_service_map_has_changed(void)
 +{
 +  /* If we now have services where previously we had not, we need to enable
 +   * the HS service main loop event. If we changed to having no services, we
 +   * need to disable the event. */
 +  rescan_periodic_events(get_options());
 +}
 +
 +/* Upload an encoded descriptor in encoded_desc of the given version. This
 + * descriptor is for the service identity_pk and blinded_pk used to setup the
 + * directory connection identifier. It is uploaded to the directory hsdir_rs
 + * routerstatus_t object.
 + *
 + * NOTE: This function does NOT check for PublishHidServDescriptors because it
 + * is only used by the control port command HSPOST outside of this subsystem.
 + * Inside this code, upload_descriptor_to_hsdir() should be used. */
 +void
 +hs_service_upload_desc_to_dir(const char *encoded_desc,
 +                              const uint8_t version,
 +                              const ed25519_public_key_t *identity_pk,
 +                              const ed25519_public_key_t *blinded_pk,
 +                              const routerstatus_t *hsdir_rs)
 +{
 +  char version_str[4] = {0};
 +  directory_request_t *dir_req;
 +  hs_ident_dir_conn_t ident;
 +
 +  tor_assert(encoded_desc);
 +  tor_assert(identity_pk);
 +  tor_assert(blinded_pk);
 +  tor_assert(hsdir_rs);
 +
 +  /* Setup the connection identifier. */
 +  memset(&ident, 0, sizeof(ident));
 +  hs_ident_dir_conn_init(identity_pk, blinded_pk, &ident);
 +
 +  /* This is our resource when uploading which is used to construct the URL
 +   * with the version number: "/tor/hs/<version>/publish". */
 +  tor_snprintf(version_str, sizeof(version_str), "%u", version);
 +
 +  /* Build the directory request for this HSDir. */
 +  dir_req = directory_request_new(DIR_PURPOSE_UPLOAD_HSDESC);
 +  directory_request_set_routerstatus(dir_req, hsdir_rs);
 +  directory_request_set_indirection(dir_req, DIRIND_ANONYMOUS);
 +  directory_request_set_resource(dir_req, version_str);
 +  directory_request_set_payload(dir_req, encoded_desc,
 +                                strlen(encoded_desc));
 +  /* The ident object is copied over the directory connection object once
 +   * the directory request is initiated. */
 +  directory_request_upload_set_hs_ident(dir_req, &ident);
 +
 +  /* Initiate the directory request to the hsdir.*/
 +  directory_initiate_request(dir_req);
 +  directory_request_free(dir_req);
 +}
 +
 +/* Add the ephemeral service using the secret key sk and ports. Both max
 + * streams parameter will be set in the newly created service.
 + *
 + * Ownership of sk and ports is passed to this routine.  Regardless of
 + * success/failure, callers should not touch these values after calling this
 + * routine, and may assume that correct cleanup has been done on failure.
 + *
 + * Return an appropriate hs_service_add_ephemeral_status_t. */
 +hs_service_add_ephemeral_status_t
 +hs_service_add_ephemeral(ed25519_secret_key_t *sk, smartlist_t *ports,
 +                         int max_streams_per_rdv_circuit,
 +                         int max_streams_close_circuit, char **address_out)
 +{
 +  hs_service_add_ephemeral_status_t ret;
 +  hs_service_t *service = NULL;
 +
 +  tor_assert(sk);
 +  tor_assert(ports);
 +  tor_assert(address_out);
 +
 +  service = hs_service_new(get_options());
 +
 +  /* Setup the service configuration with specifics. A default service is
 +   * HS_VERSION_TWO so explicitly set it. */
 +  service->config.version = HS_VERSION_THREE;
 +  service->config.max_streams_per_rdv_circuit = max_streams_per_rdv_circuit;
 +  service->config.max_streams_close_circuit = !!max_streams_close_circuit;
 +  service->config.is_ephemeral = 1;
 +  smartlist_free(service->config.ports);
 +  service->config.ports = ports;
 +
 +  /* Handle the keys. */
 +  memcpy(&service->keys.identity_sk, sk, sizeof(service->keys.identity_sk));
 +  if (ed25519_public_key_generate(&service->keys.identity_pk,
 +                                  &service->keys.identity_sk) < 0) {
 +    log_warn(LD_CONFIG, "Unable to generate ed25519 public key"
 +                        "for v3 service.");
 +    ret = RSAE_BADPRIVKEY;
 +    goto err;
 +  }
 +
 +  /* Make sure we have at least one port. */
 +  if (smartlist_len(service->config.ports) == 0) {
 +    log_warn(LD_CONFIG, "At least one VIRTPORT/TARGET must be specified "
 +                        "for v3 service.");
 +    ret = RSAE_BADVIRTPORT;
 +    goto err;
 +  }
 +
 +  /* Build the onion address for logging purposes but also the control port
 +   * uses it for the HS_DESC event. */
 +  hs_build_address(&service->keys.identity_pk,
 +                   (uint8_t) service->config.version,
 +                   service->onion_address);
 +
 +  /* The only way the registration can fail is if the service public key
 +   * already exists. */
 +  if (BUG(register_service(hs_service_map, service) < 0)) {
 +    log_warn(LD_CONFIG, "Onion Service private key collides with an "
 +                        "existing v3 service.");
 +    ret = RSAE_ADDREXISTS;
 +    goto err;
 +  }
 +
 +  log_info(LD_CONFIG, "Added ephemeral v3 onion service: %s",
 +           safe_str_client(service->onion_address));
 +
 +  *address_out = tor_strdup(service->onion_address);
 +  ret = RSAE_OKAY;
 +  goto end;
 +
 + err:
 +  hs_service_free(service);
 +
 + end:
 +  memwipe(sk, 0, sizeof(ed25519_secret_key_t));
 +  tor_free(sk);
 +  return ret;
 +}
 +
 +/* For the given onion address, delete the ephemeral service. Return 0 on
 + * success else -1 on error. */
 +int
 +hs_service_del_ephemeral(const char *address)
 +{
 +  uint8_t version;
 +  ed25519_public_key_t pk;
 +  hs_service_t *service = NULL;
 +
 +  tor_assert(address);
 +
 +  if (hs_parse_address(address, &pk, NULL, &version) < 0) {
 +    log_warn(LD_CONFIG, "Requested malformed v3 onion address for removal.");
 +    goto err;
 +  }
 +
 +  if (version != HS_VERSION_THREE) {
 +    log_warn(LD_CONFIG, "Requested version of onion address for removal "
 +                        "is not supported.");
 +    goto err;
 +  }
 +
 +  service = find_service(hs_service_map, &pk);
 +  if (service == NULL) {
 +    log_warn(LD_CONFIG, "Requested non-existent v3 hidden service for "
 +                        "removal.");
 +    goto err;
 +  }
 +
 +  if (!service->config.is_ephemeral) {
 +    log_warn(LD_CONFIG, "Requested non-ephemeral v3 hidden service for "
 +                        "removal.");
 +    goto err;
 +  }
 +
 +  /* Close circuits, remove from map and finally free. */
 +  close_service_circuits(service);
 +  remove_service(hs_service_map, service);
 +  hs_service_free(service);
 +
 +  log_info(LD_CONFIG, "Removed ephemeral v3 hidden service: %s",
 +           safe_str_client(address));
 +  return 0;
 +
 + err:
 +  return -1;
 +}
 +
 +/* Using the ed25519 public key pk, find a service for that key and return the
 + * current encoded descriptor as a newly allocated string or NULL if not
 + * found. This is used by the control port subsystem. */
 +char *
 +hs_service_lookup_current_desc(const ed25519_public_key_t *pk)
 +{
 +  const hs_service_t *service;
 +
 +  tor_assert(pk);
 +
 +  service = find_service(hs_service_map, pk);
 +  if (service && service->desc_current) {
 +    char *encoded_desc = NULL;
 +    /* No matter what is the result (which should never be a failure), return
 +     * the encoded variable, if success it will contain the right thing else
 +     * it will be NULL. */
 +    hs_desc_encode_descriptor(service->desc_current->desc,
 +                              &service->desc_current->signing_kp,
 +                              &encoded_desc);
 +    return encoded_desc;
 +  }
 +
 +  return NULL;
 +}
 +
 +/* Return the number of service we have configured and usable. */
 +unsigned int
 +hs_service_get_num_services(void)
 +{
 +  if (hs_service_map == NULL) {
 +    return 0;
 +  }
 +  return HT_SIZE(hs_service_map);
 +}
 +
 +/* Called once an introduction circuit is closed. If the circuit doesn't have
 + * a v3 identifier, it is ignored. */
 +void
 +hs_service_intro_circ_has_closed(origin_circuit_t *circ)
 +{
 +  hs_service_t *service = NULL;
 +  hs_service_intro_point_t *ip = NULL;
 +  hs_service_descriptor_t *desc = NULL;
 +
 +  tor_assert(circ);
 +
 +  if (circ->hs_ident == NULL) {
 +    /* This is not a v3 circuit, ignore. */
 +    goto end;
 +  }
 +
 +  get_objects_from_ident(circ->hs_ident, &service, &ip, &desc);
 +  if (service == NULL) {
 +    /* This is possible if the circuits are closed and the service is
 +     * immediately deleted. */
 +    log_info(LD_REND, "Unable to find any hidden service associated "
 +                      "identity key %s on intro circuit %u.",
 +             ed25519_fmt(&circ->hs_ident->identity_pk),
 +             TO_CIRCUIT(circ)->n_circ_id);
 +    goto end;
 +  }
 +  if (ip == NULL) {
 +    /* The introduction point object has already been removed probably by our
 +     * cleanup process so ignore. */
 +    goto end;
 +  }
 +  /* Can't have an intro point object without a descriptor. */
 +  tor_assert(desc);
 +
 +  /* Circuit disappeared so make sure the intro point is updated. By
 +   * keeping the object in the descriptor, we'll be able to retry. */
 +  ip->circuit_established = 0;
 +
 + end:
 +  return;
 +}
 +
 +/* Given conn, a rendezvous edge connection acting as an exit stream, look up
 + * the hidden service for the circuit circ, and look up the port and address
 + * based on the connection port. Assign the actual connection address.
 + *
 + * Return 0 on success. Return -1 on failure and the caller should NOT close
 + * the circuit. Return -2 on failure and the caller MUST close the circuit for
 + * security reasons. */
 +int
 +hs_service_set_conn_addr_port(const origin_circuit_t *circ,
 +                              edge_connection_t *conn)
 +{
 +  hs_service_t *service = NULL;
 +
 +  tor_assert(circ);
 +  tor_assert(conn);
 +  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_REND_JOINED);
 +  tor_assert(circ->hs_ident);
 +
 +  get_objects_from_ident(circ->hs_ident, &service, NULL, NULL);
 +
 +  if (service == NULL) {
 +    log_warn(LD_REND, "Unable to find any hidden service associated "
 +                      "identity key %s on rendezvous circuit %u.",
 +             ed25519_fmt(&circ->hs_ident->identity_pk),
 +             TO_CIRCUIT(circ)->n_circ_id);
 +    /* We want the caller to close the circuit because it's not a valid
 +     * service so no danger. Attempting to bruteforce the entire key space by
 +     * opening circuits to learn which service is being hosted here is
 +     * impractical. */
 +    goto err_close;
 +  }
 +
 +  /* Enforce the streams-per-circuit limit, and refuse to provide a mapping if
 +   * this circuit will exceed the limit. */
 +  if (service->config.max_streams_per_rdv_circuit > 0 &&
 +      (circ->hs_ident->num_rdv_streams >=
 +       service->config.max_streams_per_rdv_circuit)) {
 +#define MAX_STREAM_WARN_INTERVAL 600
 +    static struct ratelim_t stream_ratelim =
 +      RATELIM_INIT(MAX_STREAM_WARN_INTERVAL);
 +    log_fn_ratelim(&stream_ratelim, LOG_WARN, LD_REND,
 +                   "Maximum streams per circuit limit reached on "
 +                   "rendezvous circuit %u for service %s. Circuit has "
 +                   "%" PRIu64 " out of %" PRIu64 " streams. %s.",
 +                   TO_CIRCUIT(circ)->n_circ_id,
 +                   service->onion_address,
 +                   circ->hs_ident->num_rdv_streams,
 +                   service->config.max_streams_per_rdv_circuit,
 +                   service->config.max_streams_close_circuit ?
 +                    "Closing circuit" : "Ignoring open stream request");
 +    if (service->config.max_streams_close_circuit) {
 +      /* Service explicitly configured to close immediately. */
 +      goto err_close;
 +    }
 +    /* Exceeding the limit makes tor silently ignore the stream creation
 +     * request and keep the circuit open. */
 +    goto err_no_close;
 +  }
 +
 +  /* Find a virtual port of that service mathcing the one in the connection if
 +   * successful, set the address in the connection. */
 +  if (hs_set_conn_addr_port(service->config.ports, conn) < 0) {
 +    log_info(LD_REND, "No virtual port mapping exists for port %d for "
 +                      "hidden service %s.",
 +             TO_CONN(conn)->port, service->onion_address);
 +    if (service->config.allow_unknown_ports) {
 +      /* Service explicitly allow connection to unknown ports so close right
 +       * away because we do not care about port mapping. */
 +      goto err_close;
 +    }
 +    /* If the service didn't explicitly allow it, we do NOT close the circuit
 +     * here to raise the bar in terms of performance for port mapping. */
 +    goto err_no_close;
 +  }
 +
 +  /* Success. */
 +  return 0;
 + err_close:
 +  /* Indicate the caller that the circuit should be closed. */
 +  return -2;
 + err_no_close:
 +  /* Indicate the caller to NOT close the circuit. */
 +  return -1;
 +}
 +
 +/* Add to file_list every filename used by a configured hidden service, and to
 + * dir_list every directory path used by a configured hidden service. This is
 + * used by the sandbox subsystem to whitelist those. */
 +void
 +hs_service_lists_fnames_for_sandbox(smartlist_t *file_list,
 +                                    smartlist_t *dir_list)
 +{
 +  tor_assert(file_list);
 +  tor_assert(dir_list);
 +
 +  /* Add files and dirs for legacy services. */
 +  rend_services_add_filenames_to_lists(file_list, dir_list);
 +
 +  /* Add files and dirs for v3+. */
 +  FOR_EACH_SERVICE_BEGIN(service) {
 +    /* Skip ephemeral service, they don't touch the disk. */
 +    if (service->config.is_ephemeral) {
 +      continue;
 +    }
 +    service_add_fnames_to_list(service, file_list);
 +    smartlist_add_strdup(dir_list, service->config.directory_path);
 +  } FOR_EACH_DESCRIPTOR_END;
 +}
 +
 +/* Called when our internal view of the directory has changed. We might have
 + * received a new batch of descriptors which might affect the shape of the
 + * HSDir hash ring. Signal that we should reexamine the hash ring and
 + * re-upload our HS descriptors if needed. */
 +void
 +hs_service_dir_info_changed(void)
 +{
 +  if (hs_service_get_num_services() > 0) {
 +    /* New directory information usually goes every consensus so rate limit
 +     * every 30 minutes to not be too conservative. */
 +    static struct ratelim_t dir_info_changed_ratelim = RATELIM_INIT(30 * 60);
 +    log_fn_ratelim(&dir_info_changed_ratelim, LOG_INFO, LD_REND,
 +                   "New dirinfo arrived: consider reuploading descriptor");
 +    consider_republishing_hs_descriptors = 1;
 +  }
 +}
 +
 +/* Called when we get an INTRODUCE2 cell on the circ. Respond to the cell and
 + * launch a circuit to the rendezvous point. */
 +int
 +hs_service_receive_introduce2(origin_circuit_t *circ, const uint8_t *payload,
 +                              size_t payload_len)
 +{
 +  int ret = -1;
 +
 +  tor_assert(circ);
 +  tor_assert(payload);
 +
 +  /* Do some initial validation and logging before we parse the cell */
 +  if (TO_CIRCUIT(circ)->purpose != CIRCUIT_PURPOSE_S_INTRO) {
 +    log_warn(LD_PROTOCOL, "Received an INTRODUCE2 cell on a "
 +                          "non introduction circuit of purpose %d",
 +             TO_CIRCUIT(circ)->purpose);
 +    goto done;
 +  }
 +
 +  if (circ->hs_ident) {
 +    ret = service_handle_introduce2(circ, payload, payload_len);
 +    hs_stats_note_introduce2_cell(1);
 +  } else {
 +    ret = rend_service_receive_introduction(circ, payload, payload_len);
 +    hs_stats_note_introduce2_cell(0);
 +  }
 +
 + done:
 +  return ret;
 +}
 +
 +/* Called when we get an INTRO_ESTABLISHED cell. Mark the circuit as an
 + * established introduction point. Return 0 on success else a negative value
 + * and the circuit is closed. */
 +int
 +hs_service_receive_intro_established(origin_circuit_t *circ,
 +                                     const uint8_t *payload,
 +                                     size_t payload_len)
 +{
 +  int ret = -1;
 +
 +  tor_assert(circ);
 +  tor_assert(payload);
 +
 +  if (TO_CIRCUIT(circ)->purpose != CIRCUIT_PURPOSE_S_ESTABLISH_INTRO) {
 +    log_warn(LD_PROTOCOL, "Received an INTRO_ESTABLISHED cell on a "
 +                          "non introduction circuit of purpose %d",
 +             TO_CIRCUIT(circ)->purpose);
 +    goto err;
 +  }
 +
 +  /* Handle both version. v2 uses rend_data and v3 uses the hs circuit
 +   * identifier hs_ident. Can't be both. */
 +  if (circ->hs_ident) {
 +    ret = service_handle_intro_established(circ, payload, payload_len);
 +  } else {
 +    ret = rend_service_intro_established(circ, payload, payload_len);
 +  }
 +
 +  if (ret < 0) {
 +    goto err;
 +  }
 +  return 0;
 + err:
 +  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
 +  return -1;
 +}
 +
 +/* Called when any kind of hidden service circuit is done building thus
 + * opened. This is the entry point from the circuit subsystem. */
 +void
 +hs_service_circuit_has_opened(origin_circuit_t *circ)
 +{
 +  tor_assert(circ);
 +
 +  /* Handle both version. v2 uses rend_data and v3 uses the hs circuit
 +   * identifier hs_ident. Can't be both. */
 +  switch (TO_CIRCUIT(circ)->purpose) {
 +  case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO:
 +    if (circ->hs_ident) {
 +      service_intro_circ_has_opened(circ);
 +    } else {
 +      rend_service_intro_has_opened(circ);
 +    }
 +    break;
 +  case CIRCUIT_PURPOSE_S_CONNECT_REND:
 +    if (circ->hs_ident) {
 +      service_rendezvous_circ_has_opened(circ);
 +    } else {
 +      rend_service_rendezvous_has_opened(circ);
 +    }
 +    break;
 +  default:
 +    tor_assert(0);
 +  }
 +}
 +
 +/* Load and/or generate keys for all onion services including the client
 + * authorization if any. Return 0 on success, -1 on failure. */
 +int
 +hs_service_load_all_keys(void)
 +{
 +  /* Load v2 service keys if we have v2. */
 +  if (rend_num_services() != 0) {
 +    if (rend_service_load_all_keys(NULL) < 0) {
 +      goto err;
 +    }
 +  }
 +
 +  /* Load or/and generate them for v3+. */
 +  SMARTLIST_FOREACH_BEGIN(hs_service_staging_list, hs_service_t *, service) {
 +    /* Ignore ephemeral service, they already have their keys set. */
 +    if (service->config.is_ephemeral) {
 +      continue;
 +    }
 +    log_info(LD_REND, "Loading v3 onion service keys from %s",
 +             service_escaped_dir(service));
 +    if (load_service_keys(service) < 0) {
 +      goto err;
 +    }
 +    /* XXX: Load/Generate client authorization keys. (#20700) */
 +  } SMARTLIST_FOREACH_END(service);
 +
 +  /* Final step, the staging list contains service in a quiescent state that
 +   * is ready to be used. Register them to the global map. Once this is over,
 +   * the staging list will be cleaned up. */
 +  register_all_services();
 +
 +  /* All keys have been loaded successfully. */
 +  return 0;
 + err:
 +  return -1;
 +}
 +
 +/* Put all service object in the given service list. After this, the caller
 + * looses ownership of every elements in the list and responsible to free the
 + * list pointer. */
 +void
 +hs_service_stage_services(const smartlist_t *service_list)
 +{
 +  tor_assert(service_list);
 +  /* This list is freed at registration time but this function can be called
 +   * multiple time. */
 +  if (hs_service_staging_list == NULL) {
 +    hs_service_staging_list = smartlist_new();
 +  }
 +  /* Add all service object to our staging list. Caller is responsible for
 +   * freeing the service_list. */
 +  smartlist_add_all(hs_service_staging_list, service_list);
 +}
 +
 +/* Allocate and initilize a service object. The service configuration will
 + * contain the default values. Return the newly allocated object pointer. This
 + * function can't fail. */
 +hs_service_t *
 +hs_service_new(const or_options_t *options)
 +{
 +  hs_service_t *service = tor_malloc_zero(sizeof(hs_service_t));
 +  /* Set default configuration value. */
 +  set_service_default_config(&service->config, options);
 +  /* Set the default service version. */
 +  service->config.version = HS_SERVICE_DEFAULT_VERSION;
 +  /* Allocate the CLIENT_PK replay cache in service state. */
 +  service->state.replay_cache_rend_cookie =
 +    replaycache_new(REND_REPLAY_TIME_INTERVAL, REND_REPLAY_TIME_INTERVAL);
 +
 +  return service;
 +}
 +
 +/* Free the given <b>service</b> object and all its content. This function
 + * also takes care of wiping service keys from memory. It is safe to pass a
 + * NULL pointer. */
 +void
 +hs_service_free_(hs_service_t *service)
 +{
 +  if (service == NULL) {
 +    return;
 +  }
 +
 +  /* Free descriptors. Go over both descriptor with this loop. */
 +  FOR_EACH_DESCRIPTOR_BEGIN(service, desc) {
 +    service_descriptor_free(desc);
 +  } FOR_EACH_DESCRIPTOR_END;
 +
 +  /* Free service configuration. */
 +  service_clear_config(&service->config);
 +
 +  /* Free replay cache from state. */
 +  if (service->state.replay_cache_rend_cookie) {
 +    replaycache_free(service->state.replay_cache_rend_cookie);
 +  }
 +
 +  /* Wipe service keys. */
 +  memwipe(&service->keys.identity_sk, 0, sizeof(service->keys.identity_sk));
 +
 +  tor_free(service);
 +}
 +
 +/* Periodic callback. Entry point from the main loop to the HS service
 + * subsystem. This is call every second. This is skipped if tor can't build a
 + * circuit or the network is disabled. */
 +void
 +hs_service_run_scheduled_events(time_t now)
 +{
 +  /* First thing we'll do here is to make sure our services are in a
 +   * quiescent state for the scheduled events. */
 +  run_housekeeping_event(now);
 +
 +  /* Order matters here. We first make sure the descriptor object for each
 +   * service contains the latest data. Once done, we check if we need to open
 +   * new introduction circuit. Finally, we try to upload the descriptor for
 +   * each service. */
 +
 +  /* Make sure descriptors are up to date. */
 +  run_build_descriptor_event(now);
 +  /* Make sure services have enough circuits. */
 +  run_build_circuit_event(now);
 +  /* Upload the descriptors if needed/possible. */
 +  run_upload_descriptor_event(now);
 +}
 +
 +/* Initialize the service HS subsystem. */
 +void
 +hs_service_init(void)
 +{
 +  /* Should never be called twice. */
 +  tor_assert(!hs_service_map);
 +  tor_assert(!hs_service_staging_list);
 +
 +  /* v2 specific. */
 +  rend_service_init();
 +
 +  hs_service_map = tor_malloc_zero(sizeof(struct hs_service_ht));
 +  HT_INIT(hs_service_ht, hs_service_map);
 +
 +  hs_service_staging_list = smartlist_new();
 +}
 +
 +/* Release all global storage of the hidden service subsystem. */
 +void
 +hs_service_free_all(void)
 +{
 +  rend_service_free_all();
 +  service_free_all();
 +}
 +
 +#ifdef TOR_UNIT_TESTS
 +
 +/* Return the global service map size. Only used by unit test. */
 +STATIC unsigned int
 +get_hs_service_map_size(void)
 +{
 +  return HT_SIZE(hs_service_map);
 +}
 +
 +/* Return the staging list size. Only used by unit test. */
 +STATIC int
 +get_hs_service_staging_list_size(void)
 +{
 +  return smartlist_len(hs_service_staging_list);
 +}
 +
 +STATIC hs_service_ht *
 +get_hs_service_map(void)
 +{
 +  return hs_service_map;
 +}
 +
 +STATIC hs_service_t *
 +get_first_service(void)
 +{
 +  hs_service_t **obj = HT_START(hs_service_ht, hs_service_map);
 +  if (obj == NULL) {
 +    return NULL;
 +  }
 +  return *obj;
 +}
 +
 +#endif /* defined(TOR_UNIT_TESTS) */
diff --cc src/feature/hs/hs_service.h
index 4cd05e389,000000000..5c5443a35
mode 100644,000000..100644
--- a/src/feature/hs/hs_service.h
+++ b/src/feature/hs/hs_service.h
@@@ -1,372 -1,0 +1,373 @@@
 +/* Copyright (c) 2016-2018, The Tor Project, Inc. */
 +/* See LICENSE for licensing information */
 +
 +/**
 + * \file hs_service.h
 + * \brief Header file containing service data for the HS subsytem.
 + **/
 +
 +#ifndef TOR_HS_SERVICE_H
 +#define TOR_HS_SERVICE_H
 +
 +#include "lib/crypt_ops/crypto_curve25519.h"
 +#include "lib/crypt_ops/crypto_ed25519.h"
 +#include "feature/hs_common/replaycache.h"
 +
 +#include "feature/hs/hs_common.h"
 +#include "feature/hs/hs_descriptor.h"
 +#include "feature/hs/hs_ident.h"
 +#include "feature/hs/hs_intropoint.h"
 +
 +/* Trunnel */
 +#include "trunnel/hs/cell_establish_intro.h"
 +
 +/* When loading and configuring a service, this is the default version it will
 + * be configured for as it is possible that no HiddenServiceVersion is
 + * present. */
 +#define HS_SERVICE_DEFAULT_VERSION HS_VERSION_TWO
 +
 +/* As described in the specification, service publishes their next descriptor
 + * at a random time between those two values (in seconds). */
 +#define HS_SERVICE_NEXT_UPLOAD_TIME_MIN (60 * 60)
 +#define HS_SERVICE_NEXT_UPLOAD_TIME_MAX (120 * 60)
 +
 +/* Service side introduction point. */
 +typedef struct hs_service_intro_point_t {
 +  /* Top level intropoint "shared" data between client/service. */
 +  hs_intropoint_t base;
 +
 +  /* Onion key of the introduction point used to extend to it for the ntor
 +   * handshake. */
 +  curve25519_public_key_t onion_key;
 +
 +  /* Authentication keypair used to create the authentication certificate
 +   * which is published in the descriptor. */
 +  ed25519_keypair_t auth_key_kp;
 +
 +  /* Encryption keypair for the "ntor" type. */
 +  curve25519_keypair_t enc_key_kp;
 +
 +  /* Legacy key if that intro point doesn't support v3. This should be used if
 +   * the base object legacy flag is set. */
 +  crypto_pk_t *legacy_key;
 +  /* Legacy key SHA1 public key digest. This should be used only if the base
 +   * object legacy flag is set. */
 +  uint8_t legacy_key_digest[DIGEST_LEN];
 +
 +  /* Amount of INTRODUCE2 cell accepted from this intro point. */
 +  uint64_t introduce2_count;
 +
 +  /* Maximum number of INTRODUCE2 cell this intro point should accept. */
 +  uint64_t introduce2_max;
 +
 +  /* The time at which this intro point should expire and stop being used. */
 +  time_t time_to_expire;
 +
 +  /* The amount of circuit creation we've made to this intro point. This is
 +   * incremented every time we do a circuit relaunch on this intro point which
 +   * is triggered when the circuit dies but the node is still in the
 +   * consensus. After MAX_INTRO_POINT_CIRCUIT_RETRIES, we give up on it. */
 +  uint32_t circuit_retries;
 +
 +  /* Set if this intro point has an established circuit. */
 +  unsigned int circuit_established : 1;
 +
 +  /* Replay cache recording the encrypted part of an INTRODUCE2 cell that the
 +   * circuit associated with this intro point has received. This is used to
 +   * prevent replay attacks. */
 +  replaycache_t *replay_cache;
 +} hs_service_intro_point_t;
 +
 +/* Object handling introduction points of a service. */
 +typedef struct hs_service_intropoints_t {
 +  /* The time at which we've started our retry period to build circuits. We
 +   * don't want to stress circuit creation so we can only retry for a certain
 +   * time and then after we stop and wait. */
 +  time_t retry_period_started;
 +
 +  /* Number of circuit we've launched during a single retry period. */
 +  unsigned int num_circuits_launched;
 +
 +  /* Contains the current hs_service_intro_point_t objects indexed by
 +   * authentication public key. */
 +  digest256map_t *map;
 +
 +  /* Contains node's identity key digest that were introduction point for this
 +   * descriptor but were retried to many times. We keep those so we avoid
 +   * re-picking them over and over for a circuit retry period.
 +   * XXX: Once we have #22173, change this to only use ed25519 identity. */
 +  digestmap_t *failed_id;
 +} hs_service_intropoints_t;
 +
 +/* Representation of a service descriptor. */
 +typedef struct hs_service_descriptor_t {
 +  /* Decoded descriptor. This object is used for encoding when the service
 +   * publishes the descriptor. */
 +  hs_descriptor_t *desc;
 +
 +  /* Descriptor signing keypair. */
 +  ed25519_keypair_t signing_kp;
 +
 +  /* Blinded keypair derived from the master identity public key. */
 +  ed25519_keypair_t blinded_kp;
 +
 +  /* When is the next time when we should upload the descriptor. */
 +  time_t next_upload_time;
 +
 +  /* Introduction points assign to this descriptor which contains
 +   * hs_service_intropoints_t object indexed by authentication key (the RSA
 +   * key if the node is legacy). */
 +  hs_service_intropoints_t intro_points;
 +
 +  /* The time period number this descriptor has been created for. */
 +  uint64_t time_period_num;
 +
 +  /* True iff we have missing intro points for this descriptor because we
 +   * couldn't pick any nodes. */
 +  unsigned int missing_intro_points : 1;
 +
 +  /** List of the responsible HSDirs (their b64ed identity digest) last time we
 +   *  uploaded this descriptor. If the set of responsible HSDirs is different
 +   *  from this list, this means we received new dirinfo and we need to
 +   *  reupload our descriptor. */
 +  smartlist_t *previous_hsdirs;
 +
 +  /** The OPE cipher for encrypting revision counters for this descriptor.
 +   *  Tied to the descriptor blinded key. */
 +  struct crypto_ope_t *ope_cipher;
 +} hs_service_descriptor_t;
 +
 +/* Service key material. */
 +typedef struct hs_service_keys_t {
 +  /* Master identify public key. */
 +  ed25519_public_key_t identity_pk;
 +  /* Master identity private key. */
 +  ed25519_secret_key_t identity_sk;
 +  /* True iff the key is kept offline which means the identity_sk MUST not be
 +   * used in that case. */
 +  unsigned int is_identify_key_offline : 1;
 +} hs_service_keys_t;
 +
 +/* Service configuration. The following are set from the torrc options either
 + * set by the configuration file or by the control port. Nothing else should
 + * change those values. */
 +typedef struct hs_service_config_t {
 +  /* Protocol version of the service. Specified by HiddenServiceVersion
 +   * option. */
 +  uint32_t version;
 +
 +  /* List of rend_service_port_config_t */
 +  smartlist_t *ports;
 +
 +  /* Path on the filesystem where the service persistent data is stored. NULL
 +   * if the service is ephemeral. Specified by HiddenServiceDir option. */
 +  char *directory_path;
 +
 +  /* The maximum number of simultaneous streams per rendezvous circuit that
 +   * are allowed to be created. No limit if 0. Specified by
 +   * HiddenServiceMaxStreams option. */
 +  uint64_t max_streams_per_rdv_circuit;
 +
 +  /* If true, we close circuits that exceed the max_streams_per_rdv_circuit
 +   * limit. Specified by HiddenServiceMaxStreamsCloseCircuit option. */
 +  unsigned int max_streams_close_circuit : 1;
 +
 +  /* How many introduction points this service has. Specified by
 +   * HiddenServiceNumIntroductionPoints option. */
 +  unsigned int num_intro_points;
 +
 +  /* True iff we allow request made on unknown ports. Specified by
 +   * HiddenServiceAllowUnknownPorts option. */
 +  unsigned int allow_unknown_ports : 1;
 +
 +  /* If true, this service is a Single Onion Service. Specified by
 +   * HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode options. */
 +  unsigned int is_single_onion : 1;
 +
 +  /* If true, allow group read permissions on the directory_path. Specified by
 +   * HiddenServiceDirGroupReadable option. */
 +  unsigned int dir_group_readable : 1;
 +
 +  /* Is this service ephemeral? */
 +  unsigned int is_ephemeral : 1;
 +} hs_service_config_t;
 +
 +/* Service state. */
 +typedef struct hs_service_state_t {
 +  /* The time at which we've started our retry period to build circuits. We
 +   * don't want to stress circuit creation so we can only retry for a certain
 +   * time and then after we stop and wait. */
 +  time_t intro_circ_retry_started_time;
 +
 +  /* Number of circuit we've launched during a single retry period. This
 +   * should never go over MAX_INTRO_CIRCS_PER_PERIOD. */
 +  unsigned int num_intro_circ_launched;
 +
 +  /* Replay cache tracking the REND_COOKIE found in INTRODUCE2 cell to detect
 +   * repeats. Clients may send INTRODUCE1 cells for the same rendezvous point
 +   * through two or more different introduction points; when they do, this
 +   * keeps us from launching multiple simultaneous attempts to connect to the
 +   * same rend point. */
 +  replaycache_t *replay_cache_rend_cookie;
 +
 +  /* When is the next time we should rotate our descriptors. This is has to be
 +   * done at the start time of the next SRV protocol run. */
 +  time_t next_rotation_time;
 +} hs_service_state_t;
 +
 +/* Representation of a service running on this tor instance. */
 +typedef struct hs_service_t {
 +  /* Onion address base32 encoded and NUL terminated. We keep it for logging
 +   * purposes so we don't have to build it everytime. */
 +  char onion_address[HS_SERVICE_ADDR_LEN_BASE32 + 1];
 +
 +  /* Hashtable node: use to look up the service by its master public identity
 +   * key in the service global map. */
 +  HT_ENTRY(hs_service_t) hs_service_node;
 +
 +  /* Service state which contains various flags and counters. */
 +  hs_service_state_t state;
 +
 +  /* Key material of the service. */
 +  hs_service_keys_t keys;
 +
 +  /* Configuration of the service. */
 +  hs_service_config_t config;
 +
 +  /* Current descriptor. */
 +  hs_service_descriptor_t *desc_current;
 +  /* Next descriptor. */
 +  hs_service_descriptor_t *desc_next;
 +
 +  /* XXX: Credential (client auth.) #20700. */
 +
 +} hs_service_t;
 +
 +/* For the service global hash map, we define a specific type for it which
 + * will make it safe to use and specific to some controlled parameters such as
 + * the hashing function and how to compare services. */
 +typedef HT_HEAD(hs_service_ht, hs_service_t) hs_service_ht;
 +
 +/* API */
 +
 +/* Global initializer and cleanup function. */
 +void hs_service_init(void);
 +void hs_service_free_all(void);
 +
 +/* Service new/free functions. */
 +hs_service_t *hs_service_new(const or_options_t *options);
 +void hs_service_free_(hs_service_t *service);
 +#define hs_service_free(s) FREE_AND_NULL(hs_service_t, hs_service_free_, (s))
 +
 +unsigned int hs_service_get_num_services(void);
 +void hs_service_stage_services(const smartlist_t *service_list);
 +int hs_service_load_all_keys(void);
 +void hs_service_lists_fnames_for_sandbox(smartlist_t *file_list,
 +                                         smartlist_t *dir_list);
 +int hs_service_set_conn_addr_port(const origin_circuit_t *circ,
 +                                  edge_connection_t *conn);
 +
 +void hs_service_map_has_changed(void);
 +void hs_service_dir_info_changed(void);
 +void hs_service_run_scheduled_events(time_t now);
 +void hs_service_circuit_has_opened(origin_circuit_t *circ);
 +int hs_service_receive_intro_established(origin_circuit_t *circ,
 +                                         const uint8_t *payload,
 +                                         size_t payload_len);
 +int hs_service_receive_introduce2(origin_circuit_t *circ,
 +                                  const uint8_t *payload,
 +                                  size_t payload_len);
 +
 +void hs_service_intro_circ_has_closed(origin_circuit_t *circ);
 +
 +char *hs_service_lookup_current_desc(const ed25519_public_key_t *pk);
 +
 +hs_service_add_ephemeral_status_t
 +hs_service_add_ephemeral(ed25519_secret_key_t *sk, smartlist_t *ports,
 +                         int max_streams_per_rdv_circuit,
 +                         int max_streams_close_circuit, char **address_out);
 +int hs_service_del_ephemeral(const char *address);
 +
 +/* Used outside of the HS subsystem by the control port command HSPOST. */
 +void hs_service_upload_desc_to_dir(const char *encoded_desc,
 +                                   const uint8_t version,
 +                                   const ed25519_public_key_t *identity_pk,
 +                                   const ed25519_public_key_t *blinded_pk,
 +                                   const routerstatus_t *hsdir_rs);
 +
 +#ifdef HS_SERVICE_PRIVATE
 +
 +#ifdef TOR_UNIT_TESTS
 +/* Useful getters for unit tests. */
 +STATIC unsigned int get_hs_service_map_size(void);
 +STATIC int get_hs_service_staging_list_size(void);
 +STATIC hs_service_ht *get_hs_service_map(void);
 +STATIC hs_service_t *get_first_service(void);
 +STATIC hs_service_intro_point_t *service_intro_point_find_by_ident(
 +                                         const hs_service_t *service,
 +                                         const hs_ident_circuit_t *ident);
 +#endif
 +
 +/* Service accessors. */
 +STATIC hs_service_t *find_service(hs_service_ht *map,
 +                                  const ed25519_public_key_t *pk);
 +STATIC void remove_service(hs_service_ht *map, hs_service_t *service);
 +STATIC int register_service(hs_service_ht *map, hs_service_t *service);
 +/* Service introduction point functions. */
 +STATIC hs_service_intro_point_t *service_intro_point_new(
-                                          const extend_info_t *ei,
-                                          unsigned int is_legacy);
++                            const extend_info_t *ei,
++                            unsigned int is_legacy,
++                            unsigned int supports_ed25519_link_handshake_any);
 +STATIC void service_intro_point_free_(hs_service_intro_point_t *ip);
 +#define service_intro_point_free(ip)                            \
 +  FREE_AND_NULL(hs_service_intro_point_t,             \
 +                          service_intro_point_free_, (ip))
 +STATIC void service_intro_point_add(digest256map_t *map,
 +                                    hs_service_intro_point_t *ip);
 +STATIC void service_intro_point_remove(const hs_service_t *service,
 +                                       const hs_service_intro_point_t *ip);
 +STATIC hs_service_intro_point_t *service_intro_point_find(
 +                                 const hs_service_t *service,
 +                                 const ed25519_public_key_t *auth_key);
 +/* Service descriptor functions. */
 +STATIC hs_service_descriptor_t *service_descriptor_new(void);
 +STATIC hs_service_descriptor_t *service_desc_find_by_intro(
 +                                         const hs_service_t *service,
 +                                         const hs_service_intro_point_t *ip);
 +/* Helper functions. */
 +STATIC void get_objects_from_ident(const hs_ident_circuit_t *ident,
 +                                   hs_service_t **service,
 +                                   hs_service_intro_point_t **ip,
 +                                   hs_service_descriptor_t **desc);
 +STATIC const node_t *
 +get_node_from_intro_point(const hs_service_intro_point_t *ip);
 +STATIC int can_service_launch_intro_circuit(hs_service_t *service,
 +                                            time_t now);
 +STATIC int intro_point_should_expire(const hs_service_intro_point_t *ip,
 +                                     time_t now);
 +STATIC void run_housekeeping_event(time_t now);
 +STATIC void rotate_all_descriptors(time_t now);
 +STATIC void build_all_descriptors(time_t now);
 +STATIC void update_all_descriptors(time_t now);
 +STATIC void run_upload_descriptor_event(time_t now);
 +
 +STATIC void service_descriptor_free_(hs_service_descriptor_t *desc);
 +#define service_descriptor_free(d) \
 +  FREE_AND_NULL(hs_service_descriptor_t, \
 +                           service_descriptor_free_, (d))
 +STATIC int
 +write_address_to_file(const hs_service_t *service, const char *fname_);
 +
 +STATIC void upload_descriptor_to_all(const hs_service_t *service,
 +                                     hs_service_descriptor_t *desc);
 +
 +STATIC void service_desc_schedule_upload(hs_service_descriptor_t *desc,
 +                                         time_t now,
 +                                         int descriptor_changed);
 +
 +STATIC int service_desc_hsdirs_changed(const hs_service_t *service,
 +                                const hs_service_descriptor_t *desc);
 +
 +#endif /* defined(HS_SERVICE_PRIVATE) */
 +
 +#endif /* !defined(TOR_HS_SERVICE_H) */





More information about the tor-commits mailing list