Implement Prop #260: Single Onion Services

  o Major features (onion services):

    - Add experimental OnionServiceSingleHopMode and

      OnionServiceNonAnonymousMode options. When both are set to 1, every

      hidden service on a tor instance becomes a non-anonymous Single Onion

      Service. Single Onions make one-hop (direct) connections to their

      introduction and renzedvous points. One-hop circuits make Single Onion

      servers easily locatable, but clients remain location-anonymous.

      This is compatible with the existing hidden service implementation, and

      works on the current tor network without any changes to older relays or

      clients.

      Implements proposal #260, completes ticket #17178. Patch by teor & asn.

  o Minor bug fixes (Tor2web):

    - Prevent Tor2web clients running hidden services, these services are

      not anonymous due to the one-hop client paths.

      Fixes bug #19678. Patch by teor.

    non-hidden-service hostnames through Tor. It **must only** be used when

    running a tor2web Hidden Service web proxy.

    To enable this option the compile time flag --enable-tor2web-mode must be

    specified. (Default: 0)

    specified. Since Tor2webMode is non-anonymous, you can not run an

    anonymous Hidden Service on a tor version compiled with Tor2webMode.

    (Default: 0)

[[Tor2webRendezvousPoints]] **Tor2webRendezvousPoints** __node__,__node__,__...__::

    A list of identity fingerprints, nicknames, country codes and

    Number of introduction points the hidden service will have. You can't

    have more than 10. (Default: 3)

[[OnionServiceSingleHopMode]] **OnionServiceSingleHopMode** **0**|**1**::

    **Experimental - Non Anonymous** Hidden Services on a tor instance in

    OnionServiceSingleHopMode make one-hop (direct) circuits between the onion

    service server, and the introduction and rendezvous points. (Onion service

    descriptors are still posted using 3-hop paths, to avoid onion service

    directories blocking the service.)

    This option makes every hidden service instance hosted by a tor instance a

    Single Onion Service. One-hop circuits make Single Onion servers easily

    locatable, but clients remain location-anonymous. However, the fact that a

    client is accessing a Single Onion rather than a Hidden Service may be

    statistically distinguishable.

    **WARNING:** Once a hidden service directory has been used by a tor

    instance in OnionServiceSingleHopMode, it can **NEVER** be used again for

    a hidden service. It is best practice to create a new hidden service

    directory, key, and address for each new Single Onion Service and Hidden

    Service. It is not possible to run Single Onion Services and Hidden

    Services from the same tor instance: they should be run on different

    servers with different IP addresses.

    OnionServiceSingleHopMode requires OnionServiceNonAnonymousMode to be set

    to 1. Since a Single Onion is non-anonymous, you can not to run an

    anonymous SOCKSPort on the same tor instance as a Single Onion service.

    (Default: 0)

[[OnionServiceNonAnonymousMode]] **OnionServiceNonAnonymousMode** **0**|**1**::

    Makes hidden services non-anonymous on this tor instance. Allows the

    non-anonymous OnionServiceSingleHopMode. Enables direct connections in the

    server-side hidden service protocol.

    (Default: 0)

TESTING NETWORK OPTIONS

-----------------------

#include "connection_edge.h"

#include "connection_or.h"

#include "control.h"

#include "crypto.h"

#include "directory.h"

#include "entrynodes.h"

#include "main.h"

#include "onion_tap.h"

#include "onion_fast.h"

#include "policies.h"

#include "transports.h"

#include "relay.h"

#include "rendcommon.h"

#include "rephist.h"

#include "router.h"

#include "routerlist.h"

#include "routerparse.h"

#include "routerset.h"

#include "crypto.h"

#include "transports.h"

static channel_t * channel_connect_for_circuit(const tor_addr_t *addr,

                                               uint16_t port,

  cpath_build_state_t *state = circ->build_state;

  if (state->onehop_tunnel) {

    log_debug(LD_CIRC, "Launching a one-hop circuit for dir tunnel.");

    log_debug(LD_CIRC, "Launching a one-hop circuit for dir tunnel%s.",

              (rend_allow_non_anonymous_connection(get_options()) ?

               ", or intro or rendezvous connection" : ""));

    state->desired_path_len = 1;

  } else {

    int r = new_route_len(circ->base_.purpose, exit_ei, nodelist_get_list());

#include "control.h"

#include "main.h"

#include "networkstatus.h"

#include "rendclient.h"

#include "rendservice.h"

#include "statefile.h"

#undef log

/**

 * This function decides if CBT learning should be disabled. It returns

 * true if one or more of the following four conditions are met:

 * true if one or more of the following conditions are met:

 *

 *  1. If the cbtdisabled consensus parameter is set.

 *  2. If the torrc option LearnCircuitBuildTimeout is false.

 *  3. If we are a directory authority

 *  4. If we fail to write circuit build time history to our state file.

 *  5. If we are compiled or configured in Tor2web mode

 *  6. If we are configured in Single Onion mode

 */

int

circuit_build_times_disabled(void)

  if (unit_tests) {

    return 0;

  } else {

    const or_options_t *options = get_options();

    int consensus_disabled = networkstatus_get_param(NULL, "cbtdisabled",

                                                     0, 0, 1);

    int config_disabled = !get_options()->LearnCircuitBuildTimeout;

    int dirauth_disabled = get_options()->AuthoritativeDir;

    int config_disabled = !options->LearnCircuitBuildTimeout;

    int dirauth_disabled = options->AuthoritativeDir;

    int state_disabled = did_last_state_file_write_fail() ? 1 : 0;

    /* LearnCircuitBuildTimeout and Tor2webMode/OnionServiceSingleHopMode are

     * incompatible in two ways:

     *

     * - LearnCircuitBuildTimeout results in a low CBT, which

     *   Single Onion use of one-hop intro and rendezvous circuits lowers

     *   much further, producing *far* too many timeouts.

     *

     * - The adaptive CBT code does not update its timeout estimate

     *   using build times for single-hop circuits.

     *

     * If we fix both of these issues someday, we should test

     * these modes with LearnCircuitBuildTimeout on again. */

    int tor2web_disabled = rend_client_allow_non_anonymous_connection(options);

    int single_onion_disabled = rend_service_allow_non_anonymous_connection(

                                                                      options);

    if (consensus_disabled || config_disabled || dirauth_disabled ||

           state_disabled) {

        state_disabled || tor2web_disabled || single_onion_disabled) {

#if 0

      log_debug(LD_CIRC,

               "CircuitBuildTime learning is disabled. "

#include "circuitlist.h"

#include "circuitmux.h"

#include "circuitmux_ewma.h"

#include "circuitstats.h"

#include "config.h"

#include "connection.h"

#include "connection_edge.h"

  V(HidServAuth,                 LINELIST, NULL),

  V(CloseHSClientCircuitsImmediatelyOnTimeout, BOOL, "0"),

  V(CloseHSServiceRendCircuitsImmediatelyOnTimeout, BOOL, "0"),

  V(OnionServiceSingleHopMode,   BOOL,     "0"),

  V(OnionServiceNonAnonymousMode,BOOL,     "0"),

  V(HTTPProxy,                   STRING,   NULL),

  V(HTTPProxyAuthenticator,      STRING,   NULL),

  V(HTTPSProxy,                  STRING,   NULL),

  if (consider_adding_dir_servers(options, old_options) < 0)

    return -1;

#ifdef NON_ANONYMOUS_MODE_ENABLED

  log_warn(LD_GENERAL, "This copy of Tor was compiled to run in a "

      "non-anonymous mode. It will provide NO ANONYMITY.");

#endif

  if (rend_non_anonymous_mode_enabled(options)) {

    log_warn(LD_GENERAL, "This copy of Tor was compiled or configured to run "

             "in a non-anonymous mode. It will provide NO ANONYMITY.");

  }

#ifdef ENABLE_TOR2WEB_MODE

/* LCOV_EXCL_START */

  monitor_owning_controller_process(options->OwningControllerProcess);

  /* We must create new keys after we poison the directories, because our

   * poisoning code checks for existing keys, and refuses to modify their

   * directories. */

  /* If we use the insecure OnionServiceSingleHopMode, make sure we poison any

     new hidden service directories, so that we never accidentally launch the

     non-anonymous hidden services thinking they are anonymous. */

  if (running_tor && rend_service_allow_non_anonymous_connection(options)) {

    if (options->RendConfigLines && !num_rend_services()) {

      log_warn(LD_BUG,"Error: hidden services configured, but not parsed.");

      return -1;

    }

    if (rend_service_poison_new_single_onion_dirs(NULL) < 0) {

      log_warn(LD_GENERAL,"Failed to mark new hidden services as Single "

               "Onion.");

      return -1;

    }

  }

  /* reload keys as needed for rendezvous services. */

  if (rend_service_load_all_keys()<0) {

  if (rend_service_load_all_keys(NULL)<0) {

    log_warn(LD_GENERAL,"Error loading rendezvous service keys");

    return -1;

  }

  }

}

/* Validate options related to OnionServiceSingleHopMode.

 * Modifies some options that are incompatible with OnionServiceSingleHopMode.

 * On failure returns -1, and sets *msg to an error string.

 * Returns 0 on success. */

STATIC int

options_validate_single_onion(or_options_t *options, char **msg)

{

  /* You must set OnionServiceNonAnonymousMode to 1 to use

   * OnionServiceSingleHopMode */

  if (options->OnionServiceSingleHopMode &&

      !rend_service_non_anonymous_mode_enabled(options)) {

    REJECT("OnionServiceSingleHopMode does not provide any server anonymity. "

           "It must be used with OnionServiceNonAnonymousMode set to 1.");

  }

  /* If you have OnionServiceNonAnonymousMode set, you must use

   * OnionServiceSingleHopMode. */

  if (rend_service_non_anonymous_mode_enabled(options) &&

      !options->OnionServiceSingleHopMode) {

    REJECT("OnionServiceNonAnonymousMode does not provide any server "

           "anonymity. It must be used with OnionServiceSingleHopMode set to "

           "1.");

  }

  /* If you run an anonymous client with an active Single Onion service, the

   * client loses anonymity. */

  const int client_port_set = (options->SocksPort_set ||

                               options->TransPort_set ||

                               options->NATDPort_set ||

                               options->DNSPort_set);

  if (options->OnionServiceSingleHopMode && client_port_set &&

      !options->Tor2webMode) {

    REJECT("OnionServiceSingleHopMode is incompatible with using Tor as an "

           "anonymous client. Please set Socks/Trans/NATD/DNSPort to 0, or "

           "OnionServiceSingleHopMode to 0, or use the non-anonymous "

           "Tor2webMode.");

  }

  /* If you run a hidden service in non-anonymous mode, the hidden service

   * loses anonymity, even if SOCKSPort / Tor2web mode isn't used. */

  if (!options->OnionServiceSingleHopMode && options->RendConfigLines

      && options->Tor2webMode) {

    REJECT("Non-anonymous (Tor2web) mode is incompatible with using Tor as a "

           "hidden service. Please remove all HiddenServiceDir lines, or use "

           "a version of tor compiled without --enable-tor2web-mode, or use "

           "the non-anonymous OnionServiceSingleHopMode.");

  }

  if (options->OnionServiceSingleHopMode

      && options->UseEntryGuards) {

    /* Single Onion services do not (and should not) use entry guards

     * in any meaningful way.  Further, Single Onions causes the hidden

     * service code to do things which break the path bias

     * detector, and it's far easier to turn off entry guards (and

     * thus the path bias detector with it) than to figure out how to

     * make a piece of code which cannot possibly help Single Onions,

     * compatible with OnionServiceSingleHopMode.

     */

    log_notice(LD_CONFIG,

               "OnionServiceSingleHopMode is enabled; disabling "

               "UseEntryGuards.");

    options->UseEntryGuards = 0;

  }

  /* Check if existing hidden service keys were created with a different

   * setting of OnionServiceNonAnonymousMode, and refuse to launch if they

   * have. We'll poison new keys in options_act() just before we create them.

   */

  if (rend_service_list_verify_single_onion_poison(NULL, options) < 0) {

    log_warn(LD_GENERAL, "We are configured with OnionServiceSingleHopMode "

             "%d, but one or more hidden service keys were created in %s "

             "mode. This is not allowed.",

             rend_service_non_anonymous_mode_enabled(options) ? 1 : 0,

             rend_service_non_anonymous_mode_enabled(options) ?

             "an anonymous" : "a non-anonymous"

             );

    return -1;

  }

  return 0;

}

/** Return 0 if every setting in <b>options</b> is reasonable, is a

 * permissible transition from <b>old_options</b>, and none of the

 * testing-only settings differ from <b>default_options</b> unless in

    options->PredictedPortsRelevanceTime = MAX_PREDICTED_CIRCS_RELEVANCE;

  }

#ifdef ENABLE_TOR2WEB_MODE

  if (options->Tor2webMode && options->LearnCircuitBuildTimeout) {

    /* LearnCircuitBuildTimeout and Tor2webMode are incompatible in

     * two ways:

     *

     * - LearnCircuitBuildTimeout results in a low CBT, which

     *   Tor2webMode's use of one-hop rendezvous circuits lowers

     *   much further, producing *far* too many timeouts.

     *

     * - The adaptive CBT code does not update its timeout estimate

     *   using build times for single-hop circuits.

     *

     * If we fix both of these issues someday, we should test

     * Tor2webMode with LearnCircuitBuildTimeout on again. */

    log_notice(LD_CONFIG,"Tor2webMode is enabled; turning "

               "LearnCircuitBuildTimeout off.");

    options->LearnCircuitBuildTimeout = 0;

  }

  /* Check the Single Onion Service options */

  if (options_validate_single_onion(options, msg) < 0)

    return -1;

#ifdef ENABLE_TOR2WEB_MODE

  if (options->Tor2webMode && options->UseEntryGuards) {

    /* tor2web mode clients do not (and should not) use entry guards

     * in any meaningful way.  Further, tor2web mode causes the hidden

    return -1;

  }

  /* OnionServiceSingleHopMode: one hop between the onion service server and

   * intro and rendezvous points */

  if (options->OnionServiceSingleHopMode) {

    log_warn(LD_CONFIG,

             "OnionServiceSingleHopMode is set. Every hidden service on this "

             "tor instance is NON-ANONYMOUS. If OnionServiceSingleHopMode is "

             "disabled, Tor will refuse to launch hidden services from the "

             "same directories, to protect against config errors. This "

             "setting is for experimental use only.");

  }

  if (!options->LearnCircuitBuildTimeout && options->CircuitBuildTimeout &&

      options->CircuitBuildTimeout < RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT) {

    log_warn(LD_CONFIG,

    return -1;

  }

  if (old->OnionServiceSingleHopMode != new_val->OnionServiceSingleHopMode) {

    *msg = tor_strdup("While Tor is running, changing "

                      "OnionServiceSingleHopMode is not allowed.");

    return -1;

  }

  if (old->OnionServiceNonAnonymousMode !=

      new_val->OnionServiceNonAnonymousMode) {

    *msg = tor_strdup("While Tor is running, changing "

                      "OnionServiceNonAnonymousMode is not allowed.");

    return -1;

  }

  if (old->DisableDebuggerAttachment &&

      !new_val->DisableDebuggerAttachment) {

    *msg = tor_strdup("While Tor is running, disabling "