Loading changes/bug1297b 0 → 100644 +20 −0 Original line number Diff line number Diff line o Minor bugfixes: - Don't close hidden service client circuits which have almost finished connecting to their destination when they reach the normal circuit-build timeout. Previously, we would close introduction circuits which are waiting for an acknowledgement from the introduction-point relay and rendezvous circuits which have been specified in an INTRODUCE1 cell sent to a hidden service after the normal CBT; now, we mark them as 'timed out', and launch another rendezvous attempt in parallel. This behaviour change can be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout option. Fixes part of bug 1297. - Don't close hidden-service-side rendezvous circuits when they reach the normal circuit-build timeout. Previously, we would close them. This behaviour change can be disabled using the new CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the remaining part of bug 1297. changes/bug4759 0 → 100644 +14 −0 Original line number Diff line number Diff line o Minor bugfixes: - Make sure we never mark the wrong rendezvous circuit as having had its introduction cell acknowleged by the introduction-point relay. Previously, when we received an INTRODUCE_ACK cell on a client-side hidden-service introduction circuit, we might have marked a rendezvous circuit other than the one we specified in the INTRODUCE1 cell as INTRO_ACKED, which would have produced a warning message and interfered with the hidden service connection-establishment process. Bugfix on 0.2.3.3-alpha, when the stream-isolation feature which might cause Tor to open multiple rendezvous circuits for the same hidden service was added. Fixes bug 4759. doc/tor.1.txt +28 −10 Original line number Diff line number Diff line Loading 
@@ -644,16 +644,6 @@ The following options are useful only for clients (that is, if **FascistFirewall** is set. This option is deprecated; use ReachableAddresses instead. (Default: 80, 443) **HidServAuth** __onion-address__ __auth-cookie__ [__service-name__]:: Client authorization for a hidden service. Valid onion addresses contain 16 characters in a-z2-7 plus ".onion", and valid auth cookies contain 22 characters in A-Za-z0-9+/. The service name is only used for internal purposes, e.g., for Tor controllers. This option may be used multiple times for different hidden services. If a hidden service uses authorization and this option is not set, the hidden service is not accessible. Hidden services can be configured to require authorization using the **HiddenServiceAuthorizeClient** option. **ReachableAddresses** __ADDR__[/__MASK__][:__PORT__]...:: A comma-separated list of IP addresses and ports that your firewall allows you to connect to. The format is as for the addresses in ExitPolicy, except Loading Loading 
@@ -683,6 +673,34 @@ The following options are useful only for clients (that is, if and some limit HTTP GET requests (which Tor uses for fetching directory information) to port 80. **HidServAuth** __onion-address__ __auth-cookie__ [__service-name__]:: Client authorization for a hidden service. Valid onion addresses contain 16 characters in a-z2-7 plus ".onion", and valid auth cookies contain 22 characters in A-Za-z0-9+/. The service name is only used for internal purposes, e.g., for Tor controllers. This option may be used multiple times for different hidden services. If a hidden service uses authorization and this option is not set, the hidden service is not accessible. Hidden services can be configured to require authorization using the **HiddenServiceAuthorizeClient** option. **CloseHSClientCircuitsImmediatelyOnTimeout** **0**|**1**:: If 1, Tor will close unfinished hidden service client circuits which have not moved closer to connecting to their destination hidden service when their internal state has not changed for the duration of the current circuit-build timeout. Otherwise, such circuits will be left open, in the hope that they will finish connecting to their destination hidden services. In either case, another set of introduction and rendezvous circuits for the same destination hidden service will be launched. (Default: 0) **CloseHSServiceRendCircuitsImmediatelyOnTimeout** **0**|**1**:: If 1, Tor will close unfinished hidden-service-side rendezvous circuits after the current circuit-build timeout. Otherwise, such circuits will be left open, in the hope that they will finish connecting to their destinations. In either case, another rendezvous circuit for the same destination client will be launched. (Default: 0) **LongLivedPorts** __PORTS__:: A list of ports for services that tend to have long-running connections (e.g. chat and interactive shells). 
Circuits for streams that use these Loading src/or/circuitlist.c +13 −9 Original line number Diff line number Diff line Loading @@ -930,26 +930,30 @@ circuit_unlink_all_from_or_conn(or_connection_t *conn, int reason) } } /** Return a circ such that: * - circ-\>rend_data-\>onion_address is equal to <b>rend_query</b>, and * - circ-\>purpose is equal to <b>purpose</b>. /** Return a circ such that * - circ-\>rend_data-\>onion_address is equal to * <b>rend_data</b>-\>onion_address, * - circ-\>rend_data-\>rend_cookie is equal to * <b>rend_data</b>-\>rend_cookie, and * - circ-\>purpose is equal to CIRCUIT_PURPOSE_C_REND_READY. * * Return NULL if no such circuit exists. */ origin_circuit_t * circuit_get_by_rend_query_and_purpose(const char *rend_query, uint8_t purpose) circuit_get_ready_rend_circ_by_rend_data(const rend_data_t *rend_data) { circuit_t *circ; tor_assert(CIRCUIT_PURPOSE_IS_ORIGIN(purpose)); for (circ = global_circuitlist; circ; circ = circ->next) { if (!circ->marked_for_close && circ->purpose == purpose) { circ->purpose == CIRCUIT_PURPOSE_C_REND_READY) { origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); if (ocirc->rend_data && !rend_cmp_service_ids(rend_query, ocirc->rend_data->onion_address)) !rend_cmp_service_ids(rend_data->onion_address, ocirc->rend_data->onion_address) && tor_memeq(ocirc->rend_data->rend_cookie, rend_data->rend_cookie, REND_COOKIE_LEN)) return ocirc; } } Loading src/or/circuitlist.h +2 −2 Original line number Diff line number Diff line Loading 
@@ -33,8 +33,8 @@ int circuit_id_in_use_on_orconn(circid_t circ_id, or_connection_t *conn); circuit_t *circuit_get_by_edge_conn(edge_connection_t *conn); void circuit_unlink_all_from_or_conn(or_connection_t *conn, int reason); origin_circuit_t *circuit_get_by_global_id(uint32_t id); origin_circuit_t *circuit_get_by_rend_query_and_purpose(const char *rend_query, uint8_t purpose); origin_circuit_t *circuit_get_ready_rend_circ_by_rend_data( const rend_data_t *rend_data); origin_circuit_t *circuit_get_next_by_pk_and_purpose(origin_circuit_t *start, const char *digest, uint8_t purpose); or_circuit_t *circuit_get_rendezvous(const char *cookie); Loading Loading
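Review bot: the two entries in changes/bug1297b do not say which Tor version introduced the behaviour they fix, while the changes/bug4759 entry does ("Bugfix on 0.2.3.3-alpha"). Since both entries are listed under "Minor bugfixes", each should carry a "Bugfix on X.Y.Z" phrase so the release notes can say how far back the timeout-closing behaviour goes; if the behaviour has existed since hidden services were added, say so explicitly rather than leaving it out.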
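Review bot: spelling in changes/bug4759: "acknowleged" should be "acknowledged" ("having had its introduction cell acknowledged by the introduction-point relay"). The rest of the entry reads well and usefully explains why the bug only became reachable with stream isolation (several rendezvous circuits for one hidden service).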
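Review bot: in doc/tor.1.txt the **HidServAuth** block is removed at the first hunk (-644) and re-added verbatim in the second hunk (+683); this is a pure move of existing text mixed into the hunk that introduces the two new options, which makes the diff larger than the change and obscures what is actually new. Consider doing the reordering in a separate commit. The wording of the new **CloseHSClientCircuitsImmediatelyOnTimeout** entry is also hard to parse: "circuits which have not moved closer to connecting to their destination hidden service when their internal state has not changed for the duration of the current circuit-build timeout" stacks two conditions that appear to describe the same thing; a single condition such as "client circuits whose internal state has not changed for the duration of the current circuit-build timeout" would be clearer, and the **CloseHSServiceRendCircuitsImmediatelyOnTimeout** entry already uses that simpler form.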
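Review bot: in src/or/circuitlist.c, circuit_get_ready_rend_circ_by_rend_data() dereferences rend_data->onion_address and rend_data->rend_cookie inside the loop without first checking the argument; the function it replaces asserted on its input (tor_assert(CIRCUIT_PURPOSE_IS_ORIGIN(purpose))), and the new one should at least add tor_assert(rend_data); at the top to keep a NULL caller from crashing in the middle of the circuit list walk. The added tor_memeq() on rend_cookie with REND_COOKIE_LEN is the part that actually fixes bug 4759, since the old lookup matched only on onion_address and so could return any REND_READY circuit for the same service; a sentence in the doc comment saying that both fields must match on purpose (one service can have several rendezvous circuits under stream isolation) would help the next reader. Finally, the old function accepted an arbitrary purpose and the header hunk drops its declaration, so any caller that passed a purpose other than CIRCUIT_PURPOSE_C_REND_READY must be updated in this same commit; the caller side is not in this diff, so please confirm it builds.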