hs: Disallow single hop client circuit when introducing

This will effectively also deny any bridge to be used as a single hop to the
introduction point since bridge do not authenticate like clients.

Fixes #24963

Signed-off-by: David Goulet <dgoulet@torproject.org>

diff --git a/changes/ticket24963 b/changes/ticket24963
new file mode 100644 (file)
index 0000000..50adcfa
--- /dev/null
+++ b/changes/ticket24963
@@ -0,0 +1,5 @@
+  o Minor feature (onion service):
+    - Disallow single hop clients to introduce directly at the introduction
+      point. We've removed Tor2web a while back and rendezvous are blocked at
+      the relays. This is to remove load off the network from spammy clients.
+      Close ticket 24963.

diff --git a/src/feature/hs/hs_intropoint.c b/src/feature/hs/hs_intropoint.c
index 9333060e7ef00cfc0279445fc7b194e187389e4c..447f73b602ec8bb4b19ae7de22766cb245422676 100644 (file)
--- a/src/feature/hs/hs_intropoint.c
+++ b/src/feature/hs/hs_intropoint.c
@@ -10,6 +10,7 @@
 
 #include "core/or/or.h"
 #include "app/config/config.h"
+#include "core/or/channel.h"
 #include "core/or/circuitlist.h"
 #include "core/or/circuituse.h"
 #include "core/or/relay.h"
@@ -546,6 +547,14 @@ circuit_is_suitable_for_introduce1(const or_circuit_t *circ)
     return 0;
   }
 
+  /* Disallow single hop client circuit. */
+  if (channel_is_client(circ->p_chan)) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Single hop client was rejected while trying to introduce. "
+           "Closing circuit.");
+    return 0;
+  }
+
   return 1;
 }