Merge branch 'default' into 'main'

Turn off HS client connections by default

See merge request tpo/core/arti!1345

README.md

@@ -91,6 +91,27 @@ The result can be found as `target/release/arti`.
 If you run into any trouble building the program, please have a
 look at [the troubleshooting guide](doc/TROUBLESHOOTING.md).
 
+### Hidden service (`.onion` service) client support
+
+Arti has support for connecting to Onion Services aka Tor Hidden Services.
+
+However, currently it is disabled by default.
+
+This is because Arti currently lacks the
+"vanguards" feature that Tor uses to prevent guard discovery attacks over time.
+As such, you should probably stick with C Tor if you need to make a large
+number of onion service connections, or if you are using the Tor protocol
+in a way that lets an attacker control how many onion services connections that you make -
+for example, when using Arti's SOCKS support from a web browser such as Tor Browser.
+
+We plan to improve the security, and will then enable `.onion` connections by default.
+
+In the meantime, if you would like to try it out,
+you can
+enable it on the command line (`cargo run -p arti -o address_filter.allow_onion_addrs=true proxy`).
+or
+edit your config file (set `allow_onion_addrs = true` in the section `[address_filter]`)
+
 ### Custom compile-time options
 
 Arti has a number of configurable

crates/arti-client/src/address.rs

@@ -560,6 +560,20 @@ mod test {
     //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->
     use super::*;
 
+    /// Make a `StreamPrefs` with `.onion` enabled, if cfg-enabled
+    fn mk_stream_prefs() -> StreamPrefs {
+        let prefs = crate::StreamPrefs::default();
+
+        #[cfg(feature = "onion-service-client")]
+        let prefs = {
+            let mut prefs = prefs;
+            prefs.connect_to_onion_services(tor_config::BoolOrAuto::Explicit(true));
+            prefs
+        };
+
+        prefs
+    }
+
     #[test]
     fn validate_hostname() {
         // Valid hostname tests
@@ -580,7 +594,7 @@ mod test {
         use crate::err::ErrorDetail;
         fn val<A: IntoTorAddr>(addr: A) -> Result<TorAddr, ErrorDetail> {
             let toraddr = addr.into_tor_addr()?;
-            toraddr.enforce_config(&Default::default(), &Default::default())?;
+            toraddr.enforce_config(&Default::default(), &mk_stream_prefs())?;
             Ok(toraddr)
         }
 
@@ -657,7 +671,7 @@ mod test {
         fn sap(s: &str) -> Result<StreamInstructions, ErrorDetail> {
             TorAddr::from(s)
                 .unwrap()
-                .into_stream_instructions(&Default::default(), &Default::default())
+                .into_stream_instructions(&Default::default(), &mk_stream_prefs())
         }
 
         assert_eq!(
@@ -776,8 +790,8 @@ mod test {
                     prefs.connect_to_onion_services(yn);
                     prefs
                 };
-                check_stream(prefs_def(), Ok(()));
-                check_stream(prefs_of(B::Auto), Ok(()));
+                check_stream(prefs_def(), Err((EDD::OnionAddressDisabled, EK::ForbiddenStreamTarget)));
+                check_stream(prefs_of(B::Auto), Err((EDD::OnionAddressDisabled, EK::ForbiddenStreamTarget)));
                 check_stream(prefs_of(B::Explicit(true)), Ok(()));
                 check_stream(prefs_of(B::Explicit(false)), Err((EDD::OnionAddressDisabled, EK::ForbiddenStreamTarget)));
 

crates/arti-client/src/client.rs

@@ -312,7 +312,14 @@ impl StreamPrefs {
     /// If `Explicit(true)`, Onion Service connections are enabled.
     ///
     /// If `Auto`, the behaviour depends on the `address_filter.allow_onion_addrs`
-    /// configuration option, which is in turn enabled by default.
+    /// configuration option, which is in turn **disabled** by default.
+    ///
+    /// **Note**: Arti currently lacks the
+    /// "vanguards" feature that Tor uses to prevent guard discovery attacks over time.
+    /// As such, you should probably stick with C Tor if you need to make a large
+    /// number of onion service connections, or if you are using the Tor protocol
+    /// in a way that lets an attacker control how many onion services connections that you make -
+    /// for example, when using Arti's SOCKS support from a web browser such as Tor Browser.
     #[cfg(feature = "onion-service-client")]
     pub fn connect_to_onion_services(
         &mut self,

crates/arti-client/src/config.rs

@@ -72,7 +72,7 @@ pub struct ClientAddrConfig {
     ///
     /// This option is on by default.
     #[cfg(feature = "onion-service-client")]
-    #[builder(default = "true")]
+    #[builder(default = "false")]
     pub(crate) allow_onion_addrs: bool,
 }
 impl_standard_builder! { ClientAddrConfig }

crates/arti/src/arti-example-config.toml

@@ -312,7 +312,16 @@
 #allow_local_addrs = false
 
 # Should Arti make connections to hidden serivces (.onion services) ?
-#allow_onion_addrs = true
+#
+# As of this implementation, Arti's onion service support lacks the
+# "vanguards" feature that Tor uses to prevent guard discovery attacks over time.
+# As such, you should probably stick with C Tor if you need to make a large
+# number of onion service connections, or if you are using the Tor protocol
+# in a way that lets an attacker control how many onion services connections that you make -
+# for example, when using Arti's SOCKS support from a web browser such as Tor Browser.
+#
+# Therefore, the onion service client support  is currently disabled by default.
+#allow_onion_addrs = false
 
 # Rules for how long streams should wait when connecting to host or performing a
 # DNS lookup.