Merge remote-tracking branch 'dgoulet/bug27550_035_01'

changes/ticket27550

@@ -0,0 +1,5 @@
+  o Minor bugfixes (hidden service v3):
+    - Don't warn so loudly when tor is unable to decode a descriptor. This can
+      now happen as a normal use case if a client gets a descriptor with
+      client authorization but the client is not authorized. Fixes bug 27550;
+      bugfix on 0.3.5.1-alpha.

src/feature/dirclient/dirclient.c

@@ -2720,7 +2720,7 @@ handle_response_fetch_hsdesc_v3(dir_connection_t *conn,
   case 200:
     /* We got something: Try storing it in the cache. */
     if (hs_cache_store_as_client(body, &conn->hs_ident->identity_pk) < 0) {
-      log_warn(LD_REND, "Failed to store hidden service descriptor");
+      log_info(LD_REND, "Failed to store hidden service descriptor");
       /* Fire control port FAILED event. */
       hs_control_desc_event_failed(conn->hs_ident, conn->identity_digest,
                                    "BAD_DESC");

src/feature/hs/hs_client.c

@@ -1270,10 +1270,6 @@ hs_client_decode_descriptor(const char *desc_str,
                                   client_auht_sk, desc);
   memwipe(subcredential, 0, sizeof(subcredential));
   if (ret < 0) {
-    log_warn(LD_GENERAL, "Could not parse received descriptor as client.");
-    if (get_options()->SafeLogging_ == SAFELOG_SCRUB_NONE) {
-      log_warn(LD_GENERAL, "%s", escaped(desc_str));
-    }
     goto err;
   }
 

src/feature/hs/hs_descriptor.c

@@ -1540,7 +1540,7 @@ decrypt_desc_layer,(const hs_descriptor_t *desc,
    * This is a critical check that is making sure the computed MAC matches the
    * one in the descriptor. */
   if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
-    log_warn(LD_REND, "Encrypted service descriptor MAC check failed");
+    log_info(LD_REND, "Encrypted service descriptor MAC check failed");
     goto err;
   }
 
@@ -1662,7 +1662,6 @@ desc_decrypt_encrypted(const hs_descriptor_t *desc,
                                  desc->superencrypted_data.encrypted_blob_size,
                                  descriptor_cookie, 0, &encrypted_plaintext);
   if (!encrypted_len) {
-    log_warn(LD_REND, "Decrypting encrypted desc failed.");
     goto err;
   }
   tor_assert(encrypted_plaintext);
@@ -2272,7 +2271,22 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc,
    * in the descriptor as a blob of bytes. */
   message_len = desc_decrypt_encrypted(desc, client_auth_sk, &message);
   if (!message_len) {
-    log_warn(LD_REND, "Service descriptor decryption failed.");
+    /* Two possible situation here. Either we have a client authorization
+     * configured that didn't work or we do not have any configured for this
+     * onion address so likely the descriptor is for authorized client only,
+     * we are not. */
+    if (client_auth_sk) {
+      /* At warning level so the client can notice that its client
+       * authorization is failing. */
+      log_warn(LD_REND, "Client authorization for requested onion address "
+                        "is invalid. Can't decrypt the descriptor.");
+    } else {
+      /* Inform at notice level that the onion address requested can't be
+       * reached without client authorization most likely. */
+      log_notice(LD_REND, "Fail to decrypt descriptor for requested onion "
+                        "address. It is likely requiring client "
+                        "authorization.");
+    }
     goto err;
   }
   tor_assert(message);