56#define HS_DESCRIPTOR_PRIVATE
61#include "trunnel/ed25519_cert.h"
80#define str_hs_desc "hs-descriptor"
81#define str_desc_cert "descriptor-signing-key-cert"
82#define str_rev_counter "revision-counter"
83#define str_superencrypted "superencrypted"
84#define str_encrypted "encrypted"
85#define str_signature "signature"
86#define str_lifetime "descriptor-lifetime"
88#define str_create2_formats "create2-formats"
89#define str_intro_auth_required "intro-auth-required"
90#define str_single_onion "single-onion-service"
91#define str_intro_point "introduction-point"
92#define str_ip_onion_key "onion-key"
93#define str_ip_auth_key "auth-key"
94#define str_ip_enc_key "enc-key"
95#define str_ip_enc_key_cert "enc-key-cert"
96#define str_ip_legacy_key "legacy-key"
97#define str_ip_legacy_key_cert "legacy-key-cert"
98#define str_intro_point_start "\n" str_intro_point " "
99#define str_flow_control "flow-control"
100#define str_pow_params "pow-params"
103#define str_enc_const_superencryption "hsdir-superencrypted-data"
104#define str_enc_const_encryption "hsdir-encrypted-data"
106#define str_desc_sig_prefix "Tor onion service descriptor sig v3"
107#define str_desc_auth_type "desc-auth-type"
108#define str_desc_auth_key "desc-auth-ephemeral-key"
109#define str_desc_auth_client "auth-client"
110#define str_encrypted "encrypted"
115 const char *identifier;
117 { HS_DESC_AUTH_ED25519,
"ed25519" },
125 const char *identifier;
127 { HS_POW_DESC_V1,
"v1"},
135 T1(str_lifetime, R3_DESC_LIFETIME,
EQ(1),
NO_OBJ),
137 T1(str_rev_counter, R3_REVISION_COUNTER,
EQ(1),
NO_OBJ),
146 T1(str_desc_auth_key, R3_DESC_AUTH_KEY,
GE(1),
NO_OBJ),
147 T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT,
GE(3),
NO_OBJ),
155 T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED,
GE(1),
NO_OBJ),
156 T01(str_single_onion, R3_SINGLE_ONION_SERVICE,
ARGS,
NO_OBJ),
157 T01(str_flow_control, R3_FLOW_CONTROL,
GE(2),
NO_OBJ),
165 T1N(str_ip_onion_key, R3_INTRO_ONION_KEY,
GE(2),
OBJ_OK),
167 T1(str_ip_enc_key, R3_INTRO_ENC_KEY,
GE(2),
OBJ_OK),
168 T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT,
ARGS,
OBJ_OK),
170 T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT,
ARGS,
OBJ_OK),
179 const uint8_t *salt,
size_t salt_len,
180 const uint8_t *encrypted,
size_t encrypted_len,
181 uint8_t *mac_out,
size_t mac_len)
185 const uint64_t mac_len_netorder =
tor_htonll(mac_key_len);
186 const uint64_t salt_len_netorder =
tor_htonll(salt_len);
215 const uint8_t *secret_data,
216 size_t secret_data_len,
217 uint8_t **secret_input_out)
220 size_t secret_input_len = secret_data_len +
DIGEST256_LEN +
sizeof(uint64_t);
221 uint8_t *secret_input = NULL;
227 secret_input = tor_malloc_zero(secret_input_len);
230 memcpy(secret_input, secret_data, secret_data_len);
231 offset += secret_data_len;
238 offset +=
sizeof(uint64_t);
241 *secret_input_out = secret_input;
243 return secret_input_len;
250 const uint8_t *secret_data,
251 size_t secret_data_len,
252 const uint8_t *salt,
size_t salt_len,
253 uint8_t *key_out,
size_t key_out_len,
254 int is_superencrypted_layer)
256 uint8_t *secret_input = NULL;
257 size_t secret_input_len;
267 secret_data_len, &secret_input);
275 if (is_superencrypted_layer) {
277 strlen(str_enc_const_superencryption));
280 strlen(str_enc_const_encryption));
286 memwipe(secret_input, 0, secret_input_len);
296 const uint8_t *secret_data,
297 size_t secret_data_len,
298 const uint8_t *salt,
size_t salt_len,
299 uint8_t *key_out,
size_t key_len,
300 uint8_t *iv_out,
size_t iv_len,
301 uint8_t *mac_out,
size_t mac_len,
302 int is_superencrypted_layer)
315 salt, salt_len, kdf_key,
sizeof(kdf_key),
316 is_superencrypted_layer);
318 memcpy(key_out, kdf_key, key_len);
320 memcpy(iv_out, kdf_key + offset, iv_len);
322 memcpy(mac_out, kdf_key + offset, mac_len);
324 tor_assert((offset + mac_len) ==
sizeof(kdf_key));
325 memwipe(kdf_key, 0,
sizeof(kdf_key));
336 char *encoded_b64 = NULL;
337 link_specifier_list_t *lslist = link_specifier_list_new();
342 tor_assert(smartlist_len(specs) <= UINT8_MAX);
344 link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
350 link_specifier_list_add_spec(lslist, ls);
351 } SMARTLIST_FOREACH_END(spec);
355 ssize_t encoded_len, encoded_b64_len, ret;
357 encoded_len = link_specifier_list_encoded_len(lslist);
359 encoded = tor_malloc_zero(encoded_len);
360 ret = link_specifier_list_encode(encoded, encoded_len, lslist);
366 encoded_b64 = tor_malloc_zero(encoded_b64_len);
367 ret =
base64_encode(encoded_b64, encoded_b64_len, (
const char *) encoded,
373 link_specifier_list_free(lslist);
382 char *key_str, b64_cert[256], *encoded = NULL;
390 ip->
legacy.
cert.len, BASE64_ENCODE_MULTILINE) < 0) {
391 log_warn(
LD_REND,
"Unable to encode legacy crosscert.");
397 log_warn(
LD_REND,
"Unable to encode legacy encryption key.");
403 "-----BEGIN CROSSCERT-----\n"
405 "-----END CROSSCERT-----",
406 str_ip_legacy_key, key_str,
407 str_ip_legacy_key_cert, b64_cert);
419 char *encoded = NULL, *encoded_cert;
426 if (tor_cert_encode_ed22519(ip->
enc_key_cert, &encoded_cert) < 0) {
432 str_ip_enc_key, key_b64,
433 str_ip_enc_key_cert, encoded_cert);
445 char *encoded = NULL;
452 tor_asprintf(&encoded,
"%s ntor %s", str_ip_onion_key, key_b64);
463 char *encoded_ip = NULL;
479 if (encoded_onion_key == NULL) {
489 if (tor_cert_encode_ed22519(ip->
auth_key_cert, &encoded_cert) < 0) {
499 if (encoded_enc_key == NULL) {
511 if (encoded_legacy_key == NULL) {
523 smartlist_free(lines);
532 size_t plaintext_padded_len;
540 plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
541 padding_block_length;
543 tor_assert(!(plaintext_padded_len % padding_block_length));
544 return plaintext_padded_len;
552 uint8_t **padded_out)
563 padded = tor_malloc_zero(padded_len);
565 memcpy(padded, plaintext, plaintext_len);
566 *padded_out = padded;
575 size_t plaintext_len, uint8_t **encrypted_out,
576 int is_superencrypted_layer)
578 size_t encrypted_len;
579 uint8_t *padded_plaintext, *encrypted;
580 crypto_cipher_t *cipher;
589 if (is_superencrypted_layer) {
595 padded_plaintext = tor_memdup(plaintext, plaintext_len);
596 encrypted_len = plaintext_len;
601 HS_DESC_ENCRYPTED_BIT_SIZE);
604 encrypted = tor_malloc_zero(encrypted_len);
607 (
const char *) padded_plaintext, encrypted_len);
608 *encrypted_out = encrypted;
610 crypto_cipher_free(cipher);
612 return encrypted_len;
621 const uint8_t *secret_data,
622 size_t secret_data_len,
623 const char *plaintext,
624 char **encrypted_out,
int is_superencrypted_layer)
627 size_t encrypted_len, final_blob_len, offset = 0;
645 secret_key,
sizeof(secret_key),
646 secret_iv,
sizeof(secret_iv),
647 mac_key,
sizeof(mac_key),
648 is_superencrypted_layer);
652 strlen(plaintext), &encrypted,
653 is_superencrypted_layer);
654 memwipe(secret_key, 0,
sizeof(secret_key));
655 memwipe(secret_iv, 0,
sizeof(secret_iv));
657 final_blob_len =
sizeof(salt) + encrypted_len +
DIGEST256_LEN;
658 final_blob = tor_malloc_zero(final_blob_len);
661 build_mac(mac_key,
sizeof(mac_key), salt,
sizeof(salt),
662 encrypted, encrypted_len, mac,
sizeof(mac));
663 memwipe(mac_key, 0,
sizeof(mac_key));
666 memcpy(final_blob, salt,
sizeof(salt));
667 offset =
sizeof(salt);
669 memcpy(final_blob + offset, encrypted, encrypted_len);
670 offset += encrypted_len;
672 memcpy(final_blob + offset, mac,
sizeof(mac));
673 offset +=
sizeof(mac);
675 memwipe(salt, 0,
sizeof(salt));
676 memwipe(encrypted, 0, encrypted_len);
681 *encrypted_out = final_blob;
682 return final_blob_len;
692 char *auth_client_str = NULL;
697 char encrypted_cookie_b64[HS_DESC_ENCRYPED_COOKIE_LEN * 2];
699#define ASSERT_AND_BASE64(field) STMT_BEGIN \
700 tor_assert(!fast_mem_is_zero((char *) client->field, \
701 sizeof(client->field))); \
702 ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
703 client->field, sizeof(client->field)); \
704 tor_assert(ret > 0); \
707 ASSERT_AND_BASE64(client_id);
708 ASSERT_AND_BASE64(iv);
709 ASSERT_AND_BASE64(encrypted_cookie);
712 tor_asprintf(&auth_client_str,
"%s %s %s %s", str_desc_auth_client,
713 client_id_b64, iv_b64, encrypted_cookie_b64);
715#undef ASSERT_AND_BASE64
717 return auth_client_str;
727 char *auth_client_lines_str = NULL;
738 char *auth_client_str = NULL;
743 } SMARTLIST_FOREACH_END(client);
750 smartlist_free(auth_client_lines);
752 return auth_client_lines_str;
762 char *encoded_str = NULL;
768 log_err(
LD_BUG,
"HS desc doesn't have recognized handshake type.");
772 ONION_HANDSHAKE_TYPE_NTOR);
805 char *seed_b64 = tor_malloc_zero(seed_b64_len);
810 tor_assert((
size_t) ret == (seed_b64_len - 1));
813 char time_buf[ISO_TIME_LEN + 1];
832 if (encoded_ip == NULL) {
833 log_err(
LD_BUG,
"HS desc intro point is malformed.");
837 } SMARTLIST_FOREACH_END(ip);
845 smartlist_free(lines);
857 const char *layer2_b64_ciphertext)
859 char *layer1_str = NULL;
875 str_desc_auth_key, ephemeral_key_base64);
877 memwipe(ephemeral_key_base64, 0,
sizeof(ephemeral_key_base64));
890 "-----BEGIN MESSAGE-----\n"
892 "-----END MESSAGE-----",
893 str_encrypted, layer2_b64_ciphertext);
901 smartlist_free(lines);
914 const uint8_t *secret_data,
915 size_t secret_data_len,
916 const char *encoded_str,
917 int is_superencrypted_layer)
920 ssize_t enc_b64_len, ret_len, enc_len;
921 char *encrypted_blob = NULL;
924 encoded_str, &encrypted_blob,
925 is_superencrypted_layer);
928 enc_b64 = tor_malloc_zero(enc_b64_len);
930 ret_len =
base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
931 BASE64_ENCODE_MULTILINE);
951 const uint8_t *descriptor_cookie,
952 uint8_t **secret_data_out)
954 size_t secret_data_len;
955 uint8_t *secret_data;
960 if (descriptor_cookie) {
964 secret_data = tor_malloc(secret_data_len);
967 blinded_pubkey->pubkey,
971 HS_DESC_DESCRIPTOR_COOKIE_LEN);
976 secret_data = tor_malloc(secret_data_len);
978 blinded_pubkey->pubkey,
982 *secret_data_out = secret_data;
983 return secret_data_len;
993 const uint8_t *descriptor_cookie,
994 char **encrypted_blob_out)
997 uint8_t *secret_data = NULL;
998 size_t secret_data_len = 0;
999 char *layer2_str = NULL;
1000 char *layer2_b64_ciphertext = NULL;
1001 char *layer1_str = NULL;
1002 char *layer1_b64_ciphertext = NULL;
1023 layer2_b64_ciphertext =
1026 if (!layer2_b64_ciphertext) {
1037 layer1_b64_ciphertext =
1042 if (!layer1_b64_ciphertext) {
1050 memwipe(secret_data, 0, secret_data_len);
1056 *encrypted_blob_out = layer1_b64_ciphertext;
1066 const uint8_t *descriptor_cookie,
1070 char *encoded_str = NULL;
1084 != CERT_TYPE_SIGNING_HS_DESC) {
1085 log_err(
LD_BUG,
"HS descriptor signing key has an unexpected cert type "
1090 &encoded_cert) < 0) {
1110 char *enc_b64_blob=NULL;
1112 &enc_b64_blob) < 0) {
1117 "-----BEGIN MESSAGE-----\n"
1119 "-----END MESSAGE-----",
1120 str_superencrypted, enc_b64_blob);
1133 (
const uint8_t *) encoded_str, encoded_len,
1134 str_desc_sig_prefix, signing_kp) < 0) {
1135 log_warn(
LD_BUG,
"Can't sign encoded HS descriptor!");
1146 *encoded_out = encoded_str;
1149 log_warn(
LD_GENERAL,
"We just made an HS descriptor that's too big (%d)."
1150 "Failing.", (
int)strlen(encoded_str));
1162 smartlist_free(lines);
1182 tok->
args[0], strlen(tok->
args[0])) !=
1187 tok->
args[1], strlen(tok->
args[1])) !=
1188 sizeof(client->
iv)) {
1193 tok->
args[2], strlen(tok->
args[2])) !=
1210 size_t encoded_len, i;
1213 link_specifier_list_t *specs = NULL;
1217 encoded_len = strlen(encoded);
1218 decoded = tor_malloc(encoded_len);
1219 decoded_len =
base64_decode((
char *) decoded, encoded_len, encoded,
1221 if (decoded_len < 0) {
1225 if (link_specifier_list_parse(&specs, decoded,
1226 (
size_t) decoded_len) < decoded_len) {
1232 for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
1233 link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
1248 link_specifier_free(s));
1249 smartlist_free(results);
1253 link_specifier_list_free(specs);
1281 } SMARTLIST_FOREACH_END(auth);
1301 unsigned long type =
tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
1303 log_warn(
LD_REND,
"Unparseable value %s in create2 list",
escaped(s));
1307 case ONION_HANDSHAKE_TYPE_NTOR:
1314 } SMARTLIST_FOREACH_END(s);
1317 smartlist_free(tokens);
1331 log_warn(
LD_REND,
"Certificate for %s couldn't be parsed.", log_obj_type);
1341 log_warn(
LD_REND,
"Signing key is NOT included for %s.", log_obj_type);
1349 char expiration_str[ISO_TIME_LEN+1];
1351 log_fn(LOG_PROTOCOL_WARN,
LD_REND,
"Invalid signature for %s: %s (%s)",
1355 log_warn(
LD_REND,
"Invalid signature for %s: %s",
1373 size_t data_len,
unsigned int cert_type_wanted,
1374 const char *err_msg)
1385 log_warn(
LD_REND,
"Certificate for %s couldn't be parsed.", err_msg);
1398 tor_cert_free(cert);
1411 log_warn(
LD_REND,
"Length of descriptor's encrypted data is too small. "
1412 "Got %lu but minimum value is %d",
1447 keystream = tor_malloc_zero(keystream_len);
1459 memwipe(secret_seed, 0,
sizeof(secret_seed));
1461 *keys_out = keystream;
1462 return keystream_len;
1474 uint8_t **descriptor_cookie_out)
1477 uint8_t *keystream = NULL;
1478 size_t keystream_length = 0;
1479 uint8_t *descriptor_cookie = NULL;
1480 const uint8_t *cookie_key = NULL;
1481 crypto_cipher_t *cipher = NULL;
1494 if (BUG(
fast_mem_is_zero((
char *)client_auth_sk,
sizeof(*client_auth_sk)))) {
1516 HS_DESC_COOKIE_KEY_BIT_SIZE);
1517 descriptor_cookie = tor_malloc_zero(HS_DESC_DESCRIPTOR_COOKIE_LEN);
1526 *descriptor_cookie_out = descriptor_cookie;
1528 crypto_cipher_free(cipher);
1530 memwipe(keystream, 0, keystream_length);
1547 const uint8_t *descriptor_cookie,
1548 bool is_superencrypted_layer,
1549 char **decrypted_out))
1551 uint8_t *decrypted = NULL;
1553 uint8_t *secret_data = NULL;
1554 size_t secret_data_len = 0;
1556 const uint8_t *salt, *encrypted, *desc_mac;
1557 size_t encrypted_len, result_len = 0;
1558 const uint8_t *encrypted_blob = (is_superencrypted_layer)
1561 size_t encrypted_blob_size = (is_superencrypted_layer)
1576 salt = encrypted_blob;
1580 encrypted_len = encrypted_blob_size -
1585 desc_mac = encrypted_blob + encrypted_blob_size -
DIGEST256_LEN;
1596 secret_key,
sizeof(secret_key),
1597 secret_iv,
sizeof(secret_iv),
1598 mac_key,
sizeof(mac_key),
1599 is_superencrypted_layer);
1603 encrypted, encrypted_len, our_mac,
sizeof(our_mac));
1604 memwipe(mac_key, 0,
sizeof(mac_key));
1609 if (!
tor_memeq(our_mac, desc_mac,
sizeof(our_mac))) {
1610 log_info(
LD_REND,
"Encrypted service descriptor MAC check failed");
1617 crypto_cipher_t *cipher;
1620 HS_DESC_ENCRYPTED_BIT_SIZE);
1622 decrypted = tor_malloc_zero(encrypted_len + 1);
1624 (
const char *) encrypted, encrypted_len);
1625 crypto_cipher_free(cipher);
1630 uint8_t *end = memchr(decrypted, 0, encrypted_len);
1631 result_len = encrypted_len;
1633 result_len = end - decrypted;
1637 if (result_len == 0) {
1643 decrypted[encrypted_len] =
'\0';
1644 *decrypted_out = (
char *) decrypted;
1651 *decrypted_out = NULL;
1655 memwipe(secret_data, 0, secret_data_len);
1656 memwipe(secret_key, 0,
sizeof(secret_key));
1657 memwipe(secret_iv, 0,
sizeof(secret_iv));
1670 size_t superencrypted_len = 0;
1671 char *superencrypted_plaintext = NULL;
1678 true, &superencrypted_plaintext);
1680 if (!superencrypted_len) {
1681 log_warn(
LD_REND,
"Decrypting superencrypted desc failed.");
1689 *decrypted_out = superencrypted_plaintext;
1691 return superencrypted_len;
1702 char **decrypted_out))
1704 size_t encrypted_len = 0;
1705 char *encrypted_plaintext = NULL;
1706 uint8_t *descriptor_cookie = NULL;
1714 if (client_auth_sk) {
1720 &descriptor_cookie)) {
1723 } SMARTLIST_FOREACH_END(client);
1728 false, &encrypted_plaintext);
1730 if (!encrypted_len) {
1738 *decrypted_out = encrypted_plaintext;
1739 if (descriptor_cookie) {
1740 memwipe(descriptor_cookie, 0, HS_DESC_DESCRIPTOR_COOKIE_LEN);
1744 return encrypted_len;
1763 log_warn(
LD_REND,
"Introduction point legacy key is invalid");
1771 log_warn(
LD_REND,
"Introduction point legacy key cert is missing");
1778 log_info(
LD_REND,
"Introduction point legacy encryption key "
1779 "cross-certification has an unknown format.");
1793 log_warn(
LD_REND,
"Unable to check cross-certification on the "
1794 "introduction point legacy encryption key.");
1819 log_warn(
LD_REND,
"Descriptor did not contain intro onion keys");
1829 if (!strcmp(tok->args[0],
"ntor")) {
1831 log_warn(
LD_REND,
"Introduction point ntor onion-key is invalid");
1837 } SMARTLIST_FOREACH_END(tok);
1841 log_warn(
LD_REND,
"Descriptor did not contain ntor onion keys");
1845 smartlist_free(onion_keys);
1868 log_warn(
LD_REND,
"Introduction point is not parseable");
1877 tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
1883 log_warn(
LD_REND,
"Introduction point has invalid link specifiers");
1893 tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
1896 log_warn(
LD_REND,
"Unexpected object type for introduction auth key");
1902 "introduction point auth-key") < 0) {
1908 log_warn(
LD_REND,
"Invalid authentication key signature: %s",
1914 tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
1915 if (!strcmp(tok->
args[0],
"ntor")) {
1921 log_warn(
LD_REND,
"Introduction point ntor enc-key is invalid");
1926 log_warn(
LD_REND,
"Introduction point encryption key is unrecognized.");
1931 tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
1935 log_warn(
LD_REND,
"Introduction point ntor encryption key "
1936 "cross-certification has an unknown format.");
1941 "introduction point enc-key-cert") < 0) {
1946 log_warn(
LD_REND,
"Invalid encryption key signature: %s",
1965 hs_desc_intro_point_free(ip);
1970 smartlist_free(tokens);
2003 if (smartlist_len(chunked_desc) < 2) {
2020 } SMARTLIST_FOREACH_END(chunk);
2033 } SMARTLIST_FOREACH_END(intro_point);
2037 smartlist_free(chunked_desc);
2039 smartlist_free(intro_points);
2047 const char *encoded_desc,
size_t encoded_len)
2051 const char *sig_start;
2061 log_warn(
LD_REND,
"Service descriptor has an invalid signature length."
2062 "Expected %d but got %lu",
2069 log_warn(
LD_REND,
"Service descriptor does not contain a valid "
2075 sig_start = tor_memstr(encoded_desc, encoded_len,
"\n" str_signature
" ");
2079 log_warn(
LD_GENERAL,
"Malformed signature line. Rejecting.");
2087 (
const uint8_t *) encoded_desc,
2088 sig_start - encoded_desc,
2089 str_desc_sig_prefix,
2090 signing_pubkey) != 0) {
2091 log_warn(
LD_REND,
"Invalid signature on service descriptor");
2116 for (
int idx = 0;
pow_types[idx].identifier; idx++) {
2125 log_warn(
LD_REND,
"Unknown PoW type from descriptor.");
2130 tok->
args[1], strlen(tok->
args[1])) !=
2131 sizeof(pow_params->
seed)) {
2132 log_warn(
LD_REND,
"Unparseable seed %s in PoW params",
2138 unsigned long effort =
2141 log_warn(
LD_REND,
"Unparseable suggested effort %s in PoW params",
2148 time_t expiration_time = 0;
2150 log_warn(
LD_REND,
"Unparseable expiration time %s in PoW params",
2175 const char *encoded_desc,
size_t encoded_len)
2187 tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
2190 UINT32_MAX, &ok, NULL);
2192 log_warn(
LD_REND,
"Service descriptor lifetime value is invalid");
2198 log_warn(
LD_REND,
"Service descriptor lifetime is too big. "
2199 "Got %" PRIu32
" but max is %d",
2205 tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
2209 if (strcmp(tok->
object_type,
"ED25519 CERT") != 0) {
2210 log_warn(
LD_REND,
"Service descriptor signing cert wrong type (%s)",
2216 "service descriptor signing key") < 0) {
2227 tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
2230 UINT64_MAX, &ok, NULL);
2232 log_warn(
LD_REND,
"Service descriptor revision-counter is invalid");
2237 tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
2240 log_warn(
LD_REND,
"Desc superencrypted data section is invalid");
2254 tok = find_by_keyword(tokens, R3_SIGNATURE);
2258 encoded_desc, encoded_len)) {
2262 return HS_DESC_DECODE_OK;
2264 return HS_DESC_DECODE_PLAINTEXT_ERROR;
2272 desc_superencrypted_out)
2275 char *message = NULL;
2290 log_warn(
LD_REND,
"Service descriptor decryption failed.");
2299 log_warn(
LD_REND,
"Superencrypted service descriptor is not parseable.");
2304 tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
2306 if (strcmp(tok->
args[0],
"x25519")) {
2307 log_warn(
LD_DIR,
"Unrecognized desc auth type");
2312 tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
2315 tok->
args[0]) < 0) {
2316 log_warn(
LD_DIR,
"Bogus desc auth ephemeral key in HS desc");
2321 if (!superencrypted->
clients) {
2325 if (token->tp == R3_DESC_AUTH_CLIENT) {
2332 log_warn(
LD_REND,
"Descriptor client authorization section can't "
2339 } SMARTLIST_FOREACH_END(token);
2342 tok = find_by_keyword(tokens, R3_ENCRYPTED);
2345 log_warn(
LD_REND,
"Desc encrypted data section is invalid");
2360 ret = HS_DESC_DECODE_OK;
2370 smartlist_free(tokens);
2389 char *message = NULL;
2406 if (client_auth_sk) {
2409 log_warn(
LD_REND,
"Client authorization for requested onion address "
2410 "is invalid. Can't decrypt the descriptor.");
2411 ret = HS_DESC_DECODE_BAD_CLIENT_AUTH;
2415 log_notice(
LD_REND,
"Fail to decrypt descriptor for requested onion "
2416 "address. It is likely requiring client "
2418 ret = HS_DESC_DECODE_NEED_CLIENT_AUTH;
2428 log_warn(
LD_REND,
"Encrypted service descriptor is not parseable.");
2433 tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
2438 log_warn(
LD_REND,
"Service create2-formats does not include ntor.");
2447 log_warn(
LD_REND,
"Service descriptor authentication type has "
2448 "invalid entry(ies).");
2466 uint8_t sendme_inc =
2469 log_warn(
LD_REND,
"Service descriptor flow control sendme "
2470 "value is invalid");
2473 desc_encrypted_out->sendme_inc = sendme_inc;
2495 HS_CONFIG_V3_MAX_INTRO_POINTS) {
2496 log_warn(
LD_REND,
"Service descriptor contains too many introduction "
2497 "points. Maximum allowed is %d but we have %d",
2498 HS_CONFIG_V3_MAX_INTRO_POINTS,
2506 ret = HS_DESC_DECODE_OK;
2516 smartlist_free(tokens);
2595 desc_superencrypted)
2634 const char *encoded_desc,
2635 size_t encoded_len) =
2658 encoded_len = strlen(encoded);
2660 log_warn(
LD_REND,
"Service descriptor is too big (%lu bytes)",
2661 (
unsigned long) encoded_len);
2670 log_warn(
LD_REND,
"Service descriptor is not parseable");
2676 tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
2679 UINT32_MAX, &ok, NULL);
2681 log_warn(
LD_REND,
"Service descriptor has unparseable version %s",
2686 log_warn(
LD_REND,
"Service descriptor has unsupported version %" PRIu32,
2697 encoded, encoded_len);
2698 if (ret != HS_DESC_DECODE_OK) {
2702 ret = HS_DESC_DECODE_OK;
2707 smartlist_free(tokens);
2735 if (BUG(!subcredential ||
2737 log_warn(
LD_GENERAL,
"Tried to decrypt without subcred. Impossible!");
2744 if (ret != HS_DESC_DECODE_OK) {
2749 if (ret != HS_DESC_DECODE_OK) {
2754 if (ret != HS_DESC_DECODE_OK) {
2761 hs_descriptor_free(desc);
2766 hs_descriptor_free(desc);
2781 const uint8_t *descriptor_cookie,
2782 char **encoded_out) =
2802 const uint8_t *descriptor_cookie,
2803 char **encoded_out))
2822 descriptor_cookie, encoded_out);
2830 bool do_round_trip_test = !descriptor_cookie;
2831#ifdef TOR_UNIT_TESTS
2833 do_round_trip_test =
false;
2836 if (do_round_trip_test) {
2839 if (BUG(ret != HS_DESC_DECODE_OK)) {
2848 *encoded_out = NULL;
2865 memwipe(desc, 0,
sizeof(*desc));
2881 hs_desc_authorized_client_free(client));
2882 smartlist_free(desc->
clients);
2885 memwipe(desc, 0,
sizeof(*desc));
2902 hs_desc_intro_point_free(ip));
2907 memwipe(desc, 0,
sizeof(*desc));
2966 size_t intro_size = 0;
2977 return sizeof(*data) + intro_size;
3011 ls, link_specifier_free(ls));
3027 tor_malloc_zero(
sizeof(*client_auth));
3032 sizeof(client_auth->
iv));
3047 const uint8_t *descriptor_cookie,
3050 uint8_t *keystream = NULL;
3051 size_t keystream_length = 0;
3052 const uint8_t *cookie_key;
3053 crypto_cipher_t *cipher;
3061 sizeof(*auth_ephemeral_sk)));
3063 sizeof(*client_auth_pk)));
3065 HS_DESC_DESCRIPTOR_COOKIE_LEN));
3072 auth_ephemeral_sk, client_auth_pk,
3085 HS_DESC_COOKIE_KEY_BIT_SIZE);
3088 (
const char *) descriptor_cookie,
3089 HS_DESC_DESCRIPTOR_COOKIE_LEN);
3091 memwipe(keystream, 0, keystream_length);
3094 crypto_cipher_free(cipher);
3115 ip, hs_desc_intro_point_free(ip));
int base64_decode(char *dest, size_t destlen, const char *src, size_t srclen)
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
size_t base64_encode_size(size_t srclen, int flags)
static void set_uint64(void *cp, uint64_t v)
static uint64_t tor_htonll(uint64_t a)
Header file for circuitbuild.c.
Header file for config.c.
bool congestion_control_validate_sendme_increment(uint8_t sendme_inc)
bool congestion_control_enabled(void)
Public APIs for congestion control.
static uint8_t congestion_control_sendme_inc(void)
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
crypto_cipher_t * crypto_cipher_new_with_iv_and_bits(const uint8_t *key, const uint8_t *iv, int bits)
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
int curve25519_public_from_base64(curve25519_public_key_t *pkey, const char *input)
void curve25519_public_to_base64(char *output, const curve25519_public_key_t *pkey, bool pad)
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
crypto_xof_t * crypto_xof_new(void)
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
#define crypto_xof_free(xof)
#define crypto_digest_free(d)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
int ed25519_sign_prefixed(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair)
void crypto_rand(char *to, size_t n)
void crypto_strongest_rand(uint8_t *out, size_t out_len)
Common functions for using (pseudo-)random number generators.
int crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest, size_t *len)
crypto_pk_t * crypto_pk_dup_key(crypto_pk_t *orig)
int crypto_pk_public_exponent_ok(const crypto_pk_t *env)
void memwipe(void *mem, uint8_t byte, size_t sz)
Common functions for cryptographic routines.
int tor_memeq(const void *a, const void *b, size_t sz)
#define tor_memneq(a, b, sz)
const char * escaped(const char *s)
unsigned int hs_cache_get_max_descriptor_size(void)
Header file for hs_cache.c.
link_specifier_t * link_specifier_dup(const link_specifier_t *src)
Header file containing configuration ABI/API for the HS subsystem.
static size_t build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext, size_t plaintext_len, uint8_t **encrypted_out, int is_superencrypted_layer)
void hs_desc_superencrypted_data_free_contents(hs_desc_superencrypted_data_t *desc)
STATIC size_t desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
static token_rule_t hs_desc_encrypted_v3_token_table[]
hs_desc_decode_status_t hs_desc_decode_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
int hs_desc_encode_descriptor(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static char * get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc, const char *layer2_b64_ciphertext)
static char * encode_intro_point(const ed25519_public_key_t *sig_key, const hs_desc_intro_point_t *ip)
void hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
static char * encode_legacy_key(const hs_desc_intro_point_t *ip)
static hs_desc_decode_status_t(* decode_superencrypted_handlers[])(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
static int desc_encode_v3(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static int decode_pow_params(const directory_token_t *tok, hs_pow_desc_params_t *pow_params)
static void decode_intro_points(const hs_descriptor_t *desc, hs_desc_encrypted_data_t *desc_enc, const char *data)
hs_desc_authorized_client_t * hs_desc_build_fake_authorized_client(void)
size_t hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
static size_t build_secret_data(const ed25519_public_key_t *blinded_pubkey, const uint8_t *descriptor_cookie, uint8_t **secret_data_out)
bool hs_desc_supports_congestion_control(const hs_descriptor_t *desc)
static const struct @20 intro_auth_types[]
STATIC int desc_sig_is_valid(const char *b64_sig, const ed25519_public_key_t *signing_pubkey, const char *encoded_desc, size_t encoded_len)
STATIC hs_desc_decode_status_t desc_decode_superencrypted_v3(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted_out)
static int(* encode_handlers[])(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
STATIC size_t decrypt_desc_layer(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, bool is_superencrypted_layer, char **decrypted_out)
size_t hs_desc_obj_size(const hs_descriptor_t *data)
static int decode_auth_client(const directory_token_t *tok, hs_desc_authorized_client_t *client)
STATIC hs_desc_intro_point_t * decode_introduction_point(const hs_descriptor_t *desc, const char *start)
hs_desc_decode_status_t hs_desc_decode_plaintext(const char *encoded, hs_desc_plaintext_data_t *plaintext)
static int cert_parse_and_validate(tor_cert_t **cert_out, const char *data, size_t data_len, unsigned int cert_type_wanted, const char *err_msg)
STATIC size_t build_plaintext_padding(const char *plaintext, size_t plaintext_len, uint8_t **padded_out)
static char * encode_onion_key(const hs_desc_intro_point_t *ip)
static char * get_auth_client_str(const hs_desc_authorized_client_t *client)
static char * get_all_auth_client_lines(const hs_descriptor_t *desc)
void hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
void hs_descriptor_free_(hs_descriptor_t *desc)
static char * encrypt_desc_data_and_base64(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *encoded_str, int is_superencrypted_layer)
static int encode_superencrypted_data(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, char **encrypted_blob_out)
static char * get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
STATIC smartlist_t * decode_link_specifiers(const char *encoded)
void hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)
STATIC int encrypted_data_length_is_valid(size_t len)
void hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
static token_rule_t hs_desc_v3_token_table[]
static void decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
static int decrypt_descriptor_cookie(const hs_descriptor_t *desc, const hs_desc_authorized_client_t *client, const curve25519_secret_key_t *client_auth_sk, uint8_t **descriptor_cookie_out)
hs_desc_decode_status_t hs_desc_decode_superencrypted(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
static token_rule_t hs_desc_superencrypted_v3_token_table[]
STATIC size_t desc_decrypt_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, char **decrypted_out)
void hs_desc_build_authorized_client(const hs_subcredential_t *subcredential, const curve25519_public_key_t *client_auth_pk, const curve25519_secret_key_t *auth_ephemeral_sk, const uint8_t *descriptor_cookie, hs_desc_authorized_client_t *client_out)
static void build_secret_key_iv_mac(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_len, uint8_t *iv_out, size_t iv_len, uint8_t *mac_out, size_t mac_len, int is_superencrypted_layer)
hs_desc_intro_point_t * hs_desc_intro_point_new(void)
void hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc)
static size_t encrypt_descriptor_data(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *plaintext, char **encrypted_out, int is_superencrypted_layer)
static size_t compute_padded_plaintext_length(size_t plaintext_len)
STATIC char * encode_link_specifiers(const smartlist_t *specs)
static int set_intro_point_onion_key(curve25519_public_key_t *onion_key_out, const smartlist_t *tokens)
STATIC hs_desc_decode_status_t desc_decode_encrypted_v3(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted_out)
static hs_desc_decode_status_t(* decode_plaintext_handlers[])(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
static int decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
static size_t build_descriptor_cookie_keys(const hs_subcredential_t *subcredential, const curve25519_secret_key_t *sk, const curve25519_public_key_t *pk, uint8_t **keys_out)
static int decode_intro_legacy_key(const directory_token_t *tok, smartlist_t *tokens, hs_desc_intro_point_t *ip, const hs_descriptor_t *desc)
static void build_kdf_key(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_out_len, int is_superencrypted_layer)
void hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
static token_rule_t hs_desc_intro_point_v3_token_table[]
static char * encode_enc_key(const hs_desc_intro_point_t *ip)
static hs_desc_decode_status_t(* decode_encrypted_handlers[])(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
STATIC int cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
static size_t hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
hs_desc_decode_status_t hs_desc_decode_descriptor(const char *encoded, const hs_subcredential_t *subcredential, const curve25519_secret_key_t *client_auth_sk, hs_descriptor_t **desc_out)
static const struct @21 pow_types[]
static size_t build_secret_input(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, uint8_t **secret_input_out)
void hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
static hs_desc_decode_status_t desc_decode_plaintext_v3(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
void hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client)
static void build_mac(const uint8_t *mac_key, size_t mac_key_len, const uint8_t *salt, size_t salt_len, const uint8_t *encrypted, size_t encrypted_len, uint8_t *mac_out, size_t mac_len)
Header file for hs_descriptor.c.
#define HS_DESC_CLIENT_ID_LEN
#define HS_DESC_ENCRYPTED_SALT_LEN
#define HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE
#define HS_DESC_AUTH_CLIENT_MULTIPLE
static int hs_desc_is_supported_version(uint32_t version)
#define HS_DESC_ENCRYPTED_KEY_LEN
#define HS_DESC_CERT_LIFETIME
#define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN
#define HS_DESC_MAX_LIFETIME
Header file containing PoW denial of service defenses for the HS subsystem for all versions.
#define log_fn(severity, domain, args,...)
memarea_t * memarea_new(void)
#define memarea_drop_all(area)
Master header file for Tor-specific functionality.
uint64_t tor_parse_uint64(const char *s, int base, uint64_t min, uint64_t max, int *ok, char **next)
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
void token_clear(directory_token_t *tok)
smartlist_t * find_all_by_keyword(const smartlist_t *s, directory_keyword k)
int tokenize_string(memarea_t *area, const char *start, const char *end, smartlist_t *out, const token_rule_t *table, int flags)
directory_token_t * find_opt_by_keyword(const smartlist_t *s, directory_keyword keyword)
Header file for parsecommon.c.
#define T1_END(s, t, a, o)
#define T1_START(s, t, a, o)
int tor_asprintf(char **strp, const char *fmt,...)
int protocol_list_supports_protocol(const char *list, protocol_type_t tp, uint32_t version)
const char * protover_get_supported(const protocol_type_t type)
Headers and type declarations for protover.c.
#define PROTOVER_FLOWCTRL_CC
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
uint8_t iv[CIPHER_IV_LEN]
uint8_t encrypted_cookie[HS_DESC_ENCRYPED_COOKIE_LEN]
uint8_t client_id[HS_DESC_CLIENT_ID_LEN]
smartlist_t * intro_auth_types
hs_pow_desc_params_t * pow_params
unsigned int single_onion_service
smartlist_t * intro_points
unsigned int create2_ntor
unsigned int cross_certified
struct hs_desc_intro_point_t::@22::@23 cert
curve25519_public_key_t onion_key
curve25519_public_key_t enc_key
tor_cert_t * enc_key_cert
tor_cert_t * auth_key_cert
struct hs_desc_intro_point_t::@22 legacy
smartlist_t * link_specifiers
uint64_t revision_counter
size_t superencrypted_blob_size
tor_cert_t * signing_key_cert
ed25519_public_key_t signing_pubkey
ed25519_public_key_t blinded_pubkey
uint8_t * superencrypted_blob
curve25519_public_key_t auth_ephemeral_pubkey
size_t encrypted_blob_size
hs_desc_encrypted_data_t encrypted_data
hs_desc_superencrypted_data_t superencrypted_data
hs_subcredential_t subcredential
hs_desc_plaintext_data_t plaintext_data
uint8_t seed[HS_POW_SEED_LEN]
uint32_t suggested_effort
ed25519_public_key_t signing_key
ed25519_public_key_t signed_key
unsigned signing_key_included
#define MOCK_IMPL(rv, funcname, arglist)
void format_iso_time_nospace(char *buf, time_t t)
void format_iso_time(char *buf, time_t t)
int parse_iso_time_nospace(const char *cp, time_t *t)
int rsa_ed25519_crosscert_check(const uint8_t *crosscert, const size_t crosscert_len, const crypto_pk_t *rsa_id_key, const ed25519_public_key_t *master_key, const time_t reject_if_expired_before)
int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now)
const char * tor_cert_describe_signature_status(const tor_cert_t *cert)
tor_cert_t * tor_cert_parse(const uint8_t *encoded, const size_t len)
int fast_mem_is_zero(const char *mem, size_t len)
Header file for versions.c.
#define CURVE25519_OUTPUT_LEN
#define CURVE25519_BASE64_PADDED_LEN
#define ED25519_PUBKEY_LEN
#define ED25519_SIG_BASE64_LEN
#define CURVE25519_PUBKEY_LEN