Tor 0.4.9.2-alpha-dev
All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Modules Pages
hs_descriptor.c
Go to the documentation of this file.
1/* Copyright (c) 2016-2021, The Tor Project, Inc. */
2/* See LICENSE for licensing information */
3
4/**
5 * \file hs_descriptor.c
6 * \brief Handle hidden service descriptor encoding/decoding.
7 *
8 * \details
9 * Here is a graphical depiction of an HS descriptor and its layers:
10 *
11 * +------------------------------------------------------+
12 * |DESCRIPTOR HEADER: |
13 * | hs-descriptor 3 |
14 * | descriptor-lifetime 180 |
15 * | ... |
16 * | superencrypted |
17 * |+---------------------------------------------------+ |
18 * ||SUPERENCRYPTED LAYER (aka OUTER ENCRYPTED LAYER): | |
19 * || desc-auth-type x25519 | |
20 * || desc-auth-ephemeral-key | |
21 * || auth-client | |
22 * || auth-client | |
23 * || ... | |
24 * || encrypted | |
25 * ||+-------------------------------------------------+| |
26 * |||ENCRYPTED LAYER (aka INNER ENCRYPTED LAYER): || |
27 * ||| create2-formats || |
28 * ||| intro-auth-required || |
29 * ||| introduction-point || |
30 * ||| introduction-point || |
31 * ||| ... || |
32 * ||+-------------------------------------------------+| |
33 * |+---------------------------------------------------+ |
34 * +------------------------------------------------------+
35 *
36 * The DESCRIPTOR HEADER section is completely unencrypted and contains generic
37 * descriptor metadata.
38 *
39 * The SUPERENCRYPTED LAYER section is the first layer of encryption, and it's
40 * encrypted using the blinded public key of the hidden service to protect
41 * against entities who don't know its onion address. The clients of the hidden
42 * service know its onion address and blinded public key, whereas third-parties
43 * (like HSDirs) don't know it (except if it's a public hidden service).
44 *
45 * The ENCRYPTED LAYER section is the second layer of encryption, and it's
46 * encrypted using the client authorization key material (if those exist). When
47 * client authorization is enabled, this second layer of encryption protects
48 * the descriptor content from unauthorized entities. If client authorization
49 * is disabled, this second layer of encryption does not provide any extra
50 * security but is still present. The plaintext of this layer contains all the
51 * information required to connect to the hidden service like its list of
52 * introduction points.
53 **/
54
55/* For unit tests.*/
56#define HS_DESCRIPTOR_PRIVATE
57
58#include <stdbool.h>
59#include "core/or/or.h"
60#include "app/config/config.h"
61#include "trunnel/ed25519_cert.h" /* Trunnel interface. */
65#include "core/or/protover.h"
69#include "feature/hs/hs_cache.h"
71#include "feature/hs/hs_pow.h"
72#include "feature/nodelist/torcert.h" /* tor_cert_encode_ed22519() */
73#include "lib/memarea/memarea.h"
75#include "core/or/versions.h"
76
78
79/* Constant string value used for the descriptor format. */
80#define str_hs_desc "hs-descriptor"
81#define str_desc_cert "descriptor-signing-key-cert"
82#define str_rev_counter "revision-counter"
83#define str_superencrypted "superencrypted"
84#define str_encrypted "encrypted"
85#define str_signature "signature"
86#define str_lifetime "descriptor-lifetime"
87/* Constant string value for the encrypted part of the descriptor. */
88#define str_create2_formats "create2-formats"
89#define str_intro_auth_required "intro-auth-required"
90#define str_single_onion "single-onion-service"
91#define str_intro_point "introduction-point"
92#define str_ip_onion_key "onion-key"
93#define str_ip_auth_key "auth-key"
94#define str_ip_enc_key "enc-key"
95#define str_ip_enc_key_cert "enc-key-cert"
96#define str_ip_legacy_key "legacy-key"
97#define str_ip_legacy_key_cert "legacy-key-cert"
98#define str_intro_point_start "\n" str_intro_point " "
99#define str_flow_control "flow-control"
100#define str_pow_params "pow-params"
101/* Constant string value for the construction to encrypt the encrypted data
102 * section. */
103#define str_enc_const_superencryption "hsdir-superencrypted-data"
104#define str_enc_const_encryption "hsdir-encrypted-data"
105/* Prefix required to compute/verify HS desc signatures */
106#define str_desc_sig_prefix "Tor onion service descriptor sig v3"
107#define str_desc_auth_type "desc-auth-type"
108#define str_desc_auth_key "desc-auth-ephemeral-key"
109#define str_desc_auth_client "auth-client"
110#define str_encrypted "encrypted"
111
112/** Authentication supported types. */
113static const struct {
115 const char *identifier;
116} intro_auth_types[] = {
117 { HS_DESC_AUTH_ED25519, "ed25519" },
118 /* Indicate end of array. */
119 { 0, NULL }
121
122/** PoW supported types. */
123static const struct {
125 const char *identifier;
126} pow_types[] = {
127 { HS_POW_DESC_V1, "v1"},
128 /* Indicate end of array. */
129 { 0, NULL }
131
132/** Descriptor ruleset. */
134 T1_START(str_hs_desc, R_HS_DESCRIPTOR, EQ(1), NO_OBJ),
135 T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ),
136 T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ),
137 T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ),
138 T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ),
139 T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ),
141};
142
143/** Descriptor ruleset for the superencrypted section. */
145 T1_START(str_desc_auth_type, R3_DESC_AUTH_TYPE, GE(1), NO_OBJ),
146 T1(str_desc_auth_key, R3_DESC_AUTH_KEY, GE(1), NO_OBJ),
147 T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT, GE(3), NO_OBJ),
148 T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
150};
151
152/** Descriptor ruleset for the encrypted section. */
154 T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
155 T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, GE(1), NO_OBJ),
156 T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
157 T01(str_flow_control, R3_FLOW_CONTROL, GE(2), NO_OBJ),
158 T0N(str_pow_params, R3_POW_PARAMS, GE(1), NO_OBJ),
160};
161
162/** Descriptor ruleset for the introduction points section. */
164 T1_START(str_intro_point, R3_INTRODUCTION_POINT, EQ(1), NO_OBJ),
165 T1N(str_ip_onion_key, R3_INTRO_ONION_KEY, GE(2), OBJ_OK),
166 T1(str_ip_auth_key, R3_INTRO_AUTH_KEY, NO_ARGS, NEED_OBJ),
167 T1(str_ip_enc_key, R3_INTRO_ENC_KEY, GE(2), OBJ_OK),
168 T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT, ARGS, OBJ_OK),
169 T01(str_ip_legacy_key, R3_INTRO_LEGACY_KEY, ARGS, NEED_KEY_1024),
170 T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT, ARGS, OBJ_OK),
172};
173
174/** Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
175 * We use SHA3-256 for the MAC computation.
176 * This function can't fail. */
177static void
178build_mac(const uint8_t *mac_key, size_t mac_key_len,
179 const uint8_t *salt, size_t salt_len,
180 const uint8_t *encrypted, size_t encrypted_len,
181 uint8_t *mac_out, size_t mac_len)
182{
183 crypto_digest_t *digest;
184
185 const uint64_t mac_len_netorder = tor_htonll(mac_key_len);
186 const uint64_t salt_len_netorder = tor_htonll(salt_len);
187
188 tor_assert(mac_key);
189 tor_assert(salt);
190 tor_assert(encrypted);
191 tor_assert(mac_out);
192
193 digest = crypto_digest256_new(DIGEST_SHA3_256);
194 /* As specified in section 2.5 of proposal 224, first add the mac key
195 * then add the salt first and then the encrypted section. */
196
197 crypto_digest_add_bytes(digest, (const char *) &mac_len_netorder, 8);
198 crypto_digest_add_bytes(digest, (const char *) mac_key, mac_key_len);
199 crypto_digest_add_bytes(digest, (const char *) &salt_len_netorder, 8);
200 crypto_digest_add_bytes(digest, (const char *) salt, salt_len);
201 crypto_digest_add_bytes(digest, (const char *) encrypted, encrypted_len);
202 crypto_digest_get_digest(digest, (char *) mac_out, mac_len);
203 crypto_digest_free(digest);
204}
205
206/** Using a secret data and a given descriptor object, build the secret
207 * input needed for the KDF.
208 *
209 * secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
210 *
211 * Then, set the newly allocated buffer in secret_input_out and return the
212 * length of the buffer. */
213static size_t
215 const uint8_t *secret_data,
216 size_t secret_data_len,
217 uint8_t **secret_input_out)
218{
219 size_t offset = 0;
220 size_t secret_input_len = secret_data_len + DIGEST256_LEN + sizeof(uint64_t);
221 uint8_t *secret_input = NULL;
222
223 tor_assert(desc);
224 tor_assert(secret_data);
225 tor_assert(secret_input_out);
226
227 secret_input = tor_malloc_zero(secret_input_len);
228
229 /* Copy the secret data. */
230 memcpy(secret_input, secret_data, secret_data_len);
231 offset += secret_data_len;
232 /* Copy subcredential. */
233 memcpy(secret_input + offset, desc->subcredential.subcred, DIGEST256_LEN);
234 offset += DIGEST256_LEN;
235 /* Copy revision counter value. */
236 set_uint64(secret_input + offset,
238 offset += sizeof(uint64_t);
239 tor_assert(secret_input_len == offset);
240
241 *secret_input_out = secret_input;
242
243 return secret_input_len;
244}
245
246/** Do the KDF construction and put the resulting data in key_out which is of
247 * key_out_len length. It uses SHAKE-256 as specified in the spec. */
248static void
250 const uint8_t *secret_data,
251 size_t secret_data_len,
252 const uint8_t *salt, size_t salt_len,
253 uint8_t *key_out, size_t key_out_len,
254 int is_superencrypted_layer)
255{
256 uint8_t *secret_input = NULL;
257 size_t secret_input_len;
258 crypto_xof_t *xof;
259
260 tor_assert(desc);
261 tor_assert(secret_data);
262 tor_assert(salt);
263 tor_assert(key_out);
264
265 /* Build the secret input for the KDF computation. */
266 secret_input_len = build_secret_input(desc, secret_data,
267 secret_data_len, &secret_input);
268
269 xof = crypto_xof_new();
270 /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
271 crypto_xof_add_bytes(xof, secret_input, secret_input_len);
272 crypto_xof_add_bytes(xof, salt, salt_len);
273
274 /* Feed in the right string constant based on the desc layer */
275 if (is_superencrypted_layer) {
276 crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_superencryption,
277 strlen(str_enc_const_superencryption));
278 } else {
279 crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_encryption,
280 strlen(str_enc_const_encryption));
281 }
282
283 /* Eat from our KDF. */
284 crypto_xof_squeeze_bytes(xof, key_out, key_out_len);
285 crypto_xof_free(xof);
286 memwipe(secret_input, 0, secret_input_len);
287
288 tor_free(secret_input);
289}
290
291/** Using the given descriptor, secret data, and salt, run it through our
292 * KDF function and then extract a secret key in key_out, the IV in iv_out
293 * and MAC in mac_out. This function can't fail. */
294static void
296 const uint8_t *secret_data,
297 size_t secret_data_len,
298 const uint8_t *salt, size_t salt_len,
299 uint8_t *key_out, size_t key_len,
300 uint8_t *iv_out, size_t iv_len,
301 uint8_t *mac_out, size_t mac_len,
302 int is_superencrypted_layer)
303{
304 size_t offset = 0;
305 uint8_t kdf_key[HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN];
306
307 tor_assert(desc);
308 tor_assert(secret_data);
309 tor_assert(salt);
310 tor_assert(key_out);
311 tor_assert(iv_out);
312 tor_assert(mac_out);
313
314 build_kdf_key(desc, secret_data, secret_data_len,
315 salt, salt_len, kdf_key, sizeof(kdf_key),
316 is_superencrypted_layer);
317 /* Copy the bytes we need for both the secret key and IV. */
318 memcpy(key_out, kdf_key, key_len);
319 offset += key_len;
320 memcpy(iv_out, kdf_key + offset, iv_len);
321 offset += iv_len;
322 memcpy(mac_out, kdf_key + offset, mac_len);
323 /* Extra precaution to make sure we are not out of bound. */
324 tor_assert((offset + mac_len) == sizeof(kdf_key));
325 memwipe(kdf_key, 0, sizeof(kdf_key));
326}
327
328/* === ENCODING === */
329
330/** Encode the given link specifier objects into a newly allocated string.
331 * This can't fail so caller can always assume a valid string being
332 * returned. */
333STATIC char *
335{
336 char *encoded_b64 = NULL;
337 link_specifier_list_t *lslist = link_specifier_list_new();
338
339 tor_assert(specs);
340 /* No link specifiers is a code flow error, can't happen. */
341 tor_assert(smartlist_len(specs) > 0);
342 tor_assert(smartlist_len(specs) <= UINT8_MAX);
343
344 link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
345
346 SMARTLIST_FOREACH_BEGIN(specs, const link_specifier_t *,
347 spec) {
348 link_specifier_t *ls = link_specifier_dup(spec);
349 tor_assert(ls);
350 link_specifier_list_add_spec(lslist, ls);
351 } SMARTLIST_FOREACH_END(spec);
352
353 {
354 uint8_t *encoded;
355 ssize_t encoded_len, encoded_b64_len, ret;
356
357 encoded_len = link_specifier_list_encoded_len(lslist);
358 tor_assert(encoded_len > 0);
359 encoded = tor_malloc_zero(encoded_len);
360 ret = link_specifier_list_encode(encoded, encoded_len, lslist);
361 tor_assert(ret == encoded_len);
362
363 /* Base64 encode our binary format. Add extra NUL byte for the base64
364 * encoded value. */
365 encoded_b64_len = base64_encode_size(encoded_len, 0) + 1;
366 encoded_b64 = tor_malloc_zero(encoded_b64_len);
367 ret = base64_encode(encoded_b64, encoded_b64_len, (const char *) encoded,
368 encoded_len, 0);
369 tor_assert(ret == (encoded_b64_len - 1));
370 tor_free(encoded);
371 }
372
373 link_specifier_list_free(lslist);
374 return encoded_b64;
375}
376
377/** Encode an introduction point legacy key and certificate. Return a newly
378 * allocated string with it. On failure, return NULL. */
379static char *
381{
382 char *key_str, b64_cert[256], *encoded = NULL;
383 size_t key_str_len;
384
385 tor_assert(ip);
386
387 /* Encode cross cert. */
388 if (base64_encode(b64_cert, sizeof(b64_cert),
389 (const char *) ip->legacy.cert.encoded,
390 ip->legacy.cert.len, BASE64_ENCODE_MULTILINE) < 0) {
391 log_warn(LD_REND, "Unable to encode legacy crosscert.");
392 goto done;
393 }
394 /* Convert the encryption key to PEM format NUL terminated. */
396 &key_str_len) < 0) {
397 log_warn(LD_REND, "Unable to encode legacy encryption key.");
398 goto done;
399 }
400 tor_asprintf(&encoded,
401 "%s \n%s" /* Newline is added by the call above. */
402 "%s\n"
403 "-----BEGIN CROSSCERT-----\n"
404 "%s"
405 "-----END CROSSCERT-----",
406 str_ip_legacy_key, key_str,
407 str_ip_legacy_key_cert, b64_cert);
408 tor_free(key_str);
409
410 done:
411 return encoded;
412}
413
414/** Encode an introduction point encryption key and certificate. Return a newly
415 * allocated string with it. On failure, return NULL. */
416static char *
418{
419 char *encoded = NULL, *encoded_cert;
420 char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
421
422 tor_assert(ip);
423
424 /* Base64 encode the encryption key for the "enc-key" field. */
425 curve25519_public_to_base64(key_b64, &ip->enc_key, true);
426 if (tor_cert_encode_ed22519(ip->enc_key_cert, &encoded_cert) < 0) {
427 goto done;
428 }
429 tor_asprintf(&encoded,
430 "%s ntor %s\n"
431 "%s\n%s",
432 str_ip_enc_key, key_b64,
433 str_ip_enc_key_cert, encoded_cert);
434 tor_free(encoded_cert);
435
436 done:
437 return encoded;
438}
439
440/** Encode an introduction point onion key. Return a newly allocated string
441 * with it. Can not fail. */
442static char *
444{
445 char *encoded = NULL;
446 char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
447
448 tor_assert(ip);
449
450 /* Base64 encode the encryption key for the "onion-key" field. */
451 curve25519_public_to_base64(key_b64, &ip->onion_key, true);
452 tor_asprintf(&encoded, "%s ntor %s", str_ip_onion_key, key_b64);
453
454 return encoded;
455}
456
457/** Encode an introduction point object and return a newly allocated string
458 * with it. On failure, return NULL. */
459static char *
461 const hs_desc_intro_point_t *ip)
462{
463 char *encoded_ip = NULL;
464 smartlist_t *lines = smartlist_new();
465
466 tor_assert(ip);
467 tor_assert(sig_key);
468
469 /* Encode link specifier. */
470 {
471 char *ls_str = encode_link_specifiers(ip->link_specifiers);
472 smartlist_add_asprintf(lines, "%s %s", str_intro_point, ls_str);
473 tor_free(ls_str);
474 }
475
476 /* Onion key encoding. */
477 {
478 char *encoded_onion_key = encode_onion_key(ip);
479 if (encoded_onion_key == NULL) {
480 goto err;
481 }
482 smartlist_add_asprintf(lines, "%s", encoded_onion_key);
483 tor_free(encoded_onion_key);
484 }
485
486 /* Authentication key encoding. */
487 {
488 char *encoded_cert;
489 if (tor_cert_encode_ed22519(ip->auth_key_cert, &encoded_cert) < 0) {
490 goto err;
491 }
492 smartlist_add_asprintf(lines, "%s\n%s", str_ip_auth_key, encoded_cert);
493 tor_free(encoded_cert);
494 }
495
496 /* Encryption key encoding. */
497 {
498 char *encoded_enc_key = encode_enc_key(ip);
499 if (encoded_enc_key == NULL) {
500 goto err;
501 }
502 smartlist_add_asprintf(lines, "%s", encoded_enc_key);
503 tor_free(encoded_enc_key);
504 }
505
506 /* Legacy key if any. */
507 if (ip->legacy.key != NULL) {
508 /* Strong requirement else the IP creation was badly done. */
509 tor_assert(ip->legacy.cert.encoded);
510 char *encoded_legacy_key = encode_legacy_key(ip);
511 if (encoded_legacy_key == NULL) {
512 goto err;
513 }
514 smartlist_add_asprintf(lines, "%s", encoded_legacy_key);
515 tor_free(encoded_legacy_key);
516 }
517
518 /* Join them all in one blob of text. */
519 encoded_ip = smartlist_join_strings(lines, "\n", 1, NULL);
520
521 err:
522 SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
523 smartlist_free(lines);
524 return encoded_ip;
525}
526
527/** Given a source length, return the new size including padding for the
528 * plaintext encryption. */
529static size_t
531{
532 size_t plaintext_padded_len;
533 const int padding_block_length = HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE;
534
535 /* Make sure we won't overflow. */
536 tor_assert(plaintext_len <= (SIZE_T_CEILING - padding_block_length));
537
538 /* Get the extra length we need to add. For example, if srclen is 10200
539 * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
540 plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
541 padding_block_length;
542 /* Can never be extra careful. Make sure we are _really_ padded. */
543 tor_assert(!(plaintext_padded_len % padding_block_length));
544 return plaintext_padded_len;
545}
546
547/** Given a buffer, pad it up to the encrypted section padding requirement. Set
548 * the newly allocated string in padded_out and return the length of the
549 * padded buffer. */
550STATIC size_t
551build_plaintext_padding(const char *plaintext, size_t plaintext_len,
552 uint8_t **padded_out)
553{
554 size_t padded_len;
555 uint8_t *padded;
556
557 tor_assert(plaintext);
558 tor_assert(padded_out);
559
560 /* Allocate the final length including padding. */
561 padded_len = compute_padded_plaintext_length(plaintext_len);
562 tor_assert(padded_len >= plaintext_len);
563 padded = tor_malloc_zero(padded_len);
564
565 memcpy(padded, plaintext, plaintext_len);
566 *padded_out = padded;
567 return padded_len;
568}
569
570/** Using a key, IV and plaintext data of length plaintext_len, create the
571 * encrypted section by encrypting it and setting encrypted_out with the
572 * data. Return size of the encrypted data buffer. */
573static size_t
574build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
575 size_t plaintext_len, uint8_t **encrypted_out,
576 int is_superencrypted_layer)
577{
578 size_t encrypted_len;
579 uint8_t *padded_plaintext, *encrypted;
580 crypto_cipher_t *cipher;
581
582 tor_assert(key);
583 tor_assert(iv);
584 tor_assert(plaintext);
585 tor_assert(encrypted_out);
586
587 /* If we are encrypting the middle layer of the descriptor, we need to first
588 pad the plaintext */
589 if (is_superencrypted_layer) {
590 encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
591 &padded_plaintext);
592 /* Extra precautions that we have a valid padding length. */
594 } else { /* No padding required for inner layers */
595 padded_plaintext = tor_memdup(plaintext, plaintext_len);
596 encrypted_len = plaintext_len;
597 }
598
599 /* This creates a cipher for AES. It can't fail. */
600 cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
601 HS_DESC_ENCRYPTED_BIT_SIZE);
602 /* We use a stream cipher so the encrypted length will be the same as the
603 * plaintext padded length. */
604 encrypted = tor_malloc_zero(encrypted_len);
605 /* This can't fail. */
606 crypto_cipher_encrypt(cipher, (char *) encrypted,
607 (const char *) padded_plaintext, encrypted_len);
608 *encrypted_out = encrypted;
609 /* Cleanup. */
610 crypto_cipher_free(cipher);
611 tor_free(padded_plaintext);
612 return encrypted_len;
613}
614
615/** Encrypt the given <b>plaintext</b> buffer using <b>desc</b> and
616 * <b>secret_data</b> to get the keys. Set encrypted_out with the encrypted
617 * data and return the length of it. <b>is_superencrypted_layer</b> is set
618 * if this is the outer encrypted layer of the descriptor. */
619static size_t
621 const uint8_t *secret_data,
622 size_t secret_data_len,
623 const char *plaintext,
624 char **encrypted_out, int is_superencrypted_layer)
625{
626 char *final_blob;
627 size_t encrypted_len, final_blob_len, offset = 0;
628 uint8_t *encrypted;
629 uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
630 uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
631 uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
632
633 tor_assert(desc);
634 tor_assert(secret_data);
635 tor_assert(plaintext);
636 tor_assert(encrypted_out);
637
638 /* Get our salt. The returned bytes are already hashed. */
639 crypto_strongest_rand(salt, sizeof(salt));
640
641 /* KDF construction resulting in a key from which the secret key, IV and MAC
642 * key are extracted which is what we need for the encryption. */
643 build_secret_key_iv_mac(desc, secret_data, secret_data_len,
644 salt, sizeof(salt),
645 secret_key, sizeof(secret_key),
646 secret_iv, sizeof(secret_iv),
647 mac_key, sizeof(mac_key),
648 is_superencrypted_layer);
649
650 /* Build the encrypted part that is do the actual encryption. */
651 encrypted_len = build_encrypted(secret_key, secret_iv, plaintext,
652 strlen(plaintext), &encrypted,
653 is_superencrypted_layer);
654 memwipe(secret_key, 0, sizeof(secret_key));
655 memwipe(secret_iv, 0, sizeof(secret_iv));
656 /* This construction is specified in section 2.5 of proposal 224. */
657 final_blob_len = sizeof(salt) + encrypted_len + DIGEST256_LEN;
658 final_blob = tor_malloc_zero(final_blob_len);
659
660 /* Build the MAC. */
661 build_mac(mac_key, sizeof(mac_key), salt, sizeof(salt),
662 encrypted, encrypted_len, mac, sizeof(mac));
663 memwipe(mac_key, 0, sizeof(mac_key));
664
665 /* The salt is the first value. */
666 memcpy(final_blob, salt, sizeof(salt));
667 offset = sizeof(salt);
668 /* Second value is the encrypted data. */
669 memcpy(final_blob + offset, encrypted, encrypted_len);
670 offset += encrypted_len;
671 /* Third value is the MAC. */
672 memcpy(final_blob + offset, mac, sizeof(mac));
673 offset += sizeof(mac);
674 /* Cleanup the buffers. */
675 memwipe(salt, 0, sizeof(salt));
676 memwipe(encrypted, 0, encrypted_len);
677 tor_free(encrypted);
678 /* Extra precaution. */
679 tor_assert(offset == final_blob_len);
680
681 *encrypted_out = final_blob;
682 return final_blob_len;
683}
684
685/** Create and return a string containing a client-auth entry. It's the
686 * responsibility of the caller to free the returned string. This function
687 * will never fail. */
688static char *
690{
691 int ret;
692 char *auth_client_str = NULL;
693 /* We are gonna fill these arrays with base64 data. They are all double
694 * the size of their binary representation to fit the base64 overhead. */
695 char client_id_b64[HS_DESC_CLIENT_ID_LEN * 2];
696 char iv_b64[CIPHER_IV_LEN * 2];
697 char encrypted_cookie_b64[HS_DESC_ENCRYPED_COOKIE_LEN * 2];
698
699#define ASSERT_AND_BASE64(field) STMT_BEGIN \
700 tor_assert(!fast_mem_is_zero((char *) client->field, \
701 sizeof(client->field))); \
702 ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
703 client->field, sizeof(client->field)); \
704 tor_assert(ret > 0); \
705 STMT_END
706
707 ASSERT_AND_BASE64(client_id);
708 ASSERT_AND_BASE64(iv);
709 ASSERT_AND_BASE64(encrypted_cookie);
710
711 /* Build the final string */
712 tor_asprintf(&auth_client_str, "%s %s %s %s", str_desc_auth_client,
713 client_id_b64, iv_b64, encrypted_cookie_b64);
714
715#undef ASSERT_AND_BASE64
716
717 return auth_client_str;
718}
719
720/** Create the "client-auth" part of the descriptor and return a
721 * newly-allocated string with it. It's the responsibility of the caller to
722 * free the returned string. */
723static char *
725{
726 smartlist_t *auth_client_lines = smartlist_new();
727 char *auth_client_lines_str = NULL;
728
729 tor_assert(desc);
731 tor_assert(smartlist_len(desc->superencrypted_data.clients) != 0);
732 tor_assert(smartlist_len(desc->superencrypted_data.clients)
734
735 /* Make a line for each client */
737 const hs_desc_authorized_client_t *, client) {
738 char *auth_client_str = NULL;
739
740 auth_client_str = get_auth_client_str(client);
741
742 smartlist_add(auth_client_lines, auth_client_str);
743 } SMARTLIST_FOREACH_END(client);
744
745 /* Join all lines together to form final string */
746 auth_client_lines_str = smartlist_join_strings(auth_client_lines,
747 "\n", 1, NULL);
748 /* Cleanup the mess */
749 SMARTLIST_FOREACH(auth_client_lines, char *, a, tor_free(a));
750 smartlist_free(auth_client_lines);
751
752 return auth_client_lines_str;
753}
754
755/** Create the inner layer of the descriptor (which includes the intro points,
756 * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
757 * an error occurred. It's the responsibility of the caller to free the
758 * returned string. */
759static char *
761{
762 char *encoded_str = NULL;
763 smartlist_t *lines = smartlist_new();
764
765 /* Build the start of the section prior to the introduction points. */
766 {
767 if (!desc->encrypted_data.create2_ntor) {
768 log_err(LD_BUG, "HS desc doesn't have recognized handshake type.");
769 goto err;
770 }
771 smartlist_add_asprintf(lines, "%s %d\n", str_create2_formats,
772 ONION_HANDSHAKE_TYPE_NTOR);
773
774#ifdef TOR_UNIT_TESTS
775 if (desc->encrypted_data.test_extra_plaintext) {
776 smartlist_add(lines,
777 tor_strdup(desc->encrypted_data.test_extra_plaintext));
778 }
779#endif
780
782 smartlist_len(desc->encrypted_data.intro_auth_types)) {
783 /* Put the authentication-required line. */
785 " ", 0, NULL);
786 smartlist_add_asprintf(lines, "%s %s\n", str_intro_auth_required, buf);
787 tor_free(buf);
788 }
789
791 smartlist_add_asprintf(lines, "%s\n", str_single_onion);
792 }
793
795 /* Add flow control line into the descriptor. */
796 smartlist_add_asprintf(lines, "%s %s %u\n", str_flow_control,
797 protover_get_supported(PRT_FLOWCTRL),
799 }
800
801 /* Add PoW parameters if present. */
802 if (desc->encrypted_data.pow_params) {
803 /* Base64 the seed */
804 size_t seed_b64_len = base64_encode_size(HS_POW_SEED_LEN, 0) + 1;
805 char *seed_b64 = tor_malloc_zero(seed_b64_len);
806 int ret = base64_encode(seed_b64, seed_b64_len,
807 (char *)desc->encrypted_data.pow_params->seed,
808 HS_POW_SEED_LEN, 0);
809 /* Return length doesn't count the NUL byte. */
810 tor_assert((size_t) ret == (seed_b64_len - 1));
811
812 /* Convert the expiration time to space-less ISO format. */
813 char time_buf[ISO_TIME_LEN + 1];
816
817 /* Add "pow-params" line to descriptor encoding. */
818 smartlist_add_asprintf(lines, "%s %s %s %u %s\n", str_pow_params,
819 pow_types[desc->encrypted_data.pow_params->type].identifier,
820 seed_b64,
822 time_buf);
823 tor_free(seed_b64);
824 }
825 }
826
827 /* Build the introduction point(s) section. */
829 const hs_desc_intro_point_t *, ip) {
830 char *encoded_ip = encode_intro_point(&desc->plaintext_data.signing_pubkey,
831 ip);
832 if (encoded_ip == NULL) {
833 log_err(LD_BUG, "HS desc intro point is malformed.");
834 goto err;
835 }
836 smartlist_add(lines, encoded_ip);
837 } SMARTLIST_FOREACH_END(ip);
838
839 /* Build the entire encrypted data section into one encoded plaintext and
840 * then encrypt it. */
841 encoded_str = smartlist_join_strings(lines, "", 0, NULL);
842
843 err:
844 SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
845 smartlist_free(lines);
846
847 return encoded_str;
848}
849
850/** Create the middle layer of the descriptor, which includes the client auth
851 * data and the encrypted inner layer (provided as a base64 string at
852 * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
853 * layer plaintext. It's the responsibility of the caller to free the returned
854 * string. Can not fail. */
855static char *
857 const char *layer2_b64_ciphertext)
858{
859 char *layer1_str = NULL;
860 smartlist_t *lines = smartlist_new();
861
862 /* Specify auth type */
863 smartlist_add_asprintf(lines, "%s %s\n", str_desc_auth_type, "x25519");
864
865 { /* Print ephemeral x25519 key */
866 char ephemeral_key_base64[CURVE25519_BASE64_PADDED_LEN + 1];
867 const curve25519_public_key_t *ephemeral_pubkey;
868
869 ephemeral_pubkey = &desc->superencrypted_data.auth_ephemeral_pubkey;
870 tor_assert(!fast_mem_is_zero((char *) ephemeral_pubkey->public_key,
872
873 curve25519_public_to_base64(ephemeral_key_base64, ephemeral_pubkey, true);
874 smartlist_add_asprintf(lines, "%s %s\n",
875 str_desc_auth_key, ephemeral_key_base64);
876
877 memwipe(ephemeral_key_base64, 0, sizeof(ephemeral_key_base64));
878 }
879
880 { /* Create auth-client lines. */
881 char *auth_client_lines = get_all_auth_client_lines(desc);
882 tor_assert(auth_client_lines);
883 smartlist_add(lines, auth_client_lines);
884 }
885
886 /* create encrypted section */
887 {
889 "%s\n"
890 "-----BEGIN MESSAGE-----\n"
891 "%s"
892 "-----END MESSAGE-----",
893 str_encrypted, layer2_b64_ciphertext);
894 }
895
896 layer1_str = smartlist_join_strings(lines, "", 0, NULL);
897
898 /* We need to memwipe all lines because it contains the ephemeral key */
899 SMARTLIST_FOREACH(lines, char *, a, memwipe(a, 0, strlen(a)));
900 SMARTLIST_FOREACH(lines, char *, a, tor_free(a));
901 smartlist_free(lines);
902
903 return layer1_str;
904}
905
906/** Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
907 * returning it. <b>desc</b> is provided to derive the encryption
908 * keys. <b>secret_data</b> is also proved to derive the encryption keys.
909 * <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
910 * middle (superencrypted) layer of the descriptor. It's the responsibility of
911 * the caller to free the returned string. */
912static char *
914 const uint8_t *secret_data,
915 size_t secret_data_len,
916 const char *encoded_str,
917 int is_superencrypted_layer)
918{
919 char *enc_b64;
920 ssize_t enc_b64_len, ret_len, enc_len;
921 char *encrypted_blob = NULL;
922
923 enc_len = encrypt_descriptor_data(desc, secret_data, secret_data_len,
924 encoded_str, &encrypted_blob,
925 is_superencrypted_layer);
926 /* Get the encoded size plus a NUL terminating byte. */
927 enc_b64_len = base64_encode_size(enc_len, BASE64_ENCODE_MULTILINE) + 1;
928 enc_b64 = tor_malloc_zero(enc_b64_len);
929 /* Base64 the encrypted blob before returning it. */
930 ret_len = base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
931 BASE64_ENCODE_MULTILINE);
932 /* Return length doesn't count the NUL byte. */
933 tor_assert(ret_len == (enc_b64_len - 1));
934 tor_free(encrypted_blob);
935
936 return enc_b64;
937}
938
939/** Generate the secret data which is used to encrypt/decrypt the descriptor.
940 *
941 * SECRET_DATA = blinded-public-key
942 * SECRET_DATA = blinded-public-key | descriptor_cookie
943 *
944 * The descriptor_cookie is optional but if it exists, it must be at least
945 * HS_DESC_DESCRIPTOR_COOKIE_LEN bytes long.
946 *
947 * A newly allocated secret data is put in secret_data_out. Return the
948 * length of the secret data. This function cannot fail. */
949static size_t
951 const uint8_t *descriptor_cookie,
952 uint8_t **secret_data_out)
953{
954 size_t secret_data_len;
955 uint8_t *secret_data;
956
957 tor_assert(blinded_pubkey);
958 tor_assert(secret_data_out);
959
960 if (descriptor_cookie) {
961 /* If the descriptor cookie is present, we need both the blinded
962 * pubkey and the descriptor cookie as a secret data. */
963 secret_data_len = ED25519_PUBKEY_LEN + HS_DESC_DESCRIPTOR_COOKIE_LEN;
964 secret_data = tor_malloc(secret_data_len);
965
966 memcpy(secret_data,
967 blinded_pubkey->pubkey,
969 memcpy(secret_data + ED25519_PUBKEY_LEN,
970 descriptor_cookie,
971 HS_DESC_DESCRIPTOR_COOKIE_LEN);
972 } else {
973 /* If the descriptor cookie is not present, we need only the blinded
974 * pubkey as a secret data. */
975 secret_data_len = ED25519_PUBKEY_LEN;
976 secret_data = tor_malloc(secret_data_len);
977 memcpy(secret_data,
978 blinded_pubkey->pubkey,
980 }
981
982 *secret_data_out = secret_data;
983 return secret_data_len;
984}
985
986/** Generate and encode the superencrypted portion of <b>desc</b>. This also
987 * involves generating the encrypted portion of the descriptor, and performing
988 * the superencryption. A newly allocated NUL-terminated string pointer
989 * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
990 * on success else a negative value. */
991static int
993 const uint8_t *descriptor_cookie,
994 char **encrypted_blob_out)
995{
996 int ret = -1;
997 uint8_t *secret_data = NULL;
998 size_t secret_data_len = 0;
999 char *layer2_str = NULL;
1000 char *layer2_b64_ciphertext = NULL;
1001 char *layer1_str = NULL;
1002 char *layer1_b64_ciphertext = NULL;
1003
1004 tor_assert(desc);
1005 tor_assert(encrypted_blob_out);
1006
1007 /* Func logic: We first create the inner layer of the descriptor (layer2).
1008 * We then encrypt it and use it to create the middle layer of the descriptor
1009 * (layer1). Finally we superencrypt the middle layer and return it to our
1010 * caller. */
1011
1012 /* Create inner descriptor layer */
1013 layer2_str = get_inner_encrypted_layer_plaintext(desc);
1014 if (!layer2_str) {
1015 goto err;
1016 }
1017
1018 secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
1019 descriptor_cookie,
1020 &secret_data);
1021
1022 /* Encrypt and b64 the inner layer */
1023 layer2_b64_ciphertext =
1024 encrypt_desc_data_and_base64(desc, secret_data, secret_data_len,
1025 layer2_str, 0);
1026 if (!layer2_b64_ciphertext) {
1027 goto err;
1028 }
1029
1030 /* Now create middle descriptor layer given the inner layer */
1031 layer1_str = get_outer_encrypted_layer_plaintext(desc,layer2_b64_ciphertext);
1032 if (!layer1_str) {
1033 goto err;
1034 }
1035
1036 /* Encrypt and base64 the middle layer */
1037 layer1_b64_ciphertext =
1039 desc->plaintext_data.blinded_pubkey.pubkey,
1041 layer1_str, 1);
1042 if (!layer1_b64_ciphertext) {
1043 goto err;
1044 }
1045
1046 /* Success! */
1047 ret = 0;
1048
1049 err:
1050 memwipe(secret_data, 0, secret_data_len);
1051 tor_free(secret_data);
1052 tor_free(layer1_str);
1053 tor_free(layer2_str);
1054 tor_free(layer2_b64_ciphertext);
1055
1056 *encrypted_blob_out = layer1_b64_ciphertext;
1057 return ret;
1058}
1059
1060/** Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
1061 * newly allocated string of the encoded descriptor. On error, -1 is returned
1062 * and encoded_out is untouched. */
1063static int
1065 const ed25519_keypair_t *signing_kp,
1066 const uint8_t *descriptor_cookie,
1067 char **encoded_out)
1068{
1069 int ret = -1;
1070 char *encoded_str = NULL;
1071 size_t encoded_len;
1072 smartlist_t *lines = smartlist_new();
1073
1074 tor_assert(desc);
1075 tor_assert(signing_kp);
1076 tor_assert(encoded_out);
1077 tor_assert(desc->plaintext_data.version == 3);
1078
1079 /* Build the non-encrypted values. */
1080 {
1081 char *encoded_cert;
1082 /* Encode certificate then create the first line of the descriptor. */
1084 != CERT_TYPE_SIGNING_HS_DESC) {
1085 log_err(LD_BUG, "HS descriptor signing key has an unexpected cert type "
1086 "(%d)", (int) desc->plaintext_data.signing_key_cert->cert_type);
1087 goto err;
1088 }
1089 if (tor_cert_encode_ed22519(desc->plaintext_data.signing_key_cert,
1090 &encoded_cert) < 0) {
1091 /* The function will print error logs. */
1092 goto err;
1093 }
1094 /* Create the hs descriptor line. */
1095 smartlist_add_asprintf(lines, "%s %" PRIu32, str_hs_desc,
1096 desc->plaintext_data.version);
1097 /* Add the descriptor lifetime line (in minutes). */
1098 smartlist_add_asprintf(lines, "%s %" PRIu32, str_lifetime,
1099 desc->plaintext_data.lifetime_sec / 60);
1100 /* Create the descriptor certificate line. */
1101 smartlist_add_asprintf(lines, "%s\n%s", str_desc_cert, encoded_cert);
1102 tor_free(encoded_cert);
1103 /* Create the revision counter line. */
1104 smartlist_add_asprintf(lines, "%s %" PRIu64, str_rev_counter,
1106 }
1107
1108 /* Build the superencrypted data section. */
1109 {
1110 char *enc_b64_blob=NULL;
1111 if (encode_superencrypted_data(desc, descriptor_cookie,
1112 &enc_b64_blob) < 0) {
1113 goto err;
1114 }
1116 "%s\n"
1117 "-----BEGIN MESSAGE-----\n"
1118 "%s"
1119 "-----END MESSAGE-----",
1120 str_superencrypted, enc_b64_blob);
1121 tor_free(enc_b64_blob);
1122 }
1123
1124 /* Join all lines in one string so we can generate a signature and append
1125 * it to the descriptor. */
1126 encoded_str = smartlist_join_strings(lines, "\n", 1, &encoded_len);
1127
1128 /* Sign all fields of the descriptor with our short term signing key. */
1129 {
1131 char ed_sig_b64[ED25519_SIG_BASE64_LEN + 1];
1132 if (ed25519_sign_prefixed(&sig,
1133 (const uint8_t *) encoded_str, encoded_len,
1134 str_desc_sig_prefix, signing_kp) < 0) {
1135 log_warn(LD_BUG, "Can't sign encoded HS descriptor!");
1136 tor_free(encoded_str);
1137 goto err;
1138 }
1139 ed25519_signature_to_base64(ed_sig_b64, &sig);
1140 /* Create the signature line. */
1141 smartlist_add_asprintf(lines, "%s %s", str_signature, ed_sig_b64);
1142 }
1143 /* Free previous string that we used so compute the signature. */
1144 tor_free(encoded_str);
1145 encoded_str = smartlist_join_strings(lines, "\n", 1, NULL);
1146 *encoded_out = encoded_str;
1147
1148 if (strlen(encoded_str) >= hs_cache_get_max_descriptor_size()) {
1149 log_warn(LD_GENERAL, "We just made an HS descriptor that's too big (%d)."
1150 "Failing.", (int)strlen(encoded_str));
1151 tor_free(encoded_str);
1152 goto err;
1153 }
1154
1155 /* XXX: Trigger a control port event. */
1156
1157 /* Success! */
1158 ret = 0;
1159
1160 err:
1161 SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
1162 smartlist_free(lines);
1163 return ret;
1164}
1165
1166/* === DECODING === */
1167
1168/** Given the token tok for an auth client, decode it as
1169 * hs_desc_authorized_client_t. tok->args MUST contain at least 3 elements
1170 * Return 0 on success else -1 on failure. */
1171static int
1174{
1175 int ret = -1;
1176
1177 tor_assert(tok);
1178 tor_assert(tok->n_args >= 3);
1179 tor_assert(client);
1180
1181 if (base64_decode((char *) client->client_id, sizeof(client->client_id),
1182 tok->args[0], strlen(tok->args[0])) !=
1183 sizeof(client->client_id)) {
1184 goto done;
1185 }
1186 if (base64_decode((char *) client->iv, sizeof(client->iv),
1187 tok->args[1], strlen(tok->args[1])) !=
1188 sizeof(client->iv)) {
1189 goto done;
1190 }
1191 if (base64_decode((char *) client->encrypted_cookie,
1192 sizeof(client->encrypted_cookie),
1193 tok->args[2], strlen(tok->args[2])) !=
1194 sizeof(client->encrypted_cookie)) {
1195 goto done;
1196 }
1197
1198 /* Success. */
1199 ret = 0;
1200 done:
1201 return ret;
1202}
1203
1204/** Given an encoded string of the link specifiers, return a newly allocated
1205 * list of decoded link specifiers. Return NULL on error. */
1207decode_link_specifiers(const char *encoded)
1208{
1209 int decoded_len;
1210 size_t encoded_len, i;
1211 uint8_t *decoded;
1212 smartlist_t *results = NULL;
1213 link_specifier_list_t *specs = NULL;
1214
1215 tor_assert(encoded);
1216
1217 encoded_len = strlen(encoded);
1218 decoded = tor_malloc(encoded_len);
1219 decoded_len = base64_decode((char *) decoded, encoded_len, encoded,
1220 encoded_len);
1221 if (decoded_len < 0) {
1222 goto err;
1223 }
1224
1225 if (link_specifier_list_parse(&specs, decoded,
1226 (size_t) decoded_len) < decoded_len) {
1227 goto err;
1228 }
1229 tor_assert(specs);
1230 results = smartlist_new();
1231
1232 for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
1233 link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
1234 if (BUG(!ls)) {
1235 goto err;
1236 }
1237 link_specifier_t *ls_dup = link_specifier_dup(ls);
1238 if (BUG(!ls_dup)) {
1239 goto err;
1240 }
1241 smartlist_add(results, ls_dup);
1242 }
1243
1244 goto done;
1245 err:
1246 if (results) {
1247 SMARTLIST_FOREACH(results, link_specifier_t *, s,
1248 link_specifier_free(s));
1249 smartlist_free(results);
1250 results = NULL;
1251 }
1252 done:
1253 link_specifier_list_free(specs);
1254 tor_free(decoded);
1255 return results;
1256}
1257
1258/** Given a list of authentication types, decode it and put it in the encrypted
1259 * data section. Return 1 if we at least know one of the type or 0 if we know
1260 * none of them. */
1261static int
1263{
1264 int match = 0;
1265
1266 tor_assert(desc);
1267 tor_assert(list);
1268
1270 smartlist_split_string(desc->intro_auth_types, list, " ", 0, 0);
1271
1272 /* Validate the types that we at least know about one. */
1273 SMARTLIST_FOREACH_BEGIN(desc->intro_auth_types, const char *, auth) {
1274 for (int idx = 0; intro_auth_types[idx].identifier; idx++) {
1275 if (!strncmp(auth, intro_auth_types[idx].identifier,
1276 strlen(intro_auth_types[idx].identifier))) {
1277 match = 1;
1278 break;
1279 }
1280 }
1281 } SMARTLIST_FOREACH_END(auth);
1282
1283 return match;
1284}
1285
1286/** Parse a space-delimited list of integers representing CREATE2 formats into
1287 * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
1288static void
1290{
1291 smartlist_t *tokens;
1292
1293 tor_assert(desc);
1294 tor_assert(list);
1295
1296 tokens = smartlist_new();
1297 smartlist_split_string(tokens, list, " ", 0, 0);
1298
1299 SMARTLIST_FOREACH_BEGIN(tokens, char *, s) {
1300 int ok;
1301 unsigned long type = tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
1302 if (!ok) {
1303 log_warn(LD_REND, "Unparseable value %s in create2 list", escaped(s));
1304 continue;
1305 }
1306 switch (type) {
1307 case ONION_HANDSHAKE_TYPE_NTOR:
1308 desc->create2_ntor = 1;
1309 break;
1310 default:
1311 /* We deliberately ignore unsupported handshake types */
1312 continue;
1313 }
1314 } SMARTLIST_FOREACH_END(s);
1315
1316 SMARTLIST_FOREACH(tokens, char *, s, tor_free(s));
1317 smartlist_free(tokens);
1318}
1319
1320/** Given a certificate, validate the certificate for certain conditions which
1321 * are if the given type matches the cert's one, if the signing key is
1322 * included and if the that key was actually used to sign the certificate.
1323 *
1324 * Return 1 iff if all conditions pass or 0 if one of them fails. */
1325STATIC int
1326cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
1327{
1328 tor_assert(log_obj_type);
1329
1330 if (cert == NULL) {
1331 log_warn(LD_REND, "Certificate for %s couldn't be parsed.", log_obj_type);
1332 goto err;
1333 }
1334 if (cert->cert_type != type) {
1335 log_warn(LD_REND, "Invalid cert type %02x for %s.", cert->cert_type,
1336 log_obj_type);
1337 goto err;
1338 }
1339 /* All certificate must have its signing key included. */
1340 if (!cert->signing_key_included) {
1341 log_warn(LD_REND, "Signing key is NOT included for %s.", log_obj_type);
1342 goto err;
1343 }
1344
1345 /* The following will not only check if the signature matches but also the
1346 * expiration date and overall validity. */
1347 if (tor_cert_checksig(cert, &cert->signing_key, approx_time()) < 0) {
1348 if (cert->cert_expired) {
1349 char expiration_str[ISO_TIME_LEN+1];
1350 format_iso_time(expiration_str, cert->valid_until);
1351 log_fn(LOG_PROTOCOL_WARN, LD_REND, "Invalid signature for %s: %s (%s)",
1352 log_obj_type, tor_cert_describe_signature_status(cert),
1353 expiration_str);
1354 } else {
1355 log_warn(LD_REND, "Invalid signature for %s: %s",
1356 log_obj_type, tor_cert_describe_signature_status(cert));
1357 }
1358 goto err;
1359 }
1360
1361 return 1;
1362 err:
1363 return 0;
1364}
1365
1366/** Given some binary data, try to parse it to get a certificate object. If we
1367 * have a valid cert, validate it using the given wanted type. On error, print
1368 * a log using the err_msg has the certificate identifier adding semantic to
1369 * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
1370 * points to a newly allocated certificate object. */
1371static int
1372cert_parse_and_validate(tor_cert_t **cert_out, const char *data,
1373 size_t data_len, unsigned int cert_type_wanted,
1374 const char *err_msg)
1375{
1376 tor_cert_t *cert;
1377
1378 tor_assert(cert_out);
1379 tor_assert(data);
1380 tor_assert(err_msg);
1381
1382 /* Parse certificate. */
1383 cert = tor_cert_parse((const uint8_t *) data, data_len);
1384 if (!cert) {
1385 log_warn(LD_REND, "Certificate for %s couldn't be parsed.", err_msg);
1386 goto err;
1387 }
1388
1389 /* Validate certificate. */
1390 if (!cert_is_valid(cert, cert_type_wanted, err_msg)) {
1391 goto err;
1392 }
1393
1394 *cert_out = cert;
1395 return 0;
1396
1397 err:
1398 tor_cert_free(cert);
1399 *cert_out = NULL;
1400 return -1;
1401}
1402
1403/** Return true iff the given length of the encrypted data of a descriptor
1404 * passes validation. */
1405STATIC int
1407{
1408 /* Make sure there is enough data for the salt and the mac. The equality is
1409 there to ensure that there is at least one byte of encrypted data. */
1411 log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
1412 "Got %lu but minimum value is %d",
1413 (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
1414 goto err;
1415 }
1416
1417 return 1;
1418 err:
1419 return 0;
1420}
1421
1422/** Build the KEYS component for the authorized client computation. The format
1423 * of the construction is:
1424 *
1425 * SECRET_SEED = x25519(sk, pk)
1426 * KEYS = KDF(subcredential | SECRET_SEED, 40)
1427 *
1428 * Set the <b>keys_out</b> argument to point to the buffer containing the KEYS,
1429 * and return the buffer's length. The caller should wipe and free its content
1430 * once done with it. This function can't fail. */
1431static size_t
1433 const curve25519_secret_key_t *sk,
1434 const curve25519_public_key_t *pk,
1435 uint8_t **keys_out)
1436{
1437 uint8_t secret_seed[CURVE25519_OUTPUT_LEN];
1438 uint8_t *keystream;
1439 size_t keystream_len = HS_DESC_CLIENT_ID_LEN + HS_DESC_COOKIE_KEY_LEN;
1440 crypto_xof_t *xof;
1441
1442 tor_assert(subcredential);
1443 tor_assert(sk);
1444 tor_assert(pk);
1445 tor_assert(keys_out);
1446
1447 keystream = tor_malloc_zero(keystream_len);
1448
1449 /* Calculate x25519(sk, pk) to get the secret seed. */
1450 curve25519_handshake(secret_seed, sk, pk);
1451
1452 /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
1453 xof = crypto_xof_new();
1454 crypto_xof_add_bytes(xof, subcredential->subcred, SUBCRED_LEN);
1455 crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
1456 crypto_xof_squeeze_bytes(xof, keystream, keystream_len);
1457 crypto_xof_free(xof);
1458
1459 memwipe(secret_seed, 0, sizeof(secret_seed));
1460
1461 *keys_out = keystream;
1462 return keystream_len;
1463}
1464
1465/** Decrypt the descriptor cookie given the descriptor, the auth client,
1466 * and the client secret key. On success, return 0 and a newly allocated
1467 * descriptor cookie descriptor_cookie_out. On error or if the client id
1468 * is invalid, return -1 and descriptor_cookie_out is set to
1469 * NULL. */
1470static int
1472 const hs_desc_authorized_client_t *client,
1473 const curve25519_secret_key_t *client_auth_sk,
1474 uint8_t **descriptor_cookie_out)
1475{
1476 int ret = -1;
1477 uint8_t *keystream = NULL;
1478 size_t keystream_length = 0;
1479 uint8_t *descriptor_cookie = NULL;
1480 const uint8_t *cookie_key = NULL;
1481 crypto_cipher_t *cipher = NULL;
1482
1483 tor_assert(desc);
1484 tor_assert(client);
1485 tor_assert(client_auth_sk);
1489 tor_assert(!fast_mem_is_zero((char *) desc->subcredential.subcred,
1490 DIGEST256_LEN));
1491
1492 /* Catch potential code-flow cases of an uninitialized private key sneaking
1493 * into this function. */
1494 if (BUG(fast_mem_is_zero((char *)client_auth_sk, sizeof(*client_auth_sk)))) {
1495 goto done;
1496 }
1497
1498 /* Get the KEYS component to derive the CLIENT-ID and COOKIE-KEY. */
1499 keystream_length =
1501 client_auth_sk,
1503 &keystream);
1504 tor_assert(keystream_length > 0);
1505
1506 /* If the client id of auth client is not the same as the calculcated
1507 * client id, it means that this auth client is invalid according to the
1508 * client secret key client_auth_sk. */
1509 if (tor_memneq(client->client_id, keystream, HS_DESC_CLIENT_ID_LEN)) {
1510 goto done;
1511 }
1512 cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
1513
1514 /* This creates a cipher for AES. It can't fail. */
1515 cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client->iv,
1516 HS_DESC_COOKIE_KEY_BIT_SIZE);
1517 descriptor_cookie = tor_malloc_zero(HS_DESC_DESCRIPTOR_COOKIE_LEN);
1518 /* This can't fail. */
1519 crypto_cipher_decrypt(cipher, (char *) descriptor_cookie,
1520 (const char *) client->encrypted_cookie,
1521 sizeof(client->encrypted_cookie));
1522
1523 /* Success. */
1524 ret = 0;
1525 done:
1526 *descriptor_cookie_out = descriptor_cookie;
1527 if (cipher) {
1528 crypto_cipher_free(cipher);
1529 }
1530 memwipe(keystream, 0, keystream_length);
1531 tor_free(keystream);
1532 return ret;
1533}
1534
1535/** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
1536 * <b>encrypted_blob_size</b>. The descriptor cookie is optional. Use
1537 * the descriptor object <b>desc</b> and <b>descriptor_cookie</b>
1538 * to generate the right decryption keys; set <b>decrypted_out</b> to
1539 * the plaintext. If <b>is_superencrypted_layer</b> is set, this is
1540 * the outer encrypted layer of the descriptor.
1541 *
1542 * On any error case, including an empty output, return 0 and set
1543 * *<b>decrypted_out</b> to NULL.
1544 */
1545MOCK_IMPL(STATIC size_t,
1547 const uint8_t *descriptor_cookie,
1548 bool is_superencrypted_layer,
1549 char **decrypted_out))
1550{
1551 uint8_t *decrypted = NULL;
1552 uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
1553 uint8_t *secret_data = NULL;
1554 size_t secret_data_len = 0;
1555 uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
1556 const uint8_t *salt, *encrypted, *desc_mac;
1557 size_t encrypted_len, result_len = 0;
1558 const uint8_t *encrypted_blob = (is_superencrypted_layer)
1561 size_t encrypted_blob_size = (is_superencrypted_layer)
1564
1565 tor_assert(decrypted_out);
1566 tor_assert(desc);
1567 tor_assert(encrypted_blob);
1568
1569 /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
1570 * Make sure we have enough space for all these things. */
1571 if (!encrypted_data_length_is_valid(encrypted_blob_size)) {
1572 goto err;
1573 }
1574
1575 /* Start of the blob thus the salt. */
1576 salt = encrypted_blob;
1577
1578 /* Next is the encrypted data. */
1579 encrypted = encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN;
1580 encrypted_len = encrypted_blob_size -
1582 tor_assert(encrypted_len > 0); /* guaranteed by the check above */
1583
1584 /* And last comes the MAC. */
1585 desc_mac = encrypted_blob + encrypted_blob_size - DIGEST256_LEN;
1586
1587 /* Build secret data to be used in the decryption. */
1588 secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
1589 descriptor_cookie,
1590 &secret_data);
1591
1592 /* KDF construction resulting in a key from which the secret key, IV and MAC
1593 * key are extracted which is what we need for the decryption. */
1594 build_secret_key_iv_mac(desc, secret_data, secret_data_len,
1596 secret_key, sizeof(secret_key),
1597 secret_iv, sizeof(secret_iv),
1598 mac_key, sizeof(mac_key),
1599 is_superencrypted_layer);
1600
1601 /* Build MAC. */
1602 build_mac(mac_key, sizeof(mac_key), salt, HS_DESC_ENCRYPTED_SALT_LEN,
1603 encrypted, encrypted_len, our_mac, sizeof(our_mac));
1604 memwipe(mac_key, 0, sizeof(mac_key));
1605 /* Verify MAC; MAC is H(mac_key || salt || encrypted)
1606 *
1607 * This is a critical check that is making sure the computed MAC matches the
1608 * one in the descriptor. */
1609 if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
1610 log_info(LD_REND, "Encrypted service descriptor MAC check failed");
1611 goto err;
1612 }
1613
1614 {
1615 /* Decrypt. Here we are assured that the encrypted length is valid for
1616 * decryption. */
1617 crypto_cipher_t *cipher;
1618
1619 cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
1620 HS_DESC_ENCRYPTED_BIT_SIZE);
1621 /* Extra byte for the NUL terminated byte. */
1622 decrypted = tor_malloc_zero(encrypted_len + 1);
1623 crypto_cipher_decrypt(cipher, (char *) decrypted,
1624 (const char *) encrypted, encrypted_len);
1625 crypto_cipher_free(cipher);
1626 }
1627
1628 {
1629 /* Adjust length to remove NUL padding bytes */
1630 uint8_t *end = memchr(decrypted, 0, encrypted_len);
1631 result_len = encrypted_len;
1632 if (end) {
1633 result_len = end - decrypted;
1634 }
1635 }
1636
1637 if (result_len == 0) {
1638 /* Treat this as an error, so that somebody will free the output. */
1639 goto err;
1640 }
1641
1642 /* Make sure to NUL terminate the string. */
1643 decrypted[encrypted_len] = '\0';
1644 *decrypted_out = (char *) decrypted;
1645 goto done;
1646
1647 err:
1648 if (decrypted) {
1649 tor_free(decrypted);
1650 }
1651 *decrypted_out = NULL;
1652 result_len = 0;
1653
1654 done:
1655 memwipe(secret_data, 0, secret_data_len);
1656 memwipe(secret_key, 0, sizeof(secret_key));
1657 memwipe(secret_iv, 0, sizeof(secret_iv));
1658 tor_free(secret_data);
1659 return result_len;
1660}
1661
1662/** Decrypt the superencrypted section of the descriptor using the given
1663 * descriptor object <b>desc</b>. A newly allocated NUL terminated string is
1664 * put in decrypted_out which contains the superencrypted layer of the
1665 * descriptor. Return the length of decrypted_out on success else 0 is
1666 * returned and decrypted_out is set to NULL. */
1667MOCK_IMPL(STATIC size_t,
1668desc_decrypt_superencrypted,(const hs_descriptor_t *desc,char **decrypted_out))
1669{
1670 size_t superencrypted_len = 0;
1671 char *superencrypted_plaintext = NULL;
1672
1673 tor_assert(desc);
1674 tor_assert(decrypted_out);
1675
1676 superencrypted_len = decrypt_desc_layer(desc,
1677 NULL,
1678 true, &superencrypted_plaintext);
1679
1680 if (!superencrypted_len) {
1681 log_warn(LD_REND, "Decrypting superencrypted desc failed.");
1682 goto done;
1683 }
1684 tor_assert(superencrypted_plaintext);
1685
1686 done:
1687 /* In case of error, superencrypted_plaintext is already NULL, so the
1688 * following line makes sense. */
1689 *decrypted_out = superencrypted_plaintext;
1690 /* This makes sense too, because, in case of error, this is zero. */
1691 return superencrypted_len;
1692}
1693
1694/** Decrypt the encrypted section of the descriptor using the given descriptor
1695 * object <b>desc</b>. A newly allocated NUL terminated string is put in
1696 * decrypted_out which contains the encrypted layer of the descriptor.
1697 * Return the length of decrypted_out on success else 0 is returned and
1698 * decrypted_out is set to NULL. */
1699MOCK_IMPL(STATIC size_t,
1701 const curve25519_secret_key_t *client_auth_sk,
1702 char **decrypted_out))
1703{
1704 size_t encrypted_len = 0;
1705 char *encrypted_plaintext = NULL;
1706 uint8_t *descriptor_cookie = NULL;
1707
1708 tor_assert(desc);
1710 tor_assert(decrypted_out);
1711
1712 /* If the client secret key is provided, try to find a valid descriptor
1713 * cookie. Otherwise, leave it NULL. */
1714 if (client_auth_sk) {
1716 hs_desc_authorized_client_t *, client) {
1717 /* If we can decrypt the descriptor cookie successfully, we will use that
1718 * descriptor cookie and break from the loop. */
1719 if (!decrypt_descriptor_cookie(desc, client, client_auth_sk,
1720 &descriptor_cookie)) {
1721 break;
1722 }
1723 } SMARTLIST_FOREACH_END(client);
1724 }
1725
1726 encrypted_len = decrypt_desc_layer(desc,
1727 descriptor_cookie,
1728 false, &encrypted_plaintext);
1729
1730 if (!encrypted_len) {
1731 goto err;
1732 }
1733 tor_assert(encrypted_plaintext);
1734
1735 err:
1736 /* In case of error, encrypted_plaintext is already NULL, so the
1737 * following line makes sense. */
1738 *decrypted_out = encrypted_plaintext;
1739 if (descriptor_cookie) {
1740 memwipe(descriptor_cookie, 0, HS_DESC_DESCRIPTOR_COOKIE_LEN);
1741 }
1742 tor_free(descriptor_cookie);
1743 /* This makes sense too, because, in case of error, this is zero. */
1744 return encrypted_len;
1745}
1746
1747/** Given the token tok for an intro point legacy key, the list of tokens, the
1748 * introduction point ip being decoded and the descriptor desc from which it
1749 * comes from, decode the legacy key and set the intro point object. Return 0
1750 * on success else -1 on failure. */
1751static int
1753 smartlist_t *tokens,
1755 const hs_descriptor_t *desc)
1756{
1757 tor_assert(tok);
1758 tor_assert(tokens);
1759 tor_assert(ip);
1760 tor_assert(desc);
1761
1762 if (!crypto_pk_public_exponent_ok(tok->key)) {
1763 log_warn(LD_REND, "Introduction point legacy key is invalid");
1764 goto err;
1765 }
1766 ip->legacy.key = crypto_pk_dup_key(tok->key);
1767 /* Extract the legacy cross certification cert which MUST be present if we
1768 * have a legacy key. */
1769 tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY_CERT);
1770 if (!tok) {
1771 log_warn(LD_REND, "Introduction point legacy key cert is missing");
1772 goto err;
1773 }
1774 tor_assert(tok->object_body);
1775 if (strcmp(tok->object_type, "CROSSCERT")) {
1776 /* Info level because this might be an unknown field that we should
1777 * ignore. */
1778 log_info(LD_REND, "Introduction point legacy encryption key "
1779 "cross-certification has an unknown format.");
1780 goto err;
1781 }
1782 /* Keep a copy of the certificate. */
1783 ip->legacy.cert.encoded = tor_memdup(tok->object_body, tok->object_size);
1784 ip->legacy.cert.len = tok->object_size;
1785 /* The check on the expiration date is for the entire lifetime of a
1786 * certificate which is 24 hours. However, a descriptor has a maximum
1787 * lifetime of 12 hours meaning we have a 12h difference between the two
1788 * which ultimately accommodate the clock skewed client. */
1789 if (rsa_ed25519_crosscert_check(ip->legacy.cert.encoded,
1790 ip->legacy.cert.len, ip->legacy.key,
1793 log_warn(LD_REND, "Unable to check cross-certification on the "
1794 "introduction point legacy encryption key.");
1795 ip->cross_certified = 0;
1796 goto err;
1797 }
1798
1799 /* Success. */
1800 return 0;
1801 err:
1802 return -1;
1803}
1804
1805/** Dig into the descriptor <b>tokens</b> to find the onion key we should use
1806 * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
1807 * was found and well-formed, otherwise return -1 in case of errors. */
1808static int
1810 const smartlist_t *tokens)
1811{
1812 int retval = -1;
1813 smartlist_t *onion_keys = NULL;
1814
1815 tor_assert(onion_key_out);
1816
1817 onion_keys = find_all_by_keyword(tokens, R3_INTRO_ONION_KEY);
1818 if (!onion_keys) {
1819 log_warn(LD_REND, "Descriptor did not contain intro onion keys");
1820 goto err;
1821 }
1822
1823 SMARTLIST_FOREACH_BEGIN(onion_keys, directory_token_t *, tok) {
1824 /* This field is using GE(2) so for possible forward compatibility, we
1825 * accept more fields but must be at least 2. */
1826 tor_assert(tok->n_args >= 2);
1827
1828 /* Try to find an ntor key, it's the only recognized type right now */
1829 if (!strcmp(tok->args[0], "ntor")) {
1830 if (curve25519_public_from_base64(onion_key_out, tok->args[1]) < 0) {
1831 log_warn(LD_REND, "Introduction point ntor onion-key is invalid");
1832 goto err;
1833 }
1834 /* Got the onion key! Set the appropriate retval */
1835 retval = 0;
1836 }
1837 } SMARTLIST_FOREACH_END(tok);
1838
1839 /* Log an error if we didn't find it :( */
1840 if (retval < 0) {
1841 log_warn(LD_REND, "Descriptor did not contain ntor onion keys");
1842 }
1843
1844 err:
1845 smartlist_free(onion_keys);
1846 return retval;
1847}
1848
1849/** Given the start of a section and the end of it, decode a single
1850 * introduction point from that section. Return a newly allocated introduction
1851 * point object containing the decoded data. Return NULL if the section can't
1852 * be decoded. */
1854decode_introduction_point(const hs_descriptor_t *desc, const char *start)
1855{
1856 hs_desc_intro_point_t *ip = NULL;
1857 memarea_t *area = NULL;
1858 smartlist_t *tokens = NULL;
1859 const directory_token_t *tok;
1860
1861 tor_assert(desc);
1862 tor_assert(start);
1863
1864 area = memarea_new();
1865 tokens = smartlist_new();
1866 if (tokenize_string(area, start, start + strlen(start),
1867 tokens, hs_desc_intro_point_v3_token_table, 0) < 0) {
1868 log_warn(LD_REND, "Introduction point is not parseable");
1869 goto err;
1870 }
1871
1872 /* Ok we seem to have a well formed section containing enough tokens to
1873 * parse. Allocate our IP object and try to populate it. */
1875
1876 /* "introduction-point" SP link-specifiers NL */
1877 tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
1878 tor_assert(tok->n_args == 1);
1879 /* Our constructor creates this list by default so free it. */
1880 smartlist_free(ip->link_specifiers);
1882 if (!ip->link_specifiers) {
1883 log_warn(LD_REND, "Introduction point has invalid link specifiers");
1884 goto err;
1885 }
1886
1887 /* "onion-key" SP ntor SP key NL */
1888 if (set_intro_point_onion_key(&ip->onion_key, tokens) < 0) {
1889 goto err;
1890 }
1891
1892 /* "auth-key" NL certificate NL */
1893 tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
1894 tor_assert(tok->object_body);
1895 if (strcmp(tok->object_type, "ED25519 CERT")) {
1896 log_warn(LD_REND, "Unexpected object type for introduction auth key");
1897 goto err;
1898 }
1899 /* Parse cert and do some validation. */
1901 tok->object_size, CERT_TYPE_AUTH_HS_IP_KEY,
1902 "introduction point auth-key") < 0) {
1903 goto err;
1904 }
1905 /* Validate authentication certificate with descriptor signing key. */
1907 &desc->plaintext_data.signing_pubkey, 0) < 0) {
1908 log_warn(LD_REND, "Invalid authentication key signature: %s",
1910 goto err;
1911 }
1912
1913 /* Exactly one "enc-key" SP "ntor" SP key NL */
1914 tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
1915 if (!strcmp(tok->args[0], "ntor")) {
1916 /* This field is using GE(2) so for possible forward compatibility, we
1917 * accept more fields but must be at least 2. */
1918 tor_assert(tok->n_args >= 2);
1919
1920 if (curve25519_public_from_base64(&ip->enc_key, tok->args[1]) < 0) {
1921 log_warn(LD_REND, "Introduction point ntor enc-key is invalid");
1922 goto err;
1923 }
1924 } else {
1925 /* Unknown key type so we can't use that introduction point. */
1926 log_warn(LD_REND, "Introduction point encryption key is unrecognized.");
1927 goto err;
1928 }
1929
1930 /* Exactly once "enc-key-cert" NL certificate NL */
1931 tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
1932 tor_assert(tok->object_body);
1933 /* Do the cross certification. */
1934 if (strcmp(tok->object_type, "ED25519 CERT")) {
1935 log_warn(LD_REND, "Introduction point ntor encryption key "
1936 "cross-certification has an unknown format.");
1937 goto err;
1938 }
1940 tok->object_size, CERT_TYPE_CROSS_HS_IP_KEYS,
1941 "introduction point enc-key-cert") < 0) {
1942 goto err;
1943 }
1945 &desc->plaintext_data.signing_pubkey, 0) < 0) {
1946 log_warn(LD_REND, "Invalid encryption key signature: %s",
1948 goto err;
1949 }
1950 /* It is successfully cross certified. Flag the object. */
1951 ip->cross_certified = 1;
1952
1953 /* Do we have a "legacy-key" SP key NL ?*/
1954 tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY);
1955 if (tok) {
1956 if (decode_intro_legacy_key(tok, tokens, ip, desc) < 0) {
1957 goto err;
1958 }
1959 }
1960
1961 /* Introduction point has been parsed successfully. */
1962 goto done;
1963
1964 err:
1965 hs_desc_intro_point_free(ip);
1966 ip = NULL;
1967
1968 done:
1970 smartlist_free(tokens);
1971 if (area) {
1972 memarea_drop_all(area);
1973 }
1974
1975 return ip;
1976}
1977
1978/** Given a descriptor string at <b>data</b>, decode all possible introduction
1979 * points that we can find. Add the introduction point object to desc_enc as we
1980 * find them. This function can't fail and it is possible that zero
1981 * introduction points can be decoded. */
1982static void
1984 hs_desc_encrypted_data_t *desc_enc,
1985 const char *data)
1986{
1987 smartlist_t *chunked_desc = smartlist_new();
1988 smartlist_t *intro_points = smartlist_new();
1989
1990 tor_assert(desc);
1991 tor_assert(desc_enc);
1992 tor_assert(data);
1993 tor_assert(desc_enc->intro_points);
1994
1995 /* Take the desc string, and extract the intro point substrings out of it */
1996 {
1997 /* Split the descriptor string using the intro point header as delimiter */
1998 smartlist_split_string(chunked_desc, data, str_intro_point_start, 0, 0);
1999
2000 /* Check if there are actually any intro points included. The first chunk
2001 * should be other descriptor fields (e.g. create2-formats), so it's not an
2002 * intro point. */
2003 if (smartlist_len(chunked_desc) < 2) {
2004 goto done;
2005 }
2006 }
2007
2008 /* Take the intro point substrings, and prepare them for parsing */
2009 {
2010 int i = 0;
2011 /* Prepend the introduction-point header to all the chunks, since
2012 smartlist_split_string() devoured it. */
2013 SMARTLIST_FOREACH_BEGIN(chunked_desc, char *, chunk) {
2014 /* Ignore first chunk. It's other descriptor fields. */
2015 if (i++ == 0) {
2016 continue;
2017 }
2018
2019 smartlist_add_asprintf(intro_points, "%s %s", str_intro_point, chunk);
2020 } SMARTLIST_FOREACH_END(chunk);
2021 }
2022
2023 /* Parse the intro points! */
2024 SMARTLIST_FOREACH_BEGIN(intro_points, const char *, intro_point) {
2025 hs_desc_intro_point_t *ip = decode_introduction_point(desc, intro_point);
2026 if (!ip) {
2027 /* Malformed introduction point section. We'll ignore this introduction
2028 * point and continue parsing. New or unknown fields are possible for
2029 * forward compatibility. */
2030 continue;
2031 }
2032 smartlist_add(desc_enc->intro_points, ip);
2033 } SMARTLIST_FOREACH_END(intro_point);
2034
2035 done:
2036 SMARTLIST_FOREACH(chunked_desc, char *, a, tor_free(a));
2037 smartlist_free(chunked_desc);
2038 SMARTLIST_FOREACH(intro_points, char *, a, tor_free(a));
2039 smartlist_free(intro_points);
2040}
2041
2042/** Return 1 iff the given base64 encoded signature in b64_sig from the encoded
2043 * descriptor in encoded_desc validates the descriptor content. */
2044STATIC int
2045desc_sig_is_valid(const char *b64_sig,
2046 const ed25519_public_key_t *signing_pubkey,
2047 const char *encoded_desc, size_t encoded_len)
2048{
2049 int ret = 0;
2051 const char *sig_start;
2052
2053 tor_assert(b64_sig);
2054 tor_assert(signing_pubkey);
2055 tor_assert(encoded_desc);
2056 /* Verifying nothing won't end well :). */
2057 tor_assert(encoded_len > 0);
2058
2059 /* Signature length check. */
2060 if (strlen(b64_sig) != ED25519_SIG_BASE64_LEN) {
2061 log_warn(LD_REND, "Service descriptor has an invalid signature length."
2062 "Expected %d but got %lu",
2063 ED25519_SIG_BASE64_LEN, (unsigned long) strlen(b64_sig));
2064 goto err;
2065 }
2066
2067 /* First, convert base64 blob to an ed25519 signature. */
2068 if (ed25519_signature_from_base64(&sig, b64_sig) != 0) {
2069 log_warn(LD_REND, "Service descriptor does not contain a valid "
2070 "signature");
2071 goto err;
2072 }
2073
2074 /* Find the start of signature. */
2075 sig_start = tor_memstr(encoded_desc, encoded_len, "\n" str_signature " ");
2076 /* Getting here means the token parsing worked for the signature so if we
2077 * can't find the start of the signature, we have a code flow issue. */
2078 if (!sig_start) {
2079 log_warn(LD_GENERAL, "Malformed signature line. Rejecting.");
2080 goto err;
2081 }
2082 /* Skip newline, it has to go in the signature check. */
2083 sig_start++;
2084
2085 /* Validate signature with the full body of the descriptor. */
2087 (const uint8_t *) encoded_desc,
2088 sig_start - encoded_desc,
2089 str_desc_sig_prefix,
2090 signing_pubkey) != 0) {
2091 log_warn(LD_REND, "Invalid signature on service descriptor");
2092 goto err;
2093 }
2094 /* Valid signature! All is good. */
2095 ret = 1;
2096
2097 err:
2098 return ret;
2099}
2100
2101/** Given a list of tokens for PoW params, decode it as a v1
2102 * hs_pow_desc_params_t.
2103 *
2104 * Each token's args MUST contain at least 1 element.
2105 *
2106 * On success, return 0, and set <b>pow_params_out</b> to a new set of
2107 * parameters (or to NULL if there were no v1 parameters). Return -1 on
2108 * failure.
2109 */
2110static int
2112 hs_pow_desc_params_t **pow_params_out)
2113{
2114 bool found_v1 = false;
2115 int ret = -1;
2116 tor_assert(pow_params_out);
2117 *pow_params_out = NULL;
2118
2119 if (!toks)
2120 return 0;
2121
2122 SMARTLIST_FOREACH_BEGIN(toks, const directory_token_t *, tok) {
2123 tor_assert(tok->n_args >= 1);
2124
2125 if (strcmp(tok->args[0], "v1")) {
2126 // Unrecognized type; skip it.
2127 continue;
2128 }
2129
2130 if (found_v1) {
2131 log_warn(LD_REND, "Duplicate v1 PoW entries in descriptor.");
2132 goto done;
2133 }
2134 found_v1 = true;
2135 if (tok->n_args < 4) {
2136 log_warn(LD_REND, "Insufficient arguments for v1 PoW entry.");
2137 goto done;
2138 }
2139
2140 hs_pow_desc_params_t *pow_params = tor_malloc_zero(sizeof(*pow_params));
2141 *pow_params_out = pow_params;
2142 pow_params->type = HS_POW_DESC_V1;
2143
2144 if (base64_decode((char *)pow_params->seed, sizeof(pow_params->seed),
2145 tok->args[1], strlen(tok->args[1])) !=
2146 sizeof(pow_params->seed)) {
2147 log_warn(LD_REND, "Unparseable seed %s in PoW params",
2148 escaped(tok->args[1]));
2149 goto done;
2150 }
2151
2152 int ok;
2153 unsigned long effort =
2154 tor_parse_ulong(tok->args[2], 10, 0, UINT32_MAX, &ok, NULL);
2155 if (!ok) {
2156 log_warn(LD_REND, "Unparseable suggested effort %s in PoW params",
2157 escaped(tok->args[2]));
2158 goto done;
2159 }
2160 pow_params->suggested_effort = (uint32_t)effort;
2161
2162 /* Parse the expiration time of the PoW params. */
2163 time_t expiration_time = 0;
2164 if (parse_iso_time_nospace(tok->args[3], &expiration_time)) {
2165 log_warn(LD_REND, "Unparseable expiration time %s in PoW params",
2166 escaped(tok->args[3]));
2167 goto done;
2168 }
2169 /* Validation of this time is done in client_desc_has_arrived() so we can
2170 * trigger a fetch if expired. */
2171 pow_params->expiration_time = expiration_time;
2172
2173 } SMARTLIST_FOREACH_END(tok);
2174
2175 /* Success. */
2176 ret = 0;
2177
2178 done:
2179 if (ret < 0 && *pow_params_out) {
2180 tor_free(*pow_params_out); // sets it to NULL
2181 }
2182
2183 return ret;
2184}
2185
2186/** Decode descriptor plaintext data for version 3. Given a list of tokens, an
2187 * allocated plaintext object that will be populated and the encoded
2188 * descriptor with its length. The last one is needed for signature
2189 * verification. Unknown tokens are simply ignored so this won't error on
2190 * unknowns but requires that all v3 token be present and valid.
2191 *
2192 * Return 0 on success else a negative value. */
2196 const char *encoded_desc, size_t encoded_len)
2197{
2198 int ok;
2199 directory_token_t *tok;
2200
2201 tor_assert(tokens);
2202 tor_assert(desc);
2203 /* Version higher could still use this function to decode most of the
2204 * descriptor and then they decode the extra part. */
2205 tor_assert(desc->version >= 3);
2206
2207 /* Descriptor lifetime parsing. */
2208 tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
2209 tor_assert(tok->n_args == 1);
2210 desc->lifetime_sec = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2211 UINT32_MAX, &ok, NULL);
2212 if (!ok) {
2213 log_warn(LD_REND, "Service descriptor lifetime value is invalid");
2214 goto err;
2215 }
2216 /* Put it from minute to second. */
2217 desc->lifetime_sec *= 60;
2218 if (desc->lifetime_sec > HS_DESC_MAX_LIFETIME) {
2219 log_warn(LD_REND, "Service descriptor lifetime is too big. "
2220 "Got %" PRIu32 " but max is %d",
2222 goto err;
2223 }
2224
2225 /* Descriptor signing certificate. */
2226 tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
2227 tor_assert(tok->object_body);
2228 /* Expecting a prop220 cert with the signing key extension, which contains
2229 * the blinded public key. */
2230 if (strcmp(tok->object_type, "ED25519 CERT") != 0) {
2231 log_warn(LD_REND, "Service descriptor signing cert wrong type (%s)",
2232 escaped(tok->object_type));
2233 goto err;
2234 }
2236 tok->object_size, CERT_TYPE_SIGNING_HS_DESC,
2237 "service descriptor signing key") < 0) {
2238 goto err;
2239 }
2240
2241 /* Copy the public keys into signing_pubkey and blinded_pubkey */
2242 memcpy(&desc->signing_pubkey, &desc->signing_key_cert->signed_key,
2243 sizeof(ed25519_public_key_t));
2244 memcpy(&desc->blinded_pubkey, &desc->signing_key_cert->signing_key,
2245 sizeof(ed25519_public_key_t));
2246
2247 /* Extract revision counter value. */
2248 tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
2249 tor_assert(tok->n_args == 1);
2250 desc->revision_counter = tor_parse_uint64(tok->args[0], 10, 0,
2251 UINT64_MAX, &ok, NULL);
2252 if (!ok) {
2253 log_warn(LD_REND, "Service descriptor revision-counter is invalid");
2254 goto err;
2255 }
2256
2257 /* Extract the superencrypted data section. */
2258 tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
2259 tor_assert(tok->object_body);
2260 if (strcmp(tok->object_type, "MESSAGE") != 0) {
2261 log_warn(LD_REND, "Desc superencrypted data section is invalid");
2262 goto err;
2263 }
2264 /* Make sure the length of the superencrypted blob is valid. */
2266 goto err;
2267 }
2268
2269 /* Copy the superencrypted blob to the descriptor object so we can handle it
2270 * latter if needed. */
2271 desc->superencrypted_blob = tor_memdup(tok->object_body, tok->object_size);
2273
2274 /* Extract signature and verify it. */
2275 tok = find_by_keyword(tokens, R3_SIGNATURE);
2276 tor_assert(tok->n_args == 1);
2277 /* First arg here is the actual encoded signature. */
2278 if (!desc_sig_is_valid(tok->args[0], &desc->signing_pubkey,
2279 encoded_desc, encoded_len)) {
2280 goto err;
2281 }
2282
2283 return HS_DESC_DECODE_OK;
2284 err:
2285 return HS_DESC_DECODE_PLAINTEXT_ERROR;
2286}
2287
2288/** Decode the version 3 superencrypted section of the given descriptor desc.
2289 * The desc_superencrypted_out will be populated with the decoded data. */
2293 desc_superencrypted_out)
2294{
2295 hs_desc_decode_status_t ret = HS_DESC_DECODE_SUPERENC_ERROR;
2296 char *message = NULL;
2297 size_t message_len;
2298 memarea_t *area = NULL;
2299 directory_token_t *tok;
2300 smartlist_t *tokens = NULL;
2301 /* Rename the parameter because it is too long. */
2302 hs_desc_superencrypted_data_t *superencrypted = desc_superencrypted_out;
2303
2304 tor_assert(desc);
2305 tor_assert(desc_superencrypted_out);
2306
2307 /* Decrypt the superencrypted data that is located in the plaintext section
2308 * in the descriptor as a blob of bytes. */
2309 message_len = desc_decrypt_superencrypted(desc, &message);
2310 if (!message_len) {
2311 log_warn(LD_REND, "Service descriptor decryption failed.");
2312 goto err;
2313 }
2314 tor_assert(message);
2315
2316 area = memarea_new();
2317 tokens = smartlist_new();
2318 if (tokenize_string(area, message, message + message_len,
2319 tokens, hs_desc_superencrypted_v3_token_table, 0) < 0) {
2320 log_warn(LD_REND, "Superencrypted service descriptor is not parseable.");
2321 goto err;
2322 }
2323
2324 /* Verify desc auth type */
2325 tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
2326 tor_assert(tok->n_args >= 1);
2327 if (strcmp(tok->args[0], "x25519")) {
2328 log_warn(LD_DIR, "Unrecognized desc auth type");
2329 goto err;
2330 }
2331
2332 /* Extract desc auth ephemeral key */
2333 tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
2334 tor_assert(tok->n_args >= 1);
2336 tok->args[0]) < 0) {
2337 log_warn(LD_DIR, "Bogus desc auth ephemeral key in HS desc");
2338 goto err;
2339 }
2340
2341 /* Extract desc auth client items */
2342 if (!superencrypted->clients) {
2343 superencrypted->clients = smartlist_new();
2344 }
2345 SMARTLIST_FOREACH_BEGIN(tokens, const directory_token_t *, token) {
2346 if (token->tp == R3_DESC_AUTH_CLIENT) {
2347 tor_assert(token->n_args >= 3);
2348
2350 tor_malloc_zero(sizeof(hs_desc_authorized_client_t));
2351
2352 if (decode_auth_client(token, client) < 0) {
2353 log_warn(LD_REND, "Descriptor client authorization section can't "
2354 "be decoded.");
2355 tor_free(client);
2356 goto err;
2357 }
2358 smartlist_add(superencrypted->clients, client);
2359 }
2360 } SMARTLIST_FOREACH_END(token);
2361
2362 /* Extract the encrypted data section. */
2363 tok = find_by_keyword(tokens, R3_ENCRYPTED);
2364 tor_assert(tok->object_body);
2365 if (strcmp(tok->object_type, "MESSAGE") != 0) {
2366 log_warn(LD_REND, "Desc encrypted data section is invalid");
2367 goto err;
2368 }
2369 /* Make sure the length of the encrypted blob is valid. */
2371 goto err;
2372 }
2373
2374 /* Copy the encrypted blob to the descriptor object so we can handle it
2375 * latter if needed. */
2376 tor_assert(tok->object_size <= INT_MAX);
2377 superencrypted->encrypted_blob = tor_memdup(tok->object_body,
2378 tok->object_size);
2379 superencrypted->encrypted_blob_size = tok->object_size;
2380
2381 ret = HS_DESC_DECODE_OK;
2382 goto done;
2383
2384 err:
2385 tor_assert(ret < HS_DESC_DECODE_OK);
2386 hs_desc_superencrypted_data_free_contents(desc_superencrypted_out);
2387
2388 done:
2389 if (tokens) {
2391 smartlist_free(tokens);
2392 }
2393 if (area) {
2394 memarea_drop_all(area);
2395 }
2396 if (message) {
2397 tor_free(message);
2398 }
2399 return ret;
2400}
2401
2402/** Decode the version 3 encrypted section of the given descriptor desc. The
2403 * desc_encrypted_out will be populated with the decoded data. */
2406 const curve25519_secret_key_t *client_auth_sk,
2407 hs_desc_encrypted_data_t *desc_encrypted_out)
2408{
2409 hs_desc_decode_status_t ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2410 char *message = NULL;
2411 size_t message_len;
2412 memarea_t *area = NULL;
2413 directory_token_t *tok;
2414 smartlist_t *tokens = NULL;
2415
2416 tor_assert(desc);
2417 tor_assert(desc_encrypted_out);
2418
2419 /* Decrypt the encrypted data that is located in the superencrypted section
2420 * in the descriptor as a blob of bytes. */
2421 message_len = desc_decrypt_encrypted(desc, client_auth_sk, &message);
2422 if (!message_len) {
2423 /* Two possible situation here. Either we have a client authorization
2424 * configured that didn't work or we do not have any configured for this
2425 * onion address so likely the descriptor is for authorized client only,
2426 * we are not. */
2427 if (client_auth_sk) {
2428 /* At warning level so the client can notice that its client
2429 * authorization is failing. */
2430 log_warn(LD_REND, "Client authorization for requested onion address "
2431 "is invalid. Can't decrypt the descriptor.");
2432 ret = HS_DESC_DECODE_BAD_CLIENT_AUTH;
2433 } else {
2434 /* Inform at notice level that the onion address requested can't be
2435 * reached without client authorization most likely. */
2436 log_notice(LD_REND, "Fail to decrypt descriptor for requested onion "
2437 "address. It is likely requiring client "
2438 "authorization.");
2439 ret = HS_DESC_DECODE_NEED_CLIENT_AUTH;
2440 }
2441 goto err;
2442 }
2443 tor_assert(message);
2444
2445 area = memarea_new();
2446 tokens = smartlist_new();
2447 if (tokenize_string(area, message, message + message_len,
2448 tokens, hs_desc_encrypted_v3_token_table, 0) < 0) {
2449 log_warn(LD_REND, "Encrypted service descriptor is not parseable.");
2450 goto err;
2451 }
2452
2453 /* CREATE2 supported cell format. It's mandatory. */
2454 tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
2455 tor_assert(tok);
2456 decode_create2_list(desc_encrypted_out, tok->args[0]);
2457 /* Must support ntor according to the specification */
2458 if (!desc_encrypted_out->create2_ntor) {
2459 log_warn(LD_REND, "Service create2-formats does not include ntor.");
2460 goto err;
2461 }
2462
2463 /* Authentication type. It's optional but only once. */
2464 tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
2465 if (tok) {
2466 tor_assert(tok->n_args >= 1);
2467 if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
2468 log_warn(LD_REND, "Service descriptor authentication type has "
2469 "invalid entry(ies).");
2470 goto err;
2471 }
2472 }
2473
2474 /* Is this service a single onion service? */
2475 tok = find_opt_by_keyword(tokens, R3_SINGLE_ONION_SERVICE);
2476 if (tok) {
2477 desc_encrypted_out->single_onion_service = 1;
2478 }
2479
2480 /* Get flow control if any. */
2481 tok = find_opt_by_keyword(tokens, R3_FLOW_CONTROL);
2482 if (tok) {
2483 int ok;
2484
2485 tor_asprintf(&desc_encrypted_out->flow_control_pv, "FlowCtrl=%s",
2486 tok->args[0]);
2487 uint8_t sendme_inc =
2488 (uint8_t) tor_parse_uint64(tok->args[1], 10, 0, UINT8_MAX, &ok, NULL);
2489 if (!ok || !congestion_control_validate_sendme_increment(sendme_inc)) {
2490 log_warn(LD_REND, "Service descriptor flow control sendme "
2491 "value is invalid");
2492 goto err;
2493 }
2494 desc_encrypted_out->sendme_inc = sendme_inc;
2495 }
2496
2497 /* Get PoW if any. */
2498 {
2499 smartlist_t *pow_toks = find_all_by_keyword(tokens, R3_POW_PARAMS);
2500 int r = decode_pow_params(pow_toks, &desc_encrypted_out->pow_params);
2501 smartlist_free(pow_toks);
2502 if (r < 0) {
2503 goto err;
2504 }
2505 }
2506
2507 /* Initialize the descriptor's introduction point list before we start
2508 * decoding. Having 0 intro point is valid. Then decode them all. */
2509 desc_encrypted_out->intro_points = smartlist_new();
2510 decode_intro_points(desc, desc_encrypted_out, message);
2511
2512 /* Validation of maximum introduction points allowed. */
2513 if (smartlist_len(desc_encrypted_out->intro_points) >
2514 HS_CONFIG_V3_MAX_INTRO_POINTS) {
2515 log_warn(LD_REND, "Service descriptor contains too many introduction "
2516 "points. Maximum allowed is %d but we have %d",
2517 HS_CONFIG_V3_MAX_INTRO_POINTS,
2518 smartlist_len(desc_encrypted_out->intro_points));
2519 goto err;
2520 }
2521
2522 /* NOTE: Unknown fields are allowed because this function could be used to
2523 * decode other descriptor version. */
2524
2525 ret = HS_DESC_DECODE_OK;
2526 goto done;
2527
2528 err:
2529 tor_assert(ret < HS_DESC_DECODE_OK);
2530 hs_desc_encrypted_data_free_contents(desc_encrypted_out);
2531
2532 done:
2533 if (tokens) {
2535 smartlist_free(tokens);
2536 }
2537 if (area) {
2538 memarea_drop_all(area);
2539 }
2540 if (message) {
2541 tor_free(message);
2542 }
2543 return ret;
2544}
2545
2546/** Table of encrypted decode function version specific. The function are
2547 * indexed by the version number so v3 callback is at index 3 in the array. */
2550 const hs_descriptor_t *desc,
2551 const curve25519_secret_key_t *client_auth_sk,
2552 hs_desc_encrypted_data_t *desc_encrypted) =
2553{
2554 /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2556};
2557
2558/** Decode the encrypted data section of the given descriptor and store the
2559 * data in the given encrypted data object. Return 0 on success else a
2560 * negative value on error. */
2563 const curve25519_secret_key_t *client_auth_sk,
2564 hs_desc_encrypted_data_t *desc_encrypted)
2565{
2566 hs_desc_decode_status_t ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2567 uint32_t version;
2568
2569 tor_assert(desc);
2570 /* Ease our life a bit. */
2571 version = desc->plaintext_data.version;
2572 tor_assert(desc_encrypted);
2573 /* Calling this function without an encrypted blob to parse is a code flow
2574 * error. The superencrypted parsing should never succeed in the first place
2575 * without an encrypted section. */
2577 /* Let's make sure we have a supported version as well. By correctly parsing
2578 * the plaintext, this should not fail. */
2579 if (BUG(!hs_desc_is_supported_version(version))) {
2580 goto err;
2581 }
2582 /* Extra precaution. Having no handler for the supported version should
2583 * never happened else we forgot to add it but we bumped the version. */
2586
2587 /* Run the version specific plaintext decoder. */
2588 ret = decode_encrypted_handlers[version](desc, client_auth_sk,
2589 desc_encrypted);
2590 if (ret < 0) {
2591 goto err;
2592 }
2593
2594 err:
2595 return ret;
2596}
2597
2598/** Table of superencrypted decode function version specific. The function are
2599 * indexed by the version number so v3 callback is at index 3 in the array. */
2602 const hs_descriptor_t *desc,
2603 hs_desc_superencrypted_data_t *desc_superencrypted) =
2604{
2605 /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2607};
2608
2609/** Decode the superencrypted data section of the given descriptor and store
2610 * the data in the given superencrypted data object. */
2614 desc_superencrypted)
2615{
2616 hs_desc_decode_status_t ret = HS_DESC_DECODE_SUPERENC_ERROR;
2617 uint32_t version;
2618
2619 tor_assert(desc);
2620 /* Ease our life a bit. */
2621 version = desc->plaintext_data.version;
2622 tor_assert(desc_superencrypted);
2623 /* Calling this function without an superencrypted blob to parse is
2624 * a code flow error. The plaintext parsing should never succeed in
2625 * the first place without an superencrypted section. */
2627 /* Let's make sure we have a supported version as well. By correctly parsing
2628 * the plaintext, this should not fail. */
2629 if (BUG(!hs_desc_is_supported_version(version))) {
2630 goto err;
2631 }
2632 /* Extra precaution. Having no handler for the supported version should
2633 * never happened else we forgot to add it but we bumped the version. */
2636
2637 /* Run the version specific plaintext decoder. */
2638 ret = decode_superencrypted_handlers[version](desc, desc_superencrypted);
2639 if (ret < 0) {
2640 goto err;
2641 }
2642
2643 err:
2644 return ret;
2645}
2646
2647/** Table of plaintext decode function version specific. The function are
2648 * indexed by the version number so v3 callback is at index 3 in the array. */
2651 smartlist_t *tokens,
2653 const char *encoded_desc,
2654 size_t encoded_len) =
2655{
2656 /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2658};
2659
2660/** Fully decode the given descriptor plaintext and store the data in the
2661 * plaintext data object. */
2663hs_desc_decode_plaintext(const char *encoded,
2664 hs_desc_plaintext_data_t *plaintext)
2665{
2666 int ok = 0;
2667 hs_desc_decode_status_t ret = HS_DESC_DECODE_PLAINTEXT_ERROR;
2668 memarea_t *area = NULL;
2669 smartlist_t *tokens = NULL;
2670 size_t encoded_len;
2671 directory_token_t *tok;
2672
2673 tor_assert(encoded);
2674 tor_assert(plaintext);
2675
2676 /* Check that descriptor is within size limits. */
2677 encoded_len = strlen(encoded);
2678 if (encoded_len >= hs_cache_get_max_descriptor_size()) {
2679 log_warn(LD_REND, "Service descriptor is too big (%lu bytes)",
2680 (unsigned long) encoded_len);
2681 goto err;
2682 }
2683
2684 area = memarea_new();
2685 tokens = smartlist_new();
2686 /* Tokenize the descriptor so we can start to parse it. */
2687 if (tokenize_string(area, encoded, encoded + encoded_len, tokens,
2688 hs_desc_v3_token_table, 0) < 0) {
2689 log_warn(LD_REND, "Service descriptor is not parseable");
2690 goto err;
2691 }
2692
2693 /* Get the version of the descriptor which is the first mandatory field of
2694 * the descriptor. From there, we'll decode the right descriptor version. */
2695 tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
2696 tor_assert(tok->n_args == 1);
2697 plaintext->version = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2698 UINT32_MAX, &ok, NULL);
2699 if (!ok) {
2700 log_warn(LD_REND, "Service descriptor has unparseable version %s",
2701 escaped(tok->args[0]));
2702 goto err;
2703 }
2704 if (!hs_desc_is_supported_version(plaintext->version)) {
2705 log_warn(LD_REND, "Service descriptor has unsupported version %" PRIu32,
2706 plaintext->version);
2707 goto err;
2708 }
2709 /* Extra precaution. Having no handler for the supported version should
2710 * never happened else we forgot to add it but we bumped the version. */
2713
2714 /* Run the version specific plaintext decoder. */
2715 ret = decode_plaintext_handlers[plaintext->version](tokens, plaintext,
2716 encoded, encoded_len);
2717 if (ret != HS_DESC_DECODE_OK) {
2718 goto err;
2719 }
2720 /* Success. Descriptor has been populated with the data. */
2721 ret = HS_DESC_DECODE_OK;
2722
2723 err:
2724 if (tokens) {
2726 smartlist_free(tokens);
2727 }
2728 if (area) {
2729 memarea_drop_all(area);
2730 }
2731 return ret;
2732}
2733
2734/** Fully decode an encoded descriptor and set a newly allocated descriptor
2735 * object in desc_out. Client secret key is used to decrypt the "encrypted"
2736 * section if not NULL else it's ignored.
2737 *
2738 * Return 0 on success. A negative value is returned on error and desc_out is
2739 * set to NULL. */
2741hs_desc_decode_descriptor(const char *encoded,
2742 const hs_subcredential_t *subcredential,
2743 const curve25519_secret_key_t *client_auth_sk,
2744 hs_descriptor_t **desc_out)
2745{
2746 hs_desc_decode_status_t ret = HS_DESC_DECODE_GENERIC_ERROR;
2747 hs_descriptor_t *desc;
2748
2749 tor_assert(encoded);
2750
2751 desc = tor_malloc_zero(sizeof(hs_descriptor_t));
2752
2753 /* Subcredentials are not optional. */
2754 if (BUG(!subcredential ||
2755 fast_mem_is_zero((char*)subcredential, DIGEST256_LEN))) {
2756 log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!");
2757 goto err;
2758 }
2759
2760 memcpy(&desc->subcredential, subcredential, sizeof(desc->subcredential));
2761
2762 ret = hs_desc_decode_plaintext(encoded, &desc->plaintext_data);
2763 if (ret != HS_DESC_DECODE_OK) {
2764 goto err;
2765 }
2766
2768 if (ret != HS_DESC_DECODE_OK) {
2769 goto err;
2770 }
2771
2772 ret = hs_desc_decode_encrypted(desc, client_auth_sk, &desc->encrypted_data);
2773 if (ret != HS_DESC_DECODE_OK) {
2774 goto err;
2775 }
2776
2777 if (desc_out) {
2778 *desc_out = desc;
2779 } else {
2780 hs_descriptor_free(desc);
2781 }
2782 return ret;
2783
2784 err:
2785 hs_descriptor_free(desc);
2786 if (desc_out) {
2787 *desc_out = NULL;
2788 }
2789
2790 tor_assert(ret < 0);
2791 return ret;
2792}
2793
2794/** Table of encode function version specific. The functions are indexed by the
2795 * version number so v3 callback is at index 3 in the array. */
2796static int
2797 (*encode_handlers[])(
2798 const hs_descriptor_t *desc,
2799 const ed25519_keypair_t *signing_kp,
2800 const uint8_t *descriptor_cookie,
2801 char **encoded_out) =
2802{
2803 /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2805};
2806
2807/** Encode the given descriptor desc including signing with the given key pair
2808 * signing_kp and encrypting with the given descriptor cookie.
2809 *
2810 * If the client authorization is enabled, descriptor_cookie must be the same
2811 * as the one used to build hs_desc_authorized_client_t in the descriptor.
2812 * Otherwise, it must be NULL. On success, encoded_out points to a newly
2813 * allocated NUL terminated string that contains the encoded descriptor as
2814 * a string.
2815 *
2816 * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
2817 * returned and encoded_out is set to NULL. */
2818MOCK_IMPL(int,
2820 const ed25519_keypair_t *signing_kp,
2821 const uint8_t *descriptor_cookie,
2822 char **encoded_out))
2823{
2824 int ret = -1;
2825 uint32_t version;
2826
2827 tor_assert(desc);
2828 tor_assert(encoded_out);
2829
2830 /* Make sure we support the version of the descriptor format. */
2831 version = desc->plaintext_data.version;
2832 if (!hs_desc_is_supported_version(version)) {
2833 goto err;
2834 }
2835 /* Extra precaution. Having no handler for the supported version should
2836 * never happened else we forgot to add it but we bumped the version. */
2838 tor_assert(encode_handlers[version]);
2839
2840 ret = encode_handlers[version](desc, signing_kp,
2841 descriptor_cookie, encoded_out);
2842 if (ret < 0) {
2843 goto err;
2844 }
2845
2846 /* Try to decode what we just encoded. Symmetry is nice!, but it is
2847 * symmetric only if the client auth is disabled (That is, the descriptor
2848 * cookie will be NULL) and the test-only mock plaintext isn't in use. */
2849 bool do_round_trip_test = !descriptor_cookie;
2850#ifdef TOR_UNIT_TESTS
2851 if (desc->encrypted_data.test_extra_plaintext) {
2852 do_round_trip_test = false;
2853 }
2854#endif
2855 if (do_round_trip_test) {
2856 ret = hs_desc_decode_descriptor(*encoded_out, &desc->subcredential,
2857 NULL, NULL);
2858 if (BUG(ret != HS_DESC_DECODE_OK)) {
2859 ret = -1;
2860 goto err;
2861 }
2862 }
2863
2864 return 0;
2865
2866 err:
2867 *encoded_out = NULL;
2868 return ret;
2869}
2870
2871/** Free the content of the plaintext section of a descriptor. */
2872void
2874{
2875 if (!desc) {
2876 return;
2877 }
2878
2879 if (desc->superencrypted_blob) {
2881 }
2882 tor_cert_free(desc->signing_key_cert);
2883
2884 memwipe(desc, 0, sizeof(*desc));
2885}
2886
2887/** Free the content of the superencrypted section of a descriptor. */
2888void
2890{
2891 if (!desc) {
2892 return;
2893 }
2894
2895 if (desc->encrypted_blob) {
2896 tor_free(desc->encrypted_blob);
2897 }
2898 if (desc->clients) {
2900 hs_desc_authorized_client_free(client));
2901 smartlist_free(desc->clients);
2902 }
2903
2904 memwipe(desc, 0, sizeof(*desc));
2905}
2906
2907/** Free the content of the encrypted section of a descriptor. */
2908void
2910{
2911 if (!desc) {
2912 return;
2913 }
2914
2915 if (desc->intro_auth_types) {
2916 SMARTLIST_FOREACH(desc->intro_auth_types, char *, a, tor_free(a));
2917 smartlist_free(desc->intro_auth_types);
2918 }
2919 if (desc->intro_points) {
2921 hs_desc_intro_point_free(ip));
2922 smartlist_free(desc->intro_points);
2923 }
2925 tor_free(desc->pow_params);
2926 memwipe(desc, 0, sizeof(*desc));
2927}
2928
2929/** Free the descriptor plaintext data object. */
2930void
2932{
2934 tor_free(desc);
2935}
2936
2937/** Free the descriptor plaintext data object. */
2938void
2940{
2942 tor_free(desc);
2943}
2944
2945/** Free the descriptor encrypted data object. */
2946void
2948{
2950 tor_free(desc);
2951}
2952
2953/** Free the given descriptor object. */
2954void
2956{
2957 if (!desc) {
2958 return;
2959 }
2960
2964 tor_free(desc);
2965}
2966
2967/** Return the size in bytes of the given plaintext data object. A sizeof() is
2968 * not enough because the object contains pointers and the encrypted blob.
2969 * This is particularly useful for our OOM subsystem that tracks the HSDir
2970 * cache size for instance. */
2971size_t
2973{
2974 tor_assert(data);
2975 return (sizeof(*data) + sizeof(*data->signing_key_cert) +
2977}
2978
2979/** Return the size in bytes of the given encrypted data object. Used by OOM
2980 * subsystem. */
2981static size_t
2983{
2984 tor_assert(data);
2985 size_t intro_size = 0;
2986 if (data->intro_auth_types) {
2987 intro_size +=
2988 smartlist_len(data->intro_auth_types) * sizeof(intro_auth_types);
2989 }
2990 if (data->intro_points) {
2991 /* XXX could follow pointers here and get more accurate size */
2992 intro_size +=
2993 smartlist_len(data->intro_points) * sizeof(hs_desc_intro_point_t);
2994 }
2995
2996 return sizeof(*data) + intro_size;
2997}
2998
2999/** Return the size in bytes of the given descriptor object. Used by OOM
3000 * subsystem. */
3001 size_t
3003{
3004 if (data == NULL) {
3005 return 0;
3006 }
3009 sizeof(data->subcredential));
3010}
3011
3012/** Return a newly allocated descriptor intro point. */
3015{
3016 hs_desc_intro_point_t *ip = tor_malloc_zero(sizeof(*ip));
3018 return ip;
3019}
3020
3021/** Free a descriptor intro point object. */
3022void
3024{
3025 if (ip == NULL) {
3026 return;
3027 }
3028 if (ip->link_specifiers) {
3029 SMARTLIST_FOREACH(ip->link_specifiers, link_specifier_t *,
3030 ls, link_specifier_free(ls));
3031 smartlist_free(ip->link_specifiers);
3032 }
3033 tor_cert_free(ip->auth_key_cert);
3034 tor_cert_free(ip->enc_key_cert);
3035 crypto_pk_free(ip->legacy.key);
3036 tor_free(ip->legacy.cert.encoded);
3037 tor_free(ip);
3038}
3039
3040/** Allocate and build a new fake client info for the descriptor. Return a
3041 * newly allocated object. This can't fail. */
3044{
3045 hs_desc_authorized_client_t *client_auth =
3046 tor_malloc_zero(sizeof(*client_auth));
3047
3048 crypto_rand((char *) client_auth->client_id,
3049 sizeof(client_auth->client_id));
3050 crypto_rand((char *) client_auth->iv,
3051 sizeof(client_auth->iv));
3052 crypto_rand((char *) client_auth->encrypted_cookie,
3053 sizeof(client_auth->encrypted_cookie));
3054
3055 return client_auth;
3056}
3057
3058/** Using the service's subcredential, client public key, auth ephemeral secret
3059 * key, and descriptor cookie, build the auth client so we can then encode the
3060 * descriptor for publication. client_out must be already allocated. */
3061void
3063 const curve25519_public_key_t *client_auth_pk,
3065 auth_ephemeral_sk,
3066 const uint8_t *descriptor_cookie,
3067 hs_desc_authorized_client_t *client_out)
3068{
3069 uint8_t *keystream = NULL;
3070 size_t keystream_length = 0;
3071 const uint8_t *cookie_key;
3072 crypto_cipher_t *cipher;
3073
3074 tor_assert(client_auth_pk);
3075 tor_assert(auth_ephemeral_sk);
3076 tor_assert(descriptor_cookie);
3077 tor_assert(client_out);
3078 tor_assert(subcredential);
3079 tor_assert(!fast_mem_is_zero((char *) auth_ephemeral_sk,
3080 sizeof(*auth_ephemeral_sk)));
3081 tor_assert(!fast_mem_is_zero((char *) client_auth_pk,
3082 sizeof(*client_auth_pk)));
3083 tor_assert(!fast_mem_is_zero((char *) descriptor_cookie,
3084 HS_DESC_DESCRIPTOR_COOKIE_LEN));
3085 tor_assert(!fast_mem_is_zero((char *) subcredential,
3086 DIGEST256_LEN));
3087
3088 /* Get the KEYS part so we can derive the CLIENT-ID and COOKIE-KEY. */
3089 keystream_length =
3090 build_descriptor_cookie_keys(subcredential,
3091 auth_ephemeral_sk, client_auth_pk,
3092 &keystream);
3093 tor_assert(keystream_length > 0);
3094
3095 /* Extract the CLIENT-ID and COOKIE-KEY from the KEYS. */
3096 memcpy(client_out->client_id, keystream, HS_DESC_CLIENT_ID_LEN);
3097 cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
3098
3099 /* Random IV */
3100 crypto_strongest_rand(client_out->iv, sizeof(client_out->iv));
3101
3102 /* This creates a cipher for AES. It can't fail. */
3103 cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client_out->iv,
3104 HS_DESC_COOKIE_KEY_BIT_SIZE);
3105 /* This can't fail. */
3106 crypto_cipher_encrypt(cipher, (char *) client_out->encrypted_cookie,
3107 (const char *) descriptor_cookie,
3108 HS_DESC_DESCRIPTOR_COOKIE_LEN);
3109
3110 memwipe(keystream, 0, keystream_length);
3111 tor_free(keystream);
3112
3113 crypto_cipher_free(cipher);
3114}
3115
3116/** Free an authoriezd client object. */
3117void
3119{
3120 tor_free(client);
3121}
3122
3123/** From the given descriptor, remove and free every introduction point. */
3124void
3126{
3127 smartlist_t *ips;
3128
3129 tor_assert(desc);
3130
3131 ips = desc->encrypted_data.intro_points;
3132 if (ips) {
3134 ip, hs_desc_intro_point_free(ip));
3135 smartlist_clear(ips);
3136 }
3137}
3138
3139/** Return true iff we support the given descriptor congestion control
3140 * parameters. */
3141bool
3143{
3144 tor_assert(desc);
3145
3146 /* Validate that we support the protocol version in the descriptor. */
3147 return desc->encrypted_data.flow_control_pv &&
3149 PRT_FLOWCTRL, PROTOVER_FLOWCTRL_CC);
3150}
time_t approx_time(void)
Definition: approx_time.c:32
int base64_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:396
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
Definition: binascii.c:215
size_t base64_encode_size(size_t srclen, int flags)
Definition: binascii.c:166
static void set_uint64(void *cp, uint64_t v)
Definition: bytes.h:96
static uint64_t tor_htonll(uint64_t a)
Definition: bytes.h:184
Header file for circuitbuild.c.
#define ARRAY_LENGTH(x)
Header file for config.c.
bool congestion_control_validate_sendme_increment(uint8_t sendme_inc)
bool congestion_control_enabled(void)
Public APIs for congestion control.
static uint8_t congestion_control_sendme_inc(void)
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
crypto_cipher_t * crypto_cipher_new_with_iv_and_bits(const uint8_t *key, const uint8_t *iv, int bits)
Definition: crypto_cipher.c:29
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Definition: crypto_cipher.c:88
#define CIPHER_IV_LEN
Definition: crypto_cipher.h:24
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
int curve25519_public_from_base64(curve25519_public_key_t *pkey, const char *input)
void curve25519_public_to_base64(char *output, const curve25519_public_key_t *pkey, bool pad)
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
crypto_xof_t * crypto_xof_new(void)
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
#define crypto_xof_free(xof)
#define crypto_digest_free(d)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
int ed25519_sign_prefixed(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair)
int ed25519_signature_from_base64(ed25519_signature_t *sig, const char *input)
void ed25519_signature_to_base64(char *output, const ed25519_signature_t *sig)
Header for crypto_format.c.
void crypto_rand(char *to, size_t n)
Definition: crypto_rand.c:479
void crypto_strongest_rand(uint8_t *out, size_t out_len)
Definition: crypto_rand.c:342
Common functions for using (pseudo-)random number generators.
int crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest, size_t *len)
Definition: crypto_rsa.c:466
crypto_pk_t * crypto_pk_dup_key(crypto_pk_t *orig)
int crypto_pk_public_exponent_ok(const crypto_pk_t *env)
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
Common functions for cryptographic routines.
int tor_memeq(const void *a, const void *b, size_t sz)
Definition: di_ops.c:107
#define tor_memneq(a, b, sz)
Definition: di_ops.h:21
#define DIGEST256_LEN
Definition: digest_sizes.h:23
const char * escaped(const char *s)
Definition: escape.c:126
Extend-info structure.
unsigned int hs_cache_get_max_descriptor_size(void)
Definition: hs_cache.c:1186
Header file for hs_cache.c.
link_specifier_t * link_specifier_dup(const link_specifier_t *src)
Definition: hs_common.c:1751
Header file containing configuration ABI/API for the HS subsystem.
static size_t build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext, size_t plaintext_len, uint8_t **encrypted_out, int is_superencrypted_layer)
void hs_desc_superencrypted_data_free_contents(hs_desc_superencrypted_data_t *desc)
STATIC size_t desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
static token_rule_t hs_desc_encrypted_v3_token_table[]
hs_desc_decode_status_t hs_desc_decode_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
int hs_desc_encode_descriptor(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static char * get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc, const char *layer2_b64_ciphertext)
static char * encode_intro_point(const ed25519_public_key_t *sig_key, const hs_desc_intro_point_t *ip)
void hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
static char * encode_legacy_key(const hs_desc_intro_point_t *ip)
static hs_desc_decode_status_t(* decode_superencrypted_handlers[])(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
static int desc_encode_v3(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static void decode_intro_points(const hs_descriptor_t *desc, hs_desc_encrypted_data_t *desc_enc, const char *data)
hs_desc_authorized_client_t * hs_desc_build_fake_authorized_client(void)
size_t hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
static size_t build_secret_data(const ed25519_public_key_t *blinded_pubkey, const uint8_t *descriptor_cookie, uint8_t **secret_data_out)
bool hs_desc_supports_congestion_control(const hs_descriptor_t *desc)
static const struct @20 intro_auth_types[]
STATIC int desc_sig_is_valid(const char *b64_sig, const ed25519_public_key_t *signing_pubkey, const char *encoded_desc, size_t encoded_len)
STATIC hs_desc_decode_status_t desc_decode_superencrypted_v3(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted_out)
static int(* encode_handlers[])(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static int decode_pow_params(const smartlist_t *toks, hs_pow_desc_params_t **pow_params_out)
STATIC size_t decrypt_desc_layer(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, bool is_superencrypted_layer, char **decrypted_out)
size_t hs_desc_obj_size(const hs_descriptor_t *data)
static int decode_auth_client(const directory_token_t *tok, hs_desc_authorized_client_t *client)
STATIC hs_desc_intro_point_t * decode_introduction_point(const hs_descriptor_t *desc, const char *start)
hs_desc_decode_status_t hs_desc_decode_plaintext(const char *encoded, hs_desc_plaintext_data_t *plaintext)
static int cert_parse_and_validate(tor_cert_t **cert_out, const char *data, size_t data_len, unsigned int cert_type_wanted, const char *err_msg)
STATIC size_t build_plaintext_padding(const char *plaintext, size_t plaintext_len, uint8_t **padded_out)
static char * encode_onion_key(const hs_desc_intro_point_t *ip)
static char * get_auth_client_str(const hs_desc_authorized_client_t *client)
static char * get_all_auth_client_lines(const hs_descriptor_t *desc)
void hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
void hs_descriptor_free_(hs_descriptor_t *desc)
static char * encrypt_desc_data_and_base64(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *encoded_str, int is_superencrypted_layer)
static int encode_superencrypted_data(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, char **encrypted_blob_out)
static char * get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
STATIC smartlist_t * decode_link_specifiers(const char *encoded)
void hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)
STATIC int encrypted_data_length_is_valid(size_t len)
void hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
static token_rule_t hs_desc_v3_token_table[]
static void decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
static int decrypt_descriptor_cookie(const hs_descriptor_t *desc, const hs_desc_authorized_client_t *client, const curve25519_secret_key_t *client_auth_sk, uint8_t **descriptor_cookie_out)
hs_desc_decode_status_t hs_desc_decode_superencrypted(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
static token_rule_t hs_desc_superencrypted_v3_token_table[]
STATIC size_t desc_decrypt_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, char **decrypted_out)
void hs_desc_build_authorized_client(const hs_subcredential_t *subcredential, const curve25519_public_key_t *client_auth_pk, const curve25519_secret_key_t *auth_ephemeral_sk, const uint8_t *descriptor_cookie, hs_desc_authorized_client_t *client_out)
static void build_secret_key_iv_mac(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_len, uint8_t *iv_out, size_t iv_len, uint8_t *mac_out, size_t mac_len, int is_superencrypted_layer)
hs_desc_intro_point_t * hs_desc_intro_point_new(void)
void hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc)
static size_t encrypt_descriptor_data(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *plaintext, char **encrypted_out, int is_superencrypted_layer)
static size_t compute_padded_plaintext_length(size_t plaintext_len)
STATIC char * encode_link_specifiers(const smartlist_t *specs)
static int set_intro_point_onion_key(curve25519_public_key_t *onion_key_out, const smartlist_t *tokens)
STATIC hs_desc_decode_status_t desc_decode_encrypted_v3(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted_out)
static hs_desc_decode_status_t(* decode_plaintext_handlers[])(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
static int decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
static size_t build_descriptor_cookie_keys(const hs_subcredential_t *subcredential, const curve25519_secret_key_t *sk, const curve25519_public_key_t *pk, uint8_t **keys_out)
static int decode_intro_legacy_key(const directory_token_t *tok, smartlist_t *tokens, hs_desc_intro_point_t *ip, const hs_descriptor_t *desc)
static void build_kdf_key(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_out_len, int is_superencrypted_layer)
void hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
static token_rule_t hs_desc_intro_point_v3_token_table[]
static char * encode_enc_key(const hs_desc_intro_point_t *ip)
static hs_desc_decode_status_t(* decode_encrypted_handlers[])(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
STATIC int cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
static size_t hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
hs_desc_decode_status_t hs_desc_decode_descriptor(const char *encoded, const hs_subcredential_t *subcredential, const curve25519_secret_key_t *client_auth_sk, hs_descriptor_t **desc_out)
static const struct @21 pow_types[]
static size_t build_secret_input(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, uint8_t **secret_input_out)
void hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
static hs_desc_decode_status_t desc_decode_plaintext_v3(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
void hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client)
static void build_mac(const uint8_t *mac_key, size_t mac_key_len, const uint8_t *salt, size_t salt_len, const uint8_t *encrypted, size_t encrypted_len, uint8_t *mac_out, size_t mac_len)
Header file for hs_descriptor.c.
#define HS_DESC_CLIENT_ID_LEN
Definition: hs_descriptor.h:59
hs_desc_decode_status_t
Definition: hs_descriptor.h:75
hs_desc_auth_type_t
Definition: hs_descriptor.h:70
#define HS_DESC_ENCRYPTED_SALT_LEN
Definition: hs_descriptor.h:41
#define HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE
Definition: hs_descriptor.h:48
#define HS_DESC_AUTH_CLIENT_MULTIPLE
Definition: hs_descriptor.h:67
static int hs_desc_is_supported_version(uint32_t version)
#define HS_DESC_ENCRYPTED_KEY_LEN
Definition: hs_descriptor.h:55
#define HS_DESC_CERT_LIFETIME
Definition: hs_descriptor.h:39
#define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN
Definition: hs_descriptor.h:44
#define HS_DESC_MAX_LIFETIME
Definition: hs_descriptor.h:33
Header file containing PoW denial of service defenses for the HS subsystem for all versions.
#define HS_POW_SEED_LEN
Definition: hs_pow.h:41
hs_pow_desc_type_t
Definition: hs_pow.h:57
#define log_fn(severity, domain, args,...)
Definition: log.h:283
#define LD_REND
Definition: log.h:84
#define LD_BUG
Definition: log.h:86
#define LD_GENERAL
Definition: log.h:62
#define LD_DIR
Definition: log.h:88
#define tor_free(p)
Definition: malloc.h:56
memarea_t * memarea_new(void)
Definition: memarea.c:153
Header for memarea.c.
#define memarea_drop_all(area)
Definition: memarea.h:22
Master header file for Tor-specific functionality.
uint64_t tor_parse_uint64(const char *s, int base, uint64_t min, uint64_t max, int *ok, char **next)
Definition: parse_int.c:110
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
Definition: parse_int.c:78
void token_clear(directory_token_t *tok)
Definition: parsecommon.c:41
smartlist_t * find_all_by_keyword(const smartlist_t *s, directory_keyword k)
Definition: parsecommon.c:462
int tokenize_string(memarea_t *area, const char *start, const char *end, smartlist_t *out, const token_rule_t *table, int flags)
Definition: parsecommon.c:53
directory_token_t * find_opt_by_keyword(const smartlist_t *s, directory_keyword keyword)
Definition: parsecommon.c:451
Header file for parsecommon.c.
#define T0N(s, t, a, o)
Definition: parsecommon.h:252
#define T01(s, t, a, o)
Definition: parsecommon.h:262
#define NO_ARGS
Definition: parsecommon.h:269
#define T1_END(s, t, a, o)
Definition: parsecommon.h:258
@ OBJ_OK
Definition: parsecommon.h:228
@ NO_OBJ
Definition: parsecommon.h:223
@ NEED_OBJ
Definition: parsecommon.h:224
@ NEED_KEY_1024
Definition: parsecommon.h:226
#define T1_START(s, t, a, o)
Definition: parsecommon.h:256
#define T1N(s, t, a, o)
Definition: parsecommon.h:260
#define GE(n)
Definition: parsecommon.h:273
#define CONCAT_ARGS
Definition: parsecommon.h:271
#define T1(s, t, a, o)
Definition: parsecommon.h:254
#define EQ(n)
Definition: parsecommon.h:275
#define END_OF_TABLE
Definition: parsecommon.h:248
#define ARGS
Definition: parsecommon.h:267
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
int protocol_list_supports_protocol(const char *list, protocol_type_t tp, uint32_t version)
Definition: protover.c:330
const char * protover_get_supported(const protocol_type_t type)
Definition: protover.c:407
Headers and type declarations for protover.c.
#define PROTOVER_FLOWCTRL_CC
Definition: protover.h:59
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
Definition: smartlist.c:36
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
Definition: smartlist.c:279
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
struct crypto_pk_t * key
Definition: parsecommon.h:214
uint8_t iv[CIPHER_IV_LEN]
uint8_t encrypted_cookie[HS_DESC_ENCRYPED_COOKIE_LEN]
uint8_t client_id[HS_DESC_CLIENT_ID_LEN]
smartlist_t * intro_auth_types
hs_pow_desc_params_t * pow_params
unsigned int single_onion_service
smartlist_t * intro_points
unsigned int cross_certified
struct hs_desc_intro_point_t::@22::@23 cert
curve25519_public_key_t onion_key
curve25519_public_key_t enc_key
tor_cert_t * enc_key_cert
tor_cert_t * auth_key_cert
struct hs_desc_intro_point_t::@22 legacy
smartlist_t * link_specifiers
tor_cert_t * signing_key_cert
ed25519_public_key_t signing_pubkey
ed25519_public_key_t blinded_pubkey
curve25519_public_key_t auth_ephemeral_pubkey
hs_desc_encrypted_data_t encrypted_data
hs_desc_superencrypted_data_t superencrypted_data
hs_subcredential_t subcredential
hs_desc_plaintext_data_t plaintext_data
uint8_t seed[HS_POW_SEED_LEN]
Definition: hs_pow.h:67
uint32_t suggested_effort
Definition: hs_pow.h:71
time_t expiration_time
Definition: hs_pow.h:74
hs_pow_desc_type_t type
Definition: hs_pow.h:64
unsigned cert_expired
Definition: torcert.h:55
ed25519_public_key_t signing_key
Definition: torcert.h:36
uint8_t cert_type
Definition: torcert.h:46
time_t valid_until
Definition: torcert.h:38
ed25519_public_key_t signed_key
Definition: torcert.h:33
unsigned signing_key_included
Definition: torcert.h:48
#define STATIC
Definition: testsupport.h:32
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
void format_iso_time_nospace(char *buf, time_t t)
Definition: time_fmt.c:344
void format_iso_time(char *buf, time_t t)
Definition: time_fmt.c:326
int parse_iso_time_nospace(const char *cp, time_t *t)
Definition: time_fmt.c:432
int rsa_ed25519_crosscert_check(const uint8_t *crosscert, const size_t crosscert_len, const crypto_pk_t *rsa_id_key, const ed25519_public_key_t *master_key, const time_t reject_if_expired_before)
Definition: torcert.c:395
int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now)
Definition: torcert.c:244
const char * tor_cert_describe_signature_status(const tor_cert_t *cert)
Definition: torcert.c:279
tor_cert_t * tor_cert_parse(const uint8_t *encoded, const size_t len)
Definition: torcert.c:159
Header for torcert.c.
#define SIZE_T_CEILING
Definition: torint.h:126
#define tor_assert(expr)
Definition: util_bug.h:103
int fast_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:76
Header file for versions.c.
#define CURVE25519_OUTPUT_LEN
Definition: x25519_sizes.h:24
#define CURVE25519_BASE64_PADDED_LEN
Definition: x25519_sizes.h:37
#define ED25519_PUBKEY_LEN
Definition: x25519_sizes.h:27
#define ED25519_SIG_BASE64_LEN
Definition: x25519_sizes.h:45
#define CURVE25519_PUBKEY_LEN
Definition: x25519_sizes.h:20