56 #define HS_DESCRIPTOR_PRIVATE
61 #include "trunnel/ed25519_cert.h"
79 #define str_hs_desc "hs-descriptor"
80 #define str_desc_cert "descriptor-signing-key-cert"
81 #define str_rev_counter "revision-counter"
82 #define str_superencrypted "superencrypted"
83 #define str_encrypted "encrypted"
84 #define str_signature "signature"
85 #define str_lifetime "descriptor-lifetime"
87 #define str_create2_formats "create2-formats"
88 #define str_intro_auth_required "intro-auth-required"
89 #define str_single_onion "single-onion-service"
90 #define str_intro_point "introduction-point"
91 #define str_ip_onion_key "onion-key"
92 #define str_ip_auth_key "auth-key"
93 #define str_ip_enc_key "enc-key"
94 #define str_ip_enc_key_cert "enc-key-cert"
95 #define str_ip_legacy_key "legacy-key"
96 #define str_ip_legacy_key_cert "legacy-key-cert"
97 #define str_intro_point_start "\n" str_intro_point " "
98 #define str_flow_control "flow-control"
101 #define str_enc_const_superencryption "hsdir-superencrypted-data"
102 #define str_enc_const_encryption "hsdir-encrypted-data"
104 #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
105 #define str_desc_auth_type "desc-auth-type"
106 #define str_desc_auth_key "desc-auth-ephemeral-key"
107 #define str_desc_auth_client "auth-client"
108 #define str_encrypted "encrypted"
111 static const struct {
113 const char *identifier;
115 { HS_DESC_AUTH_ED25519,
"ed25519" },
123 T1(str_lifetime, R3_DESC_LIFETIME,
EQ(1),
NO_OBJ),
125 T1(str_rev_counter, R3_REVISION_COUNTER,
EQ(1),
NO_OBJ),
134 T1(str_desc_auth_key, R3_DESC_AUTH_KEY,
GE(1),
NO_OBJ),
135 T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT,
GE(3),
NO_OBJ),
143 T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED,
GE(1),
NO_OBJ),
144 T01(str_single_onion, R3_SINGLE_ONION_SERVICE,
ARGS,
NO_OBJ),
145 T01(str_flow_control, R3_FLOW_CONTROL,
GE(2),
NO_OBJ),
152 T1N(str_ip_onion_key, R3_INTRO_ONION_KEY,
GE(2),
OBJ_OK),
154 T1(str_ip_enc_key, R3_INTRO_ENC_KEY,
GE(2),
OBJ_OK),
155 T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT,
ARGS,
OBJ_OK),
157 T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT,
ARGS,
OBJ_OK),
166 const uint8_t *salt,
size_t salt_len,
167 const uint8_t *encrypted,
size_t encrypted_len,
168 uint8_t *mac_out,
size_t mac_len)
172 const uint64_t mac_len_netorder =
tor_htonll(mac_key_len);
173 const uint64_t salt_len_netorder =
tor_htonll(salt_len);
202 const uint8_t *secret_data,
203 size_t secret_data_len,
204 uint8_t **secret_input_out)
207 size_t secret_input_len = secret_data_len +
DIGEST256_LEN +
sizeof(uint64_t);
208 uint8_t *secret_input = NULL;
214 secret_input = tor_malloc_zero(secret_input_len);
217 memcpy(secret_input, secret_data, secret_data_len);
218 offset += secret_data_len;
225 offset +=
sizeof(uint64_t);
228 *secret_input_out = secret_input;
230 return secret_input_len;
237 const uint8_t *secret_data,
238 size_t secret_data_len,
239 const uint8_t *salt,
size_t salt_len,
240 uint8_t *key_out,
size_t key_out_len,
241 int is_superencrypted_layer)
243 uint8_t *secret_input = NULL;
244 size_t secret_input_len;
254 secret_data_len, &secret_input);
262 if (is_superencrypted_layer) {
264 strlen(str_enc_const_superencryption));
267 strlen(str_enc_const_encryption));
273 memwipe(secret_input, 0, secret_input_len);
283 const uint8_t *secret_data,
284 size_t secret_data_len,
285 const uint8_t *salt,
size_t salt_len,
286 uint8_t *key_out,
size_t key_len,
287 uint8_t *iv_out,
size_t iv_len,
288 uint8_t *mac_out,
size_t mac_len,
289 int is_superencrypted_layer)
302 salt, salt_len, kdf_key,
sizeof(kdf_key),
303 is_superencrypted_layer);
305 memcpy(key_out, kdf_key, key_len);
307 memcpy(iv_out, kdf_key + offset, iv_len);
309 memcpy(mac_out, kdf_key + offset, mac_len);
311 tor_assert((offset + mac_len) ==
sizeof(kdf_key));
312 memwipe(kdf_key, 0,
sizeof(kdf_key));
323 char *encoded_b64 = NULL;
324 link_specifier_list_t *lslist = link_specifier_list_new();
329 tor_assert(smartlist_len(specs) <= UINT8_MAX);
331 link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
337 link_specifier_list_add_spec(lslist, ls);
338 } SMARTLIST_FOREACH_END(spec);
342 ssize_t encoded_len, encoded_b64_len, ret;
344 encoded_len = link_specifier_list_encoded_len(lslist);
346 encoded = tor_malloc_zero(encoded_len);
347 ret = link_specifier_list_encode(encoded, encoded_len, lslist);
353 encoded_b64 = tor_malloc_zero(encoded_b64_len);
354 ret =
base64_encode(encoded_b64, encoded_b64_len, (
const char *) encoded,
360 link_specifier_list_free(lslist);
369 char *key_str, b64_cert[256], *encoded = NULL;
377 ip->
legacy.
cert.len, BASE64_ENCODE_MULTILINE) < 0) {
378 log_warn(
LD_REND,
"Unable to encode legacy crosscert.");
384 log_warn(
LD_REND,
"Unable to encode legacy encryption key.");
390 "-----BEGIN CROSSCERT-----\n"
392 "-----END CROSSCERT-----",
393 str_ip_legacy_key, key_str,
394 str_ip_legacy_key_cert, b64_cert);
406 char *encoded = NULL, *encoded_cert;
413 if (tor_cert_encode_ed22519(ip->
enc_key_cert, &encoded_cert) < 0) {
419 str_ip_enc_key, key_b64,
420 str_ip_enc_key_cert, encoded_cert);
432 char *encoded = NULL;
439 tor_asprintf(&encoded,
"%s ntor %s", str_ip_onion_key, key_b64);
450 char *encoded_ip = NULL;
466 if (encoded_onion_key == NULL) {
476 if (tor_cert_encode_ed22519(ip->
auth_key_cert, &encoded_cert) < 0) {
486 if (encoded_enc_key == NULL) {
498 if (encoded_legacy_key == NULL) {
510 smartlist_free(lines);
519 size_t plaintext_padded_len;
527 plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
528 padding_block_length;
530 tor_assert(!(plaintext_padded_len % padding_block_length));
531 return plaintext_padded_len;
539 uint8_t **padded_out)
550 padded = tor_malloc_zero(padded_len);
552 memcpy(padded, plaintext, plaintext_len);
553 *padded_out = padded;
562 size_t plaintext_len, uint8_t **encrypted_out,
563 int is_superencrypted_layer)
565 size_t encrypted_len;
566 uint8_t *padded_plaintext, *encrypted;
567 crypto_cipher_t *cipher;
576 if (is_superencrypted_layer) {
582 padded_plaintext = tor_memdup(plaintext, plaintext_len);
583 encrypted_len = plaintext_len;
588 HS_DESC_ENCRYPTED_BIT_SIZE);
591 encrypted = tor_malloc_zero(encrypted_len);
594 (
const char *) padded_plaintext, encrypted_len);
595 *encrypted_out = encrypted;
597 crypto_cipher_free(cipher);
599 return encrypted_len;
608 const uint8_t *secret_data,
609 size_t secret_data_len,
610 const char *plaintext,
611 char **encrypted_out,
int is_superencrypted_layer)
614 size_t encrypted_len, final_blob_len, offset = 0;
632 secret_key,
sizeof(secret_key),
633 secret_iv,
sizeof(secret_iv),
634 mac_key,
sizeof(mac_key),
635 is_superencrypted_layer);
639 strlen(plaintext), &encrypted,
640 is_superencrypted_layer);
641 memwipe(secret_key, 0,
sizeof(secret_key));
642 memwipe(secret_iv, 0,
sizeof(secret_iv));
644 final_blob_len =
sizeof(salt) + encrypted_len +
DIGEST256_LEN;
645 final_blob = tor_malloc_zero(final_blob_len);
648 build_mac(mac_key,
sizeof(mac_key), salt,
sizeof(salt),
649 encrypted, encrypted_len, mac,
sizeof(mac));
650 memwipe(mac_key, 0,
sizeof(mac_key));
653 memcpy(final_blob, salt,
sizeof(salt));
654 offset =
sizeof(salt);
656 memcpy(final_blob + offset, encrypted, encrypted_len);
657 offset += encrypted_len;
659 memcpy(final_blob + offset, mac,
sizeof(mac));
660 offset +=
sizeof(mac);
662 memwipe(salt, 0,
sizeof(salt));
663 memwipe(encrypted, 0, encrypted_len);
668 *encrypted_out = final_blob;
669 return final_blob_len;
679 char *auth_client_str = NULL;
684 char encrypted_cookie_b64[HS_DESC_ENCRYPED_COOKIE_LEN * 2];
686 #define ASSERT_AND_BASE64(field) STMT_BEGIN \
687 tor_assert(!fast_mem_is_zero((char *) client->field, \
688 sizeof(client->field))); \
689 ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
690 client->field, sizeof(client->field)); \
691 tor_assert(ret > 0); \
694 ASSERT_AND_BASE64(client_id);
695 ASSERT_AND_BASE64(iv);
696 ASSERT_AND_BASE64(encrypted_cookie);
699 tor_asprintf(&auth_client_str,
"%s %s %s %s", str_desc_auth_client,
700 client_id_b64, iv_b64, encrypted_cookie_b64);
702 #undef ASSERT_AND_BASE64
704 return auth_client_str;
714 char *auth_client_lines_str = NULL;
725 char *auth_client_str = NULL;
730 } SMARTLIST_FOREACH_END(client);
737 smartlist_free(auth_client_lines);
739 return auth_client_lines_str;
749 char *encoded_str = NULL;
755 log_err(
LD_BUG,
"HS desc doesn't have recognized handshake type.");
759 ONION_HANDSHAKE_TYPE_NTOR);
787 if (encoded_ip == NULL) {
788 log_err(
LD_BUG,
"HS desc intro point is malformed.");
792 } SMARTLIST_FOREACH_END(ip);
800 smartlist_free(lines);
812 const char *layer2_b64_ciphertext)
814 char *layer1_str = NULL;
830 str_desc_auth_key, ephemeral_key_base64);
832 memwipe(ephemeral_key_base64, 0,
sizeof(ephemeral_key_base64));
845 "-----BEGIN MESSAGE-----\n"
847 "-----END MESSAGE-----",
848 str_encrypted, layer2_b64_ciphertext);
856 smartlist_free(lines);
869 const uint8_t *secret_data,
870 size_t secret_data_len,
871 const char *encoded_str,
872 int is_superencrypted_layer)
875 ssize_t enc_b64_len, ret_len, enc_len;
876 char *encrypted_blob = NULL;
879 encoded_str, &encrypted_blob,
880 is_superencrypted_layer);
883 enc_b64 = tor_malloc_zero(enc_b64_len);
885 ret_len =
base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
886 BASE64_ENCODE_MULTILINE);
906 const uint8_t *descriptor_cookie,
907 uint8_t **secret_data_out)
909 size_t secret_data_len;
910 uint8_t *secret_data;
915 if (descriptor_cookie) {
919 secret_data = tor_malloc(secret_data_len);
922 blinded_pubkey->pubkey,
926 HS_DESC_DESCRIPTOR_COOKIE_LEN);
931 secret_data = tor_malloc(secret_data_len);
933 blinded_pubkey->pubkey,
937 *secret_data_out = secret_data;
938 return secret_data_len;
948 const uint8_t *descriptor_cookie,
949 char **encrypted_blob_out)
952 uint8_t *secret_data = NULL;
953 size_t secret_data_len = 0;
954 char *layer2_str = NULL;
955 char *layer2_b64_ciphertext = NULL;
956 char *layer1_str = NULL;
957 char *layer1_b64_ciphertext = NULL;
978 layer2_b64_ciphertext =
981 if (!layer2_b64_ciphertext) {
992 layer1_b64_ciphertext =
997 if (!layer1_b64_ciphertext) {
1005 memwipe(secret_data, 0, secret_data_len);
1011 *encrypted_blob_out = layer1_b64_ciphertext;
1021 const uint8_t *descriptor_cookie,
1025 char *encoded_str = NULL;
1039 != CERT_TYPE_SIGNING_HS_DESC) {
1040 log_err(
LD_BUG,
"HS descriptor signing key has an unexpected cert type "
1045 &encoded_cert) < 0) {
1065 char *enc_b64_blob=NULL;
1067 &enc_b64_blob) < 0) {
1072 "-----BEGIN MESSAGE-----\n"
1074 "-----END MESSAGE-----",
1075 str_superencrypted, enc_b64_blob);
1088 (
const uint8_t *) encoded_str, encoded_len,
1089 str_desc_sig_prefix, signing_kp) < 0) {
1090 log_warn(
LD_BUG,
"Can't sign encoded HS descriptor!");
1101 *encoded_out = encoded_str;
1104 log_warn(
LD_GENERAL,
"We just made an HS descriptor that's too big (%d)."
1105 "Failing.", (
int)strlen(encoded_str));
1117 smartlist_free(lines);
1137 tok->
args[0], strlen(tok->
args[0])) !=
1142 tok->
args[1], strlen(tok->
args[1])) !=
1143 sizeof(client->
iv)) {
1148 tok->
args[2], strlen(tok->
args[2])) !=
1165 size_t encoded_len, i;
1168 link_specifier_list_t *specs = NULL;
1172 encoded_len = strlen(encoded);
1173 decoded = tor_malloc(encoded_len);
1174 decoded_len =
base64_decode((
char *) decoded, encoded_len, encoded,
1176 if (decoded_len < 0) {
1180 if (link_specifier_list_parse(&specs, decoded,
1181 (
size_t) decoded_len) < decoded_len) {
1187 for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
1188 link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
1203 link_specifier_free(s));
1204 smartlist_free(results);
1208 link_specifier_list_free(specs);
1236 } SMARTLIST_FOREACH_END(auth);
1256 unsigned long type =
tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
1258 log_warn(
LD_REND,
"Unparseable value %s in create2 list",
escaped(s));
1262 case ONION_HANDSHAKE_TYPE_NTOR:
1269 } SMARTLIST_FOREACH_END(s);
1272 smartlist_free(tokens);
1286 log_warn(
LD_REND,
"Certificate for %s couldn't be parsed.", log_obj_type);
1296 log_warn(
LD_REND,
"Signing key is NOT included for %s.", log_obj_type);
1304 char expiration_str[ISO_TIME_LEN+1];
1306 log_fn(LOG_PROTOCOL_WARN,
LD_REND,
"Invalid signature for %s: %s (%s)",
1310 log_warn(
LD_REND,
"Invalid signature for %s: %s",
1328 size_t data_len,
unsigned int cert_type_wanted,
1329 const char *err_msg)
1340 log_warn(
LD_REND,
"Certificate for %s couldn't be parsed.", err_msg);
1353 tor_cert_free(cert);
1366 log_warn(
LD_REND,
"Length of descriptor's encrypted data is too small. "
1367 "Got %lu but minimum value is %d",
1402 keystream = tor_malloc_zero(keystream_len);
1414 memwipe(secret_seed, 0,
sizeof(secret_seed));
1416 *keys_out = keystream;
1417 return keystream_len;
1429 uint8_t **descriptor_cookie_out)
1432 uint8_t *keystream = NULL;
1433 size_t keystream_length = 0;
1434 uint8_t *descriptor_cookie = NULL;
1435 const uint8_t *cookie_key = NULL;
1436 crypto_cipher_t *cipher = NULL;
1449 if (BUG(
fast_mem_is_zero((
char *)client_auth_sk,
sizeof(*client_auth_sk)))) {
1471 HS_DESC_COOKIE_KEY_BIT_SIZE);
1472 descriptor_cookie = tor_malloc_zero(HS_DESC_DESCRIPTOR_COOKIE_LEN);
1481 *descriptor_cookie_out = descriptor_cookie;
1483 crypto_cipher_free(cipher);
1485 memwipe(keystream, 0, keystream_length);
1502 const uint8_t *descriptor_cookie,
1503 bool is_superencrypted_layer,
1504 char **decrypted_out))
1506 uint8_t *decrypted = NULL;
1508 uint8_t *secret_data = NULL;
1509 size_t secret_data_len = 0;
1511 const uint8_t *salt, *encrypted, *desc_mac;
1512 size_t encrypted_len, result_len = 0;
1513 const uint8_t *encrypted_blob = (is_superencrypted_layer)
1516 size_t encrypted_blob_size = (is_superencrypted_layer)
1531 salt = encrypted_blob;
1535 encrypted_len = encrypted_blob_size -
1540 desc_mac = encrypted_blob + encrypted_blob_size -
DIGEST256_LEN;
1551 secret_key,
sizeof(secret_key),
1552 secret_iv,
sizeof(secret_iv),
1553 mac_key,
sizeof(mac_key),
1554 is_superencrypted_layer);
1558 encrypted, encrypted_len, our_mac,
sizeof(our_mac));
1559 memwipe(mac_key, 0,
sizeof(mac_key));
1564 if (!
tor_memeq(our_mac, desc_mac,
sizeof(our_mac))) {
1565 log_info(
LD_REND,
"Encrypted service descriptor MAC check failed");
1572 crypto_cipher_t *cipher;
1575 HS_DESC_ENCRYPTED_BIT_SIZE);
1577 decrypted = tor_malloc_zero(encrypted_len + 1);
1579 (
const char *) encrypted, encrypted_len);
1580 crypto_cipher_free(cipher);
1585 uint8_t *end = memchr(decrypted, 0, encrypted_len);
1586 result_len = encrypted_len;
1588 result_len = end - decrypted;
1592 if (result_len == 0) {
1598 decrypted[encrypted_len] =
'\0';
1599 *decrypted_out = (
char *) decrypted;
1606 *decrypted_out = NULL;
1610 memwipe(secret_data, 0, secret_data_len);
1611 memwipe(secret_key, 0,
sizeof(secret_key));
1612 memwipe(secret_iv, 0,
sizeof(secret_iv));
1625 size_t superencrypted_len = 0;
1626 char *superencrypted_plaintext = NULL;
1633 true, &superencrypted_plaintext);
1635 if (!superencrypted_len) {
1636 log_warn(
LD_REND,
"Decrypting superencrypted desc failed.");
1644 *decrypted_out = superencrypted_plaintext;
1646 return superencrypted_len;
1657 char **decrypted_out))
1659 size_t encrypted_len = 0;
1660 char *encrypted_plaintext = NULL;
1661 uint8_t *descriptor_cookie = NULL;
1669 if (client_auth_sk) {
1675 &descriptor_cookie)) {
1678 } SMARTLIST_FOREACH_END(client);
1683 false, &encrypted_plaintext);
1685 if (!encrypted_len) {
1693 *decrypted_out = encrypted_plaintext;
1694 if (descriptor_cookie) {
1695 memwipe(descriptor_cookie, 0, HS_DESC_DESCRIPTOR_COOKIE_LEN);
1699 return encrypted_len;
1718 log_warn(
LD_REND,
"Introduction point legacy key is invalid");
1726 log_warn(
LD_REND,
"Introduction point legacy key cert is missing");
1733 log_info(
LD_REND,
"Introduction point legacy encryption key "
1734 "cross-certification has an unknown format.");
1748 log_warn(
LD_REND,
"Unable to check cross-certification on the "
1749 "introduction point legacy encryption key.");
1774 log_warn(
LD_REND,
"Descriptor did not contain intro onion keys");
1784 if (!strcmp(tok->args[0],
"ntor")) {
1786 log_warn(
LD_REND,
"Introduction point ntor onion-key is invalid");
1792 } SMARTLIST_FOREACH_END(tok);
1796 log_warn(
LD_REND,
"Descriptor did not contain ntor onion keys");
1800 smartlist_free(onion_keys);
1823 log_warn(
LD_REND,
"Introduction point is not parseable");
1832 tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
1838 log_warn(
LD_REND,
"Introduction point has invalid link specifiers");
1848 tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
1851 log_warn(
LD_REND,
"Unexpected object type for introduction auth key");
1857 "introduction point auth-key") < 0) {
1863 log_warn(
LD_REND,
"Invalid authentication key signature: %s",
1869 tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
1870 if (!strcmp(tok->
args[0],
"ntor")) {
1876 log_warn(
LD_REND,
"Introduction point ntor enc-key is invalid");
1881 log_warn(
LD_REND,
"Introduction point encryption key is unrecognized.");
1886 tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
1890 log_warn(
LD_REND,
"Introduction point ntor encryption key "
1891 "cross-certification has an unknown format.");
1896 "introduction point enc-key-cert") < 0) {
1901 log_warn(
LD_REND,
"Invalid encryption key signature: %s",
1920 hs_desc_intro_point_free(ip);
1925 smartlist_free(tokens);
1958 if (smartlist_len(chunked_desc) < 2) {
1975 } SMARTLIST_FOREACH_END(chunk);
1988 } SMARTLIST_FOREACH_END(intro_point);
1992 smartlist_free(chunked_desc);
1994 smartlist_free(intro_points);
2002 const char *encoded_desc,
size_t encoded_len)
2006 const char *sig_start;
2016 log_warn(
LD_REND,
"Service descriptor has an invalid signature length."
2017 "Expected %d but got %lu",
2024 log_warn(
LD_REND,
"Service descriptor does not contain a valid "
2030 sig_start = tor_memstr(encoded_desc, encoded_len,
"\n" str_signature
" ");
2034 log_warn(
LD_GENERAL,
"Malformed signature line. Rejecting.");
2042 (
const uint8_t *) encoded_desc,
2043 sig_start - encoded_desc,
2044 str_desc_sig_prefix,
2045 signing_pubkey) != 0) {
2046 log_warn(
LD_REND,
"Invalid signature on service descriptor");
2066 const char *encoded_desc,
size_t encoded_len)
2078 tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
2081 UINT32_MAX, &ok, NULL);
2083 log_warn(
LD_REND,
"Service descriptor lifetime value is invalid");
2089 log_warn(
LD_REND,
"Service descriptor lifetime is too big. "
2090 "Got %" PRIu32
" but max is %d",
2096 tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
2100 if (strcmp(tok->
object_type,
"ED25519 CERT") != 0) {
2101 log_warn(
LD_REND,
"Service descriptor signing cert wrong type (%s)",
2107 "service descriptor signing key") < 0) {
2118 tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
2121 UINT64_MAX, &ok, NULL);
2123 log_warn(
LD_REND,
"Service descriptor revision-counter is invalid");
2128 tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
2131 log_warn(
LD_REND,
"Desc superencrypted data section is invalid");
2145 tok = find_by_keyword(tokens, R3_SIGNATURE);
2149 encoded_desc, encoded_len)) {
2153 return HS_DESC_DECODE_OK;
2155 return HS_DESC_DECODE_PLAINTEXT_ERROR;
2163 desc_superencrypted_out)
2165 int ret = HS_DESC_DECODE_SUPERENC_ERROR;
2166 char *message = NULL;
2181 log_warn(
LD_REND,
"Service descriptor decryption failed.");
2190 log_warn(
LD_REND,
"Superencrypted service descriptor is not parseable.");
2195 tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
2197 if (strcmp(tok->
args[0],
"x25519")) {
2198 log_warn(
LD_DIR,
"Unrecognized desc auth type");
2203 tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
2206 tok->
args[0]) < 0) {
2207 log_warn(
LD_DIR,
"Bogus desc auth ephemeral key in HS desc");
2212 if (!superencrypted->
clients) {
2216 if (token->tp == R3_DESC_AUTH_CLIENT) {
2223 log_warn(
LD_REND,
"Descriptor client authorization section can't "
2230 } SMARTLIST_FOREACH_END(token);
2233 tok = find_by_keyword(tokens, R3_ENCRYPTED);
2236 log_warn(
LD_REND,
"Desc encrypted data section is invalid");
2251 ret = HS_DESC_DECODE_OK;
2261 smartlist_free(tokens);
2279 int ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2280 char *message = NULL;
2297 if (client_auth_sk) {
2300 log_warn(
LD_REND,
"Client authorization for requested onion address "
2301 "is invalid. Can't decrypt the descriptor.");
2302 ret = HS_DESC_DECODE_BAD_CLIENT_AUTH;
2306 log_notice(
LD_REND,
"Fail to decrypt descriptor for requested onion "
2307 "address. It is likely requiring client "
2309 ret = HS_DESC_DECODE_NEED_CLIENT_AUTH;
2319 log_warn(
LD_REND,
"Encrypted service descriptor is not parseable.");
2324 tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
2329 log_warn(
LD_REND,
"Service create2-formats does not include ntor.");
2338 log_warn(
LD_REND,
"Service descriptor authentication type has "
2339 "invalid entry(ies).");
2357 uint8_t sendme_inc =
2360 log_warn(
LD_REND,
"Service descriptor flow control sendme "
2361 "value is invalid");
2364 desc_encrypted_out->sendme_inc = sendme_inc;
2374 HS_CONFIG_V3_MAX_INTRO_POINTS) {
2375 log_warn(
LD_REND,
"Service descriptor contains too many introduction "
2376 "points. Maximum allowed is %d but we have %d",
2377 HS_CONFIG_V3_MAX_INTRO_POINTS,
2385 ret = HS_DESC_DECODE_OK;
2395 smartlist_free(tokens);
2426 int ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2474 desc_superencrypted)
2476 int ret = HS_DESC_DECODE_SUPERENC_ERROR;
2513 const char *encoded_desc,
2514 size_t encoded_len) =
2526 int ok = 0, ret = HS_DESC_DECODE_PLAINTEXT_ERROR;
2536 encoded_len = strlen(encoded);
2538 log_warn(
LD_REND,
"Service descriptor is too big (%lu bytes)",
2539 (
unsigned long) encoded_len);
2548 log_warn(
LD_REND,
"Service descriptor is not parseable");
2554 tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
2557 UINT32_MAX, &ok, NULL);
2559 log_warn(
LD_REND,
"Service descriptor has unparseable version %s",
2564 log_warn(
LD_REND,
"Service descriptor has unsupported version %" PRIu32,
2575 encoded, encoded_len);
2576 if (ret != HS_DESC_DECODE_OK) {
2580 ret = HS_DESC_DECODE_OK;
2585 smartlist_free(tokens);
2613 if (BUG(!subcredential ||
2615 log_warn(
LD_GENERAL,
"Tried to decrypt without subcred. Impossible!");
2622 if (ret != HS_DESC_DECODE_OK) {
2627 if (ret != HS_DESC_DECODE_OK) {
2632 if (ret != HS_DESC_DECODE_OK) {
2639 hs_descriptor_free(desc);
2644 hs_descriptor_free(desc);
2659 const uint8_t *descriptor_cookie,
2660 char **encoded_out) =
2680 const uint8_t *descriptor_cookie,
2681 char **encoded_out))
2700 descriptor_cookie, encoded_out);
2708 if (!descriptor_cookie) {
2711 if (BUG(ret != HS_DESC_DECODE_OK)) {
2720 *encoded_out = NULL;
2737 memwipe(desc, 0,
sizeof(*desc));
2753 hs_desc_authorized_client_free(client));
2754 smartlist_free(desc->
clients);
2757 memwipe(desc, 0,
sizeof(*desc));
2774 hs_desc_intro_point_free(ip));
2778 memwipe(desc, 0,
sizeof(*desc));
2837 size_t intro_size = 0;
2848 return sizeof(*data) + intro_size;
2882 ls, link_specifier_free(ls));
2898 tor_malloc_zero(
sizeof(*client_auth));
2903 sizeof(client_auth->
iv));
2918 const uint8_t *descriptor_cookie,
2921 uint8_t *keystream = NULL;
2922 size_t keystream_length = 0;
2923 const uint8_t *cookie_key;
2924 crypto_cipher_t *cipher;
2932 sizeof(*auth_ephemeral_sk)));
2934 sizeof(*client_auth_pk)));
2936 HS_DESC_DESCRIPTOR_COOKIE_LEN));
2943 auth_ephemeral_sk, client_auth_pk,
2956 HS_DESC_COOKIE_KEY_BIT_SIZE);
2959 (
const char *) descriptor_cookie,
2960 HS_DESC_DESCRIPTOR_COOKIE_LEN);
2962 memwipe(keystream, 0, keystream_length);
2965 crypto_cipher_free(cipher);
2986 ip, hs_desc_intro_point_free(ip));
int base64_decode(char *dest, size_t destlen, const char *src, size_t srclen)
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
size_t base64_encode_size(size_t srclen, int flags)
static void set_uint64(void *cp, uint64_t v)
static uint64_t tor_htonll(uint64_t a)
Header file for circuitbuild.c.
Header file for config.c.
bool congestion_control_validate_sendme_increment(uint8_t sendme_inc)
bool congestion_control_enabled(void)
Public APIs for congestion control.
static uint8_t congestion_control_sendme_inc(void)
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
crypto_cipher_t * crypto_cipher_new_with_iv_and_bits(const uint8_t *key, const uint8_t *iv, int bits)
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
int curve25519_public_from_base64(curve25519_public_key_t *pkey, const char *input)
void curve25519_public_to_base64(char *output, const curve25519_public_key_t *pkey, bool pad)
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
crypto_xof_t * crypto_xof_new(void)
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
#define crypto_xof_free(xof)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
#define crypto_digest_free(d)
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
int ed25519_sign_prefixed(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair)
void crypto_rand(char *to, size_t n)
void crypto_strongest_rand(uint8_t *out, size_t out_len)
Common functions for using (pseudo-)random number generators.
int crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest, size_t *len)
crypto_pk_t * crypto_pk_dup_key(crypto_pk_t *orig)
int crypto_pk_public_exponent_ok(const crypto_pk_t *env)
void memwipe(void *mem, uint8_t byte, size_t sz)
Common functions for cryptographic routines.
int tor_memeq(const void *a, const void *b, size_t sz)
#define tor_memneq(a, b, sz)
const char * escaped(const char *s)
unsigned int hs_cache_get_max_descriptor_size(void)
Header file for hs_cache.c.
link_specifier_t * link_specifier_dup(const link_specifier_t *src)
Header file containing configuration ABI/API for the HS subsystem.
hs_desc_intro_point_t * hs_desc_intro_point_new(void)
static char * encode_intro_point(const ed25519_public_key_t *sig_key, const hs_desc_intro_point_t *ip)
static size_t build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext, size_t plaintext_len, uint8_t **encrypted_out, int is_superencrypted_layer)
void hs_desc_superencrypted_data_free_contents(hs_desc_superencrypted_data_t *desc)
hs_desc_authorized_client_t * hs_desc_build_fake_authorized_client(void)
static char * get_all_auth_client_lines(const hs_descriptor_t *desc)
STATIC size_t desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
static token_rule_t hs_desc_encrypted_v3_token_table[]
hs_desc_decode_status_t hs_desc_decode_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
static char * encode_legacy_key(const hs_desc_intro_point_t *ip)
int hs_desc_encode_descriptor(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
void hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
static hs_desc_decode_status_t(* decode_superencrypted_handlers[])(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
static int desc_encode_v3(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static char * encode_onion_key(const hs_desc_intro_point_t *ip)
static void decode_intro_points(const hs_descriptor_t *desc, hs_desc_encrypted_data_t *desc_enc, const char *data)
size_t hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
static size_t build_secret_data(const ed25519_public_key_t *blinded_pubkey, const uint8_t *descriptor_cookie, uint8_t **secret_data_out)
bool hs_desc_supports_congestion_control(const hs_descriptor_t *desc)
STATIC smartlist_t * decode_link_specifiers(const char *encoded)
STATIC int desc_sig_is_valid(const char *b64_sig, const ed25519_public_key_t *signing_pubkey, const char *encoded_desc, size_t encoded_len)
STATIC hs_desc_decode_status_t desc_decode_superencrypted_v3(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted_out)
static int(* encode_handlers[])(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static const struct @17 intro_auth_types[]
STATIC size_t decrypt_desc_layer(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, bool is_superencrypted_layer, char **decrypted_out)
size_t hs_desc_obj_size(const hs_descriptor_t *data)
static int decode_auth_client(const directory_token_t *tok, hs_desc_authorized_client_t *client)
hs_desc_decode_status_t hs_desc_decode_plaintext(const char *encoded, hs_desc_plaintext_data_t *plaintext)
STATIC char * encode_link_specifiers(const smartlist_t *specs)
static int cert_parse_and_validate(tor_cert_t **cert_out, const char *data, size_t data_len, unsigned int cert_type_wanted, const char *err_msg)
STATIC size_t build_plaintext_padding(const char *plaintext, size_t plaintext_len, uint8_t **padded_out)
void hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
void hs_descriptor_free_(hs_descriptor_t *desc)
static char * get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
static int encode_superencrypted_data(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, char **encrypted_blob_out)
static char * encode_enc_key(const hs_desc_intro_point_t *ip)
void hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)
STATIC int encrypted_data_length_is_valid(size_t len)
void hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
static token_rule_t hs_desc_v3_token_table[]
static void decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
static int decrypt_descriptor_cookie(const hs_descriptor_t *desc, const hs_desc_authorized_client_t *client, const curve25519_secret_key_t *client_auth_sk, uint8_t **descriptor_cookie_out)
hs_desc_decode_status_t hs_desc_decode_superencrypted(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
static token_rule_t hs_desc_superencrypted_v3_token_table[]
STATIC size_t desc_decrypt_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, char **decrypted_out)
void hs_desc_build_authorized_client(const hs_subcredential_t *subcredential, const curve25519_public_key_t *client_auth_pk, const curve25519_secret_key_t *auth_ephemeral_sk, const uint8_t *descriptor_cookie, hs_desc_authorized_client_t *client_out)
static void build_secret_key_iv_mac(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_len, uint8_t *iv_out, size_t iv_len, uint8_t *mac_out, size_t mac_len, int is_superencrypted_layer)
void hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc)
static size_t encrypt_descriptor_data(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *plaintext, char **encrypted_out, int is_superencrypted_layer)
static size_t compute_padded_plaintext_length(size_t plaintext_len)
static int set_intro_point_onion_key(curve25519_public_key_t *onion_key_out, const smartlist_t *tokens)
STATIC hs_desc_decode_status_t desc_decode_encrypted_v3(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted_out)
static hs_desc_decode_status_t(* decode_plaintext_handlers[])(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
static char * encrypt_desc_data_and_base64(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *encoded_str, int is_superencrypted_layer)
static int decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
static size_t build_descriptor_cookie_keys(const hs_subcredential_t *subcredential, const curve25519_secret_key_t *sk, const curve25519_public_key_t *pk, uint8_t **keys_out)
static char * get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc, const char *layer2_b64_ciphertext)
static int decode_intro_legacy_key(const directory_token_t *tok, smartlist_t *tokens, hs_desc_intro_point_t *ip, const hs_descriptor_t *desc)
static void build_kdf_key(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_out_len, int is_superencrypted_layer)
static char * get_auth_client_str(const hs_desc_authorized_client_t *client)
void hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
static token_rule_t hs_desc_intro_point_v3_token_table[]
static hs_desc_decode_status_t(* decode_encrypted_handlers[])(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
STATIC int cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
static size_t hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
hs_desc_decode_status_t hs_desc_decode_descriptor(const char *encoded, const hs_subcredential_t *subcredential, const curve25519_secret_key_t *client_auth_sk, hs_descriptor_t **desc_out)
static size_t build_secret_input(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, uint8_t **secret_input_out)
STATIC hs_desc_intro_point_t * decode_introduction_point(const hs_descriptor_t *desc, const char *start)
void hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
static hs_desc_decode_status_t desc_decode_plaintext_v3(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
void hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client)
static void build_mac(const uint8_t *mac_key, size_t mac_key_len, const uint8_t *salt, size_t salt_len, const uint8_t *encrypted, size_t encrypted_len, uint8_t *mac_out, size_t mac_len)
Header file for hs_descriptor.c.
#define HS_DESC_CLIENT_ID_LEN
#define HS_DESC_ENCRYPTED_SALT_LEN
#define HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE
#define HS_DESC_AUTH_CLIENT_MULTIPLE
static int hs_desc_is_supported_version(uint32_t version)
#define HS_DESC_ENCRYPTED_KEY_LEN
#define HS_DESC_CERT_LIFETIME
#define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN
#define HS_DESC_MAX_LIFETIME
#define log_fn(severity, domain, args,...)
memarea_t * memarea_new(void)
#define memarea_drop_all(area)
Master header file for Tor-specific functionality.
uint64_t tor_parse_uint64(const char *s, int base, uint64_t min, uint64_t max, int *ok, char **next)
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
void token_clear(directory_token_t *tok)
int tokenize_string(memarea_t *area, const char *start, const char *end, smartlist_t *out, const token_rule_t *table, int flags)
directory_token_t * find_opt_by_keyword(const smartlist_t *s, directory_keyword keyword)
smartlist_t * find_all_by_keyword(const smartlist_t *s, directory_keyword k)
Header file for parsecommon.c.
#define T1_END(s, t, a, o)
#define T1_START(s, t, a, o)
int tor_asprintf(char **strp, const char *fmt,...)
const char * protover_get_supported(const protocol_type_t type)
int protocol_list_supports_protocol(const char *list, protocol_type_t tp, uint32_t version)
Headers and type declarations for protover.c.
#define PROTOVER_FLOWCTRL_CC
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
uint8_t iv[CIPHER_IV_LEN]
uint8_t encrypted_cookie[HS_DESC_ENCRYPED_COOKIE_LEN]
uint8_t client_id[HS_DESC_CLIENT_ID_LEN]
smartlist_t * intro_auth_types
unsigned int single_onion_service
smartlist_t * intro_points
unsigned int create2_ntor
struct hs_desc_intro_point_t::@18::@19 cert
unsigned int cross_certified
struct hs_desc_intro_point_t::@18 legacy
curve25519_public_key_t onion_key
curve25519_public_key_t enc_key
tor_cert_t * enc_key_cert
tor_cert_t * auth_key_cert
smartlist_t * link_specifiers
uint64_t revision_counter
size_t superencrypted_blob_size
tor_cert_t * signing_key_cert
ed25519_public_key_t signing_pubkey
ed25519_public_key_t blinded_pubkey
uint8_t * superencrypted_blob
curve25519_public_key_t auth_ephemeral_pubkey
size_t encrypted_blob_size
hs_desc_encrypted_data_t encrypted_data
hs_desc_superencrypted_data_t superencrypted_data
hs_subcredential_t subcredential
hs_desc_plaintext_data_t plaintext_data
ed25519_public_key_t signing_key
ed25519_public_key_t signed_key
unsigned signing_key_included
#define MOCK_IMPL(rv, funcname, arglist)
void format_iso_time(char *buf, time_t t)
int rsa_ed25519_crosscert_check(const uint8_t *crosscert, const size_t crosscert_len, const crypto_pk_t *rsa_id_key, const ed25519_public_key_t *master_key, const time_t reject_if_expired_before)
int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now)
const char * tor_cert_describe_signature_status(const tor_cert_t *cert)
tor_cert_t * tor_cert_parse(const uint8_t *encoded, const size_t len)
int fast_mem_is_zero(const char *mem, size_t len)
Header file for versions.c.
#define CURVE25519_OUTPUT_LEN
#define CURVE25519_BASE64_PADDED_LEN
#define ED25519_PUBKEY_LEN
#define ED25519_SIG_BASE64_LEN
#define CURVE25519_PUBKEY_LEN