|
@@ -113,6 +113,15 @@ static token_rule_t hs_desc_v3_token_table[] = {
|
|
|
END_OF_TABLE
|
|
|
};
|
|
|
|
|
|
+/* Descriptor ruleset for the superencrypted section. */
|
|
|
+static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
|
|
|
+ T1_START(str_desc_auth_type, R3_DESC_AUTH_TYPE, GE(1), NO_OBJ),
|
|
|
+ T1(str_desc_auth_key, R3_DESC_AUTH_KEY, GE(1), NO_OBJ),
|
|
|
+ T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT, GE(3), NO_OBJ),
|
|
|
+ T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
|
|
|
+ END_OF_TABLE
|
|
|
+};
|
|
|
+
|
|
|
/* Descriptor ruleset for the encrypted section. */
|
|
|
static token_rule_t hs_desc_encrypted_v3_token_table[] = {
|
|
|
T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
|
|
@@ -1313,12 +1322,17 @@ encrypted_data_length_is_valid(size_t len)
|
|
|
return 0;
|
|
|
}
|
|
|
|
|
|
-/* Decrypt the encrypted section of the descriptor using the given descriptor
|
|
|
- * object desc. A newly allocated NUL terminated string is put in
|
|
|
- * decrypted_out. Return the length of decrypted_out on success else 0 is
|
|
|
- * returned and decrypted_out is set to NULL. */
|
|
|
+/** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
|
|
|
+ * <b>encrypted_blob_size</b>. Use the descriptor object <b>desc</b> to
|
|
|
+ * generate the right decryption keys; set <b>decrypted_out</b> to the
|
|
|
+ * plaintext. If <b>is_superencrypted_layer</b> is set, this is the outter
|
|
|
+ * encrypted layer of the descriptor. */
|
|
|
static size_t
|
|
|
-desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
|
|
|
+decrypt_desc_layer(const hs_descriptor_t *desc,
|
|
|
+ const uint8_t *encrypted_blob,
|
|
|
+ size_t encrypted_blob_size,
|
|
|
+ int is_superencrypted_layer,
|
|
|
+ char **decrypted_out)
|
|
|
{
|
|
|
uint8_t *decrypted = NULL;
|
|
|
uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
|
|
@@ -1328,41 +1342,33 @@ desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
|
|
|
|
|
|
tor_assert(decrypted_out);
|
|
|
tor_assert(desc);
|
|
|
- tor_assert(desc->plaintext_data.superencrypted_blob);
|
|
|
+ tor_assert(encrypted_blob);
|
|
|
|
|
|
- /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC */
|
|
|
- if (!encrypted_data_length_is_valid(
|
|
|
- desc->plaintext_data.superencrypted_blob_size)) {
|
|
|
+ /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
|
|
|
+ * Make sure we have enough space for all these things. */
|
|
|
+ if (!encrypted_data_length_is_valid(encrypted_blob_size)) {
|
|
|
goto err;
|
|
|
}
|
|
|
|
|
|
/* Start of the blob thus the salt. */
|
|
|
- salt = desc->plaintext_data.superencrypted_blob;
|
|
|
+ salt = encrypted_blob;
|
|
|
+
|
|
|
/* Next is the encrypted data. */
|
|
|
- encrypted = desc->plaintext_data.superencrypted_blob +
|
|
|
- HS_DESC_ENCRYPTED_SALT_LEN;
|
|
|
- encrypted_len = desc->plaintext_data.superencrypted_blob_size -
|
|
|
+ encrypted = encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN;
|
|
|
+ encrypted_len = encrypted_blob_size -
|
|
|
(HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
|
|
|
+ tor_assert(encrypted_len > 0); /* guaranteed by the check above */
|
|
|
|
|
|
- /* At the very end is the MAC. Make sure it's of the right size. */
|
|
|
- {
|
|
|
- desc_mac = encrypted + encrypted_len;
|
|
|
- size_t desc_mac_size = desc->plaintext_data.superencrypted_blob_size -
|
|
|
- (desc_mac - desc->plaintext_data.superencrypted_blob);
|
|
|
- if (desc_mac_size != DIGEST256_LEN) {
|
|
|
- log_warn(LD_REND, "Service descriptor MAC length of encrypted data "
|
|
|
- "is invalid (%lu, expected %u)",
|
|
|
- (unsigned long) desc_mac_size, DIGEST256_LEN);
|
|
|
- goto err;
|
|
|
- }
|
|
|
- }
|
|
|
+ /* And last comes the MAC. */
|
|
|
+ desc_mac = encrypted_blob + encrypted_blob_size - DIGEST256_LEN;
|
|
|
|
|
|
/* KDF construction resulting in a key from which the secret key, IV and MAC
|
|
|
* key are extracted which is what we need for the decryption. */
|
|
|
build_secret_key_iv_mac(desc, salt, HS_DESC_ENCRYPTED_SALT_LEN,
|
|
|
secret_key, sizeof(secret_key),
|
|
|
secret_iv, sizeof(secret_iv),
|
|
|
- mac_key, sizeof(mac_key));
|
|
|
+ mac_key, sizeof(mac_key),
|
|
|
+ is_superencrypted_layer);
|
|
|
|
|
|
/* Build MAC. */
|
|
|
build_mac(mac_key, sizeof(mac_key), salt, HS_DESC_ENCRYPTED_SALT_LEN,
|
|
@@ -1392,7 +1398,7 @@ desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
|
|
|
}
|
|
|
|
|
|
{
|
|
|
- /* Adjust length to remove NULL padding bytes */
|
|
|
+ /* Adjust length to remove NUL padding bytes */
|
|
|
uint8_t *end = memchr(decrypted, 0, encrypted_len);
|
|
|
result_len = encrypted_len;
|
|
|
if (end) {
|
|
@@ -1418,6 +1424,161 @@ desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
|
|
|
return result_len;
|
|
|
}
|
|
|
|
|
|
+/* Basic validation that the superencrypted client auth portion of the
|
|
|
+ * descriptor is well-formed and recognized. Return True if so, otherwise
|
|
|
+ * return False. */
|
|
|
+static int
|
|
|
+superencrypted_auth_data_is_valid(smartlist_t *tokens)
|
|
|
+{
|
|
|
+ /* XXX: This is just basic validation for now. When we implement client auth,
|
|
|
+ we can refactor this function so that it actually parses and saves the
|
|
|
+ data. */
|
|
|
+
|
|
|
+ { /* verify desc auth type */
|
|
|
+ const directory_token_t *tok;
|
|
|
+ tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
|
|
|
+ tor_assert(tok->n_args >= 1);
|
|
|
+ if (strcmp(tok->args[0], "x25519")) {
|
|
|
+ return 0;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ { /* verify desc auth key */
|
|
|
+ const directory_token_t *tok;
|
|
|
+ curve25519_public_key_t k;
|
|
|
+ tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
|
|
|
+ tor_assert(tok->n_args >= 1);
|
|
|
+ if (curve25519_public_from_base64(&k, tok->args[0]) < 0) {
|
|
|
+ log_warn(LD_DIR, "Bogus desc auth key in HS desc");
|
|
|
+ return 0;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /* verify desc auth client items */
|
|
|
+ SMARTLIST_FOREACH_BEGIN(tokens, const directory_token_t *, tok) {
|
|
|
+ if (tok->tp == R3_DESC_AUTH_CLIENT) {
|
|
|
+ tor_assert(tok->n_args >= 3);
|
|
|
+ }
|
|
|
+ } SMARTLIST_FOREACH_END(tok);
|
|
|
+
|
|
|
+ return 1;
|
|
|
+}
|
|
|
+
|
|
|
+/* Parse <b>message</b>, the plaintext of the superencrypted portion of an HS
|
|
|
+ * descriptor. Set <b>encrypted_out</b> to the encrypted blob, and return its
|
|
|
+ * size */
|
|
|
+STATIC size_t
|
|
|
+decode_superencrypted(const char *message, size_t message_len,
|
|
|
+ uint8_t **encrypted_out)
|
|
|
+{
|
|
|
+ int retval = 0;
|
|
|
+ memarea_t *area = NULL;
|
|
|
+ smartlist_t *tokens = NULL;
|
|
|
+
|
|
|
+ area = memarea_new();
|
|
|
+ tokens = smartlist_new();
|
|
|
+ if (tokenize_string(area, message, message + message_len, tokens,
|
|
|
+ hs_desc_superencrypted_v3_token_table, 0) < 0) {
|
|
|
+ log_warn(LD_REND, "Superencrypted portion is not parseable");
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* Do some rudimentary validation of the authentication data */
|
|
|
+ if (!superencrypted_auth_data_is_valid(tokens)) {
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* Extract the encrypted data section. */
|
|
|
+ {
|
|
|
+ const directory_token_t *tok;
|
|
|
+ tok = find_by_keyword(tokens, R3_ENCRYPTED);
|
|
|
+ tor_assert(tok->object_body);
|
|
|
+ if (strcmp(tok->object_type, "MESSAGE") != 0) {
|
|
|
+ log_warn(LD_REND, "Desc superencrypted data section is invalid");
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
+ /* Make sure the length of the encrypted blob is valid. */
|
|
|
+ if (!encrypted_data_length_is_valid(tok->object_size)) {
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* Copy the encrypted blob to the descriptor object so we can handle it
|
|
|
+ * latter if needed. */
|
|
|
+ *encrypted_out = tor_memdup(tok->object_body, tok->object_size);
|
|
|
+ retval = tok->object_size;
|
|
|
+ }
|
|
|
+
|
|
|
+ err:
|
|
|
+ SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
|
|
|
+ smartlist_free(tokens);
|
|
|
+ if (area) {
|
|
|
+ memarea_drop_all(area);
|
|
|
+ }
|
|
|
+
|
|
|
+ return retval;
|
|
|
+}
|
|
|
+
|
|
|
+/* Decrypt both the superencrypted and the encrypted section of the descriptor
|
|
|
+ * using the given descriptor object <b>desc</b>. A newly allocated NUL
|
|
|
+ * terminated string is put in decrypted_out which contains the inner encrypted
|
|
|
+ * layer of the descriptor. Return the length of decrypted_out on success else
|
|
|
+ * 0 is returned and decrypted_out is set to NULL. */
|
|
|
+static size_t
|
|
|
+desc_decrypt_all(const hs_descriptor_t *desc, char **decrypted_out)
|
|
|
+{
|
|
|
+ size_t decrypted_len = 0;
|
|
|
+ size_t encrypted_len = 0;
|
|
|
+ size_t superencrypted_len = 0;
|
|
|
+ char *superencrypted_plaintext = NULL;
|
|
|
+ uint8_t *encrypted_blob = NULL;
|
|
|
+
|
|
|
+ /** Function logic: This function takes us from the descriptor header to the
|
|
|
+ * inner encrypted layer, by decrypting and decoding the middle descriptor
|
|
|
+ * layer. In the end we return the contents of the inner encrypted layer to
|
|
|
+ * our caller. */
|
|
|
+
|
|
|
+ /* 1. Decrypt middle layer of descriptor */
|
|
|
+ superencrypted_len = decrypt_desc_layer(desc,
|
|
|
+ desc->plaintext_data.superencrypted_blob,
|
|
|
+ desc->plaintext_data.superencrypted_blob_size,
|
|
|
+ 1,
|
|
|
+ &superencrypted_plaintext);
|
|
|
+ if (!superencrypted_len) {
|
|
|
+ log_warn(LD_REND, "Decrypting superencrypted desc failed.");
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
+ tor_assert(superencrypted_plaintext);
|
|
|
+
|
|
|
+ /* 2. Parse "superencrypted" */
|
|
|
+ encrypted_len = decode_superencrypted(superencrypted_plaintext,
|
|
|
+ superencrypted_len,
|
|
|
+ &encrypted_blob);
|
|
|
+ if (!encrypted_len) {
|
|
|
+ log_warn(LD_REND, "Decrypting encrypted desc failed.");
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
+ tor_assert(encrypted_blob);
|
|
|
+
|
|
|
+ /* 3. Decrypt "encrypted" and set decrypted_out */
|
|
|
+ char *decrypted_desc;
|
|
|
+ decrypted_len = decrypt_desc_layer(desc,
|
|
|
+ encrypted_blob, encrypted_len,
|
|
|
+ 0, &decrypted_desc);
|
|
|
+ if (!decrypted_len) {
|
|
|
+ log_warn(LD_REND, "Decrypting encrypted desc failed.");
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
+ tor_assert(decrypted_desc);
|
|
|
+
|
|
|
+ *decrypted_out = decrypted_desc;
|
|
|
+
|
|
|
+ err:
|
|
|
+ tor_free(superencrypted_plaintext);
|
|
|
+ tor_free(encrypted_blob);
|
|
|
+
|
|
|
+ return decrypted_len;
|
|
|
+}
|
|
|
+
|
|
|
/* Given the start of a section and the end of it, decode a single
|
|
|
* introduction point from that section. Return a newly allocated introduction
|
|
|
* point object containing the decoded data. Return NULL if the section can't
|
|
@@ -1550,7 +1711,9 @@ decode_introduction_point(const hs_descriptor_t *desc, const char *start)
|
|
|
tor_cert_free(cross_cert);
|
|
|
SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
|
|
|
smartlist_free(tokens);
|
|
|
- memarea_drop_all(area);
|
|
|
+ if (area) {
|
|
|
+ memarea_drop_all(area);
|
|
|
+ }
|
|
|
|
|
|
return ip;
|
|
|
}
|
|
@@ -1804,10 +1967,9 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc,
|
|
|
tor_assert(desc);
|
|
|
tor_assert(desc_encrypted_out);
|
|
|
|
|
|
- /* Decrypt the encrypted data that is located in the plaintext section in
|
|
|
- * the descriptor as a blob of bytes. The following functions will use the
|
|
|
- * keys found in the same section. */
|
|
|
- message_len = desc_decrypt_data_v3(desc, &message);
|
|
|
+ /* Decrypt the superencrypted data that is located in the plaintext section
|
|
|
+ * in the descriptor as a blob of bytes. */
|
|
|
+ message_len = desc_decrypt_all(desc, &message);
|
|
|
if (!message_len) {
|
|
|
log_warn(LD_REND, "Service descriptor decryption failed.");
|
|
|
goto err;
|