|
@@ -104,14 +104,14 @@
|
|
|
0.3. Constants and new cell types
|
|
|
|
|
|
Relay cell types
|
|
|
- 32 -- RELAY_ESTABLISH_INTRO
|
|
|
- 33 -- RELAY_ESTABLISH_RENDEZVOUS
|
|
|
- 34 -- RELAY_INTRODUCE1
|
|
|
- 35 -- RELAY_INTRODUCE2
|
|
|
- 36 -- RELAY_RENDEZVOUS1
|
|
|
- 37 -- RELAY_RENDEZVOUS2
|
|
|
- 38 -- RELAY_INTRO_ESTABLISHED
|
|
|
- 39 -- RELAY_RENDEZVOUS_ESTABLISHED
|
|
|
+ 32 -- RELAY_COMMAND_ESTABLISH_INTRO
|
|
|
+ 33 -- RELAY_COMMAND_ESTABLISH_RENDEZVOUS
|
|
|
+ 34 -- RELAY_COMMAND_INTRODUCE1
|
|
|
+ 35 -- RELAY_COMMAND_INTRODUCE2
|
|
|
+ 36 -- RELAY_COMMAND_RENDEZVOUS1
|
|
|
+ 37 -- RELAY_COMMAND_RENDEZVOUS2
|
|
|
+ 38 -- RELAY_COMMAND_INTRO_ESTABLISHED
|
|
|
+ 39 -- RELAY_COMMAND_RENDEZVOUS_ESTABLISHED
|
|
|
40 -- RELAY_COMMAND_INTRODUCE_ACK
|
|
|
|
|
|
0.4. Version overview
|
|
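Review bot: the "Relay cell types" heading above the renamed list no longer matches its entries. All nine values (32 through 40) are now named RELAY_COMMAND_*, so the heading should read as relay commands, or one sentence should state that these are command values carried in RELAY cells. The numeric values are untouched, which is what a naming-only change should look like; saying so in the commit message would keep anyone from reading this as a wire-format change.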
@@ -406,7 +406,7 @@
|
|
|
The OP establishes a new introduction circuit to each introduction
|
|
|
point. These circuits MUST NOT be used for anything but hidden service
|
|
|
introduction. To establish the introduction, Bob sends a
|
|
|
- RELAY_ESTABLISH_INTRO cell, containing:
|
|
|
+ RELAY_COMMAND_ESTABLISH_INTRO cell, containing:
|
|
|
|
|
|
KL Key length [2 octets]
|
|
|
PK Introduction public key [KL octets]
|
|
@@ -429,15 +429,19 @@
|
|
|
check fails, the OP discards the cell; otherwise, it associates the
|
|
|
circuit with Bob's public key, and dissociates any other circuits
|
|
|
currently associated with PK. On success, the OR sends Bob a
|
|
|
- RELAY_INTRO_ESTABLISHED cell with an empty payload.
|
|
|
-
|
|
|
- Bob's OP does not include its own public key in the RELAY_ESTABLISH_INTRO
|
|
|
- cell, but the public key of a freshly generated introduction key pair.
|
|
|
- The OP also includes these fresh public keys in the v2 hidden service
|
|
|
- descriptor together with the other introduction point information. The
|
|
|
- reason is that the introduction point does not need to and therefore
|
|
|
- should not know for which hidden service it works, so as to prevent it
|
|
|
- from tracking the hidden service's activity.
|
|
|
+ RELAY_COMMAND_INTRO_ESTABLISHED cell with an empty payload.
|
|
|
+
|
|
|
+ Bob's OP uses either Bob's public key or a freshly generated, single-use
|
|
|
+ service key in the RELAY_COMMAND_ESTABLISH_INTRO cell, depending on the
|
|
|
+ configured hidden service descriptor version. The public key is used for
|
|
|
+ v0 descriptors, the service key for v2 descriptors. In the latter case, the
|
|
|
+ service keys of all introduction points are included in the v2 hidden
|
|
|
+ service descriptor together with the other introduction point information.
|
|
|
+ The reason is that the introduction point does not need to and therefore
|
|
|
+ should not know for which hidden service it works, so as to prevent it from
|
|
|
+ tracking the hidden service's activity. If the hidden service is configured
|
|
|
+ to publish both v0 and v2 descriptors, two separate sets of introduction
|
|
|
+ points are established.
|
|
|
|
|
|
1.4. Bob's OP advertises his service descriptor(s).
|
|
|
|
|
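Review bot: in the rewritten paragraph, the sentence "The reason is that the introduction point does not need to and therefore should not know for which hidden service it works" now follows text covering both v0 and v2, but it only justifies the v2 service key. With v0 the cell carries Bob's public key, so the introduction point can tell which service it is serving. Suggest tying that sentence to the v2 case explicitly and stating that v0 introduction points do learn the service identity. The unchanged context just above ("associates the circuit with Bob's public key") also needs "or the service key" to stay correct for v2.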
@@ -551,7 +555,7 @@
|
|
|
and Alice's OP does not have an established circuit to that service,
|
|
|
the OP builds a rendezvous circuit. It does this by establishing
|
|
|
a circuit to a randomly chosen OR, and sending a
|
|
|
- RELAY_ESTABLISH_RENDEZVOUS cell to that OR. The body of that cell
|
|
|
+ RELAY_COMMAND_ESTABLISH_RENDEZVOUS cell to that OR. The body of that cell
|
|
|
contains:
|
|
|
|
|
|
RC Rendezvous cookie [20 octets]
|
|
@@ -561,9 +565,9 @@
|
|
|
The rendezvous cookie is an arbitrary 20-byte value, chosen randomly by
|
|
|
Alice's OP.
|
|
|
|
|
|
- Upon receiving a RELAY_ESTABLISH_RENDEZVOUS cell, the OR associates the
|
|
|
- RC with the circuit that sent it. It replies to Alice with an empty
|
|
|
- RELAY_RENDEZVOUS_ESTABLISHED cell to indicate success.
|
|
|
+ Upon receiving a RELAY_COMMAND_ESTABLISH_RENDEZVOUS cell, the OR associates
|
|
|
+ the RC with the circuit that sent it. It replies to Alice with an empty
|
|
|
+ RELAY_COMMAND_RENDEZVOUS_ESTABLISHED cell to indicate success.
|
|
|
|
|
|
Alice's OP MUST NOT use the circuit which sent the cell for any purpose
|
|
|
other than rendezvous with the given location-hidden service.
|
|
@@ -571,7 +575,7 @@
|
|
|
1.8. Introduction: from Alice's OP to Introduction Point
|
|
|
|
|
|
Alice builds a separate circuit to one of Bob's chosen introduction
|
|
|
- points, and sends it a RELAY_INTRODUCE1 cell containing:
|
|
|
+ points, and sends it a RELAY_COMMAND_INTRODUCE1 cell containing:
|
|
|
|
|
|
Cleartext
|
|
|
PK_ID Identifier for Bob's PK [20 octets]
|
|
@@ -601,7 +605,7 @@
|
|
|
|
|
|
The hybrid encryption to Bob's PK works just like the hybrid
|
|
|
encryption in CREATE cells (see tor-spec). Thus the payload of the
|
|
|
- version 0 RELAY_INTRODUCE1 cell on the wire will contain
|
|
|
+ version 0 RELAY_COMMAND_INTRODUCE1 cell on the wire will contain
|
|
|
20+42+16+20+20+128=246 bytes, and the version 1 and version 2
|
|
|
introduction formats have other sizes.
|
|
|
|
|
@@ -612,7 +616,7 @@
|
|
|
|
|
|
If Alice has downloaded a v2 descriptor, she uses the contained public
|
|
|
key ("service-key") instead of Bob's public key to create the
|
|
|
- RELAY_INTRODUCE1 cell as described above.
|
|
|
+ RELAY_COMMAND_INTRODUCE1 cell as described above.
|
|
|
|
|
|
1.8.1. Other introduction formats we don't use.
|
|
|
|
|
@@ -637,24 +641,27 @@
|
|
|
|
|
|
If the Introduction Point recognizes PK_ID as a public key which has
|
|
|
established a circuit for introductions as in 1.3 above, it sends the body
|
|
|
- of the cell in a new RELAY_INTRODUCE2 cell down the corresponding circuit.
|
|
|
- (If the PK_ID is unrecognized, the RELAY_INTRODUCE1 cell is discarded.)
|
|
|
-
|
|
|
- After sending the RELAY_INTRODUCE2 cell, the OR replies to Alice with an
|
|
|
- empty RELAY_COMMAND_INTRODUCE_ACK cell. If no RELAY_INTRODUCE2 cell can
|
|
|
- be sent, the OR replies to Alice with a non-empty cell to indicate an
|
|
|
- error. (The semantics of the cell body may be determined later; the
|
|
|
- current implementation sends a single '1' byte on failure.)
|
|
|
-
|
|
|
- When Bob's OP receives the RELAY_INTRODUCE2 cell, it decrypts it with
|
|
|
- the private key for the corresponding hidden service, and extracts the
|
|
|
+ of the cell in a new RELAY_COMMAND_INTRODUCE2 cell down the corresponding
|
|
|
+ circuit. (If the PK_ID is unrecognized, the RELAY_COMMAND_INTRODUCE1 cell is
|
|
|
+ discarded.)
|
|
|
+
|
|
|
+ After sending the RELAY_COMMAND_INTRODUCE2 cell, the OR replies to Alice
|
|
|
+ with an empty RELAY_COMMAND_INTRODUCE_ACK cell. If no
|
|
|
+ RELAY_COMMAND_INTRODUCE2 cell can be sent, the OR replies to Alice with a
|
|
|
+ non-empty cell to indicate an error. (The semantics of the cell body may be
|
|
|
+ determined later; the current implementation sends a single '1' byte on
|
|
|
+ failure.)
|
|
|
+
|
|
|
+ When Bob's OP receives the RELAY_COMMAND_INTRODUCE2 cell, it decrypts it
|
|
|
+ with the private key for the corresponding hidden service, and extracts the
|
|
|
rendezvous point's nickname, the rendezvous cookie, and the value of g^x
|
|
|
chosen by Alice.
|
|
|
|
|
|
1.10. Rendezvous
|
|
|
|
|
|
Bob's OP builds a new Tor circuit ending at Alice's chosen rendezvous
|
|
|
- point, and sends a RELAY_RENDEZVOUS1 cell along this circuit, containing:
|
|
|
+ point, and sends a RELAY_COMMAND_RENDEZVOUS1 cell along this circuit,
|
|
|
+ containing:
|
|
|
RC Rendezvous cookie [20 octets]
|
|
|
g^y Diffie-Hellman [128 octets]
|
|
|
KH Handshake digest [20 octets]
|
|
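Review bot: the last rewrapped sentence still says Bob's OP decrypts the cell "with the private key for the corresponding hidden service", which only holds for v0. The text at -612/+616 has Alice encrypt to the "service-key" when she holds a v2 descriptor, and the paragraph added at -429/+429 makes that key per introduction point, so decryption has to use the private half of the key the introduction circuit was established with. Suggest wording such as "with the private key matching the PK used for that introduction circuit (Bob's key for v0, the service key for v2)".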
@@ -662,7 +669,7 @@
|
|
|
(Bob's OP MUST NOT use this circuit for any other purpose.)
|
|
|
|
|
|
If the RP recognizes RC, it relays the rest of the cell down the
|
|
|
- corresponding circuit in a RELAY_RENDEZVOUS2 cell, containing:
|
|
|
+ corresponding circuit in a RELAY_COMMAND_RENDEZVOUS2 cell, containing:
|
|
|
|
|
|
g^y Diffie-Hellman [128 octets]
|
|
|
KH Handshake digest [20 octets]
|
|
@@ -670,10 +677,10 @@
|
|
|
(If the RP does not recognize the RC, it discards the cell and
|
|
|
tears down the circuit.)
|
|
|
|
|
|
- When Alice's OP receives a RELAY_RENDEZVOUS2 cell on a circuit which
|
|
|
- has sent a RELAY_ESTABLISH_RENDEZVOUS cell but which has not yet received
|
|
|
- a reply, it uses g^y and H(g^xy) to complete the handshake as in the Tor
|
|
|
- circuit extend process: they establish a 60-octet string as
|
|
|
+ When Alice's OP receives a RELAY_COMMAND_RENDEZVOUS2 cell on a circuit which
|
|
|
+ has sent a RELAY_COMMAND_ESTABLISH_RENDEZVOUS cell but which has not yet
|
|
|
+ received a reply, it uses g^y and H(g^xy) to complete the handshake as in
|
|
|
+ the Tor circuit extend process: they establish a 60-octet string as
|
|
|
K = SHA1(g^xy | [00]) | SHA1(g^xy | [01]) | SHA1(g^xy | [02])
|
|
|
and generate
|
|
|
KH = K[0..15]
|
|
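Review bot: in the trailing context, "KH = K[0..15]" selects 16 octets, while the RELAY_COMMAND_RENDEZVOUS1 and RELAY_COMMAND_RENDEZVOUS2 layouts in the preceding hunks give "KH Handshake digest [20 octets]". Since the patch is already rewriting this paragraph, reconcile the slice bounds with the field length. In the changed lines, "has not yet received a reply" is also ambiguous, because per section 1.7 the circuit has already been answered with RELAY_COMMAND_RENDEZVOUS_ESTABLISHED; "has not yet received a RELAY_COMMAND_RENDEZVOUS2 cell" would be precise.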
@@ -692,7 +699,7 @@
|
|
|
1.11. Creating streams
|
|
|
|
|
|
To open TCP connections to Bob's location-hidden service, Alice's OP sends
|
|
|
- a RELAY_BEGIN cell along the established circuit, using the special
|
|
|
+ a RELAY_COMMAND_BEGIN cell along the established circuit, using the special
|
|
|
address "", and a chosen port. Bob's OP chooses a destination IP and
|
|
|
port, based on the configuration of the service connected to the circuit,
|
|
|
and opens a TCP stream. From then on, Bob's OP treats the stream as an
|
|
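Review bot: RELAY_COMMAND_BEGIN on the + line is not among the values listed in section 0.3 (32 through 40), so a reader of this document alone cannot resolve the name. Add a pointer such as "(see tor-spec)", as the text at -601/+605 already does for CREATE cells.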
@@ -700,9 +707,10 @@
|
|
|
[ Except he doesn't include addr in the connected cell or the end
|
|
|
cell. -RD]
|
|
|
|
|
|
- Alice MAY send multiple RELAY_BEGIN cells along the circuit, to open
|
|
|
- multiple streams to Bob. Alice SHOULD NOT send RELAY_BEGIN cells for any
|
|
|
- other address along her circuit to Bob; if she does, Bob MUST reject them.
|
|
|
+ Alice MAY send multiple RELAY_COMMAND_BEGIN cells along the circuit, to open
|
|
|
+ multiple streams to Bob. Alice SHOULD NOT send RELAY_COMMAND_BEGIN cells
|
|
|
+ for any other address along her circuit to Bob; if she does, Bob MUST reject
|
|
|
+ them.
|
|
|
|
|
|
2. Authentication and authorization.
|
|
|
|