/* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. * Copyright (c) 2007-2017, The Tor Project, Inc. */ /* See LICENSE for licensing information */ /** * \file rendcommon.c * \brief Rendezvous implementation: shared code between * introducers, services, clients, and rendezvous points. **/ #define RENDCOMMON_PRIVATE #include "or.h" #include "circuitbuild.h" #include "config.h" #include "control.h" #include "hs_common.h" #include "rendclient.h" #include "rendcommon.h" #include "rendmid.h" #include "hs_intropoint.h" #include "hs_client.h" #include "rendservice.h" #include "rephist.h" #include "router.h" #include "routerlist.h" #include "routerparse.h" #include "networkstatus.h" /** Return 0 if one and two are the same service ids, else -1 or 1 */ int rend_cmp_service_ids(const char *one, const char *two) { return strcasecmp(one,two); } /** Free the storage held by the service descriptor desc. */ void rend_service_descriptor_free_(rend_service_descriptor_t *desc) { if (!desc) return; if (desc->pk) crypto_pk_free(desc->pk); if (desc->intro_nodes) { SMARTLIST_FOREACH(desc->intro_nodes, rend_intro_point_t *, intro, rend_intro_point_free(intro);); smartlist_free(desc->intro_nodes); } if (desc->successful_uploads) { SMARTLIST_FOREACH(desc->successful_uploads, char *, c, tor_free(c);); smartlist_free(desc->successful_uploads); } tor_free(desc); } /** Length of the descriptor cookie that is used for versioned hidden * service descriptors. */ #define REND_DESC_COOKIE_LEN 16 /** Length of the replica number that is used to determine the secret ID * part of versioned hidden service descriptors. */ #define REND_REPLICA_LEN 1 /** Compute the descriptor ID for service_id of length * REND_SERVICE_ID_LEN and secret_id_part of length * DIGEST_LEN, and write it to descriptor_id_out of length * DIGEST_LEN. */ void rend_get_descriptor_id_bytes(char *descriptor_id_out, const char *service_id, const char *secret_id_part) { crypto_digest_t *digest = crypto_digest_new(); crypto_digest_add_bytes(digest, service_id, REND_SERVICE_ID_LEN); crypto_digest_add_bytes(digest, secret_id_part, DIGEST_LEN); crypto_digest_get_digest(digest, descriptor_id_out, DIGEST_LEN); crypto_digest_free(digest); } /** Compute the secret ID part for time_period, * a descriptor_cookie of length * REND_DESC_COOKIE_LEN which may also be NULL if no * descriptor_cookie shall be used, and replica, and write it to * secret_id_part of length DIGEST_LEN. */ static void get_secret_id_part_bytes(char *secret_id_part, uint32_t time_period, const char *descriptor_cookie, uint8_t replica) { crypto_digest_t *digest = crypto_digest_new(); time_period = htonl(time_period); crypto_digest_add_bytes(digest, (char*)&time_period, sizeof(uint32_t)); if (descriptor_cookie) { crypto_digest_add_bytes(digest, descriptor_cookie, REND_DESC_COOKIE_LEN); } crypto_digest_add_bytes(digest, (const char *)&replica, REND_REPLICA_LEN); crypto_digest_get_digest(digest, secret_id_part, DIGEST_LEN); crypto_digest_free(digest); } /** Return the time period for time now plus a potentially * intended deviation of one or more periods, based on the first byte * of service_id. */ static uint32_t get_time_period(time_t now, uint8_t deviation, const char *service_id) { /* The time period is the number of REND_TIME_PERIOD_V2_DESC_VALIDITY * intervals that have passed since the epoch, offset slightly so that * each service's time periods start and end at a fraction of that * period based on their first byte. */ return (uint32_t) (now + ((uint8_t) *service_id) * REND_TIME_PERIOD_V2_DESC_VALIDITY / 256) / REND_TIME_PERIOD_V2_DESC_VALIDITY + deviation; } /** Compute the time in seconds that a descriptor that is generated * now for service_id will be valid. */ static uint32_t get_seconds_valid(time_t now, const char *service_id) { uint32_t result = REND_TIME_PERIOD_V2_DESC_VALIDITY - ((uint32_t) (now + ((uint8_t) *service_id) * REND_TIME_PERIOD_V2_DESC_VALIDITY / 256) % REND_TIME_PERIOD_V2_DESC_VALIDITY); return result; } /** Compute the binary desc_id_out (DIGEST_LEN bytes long) for a given * base32-encoded service_id and optional unencoded * descriptor_cookie of length REND_DESC_COOKIE_LEN, * at time now for replica number * replica. desc_id needs to have DIGEST_LEN bytes * free. Return 0 for success, -1 otherwise. */ int rend_compute_v2_desc_id(char *desc_id_out, const char *service_id, const char *descriptor_cookie, time_t now, uint8_t replica) { char service_id_binary[REND_SERVICE_ID_LEN]; char secret_id_part[DIGEST_LEN]; uint32_t time_period; if (!service_id || strlen(service_id) != REND_SERVICE_ID_LEN_BASE32) { log_warn(LD_REND, "Could not compute v2 descriptor ID: " "Illegal service ID: %s", safe_str(service_id)); return -1; } if (replica >= REND_NUMBER_OF_NON_CONSECUTIVE_REPLICAS) { log_warn(LD_REND, "Could not compute v2 descriptor ID: " "Replica number out of range: %d", replica); return -1; } /* Convert service ID to binary. */ if (base32_decode(service_id_binary, REND_SERVICE_ID_LEN, service_id, REND_SERVICE_ID_LEN_BASE32) < 0) { log_warn(LD_REND, "Could not compute v2 descriptor ID: " "Illegal characters in service ID: %s", safe_str_client(service_id)); return -1; } /* Calculate current time-period. */ time_period = get_time_period(now, 0, service_id_binary); /* Calculate secret-id-part = h(time-period | desc-cookie | replica). */ get_secret_id_part_bytes(secret_id_part, time_period, descriptor_cookie, replica); /* Calculate descriptor ID: H(permanent-id | secret-id-part) */ rend_get_descriptor_id_bytes(desc_id_out, service_id_binary, secret_id_part); return 0; } /** Encode the introduction points in desc and write the result to a * newly allocated string pointed to by encoded. Return 0 for * success, -1 otherwise. */ static int rend_encode_v2_intro_points(char **encoded, rend_service_descriptor_t *desc) { size_t unenc_len; char *unenc = NULL; size_t unenc_written = 0; int i; int r = -1; /* Assemble unencrypted list of introduction points. */ unenc_len = smartlist_len(desc->intro_nodes) * 1000; /* too long, but ok. */ unenc = tor_malloc_zero(unenc_len); for (i = 0; i < smartlist_len(desc->intro_nodes); i++) { char id_base32[REND_INTRO_POINT_ID_LEN_BASE32 + 1]; char *onion_key = NULL; size_t onion_key_len; crypto_pk_t *intro_key; char *service_key = NULL; char *address = NULL; size_t service_key_len; int res; rend_intro_point_t *intro = smartlist_get(desc->intro_nodes, i); /* Obtain extend info with introduction point details. */ extend_info_t *info = intro->extend_info; /* Encode introduction point ID. */ base32_encode(id_base32, sizeof(id_base32), info->identity_digest, DIGEST_LEN); /* Encode onion key. */ if (crypto_pk_write_public_key_to_string(info->onion_key, &onion_key, &onion_key_len) < 0) { log_warn(LD_REND, "Could not write onion key."); goto done; } /* Encode intro key. */ intro_key = intro->intro_key; if (!intro_key || crypto_pk_write_public_key_to_string(intro_key, &service_key, &service_key_len) < 0) { log_warn(LD_REND, "Could not write intro key."); tor_free(onion_key); goto done; } /* Assemble everything for this introduction point. */ address = tor_addr_to_str_dup(&info->addr); res = tor_snprintf(unenc + unenc_written, unenc_len - unenc_written, "introduction-point %s\n" "ip-address %s\n" "onion-port %d\n" "onion-key\n%s" "service-key\n%s", id_base32, address, info->port, onion_key, service_key); tor_free(address); tor_free(onion_key); tor_free(service_key); if (res < 0) { log_warn(LD_REND, "Not enough space for writing introduction point " "string."); goto done; } /* Update total number of written bytes for unencrypted intro points. */ unenc_written += res; } /* Finalize unencrypted introduction points. */ if (unenc_len < unenc_written + 2) { log_warn(LD_REND, "Not enough space for finalizing introduction point " "string."); goto done; } unenc[unenc_written++] = '\n'; unenc[unenc_written++] = 0; *encoded = unenc; r = 0; done: if (r<0) tor_free(unenc); return r; } /** Encrypt the encoded introduction points in encoded using * authorization type 'basic' with client_cookies and write the * result to a newly allocated string pointed to by encrypted_out of * length encrypted_len_out. Return 0 for success, -1 otherwise. */ static int rend_encrypt_v2_intro_points_basic(char **encrypted_out, size_t *encrypted_len_out, const char *encoded, smartlist_t *client_cookies) { int r = -1, i, pos, enclen, client_blocks; size_t len, client_entries_len; char *enc = NULL, iv[CIPHER_IV_LEN], *client_part = NULL, session_key[CIPHER_KEY_LEN]; smartlist_t *encrypted_session_keys = NULL; crypto_digest_t *digest; crypto_cipher_t *cipher; tor_assert(encoded); tor_assert(client_cookies && smartlist_len(client_cookies) > 0); /* Generate session key. */ crypto_rand(session_key, CIPHER_KEY_LEN); /* Determine length of encrypted introduction points including session * keys. */ client_blocks = 1 + ((smartlist_len(client_cookies) - 1) / REND_BASIC_AUTH_CLIENT_MULTIPLE); client_entries_len = client_blocks * REND_BASIC_AUTH_CLIENT_MULTIPLE * REND_BASIC_AUTH_CLIENT_ENTRY_LEN; len = 2 + client_entries_len + CIPHER_IV_LEN + strlen(encoded); if (client_blocks >= 256) { log_warn(LD_REND, "Too many clients in introduction point string."); goto done; } enc = tor_malloc_zero(len); enc[0] = 0x01; /* type of authorization. */ enc[1] = (uint8_t)client_blocks; /* Encrypt with random session key. */ enclen = crypto_cipher_encrypt_with_iv(session_key, enc + 2 + client_entries_len, CIPHER_IV_LEN + strlen(encoded), encoded, strlen(encoded)); if (enclen < 0) { log_warn(LD_REND, "Could not encrypt introduction point string."); goto done; } memcpy(iv, enc + 2 + client_entries_len, CIPHER_IV_LEN); /* Encrypt session key for cookies, determine client IDs, and put both * in a smartlist. */ encrypted_session_keys = smartlist_new(); SMARTLIST_FOREACH_BEGIN(client_cookies, const char *, cookie) { client_part = tor_malloc_zero(REND_BASIC_AUTH_CLIENT_ENTRY_LEN); /* Encrypt session key. */ cipher = crypto_cipher_new(cookie); if (crypto_cipher_encrypt(cipher, client_part + REND_BASIC_AUTH_CLIENT_ID_LEN, session_key, CIPHER_KEY_LEN) < 0) { log_warn(LD_REND, "Could not encrypt session key for client."); crypto_cipher_free(cipher); tor_free(client_part); goto done; } crypto_cipher_free(cipher); /* Determine client ID. */ digest = crypto_digest_new(); crypto_digest_add_bytes(digest, cookie, REND_DESC_COOKIE_LEN); crypto_digest_add_bytes(digest, iv, CIPHER_IV_LEN); crypto_digest_get_digest(digest, client_part, REND_BASIC_AUTH_CLIENT_ID_LEN); crypto_digest_free(digest); /* Put both together. */ smartlist_add(encrypted_session_keys, client_part); } SMARTLIST_FOREACH_END(cookie); /* Add some fake client IDs and encrypted session keys. */ for (i = (smartlist_len(client_cookies) - 1) % REND_BASIC_AUTH_CLIENT_MULTIPLE; i < REND_BASIC_AUTH_CLIENT_MULTIPLE - 1; i++) { client_part = tor_malloc_zero(REND_BASIC_AUTH_CLIENT_ENTRY_LEN); crypto_rand(client_part, REND_BASIC_AUTH_CLIENT_ENTRY_LEN); smartlist_add(encrypted_session_keys, client_part); } /* Sort smartlist and put elements in result in order. */ smartlist_sort_digests(encrypted_session_keys); pos = 2; SMARTLIST_FOREACH(encrypted_session_keys, const char *, entry, { memcpy(enc + pos, entry, REND_BASIC_AUTH_CLIENT_ENTRY_LEN); pos += REND_BASIC_AUTH_CLIENT_ENTRY_LEN; }); *encrypted_out = enc; *encrypted_len_out = len; enc = NULL; /* prevent free. */ r = 0; done: tor_free(enc); if (encrypted_session_keys) { SMARTLIST_FOREACH(encrypted_session_keys, char *, d, tor_free(d);); smartlist_free(encrypted_session_keys); } return r; } /** Encrypt the encoded introduction points in encoded using * authorization type 'stealth' with descriptor_cookie of length * REND_DESC_COOKIE_LEN and write the result to a newly allocated string * pointed to by encrypted_out of length encrypted_len_out. * Return 0 for success, -1 otherwise. */ static int rend_encrypt_v2_intro_points_stealth(char **encrypted_out, size_t *encrypted_len_out, const char *encoded, const char *descriptor_cookie) { int r = -1, enclen; char *enc; tor_assert(encoded); tor_assert(descriptor_cookie); enc = tor_malloc_zero(1 + CIPHER_IV_LEN + strlen(encoded)); enc[0] = 0x02; /* Auth type */ enclen = crypto_cipher_encrypt_with_iv(descriptor_cookie, enc + 1, CIPHER_IV_LEN+strlen(encoded), encoded, strlen(encoded)); if (enclen < 0) { log_warn(LD_REND, "Could not encrypt introduction point string."); goto done; } *encrypted_out = enc; *encrypted_len_out = enclen; enc = NULL; /* prevent free */ r = 0; done: tor_free(enc); return r; } /** Attempt to parse the given desc_str and return true if this * succeeds, false otherwise. */ STATIC int rend_desc_v2_is_parsable(rend_encoded_v2_service_descriptor_t *desc) { rend_service_descriptor_t *test_parsed = NULL; char test_desc_id[DIGEST_LEN]; char *test_intro_content = NULL; size_t test_intro_size; size_t test_encoded_size; const char *test_next; int res = rend_parse_v2_service_descriptor(&test_parsed, test_desc_id, &test_intro_content, &test_intro_size, &test_encoded_size, &test_next, desc->desc_str, 1); rend_service_descriptor_free(test_parsed); tor_free(test_intro_content); return (res >= 0); } /** Free the storage held by an encoded v2 service descriptor. */ void rend_encoded_v2_service_descriptor_free_( rend_encoded_v2_service_descriptor_t *desc) { if (!desc) return; tor_free(desc->desc_str); tor_free(desc); } /** Free the storage held by an introduction point info. */ void rend_intro_point_free_(rend_intro_point_t *intro) { if (!intro) return; extend_info_free(intro->extend_info); crypto_pk_free(intro->intro_key); if (intro->accepted_intro_rsa_parts != NULL) { replaycache_free(intro->accepted_intro_rsa_parts); } tor_free(intro); } /** Encode a set of rend_encoded_v2_service_descriptor_t's for desc * at time now using service_key, depending on * auth_type a descriptor_cookie and a list of * client_cookies (which are both NULL if no client * authorization is performed), and period (e.g. 0 for the current * period, 1 for the next period, etc.) and add them to the existing list * descs_out; return the number of seconds that the descriptors will * be found by clients, or -1 if the encoding was not successful. */ int rend_encode_v2_descriptors(smartlist_t *descs_out, rend_service_descriptor_t *desc, time_t now, uint8_t period, rend_auth_type_t auth_type, crypto_pk_t *client_key, smartlist_t *client_cookies) { char service_id[DIGEST_LEN]; char service_id_base32[REND_SERVICE_ID_LEN_BASE32+1]; uint32_t time_period; char *ipos_base64 = NULL, *ipos = NULL, *ipos_encrypted = NULL, *descriptor_cookie = NULL; size_t ipos_len = 0, ipos_encrypted_len = 0; int k; uint32_t seconds_valid; crypto_pk_t *service_key; if (!desc) { log_warn(LD_BUG, "Could not encode v2 descriptor: No desc given."); return -1; } service_key = (auth_type == REND_STEALTH_AUTH) ? client_key : desc->pk; tor_assert(service_key); if (auth_type == REND_STEALTH_AUTH) { descriptor_cookie = smartlist_get(client_cookies, 0); tor_assert(descriptor_cookie); } /* Obtain service_id from public key. */ if (crypto_pk_get_digest(service_key, service_id) < 0) { log_warn(LD_BUG, "Couldn't compute service key digest."); return -1; } /* Calculate current time-period. */ time_period = get_time_period(now, period, service_id); /* Determine how many seconds the descriptor will be valid. */ seconds_valid = period * REND_TIME_PERIOD_V2_DESC_VALIDITY + get_seconds_valid(now, service_id); /* Assemble, possibly encrypt, and encode introduction points. */ if (smartlist_len(desc->intro_nodes) > 0) { if (rend_encode_v2_intro_points(&ipos, desc) < 0) { log_warn(LD_REND, "Encoding of introduction points did not succeed."); return -1; } switch (auth_type) { case REND_NO_AUTH: ipos_len = strlen(ipos); break; case REND_BASIC_AUTH: if (rend_encrypt_v2_intro_points_basic(&ipos_encrypted, &ipos_encrypted_len, ipos, client_cookies) < 0) { log_warn(LD_REND, "Encrypting of introduction points did not " "succeed."); tor_free(ipos); return -1; } tor_free(ipos); ipos = ipos_encrypted; ipos_len = ipos_encrypted_len; break; case REND_STEALTH_AUTH: if (rend_encrypt_v2_intro_points_stealth(&ipos_encrypted, &ipos_encrypted_len, ipos, descriptor_cookie) < 0) { log_warn(LD_REND, "Encrypting of introduction points did not " "succeed."); tor_free(ipos); return -1; } tor_free(ipos); ipos = ipos_encrypted; ipos_len = ipos_encrypted_len; break; default: log_warn(LD_REND|LD_BUG, "Unrecognized authorization type %d", (int)auth_type); tor_free(ipos); return -1; } /* Base64-encode introduction points. */ ipos_base64 = tor_calloc(ipos_len, 2); if (base64_encode(ipos_base64, ipos_len * 2, ipos, ipos_len, BASE64_ENCODE_MULTILINE)<0) { log_warn(LD_REND, "Could not encode introduction point string to " "base64. length=%d", (int)ipos_len); tor_free(ipos_base64); tor_free(ipos); return -1; } tor_free(ipos); } /* Encode REND_NUMBER_OF_NON_CONSECUTIVE_REPLICAS descriptors. */ for (k = 0; k < REND_NUMBER_OF_NON_CONSECUTIVE_REPLICAS; k++) { char secret_id_part[DIGEST_LEN]; char secret_id_part_base32[REND_SECRET_ID_PART_LEN_BASE32 + 1]; char desc_id_base32[REND_DESC_ID_V2_LEN_BASE32 + 1]; char *permanent_key = NULL; size_t permanent_key_len; char published[ISO_TIME_LEN+1]; int i; char protocol_versions_string[16]; /* max len: "0,1,2,3,4,5,6,7\0" */ size_t protocol_versions_written; size_t desc_len; char *desc_str = NULL; int result = 0; size_t written = 0; char desc_digest[DIGEST_LEN]; rend_encoded_v2_service_descriptor_t *enc = tor_malloc_zero(sizeof(rend_encoded_v2_service_descriptor_t)); /* Calculate secret-id-part = h(time-period | cookie | replica). */ get_secret_id_part_bytes(secret_id_part, time_period, descriptor_cookie, k); base32_encode(secret_id_part_base32, sizeof(secret_id_part_base32), secret_id_part, DIGEST_LEN); /* Calculate descriptor ID. */ rend_get_descriptor_id_bytes(enc->desc_id, service_id, secret_id_part); base32_encode(desc_id_base32, sizeof(desc_id_base32), enc->desc_id, DIGEST_LEN); /* PEM-encode the public key */ if (crypto_pk_write_public_key_to_string(service_key, &permanent_key, &permanent_key_len) < 0) { log_warn(LD_BUG, "Could not write public key to string."); rend_encoded_v2_service_descriptor_free(enc); goto err; } /* Encode timestamp. */ format_iso_time(published, desc->timestamp); /* Write protocol-versions bitmask to comma-separated value string. */ protocol_versions_written = 0; for (i = 0; i < 8; i++) { if (desc->protocols & 1 << i) { tor_snprintf(protocol_versions_string + protocol_versions_written, 16 - protocol_versions_written, "%d,", i); protocol_versions_written += 2; } } if (protocol_versions_written) protocol_versions_string[protocol_versions_written - 1] = '\0'; else protocol_versions_string[0]= '\0'; /* Assemble complete descriptor. */ desc_len = 2000 + smartlist_len(desc->intro_nodes) * 1000; /* far too long, but okay.*/ enc->desc_str = desc_str = tor_malloc_zero(desc_len); result = tor_snprintf(desc_str, desc_len, "rendezvous-service-descriptor %s\n" "version 2\n" "permanent-key\n%s" "secret-id-part %s\n" "publication-time %s\n" "protocol-versions %s\n", desc_id_base32, permanent_key, secret_id_part_base32, published, protocol_versions_string); tor_free(permanent_key); if (result < 0) { log_warn(LD_BUG, "Descriptor ran out of room."); rend_encoded_v2_service_descriptor_free(enc); goto err; } written = result; /* Add introduction points. */ if (ipos_base64) { result = tor_snprintf(desc_str + written, desc_len - written, "introduction-points\n" "-----BEGIN MESSAGE-----\n%s" "-----END MESSAGE-----\n", ipos_base64); if (result < 0) { log_warn(LD_BUG, "could not write introduction points."); rend_encoded_v2_service_descriptor_free(enc); goto err; } written += result; } /* Add signature. */ strlcpy(desc_str + written, "signature\n", desc_len - written); written += strlen(desc_str + written); if (crypto_digest(desc_digest, desc_str, written) < 0) { log_warn(LD_BUG, "could not create digest."); rend_encoded_v2_service_descriptor_free(enc); goto err; } if (router_append_dirobj_signature(desc_str + written, desc_len - written, desc_digest, DIGEST_LEN, service_key) < 0) { log_warn(LD_BUG, "Couldn't sign desc."); rend_encoded_v2_service_descriptor_free(enc); goto err; } written += strlen(desc_str+written); if (written+2 > desc_len) { log_warn(LD_BUG, "Could not finish desc."); rend_encoded_v2_service_descriptor_free(enc); goto err; } desc_str[written++] = 0; /* Check if we can parse our own descriptor. */ if (!rend_desc_v2_is_parsable(enc)) { log_warn(LD_BUG, "Could not parse my own descriptor: %s", desc_str); rend_encoded_v2_service_descriptor_free(enc); goto err; } smartlist_add(descs_out, enc); /* Add the uploaded descriptor to the local service's descriptor cache */ rend_cache_store_v2_desc_as_service(enc->desc_str); base32_encode(service_id_base32, sizeof(service_id_base32), service_id, REND_SERVICE_ID_LEN); control_event_hs_descriptor_created(service_id_base32, desc_id_base32, k); } log_info(LD_REND, "Successfully encoded a v2 descriptor and " "confirmed that it is parsable."); goto done; err: SMARTLIST_FOREACH(descs_out, rend_encoded_v2_service_descriptor_t *, d, rend_encoded_v2_service_descriptor_free(d);); smartlist_clear(descs_out); seconds_valid = -1; done: tor_free(ipos_base64); return seconds_valid; } /** Sets out to the first 10 bytes of the digest of pk, * base32 encoded. NUL-terminates out. (We use this string to * identify services in directory requests and .onion URLs.) */ int rend_get_service_id(crypto_pk_t *pk, char *out) { char buf[DIGEST_LEN]; tor_assert(pk); if (crypto_pk_get_digest(pk, buf) < 0) return -1; base32_encode(out, REND_SERVICE_ID_LEN_BASE32+1, buf, REND_SERVICE_ID_LEN); return 0; } /** Return true iff query is a syntactically valid service ID (as * generated by rend_get_service_id). */ int rend_valid_v2_service_id(const char *query) { if (strlen(query) != REND_SERVICE_ID_LEN_BASE32) return 0; if (strspn(query, BASE32_CHARS) != REND_SERVICE_ID_LEN_BASE32) return 0; return 1; } /** Return true iff query is a syntactically valid descriptor ID. * (as generated by rend_get_descriptor_id_bytes). */ int rend_valid_descriptor_id(const char *query) { if (strlen(query) != REND_DESC_ID_V2_LEN_BASE32) { goto invalid; } if (strspn(query, BASE32_CHARS) != REND_DESC_ID_V2_LEN_BASE32) { goto invalid; } return 1; invalid: return 0; } /** Return true iff client_name is a syntactically valid name * for rendezvous client authentication. */ int rend_valid_client_name(const char *client_name) { size_t len = strlen(client_name); if (len < 1 || len > REND_CLIENTNAME_MAX_LEN) { return 0; } if (strspn(client_name, REND_LEGAL_CLIENTNAME_CHARACTERS) != len) { return 0; } return 1; } /** Called when we get a rendezvous-related relay cell on circuit * circ. Dispatch on rendezvous relay command. */ void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint, int command, size_t length, const uint8_t *payload) { or_circuit_t *or_circ = NULL; origin_circuit_t *origin_circ = NULL; int r = -2; if (CIRCUIT_IS_ORIGIN(circ)) { origin_circ = TO_ORIGIN_CIRCUIT(circ); if (!layer_hint || layer_hint != origin_circ->cpath->prev) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "Relay cell (rend purpose %d) from wrong hop on origin circ", command); origin_circ = NULL; } } else { or_circ = TO_OR_CIRCUIT(circ); } switch (command) { case RELAY_COMMAND_ESTABLISH_INTRO: if (or_circ) r = hs_intro_received_establish_intro(or_circ,payload,length); break; case RELAY_COMMAND_ESTABLISH_RENDEZVOUS: if (or_circ) r = rend_mid_establish_rendezvous(or_circ,payload,length); break; case RELAY_COMMAND_INTRODUCE1: if (or_circ) r = hs_intro_received_introduce1(or_circ,payload,length); break; case RELAY_COMMAND_INTRODUCE2: if (origin_circ) r = hs_service_receive_introduce2(origin_circ,payload,length); break; case RELAY_COMMAND_INTRODUCE_ACK: if (origin_circ) r = hs_client_receive_introduce_ack(origin_circ,payload,length); break; case RELAY_COMMAND_RENDEZVOUS1: if (or_circ) r = rend_mid_rendezvous(or_circ,payload,length); break; case RELAY_COMMAND_RENDEZVOUS2: if (origin_circ) r = hs_client_receive_rendezvous2(origin_circ,payload,length); break; case RELAY_COMMAND_INTRO_ESTABLISHED: if (origin_circ) r = hs_service_receive_intro_established(origin_circ,payload,length); break; case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED: if (origin_circ) r = hs_client_receive_rendezvous_acked(origin_circ,payload,length); break; default: tor_fragile_assert(); } if (r == -2) log_info(LD_PROTOCOL, "Dropping cell (type %d) for wrong circuit type.", command); } /** Determine the routers that are responsible for id (binary) and * add pointers to those routers' routerstatus_t to responsible_dirs. * Return -1 if we're returning an empty smartlist, else return 0. */ int hid_serv_get_responsible_directories(smartlist_t *responsible_dirs, const char *id) { int start, found, n_added = 0, i; networkstatus_t *c = networkstatus_get_latest_consensus(); if (!c || !smartlist_len(c->routerstatus_list)) { log_warn(LD_REND, "We don't have a consensus, so we can't perform v2 " "rendezvous operations."); return -1; } tor_assert(id); start = networkstatus_vote_find_entry_idx(c, id, &found); if (start == smartlist_len(c->routerstatus_list)) start = 0; i = start; do { routerstatus_t *r = smartlist_get(c->routerstatus_list, i); if (r->is_hs_dir) { smartlist_add(responsible_dirs, r); if (++n_added == REND_NUMBER_OF_CONSECUTIVE_REPLICAS) return 0; } if (++i == smartlist_len(c->routerstatus_list)) i = 0; } while (i != start); /* Even though we don't have the desired number of hidden service * directories, be happy if we got any. */ return smartlist_len(responsible_dirs) ? 0 : -1; } /* Length of the 'extended' auth cookie used to encode auth type before * base64 encoding. */ #define REND_DESC_COOKIE_LEN_EXT (REND_DESC_COOKIE_LEN + 1) /* Length of the zero-padded auth cookie when base64 encoded. These two * padding bytes always (A=) are stripped off of the returned cookie. */ #define REND_DESC_COOKIE_LEN_EXT_BASE64 (REND_DESC_COOKIE_LEN_BASE64 + 2) /** Encode a client authorization descriptor cookie. * The result of this function is suitable for use in the HidServAuth * option. The trailing padding characters are removed, and the * auth type is encoded into the cookie. * * Returns a new base64-encoded cookie. This function cannot fail. * The caller is responsible for freeing the returned value. */ char * rend_auth_encode_cookie(const uint8_t *cookie_in, rend_auth_type_t auth_type) { uint8_t extended_cookie[REND_DESC_COOKIE_LEN_EXT]; char *cookie_out = tor_malloc_zero(REND_DESC_COOKIE_LEN_EXT_BASE64 + 1); int re; tor_assert(cookie_in); memcpy(extended_cookie, cookie_in, REND_DESC_COOKIE_LEN); extended_cookie[REND_DESC_COOKIE_LEN] = ((int)auth_type - 1) << 4; re = base64_encode(cookie_out, REND_DESC_COOKIE_LEN_EXT_BASE64 + 1, (const char *) extended_cookie, REND_DESC_COOKIE_LEN_EXT, 0); tor_assert(re == REND_DESC_COOKIE_LEN_EXT_BASE64); /* Remove the trailing 'A='. Auth type is encoded in the high bits * of the last byte, so the last base64 character will always be zero * (A). This is subtly different behavior from base64_encode_nopad. */ cookie_out[REND_DESC_COOKIE_LEN_BASE64] = '\0'; memwipe(extended_cookie, 0, sizeof(extended_cookie)); return cookie_out; } /** Decode a base64-encoded client authorization descriptor cookie. * The descriptor_cookie can be truncated to REND_DESC_COOKIE_LEN_BASE64 * characters (as given to clients), or may include the two padding * characters (as stored by the service). * * The result is stored in REND_DESC_COOKIE_LEN bytes of cookie_out. * The rend_auth_type_t decoded from the cookie is stored in the * optional auth_type_out parameter. * * Return 0 on success, or -1 on error. The caller is responsible for * freeing the returned err_msg. */ int rend_auth_decode_cookie(const char *cookie_in, uint8_t *cookie_out, rend_auth_type_t *auth_type_out, char **err_msg_out) { uint8_t descriptor_cookie_decoded[REND_DESC_COOKIE_LEN_EXT + 1] = { 0 }; char descriptor_cookie_base64ext[REND_DESC_COOKIE_LEN_EXT_BASE64 + 1]; const char *descriptor_cookie = cookie_in; char *err_msg = NULL; int auth_type_val = 0; int res = -1; int decoded_len; size_t len = strlen(descriptor_cookie); if (len == REND_DESC_COOKIE_LEN_BASE64) { /* Add a trailing zero byte to make base64-decoding happy. */ tor_snprintf(descriptor_cookie_base64ext, sizeof(descriptor_cookie_base64ext), "%sA=", descriptor_cookie); descriptor_cookie = descriptor_cookie_base64ext; } else if (len != REND_DESC_COOKIE_LEN_EXT_BASE64) { tor_asprintf(&err_msg, "Authorization cookie has wrong length: %s", escaped(cookie_in)); goto err; } decoded_len = base64_decode((char *) descriptor_cookie_decoded, sizeof(descriptor_cookie_decoded), descriptor_cookie, REND_DESC_COOKIE_LEN_EXT_BASE64); if (decoded_len != REND_DESC_COOKIE_LEN && decoded_len != REND_DESC_COOKIE_LEN_EXT) { tor_asprintf(&err_msg, "Authorization cookie has invalid characters: %s", escaped(cookie_in)); goto err; } if (auth_type_out) { auth_type_val = (descriptor_cookie_decoded[REND_DESC_COOKIE_LEN] >> 4) + 1; if (auth_type_val < 1 || auth_type_val > 2) { tor_asprintf(&err_msg, "Authorization cookie type is unknown: %s", escaped(cookie_in)); goto err; } *auth_type_out = auth_type_val == 1 ? REND_BASIC_AUTH : REND_STEALTH_AUTH; } memcpy(cookie_out, descriptor_cookie_decoded, REND_DESC_COOKIE_LEN); res = 0; err: if (err_msg_out) { *err_msg_out = err_msg; } else { tor_free(err_msg); } memwipe(descriptor_cookie_decoded, 0, sizeof(descriptor_cookie_decoded)); memwipe(descriptor_cookie_base64ext, 0, sizeof(descriptor_cookie_base64ext)); return res; } /* Is this a rend client or server that allows direct (non-anonymous) * connections? * Clients must be specifically compiled and configured in this mode. * Onion services can be configured to start in this mode. * Prefer rend_client_allow_non_anonymous_connection() or * rend_service_allow_non_anonymous_connection() whenever possible, so that * checks are specific to Single Onion Services or Tor2web. */ int rend_allow_non_anonymous_connection(const or_options_t* options) { return (rend_client_allow_non_anonymous_connection(options) || rend_service_allow_non_anonymous_connection(options)); } /* Is this a rend client or server in non-anonymous mode? * Clients must be specifically compiled in this mode. * Onion services can be configured to start in this mode. * Prefer rend_client_non_anonymous_mode_enabled() or * rend_service_non_anonymous_mode_enabled() whenever possible, so that checks * are specific to Single Onion Services or Tor2web. */ int rend_non_anonymous_mode_enabled(const or_options_t *options) { return (rend_client_non_anonymous_mode_enabled(options) || rend_service_non_anonymous_mode_enabled(options)); } /* Make sure that tor only builds one-hop circuits when they would not * compromise user anonymity. * * One-hop circuits are permitted in Tor2web or Single Onion modes. * * Tor2web or Single Onion modes are also allowed to make multi-hop circuits. * For example, single onion HSDir circuits are 3-hop to prevent denial of * service. */ void assert_circ_anonymity_ok(const origin_circuit_t *circ, const or_options_t *options) { tor_assert(options); tor_assert(circ); tor_assert(circ->build_state); if (circ->build_state->onehop_tunnel) { tor_assert(rend_allow_non_anonymous_connection(options)); } } /* Return 1 iff the given digest of a permenanent hidden service key is * equal to the digest in the origin circuit ocirc of its rend data . * If the rend data doesn't exist, 0 is returned. This function is agnostic to * the rend data version. */ int rend_circuit_pk_digest_eq(const origin_circuit_t *ocirc, const uint8_t *digest) { size_t rend_pk_digest_len; const uint8_t *rend_pk_digest; tor_assert(ocirc); tor_assert(digest); if (ocirc->rend_data == NULL) { goto no_match; } rend_pk_digest = rend_data_get_pk_digest(ocirc->rend_data, &rend_pk_digest_len); if (tor_memeq(rend_pk_digest, digest, rend_pk_digest_len)) { goto match; } no_match: return 0; match: return 1; }