Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 430ca38f70
Branches Tags
tor
/
src
/
feature
/
dirparse
/
authcert_parse.c

authcert_parse.c 6.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207 
  1. /* Copyright (c) 2001 Matej Pfajfar.
    2. 

  2.  * Copyright (c) 2001-2004, Roger Dingledine.
    3. 

  3.  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
    4. 

  4.  * Copyright (c) 2007-2018, The Tor Project, Inc. */
    5. 

  5. /* See LICENSE for licensing information */
    6. 

  6. 

  7. #include "core/or/or.h"
    8. 

  8. #include "feature/dirparse/authcert_parse.h"
    9. 

  9. #include "feature/dirparse/parsecommon.h"
    10. 

  10. #include "feature/dirparse/sigcommon.h"
    11. 

  11. #include "feature/dirparse/unparseable.h"
    12. 

  12. #include "feature/nodelist/authcert.h"
    13. 

  13. #include "lib/memarea/memarea.h"
    14. 

  14. 

  15. #include "feature/nodelist/authority_cert_st.h"
    16. 

  16. 

  17. /** List of tokens recognized in V3 authority certificates. */
    18. 

  18. static token_rule_t dir_key_certificate_table[] = {
    19. 

  19. #include "feature/dirparse/authcert_members.i"
    20. 

  20.   T1("fingerprint",      K_FINGERPRINT,              CONCAT_ARGS, NO_OBJ ),
    21. 

  21.   END_OF_TABLE
    22. 

  22. };
    23. 

  23. 

  24. /** Parse a key certificate from <b>s</b>; point <b>end-of-string</b> to
    25. 

  25.  * the first character after the certificate. */
    26. 

  26. authority_cert_t *
    27. 

  27. authority_cert_parse_from_string(const char *s, const char **end_of_string)
    28. 

  28. {
    29. 

  29.   /** Reject any certificate at least this big; it is probably an overflow, an
    30. 

  30.    * attack, a bug, or some other nonsense. */
    31. 

  31. #define MAX_CERT_SIZE (128*1024)
    32. 

  32. 

  33.   authority_cert_t *cert = NULL, *old_cert;
    34. 

  34.   smartlist_t *tokens = NULL;
    35. 

  35.   char digest[DIGEST_LEN];
    36. 

  36.   directory_token_t *tok;
    37. 

  37.   char fp_declared[DIGEST_LEN];
    38. 

  38.   char *eos;
    39. 

  39.   size_t len;
    40. 

  40.   int found;
    41. 

  41.   memarea_t *area = NULL;
    42. 

  42.   const char *s_dup = s;
    43. 

  43. 

  44.   s = eat_whitespace(s);
    45. 

  45.   eos = strstr(s, "\ndir-key-certification");
    46. 

  46.   if (! eos) {
    47. 

  47.     log_warn(LD_DIR, "No signature found on key certificate");
    48. 

  48.     return NULL;
    49. 

  49.   }
    50. 

  50.   eos = strstr(eos, "\n-----END SIGNATURE-----\n");
    51. 

  51.   if (! eos) {
    52. 

  52.     log_warn(LD_DIR, "No end-of-signature found on key certificate");
    53. 

  53.     return NULL;
    54. 

  54.   }
    55. 

  55.   eos = strchr(eos+2, '\n');
    56. 

  56.   tor_assert(eos);
    57. 

  57.   ++eos;
    58. 

  58.   len = eos - s;
    59. 

  59. 

  60.   if (len > MAX_CERT_SIZE) {
    61. 

  61.     log_warn(LD_DIR, "Certificate is far too big (at %lu bytes long); "
    62. 

  62.              "rejecting", (unsigned long)len);
    63. 

  63.     return NULL;
    64. 

  64.   }
    65. 

  65. 

  66.   tokens = smartlist_new();
    67. 

  67.   area = memarea_new();
    68. 

  68.   if (tokenize_string(area,s, eos, tokens, dir_key_certificate_table, 0) < 0) {
    69. 

  69.     log_warn(LD_DIR, "Error tokenizing key certificate");
    70. 

  70.     goto err;
    71. 

  71.   }
    72. 

  72.   if (router_get_hash_impl(s, strlen(s), digest, "dir-key-certificate-version",
    73. 

  73.                            "\ndir-key-certification", '\n', DIGEST_SHA1) < 0)
    74. 

  74.     goto err;
    75. 

  75.   tok = smartlist_get(tokens, 0);
    76. 

  76.   if (tok->tp != K_DIR_KEY_CERTIFICATE_VERSION || strcmp(tok->args[0], "3")) {
    77. 

  77.     log_warn(LD_DIR,
    78. 

  78.              "Key certificate does not begin with a recognized version (3).");
    79. 

  79.     goto err;
    80. 

  80.   }
    81. 

  81. 

  82.   cert = tor_malloc_zero(sizeof(authority_cert_t));
    83. 

  83.   memcpy(cert->cache_info.signed_descriptor_digest, digest, DIGEST_LEN);
    84. 

  84. 

  85.   tok = find_by_keyword(tokens, K_DIR_SIGNING_KEY);
    86. 

  86.   tor_assert(tok->key);
    87. 

  87.   cert->signing_key = tok->key;
    88. 

  88.   tok->key = NULL;
    89. 

  89.   if (crypto_pk_get_digest(cert->signing_key, cert->signing_key_digest))
    90. 

  90.     goto err;
    91. 

  91. 

  92.   tok = find_by_keyword(tokens, K_DIR_IDENTITY_KEY);
    93. 

  93.   tor_assert(tok->key);
    94. 

  94.   cert->identity_key = tok->key;
    95. 

  95.   tok->key = NULL;
    96. 

  96. 

  97.   tok = find_by_keyword(tokens, K_FINGERPRINT);
    98. 

  98.   tor_assert(tok->n_args);
    99. 

  99.   if (base16_decode(fp_declared, DIGEST_LEN, tok->args[0],
    100. 

  100.                     strlen(tok->args[0])) != DIGEST_LEN) {
    101. 

  101.     log_warn(LD_DIR, "Couldn't decode key certificate fingerprint %s",
    102. 

  102.              escaped(tok->args[0]));
    103. 

  103.     goto err;
    104. 

  104.   }
    105. 

  105. 

  106.   if (crypto_pk_get_digest(cert->identity_key,
    107. 

  107.                            cert->cache_info.identity_digest))
    108. 

  108.     goto err;
    109. 

  109. 

  110.   if (tor_memneq(cert->cache_info.identity_digest, fp_declared, DIGEST_LEN)) {
    111. 

  111.     log_warn(LD_DIR, "Digest of certificate key didn't match declared "
    112. 

  112.              "fingerprint");
    113. 

  113.     goto err;
    114. 

  114.   }
    115. 

  115. 

  116.   tok = find_opt_by_keyword(tokens, K_DIR_ADDRESS);
    117. 

  117.   if (tok) {
    118. 

  118.     struct in_addr in;
    119. 

  119.     char *address = NULL;
    120. 

  120.     tor_assert(tok->n_args);
    121. 

  121.     /* XXX++ use some tor_addr parse function below instead. -RD */
    122. 

  122.     if (tor_addr_port_split(LOG_WARN, tok->args[0], &address,
    123. 

  123.                             &cert->dir_port) < 0 ||
    124. 

  124.         tor_inet_aton(address, &in) == 0) {
    125. 

  125.       log_warn(LD_DIR, "Couldn't parse dir-address in certificate");
    126. 

  126.       tor_free(address);
    127. 

  127.       goto err;
    128. 

  128.     }
    129. 

  129.     cert->addr = ntohl(in.s_addr);
    130. 

  130.     tor_free(address);
    131. 

  131.   }
    132. 

  132. 

  133.   tok = find_by_keyword(tokens, K_DIR_KEY_PUBLISHED);
    134. 

  134.   if (parse_iso_time(tok->args[0], &cert->cache_info.published_on) < 0) {
    135. 

  135.      goto err;
    136. 

  136.   }
    137. 

  137.   tok = find_by_keyword(tokens, K_DIR_KEY_EXPIRES);
    138. 

  138.   if (parse_iso_time(tok->args[0], &cert->expires) < 0) {
    139. 

  139.      goto err;
    140. 

  140.   }
    141. 

  141. 

  142.   tok = smartlist_get(tokens, smartlist_len(tokens)-1);
    143. 

  143.   if (tok->tp != K_DIR_KEY_CERTIFICATION) {
    144. 

  144.     log_warn(LD_DIR, "Certificate didn't end with dir-key-certification.");
    145. 

  145.     goto err;
    146. 

  146.   }
    147. 

  147. 

  148.   /* If we already have this cert, don't bother checking the signature. */
    149. 

  149.   old_cert = authority_cert_get_by_digests(
    150. 

  150.                                      cert->cache_info.identity_digest,
    151. 

  151.                                      cert->signing_key_digest);
    152. 

  152.   found = 0;
    153. 

  153.   if (old_cert) {
    154. 

  154.     /* XXXX We could just compare signed_descriptor_digest, but that wouldn't
    155. 

  155.      * buy us much. */
    156. 

  156.     if (old_cert->cache_info.signed_descriptor_len == len &&
    157. 

  157.         old_cert->cache_info.signed_descriptor_body &&
    158. 

  158.         tor_memeq(s, old_cert->cache_info.signed_descriptor_body, len)) {
    159. 

  159.       log_debug(LD_DIR, "We already checked the signature on this "
    160. 

  160.                 "certificate; no need to do so again.");
    161. 

  161.       found = 1;
    162. 

  162.     }
    163. 

  163.   }
    164. 

  164.   if (!found) {
    165. 

  165.     if (check_signature_token(digest, DIGEST_LEN, tok, cert->identity_key, 0,
    166. 

  166.                               "key certificate")) {
    167. 

  167.       goto err;
    168. 

  168.     }
    169. 

  169. 

  170.     tok = find_by_keyword(tokens, K_DIR_KEY_CROSSCERT);
    171. 

  171.     if (check_signature_token(cert->cache_info.identity_digest,
    172. 

  172.                               DIGEST_LEN,
    173. 

  173.                               tok,
    174. 

  174.                               cert->signing_key,
    175. 

  175.                               CST_NO_CHECK_OBJTYPE,
    176. 

  176.                               "key cross-certification")) {
    177. 

  177.       goto err;
    178. 

  178.     }
    179. 

  179.   }
    180. 

  180. 

  181.   cert->cache_info.signed_descriptor_len = len;
    182. 

  182.   cert->cache_info.signed_descriptor_body = tor_malloc(len+1);
    183. 

  183.   memcpy(cert->cache_info.signed_descriptor_body, s, len);
    184. 

  184.   cert->cache_info.signed_descriptor_body[len] = 0;
    185. 

  185.   cert->cache_info.saved_location = SAVED_NOWHERE;
    186. 

  186. 

  187.   if (end_of_string) {
    188. 

  188.     *end_of_string = eat_whitespace(eos);
    189. 

  189.   }
    190. 

  190.   SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
    191. 

  191.   smartlist_free(tokens);
    192. 

  192.   if (area) {
    193. 

  193.     DUMP_AREA(area, "authority cert");
    194. 

  194.     memarea_drop_all(area);
    195. 

  195.   }
    196. 

  196.   return cert;
    197. 

  197.  err:
    198. 

  198.   dump_desc(s_dup, "authority cert");
    199. 

  199.   authority_cert_free(cert);
    200. 

  200.   SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
    201. 

  201.   smartlist_free(tokens);
    202. 

  202.   if (area) {
    203. 

  203.     DUMP_AREA(area, "authority cert");
    204. 

  204.     memarea_drop_all(area);
    205. 

  205.   }
    206. 

  206.   return NULL;
    207. 

  207. }
    208.