hs_cell.c 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950
  1. /* Copyright (c) 2017-2018, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file hs_cell.c
  5. * \brief Hidden service API for cell creation and handling.
  6. **/
  7. #include "core/or/or.h"
  8. #include "app/config/config.h"
  9. #include "lib/crypt_ops/crypto_util.h"
  10. #include "feature/rend/rendservice.h"
  11. #include "feature/hs_common/replaycache.h"
  12. #include "feature/hs/hs_cell.h"
  13. #include "core/crypto/hs_ntor.h"
  14. #include "core/or/origin_circuit_st.h"
  15. /* Trunnel. */
  16. #include "trunnel/ed25519_cert.h"
  17. #include "trunnel/hs/cell_common.h"
  18. #include "trunnel/hs/cell_establish_intro.h"
  19. #include "trunnel/hs/cell_introduce1.h"
  20. #include "trunnel/hs/cell_rendezvous.h"
  21. /* Compute the MAC of an INTRODUCE cell in mac_out. The encoded_cell param is
  22. * the cell content up to the ENCRYPTED section of length encoded_cell_len.
  23. * The encrypted param is the start of the ENCRYPTED section of length
  24. * encrypted_len. The mac_key is the key needed for the computation of the MAC
  25. * derived from the ntor handshake of length mac_key_len.
  26. *
  27. * The length mac_out_len must be at least DIGEST256_LEN. */
  28. static void
  29. compute_introduce_mac(const uint8_t *encoded_cell, size_t encoded_cell_len,
  30. const uint8_t *encrypted, size_t encrypted_len,
  31. const uint8_t *mac_key, size_t mac_key_len,
  32. uint8_t *mac_out, size_t mac_out_len)
  33. {
  34. size_t offset = 0;
  35. size_t mac_msg_len;
  36. uint8_t mac_msg[RELAY_PAYLOAD_SIZE] = {0};
  37. tor_assert(encoded_cell);
  38. tor_assert(encrypted);
  39. tor_assert(mac_key);
  40. tor_assert(mac_out);
  41. tor_assert(mac_out_len >= DIGEST256_LEN);
  42. /* Compute the size of the message which is basically the entire cell until
  43. * the MAC field of course. */
  44. mac_msg_len = encoded_cell_len + (encrypted_len - DIGEST256_LEN);
  45. tor_assert(mac_msg_len <= sizeof(mac_msg));
  46. /* First, put the encoded cell in the msg. */
  47. memcpy(mac_msg, encoded_cell, encoded_cell_len);
  48. offset += encoded_cell_len;
  49. /* Second, put the CLIENT_PK + ENCRYPTED_DATA but ommit the MAC field (which
  50. * is junk at this point). */
  51. memcpy(mac_msg + offset, encrypted, (encrypted_len - DIGEST256_LEN));
  52. offset += (encrypted_len - DIGEST256_LEN);
  53. tor_assert(offset == mac_msg_len);
  54. crypto_mac_sha3_256(mac_out, mac_out_len,
  55. mac_key, mac_key_len,
  56. mac_msg, mac_msg_len);
  57. memwipe(mac_msg, 0, sizeof(mac_msg));
  58. }
  59. /* From a set of keys, subcredential and the ENCRYPTED section of an
  60. * INTRODUCE2 cell, return a newly allocated intro cell keys structure.
  61. * Finally, the client public key is copied in client_pk. On error, return
  62. * NULL. */
  63. static hs_ntor_intro_cell_keys_t *
  64. get_introduce2_key_material(const ed25519_public_key_t *auth_key,
  65. const curve25519_keypair_t *enc_key,
  66. const uint8_t *subcredential,
  67. const uint8_t *encrypted_section,
  68. curve25519_public_key_t *client_pk)
  69. {
  70. hs_ntor_intro_cell_keys_t *keys;
  71. tor_assert(auth_key);
  72. tor_assert(enc_key);
  73. tor_assert(subcredential);
  74. tor_assert(encrypted_section);
  75. tor_assert(client_pk);
  76. keys = tor_malloc_zero(sizeof(*keys));
  77. /* First bytes of the ENCRYPTED section are the client public key. */
  78. memcpy(client_pk->public_key, encrypted_section, CURVE25519_PUBKEY_LEN);
  79. if (hs_ntor_service_get_introduce1_keys(auth_key, enc_key, client_pk,
  80. subcredential, keys) < 0) {
  81. /* Don't rely on the caller to wipe this on error. */
  82. memwipe(client_pk, 0, sizeof(curve25519_public_key_t));
  83. tor_free(keys);
  84. keys = NULL;
  85. }
  86. return keys;
  87. }
  88. /* Using the given encryption key, decrypt the encrypted_section of length
  89. * encrypted_section_len of an INTRODUCE2 cell and return a newly allocated
  90. * buffer containing the decrypted data. On decryption failure, NULL is
  91. * returned. */
  92. static uint8_t *
  93. decrypt_introduce2(const uint8_t *enc_key, const uint8_t *encrypted_section,
  94. size_t encrypted_section_len)
  95. {
  96. uint8_t *decrypted = NULL;
  97. crypto_cipher_t *cipher = NULL;
  98. tor_assert(enc_key);
  99. tor_assert(encrypted_section);
  100. /* Decrypt ENCRYPTED section. */
  101. cipher = crypto_cipher_new_with_bits((char *) enc_key,
  102. CURVE25519_PUBKEY_LEN * 8);
  103. tor_assert(cipher);
  104. /* This is symmetric encryption so can't be bigger than the encrypted
  105. * section length. */
  106. decrypted = tor_malloc_zero(encrypted_section_len);
  107. if (crypto_cipher_decrypt(cipher, (char *) decrypted,
  108. (const char *) encrypted_section,
  109. encrypted_section_len) < 0) {
  110. tor_free(decrypted);
  111. decrypted = NULL;
  112. goto done;
  113. }
  114. done:
  115. crypto_cipher_free(cipher);
  116. return decrypted;
  117. }
  118. /* Given a pointer to the decrypted data of the ENCRYPTED section of an
  119. * INTRODUCE2 cell of length decrypted_len, parse and validate the cell
  120. * content. Return a newly allocated cell structure or NULL on error. The
  121. * circuit and service object are only used for logging purposes. */
  122. static trn_cell_introduce_encrypted_t *
  123. parse_introduce2_encrypted(const uint8_t *decrypted_data,
  124. size_t decrypted_len, const origin_circuit_t *circ,
  125. const hs_service_t *service)
  126. {
  127. trn_cell_introduce_encrypted_t *enc_cell = NULL;
  128. tor_assert(decrypted_data);
  129. tor_assert(circ);
  130. tor_assert(service);
  131. if (trn_cell_introduce_encrypted_parse(&enc_cell, decrypted_data,
  132. decrypted_len) < 0) {
  133. log_info(LD_REND, "Unable to parse the decrypted ENCRYPTED section of "
  134. "the INTRODUCE2 cell on circuit %u for service %s",
  135. TO_CIRCUIT(circ)->n_circ_id,
  136. safe_str_client(service->onion_address));
  137. goto err;
  138. }
  139. if (trn_cell_introduce_encrypted_get_onion_key_type(enc_cell) !=
  140. HS_CELL_ONION_KEY_TYPE_NTOR) {
  141. log_info(LD_REND, "INTRODUCE2 onion key type is invalid. Got %u but "
  142. "expected %u on circuit %u for service %s",
  143. trn_cell_introduce_encrypted_get_onion_key_type(enc_cell),
  144. HS_CELL_ONION_KEY_TYPE_NTOR, TO_CIRCUIT(circ)->n_circ_id,
  145. safe_str_client(service->onion_address));
  146. goto err;
  147. }
  148. if (trn_cell_introduce_encrypted_getlen_onion_key(enc_cell) !=
  149. CURVE25519_PUBKEY_LEN) {
  150. log_info(LD_REND, "INTRODUCE2 onion key length is invalid. Got %u but "
  151. "expected %d on circuit %u for service %s",
  152. (unsigned)trn_cell_introduce_encrypted_getlen_onion_key(enc_cell),
  153. CURVE25519_PUBKEY_LEN, TO_CIRCUIT(circ)->n_circ_id,
  154. safe_str_client(service->onion_address));
  155. goto err;
  156. }
  157. /* XXX: Validate NSPEC field as well. */
  158. return enc_cell;
  159. err:
  160. trn_cell_introduce_encrypted_free(enc_cell);
  161. return NULL;
  162. }
  163. /* Build a legacy ESTABLISH_INTRO cell with the given circuit nonce and RSA
  164. * encryption key. The encoded cell is put in cell_out that MUST at least be
  165. * of the size of RELAY_PAYLOAD_SIZE. Return the encoded cell length on
  166. * success else a negative value and cell_out is untouched. */
  167. static ssize_t
  168. build_legacy_establish_intro(const char *circ_nonce, crypto_pk_t *enc_key,
  169. uint8_t *cell_out)
  170. {
  171. ssize_t cell_len;
  172. tor_assert(circ_nonce);
  173. tor_assert(enc_key);
  174. tor_assert(cell_out);
  175. memwipe(cell_out, 0, RELAY_PAYLOAD_SIZE);
  176. cell_len = rend_service_encode_establish_intro_cell((char*)cell_out,
  177. RELAY_PAYLOAD_SIZE,
  178. enc_key, circ_nonce);
  179. return cell_len;
  180. }
  181. /* Parse an INTRODUCE2 cell from payload of size payload_len for the given
  182. * service and circuit which are used only for logging purposes. The resulting
  183. * parsed cell is put in cell_ptr_out.
  184. *
  185. * This function only parses prop224 INTRODUCE2 cells even when the intro point
  186. * is a legacy intro point. That's because intro points don't actually care
  187. * about the contents of the introduce cell. Legacy INTRODUCE cells are only
  188. * used by the legacy system now.
  189. *
  190. * Return 0 on success else a negative value and cell_ptr_out is untouched. */
  191. static int
  192. parse_introduce2_cell(const hs_service_t *service,
  193. const origin_circuit_t *circ, const uint8_t *payload,
  194. size_t payload_len,
  195. trn_cell_introduce1_t **cell_ptr_out)
  196. {
  197. trn_cell_introduce1_t *cell = NULL;
  198. tor_assert(service);
  199. tor_assert(circ);
  200. tor_assert(payload);
  201. tor_assert(cell_ptr_out);
  202. /* Parse the cell so we can start cell validation. */
  203. if (trn_cell_introduce1_parse(&cell, payload, payload_len) < 0) {
  204. log_info(LD_PROTOCOL, "Unable to parse INTRODUCE2 cell on circuit %u "
  205. "for service %s",
  206. TO_CIRCUIT(circ)->n_circ_id,
  207. safe_str_client(service->onion_address));
  208. goto err;
  209. }
  210. /* Success. */
  211. *cell_ptr_out = cell;
  212. return 0;
  213. err:
  214. return -1;
  215. }
  216. /* Set the onion public key onion_pk in cell, the encrypted section of an
  217. * INTRODUCE1 cell. */
  218. static void
  219. introduce1_set_encrypted_onion_key(trn_cell_introduce_encrypted_t *cell,
  220. const uint8_t *onion_pk)
  221. {
  222. tor_assert(cell);
  223. tor_assert(onion_pk);
  224. /* There is only one possible key type for a non legacy cell. */
  225. trn_cell_introduce_encrypted_set_onion_key_type(cell,
  226. HS_CELL_ONION_KEY_TYPE_NTOR);
  227. trn_cell_introduce_encrypted_set_onion_key_len(cell, CURVE25519_PUBKEY_LEN);
  228. trn_cell_introduce_encrypted_setlen_onion_key(cell, CURVE25519_PUBKEY_LEN);
  229. memcpy(trn_cell_introduce_encrypted_getarray_onion_key(cell), onion_pk,
  230. trn_cell_introduce_encrypted_getlen_onion_key(cell));
  231. }
  232. /* Set the link specifiers in lspecs in cell, the encrypted section of an
  233. * INTRODUCE1 cell. */
  234. static void
  235. introduce1_set_encrypted_link_spec(trn_cell_introduce_encrypted_t *cell,
  236. const smartlist_t *lspecs)
  237. {
  238. tor_assert(cell);
  239. tor_assert(lspecs);
  240. tor_assert(smartlist_len(lspecs) > 0);
  241. tor_assert(smartlist_len(lspecs) <= UINT8_MAX);
  242. uint8_t lspecs_num = (uint8_t) smartlist_len(lspecs);
  243. trn_cell_introduce_encrypted_set_nspec(cell, lspecs_num);
  244. /* We aren't duplicating the link specifiers object here which means that
  245. * the ownership goes to the trn_cell_introduce_encrypted_t cell and those
  246. * object will be freed when the cell is. */
  247. SMARTLIST_FOREACH(lspecs, link_specifier_t *, ls,
  248. trn_cell_introduce_encrypted_add_nspecs(cell, ls));
  249. }
  250. /* Set padding in the enc_cell only if needed that is the total length of both
  251. * sections are below the mininum required for an INTRODUCE1 cell. */
  252. static void
  253. introduce1_set_encrypted_padding(const trn_cell_introduce1_t *cell,
  254. trn_cell_introduce_encrypted_t *enc_cell)
  255. {
  256. tor_assert(cell);
  257. tor_assert(enc_cell);
  258. /* This is the length we expect to have once encoded of the whole cell. */
  259. ssize_t full_len = trn_cell_introduce1_encoded_len(cell) +
  260. trn_cell_introduce_encrypted_encoded_len(enc_cell);
  261. tor_assert(full_len > 0);
  262. if (full_len < HS_CELL_INTRODUCE1_MIN_SIZE) {
  263. size_t padding = HS_CELL_INTRODUCE1_MIN_SIZE - full_len;
  264. trn_cell_introduce_encrypted_setlen_pad(enc_cell, padding);
  265. memset(trn_cell_introduce_encrypted_getarray_pad(enc_cell), 0,
  266. trn_cell_introduce_encrypted_getlen_pad(enc_cell));
  267. }
  268. }
  269. /* Encrypt the ENCRYPTED payload and encode it in the cell using the enc_cell
  270. * and the INTRODUCE1 data.
  271. *
  272. * This can't fail but it is very important that the caller sets every field
  273. * in data so the computation of the INTRODUCE1 keys doesn't fail. */
  274. static void
  275. introduce1_encrypt_and_encode(trn_cell_introduce1_t *cell,
  276. const trn_cell_introduce_encrypted_t *enc_cell,
  277. const hs_cell_introduce1_data_t *data)
  278. {
  279. size_t offset = 0;
  280. ssize_t encrypted_len;
  281. ssize_t encoded_cell_len, encoded_enc_cell_len;
  282. uint8_t encoded_cell[RELAY_PAYLOAD_SIZE] = {0};
  283. uint8_t encoded_enc_cell[RELAY_PAYLOAD_SIZE] = {0};
  284. uint8_t *encrypted = NULL;
  285. uint8_t mac[DIGEST256_LEN];
  286. crypto_cipher_t *cipher = NULL;
  287. hs_ntor_intro_cell_keys_t keys;
  288. tor_assert(cell);
  289. tor_assert(enc_cell);
  290. tor_assert(data);
  291. /* Encode the cells up to now of what we have to we can perform the MAC
  292. * computation on it. */
  293. encoded_cell_len = trn_cell_introduce1_encode(encoded_cell,
  294. sizeof(encoded_cell), cell);
  295. /* We have a much more serious issue if this isn't true. */
  296. tor_assert(encoded_cell_len > 0);
  297. encoded_enc_cell_len =
  298. trn_cell_introduce_encrypted_encode(encoded_enc_cell,
  299. sizeof(encoded_enc_cell), enc_cell);
  300. /* We have a much more serious issue if this isn't true. */
  301. tor_assert(encoded_enc_cell_len > 0);
  302. /* Get the key material for the encryption. */
  303. if (hs_ntor_client_get_introduce1_keys(data->auth_pk, data->enc_pk,
  304. data->client_kp,
  305. data->subcredential, &keys) < 0) {
  306. tor_assert_unreached();
  307. }
  308. /* Prepare cipher with the encryption key just computed. */
  309. cipher = crypto_cipher_new_with_bits((const char *) keys.enc_key,
  310. sizeof(keys.enc_key) * 8);
  311. tor_assert(cipher);
  312. /* Compute the length of the ENCRYPTED section which is the CLIENT_PK,
  313. * ENCRYPTED_DATA and MAC length. */
  314. encrypted_len = sizeof(data->client_kp->pubkey) + encoded_enc_cell_len +
  315. sizeof(mac);
  316. tor_assert(encrypted_len < RELAY_PAYLOAD_SIZE);
  317. encrypted = tor_malloc_zero(encrypted_len);
  318. /* Put the CLIENT_PK first. */
  319. memcpy(encrypted, data->client_kp->pubkey.public_key,
  320. sizeof(data->client_kp->pubkey.public_key));
  321. offset += sizeof(data->client_kp->pubkey.public_key);
  322. /* Then encrypt and set the ENCRYPTED_DATA. This can't fail. */
  323. crypto_cipher_encrypt(cipher, (char *) encrypted + offset,
  324. (const char *) encoded_enc_cell, encoded_enc_cell_len);
  325. crypto_cipher_free(cipher);
  326. offset += encoded_enc_cell_len;
  327. /* Compute MAC from the above and put it in the buffer. This function will
  328. * make the adjustment to the encrypted_len to omit the MAC length. */
  329. compute_introduce_mac(encoded_cell, encoded_cell_len,
  330. encrypted, encrypted_len,
  331. keys.mac_key, sizeof(keys.mac_key),
  332. mac, sizeof(mac));
  333. memcpy(encrypted + offset, mac, sizeof(mac));
  334. offset += sizeof(mac);
  335. tor_assert(offset == (size_t) encrypted_len);
  336. /* Set the ENCRYPTED section in the cell. */
  337. trn_cell_introduce1_setlen_encrypted(cell, encrypted_len);
  338. memcpy(trn_cell_introduce1_getarray_encrypted(cell),
  339. encrypted, encrypted_len);
  340. /* Cleanup. */
  341. memwipe(&keys, 0, sizeof(keys));
  342. memwipe(mac, 0, sizeof(mac));
  343. memwipe(encrypted, 0, sizeof(encrypted_len));
  344. memwipe(encoded_enc_cell, 0, sizeof(encoded_enc_cell));
  345. tor_free(encrypted);
  346. }
  347. /* Using the INTRODUCE1 data, setup the ENCRYPTED section in cell. This means
  348. * set it, encrypt it and encode it. */
  349. static void
  350. introduce1_set_encrypted(trn_cell_introduce1_t *cell,
  351. const hs_cell_introduce1_data_t *data)
  352. {
  353. trn_cell_introduce_encrypted_t *enc_cell;
  354. trn_cell_extension_t *ext;
  355. tor_assert(cell);
  356. tor_assert(data);
  357. enc_cell = trn_cell_introduce_encrypted_new();
  358. tor_assert(enc_cell);
  359. /* Set extension data. None are used. */
  360. ext = trn_cell_extension_new();
  361. tor_assert(ext);
  362. trn_cell_extension_set_num(ext, 0);
  363. trn_cell_introduce_encrypted_set_extensions(enc_cell, ext);
  364. /* Set the rendezvous cookie. */
  365. memcpy(trn_cell_introduce_encrypted_getarray_rend_cookie(enc_cell),
  366. data->rendezvous_cookie, REND_COOKIE_LEN);
  367. /* Set the onion public key. */
  368. introduce1_set_encrypted_onion_key(enc_cell, data->onion_pk->public_key);
  369. /* Set the link specifiers. */
  370. introduce1_set_encrypted_link_spec(enc_cell, data->link_specifiers);
  371. /* Set padding. */
  372. introduce1_set_encrypted_padding(cell, enc_cell);
  373. /* Encrypt and encode it in the cell. */
  374. introduce1_encrypt_and_encode(cell, enc_cell, data);
  375. /* Cleanup. */
  376. trn_cell_introduce_encrypted_free(enc_cell);
  377. }
  378. /* Set the authentication key in the INTRODUCE1 cell from the given data. */
  379. static void
  380. introduce1_set_auth_key(trn_cell_introduce1_t *cell,
  381. const hs_cell_introduce1_data_t *data)
  382. {
  383. tor_assert(cell);
  384. tor_assert(data);
  385. /* There is only one possible type for a non legacy cell. */
  386. trn_cell_introduce1_set_auth_key_type(cell, HS_INTRO_AUTH_KEY_TYPE_ED25519);
  387. trn_cell_introduce1_set_auth_key_len(cell, ED25519_PUBKEY_LEN);
  388. trn_cell_introduce1_setlen_auth_key(cell, ED25519_PUBKEY_LEN);
  389. memcpy(trn_cell_introduce1_getarray_auth_key(cell),
  390. data->auth_pk->pubkey, trn_cell_introduce1_getlen_auth_key(cell));
  391. }
  392. /* Set the legacy ID field in the INTRODUCE1 cell from the given data. */
  393. static void
  394. introduce1_set_legacy_id(trn_cell_introduce1_t *cell,
  395. const hs_cell_introduce1_data_t *data)
  396. {
  397. tor_assert(cell);
  398. tor_assert(data);
  399. if (data->is_legacy) {
  400. uint8_t digest[DIGEST_LEN];
  401. if (BUG(crypto_pk_get_digest(data->legacy_key, (char *) digest) < 0)) {
  402. return;
  403. }
  404. memcpy(trn_cell_introduce1_getarray_legacy_key_id(cell),
  405. digest, trn_cell_introduce1_getlen_legacy_key_id(cell));
  406. } else {
  407. /* We have to zeroed the LEGACY_KEY_ID field. */
  408. memset(trn_cell_introduce1_getarray_legacy_key_id(cell), 0,
  409. trn_cell_introduce1_getlen_legacy_key_id(cell));
  410. }
  411. }
  412. /* ========== */
  413. /* Public API */
  414. /* ========== */
  415. /* Build an ESTABLISH_INTRO cell with the given circuit nonce and intro point
  416. * object. The encoded cell is put in cell_out that MUST at least be of the
  417. * size of RELAY_PAYLOAD_SIZE. Return the encoded cell length on success else
  418. * a negative value and cell_out is untouched. This function also supports
  419. * legacy cell creation. */
  420. ssize_t
  421. hs_cell_build_establish_intro(const char *circ_nonce,
  422. const hs_service_intro_point_t *ip,
  423. uint8_t *cell_out)
  424. {
  425. ssize_t cell_len = -1;
  426. uint16_t sig_len = ED25519_SIG_LEN;
  427. trn_cell_extension_t *ext;
  428. trn_cell_establish_intro_t *cell = NULL;
  429. tor_assert(circ_nonce);
  430. tor_assert(ip);
  431. /* Quickly handle the legacy IP. */
  432. if (ip->base.is_only_legacy) {
  433. tor_assert(ip->legacy_key);
  434. cell_len = build_legacy_establish_intro(circ_nonce, ip->legacy_key,
  435. cell_out);
  436. tor_assert(cell_len <= RELAY_PAYLOAD_SIZE);
  437. /* Success or not we are done here. */
  438. goto done;
  439. }
  440. /* Set extension data. None used here. */
  441. ext = trn_cell_extension_new();
  442. trn_cell_extension_set_num(ext, 0);
  443. cell = trn_cell_establish_intro_new();
  444. trn_cell_establish_intro_set_extensions(cell, ext);
  445. /* Set signature size. Array is then allocated in the cell. We need to do
  446. * this early so we can use trunnel API to get the signature length. */
  447. trn_cell_establish_intro_set_sig_len(cell, sig_len);
  448. trn_cell_establish_intro_setlen_sig(cell, sig_len);
  449. /* Set AUTH_KEY_TYPE: 2 means ed25519 */
  450. trn_cell_establish_intro_set_auth_key_type(cell,
  451. HS_INTRO_AUTH_KEY_TYPE_ED25519);
  452. /* Set AUTH_KEY and AUTH_KEY_LEN field. Must also set byte-length of
  453. * AUTH_KEY to match */
  454. {
  455. uint16_t auth_key_len = ED25519_PUBKEY_LEN;
  456. trn_cell_establish_intro_set_auth_key_len(cell, auth_key_len);
  457. trn_cell_establish_intro_setlen_auth_key(cell, auth_key_len);
  458. /* We do this call _after_ setting the length because it's reallocated at
  459. * that point only. */
  460. uint8_t *auth_key_ptr = trn_cell_establish_intro_getarray_auth_key(cell);
  461. memcpy(auth_key_ptr, ip->auth_key_kp.pubkey.pubkey, auth_key_len);
  462. }
  463. /* Calculate HANDSHAKE_AUTH field (MAC). */
  464. {
  465. ssize_t tmp_cell_enc_len = 0;
  466. ssize_t tmp_cell_mac_offset =
  467. sig_len + sizeof(cell->sig_len) +
  468. trn_cell_establish_intro_getlen_handshake_mac(cell);
  469. uint8_t tmp_cell_enc[RELAY_PAYLOAD_SIZE] = {0};
  470. uint8_t mac[TRUNNEL_SHA3_256_LEN], *handshake_ptr;
  471. /* We first encode the current fields we have in the cell so we can
  472. * compute the MAC using the raw bytes. */
  473. tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
  474. sizeof(tmp_cell_enc),
  475. cell);
  476. if (BUG(tmp_cell_enc_len < 0)) {
  477. goto done;
  478. }
  479. /* Sanity check. */
  480. tor_assert(tmp_cell_enc_len > tmp_cell_mac_offset);
  481. /* Circuit nonce is always DIGEST_LEN according to tor-spec.txt. */
  482. crypto_mac_sha3_256(mac, sizeof(mac),
  483. (uint8_t *) circ_nonce, DIGEST_LEN,
  484. tmp_cell_enc, tmp_cell_enc_len - tmp_cell_mac_offset);
  485. handshake_ptr = trn_cell_establish_intro_getarray_handshake_mac(cell);
  486. memcpy(handshake_ptr, mac, sizeof(mac));
  487. memwipe(mac, 0, sizeof(mac));
  488. memwipe(tmp_cell_enc, 0, sizeof(tmp_cell_enc));
  489. }
  490. /* Calculate the cell signature SIG. */
  491. {
  492. ssize_t tmp_cell_enc_len = 0;
  493. ssize_t tmp_cell_sig_offset = (sig_len + sizeof(cell->sig_len));
  494. uint8_t tmp_cell_enc[RELAY_PAYLOAD_SIZE] = {0}, *sig_ptr;
  495. ed25519_signature_t sig;
  496. /* We first encode the current fields we have in the cell so we can
  497. * compute the signature from the raw bytes of the cell. */
  498. tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
  499. sizeof(tmp_cell_enc),
  500. cell);
  501. if (BUG(tmp_cell_enc_len < 0)) {
  502. goto done;
  503. }
  504. if (ed25519_sign_prefixed(&sig, tmp_cell_enc,
  505. tmp_cell_enc_len - tmp_cell_sig_offset,
  506. ESTABLISH_INTRO_SIG_PREFIX, &ip->auth_key_kp)) {
  507. log_warn(LD_BUG, "Unable to make signature for ESTABLISH_INTRO cell.");
  508. goto done;
  509. }
  510. /* Copy the signature into the cell. */
  511. sig_ptr = trn_cell_establish_intro_getarray_sig(cell);
  512. memcpy(sig_ptr, sig.sig, sig_len);
  513. memwipe(tmp_cell_enc, 0, sizeof(tmp_cell_enc));
  514. }
  515. /* Encode the cell. Can't be bigger than a standard cell. */
  516. cell_len = trn_cell_establish_intro_encode(cell_out, RELAY_PAYLOAD_SIZE,
  517. cell);
  518. done:
  519. trn_cell_establish_intro_free(cell);
  520. return cell_len;
  521. }
  522. /* Parse the INTRO_ESTABLISHED cell in the payload of size payload_len. If we
  523. * are successful at parsing it, return the length of the parsed cell else a
  524. * negative value on error. */
  525. ssize_t
  526. hs_cell_parse_intro_established(const uint8_t *payload, size_t payload_len)
  527. {
  528. ssize_t ret;
  529. trn_cell_intro_established_t *cell = NULL;
  530. tor_assert(payload);
  531. /* Try to parse the payload into a cell making sure we do actually have a
  532. * valid cell. */
  533. ret = trn_cell_intro_established_parse(&cell, payload, payload_len);
  534. if (ret >= 0) {
  535. /* On success, we do not keep the cell, we just notify the caller that it
  536. * was successfully parsed. */
  537. trn_cell_intro_established_free(cell);
  538. }
  539. return ret;
  540. }
  541. /* Parse the INTRODUCE2 cell using data which contains everything we need to
  542. * do so and contains the destination buffers of information we extract and
  543. * compute from the cell. Return 0 on success else a negative value. The
  544. * service and circ are only used for logging purposes. */
  545. ssize_t
  546. hs_cell_parse_introduce2(hs_cell_introduce2_data_t *data,
  547. const origin_circuit_t *circ,
  548. const hs_service_t *service)
  549. {
  550. int ret = -1;
  551. time_t elapsed;
  552. uint8_t *decrypted = NULL;
  553. size_t encrypted_section_len;
  554. const uint8_t *encrypted_section;
  555. trn_cell_introduce1_t *cell = NULL;
  556. trn_cell_introduce_encrypted_t *enc_cell = NULL;
  557. hs_ntor_intro_cell_keys_t *intro_keys = NULL;
  558. tor_assert(data);
  559. tor_assert(circ);
  560. tor_assert(service);
  561. /* Parse the cell into a decoded data structure pointed by cell_ptr. */
  562. if (parse_introduce2_cell(service, circ, data->payload, data->payload_len,
  563. &cell) < 0) {
  564. goto done;
  565. }
  566. log_info(LD_REND, "Received a decodable INTRODUCE2 cell on circuit %u "
  567. "for service %s. Decoding encrypted section...",
  568. TO_CIRCUIT(circ)->n_circ_id,
  569. safe_str_client(service->onion_address));
  570. encrypted_section = trn_cell_introduce1_getconstarray_encrypted(cell);
  571. encrypted_section_len = trn_cell_introduce1_getlen_encrypted(cell);
  572. /* Encrypted section must at least contain the CLIENT_PK and MAC which is
  573. * defined in section 3.3.2 of the specification. */
  574. if (encrypted_section_len < (CURVE25519_PUBKEY_LEN + DIGEST256_LEN)) {
  575. log_info(LD_REND, "Invalid INTRODUCE2 encrypted section length "
  576. "for service %s. Dropping cell.",
  577. safe_str_client(service->onion_address));
  578. goto done;
  579. }
  580. /* Check our replay cache for this introduction point. */
  581. if (replaycache_add_test_and_elapsed(data->replay_cache, encrypted_section,
  582. encrypted_section_len, &elapsed)) {
  583. log_warn(LD_REND, "Possible replay detected! An INTRODUCE2 cell with the"
  584. "same ENCRYPTED section was seen %ld seconds ago. "
  585. "Dropping cell.", (long int) elapsed);
  586. goto done;
  587. }
  588. /* Build the key material out of the key material found in the cell. */
  589. intro_keys = get_introduce2_key_material(data->auth_pk, data->enc_kp,
  590. data->subcredential,
  591. encrypted_section,
  592. &data->client_pk);
  593. if (intro_keys == NULL) {
  594. log_info(LD_REND, "Invalid INTRODUCE2 encrypted data. Unable to "
  595. "compute key material on circuit %u for service %s",
  596. TO_CIRCUIT(circ)->n_circ_id,
  597. safe_str_client(service->onion_address));
  598. goto done;
  599. }
  600. /* Validate MAC from the cell and our computed key material. The MAC field
  601. * in the cell is at the end of the encrypted section. */
  602. {
  603. uint8_t mac[DIGEST256_LEN];
  604. /* The MAC field is at the very end of the ENCRYPTED section. */
  605. size_t mac_offset = encrypted_section_len - sizeof(mac);
  606. /* Compute the MAC. Use the entire encoded payload with a length up to the
  607. * ENCRYPTED section. */
  608. compute_introduce_mac(data->payload,
  609. data->payload_len - encrypted_section_len,
  610. encrypted_section, encrypted_section_len,
  611. intro_keys->mac_key, sizeof(intro_keys->mac_key),
  612. mac, sizeof(mac));
  613. if (tor_memcmp(mac, encrypted_section + mac_offset, sizeof(mac))) {
  614. log_info(LD_REND, "Invalid MAC validation for INTRODUCE2 cell on "
  615. "circuit %u for service %s",
  616. TO_CIRCUIT(circ)->n_circ_id,
  617. safe_str_client(service->onion_address));
  618. goto done;
  619. }
  620. }
  621. {
  622. /* The ENCRYPTED_DATA section starts just after the CLIENT_PK. */
  623. const uint8_t *encrypted_data =
  624. encrypted_section + sizeof(data->client_pk);
  625. /* It's symmetric encryption so it's correct to use the ENCRYPTED length
  626. * for decryption. Computes the length of ENCRYPTED_DATA meaning removing
  627. * the CLIENT_PK and MAC length. */
  628. size_t encrypted_data_len =
  629. encrypted_section_len - (sizeof(data->client_pk) + DIGEST256_LEN);
  630. /* This decrypts the ENCRYPTED_DATA section of the cell. */
  631. decrypted = decrypt_introduce2(intro_keys->enc_key,
  632. encrypted_data, encrypted_data_len);
  633. if (decrypted == NULL) {
  634. log_info(LD_REND, "Unable to decrypt the ENCRYPTED section of an "
  635. "INTRODUCE2 cell on circuit %u for service %s",
  636. TO_CIRCUIT(circ)->n_circ_id,
  637. safe_str_client(service->onion_address));
  638. goto done;
  639. }
  640. /* Parse this blob into an encrypted cell structure so we can then extract
  641. * the data we need out of it. */
  642. enc_cell = parse_introduce2_encrypted(decrypted, encrypted_data_len,
  643. circ, service);
  644. memwipe(decrypted, 0, encrypted_data_len);
  645. if (enc_cell == NULL) {
  646. goto done;
  647. }
  648. }
  649. /* XXX: Implement client authorization checks. */
  650. /* Extract onion key and rendezvous cookie from the cell used for the
  651. * rendezvous point circuit e2e encryption. */
  652. memcpy(data->onion_pk.public_key,
  653. trn_cell_introduce_encrypted_getconstarray_onion_key(enc_cell),
  654. CURVE25519_PUBKEY_LEN);
  655. memcpy(data->rendezvous_cookie,
  656. trn_cell_introduce_encrypted_getconstarray_rend_cookie(enc_cell),
  657. sizeof(data->rendezvous_cookie));
  658. /* Extract rendezvous link specifiers. */
  659. for (size_t idx = 0;
  660. idx < trn_cell_introduce_encrypted_get_nspec(enc_cell); idx++) {
  661. link_specifier_t *lspec =
  662. trn_cell_introduce_encrypted_get_nspecs(enc_cell, idx);
  663. smartlist_add(data->link_specifiers, hs_link_specifier_dup(lspec));
  664. }
  665. /* Success. */
  666. ret = 0;
  667. log_info(LD_REND, "Valid INTRODUCE2 cell. Launching rendezvous circuit.");
  668. done:
  669. if (intro_keys) {
  670. memwipe(intro_keys, 0, sizeof(hs_ntor_intro_cell_keys_t));
  671. tor_free(intro_keys);
  672. }
  673. tor_free(decrypted);
  674. trn_cell_introduce_encrypted_free(enc_cell);
  675. trn_cell_introduce1_free(cell);
  676. return ret;
  677. }
  678. /* Build a RENDEZVOUS1 cell with the given rendezvous cookie and handshake
  679. * info. The encoded cell is put in cell_out and the length of the data is
  680. * returned. This can't fail. */
  681. ssize_t
  682. hs_cell_build_rendezvous1(const uint8_t *rendezvous_cookie,
  683. size_t rendezvous_cookie_len,
  684. const uint8_t *rendezvous_handshake_info,
  685. size_t rendezvous_handshake_info_len,
  686. uint8_t *cell_out)
  687. {
  688. ssize_t cell_len;
  689. trn_cell_rendezvous1_t *cell;
  690. tor_assert(rendezvous_cookie);
  691. tor_assert(rendezvous_handshake_info);
  692. tor_assert(cell_out);
  693. cell = trn_cell_rendezvous1_new();
  694. /* Set the RENDEZVOUS_COOKIE. */
  695. memcpy(trn_cell_rendezvous1_getarray_rendezvous_cookie(cell),
  696. rendezvous_cookie, rendezvous_cookie_len);
  697. /* Set the HANDSHAKE_INFO. */
  698. trn_cell_rendezvous1_setlen_handshake_info(cell,
  699. rendezvous_handshake_info_len);
  700. memcpy(trn_cell_rendezvous1_getarray_handshake_info(cell),
  701. rendezvous_handshake_info, rendezvous_handshake_info_len);
  702. /* Encoding. */
  703. cell_len = trn_cell_rendezvous1_encode(cell_out, RELAY_PAYLOAD_SIZE, cell);
  704. tor_assert(cell_len > 0);
  705. trn_cell_rendezvous1_free(cell);
  706. return cell_len;
  707. }
  708. /* Build an INTRODUCE1 cell from the given data. The encoded cell is put in
  709. * cell_out which must be of at least size RELAY_PAYLOAD_SIZE. On success, the
  710. * encoded length is returned else a negative value and the content of
  711. * cell_out should be ignored. */
  712. ssize_t
  713. hs_cell_build_introduce1(const hs_cell_introduce1_data_t *data,
  714. uint8_t *cell_out)
  715. {
  716. ssize_t cell_len;
  717. trn_cell_introduce1_t *cell;
  718. trn_cell_extension_t *ext;
  719. tor_assert(data);
  720. tor_assert(cell_out);
  721. cell = trn_cell_introduce1_new();
  722. tor_assert(cell);
  723. /* Set extension data. None are used. */
  724. ext = trn_cell_extension_new();
  725. tor_assert(ext);
  726. trn_cell_extension_set_num(ext, 0);
  727. trn_cell_introduce1_set_extensions(cell, ext);
  728. /* Set the legacy ID field. */
  729. introduce1_set_legacy_id(cell, data);
  730. /* Set the authentication key. */
  731. introduce1_set_auth_key(cell, data);
  732. /* Set the encrypted section. This will set, encrypt and encode the
  733. * ENCRYPTED section in the cell. After this, we'll be ready to encode. */
  734. introduce1_set_encrypted(cell, data);
  735. /* Final encoding. */
  736. cell_len = trn_cell_introduce1_encode(cell_out, RELAY_PAYLOAD_SIZE, cell);
  737. trn_cell_introduce1_free(cell);
  738. return cell_len;
  739. }
  740. /* Build an ESTABLISH_RENDEZVOUS cell from the given rendezvous_cookie. The
  741. * encoded cell is put in cell_out which must be of at least
  742. * RELAY_PAYLOAD_SIZE. On success, the encoded length is returned and the
  743. * caller should clear up the content of the cell.
  744. *
  745. * This function can't fail. */
  746. ssize_t
  747. hs_cell_build_establish_rendezvous(const uint8_t *rendezvous_cookie,
  748. uint8_t *cell_out)
  749. {
  750. tor_assert(rendezvous_cookie);
  751. tor_assert(cell_out);
  752. memcpy(cell_out, rendezvous_cookie, HS_REND_COOKIE_LEN);
  753. return HS_REND_COOKIE_LEN;
  754. }
  755. /* Handle an INTRODUCE_ACK cell encoded in payload of length payload_len.
  756. * Return the status code on success else a negative value if the cell as not
  757. * decodable. */
  758. int
  759. hs_cell_parse_introduce_ack(const uint8_t *payload, size_t payload_len)
  760. {
  761. int ret = -1;
  762. trn_cell_introduce_ack_t *cell = NULL;
  763. tor_assert(payload);
  764. /* If it is a legacy IP, rend-spec.txt specifies that a ACK is 0 byte and a
  765. * NACK is 1 byte. We can't use the legacy function for this so we have to
  766. * do a special case. */
  767. if (payload_len <= 1) {
  768. if (payload_len == 0) {
  769. ret = HS_CELL_INTRO_ACK_SUCCESS;
  770. } else {
  771. ret = HS_CELL_INTRO_ACK_FAILURE;
  772. }
  773. goto end;
  774. }
  775. if (trn_cell_introduce_ack_parse(&cell, payload, payload_len) < 0) {
  776. log_info(LD_REND, "Invalid INTRODUCE_ACK cell. Unable to parse it.");
  777. goto end;
  778. }
  779. ret = trn_cell_introduce_ack_get_status(cell);
  780. end:
  781. trn_cell_introduce_ack_free(cell);
  782. return ret;
  783. }
  784. /* Handle a RENDEZVOUS2 cell encoded in payload of length payload_len. On
  785. * success, handshake_info contains the data in the HANDSHAKE_INFO field, and
  786. * 0 is returned. On error, a negative value is returned. */
  787. int
  788. hs_cell_parse_rendezvous2(const uint8_t *payload, size_t payload_len,
  789. uint8_t *handshake_info, size_t handshake_info_len)
  790. {
  791. int ret = -1;
  792. trn_cell_rendezvous2_t *cell = NULL;
  793. tor_assert(payload);
  794. tor_assert(handshake_info);
  795. if (trn_cell_rendezvous2_parse(&cell, payload, payload_len) < 0) {
  796. log_info(LD_REND, "Invalid RENDEZVOUS2 cell. Unable to parse it.");
  797. goto end;
  798. }
  799. /* Static size, we should never have an issue with this else we messed up
  800. * our code flow. */
  801. tor_assert(trn_cell_rendezvous2_getlen_handshake_info(cell) ==
  802. handshake_info_len);
  803. memcpy(handshake_info,
  804. trn_cell_rendezvous2_getconstarray_handshake_info(cell),
  805. handshake_info_len);
  806. ret = 0;
  807. end:
  808. trn_cell_rendezvous2_free(cell);
  809. return ret;
  810. }
  811. /* Clear the given INTRODUCE1 data structure data. */
  812. void
  813. hs_cell_introduce1_data_clear(hs_cell_introduce1_data_t *data)
  814. {
  815. if (data == NULL) {
  816. return;
  817. }
  818. /* Object in this list have been moved to the cell object when building it
  819. * so they've been freed earlier. We do that in order to avoid duplicating
  820. * them leading to more memory and CPU time being used for nothing. */
  821. smartlist_free(data->link_specifiers);
  822. /* The data object has no ownership of any members. */
  823. memwipe(data, 0, sizeof(hs_cell_introduce1_data_t));
  824. }