hs_descriptor.c 86 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602
  1. /* Copyright (c) 2016-2017, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file hs_descriptor.c
  5. * \brief Handle hidden service descriptor encoding/decoding.
  6. *
  7. * \details
  8. * Here is a graphical depiction of an HS descriptor and its layers:
  9. *
  10. * +------------------------------------------------------+
  11. * |DESCRIPTOR HEADER: |
  12. * | hs-descriptor 3 |
  13. * | descriptor-lifetime 180 |
  14. * | ... |
  15. * | superencrypted |
  16. * |+---------------------------------------------------+ |
  17. * ||SUPERENCRYPTED LAYER (aka OUTER ENCRYPTED LAYER): | |
  18. * || desc-auth-type x25519 | |
  19. * || desc-auth-ephemeral-key | |
  20. * || auth-client | |
  21. * || auth-client | |
  22. * || ... | |
  23. * || encrypted | |
  24. * ||+-------------------------------------------------+| |
  25. * |||ENCRYPTED LAYER (aka INNER ENCRYPTED LAYER): || |
  26. * ||| create2-formats || |
  27. * ||| intro-auth-required || |
  28. * ||| introduction-point || |
  29. * ||| introduction-point || |
  30. * ||| ... || |
  31. * ||+-------------------------------------------------+| |
  32. * |+---------------------------------------------------+ |
  33. * +------------------------------------------------------+
  34. *
  35. * The DESCRIPTOR HEADER section is completely unencrypted and contains generic
  36. * descriptor metadata.
  37. *
  38. * The SUPERENCRYPTED LAYER section is the first layer of encryption, and it's
  39. * encrypted using the blinded public key of the hidden service to protect
  40. * against entities who don't know its onion address. The clients of the hidden
  41. * service know its onion address and blinded public key, whereas third-parties
  42. * (like HSDirs) don't know it (except if it's a public hidden service).
  43. *
  44. * The ENCRYPTED LAYER section is the second layer of encryption, and it's
  45. * encrypted using the client authorization key material (if those exist). When
  46. * client authorization is enabled, this second layer of encryption protects
  47. * the descriptor content from unauthorized entities. If client authorization
  48. * is disabled, this second layer of encryption does not provide any extra
  49. * security but is still present. The plaintext of this layer contains all the
  50. * information required to connect to the hidden service like its list of
  51. * introduction points.
  52. **/
  53. /* For unit tests.*/
  54. #define HS_DESCRIPTOR_PRIVATE
  55. #include "or.h"
  56. #include "ed25519_cert.h" /* Trunnel interface. */
  57. #include "hs_descriptor.h"
  58. #include "circuitbuild.h"
  59. #include "parsecommon.h"
  60. #include "rendcache.h"
  61. #include "hs_cache.h"
  62. #include "hs_config.h"
  63. #include "torcert.h" /* tor_cert_encode_ed22519() */
  64. /* Constant string value used for the descriptor format. */
  65. #define str_hs_desc "hs-descriptor"
  66. #define str_desc_cert "descriptor-signing-key-cert"
  67. #define str_rev_counter "revision-counter"
  68. #define str_superencrypted "superencrypted"
  69. #define str_encrypted "encrypted"
  70. #define str_signature "signature"
  71. #define str_lifetime "descriptor-lifetime"
  72. /* Constant string value for the encrypted part of the descriptor. */
  73. #define str_create2_formats "create2-formats"
  74. #define str_intro_auth_required "intro-auth-required"
  75. #define str_single_onion "single-onion-service"
  76. #define str_intro_point "introduction-point"
  77. #define str_ip_onion_key "onion-key"
  78. #define str_ip_auth_key "auth-key"
  79. #define str_ip_enc_key "enc-key"
  80. #define str_ip_enc_key_cert "enc-key-cert"
  81. #define str_ip_legacy_key "legacy-key"
  82. #define str_ip_legacy_key_cert "legacy-key-cert"
  83. #define str_intro_point_start "\n" str_intro_point " "
  84. /* Constant string value for the construction to encrypt the encrypted data
  85. * section. */
  86. #define str_enc_const_superencryption "hsdir-superencrypted-data"
  87. #define str_enc_const_encryption "hsdir-encrypted-data"
  88. /* Prefix required to compute/verify HS desc signatures */
  89. #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
  90. #define str_desc_auth_type "desc-auth-type"
  91. #define str_desc_auth_key "desc-auth-ephemeral-key"
  92. #define str_desc_auth_client "auth-client"
  93. #define str_encrypted "encrypted"
  94. /* Authentication supported types. */
  95. static const struct {
  96. hs_desc_auth_type_t type;
  97. const char *identifier;
  98. } intro_auth_types[] = {
  99. { HS_DESC_AUTH_ED25519, "ed25519" },
  100. /* Indicate end of array. */
  101. { 0, NULL }
  102. };
  103. /* Descriptor ruleset. */
  104. static token_rule_t hs_desc_v3_token_table[] = {
  105. T1_START(str_hs_desc, R_HS_DESCRIPTOR, EQ(1), NO_OBJ),
  106. T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ),
  107. T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ),
  108. T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ),
  109. T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ),
  110. T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ),
  111. END_OF_TABLE
  112. };
  113. /* Descriptor ruleset for the superencrypted section. */
  114. static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
  115. T1_START(str_desc_auth_type, R3_DESC_AUTH_TYPE, GE(1), NO_OBJ),
  116. T1(str_desc_auth_key, R3_DESC_AUTH_KEY, GE(1), NO_OBJ),
  117. T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT, GE(3), NO_OBJ),
  118. T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
  119. END_OF_TABLE
  120. };
  121. /* Descriptor ruleset for the encrypted section. */
  122. static token_rule_t hs_desc_encrypted_v3_token_table[] = {
  123. T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
  124. T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
  125. T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
  126. END_OF_TABLE
  127. };
  128. /* Descriptor ruleset for the introduction points section. */
  129. static token_rule_t hs_desc_intro_point_v3_token_table[] = {
  130. T1_START(str_intro_point, R3_INTRODUCTION_POINT, EQ(1), NO_OBJ),
  131. T1N(str_ip_onion_key, R3_INTRO_ONION_KEY, GE(2), OBJ_OK),
  132. T1(str_ip_auth_key, R3_INTRO_AUTH_KEY, NO_ARGS, NEED_OBJ),
  133. T1(str_ip_enc_key, R3_INTRO_ENC_KEY, GE(2), OBJ_OK),
  134. T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT, ARGS, OBJ_OK),
  135. T01(str_ip_legacy_key, R3_INTRO_LEGACY_KEY, ARGS, NEED_KEY_1024),
  136. T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT, ARGS, OBJ_OK),
  137. END_OF_TABLE
  138. };
  139. /* Free the content of the plaintext section of a descriptor. */
  140. STATIC void
  141. desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)
  142. {
  143. if (!desc) {
  144. return;
  145. }
  146. if (desc->superencrypted_blob) {
  147. tor_free(desc->superencrypted_blob);
  148. }
  149. tor_cert_free(desc->signing_key_cert);
  150. memwipe(desc, 0, sizeof(*desc));
  151. }
  152. /* Free the content of the encrypted section of a descriptor. */
  153. static void
  154. desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
  155. {
  156. if (!desc) {
  157. return;
  158. }
  159. if (desc->intro_auth_types) {
  160. SMARTLIST_FOREACH(desc->intro_auth_types, char *, a, tor_free(a));
  161. smartlist_free(desc->intro_auth_types);
  162. }
  163. if (desc->intro_points) {
  164. SMARTLIST_FOREACH(desc->intro_points, hs_desc_intro_point_t *, ip,
  165. hs_desc_intro_point_free(ip));
  166. smartlist_free(desc->intro_points);
  167. }
  168. memwipe(desc, 0, sizeof(*desc));
  169. }
  170. /* Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
  171. * We use SHA3-256 for the MAC computation.
  172. * This function can't fail. */
  173. static void
  174. build_mac(const uint8_t *mac_key, size_t mac_key_len,
  175. const uint8_t *salt, size_t salt_len,
  176. const uint8_t *encrypted, size_t encrypted_len,
  177. uint8_t *mac_out, size_t mac_len)
  178. {
  179. crypto_digest_t *digest;
  180. const uint64_t mac_len_netorder = tor_htonll(mac_key_len);
  181. const uint64_t salt_len_netorder = tor_htonll(salt_len);
  182. tor_assert(mac_key);
  183. tor_assert(salt);
  184. tor_assert(encrypted);
  185. tor_assert(mac_out);
  186. digest = crypto_digest256_new(DIGEST_SHA3_256);
  187. /* As specified in section 2.5 of proposal 224, first add the mac key
  188. * then add the salt first and then the encrypted section. */
  189. crypto_digest_add_bytes(digest, (const char *) &mac_len_netorder, 8);
  190. crypto_digest_add_bytes(digest, (const char *) mac_key, mac_key_len);
  191. crypto_digest_add_bytes(digest, (const char *) &salt_len_netorder, 8);
  192. crypto_digest_add_bytes(digest, (const char *) salt, salt_len);
  193. crypto_digest_add_bytes(digest, (const char *) encrypted, encrypted_len);
  194. crypto_digest_get_digest(digest, (char *) mac_out, mac_len);
  195. crypto_digest_free(digest);
  196. }
  197. /* Using a given decriptor object, build the secret input needed for the
  198. * KDF and put it in the dst pointer which is an already allocated buffer
  199. * of size dstlen. */
  200. static void
  201. build_secret_input(const hs_descriptor_t *desc, uint8_t *dst, size_t dstlen)
  202. {
  203. size_t offset = 0;
  204. tor_assert(desc);
  205. tor_assert(dst);
  206. tor_assert(HS_DESC_ENCRYPTED_SECRET_INPUT_LEN <= dstlen);
  207. /* XXX use the destination length as the memcpy length */
  208. /* Copy blinded public key. */
  209. memcpy(dst, desc->plaintext_data.blinded_pubkey.pubkey,
  210. sizeof(desc->plaintext_data.blinded_pubkey.pubkey));
  211. offset += sizeof(desc->plaintext_data.blinded_pubkey.pubkey);
  212. /* Copy subcredential. */
  213. memcpy(dst + offset, desc->subcredential, sizeof(desc->subcredential));
  214. offset += sizeof(desc->subcredential);
  215. /* Copy revision counter value. */
  216. set_uint64(dst + offset, tor_htonll(desc->plaintext_data.revision_counter));
  217. offset += sizeof(uint64_t);
  218. tor_assert(HS_DESC_ENCRYPTED_SECRET_INPUT_LEN == offset);
  219. }
  220. /* Do the KDF construction and put the resulting data in key_out which is of
  221. * key_out_len length. It uses SHAKE-256 as specified in the spec. */
  222. static void
  223. build_kdf_key(const hs_descriptor_t *desc,
  224. const uint8_t *salt, size_t salt_len,
  225. uint8_t *key_out, size_t key_out_len,
  226. int is_superencrypted_layer)
  227. {
  228. uint8_t secret_input[HS_DESC_ENCRYPTED_SECRET_INPUT_LEN];
  229. crypto_xof_t *xof;
  230. tor_assert(desc);
  231. tor_assert(salt);
  232. tor_assert(key_out);
  233. /* Build the secret input for the KDF computation. */
  234. build_secret_input(desc, secret_input, sizeof(secret_input));
  235. xof = crypto_xof_new();
  236. /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
  237. crypto_xof_add_bytes(xof, secret_input, sizeof(secret_input));
  238. crypto_xof_add_bytes(xof, salt, salt_len);
  239. /* Feed in the right string constant based on the desc layer */
  240. if (is_superencrypted_layer) {
  241. crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_superencryption,
  242. strlen(str_enc_const_superencryption));
  243. } else {
  244. crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_encryption,
  245. strlen(str_enc_const_encryption));
  246. }
  247. /* Eat from our KDF. */
  248. crypto_xof_squeeze_bytes(xof, key_out, key_out_len);
  249. crypto_xof_free(xof);
  250. memwipe(secret_input, 0, sizeof(secret_input));
  251. }
  252. /* Using the given descriptor and salt, run it through our KDF function and
  253. * then extract a secret key in key_out, the IV in iv_out and MAC in mac_out.
  254. * This function can't fail. */
  255. static void
  256. build_secret_key_iv_mac(const hs_descriptor_t *desc,
  257. const uint8_t *salt, size_t salt_len,
  258. uint8_t *key_out, size_t key_len,
  259. uint8_t *iv_out, size_t iv_len,
  260. uint8_t *mac_out, size_t mac_len,
  261. int is_superencrypted_layer)
  262. {
  263. size_t offset = 0;
  264. uint8_t kdf_key[HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN];
  265. tor_assert(desc);
  266. tor_assert(salt);
  267. tor_assert(key_out);
  268. tor_assert(iv_out);
  269. tor_assert(mac_out);
  270. build_kdf_key(desc, salt, salt_len, kdf_key, sizeof(kdf_key),
  271. is_superencrypted_layer);
  272. /* Copy the bytes we need for both the secret key and IV. */
  273. memcpy(key_out, kdf_key, key_len);
  274. offset += key_len;
  275. memcpy(iv_out, kdf_key + offset, iv_len);
  276. offset += iv_len;
  277. memcpy(mac_out, kdf_key + offset, mac_len);
  278. /* Extra precaution to make sure we are not out of bound. */
  279. tor_assert((offset + mac_len) == sizeof(kdf_key));
  280. memwipe(kdf_key, 0, sizeof(kdf_key));
  281. }
  282. /* === ENCODING === */
  283. /* Encode the given link specifier objects into a newly allocated string.
  284. * This can't fail so caller can always assume a valid string being
  285. * returned. */
  286. STATIC char *
  287. encode_link_specifiers(const smartlist_t *specs)
  288. {
  289. char *encoded_b64 = NULL;
  290. link_specifier_list_t *lslist = link_specifier_list_new();
  291. tor_assert(specs);
  292. /* No link specifiers is a code flow error, can't happen. */
  293. tor_assert(smartlist_len(specs) > 0);
  294. tor_assert(smartlist_len(specs) <= UINT8_MAX);
  295. link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
  296. SMARTLIST_FOREACH_BEGIN(specs, const hs_desc_link_specifier_t *,
  297. spec) {
  298. link_specifier_t *ls = hs_desc_lspec_to_trunnel(spec);
  299. if (ls) {
  300. link_specifier_list_add_spec(lslist, ls);
  301. }
  302. } SMARTLIST_FOREACH_END(spec);
  303. {
  304. uint8_t *encoded;
  305. ssize_t encoded_len, encoded_b64_len, ret;
  306. encoded_len = link_specifier_list_encoded_len(lslist);
  307. tor_assert(encoded_len > 0);
  308. encoded = tor_malloc_zero(encoded_len);
  309. ret = link_specifier_list_encode(encoded, encoded_len, lslist);
  310. tor_assert(ret == encoded_len);
  311. /* Base64 encode our binary format. Add extra NUL byte for the base64
  312. * encoded value. */
  313. encoded_b64_len = base64_encode_size(encoded_len, 0) + 1;
  314. encoded_b64 = tor_malloc_zero(encoded_b64_len);
  315. ret = base64_encode(encoded_b64, encoded_b64_len, (const char *) encoded,
  316. encoded_len, 0);
  317. tor_assert(ret == (encoded_b64_len - 1));
  318. tor_free(encoded);
  319. }
  320. link_specifier_list_free(lslist);
  321. return encoded_b64;
  322. }
  323. /* Encode an introduction point legacy key and certificate. Return a newly
  324. * allocated string with it. On failure, return NULL. */
  325. static char *
  326. encode_legacy_key(const hs_desc_intro_point_t *ip)
  327. {
  328. char *key_str, b64_cert[256], *encoded = NULL;
  329. size_t key_str_len;
  330. tor_assert(ip);
  331. /* Encode cross cert. */
  332. if (base64_encode(b64_cert, sizeof(b64_cert),
  333. (const char *) ip->legacy.cert.encoded,
  334. ip->legacy.cert.len, BASE64_ENCODE_MULTILINE) < 0) {
  335. log_warn(LD_REND, "Unable to encode legacy crosscert.");
  336. goto done;
  337. }
  338. /* Convert the encryption key to PEM format NUL terminated. */
  339. if (crypto_pk_write_public_key_to_string(ip->legacy.key, &key_str,
  340. &key_str_len) < 0) {
  341. log_warn(LD_REND, "Unable to encode legacy encryption key.");
  342. goto done;
  343. }
  344. tor_asprintf(&encoded,
  345. "%s \n%s" /* Newline is added by the call above. */
  346. "%s\n"
  347. "-----BEGIN CROSSCERT-----\n"
  348. "%s"
  349. "-----END CROSSCERT-----",
  350. str_ip_legacy_key, key_str,
  351. str_ip_legacy_key_cert, b64_cert);
  352. tor_free(key_str);
  353. done:
  354. return encoded;
  355. }
  356. /* Encode an introduction point encryption key and certificate. Return a newly
  357. * allocated string with it. On failure, return NULL. */
  358. static char *
  359. encode_enc_key(const hs_desc_intro_point_t *ip)
  360. {
  361. char *encoded = NULL, *encoded_cert;
  362. char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
  363. tor_assert(ip);
  364. /* Base64 encode the encryption key for the "enc-key" field. */
  365. if (curve25519_public_to_base64(key_b64, &ip->enc_key) < 0) {
  366. goto done;
  367. }
  368. if (tor_cert_encode_ed22519(ip->enc_key_cert, &encoded_cert) < 0) {
  369. goto done;
  370. }
  371. tor_asprintf(&encoded,
  372. "%s ntor %s\n"
  373. "%s\n%s",
  374. str_ip_enc_key, key_b64,
  375. str_ip_enc_key_cert, encoded_cert);
  376. tor_free(encoded_cert);
  377. done:
  378. return encoded;
  379. }
  380. /* Encode an introduction point onion key. Return a newly allocated string
  381. * with it. On failure, return NULL. */
  382. static char *
  383. encode_onion_key(const hs_desc_intro_point_t *ip)
  384. {
  385. char *encoded = NULL;
  386. char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
  387. tor_assert(ip);
  388. /* Base64 encode the encryption key for the "onion-key" field. */
  389. if (curve25519_public_to_base64(key_b64, &ip->onion_key) < 0) {
  390. goto done;
  391. }
  392. tor_asprintf(&encoded, "%s ntor %s", str_ip_onion_key, key_b64);
  393. done:
  394. return encoded;
  395. }
  396. /* Encode an introduction point object and return a newly allocated string
  397. * with it. On failure, return NULL. */
  398. static char *
  399. encode_intro_point(const ed25519_public_key_t *sig_key,
  400. const hs_desc_intro_point_t *ip)
  401. {
  402. char *encoded_ip = NULL;
  403. smartlist_t *lines = smartlist_new();
  404. tor_assert(ip);
  405. tor_assert(sig_key);
  406. /* Encode link specifier. */
  407. {
  408. char *ls_str = encode_link_specifiers(ip->link_specifiers);
  409. smartlist_add_asprintf(lines, "%s %s", str_intro_point, ls_str);
  410. tor_free(ls_str);
  411. }
  412. /* Onion key encoding. */
  413. {
  414. char *encoded_onion_key = encode_onion_key(ip);
  415. if (encoded_onion_key == NULL) {
  416. goto err;
  417. }
  418. smartlist_add_asprintf(lines, "%s", encoded_onion_key);
  419. tor_free(encoded_onion_key);
  420. }
  421. /* Authentication key encoding. */
  422. {
  423. char *encoded_cert;
  424. if (tor_cert_encode_ed22519(ip->auth_key_cert, &encoded_cert) < 0) {
  425. goto err;
  426. }
  427. smartlist_add_asprintf(lines, "%s\n%s", str_ip_auth_key, encoded_cert);
  428. tor_free(encoded_cert);
  429. }
  430. /* Encryption key encoding. */
  431. {
  432. char *encoded_enc_key = encode_enc_key(ip);
  433. if (encoded_enc_key == NULL) {
  434. goto err;
  435. }
  436. smartlist_add_asprintf(lines, "%s", encoded_enc_key);
  437. tor_free(encoded_enc_key);
  438. }
  439. /* Legacy key if any. */
  440. if (ip->legacy.key != NULL) {
  441. /* Strong requirement else the IP creation was badly done. */
  442. tor_assert(ip->legacy.cert.encoded);
  443. char *encoded_legacy_key = encode_legacy_key(ip);
  444. if (encoded_legacy_key == NULL) {
  445. goto err;
  446. }
  447. smartlist_add_asprintf(lines, "%s", encoded_legacy_key);
  448. tor_free(encoded_legacy_key);
  449. }
  450. /* Join them all in one blob of text. */
  451. encoded_ip = smartlist_join_strings(lines, "\n", 1, NULL);
  452. err:
  453. SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
  454. smartlist_free(lines);
  455. return encoded_ip;
  456. }
  457. /* Given a source length, return the new size including padding for the
  458. * plaintext encryption. */
  459. static size_t
  460. compute_padded_plaintext_length(size_t plaintext_len)
  461. {
  462. size_t plaintext_padded_len;
  463. const int padding_block_length = HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE;
  464. /* Make sure we won't overflow. */
  465. tor_assert(plaintext_len <= (SIZE_T_CEILING - padding_block_length));
  466. /* Get the extra length we need to add. For example, if srclen is 10200
  467. * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
  468. plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
  469. padding_block_length;
  470. /* Can never be extra careful. Make sure we are _really_ padded. */
  471. tor_assert(!(plaintext_padded_len % padding_block_length));
  472. return plaintext_padded_len;
  473. }
  474. /* Given a buffer, pad it up to the encrypted section padding requirement. Set
  475. * the newly allocated string in padded_out and return the length of the
  476. * padded buffer. */
  477. STATIC size_t
  478. build_plaintext_padding(const char *plaintext, size_t plaintext_len,
  479. uint8_t **padded_out)
  480. {
  481. size_t padded_len;
  482. uint8_t *padded;
  483. tor_assert(plaintext);
  484. tor_assert(padded_out);
  485. /* Allocate the final length including padding. */
  486. padded_len = compute_padded_plaintext_length(plaintext_len);
  487. tor_assert(padded_len >= plaintext_len);
  488. padded = tor_malloc_zero(padded_len);
  489. memcpy(padded, plaintext, plaintext_len);
  490. *padded_out = padded;
  491. return padded_len;
  492. }
  493. /* Using a key, IV and plaintext data of length plaintext_len, create the
  494. * encrypted section by encrypting it and setting encrypted_out with the
  495. * data. Return size of the encrypted data buffer. */
  496. static size_t
  497. build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
  498. size_t plaintext_len, uint8_t **encrypted_out,
  499. int is_superencrypted_layer)
  500. {
  501. size_t encrypted_len;
  502. uint8_t *padded_plaintext, *encrypted;
  503. crypto_cipher_t *cipher;
  504. tor_assert(key);
  505. tor_assert(iv);
  506. tor_assert(plaintext);
  507. tor_assert(encrypted_out);
  508. /* If we are encrypting the middle layer of the descriptor, we need to first
  509. pad the plaintext */
  510. if (is_superencrypted_layer) {
  511. encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
  512. &padded_plaintext);
  513. /* Extra precautions that we have a valid padding length. */
  514. tor_assert(!(encrypted_len % HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE));
  515. } else { /* No padding required for inner layers */
  516. padded_plaintext = tor_memdup(plaintext, plaintext_len);
  517. encrypted_len = plaintext_len;
  518. }
  519. /* This creates a cipher for AES. It can't fail. */
  520. cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
  521. HS_DESC_ENCRYPTED_BIT_SIZE);
  522. /* We use a stream cipher so the encrypted length will be the same as the
  523. * plaintext padded length. */
  524. encrypted = tor_malloc_zero(encrypted_len);
  525. /* This can't fail. */
  526. crypto_cipher_encrypt(cipher, (char *) encrypted,
  527. (const char *) padded_plaintext, encrypted_len);
  528. *encrypted_out = encrypted;
  529. /* Cleanup. */
  530. crypto_cipher_free(cipher);
  531. tor_free(padded_plaintext);
  532. return encrypted_len;
  533. }
  534. /* Encrypt the given <b>plaintext</b> buffer using <b>desc</b> to get the
  535. * keys. Set encrypted_out with the encrypted data and return the length of
  536. * it. <b>is_superencrypted_layer</b> is set if this is the outer encrypted
  537. * layer of the descriptor. */
  538. static size_t
  539. encrypt_descriptor_data(const hs_descriptor_t *desc, const char *plaintext,
  540. char **encrypted_out, int is_superencrypted_layer)
  541. {
  542. char *final_blob;
  543. size_t encrypted_len, final_blob_len, offset = 0;
  544. uint8_t *encrypted;
  545. uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
  546. uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
  547. uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
  548. tor_assert(desc);
  549. tor_assert(plaintext);
  550. tor_assert(encrypted_out);
  551. /* Get our salt. The returned bytes are already hashed. */
  552. crypto_strongest_rand(salt, sizeof(salt));
  553. /* KDF construction resulting in a key from which the secret key, IV and MAC
  554. * key are extracted which is what we need for the encryption. */
  555. build_secret_key_iv_mac(desc, salt, sizeof(salt),
  556. secret_key, sizeof(secret_key),
  557. secret_iv, sizeof(secret_iv),
  558. mac_key, sizeof(mac_key),
  559. is_superencrypted_layer);
  560. /* Build the encrypted part that is do the actual encryption. */
  561. encrypted_len = build_encrypted(secret_key, secret_iv, plaintext,
  562. strlen(plaintext), &encrypted,
  563. is_superencrypted_layer);
  564. memwipe(secret_key, 0, sizeof(secret_key));
  565. memwipe(secret_iv, 0, sizeof(secret_iv));
  566. /* This construction is specified in section 2.5 of proposal 224. */
  567. final_blob_len = sizeof(salt) + encrypted_len + DIGEST256_LEN;
  568. final_blob = tor_malloc_zero(final_blob_len);
  569. /* Build the MAC. */
  570. build_mac(mac_key, sizeof(mac_key), salt, sizeof(salt),
  571. encrypted, encrypted_len, mac, sizeof(mac));
  572. memwipe(mac_key, 0, sizeof(mac_key));
  573. /* The salt is the first value. */
  574. memcpy(final_blob, salt, sizeof(salt));
  575. offset = sizeof(salt);
  576. /* Second value is the encrypted data. */
  577. memcpy(final_blob + offset, encrypted, encrypted_len);
  578. offset += encrypted_len;
  579. /* Third value is the MAC. */
  580. memcpy(final_blob + offset, mac, sizeof(mac));
  581. offset += sizeof(mac);
  582. /* Cleanup the buffers. */
  583. memwipe(salt, 0, sizeof(salt));
  584. memwipe(encrypted, 0, encrypted_len);
  585. tor_free(encrypted);
  586. /* Extra precaution. */
  587. tor_assert(offset == final_blob_len);
  588. *encrypted_out = final_blob;
  589. return final_blob_len;
  590. }
  591. /* Create and return a string containing a fake client-auth entry. It's the
  592. * responsibility of the caller to free the returned string. This function will
  593. * never fail. */
  594. static char *
  595. get_fake_auth_client_str(void)
  596. {
  597. char *auth_client_str = NULL;
  598. /* We are gonna fill these arrays with fake base64 data. They are all double
  599. * the size of their binary representation to fit the base64 overhead. */
  600. char client_id_b64[8*2];
  601. char iv_b64[16*2];
  602. char encrypted_cookie_b64[16*2];
  603. int retval;
  604. /* This is a macro to fill a field with random data and then base64 it. */
  605. #define FILL_WITH_FAKE_DATA_AND_BASE64(field) STMT_BEGIN \
  606. crypto_rand((char *)field, sizeof(field)); \
  607. retval = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
  608. field, sizeof(field)); \
  609. tor_assert(retval > 0); \
  610. STMT_END
  611. { /* Get those fakes! */
  612. uint8_t client_id[8]; /* fake client-id */
  613. uint8_t iv[16]; /* fake IV (initialization vector) */
  614. uint8_t encrypted_cookie[16]; /* fake encrypted cookie */
  615. FILL_WITH_FAKE_DATA_AND_BASE64(client_id);
  616. FILL_WITH_FAKE_DATA_AND_BASE64(iv);
  617. FILL_WITH_FAKE_DATA_AND_BASE64(encrypted_cookie);
  618. }
  619. /* Build the final string */
  620. tor_asprintf(&auth_client_str, "%s %s %s %s", str_desc_auth_client,
  621. client_id_b64, iv_b64, encrypted_cookie_b64);
  622. #undef FILL_WITH_FAKE_DATA_AND_BASE64
  623. return auth_client_str;
  624. }
  625. /** How many lines of "client-auth" we want in our descriptors; fake or not. */
  626. #define CLIENT_AUTH_ENTRIES_BLOCK_SIZE 16
  627. /** Create the "client-auth" part of the descriptor and return a
  628. * newly-allocated string with it. It's the responsibility of the caller to
  629. * free the returned string. */
  630. static char *
  631. get_fake_auth_client_lines(void)
  632. {
  633. /* XXX: Client authorization is still not implemented, so all this function
  634. does is make fake clients */
  635. int i = 0;
  636. smartlist_t *auth_client_lines = smartlist_new();
  637. char *auth_client_lines_str = NULL;
  638. /* Make a line for each fake client */
  639. const int num_fake_clients = CLIENT_AUTH_ENTRIES_BLOCK_SIZE;
  640. for (i = 0; i < num_fake_clients; i++) {
  641. char *auth_client_str = get_fake_auth_client_str();
  642. tor_assert(auth_client_str);
  643. smartlist_add(auth_client_lines, auth_client_str);
  644. }
  645. /* Join all lines together to form final string */
  646. auth_client_lines_str = smartlist_join_strings(auth_client_lines,
  647. "\n", 1, NULL);
  648. /* Cleanup the mess */
  649. SMARTLIST_FOREACH(auth_client_lines, char *, a, tor_free(a));
  650. smartlist_free(auth_client_lines);
  651. return auth_client_lines_str;
  652. }
  653. /* Create the inner layer of the descriptor (which includes the intro points,
  654. * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
  655. * an error occured. It's the responsibility of the caller to free the returned
  656. * string. */
  657. static char *
  658. get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
  659. {
  660. char *encoded_str = NULL;
  661. smartlist_t *lines = smartlist_new();
  662. /* Build the start of the section prior to the introduction points. */
  663. {
  664. if (!desc->encrypted_data.create2_ntor) {
  665. log_err(LD_BUG, "HS desc doesn't have recognized handshake type.");
  666. goto err;
  667. }
  668. smartlist_add_asprintf(lines, "%s %d\n", str_create2_formats,
  669. ONION_HANDSHAKE_TYPE_NTOR);
  670. if (desc->encrypted_data.intro_auth_types &&
  671. smartlist_len(desc->encrypted_data.intro_auth_types)) {
  672. /* Put the authentication-required line. */
  673. char *buf = smartlist_join_strings(desc->encrypted_data.intro_auth_types,
  674. " ", 0, NULL);
  675. smartlist_add_asprintf(lines, "%s %s\n", str_intro_auth_required, buf);
  676. tor_free(buf);
  677. }
  678. if (desc->encrypted_data.single_onion_service) {
  679. smartlist_add_asprintf(lines, "%s\n", str_single_onion);
  680. }
  681. }
  682. /* Build the introduction point(s) section. */
  683. SMARTLIST_FOREACH_BEGIN(desc->encrypted_data.intro_points,
  684. const hs_desc_intro_point_t *, ip) {
  685. char *encoded_ip = encode_intro_point(&desc->plaintext_data.signing_pubkey,
  686. ip);
  687. if (encoded_ip == NULL) {
  688. log_err(LD_BUG, "HS desc intro point is malformed.");
  689. goto err;
  690. }
  691. smartlist_add(lines, encoded_ip);
  692. } SMARTLIST_FOREACH_END(ip);
  693. /* Build the entire encrypted data section into one encoded plaintext and
  694. * then encrypt it. */
  695. encoded_str = smartlist_join_strings(lines, "", 0, NULL);
  696. err:
  697. SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
  698. smartlist_free(lines);
  699. return encoded_str;
  700. }
  701. /* Create the middle layer of the descriptor, which includes the client auth
  702. * data and the encrypted inner layer (provided as a base64 string at
  703. * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
  704. * layer plaintext, or NULL if an error occured. It's the responsibility of the
  705. * caller to free the returned string. */
  706. static char *
  707. get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc,
  708. const char *layer2_b64_ciphertext)
  709. {
  710. char *layer1_str = NULL;
  711. smartlist_t *lines = smartlist_new();
  712. /* XXX: Disclaimer: This function generates only _fake_ client auth
  713. * data. Real client auth is not yet implemented, but client auth data MUST
  714. * always be present in descriptors. In the future this function will be
  715. * refactored to use real client auth data if they exist (#20700). */
  716. (void) *desc;
  717. /* Specify auth type */
  718. smartlist_add_asprintf(lines, "%s %s\n", str_desc_auth_type, "x25519");
  719. { /* Create fake ephemeral x25519 key */
  720. char fake_key_base64[CURVE25519_BASE64_PADDED_LEN + 1];
  721. curve25519_keypair_t fake_x25519_keypair;
  722. if (curve25519_keypair_generate(&fake_x25519_keypair, 0) < 0) {
  723. goto done;
  724. }
  725. if (curve25519_public_to_base64(fake_key_base64,
  726. &fake_x25519_keypair.pubkey) < 0) {
  727. goto done;
  728. }
  729. smartlist_add_asprintf(lines, "%s %s\n",
  730. str_desc_auth_key, fake_key_base64);
  731. /* No need to memwipe any of these fake keys. They will go unused. */
  732. }
  733. { /* Create fake auth-client lines. */
  734. char *auth_client_lines = get_fake_auth_client_lines();
  735. tor_assert(auth_client_lines);
  736. smartlist_add(lines, auth_client_lines);
  737. }
  738. /* create encrypted section */
  739. {
  740. smartlist_add_asprintf(lines,
  741. "%s\n"
  742. "-----BEGIN MESSAGE-----\n"
  743. "%s"
  744. "-----END MESSAGE-----",
  745. str_encrypted, layer2_b64_ciphertext);
  746. }
  747. layer1_str = smartlist_join_strings(lines, "", 0, NULL);
  748. done:
  749. SMARTLIST_FOREACH(lines, char *, a, tor_free(a));
  750. smartlist_free(lines);
  751. return layer1_str;
  752. }
  753. /* Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
  754. * returning it. <b>desc</b> is provided to derive the encryption
  755. * keys. <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
  756. * middle (superencrypted) layer of the descriptor. It's the responsibility of
  757. * the caller to free the returned string. */
  758. static char *
  759. encrypt_desc_data_and_base64(const hs_descriptor_t *desc,
  760. const char *encoded_str,
  761. int is_superencrypted_layer)
  762. {
  763. char *enc_b64;
  764. ssize_t enc_b64_len, ret_len, enc_len;
  765. char *encrypted_blob = NULL;
  766. enc_len = encrypt_descriptor_data(desc, encoded_str, &encrypted_blob,
  767. is_superencrypted_layer);
  768. /* Get the encoded size plus a NUL terminating byte. */
  769. enc_b64_len = base64_encode_size(enc_len, BASE64_ENCODE_MULTILINE) + 1;
  770. enc_b64 = tor_malloc_zero(enc_b64_len);
  771. /* Base64 the encrypted blob before returning it. */
  772. ret_len = base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
  773. BASE64_ENCODE_MULTILINE);
  774. /* Return length doesn't count the NUL byte. */
  775. tor_assert(ret_len == (enc_b64_len - 1));
  776. tor_free(encrypted_blob);
  777. return enc_b64;
  778. }
  779. /* Generate and encode the superencrypted portion of <b>desc</b>. This also
  780. * involves generating the encrypted portion of the descriptor, and performing
  781. * the superencryption. A newly allocated NUL-terminated string pointer
  782. * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
  783. * on success else a negative value. */
  784. static int
  785. encode_superencrypted_data(const hs_descriptor_t *desc,
  786. char **encrypted_blob_out)
  787. {
  788. int ret = -1;
  789. char *layer2_str = NULL;
  790. char *layer2_b64_ciphertext = NULL;
  791. char *layer1_str = NULL;
  792. char *layer1_b64_ciphertext = NULL;
  793. tor_assert(desc);
  794. tor_assert(encrypted_blob_out);
  795. /* Func logic: We first create the inner layer of the descriptor (layer2).
  796. * We then encrypt it and use it to create the middle layer of the descriptor
  797. * (layer1). Finally we superencrypt the middle layer and return it to our
  798. * caller. */
  799. /* Create inner descriptor layer */
  800. layer2_str = get_inner_encrypted_layer_plaintext(desc);
  801. if (!layer2_str) {
  802. goto err;
  803. }
  804. /* Encrypt and b64 the inner layer */
  805. layer2_b64_ciphertext = encrypt_desc_data_and_base64(desc, layer2_str, 0);
  806. if (!layer2_b64_ciphertext) {
  807. goto err;
  808. }
  809. /* Now create middle descriptor layer given the inner layer */
  810. layer1_str = get_outer_encrypted_layer_plaintext(desc,layer2_b64_ciphertext);
  811. if (!layer1_str) {
  812. goto err;
  813. }
  814. /* Encrypt and base64 the middle layer */
  815. layer1_b64_ciphertext = encrypt_desc_data_and_base64(desc, layer1_str, 1);
  816. if (!layer1_b64_ciphertext) {
  817. goto err;
  818. }
  819. /* Success! */
  820. ret = 0;
  821. err:
  822. tor_free(layer1_str);
  823. tor_free(layer2_str);
  824. tor_free(layer2_b64_ciphertext);
  825. *encrypted_blob_out = layer1_b64_ciphertext;
  826. return ret;
  827. }
  828. /* Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
  829. * newly allocated string of the encoded descriptor. On error, -1 is returned
  830. * and encoded_out is untouched. */
  831. static int
  832. desc_encode_v3(const hs_descriptor_t *desc,
  833. const ed25519_keypair_t *signing_kp, char **encoded_out)
  834. {
  835. int ret = -1;
  836. char *encoded_str = NULL;
  837. size_t encoded_len;
  838. smartlist_t *lines = smartlist_new();
  839. tor_assert(desc);
  840. tor_assert(signing_kp);
  841. tor_assert(encoded_out);
  842. tor_assert(desc->plaintext_data.version == 3);
  843. if (BUG(desc->subcredential == NULL)) {
  844. goto err;
  845. }
  846. /* Build the non-encrypted values. */
  847. {
  848. char *encoded_cert;
  849. /* Encode certificate then create the first line of the descriptor. */
  850. if (desc->plaintext_data.signing_key_cert->cert_type
  851. != CERT_TYPE_SIGNING_HS_DESC) {
  852. log_err(LD_BUG, "HS descriptor signing key has an unexpected cert type "
  853. "(%d)", (int) desc->plaintext_data.signing_key_cert->cert_type);
  854. goto err;
  855. }
  856. if (tor_cert_encode_ed22519(desc->plaintext_data.signing_key_cert,
  857. &encoded_cert) < 0) {
  858. /* The function will print error logs. */
  859. goto err;
  860. }
  861. /* Create the hs descriptor line. */
  862. smartlist_add_asprintf(lines, "%s %" PRIu32, str_hs_desc,
  863. desc->plaintext_data.version);
  864. /* Add the descriptor lifetime line (in minutes). */
  865. smartlist_add_asprintf(lines, "%s %" PRIu32, str_lifetime,
  866. desc->plaintext_data.lifetime_sec / 60);
  867. /* Create the descriptor certificate line. */
  868. smartlist_add_asprintf(lines, "%s\n%s", str_desc_cert, encoded_cert);
  869. tor_free(encoded_cert);
  870. /* Create the revision counter line. */
  871. smartlist_add_asprintf(lines, "%s %" PRIu64, str_rev_counter,
  872. desc->plaintext_data.revision_counter);
  873. }
  874. /* Build the superencrypted data section. */
  875. {
  876. char *enc_b64_blob=NULL;
  877. if (encode_superencrypted_data(desc, &enc_b64_blob) < 0) {
  878. goto err;
  879. }
  880. smartlist_add_asprintf(lines,
  881. "%s\n"
  882. "-----BEGIN MESSAGE-----\n"
  883. "%s"
  884. "-----END MESSAGE-----",
  885. str_superencrypted, enc_b64_blob);
  886. tor_free(enc_b64_blob);
  887. }
  888. /* Join all lines in one string so we can generate a signature and append
  889. * it to the descriptor. */
  890. encoded_str = smartlist_join_strings(lines, "\n", 1, &encoded_len);
  891. /* Sign all fields of the descriptor with our short term signing key. */
  892. {
  893. ed25519_signature_t sig;
  894. char ed_sig_b64[ED25519_SIG_BASE64_LEN + 1];
  895. if (ed25519_sign_prefixed(&sig,
  896. (const uint8_t *) encoded_str, encoded_len,
  897. str_desc_sig_prefix, signing_kp) < 0) {
  898. log_warn(LD_BUG, "Can't sign encoded HS descriptor!");
  899. tor_free(encoded_str);
  900. goto err;
  901. }
  902. if (ed25519_signature_to_base64(ed_sig_b64, &sig) < 0) {
  903. log_warn(LD_BUG, "Can't base64 encode descriptor signature!");
  904. tor_free(encoded_str);
  905. goto err;
  906. }
  907. /* Create the signature line. */
  908. smartlist_add_asprintf(lines, "%s %s", str_signature, ed_sig_b64);
  909. }
  910. /* Free previous string that we used so compute the signature. */
  911. tor_free(encoded_str);
  912. encoded_str = smartlist_join_strings(lines, "\n", 1, NULL);
  913. *encoded_out = encoded_str;
  914. if (strlen(encoded_str) >= hs_cache_get_max_descriptor_size()) {
  915. log_warn(LD_GENERAL, "We just made an HS descriptor that's too big (%d)."
  916. "Failing.", (int)strlen(encoded_str));
  917. tor_free(encoded_str);
  918. goto err;
  919. }
  920. /* XXX: Trigger a control port event. */
  921. /* Success! */
  922. ret = 0;
  923. err:
  924. SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
  925. smartlist_free(lines);
  926. return ret;
  927. }
  928. /* === DECODING === */
  929. /* Given an encoded string of the link specifiers, return a newly allocated
  930. * list of decoded link specifiers. Return NULL on error. */
  931. STATIC smartlist_t *
  932. decode_link_specifiers(const char *encoded)
  933. {
  934. int decoded_len;
  935. size_t encoded_len, i;
  936. uint8_t *decoded;
  937. smartlist_t *results = NULL;
  938. link_specifier_list_t *specs = NULL;
  939. tor_assert(encoded);
  940. encoded_len = strlen(encoded);
  941. decoded = tor_malloc(encoded_len);
  942. decoded_len = base64_decode((char *) decoded, encoded_len, encoded,
  943. encoded_len);
  944. if (decoded_len < 0) {
  945. goto err;
  946. }
  947. if (link_specifier_list_parse(&specs, decoded,
  948. (size_t) decoded_len) < decoded_len) {
  949. goto err;
  950. }
  951. tor_assert(specs);
  952. results = smartlist_new();
  953. for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
  954. hs_desc_link_specifier_t *hs_spec;
  955. link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
  956. tor_assert(ls);
  957. hs_spec = tor_malloc_zero(sizeof(*hs_spec));
  958. hs_spec->type = link_specifier_get_ls_type(ls);
  959. switch (hs_spec->type) {
  960. case LS_IPV4:
  961. tor_addr_from_ipv4h(&hs_spec->u.ap.addr,
  962. link_specifier_get_un_ipv4_addr(ls));
  963. hs_spec->u.ap.port = link_specifier_get_un_ipv4_port(ls);
  964. break;
  965. case LS_IPV6:
  966. tor_addr_from_ipv6_bytes(&hs_spec->u.ap.addr, (const char *)
  967. link_specifier_getarray_un_ipv6_addr(ls));
  968. hs_spec->u.ap.port = link_specifier_get_un_ipv6_port(ls);
  969. break;
  970. case LS_LEGACY_ID:
  971. /* Both are known at compile time so let's make sure they are the same
  972. * else we can copy memory out of bound. */
  973. tor_assert(link_specifier_getlen_un_legacy_id(ls) ==
  974. sizeof(hs_spec->u.legacy_id));
  975. memcpy(hs_spec->u.legacy_id, link_specifier_getarray_un_legacy_id(ls),
  976. sizeof(hs_spec->u.legacy_id));
  977. break;
  978. case LS_ED25519_ID:
  979. /* Both are known at compile time so let's make sure they are the same
  980. * else we can copy memory out of bound. */
  981. tor_assert(link_specifier_getlen_un_ed25519_id(ls) ==
  982. sizeof(hs_spec->u.ed25519_id));
  983. memcpy(hs_spec->u.ed25519_id,
  984. link_specifier_getconstarray_un_ed25519_id(ls),
  985. sizeof(hs_spec->u.ed25519_id));
  986. break;
  987. default:
  988. goto err;
  989. }
  990. smartlist_add(results, hs_spec);
  991. }
  992. goto done;
  993. err:
  994. if (results) {
  995. SMARTLIST_FOREACH(results, hs_desc_link_specifier_t *, s, tor_free(s));
  996. smartlist_free(results);
  997. results = NULL;
  998. }
  999. done:
  1000. link_specifier_list_free(specs);
  1001. tor_free(decoded);
  1002. return results;
  1003. }
  1004. /* Given a list of authentication types, decode it and put it in the encrypted
  1005. * data section. Return 1 if we at least know one of the type or 0 if we know
  1006. * none of them. */
  1007. static int
  1008. decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
  1009. {
  1010. int match = 0;
  1011. tor_assert(desc);
  1012. tor_assert(list);
  1013. desc->intro_auth_types = smartlist_new();
  1014. smartlist_split_string(desc->intro_auth_types, list, " ", 0, 0);
  1015. /* Validate the types that we at least know about one. */
  1016. SMARTLIST_FOREACH_BEGIN(desc->intro_auth_types, const char *, auth) {
  1017. for (int idx = 0; intro_auth_types[idx].identifier; idx++) {
  1018. if (!strncmp(auth, intro_auth_types[idx].identifier,
  1019. strlen(intro_auth_types[idx].identifier))) {
  1020. match = 1;
  1021. break;
  1022. }
  1023. }
  1024. } SMARTLIST_FOREACH_END(auth);
  1025. return match;
  1026. }
  1027. /* Parse a space-delimited list of integers representing CREATE2 formats into
  1028. * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
  1029. static void
  1030. decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
  1031. {
  1032. smartlist_t *tokens;
  1033. tor_assert(desc);
  1034. tor_assert(list);
  1035. tokens = smartlist_new();
  1036. smartlist_split_string(tokens, list, " ", 0, 0);
  1037. SMARTLIST_FOREACH_BEGIN(tokens, char *, s) {
  1038. int ok;
  1039. unsigned long type = tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
  1040. if (!ok) {
  1041. log_warn(LD_REND, "Unparseable value %s in create2 list", escaped(s));
  1042. continue;
  1043. }
  1044. switch (type) {
  1045. case ONION_HANDSHAKE_TYPE_NTOR:
  1046. desc->create2_ntor = 1;
  1047. break;
  1048. default:
  1049. /* We deliberately ignore unsupported handshake types */
  1050. continue;
  1051. }
  1052. } SMARTLIST_FOREACH_END(s);
  1053. SMARTLIST_FOREACH(tokens, char *, s, tor_free(s));
  1054. smartlist_free(tokens);
  1055. }
  1056. /* Given a certificate, validate the certificate for certain conditions which
  1057. * are if the given type matches the cert's one, if the signing key is
  1058. * included and if the that key was actually used to sign the certificate.
  1059. *
  1060. * Return 1 iff if all conditions pass or 0 if one of them fails. */
  1061. STATIC int
  1062. cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
  1063. {
  1064. tor_assert(log_obj_type);
  1065. if (cert == NULL) {
  1066. log_warn(LD_REND, "Certificate for %s couldn't be parsed.", log_obj_type);
  1067. goto err;
  1068. }
  1069. if (cert->cert_type != type) {
  1070. log_warn(LD_REND, "Invalid cert type %02x for %s.", cert->cert_type,
  1071. log_obj_type);
  1072. goto err;
  1073. }
  1074. /* All certificate must have its signing key included. */
  1075. if (!cert->signing_key_included) {
  1076. log_warn(LD_REND, "Signing key is NOT included for %s.", log_obj_type);
  1077. goto err;
  1078. }
  1079. /* The following will not only check if the signature matches but also the
  1080. * expiration date and overall validity. */
  1081. if (tor_cert_checksig(cert, &cert->signing_key, approx_time()) < 0) {
  1082. log_warn(LD_REND, "Invalid signature for %s.", log_obj_type);
  1083. goto err;
  1084. }
  1085. return 1;
  1086. err:
  1087. return 0;
  1088. }
  1089. /* Given some binary data, try to parse it to get a certificate object. If we
  1090. * have a valid cert, validate it using the given wanted type. On error, print
  1091. * a log using the err_msg has the certificate identifier adding semantic to
  1092. * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
  1093. * points to a newly allocated certificate object. */
  1094. static int
  1095. cert_parse_and_validate(tor_cert_t **cert_out, const char *data,
  1096. size_t data_len, unsigned int cert_type_wanted,
  1097. const char *err_msg)
  1098. {
  1099. tor_cert_t *cert;
  1100. tor_assert(cert_out);
  1101. tor_assert(data);
  1102. tor_assert(err_msg);
  1103. /* Parse certificate. */
  1104. cert = tor_cert_parse((const uint8_t *) data, data_len);
  1105. if (!cert) {
  1106. log_warn(LD_REND, "Certificate for %s couldn't be parsed.", err_msg);
  1107. goto err;
  1108. }
  1109. /* Validate certificate. */
  1110. if (!cert_is_valid(cert, cert_type_wanted, err_msg)) {
  1111. goto err;
  1112. }
  1113. *cert_out = cert;
  1114. return 0;
  1115. err:
  1116. tor_cert_free(cert);
  1117. *cert_out = NULL;
  1118. return -1;
  1119. }
  1120. /* Return true iff the given length of the encrypted data of a descriptor
  1121. * passes validation. */
  1122. STATIC int
  1123. encrypted_data_length_is_valid(size_t len)
  1124. {
  1125. /* Make sure there is enough data for the salt and the mac. The equality is
  1126. there to ensure that there is at least one byte of encrypted data. */
  1127. if (len <= HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN) {
  1128. log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
  1129. "Got %lu but minimum value is %d",
  1130. (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
  1131. goto err;
  1132. }
  1133. return 1;
  1134. err:
  1135. return 0;
  1136. }
  1137. /** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
  1138. * <b>encrypted_blob_size</b>. Use the descriptor object <b>desc</b> to
  1139. * generate the right decryption keys; set <b>decrypted_out</b> to the
  1140. * plaintext. If <b>is_superencrypted_layer</b> is set, this is the outter
  1141. * encrypted layer of the descriptor.
  1142. *
  1143. * On any error case, including an empty output, return 0 and set
  1144. * *<b>decrypted_out</b> to NULL.
  1145. */
  1146. MOCK_IMPL(STATIC size_t,
  1147. decrypt_desc_layer,(const hs_descriptor_t *desc,
  1148. const uint8_t *encrypted_blob,
  1149. size_t encrypted_blob_size,
  1150. int is_superencrypted_layer,
  1151. char **decrypted_out))
  1152. {
  1153. uint8_t *decrypted = NULL;
  1154. uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
  1155. uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
  1156. const uint8_t *salt, *encrypted, *desc_mac;
  1157. size_t encrypted_len, result_len = 0;
  1158. tor_assert(decrypted_out);
  1159. tor_assert(desc);
  1160. tor_assert(encrypted_blob);
  1161. /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
  1162. * Make sure we have enough space for all these things. */
  1163. if (!encrypted_data_length_is_valid(encrypted_blob_size)) {
  1164. goto err;
  1165. }
  1166. /* Start of the blob thus the salt. */
  1167. salt = encrypted_blob;
  1168. /* Next is the encrypted data. */
  1169. encrypted = encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN;
  1170. encrypted_len = encrypted_blob_size -
  1171. (HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
  1172. tor_assert(encrypted_len > 0); /* guaranteed by the check above */
  1173. /* And last comes the MAC. */
  1174. desc_mac = encrypted_blob + encrypted_blob_size - DIGEST256_LEN;
  1175. /* KDF construction resulting in a key from which the secret key, IV and MAC
  1176. * key are extracted which is what we need for the decryption. */
  1177. build_secret_key_iv_mac(desc, salt, HS_DESC_ENCRYPTED_SALT_LEN,
  1178. secret_key, sizeof(secret_key),
  1179. secret_iv, sizeof(secret_iv),
  1180. mac_key, sizeof(mac_key),
  1181. is_superencrypted_layer);
  1182. /* Build MAC. */
  1183. build_mac(mac_key, sizeof(mac_key), salt, HS_DESC_ENCRYPTED_SALT_LEN,
  1184. encrypted, encrypted_len, our_mac, sizeof(our_mac));
  1185. memwipe(mac_key, 0, sizeof(mac_key));
  1186. /* Verify MAC; MAC is H(mac_key || salt || encrypted)
  1187. *
  1188. * This is a critical check that is making sure the computed MAC matches the
  1189. * one in the descriptor. */
  1190. if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
  1191. log_warn(LD_REND, "Encrypted service descriptor MAC check failed");
  1192. goto err;
  1193. }
  1194. {
  1195. /* Decrypt. Here we are assured that the encrypted length is valid for
  1196. * decryption. */
  1197. crypto_cipher_t *cipher;
  1198. cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
  1199. HS_DESC_ENCRYPTED_BIT_SIZE);
  1200. /* Extra byte for the NUL terminated byte. */
  1201. decrypted = tor_malloc_zero(encrypted_len + 1);
  1202. crypto_cipher_decrypt(cipher, (char *) decrypted,
  1203. (const char *) encrypted, encrypted_len);
  1204. crypto_cipher_free(cipher);
  1205. }
  1206. {
  1207. /* Adjust length to remove NUL padding bytes */
  1208. uint8_t *end = memchr(decrypted, 0, encrypted_len);
  1209. result_len = encrypted_len;
  1210. if (end) {
  1211. result_len = end - decrypted;
  1212. }
  1213. }
  1214. if (result_len == 0) {
  1215. /* Treat this as an error, so that somebody will free the output. */
  1216. goto err;
  1217. }
  1218. /* Make sure to NUL terminate the string. */
  1219. decrypted[encrypted_len] = '\0';
  1220. *decrypted_out = (char *) decrypted;
  1221. goto done;
  1222. err:
  1223. if (decrypted) {
  1224. tor_free(decrypted);
  1225. }
  1226. *decrypted_out = NULL;
  1227. result_len = 0;
  1228. done:
  1229. memwipe(secret_key, 0, sizeof(secret_key));
  1230. memwipe(secret_iv, 0, sizeof(secret_iv));
  1231. return result_len;
  1232. }
  1233. /* Basic validation that the superencrypted client auth portion of the
  1234. * descriptor is well-formed and recognized. Return True if so, otherwise
  1235. * return False. */
  1236. static int
  1237. superencrypted_auth_data_is_valid(smartlist_t *tokens)
  1238. {
  1239. /* XXX: This is just basic validation for now. When we implement client auth,
  1240. we can refactor this function so that it actually parses and saves the
  1241. data. */
  1242. { /* verify desc auth type */
  1243. const directory_token_t *tok;
  1244. tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
  1245. tor_assert(tok->n_args >= 1);
  1246. if (strcmp(tok->args[0], "x25519")) {
  1247. log_warn(LD_DIR, "Unrecognized desc auth type");
  1248. return 0;
  1249. }
  1250. }
  1251. { /* verify desc auth key */
  1252. const directory_token_t *tok;
  1253. curve25519_public_key_t k;
  1254. tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
  1255. tor_assert(tok->n_args >= 1);
  1256. if (curve25519_public_from_base64(&k, tok->args[0]) < 0) {
  1257. log_warn(LD_DIR, "Bogus desc auth key in HS desc");
  1258. return 0;
  1259. }
  1260. }
  1261. /* verify desc auth client items */
  1262. SMARTLIST_FOREACH_BEGIN(tokens, const directory_token_t *, tok) {
  1263. if (tok->tp == R3_DESC_AUTH_CLIENT) {
  1264. tor_assert(tok->n_args >= 3);
  1265. }
  1266. } SMARTLIST_FOREACH_END(tok);
  1267. return 1;
  1268. }
  1269. /* Parse <b>message</b>, the plaintext of the superencrypted portion of an HS
  1270. * descriptor. Set <b>encrypted_out</b> to the encrypted blob, and return its
  1271. * size */
  1272. STATIC size_t
  1273. decode_superencrypted(const char *message, size_t message_len,
  1274. uint8_t **encrypted_out)
  1275. {
  1276. int retval = 0;
  1277. memarea_t *area = NULL;
  1278. smartlist_t *tokens = NULL;
  1279. area = memarea_new();
  1280. tokens = smartlist_new();
  1281. if (tokenize_string(area, message, message + message_len, tokens,
  1282. hs_desc_superencrypted_v3_token_table, 0) < 0) {
  1283. log_warn(LD_REND, "Superencrypted portion is not parseable");
  1284. goto err;
  1285. }
  1286. /* Do some rudimentary validation of the authentication data */
  1287. if (!superencrypted_auth_data_is_valid(tokens)) {
  1288. log_warn(LD_REND, "Invalid auth data");
  1289. goto err;
  1290. }
  1291. /* Extract the encrypted data section. */
  1292. {
  1293. const directory_token_t *tok;
  1294. tok = find_by_keyword(tokens, R3_ENCRYPTED);
  1295. tor_assert(tok->object_body);
  1296. if (strcmp(tok->object_type, "MESSAGE") != 0) {
  1297. log_warn(LD_REND, "Desc superencrypted data section is invalid");
  1298. goto err;
  1299. }
  1300. /* Make sure the length of the encrypted blob is valid. */
  1301. if (!encrypted_data_length_is_valid(tok->object_size)) {
  1302. goto err;
  1303. }
  1304. /* Copy the encrypted blob to the descriptor object so we can handle it
  1305. * latter if needed. */
  1306. tor_assert(tok->object_size <= INT_MAX);
  1307. *encrypted_out = tor_memdup(tok->object_body, tok->object_size);
  1308. retval = (int) tok->object_size;
  1309. }
  1310. err:
  1311. SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
  1312. smartlist_free(tokens);
  1313. if (area) {
  1314. memarea_drop_all(area);
  1315. }
  1316. return retval;
  1317. }
  1318. /* Decrypt both the superencrypted and the encrypted section of the descriptor
  1319. * using the given descriptor object <b>desc</b>. A newly allocated NUL
  1320. * terminated string is put in decrypted_out which contains the inner encrypted
  1321. * layer of the descriptor. Return the length of decrypted_out on success else
  1322. * 0 is returned and decrypted_out is set to NULL. */
  1323. static size_t
  1324. desc_decrypt_all(const hs_descriptor_t *desc, char **decrypted_out)
  1325. {
  1326. size_t decrypted_len = 0;
  1327. size_t encrypted_len = 0;
  1328. size_t superencrypted_len = 0;
  1329. char *superencrypted_plaintext = NULL;
  1330. uint8_t *encrypted_blob = NULL;
  1331. /** Function logic: This function takes us from the descriptor header to the
  1332. * inner encrypted layer, by decrypting and decoding the middle descriptor
  1333. * layer. In the end we return the contents of the inner encrypted layer to
  1334. * our caller. */
  1335. /* 1. Decrypt middle layer of descriptor */
  1336. superencrypted_len = decrypt_desc_layer(desc,
  1337. desc->plaintext_data.superencrypted_blob,
  1338. desc->plaintext_data.superencrypted_blob_size,
  1339. 1,
  1340. &superencrypted_plaintext);
  1341. if (!superencrypted_len) {
  1342. log_warn(LD_REND, "Decrypting superencrypted desc failed.");
  1343. goto err;
  1344. }
  1345. tor_assert(superencrypted_plaintext);
  1346. /* 2. Parse "superencrypted" */
  1347. encrypted_len = decode_superencrypted(superencrypted_plaintext,
  1348. superencrypted_len,
  1349. &encrypted_blob);
  1350. if (!encrypted_len) {
  1351. log_warn(LD_REND, "Decrypting encrypted desc failed.");
  1352. goto err;
  1353. }
  1354. tor_assert(encrypted_blob);
  1355. /* 3. Decrypt "encrypted" and set decrypted_out */
  1356. char *decrypted_desc;
  1357. decrypted_len = decrypt_desc_layer(desc,
  1358. encrypted_blob, encrypted_len,
  1359. 0, &decrypted_desc);
  1360. if (!decrypted_len) {
  1361. log_warn(LD_REND, "Decrypting encrypted desc failed.");
  1362. goto err;
  1363. }
  1364. tor_assert(decrypted_desc);
  1365. *decrypted_out = decrypted_desc;
  1366. err:
  1367. tor_free(superencrypted_plaintext);
  1368. tor_free(encrypted_blob);
  1369. return decrypted_len;
  1370. }
  1371. /* Given the token tok for an intro point legacy key, the list of tokens, the
  1372. * introduction point ip being decoded and the descriptor desc from which it
  1373. * comes from, decode the legacy key and set the intro point object. Return 0
  1374. * on success else -1 on failure. */
  1375. static int
  1376. decode_intro_legacy_key(const directory_token_t *tok,
  1377. smartlist_t *tokens,
  1378. hs_desc_intro_point_t *ip,
  1379. const hs_descriptor_t *desc)
  1380. {
  1381. tor_assert(tok);
  1382. tor_assert(tokens);
  1383. tor_assert(ip);
  1384. tor_assert(desc);
  1385. if (!crypto_pk_public_exponent_ok(tok->key)) {
  1386. log_warn(LD_REND, "Introduction point legacy key is invalid");
  1387. goto err;
  1388. }
  1389. ip->legacy.key = crypto_pk_dup_key(tok->key);
  1390. /* Extract the legacy cross certification cert which MUST be present if we
  1391. * have a legacy key. */
  1392. tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY_CERT);
  1393. if (!tok) {
  1394. log_warn(LD_REND, "Introduction point legacy key cert is missing");
  1395. goto err;
  1396. }
  1397. tor_assert(tok->object_body);
  1398. if (strcmp(tok->object_type, "CROSSCERT")) {
  1399. /* Info level because this might be an unknown field that we should
  1400. * ignore. */
  1401. log_info(LD_REND, "Introduction point legacy encryption key "
  1402. "cross-certification has an unknown format.");
  1403. goto err;
  1404. }
  1405. /* Keep a copy of the certificate. */
  1406. ip->legacy.cert.encoded = tor_memdup(tok->object_body, tok->object_size);
  1407. ip->legacy.cert.len = tok->object_size;
  1408. /* The check on the expiration date is for the entire lifetime of a
  1409. * certificate which is 24 hours. However, a descriptor has a maximum
  1410. * lifetime of 12 hours meaning we have a 12h difference between the two
  1411. * which ultimately accomodate the clock skewed client. */
  1412. if (rsa_ed25519_crosscert_check(ip->legacy.cert.encoded,
  1413. ip->legacy.cert.len, ip->legacy.key,
  1414. &desc->plaintext_data.signing_pubkey,
  1415. approx_time() - HS_DESC_CERT_LIFETIME)) {
  1416. log_warn(LD_REND, "Unable to check cross-certification on the "
  1417. "introduction point legacy encryption key.");
  1418. ip->cross_certified = 0;
  1419. goto err;
  1420. }
  1421. /* Success. */
  1422. return 0;
  1423. err:
  1424. return -1;
  1425. }
  1426. /* Dig into the descriptor <b>tokens</b> to find the onion key we should use
  1427. * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
  1428. * was found and well-formed, otherwise return -1 in case of errors. */
  1429. static int
  1430. set_intro_point_onion_key(curve25519_public_key_t *onion_key_out,
  1431. const smartlist_t *tokens)
  1432. {
  1433. int retval = -1;
  1434. smartlist_t *onion_keys = NULL;
  1435. tor_assert(onion_key_out);
  1436. onion_keys = find_all_by_keyword(tokens, R3_INTRO_ONION_KEY);
  1437. if (!onion_keys) {
  1438. log_warn(LD_REND, "Descriptor did not contain intro onion keys");
  1439. goto err;
  1440. }
  1441. SMARTLIST_FOREACH_BEGIN(onion_keys, directory_token_t *, tok) {
  1442. /* This field is using GE(2) so for possible forward compatibility, we
  1443. * accept more fields but must be at least 2. */
  1444. tor_assert(tok->n_args >= 2);
  1445. /* Try to find an ntor key, it's the only recognized type right now */
  1446. if (!strcmp(tok->args[0], "ntor")) {
  1447. if (curve25519_public_from_base64(onion_key_out, tok->args[1]) < 0) {
  1448. log_warn(LD_REND, "Introduction point ntor onion-key is invalid");
  1449. goto err;
  1450. }
  1451. /* Got the onion key! Set the appropriate retval */
  1452. retval = 0;
  1453. }
  1454. } SMARTLIST_FOREACH_END(tok);
  1455. /* Log an error if we didn't find it :( */
  1456. if (retval < 0) {
  1457. log_warn(LD_REND, "Descriptor did not contain ntor onion keys");
  1458. }
  1459. err:
  1460. smartlist_free(onion_keys);
  1461. return retval;
  1462. }
  1463. /* Given the start of a section and the end of it, decode a single
  1464. * introduction point from that section. Return a newly allocated introduction
  1465. * point object containing the decoded data. Return NULL if the section can't
  1466. * be decoded. */
  1467. STATIC hs_desc_intro_point_t *
  1468. decode_introduction_point(const hs_descriptor_t *desc, const char *start)
  1469. {
  1470. hs_desc_intro_point_t *ip = NULL;
  1471. memarea_t *area = NULL;
  1472. smartlist_t *tokens = NULL;
  1473. const directory_token_t *tok;
  1474. tor_assert(desc);
  1475. tor_assert(start);
  1476. area = memarea_new();
  1477. tokens = smartlist_new();
  1478. if (tokenize_string(area, start, start + strlen(start),
  1479. tokens, hs_desc_intro_point_v3_token_table, 0) < 0) {
  1480. log_warn(LD_REND, "Introduction point is not parseable");
  1481. goto err;
  1482. }
  1483. /* Ok we seem to have a well formed section containing enough tokens to
  1484. * parse. Allocate our IP object and try to populate it. */
  1485. ip = hs_desc_intro_point_new();
  1486. /* "introduction-point" SP link-specifiers NL */
  1487. tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
  1488. tor_assert(tok->n_args == 1);
  1489. /* Our constructor creates this list by default so free it. */
  1490. smartlist_free(ip->link_specifiers);
  1491. ip->link_specifiers = decode_link_specifiers(tok->args[0]);
  1492. if (!ip->link_specifiers) {
  1493. log_warn(LD_REND, "Introduction point has invalid link specifiers");
  1494. goto err;
  1495. }
  1496. /* "onion-key" SP ntor SP key NL */
  1497. if (set_intro_point_onion_key(&ip->onion_key, tokens) < 0) {
  1498. goto err;
  1499. }
  1500. /* "auth-key" NL certificate NL */
  1501. tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
  1502. tor_assert(tok->object_body);
  1503. if (strcmp(tok->object_type, "ED25519 CERT")) {
  1504. log_warn(LD_REND, "Unexpected object type for introduction auth key");
  1505. goto err;
  1506. }
  1507. /* Parse cert and do some validation. */
  1508. if (cert_parse_and_validate(&ip->auth_key_cert, tok->object_body,
  1509. tok->object_size, CERT_TYPE_AUTH_HS_IP_KEY,
  1510. "introduction point auth-key") < 0) {
  1511. goto err;
  1512. }
  1513. /* Validate authentication certificate with descriptor signing key. */
  1514. if (tor_cert_checksig(ip->auth_key_cert,
  1515. &desc->plaintext_data.signing_pubkey, 0) < 0) {
  1516. log_warn(LD_REND, "Invalid authentication key signature");
  1517. goto err;
  1518. }
  1519. /* Exactly one "enc-key" SP "ntor" SP key NL */
  1520. tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
  1521. if (!strcmp(tok->args[0], "ntor")) {
  1522. /* This field is using GE(2) so for possible forward compatibility, we
  1523. * accept more fields but must be at least 2. */
  1524. tor_assert(tok->n_args >= 2);
  1525. if (curve25519_public_from_base64(&ip->enc_key, tok->args[1]) < 0) {
  1526. log_warn(LD_REND, "Introduction point ntor enc-key is invalid");
  1527. goto err;
  1528. }
  1529. } else {
  1530. /* Unknown key type so we can't use that introduction point. */
  1531. log_warn(LD_REND, "Introduction point encryption key is unrecognized.");
  1532. goto err;
  1533. }
  1534. /* Exactly once "enc-key-cert" NL certificate NL */
  1535. tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
  1536. tor_assert(tok->object_body);
  1537. /* Do the cross certification. */
  1538. if (strcmp(tok->object_type, "ED25519 CERT")) {
  1539. log_warn(LD_REND, "Introduction point ntor encryption key "
  1540. "cross-certification has an unknown format.");
  1541. goto err;
  1542. }
  1543. if (cert_parse_and_validate(&ip->enc_key_cert, tok->object_body,
  1544. tok->object_size, CERT_TYPE_CROSS_HS_IP_KEYS,
  1545. "introduction point enc-key-cert") < 0) {
  1546. goto err;
  1547. }
  1548. if (tor_cert_checksig(ip->enc_key_cert,
  1549. &desc->plaintext_data.signing_pubkey, 0) < 0) {
  1550. log_warn(LD_REND, "Invalid encryption key signature");
  1551. goto err;
  1552. }
  1553. /* It is successfully cross certified. Flag the object. */
  1554. ip->cross_certified = 1;
  1555. /* Do we have a "legacy-key" SP key NL ?*/
  1556. tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY);
  1557. if (tok) {
  1558. if (decode_intro_legacy_key(tok, tokens, ip, desc) < 0) {
  1559. goto err;
  1560. }
  1561. }
  1562. /* Introduction point has been parsed successfully. */
  1563. goto done;
  1564. err:
  1565. hs_desc_intro_point_free(ip);
  1566. ip = NULL;
  1567. done:
  1568. SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
  1569. smartlist_free(tokens);
  1570. if (area) {
  1571. memarea_drop_all(area);
  1572. }
  1573. return ip;
  1574. }
  1575. /* Given a descriptor string at <b>data</b>, decode all possible introduction
  1576. * points that we can find. Add the introduction point object to desc_enc as we
  1577. * find them. This function can't fail and it is possible that zero
  1578. * introduction points can be decoded. */
  1579. static void
  1580. decode_intro_points(const hs_descriptor_t *desc,
  1581. hs_desc_encrypted_data_t *desc_enc,
  1582. const char *data)
  1583. {
  1584. smartlist_t *chunked_desc = smartlist_new();
  1585. smartlist_t *intro_points = smartlist_new();
  1586. tor_assert(desc);
  1587. tor_assert(desc_enc);
  1588. tor_assert(data);
  1589. tor_assert(desc_enc->intro_points);
  1590. /* Take the desc string, and extract the intro point substrings out of it */
  1591. {
  1592. /* Split the descriptor string using the intro point header as delimiter */
  1593. smartlist_split_string(chunked_desc, data, str_intro_point_start, 0, 0);
  1594. /* Check if there are actually any intro points included. The first chunk
  1595. * should be other descriptor fields (e.g. create2-formats), so it's not an
  1596. * intro point. */
  1597. if (smartlist_len(chunked_desc) < 2) {
  1598. goto done;
  1599. }
  1600. }
  1601. /* Take the intro point substrings, and prepare them for parsing */
  1602. {
  1603. int i = 0;
  1604. /* Prepend the introduction-point header to all the chunks, since
  1605. smartlist_split_string() devoured it. */
  1606. SMARTLIST_FOREACH_BEGIN(chunked_desc, char *, chunk) {
  1607. /* Ignore first chunk. It's other descriptor fields. */
  1608. if (i++ == 0) {
  1609. continue;
  1610. }
  1611. smartlist_add_asprintf(intro_points, "%s %s", str_intro_point, chunk);
  1612. } SMARTLIST_FOREACH_END(chunk);
  1613. }
  1614. /* Parse the intro points! */
  1615. SMARTLIST_FOREACH_BEGIN(intro_points, const char *, intro_point) {
  1616. hs_desc_intro_point_t *ip = decode_introduction_point(desc, intro_point);
  1617. if (!ip) {
  1618. /* Malformed introduction point section. We'll ignore this introduction
  1619. * point and continue parsing. New or unknown fields are possible for
  1620. * forward compatibility. */
  1621. continue;
  1622. }
  1623. smartlist_add(desc_enc->intro_points, ip);
  1624. } SMARTLIST_FOREACH_END(intro_point);
  1625. done:
  1626. SMARTLIST_FOREACH(chunked_desc, char *, a, tor_free(a));
  1627. smartlist_free(chunked_desc);
  1628. SMARTLIST_FOREACH(intro_points, char *, a, tor_free(a));
  1629. smartlist_free(intro_points);
  1630. }
  1631. /* Return 1 iff the given base64 encoded signature in b64_sig from the encoded
  1632. * descriptor in encoded_desc validates the descriptor content. */
  1633. STATIC int
  1634. desc_sig_is_valid(const char *b64_sig,
  1635. const ed25519_public_key_t *signing_pubkey,
  1636. const char *encoded_desc, size_t encoded_len)
  1637. {
  1638. int ret = 0;
  1639. ed25519_signature_t sig;
  1640. const char *sig_start;
  1641. tor_assert(b64_sig);
  1642. tor_assert(signing_pubkey);
  1643. tor_assert(encoded_desc);
  1644. /* Verifying nothing won't end well :). */
  1645. tor_assert(encoded_len > 0);
  1646. /* Signature length check. */
  1647. if (strlen(b64_sig) != ED25519_SIG_BASE64_LEN) {
  1648. log_warn(LD_REND, "Service descriptor has an invalid signature length."
  1649. "Exptected %d but got %lu",
  1650. ED25519_SIG_BASE64_LEN, (unsigned long) strlen(b64_sig));
  1651. goto err;
  1652. }
  1653. /* First, convert base64 blob to an ed25519 signature. */
  1654. if (ed25519_signature_from_base64(&sig, b64_sig) != 0) {
  1655. log_warn(LD_REND, "Service descriptor does not contain a valid "
  1656. "signature");
  1657. goto err;
  1658. }
  1659. /* Find the start of signature. */
  1660. sig_start = tor_memstr(encoded_desc, encoded_len, "\n" str_signature);
  1661. /* Getting here means the token parsing worked for the signature so if we
  1662. * can't find the start of the signature, we have a code flow issue. */
  1663. if (!sig_start) {
  1664. log_warn(LD_GENERAL, "Malformed signature line. Rejecting.");
  1665. goto err;
  1666. }
  1667. /* Skip newline, it has to go in the signature check. */
  1668. sig_start++;
  1669. /* Validate signature with the full body of the descriptor. */
  1670. if (ed25519_checksig_prefixed(&sig,
  1671. (const uint8_t *) encoded_desc,
  1672. sig_start - encoded_desc,
  1673. str_desc_sig_prefix,
  1674. signing_pubkey) != 0) {
  1675. log_warn(LD_REND, "Invalid signature on service descriptor");
  1676. goto err;
  1677. }
  1678. /* Valid signature! All is good. */
  1679. ret = 1;
  1680. err:
  1681. return ret;
  1682. }
  1683. /* Decode descriptor plaintext data for version 3. Given a list of tokens, an
  1684. * allocated plaintext object that will be populated and the encoded
  1685. * descriptor with its length. The last one is needed for signature
  1686. * verification. Unknown tokens are simply ignored so this won't error on
  1687. * unknowns but requires that all v3 token be present and valid.
  1688. *
  1689. * Return 0 on success else a negative value. */
  1690. static int
  1691. desc_decode_plaintext_v3(smartlist_t *tokens,
  1692. hs_desc_plaintext_data_t *desc,
  1693. const char *encoded_desc, size_t encoded_len)
  1694. {
  1695. int ok;
  1696. directory_token_t *tok;
  1697. tor_assert(tokens);
  1698. tor_assert(desc);
  1699. /* Version higher could still use this function to decode most of the
  1700. * descriptor and then they decode the extra part. */
  1701. tor_assert(desc->version >= 3);
  1702. /* Descriptor lifetime parsing. */
  1703. tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
  1704. tor_assert(tok->n_args == 1);
  1705. desc->lifetime_sec = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
  1706. UINT32_MAX, &ok, NULL);
  1707. if (!ok) {
  1708. log_warn(LD_REND, "Service descriptor lifetime value is invalid");
  1709. goto err;
  1710. }
  1711. /* Put it from minute to second. */
  1712. desc->lifetime_sec *= 60;
  1713. if (desc->lifetime_sec > HS_DESC_MAX_LIFETIME) {
  1714. log_warn(LD_REND, "Service descriptor lifetime is too big. "
  1715. "Got %" PRIu32 " but max is %d",
  1716. desc->lifetime_sec, HS_DESC_MAX_LIFETIME);
  1717. goto err;
  1718. }
  1719. /* Descriptor signing certificate. */
  1720. tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
  1721. tor_assert(tok->object_body);
  1722. /* Expecting a prop220 cert with the signing key extension, which contains
  1723. * the blinded public key. */
  1724. if (strcmp(tok->object_type, "ED25519 CERT") != 0) {
  1725. log_warn(LD_REND, "Service descriptor signing cert wrong type (%s)",
  1726. escaped(tok->object_type));
  1727. goto err;
  1728. }
  1729. if (cert_parse_and_validate(&desc->signing_key_cert, tok->object_body,
  1730. tok->object_size, CERT_TYPE_SIGNING_HS_DESC,
  1731. "service descriptor signing key") < 0) {
  1732. goto err;
  1733. }
  1734. /* Copy the public keys into signing_pubkey and blinded_pubkey */
  1735. memcpy(&desc->signing_pubkey, &desc->signing_key_cert->signed_key,
  1736. sizeof(ed25519_public_key_t));
  1737. memcpy(&desc->blinded_pubkey, &desc->signing_key_cert->signing_key,
  1738. sizeof(ed25519_public_key_t));
  1739. /* Extract revision counter value. */
  1740. tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
  1741. tor_assert(tok->n_args == 1);
  1742. desc->revision_counter = tor_parse_uint64(tok->args[0], 10, 0,
  1743. UINT64_MAX, &ok, NULL);
  1744. if (!ok) {
  1745. log_warn(LD_REND, "Service descriptor revision-counter is invalid");
  1746. goto err;
  1747. }
  1748. /* Extract the encrypted data section. */
  1749. tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
  1750. tor_assert(tok->object_body);
  1751. if (strcmp(tok->object_type, "MESSAGE") != 0) {
  1752. log_warn(LD_REND, "Service descriptor encrypted data section is invalid");
  1753. goto err;
  1754. }
  1755. /* Make sure the length of the encrypted blob is valid. */
  1756. if (!encrypted_data_length_is_valid(tok->object_size)) {
  1757. goto err;
  1758. }
  1759. /* Copy the encrypted blob to the descriptor object so we can handle it
  1760. * latter if needed. */
  1761. desc->superencrypted_blob = tor_memdup(tok->object_body, tok->object_size);
  1762. desc->superencrypted_blob_size = tok->object_size;
  1763. /* Extract signature and verify it. */
  1764. tok = find_by_keyword(tokens, R3_SIGNATURE);
  1765. tor_assert(tok->n_args == 1);
  1766. /* First arg here is the actual encoded signature. */
  1767. if (!desc_sig_is_valid(tok->args[0], &desc->signing_pubkey,
  1768. encoded_desc, encoded_len)) {
  1769. goto err;
  1770. }
  1771. return 0;
  1772. err:
  1773. return -1;
  1774. }
  1775. /* Decode the version 3 encrypted section of the given descriptor desc. The
  1776. * desc_encrypted_out will be populated with the decoded data. Return 0 on
  1777. * success else -1. */
  1778. static int
  1779. desc_decode_encrypted_v3(const hs_descriptor_t *desc,
  1780. hs_desc_encrypted_data_t *desc_encrypted_out)
  1781. {
  1782. int result = -1;
  1783. char *message = NULL;
  1784. size_t message_len;
  1785. memarea_t *area = NULL;
  1786. directory_token_t *tok;
  1787. smartlist_t *tokens = NULL;
  1788. tor_assert(desc);
  1789. tor_assert(desc_encrypted_out);
  1790. /* Decrypt the superencrypted data that is located in the plaintext section
  1791. * in the descriptor as a blob of bytes. */
  1792. message_len = desc_decrypt_all(desc, &message);
  1793. if (!message_len) {
  1794. log_warn(LD_REND, "Service descriptor decryption failed.");
  1795. goto err;
  1796. }
  1797. tor_assert(message);
  1798. area = memarea_new();
  1799. tokens = smartlist_new();
  1800. if (tokenize_string(area, message, message + message_len,
  1801. tokens, hs_desc_encrypted_v3_token_table, 0) < 0) {
  1802. log_warn(LD_REND, "Encrypted service descriptor is not parseable.");
  1803. goto err;
  1804. }
  1805. /* CREATE2 supported cell format. It's mandatory. */
  1806. tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
  1807. tor_assert(tok);
  1808. decode_create2_list(desc_encrypted_out, tok->args[0]);
  1809. /* Must support ntor according to the specification */
  1810. if (!desc_encrypted_out->create2_ntor) {
  1811. log_warn(LD_REND, "Service create2-formats does not include ntor.");
  1812. goto err;
  1813. }
  1814. /* Authentication type. It's optional but only once. */
  1815. tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
  1816. if (tok) {
  1817. if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
  1818. log_warn(LD_REND, "Service descriptor authentication type has "
  1819. "invalid entry(ies).");
  1820. goto err;
  1821. }
  1822. }
  1823. /* Is this service a single onion service? */
  1824. tok = find_opt_by_keyword(tokens, R3_SINGLE_ONION_SERVICE);
  1825. if (tok) {
  1826. desc_encrypted_out->single_onion_service = 1;
  1827. }
  1828. /* Initialize the descriptor's introduction point list before we start
  1829. * decoding. Having 0 intro point is valid. Then decode them all. */
  1830. desc_encrypted_out->intro_points = smartlist_new();
  1831. decode_intro_points(desc, desc_encrypted_out, message);
  1832. /* Validation of maximum introduction points allowed. */
  1833. if (smartlist_len(desc_encrypted_out->intro_points) >
  1834. HS_CONFIG_V3_MAX_INTRO_POINTS) {
  1835. log_warn(LD_REND, "Service descriptor contains too many introduction "
  1836. "points. Maximum allowed is %d but we have %d",
  1837. HS_CONFIG_V3_MAX_INTRO_POINTS,
  1838. smartlist_len(desc_encrypted_out->intro_points));
  1839. goto err;
  1840. }
  1841. /* NOTE: Unknown fields are allowed because this function could be used to
  1842. * decode other descriptor version. */
  1843. result = 0;
  1844. goto done;
  1845. err:
  1846. tor_assert(result < 0);
  1847. desc_encrypted_data_free_contents(desc_encrypted_out);
  1848. done:
  1849. if (tokens) {
  1850. SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
  1851. smartlist_free(tokens);
  1852. }
  1853. if (area) {
  1854. memarea_drop_all(area);
  1855. }
  1856. if (message) {
  1857. tor_free(message);
  1858. }
  1859. return result;
  1860. }
  1861. /* Table of encrypted decode function version specific. The function are
  1862. * indexed by the version number so v3 callback is at index 3 in the array. */
  1863. static int
  1864. (*decode_encrypted_handlers[])(
  1865. const hs_descriptor_t *desc,
  1866. hs_desc_encrypted_data_t *desc_encrypted) =
  1867. {
  1868. /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
  1869. desc_decode_encrypted_v3,
  1870. };
  1871. /* Decode the encrypted data section of the given descriptor and store the
  1872. * data in the given encrypted data object. Return 0 on success else a
  1873. * negative value on error. */
  1874. int
  1875. hs_desc_decode_encrypted(const hs_descriptor_t *desc,
  1876. hs_desc_encrypted_data_t *desc_encrypted)
  1877. {
  1878. int ret;
  1879. uint32_t version;
  1880. tor_assert(desc);
  1881. /* Ease our life a bit. */
  1882. version = desc->plaintext_data.version;
  1883. tor_assert(desc_encrypted);
  1884. /* Calling this function without an encrypted blob to parse is a code flow
  1885. * error. The plaintext parsing should never succeed in the first place
  1886. * without an encrypted section. */
  1887. tor_assert(desc->plaintext_data.superencrypted_blob);
  1888. /* Let's make sure we have a supported version as well. By correctly parsing
  1889. * the plaintext, this should not fail. */
  1890. if (BUG(!hs_desc_is_supported_version(version))) {
  1891. ret = -1;
  1892. goto err;
  1893. }
  1894. /* Extra precaution. Having no handler for the supported version should
  1895. * never happened else we forgot to add it but we bumped the version. */
  1896. tor_assert(ARRAY_LENGTH(decode_encrypted_handlers) >= version);
  1897. tor_assert(decode_encrypted_handlers[version]);
  1898. /* Run the version specific plaintext decoder. */
  1899. ret = decode_encrypted_handlers[version](desc, desc_encrypted);
  1900. if (ret < 0) {
  1901. goto err;
  1902. }
  1903. err:
  1904. return ret;
  1905. }
  1906. /* Table of plaintext decode function version specific. The function are
  1907. * indexed by the version number so v3 callback is at index 3 in the array. */
  1908. static int
  1909. (*decode_plaintext_handlers[])(
  1910. smartlist_t *tokens,
  1911. hs_desc_plaintext_data_t *desc,
  1912. const char *encoded_desc,
  1913. size_t encoded_len) =
  1914. {
  1915. /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
  1916. desc_decode_plaintext_v3,
  1917. };
  1918. /* Fully decode the given descriptor plaintext and store the data in the
  1919. * plaintext data object. Returns 0 on success else a negative value. */
  1920. int
  1921. hs_desc_decode_plaintext(const char *encoded,
  1922. hs_desc_plaintext_data_t *plaintext)
  1923. {
  1924. int ok = 0, ret = -1;
  1925. memarea_t *area = NULL;
  1926. smartlist_t *tokens = NULL;
  1927. size_t encoded_len;
  1928. directory_token_t *tok;
  1929. tor_assert(encoded);
  1930. tor_assert(plaintext);
  1931. /* Check that descriptor is within size limits. */
  1932. encoded_len = strlen(encoded);
  1933. if (encoded_len >= hs_cache_get_max_descriptor_size()) {
  1934. log_warn(LD_REND, "Service descriptor is too big (%lu bytes)",
  1935. (unsigned long) encoded_len);
  1936. goto err;
  1937. }
  1938. area = memarea_new();
  1939. tokens = smartlist_new();
  1940. /* Tokenize the descriptor so we can start to parse it. */
  1941. if (tokenize_string(area, encoded, encoded + encoded_len, tokens,
  1942. hs_desc_v3_token_table, 0) < 0) {
  1943. log_warn(LD_REND, "Service descriptor is not parseable");
  1944. goto err;
  1945. }
  1946. /* Get the version of the descriptor which is the first mandatory field of
  1947. * the descriptor. From there, we'll decode the right descriptor version. */
  1948. tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
  1949. tor_assert(tok->n_args == 1);
  1950. plaintext->version = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
  1951. UINT32_MAX, &ok, NULL);
  1952. if (!ok) {
  1953. log_warn(LD_REND, "Service descriptor has unparseable version %s",
  1954. escaped(tok->args[0]));
  1955. goto err;
  1956. }
  1957. if (!hs_desc_is_supported_version(plaintext->version)) {
  1958. log_warn(LD_REND, "Service descriptor has unsupported version %" PRIu32,
  1959. plaintext->version);
  1960. goto err;
  1961. }
  1962. /* Extra precaution. Having no handler for the supported version should
  1963. * never happened else we forgot to add it but we bumped the version. */
  1964. tor_assert(ARRAY_LENGTH(decode_plaintext_handlers) >= plaintext->version);
  1965. tor_assert(decode_plaintext_handlers[plaintext->version]);
  1966. /* Run the version specific plaintext decoder. */
  1967. ret = decode_plaintext_handlers[plaintext->version](tokens, plaintext,
  1968. encoded, encoded_len);
  1969. if (ret < 0) {
  1970. goto err;
  1971. }
  1972. /* Success. Descriptor has been populated with the data. */
  1973. ret = 0;
  1974. err:
  1975. if (tokens) {
  1976. SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
  1977. smartlist_free(tokens);
  1978. }
  1979. if (area) {
  1980. memarea_drop_all(area);
  1981. }
  1982. return ret;
  1983. }
  1984. /* Fully decode an encoded descriptor and set a newly allocated descriptor
  1985. * object in desc_out. Subcredentials are used if not NULL else it's ignored.
  1986. *
  1987. * Return 0 on success. A negative value is returned on error and desc_out is
  1988. * set to NULL. */
  1989. int
  1990. hs_desc_decode_descriptor(const char *encoded,
  1991. const uint8_t *subcredential,
  1992. hs_descriptor_t **desc_out)
  1993. {
  1994. int ret = -1;
  1995. hs_descriptor_t *desc;
  1996. tor_assert(encoded);
  1997. desc = tor_malloc_zero(sizeof(hs_descriptor_t));
  1998. /* Subcredentials are optional. */
  1999. if (BUG(!subcredential)) {
  2000. log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!");
  2001. goto err;
  2002. }
  2003. memcpy(desc->subcredential, subcredential, sizeof(desc->subcredential));
  2004. ret = hs_desc_decode_plaintext(encoded, &desc->plaintext_data);
  2005. if (ret < 0) {
  2006. goto err;
  2007. }
  2008. ret = hs_desc_decode_encrypted(desc, &desc->encrypted_data);
  2009. if (ret < 0) {
  2010. goto err;
  2011. }
  2012. if (desc_out) {
  2013. *desc_out = desc;
  2014. } else {
  2015. hs_descriptor_free(desc);
  2016. }
  2017. return ret;
  2018. err:
  2019. hs_descriptor_free(desc);
  2020. if (desc_out) {
  2021. *desc_out = NULL;
  2022. }
  2023. tor_assert(ret < 0);
  2024. return ret;
  2025. }
  2026. /* Table of encode function version specific. The functions are indexed by the
  2027. * version number so v3 callback is at index 3 in the array. */
  2028. static int
  2029. (*encode_handlers[])(
  2030. const hs_descriptor_t *desc,
  2031. const ed25519_keypair_t *signing_kp,
  2032. char **encoded_out) =
  2033. {
  2034. /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
  2035. desc_encode_v3,
  2036. };
  2037. /* Encode the given descriptor desc including signing with the given key pair
  2038. * signing_kp. On success, encoded_out points to a newly allocated NUL
  2039. * terminated string that contains the encoded descriptor as a string.
  2040. *
  2041. * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
  2042. * returned and encoded_out is set to NULL. */
  2043. MOCK_IMPL(int,
  2044. hs_desc_encode_descriptor,(const hs_descriptor_t *desc,
  2045. const ed25519_keypair_t *signing_kp,
  2046. char **encoded_out))
  2047. {
  2048. int ret = -1;
  2049. uint32_t version;
  2050. tor_assert(desc);
  2051. tor_assert(encoded_out);
  2052. /* Make sure we support the version of the descriptor format. */
  2053. version = desc->plaintext_data.version;
  2054. if (!hs_desc_is_supported_version(version)) {
  2055. goto err;
  2056. }
  2057. /* Extra precaution. Having no handler for the supported version should
  2058. * never happened else we forgot to add it but we bumped the version. */
  2059. tor_assert(ARRAY_LENGTH(encode_handlers) >= version);
  2060. tor_assert(encode_handlers[version]);
  2061. ret = encode_handlers[version](desc, signing_kp, encoded_out);
  2062. if (ret < 0) {
  2063. goto err;
  2064. }
  2065. /* Try to decode what we just encoded. Symmetry is nice! */
  2066. ret = hs_desc_decode_descriptor(*encoded_out, desc->subcredential, NULL);
  2067. if (BUG(ret < 0)) {
  2068. goto err;
  2069. }
  2070. return 0;
  2071. err:
  2072. *encoded_out = NULL;
  2073. return ret;
  2074. }
  2075. /* Free the descriptor plaintext data object. */
  2076. void
  2077. hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
  2078. {
  2079. desc_plaintext_data_free_contents(desc);
  2080. tor_free(desc);
  2081. }
  2082. /* Free the descriptor encrypted data object. */
  2083. void
  2084. hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
  2085. {
  2086. desc_encrypted_data_free_contents(desc);
  2087. tor_free(desc);
  2088. }
  2089. /* Free the given descriptor object. */
  2090. void
  2091. hs_descriptor_free_(hs_descriptor_t *desc)
  2092. {
  2093. if (!desc) {
  2094. return;
  2095. }
  2096. desc_plaintext_data_free_contents(&desc->plaintext_data);
  2097. desc_encrypted_data_free_contents(&desc->encrypted_data);
  2098. tor_free(desc);
  2099. }
  2100. /* Return the size in bytes of the given plaintext data object. A sizeof() is
  2101. * not enough because the object contains pointers and the encrypted blob.
  2102. * This is particularly useful for our OOM subsystem that tracks the HSDir
  2103. * cache size for instance. */
  2104. size_t
  2105. hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
  2106. {
  2107. tor_assert(data);
  2108. return (sizeof(*data) + sizeof(*data->signing_key_cert) +
  2109. data->superencrypted_blob_size);
  2110. }
  2111. /* Return the size in bytes of the given encrypted data object. Used by OOM
  2112. * subsystem. */
  2113. static size_t
  2114. hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
  2115. {
  2116. tor_assert(data);
  2117. size_t intro_size = 0;
  2118. if (data->intro_auth_types) {
  2119. intro_size +=
  2120. smartlist_len(data->intro_auth_types) * sizeof(intro_auth_types);
  2121. }
  2122. if (data->intro_points) {
  2123. /* XXX could follow pointers here and get more accurate size */
  2124. intro_size +=
  2125. smartlist_len(data->intro_points) * sizeof(hs_desc_intro_point_t);
  2126. }
  2127. return sizeof(*data) + intro_size;
  2128. }
  2129. /* Return the size in bytes of the given descriptor object. Used by OOM
  2130. * subsystem. */
  2131. size_t
  2132. hs_desc_obj_size(const hs_descriptor_t *data)
  2133. {
  2134. tor_assert(data);
  2135. return (hs_desc_plaintext_obj_size(&data->plaintext_data) +
  2136. hs_desc_encrypted_obj_size(&data->encrypted_data) +
  2137. sizeof(data->subcredential));
  2138. }
  2139. /* Return a newly allocated descriptor intro point. */
  2140. hs_desc_intro_point_t *
  2141. hs_desc_intro_point_new(void)
  2142. {
  2143. hs_desc_intro_point_t *ip = tor_malloc_zero(sizeof(*ip));
  2144. ip->link_specifiers = smartlist_new();
  2145. return ip;
  2146. }
  2147. /* Free a descriptor intro point object. */
  2148. void
  2149. hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
  2150. {
  2151. if (ip == NULL) {
  2152. return;
  2153. }
  2154. if (ip->link_specifiers) {
  2155. SMARTLIST_FOREACH(ip->link_specifiers, hs_desc_link_specifier_t *,
  2156. ls, hs_desc_link_specifier_free(ls));
  2157. smartlist_free(ip->link_specifiers);
  2158. }
  2159. tor_cert_free(ip->auth_key_cert);
  2160. tor_cert_free(ip->enc_key_cert);
  2161. crypto_pk_free(ip->legacy.key);
  2162. tor_free(ip->legacy.cert.encoded);
  2163. tor_free(ip);
  2164. }
  2165. /* Free the given descriptor link specifier. */
  2166. void
  2167. hs_desc_link_specifier_free_(hs_desc_link_specifier_t *ls)
  2168. {
  2169. if (ls == NULL) {
  2170. return;
  2171. }
  2172. tor_free(ls);
  2173. }
  2174. /* Return a newly allocated descriptor link specifier using the given extend
  2175. * info and requested type. Return NULL on error. */
  2176. hs_desc_link_specifier_t *
  2177. hs_desc_link_specifier_new(const extend_info_t *info, uint8_t type)
  2178. {
  2179. hs_desc_link_specifier_t *ls = NULL;
  2180. tor_assert(info);
  2181. ls = tor_malloc_zero(sizeof(*ls));
  2182. ls->type = type;
  2183. switch (ls->type) {
  2184. case LS_IPV4:
  2185. if (info->addr.family != AF_INET) {
  2186. goto err;
  2187. }
  2188. tor_addr_copy(&ls->u.ap.addr, &info->addr);
  2189. ls->u.ap.port = info->port;
  2190. break;
  2191. case LS_IPV6:
  2192. if (info->addr.family != AF_INET6) {
  2193. goto err;
  2194. }
  2195. tor_addr_copy(&ls->u.ap.addr, &info->addr);
  2196. ls->u.ap.port = info->port;
  2197. break;
  2198. case LS_LEGACY_ID:
  2199. /* Bug out if the identity digest is not set */
  2200. if (BUG(tor_mem_is_zero(info->identity_digest,
  2201. sizeof(info->identity_digest)))) {
  2202. goto err;
  2203. }
  2204. memcpy(ls->u.legacy_id, info->identity_digest, sizeof(ls->u.legacy_id));
  2205. break;
  2206. case LS_ED25519_ID:
  2207. /* ed25519 keys are optional for intro points */
  2208. if (ed25519_public_key_is_zero(&info->ed_identity)) {
  2209. goto err;
  2210. }
  2211. memcpy(ls->u.ed25519_id, info->ed_identity.pubkey,
  2212. sizeof(ls->u.ed25519_id));
  2213. break;
  2214. default:
  2215. /* Unknown type is code flow error. */
  2216. tor_assert(0);
  2217. }
  2218. return ls;
  2219. err:
  2220. tor_free(ls);
  2221. return NULL;
  2222. }
  2223. /* From the given descriptor, remove and free every introduction point. */
  2224. void
  2225. hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
  2226. {
  2227. smartlist_t *ips;
  2228. tor_assert(desc);
  2229. ips = desc->encrypted_data.intro_points;
  2230. if (ips) {
  2231. SMARTLIST_FOREACH(ips, hs_desc_intro_point_t *,
  2232. ip, hs_desc_intro_point_free(ip));
  2233. smartlist_clear(ips);
  2234. }
  2235. }
  2236. /* From a descriptor link specifier object spec, returned a newly allocated
  2237. * link specifier object that is the encoded representation of spec. Return
  2238. * NULL on error. */
  2239. link_specifier_t *
  2240. hs_desc_lspec_to_trunnel(const hs_desc_link_specifier_t *spec)
  2241. {
  2242. tor_assert(spec);
  2243. link_specifier_t *ls = link_specifier_new();
  2244. link_specifier_set_ls_type(ls, spec->type);
  2245. switch (spec->type) {
  2246. case LS_IPV4:
  2247. link_specifier_set_un_ipv4_addr(ls,
  2248. tor_addr_to_ipv4h(&spec->u.ap.addr));
  2249. link_specifier_set_un_ipv4_port(ls, spec->u.ap.port);
  2250. /* Four bytes IPv4 and two bytes port. */
  2251. link_specifier_set_ls_len(ls, sizeof(spec->u.ap.addr.addr.in_addr) +
  2252. sizeof(spec->u.ap.port));
  2253. break;
  2254. case LS_IPV6:
  2255. {
  2256. size_t addr_len = link_specifier_getlen_un_ipv6_addr(ls);
  2257. const uint8_t *in6_addr = tor_addr_to_in6_addr8(&spec->u.ap.addr);
  2258. uint8_t *ipv6_array = link_specifier_getarray_un_ipv6_addr(ls);
  2259. memcpy(ipv6_array, in6_addr, addr_len);
  2260. link_specifier_set_un_ipv6_port(ls, spec->u.ap.port);
  2261. /* Sixteen bytes IPv6 and two bytes port. */
  2262. link_specifier_set_ls_len(ls, addr_len + sizeof(spec->u.ap.port));
  2263. break;
  2264. }
  2265. case LS_LEGACY_ID:
  2266. {
  2267. size_t legacy_id_len = link_specifier_getlen_un_legacy_id(ls);
  2268. uint8_t *legacy_id_array = link_specifier_getarray_un_legacy_id(ls);
  2269. memcpy(legacy_id_array, spec->u.legacy_id, legacy_id_len);
  2270. link_specifier_set_ls_len(ls, legacy_id_len);
  2271. break;
  2272. }
  2273. case LS_ED25519_ID:
  2274. {
  2275. size_t ed25519_id_len = link_specifier_getlen_un_ed25519_id(ls);
  2276. uint8_t *ed25519_id_array = link_specifier_getarray_un_ed25519_id(ls);
  2277. memcpy(ed25519_id_array, spec->u.ed25519_id, ed25519_id_len);
  2278. link_specifier_set_ls_len(ls, ed25519_id_len);
  2279. break;
  2280. }
  2281. default:
  2282. tor_assert_nonfatal_unreached();
  2283. link_specifier_free(ls);
  2284. ls = NULL;
  2285. }
  2286. return ls;
  2287. }