hs_cell.c 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948
  1. /* Copyright (c) 2017, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file hs_cell.c
  5. * \brief Hidden service API for cell creation and handling.
  6. **/
  7. #include "or.h"
  8. #include "config.h"
  9. #include "rendservice.h"
  10. #include "replaycache.h"
  11. #include "util.h"
  12. #include "hs_cell.h"
  13. #include "hs_ntor.h"
  14. /* Trunnel. */
  15. #include "ed25519_cert.h"
  16. #include "hs/cell_common.h"
  17. #include "hs/cell_establish_intro.h"
  18. #include "hs/cell_introduce1.h"
  19. #include "hs/cell_rendezvous.h"
  20. /* Compute the MAC of an INTRODUCE cell in mac_out. The encoded_cell param is
  21. * the cell content up to the ENCRYPTED section of length encoded_cell_len.
  22. * The encrypted param is the start of the ENCRYPTED section of length
  23. * encrypted_len. The mac_key is the key needed for the computation of the MAC
  24. * derived from the ntor handshake of length mac_key_len.
  25. *
  26. * The length mac_out_len must be at least DIGEST256_LEN. */
  27. static void
  28. compute_introduce_mac(const uint8_t *encoded_cell, size_t encoded_cell_len,
  29. const uint8_t *encrypted, size_t encrypted_len,
  30. const uint8_t *mac_key, size_t mac_key_len,
  31. uint8_t *mac_out, size_t mac_out_len)
  32. {
  33. size_t offset = 0;
  34. size_t mac_msg_len;
  35. uint8_t mac_msg[RELAY_PAYLOAD_SIZE] = {0};
  36. tor_assert(encoded_cell);
  37. tor_assert(encrypted);
  38. tor_assert(mac_key);
  39. tor_assert(mac_out);
  40. tor_assert(mac_out_len >= DIGEST256_LEN);
  41. /* Compute the size of the message which is basically the entire cell until
  42. * the MAC field of course. */
  43. mac_msg_len = encoded_cell_len + (encrypted_len - DIGEST256_LEN);
  44. tor_assert(mac_msg_len <= sizeof(mac_msg));
  45. /* First, put the encoded cell in the msg. */
  46. memcpy(mac_msg, encoded_cell, encoded_cell_len);
  47. offset += encoded_cell_len;
  48. /* Second, put the CLIENT_PK + ENCRYPTED_DATA but ommit the MAC field (which
  49. * is junk at this point). */
  50. memcpy(mac_msg + offset, encrypted, (encrypted_len - DIGEST256_LEN));
  51. offset += (encrypted_len - DIGEST256_LEN);
  52. tor_assert(offset == mac_msg_len);
  53. crypto_mac_sha3_256(mac_out, mac_out_len,
  54. mac_key, mac_key_len,
  55. mac_msg, mac_msg_len);
  56. memwipe(mac_msg, 0, sizeof(mac_msg));
  57. }
  58. /* From a set of keys, subcredential and the ENCRYPTED section of an
  59. * INTRODUCE2 cell, return a newly allocated intro cell keys structure.
  60. * Finally, the client public key is copied in client_pk. On error, return
  61. * NULL. */
  62. static hs_ntor_intro_cell_keys_t *
  63. get_introduce2_key_material(const ed25519_public_key_t *auth_key,
  64. const curve25519_keypair_t *enc_key,
  65. const uint8_t *subcredential,
  66. const uint8_t *encrypted_section,
  67. curve25519_public_key_t *client_pk)
  68. {
  69. hs_ntor_intro_cell_keys_t *keys;
  70. tor_assert(auth_key);
  71. tor_assert(enc_key);
  72. tor_assert(subcredential);
  73. tor_assert(encrypted_section);
  74. tor_assert(client_pk);
  75. keys = tor_malloc_zero(sizeof(*keys));
  76. /* First bytes of the ENCRYPTED section are the client public key. */
  77. memcpy(client_pk->public_key, encrypted_section, CURVE25519_PUBKEY_LEN);
  78. if (hs_ntor_service_get_introduce1_keys(auth_key, enc_key, client_pk,
  79. subcredential, keys) < 0) {
  80. /* Don't rely on the caller to wipe this on error. */
  81. memwipe(client_pk, 0, sizeof(curve25519_public_key_t));
  82. tor_free(keys);
  83. keys = NULL;
  84. }
  85. return keys;
  86. }
  87. /* Using the given encryption key, decrypt the encrypted_section of length
  88. * encrypted_section_len of an INTRODUCE2 cell and return a newly allocated
  89. * buffer containing the decrypted data. On decryption failure, NULL is
  90. * returned. */
  91. static uint8_t *
  92. decrypt_introduce2(const uint8_t *enc_key, const uint8_t *encrypted_section,
  93. size_t encrypted_section_len)
  94. {
  95. uint8_t *decrypted = NULL;
  96. crypto_cipher_t *cipher = NULL;
  97. tor_assert(enc_key);
  98. tor_assert(encrypted_section);
  99. /* Decrypt ENCRYPTED section. */
  100. cipher = crypto_cipher_new_with_bits((char *) enc_key,
  101. CURVE25519_PUBKEY_LEN * 8);
  102. tor_assert(cipher);
  103. /* This is symmetric encryption so can't be bigger than the encrypted
  104. * section length. */
  105. decrypted = tor_malloc_zero(encrypted_section_len);
  106. if (crypto_cipher_decrypt(cipher, (char *) decrypted,
  107. (const char *) encrypted_section,
  108. encrypted_section_len) < 0) {
  109. tor_free(decrypted);
  110. decrypted = NULL;
  111. goto done;
  112. }
  113. done:
  114. crypto_cipher_free(cipher);
  115. return decrypted;
  116. }
  117. /* Given a pointer to the decrypted data of the ENCRYPTED section of an
  118. * INTRODUCE2 cell of length decrypted_len, parse and validate the cell
  119. * content. Return a newly allocated cell structure or NULL on error. The
  120. * circuit and service object are only used for logging purposes. */
  121. static trn_cell_introduce_encrypted_t *
  122. parse_introduce2_encrypted(const uint8_t *decrypted_data,
  123. size_t decrypted_len, const origin_circuit_t *circ,
  124. const hs_service_t *service)
  125. {
  126. trn_cell_introduce_encrypted_t *enc_cell = NULL;
  127. tor_assert(decrypted_data);
  128. tor_assert(circ);
  129. tor_assert(service);
  130. if (trn_cell_introduce_encrypted_parse(&enc_cell, decrypted_data,
  131. decrypted_len) < 0) {
  132. log_info(LD_REND, "Unable to parse the decrypted ENCRYPTED section of "
  133. "the INTRODUCE2 cell on circuit %u for service %s",
  134. TO_CIRCUIT(circ)->n_circ_id,
  135. safe_str_client(service->onion_address));
  136. goto err;
  137. }
  138. if (trn_cell_introduce_encrypted_get_onion_key_type(enc_cell) !=
  139. HS_CELL_ONION_KEY_TYPE_NTOR) {
  140. log_info(LD_REND, "INTRODUCE2 onion key type is invalid. Got %u but "
  141. "expected %u on circuit %u for service %s",
  142. trn_cell_introduce_encrypted_get_onion_key_type(enc_cell),
  143. HS_CELL_ONION_KEY_TYPE_NTOR, TO_CIRCUIT(circ)->n_circ_id,
  144. safe_str_client(service->onion_address));
  145. goto err;
  146. }
  147. if (trn_cell_introduce_encrypted_getlen_onion_key(enc_cell) !=
  148. CURVE25519_PUBKEY_LEN) {
  149. log_info(LD_REND, "INTRODUCE2 onion key length is invalid. Got %u but "
  150. "expected %d on circuit %u for service %s",
  151. (unsigned)trn_cell_introduce_encrypted_getlen_onion_key(enc_cell),
  152. CURVE25519_PUBKEY_LEN, TO_CIRCUIT(circ)->n_circ_id,
  153. safe_str_client(service->onion_address));
  154. goto err;
  155. }
  156. /* XXX: Validate NSPEC field as well. */
  157. return enc_cell;
  158. err:
  159. trn_cell_introduce_encrypted_free(enc_cell);
  160. return NULL;
  161. }
  162. /* Build a legacy ESTABLISH_INTRO cell with the given circuit nonce and RSA
  163. * encryption key. The encoded cell is put in cell_out that MUST at least be
  164. * of the size of RELAY_PAYLOAD_SIZE. Return the encoded cell length on
  165. * success else a negative value and cell_out is untouched. */
  166. static ssize_t
  167. build_legacy_establish_intro(const char *circ_nonce, crypto_pk_t *enc_key,
  168. uint8_t *cell_out)
  169. {
  170. ssize_t cell_len;
  171. tor_assert(circ_nonce);
  172. tor_assert(enc_key);
  173. tor_assert(cell_out);
  174. memwipe(cell_out, 0, RELAY_PAYLOAD_SIZE);
  175. cell_len = rend_service_encode_establish_intro_cell((char*)cell_out,
  176. RELAY_PAYLOAD_SIZE,
  177. enc_key, circ_nonce);
  178. return cell_len;
  179. }
  180. /* Parse an INTRODUCE2 cell from payload of size payload_len for the given
  181. * service and circuit which are used only for logging purposes. The resulting
  182. * parsed cell is put in cell_ptr_out.
  183. *
  184. * This function only parses prop224 INTRODUCE2 cells even when the intro point
  185. * is a legacy intro point. That's because intro points don't actually care
  186. * about the contents of the introduce cell. Legacy INTRODUCE cells are only
  187. * used by the legacy system now.
  188. *
  189. * Return 0 on success else a negative value and cell_ptr_out is untouched. */
  190. static int
  191. parse_introduce2_cell(const hs_service_t *service,
  192. const origin_circuit_t *circ, const uint8_t *payload,
  193. size_t payload_len,
  194. trn_cell_introduce1_t **cell_ptr_out)
  195. {
  196. trn_cell_introduce1_t *cell = NULL;
  197. tor_assert(service);
  198. tor_assert(circ);
  199. tor_assert(payload);
  200. tor_assert(cell_ptr_out);
  201. /* Parse the cell so we can start cell validation. */
  202. if (trn_cell_introduce1_parse(&cell, payload, payload_len) < 0) {
  203. log_info(LD_PROTOCOL, "Unable to parse INTRODUCE2 cell on circuit %u "
  204. "for service %s",
  205. TO_CIRCUIT(circ)->n_circ_id,
  206. safe_str_client(service->onion_address));
  207. goto err;
  208. }
  209. /* Success. */
  210. *cell_ptr_out = cell;
  211. return 0;
  212. err:
  213. return -1;
  214. }
  215. /* Set the onion public key onion_pk in cell, the encrypted section of an
  216. * INTRODUCE1 cell. */
  217. static void
  218. introduce1_set_encrypted_onion_key(trn_cell_introduce_encrypted_t *cell,
  219. const uint8_t *onion_pk)
  220. {
  221. tor_assert(cell);
  222. tor_assert(onion_pk);
  223. /* There is only one possible key type for a non legacy cell. */
  224. trn_cell_introduce_encrypted_set_onion_key_type(cell,
  225. HS_CELL_ONION_KEY_TYPE_NTOR);
  226. trn_cell_introduce_encrypted_set_onion_key_len(cell, CURVE25519_PUBKEY_LEN);
  227. trn_cell_introduce_encrypted_setlen_onion_key(cell, CURVE25519_PUBKEY_LEN);
  228. memcpy(trn_cell_introduce_encrypted_getarray_onion_key(cell), onion_pk,
  229. trn_cell_introduce_encrypted_getlen_onion_key(cell));
  230. }
  231. /* Set the link specifiers in lspecs in cell, the encrypted section of an
  232. * INTRODUCE1 cell. */
  233. static void
  234. introduce1_set_encrypted_link_spec(trn_cell_introduce_encrypted_t *cell,
  235. const smartlist_t *lspecs)
  236. {
  237. tor_assert(cell);
  238. tor_assert(lspecs);
  239. tor_assert(smartlist_len(lspecs) > 0);
  240. tor_assert(smartlist_len(lspecs) <= UINT8_MAX);
  241. uint8_t lspecs_num = (uint8_t) smartlist_len(lspecs);
  242. trn_cell_introduce_encrypted_set_nspec(cell, lspecs_num);
  243. /* We aren't duplicating the link specifiers object here which means that
  244. * the ownership goes to the trn_cell_introduce_encrypted_t cell and those
  245. * object will be freed when the cell is. */
  246. SMARTLIST_FOREACH(lspecs, link_specifier_t *, ls,
  247. trn_cell_introduce_encrypted_add_nspecs(cell, ls));
  248. }
  249. /* Set padding in the enc_cell only if needed that is the total length of both
  250. * sections are below the mininum required for an INTRODUCE1 cell. */
  251. static void
  252. introduce1_set_encrypted_padding(const trn_cell_introduce1_t *cell,
  253. trn_cell_introduce_encrypted_t *enc_cell)
  254. {
  255. tor_assert(cell);
  256. tor_assert(enc_cell);
  257. /* This is the length we expect to have once encoded of the whole cell. */
  258. ssize_t full_len = trn_cell_introduce1_encoded_len(cell) +
  259. trn_cell_introduce_encrypted_encoded_len(enc_cell);
  260. tor_assert(full_len > 0);
  261. if (full_len < HS_CELL_INTRODUCE1_MIN_SIZE) {
  262. size_t padding = HS_CELL_INTRODUCE1_MIN_SIZE - full_len;
  263. trn_cell_introduce_encrypted_setlen_pad(enc_cell, padding);
  264. memset(trn_cell_introduce_encrypted_getarray_pad(enc_cell), 0,
  265. trn_cell_introduce_encrypted_getlen_pad(enc_cell));
  266. }
  267. }
  268. /* Encrypt the ENCRYPTED payload and encode it in the cell using the enc_cell
  269. * and the INTRODUCE1 data.
  270. *
  271. * This can't fail but it is very important that the caller sets every field
  272. * in data so the computation of the INTRODUCE1 keys doesn't fail. */
  273. static void
  274. introduce1_encrypt_and_encode(trn_cell_introduce1_t *cell,
  275. const trn_cell_introduce_encrypted_t *enc_cell,
  276. const hs_cell_introduce1_data_t *data)
  277. {
  278. size_t offset = 0;
  279. ssize_t encrypted_len;
  280. ssize_t encoded_cell_len, encoded_enc_cell_len;
  281. uint8_t encoded_cell[RELAY_PAYLOAD_SIZE] = {0};
  282. uint8_t encoded_enc_cell[RELAY_PAYLOAD_SIZE] = {0};
  283. uint8_t *encrypted = NULL;
  284. uint8_t mac[DIGEST256_LEN];
  285. crypto_cipher_t *cipher = NULL;
  286. hs_ntor_intro_cell_keys_t keys;
  287. tor_assert(cell);
  288. tor_assert(enc_cell);
  289. tor_assert(data);
  290. /* Encode the cells up to now of what we have to we can perform the MAC
  291. * computation on it. */
  292. encoded_cell_len = trn_cell_introduce1_encode(encoded_cell,
  293. sizeof(encoded_cell), cell);
  294. /* We have a much more serious issue if this isn't true. */
  295. tor_assert(encoded_cell_len > 0);
  296. encoded_enc_cell_len =
  297. trn_cell_introduce_encrypted_encode(encoded_enc_cell,
  298. sizeof(encoded_enc_cell), enc_cell);
  299. /* We have a much more serious issue if this isn't true. */
  300. tor_assert(encoded_enc_cell_len > 0);
  301. /* Get the key material for the encryption. */
  302. if (hs_ntor_client_get_introduce1_keys(data->auth_pk, data->enc_pk,
  303. data->client_kp,
  304. data->subcredential, &keys) < 0) {
  305. tor_assert_unreached();
  306. }
  307. /* Prepare cipher with the encryption key just computed. */
  308. cipher = crypto_cipher_new_with_bits((const char *) keys.enc_key,
  309. sizeof(keys.enc_key) * 8);
  310. tor_assert(cipher);
  311. /* Compute the length of the ENCRYPTED section which is the CLIENT_PK,
  312. * ENCRYPTED_DATA and MAC length. */
  313. encrypted_len = sizeof(data->client_kp->pubkey) + encoded_enc_cell_len +
  314. sizeof(mac);
  315. tor_assert(encrypted_len < RELAY_PAYLOAD_SIZE);
  316. encrypted = tor_malloc_zero(encrypted_len);
  317. /* Put the CLIENT_PK first. */
  318. memcpy(encrypted, data->client_kp->pubkey.public_key,
  319. sizeof(data->client_kp->pubkey.public_key));
  320. offset += sizeof(data->client_kp->pubkey.public_key);
  321. /* Then encrypt and set the ENCRYPTED_DATA. This can't fail. */
  322. crypto_cipher_encrypt(cipher, (char *) encrypted + offset,
  323. (const char *) encoded_enc_cell, encoded_enc_cell_len);
  324. crypto_cipher_free(cipher);
  325. offset += encoded_enc_cell_len;
  326. /* Compute MAC from the above and put it in the buffer. This function will
  327. * make the adjustment to the encryptled_len to ommit the MAC length. */
  328. compute_introduce_mac(encoded_cell, encoded_cell_len,
  329. encrypted, encrypted_len,
  330. keys.mac_key, sizeof(keys.mac_key),
  331. mac, sizeof(mac));
  332. memcpy(encrypted + offset, mac, sizeof(mac));
  333. offset += sizeof(mac);
  334. tor_assert(offset == (size_t) encrypted_len);
  335. /* Set the ENCRYPTED section in the cell. */
  336. trn_cell_introduce1_setlen_encrypted(cell, encrypted_len);
  337. memcpy(trn_cell_introduce1_getarray_encrypted(cell),
  338. encrypted, encrypted_len);
  339. /* Cleanup. */
  340. memwipe(&keys, 0, sizeof(keys));
  341. memwipe(mac, 0, sizeof(mac));
  342. memwipe(encrypted, 0, sizeof(encrypted_len));
  343. memwipe(encoded_enc_cell, 0, sizeof(encoded_enc_cell));
  344. tor_free(encrypted);
  345. }
  346. /* Using the INTRODUCE1 data, setup the ENCRYPTED section in cell. This means
  347. * set it, encrypt it and encode it. */
  348. static void
  349. introduce1_set_encrypted(trn_cell_introduce1_t *cell,
  350. const hs_cell_introduce1_data_t *data)
  351. {
  352. trn_cell_introduce_encrypted_t *enc_cell;
  353. trn_cell_extension_t *ext;
  354. tor_assert(cell);
  355. tor_assert(data);
  356. enc_cell = trn_cell_introduce_encrypted_new();
  357. tor_assert(enc_cell);
  358. /* Set extension data. None are used. */
  359. ext = trn_cell_extension_new();
  360. tor_assert(ext);
  361. trn_cell_extension_set_num(ext, 0);
  362. trn_cell_introduce_encrypted_set_extensions(enc_cell, ext);
  363. /* Set the rendezvous cookie. */
  364. memcpy(trn_cell_introduce_encrypted_getarray_rend_cookie(enc_cell),
  365. data->rendezvous_cookie, REND_COOKIE_LEN);
  366. /* Set the onion public key. */
  367. introduce1_set_encrypted_onion_key(enc_cell, data->onion_pk->public_key);
  368. /* Set the link specifiers. */
  369. introduce1_set_encrypted_link_spec(enc_cell, data->link_specifiers);
  370. /* Set padding. */
  371. introduce1_set_encrypted_padding(cell, enc_cell);
  372. /* Encrypt and encode it in the cell. */
  373. introduce1_encrypt_and_encode(cell, enc_cell, data);
  374. /* Cleanup. */
  375. trn_cell_introduce_encrypted_free(enc_cell);
  376. }
  377. /* Set the authentication key in the INTRODUCE1 cell from the given data. */
  378. static void
  379. introduce1_set_auth_key(trn_cell_introduce1_t *cell,
  380. const hs_cell_introduce1_data_t *data)
  381. {
  382. tor_assert(cell);
  383. tor_assert(data);
  384. /* There is only one possible type for a non legacy cell. */
  385. trn_cell_introduce1_set_auth_key_type(cell, HS_INTRO_AUTH_KEY_TYPE_ED25519);
  386. trn_cell_introduce1_set_auth_key_len(cell, ED25519_PUBKEY_LEN);
  387. trn_cell_introduce1_setlen_auth_key(cell, ED25519_PUBKEY_LEN);
  388. memcpy(trn_cell_introduce1_getarray_auth_key(cell),
  389. data->auth_pk->pubkey, trn_cell_introduce1_getlen_auth_key(cell));
  390. }
  391. /* Set the legacy ID field in the INTRODUCE1 cell from the given data. */
  392. static void
  393. introduce1_set_legacy_id(trn_cell_introduce1_t *cell,
  394. const hs_cell_introduce1_data_t *data)
  395. {
  396. tor_assert(cell);
  397. tor_assert(data);
  398. if (data->is_legacy) {
  399. uint8_t digest[DIGEST_LEN];
  400. if (BUG(crypto_pk_get_digest(data->legacy_key, (char *) digest) < 0)) {
  401. return;
  402. }
  403. memcpy(trn_cell_introduce1_getarray_legacy_key_id(cell),
  404. digest, trn_cell_introduce1_getlen_legacy_key_id(cell));
  405. } else {
  406. /* We have to zeroed the LEGACY_KEY_ID field. */
  407. memset(trn_cell_introduce1_getarray_legacy_key_id(cell), 0,
  408. trn_cell_introduce1_getlen_legacy_key_id(cell));
  409. }
  410. }
  411. /* ========== */
  412. /* Public API */
  413. /* ========== */
  414. /* Build an ESTABLISH_INTRO cell with the given circuit nonce and intro point
  415. * object. The encoded cell is put in cell_out that MUST at least be of the
  416. * size of RELAY_PAYLOAD_SIZE. Return the encoded cell length on success else
  417. * a negative value and cell_out is untouched. This function also supports
  418. * legacy cell creation. */
  419. ssize_t
  420. hs_cell_build_establish_intro(const char *circ_nonce,
  421. const hs_service_intro_point_t *ip,
  422. uint8_t *cell_out)
  423. {
  424. ssize_t cell_len = -1;
  425. uint16_t sig_len = ED25519_SIG_LEN;
  426. trn_cell_extension_t *ext;
  427. trn_cell_establish_intro_t *cell = NULL;
  428. tor_assert(circ_nonce);
  429. tor_assert(ip);
  430. /* Quickly handle the legacy IP. */
  431. if (ip->base.is_only_legacy) {
  432. tor_assert(ip->legacy_key);
  433. cell_len = build_legacy_establish_intro(circ_nonce, ip->legacy_key,
  434. cell_out);
  435. tor_assert(cell_len <= RELAY_PAYLOAD_SIZE);
  436. /* Success or not we are done here. */
  437. goto done;
  438. }
  439. /* Set extension data. None used here. */
  440. ext = trn_cell_extension_new();
  441. trn_cell_extension_set_num(ext, 0);
  442. cell = trn_cell_establish_intro_new();
  443. trn_cell_establish_intro_set_extensions(cell, ext);
  444. /* Set signature size. Array is then allocated in the cell. We need to do
  445. * this early so we can use trunnel API to get the signature length. */
  446. trn_cell_establish_intro_set_sig_len(cell, sig_len);
  447. trn_cell_establish_intro_setlen_sig(cell, sig_len);
  448. /* Set AUTH_KEY_TYPE: 2 means ed25519 */
  449. trn_cell_establish_intro_set_auth_key_type(cell,
  450. HS_INTRO_AUTH_KEY_TYPE_ED25519);
  451. /* Set AUTH_KEY and AUTH_KEY_LEN field. Must also set byte-length of
  452. * AUTH_KEY to match */
  453. {
  454. uint16_t auth_key_len = ED25519_PUBKEY_LEN;
  455. trn_cell_establish_intro_set_auth_key_len(cell, auth_key_len);
  456. trn_cell_establish_intro_setlen_auth_key(cell, auth_key_len);
  457. /* We do this call _after_ setting the length because it's reallocated at
  458. * that point only. */
  459. uint8_t *auth_key_ptr = trn_cell_establish_intro_getarray_auth_key(cell);
  460. memcpy(auth_key_ptr, ip->auth_key_kp.pubkey.pubkey, auth_key_len);
  461. }
  462. /* Calculate HANDSHAKE_AUTH field (MAC). */
  463. {
  464. ssize_t tmp_cell_enc_len = 0;
  465. ssize_t tmp_cell_mac_offset =
  466. sig_len + sizeof(cell->sig_len) +
  467. trn_cell_establish_intro_getlen_handshake_mac(cell);
  468. uint8_t tmp_cell_enc[RELAY_PAYLOAD_SIZE] = {0};
  469. uint8_t mac[TRUNNEL_SHA3_256_LEN], *handshake_ptr;
  470. /* We first encode the current fields we have in the cell so we can
  471. * compute the MAC using the raw bytes. */
  472. tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
  473. sizeof(tmp_cell_enc),
  474. cell);
  475. if (BUG(tmp_cell_enc_len < 0)) {
  476. goto done;
  477. }
  478. /* Sanity check. */
  479. tor_assert(tmp_cell_enc_len > tmp_cell_mac_offset);
  480. /* Circuit nonce is always DIGEST_LEN according to tor-spec.txt. */
  481. crypto_mac_sha3_256(mac, sizeof(mac),
  482. (uint8_t *) circ_nonce, DIGEST_LEN,
  483. tmp_cell_enc, tmp_cell_enc_len - tmp_cell_mac_offset);
  484. handshake_ptr = trn_cell_establish_intro_getarray_handshake_mac(cell);
  485. memcpy(handshake_ptr, mac, sizeof(mac));
  486. memwipe(mac, 0, sizeof(mac));
  487. memwipe(tmp_cell_enc, 0, sizeof(tmp_cell_enc));
  488. }
  489. /* Calculate the cell signature SIG. */
  490. {
  491. ssize_t tmp_cell_enc_len = 0;
  492. ssize_t tmp_cell_sig_offset = (sig_len + sizeof(cell->sig_len));
  493. uint8_t tmp_cell_enc[RELAY_PAYLOAD_SIZE] = {0}, *sig_ptr;
  494. ed25519_signature_t sig;
  495. /* We first encode the current fields we have in the cell so we can
  496. * compute the signature from the raw bytes of the cell. */
  497. tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
  498. sizeof(tmp_cell_enc),
  499. cell);
  500. if (BUG(tmp_cell_enc_len < 0)) {
  501. goto done;
  502. }
  503. if (ed25519_sign_prefixed(&sig, tmp_cell_enc,
  504. tmp_cell_enc_len - tmp_cell_sig_offset,
  505. ESTABLISH_INTRO_SIG_PREFIX, &ip->auth_key_kp)) {
  506. log_warn(LD_BUG, "Unable to make signature for ESTABLISH_INTRO cell.");
  507. goto done;
  508. }
  509. /* Copy the signature into the cell. */
  510. sig_ptr = trn_cell_establish_intro_getarray_sig(cell);
  511. memcpy(sig_ptr, sig.sig, sig_len);
  512. memwipe(tmp_cell_enc, 0, sizeof(tmp_cell_enc));
  513. }
  514. /* Encode the cell. Can't be bigger than a standard cell. */
  515. cell_len = trn_cell_establish_intro_encode(cell_out, RELAY_PAYLOAD_SIZE,
  516. cell);
  517. done:
  518. trn_cell_establish_intro_free(cell);
  519. return cell_len;
  520. }
  521. /* Parse the INTRO_ESTABLISHED cell in the payload of size payload_len. If we
  522. * are successful at parsing it, return the length of the parsed cell else a
  523. * negative value on error. */
  524. ssize_t
  525. hs_cell_parse_intro_established(const uint8_t *payload, size_t payload_len)
  526. {
  527. ssize_t ret;
  528. trn_cell_intro_established_t *cell = NULL;
  529. tor_assert(payload);
  530. /* Try to parse the payload into a cell making sure we do actually have a
  531. * valid cell. */
  532. ret = trn_cell_intro_established_parse(&cell, payload, payload_len);
  533. if (ret >= 0) {
  534. /* On success, we do not keep the cell, we just notify the caller that it
  535. * was successfully parsed. */
  536. trn_cell_intro_established_free(cell);
  537. }
  538. return ret;
  539. }
  540. /* Parsse the INTRODUCE2 cell using data which contains everything we need to
  541. * do so and contains the destination buffers of information we extract and
  542. * compute from the cell. Return 0 on success else a negative value. The
  543. * service and circ are only used for logging purposes. */
  544. ssize_t
  545. hs_cell_parse_introduce2(hs_cell_introduce2_data_t *data,
  546. const origin_circuit_t *circ,
  547. const hs_service_t *service)
  548. {
  549. int ret = -1;
  550. time_t elapsed;
  551. uint8_t *decrypted = NULL;
  552. size_t encrypted_section_len;
  553. const uint8_t *encrypted_section;
  554. trn_cell_introduce1_t *cell = NULL;
  555. trn_cell_introduce_encrypted_t *enc_cell = NULL;
  556. hs_ntor_intro_cell_keys_t *intro_keys = NULL;
  557. tor_assert(data);
  558. tor_assert(circ);
  559. tor_assert(service);
  560. /* Parse the cell into a decoded data structure pointed by cell_ptr. */
  561. if (parse_introduce2_cell(service, circ, data->payload, data->payload_len,
  562. &cell) < 0) {
  563. goto done;
  564. }
  565. log_info(LD_REND, "Received a decodable INTRODUCE2 cell on circuit %u "
  566. "for service %s. Decoding encrypted section...",
  567. TO_CIRCUIT(circ)->n_circ_id,
  568. safe_str_client(service->onion_address));
  569. encrypted_section = trn_cell_introduce1_getconstarray_encrypted(cell);
  570. encrypted_section_len = trn_cell_introduce1_getlen_encrypted(cell);
  571. /* Encrypted section must at least contain the CLIENT_PK and MAC which is
  572. * defined in section 3.3.2 of the specification. */
  573. if (encrypted_section_len < (CURVE25519_PUBKEY_LEN + DIGEST256_LEN)) {
  574. log_info(LD_REND, "Invalid INTRODUCE2 encrypted section length "
  575. "for service %s. Dropping cell.",
  576. safe_str_client(service->onion_address));
  577. goto done;
  578. }
  579. /* Check our replay cache for this introduction point. */
  580. if (replaycache_add_test_and_elapsed(data->replay_cache, encrypted_section,
  581. encrypted_section_len, &elapsed)) {
  582. log_warn(LD_REND, "Possible replay detected! An INTRODUCE2 cell with the"
  583. "same ENCRYPTED section was seen %ld seconds ago. "
  584. "Dropping cell.", (long int) elapsed);
  585. goto done;
  586. }
  587. /* Build the key material out of the key material found in the cell. */
  588. intro_keys = get_introduce2_key_material(data->auth_pk, data->enc_kp,
  589. data->subcredential,
  590. encrypted_section,
  591. &data->client_pk);
  592. if (intro_keys == NULL) {
  593. log_info(LD_REND, "Invalid INTRODUCE2 encrypted data. Unable to "
  594. "compute key material on circuit %u for service %s",
  595. TO_CIRCUIT(circ)->n_circ_id,
  596. safe_str_client(service->onion_address));
  597. goto done;
  598. }
  599. /* Validate MAC from the cell and our computed key material. The MAC field
  600. * in the cell is at the end of the encrypted section. */
  601. {
  602. uint8_t mac[DIGEST256_LEN];
  603. /* The MAC field is at the very end of the ENCRYPTED section. */
  604. size_t mac_offset = encrypted_section_len - sizeof(mac);
  605. /* Compute the MAC. Use the entire encoded payload with a length up to the
  606. * ENCRYPTED section. */
  607. compute_introduce_mac(data->payload,
  608. data->payload_len - encrypted_section_len,
  609. encrypted_section, encrypted_section_len,
  610. intro_keys->mac_key, sizeof(intro_keys->mac_key),
  611. mac, sizeof(mac));
  612. if (tor_memcmp(mac, encrypted_section + mac_offset, sizeof(mac))) {
  613. log_info(LD_REND, "Invalid MAC validation for INTRODUCE2 cell on "
  614. "circuit %u for service %s",
  615. TO_CIRCUIT(circ)->n_circ_id,
  616. safe_str_client(service->onion_address));
  617. goto done;
  618. }
  619. }
  620. {
  621. /* The ENCRYPTED_DATA section starts just after the CLIENT_PK. */
  622. const uint8_t *encrypted_data =
  623. encrypted_section + sizeof(data->client_pk);
  624. /* It's symmetric encryption so it's correct to use the ENCRYPTED length
  625. * for decryption. Computes the length of ENCRYPTED_DATA meaning removing
  626. * the CLIENT_PK and MAC length. */
  627. size_t encrypted_data_len =
  628. encrypted_section_len - (sizeof(data->client_pk) + DIGEST256_LEN);
  629. /* This decrypts the ENCRYPTED_DATA section of the cell. */
  630. decrypted = decrypt_introduce2(intro_keys->enc_key,
  631. encrypted_data, encrypted_data_len);
  632. if (decrypted == NULL) {
  633. log_info(LD_REND, "Unable to decrypt the ENCRYPTED section of an "
  634. "INTRODUCE2 cell on circuit %u for service %s",
  635. TO_CIRCUIT(circ)->n_circ_id,
  636. safe_str_client(service->onion_address));
  637. goto done;
  638. }
  639. /* Parse this blob into an encrypted cell structure so we can then extract
  640. * the data we need out of it. */
  641. enc_cell = parse_introduce2_encrypted(decrypted, encrypted_data_len,
  642. circ, service);
  643. memwipe(decrypted, 0, encrypted_data_len);
  644. if (enc_cell == NULL) {
  645. goto done;
  646. }
  647. }
  648. /* XXX: Implement client authorization checks. */
  649. /* Extract onion key and rendezvous cookie from the cell used for the
  650. * rendezvous point circuit e2e encryption. */
  651. memcpy(data->onion_pk.public_key,
  652. trn_cell_introduce_encrypted_getconstarray_onion_key(enc_cell),
  653. CURVE25519_PUBKEY_LEN);
  654. memcpy(data->rendezvous_cookie,
  655. trn_cell_introduce_encrypted_getconstarray_rend_cookie(enc_cell),
  656. sizeof(data->rendezvous_cookie));
  657. /* Extract rendezvous link specifiers. */
  658. for (size_t idx = 0;
  659. idx < trn_cell_introduce_encrypted_get_nspec(enc_cell); idx++) {
  660. link_specifier_t *lspec =
  661. trn_cell_introduce_encrypted_get_nspecs(enc_cell, idx);
  662. smartlist_add(data->link_specifiers, hs_link_specifier_dup(lspec));
  663. }
  664. /* Success. */
  665. ret = 0;
  666. log_info(LD_REND, "Valid INTRODUCE2 cell. Launching rendezvous circuit.");
  667. done:
  668. if (intro_keys) {
  669. memwipe(intro_keys, 0, sizeof(hs_ntor_intro_cell_keys_t));
  670. tor_free(intro_keys);
  671. }
  672. tor_free(decrypted);
  673. trn_cell_introduce_encrypted_free(enc_cell);
  674. trn_cell_introduce1_free(cell);
  675. return ret;
  676. }
  677. /* Build a RENDEZVOUS1 cell with the given rendezvous cookie and handshake
  678. * info. The encoded cell is put in cell_out and the length of the data is
  679. * returned. This can't fail. */
  680. ssize_t
  681. hs_cell_build_rendezvous1(const uint8_t *rendezvous_cookie,
  682. size_t rendezvous_cookie_len,
  683. const uint8_t *rendezvous_handshake_info,
  684. size_t rendezvous_handshake_info_len,
  685. uint8_t *cell_out)
  686. {
  687. ssize_t cell_len;
  688. trn_cell_rendezvous1_t *cell;
  689. tor_assert(rendezvous_cookie);
  690. tor_assert(rendezvous_handshake_info);
  691. tor_assert(cell_out);
  692. cell = trn_cell_rendezvous1_new();
  693. /* Set the RENDEZVOUS_COOKIE. */
  694. memcpy(trn_cell_rendezvous1_getarray_rendezvous_cookie(cell),
  695. rendezvous_cookie, rendezvous_cookie_len);
  696. /* Set the HANDSHAKE_INFO. */
  697. trn_cell_rendezvous1_setlen_handshake_info(cell,
  698. rendezvous_handshake_info_len);
  699. memcpy(trn_cell_rendezvous1_getarray_handshake_info(cell),
  700. rendezvous_handshake_info, rendezvous_handshake_info_len);
  701. /* Encoding. */
  702. cell_len = trn_cell_rendezvous1_encode(cell_out, RELAY_PAYLOAD_SIZE, cell);
  703. tor_assert(cell_len > 0);
  704. trn_cell_rendezvous1_free(cell);
  705. return cell_len;
  706. }
  707. /* Build an INTRODUCE1 cell from the given data. The encoded cell is put in
  708. * cell_out which must be of at least size RELAY_PAYLOAD_SIZE. On success, the
  709. * encoded length is returned else a negative value and the content of
  710. * cell_out should be ignored. */
  711. ssize_t
  712. hs_cell_build_introduce1(const hs_cell_introduce1_data_t *data,
  713. uint8_t *cell_out)
  714. {
  715. ssize_t cell_len;
  716. trn_cell_introduce1_t *cell;
  717. trn_cell_extension_t *ext;
  718. tor_assert(data);
  719. tor_assert(cell_out);
  720. cell = trn_cell_introduce1_new();
  721. tor_assert(cell);
  722. /* Set extension data. None are used. */
  723. ext = trn_cell_extension_new();
  724. tor_assert(ext);
  725. trn_cell_extension_set_num(ext, 0);
  726. trn_cell_introduce1_set_extensions(cell, ext);
  727. /* Set the legacy ID field. */
  728. introduce1_set_legacy_id(cell, data);
  729. /* Set the authentication key. */
  730. introduce1_set_auth_key(cell, data);
  731. /* Set the encrypted section. This will set, encrypt and encode the
  732. * ENCRYPTED section in the cell. After this, we'll be ready to encode. */
  733. introduce1_set_encrypted(cell, data);
  734. /* Final encoding. */
  735. cell_len = trn_cell_introduce1_encode(cell_out, RELAY_PAYLOAD_SIZE, cell);
  736. trn_cell_introduce1_free(cell);
  737. return cell_len;
  738. }
  739. /* Build an ESTABLISH_RENDEZVOUS cell from the given rendezvous_cookie. The
  740. * encoded cell is put in cell_out which must be of at least
  741. * RELAY_PAYLOAD_SIZE. On success, the encoded length is returned and the
  742. * caller should clear up the content of the cell.
  743. *
  744. * This function can't fail. */
  745. ssize_t
  746. hs_cell_build_establish_rendezvous(const uint8_t *rendezvous_cookie,
  747. uint8_t *cell_out)
  748. {
  749. tor_assert(rendezvous_cookie);
  750. tor_assert(cell_out);
  751. memcpy(cell_out, rendezvous_cookie, HS_REND_COOKIE_LEN);
  752. return HS_REND_COOKIE_LEN;
  753. }
  754. /* Handle an INTRODUCE_ACK cell encoded in payload of length payload_len.
  755. * Return the status code on success else a negative value if the cell as not
  756. * decodable. */
  757. int
  758. hs_cell_parse_introduce_ack(const uint8_t *payload, size_t payload_len)
  759. {
  760. int ret = -1;
  761. trn_cell_introduce_ack_t *cell = NULL;
  762. tor_assert(payload);
  763. /* If it is a legacy IP, rend-spec.txt specifies that a ACK is 0 byte and a
  764. * NACK is 1 byte. We can't use the legacy function for this so we have to
  765. * do a special case. */
  766. if (payload_len <= 1) {
  767. if (payload_len == 0) {
  768. ret = HS_CELL_INTRO_ACK_SUCCESS;
  769. } else {
  770. ret = HS_CELL_INTRO_ACK_FAILURE;
  771. }
  772. goto end;
  773. }
  774. if (trn_cell_introduce_ack_parse(&cell, payload, payload_len) < 0) {
  775. log_info(LD_REND, "Invalid INTRODUCE_ACK cell. Unable to parse it.");
  776. goto end;
  777. }
  778. ret = trn_cell_introduce_ack_get_status(cell);
  779. end:
  780. trn_cell_introduce_ack_free(cell);
  781. return ret;
  782. }
  783. /* Handle a RENDEZVOUS2 cell encoded in payload of length payload_len. On
  784. * success, handshake_info contains the data in the HANDSHAKE_INFO field, and
  785. * 0 is returned. On error, a negative value is returned. */
  786. int
  787. hs_cell_parse_rendezvous2(const uint8_t *payload, size_t payload_len,
  788. uint8_t *handshake_info, size_t handshake_info_len)
  789. {
  790. int ret = -1;
  791. trn_cell_rendezvous2_t *cell = NULL;
  792. tor_assert(payload);
  793. tor_assert(handshake_info);
  794. if (trn_cell_rendezvous2_parse(&cell, payload, payload_len) < 0) {
  795. log_info(LD_REND, "Invalid RENDEZVOUS2 cell. Unable to parse it.");
  796. goto end;
  797. }
  798. /* Static size, we should never have an issue with this else we messed up
  799. * our code flow. */
  800. tor_assert(trn_cell_rendezvous2_getlen_handshake_info(cell) ==
  801. handshake_info_len);
  802. memcpy(handshake_info,
  803. trn_cell_rendezvous2_getconstarray_handshake_info(cell),
  804. handshake_info_len);
  805. ret = 0;
  806. end:
  807. trn_cell_rendezvous2_free(cell);
  808. return ret;
  809. }
  810. /* Clear the given INTRODUCE1 data structure data. */
  811. void
  812. hs_cell_introduce1_data_clear(hs_cell_introduce1_data_t *data)
  813. {
  814. if (data == NULL) {
  815. return;
  816. }
  817. /* Object in this list have been moved to the cell object when building it
  818. * so they've been freed earlier. We do that in order to avoid duplicating
  819. * them leading to more memory and CPU time being used for nothing. */
  820. smartlist_free(data->link_specifiers);
  821. /* The data object has no ownership of any members. */
  822. memwipe(data, 0, sizeof(hs_cell_introduce1_data_t));
  823. }