12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059 |
- /* Copyright (c) 2016-2018, The Tor Project, Inc. */
- /* See LICENSE for licensing information */
- /**
- * \file hs_descriptor.c
- * \brief Handle hidden service descriptor encoding/decoding.
- *
- * \details
- * Here is a graphical depiction of an HS descriptor and its layers:
- *
- * +------------------------------------------------------+
- * |DESCRIPTOR HEADER: |
- * | hs-descriptor 3 |
- * | descriptor-lifetime 180 |
- * | ... |
- * | superencrypted |
- * |+---------------------------------------------------+ |
- * ||SUPERENCRYPTED LAYER (aka OUTER ENCRYPTED LAYER): | |
- * || desc-auth-type x25519 | |
- * || desc-auth-ephemeral-key | |
- * || auth-client | |
- * || auth-client | |
- * || ... | |
- * || encrypted | |
- * ||+-------------------------------------------------+| |
- * |||ENCRYPTED LAYER (aka INNER ENCRYPTED LAYER): || |
- * ||| create2-formats || |
- * ||| intro-auth-required || |
- * ||| introduction-point || |
- * ||| introduction-point || |
- * ||| ... || |
- * ||+-------------------------------------------------+| |
- * |+---------------------------------------------------+ |
- * +------------------------------------------------------+
- *
- * The DESCRIPTOR HEADER section is completely unencrypted and contains generic
- * descriptor metadata.
- *
- * The SUPERENCRYPTED LAYER section is the first layer of encryption, and it's
- * encrypted using the blinded public key of the hidden service to protect
- * against entities who don't know its onion address. The clients of the hidden
- * service know its onion address and blinded public key, whereas third-parties
- * (like HSDirs) don't know it (except if it's a public hidden service).
- *
- * The ENCRYPTED LAYER section is the second layer of encryption, and it's
- * encrypted using the client authorization key material (if those exist). When
- * client authorization is enabled, this second layer of encryption protects
- * the descriptor content from unauthorized entities. If client authorization
- * is disabled, this second layer of encryption does not provide any extra
- * security but is still present. The plaintext of this layer contains all the
- * information required to connect to the hidden service like its list of
- * introduction points.
- **/
- /* For unit tests.*/
- #define HS_DESCRIPTOR_PRIVATE
- #include "core/or/or.h"
- #include "trunnel/ed25519_cert.h" /* Trunnel interface. */
- #include "feature/hs/hs_descriptor.h"
- #include "core/or/circuitbuild.h"
- #include "lib/crypt_ops/crypto_rand.h"
- #include "lib/crypt_ops/crypto_util.h"
- #include "feature/nodelist/parsecommon.h"
- #include "feature/rend/rendcache.h"
- #include "feature/hs/hs_cache.h"
- #include "feature/hs/hs_config.h"
- #include "feature/nodelist/torcert.h" /* tor_cert_encode_ed22519() */
- #include "lib/memarea/memarea.h"
- #include "lib/crypt_ops/crypto_format.h"
- #include "core/or/extend_info_st.h"
- /* Constant string value used for the descriptor format. */
- #define str_hs_desc "hs-descriptor"
- #define str_desc_cert "descriptor-signing-key-cert"
- #define str_rev_counter "revision-counter"
- #define str_superencrypted "superencrypted"
- #define str_encrypted "encrypted"
- #define str_signature "signature"
- #define str_lifetime "descriptor-lifetime"
- /* Constant string value for the encrypted part of the descriptor. */
- #define str_create2_formats "create2-formats"
- #define str_intro_auth_required "intro-auth-required"
- #define str_single_onion "single-onion-service"
- #define str_intro_point "introduction-point"
- #define str_ip_onion_key "onion-key"
- #define str_ip_auth_key "auth-key"
- #define str_ip_enc_key "enc-key"
- #define str_ip_enc_key_cert "enc-key-cert"
- #define str_ip_legacy_key "legacy-key"
- #define str_ip_legacy_key_cert "legacy-key-cert"
- #define str_intro_point_start "\n" str_intro_point " "
- /* Constant string value for the construction to encrypt the encrypted data
- * section. */
- #define str_enc_const_superencryption "hsdir-superencrypted-data"
- #define str_enc_const_encryption "hsdir-encrypted-data"
- /* Prefix required to compute/verify HS desc signatures */
- #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
- #define str_desc_auth_type "desc-auth-type"
- #define str_desc_auth_key "desc-auth-ephemeral-key"
- #define str_desc_auth_client "auth-client"
- #define str_encrypted "encrypted"
- /* Authentication supported types. */
- static const struct {
- hs_desc_auth_type_t type;
- const char *identifier;
- } intro_auth_types[] = {
- { HS_DESC_AUTH_ED25519, "ed25519" },
- /* Indicate end of array. */
- { 0, NULL }
- };
- /* Descriptor ruleset. */
- static token_rule_t hs_desc_v3_token_table[] = {
- T1_START(str_hs_desc, R_HS_DESCRIPTOR, EQ(1), NO_OBJ),
- T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ),
- T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ),
- T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ),
- T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ),
- T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ),
- END_OF_TABLE
- };
- /* Descriptor ruleset for the superencrypted section. */
- static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
- T1_START(str_desc_auth_type, R3_DESC_AUTH_TYPE, GE(1), NO_OBJ),
- T1(str_desc_auth_key, R3_DESC_AUTH_KEY, GE(1), NO_OBJ),
- T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT, GE(3), NO_OBJ),
- T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
- END_OF_TABLE
- };
- /* Descriptor ruleset for the encrypted section. */
- static token_rule_t hs_desc_encrypted_v3_token_table[] = {
- T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
- T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
- T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
- END_OF_TABLE
- };
- /* Descriptor ruleset for the introduction points section. */
- static token_rule_t hs_desc_intro_point_v3_token_table[] = {
- T1_START(str_intro_point, R3_INTRODUCTION_POINT, EQ(1), NO_OBJ),
- T1N(str_ip_onion_key, R3_INTRO_ONION_KEY, GE(2), OBJ_OK),
- T1(str_ip_auth_key, R3_INTRO_AUTH_KEY, NO_ARGS, NEED_OBJ),
- T1(str_ip_enc_key, R3_INTRO_ENC_KEY, GE(2), OBJ_OK),
- T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT, ARGS, OBJ_OK),
- T01(str_ip_legacy_key, R3_INTRO_LEGACY_KEY, ARGS, NEED_KEY_1024),
- T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT, ARGS, OBJ_OK),
- END_OF_TABLE
- };
- /* Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
- * We use SHA3-256 for the MAC computation.
- * This function can't fail. */
- static void
- build_mac(const uint8_t *mac_key, size_t mac_key_len,
- const uint8_t *salt, size_t salt_len,
- const uint8_t *encrypted, size_t encrypted_len,
- uint8_t *mac_out, size_t mac_len)
- {
- crypto_digest_t *digest;
- const uint64_t mac_len_netorder = tor_htonll(mac_key_len);
- const uint64_t salt_len_netorder = tor_htonll(salt_len);
- tor_assert(mac_key);
- tor_assert(salt);
- tor_assert(encrypted);
- tor_assert(mac_out);
- digest = crypto_digest256_new(DIGEST_SHA3_256);
- /* As specified in section 2.5 of proposal 224, first add the mac key
- * then add the salt first and then the encrypted section. */
- crypto_digest_add_bytes(digest, (const char *) &mac_len_netorder, 8);
- crypto_digest_add_bytes(digest, (const char *) mac_key, mac_key_len);
- crypto_digest_add_bytes(digest, (const char *) &salt_len_netorder, 8);
- crypto_digest_add_bytes(digest, (const char *) salt, salt_len);
- crypto_digest_add_bytes(digest, (const char *) encrypted, encrypted_len);
- crypto_digest_get_digest(digest, (char *) mac_out, mac_len);
- crypto_digest_free(digest);
- }
- /* Using a secret data and a given decriptor object, build the secret
- * input needed for the KDF.
- *
- * secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
- *
- * Then, set the newly allocated buffer in secret_input_out and return the
- * length of the buffer. */
- static size_t
- build_secret_input(const hs_descriptor_t *desc,
- const uint8_t *secret_data,
- size_t secret_data_len,
- uint8_t **secret_input_out)
- {
- size_t offset = 0;
- size_t secret_input_len = secret_data_len + DIGEST256_LEN + sizeof(uint64_t);
- uint8_t *secret_input = NULL;
- tor_assert(desc);
- tor_assert(secret_data);
- tor_assert(secret_input_out);
- secret_input = tor_malloc_zero(secret_input_len);
- /* Copy the secret data. */
- memcpy(secret_input, secret_data, secret_data_len);
- offset += secret_data_len;
- /* Copy subcredential. */
- memcpy(secret_input + offset, desc->subcredential, DIGEST256_LEN);
- offset += DIGEST256_LEN;
- /* Copy revision counter value. */
- set_uint64(secret_input + offset,
- tor_htonll(desc->plaintext_data.revision_counter));
- offset += sizeof(uint64_t);
- tor_assert(secret_input_len == offset);
- *secret_input_out = secret_input;
- return secret_input_len;
- }
- /* Do the KDF construction and put the resulting data in key_out which is of
- * key_out_len length. It uses SHAKE-256 as specified in the spec. */
- static void
- build_kdf_key(const hs_descriptor_t *desc,
- const uint8_t *secret_data,
- size_t secret_data_len,
- const uint8_t *salt, size_t salt_len,
- uint8_t *key_out, size_t key_out_len,
- int is_superencrypted_layer)
- {
- uint8_t *secret_input = NULL;
- size_t secret_input_len;
- crypto_xof_t *xof;
- tor_assert(desc);
- tor_assert(secret_data);
- tor_assert(salt);
- tor_assert(key_out);
- /* Build the secret input for the KDF computation. */
- secret_input_len = build_secret_input(desc, secret_data,
- secret_data_len, &secret_input);
- xof = crypto_xof_new();
- /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
- crypto_xof_add_bytes(xof, secret_input, secret_input_len);
- crypto_xof_add_bytes(xof, salt, salt_len);
- /* Feed in the right string constant based on the desc layer */
- if (is_superencrypted_layer) {
- crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_superencryption,
- strlen(str_enc_const_superencryption));
- } else {
- crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_encryption,
- strlen(str_enc_const_encryption));
- }
- /* Eat from our KDF. */
- crypto_xof_squeeze_bytes(xof, key_out, key_out_len);
- crypto_xof_free(xof);
- memwipe(secret_input, 0, secret_input_len);
- tor_free(secret_input);
- }
- /* Using the given descriptor, secret data, and salt, run it through our
- * KDF function and then extract a secret key in key_out, the IV in iv_out
- * and MAC in mac_out. This function can't fail. */
- static void
- build_secret_key_iv_mac(const hs_descriptor_t *desc,
- const uint8_t *secret_data,
- size_t secret_data_len,
- const uint8_t *salt, size_t salt_len,
- uint8_t *key_out, size_t key_len,
- uint8_t *iv_out, size_t iv_len,
- uint8_t *mac_out, size_t mac_len,
- int is_superencrypted_layer)
- {
- size_t offset = 0;
- uint8_t kdf_key[HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN];
- tor_assert(desc);
- tor_assert(secret_data);
- tor_assert(salt);
- tor_assert(key_out);
- tor_assert(iv_out);
- tor_assert(mac_out);
- build_kdf_key(desc, secret_data, secret_data_len,
- salt, salt_len, kdf_key, sizeof(kdf_key),
- is_superencrypted_layer);
- /* Copy the bytes we need for both the secret key and IV. */
- memcpy(key_out, kdf_key, key_len);
- offset += key_len;
- memcpy(iv_out, kdf_key + offset, iv_len);
- offset += iv_len;
- memcpy(mac_out, kdf_key + offset, mac_len);
- /* Extra precaution to make sure we are not out of bound. */
- tor_assert((offset + mac_len) == sizeof(kdf_key));
- memwipe(kdf_key, 0, sizeof(kdf_key));
- }
- /* === ENCODING === */
- /* Encode the given link specifier objects into a newly allocated string.
- * This can't fail so caller can always assume a valid string being
- * returned. */
- STATIC char *
- encode_link_specifiers(const smartlist_t *specs)
- {
- char *encoded_b64 = NULL;
- link_specifier_list_t *lslist = link_specifier_list_new();
- tor_assert(specs);
- /* No link specifiers is a code flow error, can't happen. */
- tor_assert(smartlist_len(specs) > 0);
- tor_assert(smartlist_len(specs) <= UINT8_MAX);
- link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
- SMARTLIST_FOREACH_BEGIN(specs, const hs_desc_link_specifier_t *,
- spec) {
- link_specifier_t *ls = hs_desc_lspec_to_trunnel(spec);
- if (ls) {
- link_specifier_list_add_spec(lslist, ls);
- }
- } SMARTLIST_FOREACH_END(spec);
- {
- uint8_t *encoded;
- ssize_t encoded_len, encoded_b64_len, ret;
- encoded_len = link_specifier_list_encoded_len(lslist);
- tor_assert(encoded_len > 0);
- encoded = tor_malloc_zero(encoded_len);
- ret = link_specifier_list_encode(encoded, encoded_len, lslist);
- tor_assert(ret == encoded_len);
- /* Base64 encode our binary format. Add extra NUL byte for the base64
- * encoded value. */
- encoded_b64_len = base64_encode_size(encoded_len, 0) + 1;
- encoded_b64 = tor_malloc_zero(encoded_b64_len);
- ret = base64_encode(encoded_b64, encoded_b64_len, (const char *) encoded,
- encoded_len, 0);
- tor_assert(ret == (encoded_b64_len - 1));
- tor_free(encoded);
- }
- link_specifier_list_free(lslist);
- return encoded_b64;
- }
- /* Encode an introduction point legacy key and certificate. Return a newly
- * allocated string with it. On failure, return NULL. */
- static char *
- encode_legacy_key(const hs_desc_intro_point_t *ip)
- {
- char *key_str, b64_cert[256], *encoded = NULL;
- size_t key_str_len;
- tor_assert(ip);
- /* Encode cross cert. */
- if (base64_encode(b64_cert, sizeof(b64_cert),
- (const char *) ip->legacy.cert.encoded,
- ip->legacy.cert.len, BASE64_ENCODE_MULTILINE) < 0) {
- log_warn(LD_REND, "Unable to encode legacy crosscert.");
- goto done;
- }
- /* Convert the encryption key to PEM format NUL terminated. */
- if (crypto_pk_write_public_key_to_string(ip->legacy.key, &key_str,
- &key_str_len) < 0) {
- log_warn(LD_REND, "Unable to encode legacy encryption key.");
- goto done;
- }
- tor_asprintf(&encoded,
- "%s \n%s" /* Newline is added by the call above. */
- "%s\n"
- "-----BEGIN CROSSCERT-----\n"
- "%s"
- "-----END CROSSCERT-----",
- str_ip_legacy_key, key_str,
- str_ip_legacy_key_cert, b64_cert);
- tor_free(key_str);
- done:
- return encoded;
- }
- /* Encode an introduction point encryption key and certificate. Return a newly
- * allocated string with it. On failure, return NULL. */
- static char *
- encode_enc_key(const hs_desc_intro_point_t *ip)
- {
- char *encoded = NULL, *encoded_cert;
- char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
- tor_assert(ip);
- /* Base64 encode the encryption key for the "enc-key" field. */
- if (curve25519_public_to_base64(key_b64, &ip->enc_key) < 0) {
- goto done;
- }
- if (tor_cert_encode_ed22519(ip->enc_key_cert, &encoded_cert) < 0) {
- goto done;
- }
- tor_asprintf(&encoded,
- "%s ntor %s\n"
- "%s\n%s",
- str_ip_enc_key, key_b64,
- str_ip_enc_key_cert, encoded_cert);
- tor_free(encoded_cert);
- done:
- return encoded;
- }
- /* Encode an introduction point onion key. Return a newly allocated string
- * with it. On failure, return NULL. */
- static char *
- encode_onion_key(const hs_desc_intro_point_t *ip)
- {
- char *encoded = NULL;
- char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
- tor_assert(ip);
- /* Base64 encode the encryption key for the "onion-key" field. */
- if (curve25519_public_to_base64(key_b64, &ip->onion_key) < 0) {
- goto done;
- }
- tor_asprintf(&encoded, "%s ntor %s", str_ip_onion_key, key_b64);
- done:
- return encoded;
- }
- /* Encode an introduction point object and return a newly allocated string
- * with it. On failure, return NULL. */
- static char *
- encode_intro_point(const ed25519_public_key_t *sig_key,
- const hs_desc_intro_point_t *ip)
- {
- char *encoded_ip = NULL;
- smartlist_t *lines = smartlist_new();
- tor_assert(ip);
- tor_assert(sig_key);
- /* Encode link specifier. */
- {
- char *ls_str = encode_link_specifiers(ip->link_specifiers);
- smartlist_add_asprintf(lines, "%s %s", str_intro_point, ls_str);
- tor_free(ls_str);
- }
- /* Onion key encoding. */
- {
- char *encoded_onion_key = encode_onion_key(ip);
- if (encoded_onion_key == NULL) {
- goto err;
- }
- smartlist_add_asprintf(lines, "%s", encoded_onion_key);
- tor_free(encoded_onion_key);
- }
- /* Authentication key encoding. */
- {
- char *encoded_cert;
- if (tor_cert_encode_ed22519(ip->auth_key_cert, &encoded_cert) < 0) {
- goto err;
- }
- smartlist_add_asprintf(lines, "%s\n%s", str_ip_auth_key, encoded_cert);
- tor_free(encoded_cert);
- }
- /* Encryption key encoding. */
- {
- char *encoded_enc_key = encode_enc_key(ip);
- if (encoded_enc_key == NULL) {
- goto err;
- }
- smartlist_add_asprintf(lines, "%s", encoded_enc_key);
- tor_free(encoded_enc_key);
- }
- /* Legacy key if any. */
- if (ip->legacy.key != NULL) {
- /* Strong requirement else the IP creation was badly done. */
- tor_assert(ip->legacy.cert.encoded);
- char *encoded_legacy_key = encode_legacy_key(ip);
- if (encoded_legacy_key == NULL) {
- goto err;
- }
- smartlist_add_asprintf(lines, "%s", encoded_legacy_key);
- tor_free(encoded_legacy_key);
- }
- /* Join them all in one blob of text. */
- encoded_ip = smartlist_join_strings(lines, "\n", 1, NULL);
- err:
- SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
- smartlist_free(lines);
- return encoded_ip;
- }
- /* Given a source length, return the new size including padding for the
- * plaintext encryption. */
- static size_t
- compute_padded_plaintext_length(size_t plaintext_len)
- {
- size_t plaintext_padded_len;
- const int padding_block_length = HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE;
- /* Make sure we won't overflow. */
- tor_assert(plaintext_len <= (SIZE_T_CEILING - padding_block_length));
- /* Get the extra length we need to add. For example, if srclen is 10200
- * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
- plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
- padding_block_length;
- /* Can never be extra careful. Make sure we are _really_ padded. */
- tor_assert(!(plaintext_padded_len % padding_block_length));
- return plaintext_padded_len;
- }
- /* Given a buffer, pad it up to the encrypted section padding requirement. Set
- * the newly allocated string in padded_out and return the length of the
- * padded buffer. */
- STATIC size_t
- build_plaintext_padding(const char *plaintext, size_t plaintext_len,
- uint8_t **padded_out)
- {
- size_t padded_len;
- uint8_t *padded;
- tor_assert(plaintext);
- tor_assert(padded_out);
- /* Allocate the final length including padding. */
- padded_len = compute_padded_plaintext_length(plaintext_len);
- tor_assert(padded_len >= plaintext_len);
- padded = tor_malloc_zero(padded_len);
- memcpy(padded, plaintext, plaintext_len);
- *padded_out = padded;
- return padded_len;
- }
- /* Using a key, IV and plaintext data of length plaintext_len, create the
- * encrypted section by encrypting it and setting encrypted_out with the
- * data. Return size of the encrypted data buffer. */
- static size_t
- build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
- size_t plaintext_len, uint8_t **encrypted_out,
- int is_superencrypted_layer)
- {
- size_t encrypted_len;
- uint8_t *padded_plaintext, *encrypted;
- crypto_cipher_t *cipher;
- tor_assert(key);
- tor_assert(iv);
- tor_assert(plaintext);
- tor_assert(encrypted_out);
- /* If we are encrypting the middle layer of the descriptor, we need to first
- pad the plaintext */
- if (is_superencrypted_layer) {
- encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
- &padded_plaintext);
- /* Extra precautions that we have a valid padding length. */
- tor_assert(!(encrypted_len % HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE));
- } else { /* No padding required for inner layers */
- padded_plaintext = tor_memdup(plaintext, plaintext_len);
- encrypted_len = plaintext_len;
- }
- /* This creates a cipher for AES. It can't fail. */
- cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
- HS_DESC_ENCRYPTED_BIT_SIZE);
- /* We use a stream cipher so the encrypted length will be the same as the
- * plaintext padded length. */
- encrypted = tor_malloc_zero(encrypted_len);
- /* This can't fail. */
- crypto_cipher_encrypt(cipher, (char *) encrypted,
- (const char *) padded_plaintext, encrypted_len);
- *encrypted_out = encrypted;
- /* Cleanup. */
- crypto_cipher_free(cipher);
- tor_free(padded_plaintext);
- return encrypted_len;
- }
- /* Encrypt the given <b>plaintext</b> buffer using <b>desc</b> and
- * <b>secret_data</b> to get the keys. Set encrypted_out with the encrypted
- * data and return the length of it. <b>is_superencrypted_layer</b> is set
- * if this is the outer encrypted layer of the descriptor. */
- static size_t
- encrypt_descriptor_data(const hs_descriptor_t *desc,
- const uint8_t *secret_data,
- size_t secret_data_len,
- const char *plaintext,
- char **encrypted_out, int is_superencrypted_layer)
- {
- char *final_blob;
- size_t encrypted_len, final_blob_len, offset = 0;
- uint8_t *encrypted;
- uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
- uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
- uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
- tor_assert(desc);
- tor_assert(secret_data);
- tor_assert(plaintext);
- tor_assert(encrypted_out);
- /* Get our salt. The returned bytes are already hashed. */
- crypto_strongest_rand(salt, sizeof(salt));
- /* KDF construction resulting in a key from which the secret key, IV and MAC
- * key are extracted which is what we need for the encryption. */
- build_secret_key_iv_mac(desc, secret_data, secret_data_len,
- salt, sizeof(salt),
- secret_key, sizeof(secret_key),
- secret_iv, sizeof(secret_iv),
- mac_key, sizeof(mac_key),
- is_superencrypted_layer);
- /* Build the encrypted part that is do the actual encryption. */
- encrypted_len = build_encrypted(secret_key, secret_iv, plaintext,
- strlen(plaintext), &encrypted,
- is_superencrypted_layer);
- memwipe(secret_key, 0, sizeof(secret_key));
- memwipe(secret_iv, 0, sizeof(secret_iv));
- /* This construction is specified in section 2.5 of proposal 224. */
- final_blob_len = sizeof(salt) + encrypted_len + DIGEST256_LEN;
- final_blob = tor_malloc_zero(final_blob_len);
- /* Build the MAC. */
- build_mac(mac_key, sizeof(mac_key), salt, sizeof(salt),
- encrypted, encrypted_len, mac, sizeof(mac));
- memwipe(mac_key, 0, sizeof(mac_key));
- /* The salt is the first value. */
- memcpy(final_blob, salt, sizeof(salt));
- offset = sizeof(salt);
- /* Second value is the encrypted data. */
- memcpy(final_blob + offset, encrypted, encrypted_len);
- offset += encrypted_len;
- /* Third value is the MAC. */
- memcpy(final_blob + offset, mac, sizeof(mac));
- offset += sizeof(mac);
- /* Cleanup the buffers. */
- memwipe(salt, 0, sizeof(salt));
- memwipe(encrypted, 0, encrypted_len);
- tor_free(encrypted);
- /* Extra precaution. */
- tor_assert(offset == final_blob_len);
- *encrypted_out = final_blob;
- return final_blob_len;
- }
- /* Create and return a string containing a client-auth entry. It's the
- * responsibility of the caller to free the returned string. This function
- * will never fail. */
- static char *
- get_auth_client_str(const hs_desc_authorized_client_t *client)
- {
- int ret;
- char *auth_client_str = NULL;
- /* We are gonna fill these arrays with base64 data. They are all double
- * the size of their binary representation to fit the base64 overhead. */
- char client_id_b64[HS_DESC_CLIENT_ID_LEN * 2];
- char iv_b64[CIPHER_IV_LEN * 2];
- char encrypted_cookie_b64[HS_DESC_ENCRYPED_COOKIE_LEN * 2];
- #define ASSERT_AND_BASE64(field) STMT_BEGIN \
- tor_assert(!tor_mem_is_zero((char *) client->field, \
- sizeof(client->field))); \
- ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
- client->field, sizeof(client->field)); \
- tor_assert(ret > 0); \
- STMT_END
- ASSERT_AND_BASE64(client_id);
- ASSERT_AND_BASE64(iv);
- ASSERT_AND_BASE64(encrypted_cookie);
- /* Build the final string */
- tor_asprintf(&auth_client_str, "%s %s %s %s", str_desc_auth_client,
- client_id_b64, iv_b64, encrypted_cookie_b64);
- #undef ASSERT_AND_BASE64
- return auth_client_str;
- }
- /** Create the "client-auth" part of the descriptor and return a
- * newly-allocated string with it. It's the responsibility of the caller to
- * free the returned string. */
- static char *
- get_all_auth_client_lines(const hs_descriptor_t *desc)
- {
- smartlist_t *auth_client_lines = smartlist_new();
- char *auth_client_lines_str = NULL;
- tor_assert(desc);
- tor_assert(desc->superencrypted_data.clients);
- tor_assert(smartlist_len(desc->superencrypted_data.clients) != 0);
- tor_assert(smartlist_len(desc->superencrypted_data.clients)
- % HS_DESC_AUTH_CLIENT_MULTIPLE == 0);
- /* Make a line for each client */
- SMARTLIST_FOREACH_BEGIN(desc->superencrypted_data.clients,
- const hs_desc_authorized_client_t *, client) {
- char *auth_client_str = NULL;
- auth_client_str = get_auth_client_str(client);
- smartlist_add(auth_client_lines, auth_client_str);
- } SMARTLIST_FOREACH_END(client);
- /* Join all lines together to form final string */
- auth_client_lines_str = smartlist_join_strings(auth_client_lines,
- "\n", 1, NULL);
- /* Cleanup the mess */
- SMARTLIST_FOREACH(auth_client_lines, char *, a, tor_free(a));
- smartlist_free(auth_client_lines);
- return auth_client_lines_str;
- }
- /* Create the inner layer of the descriptor (which includes the intro points,
- * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
- * an error occurred. It's the responsibility of the caller to free the
- * returned string. */
- static char *
- get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
- {
- char *encoded_str = NULL;
- smartlist_t *lines = smartlist_new();
- /* Build the start of the section prior to the introduction points. */
- {
- if (!desc->encrypted_data.create2_ntor) {
- log_err(LD_BUG, "HS desc doesn't have recognized handshake type.");
- goto err;
- }
- smartlist_add_asprintf(lines, "%s %d\n", str_create2_formats,
- ONION_HANDSHAKE_TYPE_NTOR);
- if (desc->encrypted_data.intro_auth_types &&
- smartlist_len(desc->encrypted_data.intro_auth_types)) {
- /* Put the authentication-required line. */
- char *buf = smartlist_join_strings(desc->encrypted_data.intro_auth_types,
- " ", 0, NULL);
- smartlist_add_asprintf(lines, "%s %s\n", str_intro_auth_required, buf);
- tor_free(buf);
- }
- if (desc->encrypted_data.single_onion_service) {
- smartlist_add_asprintf(lines, "%s\n", str_single_onion);
- }
- }
- /* Build the introduction point(s) section. */
- SMARTLIST_FOREACH_BEGIN(desc->encrypted_data.intro_points,
- const hs_desc_intro_point_t *, ip) {
- char *encoded_ip = encode_intro_point(&desc->plaintext_data.signing_pubkey,
- ip);
- if (encoded_ip == NULL) {
- log_err(LD_BUG, "HS desc intro point is malformed.");
- goto err;
- }
- smartlist_add(lines, encoded_ip);
- } SMARTLIST_FOREACH_END(ip);
- /* Build the entire encrypted data section into one encoded plaintext and
- * then encrypt it. */
- encoded_str = smartlist_join_strings(lines, "", 0, NULL);
- err:
- SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
- smartlist_free(lines);
- return encoded_str;
- }
- /* Create the middle layer of the descriptor, which includes the client auth
- * data and the encrypted inner layer (provided as a base64 string at
- * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
- * layer plaintext, or NULL if an error occurred. It's the responsibility of
- * the caller to free the returned string. */
- static char *
- get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc,
- const char *layer2_b64_ciphertext)
- {
- char *layer1_str = NULL;
- smartlist_t *lines = smartlist_new();
- /* Specify auth type */
- smartlist_add_asprintf(lines, "%s %s\n", str_desc_auth_type, "x25519");
- { /* Print ephemeral x25519 key */
- char ephemeral_key_base64[CURVE25519_BASE64_PADDED_LEN + 1];
- const curve25519_public_key_t *ephemeral_pubkey;
- ephemeral_pubkey = &desc->superencrypted_data.auth_ephemeral_pubkey;
- tor_assert(!tor_mem_is_zero((char *) ephemeral_pubkey->public_key,
- CURVE25519_PUBKEY_LEN));
- if (curve25519_public_to_base64(ephemeral_key_base64,
- ephemeral_pubkey) < 0) {
- goto done;
- }
- smartlist_add_asprintf(lines, "%s %s\n",
- str_desc_auth_key, ephemeral_key_base64);
- memwipe(ephemeral_key_base64, 0, sizeof(ephemeral_key_base64));
- }
- { /* Create auth-client lines. */
- char *auth_client_lines = get_all_auth_client_lines(desc);
- tor_assert(auth_client_lines);
- smartlist_add(lines, auth_client_lines);
- }
- /* create encrypted section */
- {
- smartlist_add_asprintf(lines,
- "%s\n"
- "-----BEGIN MESSAGE-----\n"
- "%s"
- "-----END MESSAGE-----",
- str_encrypted, layer2_b64_ciphertext);
- }
- layer1_str = smartlist_join_strings(lines, "", 0, NULL);
- done:
- /* We need to memwipe all lines because it contains the ephemeral key */
- SMARTLIST_FOREACH(lines, char *, a, memwipe(a, 0, strlen(a)));
- SMARTLIST_FOREACH(lines, char *, a, tor_free(a));
- smartlist_free(lines);
- return layer1_str;
- }
- /* Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
- * returning it. <b>desc</b> is provided to derive the encryption
- * keys. <b>secret_data</b> is also proved to derive the encryption keys.
- * <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
- * middle (superencrypted) layer of the descriptor. It's the responsibility of
- * the caller to free the returned string. */
- static char *
- encrypt_desc_data_and_base64(const hs_descriptor_t *desc,
- const uint8_t *secret_data,
- size_t secret_data_len,
- const char *encoded_str,
- int is_superencrypted_layer)
- {
- char *enc_b64;
- ssize_t enc_b64_len, ret_len, enc_len;
- char *encrypted_blob = NULL;
- enc_len = encrypt_descriptor_data(desc, secret_data, secret_data_len,
- encoded_str, &encrypted_blob,
- is_superencrypted_layer);
- /* Get the encoded size plus a NUL terminating byte. */
- enc_b64_len = base64_encode_size(enc_len, BASE64_ENCODE_MULTILINE) + 1;
- enc_b64 = tor_malloc_zero(enc_b64_len);
- /* Base64 the encrypted blob before returning it. */
- ret_len = base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
- BASE64_ENCODE_MULTILINE);
- /* Return length doesn't count the NUL byte. */
- tor_assert(ret_len == (enc_b64_len - 1));
- tor_free(encrypted_blob);
- return enc_b64;
- }
- /* Generate the secret data which is used to encrypt/decrypt the descriptor.
- *
- * SECRET_DATA = blinded-public-key
- * SECRET_DATA = blinded-public-key | descriptor_cookie
- *
- * The descriptor_cookie is optional but if it exists, it must be at least
- * HS_DESC_DESCRIPTOR_COOKIE_LEN bytes long.
- *
- * A newly allocated secret data is put in secret_data_out. Return the
- * length of the secret data. This function cannot fail. */
- static size_t
- build_secret_data(const ed25519_public_key_t *blinded_pubkey,
- const uint8_t *descriptor_cookie,
- uint8_t **secret_data_out)
- {
- size_t secret_data_len;
- uint8_t *secret_data;
- tor_assert(blinded_pubkey);
- tor_assert(secret_data_out);
- if (descriptor_cookie) {
- /* If the descriptor cookie is present, we need both the blinded
- * pubkey and the descriptor cookie as a secret data. */
- secret_data_len = ED25519_PUBKEY_LEN + HS_DESC_DESCRIPTOR_COOKIE_LEN;
- secret_data = tor_malloc(secret_data_len);
- memcpy(secret_data,
- blinded_pubkey->pubkey,
- ED25519_PUBKEY_LEN);
- memcpy(secret_data + ED25519_PUBKEY_LEN,
- descriptor_cookie,
- HS_DESC_DESCRIPTOR_COOKIE_LEN);
- } else {
- /* If the descriptor cookie is not present, we need only the blinded
- * pubkey as a secret data. */
- secret_data_len = ED25519_PUBKEY_LEN;
- secret_data = tor_malloc(secret_data_len);
- memcpy(secret_data,
- blinded_pubkey->pubkey,
- ED25519_PUBKEY_LEN);
- }
- *secret_data_out = secret_data;
- return secret_data_len;
- }
- /* Generate and encode the superencrypted portion of <b>desc</b>. This also
- * involves generating the encrypted portion of the descriptor, and performing
- * the superencryption. A newly allocated NUL-terminated string pointer
- * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
- * on success else a negative value. */
- static int
- encode_superencrypted_data(const hs_descriptor_t *desc,
- const uint8_t *descriptor_cookie,
- char **encrypted_blob_out)
- {
- int ret = -1;
- uint8_t *secret_data = NULL;
- size_t secret_data_len = 0;
- char *layer2_str = NULL;
- char *layer2_b64_ciphertext = NULL;
- char *layer1_str = NULL;
- char *layer1_b64_ciphertext = NULL;
- tor_assert(desc);
- tor_assert(encrypted_blob_out);
- /* Func logic: We first create the inner layer of the descriptor (layer2).
- * We then encrypt it and use it to create the middle layer of the descriptor
- * (layer1). Finally we superencrypt the middle layer and return it to our
- * caller. */
- /* Create inner descriptor layer */
- layer2_str = get_inner_encrypted_layer_plaintext(desc);
- if (!layer2_str) {
- goto err;
- }
- secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
- descriptor_cookie,
- &secret_data);
- /* Encrypt and b64 the inner layer */
- layer2_b64_ciphertext =
- encrypt_desc_data_and_base64(desc, secret_data, secret_data_len,
- layer2_str, 0);
- if (!layer2_b64_ciphertext) {
- goto err;
- }
- /* Now create middle descriptor layer given the inner layer */
- layer1_str = get_outer_encrypted_layer_plaintext(desc,layer2_b64_ciphertext);
- if (!layer1_str) {
- goto err;
- }
- /* Encrypt and base64 the middle layer */
- layer1_b64_ciphertext =
- encrypt_desc_data_and_base64(desc,
- desc->plaintext_data.blinded_pubkey.pubkey,
- ED25519_PUBKEY_LEN,
- layer1_str, 1);
- if (!layer1_b64_ciphertext) {
- goto err;
- }
- /* Success! */
- ret = 0;
- err:
- memwipe(secret_data, 0, secret_data_len);
- tor_free(secret_data);
- tor_free(layer1_str);
- tor_free(layer2_str);
- tor_free(layer2_b64_ciphertext);
- *encrypted_blob_out = layer1_b64_ciphertext;
- return ret;
- }
- /* Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
- * newly allocated string of the encoded descriptor. On error, -1 is returned
- * and encoded_out is untouched. */
- static int
- desc_encode_v3(const hs_descriptor_t *desc,
- const ed25519_keypair_t *signing_kp,
- const uint8_t *descriptor_cookie,
- char **encoded_out)
- {
- int ret = -1;
- char *encoded_str = NULL;
- size_t encoded_len;
- smartlist_t *lines = smartlist_new();
- tor_assert(desc);
- tor_assert(signing_kp);
- tor_assert(encoded_out);
- tor_assert(desc->plaintext_data.version == 3);
- if (BUG(desc->subcredential == NULL)) {
- goto err;
- }
- /* Build the non-encrypted values. */
- {
- char *encoded_cert;
- /* Encode certificate then create the first line of the descriptor. */
- if (desc->plaintext_data.signing_key_cert->cert_type
- != CERT_TYPE_SIGNING_HS_DESC) {
- log_err(LD_BUG, "HS descriptor signing key has an unexpected cert type "
- "(%d)", (int) desc->plaintext_data.signing_key_cert->cert_type);
- goto err;
- }
- if (tor_cert_encode_ed22519(desc->plaintext_data.signing_key_cert,
- &encoded_cert) < 0) {
- /* The function will print error logs. */
- goto err;
- }
- /* Create the hs descriptor line. */
- smartlist_add_asprintf(lines, "%s %" PRIu32, str_hs_desc,
- desc->plaintext_data.version);
- /* Add the descriptor lifetime line (in minutes). */
- smartlist_add_asprintf(lines, "%s %" PRIu32, str_lifetime,
- desc->plaintext_data.lifetime_sec / 60);
- /* Create the descriptor certificate line. */
- smartlist_add_asprintf(lines, "%s\n%s", str_desc_cert, encoded_cert);
- tor_free(encoded_cert);
- /* Create the revision counter line. */
- smartlist_add_asprintf(lines, "%s %" PRIu64, str_rev_counter,
- desc->plaintext_data.revision_counter);
- }
- /* Build the superencrypted data section. */
- {
- char *enc_b64_blob=NULL;
- if (encode_superencrypted_data(desc, descriptor_cookie,
- &enc_b64_blob) < 0) {
- goto err;
- }
- smartlist_add_asprintf(lines,
- "%s\n"
- "-----BEGIN MESSAGE-----\n"
- "%s"
- "-----END MESSAGE-----",
- str_superencrypted, enc_b64_blob);
- tor_free(enc_b64_blob);
- }
- /* Join all lines in one string so we can generate a signature and append
- * it to the descriptor. */
- encoded_str = smartlist_join_strings(lines, "\n", 1, &encoded_len);
- /* Sign all fields of the descriptor with our short term signing key. */
- {
- ed25519_signature_t sig;
- char ed_sig_b64[ED25519_SIG_BASE64_LEN + 1];
- if (ed25519_sign_prefixed(&sig,
- (const uint8_t *) encoded_str, encoded_len,
- str_desc_sig_prefix, signing_kp) < 0) {
- log_warn(LD_BUG, "Can't sign encoded HS descriptor!");
- tor_free(encoded_str);
- goto err;
- }
- if (ed25519_signature_to_base64(ed_sig_b64, &sig) < 0) {
- log_warn(LD_BUG, "Can't base64 encode descriptor signature!");
- tor_free(encoded_str);
- goto err;
- }
- /* Create the signature line. */
- smartlist_add_asprintf(lines, "%s %s", str_signature, ed_sig_b64);
- }
- /* Free previous string that we used so compute the signature. */
- tor_free(encoded_str);
- encoded_str = smartlist_join_strings(lines, "\n", 1, NULL);
- *encoded_out = encoded_str;
- if (strlen(encoded_str) >= hs_cache_get_max_descriptor_size()) {
- log_warn(LD_GENERAL, "We just made an HS descriptor that's too big (%d)."
- "Failing.", (int)strlen(encoded_str));
- tor_free(encoded_str);
- goto err;
- }
- /* XXX: Trigger a control port event. */
- /* Success! */
- ret = 0;
- err:
- SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
- smartlist_free(lines);
- return ret;
- }
- /* === DECODING === */
- /* Given the token tok for an auth client, decode it as
- * hs_desc_authorized_client_t. tok->args MUST contain at least 3 elements
- * Return 0 on success else -1 on failure. */
- static int
- decode_auth_client(const directory_token_t *tok,
- hs_desc_authorized_client_t *client)
- {
- int ret = -1;
- tor_assert(tok);
- tor_assert(tok->n_args >= 3);
- tor_assert(client);
- if (base64_decode((char *) client->client_id, sizeof(client->client_id),
- tok->args[0], strlen(tok->args[0])) !=
- sizeof(client->client_id)) {
- goto done;
- }
- if (base64_decode((char *) client->iv, sizeof(client->iv),
- tok->args[1], strlen(tok->args[1])) !=
- sizeof(client->iv)) {
- goto done;
- }
- if (base64_decode((char *) client->encrypted_cookie,
- sizeof(client->encrypted_cookie),
- tok->args[2], strlen(tok->args[2])) !=
- sizeof(client->encrypted_cookie)) {
- goto done;
- }
- /* Success. */
- ret = 0;
- done:
- return ret;
- }
- /* Given an encoded string of the link specifiers, return a newly allocated
- * list of decoded link specifiers. Return NULL on error. */
- STATIC smartlist_t *
- decode_link_specifiers(const char *encoded)
- {
- int decoded_len;
- size_t encoded_len, i;
- uint8_t *decoded;
- smartlist_t *results = NULL;
- link_specifier_list_t *specs = NULL;
- tor_assert(encoded);
- encoded_len = strlen(encoded);
- decoded = tor_malloc(encoded_len);
- decoded_len = base64_decode((char *) decoded, encoded_len, encoded,
- encoded_len);
- if (decoded_len < 0) {
- goto err;
- }
- if (link_specifier_list_parse(&specs, decoded,
- (size_t) decoded_len) < decoded_len) {
- goto err;
- }
- tor_assert(specs);
- results = smartlist_new();
- for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
- hs_desc_link_specifier_t *hs_spec;
- link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
- tor_assert(ls);
- hs_spec = tor_malloc_zero(sizeof(*hs_spec));
- hs_spec->type = link_specifier_get_ls_type(ls);
- switch (hs_spec->type) {
- case LS_IPV4:
- tor_addr_from_ipv4h(&hs_spec->u.ap.addr,
- link_specifier_get_un_ipv4_addr(ls));
- hs_spec->u.ap.port = link_specifier_get_un_ipv4_port(ls);
- break;
- case LS_IPV6:
- tor_addr_from_ipv6_bytes(&hs_spec->u.ap.addr, (const char *)
- link_specifier_getarray_un_ipv6_addr(ls));
- hs_spec->u.ap.port = link_specifier_get_un_ipv6_port(ls);
- break;
- case LS_LEGACY_ID:
- /* Both are known at compile time so let's make sure they are the same
- * else we can copy memory out of bound. */
- tor_assert(link_specifier_getlen_un_legacy_id(ls) ==
- sizeof(hs_spec->u.legacy_id));
- memcpy(hs_spec->u.legacy_id, link_specifier_getarray_un_legacy_id(ls),
- sizeof(hs_spec->u.legacy_id));
- break;
- case LS_ED25519_ID:
- /* Both are known at compile time so let's make sure they are the same
- * else we can copy memory out of bound. */
- tor_assert(link_specifier_getlen_un_ed25519_id(ls) ==
- sizeof(hs_spec->u.ed25519_id));
- memcpy(hs_spec->u.ed25519_id,
- link_specifier_getconstarray_un_ed25519_id(ls),
- sizeof(hs_spec->u.ed25519_id));
- break;
- default:
- tor_free(hs_spec);
- goto err;
- }
- smartlist_add(results, hs_spec);
- }
- goto done;
- err:
- if (results) {
- SMARTLIST_FOREACH(results, hs_desc_link_specifier_t *, s, tor_free(s));
- smartlist_free(results);
- results = NULL;
- }
- done:
- link_specifier_list_free(specs);
- tor_free(decoded);
- return results;
- }
- /* Given a list of authentication types, decode it and put it in the encrypted
- * data section. Return 1 if we at least know one of the type or 0 if we know
- * none of them. */
- static int
- decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
- {
- int match = 0;
- tor_assert(desc);
- tor_assert(list);
- desc->intro_auth_types = smartlist_new();
- smartlist_split_string(desc->intro_auth_types, list, " ", 0, 0);
- /* Validate the types that we at least know about one. */
- SMARTLIST_FOREACH_BEGIN(desc->intro_auth_types, const char *, auth) {
- for (int idx = 0; intro_auth_types[idx].identifier; idx++) {
- if (!strncmp(auth, intro_auth_types[idx].identifier,
- strlen(intro_auth_types[idx].identifier))) {
- match = 1;
- break;
- }
- }
- } SMARTLIST_FOREACH_END(auth);
- return match;
- }
- /* Parse a space-delimited list of integers representing CREATE2 formats into
- * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
- static void
- decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
- {
- smartlist_t *tokens;
- tor_assert(desc);
- tor_assert(list);
- tokens = smartlist_new();
- smartlist_split_string(tokens, list, " ", 0, 0);
- SMARTLIST_FOREACH_BEGIN(tokens, char *, s) {
- int ok;
- unsigned long type = tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
- if (!ok) {
- log_warn(LD_REND, "Unparseable value %s in create2 list", escaped(s));
- continue;
- }
- switch (type) {
- case ONION_HANDSHAKE_TYPE_NTOR:
- desc->create2_ntor = 1;
- break;
- default:
- /* We deliberately ignore unsupported handshake types */
- continue;
- }
- } SMARTLIST_FOREACH_END(s);
- SMARTLIST_FOREACH(tokens, char *, s, tor_free(s));
- smartlist_free(tokens);
- }
- /* Given a certificate, validate the certificate for certain conditions which
- * are if the given type matches the cert's one, if the signing key is
- * included and if the that key was actually used to sign the certificate.
- *
- * Return 1 iff if all conditions pass or 0 if one of them fails. */
- STATIC int
- cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
- {
- tor_assert(log_obj_type);
- if (cert == NULL) {
- log_warn(LD_REND, "Certificate for %s couldn't be parsed.", log_obj_type);
- goto err;
- }
- if (cert->cert_type != type) {
- log_warn(LD_REND, "Invalid cert type %02x for %s.", cert->cert_type,
- log_obj_type);
- goto err;
- }
- /* All certificate must have its signing key included. */
- if (!cert->signing_key_included) {
- log_warn(LD_REND, "Signing key is NOT included for %s.", log_obj_type);
- goto err;
- }
- /* The following will not only check if the signature matches but also the
- * expiration date and overall validity. */
- if (tor_cert_checksig(cert, &cert->signing_key, approx_time()) < 0) {
- log_warn(LD_REND, "Invalid signature for %s: %s", log_obj_type,
- tor_cert_describe_signature_status(cert));
- goto err;
- }
- return 1;
- err:
- return 0;
- }
- /* Given some binary data, try to parse it to get a certificate object. If we
- * have a valid cert, validate it using the given wanted type. On error, print
- * a log using the err_msg has the certificate identifier adding semantic to
- * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
- * points to a newly allocated certificate object. */
- static int
- cert_parse_and_validate(tor_cert_t **cert_out, const char *data,
- size_t data_len, unsigned int cert_type_wanted,
- const char *err_msg)
- {
- tor_cert_t *cert;
- tor_assert(cert_out);
- tor_assert(data);
- tor_assert(err_msg);
- /* Parse certificate. */
- cert = tor_cert_parse((const uint8_t *) data, data_len);
- if (!cert) {
- log_warn(LD_REND, "Certificate for %s couldn't be parsed.", err_msg);
- goto err;
- }
- /* Validate certificate. */
- if (!cert_is_valid(cert, cert_type_wanted, err_msg)) {
- goto err;
- }
- *cert_out = cert;
- return 0;
- err:
- tor_cert_free(cert);
- *cert_out = NULL;
- return -1;
- }
- /* Return true iff the given length of the encrypted data of a descriptor
- * passes validation. */
- STATIC int
- encrypted_data_length_is_valid(size_t len)
- {
- /* Make sure there is enough data for the salt and the mac. The equality is
- there to ensure that there is at least one byte of encrypted data. */
- if (len <= HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN) {
- log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
- "Got %lu but minimum value is %d",
- (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
- goto err;
- }
- return 1;
- err:
- return 0;
- }
- /* Decrypt the descriptor cookie given the descriptor, the auth client,
- * and the client secret key. On sucess, return 0 and a newly allocated
- * descriptor cookie descriptor_cookie_out. On error or if the client id
- * is invalid, return -1 and descriptor_cookie_out is set to
- * NULL. */
- static int
- decrypt_descriptor_cookie(const hs_descriptor_t *desc,
- const hs_desc_authorized_client_t *client,
- const curve25519_secret_key_t *client_auth_sk,
- uint8_t **descriptor_cookie_out)
- {
- int ret = -1;
- uint8_t secret_seed[CURVE25519_OUTPUT_LEN];
- uint8_t keystream[HS_DESC_CLIENT_ID_LEN + HS_DESC_COOKIE_KEY_LEN];
- uint8_t *cookie_key = NULL;
- uint8_t *descriptor_cookie = NULL;
- crypto_cipher_t *cipher = NULL;
- crypto_xof_t *xof = NULL;
- tor_assert(desc);
- tor_assert(client);
- tor_assert(client_auth_sk);
- tor_assert(!tor_mem_is_zero(
- (char *) &desc->superencrypted_data.auth_ephemeral_pubkey,
- sizeof(desc->superencrypted_data.auth_ephemeral_pubkey)));
- tor_assert(!tor_mem_is_zero((char *) client_auth_sk,
- sizeof(*client_auth_sk)));
- tor_assert(!tor_mem_is_zero((char *) desc->subcredential, DIGEST256_LEN));
- /* Calculate x25519(client_x, hs_Y) */
- curve25519_handshake(secret_seed, client_auth_sk,
- &desc->superencrypted_data.auth_ephemeral_pubkey);
- /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
- xof = crypto_xof_new();
- crypto_xof_add_bytes(xof, desc->subcredential, DIGEST256_LEN);
- crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
- crypto_xof_squeeze_bytes(xof, keystream, sizeof(keystream));
- crypto_xof_free(xof);
- /* If the client id of auth client is not the same as the calculcated
- * client id, it means that this auth client is invaild according to the
- * client secret key client_auth_sk. */
- if (tor_memneq(client->client_id, keystream, HS_DESC_CLIENT_ID_LEN)) {
- goto done;
- }
- cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
- /* This creates a cipher for AES. It can't fail. */
- cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client->iv,
- HS_DESC_COOKIE_KEY_BIT_SIZE);
- descriptor_cookie = tor_malloc_zero(HS_DESC_DESCRIPTOR_COOKIE_LEN);
- /* This can't fail. */
- crypto_cipher_decrypt(cipher, (char *) descriptor_cookie,
- (const char *) client->encrypted_cookie,
- sizeof(client->encrypted_cookie));
- /* Success. */
- ret = 0;
- done:
- *descriptor_cookie_out = descriptor_cookie;
- if (cipher) {
- crypto_cipher_free(cipher);
- }
- memwipe(secret_seed, 0, sizeof(secret_seed));
- memwipe(keystream, 0, sizeof(keystream));
- return ret;
- }
- /** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
- * <b>encrypted_blob_size</b>. The descriptor cookie is optional. Use
- * the descriptor object <b>desc</b> and <b>descriptor_cookie</b>
- * to generate the right decryption keys; set <b>decrypted_out</b> to
- * the plaintext. If <b>is_superencrypted_layer</b> is set, this is
- * the outter encrypted layer of the descriptor.
- *
- * On any error case, including an empty output, return 0 and set
- * *<b>decrypted_out</b> to NULL.
- */
- MOCK_IMPL(STATIC size_t,
- decrypt_desc_layer,(const hs_descriptor_t *desc,
- const uint8_t *encrypted_blob,
- size_t encrypted_blob_size,
- const uint8_t *descriptor_cookie,
- int is_superencrypted_layer,
- char **decrypted_out))
- {
- uint8_t *decrypted = NULL;
- uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
- uint8_t *secret_data = NULL;
- size_t secret_data_len = 0;
- uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
- const uint8_t *salt, *encrypted, *desc_mac;
- size_t encrypted_len, result_len = 0;
- tor_assert(decrypted_out);
- tor_assert(desc);
- tor_assert(encrypted_blob);
- /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
- * Make sure we have enough space for all these things. */
- if (!encrypted_data_length_is_valid(encrypted_blob_size)) {
- goto err;
- }
- /* Start of the blob thus the salt. */
- salt = encrypted_blob;
- /* Next is the encrypted data. */
- encrypted = encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN;
- encrypted_len = encrypted_blob_size -
- (HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
- tor_assert(encrypted_len > 0); /* guaranteed by the check above */
- /* And last comes the MAC. */
- desc_mac = encrypted_blob + encrypted_blob_size - DIGEST256_LEN;
- /* Build secret data to be used in the decryption. */
- secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
- descriptor_cookie,
- &secret_data);
- /* KDF construction resulting in a key from which the secret key, IV and MAC
- * key are extracted which is what we need for the decryption. */
- build_secret_key_iv_mac(desc, secret_data, secret_data_len,
- salt, HS_DESC_ENCRYPTED_SALT_LEN,
- secret_key, sizeof(secret_key),
- secret_iv, sizeof(secret_iv),
- mac_key, sizeof(mac_key),
- is_superencrypted_layer);
- /* Build MAC. */
- build_mac(mac_key, sizeof(mac_key), salt, HS_DESC_ENCRYPTED_SALT_LEN,
- encrypted, encrypted_len, our_mac, sizeof(our_mac));
- memwipe(mac_key, 0, sizeof(mac_key));
- /* Verify MAC; MAC is H(mac_key || salt || encrypted)
- *
- * This is a critical check that is making sure the computed MAC matches the
- * one in the descriptor. */
- if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
- log_warn(LD_REND, "Encrypted service descriptor MAC check failed");
- goto err;
- }
- {
- /* Decrypt. Here we are assured that the encrypted length is valid for
- * decryption. */
- crypto_cipher_t *cipher;
- cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
- HS_DESC_ENCRYPTED_BIT_SIZE);
- /* Extra byte for the NUL terminated byte. */
- decrypted = tor_malloc_zero(encrypted_len + 1);
- crypto_cipher_decrypt(cipher, (char *) decrypted,
- (const char *) encrypted, encrypted_len);
- crypto_cipher_free(cipher);
- }
- {
- /* Adjust length to remove NUL padding bytes */
- uint8_t *end = memchr(decrypted, 0, encrypted_len);
- result_len = encrypted_len;
- if (end) {
- result_len = end - decrypted;
- }
- }
- if (result_len == 0) {
- /* Treat this as an error, so that somebody will free the output. */
- goto err;
- }
- /* Make sure to NUL terminate the string. */
- decrypted[encrypted_len] = '\0';
- *decrypted_out = (char *) decrypted;
- goto done;
- err:
- if (decrypted) {
- tor_free(decrypted);
- }
- *decrypted_out = NULL;
- result_len = 0;
- done:
- memwipe(secret_data, 0, secret_data_len);
- memwipe(secret_key, 0, sizeof(secret_key));
- memwipe(secret_iv, 0, sizeof(secret_iv));
- tor_free(secret_data);
- return result_len;
- }
- /* Decrypt the superencrypted section of the descriptor using the given
- * descriptor object <b>desc</b>. A newly allocated NUL terminated string is
- * put in decrypted_out which contains the superencrypted layer of the
- * descriptor. Return the length of decrypted_out on success else 0 is
- * returned and decrypted_out is set to NULL. */
- static size_t
- desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
- {
- size_t superencrypted_len = 0;
- char *superencrypted_plaintext = NULL;
- tor_assert(desc);
- tor_assert(decrypted_out);
- superencrypted_len = decrypt_desc_layer(desc,
- desc->plaintext_data.superencrypted_blob,
- desc->plaintext_data.superencrypted_blob_size,
- NULL, 1, &superencrypted_plaintext);
- if (!superencrypted_len) {
- log_warn(LD_REND, "Decrypting superencrypted desc failed.");
- goto done;
- }
- tor_assert(superencrypted_plaintext);
- done:
- /* In case of error, superencrypted_plaintext is already NULL, so the
- * following line makes sense. */
- *decrypted_out = superencrypted_plaintext;
- /* This makes sense too, because, in case of error, this is zero. */
- return superencrypted_len;
- }
- /* Decrypt the encrypted section of the descriptor using the given descriptor
- * object <b>desc</b>. A newly allocated NUL terminated string is put in
- * decrypted_out which contains the encrypted layer of the descriptor.
- * Return the length of decrypted_out on success else 0 is returned and
- * decrypted_out is set to NULL. */
- static size_t
- desc_decrypt_encrypted(const hs_descriptor_t *desc,
- const curve25519_secret_key_t *client_auth_sk,
- char **decrypted_out)
- {
- size_t encrypted_len = 0;
- char *encrypted_plaintext = NULL;
- uint8_t *descriptor_cookie = NULL;
- tor_assert(desc);
- tor_assert(desc->superencrypted_data.clients);
- tor_assert(decrypted_out);
- /* If the client secret key is provided, try to find a valid descriptor
- * cookie. Otherwise, leave it NULL. */
- if (client_auth_sk) {
- SMARTLIST_FOREACH_BEGIN(desc->superencrypted_data.clients,
- hs_desc_authorized_client_t *, client) {
- /* If we can decrypt the descriptor cookie successfully, we will use that
- * descriptor cookie and break from the loop. */
- if (!decrypt_descriptor_cookie(desc, client, client_auth_sk,
- &descriptor_cookie)) {
- break;
- }
- } SMARTLIST_FOREACH_END(client);
- }
- encrypted_len = decrypt_desc_layer(desc,
- desc->superencrypted_data.encrypted_blob,
- desc->superencrypted_data.encrypted_blob_size,
- descriptor_cookie, 0, &encrypted_plaintext);
- if (!encrypted_len) {
- log_warn(LD_REND, "Decrypting encrypted desc failed.");
- goto err;
- }
- tor_assert(encrypted_plaintext);
- err:
- /* In case of error, encrypted_plaintext is already NULL, so the
- * following line makes sense. */
- *decrypted_out = encrypted_plaintext;
- if (descriptor_cookie) {
- memwipe(descriptor_cookie, 0, HS_DESC_DESCRIPTOR_COOKIE_LEN);
- }
- tor_free(descriptor_cookie);
- /* This makes sense too, because, in case of error, this is zero. */
- return encrypted_len;
- }
- /* Given the token tok for an intro point legacy key, the list of tokens, the
- * introduction point ip being decoded and the descriptor desc from which it
- * comes from, decode the legacy key and set the intro point object. Return 0
- * on success else -1 on failure. */
- static int
- decode_intro_legacy_key(const directory_token_t *tok,
- smartlist_t *tokens,
- hs_desc_intro_point_t *ip,
- const hs_descriptor_t *desc)
- {
- tor_assert(tok);
- tor_assert(tokens);
- tor_assert(ip);
- tor_assert(desc);
- if (!crypto_pk_public_exponent_ok(tok->key)) {
- log_warn(LD_REND, "Introduction point legacy key is invalid");
- goto err;
- }
- ip->legacy.key = crypto_pk_dup_key(tok->key);
- /* Extract the legacy cross certification cert which MUST be present if we
- * have a legacy key. */
- tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY_CERT);
- if (!tok) {
- log_warn(LD_REND, "Introduction point legacy key cert is missing");
- goto err;
- }
- tor_assert(tok->object_body);
- if (strcmp(tok->object_type, "CROSSCERT")) {
- /* Info level because this might be an unknown field that we should
- * ignore. */
- log_info(LD_REND, "Introduction point legacy encryption key "
- "cross-certification has an unknown format.");
- goto err;
- }
- /* Keep a copy of the certificate. */
- ip->legacy.cert.encoded = tor_memdup(tok->object_body, tok->object_size);
- ip->legacy.cert.len = tok->object_size;
- /* The check on the expiration date is for the entire lifetime of a
- * certificate which is 24 hours. However, a descriptor has a maximum
- * lifetime of 12 hours meaning we have a 12h difference between the two
- * which ultimately accommodate the clock skewed client. */
- if (rsa_ed25519_crosscert_check(ip->legacy.cert.encoded,
- ip->legacy.cert.len, ip->legacy.key,
- &desc->plaintext_data.signing_pubkey,
- approx_time() - HS_DESC_CERT_LIFETIME)) {
- log_warn(LD_REND, "Unable to check cross-certification on the "
- "introduction point legacy encryption key.");
- ip->cross_certified = 0;
- goto err;
- }
- /* Success. */
- return 0;
- err:
- return -1;
- }
- /* Dig into the descriptor <b>tokens</b> to find the onion key we should use
- * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
- * was found and well-formed, otherwise return -1 in case of errors. */
- static int
- set_intro_point_onion_key(curve25519_public_key_t *onion_key_out,
- const smartlist_t *tokens)
- {
- int retval = -1;
- smartlist_t *onion_keys = NULL;
- tor_assert(onion_key_out);
- onion_keys = find_all_by_keyword(tokens, R3_INTRO_ONION_KEY);
- if (!onion_keys) {
- log_warn(LD_REND, "Descriptor did not contain intro onion keys");
- goto err;
- }
- SMARTLIST_FOREACH_BEGIN(onion_keys, directory_token_t *, tok) {
- /* This field is using GE(2) so for possible forward compatibility, we
- * accept more fields but must be at least 2. */
- tor_assert(tok->n_args >= 2);
- /* Try to find an ntor key, it's the only recognized type right now */
- if (!strcmp(tok->args[0], "ntor")) {
- if (curve25519_public_from_base64(onion_key_out, tok->args[1]) < 0) {
- log_warn(LD_REND, "Introduction point ntor onion-key is invalid");
- goto err;
- }
- /* Got the onion key! Set the appropriate retval */
- retval = 0;
- }
- } SMARTLIST_FOREACH_END(tok);
- /* Log an error if we didn't find it :( */
- if (retval < 0) {
- log_warn(LD_REND, "Descriptor did not contain ntor onion keys");
- }
- err:
- smartlist_free(onion_keys);
- return retval;
- }
- /* Given the start of a section and the end of it, decode a single
- * introduction point from that section. Return a newly allocated introduction
- * point object containing the decoded data. Return NULL if the section can't
- * be decoded. */
- STATIC hs_desc_intro_point_t *
- decode_introduction_point(const hs_descriptor_t *desc, const char *start)
- {
- hs_desc_intro_point_t *ip = NULL;
- memarea_t *area = NULL;
- smartlist_t *tokens = NULL;
- const directory_token_t *tok;
- tor_assert(desc);
- tor_assert(start);
- area = memarea_new();
- tokens = smartlist_new();
- if (tokenize_string(area, start, start + strlen(start),
- tokens, hs_desc_intro_point_v3_token_table, 0) < 0) {
- log_warn(LD_REND, "Introduction point is not parseable");
- goto err;
- }
- /* Ok we seem to have a well formed section containing enough tokens to
- * parse. Allocate our IP object and try to populate it. */
- ip = hs_desc_intro_point_new();
- /* "introduction-point" SP link-specifiers NL */
- tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
- tor_assert(tok->n_args == 1);
- /* Our constructor creates this list by default so free it. */
- smartlist_free(ip->link_specifiers);
- ip->link_specifiers = decode_link_specifiers(tok->args[0]);
- if (!ip->link_specifiers) {
- log_warn(LD_REND, "Introduction point has invalid link specifiers");
- goto err;
- }
- /* "onion-key" SP ntor SP key NL */
- if (set_intro_point_onion_key(&ip->onion_key, tokens) < 0) {
- goto err;
- }
- /* "auth-key" NL certificate NL */
- tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
- tor_assert(tok->object_body);
- if (strcmp(tok->object_type, "ED25519 CERT")) {
- log_warn(LD_REND, "Unexpected object type for introduction auth key");
- goto err;
- }
- /* Parse cert and do some validation. */
- if (cert_parse_and_validate(&ip->auth_key_cert, tok->object_body,
- tok->object_size, CERT_TYPE_AUTH_HS_IP_KEY,
- "introduction point auth-key") < 0) {
- goto err;
- }
- /* Validate authentication certificate with descriptor signing key. */
- if (tor_cert_checksig(ip->auth_key_cert,
- &desc->plaintext_data.signing_pubkey, 0) < 0) {
- log_warn(LD_REND, "Invalid authentication key signature: %s",
- tor_cert_describe_signature_status(ip->auth_key_cert));
- goto err;
- }
- /* Exactly one "enc-key" SP "ntor" SP key NL */
- tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
- if (!strcmp(tok->args[0], "ntor")) {
- /* This field is using GE(2) so for possible forward compatibility, we
- * accept more fields but must be at least 2. */
- tor_assert(tok->n_args >= 2);
- if (curve25519_public_from_base64(&ip->enc_key, tok->args[1]) < 0) {
- log_warn(LD_REND, "Introduction point ntor enc-key is invalid");
- goto err;
- }
- } else {
- /* Unknown key type so we can't use that introduction point. */
- log_warn(LD_REND, "Introduction point encryption key is unrecognized.");
- goto err;
- }
- /* Exactly once "enc-key-cert" NL certificate NL */
- tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
- tor_assert(tok->object_body);
- /* Do the cross certification. */
- if (strcmp(tok->object_type, "ED25519 CERT")) {
- log_warn(LD_REND, "Introduction point ntor encryption key "
- "cross-certification has an unknown format.");
- goto err;
- }
- if (cert_parse_and_validate(&ip->enc_key_cert, tok->object_body,
- tok->object_size, CERT_TYPE_CROSS_HS_IP_KEYS,
- "introduction point enc-key-cert") < 0) {
- goto err;
- }
- if (tor_cert_checksig(ip->enc_key_cert,
- &desc->plaintext_data.signing_pubkey, 0) < 0) {
- log_warn(LD_REND, "Invalid encryption key signature: %s",
- tor_cert_describe_signature_status(ip->enc_key_cert));
- goto err;
- }
- /* It is successfully cross certified. Flag the object. */
- ip->cross_certified = 1;
- /* Do we have a "legacy-key" SP key NL ?*/
- tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY);
- if (tok) {
- if (decode_intro_legacy_key(tok, tokens, ip, desc) < 0) {
- goto err;
- }
- }
- /* Introduction point has been parsed successfully. */
- goto done;
- err:
- hs_desc_intro_point_free(ip);
- ip = NULL;
- done:
- SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
- smartlist_free(tokens);
- if (area) {
- memarea_drop_all(area);
- }
- return ip;
- }
- /* Given a descriptor string at <b>data</b>, decode all possible introduction
- * points that we can find. Add the introduction point object to desc_enc as we
- * find them. This function can't fail and it is possible that zero
- * introduction points can be decoded. */
- static void
- decode_intro_points(const hs_descriptor_t *desc,
- hs_desc_encrypted_data_t *desc_enc,
- const char *data)
- {
- smartlist_t *chunked_desc = smartlist_new();
- smartlist_t *intro_points = smartlist_new();
- tor_assert(desc);
- tor_assert(desc_enc);
- tor_assert(data);
- tor_assert(desc_enc->intro_points);
- /* Take the desc string, and extract the intro point substrings out of it */
- {
- /* Split the descriptor string using the intro point header as delimiter */
- smartlist_split_string(chunked_desc, data, str_intro_point_start, 0, 0);
- /* Check if there are actually any intro points included. The first chunk
- * should be other descriptor fields (e.g. create2-formats), so it's not an
- * intro point. */
- if (smartlist_len(chunked_desc) < 2) {
- goto done;
- }
- }
- /* Take the intro point substrings, and prepare them for parsing */
- {
- int i = 0;
- /* Prepend the introduction-point header to all the chunks, since
- smartlist_split_string() devoured it. */
- SMARTLIST_FOREACH_BEGIN(chunked_desc, char *, chunk) {
- /* Ignore first chunk. It's other descriptor fields. */
- if (i++ == 0) {
- continue;
- }
- smartlist_add_asprintf(intro_points, "%s %s", str_intro_point, chunk);
- } SMARTLIST_FOREACH_END(chunk);
- }
- /* Parse the intro points! */
- SMARTLIST_FOREACH_BEGIN(intro_points, const char *, intro_point) {
- hs_desc_intro_point_t *ip = decode_introduction_point(desc, intro_point);
- if (!ip) {
- /* Malformed introduction point section. We'll ignore this introduction
- * point and continue parsing. New or unknown fields are possible for
- * forward compatibility. */
- continue;
- }
- smartlist_add(desc_enc->intro_points, ip);
- } SMARTLIST_FOREACH_END(intro_point);
- done:
- SMARTLIST_FOREACH(chunked_desc, char *, a, tor_free(a));
- smartlist_free(chunked_desc);
- SMARTLIST_FOREACH(intro_points, char *, a, tor_free(a));
- smartlist_free(intro_points);
- }
- /* Return 1 iff the given base64 encoded signature in b64_sig from the encoded
- * descriptor in encoded_desc validates the descriptor content. */
- STATIC int
- desc_sig_is_valid(const char *b64_sig,
- const ed25519_public_key_t *signing_pubkey,
- const char *encoded_desc, size_t encoded_len)
- {
- int ret = 0;
- ed25519_signature_t sig;
- const char *sig_start;
- tor_assert(b64_sig);
- tor_assert(signing_pubkey);
- tor_assert(encoded_desc);
- /* Verifying nothing won't end well :). */
- tor_assert(encoded_len > 0);
- /* Signature length check. */
- if (strlen(b64_sig) != ED25519_SIG_BASE64_LEN) {
- log_warn(LD_REND, "Service descriptor has an invalid signature length."
- "Exptected %d but got %lu",
- ED25519_SIG_BASE64_LEN, (unsigned long) strlen(b64_sig));
- goto err;
- }
- /* First, convert base64 blob to an ed25519 signature. */
- if (ed25519_signature_from_base64(&sig, b64_sig) != 0) {
- log_warn(LD_REND, "Service descriptor does not contain a valid "
- "signature");
- goto err;
- }
- /* Find the start of signature. */
- sig_start = tor_memstr(encoded_desc, encoded_len, "\n" str_signature " ");
- /* Getting here means the token parsing worked for the signature so if we
- * can't find the start of the signature, we have a code flow issue. */
- if (!sig_start) {
- log_warn(LD_GENERAL, "Malformed signature line. Rejecting.");
- goto err;
- }
- /* Skip newline, it has to go in the signature check. */
- sig_start++;
- /* Validate signature with the full body of the descriptor. */
- if (ed25519_checksig_prefixed(&sig,
- (const uint8_t *) encoded_desc,
- sig_start - encoded_desc,
- str_desc_sig_prefix,
- signing_pubkey) != 0) {
- log_warn(LD_REND, "Invalid signature on service descriptor");
- goto err;
- }
- /* Valid signature! All is good. */
- ret = 1;
- err:
- return ret;
- }
- /* Decode descriptor plaintext data for version 3. Given a list of tokens, an
- * allocated plaintext object that will be populated and the encoded
- * descriptor with its length. The last one is needed for signature
- * verification. Unknown tokens are simply ignored so this won't error on
- * unknowns but requires that all v3 token be present and valid.
- *
- * Return 0 on success else a negative value. */
- static int
- desc_decode_plaintext_v3(smartlist_t *tokens,
- hs_desc_plaintext_data_t *desc,
- const char *encoded_desc, size_t encoded_len)
- {
- int ok;
- directory_token_t *tok;
- tor_assert(tokens);
- tor_assert(desc);
- /* Version higher could still use this function to decode most of the
- * descriptor and then they decode the extra part. */
- tor_assert(desc->version >= 3);
- /* Descriptor lifetime parsing. */
- tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
- tor_assert(tok->n_args == 1);
- desc->lifetime_sec = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
- UINT32_MAX, &ok, NULL);
- if (!ok) {
- log_warn(LD_REND, "Service descriptor lifetime value is invalid");
- goto err;
- }
- /* Put it from minute to second. */
- desc->lifetime_sec *= 60;
- if (desc->lifetime_sec > HS_DESC_MAX_LIFETIME) {
- log_warn(LD_REND, "Service descriptor lifetime is too big. "
- "Got %" PRIu32 " but max is %d",
- desc->lifetime_sec, HS_DESC_MAX_LIFETIME);
- goto err;
- }
- /* Descriptor signing certificate. */
- tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
- tor_assert(tok->object_body);
- /* Expecting a prop220 cert with the signing key extension, which contains
- * the blinded public key. */
- if (strcmp(tok->object_type, "ED25519 CERT") != 0) {
- log_warn(LD_REND, "Service descriptor signing cert wrong type (%s)",
- escaped(tok->object_type));
- goto err;
- }
- if (cert_parse_and_validate(&desc->signing_key_cert, tok->object_body,
- tok->object_size, CERT_TYPE_SIGNING_HS_DESC,
- "service descriptor signing key") < 0) {
- goto err;
- }
- /* Copy the public keys into signing_pubkey and blinded_pubkey */
- memcpy(&desc->signing_pubkey, &desc->signing_key_cert->signed_key,
- sizeof(ed25519_public_key_t));
- memcpy(&desc->blinded_pubkey, &desc->signing_key_cert->signing_key,
- sizeof(ed25519_public_key_t));
- /* Extract revision counter value. */
- tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
- tor_assert(tok->n_args == 1);
- desc->revision_counter = tor_parse_uint64(tok->args[0], 10, 0,
- UINT64_MAX, &ok, NULL);
- if (!ok) {
- log_warn(LD_REND, "Service descriptor revision-counter is invalid");
- goto err;
- }
- /* Extract the superencrypted data section. */
- tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
- tor_assert(tok->object_body);
- if (strcmp(tok->object_type, "MESSAGE") != 0) {
- log_warn(LD_REND, "Desc superencrypted data section is invalid");
- goto err;
- }
- /* Make sure the length of the superencrypted blob is valid. */
- if (!encrypted_data_length_is_valid(tok->object_size)) {
- goto err;
- }
- /* Copy the superencrypted blob to the descriptor object so we can handle it
- * latter if needed. */
- desc->superencrypted_blob = tor_memdup(tok->object_body, tok->object_size);
- desc->superencrypted_blob_size = tok->object_size;
- /* Extract signature and verify it. */
- tok = find_by_keyword(tokens, R3_SIGNATURE);
- tor_assert(tok->n_args == 1);
- /* First arg here is the actual encoded signature. */
- if (!desc_sig_is_valid(tok->args[0], &desc->signing_pubkey,
- encoded_desc, encoded_len)) {
- goto err;
- }
- return 0;
- err:
- return -1;
- }
- /* Decode the version 3 superencrypted section of the given descriptor desc.
- * The desc_superencrypted_out will be populated with the decoded data.
- * Return 0 on success else -1. */
- static int
- desc_decode_superencrypted_v3(const hs_descriptor_t *desc,
- hs_desc_superencrypted_data_t *
- desc_superencrypted_out)
- {
- int ret = -1;
- char *message = NULL;
- size_t message_len;
- memarea_t *area = NULL;
- directory_token_t *tok;
- smartlist_t *tokens = NULL;
- /* Rename the parameter because it is too long. */
- hs_desc_superencrypted_data_t *superencrypted = desc_superencrypted_out;
- tor_assert(desc);
- tor_assert(desc_superencrypted_out);
- /* Decrypt the superencrypted data that is located in the plaintext section
- * in the descriptor as a blob of bytes. */
- message_len = desc_decrypt_superencrypted(desc, &message);
- if (!message_len) {
- log_warn(LD_REND, "Service descriptor decryption failed.");
- goto err;
- }
- tor_assert(message);
- area = memarea_new();
- tokens = smartlist_new();
- if (tokenize_string(area, message, message + message_len,
- tokens, hs_desc_superencrypted_v3_token_table, 0) < 0) {
- log_warn(LD_REND, "Superencrypted service descriptor is not parseable.");
- goto err;
- }
- /* Verify desc auth type */
- tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
- tor_assert(tok->n_args >= 1);
- if (strcmp(tok->args[0], "x25519")) {
- log_warn(LD_DIR, "Unrecognized desc auth type");
- goto err;
- }
- /* Extract desc auth ephemeral key */
- tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
- tor_assert(tok->n_args >= 1);
- if (curve25519_public_from_base64(&superencrypted->auth_ephemeral_pubkey,
- tok->args[0]) < 0) {
- log_warn(LD_DIR, "Bogus desc auth ephemeral key in HS desc");
- goto err;
- }
- /* Extract desc auth client items */
- if (!superencrypted->clients) {
- superencrypted->clients = smartlist_new();
- }
- SMARTLIST_FOREACH_BEGIN(tokens, const directory_token_t *, token) {
- if (token->tp == R3_DESC_AUTH_CLIENT) {
- tor_assert(token->n_args >= 3);
- hs_desc_authorized_client_t *client =
- tor_malloc_zero(sizeof(hs_desc_authorized_client_t));
- if (decode_auth_client(token, client) < 0) {
- log_warn(LD_REND, "Descriptor client authorization section can't "
- "be decoded.");
- tor_free(client);
- goto err;
- }
- smartlist_add(superencrypted->clients, client);
- }
- } SMARTLIST_FOREACH_END(token);
- /* Extract the encrypted data section. */
- tok = find_by_keyword(tokens, R3_ENCRYPTED);
- tor_assert(tok->object_body);
- if (strcmp(tok->object_type, "MESSAGE") != 0) {
- log_warn(LD_REND, "Desc encrypted data section is invalid");
- goto err;
- }
- /* Make sure the length of the encrypted blob is valid. */
- if (!encrypted_data_length_is_valid(tok->object_size)) {
- goto err;
- }
- /* Copy the encrypted blob to the descriptor object so we can handle it
- * latter if needed. */
- tor_assert(tok->object_size <= INT_MAX);
- superencrypted->encrypted_blob = tor_memdup(tok->object_body,
- tok->object_size);
- superencrypted->encrypted_blob_size = tok->object_size;
- ret = 0;
- goto done;
- err:
- tor_assert(ret < 0);
- hs_desc_superencrypted_data_free_contents(desc_superencrypted_out);
- done:
- if (tokens) {
- SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
- smartlist_free(tokens);
- }
- if (area) {
- memarea_drop_all(area);
- }
- if (message) {
- tor_free(message);
- }
- return ret;
- }
- /* Decode the version 3 encrypted section of the given descriptor desc. The
- * desc_encrypted_out will be populated with the decoded data. Return 0 on
- * success else -1. */
- static int
- desc_decode_encrypted_v3(const hs_descriptor_t *desc,
- const curve25519_secret_key_t *client_auth_sk,
- hs_desc_encrypted_data_t *desc_encrypted_out)
- {
- int ret = -1;
- char *message = NULL;
- size_t message_len;
- memarea_t *area = NULL;
- directory_token_t *tok;
- smartlist_t *tokens = NULL;
- tor_assert(desc);
- tor_assert(desc_encrypted_out);
- /* Decrypt the encrypted data that is located in the superencrypted section
- * in the descriptor as a blob of bytes. */
- message_len = desc_decrypt_encrypted(desc, client_auth_sk, &message);
- if (!message_len) {
- log_warn(LD_REND, "Service descriptor decryption failed.");
- goto err;
- }
- tor_assert(message);
- area = memarea_new();
- tokens = smartlist_new();
- if (tokenize_string(area, message, message + message_len,
- tokens, hs_desc_encrypted_v3_token_table, 0) < 0) {
- log_warn(LD_REND, "Encrypted service descriptor is not parseable.");
- goto err;
- }
- /* CREATE2 supported cell format. It's mandatory. */
- tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
- tor_assert(tok);
- decode_create2_list(desc_encrypted_out, tok->args[0]);
- /* Must support ntor according to the specification */
- if (!desc_encrypted_out->create2_ntor) {
- log_warn(LD_REND, "Service create2-formats does not include ntor.");
- goto err;
- }
- /* Authentication type. It's optional but only once. */
- tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
- if (tok) {
- if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
- log_warn(LD_REND, "Service descriptor authentication type has "
- "invalid entry(ies).");
- goto err;
- }
- }
- /* Is this service a single onion service? */
- tok = find_opt_by_keyword(tokens, R3_SINGLE_ONION_SERVICE);
- if (tok) {
- desc_encrypted_out->single_onion_service = 1;
- }
- /* Initialize the descriptor's introduction point list before we start
- * decoding. Having 0 intro point is valid. Then decode them all. */
- desc_encrypted_out->intro_points = smartlist_new();
- decode_intro_points(desc, desc_encrypted_out, message);
- /* Validation of maximum introduction points allowed. */
- if (smartlist_len(desc_encrypted_out->intro_points) >
- HS_CONFIG_V3_MAX_INTRO_POINTS) {
- log_warn(LD_REND, "Service descriptor contains too many introduction "
- "points. Maximum allowed is %d but we have %d",
- HS_CONFIG_V3_MAX_INTRO_POINTS,
- smartlist_len(desc_encrypted_out->intro_points));
- goto err;
- }
- /* NOTE: Unknown fields are allowed because this function could be used to
- * decode other descriptor version. */
- ret = 0;
- goto done;
- err:
- tor_assert(ret < 0);
- hs_desc_encrypted_data_free_contents(desc_encrypted_out);
- done:
- if (tokens) {
- SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
- smartlist_free(tokens);
- }
- if (area) {
- memarea_drop_all(area);
- }
- if (message) {
- tor_free(message);
- }
- return ret;
- }
- /* Table of encrypted decode function version specific. The function are
- * indexed by the version number so v3 callback is at index 3 in the array. */
- static int
- (*decode_encrypted_handlers[])(
- const hs_descriptor_t *desc,
- const curve25519_secret_key_t *client_auth_sk,
- hs_desc_encrypted_data_t *desc_encrypted) =
- {
- /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
- desc_decode_encrypted_v3,
- };
- /* Decode the encrypted data section of the given descriptor and store the
- * data in the given encrypted data object. Return 0 on success else a
- * negative value on error. */
- int
- hs_desc_decode_encrypted(const hs_descriptor_t *desc,
- const curve25519_secret_key_t *client_auth_sk,
- hs_desc_encrypted_data_t *desc_encrypted)
- {
- int ret;
- uint32_t version;
- tor_assert(desc);
- /* Ease our life a bit. */
- version = desc->plaintext_data.version;
- tor_assert(desc_encrypted);
- /* Calling this function without an encrypted blob to parse is a code flow
- * error. The superencrypted parsing should never succeed in the first place
- * without an encrypted section. */
- tor_assert(desc->superencrypted_data.encrypted_blob);
- /* Let's make sure we have a supported version as well. By correctly parsing
- * the plaintext, this should not fail. */
- if (BUG(!hs_desc_is_supported_version(version))) {
- ret = -1;
- goto err;
- }
- /* Extra precaution. Having no handler for the supported version should
- * never happened else we forgot to add it but we bumped the version. */
- tor_assert(ARRAY_LENGTH(decode_encrypted_handlers) >= version);
- tor_assert(decode_encrypted_handlers[version]);
- /* Run the version specific plaintext decoder. */
- ret = decode_encrypted_handlers[version](desc, client_auth_sk,
- desc_encrypted);
- if (ret < 0) {
- goto err;
- }
- err:
- return ret;
- }
- /* Table of superencrypted decode function version specific. The function are
- * indexed by the version number so v3 callback is at index 3 in the array. */
- static int
- (*decode_superencrypted_handlers[])(
- const hs_descriptor_t *desc,
- hs_desc_superencrypted_data_t *desc_superencrypted) =
- {
- /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
- desc_decode_superencrypted_v3,
- };
- /* Decode the superencrypted data section of the given descriptor and store the
- * data in the given superencrypted data object. Return 0 on success else a
- * negative value on error. */
- int
- hs_desc_decode_superencrypted(const hs_descriptor_t *desc,
- hs_desc_superencrypted_data_t *
- desc_superencrypted)
- {
- int ret;
- uint32_t version;
- tor_assert(desc);
- /* Ease our life a bit. */
- version = desc->plaintext_data.version;
- tor_assert(desc_superencrypted);
- /* Calling this function without an superencrypted blob to parse is
- * a code flow error. The plaintext parsing should never succeed in
- * the first place without an superencrypted section. */
- tor_assert(desc->plaintext_data.superencrypted_blob);
- /* Let's make sure we have a supported version as well. By correctly parsing
- * the plaintext, this should not fail. */
- if (BUG(!hs_desc_is_supported_version(version))) {
- ret = -1;
- goto err;
- }
- /* Extra precaution. Having no handler for the supported version should
- * never happened else we forgot to add it but we bumped the version. */
- tor_assert(ARRAY_LENGTH(decode_superencrypted_handlers) >= version);
- tor_assert(decode_superencrypted_handlers[version]);
- /* Run the version specific plaintext decoder. */
- ret = decode_superencrypted_handlers[version](desc, desc_superencrypted);
- if (ret < 0) {
- goto err;
- }
- err:
- return ret;
- }
- /* Table of plaintext decode function version specific. The function are
- * indexed by the version number so v3 callback is at index 3 in the array. */
- static int
- (*decode_plaintext_handlers[])(
- smartlist_t *tokens,
- hs_desc_plaintext_data_t *desc,
- const char *encoded_desc,
- size_t encoded_len) =
- {
- /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
- desc_decode_plaintext_v3,
- };
- /* Fully decode the given descriptor plaintext and store the data in the
- * plaintext data object. Returns 0 on success else a negative value. */
- int
- hs_desc_decode_plaintext(const char *encoded,
- hs_desc_plaintext_data_t *plaintext)
- {
- int ok = 0, ret = -1;
- memarea_t *area = NULL;
- smartlist_t *tokens = NULL;
- size_t encoded_len;
- directory_token_t *tok;
- tor_assert(encoded);
- tor_assert(plaintext);
- /* Check that descriptor is within size limits. */
- encoded_len = strlen(encoded);
- if (encoded_len >= hs_cache_get_max_descriptor_size()) {
- log_warn(LD_REND, "Service descriptor is too big (%lu bytes)",
- (unsigned long) encoded_len);
- goto err;
- }
- area = memarea_new();
- tokens = smartlist_new();
- /* Tokenize the descriptor so we can start to parse it. */
- if (tokenize_string(area, encoded, encoded + encoded_len, tokens,
- hs_desc_v3_token_table, 0) < 0) {
- log_warn(LD_REND, "Service descriptor is not parseable");
- goto err;
- }
- /* Get the version of the descriptor which is the first mandatory field of
- * the descriptor. From there, we'll decode the right descriptor version. */
- tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
- tor_assert(tok->n_args == 1);
- plaintext->version = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
- UINT32_MAX, &ok, NULL);
- if (!ok) {
- log_warn(LD_REND, "Service descriptor has unparseable version %s",
- escaped(tok->args[0]));
- goto err;
- }
- if (!hs_desc_is_supported_version(plaintext->version)) {
- log_warn(LD_REND, "Service descriptor has unsupported version %" PRIu32,
- plaintext->version);
- goto err;
- }
- /* Extra precaution. Having no handler for the supported version should
- * never happened else we forgot to add it but we bumped the version. */
- tor_assert(ARRAY_LENGTH(decode_plaintext_handlers) >= plaintext->version);
- tor_assert(decode_plaintext_handlers[plaintext->version]);
- /* Run the version specific plaintext decoder. */
- ret = decode_plaintext_handlers[plaintext->version](tokens, plaintext,
- encoded, encoded_len);
- if (ret < 0) {
- goto err;
- }
- /* Success. Descriptor has been populated with the data. */
- ret = 0;
- err:
- if (tokens) {
- SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
- smartlist_free(tokens);
- }
- if (area) {
- memarea_drop_all(area);
- }
- return ret;
- }
- /* Fully decode an encoded descriptor and set a newly allocated descriptor
- * object in desc_out. Client secret key is used to decrypt the "encrypted"
- * section if not NULL else it's ignored.
- *
- * Return 0 on success. A negative value is returned on error and desc_out is
- * set to NULL. */
- int
- hs_desc_decode_descriptor(const char *encoded,
- const uint8_t *subcredential,
- const curve25519_secret_key_t *client_auth_sk,
- hs_descriptor_t **desc_out)
- {
- int ret = -1;
- hs_descriptor_t *desc;
- tor_assert(encoded);
- desc = tor_malloc_zero(sizeof(hs_descriptor_t));
- /* Subcredentials are not optional. */
- if (BUG(!subcredential ||
- tor_mem_is_zero((char*)subcredential, DIGEST256_LEN))) {
- log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!");
- goto err;
- }
- memcpy(desc->subcredential, subcredential, sizeof(desc->subcredential));
- ret = hs_desc_decode_plaintext(encoded, &desc->plaintext_data);
- if (ret < 0) {
- goto err;
- }
- ret = hs_desc_decode_superencrypted(desc, &desc->superencrypted_data);
- if (ret < 0) {
- goto err;
- }
- ret = hs_desc_decode_encrypted(desc, client_auth_sk, &desc->encrypted_data);
- if (ret < 0) {
- goto err;
- }
- if (desc_out) {
- *desc_out = desc;
- } else {
- hs_descriptor_free(desc);
- }
- return ret;
- err:
- hs_descriptor_free(desc);
- if (desc_out) {
- *desc_out = NULL;
- }
- tor_assert(ret < 0);
- return ret;
- }
- /* Table of encode function version specific. The functions are indexed by the
- * version number so v3 callback is at index 3 in the array. */
- static int
- (*encode_handlers[])(
- const hs_descriptor_t *desc,
- const ed25519_keypair_t *signing_kp,
- const uint8_t *descriptor_cookie,
- char **encoded_out) =
- {
- /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
- desc_encode_v3,
- };
- /* Encode the given descriptor desc including signing with the given key pair
- * signing_kp and encrypting with the given descriptor cookie.
- *
- * If the client authorization is enabled, descriptor_cookie must be the same
- * as the one used to build hs_desc_authorized_client_t in the descriptor.
- * Otherwise, it must be NULL. On success, encoded_out points to a newly
- * allocated NUL terminated string that contains the encoded descriptor as
- * a string.
- *
- * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
- * returned and encoded_out is set to NULL. */
- MOCK_IMPL(int,
- hs_desc_encode_descriptor,(const hs_descriptor_t *desc,
- const ed25519_keypair_t *signing_kp,
- const uint8_t *descriptor_cookie,
- char **encoded_out))
- {
- int ret = -1;
- uint32_t version;
- tor_assert(desc);
- tor_assert(encoded_out);
- /* Make sure we support the version of the descriptor format. */
- version = desc->plaintext_data.version;
- if (!hs_desc_is_supported_version(version)) {
- goto err;
- }
- /* Extra precaution. Having no handler for the supported version should
- * never happened else we forgot to add it but we bumped the version. */
- tor_assert(ARRAY_LENGTH(encode_handlers) >= version);
- tor_assert(encode_handlers[version]);
- ret = encode_handlers[version](desc, signing_kp,
- descriptor_cookie, encoded_out);
- if (ret < 0) {
- goto err;
- }
- /* Try to decode what we just encoded. Symmetry is nice!, but it is
- * symmetric only if the client auth is disabled. That is, the descriptor
- * cookie will be NULL. */
- if (!descriptor_cookie) {
- ret = hs_desc_decode_descriptor(*encoded_out, desc->subcredential,
- NULL, NULL);
- if (BUG(ret < 0)) {
- goto err;
- }
- }
- return 0;
- err:
- *encoded_out = NULL;
- return ret;
- }
- /* Free the content of the plaintext section of a descriptor. */
- void
- hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)
- {
- if (!desc) {
- return;
- }
- if (desc->superencrypted_blob) {
- tor_free(desc->superencrypted_blob);
- }
- tor_cert_free(desc->signing_key_cert);
- memwipe(desc, 0, sizeof(*desc));
- }
- /* Free the content of the superencrypted section of a descriptor. */
- void
- hs_desc_superencrypted_data_free_contents(hs_desc_superencrypted_data_t *desc)
- {
- if (!desc) {
- return;
- }
- if (desc->encrypted_blob) {
- tor_free(desc->encrypted_blob);
- }
- if (desc->clients) {
- SMARTLIST_FOREACH(desc->clients, hs_desc_authorized_client_t *, client,
- hs_desc_authorized_client_free(client));
- smartlist_free(desc->clients);
- }
- memwipe(desc, 0, sizeof(*desc));
- }
- /* Free the content of the encrypted section of a descriptor. */
- void
- hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
- {
- if (!desc) {
- return;
- }
- if (desc->intro_auth_types) {
- SMARTLIST_FOREACH(desc->intro_auth_types, char *, a, tor_free(a));
- smartlist_free(desc->intro_auth_types);
- }
- if (desc->intro_points) {
- SMARTLIST_FOREACH(desc->intro_points, hs_desc_intro_point_t *, ip,
- hs_desc_intro_point_free(ip));
- smartlist_free(desc->intro_points);
- }
- memwipe(desc, 0, sizeof(*desc));
- }
- /* Free the descriptor plaintext data object. */
- void
- hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
- {
- hs_desc_plaintext_data_free_contents(desc);
- tor_free(desc);
- }
- /* Free the descriptor plaintext data object. */
- void
- hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc)
- {
- hs_desc_superencrypted_data_free_contents(desc);
- tor_free(desc);
- }
- /* Free the descriptor encrypted data object. */
- void
- hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
- {
- hs_desc_encrypted_data_free_contents(desc);
- tor_free(desc);
- }
- /* Free the given descriptor object. */
- void
- hs_descriptor_free_(hs_descriptor_t *desc)
- {
- if (!desc) {
- return;
- }
- hs_desc_plaintext_data_free_contents(&desc->plaintext_data);
- hs_desc_superencrypted_data_free_contents(&desc->superencrypted_data);
- hs_desc_encrypted_data_free_contents(&desc->encrypted_data);
- tor_free(desc);
- }
- /* Return the size in bytes of the given plaintext data object. A sizeof() is
- * not enough because the object contains pointers and the encrypted blob.
- * This is particularly useful for our OOM subsystem that tracks the HSDir
- * cache size for instance. */
- size_t
- hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
- {
- tor_assert(data);
- return (sizeof(*data) + sizeof(*data->signing_key_cert) +
- data->superencrypted_blob_size);
- }
- /* Return the size in bytes of the given encrypted data object. Used by OOM
- * subsystem. */
- static size_t
- hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
- {
- tor_assert(data);
- size_t intro_size = 0;
- if (data->intro_auth_types) {
- intro_size +=
- smartlist_len(data->intro_auth_types) * sizeof(intro_auth_types);
- }
- if (data->intro_points) {
- /* XXX could follow pointers here and get more accurate size */
- intro_size +=
- smartlist_len(data->intro_points) * sizeof(hs_desc_intro_point_t);
- }
- return sizeof(*data) + intro_size;
- }
- /* Return the size in bytes of the given descriptor object. Used by OOM
- * subsystem. */
- size_t
- hs_desc_obj_size(const hs_descriptor_t *data)
- {
- tor_assert(data);
- return (hs_desc_plaintext_obj_size(&data->plaintext_data) +
- hs_desc_encrypted_obj_size(&data->encrypted_data) +
- sizeof(data->subcredential));
- }
- /* Return a newly allocated descriptor intro point. */
- hs_desc_intro_point_t *
- hs_desc_intro_point_new(void)
- {
- hs_desc_intro_point_t *ip = tor_malloc_zero(sizeof(*ip));
- ip->link_specifiers = smartlist_new();
- return ip;
- }
- /* Free a descriptor intro point object. */
- void
- hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
- {
- if (ip == NULL) {
- return;
- }
- if (ip->link_specifiers) {
- SMARTLIST_FOREACH(ip->link_specifiers, hs_desc_link_specifier_t *,
- ls, hs_desc_link_specifier_free(ls));
- smartlist_free(ip->link_specifiers);
- }
- tor_cert_free(ip->auth_key_cert);
- tor_cert_free(ip->enc_key_cert);
- crypto_pk_free(ip->legacy.key);
- tor_free(ip->legacy.cert.encoded);
- tor_free(ip);
- }
- /* Allocate and build a new fake client info for the descriptor. Return a
- * newly allocated object. This can't fail. */
- hs_desc_authorized_client_t *
- hs_desc_build_fake_authorized_client(void)
- {
- hs_desc_authorized_client_t *client_auth =
- tor_malloc_zero(sizeof(*client_auth));
- crypto_rand((char *) client_auth->client_id,
- sizeof(client_auth->client_id));
- crypto_rand((char *) client_auth->iv,
- sizeof(client_auth->iv));
- crypto_rand((char *) client_auth->encrypted_cookie,
- sizeof(client_auth->encrypted_cookie));
- return client_auth;
- }
- /* Using the service's subcredential, client public key, auth ephemeral secret
- * key, and descriptor cookie, build the auth client so we can then encode the
- * descriptor for publication. client_out must be already allocated. */
- void
- hs_desc_build_authorized_client(const uint8_t *subcredential,
- const curve25519_public_key_t *client_auth_pk,
- const curve25519_secret_key_t *
- auth_ephemeral_sk,
- const uint8_t *descriptor_cookie,
- hs_desc_authorized_client_t *client_out)
- {
- uint8_t secret_seed[CURVE25519_OUTPUT_LEN];
- uint8_t keystream[HS_DESC_CLIENT_ID_LEN + HS_DESC_COOKIE_KEY_LEN];
- uint8_t *cookie_key;
- crypto_cipher_t *cipher;
- crypto_xof_t *xof;
- tor_assert(client_auth_pk);
- tor_assert(auth_ephemeral_sk);
- tor_assert(descriptor_cookie);
- tor_assert(client_out);
- tor_assert(subcredential);
- tor_assert(!tor_mem_is_zero((char *) auth_ephemeral_sk,
- sizeof(*auth_ephemeral_sk)));
- tor_assert(!tor_mem_is_zero((char *) client_auth_pk,
- sizeof(*client_auth_pk)));
- tor_assert(!tor_mem_is_zero((char *) descriptor_cookie,
- HS_DESC_DESCRIPTOR_COOKIE_LEN));
- tor_assert(!tor_mem_is_zero((char *) subcredential,
- DIGEST256_LEN));
- /* Calculate x25519(hs_y, client_X) */
- curve25519_handshake(secret_seed,
- auth_ephemeral_sk,
- client_auth_pk);
- /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
- xof = crypto_xof_new();
- crypto_xof_add_bytes(xof, subcredential, DIGEST256_LEN);
- crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
- crypto_xof_squeeze_bytes(xof, keystream, sizeof(keystream));
- crypto_xof_free(xof);
- memcpy(client_out->client_id, keystream, HS_DESC_CLIENT_ID_LEN);
- cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
- /* Random IV */
- crypto_strongest_rand(client_out->iv, sizeof(client_out->iv));
- /* This creates a cipher for AES. It can't fail. */
- cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client_out->iv,
- HS_DESC_COOKIE_KEY_BIT_SIZE);
- /* This can't fail. */
- crypto_cipher_encrypt(cipher, (char *) client_out->encrypted_cookie,
- (const char *) descriptor_cookie,
- HS_DESC_DESCRIPTOR_COOKIE_LEN);
- memwipe(secret_seed, 0, sizeof(secret_seed));
- memwipe(keystream, 0, sizeof(keystream));
- crypto_cipher_free(cipher);
- }
- /* Free an authoriezd client object. */
- void
- hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client)
- {
- tor_free(client);
- }
- /* Free the given descriptor link specifier. */
- void
- hs_desc_link_specifier_free_(hs_desc_link_specifier_t *ls)
- {
- if (ls == NULL) {
- return;
- }
- tor_free(ls);
- }
- /* Return a newly allocated descriptor link specifier using the given extend
- * info and requested type. Return NULL on error. */
- hs_desc_link_specifier_t *
- hs_desc_link_specifier_new(const extend_info_t *info, uint8_t type)
- {
- hs_desc_link_specifier_t *ls = NULL;
- tor_assert(info);
- ls = tor_malloc_zero(sizeof(*ls));
- ls->type = type;
- switch (ls->type) {
- case LS_IPV4:
- if (info->addr.family != AF_INET) {
- goto err;
- }
- tor_addr_copy(&ls->u.ap.addr, &info->addr);
- ls->u.ap.port = info->port;
- break;
- case LS_IPV6:
- if (info->addr.family != AF_INET6) {
- goto err;
- }
- tor_addr_copy(&ls->u.ap.addr, &info->addr);
- ls->u.ap.port = info->port;
- break;
- case LS_LEGACY_ID:
- /* Bug out if the identity digest is not set */
- if (BUG(tor_mem_is_zero(info->identity_digest,
- sizeof(info->identity_digest)))) {
- goto err;
- }
- memcpy(ls->u.legacy_id, info->identity_digest, sizeof(ls->u.legacy_id));
- break;
- case LS_ED25519_ID:
- /* ed25519 keys are optional for intro points */
- if (ed25519_public_key_is_zero(&info->ed_identity)) {
- goto err;
- }
- memcpy(ls->u.ed25519_id, info->ed_identity.pubkey,
- sizeof(ls->u.ed25519_id));
- break;
- default:
- /* Unknown type is code flow error. */
- tor_assert(0);
- }
- return ls;
- err:
- tor_free(ls);
- return NULL;
- }
- /* From the given descriptor, remove and free every introduction point. */
- void
- hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
- {
- smartlist_t *ips;
- tor_assert(desc);
- ips = desc->encrypted_data.intro_points;
- if (ips) {
- SMARTLIST_FOREACH(ips, hs_desc_intro_point_t *,
- ip, hs_desc_intro_point_free(ip));
- smartlist_clear(ips);
- }
- }
- /* From a descriptor link specifier object spec, returned a newly allocated
- * link specifier object that is the encoded representation of spec. Return
- * NULL on error. */
- link_specifier_t *
- hs_desc_lspec_to_trunnel(const hs_desc_link_specifier_t *spec)
- {
- tor_assert(spec);
- link_specifier_t *ls = link_specifier_new();
- link_specifier_set_ls_type(ls, spec->type);
- switch (spec->type) {
- case LS_IPV4:
- link_specifier_set_un_ipv4_addr(ls,
- tor_addr_to_ipv4h(&spec->u.ap.addr));
- link_specifier_set_un_ipv4_port(ls, spec->u.ap.port);
- /* Four bytes IPv4 and two bytes port. */
- link_specifier_set_ls_len(ls, sizeof(spec->u.ap.addr.addr.in_addr) +
- sizeof(spec->u.ap.port));
- break;
- case LS_IPV6:
- {
- size_t addr_len = link_specifier_getlen_un_ipv6_addr(ls);
- const uint8_t *in6_addr = tor_addr_to_in6_addr8(&spec->u.ap.addr);
- uint8_t *ipv6_array = link_specifier_getarray_un_ipv6_addr(ls);
- memcpy(ipv6_array, in6_addr, addr_len);
- link_specifier_set_un_ipv6_port(ls, spec->u.ap.port);
- /* Sixteen bytes IPv6 and two bytes port. */
- link_specifier_set_ls_len(ls, addr_len + sizeof(spec->u.ap.port));
- break;
- }
- case LS_LEGACY_ID:
- {
- size_t legacy_id_len = link_specifier_getlen_un_legacy_id(ls);
- uint8_t *legacy_id_array = link_specifier_getarray_un_legacy_id(ls);
- memcpy(legacy_id_array, spec->u.legacy_id, legacy_id_len);
- link_specifier_set_ls_len(ls, legacy_id_len);
- break;
- }
- case LS_ED25519_ID:
- {
- size_t ed25519_id_len = link_specifier_getlen_un_ed25519_id(ls);
- uint8_t *ed25519_id_array = link_specifier_getarray_un_ed25519_id(ls);
- memcpy(ed25519_id_array, spec->u.ed25519_id, ed25519_id_len);
- link_specifier_set_ls_len(ls, ed25519_id_len);
- break;
- }
- default:
- tor_assert_nonfatal_unreached();
- link_specifier_free(ls);
- ls = NULL;
- }
- return ls;
- }
|