rendcommon.c 37 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052
  1. /* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  2. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  3. /* See LICENSE for licensing information */
  4. /**
  5. * \file rendcommon.c
  6. * \brief Rendezvous implementation: shared code between
  7. * introducers, services, clients, and rendezvous points.
  8. **/
  9. #define RENDCOMMON_PRIVATE
  10. #include "or.h"
  11. #include "circuitbuild.h"
  12. #include "circuitlist.h"
  13. #include "circuituse.h"
  14. #include "config.h"
  15. #include "control.h"
  16. #include "crypto_rand.h"
  17. #include "crypto_util.h"
  18. #include "hs_client.h"
  19. #include "hs_common.h"
  20. #include "hs_intropoint.h"
  21. #include "networkstatus.h"
  22. #include "rendclient.h"
  23. #include "rendcommon.h"
  24. #include "rendmid.h"
  25. #include "rendservice.h"
  26. #include "rephist.h"
  27. #include "router.h"
  28. #include "routerlist.h"
  29. #include "routerparse.h"
  30. #include "cpath_build_state_st.h"
  31. #include "crypt_path_st.h"
  32. #include "origin_circuit_st.h"
  33. #include "rend_intro_point_st.h"
  34. #include "rend_service_descriptor_st.h"
  35. /** Return 0 if one and two are the same service ids, else -1 or 1 */
  36. int
  37. rend_cmp_service_ids(const char *one, const char *two)
  38. {
  39. return strcasecmp(one,two);
  40. }
  41. /** Free the storage held by the service descriptor <b>desc</b>.
  42. */
  43. void
  44. rend_service_descriptor_free_(rend_service_descriptor_t *desc)
  45. {
  46. if (!desc)
  47. return;
  48. if (desc->pk)
  49. crypto_pk_free(desc->pk);
  50. if (desc->intro_nodes) {
  51. SMARTLIST_FOREACH(desc->intro_nodes, rend_intro_point_t *, intro,
  52. rend_intro_point_free(intro););
  53. smartlist_free(desc->intro_nodes);
  54. }
  55. if (desc->successful_uploads) {
  56. SMARTLIST_FOREACH(desc->successful_uploads, char *, c, tor_free(c););
  57. smartlist_free(desc->successful_uploads);
  58. }
  59. tor_free(desc);
  60. }
  61. /** Length of the descriptor cookie that is used for versioned hidden
  62. * service descriptors. */
  63. #define REND_DESC_COOKIE_LEN 16
  64. /** Length of the replica number that is used to determine the secret ID
  65. * part of versioned hidden service descriptors. */
  66. #define REND_REPLICA_LEN 1
  67. /** Compute the descriptor ID for <b>service_id</b> of length
  68. * <b>REND_SERVICE_ID_LEN</b> and <b>secret_id_part</b> of length
  69. * <b>DIGEST_LEN</b>, and write it to <b>descriptor_id_out</b> of length
  70. * <b>DIGEST_LEN</b>. */
  71. void
  72. rend_get_descriptor_id_bytes(char *descriptor_id_out,
  73. const char *service_id,
  74. const char *secret_id_part)
  75. {
  76. crypto_digest_t *digest = crypto_digest_new();
  77. crypto_digest_add_bytes(digest, service_id, REND_SERVICE_ID_LEN);
  78. crypto_digest_add_bytes(digest, secret_id_part, DIGEST_LEN);
  79. crypto_digest_get_digest(digest, descriptor_id_out, DIGEST_LEN);
  80. crypto_digest_free(digest);
  81. }
  82. /** Compute the secret ID part for time_period,
  83. * a <b>descriptor_cookie</b> of length
  84. * <b>REND_DESC_COOKIE_LEN</b> which may also be <b>NULL</b> if no
  85. * descriptor_cookie shall be used, and <b>replica</b>, and write it to
  86. * <b>secret_id_part</b> of length DIGEST_LEN. */
  87. static void
  88. get_secret_id_part_bytes(char *secret_id_part, uint32_t time_period,
  89. const char *descriptor_cookie, uint8_t replica)
  90. {
  91. crypto_digest_t *digest = crypto_digest_new();
  92. time_period = htonl(time_period);
  93. crypto_digest_add_bytes(digest, (char*)&time_period, sizeof(uint32_t));
  94. if (descriptor_cookie) {
  95. crypto_digest_add_bytes(digest, descriptor_cookie,
  96. REND_DESC_COOKIE_LEN);
  97. }
  98. crypto_digest_add_bytes(digest, (const char *)&replica, REND_REPLICA_LEN);
  99. crypto_digest_get_digest(digest, secret_id_part, DIGEST_LEN);
  100. crypto_digest_free(digest);
  101. }
  102. /** Return the time period for time <b>now</b> plus a potentially
  103. * intended <b>deviation</b> of one or more periods, based on the first byte
  104. * of <b>service_id</b>. */
  105. static uint32_t
  106. get_time_period(time_t now, uint8_t deviation, const char *service_id)
  107. {
  108. /* The time period is the number of REND_TIME_PERIOD_V2_DESC_VALIDITY
  109. * intervals that have passed since the epoch, offset slightly so that
  110. * each service's time periods start and end at a fraction of that
  111. * period based on their first byte. */
  112. return (uint32_t)
  113. (now + ((uint8_t) *service_id) * REND_TIME_PERIOD_V2_DESC_VALIDITY / 256)
  114. / REND_TIME_PERIOD_V2_DESC_VALIDITY + deviation;
  115. }
  116. /** Compute the time in seconds that a descriptor that is generated
  117. * <b>now</b> for <b>service_id</b> will be valid. */
  118. static uint32_t
  119. get_seconds_valid(time_t now, const char *service_id)
  120. {
  121. uint32_t result = REND_TIME_PERIOD_V2_DESC_VALIDITY -
  122. ((uint32_t)
  123. (now + ((uint8_t) *service_id) * REND_TIME_PERIOD_V2_DESC_VALIDITY / 256)
  124. % REND_TIME_PERIOD_V2_DESC_VALIDITY);
  125. return result;
  126. }
  127. /** Compute the binary <b>desc_id_out</b> (DIGEST_LEN bytes long) for a given
  128. * base32-encoded <b>service_id</b> and optional unencoded
  129. * <b>descriptor_cookie</b> of length REND_DESC_COOKIE_LEN,
  130. * at time <b>now</b> for replica number
  131. * <b>replica</b>. <b>desc_id</b> needs to have <b>DIGEST_LEN</b> bytes
  132. * free. Return 0 for success, -1 otherwise. */
  133. int
  134. rend_compute_v2_desc_id(char *desc_id_out, const char *service_id,
  135. const char *descriptor_cookie, time_t now,
  136. uint8_t replica)
  137. {
  138. char service_id_binary[REND_SERVICE_ID_LEN];
  139. char secret_id_part[DIGEST_LEN];
  140. uint32_t time_period;
  141. if (!service_id ||
  142. strlen(service_id) != REND_SERVICE_ID_LEN_BASE32) {
  143. log_warn(LD_REND, "Could not compute v2 descriptor ID: "
  144. "Illegal service ID: %s",
  145. safe_str(service_id));
  146. return -1;
  147. }
  148. if (replica >= REND_NUMBER_OF_NON_CONSECUTIVE_REPLICAS) {
  149. log_warn(LD_REND, "Could not compute v2 descriptor ID: "
  150. "Replica number out of range: %d", replica);
  151. return -1;
  152. }
  153. /* Convert service ID to binary. */
  154. if (base32_decode(service_id_binary, REND_SERVICE_ID_LEN,
  155. service_id, REND_SERVICE_ID_LEN_BASE32) < 0) {
  156. log_warn(LD_REND, "Could not compute v2 descriptor ID: "
  157. "Illegal characters in service ID: %s",
  158. safe_str_client(service_id));
  159. return -1;
  160. }
  161. /* Calculate current time-period. */
  162. time_period = get_time_period(now, 0, service_id_binary);
  163. /* Calculate secret-id-part = h(time-period | desc-cookie | replica). */
  164. get_secret_id_part_bytes(secret_id_part, time_period, descriptor_cookie,
  165. replica);
  166. /* Calculate descriptor ID: H(permanent-id | secret-id-part) */
  167. rend_get_descriptor_id_bytes(desc_id_out, service_id_binary, secret_id_part);
  168. return 0;
  169. }
  170. /** Encode the introduction points in <b>desc</b> and write the result to a
  171. * newly allocated string pointed to by <b>encoded</b>. Return 0 for
  172. * success, -1 otherwise. */
  173. static int
  174. rend_encode_v2_intro_points(char **encoded, rend_service_descriptor_t *desc)
  175. {
  176. size_t unenc_len;
  177. char *unenc = NULL;
  178. size_t unenc_written = 0;
  179. int i;
  180. int r = -1;
  181. /* Assemble unencrypted list of introduction points. */
  182. unenc_len = smartlist_len(desc->intro_nodes) * 1000; /* too long, but ok. */
  183. unenc = tor_malloc_zero(unenc_len);
  184. for (i = 0; i < smartlist_len(desc->intro_nodes); i++) {
  185. char id_base32[REND_INTRO_POINT_ID_LEN_BASE32 + 1];
  186. char *onion_key = NULL;
  187. size_t onion_key_len;
  188. crypto_pk_t *intro_key;
  189. char *service_key = NULL;
  190. char *address = NULL;
  191. size_t service_key_len;
  192. int res;
  193. rend_intro_point_t *intro = smartlist_get(desc->intro_nodes, i);
  194. /* Obtain extend info with introduction point details. */
  195. extend_info_t *info = intro->extend_info;
  196. /* Encode introduction point ID. */
  197. base32_encode(id_base32, sizeof(id_base32),
  198. info->identity_digest, DIGEST_LEN);
  199. /* Encode onion key. */
  200. if (crypto_pk_write_public_key_to_string(info->onion_key, &onion_key,
  201. &onion_key_len) < 0) {
  202. log_warn(LD_REND, "Could not write onion key.");
  203. goto done;
  204. }
  205. /* Encode intro key. */
  206. intro_key = intro->intro_key;
  207. if (!intro_key ||
  208. crypto_pk_write_public_key_to_string(intro_key, &service_key,
  209. &service_key_len) < 0) {
  210. log_warn(LD_REND, "Could not write intro key.");
  211. tor_free(onion_key);
  212. goto done;
  213. }
  214. /* Assemble everything for this introduction point. */
  215. address = tor_addr_to_str_dup(&info->addr);
  216. res = tor_snprintf(unenc + unenc_written, unenc_len - unenc_written,
  217. "introduction-point %s\n"
  218. "ip-address %s\n"
  219. "onion-port %d\n"
  220. "onion-key\n%s"
  221. "service-key\n%s",
  222. id_base32,
  223. address,
  224. info->port,
  225. onion_key,
  226. service_key);
  227. tor_free(address);
  228. tor_free(onion_key);
  229. tor_free(service_key);
  230. if (res < 0) {
  231. log_warn(LD_REND, "Not enough space for writing introduction point "
  232. "string.");
  233. goto done;
  234. }
  235. /* Update total number of written bytes for unencrypted intro points. */
  236. unenc_written += res;
  237. }
  238. /* Finalize unencrypted introduction points. */
  239. if (unenc_len < unenc_written + 2) {
  240. log_warn(LD_REND, "Not enough space for finalizing introduction point "
  241. "string.");
  242. goto done;
  243. }
  244. unenc[unenc_written++] = '\n';
  245. unenc[unenc_written++] = 0;
  246. *encoded = unenc;
  247. r = 0;
  248. done:
  249. if (r<0)
  250. tor_free(unenc);
  251. return r;
  252. }
  253. /** Encrypt the encoded introduction points in <b>encoded</b> using
  254. * authorization type 'basic' with <b>client_cookies</b> and write the
  255. * result to a newly allocated string pointed to by <b>encrypted_out</b> of
  256. * length <b>encrypted_len_out</b>. Return 0 for success, -1 otherwise. */
  257. static int
  258. rend_encrypt_v2_intro_points_basic(char **encrypted_out,
  259. size_t *encrypted_len_out,
  260. const char *encoded,
  261. smartlist_t *client_cookies)
  262. {
  263. int r = -1, i, pos, enclen, client_blocks;
  264. size_t len, client_entries_len;
  265. char *enc = NULL, iv[CIPHER_IV_LEN], *client_part = NULL,
  266. session_key[CIPHER_KEY_LEN];
  267. smartlist_t *encrypted_session_keys = NULL;
  268. crypto_digest_t *digest;
  269. crypto_cipher_t *cipher;
  270. tor_assert(encoded);
  271. tor_assert(client_cookies && smartlist_len(client_cookies) > 0);
  272. /* Generate session key. */
  273. crypto_rand(session_key, CIPHER_KEY_LEN);
  274. /* Determine length of encrypted introduction points including session
  275. * keys. */
  276. client_blocks = 1 + ((smartlist_len(client_cookies) - 1) /
  277. REND_BASIC_AUTH_CLIENT_MULTIPLE);
  278. client_entries_len = client_blocks * REND_BASIC_AUTH_CLIENT_MULTIPLE *
  279. REND_BASIC_AUTH_CLIENT_ENTRY_LEN;
  280. len = 2 + client_entries_len + CIPHER_IV_LEN + strlen(encoded);
  281. if (client_blocks >= 256) {
  282. log_warn(LD_REND, "Too many clients in introduction point string.");
  283. goto done;
  284. }
  285. enc = tor_malloc_zero(len);
  286. enc[0] = 0x01; /* type of authorization. */
  287. enc[1] = (uint8_t)client_blocks;
  288. /* Encrypt with random session key. */
  289. enclen = crypto_cipher_encrypt_with_iv(session_key,
  290. enc + 2 + client_entries_len,
  291. CIPHER_IV_LEN + strlen(encoded), encoded, strlen(encoded));
  292. if (enclen < 0) {
  293. log_warn(LD_REND, "Could not encrypt introduction point string.");
  294. goto done;
  295. }
  296. memcpy(iv, enc + 2 + client_entries_len, CIPHER_IV_LEN);
  297. /* Encrypt session key for cookies, determine client IDs, and put both
  298. * in a smartlist. */
  299. encrypted_session_keys = smartlist_new();
  300. SMARTLIST_FOREACH_BEGIN(client_cookies, const char *, cookie) {
  301. client_part = tor_malloc_zero(REND_BASIC_AUTH_CLIENT_ENTRY_LEN);
  302. /* Encrypt session key. */
  303. cipher = crypto_cipher_new(cookie);
  304. if (crypto_cipher_encrypt(cipher, client_part +
  305. REND_BASIC_AUTH_CLIENT_ID_LEN,
  306. session_key, CIPHER_KEY_LEN) < 0) {
  307. log_warn(LD_REND, "Could not encrypt session key for client.");
  308. crypto_cipher_free(cipher);
  309. tor_free(client_part);
  310. goto done;
  311. }
  312. crypto_cipher_free(cipher);
  313. /* Determine client ID. */
  314. digest = crypto_digest_new();
  315. crypto_digest_add_bytes(digest, cookie, REND_DESC_COOKIE_LEN);
  316. crypto_digest_add_bytes(digest, iv, CIPHER_IV_LEN);
  317. crypto_digest_get_digest(digest, client_part,
  318. REND_BASIC_AUTH_CLIENT_ID_LEN);
  319. crypto_digest_free(digest);
  320. /* Put both together. */
  321. smartlist_add(encrypted_session_keys, client_part);
  322. } SMARTLIST_FOREACH_END(cookie);
  323. /* Add some fake client IDs and encrypted session keys. */
  324. for (i = (smartlist_len(client_cookies) - 1) %
  325. REND_BASIC_AUTH_CLIENT_MULTIPLE;
  326. i < REND_BASIC_AUTH_CLIENT_MULTIPLE - 1; i++) {
  327. client_part = tor_malloc_zero(REND_BASIC_AUTH_CLIENT_ENTRY_LEN);
  328. crypto_rand(client_part, REND_BASIC_AUTH_CLIENT_ENTRY_LEN);
  329. smartlist_add(encrypted_session_keys, client_part);
  330. }
  331. /* Sort smartlist and put elements in result in order. */
  332. smartlist_sort_digests(encrypted_session_keys);
  333. pos = 2;
  334. SMARTLIST_FOREACH(encrypted_session_keys, const char *, entry, {
  335. memcpy(enc + pos, entry, REND_BASIC_AUTH_CLIENT_ENTRY_LEN);
  336. pos += REND_BASIC_AUTH_CLIENT_ENTRY_LEN;
  337. });
  338. *encrypted_out = enc;
  339. *encrypted_len_out = len;
  340. enc = NULL; /* prevent free. */
  341. r = 0;
  342. done:
  343. tor_free(enc);
  344. if (encrypted_session_keys) {
  345. SMARTLIST_FOREACH(encrypted_session_keys, char *, d, tor_free(d););
  346. smartlist_free(encrypted_session_keys);
  347. }
  348. return r;
  349. }
  350. /** Encrypt the encoded introduction points in <b>encoded</b> using
  351. * authorization type 'stealth' with <b>descriptor_cookie</b> of length
  352. * REND_DESC_COOKIE_LEN and write the result to a newly allocated string
  353. * pointed to by <b>encrypted_out</b> of length <b>encrypted_len_out</b>.
  354. * Return 0 for success, -1 otherwise. */
  355. static int
  356. rend_encrypt_v2_intro_points_stealth(char **encrypted_out,
  357. size_t *encrypted_len_out,
  358. const char *encoded,
  359. const char *descriptor_cookie)
  360. {
  361. int r = -1, enclen;
  362. char *enc;
  363. tor_assert(encoded);
  364. tor_assert(descriptor_cookie);
  365. enc = tor_malloc_zero(1 + CIPHER_IV_LEN + strlen(encoded));
  366. enc[0] = 0x02; /* Auth type */
  367. enclen = crypto_cipher_encrypt_with_iv(descriptor_cookie,
  368. enc + 1,
  369. CIPHER_IV_LEN+strlen(encoded),
  370. encoded, strlen(encoded));
  371. if (enclen < 0) {
  372. log_warn(LD_REND, "Could not encrypt introduction point string.");
  373. goto done;
  374. }
  375. *encrypted_out = enc;
  376. *encrypted_len_out = enclen;
  377. enc = NULL; /* prevent free */
  378. r = 0;
  379. done:
  380. tor_free(enc);
  381. return r;
  382. }
  383. /** Attempt to parse the given <b>desc_str</b> and return true if this
  384. * succeeds, false otherwise. */
  385. STATIC int
  386. rend_desc_v2_is_parsable(rend_encoded_v2_service_descriptor_t *desc)
  387. {
  388. rend_service_descriptor_t *test_parsed = NULL;
  389. char test_desc_id[DIGEST_LEN];
  390. char *test_intro_content = NULL;
  391. size_t test_intro_size;
  392. size_t test_encoded_size;
  393. const char *test_next;
  394. int res = rend_parse_v2_service_descriptor(&test_parsed, test_desc_id,
  395. &test_intro_content,
  396. &test_intro_size,
  397. &test_encoded_size,
  398. &test_next, desc->desc_str, 1);
  399. rend_service_descriptor_free(test_parsed);
  400. tor_free(test_intro_content);
  401. return (res >= 0);
  402. }
  403. /** Free the storage held by an encoded v2 service descriptor. */
  404. void
  405. rend_encoded_v2_service_descriptor_free_(
  406. rend_encoded_v2_service_descriptor_t *desc)
  407. {
  408. if (!desc)
  409. return;
  410. tor_free(desc->desc_str);
  411. tor_free(desc);
  412. }
  413. /** Free the storage held by an introduction point info. */
  414. void
  415. rend_intro_point_free_(rend_intro_point_t *intro)
  416. {
  417. if (!intro)
  418. return;
  419. extend_info_free(intro->extend_info);
  420. crypto_pk_free(intro->intro_key);
  421. if (intro->accepted_intro_rsa_parts != NULL) {
  422. replaycache_free(intro->accepted_intro_rsa_parts);
  423. }
  424. tor_free(intro);
  425. }
  426. /** Encode a set of rend_encoded_v2_service_descriptor_t's for <b>desc</b>
  427. * at time <b>now</b> using <b>service_key</b>, depending on
  428. * <b>auth_type</b> a <b>descriptor_cookie</b> and a list of
  429. * <b>client_cookies</b> (which are both <b>NULL</b> if no client
  430. * authorization is performed), and <b>period</b> (e.g. 0 for the current
  431. * period, 1 for the next period, etc.) and add them to the existing list
  432. * <b>descs_out</b>; return the number of seconds that the descriptors will
  433. * be found by clients, or -1 if the encoding was not successful. */
  434. int
  435. rend_encode_v2_descriptors(smartlist_t *descs_out,
  436. rend_service_descriptor_t *desc, time_t now,
  437. uint8_t period, rend_auth_type_t auth_type,
  438. crypto_pk_t *client_key,
  439. smartlist_t *client_cookies)
  440. {
  441. char service_id[DIGEST_LEN];
  442. char service_id_base32[REND_SERVICE_ID_LEN_BASE32+1];
  443. uint32_t time_period;
  444. char *ipos_base64 = NULL, *ipos = NULL, *ipos_encrypted = NULL,
  445. *descriptor_cookie = NULL;
  446. size_t ipos_len = 0, ipos_encrypted_len = 0;
  447. int k;
  448. uint32_t seconds_valid;
  449. crypto_pk_t *service_key;
  450. if (!desc) {
  451. log_warn(LD_BUG, "Could not encode v2 descriptor: No desc given.");
  452. return -1;
  453. }
  454. service_key = (auth_type == REND_STEALTH_AUTH) ? client_key : desc->pk;
  455. tor_assert(service_key);
  456. if (auth_type == REND_STEALTH_AUTH) {
  457. descriptor_cookie = smartlist_get(client_cookies, 0);
  458. tor_assert(descriptor_cookie);
  459. }
  460. /* Obtain service_id from public key. */
  461. if (crypto_pk_get_digest(service_key, service_id) < 0) {
  462. log_warn(LD_BUG, "Couldn't compute service key digest.");
  463. return -1;
  464. }
  465. /* Calculate current time-period. */
  466. time_period = get_time_period(now, period, service_id);
  467. /* Determine how many seconds the descriptor will be valid. */
  468. seconds_valid = period * REND_TIME_PERIOD_V2_DESC_VALIDITY +
  469. get_seconds_valid(now, service_id);
  470. /* Assemble, possibly encrypt, and encode introduction points. */
  471. if (smartlist_len(desc->intro_nodes) > 0) {
  472. if (rend_encode_v2_intro_points(&ipos, desc) < 0) {
  473. log_warn(LD_REND, "Encoding of introduction points did not succeed.");
  474. return -1;
  475. }
  476. switch (auth_type) {
  477. case REND_NO_AUTH:
  478. ipos_len = strlen(ipos);
  479. break;
  480. case REND_BASIC_AUTH:
  481. if (rend_encrypt_v2_intro_points_basic(&ipos_encrypted,
  482. &ipos_encrypted_len, ipos,
  483. client_cookies) < 0) {
  484. log_warn(LD_REND, "Encrypting of introduction points did not "
  485. "succeed.");
  486. tor_free(ipos);
  487. return -1;
  488. }
  489. tor_free(ipos);
  490. ipos = ipos_encrypted;
  491. ipos_len = ipos_encrypted_len;
  492. break;
  493. case REND_STEALTH_AUTH:
  494. if (rend_encrypt_v2_intro_points_stealth(&ipos_encrypted,
  495. &ipos_encrypted_len, ipos,
  496. descriptor_cookie) < 0) {
  497. log_warn(LD_REND, "Encrypting of introduction points did not "
  498. "succeed.");
  499. tor_free(ipos);
  500. return -1;
  501. }
  502. tor_free(ipos);
  503. ipos = ipos_encrypted;
  504. ipos_len = ipos_encrypted_len;
  505. break;
  506. default:
  507. log_warn(LD_REND|LD_BUG, "Unrecognized authorization type %d",
  508. (int)auth_type);
  509. tor_free(ipos);
  510. return -1;
  511. }
  512. /* Base64-encode introduction points. */
  513. ipos_base64 = tor_calloc(ipos_len, 2);
  514. if (base64_encode(ipos_base64, ipos_len * 2, ipos, ipos_len,
  515. BASE64_ENCODE_MULTILINE)<0) {
  516. log_warn(LD_REND, "Could not encode introduction point string to "
  517. "base64. length=%d", (int)ipos_len);
  518. tor_free(ipos_base64);
  519. tor_free(ipos);
  520. return -1;
  521. }
  522. tor_free(ipos);
  523. }
  524. /* Encode REND_NUMBER_OF_NON_CONSECUTIVE_REPLICAS descriptors. */
  525. for (k = 0; k < REND_NUMBER_OF_NON_CONSECUTIVE_REPLICAS; k++) {
  526. char secret_id_part[DIGEST_LEN];
  527. char secret_id_part_base32[REND_SECRET_ID_PART_LEN_BASE32 + 1];
  528. char desc_id_base32[REND_DESC_ID_V2_LEN_BASE32 + 1];
  529. char *permanent_key = NULL;
  530. size_t permanent_key_len;
  531. char published[ISO_TIME_LEN+1];
  532. int i;
  533. char protocol_versions_string[16]; /* max len: "0,1,2,3,4,5,6,7\0" */
  534. size_t protocol_versions_written;
  535. size_t desc_len;
  536. char *desc_str = NULL;
  537. int result = 0;
  538. size_t written = 0;
  539. char desc_digest[DIGEST_LEN];
  540. rend_encoded_v2_service_descriptor_t *enc =
  541. tor_malloc_zero(sizeof(rend_encoded_v2_service_descriptor_t));
  542. /* Calculate secret-id-part = h(time-period | cookie | replica). */
  543. get_secret_id_part_bytes(secret_id_part, time_period, descriptor_cookie,
  544. k);
  545. base32_encode(secret_id_part_base32, sizeof(secret_id_part_base32),
  546. secret_id_part, DIGEST_LEN);
  547. /* Calculate descriptor ID. */
  548. rend_get_descriptor_id_bytes(enc->desc_id, service_id, secret_id_part);
  549. base32_encode(desc_id_base32, sizeof(desc_id_base32),
  550. enc->desc_id, DIGEST_LEN);
  551. /* PEM-encode the public key */
  552. if (crypto_pk_write_public_key_to_string(service_key, &permanent_key,
  553. &permanent_key_len) < 0) {
  554. log_warn(LD_BUG, "Could not write public key to string.");
  555. rend_encoded_v2_service_descriptor_free(enc);
  556. goto err;
  557. }
  558. /* Encode timestamp. */
  559. format_iso_time(published, desc->timestamp);
  560. /* Write protocol-versions bitmask to comma-separated value string. */
  561. protocol_versions_written = 0;
  562. for (i = 0; i < 8; i++) {
  563. if (desc->protocols & 1 << i) {
  564. tor_snprintf(protocol_versions_string + protocol_versions_written,
  565. 16 - protocol_versions_written, "%d,", i);
  566. protocol_versions_written += 2;
  567. }
  568. }
  569. if (protocol_versions_written)
  570. protocol_versions_string[protocol_versions_written - 1] = '\0';
  571. else
  572. protocol_versions_string[0]= '\0';
  573. /* Assemble complete descriptor. */
  574. desc_len = 2000 + smartlist_len(desc->intro_nodes) * 1000; /* far too long,
  575. but okay.*/
  576. enc->desc_str = desc_str = tor_malloc_zero(desc_len);
  577. result = tor_snprintf(desc_str, desc_len,
  578. "rendezvous-service-descriptor %s\n"
  579. "version 2\n"
  580. "permanent-key\n%s"
  581. "secret-id-part %s\n"
  582. "publication-time %s\n"
  583. "protocol-versions %s\n",
  584. desc_id_base32,
  585. permanent_key,
  586. secret_id_part_base32,
  587. published,
  588. protocol_versions_string);
  589. tor_free(permanent_key);
  590. if (result < 0) {
  591. log_warn(LD_BUG, "Descriptor ran out of room.");
  592. rend_encoded_v2_service_descriptor_free(enc);
  593. goto err;
  594. }
  595. written = result;
  596. /* Add introduction points. */
  597. if (ipos_base64) {
  598. result = tor_snprintf(desc_str + written, desc_len - written,
  599. "introduction-points\n"
  600. "-----BEGIN MESSAGE-----\n%s"
  601. "-----END MESSAGE-----\n",
  602. ipos_base64);
  603. if (result < 0) {
  604. log_warn(LD_BUG, "could not write introduction points.");
  605. rend_encoded_v2_service_descriptor_free(enc);
  606. goto err;
  607. }
  608. written += result;
  609. }
  610. /* Add signature. */
  611. strlcpy(desc_str + written, "signature\n", desc_len - written);
  612. written += strlen(desc_str + written);
  613. if (crypto_digest(desc_digest, desc_str, written) < 0) {
  614. log_warn(LD_BUG, "could not create digest.");
  615. rend_encoded_v2_service_descriptor_free(enc);
  616. goto err;
  617. }
  618. if (router_append_dirobj_signature(desc_str + written,
  619. desc_len - written,
  620. desc_digest, DIGEST_LEN,
  621. service_key) < 0) {
  622. log_warn(LD_BUG, "Couldn't sign desc.");
  623. rend_encoded_v2_service_descriptor_free(enc);
  624. goto err;
  625. }
  626. written += strlen(desc_str+written);
  627. if (written+2 > desc_len) {
  628. log_warn(LD_BUG, "Could not finish desc.");
  629. rend_encoded_v2_service_descriptor_free(enc);
  630. goto err;
  631. }
  632. desc_str[written++] = 0;
  633. /* Check if we can parse our own descriptor. */
  634. if (!rend_desc_v2_is_parsable(enc)) {
  635. log_warn(LD_BUG, "Could not parse my own descriptor: %s", desc_str);
  636. rend_encoded_v2_service_descriptor_free(enc);
  637. goto err;
  638. }
  639. smartlist_add(descs_out, enc);
  640. /* Add the uploaded descriptor to the local service's descriptor cache */
  641. rend_cache_store_v2_desc_as_service(enc->desc_str);
  642. base32_encode(service_id_base32, sizeof(service_id_base32),
  643. service_id, REND_SERVICE_ID_LEN);
  644. control_event_hs_descriptor_created(service_id_base32, desc_id_base32, k);
  645. }
  646. log_info(LD_REND, "Successfully encoded a v2 descriptor and "
  647. "confirmed that it is parsable.");
  648. goto done;
  649. err:
  650. SMARTLIST_FOREACH(descs_out, rend_encoded_v2_service_descriptor_t *, d,
  651. rend_encoded_v2_service_descriptor_free(d););
  652. smartlist_clear(descs_out);
  653. seconds_valid = -1;
  654. done:
  655. tor_free(ipos_base64);
  656. return seconds_valid;
  657. }
  658. /** Sets <b>out</b> to the first 10 bytes of the digest of <b>pk</b>,
  659. * base32 encoded. NUL-terminates out. (We use this string to
  660. * identify services in directory requests and .onion URLs.)
  661. */
  662. int
  663. rend_get_service_id(crypto_pk_t *pk, char *out)
  664. {
  665. char buf[DIGEST_LEN];
  666. tor_assert(pk);
  667. if (crypto_pk_get_digest(pk, buf) < 0)
  668. return -1;
  669. base32_encode(out, REND_SERVICE_ID_LEN_BASE32+1, buf, REND_SERVICE_ID_LEN);
  670. return 0;
  671. }
  672. /** Return true iff <b>query</b> is a syntactically valid service ID (as
  673. * generated by rend_get_service_id). */
  674. int
  675. rend_valid_v2_service_id(const char *query)
  676. {
  677. if (strlen(query) != REND_SERVICE_ID_LEN_BASE32)
  678. return 0;
  679. if (strspn(query, BASE32_CHARS) != REND_SERVICE_ID_LEN_BASE32)
  680. return 0;
  681. return 1;
  682. }
  683. /** Return true iff <b>query</b> is a syntactically valid descriptor ID.
  684. * (as generated by rend_get_descriptor_id_bytes). */
  685. int
  686. rend_valid_descriptor_id(const char *query)
  687. {
  688. if (strlen(query) != REND_DESC_ID_V2_LEN_BASE32) {
  689. goto invalid;
  690. }
  691. if (strspn(query, BASE32_CHARS) != REND_DESC_ID_V2_LEN_BASE32) {
  692. goto invalid;
  693. }
  694. return 1;
  695. invalid:
  696. return 0;
  697. }
  698. /** Return true iff <b>client_name</b> is a syntactically valid name
  699. * for rendezvous client authentication. */
  700. int
  701. rend_valid_client_name(const char *client_name)
  702. {
  703. size_t len = strlen(client_name);
  704. if (len < 1 || len > REND_CLIENTNAME_MAX_LEN) {
  705. return 0;
  706. }
  707. if (strspn(client_name, REND_LEGAL_CLIENTNAME_CHARACTERS) != len) {
  708. return 0;
  709. }
  710. return 1;
  711. }
  712. /** Called when we get a rendezvous-related relay cell on circuit
  713. * <b>circ</b>. Dispatch on rendezvous relay command. */
  714. void
  715. rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
  716. int command, size_t length,
  717. const uint8_t *payload)
  718. {
  719. or_circuit_t *or_circ = NULL;
  720. origin_circuit_t *origin_circ = NULL;
  721. int r = -2;
  722. if (CIRCUIT_IS_ORIGIN(circ)) {
  723. origin_circ = TO_ORIGIN_CIRCUIT(circ);
  724. if (!layer_hint || layer_hint != origin_circ->cpath->prev) {
  725. log_fn(LOG_PROTOCOL_WARN, LD_APP,
  726. "Relay cell (rend purpose %d) from wrong hop on origin circ",
  727. command);
  728. origin_circ = NULL;
  729. }
  730. } else {
  731. or_circ = TO_OR_CIRCUIT(circ);
  732. }
  733. switch (command) {
  734. case RELAY_COMMAND_ESTABLISH_INTRO:
  735. if (or_circ)
  736. r = hs_intro_received_establish_intro(or_circ,payload,length);
  737. break;
  738. case RELAY_COMMAND_ESTABLISH_RENDEZVOUS:
  739. if (or_circ)
  740. r = rend_mid_establish_rendezvous(or_circ,payload,length);
  741. break;
  742. case RELAY_COMMAND_INTRODUCE1:
  743. if (or_circ)
  744. r = hs_intro_received_introduce1(or_circ,payload,length);
  745. break;
  746. case RELAY_COMMAND_INTRODUCE2:
  747. if (origin_circ)
  748. r = hs_service_receive_introduce2(origin_circ,payload,length);
  749. break;
  750. case RELAY_COMMAND_INTRODUCE_ACK:
  751. if (origin_circ)
  752. r = hs_client_receive_introduce_ack(origin_circ,payload,length);
  753. break;
  754. case RELAY_COMMAND_RENDEZVOUS1:
  755. if (or_circ)
  756. r = rend_mid_rendezvous(or_circ,payload,length);
  757. break;
  758. case RELAY_COMMAND_RENDEZVOUS2:
  759. if (origin_circ)
  760. r = hs_client_receive_rendezvous2(origin_circ,payload,length);
  761. break;
  762. case RELAY_COMMAND_INTRO_ESTABLISHED:
  763. if (origin_circ)
  764. r = hs_service_receive_intro_established(origin_circ,payload,length);
  765. break;
  766. case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
  767. if (origin_circ)
  768. r = hs_client_receive_rendezvous_acked(origin_circ,payload,length);
  769. break;
  770. default:
  771. tor_fragile_assert();
  772. }
  773. if (r == 0 && origin_circ) {
  774. /* This was a valid cell. Count it as delivered + overhead. */
  775. circuit_read_valid_data(origin_circ, length);
  776. }
  777. if (r == -2)
  778. log_info(LD_PROTOCOL, "Dropping cell (type %d) for wrong circuit type.",
  779. command);
  780. }
  781. /** Determine the routers that are responsible for <b>id</b> (binary) and
  782. * add pointers to those routers' routerstatus_t to <b>responsible_dirs</b>.
  783. * Return -1 if we're returning an empty smartlist, else return 0.
  784. */
  785. int
  786. hid_serv_get_responsible_directories(smartlist_t *responsible_dirs,
  787. const char *id)
  788. {
  789. int start, found, n_added = 0, i;
  790. networkstatus_t *c = networkstatus_get_latest_consensus();
  791. if (!c || !smartlist_len(c->routerstatus_list)) {
  792. log_warn(LD_REND, "We don't have a consensus, so we can't perform v2 "
  793. "rendezvous operations.");
  794. return -1;
  795. }
  796. tor_assert(id);
  797. start = networkstatus_vote_find_entry_idx(c, id, &found);
  798. if (start == smartlist_len(c->routerstatus_list)) start = 0;
  799. i = start;
  800. do {
  801. routerstatus_t *r = smartlist_get(c->routerstatus_list, i);
  802. if (r->is_hs_dir) {
  803. smartlist_add(responsible_dirs, r);
  804. if (++n_added == REND_NUMBER_OF_CONSECUTIVE_REPLICAS)
  805. return 0;
  806. }
  807. if (++i == smartlist_len(c->routerstatus_list))
  808. i = 0;
  809. } while (i != start);
  810. /* Even though we don't have the desired number of hidden service
  811. * directories, be happy if we got any. */
  812. return smartlist_len(responsible_dirs) ? 0 : -1;
  813. }
  814. /* Length of the 'extended' auth cookie used to encode auth type before
  815. * base64 encoding. */
  816. #define REND_DESC_COOKIE_LEN_EXT (REND_DESC_COOKIE_LEN + 1)
  817. /* Length of the zero-padded auth cookie when base64 encoded. These two
  818. * padding bytes always (A=) are stripped off of the returned cookie. */
  819. #define REND_DESC_COOKIE_LEN_EXT_BASE64 (REND_DESC_COOKIE_LEN_BASE64 + 2)
  820. /** Encode a client authorization descriptor cookie.
  821. * The result of this function is suitable for use in the HidServAuth
  822. * option. The trailing padding characters are removed, and the
  823. * auth type is encoded into the cookie.
  824. *
  825. * Returns a new base64-encoded cookie. This function cannot fail.
  826. * The caller is responsible for freeing the returned value.
  827. */
  828. char *
  829. rend_auth_encode_cookie(const uint8_t *cookie_in, rend_auth_type_t auth_type)
  830. {
  831. uint8_t extended_cookie[REND_DESC_COOKIE_LEN_EXT];
  832. char *cookie_out = tor_malloc_zero(REND_DESC_COOKIE_LEN_EXT_BASE64 + 1);
  833. int re;
  834. tor_assert(cookie_in);
  835. memcpy(extended_cookie, cookie_in, REND_DESC_COOKIE_LEN);
  836. extended_cookie[REND_DESC_COOKIE_LEN] = ((int)auth_type - 1) << 4;
  837. re = base64_encode(cookie_out, REND_DESC_COOKIE_LEN_EXT_BASE64 + 1,
  838. (const char *) extended_cookie, REND_DESC_COOKIE_LEN_EXT,
  839. 0);
  840. tor_assert(re == REND_DESC_COOKIE_LEN_EXT_BASE64);
  841. /* Remove the trailing 'A='. Auth type is encoded in the high bits
  842. * of the last byte, so the last base64 character will always be zero
  843. * (A). This is subtly different behavior from base64_encode_nopad. */
  844. cookie_out[REND_DESC_COOKIE_LEN_BASE64] = '\0';
  845. memwipe(extended_cookie, 0, sizeof(extended_cookie));
  846. return cookie_out;
  847. }
  848. /** Decode a base64-encoded client authorization descriptor cookie.
  849. * The descriptor_cookie can be truncated to REND_DESC_COOKIE_LEN_BASE64
  850. * characters (as given to clients), or may include the two padding
  851. * characters (as stored by the service).
  852. *
  853. * The result is stored in REND_DESC_COOKIE_LEN bytes of cookie_out.
  854. * The rend_auth_type_t decoded from the cookie is stored in the
  855. * optional auth_type_out parameter.
  856. *
  857. * Return 0 on success, or -1 on error. The caller is responsible for
  858. * freeing the returned err_msg.
  859. */
  860. int
  861. rend_auth_decode_cookie(const char *cookie_in, uint8_t *cookie_out,
  862. rend_auth_type_t *auth_type_out, char **err_msg_out)
  863. {
  864. uint8_t descriptor_cookie_decoded[REND_DESC_COOKIE_LEN_EXT + 1] = { 0 };
  865. char descriptor_cookie_base64ext[REND_DESC_COOKIE_LEN_EXT_BASE64 + 1];
  866. const char *descriptor_cookie = cookie_in;
  867. char *err_msg = NULL;
  868. int auth_type_val = 0;
  869. int res = -1;
  870. int decoded_len;
  871. size_t len = strlen(descriptor_cookie);
  872. if (len == REND_DESC_COOKIE_LEN_BASE64) {
  873. /* Add a trailing zero byte to make base64-decoding happy. */
  874. tor_snprintf(descriptor_cookie_base64ext,
  875. sizeof(descriptor_cookie_base64ext),
  876. "%sA=", descriptor_cookie);
  877. descriptor_cookie = descriptor_cookie_base64ext;
  878. } else if (len != REND_DESC_COOKIE_LEN_EXT_BASE64) {
  879. tor_asprintf(&err_msg, "Authorization cookie has wrong length: %s",
  880. escaped(cookie_in));
  881. goto err;
  882. }
  883. decoded_len = base64_decode((char *) descriptor_cookie_decoded,
  884. sizeof(descriptor_cookie_decoded),
  885. descriptor_cookie,
  886. REND_DESC_COOKIE_LEN_EXT_BASE64);
  887. if (decoded_len != REND_DESC_COOKIE_LEN &&
  888. decoded_len != REND_DESC_COOKIE_LEN_EXT) {
  889. tor_asprintf(&err_msg, "Authorization cookie has invalid characters: %s",
  890. escaped(cookie_in));
  891. goto err;
  892. }
  893. if (auth_type_out) {
  894. auth_type_val = (descriptor_cookie_decoded[REND_DESC_COOKIE_LEN] >> 4) + 1;
  895. if (auth_type_val < 1 || auth_type_val > 2) {
  896. tor_asprintf(&err_msg, "Authorization cookie type is unknown: %s",
  897. escaped(cookie_in));
  898. goto err;
  899. }
  900. *auth_type_out = auth_type_val == 1 ? REND_BASIC_AUTH : REND_STEALTH_AUTH;
  901. }
  902. memcpy(cookie_out, descriptor_cookie_decoded, REND_DESC_COOKIE_LEN);
  903. res = 0;
  904. err:
  905. if (err_msg_out) {
  906. *err_msg_out = err_msg;
  907. } else {
  908. tor_free(err_msg);
  909. }
  910. memwipe(descriptor_cookie_decoded, 0, sizeof(descriptor_cookie_decoded));
  911. memwipe(descriptor_cookie_base64ext, 0, sizeof(descriptor_cookie_base64ext));
  912. return res;
  913. }
  914. /* Is this a rend client or server that allows direct (non-anonymous)
  915. * connections?
  916. * Clients must be specifically compiled and configured in this mode.
  917. * Onion services can be configured to start in this mode.
  918. * Prefer rend_client_allow_non_anonymous_connection() or
  919. * rend_service_allow_non_anonymous_connection() whenever possible, so that
  920. * checks are specific to Single Onion Services or Tor2web. */
  921. int
  922. rend_allow_non_anonymous_connection(const or_options_t* options)
  923. {
  924. return (rend_client_allow_non_anonymous_connection(options)
  925. || rend_service_allow_non_anonymous_connection(options));
  926. }
  927. /* Is this a rend client or server in non-anonymous mode?
  928. * Clients must be specifically compiled in this mode.
  929. * Onion services can be configured to start in this mode.
  930. * Prefer rend_client_non_anonymous_mode_enabled() or
  931. * rend_service_non_anonymous_mode_enabled() whenever possible, so that checks
  932. * are specific to Single Onion Services or Tor2web. */
  933. int
  934. rend_non_anonymous_mode_enabled(const or_options_t *options)
  935. {
  936. return (rend_client_non_anonymous_mode_enabled(options)
  937. || rend_service_non_anonymous_mode_enabled(options));
  938. }
  939. /* Make sure that tor only builds one-hop circuits when they would not
  940. * compromise user anonymity.
  941. *
  942. * One-hop circuits are permitted in Tor2web or Single Onion modes.
  943. *
  944. * Tor2web or Single Onion modes are also allowed to make multi-hop circuits.
  945. * For example, single onion HSDir circuits are 3-hop to prevent denial of
  946. * service.
  947. */
  948. void
  949. assert_circ_anonymity_ok(const origin_circuit_t *circ,
  950. const or_options_t *options)
  951. {
  952. tor_assert(options);
  953. tor_assert(circ);
  954. tor_assert(circ->build_state);
  955. if (circ->build_state->onehop_tunnel) {
  956. tor_assert(rend_allow_non_anonymous_connection(options));
  957. }
  958. }
  959. /* Return 1 iff the given <b>digest</b> of a permenanent hidden service key is
  960. * equal to the digest in the origin circuit <b>ocirc</b> of its rend data .
  961. * If the rend data doesn't exist, 0 is returned. This function is agnostic to
  962. * the rend data version. */
  963. int
  964. rend_circuit_pk_digest_eq(const origin_circuit_t *ocirc,
  965. const uint8_t *digest)
  966. {
  967. size_t rend_pk_digest_len;
  968. const uint8_t *rend_pk_digest;
  969. tor_assert(ocirc);
  970. tor_assert(digest);
  971. if (ocirc->rend_data == NULL) {
  972. goto no_match;
  973. }
  974. rend_pk_digest = rend_data_get_pk_digest(ocirc->rend_data,
  975. &rend_pk_digest_len);
  976. if (tor_memeq(rend_pk_digest, digest, rend_pk_digest_len)) {
  977. goto match;
  978. }
  979. no_match:
  980. return 0;
  981. match:
  982. return 1;
  983. }