1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605 |
- /* Copyright (c) 2016-2017, The Tor Project, Inc. */
- /* See LICENSE for licensing information */
- /**
- * \file hs_descriptor.c
- * \brief Handle hidden service descriptor encoding/decoding.
- *
- * \details
- * Here is a graphical depiction of an HS descriptor and its layers:
- *
- * +------------------------------------------------------+
- * |DESCRIPTOR HEADER: |
- * | hs-descriptor 3 |
- * | descriptor-lifetime 180 |
- * | ... |
- * | superencrypted |
- * |+---------------------------------------------------+ |
- * ||SUPERENCRYPTED LAYER (aka OUTER ENCRYPTED LAYER): | |
- * || desc-auth-type x25519 | |
- * || desc-auth-ephemeral-key | |
- * || auth-client | |
- * || auth-client | |
- * || ... | |
- * || encrypted | |
- * ||+-------------------------------------------------+| |
- * |||ENCRYPTED LAYER (aka INNER ENCRYPTED LAYER): || |
- * ||| create2-formats || |
- * ||| intro-auth-required || |
- * ||| introduction-point || |
- * ||| introduction-point || |
- * ||| ... || |
- * ||+-------------------------------------------------+| |
- * |+---------------------------------------------------+ |
- * +------------------------------------------------------+
- *
- * The DESCRIPTOR HEADER section is completely unencrypted and contains generic
- * descriptor metadata.
- *
- * The SUPERENCRYPTED LAYER section is the first layer of encryption, and it's
- * encrypted using the blinded public key of the hidden service to protect
- * against entities who don't know its onion address. The clients of the hidden
- * service know its onion address and blinded public key, whereas third-parties
- * (like HSDirs) don't know it (except if it's a public hidden service).
- *
- * The ENCRYPTED LAYER section is the second layer of encryption, and it's
- * encrypted using the client authorization key material (if those exist). When
- * client authorization is enabled, this second layer of encryption protects
- * the descriptor content from unauthorized entities. If client authorization
- * is disabled, this second layer of encryption does not provide any extra
- * security but is still present. The plaintext of this layer contains all the
- * information required to connect to the hidden service like its list of
- * introduction points.
- **/
- /* For unit tests.*/
- #define HS_DESCRIPTOR_PRIVATE
- #include "or.h"
- #include "ed25519_cert.h" /* Trunnel interface. */
- #include "hs_descriptor.h"
- #include "circuitbuild.h"
- #include "parsecommon.h"
- #include "rendcache.h"
- #include "hs_cache.h"
- #include "hs_config.h"
- #include "torcert.h" /* tor_cert_encode_ed22519() */
- /* Constant string value used for the descriptor format. */
- #define str_hs_desc "hs-descriptor"
- #define str_desc_cert "descriptor-signing-key-cert"
- #define str_rev_counter "revision-counter"
- #define str_superencrypted "superencrypted"
- #define str_encrypted "encrypted"
- #define str_signature "signature"
- #define str_lifetime "descriptor-lifetime"
- /* Constant string value for the encrypted part of the descriptor. */
- #define str_create2_formats "create2-formats"
- #define str_intro_auth_required "intro-auth-required"
- #define str_single_onion "single-onion-service"
- #define str_intro_point "introduction-point"
- #define str_ip_onion_key "onion-key"
- #define str_ip_auth_key "auth-key"
- #define str_ip_enc_key "enc-key"
- #define str_ip_enc_key_cert "enc-key-cert"
- #define str_ip_legacy_key "legacy-key"
- #define str_ip_legacy_key_cert "legacy-key-cert"
- #define str_intro_point_start "\n" str_intro_point " "
- /* Constant string value for the construction to encrypt the encrypted data
- * section. */
- #define str_enc_const_superencryption "hsdir-superencrypted-data"
- #define str_enc_const_encryption "hsdir-encrypted-data"
- /* Prefix required to compute/verify HS desc signatures */
- #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
- #define str_desc_auth_type "desc-auth-type"
- #define str_desc_auth_key "desc-auth-ephemeral-key"
- #define str_desc_auth_client "auth-client"
- #define str_encrypted "encrypted"
- /* Authentication supported types. */
- static const struct {
- hs_desc_auth_type_t type;
- const char *identifier;
- } intro_auth_types[] = {
- { HS_DESC_AUTH_ED25519, "ed25519" },
- /* Indicate end of array. */
- { 0, NULL }
- };
- /* Descriptor ruleset. */
- static token_rule_t hs_desc_v3_token_table[] = {
- T1_START(str_hs_desc, R_HS_DESCRIPTOR, EQ(1), NO_OBJ),
- T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ),
- T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ),
- T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ),
- T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ),
- T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ),
- END_OF_TABLE
- };
- /* Descriptor ruleset for the superencrypted section. */
- static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
- T1_START(str_desc_auth_type, R3_DESC_AUTH_TYPE, GE(1), NO_OBJ),
- T1(str_desc_auth_key, R3_DESC_AUTH_KEY, GE(1), NO_OBJ),
- T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT, GE(3), NO_OBJ),
- T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
- END_OF_TABLE
- };
- /* Descriptor ruleset for the encrypted section. */
- static token_rule_t hs_desc_encrypted_v3_token_table[] = {
- T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
- T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
- T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
- END_OF_TABLE
- };
- /* Descriptor ruleset for the introduction points section. */
- static token_rule_t hs_desc_intro_point_v3_token_table[] = {
- T1_START(str_intro_point, R3_INTRODUCTION_POINT, EQ(1), NO_OBJ),
- T1N(str_ip_onion_key, R3_INTRO_ONION_KEY, GE(2), OBJ_OK),
- T1(str_ip_auth_key, R3_INTRO_AUTH_KEY, NO_ARGS, NEED_OBJ),
- T1(str_ip_enc_key, R3_INTRO_ENC_KEY, GE(2), OBJ_OK),
- T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT, ARGS, OBJ_OK),
- T01(str_ip_legacy_key, R3_INTRO_LEGACY_KEY, ARGS, NEED_KEY_1024),
- T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT, ARGS, OBJ_OK),
- END_OF_TABLE
- };
- /* Free the content of the plaintext section of a descriptor. */
- STATIC void
- desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)
- {
- if (!desc) {
- return;
- }
- if (desc->superencrypted_blob) {
- tor_free(desc->superencrypted_blob);
- }
- tor_cert_free(desc->signing_key_cert);
- memwipe(desc, 0, sizeof(*desc));
- }
- /* Free the content of the encrypted section of a descriptor. */
- static void
- desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
- {
- if (!desc) {
- return;
- }
- if (desc->intro_auth_types) {
- SMARTLIST_FOREACH(desc->intro_auth_types, char *, a, tor_free(a));
- smartlist_free(desc->intro_auth_types);
- }
- if (desc->intro_points) {
- SMARTLIST_FOREACH(desc->intro_points, hs_desc_intro_point_t *, ip,
- hs_desc_intro_point_free(ip));
- smartlist_free(desc->intro_points);
- }
- memwipe(desc, 0, sizeof(*desc));
- }
- /* Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
- * We use SHA3-256 for the MAC computation.
- * This function can't fail. */
- static void
- build_mac(const uint8_t *mac_key, size_t mac_key_len,
- const uint8_t *salt, size_t salt_len,
- const uint8_t *encrypted, size_t encrypted_len,
- uint8_t *mac_out, size_t mac_len)
- {
- crypto_digest_t *digest;
- const uint64_t mac_len_netorder = tor_htonll(mac_key_len);
- const uint64_t salt_len_netorder = tor_htonll(salt_len);
- tor_assert(mac_key);
- tor_assert(salt);
- tor_assert(encrypted);
- tor_assert(mac_out);
- digest = crypto_digest256_new(DIGEST_SHA3_256);
- /* As specified in section 2.5 of proposal 224, first add the mac key
- * then add the salt first and then the encrypted section. */
- crypto_digest_add_bytes(digest, (const char *) &mac_len_netorder, 8);
- crypto_digest_add_bytes(digest, (const char *) mac_key, mac_key_len);
- crypto_digest_add_bytes(digest, (const char *) &salt_len_netorder, 8);
- crypto_digest_add_bytes(digest, (const char *) salt, salt_len);
- crypto_digest_add_bytes(digest, (const char *) encrypted, encrypted_len);
- crypto_digest_get_digest(digest, (char *) mac_out, mac_len);
- crypto_digest_free(digest);
- }
- /* Using a given decriptor object, build the secret input needed for the
- * KDF and put it in the dst pointer which is an already allocated buffer
- * of size dstlen. */
- static void
- build_secret_input(const hs_descriptor_t *desc, uint8_t *dst, size_t dstlen)
- {
- size_t offset = 0;
- tor_assert(desc);
- tor_assert(dst);
- tor_assert(HS_DESC_ENCRYPTED_SECRET_INPUT_LEN <= dstlen);
- /* XXX use the destination length as the memcpy length */
- /* Copy blinded public key. */
- memcpy(dst, desc->plaintext_data.blinded_pubkey.pubkey,
- sizeof(desc->plaintext_data.blinded_pubkey.pubkey));
- offset += sizeof(desc->plaintext_data.blinded_pubkey.pubkey);
- /* Copy subcredential. */
- memcpy(dst + offset, desc->subcredential, sizeof(desc->subcredential));
- offset += sizeof(desc->subcredential);
- /* Copy revision counter value. */
- set_uint64(dst + offset, tor_htonll(desc->plaintext_data.revision_counter));
- offset += sizeof(uint64_t);
- tor_assert(HS_DESC_ENCRYPTED_SECRET_INPUT_LEN == offset);
- }
- /* Do the KDF construction and put the resulting data in key_out which is of
- * key_out_len length. It uses SHAKE-256 as specified in the spec. */
- static void
- build_kdf_key(const hs_descriptor_t *desc,
- const uint8_t *salt, size_t salt_len,
- uint8_t *key_out, size_t key_out_len,
- int is_superencrypted_layer)
- {
- uint8_t secret_input[HS_DESC_ENCRYPTED_SECRET_INPUT_LEN];
- crypto_xof_t *xof;
- tor_assert(desc);
- tor_assert(salt);
- tor_assert(key_out);
- /* Build the secret input for the KDF computation. */
- build_secret_input(desc, secret_input, sizeof(secret_input));
- xof = crypto_xof_new();
- /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
- crypto_xof_add_bytes(xof, secret_input, sizeof(secret_input));
- crypto_xof_add_bytes(xof, salt, salt_len);
- /* Feed in the right string constant based on the desc layer */
- if (is_superencrypted_layer) {
- crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_superencryption,
- strlen(str_enc_const_superencryption));
- } else {
- crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_encryption,
- strlen(str_enc_const_encryption));
- }
- /* Eat from our KDF. */
- crypto_xof_squeeze_bytes(xof, key_out, key_out_len);
- crypto_xof_free(xof);
- memwipe(secret_input, 0, sizeof(secret_input));
- }
- /* Using the given descriptor and salt, run it through our KDF function and
- * then extract a secret key in key_out, the IV in iv_out and MAC in mac_out.
- * This function can't fail. */
- static void
- build_secret_key_iv_mac(const hs_descriptor_t *desc,
- const uint8_t *salt, size_t salt_len,
- uint8_t *key_out, size_t key_len,
- uint8_t *iv_out, size_t iv_len,
- uint8_t *mac_out, size_t mac_len,
- int is_superencrypted_layer)
- {
- size_t offset = 0;
- uint8_t kdf_key[HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN];
- tor_assert(desc);
- tor_assert(salt);
- tor_assert(key_out);
- tor_assert(iv_out);
- tor_assert(mac_out);
- build_kdf_key(desc, salt, salt_len, kdf_key, sizeof(kdf_key),
- is_superencrypted_layer);
- /* Copy the bytes we need for both the secret key and IV. */
- memcpy(key_out, kdf_key, key_len);
- offset += key_len;
- memcpy(iv_out, kdf_key + offset, iv_len);
- offset += iv_len;
- memcpy(mac_out, kdf_key + offset, mac_len);
- /* Extra precaution to make sure we are not out of bound. */
- tor_assert((offset + mac_len) == sizeof(kdf_key));
- memwipe(kdf_key, 0, sizeof(kdf_key));
- }
- /* === ENCODING === */
- /* Encode the given link specifier objects into a newly allocated string.
- * This can't fail so caller can always assume a valid string being
- * returned. */
- STATIC char *
- encode_link_specifiers(const smartlist_t *specs)
- {
- char *encoded_b64 = NULL;
- link_specifier_list_t *lslist = link_specifier_list_new();
- tor_assert(specs);
- /* No link specifiers is a code flow error, can't happen. */
- tor_assert(smartlist_len(specs) > 0);
- tor_assert(smartlist_len(specs) <= UINT8_MAX);
- link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
- SMARTLIST_FOREACH_BEGIN(specs, const hs_desc_link_specifier_t *,
- spec) {
- link_specifier_t *ls = hs_desc_lspec_to_trunnel(spec);
- if (ls) {
- link_specifier_list_add_spec(lslist, ls);
- }
- } SMARTLIST_FOREACH_END(spec);
- {
- uint8_t *encoded;
- ssize_t encoded_len, encoded_b64_len, ret;
- encoded_len = link_specifier_list_encoded_len(lslist);
- tor_assert(encoded_len > 0);
- encoded = tor_malloc_zero(encoded_len);
- ret = link_specifier_list_encode(encoded, encoded_len, lslist);
- tor_assert(ret == encoded_len);
- /* Base64 encode our binary format. Add extra NUL byte for the base64
- * encoded value. */
- encoded_b64_len = base64_encode_size(encoded_len, 0) + 1;
- encoded_b64 = tor_malloc_zero(encoded_b64_len);
- ret = base64_encode(encoded_b64, encoded_b64_len, (const char *) encoded,
- encoded_len, 0);
- tor_assert(ret == (encoded_b64_len - 1));
- tor_free(encoded);
- }
- link_specifier_list_free(lslist);
- return encoded_b64;
- }
- /* Encode an introduction point legacy key and certificate. Return a newly
- * allocated string with it. On failure, return NULL. */
- static char *
- encode_legacy_key(const hs_desc_intro_point_t *ip)
- {
- char *key_str, b64_cert[256], *encoded = NULL;
- size_t key_str_len;
- tor_assert(ip);
- /* Encode cross cert. */
- if (base64_encode(b64_cert, sizeof(b64_cert),
- (const char *) ip->legacy.cert.encoded,
- ip->legacy.cert.len, BASE64_ENCODE_MULTILINE) < 0) {
- log_warn(LD_REND, "Unable to encode legacy crosscert.");
- goto done;
- }
- /* Convert the encryption key to PEM format NUL terminated. */
- if (crypto_pk_write_public_key_to_string(ip->legacy.key, &key_str,
- &key_str_len) < 0) {
- log_warn(LD_REND, "Unable to encode legacy encryption key.");
- goto done;
- }
- tor_asprintf(&encoded,
- "%s \n%s" /* Newline is added by the call above. */
- "%s\n"
- "-----BEGIN CROSSCERT-----\n"
- "%s"
- "-----END CROSSCERT-----",
- str_ip_legacy_key, key_str,
- str_ip_legacy_key_cert, b64_cert);
- tor_free(key_str);
- done:
- return encoded;
- }
- /* Encode an introduction point encryption key and certificate. Return a newly
- * allocated string with it. On failure, return NULL. */
- static char *
- encode_enc_key(const hs_desc_intro_point_t *ip)
- {
- char *encoded = NULL, *encoded_cert;
- char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
- tor_assert(ip);
- /* Base64 encode the encryption key for the "enc-key" field. */
- if (curve25519_public_to_base64(key_b64, &ip->enc_key) < 0) {
- goto done;
- }
- if (tor_cert_encode_ed22519(ip->enc_key_cert, &encoded_cert) < 0) {
- goto done;
- }
- tor_asprintf(&encoded,
- "%s ntor %s\n"
- "%s\n%s",
- str_ip_enc_key, key_b64,
- str_ip_enc_key_cert, encoded_cert);
- tor_free(encoded_cert);
- done:
- return encoded;
- }
- /* Encode an introduction point onion key. Return a newly allocated string
- * with it. On failure, return NULL. */
- static char *
- encode_onion_key(const hs_desc_intro_point_t *ip)
- {
- char *encoded = NULL;
- char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
- tor_assert(ip);
- /* Base64 encode the encryption key for the "onion-key" field. */
- if (curve25519_public_to_base64(key_b64, &ip->onion_key) < 0) {
- goto done;
- }
- tor_asprintf(&encoded, "%s ntor %s", str_ip_onion_key, key_b64);
- done:
- return encoded;
- }
- /* Encode an introduction point object and return a newly allocated string
- * with it. On failure, return NULL. */
- static char *
- encode_intro_point(const ed25519_public_key_t *sig_key,
- const hs_desc_intro_point_t *ip)
- {
- char *encoded_ip = NULL;
- smartlist_t *lines = smartlist_new();
- tor_assert(ip);
- tor_assert(sig_key);
- /* Encode link specifier. */
- {
- char *ls_str = encode_link_specifiers(ip->link_specifiers);
- smartlist_add_asprintf(lines, "%s %s", str_intro_point, ls_str);
- tor_free(ls_str);
- }
- /* Onion key encoding. */
- {
- char *encoded_onion_key = encode_onion_key(ip);
- if (encoded_onion_key == NULL) {
- goto err;
- }
- smartlist_add_asprintf(lines, "%s", encoded_onion_key);
- tor_free(encoded_onion_key);
- }
- /* Authentication key encoding. */
- {
- char *encoded_cert;
- if (tor_cert_encode_ed22519(ip->auth_key_cert, &encoded_cert) < 0) {
- goto err;
- }
- smartlist_add_asprintf(lines, "%s\n%s", str_ip_auth_key, encoded_cert);
- tor_free(encoded_cert);
- }
- /* Encryption key encoding. */
- {
- char *encoded_enc_key = encode_enc_key(ip);
- if (encoded_enc_key == NULL) {
- goto err;
- }
- smartlist_add_asprintf(lines, "%s", encoded_enc_key);
- tor_free(encoded_enc_key);
- }
- /* Legacy key if any. */
- if (ip->legacy.key != NULL) {
- /* Strong requirement else the IP creation was badly done. */
- tor_assert(ip->legacy.cert.encoded);
- char *encoded_legacy_key = encode_legacy_key(ip);
- if (encoded_legacy_key == NULL) {
- goto err;
- }
- smartlist_add_asprintf(lines, "%s", encoded_legacy_key);
- tor_free(encoded_legacy_key);
- }
- /* Join them all in one blob of text. */
- encoded_ip = smartlist_join_strings(lines, "\n", 1, NULL);
- err:
- SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
- smartlist_free(lines);
- return encoded_ip;
- }
- /* Given a source length, return the new size including padding for the
- * plaintext encryption. */
- static size_t
- compute_padded_plaintext_length(size_t plaintext_len)
- {
- size_t plaintext_padded_len;
- const int padding_block_length = HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE;
- /* Make sure we won't overflow. */
- tor_assert(plaintext_len <= (SIZE_T_CEILING - padding_block_length));
- /* Get the extra length we need to add. For example, if srclen is 10200
- * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
- plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
- padding_block_length;
- /* Can never be extra careful. Make sure we are _really_ padded. */
- tor_assert(!(plaintext_padded_len % padding_block_length));
- return plaintext_padded_len;
- }
- /* Given a buffer, pad it up to the encrypted section padding requirement. Set
- * the newly allocated string in padded_out and return the length of the
- * padded buffer. */
- STATIC size_t
- build_plaintext_padding(const char *plaintext, size_t plaintext_len,
- uint8_t **padded_out)
- {
- size_t padded_len;
- uint8_t *padded;
- tor_assert(plaintext);
- tor_assert(padded_out);
- /* Allocate the final length including padding. */
- padded_len = compute_padded_plaintext_length(plaintext_len);
- tor_assert(padded_len >= plaintext_len);
- padded = tor_malloc_zero(padded_len);
- memcpy(padded, plaintext, plaintext_len);
- *padded_out = padded;
- return padded_len;
- }
- /* Using a key, IV and plaintext data of length plaintext_len, create the
- * encrypted section by encrypting it and setting encrypted_out with the
- * data. Return size of the encrypted data buffer. */
- static size_t
- build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
- size_t plaintext_len, uint8_t **encrypted_out,
- int is_superencrypted_layer)
- {
- size_t encrypted_len;
- uint8_t *padded_plaintext, *encrypted;
- crypto_cipher_t *cipher;
- tor_assert(key);
- tor_assert(iv);
- tor_assert(plaintext);
- tor_assert(encrypted_out);
- /* If we are encrypting the middle layer of the descriptor, we need to first
- pad the plaintext */
- if (is_superencrypted_layer) {
- encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
- &padded_plaintext);
- /* Extra precautions that we have a valid padding length. */
- tor_assert(!(encrypted_len % HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE));
- } else { /* No padding required for inner layers */
- padded_plaintext = tor_memdup(plaintext, plaintext_len);
- encrypted_len = plaintext_len;
- }
- /* This creates a cipher for AES. It can't fail. */
- cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
- HS_DESC_ENCRYPTED_BIT_SIZE);
- /* We use a stream cipher so the encrypted length will be the same as the
- * plaintext padded length. */
- encrypted = tor_malloc_zero(encrypted_len);
- /* This can't fail. */
- crypto_cipher_encrypt(cipher, (char *) encrypted,
- (const char *) padded_plaintext, encrypted_len);
- *encrypted_out = encrypted;
- /* Cleanup. */
- crypto_cipher_free(cipher);
- tor_free(padded_plaintext);
- return encrypted_len;
- }
- /* Encrypt the given <b>plaintext</b> buffer using <b>desc</b> to get the
- * keys. Set encrypted_out with the encrypted data and return the length of
- * it. <b>is_superencrypted_layer</b> is set if this is the outer encrypted
- * layer of the descriptor. */
- static size_t
- encrypt_descriptor_data(const hs_descriptor_t *desc, const char *plaintext,
- char **encrypted_out, int is_superencrypted_layer)
- {
- char *final_blob;
- size_t encrypted_len, final_blob_len, offset = 0;
- uint8_t *encrypted;
- uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
- uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
- uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
- tor_assert(desc);
- tor_assert(plaintext);
- tor_assert(encrypted_out);
- /* Get our salt. The returned bytes are already hashed. */
- crypto_strongest_rand(salt, sizeof(salt));
- /* KDF construction resulting in a key from which the secret key, IV and MAC
- * key are extracted which is what we need for the encryption. */
- build_secret_key_iv_mac(desc, salt, sizeof(salt),
- secret_key, sizeof(secret_key),
- secret_iv, sizeof(secret_iv),
- mac_key, sizeof(mac_key),
- is_superencrypted_layer);
- /* Build the encrypted part that is do the actual encryption. */
- encrypted_len = build_encrypted(secret_key, secret_iv, plaintext,
- strlen(plaintext), &encrypted,
- is_superencrypted_layer);
- memwipe(secret_key, 0, sizeof(secret_key));
- memwipe(secret_iv, 0, sizeof(secret_iv));
- /* This construction is specified in section 2.5 of proposal 224. */
- final_blob_len = sizeof(salt) + encrypted_len + DIGEST256_LEN;
- final_blob = tor_malloc_zero(final_blob_len);
- /* Build the MAC. */
- build_mac(mac_key, sizeof(mac_key), salt, sizeof(salt),
- encrypted, encrypted_len, mac, sizeof(mac));
- memwipe(mac_key, 0, sizeof(mac_key));
- /* The salt is the first value. */
- memcpy(final_blob, salt, sizeof(salt));
- offset = sizeof(salt);
- /* Second value is the encrypted data. */
- memcpy(final_blob + offset, encrypted, encrypted_len);
- offset += encrypted_len;
- /* Third value is the MAC. */
- memcpy(final_blob + offset, mac, sizeof(mac));
- offset += sizeof(mac);
- /* Cleanup the buffers. */
- memwipe(salt, 0, sizeof(salt));
- memwipe(encrypted, 0, encrypted_len);
- tor_free(encrypted);
- /* Extra precaution. */
- tor_assert(offset == final_blob_len);
- *encrypted_out = final_blob;
- return final_blob_len;
- }
- /* Create and return a string containing a fake client-auth entry. It's the
- * responsibility of the caller to free the returned string. This function will
- * never fail. */
- static char *
- get_fake_auth_client_str(void)
- {
- char *auth_client_str = NULL;
- /* We are gonna fill these arrays with fake base64 data. They are all double
- * the size of their binary representation to fit the base64 overhead. */
- char client_id_b64[8*2];
- char iv_b64[16*2];
- char encrypted_cookie_b64[16*2];
- int retval;
- /* This is a macro to fill a field with random data and then base64 it. */
- #define FILL_WITH_FAKE_DATA_AND_BASE64(field) STMT_BEGIN \
- crypto_rand((char *)field, sizeof(field)); \
- retval = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
- field, sizeof(field)); \
- tor_assert(retval > 0); \
- STMT_END
- { /* Get those fakes! */
- uint8_t client_id[8]; /* fake client-id */
- uint8_t iv[16]; /* fake IV (initialization vector) */
- uint8_t encrypted_cookie[16]; /* fake encrypted cookie */
- FILL_WITH_FAKE_DATA_AND_BASE64(client_id);
- FILL_WITH_FAKE_DATA_AND_BASE64(iv);
- FILL_WITH_FAKE_DATA_AND_BASE64(encrypted_cookie);
- }
- /* Build the final string */
- tor_asprintf(&auth_client_str, "%s %s %s %s", str_desc_auth_client,
- client_id_b64, iv_b64, encrypted_cookie_b64);
- #undef FILL_WITH_FAKE_DATA_AND_BASE64
- return auth_client_str;
- }
- /** How many lines of "client-auth" we want in our descriptors; fake or not. */
- #define CLIENT_AUTH_ENTRIES_BLOCK_SIZE 16
- /** Create the "client-auth" part of the descriptor and return a
- * newly-allocated string with it. It's the responsibility of the caller to
- * free the returned string. */
- static char *
- get_fake_auth_client_lines(void)
- {
- /* XXX: Client authorization is still not implemented, so all this function
- does is make fake clients */
- int i = 0;
- smartlist_t *auth_client_lines = smartlist_new();
- char *auth_client_lines_str = NULL;
- /* Make a line for each fake client */
- const int num_fake_clients = CLIENT_AUTH_ENTRIES_BLOCK_SIZE;
- for (i = 0; i < num_fake_clients; i++) {
- char *auth_client_str = get_fake_auth_client_str();
- tor_assert(auth_client_str);
- smartlist_add(auth_client_lines, auth_client_str);
- }
- /* Join all lines together to form final string */
- auth_client_lines_str = smartlist_join_strings(auth_client_lines,
- "\n", 1, NULL);
- /* Cleanup the mess */
- SMARTLIST_FOREACH(auth_client_lines, char *, a, tor_free(a));
- smartlist_free(auth_client_lines);
- return auth_client_lines_str;
- }
- /* Create the inner layer of the descriptor (which includes the intro points,
- * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
- * an error occurred. It's the responsibility of the caller to free the
- * returned string. */
- static char *
- get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
- {
- char *encoded_str = NULL;
- smartlist_t *lines = smartlist_new();
- /* Build the start of the section prior to the introduction points. */
- {
- if (!desc->encrypted_data.create2_ntor) {
- log_err(LD_BUG, "HS desc doesn't have recognized handshake type.");
- goto err;
- }
- smartlist_add_asprintf(lines, "%s %d\n", str_create2_formats,
- ONION_HANDSHAKE_TYPE_NTOR);
- if (desc->encrypted_data.intro_auth_types &&
- smartlist_len(desc->encrypted_data.intro_auth_types)) {
- /* Put the authentication-required line. */
- char *buf = smartlist_join_strings(desc->encrypted_data.intro_auth_types,
- " ", 0, NULL);
- smartlist_add_asprintf(lines, "%s %s\n", str_intro_auth_required, buf);
- tor_free(buf);
- }
- if (desc->encrypted_data.single_onion_service) {
- smartlist_add_asprintf(lines, "%s\n", str_single_onion);
- }
- }
- /* Build the introduction point(s) section. */
- SMARTLIST_FOREACH_BEGIN(desc->encrypted_data.intro_points,
- const hs_desc_intro_point_t *, ip) {
- char *encoded_ip = encode_intro_point(&desc->plaintext_data.signing_pubkey,
- ip);
- if (encoded_ip == NULL) {
- log_err(LD_BUG, "HS desc intro point is malformed.");
- goto err;
- }
- smartlist_add(lines, encoded_ip);
- } SMARTLIST_FOREACH_END(ip);
- /* Build the entire encrypted data section into one encoded plaintext and
- * then encrypt it. */
- encoded_str = smartlist_join_strings(lines, "", 0, NULL);
- err:
- SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
- smartlist_free(lines);
- return encoded_str;
- }
- /* Create the middle layer of the descriptor, which includes the client auth
- * data and the encrypted inner layer (provided as a base64 string at
- * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
- * layer plaintext, or NULL if an error occurred. It's the responsibility of
- * the caller to free the returned string. */
- static char *
- get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc,
- const char *layer2_b64_ciphertext)
- {
- char *layer1_str = NULL;
- smartlist_t *lines = smartlist_new();
- /* XXX: Disclaimer: This function generates only _fake_ client auth
- * data. Real client auth is not yet implemented, but client auth data MUST
- * always be present in descriptors. In the future this function will be
- * refactored to use real client auth data if they exist (#20700). */
- (void) *desc;
- /* Specify auth type */
- smartlist_add_asprintf(lines, "%s %s\n", str_desc_auth_type, "x25519");
- { /* Create fake ephemeral x25519 key */
- char fake_key_base64[CURVE25519_BASE64_PADDED_LEN + 1];
- curve25519_keypair_t fake_x25519_keypair;
- if (curve25519_keypair_generate(&fake_x25519_keypair, 0) < 0) {
- goto done;
- }
- if (curve25519_public_to_base64(fake_key_base64,
- &fake_x25519_keypair.pubkey) < 0) {
- goto done;
- }
- smartlist_add_asprintf(lines, "%s %s\n",
- str_desc_auth_key, fake_key_base64);
- /* No need to memwipe any of these fake keys. They will go unused. */
- }
- { /* Create fake auth-client lines. */
- char *auth_client_lines = get_fake_auth_client_lines();
- tor_assert(auth_client_lines);
- smartlist_add(lines, auth_client_lines);
- }
- /* create encrypted section */
- {
- smartlist_add_asprintf(lines,
- "%s\n"
- "-----BEGIN MESSAGE-----\n"
- "%s"
- "-----END MESSAGE-----",
- str_encrypted, layer2_b64_ciphertext);
- }
- layer1_str = smartlist_join_strings(lines, "", 0, NULL);
- done:
- SMARTLIST_FOREACH(lines, char *, a, tor_free(a));
- smartlist_free(lines);
- return layer1_str;
- }
- /* Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
- * returning it. <b>desc</b> is provided to derive the encryption
- * keys. <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
- * middle (superencrypted) layer of the descriptor. It's the responsibility of
- * the caller to free the returned string. */
- static char *
- encrypt_desc_data_and_base64(const hs_descriptor_t *desc,
- const char *encoded_str,
- int is_superencrypted_layer)
- {
- char *enc_b64;
- ssize_t enc_b64_len, ret_len, enc_len;
- char *encrypted_blob = NULL;
- enc_len = encrypt_descriptor_data(desc, encoded_str, &encrypted_blob,
- is_superencrypted_layer);
- /* Get the encoded size plus a NUL terminating byte. */
- enc_b64_len = base64_encode_size(enc_len, BASE64_ENCODE_MULTILINE) + 1;
- enc_b64 = tor_malloc_zero(enc_b64_len);
- /* Base64 the encrypted blob before returning it. */
- ret_len = base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
- BASE64_ENCODE_MULTILINE);
- /* Return length doesn't count the NUL byte. */
- tor_assert(ret_len == (enc_b64_len - 1));
- tor_free(encrypted_blob);
- return enc_b64;
- }
- /* Generate and encode the superencrypted portion of <b>desc</b>. This also
- * involves generating the encrypted portion of the descriptor, and performing
- * the superencryption. A newly allocated NUL-terminated string pointer
- * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
- * on success else a negative value. */
- static int
- encode_superencrypted_data(const hs_descriptor_t *desc,
- char **encrypted_blob_out)
- {
- int ret = -1;
- char *layer2_str = NULL;
- char *layer2_b64_ciphertext = NULL;
- char *layer1_str = NULL;
- char *layer1_b64_ciphertext = NULL;
- tor_assert(desc);
- tor_assert(encrypted_blob_out);
- /* Func logic: We first create the inner layer of the descriptor (layer2).
- * We then encrypt it and use it to create the middle layer of the descriptor
- * (layer1). Finally we superencrypt the middle layer and return it to our
- * caller. */
- /* Create inner descriptor layer */
- layer2_str = get_inner_encrypted_layer_plaintext(desc);
- if (!layer2_str) {
- goto err;
- }
- /* Encrypt and b64 the inner layer */
- layer2_b64_ciphertext = encrypt_desc_data_and_base64(desc, layer2_str, 0);
- if (!layer2_b64_ciphertext) {
- goto err;
- }
- /* Now create middle descriptor layer given the inner layer */
- layer1_str = get_outer_encrypted_layer_plaintext(desc,layer2_b64_ciphertext);
- if (!layer1_str) {
- goto err;
- }
- /* Encrypt and base64 the middle layer */
- layer1_b64_ciphertext = encrypt_desc_data_and_base64(desc, layer1_str, 1);
- if (!layer1_b64_ciphertext) {
- goto err;
- }
- /* Success! */
- ret = 0;
- err:
- tor_free(layer1_str);
- tor_free(layer2_str);
- tor_free(layer2_b64_ciphertext);
- *encrypted_blob_out = layer1_b64_ciphertext;
- return ret;
- }
- /* Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
- * newly allocated string of the encoded descriptor. On error, -1 is returned
- * and encoded_out is untouched. */
- static int
- desc_encode_v3(const hs_descriptor_t *desc,
- const ed25519_keypair_t *signing_kp, char **encoded_out)
- {
- int ret = -1;
- char *encoded_str = NULL;
- size_t encoded_len;
- smartlist_t *lines = smartlist_new();
- tor_assert(desc);
- tor_assert(signing_kp);
- tor_assert(encoded_out);
- tor_assert(desc->plaintext_data.version == 3);
- if (BUG(desc->subcredential == NULL)) {
- goto err;
- }
- /* Build the non-encrypted values. */
- {
- char *encoded_cert;
- /* Encode certificate then create the first line of the descriptor. */
- if (desc->plaintext_data.signing_key_cert->cert_type
- != CERT_TYPE_SIGNING_HS_DESC) {
- log_err(LD_BUG, "HS descriptor signing key has an unexpected cert type "
- "(%d)", (int) desc->plaintext_data.signing_key_cert->cert_type);
- goto err;
- }
- if (tor_cert_encode_ed22519(desc->plaintext_data.signing_key_cert,
- &encoded_cert) < 0) {
- /* The function will print error logs. */
- goto err;
- }
- /* Create the hs descriptor line. */
- smartlist_add_asprintf(lines, "%s %" PRIu32, str_hs_desc,
- desc->plaintext_data.version);
- /* Add the descriptor lifetime line (in minutes). */
- smartlist_add_asprintf(lines, "%s %" PRIu32, str_lifetime,
- desc->plaintext_data.lifetime_sec / 60);
- /* Create the descriptor certificate line. */
- smartlist_add_asprintf(lines, "%s\n%s", str_desc_cert, encoded_cert);
- tor_free(encoded_cert);
- /* Create the revision counter line. */
- smartlist_add_asprintf(lines, "%s %" PRIu64, str_rev_counter,
- desc->plaintext_data.revision_counter);
- }
- /* Build the superencrypted data section. */
- {
- char *enc_b64_blob=NULL;
- if (encode_superencrypted_data(desc, &enc_b64_blob) < 0) {
- goto err;
- }
- smartlist_add_asprintf(lines,
- "%s\n"
- "-----BEGIN MESSAGE-----\n"
- "%s"
- "-----END MESSAGE-----",
- str_superencrypted, enc_b64_blob);
- tor_free(enc_b64_blob);
- }
- /* Join all lines in one string so we can generate a signature and append
- * it to the descriptor. */
- encoded_str = smartlist_join_strings(lines, "\n", 1, &encoded_len);
- /* Sign all fields of the descriptor with our short term signing key. */
- {
- ed25519_signature_t sig;
- char ed_sig_b64[ED25519_SIG_BASE64_LEN + 1];
- if (ed25519_sign_prefixed(&sig,
- (const uint8_t *) encoded_str, encoded_len,
- str_desc_sig_prefix, signing_kp) < 0) {
- log_warn(LD_BUG, "Can't sign encoded HS descriptor!");
- tor_free(encoded_str);
- goto err;
- }
- if (ed25519_signature_to_base64(ed_sig_b64, &sig) < 0) {
- log_warn(LD_BUG, "Can't base64 encode descriptor signature!");
- tor_free(encoded_str);
- goto err;
- }
- /* Create the signature line. */
- smartlist_add_asprintf(lines, "%s %s", str_signature, ed_sig_b64);
- }
- /* Free previous string that we used so compute the signature. */
- tor_free(encoded_str);
- encoded_str = smartlist_join_strings(lines, "\n", 1, NULL);
- *encoded_out = encoded_str;
- if (strlen(encoded_str) >= hs_cache_get_max_descriptor_size()) {
- log_warn(LD_GENERAL, "We just made an HS descriptor that's too big (%d)."
- "Failing.", (int)strlen(encoded_str));
- tor_free(encoded_str);
- goto err;
- }
- /* XXX: Trigger a control port event. */
- /* Success! */
- ret = 0;
- err:
- SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
- smartlist_free(lines);
- return ret;
- }
- /* === DECODING === */
- /* Given an encoded string of the link specifiers, return a newly allocated
- * list of decoded link specifiers. Return NULL on error. */
- STATIC smartlist_t *
- decode_link_specifiers(const char *encoded)
- {
- int decoded_len;
- size_t encoded_len, i;
- uint8_t *decoded;
- smartlist_t *results = NULL;
- link_specifier_list_t *specs = NULL;
- tor_assert(encoded);
- encoded_len = strlen(encoded);
- decoded = tor_malloc(encoded_len);
- decoded_len = base64_decode((char *) decoded, encoded_len, encoded,
- encoded_len);
- if (decoded_len < 0) {
- goto err;
- }
- if (link_specifier_list_parse(&specs, decoded,
- (size_t) decoded_len) < decoded_len) {
- goto err;
- }
- tor_assert(specs);
- results = smartlist_new();
- for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
- hs_desc_link_specifier_t *hs_spec;
- link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
- tor_assert(ls);
- hs_spec = tor_malloc_zero(sizeof(*hs_spec));
- hs_spec->type = link_specifier_get_ls_type(ls);
- switch (hs_spec->type) {
- case LS_IPV4:
- tor_addr_from_ipv4h(&hs_spec->u.ap.addr,
- link_specifier_get_un_ipv4_addr(ls));
- hs_spec->u.ap.port = link_specifier_get_un_ipv4_port(ls);
- break;
- case LS_IPV6:
- tor_addr_from_ipv6_bytes(&hs_spec->u.ap.addr, (const char *)
- link_specifier_getarray_un_ipv6_addr(ls));
- hs_spec->u.ap.port = link_specifier_get_un_ipv6_port(ls);
- break;
- case LS_LEGACY_ID:
- /* Both are known at compile time so let's make sure they are the same
- * else we can copy memory out of bound. */
- tor_assert(link_specifier_getlen_un_legacy_id(ls) ==
- sizeof(hs_spec->u.legacy_id));
- memcpy(hs_spec->u.legacy_id, link_specifier_getarray_un_legacy_id(ls),
- sizeof(hs_spec->u.legacy_id));
- break;
- case LS_ED25519_ID:
- /* Both are known at compile time so let's make sure they are the same
- * else we can copy memory out of bound. */
- tor_assert(link_specifier_getlen_un_ed25519_id(ls) ==
- sizeof(hs_spec->u.ed25519_id));
- memcpy(hs_spec->u.ed25519_id,
- link_specifier_getconstarray_un_ed25519_id(ls),
- sizeof(hs_spec->u.ed25519_id));
- break;
- default:
- goto err;
- }
- smartlist_add(results, hs_spec);
- }
- goto done;
- err:
- if (results) {
- SMARTLIST_FOREACH(results, hs_desc_link_specifier_t *, s, tor_free(s));
- smartlist_free(results);
- results = NULL;
- }
- done:
- link_specifier_list_free(specs);
- tor_free(decoded);
- return results;
- }
- /* Given a list of authentication types, decode it and put it in the encrypted
- * data section. Return 1 if we at least know one of the type or 0 if we know
- * none of them. */
- static int
- decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
- {
- int match = 0;
- tor_assert(desc);
- tor_assert(list);
- desc->intro_auth_types = smartlist_new();
- smartlist_split_string(desc->intro_auth_types, list, " ", 0, 0);
- /* Validate the types that we at least know about one. */
- SMARTLIST_FOREACH_BEGIN(desc->intro_auth_types, const char *, auth) {
- for (int idx = 0; intro_auth_types[idx].identifier; idx++) {
- if (!strncmp(auth, intro_auth_types[idx].identifier,
- strlen(intro_auth_types[idx].identifier))) {
- match = 1;
- break;
- }
- }
- } SMARTLIST_FOREACH_END(auth);
- return match;
- }
- /* Parse a space-delimited list of integers representing CREATE2 formats into
- * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
- static void
- decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
- {
- smartlist_t *tokens;
- tor_assert(desc);
- tor_assert(list);
- tokens = smartlist_new();
- smartlist_split_string(tokens, list, " ", 0, 0);
- SMARTLIST_FOREACH_BEGIN(tokens, char *, s) {
- int ok;
- unsigned long type = tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
- if (!ok) {
- log_warn(LD_REND, "Unparseable value %s in create2 list", escaped(s));
- continue;
- }
- switch (type) {
- case ONION_HANDSHAKE_TYPE_NTOR:
- desc->create2_ntor = 1;
- break;
- default:
- /* We deliberately ignore unsupported handshake types */
- continue;
- }
- } SMARTLIST_FOREACH_END(s);
- SMARTLIST_FOREACH(tokens, char *, s, tor_free(s));
- smartlist_free(tokens);
- }
- /* Given a certificate, validate the certificate for certain conditions which
- * are if the given type matches the cert's one, if the signing key is
- * included and if the that key was actually used to sign the certificate.
- *
- * Return 1 iff if all conditions pass or 0 if one of them fails. */
- STATIC int
- cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
- {
- tor_assert(log_obj_type);
- if (cert == NULL) {
- log_warn(LD_REND, "Certificate for %s couldn't be parsed.", log_obj_type);
- goto err;
- }
- if (cert->cert_type != type) {
- log_warn(LD_REND, "Invalid cert type %02x for %s.", cert->cert_type,
- log_obj_type);
- goto err;
- }
- /* All certificate must have its signing key included. */
- if (!cert->signing_key_included) {
- log_warn(LD_REND, "Signing key is NOT included for %s.", log_obj_type);
- goto err;
- }
- /* The following will not only check if the signature matches but also the
- * expiration date and overall validity. */
- if (tor_cert_checksig(cert, &cert->signing_key, approx_time()) < 0) {
- log_warn(LD_REND, "Invalid signature for %s: %s", log_obj_type,
- tor_cert_describe_signature_status(cert));
- goto err;
- }
- return 1;
- err:
- return 0;
- }
- /* Given some binary data, try to parse it to get a certificate object. If we
- * have a valid cert, validate it using the given wanted type. On error, print
- * a log using the err_msg has the certificate identifier adding semantic to
- * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
- * points to a newly allocated certificate object. */
- static int
- cert_parse_and_validate(tor_cert_t **cert_out, const char *data,
- size_t data_len, unsigned int cert_type_wanted,
- const char *err_msg)
- {
- tor_cert_t *cert;
- tor_assert(cert_out);
- tor_assert(data);
- tor_assert(err_msg);
- /* Parse certificate. */
- cert = tor_cert_parse((const uint8_t *) data, data_len);
- if (!cert) {
- log_warn(LD_REND, "Certificate for %s couldn't be parsed.", err_msg);
- goto err;
- }
- /* Validate certificate. */
- if (!cert_is_valid(cert, cert_type_wanted, err_msg)) {
- goto err;
- }
- *cert_out = cert;
- return 0;
- err:
- tor_cert_free(cert);
- *cert_out = NULL;
- return -1;
- }
- /* Return true iff the given length of the encrypted data of a descriptor
- * passes validation. */
- STATIC int
- encrypted_data_length_is_valid(size_t len)
- {
- /* Make sure there is enough data for the salt and the mac. The equality is
- there to ensure that there is at least one byte of encrypted data. */
- if (len <= HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN) {
- log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
- "Got %lu but minimum value is %d",
- (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
- goto err;
- }
- return 1;
- err:
- return 0;
- }
- /** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
- * <b>encrypted_blob_size</b>. Use the descriptor object <b>desc</b> to
- * generate the right decryption keys; set <b>decrypted_out</b> to the
- * plaintext. If <b>is_superencrypted_layer</b> is set, this is the outter
- * encrypted layer of the descriptor.
- *
- * On any error case, including an empty output, return 0 and set
- * *<b>decrypted_out</b> to NULL.
- */
- MOCK_IMPL(STATIC size_t,
- decrypt_desc_layer,(const hs_descriptor_t *desc,
- const uint8_t *encrypted_blob,
- size_t encrypted_blob_size,
- int is_superencrypted_layer,
- char **decrypted_out))
- {
- uint8_t *decrypted = NULL;
- uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
- uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
- const uint8_t *salt, *encrypted, *desc_mac;
- size_t encrypted_len, result_len = 0;
- tor_assert(decrypted_out);
- tor_assert(desc);
- tor_assert(encrypted_blob);
- /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
- * Make sure we have enough space for all these things. */
- if (!encrypted_data_length_is_valid(encrypted_blob_size)) {
- goto err;
- }
- /* Start of the blob thus the salt. */
- salt = encrypted_blob;
- /* Next is the encrypted data. */
- encrypted = encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN;
- encrypted_len = encrypted_blob_size -
- (HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
- tor_assert(encrypted_len > 0); /* guaranteed by the check above */
- /* And last comes the MAC. */
- desc_mac = encrypted_blob + encrypted_blob_size - DIGEST256_LEN;
- /* KDF construction resulting in a key from which the secret key, IV and MAC
- * key are extracted which is what we need for the decryption. */
- build_secret_key_iv_mac(desc, salt, HS_DESC_ENCRYPTED_SALT_LEN,
- secret_key, sizeof(secret_key),
- secret_iv, sizeof(secret_iv),
- mac_key, sizeof(mac_key),
- is_superencrypted_layer);
- /* Build MAC. */
- build_mac(mac_key, sizeof(mac_key), salt, HS_DESC_ENCRYPTED_SALT_LEN,
- encrypted, encrypted_len, our_mac, sizeof(our_mac));
- memwipe(mac_key, 0, sizeof(mac_key));
- /* Verify MAC; MAC is H(mac_key || salt || encrypted)
- *
- * This is a critical check that is making sure the computed MAC matches the
- * one in the descriptor. */
- if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
- log_warn(LD_REND, "Encrypted service descriptor MAC check failed");
- goto err;
- }
- {
- /* Decrypt. Here we are assured that the encrypted length is valid for
- * decryption. */
- crypto_cipher_t *cipher;
- cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
- HS_DESC_ENCRYPTED_BIT_SIZE);
- /* Extra byte for the NUL terminated byte. */
- decrypted = tor_malloc_zero(encrypted_len + 1);
- crypto_cipher_decrypt(cipher, (char *) decrypted,
- (const char *) encrypted, encrypted_len);
- crypto_cipher_free(cipher);
- }
- {
- /* Adjust length to remove NUL padding bytes */
- uint8_t *end = memchr(decrypted, 0, encrypted_len);
- result_len = encrypted_len;
- if (end) {
- result_len = end - decrypted;
- }
- }
- if (result_len == 0) {
- /* Treat this as an error, so that somebody will free the output. */
- goto err;
- }
- /* Make sure to NUL terminate the string. */
- decrypted[encrypted_len] = '\0';
- *decrypted_out = (char *) decrypted;
- goto done;
- err:
- if (decrypted) {
- tor_free(decrypted);
- }
- *decrypted_out = NULL;
- result_len = 0;
- done:
- memwipe(secret_key, 0, sizeof(secret_key));
- memwipe(secret_iv, 0, sizeof(secret_iv));
- return result_len;
- }
- /* Basic validation that the superencrypted client auth portion of the
- * descriptor is well-formed and recognized. Return True if so, otherwise
- * return False. */
- static int
- superencrypted_auth_data_is_valid(smartlist_t *tokens)
- {
- /* XXX: This is just basic validation for now. When we implement client auth,
- we can refactor this function so that it actually parses and saves the
- data. */
- { /* verify desc auth type */
- const directory_token_t *tok;
- tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
- tor_assert(tok->n_args >= 1);
- if (strcmp(tok->args[0], "x25519")) {
- log_warn(LD_DIR, "Unrecognized desc auth type");
- return 0;
- }
- }
- { /* verify desc auth key */
- const directory_token_t *tok;
- curve25519_public_key_t k;
- tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
- tor_assert(tok->n_args >= 1);
- if (curve25519_public_from_base64(&k, tok->args[0]) < 0) {
- log_warn(LD_DIR, "Bogus desc auth key in HS desc");
- return 0;
- }
- }
- /* verify desc auth client items */
- SMARTLIST_FOREACH_BEGIN(tokens, const directory_token_t *, tok) {
- if (tok->tp == R3_DESC_AUTH_CLIENT) {
- tor_assert(tok->n_args >= 3);
- }
- } SMARTLIST_FOREACH_END(tok);
- return 1;
- }
- /* Parse <b>message</b>, the plaintext of the superencrypted portion of an HS
- * descriptor. Set <b>encrypted_out</b> to the encrypted blob, and return its
- * size */
- STATIC size_t
- decode_superencrypted(const char *message, size_t message_len,
- uint8_t **encrypted_out)
- {
- int retval = 0;
- memarea_t *area = NULL;
- smartlist_t *tokens = NULL;
- area = memarea_new();
- tokens = smartlist_new();
- if (tokenize_string(area, message, message + message_len, tokens,
- hs_desc_superencrypted_v3_token_table, 0) < 0) {
- log_warn(LD_REND, "Superencrypted portion is not parseable");
- goto err;
- }
- /* Do some rudimentary validation of the authentication data */
- if (!superencrypted_auth_data_is_valid(tokens)) {
- log_warn(LD_REND, "Invalid auth data");
- goto err;
- }
- /* Extract the encrypted data section. */
- {
- const directory_token_t *tok;
- tok = find_by_keyword(tokens, R3_ENCRYPTED);
- tor_assert(tok->object_body);
- if (strcmp(tok->object_type, "MESSAGE") != 0) {
- log_warn(LD_REND, "Desc superencrypted data section is invalid");
- goto err;
- }
- /* Make sure the length of the encrypted blob is valid. */
- if (!encrypted_data_length_is_valid(tok->object_size)) {
- goto err;
- }
- /* Copy the encrypted blob to the descriptor object so we can handle it
- * latter if needed. */
- tor_assert(tok->object_size <= INT_MAX);
- *encrypted_out = tor_memdup(tok->object_body, tok->object_size);
- retval = (int) tok->object_size;
- }
- err:
- SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
- smartlist_free(tokens);
- if (area) {
- memarea_drop_all(area);
- }
- return retval;
- }
- /* Decrypt both the superencrypted and the encrypted section of the descriptor
- * using the given descriptor object <b>desc</b>. A newly allocated NUL
- * terminated string is put in decrypted_out which contains the inner encrypted
- * layer of the descriptor. Return the length of decrypted_out on success else
- * 0 is returned and decrypted_out is set to NULL. */
- static size_t
- desc_decrypt_all(const hs_descriptor_t *desc, char **decrypted_out)
- {
- size_t decrypted_len = 0;
- size_t encrypted_len = 0;
- size_t superencrypted_len = 0;
- char *superencrypted_plaintext = NULL;
- uint8_t *encrypted_blob = NULL;
- /** Function logic: This function takes us from the descriptor header to the
- * inner encrypted layer, by decrypting and decoding the middle descriptor
- * layer. In the end we return the contents of the inner encrypted layer to
- * our caller. */
- /* 1. Decrypt middle layer of descriptor */
- superencrypted_len = decrypt_desc_layer(desc,
- desc->plaintext_data.superencrypted_blob,
- desc->plaintext_data.superencrypted_blob_size,
- 1,
- &superencrypted_plaintext);
- if (!superencrypted_len) {
- log_warn(LD_REND, "Decrypting superencrypted desc failed.");
- goto err;
- }
- tor_assert(superencrypted_plaintext);
- /* 2. Parse "superencrypted" */
- encrypted_len = decode_superencrypted(superencrypted_plaintext,
- superencrypted_len,
- &encrypted_blob);
- if (!encrypted_len) {
- log_warn(LD_REND, "Decrypting encrypted desc failed.");
- goto err;
- }
- tor_assert(encrypted_blob);
- /* 3. Decrypt "encrypted" and set decrypted_out */
- char *decrypted_desc;
- decrypted_len = decrypt_desc_layer(desc,
- encrypted_blob, encrypted_len,
- 0, &decrypted_desc);
- if (!decrypted_len) {
- log_warn(LD_REND, "Decrypting encrypted desc failed.");
- goto err;
- }
- tor_assert(decrypted_desc);
- *decrypted_out = decrypted_desc;
- err:
- tor_free(superencrypted_plaintext);
- tor_free(encrypted_blob);
- return decrypted_len;
- }
- /* Given the token tok for an intro point legacy key, the list of tokens, the
- * introduction point ip being decoded and the descriptor desc from which it
- * comes from, decode the legacy key and set the intro point object. Return 0
- * on success else -1 on failure. */
- static int
- decode_intro_legacy_key(const directory_token_t *tok,
- smartlist_t *tokens,
- hs_desc_intro_point_t *ip,
- const hs_descriptor_t *desc)
- {
- tor_assert(tok);
- tor_assert(tokens);
- tor_assert(ip);
- tor_assert(desc);
- if (!crypto_pk_public_exponent_ok(tok->key)) {
- log_warn(LD_REND, "Introduction point legacy key is invalid");
- goto err;
- }
- ip->legacy.key = crypto_pk_dup_key(tok->key);
- /* Extract the legacy cross certification cert which MUST be present if we
- * have a legacy key. */
- tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY_CERT);
- if (!tok) {
- log_warn(LD_REND, "Introduction point legacy key cert is missing");
- goto err;
- }
- tor_assert(tok->object_body);
- if (strcmp(tok->object_type, "CROSSCERT")) {
- /* Info level because this might be an unknown field that we should
- * ignore. */
- log_info(LD_REND, "Introduction point legacy encryption key "
- "cross-certification has an unknown format.");
- goto err;
- }
- /* Keep a copy of the certificate. */
- ip->legacy.cert.encoded = tor_memdup(tok->object_body, tok->object_size);
- ip->legacy.cert.len = tok->object_size;
- /* The check on the expiration date is for the entire lifetime of a
- * certificate which is 24 hours. However, a descriptor has a maximum
- * lifetime of 12 hours meaning we have a 12h difference between the two
- * which ultimately accommodate the clock skewed client. */
- if (rsa_ed25519_crosscert_check(ip->legacy.cert.encoded,
- ip->legacy.cert.len, ip->legacy.key,
- &desc->plaintext_data.signing_pubkey,
- approx_time() - HS_DESC_CERT_LIFETIME)) {
- log_warn(LD_REND, "Unable to check cross-certification on the "
- "introduction point legacy encryption key.");
- ip->cross_certified = 0;
- goto err;
- }
- /* Success. */
- return 0;
- err:
- return -1;
- }
- /* Dig into the descriptor <b>tokens</b> to find the onion key we should use
- * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
- * was found and well-formed, otherwise return -1 in case of errors. */
- static int
- set_intro_point_onion_key(curve25519_public_key_t *onion_key_out,
- const smartlist_t *tokens)
- {
- int retval = -1;
- smartlist_t *onion_keys = NULL;
- tor_assert(onion_key_out);
- onion_keys = find_all_by_keyword(tokens, R3_INTRO_ONION_KEY);
- if (!onion_keys) {
- log_warn(LD_REND, "Descriptor did not contain intro onion keys");
- goto err;
- }
- SMARTLIST_FOREACH_BEGIN(onion_keys, directory_token_t *, tok) {
- /* This field is using GE(2) so for possible forward compatibility, we
- * accept more fields but must be at least 2. */
- tor_assert(tok->n_args >= 2);
- /* Try to find an ntor key, it's the only recognized type right now */
- if (!strcmp(tok->args[0], "ntor")) {
- if (curve25519_public_from_base64(onion_key_out, tok->args[1]) < 0) {
- log_warn(LD_REND, "Introduction point ntor onion-key is invalid");
- goto err;
- }
- /* Got the onion key! Set the appropriate retval */
- retval = 0;
- }
- } SMARTLIST_FOREACH_END(tok);
- /* Log an error if we didn't find it :( */
- if (retval < 0) {
- log_warn(LD_REND, "Descriptor did not contain ntor onion keys");
- }
- err:
- smartlist_free(onion_keys);
- return retval;
- }
- /* Given the start of a section and the end of it, decode a single
- * introduction point from that section. Return a newly allocated introduction
- * point object containing the decoded data. Return NULL if the section can't
- * be decoded. */
- STATIC hs_desc_intro_point_t *
- decode_introduction_point(const hs_descriptor_t *desc, const char *start)
- {
- hs_desc_intro_point_t *ip = NULL;
- memarea_t *area = NULL;
- smartlist_t *tokens = NULL;
- const directory_token_t *tok;
- tor_assert(desc);
- tor_assert(start);
- area = memarea_new();
- tokens = smartlist_new();
- if (tokenize_string(area, start, start + strlen(start),
- tokens, hs_desc_intro_point_v3_token_table, 0) < 0) {
- log_warn(LD_REND, "Introduction point is not parseable");
- goto err;
- }
- /* Ok we seem to have a well formed section containing enough tokens to
- * parse. Allocate our IP object and try to populate it. */
- ip = hs_desc_intro_point_new();
- /* "introduction-point" SP link-specifiers NL */
- tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
- tor_assert(tok->n_args == 1);
- /* Our constructor creates this list by default so free it. */
- smartlist_free(ip->link_specifiers);
- ip->link_specifiers = decode_link_specifiers(tok->args[0]);
- if (!ip->link_specifiers) {
- log_warn(LD_REND, "Introduction point has invalid link specifiers");
- goto err;
- }
- /* "onion-key" SP ntor SP key NL */
- if (set_intro_point_onion_key(&ip->onion_key, tokens) < 0) {
- goto err;
- }
- /* "auth-key" NL certificate NL */
- tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
- tor_assert(tok->object_body);
- if (strcmp(tok->object_type, "ED25519 CERT")) {
- log_warn(LD_REND, "Unexpected object type for introduction auth key");
- goto err;
- }
- /* Parse cert and do some validation. */
- if (cert_parse_and_validate(&ip->auth_key_cert, tok->object_body,
- tok->object_size, CERT_TYPE_AUTH_HS_IP_KEY,
- "introduction point auth-key") < 0) {
- goto err;
- }
- /* Validate authentication certificate with descriptor signing key. */
- if (tor_cert_checksig(ip->auth_key_cert,
- &desc->plaintext_data.signing_pubkey, 0) < 0) {
- log_warn(LD_REND, "Invalid authentication key signature: %s",
- tor_cert_describe_signature_status(ip->auth_key_cert));
- goto err;
- }
- /* Exactly one "enc-key" SP "ntor" SP key NL */
- tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
- if (!strcmp(tok->args[0], "ntor")) {
- /* This field is using GE(2) so for possible forward compatibility, we
- * accept more fields but must be at least 2. */
- tor_assert(tok->n_args >= 2);
- if (curve25519_public_from_base64(&ip->enc_key, tok->args[1]) < 0) {
- log_warn(LD_REND, "Introduction point ntor enc-key is invalid");
- goto err;
- }
- } else {
- /* Unknown key type so we can't use that introduction point. */
- log_warn(LD_REND, "Introduction point encryption key is unrecognized.");
- goto err;
- }
- /* Exactly once "enc-key-cert" NL certificate NL */
- tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
- tor_assert(tok->object_body);
- /* Do the cross certification. */
- if (strcmp(tok->object_type, "ED25519 CERT")) {
- log_warn(LD_REND, "Introduction point ntor encryption key "
- "cross-certification has an unknown format.");
- goto err;
- }
- if (cert_parse_and_validate(&ip->enc_key_cert, tok->object_body,
- tok->object_size, CERT_TYPE_CROSS_HS_IP_KEYS,
- "introduction point enc-key-cert") < 0) {
- goto err;
- }
- if (tor_cert_checksig(ip->enc_key_cert,
- &desc->plaintext_data.signing_pubkey, 0) < 0) {
- log_warn(LD_REND, "Invalid encryption key signature: %s",
- tor_cert_describe_signature_status(ip->enc_key_cert));
- goto err;
- }
- /* It is successfully cross certified. Flag the object. */
- ip->cross_certified = 1;
- /* Do we have a "legacy-key" SP key NL ?*/
- tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY);
- if (tok) {
- if (decode_intro_legacy_key(tok, tokens, ip, desc) < 0) {
- goto err;
- }
- }
- /* Introduction point has been parsed successfully. */
- goto done;
- err:
- hs_desc_intro_point_free(ip);
- ip = NULL;
- done:
- SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
- smartlist_free(tokens);
- if (area) {
- memarea_drop_all(area);
- }
- return ip;
- }
- /* Given a descriptor string at <b>data</b>, decode all possible introduction
- * points that we can find. Add the introduction point object to desc_enc as we
- * find them. This function can't fail and it is possible that zero
- * introduction points can be decoded. */
- static void
- decode_intro_points(const hs_descriptor_t *desc,
- hs_desc_encrypted_data_t *desc_enc,
- const char *data)
- {
- smartlist_t *chunked_desc = smartlist_new();
- smartlist_t *intro_points = smartlist_new();
- tor_assert(desc);
- tor_assert(desc_enc);
- tor_assert(data);
- tor_assert(desc_enc->intro_points);
- /* Take the desc string, and extract the intro point substrings out of it */
- {
- /* Split the descriptor string using the intro point header as delimiter */
- smartlist_split_string(chunked_desc, data, str_intro_point_start, 0, 0);
- /* Check if there are actually any intro points included. The first chunk
- * should be other descriptor fields (e.g. create2-formats), so it's not an
- * intro point. */
- if (smartlist_len(chunked_desc) < 2) {
- goto done;
- }
- }
- /* Take the intro point substrings, and prepare them for parsing */
- {
- int i = 0;
- /* Prepend the introduction-point header to all the chunks, since
- smartlist_split_string() devoured it. */
- SMARTLIST_FOREACH_BEGIN(chunked_desc, char *, chunk) {
- /* Ignore first chunk. It's other descriptor fields. */
- if (i++ == 0) {
- continue;
- }
- smartlist_add_asprintf(intro_points, "%s %s", str_intro_point, chunk);
- } SMARTLIST_FOREACH_END(chunk);
- }
- /* Parse the intro points! */
- SMARTLIST_FOREACH_BEGIN(intro_points, const char *, intro_point) {
- hs_desc_intro_point_t *ip = decode_introduction_point(desc, intro_point);
- if (!ip) {
- /* Malformed introduction point section. We'll ignore this introduction
- * point and continue parsing. New or unknown fields are possible for
- * forward compatibility. */
- continue;
- }
- smartlist_add(desc_enc->intro_points, ip);
- } SMARTLIST_FOREACH_END(intro_point);
- done:
- SMARTLIST_FOREACH(chunked_desc, char *, a, tor_free(a));
- smartlist_free(chunked_desc);
- SMARTLIST_FOREACH(intro_points, char *, a, tor_free(a));
- smartlist_free(intro_points);
- }
- /* Return 1 iff the given base64 encoded signature in b64_sig from the encoded
- * descriptor in encoded_desc validates the descriptor content. */
- STATIC int
- desc_sig_is_valid(const char *b64_sig,
- const ed25519_public_key_t *signing_pubkey,
- const char *encoded_desc, size_t encoded_len)
- {
- int ret = 0;
- ed25519_signature_t sig;
- const char *sig_start;
- tor_assert(b64_sig);
- tor_assert(signing_pubkey);
- tor_assert(encoded_desc);
- /* Verifying nothing won't end well :). */
- tor_assert(encoded_len > 0);
- /* Signature length check. */
- if (strlen(b64_sig) != ED25519_SIG_BASE64_LEN) {
- log_warn(LD_REND, "Service descriptor has an invalid signature length."
- "Exptected %d but got %lu",
- ED25519_SIG_BASE64_LEN, (unsigned long) strlen(b64_sig));
- goto err;
- }
- /* First, convert base64 blob to an ed25519 signature. */
- if (ed25519_signature_from_base64(&sig, b64_sig) != 0) {
- log_warn(LD_REND, "Service descriptor does not contain a valid "
- "signature");
- goto err;
- }
- /* Find the start of signature. */
- sig_start = tor_memstr(encoded_desc, encoded_len, "\n" str_signature " ");
- /* Getting here means the token parsing worked for the signature so if we
- * can't find the start of the signature, we have a code flow issue. */
- if (!sig_start) {
- log_warn(LD_GENERAL, "Malformed signature line. Rejecting.");
- goto err;
- }
- /* Skip newline, it has to go in the signature check. */
- sig_start++;
- /* Validate signature with the full body of the descriptor. */
- if (ed25519_checksig_prefixed(&sig,
- (const uint8_t *) encoded_desc,
- sig_start - encoded_desc,
- str_desc_sig_prefix,
- signing_pubkey) != 0) {
- log_warn(LD_REND, "Invalid signature on service descriptor");
- goto err;
- }
- /* Valid signature! All is good. */
- ret = 1;
- err:
- return ret;
- }
- /* Decode descriptor plaintext data for version 3. Given a list of tokens, an
- * allocated plaintext object that will be populated and the encoded
- * descriptor with its length. The last one is needed for signature
- * verification. Unknown tokens are simply ignored so this won't error on
- * unknowns but requires that all v3 token be present and valid.
- *
- * Return 0 on success else a negative value. */
- static int
- desc_decode_plaintext_v3(smartlist_t *tokens,
- hs_desc_plaintext_data_t *desc,
- const char *encoded_desc, size_t encoded_len)
- {
- int ok;
- directory_token_t *tok;
- tor_assert(tokens);
- tor_assert(desc);
- /* Version higher could still use this function to decode most of the
- * descriptor and then they decode the extra part. */
- tor_assert(desc->version >= 3);
- /* Descriptor lifetime parsing. */
- tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
- tor_assert(tok->n_args == 1);
- desc->lifetime_sec = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
- UINT32_MAX, &ok, NULL);
- if (!ok) {
- log_warn(LD_REND, "Service descriptor lifetime value is invalid");
- goto err;
- }
- /* Put it from minute to second. */
- desc->lifetime_sec *= 60;
- if (desc->lifetime_sec > HS_DESC_MAX_LIFETIME) {
- log_warn(LD_REND, "Service descriptor lifetime is too big. "
- "Got %" PRIu32 " but max is %d",
- desc->lifetime_sec, HS_DESC_MAX_LIFETIME);
- goto err;
- }
- /* Descriptor signing certificate. */
- tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
- tor_assert(tok->object_body);
- /* Expecting a prop220 cert with the signing key extension, which contains
- * the blinded public key. */
- if (strcmp(tok->object_type, "ED25519 CERT") != 0) {
- log_warn(LD_REND, "Service descriptor signing cert wrong type (%s)",
- escaped(tok->object_type));
- goto err;
- }
- if (cert_parse_and_validate(&desc->signing_key_cert, tok->object_body,
- tok->object_size, CERT_TYPE_SIGNING_HS_DESC,
- "service descriptor signing key") < 0) {
- goto err;
- }
- /* Copy the public keys into signing_pubkey and blinded_pubkey */
- memcpy(&desc->signing_pubkey, &desc->signing_key_cert->signed_key,
- sizeof(ed25519_public_key_t));
- memcpy(&desc->blinded_pubkey, &desc->signing_key_cert->signing_key,
- sizeof(ed25519_public_key_t));
- /* Extract revision counter value. */
- tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
- tor_assert(tok->n_args == 1);
- desc->revision_counter = tor_parse_uint64(tok->args[0], 10, 0,
- UINT64_MAX, &ok, NULL);
- if (!ok) {
- log_warn(LD_REND, "Service descriptor revision-counter is invalid");
- goto err;
- }
- /* Extract the encrypted data section. */
- tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
- tor_assert(tok->object_body);
- if (strcmp(tok->object_type, "MESSAGE") != 0) {
- log_warn(LD_REND, "Service descriptor encrypted data section is invalid");
- goto err;
- }
- /* Make sure the length of the encrypted blob is valid. */
- if (!encrypted_data_length_is_valid(tok->object_size)) {
- goto err;
- }
- /* Copy the encrypted blob to the descriptor object so we can handle it
- * latter if needed. */
- desc->superencrypted_blob = tor_memdup(tok->object_body, tok->object_size);
- desc->superencrypted_blob_size = tok->object_size;
- /* Extract signature and verify it. */
- tok = find_by_keyword(tokens, R3_SIGNATURE);
- tor_assert(tok->n_args == 1);
- /* First arg here is the actual encoded signature. */
- if (!desc_sig_is_valid(tok->args[0], &desc->signing_pubkey,
- encoded_desc, encoded_len)) {
- goto err;
- }
- return 0;
- err:
- return -1;
- }
- /* Decode the version 3 encrypted section of the given descriptor desc. The
- * desc_encrypted_out will be populated with the decoded data. Return 0 on
- * success else -1. */
- static int
- desc_decode_encrypted_v3(const hs_descriptor_t *desc,
- hs_desc_encrypted_data_t *desc_encrypted_out)
- {
- int result = -1;
- char *message = NULL;
- size_t message_len;
- memarea_t *area = NULL;
- directory_token_t *tok;
- smartlist_t *tokens = NULL;
- tor_assert(desc);
- tor_assert(desc_encrypted_out);
- /* Decrypt the superencrypted data that is located in the plaintext section
- * in the descriptor as a blob of bytes. */
- message_len = desc_decrypt_all(desc, &message);
- if (!message_len) {
- log_warn(LD_REND, "Service descriptor decryption failed.");
- goto err;
- }
- tor_assert(message);
- area = memarea_new();
- tokens = smartlist_new();
- if (tokenize_string(area, message, message + message_len,
- tokens, hs_desc_encrypted_v3_token_table, 0) < 0) {
- log_warn(LD_REND, "Encrypted service descriptor is not parseable.");
- goto err;
- }
- /* CREATE2 supported cell format. It's mandatory. */
- tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
- tor_assert(tok);
- decode_create2_list(desc_encrypted_out, tok->args[0]);
- /* Must support ntor according to the specification */
- if (!desc_encrypted_out->create2_ntor) {
- log_warn(LD_REND, "Service create2-formats does not include ntor.");
- goto err;
- }
- /* Authentication type. It's optional but only once. */
- tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
- if (tok) {
- if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
- log_warn(LD_REND, "Service descriptor authentication type has "
- "invalid entry(ies).");
- goto err;
- }
- }
- /* Is this service a single onion service? */
- tok = find_opt_by_keyword(tokens, R3_SINGLE_ONION_SERVICE);
- if (tok) {
- desc_encrypted_out->single_onion_service = 1;
- }
- /* Initialize the descriptor's introduction point list before we start
- * decoding. Having 0 intro point is valid. Then decode them all. */
- desc_encrypted_out->intro_points = smartlist_new();
- decode_intro_points(desc, desc_encrypted_out, message);
- /* Validation of maximum introduction points allowed. */
- if (smartlist_len(desc_encrypted_out->intro_points) >
- HS_CONFIG_V3_MAX_INTRO_POINTS) {
- log_warn(LD_REND, "Service descriptor contains too many introduction "
- "points. Maximum allowed is %d but we have %d",
- HS_CONFIG_V3_MAX_INTRO_POINTS,
- smartlist_len(desc_encrypted_out->intro_points));
- goto err;
- }
- /* NOTE: Unknown fields are allowed because this function could be used to
- * decode other descriptor version. */
- result = 0;
- goto done;
- err:
- tor_assert(result < 0);
- desc_encrypted_data_free_contents(desc_encrypted_out);
- done:
- if (tokens) {
- SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
- smartlist_free(tokens);
- }
- if (area) {
- memarea_drop_all(area);
- }
- if (message) {
- tor_free(message);
- }
- return result;
- }
- /* Table of encrypted decode function version specific. The function are
- * indexed by the version number so v3 callback is at index 3 in the array. */
- static int
- (*decode_encrypted_handlers[])(
- const hs_descriptor_t *desc,
- hs_desc_encrypted_data_t *desc_encrypted) =
- {
- /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
- desc_decode_encrypted_v3,
- };
- /* Decode the encrypted data section of the given descriptor and store the
- * data in the given encrypted data object. Return 0 on success else a
- * negative value on error. */
- int
- hs_desc_decode_encrypted(const hs_descriptor_t *desc,
- hs_desc_encrypted_data_t *desc_encrypted)
- {
- int ret;
- uint32_t version;
- tor_assert(desc);
- /* Ease our life a bit. */
- version = desc->plaintext_data.version;
- tor_assert(desc_encrypted);
- /* Calling this function without an encrypted blob to parse is a code flow
- * error. The plaintext parsing should never succeed in the first place
- * without an encrypted section. */
- tor_assert(desc->plaintext_data.superencrypted_blob);
- /* Let's make sure we have a supported version as well. By correctly parsing
- * the plaintext, this should not fail. */
- if (BUG(!hs_desc_is_supported_version(version))) {
- ret = -1;
- goto err;
- }
- /* Extra precaution. Having no handler for the supported version should
- * never happened else we forgot to add it but we bumped the version. */
- tor_assert(ARRAY_LENGTH(decode_encrypted_handlers) >= version);
- tor_assert(decode_encrypted_handlers[version]);
- /* Run the version specific plaintext decoder. */
- ret = decode_encrypted_handlers[version](desc, desc_encrypted);
- if (ret < 0) {
- goto err;
- }
- err:
- return ret;
- }
- /* Table of plaintext decode function version specific. The function are
- * indexed by the version number so v3 callback is at index 3 in the array. */
- static int
- (*decode_plaintext_handlers[])(
- smartlist_t *tokens,
- hs_desc_plaintext_data_t *desc,
- const char *encoded_desc,
- size_t encoded_len) =
- {
- /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
- desc_decode_plaintext_v3,
- };
- /* Fully decode the given descriptor plaintext and store the data in the
- * plaintext data object. Returns 0 on success else a negative value. */
- int
- hs_desc_decode_plaintext(const char *encoded,
- hs_desc_plaintext_data_t *plaintext)
- {
- int ok = 0, ret = -1;
- memarea_t *area = NULL;
- smartlist_t *tokens = NULL;
- size_t encoded_len;
- directory_token_t *tok;
- tor_assert(encoded);
- tor_assert(plaintext);
- /* Check that descriptor is within size limits. */
- encoded_len = strlen(encoded);
- if (encoded_len >= hs_cache_get_max_descriptor_size()) {
- log_warn(LD_REND, "Service descriptor is too big (%lu bytes)",
- (unsigned long) encoded_len);
- goto err;
- }
- area = memarea_new();
- tokens = smartlist_new();
- /* Tokenize the descriptor so we can start to parse it. */
- if (tokenize_string(area, encoded, encoded + encoded_len, tokens,
- hs_desc_v3_token_table, 0) < 0) {
- log_warn(LD_REND, "Service descriptor is not parseable");
- goto err;
- }
- /* Get the version of the descriptor which is the first mandatory field of
- * the descriptor. From there, we'll decode the right descriptor version. */
- tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
- tor_assert(tok->n_args == 1);
- plaintext->version = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
- UINT32_MAX, &ok, NULL);
- if (!ok) {
- log_warn(LD_REND, "Service descriptor has unparseable version %s",
- escaped(tok->args[0]));
- goto err;
- }
- if (!hs_desc_is_supported_version(plaintext->version)) {
- log_warn(LD_REND, "Service descriptor has unsupported version %" PRIu32,
- plaintext->version);
- goto err;
- }
- /* Extra precaution. Having no handler for the supported version should
- * never happened else we forgot to add it but we bumped the version. */
- tor_assert(ARRAY_LENGTH(decode_plaintext_handlers) >= plaintext->version);
- tor_assert(decode_plaintext_handlers[plaintext->version]);
- /* Run the version specific plaintext decoder. */
- ret = decode_plaintext_handlers[plaintext->version](tokens, plaintext,
- encoded, encoded_len);
- if (ret < 0) {
- goto err;
- }
- /* Success. Descriptor has been populated with the data. */
- ret = 0;
- err:
- if (tokens) {
- SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
- smartlist_free(tokens);
- }
- if (area) {
- memarea_drop_all(area);
- }
- return ret;
- }
- /* Fully decode an encoded descriptor and set a newly allocated descriptor
- * object in desc_out. Subcredentials are used if not NULL else it's ignored.
- *
- * Return 0 on success. A negative value is returned on error and desc_out is
- * set to NULL. */
- int
- hs_desc_decode_descriptor(const char *encoded,
- const uint8_t *subcredential,
- hs_descriptor_t **desc_out)
- {
- int ret = -1;
- hs_descriptor_t *desc;
- tor_assert(encoded);
- desc = tor_malloc_zero(sizeof(hs_descriptor_t));
- /* Subcredentials are optional. */
- if (BUG(!subcredential)) {
- log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!");
- goto err;
- }
- memcpy(desc->subcredential, subcredential, sizeof(desc->subcredential));
- ret = hs_desc_decode_plaintext(encoded, &desc->plaintext_data);
- if (ret < 0) {
- goto err;
- }
- ret = hs_desc_decode_encrypted(desc, &desc->encrypted_data);
- if (ret < 0) {
- goto err;
- }
- if (desc_out) {
- *desc_out = desc;
- } else {
- hs_descriptor_free(desc);
- }
- return ret;
- err:
- hs_descriptor_free(desc);
- if (desc_out) {
- *desc_out = NULL;
- }
- tor_assert(ret < 0);
- return ret;
- }
- /* Table of encode function version specific. The functions are indexed by the
- * version number so v3 callback is at index 3 in the array. */
- static int
- (*encode_handlers[])(
- const hs_descriptor_t *desc,
- const ed25519_keypair_t *signing_kp,
- char **encoded_out) =
- {
- /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
- desc_encode_v3,
- };
- /* Encode the given descriptor desc including signing with the given key pair
- * signing_kp. On success, encoded_out points to a newly allocated NUL
- * terminated string that contains the encoded descriptor as a string.
- *
- * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
- * returned and encoded_out is set to NULL. */
- MOCK_IMPL(int,
- hs_desc_encode_descriptor,(const hs_descriptor_t *desc,
- const ed25519_keypair_t *signing_kp,
- char **encoded_out))
- {
- int ret = -1;
- uint32_t version;
- tor_assert(desc);
- tor_assert(encoded_out);
- /* Make sure we support the version of the descriptor format. */
- version = desc->plaintext_data.version;
- if (!hs_desc_is_supported_version(version)) {
- goto err;
- }
- /* Extra precaution. Having no handler for the supported version should
- * never happened else we forgot to add it but we bumped the version. */
- tor_assert(ARRAY_LENGTH(encode_handlers) >= version);
- tor_assert(encode_handlers[version]);
- ret = encode_handlers[version](desc, signing_kp, encoded_out);
- if (ret < 0) {
- goto err;
- }
- /* Try to decode what we just encoded. Symmetry is nice! */
- ret = hs_desc_decode_descriptor(*encoded_out, desc->subcredential, NULL);
- if (BUG(ret < 0)) {
- goto err;
- }
- return 0;
- err:
- *encoded_out = NULL;
- return ret;
- }
- /* Free the descriptor plaintext data object. */
- void
- hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
- {
- desc_plaintext_data_free_contents(desc);
- tor_free(desc);
- }
- /* Free the descriptor encrypted data object. */
- void
- hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
- {
- desc_encrypted_data_free_contents(desc);
- tor_free(desc);
- }
- /* Free the given descriptor object. */
- void
- hs_descriptor_free_(hs_descriptor_t *desc)
- {
- if (!desc) {
- return;
- }
- desc_plaintext_data_free_contents(&desc->plaintext_data);
- desc_encrypted_data_free_contents(&desc->encrypted_data);
- tor_free(desc);
- }
- /* Return the size in bytes of the given plaintext data object. A sizeof() is
- * not enough because the object contains pointers and the encrypted blob.
- * This is particularly useful for our OOM subsystem that tracks the HSDir
- * cache size for instance. */
- size_t
- hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
- {
- tor_assert(data);
- return (sizeof(*data) + sizeof(*data->signing_key_cert) +
- data->superencrypted_blob_size);
- }
- /* Return the size in bytes of the given encrypted data object. Used by OOM
- * subsystem. */
- static size_t
- hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
- {
- tor_assert(data);
- size_t intro_size = 0;
- if (data->intro_auth_types) {
- intro_size +=
- smartlist_len(data->intro_auth_types) * sizeof(intro_auth_types);
- }
- if (data->intro_points) {
- /* XXX could follow pointers here and get more accurate size */
- intro_size +=
- smartlist_len(data->intro_points) * sizeof(hs_desc_intro_point_t);
- }
- return sizeof(*data) + intro_size;
- }
- /* Return the size in bytes of the given descriptor object. Used by OOM
- * subsystem. */
- size_t
- hs_desc_obj_size(const hs_descriptor_t *data)
- {
- tor_assert(data);
- return (hs_desc_plaintext_obj_size(&data->plaintext_data) +
- hs_desc_encrypted_obj_size(&data->encrypted_data) +
- sizeof(data->subcredential));
- }
- /* Return a newly allocated descriptor intro point. */
- hs_desc_intro_point_t *
- hs_desc_intro_point_new(void)
- {
- hs_desc_intro_point_t *ip = tor_malloc_zero(sizeof(*ip));
- ip->link_specifiers = smartlist_new();
- return ip;
- }
- /* Free a descriptor intro point object. */
- void
- hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
- {
- if (ip == NULL) {
- return;
- }
- if (ip->link_specifiers) {
- SMARTLIST_FOREACH(ip->link_specifiers, hs_desc_link_specifier_t *,
- ls, hs_desc_link_specifier_free(ls));
- smartlist_free(ip->link_specifiers);
- }
- tor_cert_free(ip->auth_key_cert);
- tor_cert_free(ip->enc_key_cert);
- crypto_pk_free(ip->legacy.key);
- tor_free(ip->legacy.cert.encoded);
- tor_free(ip);
- }
- /* Free the given descriptor link specifier. */
- void
- hs_desc_link_specifier_free_(hs_desc_link_specifier_t *ls)
- {
- if (ls == NULL) {
- return;
- }
- tor_free(ls);
- }
- /* Return a newly allocated descriptor link specifier using the given extend
- * info and requested type. Return NULL on error. */
- hs_desc_link_specifier_t *
- hs_desc_link_specifier_new(const extend_info_t *info, uint8_t type)
- {
- hs_desc_link_specifier_t *ls = NULL;
- tor_assert(info);
- ls = tor_malloc_zero(sizeof(*ls));
- ls->type = type;
- switch (ls->type) {
- case LS_IPV4:
- if (info->addr.family != AF_INET) {
- goto err;
- }
- tor_addr_copy(&ls->u.ap.addr, &info->addr);
- ls->u.ap.port = info->port;
- break;
- case LS_IPV6:
- if (info->addr.family != AF_INET6) {
- goto err;
- }
- tor_addr_copy(&ls->u.ap.addr, &info->addr);
- ls->u.ap.port = info->port;
- break;
- case LS_LEGACY_ID:
- /* Bug out if the identity digest is not set */
- if (BUG(tor_mem_is_zero(info->identity_digest,
- sizeof(info->identity_digest)))) {
- goto err;
- }
- memcpy(ls->u.legacy_id, info->identity_digest, sizeof(ls->u.legacy_id));
- break;
- case LS_ED25519_ID:
- /* ed25519 keys are optional for intro points */
- if (ed25519_public_key_is_zero(&info->ed_identity)) {
- goto err;
- }
- memcpy(ls->u.ed25519_id, info->ed_identity.pubkey,
- sizeof(ls->u.ed25519_id));
- break;
- default:
- /* Unknown type is code flow error. */
- tor_assert(0);
- }
- return ls;
- err:
- tor_free(ls);
- return NULL;
- }
- /* From the given descriptor, remove and free every introduction point. */
- void
- hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
- {
- smartlist_t *ips;
- tor_assert(desc);
- ips = desc->encrypted_data.intro_points;
- if (ips) {
- SMARTLIST_FOREACH(ips, hs_desc_intro_point_t *,
- ip, hs_desc_intro_point_free(ip));
- smartlist_clear(ips);
- }
- }
- /* From a descriptor link specifier object spec, returned a newly allocated
- * link specifier object that is the encoded representation of spec. Return
- * NULL on error. */
- link_specifier_t *
- hs_desc_lspec_to_trunnel(const hs_desc_link_specifier_t *spec)
- {
- tor_assert(spec);
- link_specifier_t *ls = link_specifier_new();
- link_specifier_set_ls_type(ls, spec->type);
- switch (spec->type) {
- case LS_IPV4:
- link_specifier_set_un_ipv4_addr(ls,
- tor_addr_to_ipv4h(&spec->u.ap.addr));
- link_specifier_set_un_ipv4_port(ls, spec->u.ap.port);
- /* Four bytes IPv4 and two bytes port. */
- link_specifier_set_ls_len(ls, sizeof(spec->u.ap.addr.addr.in_addr) +
- sizeof(spec->u.ap.port));
- break;
- case LS_IPV6:
- {
- size_t addr_len = link_specifier_getlen_un_ipv6_addr(ls);
- const uint8_t *in6_addr = tor_addr_to_in6_addr8(&spec->u.ap.addr);
- uint8_t *ipv6_array = link_specifier_getarray_un_ipv6_addr(ls);
- memcpy(ipv6_array, in6_addr, addr_len);
- link_specifier_set_un_ipv6_port(ls, spec->u.ap.port);
- /* Sixteen bytes IPv6 and two bytes port. */
- link_specifier_set_ls_len(ls, addr_len + sizeof(spec->u.ap.port));
- break;
- }
- case LS_LEGACY_ID:
- {
- size_t legacy_id_len = link_specifier_getlen_un_legacy_id(ls);
- uint8_t *legacy_id_array = link_specifier_getarray_un_legacy_id(ls);
- memcpy(legacy_id_array, spec->u.legacy_id, legacy_id_len);
- link_specifier_set_ls_len(ls, legacy_id_len);
- break;
- }
- case LS_ED25519_ID:
- {
- size_t ed25519_id_len = link_specifier_getlen_un_ed25519_id(ls);
- uint8_t *ed25519_id_array = link_specifier_getarray_un_ed25519_id(ls);
- memcpy(ed25519_id_array, spec->u.ed25519_id, ed25519_id_len);
- link_specifier_set_ls_len(ls, ed25519_id_len);
- break;
- }
- default:
- tor_assert_nonfatal_unreached();
- link_specifier_free(ls);
- ls = NULL;
- }
- return ls;
- }
|