hs_circuit.c 46 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271
  1. /* Copyright (c) 2017-2018, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file hs_circuit.c
  5. **/
  6. #define HS_CIRCUIT_PRIVATE
  7. #include "core/or/or.h"
  8. #include "app/config/config.h"
  9. #include "core/crypto/hs_ntor.h"
  10. #include "core/or/circuitbuild.h"
  11. #include "core/or/circuitlist.h"
  12. #include "core/or/circuituse.h"
  13. #include "core/or/policies.h"
  14. #include "core/or/relay.h"
  15. #include "feature/client/circpathbias.h"
  16. #include "feature/hs/hs_cell.h"
  17. #include "feature/hs/hs_circuit.h"
  18. #include "feature/hs/hs_circuitmap.h"
  19. #include "feature/hs/hs_ident.h"
  20. #include "feature/hs/hs_service.h"
  21. #include "feature/nodelist/describe.h"
  22. #include "feature/nodelist/nodelist.h"
  23. #include "feature/rend/rendservice.h"
  24. #include "feature/stats/rephist.h"
  25. #include "lib/crypt_ops/crypto_dh.h"
  26. #include "lib/crypt_ops/crypto_rand.h"
  27. #include "lib/crypt_ops/crypto_util.h"
  28. /* Trunnel. */
  29. #include "trunnel/ed25519_cert.h"
  30. #include "trunnel/hs/cell_common.h"
  31. #include "trunnel/hs/cell_establish_intro.h"
  32. #include "core/or/cpath_build_state_st.h"
  33. #include "core/or/crypt_path_st.h"
  34. #include "feature/nodelist/node_st.h"
  35. #include "core/or/origin_circuit_st.h"
  36. /* A circuit is about to become an e2e rendezvous circuit. Check
  37. * <b>circ_purpose</b> and ensure that it's properly set. Return true iff
  38. * circuit purpose is properly set, otherwise return false. */
  39. static int
  40. circuit_purpose_is_correct_for_rend(unsigned int circ_purpose,
  41. int is_service_side)
  42. {
  43. if (is_service_side) {
  44. if (circ_purpose != CIRCUIT_PURPOSE_S_CONNECT_REND) {
  45. log_warn(LD_BUG,
  46. "HS e2e circuit setup with wrong purpose (%d)", circ_purpose);
  47. return 0;
  48. }
  49. }
  50. if (!is_service_side) {
  51. if (circ_purpose != CIRCUIT_PURPOSE_C_REND_READY &&
  52. circ_purpose != CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED) {
  53. log_warn(LD_BUG,
  54. "Client e2e circuit setup with wrong purpose (%d)", circ_purpose);
  55. return 0;
  56. }
  57. }
  58. return 1;
  59. }
  60. /* Create and return a crypt path for the final hop of a v3 prop224 rendezvous
  61. * circuit. Initialize the crypt path crypto using the output material from the
  62. * ntor key exchange at <b>ntor_key_seed</b>.
  63. *
  64. * If <b>is_service_side</b> is set, we are the hidden service and the final
  65. * hop of the rendezvous circuit is the client on the other side. */
  66. static crypt_path_t *
  67. create_rend_cpath(const uint8_t *ntor_key_seed, size_t seed_len,
  68. int is_service_side)
  69. {
  70. uint8_t keys[HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN];
  71. crypt_path_t *cpath = NULL;
  72. /* Do the key expansion */
  73. if (hs_ntor_circuit_key_expansion(ntor_key_seed, seed_len,
  74. keys, sizeof(keys)) < 0) {
  75. goto err;
  76. }
  77. /* Setup the cpath */
  78. cpath = tor_malloc_zero(sizeof(crypt_path_t));
  79. cpath->magic = CRYPT_PATH_MAGIC;
  80. if (circuit_init_cpath_crypto(cpath, (char*)keys, sizeof(keys),
  81. is_service_side, 1) < 0) {
  82. tor_free(cpath);
  83. goto err;
  84. }
  85. err:
  86. memwipe(keys, 0, sizeof(keys));
  87. return cpath;
  88. }
  89. /* We are a v2 legacy HS client: Create and return a crypt path for the hidden
  90. * service on the other side of the rendezvous circuit <b>circ</b>. Initialize
  91. * the crypt path crypto using the body of the RENDEZVOUS1 cell at
  92. * <b>rend_cell_body</b> (which must be at least DH1024_KEY_LEN+DIGEST_LEN
  93. * bytes).
  94. */
  95. static crypt_path_t *
  96. create_rend_cpath_legacy(origin_circuit_t *circ, const uint8_t *rend_cell_body)
  97. {
  98. crypt_path_t *hop = NULL;
  99. char keys[DIGEST_LEN+CPATH_KEY_MATERIAL_LEN];
  100. /* first DH1024_KEY_LEN bytes are g^y from the service. Finish the dh
  101. * handshake...*/
  102. tor_assert(circ->build_state);
  103. tor_assert(circ->build_state->pending_final_cpath);
  104. hop = circ->build_state->pending_final_cpath;
  105. tor_assert(hop->rend_dh_handshake_state);
  106. if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, hop->rend_dh_handshake_state,
  107. (char*)rend_cell_body, DH1024_KEY_LEN,
  108. keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
  109. log_warn(LD_GENERAL, "Couldn't complete DH handshake.");
  110. goto err;
  111. }
  112. /* ... and set up cpath. */
  113. if (circuit_init_cpath_crypto(hop,
  114. keys+DIGEST_LEN, sizeof(keys)-DIGEST_LEN,
  115. 0, 0) < 0)
  116. goto err;
  117. /* Check whether the digest is right... */
  118. if (tor_memneq(keys, rend_cell_body+DH1024_KEY_LEN, DIGEST_LEN)) {
  119. log_warn(LD_PROTOCOL, "Incorrect digest of key material.");
  120. goto err;
  121. }
  122. /* clean up the crypto stuff we just made */
  123. crypto_dh_free(hop->rend_dh_handshake_state);
  124. hop->rend_dh_handshake_state = NULL;
  125. goto done;
  126. err:
  127. hop = NULL;
  128. done:
  129. memwipe(keys, 0, sizeof(keys));
  130. return hop;
  131. }
  132. /* Append the final <b>hop</b> to the cpath of the rend <b>circ</b>, and mark
  133. * <b>circ</b> ready for use to transfer HS relay cells. */
  134. static void
  135. finalize_rend_circuit(origin_circuit_t *circ, crypt_path_t *hop,
  136. int is_service_side)
  137. {
  138. tor_assert(circ);
  139. tor_assert(hop);
  140. /* Notify the circuit state machine that we are splicing this circuit */
  141. int new_circ_purpose = is_service_side ?
  142. CIRCUIT_PURPOSE_S_REND_JOINED : CIRCUIT_PURPOSE_C_REND_JOINED;
  143. circuit_change_purpose(TO_CIRCUIT(circ), new_circ_purpose);
  144. /* All is well. Extend the circuit. */
  145. hop->state = CPATH_STATE_OPEN;
  146. /* Set the windows to default. */
  147. hop->package_window = circuit_initial_package_window();
  148. hop->deliver_window = CIRCWINDOW_START;
  149. /* Now that this circuit has finished connecting to its destination,
  150. * make sure circuit_get_open_circ_or_launch is willing to return it
  151. * so we can actually use it. */
  152. circ->hs_circ_has_timed_out = 0;
  153. /* Append the hop to the cpath of this circuit */
  154. onion_append_to_cpath(&circ->cpath, hop);
  155. /* In legacy code, 'pending_final_cpath' points to the final hop we just
  156. * appended to the cpath. We set the original pointer to NULL so that we
  157. * don't double free it. */
  158. if (circ->build_state) {
  159. circ->build_state->pending_final_cpath = NULL;
  160. }
  161. /* Finally, mark circuit as ready to be used for client streams */
  162. if (!is_service_side) {
  163. circuit_try_attaching_streams(circ);
  164. }
  165. }
  166. /* For a given circuit and a service introduction point object, register the
  167. * intro circuit to the circuitmap. This supports legacy intro point. */
  168. static void
  169. register_intro_circ(const hs_service_intro_point_t *ip,
  170. origin_circuit_t *circ)
  171. {
  172. tor_assert(ip);
  173. tor_assert(circ);
  174. if (ip->base.is_only_legacy) {
  175. hs_circuitmap_register_intro_circ_v2_service_side(circ,
  176. ip->legacy_key_digest);
  177. } else {
  178. hs_circuitmap_register_intro_circ_v3_service_side(circ,
  179. &ip->auth_key_kp.pubkey);
  180. }
  181. }
  182. /* Return the number of opened introduction circuit for the given circuit that
  183. * is matching its identity key. */
  184. static unsigned int
  185. count_opened_desc_intro_point_circuits(const hs_service_t *service,
  186. const hs_service_descriptor_t *desc)
  187. {
  188. unsigned int count = 0;
  189. tor_assert(service);
  190. tor_assert(desc);
  191. DIGEST256MAP_FOREACH(desc->intro_points.map, key,
  192. const hs_service_intro_point_t *, ip) {
  193. const circuit_t *circ;
  194. const origin_circuit_t *ocirc = hs_circ_service_get_intro_circ(ip);
  195. if (ocirc == NULL) {
  196. continue;
  197. }
  198. circ = TO_CIRCUIT(ocirc);
  199. tor_assert(circ->purpose == CIRCUIT_PURPOSE_S_ESTABLISH_INTRO ||
  200. circ->purpose == CIRCUIT_PURPOSE_S_INTRO);
  201. /* Having a circuit not for the requested service is really bad. */
  202. tor_assert(ed25519_pubkey_eq(&service->keys.identity_pk,
  203. &ocirc->hs_ident->identity_pk));
  204. /* Only count opened circuit and skip circuit that will be closed. */
  205. if (!circ->marked_for_close && circ->state == CIRCUIT_STATE_OPEN) {
  206. count++;
  207. }
  208. } DIGEST256MAP_FOREACH_END;
  209. return count;
  210. }
  211. /* From a given service, rendezvous cookie and handshake info, create a
  212. * rendezvous point circuit identifier. This can't fail. */
  213. STATIC hs_ident_circuit_t *
  214. create_rp_circuit_identifier(const hs_service_t *service,
  215. const uint8_t *rendezvous_cookie,
  216. const curve25519_public_key_t *server_pk,
  217. const hs_ntor_rend_cell_keys_t *keys)
  218. {
  219. hs_ident_circuit_t *ident;
  220. uint8_t handshake_info[CURVE25519_PUBKEY_LEN + DIGEST256_LEN];
  221. tor_assert(service);
  222. tor_assert(rendezvous_cookie);
  223. tor_assert(server_pk);
  224. tor_assert(keys);
  225. ident = hs_ident_circuit_new(&service->keys.identity_pk,
  226. HS_IDENT_CIRCUIT_RENDEZVOUS);
  227. /* Copy the RENDEZVOUS_COOKIE which is the unique identifier. */
  228. memcpy(ident->rendezvous_cookie, rendezvous_cookie,
  229. sizeof(ident->rendezvous_cookie));
  230. /* Build the HANDSHAKE_INFO which looks like this:
  231. * SERVER_PK [32 bytes]
  232. * AUTH_INPUT_MAC [32 bytes]
  233. */
  234. memcpy(handshake_info, server_pk->public_key, CURVE25519_PUBKEY_LEN);
  235. memcpy(handshake_info + CURVE25519_PUBKEY_LEN, keys->rend_cell_auth_mac,
  236. DIGEST256_LEN);
  237. tor_assert(sizeof(ident->rendezvous_handshake_info) ==
  238. sizeof(handshake_info));
  239. memcpy(ident->rendezvous_handshake_info, handshake_info,
  240. sizeof(ident->rendezvous_handshake_info));
  241. /* Finally copy the NTOR_KEY_SEED for e2e encryption on the circuit. */
  242. tor_assert(sizeof(ident->rendezvous_ntor_key_seed) ==
  243. sizeof(keys->ntor_key_seed));
  244. memcpy(ident->rendezvous_ntor_key_seed, keys->ntor_key_seed,
  245. sizeof(ident->rendezvous_ntor_key_seed));
  246. return ident;
  247. }
  248. /* From a given service and service intro point, create an introduction point
  249. * circuit identifier. This can't fail. */
  250. static hs_ident_circuit_t *
  251. create_intro_circuit_identifier(const hs_service_t *service,
  252. const hs_service_intro_point_t *ip)
  253. {
  254. hs_ident_circuit_t *ident;
  255. tor_assert(service);
  256. tor_assert(ip);
  257. ident = hs_ident_circuit_new(&service->keys.identity_pk,
  258. HS_IDENT_CIRCUIT_INTRO);
  259. ed25519_pubkey_copy(&ident->intro_auth_pk, &ip->auth_key_kp.pubkey);
  260. return ident;
  261. }
  262. /* For a given introduction point and an introduction circuit, send the
  263. * ESTABLISH_INTRO cell. The service object is used for logging. This can fail
  264. * and if so, the circuit is closed and the intro point object is flagged
  265. * that the circuit is not established anymore which is important for the
  266. * retry mechanism. */
  267. static void
  268. send_establish_intro(const hs_service_t *service,
  269. hs_service_intro_point_t *ip, origin_circuit_t *circ)
  270. {
  271. ssize_t cell_len;
  272. uint8_t payload[RELAY_PAYLOAD_SIZE];
  273. tor_assert(service);
  274. tor_assert(ip);
  275. tor_assert(circ);
  276. /* Encode establish intro cell. */
  277. cell_len = hs_cell_build_establish_intro(circ->cpath->prev->rend_circ_nonce,
  278. ip, payload);
  279. if (cell_len < 0) {
  280. log_warn(LD_REND, "Unable to encode ESTABLISH_INTRO cell for service %s "
  281. "on circuit %u. Closing circuit.",
  282. safe_str_client(service->onion_address),
  283. TO_CIRCUIT(circ)->n_circ_id);
  284. goto err;
  285. }
  286. /* Send the cell on the circuit. */
  287. if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
  288. RELAY_COMMAND_ESTABLISH_INTRO,
  289. (char *) payload, cell_len,
  290. circ->cpath->prev) < 0) {
  291. log_info(LD_REND, "Unable to send ESTABLISH_INTRO cell for service %s "
  292. "on circuit %u.",
  293. safe_str_client(service->onion_address),
  294. TO_CIRCUIT(circ)->n_circ_id);
  295. /* On error, the circuit has been closed. */
  296. goto done;
  297. }
  298. /* Record the attempt to use this circuit. */
  299. pathbias_count_use_attempt(circ);
  300. goto done;
  301. err:
  302. circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
  303. done:
  304. memwipe(payload, 0, sizeof(payload));
  305. }
  306. /* Return a string constant describing the anonymity of service. */
  307. static const char *
  308. get_service_anonymity_string(const hs_service_t *service)
  309. {
  310. if (service->config.is_single_onion) {
  311. return "single onion";
  312. } else {
  313. return "hidden";
  314. }
  315. }
  316. /* For a given service, the ntor onion key and a rendezvous cookie, launch a
  317. * circuit to the rendezvous point specified by the link specifiers. On
  318. * success, a circuit identifier is attached to the circuit with the needed
  319. * data. This function will try to open a circuit for a maximum value of
  320. * MAX_REND_FAILURES then it will give up. */
  321. static void
  322. launch_rendezvous_point_circuit(const hs_service_t *service,
  323. const hs_service_intro_point_t *ip,
  324. const hs_cell_introduce2_data_t *data)
  325. {
  326. int circ_needs_uptime;
  327. time_t now = time(NULL);
  328. extend_info_t *info = NULL;
  329. origin_circuit_t *circ;
  330. tor_assert(service);
  331. tor_assert(ip);
  332. tor_assert(data);
  333. circ_needs_uptime = hs_service_requires_uptime_circ(service->config.ports);
  334. /* Get the extend info data structure for the chosen rendezvous point
  335. * specified by the given link specifiers. */
  336. info = hs_get_extend_info_from_lspecs(data->link_specifiers,
  337. &data->onion_pk,
  338. service->config.is_single_onion);
  339. if (info == NULL) {
  340. /* We are done here, we can't extend to the rendezvous point.
  341. * If you're running an IPv6-only v3 single onion service on 0.3.2 or with
  342. * 0.3.2 clients, and somehow disable the option check, it will fail here.
  343. */
  344. log_fn(LOG_PROTOCOL_WARN, LD_REND,
  345. "Not enough info to open a circuit to a rendezvous point for "
  346. "%s service %s.",
  347. get_service_anonymity_string(service),
  348. safe_str_client(service->onion_address));
  349. goto end;
  350. }
  351. for (int i = 0; i < MAX_REND_FAILURES; i++) {
  352. int circ_flags = CIRCLAUNCH_NEED_CAPACITY | CIRCLAUNCH_IS_INTERNAL;
  353. if (circ_needs_uptime) {
  354. circ_flags |= CIRCLAUNCH_NEED_UPTIME;
  355. }
  356. /* Firewall and policies are checked when getting the extend info. */
  357. if (service->config.is_single_onion) {
  358. circ_flags |= CIRCLAUNCH_ONEHOP_TUNNEL;
  359. }
  360. circ = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_CONNECT_REND, info,
  361. circ_flags);
  362. if (circ != NULL) {
  363. /* Stop retrying, we have a circuit! */
  364. break;
  365. }
  366. }
  367. if (circ == NULL) {
  368. log_warn(LD_REND, "Giving up on launching a rendezvous circuit to %s "
  369. "for %s service %s",
  370. safe_str_client(extend_info_describe(info)),
  371. get_service_anonymity_string(service),
  372. safe_str_client(service->onion_address));
  373. goto end;
  374. }
  375. log_info(LD_REND, "Rendezvous circuit launched to %s with cookie %s "
  376. "for %s service %s",
  377. safe_str_client(extend_info_describe(info)),
  378. safe_str_client(hex_str((const char *) data->rendezvous_cookie,
  379. REND_COOKIE_LEN)),
  380. get_service_anonymity_string(service),
  381. safe_str_client(service->onion_address));
  382. tor_assert(circ->build_state);
  383. /* Rendezvous circuit have a specific timeout for the time spent on trying
  384. * to connect to the rendezvous point. */
  385. circ->build_state->expiry_time = now + MAX_REND_TIMEOUT;
  386. /* Create circuit identifier and key material. */
  387. {
  388. hs_ntor_rend_cell_keys_t keys;
  389. curve25519_keypair_t ephemeral_kp;
  390. /* No need for extra strong, this is only for this circuit life time. This
  391. * key will be used for the RENDEZVOUS1 cell that will be sent on the
  392. * circuit once opened. */
  393. curve25519_keypair_generate(&ephemeral_kp, 0);
  394. if (hs_ntor_service_get_rendezvous1_keys(&ip->auth_key_kp.pubkey,
  395. &ip->enc_key_kp,
  396. &ephemeral_kp, &data->client_pk,
  397. &keys) < 0) {
  398. /* This should not really happened but just in case, don't make tor
  399. * freak out, close the circuit and move on. */
  400. log_info(LD_REND, "Unable to get RENDEZVOUS1 key material for "
  401. "service %s",
  402. safe_str_client(service->onion_address));
  403. circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
  404. goto end;
  405. }
  406. circ->hs_ident = create_rp_circuit_identifier(service,
  407. data->rendezvous_cookie,
  408. &ephemeral_kp.pubkey, &keys);
  409. memwipe(&ephemeral_kp, 0, sizeof(ephemeral_kp));
  410. memwipe(&keys, 0, sizeof(keys));
  411. tor_assert(circ->hs_ident);
  412. }
  413. end:
  414. extend_info_free(info);
  415. }
  416. /* Return true iff the given service rendezvous circuit circ is allowed for a
  417. * relaunch to the rendezvous point. */
  418. static int
  419. can_relaunch_service_rendezvous_point(const origin_circuit_t *circ)
  420. {
  421. tor_assert(circ);
  422. /* This is initialized when allocating an origin circuit. */
  423. tor_assert(circ->build_state);
  424. tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_CONNECT_REND);
  425. /* XXX: Retrying under certain condition. This is related to #22455. */
  426. /* Avoid to relaunch twice a circuit to the same rendezvous point at the
  427. * same time. */
  428. if (circ->hs_service_side_rend_circ_has_been_relaunched) {
  429. log_info(LD_REND, "Rendezvous circuit to %s has already been retried. "
  430. "Skipping retry.",
  431. safe_str_client(
  432. extend_info_describe(circ->build_state->chosen_exit)));
  433. goto disallow;
  434. }
  435. /* We check failure_count >= hs_get_service_max_rend_failures()-1 below, and
  436. * the -1 is because we increment the failure count for our current failure
  437. * *after* this clause. */
  438. int max_rend_failures = hs_get_service_max_rend_failures() - 1;
  439. /* A failure count that has reached maximum allowed or circuit that expired,
  440. * we skip relaunching. */
  441. if (circ->build_state->failure_count > max_rend_failures ||
  442. circ->build_state->expiry_time <= time(NULL)) {
  443. log_info(LD_REND, "Attempt to build a rendezvous circuit to %s has "
  444. "failed with %d attempts and expiry time %ld. "
  445. "Giving up building.",
  446. safe_str_client(
  447. extend_info_describe(circ->build_state->chosen_exit)),
  448. circ->build_state->failure_count,
  449. (long int) circ->build_state->expiry_time);
  450. goto disallow;
  451. }
  452. /* Allowed to relaunch. */
  453. return 1;
  454. disallow:
  455. return 0;
  456. }
  457. /* Retry the rendezvous point of circ by launching a new circuit to it. */
  458. static void
  459. retry_service_rendezvous_point(const origin_circuit_t *circ)
  460. {
  461. int flags = 0;
  462. origin_circuit_t *new_circ;
  463. cpath_build_state_t *bstate;
  464. tor_assert(circ);
  465. /* This is initialized when allocating an origin circuit. */
  466. tor_assert(circ->build_state);
  467. tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_CONNECT_REND);
  468. /* Ease our life. */
  469. bstate = circ->build_state;
  470. log_info(LD_REND, "Retrying rendezvous point circuit to %s",
  471. safe_str_client(extend_info_describe(bstate->chosen_exit)));
  472. /* Get the current build state flags for the next circuit. */
  473. flags |= (bstate->need_uptime) ? CIRCLAUNCH_NEED_UPTIME : 0;
  474. flags |= (bstate->need_capacity) ? CIRCLAUNCH_NEED_CAPACITY : 0;
  475. flags |= (bstate->is_internal) ? CIRCLAUNCH_IS_INTERNAL : 0;
  476. /* We do NOT add the onehop tunnel flag even though it might be a single
  477. * onion service. The reason is that if we failed once to connect to the RP
  478. * with a direct connection, we consider that chances are that we will fail
  479. * again so try a 3-hop circuit and hope for the best. Because the service
  480. * has no anonymity (single onion), this change of behavior won't affect
  481. * security directly. */
  482. new_circ = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_CONNECT_REND,
  483. bstate->chosen_exit, flags);
  484. if (new_circ == NULL) {
  485. log_warn(LD_REND, "Failed to launch rendezvous circuit to %s",
  486. safe_str_client(extend_info_describe(bstate->chosen_exit)));
  487. goto done;
  488. }
  489. /* Transfer build state information to the new circuit state in part to
  490. * catch any other failures. */
  491. new_circ->build_state->failure_count = bstate->failure_count+1;
  492. new_circ->build_state->expiry_time = bstate->expiry_time;
  493. new_circ->hs_ident = hs_ident_circuit_dup(circ->hs_ident);
  494. done:
  495. return;
  496. }
  497. /* Add all possible link specifiers in node to lspecs:
  498. * - legacy ID is mandatory thus MUST be present in node;
  499. * - include ed25519 link specifier if present in the node, and the node
  500. * supports ed25519 link authentication, even if its link versions are not
  501. * compatible with us;
  502. * - include IPv4 link specifier, if the primary address is not IPv4, log a
  503. * BUG() warning, and return an empty smartlist;
  504. * - include IPv6 link specifier if present in the node. */
  505. static void
  506. get_lspecs_from_node(const node_t *node, smartlist_t *lspecs)
  507. {
  508. link_specifier_t *ls;
  509. tor_addr_port_t ap;
  510. tor_assert(node);
  511. tor_assert(lspecs);
  512. /* Get the relay's IPv4 address. */
  513. node_get_prim_orport(node, &ap);
  514. /* We expect the node's primary address to be a valid IPv4 address.
  515. * This conforms to the protocol, which requires either an IPv4 or IPv6
  516. * address (or both). */
  517. if (BUG(!tor_addr_is_v4(&ap.addr)) ||
  518. BUG(!tor_addr_port_is_valid_ap(&ap, 0))) {
  519. return;
  520. }
  521. ls = link_specifier_new();
  522. link_specifier_set_ls_type(ls, LS_IPV4);
  523. link_specifier_set_un_ipv4_addr(ls, tor_addr_to_ipv4h(&ap.addr));
  524. link_specifier_set_un_ipv4_port(ls, ap.port);
  525. /* Four bytes IPv4 and two bytes port. */
  526. link_specifier_set_ls_len(ls, sizeof(ap.addr.addr.in_addr) +
  527. sizeof(ap.port));
  528. smartlist_add(lspecs, ls);
  529. /* Legacy ID is mandatory and will always be present in node. */
  530. ls = link_specifier_new();
  531. link_specifier_set_ls_type(ls, LS_LEGACY_ID);
  532. memcpy(link_specifier_getarray_un_legacy_id(ls), node->identity,
  533. link_specifier_getlen_un_legacy_id(ls));
  534. link_specifier_set_ls_len(ls, link_specifier_getlen_un_legacy_id(ls));
  535. smartlist_add(lspecs, ls);
  536. /* ed25519 ID is only included if the node has it, and the node declares a
  537. protocol version that supports ed25519 link authentication, even if that
  538. link version is not compatible with us. (We are sending the ed25519 key
  539. to another tor, which may support different link versions.) */
  540. if (!ed25519_public_key_is_zero(&node->ed25519_id) &&
  541. node_supports_ed25519_link_authentication(node, 0)) {
  542. ls = link_specifier_new();
  543. link_specifier_set_ls_type(ls, LS_ED25519_ID);
  544. memcpy(link_specifier_getarray_un_ed25519_id(ls), &node->ed25519_id,
  545. link_specifier_getlen_un_ed25519_id(ls));
  546. link_specifier_set_ls_len(ls, link_specifier_getlen_un_ed25519_id(ls));
  547. smartlist_add(lspecs, ls);
  548. }
  549. /* Check for IPv6. If so, include it as well. */
  550. if (node_has_ipv6_orport(node)) {
  551. ls = link_specifier_new();
  552. node_get_pref_ipv6_orport(node, &ap);
  553. link_specifier_set_ls_type(ls, LS_IPV6);
  554. size_t addr_len = link_specifier_getlen_un_ipv6_addr(ls);
  555. const uint8_t *in6_addr = tor_addr_to_in6_addr8(&ap.addr);
  556. uint8_t *ipv6_array = link_specifier_getarray_un_ipv6_addr(ls);
  557. memcpy(ipv6_array, in6_addr, addr_len);
  558. link_specifier_set_un_ipv6_port(ls, ap.port);
  559. /* Sixteen bytes IPv6 and two bytes port. */
  560. link_specifier_set_ls_len(ls, addr_len + sizeof(ap.port));
  561. smartlist_add(lspecs, ls);
  562. }
  563. }
  564. /* Using the given descriptor intro point ip, the node of the
  565. * rendezvous point rp_node and the service's subcredential, populate the
  566. * already allocated intro1_data object with the needed key material and link
  567. * specifiers.
  568. *
  569. * Return 0 on success or a negative value if we couldn't properly filled the
  570. * introduce1 data from the RP node. In other word, it means the RP node is
  571. * unusable to use in the introduction. */
  572. static int
  573. setup_introduce1_data(const hs_desc_intro_point_t *ip,
  574. const node_t *rp_node,
  575. const uint8_t *subcredential,
  576. hs_cell_introduce1_data_t *intro1_data)
  577. {
  578. int ret = -1;
  579. smartlist_t *rp_lspecs;
  580. tor_assert(ip);
  581. tor_assert(rp_node);
  582. tor_assert(subcredential);
  583. tor_assert(intro1_data);
  584. /* Build the link specifiers from the extend information of the rendezvous
  585. * circuit that we've picked previously. */
  586. rp_lspecs = smartlist_new();
  587. get_lspecs_from_node(rp_node, rp_lspecs);
  588. if (smartlist_len(rp_lspecs) == 0) {
  589. /* We can't rendezvous without link specifiers. */
  590. smartlist_free(rp_lspecs);
  591. goto end;
  592. }
  593. /* Populate the introduce1 data object. */
  594. memset(intro1_data, 0, sizeof(hs_cell_introduce1_data_t));
  595. if (ip->legacy.key != NULL) {
  596. intro1_data->is_legacy = 1;
  597. intro1_data->legacy_key = ip->legacy.key;
  598. }
  599. intro1_data->auth_pk = &ip->auth_key_cert->signed_key;
  600. intro1_data->enc_pk = &ip->enc_key;
  601. intro1_data->subcredential = subcredential;
  602. intro1_data->link_specifiers = rp_lspecs;
  603. intro1_data->onion_pk = node_get_curve25519_onion_key(rp_node);
  604. if (intro1_data->onion_pk == NULL) {
  605. /* We can't rendezvous without the curve25519 onion key. */
  606. goto end;
  607. }
  608. /* Success, we have valid introduce data. */
  609. ret = 0;
  610. end:
  611. return ret;
  612. }
  613. /* ========== */
  614. /* Public API */
  615. /* ========== */
  616. /* Return an introduction point circuit matching the given intro point object.
  617. * NULL is returned is no such circuit can be found. */
  618. origin_circuit_t *
  619. hs_circ_service_get_intro_circ(const hs_service_intro_point_t *ip)
  620. {
  621. tor_assert(ip);
  622. if (ip->base.is_only_legacy) {
  623. return hs_circuitmap_get_intro_circ_v2_service_side(ip->legacy_key_digest);
  624. } else {
  625. return hs_circuitmap_get_intro_circ_v3_service_side(
  626. &ip->auth_key_kp.pubkey);
  627. }
  628. }
  629. /* Called when we fail building a rendezvous circuit at some point other than
  630. * the last hop: launches a new circuit to the same rendezvous point. This
  631. * supports legacy service.
  632. *
  633. * We currently relaunch connections to rendezvous points if:
  634. * - A rendezvous circuit timed out before connecting to RP.
  635. * - The rendezvous circuit failed to connect to the RP.
  636. *
  637. * We avoid relaunching a connection to this rendezvous point if:
  638. * - We have already tried MAX_REND_FAILURES times to connect to this RP,
  639. * - We've been trying to connect to this RP for more than MAX_REND_TIMEOUT
  640. * seconds, or
  641. * - We've already retried this specific rendezvous circuit.
  642. */
  643. void
  644. hs_circ_retry_service_rendezvous_point(origin_circuit_t *circ)
  645. {
  646. tor_assert(circ);
  647. tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_CONNECT_REND);
  648. /* Check if we are allowed to relaunch to the rendezvous point of circ. */
  649. if (!can_relaunch_service_rendezvous_point(circ)) {
  650. goto done;
  651. }
  652. /* Flag the circuit that we are relaunching, to avoid to relaunch twice a
  653. * circuit to the same rendezvous point at the same time. */
  654. circ->hs_service_side_rend_circ_has_been_relaunched = 1;
  655. /* Legacy services don't have a hidden service ident. */
  656. if (circ->hs_ident) {
  657. retry_service_rendezvous_point(circ);
  658. } else {
  659. rend_service_relaunch_rendezvous(circ);
  660. }
  661. done:
  662. return;
  663. }
  664. /* For a given service and a service intro point, launch a circuit to the
  665. * extend info ei. If the service is a single onion, a one-hop circuit will be
  666. * requested. Return 0 if the circuit was successfully launched and tagged
  667. * with the correct identifier. On error, a negative value is returned. */
  668. int
  669. hs_circ_launch_intro_point(hs_service_t *service,
  670. const hs_service_intro_point_t *ip,
  671. extend_info_t *ei)
  672. {
  673. /* Standard flags for introduction circuit. */
  674. int ret = -1, circ_flags = CIRCLAUNCH_NEED_UPTIME | CIRCLAUNCH_IS_INTERNAL;
  675. origin_circuit_t *circ;
  676. tor_assert(service);
  677. tor_assert(ip);
  678. tor_assert(ei);
  679. /* Update circuit flags in case of a single onion service that requires a
  680. * direct connection. */
  681. if (service->config.is_single_onion) {
  682. circ_flags |= CIRCLAUNCH_ONEHOP_TUNNEL;
  683. }
  684. log_info(LD_REND, "Launching a circuit to intro point %s for service %s.",
  685. safe_str_client(extend_info_describe(ei)),
  686. safe_str_client(service->onion_address));
  687. /* Note down the launch for the retry period. Even if the circuit fails to
  688. * be launched, we still want to respect the retry period to avoid stress on
  689. * the circuit subsystem. */
  690. service->state.num_intro_circ_launched++;
  691. circ = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_ESTABLISH_INTRO,
  692. ei, circ_flags);
  693. if (circ == NULL) {
  694. goto end;
  695. }
  696. /* Setup the circuit identifier and attach it to it. */
  697. circ->hs_ident = create_intro_circuit_identifier(service, ip);
  698. tor_assert(circ->hs_ident);
  699. /* Register circuit in the global circuitmap. */
  700. register_intro_circ(ip, circ);
  701. /* Success. */
  702. ret = 0;
  703. end:
  704. return ret;
  705. }
  706. /* Called when a service introduction point circuit is done building. Given
  707. * the service and intro point object, this function will send the
  708. * ESTABLISH_INTRO cell on the circuit. Return 0 on success. Return 1 if the
  709. * circuit has been repurposed to General because we already have too many
  710. * opened. */
  711. int
  712. hs_circ_service_intro_has_opened(hs_service_t *service,
  713. hs_service_intro_point_t *ip,
  714. const hs_service_descriptor_t *desc,
  715. origin_circuit_t *circ)
  716. {
  717. int ret = 0;
  718. unsigned int num_intro_circ, num_needed_circ;
  719. tor_assert(service);
  720. tor_assert(ip);
  721. tor_assert(desc);
  722. tor_assert(circ);
  723. /* Cound opened circuits that have sent ESTABLISH_INTRO cells or are already
  724. * established introduction circuits */
  725. num_intro_circ = count_opened_desc_intro_point_circuits(service, desc);
  726. num_needed_circ = service->config.num_intro_points;
  727. if (num_intro_circ > num_needed_circ) {
  728. /* There are too many opened valid intro circuit for what the service
  729. * needs so repurpose this one. */
  730. /* XXX: Legacy code checks options->ExcludeNodes and if not NULL it just
  731. * closes the circuit. I have NO idea why it does that so it hasn't been
  732. * added here. I can only assume in case our ExcludeNodes list changes but
  733. * in that case, all circuit are flagged unusable (config.c). --dgoulet */
  734. log_info(LD_CIRC | LD_REND, "Introduction circuit just opened but we "
  735. "have enough for service %s. Repurposing "
  736. "it to general and leaving internal.",
  737. safe_str_client(service->onion_address));
  738. tor_assert(circ->build_state->is_internal);
  739. /* Remove it from the circuitmap. */
  740. hs_circuitmap_remove_circuit(TO_CIRCUIT(circ));
  741. /* Cleaning up the hidden service identifier and repurpose. */
  742. hs_ident_circuit_free(circ->hs_ident);
  743. circ->hs_ident = NULL;
  744. if (circuit_should_use_vanguards(TO_CIRCUIT(circ)->purpose))
  745. circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_HS_VANGUARDS);
  746. else
  747. circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_C_GENERAL);
  748. /* Inform that this circuit just opened for this new purpose. */
  749. circuit_has_opened(circ);
  750. /* This return value indicate to the caller that the IP object should be
  751. * removed from the service because it's corresponding circuit has just
  752. * been repurposed. */
  753. ret = 1;
  754. goto done;
  755. }
  756. log_info(LD_REND, "Introduction circuit %u established for service %s.",
  757. TO_CIRCUIT(circ)->n_circ_id,
  758. safe_str_client(service->onion_address));
  759. circuit_log_path(LOG_INFO, LD_REND, circ);
  760. /* Time to send an ESTABLISH_INTRO cell on this circuit. On error, this call
  761. * makes sure the circuit gets closed. */
  762. send_establish_intro(service, ip, circ);
  763. done:
  764. return ret;
  765. }
  766. /* Called when a service rendezvous point circuit is done building. Given the
  767. * service and the circuit, this function will send a RENDEZVOUS1 cell on the
  768. * circuit using the information in the circuit identifier. If the cell can't
  769. * be sent, the circuit is closed. */
  770. void
  771. hs_circ_service_rp_has_opened(const hs_service_t *service,
  772. origin_circuit_t *circ)
  773. {
  774. size_t payload_len;
  775. uint8_t payload[RELAY_PAYLOAD_SIZE] = {0};
  776. tor_assert(service);
  777. tor_assert(circ);
  778. tor_assert(circ->hs_ident);
  779. /* Some useful logging. */
  780. log_info(LD_REND, "Rendezvous circuit %u has opened with cookie %s "
  781. "for service %s",
  782. TO_CIRCUIT(circ)->n_circ_id,
  783. hex_str((const char *) circ->hs_ident->rendezvous_cookie,
  784. REND_COOKIE_LEN),
  785. safe_str_client(service->onion_address));
  786. circuit_log_path(LOG_INFO, LD_REND, circ);
  787. /* This can't fail. */
  788. payload_len = hs_cell_build_rendezvous1(
  789. circ->hs_ident->rendezvous_cookie,
  790. sizeof(circ->hs_ident->rendezvous_cookie),
  791. circ->hs_ident->rendezvous_handshake_info,
  792. sizeof(circ->hs_ident->rendezvous_handshake_info),
  793. payload);
  794. /* Pad the payload with random bytes so it matches the size of a legacy cell
  795. * which is normally always bigger. Also, the size of a legacy cell is
  796. * always smaller than the RELAY_PAYLOAD_SIZE so this is safe. */
  797. if (payload_len < HS_LEGACY_RENDEZVOUS_CELL_SIZE) {
  798. crypto_rand((char *) payload + payload_len,
  799. HS_LEGACY_RENDEZVOUS_CELL_SIZE - payload_len);
  800. payload_len = HS_LEGACY_RENDEZVOUS_CELL_SIZE;
  801. }
  802. if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
  803. RELAY_COMMAND_RENDEZVOUS1,
  804. (const char *) payload, payload_len,
  805. circ->cpath->prev) < 0) {
  806. /* On error, circuit is closed. */
  807. log_warn(LD_REND, "Unable to send RENDEZVOUS1 cell on circuit %u "
  808. "for service %s",
  809. TO_CIRCUIT(circ)->n_circ_id,
  810. safe_str_client(service->onion_address));
  811. goto done;
  812. }
  813. /* Setup end-to-end rendezvous circuit between the client and us. */
  814. if (hs_circuit_setup_e2e_rend_circ(circ,
  815. circ->hs_ident->rendezvous_ntor_key_seed,
  816. sizeof(circ->hs_ident->rendezvous_ntor_key_seed),
  817. 1) < 0) {
  818. log_warn(LD_GENERAL, "Failed to setup circ");
  819. goto done;
  820. }
  821. done:
  822. memwipe(payload, 0, sizeof(payload));
  823. }
  824. /* Circ has been expecting an INTRO_ESTABLISHED cell that just arrived. Handle
  825. * the INTRO_ESTABLISHED cell payload of length payload_len arriving on the
  826. * given introduction circuit circ. The service is only used for logging
  827. * purposes. Return 0 on success else a negative value. */
  828. int
  829. hs_circ_handle_intro_established(const hs_service_t *service,
  830. const hs_service_intro_point_t *ip,
  831. origin_circuit_t *circ,
  832. const uint8_t *payload, size_t payload_len)
  833. {
  834. int ret = -1;
  835. tor_assert(service);
  836. tor_assert(ip);
  837. tor_assert(circ);
  838. tor_assert(payload);
  839. if (BUG(TO_CIRCUIT(circ)->purpose != CIRCUIT_PURPOSE_S_ESTABLISH_INTRO)) {
  840. goto done;
  841. }
  842. /* Try to parse the payload into a cell making sure we do actually have a
  843. * valid cell. For a legacy node, it's an empty payload so as long as we
  844. * have the cell, we are good. */
  845. if (!ip->base.is_only_legacy &&
  846. hs_cell_parse_intro_established(payload, payload_len) < 0) {
  847. log_warn(LD_REND, "Unable to parse the INTRO_ESTABLISHED cell on "
  848. "circuit %u for service %s",
  849. TO_CIRCUIT(circ)->n_circ_id,
  850. safe_str_client(service->onion_address));
  851. goto done;
  852. }
  853. /* Switch the purpose to a fully working intro point. */
  854. circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_S_INTRO);
  855. /* Getting a valid INTRODUCE_ESTABLISHED means we've successfully used the
  856. * circuit so update our pathbias subsystem. */
  857. pathbias_mark_use_success(circ);
  858. /* Success. */
  859. ret = 0;
  860. done:
  861. return ret;
  862. }
  863. /* We just received an INTRODUCE2 cell on the established introduction circuit
  864. * circ. Handle the INTRODUCE2 payload of size payload_len for the given
  865. * circuit and service. This cell is associated with the intro point object ip
  866. * and the subcredential. Return 0 on success else a negative value. */
  867. int
  868. hs_circ_handle_introduce2(const hs_service_t *service,
  869. const origin_circuit_t *circ,
  870. hs_service_intro_point_t *ip,
  871. const uint8_t *subcredential,
  872. const uint8_t *payload, size_t payload_len)
  873. {
  874. int ret = -1;
  875. time_t elapsed;
  876. hs_cell_introduce2_data_t data;
  877. tor_assert(service);
  878. tor_assert(circ);
  879. tor_assert(ip);
  880. tor_assert(subcredential);
  881. tor_assert(payload);
  882. /* Populate the data structure with everything we need for the cell to be
  883. * parsed, decrypted and key material computed correctly. */
  884. data.auth_pk = &ip->auth_key_kp.pubkey;
  885. data.enc_kp = &ip->enc_key_kp;
  886. data.subcredential = subcredential;
  887. data.payload = payload;
  888. data.payload_len = payload_len;
  889. data.link_specifiers = smartlist_new();
  890. data.replay_cache = ip->replay_cache;
  891. if (hs_cell_parse_introduce2(&data, circ, service) < 0) {
  892. goto done;
  893. }
  894. /* Check whether we've seen this REND_COOKIE before to detect repeats. */
  895. if (replaycache_add_test_and_elapsed(
  896. service->state.replay_cache_rend_cookie,
  897. data.rendezvous_cookie, sizeof(data.rendezvous_cookie),
  898. &elapsed)) {
  899. /* A Tor client will send a new INTRODUCE1 cell with the same REND_COOKIE
  900. * as its previous one if its intro circ times out while in state
  901. * CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT. If we received the first
  902. * INTRODUCE1 cell (the intro-point relay converts it into an INTRODUCE2
  903. * cell), we are already trying to connect to that rend point (and may
  904. * have already succeeded); drop this cell. */
  905. log_info(LD_REND, "We received an INTRODUCE2 cell with same REND_COOKIE "
  906. "field %ld seconds ago. Dropping cell.",
  907. (long int) elapsed);
  908. goto done;
  909. }
  910. /* At this point, we just confirmed that the full INTRODUCE2 cell is valid
  911. * so increment our counter that we've seen one on this intro point. */
  912. ip->introduce2_count++;
  913. /* Launch rendezvous circuit with the onion key and rend cookie. */
  914. launch_rendezvous_point_circuit(service, ip, &data);
  915. /* Success. */
  916. ret = 0;
  917. done:
  918. SMARTLIST_FOREACH(data.link_specifiers, link_specifier_t *, lspec,
  919. link_specifier_free(lspec));
  920. smartlist_free(data.link_specifiers);
  921. memwipe(&data, 0, sizeof(data));
  922. return ret;
  923. }
  924. /* Circuit <b>circ</b> just finished the rend ntor key exchange. Use the key
  925. * exchange output material at <b>ntor_key_seed</b> and setup <b>circ</b> to
  926. * serve as a rendezvous end-to-end circuit between the client and the
  927. * service. If <b>is_service_side</b> is set, then we are the hidden service
  928. * and the other side is the client.
  929. *
  930. * Return 0 if the operation went well; in case of error return -1. */
  931. int
  932. hs_circuit_setup_e2e_rend_circ(origin_circuit_t *circ,
  933. const uint8_t *ntor_key_seed, size_t seed_len,
  934. int is_service_side)
  935. {
  936. if (BUG(!circuit_purpose_is_correct_for_rend(TO_CIRCUIT(circ)->purpose,
  937. is_service_side))) {
  938. return -1;
  939. }
  940. crypt_path_t *hop = create_rend_cpath(ntor_key_seed, seed_len,
  941. is_service_side);
  942. if (!hop) {
  943. log_warn(LD_REND, "Couldn't get v3 %s cpath!",
  944. is_service_side ? "service-side" : "client-side");
  945. return -1;
  946. }
  947. finalize_rend_circuit(circ, hop, is_service_side);
  948. return 0;
  949. }
  950. /* We are a v2 legacy HS client and we just received a RENDEZVOUS1 cell
  951. * <b>rend_cell_body</b> on <b>circ</b>. Finish up the DH key exchange and then
  952. * extend the crypt path of <b>circ</b> so that the hidden service is on the
  953. * other side. */
  954. int
  955. hs_circuit_setup_e2e_rend_circ_legacy_client(origin_circuit_t *circ,
  956. const uint8_t *rend_cell_body)
  957. {
  958. if (BUG(!circuit_purpose_is_correct_for_rend(
  959. TO_CIRCUIT(circ)->purpose, 0))) {
  960. return -1;
  961. }
  962. crypt_path_t *hop = create_rend_cpath_legacy(circ, rend_cell_body);
  963. if (!hop) {
  964. log_warn(LD_GENERAL, "Couldn't get v2 cpath.");
  965. return -1;
  966. }
  967. finalize_rend_circuit(circ, hop, 0);
  968. return 0;
  969. }
  970. /* Given the introduction circuit intro_circ, the rendezvous circuit
  971. * rend_circ, a descriptor intro point object ip and the service's
  972. * subcredential, send an INTRODUCE1 cell on intro_circ.
  973. *
  974. * This will also setup the circuit identifier on rend_circ containing the key
  975. * material for the handshake and e2e encryption. Return 0 on success else
  976. * negative value. Because relay_send_command_from_edge() closes the circuit
  977. * on error, it is possible that intro_circ is closed on error. */
  978. int
  979. hs_circ_send_introduce1(origin_circuit_t *intro_circ,
  980. origin_circuit_t *rend_circ,
  981. const hs_desc_intro_point_t *ip,
  982. const uint8_t *subcredential)
  983. {
  984. int ret = -1;
  985. ssize_t payload_len;
  986. uint8_t payload[RELAY_PAYLOAD_SIZE] = {0};
  987. hs_cell_introduce1_data_t intro1_data;
  988. tor_assert(intro_circ);
  989. tor_assert(rend_circ);
  990. tor_assert(ip);
  991. tor_assert(subcredential);
  992. /* It is undefined behavior in hs_cell_introduce1_data_clear() if intro1_data
  993. * has been declared on the stack but not initialized. Here, we set it to 0.
  994. */
  995. memset(&intro1_data, 0, sizeof(hs_cell_introduce1_data_t));
  996. /* This takes various objects in order to populate the introduce1 data
  997. * object which is used to build the content of the cell. */
  998. const node_t *exit_node = build_state_get_exit_node(rend_circ->build_state);
  999. if (exit_node == NULL) {
  1000. log_info(LD_REND, "Unable to get rendezvous point for circuit %u. "
  1001. "Failing.", TO_CIRCUIT(intro_circ)->n_circ_id);
  1002. goto done;
  1003. }
  1004. /* We should never select an invalid rendezvous point in theory but if we
  1005. * do, this function will fail to populate the introduce data. */
  1006. if (setup_introduce1_data(ip, exit_node, subcredential, &intro1_data) < 0) {
  1007. log_warn(LD_REND, "Unable to setup INTRODUCE1 data. The chosen rendezvous "
  1008. "point is unusable. Closing circuit.");
  1009. goto close;
  1010. }
  1011. /* Final step before we encode a cell, we setup the circuit identifier which
  1012. * will generate both the rendezvous cookie and client keypair for this
  1013. * connection. Those are put in the ident. */
  1014. intro1_data.rendezvous_cookie = rend_circ->hs_ident->rendezvous_cookie;
  1015. intro1_data.client_kp = &rend_circ->hs_ident->rendezvous_client_kp;
  1016. memcpy(intro_circ->hs_ident->rendezvous_cookie,
  1017. rend_circ->hs_ident->rendezvous_cookie,
  1018. sizeof(intro_circ->hs_ident->rendezvous_cookie));
  1019. /* From the introduce1 data object, this will encode the INTRODUCE1 cell
  1020. * into payload which is then ready to be sent as is. */
  1021. payload_len = hs_cell_build_introduce1(&intro1_data, payload);
  1022. if (BUG(payload_len < 0)) {
  1023. goto close;
  1024. }
  1025. if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(intro_circ),
  1026. RELAY_COMMAND_INTRODUCE1,
  1027. (const char *) payload, payload_len,
  1028. intro_circ->cpath->prev) < 0) {
  1029. /* On error, circuit is closed. */
  1030. log_warn(LD_REND, "Unable to send INTRODUCE1 cell on circuit %u.",
  1031. TO_CIRCUIT(intro_circ)->n_circ_id);
  1032. goto done;
  1033. }
  1034. /* Success. */
  1035. ret = 0;
  1036. goto done;
  1037. close:
  1038. circuit_mark_for_close(TO_CIRCUIT(rend_circ), END_CIRC_REASON_INTERNAL);
  1039. done:
  1040. hs_cell_introduce1_data_clear(&intro1_data);
  1041. memwipe(payload, 0, sizeof(payload));
  1042. return ret;
  1043. }
  1044. /* Send an ESTABLISH_RENDEZVOUS cell along the rendezvous circuit circ. On
  1045. * success, 0 is returned else -1 and the circuit is marked for close. */
  1046. int
  1047. hs_circ_send_establish_rendezvous(origin_circuit_t *circ)
  1048. {
  1049. ssize_t cell_len = 0;
  1050. uint8_t cell[RELAY_PAYLOAD_SIZE] = {0};
  1051. tor_assert(circ);
  1052. tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_C_ESTABLISH_REND);
  1053. log_info(LD_REND, "Send an ESTABLISH_RENDEZVOUS cell on circuit %u",
  1054. TO_CIRCUIT(circ)->n_circ_id);
  1055. /* Set timestamp_dirty, because circuit_expire_building expects it,
  1056. * and the rend cookie also means we've used the circ. */
  1057. TO_CIRCUIT(circ)->timestamp_dirty = time(NULL);
  1058. /* We've attempted to use this circuit. Probe it if we fail */
  1059. pathbias_count_use_attempt(circ);
  1060. /* Generate the RENDEZVOUS_COOKIE and place it in the identifier so we can
  1061. * complete the handshake when receiving the acknowledgement. */
  1062. crypto_rand((char *) circ->hs_ident->rendezvous_cookie, HS_REND_COOKIE_LEN);
  1063. /* Generate the client keypair. No need to be extra strong, not long term */
  1064. curve25519_keypair_generate(&circ->hs_ident->rendezvous_client_kp, 0);
  1065. cell_len =
  1066. hs_cell_build_establish_rendezvous(circ->hs_ident->rendezvous_cookie,
  1067. cell);
  1068. if (BUG(cell_len < 0)) {
  1069. goto err;
  1070. }
  1071. if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
  1072. RELAY_COMMAND_ESTABLISH_RENDEZVOUS,
  1073. (const char *) cell, cell_len,
  1074. circ->cpath->prev) < 0) {
  1075. /* Circuit has been marked for close */
  1076. log_warn(LD_REND, "Unable to send ESTABLISH_RENDEZVOUS cell on "
  1077. "circuit %u", TO_CIRCUIT(circ)->n_circ_id);
  1078. memwipe(cell, 0, cell_len);
  1079. goto err;
  1080. }
  1081. memwipe(cell, 0, cell_len);
  1082. return 0;
  1083. err:
  1084. return -1;
  1085. }
  1086. /* We are about to close or free this <b>circ</b>. Clean it up from any
  1087. * related HS data structures. This function can be called multiple times
  1088. * safely for the same circuit. */
  1089. void
  1090. hs_circ_cleanup(circuit_t *circ)
  1091. {
  1092. tor_assert(circ);
  1093. /* If it's a service-side intro circ, notify the HS subsystem for the intro
  1094. * point circuit closing so it can be dealt with cleanly. */
  1095. if (circ->purpose == CIRCUIT_PURPOSE_S_ESTABLISH_INTRO ||
  1096. circ->purpose == CIRCUIT_PURPOSE_S_INTRO) {
  1097. hs_service_intro_circ_has_closed(TO_ORIGIN_CIRCUIT(circ));
  1098. }
  1099. /* Clear HS circuitmap token for this circ (if any). Very important to be
  1100. * done after the HS subsystem has been notified of the close else the
  1101. * circuit will not be found.
  1102. *
  1103. * We do this at the close if possible because from that point on, the
  1104. * circuit is good as dead. We can't rely on removing it in the circuit
  1105. * free() function because we open a race window between the close and free
  1106. * where we can't register a new circuit for the same intro point. */
  1107. if (circ->hs_token) {
  1108. hs_circuitmap_remove_circuit(circ);
  1109. }
  1110. }