hs_cell.c 39 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062
  1. /* Copyright (c) 2017-2019, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file hs_cell.c
  5. * \brief Hidden service API for cell creation and handling.
  6. **/
  7. #include "core/or/or.h"
  8. #include "app/config/config.h"
  9. #include "lib/crypt_ops/crypto_util.h"
  10. #include "feature/rend/rendservice.h"
  11. #include "feature/hs_common/replaycache.h"
  12. #include "feature/hs/hs_cell.h"
  13. #include "core/crypto/hs_ntor.h"
  14. #include "core/or/origin_circuit_st.h"
  15. /* Trunnel. */
  16. #include "trunnel/ed25519_cert.h"
  17. #include "trunnel/hs/cell_common.h"
  18. #include "trunnel/hs/cell_establish_intro.h"
  19. #include "trunnel/hs/cell_introduce1.h"
  20. #include "trunnel/hs/cell_rendezvous.h"
  21. /* Compute the MAC of an INTRODUCE cell in mac_out. The encoded_cell param is
  22. * the cell content up to the ENCRYPTED section of length encoded_cell_len.
  23. * The encrypted param is the start of the ENCRYPTED section of length
  24. * encrypted_len. The mac_key is the key needed for the computation of the MAC
  25. * derived from the ntor handshake of length mac_key_len.
  26. *
  27. * The length mac_out_len must be at least DIGEST256_LEN. */
  28. static void
  29. compute_introduce_mac(const uint8_t *encoded_cell, size_t encoded_cell_len,
  30. const uint8_t *encrypted, size_t encrypted_len,
  31. const uint8_t *mac_key, size_t mac_key_len,
  32. uint8_t *mac_out, size_t mac_out_len)
  33. {
  34. size_t offset = 0;
  35. size_t mac_msg_len;
  36. uint8_t mac_msg[RELAY_PAYLOAD_SIZE] = {0};
  37. tor_assert(encoded_cell);
  38. tor_assert(encrypted);
  39. tor_assert(mac_key);
  40. tor_assert(mac_out);
  41. tor_assert(mac_out_len >= DIGEST256_LEN);
  42. /* Compute the size of the message which is basically the entire cell until
  43. * the MAC field of course. */
  44. mac_msg_len = encoded_cell_len + (encrypted_len - DIGEST256_LEN);
  45. tor_assert(mac_msg_len <= sizeof(mac_msg));
  46. /* First, put the encoded cell in the msg. */
  47. memcpy(mac_msg, encoded_cell, encoded_cell_len);
  48. offset += encoded_cell_len;
  49. /* Second, put the CLIENT_PK + ENCRYPTED_DATA but ommit the MAC field (which
  50. * is junk at this point). */
  51. memcpy(mac_msg + offset, encrypted, (encrypted_len - DIGEST256_LEN));
  52. offset += (encrypted_len - DIGEST256_LEN);
  53. tor_assert(offset == mac_msg_len);
  54. crypto_mac_sha3_256(mac_out, mac_out_len,
  55. mac_key, mac_key_len,
  56. mac_msg, mac_msg_len);
  57. memwipe(mac_msg, 0, sizeof(mac_msg));
  58. }
  59. /* From a set of keys, subcredential and the ENCRYPTED section of an
  60. * INTRODUCE2 cell, return a newly allocated intro cell keys structure.
  61. * Finally, the client public key is copied in client_pk. On error, return
  62. * NULL. */
  63. static hs_ntor_intro_cell_keys_t *
  64. get_introduce2_key_material(const ed25519_public_key_t *auth_key,
  65. const curve25519_keypair_t *enc_key,
  66. const uint8_t *subcredential,
  67. const uint8_t *encrypted_section,
  68. curve25519_public_key_t *client_pk)
  69. {
  70. hs_ntor_intro_cell_keys_t *keys;
  71. tor_assert(auth_key);
  72. tor_assert(enc_key);
  73. tor_assert(subcredential);
  74. tor_assert(encrypted_section);
  75. tor_assert(client_pk);
  76. keys = tor_malloc_zero(sizeof(*keys));
  77. /* First bytes of the ENCRYPTED section are the client public key. */
  78. memcpy(client_pk->public_key, encrypted_section, CURVE25519_PUBKEY_LEN);
  79. if (hs_ntor_service_get_introduce1_keys(auth_key, enc_key, client_pk,
  80. subcredential, keys) < 0) {
  81. /* Don't rely on the caller to wipe this on error. */
  82. memwipe(client_pk, 0, sizeof(curve25519_public_key_t));
  83. tor_free(keys);
  84. keys = NULL;
  85. }
  86. return keys;
  87. }
  88. /* Using the given encryption key, decrypt the encrypted_section of length
  89. * encrypted_section_len of an INTRODUCE2 cell and return a newly allocated
  90. * buffer containing the decrypted data. On decryption failure, NULL is
  91. * returned. */
  92. static uint8_t *
  93. decrypt_introduce2(const uint8_t *enc_key, const uint8_t *encrypted_section,
  94. size_t encrypted_section_len)
  95. {
  96. uint8_t *decrypted = NULL;
  97. crypto_cipher_t *cipher = NULL;
  98. tor_assert(enc_key);
  99. tor_assert(encrypted_section);
  100. /* Decrypt ENCRYPTED section. */
  101. cipher = crypto_cipher_new_with_bits((char *) enc_key,
  102. CURVE25519_PUBKEY_LEN * 8);
  103. tor_assert(cipher);
  104. /* This is symmetric encryption so can't be bigger than the encrypted
  105. * section length. */
  106. decrypted = tor_malloc_zero(encrypted_section_len);
  107. if (crypto_cipher_decrypt(cipher, (char *) decrypted,
  108. (const char *) encrypted_section,
  109. encrypted_section_len) < 0) {
  110. tor_free(decrypted);
  111. decrypted = NULL;
  112. goto done;
  113. }
  114. done:
  115. crypto_cipher_free(cipher);
  116. return decrypted;
  117. }
  118. /* Given a pointer to the decrypted data of the ENCRYPTED section of an
  119. * INTRODUCE2 cell of length decrypted_len, parse and validate the cell
  120. * content. Return a newly allocated cell structure or NULL on error. The
  121. * circuit and service object are only used for logging purposes. */
  122. static trn_cell_introduce_encrypted_t *
  123. parse_introduce2_encrypted(const uint8_t *decrypted_data,
  124. size_t decrypted_len, const origin_circuit_t *circ,
  125. const hs_service_t *service)
  126. {
  127. trn_cell_introduce_encrypted_t *enc_cell = NULL;
  128. tor_assert(decrypted_data);
  129. tor_assert(circ);
  130. tor_assert(service);
  131. if (trn_cell_introduce_encrypted_parse(&enc_cell, decrypted_data,
  132. decrypted_len) < 0) {
  133. log_info(LD_REND, "Unable to parse the decrypted ENCRYPTED section of "
  134. "the INTRODUCE2 cell on circuit %u for service %s",
  135. TO_CIRCUIT(circ)->n_circ_id,
  136. safe_str_client(service->onion_address));
  137. goto err;
  138. }
  139. if (trn_cell_introduce_encrypted_get_onion_key_type(enc_cell) !=
  140. TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR) {
  141. log_info(LD_REND, "INTRODUCE2 onion key type is invalid. Got %u but "
  142. "expected %u on circuit %u for service %s",
  143. trn_cell_introduce_encrypted_get_onion_key_type(enc_cell),
  144. TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR,
  145. TO_CIRCUIT(circ)->n_circ_id,
  146. safe_str_client(service->onion_address));
  147. goto err;
  148. }
  149. if (trn_cell_introduce_encrypted_getlen_onion_key(enc_cell) !=
  150. CURVE25519_PUBKEY_LEN) {
  151. log_info(LD_REND, "INTRODUCE2 onion key length is invalid. Got %u but "
  152. "expected %d on circuit %u for service %s",
  153. (unsigned)trn_cell_introduce_encrypted_getlen_onion_key(enc_cell),
  154. CURVE25519_PUBKEY_LEN, TO_CIRCUIT(circ)->n_circ_id,
  155. safe_str_client(service->onion_address));
  156. goto err;
  157. }
  158. /* XXX: Validate NSPEC field as well. */
  159. return enc_cell;
  160. err:
  161. trn_cell_introduce_encrypted_free(enc_cell);
  162. return NULL;
  163. }
  164. /* Build a legacy ESTABLISH_INTRO cell with the given circuit nonce and RSA
  165. * encryption key. The encoded cell is put in cell_out that MUST at least be
  166. * of the size of RELAY_PAYLOAD_SIZE. Return the encoded cell length on
  167. * success else a negative value and cell_out is untouched. */
  168. static ssize_t
  169. build_legacy_establish_intro(const char *circ_nonce, crypto_pk_t *enc_key,
  170. uint8_t *cell_out)
  171. {
  172. ssize_t cell_len;
  173. tor_assert(circ_nonce);
  174. tor_assert(enc_key);
  175. tor_assert(cell_out);
  176. memwipe(cell_out, 0, RELAY_PAYLOAD_SIZE);
  177. cell_len = rend_service_encode_establish_intro_cell((char*)cell_out,
  178. RELAY_PAYLOAD_SIZE,
  179. enc_key, circ_nonce);
  180. return cell_len;
  181. }
  182. /* Parse an INTRODUCE2 cell from payload of size payload_len for the given
  183. * service and circuit which are used only for logging purposes. The resulting
  184. * parsed cell is put in cell_ptr_out.
  185. *
  186. * This function only parses prop224 INTRODUCE2 cells even when the intro point
  187. * is a legacy intro point. That's because intro points don't actually care
  188. * about the contents of the introduce cell. Legacy INTRODUCE cells are only
  189. * used by the legacy system now.
  190. *
  191. * Return 0 on success else a negative value and cell_ptr_out is untouched. */
  192. static int
  193. parse_introduce2_cell(const hs_service_t *service,
  194. const origin_circuit_t *circ, const uint8_t *payload,
  195. size_t payload_len,
  196. trn_cell_introduce1_t **cell_ptr_out)
  197. {
  198. trn_cell_introduce1_t *cell = NULL;
  199. tor_assert(service);
  200. tor_assert(circ);
  201. tor_assert(payload);
  202. tor_assert(cell_ptr_out);
  203. /* Parse the cell so we can start cell validation. */
  204. if (trn_cell_introduce1_parse(&cell, payload, payload_len) < 0) {
  205. log_info(LD_PROTOCOL, "Unable to parse INTRODUCE2 cell on circuit %u "
  206. "for service %s",
  207. TO_CIRCUIT(circ)->n_circ_id,
  208. safe_str_client(service->onion_address));
  209. goto err;
  210. }
  211. /* Success. */
  212. *cell_ptr_out = cell;
  213. return 0;
  214. err:
  215. return -1;
  216. }
  217. /* Set the onion public key onion_pk in cell, the encrypted section of an
  218. * INTRODUCE1 cell. */
  219. static void
  220. introduce1_set_encrypted_onion_key(trn_cell_introduce_encrypted_t *cell,
  221. const uint8_t *onion_pk)
  222. {
  223. tor_assert(cell);
  224. tor_assert(onion_pk);
  225. /* There is only one possible key type for a non legacy cell. */
  226. trn_cell_introduce_encrypted_set_onion_key_type(cell,
  227. TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR);
  228. trn_cell_introduce_encrypted_set_onion_key_len(cell, CURVE25519_PUBKEY_LEN);
  229. trn_cell_introduce_encrypted_setlen_onion_key(cell, CURVE25519_PUBKEY_LEN);
  230. memcpy(trn_cell_introduce_encrypted_getarray_onion_key(cell), onion_pk,
  231. trn_cell_introduce_encrypted_getlen_onion_key(cell));
  232. }
  233. /* Set the link specifiers in lspecs in cell, the encrypted section of an
  234. * INTRODUCE1 cell. */
  235. static void
  236. introduce1_set_encrypted_link_spec(trn_cell_introduce_encrypted_t *cell,
  237. const smartlist_t *lspecs)
  238. {
  239. tor_assert(cell);
  240. tor_assert(lspecs);
  241. tor_assert(smartlist_len(lspecs) > 0);
  242. tor_assert(smartlist_len(lspecs) <= UINT8_MAX);
  243. uint8_t lspecs_num = (uint8_t) smartlist_len(lspecs);
  244. trn_cell_introduce_encrypted_set_nspec(cell, lspecs_num);
  245. /* We aren't duplicating the link specifiers object here which means that
  246. * the ownership goes to the trn_cell_introduce_encrypted_t cell and those
  247. * object will be freed when the cell is. */
  248. SMARTLIST_FOREACH(lspecs, link_specifier_t *, ls,
  249. trn_cell_introduce_encrypted_add_nspecs(cell, ls));
  250. }
  251. /* Set padding in the enc_cell only if needed that is the total length of both
  252. * sections are below the mininum required for an INTRODUCE1 cell. */
  253. static void
  254. introduce1_set_encrypted_padding(const trn_cell_introduce1_t *cell,
  255. trn_cell_introduce_encrypted_t *enc_cell)
  256. {
  257. tor_assert(cell);
  258. tor_assert(enc_cell);
  259. /* This is the length we expect to have once encoded of the whole cell. */
  260. ssize_t full_len = trn_cell_introduce1_encoded_len(cell) +
  261. trn_cell_introduce_encrypted_encoded_len(enc_cell);
  262. tor_assert(full_len > 0);
  263. if (full_len < HS_CELL_INTRODUCE1_MIN_SIZE) {
  264. size_t padding = HS_CELL_INTRODUCE1_MIN_SIZE - full_len;
  265. trn_cell_introduce_encrypted_setlen_pad(enc_cell, padding);
  266. memset(trn_cell_introduce_encrypted_getarray_pad(enc_cell), 0,
  267. trn_cell_introduce_encrypted_getlen_pad(enc_cell));
  268. }
  269. }
  270. /* Encrypt the ENCRYPTED payload and encode it in the cell using the enc_cell
  271. * and the INTRODUCE1 data.
  272. *
  273. * This can't fail but it is very important that the caller sets every field
  274. * in data so the computation of the INTRODUCE1 keys doesn't fail. */
  275. static void
  276. introduce1_encrypt_and_encode(trn_cell_introduce1_t *cell,
  277. const trn_cell_introduce_encrypted_t *enc_cell,
  278. const hs_cell_introduce1_data_t *data)
  279. {
  280. size_t offset = 0;
  281. ssize_t encrypted_len;
  282. ssize_t encoded_cell_len, encoded_enc_cell_len;
  283. uint8_t encoded_cell[RELAY_PAYLOAD_SIZE] = {0};
  284. uint8_t encoded_enc_cell[RELAY_PAYLOAD_SIZE] = {0};
  285. uint8_t *encrypted = NULL;
  286. uint8_t mac[DIGEST256_LEN];
  287. crypto_cipher_t *cipher = NULL;
  288. hs_ntor_intro_cell_keys_t keys;
  289. tor_assert(cell);
  290. tor_assert(enc_cell);
  291. tor_assert(data);
  292. /* Encode the cells up to now of what we have to we can perform the MAC
  293. * computation on it. */
  294. encoded_cell_len = trn_cell_introduce1_encode(encoded_cell,
  295. sizeof(encoded_cell), cell);
  296. /* We have a much more serious issue if this isn't true. */
  297. tor_assert(encoded_cell_len > 0);
  298. encoded_enc_cell_len =
  299. trn_cell_introduce_encrypted_encode(encoded_enc_cell,
  300. sizeof(encoded_enc_cell), enc_cell);
  301. /* We have a much more serious issue if this isn't true. */
  302. tor_assert(encoded_enc_cell_len > 0);
  303. /* Get the key material for the encryption. */
  304. if (hs_ntor_client_get_introduce1_keys(data->auth_pk, data->enc_pk,
  305. data->client_kp,
  306. data->subcredential, &keys) < 0) {
  307. tor_assert_unreached();
  308. }
  309. /* Prepare cipher with the encryption key just computed. */
  310. cipher = crypto_cipher_new_with_bits((const char *) keys.enc_key,
  311. sizeof(keys.enc_key) * 8);
  312. tor_assert(cipher);
  313. /* Compute the length of the ENCRYPTED section which is the CLIENT_PK,
  314. * ENCRYPTED_DATA and MAC length. */
  315. encrypted_len = sizeof(data->client_kp->pubkey) + encoded_enc_cell_len +
  316. sizeof(mac);
  317. tor_assert(encrypted_len < RELAY_PAYLOAD_SIZE);
  318. encrypted = tor_malloc_zero(encrypted_len);
  319. /* Put the CLIENT_PK first. */
  320. memcpy(encrypted, data->client_kp->pubkey.public_key,
  321. sizeof(data->client_kp->pubkey.public_key));
  322. offset += sizeof(data->client_kp->pubkey.public_key);
  323. /* Then encrypt and set the ENCRYPTED_DATA. This can't fail. */
  324. crypto_cipher_encrypt(cipher, (char *) encrypted + offset,
  325. (const char *) encoded_enc_cell, encoded_enc_cell_len);
  326. crypto_cipher_free(cipher);
  327. offset += encoded_enc_cell_len;
  328. /* Compute MAC from the above and put it in the buffer. This function will
  329. * make the adjustment to the encrypted_len to omit the MAC length. */
  330. compute_introduce_mac(encoded_cell, encoded_cell_len,
  331. encrypted, encrypted_len,
  332. keys.mac_key, sizeof(keys.mac_key),
  333. mac, sizeof(mac));
  334. memcpy(encrypted + offset, mac, sizeof(mac));
  335. offset += sizeof(mac);
  336. tor_assert(offset == (size_t) encrypted_len);
  337. /* Set the ENCRYPTED section in the cell. */
  338. trn_cell_introduce1_setlen_encrypted(cell, encrypted_len);
  339. memcpy(trn_cell_introduce1_getarray_encrypted(cell),
  340. encrypted, encrypted_len);
  341. /* Cleanup. */
  342. memwipe(&keys, 0, sizeof(keys));
  343. memwipe(mac, 0, sizeof(mac));
  344. memwipe(encrypted, 0, sizeof(encrypted_len));
  345. memwipe(encoded_enc_cell, 0, sizeof(encoded_enc_cell));
  346. tor_free(encrypted);
  347. }
  348. /* Using the INTRODUCE1 data, setup the ENCRYPTED section in cell. This means
  349. * set it, encrypt it and encode it. */
  350. static void
  351. introduce1_set_encrypted(trn_cell_introduce1_t *cell,
  352. const hs_cell_introduce1_data_t *data)
  353. {
  354. trn_cell_introduce_encrypted_t *enc_cell;
  355. trn_cell_extension_t *ext;
  356. tor_assert(cell);
  357. tor_assert(data);
  358. enc_cell = trn_cell_introduce_encrypted_new();
  359. tor_assert(enc_cell);
  360. /* Set extension data. None are used. */
  361. ext = trn_cell_extension_new();
  362. tor_assert(ext);
  363. trn_cell_extension_set_num(ext, 0);
  364. trn_cell_introduce_encrypted_set_extensions(enc_cell, ext);
  365. /* Set the rendezvous cookie. */
  366. memcpy(trn_cell_introduce_encrypted_getarray_rend_cookie(enc_cell),
  367. data->rendezvous_cookie, REND_COOKIE_LEN);
  368. /* Set the onion public key. */
  369. introduce1_set_encrypted_onion_key(enc_cell, data->onion_pk->public_key);
  370. /* Set the link specifiers. */
  371. introduce1_set_encrypted_link_spec(enc_cell, data->link_specifiers);
  372. /* Set padding. */
  373. introduce1_set_encrypted_padding(cell, enc_cell);
  374. /* Encrypt and encode it in the cell. */
  375. introduce1_encrypt_and_encode(cell, enc_cell, data);
  376. /* Cleanup. */
  377. trn_cell_introduce_encrypted_free(enc_cell);
  378. }
  379. /* Set the authentication key in the INTRODUCE1 cell from the given data. */
  380. static void
  381. introduce1_set_auth_key(trn_cell_introduce1_t *cell,
  382. const hs_cell_introduce1_data_t *data)
  383. {
  384. tor_assert(cell);
  385. tor_assert(data);
  386. /* There is only one possible type for a non legacy cell. */
  387. trn_cell_introduce1_set_auth_key_type(cell,
  388. TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519);
  389. trn_cell_introduce1_set_auth_key_len(cell, ED25519_PUBKEY_LEN);
  390. trn_cell_introduce1_setlen_auth_key(cell, ED25519_PUBKEY_LEN);
  391. memcpy(trn_cell_introduce1_getarray_auth_key(cell),
  392. data->auth_pk->pubkey, trn_cell_introduce1_getlen_auth_key(cell));
  393. }
  394. /* Set the legacy ID field in the INTRODUCE1 cell from the given data. */
  395. static void
  396. introduce1_set_legacy_id(trn_cell_introduce1_t *cell,
  397. const hs_cell_introduce1_data_t *data)
  398. {
  399. tor_assert(cell);
  400. tor_assert(data);
  401. if (data->is_legacy) {
  402. uint8_t digest[DIGEST_LEN];
  403. if (BUG(crypto_pk_get_digest(data->legacy_key, (char *) digest) < 0)) {
  404. return;
  405. }
  406. memcpy(trn_cell_introduce1_getarray_legacy_key_id(cell),
  407. digest, trn_cell_introduce1_getlen_legacy_key_id(cell));
  408. } else {
  409. /* We have to zeroed the LEGACY_KEY_ID field. */
  410. memset(trn_cell_introduce1_getarray_legacy_key_id(cell), 0,
  411. trn_cell_introduce1_getlen_legacy_key_id(cell));
  412. }
  413. }
  414. /* Build and add to the given DoS cell extension the given parameter type and
  415. * value. */
  416. static void
  417. build_establish_intro_dos_param(trn_cell_extension_dos_t *dos_ext,
  418. uint8_t param_type, uint64_t param_value)
  419. {
  420. trn_cell_extension_dos_param_t *dos_param =
  421. trn_cell_extension_dos_param_new();
  422. /* Extra safety. We should never send an unknown parameter type. */
  423. tor_assert(param_type == TRUNNEL_DOS_PARAM_TYPE_INTRO2_RATE_PER_SEC ||
  424. param_type == TRUNNEL_DOS_PARAM_TYPE_INTRO2_BURST_PER_SEC);
  425. trn_cell_extension_dos_param_set_type(dos_param, param_type);
  426. trn_cell_extension_dos_param_set_value(dos_param, param_value);
  427. trn_cell_extension_dos_add_params(dos_ext, dos_param);
  428. /* Not freeing the trunnel object because it is now owned by dos_ext. */
  429. }
  430. /* Build the DoS defense cell extension and put it in the given extensions
  431. * object. This can't fail. */
  432. static void
  433. build_establish_intro_dos_extension(const hs_service_config_t *service_config,
  434. trn_cell_extension_t *extensions)
  435. {
  436. ssize_t ret, dos_ext_encoded_len;
  437. uint8_t *field_array;
  438. trn_cell_extension_field_t *field;
  439. trn_cell_extension_dos_t *dos_ext;
  440. tor_assert(service_config);
  441. tor_assert(extensions);
  442. /* We are creating a cell extension field of the type DoS. */
  443. field = trn_cell_extension_field_new();
  444. trn_cell_extension_field_set_field_type(field,
  445. TRUNNEL_CELL_EXTENSION_TYPE_DOS);
  446. /* Build DoS extension field. We will put in two parameters. */
  447. dos_ext = trn_cell_extension_dos_new();
  448. trn_cell_extension_dos_set_n_params(dos_ext, 2);
  449. /* Build DoS parameter INTRO2 rate per second. */
  450. build_establish_intro_dos_param(dos_ext,
  451. TRUNNEL_DOS_PARAM_TYPE_INTRO2_RATE_PER_SEC,
  452. service_config->intro_dos_rate_per_sec);
  453. /* Build DoS parameter INTRO2 burst per second. */
  454. build_establish_intro_dos_param(dos_ext,
  455. TRUNNEL_DOS_PARAM_TYPE_INTRO2_BURST_PER_SEC,
  456. service_config->intro_dos_burst_per_sec);
  457. /* Set the field with the encoded DoS extension. */
  458. dos_ext_encoded_len = trn_cell_extension_dos_encoded_len(dos_ext);
  459. /* Set length field and the field array size length. */
  460. trn_cell_extension_field_set_field_len(field, dos_ext_encoded_len);
  461. trn_cell_extension_field_setlen_field(field, dos_ext_encoded_len);
  462. /* Encode the DoS extension into the cell extension field. */
  463. field_array = trn_cell_extension_field_getarray_field(field);
  464. ret = trn_cell_extension_dos_encode(field_array,
  465. trn_cell_extension_field_getlen_field(field), dos_ext);
  466. tor_assert(ret == dos_ext_encoded_len);
  467. /* Finally, encode field into the cell extension. */
  468. trn_cell_extension_add_fields(extensions, field);
  469. /* We've just add an extension field to the cell extensions so increment the
  470. * total number. */
  471. trn_cell_extension_set_num(extensions,
  472. trn_cell_extension_get_num(extensions) + 1);
  473. /* Cleanup. DoS extension has been encoded at this point. */
  474. trn_cell_extension_dos_free(dos_ext);
  475. }
  476. /* ========== */
  477. /* Public API */
  478. /* ========== */
  479. /* Allocate and build all the ESTABLISH_INTRO cell extension. The given
  480. * extensions pointer is always set to a valid cell extension object. */
  481. STATIC trn_cell_extension_t *
  482. build_establish_intro_extensions(const hs_service_config_t *service_config,
  483. const hs_service_intro_point_t *ip)
  484. {
  485. trn_cell_extension_t *extensions;
  486. tor_assert(service_config);
  487. tor_assert(ip);
  488. extensions = trn_cell_extension_new();
  489. trn_cell_extension_set_num(extensions, 0);
  490. /* If the defense has been enabled service side (by the operator with a
  491. * torrc option) and the intro point does support it. */
  492. if (service_config->has_dos_defense_enabled &&
  493. ip->support_intro2_dos_defense) {
  494. /* This function takes care to increment the number of extensions. */
  495. build_establish_intro_dos_extension(service_config, extensions);
  496. }
  497. return extensions;
  498. }
  499. /* Build an ESTABLISH_INTRO cell with the given circuit nonce and intro point
  500. * object. The encoded cell is put in cell_out that MUST at least be of the
  501. * size of RELAY_PAYLOAD_SIZE. Return the encoded cell length on success else
  502. * a negative value and cell_out is untouched. This function also supports
  503. * legacy cell creation. */
  504. ssize_t
  505. hs_cell_build_establish_intro(const char *circ_nonce,
  506. const hs_service_config_t *service_config,
  507. const hs_service_intro_point_t *ip,
  508. uint8_t *cell_out)
  509. {
  510. ssize_t cell_len = -1;
  511. uint16_t sig_len = ED25519_SIG_LEN;
  512. trn_cell_establish_intro_t *cell = NULL;
  513. trn_cell_extension_t *extensions;
  514. tor_assert(circ_nonce);
  515. tor_assert(service_config);
  516. tor_assert(ip);
  517. /* Quickly handle the legacy IP. */
  518. if (ip->base.is_only_legacy) {
  519. tor_assert(ip->legacy_key);
  520. cell_len = build_legacy_establish_intro(circ_nonce, ip->legacy_key,
  521. cell_out);
  522. tor_assert(cell_len <= RELAY_PAYLOAD_SIZE);
  523. /* Success or not we are done here. */
  524. goto done;
  525. }
  526. /* Build the extensions, if any. */
  527. extensions = build_establish_intro_extensions(service_config, ip);
  528. /* Set extension data. None used here. */
  529. cell = trn_cell_establish_intro_new();
  530. trn_cell_establish_intro_set_extensions(cell, extensions);
  531. /* Set signature size. Array is then allocated in the cell. We need to do
  532. * this early so we can use trunnel API to get the signature length. */
  533. trn_cell_establish_intro_set_sig_len(cell, sig_len);
  534. trn_cell_establish_intro_setlen_sig(cell, sig_len);
  535. /* Set AUTH_KEY_TYPE: 2 means ed25519 */
  536. trn_cell_establish_intro_set_auth_key_type(cell,
  537. TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519);
  538. /* Set AUTH_KEY and AUTH_KEY_LEN field. Must also set byte-length of
  539. * AUTH_KEY to match */
  540. {
  541. uint16_t auth_key_len = ED25519_PUBKEY_LEN;
  542. trn_cell_establish_intro_set_auth_key_len(cell, auth_key_len);
  543. trn_cell_establish_intro_setlen_auth_key(cell, auth_key_len);
  544. /* We do this call _after_ setting the length because it's reallocated at
  545. * that point only. */
  546. uint8_t *auth_key_ptr = trn_cell_establish_intro_getarray_auth_key(cell);
  547. memcpy(auth_key_ptr, ip->auth_key_kp.pubkey.pubkey, auth_key_len);
  548. }
  549. /* Calculate HANDSHAKE_AUTH field (MAC). */
  550. {
  551. ssize_t tmp_cell_enc_len = 0;
  552. ssize_t tmp_cell_mac_offset =
  553. sig_len + sizeof(cell->sig_len) +
  554. trn_cell_establish_intro_getlen_handshake_mac(cell);
  555. uint8_t tmp_cell_enc[RELAY_PAYLOAD_SIZE] = {0};
  556. uint8_t mac[TRUNNEL_SHA3_256_LEN], *handshake_ptr;
  557. /* We first encode the current fields we have in the cell so we can
  558. * compute the MAC using the raw bytes. */
  559. tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
  560. sizeof(tmp_cell_enc),
  561. cell);
  562. if (BUG(tmp_cell_enc_len < 0)) {
  563. goto done;
  564. }
  565. /* Sanity check. */
  566. tor_assert(tmp_cell_enc_len > tmp_cell_mac_offset);
  567. /* Circuit nonce is always DIGEST_LEN according to tor-spec.txt. */
  568. crypto_mac_sha3_256(mac, sizeof(mac),
  569. (uint8_t *) circ_nonce, DIGEST_LEN,
  570. tmp_cell_enc, tmp_cell_enc_len - tmp_cell_mac_offset);
  571. handshake_ptr = trn_cell_establish_intro_getarray_handshake_mac(cell);
  572. memcpy(handshake_ptr, mac, sizeof(mac));
  573. memwipe(mac, 0, sizeof(mac));
  574. memwipe(tmp_cell_enc, 0, sizeof(tmp_cell_enc));
  575. }
  576. /* Calculate the cell signature SIG. */
  577. {
  578. ssize_t tmp_cell_enc_len = 0;
  579. ssize_t tmp_cell_sig_offset = (sig_len + sizeof(cell->sig_len));
  580. uint8_t tmp_cell_enc[RELAY_PAYLOAD_SIZE] = {0}, *sig_ptr;
  581. ed25519_signature_t sig;
  582. /* We first encode the current fields we have in the cell so we can
  583. * compute the signature from the raw bytes of the cell. */
  584. tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
  585. sizeof(tmp_cell_enc),
  586. cell);
  587. if (BUG(tmp_cell_enc_len < 0)) {
  588. goto done;
  589. }
  590. if (ed25519_sign_prefixed(&sig, tmp_cell_enc,
  591. tmp_cell_enc_len - tmp_cell_sig_offset,
  592. ESTABLISH_INTRO_SIG_PREFIX, &ip->auth_key_kp)) {
  593. log_warn(LD_BUG, "Unable to make signature for ESTABLISH_INTRO cell.");
  594. goto done;
  595. }
  596. /* Copy the signature into the cell. */
  597. sig_ptr = trn_cell_establish_intro_getarray_sig(cell);
  598. memcpy(sig_ptr, sig.sig, sig_len);
  599. memwipe(tmp_cell_enc, 0, sizeof(tmp_cell_enc));
  600. }
  601. /* Encode the cell. Can't be bigger than a standard cell. */
  602. cell_len = trn_cell_establish_intro_encode(cell_out, RELAY_PAYLOAD_SIZE,
  603. cell);
  604. done:
  605. trn_cell_establish_intro_free(cell);
  606. return cell_len;
  607. }
  608. /* Parse the INTRO_ESTABLISHED cell in the payload of size payload_len. If we
  609. * are successful at parsing it, return the length of the parsed cell else a
  610. * negative value on error. */
  611. ssize_t
  612. hs_cell_parse_intro_established(const uint8_t *payload, size_t payload_len)
  613. {
  614. ssize_t ret;
  615. trn_cell_intro_established_t *cell = NULL;
  616. tor_assert(payload);
  617. /* Try to parse the payload into a cell making sure we do actually have a
  618. * valid cell. */
  619. ret = trn_cell_intro_established_parse(&cell, payload, payload_len);
  620. if (ret >= 0) {
  621. /* On success, we do not keep the cell, we just notify the caller that it
  622. * was successfully parsed. */
  623. trn_cell_intro_established_free(cell);
  624. }
  625. return ret;
  626. }
  627. /* Parse the INTRODUCE2 cell using data which contains everything we need to
  628. * do so and contains the destination buffers of information we extract and
  629. * compute from the cell. Return 0 on success else a negative value. The
  630. * service and circ are only used for logging purposes. */
  631. ssize_t
  632. hs_cell_parse_introduce2(hs_cell_introduce2_data_t *data,
  633. const origin_circuit_t *circ,
  634. const hs_service_t *service)
  635. {
  636. int ret = -1;
  637. time_t elapsed;
  638. uint8_t *decrypted = NULL;
  639. size_t encrypted_section_len;
  640. const uint8_t *encrypted_section;
  641. trn_cell_introduce1_t *cell = NULL;
  642. trn_cell_introduce_encrypted_t *enc_cell = NULL;
  643. hs_ntor_intro_cell_keys_t *intro_keys = NULL;
  644. tor_assert(data);
  645. tor_assert(circ);
  646. tor_assert(service);
  647. /* Parse the cell into a decoded data structure pointed by cell_ptr. */
  648. if (parse_introduce2_cell(service, circ, data->payload, data->payload_len,
  649. &cell) < 0) {
  650. goto done;
  651. }
  652. log_info(LD_REND, "Received a decodable INTRODUCE2 cell on circuit %u "
  653. "for service %s. Decoding encrypted section...",
  654. TO_CIRCUIT(circ)->n_circ_id,
  655. safe_str_client(service->onion_address));
  656. encrypted_section = trn_cell_introduce1_getconstarray_encrypted(cell);
  657. encrypted_section_len = trn_cell_introduce1_getlen_encrypted(cell);
  658. /* Encrypted section must at least contain the CLIENT_PK and MAC which is
  659. * defined in section 3.3.2 of the specification. */
  660. if (encrypted_section_len < (CURVE25519_PUBKEY_LEN + DIGEST256_LEN)) {
  661. log_info(LD_REND, "Invalid INTRODUCE2 encrypted section length "
  662. "for service %s. Dropping cell.",
  663. safe_str_client(service->onion_address));
  664. goto done;
  665. }
  666. /* Check our replay cache for this introduction point. */
  667. if (replaycache_add_test_and_elapsed(data->replay_cache, encrypted_section,
  668. encrypted_section_len, &elapsed)) {
  669. log_warn(LD_REND, "Possible replay detected! An INTRODUCE2 cell with the"
  670. "same ENCRYPTED section was seen %ld seconds ago. "
  671. "Dropping cell.", (long int) elapsed);
  672. goto done;
  673. }
  674. /* Build the key material out of the key material found in the cell. */
  675. intro_keys = get_introduce2_key_material(data->auth_pk, data->enc_kp,
  676. data->subcredential,
  677. encrypted_section,
  678. &data->client_pk);
  679. if (intro_keys == NULL) {
  680. log_info(LD_REND, "Invalid INTRODUCE2 encrypted data. Unable to "
  681. "compute key material on circuit %u for service %s",
  682. TO_CIRCUIT(circ)->n_circ_id,
  683. safe_str_client(service->onion_address));
  684. goto done;
  685. }
  686. /* Validate MAC from the cell and our computed key material. The MAC field
  687. * in the cell is at the end of the encrypted section. */
  688. {
  689. uint8_t mac[DIGEST256_LEN];
  690. /* The MAC field is at the very end of the ENCRYPTED section. */
  691. size_t mac_offset = encrypted_section_len - sizeof(mac);
  692. /* Compute the MAC. Use the entire encoded payload with a length up to the
  693. * ENCRYPTED section. */
  694. compute_introduce_mac(data->payload,
  695. data->payload_len - encrypted_section_len,
  696. encrypted_section, encrypted_section_len,
  697. intro_keys->mac_key, sizeof(intro_keys->mac_key),
  698. mac, sizeof(mac));
  699. if (tor_memcmp(mac, encrypted_section + mac_offset, sizeof(mac))) {
  700. log_info(LD_REND, "Invalid MAC validation for INTRODUCE2 cell on "
  701. "circuit %u for service %s",
  702. TO_CIRCUIT(circ)->n_circ_id,
  703. safe_str_client(service->onion_address));
  704. goto done;
  705. }
  706. }
  707. {
  708. /* The ENCRYPTED_DATA section starts just after the CLIENT_PK. */
  709. const uint8_t *encrypted_data =
  710. encrypted_section + sizeof(data->client_pk);
  711. /* It's symmetric encryption so it's correct to use the ENCRYPTED length
  712. * for decryption. Computes the length of ENCRYPTED_DATA meaning removing
  713. * the CLIENT_PK and MAC length. */
  714. size_t encrypted_data_len =
  715. encrypted_section_len - (sizeof(data->client_pk) + DIGEST256_LEN);
  716. /* This decrypts the ENCRYPTED_DATA section of the cell. */
  717. decrypted = decrypt_introduce2(intro_keys->enc_key,
  718. encrypted_data, encrypted_data_len);
  719. if (decrypted == NULL) {
  720. log_info(LD_REND, "Unable to decrypt the ENCRYPTED section of an "
  721. "INTRODUCE2 cell on circuit %u for service %s",
  722. TO_CIRCUIT(circ)->n_circ_id,
  723. safe_str_client(service->onion_address));
  724. goto done;
  725. }
  726. /* Parse this blob into an encrypted cell structure so we can then extract
  727. * the data we need out of it. */
  728. enc_cell = parse_introduce2_encrypted(decrypted, encrypted_data_len,
  729. circ, service);
  730. memwipe(decrypted, 0, encrypted_data_len);
  731. if (enc_cell == NULL) {
  732. goto done;
  733. }
  734. }
  735. /* XXX: Implement client authorization checks. */
  736. /* Extract onion key and rendezvous cookie from the cell used for the
  737. * rendezvous point circuit e2e encryption. */
  738. memcpy(data->onion_pk.public_key,
  739. trn_cell_introduce_encrypted_getconstarray_onion_key(enc_cell),
  740. CURVE25519_PUBKEY_LEN);
  741. memcpy(data->rendezvous_cookie,
  742. trn_cell_introduce_encrypted_getconstarray_rend_cookie(enc_cell),
  743. sizeof(data->rendezvous_cookie));
  744. /* Extract rendezvous link specifiers. */
  745. for (size_t idx = 0;
  746. idx < trn_cell_introduce_encrypted_get_nspec(enc_cell); idx++) {
  747. link_specifier_t *lspec =
  748. trn_cell_introduce_encrypted_get_nspecs(enc_cell, idx);
  749. if (BUG(!lspec)) {
  750. goto done;
  751. }
  752. link_specifier_t *lspec_dup = link_specifier_dup(lspec);
  753. if (BUG(!lspec_dup)) {
  754. goto done;
  755. }
  756. smartlist_add(data->link_specifiers, lspec_dup);
  757. }
  758. /* Success. */
  759. ret = 0;
  760. log_info(LD_REND, "Valid INTRODUCE2 cell. Launching rendezvous circuit.");
  761. done:
  762. if (intro_keys) {
  763. memwipe(intro_keys, 0, sizeof(hs_ntor_intro_cell_keys_t));
  764. tor_free(intro_keys);
  765. }
  766. tor_free(decrypted);
  767. trn_cell_introduce_encrypted_free(enc_cell);
  768. trn_cell_introduce1_free(cell);
  769. return ret;
  770. }
  771. /* Build a RENDEZVOUS1 cell with the given rendezvous cookie and handshake
  772. * info. The encoded cell is put in cell_out and the length of the data is
  773. * returned. This can't fail. */
  774. ssize_t
  775. hs_cell_build_rendezvous1(const uint8_t *rendezvous_cookie,
  776. size_t rendezvous_cookie_len,
  777. const uint8_t *rendezvous_handshake_info,
  778. size_t rendezvous_handshake_info_len,
  779. uint8_t *cell_out)
  780. {
  781. ssize_t cell_len;
  782. trn_cell_rendezvous1_t *cell;
  783. tor_assert(rendezvous_cookie);
  784. tor_assert(rendezvous_handshake_info);
  785. tor_assert(cell_out);
  786. cell = trn_cell_rendezvous1_new();
  787. /* Set the RENDEZVOUS_COOKIE. */
  788. memcpy(trn_cell_rendezvous1_getarray_rendezvous_cookie(cell),
  789. rendezvous_cookie, rendezvous_cookie_len);
  790. /* Set the HANDSHAKE_INFO. */
  791. trn_cell_rendezvous1_setlen_handshake_info(cell,
  792. rendezvous_handshake_info_len);
  793. memcpy(trn_cell_rendezvous1_getarray_handshake_info(cell),
  794. rendezvous_handshake_info, rendezvous_handshake_info_len);
  795. /* Encoding. */
  796. cell_len = trn_cell_rendezvous1_encode(cell_out, RELAY_PAYLOAD_SIZE, cell);
  797. tor_assert(cell_len > 0);
  798. trn_cell_rendezvous1_free(cell);
  799. return cell_len;
  800. }
  801. /* Build an INTRODUCE1 cell from the given data. The encoded cell is put in
  802. * cell_out which must be of at least size RELAY_PAYLOAD_SIZE. On success, the
  803. * encoded length is returned else a negative value and the content of
  804. * cell_out should be ignored. */
  805. ssize_t
  806. hs_cell_build_introduce1(const hs_cell_introduce1_data_t *data,
  807. uint8_t *cell_out)
  808. {
  809. ssize_t cell_len;
  810. trn_cell_introduce1_t *cell;
  811. trn_cell_extension_t *ext;
  812. tor_assert(data);
  813. tor_assert(cell_out);
  814. cell = trn_cell_introduce1_new();
  815. tor_assert(cell);
  816. /* Set extension data. None are used. */
  817. ext = trn_cell_extension_new();
  818. tor_assert(ext);
  819. trn_cell_extension_set_num(ext, 0);
  820. trn_cell_introduce1_set_extensions(cell, ext);
  821. /* Set the legacy ID field. */
  822. introduce1_set_legacy_id(cell, data);
  823. /* Set the authentication key. */
  824. introduce1_set_auth_key(cell, data);
  825. /* Set the encrypted section. This will set, encrypt and encode the
  826. * ENCRYPTED section in the cell. After this, we'll be ready to encode. */
  827. introduce1_set_encrypted(cell, data);
  828. /* Final encoding. */
  829. cell_len = trn_cell_introduce1_encode(cell_out, RELAY_PAYLOAD_SIZE, cell);
  830. trn_cell_introduce1_free(cell);
  831. return cell_len;
  832. }
  833. /* Build an ESTABLISH_RENDEZVOUS cell from the given rendezvous_cookie. The
  834. * encoded cell is put in cell_out which must be of at least
  835. * RELAY_PAYLOAD_SIZE. On success, the encoded length is returned and the
  836. * caller should clear up the content of the cell.
  837. *
  838. * This function can't fail. */
  839. ssize_t
  840. hs_cell_build_establish_rendezvous(const uint8_t *rendezvous_cookie,
  841. uint8_t *cell_out)
  842. {
  843. tor_assert(rendezvous_cookie);
  844. tor_assert(cell_out);
  845. memcpy(cell_out, rendezvous_cookie, HS_REND_COOKIE_LEN);
  846. return HS_REND_COOKIE_LEN;
  847. }
  848. /* Handle an INTRODUCE_ACK cell encoded in payload of length payload_len.
  849. * Return the status code on success else a negative value if the cell as not
  850. * decodable. */
  851. int
  852. hs_cell_parse_introduce_ack(const uint8_t *payload, size_t payload_len)
  853. {
  854. int ret = -1;
  855. trn_cell_introduce_ack_t *cell = NULL;
  856. tor_assert(payload);
  857. /* If it is a legacy IP, rend-spec.txt specifies that a ACK is 0 byte and a
  858. * NACK is 1 byte. We can't use the legacy function for this so we have to
  859. * do a special case. */
  860. if (payload_len <= 1) {
  861. if (payload_len == 0) {
  862. ret = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS;
  863. } else {
  864. ret = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
  865. }
  866. goto end;
  867. }
  868. if (trn_cell_introduce_ack_parse(&cell, payload, payload_len) < 0) {
  869. log_info(LD_REND, "Invalid INTRODUCE_ACK cell. Unable to parse it.");
  870. goto end;
  871. }
  872. ret = trn_cell_introduce_ack_get_status(cell);
  873. end:
  874. trn_cell_introduce_ack_free(cell);
  875. return ret;
  876. }
  877. /* Handle a RENDEZVOUS2 cell encoded in payload of length payload_len. On
  878. * success, handshake_info contains the data in the HANDSHAKE_INFO field, and
  879. * 0 is returned. On error, a negative value is returned. */
  880. int
  881. hs_cell_parse_rendezvous2(const uint8_t *payload, size_t payload_len,
  882. uint8_t *handshake_info, size_t handshake_info_len)
  883. {
  884. int ret = -1;
  885. trn_cell_rendezvous2_t *cell = NULL;
  886. tor_assert(payload);
  887. tor_assert(handshake_info);
  888. if (trn_cell_rendezvous2_parse(&cell, payload, payload_len) < 0) {
  889. log_info(LD_REND, "Invalid RENDEZVOUS2 cell. Unable to parse it.");
  890. goto end;
  891. }
  892. /* Static size, we should never have an issue with this else we messed up
  893. * our code flow. */
  894. tor_assert(trn_cell_rendezvous2_getlen_handshake_info(cell) ==
  895. handshake_info_len);
  896. memcpy(handshake_info,
  897. trn_cell_rendezvous2_getconstarray_handshake_info(cell),
  898. handshake_info_len);
  899. ret = 0;
  900. end:
  901. trn_cell_rendezvous2_free(cell);
  902. return ret;
  903. }
  904. /* Clear the given INTRODUCE1 data structure data. */
  905. void
  906. hs_cell_introduce1_data_clear(hs_cell_introduce1_data_t *data)
  907. {
  908. if (data == NULL) {
  909. return;
  910. }
  911. /* Object in this list have been moved to the cell object when building it
  912. * so they've been freed earlier. We do that in order to avoid duplicating
  913. * them leading to more memory and CPU time being used for nothing. */
  914. smartlist_free(data->link_specifiers);
  915. /* The data object has no ownership of any members. */
  916. memwipe(data, 0, sizeof(hs_cell_introduce1_data_t));
  917. }