22 #include "trunnel/ed25519_cert.h"
23 #include "trunnel/hs/cell_common.h"
24 #include "trunnel/hs/cell_establish_intro.h"
25 #include "trunnel/hs/cell_introduce1.h"
26 #include "trunnel/hs/cell_rendezvous.h"
37 const uint8_t *encrypted,
size_t encrypted_len,
38 const uint8_t *mac_key,
size_t mac_key_len,
39 uint8_t *mac_out,
size_t mac_out_len)
53 mac_msg_len = encoded_cell_len + (encrypted_len -
DIGEST256_LEN);
57 memcpy(mac_msg, encoded_cell, encoded_cell_len);
58 offset += encoded_cell_len;
61 memcpy(mac_msg + offset, encrypted, (encrypted_len -
DIGEST256_LEN));
67 mac_msg, mac_msg_len);
68 memwipe(mac_msg, 0,
sizeof(mac_msg));
80 size_t n_subcredentials,
82 const uint8_t *encrypted_section,
101 subcredentials, keys) < 0) {
116 size_t encrypted_section_len)
118 uint8_t *decrypted = NULL;
119 crypto_cipher_t *cipher = NULL;
131 decrypted = tor_malloc_zero(encrypted_section_len);
133 (
const char *) encrypted_section,
134 encrypted_section_len) < 0) {
141 crypto_cipher_free(cipher);
149 static trn_cell_introduce_encrypted_t *
154 trn_cell_introduce_encrypted_t *enc_cell = NULL;
160 if (trn_cell_introduce_encrypted_parse(&enc_cell, decrypted_data,
161 decrypted_len) < 0) {
162 log_info(
LD_REND,
"Unable to parse the decrypted ENCRYPTED section of "
163 "the INTRODUCE2 cell on circuit %u for service %s",
169 if (trn_cell_introduce_encrypted_get_onion_key_type(enc_cell) !=
170 TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR) {
171 log_info(
LD_REND,
"INTRODUCE2 onion key type is invalid. Got %u but "
172 "expected %u on circuit %u for service %s",
173 trn_cell_introduce_encrypted_get_onion_key_type(enc_cell),
174 TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR,
180 if (trn_cell_introduce_encrypted_getlen_onion_key(enc_cell) !=
182 log_info(
LD_REND,
"INTRODUCE2 onion key length is invalid. Got %u but "
183 "expected %d on circuit %u for service %s",
184 (
unsigned)trn_cell_introduce_encrypted_getlen_onion_key(enc_cell),
193 trn_cell_introduce_encrypted_free(enc_cell);
213 cell_len = rend_service_encode_establish_intro_cell((
char*)cell_out,
215 enc_key, circ_nonce);
233 trn_cell_introduce1_t **cell_ptr_out)
235 trn_cell_introduce1_t *cell = NULL;
243 if (trn_cell_introduce1_parse(&cell, payload, payload_len) < 0) {
244 log_info(
LD_PROTOCOL,
"Unable to parse INTRODUCE2 cell on circuit %u "
252 *cell_ptr_out = cell;
262 const uint8_t *onion_pk)
267 trn_cell_introduce_encrypted_set_onion_key_type(cell,
268 TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR);
271 memcpy(trn_cell_introduce_encrypted_getarray_onion_key(cell), onion_pk,
272 trn_cell_introduce_encrypted_getlen_onion_key(cell));
284 tor_assert(smartlist_len(lspecs) <= UINT8_MAX);
286 uint8_t lspecs_num = (uint8_t) smartlist_len(lspecs);
287 trn_cell_introduce_encrypted_set_nspec(cell, lspecs_num);
292 trn_cell_introduce_encrypted_add_nspecs(cell, ls));
299 trn_cell_introduce_encrypted_t *enc_cell)
304 ssize_t full_len = trn_cell_introduce1_encoded_len(cell) +
305 trn_cell_introduce_encrypted_encoded_len(enc_cell);
309 trn_cell_introduce_encrypted_setlen_pad(enc_cell, padding);
310 memset(trn_cell_introduce_encrypted_getarray_pad(enc_cell), 0,
311 trn_cell_introduce_encrypted_getlen_pad(enc_cell));
322 const trn_cell_introduce_encrypted_t *enc_cell,
326 ssize_t encrypted_len;
327 ssize_t encoded_cell_len, encoded_enc_cell_len;
330 uint8_t *encrypted = NULL;
332 crypto_cipher_t *cipher = NULL;
341 encoded_cell_len = trn_cell_introduce1_encode(encoded_cell,
342 sizeof(encoded_cell), cell);
346 encoded_enc_cell_len =
347 trn_cell_introduce_encrypted_encode(encoded_enc_cell,
348 sizeof(encoded_enc_cell), enc_cell);
353 if (hs_ntor_client_get_introduce1_keys(data->
auth_pk, data->
enc_pk,
356 tor_assert_unreached();
361 sizeof(keys.enc_key) * 8);
366 encrypted_len =
sizeof(data->
client_kp->pubkey) + encoded_enc_cell_len +
369 encrypted = tor_malloc_zero(encrypted_len);
372 memcpy(encrypted, data->
client_kp->pubkey.public_key,
373 sizeof(data->
client_kp->pubkey.public_key));
374 offset +=
sizeof(data->
client_kp->pubkey.public_key);
377 (
const char *) encoded_enc_cell, encoded_enc_cell_len);
378 crypto_cipher_free(cipher);
379 offset += encoded_enc_cell_len;
383 encrypted, encrypted_len,
384 keys.mac_key,
sizeof(keys.mac_key),
386 memcpy(encrypted + offset, mac,
sizeof(mac));
387 offset +=
sizeof(mac);
391 trn_cell_introduce1_setlen_encrypted(cell, encrypted_len);
392 memcpy(trn_cell_introduce1_getarray_encrypted(cell),
393 encrypted, encrypted_len);
396 memwipe(&keys, 0,
sizeof(keys));
398 memwipe(encrypted, 0,
sizeof(encrypted_len));
399 memwipe(encoded_enc_cell, 0,
sizeof(encoded_enc_cell));
409 trn_cell_introduce_encrypted_t *enc_cell;
410 trn_cell_extension_t *ext;
415 enc_cell = trn_cell_introduce_encrypted_new();
419 ext = trn_cell_extension_new();
421 trn_cell_extension_set_num(ext, 0);
422 trn_cell_introduce_encrypted_set_extensions(enc_cell, ext);
425 memcpy(trn_cell_introduce_encrypted_getarray_rend_cookie(enc_cell),
441 trn_cell_introduce_encrypted_free(enc_cell);
452 trn_cell_introduce1_set_auth_key_type(cell,
453 TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519);
456 memcpy(trn_cell_introduce1_getarray_auth_key(cell),
457 data->
auth_pk->pubkey, trn_cell_introduce1_getlen_auth_key(cell));
473 memcpy(trn_cell_introduce1_getarray_legacy_key_id(cell),
474 digest, trn_cell_introduce1_getlen_legacy_key_id(cell));
477 memset(trn_cell_introduce1_getarray_legacy_key_id(cell), 0,
478 trn_cell_introduce1_getlen_legacy_key_id(cell));
486 uint8_t param_type, uint64_t param_value)
488 trn_cell_extension_dos_param_t *dos_param =
489 trn_cell_extension_dos_param_new();
492 tor_assert(param_type == TRUNNEL_DOS_PARAM_TYPE_INTRO2_RATE_PER_SEC ||
493 param_type == TRUNNEL_DOS_PARAM_TYPE_INTRO2_BURST_PER_SEC);
495 trn_cell_extension_dos_param_set_type(dos_param, param_type);
496 trn_cell_extension_dos_param_set_value(dos_param, param_value);
497 trn_cell_extension_dos_add_params(dos_ext, dos_param);
507 trn_cell_extension_t *extensions)
510 size_t dos_ext_encoded_len;
511 uint8_t *field_array;
512 trn_cell_extension_field_t *field = NULL;
513 trn_cell_extension_dos_t *dos_ext = NULL;
519 field = trn_cell_extension_field_new();
520 trn_cell_extension_field_set_field_type(field,
521 TRUNNEL_CELL_EXTENSION_TYPE_DOS);
524 dos_ext = trn_cell_extension_dos_new();
525 trn_cell_extension_dos_set_n_params(dos_ext, 2);
529 TRUNNEL_DOS_PARAM_TYPE_INTRO2_RATE_PER_SEC,
530 service_config->intro_dos_rate_per_sec);
533 TRUNNEL_DOS_PARAM_TYPE_INTRO2_BURST_PER_SEC,
534 service_config->intro_dos_burst_per_sec);
537 ret = trn_cell_extension_dos_encoded_len(dos_ext);
541 dos_ext_encoded_len = ret;
543 trn_cell_extension_field_set_field_len(field, dos_ext_encoded_len);
544 trn_cell_extension_field_setlen_field(field, dos_ext_encoded_len);
546 field_array = trn_cell_extension_field_getarray_field(field);
547 ret = trn_cell_extension_dos_encode(field_array,
548 trn_cell_extension_field_getlen_field(field), dos_ext);
552 tor_assert(ret == (ssize_t) dos_ext_encoded_len);
555 trn_cell_extension_add_fields(extensions, field);
559 trn_cell_extension_set_num(extensions,
560 trn_cell_extension_get_num(extensions) + 1);
563 trn_cell_extension_dos_free(dos_ext);
568 trn_cell_extension_field_free(field);
569 trn_cell_extension_dos_free(dos_ext);
579 STATIC trn_cell_extension_t *
584 trn_cell_extension_t *extensions;
589 extensions = trn_cell_extension_new();
590 trn_cell_extension_set_num(extensions, 0);
619 ssize_t cell_len = -1;
621 trn_cell_establish_intro_t *cell = NULL;
622 trn_cell_extension_t *extensions;
642 cell = trn_cell_establish_intro_new();
643 trn_cell_establish_intro_set_extensions(cell, extensions);
646 trn_cell_establish_intro_set_sig_len(cell, sig_len);
647 trn_cell_establish_intro_setlen_sig(cell, sig_len);
650 trn_cell_establish_intro_set_auth_key_type(cell,
651 TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519);
657 trn_cell_establish_intro_set_auth_key_len(cell, auth_key_len);
658 trn_cell_establish_intro_setlen_auth_key(cell, auth_key_len);
661 uint8_t *auth_key_ptr = trn_cell_establish_intro_getarray_auth_key(cell);
662 memcpy(auth_key_ptr, ip->
auth_key_kp.pubkey.pubkey, auth_key_len);
667 ssize_t tmp_cell_enc_len = 0;
668 ssize_t tmp_cell_mac_offset =
669 sig_len +
sizeof(cell->sig_len) +
670 trn_cell_establish_intro_getlen_handshake_mac(cell);
672 uint8_t mac[TRUNNEL_SHA3_256_LEN], *handshake_ptr;
676 tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
677 sizeof(tmp_cell_enc),
679 if (BUG(tmp_cell_enc_len < 0)) {
683 tor_assert(tmp_cell_enc_len > tmp_cell_mac_offset);
688 tmp_cell_enc, tmp_cell_enc_len - tmp_cell_mac_offset);
689 handshake_ptr = trn_cell_establish_intro_getarray_handshake_mac(cell);
690 memcpy(handshake_ptr, mac,
sizeof(mac));
693 memwipe(tmp_cell_enc, 0,
sizeof(tmp_cell_enc));
698 ssize_t tmp_cell_enc_len = 0;
699 ssize_t tmp_cell_sig_offset = (sig_len +
sizeof(cell->sig_len));
705 tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
706 sizeof(tmp_cell_enc),
708 if (BUG(tmp_cell_enc_len < 0)) {
713 tmp_cell_enc_len - tmp_cell_sig_offset,
715 log_warn(
LD_BUG,
"Unable to make signature for ESTABLISH_INTRO cell.");
719 sig_ptr = trn_cell_establish_intro_getarray_sig(cell);
720 memcpy(sig_ptr, sig.sig, sig_len);
722 memwipe(tmp_cell_enc, 0,
sizeof(tmp_cell_enc));
730 trn_cell_establish_intro_free(cell);
741 trn_cell_intro_established_t *cell = NULL;
747 ret = trn_cell_intro_established_parse(&cell, payload, payload_len);
751 trn_cell_intro_established_free(cell);
764 const uint8_t *encrypted_section,
765 size_t encrypted_section_len)
776 if (intro_keys == NULL) {
777 log_info(
LD_REND,
"Invalid INTRODUCE2 encrypted data. Unable to "
778 "compute key material");
789 intro_keys_result = tor_malloc_zero(
sizeof(*intro_keys_result));
794 size_t mac_offset = encrypted_section_len -
sizeof(mac);
799 encrypted_section, encrypted_section_len,
800 intro_keys[i].mac_key,
801 sizeof(intro_keys[i].mac_key),
806 bool equal =
tor_memeq(mac, encrypted_section + mac_offset,
sizeof(mac));
808 sizeof(*intro_keys_result));
817 log_info(
LD_REND,
"Invalid MAC validation for INTRODUCE2 cell");
821 return intro_keys_result;
835 uint8_t *decrypted = NULL;
836 size_t encrypted_section_len;
837 const uint8_t *encrypted_section;
838 trn_cell_introduce1_t *cell = NULL;
839 trn_cell_introduce_encrypted_t *enc_cell = NULL;
852 log_info(
LD_REND,
"Received a decodable INTRODUCE2 cell on circuit %u "
853 "for service %s. Decoding encrypted section...",
857 encrypted_section = trn_cell_introduce1_getconstarray_encrypted(cell);
858 encrypted_section_len = trn_cell_introduce1_getlen_encrypted(cell);
863 log_info(
LD_REND,
"Invalid INTRODUCE2 encrypted section length "
864 "for service %s. Dropping cell.",
871 encrypted_section_len, &elapsed)) {
872 log_warn(
LD_REND,
"Possible replay detected! An INTRODUCE2 cell with the "
873 "same ENCRYPTED section was seen %ld seconds ago. "
874 "Dropping cell.", (
long int) elapsed);
882 memcpy(&data->
client_pk.public_key, encrypted_section,
887 encrypted_section_len);
889 log_warn(
LD_REND,
"Could not get valid INTRO2 keys on circuit %u "
890 "for service %s",
TO_CIRCUIT(circ)->n_circ_id,
897 const uint8_t *encrypted_data =
898 encrypted_section +
sizeof(data->
client_pk);
902 size_t encrypted_data_len =
907 encrypted_data, encrypted_data_len);
908 if (decrypted == NULL) {
909 log_info(
LD_REND,
"Unable to decrypt the ENCRYPTED section of an "
910 "INTRODUCE2 cell on circuit %u for service %s",
920 memwipe(decrypted, 0, encrypted_data_len);
921 if (enc_cell == NULL) {
931 trn_cell_introduce_encrypted_getconstarray_onion_key(enc_cell),
934 trn_cell_introduce_encrypted_getconstarray_rend_cookie(enc_cell),
939 idx < trn_cell_introduce_encrypted_get_nspec(enc_cell); idx++) {
940 link_specifier_t *lspec =
941 trn_cell_introduce_encrypted_get_nspecs(enc_cell, idx);
946 if (BUG(!lspec_dup)) {
954 log_info(
LD_REND,
"Valid INTRODUCE2 cell. Launching rendezvous circuit.");
962 trn_cell_introduce_encrypted_free(enc_cell);
963 trn_cell_introduce1_free(cell);
972 size_t rendezvous_cookie_len,
973 const uint8_t *rendezvous_handshake_info,
974 size_t rendezvous_handshake_info_len,
978 trn_cell_rendezvous1_t *cell;
984 cell = trn_cell_rendezvous1_new();
986 memcpy(trn_cell_rendezvous1_getarray_rendezvous_cookie(cell),
987 rendezvous_cookie, rendezvous_cookie_len);
989 trn_cell_rendezvous1_setlen_handshake_info(cell,
990 rendezvous_handshake_info_len);
991 memcpy(trn_cell_rendezvous1_getarray_handshake_info(cell),
992 rendezvous_handshake_info, rendezvous_handshake_info_len);
997 trn_cell_rendezvous1_free(cell);
1010 trn_cell_introduce1_t *cell;
1011 trn_cell_extension_t *ext;
1016 cell = trn_cell_introduce1_new();
1020 ext = trn_cell_extension_new();
1022 trn_cell_extension_set_num(ext, 0);
1023 trn_cell_introduce1_set_extensions(cell, ext);
1038 trn_cell_introduce1_free(cell);
1066 trn_cell_introduce_ack_t *cell = NULL;
1073 if (payload_len <= 1) {
1074 if (payload_len == 0) {
1075 ret = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS;
1077 ret = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
1082 if (trn_cell_introduce_ack_parse(&cell, payload, payload_len) < 0) {
1083 log_info(
LD_REND,
"Invalid INTRODUCE_ACK cell. Unable to parse it.");
1087 ret = trn_cell_introduce_ack_get_status(cell);
1090 trn_cell_introduce_ack_free(cell);
1099 uint8_t *handshake_info,
size_t handshake_info_len)
1102 trn_cell_rendezvous2_t *cell = NULL;
1107 if (trn_cell_rendezvous2_parse(&cell, payload, payload_len) < 0) {
1108 log_info(
LD_REND,
"Invalid RENDEZVOUS2 cell. Unable to parse it.");
1114 tor_assert(trn_cell_rendezvous2_getlen_handshake_info(cell) ==
1115 handshake_info_len);
1116 memcpy(handshake_info,
1117 trn_cell_rendezvous2_getconstarray_handshake_info(cell),
1118 handshake_info_len);
1122 trn_cell_rendezvous2_free(cell);