tor  0.4.1.0-alpha-dev
hs_cell.c
Go to the documentation of this file.
1 /* Copyright (c) 2017-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
9 #include "core/or/or.h"
10 #include "app/config/config.h"
14 
15 #include "feature/hs/hs_cell.h"
16 #include "core/crypto/hs_ntor.h"
17 
18 #include "core/or/origin_circuit_st.h"
19 
20 /* Trunnel. */
21 #include "trunnel/ed25519_cert.h"
22 #include "trunnel/hs/cell_common.h"
23 #include "trunnel/hs/cell_establish_intro.h"
24 #include "trunnel/hs/cell_introduce1.h"
25 #include "trunnel/hs/cell_rendezvous.h"
26 
27 /* Compute the MAC of an INTRODUCE cell in mac_out. The encoded_cell param is
28  * the cell content up to the ENCRYPTED section of length encoded_cell_len.
29  * The encrypted param is the start of the ENCRYPTED section of length
30  * encrypted_len. The mac_key is the key needed for the computation of the MAC
31  * derived from the ntor handshake of length mac_key_len.
32  *
33  * The length mac_out_len must be at least DIGEST256_LEN. */
34 static void
35 compute_introduce_mac(const uint8_t *encoded_cell, size_t encoded_cell_len,
36  const uint8_t *encrypted, size_t encrypted_len,
37  const uint8_t *mac_key, size_t mac_key_len,
38  uint8_t *mac_out, size_t mac_out_len)
39 {
40  size_t offset = 0;
41  size_t mac_msg_len;
42  uint8_t mac_msg[RELAY_PAYLOAD_SIZE] = {0};
43 
44  tor_assert(encoded_cell);
45  tor_assert(encrypted);
46  tor_assert(mac_key);
47  tor_assert(mac_out);
48  tor_assert(mac_out_len >= DIGEST256_LEN);
49 
50  /* Compute the size of the message which is basically the entire cell until
51  * the MAC field of course. */
52  mac_msg_len = encoded_cell_len + (encrypted_len - DIGEST256_LEN);
53  tor_assert(mac_msg_len <= sizeof(mac_msg));
54 
55  /* First, put the encoded cell in the msg. */
56  memcpy(mac_msg, encoded_cell, encoded_cell_len);
57  offset += encoded_cell_len;
58  /* Second, put the CLIENT_PK + ENCRYPTED_DATA but ommit the MAC field (which
59  * is junk at this point). */
60  memcpy(mac_msg + offset, encrypted, (encrypted_len - DIGEST256_LEN));
61  offset += (encrypted_len - DIGEST256_LEN);
62  tor_assert(offset == mac_msg_len);
63 
64  crypto_mac_sha3_256(mac_out, mac_out_len,
65  mac_key, mac_key_len,
66  mac_msg, mac_msg_len);
67  memwipe(mac_msg, 0, sizeof(mac_msg));
68 }
69 
70 /* From a set of keys, subcredential and the ENCRYPTED section of an
71  * INTRODUCE2 cell, return a newly allocated intro cell keys structure.
72  * Finally, the client public key is copied in client_pk. On error, return
73  * NULL. */
75 get_introduce2_key_material(const ed25519_public_key_t *auth_key,
76  const curve25519_keypair_t *enc_key,
77  const uint8_t *subcredential,
78  const uint8_t *encrypted_section,
79  curve25519_public_key_t *client_pk)
80 {
82 
83  tor_assert(auth_key);
84  tor_assert(enc_key);
85  tor_assert(subcredential);
86  tor_assert(encrypted_section);
87  tor_assert(client_pk);
88 
89  keys = tor_malloc_zero(sizeof(*keys));
90 
91  /* First bytes of the ENCRYPTED section are the client public key. */
92  memcpy(client_pk->public_key, encrypted_section, CURVE25519_PUBKEY_LEN);
93 
94  if (hs_ntor_service_get_introduce1_keys(auth_key, enc_key, client_pk,
95  subcredential, keys) < 0) {
96  /* Don't rely on the caller to wipe this on error. */
97  memwipe(client_pk, 0, sizeof(curve25519_public_key_t));
98  tor_free(keys);
99  keys = NULL;
100  }
101  return keys;
102 }
103 
104 /* Using the given encryption key, decrypt the encrypted_section of length
105  * encrypted_section_len of an INTRODUCE2 cell and return a newly allocated
106  * buffer containing the decrypted data. On decryption failure, NULL is
107  * returned. */
108 static uint8_t *
109 decrypt_introduce2(const uint8_t *enc_key, const uint8_t *encrypted_section,
110  size_t encrypted_section_len)
111 {
112  uint8_t *decrypted = NULL;
113  crypto_cipher_t *cipher = NULL;
114 
115  tor_assert(enc_key);
116  tor_assert(encrypted_section);
117 
118  /* Decrypt ENCRYPTED section. */
119  cipher = crypto_cipher_new_with_bits((char *) enc_key,
121  tor_assert(cipher);
122 
123  /* This is symmetric encryption so can't be bigger than the encrypted
124  * section length. */
125  decrypted = tor_malloc_zero(encrypted_section_len);
126  if (crypto_cipher_decrypt(cipher, (char *) decrypted,
127  (const char *) encrypted_section,
128  encrypted_section_len) < 0) {
129  tor_free(decrypted);
130  decrypted = NULL;
131  goto done;
132  }
133 
134  done:
135  crypto_cipher_free(cipher);
136  return decrypted;
137 }
138 
139 /* Given a pointer to the decrypted data of the ENCRYPTED section of an
140  * INTRODUCE2 cell of length decrypted_len, parse and validate the cell
141  * content. Return a newly allocated cell structure or NULL on error. The
142  * circuit and service object are only used for logging purposes. */
143 static trn_cell_introduce_encrypted_t *
144 parse_introduce2_encrypted(const uint8_t *decrypted_data,
145  size_t decrypted_len, const origin_circuit_t *circ,
146  const hs_service_t *service)
147 {
148  trn_cell_introduce_encrypted_t *enc_cell = NULL;
149 
150  tor_assert(decrypted_data);
151  tor_assert(circ);
152  tor_assert(service);
153 
154  if (trn_cell_introduce_encrypted_parse(&enc_cell, decrypted_data,
155  decrypted_len) < 0) {
156  log_info(LD_REND, "Unable to parse the decrypted ENCRYPTED section of "
157  "the INTRODUCE2 cell on circuit %u for service %s",
158  TO_CIRCUIT(circ)->n_circ_id,
159  safe_str_client(service->onion_address));
160  goto err;
161  }
162 
163  if (trn_cell_introduce_encrypted_get_onion_key_type(enc_cell) !=
164  HS_CELL_ONION_KEY_TYPE_NTOR) {
165  log_info(LD_REND, "INTRODUCE2 onion key type is invalid. Got %u but "
166  "expected %u on circuit %u for service %s",
167  trn_cell_introduce_encrypted_get_onion_key_type(enc_cell),
168  HS_CELL_ONION_KEY_TYPE_NTOR, TO_CIRCUIT(circ)->n_circ_id,
169  safe_str_client(service->onion_address));
170  goto err;
171  }
172 
173  if (trn_cell_introduce_encrypted_getlen_onion_key(enc_cell) !=
175  log_info(LD_REND, "INTRODUCE2 onion key length is invalid. Got %u but "
176  "expected %d on circuit %u for service %s",
177  (unsigned)trn_cell_introduce_encrypted_getlen_onion_key(enc_cell),
178  CURVE25519_PUBKEY_LEN, TO_CIRCUIT(circ)->n_circ_id,
179  safe_str_client(service->onion_address));
180  goto err;
181  }
182  /* XXX: Validate NSPEC field as well. */
183 
184  return enc_cell;
185  err:
186  trn_cell_introduce_encrypted_free(enc_cell);
187  return NULL;
188 }
189 
190 /* Build a legacy ESTABLISH_INTRO cell with the given circuit nonce and RSA
191  * encryption key. The encoded cell is put in cell_out that MUST at least be
192  * of the size of RELAY_PAYLOAD_SIZE. Return the encoded cell length on
193  * success else a negative value and cell_out is untouched. */
194 static ssize_t
195 build_legacy_establish_intro(const char *circ_nonce, crypto_pk_t *enc_key,
196  uint8_t *cell_out)
197 {
198  ssize_t cell_len;
199 
200  tor_assert(circ_nonce);
201  tor_assert(enc_key);
202  tor_assert(cell_out);
203 
204  memwipe(cell_out, 0, RELAY_PAYLOAD_SIZE);
205 
206  cell_len = rend_service_encode_establish_intro_cell((char*)cell_out,
208  enc_key, circ_nonce);
209  return cell_len;
210 }
211 
212 /* Parse an INTRODUCE2 cell from payload of size payload_len for the given
213  * service and circuit which are used only for logging purposes. The resulting
214  * parsed cell is put in cell_ptr_out.
215  *
216  * This function only parses prop224 INTRODUCE2 cells even when the intro point
217  * is a legacy intro point. That's because intro points don't actually care
218  * about the contents of the introduce cell. Legacy INTRODUCE cells are only
219  * used by the legacy system now.
220  *
221  * Return 0 on success else a negative value and cell_ptr_out is untouched. */
222 static int
223 parse_introduce2_cell(const hs_service_t *service,
224  const origin_circuit_t *circ, const uint8_t *payload,
225  size_t payload_len,
226  trn_cell_introduce1_t **cell_ptr_out)
227 {
228  trn_cell_introduce1_t *cell = NULL;
229 
230  tor_assert(service);
231  tor_assert(circ);
232  tor_assert(payload);
233  tor_assert(cell_ptr_out);
234 
235  /* Parse the cell so we can start cell validation. */
236  if (trn_cell_introduce1_parse(&cell, payload, payload_len) < 0) {
237  log_info(LD_PROTOCOL, "Unable to parse INTRODUCE2 cell on circuit %u "
238  "for service %s",
239  TO_CIRCUIT(circ)->n_circ_id,
240  safe_str_client(service->onion_address));
241  goto err;
242  }
243 
244  /* Success. */
245  *cell_ptr_out = cell;
246  return 0;
247  err:
248  return -1;
249 }
250 
251 /* Set the onion public key onion_pk in cell, the encrypted section of an
252  * INTRODUCE1 cell. */
253 static void
254 introduce1_set_encrypted_onion_key(trn_cell_introduce_encrypted_t *cell,
255  const uint8_t *onion_pk)
256 {
257  tor_assert(cell);
258  tor_assert(onion_pk);
259  /* There is only one possible key type for a non legacy cell. */
260  trn_cell_introduce_encrypted_set_onion_key_type(cell,
261  HS_CELL_ONION_KEY_TYPE_NTOR);
262  trn_cell_introduce_encrypted_set_onion_key_len(cell, CURVE25519_PUBKEY_LEN);
263  trn_cell_introduce_encrypted_setlen_onion_key(cell, CURVE25519_PUBKEY_LEN);
264  memcpy(trn_cell_introduce_encrypted_getarray_onion_key(cell), onion_pk,
265  trn_cell_introduce_encrypted_getlen_onion_key(cell));
266 }
267 
268 /* Set the link specifiers in lspecs in cell, the encrypted section of an
269  * INTRODUCE1 cell. */
270 static void
271 introduce1_set_encrypted_link_spec(trn_cell_introduce_encrypted_t *cell,
272  const smartlist_t *lspecs)
273 {
274  tor_assert(cell);
275  tor_assert(lspecs);
276  tor_assert(smartlist_len(lspecs) > 0);
277  tor_assert(smartlist_len(lspecs) <= UINT8_MAX);
278 
279  uint8_t lspecs_num = (uint8_t) smartlist_len(lspecs);
280  trn_cell_introduce_encrypted_set_nspec(cell, lspecs_num);
281  /* We aren't duplicating the link specifiers object here which means that
282  * the ownership goes to the trn_cell_introduce_encrypted_t cell and those
283  * object will be freed when the cell is. */
284  SMARTLIST_FOREACH(lspecs, link_specifier_t *, ls,
285  trn_cell_introduce_encrypted_add_nspecs(cell, ls));
286 }
287 
288 /* Set padding in the enc_cell only if needed that is the total length of both
289  * sections are below the mininum required for an INTRODUCE1 cell. */
290 static void
291 introduce1_set_encrypted_padding(const trn_cell_introduce1_t *cell,
292  trn_cell_introduce_encrypted_t *enc_cell)
293 {
294  tor_assert(cell);
295  tor_assert(enc_cell);
296  /* This is the length we expect to have once encoded of the whole cell. */
297  ssize_t full_len = trn_cell_introduce1_encoded_len(cell) +
298  trn_cell_introduce_encrypted_encoded_len(enc_cell);
299  tor_assert(full_len > 0);
300  if (full_len < HS_CELL_INTRODUCE1_MIN_SIZE) {
301  size_t padding = HS_CELL_INTRODUCE1_MIN_SIZE - full_len;
302  trn_cell_introduce_encrypted_setlen_pad(enc_cell, padding);
303  memset(trn_cell_introduce_encrypted_getarray_pad(enc_cell), 0,
304  trn_cell_introduce_encrypted_getlen_pad(enc_cell));
305  }
306 }
307 
308 /* Encrypt the ENCRYPTED payload and encode it in the cell using the enc_cell
309  * and the INTRODUCE1 data.
310  *
311  * This can't fail but it is very important that the caller sets every field
312  * in data so the computation of the INTRODUCE1 keys doesn't fail. */
313 static void
314 introduce1_encrypt_and_encode(trn_cell_introduce1_t *cell,
315  const trn_cell_introduce_encrypted_t *enc_cell,
316  const hs_cell_introduce1_data_t *data)
317 {
318  size_t offset = 0;
319  ssize_t encrypted_len;
320  ssize_t encoded_cell_len, encoded_enc_cell_len;
321  uint8_t encoded_cell[RELAY_PAYLOAD_SIZE] = {0};
322  uint8_t encoded_enc_cell[RELAY_PAYLOAD_SIZE] = {0};
323  uint8_t *encrypted = NULL;
324  uint8_t mac[DIGEST256_LEN];
325  crypto_cipher_t *cipher = NULL;
327 
328  tor_assert(cell);
329  tor_assert(enc_cell);
330  tor_assert(data);
331 
332  /* Encode the cells up to now of what we have to we can perform the MAC
333  * computation on it. */
334  encoded_cell_len = trn_cell_introduce1_encode(encoded_cell,
335  sizeof(encoded_cell), cell);
336  /* We have a much more serious issue if this isn't true. */
337  tor_assert(encoded_cell_len > 0);
338 
339  encoded_enc_cell_len =
340  trn_cell_introduce_encrypted_encode(encoded_enc_cell,
341  sizeof(encoded_enc_cell), enc_cell);
342  /* We have a much more serious issue if this isn't true. */
343  tor_assert(encoded_enc_cell_len > 0);
344 
345  /* Get the key material for the encryption. */
346  if (hs_ntor_client_get_introduce1_keys(data->auth_pk, data->enc_pk,
347  data->client_kp,
348  data->subcredential, &keys) < 0) {
349  tor_assert_unreached();
350  }
351 
352  /* Prepare cipher with the encryption key just computed. */
353  cipher = crypto_cipher_new_with_bits((const char *) keys.enc_key,
354  sizeof(keys.enc_key) * 8);
355  tor_assert(cipher);
356 
357  /* Compute the length of the ENCRYPTED section which is the CLIENT_PK,
358  * ENCRYPTED_DATA and MAC length. */
359  encrypted_len = sizeof(data->client_kp->pubkey) + encoded_enc_cell_len +
360  sizeof(mac);
361  tor_assert(encrypted_len < RELAY_PAYLOAD_SIZE);
362  encrypted = tor_malloc_zero(encrypted_len);
363 
364  /* Put the CLIENT_PK first. */
365  memcpy(encrypted, data->client_kp->pubkey.public_key,
366  sizeof(data->client_kp->pubkey.public_key));
367  offset += sizeof(data->client_kp->pubkey.public_key);
368  /* Then encrypt and set the ENCRYPTED_DATA. This can't fail. */
369  crypto_cipher_encrypt(cipher, (char *) encrypted + offset,
370  (const char *) encoded_enc_cell, encoded_enc_cell_len);
371  crypto_cipher_free(cipher);
372  offset += encoded_enc_cell_len;
373  /* Compute MAC from the above and put it in the buffer. This function will
374  * make the adjustment to the encrypted_len to omit the MAC length. */
375  compute_introduce_mac(encoded_cell, encoded_cell_len,
376  encrypted, encrypted_len,
377  keys.mac_key, sizeof(keys.mac_key),
378  mac, sizeof(mac));
379  memcpy(encrypted + offset, mac, sizeof(mac));
380  offset += sizeof(mac);
381  tor_assert(offset == (size_t) encrypted_len);
382 
383  /* Set the ENCRYPTED section in the cell. */
384  trn_cell_introduce1_setlen_encrypted(cell, encrypted_len);
385  memcpy(trn_cell_introduce1_getarray_encrypted(cell),
386  encrypted, encrypted_len);
387 
388  /* Cleanup. */
389  memwipe(&keys, 0, sizeof(keys));
390  memwipe(mac, 0, sizeof(mac));
391  memwipe(encrypted, 0, sizeof(encrypted_len));
392  memwipe(encoded_enc_cell, 0, sizeof(encoded_enc_cell));
393  tor_free(encrypted);
394 }
395 
396 /* Using the INTRODUCE1 data, setup the ENCRYPTED section in cell. This means
397  * set it, encrypt it and encode it. */
398 static void
399 introduce1_set_encrypted(trn_cell_introduce1_t *cell,
400  const hs_cell_introduce1_data_t *data)
401 {
402  trn_cell_introduce_encrypted_t *enc_cell;
403  trn_cell_extension_t *ext;
404 
405  tor_assert(cell);
406  tor_assert(data);
407 
408  enc_cell = trn_cell_introduce_encrypted_new();
409  tor_assert(enc_cell);
410 
411  /* Set extension data. None are used. */
412  ext = trn_cell_extension_new();
413  tor_assert(ext);
414  trn_cell_extension_set_num(ext, 0);
415  trn_cell_introduce_encrypted_set_extensions(enc_cell, ext);
416 
417  /* Set the rendezvous cookie. */
418  memcpy(trn_cell_introduce_encrypted_getarray_rend_cookie(enc_cell),
419  data->rendezvous_cookie, REND_COOKIE_LEN);
420 
421  /* Set the onion public key. */
422  introduce1_set_encrypted_onion_key(enc_cell, data->onion_pk->public_key);
423 
424  /* Set the link specifiers. */
425  introduce1_set_encrypted_link_spec(enc_cell, data->link_specifiers);
426 
427  /* Set padding. */
428  introduce1_set_encrypted_padding(cell, enc_cell);
429 
430  /* Encrypt and encode it in the cell. */
431  introduce1_encrypt_and_encode(cell, enc_cell, data);
432 
433  /* Cleanup. */
434  trn_cell_introduce_encrypted_free(enc_cell);
435 }
436 
437 /* Set the authentication key in the INTRODUCE1 cell from the given data. */
438 static void
439 introduce1_set_auth_key(trn_cell_introduce1_t *cell,
440  const hs_cell_introduce1_data_t *data)
441 {
442  tor_assert(cell);
443  tor_assert(data);
444  /* There is only one possible type for a non legacy cell. */
445  trn_cell_introduce1_set_auth_key_type(cell, HS_INTRO_AUTH_KEY_TYPE_ED25519);
446  trn_cell_introduce1_set_auth_key_len(cell, ED25519_PUBKEY_LEN);
447  trn_cell_introduce1_setlen_auth_key(cell, ED25519_PUBKEY_LEN);
448  memcpy(trn_cell_introduce1_getarray_auth_key(cell),
449  data->auth_pk->pubkey, trn_cell_introduce1_getlen_auth_key(cell));
450 }
451 
452 /* Set the legacy ID field in the INTRODUCE1 cell from the given data. */
453 static void
454 introduce1_set_legacy_id(trn_cell_introduce1_t *cell,
455  const hs_cell_introduce1_data_t *data)
456 {
457  tor_assert(cell);
458  tor_assert(data);
459 
460  if (data->is_legacy) {
461  uint8_t digest[DIGEST_LEN];
462  if (BUG(crypto_pk_get_digest(data->legacy_key, (char *) digest) < 0)) {
463  return;
464  }
465  memcpy(trn_cell_introduce1_getarray_legacy_key_id(cell),
466  digest, trn_cell_introduce1_getlen_legacy_key_id(cell));
467  } else {
468  /* We have to zeroed the LEGACY_KEY_ID field. */
469  memset(trn_cell_introduce1_getarray_legacy_key_id(cell), 0,
470  trn_cell_introduce1_getlen_legacy_key_id(cell));
471  }
472 }
473 
474 /* ========== */
475 /* Public API */
476 /* ========== */
477 
478 /* Build an ESTABLISH_INTRO cell with the given circuit nonce and intro point
479  * object. The encoded cell is put in cell_out that MUST at least be of the
480  * size of RELAY_PAYLOAD_SIZE. Return the encoded cell length on success else
481  * a negative value and cell_out is untouched. This function also supports
482  * legacy cell creation. */
483 ssize_t
484 hs_cell_build_establish_intro(const char *circ_nonce,
485  const hs_service_intro_point_t *ip,
486  uint8_t *cell_out)
487 {
488  ssize_t cell_len = -1;
489  uint16_t sig_len = ED25519_SIG_LEN;
490  trn_cell_extension_t *ext;
491  trn_cell_establish_intro_t *cell = NULL;
492 
493  tor_assert(circ_nonce);
494  tor_assert(ip);
495 
496  /* Quickly handle the legacy IP. */
497  if (ip->base.is_only_legacy) {
498  tor_assert(ip->legacy_key);
499  cell_len = build_legacy_establish_intro(circ_nonce, ip->legacy_key,
500  cell_out);
501  tor_assert(cell_len <= RELAY_PAYLOAD_SIZE);
502  /* Success or not we are done here. */
503  goto done;
504  }
505 
506  /* Set extension data. None used here. */
507  ext = trn_cell_extension_new();
508  trn_cell_extension_set_num(ext, 0);
509  cell = trn_cell_establish_intro_new();
510  trn_cell_establish_intro_set_extensions(cell, ext);
511  /* Set signature size. Array is then allocated in the cell. We need to do
512  * this early so we can use trunnel API to get the signature length. */
513  trn_cell_establish_intro_set_sig_len(cell, sig_len);
514  trn_cell_establish_intro_setlen_sig(cell, sig_len);
515 
516  /* Set AUTH_KEY_TYPE: 2 means ed25519 */
517  trn_cell_establish_intro_set_auth_key_type(cell,
518  HS_INTRO_AUTH_KEY_TYPE_ED25519);
519 
520  /* Set AUTH_KEY and AUTH_KEY_LEN field. Must also set byte-length of
521  * AUTH_KEY to match */
522  {
523  uint16_t auth_key_len = ED25519_PUBKEY_LEN;
524  trn_cell_establish_intro_set_auth_key_len(cell, auth_key_len);
525  trn_cell_establish_intro_setlen_auth_key(cell, auth_key_len);
526  /* We do this call _after_ setting the length because it's reallocated at
527  * that point only. */
528  uint8_t *auth_key_ptr = trn_cell_establish_intro_getarray_auth_key(cell);
529  memcpy(auth_key_ptr, ip->auth_key_kp.pubkey.pubkey, auth_key_len);
530  }
531 
532  /* Calculate HANDSHAKE_AUTH field (MAC). */
533  {
534  ssize_t tmp_cell_enc_len = 0;
535  ssize_t tmp_cell_mac_offset =
536  sig_len + sizeof(cell->sig_len) +
537  trn_cell_establish_intro_getlen_handshake_mac(cell);
538  uint8_t tmp_cell_enc[RELAY_PAYLOAD_SIZE] = {0};
539  uint8_t mac[TRUNNEL_SHA3_256_LEN], *handshake_ptr;
540 
541  /* We first encode the current fields we have in the cell so we can
542  * compute the MAC using the raw bytes. */
543  tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
544  sizeof(tmp_cell_enc),
545  cell);
546  if (BUG(tmp_cell_enc_len < 0)) {
547  goto done;
548  }
549  /* Sanity check. */
550  tor_assert(tmp_cell_enc_len > tmp_cell_mac_offset);
551 
552  /* Circuit nonce is always DIGEST_LEN according to tor-spec.txt. */
553  crypto_mac_sha3_256(mac, sizeof(mac),
554  (uint8_t *) circ_nonce, DIGEST_LEN,
555  tmp_cell_enc, tmp_cell_enc_len - tmp_cell_mac_offset);
556  handshake_ptr = trn_cell_establish_intro_getarray_handshake_mac(cell);
557  memcpy(handshake_ptr, mac, sizeof(mac));
558 
559  memwipe(mac, 0, sizeof(mac));
560  memwipe(tmp_cell_enc, 0, sizeof(tmp_cell_enc));
561  }
562 
563  /* Calculate the cell signature SIG. */
564  {
565  ssize_t tmp_cell_enc_len = 0;
566  ssize_t tmp_cell_sig_offset = (sig_len + sizeof(cell->sig_len));
567  uint8_t tmp_cell_enc[RELAY_PAYLOAD_SIZE] = {0}, *sig_ptr;
569 
570  /* We first encode the current fields we have in the cell so we can
571  * compute the signature from the raw bytes of the cell. */
572  tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
573  sizeof(tmp_cell_enc),
574  cell);
575  if (BUG(tmp_cell_enc_len < 0)) {
576  goto done;
577  }
578 
579  if (ed25519_sign_prefixed(&sig, tmp_cell_enc,
580  tmp_cell_enc_len - tmp_cell_sig_offset,
581  ESTABLISH_INTRO_SIG_PREFIX, &ip->auth_key_kp)) {
582  log_warn(LD_BUG, "Unable to make signature for ESTABLISH_INTRO cell.");
583  goto done;
584  }
585  /* Copy the signature into the cell. */
586  sig_ptr = trn_cell_establish_intro_getarray_sig(cell);
587  memcpy(sig_ptr, sig.sig, sig_len);
588 
589  memwipe(tmp_cell_enc, 0, sizeof(tmp_cell_enc));
590  }
591 
592  /* Encode the cell. Can't be bigger than a standard cell. */
593  cell_len = trn_cell_establish_intro_encode(cell_out, RELAY_PAYLOAD_SIZE,
594  cell);
595 
596  done:
597  trn_cell_establish_intro_free(cell);
598  return cell_len;
599 }
600 
601 /* Parse the INTRO_ESTABLISHED cell in the payload of size payload_len. If we
602  * are successful at parsing it, return the length of the parsed cell else a
603  * negative value on error. */
604 ssize_t
605 hs_cell_parse_intro_established(const uint8_t *payload, size_t payload_len)
606 {
607  ssize_t ret;
608  trn_cell_intro_established_t *cell = NULL;
609 
610  tor_assert(payload);
611 
612  /* Try to parse the payload into a cell making sure we do actually have a
613  * valid cell. */
614  ret = trn_cell_intro_established_parse(&cell, payload, payload_len);
615  if (ret >= 0) {
616  /* On success, we do not keep the cell, we just notify the caller that it
617  * was successfully parsed. */
618  trn_cell_intro_established_free(cell);
619  }
620  return ret;
621 }
622 
623 /* Parse the INTRODUCE2 cell using data which contains everything we need to
624  * do so and contains the destination buffers of information we extract and
625  * compute from the cell. Return 0 on success else a negative value. The
626  * service and circ are only used for logging purposes. */
627 ssize_t
628 hs_cell_parse_introduce2(hs_cell_introduce2_data_t *data,
629  const origin_circuit_t *circ,
630  const hs_service_t *service)
631 {
632  int ret = -1;
633  time_t elapsed;
634  uint8_t *decrypted = NULL;
635  size_t encrypted_section_len;
636  const uint8_t *encrypted_section;
637  trn_cell_introduce1_t *cell = NULL;
638  trn_cell_introduce_encrypted_t *enc_cell = NULL;
639  hs_ntor_intro_cell_keys_t *intro_keys = NULL;
640 
641  tor_assert(data);
642  tor_assert(circ);
643  tor_assert(service);
644 
645  /* Parse the cell into a decoded data structure pointed by cell_ptr. */
646  if (parse_introduce2_cell(service, circ, data->payload, data->payload_len,
647  &cell) < 0) {
648  goto done;
649  }
650 
651  log_info(LD_REND, "Received a decodable INTRODUCE2 cell on circuit %u "
652  "for service %s. Decoding encrypted section...",
653  TO_CIRCUIT(circ)->n_circ_id,
654  safe_str_client(service->onion_address));
655 
656  encrypted_section = trn_cell_introduce1_getconstarray_encrypted(cell);
657  encrypted_section_len = trn_cell_introduce1_getlen_encrypted(cell);
658 
659  /* Encrypted section must at least contain the CLIENT_PK and MAC which is
660  * defined in section 3.3.2 of the specification. */
661  if (encrypted_section_len < (CURVE25519_PUBKEY_LEN + DIGEST256_LEN)) {
662  log_info(LD_REND, "Invalid INTRODUCE2 encrypted section length "
663  "for service %s. Dropping cell.",
664  safe_str_client(service->onion_address));
665  goto done;
666  }
667 
668  /* Check our replay cache for this introduction point. */
669  if (replaycache_add_test_and_elapsed(data->replay_cache, encrypted_section,
670  encrypted_section_len, &elapsed)) {
671  log_warn(LD_REND, "Possible replay detected! An INTRODUCE2 cell with the"
672  "same ENCRYPTED section was seen %ld seconds ago. "
673  "Dropping cell.", (long int) elapsed);
674  goto done;
675  }
676 
677  /* Build the key material out of the key material found in the cell. */
678  intro_keys = get_introduce2_key_material(data->auth_pk, data->enc_kp,
679  data->subcredential,
680  encrypted_section,
681  &data->client_pk);
682  if (intro_keys == NULL) {
683  log_info(LD_REND, "Invalid INTRODUCE2 encrypted data. Unable to "
684  "compute key material on circuit %u for service %s",
685  TO_CIRCUIT(circ)->n_circ_id,
686  safe_str_client(service->onion_address));
687  goto done;
688  }
689 
690  /* Validate MAC from the cell and our computed key material. The MAC field
691  * in the cell is at the end of the encrypted section. */
692  {
693  uint8_t mac[DIGEST256_LEN];
694  /* The MAC field is at the very end of the ENCRYPTED section. */
695  size_t mac_offset = encrypted_section_len - sizeof(mac);
696  /* Compute the MAC. Use the entire encoded payload with a length up to the
697  * ENCRYPTED section. */
698  compute_introduce_mac(data->payload,
699  data->payload_len - encrypted_section_len,
700  encrypted_section, encrypted_section_len,
701  intro_keys->mac_key, sizeof(intro_keys->mac_key),
702  mac, sizeof(mac));
703  if (tor_memcmp(mac, encrypted_section + mac_offset, sizeof(mac))) {
704  log_info(LD_REND, "Invalid MAC validation for INTRODUCE2 cell on "
705  "circuit %u for service %s",
706  TO_CIRCUIT(circ)->n_circ_id,
707  safe_str_client(service->onion_address));
708  goto done;
709  }
710  }
711 
712  {
713  /* The ENCRYPTED_DATA section starts just after the CLIENT_PK. */
714  const uint8_t *encrypted_data =
715  encrypted_section + sizeof(data->client_pk);
716  /* It's symmetric encryption so it's correct to use the ENCRYPTED length
717  * for decryption. Computes the length of ENCRYPTED_DATA meaning removing
718  * the CLIENT_PK and MAC length. */
719  size_t encrypted_data_len =
720  encrypted_section_len - (sizeof(data->client_pk) + DIGEST256_LEN);
721 
722  /* This decrypts the ENCRYPTED_DATA section of the cell. */
723  decrypted = decrypt_introduce2(intro_keys->enc_key,
724  encrypted_data, encrypted_data_len);
725  if (decrypted == NULL) {
726  log_info(LD_REND, "Unable to decrypt the ENCRYPTED section of an "
727  "INTRODUCE2 cell on circuit %u for service %s",
728  TO_CIRCUIT(circ)->n_circ_id,
729  safe_str_client(service->onion_address));
730  goto done;
731  }
732 
733  /* Parse this blob into an encrypted cell structure so we can then extract
734  * the data we need out of it. */
735  enc_cell = parse_introduce2_encrypted(decrypted, encrypted_data_len,
736  circ, service);
737  memwipe(decrypted, 0, encrypted_data_len);
738  if (enc_cell == NULL) {
739  goto done;
740  }
741  }
742 
743  /* XXX: Implement client authorization checks. */
744 
745  /* Extract onion key and rendezvous cookie from the cell used for the
746  * rendezvous point circuit e2e encryption. */
747  memcpy(data->onion_pk.public_key,
748  trn_cell_introduce_encrypted_getconstarray_onion_key(enc_cell),
750  memcpy(data->rendezvous_cookie,
751  trn_cell_introduce_encrypted_getconstarray_rend_cookie(enc_cell),
752  sizeof(data->rendezvous_cookie));
753 
754  /* Extract rendezvous link specifiers. */
755  for (size_t idx = 0;
756  idx < trn_cell_introduce_encrypted_get_nspec(enc_cell); idx++) {
757  link_specifier_t *lspec =
758  trn_cell_introduce_encrypted_get_nspecs(enc_cell, idx);
759  if (BUG(!lspec)) {
760  goto done;
761  }
762  link_specifier_t *lspec_dup = link_specifier_dup(lspec);
763  if (BUG(!lspec_dup)) {
764  goto done;
765  }
766  smartlist_add(data->link_specifiers, lspec_dup);
767  }
768 
769  /* Success. */
770  ret = 0;
771  log_info(LD_REND, "Valid INTRODUCE2 cell. Launching rendezvous circuit.");
772 
773  done:
774  if (intro_keys) {
775  memwipe(intro_keys, 0, sizeof(hs_ntor_intro_cell_keys_t));
776  tor_free(intro_keys);
777  }
778  tor_free(decrypted);
779  trn_cell_introduce_encrypted_free(enc_cell);
780  trn_cell_introduce1_free(cell);
781  return ret;
782 }
783 
784 /* Build a RENDEZVOUS1 cell with the given rendezvous cookie and handshake
785  * info. The encoded cell is put in cell_out and the length of the data is
786  * returned. This can't fail. */
787 ssize_t
788 hs_cell_build_rendezvous1(const uint8_t *rendezvous_cookie,
789  size_t rendezvous_cookie_len,
790  const uint8_t *rendezvous_handshake_info,
791  size_t rendezvous_handshake_info_len,
792  uint8_t *cell_out)
793 {
794  ssize_t cell_len;
795  trn_cell_rendezvous1_t *cell;
796 
797  tor_assert(rendezvous_cookie);
798  tor_assert(rendezvous_handshake_info);
799  tor_assert(cell_out);
800 
801  cell = trn_cell_rendezvous1_new();
802  /* Set the RENDEZVOUS_COOKIE. */
803  memcpy(trn_cell_rendezvous1_getarray_rendezvous_cookie(cell),
804  rendezvous_cookie, rendezvous_cookie_len);
805  /* Set the HANDSHAKE_INFO. */
806  trn_cell_rendezvous1_setlen_handshake_info(cell,
807  rendezvous_handshake_info_len);
808  memcpy(trn_cell_rendezvous1_getarray_handshake_info(cell),
809  rendezvous_handshake_info, rendezvous_handshake_info_len);
810  /* Encoding. */
811  cell_len = trn_cell_rendezvous1_encode(cell_out, RELAY_PAYLOAD_SIZE, cell);
812  tor_assert(cell_len > 0);
813 
814  trn_cell_rendezvous1_free(cell);
815  return cell_len;
816 }
817 
818 /* Build an INTRODUCE1 cell from the given data. The encoded cell is put in
819  * cell_out which must be of at least size RELAY_PAYLOAD_SIZE. On success, the
820  * encoded length is returned else a negative value and the content of
821  * cell_out should be ignored. */
822 ssize_t
823 hs_cell_build_introduce1(const hs_cell_introduce1_data_t *data,
824  uint8_t *cell_out)
825 {
826  ssize_t cell_len;
827  trn_cell_introduce1_t *cell;
828  trn_cell_extension_t *ext;
829 
830  tor_assert(data);
831  tor_assert(cell_out);
832 
833  cell = trn_cell_introduce1_new();
834  tor_assert(cell);
835 
836  /* Set extension data. None are used. */
837  ext = trn_cell_extension_new();
838  tor_assert(ext);
839  trn_cell_extension_set_num(ext, 0);
840  trn_cell_introduce1_set_extensions(cell, ext);
841 
842  /* Set the legacy ID field. */
843  introduce1_set_legacy_id(cell, data);
844 
845  /* Set the authentication key. */
846  introduce1_set_auth_key(cell, data);
847 
848  /* Set the encrypted section. This will set, encrypt and encode the
849  * ENCRYPTED section in the cell. After this, we'll be ready to encode. */
850  introduce1_set_encrypted(cell, data);
851 
852  /* Final encoding. */
853  cell_len = trn_cell_introduce1_encode(cell_out, RELAY_PAYLOAD_SIZE, cell);
854 
855  trn_cell_introduce1_free(cell);
856  return cell_len;
857 }
858 
859 /* Build an ESTABLISH_RENDEZVOUS cell from the given rendezvous_cookie. The
860  * encoded cell is put in cell_out which must be of at least
861  * RELAY_PAYLOAD_SIZE. On success, the encoded length is returned and the
862  * caller should clear up the content of the cell.
863  *
864  * This function can't fail. */
865 ssize_t
866 hs_cell_build_establish_rendezvous(const uint8_t *rendezvous_cookie,
867  uint8_t *cell_out)
868 {
869  tor_assert(rendezvous_cookie);
870  tor_assert(cell_out);
871 
872  memcpy(cell_out, rendezvous_cookie, HS_REND_COOKIE_LEN);
873  return HS_REND_COOKIE_LEN;
874 }
875 
876 /* Handle an INTRODUCE_ACK cell encoded in payload of length payload_len.
877  * Return the status code on success else a negative value if the cell as not
878  * decodable. */
879 int
880 hs_cell_parse_introduce_ack(const uint8_t *payload, size_t payload_len)
881 {
882  int ret = -1;
883  trn_cell_introduce_ack_t *cell = NULL;
884 
885  tor_assert(payload);
886 
887  /* If it is a legacy IP, rend-spec.txt specifies that a ACK is 0 byte and a
888  * NACK is 1 byte. We can't use the legacy function for this so we have to
889  * do a special case. */
890  if (payload_len <= 1) {
891  if (payload_len == 0) {
892  ret = HS_CELL_INTRO_ACK_SUCCESS;
893  } else {
894  ret = HS_CELL_INTRO_ACK_FAILURE;
895  }
896  goto end;
897  }
898 
899  if (trn_cell_introduce_ack_parse(&cell, payload, payload_len) < 0) {
900  log_info(LD_REND, "Invalid INTRODUCE_ACK cell. Unable to parse it.");
901  goto end;
902  }
903 
904  ret = trn_cell_introduce_ack_get_status(cell);
905 
906  end:
907  trn_cell_introduce_ack_free(cell);
908  return ret;
909 }
910 
911 /* Handle a RENDEZVOUS2 cell encoded in payload of length payload_len. On
912  * success, handshake_info contains the data in the HANDSHAKE_INFO field, and
913  * 0 is returned. On error, a negative value is returned. */
914 int
915 hs_cell_parse_rendezvous2(const uint8_t *payload, size_t payload_len,
916  uint8_t *handshake_info, size_t handshake_info_len)
917 {
918  int ret = -1;
919  trn_cell_rendezvous2_t *cell = NULL;
920 
921  tor_assert(payload);
922  tor_assert(handshake_info);
923 
924  if (trn_cell_rendezvous2_parse(&cell, payload, payload_len) < 0) {
925  log_info(LD_REND, "Invalid RENDEZVOUS2 cell. Unable to parse it.");
926  goto end;
927  }
928 
929  /* Static size, we should never have an issue with this else we messed up
930  * our code flow. */
931  tor_assert(trn_cell_rendezvous2_getlen_handshake_info(cell) ==
932  handshake_info_len);
933  memcpy(handshake_info,
934  trn_cell_rendezvous2_getconstarray_handshake_info(cell),
935  handshake_info_len);
936  ret = 0;
937 
938  end:
939  trn_cell_rendezvous2_free(cell);
940  return ret;
941 }
942 
943 /* Clear the given INTRODUCE1 data structure data. */
944 void
945 hs_cell_introduce1_data_clear(hs_cell_introduce1_data_t *data)
946 {
947  if (data == NULL) {
948  return;
949  }
950  /* Object in this list have been moved to the cell object when building it
951  * so they've been freed earlier. We do that in order to avoid duplicating
952  * them leading to more memory and CPU time being used for nothing. */
953  smartlist_free(data->link_specifiers);
954  /* The data object has no ownership of any members. */
955  memwipe(data, 0, sizeof(hs_cell_introduce1_data_t));
956 }
957 
#define RELAY_PAYLOAD_SIZE
Definition: or.h:605
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Definition: crypto_cipher.c:88
void smartlist_add(smartlist_t *sl, void *element)
#define TO_CIRCUIT(x)
Definition: or.h:947
Header file for config.c.
Header file for replaycache.c.
#define tor_free(p)
Definition: malloc.h:52
int replaycache_add_test_and_elapsed(replaycache_t *r, const void *data, size_t len, time_t *elapsed)
Definition: replaycache.c:195
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:57
#define DIGEST256_LEN
Definition: digest_sizes.h:23
Common functions for cryptographic routines.
tor_assert(buffer)
int tor_memcmp(const void *a, const void *b, size_t len)
Definition: di_ops.c:31
#define DIGEST_LEN
Definition: digest_sizes.h:20
Header file containing cell data for the whole HS subsytem.
Master header file for Tor-specific functionality.
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
#define LD_REND
Definition: log.h:80
Header file for rendservice.c.
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
Definition: crypto_rsa.c:356
#define SMARTLIST_FOREACH(sl, type, var, cmd)
crypto_cipher_t * crypto_cipher_new_with_bits(const char *key, int bits)
Definition: crypto_cipher.c:54
void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len)
#define REND_COOKIE_LEN
Definition: or.h:399
#define LD_PROTOCOL
Definition: log.h:68
#define LD_BUG
Definition: log.h:82
#define CURVE25519_PUBKEY_LEN
Definition: x25519_sizes.h:20