21 #include "trunnel/ed25519_cert.h"
22 #include "trunnel/hs/cell_common.h"
23 #include "trunnel/hs/cell_establish_intro.h"
24 #include "trunnel/hs/cell_introduce1.h"
25 #include "trunnel/hs/cell_rendezvous.h"
36 const uint8_t *encrypted,
size_t encrypted_len,
37 const uint8_t *mac_key,
size_t mac_key_len,
38 uint8_t *mac_out,
size_t mac_out_len)
52 mac_msg_len = encoded_cell_len + (encrypted_len -
DIGEST256_LEN);
56 memcpy(mac_msg, encoded_cell, encoded_cell_len);
57 offset += encoded_cell_len;
60 memcpy(mac_msg + offset, encrypted, (encrypted_len -
DIGEST256_LEN));
66 mac_msg, mac_msg_len);
67 memwipe(mac_msg, 0,
sizeof(mac_msg));
79 size_t n_subcredentials,
81 const uint8_t *encrypted_section,
100 subcredentials, keys) < 0) {
115 size_t encrypted_section_len)
117 uint8_t *decrypted = NULL;
118 crypto_cipher_t *cipher = NULL;
130 decrypted = tor_malloc_zero(encrypted_section_len);
132 (
const char *) encrypted_section,
133 encrypted_section_len) < 0) {
140 crypto_cipher_free(cipher);
148 static trn_cell_introduce_encrypted_t *
153 trn_cell_introduce_encrypted_t *enc_cell = NULL;
159 if (trn_cell_introduce_encrypted_parse(&enc_cell, decrypted_data,
160 decrypted_len) < 0) {
161 log_info(
LD_REND,
"Unable to parse the decrypted ENCRYPTED section of "
162 "the INTRODUCE2 cell on circuit %u for service %s",
168 if (trn_cell_introduce_encrypted_get_onion_key_type(enc_cell) !=
169 TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR) {
170 log_info(
LD_REND,
"INTRODUCE2 onion key type is invalid. Got %u but "
171 "expected %u on circuit %u for service %s",
172 trn_cell_introduce_encrypted_get_onion_key_type(enc_cell),
173 TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR,
179 if (trn_cell_introduce_encrypted_getlen_onion_key(enc_cell) !=
181 log_info(
LD_REND,
"INTRODUCE2 onion key length is invalid. Got %u but "
182 "expected %d on circuit %u for service %s",
183 (
unsigned)trn_cell_introduce_encrypted_getlen_onion_key(enc_cell),
192 trn_cell_introduce_encrypted_free(enc_cell);
205 trn_cell_introduce1_t **cell_ptr_out)
207 trn_cell_introduce1_t *cell = NULL;
215 if (trn_cell_introduce1_parse(&cell, payload, payload_len) < 0) {
216 log_info(
LD_PROTOCOL,
"Unable to parse INTRODUCE2 cell on circuit %u "
224 *cell_ptr_out = cell;
234 const uint8_t *onion_pk)
239 trn_cell_introduce_encrypted_set_onion_key_type(cell,
240 TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR);
243 memcpy(trn_cell_introduce_encrypted_getarray_onion_key(cell), onion_pk,
244 trn_cell_introduce_encrypted_getlen_onion_key(cell));
256 tor_assert(smartlist_len(lspecs) <= UINT8_MAX);
258 uint8_t lspecs_num = (uint8_t) smartlist_len(lspecs);
259 trn_cell_introduce_encrypted_set_nspec(cell, lspecs_num);
264 trn_cell_introduce_encrypted_add_nspecs(cell, ls));
271 trn_cell_introduce_encrypted_t *enc_cell)
276 ssize_t full_len = trn_cell_introduce1_encoded_len(cell) +
277 trn_cell_introduce_encrypted_encoded_len(enc_cell);
281 trn_cell_introduce_encrypted_setlen_pad(enc_cell, padding);
282 memset(trn_cell_introduce_encrypted_getarray_pad(enc_cell), 0,
283 trn_cell_introduce_encrypted_getlen_pad(enc_cell));
294 const trn_cell_introduce_encrypted_t *enc_cell,
298 ssize_t encrypted_len;
299 ssize_t encoded_cell_len, encoded_enc_cell_len;
302 uint8_t *encrypted = NULL;
304 crypto_cipher_t *cipher = NULL;
313 encoded_cell_len = trn_cell_introduce1_encode(encoded_cell,
314 sizeof(encoded_cell), cell);
318 encoded_enc_cell_len =
319 trn_cell_introduce_encrypted_encode(encoded_enc_cell,
320 sizeof(encoded_enc_cell), enc_cell);
325 if (hs_ntor_client_get_introduce1_keys(data->
auth_pk, data->
enc_pk,
328 tor_assert_unreached();
333 sizeof(keys.enc_key) * 8);
338 encrypted_len =
sizeof(data->
client_kp->pubkey) + encoded_enc_cell_len +
341 encrypted = tor_malloc_zero(encrypted_len);
344 memcpy(encrypted, data->
client_kp->pubkey.public_key,
345 sizeof(data->
client_kp->pubkey.public_key));
346 offset +=
sizeof(data->
client_kp->pubkey.public_key);
349 (
const char *) encoded_enc_cell, encoded_enc_cell_len);
350 crypto_cipher_free(cipher);
351 offset += encoded_enc_cell_len;
355 encrypted, encrypted_len,
356 keys.mac_key,
sizeof(keys.mac_key),
358 memcpy(encrypted + offset, mac,
sizeof(mac));
359 offset +=
sizeof(mac);
363 trn_cell_introduce1_setlen_encrypted(cell, encrypted_len);
364 memcpy(trn_cell_introduce1_getarray_encrypted(cell),
365 encrypted, encrypted_len);
368 memwipe(&keys, 0,
sizeof(keys));
370 memwipe(encrypted, 0,
sizeof(encrypted_len));
371 memwipe(encoded_enc_cell, 0,
sizeof(encoded_enc_cell));
381 trn_cell_introduce_encrypted_t *enc_cell;
382 trn_cell_extension_t *ext;
387 enc_cell = trn_cell_introduce_encrypted_new();
391 ext = trn_cell_extension_new();
393 trn_cell_extension_set_num(ext, 0);
394 trn_cell_introduce_encrypted_set_extensions(enc_cell, ext);
397 memcpy(trn_cell_introduce_encrypted_getarray_rend_cookie(enc_cell),
413 trn_cell_introduce_encrypted_free(enc_cell);
424 trn_cell_introduce1_set_auth_key_type(cell,
425 TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519);
428 memcpy(trn_cell_introduce1_getarray_auth_key(cell),
429 data->
auth_pk->pubkey, trn_cell_introduce1_getlen_auth_key(cell));
436 uint8_t param_type, uint64_t param_value)
438 trn_cell_extension_dos_param_t *dos_param =
439 trn_cell_extension_dos_param_new();
442 tor_assert(param_type == TRUNNEL_DOS_PARAM_TYPE_INTRO2_RATE_PER_SEC ||
443 param_type == TRUNNEL_DOS_PARAM_TYPE_INTRO2_BURST_PER_SEC);
445 trn_cell_extension_dos_param_set_type(dos_param, param_type);
446 trn_cell_extension_dos_param_set_value(dos_param, param_value);
447 trn_cell_extension_dos_add_params(dos_ext, dos_param);
457 trn_cell_extension_t *extensions)
460 size_t dos_ext_encoded_len;
461 uint8_t *field_array;
462 trn_cell_extension_field_t *field = NULL;
463 trn_cell_extension_dos_t *dos_ext = NULL;
469 field = trn_cell_extension_field_new();
470 trn_cell_extension_field_set_field_type(field,
471 TRUNNEL_CELL_EXTENSION_TYPE_DOS);
474 dos_ext = trn_cell_extension_dos_new();
475 trn_cell_extension_dos_set_n_params(dos_ext, 2);
479 TRUNNEL_DOS_PARAM_TYPE_INTRO2_RATE_PER_SEC,
480 service_config->intro_dos_rate_per_sec);
483 TRUNNEL_DOS_PARAM_TYPE_INTRO2_BURST_PER_SEC,
484 service_config->intro_dos_burst_per_sec);
487 ret = trn_cell_extension_dos_encoded_len(dos_ext);
491 dos_ext_encoded_len = ret;
493 trn_cell_extension_field_set_field_len(field, dos_ext_encoded_len);
494 trn_cell_extension_field_setlen_field(field, dos_ext_encoded_len);
496 field_array = trn_cell_extension_field_getarray_field(field);
497 ret = trn_cell_extension_dos_encode(field_array,
498 trn_cell_extension_field_getlen_field(field), dos_ext);
502 tor_assert(ret == (ssize_t) dos_ext_encoded_len);
505 trn_cell_extension_add_fields(extensions, field);
509 trn_cell_extension_set_num(extensions,
510 trn_cell_extension_get_num(extensions) + 1);
513 trn_cell_extension_dos_free(dos_ext);
518 trn_cell_extension_field_free(field);
519 trn_cell_extension_dos_free(dos_ext);
529 STATIC trn_cell_extension_t *
534 trn_cell_extension_t *extensions;
539 extensions = trn_cell_extension_new();
540 trn_cell_extension_set_num(extensions, 0);
568 ssize_t cell_len = -1;
570 trn_cell_establish_intro_t *cell = NULL;
571 trn_cell_extension_t *extensions;
581 cell = trn_cell_establish_intro_new();
582 trn_cell_establish_intro_set_extensions(cell, extensions);
585 trn_cell_establish_intro_set_sig_len(cell, sig_len);
586 trn_cell_establish_intro_setlen_sig(cell, sig_len);
589 trn_cell_establish_intro_set_auth_key_type(cell,
590 TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519);
596 trn_cell_establish_intro_set_auth_key_len(cell, auth_key_len);
597 trn_cell_establish_intro_setlen_auth_key(cell, auth_key_len);
600 uint8_t *auth_key_ptr = trn_cell_establish_intro_getarray_auth_key(cell);
601 memcpy(auth_key_ptr, ip->
auth_key_kp.pubkey.pubkey, auth_key_len);
606 ssize_t tmp_cell_enc_len = 0;
607 ssize_t tmp_cell_mac_offset =
608 sig_len +
sizeof(cell->sig_len) +
609 trn_cell_establish_intro_getlen_handshake_mac(cell);
611 uint8_t mac[TRUNNEL_SHA3_256_LEN], *handshake_ptr;
615 tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
616 sizeof(tmp_cell_enc),
618 if (BUG(tmp_cell_enc_len < 0)) {
622 tor_assert(tmp_cell_enc_len > tmp_cell_mac_offset);
627 tmp_cell_enc, tmp_cell_enc_len - tmp_cell_mac_offset);
628 handshake_ptr = trn_cell_establish_intro_getarray_handshake_mac(cell);
629 memcpy(handshake_ptr, mac,
sizeof(mac));
632 memwipe(tmp_cell_enc, 0,
sizeof(tmp_cell_enc));
637 ssize_t tmp_cell_enc_len = 0;
638 ssize_t tmp_cell_sig_offset = (sig_len +
sizeof(cell->sig_len));
644 tmp_cell_enc_len = trn_cell_establish_intro_encode(tmp_cell_enc,
645 sizeof(tmp_cell_enc),
647 if (BUG(tmp_cell_enc_len < 0)) {
652 tmp_cell_enc_len - tmp_cell_sig_offset,
654 log_warn(
LD_BUG,
"Unable to make signature for ESTABLISH_INTRO cell.");
658 sig_ptr = trn_cell_establish_intro_getarray_sig(cell);
659 memcpy(sig_ptr, sig.sig, sig_len);
661 memwipe(tmp_cell_enc, 0,
sizeof(tmp_cell_enc));
669 trn_cell_establish_intro_free(cell);
680 trn_cell_intro_established_t *cell = NULL;
686 ret = trn_cell_intro_established_parse(&cell, payload, payload_len);
690 trn_cell_intro_established_free(cell);
703 const uint8_t *encrypted_section,
704 size_t encrypted_section_len)
715 if (intro_keys == NULL) {
716 log_info(
LD_REND,
"Invalid INTRODUCE2 encrypted data. Unable to "
717 "compute key material");
728 intro_keys_result = tor_malloc_zero(
sizeof(*intro_keys_result));
733 size_t mac_offset = encrypted_section_len -
sizeof(mac);
738 encrypted_section, encrypted_section_len,
739 intro_keys[i].mac_key,
740 sizeof(intro_keys[i].mac_key),
745 bool equal =
tor_memeq(mac, encrypted_section + mac_offset,
sizeof(mac));
747 sizeof(*intro_keys_result));
756 log_info(
LD_REND,
"Invalid MAC validation for INTRODUCE2 cell");
760 return intro_keys_result;
774 uint8_t *decrypted = NULL;
775 size_t encrypted_section_len;
776 const uint8_t *encrypted_section;
777 trn_cell_introduce1_t *cell = NULL;
778 trn_cell_introduce_encrypted_t *enc_cell = NULL;
791 log_info(
LD_REND,
"Received a decodable INTRODUCE2 cell on circuit %u "
792 "for service %s. Decoding encrypted section...",
796 encrypted_section = trn_cell_introduce1_getconstarray_encrypted(cell);
797 encrypted_section_len = trn_cell_introduce1_getlen_encrypted(cell);
802 log_info(
LD_REND,
"Invalid INTRODUCE2 encrypted section length "
803 "for service %s. Dropping cell.",
810 encrypted_section_len, &elapsed)) {
811 log_warn(
LD_REND,
"Possible replay detected! An INTRODUCE2 cell with the "
812 "same ENCRYPTED section was seen %ld seconds ago. "
813 "Dropping cell.", (
long int) elapsed);
821 memcpy(&data->
client_pk.public_key, encrypted_section,
826 encrypted_section_len);
828 log_warn(
LD_REND,
"Could not get valid INTRO2 keys on circuit %u "
829 "for service %s",
TO_CIRCUIT(circ)->n_circ_id,
836 const uint8_t *encrypted_data =
837 encrypted_section +
sizeof(data->
client_pk);
841 size_t encrypted_data_len =
846 encrypted_data, encrypted_data_len);
847 if (decrypted == NULL) {
848 log_info(
LD_REND,
"Unable to decrypt the ENCRYPTED section of an "
849 "INTRODUCE2 cell on circuit %u for service %s",
859 memwipe(decrypted, 0, encrypted_data_len);
860 if (enc_cell == NULL) {
870 trn_cell_introduce_encrypted_getconstarray_onion_key(enc_cell),
873 trn_cell_introduce_encrypted_getconstarray_rend_cookie(enc_cell),
878 idx < trn_cell_introduce_encrypted_get_nspec(enc_cell); idx++) {
879 link_specifier_t *lspec =
880 trn_cell_introduce_encrypted_get_nspecs(enc_cell, idx);
885 if (BUG(!lspec_dup)) {
893 log_info(
LD_REND,
"Valid INTRODUCE2 cell. Launching rendezvous circuit.");
901 trn_cell_introduce_encrypted_free(enc_cell);
902 trn_cell_introduce1_free(cell);
911 size_t rendezvous_cookie_len,
912 const uint8_t *rendezvous_handshake_info,
913 size_t rendezvous_handshake_info_len,
917 trn_cell_rendezvous1_t *cell;
923 cell = trn_cell_rendezvous1_new();
925 memcpy(trn_cell_rendezvous1_getarray_rendezvous_cookie(cell),
926 rendezvous_cookie, rendezvous_cookie_len);
928 trn_cell_rendezvous1_setlen_handshake_info(cell,
929 rendezvous_handshake_info_len);
930 memcpy(trn_cell_rendezvous1_getarray_handshake_info(cell),
931 rendezvous_handshake_info, rendezvous_handshake_info_len);
936 trn_cell_rendezvous1_free(cell);
949 trn_cell_introduce1_t *cell;
950 trn_cell_extension_t *ext;
955 cell = trn_cell_introduce1_new();
959 ext = trn_cell_extension_new();
961 trn_cell_extension_set_num(ext, 0);
962 trn_cell_introduce1_set_extensions(cell, ext);
974 trn_cell_introduce1_free(cell);
1002 trn_cell_introduce_ack_t *cell = NULL;
1006 if (trn_cell_introduce_ack_parse(&cell, payload, payload_len) < 0) {
1007 log_info(
LD_REND,
"Invalid INTRODUCE_ACK cell. Unable to parse it.");
1011 ret = trn_cell_introduce_ack_get_status(cell);
1014 trn_cell_introduce_ack_free(cell);
1023 uint8_t *handshake_info,
size_t handshake_info_len)
1026 trn_cell_rendezvous2_t *cell = NULL;
1031 if (trn_cell_rendezvous2_parse(&cell, payload, payload_len) < 0) {
1032 log_info(
LD_REND,
"Invalid RENDEZVOUS2 cell. Unable to parse it.");
1038 tor_assert(trn_cell_rendezvous2_getlen_handshake_info(cell) ==
1039 handshake_info_len);
1040 memcpy(handshake_info,
1041 trn_cell_rendezvous2_getconstarray_handshake_info(cell),
1042 handshake_info_len);
1046 trn_cell_rendezvous2_free(cell);
Header file for config.c.
crypto_cipher_t * crypto_cipher_new_with_bits(const char *key, int bits)
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len)
int ed25519_sign_prefixed(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair)
void memwipe(void *mem, uint8_t byte, size_t sz)
Common functions for cryptographic routines.
void memcpy_if_true_timei(bool s, void *dest, const void *src, size_t n)
int tor_memeq(const void *a, const void *b, size_t sz)
int safe_mem_is_zero(const void *mem, size_t sz)
STATIC trn_cell_extension_t * build_establish_intro_extensions(const hs_service_config_t *service_config, const hs_service_intro_point_t *ip)
ssize_t hs_cell_build_establish_rendezvous(const uint8_t *rendezvous_cookie, uint8_t *cell_out)
static void introduce1_set_encrypted(trn_cell_introduce1_t *cell, const hs_cell_introduce1_data_t *data)
static void build_establish_intro_dos_param(trn_cell_extension_dos_t *dos_ext, uint8_t param_type, uint64_t param_value)
static void compute_introduce_mac(const uint8_t *encoded_cell, size_t encoded_cell_len, const uint8_t *encrypted, size_t encrypted_len, const uint8_t *mac_key, size_t mac_key_len, uint8_t *mac_out, size_t mac_out_len)
static void introduce1_set_encrypted_link_spec(trn_cell_introduce_encrypted_t *cell, const smartlist_t *lspecs)
static int parse_introduce2_cell(const hs_service_t *service, const origin_circuit_t *circ, const uint8_t *payload, size_t payload_len, trn_cell_introduce1_t **cell_ptr_out)
ssize_t hs_cell_parse_intro_established(const uint8_t *payload, size_t payload_len)
ssize_t hs_cell_build_establish_intro(const char *circ_nonce, const hs_service_config_t *service_config, const hs_service_intro_point_t *ip, uint8_t *cell_out)
int hs_cell_parse_introduce_ack(const uint8_t *payload, size_t payload_len)
static int build_establish_intro_dos_extension(const hs_service_config_t *service_config, trn_cell_extension_t *extensions)
void hs_cell_introduce1_data_clear(hs_cell_introduce1_data_t *data)
static hs_ntor_intro_cell_keys_t * get_introduce2_key_material(const ed25519_public_key_t *auth_key, const curve25519_keypair_t *enc_key, size_t n_subcredentials, const hs_subcredential_t *subcredentials, const uint8_t *encrypted_section, curve25519_public_key_t *client_pk)
static hs_ntor_intro_cell_keys_t * get_introduce2_keys_and_verify_mac(hs_cell_introduce2_data_t *data, const uint8_t *encrypted_section, size_t encrypted_section_len)
static void introduce1_encrypt_and_encode(trn_cell_introduce1_t *cell, const trn_cell_introduce_encrypted_t *enc_cell, const hs_cell_introduce1_data_t *data)
ssize_t hs_cell_build_rendezvous1(const uint8_t *rendezvous_cookie, size_t rendezvous_cookie_len, const uint8_t *rendezvous_handshake_info, size_t rendezvous_handshake_info_len, uint8_t *cell_out)
ssize_t hs_cell_build_introduce1(const hs_cell_introduce1_data_t *data, uint8_t *cell_out)
static trn_cell_introduce_encrypted_t * parse_introduce2_encrypted(const uint8_t *decrypted_data, size_t decrypted_len, const origin_circuit_t *circ, const hs_service_t *service)
int hs_cell_parse_rendezvous2(const uint8_t *payload, size_t payload_len, uint8_t *handshake_info, size_t handshake_info_len)
static void introduce1_set_auth_key(trn_cell_introduce1_t *cell, const hs_cell_introduce1_data_t *data)
static void introduce1_set_encrypted_padding(const trn_cell_introduce1_t *cell, trn_cell_introduce_encrypted_t *enc_cell)
static void introduce1_set_encrypted_onion_key(trn_cell_introduce_encrypted_t *cell, const uint8_t *onion_pk)
ssize_t hs_cell_parse_introduce2(hs_cell_introduce2_data_t *data, const origin_circuit_t *circ, const hs_service_t *service)
static uint8_t * decrypt_introduce2(const uint8_t *enc_key, const uint8_t *encrypted_section, size_t encrypted_section_len)
Header file containing cell data for the whole HS subsystem.
#define HS_CELL_INTRODUCE1_MIN_SIZE
link_specifier_t * link_specifier_dup(const link_specifier_t *src)
#define ESTABLISH_INTRO_SIG_PREFIX
#define HS_REND_COOKIE_LEN
int hs_ntor_service_get_introduce1_keys_multi(const struct ed25519_public_key_t *intro_auth_pubkey, const struct curve25519_keypair_t *intro_enc_keypair, const struct curve25519_public_key_t *client_ephemeral_enc_pubkey, size_t n_subcredentials, const hs_subcredential_t *subcredentials, hs_ntor_intro_cell_keys_t *hs_ntor_intro_cell_keys_out)
Header file for the specific code for onion balance.
Master header file for Tor-specific functionality.
#define RELAY_PAYLOAD_SIZE
Origin circuit structure.
int replaycache_add_test_and_elapsed(replaycache_t *r, const void *data, size_t len, time_t *elapsed)
Header file for replaycache.c.
void smartlist_add(smartlist_t *sl, void *element)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
const ed25519_public_key_t * auth_pk
const struct hs_subcredential_t * subcredential
const curve25519_keypair_t * client_kp
const curve25519_public_key_t * enc_pk
const uint8_t * rendezvous_cookie
const curve25519_public_key_t * onion_pk
smartlist_t * link_specifiers
curve25519_public_key_t onion_pk
const ed25519_public_key_t * auth_pk
const curve25519_keypair_t * enc_kp
uint8_t rendezvous_cookie[REND_COOKIE_LEN]
replaycache_t * replay_cache
const struct hs_subcredential_t * subcredentials
curve25519_public_key_t client_pk
smartlist_t * link_specifiers
unsigned int has_dos_defense_enabled
unsigned int support_intro2_dos_defense
ed25519_keypair_t auth_key_kp
char onion_address[HS_SERVICE_ADDR_LEN_BASE32+1]
#define ED25519_PUBKEY_LEN
#define CURVE25519_PUBKEY_LEN