Tor  0.4.4.0-alpha-dev
hs_circuit.c
Go to the documentation of this file.
1 /* Copyright (c) 2017-2020, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
4 /**
5  * \file hs_circuit.c
6  **/
7 
8 #define HS_CIRCUIT_PRIVATE
9 
10 #include "core/or/or.h"
11 #include "app/config/config.h"
12 #include "core/crypto/hs_ntor.h"
13 #include "core/or/circuitbuild.h"
14 #include "core/or/circuitlist.h"
15 #include "core/or/circuituse.h"
16 #include "core/or/policies.h"
17 #include "core/or/relay.h"
18 #include "core/or/crypt_path.h"
19 #include "feature/client/circpathbias.h"
20 #include "feature/hs/hs_cell.h"
21 #include "feature/hs/hs_circuit.h"
22 #include "feature/hs/hs_ob.h"
24 #include "feature/hs/hs_client.h"
25 #include "feature/hs/hs_ident.h"
26 #include "feature/hs/hs_service.h"
31 #include "feature/stats/rephist.h"
35 
36 /* Trunnel. */
37 #include "trunnel/ed25519_cert.h"
38 #include "trunnel/hs/cell_common.h"
39 #include "trunnel/hs/cell_establish_intro.h"
40 
42 #include "core/or/crypt_path_st.h"
45 
46 /** A circuit is about to become an e2e rendezvous circuit. Check
47  * <b>circ_purpose</b> and ensure that it's properly set. Return true iff
48  * circuit purpose is properly set, otherwise return false. */
49 static int
50 circuit_purpose_is_correct_for_rend(unsigned int circ_purpose,
51  int is_service_side)
52 {
53  if (is_service_side) {
54  if (circ_purpose != CIRCUIT_PURPOSE_S_CONNECT_REND) {
55  log_warn(LD_BUG,
56  "HS e2e circuit setup with wrong purpose (%d)", circ_purpose);
57  return 0;
58  }
59  }
60 
61  if (!is_service_side) {
62  if (circ_purpose != CIRCUIT_PURPOSE_C_REND_READY &&
64  log_warn(LD_BUG,
65  "Client e2e circuit setup with wrong purpose (%d)", circ_purpose);
66  return 0;
67  }
68  }
69 
70  return 1;
71 }
72 
73 /** Create and return a crypt path for the final hop of a v3 prop224 rendezvous
74  * circuit. Initialize the crypt path crypto using the output material from the
75  * ntor key exchange at <b>ntor_key_seed</b>.
76  *
77  * If <b>is_service_side</b> is set, we are the hidden service and the final
78  * hop of the rendezvous circuit is the client on the other side. */
79 static crypt_path_t *
80 create_rend_cpath(const uint8_t *ntor_key_seed, size_t seed_len,
81  int is_service_side)
82 {
83  uint8_t keys[HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN];
84  crypt_path_t *cpath = NULL;
85 
86  /* Do the key expansion */
87  if (hs_ntor_circuit_key_expansion(ntor_key_seed, seed_len,
88  keys, sizeof(keys)) < 0) {
89  goto err;
90  }
91 
92  /* Setup the cpath */
93  cpath = tor_malloc_zero(sizeof(crypt_path_t));
94  cpath->magic = CRYPT_PATH_MAGIC;
95 
96  if (cpath_init_circuit_crypto(cpath, (char*)keys, sizeof(keys),
97  is_service_side, 1) < 0) {
98  tor_free(cpath);
99  goto err;
100  }
101 
102  err:
103  memwipe(keys, 0, sizeof(keys));
104  return cpath;
105 }
106 
107 /** We are a v2 legacy HS client: Create and return a crypt path for the hidden
108  * service on the other side of the rendezvous circuit <b>circ</b>. Initialize
109  * the crypt path crypto using the body of the RENDEZVOUS1 cell at
110  * <b>rend_cell_body</b> (which must be at least DH1024_KEY_LEN+DIGEST_LEN
111  * bytes).
112  */
113 static crypt_path_t *
114 create_rend_cpath_legacy(origin_circuit_t *circ, const uint8_t *rend_cell_body)
115 {
116  crypt_path_t *hop = NULL;
117  char keys[DIGEST_LEN+CPATH_KEY_MATERIAL_LEN];
118 
119  /* first DH1024_KEY_LEN bytes are g^y from the service. Finish the dh
120  * handshake...*/
121  tor_assert(circ->build_state);
123  hop = circ->build_state->pending_final_cpath;
124 
126  if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, hop->rend_dh_handshake_state,
127  (char*)rend_cell_body, DH1024_KEY_LEN,
128  keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) {
129  log_warn(LD_GENERAL, "Couldn't complete DH handshake.");
130  goto err;
131  }
132  /* ... and set up cpath. */
134  keys+DIGEST_LEN, sizeof(keys)-DIGEST_LEN,
135  0, 0) < 0)
136  goto err;
137 
138  /* Check whether the digest is right... */
139  if (tor_memneq(keys, rend_cell_body+DH1024_KEY_LEN, DIGEST_LEN)) {
140  log_warn(LD_PROTOCOL, "Incorrect digest of key material.");
141  goto err;
142  }
143 
144  /* clean up the crypto stuff we just made */
145  crypto_dh_free(hop->rend_dh_handshake_state);
146  hop->rend_dh_handshake_state = NULL;
147 
148  goto done;
149 
150  err:
151  hop = NULL;
152 
153  done:
154  memwipe(keys, 0, sizeof(keys));
155  return hop;
156 }
157 
158 /** Append the final <b>hop</b> to the cpath of the rend <b>circ</b>, and mark
159  * <b>circ</b> ready for use to transfer HS relay cells. */
160 static void
162  int is_service_side)
163 {
164  tor_assert(circ);
165  tor_assert(hop);
166 
167  /* Notify the circuit state machine that we are splicing this circuit */
168  int new_circ_purpose = is_service_side ?
170  circuit_change_purpose(TO_CIRCUIT(circ), new_circ_purpose);
171 
172  /* All is well. Extend the circuit. */
173  hop->state = CPATH_STATE_OPEN;
174  /* Set the windows to default. */
177 
178  /* Now that this circuit has finished connecting to its destination,
179  * make sure circuit_get_open_circ_or_launch is willing to return it
180  * so we can actually use it. */
181  circ->hs_circ_has_timed_out = 0;
182 
183  /* Append the hop to the cpath of this circuit */
184  cpath_extend_linked_list(&circ->cpath, hop);
185 
186  /* In legacy code, 'pending_final_cpath' points to the final hop we just
187  * appended to the cpath. We set the original pointer to NULL so that we
188  * don't double free it. */
189  if (circ->build_state) {
190  circ->build_state->pending_final_cpath = NULL;
191  }
192 
193  /* Finally, mark circuit as ready to be used for client streams */
194  if (!is_service_side) {
196  }
197 }
198 
199 /** For a given circuit and a service introduction point object, register the
200  * intro circuit to the circuitmap. This supports legacy intro point. */
201 static void
203  origin_circuit_t *circ)
204 {
205  tor_assert(ip);
206  tor_assert(circ);
207 
208  if (ip->base.is_only_legacy) {
210  ip->legacy_key_digest);
211  } else {
213  &ip->auth_key_kp.pubkey);
214  }
215 }
216 
217 /** Return the number of opened introduction circuit for the given circuit that
218  * is matching its identity key. */
219 static unsigned int
221  const hs_service_descriptor_t *desc)
222 {
223  unsigned int count = 0;
224 
225  tor_assert(service);
226  tor_assert(desc);
227 
228  DIGEST256MAP_FOREACH(desc->intro_points.map, key,
229  const hs_service_intro_point_t *, ip) {
230  const circuit_t *circ;
232  if (ocirc == NULL) {
233  continue;
234  }
235  circ = TO_CIRCUIT(ocirc);
238  /* Having a circuit not for the requested service is really bad. */
240  &ocirc->hs_ident->identity_pk));
241  /* Only count opened circuit and skip circuit that will be closed. */
242  if (!circ->marked_for_close && circ->state == CIRCUIT_STATE_OPEN) {
243  count++;
244  }
245  } DIGEST256MAP_FOREACH_END;
246  return count;
247 }
248 
249 /** From a given service, rendezvous cookie and handshake info, create a
250  * rendezvous point circuit identifier. This can't fail. */
253  const uint8_t *rendezvous_cookie,
254  const curve25519_public_key_t *server_pk,
255  const hs_ntor_rend_cell_keys_t *keys)
256 {
257  hs_ident_circuit_t *ident;
258  uint8_t handshake_info[CURVE25519_PUBKEY_LEN + DIGEST256_LEN];
259 
260  tor_assert(service);
261  tor_assert(rendezvous_cookie);
262  tor_assert(server_pk);
263  tor_assert(keys);
264 
265  ident = hs_ident_circuit_new(&service->keys.identity_pk);
266  /* Copy the RENDEZVOUS_COOKIE which is the unique identifier. */
267  memcpy(ident->rendezvous_cookie, rendezvous_cookie,
268  sizeof(ident->rendezvous_cookie));
269  /* Build the HANDSHAKE_INFO which looks like this:
270  * SERVER_PK [32 bytes]
271  * AUTH_INPUT_MAC [32 bytes]
272  */
273  memcpy(handshake_info, server_pk->public_key, CURVE25519_PUBKEY_LEN);
274  memcpy(handshake_info + CURVE25519_PUBKEY_LEN, keys->rend_cell_auth_mac,
275  DIGEST256_LEN);
276  tor_assert(sizeof(ident->rendezvous_handshake_info) ==
277  sizeof(handshake_info));
278  memcpy(ident->rendezvous_handshake_info, handshake_info,
279  sizeof(ident->rendezvous_handshake_info));
280  /* Finally copy the NTOR_KEY_SEED for e2e encryption on the circuit. */
281  tor_assert(sizeof(ident->rendezvous_ntor_key_seed) ==
282  sizeof(keys->ntor_key_seed));
283  memcpy(ident->rendezvous_ntor_key_seed, keys->ntor_key_seed,
284  sizeof(ident->rendezvous_ntor_key_seed));
285  return ident;
286 }
287 
288 /** From a given service and service intro point, create an introduction point
289  * circuit identifier. This can't fail. */
290 static hs_ident_circuit_t *
292  const hs_service_intro_point_t *ip)
293 {
294  hs_ident_circuit_t *ident;
295 
296  tor_assert(service);
297  tor_assert(ip);
298 
299  ident = hs_ident_circuit_new(&service->keys.identity_pk);
300  ed25519_pubkey_copy(&ident->intro_auth_pk, &ip->auth_key_kp.pubkey);
301 
302  return ident;
303 }
304 
305 /** For a given introduction point and an introduction circuit, send the
306  * ESTABLISH_INTRO cell. The service object is used for logging. This can fail
307  * and if so, the circuit is closed and the intro point object is flagged
308  * that the circuit is not established anymore which is important for the
309  * retry mechanism. */
310 static void
313 {
314  ssize_t cell_len;
315  uint8_t payload[RELAY_PAYLOAD_SIZE];
316 
317  tor_assert(service);
318  tor_assert(ip);
319  tor_assert(circ);
320 
321  /* Encode establish intro cell. */
323  &service->config, ip, payload);
324  if (cell_len < 0) {
325  log_warn(LD_REND, "Unable to encode ESTABLISH_INTRO cell for service %s "
326  "on circuit %u. Closing circuit.",
327  safe_str_client(service->onion_address),
328  TO_CIRCUIT(circ)->n_circ_id);
329  goto err;
330  }
331 
332  /* Send the cell on the circuit. */
333  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
334  RELAY_COMMAND_ESTABLISH_INTRO,
335  (char *) payload, cell_len,
336  circ->cpath->prev) < 0) {
337  log_info(LD_REND, "Unable to send ESTABLISH_INTRO cell for service %s "
338  "on circuit %u.",
339  safe_str_client(service->onion_address),
340  TO_CIRCUIT(circ)->n_circ_id);
341  /* On error, the circuit has been closed. */
342  goto done;
343  }
344 
345  /* Record the attempt to use this circuit. */
347  goto done;
348 
349  err:
350  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
351  done:
352  memwipe(payload, 0, sizeof(payload));
353 }
354 
355 /** Return a string constant describing the anonymity of service. */
356 static const char *
358 {
359  if (service->config.is_single_onion) {
360  return "single onion";
361  } else {
362  return "hidden";
363  }
364 }
365 
366 /** For a given service, the ntor onion key and a rendezvous cookie, launch a
367  * circuit to the rendezvous point specified by the link specifiers. On
368  * success, a circuit identifier is attached to the circuit with the needed
369  * data. This function will try to open a circuit for a maximum value of
370  * MAX_REND_FAILURES then it will give up. */
371 MOCK_IMPL(STATIC void,
373  const hs_service_intro_point_t *ip,
375 {
376  int circ_needs_uptime;
377  time_t now = time(NULL);
378  extend_info_t *info = NULL;
379  origin_circuit_t *circ;
380 
381  tor_assert(service);
382  tor_assert(ip);
383  tor_assert(data);
384 
385  circ_needs_uptime = hs_service_requires_uptime_circ(service->config.ports);
386 
387  /* Get the extend info data structure for the chosen rendezvous point
388  * specified by the given link specifiers. */
390  &data->onion_pk,
391  service->config.is_single_onion);
392  if (info == NULL) {
393  /* We are done here, we can't extend to the rendezvous point. */
394  log_fn(LOG_PROTOCOL_WARN, LD_REND,
395  "Not enough info to open a circuit to a rendezvous point for "
396  "%s service %s.",
398  safe_str_client(service->onion_address));
399  goto end;
400  }
401 
402  for (int i = 0; i < MAX_REND_FAILURES; i++) {
404  if (circ_needs_uptime) {
405  circ_flags |= CIRCLAUNCH_NEED_UPTIME;
406  }
407  /* Firewall and policies are checked when getting the extend info.
408  *
409  * We only use a one-hop path on the first attempt. If the first attempt
410  * fails, we use a 3-hop path for reachability / reliability.
411  * See the comment in retry_service_rendezvous_point() for details. */
412  if (service->config.is_single_onion && i == 0) {
413  circ_flags |= CIRCLAUNCH_ONEHOP_TUNNEL;
414  }
415 
417  circ_flags);
418  if (circ != NULL) {
419  /* Stop retrying, we have a circuit! */
420  break;
421  }
422  }
423  if (circ == NULL) {
424  log_warn(LD_REND, "Giving up on launching a rendezvous circuit to %s "
425  "for %s service %s",
426  safe_str_client(extend_info_describe(info)),
428  safe_str_client(service->onion_address));
429  goto end;
430  }
431  log_info(LD_REND, "Rendezvous circuit launched to %s with cookie %s "
432  "for %s service %s",
433  safe_str_client(extend_info_describe(info)),
434  safe_str_client(hex_str((const char *) data->rendezvous_cookie,
435  REND_COOKIE_LEN)),
437  safe_str_client(service->onion_address));
438  tor_assert(circ->build_state);
439  /* Rendezvous circuit have a specific timeout for the time spent on trying
440  * to connect to the rendezvous point. */
442 
443  /* Create circuit identifier and key material. */
444  {
446  curve25519_keypair_t ephemeral_kp;
447  /* No need for extra strong, this is only for this circuit life time. This
448  * key will be used for the RENDEZVOUS1 cell that will be sent on the
449  * circuit once opened. */
450  curve25519_keypair_generate(&ephemeral_kp, 0);
451  if (hs_ntor_service_get_rendezvous1_keys(&ip->auth_key_kp.pubkey,
452  &ip->enc_key_kp,
453  &ephemeral_kp, &data->client_pk,
454  &keys) < 0) {
455  /* This should not really happened but just in case, don't make tor
456  * freak out, close the circuit and move on. */
457  log_info(LD_REND, "Unable to get RENDEZVOUS1 key material for "
458  "service %s",
459  safe_str_client(service->onion_address));
460  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
461  goto end;
462  }
463  circ->hs_ident = create_rp_circuit_identifier(service,
464  data->rendezvous_cookie,
465  &ephemeral_kp.pubkey, &keys);
466  memwipe(&ephemeral_kp, 0, sizeof(ephemeral_kp));
467  memwipe(&keys, 0, sizeof(keys));
468  tor_assert(circ->hs_ident);
469  }
470 
471  end:
472  extend_info_free(info);
473 }
474 
475 /** Return true iff the given service rendezvous circuit circ is allowed for a
476  * relaunch to the rendezvous point. */
477 static int
479 {
480  tor_assert(circ);
481  /* This is initialized when allocating an origin circuit. */
482  tor_assert(circ->build_state);
484 
485  /* XXX: Retrying under certain condition. This is related to #22455. */
486 
487  /* Avoid to relaunch twice a circuit to the same rendezvous point at the
488  * same time. */
490  log_info(LD_REND, "Rendezvous circuit to %s has already been retried. "
491  "Skipping retry.",
492  safe_str_client(
494  goto disallow;
495  }
496 
497  /* We check failure_count >= hs_get_service_max_rend_failures()-1 below, and
498  * the -1 is because we increment the failure count for our current failure
499  * *after* this clause. */
500  int max_rend_failures = hs_get_service_max_rend_failures() - 1;
501 
502  /* A failure count that has reached maximum allowed or circuit that expired,
503  * we skip relaunching. */
504  if (circ->build_state->failure_count > max_rend_failures ||
505  circ->build_state->expiry_time <= time(NULL)) {
506  log_info(LD_REND, "Attempt to build a rendezvous circuit to %s has "
507  "failed with %d attempts and expiry time %ld. "
508  "Giving up building.",
509  safe_str_client(
511  circ->build_state->failure_count,
512  (long int) circ->build_state->expiry_time);
513  goto disallow;
514  }
515 
516  /* Allowed to relaunch. */
517  return 1;
518  disallow:
519  return 0;
520 }
521 
522 /** Retry the rendezvous point of circ by launching a new circuit to it. */
523 static void
525 {
526  int flags = 0;
527  origin_circuit_t *new_circ;
528  cpath_build_state_t *bstate;
529 
530  tor_assert(circ);
531  /* This is initialized when allocating an origin circuit. */
532  tor_assert(circ->build_state);
534 
535  /* Ease our life. */
536  bstate = circ->build_state;
537 
538  log_info(LD_REND, "Retrying rendezvous point circuit to %s",
539  safe_str_client(extend_info_describe(bstate->chosen_exit)));
540 
541  /* Get the current build state flags for the next circuit. */
542  flags |= (bstate->need_uptime) ? CIRCLAUNCH_NEED_UPTIME : 0;
543  flags |= (bstate->need_capacity) ? CIRCLAUNCH_NEED_CAPACITY : 0;
544  flags |= (bstate->is_internal) ? CIRCLAUNCH_IS_INTERNAL : 0;
545 
546  /* We do NOT add the onehop tunnel flag even though it might be a single
547  * onion service. The reason is that if we failed once to connect to the RP
548  * with a direct connection, we consider that chances are that we will fail
549  * again so try a 3-hop circuit and hope for the best. Because the service
550  * has no anonymity (single onion), this change of behavior won't affect
551  * security directly. */
552 
554  bstate->chosen_exit, flags);
555  if (new_circ == NULL) {
556  log_warn(LD_REND, "Failed to launch rendezvous circuit to %s",
557  safe_str_client(extend_info_describe(bstate->chosen_exit)));
558  goto done;
559  }
560 
561  /* Transfer build state information to the new circuit state in part to
562  * catch any other failures. */
563  new_circ->build_state->failure_count = bstate->failure_count+1;
564  new_circ->build_state->expiry_time = bstate->expiry_time;
565  new_circ->hs_ident = hs_ident_circuit_dup(circ->hs_ident);
566 
567  done:
568  return;
569 }
570 
571 /** Using the given descriptor intro point ip, the node of the
572  * rendezvous point rp_node and the service's subcredential, populate the
573  * already allocated intro1_data object with the needed key material and link
574  * specifiers.
575  *
576  * Return 0 on success or a negative value if we couldn't properly filled the
577  * introduce1 data from the RP node. In other word, it means the RP node is
578  * unusable to use in the introduction. */
579 static int
581  const node_t *rp_node,
582  const hs_subcredential_t *subcredential,
583  hs_cell_introduce1_data_t *intro1_data)
584 {
585  int ret = -1;
586  smartlist_t *rp_lspecs;
587 
588  tor_assert(ip);
589  tor_assert(rp_node);
590  tor_assert(subcredential);
591  tor_assert(intro1_data);
592 
593  /* Build the link specifiers from the node at the end of the rendezvous
594  * circuit that we opened for this introduction. */
595  rp_lspecs = node_get_link_specifier_smartlist(rp_node, 0);
596  if (smartlist_len(rp_lspecs) == 0) {
597  /* We can't rendezvous without link specifiers. */
598  smartlist_free(rp_lspecs);
599  goto end;
600  }
601 
602  /* Populate the introduce1 data object. */
603  memset(intro1_data, 0, sizeof(hs_cell_introduce1_data_t));
604  if (ip->legacy.key != NULL) {
605  intro1_data->is_legacy = 1;
606  intro1_data->legacy_key = ip->legacy.key;
607  }
608  intro1_data->auth_pk = &ip->auth_key_cert->signed_key;
609  intro1_data->enc_pk = &ip->enc_key;
610  intro1_data->subcredential = subcredential;
611  intro1_data->link_specifiers = rp_lspecs;
612  intro1_data->onion_pk = node_get_curve25519_onion_key(rp_node);
613  if (intro1_data->onion_pk == NULL) {
614  /* We can't rendezvous without the curve25519 onion key. */
615  goto end;
616  }
617  /* Success, we have valid introduce data. */
618  ret = 0;
619 
620  end:
621  return ret;
622 }
623 
624 /** Helper: cleanup function for client circuit. This is for every HS version.
625  * It is called from hs_circ_cleanup_on_close() entry point. */
626 static void
628 {
629  tor_assert(circ);
630 
631  if (circuit_is_hs_v3(circ)) {
633  }
634  /* It is possible the circuit has an HS purpose but no identifier (rend_data
635  * or hs_ident). Thus possible that this passes through. */
636 }
637 
638 /** Helper: cleanup function for client circuit. This is for every HS version.
639  * It is called from hs_circ_cleanup_on_free() entry point. */
640 static void
642 {
643  tor_assert(circ);
644 
645  if (circuit_is_hs_v2(circ)) {
647  } else if (circuit_is_hs_v3(circ)) {
649  }
650  /* It is possible the circuit has an HS purpose but no identifier (rend_data
651  * or hs_ident). Thus possible that this passes through. */
652 }
653 
654 /* ========== */
655 /* Public API */
656 /* ========== */
657 
658 /** Return an introduction point circuit matching the given intro point object.
659  * NULL is returned is no such circuit can be found. */
662 {
663  tor_assert(ip);
664 
665  if (ip->base.is_only_legacy) {
667  } else {
669  &ip->auth_key_kp.pubkey);
670  }
671 }
672 
673 /** Return an introduction point established circuit matching the given intro
674  * point object. The circuit purpose has to be CIRCUIT_PURPOSE_S_INTRO. NULL
675  * is returned is no such circuit can be found. */
678 {
679  origin_circuit_t *circ;
680 
681  tor_assert(ip);
682 
683  if (ip->base.is_only_legacy) {
685  } else {
687  &ip->auth_key_kp.pubkey);
688  }
689 
690  /* Only return circuit if it is established. */
691  return (circ && TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_S_INTRO) ?
692  circ : NULL;
693 }
694 
695 /** Called when we fail building a rendezvous circuit at some point other than
696  * the last hop: launches a new circuit to the same rendezvous point. This
697  * supports legacy service.
698  *
699  * We currently relaunch connections to rendezvous points if:
700  * - A rendezvous circuit timed out before connecting to RP.
701  * - The rendezvous circuit failed to connect to the RP.
702  *
703  * We avoid relaunching a connection to this rendezvous point if:
704  * - We have already tried MAX_REND_FAILURES times to connect to this RP,
705  * - We've been trying to connect to this RP for more than MAX_REND_TIMEOUT
706  * seconds, or
707  * - We've already retried this specific rendezvous circuit.
708  */
709 void
711 {
712  tor_assert(circ);
714 
715  /* Check if we are allowed to relaunch to the rendezvous point of circ. */
717  goto done;
718  }
719 
720  /* Flag the circuit that we are relaunching, to avoid to relaunch twice a
721  * circuit to the same rendezvous point at the same time. */
723 
724  /* Legacy services don't have a hidden service ident. */
725  if (circ->hs_ident) {
727  } else {
729  }
730 
731  done:
732  return;
733 }
734 
735 /** For a given service and a service intro point, launch a circuit to the
736  * extend info ei. If the service is a single onion, and direct_conn is true,
737  * a one-hop circuit will be requested.
738  *
739  * Return 0 if the circuit was successfully launched and tagged
740  * with the correct identifier. On error, a negative value is returned. */
741 int
743  const hs_service_intro_point_t *ip,
744  extend_info_t *ei,
745  bool direct_conn)
746 {
747  /* Standard flags for introduction circuit. */
748  int ret = -1, circ_flags = CIRCLAUNCH_NEED_UPTIME | CIRCLAUNCH_IS_INTERNAL;
749  origin_circuit_t *circ;
750 
751  tor_assert(service);
752  tor_assert(ip);
753  tor_assert(ei);
754 
755  /* Update circuit flags in case of a single onion service that requires a
756  * direct connection. */
757  tor_assert_nonfatal(ip->circuit_retries > 0);
758  /* Only single onion services can make direct conns */
759  if (BUG(!service->config.is_single_onion && direct_conn)) {
760  goto end;
761  }
762  /* We only use a one-hop path on the first attempt. If the first attempt
763  * fails, we use a 3-hop path for reachability / reliability.
764  * (Unlike v2, retries is incremented by the caller before it calls this
765  * function.) */
766  if (direct_conn && ip->circuit_retries == 1) {
767  circ_flags |= CIRCLAUNCH_ONEHOP_TUNNEL;
768  }
769 
770  log_info(LD_REND, "Launching a circuit to intro point %s for service %s.",
771  safe_str_client(extend_info_describe(ei)),
772  safe_str_client(service->onion_address));
773 
774  /* Note down the launch for the retry period. Even if the circuit fails to
775  * be launched, we still want to respect the retry period to avoid stress on
776  * the circuit subsystem. */
777  service->state.num_intro_circ_launched++;
779  ei, circ_flags);
780  if (circ == NULL) {
781  goto end;
782  }
783 
784  /* Setup the circuit identifier and attach it to it. */
785  circ->hs_ident = create_intro_circuit_identifier(service, ip);
786  tor_assert(circ->hs_ident);
787  /* Register circuit in the global circuitmap. */
788  register_intro_circ(ip, circ);
789 
790  /* Success. */
791  ret = 0;
792  end:
793  return ret;
794 }
795 
796 /** Called when a service introduction point circuit is done building. Given
797  * the service and intro point object, this function will send the
798  * ESTABLISH_INTRO cell on the circuit. Return 0 on success. Return 1 if the
799  * circuit has been repurposed to General because we already have too many
800  * opened. */
801 int
804  const hs_service_descriptor_t *desc,
805  origin_circuit_t *circ)
806 {
807  int ret = 0;
808  unsigned int num_intro_circ, num_needed_circ;
809 
810  tor_assert(service);
811  tor_assert(ip);
812  tor_assert(desc);
813  tor_assert(circ);
814 
815  /* Cound opened circuits that have sent ESTABLISH_INTRO cells or are already
816  * established introduction circuits */
817  num_intro_circ = count_opened_desc_intro_point_circuits(service, desc);
818  num_needed_circ = service->config.num_intro_points;
819  if (num_intro_circ > num_needed_circ) {
820  /* There are too many opened valid intro circuit for what the service
821  * needs so repurpose this one. */
822 
823  /* XXX: Legacy code checks options->ExcludeNodes and if not NULL it just
824  * closes the circuit. I have NO idea why it does that so it hasn't been
825  * added here. I can only assume in case our ExcludeNodes list changes but
826  * in that case, all circuit are flagged unusable (config.c). --dgoulet */
827 
828  log_info(LD_CIRC | LD_REND, "Introduction circuit just opened but we "
829  "have enough for service %s. Repurposing "
830  "it to general and leaving internal.",
831  safe_str_client(service->onion_address));
833  /* Remove it from the circuitmap. */
835  /* Cleaning up the hidden service identifier and repurpose. */
836  hs_ident_circuit_free(circ->hs_ident);
837  circ->hs_ident = NULL;
838  if (circuit_should_use_vanguards(TO_CIRCUIT(circ)->purpose))
840  else
842 
843  /* Inform that this circuit just opened for this new purpose. */
844  circuit_has_opened(circ);
845  /* This return value indicate to the caller that the IP object should be
846  * removed from the service because it's corresponding circuit has just
847  * been repurposed. */
848  ret = 1;
849  goto done;
850  }
851 
852  log_info(LD_REND, "Introduction circuit %u established for service %s.",
853  TO_CIRCUIT(circ)->n_circ_id,
854  safe_str_client(service->onion_address));
856 
857  /* Time to send an ESTABLISH_INTRO cell on this circuit. On error, this call
858  * makes sure the circuit gets closed. */
859  send_establish_intro(service, ip, circ);
860 
861  done:
862  return ret;
863 }
864 
865 /** Called when a service rendezvous point circuit is done building. Given the
866  * service and the circuit, this function will send a RENDEZVOUS1 cell on the
867  * circuit using the information in the circuit identifier. If the cell can't
868  * be sent, the circuit is closed. */
869 void
871  origin_circuit_t *circ)
872 {
873  size_t payload_len;
874  uint8_t payload[RELAY_PAYLOAD_SIZE] = {0};
875 
876  tor_assert(service);
877  tor_assert(circ);
878  tor_assert(circ->hs_ident);
879 
880  /* Some useful logging. */
881  log_info(LD_REND, "Rendezvous circuit %u has opened with cookie %s "
882  "for service %s",
883  TO_CIRCUIT(circ)->n_circ_id,
884  hex_str((const char *) circ->hs_ident->rendezvous_cookie,
886  safe_str_client(service->onion_address));
888 
889  /* This can't fail. */
890  payload_len = hs_cell_build_rendezvous1(
892  sizeof(circ->hs_ident->rendezvous_cookie),
894  sizeof(circ->hs_ident->rendezvous_handshake_info),
895  payload);
896 
897  /* Pad the payload with random bytes so it matches the size of a legacy cell
898  * which is normally always bigger. Also, the size of a legacy cell is
899  * always smaller than the RELAY_PAYLOAD_SIZE so this is safe. */
900  if (payload_len < HS_LEGACY_RENDEZVOUS_CELL_SIZE) {
901  crypto_rand((char *) payload + payload_len,
902  HS_LEGACY_RENDEZVOUS_CELL_SIZE - payload_len);
903  payload_len = HS_LEGACY_RENDEZVOUS_CELL_SIZE;
904  }
905 
906  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
907  RELAY_COMMAND_RENDEZVOUS1,
908  (const char *) payload, payload_len,
909  circ->cpath->prev) < 0) {
910  /* On error, circuit is closed. */
911  log_warn(LD_REND, "Unable to send RENDEZVOUS1 cell on circuit %u "
912  "for service %s",
913  TO_CIRCUIT(circ)->n_circ_id,
914  safe_str_client(service->onion_address));
915  goto done;
916  }
917 
918  /* Setup end-to-end rendezvous circuit between the client and us. */
921  sizeof(circ->hs_ident->rendezvous_ntor_key_seed),
922  1) < 0) {
923  log_warn(LD_GENERAL, "Failed to setup circ");
924  goto done;
925  }
926 
927  done:
928  memwipe(payload, 0, sizeof(payload));
929 }
930 
931 /** Circ has been expecting an INTRO_ESTABLISHED cell that just arrived. Handle
932  * the INTRO_ESTABLISHED cell payload of length payload_len arriving on the
933  * given introduction circuit circ. The service is only used for logging
934  * purposes. Return 0 on success else a negative value. */
935 int
937  const hs_service_intro_point_t *ip,
938  origin_circuit_t *circ,
939  const uint8_t *payload, size_t payload_len)
940 {
941  int ret = -1;
942 
943  tor_assert(service);
944  tor_assert(ip);
945  tor_assert(circ);
946  tor_assert(payload);
947 
948  if (BUG(TO_CIRCUIT(circ)->purpose != CIRCUIT_PURPOSE_S_ESTABLISH_INTRO)) {
949  goto done;
950  }
951 
952  /* Try to parse the payload into a cell making sure we do actually have a
953  * valid cell. For a legacy node, it's an empty payload so as long as we
954  * have the cell, we are good. */
955  if (!ip->base.is_only_legacy &&
956  hs_cell_parse_intro_established(payload, payload_len) < 0) {
957  log_warn(LD_REND, "Unable to parse the INTRO_ESTABLISHED cell on "
958  "circuit %u for service %s",
959  TO_CIRCUIT(circ)->n_circ_id,
960  safe_str_client(service->onion_address));
961  goto done;
962  }
963 
964  /* Switch the purpose to a fully working intro point. */
966  /* Getting a valid INTRODUCE_ESTABLISHED means we've successfully used the
967  * circuit so update our pathbias subsystem. */
969  /* Success. */
970  ret = 0;
971 
972  done:
973  return ret;
974 }
975 
976 /**
977  * Go into <b>data</b> and add the right subcredential to be able to handle
978  * this incoming cell.
979  *
980  * <b>desc_subcred</b> is the subcredential of the descriptor that corresponds
981  * to the intro point that received this intro request. This subcredential
982  * should be used if we are not an onionbalance instance.
983  *
984  * Return 0 if everything went well, or -1 in case of internal error.
985  */
986 static int
989  const hs_subcredential_t *desc_subcred)
990 {
991  /* Handle the simple case first: We are not an onionbalance instance and we
992  * should just use the regular descriptor subcredential */
993  if (!hs_ob_service_is_instance(service)) {
994  data->n_subcredentials = 1;
995  data->subcredentials = desc_subcred;
996  return 0;
997  }
998 
999  /* This should not happen since we should have made onionbalance
1000  * subcredentials when we created our descriptors. */
1001  if (BUG(!service->state.ob_subcreds)) {
1002  return -1;
1003  }
1004 
1005  /* We are an onionbalance instance: */
1006  data->n_subcredentials = service->state.n_ob_subcreds;
1007  data->subcredentials = service->state.ob_subcreds;
1008 
1009  return 0;
1010 }
1011 
1012 /** We just received an INTRODUCE2 cell on the established introduction circuit
1013  * circ. Handle the INTRODUCE2 payload of size payload_len for the given
1014  * circuit and service. This cell is associated with the intro point object ip
1015  * and the subcredential. Return 0 on success else a negative value. */
1016 int
1018  const origin_circuit_t *circ,
1020  const hs_subcredential_t *subcredential,
1021  const uint8_t *payload, size_t payload_len)
1022 {
1023  int ret = -1;
1024  time_t elapsed;
1026 
1027  tor_assert(service);
1028  tor_assert(circ);
1029  tor_assert(ip);
1030  tor_assert(subcredential);
1031  tor_assert(payload);
1032 
1033  /* Populate the data structure with everything we need for the cell to be
1034  * parsed, decrypted and key material computed correctly. */
1035  data.auth_pk = &ip->auth_key_kp.pubkey;
1036  data.enc_kp = &ip->enc_key_kp;
1037  data.payload = payload;
1038  data.payload_len = payload_len;
1039  data.link_specifiers = smartlist_new();
1040  data.replay_cache = ip->replay_cache;
1041 
1043  &data, subcredential)) {
1044  goto done;
1045  }
1046 
1047  if (hs_cell_parse_introduce2(&data, circ, service) < 0) {
1048  goto done;
1049  }
1050 
1051  /* Check whether we've seen this REND_COOKIE before to detect repeats. */
1054  data.rendezvous_cookie, sizeof(data.rendezvous_cookie),
1055  &elapsed)) {
1056  /* A Tor client will send a new INTRODUCE1 cell with the same REND_COOKIE
1057  * as its previous one if its intro circ times out while in state
1058  * CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT. If we received the first
1059  * INTRODUCE1 cell (the intro-point relay converts it into an INTRODUCE2
1060  * cell), we are already trying to connect to that rend point (and may
1061  * have already succeeded); drop this cell. */
1062  log_info(LD_REND, "We received an INTRODUCE2 cell with same REND_COOKIE "
1063  "field %ld seconds ago. Dropping cell.",
1064  (long int) elapsed);
1065  goto done;
1066  }
1067 
1068  /* At this point, we just confirmed that the full INTRODUCE2 cell is valid
1069  * so increment our counter that we've seen one on this intro point. */
1070  ip->introduce2_count++;
1071 
1072  /* Launch rendezvous circuit with the onion key and rend cookie. */
1073  launch_rendezvous_point_circuit(service, ip, &data);
1074  /* Success. */
1075  ret = 0;
1076 
1077  done:
1078  link_specifier_smartlist_free(data.link_specifiers);
1079  memwipe(&data, 0, sizeof(data));
1080  return ret;
1081 }
1082 
1083 /** Circuit <b>circ</b> just finished the rend ntor key exchange. Use the key
1084  * exchange output material at <b>ntor_key_seed</b> and setup <b>circ</b> to
1085  * serve as a rendezvous end-to-end circuit between the client and the
1086  * service. If <b>is_service_side</b> is set, then we are the hidden service
1087  * and the other side is the client.
1088  *
1089  * Return 0 if the operation went well; in case of error return -1. */
1090 int
1092  const uint8_t *ntor_key_seed, size_t seed_len,
1093  int is_service_side)
1094 {
1095  if (BUG(!circuit_purpose_is_correct_for_rend(TO_CIRCUIT(circ)->purpose,
1096  is_service_side))) {
1097  return -1;
1098  }
1099 
1100  crypt_path_t *hop = create_rend_cpath(ntor_key_seed, seed_len,
1101  is_service_side);
1102  if (!hop) {
1103  log_warn(LD_REND, "Couldn't get v3 %s cpath!",
1104  is_service_side ? "service-side" : "client-side");
1105  return -1;
1106  }
1107 
1108  finalize_rend_circuit(circ, hop, is_service_side);
1109 
1110  return 0;
1111 }
1112 
1113 /** We are a v2 legacy HS client and we just received a RENDEZVOUS1 cell
1114  * <b>rend_cell_body</b> on <b>circ</b>. Finish up the DH key exchange and then
1115  * extend the crypt path of <b>circ</b> so that the hidden service is on the
1116  * other side. */
1117 int
1119  const uint8_t *rend_cell_body)
1120 {
1121 
1123  TO_CIRCUIT(circ)->purpose, 0))) {
1124  return -1;
1125  }
1126 
1127  crypt_path_t *hop = create_rend_cpath_legacy(circ, rend_cell_body);
1128  if (!hop) {
1129  log_warn(LD_GENERAL, "Couldn't get v2 cpath.");
1130  return -1;
1131  }
1132 
1133  finalize_rend_circuit(circ, hop, 0);
1134 
1135  return 0;
1136 }
1137 
1138 /** Given the introduction circuit intro_circ, the rendezvous circuit
1139  * rend_circ, a descriptor intro point object ip and the service's
1140  * subcredential, send an INTRODUCE1 cell on intro_circ.
1141  *
1142  * This will also setup the circuit identifier on rend_circ containing the key
1143  * material for the handshake and e2e encryption. Return 0 on success else
1144  * negative value. Because relay_send_command_from_edge() closes the circuit
1145  * on error, it is possible that intro_circ is closed on error. */
1146 int
1148  origin_circuit_t *rend_circ,
1149  const hs_desc_intro_point_t *ip,
1150  const hs_subcredential_t *subcredential)
1151 {
1152  int ret = -1;
1153  ssize_t payload_len;
1154  uint8_t payload[RELAY_PAYLOAD_SIZE] = {0};
1155  hs_cell_introduce1_data_t intro1_data;
1156 
1157  tor_assert(intro_circ);
1158  tor_assert(rend_circ);
1159  tor_assert(ip);
1160  tor_assert(subcredential);
1161 
1162  /* It is undefined behavior in hs_cell_introduce1_data_clear() if intro1_data
1163  * has been declared on the stack but not initialized. Here, we set it to 0.
1164  */
1165  memset(&intro1_data, 0, sizeof(hs_cell_introduce1_data_t));
1166 
1167  /* This takes various objects in order to populate the introduce1 data
1168  * object which is used to build the content of the cell. */
1169  const node_t *exit_node = build_state_get_exit_node(rend_circ->build_state);
1170  if (exit_node == NULL) {
1171  log_info(LD_REND, "Unable to get rendezvous point for circuit %u. "
1172  "Failing.", TO_CIRCUIT(intro_circ)->n_circ_id);
1173  goto done;
1174  }
1175 
1176  /* We should never select an invalid rendezvous point in theory but if we
1177  * do, this function will fail to populate the introduce data. */
1178  if (setup_introduce1_data(ip, exit_node, subcredential, &intro1_data) < 0) {
1179  log_warn(LD_REND, "Unable to setup INTRODUCE1 data. The chosen rendezvous "
1180  "point is unusable. Closing circuit.");
1181  goto close;
1182  }
1183 
1184  /* Final step before we encode a cell, we setup the circuit identifier which
1185  * will generate both the rendezvous cookie and client keypair for this
1186  * connection. Those are put in the ident. */
1187  intro1_data.rendezvous_cookie = rend_circ->hs_ident->rendezvous_cookie;
1188  intro1_data.client_kp = &rend_circ->hs_ident->rendezvous_client_kp;
1189 
1190  memcpy(intro_circ->hs_ident->rendezvous_cookie,
1191  rend_circ->hs_ident->rendezvous_cookie,
1192  sizeof(intro_circ->hs_ident->rendezvous_cookie));
1193 
1194  /* From the introduce1 data object, this will encode the INTRODUCE1 cell
1195  * into payload which is then ready to be sent as is. */
1196  payload_len = hs_cell_build_introduce1(&intro1_data, payload);
1197  if (BUG(payload_len < 0)) {
1198  goto close;
1199  }
1200 
1201  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(intro_circ),
1202  RELAY_COMMAND_INTRODUCE1,
1203  (const char *) payload, payload_len,
1204  intro_circ->cpath->prev) < 0) {
1205  /* On error, circuit is closed. */
1206  log_warn(LD_REND, "Unable to send INTRODUCE1 cell on circuit %u.",
1207  TO_CIRCUIT(intro_circ)->n_circ_id);
1208  goto done;
1209  }
1210 
1211  /* Success. */
1212  ret = 0;
1213  goto done;
1214 
1215  close:
1216  circuit_mark_for_close(TO_CIRCUIT(rend_circ), END_CIRC_REASON_INTERNAL);
1217  done:
1218  hs_cell_introduce1_data_clear(&intro1_data);
1219  memwipe(payload, 0, sizeof(payload));
1220  return ret;
1221 }
1222 
1223 /** Send an ESTABLISH_RENDEZVOUS cell along the rendezvous circuit circ. On
1224  * success, 0 is returned else -1 and the circuit is marked for close. */
1225 int
1227 {
1228  ssize_t cell_len = 0;
1229  uint8_t cell[RELAY_PAYLOAD_SIZE] = {0};
1230 
1231  tor_assert(circ);
1233 
1234  log_info(LD_REND, "Send an ESTABLISH_RENDEZVOUS cell on circuit %u",
1235  TO_CIRCUIT(circ)->n_circ_id);
1236 
1237  /* Set timestamp_dirty, because circuit_expire_building expects it,
1238  * and the rend cookie also means we've used the circ. */
1239  TO_CIRCUIT(circ)->timestamp_dirty = time(NULL);
1240 
1241  /* We've attempted to use this circuit. Probe it if we fail */
1243 
1244  /* Generate the RENDEZVOUS_COOKIE and place it in the identifier so we can
1245  * complete the handshake when receiving the acknowledgement. */
1247  /* Generate the client keypair. No need to be extra strong, not long term */
1249 
1250  cell_len =
1252  cell);
1253  if (BUG(cell_len < 0)) {
1254  goto err;
1255  }
1256 
1257  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
1258  RELAY_COMMAND_ESTABLISH_RENDEZVOUS,
1259  (const char *) cell, cell_len,
1260  circ->cpath->prev) < 0) {
1261  /* Circuit has been marked for close */
1262  log_warn(LD_REND, "Unable to send ESTABLISH_RENDEZVOUS cell on "
1263  "circuit %u", TO_CIRCUIT(circ)->n_circ_id);
1264  memwipe(cell, 0, cell_len);
1265  goto err;
1266  }
1267 
1268  memwipe(cell, 0, cell_len);
1269  return 0;
1270  err:
1271  return -1;
1272 }
1273 
1274 /** Circuit cleanup strategy:
1275  *
1276  * What follows is a series of functions that notifies the HS subsystem of 3
1277  * different circuit cleanup phase: close, free and repurpose.
1278  *
1279  * Tor can call any of those in any orders so they have to be safe between
1280  * each other. In other words, the free should never depend on close to be
1281  * called before.
1282  *
1283  * The "on_close()" is called from circuit_mark_for_close() which is
1284  * considered the tor fast path and thus as little work as possible should
1285  * done in that function. Currently, we only remove the circuit from the HS
1286  * circuit map and move on.
1287  *
1288  * The "on_free()" is called from circuit circuit_free_() and it is very
1289  * important that at the end of the function, no state or objects related to
1290  * this circuit remains alive.
1291  *
1292  * The "on_repurpose()" is called from circuit_change_purpose() for which we
1293  * simply remove it from the HS circuit map. We do not have other cleanup
1294  * requirements after that.
1295  *
1296  * NOTE: The onion service code, specifically the service code, cleans up
1297  * lingering objects or state if any of its circuit disappear which is why
1298  * our cleanup strategy doesn't involve any service specific actions. As long
1299  * as the circuit is removed from the HS circuit map, it won't be used.
1300  */
1301 
1302 /** We are about to close this <b>circ</b>. Clean it up from any related HS
1303  * data structures. This function can be called multiple times safely for the
1304  * same circuit. */
1305 void
1307 {
1308  tor_assert(circ);
1309 
1312  }
1313 
1314  /* On close, we simply remove it from the circuit map. It can not be used
1315  * anymore. We keep this code path fast and lean. */
1316 
1317  if (circ->hs_token) {
1319  }
1320 }
1321 
1322 /** We are about to free this <b>circ</b>. Clean it up from any related HS
1323  * data structures. This function can be called multiple times safely for the
1324  * same circuit. */
1325 void
1327 {
1328  tor_assert(circ);
1329 
1330  /* NOTE: Bulk of the work of cleaning up a circuit is done here. */
1331 
1334  }
1335 
1336  /* We have no assurance that the given HS circuit has been closed before and
1337  * thus removed from the HS map. This actually happens in unit tests. */
1338  if (circ->hs_token) {
1340  }
1341 }
1342 
1343 /** We are about to repurpose this <b>circ</b>. Clean it up from any related
1344  * HS data structures. This function can be called multiple times safely for
1345  * the same circuit. */
1346 void
1348 {
1349  tor_assert(circ);
1350 
1351  /* On repurpose, we simply remove it from the circuit map but we do not do
1352  * the on_free actions since we don't treat a repurpose as something we need
1353  * to report in the client cache failure. */
1354 
1355  if (circ->hs_token) {
1357  }
1358 }
1359 
1360 /** Return true iff the given established client rendezvous circuit was sent
1361  * into the INTRODUCE1 cell. This is called so we can take a decision on
1362  * expiring or not the circuit.
1363  *
1364  * The caller MUST make sure the circuit is an established client rendezvous
1365  * circuit (purpose: CIRCUIT_PURPOSE_C_REND_READY).
1366  *
1367  * This function supports all onion service versions. */
1368 bool
1370 {
1371  tor_assert(circ);
1372  /* This can only be called for a rendezvous circuit that is an established
1373  * confirmed rendezsvous circuit but without an introduction ACK. */
1375 
1376  /* The v2 and v3 circuit are handled differently:
1377  *
1378  * v2: A circ's pending_final_cpath field is non-NULL iff it is a rend circ
1379  * and we have tried to send an INTRODUCE1 cell specifying it. Thus, if the
1380  * pending_final_cpath field *is* NULL, then we want to not spare it.
1381  *
1382  * v3: When the INTRODUCE1 cell is sent, the introduction encryption public
1383  * key is copied in the rendezvous circuit hs identifier. If it is a valid
1384  * key, we know that this circuit is waiting the ACK on the introduction
1385  * circuit. We want to _not_ spare the circuit if the key was never set. */
1386 
1387  if (circ->rend_data) {
1388  /* v2. */
1389  if (circ->build_state && circ->build_state->pending_final_cpath != NULL) {
1390  return true;
1391  }
1392  } else if (circ->hs_ident) {
1393  /* v3. */
1395  return true;
1396  }
1397  } else {
1398  /* A circuit with an HS purpose without an hs_ident or rend_data in theory
1399  * can not happen. In case, scream loudly and return false to the caller
1400  * that the rendezvous was not sent in the INTRO1 cell. */
1401  tor_assert_nonfatal_unreached();
1402  }
1403 
1404  /* The rendezvous has not been specified in the INTRODUCE1 cell. */
1405  return false;
1406 }
#define RELAY_PAYLOAD_SIZE
Definition: or.h:605
int hs_circ_send_introduce1(origin_circuit_t *intro_circ, origin_circuit_t *rend_circ, const hs_desc_intro_point_t *ip, const hs_subcredential_t *subcredential)
Definition: hs_circuit.c:1147
int hs_circuit_setup_e2e_rend_circ_legacy_client(origin_circuit_t *circ, const uint8_t *rend_cell_body)
Definition: hs_circuit.c:1118
#define CIRCLAUNCH_ONEHOP_TUNNEL
Definition: circuituse.h:39
#define CIRCLAUNCH_IS_INTERNAL
Definition: circuituse.h:46
hs_service_state_t state
Definition: hs_service.h:303
void crypto_rand(char *to, size_t n)
Definition: crypto_rand.c:477
extend_info_t * hs_get_extend_info_from_lspecs(const smartlist_t *lspecs, const curve25519_public_key_t *onion_key, int direct_conn)
Definition: hs_common.c:1713
#define CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED
Definition: circuitlist.h:88
static int can_relaunch_service_rendezvous_point(const origin_circuit_t *circ)
Definition: hs_circuit.c:478
unsigned int num_intro_circ_launched
Definition: hs_service.h:270
Common functions for using (pseudo-)random number generators.
Definition: node_st.h:34
digest256map_t * map
Definition: hs_service.h:97
Header file containing service data for the HS subsytem.
Headers for crypto_dh.c.
void cpath_extend_linked_list(crypt_path_t **head_ptr, crypt_path_t *new_hop)
Definition: crypt_path.c:44
uint8_t rendezvous_cookie[HS_REND_COOKIE_LEN]
Definition: hs_ident.h:60
int curve25519_public_key_is_ok(const curve25519_public_key_t *key)
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
smartlist_t * link_specifiers
Definition: hs_cell.h:42
ed25519_public_key_t signed_key
Definition: torcert.h:30
void circuit_try_attaching_streams(origin_circuit_t *circ)
Definition: circuituse.c:1755
Header file containing client data for the HS subsytem.
extend_info_t * chosen_exit
const char * extend_info_describe(const extend_info_t *ei)
Definition: describe.c:204
const uint8_t * payload
Definition: hs_cell.h:69
curve25519_keypair_t rendezvous_client_kp
Definition: hs_ident.h:72
replaycache_t * replay_cache
Definition: hs_cell.h:84
void rend_service_relaunch_rendezvous(origin_circuit_t *oldcirc)
Definition: rendservice.c:2998
unsigned int num_intro_points
Definition: hs_service.h:224
#define LD_GENERAL
Definition: log.h:62
#define CIRCLAUNCH_NEED_UPTIME
Definition: circuituse.h:41
void hs_circ_cleanup_on_repurpose(circuit_t *circ)
Definition: hs_circuit.c:1347
Path structures for origin circuits.
bool hs_circ_is_rend_sent_in_intro1(const origin_circuit_t *circ)
Definition: hs_circuit.c:1369
bool circuit_is_hs_v3(const circuit_t *circ)
Definition: circuituse.c:2014
#define LOG_INFO
Definition: log.h:45
Header file for describe.c.
ssize_t hs_cell_build_establish_intro(const char *circ_nonce, const hs_service_config_t *service_config, const hs_service_intro_point_t *ip, uint8_t *cell_out)
Definition: hs_cell.c:614
Header file for nodelist.c.
#define CIRCWINDOW_START
Definition: or.h:501
uint8_t state
Definition: circuit_st.h:110
struct hs_desc_intro_point_t::@16 legacy
ssize_t hs_cell_build_rendezvous1(const uint8_t *rendezvous_cookie, size_t rendezvous_cookie_len, const uint8_t *rendezvous_handshake_info, size_t rendezvous_handshake_info_len, uint8_t *cell_out)
Definition: hs_cell.c:971
curve25519_keypair_t enc_key_kp
Definition: hs_service.h:51
replaycache_t * replay_cache
Definition: hs_service.h:78
uint8_t purpose
Definition: circuit_st.h:111
#define MAX_REND_TIMEOUT
Definition: hs_common.h:50
#define HS_REND_COOKIE_LEN
Definition: hs_ident.h:30
const curve25519_public_key_t * onion_pk
Definition: hs_cell.h:36
Node information structure.
static int get_subcredential_for_handling_intro2_cell(const hs_service_t *service, hs_cell_introduce2_data_t *data, const hs_subcredential_t *desc_subcred)
Definition: hs_circuit.c:987
#define TO_CIRCUIT(x)
Definition: or.h:951
#define CIRCUIT_PURPOSE_C_REND_READY
Definition: circuitlist.h:85
Header file for config.c.
hs_ident_circuit_t * hs_ident_circuit_new(const ed25519_public_key_t *identity_pk)
Definition: hs_ident.c:16
crypt_path_t * cpath
#define tor_assert(expr)
Definition: util_bug.h:102
struct crypt_path_t * prev
Definition: crypt_path_st.h:75
static void finalize_rend_circuit(origin_circuit_t *circ, crypt_path_t *hop, int is_service_side)
Definition: hs_circuit.c:161
#define CIRCUIT_PURPOSE_S_ESTABLISH_INTRO
Definition: circuitlist.h:103
#define tor_free(p)
Definition: malloc.h:52
uint16_t marked_for_close
Definition: circuit_st.h:189
static void retry_service_rendezvous_point(const origin_circuit_t *circ)
Definition: hs_circuit.c:524
int replaycache_add_test_and_elapsed(replaycache_t *r, const void *data, size_t len, time_t *elapsed)
Definition: replaycache.c:195
STATIC hs_ident_circuit_t * create_rp_circuit_identifier(const hs_service_t *service, const uint8_t *rendezvous_cookie, const curve25519_public_key_t *server_pk, const hs_ntor_rend_cell_keys_t *keys)
Definition: hs_circuit.c:252
origin_circuit_t * hs_circuitmap_get_intro_circ_v2_service_side(const uint8_t *digest)
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
smartlist_t * ports
Definition: hs_service.h:207
smartlist_t * smartlist_new(void)
const struct hs_subcredential_t * subcredentials
Definition: hs_cell.h:67
curve25519_public_key_t client_pk
Definition: hs_cell.h:80
const ed25519_public_key_t * auth_pk
Definition: hs_cell.h:30
void hs_circ_cleanup_on_free(circuit_t *circ)
Definition: hs_circuit.c:1326
#define STATIC
Definition: testsupport.h:32
#define tor_memneq(a, b, sz)
Definition: di_ops.h:21
Circuit-build-stse structure.
#define MAX_REND_FAILURES
Definition: hs_common.h:47
const curve25519_public_key_t * enc_pk
Definition: hs_cell.h:32
int circuit_should_use_vanguards(uint8_t purpose)
Definition: circuituse.c:2031
unsigned int is_legacy
Definition: hs_cell.h:25
int hs_circ_service_intro_has_opened(hs_service_t *service, hs_service_intro_point_t *ip, const hs_service_descriptor_t *desc, origin_circuit_t *circ)
Definition: hs_circuit.c:802
#define DIGEST256_LEN
Definition: digest_sizes.h:23
Header file for policies.c.
void hs_client_circuit_cleanup_on_free(const circuit_t *circ)
Definition: hs_client.c:1877
origin_circuit_t * hs_circuitmap_get_intro_circ_v3_service_side(const ed25519_public_key_t *auth_key)
int ed25519_pubkey_eq(const ed25519_public_key_t *key1, const ed25519_public_key_t *key2)
int32_t circuit_initial_package_window(void)
Definition: circuitlist.c:972
const curve25519_public_key_t * node_get_curve25519_onion_key(const node_t *node)
Definition: nodelist.c:1916
Common functions for cryptographic routines.
Header for hs_ntor.c.
#define LD_CIRC
Definition: log.h:82
origin_circuit_t * hs_circ_service_get_intro_circ(const hs_service_intro_point_t *ip)
Definition: hs_circuit.c:661
int hs_circ_send_establish_rendezvous(origin_circuit_t *circ)
Definition: hs_circuit.c:1226
uint8_t rendezvous_handshake_info[CURVE25519_PUBKEY_LEN+DIGEST256_LEN]
Definition: hs_ident.h:68
unsigned int is_only_legacy
Definition: hs_intropoint.h:19
void hs_circ_cleanup_on_close(circuit_t *circ)
Definition: hs_circuit.c:1306
char onion_address[HS_SERVICE_ADDR_LEN_BASE32+1]
Definition: hs_service.h:296
#define DIGEST_LEN
Definition: digest_sizes.h:20
Origin circuit structure.
void hs_circ_service_rp_has_opened(const hs_service_t *service, origin_circuit_t *circ)
Definition: hs_circuit.c:870
Header file containing cell data for the whole HS subsytem.
void ed25519_pubkey_copy(ed25519_public_key_t *dest, const ed25519_public_key_t *src)
uint8_t rendezvous_cookie[REND_COOKIE_LEN]
Definition: hs_cell.h:78
Master header file for Tor-specific functionality.
const ed25519_public_key_t * auth_pk
Definition: hs_cell.h:55
#define CIRCUIT_STATE_OPEN
Definition: circuitlist.h:32
const char * hex_str(const char *from, size_t fromlen)
Definition: binascii.c:34
Header file for circuitbuild.c.
curve25519_public_key_t onion_pk
Definition: hs_cell.h:76
struct crypto_dh_t * rend_dh_handshake_state
Definition: crypt_path_st.h:55
Header file for rephist.c.
char rend_circ_nonce[DIGEST_LEN]
Definition: crypt_path_st.h:58
ed25519_keypair_t auth_key_kp
Definition: hs_service.h:48
hs_service_keys_t keys
Definition: hs_service.h:306
Header file containing circuit and connection identifier data for the whole HS subsytem.
static void cleanup_on_close_client_circ(circuit_t *circ)
Definition: hs_circuit.c:627
struct hs_token_t * hs_token
Definition: circuit_st.h:216
void hs_circuitmap_register_intro_circ_v3_service_side(origin_circuit_t *circ, const ed25519_public_key_t *auth_key)
Header file for circuituse.c.
ed25519_public_key_t identity_pk
Definition: hs_ident.h:45
ed25519_public_key_t intro_auth_pk
Definition: hs_ident.h:51
hs_service_config_t config
Definition: hs_service.h:309
const node_t * build_state_get_exit_node(cpath_build_state_t *state)
ed25519_public_key_t identity_pk
Definition: hs_service.h:172
unsigned int is_single_onion
Definition: hs_service.h:239
#define CIRCUIT_PURPOSE_C_ESTABLISH_REND
Definition: circuitlist.h:83
bool circuit_is_hs_v2(const circuit_t *circ)
Definition: circuituse.c:2006
const crypto_pk_t * legacy_key
Definition: hs_cell.h:28
Header file for hs_circuitmap.c.
#define CIRCUIT_PURPOSE_S_CONNECT_REND
Definition: circuitlist.h:109
#define LD_REND
Definition: log.h:84
Header file for circuitlist.c.
Header file for rendservice.c.
int hs_circ_handle_introduce2(const hs_service_t *service, const origin_circuit_t *circ, hs_service_intro_point_t *ip, const hs_subcredential_t *subcredential, const uint8_t *payload, size_t payload_len)
Definition: hs_circuit.c:1017
void circuit_log_path(int severity, unsigned int domain, origin_circuit_t *circ)
Definition: circuitbuild.c:357
int hs_circ_launch_intro_point(hs_service_t *service, const hs_service_intro_point_t *ip, extend_info_t *ei, bool direct_conn)
Definition: hs_circuit.c:742
int cpath_init_circuit_crypto(crypt_path_t *cpath, const char *key_data, size_t key_data_len, int reverse, int is_hs_v3)
Definition: crypt_path.c:150
#define CIRCLAUNCH_NEED_CAPACITY
Definition: circuituse.h:43
curve25519_public_key_t enc_key
void hs_circuitmap_remove_circuit(circuit_t *circ)
#define CIRCUIT_PURPOSE_S_INTRO
Definition: circuitlist.h:106
static crypt_path_t * create_rend_cpath_legacy(origin_circuit_t *circ, const uint8_t *rend_cell_body)
Definition: hs_circuit.c:114
#define DH1024_KEY_LEN
Definition: dh_sizes.h:20
ssize_t hs_cell_build_introduce1(const hs_cell_introduce1_data_t *data, uint8_t *cell_out)
Definition: hs_cell.c:1006
#define CIRCUIT_PURPOSE_HS_VANGUARDS
Definition: circuitlist.h:130
static int setup_introduce1_data(const hs_desc_intro_point_t *ip, const node_t *rp_node, const hs_subcredential_t *subcredential, hs_cell_introduce1_data_t *intro1_data)
Definition: hs_circuit.c:580
Header file containing circuit data for the whole HS subsytem.
const curve25519_keypair_t * client_kp
Definition: hs_cell.h:40
const uint8_t * rendezvous_cookie
Definition: hs_cell.h:38
hs_ident_circuit_t * hs_ident_circuit_dup(const hs_ident_circuit_t *src)
Definition: hs_ident.c:37
unsigned int hs_circ_has_timed_out
hs_service_intropoints_t intro_points
Definition: hs_service.h:156
static hs_ident_circuit_t * create_intro_circuit_identifier(const hs_service_t *service, const hs_service_intro_point_t *ip)
Definition: hs_circuit.c:291
void circuit_has_opened(origin_circuit_t *circ)
Definition: circuituse.c:1681
Header file for crypt_path.c.
int hs_circuit_setup_e2e_rend_circ(origin_circuit_t *circ, const uint8_t *ntor_key_seed, size_t seed_len, int is_service_side)
Definition: hs_circuit.c:1091
origin_circuit_t * circuit_launch_by_extend_info(uint8_t purpose, extend_info_t *extend_info, int flags)
Definition: circuituse.c:2101
int hs_circ_handle_intro_established(const hs_service_t *service, const hs_service_intro_point_t *ip, origin_circuit_t *circ, const uint8_t *payload, size_t payload_len)
Definition: hs_circuit.c:936
int hs_get_service_max_rend_failures(void)
Definition: hs_common.c:233
replaycache_t * replay_cache_rend_cookie
Definition: hs_service.h:277
Header file for relay.c.
crypt_path_t * pending_final_cpath
static const char * get_service_anonymity_string(const hs_service_t *service)
Definition: hs_circuit.c:357
void hs_cell_introduce1_data_clear(hs_cell_introduce1_data_t *data)
Definition: hs_cell.c:1128
int hs_ntor_circuit_key_expansion(const uint8_t *ntor_key_seed, size_t seed_len, uint8_t *keys_out, size_t keys_out_len)
Definition: hs_ntor.c:615
void hs_client_circuit_cleanup_on_close(const circuit_t *circ)
Definition: hs_client.c:1846
uint8_t rendezvous_ntor_key_seed[DIGEST256_LEN]
Definition: hs_ident.h:76
static int circuit_purpose_is_correct_for_rend(unsigned int circ_purpose, int is_service_side)
Definition: hs_circuit.c:50
cpath_build_state_t * build_state
#define CIRCUIT_PURPOSE_C_REND_JOINED
Definition: circuitlist.h:90
static void send_establish_intro(const hs_service_t *service, hs_service_intro_point_t *ip, origin_circuit_t *circ)
Definition: hs_circuit.c:311
rend_data_t * rend_data
#define HS_LEGACY_RENDEZVOUS_CELL_SIZE
Definition: hs_common.h:131
bool circuit_purpose_is_hs_client(const uint8_t purpose)
Definition: circuituse.c:1983
origin_circuit_t * hs_circ_service_get_established_intro_circ(const hs_service_intro_point_t *ip)
Definition: hs_circuit.c:677
int curve25519_keypair_generate(curve25519_keypair_t *keypair_out, int extra_strong)
#define log_fn(severity, domain, args,...)
Definition: log.h:287
void rend_client_circuit_cleanup_on_free(const circuit_t *circ)
Definition: rendclient.c:1257
bool hs_ob_service_is_instance(const hs_service_t *service)
Definition: hs_ob.c:201
curve25519_public_key_t intro_enc_pk
Definition: hs_ident.h:55
static void register_intro_circ(const hs_service_intro_point_t *ip, origin_circuit_t *circ)
Definition: hs_circuit.c:202
STATIC void launch_rendezvous_point_circuit(const hs_service_t *service, const hs_service_intro_point_t *ip, const hs_cell_introduce2_data_t *data)
Definition: hs_circuit.c:374
#define CIRCUIT_PURPOSE_C_GENERAL
Definition: circuitlist.h:72
const curve25519_keypair_t * enc_kp
Definition: hs_cell.h:59
void pathbias_count_use_attempt(origin_circuit_t *circ)
Definition: circpathbias.c:604
void circuit_change_purpose(circuit_t *circ, uint8_t new_purpose)
Definition: circuituse.c:3095
ssize_t hs_cell_parse_intro_established(const uint8_t *payload, size_t payload_len)
Definition: hs_cell.c:738
ssize_t hs_cell_build_establish_rendezvous(const uint8_t *rendezvous_cookie, uint8_t *cell_out)
Definition: hs_cell.c:1049
static crypt_path_t * create_rend_cpath(const uint8_t *ntor_key_seed, size_t seed_len, int is_service_side)
Definition: hs_circuit.c:80
#define REND_COOKIE_LEN
Definition: or.h:399
Header file for the specific code for onion balance.
hs_intropoint_t base
Definition: hs_service.h:40
ssize_t crypto_dh_compute_secret(int severity, crypto_dh_t *dh, const char *pubkey, size_t pubkey_len, char *secret_out, size_t secret_bytes_out)
Definition: crypto_dh.c:79
static unsigned int count_opened_desc_intro_point_circuits(const hs_service_t *service, const hs_service_descriptor_t *desc)
Definition: hs_circuit.c:220
void hs_circ_retry_service_rendezvous_point(origin_circuit_t *circ)
Definition: hs_circuit.c:710
#define CIRCUIT_PURPOSE_S_REND_JOINED
Definition: circuitlist.h:112
struct hs_ident_circuit_t * hs_ident
Header file for rendclient.c.
ssize_t hs_cell_parse_introduce2(hs_cell_introduce2_data_t *data, const origin_circuit_t *circ, const hs_service_t *service)
Definition: hs_cell.c:829
#define LD_PROTOCOL
Definition: log.h:72
int hs_service_requires_uptime_circ(const smartlist_t *ports)
Definition: hs_common.c:1132
smartlist_t * link_specifiers
Definition: hs_cell.h:82
void hs_circuitmap_register_intro_circ_v2_service_side(origin_circuit_t *circ, const uint8_t *digest)
void pathbias_mark_use_success(origin_circuit_t *circ)
Definition: circpathbias.c:661
unsigned int hs_service_side_rend_circ_has_been_relaunched
static void cleanup_on_free_client_circ(circuit_t *circ)
Definition: hs_circuit.c:641
#define LD_BUG
Definition: log.h:86
#define CURVE25519_PUBKEY_LEN
Definition: x25519_sizes.h:20
const struct hs_subcredential_t * subcredential
Definition: hs_cell.h:34
uint8_t state
Definition: crypt_path_st.h:68
uint8_t legacy_key_digest[DIGEST_LEN]
Definition: hs_service.h:58
tor_cert_t * auth_key_cert