tor  0.4.2.1-alpha-dev
hs_descriptor.c
Go to the documentation of this file.
1 /* Copyright (c) 2016-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
55 /* For unit tests.*/
56 #define HS_DESCRIPTOR_PRIVATE
57 
58 #include "core/or/or.h"
59 #include "trunnel/ed25519_cert.h" /* Trunnel interface. */
61 #include "core/or/circuitbuild.h"
65 #include "feature/rend/rendcache.h"
66 #include "feature/hs/hs_cache.h"
67 #include "feature/hs/hs_config.h"
68 #include "feature/nodelist/torcert.h" /* tor_cert_encode_ed22519() */
69 #include "lib/memarea/memarea.h"
71 
72 #include "core/or/extend_info_st.h"
73 
74 /* Constant string value used for the descriptor format. */
75 #define str_hs_desc "hs-descriptor"
76 #define str_desc_cert "descriptor-signing-key-cert"
77 #define str_rev_counter "revision-counter"
78 #define str_superencrypted "superencrypted"
79 #define str_encrypted "encrypted"
80 #define str_signature "signature"
81 #define str_lifetime "descriptor-lifetime"
82 /* Constant string value for the encrypted part of the descriptor. */
83 #define str_create2_formats "create2-formats"
84 #define str_intro_auth_required "intro-auth-required"
85 #define str_single_onion "single-onion-service"
86 #define str_intro_point "introduction-point"
87 #define str_ip_onion_key "onion-key"
88 #define str_ip_auth_key "auth-key"
89 #define str_ip_enc_key "enc-key"
90 #define str_ip_enc_key_cert "enc-key-cert"
91 #define str_ip_legacy_key "legacy-key"
92 #define str_ip_legacy_key_cert "legacy-key-cert"
93 #define str_intro_point_start "\n" str_intro_point " "
94 /* Constant string value for the construction to encrypt the encrypted data
95  * section. */
96 #define str_enc_const_superencryption "hsdir-superencrypted-data"
97 #define str_enc_const_encryption "hsdir-encrypted-data"
98 /* Prefix required to compute/verify HS desc signatures */
99 #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
100 #define str_desc_auth_type "desc-auth-type"
101 #define str_desc_auth_key "desc-auth-ephemeral-key"
102 #define str_desc_auth_client "auth-client"
103 #define str_encrypted "encrypted"
104 
105 /* Authentication supported types. */
106 static const struct {
107  hs_desc_auth_type_t type;
108  const char *identifier;
109 } intro_auth_types[] = {
110  { HS_DESC_AUTH_ED25519, "ed25519" },
111  /* Indicate end of array. */
112  { 0, NULL }
113 };
114 
115 /* Descriptor ruleset. */
116 static token_rule_t hs_desc_v3_token_table[] = {
117  T1_START(str_hs_desc, R_HS_DESCRIPTOR, EQ(1), NO_OBJ),
118  T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ),
119  T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ),
120  T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ),
121  T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ),
122  T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ),
124 };
125 
126 /* Descriptor ruleset for the superencrypted section. */
127 static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
128  T1_START(str_desc_auth_type, R3_DESC_AUTH_TYPE, GE(1), NO_OBJ),
129  T1(str_desc_auth_key, R3_DESC_AUTH_KEY, GE(1), NO_OBJ),
130  T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT, GE(3), NO_OBJ),
131  T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
133 };
134 
135 /* Descriptor ruleset for the encrypted section. */
136 static token_rule_t hs_desc_encrypted_v3_token_table[] = {
137  T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
138  T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
139  T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
141 };
142 
143 /* Descriptor ruleset for the introduction points section. */
144 static token_rule_t hs_desc_intro_point_v3_token_table[] = {
145  T1_START(str_intro_point, R3_INTRODUCTION_POINT, EQ(1), NO_OBJ),
146  T1N(str_ip_onion_key, R3_INTRO_ONION_KEY, GE(2), OBJ_OK),
147  T1(str_ip_auth_key, R3_INTRO_AUTH_KEY, NO_ARGS, NEED_OBJ),
148  T1(str_ip_enc_key, R3_INTRO_ENC_KEY, GE(2), OBJ_OK),
149  T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT, ARGS, OBJ_OK),
150  T01(str_ip_legacy_key, R3_INTRO_LEGACY_KEY, ARGS, NEED_KEY_1024),
151  T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT, ARGS, OBJ_OK),
153 };
154 
155 /* Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
156  * We use SHA3-256 for the MAC computation.
157  * This function can't fail. */
158 static void
159 build_mac(const uint8_t *mac_key, size_t mac_key_len,
160  const uint8_t *salt, size_t salt_len,
161  const uint8_t *encrypted, size_t encrypted_len,
162  uint8_t *mac_out, size_t mac_len)
163 {
164  crypto_digest_t *digest;
165 
166  const uint64_t mac_len_netorder = tor_htonll(mac_key_len);
167  const uint64_t salt_len_netorder = tor_htonll(salt_len);
168 
169  tor_assert(mac_key);
170  tor_assert(salt);
171  tor_assert(encrypted);
172  tor_assert(mac_out);
173 
174  digest = crypto_digest256_new(DIGEST_SHA3_256);
175  /* As specified in section 2.5 of proposal 224, first add the mac key
176  * then add the salt first and then the encrypted section. */
177 
178  crypto_digest_add_bytes(digest, (const char *) &mac_len_netorder, 8);
179  crypto_digest_add_bytes(digest, (const char *) mac_key, mac_key_len);
180  crypto_digest_add_bytes(digest, (const char *) &salt_len_netorder, 8);
181  crypto_digest_add_bytes(digest, (const char *) salt, salt_len);
182  crypto_digest_add_bytes(digest, (const char *) encrypted, encrypted_len);
183  crypto_digest_get_digest(digest, (char *) mac_out, mac_len);
184  crypto_digest_free(digest);
185 }
186 
187 /* Using a secret data and a given decriptor object, build the secret
188  * input needed for the KDF.
189  *
190  * secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
191  *
192  * Then, set the newly allocated buffer in secret_input_out and return the
193  * length of the buffer. */
194 static size_t
195 build_secret_input(const hs_descriptor_t *desc,
196  const uint8_t *secret_data,
197  size_t secret_data_len,
198  uint8_t **secret_input_out)
199 {
200  size_t offset = 0;
201  size_t secret_input_len = secret_data_len + DIGEST256_LEN + sizeof(uint64_t);
202  uint8_t *secret_input = NULL;
203 
204  tor_assert(desc);
205  tor_assert(secret_data);
206  tor_assert(secret_input_out);
207 
208  secret_input = tor_malloc_zero(secret_input_len);
209 
210  /* Copy the secret data. */
211  memcpy(secret_input, secret_data, secret_data_len);
212  offset += secret_data_len;
213  /* Copy subcredential. */
214  memcpy(secret_input + offset, desc->subcredential, DIGEST256_LEN);
215  offset += DIGEST256_LEN;
216  /* Copy revision counter value. */
217  set_uint64(secret_input + offset,
218  tor_htonll(desc->plaintext_data.revision_counter));
219  offset += sizeof(uint64_t);
220  tor_assert(secret_input_len == offset);
221 
222  *secret_input_out = secret_input;
223 
224  return secret_input_len;
225 }
226 
227 /* Do the KDF construction and put the resulting data in key_out which is of
228  * key_out_len length. It uses SHAKE-256 as specified in the spec. */
229 static void
230 build_kdf_key(const hs_descriptor_t *desc,
231  const uint8_t *secret_data,
232  size_t secret_data_len,
233  const uint8_t *salt, size_t salt_len,
234  uint8_t *key_out, size_t key_out_len,
235  int is_superencrypted_layer)
236 {
237  uint8_t *secret_input = NULL;
238  size_t secret_input_len;
239  crypto_xof_t *xof;
240 
241  tor_assert(desc);
242  tor_assert(secret_data);
243  tor_assert(salt);
244  tor_assert(key_out);
245 
246  /* Build the secret input for the KDF computation. */
247  secret_input_len = build_secret_input(desc, secret_data,
248  secret_data_len, &secret_input);
249 
250  xof = crypto_xof_new();
251  /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
252  crypto_xof_add_bytes(xof, secret_input, secret_input_len);
253  crypto_xof_add_bytes(xof, salt, salt_len);
254 
255  /* Feed in the right string constant based on the desc layer */
256  if (is_superencrypted_layer) {
257  crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_superencryption,
258  strlen(str_enc_const_superencryption));
259  } else {
260  crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_encryption,
261  strlen(str_enc_const_encryption));
262  }
263 
264  /* Eat from our KDF. */
265  crypto_xof_squeeze_bytes(xof, key_out, key_out_len);
266  crypto_xof_free(xof);
267  memwipe(secret_input, 0, secret_input_len);
268 
269  tor_free(secret_input);
270 }
271 
272 /* Using the given descriptor, secret data, and salt, run it through our
273  * KDF function and then extract a secret key in key_out, the IV in iv_out
274  * and MAC in mac_out. This function can't fail. */
275 static void
276 build_secret_key_iv_mac(const hs_descriptor_t *desc,
277  const uint8_t *secret_data,
278  size_t secret_data_len,
279  const uint8_t *salt, size_t salt_len,
280  uint8_t *key_out, size_t key_len,
281  uint8_t *iv_out, size_t iv_len,
282  uint8_t *mac_out, size_t mac_len,
283  int is_superencrypted_layer)
284 {
285  size_t offset = 0;
286  uint8_t kdf_key[HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN];
287 
288  tor_assert(desc);
289  tor_assert(secret_data);
290  tor_assert(salt);
291  tor_assert(key_out);
292  tor_assert(iv_out);
293  tor_assert(mac_out);
294 
295  build_kdf_key(desc, secret_data, secret_data_len,
296  salt, salt_len, kdf_key, sizeof(kdf_key),
297  is_superencrypted_layer);
298  /* Copy the bytes we need for both the secret key and IV. */
299  memcpy(key_out, kdf_key, key_len);
300  offset += key_len;
301  memcpy(iv_out, kdf_key + offset, iv_len);
302  offset += iv_len;
303  memcpy(mac_out, kdf_key + offset, mac_len);
304  /* Extra precaution to make sure we are not out of bound. */
305  tor_assert((offset + mac_len) == sizeof(kdf_key));
306  memwipe(kdf_key, 0, sizeof(kdf_key));
307 }
308 
309 /* === ENCODING === */
310 
311 /* Encode the given link specifier objects into a newly allocated string.
312  * This can't fail so caller can always assume a valid string being
313  * returned. */
314 STATIC char *
315 encode_link_specifiers(const smartlist_t *specs)
316 {
317  char *encoded_b64 = NULL;
318  link_specifier_list_t *lslist = link_specifier_list_new();
319 
320  tor_assert(specs);
321  /* No link specifiers is a code flow error, can't happen. */
322  tor_assert(smartlist_len(specs) > 0);
323  tor_assert(smartlist_len(specs) <= UINT8_MAX);
324 
325  link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
326 
327  SMARTLIST_FOREACH_BEGIN(specs, const link_specifier_t *,
328  spec) {
329  link_specifier_t *ls = link_specifier_dup(spec);
330  tor_assert(ls);
331  link_specifier_list_add_spec(lslist, ls);
332  } SMARTLIST_FOREACH_END(spec);
333 
334  {
335  uint8_t *encoded;
336  ssize_t encoded_len, encoded_b64_len, ret;
337 
338  encoded_len = link_specifier_list_encoded_len(lslist);
339  tor_assert(encoded_len > 0);
340  encoded = tor_malloc_zero(encoded_len);
341  ret = link_specifier_list_encode(encoded, encoded_len, lslist);
342  tor_assert(ret == encoded_len);
343 
344  /* Base64 encode our binary format. Add extra NUL byte for the base64
345  * encoded value. */
346  encoded_b64_len = base64_encode_size(encoded_len, 0) + 1;
347  encoded_b64 = tor_malloc_zero(encoded_b64_len);
348  ret = base64_encode(encoded_b64, encoded_b64_len, (const char *) encoded,
349  encoded_len, 0);
350  tor_assert(ret == (encoded_b64_len - 1));
351  tor_free(encoded);
352  }
353 
354  link_specifier_list_free(lslist);
355  return encoded_b64;
356 }
357 
358 /* Encode an introduction point legacy key and certificate. Return a newly
359  * allocated string with it. On failure, return NULL. */
360 static char *
361 encode_legacy_key(const hs_desc_intro_point_t *ip)
362 {
363  char *key_str, b64_cert[256], *encoded = NULL;
364  size_t key_str_len;
365 
366  tor_assert(ip);
367 
368  /* Encode cross cert. */
369  if (base64_encode(b64_cert, sizeof(b64_cert),
370  (const char *) ip->legacy.cert.encoded,
371  ip->legacy.cert.len, BASE64_ENCODE_MULTILINE) < 0) {
372  log_warn(LD_REND, "Unable to encode legacy crosscert.");
373  goto done;
374  }
375  /* Convert the encryption key to PEM format NUL terminated. */
376  if (crypto_pk_write_public_key_to_string(ip->legacy.key, &key_str,
377  &key_str_len) < 0) {
378  log_warn(LD_REND, "Unable to encode legacy encryption key.");
379  goto done;
380  }
381  tor_asprintf(&encoded,
382  "%s \n%s" /* Newline is added by the call above. */
383  "%s\n"
384  "-----BEGIN CROSSCERT-----\n"
385  "%s"
386  "-----END CROSSCERT-----",
387  str_ip_legacy_key, key_str,
388  str_ip_legacy_key_cert, b64_cert);
389  tor_free(key_str);
390 
391  done:
392  return encoded;
393 }
394 
395 /* Encode an introduction point encryption key and certificate. Return a newly
396  * allocated string with it. On failure, return NULL. */
397 static char *
398 encode_enc_key(const hs_desc_intro_point_t *ip)
399 {
400  char *encoded = NULL, *encoded_cert;
401  char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
402 
403  tor_assert(ip);
404 
405  /* Base64 encode the encryption key for the "enc-key" field. */
406  curve25519_public_to_base64(key_b64, &ip->enc_key);
407  if (tor_cert_encode_ed22519(ip->enc_key_cert, &encoded_cert) < 0) {
408  goto done;
409  }
410  tor_asprintf(&encoded,
411  "%s ntor %s\n"
412  "%s\n%s",
413  str_ip_enc_key, key_b64,
414  str_ip_enc_key_cert, encoded_cert);
415  tor_free(encoded_cert);
416 
417  done:
418  return encoded;
419 }
420 
421 /* Encode an introduction point onion key. Return a newly allocated string
422  * with it. Can not fail. */
423 static char *
424 encode_onion_key(const hs_desc_intro_point_t *ip)
425 {
426  char *encoded = NULL;
427  char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
428 
429  tor_assert(ip);
430 
431  /* Base64 encode the encryption key for the "onion-key" field. */
432  curve25519_public_to_base64(key_b64, &ip->onion_key);
433  tor_asprintf(&encoded, "%s ntor %s", str_ip_onion_key, key_b64);
434 
435  return encoded;
436 }
437 
438 /* Encode an introduction point object and return a newly allocated string
439  * with it. On failure, return NULL. */
440 static char *
441 encode_intro_point(const ed25519_public_key_t *sig_key,
442  const hs_desc_intro_point_t *ip)
443 {
444  char *encoded_ip = NULL;
445  smartlist_t *lines = smartlist_new();
446 
447  tor_assert(ip);
448  tor_assert(sig_key);
449 
450  /* Encode link specifier. */
451  {
452  char *ls_str = encode_link_specifiers(ip->link_specifiers);
453  smartlist_add_asprintf(lines, "%s %s", str_intro_point, ls_str);
454  tor_free(ls_str);
455  }
456 
457  /* Onion key encoding. */
458  {
459  char *encoded_onion_key = encode_onion_key(ip);
460  if (encoded_onion_key == NULL) {
461  goto err;
462  }
463  smartlist_add_asprintf(lines, "%s", encoded_onion_key);
464  tor_free(encoded_onion_key);
465  }
466 
467  /* Authentication key encoding. */
468  {
469  char *encoded_cert;
470  if (tor_cert_encode_ed22519(ip->auth_key_cert, &encoded_cert) < 0) {
471  goto err;
472  }
473  smartlist_add_asprintf(lines, "%s\n%s", str_ip_auth_key, encoded_cert);
474  tor_free(encoded_cert);
475  }
476 
477  /* Encryption key encoding. */
478  {
479  char *encoded_enc_key = encode_enc_key(ip);
480  if (encoded_enc_key == NULL) {
481  goto err;
482  }
483  smartlist_add_asprintf(lines, "%s", encoded_enc_key);
484  tor_free(encoded_enc_key);
485  }
486 
487  /* Legacy key if any. */
488  if (ip->legacy.key != NULL) {
489  /* Strong requirement else the IP creation was badly done. */
490  tor_assert(ip->legacy.cert.encoded);
491  char *encoded_legacy_key = encode_legacy_key(ip);
492  if (encoded_legacy_key == NULL) {
493  goto err;
494  }
495  smartlist_add_asprintf(lines, "%s", encoded_legacy_key);
496  tor_free(encoded_legacy_key);
497  }
498 
499  /* Join them all in one blob of text. */
500  encoded_ip = smartlist_join_strings(lines, "\n", 1, NULL);
501 
502  err:
503  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
504  smartlist_free(lines);
505  return encoded_ip;
506 }
507 
508 /* Given a source length, return the new size including padding for the
509  * plaintext encryption. */
510 static size_t
511 compute_padded_plaintext_length(size_t plaintext_len)
512 {
513  size_t plaintext_padded_len;
514  const int padding_block_length = HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE;
515 
516  /* Make sure we won't overflow. */
517  tor_assert(plaintext_len <= (SIZE_T_CEILING - padding_block_length));
518 
519  /* Get the extra length we need to add. For example, if srclen is 10200
520  * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
521  plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
522  padding_block_length;
523  /* Can never be extra careful. Make sure we are _really_ padded. */
524  tor_assert(!(plaintext_padded_len % padding_block_length));
525  return plaintext_padded_len;
526 }
527 
528 /* Given a buffer, pad it up to the encrypted section padding requirement. Set
529  * the newly allocated string in padded_out and return the length of the
530  * padded buffer. */
531 STATIC size_t
532 build_plaintext_padding(const char *plaintext, size_t plaintext_len,
533  uint8_t **padded_out)
534 {
535  size_t padded_len;
536  uint8_t *padded;
537 
538  tor_assert(plaintext);
539  tor_assert(padded_out);
540 
541  /* Allocate the final length including padding. */
542  padded_len = compute_padded_plaintext_length(plaintext_len);
543  tor_assert(padded_len >= plaintext_len);
544  padded = tor_malloc_zero(padded_len);
545 
546  memcpy(padded, plaintext, plaintext_len);
547  *padded_out = padded;
548  return padded_len;
549 }
550 
551 /* Using a key, IV and plaintext data of length plaintext_len, create the
552  * encrypted section by encrypting it and setting encrypted_out with the
553  * data. Return size of the encrypted data buffer. */
554 static size_t
555 build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
556  size_t plaintext_len, uint8_t **encrypted_out,
557  int is_superencrypted_layer)
558 {
559  size_t encrypted_len;
560  uint8_t *padded_plaintext, *encrypted;
561  crypto_cipher_t *cipher;
562 
563  tor_assert(key);
564  tor_assert(iv);
565  tor_assert(plaintext);
566  tor_assert(encrypted_out);
567 
568  /* If we are encrypting the middle layer of the descriptor, we need to first
569  pad the plaintext */
570  if (is_superencrypted_layer) {
571  encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
572  &padded_plaintext);
573  /* Extra precautions that we have a valid padding length. */
574  tor_assert(!(encrypted_len % HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE));
575  } else { /* No padding required for inner layers */
576  padded_plaintext = tor_memdup(plaintext, plaintext_len);
577  encrypted_len = plaintext_len;
578  }
579 
580  /* This creates a cipher for AES. It can't fail. */
581  cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
582  HS_DESC_ENCRYPTED_BIT_SIZE);
583  /* We use a stream cipher so the encrypted length will be the same as the
584  * plaintext padded length. */
585  encrypted = tor_malloc_zero(encrypted_len);
586  /* This can't fail. */
587  crypto_cipher_encrypt(cipher, (char *) encrypted,
588  (const char *) padded_plaintext, encrypted_len);
589  *encrypted_out = encrypted;
590  /* Cleanup. */
591  crypto_cipher_free(cipher);
592  tor_free(padded_plaintext);
593  return encrypted_len;
594 }
595 
596 /* Encrypt the given <b>plaintext</b> buffer using <b>desc</b> and
597  * <b>secret_data</b> to get the keys. Set encrypted_out with the encrypted
598  * data and return the length of it. <b>is_superencrypted_layer</b> is set
599  * if this is the outer encrypted layer of the descriptor. */
600 static size_t
601 encrypt_descriptor_data(const hs_descriptor_t *desc,
602  const uint8_t *secret_data,
603  size_t secret_data_len,
604  const char *plaintext,
605  char **encrypted_out, int is_superencrypted_layer)
606 {
607  char *final_blob;
608  size_t encrypted_len, final_blob_len, offset = 0;
609  uint8_t *encrypted;
610  uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
611  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
612  uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
613 
614  tor_assert(desc);
615  tor_assert(secret_data);
616  tor_assert(plaintext);
617  tor_assert(encrypted_out);
618 
619  /* Get our salt. The returned bytes are already hashed. */
620  crypto_strongest_rand(salt, sizeof(salt));
621 
622  /* KDF construction resulting in a key from which the secret key, IV and MAC
623  * key are extracted which is what we need for the encryption. */
624  build_secret_key_iv_mac(desc, secret_data, secret_data_len,
625  salt, sizeof(salt),
626  secret_key, sizeof(secret_key),
627  secret_iv, sizeof(secret_iv),
628  mac_key, sizeof(mac_key),
629  is_superencrypted_layer);
630 
631  /* Build the encrypted part that is do the actual encryption. */
632  encrypted_len = build_encrypted(secret_key, secret_iv, plaintext,
633  strlen(plaintext), &encrypted,
634  is_superencrypted_layer);
635  memwipe(secret_key, 0, sizeof(secret_key));
636  memwipe(secret_iv, 0, sizeof(secret_iv));
637  /* This construction is specified in section 2.5 of proposal 224. */
638  final_blob_len = sizeof(salt) + encrypted_len + DIGEST256_LEN;
639  final_blob = tor_malloc_zero(final_blob_len);
640 
641  /* Build the MAC. */
642  build_mac(mac_key, sizeof(mac_key), salt, sizeof(salt),
643  encrypted, encrypted_len, mac, sizeof(mac));
644  memwipe(mac_key, 0, sizeof(mac_key));
645 
646  /* The salt is the first value. */
647  memcpy(final_blob, salt, sizeof(salt));
648  offset = sizeof(salt);
649  /* Second value is the encrypted data. */
650  memcpy(final_blob + offset, encrypted, encrypted_len);
651  offset += encrypted_len;
652  /* Third value is the MAC. */
653  memcpy(final_blob + offset, mac, sizeof(mac));
654  offset += sizeof(mac);
655  /* Cleanup the buffers. */
656  memwipe(salt, 0, sizeof(salt));
657  memwipe(encrypted, 0, encrypted_len);
658  tor_free(encrypted);
659  /* Extra precaution. */
660  tor_assert(offset == final_blob_len);
661 
662  *encrypted_out = final_blob;
663  return final_blob_len;
664 }
665 
666 /* Create and return a string containing a client-auth entry. It's the
667  * responsibility of the caller to free the returned string. This function
668  * will never fail. */
669 static char *
670 get_auth_client_str(const hs_desc_authorized_client_t *client)
671 {
672  int ret;
673  char *auth_client_str = NULL;
674  /* We are gonna fill these arrays with base64 data. They are all double
675  * the size of their binary representation to fit the base64 overhead. */
676  char client_id_b64[HS_DESC_CLIENT_ID_LEN * 2];
677  char iv_b64[CIPHER_IV_LEN * 2];
678  char encrypted_cookie_b64[HS_DESC_ENCRYPED_COOKIE_LEN * 2];
679 
680 #define ASSERT_AND_BASE64(field) STMT_BEGIN \
681  tor_assert(!fast_mem_is_zero((char *) client->field, \
682  sizeof(client->field))); \
683  ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
684  client->field, sizeof(client->field)); \
685  tor_assert(ret > 0); \
686  STMT_END
687 
688  ASSERT_AND_BASE64(client_id);
689  ASSERT_AND_BASE64(iv);
690  ASSERT_AND_BASE64(encrypted_cookie);
691 
692  /* Build the final string */
693  tor_asprintf(&auth_client_str, "%s %s %s %s", str_desc_auth_client,
694  client_id_b64, iv_b64, encrypted_cookie_b64);
695 
696 #undef ASSERT_AND_BASE64
697 
698  return auth_client_str;
699 }
700 
704 static char *
706 {
707  smartlist_t *auth_client_lines = smartlist_new();
708  char *auth_client_lines_str = NULL;
709 
710  tor_assert(desc);
711  tor_assert(desc->superencrypted_data.clients);
712  tor_assert(smartlist_len(desc->superencrypted_data.clients) != 0);
713  tor_assert(smartlist_len(desc->superencrypted_data.clients)
714  % HS_DESC_AUTH_CLIENT_MULTIPLE == 0);
715 
716  /* Make a line for each client */
717  SMARTLIST_FOREACH_BEGIN(desc->superencrypted_data.clients,
718  const hs_desc_authorized_client_t *, client) {
719  char *auth_client_str = NULL;
720 
721  auth_client_str = get_auth_client_str(client);
722 
723  smartlist_add(auth_client_lines, auth_client_str);
724  } SMARTLIST_FOREACH_END(client);
725 
726  /* Join all lines together to form final string */
727  auth_client_lines_str = smartlist_join_strings(auth_client_lines,
728  "\n", 1, NULL);
729  /* Cleanup the mess */
730  SMARTLIST_FOREACH(auth_client_lines, char *, a, tor_free(a));
731  smartlist_free(auth_client_lines);
732 
733  return auth_client_lines_str;
734 }
735 
736 /* Create the inner layer of the descriptor (which includes the intro points,
737  * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
738  * an error occurred. It's the responsibility of the caller to free the
739  * returned string. */
740 static char *
741 get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
742 {
743  char *encoded_str = NULL;
744  smartlist_t *lines = smartlist_new();
745 
746  /* Build the start of the section prior to the introduction points. */
747  {
748  if (!desc->encrypted_data.create2_ntor) {
749  log_err(LD_BUG, "HS desc doesn't have recognized handshake type.");
750  goto err;
751  }
752  smartlist_add_asprintf(lines, "%s %d\n", str_create2_formats,
753  ONION_HANDSHAKE_TYPE_NTOR);
754 
755  if (desc->encrypted_data.intro_auth_types &&
756  smartlist_len(desc->encrypted_data.intro_auth_types)) {
757  /* Put the authentication-required line. */
758  char *buf = smartlist_join_strings(desc->encrypted_data.intro_auth_types,
759  " ", 0, NULL);
760  smartlist_add_asprintf(lines, "%s %s\n", str_intro_auth_required, buf);
761  tor_free(buf);
762  }
763 
764  if (desc->encrypted_data.single_onion_service) {
765  smartlist_add_asprintf(lines, "%s\n", str_single_onion);
766  }
767  }
768 
769  /* Build the introduction point(s) section. */
770  SMARTLIST_FOREACH_BEGIN(desc->encrypted_data.intro_points,
771  const hs_desc_intro_point_t *, ip) {
772  char *encoded_ip = encode_intro_point(&desc->plaintext_data.signing_pubkey,
773  ip);
774  if (encoded_ip == NULL) {
775  log_err(LD_BUG, "HS desc intro point is malformed.");
776  goto err;
777  }
778  smartlist_add(lines, encoded_ip);
779  } SMARTLIST_FOREACH_END(ip);
780 
781  /* Build the entire encrypted data section into one encoded plaintext and
782  * then encrypt it. */
783  encoded_str = smartlist_join_strings(lines, "", 0, NULL);
784 
785  err:
786  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
787  smartlist_free(lines);
788 
789  return encoded_str;
790 }
791 
792 /* Create the middle layer of the descriptor, which includes the client auth
793  * data and the encrypted inner layer (provided as a base64 string at
794  * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
795  * layer plaintext. It's the responsibility of the caller to free the returned
796  * string. Can not fail. */
797 static char *
798 get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc,
799  const char *layer2_b64_ciphertext)
800 {
801  char *layer1_str = NULL;
802  smartlist_t *lines = smartlist_new();
803 
804  /* Specify auth type */
805  smartlist_add_asprintf(lines, "%s %s\n", str_desc_auth_type, "x25519");
806 
807  { /* Print ephemeral x25519 key */
808  char ephemeral_key_base64[CURVE25519_BASE64_PADDED_LEN + 1];
809  const curve25519_public_key_t *ephemeral_pubkey;
810 
811  ephemeral_pubkey = &desc->superencrypted_data.auth_ephemeral_pubkey;
812  tor_assert(!fast_mem_is_zero((char *) ephemeral_pubkey->public_key,
814 
815  curve25519_public_to_base64(ephemeral_key_base64, ephemeral_pubkey);
816  smartlist_add_asprintf(lines, "%s %s\n",
817  str_desc_auth_key, ephemeral_key_base64);
818 
819  memwipe(ephemeral_key_base64, 0, sizeof(ephemeral_key_base64));
820  }
821 
822  { /* Create auth-client lines. */
823  char *auth_client_lines = get_all_auth_client_lines(desc);
824  tor_assert(auth_client_lines);
825  smartlist_add(lines, auth_client_lines);
826  }
827 
828  /* create encrypted section */
829  {
831  "%s\n"
832  "-----BEGIN MESSAGE-----\n"
833  "%s"
834  "-----END MESSAGE-----",
835  str_encrypted, layer2_b64_ciphertext);
836  }
837 
838  layer1_str = smartlist_join_strings(lines, "", 0, NULL);
839 
840  /* We need to memwipe all lines because it contains the ephemeral key */
841  SMARTLIST_FOREACH(lines, char *, a, memwipe(a, 0, strlen(a)));
842  SMARTLIST_FOREACH(lines, char *, a, tor_free(a));
843  smartlist_free(lines);
844 
845  return layer1_str;
846 }
847 
848 /* Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
849  * returning it. <b>desc</b> is provided to derive the encryption
850  * keys. <b>secret_data</b> is also proved to derive the encryption keys.
851  * <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
852  * middle (superencrypted) layer of the descriptor. It's the responsibility of
853  * the caller to free the returned string. */
854 static char *
855 encrypt_desc_data_and_base64(const hs_descriptor_t *desc,
856  const uint8_t *secret_data,
857  size_t secret_data_len,
858  const char *encoded_str,
859  int is_superencrypted_layer)
860 {
861  char *enc_b64;
862  ssize_t enc_b64_len, ret_len, enc_len;
863  char *encrypted_blob = NULL;
864 
865  enc_len = encrypt_descriptor_data(desc, secret_data, secret_data_len,
866  encoded_str, &encrypted_blob,
867  is_superencrypted_layer);
868  /* Get the encoded size plus a NUL terminating byte. */
869  enc_b64_len = base64_encode_size(enc_len, BASE64_ENCODE_MULTILINE) + 1;
870  enc_b64 = tor_malloc_zero(enc_b64_len);
871  /* Base64 the encrypted blob before returning it. */
872  ret_len = base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
873  BASE64_ENCODE_MULTILINE);
874  /* Return length doesn't count the NUL byte. */
875  tor_assert(ret_len == (enc_b64_len - 1));
876  tor_free(encrypted_blob);
877 
878  return enc_b64;
879 }
880 
881 /* Generate the secret data which is used to encrypt/decrypt the descriptor.
882  *
883  * SECRET_DATA = blinded-public-key
884  * SECRET_DATA = blinded-public-key | descriptor_cookie
885  *
886  * The descriptor_cookie is optional but if it exists, it must be at least
887  * HS_DESC_DESCRIPTOR_COOKIE_LEN bytes long.
888  *
889  * A newly allocated secret data is put in secret_data_out. Return the
890  * length of the secret data. This function cannot fail. */
891 static size_t
892 build_secret_data(const ed25519_public_key_t *blinded_pubkey,
893  const uint8_t *descriptor_cookie,
894  uint8_t **secret_data_out)
895 {
896  size_t secret_data_len;
897  uint8_t *secret_data;
898 
899  tor_assert(blinded_pubkey);
900  tor_assert(secret_data_out);
901 
902  if (descriptor_cookie) {
903  /* If the descriptor cookie is present, we need both the blinded
904  * pubkey and the descriptor cookie as a secret data. */
905  secret_data_len = ED25519_PUBKEY_LEN + HS_DESC_DESCRIPTOR_COOKIE_LEN;
906  secret_data = tor_malloc(secret_data_len);
907 
908  memcpy(secret_data,
909  blinded_pubkey->pubkey,
910  ED25519_PUBKEY_LEN);
911  memcpy(secret_data + ED25519_PUBKEY_LEN,
912  descriptor_cookie,
913  HS_DESC_DESCRIPTOR_COOKIE_LEN);
914  } else {
915  /* If the descriptor cookie is not present, we need only the blinded
916  * pubkey as a secret data. */
917  secret_data_len = ED25519_PUBKEY_LEN;
918  secret_data = tor_malloc(secret_data_len);
919  memcpy(secret_data,
920  blinded_pubkey->pubkey,
921  ED25519_PUBKEY_LEN);
922  }
923 
924  *secret_data_out = secret_data;
925  return secret_data_len;
926 }
927 
928 /* Generate and encode the superencrypted portion of <b>desc</b>. This also
929  * involves generating the encrypted portion of the descriptor, and performing
930  * the superencryption. A newly allocated NUL-terminated string pointer
931  * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
932  * on success else a negative value. */
933 static int
934 encode_superencrypted_data(const hs_descriptor_t *desc,
935  const uint8_t *descriptor_cookie,
936  char **encrypted_blob_out)
937 {
938  int ret = -1;
939  uint8_t *secret_data = NULL;
940  size_t secret_data_len = 0;
941  char *layer2_str = NULL;
942  char *layer2_b64_ciphertext = NULL;
943  char *layer1_str = NULL;
944  char *layer1_b64_ciphertext = NULL;
945 
946  tor_assert(desc);
947  tor_assert(encrypted_blob_out);
948 
949  /* Func logic: We first create the inner layer of the descriptor (layer2).
950  * We then encrypt it and use it to create the middle layer of the descriptor
951  * (layer1). Finally we superencrypt the middle layer and return it to our
952  * caller. */
953 
954  /* Create inner descriptor layer */
955  layer2_str = get_inner_encrypted_layer_plaintext(desc);
956  if (!layer2_str) {
957  goto err;
958  }
959 
960  secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
961  descriptor_cookie,
962  &secret_data);
963 
964  /* Encrypt and b64 the inner layer */
965  layer2_b64_ciphertext =
966  encrypt_desc_data_and_base64(desc, secret_data, secret_data_len,
967  layer2_str, 0);
968  if (!layer2_b64_ciphertext) {
969  goto err;
970  }
971 
972  /* Now create middle descriptor layer given the inner layer */
973  layer1_str = get_outer_encrypted_layer_plaintext(desc,layer2_b64_ciphertext);
974  if (!layer1_str) {
975  goto err;
976  }
977 
978  /* Encrypt and base64 the middle layer */
979  layer1_b64_ciphertext =
980  encrypt_desc_data_and_base64(desc,
981  desc->plaintext_data.blinded_pubkey.pubkey,
982  ED25519_PUBKEY_LEN,
983  layer1_str, 1);
984  if (!layer1_b64_ciphertext) {
985  goto err;
986  }
987 
988  /* Success! */
989  ret = 0;
990 
991  err:
992  memwipe(secret_data, 0, secret_data_len);
993  tor_free(secret_data);
994  tor_free(layer1_str);
995  tor_free(layer2_str);
996  tor_free(layer2_b64_ciphertext);
997 
998  *encrypted_blob_out = layer1_b64_ciphertext;
999  return ret;
1000 }
1001 
1002 /* Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
1003  * newly allocated string of the encoded descriptor. On error, -1 is returned
1004  * and encoded_out is untouched. */
1005 static int
1006 desc_encode_v3(const hs_descriptor_t *desc,
1007  const ed25519_keypair_t *signing_kp,
1008  const uint8_t *descriptor_cookie,
1009  char **encoded_out)
1010 {
1011  int ret = -1;
1012  char *encoded_str = NULL;
1013  size_t encoded_len;
1014  smartlist_t *lines = smartlist_new();
1015 
1016  tor_assert(desc);
1017  tor_assert(signing_kp);
1018  tor_assert(encoded_out);
1019  tor_assert(desc->plaintext_data.version == 3);
1020 
1021  if (BUG(desc->subcredential == NULL)) {
1022  goto err;
1023  }
1024 
1025  /* Build the non-encrypted values. */
1026  {
1027  char *encoded_cert;
1028  /* Encode certificate then create the first line of the descriptor. */
1029  if (desc->plaintext_data.signing_key_cert->cert_type
1030  != CERT_TYPE_SIGNING_HS_DESC) {
1031  log_err(LD_BUG, "HS descriptor signing key has an unexpected cert type "
1032  "(%d)", (int) desc->plaintext_data.signing_key_cert->cert_type);
1033  goto err;
1034  }
1035  if (tor_cert_encode_ed22519(desc->plaintext_data.signing_key_cert,
1036  &encoded_cert) < 0) {
1037  /* The function will print error logs. */
1038  goto err;
1039  }
1040  /* Create the hs descriptor line. */
1041  smartlist_add_asprintf(lines, "%s %" PRIu32, str_hs_desc,
1042  desc->plaintext_data.version);
1043  /* Add the descriptor lifetime line (in minutes). */
1044  smartlist_add_asprintf(lines, "%s %" PRIu32, str_lifetime,
1045  desc->plaintext_data.lifetime_sec / 60);
1046  /* Create the descriptor certificate line. */
1047  smartlist_add_asprintf(lines, "%s\n%s", str_desc_cert, encoded_cert);
1048  tor_free(encoded_cert);
1049  /* Create the revision counter line. */
1050  smartlist_add_asprintf(lines, "%s %" PRIu64, str_rev_counter,
1051  desc->plaintext_data.revision_counter);
1052  }
1053 
1054  /* Build the superencrypted data section. */
1055  {
1056  char *enc_b64_blob=NULL;
1057  if (encode_superencrypted_data(desc, descriptor_cookie,
1058  &enc_b64_blob) < 0) {
1059  goto err;
1060  }
1061  smartlist_add_asprintf(lines,
1062  "%s\n"
1063  "-----BEGIN MESSAGE-----\n"
1064  "%s"
1065  "-----END MESSAGE-----",
1066  str_superencrypted, enc_b64_blob);
1067  tor_free(enc_b64_blob);
1068  }
1069 
1070  /* Join all lines in one string so we can generate a signature and append
1071  * it to the descriptor. */
1072  encoded_str = smartlist_join_strings(lines, "\n", 1, &encoded_len);
1073 
1074  /* Sign all fields of the descriptor with our short term signing key. */
1075  {
1076  ed25519_signature_t sig;
1077  char ed_sig_b64[ED25519_SIG_BASE64_LEN + 1];
1078  if (ed25519_sign_prefixed(&sig,
1079  (const uint8_t *) encoded_str, encoded_len,
1080  str_desc_sig_prefix, signing_kp) < 0) {
1081  log_warn(LD_BUG, "Can't sign encoded HS descriptor!");
1082  tor_free(encoded_str);
1083  goto err;
1084  }
1085  ed25519_signature_to_base64(ed_sig_b64, &sig);
1086  /* Create the signature line. */
1087  smartlist_add_asprintf(lines, "%s %s", str_signature, ed_sig_b64);
1088  }
1089  /* Free previous string that we used so compute the signature. */
1090  tor_free(encoded_str);
1091  encoded_str = smartlist_join_strings(lines, "\n", 1, NULL);
1092  *encoded_out = encoded_str;
1093 
1094  if (strlen(encoded_str) >= hs_cache_get_max_descriptor_size()) {
1095  log_warn(LD_GENERAL, "We just made an HS descriptor that's too big (%d)."
1096  "Failing.", (int)strlen(encoded_str));
1097  tor_free(encoded_str);
1098  goto err;
1099  }
1100 
1101  /* XXX: Trigger a control port event. */
1102 
1103  /* Success! */
1104  ret = 0;
1105 
1106  err:
1107  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
1108  smartlist_free(lines);
1109  return ret;
1110 }
1111 
1112 /* === DECODING === */
1113 
1114 /* Given the token tok for an auth client, decode it as
1115  * hs_desc_authorized_client_t. tok->args MUST contain at least 3 elements
1116  * Return 0 on success else -1 on failure. */
1117 static int
1118 decode_auth_client(const directory_token_t *tok,
1120 {
1121  int ret = -1;
1122 
1123  tor_assert(tok);
1124  tor_assert(tok->n_args >= 3);
1125  tor_assert(client);
1126 
1127  if (base64_decode((char *) client->client_id, sizeof(client->client_id),
1128  tok->args[0], strlen(tok->args[0])) !=
1129  sizeof(client->client_id)) {
1130  goto done;
1131  }
1132  if (base64_decode((char *) client->iv, sizeof(client->iv),
1133  tok->args[1], strlen(tok->args[1])) !=
1134  sizeof(client->iv)) {
1135  goto done;
1136  }
1137  if (base64_decode((char *) client->encrypted_cookie,
1138  sizeof(client->encrypted_cookie),
1139  tok->args[2], strlen(tok->args[2])) !=
1140  sizeof(client->encrypted_cookie)) {
1141  goto done;
1142  }
1143 
1144  /* Success. */
1145  ret = 0;
1146  done:
1147  return ret;
1148 }
1149 
1150 /* Given an encoded string of the link specifiers, return a newly allocated
1151  * list of decoded link specifiers. Return NULL on error. */
1152 STATIC smartlist_t *
1153 decode_link_specifiers(const char *encoded)
1154 {
1155  int decoded_len;
1156  size_t encoded_len, i;
1157  uint8_t *decoded;
1158  smartlist_t *results = NULL;
1159  link_specifier_list_t *specs = NULL;
1160 
1161  tor_assert(encoded);
1162 
1163  encoded_len = strlen(encoded);
1164  decoded = tor_malloc(encoded_len);
1165  decoded_len = base64_decode((char *) decoded, encoded_len, encoded,
1166  encoded_len);
1167  if (decoded_len < 0) {
1168  goto err;
1169  }
1170 
1171  if (link_specifier_list_parse(&specs, decoded,
1172  (size_t) decoded_len) < decoded_len) {
1173  goto err;
1174  }
1175  tor_assert(specs);
1176  results = smartlist_new();
1177 
1178  for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
1179  link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
1180  if (BUG(!ls)) {
1181  goto err;
1182  }
1183  link_specifier_t *ls_dup = link_specifier_dup(ls);
1184  if (BUG(!ls_dup)) {
1185  goto err;
1186  }
1187  smartlist_add(results, ls_dup);
1188  }
1189 
1190  goto done;
1191  err:
1192  if (results) {
1193  SMARTLIST_FOREACH(results, link_specifier_t *, s,
1194  link_specifier_free(s));
1195  smartlist_free(results);
1196  results = NULL;
1197  }
1198  done:
1199  link_specifier_list_free(specs);
1200  tor_free(decoded);
1201  return results;
1202 }
1203 
1204 /* Given a list of authentication types, decode it and put it in the encrypted
1205  * data section. Return 1 if we at least know one of the type or 0 if we know
1206  * none of them. */
1207 static int
1208 decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
1209 {
1210  int match = 0;
1211 
1212  tor_assert(desc);
1213  tor_assert(list);
1214 
1215  desc->intro_auth_types = smartlist_new();
1216  smartlist_split_string(desc->intro_auth_types, list, " ", 0, 0);
1217 
1218  /* Validate the types that we at least know about one. */
1219  SMARTLIST_FOREACH_BEGIN(desc->intro_auth_types, const char *, auth) {
1220  for (int idx = 0; intro_auth_types[idx].identifier; idx++) {
1221  if (!strncmp(auth, intro_auth_types[idx].identifier,
1222  strlen(intro_auth_types[idx].identifier))) {
1223  match = 1;
1224  break;
1225  }
1226  }
1227  } SMARTLIST_FOREACH_END(auth);
1228 
1229  return match;
1230 }
1231 
1232 /* Parse a space-delimited list of integers representing CREATE2 formats into
1233  * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
1234 static void
1235 decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
1236 {
1237  smartlist_t *tokens;
1238 
1239  tor_assert(desc);
1240  tor_assert(list);
1241 
1242  tokens = smartlist_new();
1243  smartlist_split_string(tokens, list, " ", 0, 0);
1244 
1245  SMARTLIST_FOREACH_BEGIN(tokens, char *, s) {
1246  int ok;
1247  unsigned long type = tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
1248  if (!ok) {
1249  log_warn(LD_REND, "Unparseable value %s in create2 list", escaped(s));
1250  continue;
1251  }
1252  switch (type) {
1253  case ONION_HANDSHAKE_TYPE_NTOR:
1254  desc->create2_ntor = 1;
1255  break;
1256  default:
1257  /* We deliberately ignore unsupported handshake types */
1258  continue;
1259  }
1260  } SMARTLIST_FOREACH_END(s);
1261 
1262  SMARTLIST_FOREACH(tokens, char *, s, tor_free(s));
1263  smartlist_free(tokens);
1264 }
1265 
1266 /* Given a certificate, validate the certificate for certain conditions which
1267  * are if the given type matches the cert's one, if the signing key is
1268  * included and if the that key was actually used to sign the certificate.
1269  *
1270  * Return 1 iff if all conditions pass or 0 if one of them fails. */
1271 STATIC int
1272 cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
1273 {
1274  tor_assert(log_obj_type);
1275 
1276  if (cert == NULL) {
1277  log_warn(LD_REND, "Certificate for %s couldn't be parsed.", log_obj_type);
1278  goto err;
1279  }
1280  if (cert->cert_type != type) {
1281  log_warn(LD_REND, "Invalid cert type %02x for %s.", cert->cert_type,
1282  log_obj_type);
1283  goto err;
1284  }
1285  /* All certificate must have its signing key included. */
1286  if (!cert->signing_key_included) {
1287  log_warn(LD_REND, "Signing key is NOT included for %s.", log_obj_type);
1288  goto err;
1289  }
1290  /* The following will not only check if the signature matches but also the
1291  * expiration date and overall validity. */
1292  if (tor_cert_checksig(cert, &cert->signing_key, approx_time()) < 0) {
1293  log_warn(LD_REND, "Invalid signature for %s: %s", log_obj_type,
1295  goto err;
1296  }
1297 
1298  return 1;
1299  err:
1300  return 0;
1301 }
1302 
1303 /* Given some binary data, try to parse it to get a certificate object. If we
1304  * have a valid cert, validate it using the given wanted type. On error, print
1305  * a log using the err_msg has the certificate identifier adding semantic to
1306  * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
1307  * points to a newly allocated certificate object. */
1308 static int
1309 cert_parse_and_validate(tor_cert_t **cert_out, const char *data,
1310  size_t data_len, unsigned int cert_type_wanted,
1311  const char *err_msg)
1312 {
1313  tor_cert_t *cert;
1314 
1315  tor_assert(cert_out);
1316  tor_assert(data);
1317  tor_assert(err_msg);
1318 
1319  /* Parse certificate. */
1320  cert = tor_cert_parse((const uint8_t *) data, data_len);
1321  if (!cert) {
1322  log_warn(LD_REND, "Certificate for %s couldn't be parsed.", err_msg);
1323  goto err;
1324  }
1325 
1326  /* Validate certificate. */
1327  if (!cert_is_valid(cert, cert_type_wanted, err_msg)) {
1328  goto err;
1329  }
1330 
1331  *cert_out = cert;
1332  return 0;
1333 
1334  err:
1335  tor_cert_free(cert);
1336  *cert_out = NULL;
1337  return -1;
1338 }
1339 
1340 /* Return true iff the given length of the encrypted data of a descriptor
1341  * passes validation. */
1342 STATIC int
1343 encrypted_data_length_is_valid(size_t len)
1344 {
1345  /* Make sure there is enough data for the salt and the mac. The equality is
1346  there to ensure that there is at least one byte of encrypted data. */
1347  if (len <= HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN) {
1348  log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
1349  "Got %lu but minimum value is %d",
1350  (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
1351  goto err;
1352  }
1353 
1354  return 1;
1355  err:
1356  return 0;
1357 }
1358 
1359 /* Build the KEYS component for the authorized client computation. The format
1360  * of the construction is:
1361  *
1362  * SECRET_SEED = x25519(sk, pk)
1363  * KEYS = KDF(subcredential | SECRET_SEED, 40)
1364  *
1365  * Set the <b>keys_out</b> argument to point to the buffer containing the KEYS,
1366  * and return the buffer's length. The caller should wipe and free its content
1367  * once done with it. This function can't fail. */
1368 static size_t
1369 build_descriptor_cookie_keys(const uint8_t *subcredential,
1370  size_t subcredential_len,
1371  const curve25519_secret_key_t *sk,
1372  const curve25519_public_key_t *pk,
1373  uint8_t **keys_out)
1374 {
1375  uint8_t secret_seed[CURVE25519_OUTPUT_LEN];
1376  uint8_t *keystream;
1377  size_t keystream_len = HS_DESC_CLIENT_ID_LEN + HS_DESC_COOKIE_KEY_LEN;
1378  crypto_xof_t *xof;
1379 
1380  tor_assert(subcredential);
1381  tor_assert(sk);
1382  tor_assert(pk);
1383  tor_assert(keys_out);
1384 
1385  keystream = tor_malloc_zero(keystream_len);
1386 
1387  /* Calculate x25519(sk, pk) to get the secret seed. */
1388  curve25519_handshake(secret_seed, sk, pk);
1389 
1390  /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
1391  xof = crypto_xof_new();
1392  crypto_xof_add_bytes(xof, subcredential, subcredential_len);
1393  crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
1394  crypto_xof_squeeze_bytes(xof, keystream, keystream_len);
1395  crypto_xof_free(xof);
1396 
1397  memwipe(secret_seed, 0, sizeof(secret_seed));
1398 
1399  *keys_out = keystream;
1400  return keystream_len;
1401 }
1402 
1403 /* Decrypt the descriptor cookie given the descriptor, the auth client,
1404  * and the client secret key. On sucess, return 0 and a newly allocated
1405  * descriptor cookie descriptor_cookie_out. On error or if the client id
1406  * is invalid, return -1 and descriptor_cookie_out is set to
1407  * NULL. */
1408 static int
1409 decrypt_descriptor_cookie(const hs_descriptor_t *desc,
1410  const hs_desc_authorized_client_t *client,
1411  const curve25519_secret_key_t *client_auth_sk,
1412  uint8_t **descriptor_cookie_out)
1413 {
1414  int ret = -1;
1415  uint8_t *keystream = NULL;
1416  size_t keystream_length = 0;
1417  uint8_t *descriptor_cookie = NULL;
1418  const uint8_t *cookie_key = NULL;
1419  crypto_cipher_t *cipher = NULL;
1420 
1421  tor_assert(desc);
1422  tor_assert(client);
1423  tor_assert(client_auth_sk);
1425  (char *) &desc->superencrypted_data.auth_ephemeral_pubkey,
1426  sizeof(desc->superencrypted_data.auth_ephemeral_pubkey)));
1427  tor_assert(!fast_mem_is_zero((char *) client_auth_sk,
1428  sizeof(*client_auth_sk)));
1429  tor_assert(!fast_mem_is_zero((char *) desc->subcredential, DIGEST256_LEN));
1430 
1431  /* Get the KEYS component to derive the CLIENT-ID and COOKIE-KEY. */
1432  keystream_length =
1433  build_descriptor_cookie_keys(desc->subcredential, DIGEST256_LEN,
1434  client_auth_sk,
1435  &desc->superencrypted_data.auth_ephemeral_pubkey,
1436  &keystream);
1437  tor_assert(keystream_length > 0);
1438 
1439  /* If the client id of auth client is not the same as the calculcated
1440  * client id, it means that this auth client is invaild according to the
1441  * client secret key client_auth_sk. */
1442  if (tor_memneq(client->client_id, keystream, HS_DESC_CLIENT_ID_LEN)) {
1443  goto done;
1444  }
1445  cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
1446 
1447  /* This creates a cipher for AES. It can't fail. */
1448  cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client->iv,
1449  HS_DESC_COOKIE_KEY_BIT_SIZE);
1450  descriptor_cookie = tor_malloc_zero(HS_DESC_DESCRIPTOR_COOKIE_LEN);
1451  /* This can't fail. */
1452  crypto_cipher_decrypt(cipher, (char *) descriptor_cookie,
1453  (const char *) client->encrypted_cookie,
1454  sizeof(client->encrypted_cookie));
1455 
1456  /* Success. */
1457  ret = 0;
1458  done:
1459  *descriptor_cookie_out = descriptor_cookie;
1460  if (cipher) {
1461  crypto_cipher_free(cipher);
1462  }
1463  memwipe(keystream, 0, keystream_length);
1464  tor_free(keystream);
1465  return ret;
1466 }
1467 
1478 MOCK_IMPL(STATIC size_t,
1479 decrypt_desc_layer,(const hs_descriptor_t *desc,
1480  const uint8_t *encrypted_blob,
1481  size_t encrypted_blob_size,
1482  const uint8_t *descriptor_cookie,
1483  int is_superencrypted_layer,
1484  char **decrypted_out))
1485 {
1486  uint8_t *decrypted = NULL;
1487  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
1488  uint8_t *secret_data = NULL;
1489  size_t secret_data_len = 0;
1490  uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
1491  const uint8_t *salt, *encrypted, *desc_mac;
1492  size_t encrypted_len, result_len = 0;
1493 
1494  tor_assert(decrypted_out);
1495  tor_assert(desc);
1496  tor_assert(encrypted_blob);
1497 
1498  /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
1499  * Make sure we have enough space for all these things. */
1500  if (!encrypted_data_length_is_valid(encrypted_blob_size)) {
1501  goto err;
1502  }
1503 
1504  /* Start of the blob thus the salt. */
1505  salt = encrypted_blob;
1506 
1507  /* Next is the encrypted data. */
1508  encrypted = encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN;
1509  encrypted_len = encrypted_blob_size -
1510  (HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
1511  tor_assert(encrypted_len > 0); /* guaranteed by the check above */
1512 
1513  /* And last comes the MAC. */
1514  desc_mac = encrypted_blob + encrypted_blob_size - DIGEST256_LEN;
1515 
1516  /* Build secret data to be used in the decryption. */
1517  secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
1518  descriptor_cookie,
1519  &secret_data);
1520 
1521  /* KDF construction resulting in a key from which the secret key, IV and MAC
1522  * key are extracted which is what we need for the decryption. */
1523  build_secret_key_iv_mac(desc, secret_data, secret_data_len,
1524  salt, HS_DESC_ENCRYPTED_SALT_LEN,
1525  secret_key, sizeof(secret_key),
1526  secret_iv, sizeof(secret_iv),
1527  mac_key, sizeof(mac_key),
1528  is_superencrypted_layer);
1529 
1530  /* Build MAC. */
1531  build_mac(mac_key, sizeof(mac_key), salt, HS_DESC_ENCRYPTED_SALT_LEN,
1532  encrypted, encrypted_len, our_mac, sizeof(our_mac));
1533  memwipe(mac_key, 0, sizeof(mac_key));
1534  /* Verify MAC; MAC is H(mac_key || salt || encrypted)
1535  *
1536  * This is a critical check that is making sure the computed MAC matches the
1537  * one in the descriptor. */
1538  if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
1539  log_info(LD_REND, "Encrypted service descriptor MAC check failed");
1540  goto err;
1541  }
1542 
1543  {
1544  /* Decrypt. Here we are assured that the encrypted length is valid for
1545  * decryption. */
1546  crypto_cipher_t *cipher;
1547 
1548  cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
1549  HS_DESC_ENCRYPTED_BIT_SIZE);
1550  /* Extra byte for the NUL terminated byte. */
1551  decrypted = tor_malloc_zero(encrypted_len + 1);
1552  crypto_cipher_decrypt(cipher, (char *) decrypted,
1553  (const char *) encrypted, encrypted_len);
1554  crypto_cipher_free(cipher);
1555  }
1556 
1557  {
1558  /* Adjust length to remove NUL padding bytes */
1559  uint8_t *end = memchr(decrypted, 0, encrypted_len);
1560  result_len = encrypted_len;
1561  if (end) {
1562  result_len = end - decrypted;
1563  }
1564  }
1565 
1566  if (result_len == 0) {
1567  /* Treat this as an error, so that somebody will free the output. */
1568  goto err;
1569  }
1570 
1571  /* Make sure to NUL terminate the string. */
1572  decrypted[encrypted_len] = '\0';
1573  *decrypted_out = (char *) decrypted;
1574  goto done;
1575 
1576  err:
1577  if (decrypted) {
1578  tor_free(decrypted);
1579  }
1580  *decrypted_out = NULL;
1581  result_len = 0;
1582 
1583  done:
1584  memwipe(secret_data, 0, secret_data_len);
1585  memwipe(secret_key, 0, sizeof(secret_key));
1586  memwipe(secret_iv, 0, sizeof(secret_iv));
1587  tor_free(secret_data);
1588  return result_len;
1589 }
1590 
1591 /* Decrypt the superencrypted section of the descriptor using the given
1592  * descriptor object <b>desc</b>. A newly allocated NUL terminated string is
1593  * put in decrypted_out which contains the superencrypted layer of the
1594  * descriptor. Return the length of decrypted_out on success else 0 is
1595  * returned and decrypted_out is set to NULL. */
1596 static size_t
1597 desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
1598 {
1599  size_t superencrypted_len = 0;
1600  char *superencrypted_plaintext = NULL;
1601 
1602  tor_assert(desc);
1603  tor_assert(decrypted_out);
1604 
1605  superencrypted_len = decrypt_desc_layer(desc,
1606  desc->plaintext_data.superencrypted_blob,
1607  desc->plaintext_data.superencrypted_blob_size,
1608  NULL, 1, &superencrypted_plaintext);
1609 
1610  if (!superencrypted_len) {
1611  log_warn(LD_REND, "Decrypting superencrypted desc failed.");
1612  goto done;
1613  }
1614  tor_assert(superencrypted_plaintext);
1615 
1616  done:
1617  /* In case of error, superencrypted_plaintext is already NULL, so the
1618  * following line makes sense. */
1619  *decrypted_out = superencrypted_plaintext;
1620  /* This makes sense too, because, in case of error, this is zero. */
1621  return superencrypted_len;
1622 }
1623 
1624 /* Decrypt the encrypted section of the descriptor using the given descriptor
1625  * object <b>desc</b>. A newly allocated NUL terminated string is put in
1626  * decrypted_out which contains the encrypted layer of the descriptor.
1627  * Return the length of decrypted_out on success else 0 is returned and
1628  * decrypted_out is set to NULL. */
1629 static size_t
1630 desc_decrypt_encrypted(const hs_descriptor_t *desc,
1631  const curve25519_secret_key_t *client_auth_sk,
1632  char **decrypted_out)
1633 {
1634  size_t encrypted_len = 0;
1635  char *encrypted_plaintext = NULL;
1636  uint8_t *descriptor_cookie = NULL;
1637 
1638  tor_assert(desc);
1639  tor_assert(desc->superencrypted_data.clients);
1640  tor_assert(decrypted_out);
1641 
1642  /* If the client secret key is provided, try to find a valid descriptor
1643  * cookie. Otherwise, leave it NULL. */
1644  if (client_auth_sk) {
1645  SMARTLIST_FOREACH_BEGIN(desc->superencrypted_data.clients,
1646  hs_desc_authorized_client_t *, client) {
1647  /* If we can decrypt the descriptor cookie successfully, we will use that
1648  * descriptor cookie and break from the loop. */
1649  if (!decrypt_descriptor_cookie(desc, client, client_auth_sk,
1650  &descriptor_cookie)) {
1651  break;
1652  }
1653  } SMARTLIST_FOREACH_END(client);
1654  }
1655 
1656  encrypted_len = decrypt_desc_layer(desc,
1657  desc->superencrypted_data.encrypted_blob,
1658  desc->superencrypted_data.encrypted_blob_size,
1659  descriptor_cookie, 0, &encrypted_plaintext);
1660  if (!encrypted_len) {
1661  goto err;
1662  }
1663  tor_assert(encrypted_plaintext);
1664 
1665  err:
1666  /* In case of error, encrypted_plaintext is already NULL, so the
1667  * following line makes sense. */
1668  *decrypted_out = encrypted_plaintext;
1669  if (descriptor_cookie) {
1670  memwipe(descriptor_cookie, 0, HS_DESC_DESCRIPTOR_COOKIE_LEN);
1671  }
1672  tor_free(descriptor_cookie);
1673  /* This makes sense too, because, in case of error, this is zero. */
1674  return encrypted_len;
1675 }
1676 
1677 /* Given the token tok for an intro point legacy key, the list of tokens, the
1678  * introduction point ip being decoded and the descriptor desc from which it
1679  * comes from, decode the legacy key and set the intro point object. Return 0
1680  * on success else -1 on failure. */
1681 static int
1682 decode_intro_legacy_key(const directory_token_t *tok,
1683  smartlist_t *tokens,
1685  const hs_descriptor_t *desc)
1686 {
1687  tor_assert(tok);
1688  tor_assert(tokens);
1689  tor_assert(ip);
1690  tor_assert(desc);
1691 
1692  if (!crypto_pk_public_exponent_ok(tok->key)) {
1693  log_warn(LD_REND, "Introduction point legacy key is invalid");
1694  goto err;
1695  }
1696  ip->legacy.key = crypto_pk_dup_key(tok->key);
1697  /* Extract the legacy cross certification cert which MUST be present if we
1698  * have a legacy key. */
1699  tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY_CERT);
1700  if (!tok) {
1701  log_warn(LD_REND, "Introduction point legacy key cert is missing");
1702  goto err;
1703  }
1704  tor_assert(tok->object_body);
1705  if (strcmp(tok->object_type, "CROSSCERT")) {
1706  /* Info level because this might be an unknown field that we should
1707  * ignore. */
1708  log_info(LD_REND, "Introduction point legacy encryption key "
1709  "cross-certification has an unknown format.");
1710  goto err;
1711  }
1712  /* Keep a copy of the certificate. */
1713  ip->legacy.cert.encoded = tor_memdup(tok->object_body, tok->object_size);
1714  ip->legacy.cert.len = tok->object_size;
1715  /* The check on the expiration date is for the entire lifetime of a
1716  * certificate which is 24 hours. However, a descriptor has a maximum
1717  * lifetime of 12 hours meaning we have a 12h difference between the two
1718  * which ultimately accommodate the clock skewed client. */
1719  if (rsa_ed25519_crosscert_check(ip->legacy.cert.encoded,
1720  ip->legacy.cert.len, ip->legacy.key,
1721  &desc->plaintext_data.signing_pubkey,
1722  approx_time() - HS_DESC_CERT_LIFETIME)) {
1723  log_warn(LD_REND, "Unable to check cross-certification on the "
1724  "introduction point legacy encryption key.");
1725  ip->cross_certified = 0;
1726  goto err;
1727  }
1728 
1729  /* Success. */
1730  return 0;
1731  err:
1732  return -1;
1733 }
1734 
1735 /* Dig into the descriptor <b>tokens</b> to find the onion key we should use
1736  * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
1737  * was found and well-formed, otherwise return -1 in case of errors. */
1738 static int
1739 set_intro_point_onion_key(curve25519_public_key_t *onion_key_out,
1740  const smartlist_t *tokens)
1741 {
1742  int retval = -1;
1743  smartlist_t *onion_keys = NULL;
1744 
1745  tor_assert(onion_key_out);
1746 
1747  onion_keys = find_all_by_keyword(tokens, R3_INTRO_ONION_KEY);
1748  if (!onion_keys) {
1749  log_warn(LD_REND, "Descriptor did not contain intro onion keys");
1750  goto err;
1751  }
1752 
1753  SMARTLIST_FOREACH_BEGIN(onion_keys, directory_token_t *, tok) {
1754  /* This field is using GE(2) so for possible forward compatibility, we
1755  * accept more fields but must be at least 2. */
1756  tor_assert(tok->n_args >= 2);
1757 
1758  /* Try to find an ntor key, it's the only recognized type right now */
1759  if (!strcmp(tok->args[0], "ntor")) {
1760  if (curve25519_public_from_base64(onion_key_out, tok->args[1]) < 0) {
1761  log_warn(LD_REND, "Introduction point ntor onion-key is invalid");
1762  goto err;
1763  }
1764  /* Got the onion key! Set the appropriate retval */
1765  retval = 0;
1766  }
1767  } SMARTLIST_FOREACH_END(tok);
1768 
1769  /* Log an error if we didn't find it :( */
1770  if (retval < 0) {
1771  log_warn(LD_REND, "Descriptor did not contain ntor onion keys");
1772  }
1773 
1774  err:
1775  smartlist_free(onion_keys);
1776  return retval;
1777 }
1778 
1779 /* Given the start of a section and the end of it, decode a single
1780  * introduction point from that section. Return a newly allocated introduction
1781  * point object containing the decoded data. Return NULL if the section can't
1782  * be decoded. */
1783 STATIC hs_desc_intro_point_t *
1784 decode_introduction_point(const hs_descriptor_t *desc, const char *start)
1785 {
1786  hs_desc_intro_point_t *ip = NULL;
1787  memarea_t *area = NULL;
1788  smartlist_t *tokens = NULL;
1789  const directory_token_t *tok;
1790 
1791  tor_assert(desc);
1792  tor_assert(start);
1793 
1794  area = memarea_new();
1795  tokens = smartlist_new();
1796  if (tokenize_string(area, start, start + strlen(start),
1797  tokens, hs_desc_intro_point_v3_token_table, 0) < 0) {
1798  log_warn(LD_REND, "Introduction point is not parseable");
1799  goto err;
1800  }
1801 
1802  /* Ok we seem to have a well formed section containing enough tokens to
1803  * parse. Allocate our IP object and try to populate it. */
1804  ip = hs_desc_intro_point_new();
1805 
1806  /* "introduction-point" SP link-specifiers NL */
1807  tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
1808  tor_assert(tok->n_args == 1);
1809  /* Our constructor creates this list by default so free it. */
1810  smartlist_free(ip->link_specifiers);
1811  ip->link_specifiers = decode_link_specifiers(tok->args[0]);
1812  if (!ip->link_specifiers) {
1813  log_warn(LD_REND, "Introduction point has invalid link specifiers");
1814  goto err;
1815  }
1816 
1817  /* "onion-key" SP ntor SP key NL */
1818  if (set_intro_point_onion_key(&ip->onion_key, tokens) < 0) {
1819  goto err;
1820  }
1821 
1822  /* "auth-key" NL certificate NL */
1823  tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
1824  tor_assert(tok->object_body);
1825  if (strcmp(tok->object_type, "ED25519 CERT")) {
1826  log_warn(LD_REND, "Unexpected object type for introduction auth key");
1827  goto err;
1828  }
1829  /* Parse cert and do some validation. */
1830  if (cert_parse_and_validate(&ip->auth_key_cert, tok->object_body,
1831  tok->object_size, CERT_TYPE_AUTH_HS_IP_KEY,
1832  "introduction point auth-key") < 0) {
1833  goto err;
1834  }
1835  /* Validate authentication certificate with descriptor signing key. */
1836  if (tor_cert_checksig(ip->auth_key_cert,
1837  &desc->plaintext_data.signing_pubkey, 0) < 0) {
1838  log_warn(LD_REND, "Invalid authentication key signature: %s",
1839  tor_cert_describe_signature_status(ip->auth_key_cert));
1840  goto err;
1841  }
1842 
1843  /* Exactly one "enc-key" SP "ntor" SP key NL */
1844  tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
1845  if (!strcmp(tok->args[0], "ntor")) {
1846  /* This field is using GE(2) so for possible forward compatibility, we
1847  * accept more fields but must be at least 2. */
1848  tor_assert(tok->n_args >= 2);
1849 
1850  if (curve25519_public_from_base64(&ip->enc_key, tok->args[1]) < 0) {
1851  log_warn(LD_REND, "Introduction point ntor enc-key is invalid");
1852  goto err;
1853  }
1854  } else {
1855  /* Unknown key type so we can't use that introduction point. */
1856  log_warn(LD_REND, "Introduction point encryption key is unrecognized.");
1857  goto err;
1858  }
1859 
1860  /* Exactly once "enc-key-cert" NL certificate NL */
1861  tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
1862  tor_assert(tok->object_body);
1863  /* Do the cross certification. */
1864  if (strcmp(tok->object_type, "ED25519 CERT")) {
1865  log_warn(LD_REND, "Introduction point ntor encryption key "
1866  "cross-certification has an unknown format.");
1867  goto err;
1868  }
1869  if (cert_parse_and_validate(&ip->enc_key_cert, tok->object_body,
1870  tok->object_size, CERT_TYPE_CROSS_HS_IP_KEYS,
1871  "introduction point enc-key-cert") < 0) {
1872  goto err;
1873  }
1874  if (tor_cert_checksig(ip->enc_key_cert,
1875  &desc->plaintext_data.signing_pubkey, 0) < 0) {
1876  log_warn(LD_REND, "Invalid encryption key signature: %s",
1877  tor_cert_describe_signature_status(ip->enc_key_cert));
1878  goto err;
1879  }
1880  /* It is successfully cross certified. Flag the object. */
1881  ip->cross_certified = 1;
1882 
1883  /* Do we have a "legacy-key" SP key NL ?*/
1884  tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY);
1885  if (tok) {
1886  if (decode_intro_legacy_key(tok, tokens, ip, desc) < 0) {
1887  goto err;
1888  }
1889  }
1890 
1891  /* Introduction point has been parsed successfully. */
1892  goto done;
1893 
1894  err:
1895  hs_desc_intro_point_free(ip);
1896  ip = NULL;
1897 
1898  done:
1900  smartlist_free(tokens);
1901  if (area) {
1902  memarea_drop_all(area);
1903  }
1904 
1905  return ip;
1906 }
1907 
1908 /* Given a descriptor string at <b>data</b>, decode all possible introduction
1909  * points that we can find. Add the introduction point object to desc_enc as we
1910  * find them. This function can't fail and it is possible that zero
1911  * introduction points can be decoded. */
1912 static void
1913 decode_intro_points(const hs_descriptor_t *desc,
1914  hs_desc_encrypted_data_t *desc_enc,
1915  const char *data)
1916 {
1917  smartlist_t *chunked_desc = smartlist_new();
1918  smartlist_t *intro_points = smartlist_new();
1919 
1920  tor_assert(desc);
1921  tor_assert(desc_enc);
1922  tor_assert(data);
1923  tor_assert(desc_enc->intro_points);
1924 
1925  /* Take the desc string, and extract the intro point substrings out of it */
1926  {
1927  /* Split the descriptor string using the intro point header as delimiter */
1928  smartlist_split_string(chunked_desc, data, str_intro_point_start, 0, 0);
1929 
1930  /* Check if there are actually any intro points included. The first chunk
1931  * should be other descriptor fields (e.g. create2-formats), so it's not an
1932  * intro point. */
1933  if (smartlist_len(chunked_desc) < 2) {
1934  goto done;
1935  }
1936  }
1937 
1938  /* Take the intro point substrings, and prepare them for parsing */
1939  {
1940  int i = 0;
1941  /* Prepend the introduction-point header to all the chunks, since
1942  smartlist_split_string() devoured it. */
1943  SMARTLIST_FOREACH_BEGIN(chunked_desc, char *, chunk) {
1944  /* Ignore first chunk. It's other descriptor fields. */
1945  if (i++ == 0) {
1946  continue;
1947  }
1948 
1949  smartlist_add_asprintf(intro_points, "%s %s", str_intro_point, chunk);
1950  } SMARTLIST_FOREACH_END(chunk);
1951  }
1952 
1953  /* Parse the intro points! */
1954  SMARTLIST_FOREACH_BEGIN(intro_points, const char *, intro_point) {
1955  hs_desc_intro_point_t *ip = decode_introduction_point(desc, intro_point);
1956  if (!ip) {
1957  /* Malformed introduction point section. We'll ignore this introduction
1958  * point and continue parsing. New or unknown fields are possible for
1959  * forward compatibility. */
1960  continue;
1961  }
1962  smartlist_add(desc_enc->intro_points, ip);
1963  } SMARTLIST_FOREACH_END(intro_point);
1964 
1965  done:
1966  SMARTLIST_FOREACH(chunked_desc, char *, a, tor_free(a));
1967  smartlist_free(chunked_desc);
1968  SMARTLIST_FOREACH(intro_points, char *, a, tor_free(a));
1969  smartlist_free(intro_points);
1970 }
1971 
1972 /* Return 1 iff the given base64 encoded signature in b64_sig from the encoded
1973  * descriptor in encoded_desc validates the descriptor content. */
1974 STATIC int
1975 desc_sig_is_valid(const char *b64_sig,
1976  const ed25519_public_key_t *signing_pubkey,
1977  const char *encoded_desc, size_t encoded_len)
1978 {
1979  int ret = 0;
1980  ed25519_signature_t sig;
1981  const char *sig_start;
1982 
1983  tor_assert(b64_sig);
1984  tor_assert(signing_pubkey);
1985  tor_assert(encoded_desc);
1986  /* Verifying nothing won't end well :). */
1987  tor_assert(encoded_len > 0);
1988 
1989  /* Signature length check. */
1990  if (strlen(b64_sig) != ED25519_SIG_BASE64_LEN) {
1991  log_warn(LD_REND, "Service descriptor has an invalid signature length."
1992  "Exptected %d but got %lu",
1993  ED25519_SIG_BASE64_LEN, (unsigned long) strlen(b64_sig));
1994  goto err;
1995  }
1996 
1997  /* First, convert base64 blob to an ed25519 signature. */
1998  if (ed25519_signature_from_base64(&sig, b64_sig) != 0) {
1999  log_warn(LD_REND, "Service descriptor does not contain a valid "
2000  "signature");
2001  goto err;
2002  }
2003 
2004  /* Find the start of signature. */
2005  sig_start = tor_memstr(encoded_desc, encoded_len, "\n" str_signature " ");
2006  /* Getting here means the token parsing worked for the signature so if we
2007  * can't find the start of the signature, we have a code flow issue. */
2008  if (!sig_start) {
2009  log_warn(LD_GENERAL, "Malformed signature line. Rejecting.");
2010  goto err;
2011  }
2012  /* Skip newline, it has to go in the signature check. */
2013  sig_start++;
2014 
2015  /* Validate signature with the full body of the descriptor. */
2016  if (ed25519_checksig_prefixed(&sig,
2017  (const uint8_t *) encoded_desc,
2018  sig_start - encoded_desc,
2019  str_desc_sig_prefix,
2020  signing_pubkey) != 0) {
2021  log_warn(LD_REND, "Invalid signature on service descriptor");
2022  goto err;
2023  }
2024  /* Valid signature! All is good. */
2025  ret = 1;
2026 
2027  err:
2028  return ret;
2029 }
2030 
2031 /* Decode descriptor plaintext data for version 3. Given a list of tokens, an
2032  * allocated plaintext object that will be populated and the encoded
2033  * descriptor with its length. The last one is needed for signature
2034  * verification. Unknown tokens are simply ignored so this won't error on
2035  * unknowns but requires that all v3 token be present and valid.
2036  *
2037  * Return 0 on success else a negative value. */
2038 static int
2039 desc_decode_plaintext_v3(smartlist_t *tokens,
2041  const char *encoded_desc, size_t encoded_len)
2042 {
2043  int ok;
2044  directory_token_t *tok;
2045 
2046  tor_assert(tokens);
2047  tor_assert(desc);
2048  /* Version higher could still use this function to decode most of the
2049  * descriptor and then they decode the extra part. */
2050  tor_assert(desc->version >= 3);
2051 
2052  /* Descriptor lifetime parsing. */
2053  tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
2054  tor_assert(tok->n_args == 1);
2055  desc->lifetime_sec = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2056  UINT32_MAX, &ok, NULL);
2057  if (!ok) {
2058  log_warn(LD_REND, "Service descriptor lifetime value is invalid");
2059  goto err;
2060  }
2061  /* Put it from minute to second. */
2062  desc->lifetime_sec *= 60;
2063  if (desc->lifetime_sec > HS_DESC_MAX_LIFETIME) {
2064  log_warn(LD_REND, "Service descriptor lifetime is too big. "
2065  "Got %" PRIu32 " but max is %d",
2066  desc->lifetime_sec, HS_DESC_MAX_LIFETIME);
2067  goto err;
2068  }
2069 
2070  /* Descriptor signing certificate. */
2071  tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
2072  tor_assert(tok->object_body);
2073  /* Expecting a prop220 cert with the signing key extension, which contains
2074  * the blinded public key. */
2075  if (strcmp(tok->object_type, "ED25519 CERT") != 0) {
2076  log_warn(LD_REND, "Service descriptor signing cert wrong type (%s)",
2077  escaped(tok->object_type));
2078  goto err;
2079  }
2080  if (cert_parse_and_validate(&desc->signing_key_cert, tok->object_body,
2081  tok->object_size, CERT_TYPE_SIGNING_HS_DESC,
2082  "service descriptor signing key") < 0) {
2083  goto err;
2084  }
2085 
2086  /* Copy the public keys into signing_pubkey and blinded_pubkey */
2087  memcpy(&desc->signing_pubkey, &desc->signing_key_cert->signed_key,
2088  sizeof(ed25519_public_key_t));
2089  memcpy(&desc->blinded_pubkey, &desc->signing_key_cert->signing_key,
2090  sizeof(ed25519_public_key_t));
2091 
2092  /* Extract revision counter value. */
2093  tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
2094  tor_assert(tok->n_args == 1);
2095  desc->revision_counter = tor_parse_uint64(tok->args[0], 10, 0,
2096  UINT64_MAX, &ok, NULL);
2097  if (!ok) {
2098  log_warn(LD_REND, "Service descriptor revision-counter is invalid");
2099  goto err;
2100  }
2101 
2102  /* Extract the superencrypted data section. */
2103  tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
2104  tor_assert(tok->object_body);
2105  if (strcmp(tok->object_type, "MESSAGE") != 0) {
2106  log_warn(LD_REND, "Desc superencrypted data section is invalid");
2107  goto err;
2108  }
2109  /* Make sure the length of the superencrypted blob is valid. */
2110  if (!encrypted_data_length_is_valid(tok->object_size)) {
2111  goto err;
2112  }
2113 
2114  /* Copy the superencrypted blob to the descriptor object so we can handle it
2115  * latter if needed. */
2116  desc->superencrypted_blob = tor_memdup(tok->object_body, tok->object_size);
2117  desc->superencrypted_blob_size = tok->object_size;
2118 
2119  /* Extract signature and verify it. */
2120  tok = find_by_keyword(tokens, R3_SIGNATURE);
2121  tor_assert(tok->n_args == 1);
2122  /* First arg here is the actual encoded signature. */
2123  if (!desc_sig_is_valid(tok->args[0], &desc->signing_pubkey,
2124  encoded_desc, encoded_len)) {
2125  goto err;
2126  }
2127 
2128  return 0;
2129 
2130  err:
2131  return -1;
2132 }
2133 
2134 /* Decode the version 3 superencrypted section of the given descriptor desc.
2135  * The desc_superencrypted_out will be populated with the decoded data.
2136  * Return 0 on success else -1. */
2137 static int
2138 desc_decode_superencrypted_v3(const hs_descriptor_t *desc,
2140  desc_superencrypted_out)
2141 {
2142  int ret = -1;
2143  char *message = NULL;
2144  size_t message_len;
2145  memarea_t *area = NULL;
2146  directory_token_t *tok;
2147  smartlist_t *tokens = NULL;
2148  /* Rename the parameter because it is too long. */
2149  hs_desc_superencrypted_data_t *superencrypted = desc_superencrypted_out;
2150 
2151  tor_assert(desc);
2152  tor_assert(desc_superencrypted_out);
2153 
2154  /* Decrypt the superencrypted data that is located in the plaintext section
2155  * in the descriptor as a blob of bytes. */
2156  message_len = desc_decrypt_superencrypted(desc, &message);
2157  if (!message_len) {
2158  log_warn(LD_REND, "Service descriptor decryption failed.");
2159  goto err;
2160  }
2161  tor_assert(message);
2162 
2163  area = memarea_new();
2164  tokens = smartlist_new();
2165  if (tokenize_string(area, message, message + message_len,
2166  tokens, hs_desc_superencrypted_v3_token_table, 0) < 0) {
2167  log_warn(LD_REND, "Superencrypted service descriptor is not parseable.");
2168  goto err;
2169  }
2170 
2171  /* Verify desc auth type */
2172  tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
2173  tor_assert(tok->n_args >= 1);
2174  if (strcmp(tok->args[0], "x25519")) {
2175  log_warn(LD_DIR, "Unrecognized desc auth type");
2176  goto err;
2177  }
2178 
2179  /* Extract desc auth ephemeral key */
2180  tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
2181  tor_assert(tok->n_args >= 1);
2182  if (curve25519_public_from_base64(&superencrypted->auth_ephemeral_pubkey,
2183  tok->args[0]) < 0) {
2184  log_warn(LD_DIR, "Bogus desc auth ephemeral key in HS desc");
2185  goto err;
2186  }
2187 
2188  /* Extract desc auth client items */
2189  if (!superencrypted->clients) {
2190  superencrypted->clients = smartlist_new();
2191  }
2192  SMARTLIST_FOREACH_BEGIN(tokens, const directory_token_t *, token) {
2193  if (token->tp == R3_DESC_AUTH_CLIENT) {
2194  tor_assert(token->n_args >= 3);
2195 
2196  hs_desc_authorized_client_t *client =
2197  tor_malloc_zero(sizeof(hs_desc_authorized_client_t));
2198 
2199  if (decode_auth_client(token, client) < 0) {
2200  log_warn(LD_REND, "Descriptor client authorization section can't "
2201  "be decoded.");
2202  tor_free(client);
2203  goto err;
2204  }
2205  smartlist_add(superencrypted->clients, client);
2206  }
2207  } SMARTLIST_FOREACH_END(token);
2208 
2209  /* Extract the encrypted data section. */
2210  tok = find_by_keyword(tokens, R3_ENCRYPTED);
2211  tor_assert(tok->object_body);
2212  if (strcmp(tok->object_type, "MESSAGE") != 0) {
2213  log_warn(LD_REND, "Desc encrypted data section is invalid");
2214  goto err;
2215  }
2216  /* Make sure the length of the encrypted blob is valid. */
2217  if (!encrypted_data_length_is_valid(tok->object_size)) {
2218  goto err;
2219  }
2220 
2221  /* Copy the encrypted blob to the descriptor object so we can handle it
2222  * latter if needed. */
2223  tor_assert(tok->object_size <= INT_MAX);
2224  superencrypted->encrypted_blob = tor_memdup(tok->object_body,
2225  tok->object_size);
2226  superencrypted->encrypted_blob_size = tok->object_size;
2227 
2228  ret = 0;
2229  goto done;
2230 
2231  err:
2232  tor_assert(ret < 0);
2233  hs_desc_superencrypted_data_free_contents(desc_superencrypted_out);
2234 
2235  done:
2236  if (tokens) {
2238  smartlist_free(tokens);
2239  }
2240  if (area) {
2241  memarea_drop_all(area);
2242  }
2243  if (message) {
2244  tor_free(message);
2245  }
2246  return ret;
2247 }
2248 
2249 /* Decode the version 3 encrypted section of the given descriptor desc. The
2250  * desc_encrypted_out will be populated with the decoded data. Return 0 on
2251  * success else -1. */
2252 static int
2253 desc_decode_encrypted_v3(const hs_descriptor_t *desc,
2254  const curve25519_secret_key_t *client_auth_sk,
2255  hs_desc_encrypted_data_t *desc_encrypted_out)
2256 {
2257  int ret = -1;
2258  char *message = NULL;
2259  size_t message_len;
2260  memarea_t *area = NULL;
2261  directory_token_t *tok;
2262  smartlist_t *tokens = NULL;
2263 
2264  tor_assert(desc);
2265  tor_assert(desc_encrypted_out);
2266 
2267  /* Decrypt the encrypted data that is located in the superencrypted section
2268  * in the descriptor as a blob of bytes. */
2269  message_len = desc_decrypt_encrypted(desc, client_auth_sk, &message);
2270  if (!message_len) {
2271  /* Two possible situation here. Either we have a client authorization
2272  * configured that didn't work or we do not have any configured for this
2273  * onion address so likely the descriptor is for authorized client only,
2274  * we are not. */
2275  if (client_auth_sk) {
2276  /* At warning level so the client can notice that its client
2277  * authorization is failing. */
2278  log_warn(LD_REND, "Client authorization for requested onion address "
2279  "is invalid. Can't decrypt the descriptor.");
2280  } else {
2281  /* Inform at notice level that the onion address requested can't be
2282  * reached without client authorization most likely. */
2283  log_notice(LD_REND, "Fail to decrypt descriptor for requested onion "
2284  "address. It is likely requiring client "
2285  "authorization.");
2286  }
2287  goto err;
2288  }
2289  tor_assert(message);
2290 
2291  area = memarea_new();
2292  tokens = smartlist_new();
2293  if (tokenize_string(area, message, message + message_len,
2294  tokens, hs_desc_encrypted_v3_token_table, 0) < 0) {
2295  log_warn(LD_REND, "Encrypted service descriptor is not parseable.");
2296  goto err;
2297  }
2298 
2299  /* CREATE2 supported cell format. It's mandatory. */
2300  tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
2301  tor_assert(tok);
2302  decode_create2_list(desc_encrypted_out, tok->args[0]);
2303  /* Must support ntor according to the specification */
2304  if (!desc_encrypted_out->create2_ntor) {
2305  log_warn(LD_REND, "Service create2-formats does not include ntor.");
2306  goto err;
2307  }
2308 
2309  /* Authentication type. It's optional but only once. */
2310  tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
2311  if (tok) {
2312  if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
2313  log_warn(LD_REND, "Service descriptor authentication type has "
2314  "invalid entry(ies).");
2315  goto err;
2316  }
2317  }
2318 
2319  /* Is this service a single onion service? */
2320  tok = find_opt_by_keyword(tokens, R3_SINGLE_ONION_SERVICE);
2321  if (tok) {
2322  desc_encrypted_out->single_onion_service = 1;
2323  }
2324 
2325  /* Initialize the descriptor's introduction point list before we start
2326  * decoding. Having 0 intro point is valid. Then decode them all. */
2327  desc_encrypted_out->intro_points = smartlist_new();
2328  decode_intro_points(desc, desc_encrypted_out, message);
2329 
2330  /* Validation of maximum introduction points allowed. */
2331  if (smartlist_len(desc_encrypted_out->intro_points) >
2332  HS_CONFIG_V3_MAX_INTRO_POINTS) {
2333  log_warn(LD_REND, "Service descriptor contains too many introduction "
2334  "points. Maximum allowed is %d but we have %d",
2335  HS_CONFIG_V3_MAX_INTRO_POINTS,
2336  smartlist_len(desc_encrypted_out->intro_points));
2337  goto err;
2338  }
2339 
2340  /* NOTE: Unknown fields are allowed because this function could be used to
2341  * decode other descriptor version. */
2342 
2343  ret = 0;
2344  goto done;
2345 
2346  err:
2347  tor_assert(ret < 0);
2348  hs_desc_encrypted_data_free_contents(desc_encrypted_out);
2349 
2350  done:
2351  if (tokens) {
2353  smartlist_free(tokens);
2354  }
2355  if (area) {
2356  memarea_drop_all(area);
2357  }
2358  if (message) {
2359  tor_free(message);
2360  }
2361  return ret;
2362 }
2363 
2364 /* Table of encrypted decode function version specific. The function are
2365  * indexed by the version number so v3 callback is at index 3 in the array. */
2366 static int
2367  (*decode_encrypted_handlers[])(
2368  const hs_descriptor_t *desc,
2369  const curve25519_secret_key_t *client_auth_sk,
2370  hs_desc_encrypted_data_t *desc_encrypted) =
2371 {
2372  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2373  desc_decode_encrypted_v3,
2374 };
2375 
2376 /* Decode the encrypted data section of the given descriptor and store the
2377  * data in the given encrypted data object. Return 0 on success else a
2378  * negative value on error. */
2379 int
2380 hs_desc_decode_encrypted(const hs_descriptor_t *desc,
2381  const curve25519_secret_key_t *client_auth_sk,
2382  hs_desc_encrypted_data_t *desc_encrypted)
2383 {
2384  int ret;
2385  uint32_t version;
2386 
2387  tor_assert(desc);
2388  /* Ease our life a bit. */
2389  version = desc->plaintext_data.version;
2390  tor_assert(desc_encrypted);
2391  /* Calling this function without an encrypted blob to parse is a code flow
2392  * error. The superencrypted parsing should never succeed in the first place
2393  * without an encrypted section. */
2394  tor_assert(desc->superencrypted_data.encrypted_blob);
2395  /* Let's make sure we have a supported version as well. By correctly parsing
2396  * the plaintext, this should not fail. */
2397  if (BUG(!hs_desc_is_supported_version(version))) {
2398  ret = -1;
2399  goto err;
2400  }
2401  /* Extra precaution. Having no handler for the supported version should
2402  * never happened else we forgot to add it but we bumped the version. */
2403  tor_assert(ARRAY_LENGTH(decode_encrypted_handlers) >= version);
2404  tor_assert(decode_encrypted_handlers[version]);
2405 
2406  /* Run the version specific plaintext decoder. */
2407  ret = decode_encrypted_handlers[version](desc, client_auth_sk,
2408  desc_encrypted);
2409  if (ret < 0) {
2410  goto err;
2411  }
2412 
2413  err:
2414  return ret;
2415 }
2416 
2417 /* Table of superencrypted decode function version specific. The function are
2418  * indexed by the version number so v3 callback is at index 3 in the array. */
2419 static int
2420  (*decode_superencrypted_handlers[])(
2421  const hs_descriptor_t *desc,
2422  hs_desc_superencrypted_data_t *desc_superencrypted) =
2423 {
2424  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2425  desc_decode_superencrypted_v3,
2426 };
2427 
2428 /* Decode the superencrypted data section of the given descriptor and store the
2429  * data in the given superencrypted data object. Return 0 on success else a
2430  * negative value on error. */
2431 int
2432 hs_desc_decode_superencrypted(const hs_descriptor_t *desc,
2434  desc_superencrypted)
2435 {
2436  int ret;
2437  uint32_t version;
2438 
2439  tor_assert(desc);
2440  /* Ease our life a bit. */
2441  version = desc->plaintext_data.version;
2442  tor_assert(desc_superencrypted);
2443  /* Calling this function without an superencrypted blob to parse is
2444  * a code flow error. The plaintext parsing should never succeed in
2445  * the first place without an superencrypted section. */
2446  tor_assert(desc->plaintext_data.superencrypted_blob);
2447  /* Let's make sure we have a supported version as well. By correctly parsing
2448  * the plaintext, this should not fail. */
2449  if (BUG(!hs_desc_is_supported_version(version))) {
2450  ret = -1;
2451  goto err;
2452  }
2453  /* Extra precaution. Having no handler for the supported version should
2454  * never happened else we forgot to add it but we bumped the version. */
2455  tor_assert(ARRAY_LENGTH(decode_superencrypted_handlers) >= version);
2456  tor_assert(decode_superencrypted_handlers[version]);
2457 
2458  /* Run the version specific plaintext decoder. */
2459  ret = decode_superencrypted_handlers[version](desc, desc_superencrypted);
2460  if (ret < 0) {
2461  goto err;
2462  }
2463 
2464  err:
2465  return ret;
2466 }
2467 
2468 /* Table of plaintext decode function version specific. The function are
2469  * indexed by the version number so v3 callback is at index 3 in the array. */
2470 static int
2471  (*decode_plaintext_handlers[])(
2472  smartlist_t *tokens,
2474  const char *encoded_desc,
2475  size_t encoded_len) =
2476 {
2477  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2478  desc_decode_plaintext_v3,
2479 };
2480 
2481 /* Fully decode the given descriptor plaintext and store the data in the
2482  * plaintext data object. Returns 0 on success else a negative value. */
2483 int
2484 hs_desc_decode_plaintext(const char *encoded,
2485  hs_desc_plaintext_data_t *plaintext)
2486 {
2487  int ok = 0, ret = -1;
2488  memarea_t *area = NULL;
2489  smartlist_t *tokens = NULL;
2490  size_t encoded_len;
2491  directory_token_t *tok;
2492 
2493  tor_assert(encoded);
2494  tor_assert(plaintext);
2495 
2496  /* Check that descriptor is within size limits. */
2497  encoded_len = strlen(encoded);
2498  if (encoded_len >= hs_cache_get_max_descriptor_size()) {
2499  log_warn(LD_REND, "Service descriptor is too big (%lu bytes)",
2500  (unsigned long) encoded_len);
2501  goto err;
2502  }
2503 
2504  area = memarea_new();
2505  tokens = smartlist_new();
2506  /* Tokenize the descriptor so we can start to parse it. */
2507  if (tokenize_string(area, encoded, encoded + encoded_len, tokens,
2508  hs_desc_v3_token_table, 0) < 0) {
2509  log_warn(LD_REND, "Service descriptor is not parseable");
2510  goto err;
2511  }
2512 
2513  /* Get the version of the descriptor which is the first mandatory field of
2514  * the descriptor. From there, we'll decode the right descriptor version. */
2515  tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
2516  tor_assert(tok->n_args == 1);
2517  plaintext->version = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2518  UINT32_MAX, &ok, NULL);
2519  if (!ok) {
2520  log_warn(LD_REND, "Service descriptor has unparseable version %s",
2521  escaped(tok->args[0]));
2522  goto err;
2523  }
2524  if (!hs_desc_is_supported_version(plaintext->version)) {
2525  log_warn(LD_REND, "Service descriptor has unsupported version %" PRIu32,
2526  plaintext->version);
2527  goto err;
2528  }
2529  /* Extra precaution. Having no handler for the supported version should
2530  * never happened else we forgot to add it but we bumped the version. */
2531  tor_assert(ARRAY_LENGTH(decode_plaintext_handlers) >= plaintext->version);
2532  tor_assert(decode_plaintext_handlers[plaintext->version]);
2533 
2534  /* Run the version specific plaintext decoder. */
2535  ret = decode_plaintext_handlers[plaintext->version](tokens, plaintext,
2536  encoded, encoded_len);
2537  if (ret < 0) {
2538  goto err;
2539  }
2540  /* Success. Descriptor has been populated with the data. */
2541  ret = 0;
2542 
2543  err:
2544  if (tokens) {
2546  smartlist_free(tokens);
2547  }
2548  if (area) {
2549  memarea_drop_all(area);
2550  }
2551  return ret;
2552 }
2553 
2554 /* Fully decode an encoded descriptor and set a newly allocated descriptor
2555  * object in desc_out. Client secret key is used to decrypt the "encrypted"
2556  * section if not NULL else it's ignored.
2557  *
2558  * Return 0 on success. A negative value is returned on error and desc_out is
2559  * set to NULL. */
2560 int
2561 hs_desc_decode_descriptor(const char *encoded,
2562  const uint8_t *subcredential,
2563  const curve25519_secret_key_t *client_auth_sk,
2564  hs_descriptor_t **desc_out)
2565 {
2566  int ret = -1;
2567  hs_descriptor_t *desc;
2568 
2569  tor_assert(encoded);
2570 
2571  desc = tor_malloc_zero(sizeof(hs_descriptor_t));
2572 
2573  /* Subcredentials are not optional. */
2574  if (BUG(!subcredential ||
2575  fast_mem_is_zero((char*)subcredential, DIGEST256_LEN))) {
2576  log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!");
2577  goto err;
2578  }
2579 
2580  memcpy(desc->subcredential, subcredential, sizeof(desc->subcredential));
2581 
2582  ret = hs_desc_decode_plaintext(encoded, &desc->plaintext_data);
2583  if (ret < 0) {
2584  goto err;
2585  }
2586 
2587  ret = hs_desc_decode_superencrypted(desc, &desc->superencrypted_data);
2588  if (ret < 0) {
2589  goto err;
2590  }
2591 
2592  ret = hs_desc_decode_encrypted(desc, client_auth_sk, &desc->encrypted_data);
2593  if (ret < 0) {
2594  goto err;
2595  }
2596 
2597  if (desc_out) {
2598  *desc_out = desc;
2599  } else {
2600  hs_descriptor_free(desc);
2601  }
2602  return ret;
2603 
2604  err:
2605  hs_descriptor_free(desc);
2606  if (desc_out) {
2607  *desc_out = NULL;
2608  }
2609 
2610  tor_assert(ret < 0);
2611  return ret;
2612 }
2613 
2614 /* Table of encode function version specific. The functions are indexed by the
2615  * version number so v3 callback is at index 3 in the array. */
2616 static int
2617  (*encode_handlers[])(
2618  const hs_descriptor_t *desc,
2619  const ed25519_keypair_t *signing_kp,
2620  const uint8_t *descriptor_cookie,
2621  char **encoded_out) =
2622 {
2623  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2624  desc_encode_v3,
2625 };
2626 
2627 /* Encode the given descriptor desc including signing with the given key pair
2628  * signing_kp and encrypting with the given descriptor cookie.
2629  *
2630  * If the client authorization is enabled, descriptor_cookie must be the same
2631  * as the one used to build hs_desc_authorized_client_t in the descriptor.
2632  * Otherwise, it must be NULL. On success, encoded_out points to a newly
2633  * allocated NUL terminated string that contains the encoded descriptor as
2634  * a string.
2635  *
2636  * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
2637  * returned and encoded_out is set to NULL. */
2638 MOCK_IMPL(int,
2639 hs_desc_encode_descriptor,(const hs_descriptor_t *desc,
2640  const ed25519_keypair_t *signing_kp,
2641  const uint8_t *descriptor_cookie,
2642  char **encoded_out))
2643 {
2644  int ret = -1;
2645  uint32_t version;
2646 
2647  tor_assert(desc);
2648  tor_assert(encoded_out);
2649 
2650  /* Make sure we support the version of the descriptor format. */
2651  version = desc->plaintext_data.version;
2652  if (!hs_desc_is_supported_version(version)) {
2653  goto err;
2654  }
2655  /* Extra precaution. Having no handler for the supported version should
2656  * never happened else we forgot to add it but we bumped the version. */
2657  tor_assert(ARRAY_LENGTH(encode_handlers) >= version);
2658  tor_assert(encode_handlers[version]);
2659 
2660  ret = encode_handlers[version](desc, signing_kp,
2661  descriptor_cookie, encoded_out);
2662  if (ret < 0) {
2663  goto err;
2664  }
2665 
2666  /* Try to decode what we just encoded. Symmetry is nice!, but it is
2667  * symmetric only if the client auth is disabled. That is, the descriptor
2668  * cookie will be NULL. */
2669  if (!descriptor_cookie) {
2670  ret = hs_desc_decode_descriptor(*encoded_out, desc->subcredential,
2671  NULL, NULL);
2672  if (BUG(ret < 0)) {
2673  goto err;
2674  }
2675  }
2676 
2677  return 0;
2678 
2679  err:
2680  *encoded_out = NULL;
2681  return ret;
2682 }
2683 
2684 /* Free the content of the plaintext section of a descriptor. */
2685 void
2686 hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)
2687 {
2688  if (!desc) {
2689  return;
2690  }
2691 
2692  if (desc->superencrypted_blob) {
2693  tor_free(desc->superencrypted_blob);
2694  }
2695  tor_cert_free(desc->signing_key_cert);
2696 
2697  memwipe(desc, 0, sizeof(*desc));
2698 }
2699 
2700 /* Free the content of the superencrypted section of a descriptor. */
2701 void
2702 hs_desc_superencrypted_data_free_contents(hs_desc_superencrypted_data_t *desc)
2703 {
2704  if (!desc) {
2705  return;
2706  }
2707 
2708  if (desc->encrypted_blob) {
2709  tor_free(desc->encrypted_blob);
2710  }
2711  if (desc->clients) {
2712  SMARTLIST_FOREACH(desc->clients, hs_desc_authorized_client_t *, client,
2713  hs_desc_authorized_client_free(client));
2714  smartlist_free(desc->clients);
2715  }
2716 
2717  memwipe(desc, 0, sizeof(*desc));
2718 }
2719 
2720 /* Free the content of the encrypted section of a descriptor. */
2721 void
2722 hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
2723 {
2724  if (!desc) {
2725  return;
2726  }
2727 
2728  if (desc->intro_auth_types) {
2729  SMARTLIST_FOREACH(desc->intro_auth_types, char *, a, tor_free(a));
2730  smartlist_free(desc->intro_auth_types);
2731  }
2732  if (desc->intro_points) {
2733  SMARTLIST_FOREACH(desc->intro_points, hs_desc_intro_point_t *, ip,
2734  hs_desc_intro_point_free(ip));
2735  smartlist_free(desc->intro_points);
2736  }
2737  memwipe(desc, 0, sizeof(*desc));
2738 }
2739 
2740 /* Free the descriptor plaintext data object. */
2741 void
2742 hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
2743 {
2744  hs_desc_plaintext_data_free_contents(desc);
2745  tor_free(desc);
2746 }
2747 
2748 /* Free the descriptor plaintext data object. */
2749 void
2750 hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc)
2751 {
2752  hs_desc_superencrypted_data_free_contents(desc);
2753  tor_free(desc);
2754 }
2755 
2756 /* Free the descriptor encrypted data object. */
2757 void
2758 hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
2759 {
2760  hs_desc_encrypted_data_free_contents(desc);
2761  tor_free(desc);
2762 }
2763 
2764 /* Free the given descriptor object. */
2765 void
2766 hs_descriptor_free_(hs_descriptor_t *desc)
2767 {
2768  if (!desc) {
2769  return;
2770  }
2771 
2772  hs_desc_plaintext_data_free_contents(&desc->plaintext_data);
2773  hs_desc_superencrypted_data_free_contents(&desc->superencrypted_data);
2774  hs_desc_encrypted_data_free_contents(&desc->encrypted_data);
2775  tor_free(desc);
2776 }
2777 
2778 /* Return the size in bytes of the given plaintext data object. A sizeof() is
2779  * not enough because the object contains pointers and the encrypted blob.
2780  * This is particularly useful for our OOM subsystem that tracks the HSDir
2781  * cache size for instance. */
2782 size_t
2783 hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
2784 {
2785  tor_assert(data);
2786  return (sizeof(*data) + sizeof(*data->signing_key_cert) +
2787  data->superencrypted_blob_size);
2788 }
2789 
2790 /* Return the size in bytes of the given encrypted data object. Used by OOM
2791  * subsystem. */
2792 static size_t
2793 hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
2794 {
2795  tor_assert(data);
2796  size_t intro_size = 0;
2797  if (data->intro_auth_types) {
2798  intro_size +=
2799  smartlist_len(data->intro_auth_types) * sizeof(intro_auth_types);
2800  }
2801  if (data->intro_points) {
2802  /* XXX could follow pointers here and get more accurate size */
2803  intro_size +=
2804  smartlist_len(data->intro_points) * sizeof(hs_desc_intro_point_t);
2805  }
2806 
2807  return sizeof(*data) + intro_size;
2808 }
2809 
2810 /* Return the size in bytes of the given descriptor object. Used by OOM
2811  * subsystem. */
2812  size_t
2813 hs_desc_obj_size(const hs_descriptor_t *data)
2814 {
2815  tor_assert(data);
2816  return (hs_desc_plaintext_obj_size(&data->plaintext_data) +
2817  hs_desc_encrypted_obj_size(&data->encrypted_data) +
2818  sizeof(data->subcredential));
2819 }
2820 
2821 /* Return a newly allocated descriptor intro point. */
2823 hs_desc_intro_point_new(void)
2824 {
2825  hs_desc_intro_point_t *ip = tor_malloc_zero(sizeof(*ip));
2826  ip->link_specifiers = smartlist_new();
2827  return ip;
2828 }
2829 
2830 /* Free a descriptor intro point object. */
2831 void
2832 hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
2833 {
2834  if (ip == NULL) {
2835  return;
2836  }
2837  if (ip->link_specifiers) {
2838  SMARTLIST_FOREACH(ip->link_specifiers, link_specifier_t *,
2839  ls, link_specifier_free(ls));
2840  smartlist_free(ip->link_specifiers);
2841  }
2842  tor_cert_free(ip->auth_key_cert);
2843  tor_cert_free(ip->enc_key_cert);
2844  crypto_pk_free(ip->legacy.key);
2845  tor_free(ip->legacy.cert.encoded);
2846  tor_free(ip);
2847 }
2848 
2849 /* Allocate and build a new fake client info for the descriptor. Return a
2850  * newly allocated object. This can't fail. */
2852 hs_desc_build_fake_authorized_client(void)
2853 {
2854  hs_desc_authorized_client_t *client_auth =
2855  tor_malloc_zero(sizeof(*client_auth));
2856 
2857  crypto_rand((char *) client_auth->client_id,
2858  sizeof(client_auth->client_id));
2859  crypto_rand((char *) client_auth->iv,
2860  sizeof(client_auth->iv));
2861  crypto_rand((char *) client_auth->encrypted_cookie,
2862  sizeof(client_auth->encrypted_cookie));
2863 
2864  return client_auth;
2865 }
2866 
2867 /* Using the service's subcredential, client public key, auth ephemeral secret
2868  * key, and descriptor cookie, build the auth client so we can then encode the
2869  * descriptor for publication. client_out must be already allocated. */
2870 void
2871 hs_desc_build_authorized_client(const uint8_t *subcredential,
2872  const curve25519_public_key_t *client_auth_pk,
2873  const curve25519_secret_key_t *
2874  auth_ephemeral_sk,
2875  const uint8_t *descriptor_cookie,
2876  hs_desc_authorized_client_t *client_out)
2877 {
2878  uint8_t *keystream = NULL;
2879  size_t keystream_length = 0;
2880  const uint8_t *cookie_key;
2881  crypto_cipher_t *cipher;
2882 
2883  tor_assert(client_auth_pk);
2884  tor_assert(auth_ephemeral_sk);
2885  tor_assert(descriptor_cookie);
2886  tor_assert(client_out);
2887  tor_assert(subcredential);
2888  tor_assert(!fast_mem_is_zero((char *) auth_ephemeral_sk,
2889  sizeof(*auth_ephemeral_sk)));
2890  tor_assert(!fast_mem_is_zero((char *) client_auth_pk,
2891  sizeof(*client_auth_pk)));
2892  tor_assert(!fast_mem_is_zero((char *) descriptor_cookie,
2893  HS_DESC_DESCRIPTOR_COOKIE_LEN));
2894  tor_assert(!fast_mem_is_zero((char *) subcredential,
2895  DIGEST256_LEN));
2896 
2897  /* Get the KEYS part so we can derive the CLIENT-ID and COOKIE-KEY. */
2898  keystream_length =
2899  build_descriptor_cookie_keys(subcredential, DIGEST256_LEN,
2900  auth_ephemeral_sk, client_auth_pk,
2901  &keystream);
2902  tor_assert(keystream_length > 0);
2903 
2904  /* Extract the CLIENT-ID and COOKIE-KEY from the KEYS. */
2905  memcpy(client_out->client_id, keystream, HS_DESC_CLIENT_ID_LEN);
2906  cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
2907 
2908  /* Random IV */
2909  crypto_strongest_rand(client_out->iv, sizeof(client_out->iv));
2910 
2911  /* This creates a cipher for AES. It can't fail. */
2912  cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client_out->iv,
2913  HS_DESC_COOKIE_KEY_BIT_SIZE);
2914  /* This can't fail. */
2915  crypto_cipher_encrypt(cipher, (char *) client_out->encrypted_cookie,
2916  (const char *) descriptor_cookie,
2917  HS_DESC_DESCRIPTOR_COOKIE_LEN);
2918 
2919  memwipe(keystream, 0, keystream_length);
2920  tor_free(keystream);
2921 
2922  crypto_cipher_free(cipher);
2923 }
2924 
2925 /* Free an authoriezd client object. */
2926 void
2927 hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client)
2928 {
2929  tor_free(client);
2930 }
2931 
2932 /* From the given descriptor, remove and free every introduction point. */
2933 void
2934 hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
2935 {
2936  smartlist_t *ips;
2937 
2938  tor_assert(desc);
2939 
2940  ips = desc->encrypted_data.intro_points;
2941  if (ips) {
2943  ip, hs_desc_intro_point_free(ip));
2944  smartlist_clear(ips);
2945  }
2946 }
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
struct crypto_pk_t * key
Definition: parsecommon.h:210
ed25519_public_key_t signed_key
Definition: torcert.h:25
Header file containing configuration ABI/API for the HS subsytem.
smartlist_t * find_all_by_keyword(const smartlist_t *s, directory_keyword k)
Definition: parsecommon.c:461
Common functions for using (pseudo-)random number generators.
#define END_OF_TABLE
Definition: parsecommon.h:244
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
uint64_t tor_parse_uint64(const char *s, int base, uint64_t min, uint64_t max, int *ok, char **next)
Definition: parse_int.c:107
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now)
Definition: torcert.c:244
#define LD_GENERAL
Definition: log.h:60
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
Definition: parse_int.c:75
int curve25519_public_from_base64(curve25519_public_key_t *pkey, const char *input)
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Definition: crypto_cipher.c:88
void curve25519_public_to_base64(char *output, const curve25519_public_key_t *pkey)
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
void smartlist_add(smartlist_t *sl, void *element)
uint8_t cert_type
Definition: torcert.h:38
size_t base64_encode_size(size_t srclen, int flags)
Definition: binascii.c:166
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
int crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest, size_t *len)
Definition: crypto_rsa.c:466
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
int fast_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:74
ed25519_public_key_t signing_key
Definition: torcert.h:28
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
#define tor_free(p)
Definition: malloc.h:52
#define T1_START(s, t, a, o)
Definition: parsecommon.h:252
#define T1N(s, t, a, o)
Definition: parsecommon.h:256
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:57
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
memarea_t * memarea_new(void)
Definition: memarea.c:153
void ed25519_signature_to_base64(char *output, const ed25519_signature_t *sig)
unsigned signing_key_included
Definition: torcert.h:40
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
Definition: binascii.c:215
#define CIPHER_IV_LEN
Definition: crypto_cipher.h:24
#define DIGEST256_LEN
Definition: digest_sizes.h:23
#define NO_ARGS
Definition: parsecommon.h:265
Common functions for cryptographic routines.
tor_assert(buffer)
tor_cert_t * tor_cert_parse(const uint8_t *encoded, const size_t len)
Definition: torcert.c:159
Header for crypto_format.c.
int tor_memeq(const void *a, const void *b, size_t sz)
Definition: di_ops.c:107
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
static void set_uint64(void *cp, uint64_t v)
Definition: bytes.h:91
#define SIZE_T_CEILING
Definition: torint.h:126
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
Definition: smartlist.c:36
Header file for rendcache.c.
#define GE(n)
Definition: parsecommon.h:269
Master header file for Tor-specific functionality.
Header file for circuitbuild.c.
#define ARGS
Definition: parsecommon.h:263
Header for memarea.c.
#define EQ(n)
Definition: parsecommon.h:271
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Header file for hs_descriptor.c.
#define CONCAT_ARGS
Definition: parsecommon.h:267
static uint64_t tor_htonll(uint64_t a)
Definition: bytes.h:167
#define LD_REND
Definition: log.h:82
crypto_pk_t * crypto_pk_dup_key(crypto_pk_t *orig)
directory_token_t * find_opt_by_keyword(const smartlist_t *s, directory_keyword keyword)
Definition: parsecommon.c:450
const char * tor_cert_describe_signature_status(const tor_cert_t *cert)
Definition: torcert.c:279
int crypto_pk_public_exponent_ok(const crypto_pk_t *env)
#define CURVE25519_OUTPUT_LEN
Definition: x25519_sizes.h:24
#define T1_END(s, t, a, o)
Definition: parsecommon.h:254
#define LD_DIR
Definition: log.h:86
Header file for parsecommon.c.
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
Definition: smartlist.c:279
int base64_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:396
#define SMARTLIST_FOREACH(sl, type, var, cmd)
const char * escaped(const char *s)
Definition: escape.c:126
static char * get_all_auth_client_lines(const hs_descriptor_t *desc)
#define ARRAY_LENGTH(x)
void crypto_strongest_rand(uint8_t *out, size_t out_len)
Definition: crypto_rand.c:340
time_t approx_time(void)
Definition: approx_time.c:32
#define T1(s, t, a, o)
Definition: parsecommon.h:250
void token_clear(directory_token_t *tok)
Definition: parsecommon.c:41
Header file for hs_cache.c.
crypto_cipher_t * crypto_cipher_new_with_iv_and_bits(const uint8_t *key, const uint8_t *iv, int bits)
Definition: crypto_cipher.c:29
int ed25519_signature_from_base64(ed25519_signature_t *sig, const char *input)
MOCK_IMPL(STATIC size_t, decrypt_desc_layer,(const hs_descriptor_t *desc, const uint8_t *encrypted_blob, size_t encrypted_blob_size, const uint8_t *descriptor_cookie, int is_superencrypted_layer, char **decrypted_out))
crypto_xof_t * crypto_xof_new(void)
void smartlist_clear(smartlist_t *sl)
int tokenize_string(memarea_t *area, const char *start, const char *end, smartlist_t *out, const token_rule_t *table, int flags)
Definition: parsecommon.c:53
#define T01(s, t, a, o)
Definition: parsecommon.h:258
#define LD_BUG
Definition: log.h:84
#define CURVE25519_PUBKEY_LEN
Definition: x25519_sizes.h:20
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)