Tor  0.4.4.0-alpha-dev
hs_descriptor.c
Go to the documentation of this file.
1 /* Copyright (c) 2016-2020, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
4 /**
5  * \file hs_descriptor.c
6  * \brief Handle hidden service descriptor encoding/decoding.
7  *
8  * \details
9  * Here is a graphical depiction of an HS descriptor and its layers:
10  *
11  * +------------------------------------------------------+
12  * |DESCRIPTOR HEADER: |
13  * | hs-descriptor 3 |
14  * | descriptor-lifetime 180 |
15  * | ... |
16  * | superencrypted |
17  * |+---------------------------------------------------+ |
18  * ||SUPERENCRYPTED LAYER (aka OUTER ENCRYPTED LAYER): | |
19  * || desc-auth-type x25519 | |
20  * || desc-auth-ephemeral-key | |
21  * || auth-client | |
22  * || auth-client | |
23  * || ... | |
24  * || encrypted | |
25  * ||+-------------------------------------------------+| |
26  * |||ENCRYPTED LAYER (aka INNER ENCRYPTED LAYER): || |
27  * ||| create2-formats || |
28  * ||| intro-auth-required || |
29  * ||| introduction-point || |
30  * ||| introduction-point || |
31  * ||| ... || |
32  * ||+-------------------------------------------------+| |
33  * |+---------------------------------------------------+ |
34  * +------------------------------------------------------+
35  *
36  * The DESCRIPTOR HEADER section is completely unencrypted and contains generic
37  * descriptor metadata.
38  *
39  * The SUPERENCRYPTED LAYER section is the first layer of encryption, and it's
40  * encrypted using the blinded public key of the hidden service to protect
41  * against entities who don't know its onion address. The clients of the hidden
42  * service know its onion address and blinded public key, whereas third-parties
43  * (like HSDirs) don't know it (except if it's a public hidden service).
44  *
45  * The ENCRYPTED LAYER section is the second layer of encryption, and it's
46  * encrypted using the client authorization key material (if those exist). When
47  * client authorization is enabled, this second layer of encryption protects
48  * the descriptor content from unauthorized entities. If client authorization
49  * is disabled, this second layer of encryption does not provide any extra
50  * security but is still present. The plaintext of this layer contains all the
51  * information required to connect to the hidden service like its list of
52  * introduction points.
53  **/
54 
55 /* For unit tests.*/
56 #define HS_DESCRIPTOR_PRIVATE
57 
58 #include "core/or/or.h"
59 #include "trunnel/ed25519_cert.h" /* Trunnel interface. */
61 #include "core/or/circuitbuild.h"
65 #include "feature/rend/rendcache.h"
66 #include "feature/hs/hs_cache.h"
67 #include "feature/hs/hs_config.h"
68 #include "feature/nodelist/torcert.h" /* tor_cert_encode_ed22519() */
69 #include "lib/memarea/memarea.h"
71 
72 #include "core/or/extend_info_st.h"
73 
74 /* Constant string value used for the descriptor format. */
75 #define str_hs_desc "hs-descriptor"
76 #define str_desc_cert "descriptor-signing-key-cert"
77 #define str_rev_counter "revision-counter"
78 #define str_superencrypted "superencrypted"
79 #define str_encrypted "encrypted"
80 #define str_signature "signature"
81 #define str_lifetime "descriptor-lifetime"
82 /* Constant string value for the encrypted part of the descriptor. */
83 #define str_create2_formats "create2-formats"
84 #define str_intro_auth_required "intro-auth-required"
85 #define str_single_onion "single-onion-service"
86 #define str_intro_point "introduction-point"
87 #define str_ip_onion_key "onion-key"
88 #define str_ip_auth_key "auth-key"
89 #define str_ip_enc_key "enc-key"
90 #define str_ip_enc_key_cert "enc-key-cert"
91 #define str_ip_legacy_key "legacy-key"
92 #define str_ip_legacy_key_cert "legacy-key-cert"
93 #define str_intro_point_start "\n" str_intro_point " "
94 /* Constant string value for the construction to encrypt the encrypted data
95  * section. */
96 #define str_enc_const_superencryption "hsdir-superencrypted-data"
97 #define str_enc_const_encryption "hsdir-encrypted-data"
98 /* Prefix required to compute/verify HS desc signatures */
99 #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
100 #define str_desc_auth_type "desc-auth-type"
101 #define str_desc_auth_key "desc-auth-ephemeral-key"
102 #define str_desc_auth_client "auth-client"
103 #define str_encrypted "encrypted"
104 
105 /** Authentication supported types. */
106 static const struct {
107  hs_desc_auth_type_t type;
108  const char *identifier;
109 } intro_auth_types[] = {
110  { HS_DESC_AUTH_ED25519, "ed25519" },
111  /* Indicate end of array. */
112  { 0, NULL }
113 };
114 
115 /** Descriptor ruleset. */
117  T1_START(str_hs_desc, R_HS_DESCRIPTOR, EQ(1), NO_OBJ),
118  T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ),
119  T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ),
120  T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ),
121  T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ),
122  T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ),
124 };
125 
126 /** Descriptor ruleset for the superencrypted section. */
128  T1_START(str_desc_auth_type, R3_DESC_AUTH_TYPE, GE(1), NO_OBJ),
129  T1(str_desc_auth_key, R3_DESC_AUTH_KEY, GE(1), NO_OBJ),
130  T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT, GE(3), NO_OBJ),
131  T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
133 };
134 
135 /** Descriptor ruleset for the encrypted section. */
137  T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
138  T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
139  T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
141 };
142 
143 /** Descriptor ruleset for the introduction points section. */
145  T1_START(str_intro_point, R3_INTRODUCTION_POINT, EQ(1), NO_OBJ),
146  T1N(str_ip_onion_key, R3_INTRO_ONION_KEY, GE(2), OBJ_OK),
147  T1(str_ip_auth_key, R3_INTRO_AUTH_KEY, NO_ARGS, NEED_OBJ),
148  T1(str_ip_enc_key, R3_INTRO_ENC_KEY, GE(2), OBJ_OK),
149  T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT, ARGS, OBJ_OK),
150  T01(str_ip_legacy_key, R3_INTRO_LEGACY_KEY, ARGS, NEED_KEY_1024),
151  T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT, ARGS, OBJ_OK),
153 };
154 
155 /** Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
156  * We use SHA3-256 for the MAC computation.
157  * This function can't fail. */
158 static void
159 build_mac(const uint8_t *mac_key, size_t mac_key_len,
160  const uint8_t *salt, size_t salt_len,
161  const uint8_t *encrypted, size_t encrypted_len,
162  uint8_t *mac_out, size_t mac_len)
163 {
164  crypto_digest_t *digest;
165 
166  const uint64_t mac_len_netorder = tor_htonll(mac_key_len);
167  const uint64_t salt_len_netorder = tor_htonll(salt_len);
168 
169  tor_assert(mac_key);
170  tor_assert(salt);
171  tor_assert(encrypted);
172  tor_assert(mac_out);
173 
174  digest = crypto_digest256_new(DIGEST_SHA3_256);
175  /* As specified in section 2.5 of proposal 224, first add the mac key
176  * then add the salt first and then the encrypted section. */
177 
178  crypto_digest_add_bytes(digest, (const char *) &mac_len_netorder, 8);
179  crypto_digest_add_bytes(digest, (const char *) mac_key, mac_key_len);
180  crypto_digest_add_bytes(digest, (const char *) &salt_len_netorder, 8);
181  crypto_digest_add_bytes(digest, (const char *) salt, salt_len);
182  crypto_digest_add_bytes(digest, (const char *) encrypted, encrypted_len);
183  crypto_digest_get_digest(digest, (char *) mac_out, mac_len);
184  crypto_digest_free(digest);
185 }
186 
187 /** Using a secret data and a given decriptor object, build the secret
188  * input needed for the KDF.
189  *
190  * secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
191  *
192  * Then, set the newly allocated buffer in secret_input_out and return the
193  * length of the buffer. */
194 static size_t
196  const uint8_t *secret_data,
197  size_t secret_data_len,
198  uint8_t **secret_input_out)
199 {
200  size_t offset = 0;
201  size_t secret_input_len = secret_data_len + DIGEST256_LEN + sizeof(uint64_t);
202  uint8_t *secret_input = NULL;
203 
204  tor_assert(desc);
205  tor_assert(secret_data);
206  tor_assert(secret_input_out);
207 
208  secret_input = tor_malloc_zero(secret_input_len);
209 
210  /* Copy the secret data. */
211  memcpy(secret_input, secret_data, secret_data_len);
212  offset += secret_data_len;
213  /* Copy subcredential. */
214  memcpy(secret_input + offset, desc->subcredential, DIGEST256_LEN);
215  offset += DIGEST256_LEN;
216  /* Copy revision counter value. */
217  set_uint64(secret_input + offset,
219  offset += sizeof(uint64_t);
220  tor_assert(secret_input_len == offset);
221 
222  *secret_input_out = secret_input;
223 
224  return secret_input_len;
225 }
226 
227 /** Do the KDF construction and put the resulting data in key_out which is of
228  * key_out_len length. It uses SHAKE-256 as specified in the spec. */
229 static void
231  const uint8_t *secret_data,
232  size_t secret_data_len,
233  const uint8_t *salt, size_t salt_len,
234  uint8_t *key_out, size_t key_out_len,
235  int is_superencrypted_layer)
236 {
237  uint8_t *secret_input = NULL;
238  size_t secret_input_len;
239  crypto_xof_t *xof;
240 
241  tor_assert(desc);
242  tor_assert(secret_data);
243  tor_assert(salt);
244  tor_assert(key_out);
245 
246  /* Build the secret input for the KDF computation. */
247  secret_input_len = build_secret_input(desc, secret_data,
248  secret_data_len, &secret_input);
249 
250  xof = crypto_xof_new();
251  /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
252  crypto_xof_add_bytes(xof, secret_input, secret_input_len);
253  crypto_xof_add_bytes(xof, salt, salt_len);
254 
255  /* Feed in the right string constant based on the desc layer */
256  if (is_superencrypted_layer) {
257  crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_superencryption,
258  strlen(str_enc_const_superencryption));
259  } else {
260  crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_encryption,
261  strlen(str_enc_const_encryption));
262  }
263 
264  /* Eat from our KDF. */
265  crypto_xof_squeeze_bytes(xof, key_out, key_out_len);
266  crypto_xof_free(xof);
267  memwipe(secret_input, 0, secret_input_len);
268 
269  tor_free(secret_input);
270 }
271 
272 /** Using the given descriptor, secret data, and salt, run it through our
273  * KDF function and then extract a secret key in key_out, the IV in iv_out
274  * and MAC in mac_out. This function can't fail. */
275 static void
277  const uint8_t *secret_data,
278  size_t secret_data_len,
279  const uint8_t *salt, size_t salt_len,
280  uint8_t *key_out, size_t key_len,
281  uint8_t *iv_out, size_t iv_len,
282  uint8_t *mac_out, size_t mac_len,
283  int is_superencrypted_layer)
284 {
285  size_t offset = 0;
286  uint8_t kdf_key[HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN];
287 
288  tor_assert(desc);
289  tor_assert(secret_data);
290  tor_assert(salt);
291  tor_assert(key_out);
292  tor_assert(iv_out);
293  tor_assert(mac_out);
294 
295  build_kdf_key(desc, secret_data, secret_data_len,
296  salt, salt_len, kdf_key, sizeof(kdf_key),
297  is_superencrypted_layer);
298  /* Copy the bytes we need for both the secret key and IV. */
299  memcpy(key_out, kdf_key, key_len);
300  offset += key_len;
301  memcpy(iv_out, kdf_key + offset, iv_len);
302  offset += iv_len;
303  memcpy(mac_out, kdf_key + offset, mac_len);
304  /* Extra precaution to make sure we are not out of bound. */
305  tor_assert((offset + mac_len) == sizeof(kdf_key));
306  memwipe(kdf_key, 0, sizeof(kdf_key));
307 }
308 
309 /* === ENCODING === */
310 
311 /** Encode the given link specifier objects into a newly allocated string.
312  * This can't fail so caller can always assume a valid string being
313  * returned. */
314 STATIC char *
316 {
317  char *encoded_b64 = NULL;
318  link_specifier_list_t *lslist = link_specifier_list_new();
319 
320  tor_assert(specs);
321  /* No link specifiers is a code flow error, can't happen. */
322  tor_assert(smartlist_len(specs) > 0);
323  tor_assert(smartlist_len(specs) <= UINT8_MAX);
324 
325  link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
326 
327  SMARTLIST_FOREACH_BEGIN(specs, const link_specifier_t *,
328  spec) {
329  link_specifier_t *ls = link_specifier_dup(spec);
330  tor_assert(ls);
331  link_specifier_list_add_spec(lslist, ls);
332  } SMARTLIST_FOREACH_END(spec);
333 
334  {
335  uint8_t *encoded;
336  ssize_t encoded_len, encoded_b64_len, ret;
337 
338  encoded_len = link_specifier_list_encoded_len(lslist);
339  tor_assert(encoded_len > 0);
340  encoded = tor_malloc_zero(encoded_len);
341  ret = link_specifier_list_encode(encoded, encoded_len, lslist);
342  tor_assert(ret == encoded_len);
343 
344  /* Base64 encode our binary format. Add extra NUL byte for the base64
345  * encoded value. */
346  encoded_b64_len = base64_encode_size(encoded_len, 0) + 1;
347  encoded_b64 = tor_malloc_zero(encoded_b64_len);
348  ret = base64_encode(encoded_b64, encoded_b64_len, (const char *) encoded,
349  encoded_len, 0);
350  tor_assert(ret == (encoded_b64_len - 1));
351  tor_free(encoded);
352  }
353 
354  link_specifier_list_free(lslist);
355  return encoded_b64;
356 }
357 
358 /** Encode an introduction point legacy key and certificate. Return a newly
359  * allocated string with it. On failure, return NULL. */
360 static char *
362 {
363  char *key_str, b64_cert[256], *encoded = NULL;
364  size_t key_str_len;
365 
366  tor_assert(ip);
367 
368  /* Encode cross cert. */
369  if (base64_encode(b64_cert, sizeof(b64_cert),
370  (const char *) ip->legacy.cert.encoded,
371  ip->legacy.cert.len, BASE64_ENCODE_MULTILINE) < 0) {
372  log_warn(LD_REND, "Unable to encode legacy crosscert.");
373  goto done;
374  }
375  /* Convert the encryption key to PEM format NUL terminated. */
377  &key_str_len) < 0) {
378  log_warn(LD_REND, "Unable to encode legacy encryption key.");
379  goto done;
380  }
381  tor_asprintf(&encoded,
382  "%s \n%s" /* Newline is added by the call above. */
383  "%s\n"
384  "-----BEGIN CROSSCERT-----\n"
385  "%s"
386  "-----END CROSSCERT-----",
387  str_ip_legacy_key, key_str,
388  str_ip_legacy_key_cert, b64_cert);
389  tor_free(key_str);
390 
391  done:
392  return encoded;
393 }
394 
395 /** Encode an introduction point encryption key and certificate. Return a newly
396  * allocated string with it. On failure, return NULL. */
397 static char *
399 {
400  char *encoded = NULL, *encoded_cert;
401  char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
402 
403  tor_assert(ip);
404 
405  /* Base64 encode the encryption key for the "enc-key" field. */
406  curve25519_public_to_base64(key_b64, &ip->enc_key);
407  if (tor_cert_encode_ed22519(ip->enc_key_cert, &encoded_cert) < 0) {
408  goto done;
409  }
410  tor_asprintf(&encoded,
411  "%s ntor %s\n"
412  "%s\n%s",
413  str_ip_enc_key, key_b64,
414  str_ip_enc_key_cert, encoded_cert);
415  tor_free(encoded_cert);
416 
417  done:
418  return encoded;
419 }
420 
421 /** Encode an introduction point onion key. Return a newly allocated string
422  * with it. Can not fail. */
423 static char *
425 {
426  char *encoded = NULL;
427  char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
428 
429  tor_assert(ip);
430 
431  /* Base64 encode the encryption key for the "onion-key" field. */
432  curve25519_public_to_base64(key_b64, &ip->onion_key);
433  tor_asprintf(&encoded, "%s ntor %s", str_ip_onion_key, key_b64);
434 
435  return encoded;
436 }
437 
438 /** Encode an introduction point object and return a newly allocated string
439  * with it. On failure, return NULL. */
440 static char *
442  const hs_desc_intro_point_t *ip)
443 {
444  char *encoded_ip = NULL;
445  smartlist_t *lines = smartlist_new();
446 
447  tor_assert(ip);
448  tor_assert(sig_key);
449 
450  /* Encode link specifier. */
451  {
452  char *ls_str = encode_link_specifiers(ip->link_specifiers);
453  smartlist_add_asprintf(lines, "%s %s", str_intro_point, ls_str);
454  tor_free(ls_str);
455  }
456 
457  /* Onion key encoding. */
458  {
459  char *encoded_onion_key = encode_onion_key(ip);
460  if (encoded_onion_key == NULL) {
461  goto err;
462  }
463  smartlist_add_asprintf(lines, "%s", encoded_onion_key);
464  tor_free(encoded_onion_key);
465  }
466 
467  /* Authentication key encoding. */
468  {
469  char *encoded_cert;
470  if (tor_cert_encode_ed22519(ip->auth_key_cert, &encoded_cert) < 0) {
471  goto err;
472  }
473  smartlist_add_asprintf(lines, "%s\n%s", str_ip_auth_key, encoded_cert);
474  tor_free(encoded_cert);
475  }
476 
477  /* Encryption key encoding. */
478  {
479  char *encoded_enc_key = encode_enc_key(ip);
480  if (encoded_enc_key == NULL) {
481  goto err;
482  }
483  smartlist_add_asprintf(lines, "%s", encoded_enc_key);
484  tor_free(encoded_enc_key);
485  }
486 
487  /* Legacy key if any. */
488  if (ip->legacy.key != NULL) {
489  /* Strong requirement else the IP creation was badly done. */
490  tor_assert(ip->legacy.cert.encoded);
491  char *encoded_legacy_key = encode_legacy_key(ip);
492  if (encoded_legacy_key == NULL) {
493  goto err;
494  }
495  smartlist_add_asprintf(lines, "%s", encoded_legacy_key);
496  tor_free(encoded_legacy_key);
497  }
498 
499  /* Join them all in one blob of text. */
500  encoded_ip = smartlist_join_strings(lines, "\n", 1, NULL);
501 
502  err:
503  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
504  smartlist_free(lines);
505  return encoded_ip;
506 }
507 
508 /** Given a source length, return the new size including padding for the
509  * plaintext encryption. */
510 static size_t
511 compute_padded_plaintext_length(size_t plaintext_len)
512 {
513  size_t plaintext_padded_len;
514  const int padding_block_length = HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE;
515 
516  /* Make sure we won't overflow. */
517  tor_assert(plaintext_len <= (SIZE_T_CEILING - padding_block_length));
518 
519  /* Get the extra length we need to add. For example, if srclen is 10200
520  * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
521  plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
522  padding_block_length;
523  /* Can never be extra careful. Make sure we are _really_ padded. */
524  tor_assert(!(plaintext_padded_len % padding_block_length));
525  return plaintext_padded_len;
526 }
527 
528 /** Given a buffer, pad it up to the encrypted section padding requirement. Set
529  * the newly allocated string in padded_out and return the length of the
530  * padded buffer. */
531 STATIC size_t
532 build_plaintext_padding(const char *plaintext, size_t plaintext_len,
533  uint8_t **padded_out)
534 {
535  size_t padded_len;
536  uint8_t *padded;
537 
538  tor_assert(plaintext);
539  tor_assert(padded_out);
540 
541  /* Allocate the final length including padding. */
542  padded_len = compute_padded_plaintext_length(plaintext_len);
543  tor_assert(padded_len >= plaintext_len);
544  padded = tor_malloc_zero(padded_len);
545 
546  memcpy(padded, plaintext, plaintext_len);
547  *padded_out = padded;
548  return padded_len;
549 }
550 
551 /** Using a key, IV and plaintext data of length plaintext_len, create the
552  * encrypted section by encrypting it and setting encrypted_out with the
553  * data. Return size of the encrypted data buffer. */
554 static size_t
555 build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
556  size_t plaintext_len, uint8_t **encrypted_out,
557  int is_superencrypted_layer)
558 {
559  size_t encrypted_len;
560  uint8_t *padded_plaintext, *encrypted;
561  crypto_cipher_t *cipher;
562 
563  tor_assert(key);
564  tor_assert(iv);
565  tor_assert(plaintext);
566  tor_assert(encrypted_out);
567 
568  /* If we are encrypting the middle layer of the descriptor, we need to first
569  pad the plaintext */
570  if (is_superencrypted_layer) {
571  encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
572  &padded_plaintext);
573  /* Extra precautions that we have a valid padding length. */
575  } else { /* No padding required for inner layers */
576  padded_plaintext = tor_memdup(plaintext, plaintext_len);
577  encrypted_len = plaintext_len;
578  }
579 
580  /* This creates a cipher for AES. It can't fail. */
581  cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
582  HS_DESC_ENCRYPTED_BIT_SIZE);
583  /* We use a stream cipher so the encrypted length will be the same as the
584  * plaintext padded length. */
585  encrypted = tor_malloc_zero(encrypted_len);
586  /* This can't fail. */
587  crypto_cipher_encrypt(cipher, (char *) encrypted,
588  (const char *) padded_plaintext, encrypted_len);
589  *encrypted_out = encrypted;
590  /* Cleanup. */
591  crypto_cipher_free(cipher);
592  tor_free(padded_plaintext);
593  return encrypted_len;
594 }
595 
596 /** Encrypt the given <b>plaintext</b> buffer using <b>desc</b> and
597  * <b>secret_data</b> to get the keys. Set encrypted_out with the encrypted
598  * data and return the length of it. <b>is_superencrypted_layer</b> is set
599  * if this is the outer encrypted layer of the descriptor. */
600 static size_t
602  const uint8_t *secret_data,
603  size_t secret_data_len,
604  const char *plaintext,
605  char **encrypted_out, int is_superencrypted_layer)
606 {
607  char *final_blob;
608  size_t encrypted_len, final_blob_len, offset = 0;
609  uint8_t *encrypted;
610  uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
611  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
612  uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
613 
614  tor_assert(desc);
615  tor_assert(secret_data);
616  tor_assert(plaintext);
617  tor_assert(encrypted_out);
618 
619  /* Get our salt. The returned bytes are already hashed. */
620  crypto_strongest_rand(salt, sizeof(salt));
621 
622  /* KDF construction resulting in a key from which the secret key, IV and MAC
623  * key are extracted which is what we need for the encryption. */
624  build_secret_key_iv_mac(desc, secret_data, secret_data_len,
625  salt, sizeof(salt),
626  secret_key, sizeof(secret_key),
627  secret_iv, sizeof(secret_iv),
628  mac_key, sizeof(mac_key),
629  is_superencrypted_layer);
630 
631  /* Build the encrypted part that is do the actual encryption. */
632  encrypted_len = build_encrypted(secret_key, secret_iv, plaintext,
633  strlen(plaintext), &encrypted,
634  is_superencrypted_layer);
635  memwipe(secret_key, 0, sizeof(secret_key));
636  memwipe(secret_iv, 0, sizeof(secret_iv));
637  /* This construction is specified in section 2.5 of proposal 224. */
638  final_blob_len = sizeof(salt) + encrypted_len + DIGEST256_LEN;
639  final_blob = tor_malloc_zero(final_blob_len);
640 
641  /* Build the MAC. */
642  build_mac(mac_key, sizeof(mac_key), salt, sizeof(salt),
643  encrypted, encrypted_len, mac, sizeof(mac));
644  memwipe(mac_key, 0, sizeof(mac_key));
645 
646  /* The salt is the first value. */
647  memcpy(final_blob, salt, sizeof(salt));
648  offset = sizeof(salt);
649  /* Second value is the encrypted data. */
650  memcpy(final_blob + offset, encrypted, encrypted_len);
651  offset += encrypted_len;
652  /* Third value is the MAC. */
653  memcpy(final_blob + offset, mac, sizeof(mac));
654  offset += sizeof(mac);
655  /* Cleanup the buffers. */
656  memwipe(salt, 0, sizeof(salt));
657  memwipe(encrypted, 0, encrypted_len);
658  tor_free(encrypted);
659  /* Extra precaution. */
660  tor_assert(offset == final_blob_len);
661 
662  *encrypted_out = final_blob;
663  return final_blob_len;
664 }
665 
666 /** Create and return a string containing a client-auth entry. It's the
667  * responsibility of the caller to free the returned string. This function
668  * will never fail. */
669 static char *
671 {
672  int ret;
673  char *auth_client_str = NULL;
674  /* We are gonna fill these arrays with base64 data. They are all double
675  * the size of their binary representation to fit the base64 overhead. */
676  char client_id_b64[HS_DESC_CLIENT_ID_LEN * 2];
677  char iv_b64[CIPHER_IV_LEN * 2];
678  char encrypted_cookie_b64[HS_DESC_ENCRYPED_COOKIE_LEN * 2];
679 
680 #define ASSERT_AND_BASE64(field) STMT_BEGIN \
681  tor_assert(!fast_mem_is_zero((char *) client->field, \
682  sizeof(client->field))); \
683  ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
684  client->field, sizeof(client->field)); \
685  tor_assert(ret > 0); \
686  STMT_END
687 
688  ASSERT_AND_BASE64(client_id);
689  ASSERT_AND_BASE64(iv);
690  ASSERT_AND_BASE64(encrypted_cookie);
691 
692  /* Build the final string */
693  tor_asprintf(&auth_client_str, "%s %s %s %s", str_desc_auth_client,
694  client_id_b64, iv_b64, encrypted_cookie_b64);
695 
696 #undef ASSERT_AND_BASE64
697 
698  return auth_client_str;
699 }
700 
701 /** Create the "client-auth" part of the descriptor and return a
702  * newly-allocated string with it. It's the responsibility of the caller to
703  * free the returned string. */
704 static char *
706 {
707  smartlist_t *auth_client_lines = smartlist_new();
708  char *auth_client_lines_str = NULL;
709 
710  tor_assert(desc);
712  tor_assert(smartlist_len(desc->superencrypted_data.clients) != 0);
713  tor_assert(smartlist_len(desc->superencrypted_data.clients)
715 
716  /* Make a line for each client */
718  const hs_desc_authorized_client_t *, client) {
719  char *auth_client_str = NULL;
720 
721  auth_client_str = get_auth_client_str(client);
722 
723  smartlist_add(auth_client_lines, auth_client_str);
724  } SMARTLIST_FOREACH_END(client);
725 
726  /* Join all lines together to form final string */
727  auth_client_lines_str = smartlist_join_strings(auth_client_lines,
728  "\n", 1, NULL);
729  /* Cleanup the mess */
730  SMARTLIST_FOREACH(auth_client_lines, char *, a, tor_free(a));
731  smartlist_free(auth_client_lines);
732 
733  return auth_client_lines_str;
734 }
735 
736 /** Create the inner layer of the descriptor (which includes the intro points,
737  * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
738  * an error occurred. It's the responsibility of the caller to free the
739  * returned string. */
740 static char *
742 {
743  char *encoded_str = NULL;
744  smartlist_t *lines = smartlist_new();
745 
746  /* Build the start of the section prior to the introduction points. */
747  {
748  if (!desc->encrypted_data.create2_ntor) {
749  log_err(LD_BUG, "HS desc doesn't have recognized handshake type.");
750  goto err;
751  }
752  smartlist_add_asprintf(lines, "%s %d\n", str_create2_formats,
753  ONION_HANDSHAKE_TYPE_NTOR);
754 
755  if (desc->encrypted_data.intro_auth_types &&
756  smartlist_len(desc->encrypted_data.intro_auth_types)) {
757  /* Put the authentication-required line. */
759  " ", 0, NULL);
760  smartlist_add_asprintf(lines, "%s %s\n", str_intro_auth_required, buf);
761  tor_free(buf);
762  }
763 
765  smartlist_add_asprintf(lines, "%s\n", str_single_onion);
766  }
767  }
768 
769  /* Build the introduction point(s) section. */
771  const hs_desc_intro_point_t *, ip) {
772  char *encoded_ip = encode_intro_point(&desc->plaintext_data.signing_pubkey,
773  ip);
774  if (encoded_ip == NULL) {
775  log_err(LD_BUG, "HS desc intro point is malformed.");
776  goto err;
777  }
778  smartlist_add(lines, encoded_ip);
779  } SMARTLIST_FOREACH_END(ip);
780 
781  /* Build the entire encrypted data section into one encoded plaintext and
782  * then encrypt it. */
783  encoded_str = smartlist_join_strings(lines, "", 0, NULL);
784 
785  err:
786  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
787  smartlist_free(lines);
788 
789  return encoded_str;
790 }
791 
792 /** Create the middle layer of the descriptor, which includes the client auth
793  * data and the encrypted inner layer (provided as a base64 string at
794  * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
795  * layer plaintext. It's the responsibility of the caller to free the returned
796  * string. Can not fail. */
797 static char *
799  const char *layer2_b64_ciphertext)
800 {
801  char *layer1_str = NULL;
802  smartlist_t *lines = smartlist_new();
803 
804  /* Specify auth type */
805  smartlist_add_asprintf(lines, "%s %s\n", str_desc_auth_type, "x25519");
806 
807  { /* Print ephemeral x25519 key */
808  char ephemeral_key_base64[CURVE25519_BASE64_PADDED_LEN + 1];
809  const curve25519_public_key_t *ephemeral_pubkey;
810 
811  ephemeral_pubkey = &desc->superencrypted_data.auth_ephemeral_pubkey;
812  tor_assert(!fast_mem_is_zero((char *) ephemeral_pubkey->public_key,
814 
815  curve25519_public_to_base64(ephemeral_key_base64, ephemeral_pubkey);
816  smartlist_add_asprintf(lines, "%s %s\n",
817  str_desc_auth_key, ephemeral_key_base64);
818 
819  memwipe(ephemeral_key_base64, 0, sizeof(ephemeral_key_base64));
820  }
821 
822  { /* Create auth-client lines. */
823  char *auth_client_lines = get_all_auth_client_lines(desc);
824  tor_assert(auth_client_lines);
825  smartlist_add(lines, auth_client_lines);
826  }
827 
828  /* create encrypted section */
829  {
831  "%s\n"
832  "-----BEGIN MESSAGE-----\n"
833  "%s"
834  "-----END MESSAGE-----",
835  str_encrypted, layer2_b64_ciphertext);
836  }
837 
838  layer1_str = smartlist_join_strings(lines, "", 0, NULL);
839 
840  /* We need to memwipe all lines because it contains the ephemeral key */
841  SMARTLIST_FOREACH(lines, char *, a, memwipe(a, 0, strlen(a)));
842  SMARTLIST_FOREACH(lines, char *, a, tor_free(a));
843  smartlist_free(lines);
844 
845  return layer1_str;
846 }
847 
848 /** Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
849  * returning it. <b>desc</b> is provided to derive the encryption
850  * keys. <b>secret_data</b> is also proved to derive the encryption keys.
851  * <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
852  * middle (superencrypted) layer of the descriptor. It's the responsibility of
853  * the caller to free the returned string. */
854 static char *
856  const uint8_t *secret_data,
857  size_t secret_data_len,
858  const char *encoded_str,
859  int is_superencrypted_layer)
860 {
861  char *enc_b64;
862  ssize_t enc_b64_len, ret_len, enc_len;
863  char *encrypted_blob = NULL;
864 
865  enc_len = encrypt_descriptor_data(desc, secret_data, secret_data_len,
866  encoded_str, &encrypted_blob,
867  is_superencrypted_layer);
868  /* Get the encoded size plus a NUL terminating byte. */
869  enc_b64_len = base64_encode_size(enc_len, BASE64_ENCODE_MULTILINE) + 1;
870  enc_b64 = tor_malloc_zero(enc_b64_len);
871  /* Base64 the encrypted blob before returning it. */
872  ret_len = base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
873  BASE64_ENCODE_MULTILINE);
874  /* Return length doesn't count the NUL byte. */
875  tor_assert(ret_len == (enc_b64_len - 1));
876  tor_free(encrypted_blob);
877 
878  return enc_b64;
879 }
880 
881 /** Generate the secret data which is used to encrypt/decrypt the descriptor.
882  *
883  * SECRET_DATA = blinded-public-key
884  * SECRET_DATA = blinded-public-key | descriptor_cookie
885  *
886  * The descriptor_cookie is optional but if it exists, it must be at least
887  * HS_DESC_DESCRIPTOR_COOKIE_LEN bytes long.
888  *
889  * A newly allocated secret data is put in secret_data_out. Return the
890  * length of the secret data. This function cannot fail. */
891 static size_t
893  const uint8_t *descriptor_cookie,
894  uint8_t **secret_data_out)
895 {
896  size_t secret_data_len;
897  uint8_t *secret_data;
898 
899  tor_assert(blinded_pubkey);
900  tor_assert(secret_data_out);
901 
902  if (descriptor_cookie) {
903  /* If the descriptor cookie is present, we need both the blinded
904  * pubkey and the descriptor cookie as a secret data. */
905  secret_data_len = ED25519_PUBKEY_LEN + HS_DESC_DESCRIPTOR_COOKIE_LEN;
906  secret_data = tor_malloc(secret_data_len);
907 
908  memcpy(secret_data,
909  blinded_pubkey->pubkey,
911  memcpy(secret_data + ED25519_PUBKEY_LEN,
912  descriptor_cookie,
913  HS_DESC_DESCRIPTOR_COOKIE_LEN);
914  } else {
915  /* If the descriptor cookie is not present, we need only the blinded
916  * pubkey as a secret data. */
917  secret_data_len = ED25519_PUBKEY_LEN;
918  secret_data = tor_malloc(secret_data_len);
919  memcpy(secret_data,
920  blinded_pubkey->pubkey,
922  }
923 
924  *secret_data_out = secret_data;
925  return secret_data_len;
926 }
927 
928 /** Generate and encode the superencrypted portion of <b>desc</b>. This also
929  * involves generating the encrypted portion of the descriptor, and performing
930  * the superencryption. A newly allocated NUL-terminated string pointer
931  * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
932  * on success else a negative value. */
933 static int
935  const uint8_t *descriptor_cookie,
936  char **encrypted_blob_out)
937 {
938  int ret = -1;
939  uint8_t *secret_data = NULL;
940  size_t secret_data_len = 0;
941  char *layer2_str = NULL;
942  char *layer2_b64_ciphertext = NULL;
943  char *layer1_str = NULL;
944  char *layer1_b64_ciphertext = NULL;
945 
946  tor_assert(desc);
947  tor_assert(encrypted_blob_out);
948 
949  /* Func logic: We first create the inner layer of the descriptor (layer2).
950  * We then encrypt it and use it to create the middle layer of the descriptor
951  * (layer1). Finally we superencrypt the middle layer and return it to our
952  * caller. */
953 
954  /* Create inner descriptor layer */
955  layer2_str = get_inner_encrypted_layer_plaintext(desc);
956  if (!layer2_str) {
957  goto err;
958  }
959 
960  secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
961  descriptor_cookie,
962  &secret_data);
963 
964  /* Encrypt and b64 the inner layer */
965  layer2_b64_ciphertext =
966  encrypt_desc_data_and_base64(desc, secret_data, secret_data_len,
967  layer2_str, 0);
968  if (!layer2_b64_ciphertext) {
969  goto err;
970  }
971 
972  /* Now create middle descriptor layer given the inner layer */
973  layer1_str = get_outer_encrypted_layer_plaintext(desc,layer2_b64_ciphertext);
974  if (!layer1_str) {
975  goto err;
976  }
977 
978  /* Encrypt and base64 the middle layer */
979  layer1_b64_ciphertext =
981  desc->plaintext_data.blinded_pubkey.pubkey,
983  layer1_str, 1);
984  if (!layer1_b64_ciphertext) {
985  goto err;
986  }
987 
988  /* Success! */
989  ret = 0;
990 
991  err:
992  memwipe(secret_data, 0, secret_data_len);
993  tor_free(secret_data);
994  tor_free(layer1_str);
995  tor_free(layer2_str);
996  tor_free(layer2_b64_ciphertext);
997 
998  *encrypted_blob_out = layer1_b64_ciphertext;
999  return ret;
1000 }
1001 
1002 /** Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
1003  * newly allocated string of the encoded descriptor. On error, -1 is returned
1004  * and encoded_out is untouched. */
1005 static int
1007  const ed25519_keypair_t *signing_kp,
1008  const uint8_t *descriptor_cookie,
1009  char **encoded_out)
1010 {
1011  int ret = -1;
1012  char *encoded_str = NULL;
1013  size_t encoded_len;
1014  smartlist_t *lines = smartlist_new();
1015 
1016  tor_assert(desc);
1017  tor_assert(signing_kp);
1018  tor_assert(encoded_out);
1019  tor_assert(desc->plaintext_data.version == 3);
1020 
1021  if (BUG(desc->subcredential == NULL)) {
1022  goto err;
1023  }
1024 
1025  /* Build the non-encrypted values. */
1026  {
1027  char *encoded_cert;
1028  /* Encode certificate then create the first line of the descriptor. */
1030  != CERT_TYPE_SIGNING_HS_DESC) {
1031  log_err(LD_BUG, "HS descriptor signing key has an unexpected cert type "
1032  "(%d)", (int) desc->plaintext_data.signing_key_cert->cert_type);
1033  goto err;
1034  }
1035  if (tor_cert_encode_ed22519(desc->plaintext_data.signing_key_cert,
1036  &encoded_cert) < 0) {
1037  /* The function will print error logs. */
1038  goto err;
1039  }
1040  /* Create the hs descriptor line. */
1041  smartlist_add_asprintf(lines, "%s %" PRIu32, str_hs_desc,
1042  desc->plaintext_data.version);
1043  /* Add the descriptor lifetime line (in minutes). */
1044  smartlist_add_asprintf(lines, "%s %" PRIu32, str_lifetime,
1045  desc->plaintext_data.lifetime_sec / 60);
1046  /* Create the descriptor certificate line. */
1047  smartlist_add_asprintf(lines, "%s\n%s", str_desc_cert, encoded_cert);
1048  tor_free(encoded_cert);
1049  /* Create the revision counter line. */
1050  smartlist_add_asprintf(lines, "%s %" PRIu64, str_rev_counter,
1052  }
1053 
1054  /* Build the superencrypted data section. */
1055  {
1056  char *enc_b64_blob=NULL;
1057  if (encode_superencrypted_data(desc, descriptor_cookie,
1058  &enc_b64_blob) < 0) {
1059  goto err;
1060  }
1061  smartlist_add_asprintf(lines,
1062  "%s\n"
1063  "-----BEGIN MESSAGE-----\n"
1064  "%s"
1065  "-----END MESSAGE-----",
1066  str_superencrypted, enc_b64_blob);
1067  tor_free(enc_b64_blob);
1068  }
1069 
1070  /* Join all lines in one string so we can generate a signature and append
1071  * it to the descriptor. */
1072  encoded_str = smartlist_join_strings(lines, "\n", 1, &encoded_len);
1073 
1074  /* Sign all fields of the descriptor with our short term signing key. */
1075  {
1076  ed25519_signature_t sig;
1077  char ed_sig_b64[ED25519_SIG_BASE64_LEN + 1];
1078  if (ed25519_sign_prefixed(&sig,
1079  (const uint8_t *) encoded_str, encoded_len,
1080  str_desc_sig_prefix, signing_kp) < 0) {
1081  log_warn(LD_BUG, "Can't sign encoded HS descriptor!");
1082  tor_free(encoded_str);
1083  goto err;
1084  }
1085  ed25519_signature_to_base64(ed_sig_b64, &sig);
1086  /* Create the signature line. */
1087  smartlist_add_asprintf(lines, "%s %s", str_signature, ed_sig_b64);
1088  }
1089  /* Free previous string that we used so compute the signature. */
1090  tor_free(encoded_str);
1091  encoded_str = smartlist_join_strings(lines, "\n", 1, NULL);
1092  *encoded_out = encoded_str;
1093 
1094  if (strlen(encoded_str) >= hs_cache_get_max_descriptor_size()) {
1095  log_warn(LD_GENERAL, "We just made an HS descriptor that's too big (%d)."
1096  "Failing.", (int)strlen(encoded_str));
1097  tor_free(encoded_str);
1098  goto err;
1099  }
1100 
1101  /* XXX: Trigger a control port event. */
1102 
1103  /* Success! */
1104  ret = 0;
1105 
1106  err:
1107  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
1108  smartlist_free(lines);
1109  return ret;
1110 }
1111 
1112 /* === DECODING === */
1113 
1114 /** Given the token tok for an auth client, decode it as
1115  * hs_desc_authorized_client_t. tok->args MUST contain at least 3 elements
1116  * Return 0 on success else -1 on failure. */
1117 static int
1120 {
1121  int ret = -1;
1122 
1123  tor_assert(tok);
1124  tor_assert(tok->n_args >= 3);
1125  tor_assert(client);
1126 
1127  if (base64_decode((char *) client->client_id, sizeof(client->client_id),
1128  tok->args[0], strlen(tok->args[0])) !=
1129  sizeof(client->client_id)) {
1130  goto done;
1131  }
1132  if (base64_decode((char *) client->iv, sizeof(client->iv),
1133  tok->args[1], strlen(tok->args[1])) !=
1134  sizeof(client->iv)) {
1135  goto done;
1136  }
1137  if (base64_decode((char *) client->encrypted_cookie,
1138  sizeof(client->encrypted_cookie),
1139  tok->args[2], strlen(tok->args[2])) !=
1140  sizeof(client->encrypted_cookie)) {
1141  goto done;
1142  }
1143 
1144  /* Success. */
1145  ret = 0;
1146  done:
1147  return ret;
1148 }
1149 
1150 /** Given an encoded string of the link specifiers, return a newly allocated
1151  * list of decoded link specifiers. Return NULL on error. */
1153 decode_link_specifiers(const char *encoded)
1154 {
1155  int decoded_len;
1156  size_t encoded_len, i;
1157  uint8_t *decoded;
1158  smartlist_t *results = NULL;
1159  link_specifier_list_t *specs = NULL;
1160 
1161  tor_assert(encoded);
1162 
1163  encoded_len = strlen(encoded);
1164  decoded = tor_malloc(encoded_len);
1165  decoded_len = base64_decode((char *) decoded, encoded_len, encoded,
1166  encoded_len);
1167  if (decoded_len < 0) {
1168  goto err;
1169  }
1170 
1171  if (link_specifier_list_parse(&specs, decoded,
1172  (size_t) decoded_len) < decoded_len) {
1173  goto err;
1174  }
1175  tor_assert(specs);
1176  results = smartlist_new();
1177 
1178  for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
1179  link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
1180  if (BUG(!ls)) {
1181  goto err;
1182  }
1183  link_specifier_t *ls_dup = link_specifier_dup(ls);
1184  if (BUG(!ls_dup)) {
1185  goto err;
1186  }
1187  smartlist_add(results, ls_dup);
1188  }
1189 
1190  goto done;
1191  err:
1192  if (results) {
1193  SMARTLIST_FOREACH(results, link_specifier_t *, s,
1194  link_specifier_free(s));
1195  smartlist_free(results);
1196  results = NULL;
1197  }
1198  done:
1199  link_specifier_list_free(specs);
1200  tor_free(decoded);
1201  return results;
1202 }
1203 
1204 /** Given a list of authentication types, decode it and put it in the encrypted
1205  * data section. Return 1 if we at least know one of the type or 0 if we know
1206  * none of them. */
1207 static int
1209 {
1210  int match = 0;
1211 
1212  tor_assert(desc);
1213  tor_assert(list);
1214 
1215  desc->intro_auth_types = smartlist_new();
1216  smartlist_split_string(desc->intro_auth_types, list, " ", 0, 0);
1217 
1218  /* Validate the types that we at least know about one. */
1219  SMARTLIST_FOREACH_BEGIN(desc->intro_auth_types, const char *, auth) {
1220  for (int idx = 0; intro_auth_types[idx].identifier; idx++) {
1221  if (!strncmp(auth, intro_auth_types[idx].identifier,
1222  strlen(intro_auth_types[idx].identifier))) {
1223  match = 1;
1224  break;
1225  }
1226  }
1227  } SMARTLIST_FOREACH_END(auth);
1228 
1229  return match;
1230 }
1231 
1232 /** Parse a space-delimited list of integers representing CREATE2 formats into
1233  * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
1234 static void
1236 {
1237  smartlist_t *tokens;
1238 
1239  tor_assert(desc);
1240  tor_assert(list);
1241 
1242  tokens = smartlist_new();
1243  smartlist_split_string(tokens, list, " ", 0, 0);
1244 
1245  SMARTLIST_FOREACH_BEGIN(tokens, char *, s) {
1246  int ok;
1247  unsigned long type = tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
1248  if (!ok) {
1249  log_warn(LD_REND, "Unparseable value %s in create2 list", escaped(s));
1250  continue;
1251  }
1252  switch (type) {
1253  case ONION_HANDSHAKE_TYPE_NTOR:
1254  desc->create2_ntor = 1;
1255  break;
1256  default:
1257  /* We deliberately ignore unsupported handshake types */
1258  continue;
1259  }
1260  } SMARTLIST_FOREACH_END(s);
1261 
1262  SMARTLIST_FOREACH(tokens, char *, s, tor_free(s));
1263  smartlist_free(tokens);
1264 }
1265 
1266 /** Given a certificate, validate the certificate for certain conditions which
1267  * are if the given type matches the cert's one, if the signing key is
1268  * included and if the that key was actually used to sign the certificate.
1269  *
1270  * Return 1 iff if all conditions pass or 0 if one of them fails. */
1271 STATIC int
1272 cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
1273 {
1274  tor_assert(log_obj_type);
1275 
1276  if (cert == NULL) {
1277  log_warn(LD_REND, "Certificate for %s couldn't be parsed.", log_obj_type);
1278  goto err;
1279  }
1280  if (cert->cert_type != type) {
1281  log_warn(LD_REND, "Invalid cert type %02x for %s.", cert->cert_type,
1282  log_obj_type);
1283  goto err;
1284  }
1285  /* All certificate must have its signing key included. */
1286  if (!cert->signing_key_included) {
1287  log_warn(LD_REND, "Signing key is NOT included for %s.", log_obj_type);
1288  goto err;
1289  }
1290  /* The following will not only check if the signature matches but also the
1291  * expiration date and overall validity. */
1292  if (tor_cert_checksig(cert, &cert->signing_key, approx_time()) < 0) {
1293  log_warn(LD_REND, "Invalid signature for %s: %s", log_obj_type,
1295  goto err;
1296  }
1297 
1298  return 1;
1299  err:
1300  return 0;
1301 }
1302 
1303 /** Given some binary data, try to parse it to get a certificate object. If we
1304  * have a valid cert, validate it using the given wanted type. On error, print
1305  * a log using the err_msg has the certificate identifier adding semantic to
1306  * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
1307  * points to a newly allocated certificate object. */
1308 static int
1309 cert_parse_and_validate(tor_cert_t **cert_out, const char *data,
1310  size_t data_len, unsigned int cert_type_wanted,
1311  const char *err_msg)
1312 {
1313  tor_cert_t *cert;
1314 
1315  tor_assert(cert_out);
1316  tor_assert(data);
1317  tor_assert(err_msg);
1318 
1319  /* Parse certificate. */
1320  cert = tor_cert_parse((const uint8_t *) data, data_len);
1321  if (!cert) {
1322  log_warn(LD_REND, "Certificate for %s couldn't be parsed.", err_msg);
1323  goto err;
1324  }
1325 
1326  /* Validate certificate. */
1327  if (!cert_is_valid(cert, cert_type_wanted, err_msg)) {
1328  goto err;
1329  }
1330 
1331  *cert_out = cert;
1332  return 0;
1333 
1334  err:
1335  tor_cert_free(cert);
1336  *cert_out = NULL;
1337  return -1;
1338 }
1339 
1340 /** Return true iff the given length of the encrypted data of a descriptor
1341  * passes validation. */
1342 STATIC int
1344 {
1345  /* Make sure there is enough data for the salt and the mac. The equality is
1346  there to ensure that there is at least one byte of encrypted data. */
1348  log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
1349  "Got %lu but minimum value is %d",
1350  (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
1351  goto err;
1352  }
1353 
1354  return 1;
1355  err:
1356  return 0;
1357 }
1358 
1359 /** Build the KEYS component for the authorized client computation. The format
1360  * of the construction is:
1361  *
1362  * SECRET_SEED = x25519(sk, pk)
1363  * KEYS = KDF(subcredential | SECRET_SEED, 40)
1364  *
1365  * Set the <b>keys_out</b> argument to point to the buffer containing the KEYS,
1366  * and return the buffer's length. The caller should wipe and free its content
1367  * once done with it. This function can't fail. */
1368 static size_t
1369 build_descriptor_cookie_keys(const uint8_t *subcredential,
1370  size_t subcredential_len,
1371  const curve25519_secret_key_t *sk,
1372  const curve25519_public_key_t *pk,
1373  uint8_t **keys_out)
1374 {
1375  uint8_t secret_seed[CURVE25519_OUTPUT_LEN];
1376  uint8_t *keystream;
1377  size_t keystream_len = HS_DESC_CLIENT_ID_LEN + HS_DESC_COOKIE_KEY_LEN;
1378  crypto_xof_t *xof;
1379 
1380  tor_assert(subcredential);
1381  tor_assert(sk);
1382  tor_assert(pk);
1383  tor_assert(keys_out);
1384 
1385  keystream = tor_malloc_zero(keystream_len);
1386 
1387  /* Calculate x25519(sk, pk) to get the secret seed. */
1388  curve25519_handshake(secret_seed, sk, pk);
1389 
1390  /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
1391  xof = crypto_xof_new();
1392  crypto_xof_add_bytes(xof, subcredential, subcredential_len);
1393  crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
1394  crypto_xof_squeeze_bytes(xof, keystream, keystream_len);
1395  crypto_xof_free(xof);
1396 
1397  memwipe(secret_seed, 0, sizeof(secret_seed));
1398 
1399  *keys_out = keystream;
1400  return keystream_len;
1401 }
1402 
1403 /** Decrypt the descriptor cookie given the descriptor, the auth client,
1404  * and the client secret key. On sucess, return 0 and a newly allocated
1405  * descriptor cookie descriptor_cookie_out. On error or if the client id
1406  * is invalid, return -1 and descriptor_cookie_out is set to
1407  * NULL. */
1408 static int
1410  const hs_desc_authorized_client_t *client,
1411  const curve25519_secret_key_t *client_auth_sk,
1412  uint8_t **descriptor_cookie_out)
1413 {
1414  int ret = -1;
1415  uint8_t *keystream = NULL;
1416  size_t keystream_length = 0;
1417  uint8_t *descriptor_cookie = NULL;
1418  const uint8_t *cookie_key = NULL;
1419  crypto_cipher_t *cipher = NULL;
1420 
1421  tor_assert(desc);
1422  tor_assert(client);
1423  tor_assert(client_auth_sk);
1427  tor_assert(!fast_mem_is_zero((char *) client_auth_sk,
1428  sizeof(*client_auth_sk)));
1430 
1431  /* Get the KEYS component to derive the CLIENT-ID and COOKIE-KEY. */
1432  keystream_length =
1434  client_auth_sk,
1436  &keystream);
1437  tor_assert(keystream_length > 0);
1438 
1439  /* If the client id of auth client is not the same as the calculcated
1440  * client id, it means that this auth client is invaild according to the
1441  * client secret key client_auth_sk. */
1442  if (tor_memneq(client->client_id, keystream, HS_DESC_CLIENT_ID_LEN)) {
1443  goto done;
1444  }
1445  cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
1446 
1447  /* This creates a cipher for AES. It can't fail. */
1448  cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client->iv,
1449  HS_DESC_COOKIE_KEY_BIT_SIZE);
1450  descriptor_cookie = tor_malloc_zero(HS_DESC_DESCRIPTOR_COOKIE_LEN);
1451  /* This can't fail. */
1452  crypto_cipher_decrypt(cipher, (char *) descriptor_cookie,
1453  (const char *) client->encrypted_cookie,
1454  sizeof(client->encrypted_cookie));
1455 
1456  /* Success. */
1457  ret = 0;
1458  done:
1459  *descriptor_cookie_out = descriptor_cookie;
1460  if (cipher) {
1461  crypto_cipher_free(cipher);
1462  }
1463  memwipe(keystream, 0, keystream_length);
1464  tor_free(keystream);
1465  return ret;
1466 }
1467 
1468 /** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
1469  * <b>encrypted_blob_size</b>. The descriptor cookie is optional. Use
1470  * the descriptor object <b>desc</b> and <b>descriptor_cookie</b>
1471  * to generate the right decryption keys; set <b>decrypted_out</b> to
1472  * the plaintext. If <b>is_superencrypted_layer</b> is set, this is
1473  * the outter encrypted layer of the descriptor.
1474  *
1475  * On any error case, including an empty output, return 0 and set
1476  * *<b>decrypted_out</b> to NULL.
1477  */
1478 MOCK_IMPL(STATIC size_t,
1479 decrypt_desc_layer,(const hs_descriptor_t *desc,
1480  const uint8_t *descriptor_cookie,
1481  bool is_superencrypted_layer,
1482  char **decrypted_out))
1483 {
1484  uint8_t *decrypted = NULL;
1485  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
1486  uint8_t *secret_data = NULL;
1487  size_t secret_data_len = 0;
1488  uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
1489  const uint8_t *salt, *encrypted, *desc_mac;
1490  size_t encrypted_len, result_len = 0;
1491  const uint8_t *encrypted_blob = (is_superencrypted_layer)
1494  size_t encrypted_blob_size = (is_superencrypted_layer)
1497 
1498  tor_assert(decrypted_out);
1499  tor_assert(desc);
1500  tor_assert(encrypted_blob);
1501 
1502  /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
1503  * Make sure we have enough space for all these things. */
1504  if (!encrypted_data_length_is_valid(encrypted_blob_size)) {
1505  goto err;
1506  }
1507 
1508  /* Start of the blob thus the salt. */
1509  salt = encrypted_blob;
1510 
1511  /* Next is the encrypted data. */
1512  encrypted = encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN;
1513  encrypted_len = encrypted_blob_size -
1515  tor_assert(encrypted_len > 0); /* guaranteed by the check above */
1516 
1517  /* And last comes the MAC. */
1518  desc_mac = encrypted_blob + encrypted_blob_size - DIGEST256_LEN;
1519 
1520  /* Build secret data to be used in the decryption. */
1521  secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
1522  descriptor_cookie,
1523  &secret_data);
1524 
1525  /* KDF construction resulting in a key from which the secret key, IV and MAC
1526  * key are extracted which is what we need for the decryption. */
1527  build_secret_key_iv_mac(desc, secret_data, secret_data_len,
1529  secret_key, sizeof(secret_key),
1530  secret_iv, sizeof(secret_iv),
1531  mac_key, sizeof(mac_key),
1532  is_superencrypted_layer);
1533 
1534  /* Build MAC. */
1535  build_mac(mac_key, sizeof(mac_key), salt, HS_DESC_ENCRYPTED_SALT_LEN,
1536  encrypted, encrypted_len, our_mac, sizeof(our_mac));
1537  memwipe(mac_key, 0, sizeof(mac_key));
1538  /* Verify MAC; MAC is H(mac_key || salt || encrypted)
1539  *
1540  * This is a critical check that is making sure the computed MAC matches the
1541  * one in the descriptor. */
1542  if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
1543  log_info(LD_REND, "Encrypted service descriptor MAC check failed");
1544  goto err;
1545  }
1546 
1547  {
1548  /* Decrypt. Here we are assured that the encrypted length is valid for
1549  * decryption. */
1550  crypto_cipher_t *cipher;
1551 
1552  cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
1553  HS_DESC_ENCRYPTED_BIT_SIZE);
1554  /* Extra byte for the NUL terminated byte. */
1555  decrypted = tor_malloc_zero(encrypted_len + 1);
1556  crypto_cipher_decrypt(cipher, (char *) decrypted,
1557  (const char *) encrypted, encrypted_len);
1558  crypto_cipher_free(cipher);
1559  }
1560 
1561  {
1562  /* Adjust length to remove NUL padding bytes */
1563  uint8_t *end = memchr(decrypted, 0, encrypted_len);
1564  result_len = encrypted_len;
1565  if (end) {
1566  result_len = end - decrypted;
1567  }
1568  }
1569 
1570  if (result_len == 0) {
1571  /* Treat this as an error, so that somebody will free the output. */
1572  goto err;
1573  }
1574 
1575  /* Make sure to NUL terminate the string. */
1576  decrypted[encrypted_len] = '\0';
1577  *decrypted_out = (char *) decrypted;
1578  goto done;
1579 
1580  err:
1581  if (decrypted) {
1582  tor_free(decrypted);
1583  }
1584  *decrypted_out = NULL;
1585  result_len = 0;
1586 
1587  done:
1588  memwipe(secret_data, 0, secret_data_len);
1589  memwipe(secret_key, 0, sizeof(secret_key));
1590  memwipe(secret_iv, 0, sizeof(secret_iv));
1591  tor_free(secret_data);
1592  return result_len;
1593 }
1594 
1595 /** Decrypt the superencrypted section of the descriptor using the given
1596  * descriptor object <b>desc</b>. A newly allocated NUL terminated string is
1597  * put in decrypted_out which contains the superencrypted layer of the
1598  * descriptor. Return the length of decrypted_out on success else 0 is
1599  * returned and decrypted_out is set to NULL. */
1600 static size_t
1601 desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
1602 {
1603  size_t superencrypted_len = 0;
1604  char *superencrypted_plaintext = NULL;
1605 
1606  tor_assert(desc);
1607  tor_assert(decrypted_out);
1608 
1609  superencrypted_len = decrypt_desc_layer(desc,
1610  NULL,
1611  true, &superencrypted_plaintext);
1612 
1613  if (!superencrypted_len) {
1614  log_warn(LD_REND, "Decrypting superencrypted desc failed.");
1615  goto done;
1616  }
1617  tor_assert(superencrypted_plaintext);
1618 
1619  done:
1620  /* In case of error, superencrypted_plaintext is already NULL, so the
1621  * following line makes sense. */
1622  *decrypted_out = superencrypted_plaintext;
1623  /* This makes sense too, because, in case of error, this is zero. */
1624  return superencrypted_len;
1625 }
1626 
1627 /** Decrypt the encrypted section of the descriptor using the given descriptor
1628  * object <b>desc</b>. A newly allocated NUL terminated string is put in
1629  * decrypted_out which contains the encrypted layer of the descriptor.
1630  * Return the length of decrypted_out on success else 0 is returned and
1631  * decrypted_out is set to NULL. */
1632 static size_t
1634  const curve25519_secret_key_t *client_auth_sk,
1635  char **decrypted_out)
1636 {
1637  size_t encrypted_len = 0;
1638  char *encrypted_plaintext = NULL;
1639  uint8_t *descriptor_cookie = NULL;
1640 
1641  tor_assert(desc);
1643  tor_assert(decrypted_out);
1644 
1645  /* If the client secret key is provided, try to find a valid descriptor
1646  * cookie. Otherwise, leave it NULL. */
1647  if (client_auth_sk) {
1649  hs_desc_authorized_client_t *, client) {
1650  /* If we can decrypt the descriptor cookie successfully, we will use that
1651  * descriptor cookie and break from the loop. */
1652  if (!decrypt_descriptor_cookie(desc, client, client_auth_sk,
1653  &descriptor_cookie)) {
1654  break;
1655  }
1656  } SMARTLIST_FOREACH_END(client);
1657  }
1658 
1659  encrypted_len = decrypt_desc_layer(desc,
1660  descriptor_cookie,
1661  false, &encrypted_plaintext);
1662 
1663  if (!encrypted_len) {
1664  goto err;
1665  }
1666  tor_assert(encrypted_plaintext);
1667 
1668  err:
1669  /* In case of error, encrypted_plaintext is already NULL, so the
1670  * following line makes sense. */
1671  *decrypted_out = encrypted_plaintext;
1672  if (descriptor_cookie) {
1673  memwipe(descriptor_cookie, 0, HS_DESC_DESCRIPTOR_COOKIE_LEN);
1674  }
1675  tor_free(descriptor_cookie);
1676  /* This makes sense too, because, in case of error, this is zero. */
1677  return encrypted_len;
1678 }
1679 
1680 /** Given the token tok for an intro point legacy key, the list of tokens, the
1681  * introduction point ip being decoded and the descriptor desc from which it
1682  * comes from, decode the legacy key and set the intro point object. Return 0
1683  * on success else -1 on failure. */
1684 static int
1686  smartlist_t *tokens,
1688  const hs_descriptor_t *desc)
1689 {
1690  tor_assert(tok);
1691  tor_assert(tokens);
1692  tor_assert(ip);
1693  tor_assert(desc);
1694 
1695  if (!crypto_pk_public_exponent_ok(tok->key)) {
1696  log_warn(LD_REND, "Introduction point legacy key is invalid");
1697  goto err;
1698  }
1699  ip->legacy.key = crypto_pk_dup_key(tok->key);
1700  /* Extract the legacy cross certification cert which MUST be present if we
1701  * have a legacy key. */
1702  tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY_CERT);
1703  if (!tok) {
1704  log_warn(LD_REND, "Introduction point legacy key cert is missing");
1705  goto err;
1706  }
1707  tor_assert(tok->object_body);
1708  if (strcmp(tok->object_type, "CROSSCERT")) {
1709  /* Info level because this might be an unknown field that we should
1710  * ignore. */
1711  log_info(LD_REND, "Introduction point legacy encryption key "
1712  "cross-certification has an unknown format.");
1713  goto err;
1714  }
1715  /* Keep a copy of the certificate. */
1716  ip->legacy.cert.encoded = tor_memdup(tok->object_body, tok->object_size);
1717  ip->legacy.cert.len = tok->object_size;
1718  /* The check on the expiration date is for the entire lifetime of a
1719  * certificate which is 24 hours. However, a descriptor has a maximum
1720  * lifetime of 12 hours meaning we have a 12h difference between the two
1721  * which ultimately accommodate the clock skewed client. */
1722  if (rsa_ed25519_crosscert_check(ip->legacy.cert.encoded,
1723  ip->legacy.cert.len, ip->legacy.key,
1726  log_warn(LD_REND, "Unable to check cross-certification on the "
1727  "introduction point legacy encryption key.");
1728  ip->cross_certified = 0;
1729  goto err;
1730  }
1731 
1732  /* Success. */
1733  return 0;
1734  err:
1735  return -1;
1736 }
1737 
1738 /** Dig into the descriptor <b>tokens</b> to find the onion key we should use
1739  * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
1740  * was found and well-formed, otherwise return -1 in case of errors. */
1741 static int
1743  const smartlist_t *tokens)
1744 {
1745  int retval = -1;
1746  smartlist_t *onion_keys = NULL;
1747 
1748  tor_assert(onion_key_out);
1749 
1750  onion_keys = find_all_by_keyword(tokens, R3_INTRO_ONION_KEY);
1751  if (!onion_keys) {
1752  log_warn(LD_REND, "Descriptor did not contain intro onion keys");
1753  goto err;
1754  }
1755 
1756  SMARTLIST_FOREACH_BEGIN(onion_keys, directory_token_t *, tok) {
1757  /* This field is using GE(2) so for possible forward compatibility, we
1758  * accept more fields but must be at least 2. */
1759  tor_assert(tok->n_args >= 2);
1760 
1761  /* Try to find an ntor key, it's the only recognized type right now */
1762  if (!strcmp(tok->args[0], "ntor")) {
1763  if (curve25519_public_from_base64(onion_key_out, tok->args[1]) < 0) {
1764  log_warn(LD_REND, "Introduction point ntor onion-key is invalid");
1765  goto err;
1766  }
1767  /* Got the onion key! Set the appropriate retval */
1768  retval = 0;
1769  }
1770  } SMARTLIST_FOREACH_END(tok);
1771 
1772  /* Log an error if we didn't find it :( */
1773  if (retval < 0) {
1774  log_warn(LD_REND, "Descriptor did not contain ntor onion keys");
1775  }
1776 
1777  err:
1778  smartlist_free(onion_keys);
1779  return retval;
1780 }
1781 
1782 /** Given the start of a section and the end of it, decode a single
1783  * introduction point from that section. Return a newly allocated introduction
1784  * point object containing the decoded data. Return NULL if the section can't
1785  * be decoded. */
1787 decode_introduction_point(const hs_descriptor_t *desc, const char *start)
1788 {
1789  hs_desc_intro_point_t *ip = NULL;
1790  memarea_t *area = NULL;
1791  smartlist_t *tokens = NULL;
1792  const directory_token_t *tok;
1793 
1794  tor_assert(desc);
1795  tor_assert(start);
1796 
1797  area = memarea_new();
1798  tokens = smartlist_new();
1799  if (tokenize_string(area, start, start + strlen(start),
1800  tokens, hs_desc_intro_point_v3_token_table, 0) < 0) {
1801  log_warn(LD_REND, "Introduction point is not parseable");
1802  goto err;
1803  }
1804 
1805  /* Ok we seem to have a well formed section containing enough tokens to
1806  * parse. Allocate our IP object and try to populate it. */
1807  ip = hs_desc_intro_point_new();
1808 
1809  /* "introduction-point" SP link-specifiers NL */
1810  tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
1811  tor_assert(tok->n_args == 1);
1812  /* Our constructor creates this list by default so free it. */
1813  smartlist_free(ip->link_specifiers);
1815  if (!ip->link_specifiers) {
1816  log_warn(LD_REND, "Introduction point has invalid link specifiers");
1817  goto err;
1818  }
1819 
1820  /* "onion-key" SP ntor SP key NL */
1821  if (set_intro_point_onion_key(&ip->onion_key, tokens) < 0) {
1822  goto err;
1823  }
1824 
1825  /* "auth-key" NL certificate NL */
1826  tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
1827  tor_assert(tok->object_body);
1828  if (strcmp(tok->object_type, "ED25519 CERT")) {
1829  log_warn(LD_REND, "Unexpected object type for introduction auth key");
1830  goto err;
1831  }
1832  /* Parse cert and do some validation. */
1834  tok->object_size, CERT_TYPE_AUTH_HS_IP_KEY,
1835  "introduction point auth-key") < 0) {
1836  goto err;
1837  }
1838  /* Validate authentication certificate with descriptor signing key. */
1840  &desc->plaintext_data.signing_pubkey, 0) < 0) {
1841  log_warn(LD_REND, "Invalid authentication key signature: %s",
1843  goto err;
1844  }
1845 
1846  /* Exactly one "enc-key" SP "ntor" SP key NL */
1847  tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
1848  if (!strcmp(tok->args[0], "ntor")) {
1849  /* This field is using GE(2) so for possible forward compatibility, we
1850  * accept more fields but must be at least 2. */
1851  tor_assert(tok->n_args >= 2);
1852 
1853  if (curve25519_public_from_base64(&ip->enc_key, tok->args[1]) < 0) {
1854  log_warn(LD_REND, "Introduction point ntor enc-key is invalid");
1855  goto err;
1856  }
1857  } else {
1858  /* Unknown key type so we can't use that introduction point. */
1859  log_warn(LD_REND, "Introduction point encryption key is unrecognized.");
1860  goto err;
1861  }
1862 
1863  /* Exactly once "enc-key-cert" NL certificate NL */
1864  tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
1865  tor_assert(tok->object_body);
1866  /* Do the cross certification. */
1867  if (strcmp(tok->object_type, "ED25519 CERT")) {
1868  log_warn(LD_REND, "Introduction point ntor encryption key "
1869  "cross-certification has an unknown format.");
1870  goto err;
1871  }
1873  tok->object_size, CERT_TYPE_CROSS_HS_IP_KEYS,
1874  "introduction point enc-key-cert") < 0) {
1875  goto err;
1876  }
1878  &desc->plaintext_data.signing_pubkey, 0) < 0) {
1879  log_warn(LD_REND, "Invalid encryption key signature: %s",
1881  goto err;
1882  }
1883  /* It is successfully cross certified. Flag the object. */
1884  ip->cross_certified = 1;
1885 
1886  /* Do we have a "legacy-key" SP key NL ?*/
1887  tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY);
1888  if (tok) {
1889  if (decode_intro_legacy_key(tok, tokens, ip, desc) < 0) {
1890  goto err;
1891  }
1892  }
1893 
1894  /* Introduction point has been parsed successfully. */
1895  goto done;
1896 
1897  err:
1898  hs_desc_intro_point_free(ip);
1899  ip = NULL;
1900 
1901  done:
1903  smartlist_free(tokens);
1904  if (area) {
1905  memarea_drop_all(area);
1906  }
1907 
1908  return ip;
1909 }
1910 
1911 /** Given a descriptor string at <b>data</b>, decode all possible introduction
1912  * points that we can find. Add the introduction point object to desc_enc as we
1913  * find them. This function can't fail and it is possible that zero
1914  * introduction points can be decoded. */
1915 static void
1917  hs_desc_encrypted_data_t *desc_enc,
1918  const char *data)
1919 {
1920  smartlist_t *chunked_desc = smartlist_new();
1921  smartlist_t *intro_points = smartlist_new();
1922 
1923  tor_assert(desc);
1924  tor_assert(desc_enc);
1925  tor_assert(data);
1926  tor_assert(desc_enc->intro_points);
1927 
1928  /* Take the desc string, and extract the intro point substrings out of it */
1929  {
1930  /* Split the descriptor string using the intro point header as delimiter */
1931  smartlist_split_string(chunked_desc, data, str_intro_point_start, 0, 0);
1932 
1933  /* Check if there are actually any intro points included. The first chunk
1934  * should be other descriptor fields (e.g. create2-formats), so it's not an
1935  * intro point. */
1936  if (smartlist_len(chunked_desc) < 2) {
1937  goto done;
1938  }
1939  }
1940 
1941  /* Take the intro point substrings, and prepare them for parsing */
1942  {
1943  int i = 0;
1944  /* Prepend the introduction-point header to all the chunks, since
1945  smartlist_split_string() devoured it. */
1946  SMARTLIST_FOREACH_BEGIN(chunked_desc, char *, chunk) {
1947  /* Ignore first chunk. It's other descriptor fields. */
1948  if (i++ == 0) {
1949  continue;
1950  }
1951 
1952  smartlist_add_asprintf(intro_points, "%s %s", str_intro_point, chunk);
1953  } SMARTLIST_FOREACH_END(chunk);
1954  }
1955 
1956  /* Parse the intro points! */
1957  SMARTLIST_FOREACH_BEGIN(intro_points, const char *, intro_point) {
1958  hs_desc_intro_point_t *ip = decode_introduction_point(desc, intro_point);
1959  if (!ip) {
1960  /* Malformed introduction point section. We'll ignore this introduction
1961  * point and continue parsing. New or unknown fields are possible for
1962  * forward compatibility. */
1963  continue;
1964  }
1965  smartlist_add(desc_enc->intro_points, ip);
1966  } SMARTLIST_FOREACH_END(intro_point);
1967 
1968  done:
1969  SMARTLIST_FOREACH(chunked_desc, char *, a, tor_free(a));
1970  smartlist_free(chunked_desc);
1971  SMARTLIST_FOREACH(intro_points, char *, a, tor_free(a));
1972  smartlist_free(intro_points);
1973 }
1974 
1975 /** Return 1 iff the given base64 encoded signature in b64_sig from the encoded
1976  * descriptor in encoded_desc validates the descriptor content. */
1977 STATIC int
1978 desc_sig_is_valid(const char *b64_sig,
1979  const ed25519_public_key_t *signing_pubkey,
1980  const char *encoded_desc, size_t encoded_len)
1981 {
1982  int ret = 0;
1983  ed25519_signature_t sig;
1984  const char *sig_start;
1985 
1986  tor_assert(b64_sig);
1987  tor_assert(signing_pubkey);
1988  tor_assert(encoded_desc);
1989  /* Verifying nothing won't end well :). */
1990  tor_assert(encoded_len > 0);
1991 
1992  /* Signature length check. */
1993  if (strlen(b64_sig) != ED25519_SIG_BASE64_LEN) {
1994  log_warn(LD_REND, "Service descriptor has an invalid signature length."
1995  "Exptected %d but got %lu",
1996  ED25519_SIG_BASE64_LEN, (unsigned long) strlen(b64_sig));
1997  goto err;
1998  }
1999 
2000  /* First, convert base64 blob to an ed25519 signature. */
2001  if (ed25519_signature_from_base64(&sig, b64_sig) != 0) {
2002  log_warn(LD_REND, "Service descriptor does not contain a valid "
2003  "signature");
2004  goto err;
2005  }
2006 
2007  /* Find the start of signature. */
2008  sig_start = tor_memstr(encoded_desc, encoded_len, "\n" str_signature " ");
2009  /* Getting here means the token parsing worked for the signature so if we
2010  * can't find the start of the signature, we have a code flow issue. */
2011  if (!sig_start) {
2012  log_warn(LD_GENERAL, "Malformed signature line. Rejecting.");
2013  goto err;
2014  }
2015  /* Skip newline, it has to go in the signature check. */
2016  sig_start++;
2017 
2018  /* Validate signature with the full body of the descriptor. */
2019  if (ed25519_checksig_prefixed(&sig,
2020  (const uint8_t *) encoded_desc,
2021  sig_start - encoded_desc,
2022  str_desc_sig_prefix,
2023  signing_pubkey) != 0) {
2024  log_warn(LD_REND, "Invalid signature on service descriptor");
2025  goto err;
2026  }
2027  /* Valid signature! All is good. */
2028  ret = 1;
2029 
2030  err:
2031  return ret;
2032 }
2033 
2034 /** Decode descriptor plaintext data for version 3. Given a list of tokens, an
2035  * allocated plaintext object that will be populated and the encoded
2036  * descriptor with its length. The last one is needed for signature
2037  * verification. Unknown tokens are simply ignored so this won't error on
2038  * unknowns but requires that all v3 token be present and valid.
2039  *
2040  * Return 0 on success else a negative value. */
2044  const char *encoded_desc, size_t encoded_len)
2045 {
2046  int ok;
2047  directory_token_t *tok;
2048 
2049  tor_assert(tokens);
2050  tor_assert(desc);
2051  /* Version higher could still use this function to decode most of the
2052  * descriptor and then they decode the extra part. */
2053  tor_assert(desc->version >= 3);
2054 
2055  /* Descriptor lifetime parsing. */
2056  tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
2057  tor_assert(tok->n_args == 1);
2058  desc->lifetime_sec = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2059  UINT32_MAX, &ok, NULL);
2060  if (!ok) {
2061  log_warn(LD_REND, "Service descriptor lifetime value is invalid");
2062  goto err;
2063  }
2064  /* Put it from minute to second. */
2065  desc->lifetime_sec *= 60;
2066  if (desc->lifetime_sec > HS_DESC_MAX_LIFETIME) {
2067  log_warn(LD_REND, "Service descriptor lifetime is too big. "
2068  "Got %" PRIu32 " but max is %d",
2070  goto err;
2071  }
2072 
2073  /* Descriptor signing certificate. */
2074  tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
2075  tor_assert(tok->object_body);
2076  /* Expecting a prop220 cert with the signing key extension, which contains
2077  * the blinded public key. */
2078  if (strcmp(tok->object_type, "ED25519 CERT") != 0) {
2079  log_warn(LD_REND, "Service descriptor signing cert wrong type (%s)",
2080  escaped(tok->object_type));
2081  goto err;
2082  }
2084  tok->object_size, CERT_TYPE_SIGNING_HS_DESC,
2085  "service descriptor signing key") < 0) {
2086  goto err;
2087  }
2088 
2089  /* Copy the public keys into signing_pubkey and blinded_pubkey */
2090  memcpy(&desc->signing_pubkey, &desc->signing_key_cert->signed_key,
2091  sizeof(ed25519_public_key_t));
2092  memcpy(&desc->blinded_pubkey, &desc->signing_key_cert->signing_key,
2093  sizeof(ed25519_public_key_t));
2094 
2095  /* Extract revision counter value. */
2096  tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
2097  tor_assert(tok->n_args == 1);
2098  desc->revision_counter = tor_parse_uint64(tok->args[0], 10, 0,
2099  UINT64_MAX, &ok, NULL);
2100  if (!ok) {
2101  log_warn(LD_REND, "Service descriptor revision-counter is invalid");
2102  goto err;
2103  }
2104 
2105  /* Extract the superencrypted data section. */
2106  tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
2107  tor_assert(tok->object_body);
2108  if (strcmp(tok->object_type, "MESSAGE") != 0) {
2109  log_warn(LD_REND, "Desc superencrypted data section is invalid");
2110  goto err;
2111  }
2112  /* Make sure the length of the superencrypted blob is valid. */
2114  goto err;
2115  }
2116 
2117  /* Copy the superencrypted blob to the descriptor object so we can handle it
2118  * latter if needed. */
2119  desc->superencrypted_blob = tor_memdup(tok->object_body, tok->object_size);
2121 
2122  /* Extract signature and verify it. */
2123  tok = find_by_keyword(tokens, R3_SIGNATURE);
2124  tor_assert(tok->n_args == 1);
2125  /* First arg here is the actual encoded signature. */
2126  if (!desc_sig_is_valid(tok->args[0], &desc->signing_pubkey,
2127  encoded_desc, encoded_len)) {
2128  goto err;
2129  }
2130 
2131  return HS_DESC_DECODE_OK;
2132  err:
2133  return HS_DESC_DECODE_PLAINTEXT_ERROR;
2134 }
2135 
2136 /** Decode the version 3 superencrypted section of the given descriptor desc.
2137  * The desc_superencrypted_out will be populated with the decoded data. */
2141  desc_superencrypted_out)
2142 {
2143  int ret = HS_DESC_DECODE_SUPERENC_ERROR;
2144  char *message = NULL;
2145  size_t message_len;
2146  memarea_t *area = NULL;
2147  directory_token_t *tok;
2148  smartlist_t *tokens = NULL;
2149  /* Rename the parameter because it is too long. */
2150  hs_desc_superencrypted_data_t *superencrypted = desc_superencrypted_out;
2151 
2152  tor_assert(desc);
2153  tor_assert(desc_superencrypted_out);
2154 
2155  /* Decrypt the superencrypted data that is located in the plaintext section
2156  * in the descriptor as a blob of bytes. */
2157  message_len = desc_decrypt_superencrypted(desc, &message);
2158  if (!message_len) {
2159  log_warn(LD_REND, "Service descriptor decryption failed.");
2160  goto err;
2161  }
2162  tor_assert(message);
2163 
2164  area = memarea_new();
2165  tokens = smartlist_new();
2166  if (tokenize_string(area, message, message + message_len,
2167  tokens, hs_desc_superencrypted_v3_token_table, 0) < 0) {
2168  log_warn(LD_REND, "Superencrypted service descriptor is not parseable.");
2169  goto err;
2170  }
2171 
2172  /* Verify desc auth type */
2173  tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
2174  tor_assert(tok->n_args >= 1);
2175  if (strcmp(tok->args[0], "x25519")) {
2176  log_warn(LD_DIR, "Unrecognized desc auth type");
2177  goto err;
2178  }
2179 
2180  /* Extract desc auth ephemeral key */
2181  tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
2182  tor_assert(tok->n_args >= 1);
2184  tok->args[0]) < 0) {
2185  log_warn(LD_DIR, "Bogus desc auth ephemeral key in HS desc");
2186  goto err;
2187  }
2188 
2189  /* Extract desc auth client items */
2190  if (!superencrypted->clients) {
2191  superencrypted->clients = smartlist_new();
2192  }
2193  SMARTLIST_FOREACH_BEGIN(tokens, const directory_token_t *, token) {
2194  if (token->tp == R3_DESC_AUTH_CLIENT) {
2195  tor_assert(token->n_args >= 3);
2196 
2197  hs_desc_authorized_client_t *client =
2198  tor_malloc_zero(sizeof(hs_desc_authorized_client_t));
2199 
2200  if (decode_auth_client(token, client) < 0) {
2201  log_warn(LD_REND, "Descriptor client authorization section can't "
2202  "be decoded.");
2203  tor_free(client);
2204  goto err;
2205  }
2206  smartlist_add(superencrypted->clients, client);
2207  }
2208  } SMARTLIST_FOREACH_END(token);
2209 
2210  /* Extract the encrypted data section. */
2211  tok = find_by_keyword(tokens, R3_ENCRYPTED);
2212  tor_assert(tok->object_body);
2213  if (strcmp(tok->object_type, "MESSAGE") != 0) {
2214  log_warn(LD_REND, "Desc encrypted data section is invalid");
2215  goto err;
2216  }
2217  /* Make sure the length of the encrypted blob is valid. */
2219  goto err;
2220  }
2221 
2222  /* Copy the encrypted blob to the descriptor object so we can handle it
2223  * latter if needed. */
2224  tor_assert(tok->object_size <= INT_MAX);
2225  superencrypted->encrypted_blob = tor_memdup(tok->object_body,
2226  tok->object_size);
2227  superencrypted->encrypted_blob_size = tok->object_size;
2228 
2229  ret = HS_DESC_DECODE_OK;
2230  goto done;
2231 
2232  err:
2233  tor_assert(ret < HS_DESC_DECODE_OK);
2234  hs_desc_superencrypted_data_free_contents(desc_superencrypted_out);
2235 
2236  done:
2237  if (tokens) {
2239  smartlist_free(tokens);
2240  }
2241  if (area) {
2242  memarea_drop_all(area);
2243  }
2244  if (message) {
2245  tor_free(message);
2246  }
2247  return ret;
2248 }
2249 
2250 /** Decode the version 3 encrypted section of the given descriptor desc. The
2251  * desc_encrypted_out will be populated with the decoded data. */
2254  const curve25519_secret_key_t *client_auth_sk,
2255  hs_desc_encrypted_data_t *desc_encrypted_out)
2256 {
2257  int ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2258  char *message = NULL;
2259  size_t message_len;
2260  memarea_t *area = NULL;
2261  directory_token_t *tok;
2262  smartlist_t *tokens = NULL;
2263 
2264  tor_assert(desc);
2265  tor_assert(desc_encrypted_out);
2266 
2267  /* Decrypt the encrypted data that is located in the superencrypted section
2268  * in the descriptor as a blob of bytes. */
2269  message_len = desc_decrypt_encrypted(desc, client_auth_sk, &message);
2270  if (!message_len) {
2271  /* Two possible situation here. Either we have a client authorization
2272  * configured that didn't work or we do not have any configured for this
2273  * onion address so likely the descriptor is for authorized client only,
2274  * we are not. */
2275  if (client_auth_sk) {
2276  /* At warning level so the client can notice that its client
2277  * authorization is failing. */
2278  log_warn(LD_REND, "Client authorization for requested onion address "
2279  "is invalid. Can't decrypt the descriptor.");
2280  ret = HS_DESC_DECODE_BAD_CLIENT_AUTH;
2281  } else {
2282  /* Inform at notice level that the onion address requested can't be
2283  * reached without client authorization most likely. */
2284  log_notice(LD_REND, "Fail to decrypt descriptor for requested onion "
2285  "address. It is likely requiring client "
2286  "authorization.");
2287  ret = HS_DESC_DECODE_NEED_CLIENT_AUTH;
2288  }
2289  goto err;
2290  }
2291  tor_assert(message);
2292 
2293  area = memarea_new();
2294  tokens = smartlist_new();
2295  if (tokenize_string(area, message, message + message_len,
2296  tokens, hs_desc_encrypted_v3_token_table, 0) < 0) {
2297  log_warn(LD_REND, "Encrypted service descriptor is not parseable.");
2298  goto err;
2299  }
2300 
2301  /* CREATE2 supported cell format. It's mandatory. */
2302  tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
2303  tor_assert(tok);
2304  decode_create2_list(desc_encrypted_out, tok->args[0]);
2305  /* Must support ntor according to the specification */
2306  if (!desc_encrypted_out->create2_ntor) {
2307  log_warn(LD_REND, "Service create2-formats does not include ntor.");
2308  goto err;
2309  }
2310 
2311  /* Authentication type. It's optional but only once. */
2312  tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
2313  if (tok) {
2314  if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
2315  log_warn(LD_REND, "Service descriptor authentication type has "
2316  "invalid entry(ies).");
2317  goto err;
2318  }
2319  }
2320 
2321  /* Is this service a single onion service? */
2322  tok = find_opt_by_keyword(tokens, R3_SINGLE_ONION_SERVICE);
2323  if (tok) {
2324  desc_encrypted_out->single_onion_service = 1;
2325  }
2326 
2327  /* Initialize the descriptor's introduction point list before we start
2328  * decoding. Having 0 intro point is valid. Then decode them all. */
2329  desc_encrypted_out->intro_points = smartlist_new();
2330  decode_intro_points(desc, desc_encrypted_out, message);
2331 
2332  /* Validation of maximum introduction points allowed. */
2333  if (smartlist_len(desc_encrypted_out->intro_points) >
2334  HS_CONFIG_V3_MAX_INTRO_POINTS) {
2335  log_warn(LD_REND, "Service descriptor contains too many introduction "
2336  "points. Maximum allowed is %d but we have %d",
2337  HS_CONFIG_V3_MAX_INTRO_POINTS,
2338  smartlist_len(desc_encrypted_out->intro_points));
2339  goto err;
2340  }
2341 
2342  /* NOTE: Unknown fields are allowed because this function could be used to
2343  * decode other descriptor version. */
2344 
2345  ret = HS_DESC_DECODE_OK;
2346  goto done;
2347 
2348  err:
2349  tor_assert(ret < HS_DESC_DECODE_OK);
2350  hs_desc_encrypted_data_free_contents(desc_encrypted_out);
2351 
2352  done:
2353  if (tokens) {
2355  smartlist_free(tokens);
2356  }
2357  if (area) {
2358  memarea_drop_all(area);
2359  }
2360  if (message) {
2361  tor_free(message);
2362  }
2363  return ret;
2364 }
2365 
2366 /** Table of encrypted decode function version specific. The function are
2367  * indexed by the version number so v3 callback is at index 3 in the array. */
2370  const hs_descriptor_t *desc,
2371  const curve25519_secret_key_t *client_auth_sk,
2372  hs_desc_encrypted_data_t *desc_encrypted) =
2373 {
2374  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2376 };
2377 
2378 /** Decode the encrypted data section of the given descriptor and store the
2379  * data in the given encrypted data object. Return 0 on success else a
2380  * negative value on error. */
2383  const curve25519_secret_key_t *client_auth_sk,
2384  hs_desc_encrypted_data_t *desc_encrypted)
2385 {
2386  int ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2387  uint32_t version;
2388 
2389  tor_assert(desc);
2390  /* Ease our life a bit. */
2391  version = desc->plaintext_data.version;
2392  tor_assert(desc_encrypted);
2393  /* Calling this function without an encrypted blob to parse is a code flow
2394  * error. The superencrypted parsing should never succeed in the first place
2395  * without an encrypted section. */
2397  /* Let's make sure we have a supported version as well. By correctly parsing
2398  * the plaintext, this should not fail. */
2399  if (BUG(!hs_desc_is_supported_version(version))) {
2400  goto err;
2401  }
2402  /* Extra precaution. Having no handler for the supported version should
2403  * never happened else we forgot to add it but we bumped the version. */
2406 
2407  /* Run the version specific plaintext decoder. */
2408  ret = decode_encrypted_handlers[version](desc, client_auth_sk,
2409  desc_encrypted);
2410  if (ret < 0) {
2411  goto err;
2412  }
2413 
2414  err:
2415  return ret;
2416 }
2417 
2418 /** Table of superencrypted decode function version specific. The function are
2419  * indexed by the version number so v3 callback is at index 3 in the array. */
2422  const hs_descriptor_t *desc,
2423  hs_desc_superencrypted_data_t *desc_superencrypted) =
2424 {
2425  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2427 };
2428 
2429 /** Decode the superencrypted data section of the given descriptor and store
2430  * the data in the given superencrypted data object. */
2434  desc_superencrypted)
2435 {
2436  int ret = HS_DESC_DECODE_SUPERENC_ERROR;
2437  uint32_t version;
2438 
2439  tor_assert(desc);
2440  /* Ease our life a bit. */
2441  version = desc->plaintext_data.version;
2442  tor_assert(desc_superencrypted);
2443  /* Calling this function without an superencrypted blob to parse is
2444  * a code flow error. The plaintext parsing should never succeed in
2445  * the first place without an superencrypted section. */
2447  /* Let's make sure we have a supported version as well. By correctly parsing
2448  * the plaintext, this should not fail. */
2449  if (BUG(!hs_desc_is_supported_version(version))) {
2450  goto err;
2451  }
2452  /* Extra precaution. Having no handler for the supported version should
2453  * never happened else we forgot to add it but we bumped the version. */
2456 
2457  /* Run the version specific plaintext decoder. */
2458  ret = decode_superencrypted_handlers[version](desc, desc_superencrypted);
2459  if (ret < 0) {
2460  goto err;
2461  }
2462 
2463  err:
2464  return ret;
2465 }
2466 
2467 /** Table of plaintext decode function version specific. The function are
2468  * indexed by the version number so v3 callback is at index 3 in the array. */
2471  smartlist_t *tokens,
2473  const char *encoded_desc,
2474  size_t encoded_len) =
2475 {
2476  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2478 };
2479 
2480 /** Fully decode the given descriptor plaintext and store the data in the
2481  * plaintext data object. */
2483 hs_desc_decode_plaintext(const char *encoded,
2484  hs_desc_plaintext_data_t *plaintext)
2485 {
2486  int ok = 0, ret = HS_DESC_DECODE_PLAINTEXT_ERROR;
2487  memarea_t *area = NULL;
2488  smartlist_t *tokens = NULL;
2489  size_t encoded_len;
2490  directory_token_t *tok;
2491 
2492  tor_assert(encoded);
2493  tor_assert(plaintext);
2494 
2495  /* Check that descriptor is within size limits. */
2496  encoded_len = strlen(encoded);
2497  if (encoded_len >= hs_cache_get_max_descriptor_size()) {
2498  log_warn(LD_REND, "Service descriptor is too big (%lu bytes)",
2499  (unsigned long) encoded_len);
2500  goto err;
2501  }
2502 
2503  area = memarea_new();
2504  tokens = smartlist_new();
2505  /* Tokenize the descriptor so we can start to parse it. */
2506  if (tokenize_string(area, encoded, encoded + encoded_len, tokens,
2507  hs_desc_v3_token_table, 0) < 0) {
2508  log_warn(LD_REND, "Service descriptor is not parseable");
2509  goto err;
2510  }
2511 
2512  /* Get the version of the descriptor which is the first mandatory field of
2513  * the descriptor. From there, we'll decode the right descriptor version. */
2514  tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
2515  tor_assert(tok->n_args == 1);
2516  plaintext->version = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2517  UINT32_MAX, &ok, NULL);
2518  if (!ok) {
2519  log_warn(LD_REND, "Service descriptor has unparseable version %s",
2520  escaped(tok->args[0]));
2521  goto err;
2522  }
2523  if (!hs_desc_is_supported_version(plaintext->version)) {
2524  log_warn(LD_REND, "Service descriptor has unsupported version %" PRIu32,
2525  plaintext->version);
2526  goto err;
2527  }
2528  /* Extra precaution. Having no handler for the supported version should
2529  * never happened else we forgot to add it but we bumped the version. */
2532 
2533  /* Run the version specific plaintext decoder. */
2534  ret = decode_plaintext_handlers[plaintext->version](tokens, plaintext,
2535  encoded, encoded_len);
2536  if (ret != HS_DESC_DECODE_OK) {
2537  goto err;
2538  }
2539  /* Success. Descriptor has been populated with the data. */
2540  ret = HS_DESC_DECODE_OK;
2541 
2542  err:
2543  if (tokens) {
2545  smartlist_free(tokens);
2546  }
2547  if (area) {
2548  memarea_drop_all(area);
2549  }
2550  return ret;
2551 }
2552 
2553 /** Fully decode an encoded descriptor and set a newly allocated descriptor
2554  * object in desc_out. Client secret key is used to decrypt the "encrypted"
2555  * section if not NULL else it's ignored.
2556  *
2557  * Return 0 on success. A negative value is returned on error and desc_out is
2558  * set to NULL. */
2560 hs_desc_decode_descriptor(const char *encoded,
2561  const uint8_t *subcredential,
2562  const curve25519_secret_key_t *client_auth_sk,
2563  hs_descriptor_t **desc_out)
2564 {
2565  hs_desc_decode_status_t ret = HS_DESC_DECODE_GENERIC_ERROR;
2566  hs_descriptor_t *desc;
2567 
2568  tor_assert(encoded);
2569 
2570  desc = tor_malloc_zero(sizeof(hs_descriptor_t));
2571 
2572  /* Subcredentials are not optional. */
2573  if (BUG(!subcredential ||
2574  fast_mem_is_zero((char*)subcredential, DIGEST256_LEN))) {
2575  log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!");
2576  goto err;
2577  }
2578 
2579  memcpy(desc->subcredential, subcredential, sizeof(desc->subcredential));
2580 
2581  ret = hs_desc_decode_plaintext(encoded, &desc->plaintext_data);
2582  if (ret != HS_DESC_DECODE_OK) {
2583  goto err;
2584  }
2585 
2587  if (ret != HS_DESC_DECODE_OK) {
2588  goto err;
2589  }
2590 
2591  ret = hs_desc_decode_encrypted(desc, client_auth_sk, &desc->encrypted_data);
2592  if (ret != HS_DESC_DECODE_OK) {
2593  goto err;
2594  }
2595 
2596  if (desc_out) {
2597  *desc_out = desc;
2598  } else {
2599  hs_descriptor_free(desc);
2600  }
2601  return ret;
2602 
2603  err:
2604  hs_descriptor_free(desc);
2605  if (desc_out) {
2606  *desc_out = NULL;
2607  }
2608 
2609  tor_assert(ret < 0);
2610  return ret;
2611 }
2612 
2613 /** Table of encode function version specific. The functions are indexed by the
2614  * version number so v3 callback is at index 3 in the array. */
2615 static int
2617  const hs_descriptor_t *desc,
2618  const ed25519_keypair_t *signing_kp,
2619  const uint8_t *descriptor_cookie,
2620  char **encoded_out) =
2621 {
2622  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2624 };
2625 
2626 /** Encode the given descriptor desc including signing with the given key pair
2627  * signing_kp and encrypting with the given descriptor cookie.
2628  *
2629  * If the client authorization is enabled, descriptor_cookie must be the same
2630  * as the one used to build hs_desc_authorized_client_t in the descriptor.
2631  * Otherwise, it must be NULL. On success, encoded_out points to a newly
2632  * allocated NUL terminated string that contains the encoded descriptor as
2633  * a string.
2634  *
2635  * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
2636  * returned and encoded_out is set to NULL. */
2637 MOCK_IMPL(int,
2639  const ed25519_keypair_t *signing_kp,
2640  const uint8_t *descriptor_cookie,
2641  char **encoded_out))
2642 {
2643  int ret = -1;
2644  uint32_t version;
2645 
2646  tor_assert(desc);
2647  tor_assert(encoded_out);
2648 
2649  /* Make sure we support the version of the descriptor format. */
2650  version = desc->plaintext_data.version;
2651  if (!hs_desc_is_supported_version(version)) {
2652  goto err;
2653  }
2654  /* Extra precaution. Having no handler for the supported version should
2655  * never happened else we forgot to add it but we bumped the version. */
2657  tor_assert(encode_handlers[version]);
2658 
2659  ret = encode_handlers[version](desc, signing_kp,
2660  descriptor_cookie, encoded_out);
2661  if (ret < 0) {
2662  goto err;
2663  }
2664 
2665  /* Try to decode what we just encoded. Symmetry is nice!, but it is
2666  * symmetric only if the client auth is disabled. That is, the descriptor
2667  * cookie will be NULL. */
2668  if (!descriptor_cookie) {
2669  ret = hs_desc_decode_descriptor(*encoded_out, desc->subcredential,
2670  NULL, NULL);
2671  if (BUG(ret != HS_DESC_DECODE_OK)) {
2672  ret = -1;
2673  goto err;
2674  }
2675  }
2676 
2677  return 0;
2678 
2679  err:
2680  *encoded_out = NULL;
2681  return ret;
2682 }
2683 
2684 /** Free the content of the plaintext section of a descriptor. */
2685 void
2687 {
2688  if (!desc) {
2689  return;
2690  }
2691 
2692  if (desc->superencrypted_blob) {
2694  }
2695  tor_cert_free(desc->signing_key_cert);
2696 
2697  memwipe(desc, 0, sizeof(*desc));
2698 }
2699 
2700 /** Free the content of the superencrypted section of a descriptor. */
2701 void
2703 {
2704  if (!desc) {
2705  return;
2706  }
2707 
2708  if (desc->encrypted_blob) {
2709  tor_free(desc->encrypted_blob);
2710  }
2711  if (desc->clients) {
2713  hs_desc_authorized_client_free(client));
2714  smartlist_free(desc->clients);
2715  }
2716 
2717  memwipe(desc, 0, sizeof(*desc));
2718 }
2719 
2720 /** Free the content of the encrypted section of a descriptor. */
2721 void
2723 {
2724  if (!desc) {
2725  return;
2726  }
2727 
2728  if (desc->intro_auth_types) {
2729  SMARTLIST_FOREACH(desc->intro_auth_types, char *, a, tor_free(a));
2730  smartlist_free(desc->intro_auth_types);
2731  }
2732  if (desc->intro_points) {
2734  hs_desc_intro_point_free(ip));
2735  smartlist_free(desc->intro_points);
2736  }
2737  memwipe(desc, 0, sizeof(*desc));
2738 }
2739 
2740 /** Free the descriptor plaintext data object. */
2741 void
2743 {
2745  tor_free(desc);
2746 }
2747 
2748 /** Free the descriptor plaintext data object. */
2749 void
2751 {
2753  tor_free(desc);
2754 }
2755 
2756 /** Free the descriptor encrypted data object. */
2757 void
2759 {
2761  tor_free(desc);
2762 }
2763 
2764 /** Free the given descriptor object. */
2765 void
2767 {
2768  if (!desc) {
2769  return;
2770  }
2771 
2775  tor_free(desc);
2776 }
2777 
2778 /** Return the size in bytes of the given plaintext data object. A sizeof() is
2779  * not enough because the object contains pointers and the encrypted blob.
2780  * This is particularly useful for our OOM subsystem that tracks the HSDir
2781  * cache size for instance. */
2782 size_t
2784 {
2785  tor_assert(data);
2786  return (sizeof(*data) + sizeof(*data->signing_key_cert) +
2787  data->superencrypted_blob_size);
2788 }
2789 
2790 /** Return the size in bytes of the given encrypted data object. Used by OOM
2791  * subsystem. */
2792 static size_t
2794 {
2795  tor_assert(data);
2796  size_t intro_size = 0;
2797  if (data->intro_auth_types) {
2798  intro_size +=
2799  smartlist_len(data->intro_auth_types) * sizeof(intro_auth_types);
2800  }
2801  if (data->intro_points) {
2802  /* XXX could follow pointers here and get more accurate size */
2803  intro_size +=
2804  smartlist_len(data->intro_points) * sizeof(hs_desc_intro_point_t);
2805  }
2806 
2807  return sizeof(*data) + intro_size;
2808 }
2809 
2810 /** Return the size in bytes of the given descriptor object. Used by OOM
2811  * subsystem. */
2812  size_t
2814 {
2815  if (data == NULL) {
2816  return 0;
2817  }
2818  return (hs_desc_plaintext_obj_size(&data->plaintext_data) +
2820  sizeof(data->subcredential));
2821 }
2822 
2823 /** Return a newly allocated descriptor intro point. */
2826 {
2827  hs_desc_intro_point_t *ip = tor_malloc_zero(sizeof(*ip));
2829  return ip;
2830 }
2831 
2832 /** Free a descriptor intro point object. */
2833 void
2835 {
2836  if (ip == NULL) {
2837  return;
2838  }
2839  if (ip->link_specifiers) {
2840  SMARTLIST_FOREACH(ip->link_specifiers, link_specifier_t *,
2841  ls, link_specifier_free(ls));
2842  smartlist_free(ip->link_specifiers);
2843  }
2844  tor_cert_free(ip->auth_key_cert);
2845  tor_cert_free(ip->enc_key_cert);
2846  crypto_pk_free(ip->legacy.key);
2847  tor_free(ip->legacy.cert.encoded);
2848  tor_free(ip);
2849 }
2850 
2851 /** Allocate and build a new fake client info for the descriptor. Return a
2852  * newly allocated object. This can't fail. */
2855 {
2856  hs_desc_authorized_client_t *client_auth =
2857  tor_malloc_zero(sizeof(*client_auth));
2858 
2859  crypto_rand((char *) client_auth->client_id,
2860  sizeof(client_auth->client_id));
2861  crypto_rand((char *) client_auth->iv,
2862  sizeof(client_auth->iv));
2863  crypto_rand((char *) client_auth->encrypted_cookie,
2864  sizeof(client_auth->encrypted_cookie));
2865 
2866  return client_auth;
2867 }
2868 
2869 /** Using the service's subcredential, client public key, auth ephemeral secret
2870  * key, and descriptor cookie, build the auth client so we can then encode the
2871  * descriptor for publication. client_out must be already allocated. */
2872 void
2873 hs_desc_build_authorized_client(const uint8_t *subcredential,
2874  const curve25519_public_key_t *client_auth_pk,
2875  const curve25519_secret_key_t *
2876  auth_ephemeral_sk,
2877  const uint8_t *descriptor_cookie,
2878  hs_desc_authorized_client_t *client_out)
2879 {
2880  uint8_t *keystream = NULL;
2881  size_t keystream_length = 0;
2882  const uint8_t *cookie_key;
2883  crypto_cipher_t *cipher;
2884 
2885  tor_assert(client_auth_pk);
2886  tor_assert(auth_ephemeral_sk);
2887  tor_assert(descriptor_cookie);
2888  tor_assert(client_out);
2889  tor_assert(subcredential);
2890  tor_assert(!fast_mem_is_zero((char *) auth_ephemeral_sk,
2891  sizeof(*auth_ephemeral_sk)));
2892  tor_assert(!fast_mem_is_zero((char *) client_auth_pk,
2893  sizeof(*client_auth_pk)));
2894  tor_assert(!fast_mem_is_zero((char *) descriptor_cookie,
2895  HS_DESC_DESCRIPTOR_COOKIE_LEN));
2896  tor_assert(!fast_mem_is_zero((char *) subcredential,
2897  DIGEST256_LEN));
2898 
2899  /* Get the KEYS part so we can derive the CLIENT-ID and COOKIE-KEY. */
2900  keystream_length =
2902  auth_ephemeral_sk, client_auth_pk,
2903  &keystream);
2904  tor_assert(keystream_length > 0);
2905 
2906  /* Extract the CLIENT-ID and COOKIE-KEY from the KEYS. */
2907  memcpy(client_out->client_id, keystream, HS_DESC_CLIENT_ID_LEN);
2908  cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
2909 
2910  /* Random IV */
2911  crypto_strongest_rand(client_out->iv, sizeof(client_out->iv));
2912 
2913  /* This creates a cipher for AES. It can't fail. */
2914  cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client_out->iv,
2915  HS_DESC_COOKIE_KEY_BIT_SIZE);
2916  /* This can't fail. */
2917  crypto_cipher_encrypt(cipher, (char *) client_out->encrypted_cookie,
2918  (const char *) descriptor_cookie,
2919  HS_DESC_DESCRIPTOR_COOKIE_LEN);
2920 
2921  memwipe(keystream, 0, keystream_length);
2922  tor_free(keystream);
2923 
2924  crypto_cipher_free(cipher);
2925 }
2926 
2927 /** Free an authoriezd client object. */
2928 void
2930 {
2931  tor_free(client);
2932 }
2933 
2934 /** From the given descriptor, remove and free every introduction point. */
2935 void
2937 {
2938  smartlist_t *ips;
2939 
2940  tor_assert(desc);
2941 
2942  ips = desc->encrypted_data.intro_points;
2943  if (ips) {
2945  ip, hs_desc_intro_point_free(ip));
2946  smartlist_clear(ips);
2947  }
2948 }
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
static char * get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc, const char *layer2_b64_ciphertext)
static int(* encode_handlers[])(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static void build_secret_key_iv_mac(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_len, uint8_t *iv_out, size_t iv_len, uint8_t *mac_out, size_t mac_len, int is_superencrypted_layer)
static int decrypt_descriptor_cookie(const hs_descriptor_t *desc, const hs_desc_authorized_client_t *client, const curve25519_secret_key_t *client_auth_sk, uint8_t **descriptor_cookie_out)
unsigned int hs_cache_get_max_descriptor_size(void)
Definition: hs_cache.c:1071
uint8_t client_id[HS_DESC_CLIENT_ID_LEN]
#define crypto_xof_free(xof)
void crypto_rand(char *to, size_t n)
Definition: crypto_rand.c:477
Header file containing configuration ABI/API for the HS subsytem.
smartlist_t * find_all_by_keyword(const smartlist_t *s, directory_keyword k)
Definition: parsecommon.c:461
Common functions for using (pseudo-)random number generators.
static char * get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
unsigned signing_key_included
Definition: torcert.h:45
#define END_OF_TABLE
Definition: parsecommon.h:244
static int hs_desc_is_supported_version(uint32_t version)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
static token_rule_t hs_desc_v3_token_table[]
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
uint64_t tor_parse_uint64(const char *s, int base, uint64_t min, uint64_t max, int *ok, char **next)
Definition: parse_int.c:110
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
ed25519_public_key_t signed_key
Definition: torcert.h:30
int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now)
Definition: torcert.c:244
hs_desc_superencrypted_data_t superencrypted_data
hs_desc_authorized_client_t * hs_desc_build_fake_authorized_client(void)
static token_rule_t hs_desc_encrypted_v3_token_table[]
#define HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE
Definition: hs_descriptor.h:46
static size_t build_descriptor_cookie_keys(const uint8_t *subcredential, size_t subcredential_len, const curve25519_secret_key_t *sk, const curve25519_public_key_t *pk, uint8_t **keys_out)
hs_desc_encrypted_data_t encrypted_data
#define LD_GENERAL
Definition: log.h:62
static int desc_encode_v3(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
Definition: parse_int.c:78
int curve25519_public_from_base64(curve25519_public_key_t *pkey, const char *input)
int ed25519_sign_prefixed(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair)
static hs_desc_decode_status_t desc_decode_plaintext_v3(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
void hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client)
ed25519_public_key_t signing_pubkey
void hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Definition: crypto_cipher.c:88
void curve25519_public_to_base64(char *output, const curve25519_public_key_t *pkey)
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
struct hs_desc_intro_point_t::@16 legacy
uint8_t subcredential[DIGEST256_LEN]
void smartlist_add(smartlist_t *sl, void *element)
static token_rule_t hs_desc_intro_point_v3_token_table[]
size_t base64_encode_size(size_t srclen, int flags)
Definition: binascii.c:166
#define memarea_drop_all(area)
Definition: memarea.h:22
void hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
int crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest, size_t *len)
Definition: crypto_rsa.c:466
unsigned int single_onion_service
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
uint8_t cert_type
Definition: torcert.h:43
int fast_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:74
#define tor_assert(expr)
Definition: util_bug.h:102
static size_t build_secret_input(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, uint8_t **secret_input_out)
STATIC size_t build_plaintext_padding(const char *plaintext, size_t plaintext_len, uint8_t **padded_out)
smartlist_t * intro_auth_types
tor_cert_t * enc_key_cert
hs_desc_decode_status_t hs_desc_decode_plaintext(const char *encoded, hs_desc_plaintext_data_t *plaintext)
#define HS_DESC_CERT_LIFETIME
Definition: hs_descriptor.h:37
hs_desc_decode_status_t hs_desc_decode_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
hs_desc_decode_status_t hs_desc_decode_descriptor(const char *encoded, const uint8_t *subcredential, const curve25519_secret_key_t *client_auth_sk, hs_descriptor_t **desc_out)
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
#define tor_free(p)
Definition: malloc.h:52
#define ED25519_PUBKEY_LEN
Definition: x25519_sizes.h:27
static char * encode_enc_key(const hs_desc_intro_point_t *ip)
#define T1_START(s, t, a, o)
Definition: parsecommon.h:252
unsigned int cross_certified
#define T1N(s, t, a, o)
Definition: parsecommon.h:256
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
#define HS_DESC_MAX_LIFETIME
Definition: hs_descriptor.h:31
smartlist_t * smartlist_new(void)
static const struct @15 intro_auth_types[]
ed25519_public_key_t blinded_pubkey
int hs_desc_encode_descriptor(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
size_t hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
void hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
memarea_t * memarea_new(void)
Definition: memarea.c:153
void ed25519_signature_to_base64(char *output, const ed25519_signature_t *sig)
#define STATIC
Definition: testsupport.h:32
#define tor_memneq(a, b, sz)
Definition: di_ops.h:21
static char * encode_intro_point(const ed25519_public_key_t *sig_key, const hs_desc_intro_point_t *ip)
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
Definition: binascii.c:215
static char * get_auth_client_str(const hs_desc_authorized_client_t *client)
static size_t compute_padded_plaintext_length(size_t plaintext_len)
#define CIPHER_IV_LEN
Definition: crypto_cipher.h:24
#define DIGEST256_LEN
Definition: digest_sizes.h:23
uint8_t encrypted_cookie[HS_DESC_ENCRYPED_COOKIE_LEN]
static int decode_intro_legacy_key(const directory_token_t *tok, smartlist_t *tokens, hs_desc_intro_point_t *ip, const hs_descriptor_t *desc)
hs_desc_intro_point_t * hs_desc_intro_point_new(void)
hs_desc_plaintext_data_t plaintext_data
#define NO_ARGS
Definition: parsecommon.h:265
Common functions for cryptographic routines.
static void build_kdf_key(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_out_len, int is_superencrypted_layer)
static char * encrypt_desc_data_and_base64(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *encoded_str, int is_superencrypted_layer)
static int decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
STATIC size_t decrypt_desc_layer(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, bool is_superencrypted_layer, char **decrypted_out)
tor_cert_t * tor_cert_parse(const uint8_t *encoded, const size_t len)
Definition: torcert.c:159
Header for crypto_format.c.
STATIC smartlist_t * decode_link_specifiers(const char *encoded)
int tor_memeq(const void *a, const void *b, size_t sz)
Definition: di_ops.c:107
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
static char * encode_legacy_key(const hs_desc_intro_point_t *ip)
curve25519_public_key_t onion_key
#define HS_DESC_AUTH_CLIENT_MULTIPLE
Definition: hs_descriptor.h:65
static void set_uint64(void *cp, uint64_t v)
Definition: bytes.h:96
uint8_t iv[CIPHER_IV_LEN]
#define SIZE_T_CEILING
Definition: torint.h:126
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
Definition: smartlist.c:36
Header file for rendcache.c.
tor_cert_t * signing_key_cert
#define GE(n)
Definition: parsecommon.h:269
Master header file for Tor-specific functionality.
static size_t desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
#define HS_DESC_ENCRYPTED_KEY_LEN
Definition: hs_descriptor.h:53
Header file for circuitbuild.c.
void hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc)
static hs_desc_decode_status_t(* decode_encrypted_handlers[])(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
struct hs_desc_intro_point_t::@16::@17 cert
#define ARGS
Definition: parsecommon.h:263
Header for memarea.c.
#define EQ(n)
Definition: parsecommon.h:271
STATIC hs_desc_intro_point_t * decode_introduction_point(const hs_descriptor_t *desc, const char *start)
static char * encode_onion_key(const hs_desc_intro_point_t *ip)
static token_rule_t hs_desc_superencrypted_v3_token_table[]
static void build_mac(const uint8_t *mac_key, size_t mac_key_len, const uint8_t *salt, size_t salt_len, const uint8_t *encrypted, size_t encrypted_len, uint8_t *mac_out, size_t mac_len)
hs_desc_decode_status_t hs_desc_decode_superencrypted(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Header file for hs_descriptor.c.
Extend-info structure.
hs_desc_auth_type_t
Definition: hs_descriptor.h:68
static hs_desc_decode_status_t desc_decode_superencrypted_v3(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted_out)
#define CONCAT_ARGS
Definition: parsecommon.h:267
static uint64_t tor_htonll(uint64_t a)
Definition: bytes.h:184
#define crypto_digest_free(d)
#define LD_REND
Definition: log.h:84
crypto_pk_t * crypto_pk_dup_key(crypto_pk_t *orig)
directory_token_t * find_opt_by_keyword(const smartlist_t *s, directory_keyword keyword)
Definition: parsecommon.c:450
STATIC int desc_sig_is_valid(const char *b64_sig, const ed25519_public_key_t *signing_pubkey, const char *encoded_desc, size_t encoded_len)
static void decode_intro_points(const hs_descriptor_t *desc, hs_desc_encrypted_data_t *desc_enc, const char *data)
static int set_intro_point_onion_key(curve25519_public_key_t *onion_key_out, const smartlist_t *tokens)
static hs_desc_decode_status_t desc_decode_encrypted_v3(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted_out)
static size_t encrypt_descriptor_data(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *plaintext, char **encrypted_out, int is_superencrypted_layer)
const char * tor_cert_describe_signature_status(const tor_cert_t *cert)
Definition: torcert.c:279
curve25519_public_key_t enc_key
ed25519_public_key_t signing_key
Definition: torcert.h:33
int crypto_pk_public_exponent_ok(const crypto_pk_t *env)
#define CURVE25519_OUTPUT_LEN
Definition: x25519_sizes.h:24
static hs_desc_decode_status_t(* decode_plaintext_handlers[])(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
#define T1_END(s, t, a, o)
Definition: parsecommon.h:254
#define LD_DIR
Definition: log.h:88
Header file for parsecommon.c.
static int cert_parse_and_validate(tor_cert_t **cert_out, const char *data, size_t data_len, unsigned int cert_type_wanted, const char *err_msg)
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
Definition: smartlist.c:279
int base64_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:396
#define SMARTLIST_FOREACH(sl, type, var, cmd)
const char * escaped(const char *s)
Definition: escape.c:126
link_specifier_t * link_specifier_dup(const link_specifier_t *src)
Definition: hs_common.c:1848
void hs_descriptor_free_(hs_descriptor_t *desc)
size_t hs_desc_obj_size(const hs_descriptor_t *data)
static size_t hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
static char * get_all_auth_client_lines(const hs_descriptor_t *desc)
static int encode_superencrypted_data(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, char **encrypted_blob_out)
static size_t build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext, size_t plaintext_len, uint8_t **encrypted_out, int is_superencrypted_layer)
#define ARRAY_LENGTH(x)
static hs_desc_decode_status_t(* decode_superencrypted_handlers[])(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
smartlist_t * link_specifiers
static void decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
void crypto_strongest_rand(uint8_t *out, size_t out_len)
Definition: crypto_rand.c:340
STATIC int cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
smartlist_t * intro_points
time_t approx_time(void)
Definition: approx_time.c:32
STATIC int encrypted_data_length_is_valid(size_t len)
#define T1(s, t, a, o)
Definition: parsecommon.h:250
curve25519_public_key_t auth_ephemeral_pubkey
static size_t build_secret_data(const ed25519_public_key_t *blinded_pubkey, const uint8_t *descriptor_cookie, uint8_t **secret_data_out)
Header for torcert.c.
void token_clear(directory_token_t *tok)
Definition: parsecommon.c:41
Header file for hs_cache.c.
crypto_cipher_t * crypto_cipher_new_with_iv_and_bits(const uint8_t *key, const uint8_t *iv, int bits)
Definition: crypto_cipher.c:29
struct crypto_pk_t * key
Definition: parsecommon.h:210
#define HS_DESC_CLIENT_ID_LEN
Definition: hs_descriptor.h:57
int rsa_ed25519_crosscert_check(const uint8_t *crosscert, const size_t crosscert_len, const crypto_pk_t *rsa_id_key, const ed25519_public_key_t *master_key, const time_t reject_if_expired_before)
Definition: torcert.c:395
void hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
static int decode_auth_client(const directory_token_t *tok, hs_desc_authorized_client_t *client)
static size_t desc_decrypt_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, char **decrypted_out)
int ed25519_signature_from_base64(ed25519_signature_t *sig, const char *input)
#define ED25519_SIG_BASE64_LEN
Definition: x25519_sizes.h:42
#define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN
Definition: hs_descriptor.h:42
STATIC char * encode_link_specifiers(const smartlist_t *specs)
crypto_xof_t * crypto_xof_new(void)
void smartlist_clear(smartlist_t *sl)
int tokenize_string(memarea_t *area, const char *start, const char *end, smartlist_t *out, const token_rule_t *table, int flags)
Definition: parsecommon.c:53
#define T01(s, t, a, o)
Definition: parsecommon.h:258
hs_desc_decode_status_t
Definition: hs_descriptor.h:73
void hs_desc_build_authorized_client(const uint8_t *subcredential, const curve25519_public_key_t *client_auth_pk, const curve25519_secret_key_t *auth_ephemeral_sk, const uint8_t *descriptor_cookie, hs_desc_authorized_client_t *client_out)
#define HS_DESC_ENCRYPTED_SALT_LEN
Definition: hs_descriptor.h:39
#define LD_BUG
Definition: log.h:86
#define CURVE25519_PUBKEY_LEN
Definition: x25519_sizes.h:20
tor_cert_t * auth_key_cert
#define CURVE25519_BASE64_PADDED_LEN
Definition: x25519_sizes.h:37
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
void hs_desc_superencrypted_data_free_contents(hs_desc_superencrypted_data_t *desc)
void hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
void hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)