tor  0.4.1.0-alpha-dev
hs_descriptor.c
Go to the documentation of this file.
1 /* Copyright (c) 2016-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
55 /* For unit tests.*/
56 #define HS_DESCRIPTOR_PRIVATE
57 
58 #include "core/or/or.h"
59 #include "trunnel/ed25519_cert.h" /* Trunnel interface. */
61 #include "core/or/circuitbuild.h"
65 #include "feature/rend/rendcache.h"
66 #include "feature/hs/hs_cache.h"
67 #include "feature/hs/hs_config.h"
68 #include "feature/nodelist/torcert.h" /* tor_cert_encode_ed22519() */
69 #include "lib/memarea/memarea.h"
71 
72 #include "core/or/extend_info_st.h"
73 
74 /* Constant string value used for the descriptor format. */
75 #define str_hs_desc "hs-descriptor"
76 #define str_desc_cert "descriptor-signing-key-cert"
77 #define str_rev_counter "revision-counter"
78 #define str_superencrypted "superencrypted"
79 #define str_encrypted "encrypted"
80 #define str_signature "signature"
81 #define str_lifetime "descriptor-lifetime"
82 /* Constant string value for the encrypted part of the descriptor. */
83 #define str_create2_formats "create2-formats"
84 #define str_intro_auth_required "intro-auth-required"
85 #define str_single_onion "single-onion-service"
86 #define str_intro_point "introduction-point"
87 #define str_ip_onion_key "onion-key"
88 #define str_ip_auth_key "auth-key"
89 #define str_ip_enc_key "enc-key"
90 #define str_ip_enc_key_cert "enc-key-cert"
91 #define str_ip_legacy_key "legacy-key"
92 #define str_ip_legacy_key_cert "legacy-key-cert"
93 #define str_intro_point_start "\n" str_intro_point " "
94 /* Constant string value for the construction to encrypt the encrypted data
95  * section. */
96 #define str_enc_const_superencryption "hsdir-superencrypted-data"
97 #define str_enc_const_encryption "hsdir-encrypted-data"
98 /* Prefix required to compute/verify HS desc signatures */
99 #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
100 #define str_desc_auth_type "desc-auth-type"
101 #define str_desc_auth_key "desc-auth-ephemeral-key"
102 #define str_desc_auth_client "auth-client"
103 #define str_encrypted "encrypted"
104 
105 /* Authentication supported types. */
106 static const struct {
107  hs_desc_auth_type_t type;
108  const char *identifier;
109 } intro_auth_types[] = {
110  { HS_DESC_AUTH_ED25519, "ed25519" },
111  /* Indicate end of array. */
112  { 0, NULL }
113 };
114 
115 /* Descriptor ruleset. */
116 static token_rule_t hs_desc_v3_token_table[] = {
117  T1_START(str_hs_desc, R_HS_DESCRIPTOR, EQ(1), NO_OBJ),
118  T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ),
119  T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ),
120  T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ),
121  T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ),
122  T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ),
124 };
125 
126 /* Descriptor ruleset for the superencrypted section. */
127 static token_rule_t hs_desc_superencrypted_v3_token_table[] = {
128  T1_START(str_desc_auth_type, R3_DESC_AUTH_TYPE, GE(1), NO_OBJ),
129  T1(str_desc_auth_key, R3_DESC_AUTH_KEY, GE(1), NO_OBJ),
130  T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT, GE(3), NO_OBJ),
131  T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
133 };
134 
135 /* Descriptor ruleset for the encrypted section. */
136 static token_rule_t hs_desc_encrypted_v3_token_table[] = {
137  T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
138  T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
139  T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
141 };
142 
143 /* Descriptor ruleset for the introduction points section. */
144 static token_rule_t hs_desc_intro_point_v3_token_table[] = {
145  T1_START(str_intro_point, R3_INTRODUCTION_POINT, EQ(1), NO_OBJ),
146  T1N(str_ip_onion_key, R3_INTRO_ONION_KEY, GE(2), OBJ_OK),
147  T1(str_ip_auth_key, R3_INTRO_AUTH_KEY, NO_ARGS, NEED_OBJ),
148  T1(str_ip_enc_key, R3_INTRO_ENC_KEY, GE(2), OBJ_OK),
149  T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT, ARGS, OBJ_OK),
150  T01(str_ip_legacy_key, R3_INTRO_LEGACY_KEY, ARGS, NEED_KEY_1024),
151  T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT, ARGS, OBJ_OK),
153 };
154 
155 /* Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
156  * We use SHA3-256 for the MAC computation.
157  * This function can't fail. */
158 static void
159 build_mac(const uint8_t *mac_key, size_t mac_key_len,
160  const uint8_t *salt, size_t salt_len,
161  const uint8_t *encrypted, size_t encrypted_len,
162  uint8_t *mac_out, size_t mac_len)
163 {
164  crypto_digest_t *digest;
165 
166  const uint64_t mac_len_netorder = tor_htonll(mac_key_len);
167  const uint64_t salt_len_netorder = tor_htonll(salt_len);
168 
169  tor_assert(mac_key);
170  tor_assert(salt);
171  tor_assert(encrypted);
172  tor_assert(mac_out);
173 
174  digest = crypto_digest256_new(DIGEST_SHA3_256);
175  /* As specified in section 2.5 of proposal 224, first add the mac key
176  * then add the salt first and then the encrypted section. */
177 
178  crypto_digest_add_bytes(digest, (const char *) &mac_len_netorder, 8);
179  crypto_digest_add_bytes(digest, (const char *) mac_key, mac_key_len);
180  crypto_digest_add_bytes(digest, (const char *) &salt_len_netorder, 8);
181  crypto_digest_add_bytes(digest, (const char *) salt, salt_len);
182  crypto_digest_add_bytes(digest, (const char *) encrypted, encrypted_len);
183  crypto_digest_get_digest(digest, (char *) mac_out, mac_len);
184  crypto_digest_free(digest);
185 }
186 
187 /* Using a secret data and a given decriptor object, build the secret
188  * input needed for the KDF.
189  *
190  * secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
191  *
192  * Then, set the newly allocated buffer in secret_input_out and return the
193  * length of the buffer. */
194 static size_t
195 build_secret_input(const hs_descriptor_t *desc,
196  const uint8_t *secret_data,
197  size_t secret_data_len,
198  uint8_t **secret_input_out)
199 {
200  size_t offset = 0;
201  size_t secret_input_len = secret_data_len + DIGEST256_LEN + sizeof(uint64_t);
202  uint8_t *secret_input = NULL;
203 
204  tor_assert(desc);
205  tor_assert(secret_data);
206  tor_assert(secret_input_out);
207 
208  secret_input = tor_malloc_zero(secret_input_len);
209 
210  /* Copy the secret data. */
211  memcpy(secret_input, secret_data, secret_data_len);
212  offset += secret_data_len;
213  /* Copy subcredential. */
214  memcpy(secret_input + offset, desc->subcredential, DIGEST256_LEN);
215  offset += DIGEST256_LEN;
216  /* Copy revision counter value. */
217  set_uint64(secret_input + offset,
218  tor_htonll(desc->plaintext_data.revision_counter));
219  offset += sizeof(uint64_t);
220  tor_assert(secret_input_len == offset);
221 
222  *secret_input_out = secret_input;
223 
224  return secret_input_len;
225 }
226 
227 /* Do the KDF construction and put the resulting data in key_out which is of
228  * key_out_len length. It uses SHAKE-256 as specified in the spec. */
229 static void
230 build_kdf_key(const hs_descriptor_t *desc,
231  const uint8_t *secret_data,
232  size_t secret_data_len,
233  const uint8_t *salt, size_t salt_len,
234  uint8_t *key_out, size_t key_out_len,
235  int is_superencrypted_layer)
236 {
237  uint8_t *secret_input = NULL;
238  size_t secret_input_len;
239  crypto_xof_t *xof;
240 
241  tor_assert(desc);
242  tor_assert(secret_data);
243  tor_assert(salt);
244  tor_assert(key_out);
245 
246  /* Build the secret input for the KDF computation. */
247  secret_input_len = build_secret_input(desc, secret_data,
248  secret_data_len, &secret_input);
249 
250  xof = crypto_xof_new();
251  /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
252  crypto_xof_add_bytes(xof, secret_input, secret_input_len);
253  crypto_xof_add_bytes(xof, salt, salt_len);
254 
255  /* Feed in the right string constant based on the desc layer */
256  if (is_superencrypted_layer) {
257  crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_superencryption,
258  strlen(str_enc_const_superencryption));
259  } else {
260  crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_encryption,
261  strlen(str_enc_const_encryption));
262  }
263 
264  /* Eat from our KDF. */
265  crypto_xof_squeeze_bytes(xof, key_out, key_out_len);
266  crypto_xof_free(xof);
267  memwipe(secret_input, 0, secret_input_len);
268 
269  tor_free(secret_input);
270 }
271 
272 /* Using the given descriptor, secret data, and salt, run it through our
273  * KDF function and then extract a secret key in key_out, the IV in iv_out
274  * and MAC in mac_out. This function can't fail. */
275 static void
276 build_secret_key_iv_mac(const hs_descriptor_t *desc,
277  const uint8_t *secret_data,
278  size_t secret_data_len,
279  const uint8_t *salt, size_t salt_len,
280  uint8_t *key_out, size_t key_len,
281  uint8_t *iv_out, size_t iv_len,
282  uint8_t *mac_out, size_t mac_len,
283  int is_superencrypted_layer)
284 {
285  size_t offset = 0;
286  uint8_t kdf_key[HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN];
287 
288  tor_assert(desc);
289  tor_assert(secret_data);
290  tor_assert(salt);
291  tor_assert(key_out);
292  tor_assert(iv_out);
293  tor_assert(mac_out);
294 
295  build_kdf_key(desc, secret_data, secret_data_len,
296  salt, salt_len, kdf_key, sizeof(kdf_key),
297  is_superencrypted_layer);
298  /* Copy the bytes we need for both the secret key and IV. */
299  memcpy(key_out, kdf_key, key_len);
300  offset += key_len;
301  memcpy(iv_out, kdf_key + offset, iv_len);
302  offset += iv_len;
303  memcpy(mac_out, kdf_key + offset, mac_len);
304  /* Extra precaution to make sure we are not out of bound. */
305  tor_assert((offset + mac_len) == sizeof(kdf_key));
306  memwipe(kdf_key, 0, sizeof(kdf_key));
307 }
308 
309 /* === ENCODING === */
310 
311 /* Encode the given link specifier objects into a newly allocated string.
312  * This can't fail so caller can always assume a valid string being
313  * returned. */
314 STATIC char *
315 encode_link_specifiers(const smartlist_t *specs)
316 {
317  char *encoded_b64 = NULL;
318  link_specifier_list_t *lslist = link_specifier_list_new();
319 
320  tor_assert(specs);
321  /* No link specifiers is a code flow error, can't happen. */
322  tor_assert(smartlist_len(specs) > 0);
323  tor_assert(smartlist_len(specs) <= UINT8_MAX);
324 
325  link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
326 
327  SMARTLIST_FOREACH_BEGIN(specs, const link_specifier_t *,
328  spec) {
329  link_specifier_t *ls = link_specifier_dup(spec);
330  tor_assert(ls);
331  link_specifier_list_add_spec(lslist, ls);
332  } SMARTLIST_FOREACH_END(spec);
333 
334  {
335  uint8_t *encoded;
336  ssize_t encoded_len, encoded_b64_len, ret;
337 
338  encoded_len = link_specifier_list_encoded_len(lslist);
339  tor_assert(encoded_len > 0);
340  encoded = tor_malloc_zero(encoded_len);
341  ret = link_specifier_list_encode(encoded, encoded_len, lslist);
342  tor_assert(ret == encoded_len);
343 
344  /* Base64 encode our binary format. Add extra NUL byte for the base64
345  * encoded value. */
346  encoded_b64_len = base64_encode_size(encoded_len, 0) + 1;
347  encoded_b64 = tor_malloc_zero(encoded_b64_len);
348  ret = base64_encode(encoded_b64, encoded_b64_len, (const char *) encoded,
349  encoded_len, 0);
350  tor_assert(ret == (encoded_b64_len - 1));
351  tor_free(encoded);
352  }
353 
354  link_specifier_list_free(lslist);
355  return encoded_b64;
356 }
357 
358 /* Encode an introduction point legacy key and certificate. Return a newly
359  * allocated string with it. On failure, return NULL. */
360 static char *
361 encode_legacy_key(const hs_desc_intro_point_t *ip)
362 {
363  char *key_str, b64_cert[256], *encoded = NULL;
364  size_t key_str_len;
365 
366  tor_assert(ip);
367 
368  /* Encode cross cert. */
369  if (base64_encode(b64_cert, sizeof(b64_cert),
370  (const char *) ip->legacy.cert.encoded,
371  ip->legacy.cert.len, BASE64_ENCODE_MULTILINE) < 0) {
372  log_warn(LD_REND, "Unable to encode legacy crosscert.");
373  goto done;
374  }
375  /* Convert the encryption key to PEM format NUL terminated. */
376  if (crypto_pk_write_public_key_to_string(ip->legacy.key, &key_str,
377  &key_str_len) < 0) {
378  log_warn(LD_REND, "Unable to encode legacy encryption key.");
379  goto done;
380  }
381  tor_asprintf(&encoded,
382  "%s \n%s" /* Newline is added by the call above. */
383  "%s\n"
384  "-----BEGIN CROSSCERT-----\n"
385  "%s"
386  "-----END CROSSCERT-----",
387  str_ip_legacy_key, key_str,
388  str_ip_legacy_key_cert, b64_cert);
389  tor_free(key_str);
390 
391  done:
392  return encoded;
393 }
394 
395 /* Encode an introduction point encryption key and certificate. Return a newly
396  * allocated string with it. On failure, return NULL. */
397 static char *
398 encode_enc_key(const hs_desc_intro_point_t *ip)
399 {
400  char *encoded = NULL, *encoded_cert;
401  char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
402 
403  tor_assert(ip);
404 
405  /* Base64 encode the encryption key for the "enc-key" field. */
406  if (curve25519_public_to_base64(key_b64, &ip->enc_key) < 0) {
407  goto done;
408  }
409  if (tor_cert_encode_ed22519(ip->enc_key_cert, &encoded_cert) < 0) {
410  goto done;
411  }
412  tor_asprintf(&encoded,
413  "%s ntor %s\n"
414  "%s\n%s",
415  str_ip_enc_key, key_b64,
416  str_ip_enc_key_cert, encoded_cert);
417  tor_free(encoded_cert);
418 
419  done:
420  return encoded;
421 }
422 
423 /* Encode an introduction point onion key. Return a newly allocated string
424  * with it. On failure, return NULL. */
425 static char *
426 encode_onion_key(const hs_desc_intro_point_t *ip)
427 {
428  char *encoded = NULL;
429  char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
430 
431  tor_assert(ip);
432 
433  /* Base64 encode the encryption key for the "onion-key" field. */
434  if (curve25519_public_to_base64(key_b64, &ip->onion_key) < 0) {
435  goto done;
436  }
437  tor_asprintf(&encoded, "%s ntor %s", str_ip_onion_key, key_b64);
438 
439  done:
440  return encoded;
441 }
442 
443 /* Encode an introduction point object and return a newly allocated string
444  * with it. On failure, return NULL. */
445 static char *
446 encode_intro_point(const ed25519_public_key_t *sig_key,
447  const hs_desc_intro_point_t *ip)
448 {
449  char *encoded_ip = NULL;
450  smartlist_t *lines = smartlist_new();
451 
452  tor_assert(ip);
453  tor_assert(sig_key);
454 
455  /* Encode link specifier. */
456  {
457  char *ls_str = encode_link_specifiers(ip->link_specifiers);
458  smartlist_add_asprintf(lines, "%s %s", str_intro_point, ls_str);
459  tor_free(ls_str);
460  }
461 
462  /* Onion key encoding. */
463  {
464  char *encoded_onion_key = encode_onion_key(ip);
465  if (encoded_onion_key == NULL) {
466  goto err;
467  }
468  smartlist_add_asprintf(lines, "%s", encoded_onion_key);
469  tor_free(encoded_onion_key);
470  }
471 
472  /* Authentication key encoding. */
473  {
474  char *encoded_cert;
475  if (tor_cert_encode_ed22519(ip->auth_key_cert, &encoded_cert) < 0) {
476  goto err;
477  }
478  smartlist_add_asprintf(lines, "%s\n%s", str_ip_auth_key, encoded_cert);
479  tor_free(encoded_cert);
480  }
481 
482  /* Encryption key encoding. */
483  {
484  char *encoded_enc_key = encode_enc_key(ip);
485  if (encoded_enc_key == NULL) {
486  goto err;
487  }
488  smartlist_add_asprintf(lines, "%s", encoded_enc_key);
489  tor_free(encoded_enc_key);
490  }
491 
492  /* Legacy key if any. */
493  if (ip->legacy.key != NULL) {
494  /* Strong requirement else the IP creation was badly done. */
495  tor_assert(ip->legacy.cert.encoded);
496  char *encoded_legacy_key = encode_legacy_key(ip);
497  if (encoded_legacy_key == NULL) {
498  goto err;
499  }
500  smartlist_add_asprintf(lines, "%s", encoded_legacy_key);
501  tor_free(encoded_legacy_key);
502  }
503 
504  /* Join them all in one blob of text. */
505  encoded_ip = smartlist_join_strings(lines, "\n", 1, NULL);
506 
507  err:
508  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
509  smartlist_free(lines);
510  return encoded_ip;
511 }
512 
513 /* Given a source length, return the new size including padding for the
514  * plaintext encryption. */
515 static size_t
516 compute_padded_plaintext_length(size_t plaintext_len)
517 {
518  size_t plaintext_padded_len;
519  const int padding_block_length = HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE;
520 
521  /* Make sure we won't overflow. */
522  tor_assert(plaintext_len <= (SIZE_T_CEILING - padding_block_length));
523 
524  /* Get the extra length we need to add. For example, if srclen is 10200
525  * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
526  plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
527  padding_block_length;
528  /* Can never be extra careful. Make sure we are _really_ padded. */
529  tor_assert(!(plaintext_padded_len % padding_block_length));
530  return plaintext_padded_len;
531 }
532 
533 /* Given a buffer, pad it up to the encrypted section padding requirement. Set
534  * the newly allocated string in padded_out and return the length of the
535  * padded buffer. */
536 STATIC size_t
537 build_plaintext_padding(const char *plaintext, size_t plaintext_len,
538  uint8_t **padded_out)
539 {
540  size_t padded_len;
541  uint8_t *padded;
542 
543  tor_assert(plaintext);
544  tor_assert(padded_out);
545 
546  /* Allocate the final length including padding. */
547  padded_len = compute_padded_plaintext_length(plaintext_len);
548  tor_assert(padded_len >= plaintext_len);
549  padded = tor_malloc_zero(padded_len);
550 
551  memcpy(padded, plaintext, plaintext_len);
552  *padded_out = padded;
553  return padded_len;
554 }
555 
556 /* Using a key, IV and plaintext data of length plaintext_len, create the
557  * encrypted section by encrypting it and setting encrypted_out with the
558  * data. Return size of the encrypted data buffer. */
559 static size_t
560 build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
561  size_t plaintext_len, uint8_t **encrypted_out,
562  int is_superencrypted_layer)
563 {
564  size_t encrypted_len;
565  uint8_t *padded_plaintext, *encrypted;
566  crypto_cipher_t *cipher;
567 
568  tor_assert(key);
569  tor_assert(iv);
570  tor_assert(plaintext);
571  tor_assert(encrypted_out);
572 
573  /* If we are encrypting the middle layer of the descriptor, we need to first
574  pad the plaintext */
575  if (is_superencrypted_layer) {
576  encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
577  &padded_plaintext);
578  /* Extra precautions that we have a valid padding length. */
579  tor_assert(!(encrypted_len % HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE));
580  } else { /* No padding required for inner layers */
581  padded_plaintext = tor_memdup(plaintext, plaintext_len);
582  encrypted_len = plaintext_len;
583  }
584 
585  /* This creates a cipher for AES. It can't fail. */
586  cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
587  HS_DESC_ENCRYPTED_BIT_SIZE);
588  /* We use a stream cipher so the encrypted length will be the same as the
589  * plaintext padded length. */
590  encrypted = tor_malloc_zero(encrypted_len);
591  /* This can't fail. */
592  crypto_cipher_encrypt(cipher, (char *) encrypted,
593  (const char *) padded_plaintext, encrypted_len);
594  *encrypted_out = encrypted;
595  /* Cleanup. */
596  crypto_cipher_free(cipher);
597  tor_free(padded_plaintext);
598  return encrypted_len;
599 }
600 
601 /* Encrypt the given <b>plaintext</b> buffer using <b>desc</b> and
602  * <b>secret_data</b> to get the keys. Set encrypted_out with the encrypted
603  * data and return the length of it. <b>is_superencrypted_layer</b> is set
604  * if this is the outer encrypted layer of the descriptor. */
605 static size_t
606 encrypt_descriptor_data(const hs_descriptor_t *desc,
607  const uint8_t *secret_data,
608  size_t secret_data_len,
609  const char *plaintext,
610  char **encrypted_out, int is_superencrypted_layer)
611 {
612  char *final_blob;
613  size_t encrypted_len, final_blob_len, offset = 0;
614  uint8_t *encrypted;
615  uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
616  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
617  uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
618 
619  tor_assert(desc);
620  tor_assert(secret_data);
621  tor_assert(plaintext);
622  tor_assert(encrypted_out);
623 
624  /* Get our salt. The returned bytes are already hashed. */
625  crypto_strongest_rand(salt, sizeof(salt));
626 
627  /* KDF construction resulting in a key from which the secret key, IV and MAC
628  * key are extracted which is what we need for the encryption. */
629  build_secret_key_iv_mac(desc, secret_data, secret_data_len,
630  salt, sizeof(salt),
631  secret_key, sizeof(secret_key),
632  secret_iv, sizeof(secret_iv),
633  mac_key, sizeof(mac_key),
634  is_superencrypted_layer);
635 
636  /* Build the encrypted part that is do the actual encryption. */
637  encrypted_len = build_encrypted(secret_key, secret_iv, plaintext,
638  strlen(plaintext), &encrypted,
639  is_superencrypted_layer);
640  memwipe(secret_key, 0, sizeof(secret_key));
641  memwipe(secret_iv, 0, sizeof(secret_iv));
642  /* This construction is specified in section 2.5 of proposal 224. */
643  final_blob_len = sizeof(salt) + encrypted_len + DIGEST256_LEN;
644  final_blob = tor_malloc_zero(final_blob_len);
645 
646  /* Build the MAC. */
647  build_mac(mac_key, sizeof(mac_key), salt, sizeof(salt),
648  encrypted, encrypted_len, mac, sizeof(mac));
649  memwipe(mac_key, 0, sizeof(mac_key));
650 
651  /* The salt is the first value. */
652  memcpy(final_blob, salt, sizeof(salt));
653  offset = sizeof(salt);
654  /* Second value is the encrypted data. */
655  memcpy(final_blob + offset, encrypted, encrypted_len);
656  offset += encrypted_len;
657  /* Third value is the MAC. */
658  memcpy(final_blob + offset, mac, sizeof(mac));
659  offset += sizeof(mac);
660  /* Cleanup the buffers. */
661  memwipe(salt, 0, sizeof(salt));
662  memwipe(encrypted, 0, encrypted_len);
663  tor_free(encrypted);
664  /* Extra precaution. */
665  tor_assert(offset == final_blob_len);
666 
667  *encrypted_out = final_blob;
668  return final_blob_len;
669 }
670 
671 /* Create and return a string containing a client-auth entry. It's the
672  * responsibility of the caller to free the returned string. This function
673  * will never fail. */
674 static char *
675 get_auth_client_str(const hs_desc_authorized_client_t *client)
676 {
677  int ret;
678  char *auth_client_str = NULL;
679  /* We are gonna fill these arrays with base64 data. They are all double
680  * the size of their binary representation to fit the base64 overhead. */
681  char client_id_b64[HS_DESC_CLIENT_ID_LEN * 2];
682  char iv_b64[CIPHER_IV_LEN * 2];
683  char encrypted_cookie_b64[HS_DESC_ENCRYPED_COOKIE_LEN * 2];
684 
685 #define ASSERT_AND_BASE64(field) STMT_BEGIN \
686  tor_assert(!tor_mem_is_zero((char *) client->field, \
687  sizeof(client->field))); \
688  ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
689  client->field, sizeof(client->field)); \
690  tor_assert(ret > 0); \
691  STMT_END
692 
693  ASSERT_AND_BASE64(client_id);
694  ASSERT_AND_BASE64(iv);
695  ASSERT_AND_BASE64(encrypted_cookie);
696 
697  /* Build the final string */
698  tor_asprintf(&auth_client_str, "%s %s %s %s", str_desc_auth_client,
699  client_id_b64, iv_b64, encrypted_cookie_b64);
700 
701 #undef ASSERT_AND_BASE64
702 
703  return auth_client_str;
704 }
705 
709 static char *
711 {
712  smartlist_t *auth_client_lines = smartlist_new();
713  char *auth_client_lines_str = NULL;
714 
715  tor_assert(desc);
716  tor_assert(desc->superencrypted_data.clients);
717  tor_assert(smartlist_len(desc->superencrypted_data.clients) != 0);
718  tor_assert(smartlist_len(desc->superencrypted_data.clients)
719  % HS_DESC_AUTH_CLIENT_MULTIPLE == 0);
720 
721  /* Make a line for each client */
722  SMARTLIST_FOREACH_BEGIN(desc->superencrypted_data.clients,
723  const hs_desc_authorized_client_t *, client) {
724  char *auth_client_str = NULL;
725 
726  auth_client_str = get_auth_client_str(client);
727 
728  smartlist_add(auth_client_lines, auth_client_str);
729  } SMARTLIST_FOREACH_END(client);
730 
731  /* Join all lines together to form final string */
732  auth_client_lines_str = smartlist_join_strings(auth_client_lines,
733  "\n", 1, NULL);
734  /* Cleanup the mess */
735  SMARTLIST_FOREACH(auth_client_lines, char *, a, tor_free(a));
736  smartlist_free(auth_client_lines);
737 
738  return auth_client_lines_str;
739 }
740 
741 /* Create the inner layer of the descriptor (which includes the intro points,
742  * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
743  * an error occurred. It's the responsibility of the caller to free the
744  * returned string. */
745 static char *
746 get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
747 {
748  char *encoded_str = NULL;
749  smartlist_t *lines = smartlist_new();
750 
751  /* Build the start of the section prior to the introduction points. */
752  {
753  if (!desc->encrypted_data.create2_ntor) {
754  log_err(LD_BUG, "HS desc doesn't have recognized handshake type.");
755  goto err;
756  }
757  smartlist_add_asprintf(lines, "%s %d\n", str_create2_formats,
758  ONION_HANDSHAKE_TYPE_NTOR);
759 
760  if (desc->encrypted_data.intro_auth_types &&
761  smartlist_len(desc->encrypted_data.intro_auth_types)) {
762  /* Put the authentication-required line. */
763  char *buf = smartlist_join_strings(desc->encrypted_data.intro_auth_types,
764  " ", 0, NULL);
765  smartlist_add_asprintf(lines, "%s %s\n", str_intro_auth_required, buf);
766  tor_free(buf);
767  }
768 
769  if (desc->encrypted_data.single_onion_service) {
770  smartlist_add_asprintf(lines, "%s\n", str_single_onion);
771  }
772  }
773 
774  /* Build the introduction point(s) section. */
775  SMARTLIST_FOREACH_BEGIN(desc->encrypted_data.intro_points,
776  const hs_desc_intro_point_t *, ip) {
777  char *encoded_ip = encode_intro_point(&desc->plaintext_data.signing_pubkey,
778  ip);
779  if (encoded_ip == NULL) {
780  log_err(LD_BUG, "HS desc intro point is malformed.");
781  goto err;
782  }
783  smartlist_add(lines, encoded_ip);
784  } SMARTLIST_FOREACH_END(ip);
785 
786  /* Build the entire encrypted data section into one encoded plaintext and
787  * then encrypt it. */
788  encoded_str = smartlist_join_strings(lines, "", 0, NULL);
789 
790  err:
791  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
792  smartlist_free(lines);
793 
794  return encoded_str;
795 }
796 
797 /* Create the middle layer of the descriptor, which includes the client auth
798  * data and the encrypted inner layer (provided as a base64 string at
799  * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
800  * layer plaintext, or NULL if an error occurred. It's the responsibility of
801  * the caller to free the returned string. */
802 static char *
803 get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc,
804  const char *layer2_b64_ciphertext)
805 {
806  char *layer1_str = NULL;
807  smartlist_t *lines = smartlist_new();
808 
809  /* Specify auth type */
810  smartlist_add_asprintf(lines, "%s %s\n", str_desc_auth_type, "x25519");
811 
812  { /* Print ephemeral x25519 key */
813  char ephemeral_key_base64[CURVE25519_BASE64_PADDED_LEN + 1];
814  const curve25519_public_key_t *ephemeral_pubkey;
815 
816  ephemeral_pubkey = &desc->superencrypted_data.auth_ephemeral_pubkey;
817  tor_assert(!tor_mem_is_zero((char *) ephemeral_pubkey->public_key,
819 
820  if (curve25519_public_to_base64(ephemeral_key_base64,
821  ephemeral_pubkey) < 0) {
822  goto done;
823  }
824  smartlist_add_asprintf(lines, "%s %s\n",
825  str_desc_auth_key, ephemeral_key_base64);
826 
827  memwipe(ephemeral_key_base64, 0, sizeof(ephemeral_key_base64));
828  }
829 
830  { /* Create auth-client lines. */
831  char *auth_client_lines = get_all_auth_client_lines(desc);
832  tor_assert(auth_client_lines);
833  smartlist_add(lines, auth_client_lines);
834  }
835 
836  /* create encrypted section */
837  {
839  "%s\n"
840  "-----BEGIN MESSAGE-----\n"
841  "%s"
842  "-----END MESSAGE-----",
843  str_encrypted, layer2_b64_ciphertext);
844  }
845 
846  layer1_str = smartlist_join_strings(lines, "", 0, NULL);
847 
848  done:
849  /* We need to memwipe all lines because it contains the ephemeral key */
850  SMARTLIST_FOREACH(lines, char *, a, memwipe(a, 0, strlen(a)));
851  SMARTLIST_FOREACH(lines, char *, a, tor_free(a));
852  smartlist_free(lines);
853 
854  return layer1_str;
855 }
856 
857 /* Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
858  * returning it. <b>desc</b> is provided to derive the encryption
859  * keys. <b>secret_data</b> is also proved to derive the encryption keys.
860  * <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
861  * middle (superencrypted) layer of the descriptor. It's the responsibility of
862  * the caller to free the returned string. */
863 static char *
864 encrypt_desc_data_and_base64(const hs_descriptor_t *desc,
865  const uint8_t *secret_data,
866  size_t secret_data_len,
867  const char *encoded_str,
868  int is_superencrypted_layer)
869 {
870  char *enc_b64;
871  ssize_t enc_b64_len, ret_len, enc_len;
872  char *encrypted_blob = NULL;
873 
874  enc_len = encrypt_descriptor_data(desc, secret_data, secret_data_len,
875  encoded_str, &encrypted_blob,
876  is_superencrypted_layer);
877  /* Get the encoded size plus a NUL terminating byte. */
878  enc_b64_len = base64_encode_size(enc_len, BASE64_ENCODE_MULTILINE) + 1;
879  enc_b64 = tor_malloc_zero(enc_b64_len);
880  /* Base64 the encrypted blob before returning it. */
881  ret_len = base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
882  BASE64_ENCODE_MULTILINE);
883  /* Return length doesn't count the NUL byte. */
884  tor_assert(ret_len == (enc_b64_len - 1));
885  tor_free(encrypted_blob);
886 
887  return enc_b64;
888 }
889 
890 /* Generate the secret data which is used to encrypt/decrypt the descriptor.
891  *
892  * SECRET_DATA = blinded-public-key
893  * SECRET_DATA = blinded-public-key | descriptor_cookie
894  *
895  * The descriptor_cookie is optional but if it exists, it must be at least
896  * HS_DESC_DESCRIPTOR_COOKIE_LEN bytes long.
897  *
898  * A newly allocated secret data is put in secret_data_out. Return the
899  * length of the secret data. This function cannot fail. */
900 static size_t
901 build_secret_data(const ed25519_public_key_t *blinded_pubkey,
902  const uint8_t *descriptor_cookie,
903  uint8_t **secret_data_out)
904 {
905  size_t secret_data_len;
906  uint8_t *secret_data;
907 
908  tor_assert(blinded_pubkey);
909  tor_assert(secret_data_out);
910 
911  if (descriptor_cookie) {
912  /* If the descriptor cookie is present, we need both the blinded
913  * pubkey and the descriptor cookie as a secret data. */
914  secret_data_len = ED25519_PUBKEY_LEN + HS_DESC_DESCRIPTOR_COOKIE_LEN;
915  secret_data = tor_malloc(secret_data_len);
916 
917  memcpy(secret_data,
918  blinded_pubkey->pubkey,
919  ED25519_PUBKEY_LEN);
920  memcpy(secret_data + ED25519_PUBKEY_LEN,
921  descriptor_cookie,
922  HS_DESC_DESCRIPTOR_COOKIE_LEN);
923  } else {
924  /* If the descriptor cookie is not present, we need only the blinded
925  * pubkey as a secret data. */
926  secret_data_len = ED25519_PUBKEY_LEN;
927  secret_data = tor_malloc(secret_data_len);
928  memcpy(secret_data,
929  blinded_pubkey->pubkey,
930  ED25519_PUBKEY_LEN);
931  }
932 
933  *secret_data_out = secret_data;
934  return secret_data_len;
935 }
936 
937 /* Generate and encode the superencrypted portion of <b>desc</b>. This also
938  * involves generating the encrypted portion of the descriptor, and performing
939  * the superencryption. A newly allocated NUL-terminated string pointer
940  * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
941  * on success else a negative value. */
942 static int
943 encode_superencrypted_data(const hs_descriptor_t *desc,
944  const uint8_t *descriptor_cookie,
945  char **encrypted_blob_out)
946 {
947  int ret = -1;
948  uint8_t *secret_data = NULL;
949  size_t secret_data_len = 0;
950  char *layer2_str = NULL;
951  char *layer2_b64_ciphertext = NULL;
952  char *layer1_str = NULL;
953  char *layer1_b64_ciphertext = NULL;
954 
955  tor_assert(desc);
956  tor_assert(encrypted_blob_out);
957 
958  /* Func logic: We first create the inner layer of the descriptor (layer2).
959  * We then encrypt it and use it to create the middle layer of the descriptor
960  * (layer1). Finally we superencrypt the middle layer and return it to our
961  * caller. */
962 
963  /* Create inner descriptor layer */
964  layer2_str = get_inner_encrypted_layer_plaintext(desc);
965  if (!layer2_str) {
966  goto err;
967  }
968 
969  secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
970  descriptor_cookie,
971  &secret_data);
972 
973  /* Encrypt and b64 the inner layer */
974  layer2_b64_ciphertext =
975  encrypt_desc_data_and_base64(desc, secret_data, secret_data_len,
976  layer2_str, 0);
977  if (!layer2_b64_ciphertext) {
978  goto err;
979  }
980 
981  /* Now create middle descriptor layer given the inner layer */
982  layer1_str = get_outer_encrypted_layer_plaintext(desc,layer2_b64_ciphertext);
983  if (!layer1_str) {
984  goto err;
985  }
986 
987  /* Encrypt and base64 the middle layer */
988  layer1_b64_ciphertext =
989  encrypt_desc_data_and_base64(desc,
990  desc->plaintext_data.blinded_pubkey.pubkey,
991  ED25519_PUBKEY_LEN,
992  layer1_str, 1);
993  if (!layer1_b64_ciphertext) {
994  goto err;
995  }
996 
997  /* Success! */
998  ret = 0;
999 
1000  err:
1001  memwipe(secret_data, 0, secret_data_len);
1002  tor_free(secret_data);
1003  tor_free(layer1_str);
1004  tor_free(layer2_str);
1005  tor_free(layer2_b64_ciphertext);
1006 
1007  *encrypted_blob_out = layer1_b64_ciphertext;
1008  return ret;
1009 }
1010 
1011 /* Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
1012  * newly allocated string of the encoded descriptor. On error, -1 is returned
1013  * and encoded_out is untouched. */
1014 static int
1015 desc_encode_v3(const hs_descriptor_t *desc,
1016  const ed25519_keypair_t *signing_kp,
1017  const uint8_t *descriptor_cookie,
1018  char **encoded_out)
1019 {
1020  int ret = -1;
1021  char *encoded_str = NULL;
1022  size_t encoded_len;
1023  smartlist_t *lines = smartlist_new();
1024 
1025  tor_assert(desc);
1026  tor_assert(signing_kp);
1027  tor_assert(encoded_out);
1028  tor_assert(desc->plaintext_data.version == 3);
1029 
1030  if (BUG(desc->subcredential == NULL)) {
1031  goto err;
1032  }
1033 
1034  /* Build the non-encrypted values. */
1035  {
1036  char *encoded_cert;
1037  /* Encode certificate then create the first line of the descriptor. */
1038  if (desc->plaintext_data.signing_key_cert->cert_type
1039  != CERT_TYPE_SIGNING_HS_DESC) {
1040  log_err(LD_BUG, "HS descriptor signing key has an unexpected cert type "
1041  "(%d)", (int) desc->plaintext_data.signing_key_cert->cert_type);
1042  goto err;
1043  }
1044  if (tor_cert_encode_ed22519(desc->plaintext_data.signing_key_cert,
1045  &encoded_cert) < 0) {
1046  /* The function will print error logs. */
1047  goto err;
1048  }
1049  /* Create the hs descriptor line. */
1050  smartlist_add_asprintf(lines, "%s %" PRIu32, str_hs_desc,
1051  desc->plaintext_data.version);
1052  /* Add the descriptor lifetime line (in minutes). */
1053  smartlist_add_asprintf(lines, "%s %" PRIu32, str_lifetime,
1054  desc->plaintext_data.lifetime_sec / 60);
1055  /* Create the descriptor certificate line. */
1056  smartlist_add_asprintf(lines, "%s\n%s", str_desc_cert, encoded_cert);
1057  tor_free(encoded_cert);
1058  /* Create the revision counter line. */
1059  smartlist_add_asprintf(lines, "%s %" PRIu64, str_rev_counter,
1060  desc->plaintext_data.revision_counter);
1061  }
1062 
1063  /* Build the superencrypted data section. */
1064  {
1065  char *enc_b64_blob=NULL;
1066  if (encode_superencrypted_data(desc, descriptor_cookie,
1067  &enc_b64_blob) < 0) {
1068  goto err;
1069  }
1070  smartlist_add_asprintf(lines,
1071  "%s\n"
1072  "-----BEGIN MESSAGE-----\n"
1073  "%s"
1074  "-----END MESSAGE-----",
1075  str_superencrypted, enc_b64_blob);
1076  tor_free(enc_b64_blob);
1077  }
1078 
1079  /* Join all lines in one string so we can generate a signature and append
1080  * it to the descriptor. */
1081  encoded_str = smartlist_join_strings(lines, "\n", 1, &encoded_len);
1082 
1083  /* Sign all fields of the descriptor with our short term signing key. */
1084  {
1085  ed25519_signature_t sig;
1086  char ed_sig_b64[ED25519_SIG_BASE64_LEN + 1];
1087  if (ed25519_sign_prefixed(&sig,
1088  (const uint8_t *) encoded_str, encoded_len,
1089  str_desc_sig_prefix, signing_kp) < 0) {
1090  log_warn(LD_BUG, "Can't sign encoded HS descriptor!");
1091  tor_free(encoded_str);
1092  goto err;
1093  }
1094  if (ed25519_signature_to_base64(ed_sig_b64, &sig) < 0) {
1095  log_warn(LD_BUG, "Can't base64 encode descriptor signature!");
1096  tor_free(encoded_str);
1097  goto err;
1098  }
1099  /* Create the signature line. */
1100  smartlist_add_asprintf(lines, "%s %s", str_signature, ed_sig_b64);
1101  }
1102  /* Free previous string that we used so compute the signature. */
1103  tor_free(encoded_str);
1104  encoded_str = smartlist_join_strings(lines, "\n", 1, NULL);
1105  *encoded_out = encoded_str;
1106 
1107  if (strlen(encoded_str) >= hs_cache_get_max_descriptor_size()) {
1108  log_warn(LD_GENERAL, "We just made an HS descriptor that's too big (%d)."
1109  "Failing.", (int)strlen(encoded_str));
1110  tor_free(encoded_str);
1111  goto err;
1112  }
1113 
1114  /* XXX: Trigger a control port event. */
1115 
1116  /* Success! */
1117  ret = 0;
1118 
1119  err:
1120  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
1121  smartlist_free(lines);
1122  return ret;
1123 }
1124 
1125 /* === DECODING === */
1126 
1127 /* Given the token tok for an auth client, decode it as
1128  * hs_desc_authorized_client_t. tok->args MUST contain at least 3 elements
1129  * Return 0 on success else -1 on failure. */
1130 static int
1131 decode_auth_client(const directory_token_t *tok,
1133 {
1134  int ret = -1;
1135 
1136  tor_assert(tok);
1137  tor_assert(tok->n_args >= 3);
1138  tor_assert(client);
1139 
1140  if (base64_decode((char *) client->client_id, sizeof(client->client_id),
1141  tok->args[0], strlen(tok->args[0])) !=
1142  sizeof(client->client_id)) {
1143  goto done;
1144  }
1145  if (base64_decode((char *) client->iv, sizeof(client->iv),
1146  tok->args[1], strlen(tok->args[1])) !=
1147  sizeof(client->iv)) {
1148  goto done;
1149  }
1150  if (base64_decode((char *) client->encrypted_cookie,
1151  sizeof(client->encrypted_cookie),
1152  tok->args[2], strlen(tok->args[2])) !=
1153  sizeof(client->encrypted_cookie)) {
1154  goto done;
1155  }
1156 
1157  /* Success. */
1158  ret = 0;
1159  done:
1160  return ret;
1161 }
1162 
1163 /* Given an encoded string of the link specifiers, return a newly allocated
1164  * list of decoded link specifiers. Return NULL on error. */
1165 STATIC smartlist_t *
1166 decode_link_specifiers(const char *encoded)
1167 {
1168  int decoded_len;
1169  size_t encoded_len, i;
1170  uint8_t *decoded;
1171  smartlist_t *results = NULL;
1172  link_specifier_list_t *specs = NULL;
1173 
1174  tor_assert(encoded);
1175 
1176  encoded_len = strlen(encoded);
1177  decoded = tor_malloc(encoded_len);
1178  decoded_len = base64_decode((char *) decoded, encoded_len, encoded,
1179  encoded_len);
1180  if (decoded_len < 0) {
1181  goto err;
1182  }
1183 
1184  if (link_specifier_list_parse(&specs, decoded,
1185  (size_t) decoded_len) < decoded_len) {
1186  goto err;
1187  }
1188  tor_assert(specs);
1189  results = smartlist_new();
1190 
1191  for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
1192  link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
1193  if (BUG(!ls)) {
1194  goto err;
1195  }
1196  link_specifier_t *ls_dup = link_specifier_dup(ls);
1197  if (BUG(!ls_dup)) {
1198  goto err;
1199  }
1200  smartlist_add(results, ls_dup);
1201  }
1202 
1203  goto done;
1204  err:
1205  if (results) {
1206  SMARTLIST_FOREACH(results, link_specifier_t *, s,
1207  link_specifier_free(s));
1208  smartlist_free(results);
1209  results = NULL;
1210  }
1211  done:
1212  link_specifier_list_free(specs);
1213  tor_free(decoded);
1214  return results;
1215 }
1216 
1217 /* Given a list of authentication types, decode it and put it in the encrypted
1218  * data section. Return 1 if we at least know one of the type or 0 if we know
1219  * none of them. */
1220 static int
1221 decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
1222 {
1223  int match = 0;
1224 
1225  tor_assert(desc);
1226  tor_assert(list);
1227 
1228  desc->intro_auth_types = smartlist_new();
1229  smartlist_split_string(desc->intro_auth_types, list, " ", 0, 0);
1230 
1231  /* Validate the types that we at least know about one. */
1232  SMARTLIST_FOREACH_BEGIN(desc->intro_auth_types, const char *, auth) {
1233  for (int idx = 0; intro_auth_types[idx].identifier; idx++) {
1234  if (!strncmp(auth, intro_auth_types[idx].identifier,
1235  strlen(intro_auth_types[idx].identifier))) {
1236  match = 1;
1237  break;
1238  }
1239  }
1240  } SMARTLIST_FOREACH_END(auth);
1241 
1242  return match;
1243 }
1244 
1245 /* Parse a space-delimited list of integers representing CREATE2 formats into
1246  * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
1247 static void
1248 decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
1249 {
1250  smartlist_t *tokens;
1251 
1252  tor_assert(desc);
1253  tor_assert(list);
1254 
1255  tokens = smartlist_new();
1256  smartlist_split_string(tokens, list, " ", 0, 0);
1257 
1258  SMARTLIST_FOREACH_BEGIN(tokens, char *, s) {
1259  int ok;
1260  unsigned long type = tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
1261  if (!ok) {
1262  log_warn(LD_REND, "Unparseable value %s in create2 list", escaped(s));
1263  continue;
1264  }
1265  switch (type) {
1266  case ONION_HANDSHAKE_TYPE_NTOR:
1267  desc->create2_ntor = 1;
1268  break;
1269  default:
1270  /* We deliberately ignore unsupported handshake types */
1271  continue;
1272  }
1273  } SMARTLIST_FOREACH_END(s);
1274 
1275  SMARTLIST_FOREACH(tokens, char *, s, tor_free(s));
1276  smartlist_free(tokens);
1277 }
1278 
1279 /* Given a certificate, validate the certificate for certain conditions which
1280  * are if the given type matches the cert's one, if the signing key is
1281  * included and if the that key was actually used to sign the certificate.
1282  *
1283  * Return 1 iff if all conditions pass or 0 if one of them fails. */
1284 STATIC int
1285 cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
1286 {
1287  tor_assert(log_obj_type);
1288 
1289  if (cert == NULL) {
1290  log_warn(LD_REND, "Certificate for %s couldn't be parsed.", log_obj_type);
1291  goto err;
1292  }
1293  if (cert->cert_type != type) {
1294  log_warn(LD_REND, "Invalid cert type %02x for %s.", cert->cert_type,
1295  log_obj_type);
1296  goto err;
1297  }
1298  /* All certificate must have its signing key included. */
1299  if (!cert->signing_key_included) {
1300  log_warn(LD_REND, "Signing key is NOT included for %s.", log_obj_type);
1301  goto err;
1302  }
1303  /* The following will not only check if the signature matches but also the
1304  * expiration date and overall validity. */
1305  if (tor_cert_checksig(cert, &cert->signing_key, approx_time()) < 0) {
1306  log_warn(LD_REND, "Invalid signature for %s: %s", log_obj_type,
1308  goto err;
1309  }
1310 
1311  return 1;
1312  err:
1313  return 0;
1314 }
1315 
1316 /* Given some binary data, try to parse it to get a certificate object. If we
1317  * have a valid cert, validate it using the given wanted type. On error, print
1318  * a log using the err_msg has the certificate identifier adding semantic to
1319  * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
1320  * points to a newly allocated certificate object. */
1321 static int
1322 cert_parse_and_validate(tor_cert_t **cert_out, const char *data,
1323  size_t data_len, unsigned int cert_type_wanted,
1324  const char *err_msg)
1325 {
1326  tor_cert_t *cert;
1327 
1328  tor_assert(cert_out);
1329  tor_assert(data);
1330  tor_assert(err_msg);
1331 
1332  /* Parse certificate. */
1333  cert = tor_cert_parse((const uint8_t *) data, data_len);
1334  if (!cert) {
1335  log_warn(LD_REND, "Certificate for %s couldn't be parsed.", err_msg);
1336  goto err;
1337  }
1338 
1339  /* Validate certificate. */
1340  if (!cert_is_valid(cert, cert_type_wanted, err_msg)) {
1341  goto err;
1342  }
1343 
1344  *cert_out = cert;
1345  return 0;
1346 
1347  err:
1348  tor_cert_free(cert);
1349  *cert_out = NULL;
1350  return -1;
1351 }
1352 
1353 /* Return true iff the given length of the encrypted data of a descriptor
1354  * passes validation. */
1355 STATIC int
1356 encrypted_data_length_is_valid(size_t len)
1357 {
1358  /* Make sure there is enough data for the salt and the mac. The equality is
1359  there to ensure that there is at least one byte of encrypted data. */
1360  if (len <= HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN) {
1361  log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
1362  "Got %lu but minimum value is %d",
1363  (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
1364  goto err;
1365  }
1366 
1367  return 1;
1368  err:
1369  return 0;
1370 }
1371 
1372 /* Build the KEYS component for the authorized client computation. The format
1373  * of the construction is:
1374  *
1375  * SECRET_SEED = x25519(sk, pk)
1376  * KEYS = KDF(subcredential | SECRET_SEED, 40)
1377  *
1378  * Set the <b>keys_out</b> argument to point to the buffer containing the KEYS,
1379  * and return the buffer's length. The caller should wipe and free its content
1380  * once done with it. This function can't fail. */
1381 static size_t
1382 build_descriptor_cookie_keys(const uint8_t *subcredential,
1383  size_t subcredential_len,
1384  const curve25519_secret_key_t *sk,
1385  const curve25519_public_key_t *pk,
1386  uint8_t **keys_out)
1387 {
1388  uint8_t secret_seed[CURVE25519_OUTPUT_LEN];
1389  uint8_t *keystream;
1390  size_t keystream_len = HS_DESC_CLIENT_ID_LEN + HS_DESC_COOKIE_KEY_LEN;
1391  crypto_xof_t *xof;
1392 
1393  tor_assert(subcredential);
1394  tor_assert(sk);
1395  tor_assert(pk);
1396  tor_assert(keys_out);
1397 
1398  keystream = tor_malloc_zero(keystream_len);
1399 
1400  /* Calculate x25519(sk, pk) to get the secret seed. */
1401  curve25519_handshake(secret_seed, sk, pk);
1402 
1403  /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
1404  xof = crypto_xof_new();
1405  crypto_xof_add_bytes(xof, subcredential, subcredential_len);
1406  crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
1407  crypto_xof_squeeze_bytes(xof, keystream, keystream_len);
1408  crypto_xof_free(xof);
1409 
1410  memwipe(secret_seed, 0, sizeof(secret_seed));
1411 
1412  *keys_out = keystream;
1413  return keystream_len;
1414 }
1415 
1416 /* Decrypt the descriptor cookie given the descriptor, the auth client,
1417  * and the client secret key. On sucess, return 0 and a newly allocated
1418  * descriptor cookie descriptor_cookie_out. On error or if the client id
1419  * is invalid, return -1 and descriptor_cookie_out is set to
1420  * NULL. */
1421 static int
1422 decrypt_descriptor_cookie(const hs_descriptor_t *desc,
1423  const hs_desc_authorized_client_t *client,
1424  const curve25519_secret_key_t *client_auth_sk,
1425  uint8_t **descriptor_cookie_out)
1426 {
1427  int ret = -1;
1428  uint8_t *keystream = NULL;
1429  size_t keystream_length = 0;
1430  uint8_t *descriptor_cookie = NULL;
1431  const uint8_t *cookie_key = NULL;
1432  crypto_cipher_t *cipher = NULL;
1433 
1434  tor_assert(desc);
1435  tor_assert(client);
1436  tor_assert(client_auth_sk);
1438  (char *) &desc->superencrypted_data.auth_ephemeral_pubkey,
1439  sizeof(desc->superencrypted_data.auth_ephemeral_pubkey)));
1440  tor_assert(!tor_mem_is_zero((char *) client_auth_sk,
1441  sizeof(*client_auth_sk)));
1442  tor_assert(!tor_mem_is_zero((char *) desc->subcredential, DIGEST256_LEN));
1443 
1444  /* Get the KEYS component to derive the CLIENT-ID and COOKIE-KEY. */
1445  keystream_length =
1446  build_descriptor_cookie_keys(desc->subcredential, DIGEST256_LEN,
1447  client_auth_sk,
1448  &desc->superencrypted_data.auth_ephemeral_pubkey,
1449  &keystream);
1450  tor_assert(keystream_length > 0);
1451 
1452  /* If the client id of auth client is not the same as the calculcated
1453  * client id, it means that this auth client is invaild according to the
1454  * client secret key client_auth_sk. */
1455  if (tor_memneq(client->client_id, keystream, HS_DESC_CLIENT_ID_LEN)) {
1456  goto done;
1457  }
1458  cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
1459 
1460  /* This creates a cipher for AES. It can't fail. */
1461  cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client->iv,
1462  HS_DESC_COOKIE_KEY_BIT_SIZE);
1463  descriptor_cookie = tor_malloc_zero(HS_DESC_DESCRIPTOR_COOKIE_LEN);
1464  /* This can't fail. */
1465  crypto_cipher_decrypt(cipher, (char *) descriptor_cookie,
1466  (const char *) client->encrypted_cookie,
1467  sizeof(client->encrypted_cookie));
1468 
1469  /* Success. */
1470  ret = 0;
1471  done:
1472  *descriptor_cookie_out = descriptor_cookie;
1473  if (cipher) {
1474  crypto_cipher_free(cipher);
1475  }
1476  memwipe(keystream, 0, keystream_length);
1477  tor_free(keystream);
1478  return ret;
1479 }
1480 
1491 MOCK_IMPL(STATIC size_t,
1492 decrypt_desc_layer,(const hs_descriptor_t *desc,
1493  const uint8_t *encrypted_blob,
1494  size_t encrypted_blob_size,
1495  const uint8_t *descriptor_cookie,
1496  int is_superencrypted_layer,
1497  char **decrypted_out))
1498 {
1499  uint8_t *decrypted = NULL;
1500  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
1501  uint8_t *secret_data = NULL;
1502  size_t secret_data_len = 0;
1503  uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
1504  const uint8_t *salt, *encrypted, *desc_mac;
1505  size_t encrypted_len, result_len = 0;
1506 
1507  tor_assert(decrypted_out);
1508  tor_assert(desc);
1509  tor_assert(encrypted_blob);
1510 
1511  /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
1512  * Make sure we have enough space for all these things. */
1513  if (!encrypted_data_length_is_valid(encrypted_blob_size)) {
1514  goto err;
1515  }
1516 
1517  /* Start of the blob thus the salt. */
1518  salt = encrypted_blob;
1519 
1520  /* Next is the encrypted data. */
1521  encrypted = encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN;
1522  encrypted_len = encrypted_blob_size -
1523  (HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
1524  tor_assert(encrypted_len > 0); /* guaranteed by the check above */
1525 
1526  /* And last comes the MAC. */
1527  desc_mac = encrypted_blob + encrypted_blob_size - DIGEST256_LEN;
1528 
1529  /* Build secret data to be used in the decryption. */
1530  secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
1531  descriptor_cookie,
1532  &secret_data);
1533 
1534  /* KDF construction resulting in a key from which the secret key, IV and MAC
1535  * key are extracted which is what we need for the decryption. */
1536  build_secret_key_iv_mac(desc, secret_data, secret_data_len,
1537  salt, HS_DESC_ENCRYPTED_SALT_LEN,
1538  secret_key, sizeof(secret_key),
1539  secret_iv, sizeof(secret_iv),
1540  mac_key, sizeof(mac_key),
1541  is_superencrypted_layer);
1542 
1543  /* Build MAC. */
1544  build_mac(mac_key, sizeof(mac_key), salt, HS_DESC_ENCRYPTED_SALT_LEN,
1545  encrypted, encrypted_len, our_mac, sizeof(our_mac));
1546  memwipe(mac_key, 0, sizeof(mac_key));
1547  /* Verify MAC; MAC is H(mac_key || salt || encrypted)
1548  *
1549  * This is a critical check that is making sure the computed MAC matches the
1550  * one in the descriptor. */
1551  if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
1552  log_info(LD_REND, "Encrypted service descriptor MAC check failed");
1553  goto err;
1554  }
1555 
1556  {
1557  /* Decrypt. Here we are assured that the encrypted length is valid for
1558  * decryption. */
1559  crypto_cipher_t *cipher;
1560 
1561  cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
1562  HS_DESC_ENCRYPTED_BIT_SIZE);
1563  /* Extra byte for the NUL terminated byte. */
1564  decrypted = tor_malloc_zero(encrypted_len + 1);
1565  crypto_cipher_decrypt(cipher, (char *) decrypted,
1566  (const char *) encrypted, encrypted_len);
1567  crypto_cipher_free(cipher);
1568  }
1569 
1570  {
1571  /* Adjust length to remove NUL padding bytes */
1572  uint8_t *end = memchr(decrypted, 0, encrypted_len);
1573  result_len = encrypted_len;
1574  if (end) {
1575  result_len = end - decrypted;
1576  }
1577  }
1578 
1579  if (result_len == 0) {
1580  /* Treat this as an error, so that somebody will free the output. */
1581  goto err;
1582  }
1583 
1584  /* Make sure to NUL terminate the string. */
1585  decrypted[encrypted_len] = '\0';
1586  *decrypted_out = (char *) decrypted;
1587  goto done;
1588 
1589  err:
1590  if (decrypted) {
1591  tor_free(decrypted);
1592  }
1593  *decrypted_out = NULL;
1594  result_len = 0;
1595 
1596  done:
1597  memwipe(secret_data, 0, secret_data_len);
1598  memwipe(secret_key, 0, sizeof(secret_key));
1599  memwipe(secret_iv, 0, sizeof(secret_iv));
1600  tor_free(secret_data);
1601  return result_len;
1602 }
1603 
1604 /* Decrypt the superencrypted section of the descriptor using the given
1605  * descriptor object <b>desc</b>. A newly allocated NUL terminated string is
1606  * put in decrypted_out which contains the superencrypted layer of the
1607  * descriptor. Return the length of decrypted_out on success else 0 is
1608  * returned and decrypted_out is set to NULL. */
1609 static size_t
1610 desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
1611 {
1612  size_t superencrypted_len = 0;
1613  char *superencrypted_plaintext = NULL;
1614 
1615  tor_assert(desc);
1616  tor_assert(decrypted_out);
1617 
1618  superencrypted_len = decrypt_desc_layer(desc,
1619  desc->plaintext_data.superencrypted_blob,
1620  desc->plaintext_data.superencrypted_blob_size,
1621  NULL, 1, &superencrypted_plaintext);
1622 
1623  if (!superencrypted_len) {
1624  log_warn(LD_REND, "Decrypting superencrypted desc failed.");
1625  goto done;
1626  }
1627  tor_assert(superencrypted_plaintext);
1628 
1629  done:
1630  /* In case of error, superencrypted_plaintext is already NULL, so the
1631  * following line makes sense. */
1632  *decrypted_out = superencrypted_plaintext;
1633  /* This makes sense too, because, in case of error, this is zero. */
1634  return superencrypted_len;
1635 }
1636 
1637 /* Decrypt the encrypted section of the descriptor using the given descriptor
1638  * object <b>desc</b>. A newly allocated NUL terminated string is put in
1639  * decrypted_out which contains the encrypted layer of the descriptor.
1640  * Return the length of decrypted_out on success else 0 is returned and
1641  * decrypted_out is set to NULL. */
1642 static size_t
1643 desc_decrypt_encrypted(const hs_descriptor_t *desc,
1644  const curve25519_secret_key_t *client_auth_sk,
1645  char **decrypted_out)
1646 {
1647  size_t encrypted_len = 0;
1648  char *encrypted_plaintext = NULL;
1649  uint8_t *descriptor_cookie = NULL;
1650 
1651  tor_assert(desc);
1652  tor_assert(desc->superencrypted_data.clients);
1653  tor_assert(decrypted_out);
1654 
1655  /* If the client secret key is provided, try to find a valid descriptor
1656  * cookie. Otherwise, leave it NULL. */
1657  if (client_auth_sk) {
1658  SMARTLIST_FOREACH_BEGIN(desc->superencrypted_data.clients,
1659  hs_desc_authorized_client_t *, client) {
1660  /* If we can decrypt the descriptor cookie successfully, we will use that
1661  * descriptor cookie and break from the loop. */
1662  if (!decrypt_descriptor_cookie(desc, client, client_auth_sk,
1663  &descriptor_cookie)) {
1664  break;
1665  }
1666  } SMARTLIST_FOREACH_END(client);
1667  }
1668 
1669  encrypted_len = decrypt_desc_layer(desc,
1670  desc->superencrypted_data.encrypted_blob,
1671  desc->superencrypted_data.encrypted_blob_size,
1672  descriptor_cookie, 0, &encrypted_plaintext);
1673  if (!encrypted_len) {
1674  goto err;
1675  }
1676  tor_assert(encrypted_plaintext);
1677 
1678  err:
1679  /* In case of error, encrypted_plaintext is already NULL, so the
1680  * following line makes sense. */
1681  *decrypted_out = encrypted_plaintext;
1682  if (descriptor_cookie) {
1683  memwipe(descriptor_cookie, 0, HS_DESC_DESCRIPTOR_COOKIE_LEN);
1684  }
1685  tor_free(descriptor_cookie);
1686  /* This makes sense too, because, in case of error, this is zero. */
1687  return encrypted_len;
1688 }
1689 
1690 /* Given the token tok for an intro point legacy key, the list of tokens, the
1691  * introduction point ip being decoded and the descriptor desc from which it
1692  * comes from, decode the legacy key and set the intro point object. Return 0
1693  * on success else -1 on failure. */
1694 static int
1695 decode_intro_legacy_key(const directory_token_t *tok,
1696  smartlist_t *tokens,
1698  const hs_descriptor_t *desc)
1699 {
1700  tor_assert(tok);
1701  tor_assert(tokens);
1702  tor_assert(ip);
1703  tor_assert(desc);
1704 
1705  if (!crypto_pk_public_exponent_ok(tok->key)) {
1706  log_warn(LD_REND, "Introduction point legacy key is invalid");
1707  goto err;
1708  }
1709  ip->legacy.key = crypto_pk_dup_key(tok->key);
1710  /* Extract the legacy cross certification cert which MUST be present if we
1711  * have a legacy key. */
1712  tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY_CERT);
1713  if (!tok) {
1714  log_warn(LD_REND, "Introduction point legacy key cert is missing");
1715  goto err;
1716  }
1717  tor_assert(tok->object_body);
1718  if (strcmp(tok->object_type, "CROSSCERT")) {
1719  /* Info level because this might be an unknown field that we should
1720  * ignore. */
1721  log_info(LD_REND, "Introduction point legacy encryption key "
1722  "cross-certification has an unknown format.");
1723  goto err;
1724  }
1725  /* Keep a copy of the certificate. */
1726  ip->legacy.cert.encoded = tor_memdup(tok->object_body, tok->object_size);
1727  ip->legacy.cert.len = tok->object_size;
1728  /* The check on the expiration date is for the entire lifetime of a
1729  * certificate which is 24 hours. However, a descriptor has a maximum
1730  * lifetime of 12 hours meaning we have a 12h difference between the two
1731  * which ultimately accommodate the clock skewed client. */
1732  if (rsa_ed25519_crosscert_check(ip->legacy.cert.encoded,
1733  ip->legacy.cert.len, ip->legacy.key,
1734  &desc->plaintext_data.signing_pubkey,
1735  approx_time() - HS_DESC_CERT_LIFETIME)) {
1736  log_warn(LD_REND, "Unable to check cross-certification on the "
1737  "introduction point legacy encryption key.");
1738  ip->cross_certified = 0;
1739  goto err;
1740  }
1741 
1742  /* Success. */
1743  return 0;
1744  err:
1745  return -1;
1746 }
1747 
1748 /* Dig into the descriptor <b>tokens</b> to find the onion key we should use
1749  * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
1750  * was found and well-formed, otherwise return -1 in case of errors. */
1751 static int
1752 set_intro_point_onion_key(curve25519_public_key_t *onion_key_out,
1753  const smartlist_t *tokens)
1754 {
1755  int retval = -1;
1756  smartlist_t *onion_keys = NULL;
1757 
1758  tor_assert(onion_key_out);
1759 
1760  onion_keys = find_all_by_keyword(tokens, R3_INTRO_ONION_KEY);
1761  if (!onion_keys) {
1762  log_warn(LD_REND, "Descriptor did not contain intro onion keys");
1763  goto err;
1764  }
1765 
1766  SMARTLIST_FOREACH_BEGIN(onion_keys, directory_token_t *, tok) {
1767  /* This field is using GE(2) so for possible forward compatibility, we
1768  * accept more fields but must be at least 2. */
1769  tor_assert(tok->n_args >= 2);
1770 
1771  /* Try to find an ntor key, it's the only recognized type right now */
1772  if (!strcmp(tok->args[0], "ntor")) {
1773  if (curve25519_public_from_base64(onion_key_out, tok->args[1]) < 0) {
1774  log_warn(LD_REND, "Introduction point ntor onion-key is invalid");
1775  goto err;
1776  }
1777  /* Got the onion key! Set the appropriate retval */
1778  retval = 0;
1779  }
1780  } SMARTLIST_FOREACH_END(tok);
1781 
1782  /* Log an error if we didn't find it :( */
1783  if (retval < 0) {
1784  log_warn(LD_REND, "Descriptor did not contain ntor onion keys");
1785  }
1786 
1787  err:
1788  smartlist_free(onion_keys);
1789  return retval;
1790 }
1791 
1792 /* Given the start of a section and the end of it, decode a single
1793  * introduction point from that section. Return a newly allocated introduction
1794  * point object containing the decoded data. Return NULL if the section can't
1795  * be decoded. */
1796 STATIC hs_desc_intro_point_t *
1797 decode_introduction_point(const hs_descriptor_t *desc, const char *start)
1798 {
1799  hs_desc_intro_point_t *ip = NULL;
1800  memarea_t *area = NULL;
1801  smartlist_t *tokens = NULL;
1802  const directory_token_t *tok;
1803 
1804  tor_assert(desc);
1805  tor_assert(start);
1806 
1807  area = memarea_new();
1808  tokens = smartlist_new();
1809  if (tokenize_string(area, start, start + strlen(start),
1810  tokens, hs_desc_intro_point_v3_token_table, 0) < 0) {
1811  log_warn(LD_REND, "Introduction point is not parseable");
1812  goto err;
1813  }
1814 
1815  /* Ok we seem to have a well formed section containing enough tokens to
1816  * parse. Allocate our IP object and try to populate it. */
1817  ip = hs_desc_intro_point_new();
1818 
1819  /* "introduction-point" SP link-specifiers NL */
1820  tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
1821  tor_assert(tok->n_args == 1);
1822  /* Our constructor creates this list by default so free it. */
1823  smartlist_free(ip->link_specifiers);
1824  ip->link_specifiers = decode_link_specifiers(tok->args[0]);
1825  if (!ip->link_specifiers) {
1826  log_warn(LD_REND, "Introduction point has invalid link specifiers");
1827  goto err;
1828  }
1829 
1830  /* "onion-key" SP ntor SP key NL */
1831  if (set_intro_point_onion_key(&ip->onion_key, tokens) < 0) {
1832  goto err;
1833  }
1834 
1835  /* "auth-key" NL certificate NL */
1836  tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
1837  tor_assert(tok->object_body);
1838  if (strcmp(tok->object_type, "ED25519 CERT")) {
1839  log_warn(LD_REND, "Unexpected object type for introduction auth key");
1840  goto err;
1841  }
1842  /* Parse cert and do some validation. */
1843  if (cert_parse_and_validate(&ip->auth_key_cert, tok->object_body,
1844  tok->object_size, CERT_TYPE_AUTH_HS_IP_KEY,
1845  "introduction point auth-key") < 0) {
1846  goto err;
1847  }
1848  /* Validate authentication certificate with descriptor signing key. */
1849  if (tor_cert_checksig(ip->auth_key_cert,
1850  &desc->plaintext_data.signing_pubkey, 0) < 0) {
1851  log_warn(LD_REND, "Invalid authentication key signature: %s",
1852  tor_cert_describe_signature_status(ip->auth_key_cert));
1853  goto err;
1854  }
1855 
1856  /* Exactly one "enc-key" SP "ntor" SP key NL */
1857  tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
1858  if (!strcmp(tok->args[0], "ntor")) {
1859  /* This field is using GE(2) so for possible forward compatibility, we
1860  * accept more fields but must be at least 2. */
1861  tor_assert(tok->n_args >= 2);
1862 
1863  if (curve25519_public_from_base64(&ip->enc_key, tok->args[1]) < 0) {
1864  log_warn(LD_REND, "Introduction point ntor enc-key is invalid");
1865  goto err;
1866  }
1867  } else {
1868  /* Unknown key type so we can't use that introduction point. */
1869  log_warn(LD_REND, "Introduction point encryption key is unrecognized.");
1870  goto err;
1871  }
1872 
1873  /* Exactly once "enc-key-cert" NL certificate NL */
1874  tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
1875  tor_assert(tok->object_body);
1876  /* Do the cross certification. */
1877  if (strcmp(tok->object_type, "ED25519 CERT")) {
1878  log_warn(LD_REND, "Introduction point ntor encryption key "
1879  "cross-certification has an unknown format.");
1880  goto err;
1881  }
1882  if (cert_parse_and_validate(&ip->enc_key_cert, tok->object_body,
1883  tok->object_size, CERT_TYPE_CROSS_HS_IP_KEYS,
1884  "introduction point enc-key-cert") < 0) {
1885  goto err;
1886  }
1887  if (tor_cert_checksig(ip->enc_key_cert,
1888  &desc->plaintext_data.signing_pubkey, 0) < 0) {
1889  log_warn(LD_REND, "Invalid encryption key signature: %s",
1890  tor_cert_describe_signature_status(ip->enc_key_cert));
1891  goto err;
1892  }
1893  /* It is successfully cross certified. Flag the object. */
1894  ip->cross_certified = 1;
1895 
1896  /* Do we have a "legacy-key" SP key NL ?*/
1897  tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY);
1898  if (tok) {
1899  if (decode_intro_legacy_key(tok, tokens, ip, desc) < 0) {
1900  goto err;
1901  }
1902  }
1903 
1904  /* Introduction point has been parsed successfully. */
1905  goto done;
1906 
1907  err:
1908  hs_desc_intro_point_free(ip);
1909  ip = NULL;
1910 
1911  done:
1913  smartlist_free(tokens);
1914  if (area) {
1915  memarea_drop_all(area);
1916  }
1917 
1918  return ip;
1919 }
1920 
1921 /* Given a descriptor string at <b>data</b>, decode all possible introduction
1922  * points that we can find. Add the introduction point object to desc_enc as we
1923  * find them. This function can't fail and it is possible that zero
1924  * introduction points can be decoded. */
1925 static void
1926 decode_intro_points(const hs_descriptor_t *desc,
1927  hs_desc_encrypted_data_t *desc_enc,
1928  const char *data)
1929 {
1930  smartlist_t *chunked_desc = smartlist_new();
1931  smartlist_t *intro_points = smartlist_new();
1932 
1933  tor_assert(desc);
1934  tor_assert(desc_enc);
1935  tor_assert(data);
1936  tor_assert(desc_enc->intro_points);
1937 
1938  /* Take the desc string, and extract the intro point substrings out of it */
1939  {
1940  /* Split the descriptor string using the intro point header as delimiter */
1941  smartlist_split_string(chunked_desc, data, str_intro_point_start, 0, 0);
1942 
1943  /* Check if there are actually any intro points included. The first chunk
1944  * should be other descriptor fields (e.g. create2-formats), so it's not an
1945  * intro point. */
1946  if (smartlist_len(chunked_desc) < 2) {
1947  goto done;
1948  }
1949  }
1950 
1951  /* Take the intro point substrings, and prepare them for parsing */
1952  {
1953  int i = 0;
1954  /* Prepend the introduction-point header to all the chunks, since
1955  smartlist_split_string() devoured it. */
1956  SMARTLIST_FOREACH_BEGIN(chunked_desc, char *, chunk) {
1957  /* Ignore first chunk. It's other descriptor fields. */
1958  if (i++ == 0) {
1959  continue;
1960  }
1961 
1962  smartlist_add_asprintf(intro_points, "%s %s", str_intro_point, chunk);
1963  } SMARTLIST_FOREACH_END(chunk);
1964  }
1965 
1966  /* Parse the intro points! */
1967  SMARTLIST_FOREACH_BEGIN(intro_points, const char *, intro_point) {
1968  hs_desc_intro_point_t *ip = decode_introduction_point(desc, intro_point);
1969  if (!ip) {
1970  /* Malformed introduction point section. We'll ignore this introduction
1971  * point and continue parsing. New or unknown fields are possible for
1972  * forward compatibility. */
1973  continue;
1974  }
1975  smartlist_add(desc_enc->intro_points, ip);
1976  } SMARTLIST_FOREACH_END(intro_point);
1977 
1978  done:
1979  SMARTLIST_FOREACH(chunked_desc, char *, a, tor_free(a));
1980  smartlist_free(chunked_desc);
1981  SMARTLIST_FOREACH(intro_points, char *, a, tor_free(a));
1982  smartlist_free(intro_points);
1983 }
1984 /* Return 1 iff the given base64 encoded signature in b64_sig from the encoded
1985  * descriptor in encoded_desc validates the descriptor content. */
1986 STATIC int
1987 desc_sig_is_valid(const char *b64_sig,
1988  const ed25519_public_key_t *signing_pubkey,
1989  const char *encoded_desc, size_t encoded_len)
1990 {
1991  int ret = 0;
1992  ed25519_signature_t sig;
1993  const char *sig_start;
1994 
1995  tor_assert(b64_sig);
1996  tor_assert(signing_pubkey);
1997  tor_assert(encoded_desc);
1998  /* Verifying nothing won't end well :). */
1999  tor_assert(encoded_len > 0);
2000 
2001  /* Signature length check. */
2002  if (strlen(b64_sig) != ED25519_SIG_BASE64_LEN) {
2003  log_warn(LD_REND, "Service descriptor has an invalid signature length."
2004  "Exptected %d but got %lu",
2005  ED25519_SIG_BASE64_LEN, (unsigned long) strlen(b64_sig));
2006  goto err;
2007  }
2008 
2009  /* First, convert base64 blob to an ed25519 signature. */
2010  if (ed25519_signature_from_base64(&sig, b64_sig) != 0) {
2011  log_warn(LD_REND, "Service descriptor does not contain a valid "
2012  "signature");
2013  goto err;
2014  }
2015 
2016  /* Find the start of signature. */
2017  sig_start = tor_memstr(encoded_desc, encoded_len, "\n" str_signature " ");
2018  /* Getting here means the token parsing worked for the signature so if we
2019  * can't find the start of the signature, we have a code flow issue. */
2020  if (!sig_start) {
2021  log_warn(LD_GENERAL, "Malformed signature line. Rejecting.");
2022  goto err;
2023  }
2024  /* Skip newline, it has to go in the signature check. */
2025  sig_start++;
2026 
2027  /* Validate signature with the full body of the descriptor. */
2028  if (ed25519_checksig_prefixed(&sig,
2029  (const uint8_t *) encoded_desc,
2030  sig_start - encoded_desc,
2031  str_desc_sig_prefix,
2032  signing_pubkey) != 0) {
2033  log_warn(LD_REND, "Invalid signature on service descriptor");
2034  goto err;
2035  }
2036  /* Valid signature! All is good. */
2037  ret = 1;
2038 
2039  err:
2040  return ret;
2041 }
2042 
2043 /* Decode descriptor plaintext data for version 3. Given a list of tokens, an
2044  * allocated plaintext object that will be populated and the encoded
2045  * descriptor with its length. The last one is needed for signature
2046  * verification. Unknown tokens are simply ignored so this won't error on
2047  * unknowns but requires that all v3 token be present and valid.
2048  *
2049  * Return 0 on success else a negative value. */
2050 static int
2051 desc_decode_plaintext_v3(smartlist_t *tokens,
2053  const char *encoded_desc, size_t encoded_len)
2054 {
2055  int ok;
2056  directory_token_t *tok;
2057 
2058  tor_assert(tokens);
2059  tor_assert(desc);
2060  /* Version higher could still use this function to decode most of the
2061  * descriptor and then they decode the extra part. */
2062  tor_assert(desc->version >= 3);
2063 
2064  /* Descriptor lifetime parsing. */
2065  tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
2066  tor_assert(tok->n_args == 1);
2067  desc->lifetime_sec = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2068  UINT32_MAX, &ok, NULL);
2069  if (!ok) {
2070  log_warn(LD_REND, "Service descriptor lifetime value is invalid");
2071  goto err;
2072  }
2073  /* Put it from minute to second. */
2074  desc->lifetime_sec *= 60;
2075  if (desc->lifetime_sec > HS_DESC_MAX_LIFETIME) {
2076  log_warn(LD_REND, "Service descriptor lifetime is too big. "
2077  "Got %" PRIu32 " but max is %d",
2078  desc->lifetime_sec, HS_DESC_MAX_LIFETIME);
2079  goto err;
2080  }
2081 
2082  /* Descriptor signing certificate. */
2083  tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
2084  tor_assert(tok->object_body);
2085  /* Expecting a prop220 cert with the signing key extension, which contains
2086  * the blinded public key. */
2087  if (strcmp(tok->object_type, "ED25519 CERT") != 0) {
2088  log_warn(LD_REND, "Service descriptor signing cert wrong type (%s)",
2089  escaped(tok->object_type));
2090  goto err;
2091  }
2092  if (cert_parse_and_validate(&desc->signing_key_cert, tok->object_body,
2093  tok->object_size, CERT_TYPE_SIGNING_HS_DESC,
2094  "service descriptor signing key") < 0) {
2095  goto err;
2096  }
2097 
2098  /* Copy the public keys into signing_pubkey and blinded_pubkey */
2099  memcpy(&desc->signing_pubkey, &desc->signing_key_cert->signed_key,
2100  sizeof(ed25519_public_key_t));
2101  memcpy(&desc->blinded_pubkey, &desc->signing_key_cert->signing_key,
2102  sizeof(ed25519_public_key_t));
2103 
2104  /* Extract revision counter value. */
2105  tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
2106  tor_assert(tok->n_args == 1);
2107  desc->revision_counter = tor_parse_uint64(tok->args[0], 10, 0,
2108  UINT64_MAX, &ok, NULL);
2109  if (!ok) {
2110  log_warn(LD_REND, "Service descriptor revision-counter is invalid");
2111  goto err;
2112  }
2113 
2114  /* Extract the superencrypted data section. */
2115  tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
2116  tor_assert(tok->object_body);
2117  if (strcmp(tok->object_type, "MESSAGE") != 0) {
2118  log_warn(LD_REND, "Desc superencrypted data section is invalid");
2119  goto err;
2120  }
2121  /* Make sure the length of the superencrypted blob is valid. */
2122  if (!encrypted_data_length_is_valid(tok->object_size)) {
2123  goto err;
2124  }
2125 
2126  /* Copy the superencrypted blob to the descriptor object so we can handle it
2127  * latter if needed. */
2128  desc->superencrypted_blob = tor_memdup(tok->object_body, tok->object_size);
2129  desc->superencrypted_blob_size = tok->object_size;
2130 
2131  /* Extract signature and verify it. */
2132  tok = find_by_keyword(tokens, R3_SIGNATURE);
2133  tor_assert(tok->n_args == 1);
2134  /* First arg here is the actual encoded signature. */
2135  if (!desc_sig_is_valid(tok->args[0], &desc->signing_pubkey,
2136  encoded_desc, encoded_len)) {
2137  goto err;
2138  }
2139 
2140  return 0;
2141 
2142  err:
2143  return -1;
2144 }
2145 
2146 /* Decode the version 3 superencrypted section of the given descriptor desc.
2147  * The desc_superencrypted_out will be populated with the decoded data.
2148  * Return 0 on success else -1. */
2149 static int
2150 desc_decode_superencrypted_v3(const hs_descriptor_t *desc,
2152  desc_superencrypted_out)
2153 {
2154  int ret = -1;
2155  char *message = NULL;
2156  size_t message_len;
2157  memarea_t *area = NULL;
2158  directory_token_t *tok;
2159  smartlist_t *tokens = NULL;
2160  /* Rename the parameter because it is too long. */
2161  hs_desc_superencrypted_data_t *superencrypted = desc_superencrypted_out;
2162 
2163  tor_assert(desc);
2164  tor_assert(desc_superencrypted_out);
2165 
2166  /* Decrypt the superencrypted data that is located in the plaintext section
2167  * in the descriptor as a blob of bytes. */
2168  message_len = desc_decrypt_superencrypted(desc, &message);
2169  if (!message_len) {
2170  log_warn(LD_REND, "Service descriptor decryption failed.");
2171  goto err;
2172  }
2173  tor_assert(message);
2174 
2175  area = memarea_new();
2176  tokens = smartlist_new();
2177  if (tokenize_string(area, message, message + message_len,
2178  tokens, hs_desc_superencrypted_v3_token_table, 0) < 0) {
2179  log_warn(LD_REND, "Superencrypted service descriptor is not parseable.");
2180  goto err;
2181  }
2182 
2183  /* Verify desc auth type */
2184  tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
2185  tor_assert(tok->n_args >= 1);
2186  if (strcmp(tok->args[0], "x25519")) {
2187  log_warn(LD_DIR, "Unrecognized desc auth type");
2188  goto err;
2189  }
2190 
2191  /* Extract desc auth ephemeral key */
2192  tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
2193  tor_assert(tok->n_args >= 1);
2194  if (curve25519_public_from_base64(&superencrypted->auth_ephemeral_pubkey,
2195  tok->args[0]) < 0) {
2196  log_warn(LD_DIR, "Bogus desc auth ephemeral key in HS desc");
2197  goto err;
2198  }
2199 
2200  /* Extract desc auth client items */
2201  if (!superencrypted->clients) {
2202  superencrypted->clients = smartlist_new();
2203  }
2204  SMARTLIST_FOREACH_BEGIN(tokens, const directory_token_t *, token) {
2205  if (token->tp == R3_DESC_AUTH_CLIENT) {
2206  tor_assert(token->n_args >= 3);
2207 
2208  hs_desc_authorized_client_t *client =
2209  tor_malloc_zero(sizeof(hs_desc_authorized_client_t));
2210 
2211  if (decode_auth_client(token, client) < 0) {
2212  log_warn(LD_REND, "Descriptor client authorization section can't "
2213  "be decoded.");
2214  tor_free(client);
2215  goto err;
2216  }
2217  smartlist_add(superencrypted->clients, client);
2218  }
2219  } SMARTLIST_FOREACH_END(token);
2220 
2221  /* Extract the encrypted data section. */
2222  tok = find_by_keyword(tokens, R3_ENCRYPTED);
2223  tor_assert(tok->object_body);
2224  if (strcmp(tok->object_type, "MESSAGE") != 0) {
2225  log_warn(LD_REND, "Desc encrypted data section is invalid");
2226  goto err;
2227  }
2228  /* Make sure the length of the encrypted blob is valid. */
2229  if (!encrypted_data_length_is_valid(tok->object_size)) {
2230  goto err;
2231  }
2232 
2233  /* Copy the encrypted blob to the descriptor object so we can handle it
2234  * latter if needed. */
2235  tor_assert(tok->object_size <= INT_MAX);
2236  superencrypted->encrypted_blob = tor_memdup(tok->object_body,
2237  tok->object_size);
2238  superencrypted->encrypted_blob_size = tok->object_size;
2239 
2240  ret = 0;
2241  goto done;
2242 
2243  err:
2244  tor_assert(ret < 0);
2245  hs_desc_superencrypted_data_free_contents(desc_superencrypted_out);
2246 
2247  done:
2248  if (tokens) {
2250  smartlist_free(tokens);
2251  }
2252  if (area) {
2253  memarea_drop_all(area);
2254  }
2255  if (message) {
2256  tor_free(message);
2257  }
2258  return ret;
2259 }
2260 
2261 /* Decode the version 3 encrypted section of the given descriptor desc. The
2262  * desc_encrypted_out will be populated with the decoded data. Return 0 on
2263  * success else -1. */
2264 static int
2265 desc_decode_encrypted_v3(const hs_descriptor_t *desc,
2266  const curve25519_secret_key_t *client_auth_sk,
2267  hs_desc_encrypted_data_t *desc_encrypted_out)
2268 {
2269  int ret = -1;
2270  char *message = NULL;
2271  size_t message_len;
2272  memarea_t *area = NULL;
2273  directory_token_t *tok;
2274  smartlist_t *tokens = NULL;
2275 
2276  tor_assert(desc);
2277  tor_assert(desc_encrypted_out);
2278 
2279  /* Decrypt the encrypted data that is located in the superencrypted section
2280  * in the descriptor as a blob of bytes. */
2281  message_len = desc_decrypt_encrypted(desc, client_auth_sk, &message);
2282  if (!message_len) {
2283  /* Two possible situation here. Either we have a client authorization
2284  * configured that didn't work or we do not have any configured for this
2285  * onion address so likely the descriptor is for authorized client only,
2286  * we are not. */
2287  if (client_auth_sk) {
2288  /* At warning level so the client can notice that its client
2289  * authorization is failing. */
2290  log_warn(LD_REND, "Client authorization for requested onion address "
2291  "is invalid. Can't decrypt the descriptor.");
2292  } else {
2293  /* Inform at notice level that the onion address requested can't be
2294  * reached without client authorization most likely. */
2295  log_notice(LD_REND, "Fail to decrypt descriptor for requested onion "
2296  "address. It is likely requiring client "
2297  "authorization.");
2298  }
2299  goto err;
2300  }
2301  tor_assert(message);
2302 
2303  area = memarea_new();
2304  tokens = smartlist_new();
2305  if (tokenize_string(area, message, message + message_len,
2306  tokens, hs_desc_encrypted_v3_token_table, 0) < 0) {
2307  log_warn(LD_REND, "Encrypted service descriptor is not parseable.");
2308  goto err;
2309  }
2310 
2311  /* CREATE2 supported cell format. It's mandatory. */
2312  tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
2313  tor_assert(tok);
2314  decode_create2_list(desc_encrypted_out, tok->args[0]);
2315  /* Must support ntor according to the specification */
2316  if (!desc_encrypted_out->create2_ntor) {
2317  log_warn(LD_REND, "Service create2-formats does not include ntor.");
2318  goto err;
2319  }
2320 
2321  /* Authentication type. It's optional but only once. */
2322  tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
2323  if (tok) {
2324  if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
2325  log_warn(LD_REND, "Service descriptor authentication type has "
2326  "invalid entry(ies).");
2327  goto err;
2328  }
2329  }
2330 
2331  /* Is this service a single onion service? */
2332  tok = find_opt_by_keyword(tokens, R3_SINGLE_ONION_SERVICE);
2333  if (tok) {
2334  desc_encrypted_out->single_onion_service = 1;
2335  }
2336 
2337  /* Initialize the descriptor's introduction point list before we start
2338  * decoding. Having 0 intro point is valid. Then decode them all. */
2339  desc_encrypted_out->intro_points = smartlist_new();
2340  decode_intro_points(desc, desc_encrypted_out, message);
2341 
2342  /* Validation of maximum introduction points allowed. */
2343  if (smartlist_len(desc_encrypted_out->intro_points) >
2344  HS_CONFIG_V3_MAX_INTRO_POINTS) {
2345  log_warn(LD_REND, "Service descriptor contains too many introduction "
2346  "points. Maximum allowed is %d but we have %d",
2347  HS_CONFIG_V3_MAX_INTRO_POINTS,
2348  smartlist_len(desc_encrypted_out->intro_points));
2349  goto err;
2350  }
2351 
2352  /* NOTE: Unknown fields are allowed because this function could be used to
2353  * decode other descriptor version. */
2354 
2355  ret = 0;
2356  goto done;
2357 
2358  err:
2359  tor_assert(ret < 0);
2360  hs_desc_encrypted_data_free_contents(desc_encrypted_out);
2361 
2362  done:
2363  if (tokens) {
2365  smartlist_free(tokens);
2366  }
2367  if (area) {
2368  memarea_drop_all(area);
2369  }
2370  if (message) {
2371  tor_free(message);
2372  }
2373  return ret;
2374 }
2375 
2376 /* Table of encrypted decode function version specific. The function are
2377  * indexed by the version number so v3 callback is at index 3 in the array. */
2378 static int
2379  (*decode_encrypted_handlers[])(
2380  const hs_descriptor_t *desc,
2381  const curve25519_secret_key_t *client_auth_sk,
2382  hs_desc_encrypted_data_t *desc_encrypted) =
2383 {
2384  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2385  desc_decode_encrypted_v3,
2386 };
2387 
2388 /* Decode the encrypted data section of the given descriptor and store the
2389  * data in the given encrypted data object. Return 0 on success else a
2390  * negative value on error. */
2391 int
2392 hs_desc_decode_encrypted(const hs_descriptor_t *desc,
2393  const curve25519_secret_key_t *client_auth_sk,
2394  hs_desc_encrypted_data_t *desc_encrypted)
2395 {
2396  int ret;
2397  uint32_t version;
2398 
2399  tor_assert(desc);
2400  /* Ease our life a bit. */
2401  version = desc->plaintext_data.version;
2402  tor_assert(desc_encrypted);
2403  /* Calling this function without an encrypted blob to parse is a code flow
2404  * error. The superencrypted parsing should never succeed in the first place
2405  * without an encrypted section. */
2406  tor_assert(desc->superencrypted_data.encrypted_blob);
2407  /* Let's make sure we have a supported version as well. By correctly parsing
2408  * the plaintext, this should not fail. */
2409  if (BUG(!hs_desc_is_supported_version(version))) {
2410  ret = -1;
2411  goto err;
2412  }
2413  /* Extra precaution. Having no handler for the supported version should
2414  * never happened else we forgot to add it but we bumped the version. */
2415  tor_assert(ARRAY_LENGTH(decode_encrypted_handlers) >= version);
2416  tor_assert(decode_encrypted_handlers[version]);
2417 
2418  /* Run the version specific plaintext decoder. */
2419  ret = decode_encrypted_handlers[version](desc, client_auth_sk,
2420  desc_encrypted);
2421  if (ret < 0) {
2422  goto err;
2423  }
2424 
2425  err:
2426  return ret;
2427 }
2428 
2429 /* Table of superencrypted decode function version specific. The function are
2430  * indexed by the version number so v3 callback is at index 3 in the array. */
2431 static int
2432  (*decode_superencrypted_handlers[])(
2433  const hs_descriptor_t *desc,
2434  hs_desc_superencrypted_data_t *desc_superencrypted) =
2435 {
2436  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2437  desc_decode_superencrypted_v3,
2438 };
2439 
2440 /* Decode the superencrypted data section of the given descriptor and store the
2441  * data in the given superencrypted data object. Return 0 on success else a
2442  * negative value on error. */
2443 int
2444 hs_desc_decode_superencrypted(const hs_descriptor_t *desc,
2446  desc_superencrypted)
2447 {
2448  int ret;
2449  uint32_t version;
2450 
2451  tor_assert(desc);
2452  /* Ease our life a bit. */
2453  version = desc->plaintext_data.version;
2454  tor_assert(desc_superencrypted);
2455  /* Calling this function without an superencrypted blob to parse is
2456  * a code flow error. The plaintext parsing should never succeed in
2457  * the first place without an superencrypted section. */
2458  tor_assert(desc->plaintext_data.superencrypted_blob);
2459  /* Let's make sure we have a supported version as well. By correctly parsing
2460  * the plaintext, this should not fail. */
2461  if (BUG(!hs_desc_is_supported_version(version))) {
2462  ret = -1;
2463  goto err;
2464  }
2465  /* Extra precaution. Having no handler for the supported version should
2466  * never happened else we forgot to add it but we bumped the version. */
2467  tor_assert(ARRAY_LENGTH(decode_superencrypted_handlers) >= version);
2468  tor_assert(decode_superencrypted_handlers[version]);
2469 
2470  /* Run the version specific plaintext decoder. */
2471  ret = decode_superencrypted_handlers[version](desc, desc_superencrypted);
2472  if (ret < 0) {
2473  goto err;
2474  }
2475 
2476  err:
2477  return ret;
2478 }
2479 
2480 /* Table of plaintext decode function version specific. The function are
2481  * indexed by the version number so v3 callback is at index 3 in the array. */
2482 static int
2483  (*decode_plaintext_handlers[])(
2484  smartlist_t *tokens,
2486  const char *encoded_desc,
2487  size_t encoded_len) =
2488 {
2489  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2490  desc_decode_plaintext_v3,
2491 };
2492 
2493 /* Fully decode the given descriptor plaintext and store the data in the
2494  * plaintext data object. Returns 0 on success else a negative value. */
2495 int
2496 hs_desc_decode_plaintext(const char *encoded,
2497  hs_desc_plaintext_data_t *plaintext)
2498 {
2499  int ok = 0, ret = -1;
2500  memarea_t *area = NULL;
2501  smartlist_t *tokens = NULL;
2502  size_t encoded_len;
2503  directory_token_t *tok;
2504 
2505  tor_assert(encoded);
2506  tor_assert(plaintext);
2507 
2508  /* Check that descriptor is within size limits. */
2509  encoded_len = strlen(encoded);
2510  if (encoded_len >= hs_cache_get_max_descriptor_size()) {
2511  log_warn(LD_REND, "Service descriptor is too big (%lu bytes)",
2512  (unsigned long) encoded_len);
2513  goto err;
2514  }
2515 
2516  area = memarea_new();
2517  tokens = smartlist_new();
2518  /* Tokenize the descriptor so we can start to parse it. */
2519  if (tokenize_string(area, encoded, encoded + encoded_len, tokens,
2520  hs_desc_v3_token_table, 0) < 0) {
2521  log_warn(LD_REND, "Service descriptor is not parseable");
2522  goto err;
2523  }
2524 
2525  /* Get the version of the descriptor which is the first mandatory field of
2526  * the descriptor. From there, we'll decode the right descriptor version. */
2527  tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
2528  tor_assert(tok->n_args == 1);
2529  plaintext->version = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2530  UINT32_MAX, &ok, NULL);
2531  if (!ok) {
2532  log_warn(LD_REND, "Service descriptor has unparseable version %s",
2533  escaped(tok->args[0]));
2534  goto err;
2535  }
2536  if (!hs_desc_is_supported_version(plaintext->version)) {
2537  log_warn(LD_REND, "Service descriptor has unsupported version %" PRIu32,
2538  plaintext->version);
2539  goto err;
2540  }
2541  /* Extra precaution. Having no handler for the supported version should
2542  * never happened else we forgot to add it but we bumped the version. */
2543  tor_assert(ARRAY_LENGTH(decode_plaintext_handlers) >= plaintext->version);
2544  tor_assert(decode_plaintext_handlers[plaintext->version]);
2545 
2546  /* Run the version specific plaintext decoder. */
2547  ret = decode_plaintext_handlers[plaintext->version](tokens, plaintext,
2548  encoded, encoded_len);
2549  if (ret < 0) {
2550  goto err;
2551  }
2552  /* Success. Descriptor has been populated with the data. */
2553  ret = 0;
2554 
2555  err:
2556  if (tokens) {
2558  smartlist_free(tokens);
2559  }
2560  if (area) {
2561  memarea_drop_all(area);
2562  }
2563  return ret;
2564 }
2565 
2566 /* Fully decode an encoded descriptor and set a newly allocated descriptor
2567  * object in desc_out. Client secret key is used to decrypt the "encrypted"
2568  * section if not NULL else it's ignored.
2569  *
2570  * Return 0 on success. A negative value is returned on error and desc_out is
2571  * set to NULL. */
2572 int
2573 hs_desc_decode_descriptor(const char *encoded,
2574  const uint8_t *subcredential,
2575  const curve25519_secret_key_t *client_auth_sk,
2576  hs_descriptor_t **desc_out)
2577 {
2578  int ret = -1;
2579  hs_descriptor_t *desc;
2580 
2581  tor_assert(encoded);
2582 
2583  desc = tor_malloc_zero(sizeof(hs_descriptor_t));
2584 
2585  /* Subcredentials are not optional. */
2586  if (BUG(!subcredential ||
2587  tor_mem_is_zero((char*)subcredential, DIGEST256_LEN))) {
2588  log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!");
2589  goto err;
2590  }
2591 
2592  memcpy(desc->subcredential, subcredential, sizeof(desc->subcredential));
2593 
2594  ret = hs_desc_decode_plaintext(encoded, &desc->plaintext_data);
2595  if (ret < 0) {
2596  goto err;
2597  }
2598 
2599  ret = hs_desc_decode_superencrypted(desc, &desc->superencrypted_data);
2600  if (ret < 0) {
2601  goto err;
2602  }
2603 
2604  ret = hs_desc_decode_encrypted(desc, client_auth_sk, &desc->encrypted_data);
2605  if (ret < 0) {
2606  goto err;
2607  }
2608 
2609  if (desc_out) {
2610  *desc_out = desc;
2611  } else {
2612  hs_descriptor_free(desc);
2613  }
2614  return ret;
2615 
2616  err:
2617  hs_descriptor_free(desc);
2618  if (desc_out) {
2619  *desc_out = NULL;
2620  }
2621 
2622  tor_assert(ret < 0);
2623  return ret;
2624 }
2625 
2626 /* Table of encode function version specific. The functions are indexed by the
2627  * version number so v3 callback is at index 3 in the array. */
2628 static int
2629  (*encode_handlers[])(
2630  const hs_descriptor_t *desc,
2631  const ed25519_keypair_t *signing_kp,
2632  const uint8_t *descriptor_cookie,
2633  char **encoded_out) =
2634 {
2635  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2636  desc_encode_v3,
2637 };
2638 
2639 /* Encode the given descriptor desc including signing with the given key pair
2640  * signing_kp and encrypting with the given descriptor cookie.
2641  *
2642  * If the client authorization is enabled, descriptor_cookie must be the same
2643  * as the one used to build hs_desc_authorized_client_t in the descriptor.
2644  * Otherwise, it must be NULL. On success, encoded_out points to a newly
2645  * allocated NUL terminated string that contains the encoded descriptor as
2646  * a string.
2647  *
2648  * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
2649  * returned and encoded_out is set to NULL. */
2650 MOCK_IMPL(int,
2651 hs_desc_encode_descriptor,(const hs_descriptor_t *desc,
2652  const ed25519_keypair_t *signing_kp,
2653  const uint8_t *descriptor_cookie,
2654  char **encoded_out))
2655 {
2656  int ret = -1;
2657  uint32_t version;
2658 
2659  tor_assert(desc);
2660  tor_assert(encoded_out);
2661 
2662  /* Make sure we support the version of the descriptor format. */
2663  version = desc->plaintext_data.version;
2664  if (!hs_desc_is_supported_version(version)) {
2665  goto err;
2666  }
2667  /* Extra precaution. Having no handler for the supported version should
2668  * never happened else we forgot to add it but we bumped the version. */
2669  tor_assert(ARRAY_LENGTH(encode_handlers) >= version);
2670  tor_assert(encode_handlers[version]);
2671 
2672  ret = encode_handlers[version](desc, signing_kp,
2673  descriptor_cookie, encoded_out);
2674  if (ret < 0) {
2675  goto err;
2676  }
2677 
2678  /* Try to decode what we just encoded. Symmetry is nice!, but it is
2679  * symmetric only if the client auth is disabled. That is, the descriptor
2680  * cookie will be NULL. */
2681  if (!descriptor_cookie) {
2682  ret = hs_desc_decode_descriptor(*encoded_out, desc->subcredential,
2683  NULL, NULL);
2684  if (BUG(ret < 0)) {
2685  goto err;
2686  }
2687  }
2688 
2689  return 0;
2690 
2691  err:
2692  *encoded_out = NULL;
2693  return ret;
2694 }
2695 
2696 /* Free the content of the plaintext section of a descriptor. */
2697 void
2698 hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)
2699 {
2700  if (!desc) {
2701  return;
2702  }
2703 
2704  if (desc->superencrypted_blob) {
2705  tor_free(desc->superencrypted_blob);
2706  }
2707  tor_cert_free(desc->signing_key_cert);
2708 
2709  memwipe(desc, 0, sizeof(*desc));
2710 }
2711 
2712 /* Free the content of the superencrypted section of a descriptor. */
2713 void
2714 hs_desc_superencrypted_data_free_contents(hs_desc_superencrypted_data_t *desc)
2715 {
2716  if (!desc) {
2717  return;
2718  }
2719 
2720  if (desc->encrypted_blob) {
2721  tor_free(desc->encrypted_blob);
2722  }
2723  if (desc->clients) {
2724  SMARTLIST_FOREACH(desc->clients, hs_desc_authorized_client_t *, client,
2725  hs_desc_authorized_client_free(client));
2726  smartlist_free(desc->clients);
2727  }
2728 
2729  memwipe(desc, 0, sizeof(*desc));
2730 }
2731 
2732 /* Free the content of the encrypted section of a descriptor. */
2733 void
2734 hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
2735 {
2736  if (!desc) {
2737  return;
2738  }
2739 
2740  if (desc->intro_auth_types) {
2741  SMARTLIST_FOREACH(desc->intro_auth_types, char *, a, tor_free(a));
2742  smartlist_free(desc->intro_auth_types);
2743  }
2744  if (desc->intro_points) {
2745  SMARTLIST_FOREACH(desc->intro_points, hs_desc_intro_point_t *, ip,
2746  hs_desc_intro_point_free(ip));
2747  smartlist_free(desc->intro_points);
2748  }
2749  memwipe(desc, 0, sizeof(*desc));
2750 }
2751 
2752 /* Free the descriptor plaintext data object. */
2753 void
2754 hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
2755 {
2756  hs_desc_plaintext_data_free_contents(desc);
2757  tor_free(desc);
2758 }
2759 
2760 /* Free the descriptor plaintext data object. */
2761 void
2762 hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc)
2763 {
2764  hs_desc_superencrypted_data_free_contents(desc);
2765  tor_free(desc);
2766 }
2767 
2768 /* Free the descriptor encrypted data object. */
2769 void
2770 hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
2771 {
2772  hs_desc_encrypted_data_free_contents(desc);
2773  tor_free(desc);
2774 }
2775 
2776 /* Free the given descriptor object. */
2777 void
2778 hs_descriptor_free_(hs_descriptor_t *desc)
2779 {
2780  if (!desc) {
2781  return;
2782  }
2783 
2784  hs_desc_plaintext_data_free_contents(&desc->plaintext_data);
2785  hs_desc_superencrypted_data_free_contents(&desc->superencrypted_data);
2786  hs_desc_encrypted_data_free_contents(&desc->encrypted_data);
2787  tor_free(desc);
2788 }
2789 
2790 /* Return the size in bytes of the given plaintext data object. A sizeof() is
2791  * not enough because the object contains pointers and the encrypted blob.
2792  * This is particularly useful for our OOM subsystem that tracks the HSDir
2793  * cache size for instance. */
2794 size_t
2795 hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
2796 {
2797  tor_assert(data);
2798  return (sizeof(*data) + sizeof(*data->signing_key_cert) +
2799  data->superencrypted_blob_size);
2800 }
2801 
2802 /* Return the size in bytes of the given encrypted data object. Used by OOM
2803  * subsystem. */
2804 static size_t
2805 hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
2806 {
2807  tor_assert(data);
2808  size_t intro_size = 0;
2809  if (data->intro_auth_types) {
2810  intro_size +=
2811  smartlist_len(data->intro_auth_types) * sizeof(intro_auth_types);
2812  }
2813  if (data->intro_points) {
2814  /* XXX could follow pointers here and get more accurate size */
2815  intro_size +=
2816  smartlist_len(data->intro_points) * sizeof(hs_desc_intro_point_t);
2817  }
2818 
2819  return sizeof(*data) + intro_size;
2820 }
2821 
2822 /* Return the size in bytes of the given descriptor object. Used by OOM
2823  * subsystem. */
2824  size_t
2825 hs_desc_obj_size(const hs_descriptor_t *data)
2826 {
2827  tor_assert(data);
2828  return (hs_desc_plaintext_obj_size(&data->plaintext_data) +
2829  hs_desc_encrypted_obj_size(&data->encrypted_data) +
2830  sizeof(data->subcredential));
2831 }
2832 
2833 /* Return a newly allocated descriptor intro point. */
2835 hs_desc_intro_point_new(void)
2836 {
2837  hs_desc_intro_point_t *ip = tor_malloc_zero(sizeof(*ip));
2838  ip->link_specifiers = smartlist_new();
2839  return ip;
2840 }
2841 
2842 /* Free a descriptor intro point object. */
2843 void
2844 hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
2845 {
2846  if (ip == NULL) {
2847  return;
2848  }
2849  if (ip->link_specifiers) {
2850  SMARTLIST_FOREACH(ip->link_specifiers, link_specifier_t *,
2851  ls, link_specifier_free(ls));
2852  smartlist_free(ip->link_specifiers);
2853  }
2854  tor_cert_free(ip->auth_key_cert);
2855  tor_cert_free(ip->enc_key_cert);
2856  crypto_pk_free(ip->legacy.key);
2857  tor_free(ip->legacy.cert.encoded);
2858  tor_free(ip);
2859 }
2860 
2861 /* Allocate and build a new fake client info for the descriptor. Return a
2862  * newly allocated object. This can't fail. */
2864 hs_desc_build_fake_authorized_client(void)
2865 {
2866  hs_desc_authorized_client_t *client_auth =
2867  tor_malloc_zero(sizeof(*client_auth));
2868 
2869  crypto_rand((char *) client_auth->client_id,
2870  sizeof(client_auth->client_id));
2871  crypto_rand((char *) client_auth->iv,
2872  sizeof(client_auth->iv));
2873  crypto_rand((char *) client_auth->encrypted_cookie,
2874  sizeof(client_auth->encrypted_cookie));
2875 
2876  return client_auth;
2877 }
2878 
2879 /* Using the service's subcredential, client public key, auth ephemeral secret
2880  * key, and descriptor cookie, build the auth client so we can then encode the
2881  * descriptor for publication. client_out must be already allocated. */
2882 void
2883 hs_desc_build_authorized_client(const uint8_t *subcredential,
2884  const curve25519_public_key_t *client_auth_pk,
2885  const curve25519_secret_key_t *
2886  auth_ephemeral_sk,
2887  const uint8_t *descriptor_cookie,
2888  hs_desc_authorized_client_t *client_out)
2889 {
2890  uint8_t *keystream = NULL;
2891  size_t keystream_length = 0;
2892  const uint8_t *cookie_key;
2893  crypto_cipher_t *cipher;
2894 
2895  tor_assert(client_auth_pk);
2896  tor_assert(auth_ephemeral_sk);
2897  tor_assert(descriptor_cookie);
2898  tor_assert(client_out);
2899  tor_assert(subcredential);
2900  tor_assert(!tor_mem_is_zero((char *) auth_ephemeral_sk,
2901  sizeof(*auth_ephemeral_sk)));
2902  tor_assert(!tor_mem_is_zero((char *) client_auth_pk,
2903  sizeof(*client_auth_pk)));
2904  tor_assert(!tor_mem_is_zero((char *) descriptor_cookie,
2905  HS_DESC_DESCRIPTOR_COOKIE_LEN));
2906  tor_assert(!tor_mem_is_zero((char *) subcredential,
2907  DIGEST256_LEN));
2908 
2909  /* Get the KEYS part so we can derive the CLIENT-ID and COOKIE-KEY. */
2910  keystream_length =
2911  build_descriptor_cookie_keys(subcredential, DIGEST256_LEN,
2912  auth_ephemeral_sk, client_auth_pk,
2913  &keystream);
2914  tor_assert(keystream_length > 0);
2915 
2916  /* Extract the CLIENT-ID and COOKIE-KEY from the KEYS. */
2917  memcpy(client_out->client_id, keystream, HS_DESC_CLIENT_ID_LEN);
2918  cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
2919 
2920  /* Random IV */
2921  crypto_strongest_rand(client_out->iv, sizeof(client_out->iv));
2922 
2923  /* This creates a cipher for AES. It can't fail. */
2924  cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client_out->iv,
2925  HS_DESC_COOKIE_KEY_BIT_SIZE);
2926  /* This can't fail. */
2927  crypto_cipher_encrypt(cipher, (char *) client_out->encrypted_cookie,
2928  (const char *) descriptor_cookie,
2929  HS_DESC_DESCRIPTOR_COOKIE_LEN);
2930 
2931  memwipe(keystream, 0, keystream_length);
2932  tor_free(keystream);
2933 
2934  crypto_cipher_free(cipher);
2935 }
2936 
2937 /* Free an authoriezd client object. */
2938 void
2939 hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client)
2940 {
2941  tor_free(client);
2942 }
2943 
2944 /* From the given descriptor, remove and free every introduction point. */
2945 void
2946 hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
2947 {
2948  smartlist_t *ips;
2949 
2950  tor_assert(desc);
2951 
2952  ips = desc->encrypted_data.intro_points;
2953  if (ips) {
2955  ip, hs_desc_intro_point_free(ip));
2956  smartlist_clear(ips);
2957  }
2958 }
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
struct crypto_pk_t * key
Definition: parsecommon.h:210
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
ed25519_public_key_t signed_key
Definition: torcert.h:25
Header file containing configuration ABI/API for the HS subsytem.
smartlist_t * find_all_by_keyword(const smartlist_t *s, directory_keyword k)
Definition: parsecommon.c:461
Common functions for using (pseudo-)random number generators.
#define END_OF_TABLE
Definition: parsecommon.h:244
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
uint64_t tor_parse_uint64(const char *s, int base, uint64_t min, uint64_t max, int *ok, char **next)
Definition: parse_int.c:107
int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now)
Definition: torcert.c:244
int tor_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:74
#define LD_GENERAL
Definition: log.h:58
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
Definition: parse_int.c:75
int curve25519_public_from_base64(curve25519_public_key_t *pkey, const char *input)
int ed25519_signature_to_base64(char *output, const ed25519_signature_t *sig)
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Definition: crypto_cipher.c:88
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
void smartlist_add(smartlist_t *sl, void *element)
uint8_t cert_type
Definition: torcert.h:38
size_t base64_encode_size(size_t srclen, int flags)
Definition: binascii.c:166
int crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest, size_t *len)
Definition: crypto_rsa.c:466
ed25519_public_key_t signing_key
Definition: torcert.h:28
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
#define tor_free(p)
Definition: malloc.h:52
#define T1_START(s, t, a, o)
Definition: parsecommon.h:252
#define T1N(s, t, a, o)
Definition: parsecommon.h:256
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:57
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
memarea_t * memarea_new(void)
Definition: memarea.c:153
unsigned signing_key_included
Definition: torcert.h:40
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
Definition: binascii.c:215
#define CIPHER_IV_LEN
Definition: crypto_cipher.h:24
#define DIGEST256_LEN
Definition: digest_sizes.h:23
#define NO_ARGS
Definition: parsecommon.h:265
Common functions for cryptographic routines.
tor_assert(buffer)
tor_cert_t * tor_cert_parse(const uint8_t *encoded, const size_t len)
Definition: torcert.c:159
Header for crypto_format.c.
int tor_memeq(const void *a, const void *b, size_t sz)
Definition: di_ops.c:107
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
static void set_uint64(void *cp, uint64_t v)
Definition: bytes.h:91
#define SIZE_T_CEILING
Definition: torint.h:126
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
Definition: smartlist.c:36
Header file for rendcache.c.
#define GE(n)
Definition: parsecommon.h:269
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
Master header file for Tor-specific functionality.
Header file for circuitbuild.c.
#define ARGS
Definition: parsecommon.h:263
Header for memarea.c.
#define EQ(n)
Definition: parsecommon.h:271
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Header file for hs_descriptor.c.
#define CONCAT_ARGS
Definition: parsecommon.h:267
static uint64_t tor_htonll(uint64_t a)
Definition: bytes.h:167
#define LD_REND
Definition: log.h:80
crypto_pk_t * crypto_pk_dup_key(crypto_pk_t *orig)
directory_token_t * find_opt_by_keyword(const smartlist_t *s, directory_keyword keyword)
Definition: parsecommon.c:450
const char * tor_cert_describe_signature_status(const tor_cert_t *cert)
Definition: torcert.c:279
int crypto_pk_public_exponent_ok(const crypto_pk_t *env)
#define CURVE25519_OUTPUT_LEN
Definition: x25519_sizes.h:24
#define T1_END(s, t, a, o)
Definition: parsecommon.h:254
#define LD_DIR
Definition: log.h:84
Header file for parsecommon.c.
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
Definition: smartlist.c:279
int base64_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:394
#define SMARTLIST_FOREACH(sl, type, var, cmd)
const char * escaped(const char *s)
Definition: escape.c:126
static char * get_all_auth_client_lines(const hs_descriptor_t *desc)
#define ARRAY_LENGTH(x)
void crypto_strongest_rand(uint8_t *out, size_t out_len)
Definition: crypto_rand.c:339
time_t approx_time(void)
Definition: approx_time.c:32
#define T1(s, t, a, o)
Definition: parsecommon.h:250
void token_clear(directory_token_t *tok)
Definition: parsecommon.c:41
Header file for hs_cache.c.
crypto_cipher_t * crypto_cipher_new_with_iv_and_bits(const uint8_t *key, const uint8_t *iv, int bits)
Definition: crypto_cipher.c:29
int ed25519_signature_from_base64(ed25519_signature_t *sig, const char *input)
MOCK_IMPL(STATIC size_t, decrypt_desc_layer,(const hs_descriptor_t *desc, const uint8_t *encrypted_blob, size_t encrypted_blob_size, const uint8_t *descriptor_cookie, int is_superencrypted_layer, char **decrypted_out))
crypto_xof_t * crypto_xof_new(void)
void smartlist_clear(smartlist_t *sl)
int tokenize_string(memarea_t *area, const char *start, const char *end, smartlist_t *out, const token_rule_t *table, int flags)
Definition: parsecommon.c:53
#define T01(s, t, a, o)
Definition: parsecommon.h:258
int curve25519_public_to_base64(char *output, const curve25519_public_key_t *pkey)
#define LD_BUG
Definition: log.h:82
#define CURVE25519_PUBKEY_LEN
Definition: x25519_sizes.h:20
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)