56 #define HS_DESCRIPTOR_PRIVATE
61 #include "trunnel/ed25519_cert.h"
76 #define str_hs_desc "hs-descriptor"
77 #define str_desc_cert "descriptor-signing-key-cert"
78 #define str_rev_counter "revision-counter"
79 #define str_superencrypted "superencrypted"
80 #define str_encrypted "encrypted"
81 #define str_signature "signature"
82 #define str_lifetime "descriptor-lifetime"
84 #define str_create2_formats "create2-formats"
85 #define str_intro_auth_required "intro-auth-required"
86 #define str_single_onion "single-onion-service"
87 #define str_intro_point "introduction-point"
88 #define str_ip_onion_key "onion-key"
89 #define str_ip_auth_key "auth-key"
90 #define str_ip_enc_key "enc-key"
91 #define str_ip_enc_key_cert "enc-key-cert"
92 #define str_ip_legacy_key "legacy-key"
93 #define str_ip_legacy_key_cert "legacy-key-cert"
94 #define str_intro_point_start "\n" str_intro_point " "
97 #define str_enc_const_superencryption "hsdir-superencrypted-data"
98 #define str_enc_const_encryption "hsdir-encrypted-data"
100 #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
101 #define str_desc_auth_type "desc-auth-type"
102 #define str_desc_auth_key "desc-auth-ephemeral-key"
103 #define str_desc_auth_client "auth-client"
104 #define str_encrypted "encrypted"
107 static const struct {
109 const char *identifier;
111 { HS_DESC_AUTH_ED25519,
"ed25519" },
119 T1(str_lifetime, R3_DESC_LIFETIME,
EQ(1),
NO_OBJ),
121 T1(str_rev_counter, R3_REVISION_COUNTER,
EQ(1),
NO_OBJ),
130 T1(str_desc_auth_key, R3_DESC_AUTH_KEY,
GE(1),
NO_OBJ),
131 T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT,
GE(3),
NO_OBJ),
139 T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED,
ARGS,
NO_OBJ),
140 T01(str_single_onion, R3_SINGLE_ONION_SERVICE,
ARGS,
NO_OBJ),
147 T1N(str_ip_onion_key, R3_INTRO_ONION_KEY,
GE(2),
OBJ_OK),
149 T1(str_ip_enc_key, R3_INTRO_ENC_KEY,
GE(2),
OBJ_OK),
150 T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT,
ARGS,
OBJ_OK),
152 T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT,
ARGS,
OBJ_OK),
161 const uint8_t *salt,
size_t salt_len,
162 const uint8_t *encrypted,
size_t encrypted_len,
163 uint8_t *mac_out,
size_t mac_len)
167 const uint64_t mac_len_netorder =
tor_htonll(mac_key_len);
168 const uint64_t salt_len_netorder =
tor_htonll(salt_len);
197 const uint8_t *secret_data,
198 size_t secret_data_len,
199 uint8_t **secret_input_out)
202 size_t secret_input_len = secret_data_len +
DIGEST256_LEN +
sizeof(uint64_t);
203 uint8_t *secret_input = NULL;
209 secret_input = tor_malloc_zero(secret_input_len);
212 memcpy(secret_input, secret_data, secret_data_len);
213 offset += secret_data_len;
220 offset +=
sizeof(uint64_t);
223 *secret_input_out = secret_input;
225 return secret_input_len;
232 const uint8_t *secret_data,
233 size_t secret_data_len,
234 const uint8_t *salt,
size_t salt_len,
235 uint8_t *key_out,
size_t key_out_len,
236 int is_superencrypted_layer)
238 uint8_t *secret_input = NULL;
239 size_t secret_input_len;
249 secret_data_len, &secret_input);
257 if (is_superencrypted_layer) {
259 strlen(str_enc_const_superencryption));
262 strlen(str_enc_const_encryption));
268 memwipe(secret_input, 0, secret_input_len);
278 const uint8_t *secret_data,
279 size_t secret_data_len,
280 const uint8_t *salt,
size_t salt_len,
281 uint8_t *key_out,
size_t key_len,
282 uint8_t *iv_out,
size_t iv_len,
283 uint8_t *mac_out,
size_t mac_len,
284 int is_superencrypted_layer)
297 salt, salt_len, kdf_key,
sizeof(kdf_key),
298 is_superencrypted_layer);
300 memcpy(key_out, kdf_key, key_len);
302 memcpy(iv_out, kdf_key + offset, iv_len);
304 memcpy(mac_out, kdf_key + offset, mac_len);
306 tor_assert((offset + mac_len) ==
sizeof(kdf_key));
307 memwipe(kdf_key, 0,
sizeof(kdf_key));
318 char *encoded_b64 = NULL;
319 link_specifier_list_t *lslist = link_specifier_list_new();
324 tor_assert(smartlist_len(specs) <= UINT8_MAX);
326 link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
332 link_specifier_list_add_spec(lslist, ls);
333 } SMARTLIST_FOREACH_END(spec);
337 ssize_t encoded_len, encoded_b64_len, ret;
339 encoded_len = link_specifier_list_encoded_len(lslist);
341 encoded = tor_malloc_zero(encoded_len);
342 ret = link_specifier_list_encode(encoded, encoded_len, lslist);
348 encoded_b64 = tor_malloc_zero(encoded_b64_len);
349 ret =
base64_encode(encoded_b64, encoded_b64_len, (
const char *) encoded,
355 link_specifier_list_free(lslist);
364 char *key_str, b64_cert[256], *encoded = NULL;
372 ip->
legacy.
cert.len, BASE64_ENCODE_MULTILINE) < 0) {
373 log_warn(
LD_REND,
"Unable to encode legacy crosscert.");
379 log_warn(
LD_REND,
"Unable to encode legacy encryption key.");
385 "-----BEGIN CROSSCERT-----\n"
387 "-----END CROSSCERT-----",
388 str_ip_legacy_key, key_str,
389 str_ip_legacy_key_cert, b64_cert);
401 char *encoded = NULL, *encoded_cert;
408 if (tor_cert_encode_ed22519(ip->
enc_key_cert, &encoded_cert) < 0) {
414 str_ip_enc_key, key_b64,
415 str_ip_enc_key_cert, encoded_cert);
427 char *encoded = NULL;
434 tor_asprintf(&encoded,
"%s ntor %s", str_ip_onion_key, key_b64);
445 char *encoded_ip = NULL;
461 if (encoded_onion_key == NULL) {
471 if (tor_cert_encode_ed22519(ip->
auth_key_cert, &encoded_cert) < 0) {
481 if (encoded_enc_key == NULL) {
493 if (encoded_legacy_key == NULL) {
505 smartlist_free(lines);
514 size_t plaintext_padded_len;
522 plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
523 padding_block_length;
525 tor_assert(!(plaintext_padded_len % padding_block_length));
526 return plaintext_padded_len;
534 uint8_t **padded_out)
545 padded = tor_malloc_zero(padded_len);
547 memcpy(padded, plaintext, plaintext_len);
548 *padded_out = padded;
557 size_t plaintext_len, uint8_t **encrypted_out,
558 int is_superencrypted_layer)
560 size_t encrypted_len;
561 uint8_t *padded_plaintext, *encrypted;
562 crypto_cipher_t *cipher;
571 if (is_superencrypted_layer) {
577 padded_plaintext = tor_memdup(plaintext, plaintext_len);
578 encrypted_len = plaintext_len;
583 HS_DESC_ENCRYPTED_BIT_SIZE);
586 encrypted = tor_malloc_zero(encrypted_len);
589 (
const char *) padded_plaintext, encrypted_len);
590 *encrypted_out = encrypted;
592 crypto_cipher_free(cipher);
594 return encrypted_len;
603 const uint8_t *secret_data,
604 size_t secret_data_len,
605 const char *plaintext,
606 char **encrypted_out,
int is_superencrypted_layer)
609 size_t encrypted_len, final_blob_len, offset = 0;
627 secret_key,
sizeof(secret_key),
628 secret_iv,
sizeof(secret_iv),
629 mac_key,
sizeof(mac_key),
630 is_superencrypted_layer);
634 strlen(plaintext), &encrypted,
635 is_superencrypted_layer);
636 memwipe(secret_key, 0,
sizeof(secret_key));
637 memwipe(secret_iv, 0,
sizeof(secret_iv));
639 final_blob_len =
sizeof(salt) + encrypted_len +
DIGEST256_LEN;
640 final_blob = tor_malloc_zero(final_blob_len);
643 build_mac(mac_key,
sizeof(mac_key), salt,
sizeof(salt),
644 encrypted, encrypted_len, mac,
sizeof(mac));
645 memwipe(mac_key, 0,
sizeof(mac_key));
648 memcpy(final_blob, salt,
sizeof(salt));
649 offset =
sizeof(salt);
651 memcpy(final_blob + offset, encrypted, encrypted_len);
652 offset += encrypted_len;
654 memcpy(final_blob + offset, mac,
sizeof(mac));
655 offset +=
sizeof(mac);
657 memwipe(salt, 0,
sizeof(salt));
658 memwipe(encrypted, 0, encrypted_len);
663 *encrypted_out = final_blob;
664 return final_blob_len;
674 char *auth_client_str = NULL;
679 char encrypted_cookie_b64[HS_DESC_ENCRYPED_COOKIE_LEN * 2];
681 #define ASSERT_AND_BASE64(field) STMT_BEGIN \
682 tor_assert(!fast_mem_is_zero((char *) client->field, \
683 sizeof(client->field))); \
684 ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
685 client->field, sizeof(client->field)); \
686 tor_assert(ret > 0); \
689 ASSERT_AND_BASE64(client_id);
690 ASSERT_AND_BASE64(iv);
691 ASSERT_AND_BASE64(encrypted_cookie);
694 tor_asprintf(&auth_client_str,
"%s %s %s %s", str_desc_auth_client,
695 client_id_b64, iv_b64, encrypted_cookie_b64);
697 #undef ASSERT_AND_BASE64
699 return auth_client_str;
709 char *auth_client_lines_str = NULL;
720 char *auth_client_str = NULL;
725 } SMARTLIST_FOREACH_END(client);
732 smartlist_free(auth_client_lines);
734 return auth_client_lines_str;
744 char *encoded_str = NULL;
750 log_err(
LD_BUG,
"HS desc doesn't have recognized handshake type.");
754 ONION_HANDSHAKE_TYPE_NTOR);
775 if (encoded_ip == NULL) {
776 log_err(
LD_BUG,
"HS desc intro point is malformed.");
780 } SMARTLIST_FOREACH_END(ip);
788 smartlist_free(lines);
800 const char *layer2_b64_ciphertext)
802 char *layer1_str = NULL;
818 str_desc_auth_key, ephemeral_key_base64);
820 memwipe(ephemeral_key_base64, 0,
sizeof(ephemeral_key_base64));
833 "-----BEGIN MESSAGE-----\n"
835 "-----END MESSAGE-----",
836 str_encrypted, layer2_b64_ciphertext);
844 smartlist_free(lines);
857 const uint8_t *secret_data,
858 size_t secret_data_len,
859 const char *encoded_str,
860 int is_superencrypted_layer)
863 ssize_t enc_b64_len, ret_len, enc_len;
864 char *encrypted_blob = NULL;
867 encoded_str, &encrypted_blob,
868 is_superencrypted_layer);
871 enc_b64 = tor_malloc_zero(enc_b64_len);
873 ret_len =
base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
874 BASE64_ENCODE_MULTILINE);
894 const uint8_t *descriptor_cookie,
895 uint8_t **secret_data_out)
897 size_t secret_data_len;
898 uint8_t *secret_data;
903 if (descriptor_cookie) {
907 secret_data = tor_malloc(secret_data_len);
910 blinded_pubkey->pubkey,
914 HS_DESC_DESCRIPTOR_COOKIE_LEN);
919 secret_data = tor_malloc(secret_data_len);
921 blinded_pubkey->pubkey,
925 *secret_data_out = secret_data;
926 return secret_data_len;
936 const uint8_t *descriptor_cookie,
937 char **encrypted_blob_out)
940 uint8_t *secret_data = NULL;
941 size_t secret_data_len = 0;
942 char *layer2_str = NULL;
943 char *layer2_b64_ciphertext = NULL;
944 char *layer1_str = NULL;
945 char *layer1_b64_ciphertext = NULL;
966 layer2_b64_ciphertext =
969 if (!layer2_b64_ciphertext) {
980 layer1_b64_ciphertext =
985 if (!layer1_b64_ciphertext) {
993 memwipe(secret_data, 0, secret_data_len);
999 *encrypted_blob_out = layer1_b64_ciphertext;
1009 const uint8_t *descriptor_cookie,
1013 char *encoded_str = NULL;
1027 != CERT_TYPE_SIGNING_HS_DESC) {
1028 log_err(
LD_BUG,
"HS descriptor signing key has an unexpected cert type "
1033 &encoded_cert) < 0) {
1053 char *enc_b64_blob=NULL;
1055 &enc_b64_blob) < 0) {
1060 "-----BEGIN MESSAGE-----\n"
1062 "-----END MESSAGE-----",
1063 str_superencrypted, enc_b64_blob);
1076 (
const uint8_t *) encoded_str, encoded_len,
1077 str_desc_sig_prefix, signing_kp) < 0) {
1078 log_warn(
LD_BUG,
"Can't sign encoded HS descriptor!");
1089 *encoded_out = encoded_str;
1092 log_warn(
LD_GENERAL,
"We just made an HS descriptor that's too big (%d)."
1093 "Failing.", (
int)strlen(encoded_str));
1105 smartlist_free(lines);
1125 tok->
args[0], strlen(tok->
args[0])) !=
1130 tok->
args[1], strlen(tok->
args[1])) !=
1131 sizeof(client->
iv)) {
1136 tok->
args[2], strlen(tok->
args[2])) !=
1153 size_t encoded_len, i;
1156 link_specifier_list_t *specs = NULL;
1160 encoded_len = strlen(encoded);
1161 decoded = tor_malloc(encoded_len);
1162 decoded_len =
base64_decode((
char *) decoded, encoded_len, encoded,
1164 if (decoded_len < 0) {
1168 if (link_specifier_list_parse(&specs, decoded,
1169 (
size_t) decoded_len) < decoded_len) {
1175 for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
1176 link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
1191 link_specifier_free(s));
1192 smartlist_free(results);
1196 link_specifier_list_free(specs);
1224 } SMARTLIST_FOREACH_END(auth);
1244 unsigned long type =
tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
1246 log_warn(
LD_REND,
"Unparseable value %s in create2 list",
escaped(s));
1250 case ONION_HANDSHAKE_TYPE_NTOR:
1257 } SMARTLIST_FOREACH_END(s);
1260 smartlist_free(tokens);
1274 log_warn(
LD_REND,
"Certificate for %s couldn't be parsed.", log_obj_type);
1284 log_warn(
LD_REND,
"Signing key is NOT included for %s.", log_obj_type);
1292 char expiration_str[ISO_TIME_LEN+1];
1294 log_fn(LOG_PROTOCOL_WARN,
LD_REND,
"Invalid signature for %s: %s (%s)",
1298 log_warn(
LD_REND,
"Invalid signature for %s: %s",
1316 size_t data_len,
unsigned int cert_type_wanted,
1317 const char *err_msg)
1328 log_warn(
LD_REND,
"Certificate for %s couldn't be parsed.", err_msg);
1341 tor_cert_free(cert);
1354 log_warn(
LD_REND,
"Length of descriptor's encrypted data is too small. "
1355 "Got %lu but minimum value is %d",
1390 keystream = tor_malloc_zero(keystream_len);
1402 memwipe(secret_seed, 0,
sizeof(secret_seed));
1404 *keys_out = keystream;
1405 return keystream_len;
1417 uint8_t **descriptor_cookie_out)
1420 uint8_t *keystream = NULL;
1421 size_t keystream_length = 0;
1422 uint8_t *descriptor_cookie = NULL;
1423 const uint8_t *cookie_key = NULL;
1424 crypto_cipher_t *cipher = NULL;
1437 if (BUG(
fast_mem_is_zero((
char *)client_auth_sk,
sizeof(*client_auth_sk)))) {
1459 HS_DESC_COOKIE_KEY_BIT_SIZE);
1460 descriptor_cookie = tor_malloc_zero(HS_DESC_DESCRIPTOR_COOKIE_LEN);
1469 *descriptor_cookie_out = descriptor_cookie;
1471 crypto_cipher_free(cipher);
1473 memwipe(keystream, 0, keystream_length);
1490 const uint8_t *descriptor_cookie,
1491 bool is_superencrypted_layer,
1492 char **decrypted_out))
1494 uint8_t *decrypted = NULL;
1496 uint8_t *secret_data = NULL;
1497 size_t secret_data_len = 0;
1499 const uint8_t *salt, *encrypted, *desc_mac;
1500 size_t encrypted_len, result_len = 0;
1501 const uint8_t *encrypted_blob = (is_superencrypted_layer)
1504 size_t encrypted_blob_size = (is_superencrypted_layer)
1519 salt = encrypted_blob;
1523 encrypted_len = encrypted_blob_size -
1528 desc_mac = encrypted_blob + encrypted_blob_size -
DIGEST256_LEN;
1539 secret_key,
sizeof(secret_key),
1540 secret_iv,
sizeof(secret_iv),
1541 mac_key,
sizeof(mac_key),
1542 is_superencrypted_layer);
1546 encrypted, encrypted_len, our_mac,
sizeof(our_mac));
1547 memwipe(mac_key, 0,
sizeof(mac_key));
1552 if (!
tor_memeq(our_mac, desc_mac,
sizeof(our_mac))) {
1553 log_info(
LD_REND,
"Encrypted service descriptor MAC check failed");
1560 crypto_cipher_t *cipher;
1563 HS_DESC_ENCRYPTED_BIT_SIZE);
1565 decrypted = tor_malloc_zero(encrypted_len + 1);
1567 (
const char *) encrypted, encrypted_len);
1568 crypto_cipher_free(cipher);
1573 uint8_t *end = memchr(decrypted, 0, encrypted_len);
1574 result_len = encrypted_len;
1576 result_len = end - decrypted;
1580 if (result_len == 0) {
1586 decrypted[encrypted_len] =
'\0';
1587 *decrypted_out = (
char *) decrypted;
1594 *decrypted_out = NULL;
1598 memwipe(secret_data, 0, secret_data_len);
1599 memwipe(secret_key, 0,
sizeof(secret_key));
1600 memwipe(secret_iv, 0,
sizeof(secret_iv));
1613 size_t superencrypted_len = 0;
1614 char *superencrypted_plaintext = NULL;
1621 true, &superencrypted_plaintext);
1623 if (!superencrypted_len) {
1624 log_warn(
LD_REND,
"Decrypting superencrypted desc failed.");
1632 *decrypted_out = superencrypted_plaintext;
1634 return superencrypted_len;
1645 char **decrypted_out)
1647 size_t encrypted_len = 0;
1648 char *encrypted_plaintext = NULL;
1649 uint8_t *descriptor_cookie = NULL;
1657 if (client_auth_sk) {
1663 &descriptor_cookie)) {
1666 } SMARTLIST_FOREACH_END(client);
1671 false, &encrypted_plaintext);
1673 if (!encrypted_len) {
1681 *decrypted_out = encrypted_plaintext;
1682 if (descriptor_cookie) {
1683 memwipe(descriptor_cookie, 0, HS_DESC_DESCRIPTOR_COOKIE_LEN);
1687 return encrypted_len;
1706 log_warn(
LD_REND,
"Introduction point legacy key is invalid");
1714 log_warn(
LD_REND,
"Introduction point legacy key cert is missing");
1721 log_info(
LD_REND,
"Introduction point legacy encryption key "
1722 "cross-certification has an unknown format.");
1736 log_warn(
LD_REND,
"Unable to check cross-certification on the "
1737 "introduction point legacy encryption key.");
1762 log_warn(
LD_REND,
"Descriptor did not contain intro onion keys");
1772 if (!strcmp(tok->args[0],
"ntor")) {
1774 log_warn(
LD_REND,
"Introduction point ntor onion-key is invalid");
1780 } SMARTLIST_FOREACH_END(tok);
1784 log_warn(
LD_REND,
"Descriptor did not contain ntor onion keys");
1788 smartlist_free(onion_keys);
1811 log_warn(
LD_REND,
"Introduction point is not parseable");
1820 tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
1826 log_warn(
LD_REND,
"Introduction point has invalid link specifiers");
1836 tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
1839 log_warn(
LD_REND,
"Unexpected object type for introduction auth key");
1845 "introduction point auth-key") < 0) {
1851 log_warn(
LD_REND,
"Invalid authentication key signature: %s",
1857 tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
1858 if (!strcmp(tok->
args[0],
"ntor")) {
1864 log_warn(
LD_REND,
"Introduction point ntor enc-key is invalid");
1869 log_warn(
LD_REND,
"Introduction point encryption key is unrecognized.");
1874 tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
1878 log_warn(
LD_REND,
"Introduction point ntor encryption key "
1879 "cross-certification has an unknown format.");
1884 "introduction point enc-key-cert") < 0) {
1889 log_warn(
LD_REND,
"Invalid encryption key signature: %s",
1908 hs_desc_intro_point_free(ip);
1913 smartlist_free(tokens);
1946 if (smartlist_len(chunked_desc) < 2) {
1963 } SMARTLIST_FOREACH_END(chunk);
1976 } SMARTLIST_FOREACH_END(intro_point);
1980 smartlist_free(chunked_desc);
1982 smartlist_free(intro_points);
1990 const char *encoded_desc,
size_t encoded_len)
1994 const char *sig_start;
2004 log_warn(
LD_REND,
"Service descriptor has an invalid signature length."
2005 "Expected %d but got %lu",
2012 log_warn(
LD_REND,
"Service descriptor does not contain a valid "
2018 sig_start = tor_memstr(encoded_desc, encoded_len,
"\n" str_signature
" ");
2022 log_warn(
LD_GENERAL,
"Malformed signature line. Rejecting.");
2030 (
const uint8_t *) encoded_desc,
2031 sig_start - encoded_desc,
2032 str_desc_sig_prefix,
2033 signing_pubkey) != 0) {
2034 log_warn(
LD_REND,
"Invalid signature on service descriptor");
2054 const char *encoded_desc,
size_t encoded_len)
2066 tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
2069 UINT32_MAX, &ok, NULL);
2071 log_warn(
LD_REND,
"Service descriptor lifetime value is invalid");
2077 log_warn(
LD_REND,
"Service descriptor lifetime is too big. "
2078 "Got %" PRIu32
" but max is %d",
2084 tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
2088 if (strcmp(tok->
object_type,
"ED25519 CERT") != 0) {
2089 log_warn(
LD_REND,
"Service descriptor signing cert wrong type (%s)",
2095 "service descriptor signing key") < 0) {
2106 tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
2109 UINT64_MAX, &ok, NULL);
2111 log_warn(
LD_REND,
"Service descriptor revision-counter is invalid");
2116 tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
2119 log_warn(
LD_REND,
"Desc superencrypted data section is invalid");
2133 tok = find_by_keyword(tokens, R3_SIGNATURE);
2137 encoded_desc, encoded_len)) {
2141 return HS_DESC_DECODE_OK;
2143 return HS_DESC_DECODE_PLAINTEXT_ERROR;
2151 desc_superencrypted_out)
2153 int ret = HS_DESC_DECODE_SUPERENC_ERROR;
2154 char *message = NULL;
2169 log_warn(
LD_REND,
"Service descriptor decryption failed.");
2178 log_warn(
LD_REND,
"Superencrypted service descriptor is not parseable.");
2183 tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
2185 if (strcmp(tok->
args[0],
"x25519")) {
2186 log_warn(
LD_DIR,
"Unrecognized desc auth type");
2191 tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
2194 tok->
args[0]) < 0) {
2195 log_warn(
LD_DIR,
"Bogus desc auth ephemeral key in HS desc");
2200 if (!superencrypted->
clients) {
2204 if (token->tp == R3_DESC_AUTH_CLIENT) {
2211 log_warn(
LD_REND,
"Descriptor client authorization section can't "
2218 } SMARTLIST_FOREACH_END(token);
2221 tok = find_by_keyword(tokens, R3_ENCRYPTED);
2224 log_warn(
LD_REND,
"Desc encrypted data section is invalid");
2239 ret = HS_DESC_DECODE_OK;
2249 smartlist_free(tokens);
2267 int ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2268 char *message = NULL;
2285 if (client_auth_sk) {
2288 log_warn(
LD_REND,
"Client authorization for requested onion address "
2289 "is invalid. Can't decrypt the descriptor.");
2290 ret = HS_DESC_DECODE_BAD_CLIENT_AUTH;
2294 log_notice(
LD_REND,
"Fail to decrypt descriptor for requested onion "
2295 "address. It is likely requiring client "
2297 ret = HS_DESC_DECODE_NEED_CLIENT_AUTH;
2307 log_warn(
LD_REND,
"Encrypted service descriptor is not parseable.");
2312 tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
2317 log_warn(
LD_REND,
"Service create2-formats does not include ntor.");
2325 log_warn(
LD_REND,
"Service descriptor authentication type has "
2326 "invalid entry(ies).");
2344 HS_CONFIG_V3_MAX_INTRO_POINTS) {
2345 log_warn(
LD_REND,
"Service descriptor contains too many introduction "
2346 "points. Maximum allowed is %d but we have %d",
2347 HS_CONFIG_V3_MAX_INTRO_POINTS,
2355 ret = HS_DESC_DECODE_OK;
2365 smartlist_free(tokens);
2396 int ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2444 desc_superencrypted)
2446 int ret = HS_DESC_DECODE_SUPERENC_ERROR;
2483 const char *encoded_desc,
2484 size_t encoded_len) =
2496 int ok = 0, ret = HS_DESC_DECODE_PLAINTEXT_ERROR;
2506 encoded_len = strlen(encoded);
2508 log_warn(
LD_REND,
"Service descriptor is too big (%lu bytes)",
2509 (
unsigned long) encoded_len);
2518 log_warn(
LD_REND,
"Service descriptor is not parseable");
2524 tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
2527 UINT32_MAX, &ok, NULL);
2529 log_warn(
LD_REND,
"Service descriptor has unparseable version %s",
2534 log_warn(
LD_REND,
"Service descriptor has unsupported version %" PRIu32,
2545 encoded, encoded_len);
2546 if (ret != HS_DESC_DECODE_OK) {
2550 ret = HS_DESC_DECODE_OK;
2555 smartlist_free(tokens);
2583 if (BUG(!subcredential ||
2585 log_warn(
LD_GENERAL,
"Tried to decrypt without subcred. Impossible!");
2592 if (ret != HS_DESC_DECODE_OK) {
2597 if (ret != HS_DESC_DECODE_OK) {
2602 if (ret != HS_DESC_DECODE_OK) {
2609 hs_descriptor_free(desc);
2614 hs_descriptor_free(desc);
2629 const uint8_t *descriptor_cookie,
2630 char **encoded_out) =
2650 const uint8_t *descriptor_cookie,
2651 char **encoded_out))
2670 descriptor_cookie, encoded_out);
2678 if (!descriptor_cookie) {
2681 if (BUG(ret != HS_DESC_DECODE_OK)) {
2690 *encoded_out = NULL;
2707 memwipe(desc, 0,
sizeof(*desc));
2723 hs_desc_authorized_client_free(client));
2724 smartlist_free(desc->
clients);
2727 memwipe(desc, 0,
sizeof(*desc));
2744 hs_desc_intro_point_free(ip));
2747 memwipe(desc, 0,
sizeof(*desc));
2806 size_t intro_size = 0;
2817 return sizeof(*data) + intro_size;
2851 ls, link_specifier_free(ls));
2867 tor_malloc_zero(
sizeof(*client_auth));
2872 sizeof(client_auth->
iv));
2887 const uint8_t *descriptor_cookie,
2890 uint8_t *keystream = NULL;
2891 size_t keystream_length = 0;
2892 const uint8_t *cookie_key;
2893 crypto_cipher_t *cipher;
2901 sizeof(*auth_ephemeral_sk)));
2903 sizeof(*client_auth_pk)));
2905 HS_DESC_DESCRIPTOR_COOKIE_LEN));
2912 auth_ephemeral_sk, client_auth_pk,
2925 HS_DESC_COOKIE_KEY_BIT_SIZE);
2928 (
const char *) descriptor_cookie,
2929 HS_DESC_DESCRIPTOR_COOKIE_LEN);
2931 memwipe(keystream, 0, keystream_length);
2934 crypto_cipher_free(cipher);
2955 ip, hs_desc_intro_point_free(ip));
int base64_decode(char *dest, size_t destlen, const char *src, size_t srclen)
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
size_t base64_encode_size(size_t srclen, int flags)
static void set_uint64(void *cp, uint64_t v)
static uint64_t tor_htonll(uint64_t a)
Header file for circuitbuild.c.
Header file for config.c.
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
crypto_cipher_t * crypto_cipher_new_with_iv_and_bits(const uint8_t *key, const uint8_t *iv, int bits)
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
int curve25519_public_from_base64(curve25519_public_key_t *pkey, const char *input)
void curve25519_public_to_base64(char *output, const curve25519_public_key_t *pkey, bool pad)
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
crypto_xof_t * crypto_xof_new(void)
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
#define crypto_xof_free(xof)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
#define crypto_digest_free(d)
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
int ed25519_sign_prefixed(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair)
void crypto_rand(char *to, size_t n)
void crypto_strongest_rand(uint8_t *out, size_t out_len)
Common functions for using (pseudo-)random number generators.
int crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest, size_t *len)
crypto_pk_t * crypto_pk_dup_key(crypto_pk_t *orig)
int crypto_pk_public_exponent_ok(const crypto_pk_t *env)
void memwipe(void *mem, uint8_t byte, size_t sz)
Common functions for cryptographic routines.
int tor_memeq(const void *a, const void *b, size_t sz)
#define tor_memneq(a, b, sz)
const char * escaped(const char *s)
unsigned int hs_cache_get_max_descriptor_size(void)
Header file for hs_cache.c.
link_specifier_t * link_specifier_dup(const link_specifier_t *src)
Header file containing configuration ABI/API for the HS subsystem.
hs_desc_intro_point_t * hs_desc_intro_point_new(void)
static char * encode_intro_point(const ed25519_public_key_t *sig_key, const hs_desc_intro_point_t *ip)
static size_t build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext, size_t plaintext_len, uint8_t **encrypted_out, int is_superencrypted_layer)
void hs_desc_superencrypted_data_free_contents(hs_desc_superencrypted_data_t *desc)
hs_desc_authorized_client_t * hs_desc_build_fake_authorized_client(void)
static char * get_all_auth_client_lines(const hs_descriptor_t *desc)
static token_rule_t hs_desc_encrypted_v3_token_table[]
hs_desc_decode_status_t hs_desc_decode_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
static char * encode_legacy_key(const hs_desc_intro_point_t *ip)
int hs_desc_encode_descriptor(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
void hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
static const struct @15 intro_auth_types[]
static hs_desc_decode_status_t(* decode_superencrypted_handlers[])(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
static int desc_encode_v3(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static char * encode_onion_key(const hs_desc_intro_point_t *ip)
static void decode_intro_points(const hs_descriptor_t *desc, hs_desc_encrypted_data_t *desc_enc, const char *data)
size_t hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
static size_t build_secret_data(const ed25519_public_key_t *blinded_pubkey, const uint8_t *descriptor_cookie, uint8_t **secret_data_out)
STATIC smartlist_t * decode_link_specifiers(const char *encoded)
STATIC int desc_sig_is_valid(const char *b64_sig, const ed25519_public_key_t *signing_pubkey, const char *encoded_desc, size_t encoded_len)
static size_t desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
static int(* encode_handlers[])(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
STATIC size_t decrypt_desc_layer(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, bool is_superencrypted_layer, char **decrypted_out)
size_t hs_desc_obj_size(const hs_descriptor_t *data)
static int decode_auth_client(const directory_token_t *tok, hs_desc_authorized_client_t *client)
hs_desc_decode_status_t hs_desc_decode_plaintext(const char *encoded, hs_desc_plaintext_data_t *plaintext)
STATIC char * encode_link_specifiers(const smartlist_t *specs)
static int cert_parse_and_validate(tor_cert_t **cert_out, const char *data, size_t data_len, unsigned int cert_type_wanted, const char *err_msg)
STATIC size_t build_plaintext_padding(const char *plaintext, size_t plaintext_len, uint8_t **padded_out)
static size_t desc_decrypt_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, char **decrypted_out)
void hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
void hs_descriptor_free_(hs_descriptor_t *desc)
static char * get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
static int encode_superencrypted_data(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, char **encrypted_blob_out)
static char * encode_enc_key(const hs_desc_intro_point_t *ip)
void hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)
STATIC int encrypted_data_length_is_valid(size_t len)
void hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
static token_rule_t hs_desc_v3_token_table[]
static void decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
static int decrypt_descriptor_cookie(const hs_descriptor_t *desc, const hs_desc_authorized_client_t *client, const curve25519_secret_key_t *client_auth_sk, uint8_t **descriptor_cookie_out)
hs_desc_decode_status_t hs_desc_decode_superencrypted(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
static token_rule_t hs_desc_superencrypted_v3_token_table[]
static hs_desc_decode_status_t desc_decode_encrypted_v3(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted_out)
void hs_desc_build_authorized_client(const hs_subcredential_t *subcredential, const curve25519_public_key_t *client_auth_pk, const curve25519_secret_key_t *auth_ephemeral_sk, const uint8_t *descriptor_cookie, hs_desc_authorized_client_t *client_out)
static void build_secret_key_iv_mac(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_len, uint8_t *iv_out, size_t iv_len, uint8_t *mac_out, size_t mac_len, int is_superencrypted_layer)
void hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc)
static size_t encrypt_descriptor_data(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *plaintext, char **encrypted_out, int is_superencrypted_layer)
static size_t compute_padded_plaintext_length(size_t plaintext_len)
static int set_intro_point_onion_key(curve25519_public_key_t *onion_key_out, const smartlist_t *tokens)
static hs_desc_decode_status_t(* decode_plaintext_handlers[])(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
static char * encrypt_desc_data_and_base64(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *encoded_str, int is_superencrypted_layer)
static int decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
static size_t build_descriptor_cookie_keys(const hs_subcredential_t *subcredential, const curve25519_secret_key_t *sk, const curve25519_public_key_t *pk, uint8_t **keys_out)
static char * get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc, const char *layer2_b64_ciphertext)
static int decode_intro_legacy_key(const directory_token_t *tok, smartlist_t *tokens, hs_desc_intro_point_t *ip, const hs_descriptor_t *desc)
static void build_kdf_key(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_out_len, int is_superencrypted_layer)
static char * get_auth_client_str(const hs_desc_authorized_client_t *client)
void hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
static token_rule_t hs_desc_intro_point_v3_token_table[]
static hs_desc_decode_status_t(* decode_encrypted_handlers[])(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
STATIC int cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
static size_t hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
hs_desc_decode_status_t hs_desc_decode_descriptor(const char *encoded, const hs_subcredential_t *subcredential, const curve25519_secret_key_t *client_auth_sk, hs_descriptor_t **desc_out)
static size_t build_secret_input(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, uint8_t **secret_input_out)
STATIC hs_desc_intro_point_t * decode_introduction_point(const hs_descriptor_t *desc, const char *start)
void hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
static hs_desc_decode_status_t desc_decode_plaintext_v3(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
static hs_desc_decode_status_t desc_decode_superencrypted_v3(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted_out)
void hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client)
static void build_mac(const uint8_t *mac_key, size_t mac_key_len, const uint8_t *salt, size_t salt_len, const uint8_t *encrypted, size_t encrypted_len, uint8_t *mac_out, size_t mac_len)
Header file for hs_descriptor.c.
#define HS_DESC_CLIENT_ID_LEN
#define HS_DESC_ENCRYPTED_SALT_LEN
#define HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE
#define HS_DESC_AUTH_CLIENT_MULTIPLE
static int hs_desc_is_supported_version(uint32_t version)
#define HS_DESC_ENCRYPTED_KEY_LEN
#define HS_DESC_CERT_LIFETIME
#define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN
#define HS_DESC_MAX_LIFETIME
#define log_fn(severity, domain, args,...)
memarea_t * memarea_new(void)
#define memarea_drop_all(area)
Master header file for Tor-specific functionality.
uint64_t tor_parse_uint64(const char *s, int base, uint64_t min, uint64_t max, int *ok, char **next)
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
void token_clear(directory_token_t *tok)
int tokenize_string(memarea_t *area, const char *start, const char *end, smartlist_t *out, const token_rule_t *table, int flags)
directory_token_t * find_opt_by_keyword(const smartlist_t *s, directory_keyword keyword)
smartlist_t * find_all_by_keyword(const smartlist_t *s, directory_keyword k)
Header file for parsecommon.c.
#define T1_END(s, t, a, o)
#define T1_START(s, t, a, o)
int tor_asprintf(char **strp, const char *fmt,...)
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
uint8_t iv[CIPHER_IV_LEN]
uint8_t encrypted_cookie[HS_DESC_ENCRYPED_COOKIE_LEN]
uint8_t client_id[HS_DESC_CLIENT_ID_LEN]
smartlist_t * intro_auth_types
unsigned int single_onion_service
smartlist_t * intro_points
unsigned int create2_ntor
unsigned int cross_certified
struct hs_desc_intro_point_t::@16 legacy
curve25519_public_key_t onion_key
curve25519_public_key_t enc_key
tor_cert_t * enc_key_cert
tor_cert_t * auth_key_cert
struct hs_desc_intro_point_t::@16::@17 cert
smartlist_t * link_specifiers
uint64_t revision_counter
size_t superencrypted_blob_size
tor_cert_t * signing_key_cert
ed25519_public_key_t signing_pubkey
ed25519_public_key_t blinded_pubkey
uint8_t * superencrypted_blob
curve25519_public_key_t auth_ephemeral_pubkey
size_t encrypted_blob_size
hs_desc_encrypted_data_t encrypted_data
hs_desc_superencrypted_data_t superencrypted_data
hs_subcredential_t subcredential
hs_desc_plaintext_data_t plaintext_data
ed25519_public_key_t signing_key
ed25519_public_key_t signed_key
unsigned signing_key_included
#define MOCK_IMPL(rv, funcname, arglist)
void format_iso_time(char *buf, time_t t)
int rsa_ed25519_crosscert_check(const uint8_t *crosscert, const size_t crosscert_len, const crypto_pk_t *rsa_id_key, const ed25519_public_key_t *master_key, const time_t reject_if_expired_before)
int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now)
const char * tor_cert_describe_signature_status(const tor_cert_t *cert)
tor_cert_t * tor_cert_parse(const uint8_t *encoded, const size_t len)
int fast_mem_is_zero(const char *mem, size_t len)
#define CURVE25519_OUTPUT_LEN
#define CURVE25519_BASE64_PADDED_LEN
#define ED25519_PUBKEY_LEN
#define ED25519_SIG_BASE64_LEN
#define CURVE25519_PUBKEY_LEN