Tor  0.4.4.0-alpha-dev
hs_descriptor.c
Go to the documentation of this file.
1 /* Copyright (c) 2016-2020, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
4 /**
5  * \file hs_descriptor.c
6  * \brief Handle hidden service descriptor encoding/decoding.
7  *
8  * \details
9  * Here is a graphical depiction of an HS descriptor and its layers:
10  *
11  * +------------------------------------------------------+
12  * |DESCRIPTOR HEADER: |
13  * | hs-descriptor 3 |
14  * | descriptor-lifetime 180 |
15  * | ... |
16  * | superencrypted |
17  * |+---------------------------------------------------+ |
18  * ||SUPERENCRYPTED LAYER (aka OUTER ENCRYPTED LAYER): | |
19  * || desc-auth-type x25519 | |
20  * || desc-auth-ephemeral-key | |
21  * || auth-client | |
22  * || auth-client | |
23  * || ... | |
24  * || encrypted | |
25  * ||+-------------------------------------------------+| |
26  * |||ENCRYPTED LAYER (aka INNER ENCRYPTED LAYER): || |
27  * ||| create2-formats || |
28  * ||| intro-auth-required || |
29  * ||| introduction-point || |
30  * ||| introduction-point || |
31  * ||| ... || |
32  * ||+-------------------------------------------------+| |
33  * |+---------------------------------------------------+ |
34  * +------------------------------------------------------+
35  *
36  * The DESCRIPTOR HEADER section is completely unencrypted and contains generic
37  * descriptor metadata.
38  *
39  * The SUPERENCRYPTED LAYER section is the first layer of encryption, and it's
40  * encrypted using the blinded public key of the hidden service to protect
41  * against entities who don't know its onion address. The clients of the hidden
42  * service know its onion address and blinded public key, whereas third-parties
43  * (like HSDirs) don't know it (except if it's a public hidden service).
44  *
45  * The ENCRYPTED LAYER section is the second layer of encryption, and it's
46  * encrypted using the client authorization key material (if those exist). When
47  * client authorization is enabled, this second layer of encryption protects
48  * the descriptor content from unauthorized entities. If client authorization
49  * is disabled, this second layer of encryption does not provide any extra
50  * security but is still present. The plaintext of this layer contains all the
51  * information required to connect to the hidden service like its list of
52  * introduction points.
53  **/
54 
55 /* For unit tests.*/
56 #define HS_DESCRIPTOR_PRIVATE
57 
58 #include "core/or/or.h"
59 #include "app/config/config.h"
60 #include "trunnel/ed25519_cert.h" /* Trunnel interface. */
62 #include "core/or/circuitbuild.h"
66 #include "feature/rend/rendcache.h"
67 #include "feature/hs/hs_cache.h"
68 #include "feature/hs/hs_config.h"
69 #include "feature/nodelist/torcert.h" /* tor_cert_encode_ed22519() */
70 #include "lib/memarea/memarea.h"
72 
73 #include "core/or/extend_info_st.h"
74 
75 /* Constant string value used for the descriptor format. */
76 #define str_hs_desc "hs-descriptor"
77 #define str_desc_cert "descriptor-signing-key-cert"
78 #define str_rev_counter "revision-counter"
79 #define str_superencrypted "superencrypted"
80 #define str_encrypted "encrypted"
81 #define str_signature "signature"
82 #define str_lifetime "descriptor-lifetime"
83 /* Constant string value for the encrypted part of the descriptor. */
84 #define str_create2_formats "create2-formats"
85 #define str_intro_auth_required "intro-auth-required"
86 #define str_single_onion "single-onion-service"
87 #define str_intro_point "introduction-point"
88 #define str_ip_onion_key "onion-key"
89 #define str_ip_auth_key "auth-key"
90 #define str_ip_enc_key "enc-key"
91 #define str_ip_enc_key_cert "enc-key-cert"
92 #define str_ip_legacy_key "legacy-key"
93 #define str_ip_legacy_key_cert "legacy-key-cert"
94 #define str_intro_point_start "\n" str_intro_point " "
95 /* Constant string value for the construction to encrypt the encrypted data
96  * section. */
97 #define str_enc_const_superencryption "hsdir-superencrypted-data"
98 #define str_enc_const_encryption "hsdir-encrypted-data"
99 /* Prefix required to compute/verify HS desc signatures */
100 #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
101 #define str_desc_auth_type "desc-auth-type"
102 #define str_desc_auth_key "desc-auth-ephemeral-key"
103 #define str_desc_auth_client "auth-client"
104 #define str_encrypted "encrypted"
105 
106 /** Authentication supported types. */
107 static const struct {
108  hs_desc_auth_type_t type;
109  const char *identifier;
110 } intro_auth_types[] = {
111  { HS_DESC_AUTH_ED25519, "ed25519" },
112  /* Indicate end of array. */
113  { 0, NULL }
114 };
115 
116 /** Descriptor ruleset. */
118  T1_START(str_hs_desc, R_HS_DESCRIPTOR, EQ(1), NO_OBJ),
119  T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ),
120  T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ),
121  T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ),
122  T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ),
123  T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ),
125 };
126 
127 /** Descriptor ruleset for the superencrypted section. */
129  T1_START(str_desc_auth_type, R3_DESC_AUTH_TYPE, GE(1), NO_OBJ),
130  T1(str_desc_auth_key, R3_DESC_AUTH_KEY, GE(1), NO_OBJ),
131  T1N(str_desc_auth_client, R3_DESC_AUTH_CLIENT, GE(3), NO_OBJ),
132  T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
134 };
135 
136 /** Descriptor ruleset for the encrypted section. */
138  T1_START(str_create2_formats, R3_CREATE2_FORMATS, CONCAT_ARGS, NO_OBJ),
139  T01(str_intro_auth_required, R3_INTRO_AUTH_REQUIRED, ARGS, NO_OBJ),
140  T01(str_single_onion, R3_SINGLE_ONION_SERVICE, ARGS, NO_OBJ),
142 };
143 
144 /** Descriptor ruleset for the introduction points section. */
146  T1_START(str_intro_point, R3_INTRODUCTION_POINT, EQ(1), NO_OBJ),
147  T1N(str_ip_onion_key, R3_INTRO_ONION_KEY, GE(2), OBJ_OK),
148  T1(str_ip_auth_key, R3_INTRO_AUTH_KEY, NO_ARGS, NEED_OBJ),
149  T1(str_ip_enc_key, R3_INTRO_ENC_KEY, GE(2), OBJ_OK),
150  T1(str_ip_enc_key_cert, R3_INTRO_ENC_KEY_CERT, ARGS, OBJ_OK),
151  T01(str_ip_legacy_key, R3_INTRO_LEGACY_KEY, ARGS, NEED_KEY_1024),
152  T01(str_ip_legacy_key_cert, R3_INTRO_LEGACY_KEY_CERT, ARGS, OBJ_OK),
154 };
155 
156 /** Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
157  * We use SHA3-256 for the MAC computation.
158  * This function can't fail. */
159 static void
160 build_mac(const uint8_t *mac_key, size_t mac_key_len,
161  const uint8_t *salt, size_t salt_len,
162  const uint8_t *encrypted, size_t encrypted_len,
163  uint8_t *mac_out, size_t mac_len)
164 {
165  crypto_digest_t *digest;
166 
167  const uint64_t mac_len_netorder = tor_htonll(mac_key_len);
168  const uint64_t salt_len_netorder = tor_htonll(salt_len);
169 
170  tor_assert(mac_key);
171  tor_assert(salt);
172  tor_assert(encrypted);
173  tor_assert(mac_out);
174 
175  digest = crypto_digest256_new(DIGEST_SHA3_256);
176  /* As specified in section 2.5 of proposal 224, first add the mac key
177  * then add the salt first and then the encrypted section. */
178 
179  crypto_digest_add_bytes(digest, (const char *) &mac_len_netorder, 8);
180  crypto_digest_add_bytes(digest, (const char *) mac_key, mac_key_len);
181  crypto_digest_add_bytes(digest, (const char *) &salt_len_netorder, 8);
182  crypto_digest_add_bytes(digest, (const char *) salt, salt_len);
183  crypto_digest_add_bytes(digest, (const char *) encrypted, encrypted_len);
184  crypto_digest_get_digest(digest, (char *) mac_out, mac_len);
185  crypto_digest_free(digest);
186 }
187 
188 /** Using a secret data and a given decriptor object, build the secret
189  * input needed for the KDF.
190  *
191  * secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
192  *
193  * Then, set the newly allocated buffer in secret_input_out and return the
194  * length of the buffer. */
195 static size_t
197  const uint8_t *secret_data,
198  size_t secret_data_len,
199  uint8_t **secret_input_out)
200 {
201  size_t offset = 0;
202  size_t secret_input_len = secret_data_len + DIGEST256_LEN + sizeof(uint64_t);
203  uint8_t *secret_input = NULL;
204 
205  tor_assert(desc);
206  tor_assert(secret_data);
207  tor_assert(secret_input_out);
208 
209  secret_input = tor_malloc_zero(secret_input_len);
210 
211  /* Copy the secret data. */
212  memcpy(secret_input, secret_data, secret_data_len);
213  offset += secret_data_len;
214  /* Copy subcredential. */
215  memcpy(secret_input + offset, desc->subcredential.subcred, DIGEST256_LEN);
216  offset += DIGEST256_LEN;
217  /* Copy revision counter value. */
218  set_uint64(secret_input + offset,
220  offset += sizeof(uint64_t);
221  tor_assert(secret_input_len == offset);
222 
223  *secret_input_out = secret_input;
224 
225  return secret_input_len;
226 }
227 
228 /** Do the KDF construction and put the resulting data in key_out which is of
229  * key_out_len length. It uses SHAKE-256 as specified in the spec. */
230 static void
232  const uint8_t *secret_data,
233  size_t secret_data_len,
234  const uint8_t *salt, size_t salt_len,
235  uint8_t *key_out, size_t key_out_len,
236  int is_superencrypted_layer)
237 {
238  uint8_t *secret_input = NULL;
239  size_t secret_input_len;
240  crypto_xof_t *xof;
241 
242  tor_assert(desc);
243  tor_assert(secret_data);
244  tor_assert(salt);
245  tor_assert(key_out);
246 
247  /* Build the secret input for the KDF computation. */
248  secret_input_len = build_secret_input(desc, secret_data,
249  secret_data_len, &secret_input);
250 
251  xof = crypto_xof_new();
252  /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
253  crypto_xof_add_bytes(xof, secret_input, secret_input_len);
254  crypto_xof_add_bytes(xof, salt, salt_len);
255 
256  /* Feed in the right string constant based on the desc layer */
257  if (is_superencrypted_layer) {
258  crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_superencryption,
259  strlen(str_enc_const_superencryption));
260  } else {
261  crypto_xof_add_bytes(xof, (const uint8_t *) str_enc_const_encryption,
262  strlen(str_enc_const_encryption));
263  }
264 
265  /* Eat from our KDF. */
266  crypto_xof_squeeze_bytes(xof, key_out, key_out_len);
267  crypto_xof_free(xof);
268  memwipe(secret_input, 0, secret_input_len);
269 
270  tor_free(secret_input);
271 }
272 
273 /** Using the given descriptor, secret data, and salt, run it through our
274  * KDF function and then extract a secret key in key_out, the IV in iv_out
275  * and MAC in mac_out. This function can't fail. */
276 static void
278  const uint8_t *secret_data,
279  size_t secret_data_len,
280  const uint8_t *salt, size_t salt_len,
281  uint8_t *key_out, size_t key_len,
282  uint8_t *iv_out, size_t iv_len,
283  uint8_t *mac_out, size_t mac_len,
284  int is_superencrypted_layer)
285 {
286  size_t offset = 0;
287  uint8_t kdf_key[HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN];
288 
289  tor_assert(desc);
290  tor_assert(secret_data);
291  tor_assert(salt);
292  tor_assert(key_out);
293  tor_assert(iv_out);
294  tor_assert(mac_out);
295 
296  build_kdf_key(desc, secret_data, secret_data_len,
297  salt, salt_len, kdf_key, sizeof(kdf_key),
298  is_superencrypted_layer);
299  /* Copy the bytes we need for both the secret key and IV. */
300  memcpy(key_out, kdf_key, key_len);
301  offset += key_len;
302  memcpy(iv_out, kdf_key + offset, iv_len);
303  offset += iv_len;
304  memcpy(mac_out, kdf_key + offset, mac_len);
305  /* Extra precaution to make sure we are not out of bound. */
306  tor_assert((offset + mac_len) == sizeof(kdf_key));
307  memwipe(kdf_key, 0, sizeof(kdf_key));
308 }
309 
310 /* === ENCODING === */
311 
312 /** Encode the given link specifier objects into a newly allocated string.
313  * This can't fail so caller can always assume a valid string being
314  * returned. */
315 STATIC char *
317 {
318  char *encoded_b64 = NULL;
319  link_specifier_list_t *lslist = link_specifier_list_new();
320 
321  tor_assert(specs);
322  /* No link specifiers is a code flow error, can't happen. */
323  tor_assert(smartlist_len(specs) > 0);
324  tor_assert(smartlist_len(specs) <= UINT8_MAX);
325 
326  link_specifier_list_set_n_spec(lslist, smartlist_len(specs));
327 
328  SMARTLIST_FOREACH_BEGIN(specs, const link_specifier_t *,
329  spec) {
330  link_specifier_t *ls = link_specifier_dup(spec);
331  tor_assert(ls);
332  link_specifier_list_add_spec(lslist, ls);
333  } SMARTLIST_FOREACH_END(spec);
334 
335  {
336  uint8_t *encoded;
337  ssize_t encoded_len, encoded_b64_len, ret;
338 
339  encoded_len = link_specifier_list_encoded_len(lslist);
340  tor_assert(encoded_len > 0);
341  encoded = tor_malloc_zero(encoded_len);
342  ret = link_specifier_list_encode(encoded, encoded_len, lslist);
343  tor_assert(ret == encoded_len);
344 
345  /* Base64 encode our binary format. Add extra NUL byte for the base64
346  * encoded value. */
347  encoded_b64_len = base64_encode_size(encoded_len, 0) + 1;
348  encoded_b64 = tor_malloc_zero(encoded_b64_len);
349  ret = base64_encode(encoded_b64, encoded_b64_len, (const char *) encoded,
350  encoded_len, 0);
351  tor_assert(ret == (encoded_b64_len - 1));
352  tor_free(encoded);
353  }
354 
355  link_specifier_list_free(lslist);
356  return encoded_b64;
357 }
358 
359 /** Encode an introduction point legacy key and certificate. Return a newly
360  * allocated string with it. On failure, return NULL. */
361 static char *
363 {
364  char *key_str, b64_cert[256], *encoded = NULL;
365  size_t key_str_len;
366 
367  tor_assert(ip);
368 
369  /* Encode cross cert. */
370  if (base64_encode(b64_cert, sizeof(b64_cert),
371  (const char *) ip->legacy.cert.encoded,
372  ip->legacy.cert.len, BASE64_ENCODE_MULTILINE) < 0) {
373  log_warn(LD_REND, "Unable to encode legacy crosscert.");
374  goto done;
375  }
376  /* Convert the encryption key to PEM format NUL terminated. */
378  &key_str_len) < 0) {
379  log_warn(LD_REND, "Unable to encode legacy encryption key.");
380  goto done;
381  }
382  tor_asprintf(&encoded,
383  "%s \n%s" /* Newline is added by the call above. */
384  "%s\n"
385  "-----BEGIN CROSSCERT-----\n"
386  "%s"
387  "-----END CROSSCERT-----",
388  str_ip_legacy_key, key_str,
389  str_ip_legacy_key_cert, b64_cert);
390  tor_free(key_str);
391 
392  done:
393  return encoded;
394 }
395 
396 /** Encode an introduction point encryption key and certificate. Return a newly
397  * allocated string with it. On failure, return NULL. */
398 static char *
400 {
401  char *encoded = NULL, *encoded_cert;
402  char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
403 
404  tor_assert(ip);
405 
406  /* Base64 encode the encryption key for the "enc-key" field. */
407  curve25519_public_to_base64(key_b64, &ip->enc_key);
408  if (tor_cert_encode_ed22519(ip->enc_key_cert, &encoded_cert) < 0) {
409  goto done;
410  }
411  tor_asprintf(&encoded,
412  "%s ntor %s\n"
413  "%s\n%s",
414  str_ip_enc_key, key_b64,
415  str_ip_enc_key_cert, encoded_cert);
416  tor_free(encoded_cert);
417 
418  done:
419  return encoded;
420 }
421 
422 /** Encode an introduction point onion key. Return a newly allocated string
423  * with it. Can not fail. */
424 static char *
426 {
427  char *encoded = NULL;
428  char key_b64[CURVE25519_BASE64_PADDED_LEN + 1];
429 
430  tor_assert(ip);
431 
432  /* Base64 encode the encryption key for the "onion-key" field. */
433  curve25519_public_to_base64(key_b64, &ip->onion_key);
434  tor_asprintf(&encoded, "%s ntor %s", str_ip_onion_key, key_b64);
435 
436  return encoded;
437 }
438 
439 /** Encode an introduction point object and return a newly allocated string
440  * with it. On failure, return NULL. */
441 static char *
443  const hs_desc_intro_point_t *ip)
444 {
445  char *encoded_ip = NULL;
446  smartlist_t *lines = smartlist_new();
447 
448  tor_assert(ip);
449  tor_assert(sig_key);
450 
451  /* Encode link specifier. */
452  {
453  char *ls_str = encode_link_specifiers(ip->link_specifiers);
454  smartlist_add_asprintf(lines, "%s %s", str_intro_point, ls_str);
455  tor_free(ls_str);
456  }
457 
458  /* Onion key encoding. */
459  {
460  char *encoded_onion_key = encode_onion_key(ip);
461  if (encoded_onion_key == NULL) {
462  goto err;
463  }
464  smartlist_add_asprintf(lines, "%s", encoded_onion_key);
465  tor_free(encoded_onion_key);
466  }
467 
468  /* Authentication key encoding. */
469  {
470  char *encoded_cert;
471  if (tor_cert_encode_ed22519(ip->auth_key_cert, &encoded_cert) < 0) {
472  goto err;
473  }
474  smartlist_add_asprintf(lines, "%s\n%s", str_ip_auth_key, encoded_cert);
475  tor_free(encoded_cert);
476  }
477 
478  /* Encryption key encoding. */
479  {
480  char *encoded_enc_key = encode_enc_key(ip);
481  if (encoded_enc_key == NULL) {
482  goto err;
483  }
484  smartlist_add_asprintf(lines, "%s", encoded_enc_key);
485  tor_free(encoded_enc_key);
486  }
487 
488  /* Legacy key if any. */
489  if (ip->legacy.key != NULL) {
490  /* Strong requirement else the IP creation was badly done. */
491  tor_assert(ip->legacy.cert.encoded);
492  char *encoded_legacy_key = encode_legacy_key(ip);
493  if (encoded_legacy_key == NULL) {
494  goto err;
495  }
496  smartlist_add_asprintf(lines, "%s", encoded_legacy_key);
497  tor_free(encoded_legacy_key);
498  }
499 
500  /* Join them all in one blob of text. */
501  encoded_ip = smartlist_join_strings(lines, "\n", 1, NULL);
502 
503  err:
504  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
505  smartlist_free(lines);
506  return encoded_ip;
507 }
508 
509 /** Given a source length, return the new size including padding for the
510  * plaintext encryption. */
511 static size_t
512 compute_padded_plaintext_length(size_t plaintext_len)
513 {
514  size_t plaintext_padded_len;
515  const int padding_block_length = HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE;
516 
517  /* Make sure we won't overflow. */
518  tor_assert(plaintext_len <= (SIZE_T_CEILING - padding_block_length));
519 
520  /* Get the extra length we need to add. For example, if srclen is 10200
521  * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
522  plaintext_padded_len = CEIL_DIV(plaintext_len, padding_block_length) *
523  padding_block_length;
524  /* Can never be extra careful. Make sure we are _really_ padded. */
525  tor_assert(!(plaintext_padded_len % padding_block_length));
526  return plaintext_padded_len;
527 }
528 
529 /** Given a buffer, pad it up to the encrypted section padding requirement. Set
530  * the newly allocated string in padded_out and return the length of the
531  * padded buffer. */
532 STATIC size_t
533 build_plaintext_padding(const char *plaintext, size_t plaintext_len,
534  uint8_t **padded_out)
535 {
536  size_t padded_len;
537  uint8_t *padded;
538 
539  tor_assert(plaintext);
540  tor_assert(padded_out);
541 
542  /* Allocate the final length including padding. */
543  padded_len = compute_padded_plaintext_length(plaintext_len);
544  tor_assert(padded_len >= plaintext_len);
545  padded = tor_malloc_zero(padded_len);
546 
547  memcpy(padded, plaintext, plaintext_len);
548  *padded_out = padded;
549  return padded_len;
550 }
551 
552 /** Using a key, IV and plaintext data of length plaintext_len, create the
553  * encrypted section by encrypting it and setting encrypted_out with the
554  * data. Return size of the encrypted data buffer. */
555 static size_t
556 build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
557  size_t plaintext_len, uint8_t **encrypted_out,
558  int is_superencrypted_layer)
559 {
560  size_t encrypted_len;
561  uint8_t *padded_plaintext, *encrypted;
562  crypto_cipher_t *cipher;
563 
564  tor_assert(key);
565  tor_assert(iv);
566  tor_assert(plaintext);
567  tor_assert(encrypted_out);
568 
569  /* If we are encrypting the middle layer of the descriptor, we need to first
570  pad the plaintext */
571  if (is_superencrypted_layer) {
572  encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
573  &padded_plaintext);
574  /* Extra precautions that we have a valid padding length. */
576  } else { /* No padding required for inner layers */
577  padded_plaintext = tor_memdup(plaintext, plaintext_len);
578  encrypted_len = plaintext_len;
579  }
580 
581  /* This creates a cipher for AES. It can't fail. */
582  cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
583  HS_DESC_ENCRYPTED_BIT_SIZE);
584  /* We use a stream cipher so the encrypted length will be the same as the
585  * plaintext padded length. */
586  encrypted = tor_malloc_zero(encrypted_len);
587  /* This can't fail. */
588  crypto_cipher_encrypt(cipher, (char *) encrypted,
589  (const char *) padded_plaintext, encrypted_len);
590  *encrypted_out = encrypted;
591  /* Cleanup. */
592  crypto_cipher_free(cipher);
593  tor_free(padded_plaintext);
594  return encrypted_len;
595 }
596 
597 /** Encrypt the given <b>plaintext</b> buffer using <b>desc</b> and
598  * <b>secret_data</b> to get the keys. Set encrypted_out with the encrypted
599  * data and return the length of it. <b>is_superencrypted_layer</b> is set
600  * if this is the outer encrypted layer of the descriptor. */
601 static size_t
603  const uint8_t *secret_data,
604  size_t secret_data_len,
605  const char *plaintext,
606  char **encrypted_out, int is_superencrypted_layer)
607 {
608  char *final_blob;
609  size_t encrypted_len, final_blob_len, offset = 0;
610  uint8_t *encrypted;
611  uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
612  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
613  uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
614 
615  tor_assert(desc);
616  tor_assert(secret_data);
617  tor_assert(plaintext);
618  tor_assert(encrypted_out);
619 
620  /* Get our salt. The returned bytes are already hashed. */
621  crypto_strongest_rand(salt, sizeof(salt));
622 
623  /* KDF construction resulting in a key from which the secret key, IV and MAC
624  * key are extracted which is what we need for the encryption. */
625  build_secret_key_iv_mac(desc, secret_data, secret_data_len,
626  salt, sizeof(salt),
627  secret_key, sizeof(secret_key),
628  secret_iv, sizeof(secret_iv),
629  mac_key, sizeof(mac_key),
630  is_superencrypted_layer);
631 
632  /* Build the encrypted part that is do the actual encryption. */
633  encrypted_len = build_encrypted(secret_key, secret_iv, plaintext,
634  strlen(plaintext), &encrypted,
635  is_superencrypted_layer);
636  memwipe(secret_key, 0, sizeof(secret_key));
637  memwipe(secret_iv, 0, sizeof(secret_iv));
638  /* This construction is specified in section 2.5 of proposal 224. */
639  final_blob_len = sizeof(salt) + encrypted_len + DIGEST256_LEN;
640  final_blob = tor_malloc_zero(final_blob_len);
641 
642  /* Build the MAC. */
643  build_mac(mac_key, sizeof(mac_key), salt, sizeof(salt),
644  encrypted, encrypted_len, mac, sizeof(mac));
645  memwipe(mac_key, 0, sizeof(mac_key));
646 
647  /* The salt is the first value. */
648  memcpy(final_blob, salt, sizeof(salt));
649  offset = sizeof(salt);
650  /* Second value is the encrypted data. */
651  memcpy(final_blob + offset, encrypted, encrypted_len);
652  offset += encrypted_len;
653  /* Third value is the MAC. */
654  memcpy(final_blob + offset, mac, sizeof(mac));
655  offset += sizeof(mac);
656  /* Cleanup the buffers. */
657  memwipe(salt, 0, sizeof(salt));
658  memwipe(encrypted, 0, encrypted_len);
659  tor_free(encrypted);
660  /* Extra precaution. */
661  tor_assert(offset == final_blob_len);
662 
663  *encrypted_out = final_blob;
664  return final_blob_len;
665 }
666 
667 /** Create and return a string containing a client-auth entry. It's the
668  * responsibility of the caller to free the returned string. This function
669  * will never fail. */
670 static char *
672 {
673  int ret;
674  char *auth_client_str = NULL;
675  /* We are gonna fill these arrays with base64 data. They are all double
676  * the size of their binary representation to fit the base64 overhead. */
677  char client_id_b64[HS_DESC_CLIENT_ID_LEN * 2];
678  char iv_b64[CIPHER_IV_LEN * 2];
679  char encrypted_cookie_b64[HS_DESC_ENCRYPED_COOKIE_LEN * 2];
680 
681 #define ASSERT_AND_BASE64(field) STMT_BEGIN \
682  tor_assert(!fast_mem_is_zero((char *) client->field, \
683  sizeof(client->field))); \
684  ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
685  client->field, sizeof(client->field)); \
686  tor_assert(ret > 0); \
687  STMT_END
688 
689  ASSERT_AND_BASE64(client_id);
690  ASSERT_AND_BASE64(iv);
691  ASSERT_AND_BASE64(encrypted_cookie);
692 
693  /* Build the final string */
694  tor_asprintf(&auth_client_str, "%s %s %s %s", str_desc_auth_client,
695  client_id_b64, iv_b64, encrypted_cookie_b64);
696 
697 #undef ASSERT_AND_BASE64
698 
699  return auth_client_str;
700 }
701 
702 /** Create the "client-auth" part of the descriptor and return a
703  * newly-allocated string with it. It's the responsibility of the caller to
704  * free the returned string. */
705 static char *
707 {
708  smartlist_t *auth_client_lines = smartlist_new();
709  char *auth_client_lines_str = NULL;
710 
711  tor_assert(desc);
713  tor_assert(smartlist_len(desc->superencrypted_data.clients) != 0);
714  tor_assert(smartlist_len(desc->superencrypted_data.clients)
716 
717  /* Make a line for each client */
719  const hs_desc_authorized_client_t *, client) {
720  char *auth_client_str = NULL;
721 
722  auth_client_str = get_auth_client_str(client);
723 
724  smartlist_add(auth_client_lines, auth_client_str);
725  } SMARTLIST_FOREACH_END(client);
726 
727  /* Join all lines together to form final string */
728  auth_client_lines_str = smartlist_join_strings(auth_client_lines,
729  "\n", 1, NULL);
730  /* Cleanup the mess */
731  SMARTLIST_FOREACH(auth_client_lines, char *, a, tor_free(a));
732  smartlist_free(auth_client_lines);
733 
734  return auth_client_lines_str;
735 }
736 
737 /** Create the inner layer of the descriptor (which includes the intro points,
738  * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
739  * an error occurred. It's the responsibility of the caller to free the
740  * returned string. */
741 static char *
743 {
744  char *encoded_str = NULL;
745  smartlist_t *lines = smartlist_new();
746 
747  /* Build the start of the section prior to the introduction points. */
748  {
749  if (!desc->encrypted_data.create2_ntor) {
750  log_err(LD_BUG, "HS desc doesn't have recognized handshake type.");
751  goto err;
752  }
753  smartlist_add_asprintf(lines, "%s %d\n", str_create2_formats,
754  ONION_HANDSHAKE_TYPE_NTOR);
755 
756  if (desc->encrypted_data.intro_auth_types &&
757  smartlist_len(desc->encrypted_data.intro_auth_types)) {
758  /* Put the authentication-required line. */
760  " ", 0, NULL);
761  smartlist_add_asprintf(lines, "%s %s\n", str_intro_auth_required, buf);
762  tor_free(buf);
763  }
764 
766  smartlist_add_asprintf(lines, "%s\n", str_single_onion);
767  }
768  }
769 
770  /* Build the introduction point(s) section. */
772  const hs_desc_intro_point_t *, ip) {
773  char *encoded_ip = encode_intro_point(&desc->plaintext_data.signing_pubkey,
774  ip);
775  if (encoded_ip == NULL) {
776  log_err(LD_BUG, "HS desc intro point is malformed.");
777  goto err;
778  }
779  smartlist_add(lines, encoded_ip);
780  } SMARTLIST_FOREACH_END(ip);
781 
782  /* Build the entire encrypted data section into one encoded plaintext and
783  * then encrypt it. */
784  encoded_str = smartlist_join_strings(lines, "", 0, NULL);
785 
786  err:
787  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
788  smartlist_free(lines);
789 
790  return encoded_str;
791 }
792 
793 /** Create the middle layer of the descriptor, which includes the client auth
794  * data and the encrypted inner layer (provided as a base64 string at
795  * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
796  * layer plaintext. It's the responsibility of the caller to free the returned
797  * string. Can not fail. */
798 static char *
800  const char *layer2_b64_ciphertext)
801 {
802  char *layer1_str = NULL;
803  smartlist_t *lines = smartlist_new();
804 
805  /* Specify auth type */
806  smartlist_add_asprintf(lines, "%s %s\n", str_desc_auth_type, "x25519");
807 
808  { /* Print ephemeral x25519 key */
809  char ephemeral_key_base64[CURVE25519_BASE64_PADDED_LEN + 1];
810  const curve25519_public_key_t *ephemeral_pubkey;
811 
812  ephemeral_pubkey = &desc->superencrypted_data.auth_ephemeral_pubkey;
813  tor_assert(!fast_mem_is_zero((char *) ephemeral_pubkey->public_key,
815 
816  curve25519_public_to_base64(ephemeral_key_base64, ephemeral_pubkey);
817  smartlist_add_asprintf(lines, "%s %s\n",
818  str_desc_auth_key, ephemeral_key_base64);
819 
820  memwipe(ephemeral_key_base64, 0, sizeof(ephemeral_key_base64));
821  }
822 
823  { /* Create auth-client lines. */
824  char *auth_client_lines = get_all_auth_client_lines(desc);
825  tor_assert(auth_client_lines);
826  smartlist_add(lines, auth_client_lines);
827  }
828 
829  /* create encrypted section */
830  {
832  "%s\n"
833  "-----BEGIN MESSAGE-----\n"
834  "%s"
835  "-----END MESSAGE-----",
836  str_encrypted, layer2_b64_ciphertext);
837  }
838 
839  layer1_str = smartlist_join_strings(lines, "", 0, NULL);
840 
841  /* We need to memwipe all lines because it contains the ephemeral key */
842  SMARTLIST_FOREACH(lines, char *, a, memwipe(a, 0, strlen(a)));
843  SMARTLIST_FOREACH(lines, char *, a, tor_free(a));
844  smartlist_free(lines);
845 
846  return layer1_str;
847 }
848 
849 /** Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
850  * returning it. <b>desc</b> is provided to derive the encryption
851  * keys. <b>secret_data</b> is also proved to derive the encryption keys.
852  * <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
853  * middle (superencrypted) layer of the descriptor. It's the responsibility of
854  * the caller to free the returned string. */
855 static char *
857  const uint8_t *secret_data,
858  size_t secret_data_len,
859  const char *encoded_str,
860  int is_superencrypted_layer)
861 {
862  char *enc_b64;
863  ssize_t enc_b64_len, ret_len, enc_len;
864  char *encrypted_blob = NULL;
865 
866  enc_len = encrypt_descriptor_data(desc, secret_data, secret_data_len,
867  encoded_str, &encrypted_blob,
868  is_superencrypted_layer);
869  /* Get the encoded size plus a NUL terminating byte. */
870  enc_b64_len = base64_encode_size(enc_len, BASE64_ENCODE_MULTILINE) + 1;
871  enc_b64 = tor_malloc_zero(enc_b64_len);
872  /* Base64 the encrypted blob before returning it. */
873  ret_len = base64_encode(enc_b64, enc_b64_len, encrypted_blob, enc_len,
874  BASE64_ENCODE_MULTILINE);
875  /* Return length doesn't count the NUL byte. */
876  tor_assert(ret_len == (enc_b64_len - 1));
877  tor_free(encrypted_blob);
878 
879  return enc_b64;
880 }
881 
882 /** Generate the secret data which is used to encrypt/decrypt the descriptor.
883  *
884  * SECRET_DATA = blinded-public-key
885  * SECRET_DATA = blinded-public-key | descriptor_cookie
886  *
887  * The descriptor_cookie is optional but if it exists, it must be at least
888  * HS_DESC_DESCRIPTOR_COOKIE_LEN bytes long.
889  *
890  * A newly allocated secret data is put in secret_data_out. Return the
891  * length of the secret data. This function cannot fail. */
892 static size_t
894  const uint8_t *descriptor_cookie,
895  uint8_t **secret_data_out)
896 {
897  size_t secret_data_len;
898  uint8_t *secret_data;
899 
900  tor_assert(blinded_pubkey);
901  tor_assert(secret_data_out);
902 
903  if (descriptor_cookie) {
904  /* If the descriptor cookie is present, we need both the blinded
905  * pubkey and the descriptor cookie as a secret data. */
906  secret_data_len = ED25519_PUBKEY_LEN + HS_DESC_DESCRIPTOR_COOKIE_LEN;
907  secret_data = tor_malloc(secret_data_len);
908 
909  memcpy(secret_data,
910  blinded_pubkey->pubkey,
912  memcpy(secret_data + ED25519_PUBKEY_LEN,
913  descriptor_cookie,
914  HS_DESC_DESCRIPTOR_COOKIE_LEN);
915  } else {
916  /* If the descriptor cookie is not present, we need only the blinded
917  * pubkey as a secret data. */
918  secret_data_len = ED25519_PUBKEY_LEN;
919  secret_data = tor_malloc(secret_data_len);
920  memcpy(secret_data,
921  blinded_pubkey->pubkey,
923  }
924 
925  *secret_data_out = secret_data;
926  return secret_data_len;
927 }
928 
929 /** Generate and encode the superencrypted portion of <b>desc</b>. This also
930  * involves generating the encrypted portion of the descriptor, and performing
931  * the superencryption. A newly allocated NUL-terminated string pointer
932  * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
933  * on success else a negative value. */
934 static int
936  const uint8_t *descriptor_cookie,
937  char **encrypted_blob_out)
938 {
939  int ret = -1;
940  uint8_t *secret_data = NULL;
941  size_t secret_data_len = 0;
942  char *layer2_str = NULL;
943  char *layer2_b64_ciphertext = NULL;
944  char *layer1_str = NULL;
945  char *layer1_b64_ciphertext = NULL;
946 
947  tor_assert(desc);
948  tor_assert(encrypted_blob_out);
949 
950  /* Func logic: We first create the inner layer of the descriptor (layer2).
951  * We then encrypt it and use it to create the middle layer of the descriptor
952  * (layer1). Finally we superencrypt the middle layer and return it to our
953  * caller. */
954 
955  /* Create inner descriptor layer */
956  layer2_str = get_inner_encrypted_layer_plaintext(desc);
957  if (!layer2_str) {
958  goto err;
959  }
960 
961  secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
962  descriptor_cookie,
963  &secret_data);
964 
965  /* Encrypt and b64 the inner layer */
966  layer2_b64_ciphertext =
967  encrypt_desc_data_and_base64(desc, secret_data, secret_data_len,
968  layer2_str, 0);
969  if (!layer2_b64_ciphertext) {
970  goto err;
971  }
972 
973  /* Now create middle descriptor layer given the inner layer */
974  layer1_str = get_outer_encrypted_layer_plaintext(desc,layer2_b64_ciphertext);
975  if (!layer1_str) {
976  goto err;
977  }
978 
979  /* Encrypt and base64 the middle layer */
980  layer1_b64_ciphertext =
982  desc->plaintext_data.blinded_pubkey.pubkey,
984  layer1_str, 1);
985  if (!layer1_b64_ciphertext) {
986  goto err;
987  }
988 
989  /* Success! */
990  ret = 0;
991 
992  err:
993  memwipe(secret_data, 0, secret_data_len);
994  tor_free(secret_data);
995  tor_free(layer1_str);
996  tor_free(layer2_str);
997  tor_free(layer2_b64_ciphertext);
998 
999  *encrypted_blob_out = layer1_b64_ciphertext;
1000  return ret;
1001 }
1002 
1003 /** Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
1004  * newly allocated string of the encoded descriptor. On error, -1 is returned
1005  * and encoded_out is untouched. */
1006 static int
1008  const ed25519_keypair_t *signing_kp,
1009  const uint8_t *descriptor_cookie,
1010  char **encoded_out)
1011 {
1012  int ret = -1;
1013  char *encoded_str = NULL;
1014  size_t encoded_len;
1015  smartlist_t *lines = smartlist_new();
1016 
1017  tor_assert(desc);
1018  tor_assert(signing_kp);
1019  tor_assert(encoded_out);
1020  tor_assert(desc->plaintext_data.version == 3);
1021 
1022  /* Build the non-encrypted values. */
1023  {
1024  char *encoded_cert;
1025  /* Encode certificate then create the first line of the descriptor. */
1027  != CERT_TYPE_SIGNING_HS_DESC) {
1028  log_err(LD_BUG, "HS descriptor signing key has an unexpected cert type "
1029  "(%d)", (int) desc->plaintext_data.signing_key_cert->cert_type);
1030  goto err;
1031  }
1032  if (tor_cert_encode_ed22519(desc->plaintext_data.signing_key_cert,
1033  &encoded_cert) < 0) {
1034  /* The function will print error logs. */
1035  goto err;
1036  }
1037  /* Create the hs descriptor line. */
1038  smartlist_add_asprintf(lines, "%s %" PRIu32, str_hs_desc,
1039  desc->plaintext_data.version);
1040  /* Add the descriptor lifetime line (in minutes). */
1041  smartlist_add_asprintf(lines, "%s %" PRIu32, str_lifetime,
1042  desc->plaintext_data.lifetime_sec / 60);
1043  /* Create the descriptor certificate line. */
1044  smartlist_add_asprintf(lines, "%s\n%s", str_desc_cert, encoded_cert);
1045  tor_free(encoded_cert);
1046  /* Create the revision counter line. */
1047  smartlist_add_asprintf(lines, "%s %" PRIu64, str_rev_counter,
1049  }
1050 
1051  /* Build the superencrypted data section. */
1052  {
1053  char *enc_b64_blob=NULL;
1054  if (encode_superencrypted_data(desc, descriptor_cookie,
1055  &enc_b64_blob) < 0) {
1056  goto err;
1057  }
1058  smartlist_add_asprintf(lines,
1059  "%s\n"
1060  "-----BEGIN MESSAGE-----\n"
1061  "%s"
1062  "-----END MESSAGE-----",
1063  str_superencrypted, enc_b64_blob);
1064  tor_free(enc_b64_blob);
1065  }
1066 
1067  /* Join all lines in one string so we can generate a signature and append
1068  * it to the descriptor. */
1069  encoded_str = smartlist_join_strings(lines, "\n", 1, &encoded_len);
1070 
1071  /* Sign all fields of the descriptor with our short term signing key. */
1072  {
1073  ed25519_signature_t sig;
1074  char ed_sig_b64[ED25519_SIG_BASE64_LEN + 1];
1075  if (ed25519_sign_prefixed(&sig,
1076  (const uint8_t *) encoded_str, encoded_len,
1077  str_desc_sig_prefix, signing_kp) < 0) {
1078  log_warn(LD_BUG, "Can't sign encoded HS descriptor!");
1079  tor_free(encoded_str);
1080  goto err;
1081  }
1082  ed25519_signature_to_base64(ed_sig_b64, &sig);
1083  /* Create the signature line. */
1084  smartlist_add_asprintf(lines, "%s %s", str_signature, ed_sig_b64);
1085  }
1086  /* Free previous string that we used so compute the signature. */
1087  tor_free(encoded_str);
1088  encoded_str = smartlist_join_strings(lines, "\n", 1, NULL);
1089  *encoded_out = encoded_str;
1090 
1091  if (strlen(encoded_str) >= hs_cache_get_max_descriptor_size()) {
1092  log_warn(LD_GENERAL, "We just made an HS descriptor that's too big (%d)."
1093  "Failing.", (int)strlen(encoded_str));
1094  tor_free(encoded_str);
1095  goto err;
1096  }
1097 
1098  /* XXX: Trigger a control port event. */
1099 
1100  /* Success! */
1101  ret = 0;
1102 
1103  err:
1104  SMARTLIST_FOREACH(lines, char *, l, tor_free(l));
1105  smartlist_free(lines);
1106  return ret;
1107 }
1108 
1109 /* === DECODING === */
1110 
1111 /** Given the token tok for an auth client, decode it as
1112  * hs_desc_authorized_client_t. tok->args MUST contain at least 3 elements
1113  * Return 0 on success else -1 on failure. */
1114 static int
1117 {
1118  int ret = -1;
1119 
1120  tor_assert(tok);
1121  tor_assert(tok->n_args >= 3);
1122  tor_assert(client);
1123 
1124  if (base64_decode((char *) client->client_id, sizeof(client->client_id),
1125  tok->args[0], strlen(tok->args[0])) !=
1126  sizeof(client->client_id)) {
1127  goto done;
1128  }
1129  if (base64_decode((char *) client->iv, sizeof(client->iv),
1130  tok->args[1], strlen(tok->args[1])) !=
1131  sizeof(client->iv)) {
1132  goto done;
1133  }
1134  if (base64_decode((char *) client->encrypted_cookie,
1135  sizeof(client->encrypted_cookie),
1136  tok->args[2], strlen(tok->args[2])) !=
1137  sizeof(client->encrypted_cookie)) {
1138  goto done;
1139  }
1140 
1141  /* Success. */
1142  ret = 0;
1143  done:
1144  return ret;
1145 }
1146 
1147 /** Given an encoded string of the link specifiers, return a newly allocated
1148  * list of decoded link specifiers. Return NULL on error. */
1150 decode_link_specifiers(const char *encoded)
1151 {
1152  int decoded_len;
1153  size_t encoded_len, i;
1154  uint8_t *decoded;
1155  smartlist_t *results = NULL;
1156  link_specifier_list_t *specs = NULL;
1157 
1158  tor_assert(encoded);
1159 
1160  encoded_len = strlen(encoded);
1161  decoded = tor_malloc(encoded_len);
1162  decoded_len = base64_decode((char *) decoded, encoded_len, encoded,
1163  encoded_len);
1164  if (decoded_len < 0) {
1165  goto err;
1166  }
1167 
1168  if (link_specifier_list_parse(&specs, decoded,
1169  (size_t) decoded_len) < decoded_len) {
1170  goto err;
1171  }
1172  tor_assert(specs);
1173  results = smartlist_new();
1174 
1175  for (i = 0; i < link_specifier_list_getlen_spec(specs); i++) {
1176  link_specifier_t *ls = link_specifier_list_get_spec(specs, i);
1177  if (BUG(!ls)) {
1178  goto err;
1179  }
1180  link_specifier_t *ls_dup = link_specifier_dup(ls);
1181  if (BUG(!ls_dup)) {
1182  goto err;
1183  }
1184  smartlist_add(results, ls_dup);
1185  }
1186 
1187  goto done;
1188  err:
1189  if (results) {
1190  SMARTLIST_FOREACH(results, link_specifier_t *, s,
1191  link_specifier_free(s));
1192  smartlist_free(results);
1193  results = NULL;
1194  }
1195  done:
1196  link_specifier_list_free(specs);
1197  tor_free(decoded);
1198  return results;
1199 }
1200 
1201 /** Given a list of authentication types, decode it and put it in the encrypted
1202  * data section. Return 1 if we at least know one of the type or 0 if we know
1203  * none of them. */
1204 static int
1206 {
1207  int match = 0;
1208 
1209  tor_assert(desc);
1210  tor_assert(list);
1211 
1212  desc->intro_auth_types = smartlist_new();
1213  smartlist_split_string(desc->intro_auth_types, list, " ", 0, 0);
1214 
1215  /* Validate the types that we at least know about one. */
1216  SMARTLIST_FOREACH_BEGIN(desc->intro_auth_types, const char *, auth) {
1217  for (int idx = 0; intro_auth_types[idx].identifier; idx++) {
1218  if (!strncmp(auth, intro_auth_types[idx].identifier,
1219  strlen(intro_auth_types[idx].identifier))) {
1220  match = 1;
1221  break;
1222  }
1223  }
1224  } SMARTLIST_FOREACH_END(auth);
1225 
1226  return match;
1227 }
1228 
1229 /** Parse a space-delimited list of integers representing CREATE2 formats into
1230  * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
1231 static void
1233 {
1234  smartlist_t *tokens;
1235 
1236  tor_assert(desc);
1237  tor_assert(list);
1238 
1239  tokens = smartlist_new();
1240  smartlist_split_string(tokens, list, " ", 0, 0);
1241 
1242  SMARTLIST_FOREACH_BEGIN(tokens, char *, s) {
1243  int ok;
1244  unsigned long type = tor_parse_ulong(s, 10, 1, UINT16_MAX, &ok, NULL);
1245  if (!ok) {
1246  log_warn(LD_REND, "Unparseable value %s in create2 list", escaped(s));
1247  continue;
1248  }
1249  switch (type) {
1250  case ONION_HANDSHAKE_TYPE_NTOR:
1251  desc->create2_ntor = 1;
1252  break;
1253  default:
1254  /* We deliberately ignore unsupported handshake types */
1255  continue;
1256  }
1257  } SMARTLIST_FOREACH_END(s);
1258 
1259  SMARTLIST_FOREACH(tokens, char *, s, tor_free(s));
1260  smartlist_free(tokens);
1261 }
1262 
1263 /** Given a certificate, validate the certificate for certain conditions which
1264  * are if the given type matches the cert's one, if the signing key is
1265  * included and if the that key was actually used to sign the certificate.
1266  *
1267  * Return 1 iff if all conditions pass or 0 if one of them fails. */
1268 STATIC int
1269 cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
1270 {
1271  tor_assert(log_obj_type);
1272 
1273  if (cert == NULL) {
1274  log_warn(LD_REND, "Certificate for %s couldn't be parsed.", log_obj_type);
1275  goto err;
1276  }
1277  if (cert->cert_type != type) {
1278  log_warn(LD_REND, "Invalid cert type %02x for %s.", cert->cert_type,
1279  log_obj_type);
1280  goto err;
1281  }
1282  /* All certificate must have its signing key included. */
1283  if (!cert->signing_key_included) {
1284  log_warn(LD_REND, "Signing key is NOT included for %s.", log_obj_type);
1285  goto err;
1286  }
1287 
1288  /* The following will not only check if the signature matches but also the
1289  * expiration date and overall validity. */
1290  if (tor_cert_checksig(cert, &cert->signing_key, approx_time()) < 0) {
1291  if (cert->cert_expired) {
1292  char expiration_str[ISO_TIME_LEN+1];
1293  format_iso_time(expiration_str, cert->valid_until);
1294  log_fn(LOG_PROTOCOL_WARN, LD_REND, "Invalid signature for %s: %s (%s)",
1295  log_obj_type, tor_cert_describe_signature_status(cert),
1296  expiration_str);
1297  } else {
1298  log_warn(LD_REND, "Invalid signature for %s: %s",
1299  log_obj_type, tor_cert_describe_signature_status(cert));
1300  }
1301  goto err;
1302  }
1303 
1304  return 1;
1305  err:
1306  return 0;
1307 }
1308 
1309 /** Given some binary data, try to parse it to get a certificate object. If we
1310  * have a valid cert, validate it using the given wanted type. On error, print
1311  * a log using the err_msg has the certificate identifier adding semantic to
1312  * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
1313  * points to a newly allocated certificate object. */
1314 static int
1315 cert_parse_and_validate(tor_cert_t **cert_out, const char *data,
1316  size_t data_len, unsigned int cert_type_wanted,
1317  const char *err_msg)
1318 {
1319  tor_cert_t *cert;
1320 
1321  tor_assert(cert_out);
1322  tor_assert(data);
1323  tor_assert(err_msg);
1324 
1325  /* Parse certificate. */
1326  cert = tor_cert_parse((const uint8_t *) data, data_len);
1327  if (!cert) {
1328  log_warn(LD_REND, "Certificate for %s couldn't be parsed.", err_msg);
1329  goto err;
1330  }
1331 
1332  /* Validate certificate. */
1333  if (!cert_is_valid(cert, cert_type_wanted, err_msg)) {
1334  goto err;
1335  }
1336 
1337  *cert_out = cert;
1338  return 0;
1339 
1340  err:
1341  tor_cert_free(cert);
1342  *cert_out = NULL;
1343  return -1;
1344 }
1345 
1346 /** Return true iff the given length of the encrypted data of a descriptor
1347  * passes validation. */
1348 STATIC int
1350 {
1351  /* Make sure there is enough data for the salt and the mac. The equality is
1352  there to ensure that there is at least one byte of encrypted data. */
1354  log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
1355  "Got %lu but minimum value is %d",
1356  (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
1357  goto err;
1358  }
1359 
1360  return 1;
1361  err:
1362  return 0;
1363 }
1364 
1365 /** Build the KEYS component for the authorized client computation. The format
1366  * of the construction is:
1367  *
1368  * SECRET_SEED = x25519(sk, pk)
1369  * KEYS = KDF(subcredential | SECRET_SEED, 40)
1370  *
1371  * Set the <b>keys_out</b> argument to point to the buffer containing the KEYS,
1372  * and return the buffer's length. The caller should wipe and free its content
1373  * once done with it. This function can't fail. */
1374 static size_t
1376  const curve25519_secret_key_t *sk,
1377  const curve25519_public_key_t *pk,
1378  uint8_t **keys_out)
1379 {
1380  uint8_t secret_seed[CURVE25519_OUTPUT_LEN];
1381  uint8_t *keystream;
1382  size_t keystream_len = HS_DESC_CLIENT_ID_LEN + HS_DESC_COOKIE_KEY_LEN;
1383  crypto_xof_t *xof;
1384 
1385  tor_assert(subcredential);
1386  tor_assert(sk);
1387  tor_assert(pk);
1388  tor_assert(keys_out);
1389 
1390  keystream = tor_malloc_zero(keystream_len);
1391 
1392  /* Calculate x25519(sk, pk) to get the secret seed. */
1393  curve25519_handshake(secret_seed, sk, pk);
1394 
1395  /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
1396  xof = crypto_xof_new();
1397  crypto_xof_add_bytes(xof, subcredential->subcred, SUBCRED_LEN);
1398  crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
1399  crypto_xof_squeeze_bytes(xof, keystream, keystream_len);
1400  crypto_xof_free(xof);
1401 
1402  memwipe(secret_seed, 0, sizeof(secret_seed));
1403 
1404  *keys_out = keystream;
1405  return keystream_len;
1406 }
1407 
1408 /** Decrypt the descriptor cookie given the descriptor, the auth client,
1409  * and the client secret key. On sucess, return 0 and a newly allocated
1410  * descriptor cookie descriptor_cookie_out. On error or if the client id
1411  * is invalid, return -1 and descriptor_cookie_out is set to
1412  * NULL. */
1413 static int
1415  const hs_desc_authorized_client_t *client,
1416  const curve25519_secret_key_t *client_auth_sk,
1417  uint8_t **descriptor_cookie_out)
1418 {
1419  int ret = -1;
1420  uint8_t *keystream = NULL;
1421  size_t keystream_length = 0;
1422  uint8_t *descriptor_cookie = NULL;
1423  const uint8_t *cookie_key = NULL;
1424  crypto_cipher_t *cipher = NULL;
1425 
1426  tor_assert(desc);
1427  tor_assert(client);
1428  tor_assert(client_auth_sk);
1432  tor_assert(!fast_mem_is_zero((char *) client_auth_sk,
1433  sizeof(*client_auth_sk)));
1434  tor_assert(!fast_mem_is_zero((char *) desc->subcredential.subcred,
1435  DIGEST256_LEN));
1436 
1437  /* Get the KEYS component to derive the CLIENT-ID and COOKIE-KEY. */
1438  keystream_length =
1440  client_auth_sk,
1442  &keystream);
1443  tor_assert(keystream_length > 0);
1444 
1445  /* If the client id of auth client is not the same as the calculcated
1446  * client id, it means that this auth client is invaild according to the
1447  * client secret key client_auth_sk. */
1448  if (tor_memneq(client->client_id, keystream, HS_DESC_CLIENT_ID_LEN)) {
1449  goto done;
1450  }
1451  cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
1452 
1453  /* This creates a cipher for AES. It can't fail. */
1454  cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client->iv,
1455  HS_DESC_COOKIE_KEY_BIT_SIZE);
1456  descriptor_cookie = tor_malloc_zero(HS_DESC_DESCRIPTOR_COOKIE_LEN);
1457  /* This can't fail. */
1458  crypto_cipher_decrypt(cipher, (char *) descriptor_cookie,
1459  (const char *) client->encrypted_cookie,
1460  sizeof(client->encrypted_cookie));
1461 
1462  /* Success. */
1463  ret = 0;
1464  done:
1465  *descriptor_cookie_out = descriptor_cookie;
1466  if (cipher) {
1467  crypto_cipher_free(cipher);
1468  }
1469  memwipe(keystream, 0, keystream_length);
1470  tor_free(keystream);
1471  return ret;
1472 }
1473 
1474 /** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
1475  * <b>encrypted_blob_size</b>. The descriptor cookie is optional. Use
1476  * the descriptor object <b>desc</b> and <b>descriptor_cookie</b>
1477  * to generate the right decryption keys; set <b>decrypted_out</b> to
1478  * the plaintext. If <b>is_superencrypted_layer</b> is set, this is
1479  * the outter encrypted layer of the descriptor.
1480  *
1481  * On any error case, including an empty output, return 0 and set
1482  * *<b>decrypted_out</b> to NULL.
1483  */
1484 MOCK_IMPL(STATIC size_t,
1485 decrypt_desc_layer,(const hs_descriptor_t *desc,
1486  const uint8_t *descriptor_cookie,
1487  bool is_superencrypted_layer,
1488  char **decrypted_out))
1489 {
1490  uint8_t *decrypted = NULL;
1491  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
1492  uint8_t *secret_data = NULL;
1493  size_t secret_data_len = 0;
1494  uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
1495  const uint8_t *salt, *encrypted, *desc_mac;
1496  size_t encrypted_len, result_len = 0;
1497  const uint8_t *encrypted_blob = (is_superencrypted_layer)
1500  size_t encrypted_blob_size = (is_superencrypted_layer)
1503 
1504  tor_assert(decrypted_out);
1505  tor_assert(desc);
1506  tor_assert(encrypted_blob);
1507 
1508  /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
1509  * Make sure we have enough space for all these things. */
1510  if (!encrypted_data_length_is_valid(encrypted_blob_size)) {
1511  goto err;
1512  }
1513 
1514  /* Start of the blob thus the salt. */
1515  salt = encrypted_blob;
1516 
1517  /* Next is the encrypted data. */
1518  encrypted = encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN;
1519  encrypted_len = encrypted_blob_size -
1521  tor_assert(encrypted_len > 0); /* guaranteed by the check above */
1522 
1523  /* And last comes the MAC. */
1524  desc_mac = encrypted_blob + encrypted_blob_size - DIGEST256_LEN;
1525 
1526  /* Build secret data to be used in the decryption. */
1527  secret_data_len = build_secret_data(&desc->plaintext_data.blinded_pubkey,
1528  descriptor_cookie,
1529  &secret_data);
1530 
1531  /* KDF construction resulting in a key from which the secret key, IV and MAC
1532  * key are extracted which is what we need for the decryption. */
1533  build_secret_key_iv_mac(desc, secret_data, secret_data_len,
1535  secret_key, sizeof(secret_key),
1536  secret_iv, sizeof(secret_iv),
1537  mac_key, sizeof(mac_key),
1538  is_superencrypted_layer);
1539 
1540  /* Build MAC. */
1541  build_mac(mac_key, sizeof(mac_key), salt, HS_DESC_ENCRYPTED_SALT_LEN,
1542  encrypted, encrypted_len, our_mac, sizeof(our_mac));
1543  memwipe(mac_key, 0, sizeof(mac_key));
1544  /* Verify MAC; MAC is H(mac_key || salt || encrypted)
1545  *
1546  * This is a critical check that is making sure the computed MAC matches the
1547  * one in the descriptor. */
1548  if (!tor_memeq(our_mac, desc_mac, sizeof(our_mac))) {
1549  log_info(LD_REND, "Encrypted service descriptor MAC check failed");
1550  goto err;
1551  }
1552 
1553  {
1554  /* Decrypt. Here we are assured that the encrypted length is valid for
1555  * decryption. */
1556  crypto_cipher_t *cipher;
1557 
1558  cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
1559  HS_DESC_ENCRYPTED_BIT_SIZE);
1560  /* Extra byte for the NUL terminated byte. */
1561  decrypted = tor_malloc_zero(encrypted_len + 1);
1562  crypto_cipher_decrypt(cipher, (char *) decrypted,
1563  (const char *) encrypted, encrypted_len);
1564  crypto_cipher_free(cipher);
1565  }
1566 
1567  {
1568  /* Adjust length to remove NUL padding bytes */
1569  uint8_t *end = memchr(decrypted, 0, encrypted_len);
1570  result_len = encrypted_len;
1571  if (end) {
1572  result_len = end - decrypted;
1573  }
1574  }
1575 
1576  if (result_len == 0) {
1577  /* Treat this as an error, so that somebody will free the output. */
1578  goto err;
1579  }
1580 
1581  /* Make sure to NUL terminate the string. */
1582  decrypted[encrypted_len] = '\0';
1583  *decrypted_out = (char *) decrypted;
1584  goto done;
1585 
1586  err:
1587  if (decrypted) {
1588  tor_free(decrypted);
1589  }
1590  *decrypted_out = NULL;
1591  result_len = 0;
1592 
1593  done:
1594  memwipe(secret_data, 0, secret_data_len);
1595  memwipe(secret_key, 0, sizeof(secret_key));
1596  memwipe(secret_iv, 0, sizeof(secret_iv));
1597  tor_free(secret_data);
1598  return result_len;
1599 }
1600 
1601 /** Decrypt the superencrypted section of the descriptor using the given
1602  * descriptor object <b>desc</b>. A newly allocated NUL terminated string is
1603  * put in decrypted_out which contains the superencrypted layer of the
1604  * descriptor. Return the length of decrypted_out on success else 0 is
1605  * returned and decrypted_out is set to NULL. */
1606 static size_t
1607 desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
1608 {
1609  size_t superencrypted_len = 0;
1610  char *superencrypted_plaintext = NULL;
1611 
1612  tor_assert(desc);
1613  tor_assert(decrypted_out);
1614 
1615  superencrypted_len = decrypt_desc_layer(desc,
1616  NULL,
1617  true, &superencrypted_plaintext);
1618 
1619  if (!superencrypted_len) {
1620  log_warn(LD_REND, "Decrypting superencrypted desc failed.");
1621  goto done;
1622  }
1623  tor_assert(superencrypted_plaintext);
1624 
1625  done:
1626  /* In case of error, superencrypted_plaintext is already NULL, so the
1627  * following line makes sense. */
1628  *decrypted_out = superencrypted_plaintext;
1629  /* This makes sense too, because, in case of error, this is zero. */
1630  return superencrypted_len;
1631 }
1632 
1633 /** Decrypt the encrypted section of the descriptor using the given descriptor
1634  * object <b>desc</b>. A newly allocated NUL terminated string is put in
1635  * decrypted_out which contains the encrypted layer of the descriptor.
1636  * Return the length of decrypted_out on success else 0 is returned and
1637  * decrypted_out is set to NULL. */
1638 static size_t
1640  const curve25519_secret_key_t *client_auth_sk,
1641  char **decrypted_out)
1642 {
1643  size_t encrypted_len = 0;
1644  char *encrypted_plaintext = NULL;
1645  uint8_t *descriptor_cookie = NULL;
1646 
1647  tor_assert(desc);
1649  tor_assert(decrypted_out);
1650 
1651  /* If the client secret key is provided, try to find a valid descriptor
1652  * cookie. Otherwise, leave it NULL. */
1653  if (client_auth_sk) {
1655  hs_desc_authorized_client_t *, client) {
1656  /* If we can decrypt the descriptor cookie successfully, we will use that
1657  * descriptor cookie and break from the loop. */
1658  if (!decrypt_descriptor_cookie(desc, client, client_auth_sk,
1659  &descriptor_cookie)) {
1660  break;
1661  }
1662  } SMARTLIST_FOREACH_END(client);
1663  }
1664 
1665  encrypted_len = decrypt_desc_layer(desc,
1666  descriptor_cookie,
1667  false, &encrypted_plaintext);
1668 
1669  if (!encrypted_len) {
1670  goto err;
1671  }
1672  tor_assert(encrypted_plaintext);
1673 
1674  err:
1675  /* In case of error, encrypted_plaintext is already NULL, so the
1676  * following line makes sense. */
1677  *decrypted_out = encrypted_plaintext;
1678  if (descriptor_cookie) {
1679  memwipe(descriptor_cookie, 0, HS_DESC_DESCRIPTOR_COOKIE_LEN);
1680  }
1681  tor_free(descriptor_cookie);
1682  /* This makes sense too, because, in case of error, this is zero. */
1683  return encrypted_len;
1684 }
1685 
1686 /** Given the token tok for an intro point legacy key, the list of tokens, the
1687  * introduction point ip being decoded and the descriptor desc from which it
1688  * comes from, decode the legacy key and set the intro point object. Return 0
1689  * on success else -1 on failure. */
1690 static int
1692  smartlist_t *tokens,
1694  const hs_descriptor_t *desc)
1695 {
1696  tor_assert(tok);
1697  tor_assert(tokens);
1698  tor_assert(ip);
1699  tor_assert(desc);
1700 
1701  if (!crypto_pk_public_exponent_ok(tok->key)) {
1702  log_warn(LD_REND, "Introduction point legacy key is invalid");
1703  goto err;
1704  }
1705  ip->legacy.key = crypto_pk_dup_key(tok->key);
1706  /* Extract the legacy cross certification cert which MUST be present if we
1707  * have a legacy key. */
1708  tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY_CERT);
1709  if (!tok) {
1710  log_warn(LD_REND, "Introduction point legacy key cert is missing");
1711  goto err;
1712  }
1713  tor_assert(tok->object_body);
1714  if (strcmp(tok->object_type, "CROSSCERT")) {
1715  /* Info level because this might be an unknown field that we should
1716  * ignore. */
1717  log_info(LD_REND, "Introduction point legacy encryption key "
1718  "cross-certification has an unknown format.");
1719  goto err;
1720  }
1721  /* Keep a copy of the certificate. */
1722  ip->legacy.cert.encoded = tor_memdup(tok->object_body, tok->object_size);
1723  ip->legacy.cert.len = tok->object_size;
1724  /* The check on the expiration date is for the entire lifetime of a
1725  * certificate which is 24 hours. However, a descriptor has a maximum
1726  * lifetime of 12 hours meaning we have a 12h difference between the two
1727  * which ultimately accommodate the clock skewed client. */
1728  if (rsa_ed25519_crosscert_check(ip->legacy.cert.encoded,
1729  ip->legacy.cert.len, ip->legacy.key,
1732  log_warn(LD_REND, "Unable to check cross-certification on the "
1733  "introduction point legacy encryption key.");
1734  ip->cross_certified = 0;
1735  goto err;
1736  }
1737 
1738  /* Success. */
1739  return 0;
1740  err:
1741  return -1;
1742 }
1743 
1744 /** Dig into the descriptor <b>tokens</b> to find the onion key we should use
1745  * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
1746  * was found and well-formed, otherwise return -1 in case of errors. */
1747 static int
1749  const smartlist_t *tokens)
1750 {
1751  int retval = -1;
1752  smartlist_t *onion_keys = NULL;
1753 
1754  tor_assert(onion_key_out);
1755 
1756  onion_keys = find_all_by_keyword(tokens, R3_INTRO_ONION_KEY);
1757  if (!onion_keys) {
1758  log_warn(LD_REND, "Descriptor did not contain intro onion keys");
1759  goto err;
1760  }
1761 
1762  SMARTLIST_FOREACH_BEGIN(onion_keys, directory_token_t *, tok) {
1763  /* This field is using GE(2) so for possible forward compatibility, we
1764  * accept more fields but must be at least 2. */
1765  tor_assert(tok->n_args >= 2);
1766 
1767  /* Try to find an ntor key, it's the only recognized type right now */
1768  if (!strcmp(tok->args[0], "ntor")) {
1769  if (curve25519_public_from_base64(onion_key_out, tok->args[1]) < 0) {
1770  log_warn(LD_REND, "Introduction point ntor onion-key is invalid");
1771  goto err;
1772  }
1773  /* Got the onion key! Set the appropriate retval */
1774  retval = 0;
1775  }
1776  } SMARTLIST_FOREACH_END(tok);
1777 
1778  /* Log an error if we didn't find it :( */
1779  if (retval < 0) {
1780  log_warn(LD_REND, "Descriptor did not contain ntor onion keys");
1781  }
1782 
1783  err:
1784  smartlist_free(onion_keys);
1785  return retval;
1786 }
1787 
1788 /** Given the start of a section and the end of it, decode a single
1789  * introduction point from that section. Return a newly allocated introduction
1790  * point object containing the decoded data. Return NULL if the section can't
1791  * be decoded. */
1793 decode_introduction_point(const hs_descriptor_t *desc, const char *start)
1794 {
1795  hs_desc_intro_point_t *ip = NULL;
1796  memarea_t *area = NULL;
1797  smartlist_t *tokens = NULL;
1798  const directory_token_t *tok;
1799 
1800  tor_assert(desc);
1801  tor_assert(start);
1802 
1803  area = memarea_new();
1804  tokens = smartlist_new();
1805  if (tokenize_string(area, start, start + strlen(start),
1806  tokens, hs_desc_intro_point_v3_token_table, 0) < 0) {
1807  log_warn(LD_REND, "Introduction point is not parseable");
1808  goto err;
1809  }
1810 
1811  /* Ok we seem to have a well formed section containing enough tokens to
1812  * parse. Allocate our IP object and try to populate it. */
1813  ip = hs_desc_intro_point_new();
1814 
1815  /* "introduction-point" SP link-specifiers NL */
1816  tok = find_by_keyword(tokens, R3_INTRODUCTION_POINT);
1817  tor_assert(tok->n_args == 1);
1818  /* Our constructor creates this list by default so free it. */
1819  smartlist_free(ip->link_specifiers);
1821  if (!ip->link_specifiers) {
1822  log_warn(LD_REND, "Introduction point has invalid link specifiers");
1823  goto err;
1824  }
1825 
1826  /* "onion-key" SP ntor SP key NL */
1827  if (set_intro_point_onion_key(&ip->onion_key, tokens) < 0) {
1828  goto err;
1829  }
1830 
1831  /* "auth-key" NL certificate NL */
1832  tok = find_by_keyword(tokens, R3_INTRO_AUTH_KEY);
1833  tor_assert(tok->object_body);
1834  if (strcmp(tok->object_type, "ED25519 CERT")) {
1835  log_warn(LD_REND, "Unexpected object type for introduction auth key");
1836  goto err;
1837  }
1838  /* Parse cert and do some validation. */
1840  tok->object_size, CERT_TYPE_AUTH_HS_IP_KEY,
1841  "introduction point auth-key") < 0) {
1842  goto err;
1843  }
1844  /* Validate authentication certificate with descriptor signing key. */
1846  &desc->plaintext_data.signing_pubkey, 0) < 0) {
1847  log_warn(LD_REND, "Invalid authentication key signature: %s",
1849  goto err;
1850  }
1851 
1852  /* Exactly one "enc-key" SP "ntor" SP key NL */
1853  tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY);
1854  if (!strcmp(tok->args[0], "ntor")) {
1855  /* This field is using GE(2) so for possible forward compatibility, we
1856  * accept more fields but must be at least 2. */
1857  tor_assert(tok->n_args >= 2);
1858 
1859  if (curve25519_public_from_base64(&ip->enc_key, tok->args[1]) < 0) {
1860  log_warn(LD_REND, "Introduction point ntor enc-key is invalid");
1861  goto err;
1862  }
1863  } else {
1864  /* Unknown key type so we can't use that introduction point. */
1865  log_warn(LD_REND, "Introduction point encryption key is unrecognized.");
1866  goto err;
1867  }
1868 
1869  /* Exactly once "enc-key-cert" NL certificate NL */
1870  tok = find_by_keyword(tokens, R3_INTRO_ENC_KEY_CERT);
1871  tor_assert(tok->object_body);
1872  /* Do the cross certification. */
1873  if (strcmp(tok->object_type, "ED25519 CERT")) {
1874  log_warn(LD_REND, "Introduction point ntor encryption key "
1875  "cross-certification has an unknown format.");
1876  goto err;
1877  }
1879  tok->object_size, CERT_TYPE_CROSS_HS_IP_KEYS,
1880  "introduction point enc-key-cert") < 0) {
1881  goto err;
1882  }
1884  &desc->plaintext_data.signing_pubkey, 0) < 0) {
1885  log_warn(LD_REND, "Invalid encryption key signature: %s",
1887  goto err;
1888  }
1889  /* It is successfully cross certified. Flag the object. */
1890  ip->cross_certified = 1;
1891 
1892  /* Do we have a "legacy-key" SP key NL ?*/
1893  tok = find_opt_by_keyword(tokens, R3_INTRO_LEGACY_KEY);
1894  if (tok) {
1895  if (decode_intro_legacy_key(tok, tokens, ip, desc) < 0) {
1896  goto err;
1897  }
1898  }
1899 
1900  /* Introduction point has been parsed successfully. */
1901  goto done;
1902 
1903  err:
1904  hs_desc_intro_point_free(ip);
1905  ip = NULL;
1906 
1907  done:
1909  smartlist_free(tokens);
1910  if (area) {
1911  memarea_drop_all(area);
1912  }
1913 
1914  return ip;
1915 }
1916 
1917 /** Given a descriptor string at <b>data</b>, decode all possible introduction
1918  * points that we can find. Add the introduction point object to desc_enc as we
1919  * find them. This function can't fail and it is possible that zero
1920  * introduction points can be decoded. */
1921 static void
1923  hs_desc_encrypted_data_t *desc_enc,
1924  const char *data)
1925 {
1926  smartlist_t *chunked_desc = smartlist_new();
1927  smartlist_t *intro_points = smartlist_new();
1928 
1929  tor_assert(desc);
1930  tor_assert(desc_enc);
1931  tor_assert(data);
1932  tor_assert(desc_enc->intro_points);
1933 
1934  /* Take the desc string, and extract the intro point substrings out of it */
1935  {
1936  /* Split the descriptor string using the intro point header as delimiter */
1937  smartlist_split_string(chunked_desc, data, str_intro_point_start, 0, 0);
1938 
1939  /* Check if there are actually any intro points included. The first chunk
1940  * should be other descriptor fields (e.g. create2-formats), so it's not an
1941  * intro point. */
1942  if (smartlist_len(chunked_desc) < 2) {
1943  goto done;
1944  }
1945  }
1946 
1947  /* Take the intro point substrings, and prepare them for parsing */
1948  {
1949  int i = 0;
1950  /* Prepend the introduction-point header to all the chunks, since
1951  smartlist_split_string() devoured it. */
1952  SMARTLIST_FOREACH_BEGIN(chunked_desc, char *, chunk) {
1953  /* Ignore first chunk. It's other descriptor fields. */
1954  if (i++ == 0) {
1955  continue;
1956  }
1957 
1958  smartlist_add_asprintf(intro_points, "%s %s", str_intro_point, chunk);
1959  } SMARTLIST_FOREACH_END(chunk);
1960  }
1961 
1962  /* Parse the intro points! */
1963  SMARTLIST_FOREACH_BEGIN(intro_points, const char *, intro_point) {
1964  hs_desc_intro_point_t *ip = decode_introduction_point(desc, intro_point);
1965  if (!ip) {
1966  /* Malformed introduction point section. We'll ignore this introduction
1967  * point and continue parsing. New or unknown fields are possible for
1968  * forward compatibility. */
1969  continue;
1970  }
1971  smartlist_add(desc_enc->intro_points, ip);
1972  } SMARTLIST_FOREACH_END(intro_point);
1973 
1974  done:
1975  SMARTLIST_FOREACH(chunked_desc, char *, a, tor_free(a));
1976  smartlist_free(chunked_desc);
1977  SMARTLIST_FOREACH(intro_points, char *, a, tor_free(a));
1978  smartlist_free(intro_points);
1979 }
1980 
1981 /** Return 1 iff the given base64 encoded signature in b64_sig from the encoded
1982  * descriptor in encoded_desc validates the descriptor content. */
1983 STATIC int
1984 desc_sig_is_valid(const char *b64_sig,
1985  const ed25519_public_key_t *signing_pubkey,
1986  const char *encoded_desc, size_t encoded_len)
1987 {
1988  int ret = 0;
1989  ed25519_signature_t sig;
1990  const char *sig_start;
1991 
1992  tor_assert(b64_sig);
1993  tor_assert(signing_pubkey);
1994  tor_assert(encoded_desc);
1995  /* Verifying nothing won't end well :). */
1996  tor_assert(encoded_len > 0);
1997 
1998  /* Signature length check. */
1999  if (strlen(b64_sig) != ED25519_SIG_BASE64_LEN) {
2000  log_warn(LD_REND, "Service descriptor has an invalid signature length."
2001  "Exptected %d but got %lu",
2002  ED25519_SIG_BASE64_LEN, (unsigned long) strlen(b64_sig));
2003  goto err;
2004  }
2005 
2006  /* First, convert base64 blob to an ed25519 signature. */
2007  if (ed25519_signature_from_base64(&sig, b64_sig) != 0) {
2008  log_warn(LD_REND, "Service descriptor does not contain a valid "
2009  "signature");
2010  goto err;
2011  }
2012 
2013  /* Find the start of signature. */
2014  sig_start = tor_memstr(encoded_desc, encoded_len, "\n" str_signature " ");
2015  /* Getting here means the token parsing worked for the signature so if we
2016  * can't find the start of the signature, we have a code flow issue. */
2017  if (!sig_start) {
2018  log_warn(LD_GENERAL, "Malformed signature line. Rejecting.");
2019  goto err;
2020  }
2021  /* Skip newline, it has to go in the signature check. */
2022  sig_start++;
2023 
2024  /* Validate signature with the full body of the descriptor. */
2025  if (ed25519_checksig_prefixed(&sig,
2026  (const uint8_t *) encoded_desc,
2027  sig_start - encoded_desc,
2028  str_desc_sig_prefix,
2029  signing_pubkey) != 0) {
2030  log_warn(LD_REND, "Invalid signature on service descriptor");
2031  goto err;
2032  }
2033  /* Valid signature! All is good. */
2034  ret = 1;
2035 
2036  err:
2037  return ret;
2038 }
2039 
2040 /** Decode descriptor plaintext data for version 3. Given a list of tokens, an
2041  * allocated plaintext object that will be populated and the encoded
2042  * descriptor with its length. The last one is needed for signature
2043  * verification. Unknown tokens are simply ignored so this won't error on
2044  * unknowns but requires that all v3 token be present and valid.
2045  *
2046  * Return 0 on success else a negative value. */
2050  const char *encoded_desc, size_t encoded_len)
2051 {
2052  int ok;
2053  directory_token_t *tok;
2054 
2055  tor_assert(tokens);
2056  tor_assert(desc);
2057  /* Version higher could still use this function to decode most of the
2058  * descriptor and then they decode the extra part. */
2059  tor_assert(desc->version >= 3);
2060 
2061  /* Descriptor lifetime parsing. */
2062  tok = find_by_keyword(tokens, R3_DESC_LIFETIME);
2063  tor_assert(tok->n_args == 1);
2064  desc->lifetime_sec = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2065  UINT32_MAX, &ok, NULL);
2066  if (!ok) {
2067  log_warn(LD_REND, "Service descriptor lifetime value is invalid");
2068  goto err;
2069  }
2070  /* Put it from minute to second. */
2071  desc->lifetime_sec *= 60;
2072  if (desc->lifetime_sec > HS_DESC_MAX_LIFETIME) {
2073  log_warn(LD_REND, "Service descriptor lifetime is too big. "
2074  "Got %" PRIu32 " but max is %d",
2076  goto err;
2077  }
2078 
2079  /* Descriptor signing certificate. */
2080  tok = find_by_keyword(tokens, R3_DESC_SIGNING_CERT);
2081  tor_assert(tok->object_body);
2082  /* Expecting a prop220 cert with the signing key extension, which contains
2083  * the blinded public key. */
2084  if (strcmp(tok->object_type, "ED25519 CERT") != 0) {
2085  log_warn(LD_REND, "Service descriptor signing cert wrong type (%s)",
2086  escaped(tok->object_type));
2087  goto err;
2088  }
2090  tok->object_size, CERT_TYPE_SIGNING_HS_DESC,
2091  "service descriptor signing key") < 0) {
2092  goto err;
2093  }
2094 
2095  /* Copy the public keys into signing_pubkey and blinded_pubkey */
2096  memcpy(&desc->signing_pubkey, &desc->signing_key_cert->signed_key,
2097  sizeof(ed25519_public_key_t));
2098  memcpy(&desc->blinded_pubkey, &desc->signing_key_cert->signing_key,
2099  sizeof(ed25519_public_key_t));
2100 
2101  /* Extract revision counter value. */
2102  tok = find_by_keyword(tokens, R3_REVISION_COUNTER);
2103  tor_assert(tok->n_args == 1);
2104  desc->revision_counter = tor_parse_uint64(tok->args[0], 10, 0,
2105  UINT64_MAX, &ok, NULL);
2106  if (!ok) {
2107  log_warn(LD_REND, "Service descriptor revision-counter is invalid");
2108  goto err;
2109  }
2110 
2111  /* Extract the superencrypted data section. */
2112  tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
2113  tor_assert(tok->object_body);
2114  if (strcmp(tok->object_type, "MESSAGE") != 0) {
2115  log_warn(LD_REND, "Desc superencrypted data section is invalid");
2116  goto err;
2117  }
2118  /* Make sure the length of the superencrypted blob is valid. */
2120  goto err;
2121  }
2122 
2123  /* Copy the superencrypted blob to the descriptor object so we can handle it
2124  * latter if needed. */
2125  desc->superencrypted_blob = tor_memdup(tok->object_body, tok->object_size);
2127 
2128  /* Extract signature and verify it. */
2129  tok = find_by_keyword(tokens, R3_SIGNATURE);
2130  tor_assert(tok->n_args == 1);
2131  /* First arg here is the actual encoded signature. */
2132  if (!desc_sig_is_valid(tok->args[0], &desc->signing_pubkey,
2133  encoded_desc, encoded_len)) {
2134  goto err;
2135  }
2136 
2137  return HS_DESC_DECODE_OK;
2138  err:
2139  return HS_DESC_DECODE_PLAINTEXT_ERROR;
2140 }
2141 
2142 /** Decode the version 3 superencrypted section of the given descriptor desc.
2143  * The desc_superencrypted_out will be populated with the decoded data. */
2147  desc_superencrypted_out)
2148 {
2149  int ret = HS_DESC_DECODE_SUPERENC_ERROR;
2150  char *message = NULL;
2151  size_t message_len;
2152  memarea_t *area = NULL;
2153  directory_token_t *tok;
2154  smartlist_t *tokens = NULL;
2155  /* Rename the parameter because it is too long. */
2156  hs_desc_superencrypted_data_t *superencrypted = desc_superencrypted_out;
2157 
2158  tor_assert(desc);
2159  tor_assert(desc_superencrypted_out);
2160 
2161  /* Decrypt the superencrypted data that is located in the plaintext section
2162  * in the descriptor as a blob of bytes. */
2163  message_len = desc_decrypt_superencrypted(desc, &message);
2164  if (!message_len) {
2165  log_warn(LD_REND, "Service descriptor decryption failed.");
2166  goto err;
2167  }
2168  tor_assert(message);
2169 
2170  area = memarea_new();
2171  tokens = smartlist_new();
2172  if (tokenize_string(area, message, message + message_len,
2173  tokens, hs_desc_superencrypted_v3_token_table, 0) < 0) {
2174  log_warn(LD_REND, "Superencrypted service descriptor is not parseable.");
2175  goto err;
2176  }
2177 
2178  /* Verify desc auth type */
2179  tok = find_by_keyword(tokens, R3_DESC_AUTH_TYPE);
2180  tor_assert(tok->n_args >= 1);
2181  if (strcmp(tok->args[0], "x25519")) {
2182  log_warn(LD_DIR, "Unrecognized desc auth type");
2183  goto err;
2184  }
2185 
2186  /* Extract desc auth ephemeral key */
2187  tok = find_by_keyword(tokens, R3_DESC_AUTH_KEY);
2188  tor_assert(tok->n_args >= 1);
2190  tok->args[0]) < 0) {
2191  log_warn(LD_DIR, "Bogus desc auth ephemeral key in HS desc");
2192  goto err;
2193  }
2194 
2195  /* Extract desc auth client items */
2196  if (!superencrypted->clients) {
2197  superencrypted->clients = smartlist_new();
2198  }
2199  SMARTLIST_FOREACH_BEGIN(tokens, const directory_token_t *, token) {
2200  if (token->tp == R3_DESC_AUTH_CLIENT) {
2201  tor_assert(token->n_args >= 3);
2202 
2203  hs_desc_authorized_client_t *client =
2204  tor_malloc_zero(sizeof(hs_desc_authorized_client_t));
2205 
2206  if (decode_auth_client(token, client) < 0) {
2207  log_warn(LD_REND, "Descriptor client authorization section can't "
2208  "be decoded.");
2209  tor_free(client);
2210  goto err;
2211  }
2212  smartlist_add(superencrypted->clients, client);
2213  }
2214  } SMARTLIST_FOREACH_END(token);
2215 
2216  /* Extract the encrypted data section. */
2217  tok = find_by_keyword(tokens, R3_ENCRYPTED);
2218  tor_assert(tok->object_body);
2219  if (strcmp(tok->object_type, "MESSAGE") != 0) {
2220  log_warn(LD_REND, "Desc encrypted data section is invalid");
2221  goto err;
2222  }
2223  /* Make sure the length of the encrypted blob is valid. */
2225  goto err;
2226  }
2227 
2228  /* Copy the encrypted blob to the descriptor object so we can handle it
2229  * latter if needed. */
2230  tor_assert(tok->object_size <= INT_MAX);
2231  superencrypted->encrypted_blob = tor_memdup(tok->object_body,
2232  tok->object_size);
2233  superencrypted->encrypted_blob_size = tok->object_size;
2234 
2235  ret = HS_DESC_DECODE_OK;
2236  goto done;
2237 
2238  err:
2239  tor_assert(ret < HS_DESC_DECODE_OK);
2240  hs_desc_superencrypted_data_free_contents(desc_superencrypted_out);
2241 
2242  done:
2243  if (tokens) {
2245  smartlist_free(tokens);
2246  }
2247  if (area) {
2248  memarea_drop_all(area);
2249  }
2250  if (message) {
2251  tor_free(message);
2252  }
2253  return ret;
2254 }
2255 
2256 /** Decode the version 3 encrypted section of the given descriptor desc. The
2257  * desc_encrypted_out will be populated with the decoded data. */
2260  const curve25519_secret_key_t *client_auth_sk,
2261  hs_desc_encrypted_data_t *desc_encrypted_out)
2262 {
2263  int ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2264  char *message = NULL;
2265  size_t message_len;
2266  memarea_t *area = NULL;
2267  directory_token_t *tok;
2268  smartlist_t *tokens = NULL;
2269 
2270  tor_assert(desc);
2271  tor_assert(desc_encrypted_out);
2272 
2273  /* Decrypt the encrypted data that is located in the superencrypted section
2274  * in the descriptor as a blob of bytes. */
2275  message_len = desc_decrypt_encrypted(desc, client_auth_sk, &message);
2276  if (!message_len) {
2277  /* Two possible situation here. Either we have a client authorization
2278  * configured that didn't work or we do not have any configured for this
2279  * onion address so likely the descriptor is for authorized client only,
2280  * we are not. */
2281  if (client_auth_sk) {
2282  /* At warning level so the client can notice that its client
2283  * authorization is failing. */
2284  log_warn(LD_REND, "Client authorization for requested onion address "
2285  "is invalid. Can't decrypt the descriptor.");
2286  ret = HS_DESC_DECODE_BAD_CLIENT_AUTH;
2287  } else {
2288  /* Inform at notice level that the onion address requested can't be
2289  * reached without client authorization most likely. */
2290  log_notice(LD_REND, "Fail to decrypt descriptor for requested onion "
2291  "address. It is likely requiring client "
2292  "authorization.");
2293  ret = HS_DESC_DECODE_NEED_CLIENT_AUTH;
2294  }
2295  goto err;
2296  }
2297  tor_assert(message);
2298 
2299  area = memarea_new();
2300  tokens = smartlist_new();
2301  if (tokenize_string(area, message, message + message_len,
2302  tokens, hs_desc_encrypted_v3_token_table, 0) < 0) {
2303  log_warn(LD_REND, "Encrypted service descriptor is not parseable.");
2304  goto err;
2305  }
2306 
2307  /* CREATE2 supported cell format. It's mandatory. */
2308  tok = find_by_keyword(tokens, R3_CREATE2_FORMATS);
2309  tor_assert(tok);
2310  decode_create2_list(desc_encrypted_out, tok->args[0]);
2311  /* Must support ntor according to the specification */
2312  if (!desc_encrypted_out->create2_ntor) {
2313  log_warn(LD_REND, "Service create2-formats does not include ntor.");
2314  goto err;
2315  }
2316 
2317  /* Authentication type. It's optional but only once. */
2318  tok = find_opt_by_keyword(tokens, R3_INTRO_AUTH_REQUIRED);
2319  if (tok) {
2320  if (!decode_auth_type(desc_encrypted_out, tok->args[0])) {
2321  log_warn(LD_REND, "Service descriptor authentication type has "
2322  "invalid entry(ies).");
2323  goto err;
2324  }
2325  }
2326 
2327  /* Is this service a single onion service? */
2328  tok = find_opt_by_keyword(tokens, R3_SINGLE_ONION_SERVICE);
2329  if (tok) {
2330  desc_encrypted_out->single_onion_service = 1;
2331  }
2332 
2333  /* Initialize the descriptor's introduction point list before we start
2334  * decoding. Having 0 intro point is valid. Then decode them all. */
2335  desc_encrypted_out->intro_points = smartlist_new();
2336  decode_intro_points(desc, desc_encrypted_out, message);
2337 
2338  /* Validation of maximum introduction points allowed. */
2339  if (smartlist_len(desc_encrypted_out->intro_points) >
2340  HS_CONFIG_V3_MAX_INTRO_POINTS) {
2341  log_warn(LD_REND, "Service descriptor contains too many introduction "
2342  "points. Maximum allowed is %d but we have %d",
2343  HS_CONFIG_V3_MAX_INTRO_POINTS,
2344  smartlist_len(desc_encrypted_out->intro_points));
2345  goto err;
2346  }
2347 
2348  /* NOTE: Unknown fields are allowed because this function could be used to
2349  * decode other descriptor version. */
2350 
2351  ret = HS_DESC_DECODE_OK;
2352  goto done;
2353 
2354  err:
2355  tor_assert(ret < HS_DESC_DECODE_OK);
2356  hs_desc_encrypted_data_free_contents(desc_encrypted_out);
2357 
2358  done:
2359  if (tokens) {
2361  smartlist_free(tokens);
2362  }
2363  if (area) {
2364  memarea_drop_all(area);
2365  }
2366  if (message) {
2367  tor_free(message);
2368  }
2369  return ret;
2370 }
2371 
2372 /** Table of encrypted decode function version specific. The function are
2373  * indexed by the version number so v3 callback is at index 3 in the array. */
2376  const hs_descriptor_t *desc,
2377  const curve25519_secret_key_t *client_auth_sk,
2378  hs_desc_encrypted_data_t *desc_encrypted) =
2379 {
2380  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2382 };
2383 
2384 /** Decode the encrypted data section of the given descriptor and store the
2385  * data in the given encrypted data object. Return 0 on success else a
2386  * negative value on error. */
2389  const curve25519_secret_key_t *client_auth_sk,
2390  hs_desc_encrypted_data_t *desc_encrypted)
2391 {
2392  int ret = HS_DESC_DECODE_ENCRYPTED_ERROR;
2393  uint32_t version;
2394 
2395  tor_assert(desc);
2396  /* Ease our life a bit. */
2397  version = desc->plaintext_data.version;
2398  tor_assert(desc_encrypted);
2399  /* Calling this function without an encrypted blob to parse is a code flow
2400  * error. The superencrypted parsing should never succeed in the first place
2401  * without an encrypted section. */
2403  /* Let's make sure we have a supported version as well. By correctly parsing
2404  * the plaintext, this should not fail. */
2405  if (BUG(!hs_desc_is_supported_version(version))) {
2406  goto err;
2407  }
2408  /* Extra precaution. Having no handler for the supported version should
2409  * never happened else we forgot to add it but we bumped the version. */
2412 
2413  /* Run the version specific plaintext decoder. */
2414  ret = decode_encrypted_handlers[version](desc, client_auth_sk,
2415  desc_encrypted);
2416  if (ret < 0) {
2417  goto err;
2418  }
2419 
2420  err:
2421  return ret;
2422 }
2423 
2424 /** Table of superencrypted decode function version specific. The function are
2425  * indexed by the version number so v3 callback is at index 3 in the array. */
2428  const hs_descriptor_t *desc,
2429  hs_desc_superencrypted_data_t *desc_superencrypted) =
2430 {
2431  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2433 };
2434 
2435 /** Decode the superencrypted data section of the given descriptor and store
2436  * the data in the given superencrypted data object. */
2440  desc_superencrypted)
2441 {
2442  int ret = HS_DESC_DECODE_SUPERENC_ERROR;
2443  uint32_t version;
2444 
2445  tor_assert(desc);
2446  /* Ease our life a bit. */
2447  version = desc->plaintext_data.version;
2448  tor_assert(desc_superencrypted);
2449  /* Calling this function without an superencrypted blob to parse is
2450  * a code flow error. The plaintext parsing should never succeed in
2451  * the first place without an superencrypted section. */
2453  /* Let's make sure we have a supported version as well. By correctly parsing
2454  * the plaintext, this should not fail. */
2455  if (BUG(!hs_desc_is_supported_version(version))) {
2456  goto err;
2457  }
2458  /* Extra precaution. Having no handler for the supported version should
2459  * never happened else we forgot to add it but we bumped the version. */
2462 
2463  /* Run the version specific plaintext decoder. */
2464  ret = decode_superencrypted_handlers[version](desc, desc_superencrypted);
2465  if (ret < 0) {
2466  goto err;
2467  }
2468 
2469  err:
2470  return ret;
2471 }
2472 
2473 /** Table of plaintext decode function version specific. The function are
2474  * indexed by the version number so v3 callback is at index 3 in the array. */
2477  smartlist_t *tokens,
2479  const char *encoded_desc,
2480  size_t encoded_len) =
2481 {
2482  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2484 };
2485 
2486 /** Fully decode the given descriptor plaintext and store the data in the
2487  * plaintext data object. */
2489 hs_desc_decode_plaintext(const char *encoded,
2490  hs_desc_plaintext_data_t *plaintext)
2491 {
2492  int ok = 0, ret = HS_DESC_DECODE_PLAINTEXT_ERROR;
2493  memarea_t *area = NULL;
2494  smartlist_t *tokens = NULL;
2495  size_t encoded_len;
2496  directory_token_t *tok;
2497 
2498  tor_assert(encoded);
2499  tor_assert(plaintext);
2500 
2501  /* Check that descriptor is within size limits. */
2502  encoded_len = strlen(encoded);
2503  if (encoded_len >= hs_cache_get_max_descriptor_size()) {
2504  log_warn(LD_REND, "Service descriptor is too big (%lu bytes)",
2505  (unsigned long) encoded_len);
2506  goto err;
2507  }
2508 
2509  area = memarea_new();
2510  tokens = smartlist_new();
2511  /* Tokenize the descriptor so we can start to parse it. */
2512  if (tokenize_string(area, encoded, encoded + encoded_len, tokens,
2513  hs_desc_v3_token_table, 0) < 0) {
2514  log_warn(LD_REND, "Service descriptor is not parseable");
2515  goto err;
2516  }
2517 
2518  /* Get the version of the descriptor which is the first mandatory field of
2519  * the descriptor. From there, we'll decode the right descriptor version. */
2520  tok = find_by_keyword(tokens, R_HS_DESCRIPTOR);
2521  tor_assert(tok->n_args == 1);
2522  plaintext->version = (uint32_t) tor_parse_ulong(tok->args[0], 10, 0,
2523  UINT32_MAX, &ok, NULL);
2524  if (!ok) {
2525  log_warn(LD_REND, "Service descriptor has unparseable version %s",
2526  escaped(tok->args[0]));
2527  goto err;
2528  }
2529  if (!hs_desc_is_supported_version(plaintext->version)) {
2530  log_warn(LD_REND, "Service descriptor has unsupported version %" PRIu32,
2531  plaintext->version);
2532  goto err;
2533  }
2534  /* Extra precaution. Having no handler for the supported version should
2535  * never happened else we forgot to add it but we bumped the version. */
2538 
2539  /* Run the version specific plaintext decoder. */
2540  ret = decode_plaintext_handlers[plaintext->version](tokens, plaintext,
2541  encoded, encoded_len);
2542  if (ret != HS_DESC_DECODE_OK) {
2543  goto err;
2544  }
2545  /* Success. Descriptor has been populated with the data. */
2546  ret = HS_DESC_DECODE_OK;
2547 
2548  err:
2549  if (tokens) {
2551  smartlist_free(tokens);
2552  }
2553  if (area) {
2554  memarea_drop_all(area);
2555  }
2556  return ret;
2557 }
2558 
2559 /** Fully decode an encoded descriptor and set a newly allocated descriptor
2560  * object in desc_out. Client secret key is used to decrypt the "encrypted"
2561  * section if not NULL else it's ignored.
2562  *
2563  * Return 0 on success. A negative value is returned on error and desc_out is
2564  * set to NULL. */
2566 hs_desc_decode_descriptor(const char *encoded,
2567  const hs_subcredential_t *subcredential,
2568  const curve25519_secret_key_t *client_auth_sk,
2569  hs_descriptor_t **desc_out)
2570 {
2571  hs_desc_decode_status_t ret = HS_DESC_DECODE_GENERIC_ERROR;
2572  hs_descriptor_t *desc;
2573 
2574  tor_assert(encoded);
2575 
2576  desc = tor_malloc_zero(sizeof(hs_descriptor_t));
2577 
2578  /* Subcredentials are not optional. */
2579  if (BUG(!subcredential ||
2580  fast_mem_is_zero((char*)subcredential, DIGEST256_LEN))) {
2581  log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!");
2582  goto err;
2583  }
2584 
2585  memcpy(&desc->subcredential, subcredential, sizeof(desc->subcredential));
2586 
2587  ret = hs_desc_decode_plaintext(encoded, &desc->plaintext_data);
2588  if (ret != HS_DESC_DECODE_OK) {
2589  goto err;
2590  }
2591 
2593  if (ret != HS_DESC_DECODE_OK) {
2594  goto err;
2595  }
2596 
2597  ret = hs_desc_decode_encrypted(desc, client_auth_sk, &desc->encrypted_data);
2598  if (ret != HS_DESC_DECODE_OK) {
2599  goto err;
2600  }
2601 
2602  if (desc_out) {
2603  *desc_out = desc;
2604  } else {
2605  hs_descriptor_free(desc);
2606  }
2607  return ret;
2608 
2609  err:
2610  hs_descriptor_free(desc);
2611  if (desc_out) {
2612  *desc_out = NULL;
2613  }
2614 
2615  tor_assert(ret < 0);
2616  return ret;
2617 }
2618 
2619 /** Table of encode function version specific. The functions are indexed by the
2620  * version number so v3 callback is at index 3 in the array. */
2621 static int
2623  const hs_descriptor_t *desc,
2624  const ed25519_keypair_t *signing_kp,
2625  const uint8_t *descriptor_cookie,
2626  char **encoded_out) =
2627 {
2628  /* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
2630 };
2631 
2632 /** Encode the given descriptor desc including signing with the given key pair
2633  * signing_kp and encrypting with the given descriptor cookie.
2634  *
2635  * If the client authorization is enabled, descriptor_cookie must be the same
2636  * as the one used to build hs_desc_authorized_client_t in the descriptor.
2637  * Otherwise, it must be NULL. On success, encoded_out points to a newly
2638  * allocated NUL terminated string that contains the encoded descriptor as
2639  * a string.
2640  *
2641  * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
2642  * returned and encoded_out is set to NULL. */
2643 MOCK_IMPL(int,
2645  const ed25519_keypair_t *signing_kp,
2646  const uint8_t *descriptor_cookie,
2647  char **encoded_out))
2648 {
2649  int ret = -1;
2650  uint32_t version;
2651 
2652  tor_assert(desc);
2653  tor_assert(encoded_out);
2654 
2655  /* Make sure we support the version of the descriptor format. */
2656  version = desc->plaintext_data.version;
2657  if (!hs_desc_is_supported_version(version)) {
2658  goto err;
2659  }
2660  /* Extra precaution. Having no handler for the supported version should
2661  * never happened else we forgot to add it but we bumped the version. */
2663  tor_assert(encode_handlers[version]);
2664 
2665  ret = encode_handlers[version](desc, signing_kp,
2666  descriptor_cookie, encoded_out);
2667  if (ret < 0) {
2668  goto err;
2669  }
2670 
2671  /* Try to decode what we just encoded. Symmetry is nice!, but it is
2672  * symmetric only if the client auth is disabled. That is, the descriptor
2673  * cookie will be NULL. */
2674  if (!descriptor_cookie) {
2675  ret = hs_desc_decode_descriptor(*encoded_out, &desc->subcredential,
2676  NULL, NULL);
2677  if (BUG(ret != HS_DESC_DECODE_OK)) {
2678  ret = -1;
2679  goto err;
2680  }
2681  }
2682 
2683  return 0;
2684 
2685  err:
2686  *encoded_out = NULL;
2687  return ret;
2688 }
2689 
2690 /** Free the content of the plaintext section of a descriptor. */
2691 void
2693 {
2694  if (!desc) {
2695  return;
2696  }
2697 
2698  if (desc->superencrypted_blob) {
2700  }
2701  tor_cert_free(desc->signing_key_cert);
2702 
2703  memwipe(desc, 0, sizeof(*desc));
2704 }
2705 
2706 /** Free the content of the superencrypted section of a descriptor. */
2707 void
2709 {
2710  if (!desc) {
2711  return;
2712  }
2713 
2714  if (desc->encrypted_blob) {
2715  tor_free(desc->encrypted_blob);
2716  }
2717  if (desc->clients) {
2719  hs_desc_authorized_client_free(client));
2720  smartlist_free(desc->clients);
2721  }
2722 
2723  memwipe(desc, 0, sizeof(*desc));
2724 }
2725 
2726 /** Free the content of the encrypted section of a descriptor. */
2727 void
2729 {
2730  if (!desc) {
2731  return;
2732  }
2733 
2734  if (desc->intro_auth_types) {
2735  SMARTLIST_FOREACH(desc->intro_auth_types, char *, a, tor_free(a));
2736  smartlist_free(desc->intro_auth_types);
2737  }
2738  if (desc->intro_points) {
2740  hs_desc_intro_point_free(ip));
2741  smartlist_free(desc->intro_points);
2742  }
2743  memwipe(desc, 0, sizeof(*desc));
2744 }
2745 
2746 /** Free the descriptor plaintext data object. */
2747 void
2749 {
2751  tor_free(desc);
2752 }
2753 
2754 /** Free the descriptor plaintext data object. */
2755 void
2757 {
2759  tor_free(desc);
2760 }
2761 
2762 /** Free the descriptor encrypted data object. */
2763 void
2765 {
2767  tor_free(desc);
2768 }
2769 
2770 /** Free the given descriptor object. */
2771 void
2773 {
2774  if (!desc) {
2775  return;
2776  }
2777 
2781  tor_free(desc);
2782 }
2783 
2784 /** Return the size in bytes of the given plaintext data object. A sizeof() is
2785  * not enough because the object contains pointers and the encrypted blob.
2786  * This is particularly useful for our OOM subsystem that tracks the HSDir
2787  * cache size for instance. */
2788 size_t
2790 {
2791  tor_assert(data);
2792  return (sizeof(*data) + sizeof(*data->signing_key_cert) +
2793  data->superencrypted_blob_size);
2794 }
2795 
2796 /** Return the size in bytes of the given encrypted data object. Used by OOM
2797  * subsystem. */
2798 static size_t
2800 {
2801  tor_assert(data);
2802  size_t intro_size = 0;
2803  if (data->intro_auth_types) {
2804  intro_size +=
2805  smartlist_len(data->intro_auth_types) * sizeof(intro_auth_types);
2806  }
2807  if (data->intro_points) {
2808  /* XXX could follow pointers here and get more accurate size */
2809  intro_size +=
2810  smartlist_len(data->intro_points) * sizeof(hs_desc_intro_point_t);
2811  }
2812 
2813  return sizeof(*data) + intro_size;
2814 }
2815 
2816 /** Return the size in bytes of the given descriptor object. Used by OOM
2817  * subsystem. */
2818  size_t
2820 {
2821  if (data == NULL) {
2822  return 0;
2823  }
2824  return (hs_desc_plaintext_obj_size(&data->plaintext_data) +
2826  sizeof(data->subcredential));
2827 }
2828 
2829 /** Return a newly allocated descriptor intro point. */
2832 {
2833  hs_desc_intro_point_t *ip = tor_malloc_zero(sizeof(*ip));
2835  return ip;
2836 }
2837 
2838 /** Free a descriptor intro point object. */
2839 void
2841 {
2842  if (ip == NULL) {
2843  return;
2844  }
2845  if (ip->link_specifiers) {
2846  SMARTLIST_FOREACH(ip->link_specifiers, link_specifier_t *,
2847  ls, link_specifier_free(ls));
2848  smartlist_free(ip->link_specifiers);
2849  }
2850  tor_cert_free(ip->auth_key_cert);
2851  tor_cert_free(ip->enc_key_cert);
2852  crypto_pk_free(ip->legacy.key);
2853  tor_free(ip->legacy.cert.encoded);
2854  tor_free(ip);
2855 }
2856 
2857 /** Allocate and build a new fake client info for the descriptor. Return a
2858  * newly allocated object. This can't fail. */
2861 {
2862  hs_desc_authorized_client_t *client_auth =
2863  tor_malloc_zero(sizeof(*client_auth));
2864 
2865  crypto_rand((char *) client_auth->client_id,
2866  sizeof(client_auth->client_id));
2867  crypto_rand((char *) client_auth->iv,
2868  sizeof(client_auth->iv));
2869  crypto_rand((char *) client_auth->encrypted_cookie,
2870  sizeof(client_auth->encrypted_cookie));
2871 
2872  return client_auth;
2873 }
2874 
2875 /** Using the service's subcredential, client public key, auth ephemeral secret
2876  * key, and descriptor cookie, build the auth client so we can then encode the
2877  * descriptor for publication. client_out must be already allocated. */
2878 void
2880  const curve25519_public_key_t *client_auth_pk,
2881  const curve25519_secret_key_t *
2882  auth_ephemeral_sk,
2883  const uint8_t *descriptor_cookie,
2884  hs_desc_authorized_client_t *client_out)
2885 {
2886  uint8_t *keystream = NULL;
2887  size_t keystream_length = 0;
2888  const uint8_t *cookie_key;
2889  crypto_cipher_t *cipher;
2890 
2891  tor_assert(client_auth_pk);
2892  tor_assert(auth_ephemeral_sk);
2893  tor_assert(descriptor_cookie);
2894  tor_assert(client_out);
2895  tor_assert(subcredential);
2896  tor_assert(!fast_mem_is_zero((char *) auth_ephemeral_sk,
2897  sizeof(*auth_ephemeral_sk)));
2898  tor_assert(!fast_mem_is_zero((char *) client_auth_pk,
2899  sizeof(*client_auth_pk)));
2900  tor_assert(!fast_mem_is_zero((char *) descriptor_cookie,
2901  HS_DESC_DESCRIPTOR_COOKIE_LEN));
2902  tor_assert(!fast_mem_is_zero((char *) subcredential,
2903  DIGEST256_LEN));
2904 
2905  /* Get the KEYS part so we can derive the CLIENT-ID and COOKIE-KEY. */
2906  keystream_length =
2907  build_descriptor_cookie_keys(subcredential,
2908  auth_ephemeral_sk, client_auth_pk,
2909  &keystream);
2910  tor_assert(keystream_length > 0);
2911 
2912  /* Extract the CLIENT-ID and COOKIE-KEY from the KEYS. */
2913  memcpy(client_out->client_id, keystream, HS_DESC_CLIENT_ID_LEN);
2914  cookie_key = keystream + HS_DESC_CLIENT_ID_LEN;
2915 
2916  /* Random IV */
2917  crypto_strongest_rand(client_out->iv, sizeof(client_out->iv));
2918 
2919  /* This creates a cipher for AES. It can't fail. */
2920  cipher = crypto_cipher_new_with_iv_and_bits(cookie_key, client_out->iv,
2921  HS_DESC_COOKIE_KEY_BIT_SIZE);
2922  /* This can't fail. */
2923  crypto_cipher_encrypt(cipher, (char *) client_out->encrypted_cookie,
2924  (const char *) descriptor_cookie,
2925  HS_DESC_DESCRIPTOR_COOKIE_LEN);
2926 
2927  memwipe(keystream, 0, keystream_length);
2928  tor_free(keystream);
2929 
2930  crypto_cipher_free(cipher);
2931 }
2932 
2933 /** Free an authoriezd client object. */
2934 void
2936 {
2937  tor_free(client);
2938 }
2939 
2940 /** From the given descriptor, remove and free every introduction point. */
2941 void
2943 {
2944  smartlist_t *ips;
2945 
2946  tor_assert(desc);
2947 
2948  ips = desc->encrypted_data.intro_points;
2949  if (ips) {
2951  ip, hs_desc_intro_point_free(ip));
2952  smartlist_clear(ips);
2953  }
2954 }
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
static char * get_outer_encrypted_layer_plaintext(const hs_descriptor_t *desc, const char *layer2_b64_ciphertext)
static int(* encode_handlers[])(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
static void build_secret_key_iv_mac(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_len, uint8_t *iv_out, size_t iv_len, uint8_t *mac_out, size_t mac_len, int is_superencrypted_layer)
static int decrypt_descriptor_cookie(const hs_descriptor_t *desc, const hs_desc_authorized_client_t *client, const curve25519_secret_key_t *client_auth_sk, uint8_t **descriptor_cookie_out)
unsigned int hs_cache_get_max_descriptor_size(void)
Definition: hs_cache.c:1111
uint8_t client_id[HS_DESC_CLIENT_ID_LEN]
#define crypto_xof_free(xof)
void crypto_rand(char *to, size_t n)
Definition: crypto_rand.c:477
Header file containing configuration ABI/API for the HS subsytem.
smartlist_t * find_all_by_keyword(const smartlist_t *s, directory_keyword k)
Definition: parsecommon.c:468
Common functions for using (pseudo-)random number generators.
static char * get_inner_encrypted_layer_plaintext(const hs_descriptor_t *desc)
unsigned signing_key_included
Definition: torcert.h:45
#define END_OF_TABLE
Definition: parsecommon.h:244
static int hs_desc_is_supported_version(uint32_t version)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
static token_rule_t hs_desc_v3_token_table[]
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
uint64_t tor_parse_uint64(const char *s, int base, uint64_t min, uint64_t max, int *ok, char **next)
Definition: parse_int.c:110
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
ed25519_public_key_t signed_key
Definition: torcert.h:30
int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now)
Definition: torcert.c:244
hs_desc_superencrypted_data_t superencrypted_data
hs_desc_authorized_client_t * hs_desc_build_fake_authorized_client(void)
static token_rule_t hs_desc_encrypted_v3_token_table[]
#define HS_DESC_SUPERENC_PLAINTEXT_PAD_MULTIPLE
Definition: hs_descriptor.h:47
static size_t build_descriptor_cookie_keys(const hs_subcredential_t *subcredential, const curve25519_secret_key_t *sk, const curve25519_public_key_t *pk, uint8_t **keys_out)
hs_desc_encrypted_data_t encrypted_data
#define LD_GENERAL
Definition: log.h:62
static int desc_encode_v3(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
Definition: parse_int.c:78
int curve25519_public_from_base64(curve25519_public_key_t *pkey, const char *input)
int ed25519_sign_prefixed(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair)
time_t valid_until
Definition: torcert.h:35
static hs_desc_decode_status_t desc_decode_plaintext_v3(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
void hs_desc_authorized_client_free_(hs_desc_authorized_client_t *client)
ed25519_public_key_t signing_pubkey
void hs_desc_encrypted_data_free_contents(hs_desc_encrypted_data_t *desc)
int crypto_cipher_encrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Definition: crypto_cipher.c:88
void curve25519_public_to_base64(char *output, const curve25519_public_key_t *pkey)
void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len)
struct hs_desc_intro_point_t::@16 legacy
hs_subcredential_t subcredential
void smartlist_add(smartlist_t *sl, void *element)
static token_rule_t hs_desc_intro_point_v3_token_table[]
size_t base64_encode_size(size_t srclen, int flags)
Definition: binascii.c:166
#define memarea_drop_all(area)
Definition: memarea.h:22
void hs_desc_encrypted_data_free_(hs_desc_encrypted_data_t *desc)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
Header file for config.c.
int crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest, size_t *len)
Definition: crypto_rsa.c:466
unsigned int single_onion_service
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
uint8_t cert_type
Definition: torcert.h:43
int fast_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:74
#define tor_assert(expr)
Definition: util_bug.h:102
static size_t build_secret_input(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, uint8_t **secret_input_out)
STATIC size_t build_plaintext_padding(const char *plaintext, size_t plaintext_len, uint8_t **padded_out)
smartlist_t * intro_auth_types
tor_cert_t * enc_key_cert
hs_desc_decode_status_t hs_desc_decode_plaintext(const char *encoded, hs_desc_plaintext_data_t *plaintext)
#define HS_DESC_CERT_LIFETIME
Definition: hs_descriptor.h:38
hs_desc_decode_status_t hs_desc_decode_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
#define tor_free(p)
Definition: malloc.h:52
#define ED25519_PUBKEY_LEN
Definition: x25519_sizes.h:27
static char * encode_enc_key(const hs_desc_intro_point_t *ip)
#define T1_START(s, t, a, o)
Definition: parsecommon.h:252
unsigned int cross_certified
#define T1N(s, t, a, o)
Definition: parsecommon.h:256
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
#define HS_DESC_MAX_LIFETIME
Definition: hs_descriptor.h:32
smartlist_t * smartlist_new(void)
static const struct @15 intro_auth_types[]
ed25519_public_key_t blinded_pubkey
int hs_desc_encode_descriptor(const hs_descriptor_t *desc, const ed25519_keypair_t *signing_kp, const uint8_t *descriptor_cookie, char **encoded_out)
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
size_t hs_desc_plaintext_obj_size(const hs_desc_plaintext_data_t *data)
void hs_descriptor_clear_intro_points(hs_descriptor_t *desc)
memarea_t * memarea_new(void)
Definition: memarea.c:153
void ed25519_signature_to_base64(char *output, const ed25519_signature_t *sig)
#define STATIC
Definition: testsupport.h:32
#define tor_memneq(a, b, sz)
Definition: di_ops.h:21
static char * encode_intro_point(const ed25519_public_key_t *sig_key, const hs_desc_intro_point_t *ip)
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
Definition: binascii.c:215
static char * get_auth_client_str(const hs_desc_authorized_client_t *client)
static size_t compute_padded_plaintext_length(size_t plaintext_len)
#define CIPHER_IV_LEN
Definition: crypto_cipher.h:24
#define DIGEST256_LEN
Definition: digest_sizes.h:23
uint8_t encrypted_cookie[HS_DESC_ENCRYPED_COOKIE_LEN]
static int decode_intro_legacy_key(const directory_token_t *tok, smartlist_t *tokens, hs_desc_intro_point_t *ip, const hs_descriptor_t *desc)
hs_desc_intro_point_t * hs_desc_intro_point_new(void)
hs_desc_plaintext_data_t plaintext_data
#define NO_ARGS
Definition: parsecommon.h:265
Common functions for cryptographic routines.
static void build_kdf_key(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const uint8_t *salt, size_t salt_len, uint8_t *key_out, size_t key_out_len, int is_superencrypted_layer)
static char * encrypt_desc_data_and_base64(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *encoded_str, int is_superencrypted_layer)
static int decode_auth_type(hs_desc_encrypted_data_t *desc, const char *list)
STATIC size_t decrypt_desc_layer(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, bool is_superencrypted_layer, char **decrypted_out)
tor_cert_t * tor_cert_parse(const uint8_t *encoded, const size_t len)
Definition: torcert.c:159
Header for crypto_format.c.
STATIC smartlist_t * decode_link_specifiers(const char *encoded)
int tor_memeq(const void *a, const void *b, size_t sz)
Definition: di_ops.c:107
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
static char * encode_legacy_key(const hs_desc_intro_point_t *ip)
curve25519_public_key_t onion_key
#define HS_DESC_AUTH_CLIENT_MULTIPLE
Definition: hs_descriptor.h:66
static void set_uint64(void *cp, uint64_t v)
Definition: bytes.h:96
uint8_t iv[CIPHER_IV_LEN]
#define SIZE_T_CEILING
Definition: torint.h:126
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
Definition: smartlist.c:36
Header file for rendcache.c.
tor_cert_t * signing_key_cert
#define GE(n)
Definition: parsecommon.h:269
Master header file for Tor-specific functionality.
static size_t desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
#define HS_DESC_ENCRYPTED_KEY_LEN
Definition: hs_descriptor.h:54
Header file for circuitbuild.c.
void hs_desc_superencrypted_data_free_(hs_desc_superencrypted_data_t *desc)
static hs_desc_decode_status_t(* decode_encrypted_handlers[])(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted)
struct hs_desc_intro_point_t::@16::@17 cert
#define ARGS
Definition: parsecommon.h:263
Header for memarea.c.
#define EQ(n)
Definition: parsecommon.h:271
STATIC hs_desc_intro_point_t * decode_introduction_point(const hs_descriptor_t *desc, const char *start)
static char * encode_onion_key(const hs_desc_intro_point_t *ip)
static token_rule_t hs_desc_superencrypted_v3_token_table[]
static void build_mac(const uint8_t *mac_key, size_t mac_key_len, const uint8_t *salt, size_t salt_len, const uint8_t *encrypted, size_t encrypted_len, uint8_t *mac_out, size_t mac_len)
hs_desc_decode_status_t hs_desc_decode_superencrypted(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
Header file for hs_descriptor.c.
Extend-info structure.
hs_desc_auth_type_t
Definition: hs_descriptor.h:69
static hs_desc_decode_status_t desc_decode_superencrypted_v3(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted_out)
#define CONCAT_ARGS
Definition: parsecommon.h:267
static uint64_t tor_htonll(uint64_t a)
Definition: bytes.h:184
#define crypto_digest_free(d)
#define LD_REND
Definition: log.h:84
crypto_pk_t * crypto_pk_dup_key(crypto_pk_t *orig)
directory_token_t * find_opt_by_keyword(const smartlist_t *s, directory_keyword keyword)
Definition: parsecommon.c:457
STATIC int desc_sig_is_valid(const char *b64_sig, const ed25519_public_key_t *signing_pubkey, const char *encoded_desc, size_t encoded_len)
static void decode_intro_points(const hs_descriptor_t *desc, hs_desc_encrypted_data_t *desc_enc, const char *data)
static int set_intro_point_onion_key(curve25519_public_key_t *onion_key_out, const smartlist_t *tokens)
static hs_desc_decode_status_t desc_decode_encrypted_v3(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, hs_desc_encrypted_data_t *desc_encrypted_out)
static size_t encrypt_descriptor_data(const hs_descriptor_t *desc, const uint8_t *secret_data, size_t secret_data_len, const char *plaintext, char **encrypted_out, int is_superencrypted_layer)
const char * tor_cert_describe_signature_status(const tor_cert_t *cert)
Definition: torcert.c:279
curve25519_public_key_t enc_key
unsigned cert_expired
Definition: torcert.h:52
ed25519_public_key_t signing_key
Definition: torcert.h:33
int crypto_pk_public_exponent_ok(const crypto_pk_t *env)
#define CURVE25519_OUTPUT_LEN
Definition: x25519_sizes.h:24
static hs_desc_decode_status_t(* decode_plaintext_handlers[])(smartlist_t *tokens, hs_desc_plaintext_data_t *desc, const char *encoded_desc, size_t encoded_len)
#define T1_END(s, t, a, o)
Definition: parsecommon.h:254
#define LD_DIR
Definition: log.h:88
Header file for parsecommon.c.
static int cert_parse_and_validate(tor_cert_t **cert_out, const char *data, size_t data_len, unsigned int cert_type_wanted, const char *err_msg)
void format_iso_time(char *buf, time_t t)
Definition: time_fmt.c:295
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
Definition: smartlist.c:279
hs_desc_decode_status_t hs_desc_decode_descriptor(const char *encoded, const hs_subcredential_t *subcredential, const curve25519_secret_key_t *client_auth_sk, hs_descriptor_t **desc_out)
int base64_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:396
#define SMARTLIST_FOREACH(sl, type, var, cmd)
const char * escaped(const char *s)
Definition: escape.c:126
link_specifier_t * link_specifier_dup(const link_specifier_t *src)
Definition: hs_common.c:1872
void hs_descriptor_free_(hs_descriptor_t *desc)
size_t hs_desc_obj_size(const hs_descriptor_t *data)
static size_t hs_desc_encrypted_obj_size(const hs_desc_encrypted_data_t *data)
static char * get_all_auth_client_lines(const hs_descriptor_t *desc)
static int encode_superencrypted_data(const hs_descriptor_t *desc, const uint8_t *descriptor_cookie, char **encrypted_blob_out)
static size_t build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext, size_t plaintext_len, uint8_t **encrypted_out, int is_superencrypted_layer)
#define ARRAY_LENGTH(x)
static hs_desc_decode_status_t(* decode_superencrypted_handlers[])(const hs_descriptor_t *desc, hs_desc_superencrypted_data_t *desc_superencrypted)
#define log_fn(severity, domain, args,...)
Definition: log.h:287
smartlist_t * link_specifiers
static void decode_create2_list(hs_desc_encrypted_data_t *desc, const char *list)
void crypto_strongest_rand(uint8_t *out, size_t out_len)
Definition: crypto_rand.c:340
STATIC int cert_is_valid(tor_cert_t *cert, uint8_t type, const char *log_obj_type)
smartlist_t * intro_points
void hs_desc_build_authorized_client(const hs_subcredential_t *subcredential, const curve25519_public_key_t *client_auth_pk, const curve25519_secret_key_t *auth_ephemeral_sk, const uint8_t *descriptor_cookie, hs_desc_authorized_client_t *client_out)
time_t approx_time(void)
Definition: approx_time.c:32
STATIC int encrypted_data_length_is_valid(size_t len)
#define T1(s, t, a, o)
Definition: parsecommon.h:250
curve25519_public_key_t auth_ephemeral_pubkey
static size_t build_secret_data(const ed25519_public_key_t *blinded_pubkey, const uint8_t *descriptor_cookie, uint8_t **secret_data_out)
Header for torcert.c.
void token_clear(directory_token_t *tok)
Definition: parsecommon.c:41
Header file for hs_cache.c.
crypto_cipher_t * crypto_cipher_new_with_iv_and_bits(const uint8_t *key, const uint8_t *iv, int bits)
Definition: crypto_cipher.c:29
struct crypto_pk_t * key
Definition: parsecommon.h:210
#define HS_DESC_CLIENT_ID_LEN
Definition: hs_descriptor.h:58
int rsa_ed25519_crosscert_check(const uint8_t *crosscert, const size_t crosscert_len, const crypto_pk_t *rsa_id_key, const ed25519_public_key_t *master_key, const time_t reject_if_expired_before)
Definition: torcert.c:395
void hs_desc_intro_point_free_(hs_desc_intro_point_t *ip)
static int decode_auth_client(const directory_token_t *tok, hs_desc_authorized_client_t *client)
static size_t desc_decrypt_encrypted(const hs_descriptor_t *desc, const curve25519_secret_key_t *client_auth_sk, char **decrypted_out)
int ed25519_signature_from_base64(ed25519_signature_t *sig, const char *input)
#define ED25519_SIG_BASE64_LEN
Definition: x25519_sizes.h:42
#define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN
Definition: hs_descriptor.h:43
STATIC char * encode_link_specifiers(const smartlist_t *specs)
crypto_xof_t * crypto_xof_new(void)
void smartlist_clear(smartlist_t *sl)
int tokenize_string(memarea_t *area, const char *start, const char *end, smartlist_t *out, const token_rule_t *table, int flags)
Definition: parsecommon.c:53
#define T01(s, t, a, o)
Definition: parsecommon.h:258
hs_desc_decode_status_t
Definition: hs_descriptor.h:74
#define HS_DESC_ENCRYPTED_SALT_LEN
Definition: hs_descriptor.h:40
#define LD_BUG
Definition: log.h:86
#define CURVE25519_PUBKEY_LEN
Definition: x25519_sizes.h:20
tor_cert_t * auth_key_cert
#define CURVE25519_BASE64_PADDED_LEN
Definition: x25519_sizes.h:37
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
void hs_desc_superencrypted_data_free_contents(hs_desc_superencrypted_data_t *desc)
void hs_desc_plaintext_data_free_(hs_desc_plaintext_data_t *desc)
void hs_desc_plaintext_data_free_contents(hs_desc_plaintext_data_t *desc)