Tor  0.4.5.0-alpha-dev
hs_intropoint.c
Go to the documentation of this file.
1 /* Copyright (c) 2016-2020, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
4 /**
5  * \file hs_intropoint.c
6  * \brief Implement next generation introductions point functionality
7  **/
8 
9 #define HS_INTROPOINT_PRIVATE
10 
11 #include "core/or/or.h"
12 #include "app/config/config.h"
13 #include "core/or/channel.h"
14 #include "core/or/circuitlist.h"
15 #include "core/or/circuituse.h"
16 #include "core/or/relay.h"
17 #include "feature/rend/rendmid.h"
18 #include "feature/stats/rephist.h"
20 
21 /* Trunnel */
22 #include "trunnel/ed25519_cert.h"
23 #include "trunnel/hs/cell_common.h"
24 #include "trunnel/hs/cell_establish_intro.h"
25 #include "trunnel/hs/cell_introduce1.h"
26 
28 #include "feature/hs/hs_common.h"
29 #include "feature/hs/hs_config.h"
31 #include "feature/hs/hs_dos.h"
33 
34 #include "core/or/or_circuit_st.h"
35 
36 /** Extract the authentication key from an ESTABLISH_INTRO or INTRODUCE1 using
37  * the given <b>cell_type</b> from <b>cell</b> and place it in
38  * <b>auth_key_out</b>. */
39 STATIC void
41  unsigned int cell_type, const void *cell)
42 {
43  size_t auth_key_len;
44  const uint8_t *key_array;
45 
46  tor_assert(auth_key_out);
47  tor_assert(cell);
48 
49  switch (cell_type) {
50  case RELAY_COMMAND_ESTABLISH_INTRO:
51  {
52  const trn_cell_establish_intro_t *c_cell = cell;
53  key_array = trn_cell_establish_intro_getconstarray_auth_key(c_cell);
54  auth_key_len = trn_cell_establish_intro_getlen_auth_key(c_cell);
55  break;
56  }
57  case RELAY_COMMAND_INTRODUCE1:
58  {
59  const trn_cell_introduce1_t *c_cell = cell;
60  key_array = trn_cell_introduce1_getconstarray_auth_key(cell);
61  auth_key_len = trn_cell_introduce1_getlen_auth_key(c_cell);
62  break;
63  }
64  default:
65  /* Getting here is really bad as it means we got a unknown cell type from
66  * this file where every call has an hardcoded value. */
67  tor_assert_unreached(); /* LCOV_EXCL_LINE */
68  }
69  tor_assert(key_array);
70  tor_assert(auth_key_len == sizeof(auth_key_out->pubkey));
71  memcpy(auth_key_out->pubkey, key_array, auth_key_len);
72 }
73 
74 /** We received an ESTABLISH_INTRO <b>cell</b>. Verify its signature and MAC,
75  * given <b>circuit_key_material</b>. Return 0 on success else -1 on error. */
76 STATIC int
77 verify_establish_intro_cell(const trn_cell_establish_intro_t *cell,
78  const uint8_t *circuit_key_material,
79  size_t circuit_key_material_len)
80 {
81  /* We only reach this function if the first byte of the cell is 0x02 which
82  * means that auth_key_type is of ed25519 type, hence this check should
83  * always pass. See hs_intro_received_establish_intro(). */
84  if (BUG(cell->auth_key_type != TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519)) {
85  return -1;
86  }
87 
88  /* Make sure the auth key length is of the right size for this type. For
89  * EXTRA safety, we check both the size of the array and the length which
90  * must be the same. Safety first!*/
91  if (trn_cell_establish_intro_getlen_auth_key(cell) != ED25519_PUBKEY_LEN ||
92  trn_cell_establish_intro_get_auth_key_len(cell) != ED25519_PUBKEY_LEN) {
93  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
94  "ESTABLISH_INTRO auth key length is invalid");
95  return -1;
96  }
97 
98  const uint8_t *msg = cell->start_cell;
99 
100  /* Verify the sig */
101  {
102  ed25519_signature_t sig_struct;
103  const uint8_t *sig_array =
104  trn_cell_establish_intro_getconstarray_sig(cell);
105 
106  /* Make sure the signature length is of the right size. For EXTRA safety,
107  * we check both the size of the array and the length which must be the
108  * same. Safety first!*/
109  if (trn_cell_establish_intro_getlen_sig(cell) != sizeof(sig_struct.sig) ||
110  trn_cell_establish_intro_get_sig_len(cell) != sizeof(sig_struct.sig)) {
111  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
112  "ESTABLISH_INTRO sig len is invalid");
113  return -1;
114  }
115  /* We are now sure that sig_len is of the right size. */
116  memcpy(sig_struct.sig, sig_array, cell->sig_len);
117 
118  ed25519_public_key_t auth_key;
119  get_auth_key_from_cell(&auth_key, RELAY_COMMAND_ESTABLISH_INTRO, cell);
120 
121  const size_t sig_msg_len = cell->end_sig_fields - msg;
122  int sig_mismatch = ed25519_checksig_prefixed(&sig_struct,
123  msg, sig_msg_len,
125  &auth_key);
126  if (sig_mismatch) {
127  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
128  "ESTABLISH_INTRO signature not as expected");
129  return -1;
130  }
131  }
132 
133  /* Verify the MAC */
134  {
135  const size_t auth_msg_len = cell->end_mac_fields - msg;
136  uint8_t mac[DIGEST256_LEN];
137  crypto_mac_sha3_256(mac, sizeof(mac),
138  circuit_key_material, circuit_key_material_len,
139  msg, auth_msg_len);
140  if (tor_memneq(mac, cell->handshake_mac, sizeof(mac))) {
141  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
142  "ESTABLISH_INTRO handshake_auth not as expected");
143  return -1;
144  }
145  }
146 
147  return 0;
148 }
149 
150 /** Send an INTRO_ESTABLISHED cell to <b>circ</b>. */
151 MOCK_IMPL(int,
153 {
154  int ret;
155  uint8_t *encoded_cell = NULL;
156  ssize_t encoded_len, result_len;
157  trn_cell_intro_established_t *cell;
158  trn_cell_extension_t *ext;
159 
160  tor_assert(circ);
161 
162  /* Build the cell payload. */
163  cell = trn_cell_intro_established_new();
164  ext = trn_cell_extension_new();
165  trn_cell_extension_set_num(ext, 0);
166  trn_cell_intro_established_set_extensions(cell, ext);
167  /* Encode the cell to binary format. */
168  encoded_len = trn_cell_intro_established_encoded_len(cell);
169  tor_assert(encoded_len > 0);
170  encoded_cell = tor_malloc_zero(encoded_len);
171  result_len = trn_cell_intro_established_encode(encoded_cell, encoded_len,
172  cell);
173  tor_assert(encoded_len == result_len);
174 
175  ret = relay_send_command_from_edge(0, TO_CIRCUIT(circ),
176  RELAY_COMMAND_INTRO_ESTABLISHED,
177  (char *) encoded_cell, encoded_len,
178  NULL);
179  /* On failure, the above function will close the circuit. */
180  trn_cell_intro_established_free(cell);
181  tor_free(encoded_cell);
182  return ret;
183 }
184 
185 /** Validate the cell DoS extension parameters. Return true iff they've been
186  * bound check and can be used. Else return false. See proposal 305 for
187  * details and reasons about this validation. */
188 STATIC bool
189 cell_dos_extension_parameters_are_valid(uint64_t intro2_rate_per_sec,
190  uint64_t intro2_burst_per_sec)
191 {
192  bool ret = false;
193 
194  /* Check that received value is not below the minimum. Don't check if minimum
195  is set to 0, since the param is a positive value and gcc will complain. */
196 #if HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MIN > 0
197  if (intro2_rate_per_sec < HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MIN) {
198  log_fn(LOG_PROTOCOL_WARN, LD_REND,
199  "Intro point DoS defenses rate per second is "
200  "too small. Received value: %" PRIu64, intro2_rate_per_sec);
201  goto end;
202  }
203 #endif /* HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MIN > 0 */
204 
205  /* Check that received value is not above maximum */
206  if (intro2_rate_per_sec > HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MAX) {
207  log_fn(LOG_PROTOCOL_WARN, LD_REND,
208  "Intro point DoS defenses rate per second is "
209  "too big. Received value: %" PRIu64, intro2_rate_per_sec);
210  goto end;
211  }
212 
213  /* Check that received value is not below the minimum */
214 #if HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MIN > 0
215  if (intro2_burst_per_sec < HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MIN) {
216  log_fn(LOG_PROTOCOL_WARN, LD_REND,
217  "Intro point DoS defenses burst per second is "
218  "too small. Received value: %" PRIu64, intro2_burst_per_sec);
219  goto end;
220  }
221 #endif /* HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MIN > 0 */
222 
223  /* Check that received value is not above maximum */
224  if (intro2_burst_per_sec > HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MAX) {
225  log_fn(LOG_PROTOCOL_WARN, LD_REND,
226  "Intro point DoS defenses burst per second is "
227  "too big. Received value: %" PRIu64, intro2_burst_per_sec);
228  goto end;
229  }
230 
231  /* In a rate limiting scenario, burst can never be smaller than the rate. At
232  * best it can be equal. */
233  if (intro2_burst_per_sec < intro2_rate_per_sec) {
234  log_info(LD_REND, "Intro point DoS defenses burst is smaller than rate. "
235  "Rate: %" PRIu64 " vs Burst: %" PRIu64,
236  intro2_rate_per_sec, intro2_burst_per_sec);
237  goto end;
238  }
239 
240  /* Passing validation. */
241  ret = true;
242 
243  end:
244  return ret;
245 }
246 
247 /** Parse the cell DoS extension and apply defenses on the given circuit if
248  * validation passes. If the cell extension is malformed or contains unusable
249  * values, the DoS defenses is disabled on the circuit. */
250 static void
252  const trn_cell_extension_field_t *field,
253  or_circuit_t *circ)
254 {
255  ssize_t ret;
256  uint64_t intro2_rate_per_sec = 0, intro2_burst_per_sec = 0;
257  trn_cell_extension_dos_t *dos = NULL;
258 
259  tor_assert(field);
260  tor_assert(circ);
261 
262  ret = trn_cell_extension_dos_parse(&dos,
263  trn_cell_extension_field_getconstarray_field(field),
264  trn_cell_extension_field_getlen_field(field));
265  if (ret < 0) {
266  goto end;
267  }
268 
269  for (size_t i = 0; i < trn_cell_extension_dos_get_n_params(dos); i++) {
270  const trn_cell_extension_dos_param_t *param =
271  trn_cell_extension_dos_getconst_params(dos, i);
272  if (BUG(param == NULL)) {
273  goto end;
274  }
275 
276  switch (trn_cell_extension_dos_param_get_type(param)) {
277  case TRUNNEL_DOS_PARAM_TYPE_INTRO2_RATE_PER_SEC:
278  intro2_rate_per_sec = trn_cell_extension_dos_param_get_value(param);
279  break;
280  case TRUNNEL_DOS_PARAM_TYPE_INTRO2_BURST_PER_SEC:
281  intro2_burst_per_sec = trn_cell_extension_dos_param_get_value(param);
282  break;
283  default:
284  goto end;
285  }
286  }
287 
288  /* At this point, the extension is valid so any values out of it implies
289  * that it was set explicitly and thus flag the circuit that it should not
290  * look at the consensus for that reason for the defenses' values. */
292 
293  /* A value of 0 is valid in the sense that we accept it but we still disable
294  * the defenses so return false. */
295  if (intro2_rate_per_sec == 0 || intro2_burst_per_sec == 0) {
296  log_info(LD_REND, "Intro point DoS defenses parameter set to 0. "
297  "Disabling INTRO2 DoS defenses on circuit id %u",
298  circ->p_circ_id);
300  goto end;
301  }
302 
303  /* If invalid, we disable the defense on the circuit. */
304  if (!cell_dos_extension_parameters_are_valid(intro2_rate_per_sec,
305  intro2_burst_per_sec)) {
307  log_info(LD_REND, "Disabling INTRO2 DoS defenses on circuit id %u",
308  circ->p_circ_id);
309  goto end;
310  }
311 
312  /* We passed validation, enable defenses and apply rate/burst. */
314 
315  /* Initialize the INTRODUCE2 token bucket for the rate limiting. */
317  (uint32_t) intro2_rate_per_sec,
318  (uint32_t) intro2_burst_per_sec,
319  (uint32_t) approx_time());
320  log_info(LD_REND, "Intro point DoS defenses enabled. Rate is %" PRIu64
321  " and Burst is %" PRIu64,
322  intro2_rate_per_sec, intro2_burst_per_sec);
323 
324  end:
325  trn_cell_extension_dos_free(dos);
326  return;
327 }
328 
329 /** Parse every cell extension in the given ESTABLISH_INTRO cell. */
330 static void
332  const trn_cell_establish_intro_t *parsed_cell,
333  or_circuit_t *circ)
334 {
335  const trn_cell_extension_t *extensions;
336 
337  tor_assert(parsed_cell);
338  tor_assert(circ);
339 
340  extensions = trn_cell_establish_intro_getconst_extensions(parsed_cell);
341  if (extensions == NULL) {
342  goto end;
343  }
344 
345  /* Go over all extensions. */
346  for (size_t idx = 0; idx < trn_cell_extension_get_num(extensions); idx++) {
347  const trn_cell_extension_field_t *field =
348  trn_cell_extension_getconst_fields(extensions, idx);
349  if (BUG(field == NULL)) {
350  /* The number of extensions should match the number of fields. */
351  break;
352  }
353 
354  switch (trn_cell_extension_field_get_field_type(field)) {
355  case TRUNNEL_CELL_EXTENSION_TYPE_DOS:
356  /* After this, the circuit should be set for DoS defenses. */
358  break;
359  default:
360  /* Unknown extension. Skip over. */
361  break;
362  }
363  }
364 
365  end:
366  return;
367 }
368 
369 /** We received an ESTABLISH_INTRO <b>parsed_cell</b> on <b>circ</b>. It's
370  * well-formed and passed our verifications. Perform appropriate actions to
371  * establish an intro point. */
372 static int
374  const trn_cell_establish_intro_t *parsed_cell)
375 {
376  /* Get the auth key of this intro point */
377  ed25519_public_key_t auth_key;
378  get_auth_key_from_cell(&auth_key, RELAY_COMMAND_ESTABLISH_INTRO,
379  parsed_cell);
380 
381  /* Setup INTRODUCE2 defenses on the circuit. Must be done before parsing the
382  * cell extension that can possibly change the defenses' values. */
384 
385  /* Handle cell extension if any. */
386  handle_establish_intro_cell_extensions(parsed_cell, circ);
387 
388  /* Then notify the hidden service that the intro point is established by
389  sending an INTRO_ESTABLISHED cell */
391  log_warn(LD_PROTOCOL, "Couldn't send INTRO_ESTABLISHED cell.");
392  return -1;
393  }
394 
395  /* Associate intro point auth key with this circuit. */
397  /* Repurpose this circuit into an intro circuit. */
399 
400  return 0;
401 }
402 
403 /** We just received an ESTABLISH_INTRO cell in <b>circ</b> with payload in
404  * <b>request</b>. Handle it by making <b>circ</b> an intro circuit. Return 0
405  * if everything went well, or -1 if there were errors. */
406 static int
407 handle_establish_intro(or_circuit_t *circ, const uint8_t *request,
408  size_t request_len)
409 {
410  int cell_ok, retval = -1;
411  trn_cell_establish_intro_t *parsed_cell = NULL;
412 
413  tor_assert(circ);
414  tor_assert(request);
415 
416  log_info(LD_REND, "Received an ESTABLISH_INTRO request on circuit %" PRIu32,
417  circ->p_circ_id);
418 
419  /* Check that the circuit is in shape to become an intro point */
421  goto err;
422  }
423 
424  /* Parse the cell */
425  ssize_t parsing_result = trn_cell_establish_intro_parse(&parsed_cell,
426  request, request_len);
427  if (parsing_result < 0) {
428  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
429  "Rejecting %s ESTABLISH_INTRO cell.",
430  parsing_result == -1 ? "invalid" : "truncated");
431  goto err;
432  }
433 
434  cell_ok = verify_establish_intro_cell(parsed_cell,
435  (uint8_t *) circ->rend_circ_nonce,
436  sizeof(circ->rend_circ_nonce));
437  if (cell_ok < 0) {
438  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
439  "Failed to verify ESTABLISH_INTRO cell.");
440  goto err;
441  }
442 
443  /* This cell is legit. Take the appropriate actions. */
444  cell_ok = handle_verified_establish_intro_cell(circ, parsed_cell);
445  if (cell_ok < 0) {
446  goto err;
447  }
448 
449  /* We are done! */
450  retval = 0;
451  goto done;
452 
453  err:
454  /* When sending the intro establish ack, on error the circuit can be marked
455  * as closed so avoid a double close. */
456  if (!TO_CIRCUIT(circ)->marked_for_close) {
457  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
458  }
459 
460  done:
461  trn_cell_establish_intro_free(parsed_cell);
462  return retval;
463 }
464 
465 /** Return True if circuit is suitable for being an intro circuit. */
466 static int
468  const char *log_cell_type_str)
469 {
470  tor_assert(circ);
471  tor_assert(log_cell_type_str);
472 
473  /* Basic circuit state sanity checks. */
474  if (circ->base_.purpose != CIRCUIT_PURPOSE_OR) {
475  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
476  "Rejecting %s on non-OR circuit.", log_cell_type_str);
477  return 0;
478  }
479 
480  if (circ->base_.n_chan) {
481  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
482  "Rejecting %s on non-edge circuit.", log_cell_type_str);
483  return 0;
484  }
485 
486  /* Suitable. */
487  return 1;
488 }
489 
490 /** Return True if circuit is suitable for being service-side intro circuit. */
491 int
493 {
494  return circuit_is_suitable_intro_point(circ, "ESTABLISH_INTRO");
495 }
496 
497 /** We just received an ESTABLISH_INTRO cell in <b>circ</b>. Figure out of it's
498  * a legacy or a next gen cell, and pass it to the appropriate handler. */
499 int
500 hs_intro_received_establish_intro(or_circuit_t *circ, const uint8_t *request,
501  size_t request_len)
502 {
503  tor_assert(circ);
504  tor_assert(request);
505 
506  if (request_len == 0) {
507  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Empty ESTABLISH_INTRO cell.");
508  goto err;
509  }
510 
511  /* Using the first byte of the cell, figure out the version of
512  * ESTABLISH_INTRO and pass it to the appropriate cell handler */
513  const uint8_t first_byte = request[0];
514  switch (first_byte) {
515  case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0:
516  case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1:
517  return rend_mid_establish_intro_legacy(circ, request, request_len);
518  case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519:
519  return handle_establish_intro(circ, request, request_len);
520  default:
521  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
522  "Unrecognized AUTH_KEY_TYPE %u.", first_byte);
523  goto err;
524  }
525 
526  err:
527  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
528  return -1;
529 }
530 
531 /** Send an INTRODUCE_ACK cell onto the circuit <b>circ</b> with the status
532  * value in <b>status</b>. Depending on the status, it can be ACK or a NACK.
533  * Return 0 on success else a negative value on error which will close the
534  * circuit. */
535 static int
536 send_introduce_ack_cell(or_circuit_t *circ, uint16_t status)
537 {
538  int ret = -1;
539  uint8_t *encoded_cell = NULL;
540  ssize_t encoded_len, result_len;
541  trn_cell_introduce_ack_t *cell;
542  trn_cell_extension_t *ext;
543 
544  tor_assert(circ);
545 
546  /* Setup the INTRODUCE_ACK cell. We have no extensions so the N_EXTENSIONS
547  * field is set to 0 by default with a new object. */
548  cell = trn_cell_introduce_ack_new();
549  ret = trn_cell_introduce_ack_set_status(cell, status);
550  /* We have no cell extensions in an INTRODUCE_ACK cell. */
551  ext = trn_cell_extension_new();
552  trn_cell_extension_set_num(ext, 0);
553  trn_cell_introduce_ack_set_extensions(cell, ext);
554  /* A wrong status is a very bad code flow error as this value is controlled
555  * by the code in this file and not an external input. This means we use a
556  * code that is not known by the trunnel ABI. */
557  tor_assert(ret == 0);
558  /* Encode the payload. We should never fail to get the encoded length. */
559  encoded_len = trn_cell_introduce_ack_encoded_len(cell);
560  tor_assert(encoded_len > 0);
561  encoded_cell = tor_malloc_zero(encoded_len);
562  result_len = trn_cell_introduce_ack_encode(encoded_cell, encoded_len, cell);
563  tor_assert(encoded_len == result_len);
564 
565  ret = relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
566  RELAY_COMMAND_INTRODUCE_ACK,
567  (char *) encoded_cell, encoded_len,
568  NULL);
569  /* On failure, the above function will close the circuit. */
570  trn_cell_introduce_ack_free(cell);
571  tor_free(encoded_cell);
572  return ret;
573 }
574 
575 /** Validate a parsed INTRODUCE1 <b>cell</b>. Return 0 if valid or else a
576  * negative value for an invalid cell that should be NACKed. */
577 STATIC int
578 validate_introduce1_parsed_cell(const trn_cell_introduce1_t *cell)
579 {
580  size_t legacy_key_id_len;
581  const uint8_t *legacy_key_id;
582 
583  tor_assert(cell);
584 
585  /* This code path SHOULD NEVER be reached if the cell is a legacy type so
586  * safety net here. The legacy ID must be zeroes in this case. */
587  legacy_key_id_len = trn_cell_introduce1_getlen_legacy_key_id(cell);
588  legacy_key_id = trn_cell_introduce1_getconstarray_legacy_key_id(cell);
589  if (BUG(!fast_mem_is_zero((char *) legacy_key_id, legacy_key_id_len))) {
590  goto invalid;
591  }
592 
593  /* The auth key of an INTRODUCE1 should be of type ed25519 thus leading to a
594  * known fixed length as well. */
595  if (trn_cell_introduce1_get_auth_key_type(cell) !=
596  TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519) {
597  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
598  "Rejecting invalid INTRODUCE1 cell auth key type. "
599  "Responding with NACK.");
600  goto invalid;
601  }
602  if (trn_cell_introduce1_get_auth_key_len(cell) != ED25519_PUBKEY_LEN ||
603  trn_cell_introduce1_getlen_auth_key(cell) != ED25519_PUBKEY_LEN) {
604  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
605  "Rejecting invalid INTRODUCE1 cell auth key length. "
606  "Responding with NACK.");
607  goto invalid;
608  }
609  if (trn_cell_introduce1_getlen_encrypted(cell) == 0) {
610  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
611  "Rejecting invalid INTRODUCE1 cell encrypted length. "
612  "Responding with NACK.");
613  goto invalid;
614  }
615 
616  return 0;
617  invalid:
618  return -1;
619 }
620 
621 /** We just received a non legacy INTRODUCE1 cell on <b>client_circ</b> with
622  * the payload in <b>request</b> of size <b>request_len</b>. Return 0 if
623  * everything went well, or -1 if an error occurred. This function is in charge
624  * of sending back an INTRODUCE_ACK cell and will close client_circ on error.
625  */
626 STATIC int
627 handle_introduce1(or_circuit_t *client_circ, const uint8_t *request,
628  size_t request_len)
629 {
630  int ret = -1;
631  or_circuit_t *service_circ;
632  trn_cell_introduce1_t *parsed_cell;
633  uint16_t status = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS;
634 
635  tor_assert(client_circ);
636  tor_assert(request);
637 
638  /* Parse cell. Note that we can only parse the non encrypted section for
639  * which we'll use the authentication key to find the service introduction
640  * circuit and relay the cell on it. */
641  ssize_t cell_size = trn_cell_introduce1_parse(&parsed_cell, request,
642  request_len);
643  if (cell_size < 0) {
644  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
645  "Rejecting %s INTRODUCE1 cell. Responding with NACK.",
646  cell_size == -1 ? "invalid" : "truncated");
647  /* Inform client that the INTRODUCE1 has a bad format. */
648  status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT;
649  goto send_ack;
650  }
651 
652  /* Once parsed validate the cell format. */
653  if (validate_introduce1_parsed_cell(parsed_cell) < 0) {
654  /* Inform client that the INTRODUCE1 has bad format. */
655  status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT;
656  goto send_ack;
657  }
658 
659  /* Find introduction circuit through our circuit map. */
660  {
661  ed25519_public_key_t auth_key;
662  get_auth_key_from_cell(&auth_key, RELAY_COMMAND_INTRODUCE1, parsed_cell);
663  service_circ = hs_circuitmap_get_intro_circ_v3_relay_side(&auth_key);
664  if (service_circ == NULL) {
665  char b64_key[ED25519_BASE64_LEN + 1];
666  ed25519_public_to_base64(b64_key, &auth_key);
667  log_info(LD_REND, "No intro circuit found for INTRODUCE1 cell "
668  "with auth key %s from circuit %" PRIu32 ". "
669  "Responding with NACK.",
670  safe_str(b64_key), client_circ->p_circ_id);
671  /* Inform the client that we don't know the requested service ID. */
672  status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
673  goto send_ack;
674  }
675  }
676 
677  /* Before sending, lets make sure this cell can be sent on the service
678  * circuit asking the DoS defenses. */
679  if (!hs_dos_can_send_intro2(service_circ)) {
680  char *msg;
681  static ratelim_t rlimit = RATELIM_INIT(5 * 60);
682  if ((msg = rate_limit_log(&rlimit, approx_time()))) {
683  log_info(LD_PROTOCOL, "Can't relay INTRODUCE1 v3 cell due to DoS "
684  "limitations. Sending NACK to client.");
685  tor_free(msg);
686  }
687  status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
688  goto send_ack;
689  }
690 
691  /* Relay the cell to the service on its intro circuit with an INTRODUCE2
692  * cell which is the same exact payload. */
693  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(service_circ),
694  RELAY_COMMAND_INTRODUCE2,
695  (char *) request, request_len, NULL)) {
696  log_warn(LD_PROTOCOL, "Unable to send INTRODUCE2 cell to the service.");
697  /* Inform the client that we can't relay the cell. Use the unknown ID
698  * status code since it means that we do not know the service. */
699  status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
700  goto send_ack;
701  }
702 
703  /* Success! Send an INTRODUCE_ACK success status onto the client circuit. */
704  status = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS;
705  ret = 0;
706 
707  send_ack:
708  /* Send INTRODUCE_ACK or INTRODUCE_NACK to client */
709  if (send_introduce_ack_cell(client_circ, status) < 0) {
710  log_warn(LD_PROTOCOL, "Unable to send an INTRODUCE ACK status %d "
711  "to client.", status);
712  /* Circuit has been closed on failure of transmission. */
713  goto done;
714  }
715  done:
716  trn_cell_introduce1_free(parsed_cell);
717  return ret;
718 }
719 
720 /** Identify if the encoded cell we just received is a legacy one or not. The
721  * <b>request</b> should be at least DIGEST_LEN bytes long. */
722 STATIC int
723 introduce1_cell_is_legacy(const uint8_t *request)
724 {
725  tor_assert(request);
726 
727  /* If the first 20 bytes of the cell (DIGEST_LEN) are NOT zeroes, it
728  * indicates a legacy cell (v2). */
729  if (!fast_mem_is_zero((const char *) request, DIGEST_LEN)) {
730  /* Legacy cell. */
731  return 1;
732  }
733  /* Not a legacy cell. */
734  return 0;
735 }
736 
737 /** Return true iff the circuit <b>circ</b> is suitable for receiving an
738  * INTRODUCE1 cell. */
739 STATIC int
741 {
742  tor_assert(circ);
743 
744  /* Is this circuit an intro point circuit? */
745  if (!circuit_is_suitable_intro_point(circ, "INTRODUCE1")) {
746  return 0;
747  }
748 
749  if (circ->already_received_introduce1) {
750  log_fn(LOG_PROTOCOL_WARN, LD_REND,
751  "Blocking multiple introductions on the same circuit. "
752  "Someone might be trying to attack a hidden service through "
753  "this relay.");
754  return 0;
755  }
756 
757  /* Disallow single hop client circuit. */
758  if (circ->p_chan && channel_is_client(circ->p_chan)) {
759  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
760  "Single hop client was rejected while trying to introduce. "
761  "Closing circuit.");
762  return 0;
763  }
764 
765  return 1;
766 }
767 
768 /** We just received an INTRODUCE1 cell on <b>circ</b>. Figure out which type
769  * it is and pass it to the appropriate handler. Return 0 on success else a
770  * negative value and the circuit is closed. */
771 int
772 hs_intro_received_introduce1(or_circuit_t *circ, const uint8_t *request,
773  size_t request_len)
774 {
775  int ret;
776 
777  tor_assert(circ);
778  tor_assert(request);
779 
780  /* A cell that can't hold a DIGEST_LEN is invalid as we need to check if
781  * it's a legacy cell or not using the first DIGEST_LEN bytes. */
782  if (request_len < DIGEST_LEN) {
783  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Invalid INTRODUCE1 cell length.");
784  goto err;
785  }
786 
787  /* Make sure we have a circuit that can have an INTRODUCE1 cell on it. */
789  /* We do not send a NACK because the circuit is not suitable for any kind
790  * of response or transmission as it's a violation of the protocol. */
791  goto err;
792  }
793  /* Mark the circuit that we got this cell. None are allowed after this as a
794  * DoS mitigation since one circuit with one client can hammer a service. */
795  circ->already_received_introduce1 = 1;
796 
797  /* We are sure here to have at least DIGEST_LEN bytes. */
798  if (introduce1_cell_is_legacy(request)) {
799  /* Handle a legacy cell. */
800  ret = rend_mid_introduce_legacy(circ, request, request_len);
801  } else {
802  /* Handle a non legacy cell. */
803  ret = handle_introduce1(circ, request, request_len);
804  }
805  return ret;
806 
807  err:
808  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
809  return -1;
810 }
811 
812 /** Clear memory allocated by the given intropoint object ip (but don't free
813  * the object itself). */
814 void
816 {
817  if (ip == NULL) {
818  return;
819  }
820  tor_cert_free(ip->auth_key_cert);
821  SMARTLIST_FOREACH(ip->link_specifiers, link_specifier_t *, ls,
822  link_specifier_free(ls));
823  smartlist_free(ip->link_specifiers);
824  memset(ip, 0, sizeof(hs_intropoint_t));
825 }
log_fn
#define log_fn(severity, domain, args,...)
Definition: log.h:287
tor_free
#define tor_free(p)
Definition: malloc.h:52
circuit_t::purpose
uint8_t purpose
Definition: circuit_st.h:111
channel_is_client
int channel_is_client(const channel_t *chan)
Definition: channel.c:2882
ED25519_BASE64_LEN
#define ED25519_BASE64_LEN
Definition: x25519_sizes.h:43
approx_time
time_t approx_time(void)
Definition: approx_time.c:32
MOCK_IMPL
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
CIRCUIT_PURPOSE_INTRO_POINT
#define CIRCUIT_PURPOSE_INTRO_POINT
Definition: circuitlist.h:42
tor_assert
#define tor_assert(expr)
Definition: util_bug.h:102
fast_mem_is_zero
int fast_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:74
circuituse.h
Header file for circuituse.c.
channel.h
Header file for channel.c.
crypto_mac_sha3_256
void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len)
Definition: crypto_digest.c:110
or_circuit_t::rend_circ_nonce
char rend_circ_nonce[DIGEST_LEN]
Definition: or_circuit_st.h:53
send_introduce_ack_cell
static int send_introduce_ack_cell(or_circuit_t *circ, uint16_t status)
Definition: hs_intropoint.c:536
get_auth_key_from_cell
STATIC void get_auth_key_from_cell(ed25519_public_key_t *auth_key_out, unsigned int cell_type, const void *cell)
Definition: hs_intropoint.c:40
hs_dos_can_send_intro2
bool hs_dos_can_send_intro2(or_circuit_t *s_intro_circ)
Definition: hs_dos.c:166
handle_establish_intro_cell_extensions
static void handle_establish_intro_cell_extensions(const trn_cell_establish_intro_t *parsed_cell, or_circuit_t *circ)
Definition: hs_intropoint.c:331
verify_establish_intro_cell
STATIC int verify_establish_intro_cell(const trn_cell_establish_intro_t *cell, const uint8_t *circuit_key_material, size_t circuit_key_material_len)
Definition: hs_intropoint.c:77
or_circuit_t::introduce2_dos_defense_explicit
unsigned int introduce2_dos_defense_explicit
Definition: or_circuit_st.h:81
circuit_t::n_chan
channel_t * n_chan
Definition: circuit_st.h:69
ED25519_PUBKEY_LEN
#define ED25519_PUBKEY_LEN
Definition: x25519_sizes.h:27
ed25519_public_to_base64
void ed25519_public_to_base64(char *output, const ed25519_public_key_t *pkey)
Definition: crypto_format.c:227
SMARTLIST_FOREACH
#define SMARTLIST_FOREACH(sl, type, var, cmd)
Definition: smartlist_foreach.h:112
circuit_is_suitable_intro_point
static int circuit_is_suitable_intro_point(const or_circuit_t *circ, const char *log_cell_type_str)
Definition: hs_intropoint.c:467
hs_intropoint_t::link_specifiers
smartlist_t * link_specifiers
Definition: hs_intropoint.h:24
hs_dos.h
Header file containing denial of service defenses for the HS subsystem for all versions.
CIRCUIT_PURPOSE_OR
#define CIRCUIT_PURPOSE_OR
Definition: circuitlist.h:39
or_circuit_t::p_chan
channel_t * p_chan
Definition: or_circuit_st.h:37
circuitlist.h
Header file for circuitlist.c.
DIGEST_LEN
#define DIGEST_LEN
Definition: digest_sizes.h:20
rate_limit_log
char * rate_limit_log(ratelim_t *lim, time_t now)
Definition: ratelim.c:42
hs_intro_send_intro_established_cell
int hs_intro_send_intro_established_cell(or_circuit_t *circ)
Definition: hs_intropoint.c:152
crypto_format.h
Header for crypto_format.c.
hs_circuitmap_register_intro_circ_v3_relay_side
void hs_circuitmap_register_intro_circ_v3_relay_side(or_circuit_t *circ, const ed25519_public_key_t *auth_key)
Definition: hs_circuitmap.c:361
hs_intropoint_clear
void hs_intropoint_clear(hs_intropoint_t *ip)
Definition: hs_intropoint.c:815
tor_memneq
#define tor_memneq(a, b, sz)
Definition: di_ops.h:21
ed25519_public_key_t
Definition: crypto_ed25519.h:23
LD_REND
#define LD_REND
Definition: log.h:84
circuit_change_purpose
void circuit_change_purpose(circuit_t *circ, uint8_t new_purpose)
Definition: circuituse.c:3117
rendmid.h
Header file for rendmid.c.
or_circuit_t::introduce2_dos_defense_enabled
unsigned int introduce2_dos_defense_enabled
Definition: or_circuit_st.h:77
hs_intro_received_introduce1
int hs_intro_received_introduce1(or_circuit_t *circ, const uint8_t *request, size_t request_len)
Definition: hs_intropoint.c:772
introduce1_cell_is_legacy
STATIC int introduce1_cell_is_legacy(const uint8_t *request)
Definition: hs_intropoint.c:723
DIGEST256_LEN
#define DIGEST256_LEN
Definition: digest_sizes.h:23
or_circuit_t::introduce2_bucket
token_bucket_ctr_t introduce2_bucket
Definition: or_circuit_st.h:86
hs_intropoint_t::auth_key_cert
tor_cert_t * auth_key_cert
Definition: hs_intropoint.h:22
handle_introduce1
STATIC int handle_introduce1(or_circuit_t *client_circ, const uint8_t *request, size_t request_len)
Definition: hs_intropoint.c:627
rend_mid_establish_intro_legacy
int rend_mid_establish_intro_legacy(or_circuit_t *circ, const uint8_t *request, size_t request_len)
Definition: rendmid.c:30
hs_common.h
Header file containing common data for the whole HS subsytem.
hs_intro_received_establish_intro
int hs_intro_received_establish_intro(or_circuit_t *circ, const uint8_t *request, size_t request_len)
Definition: hs_intropoint.c:500
relay.h
Header file for relay.c.
token_bucket_ctr_init
void token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate, uint32_t burst, uint32_t now_ts)
Definition: token_bucket.c:265
ed25519_signature_t
Definition: crypto_ed25519.h:18
cell_dos_extension_parameters_are_valid
STATIC bool cell_dos_extension_parameters_are_valid(uint64_t intro2_rate_per_sec, uint64_t intro2_burst_per_sec)
Definition: hs_intropoint.c:189
hs_config.h
Header file containing configuration ABI/API for the HS subsytem.
handle_establish_intro
static int handle_establish_intro(or_circuit_t *circ, const uint8_t *request, size_t request_len)
Definition: hs_intropoint.c:407
ESTABLISH_INTRO_SIG_PREFIX
#define ESTABLISH_INTRO_SIG_PREFIX
Definition: hs_common.h:53
hs_dos_setup_default_intro2_defenses
void hs_dos_setup_default_intro2_defenses(or_circuit_t *circ)
Definition: hs_dos.c:137
hs_intro_circuit_is_suitable_for_establish_intro
int hs_intro_circuit_is_suitable_for_establish_intro(const or_circuit_t *circ)
Definition: hs_intropoint.c:492
hs_intropoint.h
Header file for hs_intropoint.c.
hs_circuitmap.h
Header file for hs_circuitmap.c.
or_circuit_t
Definition: or_circuit_st.h:21
handle_establish_intro_cell_dos_extension
static void handle_establish_intro_cell_dos_extension(const trn_cell_extension_field_t *field, or_circuit_t *circ)
Definition: hs_intropoint.c:251
or_circuit_t::p_circ_id
circid_t p_circ_id
Definition: or_circuit_st.h:33
config.h
Header file for config.c.
handle_verified_establish_intro_cell
static int handle_verified_establish_intro_cell(or_circuit_t *circ, const trn_cell_establish_intro_t *parsed_cell)
Definition: hs_intropoint.c:373
hs_circuitmap_get_intro_circ_v3_relay_side
or_circuit_t * hs_circuitmap_get_intro_circ_v3_relay_side(const ed25519_public_key_t *auth_key)
Definition: hs_circuitmap.c:307
TO_CIRCUIT
#define TO_CIRCUIT(x)
Definition: or.h:965
STATIC
#define STATIC
Definition: testsupport.h:32
ed25519_checksig_prefixed
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
Definition: crypto_ed25519.c:339
hs_descriptor.h
Header file for hs_descriptor.c.
hs_intropoint_t
Definition: hs_intropoint.h:17
validate_introduce1_parsed_cell
STATIC int validate_introduce1_parsed_cell(const trn_cell_introduce1_t *cell)
Definition: hs_intropoint.c:578
rephist.h
Header file for rephist.c.
ratelim_t
Definition: ratelim.h:42
circuit_is_suitable_for_introduce1
STATIC int circuit_is_suitable_for_introduce1(const or_circuit_t *circ)
Definition: hs_intropoint.c:740
or.h
Master header file for Tor-specific functionality.
rend_mid_introduce_legacy
int rend_mid_introduce_legacy(or_circuit_t *circ, const uint8_t *request, size_t request_len)
Definition: rendmid.c:143
LD_PROTOCOL
#define LD_PROTOCOL
Definition: log.h:72