tor  0.4.2.1-alpha-dev
hs_intropoint.c
Go to the documentation of this file.
1 /* Copyright (c) 2016-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
9 #define HS_INTROPOINT_PRIVATE
10 
11 #include "core/or/or.h"
12 #include "app/config/config.h"
13 #include "core/or/channel.h"
14 #include "core/or/circuitlist.h"
15 #include "core/or/circuituse.h"
16 #include "core/or/relay.h"
17 #include "feature/rend/rendmid.h"
18 #include "feature/stats/rephist.h"
20 
21 /* Trunnel */
22 #include "trunnel/ed25519_cert.h"
23 #include "trunnel/hs/cell_common.h"
24 #include "trunnel/hs/cell_establish_intro.h"
25 #include "trunnel/hs/cell_introduce1.h"
26 
28 #include "feature/hs/hs_common.h"
29 #include "feature/hs/hs_config.h"
31 #include "feature/hs/hs_dos.h"
33 
34 #include "core/or/or_circuit_st.h"
35 
39 STATIC void
41  unsigned int cell_type, const void *cell)
42 {
43  size_t auth_key_len;
44  const uint8_t *key_array;
45 
46  tor_assert(auth_key_out);
47  tor_assert(cell);
48 
49  switch (cell_type) {
50  case RELAY_COMMAND_ESTABLISH_INTRO:
51  {
52  const trn_cell_establish_intro_t *c_cell = cell;
53  key_array = trn_cell_establish_intro_getconstarray_auth_key(c_cell);
54  auth_key_len = trn_cell_establish_intro_getlen_auth_key(c_cell);
55  break;
56  }
57  case RELAY_COMMAND_INTRODUCE1:
58  {
59  const trn_cell_introduce1_t *c_cell = cell;
60  key_array = trn_cell_introduce1_getconstarray_auth_key(cell);
61  auth_key_len = trn_cell_introduce1_getlen_auth_key(c_cell);
62  break;
63  }
64  default:
65  /* Getting here is really bad as it means we got a unknown cell type from
66  * this file where every call has an hardcoded value. */
67  tor_assert_unreached(); /* LCOV_EXCL_LINE */
68  }
69  tor_assert(key_array);
70  tor_assert(auth_key_len == sizeof(auth_key_out->pubkey));
71  memcpy(auth_key_out->pubkey, key_array, auth_key_len);
72 }
73 
76 STATIC int
77 verify_establish_intro_cell(const trn_cell_establish_intro_t *cell,
78  const uint8_t *circuit_key_material,
79  size_t circuit_key_material_len)
80 {
81  /* We only reach this function if the first byte of the cell is 0x02 which
82  * means that auth_key_type is of ed25519 type, hence this check should
83  * always pass. See hs_intro_received_establish_intro(). */
84  if (BUG(cell->auth_key_type != TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519)) {
85  return -1;
86  }
87 
88  /* Make sure the auth key length is of the right size for this type. For
89  * EXTRA safety, we check both the size of the array and the length which
90  * must be the same. Safety first!*/
91  if (trn_cell_establish_intro_getlen_auth_key(cell) != ED25519_PUBKEY_LEN ||
92  trn_cell_establish_intro_get_auth_key_len(cell) != ED25519_PUBKEY_LEN) {
93  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
94  "ESTABLISH_INTRO auth key length is invalid");
95  return -1;
96  }
97 
98  const uint8_t *msg = cell->start_cell;
99 
100  /* Verify the sig */
101  {
102  ed25519_signature_t sig_struct;
103  const uint8_t *sig_array =
104  trn_cell_establish_intro_getconstarray_sig(cell);
105 
106  /* Make sure the signature length is of the right size. For EXTRA safety,
107  * we check both the size of the array and the length which must be the
108  * same. Safety first!*/
109  if (trn_cell_establish_intro_getlen_sig(cell) != sizeof(sig_struct.sig) ||
110  trn_cell_establish_intro_get_sig_len(cell) != sizeof(sig_struct.sig)) {
111  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
112  "ESTABLISH_INTRO sig len is invalid");
113  return -1;
114  }
115  /* We are now sure that sig_len is of the right size. */
116  memcpy(sig_struct.sig, sig_array, cell->sig_len);
117 
118  ed25519_public_key_t auth_key;
119  get_auth_key_from_cell(&auth_key, RELAY_COMMAND_ESTABLISH_INTRO, cell);
120 
121  const size_t sig_msg_len = cell->end_sig_fields - msg;
122  int sig_mismatch = ed25519_checksig_prefixed(&sig_struct,
123  msg, sig_msg_len,
124  ESTABLISH_INTRO_SIG_PREFIX,
125  &auth_key);
126  if (sig_mismatch) {
127  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
128  "ESTABLISH_INTRO signature not as expected");
129  return -1;
130  }
131  }
132 
133  /* Verify the MAC */
134  {
135  const size_t auth_msg_len = cell->end_mac_fields - msg;
136  uint8_t mac[DIGEST256_LEN];
137  crypto_mac_sha3_256(mac, sizeof(mac),
138  circuit_key_material, circuit_key_material_len,
139  msg, auth_msg_len);
140  if (tor_memneq(mac, cell->handshake_mac, sizeof(mac))) {
141  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
142  "ESTABLISH_INTRO handshake_auth not as expected");
143  return -1;
144  }
145  }
146 
147  return 0;
148 }
149 
150 /* Send an INTRO_ESTABLISHED cell to <b>circ</b>. */
151 MOCK_IMPL(int,
152 hs_intro_send_intro_established_cell,(or_circuit_t *circ))
153 {
154  int ret;
155  uint8_t *encoded_cell = NULL;
156  ssize_t encoded_len, result_len;
157  trn_cell_intro_established_t *cell;
158  trn_cell_extension_t *ext;
159 
160  tor_assert(circ);
161 
162  /* Build the cell payload. */
163  cell = trn_cell_intro_established_new();
164  ext = trn_cell_extension_new();
165  trn_cell_extension_set_num(ext, 0);
166  trn_cell_intro_established_set_extensions(cell, ext);
167  /* Encode the cell to binary format. */
168  encoded_len = trn_cell_intro_established_encoded_len(cell);
169  tor_assert(encoded_len > 0);
170  encoded_cell = tor_malloc_zero(encoded_len);
171  result_len = trn_cell_intro_established_encode(encoded_cell, encoded_len,
172  cell);
173  tor_assert(encoded_len == result_len);
174 
175  ret = relay_send_command_from_edge(0, TO_CIRCUIT(circ),
176  RELAY_COMMAND_INTRO_ESTABLISHED,
177  (char *) encoded_cell, encoded_len,
178  NULL);
179  /* On failure, the above function will close the circuit. */
180  trn_cell_intro_established_free(cell);
181  tor_free(encoded_cell);
182  return ret;
183 }
184 
185 /* Validate the cell DoS extension parameters. Return true iff they've been
186  * bound check and can be used. Else return false. See proposal 305 for
187  * details and reasons about this validation. */
188 STATIC bool
189 cell_dos_extension_parameters_are_valid(uint64_t intro2_rate_per_sec,
190  uint64_t intro2_burst_per_sec)
191 {
192  bool ret = false;
193 
194  /* Check that received value is not below the minimum. Don't check if minimum
195  is set to 0, since the param is a positive value and gcc will complain. */
196 #if HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MIN > 0
197  if (intro2_rate_per_sec < HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MIN) {
198  log_fn(LOG_PROTOCOL_WARN, LD_REND,
199  "Intro point DoS defenses rate per second is "
200  "too small. Received value: %" PRIu64, intro2_rate_per_sec);
201  goto end;
202  }
203 #endif /* HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MIN > 0 */
204 
205  /* Check that received value is not above maximum */
206  if (intro2_rate_per_sec > HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MAX) {
207  log_fn(LOG_PROTOCOL_WARN, LD_REND,
208  "Intro point DoS defenses rate per second is "
209  "too big. Received value: %" PRIu64, intro2_rate_per_sec);
210  goto end;
211  }
212 
213  /* Check that received value is not below the minimum */
214 #if HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MIN > 0
215  if (intro2_burst_per_sec < HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MIN) {
216  log_fn(LOG_PROTOCOL_WARN, LD_REND,
217  "Intro point DoS defenses burst per second is "
218  "too small. Received value: %" PRIu64, intro2_burst_per_sec);
219  goto end;
220  }
221 #endif /* HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MIN > 0 */
222 
223  /* Check that received value is not above maximum */
224  if (intro2_burst_per_sec > HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MAX) {
225  log_fn(LOG_PROTOCOL_WARN, LD_REND,
226  "Intro point DoS defenses burst per second is "
227  "too big. Received value: %" PRIu64, intro2_burst_per_sec);
228  goto end;
229  }
230 
231  /* In a rate limiting scenario, burst can never be smaller than the rate. At
232  * best it can be equal. */
233  if (intro2_burst_per_sec < intro2_rate_per_sec) {
234  log_info(LD_REND, "Intro point DoS defenses burst is smaller than rate. "
235  "Rate: %" PRIu64 " vs Burst: %" PRIu64,
236  intro2_rate_per_sec, intro2_burst_per_sec);
237  goto end;
238  }
239 
240  /* Passing validation. */
241  ret = true;
242 
243  end:
244  return ret;
245 }
246 
247 /* Parse the cell DoS extension and apply defenses on the given circuit if
248  * validation passes. If the cell extension is malformed or contains unusable
249  * values, the DoS defenses is disabled on the circuit. */
250 static void
251 handle_establish_intro_cell_dos_extension(
252  const trn_cell_extension_field_t *field,
253  or_circuit_t *circ)
254 {
255  ssize_t ret;
256  uint64_t intro2_rate_per_sec = 0, intro2_burst_per_sec = 0;
257  trn_cell_extension_dos_t *dos = NULL;
258 
259  tor_assert(field);
260  tor_assert(circ);
261 
262  ret = trn_cell_extension_dos_parse(&dos,
263  trn_cell_extension_field_getconstarray_field(field),
264  trn_cell_extension_field_getlen_field(field));
265  if (ret < 0) {
266  goto end;
267  }
268 
269  for (size_t i = 0; i < trn_cell_extension_dos_get_n_params(dos); i++) {
270  const trn_cell_extension_dos_param_t *param =
271  trn_cell_extension_dos_getconst_params(dos, i);
272  if (BUG(param == NULL)) {
273  goto end;
274  }
275 
276  switch (trn_cell_extension_dos_param_get_type(param)) {
277  case TRUNNEL_DOS_PARAM_TYPE_INTRO2_RATE_PER_SEC:
278  intro2_rate_per_sec = trn_cell_extension_dos_param_get_value(param);
279  break;
280  case TRUNNEL_DOS_PARAM_TYPE_INTRO2_BURST_PER_SEC:
281  intro2_burst_per_sec = trn_cell_extension_dos_param_get_value(param);
282  break;
283  default:
284  goto end;
285  }
286  }
287 
288  /* A value of 0 is valid in the sense that we accept it but we still disable
289  * the defenses so return false. */
290  if (intro2_rate_per_sec == 0 || intro2_burst_per_sec == 0) {
291  log_info(LD_REND, "Intro point DoS defenses parameter set to 0. "
292  "Disabling INTRO2 DoS defenses on circuit id %u",
293  circ->p_circ_id);
295  goto end;
296  }
297 
298  /* If invalid, we disable the defense on the circuit. */
299  if (!cell_dos_extension_parameters_are_valid(intro2_rate_per_sec,
300  intro2_burst_per_sec)) {
302  log_info(LD_REND, "Disabling INTRO2 DoS defenses on circuit id %u",
303  circ->p_circ_id);
304  goto end;
305  }
306 
307  /* We passed validation, enable defenses and apply rate/burst. */
309 
310  /* Initialize the INTRODUCE2 token bucket for the rate limiting. */
312  (uint32_t) intro2_rate_per_sec,
313  (uint32_t) intro2_burst_per_sec,
314  (uint32_t) approx_time());
315  log_info(LD_REND, "Intro point DoS defenses enabled. Rate is %" PRIu64
316  " and Burst is %" PRIu64,
317  intro2_rate_per_sec, intro2_burst_per_sec);
318 
319  end:
320  trn_cell_extension_dos_free(dos);
321  return;
322 }
323 
324 /* Parse every cell extension in the given ESTABLISH_INTRO cell. */
325 static void
326 handle_establish_intro_cell_extensions(
327  const trn_cell_establish_intro_t *parsed_cell,
328  or_circuit_t *circ)
329 {
330  const trn_cell_extension_t *extensions;
331 
332  tor_assert(parsed_cell);
333  tor_assert(circ);
334 
335  extensions = trn_cell_establish_intro_getconst_extensions(parsed_cell);
336  if (extensions == NULL) {
337  goto end;
338  }
339 
340  /* Go over all extensions. */
341  for (size_t idx = 0; idx < trn_cell_extension_get_num(extensions); idx++) {
342  const trn_cell_extension_field_t *field =
343  trn_cell_extension_getconst_fields(extensions, idx);
344  if (BUG(field == NULL)) {
345  /* The number of extensions should match the number of fields. */
346  break;
347  }
348 
349  switch (trn_cell_extension_field_get_field_type(field)) {
350  case TRUNNEL_CELL_EXTENSION_TYPE_DOS:
351  /* After this, the circuit should be set for DoS defenses. */
352  handle_establish_intro_cell_dos_extension(field, circ);
353  break;
354  default:
355  /* Unknown extension. Skip over. */
356  break;
357  }
358  }
359 
360  end:
361  return;
362 }
363 
367 static int
369  const trn_cell_establish_intro_t *parsed_cell)
370 {
371  /* Get the auth key of this intro point */
372  ed25519_public_key_t auth_key;
373  get_auth_key_from_cell(&auth_key, RELAY_COMMAND_ESTABLISH_INTRO,
374  parsed_cell);
375 
376  /* Setup INTRODUCE2 defenses on the circuit. Must be done before parsing the
377  * cell extension that can possibly change the defenses' values. */
378  hs_dos_setup_default_intro2_defenses(circ);
379 
380  /* Handle cell extension if any. */
381  handle_establish_intro_cell_extensions(parsed_cell, circ);
382 
383  /* Then notify the hidden service that the intro point is established by
384  sending an INTRO_ESTABLISHED cell */
385  if (hs_intro_send_intro_established_cell(circ)) {
386  log_warn(LD_PROTOCOL, "Couldn't send INTRO_ESTABLISHED cell.");
387  return -1;
388  }
389 
390  /* Associate intro point auth key with this circuit. */
391  hs_circuitmap_register_intro_circ_v3_relay_side(circ, &auth_key);
392  /* Repurpose this circuit into an intro circuit. */
394 
395  return 0;
396 }
397 
401 static int
402 handle_establish_intro(or_circuit_t *circ, const uint8_t *request,
403  size_t request_len)
404 {
405  int cell_ok, retval = -1;
406  trn_cell_establish_intro_t *parsed_cell = NULL;
407 
408  tor_assert(circ);
409  tor_assert(request);
410 
411  log_info(LD_REND, "Received an ESTABLISH_INTRO request on circuit %" PRIu32,
412  circ->p_circ_id);
413 
414  /* Check that the circuit is in shape to become an intro point */
415  if (!hs_intro_circuit_is_suitable_for_establish_intro(circ)) {
416  goto err;
417  }
418 
419  /* Parse the cell */
420  ssize_t parsing_result = trn_cell_establish_intro_parse(&parsed_cell,
421  request, request_len);
422  if (parsing_result < 0) {
423  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
424  "Rejecting %s ESTABLISH_INTRO cell.",
425  parsing_result == -1 ? "invalid" : "truncated");
426  goto err;
427  }
428 
429  cell_ok = verify_establish_intro_cell(parsed_cell,
430  (uint8_t *) circ->rend_circ_nonce,
431  sizeof(circ->rend_circ_nonce));
432  if (cell_ok < 0) {
433  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
434  "Failed to verify ESTABLISH_INTRO cell.");
435  goto err;
436  }
437 
438  /* This cell is legit. Take the appropriate actions. */
439  cell_ok = handle_verified_establish_intro_cell(circ, parsed_cell);
440  if (cell_ok < 0) {
441  goto err;
442  }
443 
444  /* We are done! */
445  retval = 0;
446  goto done;
447 
448  err:
449  /* When sending the intro establish ack, on error the circuit can be marked
450  * as closed so avoid a double close. */
451  if (!TO_CIRCUIT(circ)->marked_for_close) {
452  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
453  }
454 
455  done:
456  trn_cell_establish_intro_free(parsed_cell);
457  return retval;
458 }
459 
460 /* Return True if circuit is suitable for being an intro circuit. */
461 static int
462 circuit_is_suitable_intro_point(const or_circuit_t *circ,
463  const char *log_cell_type_str)
464 {
465  tor_assert(circ);
466  tor_assert(log_cell_type_str);
467 
468  /* Basic circuit state sanity checks. */
469  if (circ->base_.purpose != CIRCUIT_PURPOSE_OR) {
470  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
471  "Rejecting %s on non-OR circuit.", log_cell_type_str);
472  return 0;
473  }
474 
475  if (circ->base_.n_chan) {
476  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
477  "Rejecting %s on non-edge circuit.", log_cell_type_str);
478  return 0;
479  }
480 
481  /* Suitable. */
482  return 1;
483 }
484 
485 /* Return True if circuit is suitable for being service-side intro circuit. */
486 int
487 hs_intro_circuit_is_suitable_for_establish_intro(const or_circuit_t *circ)
488 {
489  return circuit_is_suitable_intro_point(circ, "ESTABLISH_INTRO");
490 }
491 
492 /* We just received an ESTABLISH_INTRO cell in <b>circ</b>. Figure out of it's
493  * a legacy or a next gen cell, and pass it to the appropriate handler. */
494 int
495 hs_intro_received_establish_intro(or_circuit_t *circ, const uint8_t *request,
496  size_t request_len)
497 {
498  tor_assert(circ);
499  tor_assert(request);
500 
501  if (request_len == 0) {
502  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Empty ESTABLISH_INTRO cell.");
503  goto err;
504  }
505 
506  /* Using the first byte of the cell, figure out the version of
507  * ESTABLISH_INTRO and pass it to the appropriate cell handler */
508  const uint8_t first_byte = request[0];
509  switch (first_byte) {
510  case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0:
511  case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1:
512  return rend_mid_establish_intro_legacy(circ, request, request_len);
513  case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519:
514  return handle_establish_intro(circ, request, request_len);
515  default:
516  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
517  "Unrecognized AUTH_KEY_TYPE %u.", first_byte);
518  goto err;
519  }
520 
521  err:
522  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
523  return -1;
524 }
525 
526 /* Send an INTRODUCE_ACK cell onto the circuit <b>circ</b> with the status
527  * value in <b>status</b>. Depending on the status, it can be ACK or a NACK.
528  * Return 0 on success else a negative value on error which will close the
529  * circuit. */
530 static int
531 send_introduce_ack_cell(or_circuit_t *circ, uint16_t status)
532 {
533  int ret = -1;
534  uint8_t *encoded_cell = NULL;
535  ssize_t encoded_len, result_len;
536  trn_cell_introduce_ack_t *cell;
537  trn_cell_extension_t *ext;
538 
539  tor_assert(circ);
540 
541  /* Setup the INTRODUCE_ACK cell. We have no extensions so the N_EXTENSIONS
542  * field is set to 0 by default with a new object. */
543  cell = trn_cell_introduce_ack_new();
544  ret = trn_cell_introduce_ack_set_status(cell, status);
545  /* We have no cell extensions in an INTRODUCE_ACK cell. */
546  ext = trn_cell_extension_new();
547  trn_cell_extension_set_num(ext, 0);
548  trn_cell_introduce_ack_set_extensions(cell, ext);
549  /* A wrong status is a very bad code flow error as this value is controlled
550  * by the code in this file and not an external input. This means we use a
551  * code that is not known by the trunnel ABI. */
552  tor_assert(ret == 0);
553  /* Encode the payload. We should never fail to get the encoded length. */
554  encoded_len = trn_cell_introduce_ack_encoded_len(cell);
555  tor_assert(encoded_len > 0);
556  encoded_cell = tor_malloc_zero(encoded_len);
557  result_len = trn_cell_introduce_ack_encode(encoded_cell, encoded_len, cell);
558  tor_assert(encoded_len == result_len);
559 
560  ret = relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
561  RELAY_COMMAND_INTRODUCE_ACK,
562  (char *) encoded_cell, encoded_len,
563  NULL);
564  /* On failure, the above function will close the circuit. */
565  trn_cell_introduce_ack_free(cell);
566  tor_free(encoded_cell);
567  return ret;
568 }
569 
570 /* Validate a parsed INTRODUCE1 <b>cell</b>. Return 0 if valid or else a
571  * negative value for an invalid cell that should be NACKed. */
572 STATIC int
573 validate_introduce1_parsed_cell(const trn_cell_introduce1_t *cell)
574 {
575  size_t legacy_key_id_len;
576  const uint8_t *legacy_key_id;
577 
578  tor_assert(cell);
579 
580  /* This code path SHOULD NEVER be reached if the cell is a legacy type so
581  * safety net here. The legacy ID must be zeroes in this case. */
582  legacy_key_id_len = trn_cell_introduce1_getlen_legacy_key_id(cell);
583  legacy_key_id = trn_cell_introduce1_getconstarray_legacy_key_id(cell);
584  if (BUG(!fast_mem_is_zero((char *) legacy_key_id, legacy_key_id_len))) {
585  goto invalid;
586  }
587 
588  /* The auth key of an INTRODUCE1 should be of type ed25519 thus leading to a
589  * known fixed length as well. */
590  if (trn_cell_introduce1_get_auth_key_type(cell) !=
591  TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519) {
592  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
593  "Rejecting invalid INTRODUCE1 cell auth key type. "
594  "Responding with NACK.");
595  goto invalid;
596  }
597  if (trn_cell_introduce1_get_auth_key_len(cell) != ED25519_PUBKEY_LEN ||
598  trn_cell_introduce1_getlen_auth_key(cell) != ED25519_PUBKEY_LEN) {
599  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
600  "Rejecting invalid INTRODUCE1 cell auth key length. "
601  "Responding with NACK.");
602  goto invalid;
603  }
604  if (trn_cell_introduce1_getlen_encrypted(cell) == 0) {
605  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
606  "Rejecting invalid INTRODUCE1 cell encrypted length. "
607  "Responding with NACK.");
608  goto invalid;
609  }
610 
611  return 0;
612  invalid:
613  return -1;
614 }
615 
616 /* We just received a non legacy INTRODUCE1 cell on <b>client_circ</b> with
617  * the payload in <b>request</b> of size <b>request_len</b>. Return 0 if
618  * everything went well, or -1 if an error occurred. This function is in charge
619  * of sending back an INTRODUCE_ACK cell and will close client_circ on error.
620  */
621 STATIC int
622 handle_introduce1(or_circuit_t *client_circ, const uint8_t *request,
623  size_t request_len)
624 {
625  int ret = -1;
626  or_circuit_t *service_circ;
627  trn_cell_introduce1_t *parsed_cell;
628  uint16_t status = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS;
629 
630  tor_assert(client_circ);
631  tor_assert(request);
632 
633  /* Parse cell. Note that we can only parse the non encrypted section for
634  * which we'll use the authentication key to find the service introduction
635  * circuit and relay the cell on it. */
636  ssize_t cell_size = trn_cell_introduce1_parse(&parsed_cell, request,
637  request_len);
638  if (cell_size < 0) {
639  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
640  "Rejecting %s INTRODUCE1 cell. Responding with NACK.",
641  cell_size == -1 ? "invalid" : "truncated");
642  /* Inform client that the INTRODUCE1 has a bad format. */
643  status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT;
644  goto send_ack;
645  }
646 
647  /* Once parsed validate the cell format. */
648  if (validate_introduce1_parsed_cell(parsed_cell) < 0) {
649  /* Inform client that the INTRODUCE1 has bad format. */
650  status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT;
651  goto send_ack;
652  }
653 
654  /* Find introduction circuit through our circuit map. */
655  {
656  ed25519_public_key_t auth_key;
657  get_auth_key_from_cell(&auth_key, RELAY_COMMAND_INTRODUCE1, parsed_cell);
658  service_circ = hs_circuitmap_get_intro_circ_v3_relay_side(&auth_key);
659  if (service_circ == NULL) {
660  char b64_key[ED25519_BASE64_LEN + 1];
661  ed25519_public_to_base64(b64_key, &auth_key);
662  log_info(LD_REND, "No intro circuit found for INTRODUCE1 cell "
663  "with auth key %s from circuit %" PRIu32 ". "
664  "Responding with NACK.",
665  safe_str(b64_key), client_circ->p_circ_id);
666  /* Inform the client that we don't know the requested service ID. */
667  status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
668  goto send_ack;
669  }
670  }
671 
672  /* Before sending, lets make sure this cell can be sent on the service
673  * circuit asking the DoS defenses. */
674  if (!hs_dos_can_send_intro2(service_circ)) {
675  char *msg;
676  static ratelim_t rlimit = RATELIM_INIT(5 * 60);
677  if ((msg = rate_limit_log(&rlimit, approx_time()))) {
678  log_info(LD_PROTOCOL, "Can't relay INTRODUCE1 v3 cell due to DoS "
679  "limitations. Sending NACK to client.");
680  tor_free(msg);
681  }
682  status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
683  goto send_ack;
684  }
685 
686  /* Relay the cell to the service on its intro circuit with an INTRODUCE2
687  * cell which is the same exact payload. */
688  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(service_circ),
689  RELAY_COMMAND_INTRODUCE2,
690  (char *) request, request_len, NULL)) {
691  log_warn(LD_PROTOCOL, "Unable to send INTRODUCE2 cell to the service.");
692  /* Inform the client that we can't relay the cell. Use the unknown ID
693  * status code since it means that we do not know the service. */
694  status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
695  goto send_ack;
696  }
697 
698  /* Success! Send an INTRODUCE_ACK success status onto the client circuit. */
699  status = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS;
700  ret = 0;
701 
702  send_ack:
703  /* Send INTRODUCE_ACK or INTRODUCE_NACK to client */
704  if (send_introduce_ack_cell(client_circ, status) < 0) {
705  log_warn(LD_PROTOCOL, "Unable to send an INTRODUCE ACK status %d "
706  "to client.", status);
707  /* Circuit has been closed on failure of transmission. */
708  goto done;
709  }
710  done:
711  trn_cell_introduce1_free(parsed_cell);
712  return ret;
713 }
714 
715 /* Identify if the encoded cell we just received is a legacy one or not. The
716  * <b>request</b> should be at least DIGEST_LEN bytes long. */
717 STATIC int
718 introduce1_cell_is_legacy(const uint8_t *request)
719 {
720  tor_assert(request);
721 
722  /* If the first 20 bytes of the cell (DIGEST_LEN) are NOT zeroes, it
723  * indicates a legacy cell (v2). */
724  if (!fast_mem_is_zero((const char *) request, DIGEST_LEN)) {
725  /* Legacy cell. */
726  return 1;
727  }
728  /* Not a legacy cell. */
729  return 0;
730 }
731 
732 /* Return true iff the circuit <b>circ</b> is suitable for receiving an
733  * INTRODUCE1 cell. */
734 STATIC int
735 circuit_is_suitable_for_introduce1(const or_circuit_t *circ)
736 {
737  tor_assert(circ);
738 
739  /* Is this circuit an intro point circuit? */
740  if (!circuit_is_suitable_intro_point(circ, "INTRODUCE1")) {
741  return 0;
742  }
743 
744  if (circ->already_received_introduce1) {
745  log_fn(LOG_PROTOCOL_WARN, LD_REND,
746  "Blocking multiple introductions on the same circuit. "
747  "Someone might be trying to attack a hidden service through "
748  "this relay.");
749  return 0;
750  }
751 
752  /* Disallow single hop client circuit. */
753  if (circ->p_chan && channel_is_client(circ->p_chan)) {
754  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
755  "Single hop client was rejected while trying to introduce. "
756  "Closing circuit.");
757  return 0;
758  }
759 
760  return 1;
761 }
762 
763 /* We just received an INTRODUCE1 cell on <b>circ</b>. Figure out which type
764  * it is and pass it to the appropriate handler. Return 0 on success else a
765  * negative value and the circuit is closed. */
766 int
767 hs_intro_received_introduce1(or_circuit_t *circ, const uint8_t *request,
768  size_t request_len)
769 {
770  int ret;
771 
772  tor_assert(circ);
773  tor_assert(request);
774 
775  /* A cell that can't hold a DIGEST_LEN is invalid as we need to check if
776  * it's a legacy cell or not using the first DIGEST_LEN bytes. */
777  if (request_len < DIGEST_LEN) {
778  log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Invalid INTRODUCE1 cell length.");
779  goto err;
780  }
781 
782  /* Make sure we have a circuit that can have an INTRODUCE1 cell on it. */
783  if (!circuit_is_suitable_for_introduce1(circ)) {
784  /* We do not send a NACK because the circuit is not suitable for any kind
785  * of response or transmission as it's a violation of the protocol. */
786  goto err;
787  }
788  /* Mark the circuit that we got this cell. None are allowed after this as a
789  * DoS mitigation since one circuit with one client can hammer a service. */
790  circ->already_received_introduce1 = 1;
791 
792  /* We are sure here to have at least DIGEST_LEN bytes. */
793  if (introduce1_cell_is_legacy(request)) {
794  /* Handle a legacy cell. */
795  ret = rend_mid_introduce_legacy(circ, request, request_len);
796  } else {
797  /* Handle a non legacy cell. */
798  ret = handle_introduce1(circ, request, request_len);
799  }
800  return ret;
801 
802  err:
803  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
804  return -1;
805 }
806 
807 /* Clear memory allocated by the given intropoint object ip (but don't free the
808  * object itself). */
809 void
810 hs_intropoint_clear(hs_intropoint_t *ip)
811 {
812  if (ip == NULL) {
813  return;
814  }
815  tor_cert_free(ip->auth_key_cert);
816  SMARTLIST_FOREACH(ip->link_specifiers, link_specifier_t *, ls,
817  link_specifier_free(ls));
818  smartlist_free(ip->link_specifiers);
819  memset(ip, 0, sizeof(hs_intropoint_t));
820 }
int ed25519_checksig_prefixed(const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
Header file containing denial of service defenses for the HS subsystem for all versions.
int channel_is_client(const channel_t *chan)
Definition: channel.c:2924
Header file containing common data for the whole HS subsytem.
Header file containing configuration ABI/API for the HS subsytem.
int rend_mid_introduce_legacy(or_circuit_t *circ, const uint8_t *request, size_t request_len)
Definition: rendmid.c:143
char * rate_limit_log(ratelim_t *lim, time_t now)
Definition: ratelim.c:41
#define TO_CIRCUIT(x)
Definition: or.h:951
Header file for config.c.
int fast_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:74
STATIC void get_auth_key_from_cell(ed25519_public_key_t *auth_key_out, unsigned int cell_type, const void *cell)
Definition: hs_intropoint.c:40
void ed25519_public_to_base64(char *output, const ed25519_public_key_t *pkey)
#define tor_free(p)
Definition: malloc.h:52
static int handle_verified_establish_intro_cell(or_circuit_t *circ, const trn_cell_establish_intro_t *parsed_cell)
uint8_t purpose
Definition: circuit_st.h:100
char rend_circ_nonce[DIGEST_LEN]
Definition: or_circuit_st.h:53
Header file for rendmid.c.
#define DIGEST256_LEN
Definition: digest_sizes.h:23
channel_t * p_chan
Definition: or_circuit_st.h:37
Header file for channel.c.
tor_assert(buffer)
static int handle_establish_intro(or_circuit_t *circ, const uint8_t *request, size_t request_len)
Header for crypto_format.c.
#define DIGEST_LEN
Definition: digest_sizes.h:20
Master header file for Tor-specific functionality.
Header file for rephist.c.
Header file for circuituse.c.
Header file for hs_descriptor.c.
Header file for hs_intropoint.c.
circid_t p_circ_id
Definition: or_circuit_st.h:33
unsigned int introduce2_dos_defense_enabled
Definition: or_circuit_st.h:77
Header file for hs_circuitmap.c.
#define LD_REND
Definition: log.h:82
Header file for circuitlist.c.
or_circuit_t * hs_circuitmap_get_intro_circ_v3_relay_side(const ed25519_public_key_t *auth_key)
void token_bucket_ctr_init(token_bucket_ctr_t *bucket, uint32_t rate, uint32_t burst, uint32_t now_ts)
Definition: token_bucket.c:265
#define CIRCUIT_PURPOSE_INTRO_POINT
Definition: circuitlist.h:41
Header file for relay.c.
#define SMARTLIST_FOREACH(sl, type, var, cmd)
#define CIRCUIT_PURPOSE_OR
Definition: circuitlist.h:38
#define log_fn(severity, domain, args,...)
Definition: log.h:274
int rend_mid_establish_intro_legacy(or_circuit_t *circ, const uint8_t *request, size_t request_len)
Definition: rendmid.c:30
void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len)
time_t approx_time(void)
Definition: approx_time.c:32
void circuit_change_purpose(circuit_t *circ, uint8_t new_purpose)
Definition: circuituse.c:3061
STATIC int verify_establish_intro_cell(const trn_cell_establish_intro_t *cell, const uint8_t *circuit_key_material, size_t circuit_key_material_len)
Definition: hs_intropoint.c:77
token_bucket_ctr_t introduce2_bucket
Definition: or_circuit_st.h:82
#define LD_PROTOCOL
Definition: log.h:70
channel_t * n_chan
Definition: circuit_st.h:58