| blob | 80273c27b153b6f52b6a43a053ec2e276e6f728c |
1 /* Copyright (c) 2016-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file hs_descriptor.c
6 * \brief Handle hidden service descriptor encoding/decoding.
7 *
8 * \details
9 * Here is a graphical depiction of an HS descriptor and its layers:
10 *
11 * +------------------------------------------------------+
12 * |DESCRIPTOR HEADER: |
13 * | hs-descriptor 3 |
14 * | descriptor-lifetime 180 |
15 * | ... |
16 * | superencrypted |
17 * |+---------------------------------------------------+ |
18 * ||SUPERENCRYPTED LAYER (aka OUTER ENCRYPTED LAYER): | |
19 * || desc-auth-type x25519 | |
20 * || desc-auth-ephemeral-key | |
21 * || auth-client | |
22 * || auth-client | |
23 * || ... | |
24 * || encrypted | |
25 * ||+-------------------------------------------------+| |
26 * |||ENCRYPTED LAYER (aka INNER ENCRYPTED LAYER): || |
27 * ||| create2-formats || |
28 * ||| intro-auth-required || |
29 * ||| introduction-point || |
30 * ||| introduction-point || |
31 * ||| ... || |
32 * ||+-------------------------------------------------+| |
33 * |+---------------------------------------------------+ |
34 * +------------------------------------------------------+
35 *
36 * The DESCRIPTOR HEADER section is completely unencrypted and contains generic
37 * descriptor metadata.
38 *
39 * The SUPERENCRYPTED LAYER section is the first layer of encryption, and it's
40 * encrypted using the blinded public key of the hidden service to protect
41 * against entities who don't know its onion address. The clients of the hidden
42 * service know its onion address and blinded public key, whereas third-parties
43 * (like HSDirs) don't know it (except if it's a public hidden service).
44 *
45 * The ENCRYPTED LAYER section is the second layer of encryption, and it's
46 * encrypted using the client authorization key material (if those exist). When
47 * client authorization is enabled, this second layer of encryption protects
48 * the descriptor content from unauthorized entities. If client authorization
49 * is disabled, this second layer of encryption does not provide any extra
50 * security but is still present. The plaintext of this layer contains all the
51 * information required to connect to the hidden service like its list of
52 * introduction points.
53 **/
55 /* For unit tests.*/
56 #define HS_DESCRIPTOR_PRIVATE
58 #include <stdbool.h>
78 /* Constant string value used for the descriptor format. */
86 /* Constant string value for the encrypted part of the descriptor. */
99 /* Constant string value for the construction to encrypt the encrypted data
100 * section. */
103 /* Prefix required to compute/verify HS desc signatures */
110 /** Authentication supported types. */
112 hs_desc_auth_type_t type;
116 /* Indicate end of array. */
118 };
120 /** Descriptor ruleset. */
128 END_OF_TABLE
129 };
131 /** Descriptor ruleset for the superencrypted section. */
137 END_OF_TABLE
138 };
140 /** Descriptor ruleset for the encrypted section. */
146 END_OF_TABLE
147 };
149 /** Descriptor ruleset for the introduction points section. */
158 END_OF_TABLE
159 };
161 /** Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
162 * We use SHA3-256 for the MAC computation.
163 * This function can't fail. */
164 static void
169 {
181 /* As specified in section 2.5 of proposal 224, first add the mac key
182 * then add the salt first and then the encrypted section. */
191 }
193 /** Using a secret data and a given descriptor object, build the secret
194 * input needed for the KDF.
195 *
196 * secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
197 *
198 * Then, set the newly allocated buffer in secret_input_out and return the
199 * length of the buffer. */
200 static size_t
205 {
216 /* Copy the secret data. */
219 /* Copy subcredential. */
222 /* Copy revision counter value. */
231 }
233 /** Do the KDF construction and put the resulting data in key_out which is of
234 * key_out_len length. It uses SHAKE-256 as specified in the spec. */
235 static void
242 {
252 /* Build the secret input for the KDF computation. */
257 /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
261 /* Feed in the right string constant based on the desc layer */
268 }
270 /* Eat from our KDF. */
276 }
278 /** Using the given descriptor, secret data, and salt, run it through our
279 * KDF function and then extract a secret key in key_out, the IV in iv_out
280 * and MAC in mac_out. This function can't fail. */
281 static void
290 {
303 is_superencrypted_layer);
304 /* Copy the bytes we need for both the secret key and IV. */
310 /* Extra precaution to make sure we are not out of bound. */
313 }
315 /* === ENCODING === */
317 /** Encode the given link specifier objects into a newly allocated string.
318 * This can't fail so caller can always assume a valid string being
319 * returned. */
322 {
327 /* No link specifiers is a code flow error, can't happen. */
334 spec) {
340 {
350 /* Base64 encode our binary format. Add extra NUL byte for the base64
351 * encoded value. */
358 }
362 }
364 /** Encode an introduction point legacy key and certificate. Return a newly
365 * allocated string with it. On failure, return NULL. */
368 {
374 /* Encode cross cert. */
380 }
381 /* Convert the encryption key to PEM format NUL terminated. */
386 }
391 "%s"
397 done:
399 }
401 /** Encode an introduction point encryption key and certificate. Return a newly
402 * allocated string with it. On failure, return NULL. */
405 {
411 /* Base64 encode the encryption key for the "enc-key" field. */
415 }
423 done:
425 }
427 /** Encode an introduction point onion key. Return a newly allocated string
428 * with it. Can not fail. */
431 {
437 /* Base64 encode the encryption key for the "onion-key" field. */
442 }
444 /** Encode an introduction point object and return a newly allocated string
445 * with it. On failure, return NULL. */
449 {
456 /* Encode link specifier. */
457 {
461 }
463 /* Onion key encoding. */
464 {
468 }
471 }
473 /* Authentication key encoding. */
474 {
478 }
481 }
483 /* Encryption key encoding. */
484 {
488 }
491 }
493 /* Legacy key if any. */
495 /* Strong requirement else the IP creation was badly done. */
500 }
503 }
505 /* Join them all in one blob of text. */
508 err:
512 }
514 /** Given a source length, return the new size including padding for the
515 * plaintext encryption. */
516 static size_t
518 {
522 /* Make sure we won't overflow. */
525 /* Get the extra length we need to add. For example, if srclen is 10200
526 * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
528 padding_block_length;
529 /* Can never be extra careful. Make sure we are _really_ padded. */
532 }
534 /** Given a buffer, pad it up to the encrypted section padding requirement. Set
535 * the newly allocated string in padded_out and return the length of the
536 * padded buffer. */
537 STATIC size_t
540 {
547 /* Allocate the final length including padding. */
555 }
557 /** Using a key, IV and plaintext data of length plaintext_len, create the
558 * encrypted section by encrypting it and setting encrypted_out with the
559 * data. Return size of the encrypted data buffer. */
560 static size_t
564 {
574 /* If we are encrypting the middle layer of the descriptor, we need to first
575 pad the plaintext */
579 /* Extra precautions that we have a valid padding length. */
584 }
586 /* This creates a cipher for AES. It can't fail. */
588 HS_DESC_ENCRYPTED_BIT_SIZE);
589 /* We use a stream cipher so the encrypted length will be the same as the
590 * plaintext padded length. */
592 /* This can't fail. */
596 /* Cleanup. */
600 }
602 /** Encrypt the given <b>plaintext</b> buffer using <b>desc</b> and
603 * <b>secret_data</b> to get the keys. Set encrypted_out with the encrypted
604 * data and return the length of it. <b>is_superencrypted_layer</b> is set
605 * if this is the outer encrypted layer of the descriptor. */
606 static size_t
612 {
625 /* Get our salt. The returned bytes are already hashed. */
628 /* KDF construction resulting in a key from which the secret key, IV and MAC
629 * key are extracted which is what we need for the encryption. */
635 is_superencrypted_layer);
637 /* Build the encrypted part that is do the actual encryption. */
640 is_superencrypted_layer);
643 /* This construction is specified in section 2.5 of proposal 224. */
647 /* Build the MAC. */
652 /* The salt is the first value. */
655 /* Second value is the encrypted data. */
658 /* Third value is the MAC. */
661 /* Cleanup the buffers. */
665 /* Extra precaution. */
670 }
672 /** Create and return a string containing a client-auth entry. It's the
673 * responsibility of the caller to free the returned string. This function
674 * will never fail. */
677 {
680 /* We are gonna fill these arrays with base64 data. They are all double
681 * the size of their binary representation to fit the base64 overhead. */
686 #define ASSERT_AND_BASE64(field) STMT_BEGIN \
687 tor_assert(!fast_mem_is_zero((char *) client->field, \
688 sizeof(client->field))); \
689 ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
690 client->field, sizeof(client->field)); \
691 tor_assert(ret > 0); \
692 STMT_END
698 /* Build the final string */
702 #undef ASSERT_AND_BASE64
705 }
707 /** Create the "client-auth" part of the descriptor and return a
708 * newly-allocated string with it. It's the responsibility of the caller to
709 * free the returned string. */
712 {
722 /* Make a line for each client */
732 /* Join all lines together to form final string */
735 /* Cleanup the mess */
740 }
742 /** Create the inner layer of the descriptor (which includes the intro points,
743 * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
744 * an error occurred. It's the responsibility of the caller to free the
745 * returned string. */
748 {
752 /* Build the start of the section prior to the introduction points. */
753 {
757 }
759 ONION_HANDSHAKE_TYPE_NTOR);
763 /* Put the authentication-required line. */
768 }
772 }
775 /* Add flow control line into the descriptor. */
779 }
780 }
782 /* Build the introduction point(s) section. */
786 ip);
790 }
794 /* Build the entire encrypted data section into one encoded plaintext and
795 * then encrypt it. */
798 err:
803 }
805 /** Create the middle layer of the descriptor, which includes the client auth
806 * data and the encrypted inner layer (provided as a base64 string at
807 * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
808 * layer plaintext. It's the responsibility of the caller to free the returned
809 * string. Can not fail. */
813 {
817 /* Specify auth type */
826 CURVE25519_PUBKEY_LEN));
833 }
839 }
841 /* create encrypted section */
842 {
846 "%s"
849 }
853 /* We need to memwipe all lines because it contains the ephemeral key */
859 }
861 /** Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
862 * returning it. <b>desc</b> is provided to derive the encryption
863 * keys. <b>secret_data</b> is also proved to derive the encryption keys.
864 * <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
865 * middle (superencrypted) layer of the descriptor. It's the responsibility of
866 * the caller to free the returned string. */
873 {
880 is_superencrypted_layer);
881 /* Get the encoded size plus a NUL terminating byte. */
884 /* Base64 the encrypted blob before returning it. */
886 BASE64_ENCODE_MULTILINE);
887 /* Return length doesn't count the NUL byte. */
892 }
894 /** Generate the secret data which is used to encrypt/decrypt the descriptor.
895 *
896 * SECRET_DATA = blinded-public-key
897 * SECRET_DATA = blinded-public-key | descriptor_cookie
898 *
899 * The descriptor_cookie is optional but if it exists, it must be at least
900 * HS_DESC_DESCRIPTOR_COOKIE_LEN bytes long.
901 *
902 * A newly allocated secret data is put in secret_data_out. Return the
903 * length of the secret data. This function cannot fail. */
904 static size_t
908 {
916 /* If the descriptor cookie is present, we need both the blinded
917 * pubkey and the descriptor cookie as a secret data. */
923 ED25519_PUBKEY_LEN);
925 descriptor_cookie,
926 HS_DESC_DESCRIPTOR_COOKIE_LEN);
928 /* If the descriptor cookie is not present, we need only the blinded
929 * pubkey as a secret data. */
934 ED25519_PUBKEY_LEN);
935 }
939 }
941 /** Generate and encode the superencrypted portion of <b>desc</b>. This also
942 * involves generating the encrypted portion of the descriptor, and performing
943 * the superencryption. A newly allocated NUL-terminated string pointer
944 * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
945 * on success else a negative value. */
946 static int
950 {
962 /* Func logic: We first create the inner layer of the descriptor (layer2).
963 * We then encrypt it and use it to create the middle layer of the descriptor
964 * (layer1). Finally we superencrypt the middle layer and return it to our
965 * caller. */
967 /* Create inner descriptor layer */
971 }
974 descriptor_cookie,
977 /* Encrypt and b64 the inner layer */
978 layer2_b64_ciphertext =
983 }
985 /* Now create middle descriptor layer given the inner layer */
989 }
991 /* Encrypt and base64 the middle layer */
992 layer1_b64_ciphertext =
995 ED25519_PUBKEY_LEN,
999 }
1001 /* Success! */
1004 err:
1013 }
1015 /** Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
1016 * newly allocated string of the encoded descriptor. On error, -1 is returned
1017 * and encoded_out is untouched. */
1018 static int
1023 {
1034 /* Build the non-encrypted values. */
1035 {
1037 /* Encode certificate then create the first line of the descriptor. */
1043 }
1046 /* The function will print error logs. */
1048 }
1049 /* Create the hs descriptor line. */
1052 /* Add the descriptor lifetime line (in minutes). */
1055 /* Create the descriptor certificate line. */
1058 /* Create the revision counter line. */
1061 }
1063 /* Build the superencrypted data section. */
1064 {
1069 }
1073 "%s"
1077 }
1079 /* Join all lines in one string so we can generate a signature and append
1080 * it to the descriptor. */
1083 /* Sign all fields of the descriptor with our short term signing key. */
1084 {
1085 ed25519_signature_t sig;
1093 }
1095 /* Create the signature line. */
1097 }
1098 /* Free previous string that we used so compute the signature. */
1108 }
1110 /* XXX: Trigger a control port event. */
1112 /* Success! */
1115 err:
1119 }
1121 /* === DECODING === */
1123 /** Given the token tok for an auth client, decode it as
1124 * hs_desc_authorized_client_t. tok->args MUST contain at least 3 elements
1125 * Return 0 on success else -1 on failure. */
1126 static int
1129 {
1140 }
1145 }
1151 }
1153 /* Success. */
1155 done:
1157 }
1159 /** Given an encoded string of the link specifiers, return a newly allocated
1160 * list of decoded link specifiers. Return NULL on error. */
1161 STATIC smartlist_t *
1163 {
1175 encoded_len);
1178 }
1183 }
1191 }
1195 }
1197 }
1200 err:
1206 }
1207 done:
1211 }
1213 /** Given a list of authentication types, decode it and put it in the encrypted
1214 * data section. Return 1 if we at least know one of the type or 0 if we know
1215 * none of them. */
1216 static int
1218 {
1227 /* Validate the types that we at least know about one. */
1234 }
1235 }
1239 }
1241 /** Parse a space-delimited list of integers representing CREATE2 formats into
1242 * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
1243 static void
1245 {
1260 }
1266 /* We deliberately ignore unsupported handshake types */
1268 }
1273 }
1275 /** Given a certificate, validate the certificate for certain conditions which
1276 * are if the given type matches the cert's one, if the signing key is
1277 * included and if the that key was actually used to sign the certificate.
1278 *
1279 * Return 1 iff if all conditions pass or 0 if one of them fails. */
1280 STATIC int
1282 {
1288 }
1291 log_obj_type);
1293 }
1294 /* All certificate must have its signing key included. */
1298 }
1300 /* The following will not only check if the signature matches but also the
1301 * expiration date and overall validity. */
1308 expiration_str);
1312 }
1314 }
1317 err:
1319 }
1321 /** Given some binary data, try to parse it to get a certificate object. If we
1322 * have a valid cert, validate it using the given wanted type. On error, print
1323 * a log using the err_msg has the certificate identifier adding semantic to
1324 * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
1325 * points to a newly allocated certificate object. */
1326 static int
1330 {
1337 /* Parse certificate. */
1342 }
1344 /* Validate certificate. */
1347 }
1352 err:
1356 }
1358 /** Return true iff the given length of the encrypted data of a descriptor
1359 * passes validation. */
1360 STATIC int
1362 {
1363 /* Make sure there is enough data for the salt and the mac. The equality is
1364 there to ensure that there is at least one byte of encrypted data. */
1370 }
1373 err:
1375 }
1377 /** Build the KEYS component for the authorized client computation. The format
1378 * of the construction is:
1379 *
1380 * SECRET_SEED = x25519(sk, pk)
1381 * KEYS = KDF(subcredential | SECRET_SEED, 40)
1382 *
1383 * Set the <b>keys_out</b> argument to point to the buffer containing the KEYS,
1384 * and return the buffer's length. The caller should wipe and free its content
1385 * once done with it. This function can't fail. */
1386 static size_t
1391 {
1404 /* Calculate x25519(sk, pk) to get the secret seed. */
1407 /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
1418 }
1420 /** Decrypt the descriptor cookie given the descriptor, the auth client,
1421 * and the client secret key. On success, return 0 and a newly allocated
1422 * descriptor cookie descriptor_cookie_out. On error or if the client id
1423 * is invalid, return -1 and descriptor_cookie_out is set to
1424 * NULL. */
1425 static int
1430 {
1445 DIGEST256_LEN));
1447 /* Catch potential code-flow cases of an uninitialized private key sneaking
1448 * into this function. */
1451 }
1453 /* Get the KEYS component to derive the CLIENT-ID and COOKIE-KEY. */
1454 keystream_length =
1456 client_auth_sk,
1461 /* If the client id of auth client is not the same as the calculcated
1462 * client id, it means that this auth client is invalid according to the
1463 * client secret key client_auth_sk. */
1466 }
1469 /* This creates a cipher for AES. It can't fail. */
1471 HS_DESC_COOKIE_KEY_BIT_SIZE);
1473 /* This can't fail. */
1478 /* Success. */
1480 done:
1484 }
1488 }
1490 /** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
1491 * <b>encrypted_blob_size</b>. The descriptor cookie is optional. Use
1492 * the descriptor object <b>desc</b> and <b>descriptor_cookie</b>
1493 * to generate the right decryption keys; set <b>decrypted_out</b> to
1494 * the plaintext. If <b>is_superencrypted_layer</b> is set, this is
1495 * the outer encrypted layer of the descriptor.
1496 *
1497 * On any error case, including an empty output, return 0 and set
1498 * *<b>decrypted_out</b> to NULL.
1499 */
1505 {
1524 /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
1525 * Make sure we have enough space for all these things. */
1528 }
1530 /* Start of the blob thus the salt. */
1533 /* Next is the encrypted data. */
1539 /* And last comes the MAC. */
1542 /* Build secret data to be used in the decryption. */
1544 descriptor_cookie,
1547 /* KDF construction resulting in a key from which the secret key, IV and MAC
1548 * key are extracted which is what we need for the decryption. */
1554 is_superencrypted_layer);
1556 /* Build MAC. */
1560 /* Verify MAC; MAC is H(mac_key || salt || encrypted)
1561 *
1562 * This is a critical check that is making sure the computed MAC matches the
1563 * one in the descriptor. */
1567 }
1569 {
1570 /* Decrypt. Here we are assured that the encrypted length is valid for
1571 * decryption. */
1575 HS_DESC_ENCRYPTED_BIT_SIZE);
1576 /* Extra byte for the NUL terminated byte. */
1581 }
1583 {
1584 /* Adjust length to remove NUL padding bytes */
1589 }
1590 }
1593 /* Treat this as an error, so that somebody will free the output. */
1595 }
1597 /* Make sure to NUL terminate the string. */
1602 err:
1605 }
1609 done:
1615 }
1617 /** Decrypt the superencrypted section of the descriptor using the given
1618 * descriptor object <b>desc</b>. A newly allocated NUL terminated string is
1619 * put in decrypted_out which contains the superencrypted layer of the
1620 * descriptor. Return the length of decrypted_out on success else 0 is
1621 * returned and decrypted_out is set to NULL. */
1624 {
1632 NULL,
1638 }
1641 done:
1642 /* In case of error, superencrypted_plaintext is already NULL, so the
1643 * following line makes sense. */
1645 /* This makes sense too, because, in case of error, this is zero. */
1647 }
1649 /** Decrypt the encrypted section of the descriptor using the given descriptor
1650 * object <b>desc</b>. A newly allocated NUL terminated string is put in
1651 * decrypted_out which contains the encrypted layer of the descriptor.
1652 * Return the length of decrypted_out on success else 0 is returned and
1653 * decrypted_out is set to NULL. */
1658 {
1667 /* If the client secret key is provided, try to find a valid descriptor
1668 * cookie. Otherwise, leave it NULL. */
1672 /* If we can decrypt the descriptor cookie successfully, we will use that
1673 * descriptor cookie and break from the loop. */
1677 }
1679 }
1682 descriptor_cookie,
1687 }
1690 err:
1691 /* In case of error, encrypted_plaintext is already NULL, so the
1692 * following line makes sense. */
1696 }
1698 /* This makes sense too, because, in case of error, this is zero. */
1700 }
1702 /** Given the token tok for an intro point legacy key, the list of tokens, the
1703 * introduction point ip being decoded and the descriptor desc from which it
1704 * comes from, decode the legacy key and set the intro point object. Return 0
1705 * on success else -1 on failure. */
1706 static int
1711 {
1720 }
1722 /* Extract the legacy cross certification cert which MUST be present if we
1723 * have a legacy key. */
1728 }
1731 /* Info level because this might be an unknown field that we should
1732 * ignore. */
1736 }
1737 /* Keep a copy of the certificate. */
1740 /* The check on the expiration date is for the entire lifetime of a
1741 * certificate which is 24 hours. However, a descriptor has a maximum
1742 * lifetime of 12 hours meaning we have a 12h difference between the two
1743 * which ultimately accommodate the clock skewed client. */
1752 }
1754 /* Success. */
1756 err:
1758 }
1760 /** Dig into the descriptor <b>tokens</b> to find the onion key we should use
1761 * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
1762 * was found and well-formed, otherwise return -1 in case of errors. */
1763 static int
1766 {
1776 }
1779 /* This field is using GE(2) so for possible forward compatibility, we
1780 * accept more fields but must be at least 2. */
1783 /* Try to find an ntor key, it's the only recognized type right now */
1788 }
1789 /* Got the onion key! Set the appropriate retval */
1791 }
1794 /* Log an error if we didn't find it :( */
1797 }
1799 err:
1802 }
1804 /** Given the start of a section and the end of it, decode a single
1805 * introduction point from that section. Return a newly allocated introduction
1806 * point object containing the decoded data. Return NULL if the section can't
1807 * be decoded. */
1808 STATIC hs_desc_intro_point_t *
1810 {
1825 }
1827 /* Ok we seem to have a well formed section containing enough tokens to
1828 * parse. Allocate our IP object and try to populate it. */
1831 /* "introduction-point" SP link-specifiers NL */
1834 /* Our constructor creates this list by default so free it. */
1840 }
1842 /* "onion-key" SP ntor SP key NL */
1845 }
1847 /* "auth-key" NL certificate NL */
1853 }
1854 /* Parse cert and do some validation. */
1859 }
1860 /* Validate authentication certificate with descriptor signing key. */
1866 }
1868 /* Exactly one "enc-key" SP "ntor" SP key NL */
1871 /* This field is using GE(2) so for possible forward compatibility, we
1872 * accept more fields but must be at least 2. */
1878 }
1880 /* Unknown key type so we can't use that introduction point. */
1883 }
1885 /* Exactly once "enc-key-cert" NL certificate NL */
1888 /* Do the cross certification. */
1893 }
1898 }
1904 }
1905 /* It is successfully cross certified. Flag the object. */
1908 /* Do we have a "legacy-key" SP key NL ?*/
1913 }
1914 }
1916 /* Introduction point has been parsed successfully. */
1919 err:
1923 done:
1928 }
1931 }
1933 /** Given a descriptor string at <b>data</b>, decode all possible introduction
1934 * points that we can find. Add the introduction point object to desc_enc as we
1935 * find them. This function can't fail and it is possible that zero
1936 * introduction points can be decoded. */
1937 static void
1941 {
1950 /* Take the desc string, and extract the intro point substrings out of it */
1951 {
1952 /* Split the descriptor string using the intro point header as delimiter */
1955 /* Check if there are actually any intro points included. The first chunk
1956 * should be other descriptor fields (e.g. create2-formats), so it's not an
1957 * intro point. */
1960 }
1961 }
1963 /* Take the intro point substrings, and prepare them for parsing */
1964 {
1966 /* Prepend the introduction-point header to all the chunks, since
1967 smartlist_split_string() devoured it. */
1969 /* Ignore first chunk. It's other descriptor fields. */
1972 }
1976 }
1978 /* Parse the intro points! */
1982 /* Malformed introduction point section. We'll ignore this introduction
1983 * point and continue parsing. New or unknown fields are possible for
1984 * forward compatibility. */
1986 }
1990 done:
1995 }
1997 /** Return 1 iff the given base64 encoded signature in b64_sig from the encoded
1998 * descriptor in encoded_desc validates the descriptor content. */
1999 STATIC int
2003 {
2005 ed25519_signature_t sig;
2011 /* Verifying nothing won't end well :). */
2014 /* Signature length check. */
2020 }
2022 /* First, convert base64 blob to an ed25519 signature. */
2027 }
2029 /* Find the start of signature. */
2031 /* Getting here means the token parsing worked for the signature so if we
2032 * can't find the start of the signature, we have a code flow issue. */
2036 }
2037 /* Skip newline, it has to go in the signature check. */
2038 sig_start++;
2040 /* Validate signature with the full body of the descriptor. */
2044 str_desc_sig_prefix,
2048 }
2049 /* Valid signature! All is good. */
2052 err:
2054 }
2056 /** Decode descriptor plaintext data for version 3. Given a list of tokens, an
2057 * allocated plaintext object that will be populated and the encoded
2058 * descriptor with its length. The last one is needed for signature
2059 * verification. Unknown tokens are simply ignored so this won't error on
2060 * unknowns but requires that all v3 token be present and valid.
2061 *
2062 * Return 0 on success else a negative value. */
2063 static hs_desc_decode_status_t
2067 {
2073 /* Version higher could still use this function to decode most of the
2074 * descriptor and then they decode the extra part. */
2077 /* Descriptor lifetime parsing. */
2085 }
2086 /* Put it from minute to second. */
2093 }
2095 /* Descriptor signing certificate. */
2098 /* Expecting a prop220 cert with the signing key extension, which contains
2099 * the blinded public key. */
2104 }
2109 }
2111 /* Copy the public keys into signing_pubkey and blinded_pubkey */
2117 /* Extract revision counter value. */
2125 }
2127 /* Extract the superencrypted data section. */
2133 }
2134 /* Make sure the length of the superencrypted blob is valid. */
2137 }
2139 /* Copy the superencrypted blob to the descriptor object so we can handle it
2140 * latter if needed. */
2144 /* Extract signature and verify it. */
2147 /* First arg here is the actual encoded signature. */
2151 }
2154 err:
2156 }
2158 /** Decode the version 3 superencrypted section of the given descriptor desc.
2159 * The desc_superencrypted_out will be populated with the decoded data. */
2160 STATIC hs_desc_decode_status_t
2162 hs_desc_superencrypted_data_t *
2163 desc_superencrypted_out)
2164 {
2171 /* Rename the parameter because it is too long. */
2177 /* Decrypt the superencrypted data that is located in the plaintext section
2178 * in the descriptor as a blob of bytes. */
2183 }
2192 }
2194 /* Verify desc auth type */
2200 }
2202 /* Extract desc auth ephemeral key */
2209 }
2211 /* Extract desc auth client items */
2214 }
2227 }
2229 }
2232 /* Extract the encrypted data section. */
2238 }
2239 /* Make sure the length of the encrypted blob is valid. */
2242 }
2244 /* Copy the encrypted blob to the descriptor object so we can handle it
2245 * latter if needed. */
2254 err:
2258 done:
2262 }
2265 }
2268 }
2270 }
2272 /** Decode the version 3 encrypted section of the given descriptor desc. The
2273 * desc_encrypted_out will be populated with the decoded data. */
2274 STATIC hs_desc_decode_status_t
2278 {
2289 /* Decrypt the encrypted data that is located in the superencrypted section
2290 * in the descriptor as a blob of bytes. */
2293 /* Two possible situation here. Either we have a client authorization
2294 * configured that didn't work or we do not have any configured for this
2295 * onion address so likely the descriptor is for authorized client only,
2296 * we are not. */
2298 /* At warning level so the client can notice that its client
2299 * authorization is failing. */
2304 /* Inform at notice level that the onion address requested can't be
2305 * reached without client authorization most likely. */
2307 "address. It is likely requiring client "
2310 }
2312 }
2321 }
2323 /* CREATE2 supported cell format. It's mandatory. */
2327 /* Must support ntor according to the specification */
2331 }
2333 /* Authentication type. It's optional but only once. */
2341 }
2342 }
2344 /* Is this service a single onion service? */
2348 }
2350 /* Initialize the descriptor's introduction point list before we start
2351 * decoding. Having 0 intro point is valid. Then decode them all. */
2355 /* Validation of maximum introduction points allowed. */
2357 HS_CONFIG_V3_MAX_INTRO_POINTS) {
2360 HS_CONFIG_V3_MAX_INTRO_POINTS,
2363 }
2365 /* NOTE: Unknown fields are allowed because this function could be used to
2366 * decode other descriptor version. */
2371 err:
2375 done:
2379 }
2382 }
2385 }
2387 }
2389 /** Table of encrypted decode function version specific. The function are
2390 * indexed by the version number so v3 callback is at index 3 in the array. */
2391 static hs_desc_decode_status_t
2396 {
2398 desc_decode_encrypted_v3,
2399 };
2401 /** Decode the encrypted data section of the given descriptor and store the
2402 * data in the given encrypted data object. Return 0 on success else a
2403 * negative value on error. */
2404 hs_desc_decode_status_t
2408 {
2413 /* Ease our life a bit. */
2416 /* Calling this function without an encrypted blob to parse is a code flow
2417 * error. The superencrypted parsing should never succeed in the first place
2418 * without an encrypted section. */
2420 /* Let's make sure we have a supported version as well. By correctly parsing
2421 * the plaintext, this should not fail. */
2424 }
2425 /* Extra precaution. Having no handler for the supported version should
2426 * never happened else we forgot to add it but we bumped the version. */
2430 /* Run the version specific plaintext decoder. */
2432 desc_encrypted);
2435 }
2437 err:
2439 }
2441 /** Table of superencrypted decode function version specific. The function are
2442 * indexed by the version number so v3 callback is at index 3 in the array. */
2443 static hs_desc_decode_status_t
2447 {
2449 desc_decode_superencrypted_v3,
2450 };
2452 /** Decode the superencrypted data section of the given descriptor and store
2453 * the data in the given superencrypted data object. */
2454 hs_desc_decode_status_t
2456 hs_desc_superencrypted_data_t *
2457 desc_superencrypted)
2458 {
2463 /* Ease our life a bit. */
2466 /* Calling this function without an superencrypted blob to parse is
2467 * a code flow error. The plaintext parsing should never succeed in
2468 * the first place without an superencrypted section. */
2470 /* Let's make sure we have a supported version as well. By correctly parsing
2471 * the plaintext, this should not fail. */
2474 }
2475 /* Extra precaution. Having no handler for the supported version should
2476 * never happened else we forgot to add it but we bumped the version. */
2480 /* Run the version specific plaintext decoder. */
2484 }
2486 err:
2488 }
2490 /** Table of plaintext decode function version specific. The function are
2491 * indexed by the version number so v3 callback is at index 3 in the array. */
2492 static hs_desc_decode_status_t
2498 {
2500 desc_decode_plaintext_v3,
2501 };
2503 /** Fully decode the given descriptor plaintext and store the data in the
2504 * plaintext data object. */
2505 hs_desc_decode_status_t
2508 {
2518 /* Check that descriptor is within size limits. */
2524 }
2528 /* Tokenize the descriptor so we can start to parse it. */
2533 }
2535 /* Get the version of the descriptor which is the first mandatory field of
2536 * the descriptor. From there, we'll decode the right descriptor version. */
2545 }
2550 }
2551 /* Extra precaution. Having no handler for the supported version should
2552 * never happened else we forgot to add it but we bumped the version. */
2556 /* Run the version specific plaintext decoder. */
2561 }
2562 /* Success. Descriptor has been populated with the data. */
2565 err:
2569 }
2572 }
2574 }
2576 /** Fully decode an encoded descriptor and set a newly allocated descriptor
2577 * object in desc_out. Client secret key is used to decrypt the "encrypted"
2578 * section if not NULL else it's ignored.
2579 *
2580 * Return 0 on success. A negative value is returned on error and desc_out is
2581 * set to NULL. */
2582 hs_desc_decode_status_t
2587 {
2595 /* Subcredentials are not optional. */
2600 }
2607 }
2612 }
2617 }
2623 }
2626 err:
2630 }
2634 }
2636 /** Table of encode function version specific. The functions are indexed by the
2637 * version number so v3 callback is at index 3 in the array. */
2638 static int
2644 {
2646 desc_encode_v3,
2647 };
2649 /** Encode the given descriptor desc including signing with the given key pair
2650 * signing_kp and encrypting with the given descriptor cookie.
2651 *
2652 * If the client authorization is enabled, descriptor_cookie must be the same
2653 * as the one used to build hs_desc_authorized_client_t in the descriptor.
2654 * Otherwise, it must be NULL. On success, encoded_out points to a newly
2655 * allocated NUL terminated string that contains the encoded descriptor as
2656 * a string.
2657 *
2658 * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
2659 * returned and encoded_out is set to NULL. */
2665 {
2672 /* Make sure we support the version of the descriptor format. */
2676 }
2677 /* Extra precaution. Having no handler for the supported version should
2678 * never happened else we forgot to add it but we bumped the version. */
2686 }
2688 /* Try to decode what we just encoded. Symmetry is nice!, but it is
2689 * symmetric only if the client auth is disabled. That is, the descriptor
2690 * cookie will be NULL. */
2697 }
2698 }
2702 err:
2705 }
2707 /** Free the content of the plaintext section of a descriptor. */
2708 void
2710 {
2713 }
2717 }
2721 }
2723 /** Free the content of the superencrypted section of a descriptor. */
2724 void
2726 {
2729 }
2733 }
2738 }
2741 }
2743 /** Free the content of the encrypted section of a descriptor. */
2744 void
2746 {
2749 }
2754 }
2759 }
2761 }
2763 /** Free the descriptor plaintext data object. */
2764 void
2766 {
2769 }
2771 /** Free the descriptor plaintext data object. */
2772 void
2774 {
2777 }
2779 /** Free the descriptor encrypted data object. */
2780 void
2782 {
2785 }
2787 /** Free the given descriptor object. */
2788 void
2790 {
2793 }
2799 }
2801 /** Return the size in bytes of the given plaintext data object. A sizeof() is
2802 * not enough because the object contains pointers and the encrypted blob.
2803 * This is particularly useful for our OOM subsystem that tracks the HSDir
2804 * cache size for instance. */
2805 size_t
2807 {
2811 }
2813 /** Return the size in bytes of the given encrypted data object. Used by OOM
2814 * subsystem. */
2815 static size_t
2817 {
2821 intro_size +=
2823 }
2825 /* XXX could follow pointers here and get more accurate size */
2826 intro_size +=
2828 }
2831 }
2833 /** Return the size in bytes of the given descriptor object. Used by OOM
2834 * subsystem. */
2835 size_t
2837 {
2840 }
2844 }
2846 /** Return a newly allocated descriptor intro point. */
2847 hs_desc_intro_point_t *
2849 {
2853 }
2855 /** Free a descriptor intro point object. */
2856 void
2858 {
2861 }
2866 }
2872 }
2874 /** Allocate and build a new fake client info for the descriptor. Return a
2875 * newly allocated object. This can't fail. */
2876 hs_desc_authorized_client_t *
2878 {
2890 }
2892 /** Using the service's subcredential, client public key, auth ephemeral secret
2893 * key, and descriptor cookie, build the auth client so we can then encode the
2894 * descriptor for publication. client_out must be already allocated. */
2895 void
2899 auth_ephemeral_sk,
2902 {
2918 HS_DESC_DESCRIPTOR_COOKIE_LEN));
2920 DIGEST256_LEN));
2922 /* Get the KEYS part so we can derive the CLIENT-ID and COOKIE-KEY. */
2923 keystream_length =
2929 /* Extract the CLIENT-ID and COOKIE-KEY from the KEYS. */
2933 /* Random IV */
2936 /* This creates a cipher for AES. It can't fail. */
2938 HS_DESC_COOKIE_KEY_BIT_SIZE);
2939 /* This can't fail. */
2942 HS_DESC_DESCRIPTOR_COOKIE_LEN);
2948 }
2950 /** Free an authoriezd client object. */
2951 void
2953 {
2955 }
2957 /** From the given descriptor, remove and free every introduction point. */
2958 void
2960 {
2970 }
2971 }