| blob | da7bb662e102feefc5bd85bdfc0faa9eedfba801 |
1 /* Copyright (c) 2016-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file hs_descriptor.c
6 * \brief Handle hidden service descriptor encoding/decoding.
7 *
8 * \details
9 * Here is a graphical depiction of an HS descriptor and its layers:
10 *
11 * +------------------------------------------------------+
12 * |DESCRIPTOR HEADER: |
13 * | hs-descriptor 3 |
14 * | descriptor-lifetime 180 |
15 * | ... |
16 * | superencrypted |
17 * |+---------------------------------------------------+ |
18 * ||SUPERENCRYPTED LAYER (aka OUTER ENCRYPTED LAYER): | |
19 * || desc-auth-type x25519 | |
20 * || desc-auth-ephemeral-key | |
21 * || auth-client | |
22 * || auth-client | |
23 * || ... | |
24 * || encrypted | |
25 * ||+-------------------------------------------------+| |
26 * |||ENCRYPTED LAYER (aka INNER ENCRYPTED LAYER): || |
27 * ||| create2-formats || |
28 * ||| intro-auth-required || |
29 * ||| introduction-point || |
30 * ||| introduction-point || |
31 * ||| ... || |
32 * ||+-------------------------------------------------+| |
33 * |+---------------------------------------------------+ |
34 * +------------------------------------------------------+
35 *
36 * The DESCRIPTOR HEADER section is completely unencrypted and contains generic
37 * descriptor metadata.
38 *
39 * The SUPERENCRYPTED LAYER section is the first layer of encryption, and it's
40 * encrypted using the blinded public key of the hidden service to protect
41 * against entities who don't know its onion address. The clients of the hidden
42 * service know its onion address and blinded public key, whereas third-parties
43 * (like HSDirs) don't know it (except if it's a public hidden service).
44 *
45 * The ENCRYPTED LAYER section is the second layer of encryption, and it's
46 * encrypted using the client authorization key material (if those exist). When
47 * client authorization is enabled, this second layer of encryption protects
48 * the descriptor content from unauthorized entities. If client authorization
49 * is disabled, this second layer of encryption does not provide any extra
50 * security but is still present. The plaintext of this layer contains all the
51 * information required to connect to the hidden service like its list of
52 * introduction points.
53 **/
55 /* For unit tests.*/
56 #define HS_DESCRIPTOR_PRIVATE
58 #include <stdbool.h>
79 /* Constant string value used for the descriptor format. */
87 /* Constant string value for the encrypted part of the descriptor. */
101 /* Constant string value for the construction to encrypt the encrypted data
102 * section. */
105 /* Prefix required to compute/verify HS desc signatures */
112 /** Authentication supported types. */
114 hs_desc_auth_type_t type;
118 /* Indicate end of array. */
120 };
122 /** PoW supported types. */
124 hs_pow_desc_type_t type;
128 /* Indicate end of array. */
130 };
132 /** Descriptor ruleset. */
140 END_OF_TABLE
141 };
143 /** Descriptor ruleset for the superencrypted section. */
149 END_OF_TABLE
150 };
152 /** Descriptor ruleset for the encrypted section. */
159 END_OF_TABLE
160 };
162 /** Descriptor ruleset for the introduction points section. */
171 END_OF_TABLE
172 };
174 /** Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
175 * We use SHA3-256 for the MAC computation.
176 * This function can't fail. */
177 static void
182 {
194 /* As specified in section 2.5 of proposal 224, first add the mac key
195 * then add the salt first and then the encrypted section. */
204 }
206 /** Using a secret data and a given descriptor object, build the secret
207 * input needed for the KDF.
208 *
209 * secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
210 *
211 * Then, set the newly allocated buffer in secret_input_out and return the
212 * length of the buffer. */
213 static size_t
218 {
229 /* Copy the secret data. */
232 /* Copy subcredential. */
235 /* Copy revision counter value. */
244 }
246 /** Do the KDF construction and put the resulting data in key_out which is of
247 * key_out_len length. It uses SHAKE-256 as specified in the spec. */
248 static void
255 {
265 /* Build the secret input for the KDF computation. */
270 /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
274 /* Feed in the right string constant based on the desc layer */
281 }
283 /* Eat from our KDF. */
289 }
291 /** Using the given descriptor, secret data, and salt, run it through our
292 * KDF function and then extract a secret key in key_out, the IV in iv_out
293 * and MAC in mac_out. This function can't fail. */
294 static void
303 {
316 is_superencrypted_layer);
317 /* Copy the bytes we need for both the secret key and IV. */
323 /* Extra precaution to make sure we are not out of bound. */
326 }
328 /* === ENCODING === */
330 /** Encode the given link specifier objects into a newly allocated string.
331 * This can't fail so caller can always assume a valid string being
332 * returned. */
335 {
340 /* No link specifiers is a code flow error, can't happen. */
347 spec) {
353 {
363 /* Base64 encode our binary format. Add extra NUL byte for the base64
364 * encoded value. */
371 }
375 }
377 /** Encode an introduction point legacy key and certificate. Return a newly
378 * allocated string with it. On failure, return NULL. */
381 {
387 /* Encode cross cert. */
393 }
394 /* Convert the encryption key to PEM format NUL terminated. */
399 }
404 "%s"
410 done:
412 }
414 /** Encode an introduction point encryption key and certificate. Return a newly
415 * allocated string with it. On failure, return NULL. */
418 {
424 /* Base64 encode the encryption key for the "enc-key" field. */
428 }
436 done:
438 }
440 /** Encode an introduction point onion key. Return a newly allocated string
441 * with it. Can not fail. */
444 {
450 /* Base64 encode the encryption key for the "onion-key" field. */
455 }
457 /** Encode an introduction point object and return a newly allocated string
458 * with it. On failure, return NULL. */
462 {
469 /* Encode link specifier. */
470 {
474 }
476 /* Onion key encoding. */
477 {
481 }
484 }
486 /* Authentication key encoding. */
487 {
491 }
494 }
496 /* Encryption key encoding. */
497 {
501 }
504 }
506 /* Legacy key if any. */
508 /* Strong requirement else the IP creation was badly done. */
513 }
516 }
518 /* Join them all in one blob of text. */
521 err:
525 }
527 /** Given a source length, return the new size including padding for the
528 * plaintext encryption. */
529 static size_t
531 {
535 /* Make sure we won't overflow. */
538 /* Get the extra length we need to add. For example, if srclen is 10200
539 * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
541 padding_block_length;
542 /* Can never be extra careful. Make sure we are _really_ padded. */
545 }
547 /** Given a buffer, pad it up to the encrypted section padding requirement. Set
548 * the newly allocated string in padded_out and return the length of the
549 * padded buffer. */
550 STATIC size_t
553 {
560 /* Allocate the final length including padding. */
568 }
570 /** Using a key, IV and plaintext data of length plaintext_len, create the
571 * encrypted section by encrypting it and setting encrypted_out with the
572 * data. Return size of the encrypted data buffer. */
573 static size_t
577 {
587 /* If we are encrypting the middle layer of the descriptor, we need to first
588 pad the plaintext */
592 /* Extra precautions that we have a valid padding length. */
597 }
599 /* This creates a cipher for AES. It can't fail. */
601 HS_DESC_ENCRYPTED_BIT_SIZE);
602 /* We use a stream cipher so the encrypted length will be the same as the
603 * plaintext padded length. */
605 /* This can't fail. */
609 /* Cleanup. */
613 }
615 /** Encrypt the given <b>plaintext</b> buffer using <b>desc</b> and
616 * <b>secret_data</b> to get the keys. Set encrypted_out with the encrypted
617 * data and return the length of it. <b>is_superencrypted_layer</b> is set
618 * if this is the outer encrypted layer of the descriptor. */
619 static size_t
625 {
638 /* Get our salt. The returned bytes are already hashed. */
641 /* KDF construction resulting in a key from which the secret key, IV and MAC
642 * key are extracted which is what we need for the encryption. */
648 is_superencrypted_layer);
650 /* Build the encrypted part that is do the actual encryption. */
653 is_superencrypted_layer);
656 /* This construction is specified in section 2.5 of proposal 224. */
660 /* Build the MAC. */
665 /* The salt is the first value. */
668 /* Second value is the encrypted data. */
671 /* Third value is the MAC. */
674 /* Cleanup the buffers. */
678 /* Extra precaution. */
683 }
685 /** Create and return a string containing a client-auth entry. It's the
686 * responsibility of the caller to free the returned string. This function
687 * will never fail. */
690 {
693 /* We are gonna fill these arrays with base64 data. They are all double
694 * the size of their binary representation to fit the base64 overhead. */
699 #define ASSERT_AND_BASE64(field) STMT_BEGIN \
700 tor_assert(!fast_mem_is_zero((char *) client->field, \
701 sizeof(client->field))); \
702 ret = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
703 client->field, sizeof(client->field)); \
704 tor_assert(ret > 0); \
705 STMT_END
711 /* Build the final string */
715 #undef ASSERT_AND_BASE64
718 }
720 /** Create the "client-auth" part of the descriptor and return a
721 * newly-allocated string with it. It's the responsibility of the caller to
722 * free the returned string. */
725 {
735 /* Make a line for each client */
745 /* Join all lines together to form final string */
748 /* Cleanup the mess */
753 }
755 /** Create the inner layer of the descriptor (which includes the intro points,
756 * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
757 * an error occurred. It's the responsibility of the caller to free the
758 * returned string. */
761 {
765 /* Build the start of the section prior to the introduction points. */
766 {
770 }
772 ONION_HANDSHAKE_TYPE_NTOR);
774 #ifdef TOR_UNIT_TESTS
778 }
779 #endif
783 /* Put the authentication-required line. */
788 }
792 }
795 /* Add flow control line into the descriptor. */
799 }
801 /* Add PoW parameters if present. */
803 /* Base64 the seed */
809 /* Return length doesn't count the NUL byte. */
812 /* Convert the expiration time to space-less ISO format. */
817 /* Add "pow-params" line to descriptor encoding. */
820 seed_b64,
822 time_buf);
824 }
825 }
827 /* Build the introduction point(s) section. */
831 ip);
835 }
839 /* Build the entire encrypted data section into one encoded plaintext and
840 * then encrypt it. */
843 err:
848 }
850 /** Create the middle layer of the descriptor, which includes the client auth
851 * data and the encrypted inner layer (provided as a base64 string at
852 * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
853 * layer plaintext. It's the responsibility of the caller to free the returned
854 * string. Can not fail. */
858 {
862 /* Specify auth type */
871 CURVE25519_PUBKEY_LEN));
878 }
884 }
886 /* create encrypted section */
887 {
891 "%s"
894 }
898 /* We need to memwipe all lines because it contains the ephemeral key */
904 }
906 /** Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
907 * returning it. <b>desc</b> is provided to derive the encryption
908 * keys. <b>secret_data</b> is also proved to derive the encryption keys.
909 * <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
910 * middle (superencrypted) layer of the descriptor. It's the responsibility of
911 * the caller to free the returned string. */
918 {
925 is_superencrypted_layer);
926 /* Get the encoded size plus a NUL terminating byte. */
929 /* Base64 the encrypted blob before returning it. */
931 BASE64_ENCODE_MULTILINE);
932 /* Return length doesn't count the NUL byte. */
937 }
939 /** Generate the secret data which is used to encrypt/decrypt the descriptor.
940 *
941 * SECRET_DATA = blinded-public-key
942 * SECRET_DATA = blinded-public-key | descriptor_cookie
943 *
944 * The descriptor_cookie is optional but if it exists, it must be at least
945 * HS_DESC_DESCRIPTOR_COOKIE_LEN bytes long.
946 *
947 * A newly allocated secret data is put in secret_data_out. Return the
948 * length of the secret data. This function cannot fail. */
949 static size_t
953 {
961 /* If the descriptor cookie is present, we need both the blinded
962 * pubkey and the descriptor cookie as a secret data. */
968 ED25519_PUBKEY_LEN);
970 descriptor_cookie,
971 HS_DESC_DESCRIPTOR_COOKIE_LEN);
973 /* If the descriptor cookie is not present, we need only the blinded
974 * pubkey as a secret data. */
979 ED25519_PUBKEY_LEN);
980 }
984 }
986 /** Generate and encode the superencrypted portion of <b>desc</b>. This also
987 * involves generating the encrypted portion of the descriptor, and performing
988 * the superencryption. A newly allocated NUL-terminated string pointer
989 * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
990 * on success else a negative value. */
991 static int
995 {
1007 /* Func logic: We first create the inner layer of the descriptor (layer2).
1008 * We then encrypt it and use it to create the middle layer of the descriptor
1009 * (layer1). Finally we superencrypt the middle layer and return it to our
1010 * caller. */
1012 /* Create inner descriptor layer */
1016 }
1019 descriptor_cookie,
1022 /* Encrypt and b64 the inner layer */
1023 layer2_b64_ciphertext =
1028 }
1030 /* Now create middle descriptor layer given the inner layer */
1034 }
1036 /* Encrypt and base64 the middle layer */
1037 layer1_b64_ciphertext =
1040 ED25519_PUBKEY_LEN,
1044 }
1046 /* Success! */
1049 err:
1058 }
1060 /** Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
1061 * newly allocated string of the encoded descriptor. On error, -1 is returned
1062 * and encoded_out is untouched. */
1063 static int
1068 {
1079 /* Build the non-encrypted values. */
1080 {
1082 /* Encode certificate then create the first line of the descriptor. */
1088 }
1091 /* The function will print error logs. */
1093 }
1094 /* Create the hs descriptor line. */
1097 /* Add the descriptor lifetime line (in minutes). */
1100 /* Create the descriptor certificate line. */
1103 /* Create the revision counter line. */
1106 }
1108 /* Build the superencrypted data section. */
1109 {
1114 }
1118 "%s"
1122 }
1124 /* Join all lines in one string so we can generate a signature and append
1125 * it to the descriptor. */
1128 /* Sign all fields of the descriptor with our short term signing key. */
1129 {
1130 ed25519_signature_t sig;
1138 }
1140 /* Create the signature line. */
1142 }
1143 /* Free previous string that we used so compute the signature. */
1153 }
1155 /* XXX: Trigger a control port event. */
1157 /* Success! */
1160 err:
1164 }
1166 /* === DECODING === */
1168 /** Given the token tok for an auth client, decode it as
1169 * hs_desc_authorized_client_t. tok->args MUST contain at least 3 elements
1170 * Return 0 on success else -1 on failure. */
1171 static int
1174 {
1185 }
1190 }
1196 }
1198 /* Success. */
1200 done:
1202 }
1204 /** Given an encoded string of the link specifiers, return a newly allocated
1205 * list of decoded link specifiers. Return NULL on error. */
1206 STATIC smartlist_t *
1208 {
1220 encoded_len);
1223 }
1228 }
1236 }
1240 }
1242 }
1245 err:
1251 }
1252 done:
1256 }
1258 /** Given a list of authentication types, decode it and put it in the encrypted
1259 * data section. Return 1 if we at least know one of the type or 0 if we know
1260 * none of them. */
1261 static int
1263 {
1272 /* Validate the types that we at least know about one. */
1279 }
1280 }
1284 }
1286 /** Parse a space-delimited list of integers representing CREATE2 formats into
1287 * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
1288 static void
1290 {
1305 }
1311 /* We deliberately ignore unsupported handshake types */
1313 }
1318 }
1320 /** Given a certificate, validate the certificate for certain conditions which
1321 * are if the given type matches the cert's one, if the signing key is
1322 * included and if the that key was actually used to sign the certificate.
1323 *
1324 * Return 1 iff if all conditions pass or 0 if one of them fails. */
1325 STATIC int
1327 {
1333 }
1336 log_obj_type);
1338 }
1339 /* All certificate must have its signing key included. */
1343 }
1345 /* The following will not only check if the signature matches but also the
1346 * expiration date and overall validity. */
1353 expiration_str);
1357 }
1359 }
1362 err:
1364 }
1366 /** Given some binary data, try to parse it to get a certificate object. If we
1367 * have a valid cert, validate it using the given wanted type. On error, print
1368 * a log using the err_msg has the certificate identifier adding semantic to
1369 * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
1370 * points to a newly allocated certificate object. */
1371 static int
1375 {
1382 /* Parse certificate. */
1387 }
1389 /* Validate certificate. */
1392 }
1397 err:
1401 }
1403 /** Return true iff the given length of the encrypted data of a descriptor
1404 * passes validation. */
1405 STATIC int
1407 {
1408 /* Make sure there is enough data for the salt and the mac. The equality is
1409 there to ensure that there is at least one byte of encrypted data. */
1415 }
1418 err:
1420 }
1422 /** Build the KEYS component for the authorized client computation. The format
1423 * of the construction is:
1424 *
1425 * SECRET_SEED = x25519(sk, pk)
1426 * KEYS = KDF(subcredential | SECRET_SEED, 40)
1427 *
1428 * Set the <b>keys_out</b> argument to point to the buffer containing the KEYS,
1429 * and return the buffer's length. The caller should wipe and free its content
1430 * once done with it. This function can't fail. */
1431 static size_t
1436 {
1449 /* Calculate x25519(sk, pk) to get the secret seed. */
1452 /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
1463 }
1465 /** Decrypt the descriptor cookie given the descriptor, the auth client,
1466 * and the client secret key. On success, return 0 and a newly allocated
1467 * descriptor cookie descriptor_cookie_out. On error or if the client id
1468 * is invalid, return -1 and descriptor_cookie_out is set to
1469 * NULL. */
1470 static int
1475 {
1490 DIGEST256_LEN));
1492 /* Catch potential code-flow cases of an uninitialized private key sneaking
1493 * into this function. */
1496 }
1498 /* Get the KEYS component to derive the CLIENT-ID and COOKIE-KEY. */
1499 keystream_length =
1501 client_auth_sk,
1506 /* If the client id of auth client is not the same as the calculcated
1507 * client id, it means that this auth client is invalid according to the
1508 * client secret key client_auth_sk. */
1511 }
1514 /* This creates a cipher for AES. It can't fail. */
1516 HS_DESC_COOKIE_KEY_BIT_SIZE);
1518 /* This can't fail. */
1523 /* Success. */
1525 done:
1529 }
1533 }
1535 /** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
1536 * <b>encrypted_blob_size</b>. The descriptor cookie is optional. Use
1537 * the descriptor object <b>desc</b> and <b>descriptor_cookie</b>
1538 * to generate the right decryption keys; set <b>decrypted_out</b> to
1539 * the plaintext. If <b>is_superencrypted_layer</b> is set, this is
1540 * the outer encrypted layer of the descriptor.
1541 *
1542 * On any error case, including an empty output, return 0 and set
1543 * *<b>decrypted_out</b> to NULL.
1544 */
1550 {
1569 /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
1570 * Make sure we have enough space for all these things. */
1573 }
1575 /* Start of the blob thus the salt. */
1578 /* Next is the encrypted data. */
1584 /* And last comes the MAC. */
1587 /* Build secret data to be used in the decryption. */
1589 descriptor_cookie,
1592 /* KDF construction resulting in a key from which the secret key, IV and MAC
1593 * key are extracted which is what we need for the decryption. */
1599 is_superencrypted_layer);
1601 /* Build MAC. */
1605 /* Verify MAC; MAC is H(mac_key || salt || encrypted)
1606 *
1607 * This is a critical check that is making sure the computed MAC matches the
1608 * one in the descriptor. */
1612 }
1614 {
1615 /* Decrypt. Here we are assured that the encrypted length is valid for
1616 * decryption. */
1620 HS_DESC_ENCRYPTED_BIT_SIZE);
1621 /* Extra byte for the NUL terminated byte. */
1626 }
1628 {
1629 /* Adjust length to remove NUL padding bytes */
1634 }
1635 }
1638 /* Treat this as an error, so that somebody will free the output. */
1640 }
1642 /* Make sure to NUL terminate the string. */
1647 err:
1650 }
1654 done:
1660 }
1662 /** Decrypt the superencrypted section of the descriptor using the given
1663 * descriptor object <b>desc</b>. A newly allocated NUL terminated string is
1664 * put in decrypted_out which contains the superencrypted layer of the
1665 * descriptor. Return the length of decrypted_out on success else 0 is
1666 * returned and decrypted_out is set to NULL. */
1669 {
1677 NULL,
1683 }
1686 done:
1687 /* In case of error, superencrypted_plaintext is already NULL, so the
1688 * following line makes sense. */
1690 /* This makes sense too, because, in case of error, this is zero. */
1692 }
1694 /** Decrypt the encrypted section of the descriptor using the given descriptor
1695 * object <b>desc</b>. A newly allocated NUL terminated string is put in
1696 * decrypted_out which contains the encrypted layer of the descriptor.
1697 * Return the length of decrypted_out on success else 0 is returned and
1698 * decrypted_out is set to NULL. */
1703 {
1712 /* If the client secret key is provided, try to find a valid descriptor
1713 * cookie. Otherwise, leave it NULL. */
1717 /* If we can decrypt the descriptor cookie successfully, we will use that
1718 * descriptor cookie and break from the loop. */
1722 }
1724 }
1727 descriptor_cookie,
1732 }
1735 err:
1736 /* In case of error, encrypted_plaintext is already NULL, so the
1737 * following line makes sense. */
1741 }
1743 /* This makes sense too, because, in case of error, this is zero. */
1745 }
1747 /** Given the token tok for an intro point legacy key, the list of tokens, the
1748 * introduction point ip being decoded and the descriptor desc from which it
1749 * comes from, decode the legacy key and set the intro point object. Return 0
1750 * on success else -1 on failure. */
1751 static int
1756 {
1765 }
1767 /* Extract the legacy cross certification cert which MUST be present if we
1768 * have a legacy key. */
1773 }
1776 /* Info level because this might be an unknown field that we should
1777 * ignore. */
1781 }
1782 /* Keep a copy of the certificate. */
1785 /* The check on the expiration date is for the entire lifetime of a
1786 * certificate which is 24 hours. However, a descriptor has a maximum
1787 * lifetime of 12 hours meaning we have a 12h difference between the two
1788 * which ultimately accommodate the clock skewed client. */
1797 }
1799 /* Success. */
1801 err:
1803 }
1805 /** Dig into the descriptor <b>tokens</b> to find the onion key we should use
1806 * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
1807 * was found and well-formed, otherwise return -1 in case of errors. */
1808 static int
1811 {
1821 }
1824 /* This field is using GE(2) so for possible forward compatibility, we
1825 * accept more fields but must be at least 2. */
1828 /* Try to find an ntor key, it's the only recognized type right now */
1833 }
1834 /* Got the onion key! Set the appropriate retval */
1836 }
1839 /* Log an error if we didn't find it :( */
1842 }
1844 err:
1847 }
1849 /** Given the start of a section and the end of it, decode a single
1850 * introduction point from that section. Return a newly allocated introduction
1851 * point object containing the decoded data. Return NULL if the section can't
1852 * be decoded. */
1853 STATIC hs_desc_intro_point_t *
1855 {
1870 }
1872 /* Ok we seem to have a well formed section containing enough tokens to
1873 * parse. Allocate our IP object and try to populate it. */
1876 /* "introduction-point" SP link-specifiers NL */
1879 /* Our constructor creates this list by default so free it. */
1885 }
1887 /* "onion-key" SP ntor SP key NL */
1890 }
1892 /* "auth-key" NL certificate NL */
1898 }
1899 /* Parse cert and do some validation. */
1904 }
1905 /* Validate authentication certificate with descriptor signing key. */
1911 }
1913 /* Exactly one "enc-key" SP "ntor" SP key NL */
1916 /* This field is using GE(2) so for possible forward compatibility, we
1917 * accept more fields but must be at least 2. */
1923 }
1925 /* Unknown key type so we can't use that introduction point. */
1928 }
1930 /* Exactly once "enc-key-cert" NL certificate NL */
1933 /* Do the cross certification. */
1938 }
1943 }
1949 }
1950 /* It is successfully cross certified. Flag the object. */
1953 /* Do we have a "legacy-key" SP key NL ?*/
1958 }
1959 }
1961 /* Introduction point has been parsed successfully. */
1964 err:
1968 done:
1973 }
1976 }
1978 /** Given a descriptor string at <b>data</b>, decode all possible introduction
1979 * points that we can find. Add the introduction point object to desc_enc as we
1980 * find them. This function can't fail and it is possible that zero
1981 * introduction points can be decoded. */
1982 static void
1986 {
1995 /* Take the desc string, and extract the intro point substrings out of it */
1996 {
1997 /* Split the descriptor string using the intro point header as delimiter */
2000 /* Check if there are actually any intro points included. The first chunk
2001 * should be other descriptor fields (e.g. create2-formats), so it's not an
2002 * intro point. */
2005 }
2006 }
2008 /* Take the intro point substrings, and prepare them for parsing */
2009 {
2011 /* Prepend the introduction-point header to all the chunks, since
2012 smartlist_split_string() devoured it. */
2014 /* Ignore first chunk. It's other descriptor fields. */
2017 }
2021 }
2023 /* Parse the intro points! */
2027 /* Malformed introduction point section. We'll ignore this introduction
2028 * point and continue parsing. New or unknown fields are possible for
2029 * forward compatibility. */
2031 }
2035 done:
2040 }
2042 /** Return 1 iff the given base64 encoded signature in b64_sig from the encoded
2043 * descriptor in encoded_desc validates the descriptor content. */
2044 STATIC int
2048 {
2050 ed25519_signature_t sig;
2056 /* Verifying nothing won't end well :). */
2059 /* Signature length check. */
2065 }
2067 /* First, convert base64 blob to an ed25519 signature. */
2072 }
2074 /* Find the start of signature. */
2076 /* Getting here means the token parsing worked for the signature so if we
2077 * can't find the start of the signature, we have a code flow issue. */
2081 }
2082 /* Skip newline, it has to go in the signature check. */
2083 sig_start++;
2085 /* Validate signature with the full body of the descriptor. */
2089 str_desc_sig_prefix,
2093 }
2094 /* Valid signature! All is good. */
2097 err:
2099 }
2101 /** Given the token tok for PoW params, decode it as hs_pow_desc_params_t.
2102 * tok->args MUST contain at least 4 elements Return 0 on success else -1 on
2103 * failure. */
2104 static int
2107 {
2114 /* Find the type of PoW system being used. */
2122 }
2123 }
2127 }
2135 }
2144 }
2147 /* Parse the expiration time of the PoW params. */
2153 }
2154 /* Validation of this time is done in client_desc_has_arrived() so we can
2155 * trigger a fetch if expired. */
2158 /* Success. */
2161 done:
2163 }
2165 /** Decode descriptor plaintext data for version 3. Given a list of tokens, an
2166 * allocated plaintext object that will be populated and the encoded
2167 * descriptor with its length. The last one is needed for signature
2168 * verification. Unknown tokens are simply ignored so this won't error on
2169 * unknowns but requires that all v3 token be present and valid.
2170 *
2171 * Return 0 on success else a negative value. */
2172 static hs_desc_decode_status_t
2176 {
2182 /* Version higher could still use this function to decode most of the
2183 * descriptor and then they decode the extra part. */
2186 /* Descriptor lifetime parsing. */
2194 }
2195 /* Put it from minute to second. */
2202 }
2204 /* Descriptor signing certificate. */
2207 /* Expecting a prop220 cert with the signing key extension, which contains
2208 * the blinded public key. */
2213 }
2218 }
2220 /* Copy the public keys into signing_pubkey and blinded_pubkey */
2226 /* Extract revision counter value. */
2234 }
2236 /* Extract the superencrypted data section. */
2242 }
2243 /* Make sure the length of the superencrypted blob is valid. */
2246 }
2248 /* Copy the superencrypted blob to the descriptor object so we can handle it
2249 * latter if needed. */
2253 /* Extract signature and verify it. */
2256 /* First arg here is the actual encoded signature. */
2260 }
2263 err:
2265 }
2267 /** Decode the version 3 superencrypted section of the given descriptor desc.
2268 * The desc_superencrypted_out will be populated with the decoded data. */
2269 STATIC hs_desc_decode_status_t
2271 hs_desc_superencrypted_data_t *
2272 desc_superencrypted_out)
2273 {
2280 /* Rename the parameter because it is too long. */
2286 /* Decrypt the superencrypted data that is located in the plaintext section
2287 * in the descriptor as a blob of bytes. */
2292 }
2301 }
2303 /* Verify desc auth type */
2309 }
2311 /* Extract desc auth ephemeral key */
2318 }
2320 /* Extract desc auth client items */
2323 }
2336 }
2338 }
2341 /* Extract the encrypted data section. */
2347 }
2348 /* Make sure the length of the encrypted blob is valid. */
2351 }
2353 /* Copy the encrypted blob to the descriptor object so we can handle it
2354 * latter if needed. */
2363 err:
2367 done:
2371 }
2374 }
2377 }
2379 }
2381 /** Decode the version 3 encrypted section of the given descriptor desc. The
2382 * desc_encrypted_out will be populated with the decoded data. */
2383 STATIC hs_desc_decode_status_t
2387 {
2398 /* Decrypt the encrypted data that is located in the superencrypted section
2399 * in the descriptor as a blob of bytes. */
2402 /* Two possible situation here. Either we have a client authorization
2403 * configured that didn't work or we do not have any configured for this
2404 * onion address so likely the descriptor is for authorized client only,
2405 * we are not. */
2407 /* At warning level so the client can notice that its client
2408 * authorization is failing. */
2413 /* Inform at notice level that the onion address requested can't be
2414 * reached without client authorization most likely. */
2416 "address. It is likely requiring client "
2419 }
2421 }
2430 }
2432 /* CREATE2 supported cell format. It's mandatory. */
2436 /* Must support ntor according to the specification */
2440 }
2442 /* Authentication type. It's optional but only once. */
2450 }
2451 }
2453 /* Is this service a single onion service? */
2457 }
2459 /* Get flow control if any. */
2472 }
2474 }
2476 /* Get PoW if any. */
2484 }
2486 }
2488 /* Initialize the descriptor's introduction point list before we start
2489 * decoding. Having 0 intro point is valid. Then decode them all. */
2493 /* Validation of maximum introduction points allowed. */
2495 HS_CONFIG_V3_MAX_INTRO_POINTS) {
2498 HS_CONFIG_V3_MAX_INTRO_POINTS,
2501 }
2503 /* NOTE: Unknown fields are allowed because this function could be used to
2504 * decode other descriptor version. */
2509 err:
2513 done:
2517 }
2520 }
2523 }
2525 }
2527 /** Table of encrypted decode function version specific. The function are
2528 * indexed by the version number so v3 callback is at index 3 in the array. */
2529 static hs_desc_decode_status_t
2534 {
2536 desc_decode_encrypted_v3,
2537 };
2539 /** Decode the encrypted data section of the given descriptor and store the
2540 * data in the given encrypted data object. Return 0 on success else a
2541 * negative value on error. */
2542 hs_desc_decode_status_t
2546 {
2551 /* Ease our life a bit. */
2554 /* Calling this function without an encrypted blob to parse is a code flow
2555 * error. The superencrypted parsing should never succeed in the first place
2556 * without an encrypted section. */
2558 /* Let's make sure we have a supported version as well. By correctly parsing
2559 * the plaintext, this should not fail. */
2562 }
2563 /* Extra precaution. Having no handler for the supported version should
2564 * never happened else we forgot to add it but we bumped the version. */
2568 /* Run the version specific plaintext decoder. */
2570 desc_encrypted);
2573 }
2575 err:
2577 }
2579 /** Table of superencrypted decode function version specific. The function are
2580 * indexed by the version number so v3 callback is at index 3 in the array. */
2581 static hs_desc_decode_status_t
2585 {
2587 desc_decode_superencrypted_v3,
2588 };
2590 /** Decode the superencrypted data section of the given descriptor and store
2591 * the data in the given superencrypted data object. */
2592 hs_desc_decode_status_t
2594 hs_desc_superencrypted_data_t *
2595 desc_superencrypted)
2596 {
2601 /* Ease our life a bit. */
2604 /* Calling this function without an superencrypted blob to parse is
2605 * a code flow error. The plaintext parsing should never succeed in
2606 * the first place without an superencrypted section. */
2608 /* Let's make sure we have a supported version as well. By correctly parsing
2609 * the plaintext, this should not fail. */
2612 }
2613 /* Extra precaution. Having no handler for the supported version should
2614 * never happened else we forgot to add it but we bumped the version. */
2618 /* Run the version specific plaintext decoder. */
2622 }
2624 err:
2626 }
2628 /** Table of plaintext decode function version specific. The function are
2629 * indexed by the version number so v3 callback is at index 3 in the array. */
2630 static hs_desc_decode_status_t
2636 {
2638 desc_decode_plaintext_v3,
2639 };
2641 /** Fully decode the given descriptor plaintext and store the data in the
2642 * plaintext data object. */
2643 hs_desc_decode_status_t
2646 {
2657 /* Check that descriptor is within size limits. */
2663 }
2667 /* Tokenize the descriptor so we can start to parse it. */
2672 }
2674 /* Get the version of the descriptor which is the first mandatory field of
2675 * the descriptor. From there, we'll decode the right descriptor version. */
2684 }
2689 }
2690 /* Extra precaution. Having no handler for the supported version should
2691 * never happened else we forgot to add it but we bumped the version. */
2695 /* Run the version specific plaintext decoder. */
2700 }
2701 /* Success. Descriptor has been populated with the data. */
2704 err:
2708 }
2711 }
2713 }
2715 /** Fully decode an encoded descriptor and set a newly allocated descriptor
2716 * object in desc_out. Client secret key is used to decrypt the "encrypted"
2717 * section if not NULL else it's ignored.
2718 *
2719 * Return 0 on success. A negative value is returned on error and desc_out is
2720 * set to NULL. */
2721 hs_desc_decode_status_t
2726 {
2734 /* Subcredentials are not optional. */
2739 }
2746 }
2751 }
2756 }
2762 }
2765 err:
2769 }
2773 }
2775 /** Table of encode function version specific. The functions are indexed by the
2776 * version number so v3 callback is at index 3 in the array. */
2777 static int
2783 {
2785 desc_encode_v3,
2786 };
2788 /** Encode the given descriptor desc including signing with the given key pair
2789 * signing_kp and encrypting with the given descriptor cookie.
2790 *
2791 * If the client authorization is enabled, descriptor_cookie must be the same
2792 * as the one used to build hs_desc_authorized_client_t in the descriptor.
2793 * Otherwise, it must be NULL. On success, encoded_out points to a newly
2794 * allocated NUL terminated string that contains the encoded descriptor as
2795 * a string.
2796 *
2797 * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
2798 * returned and encoded_out is set to NULL. */
2804 {
2811 /* Make sure we support the version of the descriptor format. */
2815 }
2816 /* Extra precaution. Having no handler for the supported version should
2817 * never happened else we forgot to add it but we bumped the version. */
2825 }
2827 /* Try to decode what we just encoded. Symmetry is nice!, but it is
2828 * symmetric only if the client auth is disabled (That is, the descriptor
2829 * cookie will be NULL) and the test-only mock plaintext isn't in use. */
2831 #ifdef TOR_UNIT_TESTS
2834 }
2835 #endif
2842 }
2843 }
2847 err:
2850 }
2852 /** Free the content of the plaintext section of a descriptor. */
2853 void
2855 {
2858 }
2862 }
2866 }
2868 /** Free the content of the superencrypted section of a descriptor. */
2869 void
2871 {
2874 }
2878 }
2883 }
2886 }
2888 /** Free the content of the encrypted section of a descriptor. */
2889 void
2891 {
2894 }
2899 }
2904 }
2908 }
2910 /** Free the descriptor plaintext data object. */
2911 void
2913 {
2916 }
2918 /** Free the descriptor plaintext data object. */
2919 void
2921 {
2924 }
2926 /** Free the descriptor encrypted data object. */
2927 void
2929 {
2932 }
2934 /** Free the given descriptor object. */
2935 void
2937 {
2940 }
2946 }
2948 /** Return the size in bytes of the given plaintext data object. A sizeof() is
2949 * not enough because the object contains pointers and the encrypted blob.
2950 * This is particularly useful for our OOM subsystem that tracks the HSDir
2951 * cache size for instance. */
2952 size_t
2954 {
2958 }
2960 /** Return the size in bytes of the given encrypted data object. Used by OOM
2961 * subsystem. */
2962 static size_t
2964 {
2968 intro_size +=
2970 }
2972 /* XXX could follow pointers here and get more accurate size */
2973 intro_size +=
2975 }
2978 }
2980 /** Return the size in bytes of the given descriptor object. Used by OOM
2981 * subsystem. */
2982 size_t
2984 {
2987 }
2991 }
2993 /** Return a newly allocated descriptor intro point. */
2994 hs_desc_intro_point_t *
2996 {
3000 }
3002 /** Free a descriptor intro point object. */
3003 void
3005 {
3008 }
3013 }
3019 }
3021 /** Allocate and build a new fake client info for the descriptor. Return a
3022 * newly allocated object. This can't fail. */
3023 hs_desc_authorized_client_t *
3025 {
3037 }
3039 /** Using the service's subcredential, client public key, auth ephemeral secret
3040 * key, and descriptor cookie, build the auth client so we can then encode the
3041 * descriptor for publication. client_out must be already allocated. */
3042 void
3046 auth_ephemeral_sk,
3049 {
3065 HS_DESC_DESCRIPTOR_COOKIE_LEN));
3067 DIGEST256_LEN));
3069 /* Get the KEYS part so we can derive the CLIENT-ID and COOKIE-KEY. */
3070 keystream_length =
3076 /* Extract the CLIENT-ID and COOKIE-KEY from the KEYS. */
3080 /* Random IV */
3083 /* This creates a cipher for AES. It can't fail. */
3085 HS_DESC_COOKIE_KEY_BIT_SIZE);
3086 /* This can't fail. */
3089 HS_DESC_DESCRIPTOR_COOKIE_LEN);
3095 }
3097 /** Free an authoriezd client object. */
3098 void
3100 {
3102 }
3104 /** From the given descriptor, remove and free every introduction point. */
3105 void
3107 {
3117 }
3118 }
3120 /** Return true iff we support the given descriptor congestion control
3121 * parameters. */
3122 bool
3124 {
3127 /* Validate that we support the protocol version in the descriptor. */
3131 }