| blob | 1708866944e47f2b65816ee60a07c18ffe63714f |
1 /* Copyright (c) 2016-2017, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file hs_descriptor.c
6 * \brief Handle hidden service descriptor encoding/decoding.
7 *
8 * \details
9 * Here is a graphical depiction of an HS descriptor and its layers:
10 *
11 * +------------------------------------------------------+
12 * |DESCRIPTOR HEADER: |
13 * | hs-descriptor 3 |
14 * | descriptor-lifetime 180 |
15 * | ... |
16 * | superencrypted |
17 * |+---------------------------------------------------+ |
18 * ||SUPERENCRYPTED LAYER (aka OUTER ENCRYPTED LAYER): | |
19 * || desc-auth-type x25519 | |
20 * || desc-auth-ephemeral-key | |
21 * || auth-client | |
22 * || auth-client | |
23 * || ... | |
24 * || encrypted | |
25 * ||+-------------------------------------------------+| |
26 * |||ENCRYPTED LAYER (aka INNER ENCRYPTED LAYER): || |
27 * ||| create2-formats || |
28 * ||| intro-auth-required || |
29 * ||| introduction-point || |
30 * ||| introduction-point || |
31 * ||| ... || |
32 * ||+-------------------------------------------------+| |
33 * |+---------------------------------------------------+ |
34 * +------------------------------------------------------+
35 *
36 * The DESCRIPTOR HEADER section is completely unencrypted and contains generic
37 * descriptor metadata.
38 *
39 * The SUPERENCRYPTED LAYER section is the first layer of encryption, and it's
40 * encrypted using the blinded public key of the hidden service to protect
41 * against entities who don't know its onion address. The clients of the hidden
42 * service know its onion address and blinded public key, whereas third-parties
43 * (like HSDirs) don't know it (except if it's a public hidden service).
44 *
45 * The ENCRYPTED LAYER section is the second layer of encryption, and it's
46 * encrypted using the client authorization key material (if those exist). When
47 * client authorization is enabled, this second layer of encryption protects
48 * the descriptor content from unauthorized entities. If client authorization
49 * is disabled, this second layer of encryption does not provide any extra
50 * security but is still present. The plaintext of this layer contains all the
51 * information required to connect to the hidden service like its list of
52 * introduction points.
53 **/
55 /* For unit tests.*/
56 #define HS_DESCRIPTOR_PRIVATE
68 /* Constant string value used for the descriptor format. */
76 /* Constant string value for the encrypted part of the descriptor. */
88 /* Constant string value for the construction to encrypt the encrypted data
89 * section. */
92 /* Prefix required to compute/verify HS desc signatures */
99 /* Authentication supported types. */
101 hs_desc_auth_type_t type;
105 /* Indicate end of array. */
107 };
109 /* Descriptor ruleset. */
117 END_OF_TABLE
118 };
120 /* Descriptor ruleset for the superencrypted section. */
126 END_OF_TABLE
127 };
129 /* Descriptor ruleset for the encrypted section. */
134 END_OF_TABLE
135 };
137 /* Descriptor ruleset for the introduction points section. */
146 END_OF_TABLE
147 };
149 /* Free the content of the plaintext section of a descriptor. */
150 STATIC void
152 {
155 }
159 }
163 }
165 /* Free the content of the encrypted section of a descriptor. */
166 static void
168 {
171 }
176 }
181 }
183 }
185 /* Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
186 * We use SHA3-256 for the MAC computation.
187 * This function can't fail. */
188 static void
193 {
205 /* As specified in section 2.5 of proposal 224, first add the mac key
206 * then add the salt first and then the encrypted section. */
215 }
217 /* Using a given decriptor object, build the secret input needed for the
218 * KDF and put it in the dst pointer which is an already allocated buffer
219 * of size dstlen. */
220 static void
222 {
229 /* XXX use the destination length as the memcpy length */
230 /* Copy blinded public key. */
234 /* Copy subcredential. */
237 /* Copy revision counter value. */
241 }
243 /* Do the KDF construction and put the resulting data in key_out which is of
244 * key_out_len length. It uses SHAKE-256 as specified in the spec. */
245 static void
250 {
258 /* Build the secret input for the KDF computation. */
262 /* Feed our KDF. [SHAKE it like a polaroid picture --Yawning]. */
266 /* Feed in the right string constant based on the desc layer */
273 }
275 /* Eat from our KDF. */
279 }
281 /* Using the given descriptor and salt, run it through our KDF function and
282 * then extract a secret key in key_out, the IV in iv_out and MAC in mac_out.
283 * This function can't fail. */
284 static void
291 {
302 is_superencrypted_layer);
303 /* Copy the bytes we need for both the secret key and IV. */
309 /* Extra precaution to make sure we are not out of bound. */
312 }
314 /* === ENCODING === */
316 /* Encode the given link specifier objects into a newly allocated string.
317 * This can't fail so caller can always assume a valid string being
318 * returned. */
321 {
326 /* No link specifiers is a code flow error, can't happen. */
333 spec) {
337 }
340 {
350 /* Base64 encode our binary format. Add extra NUL byte for the base64
351 * encoded value. */
358 }
362 }
364 /* Encode an introduction point legacy key and certificate. Return a newly
365 * allocated string with it. On failure, return NULL. */
368 {
374 /* Encode cross cert. */
380 }
381 /* Convert the encryption key to PEM format NUL terminated. */
386 }
391 "%s"
397 done:
399 }
401 /* Encode an introduction point encryption key and certificate. Return a newly
402 * allocated string with it. On failure, return NULL. */
405 {
411 /* Base64 encode the encryption key for the "enc-key" field. */
414 }
417 }
425 done:
427 }
429 /* Encode an introduction point onion key. Return a newly allocated string
430 * with it. On failure, return NULL. */
433 {
439 /* Base64 encode the encryption key for the "onion-key" field. */
442 }
445 done:
447 }
449 /* Encode an introduction point object and return a newly allocated string
450 * with it. On failure, return NULL. */
454 {
461 /* Encode link specifier. */
462 {
466 }
468 /* Onion key encoding. */
469 {
473 }
476 }
478 /* Authentication key encoding. */
479 {
483 }
486 }
488 /* Encryption key encoding. */
489 {
493 }
496 }
498 /* Legacy key if any. */
500 /* Strong requirement else the IP creation was badly done. */
505 }
508 }
510 /* Join them all in one blob of text. */
513 err:
517 }
519 /* Given a source length, return the new size including padding for the
520 * plaintext encryption. */
521 static size_t
523 {
527 /* Make sure we won't overflow. */
530 /* Get the extra length we need to add. For example, if srclen is 10200
531 * bytes, this will expand to (2 * 10k) == 20k thus an extra 9800 bytes. */
533 padding_block_length;
534 /* Can never be extra careful. Make sure we are _really_ padded. */
537 }
539 /* Given a buffer, pad it up to the encrypted section padding requirement. Set
540 * the newly allocated string in padded_out and return the length of the
541 * padded buffer. */
542 STATIC size_t
545 {
552 /* Allocate the final length including padding. */
560 }
562 /* Using a key, IV and plaintext data of length plaintext_len, create the
563 * encrypted section by encrypting it and setting encrypted_out with the
564 * data. Return size of the encrypted data buffer. */
565 static size_t
569 {
579 /* If we are encrypting the middle layer of the descriptor, we need to first
580 pad the plaintext */
584 /* Extra precautions that we have a valid padding length. */
589 }
591 /* This creates a cipher for AES. It can't fail. */
593 HS_DESC_ENCRYPTED_BIT_SIZE);
594 /* We use a stream cipher so the encrypted length will be the same as the
595 * plaintext padded length. */
597 /* This can't fail. */
601 /* Cleanup. */
605 }
607 /* Encrypt the given <b>plaintext</b> buffer using <b>desc</b> to get the
608 * keys. Set encrypted_out with the encrypted data and return the length of
609 * it. <b>is_superencrypted_layer</b> is set if this is the outer encrypted
610 * layer of the descriptor. */
611 static size_t
614 {
626 /* Get our salt. The returned bytes are already hashed. */
629 /* KDF construction resulting in a key from which the secret key, IV and MAC
630 * key are extracted which is what we need for the encryption. */
635 is_superencrypted_layer);
637 /* Build the encrypted part that is do the actual encryption. */
640 is_superencrypted_layer);
643 /* This construction is specified in section 2.5 of proposal 224. */
647 /* Build the MAC. */
652 /* The salt is the first value. */
655 /* Second value is the encrypted data. */
658 /* Third value is the MAC. */
661 /* Cleanup the buffers. */
665 /* Extra precaution. */
670 }
672 /* Create and return a string containing a fake client-auth entry. It's the
673 * responsibility of the caller to free the returned string. This function will
674 * never fail. */
677 {
679 /* We are gonna fill these arrays with fake base64 data. They are all double
680 * the size of their binary representation to fit the base64 overhead. */
686 /* This is a macro to fill a field with random data and then base64 it. */
687 #define FILL_WITH_FAKE_DATA_AND_BASE64(field) STMT_BEGIN \
688 crypto_rand((char *)field, sizeof(field)); \
689 retval = base64_encode_nopad(field##_b64, sizeof(field##_b64), \
690 field, sizeof(field)); \
691 tor_assert(retval > 0); \
692 STMT_END
702 }
704 /* Build the final string */
708 #undef FILL_WITH_FAKE_DATA_AND_BASE64
711 }
713 /** How many lines of "client-auth" we want in our descriptors; fake or not. */
714 #define CLIENT_AUTH_ENTRIES_BLOCK_SIZE 16
716 /** Create the "client-auth" part of the descriptor and return a
717 * newly-allocated string with it. It's the responsibility of the caller to
718 * free the returned string. */
721 {
722 /* XXX: Client authorization is still not implemented, so all this function
723 does is make fake clients */
728 /* Make a line for each fake client */
734 }
736 /* Join all lines together to form final string */
739 /* Cleanup the mess */
744 }
746 /* Create the inner layer of the descriptor (which includes the intro points,
747 * etc.). Return a newly-allocated string with the layer plaintext, or NULL if
748 * an error occured. It's the responsibility of the caller to free the returned
749 * string. */
752 {
756 /* Build the start of the section prior to the introduction points. */
757 {
761 }
763 ONION_HANDSHAKE_TYPE_NTOR);
767 /* Put the authentication-required line. */
772 }
776 }
777 }
779 /* Build the introduction point(s) section. */
783 ip);
787 }
791 /* Build the entire encrypted data section into one encoded plaintext and
792 * then encrypt it. */
795 err:
800 }
802 /* Create the middle layer of the descriptor, which includes the client auth
803 * data and the encrypted inner layer (provided as a base64 string at
804 * <b>layer2_b64_ciphertext</b>). Return a newly-allocated string with the
805 * layer plaintext, or NULL if an error occured. It's the responsibility of the
806 * caller to free the returned string. */
810 {
814 /* XXX: Disclaimer: This function generates only _fake_ client auth
815 * data. Real client auth is not yet implemented, but client auth data MUST
816 * always be present in descriptors. In the future this function will be
817 * refactored to use real client auth data if they exist (#20700). */
820 /* Specify auth type */
825 curve25519_keypair_t fake_x25519_keypair;
828 }
832 }
835 /* No need to memwipe any of these fake keys. They will go unused. */
836 }
842 }
844 /* create encrypted section */
845 {
849 "%s"
852 }
856 done:
861 }
863 /* Encrypt <b>encoded_str</b> into an encrypted blob and then base64 it before
864 * returning it. <b>desc</b> is provided to derive the encryption
865 * keys. <b>is_superencrypted_layer</b> is set if <b>encoded_str</b> is the
866 * middle (superencrypted) layer of the descriptor. It's the responsibility of
867 * the caller to free the returned string. */
872 {
878 is_superencrypted_layer);
879 /* Get the encoded size plus a NUL terminating byte. */
882 /* Base64 the encrypted blob before returning it. */
884 BASE64_ENCODE_MULTILINE);
885 /* Return length doesn't count the NUL byte. */
890 }
892 /* Generate and encode the superencrypted portion of <b>desc</b>. This also
893 * involves generating the encrypted portion of the descriptor, and performing
894 * the superencryption. A newly allocated NUL-terminated string pointer
895 * containing the encrypted encoded blob is put in encrypted_blob_out. Return 0
896 * on success else a negative value. */
897 static int
900 {
910 /* Func logic: We first create the inner layer of the descriptor (layer2).
911 * We then encrypt it and use it to create the middle layer of the descriptor
912 * (layer1). Finally we superencrypt the middle layer and return it to our
913 * caller. */
915 /* Create inner descriptor layer */
919 }
921 /* Encrypt and b64 the inner layer */
925 }
927 /* Now create middle descriptor layer given the inner layer */
931 }
933 /* Encrypt and base64 the middle layer */
937 }
939 /* Success! */
942 err:
949 }
951 /* Encode a v3 HS descriptor. Return 0 on success and set encoded_out to the
952 * newly allocated string of the encoded descriptor. On error, -1 is returned
953 * and encoded_out is untouched. */
954 static int
957 {
970 }
972 /* Build the non-encrypted values. */
973 {
975 /* Encode certificate then create the first line of the descriptor. */
981 }
984 /* The function will print error logs. */
986 }
987 /* Create the hs descriptor line. */
990 /* Add the descriptor lifetime line (in minutes). */
993 /* Create the descriptor certificate line. */
996 /* Create the revision counter line. */
999 }
1001 /* Build the superencrypted data section. */
1002 {
1006 }
1010 "%s"
1014 }
1016 /* Join all lines in one string so we can generate a signature and append
1017 * it to the descriptor. */
1020 /* Sign all fields of the descriptor with our short term signing key. */
1021 {
1022 ed25519_signature_t sig;
1030 }
1035 }
1036 /* Create the signature line. */
1038 }
1039 /* Free previous string that we used so compute the signature. */
1049 }
1051 /* XXX: Trigger a control port event. */
1053 /* Success! */
1056 err:
1060 }
1062 /* === DECODING === */
1064 /* Given an encoded string of the link specifiers, return a newly allocated
1065 * list of decoded link specifiers. Return NULL on error. */
1066 STATIC smartlist_t *
1068 {
1080 encoded_len);
1083 }
1088 }
1111 /* Both are known at compile time so let's make sure they are the same
1112 * else we can copy memory out of bound. */
1119 /* Both are known at compile time so let's make sure they are the same
1120 * else we can copy memory out of bound. */
1129 }
1132 }
1135 err:
1140 }
1141 done:
1145 }
1147 /* Given a list of authentication types, decode it and put it in the encrypted
1148 * data section. Return 1 if we at least know one of the type or 0 if we know
1149 * none of them. */
1150 static int
1152 {
1161 /* Validate the types that we at least know about one. */
1168 }
1169 }
1173 }
1175 /* Parse a space-delimited list of integers representing CREATE2 formats into
1176 * the bitfield in hs_desc_encrypted_data_t. Ignore unrecognized values. */
1177 static void
1179 {
1194 }
1200 /* We deliberately ignore unsupported handshake types */
1202 }
1207 }
1209 /* Given a certificate, validate the certificate for certain conditions which
1210 * are if the given type matches the cert's one, if the signing key is
1211 * included and if the that key was actually used to sign the certificate.
1212 *
1213 * Return 1 iff if all conditions pass or 0 if one of them fails. */
1214 STATIC int
1216 {
1222 }
1225 log_obj_type);
1227 }
1228 /* All certificate must have its signing key included. */
1232 }
1233 /* The following will not only check if the signature matches but also the
1234 * expiration date and overall validity. */
1238 }
1241 err:
1243 }
1245 /* Given some binary data, try to parse it to get a certificate object. If we
1246 * have a valid cert, validate it using the given wanted type. On error, print
1247 * a log using the err_msg has the certificate identifier adding semantic to
1248 * the log and cert_out is set to NULL. On success, 0 is returned and cert_out
1249 * points to a newly allocated certificate object. */
1250 static int
1254 {
1261 /* Parse certificate. */
1266 }
1268 /* Validate certificate. */
1271 }
1276 err:
1280 }
1282 /* Return true iff the given length of the encrypted data of a descriptor
1283 * passes validation. */
1284 STATIC int
1286 {
1287 /* Make sure there is enough data for the salt and the mac. The equality is
1288 there to ensure that there is at least one byte of encrypted data. */
1294 }
1297 err:
1299 }
1301 /** Decrypt an encrypted descriptor layer at <b>encrypted_blob</b> of size
1302 * <b>encrypted_blob_size</b>. Use the descriptor object <b>desc</b> to
1303 * generate the right decryption keys; set <b>decrypted_out</b> to the
1304 * plaintext. If <b>is_superencrypted_layer</b> is set, this is the outter
1305 * encrypted layer of the descriptor.
1306 *
1307 * On any error case, including an empty output, return 0 and set
1308 * *<b>decrypted_out</b> to NULL.
1309 */
1316 {
1327 /* Construction is as follow: SALT | ENCRYPTED_DATA | MAC .
1328 * Make sure we have enough space for all these things. */
1331 }
1333 /* Start of the blob thus the salt. */
1336 /* Next is the encrypted data. */
1342 /* And last comes the MAC. */
1345 /* KDF construction resulting in a key from which the secret key, IV and MAC
1346 * key are extracted which is what we need for the decryption. */
1351 is_superencrypted_layer);
1353 /* Build MAC. */
1357 /* Verify MAC; MAC is H(mac_key || salt || encrypted)
1358 *
1359 * This is a critical check that is making sure the computed MAC matches the
1360 * one in the descriptor. */
1364 }
1366 {
1367 /* Decrypt. Here we are assured that the encrypted length is valid for
1368 * decryption. */
1372 HS_DESC_ENCRYPTED_BIT_SIZE);
1373 /* Extra byte for the NUL terminated byte. */
1378 }
1380 {
1381 /* Adjust length to remove NUL padding bytes */
1386 }
1387 }
1390 /* Treat this as an error, so that somebody will free the output. */
1392 }
1394 /* Make sure to NUL terminate the string. */
1399 err:
1402 }
1406 done:
1410 }
1412 /* Basic validation that the superencrypted client auth portion of the
1413 * descriptor is well-formed and recognized. Return True if so, otherwise
1414 * return False. */
1415 static int
1417 {
1418 /* XXX: This is just basic validation for now. When we implement client auth,
1419 we can refactor this function so that it actually parses and saves the
1420 data. */
1429 }
1430 }
1434 curve25519_public_key_t k;
1440 }
1441 }
1443 /* verify desc auth client items */
1447 }
1451 }
1453 /* Parse <b>message</b>, the plaintext of the superencrypted portion of an HS
1454 * descriptor. Set <b>encrypted_out</b> to the encrypted blob, and return its
1455 * size */
1456 STATIC size_t
1459 {
1470 }
1472 /* Do some rudimentary validation of the authentication data */
1476 }
1478 /* Extract the encrypted data section. */
1479 {
1486 }
1487 /* Make sure the length of the encrypted blob is valid. */
1490 }
1492 /* Copy the encrypted blob to the descriptor object so we can handle it
1493 * latter if needed. */
1497 }
1499 err:
1504 }
1507 }
1509 /* Decrypt both the superencrypted and the encrypted section of the descriptor
1510 * using the given descriptor object <b>desc</b>. A newly allocated NUL
1511 * terminated string is put in decrypted_out which contains the inner encrypted
1512 * layer of the descriptor. Return the length of decrypted_out on success else
1513 * 0 is returned and decrypted_out is set to NULL. */
1514 static size_t
1516 {
1523 /** Function logic: This function takes us from the descriptor header to the
1524 * inner encrypted layer, by decrypting and decoding the middle descriptor
1525 * layer. In the end we return the contents of the inner encrypted layer to
1526 * our caller. */
1528 /* 1. Decrypt middle layer of descriptor */
1537 }
1540 /* 2. Parse "superencrypted" */
1542 superencrypted_len,
1547 }
1550 /* 3. Decrypt "encrypted" and set decrypted_out */
1558 }
1563 err:
1568 }
1570 /* Given the token tok for an intro point legacy key, the list of tokens, the
1571 * introduction point ip being decoded and the descriptor desc from which it
1572 * comes from, decode the legacy key and set the intro point object. Return 0
1573 * on success else -1 on failure. */
1574 static int
1579 {
1588 }
1590 /* Extract the legacy cross certification cert which MUST be present if we
1591 * have a legacy key. */
1596 }
1599 /* Info level because this might be an unknown field that we should
1600 * ignore. */
1604 }
1605 /* Keep a copy of the certificate. */
1608 /* The check on the expiration date is for the entire lifetime of a
1609 * certificate which is 24 hours. However, a descriptor has a maximum
1610 * lifetime of 12 hours meaning we have a 12h difference between the two
1611 * which ultimately accomodate the clock skewed client. */
1620 }
1622 /* Success. */
1624 err:
1626 }
1628 /* Dig into the descriptor <b>tokens</b> to find the onion key we should use
1629 * for this intro point, and set it into <b>onion_key_out</b>. Return 0 if it
1630 * was found and well-formed, otherwise return -1 in case of errors. */
1631 static int
1634 {
1644 }
1647 /* This field is using GE(2) so for possible forward compatibility, we
1648 * accept more fields but must be at least 2. */
1651 /* Try to find an ntor key, it's the only recognized type right now */
1656 }
1657 /* Got the onion key! Set the appropriate retval */
1659 }
1662 /* Log an error if we didn't find it :( */
1665 }
1667 err:
1670 }
1672 /* Given the start of a section and the end of it, decode a single
1673 * introduction point from that section. Return a newly allocated introduction
1674 * point object containing the decoded data. Return NULL if the section can't
1675 * be decoded. */
1676 STATIC hs_desc_intro_point_t *
1678 {
1693 }
1695 /* Ok we seem to have a well formed section containing enough tokens to
1696 * parse. Allocate our IP object and try to populate it. */
1699 /* "introduction-point" SP link-specifiers NL */
1702 /* Our constructor creates this list by default so free it. */
1708 }
1710 /* "onion-key" SP ntor SP key NL */
1713 }
1715 /* "auth-key" NL certificate NL */
1721 }
1722 /* Parse cert and do some validation. */
1727 }
1728 /* Validate authentication certificate with descriptor signing key. */
1733 }
1735 /* Exactly one "enc-key" SP "ntor" SP key NL */
1738 /* This field is using GE(2) so for possible forward compatibility, we
1739 * accept more fields but must be at least 2. */
1745 }
1747 /* Unknown key type so we can't use that introduction point. */
1750 }
1752 /* Exactly once "enc-key-cert" NL certificate NL */
1755 /* Do the cross certification. */
1760 }
1765 }
1770 }
1771 /* It is successfully cross certified. Flag the object. */
1774 /* Do we have a "legacy-key" SP key NL ?*/
1779 }
1780 }
1782 /* Introduction point has been parsed successfully. */
1785 err:
1789 done:
1794 }
1797 }
1799 /* Given a descriptor string at <b>data</b>, decode all possible introduction
1800 * points that we can find. Add the introduction point object to desc_enc as we
1801 * find them. This function can't fail and it is possible that zero
1802 * introduction points can be decoded. */
1803 static void
1807 {
1816 /* Take the desc string, and extract the intro point substrings out of it */
1817 {
1818 /* Split the descriptor string using the intro point header as delimiter */
1821 /* Check if there are actually any intro points included. The first chunk
1822 * should be other descriptor fields (e.g. create2-formats), so it's not an
1823 * intro point. */
1826 }
1827 }
1829 /* Take the intro point substrings, and prepare them for parsing */
1830 {
1832 /* Prepend the introduction-point header to all the chunks, since
1833 smartlist_split_string() devoured it. */
1835 /* Ignore first chunk. It's other descriptor fields. */
1838 }
1842 }
1844 /* Parse the intro points! */
1848 /* Malformed introduction point section. We'll ignore this introduction
1849 * point and continue parsing. New or unknown fields are possible for
1850 * forward compatibility. */
1852 }
1856 done:
1861 }
1862 /* Return 1 iff the given base64 encoded signature in b64_sig from the encoded
1863 * descriptor in encoded_desc validates the descriptor content. */
1864 STATIC int
1868 {
1870 ed25519_signature_t sig;
1876 /* Verifying nothing won't end well :). */
1879 /* Signature length check. */
1885 }
1887 /* First, convert base64 blob to an ed25519 signature. */
1892 }
1894 /* Find the start of signature. */
1896 /* Getting here means the token parsing worked for the signature so if we
1897 * can't find the start of the signature, we have a code flow issue. */
1901 }
1902 /* Skip newline, it has to go in the signature check. */
1903 sig_start++;
1905 /* Validate signature with the full body of the descriptor. */
1909 str_desc_sig_prefix,
1913 }
1914 /* Valid signature! All is good. */
1917 err:
1919 }
1921 /* Decode descriptor plaintext data for version 3. Given a list of tokens, an
1922 * allocated plaintext object that will be populated and the encoded
1923 * descriptor with its length. The last one is needed for signature
1924 * verification. Unknown tokens are simply ignored so this won't error on
1925 * unknowns but requires that all v3 token be present and valid.
1926 *
1927 * Return 0 on success else a negative value. */
1928 static int
1932 {
1938 /* Version higher could still use this function to decode most of the
1939 * descriptor and then they decode the extra part. */
1942 /* Descriptor lifetime parsing. */
1950 }
1951 /* Put it from minute to second. */
1958 }
1960 /* Descriptor signing certificate. */
1963 /* Expecting a prop220 cert with the signing key extension, which contains
1964 * the blinded public key. */
1969 }
1974 }
1976 /* Copy the public keys into signing_pubkey and blinded_pubkey */
1982 /* Extract revision counter value. */
1990 }
1992 /* Extract the encrypted data section. */
1998 }
1999 /* Make sure the length of the encrypted blob is valid. */
2002 }
2004 /* Copy the encrypted blob to the descriptor object so we can handle it
2005 * latter if needed. */
2009 /* Extract signature and verify it. */
2012 /* First arg here is the actual encoded signature. */
2016 }
2020 err:
2022 }
2024 /* Decode the version 3 encrypted section of the given descriptor desc. The
2025 * desc_encrypted_out will be populated with the decoded data. Return 0 on
2026 * success else -1. */
2027 static int
2030 {
2041 /* Decrypt the superencrypted data that is located in the plaintext section
2042 * in the descriptor as a blob of bytes. */
2047 }
2056 }
2058 /* CREATE2 supported cell format. It's mandatory. */
2062 /* Must support ntor according to the specification */
2066 }
2068 /* Authentication type. It's optional but only once. */
2075 }
2076 }
2078 /* Is this service a single onion service? */
2082 }
2084 /* Initialize the descriptor's introduction point list before we start
2085 * decoding. Having 0 intro point is valid. Then decode them all. */
2089 /* Validation of maximum introduction points allowed. */
2091 HS_CONFIG_V3_MAX_INTRO_POINTS) {
2094 HS_CONFIG_V3_MAX_INTRO_POINTS,
2097 }
2099 /* NOTE: Unknown fields are allowed because this function could be used to
2100 * decode other descriptor version. */
2105 err:
2109 done:
2113 }
2116 }
2119 }
2121 }
2123 /* Table of encrypted decode function version specific. The function are
2124 * indexed by the version number so v3 callback is at index 3 in the array. */
2125 static int
2129 {
2131 desc_decode_encrypted_v3,
2132 };
2134 /* Decode the encrypted data section of the given descriptor and store the
2135 * data in the given encrypted data object. Return 0 on success else a
2136 * negative value on error. */
2137 int
2140 {
2145 /* Ease our life a bit. */
2148 /* Calling this function without an encrypted blob to parse is a code flow
2149 * error. The plaintext parsing should never succeed in the first place
2150 * without an encrypted section. */
2152 /* Let's make sure we have a supported version as well. By correctly parsing
2153 * the plaintext, this should not fail. */
2157 }
2158 /* Extra precaution. Having no handler for the supported version should
2159 * never happened else we forgot to add it but we bumped the version. */
2163 /* Run the version specific plaintext decoder. */
2167 }
2169 err:
2171 }
2173 /* Table of plaintext decode function version specific. The function are
2174 * indexed by the version number so v3 callback is at index 3 in the array. */
2175 static int
2181 {
2183 desc_decode_plaintext_v3,
2184 };
2186 /* Fully decode the given descriptor plaintext and store the data in the
2187 * plaintext data object. Returns 0 on success else a negative value. */
2188 int
2191 {
2201 /* Check that descriptor is within size limits. */
2207 }
2211 /* Tokenize the descriptor so we can start to parse it. */
2216 }
2218 /* Get the version of the descriptor which is the first mandatory field of
2219 * the descriptor. From there, we'll decode the right descriptor version. */
2228 }
2233 }
2234 /* Extra precaution. Having no handler for the supported version should
2235 * never happened else we forgot to add it but we bumped the version. */
2239 /* Run the version specific plaintext decoder. */
2244 }
2245 /* Success. Descriptor has been populated with the data. */
2248 err:
2252 }
2255 }
2257 }
2259 /* Fully decode an encoded descriptor and set a newly allocated descriptor
2260 * object in desc_out. Subcredentials are used if not NULL else it's ignored.
2261 *
2262 * Return 0 on success. A negative value is returned on error and desc_out is
2263 * set to NULL. */
2264 int
2268 {
2276 /* Subcredentials are optional. */
2280 }
2287 }
2292 }
2298 }
2301 err:
2305 }
2309 }
2311 /* Table of encode function version specific. The functions are indexed by the
2312 * version number so v3 callback is at index 3 in the array. */
2313 static int
2318 {
2320 desc_encode_v3,
2321 };
2323 /* Encode the given descriptor desc including signing with the given key pair
2324 * signing_kp. On success, encoded_out points to a newly allocated NUL
2325 * terminated string that contains the encoded descriptor as a string.
2326 *
2327 * Return 0 on success and encoded_out is a valid pointer. On error, -1 is
2328 * returned and encoded_out is set to NULL. */
2333 {
2340 /* Make sure we support the version of the descriptor format. */
2344 }
2345 /* Extra precaution. Having no handler for the supported version should
2346 * never happened else we forgot to add it but we bumped the version. */
2353 }
2355 /* Try to decode what we just encoded. Symmetry is nice! */
2359 }
2363 err:
2366 }
2368 /* Free the descriptor plaintext data object. */
2369 void
2371 {
2374 }
2376 /* Free the descriptor encrypted data object. */
2377 void
2379 {
2382 }
2384 /* Free the given descriptor object. */
2385 void
2387 {
2390 }
2395 }
2397 /* Return the size in bytes of the given plaintext data object. A sizeof() is
2398 * not enough because the object contains pointers and the encrypted blob.
2399 * This is particularly useful for our OOM subsystem that tracks the HSDir
2400 * cache size for instance. */
2401 size_t
2403 {
2407 }
2409 /* Return the size in bytes of the given encrypted data object. Used by OOM
2410 * subsystem. */
2411 static size_t
2413 {
2417 intro_size +=
2419 }
2421 /* XXX could follow pointers here and get more accurate size */
2422 intro_size +=
2424 }
2427 }
2429 /* Return the size in bytes of the given descriptor object. Used by OOM
2430 * subsystem. */
2431 size_t
2433 {
2438 }
2440 /* Return a newly allocated descriptor intro point. */
2441 hs_desc_intro_point_t *
2443 {
2447 }
2449 /* Free a descriptor intro point object. */
2450 void
2452 {
2455 }
2460 }
2466 }
2468 /* Free the given descriptor link specifier. */
2469 void
2471 {
2474 }
2476 }
2478 /* Return a newly allocated descriptor link specifier using the given extend
2479 * info and requested type. Return NULL on error. */
2480 hs_desc_link_specifier_t *
2482 {
2493 }
2500 }
2505 /* Bug out if the identity digest is not set */
2509 }
2513 /* ed25519 keys are optional for intro points */
2516 }
2521 /* Unknown type is code flow error. */
2523 }
2526 err:
2529 }
2531 /* From the given descriptor, remove and free every introduction point. */
2532 void
2534 {
2544 }
2545 }
2547 /* From a descriptor link specifier object spec, returned a newly allocated
2548 * link specifier object that is the encoded representation of spec. Return
2549 * NULL on error. */
2550 link_specifier_t *
2552 {
2563 /* Four bytes IPv4 and two bytes port. */
2568 {
2574 /* Sixteen bytes IPv6 and two bytes port. */
2577 }
2579 {
2585 }
2587 {
2593 }
2598 }
2601 }