1 /* Copyright (c) 2016-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
6 * \brief Implement next generation hidden service client functionality
9 #define HS_CLIENT_PRIVATE
11 #include "core/or/or.h"
12 #include "app/config/config.h"
13 #include "core/crypto/hs_ntor.h"
14 #include "core/mainloop/connection.h"
15 #include "core/or/circuitbuild.h"
16 #include "core/or/circuitlist.h"
17 #include "core/or/circuituse.h"
18 #include "core/or/connection_edge.h"
19 #include "core/or/reasons.h"
20 #include "feature/client/circpathbias.h"
21 #include "feature/dirclient/dirclient.h"
22 #include "feature/dircommon/directory.h"
23 #include "feature/hs/hs_cache.h"
24 #include "feature/hs/hs_cell.h"
25 #include "feature/hs/hs_circuit.h"
26 #include "feature/hs/hs_circuitmap.h"
27 #include "feature/hs/hs_client.h"
28 #include "feature/hs/hs_control.h"
29 #include "feature/hs/hs_descriptor.h"
30 #include "feature/hs/hs_ident.h"
31 #include "feature/nodelist/describe.h"
32 #include "feature/nodelist/networkstatus.h"
33 #include "feature/nodelist/nodelist.h"
34 #include "feature/nodelist/routerset.h"
35 #include "feature/rend/rendclient.h"
36 #include "lib/crypt_ops/crypto_format.h"
37 #include "lib/crypt_ops/crypto_rand.h"
38 #include "lib/crypt_ops/crypto_util.h"
40 #include "core/or/cpath_build_state_st.h"
41 #include "feature/dircommon/dir_connection_st.h"
42 #include "core/or/entry_connection_st.h"
43 #include "core/or/extend_info_st.h"
44 #include "core/or/origin_circuit_st.h"
46 /* Client-side authorizations for hidden services; map of service identity
47 * public key to hs_client_service_authorization_t *. */
48 static digest256map_t
*client_auths
= NULL
;
50 #include "trunnel/hs/cell_introduce1.h"
52 /* Return a human-readable string for the client fetch status code. */
54 fetch_status_to_string(hs_client_fetch_status_t status
)
57 case HS_CLIENT_FETCH_ERROR
:
58 return "Internal error";
59 case HS_CLIENT_FETCH_LAUNCHED
:
60 return "Descriptor fetch launched";
61 case HS_CLIENT_FETCH_HAVE_DESC
:
62 return "Already have descriptor";
63 case HS_CLIENT_FETCH_NO_HSDIRS
:
64 return "No more HSDir available to query";
65 case HS_CLIENT_FETCH_NOT_ALLOWED
:
66 return "Fetching descriptors is not allowed";
67 case HS_CLIENT_FETCH_MISSING_INFO
:
68 return "Missing directory information";
69 case HS_CLIENT_FETCH_PENDING
:
70 return "Pending descriptor fetch";
72 return "(Unknown client fetch status code)";
76 /* Return true iff tor should close the SOCKS request(s) for the descriptor
77 * fetch that ended up with this given status code. */
79 fetch_status_should_close_socks(hs_client_fetch_status_t status
)
82 case HS_CLIENT_FETCH_NO_HSDIRS
:
83 /* No more HSDir to query, we can't complete the SOCKS request(s). */
84 case HS_CLIENT_FETCH_ERROR
:
85 /* The fetch triggered an internal error. */
86 case HS_CLIENT_FETCH_NOT_ALLOWED
:
87 /* Client is not allowed to fetch (FetchHidServDescriptors 0). */
89 case HS_CLIENT_FETCH_MISSING_INFO
:
90 case HS_CLIENT_FETCH_HAVE_DESC
:
91 case HS_CLIENT_FETCH_PENDING
:
92 case HS_CLIENT_FETCH_LAUNCHED
:
93 /* The rest doesn't require tor to close the SOCKS request(s). */
103 /* Cancel all descriptor fetches currently in progress. */
105 cancel_descriptor_fetches(void)
108 connection_list_by_type_state(CONN_TYPE_DIR
, DIR_PURPOSE_FETCH_HSDESC
);
109 SMARTLIST_FOREACH_BEGIN(conns
, connection_t
*, conn
) {
110 const hs_ident_dir_conn_t
*ident
= TO_DIR_CONN(conn
)->hs_ident
;
111 if (BUG(ident
== NULL
)) {
112 /* A directory connection fetching a service descriptor can't have an
113 * empty hidden service identifier. */
116 log_debug(LD_REND
, "Marking for close a directory connection fetching "
117 "a hidden service descriptor for service %s.",
118 safe_str_client(ed25519_fmt(&ident
->identity_pk
)));
119 connection_mark_for_close(conn
);
120 } SMARTLIST_FOREACH_END(conn
);
122 /* No ownership of the objects in this list. */
123 smartlist_free(conns
);
124 log_info(LD_REND
, "Hidden service client descriptor fetches cancelled.");
127 /* Get all connections that are waiting on a circuit and flag them back to
128 * waiting for a hidden service descriptor for the given service key
129 * service_identity_pk. */
131 flag_all_conn_wait_desc(const ed25519_public_key_t
*service_identity_pk
)
133 tor_assert(service_identity_pk
);
136 connection_list_by_type_state(CONN_TYPE_AP
, AP_CONN_STATE_CIRCUIT_WAIT
);
138 SMARTLIST_FOREACH_BEGIN(conns
, connection_t
*, conn
) {
139 edge_connection_t
*edge_conn
;
140 if (BUG(!CONN_IS_EDGE(conn
))) {
143 edge_conn
= TO_EDGE_CONN(conn
);
144 if (edge_conn
->hs_ident
&&
145 ed25519_pubkey_eq(&edge_conn
->hs_ident
->identity_pk
,
146 service_identity_pk
)) {
147 connection_ap_mark_as_waiting_for_renddesc(TO_ENTRY_CONN(conn
));
149 } SMARTLIST_FOREACH_END(conn
);
151 smartlist_free(conns
);
154 /* Remove tracked HSDir requests from our history for this hidden service
155 * identity public key. */
157 purge_hid_serv_request(const ed25519_public_key_t
*identity_pk
)
159 char base64_blinded_pk
[ED25519_BASE64_LEN
+ 1];
160 ed25519_public_key_t blinded_pk
;
162 tor_assert(identity_pk
);
164 /* Get blinded pubkey of hidden service. It is possible that we just moved
165 * to a new time period meaning that we won't be able to purge the request
166 * from the previous time period. That is fine because they will expire at
167 * some point and we don't care about those anymore. */
168 hs_build_blinded_pubkey(identity_pk
, NULL
, 0,
169 hs_get_time_period_num(0), &blinded_pk
);
170 ed25519_public_to_base64(base64_blinded_pk
, &blinded_pk
);
171 /* Purge last hidden service request from cache for this blinded key. */
172 hs_purge_hid_serv_from_last_hid_serv_requests(base64_blinded_pk
);
175 /* Return true iff there is at least one pending directory descriptor request
176 * for the service identity_pk. */
178 directory_request_is_pending(const ed25519_public_key_t
*identity_pk
)
182 connection_list_by_type_purpose(CONN_TYPE_DIR
, DIR_PURPOSE_FETCH_HSDESC
);
184 SMARTLIST_FOREACH_BEGIN(conns
, connection_t
*, conn
) {
185 const hs_ident_dir_conn_t
*ident
= TO_DIR_CONN(conn
)->hs_ident
;
186 if (BUG(ident
== NULL
)) {
187 /* A directory connection fetching a service descriptor can't have an
188 * empty hidden service identifier. */
191 if (!ed25519_pubkey_eq(identity_pk
, &ident
->identity_pk
)) {
196 } SMARTLIST_FOREACH_END(conn
);
198 /* No ownership of the objects in this list. */
199 smartlist_free(conns
);
203 /* Helper function that changes the state of an entry connection to waiting
204 * for a circuit. For this to work properly, the connection timestamps are set
205 * to now and the connection is then marked as pending for a circuit. */
207 mark_conn_as_waiting_for_circuit(connection_t
*conn
, time_t now
)
211 /* Because the connection can now proceed to opening circuit and ultimately
212 * connect to the service, reset those timestamp so the connection is
213 * considered "fresh" and can continue without being closed too early. */
214 conn
->timestamp_created
= now
;
215 conn
->timestamp_last_read_allowed
= now
;
216 conn
->timestamp_last_write_allowed
= now
;
217 /* Change connection's state into waiting for a circuit. */
218 conn
->state
= AP_CONN_STATE_CIRCUIT_WAIT
;
220 connection_ap_mark_as_pending_circuit(TO_ENTRY_CONN(conn
));
223 /* We failed to fetch a descriptor for the service with <b>identity_pk</b>
224 * because of <b>status</b>. Find all pending SOCKS connections for this
225 * service that are waiting on the descriptor and close them with
228 close_all_socks_conns_waiting_for_desc(const ed25519_public_key_t
*identity_pk
,
229 hs_client_fetch_status_t status
,
232 unsigned int count
= 0;
233 time_t now
= approx_time();
235 connection_list_by_type_state(CONN_TYPE_AP
, AP_CONN_STATE_RENDDESC_WAIT
);
237 SMARTLIST_FOREACH_BEGIN(conns
, connection_t
*, base_conn
) {
238 entry_connection_t
*entry_conn
= TO_ENTRY_CONN(base_conn
);
239 const edge_connection_t
*edge_conn
= ENTRY_TO_EDGE_CONN(entry_conn
);
241 /* Only consider the entry connections that matches the service for which
242 * we tried to get the descriptor */
243 if (!edge_conn
->hs_ident
||
244 !ed25519_pubkey_eq(identity_pk
,
245 &edge_conn
->hs_ident
->identity_pk
)) {
248 assert_connection_ok(base_conn
, now
);
249 /* Unattach the entry connection which will close for the reason. */
250 connection_mark_unattached_ap(entry_conn
, reason
);
252 } SMARTLIST_FOREACH_END(base_conn
);
255 char onion_address
[HS_SERVICE_ADDR_LEN_BASE32
+ 1];
256 hs_build_address(identity_pk
, HS_VERSION_THREE
, onion_address
);
257 log_notice(LD_REND
, "Closed %u streams for service %s.onion "
258 "for reason %s. Fetch status: %s.",
259 count
, safe_str_client(onion_address
),
260 stream_end_reason_to_string(reason
),
261 fetch_status_to_string(status
));
264 /* No ownership of the object(s) in this list. */
265 smartlist_free(conns
);
268 /* Find all pending SOCKS connection waiting for a descriptor and retry them
269 * all. This is called when the directory information changed. */
271 retry_all_socks_conn_waiting_for_desc(void)
274 connection_list_by_type_state(CONN_TYPE_AP
, AP_CONN_STATE_RENDDESC_WAIT
);
276 SMARTLIST_FOREACH_BEGIN(conns
, connection_t
*, base_conn
) {
277 hs_client_fetch_status_t status
;
278 const edge_connection_t
*edge_conn
=
279 ENTRY_TO_EDGE_CONN(TO_ENTRY_CONN(base_conn
));
281 /* Ignore non HS or non v3 connection. */
282 if (edge_conn
->hs_ident
== NULL
) {
285 /* In this loop, we will possibly try to fetch a descriptor for the
286 * pending connections because we just got more directory information.
287 * However, the refetch process can cleanup all SOCKS request to the same
288 * service if an internal error happens. Thus, we can end up with closed
289 * connections in our list. */
290 if (base_conn
->marked_for_close
) {
294 /* XXX: There is an optimization we could do which is that for a service
295 * key, we could check if we can fetch and remember that decision. */
297 /* Order a refetch in case it works this time. */
298 status
= hs_client_refetch_hsdesc(&edge_conn
->hs_ident
->identity_pk
);
299 if (status
== HS_CLIENT_FETCH_HAVE_DESC
) {
300 /* This is a rare case where a SOCKS connection is in state waiting for
301 * a descriptor but we do have it in the cache.
303 * This can happen is tor comes back from suspend where it previously
304 * had the descriptor but the intro points were not usuable. Once it
305 * came back to life, the intro point failure cache was cleaned up and
306 * thus the descriptor became usable again leaving us in this code path.
308 * We'll mark the connection as waiting for a circuit so the descriptor
309 * can be retried. This is safe because a connection in state waiting
310 * for a descriptor can not be in the entry connection pending list. */
311 mark_conn_as_waiting_for_circuit(base_conn
, approx_time());
314 /* In the case of an error, either all SOCKS connections have been
315 * closed or we are still missing directory information. Leave the
316 * connection in renddesc wait state so when we get more info, we'll be
317 * able to try it again. */
318 } SMARTLIST_FOREACH_END(base_conn
);
320 /* We don't have ownership of those objects. */
321 smartlist_free(conns
);
324 /* A v3 HS circuit successfully connected to the hidden service. Update the
325 * stream state at <b>hs_conn_ident</b> appropriately. */
327 note_connection_attempt_succeeded(const hs_ident_edge_conn_t
*hs_conn_ident
)
329 tor_assert(hs_conn_ident
);
331 /* Remove from the hid serv cache all requests for that service so we can
332 * query the HSDir again later on for various reasons. */
333 purge_hid_serv_request(&hs_conn_ident
->identity_pk
);
335 /* The v2 subsystem cleans up the intro point time out flag at this stage.
336 * We don't try to do it here because we still need to keep intact the intro
337 * point state for future connections. Even though we are able to connect to
338 * the service, doesn't mean we should reset the timed out intro points.
340 * It is not possible to have successfully connected to an intro point
341 * present in our cache that was on error or timed out. Every entry in that
342 * cache have a 2 minutes lifetime so ultimately the intro point(s) state
343 * will be reset and thus possible to be retried. */
346 /* Given the pubkey of a hidden service in <b>onion_identity_pk</b>, fetch its
347 * descriptor by launching a dir connection to <b>hsdir</b>. Return a
348 * hs_client_fetch_status_t status code depending on how it went. */
349 static hs_client_fetch_status_t
350 directory_launch_v3_desc_fetch(const ed25519_public_key_t
*onion_identity_pk
,
351 const routerstatus_t
*hsdir
)
353 uint64_t current_time_period
= hs_get_time_period_num(0);
354 ed25519_public_key_t blinded_pubkey
;
355 char base64_blinded_pubkey
[ED25519_BASE64_LEN
+ 1];
356 hs_ident_dir_conn_t hs_conn_dir_ident
;
359 tor_assert(onion_identity_pk
);
361 /* Get blinded pubkey */
362 hs_build_blinded_pubkey(onion_identity_pk
, NULL
, 0,
363 current_time_period
, &blinded_pubkey
);
364 /* ...and base64 it. */
365 ed25519_public_to_base64(base64_blinded_pubkey
, &blinded_pubkey
);
367 /* Copy onion pk to a dir_ident so that we attach it to the dir conn */
368 hs_ident_dir_conn_init(onion_identity_pk
, &blinded_pubkey
,
371 /* Setup directory request */
372 directory_request_t
*req
=
373 directory_request_new(DIR_PURPOSE_FETCH_HSDESC
);
374 directory_request_set_routerstatus(req
, hsdir
);
375 directory_request_set_indirection(req
, DIRIND_ANONYMOUS
);
376 directory_request_set_resource(req
, base64_blinded_pubkey
);
377 directory_request_fetch_set_hs_ident(req
, &hs_conn_dir_ident
);
378 directory_initiate_request(req
);
379 directory_request_free(req
);
381 log_info(LD_REND
, "Descriptor fetch request for service %s with blinded "
382 "key %s to directory %s",
383 safe_str_client(ed25519_fmt(onion_identity_pk
)),
384 safe_str_client(base64_blinded_pubkey
),
385 safe_str_client(routerstatus_describe(hsdir
)));
387 /* Fire a REQUESTED event on the control port. */
388 hs_control_desc_event_requested(onion_identity_pk
, base64_blinded_pubkey
,
391 /* Cleanup memory. */
392 memwipe(&blinded_pubkey
, 0, sizeof(blinded_pubkey
));
393 memwipe(base64_blinded_pubkey
, 0, sizeof(base64_blinded_pubkey
));
394 memwipe(&hs_conn_dir_ident
, 0, sizeof(hs_conn_dir_ident
));
396 return HS_CLIENT_FETCH_LAUNCHED
;
399 /** Return the HSDir we should use to fetch the descriptor of the hidden
400 * service with identity key <b>onion_identity_pk</b>. */
401 STATIC routerstatus_t
*
402 pick_hsdir_v3(const ed25519_public_key_t
*onion_identity_pk
)
404 char base64_blinded_pubkey
[ED25519_BASE64_LEN
+ 1];
405 uint64_t current_time_period
= hs_get_time_period_num(0);
406 smartlist_t
*responsible_hsdirs
= NULL
;
407 ed25519_public_key_t blinded_pubkey
;
408 routerstatus_t
*hsdir_rs
= NULL
;
410 tor_assert(onion_identity_pk
);
412 /* Get blinded pubkey of hidden service */
413 hs_build_blinded_pubkey(onion_identity_pk
, NULL
, 0,
414 current_time_period
, &blinded_pubkey
);
415 /* ...and base64 it. */
416 ed25519_public_to_base64(base64_blinded_pubkey
, &blinded_pubkey
);
418 /* Get responsible hsdirs of service for this time period */
419 responsible_hsdirs
= smartlist_new();
421 hs_get_responsible_hsdirs(&blinded_pubkey
, current_time_period
,
422 0, 1, responsible_hsdirs
);
424 log_debug(LD_REND
, "Found %d responsible HSDirs and about to pick one.",
425 smartlist_len(responsible_hsdirs
));
427 /* Pick an HSDir from the responsible ones. The ownership of
428 * responsible_hsdirs is given to this function so no need to free it. */
429 hsdir_rs
= hs_pick_hsdir(responsible_hsdirs
, base64_blinded_pubkey
, NULL
);
434 /** Fetch a v3 descriptor using the given <b>onion_identity_pk</b>.
436 * On success, HS_CLIENT_FETCH_LAUNCHED is returned. Otherwise, an error from
437 * hs_client_fetch_status_t is returned. */
438 MOCK_IMPL(STATIC hs_client_fetch_status_t
,
439 fetch_v3_desc
, (const ed25519_public_key_t
*onion_identity_pk
))
441 routerstatus_t
*hsdir_rs
=NULL
;
443 tor_assert(onion_identity_pk
);
445 hsdir_rs
= pick_hsdir_v3(onion_identity_pk
);
447 log_info(LD_REND
, "Couldn't pick a v3 hsdir.");
448 return HS_CLIENT_FETCH_NO_HSDIRS
;
451 return directory_launch_v3_desc_fetch(onion_identity_pk
, hsdir_rs
);
454 /* With a given <b>onion_identity_pk</b>, fetch its descriptor. If
455 * <b>hsdirs</b> is specified, use the directory servers specified in the list.
456 * Else, use a random server. */
458 hs_client_launch_v3_desc_fetch(const ed25519_public_key_t
*onion_identity_pk
,
459 const smartlist_t
*hsdirs
)
461 tor_assert(onion_identity_pk
);
463 if (hsdirs
!= NULL
) {
464 SMARTLIST_FOREACH_BEGIN(hsdirs
, const routerstatus_t
*, hsdir
) {
465 directory_launch_v3_desc_fetch(onion_identity_pk
, hsdir
);
466 } SMARTLIST_FOREACH_END(hsdir
);
468 fetch_v3_desc(onion_identity_pk
);
472 /* Make sure that the given v3 origin circuit circ is a valid correct
473 * introduction circuit. This will BUG() on any problems and hard assert if
474 * the anonymity of the circuit is not ok. Return 0 on success else -1 where
475 * the circuit should be mark for closed immediately. */
477 intro_circ_is_ok(const origin_circuit_t
*circ
)
483 if (BUG(TO_CIRCUIT(circ
)->purpose
!= CIRCUIT_PURPOSE_C_INTRODUCING
&&
484 TO_CIRCUIT(circ
)->purpose
!= CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT
&&
485 TO_CIRCUIT(circ
)->purpose
!= CIRCUIT_PURPOSE_C_INTRODUCE_ACKED
)) {
488 if (BUG(circ
->hs_ident
== NULL
)) {
491 if (BUG(!hs_ident_intro_circ_is_valid(circ
->hs_ident
))) {
495 /* This can stop the tor daemon but we want that since if we don't have
496 * anonymity on this circuit, something went really wrong. */
497 assert_circ_anonymity_ok(circ
, get_options());
501 /* Find a descriptor intro point object that matches the given ident in the
502 * given descriptor desc. Return NULL if not found. */
503 static const hs_desc_intro_point_t
*
504 find_desc_intro_point_by_ident(const hs_ident_circuit_t
*ident
,
505 const hs_descriptor_t
*desc
)
507 const hs_desc_intro_point_t
*intro_point
= NULL
;
512 SMARTLIST_FOREACH_BEGIN(desc
->encrypted_data
.intro_points
,
513 const hs_desc_intro_point_t
*, ip
) {
514 if (ed25519_pubkey_eq(&ident
->intro_auth_pk
,
515 &ip
->auth_key_cert
->signed_key
)) {
519 } SMARTLIST_FOREACH_END(ip
);
524 /* Find a descriptor intro point object from the descriptor object desc that
525 * matches the given legacy identity digest in legacy_id. Return NULL if not
527 static hs_desc_intro_point_t
*
528 find_desc_intro_point_by_legacy_id(const char *legacy_id
,
529 const hs_descriptor_t
*desc
)
531 hs_desc_intro_point_t
*ret_ip
= NULL
;
533 tor_assert(legacy_id
);
536 /* We will go over every intro point and try to find which one is linked to
537 * that circuit. Those lists are small so it's not that expensive. */
538 SMARTLIST_FOREACH_BEGIN(desc
->encrypted_data
.intro_points
,
539 hs_desc_intro_point_t
*, ip
) {
540 SMARTLIST_FOREACH_BEGIN(ip
->link_specifiers
,
541 const link_specifier_t
*, lspec
) {
542 /* Not all tor node have an ed25519 identity key so we still rely on the
543 * legacy identity digest. */
544 if (link_specifier_get_ls_type(lspec
) != LS_LEGACY_ID
) {
547 if (fast_memneq(legacy_id
,
548 link_specifier_getconstarray_un_legacy_id(lspec
),
555 } SMARTLIST_FOREACH_END(lspec
);
556 } SMARTLIST_FOREACH_END(ip
);
562 /* Send an INTRODUCE1 cell along the intro circuit and populate the rend
563 * circuit identifier with the needed key material for the e2e encryption.
564 * Return 0 on success, -1 if there is a transient error such that an action
565 * has been taken to recover and -2 if there is a permanent error indicating
566 * that both circuits were closed. */
568 send_introduce1(origin_circuit_t
*intro_circ
,
569 origin_circuit_t
*rend_circ
)
572 char onion_address
[HS_SERVICE_ADDR_LEN_BASE32
+ 1];
573 const ed25519_public_key_t
*service_identity_pk
= NULL
;
574 const hs_desc_intro_point_t
*ip
;
576 tor_assert(rend_circ
);
577 if (intro_circ_is_ok(intro_circ
) < 0) {
581 service_identity_pk
= &intro_circ
->hs_ident
->identity_pk
;
582 /* For logging purposes. There will be a time where the hs_ident will have a
583 * version number but for now there is none because it's all v3. */
584 hs_build_address(service_identity_pk
, HS_VERSION_THREE
, onion_address
);
586 log_info(LD_REND
, "Sending INTRODUCE1 cell to service %s on circuit %u",
587 safe_str_client(onion_address
), TO_CIRCUIT(intro_circ
)->n_circ_id
);
589 /* 1) Get descriptor from our cache. */
590 const hs_descriptor_t
*desc
=
591 hs_cache_lookup_as_client(service_identity_pk
);
592 if (desc
== NULL
|| !hs_client_any_intro_points_usable(service_identity_pk
,
594 log_info(LD_REND
, "Request to %s %s. Trying to fetch a new descriptor.",
595 safe_str_client(onion_address
),
596 (desc
) ? "didn't have usable intro points" :
597 "didn't have a descriptor");
598 hs_client_refetch_hsdesc(service_identity_pk
);
599 /* We just triggered a refetch, make sure every connections are back
600 * waiting for that descriptor. */
601 flag_all_conn_wait_desc(service_identity_pk
);
602 /* We just asked for a refetch so this is a transient error. */
606 /* We need to find which intro point in the descriptor we are connected to
608 ip
= find_desc_intro_point_by_ident(intro_circ
->hs_ident
, desc
);
610 /* The following is possible if the descriptor was changed while we had
611 * this introduction circuit open and waiting for the rendezvous circuit to
612 * be ready. Which results in this situation where we can't find the
613 * corresponding intro point within the descriptor of the service. */
614 log_info(LD_REND
, "Unable to find introduction point for service %s "
615 "while trying to send an INTRODUCE1 cell.",
616 safe_str_client(onion_address
));
620 /* Send the INTRODUCE1 cell. */
621 if (hs_circ_send_introduce1(intro_circ
, rend_circ
, ip
,
622 desc
->subcredential
) < 0) {
623 if (TO_CIRCUIT(intro_circ
)->marked_for_close
) {
624 /* If the introduction circuit was closed, we were unable to send the
625 * cell for some reasons. In any case, the intro circuit has to be
626 * closed by the above function. We'll return a transient error so tor
627 * can recover and pick a new intro point. To avoid picking that same
628 * intro point, we'll note down the intro point failure so it doesn't
630 hs_cache_client_intro_state_note(service_identity_pk
,
631 &intro_circ
->hs_ident
->intro_auth_pk
,
632 INTRO_POINT_FAILURE_GENERIC
);
634 /* It is also possible that the rendezvous circuit was closed due to being
635 * unable to use the rendezvous point node_t so in that case, we also want
636 * to recover and let tor pick a new one. */
640 /* Cell has been sent successfully. Copy the introduction point
641 * authentication and encryption key in the rendezvous circuit identifier so
642 * we can compute the ntor keys when we receive the RENDEZVOUS2 cell. */
643 memcpy(&rend_circ
->hs_ident
->intro_enc_pk
, &ip
->enc_key
,
644 sizeof(rend_circ
->hs_ident
->intro_enc_pk
));
645 ed25519_pubkey_copy(&rend_circ
->hs_ident
->intro_auth_pk
,
646 &intro_circ
->hs_ident
->intro_auth_pk
);
648 /* Now, we wait for an ACK or NAK on this circuit. */
649 circuit_change_purpose(TO_CIRCUIT(intro_circ
),
650 CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT
);
651 /* Set timestamp_dirty, because circuit_expire_building expects it to
652 * specify when a circuit entered the _C_INTRODUCE_ACK_WAIT state. */
653 TO_CIRCUIT(intro_circ
)->timestamp_dirty
= time(NULL
);
654 pathbias_count_use_attempt(intro_circ
);
661 /* Permanent error: it is possible that the intro circuit was closed prior
662 * because we weren't able to send the cell. Make sure we don't double close
663 * it which would result in a warning. */
664 if (!TO_CIRCUIT(intro_circ
)->marked_for_close
) {
665 circuit_mark_for_close(TO_CIRCUIT(intro_circ
), END_CIRC_REASON_INTERNAL
);
667 circuit_mark_for_close(TO_CIRCUIT(rend_circ
), END_CIRC_REASON_INTERNAL
);
675 memwipe(onion_address
, 0, sizeof(onion_address
));
679 /* Using the introduction circuit circ, setup the authentication key of the
680 * intro point this circuit has extended to. */
682 setup_intro_circ_auth_key(origin_circuit_t
*circ
)
684 const hs_descriptor_t
*desc
;
685 const hs_desc_intro_point_t
*ip
;
689 desc
= hs_cache_lookup_as_client(&circ
->hs_ident
->identity_pk
);
691 /* There is a very small race window between the opening of this circuit
692 * and the client descriptor cache that gets purged (NEWNYM) or the
693 * cleaned up because it expired. Mark the circuit for close so a new
694 * descriptor fetch can occur. */
695 circuit_mark_for_close(TO_CIRCUIT(circ
), END_CIRC_REASON_INTERNAL
);
699 /* We will go over every intro point and try to find which one is linked to
700 * that circuit. Those lists are small so it's not that expensive. */
701 ip
= find_desc_intro_point_by_legacy_id(
702 circ
->build_state
->chosen_exit
->identity_digest
, desc
);
704 /* We got it, copy its authentication key to the identifier. */
705 ed25519_pubkey_copy(&circ
->hs_ident
->intro_auth_pk
,
706 &ip
->auth_key_cert
->signed_key
);
710 /* Reaching this point means we didn't find any intro point for this circuit
711 * which is not supposed to happen. */
712 tor_assert_nonfatal_unreached();
718 /* Called when an introduction circuit has opened. */
720 client_intro_circ_has_opened(origin_circuit_t
*circ
)
723 tor_assert(TO_CIRCUIT(circ
)->purpose
== CIRCUIT_PURPOSE_C_INTRODUCING
);
724 log_info(LD_REND
, "Introduction circuit %u has opened. Attaching streams.",
725 (unsigned int) TO_CIRCUIT(circ
)->n_circ_id
);
727 /* This is an introduction circuit so we'll attach the correct
728 * authentication key to the circuit identifier so it can be identified
729 * properly later on. */
730 setup_intro_circ_auth_key(circ
);
732 connection_ap_attach_pending(1);
735 /* Called when a rendezvous circuit has opened. */
737 client_rendezvous_circ_has_opened(origin_circuit_t
*circ
)
740 tor_assert(TO_CIRCUIT(circ
)->purpose
== CIRCUIT_PURPOSE_C_ESTABLISH_REND
);
742 const extend_info_t
*rp_ei
= circ
->build_state
->chosen_exit
;
744 /* Check that we didn't accidentally choose a node that does not understand
745 * the v3 rendezvous protocol */
747 const node_t
*rp_node
= node_get_by_id(rp_ei
->identity_digest
);
749 if (BUG(!node_supports_v3_rendezvous_point(rp_node
))) {
755 log_info(LD_REND
, "Rendezvous circuit has opened to %s.",
756 safe_str_client(extend_info_describe(rp_ei
)));
758 /* Ignore returned value, nothing we can really do. On failure, the circuit
759 * will be marked for close. */
760 hs_circ_send_establish_rendezvous(circ
);
762 /* Register rend circuit in circuitmap if it's still alive. */
763 if (!TO_CIRCUIT(circ
)->marked_for_close
) {
764 hs_circuitmap_register_rend_circ_client_side(circ
,
765 circ
->hs_ident
->rendezvous_cookie
);
769 /* This is an helper function that convert a descriptor intro point object ip
770 * to a newly allocated extend_info_t object fully initialized. Return NULL if
771 * we can't convert it for which chances are that we are missing or malformed
772 * link specifiers. */
773 STATIC extend_info_t
*
774 desc_intro_point_to_extend_info(const hs_desc_intro_point_t
*ip
)
780 /* Explicitly put the direct connection option to 0 because this is client
781 * side and there is no such thing as a non anonymous client. */
782 ei
= hs_get_extend_info_from_lspecs(ip
->link_specifiers
, &ip
->onion_key
, 0);
787 /* Return true iff the intro point ip for the service service_pk is usable.
788 * This function checks if the intro point is in the client intro state cache
789 * and checks at the failures. It is considered usable if:
790 * - No error happened (INTRO_POINT_FAILURE_GENERIC)
791 * - It is not flagged as timed out (INTRO_POINT_FAILURE_TIMEOUT)
792 * - The unreachable count is lower than
793 * MAX_INTRO_POINT_REACHABILITY_FAILURES (INTRO_POINT_FAILURE_UNREACHABLE)
796 intro_point_is_usable(const ed25519_public_key_t
*service_pk
,
797 const hs_desc_intro_point_t
*ip
)
799 const hs_cache_intro_state_t
*state
;
801 tor_assert(service_pk
);
804 state
= hs_cache_client_intro_state_find(service_pk
,
805 &ip
->auth_key_cert
->signed_key
);
807 /* This means we've never encountered any problem thus usable. */
811 log_info(LD_REND
, "Intro point with auth key %s had an error. Not usable",
812 safe_str_client(ed25519_fmt(&ip
->auth_key_cert
->signed_key
)));
815 if (state
->timed_out
) {
816 log_info(LD_REND
, "Intro point with auth key %s timed out. Not usable",
817 safe_str_client(ed25519_fmt(&ip
->auth_key_cert
->signed_key
)));
820 if (state
->unreachable_count
>= MAX_INTRO_POINT_REACHABILITY_FAILURES
) {
821 log_info(LD_REND
, "Intro point with auth key %s unreachable. Not usable",
822 safe_str_client(ed25519_fmt(&ip
->auth_key_cert
->signed_key
)));
832 /* Using a descriptor desc, return a newly allocated extend_info_t object of a
833 * randomly picked introduction point from its list. Return NULL if none are
835 STATIC extend_info_t
*
836 client_get_random_intro(const ed25519_public_key_t
*service_pk
)
838 extend_info_t
*ei
= NULL
, *ei_excluded
= NULL
;
839 smartlist_t
*usable_ips
= NULL
;
840 const hs_descriptor_t
*desc
;
841 const hs_desc_encrypted_data_t
*enc_data
;
842 const or_options_t
*options
= get_options();
843 /* Calculate the onion address for logging purposes */
844 char onion_address
[HS_SERVICE_ADDR_LEN_BASE32
+ 1];
846 tor_assert(service_pk
);
848 desc
= hs_cache_lookup_as_client(service_pk
);
849 /* Assume the service is v3 if the descriptor is missing. This is ok,
850 * because we only use the address in log messages */
851 hs_build_address(service_pk
,
852 desc
? desc
->plaintext_data
.version
: HS_VERSION_THREE
,
854 if (desc
== NULL
|| !hs_client_any_intro_points_usable(service_pk
,
856 log_info(LD_REND
, "Unable to randomly select an introduction point "
857 "for service %s because descriptor %s. We can't connect.",
858 safe_str_client(onion_address
),
859 (desc
) ? "doesn't have any usable intro points"
860 : "is missing (assuming v3 onion address)");
864 enc_data
= &desc
->encrypted_data
;
865 usable_ips
= smartlist_new();
866 smartlist_add_all(usable_ips
, enc_data
->intro_points
);
867 while (smartlist_len(usable_ips
) != 0) {
869 const hs_desc_intro_point_t
*ip
;
871 /* Pick a random intro point and immediately remove it from the usable
872 * list so we don't pick it again if we have to iterate more. */
873 idx
= crypto_rand_int(smartlist_len(usable_ips
));
874 ip
= smartlist_get(usable_ips
, idx
);
875 smartlist_del(usable_ips
, idx
);
877 /* We need to make sure we have a usable intro points which is in a good
878 * state in our cache. */
879 if (!intro_point_is_usable(service_pk
, ip
)) {
883 /* Generate an extend info object from the intro point object. */
884 ei
= desc_intro_point_to_extend_info(ip
);
886 /* We can get here for instance if the intro point is a private address
887 * and we aren't allowed to extend to those. */
888 log_info(LD_REND
, "Unable to select introduction point with auth key %s "
889 "for service %s, because we could not extend to it.",
890 safe_str_client(ed25519_fmt(&ip
->auth_key_cert
->signed_key
)),
891 safe_str_client(onion_address
));
895 /* Test the pick against ExcludeNodes. */
896 if (routerset_contains_extendinfo(options
->ExcludeNodes
, ei
)) {
897 /* If this pick is in the ExcludeNodes list, we keep its reference so if
898 * we ever end up not being able to pick anything else and StrictNodes is
899 * unset, we'll use it. */
901 /* If something was already here free it. After the loop is gone we
902 * will examine the last excluded intro point, and that's fine since
903 * that's random anyway */
904 extend_info_free(ei_excluded
);
910 /* Good pick! Let's go with this. */
914 /* Reaching this point means a couple of things. Either we can't use any of
915 * the intro point listed because the IP address can't be extended to or it
916 * is listed in the ExcludeNodes list. In the later case, if StrictNodes is
917 * set, we are forced to not use anything. */
919 if (options
->StrictNodes
) {
920 log_warn(LD_REND
, "Every introduction point for service %s is in the "
921 "ExcludeNodes set and StrictNodes is set. We can't connect.",
922 safe_str_client(onion_address
));
923 extend_info_free(ei
);
926 log_fn(LOG_PROTOCOL_WARN
, LD_REND
, "Every introduction point for service "
927 "%s is unusable or we can't extend to it. We can't connect.",
928 safe_str_client(onion_address
));
932 smartlist_free(usable_ips
);
933 memwipe(onion_address
, 0, sizeof(onion_address
));
937 /* For this introduction circuit, we'll look at if we have any usable
938 * introduction point left for this service. If so, we'll use the circuit to
939 * re-extend to a new intro point. Else, we'll close the circuit and its
940 * corresponding rendezvous circuit. Return 0 if we are re-extending else -1
941 * if we are closing the circuits.
943 * This is called when getting an INTRODUCE_ACK cell with a NACK. */
945 close_or_reextend_intro_circ(origin_circuit_t
*intro_circ
)
948 const hs_descriptor_t
*desc
;
949 origin_circuit_t
*rend_circ
;
951 tor_assert(intro_circ
);
953 desc
= hs_cache_lookup_as_client(&intro_circ
->hs_ident
->identity_pk
);
954 if (BUG(desc
== NULL
)) {
955 /* We can't continue without a descriptor. */
958 /* We still have the descriptor, great! Let's try to see if we can
959 * re-extend by looking up if there are any usable intro points. */
960 if (!hs_client_any_intro_points_usable(&intro_circ
->hs_ident
->identity_pk
,
964 /* Try to re-extend now. */
965 if (hs_client_reextend_intro_circuit(intro_circ
) < 0) {
968 /* Success on re-extending. Don't return an error. */
973 /* Change the intro circuit purpose before so we don't report an intro point
974 * failure again triggering an extra descriptor fetch. The circuit can
975 * already be closed on failure to re-extend. */
976 if (!TO_CIRCUIT(intro_circ
)->marked_for_close
) {
977 circuit_change_purpose(TO_CIRCUIT(intro_circ
),
978 CIRCUIT_PURPOSE_C_INTRODUCE_ACKED
);
979 circuit_mark_for_close(TO_CIRCUIT(intro_circ
), END_CIRC_REASON_FINISHED
);
981 /* Close the related rendezvous circuit. */
982 rend_circ
= hs_circuitmap_get_rend_circ_client_side(
983 intro_circ
->hs_ident
->rendezvous_cookie
);
984 /* The rendezvous circuit might have collapsed while the INTRODUCE_ACK was
985 * inflight so we can't expect one every time. */
987 circuit_mark_for_close(TO_CIRCUIT(rend_circ
), END_CIRC_REASON_FINISHED
);
994 /* Called when we get an INTRODUCE_ACK success status code. Do the appropriate
995 * actions for the rendezvous point and finally close intro_circ. */
997 handle_introduce_ack_success(origin_circuit_t
*intro_circ
)
999 origin_circuit_t
*rend_circ
= NULL
;
1001 tor_assert(intro_circ
);
1003 log_info(LD_REND
, "Received INTRODUCE_ACK ack! Informing rendezvous");
1005 /* Get the rendezvous circuit for this rendezvous cookie. */
1006 uint8_t *rendezvous_cookie
= intro_circ
->hs_ident
->rendezvous_cookie
;
1008 hs_circuitmap_get_established_rend_circ_client_side(rendezvous_cookie
);
1009 if (rend_circ
== NULL
) {
1010 log_warn(LD_REND
, "Can't find any rendezvous circuit. Stopping");
1014 assert_circ_anonymity_ok(rend_circ
, get_options());
1016 /* It is possible to get a RENDEZVOUS2 cell before the INTRODUCE_ACK which
1017 * means that the circuit will be joined and already transmitting data. In
1018 * that case, simply skip the purpose change and close the intro circuit
1019 * like it should be. */
1020 if (TO_CIRCUIT(rend_circ
)->purpose
== CIRCUIT_PURPOSE_C_REND_JOINED
) {
1023 circuit_change_purpose(TO_CIRCUIT(rend_circ
),
1024 CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED
);
1025 /* Set timestamp_dirty, because circuit_expire_building expects it to
1026 * specify when a circuit entered the
1027 * CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED state. */
1028 TO_CIRCUIT(rend_circ
)->timestamp_dirty
= time(NULL
);
1031 /* We don't need the intro circuit anymore. It did what it had to do! */
1032 circuit_change_purpose(TO_CIRCUIT(intro_circ
),
1033 CIRCUIT_PURPOSE_C_INTRODUCE_ACKED
);
1034 circuit_mark_for_close(TO_CIRCUIT(intro_circ
), END_CIRC_REASON_FINISHED
);
1036 /* XXX: Close pending intro circuits we might have in parallel. */
1040 /* Called when we get an INTRODUCE_ACK failure status code. Depending on our
1041 * failure cache status, either close the circuit or re-extend to a new
1042 * introduction point. */
1044 handle_introduce_ack_bad(origin_circuit_t
*circ
, int status
)
1048 log_info(LD_REND
, "Received INTRODUCE_ACK nack by %s. Reason: %u",
1049 safe_str_client(extend_info_describe(circ
->build_state
->chosen_exit
)),
1052 /* It's a NAK. The introduction point didn't relay our request. */
1053 circuit_change_purpose(TO_CIRCUIT(circ
), CIRCUIT_PURPOSE_C_INTRODUCING
);
1055 /* Note down this failure in the intro point failure cache. Depending on how
1056 * many times we've tried this intro point, close it or reextend. */
1057 hs_cache_client_intro_state_note(&circ
->hs_ident
->identity_pk
,
1058 &circ
->hs_ident
->intro_auth_pk
,
1059 INTRO_POINT_FAILURE_GENERIC
);
1062 /* Called when we get an INTRODUCE_ACK on the intro circuit circ. The encoded
1063 * cell is in payload of length payload_len. Return 0 on success else a
1064 * negative value. The circuit is either close or reuse to re-extend to a new
1065 * introduction point. */
1067 handle_introduce_ack(origin_circuit_t
*circ
, const uint8_t *payload
,
1070 int status
, ret
= -1;
1073 tor_assert(circ
->build_state
);
1074 tor_assert(circ
->build_state
->chosen_exit
);
1075 assert_circ_anonymity_ok(circ
, get_options());
1076 tor_assert(payload
);
1078 status
= hs_cell_parse_introduce_ack(payload
, payload_len
);
1080 case TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS
:
1082 handle_introduce_ack_success(circ
);
1084 case TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID
:
1085 case TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT
:
1086 /* It is possible that the intro point can send us an unknown status code
1087 * for the NACK that we do not know about like a new code for instance.
1088 * Just fallthrough so we can note down the NACK and re-extend. */
1090 handle_introduce_ack_bad(circ
, status
);
1091 /* We are going to see if we have to close the circuits (IP and RP) or we
1092 * can re-extend to a new intro point. */
1093 ret
= close_or_reextend_intro_circ(circ
);
1101 /* Called when we get a RENDEZVOUS2 cell on the rendezvous circuit circ. The
1102 * encoded cell is in payload of length payload_len. Return 0 on success or a
1103 * negative value on error. On error, the circuit is marked for close. */
1105 handle_rendezvous2(origin_circuit_t
*circ
, const uint8_t *payload
,
1109 curve25519_public_key_t server_pk
;
1110 uint8_t auth_mac
[DIGEST256_LEN
] = {0};
1111 uint8_t handshake_info
[CURVE25519_PUBKEY_LEN
+ sizeof(auth_mac
)] = {0};
1112 hs_ntor_rend_cell_keys_t keys
;
1113 const hs_ident_circuit_t
*ident
;
1116 tor_assert(payload
);
1118 /* Make things easier. */
1119 ident
= circ
->hs_ident
;
1122 if (hs_cell_parse_rendezvous2(payload
, payload_len
, handshake_info
,
1123 sizeof(handshake_info
)) < 0) {
1126 /* Get from the handshake info the SERVER_PK and AUTH_MAC. */
1127 memcpy(&server_pk
, handshake_info
, CURVE25519_PUBKEY_LEN
);
1128 memcpy(auth_mac
, handshake_info
+ CURVE25519_PUBKEY_LEN
, sizeof(auth_mac
));
1130 /* Generate the handshake info. */
1131 if (hs_ntor_client_get_rendezvous1_keys(&ident
->intro_auth_pk
,
1132 &ident
->rendezvous_client_kp
,
1133 &ident
->intro_enc_pk
, &server_pk
,
1135 log_info(LD_REND
, "Unable to compute the rendezvous keys.");
1139 /* Critical check, make sure that the MAC matches what we got with what we
1140 * computed just above. */
1141 if (!hs_ntor_client_rendezvous2_mac_is_good(&keys
, auth_mac
)) {
1142 log_info(LD_REND
, "Invalid MAC in RENDEZVOUS2. Rejecting cell.");
1146 /* Setup the e2e encryption on the circuit and finalize its state. */
1147 if (hs_circuit_setup_e2e_rend_circ(circ
, keys
.ntor_key_seed
,
1148 sizeof(keys
.ntor_key_seed
), 0) < 0) {
1149 log_info(LD_REND
, "Unable to setup the e2e encryption.");
1152 /* Success. Hidden service connection finalized! */
1157 circuit_mark_for_close(TO_CIRCUIT(circ
), END_CIRC_REASON_TORPROTOCOL
);
1159 memwipe(&keys
, 0, sizeof(keys
));
1163 /* Return true iff the client can fetch a descriptor for this service public
1164 * identity key and status_out if not NULL is untouched. If the client can
1165 * _not_ fetch the descriptor and if status_out is not NULL, it is set with
1166 * the fetch status code. */
1168 can_client_refetch_desc(const ed25519_public_key_t
*identity_pk
,
1169 hs_client_fetch_status_t
*status_out
)
1171 hs_client_fetch_status_t status
;
1173 tor_assert(identity_pk
);
1175 /* Are we configured to fetch descriptors? */
1176 if (!get_options()->FetchHidServDescriptors
) {
1177 log_warn(LD_REND
, "We received an onion address for a hidden service "
1178 "descriptor but we are configured to not fetch.");
1179 status
= HS_CLIENT_FETCH_NOT_ALLOWED
;
1183 /* Without a live consensus we can't do any client actions. It is needed to
1184 * compute the hashring for a service. */
1185 if (!networkstatus_get_live_consensus(approx_time())) {
1186 log_info(LD_REND
, "Can't fetch descriptor for service %s because we "
1187 "are missing a live consensus. Stalling connection.",
1188 safe_str_client(ed25519_fmt(identity_pk
)));
1189 status
= HS_CLIENT_FETCH_MISSING_INFO
;
1193 if (!router_have_minimum_dir_info()) {
1194 log_info(LD_REND
, "Can't fetch descriptor for service %s because we "
1195 "dont have enough descriptors. Stalling connection.",
1196 safe_str_client(ed25519_fmt(identity_pk
)));
1197 status
= HS_CLIENT_FETCH_MISSING_INFO
;
1201 /* Check if fetching a desc for this HS is useful to us right now */
1203 const hs_descriptor_t
*cached_desc
= NULL
;
1204 cached_desc
= hs_cache_lookup_as_client(identity_pk
);
1205 if (cached_desc
&& hs_client_any_intro_points_usable(identity_pk
,
1207 log_info(LD_GENERAL
, "We would fetch a v3 hidden service descriptor "
1208 "but we already have a usable descriptor.");
1209 status
= HS_CLIENT_FETCH_HAVE_DESC
;
1214 /* Don't try to refetch while we have a pending request for it. */
1215 if (directory_request_is_pending(identity_pk
)) {
1216 log_info(LD_REND
, "Already a pending directory request. Waiting on it.");
1217 status
= HS_CLIENT_FETCH_PENDING
;
1221 /* Yes, client can fetch! */
1225 *status_out
= status
;
1230 /* Return the client auth in the map using the service identity public key.
1231 * Return NULL if it does not exist in the map. */
1232 static hs_client_service_authorization_t
*
1233 find_client_auth(const ed25519_public_key_t
*service_identity_pk
)
1235 /* If the map is not allocated, we can assume that we do not have any client
1236 * auth information. */
1237 if (!client_auths
) {
1240 return digest256map_get(client_auths
, service_identity_pk
->pubkey
);
1247 /** A circuit just finished connecting to a hidden service that the stream
1248 * <b>conn</b> has been waiting for. Let the HS subsystem know about this. */
1250 hs_client_note_connection_attempt_succeeded(const edge_connection_t
*conn
)
1252 tor_assert(connection_edge_is_rendezvous_stream(conn
));
1254 if (BUG(conn
->rend_data
&& conn
->hs_ident
)) {
1255 log_warn(LD_BUG
, "Stream had both rend_data and hs_ident..."
1256 "Prioritizing hs_ident");
1259 if (conn
->hs_ident
) { /* It's v3: pass it to the prop224 handler */
1260 note_connection_attempt_succeeded(conn
->hs_ident
);
1262 } else if (conn
->rend_data
) { /* It's v2: pass it to the legacy handler */
1263 rend_client_note_connection_attempt_ended(conn
->rend_data
);
1268 /* With the given encoded descriptor in desc_str and the service key in
1269 * service_identity_pk, decode the descriptor and set the desc pointer with a
1270 * newly allocated descriptor object.
1272 * Return 0 on success else a negative value and desc is set to NULL. */
1274 hs_client_decode_descriptor(const char *desc_str
,
1275 const ed25519_public_key_t
*service_identity_pk
,
1276 hs_descriptor_t
**desc
)
1279 uint8_t subcredential
[DIGEST256_LEN
];
1280 ed25519_public_key_t blinded_pubkey
;
1281 hs_client_service_authorization_t
*client_auth
= NULL
;
1282 curve25519_secret_key_t
*client_auth_sk
= NULL
;
1284 tor_assert(desc_str
);
1285 tor_assert(service_identity_pk
);
1288 /* Check if we have a client authorization for this service in the map. */
1289 client_auth
= find_client_auth(service_identity_pk
);
1291 client_auth_sk
= &client_auth
->enc_seckey
;
1294 /* Create subcredential for this HS so that we can decrypt */
1296 uint64_t current_time_period
= hs_get_time_period_num(0);
1297 hs_build_blinded_pubkey(service_identity_pk
, NULL
, 0, current_time_period
,
1299 hs_get_subcredential(service_identity_pk
, &blinded_pubkey
, subcredential
);
1302 /* Parse descriptor */
1303 ret
= hs_desc_decode_descriptor(desc_str
, subcredential
,
1304 client_auth_sk
, desc
);
1305 memwipe(subcredential
, 0, sizeof(subcredential
));
1310 /* Make sure the descriptor signing key cross certifies with the computed
1311 * blinded key. Without this validation, anyone knowing the subcredential
1312 * and onion address can forge a descriptor. */
1313 tor_cert_t
*cert
= (*desc
)->plaintext_data
.signing_key_cert
;
1314 if (tor_cert_checksig(cert
,
1315 &blinded_pubkey
, approx_time()) < 0) {
1316 log_warn(LD_GENERAL
, "Descriptor signing key certificate signature "
1317 "doesn't validate with computed blinded key: %s",
1318 tor_cert_describe_signature_status(cert
));
1327 /* Return true iff there are at least one usable intro point in the service
1328 * descriptor desc. */
1330 hs_client_any_intro_points_usable(const ed25519_public_key_t
*service_pk
,
1331 const hs_descriptor_t
*desc
)
1333 tor_assert(service_pk
);
1336 SMARTLIST_FOREACH_BEGIN(desc
->encrypted_data
.intro_points
,
1337 const hs_desc_intro_point_t
*, ip
) {
1338 if (intro_point_is_usable(service_pk
, ip
)) {
1341 } SMARTLIST_FOREACH_END(ip
);
1348 /** Launch a connection to a hidden service directory to fetch a hidden
1349 * service descriptor using <b>identity_pk</b> to get the necessary keys.
1351 * A hs_client_fetch_status_t code is returned. */
1353 hs_client_refetch_hsdesc(const ed25519_public_key_t
*identity_pk
)
1355 hs_client_fetch_status_t status
;
1357 tor_assert(identity_pk
);
1359 if (!can_client_refetch_desc(identity_pk
, &status
)) {
1363 /* Try to fetch the desc and if we encounter an unrecoverable error, mark
1364 * the desc as unavailable for now. */
1365 status
= fetch_v3_desc(identity_pk
);
1366 if (fetch_status_should_close_socks(status
)) {
1367 close_all_socks_conns_waiting_for_desc(identity_pk
, status
,
1368 END_STREAM_REASON_RESOLVEFAILED
);
1369 /* Remove HSDir fetch attempts so that we can retry later if the user
1370 * wants us to regardless of if we closed any connections. */
1371 purge_hid_serv_request(identity_pk
);
1376 /* This is called when we are trying to attach an AP connection to these
1377 * hidden service circuits from connection_ap_handshake_attach_circuit().
1378 * Return 0 on success, -1 for a transient error that is actions were
1379 * triggered to recover or -2 for a permenent error where both circuits will
1382 * The following supports every hidden service version. */
1384 hs_client_send_introduce1(origin_circuit_t
*intro_circ
,
1385 origin_circuit_t
*rend_circ
)
1387 return (intro_circ
->hs_ident
) ? send_introduce1(intro_circ
, rend_circ
) :
1388 rend_client_send_introduction(intro_circ
,
1392 /* Called when the client circuit circ has been established. It can be either
1393 * an introduction or rendezvous circuit. This function handles all hidden
1394 * service versions. */
1396 hs_client_circuit_has_opened(origin_circuit_t
*circ
)
1400 /* Handle both version. v2 uses rend_data and v3 uses the hs circuit
1401 * identifier hs_ident. Can't be both. */
1402 switch (TO_CIRCUIT(circ
)->purpose
) {
1403 case CIRCUIT_PURPOSE_C_INTRODUCING
:
1404 if (circ
->hs_ident
) {
1405 client_intro_circ_has_opened(circ
);
1407 rend_client_introcirc_has_opened(circ
);
1410 case CIRCUIT_PURPOSE_C_ESTABLISH_REND
:
1411 if (circ
->hs_ident
) {
1412 client_rendezvous_circ_has_opened(circ
);
1414 rend_client_rendcirc_has_opened(circ
);
1418 tor_assert_nonfatal_unreached();
1422 /* Called when we receive a RENDEZVOUS_ESTABLISHED cell. Change the state of
1423 * the circuit to CIRCUIT_PURPOSE_C_REND_READY. Return 0 on success else a
1424 * negative value and the circuit marked for close. */
1426 hs_client_receive_rendezvous_acked(origin_circuit_t
*circ
,
1427 const uint8_t *payload
, size_t payload_len
)
1430 tor_assert(payload
);
1434 if (TO_CIRCUIT(circ
)->purpose
!= CIRCUIT_PURPOSE_C_ESTABLISH_REND
) {
1435 log_warn(LD_PROTOCOL
, "Got a RENDEZVOUS_ESTABLISHED but we were not "
1436 "expecting one. Closing circuit.");
1440 log_info(LD_REND
, "Received an RENDEZVOUS_ESTABLISHED. This circuit is "
1441 "now ready for rendezvous.");
1442 circuit_change_purpose(TO_CIRCUIT(circ
), CIRCUIT_PURPOSE_C_REND_READY
);
1444 /* Set timestamp_dirty, because circuit_expire_building expects it to
1445 * specify when a circuit entered the _C_REND_READY state. */
1446 TO_CIRCUIT(circ
)->timestamp_dirty
= time(NULL
);
1448 /* From a path bias point of view, this circuit is now successfully used.
1449 * Waiting any longer opens us up to attacks from malicious hidden services.
1450 * They could induce the client to attempt to connect to their hidden
1451 * service and never reply to the client's rend requests */
1452 pathbias_mark_use_success(circ
);
1454 /* If we already have the introduction circuit built, make sure we send
1455 * the INTRODUCE cell _now_ */
1456 connection_ap_attach_pending(1);
1460 circuit_mark_for_close(TO_CIRCUIT(circ
), END_CIRC_REASON_TORPROTOCOL
);
1464 #define client_service_authorization_free(auth) \
1465 FREE_AND_NULL(hs_client_service_authorization_t, \
1466 client_service_authorization_free_, (auth))
1469 client_service_authorization_free_(hs_client_service_authorization_t
*auth
)
1472 memwipe(auth
, 0, sizeof(*auth
));
1477 /** Helper for digest256map_free. */
1479 client_service_authorization_free_void(void *auth
)
1481 client_service_authorization_free_(auth
);
1485 client_service_authorization_free_all(void)
1487 if (!client_auths
) {
1490 digest256map_free(client_auths
, client_service_authorization_free_void
);
1493 /* Check if the auth key file name is valid or not. Return 1 if valid,
1494 * otherwise return 0. */
1496 auth_key_filename_is_valid(const char *filename
)
1499 const char *valid_extension
= ".auth_private";
1501 tor_assert(filename
);
1503 /* The length of the filename must be greater than the length of the
1504 * extension and the valid extension must be at the end of filename. */
1505 if (!strcmpend(filename
, valid_extension
) &&
1506 strlen(filename
) != strlen(valid_extension
)) {
1515 STATIC hs_client_service_authorization_t
*
1516 parse_auth_file_content(const char *client_key_str
)
1518 char *onion_address
= NULL
;
1519 char *auth_type
= NULL
;
1520 char *key_type
= NULL
;
1521 char *seckey_b32
= NULL
;
1522 hs_client_service_authorization_t
*auth
= NULL
;
1523 smartlist_t
*fields
= smartlist_new();
1525 tor_assert(client_key_str
);
1527 smartlist_split_string(fields
, client_key_str
, ":",
1528 SPLIT_SKIP_SPACE
, 0);
1529 /* Wrong number of fields. */
1530 if (smartlist_len(fields
) != 4) {
1534 onion_address
= smartlist_get(fields
, 0);
1535 auth_type
= smartlist_get(fields
, 1);
1536 key_type
= smartlist_get(fields
, 2);
1537 seckey_b32
= smartlist_get(fields
, 3);
1539 /* Currently, the only supported auth type is "descriptor" and the only
1540 * supported key type is "x25519". */
1541 if (strcmp(auth_type
, "descriptor") || strcmp(key_type
, "x25519")) {
1545 if (strlen(seckey_b32
) != BASE32_NOPAD_LEN(CURVE25519_PUBKEY_LEN
)) {
1546 log_warn(LD_REND
, "Client authorization encoded base32 private key "
1547 "length is invalid: %s", seckey_b32
);
1551 auth
= tor_malloc_zero(sizeof(hs_client_service_authorization_t
));
1552 if (base32_decode((char *) auth
->enc_seckey
.secret_key
,
1553 sizeof(auth
->enc_seckey
.secret_key
),
1554 seckey_b32
, strlen(seckey_b32
)) !=
1555 sizeof(auth
->enc_seckey
.secret_key
)) {
1556 log_warn(LD_REND
, "Client authorization encoded base32 private key "
1557 "can't be decoded: %s", seckey_b32
);
1560 strncpy(auth
->onion_address
, onion_address
, HS_SERVICE_ADDR_LEN_BASE32
);
1566 client_service_authorization_free(auth
);
1568 /* It is also a good idea to wipe the private key. */
1570 memwipe(seckey_b32
, 0, strlen(seckey_b32
));
1573 SMARTLIST_FOREACH(fields
, char *, s
, tor_free(s
));
1574 smartlist_free(fields
);
1578 /* From a set of <b>options</b>, setup every client authorization detail
1579 * found. Return 0 on success or -1 on failure. If <b>validate_only</b>
1580 * is set, parse, warn and return as normal, but don't actually change
1581 * the configuration. */
1583 hs_config_client_authorization(const or_options_t
*options
,
1587 digest256map_t
*auths
= digest256map_new();
1588 char *key_dir
= NULL
;
1589 smartlist_t
*file_list
= NULL
;
1590 char *client_key_str
= NULL
;
1591 char *client_key_file_path
= NULL
;
1593 tor_assert(options
);
1595 /* There is no client auth configured. We can just silently ignore this
1597 if (!options
->ClientOnionAuthDir
) {
1602 key_dir
= tor_strdup(options
->ClientOnionAuthDir
);
1604 /* Make sure the directory exists and is private enough. */
1605 if (check_private_dir(key_dir
, 0, options
->User
) < 0) {
1609 file_list
= tor_listdir(key_dir
);
1610 if (file_list
== NULL
) {
1611 log_warn(LD_REND
, "Client authorization key directory %s can't be listed.",
1616 SMARTLIST_FOREACH_BEGIN(file_list
, char *, filename
) {
1618 hs_client_service_authorization_t
*auth
= NULL
;
1619 ed25519_public_key_t identity_pk
;
1620 log_info(LD_REND
, "Loading a client authorization key file %s...",
1623 if (!auth_key_filename_is_valid(filename
)) {
1624 log_notice(LD_REND
, "Client authorization unrecognized filename %s. "
1625 "File must end in .auth_private. Ignoring.",
1630 /* Create a full path for a file. */
1631 client_key_file_path
= hs_path_from_filename(key_dir
, filename
);
1632 client_key_str
= read_file_to_str(client_key_file_path
, 0, NULL
);
1633 /* Free the file path immediately after using it. */
1634 tor_free(client_key_file_path
);
1636 /* If we cannot read the file, continue with the next file. */
1637 if (!client_key_str
) {
1638 log_warn(LD_REND
, "The file %s cannot be read.", filename
);
1642 auth
= parse_auth_file_content(client_key_str
);
1643 /* Free immediately after using it. */
1644 tor_free(client_key_str
);
1647 /* Parse the onion address to get an identity public key and use it
1648 * as a key of global map in the future. */
1649 if (hs_parse_address(auth
->onion_address
, &identity_pk
,
1651 log_warn(LD_REND
, "The onion address \"%s\" is invalid in "
1652 "file %s", filename
, auth
->onion_address
);
1653 client_service_authorization_free(auth
);
1657 if (digest256map_get(auths
, identity_pk
.pubkey
)) {
1658 log_warn(LD_REND
, "Duplicate authorization for the same hidden "
1659 "service address %s.",
1660 safe_str_client_opts(options
, auth
->onion_address
));
1661 client_service_authorization_free(auth
);
1665 digest256map_set(auths
, identity_pk
.pubkey
, auth
);
1666 log_info(LD_REND
, "Loaded a client authorization key file %s.",
1669 } SMARTLIST_FOREACH_END(filename
);
1676 tor_free(client_key_str
);
1677 tor_free(client_key_file_path
);
1679 SMARTLIST_FOREACH(file_list
, char *, s
, tor_free(s
));
1680 smartlist_free(file_list
);
1683 if (!validate_only
&& ret
== 0) {
1684 client_service_authorization_free_all();
1685 client_auths
= auths
;
1687 digest256map_free(auths
, client_service_authorization_free_void
);
1693 /* This is called when a descriptor has arrived following a fetch request and
1694 * has been stored in the client cache. Every entry connection that matches
1695 * the service identity key in the ident will get attached to the hidden
1696 * service circuit. */
1698 hs_client_desc_has_arrived(const hs_ident_dir_conn_t
*ident
)
1700 time_t now
= time(NULL
);
1701 smartlist_t
*conns
= NULL
;
1705 conns
= connection_list_by_type_state(CONN_TYPE_AP
,
1706 AP_CONN_STATE_RENDDESC_WAIT
);
1707 SMARTLIST_FOREACH_BEGIN(conns
, connection_t
*, base_conn
) {
1708 const hs_descriptor_t
*desc
;
1709 entry_connection_t
*entry_conn
= TO_ENTRY_CONN(base_conn
);
1710 const edge_connection_t
*edge_conn
= ENTRY_TO_EDGE_CONN(entry_conn
);
1712 /* Only consider the entry connections that matches the service for which
1713 * we just fetched its descriptor. */
1714 if (!edge_conn
->hs_ident
||
1715 !ed25519_pubkey_eq(&ident
->identity_pk
,
1716 &edge_conn
->hs_ident
->identity_pk
)) {
1719 assert_connection_ok(base_conn
, now
);
1721 /* We were just called because we stored the descriptor for this service
1722 * so not finding a descriptor means we have a bigger problem. */
1723 desc
= hs_cache_lookup_as_client(&ident
->identity_pk
);
1724 if (BUG(desc
== NULL
)) {
1728 if (!hs_client_any_intro_points_usable(&ident
->identity_pk
, desc
)) {
1729 log_info(LD_REND
, "Hidden service descriptor is unusable. "
1730 "Closing streams.");
1731 connection_mark_unattached_ap(entry_conn
,
1732 END_STREAM_REASON_RESOLVEFAILED
);
1733 /* We are unable to use the descriptor so remove the directory request
1734 * from the cache so the next connection can try again. */
1735 note_connection_attempt_succeeded(edge_conn
->hs_ident
);
1739 log_info(LD_REND
, "Descriptor has arrived. Launching circuits.");
1741 /* Mark connection as waiting for a circuit since we do have a usable
1742 * descriptor now. */
1743 mark_conn_as_waiting_for_circuit(base_conn
, now
);
1744 } SMARTLIST_FOREACH_END(base_conn
);
1747 /* We don't have ownership of the objects in this list. */
1748 smartlist_free(conns
);
1751 /* Return a newly allocated extend_info_t for a randomly chosen introduction
1752 * point for the given edge connection identifier ident. Return NULL if we
1753 * can't pick any usable introduction points. */
1755 hs_client_get_random_intro_from_edge(const edge_connection_t
*edge_conn
)
1757 tor_assert(edge_conn
);
1759 return (edge_conn
->hs_ident
) ?
1760 client_get_random_intro(&edge_conn
->hs_ident
->identity_pk
) :
1761 rend_client_get_random_intro(edge_conn
->rend_data
);
1764 /* Called when get an INTRODUCE_ACK cell on the introduction circuit circ.
1765 * Return 0 on success else a negative value is returned. The circuit will be
1766 * closed or reuse to extend again to another intro point. */
1768 hs_client_receive_introduce_ack(origin_circuit_t
*circ
,
1769 const uint8_t *payload
, size_t payload_len
)
1774 tor_assert(payload
);
1776 if (TO_CIRCUIT(circ
)->purpose
!= CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT
) {
1777 log_warn(LD_PROTOCOL
, "Unexpected INTRODUCE_ACK on circuit %u.",
1778 (unsigned int) TO_CIRCUIT(circ
)->n_circ_id
);
1779 circuit_mark_for_close(TO_CIRCUIT(circ
), END_CIRC_REASON_TORPROTOCOL
);
1783 ret
= (circ
->hs_ident
) ? handle_introduce_ack(circ
, payload
, payload_len
) :
1784 rend_client_introduction_acked(circ
, payload
,
1786 /* For path bias: This circuit was used successfully. NACK or ACK counts. */
1787 pathbias_mark_use_success(circ
);
1793 /* Called when get a RENDEZVOUS2 cell on the rendezvous circuit circ. Return
1794 * 0 on success else a negative value is returned. The circuit will be closed
1797 hs_client_receive_rendezvous2(origin_circuit_t
*circ
,
1798 const uint8_t *payload
, size_t payload_len
)
1803 tor_assert(payload
);
1805 /* Circuit can possibly be in both state because we could receive a
1806 * RENDEZVOUS2 cell before the INTRODUCE_ACK has been received. */
1807 if (TO_CIRCUIT(circ
)->purpose
!= CIRCUIT_PURPOSE_C_REND_READY
&&
1808 TO_CIRCUIT(circ
)->purpose
!= CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED
) {
1809 log_warn(LD_PROTOCOL
, "Unexpected RENDEZVOUS2 cell on circuit %u. "
1811 (unsigned int) TO_CIRCUIT(circ
)->n_circ_id
);
1812 circuit_mark_for_close(TO_CIRCUIT(circ
), END_CIRC_REASON_TORPROTOCOL
);
1816 log_info(LD_REND
, "Got RENDEZVOUS2 cell from hidden service on circuit %u.",
1817 TO_CIRCUIT(circ
)->n_circ_id
);
1819 ret
= (circ
->hs_ident
) ? handle_rendezvous2(circ
, payload
, payload_len
) :
1820 rend_client_receive_rendezvous(circ
, payload
,
1826 /* Extend the introduction circuit circ to another valid introduction point
1827 * for the hidden service it is trying to connect to, or mark it and launch a
1828 * new circuit if we can't extend it. Return 0 on success or possible
1829 * success. Return -1 and mark the introduction circuit for close on permanent
1832 * On failure, the caller is responsible for marking the associated rendezvous
1833 * circuit for close. */
1835 hs_client_reextend_intro_circuit(origin_circuit_t
*circ
)
1842 ei
= (circ
->hs_ident
) ?
1843 client_get_random_intro(&circ
->hs_ident
->identity_pk
) :
1844 rend_client_get_random_intro(circ
->rend_data
);
1846 log_warn(LD_REND
, "No usable introduction points left. Closing.");
1847 circuit_mark_for_close(TO_CIRCUIT(circ
), END_CIRC_REASON_INTERNAL
);
1851 if (circ
->remaining_relay_early_cells
) {
1852 log_info(LD_REND
, "Re-extending circ %u, this time to %s.",
1853 (unsigned int) TO_CIRCUIT(circ
)->n_circ_id
,
1854 safe_str_client(extend_info_describe(ei
)));
1855 ret
= circuit_extend_to_new_exit(circ
, ei
);
1857 /* We were able to extend so update the timestamp so we avoid expiring
1858 * this circuit too early. The intro circuit is short live so the
1859 * linkability issue is minimized, we just need the circuit to hold a
1860 * bit longer so we can introduce. */
1861 TO_CIRCUIT(circ
)->timestamp_dirty
= time(NULL
);
1864 log_info(LD_REND
, "Closing intro circ %u (out of RELAY_EARLY cells).",
1865 (unsigned int) TO_CIRCUIT(circ
)->n_circ_id
);
1866 circuit_mark_for_close(TO_CIRCUIT(circ
), END_CIRC_REASON_FINISHED
);
1867 /* connection_ap_handshake_attach_circuit will launch a new intro circ. */
1872 extend_info_free(ei
);
1876 /* Close all client introduction circuits related to the given descriptor.
1877 * This is called with a descriptor that is about to get replaced in the
1880 * Even though the introduction point might be exactly the same, we'll rebuild
1881 * them if needed but the odds are very low that an existing matching
1882 * introduction circuit exists at that stage. */
1884 hs_client_close_intro_circuits_from_desc(const hs_descriptor_t
*desc
)
1886 origin_circuit_t
*ocirc
= NULL
;
1890 /* We iterate over all client intro circuits because they aren't kept in the
1891 * HS circuitmap. That is probably something we want to do one day. */
1892 while ((ocirc
= circuit_get_next_intro_circ(ocirc
, true))) {
1893 if (ocirc
->hs_ident
== NULL
) {
1894 /* Not a v3 circuit, ignore it. */
1898 /* Does it match any IP in the given descriptor? If not, ignore. */
1899 if (find_desc_intro_point_by_ident(ocirc
->hs_ident
, desc
) == NULL
) {
1903 /* We have a match. Close the circuit as consider it expired. */
1904 circuit_mark_for_close(TO_CIRCUIT(ocirc
), END_CIRC_REASON_FINISHED
);
1908 /* Release all the storage held by the client subsystem. */
1910 hs_client_free_all(void)
1912 /* Purge the hidden service request cache. */
1913 hs_purge_last_hid_serv_requests();
1914 client_service_authorization_free_all();
1917 /* Purge all potentially remotely-detectable state held in the hidden
1918 * service client code. Called on SIGNAL NEWNYM. */
1920 hs_client_purge_state(void)
1923 rend_client_purge_state();
1925 /* Cancel all descriptor fetches. Do this first so once done we are sure
1926 * that our descriptor cache won't modified. */
1927 cancel_descriptor_fetches();
1928 /* Purge the introduction point state cache. */
1929 hs_cache_client_intro_state_purge();
1930 /* Purge the descriptor cache. */
1931 hs_cache_purge_as_client();
1932 /* Purge the last hidden service request cache. */
1933 hs_purge_last_hid_serv_requests();
1935 log_info(LD_REND
, "Hidden service client state has been purged.");
1938 /* Called when our directory information has changed. */
1940 hs_client_dir_info_changed(void)
1942 /* We have possibly reached the minimum directory information or new
1943 * consensus so retry all pending SOCKS connection in
1944 * AP_CONN_STATE_RENDDESC_WAIT state in order to fetch the descriptor. */
1945 retry_all_socks_conn_waiting_for_desc();
1948 #ifdef TOR_UNIT_TESTS
1950 STATIC digest256map_t
*
1951 get_hs_client_auths_map(void)
1953 return client_auths
;
1956 #endif /* defined(TOR_UNIT_TESTS) */