| blob | 9ac653c721411f2f6dd8034340835e45bee02e5b |
1 /* Copyright (c) 2016-2017, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file hs_client.c
6 * \brief Implement next generation hidden service client functionality
7 **/
9 #define HS_CLIENT_PRIVATE
37 /* Return a human-readable string for the client fetch status code. */
40 {
58 }
59 }
61 /* Return true iff tor should close the SOCKS request(s) for the descriptor
62 * fetch that ended up with this given status code. */
63 static int
65 {
68 /* No more HSDir to query, we can't complete the SOCKS request(s). */
70 /* The fetch triggered an internal error. */
72 /* Client is not allowed to fetch (FetchHidServDescriptors 0). */
78 /* The rest doesn't require tor to close the SOCKS request(s). */
80 }
82 no_close:
84 close:
86 }
88 /* Cancel all descriptor fetches currently in progress. */
89 static void
91 {
97 /* A directory connection fetching a service descriptor can't have an
98 * empty hidden service identifier. */
100 }
107 /* No ownership of the objects in this list. */
110 }
112 /* Get all connections that are waiting on a circuit and flag them back to
113 * waiting for a hidden service descriptor for the given service key
114 * service_identity_pk. */
115 static void
117 {
127 }
131 service_identity_pk)) {
134 }
138 }
140 /* Remove tracked HSDir requests from our history for this hidden service
141 * identity public key. */
142 static void
144 {
146 ed25519_public_key_t blinded_pk;
150 /* Get blinded pubkey of hidden service. It is possible that we just moved
151 * to a new time period meaning that we won't be able to purge the request
152 * from the previous time period. That is fine because they will expire at
153 * some point and we don't care about those anymore. */
158 }
159 /* Purge last hidden service request from cache for this blinded key. */
161 }
163 /* Return true iff there is at least one pending directory descriptor request
164 * for the service identity_pk. */
165 static int
167 {
175 /* A directory connection fetching a service descriptor can't have an
176 * empty hidden service identifier. */
178 }
181 }
186 /* No ownership of the objects in this list. */
189 }
191 /* We failed to fetch a descriptor for the service with <b>identity_pk</b>
192 * because of <b>status</b>. Find all pending SOCKS connections for this
193 * service that are waiting on the descriptor and close them with
194 * <b>reason</b>. */
195 static void
197 hs_client_fetch_status_t status,
199 {
209 /* Only consider the entry connections that matches the service for which
210 * we tried to get the descriptor */
215 }
217 /* Unattach the entry connection which will close for the reason. */
219 count++;
230 }
232 /* No ownership of the object(s) in this list. */
234 }
236 /* Find all pending SOCKS connection waiting for a descriptor and retry them
237 * all. This is called when the directory information changed. */
238 static void
240 {
245 hs_client_fetch_status_t status;
249 /* Ignore non HS or non v3 connection. */
252 }
253 /* In this loop, we will possibly try to fetch a descriptor for the
254 * pending connections because we just got more directory information.
255 * However, the refetch process can cleanup all SOCKS request so the same
256 * service if an internal error happens. Thus, we can end up with closed
257 * connections in our list. */
260 }
262 /* XXX: There is an optimization we could do which is that for a service
263 * key, we could check if we can fetch and remember that decision. */
265 /* Order a refetch in case it works this time. */
268 /* This case is unique because it can NOT happen in theory. Once we get
269 * a new descriptor, the HS client subsystem is notified immediately and
270 * the connections waiting for it are handled which means the state will
271 * change from renddesc wait state. Log this and continue to next
272 * connection. */
274 }
275 /* In the case of an error, either all SOCKS connections have been
276 * closed or we are still missing directory information. Leave the
277 * connection in renddesc wait state so when we get more info, we'll be
278 * able to try it again. */
281 /* We don't have ownership of those objects. */
283 }
285 /* A v3 HS circuit successfully connected to the hidden service. Update the
286 * stream state at <b>hs_conn_ident</b> appropriately. */
287 static void
289 {
292 /* Remove from the hid serv cache all requests for that service so we can
293 * query the HSDir again later on for various reasons. */
296 /* The v2 subsystem cleans up the intro point time out flag at this stage.
297 * We don't try to do it here because we still need to keep intact the intro
298 * point state for future connections. Even though we are able to connect to
299 * the service, doesn't mean we should reset the timed out intro points.
300 *
301 * It is not possible to have successfully connected to an intro point
302 * present in our cache that was on error or timed out. Every entry in that
303 * cache have a 2 minutes lifetime so ultimately the intro point(s) state
304 * will be reset and thus possible to be retried. */
305 }
307 /* Given the pubkey of a hidden service in <b>onion_identity_pk</b>, fetch its
308 * descriptor by launching a dir connection to <b>hsdir</b>. Return a
309 * hs_client_fetch_status_t status code depending on how it went. */
310 static hs_client_fetch_status_t
313 {
315 ed25519_public_key_t blinded_pubkey;
317 hs_ident_dir_conn_t hs_conn_dir_ident;
323 /* Get blinded pubkey */
326 /* ...and base64 it. */
330 }
332 /* Copy onion pk to a dir_ident so that we attach it to the dir conn */
336 /* Setup directory request */
352 /* Cleanup memory. */
358 }
360 /** Return the HSDir we should use to fetch the descriptor of the hidden
361 * service with identity key <b>onion_identity_pk</b>. */
362 STATIC routerstatus_t *
364 {
369 ed25519_public_key_t blinded_pubkey;
376 /* Get blinded pubkey of hidden service */
379 /* ...and base64 it. */
383 }
385 /* Get responsible hsdirs of service for this time period */
392 /* Pick an HSDir from the responsible ones. The ownership of
393 * responsible_hsdirs is given to this function so no need to free it. */
397 }
399 /** Fetch a v3 descriptor using the given <b>onion_identity_pk</b>.
400 *
401 * On success, HS_CLIENT_FETCH_LAUNCHED is returned. Otherwise, an error from
402 * hs_client_fetch_status_t is returned. */
405 {
414 }
417 }
419 /* Make sure that the given v3 origin circuit circ is a valid correct
420 * introduction circuit. This will BUG() on any problems and hard assert if
421 * the anonymity of the circuit is not ok. Return 0 on success else -1 where
422 * the circuit should be mark for closed immediately. */
423 static int
425 {
434 }
437 }
440 }
442 /* This can stop the tor daemon but we want that since if we don't have
443 * anonymity on this circuit, something went really wrong. */
446 }
448 /* Find a descriptor intro point object that matches the given ident in the
449 * given descriptor desc. Return NULL if not found. */
453 {
465 }
469 }
471 /* Find a descriptor intro point object from the descriptor object desc that
472 * matches the given legacy identity digest in legacy_id. Return NULL if not
473 * found. */
477 {
483 /* We will go over every intro point and try to find which one is linked to
484 * that circuit. Those lists are small so it's not that expensive. */
489 /* Not all tor node have an ed25519 identity key so we still rely on the
490 * legacy identity digest. */
493 }
496 }
497 /* Found it. */
503 end:
505 }
507 /* Send an INTRODUCE1 cell along the intro circuit and populate the rend
508 * circuit identifier with the needed key material for the e2e encryption.
509 * Return 0 on success, -1 if there is a transient error such that an action
510 * has been taken to recover and -2 if there is a permanent error indicating
511 * that both circuits were closed. */
512 static int
515 {
524 }
527 /* For logging purposes. There will be a time where the hs_ident will have a
528 * version number but for now there is none because it's all v3. */
534 /* 1) Get descriptor from our cache. */
538 desc)) {
544 /* We just triggered a refetch, make sure every connections are back
545 * waiting for that descriptor. */
547 /* We just asked for a refetch so this is a transient error. */
549 }
551 /* We need to find which intro point in the descriptor we are connected to
552 * on intro_circ. */
555 /* If we can find a descriptor from this introduction circuit ident, we
556 * must have a valid intro point object. Permanent error. */
558 }
560 /* Send the INTRODUCE1 cell. */
563 /* Unable to send the cell, the intro circuit has been marked for close so
564 * this is a permanent error. */
567 }
569 /* Cell has been sent successfully. Copy the introduction point
570 * authentication and encryption key in the rendezvous circuit identifier so
571 * we can compute the ntor keys when we receive the RENDEZVOUS2 cell. */
577 /* Now, we wait for an ACK or NAK on this circuit. */
579 CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT);
580 /* Set timestamp_dirty, because circuit_expire_building expects it to
581 * specify when a circuit entered the _C_INTRODUCE_ACK_WAIT state. */
585 /* Success. */
589 perm_err:
590 /* Permanent error: it is possible that the intro circuit was closed prior
591 * because we weren't able to send the cell. Make sure we don't double close
592 * it which would result in a warning. */
595 }
600 tran_err:
603 end:
606 }
608 /* Using the introduction circuit circ, setup the authentication key of the
609 * intro point this circuit has extended to. */
610 static void
612 {
620 /* Opening intro circuit without the descriptor is no good... */
622 }
624 /* We will go over every intro point and try to find which one is linked to
625 * that circuit. Those lists are small so it's not that expensive. */
629 /* We got it, copy its authentication key to the identifier. */
633 }
635 /* Reaching this point means we didn't find any intro point for this circuit
636 * which is not suppose to happen. */
639 end:
641 }
643 /* Called when an introduction circuit has opened. */
644 static void
646 {
652 /* This is an introduction circuit so we'll attach the correct
653 * authentication key to the circuit identifier so it can be identified
654 * properly later on. */
658 }
660 /* Called when a rendezvous circuit has opened. */
661 static void
663 {
669 /* Check that we didn't accidentally choose a node that does not understand
670 * the v3 rendezvous protocol */
676 }
677 }
678 }
683 /* Ignore returned value, nothing we can really do. On failure, the circuit
684 * will be marked for close. */
687 /* Register rend circuit in circuitmap if it's still alive. */
691 }
692 }
694 /* This is an helper function that convert a descriptor intro point object ip
695 * to a newly allocated extend_info_t object fully initialized. Return NULL if
696 * we can't convert it for which chances are that we are missing or malformed
697 * link specifiers. */
698 STATIC extend_info_t *
700 {
706 /* We first encode the descriptor link specifiers into the binary
707 * representation which is a trunnel object. */
714 /* Explicitely put the direct connection option to 0 because this is client
715 * side and there is no such thing as a non anonymous client. */
721 }
723 /* Return true iff the intro point ip for the service service_pk is usable.
724 * This function checks if the intro point is in the client intro state cache
725 * and checks at the failures. It is considered usable if:
726 * - No error happened (INTRO_POINT_FAILURE_GENERIC)
727 * - It is not flagged as timed out (INTRO_POINT_FAILURE_TIMEOUT)
728 * - The unreachable count is lower than
729 * MAX_INTRO_POINT_REACHABILITY_FAILURES (INTRO_POINT_FAILURE_UNREACHABLE)
730 */
731 static int
734 {
743 /* This means we've never encountered any problem thus usable. */
745 }
750 }
755 }
760 }
762 usable:
764 not_usable:
766 }
768 /* Using a descriptor desc, return a newly allocated extend_info_t object of a
769 * randomly picked introduction point from its list. Return NULL if none are
770 * usable. */
771 STATIC extend_info_t *
773 {
779 /* Calculate the onion address for logging purposes */
785 /* Assume the service is v3 if the descriptor is missing. This is ok,
786 * because we only use the address in log messages */
789 onion_address);
791 desc)) {
798 }
807 /* Pick a random intro point and immediately remove it from the usable
808 * list so we don't pick it again if we have to iterate more. */
813 /* We need to make sure we have a usable intro points which is in a good
814 * state in our cache. */
817 }
819 /* Generate an extend info object from the intro point object. */
822 /* We can get here for instance if the intro point is a private address
823 * and we aren't allowed to extend to those. */
829 }
831 /* Test the pick against ExcludeNodes. */
833 /* If this pick is in the ExcludeNodes list, we keep its reference so if
834 * we ever end up not being able to pick anything else and StrictNodes is
835 * unset, we'll use it. */
837 /* If something was already here free it. After the loop is gone we
838 * will examine the last excluded intro point, and that's fine since
839 * that's random anyway */
841 }
844 }
846 /* Good pick! Let's go with this. */
848 }
850 /* Reaching this point means a couple of things. Either we can't use any of
851 * the intro point listed because the IP address can't be extended to or it
852 * is listed in the ExcludeNodes list. In the later case, if StrictNodes is
853 * set, we are forced to not use anything. */
865 }
867 end:
871 }
873 /* For this introduction circuit, we'll look at if we have any usable
874 * introduction point left for this service. If so, we'll use the circuit to
875 * re-extend to a new intro point. Else, we'll close the circuit and its
876 * corresponding rendezvous circuit. Return 0 if we are re-extending else -1
877 * if we are closing the circuits.
878 *
879 * This is called when getting an INTRODUCE_ACK cell with a NACK. */
880 static int
882 {
891 /* We can't continue without a descriptor. */
893 }
894 /* We still have the descriptor, great! Let's try to see if we can
895 * re-extend by looking up if there are any usable intro points. */
897 desc)) {
899 }
900 /* Try to re-extend now. */
903 }
904 /* Success on re-extending. Don't return an error. */
908 close:
909 /* Change the intro circuit purpose before so we don't report an intro point
910 * failure again triggering an extra descriptor fetch. The circuit can
911 * already be closed on failure to re-extend. */
914 CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
916 }
917 /* Close the related rendezvous circuit. */
920 /* The rendezvous circuit might have collapsed while the INTRODUCE_ACK was
921 * inflight so we can't expect one every time. */
924 }
926 end:
928 }
930 /* Called when we get an INTRODUCE_ACK success status code. Do the appropriate
931 * actions for the rendezvous point and finally close intro_circ. */
932 static void
934 {
941 /* Get the rendezvous circuit for this rendezvous cookie. */
947 }
951 /* It is possible to get a RENDEZVOUS2 cell before the INTRODUCE_ACK which
952 * means that the circuit will be joined and already transmitting data. In
953 * that case, simply skip the purpose change and close the intro circuit
954 * like it should be. */
957 }
959 CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED);
960 /* Set timestamp_dirty, because circuit_expire_building expects it to
961 * specify when a circuit entered the
962 * CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED state. */
965 end:
966 /* We don't need the intro circuit anymore. It did what it had to do! */
968 CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
971 /* XXX: Close pending intro circuits we might have in parallel. */
973 }
975 /* Called when we get an INTRODUCE_ACK failure status code. Depending on our
976 * failure cache status, either close the circuit or re-extend to a new
977 * introduction point. */
978 static void
980 {
985 status);
987 /* It's a NAK. The introduction point didn't relay our request. */
990 /* Note down this failure in the intro point failure cache. Depending on how
991 * many times we've tried this intro point, close it or reextend. */
994 INTRO_POINT_FAILURE_GENERIC);
995 }
997 /* Called when we get an INTRODUCE_ACK on the intro circuit circ. The encoded
998 * cell is in payload of length payload_len. Return 0 on success else a
999 * negative value. The circuit is either close or reuse to re-extend to a new
1000 * introduction point. */
1001 static int
1004 {
1023 /* We are going to see if we have to close the circuits (IP and RP) or we
1024 * can re-extend to a new intro point. */
1029 status,
1032 }
1034 end:
1036 }
1038 /* Called when we get a RENDEZVOUS2 cell on the rendezvous circuit circ. The
1039 * encoded cell is in payload of length payload_len. Return 0 on success or a
1040 * negative value on error. On error, the circuit is marked for close. */
1041 STATIC int
1044 {
1046 curve25519_public_key_t server_pk;
1049 hs_ntor_rend_cell_keys_t keys;
1055 /* Make things easier. */
1062 }
1063 /* Get from the handshake info the SERVER_PK and AUTH_MAC. */
1067 /* Generate the handshake info. */
1074 }
1076 /* Critical check, make sure that the MAC matches what we got with what we
1077 * computed just above. */
1081 }
1083 /* Setup the e2e encryption on the circuit and finalize its state. */
1088 }
1089 /* Success. Hidden service connection finalized! */
1093 err:
1095 end:
1098 }
1100 /* Return true iff the client can fetch a descriptor for this service public
1101 * identity key and status_out if not NULL is untouched. If the client can
1102 * _not_ fetch the descriptor and if status_out is not NULL, it is set with
1103 * the fetch status code. */
1104 static unsigned int
1107 {
1108 hs_client_fetch_status_t status;
1112 /* Are we configured to fetch descriptors? */
1118 }
1120 /* Without a live consensus we can't do any client actions. It is needed to
1121 * compute the hashring for a service. */
1128 }
1136 }
1138 /* Check if fetching a desc for this HS is useful to us right now */
1139 {
1143 cached_desc)) {
1148 }
1149 }
1151 /* Don't try to refetch while we have a pending request for it. */
1156 }
1158 /* Yes, client can fetch! */
1160 cannot:
1163 }
1165 }
1167 /* ========== */
1168 /* Public API */
1169 /* ========== */
1171 /** A circuit just finished connecting to a hidden service that the stream
1172 * <b>conn</b> has been waiting for. Let the HS subsystem know about this. */
1173 void
1175 {
1181 }
1189 }
1190 }
1192 /* With the given encoded descriptor in desc_str and the service key in
1193 * service_identity_pk, decode the descriptor and set the desc pointer with a
1194 * newly allocated descriptor object.
1195 *
1196 * Return 0 on success else a negative value and desc is set to NULL. */
1197 int
1201 {
1204 ed25519_public_key_t blinded_pubkey;
1210 /* Create subcredential for this HS so that we can decrypt */
1211 {
1216 }
1218 /* Parse descriptor */
1225 }
1227 }
1229 /* Make sure the descriptor signing key cross certifies with the computed
1230 * blinded key. Without this validation, anyone knowing the subcredential
1231 * and onion address can forge a descriptor. */
1237 }
1240 err:
1242 }
1244 /* Return true iff there are at least one usable intro point in the service
1245 * descriptor desc. */
1246 int
1249 {
1257 }
1261 usable:
1263 }
1265 /** Launch a connection to a hidden service directory to fetch a hidden
1266 * service descriptor using <b>identity_pk</b> to get the necessary keys.
1267 *
1268 * A hs_client_fetch_status_t code is returned. */
1269 int
1271 {
1272 hs_client_fetch_status_t status;
1278 }
1280 /* Try to fetch the desc and if we encounter an unrecoverable error, mark
1281 * the desc as unavailable for now. */
1285 END_STREAM_REASON_RESOLVEFAILED);
1286 /* Remove HSDir fetch attempts so that we can retry later if the user
1287 * wants us to regardless of if we closed any connections. */
1289 }
1291 }
1293 /* This is called when we are trying to attach an AP connection to these
1294 * hidden service circuits from connection_ap_handshake_attach_circuit().
1295 * Return 0 on success, -1 for a transient error that is actions were
1296 * triggered to recover or -2 for a permenent error where both circuits will
1297 * marked for close.
1298 *
1299 * The following supports every hidden service version. */
1300 int
1303 {
1306 rend_circ);
1307 }
1309 /* Called when the client circuit circ has been established. It can be either
1310 * an introduction or rendezvous circuit. This function handles all hidden
1311 * service versions. */
1312 void
1314 {
1317 /* Handle both version. v2 uses rend_data and v3 uses the hs circuit
1318 * identifier hs_ident. Can't be both. */
1325 }
1332 }
1336 }
1337 }
1339 /* Called when we receive a RENDEZVOUS_ESTABLISHED cell. Change the state of
1340 * the circuit to CIRCUIT_PURPOSE_C_REND_READY. Return 0 on success else a
1341 * negative value and the circuit marked for close. */
1342 int
1345 {
1355 }
1361 /* Set timestamp_dirty, because circuit_expire_building expects it to
1362 * specify when a circuit entered the _C_REND_READY state. */
1365 /* From a path bias point of view, this circuit is now successfully used.
1366 * Waiting any longer opens us up to attacks from malicious hidden services.
1367 * They could induce the client to attempt to connect to their hidden
1368 * service and never reply to the client's rend requests */
1371 /* If we already have the introduction circuit built, make sure we send
1372 * the INTRODUCE cell _now_ */
1376 err:
1379 }
1381 /* This is called when a descriptor has arrived following a fetch request and
1382 * has been stored in the client cache. Every entry connection that matches
1383 * the service identity key in the ident will get attached to the hidden
1384 * service circuit. */
1385 void
1387 {
1394 AP_CONN_STATE_RENDDESC_WAIT);
1400 /* Only consider the entry connections that matches the service for which
1401 * we just fetched its descriptor. */
1406 }
1409 /* We were just called because we stored the descriptor for this service
1410 * so not finding a descriptor means we have a bigger problem. */
1414 }
1420 END_STREAM_REASON_RESOLVEFAILED);
1421 /* We are unable to use the descriptor so remove the directory request
1422 * from the cache so the next connection can try again. */
1425 }
1429 /* Because the connection can now proceed to opening circuit and
1430 * ultimately connect to the service, reset those timestamp so the
1431 * connection is considered "fresh" and can continue without being closed
1432 * too early. */
1436 /* Change connection's state into waiting for a circuit. */
1442 end:
1443 /* We don't have ownership of the objects in this list. */
1445 }
1447 /* Return a newly allocated extend_info_t for a randomly chosen introduction
1448 * point for the given edge connection identifier ident. Return NULL if we
1449 * can't pick any usable introduction points. */
1450 extend_info_t *
1452 {
1458 }
1459 /* Called when get an INTRODUCE_ACK cell on the introduction circuit circ.
1460 * Return 0 on success else a negative value is returned. The circuit will be
1461 * closed or reuse to extend again to another intro point. */
1462 int
1465 {
1476 }
1480 payload_len);
1481 /* For path bias: This circuit was used successfully. NACK or ACK counts. */
1484 end:
1486 }
1488 /* Called when get a RENDEZVOUS2 cell on the rendezvous circuit circ. Return
1489 * 0 on success else a negative value is returned. The circuit will be closed
1490 * on error. */
1491 int
1494 {
1500 /* Circuit can possibly be in both state because we could receive a
1501 * RENDEZVOUS2 cell before the INTRODUCE_ACK has been received. */
1509 }
1516 payload_len);
1517 end:
1519 }
1521 /* Extend the introduction circuit circ to another valid introduction point
1522 * for the hidden service it is trying to connect to, or mark it and launch a
1523 * new circuit if we can't extend it. Return 0 on success or possible
1524 * success. Return -1 and mark the introduction circuit for close on permanent
1525 * failure.
1526 *
1527 * On failure, the caller is responsible for marking the associated rendezvous
1528 * circuit for close. */
1529 int
1531 {
1544 }
1552 /* We were able to extend so update the timestamp so we avoid expiring
1553 * this circuit too early. The intro circuit is short live so the
1554 * linkability issue is minimized, we just need the circuit to hold a
1555 * bit longer so we can introduce. */
1557 }
1562 /* connection_ap_handshake_attach_circuit will launch a new intro circ. */
1564 }
1566 end:
1569 }
1571 /* Release all the storage held by the client subsystem. */
1572 void
1574 {
1575 /* Purge the hidden service request cache. */
1577 }
1579 /* Purge all potentially remotely-detectable state held in the hidden
1580 * service client code. Called on SIGNAL NEWNYM. */
1581 void
1583 {
1584 /* v2 subsystem. */
1587 /* Cancel all descriptor fetches. Do this first so once done we are sure
1588 * that our descriptor cache won't modified. */
1590 /* Purge the introduction point state cache. */
1592 /* Purge the descriptor cache. */
1594 /* Purge the last hidden service request cache. */
1598 }
1600 /* Called when our directory information has changed. */
1601 void
1603 {
1604 /* We have possibly reached the minimum directory information or new
1605 * consensus so retry all pending SOCKS connection in
1606 * AP_CONN_STATE_RENDDESC_WAIT state in order to fetch the descriptor. */
1608 }