hs_client.c 91.6 KB
Newer Older
1
/* Copyright (c) 2016-2020, The Tor Project, Inc. */
2
3
4
/* See LICENSE for licensing information */

/**
5
 * \file hs_client.c
6
7
8
 * \brief Implement next generation hidden service client functionality
 **/

9
10
#define HS_CLIENT_PRIVATE

11
#include "core/or/or.h"
12
13
14
#include "app/config/config.h"
#include "core/crypto/hs_ntor.h"
#include "core/mainloop/connection.h"
15
16
17
18
#include "core/or/circuitbuild.h"
#include "core/or/circuitlist.h"
#include "core/or/circuituse.h"
#include "core/or/connection_edge.h"
19
20
#include "core/or/reasons.h"
#include "feature/client/circpathbias.h"
21
#include "feature/dirclient/dirclient.h"
22
#include "feature/dircommon/directory.h"
23
24
25
26
27
28
29
30
#include "feature/hs/hs_cache.h"
#include "feature/hs/hs_cell.h"
#include "feature/hs/hs_circuit.h"
#include "feature/hs/hs_circuitmap.h"
#include "feature/hs/hs_client.h"
#include "feature/hs/hs_control.h"
#include "feature/hs/hs_descriptor.h"
#include "feature/hs/hs_ident.h"
31
#include "feature/nodelist/describe.h"
32
33
34
#include "feature/nodelist/networkstatus.h"
#include "feature/nodelist/nodelist.h"
#include "feature/nodelist/routerset.h"
35
36
37
38
#include "feature/rend/rendclient.h"
#include "lib/crypt_ops/crypto_format.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
39

40
41
42
43
44
#include "core/or/cpath_build_state_st.h"
#include "feature/dircommon/dir_connection_st.h"
#include "core/or/entry_connection_st.h"
#include "core/or/extend_info_st.h"
#include "core/or/origin_circuit_st.h"
45
#include "core/or/socks_request_st.h"
46

47
/** Client-side authorizations for hidden services; map of service identity
48
49
50
 * public key to hs_client_service_authorization_t *. */
static digest256map_t *client_auths = NULL;

51
52
#include "trunnel/hs/cell_introduce1.h"

53
/** Return a human-readable string for the client fetch status code. */
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
static const char *
fetch_status_to_string(hs_client_fetch_status_t status)
{
  switch (status) {
  case HS_CLIENT_FETCH_ERROR:
    return "Internal error";
  case HS_CLIENT_FETCH_LAUNCHED:
    return "Descriptor fetch launched";
  case HS_CLIENT_FETCH_HAVE_DESC:
    return "Already have descriptor";
  case HS_CLIENT_FETCH_NO_HSDIRS:
    return "No more HSDir available to query";
  case HS_CLIENT_FETCH_NOT_ALLOWED:
    return "Fetching descriptors is not allowed";
  case HS_CLIENT_FETCH_MISSING_INFO:
    return "Missing directory information";
  case HS_CLIENT_FETCH_PENDING:
    return "Pending descriptor fetch";
  default:
    return "(Unknown client fetch status code)";
  }
}

77
/** Return true iff tor should close the SOCKS request(s) for the descriptor
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
 * fetch that ended up with this given status code. */
static int
fetch_status_should_close_socks(hs_client_fetch_status_t status)
{
  switch (status) {
  case HS_CLIENT_FETCH_NO_HSDIRS:
    /* No more HSDir to query, we can't complete the SOCKS request(s). */
  case HS_CLIENT_FETCH_ERROR:
    /* The fetch triggered an internal error. */
  case HS_CLIENT_FETCH_NOT_ALLOWED:
    /* Client is not allowed to fetch (FetchHidServDescriptors 0). */
    goto close;
  case HS_CLIENT_FETCH_MISSING_INFO:
  case HS_CLIENT_FETCH_HAVE_DESC:
  case HS_CLIENT_FETCH_PENDING:
  case HS_CLIENT_FETCH_LAUNCHED:
    /* The rest doesn't require tor to close the SOCKS request(s). */
    goto no_close;
  }

 no_close:
  return 0;
 close:
  return 1;
}
103

104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
/* Return a newly allocated list of all the entry connections that matches the
 * given service identity pk. If service_identity_pk is NULL, all entry
 * connections with an hs_ident are returned.
 *
 * Caller must free the returned list but does NOT have ownership of the
 * object inside thus they have to remain untouched. */
static smartlist_t *
find_entry_conns(const ed25519_public_key_t *service_identity_pk)
{
  time_t now = time(NULL);
  smartlist_t *conns = NULL, *entry_conns = NULL;

  entry_conns = smartlist_new();

  conns = connection_list_by_type_state(CONN_TYPE_AP,
                                        AP_CONN_STATE_RENDDESC_WAIT);
  SMARTLIST_FOREACH_BEGIN(conns, connection_t *, base_conn) {
    entry_connection_t *entry_conn = TO_ENTRY_CONN(base_conn);
    const edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(entry_conn);

    /* Only consider the entry connections that matches the service for which
     * we just fetched its descriptor. */
    if (!edge_conn->hs_ident ||
        (service_identity_pk &&
         !ed25519_pubkey_eq(service_identity_pk,
                            &edge_conn->hs_ident->identity_pk))) {
      continue;
    }
    assert_connection_ok(base_conn, now);

    /* Validated! Add the entry connection to the list. */
    smartlist_add(entry_conns, entry_conn);
  } SMARTLIST_FOREACH_END(base_conn);

  /* We don't have ownership of the objects in this list. */
  smartlist_free(conns);
  return entry_conns;
}

/* Cancel all descriptor fetches currently in progress. */
144
145
146
147
static void
cancel_descriptor_fetches(void)
{
  smartlist_t *conns =
148
    connection_list_by_type_purpose(CONN_TYPE_DIR, DIR_PURPOSE_FETCH_HSDESC);
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
  SMARTLIST_FOREACH_BEGIN(conns, connection_t *, conn) {
    const hs_ident_dir_conn_t *ident = TO_DIR_CONN(conn)->hs_ident;
    if (BUG(ident == NULL)) {
      /* A directory connection fetching a service descriptor can't have an
       * empty hidden service identifier. */
      continue;
    }
    log_debug(LD_REND, "Marking for close a directory connection fetching "
                       "a hidden service descriptor for service %s.",
              safe_str_client(ed25519_fmt(&ident->identity_pk)));
    connection_mark_for_close(conn);
  } SMARTLIST_FOREACH_END(conn);

  /* No ownership of the objects in this list. */
  smartlist_free(conns);
  log_info(LD_REND, "Hidden service client descriptor fetches cancelled.");
}

167
/** Get all connections that are waiting on a circuit and flag them back to
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
 * waiting for a hidden service descriptor for the given service key
 * service_identity_pk. */
static void
flag_all_conn_wait_desc(const ed25519_public_key_t *service_identity_pk)
{
  tor_assert(service_identity_pk);

  smartlist_t *conns =
    connection_list_by_type_state(CONN_TYPE_AP, AP_CONN_STATE_CIRCUIT_WAIT);

  SMARTLIST_FOREACH_BEGIN(conns, connection_t *, conn) {
    edge_connection_t *edge_conn;
    if (BUG(!CONN_IS_EDGE(conn))) {
      continue;
    }
    edge_conn = TO_EDGE_CONN(conn);
    if (edge_conn->hs_ident &&
        ed25519_pubkey_eq(&edge_conn->hs_ident->identity_pk,
                          service_identity_pk)) {
187
      connection_ap_mark_as_waiting_for_renddesc(TO_ENTRY_CONN(conn));
188
189
190
191
192
    }
  } SMARTLIST_FOREACH_END(conn);

  smartlist_free(conns);
}
193

194
/** Remove tracked HSDir requests from our history for this hidden service
195
196
197
198
199
200
201
202
203
204
205
206
207
208
 * identity public key. */
static void
purge_hid_serv_request(const ed25519_public_key_t *identity_pk)
{
  char base64_blinded_pk[ED25519_BASE64_LEN + 1];
  ed25519_public_key_t blinded_pk;

  tor_assert(identity_pk);

  /* Get blinded pubkey of hidden service. It is possible that we just moved
   * to a new time period meaning that we won't be able to purge the request
   * from the previous time period. That is fine because they will expire at
   * some point and we don't care about those anymore. */
  hs_build_blinded_pubkey(identity_pk, NULL, 0,
209
                          hs_get_time_period_num(0), &blinded_pk);
210
  ed25519_public_to_base64(base64_blinded_pk, &blinded_pk);
211
212
213
214
  /* Purge last hidden service request from cache for this blinded key. */
  hs_purge_hid_serv_from_last_hid_serv_requests(base64_blinded_pk);
}

215
/** Return true iff there is at least one pending directory descriptor request
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
 * for the service identity_pk. */
static int
directory_request_is_pending(const ed25519_public_key_t *identity_pk)
{
  int ret = 0;
  smartlist_t *conns =
    connection_list_by_type_purpose(CONN_TYPE_DIR, DIR_PURPOSE_FETCH_HSDESC);

  SMARTLIST_FOREACH_BEGIN(conns, connection_t *, conn) {
    const hs_ident_dir_conn_t *ident = TO_DIR_CONN(conn)->hs_ident;
    if (BUG(ident == NULL)) {
      /* A directory connection fetching a service descriptor can't have an
       * empty hidden service identifier. */
      continue;
    }
    if (!ed25519_pubkey_eq(identity_pk, &ident->identity_pk)) {
      continue;
    }
    ret = 1;
    break;
  } SMARTLIST_FOREACH_END(conn);

  /* No ownership of the objects in this list. */
  smartlist_free(conns);
  return ret;
}

243
/** Helper function that changes the state of an entry connection to waiting
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
 * for a circuit. For this to work properly, the connection timestamps are set
 * to now and the connection is then marked as pending for a circuit. */
static void
mark_conn_as_waiting_for_circuit(connection_t *conn, time_t now)
{
  tor_assert(conn);

  /* Because the connection can now proceed to opening circuit and ultimately
   * connect to the service, reset those timestamp so the connection is
   * considered "fresh" and can continue without being closed too early. */
  conn->timestamp_created = now;
  conn->timestamp_last_read_allowed = now;
  conn->timestamp_last_write_allowed = now;
  /* Change connection's state into waiting for a circuit. */
  conn->state = AP_CONN_STATE_CIRCUIT_WAIT;

  connection_ap_mark_as_pending_circuit(TO_ENTRY_CONN(conn));
}

263
/** We failed to fetch a descriptor for the service with <b>identity_pk</b>
264
265
266
267
268
269
270
271
272
 * because of <b>status</b>. Find all pending SOCKS connections for this
 * service that are waiting on the descriptor and close them with
 * <b>reason</b>. */
static void
close_all_socks_conns_waiting_for_desc(const ed25519_public_key_t *identity_pk,
                                       hs_client_fetch_status_t status,
                                       int reason)
{
  unsigned int count = 0;
273
  smartlist_t *entry_conns = find_entry_conns(identity_pk);
274

275
  SMARTLIST_FOREACH_BEGIN(entry_conns, entry_connection_t *, entry_conn) {
276
277
278
    /* Unattach the entry connection which will close for the reason. */
    connection_mark_unattached_ap(entry_conn, reason);
    count++;
279
  } SMARTLIST_FOREACH_END(entry_conn);
280
281
282
283
284
285
286
287
288
289
290
291

  if (count > 0) {
    char onion_address[HS_SERVICE_ADDR_LEN_BASE32 + 1];
    hs_build_address(identity_pk, HS_VERSION_THREE, onion_address);
    log_notice(LD_REND, "Closed %u streams for service %s.onion "
                        "for reason %s. Fetch status: %s.",
               count, safe_str_client(onion_address),
               stream_end_reason_to_string(reason),
               fetch_status_to_string(status));
  }

  /* No ownership of the object(s) in this list. */
292
  smartlist_free(entry_conns);
293
294
}

295
/** Find all pending SOCKS connection waiting for a descriptor and retry them
296
 * all. This is called when the directory information changed. */
297
STATIC void
298
299
retry_all_socks_conn_waiting_for_desc(void)
{
300
  smartlist_t *entry_conns = find_entry_conns(NULL);
301

302
  SMARTLIST_FOREACH_BEGIN(entry_conns, entry_connection_t *, entry_conn) {
303
    hs_client_fetch_status_t status;
304
305
    edge_connection_t *edge_conn = ENTRY_TO_EDGE_CONN(entry_conn);
    connection_t *base_conn = &edge_conn->base_;
306
307
308
309
310

    /* Ignore non HS or non v3 connection. */
    if (edge_conn->hs_ident == NULL) {
      continue;
    }
311

312
313
    /* In this loop, we will possibly try to fetch a descriptor for the
     * pending connections because we just got more directory information.
314
     * However, the refetch process can cleanup all SOCKS request to the same
315
316
317
318
319
320
321
322
323
324
325
     * service if an internal error happens. Thus, we can end up with closed
     * connections in our list. */
    if (base_conn->marked_for_close) {
      continue;
    }

    /* XXX: There is an optimization we could do which is that for a service
     * key, we could check if we can fetch and remember that decision. */

    /* Order a refetch in case it works this time. */
    status = hs_client_refetch_hsdesc(&edge_conn->hs_ident->identity_pk);
326
327
328
329
330
331
332
333
334
335
336
337
338
    if (status == HS_CLIENT_FETCH_HAVE_DESC) {
      /* This is a rare case where a SOCKS connection is in state waiting for
       * a descriptor but we do have it in the cache.
       *
       * This can happen is tor comes back from suspend where it previously
       * had the descriptor but the intro points were not usuable. Once it
       * came back to life, the intro point failure cache was cleaned up and
       * thus the descriptor became usable again leaving us in this code path.
       *
       * We'll mark the connection as waiting for a circuit so the descriptor
       * can be retried. This is safe because a connection in state waiting
       * for a descriptor can not be in the entry connection pending list. */
      mark_conn_as_waiting_for_circuit(base_conn, approx_time());
339
340
341
342
343
344
      continue;
    }
    /* In the case of an error, either all SOCKS connections have been
     * closed or we are still missing directory information. Leave the
     * connection in renddesc wait state so when we get more info, we'll be
     * able to try it again. */
345
  } SMARTLIST_FOREACH_END(entry_conn);
346
347

  /* We don't have ownership of those objects. */
348
  smartlist_free(entry_conns);
349
350
}

351
/** A v3 HS circuit successfully connected to the hidden service. Update the
352
 * stream state at <b>hs_conn_ident</b> appropriately. */
353
static void
354
note_connection_attempt_succeeded(const hs_ident_edge_conn_t *hs_conn_ident)
355
{
356
357
358
359
360
  tor_assert(hs_conn_ident);

  /* Remove from the hid serv cache all requests for that service so we can
   * query the HSDir again later on for various reasons. */
  purge_hid_serv_request(&hs_conn_ident->identity_pk);
361

362
363
364
365
366
367
368
369
370
  /* The v2 subsystem cleans up the intro point time out flag at this stage.
   * We don't try to do it here because we still need to keep intact the intro
   * point state for future connections. Even though we are able to connect to
   * the service, doesn't mean we should reset the timed out intro points.
   *
   * It is not possible to have successfully connected to an intro point
   * present in our cache that was on error or timed out. Every entry in that
   * cache have a 2 minutes lifetime so ultimately the intro point(s) state
   * will be reset and thus possible to be retried. */
371
372
}

373
/** Given the pubkey of a hidden service in <b>onion_identity_pk</b>, fetch its
374
375
376
 * descriptor by launching a dir connection to <b>hsdir</b>. Return a
 * hs_client_fetch_status_t status code depending on how it went. */
static hs_client_fetch_status_t
377
378
379
directory_launch_v3_desc_fetch(const ed25519_public_key_t *onion_identity_pk,
                               const routerstatus_t *hsdir)
{
380
  uint64_t current_time_period = hs_get_time_period_num(0);
381
382
383
384
385
386
387
388
389
390
391
  ed25519_public_key_t blinded_pubkey;
  char base64_blinded_pubkey[ED25519_BASE64_LEN + 1];
  hs_ident_dir_conn_t hs_conn_dir_ident;

  tor_assert(hsdir);
  tor_assert(onion_identity_pk);

  /* Get blinded pubkey */
  hs_build_blinded_pubkey(onion_identity_pk, NULL, 0,
                          current_time_period, &blinded_pubkey);
  /* ...and base64 it. */
392
  ed25519_public_to_base64(base64_blinded_pubkey, &blinded_pubkey);
393
394

  /* Copy onion pk to a dir_ident so that we attach it to the dir conn */
395
396
  hs_ident_dir_conn_init(onion_identity_pk, &blinded_pubkey,
                         &hs_conn_dir_ident);
397
398
399
400
401
402
403

  /* Setup directory request */
  directory_request_t *req =
    directory_request_new(DIR_PURPOSE_FETCH_HSDESC);
  directory_request_set_routerstatus(req, hsdir);
  directory_request_set_indirection(req, DIRIND_ANONYMOUS);
  directory_request_set_resource(req, base64_blinded_pubkey);
404
  directory_request_fetch_set_hs_ident(req, &hs_conn_dir_ident);
405
406
407
408
409
410
411
412
413
  directory_initiate_request(req);
  directory_request_free(req);

  log_info(LD_REND, "Descriptor fetch request for service %s with blinded "
                    "key %s to directory %s",
           safe_str_client(ed25519_fmt(onion_identity_pk)),
           safe_str_client(base64_blinded_pubkey),
           safe_str_client(routerstatus_describe(hsdir)));

414
415
416
417
  /* Fire a REQUESTED event on the control port. */
  hs_control_desc_event_requested(onion_identity_pk, base64_blinded_pubkey,
                                  hsdir);

418
419
420
421
422
  /* Cleanup memory. */
  memwipe(&blinded_pubkey, 0, sizeof(blinded_pubkey));
  memwipe(base64_blinded_pubkey, 0, sizeof(base64_blinded_pubkey));
  memwipe(&hs_conn_dir_ident, 0, sizeof(hs_conn_dir_ident));

423
  return HS_CLIENT_FETCH_LAUNCHED;
424
425
426
427
}

/** Return the HSDir we should use to fetch the descriptor of the hidden
 *  service with identity key <b>onion_identity_pk</b>. */
428
STATIC routerstatus_t *
429
430
431
pick_hsdir_v3(const ed25519_public_key_t *onion_identity_pk)
{
  char base64_blinded_pubkey[ED25519_BASE64_LEN + 1];
432
  uint64_t current_time_period = hs_get_time_period_num(0);
433
  smartlist_t *responsible_hsdirs = NULL;
434
435
436
437
438
439
440
441
442
  ed25519_public_key_t blinded_pubkey;
  routerstatus_t *hsdir_rs = NULL;

  tor_assert(onion_identity_pk);

  /* Get blinded pubkey of hidden service */
  hs_build_blinded_pubkey(onion_identity_pk, NULL, 0,
                          current_time_period, &blinded_pubkey);
  /* ...and base64 it. */
443
  ed25519_public_to_base64(base64_blinded_pubkey, &blinded_pubkey);
444
445

  /* Get responsible hsdirs of service for this time period */
446
447
  responsible_hsdirs = smartlist_new();

448
  hs_get_responsible_hsdirs(&blinded_pubkey, current_time_period,
449
                            0, 1, responsible_hsdirs);
450
451
452
453
454
455

  log_debug(LD_REND, "Found %d responsible HSDirs and about to pick one.",
           smartlist_len(responsible_hsdirs));

  /* Pick an HSDir from the responsible ones. The ownership of
   * responsible_hsdirs is given to this function so no need to free it. */
456
  hsdir_rs = hs_pick_hsdir(responsible_hsdirs, base64_blinded_pubkey, NULL);
457
458
459
460
461
462

  return hsdir_rs;
}

/** Fetch a v3 descriptor using the given <b>onion_identity_pk</b>.
 *
463
464
 * On success, HS_CLIENT_FETCH_LAUNCHED is returned. Otherwise, an error from
 * hs_client_fetch_status_t is returned. */
465
466
MOCK_IMPL(STATIC hs_client_fetch_status_t,
fetch_v3_desc, (const ed25519_public_key_t *onion_identity_pk))
467
468
469
470
471
472
473
474
{
  routerstatus_t *hsdir_rs =NULL;

  tor_assert(onion_identity_pk);

  hsdir_rs = pick_hsdir_v3(onion_identity_pk);
  if (!hsdir_rs) {
    log_info(LD_REND, "Couldn't pick a v3 hsdir.");
475
    return HS_CLIENT_FETCH_NO_HSDIRS;
476
477
478
479
480
  }

  return directory_launch_v3_desc_fetch(onion_identity_pk, hsdir_rs);
}

481
/** With a given <b>onion_identity_pk</b>, fetch its descriptor. If
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
 * <b>hsdirs</b> is specified, use the directory servers specified in the list.
 * Else, use a random server. */
void
hs_client_launch_v3_desc_fetch(const ed25519_public_key_t *onion_identity_pk,
                               const smartlist_t *hsdirs)
{
  tor_assert(onion_identity_pk);

  if (hsdirs != NULL) {
    SMARTLIST_FOREACH_BEGIN(hsdirs, const routerstatus_t *, hsdir) {
      directory_launch_v3_desc_fetch(onion_identity_pk, hsdir);
    } SMARTLIST_FOREACH_END(hsdir);
  } else {
    fetch_v3_desc(onion_identity_pk);
  }
}

499
/** Make sure that the given v3 origin circuit circ is a valid correct
500
501
502
503
504
 * introduction circuit. This will BUG() on any problems and hard assert if
 * the anonymity of the circuit is not ok. Return 0 on success else -1 where
 * the circuit should be mark for closed immediately. */
static int
intro_circ_is_ok(const origin_circuit_t *circ)
505
{
506
507
  int ret = 0;

508
  tor_assert(circ);
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523

  if (BUG(TO_CIRCUIT(circ)->purpose != CIRCUIT_PURPOSE_C_INTRODUCING &&
          TO_CIRCUIT(circ)->purpose != CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT &&
          TO_CIRCUIT(circ)->purpose != CIRCUIT_PURPOSE_C_INTRODUCE_ACKED)) {
    ret = -1;
  }
  if (BUG(circ->hs_ident == NULL)) {
    ret = -1;
  }
  if (BUG(!hs_ident_intro_circ_is_valid(circ->hs_ident))) {
    ret = -1;
  }

  /* This can stop the tor daemon but we want that since if we don't have
   * anonymity on this circuit, something went really wrong. */
524
  assert_circ_anonymity_ok(circ, get_options());
525
  return ret;
526
}
527

528
/** Find a descriptor intro point object that matches the given ident in the
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
 * given descriptor desc. Return NULL if not found. */
static const hs_desc_intro_point_t *
find_desc_intro_point_by_ident(const hs_ident_circuit_t *ident,
                               const hs_descriptor_t *desc)
{
  const hs_desc_intro_point_t *intro_point = NULL;

  tor_assert(ident);
  tor_assert(desc);

  SMARTLIST_FOREACH_BEGIN(desc->encrypted_data.intro_points,
                          const hs_desc_intro_point_t *, ip) {
    if (ed25519_pubkey_eq(&ident->intro_auth_pk,
                          &ip->auth_key_cert->signed_key)) {
      intro_point = ip;
      break;
    }
  } SMARTLIST_FOREACH_END(ip);

  return intro_point;
}

551
/** Find a descriptor intro point object from the descriptor object desc that
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
 * matches the given legacy identity digest in legacy_id. Return NULL if not
 * found. */
static hs_desc_intro_point_t *
find_desc_intro_point_by_legacy_id(const char *legacy_id,
                                   const hs_descriptor_t *desc)
{
  hs_desc_intro_point_t *ret_ip = NULL;

  tor_assert(legacy_id);
  tor_assert(desc);

  /* We will go over every intro point and try to find which one is linked to
   * that circuit. Those lists are small so it's not that expensive. */
  SMARTLIST_FOREACH_BEGIN(desc->encrypted_data.intro_points,
                          hs_desc_intro_point_t *, ip) {
    SMARTLIST_FOREACH_BEGIN(ip->link_specifiers,
teor's avatar
teor committed
568
                            const link_specifier_t *, lspec) {
569
570
      /* Not all tor node have an ed25519 identity key so we still rely on the
       * legacy identity digest. */
teor's avatar
teor committed
571
      if (link_specifier_get_ls_type(lspec) != LS_LEGACY_ID) {
572
573
        continue;
      }
teor's avatar
teor committed
574
575
576
      if (fast_memneq(legacy_id,
                      link_specifier_getconstarray_un_legacy_id(lspec),
                      DIGEST_LEN)) {
577
578
579
580
581
582
583
584
585
586
587
588
        break;
      }
      /* Found it. */
      ret_ip = ip;
      goto end;
    } SMARTLIST_FOREACH_END(lspec);
  } SMARTLIST_FOREACH_END(ip);

 end:
  return ret_ip;
}

589
/** Send an INTRODUCE1 cell along the intro circuit and populate the rend
590
591
592
593
594
595
596
597
598
599
600
601
602
603
 * circuit identifier with the needed key material for the e2e encryption.
 * Return 0 on success, -1 if there is a transient error such that an action
 * has been taken to recover and -2 if there is a permanent error indicating
 * that both circuits were closed. */
static int
send_introduce1(origin_circuit_t *intro_circ,
                origin_circuit_t *rend_circ)
{
  int status;
  char onion_address[HS_SERVICE_ADDR_LEN_BASE32 + 1];
  const ed25519_public_key_t *service_identity_pk = NULL;
  const hs_desc_intro_point_t *ip;

  tor_assert(rend_circ);
604
605
606
  if (intro_circ_is_ok(intro_circ) < 0) {
    goto perm_err;
  }
607
608
609
610
611
612
613
614
615
616
617
618

  service_identity_pk = &intro_circ->hs_ident->identity_pk;
  /* For logging purposes. There will be a time where the hs_ident will have a
   * version number but for now there is none because it's all v3. */
  hs_build_address(service_identity_pk, HS_VERSION_THREE, onion_address);

  log_info(LD_REND, "Sending INTRODUCE1 cell to service %s on circuit %u",
           safe_str_client(onion_address), TO_CIRCUIT(intro_circ)->n_circ_id);

  /* 1) Get descriptor from our cache. */
  const hs_descriptor_t *desc =
    hs_cache_lookup_as_client(service_identity_pk);
619
620
  if (desc == NULL || !hs_client_any_intro_points_usable(service_identity_pk,
                                                         desc)) {
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
    log_info(LD_REND, "Request to %s %s. Trying to fetch a new descriptor.",
             safe_str_client(onion_address),
             (desc) ? "didn't have usable intro points" :
             "didn't have a descriptor");
    hs_client_refetch_hsdesc(service_identity_pk);
    /* We just triggered a refetch, make sure every connections are back
     * waiting for that descriptor. */
    flag_all_conn_wait_desc(service_identity_pk);
    /* We just asked for a refetch so this is a transient error. */
    goto tran_err;
  }

  /* We need to find which intro point in the descriptor we are connected to
   * on intro_circ. */
  ip = find_desc_intro_point_by_ident(intro_circ->hs_ident, desc);
636
637
638
639
640
641
642
643
  if (ip == NULL) {
    /* The following is possible if the descriptor was changed while we had
     * this introduction circuit open and waiting for the rendezvous circuit to
     * be ready. Which results in this situation where we can't find the
     * corresponding intro point within the descriptor of the service. */
    log_info(LD_REND, "Unable to find introduction point for service %s "
                      "while trying to send an INTRODUCE1 cell.",
             safe_str_client(onion_address));
644
645
646
647
648
    goto perm_err;
  }

  /* Send the INTRODUCE1 cell. */
  if (hs_circ_send_introduce1(intro_circ, rend_circ, ip,
649
                              &desc->subcredential) < 0) {
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
    if (TO_CIRCUIT(intro_circ)->marked_for_close) {
      /* If the introduction circuit was closed, we were unable to send the
       * cell for some reasons. In any case, the intro circuit has to be
       * closed by the above function. We'll return a transient error so tor
       * can recover and pick a new intro point. To avoid picking that same
       * intro point, we'll note down the intro point failure so it doesn't
       * get reused. */
      hs_cache_client_intro_state_note(service_identity_pk,
                                       &intro_circ->hs_ident->intro_auth_pk,
                                       INTRO_POINT_FAILURE_GENERIC);
    }
    /* It is also possible that the rendezvous circuit was closed due to being
     * unable to use the rendezvous point node_t so in that case, we also want
     * to recover and let tor pick a new one. */
    goto tran_err;
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
  }

  /* Cell has been sent successfully. Copy the introduction point
   * authentication and encryption key in the rendezvous circuit identifier so
   * we can compute the ntor keys when we receive the RENDEZVOUS2 cell. */
  memcpy(&rend_circ->hs_ident->intro_enc_pk, &ip->enc_key,
         sizeof(rend_circ->hs_ident->intro_enc_pk));
  ed25519_pubkey_copy(&rend_circ->hs_ident->intro_auth_pk,
                      &intro_circ->hs_ident->intro_auth_pk);

  /* Now, we wait for an ACK or NAK on this circuit. */
  circuit_change_purpose(TO_CIRCUIT(intro_circ),
                         CIRCUIT_PURPOSE_C_INTRODUCE_ACK_WAIT);
  /* Set timestamp_dirty, because circuit_expire_building expects it to
   * specify when a circuit entered the _C_INTRODUCE_ACK_WAIT state. */
  TO_CIRCUIT(intro_circ)->timestamp_dirty = time(NULL);
  pathbias_count_use_attempt(intro_circ);

  /* Success. */
  status = 0;
  goto end;

 perm_err:
  /* Permanent error: it is possible that the intro circuit was closed prior
   * because we weren't able to send the cell. Make sure we don't double close
   * it which would result in a warning. */
  if (!TO_CIRCUIT(intro_circ)->marked_for_close) {
    circuit_mark_for_close(TO_CIRCUIT(intro_circ), END_CIRC_REASON_INTERNAL);
  }
  circuit_mark_for_close(TO_CIRCUIT(rend_circ), END_CIRC_REASON_INTERNAL);
  status = -2;
  goto end;

 tran_err:
  status = -1;

 end:
  memwipe(onion_address, 0, sizeof(onion_address));
  return status;
}

706
/** Using the introduction circuit circ, setup the authentication key of the
707
708
709
710
711
 * intro point this circuit has extended to.
 *
 * Return 0 if everything went well, otherwise return -1 in the case of errors.
 */
static int
712
713
714
setup_intro_circ_auth_key(origin_circuit_t *circ)
{
  const hs_descriptor_t *desc;
715
  const hs_desc_intro_point_t *ip;
716
717
718
719

  tor_assert(circ);

  desc = hs_cache_lookup_as_client(&circ->hs_ident->identity_pk);
720
721
722
723
724
  if (desc == NULL) {
    /* There is a very small race window between the opening of this circuit
     * and the client descriptor cache that gets purged (NEWNYM) or the
     * cleaned up because it expired. Mark the circuit for close so a new
     * descriptor fetch can occur. */
725
    goto err;
726
727
728
729
  }

  /* We will go over every intro point and try to find which one is linked to
   * that circuit. Those lists are small so it's not that expensive. */
730
731
  ip = find_desc_intro_point_by_legacy_id(
                       circ->build_state->chosen_exit->identity_digest, desc);
732
733
734
735
736
  if (!ip) {
    /* Reaching this point means we didn't find any intro point for this
     * circuit which is not supposed to happen. */
    log_info(LD_REND,"Could not match opened intro circuit with intro point.");
    goto err;
737
  }
738

739
740
741
742
743
744
  /* We got it, copy its authentication key to the identifier. */
  ed25519_pubkey_copy(&circ->hs_ident->intro_auth_pk,
                      &ip->auth_key_cert->signed_key);
  return 0;

 err:
745
746
  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
  return -1;
747
748
}

749
/** Called when an introduction circuit has opened. */
750
751
752
753
754
755
756
757
758
759
760
static void
client_intro_circ_has_opened(origin_circuit_t *circ)
{
  tor_assert(circ);
  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_C_INTRODUCING);
  log_info(LD_REND, "Introduction circuit %u has opened. Attaching streams.",
           (unsigned int) TO_CIRCUIT(circ)->n_circ_id);

  /* This is an introduction circuit so we'll attach the correct
   * authentication key to the circuit identifier so it can be identified
   * properly later on. */
761
762
763
  if (setup_intro_circ_auth_key(circ) < 0) {
    return;
  }
764
765
766
767

  connection_ap_attach_pending(1);
}

768
/** Called when a rendezvous circuit has opened. */
769
770
771
772
773
774
static void
client_rendezvous_circ_has_opened(origin_circuit_t *circ)
{
  tor_assert(circ);
  tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_C_ESTABLISH_REND);

775
776
777
778
779
780
  const extend_info_t *rp_ei = circ->build_state->chosen_exit;

  /* Check that we didn't accidentally choose a node that does not understand
   * the v3 rendezvous protocol */
  if (rp_ei) {
    const node_t *rp_node = node_get_by_id(rp_ei->identity_digest);
781
782
783
784
785
786
787
788
789
790
    if (rp_node && !node_supports_v3_rendezvous_point(rp_node)) {
      /* Even tho we checked that this node supported v3 when we created the
         rendezvous circuit, there is a chance that we might think it does
         not support v3 anymore. This might happen if we got a new consensus
         in the meanwhile, where the relay is still listed but its listed
         descriptor digest has changed and hence we can't access its 'ri' or
         'md'. */
      log_info(LD_REND, "Rendezvous node %s did not support v3 after circuit "
               "has opened.", safe_str_client(extend_info_describe(rp_ei)));
      return;
791
792
793
    }
  }

794
  log_info(LD_REND, "Rendezvous circuit has opened to %s.",
795
           safe_str_client(extend_info_describe(rp_ei)));
796

797
798
799
  /* Ignore returned value, nothing we can really do. On failure, the circuit
   * will be marked for close. */
  hs_circ_send_establish_rendezvous(circ);
800
801
802
803
804
805

  /* Register rend circuit in circuitmap if it's still alive. */
  if (!TO_CIRCUIT(circ)->marked_for_close) {
    hs_circuitmap_register_rend_circ_client_side(circ,
                                     circ->hs_ident->rendezvous_cookie);
  }
806
807
}

808
/** This is an helper function that convert a descriptor intro point object ip
809
810
811
 * to a newly allocated extend_info_t object fully initialized. Return NULL if
 * we can't convert it for which chances are that we are missing or malformed
 * link specifiers. */
812
STATIC extend_info_t *
813
814
815
816
817
818
desc_intro_point_to_extend_info(const hs_desc_intro_point_t *ip)
{
  extend_info_t *ei;

  tor_assert(ip);

819
  /* Explicitly put the direct connection option to 0 because this is client
820
   * side and there is no such thing as a non anonymous client. */
teor's avatar
teor committed
821
  ei = hs_get_extend_info_from_lspecs(ip->link_specifiers, &ip->onion_key, 0);
822
823
824
825

  return ei;
}

826
/** Return true iff the intro point ip for the service service_pk is usable.
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
 * This function checks if the intro point is in the client intro state cache
 * and checks at the failures. It is considered usable if:
 *   - No error happened (INTRO_POINT_FAILURE_GENERIC)
 *   - It is not flagged as timed out (INTRO_POINT_FAILURE_TIMEOUT)
 *   - The unreachable count is lower than
 *     MAX_INTRO_POINT_REACHABILITY_FAILURES (INTRO_POINT_FAILURE_UNREACHABLE)
 */
static int
intro_point_is_usable(const ed25519_public_key_t *service_pk,
                      const hs_desc_intro_point_t *ip)
{
  const hs_cache_intro_state_t *state;

  tor_assert(service_pk);
  tor_assert(ip);

  state = hs_cache_client_intro_state_find(service_pk,
                                           &ip->auth_key_cert->signed_key);
  if (state == NULL) {
    /* This means we've never encountered any problem thus usable. */
    goto usable;
  }
  if (state->error) {
    log_info(LD_REND, "Intro point with auth key %s had an error. Not usable",
             safe_str_client(ed25519_fmt(&ip->auth_key_cert->signed_key)));
    goto not_usable;
  }
  if (state->timed_out) {
    log_info(LD_REND, "Intro point with auth key %s timed out. Not usable",
             safe_str_client(ed25519_fmt(&ip->auth_key_cert->signed_key)));
    goto not_usable;
  }
  if (state->unreachable_count >= MAX_INTRO_POINT_REACHABILITY_FAILURES) {
    log_info(LD_REND, "Intro point with auth key %s unreachable. Not usable",
             safe_str_client(ed25519_fmt(&ip->auth_key_cert->signed_key)));
    goto not_usable;
  }

 usable:
  return 1;
 not_usable:
  return 0;
}

871
/** Using a descriptor desc, return a newly allocated extend_info_t object of a
872
873
 * randomly picked introduction point from its list. Return NULL if none are
 * usable. */
874
STATIC extend_info_t *
875
876
877
878
879
880
881
client_get_random_intro(const ed25519_public_key_t *service_pk)
{
  extend_info_t *ei = NULL, *ei_excluded = NULL;
  smartlist_t *usable_ips = NULL;
  const hs_descriptor_t *desc;
  const hs_desc_encrypted_data_t *enc_data;
  const or_options_t *options = get_options();
882
883
  /* Calculate the onion address for logging purposes */
  char onion_address[HS_SERVICE_ADDR_LEN_BASE32 + 1];
884
885
886
887

  tor_assert(service_pk);

  desc = hs_cache_lookup_as_client(service_pk);
888
889
890
891
892
  /* Assume the service is v3 if the descriptor is missing. This is ok,
   * because we only use the address in log messages */
  hs_build_address(service_pk,
                   desc ? desc->plaintext_data.version : HS_VERSION_THREE,
                   onion_address);
893
894
  if (desc == NULL || !hs_client_any_intro_points_usable(service_pk,
                                                         desc)) {
895
    log_info(LD_REND, "Unable to randomly select an introduction point "
896
897
898
899
             "for service %s because descriptor %s. We can't connect.",
             safe_str_client(onion_address),
             (desc) ? "doesn't have any usable intro points"
                    : "is missing (assuming v3 onion address)");
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
    goto end;
  }

  enc_data = &desc->encrypted_data;
  usable_ips = smartlist_new();
  smartlist_add_all(usable_ips, enc_data->intro_points);
  while (smartlist_len(usable_ips) != 0) {
    int idx;
    const hs_desc_intro_point_t *ip;

    /* Pick a random intro point and immediately remove it from the usable
     * list so we don't pick it again if we have to iterate more. */
    idx = crypto_rand_int(smartlist_len(usable_ips));
    ip = smartlist_get(usable_ips, idx);
    smartlist_del(usable_ips, idx);

916
917
918
919
920
921
    /* We need to make sure we have a usable intro points which is in a good
     * state in our cache. */
    if (!intro_point_is_usable(service_pk, ip)) {
      continue;
    }

922
923
924
925
926
    /* Generate an extend info object from the intro point object. */
    ei = desc_intro_point_to_extend_info(ip);
    if (ei == NULL) {
      /* We can get here for instance if the intro point is a private address
       * and we aren't allowed to extend to those. */
927
928
929
930
      log_info(LD_REND, "Unable to select introduction point with auth key %s "
               "for service %s, because we could not extend to it.",
               safe_str_client(ed25519_fmt(&ip->auth_key_cert->signed_key)),
               safe_str_client(onion_address));
931
932
933
934
935
936
937
938
      continue;
    }

    /* Test the pick against ExcludeNodes. */
    if (routerset_contains_extendinfo(options->ExcludeNodes, ei)) {
      /* If this pick is in the ExcludeNodes list, we keep its reference so if
       * we ever end up not being able to pick anything else and StrictNodes is
       * unset, we'll use it. */
939
940
941
942
943
944
      if (ei_excluded) {
        /* If something was already here free it. After the loop is gone we
         * will examine the last excluded intro point, and that's fine since
         * that's random anyway */
        extend_info_free(ei_excluded);
      }
945
946
947
948
949
950
951
952
953
954
955
956
957
958
      ei_excluded = ei;
      continue;
    }

    /* Good pick! Let's go with this. */
    goto end;
  }

  /* Reaching this point means a couple of things. Either we can't use any of
   * the intro point listed because the IP address can't be extended to or it
   * is listed in the ExcludeNodes list. In the later case, if StrictNodes is
   * set, we are forced to not use anything. */
  ei = ei_excluded;
  if (options->StrictNodes) {
959
960
961
    log_warn(LD_REND, "Every introduction point for service %s is in the "
             "ExcludeNodes set and StrictNodes is set. We can't connect.",
             safe_str_client(onion_address));
962
    extend_info_free(ei);
963
    ei = NULL;
964
965
966
967
  } else {
    log_fn(LOG_PROTOCOL_WARN, LD_REND, "Every introduction point for service "
           "%s is unusable or we can't extend to it. We can't connect.",
           safe_str_client(onion_address));
968
969
970
971
  }

 end:
  smartlist_free(usable_ips);
972
  memwipe(onion_address, 0, sizeof(onion_address));
973
974
975
  return ei;
}

976
977
978
979
980
981
982
983
984
/** Return true iff all intro points for the given service have timed out. */
static bool
intro_points_all_timed_out(const ed25519_public_key_t *service_pk)
{
  bool ret = false;

  tor_assert(service_pk);

  const hs_descriptor_t *desc = hs_cache_lookup_as_client(service_pk);
985
986
987
988
989
990
  if (BUG(!desc)) {
    /* We can't introduce without a descriptor so ending up here means somehow
     * between the introduction failure and this, the cache entry was removed
     * which shouldn't be possible in theory. */
    goto end;
  }
991
992
993
994
995
996
997
998
999
1000

  SMARTLIST_FOREACH_BEGIN(desc->encrypted_data.intro_points,
                          const hs_desc_intro_point_t *, ip) {
    const hs_cache_intro_state_t *state =
      hs_cache_client_intro_state_find(service_pk,
                                       &ip->auth_key_cert->signed_key);
    if (!state || !state->timed_out) {
      /* No state or if this intro point has not timed out, we are done since
       * clearly not all of them have timed out. */
      goto end;