From 7456677a50d1c4c9f0f2e6b63259905f694d329a Mon Sep 17 00:00:00 2001
From: George Kadianakis
Date: Wed, 21 Dec 2016 16:07:07 +0200
Subject: [PATCH 1/2] Make outter (plaintext) layer of HS desc conform to prop224.

This basically means changing the 'encrypted' field to 'superencrypted'.
---
 src/or/hs_descriptor.c | 12 ++++++------
 src/or/parsecommon.h | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c
index 37aa1d745e..75ad205890 100644
--- a/src/or/hs_descriptor.c
+++ b/src/or/hs_descriptor.c
@@ -21,7 +21,7 @@
 #define str_hs_desc "hs-descriptor"
 #define str_desc_cert "descriptor-signing-key-cert"
 #define str_rev_counter "revision-counter"
-#define str_encrypted "encrypted"
+#define str_superencrypted "superencrypted"
 #define str_signature "signature"
 #define str_lifetime "descriptor-lifetime"
 /* Constant string value for the encrypted part of the descriptor. */
@@ -35,7 +35,7 @@
 #define str_intro_point_start "\n" str_intro_point " "
 /* Constant string value for the construction to encrypt the encrypted data
  * section. */
-#define str_enc_hsdir_data "hsdir-encrypted-data"
+#define str_enc_hsdir_data "hsdir-superencrypted-data"
 /* Prefix required to compute/verify HS desc signatures */
 #define str_desc_sig_prefix "Tor onion service descriptor sig v3"
 
@@ -56,7 +56,7 @@ static token_rule_t hs_desc_v3_token_table[] = {
   T1(str_lifetime, R3_DESC_LIFETIME, EQ(1), NO_OBJ),
   T1(str_desc_cert, R3_DESC_SIGNING_CERT, NO_ARGS, NEED_OBJ),
   T1(str_rev_counter, R3_REVISION_COUNTER, EQ(1), NO_OBJ),
-  T1(str_encrypted, R3_ENCRYPTED, NO_ARGS, NEED_OBJ),
+  T1(str_superencrypted, R3_SUPERENCRYPTED, NO_ARGS, NEED_OBJ),
   T1_END(str_signature, R3_SIGNATURE, EQ(1), NO_OBJ),
   END_OF_TABLE
 };
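Review bot: In the @@ -35 hunk the comment above `str_enc_hsdir_data` still says "the construction to encrypt the encrypted data section" although the literal it documents is now "hsdir-superencrypted-data"; change it to `/* Constant string value for the construction to encrypt the superencrypted data section. */` so the name, the literal and the comment agree. If that literal is an input to the key derivation for this layer, as "construction to encrypt" suggests, the new value is a wire-format change rather than a cosmetic rename: descriptors produced by the previous code will no longer decrypt under the new code, which is acceptable only while the v3 format is undeployed and is worth one sentence in the commit description.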
@@ -750,7 +750,7 @@ desc_encode_v3(const hs_descriptor_t *desc, char **encoded_out)
                      desc->plaintext_data.revision_counter);
   }
 
-  /* Build the encrypted data section. */
+  /* Build the superencrypted data section. */
   {
     char *enc_b64_blob=NULL;
     if (encode_encrypted_data(desc, &enc_b64_blob) < 0) {
@@ -761,7 +761,7 @@ desc_encode_v3(const hs_descriptor_t *desc, char **encoded_out)
                  "-----BEGIN MESSAGE-----\n"
                  "%s"
                  "-----END MESSAGE-----",
-                 str_encrypted, enc_b64_blob);
+                 str_superencrypted, enc_b64_blob);
     tor_free(enc_b64_blob);
   }
 
@@ -1491,7 +1491,7 @@ desc_decode_plaintext_v3(smartlist_t *tokens,
   }
 
   /* Extract the encrypted data section. */
-  tok = find_by_keyword(tokens, R3_ENCRYPTED);
+  tok = find_by_keyword(tokens, R3_SUPERENCRYPTED);
   tor_assert(tok->object_body);
   if (strcmp(tok->object_type, "MESSAGE") != 0) {
     log_warn(LD_REND, "Service descriptor encrypted data section is invalid");
diff --git a/src/or/parsecommon.h b/src/or/parsecommon.h
index 3019df63eb..15e9f7ae85 100644
--- a/src/or/parsecommon.h
+++ b/src/or/parsecommon.h
@@ -154,7 +154,7 @@ typedef enum {
   R3_DESC_LIFETIME,
   R3_DESC_SIGNING_CERT,
   R3_REVISION_COUNTER,
-  R3_ENCRYPTED,
+  R3_SUPERENCRYPTED,
   R3_SIGNATURE,
   R3_CREATE2_FORMATS,
   R3_AUTHENTICATION_REQUIRED,

From e1d7661412325bb8c81a3a7f4d5cc25efdee5a78 Mon Sep 17 00:00:00 2001
From: George Kadianakis
Date: Fri, 23 Dec 2016 14:48:05 +0200
Subject: [PATCH 2/2] Max HS descriptor size is now 50kb and also consensus param.

---
 src/or/hs_cache.c | 13 +++++++++++++
 src/or/hs_cache.h | 2 ++
 src/or/hs_descriptor.c | 4 +++-
 src/or/hs_descriptor.h | 2 +-
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/or/hs_cache.c b/src/or/hs_cache.c
index b7ff979e5b..6e23a74d68 100644
--- a/src/or/hs_cache.c
+++ b/src/or/hs_cache.c
@@ -15,6 +15,7 @@
 #include "config.h"
 #include "hs_common.h"
 #include "hs_descriptor.h"
+#include "networkstatus.h"
 #include "rendcache.h"
 
 /* Directory descriptor cache. Map indexed by blinded key. */
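Review bot: In the @@ -1491 hunk the lookup now uses R3_SUPERENCRYPTED, but the comment and the warning two lines below it still say "encrypted": `/* Extract the encrypted data section. */` and `"Service descriptor encrypted data section is invalid"`. Since the descriptor also carries an inner encrypted layer, the old wording makes this log line ambiguous when triaging rejected descriptors; rename both to "superencrypted" to match the keyword. desc_decode_plaintext_v3() starts and ends outside the hunk.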
@@ -366,6 +367,18 @@ hs_cache_handle_oom(time_t now, size_t min_remove_bytes)
   return bytes_removed;
 }
 
+/**
+ * Return the maximum size of an HS descriptor we are willing to accept as an
+ * HSDir.
+ */
+unsigned int
+hs_cache_get_max_descriptor_size(void)
+{
+  return (unsigned) networkstatus_get_param(NULL,
+                                            "HSV3MaxDescriptorSize",
+                                            HS_DESC_MAX_LEN, 1, INT32_MAX);
+}
+
 /* Initialize the hidden service cache subsystem. */
 void
 hs_cache_init(void)
diff --git a/src/or/hs_cache.h b/src/or/hs_cache.h
index 01abb8002f..ba95e73338 100644
--- a/src/or/hs_cache.h
+++ b/src/or/hs_cache.h
@@ -44,6 +44,8 @@ void hs_cache_free_all(void);
 void hs_cache_clean_as_dir(time_t now);
 size_t hs_cache_handle_oom(time_t now, size_t min_remove_bytes);
 
+unsigned int hs_cache_get_max_descriptor_size(void);
+
 /* Store and Lookup function. They are version agnostic that is depending on
  * the requested version of the descriptor, it will be re-routed to the
  * right function. */
diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c
index 75ad205890..2e92c89354 100644
--- a/src/or/hs_descriptor.c
+++ b/src/or/hs_descriptor.c
@@ -15,6 +15,7 @@
 #include "ed25519_cert.h" /* Trunnel interface. */
 #include "parsecommon.h"
 #include "rendcache.h"
+#include "hs_cache.h"
 #include "torcert.h" /* tor_cert_encode_ed22519() */
 
 /* Constant string value used for the descriptor format. */
@@ -1700,8 +1701,9 @@ hs_desc_decode_plaintext(const char *encoded,
   tor_assert(encoded);
   tor_assert(plaintext);
 
+  /* Check that descriptor is within size limits. */
   encoded_len = strlen(encoded);
-  if (encoded_len >= HS_DESC_MAX_LEN) {
+  if (encoded_len >= hs_cache_get_max_descriptor_size()) {
     log_warn(LD_REND, "Service descriptor is too big (%lu bytes)",
              (unsigned long) encoded_len);
     goto err;
diff --git a/src/or/hs_descriptor.h b/src/or/hs_descriptor.h
index 083d353860..e0abcea2c4 100644
--- a/src/or/hs_descriptor.h
+++ b/src/or/hs_descriptor.h
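Review bot: The consensus bounds `1` and `INT32_MAX` passed to networkstatus_get_param() in hs_cache_get_max_descriptor_size() are too loose in both directions: a consensus value of 1 makes the `encoded_len >= limit` test in hs_desc_decode_plaintext() reject every descriptor, and INT32_MAX lets the consensus raise the cap to roughly 2 GB, at which point the size check no longer bounds the memory an HSDir commits to a single descriptor. Tighten them to a floor no smaller than the smallest valid descriptor and a ceiling the cache is sized to hold, e.g. `HS_DESC_MAX_LEN, <smallest-valid-descriptor-len>, 10 * HS_DESC_MAX_LEN` (constructed values; pick ones the OOM handler above is calibrated for). The Doxygen comment says "accept as an HSDir", but the only caller in this series is hs_desc_decode_plaintext(), which presumably runs on clients too; if so, say "accept or parse" rather than tying it to the HSDir role.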
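Review bot: The limit in the @@ -1700 hunk is applied only after `strlen(encoded)` on a buffer that has already been fully received, so in hs_desc_decode_plaintext() it bounds parsing, not the bytes an HSDir reads and buffers for one upload; unless the directory-connection layer enforces the same consensus value (not visible in this series), an oversized descriptor still costs its full size in memory before this warning fires. The new comment should also say that the threshold is tunable, e.g. `/* Check that descriptor is within size limits (HSV3MaxDescriptorSize consensus param). */`, so a reader does not assume HS_DESC_MAX_LEN is still the effective bound. Note that hs_descriptor.c now includes hs_cache.h while hs_cache.c already includes hs_descriptor.h (its @@ -15 hunk), so the parser and the cache are mutually dependent; a small accessor in a lower layer would avoid that. hs_desc_decode_plaintext() starts and ends outside the hunk.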
@@ -54,7 +54,7 @@
                                   HS_DESC_ENCRYPTED_SALT_LEN + \
                                   HS_DESC_PLAINTEXT_PADDING_MULTIPLE + DIGEST256_LEN
 /* Maximum length in bytes of a full hidden service descriptor. */
-#define HS_DESC_MAX_LEN 32768 // XXX justify
+#define HS_DESC_MAX_LEN 50000 /* 50kb max size */
 /* The minimum amount of fields a descriptor should contain. The parsing of
  * the fields are version specific so the only required field, as a generic
  * view of a descriptor, is 1 that is the version field. */
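Review bot: The comment `/* 50kb max size */` and the unchanged line above it ("Maximum length in bytes of a full hidden service descriptor") both present HS_DESC_MAX_LEN as the maximum, but after this series it is only the default for the HSV3MaxDescriptorSize consensus parameter read by hs_cache_get_max_descriptor_size(). Replace both with `/* Default maximum length in bytes of a full hidden service descriptor; the effective limit is the HSV3MaxDescriptorSize consensus parameter. */`. The removed "XXX justify" asked for a rationale for the figure; the commit description should give the reasoning behind 50000 so the question does not get lost with the marker.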