hs-v3: Add ephemeral service support

The functions are now used by the ADD_ONION/DEL_ONION control port command as
well. This commits makes them fully functionnal with hidden service v3.

Part of #20699

Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
David Goulet 2017-11-09 14:28:22 -05:00 committed by Nick Mathewson
parent 5d180309ea
commit f0e3331f3c
4 changed files with 243 additions and 15 deletions

View File

@ -4447,19 +4447,14 @@ add_onion_helper_add_service(int hs_version, void *pk, smartlist_t *port_cfgs,
switch (hs_version) {
case HS_VERSION_TWO:
{
ret = rend_service_add_ephemeral(pk, port_cfgs, max_streams,
max_streams_close_circuit, auth_type,
auth_clients, address_out);
break;
}
case HS_VERSION_THREE:
{
/* XXX: Not implemented yet. */
*address_out = tor_strdup("this is a v3 address");
ret = RSAE_OKAY;
ret = hs_service_add_ephemeral(pk, port_cfgs, max_streams,
max_streams_close_circuit, address_out);
break;
}
default:
tor_assert_unreached();
}
@ -4971,6 +4966,7 @@ handle_control_del_onion(control_connection_t *conn,
uint32_t len,
const char *body)
{
int hs_version = 0;
smartlist_t *args;
(void) len; /* body is nul-terminated; it's safe to ignore the length */
args = getargs_helper("DEL_ONION", conn, body, 1, 1);
@ -4978,7 +4974,11 @@ handle_control_del_onion(control_connection_t *conn,
return 0;
const char *service_id = smartlist_get(args, 0);
if (!rend_valid_v2_service_id(service_id)) {
if (rend_valid_v2_service_id(service_id)) {
hs_version = HS_VERSION_TWO;
} else if (hs_address_is_valid(service_id)) {
hs_version = HS_VERSION_THREE;
} else {
connection_printf_to_buf(conn, "512 Malformed Onion Service id\r\n");
goto out;
}
@ -5005,8 +5005,20 @@ handle_control_del_onion(control_connection_t *conn,
if (onion_services == NULL) {
connection_printf_to_buf(conn, "552 Unknown Onion Service id\r\n");
} else {
int ret = rend_service_del_ephemeral(service_id);
if (ret) {
int ret = -1;
switch (hs_version) {
case HS_VERSION_TWO:
ret = rend_service_del_ephemeral(service_id);
break;
case HS_VERSION_THREE:
ret = hs_service_del_ephemeral(service_id);
break;
default:
/* The ret value will be -1 thus hitting the warning below. This should
* never happen because of the check at the start of the function. */
break;
}
if (ret < 0) {
/* This should *NEVER* fail, since the service is on either the
* per-control connection list, or the global one.
*/
@ -5076,9 +5088,16 @@ connection_control_closed(control_connection_t *conn)
* The list and it's contents are scrubbed/freed in connection_free_.
*/
if (conn->ephemeral_onion_services) {
SMARTLIST_FOREACH(conn->ephemeral_onion_services, char *, cp, {
SMARTLIST_FOREACH_BEGIN(conn->ephemeral_onion_services, char *, cp) {
if (rend_valid_v2_service_id(cp)) {
rend_service_del_ephemeral(cp);
});
} else if (hs_address_is_valid(cp)) {
hs_service_del_ephemeral(cp);
} else {
/* An invalid .onion in our list should NEVER happen */
tor_fragile_assert();
}
} SMARTLIST_FOREACH_END(cp);
}
if (conn->is_owning_control_connection) {

View File

@ -2900,6 +2900,132 @@ service_add_fnames_to_list(const hs_service_t *service, smartlist_t *list)
/* Public API */
/* ========== */
/* Add the ephemeral service using the secret key sk and ports. Both max
* streams parameter will be set in the newly created service.
*
* Ownership of sk and ports is passed to this routine. Regardless of
* success/failure, callers should not touch these values after calling this
* routine, and may assume that correct cleanup has been done on failure.
*
* Return an appropriate hs_service_add_ephemeral_status_t. */
hs_service_add_ephemeral_status_t
hs_service_add_ephemeral(ed25519_secret_key_t *sk, smartlist_t *ports,
int max_streams_per_rdv_circuit,
int max_streams_close_circuit, char **address_out)
{
hs_service_add_ephemeral_status_t ret;
hs_service_t *service = NULL;
tor_assert(sk);
tor_assert(ports);
tor_assert(address_out);
service = hs_service_new(get_options());
/* Setup the service configuration with specifics. A default service is
* HS_VERSION_TWO so explicitely set it. */
service->config.version = HS_VERSION_THREE;
service->config.max_streams_per_rdv_circuit = max_streams_per_rdv_circuit;
service->config.max_streams_close_circuit = !!max_streams_close_circuit;
service->config.is_ephemeral = 1;
smartlist_free(service->config.ports);
service->config.ports = ports;
/* Handle the keys. */
memcpy(&service->keys.identity_sk, sk, sizeof(service->keys.identity_sk));
if (ed25519_public_key_generate(&service->keys.identity_pk,
&service->keys.identity_sk) < 0) {
log_warn(LD_CONFIG, "Unable to generate ed25519 public key"
"for v3 service.");
ret = RSAE_BADPRIVKEY;
goto err;
}
/* Make sure we have at least one port. */
if (smartlist_len(service->config.ports) == 0) {
log_warn(LD_CONFIG, "At least one VIRTPORT/TARGET must be specified "
"for v3 service.");
ret = RSAE_BADVIRTPORT;
goto err;
}
/* The only way the registration can fail is if the service public key
* already exists. */
if (BUG(register_service(hs_service_map, service) < 0)) {
log_warn(LD_CONFIG, "Onion Service private key collides with an "
"existing v3 service.");
ret = RSAE_ADDREXISTS;
goto err;
}
/* Last step is to build the onion address. */
hs_build_address(&service->keys.identity_pk,
(uint8_t) service->config.version,
service->onion_address);
*address_out = tor_strdup(service->onion_address);
log_info(LD_CONFIG, "Added ephemeral v3 onion service: %s",
safe_str_client(service->onion_address));
ret = RSAE_OKAY;
goto end;
err:
hs_service_free(service);
end:
memwipe(sk, 0, sizeof(ed25519_secret_key_t));
tor_free(sk);
return ret;
}
/* For the given onion address, delete the ephemeral service. Return 0 on
* success else -1 on error. */
int
hs_service_del_ephemeral(const char *address)
{
uint8_t version;
ed25519_public_key_t pk;
hs_service_t *service = NULL;
tor_assert(address);
if (hs_parse_address(address, &pk, NULL, &version) < 0) {
log_warn(LD_CONFIG, "Requested malformed v3 onion address for removal.");
goto err;
}
if (version != HS_VERSION_THREE) {
log_warn(LD_CONFIG, "Requested version of onion address for removal "
"is not supported.");
goto err;
}
service = find_service(hs_service_map, &pk);
if (service == NULL) {
log_warn(LD_CONFIG, "Requested non-existent v3 hidden service for "
"removal.");
goto err;
}
if (!service->config.is_ephemeral) {
log_warn(LD_CONFIG, "Requested non-ephemeral v3 hidden service for "
"removal.");
goto err;
}
/* Close circuits, remove from map and finally free. */
close_service_circuits(service);
remove_service(hs_service_map, service);
hs_service_free(service);
log_info(LD_CONFIG, "Removed ephemeral v3 hidden service: %s",
safe_str_client(address));
return 0;
err:
return -1;
}
/* Using the ed25519 public key pk, find a service for that key and return the
* current encoded descriptor as a newly allocated string or NULL if not
* found. This is used by the control port subsystem. */

View File

@ -273,6 +273,12 @@ void hs_service_intro_circ_has_closed(origin_circuit_t *circ);
char *hs_service_lookup_current_desc(const ed25519_public_key_t *pk);
hs_service_add_ephemeral_status_t
hs_service_add_ephemeral(ed25519_secret_key_t *sk, smartlist_t *ports,
int max_streams_per_rdv_circuit,
int max_streams_close_circuit, char **address_out);
int hs_service_del_ephemeral(const char *address);
#ifdef HS_SERVICE_PRIVATE
#ifdef TOR_UNIT_TESTS

View File

@ -14,7 +14,81 @@
#include "test_helpers.h"
static void
test_add_onion_helper_keyarg(void *arg)
test_add_onion_helper_keyarg_v3(void *arg)
{
int ret, hs_version;
void *pk_ptr = NULL;
char *key_new_blob = NULL;
char *err_msg = NULL;
const char *key_new_alg = NULL;
(void) arg;
/* Test explicit ED25519-V3 key generation. */
ret = add_onion_helper_keyarg("NEW:ED25519-V3", 0, &key_new_alg,
&key_new_blob, &pk_ptr, &hs_version,
&err_msg);
tt_int_op(ret, OP_EQ, 0);
tt_int_op(hs_version, OP_EQ, HS_VERSION_THREE);
tt_assert(pk_ptr);
tt_str_op(key_new_alg, OP_EQ, "ED25519-V3");
tt_assert(key_new_blob);
tt_ptr_op(err_msg, OP_EQ, NULL);
tor_free(pk_ptr); pk_ptr = NULL;
tor_free(key_new_blob);
/* Test discarding the private key. */
ret = add_onion_helper_keyarg("NEW:ED25519-V3", 1, &key_new_alg,
&key_new_blob, &pk_ptr, &hs_version,
&err_msg);
tt_int_op(ret, OP_EQ, 0);
tt_int_op(hs_version, OP_EQ, HS_VERSION_THREE);
tt_assert(pk_ptr);
tt_ptr_op(key_new_alg, OP_EQ, NULL);
tt_ptr_op(key_new_blob, OP_EQ, NULL);
tt_ptr_op(err_msg, OP_EQ, NULL);
tor_free(pk_ptr); pk_ptr = NULL;
tor_free(key_new_blob);
/* Test passing a key blob. */
{
/* The base64 key and hex key are the same. Hex key is 64 bytes long. The
* sk has been generated randomly using python3. */
const char *base64_sk =
"a9bT19PqGC9Y+BmOo1IQvCGjjwxMiaaxEXZ+FKMxpEQW"
"6AmSV5roThUGMRCaqQSCnR2jI1vL2QxHORzI4RxMmw==";
const char *hex_sk =
"\x6b\xd6\xd3\xd7\xd3\xea\x18\x2f\x58\xf8\x19\x8e\xa3\x52\x10\xbc"
"\x21\xa3\x8f\x0c\x4c\x89\xa6\xb1\x11\x76\x7e\x14\xa3\x31\xa4\x44"
"\x16\xe8\x09\x92\x57\x9a\xe8\x4e\x15\x06\x31\x10\x9a\xa9\x04\x82"
"\x9d\x1d\xa3\x23\x5b\xcb\xd9\x0c\x47\x39\x1c\xc8\xe1\x1c\x4c\x9b";
char *key_blob = NULL;
tor_asprintf(&key_blob, "ED25519-V3:%s", base64_sk);
tt_assert(key_blob);
ret = add_onion_helper_keyarg(key_blob, 1, &key_new_alg,
&key_new_blob, &pk_ptr, &hs_version,
&err_msg);
tor_free(key_blob);
tt_int_op(ret, OP_EQ, 0);
tt_int_op(hs_version, OP_EQ, HS_VERSION_THREE);
tt_assert(pk_ptr);
tt_mem_op(pk_ptr, OP_EQ, hex_sk, 64);
tt_ptr_op(key_new_alg, OP_EQ, NULL);
tt_ptr_op(key_new_blob, OP_EQ, NULL);
tt_ptr_op(err_msg, OP_EQ, NULL);
tor_free(pk_ptr); pk_ptr = NULL;
tor_free(key_new_blob);
}
done:
tor_free(pk_ptr);
tor_free(key_new_blob);
tor_free(err_msg);
}
static void
test_add_onion_helper_keyarg_v2(void *arg)
{
int ret, hs_version;
void *pk_ptr = NULL;
@ -1386,7 +1460,10 @@ test_download_status_bridge(void *arg)
}
struct testcase_t controller_tests[] = {
{ "add_onion_helper_keyarg", test_add_onion_helper_keyarg, 0, NULL, NULL },
{ "add_onion_helper_keyarg_v2", test_add_onion_helper_keyarg_v2, 0,
NULL, NULL },
{ "add_onion_helper_keyarg_v3", test_add_onion_helper_keyarg_v3, 0,
NULL, NULL },
{ "getinfo_helper_onion", test_getinfo_helper_onion, 0, NULL, NULL },
{ "rend_service_parse_port_config", test_rend_service_parse_port_config, 0,
NULL, NULL },