
/* Copyright (c) 2017-2020, The Tor Project, Inc. */
/* See LICENSE for licensing information */
#define HS_CLIENT_PRIVATE
#include "core/or/or.h"
#include "lib/crypt_ops/crypto_ed25519.h"
#include "test/test.h"
#include "feature/nodelist/torcert.h"
#include "feature/hs/hs_client.h"
#include "feature/hs/hs_common.h"
#include "feature/hs/hs_service.h"
#include "test/hs_test_helpers.h"
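/**
 * Create an introduction point taken straight out of an HSv3 descriptor.
 *
 * Use 'signing_kp' to sign the introduction point certificates. 'now' is the
 * reference time for the authentication key certificate and for the expiry
 * of the legacy cross-certificate.
 *
 * 'addr' is parsed with tor_addr_parse() and must yield an IPv4 or IPv6
 * address; any other result fails the running test.
 *
 * If 'legacy' is non-zero, a legacy RSA key is generated and cross-certified
 * with the signing key.
 *
 * If 'intro_auth_kp' is provided use that as the introduction point
 * authentication keypair, otherwise generate one on the fly.
 *
 * If 'intro_enc_kp' is provided use that as the introduction point encryption
 * keypair, otherwise generate one on the fly.
 *
 * Return the new introduction point, or NULL if any check failed. On failure
 * the partially built object is released together with everything it owns.
 */
hs_desc_intro_point_t *
hs_helper_build_intro_point(const ed25519_keypair_t *signing_kp, time_t now,
                            const char *addr, int legacy,
                            const ed25519_keypair_t *intro_auth_kp,
                            const curve25519_keypair_t *intro_enc_kp)
{
  int ret;
  ed25519_keypair_t auth_kp;
  hs_desc_intro_point_t *intro_point = NULL;
  hs_desc_intro_point_t *ip = hs_desc_intro_point_new();

  /* For a usable intro point we need at least two link specifiers: One legacy
   * keyid and one IP address. */
  {
    tor_addr_t a;
    tor_addr_make_unspec(&a);
    link_specifier_t *ls_legacy = link_specifier_new();
    link_specifier_t *ls_ip = link_specifier_new();

    /* Hand both specifiers to the intro point before anything can fail, so
     * the cleanup at "done" releases them too. The list order (legacy id
     * first, address second) is unchanged. */
    smartlist_add(ip->link_specifiers, ls_legacy);
    smartlist_add(ip->link_specifiers, ls_ip);

    /* The legacy identity is a placeholder: every byte is set to 'C'. */
    link_specifier_set_ls_type(ls_legacy, LS_LEGACY_ID);
    memset(link_specifier_getarray_un_legacy_id(ls_legacy), 'C',
           link_specifier_getlen_un_legacy_id(ls_legacy));

    int family = tor_addr_parse(&a, addr);
    switch (family) {
      case AF_INET:
        link_specifier_set_ls_type(ls_ip, LS_IPV4);
        link_specifier_set_un_ipv4_addr(ls_ip, tor_addr_to_ipv4h(&a));
        link_specifier_set_un_ipv4_port(ls_ip, 9001);
        break;
      case AF_INET6:
        link_specifier_set_ls_type(ls_ip, LS_IPV6);
        memcpy(link_specifier_getarray_un_ipv6_addr(ls_ip),
               tor_addr_to_in6_addr8(&a),
               link_specifier_getlen_un_ipv6_addr(ls_ip));
        link_specifier_set_un_ipv6_port(ls_ip, 9001);
        break;
      default:
        /* Stop the test, not supposed to have an error. AF_INET can never
         * match in this branch, so the check always fails and prints the
         * family that was actually returned. Comparing with -1 would pass
         * silently when tor_addr_parse() itself reports -1. */
        tt_int_op(family, OP_EQ, AF_INET);
    }
  }

  /* Authentication key: only its public half ends up in the certificate. */
  if (intro_auth_kp) {
    memcpy(&auth_kp, intro_auth_kp, sizeof(ed25519_keypair_t));
  } else {
    ret = ed25519_keypair_generate(&auth_kp, 0);
    tt_int_op(ret, OP_EQ, 0);
  }
  ip->auth_key_cert = tor_cert_create_ed25519(signing_kp,
                                              CERT_TYPE_AUTH_HS_IP_KEY,
                                              &auth_kp.pubkey, now,
                                              HS_DESC_CERT_LIFETIME,
                                              CERT_FLAG_INCLUDE_SIGNING_KEY);
  tt_assert(ip->auth_key_cert);

  if (legacy) {
    ip->legacy.key = crypto_pk_new();
    tt_assert(ip->legacy.key);
    ret = crypto_pk_generate_key(ip->legacy.key);
    tt_int_op(ret, OP_EQ, 0);
    ssize_t cert_len = tor_make_rsa_ed25519_crosscert(
                                    &signing_kp->pubkey, ip->legacy.key,
                                    now + HS_DESC_CERT_LIFETIME,
                                    &ip->legacy.cert.encoded);
    tt_assert(ip->legacy.cert.encoded);
    /* cert_len is signed: use the signed comparison so that a negative
     * return value fails here instead of wrapping to a huge unsigned one. */
    tt_int_op(cert_len, OP_GT, 0);
    ip->legacy.cert.len = cert_len;
  }

  /* Encryption key. */
  {
    int signbit;
    curve25519_keypair_t curve25519_kp;
    ed25519_keypair_t ed25519_kp;
    tor_cert_t *cross_cert;

    if (intro_enc_kp) {
      memcpy(&curve25519_kp, intro_enc_kp, sizeof(curve25519_keypair_t));
    } else {
      ret = curve25519_keypair_generate(&curve25519_kp, 0);
      tt_int_op(ret, OP_EQ, 0);
    }
    ed25519_keypair_from_curve25519_keypair(&ed25519_kp, &signbit,
                                            &curve25519_kp);
    /* NOTE(review): this certificate is timestamped with time(NULL) while
     * the authentication key certificate above uses 'now'. Confirm that is
     * intended before relying on it in tests that control the clock. */
    cross_cert = tor_cert_create_ed25519(signing_kp,
                                         CERT_TYPE_CROSS_HS_IP_KEYS,
                                         &ed25519_kp.pubkey, time(NULL),
                                         HS_DESC_CERT_LIFETIME,
                                         CERT_FLAG_INCLUDE_SIGNING_KEY);
    tt_assert(cross_cert);
    ip->enc_key_cert = cross_cert;
    memcpy(ip->enc_key.public_key, curve25519_kp.pubkey.public_key,
           CURVE25519_PUBKEY_LEN);
  }

  intro_point = ip;

 done:
  /* A bare tor_free() would drop only the outer struct and leak the link
   * specifiers, certificates and legacy key attached to it. */
  if (intro_point == NULL)
    hs_desc_intro_point_free(ip);
  return intro_point;
}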
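/* Return a valid hs_descriptor_t object signed with 'signing_kp'. If no_ip
 * is set, no introduction points are added; otherwise four are added (two
 * plain, two with a legacy key).
 *
 * The descriptor carries fixed test values: revision counter 42, a three
 * hour lifetime and a signing key certificate valid for 3600 seconds.
 *
 * Return NULL if any check failed; the partially built descriptor is then
 * released together with everything it owns. */
static hs_descriptor_t *
hs_helper_build_hs_desc_impl(unsigned int no_ip,
                             const ed25519_keypair_t *signing_kp)
{
  /* Address and legacy flag of each introduction point, in list order. */
  static const struct {
    const char *addr;
    int legacy;
  } intro_point_specs[] = {
    { "1.2.3.4", 0 },
    { "[2600::1]", 0 },
    { "3.2.1.4", 1 },
    { "5.6.7.8", 1 },
  };
  int ret;
  int i;
  time_t now = approx_time();
  ed25519_keypair_t blinded_kp;
  curve25519_keypair_t auth_ephemeral_kp;
  hs_descriptor_t *descp = NULL, *desc = tor_malloc_zero(sizeof(*desc));

  desc->plaintext_data.version = HS_DESC_SUPPORTED_FORMAT_VERSION_MAX;

  /* Copy only the public key into the descriptor. */
  memcpy(&desc->plaintext_data.signing_pubkey, &signing_kp->pubkey,
         sizeof(ed25519_public_key_t));

  uint64_t current_time_period = hs_get_time_period_num(0);
  hs_build_blinded_keypair(signing_kp, NULL, 0,
                           current_time_period, &blinded_kp);
  /* Copy only the public key into the descriptor. */
  memcpy(&desc->plaintext_data.blinded_pubkey, &blinded_kp.pubkey,
         sizeof(ed25519_public_key_t));

  desc->plaintext_data.signing_key_cert =
    tor_cert_create_ed25519(&blinded_kp, CERT_TYPE_SIGNING_HS_DESC,
                            &signing_kp->pubkey, now, 3600,
                            CERT_FLAG_INCLUDE_SIGNING_KEY);
  tt_assert(desc->plaintext_data.signing_key_cert);
  desc->plaintext_data.revision_counter = 42;
  desc->plaintext_data.lifetime_sec = 3 * 60 * 60;

  hs_get_subcredential(&signing_kp->pubkey, &blinded_kp.pubkey,
                       &desc->subcredential);

  /* Setup superencrypted data section. */
  ret = curve25519_keypair_generate(&auth_ephemeral_kp, 0);
  tt_int_op(ret, OP_EQ, 0);
  memcpy(&desc->superencrypted_data.auth_ephemeral_pubkey,
         &auth_ephemeral_kp.pubkey,
         sizeof(curve25519_public_key_t));

  desc->superencrypted_data.clients = smartlist_new();
  for (i = 0; i < HS_DESC_AUTH_CLIENT_MULTIPLE; i++) {
    hs_desc_authorized_client_t *desc_client =
      hs_desc_build_fake_authorized_client();
    smartlist_add(desc->superencrypted_data.clients, desc_client);
  }

  /* Setup encrypted data section. */
  desc->encrypted_data.create2_ntor = 1;
  desc->encrypted_data.intro_auth_types = smartlist_new();
  desc->encrypted_data.single_onion_service = 1;
  smartlist_add(desc->encrypted_data.intro_auth_types, tor_strdup("ed25519"));
  desc->encrypted_data.intro_points = smartlist_new();
  if (!no_ip) {
    const size_t n_specs =
      sizeof(intro_point_specs) / sizeof(intro_point_specs[0]);
    for (size_t idx = 0; idx < n_specs; idx++) {
      hs_desc_intro_point_t *ip =
        hs_helper_build_intro_point(signing_kp, now,
                                    intro_point_specs[idx].addr,
                                    intro_point_specs[idx].legacy,
                                    NULL, NULL);
      /* The builder returns NULL on failure; never store that in the list,
       * where later code would dereference it. */
      tt_assert(ip);
      smartlist_add(desc->encrypted_data.intro_points, ip);
    }
  }

  descp = desc;

 done:
  /* A bare tor_free() would leak the certificate, the client list and the
   * introduction points already attached to the descriptor. */
  if (descp == NULL)
    hs_descriptor_free(desc);
  return descp;
}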
/** Derive the HS subcredential from the identity keypair 'signing_kp' of an
 * HS and store it in 'subcred_out'. Used to decrypt descriptors in
 * unittests.
 *
 * The blinded key is built for the time period that contains approx_time().
 * NOTE(review): hs_helper_build_hs_desc_impl() in this file asks for the
 * period with an argument of 0 instead; confirm both always select the same
 * period. */
void
hs_helper_get_subcred_from_identity_keypair(ed25519_keypair_t *signing_kp,
                                            hs_subcredential_t *subcred_out)
{
  ed25519_keypair_t blinded;
  const uint64_t period_num = hs_get_time_period_num(approx_time());

  /* Blind the identity key for that period; only the blinded public key is
   * needed for the subcredential. */
  hs_build_blinded_keypair(signing_kp, NULL, 0, period_num, &blinded);
  hs_get_subcredential(&signing_kp->pubkey, &blinded.pubkey, subcred_out);
}
/* Build a descriptor signed with 'signing_kp' that contains introduction
 * points. Returns whatever the shared builder returns, which is NULL when
 * one of its checks failed. */
hs_descriptor_t *
hs_helper_build_hs_desc_with_ip(const ed25519_keypair_t *signing_kp)
{
  /* Zero means "do not skip": the builder adds its introduction points. */
  const unsigned int no_ip = 0;

  return hs_helper_build_hs_desc_impl(no_ip, signing_kp);
}
/* Build a descriptor signed with 'signing_kp' that has an empty introduction
 * point list. Returns whatever the shared builder returns, which is NULL
 * when one of its checks failed. */
hs_descriptor_t *
hs_helper_build_hs_desc_no_ip(const ed25519_keypair_t *signing_kp)
{
  /* Non-zero tells the builder to leave the introduction point list empty. */
  const unsigned int no_ip = 1;

  return hs_helper_build_hs_desc_impl(no_ip, signing_kp);
}
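/* Build a descriptor with introduction points in which one authorized
 * client entry is real: it is derived from 'descriptor_cookie' and the
 * client public key 'client_pk'. The remaining entries stay the fake ones
 * made by the shared builder.
 *
 * 'descriptor_cookie' is handed unchanged to
 * hs_desc_build_authorized_client(); the length expected there is not
 * visible in this file.
 *
 * A fresh ephemeral curve25519 keypair is generated and its public half
 * replaces the one stored in the descriptor.
 *
 * Return the descriptor, or NULL if building it or generating the ephemeral
 * key failed. */
hs_descriptor_t *
hs_helper_build_hs_desc_with_client_auth(
                              const uint8_t *descriptor_cookie,
                              const curve25519_public_key_t *client_pk,
                              const ed25519_keypair_t *signing_kp)
{
  int ret;
  curve25519_keypair_t auth_ephemeral_kp;
  hs_descriptor_t *result = NULL;
  hs_descriptor_t *desc = hs_helper_build_hs_desc_impl(0, signing_kp);
  hs_desc_authorized_client_t *desc_client;

  /* The builder returns NULL when one of its checks failed. */
  tt_assert(desc);

  /* Generate the ephemeral key first, so a failure leaves nothing half
   * replaced and the secret key used below is never uninitialized. */
  ret = curve25519_keypair_generate(&auth_ephemeral_kp, 0);
  tt_int_op(ret, OP_EQ, 0);

  /* The number of authorized clients has to be a multiple of
   * HS_DESC_AUTH_CLIENT_MULTIPLE so remove one that we'll replace. */
  tt_int_op(smartlist_len(desc->superencrypted_data.clients), OP_GT, 0);
  desc_client = smartlist_get(desc->superencrypted_data.clients, 0);
  smartlist_remove(desc->superencrypted_data.clients, desc_client);
  hs_desc_authorized_client_free(desc_client);

  desc_client = tor_malloc_zero(sizeof(hs_desc_authorized_client_t));

  memcpy(&desc->superencrypted_data.auth_ephemeral_pubkey,
         &auth_ephemeral_kp.pubkey, sizeof(curve25519_public_key_t));

  hs_desc_build_authorized_client(&desc->subcredential, client_pk,
                                  &auth_ephemeral_kp.seckey,
                                  descriptor_cookie, desc_client);
  smartlist_add(desc->superencrypted_data.clients, desc_client);

  result = desc;

 done:
  if (result == NULL)
    hs_descriptor_free(desc);
  return result;
}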
/**
 * Check, with tinytest assertions, that the descriptors 'desc1' and 'desc2'
 * match field by field.
 *
 * The function returns nothing: a mismatch is reported through the tt_*
 * macros, which stop the comparison at the first failing check by jumping
 * to the "done" label. The assertions are left exactly as written because
 * the macros print their operand expressions on failure.
 *
 * Compared: the plaintext section (version, lifetime, signing key
 * certificate, signing and blinded public keys, revision counter), the
 * ephemeral public key and authorized clients of the superencrypted
 * section, and the create2_ntor flag, authentication types and introduction
 * points of the encrypted section.
 *
 * NOTE(review): the subcredential, the single_onion_service flag, each intro
 * point's enc_key_cert and its legacy cross-certificate are not compared
 * here; confirm that is intended before treating a pass as full equality.
 */
void
hs_helper_desc_equal(const hs_descriptor_t *desc1,
const hs_descriptor_t *desc2)
{
/* Plaintext data section. */
tt_int_op(desc1->plaintext_data.version, OP_EQ,
desc2->plaintext_data.version);
tt_uint_op(desc1->plaintext_data.lifetime_sec, OP_EQ,
desc2->plaintext_data.lifetime_sec);
tt_assert(tor_cert_eq(desc1->plaintext_data.signing_key_cert,
desc2->plaintext_data.signing_key_cert));
tt_mem_op(desc1->plaintext_data.signing_pubkey.pubkey, OP_EQ,
desc2->plaintext_data.signing_pubkey.pubkey,
ED25519_PUBKEY_LEN);
tt_mem_op(desc1->plaintext_data.blinded_pubkey.pubkey, OP_EQ,
desc2->plaintext_data.blinded_pubkey.pubkey,
ED25519_PUBKEY_LEN);
tt_u64_op(desc1->plaintext_data.revision_counter, OP_EQ,
desc2->plaintext_data.revision_counter);
/* NOTE: We can't compare the encrypted blob because when encoding the
 * descriptor, the object is immutable thus we don't update it with the
 * encrypted blob. This is in contrast to the decoding process, where we
 * populate a descriptor object. */
/* Superencrypted data section. */
tt_mem_op(desc1->superencrypted_data.auth_ephemeral_pubkey.public_key, OP_EQ,
desc2->superencrypted_data.auth_ephemeral_pubkey.public_key,
CURVE25519_PUBKEY_LEN);
/* Auth clients: both lists must exist, have the same length and hold
 * byte-identical entries at the same positions. */
{
tt_assert(desc1->superencrypted_data.clients);
tt_assert(desc2->superencrypted_data.clients);
tt_int_op(smartlist_len(desc1->superencrypted_data.clients), OP_EQ,
smartlist_len(desc2->superencrypted_data.clients));
for (int i=0;
i < smartlist_len(desc1->superencrypted_data.clients);
i++) {
hs_desc_authorized_client_t
*client1 = smartlist_get(desc1->superencrypted_data.clients, i),
*client2 = smartlist_get(desc2->superencrypted_data.clients, i);
tt_mem_op(client1->client_id, OP_EQ, client2->client_id,
sizeof(client1->client_id));
tt_mem_op(client1->iv, OP_EQ, client2->iv,
sizeof(client1->iv));
tt_mem_op(client1->encrypted_cookie, OP_EQ, client2->encrypted_cookie,
sizeof(client1->encrypted_cookie));
}
}
/* Encrypted data section. */
tt_uint_op(desc1->encrypted_data.create2_ntor, OP_EQ,
desc2->encrypted_data.create2_ntor);
/* Authentication type: the list may be absent, but then it has to be absent
 * on both sides. */
tt_int_op(!!desc1->encrypted_data.intro_auth_types, OP_EQ,
!!desc2->encrypted_data.intro_auth_types);
if (desc1->encrypted_data.intro_auth_types &&
desc2->encrypted_data.intro_auth_types) {
tt_int_op(smartlist_len(desc1->encrypted_data.intro_auth_types), OP_EQ,
smartlist_len(desc2->encrypted_data.intro_auth_types));
for (int i = 0;
i < smartlist_len(desc1->encrypted_data.intro_auth_types);
i++) {
tt_str_op(smartlist_get(desc1->encrypted_data.intro_auth_types, i),OP_EQ,
smartlist_get(desc2->encrypted_data.intro_auth_types, i));
}
}
/* Introduction points: compared pairwise, in list order. */
{
tt_assert(desc1->encrypted_data.intro_points);
tt_assert(desc2->encrypted_data.intro_points);
tt_int_op(smartlist_len(desc1->encrypted_data.intro_points), OP_EQ,
smartlist_len(desc2->encrypted_data.intro_points));
for (int i=0; i < smartlist_len(desc1->encrypted_data.intro_points); i++) {
hs_desc_intro_point_t *ip1 = smartlist_get(desc1->encrypted_data
.intro_points, i),
*ip2 = smartlist_get(desc2->encrypted_data
.intro_points, i);
tt_assert(tor_cert_eq(ip1->auth_key_cert, ip2->auth_key_cert));
/* The branch is chosen from ip1 alone: with a legacy key on ip1 only the
 * legacy keys are compared, and enc_key is checked only when ip1 has none.
 * NOTE(review): confirm that skipping enc_key for legacy intro points is
 * intended. */
if (ip1->legacy.key) {
tt_int_op(crypto_pk_cmp_keys(ip1->legacy.key, ip2->legacy.key),
OP_EQ, 0);
} else {
tt_mem_op(&ip1->enc_key, OP_EQ, &ip2->enc_key, CURVE25519_PUBKEY_LEN);
}
tt_int_op(smartlist_len(ip1->link_specifiers), OP_EQ,
smartlist_len(ip2->link_specifiers));
for (int j = 0; j < smartlist_len(ip1->link_specifiers); j++) {
link_specifier_t *ls1 = smartlist_get(ip1->link_specifiers, j),
*ls2 = smartlist_get(ip2->link_specifiers, j);
/* The types must agree before the per-type payload is read from both. */
tt_int_op(link_specifier_get_ls_type(ls1), OP_EQ,
link_specifier_get_ls_type(ls2));
switch (link_specifier_get_ls_type(ls1)) {
case LS_IPV4:
{
uint32_t addr1 = link_specifier_get_un_ipv4_addr(ls1);
uint32_t addr2 = link_specifier_get_un_ipv4_addr(ls2);
tt_int_op(addr1, OP_EQ, addr2);
uint16_t port1 = link_specifier_get_un_ipv4_port(ls1);
uint16_t port2 = link_specifier_get_un_ipv4_port(ls2);
tt_int_op(port1, OP_EQ, port2);
}
break;
case LS_IPV6:
{
const uint8_t *addr1 =
link_specifier_getconstarray_un_ipv6_addr(ls1);
const uint8_t *addr2 =
link_specifier_getconstarray_un_ipv6_addr(ls2);
/* Lengths are checked first so the memory comparison below uses a length
 * that is valid for both arrays. */
tt_int_op(link_specifier_getlen_un_ipv6_addr(ls1), OP_EQ,
link_specifier_getlen_un_ipv6_addr(ls2));
tt_mem_op(addr1, OP_EQ, addr2,
link_specifier_getlen_un_ipv6_addr(ls1));
uint16_t port1 = link_specifier_get_un_ipv6_port(ls1);
uint16_t port2 = link_specifier_get_un_ipv6_port(ls2);
tt_int_op(port1, OP_EQ, port2);
}
break;
case LS_LEGACY_ID:
{
const uint8_t *id1 =
link_specifier_getconstarray_un_legacy_id(ls1);
const uint8_t *id2 =
link_specifier_getconstarray_un_legacy_id(ls2);
tt_int_op(link_specifier_getlen_un_legacy_id(ls1), OP_EQ,
link_specifier_getlen_un_legacy_id(ls2));
tt_mem_op(id1, OP_EQ, id2,
link_specifier_getlen_un_legacy_id(ls1));
}
break;
default:
/* Unknown type: the comparison with -1 is meant to fail so that the type
 * value gets printed (presumably the type read back is never -1; confirm
 * against the link specifier definition). */
tt_int_op(link_specifier_get_ls_type(ls1), OP_EQ, -1);
}
}
}
}
/* Target of the tt_* macros; there is nothing to release here. */
done:
;
}
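/* Register client authorization for the service 'service_pk' in the global
 * client authorization map, creating the map if it does not exist yet.
 *
 * The new entry holds a copy of the client secret key 'client_sk' and the
 * v3 onion address built from 'service_pk'. The map is keyed by the raw
 * service public key. If an entry was already stored for this service it is
 * replaced and the old one is freed. */
void
hs_helper_add_client_auth(const ed25519_public_key_t *service_pk,
                          const curve25519_secret_key_t *client_sk)
{
  digest256map_t *client_auths = get_hs_client_auths_map();
  if (client_auths == NULL) {
    client_auths = digest256map_new();
    set_hs_client_auths_map(client_auths);
  }

  hs_client_service_authorization_t *auth =
    tor_malloc_zero(sizeof(hs_client_service_authorization_t));

  memcpy(&auth->enc_seckey, client_sk, sizeof(curve25519_secret_key_t));
  hs_build_address(service_pk, HS_VERSION_THREE, auth->onion_address);

  /* digest256map_set() hands back the value previously stored under this
   * key. Dropping it would leak an object that carries a client secret key,
   * so release it through the authorization free function. */
  hs_client_service_authorization_t *replaced =
    digest256map_set(client_auths, service_pk->pubkey, auth);
  if (replaced != NULL)
    client_service_authorization_free(replaced);
}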