hs_intropoint.c

Go to the documentation of this file.

/* Copyright (c) 2016-2021, The Tor Project, Inc. */
/* See LICENSE for licensing information */
 
/**
 * \file hs_intropoint.c
 * \brief Implement next generation introductions point functionality
 **/
 
#define HS_INTROPOINT_PRIVATE
 
#include "core/or/or.h"
#include "app/config/config.h"
#include "core/or/channel.h"
#include "core/or/circuitlist.h"
#include "core/or/circuituse.h"
#include "core/or/relay.h"
#include "core/or/relay_msg.h"
#include "feature/rend/rendmid.h"
#include "feature/relay/relay_metrics.h"
#include "feature/stats/rephist.h"
#include "lib/crypt_ops/crypto_format.h"
#include "lib/time/compat_time.h"
 
/* Trunnel */
#include "trunnel/ed25519_cert.h"
#include "trunnel/extension.h"
#include "trunnel/hs/cell_establish_intro.h"
#include "trunnel/hs/cell_introduce1.h"
 
#include "feature/hs/hs_circuitmap.h"
#include "feature/hs/hs_common.h"
#include "feature/hs/hs_config.h"
#include "feature/hs/hs_descriptor.h"
#include "feature/hs/hs_dos.h"
#include "feature/hs/hs_intropoint.h"
 
#include "core/or/or_circuit_st.h"
 
/** Extract the authentication key from an ESTABLISH_INTRO or INTRODUCE1 using
 * the given <b>cell_type</b> from <b>cell</b> and place it in
 * <b>auth_key_out</b>. */
STATIC void
get_auth_key_from_cell(ed25519_public_key_t *auth_key_out,
                       unsigned int cell_type, const void *cell)
{
  size_t auth_key_len;
  const uint8_t *key_array;
 
  tor_assert(auth_key_out);
  tor_assert(cell);
 
  switch (cell_type) {
  case RELAY_COMMAND_ESTABLISH_INTRO:
  {
    const trn_cell_establish_intro_t *c_cell = cell;
    key_array = trn_cell_establish_intro_getconstarray_auth_key(c_cell);
    auth_key_len = trn_cell_establish_intro_getlen_auth_key(c_cell);
    break;
  }
  case RELAY_COMMAND_INTRODUCE1:
  {
    const trn_cell_introduce1_t *c_cell = cell;
    key_array = trn_cell_introduce1_getconstarray_auth_key(cell);
    auth_key_len = trn_cell_introduce1_getlen_auth_key(c_cell);
    break;
  }
  default:
    /* Getting here is really bad as it means we got a unknown cell type from
     * this file where every call has an hardcoded value. */
    tor_assert_unreached(); /* LCOV_EXCL_LINE */
  }
  tor_assert(key_array);
  tor_assert(auth_key_len == sizeof(auth_key_out->pubkey));
  memcpy(auth_key_out->pubkey, key_array, auth_key_len);
}
 
/** We received an ESTABLISH_INTRO <b>cell</b>. Verify its signature and MAC,
 *  given <b>circuit_key_material</b>. Return 0 on success else -1 on error. */
STATIC int
verify_establish_intro_cell(const trn_cell_establish_intro_t *cell,
                            const uint8_t *circuit_key_material,
                            size_t circuit_key_material_len)
{
  /* We only reach this function if the first byte of the cell is 0x02 which
   * means that auth_key_type is of ed25519 type, hence this check should
   * always pass. See hs_intro_received_establish_intro().  */
  if (BUG(cell->auth_key_type != TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519)) {
    return -1;
  }
 
  /* Make sure the auth key length is of the right size for this type. For
   * EXTRA safety, we check both the size of the array and the length which
   * must be the same. Safety first!*/
  if (trn_cell_establish_intro_getlen_auth_key(cell) != ED25519_PUBKEY_LEN ||
      trn_cell_establish_intro_get_auth_key_len(cell) != ED25519_PUBKEY_LEN) {
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "ESTABLISH_INTRO auth key length is invalid");
    return -1;
  }
 
  const uint8_t *msg = cell->start_cell;
 
  /* Verify the sig */
  {
    ed25519_signature_t sig_struct;
    const uint8_t *sig_array =
      trn_cell_establish_intro_getconstarray_sig(cell);
 
    /* Make sure the signature length is of the right size. For EXTRA safety,
     * we check both the size of the array and the length which must be the
     * same. Safety first!*/
    if (trn_cell_establish_intro_getlen_sig(cell) != sizeof(sig_struct.sig) ||
        trn_cell_establish_intro_get_sig_len(cell) != sizeof(sig_struct.sig)) {
      log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
             "ESTABLISH_INTRO sig len is invalid");
      return -1;
    }
    /* We are now sure that sig_len is of the right size. */
    memcpy(sig_struct.sig, sig_array, cell->sig_len);
 
    ed25519_public_key_t auth_key;
    get_auth_key_from_cell(&auth_key, RELAY_COMMAND_ESTABLISH_INTRO, cell);
 
    const size_t sig_msg_len = cell->end_sig_fields - msg;
    int sig_mismatch = ed25519_checksig_prefixed(&sig_struct,
                                                 msg, sig_msg_len,
                                                 ESTABLISH_INTRO_SIG_PREFIX,
                                                 &auth_key);
    if (sig_mismatch) {
      log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
             "ESTABLISH_INTRO signature not as expected");
      return -1;
    }
  }
 
  /* Verify the MAC */
  {
    const size_t auth_msg_len = cell->end_mac_fields - msg;
    uint8_t mac[DIGEST256_LEN];
    crypto_mac_sha3_256(mac, sizeof(mac),
                        circuit_key_material, circuit_key_material_len,
                        msg, auth_msg_len);
    if (tor_memneq(mac, cell->handshake_mac, sizeof(mac))) {
      log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
             "ESTABLISH_INTRO handshake_auth not as expected");
      return -1;
    }
  }
 
  return 0;
}
 
/** Send an INTRO_ESTABLISHED cell to <b>circ</b>. */
MOCK_IMPL(int,
hs_intro_send_intro_established_cell,(or_circuit_t *circ))
{
  int ret;
  uint8_t *encoded_cell = NULL;
  ssize_t encoded_len, result_len;
  trn_cell_intro_established_t *cell;
  trn_extension_t *ext;
 
  tor_assert(circ);
 
  /* Build the cell payload. */
  cell = trn_cell_intro_established_new();
  ext = trn_extension_new();
  trn_extension_set_num(ext, 0);
  trn_cell_intro_established_set_extensions(cell, ext);
  /* Encode the cell to binary format. */
  encoded_len = trn_cell_intro_established_encoded_len(cell);
  tor_assert(encoded_len > 0);
  encoded_cell = tor_malloc_zero(encoded_len);
  result_len = trn_cell_intro_established_encode(encoded_cell, encoded_len,
                                                cell);
  tor_assert(encoded_len == result_len);
 
  ret = relay_send_command_from_edge(0, TO_CIRCUIT(circ),
                                     RELAY_COMMAND_INTRO_ESTABLISHED,
                                     (char *) encoded_cell, encoded_len,
                                     NULL);
  /* On failure, the above function will close the circuit. */
  trn_cell_intro_established_free(cell);
  tor_free(encoded_cell);
  return ret;
}
 
/** Validate the cell DoS extension parameters. Return true iff they've been
 * bound check and can be used. Else return false. See proposal 305 for
 * details and reasons about this validation. */
STATIC bool
cell_dos_extension_parameters_are_valid(uint64_t intro2_rate_per_sec,
                                        uint64_t intro2_burst_per_sec)
{
  bool ret = false;
 
  /* Check that received value is not below the minimum. Don't check if minimum
     is set to 0, since the param is a positive value and gcc will complain. */
#if HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MIN > 0
  if (intro2_rate_per_sec < HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MIN) {
    log_fn(LOG_PROTOCOL_WARN, LD_REND,
           "Intro point DoS defenses rate per second is "
           "too small. Received value: %" PRIu64, intro2_rate_per_sec);
    goto end;
  }
#endif /* HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MIN > 0 */
 
  /* Check that received value is not above maximum */
  if (intro2_rate_per_sec > HS_CONFIG_V3_DOS_DEFENSE_RATE_PER_SEC_MAX) {
    log_fn(LOG_PROTOCOL_WARN, LD_REND,
           "Intro point DoS defenses rate per second is "
           "too big. Received value: %" PRIu64, intro2_rate_per_sec);
    goto end;
  }
 
  /* Check that received value is not below the minimum */
#if HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MIN > 0
  if (intro2_burst_per_sec < HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MIN) {
    log_fn(LOG_PROTOCOL_WARN, LD_REND,
           "Intro point DoS defenses burst per second is "
           "too small. Received value: %" PRIu64, intro2_burst_per_sec);
    goto end;
  }
#endif /* HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MIN > 0 */
 
  /* Check that received value is not above maximum */
  if (intro2_burst_per_sec > HS_CONFIG_V3_DOS_DEFENSE_BURST_PER_SEC_MAX) {
    log_fn(LOG_PROTOCOL_WARN, LD_REND,
           "Intro point DoS defenses burst per second is "
           "too big. Received value: %" PRIu64, intro2_burst_per_sec);
    goto end;
  }
 
  /* In a rate limiting scenario, burst can never be smaller than the rate. At
   * best it can be equal. */
  if (intro2_burst_per_sec < intro2_rate_per_sec) {
    log_info(LD_REND, "Intro point DoS defenses burst is smaller than rate. "
                      "Rate: %" PRIu64 " vs Burst: %" PRIu64,
             intro2_rate_per_sec, intro2_burst_per_sec);
    goto end;
  }
 
  /* Passing validation. */
  ret = true;
 
 end:
  return ret;
}
 
/** Parse the cell DoS extension and apply defenses on the given circuit if
 * validation passes. If the cell extension is malformed or contains unusable
 * values, the DoS defenses is disabled on the circuit. */
static void
handle_establish_intro_cell_dos_extension(
                                const trn_extension_field_t *field,
                                or_circuit_t *circ)
{
  ssize_t ret;
  uint64_t intro2_rate_per_sec = 0, intro2_burst_per_sec = 0;
  trn_cell_extension_dos_t *dos = NULL;
 
  tor_assert(field);
  tor_assert(circ);
 
  ret = trn_cell_extension_dos_parse(&dos,
                 trn_extension_field_getconstarray_field(field),
                 trn_extension_field_getlen_field(field));
  if (ret < 0) {
    goto end;
  }
 
  for (size_t i = 0; i < trn_cell_extension_dos_get_n_params(dos); i++) {
    const trn_cell_extension_dos_param_t *param =
      trn_cell_extension_dos_getconst_params(dos, i);
    if (BUG(param == NULL)) {
      goto end;
    }
 
    switch (trn_cell_extension_dos_param_get_type(param)) {
    case TRUNNEL_DOS_PARAM_TYPE_INTRO2_RATE_PER_SEC:
      intro2_rate_per_sec = trn_cell_extension_dos_param_get_value(param);
      break;
    case TRUNNEL_DOS_PARAM_TYPE_INTRO2_BURST_PER_SEC:
      intro2_burst_per_sec = trn_cell_extension_dos_param_get_value(param);
      break;
    default:
      goto end;
    }
  }
 
  /* At this point, the extension is valid so any values out of it implies
   * that it was set explicitly and thus flag the circuit that it should not
   * look at the consensus for that reason for the defenses' values. */
  circ->introduce2_dos_defense_explicit = 1;
 
  /* A value of 0 is valid in the sense that we accept it but we still disable
   * the defenses so return false. */
  if (intro2_rate_per_sec == 0 || intro2_burst_per_sec == 0) {
    log_info(LD_REND, "Intro point DoS defenses parameter set to 0. "
                      "Disabling INTRO2 DoS defenses on circuit id %u",
             circ->p_circ_id);
    circ->introduce2_dos_defense_enabled = 0;
    goto end;
  }
 
  /* If invalid, we disable the defense on the circuit. */
  if (!cell_dos_extension_parameters_are_valid(intro2_rate_per_sec,
                                               intro2_burst_per_sec)) {
    circ->introduce2_dos_defense_enabled = 0;
    log_info(LD_REND, "Disabling INTRO2 DoS defenses on circuit id %u",
             circ->p_circ_id);
    goto end;
  }
 
  /* We passed validation, enable defenses and apply rate/burst. */
  circ->introduce2_dos_defense_enabled = 1;
 
  /* Initialize the INTRODUCE2 token bucket for the rate limiting. */
  token_bucket_ctr_init(&circ->introduce2_bucket,
                        (uint32_t) intro2_rate_per_sec,
                        (uint32_t) intro2_burst_per_sec,
                        (uint32_t) monotime_coarse_absolute_sec());
  log_info(LD_REND, "Intro point DoS defenses enabled. Rate is %" PRIu64
                    " and Burst is %" PRIu64,
           intro2_rate_per_sec, intro2_burst_per_sec);
 
 end:
  trn_cell_extension_dos_free(dos);
  return;
}
 
/** Parse every cell extension in the given ESTABLISH_INTRO cell. */
static void
handle_establish_intro_cell_extensions(
                            const trn_cell_establish_intro_t *parsed_cell,
                            or_circuit_t *circ)
{
  const trn_extension_t *extensions;
 
  tor_assert(parsed_cell);
  tor_assert(circ);
 
  extensions = trn_cell_establish_intro_getconst_extensions(parsed_cell);
  if (extensions == NULL) {
    goto end;
  }
 
  /* Go over all extensions. */
  for (size_t idx = 0; idx < trn_extension_get_num(extensions); idx++) {
    const trn_extension_field_t *field =
      trn_extension_getconst_fields(extensions, idx);
    if (BUG(field == NULL)) {
      /* The number of extensions should match the number of fields. */
      break;
    }
 
    switch (trn_extension_field_get_field_type(field)) {
    case TRUNNEL_CELL_EXTENSION_TYPE_DOS:
      /* After this, the circuit should be set for DoS defenses. */
      handle_establish_intro_cell_dos_extension(field, circ);
      break;
    default:
      /* Unknown extension. Skip over. */
      break;
    }
  }
 
 end:
  return;
}
 
/** We received an ESTABLISH_INTRO <b>parsed_cell</b> on <b>circ</b>. It's
 *  well-formed and passed our verifications. Perform appropriate actions to
 *  establish an intro point. */
static int
handle_verified_establish_intro_cell(or_circuit_t *circ,
                               const trn_cell_establish_intro_t *parsed_cell)
{
  /* Get the auth key of this intro point */
  ed25519_public_key_t auth_key;
  get_auth_key_from_cell(&auth_key, RELAY_COMMAND_ESTABLISH_INTRO,
                         parsed_cell);
 
  /* Setup INTRODUCE2 defenses on the circuit. Must be done before parsing the
   * cell extension that can possibly change the defenses' values. */
  hs_dos_setup_default_intro2_defenses(circ);
 
  /* Handle cell extension if any. */
  handle_establish_intro_cell_extensions(parsed_cell, circ);
 
  /* Then notify the hidden service that the intro point is established by
     sending an INTRO_ESTABLISHED cell */
  if (hs_intro_send_intro_established_cell(circ)) {
    log_warn(LD_PROTOCOL, "Couldn't send INTRO_ESTABLISHED cell.");
    return -1;
  }
 
  /* Associate intro point auth key with this circuit. */
  hs_circuitmap_register_intro_circ_v3_relay_side(circ, &auth_key);
  /* Repurpose this circuit into an intro circuit. */
  circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_INTRO_POINT);
 
  return 0;
}
 
/** We just received an ESTABLISH_INTRO cell in <b>circ</b> with payload in
 *  <b>request</b>. Handle it by making <b>circ</b> an intro circuit. Return 0
 *  if everything went well, or -1 if there were errors. */
static int
handle_establish_intro(or_circuit_t *circ, const uint8_t *request,
                       size_t request_len)
{
  int cell_ok, retval = -1;
  trn_cell_establish_intro_t *parsed_cell = NULL;
 
  tor_assert(circ);
  tor_assert(request);
 
  log_info(LD_REND, "Received an ESTABLISH_INTRO request on circuit %" PRIu32,
           circ->p_circ_id);
 
  /* Check that the circuit is in shape to become an intro point */
  if (!hs_intro_circuit_is_suitable_for_establish_intro(circ)) {
    relay_increment_est_intro_action(EST_INTRO_UNSUITABLE_CIRCUIT);
    goto err;
  }
 
  /* Parse the cell */
  ssize_t parsing_result = trn_cell_establish_intro_parse(&parsed_cell,
                                                         request, request_len);
  if (parsing_result < 0) {
    relay_increment_est_intro_action(EST_INTRO_MALFORMED);
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Rejecting %s ESTABLISH_INTRO cell.",
           parsing_result == -1 ? "invalid" : "truncated");
    goto err;
  }
 
  cell_ok = verify_establish_intro_cell(parsed_cell,
                                        (uint8_t *) circ->rend_circ_nonce,
                                        sizeof(circ->rend_circ_nonce));
  if (cell_ok < 0) {
    relay_increment_est_intro_action(EST_INTRO_MALFORMED);
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Failed to verify ESTABLISH_INTRO cell.");
    goto err;
  }
 
  /* This cell is legit. Take the appropriate actions. */
  cell_ok = handle_verified_establish_intro_cell(circ, parsed_cell);
  if (cell_ok < 0) {
    relay_increment_est_intro_action(EST_INTRO_CIRCUIT_DEAD);
    goto err;
  }
 
  relay_increment_est_intro_action(EST_INTRO_SUCCESS);
  /* We are done! */
  retval = 0;
  goto done;
 
 err:
  /* When sending the intro establish ack, on error the circuit can be marked
   * as closed so avoid a double close. */
  if (!TO_CIRCUIT(circ)->marked_for_close) {
    circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
  }
 
 done:
  trn_cell_establish_intro_free(parsed_cell);
  return retval;
}
 
/** Return True if circuit is suitable for being an intro circuit. */
static int
circuit_is_suitable_intro_point(const or_circuit_t *circ,
                                const char *log_cell_type_str)
{
  tor_assert(circ);
  tor_assert(log_cell_type_str);
 
  /* Basic circuit state sanity checks. */
  if (circ->base_.purpose != CIRCUIT_PURPOSE_OR) {
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Rejecting %s on non-OR circuit.", log_cell_type_str);
    return 0;
  }
 
  if (circ->base_.n_chan) {
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Rejecting %s on non-edge circuit.", log_cell_type_str);
    return 0;
  }
 
  /* Suitable. */
  return 1;
}
 
/** Return True if circuit is suitable for being service-side intro circuit. */
int
hs_intro_circuit_is_suitable_for_establish_intro(const or_circuit_t *circ)
{
  return circuit_is_suitable_intro_point(circ, "ESTABLISH_INTRO");
}
 
/** We just received an ESTABLISH_INTRO cell in <b>circ</b>. Pass it to the
 * appropriate handler. */
int
hs_intro_received_establish_intro(or_circuit_t *circ, const uint8_t *request,
                            size_t request_len)
{
  tor_assert(circ);
  tor_assert(request);
 
  if (request_len == 0) {
    relay_increment_est_intro_action(EST_INTRO_MALFORMED);
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Empty ESTABLISH_INTRO cell.");
    goto err;
  }
 
  /* Using the first byte of the cell, figure out the version of
   * ESTABLISH_INTRO and pass it to the appropriate cell handler */
  const uint8_t first_byte = request[0];
  switch (first_byte) {
    case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0:
    case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1:
      /* Likely version 2 onion service which is now obsolete. Avoid a
       * protocol warning considering they still exists on the network. */
    relay_increment_est_intro_action(EST_INTRO_MALFORMED);
      goto err;
    case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519:
      return handle_establish_intro(circ, request, request_len);
    default:
      relay_increment_est_intro_action(EST_INTRO_MALFORMED);
      log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
             "Unrecognized AUTH_KEY_TYPE %u.", first_byte);
      goto err;
  }
 
 err:
  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
  return -1;
}
 
/** Send an INTRODUCE_ACK cell onto the circuit <b>circ</b> with the status
 * value in <b>status</b>. Depending on the status, it can be ACK or a NACK.
 * Return 0 on success else a negative value on error which will close the
 * circuit. */
static int
send_introduce_ack_cell(or_circuit_t *circ, uint16_t status)
{
  int ret = -1;
  uint8_t *encoded_cell = NULL;
  ssize_t encoded_len, result_len;
  trn_cell_introduce_ack_t *cell;
  trn_extension_t *ext;
 
  tor_assert(circ);
 
  /* Setup the INTRODUCE_ACK cell. We have no extensions so the N_EXTENSIONS
   * field is set to 0 by default with a new object. */
  cell = trn_cell_introduce_ack_new();
  ret = trn_cell_introduce_ack_set_status(cell, status);
  /* We have no cell extensions in an INTRODUCE_ACK cell. */
  ext = trn_extension_new();
  trn_extension_set_num(ext, 0);
  trn_cell_introduce_ack_set_extensions(cell, ext);
  /* A wrong status is a very bad code flow error as this value is controlled
   * by the code in this file and not an external input. This means we use a
   * code that is not known by the trunnel ABI. */
  tor_assert(ret == 0);
  /* Encode the payload. We should never fail to get the encoded length. */
  encoded_len = trn_cell_introduce_ack_encoded_len(cell);
  tor_assert(encoded_len > 0);
  encoded_cell = tor_malloc_zero(encoded_len);
  result_len = trn_cell_introduce_ack_encode(encoded_cell, encoded_len, cell);
  tor_assert(encoded_len == result_len);
 
  ret = relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
                                     RELAY_COMMAND_INTRODUCE_ACK,
                                     (char *) encoded_cell, encoded_len,
                                     NULL);
  /* On failure, the above function will close the circuit. */
  trn_cell_introduce_ack_free(cell);
  tor_free(encoded_cell);
  return ret;
}
 
/** Validate a parsed INTRODUCE1 <b>cell</b>. Return 0 if valid or else a
 * negative value for an invalid cell that should be NACKed. */
STATIC int
validate_introduce1_parsed_cell(const trn_cell_introduce1_t *cell)
{
  size_t legacy_key_id_len;
  const uint8_t *legacy_key_id;
 
  tor_assert(cell);
 
  /* This code path SHOULD NEVER be reached if the cell is a legacy type so
   * safety net here. The legacy ID must be zeroes in this case. */
  legacy_key_id_len = trn_cell_introduce1_getlen_legacy_key_id(cell);
  legacy_key_id = trn_cell_introduce1_getconstarray_legacy_key_id(cell);
  if (BUG(!fast_mem_is_zero((char *) legacy_key_id, legacy_key_id_len))) {
    goto invalid;
  }
 
  /* The auth key of an INTRODUCE1 should be of type ed25519 thus leading to a
   * known fixed length as well. */
  if (trn_cell_introduce1_get_auth_key_type(cell) !=
      TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519) {
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Rejecting invalid INTRODUCE1 cell auth key type. "
           "Responding with NACK.");
    goto invalid;
  }
  if (trn_cell_introduce1_get_auth_key_len(cell) != ED25519_PUBKEY_LEN ||
      trn_cell_introduce1_getlen_auth_key(cell) != ED25519_PUBKEY_LEN) {
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Rejecting invalid INTRODUCE1 cell auth key length. "
           "Responding with NACK.");
    goto invalid;
  }
  if (trn_cell_introduce1_getlen_encrypted(cell) == 0) {
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Rejecting invalid INTRODUCE1 cell encrypted length. "
           "Responding with NACK.");
    goto invalid;
  }
 
  return 0;
 invalid:
  return -1;
}
 
/** We just received a non legacy INTRODUCE1 cell on <b>client_circ</b> with
 * the payload in <b>request</b> of size <b>request_len</b>. Return 0 if
 * everything went well, or -1 if an error occurred. This function is in charge
 * of sending back an INTRODUCE_ACK cell and will close client_circ on error.
 */
STATIC int
handle_introduce1(or_circuit_t *client_circ, const uint8_t *request,
                  size_t request_len)
{
  int ret = -1;
  or_circuit_t *service_circ;
  trn_cell_introduce1_t *parsed_cell = NULL;
  uint16_t status = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS;
 
  tor_assert(client_circ);
  tor_assert(request);
 
  /* Make sure the cell we're going to send toward the onion service is
   * small enough to fit in a CGO-style circuit. Otherwise we should fail
   * it right here, rather than trying to send it toward the onion
   * service, maybe discovering that it doesn't fit, and maybe tearing
   * down that intro circuit.
   *
   * Note that we refuse this cell in that case even if it would fit
   * (that is, even if the onion service side isn't using a CGO-style
   * circuit), because we don't want to reveal to the client which kind
   * of circuit the onion service made. */
  if (request_len >
      relay_cell_max_payload_size(RELAY_CELL_FORMAT_V1,
                                  RELAY_COMMAND_INTRODUCE2)) {
    relay_increment_intro1_action(INTRO1_MALFORMED);
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Rejecting over-long INTRODUCE1 cell. Responding with NACK.");
    /* Inform client that the INTRODUCE1 has a bad format. */
    status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT;
    goto send_ack;
  }
 
  /* Parse cell. Note that we can only parse the non encrypted section for
   * which we'll use the authentication key to find the service introduction
   * circuit and relay the cell on it. */
  ssize_t cell_size = trn_cell_introduce1_parse(&parsed_cell, request,
                                               request_len);
  if (cell_size < 0) {
    relay_increment_intro1_action(INTRO1_MALFORMED);
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Rejecting %s INTRODUCE1 cell. Responding with NACK.",
           cell_size == -1 ? "invalid" : "truncated");
    /* Inform client that the INTRODUCE1 has a bad format. */
    status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT;
    goto send_ack;
  }
 
  /* Once parsed validate the cell format. */
  if (validate_introduce1_parsed_cell(parsed_cell) < 0) {
    relay_increment_intro1_action(INTRO1_MALFORMED);
    /* Inform client that the INTRODUCE1 has bad format. */
    status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT;
    goto send_ack;
  }
 
  /* Find introduction circuit through our circuit map. */
  {
    ed25519_public_key_t auth_key;
    get_auth_key_from_cell(&auth_key, RELAY_COMMAND_INTRODUCE1, parsed_cell);
    service_circ = hs_circuitmap_get_intro_circ_v3_relay_side(&auth_key);
    if (service_circ == NULL) {
      relay_increment_intro1_action(INTRO1_UNKNOWN_SERVICE);
      char b64_key[ED25519_BASE64_LEN + 1];
      ed25519_public_to_base64(b64_key, &auth_key);
      log_info(LD_REND, "No intro circuit found for INTRODUCE1 cell "
                        "with auth key %s from circuit %" PRIu32 ". "
                        "Responding with NACK.",
               safe_str(b64_key), client_circ->p_circ_id);
      /* Inform the client that we don't know the requested service ID. */
      status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
      goto send_ack;
    }
  }
 
  /* Before sending, let's make sure this cell can be sent on the service
   * circuit asking the DoS defenses. */
  if (!hs_dos_can_send_intro2(service_circ)) {
    relay_increment_intro1_action(INTRO1_RATE_LIMITED);
    char *msg;
    static ratelim_t rlimit = RATELIM_INIT(5 * 60);
    if ((msg = rate_limit_log(&rlimit, approx_time()))) {
      log_info(LD_PROTOCOL, "Can't relay INTRODUCE1 v3 cell due to DoS "
                            "limitations. Sending NACK to client.");
      tor_free(msg);
    }
    status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
    goto send_ack;
  }
 
  /* Relay the cell to the service on its intro circuit with an INTRODUCE2
   * cell which is the same exact payload. */
  if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(service_circ),
                                   RELAY_COMMAND_INTRODUCE2,
                                   (char *) request, request_len, NULL)) {
    relay_increment_intro1_action(INTRO1_CIRCUIT_DEAD);
    /* Inform the client that we can't relay the cell. Use the unknown ID
     * status code since it means that we do not know the service. */
    status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID;
    goto send_ack;
  }
 
  relay_increment_intro1_action(INTRO1_SUCCESS);
  /* Success! Send an INTRODUCE_ACK success status onto the client circuit. */
  status = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS;
  ret = 0;
 
 send_ack:
  /* Send INTRODUCE_ACK or INTRODUCE_NACK to client */
  if (send_introduce_ack_cell(client_circ, status) < 0) {
    log_warn(LD_PROTOCOL, "Unable to send an INTRODUCE ACK status %d "
                          "to client.", status);
    /* Circuit has been closed on failure of transmission. */
    goto done;
  }
 done:
  trn_cell_introduce1_free(parsed_cell);
  return ret;
}
 
/** Return true iff the circuit <b>circ</b> is suitable for receiving an
 * INTRODUCE1 cell. */
STATIC int
circuit_is_suitable_for_introduce1(const or_circuit_t *circ)
{
  tor_assert(circ);
 
  /* Is this circuit an intro point circuit? */
  if (!circuit_is_suitable_intro_point(circ, "INTRODUCE1")) {
    return 0;
  }
 
  if (circ->already_received_introduce1) {
    relay_increment_intro1_action(INTRO1_CIRCUIT_REUSED);
    log_fn(LOG_PROTOCOL_WARN, LD_REND,
           "Blocking multiple introductions on the same circuit. "
           "Someone might be trying to attack a hidden service through "
           "this relay.");
    return 0;
  }
 
  /* Disallow single hop client circuit. */
  if (circ->p_chan && channel_is_client(circ->p_chan)) {
    relay_increment_intro1_action(INTRO1_SINGLE_HOP);
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Single hop client was rejected while trying to introduce. "
           "Closing circuit.");
    return 0;
  }
 
  return 1;
}
 
/** We just received an INTRODUCE1 cell on <b>circ</b>. Figure out which type
 * it is and pass it to the appropriate handler. Return 0 on success else a
 * negative value and the circuit is closed. */
int
hs_intro_received_introduce1(or_circuit_t *circ, const uint8_t *request,
                             size_t request_len)
{
  tor_assert(circ);
  tor_assert(request);
 
  /* A cell that can't hold a DIGEST_LEN is invalid. */
  if (request_len < DIGEST_LEN) {
    relay_increment_intro1_action(INTRO1_MALFORMED);
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Invalid INTRODUCE1 cell length.");
    goto err;
  }
 
  /* Make sure we have a circuit that can have an INTRODUCE1 cell on it. */
  if (!circuit_is_suitable_for_introduce1(circ)) {
    /* We do not send a NACK because the circuit is not suitable for any kind
     * of response or transmission as it's a violation of the protocol. */
    goto err;
  }
  /* Mark the circuit that we got this cell. None are allowed after this as a
   * DoS mitigation since one circuit with one client can hammer a service. */
  circ->already_received_introduce1 = 1;
 
  /* Handle the cell. */
  return handle_introduce1(circ, request, request_len);
 
 err:
  circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_TORPROTOCOL);
  return -1;
}
 
/** Clear memory allocated by the given intropoint object ip (but don't free
 * the object itself). */
void
hs_intropoint_clear(hs_intropoint_t *ip)
{
  if (ip == NULL) {
    return;
  }
  tor_cert_free(ip->auth_key_cert);
  SMARTLIST_FOREACH(ip->link_specifiers, link_specifier_t *, ls,
                    link_specifier_free(ls));
  smartlist_free(ip->link_specifiers);
  memset(ip, 0, sizeof(hs_intropoint_t));
}