Specify CREATE_FAST more fully.

svn:r5529

1 files changed, 22 insertions, 13 deletions

diff --git a/doc/tor-spec.txt b/doc/tor-spec.txt
index 5ef7bfcdd4..156f4c9acf 100644
--- a/doc/tor-spec.txt
+++ b/doc/tor-spec.txt
@@ -194,9 +194,9 @@ when do we rotate which keys (tls, link, etc)?
    The port and address field denote the IPV4 address and port of the next
    onion router in the circuit; the public key hash is the SHA1 hash of the
    PKCS#1 ASN1 encoding of the next onion router's identity (signing) key.
-[XXX please describe why we have this hash. my first guess is that this
-way we can notice that we're already connected to this guy even if he's
-connected at a different place. anything else? -RD]
+   (Including this hash allows the extending OR verify that it is indeed
+   connected to the correct target OR, and prevents certain man-in-the-middle
+   attacks.)
 
    The payload for a CREATED cell, or the relay payload for an
    EXTENDED cell, contains:
@@ -212,6 +212,8 @@ connected at a different place. anything else? -RD]
 
    Public keys are compared numerically by modulus.
 
+   As usual with DH, x and y MUST be generated randomly.
+
    (Older versions of Tor compared OR nicknames, and did it in a broken and
    unreliable way.  To support versions of Tor earlier than 0.0.9pre6,
    implementations should notice when the other side of a connection is
@@ -223,7 +225,7 @@ connected at a different place. anything else? -RD]
    established the OR's identity and negotiated a secret key using TLS.
    Because of this, it is not always necessary for the OP to perform the
    public key operations to create a circuit.  In this case, the
-   OP SHOULD send a CREATE_FAST cell instead of a CREATE cell for the first
+   OP MAY send a CREATE_FAST cell instead of a CREATE cell for the first
    hop only.  The OR responds with a CREATED_FAST cell, and the circuit is
    created.
 
@@ -234,14 +236,16 @@ connected at a different place. anything else? -RD]
    A CREATED_FAST cell contains:
 
        Key material (Y)    [20 bytes]
-       Derivative key data [20 bytes]
+       Derivative key data [20 bytes] (See 4.2 below)
+
+   The values of X and Y must be generated randomly.
 
    [Versions of Tor before 0.1.0.6-rc did not support these cell types;
     clients should not send CREATE_FAST cells to older Tor servers.]
 
 4.2. Setting circuit keys
 
-   Once the handshake between the OP and an OR is completed, both servers can
+   Once the handshake between the OP and an OR is completed, both can
    now calculate g^xy with ordinary DH.  Before computing g^xy, both client
    and server MUST verify that the received g^x or g^y value is not degenerate;
    that is, it must be strictly greater than 1 and strictly less than p-1
@@ -252,15 +256,20 @@ connected at a different place. anything else? -RD]
    discarded, an attacker can substitute the server's CREATED cell's g^y with
    0 or 1, thus creating a known g^xy and impersonating the server.)
 
-   (The mainline Tor implementation, in the 0.1.1.x-alpha series, also
-   discarded all g^x values that are less than 2^24, that are greater than
-   p-2^24, or that have more than 1024-16 identical bits.  This serves no
-   useful purpose, and will probably stop soon.)
+   (The mainline Tor implementation, in the 0.1.1.x-alpha series, discarded
+   all g^x values less than 2^24, greater than p-2^24, or having more than
+   1024-16 identical bits.  This served no useful purpose, and we stopped.)
+
+   If CREATE or EXTEND is used to extend a circuit, the client and server
+   base their key material on K0=g^xy, represented as a big-endian unsigned
+   integer.
+
+   If CREATE_FAST is used, the client and server base their key material on
+   K0=X|Y.
 
    From the base key material g^xy, they compute derivative key material as
-   follows.  First, the server represents g^xy as a big-endian unsigned
-   integer.  Next, the server computes 100 bytes of key data as K = SHA1(g^xy
-   | [00]) | SHA1(g^xy | [01]) | ... SHA1(g^xy | [04]) where "00" is a single
+   follows.  Next, the server computes 100 bytes of key data as K = SHA1(K0
+   | [00]) | SHA1(K0 | [01]) | ... SHA1(K0 | [04]) where "00" is a single
    octet whose value is zero, [01] is a single octet whose value is one, etc.
    The first 20 bytes of K form KH, bytes 21-40 form the forward digest Df,
    41-60 form the backward digest Db, 61-76 form Kf, and 77-92 form Kb.