ntor: Don't fail fast server-side on an unrecognized KEYID(B)

6 files changed, 21 insertions, 7 deletions

diff --git a/src/or/onion.c b/src/or/onion.c
index 3f0b0b1e46..56bc9a3b8a 100644
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -192,6 +192,8 @@ setup_server_onion_keys(server_onion_keys_t *keys)
   dup_onion_keys(&keys->onion_key, &keys->last_onion_key);
 #ifdef CURVE25519_ENABLED
   keys->curve25519_key_map = construct_ntor_key_map();
+  keys->junk_keypair = tor_malloc_zero(sizeof(curve25519_keypair_t));
+  curve25519_keypair_generate(keys->junk_keypair, 0);
 #endif
 }
 
@@ -207,6 +209,7 @@ release_server_onion_keys(server_onion_keys_t *keys)
   crypto_pk_free(keys->last_onion_key);
 #ifdef CURVE25519_ENABLED
   ntor_key_map_free(keys->curve25519_key_map);
+  tor_free(keys->junk_keypair);
 #endif
   memset(keys, 0, sizeof(server_onion_keys_t));
 }
@@ -345,6 +348,7 @@ onion_skin_server_handshake(int type,
 
       if (onion_skin_ntor_server_handshake(
                                    onion_skin, keys->curve25519_key_map,
+                                   keys->junk_keypair,
                                    keys->my_identity,
                                    reply_out, keys_tmp, keys_tmp_len)<0) {
         tor_free(keys_tmp);
diff --git a/src/or/onion.h b/src/or/onion.h
index e4081392e9..33bf341bbc 100644
--- a/src/or/onion.h
+++ b/src/or/onion.h
@@ -24,6 +24,7 @@ typedef struct server_onion_keys_t {
   crypto_pk_t *last_onion_key;
 #ifdef CURVE25519_ENABLED
   di_digest256_map_t *curve25519_key_map;
+  curve25519_keypair_t *junk_keypair;
 #endif
 } server_onion_keys_t;
 
diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c
index 30d18cc473..3f4faf3fa7 100644
--- a/src/or/onion_ntor.c
+++ b/src/or/onion_ntor.c
@@ -121,14 +121,16 @@ onion_skin_ntor_create(const uint8_t *router_id,
  * NTOR_ONIONSKIN_LEN-byte message in <b>onion_skin</b>, our own identity
  * fingerprint as <b>my_node_id</b>, and an associative array mapping public
  * onion keys to curve25519_keypair_t in <b>private_keys</b>, attempt to
- * perform the handshake.  Write an NTOR_REPLY_LEN-byte message to send back
- * to the client into <b>handshake_reply_out</b>, and generate
- * <b>key_out_len</b> bytes of key material in <b>key_out</b>. Return 0 on
- * success, -1 on failure.
+ * perform the handshake.  Use <b>junk_keys</b> if present if the handshake
+ * indicates an unrecognized public key.  Write an NTOR_REPLY_LEN-byte
+ * message to send back to the client into <b>handshake_reply_out</b>, and
+ * generate <b>key_out_len</b> bytes of key material in <b>key_out</b>. Return
+ * 0 on success, -1 on failure.
  */
 int
 onion_skin_ntor_server_handshake(const uint8_t *onion_skin,
                                  const di_digest256_map_t *private_keys,
+                                 const curve25519_keypair_t *junk_keys,
                                  const uint8_t *my_node_id,
                                  uint8_t *handshake_reply_out,
                                  uint8_t *key_out,
@@ -153,9 +155,14 @@ onion_skin_ntor_server_handshake(const uint8_t *onion_skin,
   /* XXXX Does this possible early-return business threaten our security? */
   if (tor_memneq(onion_skin, my_node_id, DIGEST_LEN))
     return -1;
-  keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN, NULL);
+  /* Note that on key-not-found, we go through with this operation anyway,
+   * using "junk_keys". This will result in failed authentication, but won't
+   * leak whether we recognized the key. */
+  keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN,
+                            (void*)junk_keys);
   if (!keypair_bB)
     return -1;
+
   memcpy(s.pubkey_X.public_key, onion_skin+DIGEST_LEN+DIGEST256_LEN,
          CURVE25519_PUBKEY_LEN);
 
diff --git a/src/or/onion_ntor.h b/src/or/onion_ntor.h
index 80015fd3fa..a5cceb94db 100644
--- a/src/or/onion_ntor.h
+++ b/src/or/onion_ntor.h
@@ -27,6 +27,7 @@ int onion_skin_ntor_create(const uint8_t *router_id,
 
 int onion_skin_ntor_server_handshake(const uint8_t *onion_skin,
                                  const di_digest256_map_t *private_keys,
+                                 const curve25519_keypair_t *junk_keypair,
                                  const uint8_t *my_node_id,
                                  uint8_t *handshake_reply_out,
                                  uint8_t *key_out,
diff --git a/src/test/bench.c b/src/test/bench.c
index 23560cd437..2c40cdf4dc 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -199,7 +199,7 @@ bench_onion_ntor(void)
   start = perftime();
   for (i = 0; i < iters; ++i) {
     uint8_t key_out[CPATH_KEY_MATERIAL_LEN];
-    onion_skin_ntor_server_handshake(os, keymap, nodeid, or,
+    onion_skin_ntor_server_handshake(os, keymap, NULL, nodeid, or,
                                 key_out, sizeof(key_out));
   }
   end = perftime();
diff --git a/src/test/test.c b/src/test/test.c
index daac67ee47..32e060080b 100644
--- a/src/test/test.c
+++ b/src/test/test.c
@@ -895,7 +895,8 @@ test_ntor_handshake(void *arg)
   /* server handshake */
   memset(s_buf, 0, NTOR_REPLY_LEN);
   memset(s_keys, 0, 40);
-  tt_int_op(0, ==, onion_skin_ntor_server_handshake(c_buf, s_keymap, node_id,
+  tt_int_op(0, ==, onion_skin_ntor_server_handshake(c_buf, s_keymap, NULL,
+                                                    node_id,
                                                     s_buf, s_keys, 400));
 
   /* client handshake 2 */