Merge remote-tracking branch 'public/bug9635'

1 files changed, 10 insertions, 2 deletions

diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c
index 9cf7d5dd6e..b91ecbee33 100644
--- a/src/or/onion_ntor.c
+++ b/src/or/onion_ntor.c
@@ -256,7 +256,7 @@ onion_skin_ntor_client_handshake(
   si += CURVE25519_OUTPUT_LEN;
   curve25519_handshake(si, &handshake_state->seckey_x,
                        &handshake_state->pubkey_B);
-  bad |= safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
+  bad |= (safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN) << 1);
   si += CURVE25519_OUTPUT_LEN;
   APPEND(si, handshake_state->router_id, DIGEST_LEN);
   APPEND(si, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN);
@@ -281,7 +281,7 @@ onion_skin_ntor_client_handshake(
   /* Compute auth */
   h_tweak(s.auth, s.auth_input, sizeof(s.auth_input), T->t_mac);
 
-  bad |= tor_memneq(s.auth, auth_candidate, DIGEST256_LEN);
+  bad |= (tor_memneq(s.auth, auth_candidate, DIGEST256_LEN) << 2);
 
   crypto_expand_key_material_rfc5869_sha256(
                            s.secret_input, sizeof(s.secret_input),
@@ -290,6 +290,14 @@ onion_skin_ntor_client_handshake(
                            key_out, key_out_len);
 
   memwipe(&s, 0, sizeof(s));
+
+  if (bad & 4) {
+    log_warn(LD_PROTOCOL, "Incorrect digest from ntor circuit extension "
+             "request.");
+  } else if (bad) {
+    log_warn(LD_PROTOCOL, "Invalid result from curve25519 handshake");
+  }
+
   return bad ? -1 : 0;
 }