aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--changes/bug96353
-rw-r--r--src/or/circuitbuild.c11
-rw-r--r--src/or/command.c1
-rw-r--r--src/or/onion.c24
-rw-r--r--src/or/onion.h3
-rw-r--r--src/or/onion_fast.c10
-rw-r--r--src/or/onion_fast.h3
-rw-r--r--src/or/onion_ntor.c19
-rw-r--r--src/or/onion_ntor.h3
-rw-r--r--src/or/onion_tap.c10
-rw-r--r--src/or/onion_tap.h3
-rw-r--r--src/or/relay.c5
-rw-r--r--src/test/bench.c6
-rw-r--r--src/test/test.c10
-rw-r--r--src/test/test_ntor_cl.c2
15 files changed, 75 insertions, 38 deletions
diff --git a/changes/bug9635 b/changes/bug9635
new file mode 100644
index 0000000000..17a2ea5b78
--- /dev/null
+++ b/changes/bug9635
@@ -0,0 +1,3 @@
+ o Downgraded warnings:
+ - Don't warn when we've attempted to contact a relay using the wrong
+ ntor onion key. Closes ticket 9635.
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 6d5bbbf16c..fa5a2f5242 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -1251,8 +1251,10 @@ circuit_finish_handshake(origin_circuit_t *circ,
crypt_path_t *hop;
int rv;
- if ((rv = pathbias_count_build_attempt(circ)) < 0)
+ if ((rv = pathbias_count_build_attempt(circ)) < 0) {
+ log_warn(LD_CIRC, "pathbias_count_build_attempt failed: %d", rv);
return rv;
+ }
if (circ->cpath->state == CPATH_STATE_AWAITING_KEYS) {
hop = circ->cpath;
@@ -1266,12 +1268,15 @@ circuit_finish_handshake(origin_circuit_t *circ,
tor_assert(hop->state == CPATH_STATE_AWAITING_KEYS);
{
+ const char *msg = NULL;
if (onion_skin_client_handshake(hop->handshake_state.tag,
&hop->handshake_state,
reply->reply, reply->handshake_len,
(uint8_t*)keys, sizeof(keys),
- (uint8_t*)hop->rend_circ_nonce) < 0) {
- log_warn(LD_CIRC,"onion_skin_client_handshake failed.");
+ (uint8_t*)hop->rend_circ_nonce,
+ &msg) < 0) {
+ if (msg)
+ log_warn(LD_CIRC,"onion_skin_client_handshake failed: %s", msg);
return -END_CIRC_REASON_TORPROTOCOL;
}
}
diff --git a/src/or/command.c b/src/or/command.c
index c4a0f9baeb..719b10736b 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -398,7 +398,6 @@ command_process_created_cell(cell_t *cell, channel_t *chan)
log_debug(LD_OR,"at OP. Finishing handshake.");
if ((err_reason = circuit_finish_handshake(origin_circ,
&extended_cell.created_cell)) < 0) {
- log_warn(LD_OR,"circuit_finish_handshake failed.");
circuit_mark_for_close(circ, -err_reason);
return;
}
diff --git a/src/or/onion.c b/src/or/onion.c
index 43fb63c832..4864792511 100644
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -526,13 +526,15 @@ onion_skin_server_handshake(int type,
* bytes worth of key material in <b>keys_out_len</b>, set
* <b>rend_authenticator_out</b> to the "KH" field that can be used to
* establish introduction points at this hop, and return 0. On failure,
- * return -1. */
+ * return -1, and set *msg_out to an error message if this is worth
+ * complaining to the usre about. */
int
onion_skin_client_handshake(int type,
const onion_handshake_state_t *handshake_state,
const uint8_t *reply, size_t reply_len,
uint8_t *keys_out, size_t keys_out_len,
- uint8_t *rend_authenticator_out)
+ uint8_t *rend_authenticator_out,
+ const char **msg_out)
{
if (handshake_state->tag != type)
return -1;
@@ -540,12 +542,14 @@ onion_skin_client_handshake(int type,
switch (type) {
case ONION_HANDSHAKE_TYPE_TAP:
if (reply_len != TAP_ONIONSKIN_REPLY_LEN) {
- log_warn(LD_CIRC, "TAP reply was not of the correct length.");
+ if (msg_out)
+ *msg_out = "TAP reply was not of the correct length.";
return -1;
}
if (onion_skin_TAP_client_handshake(handshake_state->u.tap,
(const char*)reply,
- (char *)keys_out, keys_out_len) < 0)
+ (char *)keys_out, keys_out_len,
+ msg_out) < 0)
return -1;
memcpy(rend_authenticator_out, reply+DH_KEY_LEN, DIGEST_LEN);
@@ -553,26 +557,28 @@ onion_skin_client_handshake(int type,
return 0;
case ONION_HANDSHAKE_TYPE_FAST:
if (reply_len != CREATED_FAST_LEN) {
- log_warn(LD_CIRC, "CREATED_FAST reply was not of the correct length.");
+ if (msg_out)
+ *msg_out = "TAP reply was not of the correct length.";
return -1;
}
if (fast_client_handshake(handshake_state->u.fast, reply,
- keys_out, keys_out_len) < 0)
+ keys_out, keys_out_len, msg_out) < 0)
return -1;
memcpy(rend_authenticator_out, reply+DIGEST_LEN, DIGEST_LEN);
return 0;
case ONION_HANDSHAKE_TYPE_NTOR:
if (reply_len < NTOR_REPLY_LEN) {
- log_warn(LD_CIRC, "ntor reply was not of the correct length.");
+ if (msg_out)
+ *msg_out = "ntor reply was not of the correct length.";
return -1;
}
{
size_t keys_tmp_len = keys_out_len + DIGEST_LEN;
uint8_t *keys_tmp = tor_malloc(keys_tmp_len);
if (onion_skin_ntor_client_handshake(handshake_state->u.ntor,
- reply,
- keys_tmp, keys_tmp_len) < 0) {
+ reply,
+ keys_tmp, keys_tmp_len, msg_out) < 0) {
tor_free(keys_tmp);
return -1;
}
diff --git a/src/or/onion.h b/src/or/onion.h
index 96050083f8..45454f480d 100644
--- a/src/or/onion.h
+++ b/src/or/onion.h
@@ -49,7 +49,8 @@ int onion_skin_client_handshake(int type,
const onion_handshake_state_t *handshake_state,
const uint8_t *reply, size_t reply_len,
uint8_t *keys_out, size_t key_out_len,
- uint8_t *rend_authenticator_out);
+ uint8_t *rend_authenticator_out,
+ const char **msg_out);
/** A parsed CREATE, CREATE_FAST, or CREATE2 cell. */
typedef struct create_cell_t {
diff --git a/src/or/onion_fast.c b/src/or/onion_fast.c
index a52a11357c..7584112570 100644
--- a/src/or/onion_fast.c
+++ b/src/or/onion_fast.c
@@ -92,7 +92,8 @@ int
fast_client_handshake(const fast_handshake_state_t *handshake_state,
const uint8_t *handshake_reply_out,/*DIGEST_LEN*2 bytes*/
uint8_t *key_out,
- size_t key_out_len)
+ size_t key_out_len,
+ const char **msg_out)
{
uint8_t tmp[DIGEST_LEN+DIGEST_LEN];
uint8_t *out;
@@ -104,13 +105,14 @@ fast_client_handshake(const fast_handshake_state_t *handshake_state,
out_len = key_out_len+DIGEST_LEN;
out = tor_malloc(out_len);
if (crypto_expand_key_material_TAP(tmp, sizeof(tmp), out, out_len)) {
- log_warn(LD_CIRC, "Failed to expand key material");
+ if (msg_out)
+ *msg_out = "Failed to expand key material";
goto done;
}
if (tor_memneq(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
/* H(K) does *not* match. Something fishy. */
- log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. "
- "Bug or attack.");
+ if (msg_out)
+ *msg_out = "Digest DOES NOT MATCH on fast handshake. Bug or attack.";
goto done;
}
memcpy(key_out, out+DIGEST_LEN, key_out_len);
diff --git a/src/or/onion_fast.h b/src/or/onion_fast.h
index da3c217ae9..d50d503a73 100644
--- a/src/or/onion_fast.h
+++ b/src/or/onion_fast.h
@@ -32,7 +32,8 @@ int fast_server_handshake(const uint8_t *message_in,
int fast_client_handshake(const fast_handshake_state_t *handshake_state,
const uint8_t *handshake_reply_out,
uint8_t *key_out,
- size_t key_out_len);
+ size_t key_out_len,
+ const char **msg_out);
#endif
diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c
index 7f58f4d758..539f06f61f 100644
--- a/src/or/onion_ntor.c
+++ b/src/or/onion_ntor.c
@@ -3,8 +3,8 @@
#include "orconfig.h"
-#include "crypto.h"
#define ONION_NTOR_PRIVATE
+#include "crypto.h"
#include "onion_ntor.h"
#include "torlog.h"
#include "util.h"
@@ -226,7 +226,8 @@ onion_skin_ntor_client_handshake(
const ntor_handshake_state_t *handshake_state,
const uint8_t *handshake_reply,
uint8_t *key_out,
- size_t key_out_len)
+ size_t key_out_len,
+ const char **msg_out)
{
const tweakset_t *T = &proto1_tweaks;
/* Sensitive stack-allocated material. Kept in an anonymous struct to make
@@ -292,7 +293,19 @@ onion_skin_ntor_client_handshake(
memwipe(&s, 0, sizeof(s));
if (bad) {
- log_warn(LD_PROTOCOL, "Invalid result from curve25519 handshake: %d", bad);
+ if (bad & 4) {
+ if (msg_out)
+ *msg_out = NULL; /* Don't report this one; we probably just had the
+ * wrong onion key.*/
+ log_fn(LOG_INFO, LD_PROTOCOL,
+ "Invalid result from curve25519 handshake: %d", bad);
+ }
+ if (bad & 3) {
+ if (msg_out)
+ *msg_out = "Zero output from curve25519 handshake";
+ log_fn(LOG_WARN, LD_PROTOCOL,
+ "Invalid result from curve25519 handshake: %d", bad);
+ }
}
return bad ? -1 : 0;
diff --git a/src/or/onion_ntor.h b/src/or/onion_ntor.h
index 230941c3c5..0a39c1de16 100644
--- a/src/or/onion_ntor.h
+++ b/src/or/onion_ntor.h
@@ -36,7 +36,8 @@ int onion_skin_ntor_client_handshake(
const ntor_handshake_state_t *handshake_state,
const uint8_t *handshake_reply,
uint8_t *key_out,
- size_t key_out_len);
+ size_t key_out_len,
+ const char **msg_out);
#ifdef ONION_NTOR_PRIVATE
diff --git a/src/or/onion_tap.c b/src/or/onion_tap.c
index 8879a22ca2..487cbeec04 100644
--- a/src/or/onion_tap.c
+++ b/src/or/onion_tap.c
@@ -183,7 +183,8 @@ int
onion_skin_TAP_client_handshake(crypto_dh_t *handshake_state,
const char *handshake_reply, /* TAP_ONIONSKIN_REPLY_LEN bytes */
char *key_out,
- size_t key_out_len)
+ size_t key_out_len,
+ const char **msg_out)
{
ssize_t len;
char *key_material=NULL;
@@ -196,14 +197,15 @@ onion_skin_TAP_client_handshake(crypto_dh_t *handshake_state,
handshake_reply, DH_KEY_LEN, key_material,
key_material_len);
if (len < 0) {
- log_warn(LD_PROTOCOL,"DH computation failed.");
+ if (msg_out)
+ *msg_out = "DH computation failed.";
goto err;
}
if (tor_memneq(key_material, handshake_reply+DH_KEY_LEN, DIGEST_LEN)) {
/* H(K) does *not* match. Something fishy. */
- log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on onion handshake. "
- "Bug or attack.");
+ if (msg_out)
+ *msg_out = "Digest DOES NOT MATCH on onion handshake. Bug or attack.";
goto err;
}
diff --git a/src/or/onion_tap.h b/src/or/onion_tap.h
index f02a4f6f51..c548b3d99f 100644
--- a/src/or/onion_tap.h
+++ b/src/or/onion_tap.h
@@ -31,7 +31,8 @@ int onion_skin_TAP_server_handshake(const char *onion_skin,
int onion_skin_TAP_client_handshake(crypto_dh_t *handshake_state,
const char *handshake_reply,
char *key_out,
- size_t key_out_len);
+ size_t key_out_len,
+ const char **msg_out);
#endif
diff --git a/src/or/relay.c b/src/or/relay.c
index 8653d8c461..c83d9249ff 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1646,8 +1646,9 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
}
if ((reason = circuit_finish_handshake(TO_ORIGIN_CIRCUIT(circ),
&extended_cell.created_cell)) < 0) {
- log_warn(domain,"circuit_finish_handshake failed.");
- return reason;
+ circuit_mark_for_close(circ, -reason);
+ return 0; /* We don't want to cause a warning, so we mark the circuit
+ * here. */
}
}
if ((reason=circuit_send_next_onion_skin(TO_ORIGIN_CIRCUIT(circ)))<0) {
diff --git a/src/test/bench.c b/src/test/bench.c
index 68870f8657..5cbc072700 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -164,7 +164,8 @@ bench_onion_TAP(void)
char key_out[CPATH_KEY_MATERIAL_LEN];
int s;
dh = crypto_dh_dup(dh_out);
- s = onion_skin_TAP_client_handshake(dh, or, key_out, sizeof(key_out));
+ s = onion_skin_TAP_client_handshake(dh, or, key_out, sizeof(key_out),
+ NULL);
crypto_dh_free(dh);
tor_assert(s == 0);
}
@@ -223,7 +224,8 @@ bench_onion_ntor(void)
for (i = 0; i < iters; ++i) {
uint8_t key_out[CPATH_KEY_MATERIAL_LEN];
int s;
- s = onion_skin_ntor_client_handshake(state, or, key_out, sizeof(key_out));
+ s = onion_skin_ntor_client_handshake(state, or, key_out, sizeof(key_out),
+ NULL);
tor_assert(s == 0);
}
end = perftime();
diff --git a/src/test/test.c b/src/test/test.c
index ff4f517ac5..85a7ad6c7c 100644
--- a/src/test/test.c
+++ b/src/test/test.c
@@ -106,7 +106,7 @@ test_onion_handshake(void *arg)
/* client handshake 2 */
memset(c_keys, 0, 40);
- tt_assert(! onion_skin_TAP_client_handshake(c_dh, s_buf, c_keys, 40));
+ tt_assert(! onion_skin_TAP_client_handshake(c_dh, s_buf, c_keys, 40, NULL));
tt_mem_op(c_keys,OP_EQ, s_keys, 40);
memset(s_buf, 0, 40);
@@ -179,18 +179,18 @@ test_bad_onion_handshake(void *arg)
/* Client: Case 1: The server sent back junk. */
s_buf[64] ^= 33;
tt_int_op(-1, OP_EQ,
- onion_skin_TAP_client_handshake(c_dh, s_buf, c_keys, 40));
+ onion_skin_TAP_client_handshake(c_dh, s_buf, c_keys, 40, NULL));
s_buf[64] ^= 33;
/* Let the client finish; make sure it can. */
tt_int_op(0, OP_EQ,
- onion_skin_TAP_client_handshake(c_dh, s_buf, c_keys, 40));
+ onion_skin_TAP_client_handshake(c_dh, s_buf, c_keys, 40, NULL));
tt_mem_op(s_keys,OP_EQ, c_keys, 40);
/* Client: Case 2: The server sent back a degenerate DH. */
memset(s_buf, 0, sizeof(s_buf));
tt_int_op(-1, OP_EQ,
- onion_skin_TAP_client_handshake(c_dh, s_buf, c_keys, 40));
+ onion_skin_TAP_client_handshake(c_dh, s_buf, c_keys, 40, NULL));
done:
crypto_dh_free(c_dh);
@@ -239,7 +239,7 @@ test_ntor_handshake(void *arg)
/* client handshake 2 */
memset(c_keys, 0, 40);
tt_int_op(0, OP_EQ, onion_skin_ntor_client_handshake(c_state, s_buf,
- c_keys, 400));
+ c_keys, 400, NULL));
tt_mem_op(c_keys,OP_EQ, s_keys, 400);
memset(s_buf, 0, 40);
diff --git a/src/test/test_ntor_cl.c b/src/test/test_ntor_cl.c
index 955b508ef0..bfbf13a476 100644
--- a/src/test/test_ntor_cl.c
+++ b/src/test/test_ntor_cl.c
@@ -126,7 +126,7 @@ client2(int argc, char **argv)
keys = tor_malloc(keybytes);
hexkeys = tor_malloc(keybytes*2+1);
- if (onion_skin_ntor_client_handshake(&state, msg, keys, keybytes)<0) {
+ if (onion_skin_ntor_client_handshake(&state, msg, keys, keybytes, NULL)<0) {
fprintf(stderr, "handshake failed");
result = 2;
goto done;