Diffstat (limited to 'src/or/onion.c')
-rw-r--r-- | src/or/onion.c | 79 |
1 files changed, 46 insertions, 33 deletions
diff --git a/src/or/onion.c b/src/or/onion.c
index cb65b93598..dc13592a71 100644
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -344,68 +344,81 @@ onion_skin_client_handshake(crypto_dh_env_t *handshake_state, return 0; } -/** DOCDOC */ +/** Implement the server side of the CREATE_FAST abbreviated handshake. The + * client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x"). We + * generate a reply of DIGEST_LEN*2 bytes in <b>key_out/b>, consisting of a + * new random "y", followed by H(x|y) to check for correctness. We set + * <b>key_out_len</b> bytes of key material in <b>key_out</b>. + * Return 0 on success, <0 on failure. + **/ int fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */ char *handshake_reply_out, /* DIGEST_LEN*2 bytes */ char *key_out, size_t key_out_len) { - char tmp[DIGEST_LEN+DIGEST_LEN+1]; - char digest[DIGEST_LEN]; - int i; + char tmp[DIGEST_LEN+DIGEST_LEN]; + char *out; + size_t out_len; if (crypto_rand(handshake_reply_out, DIGEST_LEN)<0) return -1; memcpy(tmp, key_in, DIGEST_LEN); memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN); - tmp[DIGEST_LEN+DIGEST_LEN] = 0; - crypto_digest(handshake_reply_out+DIGEST_LEN, tmp, sizeof(tmp)); - - for (i = 0; i*DIGEST_LEN < (int)key_out_len; ++i) { - size_t len; - tmp[DIGEST_LEN+DIGEST_LEN] = i+1; - crypto_digest(digest, tmp, sizeof(tmp)); - len = key_out_len - i*DIGEST_LEN; - if (len > DIGEST_LEN) len = DIGEST_LEN; - memcpy(key_out+i*DIGEST_LEN, digest, len); + out_len = key_out_len+DIGEST_LEN; + out = tor_malloc(out_len); + if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) { + tor_free(out); + return -1; } - + memcpy(handshake_reply_out+DIGEST_LEN, out, DIGEST_LEN); + memcpy(key_out, out+DIGEST_LEN, key_out_len); + memset(tmp, 0, sizeof(tmp)); + memset(out, 0, out_len); + tor_free(out); return 0; } -/** DOCDOC */ +/** Implement the second half of the client side of the CREATE_FAST handshake. + * We sent the server <b>handshake_state</b> ("x") already, and the server + * told us <b>handshake_reply_out</b> (y|H(x|y)). 
Make sure that the hash is + * correct, and generate key material in <b>key_out</b>. Return 0 on success, + * true on failure. + * + * NOTE: The "CREATE_FAST" handshake path is distinguishable from regular + * "onionskin" handshakes, and is not secure if an adversary can see or modify + * the messages. Therefore, it should only be used by clients, and only as + * the first hop of a circuit (since the first hop is already authenticated + * and protected by TLS). + */ int fast_client_handshake(const char *handshake_state, /* DIGEST_LEN bytes */ const char *handshake_reply_out, /* DIGEST_LEN*2 bytes */ char *key_out, size_t key_out_len) { - char tmp[DIGEST_LEN+DIGEST_LEN+1]; - char digest[DIGEST_LEN]; - int i; + char tmp[DIGEST_LEN+DIGEST_LEN]; + char *out; + size_t out_len; memcpy(tmp, handshake_state, DIGEST_LEN); memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN); - tmp[DIGEST_LEN+DIGEST_LEN] = 0; - crypto_digest(digest, tmp, sizeof(tmp)); - - if (memcmp(digest, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) { + out_len = key_out_len+DIGEST_LEN; + out = tor_malloc(out_len); + if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) { + tor_free(out); + return -1; + } + if (memcmp(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) { /* H(K) does *not* match. Something fishy. */ warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. Bug or attack."); return -1; } - - for (i = 0; i*DIGEST_LEN < (int)key_out_len; ++i) { - size_t len; - tmp[DIGEST_LEN+DIGEST_LEN] = i+1; - crypto_digest(digest, tmp, sizeof(tmp)); - len = key_out_len - i*DIGEST_LEN; - if (len > DIGEST_LEN) len = DIGEST_LEN; - memcpy(key_out+i*DIGEST_LEN, digest, len); - } - + memcpy(key_out, out+DIGEST_LEN, key_out_len); + memset(tmp, 0, sizeof(tmp)); + memset(out, 0, out_len); + tor_free(out); return 0; } |
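Review bot: In fast_client_handshake the digest-mismatch branch returns -1 without freeing `out` or clearing `tmp` and `out`, so each rejected CREATE_FAST reply leaks key_out_len+DIGEST_LEN bytes and leaves the derived key material in memory. That branch should clean up before it returns: `memset(tmp, 0, sizeof(tmp)); memset(out, 0, out_len); tor_free(out);`. The crypto_expand_key_material failure branches in both functions also free `out` without wiping it or `tmp`; a single shared cleanup path would cover every exit. Separately, the new client comment says "Return 0 on success, true on failure" while the code returns -1, and the server comment describes the reply as written to `key_out` (with a malformed `<b>key_out/b>` tag) although the code writes it to `handshake_reply_out`.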