From de9de9e7dd2f34af04c76abf3f51c72dec4bdc93 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 27 Mar 2014 14:15:53 -0400 Subject: Give specific warnings when client-side onionskin handshakes fail Fix for bug9635. --- src/or/onion_ntor.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'src/or/onion_ntor.c') diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c index 9cf7d5dd6e..b91ecbee33 100644 --- a/src/or/onion_ntor.c +++ b/src/or/onion_ntor.c @@ -256,7 +256,7 @@ onion_skin_ntor_client_handshake( si += CURVE25519_OUTPUT_LEN; curve25519_handshake(si, &handshake_state->seckey_x, &handshake_state->pubkey_B); - bad |= safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN); + bad |= (safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN) << 1); si += CURVE25519_OUTPUT_LEN; APPEND(si, handshake_state->router_id, DIGEST_LEN); APPEND(si, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN); @@ -281,7 +281,7 @@ onion_skin_ntor_client_handshake( /* Compute auth */ h_tweak(s.auth, s.auth_input, sizeof(s.auth_input), T->t_mac); - bad |= tor_memneq(s.auth, auth_candidate, DIGEST256_LEN); + bad |= (tor_memneq(s.auth, auth_candidate, DIGEST256_LEN) << 2); crypto_expand_key_material_rfc5869_sha256( s.secret_input, sizeof(s.secret_input), @@ -290,6 +290,14 @@ onion_skin_ntor_client_handshake( key_out, key_out_len); memwipe(&s, 0, sizeof(s)); + + if (bad & 4) { + log_warn(LD_PROTOCOL, "Incorrect digest from ntor circuit extension " + "request."); + } else if (bad) { + log_warn(LD_PROTOCOL, "Invalid result from curve25519 handshake"); + } + return bad ? -1 : 0; } -- cgit v1.2.3-54-g00ecf