From 839016ac791de98c02ad7eab50092deedde0ad55 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Fri, 7 Dec 2012 13:40:21 -0500
Subject: ntor: Don't fail fast server-side on an unrecognized KEYID(B)

---
 src/or/onion_ntor.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

(limited to 'src/or/onion_ntor.c')

diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c
index 30d18cc47..3f4faf3fa 100644
--- a/src/or/onion_ntor.c
+++ b/src/or/onion_ntor.c
@@ -121,14 +121,16 @@ onion_skin_ntor_create(const uint8_t *router_id,
  * NTOR_ONIONSKIN_LEN-byte message in <b>onion_skin</b>, our own identity
  * fingerprint as <b>my_node_id</b>, and an associative array mapping public
  * onion keys to curve25519_keypair_t in <b>private_keys</b>, attempt to
- * perform the handshake.  Write an NTOR_REPLY_LEN-byte message to send back
- * to the client into <b>handshake_reply_out</b>, and generate
- * <b>key_out_len</b> bytes of key material in <b>key_out</b>. Return 0 on
- * success, -1 on failure.
+ * perform the handshake.  Use <b>junk_keys</b> if present if the handshake
+ * indicates an unrecognized public key.  Write an NTOR_REPLY_LEN-byte
+ * message to send back to the client into <b>handshake_reply_out</b>, and
+ * generate <b>key_out_len</b> bytes of key material in <b>key_out</b>. Return
+ * 0 on success, -1 on failure.
  */
 int
 onion_skin_ntor_server_handshake(const uint8_t *onion_skin,
                                  const di_digest256_map_t *private_keys,
+                                 const curve25519_keypair_t *junk_keys,
                                  const uint8_t *my_node_id,
                                  uint8_t *handshake_reply_out,
                                  uint8_t *key_out,
@@ -153,9 +155,14 @@ onion_skin_ntor_server_handshake(const uint8_t *onion_skin,
   /* XXXX Does this possible early-return business threaten our security? */
   if (tor_memneq(onion_skin, my_node_id, DIGEST_LEN))
     return -1;
-  keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN, NULL);
+  /* Note that on key-not-found, we go through with this operation anyway,
+   * using "junk_keys". This will result in failed authentication, but won't
+   * leak whether we recognized the key. */
+  keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN,
+                            (void*)junk_keys);
   if (!keypair_bB)
     return -1;
+
   memcpy(s.pubkey_X.public_key, onion_skin+DIGEST_LEN+DIGEST256_LEN,
          CURVE25519_PUBKEY_LEN);
 
-- 
cgit v1.2.3