From cf4dd5fbcb15fbaef47156c8602ee75877333ebd Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 3 Dec 2012 21:24:21 -0500 Subject: Implementat the ntor handshake The ntor handshake--described in proposal 216 and in a paper by Goldberg, Stebila, and Ustaoglu--gets us much better performance than our current approach. --- src/or/onion_ntor.h | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 src/or/onion_ntor.h (limited to 'src/or/onion_ntor.h') diff --git a/src/or/onion_ntor.h b/src/or/onion_ntor.h new file mode 100644 index 000000000..03b83da5f --- /dev/null +++ b/src/or/onion_ntor.h @@ -0,0 +1,49 @@ +/* Copyright (c) 2012, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +#ifndef TOR_ONION_NTOR_H +#define TOR_ONION_NTOR_H + +#include "torint.h" +#include "crypto_curve25519.h" +#include "di_ops.h" + +/** State to be maintained by a client between sending an ntor onionskin + * and receiving a reply. */ +typedef struct ntor_handshake_state_t ntor_handshake_state_t; + +/** Length of an ntor onionskin, as sent from the client to server. */ +#define NTOR_ONIONSKIN_LEN 84 +/** Length of an ntor reply, as sent from server to client. */ +#define NTOR_REPLY_LEN 64 + +/** A paired public and private key for curve25519. + * XXXX024 move this structure somewhere smarter. + **/ +typedef struct curve25519_keypair_t { + curve25519_public_key_t pubkey; + curve25519_secret_key_t seckey; +} curve25519_keypair_t; + +void ntor_handshake_state_free(ntor_handshake_state_t *state); + +int onion_skin_ntor_create(const uint8_t *router_id, + const curve25519_public_key_t *router_key, + ntor_handshake_state_t **handshake_state_out, + uint8_t *onion_skin_out); + +int onion_skin_ntor_server_handshake(const uint8_t *onion_skin, + const di_digest256_map_t *private_keys, + const uint8_t *my_node_id, + uint8_t *handshake_reply_out, + uint8_t *key_out, + size_t key_out_len); + +int onion_skin_ntor_client_handshake( + const ntor_handshake_state_t *handshake_state, + const uint8_t *handshake_reply, + uint8_t *key_out, + size_t key_out_len); + +#endif + -- cgit v1.2.3 From 6c883bc6384b3260d791e407b42ffcabb8276beb Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 4 Dec 2012 15:57:16 -0500 Subject: Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs. --- src/common/crypto_curve25519.c | 82 ++++++++++++++++++++++++++++++++++++++++++ src/common/crypto_curve25519.h | 18 ++++++++++ src/or/onion_ntor.h | 8 ----- 3 files changed, 100 insertions(+), 8 deletions(-) (limited to 'src/or/onion_ntor.h') diff --git a/src/common/crypto_curve25519.c b/src/common/crypto_curve25519.c index ce0cd0d60..60347065d 100644 --- a/src/common/crypto_curve25519.c +++ b/src/common/crypto_curve25519.c @@ -5,9 +5,13 @@ #define CRYPTO_CURVE25519_PRIVATE #include "orconfig.h" +#ifdef HAVE_SYS_STAT_H +#include +#endif #include "crypto.h" #include "crypto_curve25519.h" #include "util.h" +#include "torlog.h" /* ============================== Part 1: wrap a suitable curve25519 implementation as curve25519_impl @@ -85,6 +89,84 @@ curve25519_public_key_generate(curve25519_public_key_t *key_out, curve25519_impl(key_out->public_key, seckey->secret_key, basepoint); } +void +curve25519_keypair_generate(curve25519_keypair_t *keypair_out, + int extra_strong) +{ + curve25519_secret_key_generate(&keypair_out->seckey, extra_strong); + curve25519_public_key_generate(&keypair_out->pubkey, &keypair_out->seckey); +} + +int +curve25519_keypair_write_to_file(const curve25519_keypair_t *keypair, + const char *fname, + const char *tag) +{ + char contents[32 + CURVE25519_SECKEY_LEN + CURVE25519_PUBKEY_LEN]; + int r; + + memset(contents, 0, sizeof(contents)); + tor_snprintf(contents, sizeof(contents), "== c25519v1: %s ==", tag); + tor_assert(strlen(contents) <= 32); + memcpy(contents+32, keypair->seckey.secret_key, CURVE25519_SECKEY_LEN); + memcpy(contents+32+CURVE25519_SECKEY_LEN, + keypair->pubkey.public_key, CURVE25519_PUBKEY_LEN); + + r = write_bytes_to_file(fname, contents, sizeof(contents), 1); + + memwipe(contents, 0, sizeof(contents)); + return r; +} + +int +curve25519_keypair_read_from_file(curve25519_keypair_t *keypair_out, + char **tag_out, + const char *fname) +{ + char prefix[33]; + char *content; + struct stat st; + int r = -1; + + *tag_out = NULL; + + st.st_size = 0; + content = read_file_to_str(fname, RFTS_BIN|RFTS_IGNORE_MISSING, &st); + if (! content) + goto end; + if (st.st_size != 32 + CURVE25519_SECKEY_LEN + CURVE25519_PUBKEY_LEN) + goto end; + + memcpy(prefix, content, 32); + prefix[32] = '\0'; + if (strcmpstart(prefix, "== c25519v1: ") || + strcmpend(prefix, " ==")) + goto end; + + *tag_out = tor_strndup(prefix+strlen("== c25519v1: "), + strlen(prefix) - strlen("== c25519v1: ==")); + + memcpy(keypair_out->seckey.secret_key, content+32, CURVE25519_SECKEY_LEN); + curve25519_public_key_generate(&keypair_out->pubkey, &keypair_out->seckey); + if (tor_memneq(keypair_out->pubkey.public_key, + content + 32 + CURVE25519_SECKEY_LEN, + CURVE25519_PUBKEY_LEN)) + goto end; + + r = 0; + + end: + if (content) { + memwipe(content, 0, st.st_size); + tor_free(content); + } + if (r != 0) { + memset(keypair_out, 0, sizeof(*keypair_out)); + tor_free(*tag_out); + } + return r; +} + /** Perform the curve25519 ECDH handshake with skey and pkey, * writing CURVE25519_OUTPUT_LEN bytes of output into output. */ void diff --git a/src/common/crypto_curve25519.h b/src/common/crypto_curve25519.h index 3e093be7b..c43017e35 100644 --- a/src/common/crypto_curve25519.h +++ b/src/common/crypto_curve25519.h @@ -23,21 +23,39 @@ typedef struct curve25519_secret_key_t { uint8_t secret_key[CURVE25519_SECKEY_LEN]; } curve25519_secret_key_t; +/** A paired public and private key for curve25519. **/ +typedef struct curve25519_keypair_t { + curve25519_public_key_t pubkey; + curve25519_secret_key_t seckey; +} curve25519_keypair_t; + +#ifdef CURVE25519_ENABLED int curve25519_public_key_is_ok(const curve25519_public_key_t *); void curve25519_secret_key_generate(curve25519_secret_key_t *key_out, int extra_strong); void curve25519_public_key_generate(curve25519_public_key_t *key_out, const curve25519_secret_key_t *seckey); +void curve25519_keypair_generate(curve25519_keypair_t *keypair_out, + int extra_strong); void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *, const curve25519_public_key_t *); +int curve25519_keypair_write_to_file(const curve25519_keypair_t *keypair, + const char *fname, + const char *tag); + +int curve25519_keypair_read_from_file(curve25519_keypair_t *keypair_out, + char **tag_out, + const char *fname); + #ifdef CRYPTO_CURVE25519_PRIVATE int curve25519_impl(uint8_t *output, const uint8_t *secret, const uint8_t *basepoint); #endif +#endif #endif diff --git a/src/or/onion_ntor.h b/src/or/onion_ntor.h index 03b83da5f..4f305a49e 100644 --- a/src/or/onion_ntor.h +++ b/src/or/onion_ntor.h @@ -17,14 +17,6 @@ typedef struct ntor_handshake_state_t ntor_handshake_state_t; /** Length of an ntor reply, as sent from server to client. */ #define NTOR_REPLY_LEN 64 -/** A paired public and private key for curve25519. - * XXXX024 move this structure somewhere smarter. - **/ -typedef struct curve25519_keypair_t { - curve25519_public_key_t pubkey; - curve25519_secret_key_t seckey; -} curve25519_keypair_t; - void ntor_handshake_state_free(ntor_handshake_state_t *state); int onion_skin_ntor_create(const uint8_t *router_id, -- cgit v1.2.3 From f58d4dfcd61aec7ea1900873ca08ecc31d7a7ef7 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 4 Dec 2012 21:27:07 -0500 Subject: Massive refactoring of the various handshake types The three handshake types are now accessed from a unified interface; their state is abstracted from the rest of the cpath state, and so on. --- src/or/circuitbuild.c | 122 ++++++++++++++----------- src/or/circuitbuild.h | 3 +- src/or/circuitlist.c | 7 +- src/or/command.c | 10 ++- src/or/cpuworker.c | 40 +++++---- src/or/onion.c | 243 +++++++++++++++++++++++++++++++++++++++++++++++++- src/or/onion.h | 33 +++++++ src/or/onion_ntor.h | 2 + src/or/onion_tap.c | 26 +++--- src/or/onion_tap.h | 11 ++- src/or/or.h | 40 ++++++--- src/or/rendclient.c | 14 +-- src/or/rendservice.c | 8 +- src/or/router.c | 7 ++ src/or/router.h | 1 + src/test/bench.c | 16 ++-- src/test/test.c | 14 +-- 17 files changed, 462 insertions(+), 135 deletions(-) (limited to 'src/or/onion_ntor.h') diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index b6cf1252f..8393ba171 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -27,6 +27,7 @@ #include "main.h" #include "networkstatus.h" #include "nodelist.h" +#include "onion.h" #include "onion_tap.h" #include "onion_fast.h" #include "policies.h" @@ -54,7 +55,9 @@ static channel_t * channel_connect_for_circuit(const tor_addr_t *addr, uint16_t port, const char *id_digest); static int circuit_deliver_create_cell(circuit_t *circ, - uint8_t cell_type, const char *payload); + uint8_t cell_type, + const uint8_t *payload, + size_t payload_len); static int onion_pick_cpath_exit(origin_circuit_t *circ, extend_info_t *exit); static crypt_path_t *onion_next_hop_in_cpath(crypt_path_t *cpath); static int onion_extend_cpath(origin_circuit_t *circ); @@ -474,7 +477,8 @@ circuit_n_chan_done(channel_t *chan, int status) /* pull the create cell out of circ->onionskin, and send it */ tor_assert(circ->n_chan_onionskin); if (circuit_deliver_create_cell(circ,CELL_CREATE, - circ->n_chan_onionskin)<0) { + (const uint8_t*)circ->n_chan_onionskin, + circ->n_chan_onionskin_len)<0) { circuit_mark_for_close(circ, END_CIRC_REASON_RESOURCELIMIT); continue; } @@ -491,12 +495,12 @@ circuit_n_chan_done(channel_t *chan, int status) * for the outgoing * circuit circ, and deliver a cell of type cell_type * (either CELL_CREATE or CELL_CREATE_FAST) with payload payload - * to this circuit. + * to this circuit. DOCDOC payload_len * Return -1 if we failed to find a suitable circid, else return 0. */ static int circuit_deliver_create_cell(circuit_t *circ, uint8_t cell_type, - const char *payload) + const uint8_t *payload, size_t payload_len) { cell_t cell; circid_t id; @@ -518,7 +522,7 @@ circuit_deliver_create_cell(circuit_t *circ, uint8_t cell_type, cell.command = cell_type; cell.circ_id = circ->n_circ_id; - memcpy(cell.payload, payload, ONIONSKIN_CHALLENGE_LEN); + memcpy(cell.payload, payload, payload_len); append_cell_to_circuit_queue(circ, circ->n_chan, &cell, CELL_DIRECTION_OUT, 0); @@ -611,8 +615,10 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) { crypt_path_t *hop; const node_t *node; - char payload[2+4+DIGEST_LEN+ONIONSKIN_CHALLENGE_LEN]; - char *onionskin; + uint8_t payload[2+4+DIGEST_LEN+MAX_ONIONSKIN_CHALLENGE_LEN]; + uint8_t *onionskin; + uint16_t handshake_type; + int onionskin_len; size_t payload_len; tor_assert(circ); @@ -633,30 +639,29 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) * send an old slow create cell. */ cell_type = CELL_CREATE; - if (onion_skin_create(circ->cpath->extend_info->onion_key, - &(circ->cpath->dh_handshake_state), - payload) < 0) { - log_warn(LD_CIRC,"onion_skin_create (first hop) failed."); - return - END_CIRC_REASON_INTERNAL; - } + handshake_type = ONION_HANDSHAKE_TYPE_TAP; note_request("cell: create", 1); } else { /* We are not an OR, and we're building the first hop of a circuit to a * new OR: we can be speedy and use CREATE_FAST to save an RSA operation * and a DH operation. */ cell_type = CELL_CREATE_FAST; - - memset(payload, 0, sizeof(payload)); - if (fast_onionskin_create(&circ->cpath->fast_handshake_state, - (uint8_t *)payload) < 0) { - log_warn(LD_CIRC,"onion_skin_create FAST (first hop) failed."); - return - END_CIRC_REASON_INTERNAL; - } - + handshake_type = ONION_HANDSHAKE_TYPE_FAST; note_request("cell: create fast", 1); } - if (circuit_deliver_create_cell(TO_CIRCUIT(circ), cell_type, payload) < 0) + memset(payload, 0, sizeof(payload)); + onionskin_len = onion_skin_create(handshake_type, + circ->cpath->extend_info, + &circ->cpath->handshake_state, + payload); + if (onionskin_len < 0) { + log_warn(LD_CIRC,"onion_skin_create (first hop) failed."); + return - END_CIRC_REASON_INTERNAL; + } + + if (circuit_deliver_create_cell(TO_CIRCUIT(circ), cell_type, payload, + onionskin_len) < 0) return - END_CIRC_REASON_RESOURCELIMIT; circ->cpath->state = CPATH_STATE_AWAITING_KEYS; @@ -742,12 +747,16 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) set_uint16(payload+4, htons(hop->extend_info->port)); onionskin = payload+2+4; - memcpy(payload+2+4+ONIONSKIN_CHALLENGE_LEN, + memcpy(payload+2+4+TAP_ONIONSKIN_CHALLENGE_LEN, hop->extend_info->identity_digest, DIGEST_LEN); - payload_len = 2+4+ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN; + payload_len = 2+4+TAP_ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN; + + handshake_type = ONION_HANDSHAKE_TYPE_TAP; - if (onion_skin_create(hop->extend_info->onion_key, - &(hop->dh_handshake_state), onionskin) < 0) { + if (onion_skin_create(handshake_type, + hop->extend_info, + &hop->handshake_state, + onionskin) < 0) { log_warn(LD_CIRC,"onion_skin_create failed."); return - END_CIRC_REASON_INTERNAL; } @@ -758,7 +767,8 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) * it to a create cell and then send to hop */ if (relay_send_command_from_edge(0, TO_CIRCUIT(circ), RELAY_COMMAND_EXTEND, - payload, payload_len, hop->prev) < 0) + (char*)payload, payload_len, + hop->prev) < 0) return 0; /* circuit is closed */ hop->state = CPATH_STATE_AWAITING_KEYS; @@ -826,7 +836,7 @@ circuit_extend(cell_t *cell, circuit_t *circ) relay_header_unpack(&rh, cell->payload); - if (rh.length < 4+2+ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN) { + if (rh.length < 4+2+TAP_ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Wrong length %d on extend cell. Closing circuit.", rh.length); @@ -837,7 +847,7 @@ circuit_extend(cell_t *cell, circuit_t *circ) n_port = ntohs(get_uint16(cell->payload+RELAY_HEADER_SIZE+4)); onionskin = (char*) cell->payload+RELAY_HEADER_SIZE+4+2; id_digest = (char*) cell->payload+RELAY_HEADER_SIZE+4+2+ - ONIONSKIN_CHALLENGE_LEN; + TAP_ONIONSKIN_CHALLENGE_LEN; tor_addr_from_ipv4h(&n_addr, n_addr32); if (!n_port || !n_addr32) { @@ -890,8 +900,10 @@ circuit_extend(cell_t *cell, circuit_t *circ) NULL /*onion_key*/, &n_addr, n_port); - circ->n_chan_onionskin = tor_malloc(ONIONSKIN_CHALLENGE_LEN); - memcpy(circ->n_chan_onionskin, onionskin, ONIONSKIN_CHALLENGE_LEN); + circ->n_chan_onionskin = tor_malloc(TAP_ONIONSKIN_CHALLENGE_LEN); + memcpy(circ->n_chan_onionskin, onionskin, TAP_ONIONSKIN_CHALLENGE_LEN); + circ->n_chan_onionskin_len = TAP_ONIONSKIN_CHALLENGE_LEN; + circuit_set_state(circ, CIRCUIT_STATE_CHAN_WAIT); if (should_launch) { @@ -917,7 +929,8 @@ circuit_extend(cell_t *cell, circuit_t *circ) "n_chan is %s", channel_get_canonical_remote_descr(n_chan)); - if (circuit_deliver_create_cell(circ, CELL_CREATE, onionskin) < 0) + if (circuit_deliver_create_cell(circ, CELL_CREATE, (uint8_t*)onionskin, + TAP_ONIONSKIN_CHALLENGE_LEN) < 0) return -1; return 0; } @@ -1377,31 +1390,32 @@ circuit_finish_handshake(origin_circuit_t *circ, uint8_t reply_type, } tor_assert(hop->state == CPATH_STATE_AWAITING_KEYS); - if (reply_type == CELL_CREATED && hop->dh_handshake_state) { - if (onion_skin_client_handshake(hop->dh_handshake_state, (char*)reply,keys, - DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) { - log_warn(LD_CIRC,"onion_skin_client_handshake failed."); + { + uint16_t handshake_type = 0xffff; + if (reply_type == CELL_CREATED) + handshake_type = ONION_HANDSHAKE_TYPE_TAP; + else if (reply_type == CELL_CREATED_FAST) + handshake_type = ONION_HANDSHAKE_TYPE_FAST; + + if (handshake_type != hop->handshake_state.tag) { + log_warn(LD_PROTOCOL,"CREATED cell onionskin type (%u) did not " + "match CREATE cell onionskin type (%u).", + (unsigned)handshake_type, + (unsigned) hop->handshake_state.tag); return -END_CIRC_REASON_TORPROTOCOL; } - /* Remember hash of g^xy */ - memcpy(hop->handshake_digest, reply+DH_KEY_LEN, DIGEST_LEN); - } else if (reply_type == CELL_CREATED_FAST && !hop->dh_handshake_state) { - if (fast_client_handshake(hop->fast_handshake_state, reply, - (uint8_t*)keys, - DIGEST_LEN*2+CIPHER_KEY_LEN*2) < 0) { - log_warn(LD_CIRC,"fast_client_handshake failed."); + + if (onion_skin_client_handshake(handshake_type, + &hop->handshake_state, + reply, + (uint8_t*)keys, sizeof(keys), + (uint8_t*)hop->handshake_digest) < 0) { + log_warn(LD_CIRC,"onion_skin_client_handshake failed."); return -END_CIRC_REASON_TORPROTOCOL; } - memcpy(hop->handshake_digest, reply+DIGEST_LEN, DIGEST_LEN); - } else { - log_warn(LD_PROTOCOL,"CREATED cell type did not match CREATE cell type."); - return -END_CIRC_REASON_TORPROTOCOL; } - crypto_dh_free(hop->dh_handshake_state); /* don't need it anymore */ - hop->dh_handshake_state = NULL; - - memset(hop->fast_handshake_state, 0, sizeof(hop->fast_handshake_state)); + onion_handshake_state_release(&hop->handshake_state); if (circuit_init_cpath_crypto(hop, keys, 0)<0) { return -END_CIRC_REASON_TORPROTOCOL; @@ -1470,7 +1484,7 @@ circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer, int reason) */ int onionskin_answer(or_circuit_t *circ, uint8_t cell_type, const char *payload, - const char *keys) + size_t payload_len, const char *keys) { cell_t cell; crypt_path_t *tmp_cpath; @@ -1484,8 +1498,7 @@ onionskin_answer(or_circuit_t *circ, uint8_t cell_type, const char *payload, circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_OPEN); - memcpy(cell.payload, payload, - cell_type == CELL_CREATED ? ONIONSKIN_REPLY_LEN : DIGEST_LEN*2); + memcpy(cell.payload, payload, payload_len); log_debug(LD_CIRC,"init digest forward 0x%.8x, backward 0x%.8x.", (unsigned int)get_uint32(keys), @@ -1502,6 +1515,7 @@ onionskin_answer(or_circuit_t *circ, uint8_t cell_type, const char *payload, tmp_cpath->magic = 0; tor_free(tmp_cpath); + /* XXXX Move responsibility for extracting this. */ if (cell_type == CELL_CREATED) memcpy(circ->handshake_digest, cell.payload+DH_KEY_LEN, DIGEST_LEN); else diff --git a/src/or/circuitbuild.h b/src/or/circuitbuild.h index 78575afcf..f83cb554c 100644 --- a/src/or/circuitbuild.h +++ b/src/or/circuitbuild.h @@ -35,7 +35,8 @@ int circuit_finish_handshake(origin_circuit_t *circ, uint8_t cell_type, int circuit_truncated(origin_circuit_t *circ, crypt_path_t *layer, int reason); int onionskin_answer(or_circuit_t *circ, uint8_t cell_type, - const char *payload, const char *keys); + const char *payload, size_t payload_len, + const char *keys); int circuit_all_predicted_ports_handled(time_t now, int *need_uptime, int *need_capacity); diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c index 2c17fd2bb..2565470e2 100644 --- a/src/or/circuitlist.c +++ b/src/or/circuitlist.c @@ -744,8 +744,8 @@ circuit_free_cpath_node(crypt_path_t *victim) crypto_cipher_free(victim->b_crypto); crypto_digest_free(victim->f_digest); crypto_digest_free(victim->b_digest); - crypto_dh_free(victim->dh_handshake_state); - fast_handshake_state_free(victim->fast_handshake_state); + onion_handshake_state_release(&victim->handshake_state); + crypto_dh_free(victim->rend_dh_handshake_state); extend_info_free(victim->extend_info); memwipe(victim, 0xBB, sizeof(crypt_path_t)); /* poison memory */ @@ -1494,7 +1494,8 @@ assert_cpath_layer_ok(const crypt_path_t *cp) tor_assert(cp->b_crypto); /* fall through */ case CPATH_STATE_CLOSED: - tor_assert(!cp->dh_handshake_state); + /*XXXX Assert that there's no handshake_state either. */ + tor_assert(!cp->rend_dh_handshake_state); break; case CPATH_STATE_AWAITING_KEYS: /* tor_assert(cp->dh_handshake_state); */ diff --git a/src/or/command.c b/src/or/command.c index 2718ec92b..a33a9b182 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -30,6 +30,7 @@ #include "hibernate.h" #include "nodelist.h" //#include "onion.h" +#include "onion_tap.h" #include "onion_fast.h" #include "relay.h" #include "router.h" @@ -254,8 +255,8 @@ command_process_create_cell(cell_t *cell, channel_t *chan) circ->base_.purpose = CIRCUIT_PURPOSE_OR; circuit_set_state(TO_CIRCUIT(circ), CIRCUIT_STATE_ONIONSKIN_PENDING); if (cell->command == CELL_CREATE) { - char *onionskin = tor_malloc(ONIONSKIN_CHALLENGE_LEN); - memcpy(onionskin, cell->payload, ONIONSKIN_CHALLENGE_LEN); + char *onionskin = tor_malloc(TAP_ONIONSKIN_CHALLENGE_LEN); + memcpy(onionskin, cell->payload, TAP_ONIONSKIN_CHALLENGE_LEN); /* hand it off to the cpuworkers, and then return. */ if (assign_onionskin_to_cpuworker(NULL, circ, onionskin) < 0) { @@ -282,7 +283,8 @@ command_process_create_cell(cell_t *cell, channel_t *chan) circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL); return; } - if (onionskin_answer(circ, CELL_CREATED_FAST, reply, keys)<0) { + if (onionskin_answer(circ, CELL_CREATED_FAST, reply, sizeof(reply), + keys)<0) { log_warn(LD_OR,"Failed to reply to CREATE_FAST cell. Closing."); circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL); return; @@ -340,7 +342,7 @@ command_process_created_cell(cell_t *cell, channel_t *chan) log_debug(LD_OR, "Converting created cell to extended relay cell, sending."); relay_send_command_from_edge(0, circ, RELAY_COMMAND_EXTENDED, - (char*)cell->payload, ONIONSKIN_REPLY_LEN, + (char*)cell->payload, TAP_ONIONSKIN_REPLY_LEN, NULL); } } diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c index 3a3d68724..e8087c2b8 100644 --- a/src/or/cpuworker.c +++ b/src/or/cpuworker.c @@ -35,7 +35,7 @@ #define TAG_LEN 10 /** How many bytes are sent from the cpuworker back to tor? */ #define LEN_ONION_RESPONSE \ - (1+TAG_LEN+ONIONSKIN_REPLY_LEN+CPATH_KEY_MATERIAL_LEN) + (1+TAG_LEN+TAP_ONIONSKIN_REPLY_LEN+CPATH_KEY_MATERIAL_LEN) /** How many cpuworkers we have running right now. */ static int num_cpuworkers=0; @@ -185,7 +185,8 @@ connection_cpu_process_inbuf(connection_t *conn) } tor_assert(! CIRCUIT_IS_ORIGIN(circ)); if (onionskin_answer(TO_OR_CIRCUIT(circ), CELL_CREATED, buf+TAG_LEN, - buf+TAG_LEN+ONIONSKIN_REPLY_LEN) < 0) { + TAP_ONIONSKIN_REPLY_LEN, + buf+TAG_LEN+TAP_ONIONSKIN_REPLY_LEN) < 0) { log_warn(LD_OR,"onionskin_answer failed. Closing."); circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL); goto done_processing; @@ -214,11 +215,11 @@ connection_cpu_process_inbuf(connection_t *conn) * Request format: * Task type [1 byte, always CPUWORKER_TASK_ONION] * Opaque tag TAG_LEN - * Onionskin challenge ONIONSKIN_CHALLENGE_LEN + * Onionskin challenge TAP_ONIONSKIN_CHALLENGE_LEN * Response format: * Success/failure [1 byte, boolean.] * Opaque tag TAG_LEN - * Onionskin challenge ONIONSKIN_REPLY_LEN + * Onionskin challenge TAP_ONIONSKIN_REPLY_LEN * Negotiated keys KEY_LEN*2+DIGEST_LEN*2 * * (Note: this _should_ be by addr/port, since we're concerned with specific @@ -227,17 +228,17 @@ connection_cpu_process_inbuf(connection_t *conn) static void cpuworker_main(void *data) { - char question[ONIONSKIN_CHALLENGE_LEN]; + char question[TAP_ONIONSKIN_CHALLENGE_LEN]; uint8_t question_type; tor_socket_t *fdarray = data; tor_socket_t fd; /* variables for onion processing */ char keys[CPATH_KEY_MATERIAL_LEN]; - char reply_to_proxy[ONIONSKIN_REPLY_LEN]; + char reply_to_proxy[MAX_ONIONSKIN_REPLY_LEN]; char buf[LEN_ONION_RESPONSE]; char tag[TAG_LEN]; - crypto_pk_t *onion_key = NULL, *last_onion_key = NULL; + server_onion_keys_t onion_keys; fd = fdarray[1]; /* this side is ours */ #ifndef TOR_IS_MULTITHREADED @@ -248,7 +249,7 @@ cpuworker_main(void *data) #endif tor_free(data); - dup_onion_keys(&onion_key, &last_onion_key); + setup_server_onion_keys(&onion_keys); for (;;) { ssize_t r; @@ -275,15 +276,18 @@ cpuworker_main(void *data) goto end; } - if (read_all(fd, question, ONIONSKIN_CHALLENGE_LEN, 1) != - ONIONSKIN_CHALLENGE_LEN) { + if (read_all(fd, question, TAP_ONIONSKIN_CHALLENGE_LEN, 1) != + TAP_ONIONSKIN_CHALLENGE_LEN) { log_err(LD_BUG,"read question failed. Exiting."); goto end; } if (question_type == CPUWORKER_TASK_ONION) { - if (onion_skin_server_handshake(question, onion_key, last_onion_key, - reply_to_proxy, keys, CPATH_KEY_MATERIAL_LEN) < 0) { + if (onion_skin_server_handshake(ONION_HANDSHAKE_TYPE_TAP, + (const uint8_t*)question, + &onion_keys, + (uint8_t*)reply_to_proxy, + (uint8_t*)keys, CPATH_KEY_MATERIAL_LEN) < 0) { /* failure */ log_debug(LD_OR,"onion_skin_server_handshake failed."); *buf = 0; /* indicate failure in first byte */ @@ -295,8 +299,9 @@ cpuworker_main(void *data) log_debug(LD_OR,"onion_skin_server_handshake succeeded."); buf[0] = 1; /* 1 means success */ memcpy(buf+1,tag,TAG_LEN); - memcpy(buf+1+TAG_LEN,reply_to_proxy,ONIONSKIN_REPLY_LEN); - memcpy(buf+1+TAG_LEN+ONIONSKIN_REPLY_LEN,keys,CPATH_KEY_MATERIAL_LEN); + memcpy(buf+1+TAG_LEN,reply_to_proxy,TAP_ONIONSKIN_REPLY_LEN); + memcpy(buf+1+TAG_LEN+TAP_ONIONSKIN_REPLY_LEN,keys, + CPATH_KEY_MATERIAL_LEN); } if (write_all(fd, buf, LEN_ONION_RESPONSE, 1) != LEN_ONION_RESPONSE) { log_err(LD_BUG,"writing response buf failed. Exiting."); @@ -306,10 +311,7 @@ cpuworker_main(void *data) } } end: - if (onion_key) - crypto_pk_free(onion_key); - if (last_onion_key) - crypto_pk_free(last_onion_key); + release_server_onion_keys(&onion_keys); tor_close_socket(fd); crypto_thread_cleanup(); spawn_exit(); @@ -497,7 +499,7 @@ assign_onionskin_to_cpuworker(connection_t *cpuworker, qbuf[0] = CPUWORKER_TASK_ONION; connection_write_to_buf(qbuf, 1, cpuworker); connection_write_to_buf(tag, sizeof(tag), cpuworker); - connection_write_to_buf(onionskin, ONIONSKIN_CHALLENGE_LEN, cpuworker); + connection_write_to_buf(onionskin, TAP_ONIONSKIN_CHALLENGE_LEN, cpuworker); tor_free(onionskin); } return 0; diff --git a/src/or/onion.c b/src/or/onion.c index f468adab2..90fc830dd 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -6,15 +6,19 @@ /** * \file onion.c - * \brief Functions to queue create cells, and handle onionskin - * parsing and creation. + * \brief Functions to queue create cells, handle onionskin + * parsing and creation, and wrap the various onionskin types. **/ #include "or.h" #include "circuitlist.h" #include "config.h" #include "onion.h" +#include "onion_fast.h" +#include "onion_ntor.h" +#include "onion_tap.h" #include "rephist.h" +#include "router.h" /** Type for a linked list of circuits that are waiting for a free CPU worker * to process a waiting onion handshake. */ @@ -37,6 +41,8 @@ static onion_queue_t *ol_tail=NULL; /** Length of ol_list */ static int ol_length=0; +/* XXXX Check lengths vs MAX_ONIONSKIN_{CHALLENGE,REPLY}_LEN */ + /** Add circ to the end of ol_list and return 0, except * if ol_list is too long, in which case do nothing and return -1. */ @@ -171,3 +177,236 @@ clear_pending_onions(void) ol_length = 0; } +/* ============================================================ */ + +/** Fill in a server_onion_keys_t object at keys with all of the keys + * and other info we might need to do onion handshakes. (We make a copy of + * our keys for each cpuworker to avoid race conditions with the main thread, + * and to avoid locking) */ +void +setup_server_onion_keys(server_onion_keys_t *keys) +{ + memset(keys, 0, sizeof(server_onion_keys_t)); + memcpy(keys->my_identity, router_get_my_id_digest(), DIGEST_LEN); + dup_onion_keys(&keys->onion_key, &keys->last_onion_key); +#ifdef CURVE25519_ENABLED + keys->curve25519_key_map = construct_ntor_key_map(); +#endif +} + +/** Release all storage held in keys, but do not free keys + * itself (as it's likely to be stack-allocated.) */ +void +release_server_onion_keys(server_onion_keys_t *keys) +{ + if (! keys) + return; + + crypto_pk_free(keys->onion_key); + crypto_pk_free(keys->last_onion_key); +#ifdef CURVE25519_ENABLED + ntor_key_map_free(keys->curve25519_key_map); +#endif + memset(keys, 0, sizeof(server_onion_keys_t)); +} + +/** Release whatever storage is held in state, depending on its + * type, and clear its pointer. */ +void +onion_handshake_state_release(onion_handshake_state_t *state) +{ + switch (state->tag) { + case ONION_HANDSHAKE_TYPE_TAP: + crypto_dh_free(state->u.tap); + state->u.tap = NULL; + break; + case ONION_HANDSHAKE_TYPE_FAST: + fast_handshake_state_free(state->u.fast); + state->u.fast = NULL; + break; +#ifdef CURVE25519_ENABLED + case ONION_HANDSHAKE_TYPE_NTOR: + ntor_handshake_state_free(state->u.ntor); + state->u.ntor = NULL; + break; +#endif + default: + log_warn(LD_BUG, "called with unknown handshake state type %d", + (int)state->tag); + tor_fragile_assert(); + } +} + +/** Perform the first step of a circuit-creation handshake of type type + * (one of ONION_HANDSHAKE_TYPE_*): generate the initial "onion skin" in + * onion_skin_out, and store any state information in state_out. + * Return -1 on failure, and the length of the onionskin on acceptance. + */ +int +onion_skin_create(int type, + const extend_info_t *node, + onion_handshake_state_t *state_out, + uint8_t *onion_skin_out) +{ + int r = -1; + + switch (type) { + case ONION_HANDSHAKE_TYPE_TAP: + if (!node->onion_key) + return -1; + + if (onion_skin_TAP_create(node->onion_key, + &state_out->u.tap, + (char*)onion_skin_out) < 0) + return -1; + + r = TAP_ONIONSKIN_CHALLENGE_LEN; + break; + case ONION_HANDSHAKE_TYPE_FAST: + if (fast_onionskin_create(&state_out->u.fast, onion_skin_out) < 0) + return -1; + + r = CREATE_FAST_LEN; + break; + case ONION_HANDSHAKE_TYPE_NTOR: +#ifdef CURVE25519_ENABLED + if (tor_mem_is_zero((const char*)node->curve25519_onion_key.public_key, + CURVE25519_PUBKEY_LEN)) + return -1; + if (onion_skin_ntor_create((const uint8_t*)node->identity_digest, + &node->curve25519_onion_key, + &state_out->u.ntor, + onion_skin_out) < 0) + return -1; + + r = NTOR_ONIONSKIN_LEN; +#else + return -1; +#endif + break; + default: + log_warn(LD_BUG, "called with unknown handshake state type %d", type); + tor_fragile_assert(); + r = -1; + } + + if (r > 0) + state_out->tag = (uint16_t) type; + + return r; +} + +/** Perform the second (server-side) step of a circuit-creation handshake of + * type type, responding to the client request in onion_skin + * using the keys in keys. On success, write our response into + * reply_out, generate keys_out_len bytes worth of key material + * in keys_out_len, and return the length of the reply. On failure, + * return -1. */ +int +onion_skin_server_handshake(int type, + const uint8_t *onion_skin, + const server_onion_keys_t *keys, + uint8_t *reply_out, + uint8_t *keys_out, size_t keys_out_len) +{ + int r = -1; + + switch (type) { + case ONION_HANDSHAKE_TYPE_TAP: + if (onion_skin_TAP_server_handshake((const char*)onion_skin, + keys->onion_key, keys->last_onion_key, + (char*)reply_out, + (char*)keys_out, keys_out_len)<0) + return -1; + r = TAP_ONIONSKIN_REPLY_LEN; + break; + case ONION_HANDSHAKE_TYPE_FAST: + if (fast_server_handshake(onion_skin, reply_out, keys_out, keys_out_len)<0) + return -1; + r = CREATED_FAST_LEN; + break; + case ONION_HANDSHAKE_TYPE_NTOR: +#ifdef CURVE25519_ENABLED + if (onion_skin_ntor_server_handshake(onion_skin, keys->curve25519_key_map, + keys->my_identity, + reply_out, keys_out, keys_out_len)<0) + return -1; + r = NTOR_REPLY_LEN; +#else + return -1; +#endif + break; + default: + log_warn(LD_BUG, "called with unknown handshake state type %d", type); + tor_fragile_assert(); + return -1; + } + + /* XXXX we should generate the rendezvous nonce stuff too. Some notes + * below */ + // memcpy(hop->handshake_digest, reply+DH_KEY_LEN, DIGEST_LEN); + + //memcpy(hop->handshake_digest, reply+DIGEST_LEN, DIGEST_LEN); + + return r; +} + +/** Perform the final (client-side) step of a circuit-creation handshake of + * type type, using our state in handshake_state and the + * server's response in reply On success, generate keys_out_len + * bytes worth of key material in keys_out_len, set + * rend_authenticator_out to the "KH" field that can be used to + * establish introduction points at this hop, and return 0. On failure, + * return -1. */ +int +onion_skin_client_handshake(int type, + const onion_handshake_state_t *handshake_state, + const uint8_t *reply, + uint8_t *keys_out, size_t keys_out_len, + uint8_t *rend_authenticator_out) +{ + if (handshake_state->tag != type) + return -1; + + switch (type) { + case ONION_HANDSHAKE_TYPE_TAP: + if (onion_skin_TAP_client_handshake(handshake_state->u.tap, + (const char*)reply, + (char *)keys_out, keys_out_len) < 0) + return -1; + + memcpy(rend_authenticator_out, reply+DH_KEY_LEN, DIGEST_LEN); + + return 0; + case ONION_HANDSHAKE_TYPE_FAST: + if (fast_client_handshake(handshake_state->u.fast, reply, + keys_out, keys_out_len) < 0) + return -1; + + memcpy(rend_authenticator_out, reply+DIGEST_LEN, DIGEST_LEN); + return 0; +#ifdef CURVE25519_ENABLED + case ONION_HANDSHAKE_TYPE_NTOR: + { + size_t keys_tmp_len = keys_out_len + DIGEST_LEN; + uint8_t *keys_tmp = tor_malloc(keys_tmp_len); + if (onion_skin_ntor_client_handshake(handshake_state->u.ntor, + reply, + keys_tmp, keys_tmp_len) < 0) { + tor_free(keys_tmp); + return -1; + } + memcpy(keys_out, keys_tmp, keys_out_len); + memcpy(rend_authenticator_out, keys_tmp + keys_out_len, DIGEST_LEN); + memwipe(keys_tmp, 0, keys_tmp_len); + tor_free(keys_tmp); + } + return 0; +#endif + default: + log_warn(LD_BUG, "called with unknown handshake state type %d", type); + tor_fragile_assert(); + return -1; + } +} + diff --git a/src/or/onion.h b/src/or/onion.h index 55ea3f930..3c12e1f85 100644 --- a/src/or/onion.h +++ b/src/or/onion.h @@ -17,5 +17,38 @@ or_circuit_t *onion_next_task(char **onionskin_out); void onion_pending_remove(or_circuit_t *circ); void clear_pending_onions(void); +typedef struct server_onion_keys_t { + uint8_t my_identity[DIGEST_LEN]; + crypto_pk_t *onion_key; + crypto_pk_t *last_onion_key; +#ifdef CURVE25519_ENABLED + di_digest256_map_t *curve25519_key_map; +#endif +} server_onion_keys_t; + +#define MAX_ONIONSKIN_CHALLENGE_LEN 255 +#define MAX_ONIONSKIN_REPLY_LEN 255 + +void setup_server_onion_keys(server_onion_keys_t *keys); +void release_server_onion_keys(server_onion_keys_t *keys); + +void onion_handshake_state_release(onion_handshake_state_t *state); + +int onion_skin_create(int type, + const extend_info_t *node, + onion_handshake_state_t *state_out, + uint8_t *onion_skin_out); +int onion_skin_server_handshake(int type, + const uint8_t *onion_skin, + const server_onion_keys_t *keys, + uint8_t *reply_out, + uint8_t *keys_out, size_t key_out_len); +// uint8_t *rend_authenticator_out); +int onion_skin_client_handshake(int type, + const onion_handshake_state_t *handshake_state, + const uint8_t *reply, + uint8_t *keys_out, size_t key_out_len, + uint8_t *rend_authenticator_out); + #endif diff --git a/src/or/onion_ntor.h b/src/or/onion_ntor.h index 4f305a49e..80015fd3f 100644 --- a/src/or/onion_ntor.h +++ b/src/or/onion_ntor.h @@ -17,6 +17,7 @@ typedef struct ntor_handshake_state_t ntor_handshake_state_t; /** Length of an ntor reply, as sent from server to client. */ #define NTOR_REPLY_LEN 64 +#ifdef CURVE25519_ENABLED void ntor_handshake_state_free(ntor_handshake_state_t *state); int onion_skin_ntor_create(const uint8_t *router_id, @@ -36,6 +37,7 @@ int onion_skin_ntor_client_handshake( const uint8_t *handshake_reply, uint8_t *key_out, size_t key_out_len); +#endif #endif diff --git a/src/or/onion_tap.c b/src/or/onion_tap.c index 464b8451d..0ec526cd0 100644 --- a/src/or/onion_tap.c +++ b/src/or/onion_tap.c @@ -35,9 +35,9 @@ * The meeting point/cookies and auth are zeroed out for now. */ int -onion_skin_create(crypto_pk_t *dest_router_key, +onion_skin_TAP_create(crypto_pk_t *dest_router_key, crypto_dh_t **handshake_state_out, - char *onion_skin_out) /* ONIONSKIN_CHALLENGE_LEN bytes */ + char *onion_skin_out) /* TAP_ONIONSKIN_CHALLENGE_LEN bytes */ { char challenge[DH_KEY_LEN]; crypto_dh_t *dh = NULL; @@ -47,7 +47,7 @@ onion_skin_create(crypto_pk_t *dest_router_key, tor_assert(handshake_state_out); tor_assert(onion_skin_out); *handshake_state_out = NULL; - memset(onion_skin_out, 0, ONIONSKIN_CHALLENGE_LEN); + memset(onion_skin_out, 0, TAP_ONIONSKIN_CHALLENGE_LEN); if (!(dh = crypto_dh_new(DH_TYPE_CIRCUIT))) goto err; @@ -64,7 +64,7 @@ onion_skin_create(crypto_pk_t *dest_router_key, /* set meeting point, meeting cookie, etc here. Leave zero for now. */ if (crypto_pk_public_hybrid_encrypt(dest_router_key, onion_skin_out, - ONIONSKIN_CHALLENGE_LEN, + TAP_ONIONSKIN_CHALLENGE_LEN, challenge, DH_KEY_LEN, PK_PKCS1_OAEP_PADDING, 1)<0) goto err; @@ -85,14 +85,17 @@ onion_skin_create(crypto_pk_t *dest_router_key, * next key_out_len bytes of key material in key_out. */ int -onion_skin_server_handshake(const char *onion_skin, /*ONIONSKIN_CHALLENGE_LEN*/ +onion_skin_TAP_server_handshake( + /*TAP_ONIONSKIN_CHALLENGE_LEN*/ + const char *onion_skin, crypto_pk_t *private_key, crypto_pk_t *prev_private_key, - char *handshake_reply_out, /*ONIONSKIN_REPLY_LEN*/ + /*TAP_ONIONSKIN_REPLY_LEN*/ + char *handshake_reply_out, char *key_out, size_t key_out_len) { - char challenge[ONIONSKIN_CHALLENGE_LEN]; + char challenge[TAP_ONIONSKIN_CHALLENGE_LEN]; crypto_dh_t *dh = NULL; ssize_t len; char *key_material=NULL; @@ -107,8 +110,9 @@ onion_skin_server_handshake(const char *onion_skin, /*ONIONSKIN_CHALLENGE_LEN*/ break; note_crypto_pk_op(DEC_ONIONSKIN); len = crypto_pk_private_hybrid_decrypt(k, challenge, - ONIONSKIN_CHALLENGE_LEN, - onion_skin, ONIONSKIN_CHALLENGE_LEN, + TAP_ONIONSKIN_CHALLENGE_LEN, + onion_skin, + TAP_ONIONSKIN_CHALLENGE_LEN, PK_PKCS1_OAEP_PADDING,0); if (len>0) break; @@ -175,8 +179,8 @@ onion_skin_server_handshake(const char *onion_skin, /*ONIONSKIN_CHALLENGE_LEN*/ * After the invocation, call crypto_dh_free on handshake_state. */ int -onion_skin_client_handshake(crypto_dh_t *handshake_state, - const char *handshake_reply, /* ONIONSKIN_REPLY_LEN bytes */ +onion_skin_TAP_client_handshake(crypto_dh_t *handshake_state, + const char *handshake_reply, /* TAP_ONIONSKIN_REPLY_LEN bytes */ char *key_out, size_t key_out_len) { diff --git a/src/or/onion_tap.h b/src/or/onion_tap.h index 3bd90c95e..deae1bf8c 100644 --- a/src/or/onion_tap.h +++ b/src/or/onion_tap.h @@ -12,18 +12,23 @@ #ifndef TOR_ONION_TAP_H #define TOR_ONION_TAP_H -int onion_skin_create(crypto_pk_t *router_key, +#define TAP_ONIONSKIN_CHALLENGE_LEN (PKCS1_OAEP_PADDING_OVERHEAD+\ + CIPHER_KEY_LEN+\ + DH_KEY_LEN) +#define TAP_ONIONSKIN_REPLY_LEN (DH_KEY_LEN+DIGEST_LEN) + +int onion_skin_TAP_create(crypto_pk_t *router_key, crypto_dh_t **handshake_state_out, char *onion_skin_out); -int onion_skin_server_handshake(const char *onion_skin, +int onion_skin_TAP_server_handshake(const char *onion_skin, crypto_pk_t *private_key, crypto_pk_t *prev_private_key, char *handshake_reply_out, char *key_out, size_t key_out_len); -int onion_skin_client_handshake(crypto_dh_t *handshake_state, +int onion_skin_TAP_client_handshake(crypto_dh_t *handshake_state, const char *handshake_reply, char *key_out, size_t key_out_len); diff --git a/src/or/or.h b/src/or/or.h index 6fada7700..f7407a8e9 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1381,6 +1381,7 @@ typedef struct or_connection_t { or_handshake_state_t *handshake_state; /**< If we are setting this connection * up, state information to do so. */ + time_t timestamp_lastempty; /**< When was the outbuf last completely empty?*/ time_t timestamp_last_added_nonpadding; /** When did we last add a * non-padding cell to the outbuf? */ @@ -2470,6 +2471,9 @@ typedef struct extend_info_t { uint16_t port; /**< OR port. */ tor_addr_t addr; /**< IP address. */ crypto_pk_t *onion_key; /**< Current onionskin key. */ +#ifdef CURVE25519_ENABLED + curve25519_public_key_t curve25519_onion_key; +#endif } extend_info_t; /** Certificate for v3 directory protocol: binds long-term authority identity @@ -2525,6 +2529,19 @@ typedef enum { #define CRYPT_PATH_MAGIC 0x70127012u struct fast_handshake_state_t; +struct ntor_handshake_state_t; +#define ONION_HANDSHAKE_TYPE_TAP 0x0000 +#define ONION_HANDSHAKE_TYPE_FAST 0x0001 +#define ONION_HANDSHAKE_TYPE_NTOR 0x0002 +typedef struct { + uint16_t tag; + union { + struct fast_handshake_state_t *fast; + crypto_dh_t *tap; + struct ntor_handshake_state_t *ntor; + } u; +} onion_handshake_state_t; + /** Holds accounting information for a single step in the layered encryption * performed by a circuit. Used only at the client edge of a circuit. */ typedef struct crypt_path_t { @@ -2543,16 +2560,15 @@ typedef struct crypt_path_t { /** Digest state for cells heading away from the OR at this step. */ crypto_digest_t *b_digest; - /** Current state of Diffie-Hellman key negotiation with the OR at this + /** Current state of the handshake as performed with the OR at this * step. */ - crypto_dh_t *dh_handshake_state; - /** Current state of 'fast' (non-PK) key negotiation with the OR at this - * step. Used to save CPU when TLS is already providing all the - * authentication, secrecy, and integrity we need, and we're already - * distinguishable from an OR. - */ - struct fast_handshake_state_t *fast_handshake_state; + onion_handshake_state_t handshake_state; + /** Diffie-hellman handshake state for performing an introduction + * operations */ + crypto_dh_t *rend_dh_handshake_state; + /** Negotiated key material shared with the OR at this step. */ + /* XXXX RENAME */ char handshake_digest[DIGEST_LEN];/* KH in tor-spec.txt */ /** Information to extend to the OR at this step. */ @@ -2594,10 +2610,6 @@ typedef struct { #define CPATH_KEY_MATERIAL_LEN (20*2+16*2) #define DH_KEY_LEN DH_BYTES -#define ONIONSKIN_CHALLENGE_LEN (PKCS1_OAEP_PADDING_OVERHEAD+\ - CIPHER_KEY_LEN+\ - DH_KEY_LEN) -#define ONIONSKIN_REPLY_LEN (DH_KEY_LEN+DIGEST_LEN) /** Information used to build a circuit. */ typedef struct { @@ -2703,9 +2715,10 @@ typedef struct circuit_t { * more. */ int deliver_window; + uint8_t n_chan_onionskin_len; /* XXXX MAKE THIS GET USED. */ /** For storage while n_chan is pending * (state CIRCUIT_STATE_CHAN_WAIT). When defined, it is always - * length ONIONSKIN_CHALLENGE_LEN. */ + * length n_chan_onionskin_len */ char *n_chan_onionskin; /** When was this circuit created? We keep this timestamp with a higher @@ -2965,6 +2978,7 @@ typedef struct or_circuit_t { char rend_token[REND_TOKEN_LEN]; /* ???? move to a subtype or adjunct structure? Wastes 20 bytes -NM */ + /* XXXX rename this. */ char handshake_digest[DIGEST_LEN]; /**< Stores KH for the handshake. */ /** How many more relay_early cells can we send on this circuit, according diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 3fb4025e6..61fb3aad8 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -206,12 +206,12 @@ rend_client_send_introduction(origin_circuit_t *introcirc, cpath = rendcirc->build_state->pending_final_cpath = tor_malloc_zero(sizeof(crypt_path_t)); cpath->magic = CRYPT_PATH_MAGIC; - if (!(cpath->dh_handshake_state = crypto_dh_new(DH_TYPE_REND))) { + if (!(cpath->rend_dh_handshake_state = crypto_dh_new(DH_TYPE_REND))) { log_warn(LD_BUG, "Internal error: couldn't allocate DH."); status = -2; goto perm_err; } - if (crypto_dh_generate_public(cpath->dh_handshake_state)<0) { + if (crypto_dh_generate_public(cpath->rend_dh_handshake_state)<0) { log_warn(LD_BUG, "Internal error: couldn't generate g^x."); status = -2; goto perm_err; @@ -261,7 +261,7 @@ rend_client_send_introduction(origin_circuit_t *introcirc, dh_offset = MAX_NICKNAME_LEN+1+REND_COOKIE_LEN; } - if (crypto_dh_get_public(cpath->dh_handshake_state, tmp+dh_offset, + if (crypto_dh_get_public(cpath->rend_dh_handshake_state, tmp+dh_offset, DH_KEY_LEN)<0) { log_warn(LD_BUG, "Internal error: couldn't extract g^x."); status = -2; @@ -896,9 +896,9 @@ rend_client_receive_rendezvous(origin_circuit_t *circ, const uint8_t *request, tor_assert(circ->build_state); tor_assert(circ->build_state->pending_final_cpath); hop = circ->build_state->pending_final_cpath; - tor_assert(hop->dh_handshake_state); + tor_assert(hop->rend_dh_handshake_state); if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, - hop->dh_handshake_state, (char*)request, + hop->rend_dh_handshake_state, (char*)request, DH_KEY_LEN, keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) { log_warn(LD_GENERAL, "Couldn't complete DH handshake."); @@ -914,8 +914,8 @@ rend_client_receive_rendezvous(origin_circuit_t *circ, const uint8_t *request, goto err; } - crypto_dh_free(hop->dh_handshake_state); - hop->dh_handshake_state = NULL; + crypto_dh_free(hop->rend_dh_handshake_state); + hop->rend_dh_handshake_state = NULL; /* All is well. Extend the circuit. */ circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_C_REND_JOINED); diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 09792bd1d..08a7feb3e 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1378,7 +1378,7 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, cpath->magic = CRYPT_PATH_MAGIC; launched->build_state->expiry_time = now + MAX_REND_TIMEOUT; - cpath->dh_handshake_state = dh; + cpath->rend_dh_handshake_state = dh; dh = NULL; if (circuit_init_cpath_crypto(cpath,keys+DIGEST_LEN,1)<0) goto err; @@ -2624,7 +2624,7 @@ rend_service_rendezvous_has_opened(origin_circuit_t *circuit) /* All we need to do is send a RELAY_RENDEZVOUS1 cell... */ memcpy(buf, circuit->rend_data->rend_cookie, REND_COOKIE_LEN); - if (crypto_dh_get_public(hop->dh_handshake_state, + if (crypto_dh_get_public(hop->rend_dh_handshake_state, buf+REND_COOKIE_LEN, DH_KEY_LEN)<0) { log_warn(LD_GENERAL,"Couldn't get DH public key."); reason = END_CIRC_REASON_INTERNAL; @@ -2643,8 +2643,8 @@ rend_service_rendezvous_has_opened(origin_circuit_t *circuit) goto err; } - crypto_dh_free(hop->dh_handshake_state); - hop->dh_handshake_state = NULL; + crypto_dh_free(hop->rend_dh_handshake_state); + hop->rend_dh_handshake_state = NULL; /* Append the cpath entry. */ hop->state = CPATH_STATE_OPEN; diff --git a/src/or/router.c b/src/or/router.c index 954304dd2..3733bec4d 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -1598,6 +1598,13 @@ router_digest_is_me(const char *digest) tor_memeq(server_identitykey_digest, digest, DIGEST_LEN)); } +/** DOCDOC */ +const uint8_t * +router_get_my_id_digest(void) +{ + return (const uint8_t *)server_identitykey_digest; +} + /** Return true iff I'm a server and digest is equal to * my identity digest. */ int diff --git a/src/or/router.h b/src/or/router.h index 85c7d351d..ea0b2ab4e 100644 --- a/src/or/router.h +++ b/src/or/router.h @@ -84,6 +84,7 @@ extrainfo_t *router_get_my_extrainfo(void); const char *router_get_my_descriptor(void); const char *router_get_descriptor_gen_reason(void); int router_digest_is_me(const char *digest); +const uint8_t *router_get_my_id_digest(void); int router_extrainfo_digest_is_me(const char *digest); int router_is_me(const routerinfo_t *router); int router_fingerprint_is_me(const char *fp); diff --git a/src/test/bench.c b/src/test/bench.c index 567b1a4d7..23560cd43 100644 --- a/src/test/bench.c +++ b/src/test/bench.c @@ -110,8 +110,8 @@ bench_onion_TAP(void) int i; crypto_pk_t *key, *key2; uint64_t start, end; - char os[ONIONSKIN_CHALLENGE_LEN]; - char or[ONIONSKIN_REPLY_LEN]; + char os[TAP_ONIONSKIN_CHALLENGE_LEN]; + char or[TAP_ONIONSKIN_REPLY_LEN]; crypto_dh_t *dh_out; key = crypto_pk_new(); @@ -122,17 +122,18 @@ bench_onion_TAP(void) reset_perftime(); start = perftime(); for (i = 0; i < iters; ++i) { - onion_skin_create(key, &dh_out, os); + onion_skin_TAP_create(key, &dh_out, os); crypto_dh_free(dh_out); } end = perftime(); printf("Client-side, part 1: %f usec.\n", NANOCOUNT(start, end, iters)/1e3); - onion_skin_create(key, &dh_out, os); + onion_skin_TAP_create(key, &dh_out, os); start = perftime(); for (i = 0; i < iters; ++i) { char key_out[CPATH_KEY_MATERIAL_LEN]; - onion_skin_server_handshake(os, key, NULL, or, key_out, sizeof(key_out)); + onion_skin_TAP_server_handshake(os, key, NULL, or, + key_out, sizeof(key_out)); } end = perftime(); printf("Server-side, key guessed right: %f usec\n", @@ -141,7 +142,8 @@ bench_onion_TAP(void) start = perftime(); for (i = 0; i < iters; ++i) { char key_out[CPATH_KEY_MATERIAL_LEN]; - onion_skin_server_handshake(os, key2, key, or, key_out, sizeof(key_out)); + onion_skin_TAP_server_handshake(os, key2, key, or, + key_out, sizeof(key_out)); } end = perftime(); printf("Server-side, key guessed wrong: %f usec.\n", @@ -153,7 +155,7 @@ bench_onion_TAP(void) char key_out[CPATH_KEY_MATERIAL_LEN]; int s; dh = crypto_dh_dup(dh_out); - s = onion_skin_client_handshake(dh, or, key_out, sizeof(key_out)); + s = onion_skin_TAP_client_handshake(dh, or, key_out, sizeof(key_out)); tor_assert(s == 0); } end = perftime(); diff --git a/src/test/test.c b/src/test/test.c index cc2d481c7..daac67ee4 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -819,11 +819,11 @@ test_onion_handshake(void) { /* client-side */ crypto_dh_t *c_dh = NULL; - char c_buf[ONIONSKIN_CHALLENGE_LEN]; + char c_buf[TAP_ONIONSKIN_CHALLENGE_LEN]; char c_keys[40]; /* server-side */ - char s_buf[ONIONSKIN_REPLY_LEN]; + char s_buf[TAP_ONIONSKIN_REPLY_LEN]; char s_keys[40]; /* shared */ @@ -832,18 +832,18 @@ test_onion_handshake(void) pk = pk_generate(0); /* client handshake 1. */ - memset(c_buf, 0, ONIONSKIN_CHALLENGE_LEN); - test_assert(! onion_skin_create(pk, &c_dh, c_buf)); + memset(c_buf, 0, TAP_ONIONSKIN_CHALLENGE_LEN); + test_assert(! onion_skin_TAP_create(pk, &c_dh, c_buf)); /* server handshake */ - memset(s_buf, 0, ONIONSKIN_REPLY_LEN); + memset(s_buf, 0, TAP_ONIONSKIN_REPLY_LEN); memset(s_keys, 0, 40); - test_assert(! onion_skin_server_handshake(c_buf, pk, NULL, + test_assert(! onion_skin_TAP_server_handshake(c_buf, pk, NULL, s_buf, s_keys, 40)); /* client handshake 2 */ memset(c_keys, 0, 40); - test_assert(! onion_skin_client_handshake(c_dh, s_buf, c_keys, 40)); + test_assert(! onion_skin_TAP_client_handshake(c_dh, s_buf, c_keys, 40)); if (memcmp(c_keys, s_keys, 40)) { puts("Aiiiie"); -- cgit v1.2.3 From 839016ac791de98c02ad7eab50092deedde0ad55 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 7 Dec 2012 13:40:21 -0500 Subject: ntor: Don't fail fast server-side on an unrecognized KEYID(B) --- src/or/onion.c | 4 ++++ src/or/onion.h | 1 + src/or/onion_ntor.c | 17 ++++++++++++----- src/or/onion_ntor.h | 1 + src/test/bench.c | 2 +- src/test/test.c | 3 ++- 6 files changed, 21 insertions(+), 7 deletions(-) (limited to 'src/or/onion_ntor.h') diff --git a/src/or/onion.c b/src/or/onion.c index 3f0b0b1e4..56bc9a3b8 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -192,6 +192,8 @@ setup_server_onion_keys(server_onion_keys_t *keys) dup_onion_keys(&keys->onion_key, &keys->last_onion_key); #ifdef CURVE25519_ENABLED keys->curve25519_key_map = construct_ntor_key_map(); + keys->junk_keypair = tor_malloc_zero(sizeof(curve25519_keypair_t)); + curve25519_keypair_generate(keys->junk_keypair, 0); #endif } @@ -207,6 +209,7 @@ release_server_onion_keys(server_onion_keys_t *keys) crypto_pk_free(keys->last_onion_key); #ifdef CURVE25519_ENABLED ntor_key_map_free(keys->curve25519_key_map); + tor_free(keys->junk_keypair); #endif memset(keys, 0, sizeof(server_onion_keys_t)); } @@ -345,6 +348,7 @@ onion_skin_server_handshake(int type, if (onion_skin_ntor_server_handshake( onion_skin, keys->curve25519_key_map, + keys->junk_keypair, keys->my_identity, reply_out, keys_tmp, keys_tmp_len)<0) { tor_free(keys_tmp); diff --git a/src/or/onion.h b/src/or/onion.h index e4081392e..33bf341bb 100644 --- a/src/or/onion.h +++ b/src/or/onion.h @@ -24,6 +24,7 @@ typedef struct server_onion_keys_t { crypto_pk_t *last_onion_key; #ifdef CURVE25519_ENABLED di_digest256_map_t *curve25519_key_map; + curve25519_keypair_t *junk_keypair; #endif } server_onion_keys_t; diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c index 30d18cc47..3f4faf3fa 100644 --- a/src/or/onion_ntor.c +++ b/src/or/onion_ntor.c @@ -121,14 +121,16 @@ onion_skin_ntor_create(const uint8_t *router_id, * NTOR_ONIONSKIN_LEN-byte message in onion_skin, our own identity * fingerprint as my_node_id, and an associative array mapping public * onion keys to curve25519_keypair_t in private_keys, attempt to - * perform the handshake. Write an NTOR_REPLY_LEN-byte message to send back - * to the client into handshake_reply_out, and generate - * key_out_len bytes of key material in key_out. Return 0 on - * success, -1 on failure. + * perform the handshake. Use junk_keys if present if the handshake + * indicates an unrecognized public key. Write an NTOR_REPLY_LEN-byte + * message to send back to the client into handshake_reply_out, and + * generate key_out_len bytes of key material in key_out. Return + * 0 on success, -1 on failure. */ int onion_skin_ntor_server_handshake(const uint8_t *onion_skin, const di_digest256_map_t *private_keys, + const curve25519_keypair_t *junk_keys, const uint8_t *my_node_id, uint8_t *handshake_reply_out, uint8_t *key_out, @@ -153,9 +155,14 @@ onion_skin_ntor_server_handshake(const uint8_t *onion_skin, /* XXXX Does this possible early-return business threaten our security? */ if (tor_memneq(onion_skin, my_node_id, DIGEST_LEN)) return -1; - keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN, NULL); + /* Note that on key-not-found, we go through with this operation anyway, + * using "junk_keys". This will result in failed authentication, but won't + * leak whether we recognized the key. */ + keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN, + (void*)junk_keys); if (!keypair_bB) return -1; + memcpy(s.pubkey_X.public_key, onion_skin+DIGEST_LEN+DIGEST256_LEN, CURVE25519_PUBKEY_LEN); diff --git a/src/or/onion_ntor.h b/src/or/onion_ntor.h index 80015fd3f..a5cceb94d 100644 --- a/src/or/onion_ntor.h +++ b/src/or/onion_ntor.h @@ -27,6 +27,7 @@ int onion_skin_ntor_create(const uint8_t *router_id, int onion_skin_ntor_server_handshake(const uint8_t *onion_skin, const di_digest256_map_t *private_keys, + const curve25519_keypair_t *junk_keypair, const uint8_t *my_node_id, uint8_t *handshake_reply_out, uint8_t *key_out, diff --git a/src/test/bench.c b/src/test/bench.c index 23560cd43..2c40cdf4d 100644 --- a/src/test/bench.c +++ b/src/test/bench.c @@ -199,7 +199,7 @@ bench_onion_ntor(void) start = perftime(); for (i = 0; i < iters; ++i) { uint8_t key_out[CPATH_KEY_MATERIAL_LEN]; - onion_skin_ntor_server_handshake(os, keymap, nodeid, or, + onion_skin_ntor_server_handshake(os, keymap, NULL, nodeid, or, key_out, sizeof(key_out)); } end = perftime(); diff --git a/src/test/test.c b/src/test/test.c index daac67ee4..32e060080 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -895,7 +895,8 @@ test_ntor_handshake(void *arg) /* server handshake */ memset(s_buf, 0, NTOR_REPLY_LEN); memset(s_keys, 0, 40); - tt_int_op(0, ==, onion_skin_ntor_server_handshake(c_buf, s_keymap, node_id, + tt_int_op(0, ==, onion_skin_ntor_server_handshake(c_buf, s_keymap, NULL, + node_id, s_buf, s_keys, 400)); /* client handshake 2 */ -- cgit v1.2.3 From c46ff3ec79420a6d94207cbe0d4e4d08208ccc4c Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sat, 8 Dec 2012 00:52:44 -0500 Subject: Add reference implementation for ntor, plus compatibility test Before I started coding ntor in C, I did another one in Python. Turns out, they interoperate just fine. --- src/or/onion_ntor.c | 18 +-- src/or/onion_ntor.h | 19 +++ src/test/include.am | 13 ++ src/test/ntor_ref.py | 387 ++++++++++++++++++++++++++++++++++++++++++++++++ src/test/test_ntor_cl.c | 166 +++++++++++++++++++++ 5 files changed, 587 insertions(+), 16 deletions(-) create mode 100644 src/test/ntor_ref.py create mode 100644 src/test/test_ntor_cl.c (limited to 'src/or/onion_ntor.h') diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c index 3f4faf3fa..8eab55acf 100644 --- a/src/or/onion_ntor.c +++ b/src/or/onion_ntor.c @@ -3,26 +3,12 @@ #include "orconfig.h" -#include "onion_ntor.h" #include "crypto.h" +#define ONION_NTOR_PRIVATE +#include "onion_ntor.h" #include "torlog.h" #include "util.h" -/** Storage held by a client while waiting for an ntor reply from a server. */ -struct ntor_handshake_state_t { - /** Identity digest of the router we're talking to. */ - uint8_t router_id[DIGEST_LEN]; - /** Onion key of the router we're talking to. */ - curve25519_public_key_t pubkey_B; - - /** - * Short-lived keypair for use with this handshake. - * @{ */ - curve25519_secret_key_t seckey_x; - curve25519_public_key_t pubkey_X; - /** @} */ -}; - /** Free storage held in an ntor handshake state. */ void ntor_handshake_state_free(ntor_handshake_state_t *state) diff --git a/src/or/onion_ntor.h b/src/or/onion_ntor.h index a5cceb94d..61ff5c0ad 100644 --- a/src/or/onion_ntor.h +++ b/src/or/onion_ntor.h @@ -38,6 +38,25 @@ int onion_skin_ntor_client_handshake( const uint8_t *handshake_reply, uint8_t *key_out, size_t key_out_len); + +#ifdef ONION_NTOR_PRIVATE + +/** Storage held by a client while waiting for an ntor reply from a server. */ +struct ntor_handshake_state_t { + /** Identity digest of the router we're talking to. */ + uint8_t router_id[DIGEST_LEN]; + /** Onion key of the router we're talking to. */ + curve25519_public_key_t pubkey_B; + + /** + * Short-lived keypair for use with this handshake. + * @{ */ + curve25519_secret_key_t seckey_x; + curve25519_public_key_t pubkey_X; + /** @} */ +}; +#endif + #endif #endif diff --git a/src/test/include.am b/src/test/include.am index e4f2897cd..f625ab7f7 100644 --- a/src/test/include.am +++ b/src/test/include.am @@ -53,3 +53,16 @@ src_test_bench_LDADD = src/or/libtor.a src/common/libor.a \ noinst_HEADERS+= \ src/test/test.h +if CURVE25519_ENABLED +noinst_PROGRAMS+= src/test/test-ntor-cl +src_test_test_ntor_cl_SOURCES = src/test/test_ntor_cl.c +src_test_test_ntor_cl_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ +src_test_test_ntor_cl_LDADD = src/or/libtor.a src/common/libor.a \ + src/common/libor-crypto.a $(LIBDONNA) \ + @TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ \ + @TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ +src_test_test_ntor_cl_AM_CPPFLAGS = \ + -I"$(top_srcdir)/src/or" + +endif + diff --git a/src/test/ntor_ref.py b/src/test/ntor_ref.py new file mode 100644 index 000000000..6133be139 --- /dev/null +++ b/src/test/ntor_ref.py @@ -0,0 +1,387 @@ +# Copyright 2012 The Tor Project, Inc +# See LICENSE for licensing information + +""" +ntor_ref.py + + +This module is a reference implementation for the "ntor" protocol +s proposed by Goldberg, Stebila, and Ustaoglu and as instantiated in +Tor Proposal 216. + +It's meant to be used to validate Tor's ntor implementation. It +requirs the curve25519 python module from the curve25519-donna +package. + + *** DO NOT USE THIS IN PRODUCTION. *** + +commands: + + gen_kdf_vectors: Print out some test vectors for the RFC5869 KDF. + timing: Print a little timing information about this implementation's + handshake. + self-test: Try handshaking with ourself; make sure we can. + test-tor: Handshake with tor's ntor implementation via the program + src/test/test-ntor-cl; make sure we can. + +""" + +import binascii +import curve25519 +import hashlib +import hmac +import subprocess + +# ********************************************************************** +# Helpers and constants + +def HMAC(key,msg): + "Return the HMAC-SHA256 of 'msg' using the key 'key'." + H = hmac.new(key, "", hashlib.sha256) + H.update(msg) + return H.digest() + +def H(msg,tweak): + """Return the hash of 'msg' using tweak 'tweak'. (In this version of ntor, + the tweaked hash is just HMAC with the tweak as the key.)""" + return HMAC(key=tweak, + msg=msg) + +def keyid(k): + """Return the 32-byte key ID of a public key 'k'. (Since we're + using curve25519, we let k be its own keyid.) + """ + return k.serialize() + +NODE_ID_LENGTH = 20 +KEYID_LENGTH = 32 +G_LENGTH = 32 +H_LENGTH = 32 + +PROTOID = b"ntor-curve25519-sha256-1" +M_EXPAND = PROTOID + ":key_expand" +T_MAC = PROTOID + ":mac" +T_KEY = PROTOID + ":key_extract" +T_VERIFY = PROTOID + ":verify" + +def H_mac(msg): return H(msg, tweak=T_MAC) +def H_verify(msg): return H(msg, tweak=T_VERIFY) + +class PrivateKey(curve25519.keys.Private): + """As curve25519.keys.Private, but doesn't regenerate its public key + every time you ask for it. + """ + def __init__(self): + curve25519.keys.Private.__init__(self) + self._memo_public = None + + def get_public(self): + if self._memo_public is None: + self._memo_public = curve25519.keys.Private.get_public(self) + + return self._memo_public + +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +def kdf_rfc5869(key, salt, info, n): + + prk = HMAC(key=salt, msg=key) + + out = b"" + last = b"" + i = 1 + while len(out) < n: + m = last + info + chr(i) + last = h = HMAC(key=prk, msg=m) + out += h + i = i + 1 + return out[:n] + +def kdf_ntor(key, n): + return kdf_rfc5869(key, T_KEY, M_EXPAND, n) + +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +def client_part1(node_id, pubkey_B): + """Initial handshake, client side. + + From the specification: + + <> + + Takes node_id -- a digest of the server's identity key, + pubkey_B -- a public key for the server. + Returns a tuple of (client secret key x, client->server message)""" + + assert len(node_id) == NODE_ID_LENGTH + + key_id = keyid(pubkey_B) + seckey_x = PrivateKey() + pubkey_X = seckey_x.get_public().serialize() + + message = node_id + key_id + pubkey_X + + assert len(message) == NODE_ID_LENGTH + H_LENGTH + H_LENGTH + return seckey_x , message + +def hash_nil(x): + """Identity function: if we don't pass a hash function that does nothing, + the curve25519 python lib will try to sha256 it for us.""" + return x + +def bad_result(r): + """Helper: given a result of multiplying a public key by a private key, + return True iff one of the inputs was broken""" + assert len(r) == 32 + return r == '\x00'*32 + +def server(seckey_b, my_node_id, message, keyBytes=72): + """Handshake step 2, server side. + + From the spec: + + << + The server generates a keypair of y,Y = KEYGEN(), and computes + + secret_input = EXP(X,y) | EXP(X,b) | ID | B | X | Y | PROTOID + KEY_SEED = H(secret_input, t_key) + verify = H(secret_input, t_verify) + auth_input = verify | ID | B | Y | X | PROTOID | "Server" + + The server sends a CREATED cell containing: + + SERVER_PK: Y -- G_LENGTH bytes + AUTH: H(auth_input, t_mac) -- H_LENGTH byets + >> + + Takes seckey_b -- the server's secret key + my_node_id -- the servers's public key digest, + message -- a message from a client + keybytes -- amount of key material to generate + + Returns a tuple of (key material, sever->client reply), or None on + error. + """ + + assert len(message) == NODE_ID_LENGTH + H_LENGTH + H_LENGTH + + if my_node_id != message[:NODE_ID_LENGTH]: + return None + + badness = (keyid(seckey_b.get_public()) != + message[NODE_ID_LENGTH:NODE_ID_LENGTH+H_LENGTH]) + + pubkey_X = curve25519.keys.Public(message[NODE_ID_LENGTH+H_LENGTH:]) + seckey_y = PrivateKey() + pubkey_Y = seckey_y.get_public() + pubkey_B = seckey_b.get_public() + xy = seckey_y.get_shared_key(pubkey_X, hash_nil) + xb = seckey_b.get_shared_key(pubkey_X, hash_nil) + + # secret_input = EXP(X,y) | EXP(X,b) | ID | B | X | Y | PROTOID + secret_input = (xy + xb + my_node_id + + pubkey_B.serialize() + + pubkey_X.serialize() + + pubkey_Y.serialize() + + PROTOID) + + verify = H_verify(secret_input) + + # auth_input = verify | ID | B | Y | X | PROTOID | "Server" + auth_input = (verify + + my_node_id + + pubkey_B.serialize() + + pubkey_Y.serialize() + + pubkey_X.serialize() + + PROTOID + + "Server") + + msg = pubkey_Y.serialize() + H_mac(auth_input) + + badness += bad_result(xb) + badness += bad_result(xy) + + if badness: + return None + + keys = kdf_ntor(secret_input, keyBytes) + + return keys, msg + +def client_part2(seckey_x, msg, node_id, pubkey_B, keyBytes=72): + """Handshake step 3: client side again. + + From the spec: + + << + The client then checks Y is in G^* [see NOTE below], and computes + + secret_input = EXP(Y,x) | EXP(B,x) | ID | B | X | Y | PROTOID + KEY_SEED = H(secret_input, t_key) + verify = H(secret_input, t_verify) + auth_input = verify | ID | B | Y | X | PROTOID | "Server" + + The client verifies that AUTH == H(auth_input, t_mac). + >> + + Takes seckey_x -- the secret key we generated in step 1. + msg -- the message from the server. + node_id -- the node_id we used in step 1. + server_key -- the same public key we used in step 1. + keyBytes -- the number of bytes we want to generate + Returns key material, or None on error + + """ + assert len(msg) == G_LENGTH + H_LENGTH + + pubkey_Y = curve25519.keys.Public(msg[:G_LENGTH]) + their_auth = msg[G_LENGTH:] + + pubkey_X = seckey_x.get_public() + + yx = seckey_x.get_shared_key(pubkey_Y, hash_nil) + bx = seckey_x.get_shared_key(pubkey_B, hash_nil) + + + # secret_input = EXP(Y,x) | EXP(B,x) | ID | B | X | Y | PROTOID + secret_input = (yx + bx + node_id + + pubkey_B.serialize() + + pubkey_X.serialize() + + pubkey_Y.serialize() + PROTOID) + + verify = H_verify(secret_input) + + # auth_input = verify | ID | B | Y | X | PROTOID | "Server" + auth_input = (verify + node_id + + pubkey_B.serialize() + + pubkey_Y.serialize() + + pubkey_X.serialize() + PROTOID + + "Server") + + my_auth = H_mac(auth_input) + + badness = my_auth != their_auth + badness = bad_result(yx) + bad_result(bx) + + if badness: + return None + + return kdf_ntor(secret_input, keyBytes) + +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +def demo(node_id="iToldYouAboutStairs.", server_key=PrivateKey()): + """ + Try to handshake with ourself. + """ + x, create = client_part1(node_id, server_key.get_public()) + skeys, created = server(server_key, node_id, create) + ckeys = client_part2(x, created, node_id, server_key.get_public()) + assert len(skeys) == 72 + assert len(ckeys) == 72 + assert skeys == ckeys + +# ====================================================================== +def timing(): + """ + Use Python's timeit module to see how fast this nonsense is + """ + import timeit + t = timeit.Timer(stmt="ntor_ref.demo(N,SK)", + setup="import ntor_ref,curve25519;N='ABCD'*5;SK=ntor_ref.PrivateKey()") + print t.timeit(number=1000) + +# ====================================================================== + +def kdf_vectors(): + """ + Generate some vectors to check our KDF. + """ + import binascii + def kdf_vec(inp): + k = kdf(inp, T_KEY, M_EXPAND, 100) + print repr(inp), "\n\""+ binascii.b2a_hex(k)+ "\"" + kdf_vec("") + kdf_vec("Tor") + kdf_vec("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT") + +# ====================================================================== + + +def test_tor(): + """ + Call the test-ntor-cl command-line program to make sure we can + interoperate with Tor's ntor program + """ + enhex=binascii.b2a_hex + dehex=lambda s: binascii.a2b_hex(s.strip()) + + PROG = "./src/test/test-ntor-cl" + def tor_client1(node_id, pubkey_B): + " returns (msg, state) " + p = subprocess.Popen([PROG, "client1", enhex(node_id), + enhex(pubkey_B.serialize())], + stdout=subprocess.PIPE) + return map(dehex, p.stdout.readlines()) + def tor_server1(seckey_b, node_id, msg, n): + " returns (msg, keys) " + p = subprocess.Popen([PROG, "server1", enhex(seckey_b.serialize()), + enhex(node_id), enhex(msg), str(n)], + stdout=subprocess.PIPE) + return map(dehex, p.stdout.readlines()) + def tor_client2(state, msg, n): + " returns (keys,) " + p = subprocess.Popen([PROG, "client2", enhex(state), + enhex(msg), str(n)], + stdout=subprocess.PIPE) + return map(dehex, p.stdout.readlines()) + + + node_id = "thisisatornodeid$#%^" + seckey_b = PrivateKey() + pubkey_B = seckey_b.get_public() + + # Do a pure-Tor handshake + c2s_msg, c_state = tor_client1(node_id, pubkey_B) + s2c_msg, s_keys = tor_server1(seckey_b, node_id, c2s_msg, 90) + c_keys, = tor_client2(c_state, s2c_msg, 90) + assert c_keys == s_keys + assert len(c_keys) == 90 + + # Try a mixed handshake with Tor as the client + c2s_msg, c_state = tor_client1(node_id, pubkey_B) + s_keys, s2c_msg = server(seckey_b, node_id, c2s_msg, 90) + c_keys, = tor_client2(c_state, s2c_msg, 90) + assert c_keys == s_keys + assert len(c_keys) == 90 + + # Now do a mixed handshake with Tor as the server + c_x, c2s_msg = client_part1(node_id, pubkey_B) + s2c_msg, s_keys = tor_server1(seckey_b, node_id, c2s_msg, 90) + c_keys = client_part2(c_x, s2c_msg, node_id, pubkey_B, 90) + assert c_keys == s_keys + assert len(c_keys) == 90 + + print "We just interoperated." + +# ====================================================================== + +if __name__ == '__main__': + import sys + if sys.argv[1] == 'gen_kdf_vectors': + kdf_vectors() + elif sys.argv[1] == 'timing': + timing() + elif sys.argv[1] == 'self-test': + demo() + elif sys.argv[1] == 'test-tor': + test_tor() + + else: + print __doc__ diff --git a/src/test/test_ntor_cl.c b/src/test/test_ntor_cl.c new file mode 100644 index 000000000..6e6bd2139 --- /dev/null +++ b/src/test/test_ntor_cl.c @@ -0,0 +1,166 @@ +/* Copyright (c) 2012, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +#include "orconfig.h" +#include +#include + +#define ONION_NTOR_PRIVATE +#include "or.h" +#include "util.h" +#include "compat.h" +#include "crypto.h" +#include "crypto_curve25519.h" +#include "onion_ntor.h" + +#ifndef CURVE25519_ENABLED +#error "This isn't going to work without curve25519." +#endif + +#define N_ARGS(n) STMT_BEGIN { \ + if (argc < (n)) { \ + fprintf(stderr, "%s needs %d arguments.\n",argv[1],n); \ + return 1; \ + } \ + } STMT_END +#define BASE16(idx, var, n) STMT_BEGIN { \ + const char *s = argv[(idx)]; \ + if (base16_decode((char*)var, n, s, strlen(s)) < 0 ) { \ + fprintf(stderr, "couldn't decode argument %d (%s)\n",idx,s); \ + return 1; \ + } \ + } STMT_END +#define INT(idx, var) STMT_BEGIN { \ + var = atoi(argv[(idx)]); \ + if (var <= 0) { \ + fprintf(stderr, "bad integer argument %d (%s)\n",idx,argv[(idx)]); \ + } \ + } STMT_END + +static int +client1(int argc, char **argv) +{ + /* client1 nodeID B -> msg state */ + curve25519_public_key_t B; + uint8_t node_id[DIGEST_LEN]; + ntor_handshake_state_t *state; + uint8_t msg[NTOR_ONIONSKIN_LEN]; + + char buf[1024]; + + memset(&state, 0, sizeof(state)); + + N_ARGS(4); + BASE16(2, node_id, DIGEST_LEN); + BASE16(3, B.public_key, CURVE25519_PUBKEY_LEN); + + if (onion_skin_ntor_create(node_id, &B, &state, msg)<0) { + fprintf(stderr, "handshake failed"); + return 2; + } + + base16_encode(buf, sizeof(buf), (const char*)msg, sizeof(msg)); + printf("%s\n", buf); + base16_encode(buf, sizeof(buf), (void*)state, sizeof(*state)); + printf("%s\n", buf); + ntor_handshake_state_free(state); + return 0; +} + +static int +server1(int argc, char **argv) +{ + uint8_t msg_in[NTOR_ONIONSKIN_LEN]; + curve25519_keypair_t kp; + di_digest256_map_t *keymap=NULL; + uint8_t node_id[DIGEST_LEN]; + int keybytes; + + uint8_t msg_out[NTOR_REPLY_LEN]; + uint8_t *keys; + char *hexkeys; + + char buf[256]; + + /* server1: b nodeID msg N -> msg keys */ + N_ARGS(6); + BASE16(2, kp.seckey.secret_key, CURVE25519_SECKEY_LEN); + BASE16(3, node_id, DIGEST_LEN); + BASE16(4, msg_in, NTOR_ONIONSKIN_LEN); + INT(5, keybytes); + + curve25519_public_key_generate(&kp.pubkey, &kp.seckey); + dimap_add_entry(&keymap, kp.pubkey.public_key, &kp); + + keys = tor_malloc(keybytes); + hexkeys = tor_malloc(keybytes*2+1); + if (onion_skin_ntor_server_handshake( + msg_in, keymap, NULL, node_id, msg_out, keys, + (size_t)keybytes)<0) { + fprintf(stderr, "handshake failed"); + return 2; + } + + base16_encode(buf, sizeof(buf), (const char*)msg_out, sizeof(msg_out)); + printf("%s\n", buf); + base16_encode(hexkeys, keybytes*2+1, (const char*)keys, keybytes); + printf("%s\n", hexkeys); + + tor_free(keys); + tor_free(hexkeys); + return 0; +} + +static int +client2(int argc, char **argv) +{ + struct ntor_handshake_state_t state; + uint8_t msg[NTOR_REPLY_LEN]; + int keybytes; + uint8_t *keys; + char *hexkeys; + + N_ARGS(5); + BASE16(2, (&state), sizeof(state)); + BASE16(3, msg, sizeof(msg)); + INT(4, keybytes); + + keys = tor_malloc(keybytes); + hexkeys = tor_malloc(keybytes*2+1); + if (onion_skin_ntor_client_handshake(&state, msg, keys, keybytes)<0) { + fprintf(stderr, "handshake failed"); + return 2; + } + + base16_encode(hexkeys, keybytes*2+1, (const char*)keys, keybytes); + printf("%s\n", hexkeys); + + tor_free(keys); + tor_free(hexkeys); + + return 0; +} + +int +main(int argc, char **argv) +{ + /* + client1: nodeID B -> msg state + server1: b nodeID msg N -> msg keys + client2: state msg N -> keys + */ + if (argc < 2) { + fprintf(stderr, "I need arguments. Read source for more info.\n"); + return 1; + } else if (!strcmp(argv[1], "client1")) { + return client1(argc, argv); + } else if (!strcmp(argv[1], "server1")) { + return server1(argc, argv); + } else if (!strcmp(argv[1], "client2")) { + return client2(argc, argv); + } else { + fprintf(stderr, "What's a %s?\n", argv[1]); + return 1; + } +} + -- cgit v1.2.3