onion_ntor.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335
  1. /* Copyright (c) 2012-2017, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file onion_ntor.c
  5. *
  6. * \brief Implementation for the ntor handshake.
  7. *
  8. * The ntor circuit-extension handshake was developed as a replacement
  9. * for the old TAP handshake. It uses Elliptic-curve Diffie-Hellman and
  10. * a hash function in order to perform a one-way authenticated key
  11. * exchange. The ntor handshake is meant to replace the old "TAP"
  12. * handshake.
  13. *
  14. * We instantiate ntor with curve25519, HMAC-SHA256, and HKDF.
  15. *
  16. * This handshake, like the other circuit-extension handshakes, is
  17. * invoked from onion.c.
  18. */
  19. #include "orconfig.h"
  20. #define ONION_NTOR_PRIVATE
  21. #include "crypto.h"
  22. #include "onion_ntor.h"
  23. #include "torlog.h"
  24. #include "util.h"
  25. /** Free storage held in an ntor handshake state. */
  26. void
  27. ntor_handshake_state_free(ntor_handshake_state_t *state)
  28. {
  29. if (!state)
  30. return;
  31. memwipe(state, 0, sizeof(*state));
  32. tor_free(state);
  33. }
  34. /** Convenience function to represent HMAC_SHA256 as our instantiation of
  35. * ntor's "tweaked hash'. Hash the <b>inp_len</b> bytes at <b>inp</b> into
  36. * a DIGEST256_LEN-byte digest at <b>out</b>, with the hash changing
  37. * depending on the value of <b>tweak</b>. */
  38. static void
  39. h_tweak(uint8_t *out,
  40. const uint8_t *inp, size_t inp_len,
  41. const char *tweak)
  42. {
  43. size_t tweak_len = strlen(tweak);
  44. crypto_hmac_sha256((char*)out, tweak, tweak_len, (const char*)inp, inp_len);
  45. }
  46. /** Wrapper around a set of tweak-values for use with the ntor handshake. */
  47. typedef struct tweakset_t {
  48. const char *t_mac;
  49. const char *t_key;
  50. const char *t_verify;
  51. const char *m_expand;
  52. } tweakset_t;
  53. /** The tweaks to be used with our handshake. */
  54. static const tweakset_t proto1_tweaks = {
  55. #define PROTOID "ntor-curve25519-sha256-1"
  56. #define PROTOID_LEN 24
  57. PROTOID ":mac",
  58. PROTOID ":key_extract",
  59. PROTOID ":verify",
  60. PROTOID ":key_expand"
  61. };
  62. /** Convenience macro: copy <b>len</b> bytes from <b>inp</b> to <b>ptr</b>,
  63. * and advance <b>ptr</b> by the number of bytes copied. */
  64. #define APPEND(ptr, inp, len) \
  65. STMT_BEGIN { \
  66. memcpy(ptr, (inp), (len)); \
  67. ptr += len; \
  68. } STMT_END
  69. /**
  70. * Compute the first client-side step of the ntor handshake for communicating
  71. * with a server whose DIGEST_LEN-byte server identity is <b>router_id</b>,
  72. * and whose onion key is <b>router_key</b>. Store the NTOR_ONIONSKIN_LEN-byte
  73. * message in <b>onion_skin_out</b>, and store the handshake state in
  74. * *<b>handshake_state_out</b>. Return 0 on success, -1 on failure.
  75. */
  76. int
  77. onion_skin_ntor_create(const uint8_t *router_id,
  78. const curve25519_public_key_t *router_key,
  79. ntor_handshake_state_t **handshake_state_out,
  80. uint8_t *onion_skin_out)
  81. {
  82. ntor_handshake_state_t *state;
  83. uint8_t *op;
  84. state = tor_malloc_zero(sizeof(ntor_handshake_state_t));
  85. memcpy(state->router_id, router_id, DIGEST_LEN);
  86. memcpy(&state->pubkey_B, router_key, sizeof(curve25519_public_key_t));
  87. if (curve25519_secret_key_generate(&state->seckey_x, 0) < 0) {
  88. /* LCOV_EXCL_START
  89. * Secret key generation should be unable to fail when the key isn't
  90. * marked as "extra-strong" */
  91. tor_assert_nonfatal_unreached();
  92. tor_free(state);
  93. return -1;
  94. /* LCOV_EXCL_STOP */
  95. }
  96. curve25519_public_key_generate(&state->pubkey_X, &state->seckey_x);
  97. op = onion_skin_out;
  98. APPEND(op, router_id, DIGEST_LEN);
  99. APPEND(op, router_key->public_key, CURVE25519_PUBKEY_LEN);
  100. APPEND(op, state->pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  101. tor_assert(op == onion_skin_out + NTOR_ONIONSKIN_LEN);
  102. *handshake_state_out = state;
  103. return 0;
  104. }
  105. #define SERVER_STR "Server"
  106. #define SERVER_STR_LEN 6
  107. #define SECRET_INPUT_LEN (CURVE25519_PUBKEY_LEN * 3 + \
  108. CURVE25519_OUTPUT_LEN * 2 + \
  109. DIGEST_LEN + PROTOID_LEN)
  110. #define AUTH_INPUT_LEN (DIGEST256_LEN + DIGEST_LEN + \
  111. CURVE25519_PUBKEY_LEN*3 + \
  112. PROTOID_LEN + SERVER_STR_LEN)
  113. /**
  114. * Perform the server side of an ntor handshake. Given an
  115. * NTOR_ONIONSKIN_LEN-byte message in <b>onion_skin</b>, our own identity
  116. * fingerprint as <b>my_node_id</b>, and an associative array mapping public
  117. * onion keys to curve25519_keypair_t in <b>private_keys</b>, attempt to
  118. * perform the handshake. Use <b>junk_keys</b> if present if the handshake
  119. * indicates an unrecognized public key. Write an NTOR_REPLY_LEN-byte
  120. * message to send back to the client into <b>handshake_reply_out</b>, and
  121. * generate <b>key_out_len</b> bytes of key material in <b>key_out</b>. Return
  122. * 0 on success, -1 on failure.
  123. */
  124. int
  125. onion_skin_ntor_server_handshake(const uint8_t *onion_skin,
  126. const di_digest256_map_t *private_keys,
  127. const curve25519_keypair_t *junk_keys,
  128. const uint8_t *my_node_id,
  129. uint8_t *handshake_reply_out,
  130. uint8_t *key_out,
  131. size_t key_out_len)
  132. {
  133. const tweakset_t *T = &proto1_tweaks;
  134. /* Sensitive stack-allocated material. Kept in an anonymous struct to make
  135. * it easy to wipe. */
  136. struct {
  137. uint8_t secret_input[SECRET_INPUT_LEN];
  138. uint8_t auth_input[AUTH_INPUT_LEN];
  139. curve25519_public_key_t pubkey_X;
  140. curve25519_secret_key_t seckey_y;
  141. curve25519_public_key_t pubkey_Y;
  142. uint8_t verify[DIGEST256_LEN];
  143. } s;
  144. uint8_t *si = s.secret_input, *ai = s.auth_input;
  145. const curve25519_keypair_t *keypair_bB;
  146. int bad;
  147. /* Decode the onion skin */
  148. /* XXXX Does this possible early-return business threaten our security? */
  149. if (tor_memneq(onion_skin, my_node_id, DIGEST_LEN))
  150. return -1;
  151. /* Note that on key-not-found, we go through with this operation anyway,
  152. * using "junk_keys". This will result in failed authentication, but won't
  153. * leak whether we recognized the key. */
  154. keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN,
  155. (void*)junk_keys);
  156. if (!keypair_bB)
  157. return -1;
  158. memcpy(s.pubkey_X.public_key, onion_skin+DIGEST_LEN+DIGEST256_LEN,
  159. CURVE25519_PUBKEY_LEN);
  160. /* Make y, Y */
  161. curve25519_secret_key_generate(&s.seckey_y, 0);
  162. curve25519_public_key_generate(&s.pubkey_Y, &s.seckey_y);
  163. /* NOTE: If we ever use a group other than curve25519, or a different
  164. * representation for its points, we may need to perform different or
  165. * additional checks on X here and on Y in the client handshake, or lose our
  166. * security properties. What checks we need would depend on the properties
  167. * of the group and its representation.
  168. *
  169. * In short: if you use anything other than curve25519, this aspect of the
  170. * code will need to be reconsidered carefully. */
  171. /* build secret_input */
  172. curve25519_handshake(si, &s.seckey_y, &s.pubkey_X);
  173. bad = safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
  174. si += CURVE25519_OUTPUT_LEN;
  175. curve25519_handshake(si, &keypair_bB->seckey, &s.pubkey_X);
  176. bad |= safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
  177. si += CURVE25519_OUTPUT_LEN;
  178. APPEND(si, my_node_id, DIGEST_LEN);
  179. APPEND(si, keypair_bB->pubkey.public_key, CURVE25519_PUBKEY_LEN);
  180. APPEND(si, s.pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  181. APPEND(si, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  182. APPEND(si, PROTOID, PROTOID_LEN);
  183. tor_assert(si == s.secret_input + sizeof(s.secret_input));
  184. /* Compute hashes of secret_input */
  185. h_tweak(s.verify, s.secret_input, sizeof(s.secret_input), T->t_verify);
  186. /* Compute auth_input */
  187. APPEND(ai, s.verify, DIGEST256_LEN);
  188. APPEND(ai, my_node_id, DIGEST_LEN);
  189. APPEND(ai, keypair_bB->pubkey.public_key, CURVE25519_PUBKEY_LEN);
  190. APPEND(ai, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  191. APPEND(ai, s.pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  192. APPEND(ai, PROTOID, PROTOID_LEN);
  193. APPEND(ai, SERVER_STR, SERVER_STR_LEN);
  194. tor_assert(ai == s.auth_input + sizeof(s.auth_input));
  195. /* Build the reply */
  196. memcpy(handshake_reply_out, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  197. h_tweak(handshake_reply_out+CURVE25519_PUBKEY_LEN,
  198. s.auth_input, sizeof(s.auth_input),
  199. T->t_mac);
  200. /* Generate the key material */
  201. crypto_expand_key_material_rfc5869_sha256(
  202. s.secret_input, sizeof(s.secret_input),
  203. (const uint8_t*)T->t_key, strlen(T->t_key),
  204. (const uint8_t*)T->m_expand, strlen(T->m_expand),
  205. key_out, key_out_len);
  206. /* Wipe all of our local state */
  207. memwipe(&s, 0, sizeof(s));
  208. return bad ? -1 : 0;
  209. }
  210. /**
  211. * Perform the final client side of the ntor handshake, using the state in
  212. * <b>handshake_state</b> and the server's NTOR_REPLY_LEN-byte reply in
  213. * <b>handshake_reply</b>. Generate <b>key_out_len</b> bytes of key material
  214. * in <b>key_out</b>. Return 0 on success, -1 on failure.
  215. */
  216. int
  217. onion_skin_ntor_client_handshake(
  218. const ntor_handshake_state_t *handshake_state,
  219. const uint8_t *handshake_reply,
  220. uint8_t *key_out,
  221. size_t key_out_len,
  222. const char **msg_out)
  223. {
  224. const tweakset_t *T = &proto1_tweaks;
  225. /* Sensitive stack-allocated material. Kept in an anonymous struct to make
  226. * it easy to wipe. */
  227. struct {
  228. curve25519_public_key_t pubkey_Y;
  229. uint8_t secret_input[SECRET_INPUT_LEN];
  230. uint8_t verify[DIGEST256_LEN];
  231. uint8_t auth_input[AUTH_INPUT_LEN];
  232. uint8_t auth[DIGEST256_LEN];
  233. } s;
  234. uint8_t *ai = s.auth_input, *si = s.secret_input;
  235. const uint8_t *auth_candidate;
  236. int bad;
  237. /* Decode input */
  238. memcpy(s.pubkey_Y.public_key, handshake_reply, CURVE25519_PUBKEY_LEN);
  239. auth_candidate = handshake_reply + CURVE25519_PUBKEY_LEN;
  240. /* See note in server_handshake above about checking points. The
  241. * circumstances under which we'd need to check Y for membership are
  242. * different than those under which we'd be checking X. */
  243. /* Compute secret_input */
  244. curve25519_handshake(si, &handshake_state->seckey_x, &s.pubkey_Y);
  245. bad = safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
  246. si += CURVE25519_OUTPUT_LEN;
  247. curve25519_handshake(si, &handshake_state->seckey_x,
  248. &handshake_state->pubkey_B);
  249. bad |= (safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN) << 1);
  250. si += CURVE25519_OUTPUT_LEN;
  251. APPEND(si, handshake_state->router_id, DIGEST_LEN);
  252. APPEND(si, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN);
  253. APPEND(si, handshake_state->pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  254. APPEND(si, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  255. APPEND(si, PROTOID, PROTOID_LEN);
  256. tor_assert(si == s.secret_input + sizeof(s.secret_input));
  257. /* Compute verify from secret_input */
  258. h_tweak(s.verify, s.secret_input, sizeof(s.secret_input), T->t_verify);
  259. /* Compute auth_input */
  260. APPEND(ai, s.verify, DIGEST256_LEN);
  261. APPEND(ai, handshake_state->router_id, DIGEST_LEN);
  262. APPEND(ai, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN);
  263. APPEND(ai, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  264. APPEND(ai, handshake_state->pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  265. APPEND(ai, PROTOID, PROTOID_LEN);
  266. APPEND(ai, SERVER_STR, SERVER_STR_LEN);
  267. tor_assert(ai == s.auth_input + sizeof(s.auth_input));
  268. /* Compute auth */
  269. h_tweak(s.auth, s.auth_input, sizeof(s.auth_input), T->t_mac);
  270. bad |= (tor_memneq(s.auth, auth_candidate, DIGEST256_LEN) << 2);
  271. crypto_expand_key_material_rfc5869_sha256(
  272. s.secret_input, sizeof(s.secret_input),
  273. (const uint8_t*)T->t_key, strlen(T->t_key),
  274. (const uint8_t*)T->m_expand, strlen(T->m_expand),
  275. key_out, key_out_len);
  276. memwipe(&s, 0, sizeof(s));
  277. if (bad) {
  278. if (bad & 4) {
  279. if (msg_out)
  280. *msg_out = NULL; /* Don't report this one; we probably just had the
  281. * wrong onion key.*/
  282. log_fn(LOG_INFO, LD_PROTOCOL,
  283. "Invalid result from curve25519 handshake: %d", bad);
  284. }
  285. if (bad & 3) {
  286. if (msg_out)
  287. *msg_out = "Zero output from curve25519 handshake";
  288. log_fn(LOG_WARN, LD_PROTOCOL,
  289. "Invalid result from curve25519 handshake: %d", bad);
  290. }
  291. }
  292. return bad ? -1 : 0;
  293. }