onion_ntor.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313
  1. /* Copyright (c) 2012-2015, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. #include "orconfig.h"
  4. #define ONION_NTOR_PRIVATE
  5. #include "crypto.h"
  6. #include "onion_ntor.h"
  7. #include "torlog.h"
  8. #include "util.h"
  9. /** Free storage held in an ntor handshake state. */
  10. void
  11. ntor_handshake_state_free(ntor_handshake_state_t *state)
  12. {
  13. if (!state)
  14. return;
  15. memwipe(state, 0, sizeof(*state));
  16. tor_free(state);
  17. }
  18. /** Convenience function to represent HMAC_SHA256 as our instantiation of
  19. * ntor's "tweaked hash'. Hash the <b>inp_len</b> bytes at <b>inp</b> into
  20. * a DIGEST256_LEN-byte digest at <b>out</b>, with the hash changing
  21. * depending on the value of <b>tweak</b>. */
  22. static void
  23. h_tweak(uint8_t *out,
  24. const uint8_t *inp, size_t inp_len,
  25. const char *tweak)
  26. {
  27. size_t tweak_len = strlen(tweak);
  28. crypto_hmac_sha256((char*)out, tweak, tweak_len, (const char*)inp, inp_len);
  29. }
  30. /** Wrapper around a set of tweak-values for use with the ntor handshake. */
  31. typedef struct tweakset_t {
  32. const char *t_mac;
  33. const char *t_key;
  34. const char *t_verify;
  35. const char *m_expand;
  36. } tweakset_t;
  37. /** The tweaks to be used with our handshake. */
  38. const tweakset_t proto1_tweaks = {
  39. #define PROTOID "ntor-curve25519-sha256-1"
  40. #define PROTOID_LEN 24
  41. PROTOID ":mac",
  42. PROTOID ":key_extract",
  43. PROTOID ":verify",
  44. PROTOID ":key_expand"
  45. };
  46. /** Convenience macro: copy <b>len</b> bytes from <b>inp</b> to <b>ptr</b>,
  47. * and advance <b>ptr</b> by the number of bytes copied. */
  48. #define APPEND(ptr, inp, len) \
  49. STMT_BEGIN { \
  50. memcpy(ptr, (inp), (len)); \
  51. ptr += len; \
  52. } STMT_END
  53. /**
  54. * Compute the first client-side step of the ntor handshake for communicating
  55. * with a server whose DIGEST_LEN-byte server identity is <b>router_id</b>,
  56. * and whose onion key is <b>router_key</b>. Store the NTOR_ONIONSKIN_LEN-byte
  57. * message in <b>onion_skin_out</b>, and store the handshake state in
  58. * *<b>handshake_state_out</b>. Return 0 on success, -1 on failure.
  59. */
  60. int
  61. onion_skin_ntor_create(const uint8_t *router_id,
  62. const curve25519_public_key_t *router_key,
  63. ntor_handshake_state_t **handshake_state_out,
  64. uint8_t *onion_skin_out)
  65. {
  66. ntor_handshake_state_t *state;
  67. uint8_t *op;
  68. state = tor_malloc_zero(sizeof(ntor_handshake_state_t));
  69. memcpy(state->router_id, router_id, DIGEST_LEN);
  70. memcpy(&state->pubkey_B, router_key, sizeof(curve25519_public_key_t));
  71. if (curve25519_secret_key_generate(&state->seckey_x, 0) < 0) {
  72. tor_free(state);
  73. return -1;
  74. }
  75. curve25519_public_key_generate(&state->pubkey_X, &state->seckey_x);
  76. op = onion_skin_out;
  77. APPEND(op, router_id, DIGEST_LEN);
  78. APPEND(op, router_key->public_key, CURVE25519_PUBKEY_LEN);
  79. APPEND(op, state->pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  80. tor_assert(op == onion_skin_out + NTOR_ONIONSKIN_LEN);
  81. *handshake_state_out = state;
  82. return 0;
  83. }
  84. #define SERVER_STR "Server"
  85. #define SERVER_STR_LEN 6
  86. #define SECRET_INPUT_LEN (CURVE25519_PUBKEY_LEN * 3 + \
  87. CURVE25519_OUTPUT_LEN * 2 + \
  88. DIGEST_LEN + PROTOID_LEN)
  89. #define AUTH_INPUT_LEN (DIGEST256_LEN + DIGEST_LEN + \
  90. CURVE25519_PUBKEY_LEN*3 + \
  91. PROTOID_LEN + SERVER_STR_LEN)
  92. /**
  93. * Perform the server side of an ntor handshake. Given an
  94. * NTOR_ONIONSKIN_LEN-byte message in <b>onion_skin</b>, our own identity
  95. * fingerprint as <b>my_node_id</b>, and an associative array mapping public
  96. * onion keys to curve25519_keypair_t in <b>private_keys</b>, attempt to
  97. * perform the handshake. Use <b>junk_keys</b> if present if the handshake
  98. * indicates an unrecognized public key. Write an NTOR_REPLY_LEN-byte
  99. * message to send back to the client into <b>handshake_reply_out</b>, and
  100. * generate <b>key_out_len</b> bytes of key material in <b>key_out</b>. Return
  101. * 0 on success, -1 on failure.
  102. */
  103. int
  104. onion_skin_ntor_server_handshake(const uint8_t *onion_skin,
  105. const di_digest256_map_t *private_keys,
  106. const curve25519_keypair_t *junk_keys,
  107. const uint8_t *my_node_id,
  108. uint8_t *handshake_reply_out,
  109. uint8_t *key_out,
  110. size_t key_out_len)
  111. {
  112. const tweakset_t *T = &proto1_tweaks;
  113. /* Sensitive stack-allocated material. Kept in an anonymous struct to make
  114. * it easy to wipe. */
  115. struct {
  116. uint8_t secret_input[SECRET_INPUT_LEN];
  117. uint8_t auth_input[AUTH_INPUT_LEN];
  118. curve25519_public_key_t pubkey_X;
  119. curve25519_secret_key_t seckey_y;
  120. curve25519_public_key_t pubkey_Y;
  121. uint8_t verify[DIGEST256_LEN];
  122. } s;
  123. uint8_t *si = s.secret_input, *ai = s.auth_input;
  124. const curve25519_keypair_t *keypair_bB;
  125. int bad;
  126. /* Decode the onion skin */
  127. /* XXXX Does this possible early-return business threaten our security? */
  128. if (tor_memneq(onion_skin, my_node_id, DIGEST_LEN))
  129. return -1;
  130. /* Note that on key-not-found, we go through with this operation anyway,
  131. * using "junk_keys". This will result in failed authentication, but won't
  132. * leak whether we recognized the key. */
  133. keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN,
  134. (void*)junk_keys);
  135. if (!keypair_bB)
  136. return -1;
  137. memcpy(s.pubkey_X.public_key, onion_skin+DIGEST_LEN+DIGEST256_LEN,
  138. CURVE25519_PUBKEY_LEN);
  139. /* Make y, Y */
  140. curve25519_secret_key_generate(&s.seckey_y, 0);
  141. curve25519_public_key_generate(&s.pubkey_Y, &s.seckey_y);
  142. /* NOTE: If we ever use a group other than curve25519, or a different
  143. * representation for its points, we may need to perform different or
  144. * additional checks on X here and on Y in the client handshake, or lose our
  145. * security properties. What checks we need would depend on the properties
  146. * of the group and its representation.
  147. *
  148. * In short: if you use anything other than curve25519, this aspect of the
  149. * code will need to be reconsidered carefully. */
  150. /* build secret_input */
  151. curve25519_handshake(si, &s.seckey_y, &s.pubkey_X);
  152. bad = safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
  153. si += CURVE25519_OUTPUT_LEN;
  154. curve25519_handshake(si, &keypair_bB->seckey, &s.pubkey_X);
  155. bad |= safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
  156. si += CURVE25519_OUTPUT_LEN;
  157. APPEND(si, my_node_id, DIGEST_LEN);
  158. APPEND(si, keypair_bB->pubkey.public_key, CURVE25519_PUBKEY_LEN);
  159. APPEND(si, s.pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  160. APPEND(si, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  161. APPEND(si, PROTOID, PROTOID_LEN);
  162. tor_assert(si == s.secret_input + sizeof(s.secret_input));
  163. /* Compute hashes of secret_input */
  164. h_tweak(s.verify, s.secret_input, sizeof(s.secret_input), T->t_verify);
  165. /* Compute auth_input */
  166. APPEND(ai, s.verify, DIGEST256_LEN);
  167. APPEND(ai, my_node_id, DIGEST_LEN);
  168. APPEND(ai, keypair_bB->pubkey.public_key, CURVE25519_PUBKEY_LEN);
  169. APPEND(ai, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  170. APPEND(ai, s.pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  171. APPEND(ai, PROTOID, PROTOID_LEN);
  172. APPEND(ai, SERVER_STR, SERVER_STR_LEN);
  173. tor_assert(ai == s.auth_input + sizeof(s.auth_input));
  174. /* Build the reply */
  175. memcpy(handshake_reply_out, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  176. h_tweak(handshake_reply_out+CURVE25519_PUBKEY_LEN,
  177. s.auth_input, sizeof(s.auth_input),
  178. T->t_mac);
  179. /* Generate the key material */
  180. crypto_expand_key_material_rfc5869_sha256(
  181. s.secret_input, sizeof(s.secret_input),
  182. (const uint8_t*)T->t_key, strlen(T->t_key),
  183. (const uint8_t*)T->m_expand, strlen(T->m_expand),
  184. key_out, key_out_len);
  185. /* Wipe all of our local state */
  186. memwipe(&s, 0, sizeof(s));
  187. return bad ? -1 : 0;
  188. }
  189. /**
  190. * Perform the final client side of the ntor handshake, using the state in
  191. * <b>handshake_state</b> and the server's NTOR_REPLY_LEN-byte reply in
  192. * <b>handshake_reply</b>. Generate <b>key_out_len</b> bytes of key material
  193. * in <b>key_out</b>. Return 0 on success, -1 on failure.
  194. */
  195. int
  196. onion_skin_ntor_client_handshake(
  197. const ntor_handshake_state_t *handshake_state,
  198. const uint8_t *handshake_reply,
  199. uint8_t *key_out,
  200. size_t key_out_len,
  201. const char **msg_out)
  202. {
  203. const tweakset_t *T = &proto1_tweaks;
  204. /* Sensitive stack-allocated material. Kept in an anonymous struct to make
  205. * it easy to wipe. */
  206. struct {
  207. curve25519_public_key_t pubkey_Y;
  208. uint8_t secret_input[SECRET_INPUT_LEN];
  209. uint8_t verify[DIGEST256_LEN];
  210. uint8_t auth_input[AUTH_INPUT_LEN];
  211. uint8_t auth[DIGEST256_LEN];
  212. } s;
  213. uint8_t *ai = s.auth_input, *si = s.secret_input;
  214. const uint8_t *auth_candidate;
  215. int bad;
  216. /* Decode input */
  217. memcpy(s.pubkey_Y.public_key, handshake_reply, CURVE25519_PUBKEY_LEN);
  218. auth_candidate = handshake_reply + CURVE25519_PUBKEY_LEN;
  219. /* See note in server_handshake above about checking points. The
  220. * circumstances under which we'd need to check Y for membership are
  221. * different than those under which we'd be checking X. */
  222. /* Compute secret_input */
  223. curve25519_handshake(si, &handshake_state->seckey_x, &s.pubkey_Y);
  224. bad = safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
  225. si += CURVE25519_OUTPUT_LEN;
  226. curve25519_handshake(si, &handshake_state->seckey_x,
  227. &handshake_state->pubkey_B);
  228. bad |= (safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN) << 1);
  229. si += CURVE25519_OUTPUT_LEN;
  230. APPEND(si, handshake_state->router_id, DIGEST_LEN);
  231. APPEND(si, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN);
  232. APPEND(si, handshake_state->pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  233. APPEND(si, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  234. APPEND(si, PROTOID, PROTOID_LEN);
  235. tor_assert(si == s.secret_input + sizeof(s.secret_input));
  236. /* Compute verify from secret_input */
  237. h_tweak(s.verify, s.secret_input, sizeof(s.secret_input), T->t_verify);
  238. /* Compute auth_input */
  239. APPEND(ai, s.verify, DIGEST256_LEN);
  240. APPEND(ai, handshake_state->router_id, DIGEST_LEN);
  241. APPEND(ai, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN);
  242. APPEND(ai, s.pubkey_Y.public_key, CURVE25519_PUBKEY_LEN);
  243. APPEND(ai, handshake_state->pubkey_X.public_key, CURVE25519_PUBKEY_LEN);
  244. APPEND(ai, PROTOID, PROTOID_LEN);
  245. APPEND(ai, SERVER_STR, SERVER_STR_LEN);
  246. tor_assert(ai == s.auth_input + sizeof(s.auth_input));
  247. /* Compute auth */
  248. h_tweak(s.auth, s.auth_input, sizeof(s.auth_input), T->t_mac);
  249. bad |= (tor_memneq(s.auth, auth_candidate, DIGEST256_LEN) << 2);
  250. crypto_expand_key_material_rfc5869_sha256(
  251. s.secret_input, sizeof(s.secret_input),
  252. (const uint8_t*)T->t_key, strlen(T->t_key),
  253. (const uint8_t*)T->m_expand, strlen(T->m_expand),
  254. key_out, key_out_len);
  255. memwipe(&s, 0, sizeof(s));
  256. if (bad) {
  257. if (bad & 4) {
  258. if (msg_out)
  259. *msg_out = NULL; /* Don't report this one; we probably just had the
  260. * wrong onion key.*/
  261. log_fn(LOG_INFO, LD_PROTOCOL,
  262. "Invalid result from curve25519 handshake: %d", bad);
  263. }
  264. if (bad & 3) {
  265. if (msg_out)
  266. *msg_out = "Zero output from curve25519 handshake";
  267. log_fn(LOG_WARN, LD_PROTOCOL,
  268. "Invalid result from curve25519 handshake: %d", bad);
  269. }
  270. }
  271. return bad ? -1 : 0;
  272. }