onion_fast.c 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142
  1. /* Copyright (c) 2001 Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file onion_fast.c
  8. * \brief Functions implement the CREATE_FAST circuit handshake.
  9. *
  10. * The "CREATE_FAST" handshake is an unauthenticated, non-forward-secure
  11. * key derivation mechanism based on SHA1. We used to use it for the
  12. * first hop of each circuit, since the TAP handshake provided no
  13. * additional security beyond the security already provided by the TLS
  14. * handshake [*].
  15. *
  16. * When we switched to ntor, we deprecated CREATE_FAST, since ntor is
  17. * stronger than our TLS handshake was, and fast enough to not be worrisome.
  18. *
  19. * This handshake, like the other circuit-extension handshakes, is
  20. * invoked from onion.c.
  21. *
  22. * [*]Actually, it's possible that TAP _was_ a little better than TLS with
  23. * RSA1024 certificates and EDH1024 for forward secrecy, if you
  24. * hypothesize an adversary who can compute discrete logarithms on a
  25. * small number of targeted DH1024 fields, but who can't break all that
  26. * many RSA1024 keys.
  27. **/
  28. #include "or.h"
  29. #include "onion_fast.h"
  30. /** Release all state held in <b>victim</b>. */
  31. void
  32. fast_handshake_state_free_(fast_handshake_state_t *victim)
  33. {
  34. if (! victim)
  35. return;
  36. memwipe(victim, 0, sizeof(fast_handshake_state_t));
  37. tor_free(victim);
  38. }
  39. /** Create the state needed to perform a CREATE_FAST handshake. Return 0
  40. * on success, -1 on failure. */
  41. int
  42. fast_onionskin_create(fast_handshake_state_t **handshake_state_out,
  43. uint8_t *handshake_out)
  44. {
  45. fast_handshake_state_t *s;
  46. *handshake_state_out = s = tor_malloc(sizeof(fast_handshake_state_t));
  47. crypto_rand((char*)s->state, sizeof(s->state));
  48. memcpy(handshake_out, s->state, DIGEST_LEN);
  49. return 0;
  50. }
  51. /** Implement the server side of the CREATE_FAST abbreviated handshake. The
  52. * client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x"). We
  53. * generate a reply of DIGEST_LEN*2 bytes in <b>key_out</b>, consisting of a
  54. * new random "y", followed by H(x|y) to check for correctness. We set
  55. * <b>key_out_len</b> bytes of key material in <b>key_out</b>.
  56. * Return 0 on success, &lt;0 on failure.
  57. **/
  58. int
  59. fast_server_handshake(const uint8_t *key_in, /* DIGEST_LEN bytes */
  60. uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */
  61. uint8_t *key_out,
  62. size_t key_out_len)
  63. {
  64. uint8_t tmp[DIGEST_LEN+DIGEST_LEN];
  65. uint8_t *out = NULL;
  66. size_t out_len;
  67. int r = -1;
  68. crypto_rand((char*)handshake_reply_out, DIGEST_LEN);
  69. memcpy(tmp, key_in, DIGEST_LEN);
  70. memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
  71. out_len = key_out_len+DIGEST_LEN;
  72. out = tor_malloc(out_len);
  73. if (BUG(crypto_expand_key_material_TAP(tmp, sizeof(tmp), out, out_len))) {
  74. goto done; // LCOV_EXCL_LINE
  75. }
  76. memcpy(handshake_reply_out+DIGEST_LEN, out, DIGEST_LEN);
  77. memcpy(key_out, out+DIGEST_LEN, key_out_len);
  78. r = 0;
  79. done:
  80. memwipe(tmp, 0, sizeof(tmp));
  81. memwipe(out, 0, out_len);
  82. tor_free(out);
  83. return r;
  84. }
  85. /** Implement the second half of the client side of the CREATE_FAST handshake.
  86. * We sent the server <b>handshake_state</b> ("x") already, and the server
  87. * told us <b>handshake_reply_out</b> (y|H(x|y)). Make sure that the hash is
  88. * correct, and generate key material in <b>key_out</b>. Return 0 on success,
  89. * true on failure.
  90. *
  91. * NOTE: The "CREATE_FAST" handshake path is distinguishable from regular
  92. * "onionskin" handshakes, and is not secure if an adversary can see or modify
  93. * the messages. Therefore, it should only be used by clients, and only as
  94. * the first hop of a circuit (since the first hop is already authenticated
  95. * and protected by TLS).
  96. */
  97. int
  98. fast_client_handshake(const fast_handshake_state_t *handshake_state,
  99. const uint8_t *handshake_reply_out,/*DIGEST_LEN*2 bytes*/
  100. uint8_t *key_out,
  101. size_t key_out_len,
  102. const char **msg_out)
  103. {
  104. uint8_t tmp[DIGEST_LEN+DIGEST_LEN];
  105. uint8_t *out;
  106. size_t out_len;
  107. int r = -1;
  108. memcpy(tmp, handshake_state->state, DIGEST_LEN);
  109. memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
  110. out_len = key_out_len+DIGEST_LEN;
  111. out = tor_malloc(out_len);
  112. if (BUG(crypto_expand_key_material_TAP(tmp, sizeof(tmp), out, out_len))) {
  113. /* LCOV_EXCL_START */
  114. if (msg_out)
  115. *msg_out = "Failed to expand key material";
  116. goto done;
  117. /* LCOV_EXCL_STOP */
  118. }
  119. if (tor_memneq(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
  120. /* H(K) does *not* match. Something fishy. */
  121. if (msg_out)
  122. *msg_out = "Digest DOES NOT MATCH on fast handshake. Bug or attack.";
  123. goto done;
  124. }
  125. memcpy(key_out, out+DIGEST_LEN, key_out_len);
  126. r = 0;
  127. done:
  128. memwipe(tmp, 0, sizeof(tmp));
  129. memwipe(out, 0, out_len);
  130. tor_free(out);
  131. return r;
  132. }