|
@@ -124,13 +124,13 @@ int onionskin_answer(circuit_t *circ, unsigned char *payload, unsigned char *key
|
|
|
memset(&cell, 0, sizeof(cell_t));
|
|
|
cell.command = CELL_CREATED;
|
|
|
cell.circ_id = circ->p_circ_id;
|
|
|
- cell.length = DH_KEY_LEN;
|
|
|
+ cell.length = ONIONSKIN_REPLY_LEN;
|
|
|
|
|
|
circ->state = CIRCUIT_STATE_OPEN;
|
|
|
|
|
|
log_fn(LOG_DEBUG,"Entering.");
|
|
|
|
|
|
- memcpy(cell.payload, payload, DH_KEY_LEN);
|
|
|
+ memcpy(cell.payload, payload, ONIONSKIN_REPLY_LEN);
|
|
|
|
|
|
log_fn(LOG_DEBUG,"init cipher forward %d, backward %d.", *(int*)keys, *(int*)(keys+16));
|
|
|
|
|
@@ -548,52 +548,56 @@ int onion_extend_cpath(crypt_path_t **head_ptr, cpath_build_state_t *state, rout
|
|
|
|
|
|
/*----------------------------------------------------------------------*/
|
|
|
|
|
|
-/* Given a router's public key, generates a 144-byte encrypted DH pubkey,
|
|
|
- * and stores it into onion_skin out. Stores the DH private key into
|
|
|
- * handshake_state_out for later completion of the handshake.
|
|
|
+/* Given a router's 128 byte public key,
|
|
|
+ stores the following in onion_skin_out:
|
|
|
+[16 bytes] Symmetric key for encrypting blob past RSA
|
|
|
+[112 bytes] g^x part 1 (inside the RSA)
|
|
|
+[16 bytes] g^x part 2 (symmetrically encrypted)
|
|
|
+[ 6 bytes] Meeting point (IP/port)
|
|
|
+[ 8 bytes] Meeting cookie
|
|
|
+[16 bytes] End-to-end authentication [optional]
|
|
|
+
|
|
|
+ * Stores the DH private key into handshake_state_out for later completion
|
|
|
+ * of the handshake.
|
|
|
*
|
|
|
- * The encrypted pubkey is formed as follows:
|
|
|
- * 16 bytes of symmetric key
|
|
|
- * 128 bytes of g^x for DH.
|
|
|
- * The first 128 bytes are RSA-encrypted with the server's public key,
|
|
|
- * and the last 16 are encrypted with the symmetric key.
|
|
|
+ * The meeting point/cookies and auth are zeroed out for now.
|
|
|
*/
|
|
|
int
|
|
|
onion_skin_create(crypto_pk_env_t *dest_router_key,
|
|
|
crypto_dh_env_t **handshake_state_out,
|
|
|
- char *onion_skin_out) /* Must be DH_ONIONSKIN_LEN bytes long */
|
|
|
+ char *onion_skin_out) /* Must be ONIONSKIN_CHALLENGE_LEN bytes */
|
|
|
{
|
|
|
char iv[16];
|
|
|
- char *pubkey = NULL;
|
|
|
+ char *challenge = NULL;
|
|
|
crypto_dh_env_t *dh = NULL;
|
|
|
crypto_cipher_env_t *cipher = NULL;
|
|
|
int dhbytes, pkbytes;
|
|
|
|
|
|
*handshake_state_out = NULL;
|
|
|
- memset(onion_skin_out, 0, DH_ONIONSKIN_LEN);
|
|
|
+ memset(onion_skin_out, 0, ONIONSKIN_CHALLENGE_LEN);
|
|
|
memset(iv, 0, 16);
|
|
|
|
|
|
if (!(dh = crypto_dh_new()))
|
|
|
goto err;
|
|
|
-
|
|
|
+
|
|
|
dhbytes = crypto_dh_get_bytes(dh);
|
|
|
pkbytes = crypto_pk_keysize(dest_router_key);
|
|
|
- assert(dhbytes+16 == DH_ONIONSKIN_LEN);
|
|
|
- pubkey = (char *)tor_malloc(dhbytes+16);
|
|
|
+ assert(dhbytes == 128);
|
|
|
+ assert(pkbytes == 128);
|
|
|
+ challenge = (char *)tor_malloc_zero(ONIONSKIN_CHALLENGE_LEN);
|
|
|
|
|
|
- if (crypto_rand(16, pubkey))
|
|
|
+ if (crypto_rand(16, challenge))
|
|
|
goto err;
|
|
|
|
|
|
/* You can't just run around RSA-encrypting any bitstream: if it's
|
|
|
* greater than the RSA key, then OpenSSL will happily encrypt,
|
|
|
* and later decrypt to the wrong value. So we set the first bit
|
|
|
- * of 'pubkey' to 0. This means that our symmetric key is really only
|
|
|
- * 127 bits long, but since it shouldn't be necessary to encrypt
|
|
|
- * DH public keys values in the first place, we should be fine.
|
|
|
+ * of 'challenge' to 0. This means that our symmetric key is really
|
|
|
+ * only 127 bits.
|
|
|
*/
|
|
|
- pubkey[0] &= 0x7f;
|
|
|
+ challenge[0] &= 0x7f;
|
|
|
|
|
|
- if (crypto_dh_get_public(dh, pubkey+16, dhbytes))
|
|
|
+ if (crypto_dh_get_public(dh, challenge+16, dhbytes))
|
|
|
goto err;
|
|
|
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
@@ -601,65 +605,69 @@ onion_skin_create(crypto_pk_env_t *dest_router_key,
|
|
|
{ int _i; for (_i = 0; _i<n; ++_i) printf("%02x ",((int)(a)[_i])&0xFF); }
|
|
|
|
|
|
printf("Client: client g^x:");
|
|
|
- PA(pubkey+16,3);
|
|
|
+ PA(challenge+16,3);
|
|
|
printf("...");
|
|
|
- PA(pubkey+141,3);
|
|
|
+ PA(challenge+141,3);
|
|
|
puts("");
|
|
|
|
|
|
printf("Client: client symkey:");
|
|
|
- PA(pubkey+0,16);
|
|
|
+ PA(challenge+0,16);
|
|
|
puts("");
|
|
|
#endif
|
|
|
|
|
|
- cipher = crypto_create_init_cipher(ONION_CIPHER, pubkey, iv, 1);
|
|
|
+ /* set meeting point, meeting cookie, etc here. Leave zero for now. */
|
|
|
+
|
|
|
+ cipher = crypto_create_init_cipher(ONION_CIPHER, challenge, iv, 1);
|
|
|
|
|
|
if (!cipher)
|
|
|
goto err;
|
|
|
|
|
|
- if (crypto_pk_public_encrypt(dest_router_key, pubkey, pkbytes,
|
|
|
+ if (crypto_pk_public_encrypt(dest_router_key, challenge, pkbytes,
|
|
|
onion_skin_out, RSA_NO_PADDING)==-1)
|
|
|
goto err;
|
|
|
|
|
|
- if (crypto_cipher_encrypt(cipher, pubkey+pkbytes, dhbytes+16-pkbytes,
|
|
|
+ if (crypto_cipher_encrypt(cipher, challenge+pkbytes, ONIONSKIN_CHALLENGE_LEN-pkbytes,
|
|
|
onion_skin_out+pkbytes))
|
|
|
goto err;
|
|
|
|
|
|
- free(pubkey);
|
|
|
+ tor_free(challenge);
|
|
|
crypto_free_cipher_env(cipher);
|
|
|
*handshake_state_out = dh;
|
|
|
|
|
|
return 0;
|
|
|
err:
|
|
|
- tor_free(pubkey);
|
|
|
+ tor_free(challenge);
|
|
|
if (dh) crypto_dh_free(dh);
|
|
|
if (cipher) crypto_free_cipher_env(cipher);
|
|
|
return -1;
|
|
|
}
|
|
|
|
|
|
/* Given an encrypted DH public key as generated by onion_skin_create,
|
|
|
- * and the private key for this onion router, generate the 128-byte DH
|
|
|
- * reply, and key_out_len bytes of key material, stored in key_out.
|
|
|
+ * and the private key for this onion router, generate the reply (128-byte
|
|
|
+ * DH plus the first 20 bytes of shared key material), and store the
|
|
|
+ * next key_out_len bytes of key material in key_out.
|
|
|
*/
|
|
|
int
|
|
|
-onion_skin_server_handshake(char *onion_skin, /* DH_ONIONSKIN_LEN bytes long */
|
|
|
+onion_skin_server_handshake(char *onion_skin, /* ONIONSKIN_CHALLENGE_LEN bytes */
|
|
|
crypto_pk_env_t *private_key,
|
|
|
- char *handshake_reply_out, /* DH_KEY_LEN bytes long */
|
|
|
+ char *handshake_reply_out, /* ONIONSKIN_REPLY_LEN bytes */
|
|
|
char *key_out,
|
|
|
int key_out_len)
|
|
|
{
|
|
|
- char buf[DH_ONIONSKIN_LEN];
|
|
|
+ char challenge[ONIONSKIN_CHALLENGE_LEN];
|
|
|
char iv[16];
|
|
|
crypto_dh_env_t *dh = NULL;
|
|
|
crypto_cipher_env_t *cipher = NULL;
|
|
|
int pkbytes;
|
|
|
int len;
|
|
|
+ char *key_material=NULL;
|
|
|
|
|
|
memset(iv, 0, 16);
|
|
|
pkbytes = crypto_pk_keysize(private_key);
|
|
|
|
|
|
if (crypto_pk_private_decrypt(private_key,
|
|
|
onion_skin, pkbytes,
|
|
|
- buf, RSA_NO_PADDING) == -1)
|
|
|
+ challenge, RSA_NO_PADDING) == -1)
|
|
|
goto err;
|
|
|
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
@@ -668,10 +676,10 @@ onion_skin_server_handshake(char *onion_skin, /* DH_ONIONSKIN_LEN bytes long */
|
|
|
puts("");
|
|
|
#endif
|
|
|
|
|
|
- cipher = crypto_create_init_cipher(ONION_CIPHER, buf, iv, 0);
|
|
|
+ cipher = crypto_create_init_cipher(ONION_CIPHER, challenge, iv, 0);
|
|
|
|
|
|
- if (crypto_cipher_decrypt(cipher, onion_skin+pkbytes, DH_ONIONSKIN_LEN-pkbytes,
|
|
|
- buf+pkbytes))
|
|
|
+ if (crypto_cipher_decrypt(cipher, onion_skin+pkbytes, ONIONSKIN_CHALLENGE_LEN-pkbytes,
|
|
|
+ challenge+pkbytes))
|
|
|
goto err;
|
|
|
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
@@ -681,7 +689,7 @@ onion_skin_server_handshake(char *onion_skin, /* DH_ONIONSKIN_LEN bytes long */
|
|
|
PA(buf+141,3);
|
|
|
puts("");
|
|
|
#endif
|
|
|
-
|
|
|
+
|
|
|
dh = crypto_dh_new();
|
|
|
if (crypto_dh_get_public(dh, handshake_reply_out, DH_KEY_LEN))
|
|
|
goto err;
|
|
@@ -694,10 +702,18 @@ onion_skin_server_handshake(char *onion_skin, /* DH_ONIONSKIN_LEN bytes long */
|
|
|
puts("");
|
|
|
#endif
|
|
|
|
|
|
- len = crypto_dh_compute_secret(dh, buf+16, DH_KEY_LEN, key_out, key_out_len);
|
|
|
+ key_material = tor_malloc(20+key_out_len);
|
|
|
+ len = crypto_dh_compute_secret(dh, challenge+16, DH_KEY_LEN,
|
|
|
+ key_material, 20+key_out_len);
|
|
|
if (len < 0)
|
|
|
goto err;
|
|
|
|
|
|
+ /* send back H(K) as proof that we learned K. */
|
|
|
+ memcpy(handshake_reply_out+DH_KEY_LEN, key_material, 20);
|
|
|
+
|
|
|
+ /* use the rest of the key material for our shared keys, digests, etc */
|
|
|
+ memcpy(key_out, key_material+20, key_out_len);
|
|
|
+
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
printf("Server: key material:");
|
|
|
PA(buf, DH_KEY_LEN);
|
|
@@ -707,10 +723,12 @@ onion_skin_server_handshake(char *onion_skin, /* DH_ONIONSKIN_LEN bytes long */
|
|
|
puts("");
|
|
|
#endif
|
|
|
|
|
|
+ tor_free(key_material);
|
|
|
crypto_free_cipher_env(cipher);
|
|
|
crypto_dh_free(dh);
|
|
|
return 0;
|
|
|
err:
|
|
|
+ tor_free(key_material);
|
|
|
if (cipher) crypto_free_cipher_env(cipher);
|
|
|
if (dh) crypto_dh_free(dh);
|
|
|
|
|
@@ -718,19 +736,22 @@ onion_skin_server_handshake(char *onion_skin, /* DH_ONIONSKIN_LEN bytes long */
|
|
|
}
|
|
|
|
|
|
/* Finish the client side of the DH handshake.
|
|
|
- * Given the 128 byte DH reply as generated by onion_skin_server_handshake
|
|
|
- * and the handshake state generated by onion_skin_create, generate
|
|
|
- * key_out_len bytes of shared key material and store them in key_out.
|
|
|
+ * Given the 128 byte DH reply + 20 byte hash as generated by
|
|
|
+ * onion_skin_server_handshake and the handshake state generated by
|
|
|
+ * onion_skin_create, verify H(K) with the first 20 bytes of shared
|
|
|
+ * key material, then generate key_out_len more bytes of shared key
|
|
|
+ * material and store them in key_out.
|
|
|
*
|
|
|
* After the invocation, call crypto_dh_free on handshake_state.
|
|
|
*/
|
|
|
int
|
|
|
onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
|
|
|
- char *handshake_reply,/* Must be DH_KEY_LEN bytes long*/
|
|
|
+ char *handshake_reply, /* Must be ONIONSKIN_REPLY_LEN bytes */
|
|
|
char *key_out,
|
|
|
- int key_out_len)
|
|
|
+ int key_out_len)
|
|
|
{
|
|
|
int len;
|
|
|
+ char *key_material=NULL;
|
|
|
assert(crypto_dh_get_bytes(handshake_state) == DH_KEY_LEN);
|
|
|
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
@@ -741,17 +762,29 @@ onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
|
|
|
puts("");
|
|
|
#endif
|
|
|
|
|
|
+ key_material = tor_malloc(20+key_out_len);
|
|
|
len = crypto_dh_compute_secret(handshake_state, handshake_reply, DH_KEY_LEN,
|
|
|
- key_out, key_out_len);
|
|
|
+ key_material, 20+key_out_len);
|
|
|
if (len < 0)
|
|
|
return -1;
|
|
|
|
|
|
+ if(memcmp(key_material, handshake_reply+DH_KEY_LEN, 20)) {
|
|
|
+ /* H(K) does *not* match. Something fishy. */
|
|
|
+ tor_free(key_material);
|
|
|
+ log_fn(LOG_WARN,"Digest DOES NOT MATCH on onion handshake. Bug or attack.");
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* use the rest of the key material for our shared keys, digests, etc */
|
|
|
+ memcpy(key_out, key_material+20, key_out_len);
|
|
|
+
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
printf("Client: keys out:");
|
|
|
PA(key_out, key_out_len);
|
|
|
puts("");
|
|
|
#endif
|
|
|
|
|
|
+ tor_free(key_material);
|
|
|
return 0;
|
|
|
}
|
|
|
|