|
@@ -6,21 +6,26 @@
|
|
|
|
|
|
/**
|
|
|
* \file onion.c
|
|
|
- * \brief Functions to queue create cells, and handle onionskin
|
|
|
- * parsing and creation.
|
|
|
+ * \brief Functions to queue create cells, wrap the various onionskin types,
|
|
|
+ * and parse and create the CREATE cell and its allies.
|
|
|
**/
|
|
|
|
|
|
#include "or.h"
|
|
|
#include "circuitlist.h"
|
|
|
#include "config.h"
|
|
|
#include "onion.h"
|
|
|
+#include "onion_fast.h"
|
|
|
+#include "onion_ntor.h"
|
|
|
+#include "onion_tap.h"
|
|
|
+#include "relay.h"
|
|
|
#include "rephist.h"
|
|
|
+#include "router.h"
|
|
|
|
|
|
/** Type for a linked list of circuits that are waiting for a free CPU worker
|
|
|
* to process a waiting onion handshake. */
|
|
|
typedef struct onion_queue_t {
|
|
|
or_circuit_t *circ;
|
|
|
- char *onionskin;
|
|
|
+ create_cell_t *onionskin;
|
|
|
time_t when_added;
|
|
|
struct onion_queue_t *next;
|
|
|
} onion_queue_t;
|
|
@@ -37,11 +42,13 @@ static onion_queue_t *ol_tail=NULL;
|
|
|
/** Length of ol_list */
|
|
|
static int ol_length=0;
|
|
|
|
|
|
+/* XXXX Check lengths vs MAX_ONIONSKIN_{CHALLENGE,REPLY}_LEN */
|
|
|
+
|
|
|
/** Add <b>circ</b> to the end of ol_list and return 0, except
|
|
|
* if ol_list is too long, in which case do nothing and return -1.
|
|
|
*/
|
|
|
int
|
|
|
-onion_pending_add(or_circuit_t *circ, char *onionskin)
|
|
|
+onion_pending_add(or_circuit_t *circ, create_cell_t *onionskin)
|
|
|
{
|
|
|
onion_queue_t *tmp;
|
|
|
time_t now = time(NULL);
|
|
@@ -98,7 +105,7 @@ onion_pending_add(or_circuit_t *circ, char *onionskin)
|
|
|
* NULL if the list is empty.
|
|
|
*/
|
|
|
or_circuit_t *
|
|
|
-onion_next_task(char **onionskin_out)
|
|
|
+onion_next_task(create_cell_t **onionskin_out)
|
|
|
{
|
|
|
or_circuit_t *circ;
|
|
|
|
|
@@ -157,292 +164,843 @@ onion_pending_remove(or_circuit_t *circ)
|
|
|
tor_free(victim);
|
|
|
}
|
|
|
|
|
|
-/*----------------------------------------------------------------------*/
|
|
|
+/** Remove all circuits from the pending list. Called from tor_free_all. */
|
|
|
+void
|
|
|
+clear_pending_onions(void)
|
|
|
+{
|
|
|
+ while (ol_list) {
|
|
|
+ onion_queue_t *victim = ol_list;
|
|
|
+ ol_list = victim->next;
|
|
|
+ tor_free(victim->onionskin);
|
|
|
+ tor_free(victim);
|
|
|
+ }
|
|
|
+ ol_list = ol_tail = NULL;
|
|
|
+ ol_length = 0;
|
|
|
+}
|
|
|
+
|
|
|
+/* ============================================================ */
|
|
|
|
|
|
-/** Given a router's 128 byte public key,
|
|
|
- * stores the following in onion_skin_out:
|
|
|
- * - [42 bytes] OAEP padding
|
|
|
- * - [16 bytes] Symmetric key for encrypting blob past RSA
|
|
|
- * - [70 bytes] g^x part 1 (inside the RSA)
|
|
|
- * - [58 bytes] g^x part 2 (symmetrically encrypted)
|
|
|
- *
|
|
|
- * Stores the DH private key into handshake_state_out for later completion
|
|
|
- * of the handshake.
|
|
|
- *
|
|
|
- * The meeting point/cookies and auth are zeroed out for now.
|
|
|
+/** Fill in a server_onion_keys_t object at <b>keys</b> with all of the keys
|
|
|
+ * and other info we might need to do onion handshakes. (We make a copy of
|
|
|
+ * our keys for each cpuworker to avoid race conditions with the main thread,
|
|
|
+ * and to avoid locking) */
|
|
|
+void
|
|
|
+setup_server_onion_keys(server_onion_keys_t *keys)
|
|
|
+{
|
|
|
+ memset(keys, 0, sizeof(server_onion_keys_t));
|
|
|
+ memcpy(keys->my_identity, router_get_my_id_digest(), DIGEST_LEN);
|
|
|
+ dup_onion_keys(&keys->onion_key, &keys->last_onion_key);
|
|
|
+#ifdef CURVE25519_ENABLED
|
|
|
+ keys->curve25519_key_map = construct_ntor_key_map();
|
|
|
+ keys->junk_keypair = tor_malloc_zero(sizeof(curve25519_keypair_t));
|
|
|
+ curve25519_keypair_generate(keys->junk_keypair, 0);
|
|
|
+#endif
|
|
|
+}
|
|
|
+
|
|
|
+/** Release all storage held in <b>keys</b>, but do not free <b>keys</b>
|
|
|
+ * itself (as it's likely to be stack-allocated.) */
|
|
|
+void
|
|
|
+release_server_onion_keys(server_onion_keys_t *keys)
|
|
|
+{
|
|
|
+ if (! keys)
|
|
|
+ return;
|
|
|
+
|
|
|
+ crypto_pk_free(keys->onion_key);
|
|
|
+ crypto_pk_free(keys->last_onion_key);
|
|
|
+#ifdef CURVE25519_ENABLED
|
|
|
+ ntor_key_map_free(keys->curve25519_key_map);
|
|
|
+ tor_free(keys->junk_keypair);
|
|
|
+#endif
|
|
|
+ memset(keys, 0, sizeof(server_onion_keys_t));
|
|
|
+}
|
|
|
+
|
|
|
+/** Release whatever storage is held in <b>state</b>, depending on its
|
|
|
+ * type, and clear its pointer. */
|
|
|
+void
|
|
|
+onion_handshake_state_release(onion_handshake_state_t *state)
|
|
|
+{
|
|
|
+ switch (state->tag) {
|
|
|
+ case ONION_HANDSHAKE_TYPE_TAP:
|
|
|
+ crypto_dh_free(state->u.tap);
|
|
|
+ state->u.tap = NULL;
|
|
|
+ break;
|
|
|
+ case ONION_HANDSHAKE_TYPE_FAST:
|
|
|
+ fast_handshake_state_free(state->u.fast);
|
|
|
+ state->u.fast = NULL;
|
|
|
+ break;
|
|
|
+#ifdef CURVE25519_ENABLED
|
|
|
+ case ONION_HANDSHAKE_TYPE_NTOR:
|
|
|
+ ntor_handshake_state_free(state->u.ntor);
|
|
|
+ state->u.ntor = NULL;
|
|
|
+ break;
|
|
|
+#endif
|
|
|
+ default:
|
|
|
+ log_warn(LD_BUG, "called with unknown handshake state type %d",
|
|
|
+ (int)state->tag);
|
|
|
+ tor_fragile_assert();
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+/** Perform the first step of a circuit-creation handshake of type <b>type</b>
|
|
|
+ * (one of ONION_HANDSHAKE_TYPE_*): generate the initial "onion skin" in
|
|
|
+ * <b>onion_skin_out</b>, and store any state information in <b>state_out</b>.
|
|
|
+ * Return -1 on failure, and the length of the onionskin on acceptance.
|
|
|
*/
|
|
|
int
|
|
|
-onion_skin_create(crypto_pk_t *dest_router_key,
|
|
|
- crypto_dh_t **handshake_state_out,
|
|
|
- char *onion_skin_out) /* ONIONSKIN_CHALLENGE_LEN bytes */
|
|
|
+onion_skin_create(int type,
|
|
|
+ const extend_info_t *node,
|
|
|
+ onion_handshake_state_t *state_out,
|
|
|
+ uint8_t *onion_skin_out)
|
|
|
{
|
|
|
- char challenge[DH_KEY_LEN];
|
|
|
- crypto_dh_t *dh = NULL;
|
|
|
- int dhbytes, pkbytes;
|
|
|
+ int r = -1;
|
|
|
+
|
|
|
+ switch (type) {
|
|
|
+ case ONION_HANDSHAKE_TYPE_TAP:
|
|
|
+ if (!node->onion_key)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ if (onion_skin_TAP_create(node->onion_key,
|
|
|
+ &state_out->u.tap,
|
|
|
+ (char*)onion_skin_out) < 0)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ r = TAP_ONIONSKIN_CHALLENGE_LEN;
|
|
|
+ break;
|
|
|
+ case ONION_HANDSHAKE_TYPE_FAST:
|
|
|
+ if (fast_onionskin_create(&state_out->u.fast, onion_skin_out) < 0)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ r = CREATE_FAST_LEN;
|
|
|
+ break;
|
|
|
+ case ONION_HANDSHAKE_TYPE_NTOR:
|
|
|
+#ifdef CURVE25519_ENABLED
|
|
|
+ if (tor_mem_is_zero((const char*)node->curve25519_onion_key.public_key,
|
|
|
+ CURVE25519_PUBKEY_LEN))
|
|
|
+ return -1;
|
|
|
+ if (onion_skin_ntor_create((const uint8_t*)node->identity_digest,
|
|
|
+ &node->curve25519_onion_key,
|
|
|
+ &state_out->u.ntor,
|
|
|
+ onion_skin_out) < 0)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ r = NTOR_ONIONSKIN_LEN;
|
|
|
+#else
|
|
|
+ return -1;
|
|
|
+#endif
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ log_warn(LD_BUG, "called with unknown handshake state type %d", type);
|
|
|
+ tor_fragile_assert();
|
|
|
+ r = -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (r > 0)
|
|
|
+ state_out->tag = (uint16_t) type;
|
|
|
+
|
|
|
+ return r;
|
|
|
+}
|
|
|
+
|
|
|
+/** Perform the second (server-side) step of a circuit-creation handshake of
|
|
|
+ * type <b>type</b>, responding to the client request in <b>onion_skin</b>
|
|
|
+ * using the keys in <b>keys</b>. On success, write our response into
|
|
|
+ * <b>reply_out</b>, generate <b>keys_out_len</b> bytes worth of key material
|
|
|
+ * in <b>keys_out_len</b>, a hidden service nonce to <b>rend_nonce_out</b>,
|
|
|
+ * and return the length of the reply. On failure, return -1.
|
|
|
+ */
|
|
|
+int
|
|
|
+onion_skin_server_handshake(int type,
|
|
|
+ const uint8_t *onion_skin, size_t onionskin_len,
|
|
|
+ const server_onion_keys_t *keys,
|
|
|
+ uint8_t *reply_out,
|
|
|
+ uint8_t *keys_out, size_t keys_out_len,
|
|
|
+ uint8_t *rend_nonce_out)
|
|
|
+{
|
|
|
+ int r = -1;
|
|
|
|
|
|
- tor_assert(dest_router_key);
|
|
|
- tor_assert(handshake_state_out);
|
|
|
- tor_assert(onion_skin_out);
|
|
|
- *handshake_state_out = NULL;
|
|
|
- memset(onion_skin_out, 0, ONIONSKIN_CHALLENGE_LEN);
|
|
|
+ switch (type) {
|
|
|
+ case ONION_HANDSHAKE_TYPE_TAP:
|
|
|
+ if (onionskin_len != TAP_ONIONSKIN_CHALLENGE_LEN)
|
|
|
+ return -1;
|
|
|
+ if (onion_skin_TAP_server_handshake((const char*)onion_skin,
|
|
|
+ keys->onion_key, keys->last_onion_key,
|
|
|
+ (char*)reply_out,
|
|
|
+ (char*)keys_out, keys_out_len)<0)
|
|
|
+ return -1;
|
|
|
+ r = TAP_ONIONSKIN_REPLY_LEN;
|
|
|
+ memcpy(rend_nonce_out, reply_out+DH_KEY_LEN, DIGEST_LEN);
|
|
|
+ break;
|
|
|
+ case ONION_HANDSHAKE_TYPE_FAST:
|
|
|
+ if (onionskin_len != CREATE_FAST_LEN)
|
|
|
+ return -1;
|
|
|
+ if (fast_server_handshake(onion_skin, reply_out, keys_out, keys_out_len)<0)
|
|
|
+ return -1;
|
|
|
+ r = CREATED_FAST_LEN;
|
|
|
+ memcpy(rend_nonce_out, reply_out+DIGEST_LEN, DIGEST_LEN);
|
|
|
+ break;
|
|
|
+ case ONION_HANDSHAKE_TYPE_NTOR:
|
|
|
+#ifdef CURVE25519_ENABLED
|
|
|
+ if (onionskin_len < NTOR_ONIONSKIN_LEN)
|
|
|
+ return -1;
|
|
|
+ {
|
|
|
+ size_t keys_tmp_len = keys_out_len + DIGEST_LEN;
|
|
|
+ uint8_t *keys_tmp = tor_malloc(keys_out_len + DIGEST_LEN);
|
|
|
+
|
|
|
+ if (onion_skin_ntor_server_handshake(
|
|
|
+ onion_skin, keys->curve25519_key_map,
|
|
|
+ keys->junk_keypair,
|
|
|
+ keys->my_identity,
|
|
|
+ reply_out, keys_tmp, keys_tmp_len)<0) {
|
|
|
+ tor_free(keys_tmp);
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+ memcpy(keys_out, keys_tmp, keys_out_len);
|
|
|
+ memcpy(rend_nonce_out, keys_tmp+keys_out_len, DIGEST_LEN);
|
|
|
+ memwipe(keys_tmp, 0, keys_tmp_len);
|
|
|
+ tor_free(keys_tmp);
|
|
|
+ r = NTOR_REPLY_LEN;
|
|
|
+ }
|
|
|
+#else
|
|
|
+ return -1;
|
|
|
+#endif
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ log_warn(LD_BUG, "called with unknown handshake state type %d", type);
|
|
|
+ tor_fragile_assert();
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
|
|
|
- if (!(dh = crypto_dh_new(DH_TYPE_CIRCUIT)))
|
|
|
- goto err;
|
|
|
+ return r;
|
|
|
+}
|
|
|
|
|
|
- dhbytes = crypto_dh_get_bytes(dh);
|
|
|
- pkbytes = (int) crypto_pk_keysize(dest_router_key);
|
|
|
- tor_assert(dhbytes == 128);
|
|
|
- tor_assert(pkbytes == 128);
|
|
|
+/** Perform the final (client-side) step of a circuit-creation handshake of
|
|
|
+ * type <b>type</b>, using our state in <b>handshake_state</b> and the
|
|
|
+ * server's response in <b>reply</b> On success, generate <b>keys_out_len</b>
|
|
|
+ * bytes worth of key material in <b>keys_out_len</b>, set
|
|
|
+ * <b>rend_authenticator_out</b> to the "KH" field that can be used to
|
|
|
+ * establish introduction points at this hop, and return 0. On failure,
|
|
|
+ * return -1. */
|
|
|
+int
|
|
|
+onion_skin_client_handshake(int type,
|
|
|
+ const onion_handshake_state_t *handshake_state,
|
|
|
+ const uint8_t *reply, size_t reply_len,
|
|
|
+ uint8_t *keys_out, size_t keys_out_len,
|
|
|
+ uint8_t *rend_authenticator_out)
|
|
|
+{
|
|
|
+ if (handshake_state->tag != type)
|
|
|
+ return -1;
|
|
|
|
|
|
- if (crypto_dh_get_public(dh, challenge, dhbytes))
|
|
|
- goto err;
|
|
|
+ switch (type) {
|
|
|
+ case ONION_HANDSHAKE_TYPE_TAP:
|
|
|
+ if (reply_len != TAP_ONIONSKIN_REPLY_LEN)
|
|
|
+ return -1;
|
|
|
+ if (onion_skin_TAP_client_handshake(handshake_state->u.tap,
|
|
|
+ (const char*)reply,
|
|
|
+ (char *)keys_out, keys_out_len) < 0)
|
|
|
+ return -1;
|
|
|
|
|
|
- note_crypto_pk_op(ENC_ONIONSKIN);
|
|
|
+ memcpy(rend_authenticator_out, reply+DH_KEY_LEN, DIGEST_LEN);
|
|
|
+
|
|
|
+ return 0;
|
|
|
+ case ONION_HANDSHAKE_TYPE_FAST:
|
|
|
+ if (reply_len != CREATED_FAST_LEN)
|
|
|
+ return -1;
|
|
|
+ if (fast_client_handshake(handshake_state->u.fast, reply,
|
|
|
+ keys_out, keys_out_len) < 0)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ memcpy(rend_authenticator_out, reply+DIGEST_LEN, DIGEST_LEN);
|
|
|
+ return 0;
|
|
|
+#ifdef CURVE25519_ENABLED
|
|
|
+ case ONION_HANDSHAKE_TYPE_NTOR:
|
|
|
+ if (reply_len < NTOR_REPLY_LEN)
|
|
|
+ return -1;
|
|
|
+ {
|
|
|
+ size_t keys_tmp_len = keys_out_len + DIGEST_LEN;
|
|
|
+ uint8_t *keys_tmp = tor_malloc(keys_tmp_len);
|
|
|
+ if (onion_skin_ntor_client_handshake(handshake_state->u.ntor,
|
|
|
+ reply,
|
|
|
+ keys_tmp, keys_tmp_len) < 0) {
|
|
|
+ tor_free(keys_tmp);
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+ memcpy(keys_out, keys_tmp, keys_out_len);
|
|
|
+ memcpy(rend_authenticator_out, keys_tmp + keys_out_len, DIGEST_LEN);
|
|
|
+ memwipe(keys_tmp, 0, keys_tmp_len);
|
|
|
+ tor_free(keys_tmp);
|
|
|
+ }
|
|
|
+ return 0;
|
|
|
+#endif
|
|
|
+ default:
|
|
|
+ log_warn(LD_BUG, "called with unknown handshake state type %d", type);
|
|
|
+ tor_fragile_assert();
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+}
|
|
|
|
|
|
- /* set meeting point, meeting cookie, etc here. Leave zero for now. */
|
|
|
- if (crypto_pk_public_hybrid_encrypt(dest_router_key, onion_skin_out,
|
|
|
- ONIONSKIN_CHALLENGE_LEN,
|
|
|
- challenge, DH_KEY_LEN,
|
|
|
- PK_PKCS1_OAEP_PADDING, 1)<0)
|
|
|
- goto err;
|
|
|
+/** Helper: return 0 if <b>cell</b> appears valid, -1 otherwise. If
|
|
|
+ * <b>unknown_ok</b> is true, allow cells with handshake types we don't
|
|
|
+ * recognize. */
|
|
|
+static int
|
|
|
+check_create_cell(const create_cell_t *cell, int unknown_ok)
|
|
|
+{
|
|
|
+ switch (cell->cell_type) {
|
|
|
+ case CELL_CREATE:
|
|
|
+ if (cell->handshake_type != ONION_HANDSHAKE_TYPE_TAP &&
|
|
|
+ cell->handshake_type != ONION_HANDSHAKE_TYPE_NTOR)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
+ case CELL_CREATE_FAST:
|
|
|
+ if (cell->handshake_type != ONION_HANDSHAKE_TYPE_FAST)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
+ case CELL_CREATE2:
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
|
|
|
- memwipe(challenge, 0, sizeof(challenge));
|
|
|
- *handshake_state_out = dh;
|
|
|
+ switch (cell->handshake_type) {
|
|
|
+ case ONION_HANDSHAKE_TYPE_TAP:
|
|
|
+ if (cell->handshake_len != TAP_ONIONSKIN_CHALLENGE_LEN)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
+ case ONION_HANDSHAKE_TYPE_FAST:
|
|
|
+ if (cell->handshake_len != CREATE_FAST_LEN)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
+#ifdef CURVE25519_ENABLED
|
|
|
+ case ONION_HANDSHAKE_TYPE_NTOR:
|
|
|
+ if (cell->handshake_len != NTOR_ONIONSKIN_LEN)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
+#endif
|
|
|
+ default:
|
|
|
+ if (! unknown_ok)
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
|
|
|
return 0;
|
|
|
- err:
|
|
|
- memwipe(challenge, 0, sizeof(challenge));
|
|
|
- if (dh) crypto_dh_free(dh);
|
|
|
- return -1;
|
|
|
}
|
|
|
|
|
|
-/** Given an encrypted DH public key as generated by onion_skin_create,
|
|
|
- * and the private key for this onion router, generate the reply (128-byte
|
|
|
- * DH plus the first 20 bytes of shared key material), and store the
|
|
|
- * next key_out_len bytes of key material in key_out.
|
|
|
+/** Helper: parse the CREATE2 payload at <b>p</b>, which could be up to
|
|
|
+ * <b>p_len</b> bytes long, and use it to fill the fields of
|
|
|
+ * <b>cell_out</b>. Return 0 on success and -1 on failure.
|
|
|
+ *
|
|
|
+ * Note that part of the body of an EXTEND2 cell is a CREATE2 payload, so
|
|
|
+ * this function is also used for parsing those.
|
|
|
*/
|
|
|
+static int
|
|
|
+parse_create2_payload(create_cell_t *cell_out, const uint8_t *p, size_t p_len)
|
|
|
+{
|
|
|
+ if (p_len < 4)
|
|
|
+ return -1;
|
|
|
+ cell_out->cell_type = CELL_CREATE2;
|
|
|
+ cell_out->handshake_type = ntohs(get_uint16(p));
|
|
|
+ cell_out->handshake_len = ntohs(get_uint16(p+2));
|
|
|
+ if (cell_out->handshake_len > CELL_PAYLOAD_SIZE - 4 ||
|
|
|
+ cell_out->handshake_len > p_len - 4)
|
|
|
+ return -1;
|
|
|
+ if (cell_out->handshake_type == ONION_HANDSHAKE_TYPE_FAST)
|
|
|
+ return -1;
|
|
|
+ memcpy(cell_out->onionskin, p+4, cell_out->handshake_len);
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
+/** Magic string which, in a CREATE or EXTEND cell, indicates that a seeming
|
|
|
+ * TAP payload is really an ntor payload. We'd do away with this if every
|
|
|
+ * relay supported EXTEND2, but we want to be able to extend from A to B with
|
|
|
+ * ntor even when A doesn't understand EXTEND2 and so can't generate a
|
|
|
+ * CREATE2 cell.
|
|
|
+ **/
|
|
|
+#define NTOR_CREATE_MAGIC "ntorNTORntorNTOR"
|
|
|
+
|
|
|
+/** Parse a CREATE, CREATE_FAST, or CREATE2 cell from <b>cell_in</b> into
|
|
|
+ * <b>cell_out</b>. Return 0 on success, -1 on failure. (We reject some
|
|
|
+ * syntactically valid CREATE2 cells that we can't generate or react to.) */
|
|
|
int
|
|
|
-onion_skin_server_handshake(const char *onion_skin, /*ONIONSKIN_CHALLENGE_LEN*/
|
|
|
- crypto_pk_t *private_key,
|
|
|
- crypto_pk_t *prev_private_key,
|
|
|
- char *handshake_reply_out, /*ONIONSKIN_REPLY_LEN*/
|
|
|
- char *key_out,
|
|
|
- size_t key_out_len)
|
|
|
+create_cell_parse(create_cell_t *cell_out, const cell_t *cell_in)
|
|
|
{
|
|
|
- char challenge[ONIONSKIN_CHALLENGE_LEN];
|
|
|
- crypto_dh_t *dh = NULL;
|
|
|
- ssize_t len;
|
|
|
- char *key_material=NULL;
|
|
|
- size_t key_material_len=0;
|
|
|
- int i;
|
|
|
- crypto_pk_t *k;
|
|
|
-
|
|
|
- len = -1;
|
|
|
- for (i=0;i<2;++i) {
|
|
|
- k = i==0?private_key:prev_private_key;
|
|
|
- if (!k)
|
|
|
- break;
|
|
|
- note_crypto_pk_op(DEC_ONIONSKIN);
|
|
|
- len = crypto_pk_private_hybrid_decrypt(k, challenge,
|
|
|
- ONIONSKIN_CHALLENGE_LEN,
|
|
|
- onion_skin, ONIONSKIN_CHALLENGE_LEN,
|
|
|
- PK_PKCS1_OAEP_PADDING,0);
|
|
|
- if (len>0)
|
|
|
- break;
|
|
|
- }
|
|
|
- if (len<0) {
|
|
|
- log_info(LD_PROTOCOL,
|
|
|
- "Couldn't decrypt onionskin: client may be using old onion key");
|
|
|
- goto err;
|
|
|
- } else if (len != DH_KEY_LEN) {
|
|
|
- log_warn(LD_PROTOCOL, "Unexpected onionskin length after decryption: %ld",
|
|
|
- (long)len);
|
|
|
- goto err;
|
|
|
+ memset(cell_out, 0, sizeof(*cell_out));
|
|
|
+
|
|
|
+ switch (cell_in->command) {
|
|
|
+ case CELL_CREATE:
|
|
|
+ cell_out->cell_type = CELL_CREATE;
|
|
|
+ if (tor_memeq(cell_in->payload, NTOR_CREATE_MAGIC, 16)) {
|
|
|
+ cell_out->handshake_type = ONION_HANDSHAKE_TYPE_NTOR;
|
|
|
+ cell_out->handshake_len = NTOR_ONIONSKIN_LEN;
|
|
|
+ memcpy(cell_out->onionskin, cell_in->payload+16, NTOR_ONIONSKIN_LEN);
|
|
|
+ } else {
|
|
|
+ cell_out->handshake_type = ONION_HANDSHAKE_TYPE_TAP;
|
|
|
+ cell_out->handshake_len = TAP_ONIONSKIN_CHALLENGE_LEN;
|
|
|
+ memcpy(cell_out->onionskin, cell_in->payload,
|
|
|
+ TAP_ONIONSKIN_CHALLENGE_LEN);
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ case CELL_CREATE_FAST:
|
|
|
+ cell_out->cell_type = CELL_CREATE_FAST;
|
|
|
+ cell_out->handshake_type = ONION_HANDSHAKE_TYPE_FAST;
|
|
|
+ cell_out->handshake_len = CREATE_FAST_LEN;
|
|
|
+ memcpy(cell_out->onionskin, cell_in->payload, CREATE_FAST_LEN);
|
|
|
+ break;
|
|
|
+ case CELL_CREATE2:
|
|
|
+ if (parse_create2_payload(cell_out, cell_in->payload,
|
|
|
+ CELL_PAYLOAD_SIZE) < 0)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ return -1;
|
|
|
}
|
|
|
|
|
|
- dh = crypto_dh_new(DH_TYPE_CIRCUIT);
|
|
|
- if (!dh) {
|
|
|
- log_warn(LD_BUG, "Couldn't allocate DH key");
|
|
|
- goto err;
|
|
|
+ return check_create_cell(cell_out, 0);
|
|
|
+}
|
|
|
+
|
|
|
+/** Helper: return 0 if <b>cell</b> appears valid, -1 otherwise. */
|
|
|
+static int
|
|
|
+check_created_cell(const created_cell_t *cell)
|
|
|
+{
|
|
|
+ switch (cell->cell_type) {
|
|
|
+ case CELL_CREATED:
|
|
|
+ if (cell->handshake_len != TAP_ONIONSKIN_REPLY_LEN)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
+ case CELL_CREATED_FAST:
|
|
|
+ if (cell->handshake_len != CREATED_FAST_LEN)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
+ case CELL_CREATED2:
|
|
|
+ if (cell->handshake_len > RELAY_PAYLOAD_SIZE-2)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
}
|
|
|
- if (crypto_dh_get_public(dh, handshake_reply_out, DH_KEY_LEN)) {
|
|
|
- log_info(LD_GENERAL, "crypto_dh_get_public failed.");
|
|
|
- goto err;
|
|
|
+
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
+/** Parse a CREATED, CREATED_FAST, or CREATED2 cell from <b>cell_in</b> into
|
|
|
+ * <b>cell_out</b>. Return 0 on success, -1 on failure. */
|
|
|
+int
|
|
|
+created_cell_parse(created_cell_t *cell_out, const cell_t *cell_in)
|
|
|
+{
|
|
|
+ memset(cell_out, 0, sizeof(*cell_out));
|
|
|
+
|
|
|
+ switch (cell_in->command) {
|
|
|
+ case CELL_CREATED:
|
|
|
+ cell_out->cell_type = CELL_CREATED;
|
|
|
+ cell_out->handshake_len = TAP_ONIONSKIN_REPLY_LEN;
|
|
|
+ memcpy(cell_out->reply, cell_in->payload, TAP_ONIONSKIN_REPLY_LEN);
|
|
|
+ break;
|
|
|
+ case CELL_CREATED_FAST:
|
|
|
+ cell_out->cell_type = CELL_CREATED_FAST;
|
|
|
+ cell_out->handshake_len = CREATED_FAST_LEN;
|
|
|
+ memcpy(cell_out->reply, cell_in->payload, CREATED_FAST_LEN);
|
|
|
+ break;
|
|
|
+ case CELL_CREATED2:
|
|
|
+ {
|
|
|
+ const uint8_t *p = cell_in->payload;
|
|
|
+ cell_out->cell_type = CELL_CREATED2;
|
|
|
+ cell_out->handshake_len = ntohs(get_uint16(p));
|
|
|
+ if (cell_out->handshake_len > CELL_PAYLOAD_SIZE - 2)
|
|
|
+ return -1;
|
|
|
+ memcpy(cell_out->reply, p+2, cell_out->handshake_len);
|
|
|
+ break;
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
- key_material_len = DIGEST_LEN+key_out_len;
|
|
|
- key_material = tor_malloc(key_material_len);
|
|
|
- len = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, dh, challenge,
|
|
|
- DH_KEY_LEN, key_material,
|
|
|
- key_material_len);
|
|
|
- if (len < 0) {
|
|
|
- log_info(LD_GENERAL, "crypto_dh_compute_secret failed.");
|
|
|
- goto err;
|
|
|
+ return check_created_cell(cell_out);
|
|
|
+}
|
|
|
+
|
|
|
+/** Helper: return 0 if <b>cell</b> appears valid, -1 otherwise. */
|
|
|
+static int
|
|
|
+check_extend_cell(const extend_cell_t *cell)
|
|
|
+{
|
|
|
+ if (tor_digest_is_zero((const char*)cell->node_id))
|
|
|
+ return -1;
|
|
|
+ /* We don't currently allow EXTEND2 cells without an IPv4 address */
|
|
|
+ if (tor_addr_family(&cell->orport_ipv4.addr) == AF_UNSPEC)
|
|
|
+ return -1;
|
|
|
+ if (cell->create_cell.cell_type == CELL_CREATE) {
|
|
|
+ if (cell->cell_type != RELAY_COMMAND_EXTEND)
|
|
|
+ return -1;
|
|
|
+ } else if (cell->create_cell.cell_type == CELL_CREATE2) {
|
|
|
+ if (cell->cell_type != RELAY_COMMAND_EXTEND2 &&
|
|
|
+ cell->cell_type != RELAY_COMMAND_EXTEND)
|
|
|
+ return -1;
|
|
|
+ } else {
|
|
|
+ /* In particular, no CREATE_FAST cells are allowed */
|
|
|
+ return -1;
|
|
|
}
|
|
|
+ if (cell->create_cell.handshake_type == ONION_HANDSHAKE_TYPE_FAST)
|
|
|
+ return -1;
|
|
|
|
|
|
- /* send back H(K|0) as proof that we learned K. */
|
|
|
- memcpy(handshake_reply_out+DH_KEY_LEN, key_material, DIGEST_LEN);
|
|
|
+ return check_create_cell(&cell->create_cell, 1);
|
|
|
+}
|
|
|
|
|
|
- /* use the rest of the key material for our shared keys, digests, etc */
|
|
|
- memcpy(key_out, key_material+DIGEST_LEN, key_out_len);
|
|
|
+/** Protocol constants for specifier types in EXTEND2
|
|
|
+ * @{
|
|
|
+ */
|
|
|
+#define SPECTYPE_IPV4 0
|
|
|
+#define SPECTYPE_IPV6 1
|
|
|
+#define SPECTYPE_LEGACY_ID 2
|
|
|
+/** @} */
|
|
|
+
|
|
|
+/** Parse an EXTEND or EXTEND2 cell (according to <b>command</b>) from the
|
|
|
+ * <b>payload_length</b> bytes of <b>payload</b> into <b>cell_out</b>. Return
|
|
|
+ * 0 on success, -1 on failure. */
|
|
|
+int
|
|
|
+extend_cell_parse(extend_cell_t *cell_out, const uint8_t command,
|
|
|
+ const uint8_t *payload, size_t payload_length)
|
|
|
+{
|
|
|
+ const uint8_t *eop;
|
|
|
|
|
|
- memwipe(challenge, 0, sizeof(challenge));
|
|
|
- memwipe(key_material, 0, key_material_len);
|
|
|
- tor_free(key_material);
|
|
|
- crypto_dh_free(dh);
|
|
|
- return 0;
|
|
|
- err:
|
|
|
- memwipe(challenge, 0, sizeof(challenge));
|
|
|
- if (key_material) {
|
|
|
- memwipe(key_material, 0, key_material_len);
|
|
|
- tor_free(key_material);
|
|
|
+ memset(cell_out, 0, sizeof(*cell_out));
|
|
|
+ if (payload_length > RELAY_PAYLOAD_SIZE)
|
|
|
+ return -1;
|
|
|
+ eop = payload + payload_length;
|
|
|
+
|
|
|
+ switch (command) {
|
|
|
+ case RELAY_COMMAND_EXTEND:
|
|
|
+ {
|
|
|
+ if (payload_length != 6 + TAP_ONIONSKIN_CHALLENGE_LEN + DIGEST_LEN)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ cell_out->cell_type = RELAY_COMMAND_EXTEND;
|
|
|
+ tor_addr_from_ipv4n(&cell_out->orport_ipv4.addr, get_uint32(payload));
|
|
|
+ cell_out->orport_ipv4.port = ntohs(get_uint16(payload+4));
|
|
|
+ tor_addr_make_unspec(&cell_out->orport_ipv6.addr);
|
|
|
+ if (tor_memeq(payload + 6, NTOR_CREATE_MAGIC, 16)) {
|
|
|
+ cell_out->create_cell.cell_type = CELL_CREATE2;
|
|
|
+ cell_out->create_cell.handshake_type = ONION_HANDSHAKE_TYPE_NTOR;
|
|
|
+ cell_out->create_cell.handshake_len = NTOR_ONIONSKIN_LEN;
|
|
|
+ memcpy(cell_out->create_cell.onionskin, payload + 22,
|
|
|
+ NTOR_ONIONSKIN_LEN);
|
|
|
+ } else {
|
|
|
+ cell_out->create_cell.cell_type = CELL_CREATE;
|
|
|
+ cell_out->create_cell.handshake_type = ONION_HANDSHAKE_TYPE_TAP;
|
|
|
+ cell_out->create_cell.handshake_len = TAP_ONIONSKIN_CHALLENGE_LEN;
|
|
|
+ memcpy(cell_out->create_cell.onionskin, payload + 6,
|
|
|
+ TAP_ONIONSKIN_CHALLENGE_LEN);
|
|
|
+ }
|
|
|
+ memcpy(cell_out->node_id, payload + 6 + TAP_ONIONSKIN_CHALLENGE_LEN,
|
|
|
+ DIGEST_LEN);
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ case RELAY_COMMAND_EXTEND2:
|
|
|
+ {
|
|
|
+ uint8_t n_specs = *payload, spectype, speclen;
|
|
|
+ int i;
|
|
|
+ int found_ipv4 = 0, found_ipv6 = 0, found_id = 0;
|
|
|
+ tor_addr_make_unspec(&cell_out->orport_ipv4.addr);
|
|
|
+ tor_addr_make_unspec(&cell_out->orport_ipv6.addr);
|
|
|
+
|
|
|
+ cell_out->cell_type = RELAY_COMMAND_EXTEND2;
|
|
|
+ ++payload;
|
|
|
+ /* Parse the specifiers. We'll only take the first IPv4 and first IPv6
|
|
|
+ * addres, and the node ID, and ignore everything else */
|
|
|
+ for (i = 0; i < n_specs; ++i) {
|
|
|
+ if (eop - payload < 2)
|
|
|
+ return -1;
|
|
|
+ spectype = payload[0];
|
|
|
+ speclen = payload[1];
|
|
|
+ payload += 2;
|
|
|
+ if (eop - payload < speclen)
|
|
|
+ return -1;
|
|
|
+ switch (spectype) {
|
|
|
+ case SPECTYPE_IPV4:
|
|
|
+ if (speclen != 6)
|
|
|
+ return -1;
|
|
|
+ if (!found_ipv4) {
|
|
|
+ tor_addr_from_ipv4n(&cell_out->orport_ipv4.addr,
|
|
|
+ get_uint32(payload));
|
|
|
+ cell_out->orport_ipv4.port = ntohs(get_uint16(payload+4));
|
|
|
+ found_ipv4 = 1;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ case SPECTYPE_IPV6:
|
|
|
+ if (speclen != 18)
|
|
|
+ return -1;
|
|
|
+ if (!found_ipv6) {
|
|
|
+ tor_addr_from_ipv6_bytes(&cell_out->orport_ipv6.addr,
|
|
|
+ (const char*)payload);
|
|
|
+ cell_out->orport_ipv6.port = ntohs(get_uint16(payload+16));
|
|
|
+ found_ipv6 = 1;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ case SPECTYPE_LEGACY_ID:
|
|
|
+ if (speclen != 20)
|
|
|
+ return -1;
|
|
|
+ if (found_id)
|
|
|
+ return -1;
|
|
|
+ memcpy(cell_out->node_id, payload, 20);
|
|
|
+ found_id = 1;
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ payload += speclen;
|
|
|
+ }
|
|
|
+ if (!found_id || !found_ipv4)
|
|
|
+ return -1;
|
|
|
+ if (parse_create2_payload(&cell_out->create_cell,payload,eop-payload)<0)
|
|
|
+ return -1;
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ default:
|
|
|
+ return -1;
|
|
|
}
|
|
|
- if (dh) crypto_dh_free(dh);
|
|
|
|
|
|
- return -1;
|
|
|
+ return check_extend_cell(cell_out);
|
|
|
}
|
|
|
|
|
|
-/** Finish the client side of the DH handshake.
|
|
|
- * Given the 128 byte DH reply + 20 byte hash as generated by
|
|
|
- * onion_skin_server_handshake and the handshake state generated by
|
|
|
- * onion_skin_create, verify H(K) with the first 20 bytes of shared
|
|
|
- * key material, then generate key_out_len more bytes of shared key
|
|
|
- * material and store them in key_out.
|
|
|
- *
|
|
|
- * After the invocation, call crypto_dh_free on handshake_state.
|
|
|
- */
|
|
|
+/** Helper: return 0 if <b>cell</b> appears valid, -1 otherwise. */
|
|
|
+static int
|
|
|
+check_extended_cell(const extended_cell_t *cell)
|
|
|
+{
|
|
|
+ if (cell->created_cell.cell_type == CELL_CREATED) {
|
|
|
+ if (cell->cell_type != RELAY_COMMAND_EXTENDED)
|
|
|
+ return -1;
|
|
|
+ } else if (cell->created_cell.cell_type == CELL_CREATED2) {
|
|
|
+ if (cell->cell_type != RELAY_COMMAND_EXTENDED2)
|
|
|
+ return -1;
|
|
|
+ } else {
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ return check_created_cell(&cell->created_cell);
|
|
|
+}
|
|
|
+
|
|
|
+/** Parse an EXTENDED or EXTENDED2 cell (according to <b>command</b>) from the
|
|
|
+ * <b>payload_length</b> bytes of <b>payload</b> into <b>cell_out</b>. Return
|
|
|
+ * 0 on success, -1 on failure. */
|
|
|
int
|
|
|
-onion_skin_client_handshake(crypto_dh_t *handshake_state,
|
|
|
- const char *handshake_reply, /* ONIONSKIN_REPLY_LEN bytes */
|
|
|
- char *key_out,
|
|
|
- size_t key_out_len)
|
|
|
+extended_cell_parse(extended_cell_t *cell_out,
|
|
|
+ const uint8_t command, const uint8_t *payload,
|
|
|
+ size_t payload_len)
|
|
|
{
|
|
|
- ssize_t len;
|
|
|
- char *key_material=NULL;
|
|
|
- size_t key_material_len;
|
|
|
- tor_assert(crypto_dh_get_bytes(handshake_state) == DH_KEY_LEN);
|
|
|
-
|
|
|
- key_material_len = DIGEST_LEN + key_out_len;
|
|
|
- key_material = tor_malloc(key_material_len);
|
|
|
- len = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, handshake_state,
|
|
|
- handshake_reply, DH_KEY_LEN, key_material,
|
|
|
- key_material_len);
|
|
|
- if (len < 0)
|
|
|
- goto err;
|
|
|
-
|
|
|
- if (tor_memneq(key_material, handshake_reply+DH_KEY_LEN, DIGEST_LEN)) {
|
|
|
- /* H(K) does *not* match. Something fishy. */
|
|
|
- log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on onion handshake. "
|
|
|
- "Bug or attack.");
|
|
|
- goto err;
|
|
|
+ memset(cell_out, 0, sizeof(*cell_out));
|
|
|
+ if (payload_len > RELAY_PAYLOAD_SIZE)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ switch (command) {
|
|
|
+ case RELAY_COMMAND_EXTENDED:
|
|
|
+ if (payload_len != TAP_ONIONSKIN_REPLY_LEN)
|
|
|
+ return -1;
|
|
|
+ cell_out->cell_type = RELAY_COMMAND_EXTENDED;
|
|
|
+ cell_out->created_cell.cell_type = CELL_CREATED;
|
|
|
+ cell_out->created_cell.handshake_len = TAP_ONIONSKIN_REPLY_LEN;
|
|
|
+ memcpy(cell_out->created_cell.reply, payload, TAP_ONIONSKIN_REPLY_LEN);
|
|
|
+ break;
|
|
|
+ case RELAY_COMMAND_EXTENDED2:
|
|
|
+ {
|
|
|
+ cell_out->cell_type = RELAY_COMMAND_EXTENDED2;
|
|
|
+ cell_out->created_cell.cell_type = CELL_CREATED2;
|
|
|
+ cell_out->created_cell.handshake_len = ntohs(get_uint16(payload));
|
|
|
+ if (cell_out->created_cell.handshake_len > RELAY_PAYLOAD_SIZE - 2 ||
|
|
|
+ cell_out->created_cell.handshake_len > payload_len - 2)
|
|
|
+ return -1;
|
|
|
+ memcpy(cell_out->created_cell.reply, payload+2,
|
|
|
+ cell_out->created_cell.handshake_len);
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ return -1;
|
|
|
}
|
|
|
|
|
|
- /* use the rest of the key material for our shared keys, digests, etc */
|
|
|
- memcpy(key_out, key_material+DIGEST_LEN, key_out_len);
|
|
|
+ return check_extended_cell(cell_out);
|
|
|
+}
|
|
|
+
|
|
|
+/** Fill <b>cell_out</b> with a correctly formatted version of the
|
|
|
+ * CREATE{,_FAST,2} cell in <b>cell_in</b>. Return 0 on success, -1 on
|
|
|
+ * failure. This is a cell we didn't originate if <b>relayed</b> is true. */
|
|
|
+static int
|
|
|
+create_cell_format_impl(cell_t *cell_out, const create_cell_t *cell_in,
|
|
|
+ int relayed)
|
|
|
+{
|
|
|
+ uint8_t *p;
|
|
|
+ size_t space;
|
|
|
+ if (check_create_cell(cell_in, relayed) < 0)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ memset(cell_out->payload, 0, sizeof(cell_out->payload));
|
|
|
+ cell_out->command = cell_in->cell_type;
|
|
|
+
|
|
|
+ p = cell_out->payload;
|
|
|
+ space = sizeof(cell_out->payload);
|
|
|
+
|
|
|
+ switch (cell_in->cell_type) {
|
|
|
+ case CELL_CREATE:
|
|
|
+ if (cell_in->handshake_type == ONION_HANDSHAKE_TYPE_NTOR) {
|
|
|
+ memcpy(p, NTOR_CREATE_MAGIC, 16);
|
|
|
+ p += 16;
|
|
|
+ space -= 16;
|
|
|
+ }
|
|
|
+ /* Fall through */
|
|
|
+ case CELL_CREATE_FAST:
|
|
|
+ tor_assert(cell_in->handshake_len <= space);
|
|
|
+ memcpy(p, cell_in->onionskin, cell_in->handshake_len);
|
|
|
+ break;
|
|
|
+ case CELL_CREATE2:
|
|
|
+ tor_assert(cell_in->handshake_len <= sizeof(cell_out->payload)-4);
|
|
|
+ set_uint16(cell_out->payload, htons(cell_in->handshake_type));
|
|
|
+ set_uint16(cell_out->payload+2, htons(cell_in->handshake_len));
|
|
|
+ memcpy(cell_out->payload + 4, cell_in->onionskin, cell_in->handshake_len);
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
|
|
|
- memwipe(key_material, 0, key_material_len);
|
|
|
- tor_free(key_material);
|
|
|
return 0;
|
|
|
- err:
|
|
|
- memwipe(key_material, 0, key_material_len);
|
|
|
- tor_free(key_material);
|
|
|
- return -1;
|
|
|
}
|
|
|
|
|
|
-/** Implement the server side of the CREATE_FAST abbreviated handshake. The
|
|
|
- * client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x"). We
|
|
|
- * generate a reply of DIGEST_LEN*2 bytes in <b>key_out</b>, consisting of a
|
|
|
- * new random "y", followed by H(x|y) to check for correctness. We set
|
|
|
- * <b>key_out_len</b> bytes of key material in <b>key_out</b>.
|
|
|
- * Return 0 on success, <0 on failure.
|
|
|
- **/
|
|
|
int
|
|
|
-fast_server_handshake(const uint8_t *key_in, /* DIGEST_LEN bytes */
|
|
|
- uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */
|
|
|
- uint8_t *key_out,
|
|
|
- size_t key_out_len)
|
|
|
+create_cell_format(cell_t *cell_out, const create_cell_t *cell_in)
|
|
|
{
|
|
|
- char tmp[DIGEST_LEN+DIGEST_LEN];
|
|
|
- char *out = NULL;
|
|
|
- size_t out_len;
|
|
|
- int r = -1;
|
|
|
+ return create_cell_format_impl(cell_out, cell_in, 0);
|
|
|
+}
|
|
|
|
|
|
- if (crypto_rand((char*)handshake_reply_out, DIGEST_LEN)<0)
|
|
|
+int
|
|
|
+create_cell_format_relayed(cell_t *cell_out, const create_cell_t *cell_in)
|
|
|
+{
|
|
|
+ return create_cell_format_impl(cell_out, cell_in, 1);
|
|
|
+}
|
|
|
+
|
|
|
+/** Fill <b>cell_out</b> with a correctly formatted version of the
|
|
|
+ * CREATED{,_FAST,2} cell in <b>cell_in</b>. Return 0 on success, -1 on
|
|
|
+ * failure. */
|
|
|
+int
|
|
|
+created_cell_format(cell_t *cell_out, const created_cell_t *cell_in)
|
|
|
+{
|
|
|
+ if (check_created_cell(cell_in) < 0)
|
|
|
return -1;
|
|
|
|
|
|
- memcpy(tmp, key_in, DIGEST_LEN);
|
|
|
- memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
|
|
|
- out_len = key_out_len+DIGEST_LEN;
|
|
|
- out = tor_malloc(out_len);
|
|
|
- if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) {
|
|
|
- goto done;
|
|
|
+ memset(cell_out->payload, 0, sizeof(cell_out->payload));
|
|
|
+ cell_out->command = cell_in->cell_type;
|
|
|
+
|
|
|
+ switch (cell_in->cell_type) {
|
|
|
+ case CELL_CREATED:
|
|
|
+ case CELL_CREATED_FAST:
|
|
|
+ tor_assert(cell_in->handshake_len <= sizeof(cell_out->payload));
|
|
|
+ memcpy(cell_out->payload, cell_in->reply, cell_in->handshake_len);
|
|
|
+ break;
|
|
|
+ case CELL_CREATED2:
|
|
|
+ tor_assert(cell_in->handshake_len <= sizeof(cell_out->payload)-2);
|
|
|
+ set_uint16(cell_out->payload, htons(cell_in->handshake_len));
|
|
|
+ memcpy(cell_out->payload + 2, cell_in->reply, cell_in->handshake_len);
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ return -1;
|
|
|
}
|
|
|
- memcpy(handshake_reply_out+DIGEST_LEN, out, DIGEST_LEN);
|
|
|
- memcpy(key_out, out+DIGEST_LEN, key_out_len);
|
|
|
- r = 0;
|
|
|
- done:
|
|
|
- memwipe(tmp, 0, sizeof(tmp));
|
|
|
- memwipe(out, 0, out_len);
|
|
|
- tor_free(out);
|
|
|
- return r;
|
|
|
+ return 0;
|
|
|
}
|
|
|
|
|
|
-/** Implement the second half of the client side of the CREATE_FAST handshake.
|
|
|
- * We sent the server <b>handshake_state</b> ("x") already, and the server
|
|
|
- * told us <b>handshake_reply_out</b> (y|H(x|y)). Make sure that the hash is
|
|
|
- * correct, and generate key material in <b>key_out</b>. Return 0 on success,
|
|
|
- * true on failure.
|
|
|
- *
|
|
|
- * NOTE: The "CREATE_FAST" handshake path is distinguishable from regular
|
|
|
- * "onionskin" handshakes, and is not secure if an adversary can see or modify
|
|
|
- * the messages. Therefore, it should only be used by clients, and only as
|
|
|
- * the first hop of a circuit (since the first hop is already authenticated
|
|
|
- * and protected by TLS).
|
|
|
- */
|
|
|
+/** Format the EXTEND{,2} cell in <b>cell_in</b>, storing its relay payload in
|
|
|
+ * <b>payload_out</b>, the number of bytes used in *<b>len_out</b>, and the
|
|
|
+ * relay command in *<b>command_out</b>. The <b>payload_out</b> must have
|
|
|
+ * RELAY_PAYLOAD_SIZE bytes available. Return 0 on success, -1 on failure. */
|
|
|
int
|
|
|
-fast_client_handshake(const uint8_t *handshake_state,/*DIGEST_LEN bytes*/
|
|
|
- const uint8_t *handshake_reply_out,/*DIGEST_LEN*2 bytes*/
|
|
|
- uint8_t *key_out,
|
|
|
- size_t key_out_len)
|
|
|
+extend_cell_format(uint8_t *command_out, uint16_t *len_out,
|
|
|
+ uint8_t *payload_out, const extend_cell_t *cell_in)
|
|
|
{
|
|
|
- char tmp[DIGEST_LEN+DIGEST_LEN];
|
|
|
- char *out;
|
|
|
- size_t out_len;
|
|
|
- int r = -1;
|
|
|
+ uint8_t *p, *eop;
|
|
|
+ if (check_extend_cell(cell_in) < 0)
|
|
|
+ return -1;
|
|
|
|
|
|
- memcpy(tmp, handshake_state, DIGEST_LEN);
|
|
|
- memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
|
|
|
- out_len = key_out_len+DIGEST_LEN;
|
|
|
- out = tor_malloc(out_len);
|
|
|
- if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) {
|
|
|
- goto done;
|
|
|
- }
|
|
|
- if (tor_memneq(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
|
|
|
- /* H(K) does *not* match. Something fishy. */
|
|
|
- log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. "
|
|
|
- "Bug or attack.");
|
|
|
- goto done;
|
|
|
+ p = payload_out;
|
|
|
+ eop = payload_out + RELAY_PAYLOAD_SIZE;
|
|
|
+
|
|
|
+ memset(p, 0, RELAY_PAYLOAD_SIZE);
|
|
|
+
|
|
|
+ switch (cell_in->cell_type) {
|
|
|
+ case RELAY_COMMAND_EXTEND:
|
|
|
+ {
|
|
|
+ *command_out = RELAY_COMMAND_EXTEND;
|
|
|
+ *len_out = 6 + TAP_ONIONSKIN_CHALLENGE_LEN + DIGEST_LEN;
|
|
|
+ set_uint32(p, tor_addr_to_ipv4n(&cell_in->orport_ipv4.addr));
|
|
|
+ set_uint16(p+4, ntohs(cell_in->orport_ipv4.port));
|
|
|
+ if (cell_in->create_cell.handshake_type == ONION_HANDSHAKE_TYPE_NTOR) {
|
|
|
+ memcpy(p+6, NTOR_CREATE_MAGIC, 16);
|
|
|
+ memcpy(p+22, cell_in->create_cell.onionskin, NTOR_ONIONSKIN_LEN);
|
|
|
+ } else {
|
|
|
+ memcpy(p+6, cell_in->create_cell.onionskin,
|
|
|
+ TAP_ONIONSKIN_CHALLENGE_LEN);
|
|
|
+ }
|
|
|
+ memcpy(p+6+TAP_ONIONSKIN_CHALLENGE_LEN, cell_in->node_id, DIGEST_LEN);
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ case RELAY_COMMAND_EXTEND2:
|
|
|
+ {
|
|
|
+ uint8_t n = 2;
|
|
|
+ *command_out = RELAY_COMMAND_EXTEND2;
|
|
|
+
|
|
|
+ *p++ = n; /* 2 identifiers */
|
|
|
+ *p++ = SPECTYPE_IPV4; /* First is IPV4. */
|
|
|
+ *p++ = 6; /* It's 6 bytes long. */
|
|
|
+ set_uint32(p, tor_addr_to_ipv4n(&cell_in->orport_ipv4.addr));
|
|
|
+ set_uint16(p+4, htons(cell_in->orport_ipv4.port));
|
|
|
+ p += 6;
|
|
|
+ *p++ = SPECTYPE_LEGACY_ID; /* Next is an identity digest. */
|
|
|
+ *p++ = 20; /* It's 20 bytes long */
|
|
|
+ memcpy(p, cell_in->node_id, DIGEST_LEN);
|
|
|
+ p += 20;
|
|
|
+
|
|
|
+ /* Now we can send the handshake */
|
|
|
+ set_uint16(p, htons(cell_in->create_cell.handshake_type));
|
|
|
+ set_uint16(p+2, htons(cell_in->create_cell.handshake_len));
|
|
|
+ p += 4;
|
|
|
+
|
|
|
+ if (cell_in->create_cell.handshake_len > eop - p)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ memcpy(p, cell_in->create_cell.onionskin,
|
|
|
+ cell_in->create_cell.handshake_len);
|
|
|
+
|
|
|
+ p += cell_in->create_cell.handshake_len;
|
|
|
+ *len_out = p - payload_out;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ return -1;
|
|
|
}
|
|
|
- memcpy(key_out, out+DIGEST_LEN, key_out_len);
|
|
|
- r = 0;
|
|
|
- done:
|
|
|
- memwipe(tmp, 0, sizeof(tmp));
|
|
|
- memwipe(out, 0, out_len);
|
|
|
- tor_free(out);
|
|
|
- return r;
|
|
|
+
|
|
|
+ return 0;
|
|
|
}
|
|
|
|
|
|
-/** Remove all circuits from the pending list. Called from tor_free_all. */
|
|
|
-void
|
|
|
-clear_pending_onions(void)
|
|
|
+/** Format the EXTENDED{,2} cell in <b>cell_in</b>, storing its relay payload
|
|
|
+ * in <b>payload_out</b>, the number of bytes used in *<b>len_out</b>, and the
|
|
|
+ * relay command in *<b>command_out</b>. The <b>payload_out</b> must have
|
|
|
+ * RELAY_PAYLOAD_SIZE bytes available. Return 0 on success, -1 on failure. */
|
|
|
+int
|
|
|
+extended_cell_format(uint8_t *command_out, uint16_t *len_out,
|
|
|
+ uint8_t *payload_out, const extended_cell_t *cell_in)
|
|
|
{
|
|
|
- while (ol_list) {
|
|
|
- onion_queue_t *victim = ol_list;
|
|
|
- ol_list = victim->next;
|
|
|
- tor_free(victim->onionskin);
|
|
|
- tor_free(victim);
|
|
|
+ uint8_t *p;
|
|
|
+ if (check_extended_cell(cell_in) < 0)
|
|
|
+ return -1;
|
|
|
+
|
|
|
+ p = payload_out;
|
|
|
+ memset(p, 0, RELAY_PAYLOAD_SIZE);
|
|
|
+
|
|
|
+ switch (cell_in->cell_type) {
|
|
|
+ case RELAY_COMMAND_EXTENDED:
|
|
|
+ {
|
|
|
+ *command_out = RELAY_COMMAND_EXTENDED;
|
|
|
+ *len_out = TAP_ONIONSKIN_REPLY_LEN;
|
|
|
+ memcpy(payload_out, cell_in->created_cell.reply,
|
|
|
+ TAP_ONIONSKIN_REPLY_LEN);
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ case RELAY_COMMAND_EXTENDED2:
|
|
|
+ {
|
|
|
+ *command_out = RELAY_COMMAND_EXTENDED2;
|
|
|
+ *len_out = 2 + cell_in->created_cell.handshake_len;
|
|
|
+ set_uint16(payload_out, htons(cell_in->created_cell.handshake_len));
|
|
|
+ if (2+cell_in->created_cell.handshake_len > RELAY_PAYLOAD_SIZE)
|
|
|
+ return -1;
|
|
|
+ memcpy(payload_out+2, cell_in->created_cell.reply,
|
|
|
+ cell_in->created_cell.handshake_len);
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ return -1;
|
|
|
}
|
|
|
- ol_list = ol_tail = NULL;
|
|
|
- ol_length = 0;
|
|
|
+
|
|
|
+ return 0;
|
|
|
}
|
|
|
|