|
@@ -256,7 +256,7 @@ onion_skin_ntor_client_handshake(
|
|
|
si += CURVE25519_OUTPUT_LEN;
|
|
|
curve25519_handshake(si, &handshake_state->seckey_x,
|
|
|
&handshake_state->pubkey_B);
|
|
|
- bad |= safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
|
|
|
+ bad |= (safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN) << 1);
|
|
|
si += CURVE25519_OUTPUT_LEN;
|
|
|
APPEND(si, handshake_state->router_id, DIGEST_LEN);
|
|
|
APPEND(si, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN);
|
|
@@ -281,7 +281,7 @@ onion_skin_ntor_client_handshake(
|
|
|
/* Compute auth */
|
|
|
h_tweak(s.auth, s.auth_input, sizeof(s.auth_input), T->t_mac);
|
|
|
|
|
|
- bad |= tor_memneq(s.auth, auth_candidate, DIGEST256_LEN);
|
|
|
+ bad |= (tor_memneq(s.auth, auth_candidate, DIGEST256_LEN) << 2);
|
|
|
|
|
|
crypto_expand_key_material_rfc5869_sha256(
|
|
|
s.secret_input, sizeof(s.secret_input),
|
|
@@ -290,6 +290,14 @@ onion_skin_ntor_client_handshake(
|
|
|
key_out, key_out_len);
|
|
|
|
|
|
memwipe(&s, 0, sizeof(s));
|
|
|
+
|
|
|
+ if (bad & 4) {
|
|
|
+ log_warn(LD_PROTOCOL, "Incorrect digest from ntor circuit extension "
|
|
|
+ "request.");
|
|
|
+ } else if (bad) {
|
|
|
+ log_warn(LD_PROTOCOL, "Invalid result from curve25519 handshake");
|
|
|
+ }
|
|
|
+
|
|
|
return bad ? -1 : 0;
|
|
|
}
|
|
|
|