hs_ntor.c 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620
  1. /* Copyright (c) 2017-2019, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /** \file hs_ntor.c
  4. * \brief Implements the ntor variant used in Tor hidden services.
  5. *
  6. * \details
  7. * This module handles the variant of the ntor handshake that is documented in
  8. * section [NTOR-WITH-EXTRA-DATA] of rend-spec-ng.txt .
  9. *
  10. * The functions in this file provide an API that should be used when sending
  11. * or receiving INTRODUCE1/RENDEZVOUS1 cells to generate the various key
  12. * material required to create and handle those cells.
  13. *
  14. * In the case of INTRODUCE1 it provides encryption and MAC keys to
  15. * encode/decode the encrypted blob (see hs_ntor_intro_cell_keys_t). The
  16. * relevant pub functions are hs_ntor_{client,service}_get_introduce1_keys().
  17. *
  18. * In the case of RENDEZVOUS1 it calculates the MAC required to authenticate
  19. * the cell, and also provides the key seed that is used to derive the crypto
  20. * material for rendezvous encryption (see hs_ntor_rend_cell_keys_t). The
  21. * relevant pub functions are hs_ntor_{client,service}_get_rendezvous1_keys().
  22. * It also provides a function (hs_ntor_circuit_key_expansion()) that does the
  23. * rendezvous key expansion to setup end-to-end rend circuit keys.
  24. */
  25. #include "core/or/or.h"
  26. #include "lib/crypt_ops/crypto_util.h"
  27. #include "lib/crypt_ops/crypto_curve25519.h"
  28. #include "lib/crypt_ops/crypto_ed25519.h"
  29. #include "core/crypto/hs_ntor.h"
  30. /* String constants used by the ntor HS protocol */
  31. #define PROTOID "tor-hs-ntor-curve25519-sha3-256-1"
  32. #define PROTOID_LEN (sizeof(PROTOID) - 1)
  33. #define SERVER_STR "Server"
  34. #define SERVER_STR_LEN (sizeof(SERVER_STR) - 1)
  35. /* Protocol-specific tweaks to our crypto inputs */
  36. #define T_HSENC PROTOID ":hs_key_extract"
  37. #define T_HSENC_LEN (sizeof(T_HSENC) - 1)
  38. #define T_HSVERIFY PROTOID ":hs_verify"
  39. #define T_HSMAC PROTOID ":hs_mac"
  40. #define M_HSEXPAND PROTOID ":hs_key_expand"
  41. #define M_HSEXPAND_LEN (sizeof(M_HSEXPAND) - 1)
  42. /************************* Helper functions: *******************************/
  43. /** Helper macro: copy <b>len</b> bytes from <b>inp</b> to <b>ptr</b> and
  44. *advance <b>ptr</b> by the number of bytes copied. Stolen from onion_ntor.c */
  45. #define APPEND(ptr, inp, len) \
  46. STMT_BEGIN { \
  47. memcpy(ptr, (inp), (len)); \
  48. ptr += len; \
  49. } STMT_END
  50. /* Length of EXP(X,y) | EXP(X,b) | AUTH_KEY | B | X | Y | PROTOID */
  51. #define REND_SECRET_HS_INPUT_LEN (CURVE25519_OUTPUT_LEN * 2 + \
  52. ED25519_PUBKEY_LEN + CURVE25519_PUBKEY_LEN * 3 + PROTOID_LEN)
  53. /* Length of auth_input = verify | AUTH_KEY | B | Y | X | PROTOID | "Server" */
  54. #define REND_AUTH_INPUT_LEN (DIGEST256_LEN + ED25519_PUBKEY_LEN + \
  55. CURVE25519_PUBKEY_LEN * 3 + PROTOID_LEN + SERVER_STR_LEN)
  56. /** Helper function: Compute the last part of the HS ntor handshake which
  57. * derives key material necessary to create and handle RENDEZVOUS1
  58. * cells. Function used by both client and service. The actual calculations is
  59. * as follows:
  60. *
  61. * NTOR_KEY_SEED = MAC(rend_secret_hs_input, t_hsenc)
  62. * verify = MAC(rend_secret_hs_input, t_hsverify)
  63. * auth_input = verify | AUTH_KEY | B | Y | X | PROTOID | "Server"
  64. * auth_input_mac = MAC(auth_input, t_hsmac)
  65. *
  66. * where in the above, AUTH_KEY is <b>intro_auth_pubkey</b>, B is
  67. * <b>intro_enc_pubkey</b>, Y is <b>service_ephemeral_rend_pubkey</b>, and X
  68. * is <b>client_ephemeral_enc_pubkey</b>. The provided
  69. * <b>rend_secret_hs_input</b> is of size REND_SECRET_HS_INPUT_LEN.
  70. *
  71. * The final results of NTOR_KEY_SEED and auth_input_mac are placed in
  72. * <b>hs_ntor_rend_cell_keys_out</b>. Return 0 if everything went fine. */
  73. static int
  74. get_rendezvous1_key_material(const uint8_t *rend_secret_hs_input,
  75. const ed25519_public_key_t *intro_auth_pubkey,
  76. const curve25519_public_key_t *intro_enc_pubkey,
  77. const curve25519_public_key_t *service_ephemeral_rend_pubkey,
  78. const curve25519_public_key_t *client_ephemeral_enc_pubkey,
  79. hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys_out)
  80. {
  81. int bad = 0;
  82. uint8_t ntor_key_seed[DIGEST256_LEN];
  83. uint8_t ntor_verify[DIGEST256_LEN];
  84. uint8_t rend_auth_input[REND_AUTH_INPUT_LEN];
  85. uint8_t rend_cell_auth[DIGEST256_LEN];
  86. uint8_t *ptr;
  87. /* Let's build NTOR_KEY_SEED */
  88. crypto_mac_sha3_256(ntor_key_seed, sizeof(ntor_key_seed),
  89. rend_secret_hs_input, REND_SECRET_HS_INPUT_LEN,
  90. (const uint8_t *)T_HSENC, strlen(T_HSENC));
  91. bad |= safe_mem_is_zero(ntor_key_seed, DIGEST256_LEN);
  92. /* Let's build ntor_verify */
  93. crypto_mac_sha3_256(ntor_verify, sizeof(ntor_verify),
  94. rend_secret_hs_input, REND_SECRET_HS_INPUT_LEN,
  95. (const uint8_t *)T_HSVERIFY, strlen(T_HSVERIFY));
  96. bad |= safe_mem_is_zero(ntor_verify, DIGEST256_LEN);
  97. /* Let's build auth_input: */
  98. ptr = rend_auth_input;
  99. /* Append ntor_verify */
  100. APPEND(ptr, ntor_verify, sizeof(ntor_verify));
  101. /* Append AUTH_KEY */
  102. APPEND(ptr, intro_auth_pubkey->pubkey, ED25519_PUBKEY_LEN);
  103. /* Append B */
  104. APPEND(ptr, intro_enc_pubkey->public_key, CURVE25519_PUBKEY_LEN);
  105. /* Append Y */
  106. APPEND(ptr,
  107. service_ephemeral_rend_pubkey->public_key, CURVE25519_PUBKEY_LEN);
  108. /* Append X */
  109. APPEND(ptr,
  110. client_ephemeral_enc_pubkey->public_key, CURVE25519_PUBKEY_LEN);
  111. /* Append PROTOID */
  112. APPEND(ptr, PROTOID, strlen(PROTOID));
  113. /* Append "Server" */
  114. APPEND(ptr, SERVER_STR, strlen(SERVER_STR));
  115. tor_assert(ptr == rend_auth_input + sizeof(rend_auth_input));
  116. /* Let's build auth_input_mac that goes in RENDEZVOUS1 cell */
  117. crypto_mac_sha3_256(rend_cell_auth, sizeof(rend_cell_auth),
  118. rend_auth_input, sizeof(rend_auth_input),
  119. (const uint8_t *)T_HSMAC, strlen(T_HSMAC));
  120. bad |= safe_mem_is_zero(ntor_verify, DIGEST256_LEN);
  121. { /* Get the computed RENDEZVOUS1 material! */
  122. memcpy(&hs_ntor_rend_cell_keys_out->rend_cell_auth_mac,
  123. rend_cell_auth, DIGEST256_LEN);
  124. memcpy(&hs_ntor_rend_cell_keys_out->ntor_key_seed,
  125. ntor_key_seed, DIGEST256_LEN);
  126. }
  127. memwipe(rend_cell_auth, 0, sizeof(rend_cell_auth));
  128. memwipe(rend_auth_input, 0, sizeof(rend_auth_input));
  129. memwipe(ntor_key_seed, 0, sizeof(ntor_key_seed));
  130. return bad;
  131. }
  132. /** Length of secret_input = EXP(B,x) | AUTH_KEY | X | B | PROTOID */
  133. #define INTRO_SECRET_HS_INPUT_LEN (CURVE25519_OUTPUT_LEN +ED25519_PUBKEY_LEN +\
  134. CURVE25519_PUBKEY_LEN + CURVE25519_PUBKEY_LEN + PROTOID_LEN)
  135. /* Length of info = m_hsexpand | subcredential */
  136. #define INFO_BLOB_LEN (M_HSEXPAND_LEN + DIGEST256_LEN)
  137. /* Length of KDF input = intro_secret_hs_input | t_hsenc | info */
  138. #define KDF_INPUT_LEN (INTRO_SECRET_HS_INPUT_LEN + T_HSENC_LEN + INFO_BLOB_LEN)
  139. /** Helper function: Compute the part of the HS ntor handshake that generates
  140. * key material for creating and handling INTRODUCE1 cells. Function used
  141. * by both client and service. Specifically, calculate the following:
  142. *
  143. * info = m_hsexpand | subcredential
  144. * hs_keys = KDF(intro_secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN)
  145. * ENC_KEY = hs_keys[0:S_KEY_LEN]
  146. * MAC_KEY = hs_keys[S_KEY_LEN:S_KEY_LEN+MAC_KEY_LEN]
  147. *
  148. * where intro_secret_hs_input is <b>secret_input</b> (of size
  149. * INTRO_SECRET_HS_INPUT_LEN), and <b>subcredential</b> is of size
  150. * DIGEST256_LEN.
  151. *
  152. * If everything went well, fill <b>hs_ntor_intro_cell_keys_out</b> with the
  153. * necessary key material, and return 0. */
  154. static void
  155. get_introduce1_key_material(const uint8_t *secret_input,
  156. const uint8_t *subcredential,
  157. hs_ntor_intro_cell_keys_t *hs_ntor_intro_cell_keys_out)
  158. {
  159. uint8_t keystream[CIPHER256_KEY_LEN + DIGEST256_LEN];
  160. uint8_t info_blob[INFO_BLOB_LEN];
  161. uint8_t kdf_input[KDF_INPUT_LEN];
  162. crypto_xof_t *xof;
  163. uint8_t *ptr;
  164. /* Let's build info */
  165. ptr = info_blob;
  166. APPEND(ptr, M_HSEXPAND, strlen(M_HSEXPAND));
  167. APPEND(ptr, subcredential, DIGEST256_LEN);
  168. tor_assert(ptr == info_blob + sizeof(info_blob));
  169. /* Let's build the input to the KDF */
  170. ptr = kdf_input;
  171. APPEND(ptr, secret_input, INTRO_SECRET_HS_INPUT_LEN);
  172. APPEND(ptr, T_HSENC, strlen(T_HSENC));
  173. APPEND(ptr, info_blob, sizeof(info_blob));
  174. tor_assert(ptr == kdf_input + sizeof(kdf_input));
  175. /* Now we need to run kdf_input over SHAKE-256 */
  176. xof = crypto_xof_new();
  177. crypto_xof_add_bytes(xof, kdf_input, sizeof(kdf_input));
  178. crypto_xof_squeeze_bytes(xof, keystream, sizeof(keystream)) ;
  179. crypto_xof_free(xof);
  180. { /* Get the keys */
  181. memcpy(&hs_ntor_intro_cell_keys_out->enc_key, keystream,CIPHER256_KEY_LEN);
  182. memcpy(&hs_ntor_intro_cell_keys_out->mac_key,
  183. keystream+CIPHER256_KEY_LEN, DIGEST256_LEN);
  184. }
  185. memwipe(keystream, 0, sizeof(keystream));
  186. memwipe(kdf_input, 0, sizeof(kdf_input));
  187. }
  188. /** Helper function: Calculate the 'intro_secret_hs_input' element used by the
  189. * HS ntor handshake and place it in <b>secret_input_out</b>. This function is
  190. * used by both client and service code.
  191. *
  192. * For the client-side it looks like this:
  193. *
  194. * intro_secret_hs_input = EXP(B,x) | AUTH_KEY | X | B | PROTOID
  195. *
  196. * whereas for the service-side it looks like this:
  197. *
  198. * intro_secret_hs_input = EXP(X,b) | AUTH_KEY | X | B | PROTOID
  199. *
  200. * In this function, <b>dh_result</b> carries the EXP() result (and has size
  201. * CURVE25519_OUTPUT_LEN) <b>intro_auth_pubkey</b> is AUTH_KEY,
  202. * <b>client_ephemeral_enc_pubkey</b> is X, and <b>intro_enc_pubkey</b> is B.
  203. */
  204. static void
  205. get_intro_secret_hs_input(const uint8_t *dh_result,
  206. const ed25519_public_key_t *intro_auth_pubkey,
  207. const curve25519_public_key_t *client_ephemeral_enc_pubkey,
  208. const curve25519_public_key_t *intro_enc_pubkey,
  209. uint8_t *secret_input_out)
  210. {
  211. uint8_t *ptr;
  212. /* Append EXP() */
  213. ptr = secret_input_out;
  214. APPEND(ptr, dh_result, CURVE25519_OUTPUT_LEN);
  215. /* Append AUTH_KEY */
  216. APPEND(ptr, intro_auth_pubkey->pubkey, ED25519_PUBKEY_LEN);
  217. /* Append X */
  218. APPEND(ptr, client_ephemeral_enc_pubkey->public_key, CURVE25519_PUBKEY_LEN);
  219. /* Append B */
  220. APPEND(ptr, intro_enc_pubkey->public_key, CURVE25519_PUBKEY_LEN);
  221. /* Append PROTOID */
  222. APPEND(ptr, PROTOID, strlen(PROTOID));
  223. tor_assert(ptr == secret_input_out + INTRO_SECRET_HS_INPUT_LEN);
  224. }
  225. /** Calculate the 'rend_secret_hs_input' element used by the HS ntor handshake
  226. * and place it in <b>rend_secret_hs_input_out</b>. This function is used by
  227. * both client and service code.
  228. *
  229. * The computation on the client side is:
  230. * rend_secret_hs_input = EXP(X,y) | EXP(X,b) | AUTH_KEY | B | X | Y | PROTOID
  231. * whereas on the service side it is:
  232. * rend_secret_hs_input = EXP(Y,x) | EXP(B,x) | AUTH_KEY | B | X | Y | PROTOID
  233. *
  234. * where:
  235. * <b>dh_result1</b> and <b>dh_result2</b> carry the two EXP() results (of size
  236. * CURVE25519_OUTPUT_LEN)
  237. * <b>intro_auth_pubkey</b> is AUTH_KEY,
  238. * <b>intro_enc_pubkey</b> is B,
  239. * <b>client_ephemeral_enc_pubkey</b> is X, and
  240. * <b>service_ephemeral_rend_pubkey</b> is Y.
  241. */
  242. static void
  243. get_rend_secret_hs_input(const uint8_t *dh_result1, const uint8_t *dh_result2,
  244. const ed25519_public_key_t *intro_auth_pubkey,
  245. const curve25519_public_key_t *intro_enc_pubkey,
  246. const curve25519_public_key_t *client_ephemeral_enc_pubkey,
  247. const curve25519_public_key_t *service_ephemeral_rend_pubkey,
  248. uint8_t *rend_secret_hs_input_out)
  249. {
  250. uint8_t *ptr;
  251. ptr = rend_secret_hs_input_out;
  252. /* Append the first EXP() */
  253. APPEND(ptr, dh_result1, CURVE25519_OUTPUT_LEN);
  254. /* Append the other EXP() */
  255. APPEND(ptr, dh_result2, CURVE25519_OUTPUT_LEN);
  256. /* Append AUTH_KEY */
  257. APPEND(ptr, intro_auth_pubkey->pubkey, ED25519_PUBKEY_LEN);
  258. /* Append B */
  259. APPEND(ptr, intro_enc_pubkey->public_key, CURVE25519_PUBKEY_LEN);
  260. /* Append X */
  261. APPEND(ptr,
  262. client_ephemeral_enc_pubkey->public_key, CURVE25519_PUBKEY_LEN);
  263. /* Append Y */
  264. APPEND(ptr,
  265. service_ephemeral_rend_pubkey->public_key, CURVE25519_PUBKEY_LEN);
  266. /* Append PROTOID */
  267. APPEND(ptr, PROTOID, strlen(PROTOID));
  268. tor_assert(ptr == rend_secret_hs_input_out + REND_SECRET_HS_INPUT_LEN);
  269. }
  270. /************************* Public functions: *******************************/
  271. /* Public function: Do the appropriate ntor calculations and derive the keys
  272. * needed to encrypt and authenticate INTRODUCE1 cells. Return 0 and place the
  273. * final key material in <b>hs_ntor_intro_cell_keys_out</b> if everything went
  274. * well, otherwise return -1;
  275. *
  276. * The relevant calculations are as follows:
  277. *
  278. * intro_secret_hs_input = EXP(B,x) | AUTH_KEY | X | B | PROTOID
  279. * info = m_hsexpand | subcredential
  280. * hs_keys = KDF(intro_secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN)
  281. * ENC_KEY = hs_keys[0:S_KEY_LEN]
  282. * MAC_KEY = hs_keys[S_KEY_LEN:S_KEY_LEN+MAC_KEY_LEN]
  283. *
  284. * where:
  285. * <b>intro_auth_pubkey</b> is AUTH_KEY (found in HS descriptor),
  286. * <b>intro_enc_pubkey</b> is B (also found in HS descriptor),
  287. * <b>client_ephemeral_enc_keypair</b> is freshly generated keypair (x,X)
  288. * <b>subcredential</b> is the hidden service subcredential (of size
  289. * DIGEST256_LEN). */
  290. int
  291. hs_ntor_client_get_introduce1_keys(
  292. const ed25519_public_key_t *intro_auth_pubkey,
  293. const curve25519_public_key_t *intro_enc_pubkey,
  294. const curve25519_keypair_t *client_ephemeral_enc_keypair,
  295. const uint8_t *subcredential,
  296. hs_ntor_intro_cell_keys_t *hs_ntor_intro_cell_keys_out)
  297. {
  298. int bad = 0;
  299. uint8_t secret_input[INTRO_SECRET_HS_INPUT_LEN];
  300. uint8_t dh_result[CURVE25519_OUTPUT_LEN];
  301. tor_assert(intro_auth_pubkey);
  302. tor_assert(intro_enc_pubkey);
  303. tor_assert(client_ephemeral_enc_keypair);
  304. tor_assert(subcredential);
  305. tor_assert(hs_ntor_intro_cell_keys_out);
  306. /* Calculate EXP(B,x) */
  307. curve25519_handshake(dh_result,
  308. &client_ephemeral_enc_keypair->seckey,
  309. intro_enc_pubkey);
  310. bad |= safe_mem_is_zero(dh_result, CURVE25519_OUTPUT_LEN);
  311. /* Get intro_secret_hs_input */
  312. get_intro_secret_hs_input(dh_result, intro_auth_pubkey,
  313. &client_ephemeral_enc_keypair->pubkey,
  314. intro_enc_pubkey, secret_input);
  315. bad |= safe_mem_is_zero(secret_input, CURVE25519_OUTPUT_LEN);
  316. /* Get ENC_KEY and MAC_KEY! */
  317. get_introduce1_key_material(secret_input, subcredential,
  318. hs_ntor_intro_cell_keys_out);
  319. /* Cleanup */
  320. memwipe(secret_input, 0, sizeof(secret_input));
  321. if (bad) {
  322. memwipe(hs_ntor_intro_cell_keys_out, 0, sizeof(hs_ntor_intro_cell_keys_t));
  323. }
  324. return bad ? -1 : 0;
  325. }
  326. /* Public function: Do the appropriate ntor calculations and derive the keys
  327. * needed to verify RENDEZVOUS1 cells and encrypt further rendezvous
  328. * traffic. Return 0 and place the final key material in
  329. * <b>hs_ntor_rend_cell_keys_out</b> if everything went well, else return -1.
  330. *
  331. * The relevant calculations are as follows:
  332. *
  333. * rend_secret_hs_input = EXP(Y,x) | EXP(B,x) | AUTH_KEY | B | X | Y | PROTOID
  334. * NTOR_KEY_SEED = MAC(rend_secret_hs_input, t_hsenc)
  335. * verify = MAC(rend_secret_hs_input, t_hsverify)
  336. * auth_input = verify | AUTH_KEY | B | Y | X | PROTOID | "Server"
  337. * auth_input_mac = MAC(auth_input, t_hsmac)
  338. *
  339. * where:
  340. * <b>intro_auth_pubkey</b> is AUTH_KEY (found in HS descriptor),
  341. * <b>client_ephemeral_enc_keypair</b> is freshly generated keypair (x,X)
  342. * <b>intro_enc_pubkey</b> is B (also found in HS descriptor),
  343. * <b>service_ephemeral_rend_pubkey</b> is Y (SERVER_PK in RENDEZVOUS1 cell) */
  344. int
  345. hs_ntor_client_get_rendezvous1_keys(
  346. const ed25519_public_key_t *intro_auth_pubkey,
  347. const curve25519_keypair_t *client_ephemeral_enc_keypair,
  348. const curve25519_public_key_t *intro_enc_pubkey,
  349. const curve25519_public_key_t *service_ephemeral_rend_pubkey,
  350. hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys_out)
  351. {
  352. int bad = 0;
  353. uint8_t rend_secret_hs_input[REND_SECRET_HS_INPUT_LEN];
  354. uint8_t dh_result1[CURVE25519_OUTPUT_LEN];
  355. uint8_t dh_result2[CURVE25519_OUTPUT_LEN];
  356. tor_assert(intro_auth_pubkey);
  357. tor_assert(client_ephemeral_enc_keypair);
  358. tor_assert(intro_enc_pubkey);
  359. tor_assert(service_ephemeral_rend_pubkey);
  360. tor_assert(hs_ntor_rend_cell_keys_out);
  361. /* Compute EXP(Y, x) */
  362. curve25519_handshake(dh_result1,
  363. &client_ephemeral_enc_keypair->seckey,
  364. service_ephemeral_rend_pubkey);
  365. bad |= safe_mem_is_zero(dh_result1, CURVE25519_OUTPUT_LEN);
  366. /* Compute EXP(B, x) */
  367. curve25519_handshake(dh_result2,
  368. &client_ephemeral_enc_keypair->seckey,
  369. intro_enc_pubkey);
  370. bad |= safe_mem_is_zero(dh_result2, CURVE25519_OUTPUT_LEN);
  371. /* Get rend_secret_hs_input */
  372. get_rend_secret_hs_input(dh_result1, dh_result2,
  373. intro_auth_pubkey, intro_enc_pubkey,
  374. &client_ephemeral_enc_keypair->pubkey,
  375. service_ephemeral_rend_pubkey,
  376. rend_secret_hs_input);
  377. /* Get NTOR_KEY_SEED and the auth_input MAC */
  378. bad |= get_rendezvous1_key_material(rend_secret_hs_input,
  379. intro_auth_pubkey,
  380. intro_enc_pubkey,
  381. service_ephemeral_rend_pubkey,
  382. &client_ephemeral_enc_keypair->pubkey,
  383. hs_ntor_rend_cell_keys_out);
  384. memwipe(rend_secret_hs_input, 0, sizeof(rend_secret_hs_input));
  385. if (bad) {
  386. memwipe(hs_ntor_rend_cell_keys_out, 0, sizeof(hs_ntor_rend_cell_keys_t));
  387. }
  388. return bad ? -1 : 0;
  389. }
  390. /* Public function: Do the appropriate ntor calculations and derive the keys
  391. * needed to decrypt and verify INTRODUCE1 cells. Return 0 and place the final
  392. * key material in <b>hs_ntor_intro_cell_keys_out</b> if everything went well,
  393. * otherwise return -1;
  394. *
  395. * The relevant calculations are as follows:
  396. *
  397. * intro_secret_hs_input = EXP(X,b) | AUTH_KEY | X | B | PROTOID
  398. * info = m_hsexpand | subcredential
  399. * hs_keys = KDF(intro_secret_hs_input | t_hsenc | info, S_KEY_LEN+MAC_LEN)
  400. * HS_DEC_KEY = hs_keys[0:S_KEY_LEN]
  401. * HS_MAC_KEY = hs_keys[S_KEY_LEN:S_KEY_LEN+MAC_KEY_LEN]
  402. *
  403. * where:
  404. * <b>intro_auth_pubkey</b> is AUTH_KEY (introduction point auth key),
  405. * <b>intro_enc_keypair</b> is (b,B) (introduction point encryption keypair),
  406. * <b>client_ephemeral_enc_pubkey</b> is X (CLIENT_PK in INTRODUCE2 cell),
  407. * <b>subcredential</b> is the HS subcredential (of size DIGEST256_LEN) */
  408. int
  409. hs_ntor_service_get_introduce1_keys(
  410. const ed25519_public_key_t *intro_auth_pubkey,
  411. const curve25519_keypair_t *intro_enc_keypair,
  412. const curve25519_public_key_t *client_ephemeral_enc_pubkey,
  413. const uint8_t *subcredential,
  414. hs_ntor_intro_cell_keys_t *hs_ntor_intro_cell_keys_out)
  415. {
  416. int bad = 0;
  417. uint8_t secret_input[INTRO_SECRET_HS_INPUT_LEN];
  418. uint8_t dh_result[CURVE25519_OUTPUT_LEN];
  419. tor_assert(intro_auth_pubkey);
  420. tor_assert(intro_enc_keypair);
  421. tor_assert(client_ephemeral_enc_pubkey);
  422. tor_assert(subcredential);
  423. tor_assert(hs_ntor_intro_cell_keys_out);
  424. /* Compute EXP(X, b) */
  425. curve25519_handshake(dh_result,
  426. &intro_enc_keypair->seckey,
  427. client_ephemeral_enc_pubkey);
  428. bad |= safe_mem_is_zero(dh_result, CURVE25519_OUTPUT_LEN);
  429. /* Get intro_secret_hs_input */
  430. get_intro_secret_hs_input(dh_result, intro_auth_pubkey,
  431. client_ephemeral_enc_pubkey,
  432. &intro_enc_keypair->pubkey,
  433. secret_input);
  434. bad |= safe_mem_is_zero(secret_input, CURVE25519_OUTPUT_LEN);
  435. /* Get ENC_KEY and MAC_KEY! */
  436. get_introduce1_key_material(secret_input, subcredential,
  437. hs_ntor_intro_cell_keys_out);
  438. memwipe(secret_input, 0, sizeof(secret_input));
  439. if (bad) {
  440. memwipe(hs_ntor_intro_cell_keys_out, 0, sizeof(hs_ntor_intro_cell_keys_t));
  441. }
  442. return bad ? -1 : 0;
  443. }
  444. /* Public function: Do the appropriate ntor calculations and derive the keys
  445. * needed to create and authenticate RENDEZVOUS1 cells. Return 0 and place the
  446. * final key material in <b>hs_ntor_rend_cell_keys_out</b> if all went fine,
  447. * return -1 if error happened.
  448. *
  449. * The relevant calculations are as follows:
  450. *
  451. * rend_secret_hs_input = EXP(X,y) | EXP(X,b) | AUTH_KEY | B | X | Y | PROTOID
  452. * NTOR_KEY_SEED = MAC(rend_secret_hs_input, t_hsenc)
  453. * verify = MAC(rend_secret_hs_input, t_hsverify)
  454. * auth_input = verify | AUTH_KEY | B | Y | X | PROTOID | "Server"
  455. * auth_input_mac = MAC(auth_input, t_hsmac)
  456. *
  457. * where:
  458. * <b>intro_auth_pubkey</b> is AUTH_KEY (intro point auth key),
  459. * <b>intro_enc_keypair</b> is (b,B) (intro point enc keypair)
  460. * <b>service_ephemeral_rend_keypair</b> is a fresh (y,Y) keypair
  461. * <b>client_ephemeral_enc_pubkey</b> is X (CLIENT_PK in INTRODUCE2 cell) */
  462. int
  463. hs_ntor_service_get_rendezvous1_keys(
  464. const ed25519_public_key_t *intro_auth_pubkey,
  465. const curve25519_keypair_t *intro_enc_keypair,
  466. const curve25519_keypair_t *service_ephemeral_rend_keypair,
  467. const curve25519_public_key_t *client_ephemeral_enc_pubkey,
  468. hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys_out)
  469. {
  470. int bad = 0;
  471. uint8_t rend_secret_hs_input[REND_SECRET_HS_INPUT_LEN];
  472. uint8_t dh_result1[CURVE25519_OUTPUT_LEN];
  473. uint8_t dh_result2[CURVE25519_OUTPUT_LEN];
  474. tor_assert(intro_auth_pubkey);
  475. tor_assert(intro_enc_keypair);
  476. tor_assert(service_ephemeral_rend_keypair);
  477. tor_assert(client_ephemeral_enc_pubkey);
  478. tor_assert(hs_ntor_rend_cell_keys_out);
  479. /* Compute EXP(X, y) */
  480. curve25519_handshake(dh_result1,
  481. &service_ephemeral_rend_keypair->seckey,
  482. client_ephemeral_enc_pubkey);
  483. bad |= safe_mem_is_zero(dh_result1, CURVE25519_OUTPUT_LEN);
  484. /* Compute EXP(X, b) */
  485. curve25519_handshake(dh_result2,
  486. &intro_enc_keypair->seckey,
  487. client_ephemeral_enc_pubkey);
  488. bad |= safe_mem_is_zero(dh_result2, CURVE25519_OUTPUT_LEN);
  489. /* Get rend_secret_hs_input */
  490. get_rend_secret_hs_input(dh_result1, dh_result2,
  491. intro_auth_pubkey,
  492. &intro_enc_keypair->pubkey,
  493. client_ephemeral_enc_pubkey,
  494. &service_ephemeral_rend_keypair->pubkey,
  495. rend_secret_hs_input);
  496. /* Get NTOR_KEY_SEED and AUTH_INPUT_MAC! */
  497. bad |= get_rendezvous1_key_material(rend_secret_hs_input,
  498. intro_auth_pubkey,
  499. &intro_enc_keypair->pubkey,
  500. &service_ephemeral_rend_keypair->pubkey,
  501. client_ephemeral_enc_pubkey,
  502. hs_ntor_rend_cell_keys_out);
  503. memwipe(rend_secret_hs_input, 0, sizeof(rend_secret_hs_input));
  504. if (bad) {
  505. memwipe(hs_ntor_rend_cell_keys_out, 0, sizeof(hs_ntor_rend_cell_keys_t));
  506. }
  507. return bad ? -1 : 0;
  508. }
  509. /** Given a received RENDEZVOUS2 MAC in <b>mac</b> (of length DIGEST256_LEN),
  510. * and the RENDEZVOUS1 key material in <b>hs_ntor_rend_cell_keys</b>, return 1
  511. * if the MAC is good, otherwise return 0. */
  512. int
  513. hs_ntor_client_rendezvous2_mac_is_good(
  514. const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys,
  515. const uint8_t *rcvd_mac)
  516. {
  517. tor_assert(rcvd_mac);
  518. tor_assert(hs_ntor_rend_cell_keys);
  519. return tor_memeq(hs_ntor_rend_cell_keys->rend_cell_auth_mac,
  520. rcvd_mac, DIGEST256_LEN);
  521. }
  522. /* Input length to KDF for key expansion */
  523. #define NTOR_KEY_EXPANSION_KDF_INPUT_LEN (DIGEST256_LEN + M_HSEXPAND_LEN)
  524. /** Given the rendezvous key seed in <b>ntor_key_seed</b> (of size
  525. * DIGEST256_LEN), do the circuit key expansion as specified by section
  526. * '4.2.1. Key expansion' and place the keys in <b>keys_out</b> (which must be
  527. * of size HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN).
  528. *
  529. * Return 0 if things went well, else return -1. */
  530. int
  531. hs_ntor_circuit_key_expansion(const uint8_t *ntor_key_seed, size_t seed_len,
  532. uint8_t *keys_out, size_t keys_out_len)
  533. {
  534. uint8_t *ptr;
  535. uint8_t kdf_input[NTOR_KEY_EXPANSION_KDF_INPUT_LEN];
  536. crypto_xof_t *xof;
  537. /* Sanity checks on lengths to make sure we are good */
  538. if (BUG(seed_len != DIGEST256_LEN)) {
  539. return -1;
  540. }
  541. if (BUG(keys_out_len != HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN)) {
  542. return -1;
  543. }
  544. /* Let's build the input to the KDF */
  545. ptr = kdf_input;
  546. APPEND(ptr, ntor_key_seed, DIGEST256_LEN);
  547. APPEND(ptr, M_HSEXPAND, strlen(M_HSEXPAND));
  548. tor_assert(ptr == kdf_input + sizeof(kdf_input));
  549. /* Generate the keys */
  550. xof = crypto_xof_new();
  551. crypto_xof_add_bytes(xof, kdf_input, sizeof(kdf_input));
  552. crypto_xof_squeeze_bytes(xof, keys_out, HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN);
  553. crypto_xof_free(xof);
  554. return 0;
  555. }