Tor  0.4.3.0-alpha-dev
onion_fast.c
Go to the documentation of this file.
1 /* Copyright (c) 2001 Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2019, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
7 /**
8  * \file onion_fast.c
9  * \brief Functions implement the CREATE_FAST circuit handshake.
10  *
11  * The "CREATE_FAST" handshake is an unauthenticated, non-forward-secure
12  * key derivation mechanism based on SHA1. We used to use it for the
13  * first hop of each circuit, since the TAP handshake provided no
14  * additional security beyond the security already provided by the TLS
15  * handshake [*].
16  *
17  * When we switched to ntor, we deprecated CREATE_FAST, since ntor is
18  * stronger than our TLS handshake was, and fast enough to not be worrisome.
19  *
20  * This handshake, like the other circuit-extension handshakes, is
21  * invoked from onion.c.
22  *
23  * [*]Actually, it's possible that TAP _was_ a little better than TLS with
24  * RSA1024 certificates and EDH1024 for forward secrecy, if you
25  * hypothesize an adversary who can compute discrete logarithms on a
26  * small number of targeted DH1024 fields, but who can't break all that
27  * many RSA1024 keys.
28  **/
29 
30 #include "core/or/or.h"
31 #include "core/crypto/onion_fast.h"
35 
36 /** Release all state held in <b>victim</b>. */
37 void
39 {
40  if (! victim)
41  return;
42  memwipe(victim, 0, sizeof(fast_handshake_state_t));
43  tor_free(victim);
44 }
45 
46 /** Create the state needed to perform a CREATE_FAST handshake. Return 0
47  * on success, -1 on failure. */
48 int
50  uint8_t *handshake_out)
51 {
53  *handshake_state_out = s = tor_malloc(sizeof(fast_handshake_state_t));
54  crypto_rand((char*)s->state, sizeof(s->state));
55  memcpy(handshake_out, s->state, DIGEST_LEN);
56  return 0;
57 }
58 
59 /** Implement the server side of the CREATE_FAST abbreviated handshake. The
60  * client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x"). We
61  * generate a reply of DIGEST_LEN*2 bytes in <b>key_out</b>, consisting of a
62  * new random "y", followed by H(x|y) to check for correctness. We set
63  * <b>key_out_len</b> bytes of key material in <b>key_out</b>.
64  * Return 0 on success, &lt;0 on failure.
65  **/
66 int
67 fast_server_handshake(const uint8_t *key_in, /* DIGEST_LEN bytes */
68  uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */
69  uint8_t *key_out,
70  size_t key_out_len)
71 {
72  uint8_t tmp[DIGEST_LEN+DIGEST_LEN];
73  uint8_t *out = NULL;
74  size_t out_len;
75  int r = -1;
76 
77  crypto_rand((char*)handshake_reply_out, DIGEST_LEN);
78 
79  memcpy(tmp, key_in, DIGEST_LEN);
80  memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
81  out_len = key_out_len+DIGEST_LEN;
82  out = tor_malloc(out_len);
83  if (BUG(crypto_expand_key_material_TAP(tmp, sizeof(tmp), out, out_len))) {
84  goto done; // LCOV_EXCL_LINE
85  }
86  memcpy(handshake_reply_out+DIGEST_LEN, out, DIGEST_LEN);
87  memcpy(key_out, out+DIGEST_LEN, key_out_len);
88  r = 0;
89  done:
90  memwipe(tmp, 0, sizeof(tmp));
91  memwipe(out, 0, out_len);
92  tor_free(out);
93  return r;
94 }
95 
96 /** Implement the second half of the client side of the CREATE_FAST handshake.
97  * We sent the server <b>handshake_state</b> ("x") already, and the server
98  * told us <b>handshake_reply_out</b> (y|H(x|y)). Make sure that the hash is
99  * correct, and generate key material in <b>key_out</b>. Return 0 on success,
100  * true on failure.
101  *
102  * NOTE: The "CREATE_FAST" handshake path is distinguishable from regular
103  * "onionskin" handshakes, and is not secure if an adversary can see or modify
104  * the messages. Therefore, it should only be used by clients, and only as
105  * the first hop of a circuit (since the first hop is already authenticated
106  * and protected by TLS).
107  */
108 int
110  const uint8_t *handshake_reply_out,/*DIGEST_LEN*2 bytes*/
111  uint8_t *key_out,
112  size_t key_out_len,
113  const char **msg_out)
114 {
115  uint8_t tmp[DIGEST_LEN+DIGEST_LEN];
116  uint8_t *out;
117  size_t out_len;
118  int r = -1;
119 
120  memcpy(tmp, handshake_state->state, DIGEST_LEN);
121  memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
122  out_len = key_out_len+DIGEST_LEN;
123  out = tor_malloc(out_len);
124  if (BUG(crypto_expand_key_material_TAP(tmp, sizeof(tmp), out, out_len))) {
125  /* LCOV_EXCL_START */
126  if (msg_out)
127  *msg_out = "Failed to expand key material";
128  goto done;
129  /* LCOV_EXCL_STOP */
130  }
131  if (tor_memneq(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
132  /* H(K) does *not* match. Something fishy. */
133  if (msg_out)
134  *msg_out = "Digest DOES NOT MATCH on fast handshake. Bug or attack.";
135  goto done;
136  }
137  memcpy(key_out, out+DIGEST_LEN, key_out_len);
138  r = 0;
139  done:
140  memwipe(tmp, 0, sizeof(tmp));
141  memwipe(out, 0, out_len);
142  tor_free(out);
143  return r;
144 }
void crypto_rand(char *to, size_t n)
Definition: crypto_rand.c:477
Common functions for using (pseudo-)random number generators.
int crypto_expand_key_material_TAP(const uint8_t *key_in, size_t key_in_len, uint8_t *key_out, size_t key_out_len)
Definition: crypto_hkdf.c:43
int fast_onionskin_create(fast_handshake_state_t **handshake_state_out, uint8_t *handshake_out)
Definition: onion_fast.c:49
int fast_server_handshake(const uint8_t *key_in, uint8_t *handshake_reply_out, uint8_t *key_out, size_t key_out_len)
Definition: onion_fast.c:67
#define tor_free(p)
Definition: malloc.h:52
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:57
#define tor_memneq(a, b, sz)
Definition: di_ops.h:21
Headers for crypto_hkdf.h.
Common functions for cryptographic routines.
#define DIGEST_LEN
Definition: digest_sizes.h:20
Master header file for Tor-specific functionality.
Header file for onion_fast.c.
int fast_client_handshake(const fast_handshake_state_t *handshake_state, const uint8_t *handshake_reply_out, uint8_t *key_out, size_t key_out_len, const char **msg_out)
Definition: onion_fast.c:109
void fast_handshake_state_free_(fast_handshake_state_t *victim)
Definition: onion_fast.c:38