23 #define ONION_NTOR_PRIVATE
42 memwipe(state, 0,
sizeof(*state));
52 const uint8_t *inp,
size_t inp_len,
55 size_t tweak_len = strlen(tweak);
/* Protocol identifier string for this handshake. It is appended to both
 * secret_input and auth_input with APPEND(..., PROTOID, PROTOID_LEN), and it
 * is also used as a string-literal prefix (PROTOID ":key_extract"). */
69 #define PROTOID "ntor-curve25519-sha256-1"
/* Byte length of PROTOID without the terminating NUL (the literal above is
 * 24 characters long). This is a hand-maintained constant: it is the memcpy
 * length passed to APPEND and a term in SECRET_INPUT_LEN / AUTH_INPUT_LEN,
 * so it must be changed together with PROTOID. */
70 #define PROTOID_LEN 24
72 PROTOID
":key_extract",
79 #define APPEND(ptr, inp, len) \
81 memcpy(ptr, (inp), (len)); \
96 uint8_t *onion_skin_out)
103 memcpy(state->router_id, router_id,
DIGEST_LEN);
122 *handshake_state_out = state;
/* Literal "Server" tag; it is the last item appended to auth_input
 * (APPEND(ai, SERVER_STR, SERVER_STR_LEN) directly precedes the end-of-buffer
 * assertion). */
127 #define SERVER_STR "Server"
/* Byte length of SERVER_STR without the terminating NUL; hand-maintained,
 * keep in sync with the literal. */
128 #define SERVER_STR_LEN 6
/* Size in bytes of the secret_input[] buffer. After the final APPEND the
 * handshake code runs tor_assert(si == s.secret_input + sizeof(s.secret_input)),
 * so this sum must equal exactly the number of bytes appended.
 * NOTE(review): that assertion runs only after the copies, and the visible
 * part of APPEND is a plain memcpy, so an undersized value would already have
 * written past the buffer before the assertion fires. Change this macro and
 * the APPEND sequence together. */
130 #define SECRET_INPUT_LEN (CURVE25519_PUBKEY_LEN * 3 + \
131 CURVE25519_OUTPUT_LEN * 2 + \
132 DIGEST_LEN + PROTOID_LEN)
/* Size in bytes of the auth_input[] buffer; the same exact-fill invariant
 * applies (tor_assert(ai == s.auth_input + sizeof(s.auth_input)) after the
 * last APPEND). */
133 #define AUTH_INPUT_LEN (DIGEST256_LEN + DIGEST_LEN + \
134 CURVE25519_PUBKEY_LEN*3 + \
135 PROTOID_LEN + SERVER_STR_LEN)
152 const uint8_t *my_node_id,
153 uint8_t *handshake_reply_out,
161 uint8_t secret_input[SECRET_INPUT_LEN];
162 uint8_t auth_input[AUTH_INPUT_LEN];
168 uint8_t *si = s.secret_input, *ai = s.auth_input;
212 APPEND(si, PROTOID, PROTOID_LEN);
213 tor_assert(si == s.secret_input +
sizeof(s.secret_input));
216 h_tweak(s.verify, s.secret_input,
sizeof(s.secret_input),
T->t_verify);
224 APPEND(ai, PROTOID, PROTOID_LEN);
225 APPEND(ai, SERVER_STR, SERVER_STR_LEN);
226 tor_assert(ai == s.auth_input +
sizeof(s.auth_input));
231 s.auth_input,
sizeof(s.auth_input),
236 s.secret_input,
sizeof(s.secret_input),
237 (
const uint8_t*)
T->t_key, strlen(
T->t_key),
238 (
const uint8_t*)
T->m_expand, strlen(
T->m_expand),
239 key_out, key_out_len);
256 const uint8_t *handshake_reply,
259 const char **msg_out)
266 uint8_t secret_input[SECRET_INPUT_LEN];
268 uint8_t auth_input[AUTH_INPUT_LEN];
271 uint8_t *ai = s.auth_input, *si = s.secret_input;
272 const uint8_t *auth_candidate;
288 &handshake_state->pubkey_B);
295 APPEND(si, PROTOID, PROTOID_LEN);
296 tor_assert(si == s.secret_input +
sizeof(s.secret_input));
299 h_tweak(s.verify, s.secret_input,
sizeof(s.secret_input),
T->t_verify);
307 APPEND(ai, PROTOID, PROTOID_LEN);
308 APPEND(ai, SERVER_STR, SERVER_STR_LEN);
309 tor_assert(ai == s.auth_input +
sizeof(s.auth_input));
312 h_tweak(s.auth, s.auth_input,
sizeof(s.auth_input),
T->t_mac);
317 s.secret_input,
sizeof(s.secret_input),
318 (
const uint8_t*)
T->t_key, strlen(
T->t_key),
319 (
const uint8_t*)
T->m_expand, strlen(
T->m_expand),
320 key_out, key_out_len);
330 "Invalid result from curve25519 handshake: %d", bad);
334 *msg_out =
"Zero output from curve25519 handshake";
336 "Invalid result from curve25519 handshake: %d", bad);
Headers for crypto_cipher.c.
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
int curve25519_secret_key_generate(curve25519_secret_key_t *key_out, int extra_strong)
void curve25519_public_key_generate(curve25519_public_key_t *key_out, const curve25519_secret_key_t *seckey)
Headers for crypto_digest.c.
void crypto_hmac_sha256(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len)
int crypto_expand_key_material_rfc5869_sha256(const uint8_t *key_in, size_t key_in_len, const uint8_t *salt_in, size_t salt_in_len, const uint8_t *info_in, size_t info_in_len, uint8_t *key_out, size_t key_out_len)
Headers for crypto_hkdf.h.
void memwipe(void *mem, uint8_t byte, size_t sz)
Common functions for cryptographic routines.
void * dimap_search(const di_digest256_map_t *map, const uint8_t *key, void *dflt_val)
int safe_mem_is_zero(const void *mem, size_t sz)
#define tor_memneq(a, b, sz)
#define log_fn(severity, domain, args,...)
int onion_skin_ntor_client_handshake(const ntor_handshake_state_t *handshake_state, const uint8_t *handshake_reply, uint8_t *key_out, size_t key_out_len, const char **msg_out)
static void h_tweak(uint8_t *out, const uint8_t *inp, size_t inp_len, const char *tweak)
int onion_skin_ntor_server_handshake(const uint8_t *onion_skin, const di_digest256_map_t *private_keys, const curve25519_keypair_t *junk_keys, const uint8_t *my_node_id, uint8_t *handshake_reply_out, uint8_t *key_out, size_t key_out_len)
#define APPEND(ptr, inp, len)
static const tweakset_t proto1_tweaks
int onion_skin_ntor_create(const uint8_t *router_id, const curve25519_public_key_t *router_key, ntor_handshake_state_t **handshake_state_out, uint8_t *onion_skin_out)
void ntor_handshake_state_free_(ntor_handshake_state_t *state)
struct ntor_handshake_state_t ntor_handshake_state_t
#define NTOR_ONIONSKIN_LEN
Macros to manage assertions, fatal and non-fatal.
#define tor_assert_nonfatal_unreached()
#define CURVE25519_OUTPUT_LEN
#define CURVE25519_PUBKEY_LEN