23 #define ONION_NTOR_PRIVATE
42 memwipe(state, 0,
sizeof(*state));
52 const uint8_t *inp,
size_t inp_len,
55 size_t tweak_len = strlen(tweak);
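/**
 * Protocol identifier string for this handshake. It is appended to both
 * secret_input and auth_input with APPEND(..., PROTOID, PROTOID_LEN) and is
 * the prefix of the tweak strings (for example PROTOID ":key_extract").
 */
#define PROTOID "ntor-curve25519-sha256-1"
/**
 * Length of PROTOID in bytes, not counting the terminating NUL (24).
 *
 * Derived from the literal rather than hand-counted. The handshake code
 * copies PROTOID_LEN bytes with memcpy() and also sizes its input buffers
 * from PROTOID_LEN, so the end-of-buffer tor_assert() checks stay
 * self-consistent even if this number is wrong: a stale value would make
 * memcpy() read past the literal, or silently truncate the identifier,
 * without any assertion firing. The cast keeps the macro's original int
 * type.
 */
#define PROTOID_LEN ((int)(sizeof(PROTOID) - 1))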
72 PROTOID
":key_extract",
79 #define APPEND(ptr, inp, len) \
81 memcpy(ptr, (inp), (len)); \
96 uint8_t *onion_skin_out)
103 memcpy(state->router_id, router_id,
DIGEST_LEN);
122 *handshake_state_out = state;
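/** Constant label appended to auth_input immediately after PROTOID. */
#define SERVER_STR "Server"
/**
 * Length of SERVER_STR in bytes, not counting the terminating NUL (6).
 * Derived from the literal so the copy length passed to APPEND cannot
 * drift from the string; the cast keeps the macro's original int type.
 */
#define SERVER_STR_LEN ((int)(sizeof(SERVER_STR) - 1))

/**
 * Exact size in bytes of the secret_input buffer: three curve25519 public
 * keys, two curve25519 outputs, one DIGEST_LEN identity and PROTOID.
 *
 * Both handshake sides fill the buffer with APPEND and then tor_assert()
 * that the write cursor sits exactly at secret_input + sizeof(secret_input),
 * so any field added to or removed from the input must be reflected here.
 */
#define SECRET_INPUT_LEN (CURVE25519_PUBKEY_LEN * 3 +   \
                          CURVE25519_OUTPUT_LEN * 2 +   \
                          DIGEST_LEN + PROTOID_LEN)
/**
 * Exact size in bytes of the auth_input buffer: one DIGEST256_LEN value,
 * one DIGEST_LEN identity, three curve25519 public keys, PROTOID and
 * SERVER_STR.
 *
 * Checked the same way as SECRET_INPUT_LEN: after the last APPEND the code
 * asserts the cursor equals auth_input + sizeof(auth_input).
 */
#define AUTH_INPUT_LEN (DIGEST256_LEN + DIGEST_LEN +    \
                        CURVE25519_PUBKEY_LEN*3 +       \
                        PROTOID_LEN + SERVER_STR_LEN)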
152 const uint8_t *my_node_id,
153 uint8_t *handshake_reply_out,
161 uint8_t secret_input[SECRET_INPUT_LEN];
162 uint8_t auth_input[AUTH_INPUT_LEN];
168 uint8_t *si = s.secret_input, *ai = s.auth_input;
212 APPEND(si, PROTOID, PROTOID_LEN);
213 tor_assert(si == s.secret_input +
sizeof(s.secret_input));
216 h_tweak(s.verify, s.secret_input,
sizeof(s.secret_input),
T->t_verify);
224 APPEND(ai, PROTOID, PROTOID_LEN);
225 APPEND(ai, SERVER_STR, SERVER_STR_LEN);
226 tor_assert(ai == s.auth_input +
sizeof(s.auth_input));
231 s.auth_input,
sizeof(s.auth_input),
236 s.secret_input,
sizeof(s.secret_input),
237 (
const uint8_t*)
T->t_key, strlen(
T->t_key),
238 (
const uint8_t*)
T->m_expand, strlen(
T->m_expand),
239 key_out, key_out_len);
256 const uint8_t *handshake_reply,
259 const char **msg_out)
266 uint8_t secret_input[SECRET_INPUT_LEN];
268 uint8_t auth_input[AUTH_INPUT_LEN];
271 uint8_t *ai = s.auth_input, *si = s.secret_input;
272 const uint8_t *auth_candidate;
288 &handshake_state->pubkey_B);
295 APPEND(si, PROTOID, PROTOID_LEN);
296 tor_assert(si == s.secret_input +
sizeof(s.secret_input));
299 h_tweak(s.verify, s.secret_input,
sizeof(s.secret_input),
T->t_verify);
307 APPEND(ai, PROTOID, PROTOID_LEN);
308 APPEND(ai, SERVER_STR, SERVER_STR_LEN);
309 tor_assert(ai == s.auth_input +
sizeof(s.auth_input));
312 h_tweak(s.auth, s.auth_input,
sizeof(s.auth_input),
T->t_mac);
317 s.secret_input,
sizeof(s.secret_input),
318 (
const uint8_t*)
T->t_key, strlen(
T->t_key),
319 (
const uint8_t*)
T->m_expand, strlen(
T->m_expand),
320 key_out, key_out_len);
330 "Invalid result from curve25519 handshake: %d", bad);
334 *msg_out =
"Zero output from curve25519 handshake";
336 "Invalid result from curve25519 handshake: %d", bad);