src/or/onion_fast.c

   1 /* Copyright (c) 2001 Matej Pfajfar.
   2  * Copyright (c) 2001-2004, Roger Dingledine.
   3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
   4  * Copyright (c) 2007-2013, The Tor Project, Inc. */
   5 /* See LICENSE for licensing information */
   6
   7 /**
   8  * \file onion_fast.c
   9  * \brief Functions implement the CREATE_FAST circuit handshake.
  10  **/
  11
  12 #include "or.h"
  13 #include "onion_fast.h"
  14
  15 /** Release all state held in <b>victim</b>. */
  16 void
  17 fast_handshake_state_free(fast_handshake_state_t *victim)
  18 {
  19   if (! victim)
  20     return;
  21   memwipe(victim, 0, sizeof(fast_handshake_state_t));
  22   tor_free(victim);
  23 }
  24
  25 /** Create the state needed to perform a CREATE_FAST handshake. Return 0
  26  * on success, -1 on failure. */
  27 int
  28 fast_onionskin_create(fast_handshake_state_t **handshake_state_out,
  29                       uint8_t *handshake_out)
  30 {
  31   fast_handshake_state_t *s;
  32   *handshake_state_out = s = tor_malloc(sizeof(fast_handshake_state_t));
  33   if (crypto_rand((char*)s->state, sizeof(s->state)) < 0) {
  34     tor_free(s);
  35     return -1;
  36   }
  37   memcpy(handshake_out, s->state, DIGEST_LEN);
  38   return 0;
  39 }
  40
  41 /** Implement the server side of the CREATE_FAST abbreviated handshake.  The
  42  * client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x").  We
  43  * generate a reply of DIGEST_LEN*2 bytes in <b>key_out</b>, consisting of a
  44  * new random "y", followed by H(x|y) to check for correctness.  We set
  45  * <b>key_out_len</b> bytes of key material in <b>key_out</b>.
  46  * Return 0 on success, &lt;0 on failure.
  47  **/
  48 int
  49 fast_server_handshake(const uint8_t *key_in, /* DIGEST_LEN bytes */
  50                       uint8_t *handshake_reply_out, /* DIGEST_LEN*2 bytes */
  51                       uint8_t *key_out,
  52                       size_t key_out_len)
  53 {
  54   uint8_t tmp[DIGEST_LEN+DIGEST_LEN];
  55   uint8_t *out = NULL;
  56   size_t out_len;
  57   int r = -1;
  58
  59   if (crypto_rand((char*)handshake_reply_out, DIGEST_LEN)<0)
  60     return -1;
  61
  62   memcpy(tmp, key_in, DIGEST_LEN);
  63   memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
  64   out_len = key_out_len+DIGEST_LEN;
  65   out = tor_malloc(out_len);
  66   if (crypto_expand_key_material_TAP(tmp, sizeof(tmp), out, out_len)) {
  67     goto done;
  68   }
  69   memcpy(handshake_reply_out+DIGEST_LEN, out, DIGEST_LEN);
  70   memcpy(key_out, out+DIGEST_LEN, key_out_len);
  71   r = 0;
  72  done:
  73   memwipe(tmp, 0, sizeof(tmp));
  74   memwipe(out, 0, out_len);
  75   tor_free(out);
  76   return r;
  77 }
  78
  79 /** Implement the second half of the client side of the CREATE_FAST handshake.
  80  * We sent the server <b>handshake_state</b> ("x") already, and the server
  81  * told us <b>handshake_reply_out</b> (y|H(x|y)).  Make sure that the hash is
  82  * correct, and generate key material in <b>key_out</b>.  Return 0 on success,
  83  * true on failure.
  84  *
  85  * NOTE: The "CREATE_FAST" handshake path is distinguishable from regular
  86  * "onionskin" handshakes, and is not secure if an adversary can see or modify
  87  * the messages.  Therefore, it should only be used by clients, and only as
  88  * the first hop of a circuit (since the first hop is already authenticated
  89  * and protected by TLS).
  90  */
  91 int
  92 fast_client_handshake(const fast_handshake_state_t *handshake_state,
  93                       const uint8_t *handshake_reply_out,/*DIGEST_LEN*2 bytes*/
  94                       uint8_t *key_out,
  95                       size_t key_out_len)
  96 {
  97   uint8_t tmp[DIGEST_LEN+DIGEST_LEN];
  98   uint8_t *out;
  99   size_t out_len;
 100   int r = -1;
 101
 102   memcpy(tmp, handshake_state->state, DIGEST_LEN);
 103   memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
 104   out_len = key_out_len+DIGEST_LEN;
 105   out = tor_malloc(out_len);
 106   if (crypto_expand_key_material_TAP(tmp, sizeof(tmp), out, out_len)) {
 107     log_warn(LD_CIRC, "Failed to expand key material");
 108     goto done;
 109   }
 110   if (tor_memneq(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
 111     /* H(K) does *not* match. Something fishy. */
 112     log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. "
 113              "Bug or attack.");
 114     goto done;
 115   }
 116   memcpy(key_out, out+DIGEST_LEN, key_out_len);
 117   r = 0;
 118  done:
 119   memwipe(tmp, 0, sizeof(tmp));
 120   memwipe(out, 0, out_len);
 121   tor_free(out);
 122   return r;
 123 }
 124