1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2015, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
9 * \brief Functions implement the CREATE_FAST circuit handshake.
13 #include "onion_fast.h"
15 /** Release all state held in <b>victim</b>. */
17 fast_handshake_state_free(fast_handshake_state_t
*victim
)
21 memwipe(victim
, 0, sizeof(fast_handshake_state_t
));
25 /** Create the state needed to perform a CREATE_FAST handshake. Return 0
26 * on success, -1 on failure. */
28 fast_onionskin_create(fast_handshake_state_t
**handshake_state_out
,
29 uint8_t *handshake_out
)
31 fast_handshake_state_t
*s
;
32 *handshake_state_out
= s
= tor_malloc(sizeof(fast_handshake_state_t
));
33 if (crypto_rand((char*)s
->state
, sizeof(s
->state
)) < 0) {
37 memcpy(handshake_out
, s
->state
, DIGEST_LEN
);
41 /** Implement the server side of the CREATE_FAST abbreviated handshake. The
42 * client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x"). We
43 * generate a reply of DIGEST_LEN*2 bytes in <b>key_out</b>, consisting of a
44 * new random "y", followed by H(x|y) to check for correctness. We set
45 * <b>key_out_len</b> bytes of key material in <b>key_out</b>.
46 * Return 0 on success, <0 on failure.
49 fast_server_handshake(const uint8_t *key_in
, /* DIGEST_LEN bytes */
50 uint8_t *handshake_reply_out
, /* DIGEST_LEN*2 bytes */
54 uint8_t tmp
[DIGEST_LEN
+DIGEST_LEN
];
59 if (crypto_rand((char*)handshake_reply_out
, DIGEST_LEN
)<0)
62 memcpy(tmp
, key_in
, DIGEST_LEN
);
63 memcpy(tmp
+DIGEST_LEN
, handshake_reply_out
, DIGEST_LEN
);
64 out_len
= key_out_len
+DIGEST_LEN
;
65 out
= tor_malloc(out_len
);
66 if (crypto_expand_key_material_TAP(tmp
, sizeof(tmp
), out
, out_len
)) {
69 memcpy(handshake_reply_out
+DIGEST_LEN
, out
, DIGEST_LEN
);
70 memcpy(key_out
, out
+DIGEST_LEN
, key_out_len
);
73 memwipe(tmp
, 0, sizeof(tmp
));
74 memwipe(out
, 0, out_len
);
79 /** Implement the second half of the client side of the CREATE_FAST handshake.
80 * We sent the server <b>handshake_state</b> ("x") already, and the server
81 * told us <b>handshake_reply_out</b> (y|H(x|y)). Make sure that the hash is
82 * correct, and generate key material in <b>key_out</b>. Return 0 on success,
85 * NOTE: The "CREATE_FAST" handshake path is distinguishable from regular
86 * "onionskin" handshakes, and is not secure if an adversary can see or modify
87 * the messages. Therefore, it should only be used by clients, and only as
88 * the first hop of a circuit (since the first hop is already authenticated
89 * and protected by TLS).
92 fast_client_handshake(const fast_handshake_state_t
*handshake_state
,
93 const uint8_t *handshake_reply_out
,/*DIGEST_LEN*2 bytes*/
98 uint8_t tmp
[DIGEST_LEN
+DIGEST_LEN
];
103 memcpy(tmp
, handshake_state
->state
, DIGEST_LEN
);
104 memcpy(tmp
+DIGEST_LEN
, handshake_reply_out
, DIGEST_LEN
);
105 out_len
= key_out_len
+DIGEST_LEN
;
106 out
= tor_malloc(out_len
);
107 if (crypto_expand_key_material_TAP(tmp
, sizeof(tmp
), out
, out_len
)) {
109 *msg_out
= "Failed to expand key material";
112 if (tor_memneq(out
, handshake_reply_out
+DIGEST_LEN
, DIGEST_LEN
)) {
113 /* H(K) does *not* match. Something fishy. */
115 *msg_out
= "Digest DOES NOT MATCH on fast handshake. Bug or attack.";
118 memcpy(key_out
, out
+DIGEST_LEN
, key_out_len
);
121 memwipe(tmp
, 0, sizeof(tmp
));
122 memwipe(out
, 0, out_len
);