1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
9 * \brief Functions implement the CREATE_FAST circuit handshake.
11 * The "CREATE_FAST" handshake is an unauthenticated, non-forward-secure
12 * key derivation mechanism based on SHA1. We used to use it for the
13 * first hop of each circuit, since the TAP handshake provided no
14 * additional security beyond the security already provided by the TLS
17 * When we switched to ntor, we deprecated CREATE_FAST, since ntor is
18 * stronger than our TLS handshake was, and fast enough to not be worrisome.
20 * This handshake, like the other circuit-extension handshakes, is
21 * invoked from onion.c.
23 * [*]Actually, it's possible that TAP _was_ a little better than TLS with
24 * RSA1024 certificates and EDH1024 for forward secrecy, if you
25 * hypothesize an adversary who can compute discrete logarithms on a
26 * small number of targeted DH1024 fields, but who can't break all that
30 #include "core/or/or.h"
31 #include "core/crypto/onion_fast.h"
32 #include "lib/crypt_ops/crypto_hkdf.h"
33 #include "lib/crypt_ops/crypto_rand.h"
34 #include "lib/crypt_ops/crypto_util.h"
36 /** Release all state held in <b>victim</b>. */
38 fast_handshake_state_free_(fast_handshake_state_t
*victim
)
42 memwipe(victim
, 0, sizeof(fast_handshake_state_t
));
46 /** Create the state needed to perform a CREATE_FAST handshake. Return 0
47 * on success, -1 on failure. */
49 fast_onionskin_create(fast_handshake_state_t
**handshake_state_out
,
50 uint8_t *handshake_out
)
52 fast_handshake_state_t
*s
;
53 *handshake_state_out
= s
= tor_malloc(sizeof(fast_handshake_state_t
));
54 crypto_rand((char*)s
->state
, sizeof(s
->state
));
55 memcpy(handshake_out
, s
->state
, DIGEST_LEN
);
59 /** Implement the server side of the CREATE_FAST abbreviated handshake. The
60 * client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x"). We
61 * generate a reply of DIGEST_LEN*2 bytes in <b>key_out</b>, consisting of a
62 * new random "y", followed by H(x|y) to check for correctness. We set
63 * <b>key_out_len</b> bytes of key material in <b>key_out</b>.
64 * Return 0 on success, <0 on failure.
67 fast_server_handshake(const uint8_t *key_in
, /* DIGEST_LEN bytes */
68 uint8_t *handshake_reply_out
, /* DIGEST_LEN*2 bytes */
72 uint8_t tmp
[DIGEST_LEN
+DIGEST_LEN
];
77 crypto_rand((char*)handshake_reply_out
, DIGEST_LEN
);
79 memcpy(tmp
, key_in
, DIGEST_LEN
);
80 memcpy(tmp
+DIGEST_LEN
, handshake_reply_out
, DIGEST_LEN
);
81 out_len
= key_out_len
+DIGEST_LEN
;
82 out
= tor_malloc(out_len
);
83 if (BUG(crypto_expand_key_material_TAP(tmp
, sizeof(tmp
), out
, out_len
))) {
84 goto done
; // LCOV_EXCL_LINE
86 memcpy(handshake_reply_out
+DIGEST_LEN
, out
, DIGEST_LEN
);
87 memcpy(key_out
, out
+DIGEST_LEN
, key_out_len
);
90 memwipe(tmp
, 0, sizeof(tmp
));
91 memwipe(out
, 0, out_len
);
96 /** Implement the second half of the client side of the CREATE_FAST handshake.
97 * We sent the server <b>handshake_state</b> ("x") already, and the server
98 * told us <b>handshake_reply_out</b> (y|H(x|y)). Make sure that the hash is
99 * correct, and generate key material in <b>key_out</b>. Return 0 on success,
102 * NOTE: The "CREATE_FAST" handshake path is distinguishable from regular
103 * "onionskin" handshakes, and is not secure if an adversary can see or modify
104 * the messages. Therefore, it should only be used by clients, and only as
105 * the first hop of a circuit (since the first hop is already authenticated
106 * and protected by TLS).
109 fast_client_handshake(const fast_handshake_state_t
*handshake_state
,
110 const uint8_t *handshake_reply_out
,/*DIGEST_LEN*2 bytes*/
113 const char **msg_out
)
115 uint8_t tmp
[DIGEST_LEN
+DIGEST_LEN
];
120 memcpy(tmp
, handshake_state
->state
, DIGEST_LEN
);
121 memcpy(tmp
+DIGEST_LEN
, handshake_reply_out
, DIGEST_LEN
);
122 out_len
= key_out_len
+DIGEST_LEN
;
123 out
= tor_malloc(out_len
);
124 if (BUG(crypto_expand_key_material_TAP(tmp
, sizeof(tmp
), out
, out_len
))) {
125 /* LCOV_EXCL_START */
127 *msg_out
= "Failed to expand key material";
131 if (tor_memneq(out
, handshake_reply_out
+DIGEST_LEN
, DIGEST_LEN
)) {
132 /* H(K) does *not* match. Something fishy. */
134 *msg_out
= "Digest DOES NOT MATCH on fast handshake. Bug or attack.";
137 memcpy(key_out
, out
+DIGEST_LEN
, key_out_len
);
140 memwipe(tmp
, 0, sizeof(tmp
));
141 memwipe(out
, 0, out_len
);