search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'maint-0.4.8'
[tor.git] / src / core / crypto / onion_ntor_v3.c
blob491c69cf8d606091ad5b0bdd9b91b70ebdd21580
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6
7 /**
8 * @file onion_ntor_v3.c
9 * @brief Implements the version 3 ntor handshake as first specified in
10 * proposal 332.
11 *
12 * The v3 ntor handshake differs from the earlier versions (ntor and hs-ntor)
13 * primarily in that it allows the client to send an authenticated encrypted
14 * message as part of its onion skin, and allows the relay to send and
15 * encrypted authenticated reply as part of its response.
16 *
17 * It also takes a "verification string" -- the handshake cannot succeed
18 * unless both parties use the same value for their verification stream.
19 **/
20
21 #define ONION_NTOR_V3_PRIVATE
22
23 #include "orconfig.h"
24 #include "core/crypto/onion_ntor_v3.h"
25
26 #include "lib/arch/bytes.h"
27 #include "lib/crypt_ops/crypto_digest.h"
28 #include "lib/crypt_ops/crypto_rand.h"
29 #include "lib/crypt_ops/crypto_util.h"
30 #include "lib/ctime/di_ops.h"
31 #include "lib/log/util_bug.h"
32
33 #include <string.h>
34
35 /* Parameters used to keep the outputs of this handshake from colliding with
36 * others. These are defined in the specification. */
37 #define PROTOID "ntor3-curve25519-sha3_256-1"
38 #define TWEAK(A) (PROTOID ":" A)
39
40 #define T_MSGKDF TWEAK("kdf_phase1")
41 #define T_MSGMAC TWEAK("msg_mac")
42 #define T_KEY_SEED TWEAK("key_seed")
43 #define T_VERIFY TWEAK("verify")
44 #define T_FINAL TWEAK("kdf_final")
45 #define T_AUTH TWEAK("auth_final")
46
47 /**
48 * Add @a len bytes of @a data as input to the provided @a xof.
49 *
50 * (This is provided just for abbreviation).
51 **/
52 #define xof_add(xof, data, len) crypto_xof_add_bytes((xof), (data), (len))
53 /**
54 * Add @a len bytes of @a data as input to the provided @a xof,
55 * prefixed with an encoding of the length.
56 *
57 * This is equivalent to ENCAP(data) in the spec.
58 **/
59 static void
60 xof_add_encap(crypto_xof_t *xof, const uint8_t *data, size_t len)
61 {
62 uint64_t len64 = tor_htonll(len);
63 xof_add(xof, (uint8_t *)(&len64), 8);
64 xof_add(xof, data, len);
65 }
66 /**
67 * Add an encapsulated tweak to the provided xof.
68 **/
69 #define xof_add_tweak(d, s) xof_add_encap((d), (const uint8_t *)(s), strlen(s))
70
71 /**
72 * Add @a len bytes of @a data to the provided @a digest.
73 *
74 * This is provided as an abbreviation, and to get the types right.
75 **/
76 static void
77 d_add(crypto_digest_t *digest, const uint8_t *data, size_t len)
78 {
79 crypto_digest_add_bytes(digest, (const char *)data, len);
80 }
81 /**
82 * Add @a len bytes of @a data to the provided @a digest, prefixed
83 * with the encoded length.
84 *
85 * This is equivalent to ENCAP(data) from the spec.
86 **/
87 static void
88 d_add_encap(crypto_digest_t *digest, const uint8_t *data, size_t len)
89 {
90 uint64_t len64 = tor_htonll(len);
91 d_add(digest, (const uint8_t *)(&len64), 8);
92 d_add(digest, data, len);
93 }
94 /**
95 * Add an encapsulated tweak to the provided digest.
96 **/
97 #define d_add_tweak(d, s) d_add_encap((d), (const uint8_t *)(s), strlen(s))
98
99 /**
100 * Helper: copy @a len bytes of @a data onto *@a ptr, and advance @a ptr
101 * forward by @a len bytes.
102 *
103 * Asserts that @a ptr will not be advanced beyond @a endptr.
104 **/
105 static void
106 push(uint8_t **ptr, const uint8_t *endptr, const uint8_t *data, size_t len)
107 {
108 size_t remaining = endptr - *ptr;
109 tor_assert(len <= remaining);
110 memcpy(*ptr, data, len);
111 *ptr += len;
112 }
113
114 /**
115 * Helper: Drop storage held by @a state, after wiping it.
116 **/
117 void
118 ntor3_handshake_state_free_(ntor3_handshake_state_t *state)
119 {
120 if (!state)
121 return;
122
123 memwipe(state, 0, sizeof(*state));
124 tor_free(state);
125 }
126
127 /**
128 * Perform a client-side v3 ntor handshake with a given relay.
129 *
130 * As inputs this function takes the relay's Ed25519 identity (@a relay_id),
131 * the relay's current ntor onion key (@a relay_key), a verification string
132 * (@a verification_len bytes at @a verification), and a message to send
133 * as part of the handshake (@a message_len bytes at @a message).
134 *
135 * The message will be encrypted and authenticated to the relay, but will not
136 * receive the same forward secrecy as the rest of the handshake. We should
137 * not put any super-confidential data in it.
138 *
139 * The handshake will only succeed if the relay uses the same verification
140 * string as we are using.
141 *
142 * As outputs, this function returns 0 on success and -1 on failure. On
143 * success, it sets @a onion_skin_out and @a onion_skin_len_out to a newly
144 * allocated handshake message that the client can send as part of its CREATE2
145 * or EXTEND2 cell. It also sets it sets @a handshake_state_out to a newly
146 * allocated handshake state object; the client needs to use this object to
147 * process the relay's eventual reply.
148 **/
149 int
150 onion_skin_ntor3_create(const ed25519_public_key_t *relay_id,
151 const curve25519_public_key_t *relay_key,
152 const uint8_t *verification,
153 const size_t verification_len,
154 const uint8_t *message,
155 const size_t message_len,
156 ntor3_handshake_state_t **handshake_state_out,
157 uint8_t **onion_skin_out,
158 size_t *onion_skin_len_out)
159 {
160 curve25519_keypair_t client_keypair;
161 if (curve25519_keypair_generate(&client_keypair, 0) < 0) {
162 return -1;
163 }
164 int r = onion_skin_ntor3_create_nokeygen(
165 &client_keypair,
166 relay_id,
167 relay_key,
168 verification,
169 verification_len,
170 message,
171 message_len,
172 handshake_state_out,
173 onion_skin_out,
174 onion_skin_len_out);
175 memwipe(&client_keypair, 0, sizeof(client_keypair));
176 return r;
177 }
178
179 /**
180 * Like onion_skin_ntor3_create, but do not generate a new ephemeral keypair.
181 * Instead, take the ephemeral keypair (x,X) from @a client_keypair.
182 *
183 * (Having a separate function for this lets us test the code for correct
184 * behavior.)
185 **/
186 STATIC int
187 onion_skin_ntor3_create_nokeygen(
188 const curve25519_keypair_t *client_keypair,
189 const ed25519_public_key_t *relay_id,
190 const curve25519_public_key_t *relay_key,
191 const uint8_t *verification,
192 const size_t verification_len,
193 const uint8_t *message,
194 const size_t message_len,
195 ntor3_handshake_state_t **handshake_state_out,
196 uint8_t **onion_skin_out,
197 size_t *onion_skin_len_out)
198 {
199 *handshake_state_out = NULL;
200 *onion_skin_out = NULL;
201 *onion_skin_len_out = 0;
202
203 // Set up the handshake state object.
204 *handshake_state_out = tor_malloc_zero(sizeof(ntor3_handshake_state_t));
205 memcpy(&(*handshake_state_out)->client_keypair, client_keypair,
206 sizeof(*client_keypair));
207 memcpy(&(*handshake_state_out)->relay_id, relay_id, sizeof(*relay_id));
208 memcpy(&(*handshake_state_out)->relay_key, relay_key, sizeof(*relay_key));
209
210 // Perform the first DH handshake.
211 curve25519_handshake((*handshake_state_out)->bx,
212 &client_keypair->seckey, relay_key);
213 if (safe_mem_is_zero((*handshake_state_out)->bx, CURVE25519_OUTPUT_LEN)) {
214 // Okay to return early here, since our behavior here doesn't
215 // cause a visible timing sidechannel.
216 return -1;
217 }
218
219 // Compute phase1_keys.
220 uint8_t enc_key[CIPHER256_KEY_LEN];
221 uint8_t mac_key[DIGEST256_LEN];
222 {
223 crypto_xof_t *xof = crypto_xof_new();
224 // secret_input_phase1 = Bx | ID | X | B | PROTOID | ENCAP(VER)
225 xof_add_tweak(xof, T_MSGKDF);
226 xof_add(xof, (*handshake_state_out)->bx, CURVE25519_OUTPUT_LEN);
227 xof_add(xof, relay_id->pubkey, ED25519_PUBKEY_LEN);
228 xof_add(xof, client_keypair->pubkey.public_key, CURVE25519_PUBKEY_LEN);
229 xof_add(xof, relay_key->public_key, CURVE25519_PUBKEY_LEN);
230 xof_add(xof, (const uint8_t *)PROTOID, strlen(PROTOID));
231 xof_add_encap(xof, verification, verification_len);
232 crypto_xof_squeeze_bytes(xof, enc_key, sizeof(enc_key));
233 crypto_xof_squeeze_bytes(xof, mac_key, sizeof(mac_key));
234 crypto_xof_free(xof);
235 }
236
237 // Compute encrypted message.
238 uint8_t *encrypted_message = tor_memdup(message, message_len);
239 {
240 crypto_cipher_t *c =
241 crypto_cipher_new_with_bits((const char *)enc_key, 256);
242 crypto_cipher_crypt_inplace(c, (char *)encrypted_message, message_len);
243 crypto_cipher_free(c);
244 }
245
246 // Compute the MAC value.
247 {
248 crypto_digest_t *m = crypto_digest256_new(DIGEST_SHA3_256);
249 d_add_tweak(m, T_MSGMAC);
250 d_add_encap(m, mac_key, sizeof(mac_key));
251 d_add(m, relay_id->pubkey, ED25519_PUBKEY_LEN);
252 d_add(m, relay_key->public_key, CURVE25519_PUBKEY_LEN);
253 d_add(m, client_keypair->pubkey.public_key, CURVE25519_PUBKEY_LEN);
254 d_add(m, encrypted_message, message_len);
255 crypto_digest_get_digest(m,
256 (char *)(*handshake_state_out)->msg_mac,
257 DIGEST256_LEN);
258 crypto_digest_free(m);
259 }
260
261 // Build the onionskin.
262 *onion_skin_len_out = (ED25519_PUBKEY_LEN + CURVE25519_PUBKEY_LEN*2 +
263 DIGEST256_LEN + message_len);
264 *onion_skin_out = tor_malloc(*onion_skin_len_out);
265 {
266 uint8_t *ptr = *onion_skin_out, *end = ptr + *onion_skin_len_out;
267
268 push(&ptr, end, relay_id->pubkey, ED25519_PUBKEY_LEN);
269 push(&ptr, end, relay_key->public_key, CURVE25519_PUBKEY_LEN);
270 push(&ptr, end, client_keypair->pubkey.public_key, CURVE25519_PUBKEY_LEN);
271 push(&ptr, end, encrypted_message, message_len);
272 push(&ptr, end, (*handshake_state_out)->msg_mac, DIGEST256_LEN);
273 tor_assert(ptr == end);
274 }
275
276 memwipe(&enc_key, 0, sizeof(enc_key));
277 memwipe(&mac_key, 0, sizeof(mac_key));
278 memwipe(encrypted_message, 0, message_len);
279 tor_free(encrypted_message);
280
281 return 0;
282 }
283
284 /**
285 * Complete a client-side v3 ntor handshake.
286 *
287 * Takes a @a handshake_state returned earlier by `onion_skin_ntor3_create()`,
288 * and the relay's reply to that handshake (@a reply_len bytes at @a
289 * handshake_reply). Also takes a verification string (@a verification_len
290 * bytes at @a verification).
291 *
292 * Returns 0 on success and -1 on failure. On success, generates @a key_len
293 * bytes of key material into the provided @a keys_out buffer, and sets @a
294 * message_out to the message that the relay sent in reply to our message (and
295 * sets @a message_out_len to that message's length).
296 **/
297 int
298 onion_ntor3_client_handshake(const ntor3_handshake_state_t *handshake_state,
299 const uint8_t *handshake_reply,
300 size_t reply_len,
301 const uint8_t *verification,
302 size_t verification_len,
303 uint8_t *keys_out,
304 size_t keys_out_len,
305 uint8_t **message_out,
306 size_t *message_len_out)
307 {
308 *message_out = NULL;
309 *message_len_out = 0;
310
311 int problems = 0;
312
313 // Parse the relay's message.
314 curve25519_public_key_t relay_Y;
315 uint8_t relay_auth[DIGEST256_LEN];
316 size_t encrypted_msg_len;
317 const uint8_t *encrypted_msg;
318 {
319 if (reply_len < CURVE25519_PUBKEY_LEN + DIGEST256_LEN) {
320 // Okay to return early here, since the message is completely
321 // ill-formed, so we can't leak anything.
322 ++problems;
323 goto done;
324 }
325 encrypted_msg_len = reply_len - (CURVE25519_PUBKEY_LEN + DIGEST256_LEN);
326
327 memcpy(&relay_Y.public_key, handshake_reply, CURVE25519_PUBKEY_LEN);
328 handshake_reply += CURVE25519_PUBKEY_LEN;
329 memcpy(&relay_auth, handshake_reply, DIGEST256_LEN);
330 handshake_reply += DIGEST256_LEN;
331 encrypted_msg = handshake_reply;
332 }
333
334 // Finish the second diffie hellman handshake.
335 uint8_t yx[CURVE25519_OUTPUT_LEN];
336 curve25519_handshake(yx, &handshake_state->client_keypair.seckey, &relay_Y);
337 problems |= safe_mem_is_zero(yx, sizeof(yx));
338
339 // Compute two tweaked hashes of secret_input.
340 uint8_t key_seed[DIGEST256_LEN], verify[DIGEST256_LEN];
341 {
342 crypto_digest_t *ks = crypto_digest256_new(DIGEST_SHA3_256);
343 crypto_digest_t *v = crypto_digest256_new(DIGEST_SHA3_256);
344 d_add_tweak(ks, T_KEY_SEED);
345 d_add_tweak(v, T_VERIFY);
346 #define ADD2(s,len) STMT_BEGIN { \
347 d_add(ks, (s),(len)); d_add(v, (s), (len)); \
348 } STMT_END
349 #define ADD2_ENCAP(s,len) STMT_BEGIN { \
350 d_add_encap(ks, (s),(len)); d_add_encap(v, (s), (len)); \
351 } STMT_END
352
353 ADD2(yx, sizeof(yx));
354 ADD2(handshake_state->bx, sizeof(handshake_state->bx));
355 ADD2(handshake_state->relay_id.pubkey, ED25519_PUBKEY_LEN);
356 ADD2(handshake_state->relay_key.public_key, CURVE25519_PUBKEY_LEN);
357 ADD2(handshake_state->client_keypair.pubkey.public_key,
358 CURVE25519_PUBKEY_LEN);
359 ADD2(relay_Y.public_key, CURVE25519_PUBKEY_LEN);
360 ADD2((const uint8_t *)PROTOID, strlen(PROTOID));
361 ADD2_ENCAP(verification, verification_len);
362
363 crypto_digest_get_digest(ks, (char*) key_seed, DIGEST256_LEN);
364 crypto_digest_get_digest(v, (char*) verify, DIGEST256_LEN);
365 crypto_digest_free(ks);
366 crypto_digest_free(v);
367 }
368
369 // compute expected auth value.
370 uint8_t auth_computed[DIGEST256_LEN];
371 {
372 crypto_digest_t *d = crypto_digest256_new(DIGEST_SHA3_256);
373 d_add_tweak(d, T_AUTH);
374 d_add(d, verify, sizeof(verify));
375 d_add(d, handshake_state->relay_id.pubkey, ED25519_PUBKEY_LEN);
376 d_add(d, handshake_state->relay_key.public_key, CURVE25519_PUBKEY_LEN);
377 d_add(d, relay_Y.public_key, CURVE25519_PUBKEY_LEN);
378 d_add(d, handshake_state->client_keypair.pubkey.public_key,
379 CURVE25519_PUBKEY_LEN);
380 d_add(d, handshake_state->msg_mac, DIGEST256_LEN);
381 d_add_encap(d, encrypted_msg, encrypted_msg_len);
382 d_add(d, (const uint8_t*)PROTOID, strlen(PROTOID));
383 d_add(d, (const uint8_t*)"Server", strlen("Server"));
384 crypto_digest_get_digest(d, (char *)auth_computed, DIGEST256_LEN);
385 crypto_digest_free(d);
386 }
387
388 // Check authentication value.
389 problems |= tor_memneq(auth_computed, relay_auth, DIGEST256_LEN);
390
391 // Compute keystream, decrypt message, and return.
392 *message_out = tor_malloc(encrypted_msg_len);
393 *message_len_out = encrypted_msg_len;
394 uint8_t enc_key[CIPHER256_KEY_LEN];
395 {
396 crypto_xof_t *xof = crypto_xof_new();
397 xof_add_tweak(xof, T_FINAL);
398 xof_add(xof, key_seed, sizeof(key_seed));
399 crypto_xof_squeeze_bytes(xof, enc_key, sizeof(enc_key));
400 crypto_xof_squeeze_bytes(xof, (uint8_t *)keys_out, keys_out_len);
401 crypto_xof_free(xof);
402
403 crypto_cipher_t *c =
404 crypto_cipher_new_with_bits((const char *)enc_key, 256);
405 crypto_cipher_decrypt(c, (char *)*message_out,
406 (const char *)encrypted_msg, encrypted_msg_len);
407 crypto_cipher_free(c);
408 }
409
410 done:
411 memwipe(&relay_Y, 0, sizeof(relay_Y));
412 memwipe(&relay_auth, 0, sizeof(relay_auth));
413 memwipe(&yx, 0, sizeof(yx));
414 memwipe(key_seed, 0, sizeof(key_seed));
415 memwipe(verify, 0, sizeof(verify));
416 memwipe(enc_key, 0, sizeof(enc_key));
417 if (problems) {
418 if (*message_out) {
419 memwipe(*message_out, 0, *message_len_out);
420 tor_free(*message_out); // Sets it to NULL.
421 }
422 *message_len_out = 0;
423 crypto_rand((char*)keys_out, keys_out_len); // In case bad code uses it.
424 return -1;
425 }
426
427 return 0;
428 }
429
430 /**
431 * Wipe a server handshake state, and release the storage it holds.
432 **/
433 void
434 ntor3_server_handshake_state_free_(ntor3_server_handshake_state_t *state)
435 {
436 if (state == NULL)
437 return;
438
439 memwipe(state, 0, sizeof(ntor3_server_handshake_state_t));
440 tor_free(state);
441 }
442
443 /**
444 * As a relay, start handling a client's v3 ntor handshake.
445 *
446 * This function performs the _first half_ of the handshake, up to the point
447 * where the client's message is decoded. After calling it, the relay should
448 * decide how and whether to reply to the client's message, compose its reply,
449 * and call `onion_skin_ntor3_server_handshake_part2`.
450 *
451 * It takes as input a map of the relay's known onion keys in @a private_keys,
452 * along with a fake @a junk_key to use if there is a complete mismatch. It
453 * takes the relay's ed25519 identity in @a my_id, along with the client's
454 * handshake message (@a client_handshake_len bytes in @a client_handshake),
455 * and a verification string (@a verification_len bytes in @a verification).
456 *
457 * Return 0 on success, and -1 on failure. On success, sets @a
458 * client_message_out to a newly allocated string holding the plaintext of the
459 * message that the client sent as part of its handshake, and @a
460 * client_message_out_len to its length. Also sets @a state_out to a newly
461 * allocated state object holding the intermediate computation for this
462 * handshake.
463 **/
464 int
465 onion_skin_ntor3_server_handshake_part1(
466 const di_digest256_map_t *private_keys,
467 const curve25519_keypair_t *junk_key,
468 const ed25519_public_key_t *my_id,
469 const uint8_t *client_handshake,
470 size_t client_handshake_len,
471 const uint8_t *verification,
472 size_t verification_len,
473 uint8_t **client_message_out,
474 size_t *client_message_len_out,
475 ntor3_server_handshake_state_t **state_out)
476 {
477 *client_message_out = NULL;
478 *client_message_len_out = 0;
479 *state_out = NULL;
480
481 int problems = 0;
482
483 // Initialize state.
484 (*state_out) = tor_malloc_zero(sizeof(ntor3_server_handshake_state_t));
485 memcpy(&(*state_out)->my_id, my_id, sizeof(*my_id));
486
487 const uint8_t *wanted_id; // [ED25519_PUBKEY_LEN]
488 const uint8_t *wanted_key; // [CURVE25519_PUBKEY_LEN]
489 const uint8_t *encrypted_message;
490 size_t encrypted_message_len;
491 // Unpack the client handshake.
492 {
493 const uint8_t *ptr = client_handshake;
494 const uint8_t *end = ptr + client_handshake_len;
495
496 if (client_handshake_len <
497 ED25519_PUBKEY_LEN + CURVE25519_PUBKEY_LEN * 2 + DIGEST256_LEN) {
498 // Okay to end early; the client knows this is unparseable already.
499 ++problems;
500 goto done;
501 }
502 wanted_id = ptr;
503 ptr += ED25519_PUBKEY_LEN;
504 wanted_key = ptr;
505 ptr += CURVE25519_PUBKEY_LEN;
506 memcpy((*state_out)->client_key.public_key, ptr, CURVE25519_PUBKEY_LEN);
507 ptr += CURVE25519_PUBKEY_LEN;
508 size_t remaining = (end-ptr);
509 if (BUG(remaining < DIGEST256_LEN)) {
510 // Okay to end early; this is a bug.
511 ++problems;
512 goto done;
513 }
514 encrypted_message = ptr;
515 encrypted_message_len = remaining - DIGEST256_LEN;
516 ptr += encrypted_message_len;
517 remaining = (end-ptr);
518 tor_assert(remaining == DIGEST256_LEN);
519 memcpy((*state_out)->msg_mac, ptr, DIGEST256_LEN);
520 }
521
522 // Check the identity.
523 problems |= tor_memneq(my_id->pubkey, wanted_id, ED25519_PUBKEY_LEN);
524
525 // Find the correct keypair.
526 const curve25519_keypair_t *keypair =
527 dimap_search(private_keys, wanted_key, (void *)junk_key);
528 tor_assert(keypair);
529 memcpy(&(*state_out)->my_key, &keypair->pubkey,
530 sizeof(curve25519_public_key_t));
531
532 // Do the first diffie hellman handshake.
533 curve25519_handshake((*state_out)->xb,
534 &keypair->seckey, &(*state_out)->client_key);
535 problems |= safe_mem_is_zero((*state_out)->xb, CURVE25519_OUTPUT_LEN);
536
537 // Derive the encryption and mac keys
538 uint8_t enc_key[CIPHER256_KEY_LEN], mac_key[DIGEST256_LEN];
539 {
540 crypto_xof_t *xof = crypto_xof_new();
541 xof_add_tweak(xof, T_MSGKDF);
542 xof_add(xof, (*state_out)->xb, CURVE25519_OUTPUT_LEN);
543 xof_add(xof, wanted_id, ED25519_PUBKEY_LEN);
544 xof_add(xof, (*state_out)->client_key.public_key, CURVE25519_PUBKEY_LEN);
545 xof_add(xof, keypair->pubkey.public_key, CURVE25519_PUBKEY_LEN);
546 xof_add(xof, (const uint8_t *)PROTOID, strlen(PROTOID));
547 xof_add_encap(xof, verification, verification_len);
548 crypto_xof_squeeze_bytes(xof, enc_key, sizeof(enc_key));
549 crypto_xof_squeeze_bytes(xof, mac_key, sizeof(mac_key));
550 crypto_xof_free(xof);
551 }
552
553 // Check the MAC.
554 uint8_t computed_mac[DIGEST256_LEN];
555 {
556 crypto_digest_t *d = crypto_digest256_new(DIGEST_SHA3_256);
557 d_add_tweak(d, T_MSGMAC);
558 d_add_encap(d, mac_key, sizeof(mac_key));
559 d_add(d, my_id->pubkey, ED25519_PUBKEY_LEN);
560 d_add(d, keypair->pubkey.public_key, CURVE25519_PUBKEY_LEN);
561 d_add(d, (*state_out)->client_key.public_key, CURVE25519_PUBKEY_LEN);
562 d_add(d, encrypted_message, encrypted_message_len);
563 crypto_digest_get_digest(d, (char *)computed_mac, DIGEST256_LEN);
564 crypto_digest_free(d);
565 }
566
567 problems |= tor_memneq((*state_out)->msg_mac, computed_mac, DIGEST256_LEN);
568
569 // Decrypt the message.
570 *client_message_out = tor_malloc(encrypted_message_len);
571 *client_message_len_out = encrypted_message_len;
572 {
573 crypto_cipher_t *c =
574 crypto_cipher_new_with_bits((const char *)enc_key, 256);
575 crypto_cipher_decrypt(c, (char *)*client_message_out,
576 (const char *)encrypted_message,
577 encrypted_message_len);
578 crypto_cipher_free(c);
579 }
580
581 done:
582 memwipe(enc_key, 0, sizeof(enc_key));
583 memwipe(mac_key, 0, sizeof(mac_key));
584 memwipe(computed_mac, 0, sizeof(computed_mac));
585 if (problems) {
586 if (*client_message_out) {
587 memwipe(*client_message_out, 0, *client_message_len_out);
588 tor_free(*client_message_out); // Sets it to NULL.
589 }
590 *client_message_len_out = 0;
591 ntor3_server_handshake_state_free(*state_out);
592 return -1;
593 }
594
595 return 0;
596 }
597
598 /**
599 * Finish the relay side of an ntor v3 handshake.
600 *
601 * The relay calls this function after it has decided to respond to the
602 * client's original encrypted message. This function receives the relay's
603 * message in @a server_message and its length in @a server_message_len, and
604 * completes the handshake.
605 *
606 * Returns 0 on success and -1 on failure. On success, stores the newly
607 * allocated handshake for the relay to send in @a handshake_out, and its
608 * length in @a handshake_len_out. Stores @a keys_out_len bytes of generated
609 * keys in the provided buffer at @a keys_out.
610 **/
611 int
612 onion_skin_ntor3_server_handshake_part2(
613 const ntor3_server_handshake_state_t *state,
614 const uint8_t *verification,
615 size_t verification_len,
616 const uint8_t *server_message,
617 size_t server_message_len,
618 uint8_t **handshake_out,
619 size_t *handshake_len_out,
620 uint8_t *keys_out,
621 size_t keys_out_len)
622 {
623 curve25519_keypair_t relay_keypair;
624 if (curve25519_keypair_generate(&relay_keypair, 0) < 0) {
625 return -1;
626 }
627 int r = onion_skin_ntor3_server_handshake_part2_nokeygen(
628 &relay_keypair,
629 state,
630 verification,
631 verification_len,
632 server_message,
633 server_message_len,
634 handshake_out,
635 handshake_len_out,
636 keys_out,
637 keys_out_len);
638 memwipe(&relay_keypair, 0, sizeof(relay_keypair));
639 return r;
640 }
641
642 /**
643 * Like `onion_skin_ntor3_server_handshake_part2`, but do not generate
644 * an ephemeral (y,Y) keypair.
645 *
646 * Instead, this function takes that keypair as @a relay_keypair_y.
647 *
648 * (Having a separate function for this lets us test the code for correct
649 * behavior.)
650 **/
651 STATIC int
652 onion_skin_ntor3_server_handshake_part2_nokeygen(
653 const curve25519_keypair_t *relay_keypair_y,
654 const ntor3_server_handshake_state_t *state,
655 const uint8_t *verification,
656 size_t verification_len,
657 const uint8_t *server_message,
658 size_t server_message_len,
659 uint8_t **handshake_out,
660 size_t *handshake_len_out,
661 uint8_t *keys_out,
662 size_t keys_out_len)
663 {
664 *handshake_out = NULL;
665 *handshake_len_out = 0;
666
667 int problems = 0;
668
669 // Second diffie-hellman handshake.
670 uint8_t xy[CURVE25519_OUTPUT_LEN];
671 curve25519_handshake(xy, &relay_keypair_y->seckey, &state->client_key);
672 problems |= safe_mem_is_zero(xy, sizeof(xy));
673
674 // Compute two tweaked hashes of secret_input.
675 uint8_t key_seed[DIGEST256_LEN], verify[DIGEST256_LEN];
676 {
677 crypto_digest_t *ks = crypto_digest256_new(DIGEST_SHA3_256);
678 crypto_digest_t *v = crypto_digest256_new(DIGEST_SHA3_256);
679 d_add_tweak(ks, T_KEY_SEED);
680 d_add_tweak(v, T_VERIFY);
681 ADD2(xy, sizeof(xy));
682 ADD2(state->xb, sizeof(state->xb));
683 ADD2(state->my_id.pubkey, ED25519_PUBKEY_LEN);
684 ADD2(state->my_key.public_key, CURVE25519_PUBKEY_LEN);
685 ADD2(state->client_key.public_key, CURVE25519_PUBKEY_LEN);
686 ADD2(relay_keypair_y->pubkey.public_key, CURVE25519_PUBKEY_LEN);
687 ADD2((const uint8_t *)PROTOID, strlen(PROTOID));
688 ADD2_ENCAP(verification, verification_len);
689 crypto_digest_get_digest(ks, (char*) key_seed, DIGEST256_LEN);
690 crypto_digest_get_digest(v, (char*) verify, DIGEST256_LEN);
691 crypto_digest_free(ks);
692 crypto_digest_free(v);
693 }
694
695 // Compute enc_key and keystream.
696 uint8_t enc_key[CIPHER256_KEY_LEN];
697 {
698 crypto_xof_t *xof = crypto_xof_new();
699 xof_add_tweak(xof, T_FINAL);
700 xof_add(xof, key_seed, sizeof(key_seed));
701 crypto_xof_squeeze_bytes(xof, enc_key, sizeof(enc_key));
702 crypto_xof_squeeze_bytes(xof, keys_out, keys_out_len);
703 crypto_xof_free(xof);
704 }
705
706 // Encrypt message.
707 uint8_t *encrypted_message = tor_memdup(server_message, server_message_len);
708 {
709 crypto_cipher_t *c =
710 crypto_cipher_new_with_bits((const char *)enc_key, 256);
711 crypto_cipher_crypt_inplace(
712 c, (char *)encrypted_message, server_message_len);
713 crypto_cipher_free(c);
714 }
715
716 // Compute AUTH digest.
717 uint8_t auth[DIGEST256_LEN];
718 {
719 crypto_digest_t *d = crypto_digest256_new(DIGEST_SHA3_256);
720 d_add_tweak(d, T_AUTH);
721 d_add(d, verify, sizeof(verify));
722 d_add(d, state->my_id.pubkey, ED25519_PUBKEY_LEN);
723 d_add(d, state->my_key.public_key, CURVE25519_PUBKEY_LEN);
724 d_add(d, relay_keypair_y->pubkey.public_key, CURVE25519_PUBKEY_LEN);
725 d_add(d, state->client_key.public_key, CURVE25519_PUBKEY_LEN);
726 d_add(d, state->msg_mac, DIGEST256_LEN);
727 d_add_encap(d, encrypted_message, server_message_len);
728 d_add(d, (const uint8_t*)PROTOID, strlen(PROTOID));
729 d_add(d, (const uint8_t*)"Server", strlen("Server"));
730 crypto_digest_get_digest(d, (char *)auth, DIGEST256_LEN);
731 crypto_digest_free(d);
732 }
733
734 // Compose the reply.
735 *handshake_len_out = CURVE25519_PUBKEY_LEN + DIGEST256_LEN +
736 server_message_len;
737 *handshake_out = tor_malloc(*handshake_len_out);
738 uint8_t *ptr = *handshake_out, *end = ptr + *handshake_len_out;
739 push(&ptr, end, relay_keypair_y->pubkey.public_key, CURVE25519_PUBKEY_LEN);
740 push(&ptr, end, auth, sizeof(auth));
741 push(&ptr, end, encrypted_message, server_message_len);
742 tor_assert(ptr == end);
743
744 // Clean up and return.
745 memwipe(xy, 0, sizeof(xy));
746 memwipe(key_seed, 0, sizeof(key_seed));
747 memwipe(verify, 0, sizeof(verify));
748 memwipe(enc_key, 0, sizeof(enc_key));
749 memwipe(encrypted_message, 0, server_message_len);
750 tor_free(encrypted_message);
751
752 if (problems) {
753 memwipe(*handshake_out, 0, *handshake_len_out);
754 tor_free(*handshake_out); // Sets it to NULL.
755 *handshake_len_out = 0;
756 crypto_rand((char*)keys_out, keys_out_len); // In case bad code uses it.
757 return -1;
758 }
759 return 0;
760 }
The Onion Router