2006-02-09 06:46:49 +01:00
|
|
|
/* Copyright (c) 2001 Matej Pfajfar.
|
|
|
|
* Copyright (c) 2001-2004, Roger Dingledine.
|
2007-12-12 22:09:01 +01:00
|
|
|
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
|
2008-02-07 06:31:47 +01:00
|
|
|
* Copyright (c) 2007-2008, The Tor Project, Inc. */
|
Implemented link padding and receiver token buckets
Each socket reads at most 'bandwidth' bytes per second sustained, but
can handle bursts of up to 10*bandwidth bytes.
Cells are now sent out at evenly-spaced intervals, with padding sent
out otherwise. Set Linkpadding=0 in the rc file to send cells as soon
as they're available (and to never send padding cells).
Added license/copyrights statements at the top of most files.
router->min and router->max have been merged into a single 'bandwidth'
value. We should make the routerinfo_t reflect this (want to do that,
Mat?)
As the bandwidth increases, and we want to stop sleeping more and more
frequently to send a single cell, cpu usage goes up. At 128kB/s we're
pretty much calling poll with a timeout of 1ms or even 0ms. The current
code takes a timeout of 0-9ms and makes it 10ms. prepare_for_poll()
handles everything that should have happened in the past, so as long as
our buffers don't get too full in that 10ms, we're ok.
Speaking of too full, if you run three servers at 100kB/s with -l debug,
it spends too much time printing debugging messages to be able to keep
up with the cells. The outbuf ultimately fills up and it kills that
connection. If you run with -l err, it works fine up through 500kB/s and
probably beyond. Down the road we'll want to teach it to recognize when
an outbuf is getting full, and back off.
svn:r50
2002-07-16 03:12:15 +02:00
|
|
|
/* See LICENSE for licensing information */
|
|
|
|
/* $Id$ */
|
2005-12-14 21:40:40 +01:00
|
|
|
const char onion_c_id[] =
|
|
|
|
"$Id$";
|
2002-06-27 00:45:49 +02:00
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/**
|
|
|
|
* \file onion.c
|
2004-05-13 09:24:49 +02:00
|
|
|
* \brief Functions to queue create cells, and handle onionskin
|
|
|
|
* parsing and creation.
|
2004-05-10 04:36:04 +02:00
|
|
|
**/
|
|
|
|
|
2002-06-27 00:45:49 +02:00
|
|
|
#include "or.h"
|
|
|
|
|
2005-10-06 06:33:40 +02:00
|
|
|
/** Type for a linked list of circuits that are waiting for a free CPU worker
|
|
|
|
* to process a waiting onion handshake. */
|
2005-07-22 23:12:10 +02:00
|
|
|
typedef struct onion_queue_t {
|
2006-07-23 09:37:35 +02:00
|
|
|
or_circuit_t *circ;
|
2008-02-06 00:20:49 +01:00
|
|
|
char *onionskin;
|
2005-02-20 10:27:48 +01:00
|
|
|
time_t when_added;
|
2003-09-16 22:57:09 +02:00
|
|
|
struct onion_queue_t *next;
|
2005-07-22 23:12:10 +02:00
|
|
|
} onion_queue_t;
|
2003-09-16 22:57:09 +02:00
|
|
|
|
2005-02-20 10:27:48 +01:00
|
|
|
/** 5 seconds on the onion queue til we just send back a destroy */
|
|
|
|
#define ONIONQUEUE_WAIT_CUTOFF 5
|
|
|
|
|
2007-02-24 08:50:38 +01:00
|
|
|
/** First and last elements in the linked list of circuits waiting for CPU
|
2007-02-16 21:01:02 +01:00
|
|
|
* workers, or NULL if the list is empty. */
|
2005-07-22 23:12:10 +02:00
|
|
|
static onion_queue_t *ol_list=NULL;
|
|
|
|
static onion_queue_t *ol_tail=NULL;
|
2005-02-20 10:27:48 +01:00
|
|
|
/** Length of ol_list */
|
2002-11-27 05:08:20 +01:00
|
|
|
static int ol_length=0;
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Add <b>circ</b> to the end of ol_list and return 0, except
|
|
|
|
* if ol_list is too long, in which case do nothing and return -1.
|
|
|
|
*/
|
2005-06-11 20:52:12 +02:00
|
|
|
int
|
2008-02-06 00:20:49 +01:00
|
|
|
onion_pending_add(or_circuit_t *circ, char *onionskin)
|
2005-06-11 20:52:12 +02:00
|
|
|
{
|
2005-07-22 23:12:10 +02:00
|
|
|
onion_queue_t *tmp;
|
2005-02-20 10:27:48 +01:00
|
|
|
time_t now = time(NULL);
|
2002-11-27 05:08:20 +01:00
|
|
|
|
2005-07-22 23:12:10 +02:00
|
|
|
tmp = tor_malloc_zero(sizeof(onion_queue_t));
|
2002-11-27 05:08:20 +01:00
|
|
|
tmp->circ = circ;
|
2008-02-06 00:20:49 +01:00
|
|
|
tmp->onionskin = onionskin;
|
2005-02-20 10:27:48 +01:00
|
|
|
tmp->when_added = now;
|
2002-11-27 05:08:20 +01:00
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (!ol_tail) {
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(!ol_list);
|
|
|
|
tor_assert(!ol_length);
|
2002-11-27 05:08:20 +01:00
|
|
|
ol_list = tmp;
|
|
|
|
ol_tail = tmp;
|
|
|
|
ol_length++;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(ol_list);
|
|
|
|
tor_assert(!ol_tail->next);
|
2002-11-27 05:08:20 +01:00
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (ol_length >= get_options()->MaxOnionsPending) {
|
2006-02-13 10:37:53 +01:00
|
|
|
log_warn(LD_GENERAL,
|
|
|
|
"Your computer is too slow to handle this many circuit "
|
|
|
|
"creation requests! Please consider using the "
|
|
|
|
"MaxAdvertisedBandwidth config option or choosing a more "
|
|
|
|
"restricted exit policy.");
|
2004-09-29 08:52:36 +02:00
|
|
|
tor_free(tmp);
|
2002-11-27 05:08:20 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
ol_length++;
|
|
|
|
ol_tail->next = tmp;
|
|
|
|
ol_tail = tmp;
|
2005-02-20 10:27:48 +01:00
|
|
|
while ((int)(now - ol_list->when_added) >= ONIONQUEUE_WAIT_CUTOFF) {
|
|
|
|
/* cull elderly requests. */
|
|
|
|
circ = ol_list->circ;
|
|
|
|
onion_pending_remove(ol_list->circ);
|
2006-02-13 10:37:53 +01:00
|
|
|
log_info(LD_CIRC,
|
|
|
|
"Circuit create request is too old; cancelling due to overload.");
|
2006-07-23 09:37:35 +02:00
|
|
|
circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_RESOURCELIMIT);
|
2005-02-20 10:27:48 +01:00
|
|
|
}
|
2002-11-27 05:08:20 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Remove the first item from ol_list and return it, or return
|
|
|
|
* NULL if the list is empty.
|
|
|
|
*/
|
2006-07-23 09:37:35 +02:00
|
|
|
or_circuit_t *
|
2008-02-06 00:20:49 +01:00
|
|
|
onion_next_task(char **onionskin_out)
|
2005-06-11 20:52:12 +02:00
|
|
|
{
|
2006-07-23 09:37:35 +02:00
|
|
|
or_circuit_t *circ;
|
2002-11-27 05:08:20 +01:00
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (!ol_list)
|
2003-08-21 01:05:22 +02:00
|
|
|
return NULL; /* no onions pending, we're done */
|
2002-11-27 05:08:20 +01:00
|
|
|
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(ol_list->circ);
|
|
|
|
tor_assert(ol_list->circ->p_conn); /* make sure it's still valid */
|
|
|
|
tor_assert(ol_length > 0);
|
2003-09-14 10:17:14 +02:00
|
|
|
circ = ol_list->circ;
|
2008-02-06 00:20:49 +01:00
|
|
|
*onionskin_out = ol_list->onionskin;
|
|
|
|
ol_list->onionskin = NULL; /* prevent free. */
|
2003-09-14 10:17:14 +02:00
|
|
|
onion_pending_remove(ol_list->circ);
|
|
|
|
return circ;
|
2002-11-27 05:08:20 +01:00
|
|
|
}
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Go through ol_list, find the onion_queue_t element which points to
|
|
|
|
* circ, remove and free that element. Leave circ itself alone.
|
2002-11-27 05:08:20 +01:00
|
|
|
*/
|
2005-06-11 20:52:12 +02:00
|
|
|
void
|
2006-07-23 09:37:35 +02:00
|
|
|
onion_pending_remove(or_circuit_t *circ)
|
2005-06-11 20:52:12 +02:00
|
|
|
{
|
2005-07-22 23:12:10 +02:00
|
|
|
onion_queue_t *tmpo, *victim;
|
2002-11-27 05:08:20 +01:00
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (!ol_list)
|
2002-11-27 05:08:20 +01:00
|
|
|
return; /* nothing here. */
|
|
|
|
|
|
|
|
/* first check to see if it's the first entry */
|
|
|
|
tmpo = ol_list;
|
2004-11-28 10:05:49 +01:00
|
|
|
if (tmpo->circ == circ) {
|
2002-11-27 05:08:20 +01:00
|
|
|
/* it's the first one. remove it from the list. */
|
|
|
|
ol_list = tmpo->next;
|
2004-11-28 10:05:49 +01:00
|
|
|
if (!ol_list)
|
2002-11-27 05:08:20 +01:00
|
|
|
ol_tail = NULL;
|
|
|
|
ol_length--;
|
|
|
|
victim = tmpo;
|
|
|
|
} else { /* we need to hunt through the rest of the list */
|
2004-11-28 10:05:49 +01:00
|
|
|
for ( ;tmpo->next && tmpo->next->circ != circ; tmpo=tmpo->next) ;
|
|
|
|
if (!tmpo->next) {
|
2006-02-13 10:37:53 +01:00
|
|
|
log_debug(LD_GENERAL,
|
|
|
|
"circ (p_circ_id %d) not in list, probably at cpuworker.",
|
|
|
|
circ->p_circ_id);
|
2002-11-27 05:08:20 +01:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
/* now we know tmpo->next->circ == circ */
|
|
|
|
victim = tmpo->next;
|
|
|
|
tmpo->next = victim->next;
|
2004-11-28 10:05:49 +01:00
|
|
|
if (ol_tail == victim)
|
2002-11-27 05:08:20 +01:00
|
|
|
ol_tail = tmpo;
|
|
|
|
ol_length--;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* now victim points to the element that needs to be removed */
|
|
|
|
|
2008-02-06 00:20:49 +01:00
|
|
|
tor_free(victim->onionskin);
|
2004-09-29 08:52:36 +02:00
|
|
|
tor_free(victim);
|
2002-11-27 05:08:20 +01:00
|
|
|
}
|
|
|
|
|
2003-05-01 21:42:51 +02:00
|
|
|
/*----------------------------------------------------------------------*/
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Given a router's 128 byte public key,
|
|
|
|
* stores the following in onion_skin_out:
|
|
|
|
* - [42 bytes] OAEP padding
|
|
|
|
* - [16 bytes] Symmetric key for encrypting blob past RSA
|
|
|
|
* - [70 bytes] g^x part 1 (inside the RSA)
|
|
|
|
* - [58 bytes] g^x part 2 (symmetrically encrypted)
|
|
|
|
*
|
2003-12-16 09:21:58 +01:00
|
|
|
* Stores the DH private key into handshake_state_out for later completion
|
|
|
|
* of the handshake.
|
2003-05-01 21:42:51 +02:00
|
|
|
*
|
2003-12-16 09:21:58 +01:00
|
|
|
* The meeting point/cookies and auth are zeroed out for now.
|
2003-05-01 21:42:51 +02:00
|
|
|
*/
|
|
|
|
int
|
2003-05-06 01:24:46 +02:00
|
|
|
onion_skin_create(crypto_pk_env_t *dest_router_key,
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_dh_env_t **handshake_state_out,
|
2005-12-14 21:40:40 +01:00
|
|
|
char *onion_skin_out) /* ONIONSKIN_CHALLENGE_LEN bytes */
|
2003-05-01 21:42:51 +02:00
|
|
|
{
|
2008-02-07 17:10:33 +01:00
|
|
|
char challenge[DH_KEY_LEN];
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_dh_env_t *dh = NULL;
|
|
|
|
int dhbytes, pkbytes;
|
|
|
|
|
2005-06-29 23:46:55 +02:00
|
|
|
tor_assert(dest_router_key);
|
|
|
|
tor_assert(handshake_state_out);
|
|
|
|
tor_assert(onion_skin_out);
|
2003-05-01 21:42:51 +02:00
|
|
|
*handshake_state_out = NULL;
|
2003-12-16 09:21:58 +01:00
|
|
|
memset(onion_skin_out, 0, ONIONSKIN_CHALLENGE_LEN);
|
2003-05-01 21:42:51 +02:00
|
|
|
|
|
|
|
if (!(dh = crypto_dh_new()))
|
|
|
|
goto err;
|
2003-12-16 09:21:58 +01:00
|
|
|
|
2003-05-01 21:42:51 +02:00
|
|
|
dhbytes = crypto_dh_get_bytes(dh);
|
2003-05-06 01:24:46 +02:00
|
|
|
pkbytes = crypto_pk_keysize(dest_router_key);
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(dhbytes == 128);
|
|
|
|
tor_assert(pkbytes == 128);
|
2003-05-01 21:42:51 +02:00
|
|
|
|
2004-04-06 22:16:12 +02:00
|
|
|
if (crypto_dh_get_public(dh, challenge, dhbytes))
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
|
#define PA(a,n) \
|
|
|
|
{ int _i; for (_i = 0; _i<n; ++_i) printf("%02x ",((int)(a)[_i])&0xFF); }
|
|
|
|
|
|
|
|
printf("Client: client g^x:");
|
2003-12-16 09:21:58 +01:00
|
|
|
PA(challenge+16,3);
|
2003-06-13 23:23:14 +02:00
|
|
|
printf("...");
|
2003-12-16 09:21:58 +01:00
|
|
|
PA(challenge+141,3);
|
2003-06-13 23:23:14 +02:00
|
|
|
puts("");
|
|
|
|
|
|
|
|
printf("Client: client symkey:");
|
2003-12-16 09:21:58 +01:00
|
|
|
PA(challenge+0,16);
|
2003-06-13 23:23:14 +02:00
|
|
|
puts("");
|
2003-05-05 06:27:00 +02:00
|
|
|
#endif
|
|
|
|
|
2006-10-31 20:17:07 +01:00
|
|
|
note_crypto_pk_op(ENC_ONIONSKIN);
|
|
|
|
|
2003-12-16 09:21:58 +01:00
|
|
|
/* set meeting point, meeting cookie, etc here. Leave zero for now. */
|
2004-11-02 03:28:51 +01:00
|
|
|
if (crypto_pk_public_hybrid_encrypt(dest_router_key, onion_skin_out,
|
|
|
|
challenge, DH_KEY_LEN,
|
|
|
|
PK_PKCS1_OAEP_PADDING, 1)<0)
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2008-02-07 17:10:33 +01:00
|
|
|
memset(challenge, 0, sizeof(challenge));
|
2003-05-01 21:42:51 +02:00
|
|
|
*handshake_state_out = dh;
|
2003-05-05 06:27:00 +02:00
|
|
|
|
2003-05-01 21:42:51 +02:00
|
|
|
return 0;
|
|
|
|
err:
|
2008-02-07 17:10:33 +01:00
|
|
|
memset(challenge, 0, sizeof(challenge));
|
2003-05-01 21:42:51 +02:00
|
|
|
if (dh) crypto_dh_free(dh);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Given an encrypted DH public key as generated by onion_skin_create,
|
2003-12-16 09:21:58 +01:00
|
|
|
* and the private key for this onion router, generate the reply (128-byte
|
|
|
|
* DH plus the first 20 bytes of shared key material), and store the
|
|
|
|
* next key_out_len bytes of key material in key_out.
|
2003-05-01 21:42:51 +02:00
|
|
|
*/
|
|
|
|
int
|
2005-12-14 21:40:40 +01:00
|
|
|
onion_skin_server_handshake(const char *onion_skin, /*ONIONSKIN_CHALLENGE_LEN*/
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_pk_env_t *private_key,
|
2004-04-25 00:17:50 +02:00
|
|
|
crypto_pk_env_t *prev_private_key,
|
2005-12-14 21:40:40 +01:00
|
|
|
char *handshake_reply_out, /*ONIONSKIN_REPLY_LEN*/
|
2003-05-01 21:42:51 +02:00
|
|
|
char *key_out,
|
2004-10-14 04:47:09 +02:00
|
|
|
size_t key_out_len)
|
2003-05-01 21:42:51 +02:00
|
|
|
{
|
2003-12-16 09:21:58 +01:00
|
|
|
char challenge[ONIONSKIN_CHALLENGE_LEN];
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_dh_env_t *dh = NULL;
|
2003-06-14 03:30:53 +02:00
|
|
|
int len;
|
2003-12-16 09:21:58 +01:00
|
|
|
char *key_material=NULL;
|
2008-02-07 17:10:33 +01:00
|
|
|
size_t key_material_len=0;
|
2004-04-25 00:17:50 +02:00
|
|
|
int i;
|
|
|
|
crypto_pk_env_t *k;
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2004-04-25 00:17:50 +02:00
|
|
|
len = -1;
|
|
|
|
for (i=0;i<2;++i) {
|
|
|
|
k = i==0?private_key:prev_private_key;
|
|
|
|
if (!k)
|
|
|
|
break;
|
2006-10-31 20:17:07 +01:00
|
|
|
note_crypto_pk_op(DEC_ONIONSKIN);
|
2004-11-02 03:28:51 +01:00
|
|
|
len = crypto_pk_private_hybrid_decrypt(k, challenge,
|
2004-04-25 00:17:50 +02:00
|
|
|
onion_skin, ONIONSKIN_CHALLENGE_LEN,
|
2004-11-02 03:28:51 +01:00
|
|
|
PK_PKCS1_OAEP_PADDING,0);
|
2004-04-25 00:17:50 +02:00
|
|
|
if (len>0)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (len<0) {
|
2006-02-13 10:37:53 +01:00
|
|
|
log_info(LD_PROTOCOL,
|
|
|
|
"Couldn't decrypt onionskin: client may be using old onion key");
|
2004-04-25 00:17:50 +02:00
|
|
|
goto err;
|
|
|
|
} else if (len != DH_KEY_LEN) {
|
2006-02-13 10:37:53 +01:00
|
|
|
log_warn(LD_PROTOCOL, "Unexpected onionskin length after decryption: %d",
|
|
|
|
len);
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
2004-04-25 00:17:50 +02:00
|
|
|
}
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2003-05-01 21:42:51 +02:00
|
|
|
dh = crypto_dh_new();
|
2005-10-17 18:21:42 +02:00
|
|
|
if (crypto_dh_get_public(dh, handshake_reply_out, DH_KEY_LEN)) {
|
2006-02-13 10:37:53 +01:00
|
|
|
log_info(LD_GENERAL, "crypto_dh_get_public failed.");
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
2005-10-17 18:21:42 +02:00
|
|
|
}
|
2003-05-01 21:42:51 +02:00
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
|
printf("Server: server g^y:");
|
|
|
|
PA(handshake_reply_out+0,3);
|
|
|
|
printf("...");
|
|
|
|
PA(handshake_reply_out+125,3);
|
|
|
|
puts("");
|
|
|
|
#endif
|
|
|
|
|
2008-02-07 17:10:33 +01:00
|
|
|
key_material_len = DIGEST_LEN+key_out_len;
|
|
|
|
key_material = tor_malloc(key_material_len);
|
2004-04-06 22:16:12 +02:00
|
|
|
len = crypto_dh_compute_secret(dh, challenge, DH_KEY_LEN,
|
2008-02-07 17:10:33 +01:00
|
|
|
key_material, key_material_len);
|
2005-10-17 18:21:42 +02:00
|
|
|
if (len < 0) {
|
2006-02-13 10:37:53 +01:00
|
|
|
log_info(LD_GENERAL, "crypto_dh_compute_secret failed.");
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
2005-10-17 18:21:42 +02:00
|
|
|
}
|
2003-05-01 21:42:51 +02:00
|
|
|
|
2004-01-05 06:23:03 +01:00
|
|
|
/* send back H(K|0) as proof that we learned K. */
|
2004-04-06 22:16:12 +02:00
|
|
|
memcpy(handshake_reply_out+DH_KEY_LEN, key_material, DIGEST_LEN);
|
2003-12-16 09:21:58 +01:00
|
|
|
|
|
|
|
/* use the rest of the key material for our shared keys, digests, etc */
|
2004-04-06 22:16:12 +02:00
|
|
|
memcpy(key_out, key_material+DIGEST_LEN, key_out_len);
|
2003-12-16 09:21:58 +01:00
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
2003-06-14 03:34:39 +02:00
|
|
|
printf("Server: key material:");
|
2005-06-13 19:33:12 +02:00
|
|
|
PA(key_material, DH_KEY_LEN);
|
2003-06-14 03:34:39 +02:00
|
|
|
puts("");
|
2003-06-13 23:23:14 +02:00
|
|
|
printf("Server: keys out:");
|
|
|
|
PA(key_out, key_out_len);
|
|
|
|
puts("");
|
|
|
|
#endif
|
|
|
|
|
2008-02-07 17:10:33 +01:00
|
|
|
memset(challenge, 0, sizeof(challenge));
|
|
|
|
memset(key_material, 0, key_material_len);
|
2003-12-16 09:21:58 +01:00
|
|
|
tor_free(key_material);
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_dh_free(dh);
|
|
|
|
return 0;
|
|
|
|
err:
|
2008-02-07 17:10:33 +01:00
|
|
|
memset(challenge, 0, sizeof(challenge));
|
|
|
|
if (key_material) {
|
|
|
|
memset(key_material, 0, key_material_len);
|
|
|
|
tor_free(key_material);
|
|
|
|
}
|
2003-05-01 21:42:51 +02:00
|
|
|
if (dh) crypto_dh_free(dh);
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Finish the client side of the DH handshake.
|
2003-12-16 09:21:58 +01:00
|
|
|
* Given the 128 byte DH reply + 20 byte hash as generated by
|
|
|
|
* onion_skin_server_handshake and the handshake state generated by
|
|
|
|
* onion_skin_create, verify H(K) with the first 20 bytes of shared
|
|
|
|
* key material, then generate key_out_len more bytes of shared key
|
|
|
|
* material and store them in key_out.
|
2003-05-01 21:42:51 +02:00
|
|
|
*
|
|
|
|
* After the invocation, call crypto_dh_free on handshake_state.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
|
2005-12-14 21:40:40 +01:00
|
|
|
const char *handshake_reply, /* ONIONSKIN_REPLY_LEN bytes */
|
2005-05-03 00:35:18 +02:00
|
|
|
char *key_out,
|
|
|
|
size_t key_out_len)
|
2003-05-01 21:42:51 +02:00
|
|
|
{
|
2003-06-14 03:30:53 +02:00
|
|
|
int len;
|
2003-12-16 09:21:58 +01:00
|
|
|
char *key_material=NULL;
|
2008-02-07 17:10:33 +01:00
|
|
|
size_t key_material_len;
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(crypto_dh_get_bytes(handshake_state) == DH_KEY_LEN);
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
|
printf("Client: server g^y:");
|
|
|
|
PA(handshake_reply+0,3);
|
|
|
|
printf("...");
|
|
|
|
PA(handshake_reply+125,3);
|
|
|
|
puts("");
|
|
|
|
#endif
|
|
|
|
|
2008-02-07 17:10:33 +01:00
|
|
|
key_material_len = DIGEST_LEN + key_out_len;
|
|
|
|
key_material = tor_malloc(key_material_len);
|
2003-06-14 03:30:53 +02:00
|
|
|
len = crypto_dh_compute_secret(handshake_state, handshake_reply, DH_KEY_LEN,
|
2008-02-07 17:10:33 +01:00
|
|
|
key_material, key_material_len);
|
2003-06-14 03:30:53 +02:00
|
|
|
if (len < 0)
|
2008-01-16 06:27:19 +01:00
|
|
|
goto err;
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2008-02-07 17:10:33 +01:00
|
|
|
if (memcmp(key_material, handshake_reply+DH_KEY_LEN, DIGEST_LEN)) {
|
2003-12-16 09:21:58 +01:00
|
|
|
/* H(K) does *not* match. Something fishy. */
|
2006-02-13 10:37:53 +01:00
|
|
|
log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on onion handshake. "
|
|
|
|
"Bug or attack.");
|
2008-01-16 06:27:19 +01:00
|
|
|
goto err;
|
2003-12-16 09:21:58 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/* use the rest of the key material for our shared keys, digests, etc */
|
2008-02-07 17:10:33 +01:00
|
|
|
memcpy(key_out, key_material+DIGEST_LEN, key_out_len);
|
2003-12-16 09:21:58 +01:00
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
|
printf("Client: keys out:");
|
|
|
|
PA(key_out, key_out_len);
|
|
|
|
puts("");
|
|
|
|
#endif
|
|
|
|
|
2008-02-07 17:10:33 +01:00
|
|
|
memset(key_material, 0, key_material_len);
|
2003-12-16 09:21:58 +01:00
|
|
|
tor_free(key_material);
|
2003-05-01 21:42:51 +02:00
|
|
|
return 0;
|
2008-01-16 06:27:19 +01:00
|
|
|
err:
|
2008-02-07 17:10:33 +01:00
|
|
|
memset(key_material, 0, key_material_len);
|
2008-01-16 06:27:19 +01:00
|
|
|
tor_free(key_material);
|
|
|
|
return -1;
|
2003-05-01 21:42:51 +02:00
|
|
|
}
|
|
|
|
|
2005-12-08 18:38:32 +01:00
|
|
|
/** Implement the server side of the CREATE_FAST abbreviated handshake. The
|
|
|
|
* client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x"). We
|
2007-02-02 21:06:43 +01:00
|
|
|
* generate a reply of DIGEST_LEN*2 bytes in <b>key_out</b>, consisting of a
|
2005-12-08 18:38:32 +01:00
|
|
|
* new random "y", followed by H(x|y) to check for correctness. We set
|
|
|
|
* <b>key_out_len</b> bytes of key material in <b>key_out</b>.
|
2007-02-02 21:06:43 +01:00
|
|
|
* Return 0 on success, <0 on failure.
|
2005-12-08 18:38:32 +01:00
|
|
|
**/
|
2005-05-03 00:35:18 +02:00
|
|
|
int
|
|
|
|
fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */
|
|
|
|
char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
|
|
|
|
char *key_out,
|
|
|
|
size_t key_out_len)
|
|
|
|
{
|
2005-12-08 18:38:32 +01:00
|
|
|
char tmp[DIGEST_LEN+DIGEST_LEN];
|
2008-02-07 17:10:33 +01:00
|
|
|
char *out = NULL;
|
2005-12-08 18:38:32 +01:00
|
|
|
size_t out_len;
|
2008-02-07 17:10:33 +01:00
|
|
|
int r = -1;
|
2005-05-03 00:35:18 +02:00
|
|
|
|
|
|
|
if (crypto_rand(handshake_reply_out, DIGEST_LEN)<0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
memcpy(tmp, key_in, DIGEST_LEN);
|
|
|
|
memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
|
2005-12-08 18:38:32 +01:00
|
|
|
out_len = key_out_len+DIGEST_LEN;
|
|
|
|
out = tor_malloc(out_len);
|
|
|
|
if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) {
|
2008-02-07 17:10:33 +01:00
|
|
|
goto done;
|
2005-05-03 00:35:18 +02:00
|
|
|
}
|
2005-12-08 18:38:32 +01:00
|
|
|
memcpy(handshake_reply_out+DIGEST_LEN, out, DIGEST_LEN);
|
|
|
|
memcpy(key_out, out+DIGEST_LEN, key_out_len);
|
2008-02-07 17:10:33 +01:00
|
|
|
r = 0;
|
|
|
|
done:
|
2005-12-08 18:38:32 +01:00
|
|
|
memset(tmp, 0, sizeof(tmp));
|
|
|
|
memset(out, 0, out_len);
|
|
|
|
tor_free(out);
|
2008-02-07 17:10:33 +01:00
|
|
|
return r;
|
2005-05-03 00:35:18 +02:00
|
|
|
}
|
|
|
|
|
2005-12-08 18:38:32 +01:00
|
|
|
/** Implement the second half of the client side of the CREATE_FAST handshake.
|
|
|
|
* We sent the server <b>handshake_state</b> ("x") already, and the server
|
|
|
|
* told us <b>handshake_reply_out</b> (y|H(x|y)). Make sure that the hash is
|
|
|
|
* correct, and generate key material in <b>key_out</b>. Return 0 on success,
|
|
|
|
* true on failure.
|
|
|
|
*
|
|
|
|
* NOTE: The "CREATE_FAST" handshake path is distinguishable from regular
|
|
|
|
* "onionskin" handshakes, and is not secure if an adversary can see or modify
|
|
|
|
* the messages. Therefore, it should only be used by clients, and only as
|
|
|
|
* the first hop of a circuit (since the first hop is already authenticated
|
|
|
|
* and protected by TLS).
|
|
|
|
*/
|
2005-05-03 00:35:18 +02:00
|
|
|
int
|
|
|
|
fast_client_handshake(const char *handshake_state, /* DIGEST_LEN bytes */
|
|
|
|
const char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
|
|
|
|
char *key_out,
|
|
|
|
size_t key_out_len)
|
|
|
|
{
|
2005-12-08 18:38:32 +01:00
|
|
|
char tmp[DIGEST_LEN+DIGEST_LEN];
|
|
|
|
char *out;
|
|
|
|
size_t out_len;
|
2008-02-07 17:10:33 +01:00
|
|
|
int r;
|
2005-05-03 00:35:18 +02:00
|
|
|
|
|
|
|
memcpy(tmp, handshake_state, DIGEST_LEN);
|
|
|
|
memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
|
2005-12-08 18:38:32 +01:00
|
|
|
out_len = key_out_len+DIGEST_LEN;
|
|
|
|
out = tor_malloc(out_len);
|
|
|
|
if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) {
|
2008-02-07 17:10:33 +01:00
|
|
|
goto done;
|
2005-12-08 18:38:32 +01:00
|
|
|
}
|
|
|
|
if (memcmp(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
|
2005-05-03 00:35:18 +02:00
|
|
|
/* H(K) does *not* match. Something fishy. */
|
2006-02-13 10:37:53 +01:00
|
|
|
log_warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. "
|
|
|
|
"Bug or attack.");
|
2008-02-07 17:10:33 +01:00
|
|
|
goto done;
|
2005-05-03 00:35:18 +02:00
|
|
|
}
|
2005-12-08 18:38:32 +01:00
|
|
|
memcpy(key_out, out+DIGEST_LEN, key_out_len);
|
2008-02-07 17:10:33 +01:00
|
|
|
r = 0;
|
|
|
|
done:
|
2005-12-08 18:38:32 +01:00
|
|
|
memset(tmp, 0, sizeof(tmp));
|
|
|
|
memset(out, 0, out_len);
|
|
|
|
tor_free(out);
|
2008-02-07 17:10:33 +01:00
|
|
|
return r;
|
2005-05-03 00:35:18 +02:00
|
|
|
}
|
|
|
|
|
2005-02-11 02:26:47 +01:00
|
|
|
/** Remove all circuits from the pending list. Called from tor_free_all. */
|
|
|
|
void
|
|
|
|
clear_pending_onions(void)
|
|
|
|
{
|
|
|
|
while (ol_list) {
|
2005-07-22 23:12:10 +02:00
|
|
|
onion_queue_t *victim = ol_list;
|
2005-02-11 02:26:47 +01:00
|
|
|
ol_list = victim->next;
|
2008-02-06 00:20:49 +01:00
|
|
|
tor_free(victim->onionskin);
|
2005-02-11 02:26:47 +01:00
|
|
|
tor_free(victim);
|
|
|
|
}
|
|
|
|
ol_list = ol_tail = NULL;
|
|
|
|
ol_length = 0;
|
|
|
|
}
|
2005-06-09 21:03:31 +02:00
|
|
|
|