2004-11-07 02:33:06 +01:00
|
|
|
/* Copyright 2001 Matej Pfajfar.
|
|
|
|
* Copyright 2001-2004 Roger Dingledine.
|
|
|
|
* Copyright 2004 Roger Dingledine, Nick Mathewson. */
|
Implemented link padding and receiver token buckets
Each socket reads at most 'bandwidth' bytes per second sustained, but
can handle bursts of up to 10*bandwidth bytes.
Cells are now sent out at evenly-spaced intervals, with padding sent
out otherwise. Set Linkpadding=0 in the rc file to send cells as soon
as they're available (and to never send padding cells).
Added license/copyrights statements at the top of most files.
router->min and router->max have been merged into a single 'bandwidth'
value. We should make the routerinfo_t reflect this (want to do that,
Mat?)
As the bandwidth increases, and we want to stop sleeping more and more
frequently to send a single cell, cpu usage goes up. At 128kB/s we're
pretty much calling poll with a timeout of 1ms or even 0ms. The current
code takes a timeout of 0-9ms and makes it 10ms. prepare_for_poll()
handles everything that should have happened in the past, so as long as
our buffers don't get too full in that 10ms, we're ok.
Speaking of too full, if you run three servers at 100kB/s with -l debug,
it spends too much time printing debugging messages to be able to keep
up with the cells. The outbuf ultimately fills up and it kills that
connection. If you run with -l err, it works fine up through 500kB/s and
probably beyond. Down the road we'll want to teach it to recognize when
an outbuf is getting full, and back off.
svn:r50
2002-07-16 03:12:15 +02:00
|
|
|
/* See LICENSE for licensing information */
|
|
|
|
/* $Id$ */
|
2002-06-27 00:45:49 +02:00
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/**
|
|
|
|
* \file onion.c
|
2004-05-13 09:24:49 +02:00
|
|
|
* \brief Functions to queue create cells, and handle onionskin
|
|
|
|
* parsing and creation.
|
2004-05-10 04:36:04 +02:00
|
|
|
**/
|
|
|
|
|
2002-06-27 00:45:49 +02:00
|
|
|
#include "or.h"
|
|
|
|
|
2003-09-16 22:57:09 +02:00
|
|
|
struct onion_queue_t {
|
|
|
|
circuit_t *circ;
|
|
|
|
struct onion_queue_t *next;
|
|
|
|
};
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** global (within this file) variables used by the next few functions */
|
2002-11-27 05:08:20 +01:00
|
|
|
static struct onion_queue_t *ol_list=NULL;
|
|
|
|
static struct onion_queue_t *ol_tail=NULL;
|
2004-05-10 04:36:04 +02:00
|
|
|
/** length of ol_list */
|
2002-11-27 05:08:20 +01:00
|
|
|
static int ol_length=0;
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Add <b>circ</b> to the end of ol_list and return 0, except
|
|
|
|
* if ol_list is too long, in which case do nothing and return -1.
|
|
|
|
*/
|
2002-11-27 05:08:20 +01:00
|
|
|
int onion_pending_add(circuit_t *circ) {
|
|
|
|
struct onion_queue_t *tmp;
|
|
|
|
|
2004-10-16 22:38:57 +02:00
|
|
|
tmp = tor_malloc_zero(sizeof(struct onion_queue_t));
|
2002-11-27 05:08:20 +01:00
|
|
|
tmp->circ = circ;
|
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (!ol_tail) {
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(!ol_list);
|
|
|
|
tor_assert(!ol_length);
|
2002-11-27 05:08:20 +01:00
|
|
|
ol_list = tmp;
|
|
|
|
ol_tail = tmp;
|
|
|
|
ol_length++;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(ol_list);
|
|
|
|
tor_assert(!ol_tail->next);
|
2002-11-27 05:08:20 +01:00
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (ol_length >= get_options()->MaxOnionsPending) {
|
2003-10-10 03:48:32 +02:00
|
|
|
log_fn(LOG_WARN,"Already have %d onions queued. Closing.", ol_length);
|
2004-09-29 08:52:36 +02:00
|
|
|
tor_free(tmp);
|
2002-11-27 05:08:20 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
ol_length++;
|
|
|
|
ol_tail->next = tmp;
|
|
|
|
ol_tail = tmp;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Remove the first item from ol_list and return it, or return
|
|
|
|
* NULL if the list is empty.
|
|
|
|
*/
|
2003-08-21 01:05:22 +02:00
|
|
|
circuit_t *onion_next_task(void) {
|
2003-09-14 10:17:14 +02:00
|
|
|
circuit_t *circ;
|
2002-11-27 05:08:20 +01:00
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (!ol_list)
|
2003-08-21 01:05:22 +02:00
|
|
|
return NULL; /* no onions pending, we're done */
|
2002-11-27 05:08:20 +01:00
|
|
|
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(ol_list->circ);
|
|
|
|
tor_assert(ol_list->circ->p_conn); /* make sure it's still valid */
|
|
|
|
tor_assert(ol_length > 0);
|
2003-09-14 10:17:14 +02:00
|
|
|
circ = ol_list->circ;
|
|
|
|
onion_pending_remove(ol_list->circ);
|
|
|
|
return circ;
|
2002-11-27 05:08:20 +01:00
|
|
|
}
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Go through ol_list, find the onion_queue_t element which points to
|
|
|
|
* circ, remove and free that element. Leave circ itself alone.
|
2002-11-27 05:08:20 +01:00
|
|
|
*/
|
|
|
|
void onion_pending_remove(circuit_t *circ) {
|
|
|
|
struct onion_queue_t *tmpo, *victim;
|
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (!ol_list)
|
2002-11-27 05:08:20 +01:00
|
|
|
return; /* nothing here. */
|
|
|
|
|
|
|
|
/* first check to see if it's the first entry */
|
|
|
|
tmpo = ol_list;
|
2004-11-28 10:05:49 +01:00
|
|
|
if (tmpo->circ == circ) {
|
2002-11-27 05:08:20 +01:00
|
|
|
/* it's the first one. remove it from the list. */
|
|
|
|
ol_list = tmpo->next;
|
2004-11-28 10:05:49 +01:00
|
|
|
if (!ol_list)
|
2002-11-27 05:08:20 +01:00
|
|
|
ol_tail = NULL;
|
|
|
|
ol_length--;
|
|
|
|
victim = tmpo;
|
|
|
|
} else { /* we need to hunt through the rest of the list */
|
2004-11-28 10:05:49 +01:00
|
|
|
for ( ;tmpo->next && tmpo->next->circ != circ; tmpo=tmpo->next) ;
|
|
|
|
if (!tmpo->next) {
|
2003-11-11 04:01:48 +01:00
|
|
|
log_fn(LOG_DEBUG,"circ (p_circ_id %d) not in list, probably at cpuworker.",circ->p_circ_id);
|
2002-11-27 05:08:20 +01:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
/* now we know tmpo->next->circ == circ */
|
|
|
|
victim = tmpo->next;
|
|
|
|
tmpo->next = victim->next;
|
2004-11-28 10:05:49 +01:00
|
|
|
if (ol_tail == victim)
|
2002-11-27 05:08:20 +01:00
|
|
|
ol_tail = tmpo;
|
|
|
|
ol_length--;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* now victim points to the element that needs to be removed */
|
|
|
|
|
2004-09-29 08:52:36 +02:00
|
|
|
tor_free(victim);
|
2002-11-27 05:08:20 +01:00
|
|
|
}
|
|
|
|
|
2003-05-01 21:42:51 +02:00
|
|
|
/*----------------------------------------------------------------------*/
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Given a router's 128 byte public key,
|
|
|
|
* stores the following in onion_skin_out:
|
|
|
|
* - [42 bytes] OAEP padding
|
|
|
|
* - [16 bytes] Symmetric key for encrypting blob past RSA
|
|
|
|
* - [70 bytes] g^x part 1 (inside the RSA)
|
|
|
|
* - [58 bytes] g^x part 2 (symmetrically encrypted)
|
|
|
|
*
|
2003-12-16 09:21:58 +01:00
|
|
|
* Stores the DH private key into handshake_state_out for later completion
|
|
|
|
* of the handshake.
|
2003-05-01 21:42:51 +02:00
|
|
|
*
|
2003-12-16 09:21:58 +01:00
|
|
|
* The meeting point/cookies and auth are zeroed out for now.
|
2003-05-01 21:42:51 +02:00
|
|
|
*/
|
|
|
|
int
|
2003-05-06 01:24:46 +02:00
|
|
|
onion_skin_create(crypto_pk_env_t *dest_router_key,
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_dh_env_t **handshake_state_out,
|
2003-12-16 09:21:58 +01:00
|
|
|
char *onion_skin_out) /* Must be ONIONSKIN_CHALLENGE_LEN bytes */
|
2003-05-01 21:42:51 +02:00
|
|
|
{
|
2003-12-16 09:21:58 +01:00
|
|
|
char *challenge = NULL;
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_dh_env_t *dh = NULL;
|
|
|
|
int dhbytes, pkbytes;
|
|
|
|
|
|
|
|
*handshake_state_out = NULL;
|
2003-12-16 09:21:58 +01:00
|
|
|
memset(onion_skin_out, 0, ONIONSKIN_CHALLENGE_LEN);
|
2003-05-01 21:42:51 +02:00
|
|
|
|
|
|
|
if (!(dh = crypto_dh_new()))
|
|
|
|
goto err;
|
2003-12-16 09:21:58 +01:00
|
|
|
|
2003-05-01 21:42:51 +02:00
|
|
|
dhbytes = crypto_dh_get_bytes(dh);
|
2003-05-06 01:24:46 +02:00
|
|
|
pkbytes = crypto_pk_keysize(dest_router_key);
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(dhbytes == 128);
|
|
|
|
tor_assert(pkbytes == 128);
|
2004-04-25 00:17:50 +02:00
|
|
|
challenge = tor_malloc_zero(DH_KEY_LEN);
|
2003-05-01 21:42:51 +02:00
|
|
|
|
2004-04-06 22:16:12 +02:00
|
|
|
if (crypto_dh_get_public(dh, challenge, dhbytes))
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
|
#define PA(a,n) \
|
|
|
|
{ int _i; for (_i = 0; _i<n; ++_i) printf("%02x ",((int)(a)[_i])&0xFF); }
|
|
|
|
|
|
|
|
printf("Client: client g^x:");
|
2003-12-16 09:21:58 +01:00
|
|
|
PA(challenge+16,3);
|
2003-06-13 23:23:14 +02:00
|
|
|
printf("...");
|
2003-12-16 09:21:58 +01:00
|
|
|
PA(challenge+141,3);
|
2003-06-13 23:23:14 +02:00
|
|
|
puts("");
|
|
|
|
|
|
|
|
printf("Client: client symkey:");
|
2003-12-16 09:21:58 +01:00
|
|
|
PA(challenge+0,16);
|
2003-06-13 23:23:14 +02:00
|
|
|
puts("");
|
2003-05-05 06:27:00 +02:00
|
|
|
#endif
|
|
|
|
|
2003-12-16 09:21:58 +01:00
|
|
|
/* set meeting point, meeting cookie, etc here. Leave zero for now. */
|
2004-11-02 03:28:51 +01:00
|
|
|
if (crypto_pk_public_hybrid_encrypt(dest_router_key, onion_skin_out,
|
|
|
|
challenge, DH_KEY_LEN,
|
|
|
|
PK_PKCS1_OAEP_PADDING, 1)<0)
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2003-12-16 09:21:58 +01:00
|
|
|
tor_free(challenge);
|
2003-05-01 21:42:51 +02:00
|
|
|
*handshake_state_out = dh;
|
2003-05-05 06:27:00 +02:00
|
|
|
|
2003-05-01 21:42:51 +02:00
|
|
|
return 0;
|
|
|
|
err:
|
2003-12-16 09:21:58 +01:00
|
|
|
tor_free(challenge);
|
2003-05-01 21:42:51 +02:00
|
|
|
if (dh) crypto_dh_free(dh);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Given an encrypted DH public key as generated by onion_skin_create,
|
2003-12-16 09:21:58 +01:00
|
|
|
* and the private key for this onion router, generate the reply (128-byte
|
|
|
|
* DH plus the first 20 bytes of shared key material), and store the
|
|
|
|
* next key_out_len bytes of key material in key_out.
|
2003-05-01 21:42:51 +02:00
|
|
|
*/
|
|
|
|
int
|
2003-12-16 09:21:58 +01:00
|
|
|
onion_skin_server_handshake(char *onion_skin, /* ONIONSKIN_CHALLENGE_LEN bytes */
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_pk_env_t *private_key,
|
2004-04-25 00:17:50 +02:00
|
|
|
crypto_pk_env_t *prev_private_key,
|
2003-12-16 09:21:58 +01:00
|
|
|
char *handshake_reply_out, /* ONIONSKIN_REPLY_LEN bytes */
|
2003-05-01 21:42:51 +02:00
|
|
|
char *key_out,
|
2004-10-14 04:47:09 +02:00
|
|
|
size_t key_out_len)
|
2003-05-01 21:42:51 +02:00
|
|
|
{
|
2003-12-16 09:21:58 +01:00
|
|
|
char challenge[ONIONSKIN_CHALLENGE_LEN];
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_dh_env_t *dh = NULL;
|
2003-06-14 03:30:53 +02:00
|
|
|
int len;
|
2003-12-16 09:21:58 +01:00
|
|
|
char *key_material=NULL;
|
2004-04-25 00:17:50 +02:00
|
|
|
int i;
|
|
|
|
crypto_pk_env_t *k;
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2004-04-25 00:17:50 +02:00
|
|
|
len = -1;
|
|
|
|
for (i=0;i<2;++i) {
|
|
|
|
k = i==0?private_key:prev_private_key;
|
|
|
|
if (!k)
|
|
|
|
break;
|
2004-11-02 03:28:51 +01:00
|
|
|
len = crypto_pk_private_hybrid_decrypt(k, challenge,
|
2004-04-25 00:17:50 +02:00
|
|
|
onion_skin, ONIONSKIN_CHALLENGE_LEN,
|
2004-11-02 03:28:51 +01:00
|
|
|
PK_PKCS1_OAEP_PADDING,0);
|
2004-04-25 00:17:50 +02:00
|
|
|
if (len>0)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (len<0) {
|
2004-05-12 21:30:28 +02:00
|
|
|
log_fn(LOG_WARN, "Couldn't decrypt onionskin: client may be using old onion key");
|
2004-04-25 00:17:50 +02:00
|
|
|
goto err;
|
|
|
|
} else if (len != DH_KEY_LEN) {
|
|
|
|
log_fn(LOG_WARN, "Unexpected onionskin length after decryption: %d",
|
|
|
|
len);
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
2004-04-25 00:17:50 +02:00
|
|
|
}
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2003-05-01 21:42:51 +02:00
|
|
|
dh = crypto_dh_new();
|
2003-05-06 07:54:42 +02:00
|
|
|
if (crypto_dh_get_public(dh, handshake_reply_out, DH_KEY_LEN))
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
|
printf("Server: server g^y:");
|
|
|
|
PA(handshake_reply_out+0,3);
|
|
|
|
printf("...");
|
|
|
|
PA(handshake_reply_out+125,3);
|
|
|
|
puts("");
|
|
|
|
#endif
|
|
|
|
|
2004-04-06 22:16:12 +02:00
|
|
|
key_material = tor_malloc(DIGEST_LEN+key_out_len);
|
|
|
|
len = crypto_dh_compute_secret(dh, challenge, DH_KEY_LEN,
|
|
|
|
key_material, DIGEST_LEN+key_out_len);
|
2003-06-14 03:30:53 +02:00
|
|
|
if (len < 0)
|
2003-05-01 21:42:51 +02:00
|
|
|
goto err;
|
|
|
|
|
2004-01-05 06:23:03 +01:00
|
|
|
/* send back H(K|0) as proof that we learned K. */
|
2004-04-06 22:16:12 +02:00
|
|
|
memcpy(handshake_reply_out+DH_KEY_LEN, key_material, DIGEST_LEN);
|
2003-12-16 09:21:58 +01:00
|
|
|
|
|
|
|
/* use the rest of the key material for our shared keys, digests, etc */
|
2004-04-06 22:16:12 +02:00
|
|
|
memcpy(key_out, key_material+DIGEST_LEN, key_out_len);
|
2003-12-16 09:21:58 +01:00
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
2003-06-14 03:34:39 +02:00
|
|
|
printf("Server: key material:");
|
|
|
|
PA(buf, DH_KEY_LEN);
|
|
|
|
puts("");
|
2003-06-13 23:23:14 +02:00
|
|
|
printf("Server: keys out:");
|
|
|
|
PA(key_out, key_out_len);
|
|
|
|
puts("");
|
|
|
|
#endif
|
|
|
|
|
2003-12-16 09:21:58 +01:00
|
|
|
tor_free(key_material);
|
2003-05-01 21:42:51 +02:00
|
|
|
crypto_dh_free(dh);
|
|
|
|
return 0;
|
|
|
|
err:
|
2003-12-16 09:21:58 +01:00
|
|
|
tor_free(key_material);
|
2003-05-01 21:42:51 +02:00
|
|
|
if (dh) crypto_dh_free(dh);
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2004-05-10 04:36:04 +02:00
|
|
|
/** Finish the client side of the DH handshake.
|
2003-12-16 09:21:58 +01:00
|
|
|
* Given the 128 byte DH reply + 20 byte hash as generated by
|
|
|
|
* onion_skin_server_handshake and the handshake state generated by
|
|
|
|
* onion_skin_create, verify H(K) with the first 20 bytes of shared
|
|
|
|
* key material, then generate key_out_len more bytes of shared key
|
|
|
|
* material and store them in key_out.
|
2003-05-01 21:42:51 +02:00
|
|
|
*
|
|
|
|
* After the invocation, call crypto_dh_free on handshake_state.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
|
2003-12-16 09:21:58 +01:00
|
|
|
char *handshake_reply, /* Must be ONIONSKIN_REPLY_LEN bytes */
|
2003-05-01 21:42:51 +02:00
|
|
|
char *key_out,
|
2004-10-14 04:47:09 +02:00
|
|
|
size_t key_out_len)
|
2003-05-01 21:42:51 +02:00
|
|
|
{
|
2003-06-14 03:30:53 +02:00
|
|
|
int len;
|
2003-12-16 09:21:58 +01:00
|
|
|
char *key_material=NULL;
|
2004-04-25 22:37:37 +02:00
|
|
|
tor_assert(crypto_dh_get_bytes(handshake_state) == DH_KEY_LEN);
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
|
printf("Client: server g^y:");
|
|
|
|
PA(handshake_reply+0,3);
|
|
|
|
printf("...");
|
|
|
|
PA(handshake_reply+125,3);
|
|
|
|
puts("");
|
|
|
|
#endif
|
|
|
|
|
2003-12-16 09:21:58 +01:00
|
|
|
key_material = tor_malloc(20+key_out_len);
|
2003-06-14 03:30:53 +02:00
|
|
|
len = crypto_dh_compute_secret(handshake_state, handshake_reply, DH_KEY_LEN,
|
2003-12-16 09:21:58 +01:00
|
|
|
key_material, 20+key_out_len);
|
2003-06-14 03:30:53 +02:00
|
|
|
if (len < 0)
|
2003-05-01 21:42:51 +02:00
|
|
|
return -1;
|
2003-12-07 23:03:47 +01:00
|
|
|
|
2004-11-28 10:05:49 +01:00
|
|
|
if (memcmp(key_material, handshake_reply+DH_KEY_LEN, 20)) {
|
2003-12-16 09:21:58 +01:00
|
|
|
/* H(K) does *not* match. Something fishy. */
|
|
|
|
tor_free(key_material);
|
|
|
|
log_fn(LOG_WARN,"Digest DOES NOT MATCH on onion handshake. Bug or attack.");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* use the rest of the key material for our shared keys, digests, etc */
|
|
|
|
memcpy(key_out, key_material+20, key_out_len);
|
|
|
|
|
2003-06-13 23:23:14 +02:00
|
|
|
#ifdef DEBUG_ONION_SKINS
|
|
|
|
printf("Client: keys out:");
|
|
|
|
PA(key_out, key_out_len);
|
|
|
|
puts("");
|
|
|
|
#endif
|
|
|
|
|
2003-12-16 09:21:58 +01:00
|
|
|
tor_free(key_material);
|
2003-05-01 21:42:51 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|