From 7a61a92870df84c37bacd9d065e0c8df2b938d37 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sun, 1 Jul 2018 11:25:29 -0400 Subject: [PATCH] Combine DH_BYTES and DH_KEY_LEN; put them in a lib/defs header. --- src/lib/crypt_ops/crypto_dh.c | 4 +- src/lib/crypt_ops/crypto_dh.h | 4 +- src/lib/defs/dh_sizes.h | 13 ++++++ src/lib/defs/include.am | 3 +- src/or/hs_circuit.c | 10 ++--- src/or/hs_common.h | 2 +- src/or/onion.c | 4 +- src/or/onion_tap.c | 18 ++++---- src/or/onion_tap.h | 4 +- src/or/or.h | 2 - src/or/rendclient.c | 6 +-- src/or/rendmid.c | 4 +- src/or/rendservice.c | 16 +++---- src/or/rendservice.h | 2 +- src/test/bench.c | 10 ++--- src/test/test.c | 3 +- src/test/test_crypto.c | 83 +++++++++++++++++++---------------- src/test/test_hs_client.c | 6 +-- 18 files changed, 107 insertions(+), 87 deletions(-) create mode 100644 src/lib/defs/dh_sizes.h diff --git a/src/lib/crypt_ops/crypto_dh.c b/src/lib/crypt_ops/crypto_dh.c index a2622cfc2f..c37e286daf 100644 --- a/src/lib/crypt_ops/crypto_dh.c +++ b/src/lib/crypt_ops/crypto_dh.c @@ -344,7 +344,7 @@ crypto_dh_generate_public(crypto_dh_t *dh) /** Generate g^x as necessary, and write the g^x for the key exchange * as a pubkey_len-byte value into pubkey. Return 0 on - * success, -1 on failure. pubkey_len must be \>= DH_BYTES. + * success, -1 on failure. pubkey_len must be \>= DH1024_KEY_LEN. */ int crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, size_t pubkey_len) @@ -378,7 +378,7 @@ crypto_dh_get_public(crypto_dh_t *dh, char *pubkey, size_t pubkey_len) tor_assert(bytes >= 0); if (pubkey_len < (size_t)bytes) { log_warn(LD_CRYPTO, - "Weird! pubkey_len (%d) was smaller than DH_BYTES (%d)", + "Weird! pubkey_len (%d) was smaller than DH1024_KEY_LEN (%d)", (int) pubkey_len, bytes); return -1; } diff --git a/src/lib/crypt_ops/crypto_dh.h b/src/lib/crypt_ops/crypto_dh.h index 7b03e128a2..73a7bcb521 100644 --- a/src/lib/crypt_ops/crypto_dh.h +++ b/src/lib/crypt_ops/crypto_dh.h @@ -14,9 +14,7 @@ #define TOR_CRYPTO_DH_H #include "orconfig.h" - -/** Length of our DH keys. */ -#define DH_BYTES (1024/8) +#include "lib/defs/dh_sizes.h" typedef struct crypto_dh_t crypto_dh_t; diff --git a/src/lib/defs/dh_sizes.h b/src/lib/defs/dh_sizes.h new file mode 100644 index 0000000000..b60957281c --- /dev/null +++ b/src/lib/defs/dh_sizes.h @@ -0,0 +1,13 @@ +/* Copyright (c) 2001, Matej Pfajfar. + * Copyright (c) 2001-2004, Roger Dingledine. + * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. + * Copyright (c) 2007-2018, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +#ifndef TOR_DH_SIZES_H +#define TOR_DH_SIZES_H + +/** Length of our legacy DH keys. */ +#define DH1024_KEY_LEN (1024/8) + +#endif diff --git a/src/lib/defs/include.am b/src/lib/defs/include.am index ff48cff07c..b54bac555b 100644 --- a/src/lib/defs/include.am +++ b/src/lib/defs/include.am @@ -1,3 +1,4 @@ -noinst_HEADERS += \ +noinst_HEADERS += \ + src/lib/defs/dh_sizes.h \ src/lib/defs/digest_sizes.h diff --git a/src/or/hs_circuit.c b/src/or/hs_circuit.c index 9fcb30ecc6..853669846e 100644 --- a/src/or/hs_circuit.c +++ b/src/or/hs_circuit.c @@ -102,7 +102,8 @@ create_rend_cpath(const uint8_t *ntor_key_seed, size_t seed_len, /* We are a v2 legacy HS client: Create and return a crypt path for the hidden * service on the other side of the rendezvous circuit circ. Initialize * the crypt path crypto using the body of the RENDEZVOUS1 cell at - * rend_cell_body (which must be at least DH_KEY_LEN+DIGEST_LEN bytes). + * rend_cell_body (which must be at least DH1024_KEY_LEN+DIGEST_LEN + * bytes). */ static crypt_path_t * create_rend_cpath_legacy(origin_circuit_t *circ, const uint8_t *rend_cell_body) @@ -110,7 +111,7 @@ create_rend_cpath_legacy(origin_circuit_t *circ, const uint8_t *rend_cell_body) crypt_path_t *hop = NULL; char keys[DIGEST_LEN+CPATH_KEY_MATERIAL_LEN]; - /* first DH_KEY_LEN bytes are g^y from the service. Finish the dh + /* first DH1024_KEY_LEN bytes are g^y from the service. Finish the dh * handshake...*/ tor_assert(circ->build_state); tor_assert(circ->build_state->pending_final_cpath); @@ -118,7 +119,7 @@ create_rend_cpath_legacy(origin_circuit_t *circ, const uint8_t *rend_cell_body) tor_assert(hop->rend_dh_handshake_state); if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, hop->rend_dh_handshake_state, - (char*)rend_cell_body, DH_KEY_LEN, + (char*)rend_cell_body, DH1024_KEY_LEN, keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) { log_warn(LD_GENERAL, "Couldn't complete DH handshake."); goto err; @@ -130,7 +131,7 @@ create_rend_cpath_legacy(origin_circuit_t *circ, const uint8_t *rend_cell_body) goto err; /* Check whether the digest is right... */ - if (tor_memneq(keys, rend_cell_body+DH_KEY_LEN, DIGEST_LEN)) { + if (tor_memneq(keys, rend_cell_body+DH1024_KEY_LEN, DIGEST_LEN)) { log_warn(LD_PROTOCOL, "Incorrect digest of key material."); goto err; } @@ -1244,4 +1245,3 @@ hs_circ_cleanup(circuit_t *circ) hs_circuitmap_remove_circuit(circ); } } - diff --git a/src/or/hs_common.h b/src/or/hs_common.h index 6d60d7799f..11806365e4 100644 --- a/src/or/hs_common.h +++ b/src/or/hs_common.h @@ -122,7 +122,7 @@ * bigger than the 84 bytes needed for version 3 so we need to pad up to that * length so it is indistinguishable between versions. */ #define HS_LEGACY_RENDEZVOUS_CELL_SIZE \ - (REND_COOKIE_LEN + DH_KEY_LEN + DIGEST_LEN) + (REND_COOKIE_LEN + DH1024_KEY_LEN + DIGEST_LEN) /* Type of authentication key used by an introduction point. */ typedef enum { diff --git a/src/or/onion.c b/src/or/onion.c index 776aacbf78..2b30870e5d 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -558,7 +558,7 @@ onion_skin_server_handshake(int type, (char*)keys_out, keys_out_len)<0) return -1; r = TAP_ONIONSKIN_REPLY_LEN; - memcpy(rend_nonce_out, reply_out+DH_KEY_LEN, DIGEST_LEN); + memcpy(rend_nonce_out, reply_out+DH1024_KEY_LEN, DIGEST_LEN); break; case ONION_HANDSHAKE_TYPE_FAST: if (onionskin_len != CREATE_FAST_LEN) @@ -635,7 +635,7 @@ onion_skin_client_handshake(int type, msg_out) < 0) return -1; - memcpy(rend_authenticator_out, reply+DH_KEY_LEN, DIGEST_LEN); + memcpy(rend_authenticator_out, reply+DH1024_KEY_LEN, DIGEST_LEN); return 0; case ONION_HANDSHAKE_TYPE_FAST: diff --git a/src/or/onion_tap.c b/src/or/onion_tap.c index cf5963b19e..0f9f638fa2 100644 --- a/src/or/onion_tap.c +++ b/src/or/onion_tap.c @@ -53,7 +53,7 @@ onion_skin_TAP_create(crypto_pk_t *dest_router_key, crypto_dh_t **handshake_state_out, char *onion_skin_out) /* TAP_ONIONSKIN_CHALLENGE_LEN bytes */ { - char challenge[DH_KEY_LEN]; + char challenge[DH1024_KEY_LEN]; crypto_dh_t *dh = NULL; int dhbytes, pkbytes; @@ -77,7 +77,7 @@ onion_skin_TAP_create(crypto_pk_t *dest_router_key, /* set meeting point, meeting cookie, etc here. Leave zero for now. */ if (crypto_pk_obsolete_public_hybrid_encrypt(dest_router_key, onion_skin_out, TAP_ONIONSKIN_CHALLENGE_LEN, - challenge, DH_KEY_LEN, + challenge, DH1024_KEY_LEN, PK_PKCS1_OAEP_PADDING, 1)<0) goto err; @@ -136,7 +136,7 @@ onion_skin_TAP_server_handshake( log_info(LD_PROTOCOL, "Couldn't decrypt onionskin: client may be using old onion key"); goto err; - } else if (len != DH_KEY_LEN) { + } else if (len != DH1024_KEY_LEN) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Unexpected onionskin length after decryption: %ld", (long)len); @@ -152,7 +152,7 @@ onion_skin_TAP_server_handshake( goto err; /* LCOV_EXCL_STOP */ } - if (crypto_dh_get_public(dh, handshake_reply_out, DH_KEY_LEN)) { + if (crypto_dh_get_public(dh, handshake_reply_out, DH1024_KEY_LEN)) { /* LCOV_EXCL_START * This can only fail if the length of the key we just allocated is too * big. That should be impossible. */ @@ -164,7 +164,7 @@ onion_skin_TAP_server_handshake( key_material_len = DIGEST_LEN+key_out_len; key_material = tor_malloc(key_material_len); len = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, dh, challenge, - DH_KEY_LEN, key_material, + DH1024_KEY_LEN, key_material, key_material_len); if (len < 0) { log_info(LD_GENERAL, "crypto_dh_compute_secret failed."); @@ -172,7 +172,7 @@ onion_skin_TAP_server_handshake( } /* send back H(K|0) as proof that we learned K. */ - memcpy(handshake_reply_out+DH_KEY_LEN, key_material, DIGEST_LEN); + memcpy(handshake_reply_out+DH1024_KEY_LEN, key_material, DIGEST_LEN); /* use the rest of the key material for our shared keys, digests, etc */ memcpy(key_out, key_material+DIGEST_LEN, key_out_len); @@ -212,12 +212,12 @@ onion_skin_TAP_client_handshake(crypto_dh_t *handshake_state, ssize_t len; char *key_material=NULL; size_t key_material_len; - tor_assert(crypto_dh_get_bytes(handshake_state) == DH_KEY_LEN); + tor_assert(crypto_dh_get_bytes(handshake_state) == DH1024_KEY_LEN); key_material_len = DIGEST_LEN + key_out_len; key_material = tor_malloc(key_material_len); len = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, handshake_state, - handshake_reply, DH_KEY_LEN, key_material, + handshake_reply, DH1024_KEY_LEN, key_material, key_material_len); if (len < 0) { if (msg_out) @@ -225,7 +225,7 @@ onion_skin_TAP_client_handshake(crypto_dh_t *handshake_state, goto err; } - if (tor_memneq(key_material, handshake_reply+DH_KEY_LEN, DIGEST_LEN)) { + if (tor_memneq(key_material, handshake_reply+DH1024_KEY_LEN, DIGEST_LEN)) { /* H(K) does *not* match. Something fishy. */ if (msg_out) *msg_out = "Digest DOES NOT MATCH on onion handshake. Bug or attack."; diff --git a/src/or/onion_tap.h b/src/or/onion_tap.h index fdc2ce9123..5b1eacce70 100644 --- a/src/or/onion_tap.h +++ b/src/or/onion_tap.h @@ -14,8 +14,8 @@ #define TAP_ONIONSKIN_CHALLENGE_LEN (PKCS1_OAEP_PADDING_OVERHEAD+\ CIPHER_KEY_LEN+\ - DH_KEY_LEN) -#define TAP_ONIONSKIN_REPLY_LEN (DH_KEY_LEN+DIGEST_LEN) + DH1024_KEY_LEN) +#define TAP_ONIONSKIN_REPLY_LEN (DH1024_KEY_LEN+DIGEST_LEN) int onion_skin_TAP_create(crypto_pk_t *router_key, crypto_dh_t **handshake_state_out, diff --git a/src/or/or.h b/src/or/or.h index 63349cffbb..3d3972fb8f 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1542,8 +1542,6 @@ typedef struct crypt_path_reference_t crypt_path_reference_t; #define CPATH_KEY_MATERIAL_LEN (20*2+16*2) -#define DH_KEY_LEN DH_BYTES - typedef struct cpath_build_state_t cpath_build_state_t; /** "magic" value for an origin_circuit_t */ diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 1da695706c..b714574563 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -258,7 +258,7 @@ rend_client_send_introduction(origin_circuit_t *introcirc, } if (crypto_dh_get_public(cpath->rend_dh_handshake_state, tmp+dh_offset, - DH_KEY_LEN)<0) { + DH1024_KEY_LEN)<0) { log_warn(LD_BUG, "Internal error: couldn't extract g^x."); status = -2; goto perm_err; @@ -269,7 +269,7 @@ rend_client_send_introduction(origin_circuit_t *introcirc, r = crypto_pk_obsolete_public_hybrid_encrypt(intro_key, payload+DIGEST_LEN, sizeof(payload)-DIGEST_LEN, tmp, - (int)(dh_offset+DH_KEY_LEN), + (int)(dh_offset+DH1024_KEY_LEN), PK_PKCS1_OAEP_PADDING, 0); if (r<0) { log_warn(LD_BUG,"Internal error: hybrid pk encrypt failed."); @@ -874,7 +874,7 @@ int rend_client_receive_rendezvous(origin_circuit_t *circ, const uint8_t *request, size_t request_len) { - if (request_len != DH_KEY_LEN+DIGEST_LEN) { + if (request_len != DH1024_KEY_LEN+DIGEST_LEN) { log_warn(LD_PROTOCOL,"Incorrect length (%d) on RENDEZVOUS2 cell.", (int)request_len); goto err; diff --git a/src/or/rendmid.c b/src/or/rendmid.c index 56b65079ab..38c1c52e43 100644 --- a/src/or/rendmid.c +++ b/src/or/rendmid.c @@ -157,7 +157,8 @@ rend_mid_introduce_legacy(or_circuit_t *circ, const uint8_t *request, * to revise this protocol anyway. */ if (request_len < (DIGEST_LEN+(MAX_NICKNAME_LEN+1)+REND_COOKIE_LEN+ - DH_KEY_LEN+CIPHER_KEY_LEN+PKCS1_OAEP_PADDING_OVERHEAD)) { + DH1024_KEY_LEN+CIPHER_KEY_LEN+ + PKCS1_OAEP_PADDING_OVERHEAD)) { log_warn(LD_PROTOCOL, "Impossibly short INTRODUCE1 cell on circuit %u; " "responding with nack.", (unsigned)circ->p_circ_id); @@ -367,4 +368,3 @@ rend_mid_rendezvous(or_circuit_t *circ, const uint8_t *request, circuit_mark_for_close(TO_CIRCUIT(circ), reason); return -1; } - diff --git a/src/or/rendservice.c b/src/or/rendservice.c index b2023c72cb..f55b9b776c 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -2005,7 +2005,7 @@ rend_service_receive_introduction(origin_circuit_t *circuit, * part 1. */ replay = replaycache_add_test_and_elapsed( service->accepted_intro_dh_parts, - parsed_req->dh, DH_KEY_LEN, + parsed_req->dh, DH1024_KEY_LEN, &elapsed); if (replay) { @@ -2055,7 +2055,7 @@ rend_service_receive_introduction(origin_circuit_t *circuit, } if (crypto_dh_compute_secret(LOG_PROTOCOL_WARN, dh, (char *)(parsed_req->dh), - DH_KEY_LEN, keys, + DH1024_KEY_LEN, keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN)<0) { log_warn(LD_BUG, "Internal error: couldn't complete DH handshake"); reason = END_CIRC_REASON_INTERNAL; @@ -2336,7 +2336,7 @@ rend_service_begin_parse_intro(const uint8_t *request, /* min key length plus digest length plus nickname length */ if (request_len < (DIGEST_LEN + REND_COOKIE_LEN + (MAX_NICKNAME_LEN + 1) + - DH_KEY_LEN + 42)) { + DH1024_KEY_LEN + 42)) { if (err_msg_out) { tor_asprintf(&err_msg, "got a truncated INTRODUCE%d cell", @@ -2872,14 +2872,14 @@ rend_service_parse_intro_plaintext( */ ver_invariant_len = intro->plaintext_len - ver_specific_len; - if (ver_invariant_len < REND_COOKIE_LEN + DH_KEY_LEN) { + if (ver_invariant_len < REND_COOKIE_LEN + DH1024_KEY_LEN) { tor_asprintf(&err_msg, "decrypted plaintext of INTRODUCE%d cell was truncated (%ld bytes)", (int)(intro->type), (long)(intro->plaintext_len)); status = -5; goto err; - } else if (ver_invariant_len > REND_COOKIE_LEN + DH_KEY_LEN) { + } else if (ver_invariant_len > REND_COOKIE_LEN + DH1024_KEY_LEN) { tor_asprintf(&err_msg, "decrypted plaintext of INTRODUCE%d cell was too long (%ld bytes)", (int)(intro->type), @@ -2892,7 +2892,7 @@ rend_service_parse_intro_plaintext( REND_COOKIE_LEN); memcpy(intro->dh, intro->plaintext + ver_specific_len + REND_COOKIE_LEN, - DH_KEY_LEN); + DH1024_KEY_LEN); } /* Flag it as being fully parsed */ @@ -3449,12 +3449,12 @@ rend_service_rendezvous_has_opened(origin_circuit_t *circuit) /* All we need to do is send a RELAY_RENDEZVOUS1 cell... */ memcpy(buf, rend_cookie, REND_COOKIE_LEN); if (crypto_dh_get_public(hop->rend_dh_handshake_state, - buf+REND_COOKIE_LEN, DH_KEY_LEN)<0) { + buf+REND_COOKIE_LEN, DH1024_KEY_LEN)<0) { log_warn(LD_GENERAL,"Couldn't get DH public key."); reason = END_CIRC_REASON_INTERNAL; goto err; } - memcpy(buf+REND_COOKIE_LEN+DH_KEY_LEN, hop->rend_circ_nonce, + memcpy(buf+REND_COOKIE_LEN+DH1024_KEY_LEN, hop->rend_circ_nonce, DIGEST_LEN); /* Send the cell */ diff --git a/src/or/rendservice.h b/src/or/rendservice.h index b2644d8b40..a9b3689d2b 100644 --- a/src/or/rendservice.h +++ b/src/or/rendservice.h @@ -58,7 +58,7 @@ struct rend_intro_cell_s { /* Rendezvous cookie */ uint8_t rc[REND_COOKIE_LEN]; /* Diffie-Hellman data */ - uint8_t dh[DH_KEY_LEN]; + uint8_t dh[DH1024_KEY_LEN]; }; #ifdef RENDSERVICE_PRIVATE diff --git a/src/test/bench.c b/src/test/bench.c index 6653f4942f..f46eeef7fb 100644 --- a/src/test/bench.c +++ b/src/test/bench.c @@ -551,8 +551,8 @@ bench_dh(void) reset_perftime(); start = perftime(); for (i = 0; i < iters; ++i) { - char dh_pubkey_a[DH_BYTES], dh_pubkey_b[DH_BYTES]; - char secret_a[DH_BYTES], secret_b[DH_BYTES]; + char dh_pubkey_a[DH1024_KEY_LEN], dh_pubkey_b[DH1024_KEY_LEN]; + char secret_a[DH1024_KEY_LEN], secret_b[DH1024_KEY_LEN]; ssize_t slen_a, slen_b; crypto_dh_t *dh_a = crypto_dh_new(DH_TYPE_TLS); crypto_dh_t *dh_b = crypto_dh_new(DH_TYPE_TLS); @@ -586,7 +586,7 @@ bench_ecdh_impl(int nid, const char *name) reset_perftime(); start = perftime(); for (i = 0; i < iters; ++i) { - char secret_a[DH_BYTES], secret_b[DH_BYTES]; + char secret_a[DH1024_KEY_LEN], secret_b[DH1024_KEY_LEN]; ssize_t slen_a, slen_b; EC_KEY *dh_a = EC_KEY_new_by_curve_name(nid); EC_KEY *dh_b = EC_KEY_new_by_curve_name(nid); @@ -597,10 +597,10 @@ bench_ecdh_impl(int nid, const char *name) EC_KEY_generate_key(dh_a); EC_KEY_generate_key(dh_b); - slen_a = ECDH_compute_key(secret_a, DH_BYTES, + slen_a = ECDH_compute_key(secret_a, DH1024_KEY_LEN, EC_KEY_get0_public_key(dh_b), dh_a, NULL); - slen_b = ECDH_compute_key(secret_b, DH_BYTES, + slen_b = ECDH_compute_key(secret_b, DH1024_KEY_LEN, EC_KEY_get0_public_key(dh_a), dh_b, NULL); diff --git a/src/test/test.c b/src/test/test.c index e3121293c3..d36c47a07d 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -148,7 +148,8 @@ test_bad_onion_handshake(void *arg) memset(junk_buf, 0, sizeof(junk_buf)); crypto_pk_obsolete_public_hybrid_encrypt(pk, junk_buf2, TAP_ONIONSKIN_CHALLENGE_LEN, - junk_buf, DH_KEY_LEN, PK_PKCS1_OAEP_PADDING, 1); + junk_buf, DH1024_KEY_LEN, + PK_PKCS1_OAEP_PADDING, 1); tt_int_op(-1, OP_EQ, onion_skin_TAP_server_handshake(junk_buf2, pk, NULL, s_buf, s_keys, 40)); diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c index e8a2efe597..a85d036e36 100644 --- a/src/test/test_crypto.c +++ b/src/test/test_crypto.c @@ -23,38 +23,39 @@ test_crypto_dh(void *arg) crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT); crypto_dh_t *dh1_dup = NULL; crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT); - char p1[DH_BYTES]; - char p2[DH_BYTES]; - char s1[DH_BYTES]; - char s2[DH_BYTES]; + char p1[DH1024_KEY_LEN]; + char p2[DH1024_KEY_LEN]; + char s1[DH1024_KEY_LEN]; + char s2[DH1024_KEY_LEN]; ssize_t s1len, s2len; (void)arg; - tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH_BYTES); - tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH_BYTES); + tt_int_op(crypto_dh_get_bytes(dh1),OP_EQ, DH1024_KEY_LEN); + tt_int_op(crypto_dh_get_bytes(dh2),OP_EQ, DH1024_KEY_LEN); - memset(p1, 0, DH_BYTES); - memset(p2, 0, DH_BYTES); - tt_mem_op(p1,OP_EQ, p2, DH_BYTES); + memset(p1, 0, DH1024_KEY_LEN); + memset(p2, 0, DH1024_KEY_LEN); + tt_mem_op(p1,OP_EQ, p2, DH1024_KEY_LEN); tt_int_op(-1, OP_EQ, crypto_dh_get_public(dh1, p1, 6)); /* too short */ - tt_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES)); - tt_mem_op(p1,OP_NE, p2, DH_BYTES); - tt_assert(! crypto_dh_get_public(dh2, p2, DH_BYTES)); - tt_mem_op(p1,OP_NE, p2, DH_BYTES); + tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN)); + tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN); + tt_assert(! crypto_dh_get_public(dh2, p2, DH1024_KEY_LEN)); + tt_mem_op(p1,OP_NE, p2, DH1024_KEY_LEN); - memset(s1, 0, DH_BYTES); - memset(s2, 0xFF, DH_BYTES); - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH_BYTES, s1, 50); - s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH_BYTES, s2, 50); + memset(s1, 0, DH1024_KEY_LEN); + memset(s2, 0xFF, DH1024_KEY_LEN); + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH1024_KEY_LEN, s1, 50); + s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH1024_KEY_LEN, s2, 50); tt_assert(s1len > 0); tt_int_op(s1len,OP_EQ, s2len); tt_mem_op(s1,OP_EQ, s2, s1len); /* test dh_dup; make sure it works the same. */ dh1_dup = crypto_dh_dup(dh1); - s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH_BYTES, s1, 50); + s1len = crypto_dh_compute_secret(LOG_WARN, dh1_dup, p2, DH1024_KEY_LEN, + s1, 50); tt_mem_op(s1,OP_EQ, s2, s1len); { @@ -67,12 +68,14 @@ test_crypto_dh(void *arg) s1len = crypto_dh_compute_secret(LOG_WARN, dh1, "\x00", 1, s1, 50); tt_int_op(-1, OP_EQ, s1len); - memset(p1, 0, DH_BYTES); /* 0 with padding. */ - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50); + memset(p1, 0, DH1024_KEY_LEN); /* 0 with padding. */ + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, + s1, 50); tt_int_op(-1, OP_EQ, s1len); - p1[DH_BYTES-1] = 1; /* 1 with padding*/ - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50); + p1[DH1024_KEY_LEN-1] = 1; /* 1 with padding*/ + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, + s1, 50); tt_int_op(-1, OP_EQ, s1len); /* 2 is okay, though weird. */ @@ -89,15 +92,18 @@ test_crypto_dh(void *arg) /* p-1, p, and so on are not okay. */ base16_decode(p1, sizeof(p1), P, strlen(P)); - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50); + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, + s1, 50); tt_int_op(-1, OP_EQ, s1len); - p1[DH_BYTES-1] = 0xFE; /* p-1 */ - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50); + p1[DH1024_KEY_LEN-1] = 0xFE; /* p-1 */ + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, + s1, 50); tt_int_op(-1, OP_EQ, s1len); - p1[DH_BYTES-1] = 0xFD; /* p-2 works fine */ - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50); + p1[DH1024_KEY_LEN-1] = 0xFD; /* p-2 works fine */ + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, + s1, 50); tt_int_op(50, OP_EQ, s1len); const char P_plus_one[] = @@ -109,31 +115,35 @@ test_crypto_dh(void *arg) base16_decode(p1, sizeof(p1), P_plus_one, strlen(P_plus_one)); - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50); + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, + s1, 50); tt_int_op(-1, OP_EQ, s1len); - p1[DH_BYTES-1] = 0x01; /* p+2 */ - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50); + p1[DH1024_KEY_LEN-1] = 0x01; /* p+2 */ + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, + s1, 50); tt_int_op(-1, OP_EQ, s1len); - p1[DH_BYTES-1] = 0xff; /* p+256 */ - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50); + p1[DH1024_KEY_LEN-1] = 0xff; /* p+256 */ + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, + s1, 50); tt_int_op(-1, OP_EQ, s1len); - memset(p1, 0xff, DH_BYTES), /* 2^1024-1 */ - s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH_BYTES, s1, 50); + memset(p1, 0xff, DH1024_KEY_LEN), /* 2^1024-1 */ + s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p1, DH1024_KEY_LEN, + s1, 50); tt_int_op(-1, OP_EQ, s1len); } { /* provoke an error in the openssl DH_compute_key function; make sure we * survive. */ - tt_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES)); + tt_assert(! crypto_dh_get_public(dh1, p1, DH1024_KEY_LEN)); crypto_dh_free(dh2); dh2= crypto_dh_new(DH_TYPE_CIRCUIT); /* no private key set */ s1len = crypto_dh_compute_secret(LOG_WARN, dh2, - p1, DH_BYTES, + p1, DH1024_KEY_LEN, s1, 50); tt_int_op(s1len, OP_EQ, -1); } @@ -3063,4 +3073,3 @@ struct testcase_t crypto_tests[] = { { "failure_modes", test_crypto_failure_modes, TT_FORK, NULL, NULL }, END_OF_TESTCASES }; - diff --git a/src/test/test_hs_client.c b/src/test/test_hs_client.c index 58002d6292..3a4d35431e 100644 --- a/src/test/test_hs_client.c +++ b/src/test/test_hs_client.c @@ -197,17 +197,17 @@ test_e2e_rend_circuit_setup_legacy(void *arg) /* Make a good RENDEZVOUS1 cell body because it needs to pass key exchange * digest verification... */ - uint8_t rend_cell_body[DH_KEY_LEN+DIGEST_LEN] = {2}; + uint8_t rend_cell_body[DH1024_KEY_LEN+DIGEST_LEN] = {2}; { char keys[DIGEST_LEN+CPATH_KEY_MATERIAL_LEN]; crypto_dh_t *dh_state = or_circ->build_state->pending_final_cpath->rend_dh_handshake_state; /* compute and overwrite digest of cell body with the right value */ retval = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, dh_state, - (char*)rend_cell_body, DH_KEY_LEN, + (char*)rend_cell_body, DH1024_KEY_LEN, keys, DIGEST_LEN+CPATH_KEY_MATERIAL_LEN); tt_int_op(retval, OP_GT, 0); - memcpy(rend_cell_body+DH_KEY_LEN, keys, DIGEST_LEN); + memcpy(rend_cell_body+DH1024_KEY_LEN, keys, DIGEST_LEN); } /* Setup the circuit */