Commit Graph

16584 Commits

Author SHA1 Message Date
Nick Mathewson
d907fca29b Make libcurve25519_donna get built as a .a
This lets us give it compiler flags differing from the rest of
libor-crypto.a
2013-01-03 11:29:47 -05:00
Nick Mathewson
ef13bf4432 Fix an unused-variable warning 2013-01-03 11:29:47 -05:00
Nick Mathewson
b286373908 Enable the ntor handshake on the client side.
"works for me"
2013-01-03 11:29:47 -05:00
Nick Mathewson
ecf88b16b8 Enable handling of create2/extend2/created2/extended2 2013-01-03 11:29:47 -05:00
Nick Mathewson
5c68a1efaa Don't check create cells too much when we're relaying them
We want to sanity-check our own create cells carefully, and other
people's loosely.
2013-01-03 11:29:47 -05:00
Nick Mathewson
1ed4786dba Implement scheme to allow ntor requests/responses via older servers 2013-01-03 11:29:47 -05:00
Nick Mathewson
115e8fe9a5 Use created_cell_format where appropriate 2013-01-03 11:29:47 -05:00
Nick Mathewson
6c69b16c93 Use new wrappers for making,sending,processing create/extend cells 2013-01-03 11:29:47 -05:00
Nick Mathewson
2802ccaeb6 Teach cpuworker and others about create_cell_t and friends
The unit of work sent to a cpuworker is now a create_cell_t; its
response is now a created_cell_t.  Several of the things that call or
get called by this chain of logic now take create_cell_t or
created_cell_t too.

Since all cpuworkers are forked or spawned by Tor, they don't need a
stable wire protocol, so we can just send structs.  This saves us some
insanity, and helps p
2013-01-03 11:29:46 -05:00
Nick Mathewson
5d15d597a9 Code to parse and format CREATE{,2,_FAST} cells and their allies
As elsewhere, it makes sense when adding or extending a cell type to
actually make the code to parse it into a separate tested function.

This commit doesn't actually make anything use these new functions;
that's for a later commit.
2013-01-03 11:29:46 -05:00
Nick Mathewson
18c7d3f157 Rename handshake_digest to rend_circ_nonce
The handshake_digest field was never meaningfully a digest *of* the
handshake, but rather is a digest *from* the handshake that we exapted
to prevent replays of ESTABLISH_INTRO cells.  The ntor handshake will
generate it as more key material rather than taking it from any part
of the circuit handshake reply..
2013-01-03 11:29:46 -05:00
Nick Mathewson
f58d4dfcd6 Massive refactoring of the various handshake types
The three handshake types are now accessed from a unified interface;
their state is abstracted from the rest of the cpath state, and so on.
2013-01-03 11:29:46 -05:00
Nick Mathewson
5fa1c7484c Refactor the CREATE_FAST handshake code to match the others. 2013-01-03 11:29:02 -05:00
Nick Mathewson
f7e590df05 Split onion.[ch] into onion{,_fast,_tap}.[ch]
I'm going to want a generic "onionskin" type and set of wrappers, and
for that, it will be helpful to isolate the different circuit creation
handshakes.  Now the original handshake is in onion_tap.[ch], the
CREATE_FAST handshake is in onion_fast.[ch], and onion.[ch] now
handles the onion queue.

This commit does nothing but move code and adjust header files.
2013-01-02 14:11:14 -05:00
Nick Mathewson
5b3dd1610c Wrangle curve25519 onion keys: generate, store, load, publish, republish
Here we try to handle curve25519 onion keys from generating them,
loading and storing them, publishing them in our descriptors, putting
them in microdescriptors, and so on.

This commit is untested and probably buggy like whoa
2013-01-02 14:11:14 -05:00
Nick Mathewson
6c883bc638 Move curve25519 keypair type to src/common; give it functions
This patch moves curve25519_keypair_t from src/or/onion_ntor.h to
src/common/crypto_curve25519.h, and adds new functions to generate,
load, and store keypairs.
2013-01-02 14:11:13 -05:00
Nick Mathewson
25c05cb747 Refactor strong os-RNG into its own function
Previously, we only used the strong OS entropy source as part of
seeding OpenSSL's RNG.  But with curve25519, we'll have occasion to
want to generate some keys using extremely-good entopy, as well as the
means to do so.  So let's!

This patch refactors the OS-entropy wrapper into its own
crypto_strongest_rand() function, and makes our new
curve25519_secret_key_generate function try it as appropriate.
2013-01-02 14:11:13 -05:00
Nick Mathewson
4d36eafd74 curve25519-donna-c64: make endian-neutralness fns static 2013-01-02 14:11:13 -05:00
Nick Mathewson
cf4dd5fbcb Implementat the ntor handshake
The ntor handshake--described in proposal 216 and in a paper by
Goldberg, Stebila, and Ustaoglu--gets us much better performance than
our current approach.
2013-01-02 14:10:49 -05:00
Nick Mathewson
89ec584805 Add a wrapper around, and test and build support for, curve25519.
We want to use donna-c64 when we have a GCC with support for
64x64->uint128_t multiplying.  If not, we want to use libnacl if we
can, unless it's giving us the unsafe "ref" implementation.  And if
that isn't going to work, we'd like to use the
portable-and-safe-but-slow 32-bit "donna" implementation.

We might need more library searching for the correct libnacl,
especially once the next libnacl release is out -- it's likely to have
bunches of better curve25519 implementations.

I also define a set of curve25519 wrapper functions, though it really
shouldn't be necessary.

We should eventually make the -donna*.c files get build with
-fomit-frame-pointer, since that can make a difference.
2013-01-02 14:10:48 -05:00
Nick Mathewson
f06966023a curve25519-donna-c64: work on bigendian and alignment-happy systems
There was one place in curve25519-donna-c64 that was relying on
unaligned access and relying on little-endian values.  This patch
fixes that.

I've sent Adam a pull request.
2013-01-02 14:10:48 -05:00
Nick Mathewson
c85bb680cc Make curve25519-donna work with our compiler warnings. 2013-01-02 14:10:48 -05:00
Nick Mathewson
9c3c571c0c Add fallback implementations for curve25519: curve25519_donna
This is copied from Adam Langley's curve25519-donna package, as
of commit 09427c9cab32075c06c3487aa01628030e1c5ae7.
2013-01-02 14:10:48 -05:00
Nick Mathewson
cfab9f0755 Add a data-invariant linear-search map structure
I'm going to use this for looking op keys server-side for ntor.
2013-01-02 14:10:48 -05:00
Nick Mathewson
ee4182612f Avoid spurious local-port warnings
Our old warn_nonlocal_client_ports() would give a bogus warning for
every nonlocal port every time it parsed any ports at all.  So if it
parsed a nonlocal socksport, it would complain that it had a nonlocal
socksport...and then turn around and complain about the nonlocal
socksport again, calling it a nonlocal transport or nonlocal dnsport,
if it had any of those.

Fixes bug 7836; bugfix on 0.2.3.3-alpha.
2013-01-02 10:37:03 -05:00
Sebastian Hahn
11e8a445c3 Fix a couple of harmless clang3.2 warnings 2012-12-31 18:23:28 +01:00
Nick Mathewson
51c2dd8f89 Merge branch 'bug7814_squash' 2012-12-29 01:23:14 -05:00
Nick Mathewson
5e22cfe2b4 Fix a crash bug when running an node without IPv6-exit support.
Fixes bug 7814; bugfix on 0.2.4.7-alpha.
2012-12-29 01:22:34 -05:00
Nick Mathewson
127cb39ffc Rate-limit "No circuits are opened" message to once-per-hour
mr-4 reports on #7799 that he was seeing it several times per second,
which suggests that things had gone very wrong.

This isn't a real fix, but it should make Tor usable till we can
figure out the real issue.
2012-12-26 10:05:45 -05:00
Nick Mathewson
2e9be92cd7 Fix a possibly-unused-var warning. Thank you, GCC. 2012-12-25 23:37:41 -05:00
Nick Mathewson
01a09e8f86 Fix compilation warning: must not format u64 as long. 2012-12-25 23:34:38 -05:00
Nick Mathewson
8324824d8f Fix whitespace 2012-12-25 23:34:16 -05:00
Nick Mathewson
885e8d35c7 Merge remote-tracking branch 'mikeperry/209-path-bias-changes' 2012-12-25 23:30:28 -05:00
Nick Mathewson
265aab298a Merge branch 'directory_guards_rebased' 2012-12-25 23:22:54 -05:00
Nick Mathewson
c2c6e8e5b2 Add documentation for directory guard options 2012-12-25 23:19:10 -05:00
Nick Mathewson
0f9dfef9d6 Add configuration options for directory guards
In addition to all the other ways to make directory gurads not go,
you can now set UseEntryGuardsAsDirGuards to 0.
2012-12-25 23:14:43 -05:00
Nick Mathewson
0c4210fb65 Directory guard implementation.
Implements proposal 207; ticket 6526.
2012-12-25 23:14:43 -05:00
Nick Mathewson
1df7289000 Remember which of our guards are directory caches 2012-12-25 23:10:41 -05:00
Nick Mathewson
a7c6b4ab91 Split choosing a regular directory into its own fn 2012-12-25 23:10:41 -05:00
Nick Mathewson
68dae4cf35 One last fix for a warning on non-EC systems 2012-12-25 22:12:18 -05:00
Nick Mathewson
3eb3900510 Merge branch 'tls_ecdhe_rebased_v2' 2012-12-25 22:10:57 -05:00
Nick Mathewson
ddbe28919a Be more noncomittal about performance improvement of uint128 backend. 2012-12-25 21:08:42 -05:00
Nick Mathewson
25afecdbf9 Make ECDHE group configurable: 224 for public, 256 for bridges (default) 2012-12-25 20:22:46 -05:00
Nick Mathewson
c8b3bdb782 Inform the user if they're passing up a 10x ECDH speedup. 2012-12-25 20:14:07 -05:00
Nick Mathewson
2f8fd53750 Add benchmark for DH handshake and ECDH-P-224/56 handshake 2012-12-25 20:14:07 -05:00
Nick Mathewson
175b2678d7 Let servers choose better ciphersuites when clients support them
This implements the server-side of proposal 198 by detecting when
clients lack the magic list of ciphersuites that indicates that
they're lying faking some ciphers they don't really have.  When
clients lack this list, we can choose any cipher that we'd actually
like.  The newly allowed ciphersuites are, currently, "All ECDHE-RSA
ciphers that openssl supports, except for ECDHE-RSA-RC4".

The code to detect the cipher list relies on on (ab)use of
SSL_set_session_secret_cb.
2012-12-25 20:14:07 -05:00
Nick Mathewson
63208aa1e5 Remove the address argument from client cipher classification fns 2012-12-25 20:14:07 -05:00
Nick Mathewson
047d9e57b0 Cache the type of client cipher list we have in the tor_tls_t
We already use this classification for deciding whether (as a server)
to do a v2/v3 handshake, and we're about to start using it for
deciding whether we can use good ciphersuites too.
2012-12-25 20:14:07 -05:00
Nick Mathewson
2a26e1d45f prop198: Detect the list of ciphersuites we used to lie about having
This is less easy than you might think; we can't just look at the
client ciphers list, since openssl doesn't remember client ciphers if
it doesn't know about them.  So we have to keep a list of the "v2"
ciphers, with the ones we don't know about removed.
2012-12-25 20:14:07 -05:00
Nick Mathewson
bbaf4d9643 Configure SSL context to know about using P-256 for ECDHE. 2012-12-25 20:14:03 -05:00