Document CREATE_FAST better in the code. Move our key expansion algorithm into a separate function in crypto.c

svn:r5530
Nick Mathewson 2005-12-08 17:38:32 +00:00
parent 25303172b8
commit e9b66ec906
6 changed files with 104 additions and 47 deletions


@ -1487,11 +1487,9 @@ crypto_dh_compute_secret(crypto_dh_env_t *dh,
const char *pubkey, size_t pubkey_len, const char *pubkey, size_t pubkey_len,
char *secret_out, size_t secret_bytes_out) char *secret_out, size_t secret_bytes_out)
{ {
char hash[DIGEST_LEN];
char *secret_tmp = NULL; char *secret_tmp = NULL;
BIGNUM *pubkey_bn = NULL; BIGNUM *pubkey_bn = NULL;
size_t secret_len=0; size_t secret_len=0;
unsigned int i;
int result=0; int result=0;
tor_assert(dh); tor_assert(dh);
tor_assert(secret_bytes_out/DIGEST_LEN <= 255); tor_assert(secret_bytes_out/DIGEST_LEN <= 255);
@ -1503,7 +1501,7 @@ crypto_dh_compute_secret(crypto_dh_env_t *dh,
warn(LD_CRYPTO,"Rejected invalid g^x"); warn(LD_CRYPTO,"Rejected invalid g^x");
goto error; goto error;
} }
secret_tmp = tor_malloc(crypto_dh_get_bytes(dh)+1); secret_tmp = tor_malloc(crypto_dh_get_bytes(dh));
result = DH_compute_key((unsigned char*)secret_tmp, pubkey_bn, dh->dh); result = DH_compute_key((unsigned char*)secret_tmp, pubkey_bn, dh->dh);
if (result < 0) { if (result < 0) {
warn(LD_CRYPTO,"DH_compute_key() failed."); warn(LD_CRYPTO,"DH_compute_key() failed.");
@ -1517,12 +1515,9 @@ crypto_dh_compute_secret(crypto_dh_env_t *dh,
* bytes long. * bytes long.
* What are the security implications here? * What are the security implications here?
*/ */
for (i = 0; i < secret_bytes_out; i += DIGEST_LEN) { if (crypto_expand_key_material(secret_tmp, secret_len,
secret_tmp[secret_len] = (unsigned char) i/DIGEST_LEN; secret_out, secret_bytes_out)<0)
if (crypto_digest(hash, secret_tmp, secret_len+1))
goto error; goto error;
memcpy(secret_out+i, hash, MIN(DIGEST_LEN, secret_bytes_out-i));
}
secret_len = secret_bytes_out; secret_len = secret_bytes_out;
goto done; goto done;
@ -1539,6 +1534,44 @@ crypto_dh_compute_secret(crypto_dh_env_t *dh,
return secret_len; return secret_len;
} }
/** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
* ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
* <b>key_out</b> by taking the first key_out_len bytes of
* H(K | [00]) | H(K | [01]) | ....
*
* Return 0 on success, -1 on failure.
*/
int
crypto_expand_key_material(const char *key_in, size_t key_in_len,
char *key_out, size_t key_out_len)
{
int i;
char *cp, *tmp = tor_malloc(key_in_len+1);
char digest[DIGEST_LEN];
/* If we try to get more than this amount of key data, we'll repeat blocks.*/
tor_assert(key_out_len <= DIGEST_LEN*256);
memcpy(tmp, key_in, key_in_len);
for (cp = key_out, i=0; key_out_len; ++i, cp += DIGEST_LEN) {
tmp[key_in_len] = i;
if (crypto_digest(digest, tmp, key_in_len+1))
goto err;
memcpy(cp, digest, MIN(DIGEST_LEN, key_out_len));
if (key_out_len < DIGEST_LEN)
break;
key_out_len -= DIGEST_LEN;
}
memset(tmp, 0, key_in_len+1);
tor_free(tmp);
return 0;
err:
memset(tmp, 0, key_in_len+1);
tor_free(tmp);
return -1;
}
/** Free a DH key exchange object. /** Free a DH key exchange object.
*/ */
void void
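Review bot: In crypto_expand_key_material the `memset(tmp, 0, key_in_len+1)` immediately before `tor_free(tmp)`, on both the success path and the `err:` path, is a dead store from the compiler's point of view and may be dropped, leaving the copy of K in freed heap memory; a wipe the optimizer cannot elide (a volatile-qualified write loop, or `explicit_bzero`/`memset_s` where available) is needed here, and the same applies to the wipes added in the onion.c section of this commit. The success and error tails are otherwise identical, so a single cleanup label with a return-value variable removes the duplication. `tmp[key_in_len] = i;` also stores an `int` into a `char` slot without a cast; the `DIGEST_LEN*256` assertion keeps the value in range, but `(char)i` makes that explicit. Suggested shape:
```c
int
crypto_expand_key_material(const char *key_in, size_t key_in_len,
                           char *key_out, size_t key_out_len)
{
  int rv = -1;
  /* … unchanged: declarations, range assertion, memcpy of key_in into tmp … */
  for (cp = key_out, i=0; key_out_len; ++i, cp += DIGEST_LEN) {
    tmp[key_in_len] = (char)i;
    if (crypto_digest(digest, tmp, key_in_len+1))
      goto done;
    /* … unchanged: copy of digest block, remaining-length bookkeeping … */
  }
  rv = 0;
 done:
  /* tmp holds a copy of K: this wipe must not be elidable by the optimizer. */
  memset(tmp, 0, key_in_len+1);   /* TODO: use a non-elidable wipe helper */
  tor_free(tmp);
  return rv;
}
```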


@ -141,6 +141,8 @@ int crypto_dh_compute_secret(crypto_dh_env_t *dh,
const char *pubkey, size_t pubkey_len, const char *pubkey, size_t pubkey_len,
char *secret_out, size_t secret_out_len); char *secret_out, size_t secret_out_len);
void crypto_dh_free(crypto_dh_env_t *dh); void crypto_dh_free(crypto_dh_env_t *dh);
int crypto_expand_key_material(const char *key_in, size_t in_len,
char *key_out, size_t key_out_len);
/* random numbers */ /* random numbers */
int crypto_seed_rng(void); int crypto_seed_rng(void);
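Review bot: The new prototype names its second parameter `in_len` while the definition in crypto.c and its doc comment call it `key_in_len`; keeping the names aligned makes the header self-documenting: `int crypto_expand_key_material(const char *key_in, size_t key_in_len,`. A one-line comment on the declaration noting that the function asserts when `key_out_len` exceeds `DIGEST_LEN*256` would also spare callers a trip to the definition.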


@ -553,8 +553,9 @@ circuit_send_next_onion_skin(circuit_t *circ)
return -1; return -1;
} }
} else { } else {
/* We are not an OR, and we're building the first hop of a circuit to /* We are not an OR, and we're building the first hop of a circuit to a
* a new OR: we can be speedy. */ * new OR: we can be speedy and use CREATE_FAST to save an RSA operation
* and a DH operation. */
cell_type = CELL_CREATE_FAST; cell_type = CELL_CREATE_FAST;
memset(payload, 0, sizeof(payload)); memset(payload, 0, sizeof(payload));
crypto_rand(circ->cpath->fast_handshake_state, crypto_rand(circ->cpath->fast_handshake_state,
@ -769,9 +770,10 @@ circuit_init_cpath_crypto(crypt_path_t *cpath, char *key_data, int reverse)
return 0; return 0;
} }
/** A created or extended cell came back to us on the circuit, /** A created or extended cell came back to us on the circuit, and it included
* and it included <b>reply</b> (the second DH key, plus KH). * <b>reply</b> as its body. (If <b>reply_type</b> is CELL_CREATED, the body
* DOCDOC reply_type. * contains (the second DH key, plus KH). If <b>reply_type</b> is
* CELL_CREATED_FAST, the body contains a secret y and a hash H(x|y).)
* *
* Calculate the appropriate keys and digests, make sure KH is * Calculate the appropriate keys and digests, make sure KH is
* correct, and initialize this hop of the cpath. * correct, and initialize this hop of the cpath.
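Review bot: The rewritten doc comment at the end of the second hunk has an unbalanced parenthesis: `the body contains (the second DH key, plus KH).` opens a parenthetical the sentence does not need; `the body contains the second DH key, plus KH.` reads cleanly and parallels the CELL_CREATED_FAST clause that follows. The function this comment documents begins outside the hunk.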


@ -211,6 +211,8 @@ command_process_create_cell(cell_t *cell, connection_t *conn)
} }
debug(LD_OR,"success: handed off onionskin."); debug(LD_OR,"success: handed off onionskin.");
} else { } else {
/* This is a CREATE_FAST cell; we can handle it immediately without using
* a CPU worker.*/
char keys[CPATH_KEY_MATERIAL_LEN]; char keys[CPATH_KEY_MATERIAL_LEN];
char reply[DIGEST_LEN*2]; char reply[DIGEST_LEN*2];
tor_assert(cell->command == CELL_CREATE_FAST); tor_assert(cell->command == CELL_CREATE_FAST);


@ -344,68 +344,81 @@ onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
return 0; return 0;
} }
/** DOCDOC */ /** Implement the server side of the CREATE_FAST abbreviated handshake. The
* client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x"). We
* generate a reply of DIGEST_LEN*2 bytes in <b>key_out/b>, consisting of a
* new random "y", followed by H(x|y) to check for correctness. We set
* <b>key_out_len</b> bytes of key material in <b>key_out</b>.
* Return 0 on success, <0 on failure.
**/
int int
fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */ fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */
char *handshake_reply_out, /* DIGEST_LEN*2 bytes */ char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
char *key_out, char *key_out,
size_t key_out_len) size_t key_out_len)
{ {
char tmp[DIGEST_LEN+DIGEST_LEN+1]; char tmp[DIGEST_LEN+DIGEST_LEN];
char digest[DIGEST_LEN]; char *out;
int i; size_t out_len;
if (crypto_rand(handshake_reply_out, DIGEST_LEN)<0) if (crypto_rand(handshake_reply_out, DIGEST_LEN)<0)
return -1; return -1;
memcpy(tmp, key_in, DIGEST_LEN); memcpy(tmp, key_in, DIGEST_LEN);
memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN); memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
tmp[DIGEST_LEN+DIGEST_LEN] = 0; out_len = key_out_len+DIGEST_LEN;
crypto_digest(handshake_reply_out+DIGEST_LEN, tmp, sizeof(tmp)); out = tor_malloc(out_len);
if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) {
for (i = 0; i*DIGEST_LEN < (int)key_out_len; ++i) { tor_free(out);
size_t len; return -1;
tmp[DIGEST_LEN+DIGEST_LEN] = i+1;
crypto_digest(digest, tmp, sizeof(tmp));
len = key_out_len - i*DIGEST_LEN;
if (len > DIGEST_LEN) len = DIGEST_LEN;
memcpy(key_out+i*DIGEST_LEN, digest, len);
} }
memcpy(handshake_reply_out+DIGEST_LEN, out, DIGEST_LEN);
memcpy(key_out, out+DIGEST_LEN, key_out_len);
memset(tmp, 0, sizeof(tmp));
memset(out, 0, out_len);
tor_free(out);
return 0; return 0;
} }
/** DOCDOC */ /** Implement the second half of the client side of the CREATE_FAST handshake.
* We sent the server <b>handshake_state</b> ("x") already, and the server
* told us <b>handshake_reply_out</b> (y|H(x|y)). Make sure that the hash is
* correct, and generate key material in <b>key_out</b>. Return 0 on success,
* true on failure.
*
* NOTE: The "CREATE_FAST" handshake path is distinguishable from regular
* "onionskin" handshakes, and is not secure if an adversary can see or modify
* the messages. Therefore, it should only be used by clients, and only as
* the first hop of a circuit (since the first hop is already authenticated
* and protected by TLS).
*/
int int
fast_client_handshake(const char *handshake_state, /* DIGEST_LEN bytes */ fast_client_handshake(const char *handshake_state, /* DIGEST_LEN bytes */
const char *handshake_reply_out, /* DIGEST_LEN*2 bytes */ const char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
char *key_out, char *key_out,
size_t key_out_len) size_t key_out_len)
{ {
char tmp[DIGEST_LEN+DIGEST_LEN+1]; char tmp[DIGEST_LEN+DIGEST_LEN];
char digest[DIGEST_LEN]; char *out;
int i; size_t out_len;
memcpy(tmp, handshake_state, DIGEST_LEN); memcpy(tmp, handshake_state, DIGEST_LEN);
memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN); memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
tmp[DIGEST_LEN+DIGEST_LEN] = 0; out_len = key_out_len+DIGEST_LEN;
crypto_digest(digest, tmp, sizeof(tmp)); out = tor_malloc(out_len);
if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) {
if (memcmp(digest, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) { tor_free(out);
return -1;
}
if (memcmp(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
/* H(K) does *not* match. Something fishy. */ /* H(K) does *not* match. Something fishy. */
warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. Bug or attack."); warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. Bug or attack.");
return -1; return -1;
} }
memcpy(key_out, out+DIGEST_LEN, key_out_len);
for (i = 0; i*DIGEST_LEN < (int)key_out_len; ++i) { memset(tmp, 0, sizeof(tmp));
size_t len; memset(out, 0, out_len);
tmp[DIGEST_LEN+DIGEST_LEN] = i+1; tor_free(out);
crypto_digest(digest, tmp, sizeof(tmp));
len = key_out_len - i*DIGEST_LEN;
if (len > DIGEST_LEN) len = DIGEST_LEN;
memcpy(key_out+i*DIGEST_LEN, digest, len);
}
return 0; return 0;
} }
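Review bot: In fast_client_handshake the digest-mismatch path (`warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. Bug or attack.");` followed by `return -1;`) returns without freeing `out`, which was allocated just above with `tor_malloc(out_len)`, so a first hop that answers with a bad CREATED_FAST body makes the client leak `key_out_len+DIGEST_LEN` bytes per attempt; add `memset(out, 0, out_len); tor_free(out);` before that return. The `crypto_expand_key_material` failure paths in both functions free `out` without wiping it although it may already hold derived key blocks, and `tmp` (x|y) is never wiped on any early-return path, so those exits should wipe as well. A plain `memset` immediately before `tor_free` or return is a dead store the optimizer may drop, so the wipes added at the ends of both functions should go through a helper it cannot elide. In the new doc comments, `<b>key_out/b>` in fast_server_handshake should read `<b>handshake_reply_out</b>` (the reply, not the key material, is what receives the DIGEST_LEN*2 bytes), and fast_client_handshake's `Return 0 on success, true on failure.` should say `-1 on failure`, matching the code.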


@ -924,6 +924,11 @@ typedef struct crypt_path_t {
/** Current state of Diffie-Hellman key negotiation with the OR at this /** Current state of Diffie-Hellman key negotiation with the OR at this
* step. */ * step. */
crypto_dh_env_t *dh_handshake_state; crypto_dh_env_t *dh_handshake_state;
/** Current state of 'fast' (non-PK) key negotiation with the OR at this
* step. Used to save CPU when TLS is already providing all the
* authentication, secrecy, and integrity we need, and we're already
* distinguishable from an OR.
*/
char fast_handshake_state[DIGEST_LEN]; char fast_handshake_state[DIGEST_LEN];
/** Negotiated key material shared with the OR at this step. */ /** Negotiated key material shared with the OR at this step. */
char handshake_digest[DIGEST_LEN];/* KH in tor-spec.txt */ char handshake_digest[DIGEST_LEN];/* KH in tor-spec.txt */