tor-commits January 2013

tor-commits@lists.torproject.org

19 participants
1125 discussions

[tor/master] Add reference implementation for ntor, plus compatibility test
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit c46ff3ec79420a6d94207cbe0d4e4d08208ccc4c Author: Nick Mathewson <nickm(a)torproject.org> Date: Sat Dec 8 00:52:44 2012 -0500 Add reference implementation for ntor, plus compatibility test Before I started coding ntor in C, I did another one in Python. Turns out, they interoperate just fine. --- src/or/onion_ntor.c | 18 +-- src/or/onion_ntor.h | 19 +++ src/test/include.am | 13 ++ src/test/ntor_ref.py | 387 +++++++++++++++++++++++++++++++++++++++++++++++ src/test/test_ntor_cl.c | 166 ++++++++++++++++++++ 5 files changed, 587 insertions(+), 16 deletions(-) diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c index 3f4faf3..8eab55a 100644 --- a/src/or/onion_ntor.c +++ b/src/or/onion_ntor.c @@ -3,26 +3,12 @@ #include "orconfig.h" -#include "onion_ntor.h" #include "crypto.h" +#define ONION_NTOR_PRIVATE +#include "onion_ntor.h" #include "torlog.h" #include "util.h" -/** Storage held by a client while waiting for an ntor reply from a server. */ -struct ntor_handshake_state_t { - /** Identity digest of the router we're talking to. */ - uint8_t router_id[DIGEST_LEN]; - /** Onion key of the router we're talking to. */ - curve25519_public_key_t pubkey_B; - - /** - * Short-lived keypair for use with this handshake. - * @{ */ - curve25519_secret_key_t seckey_x; - curve25519_public_key_t pubkey_X; - /** @} */ -}; - /** Free storage held in an ntor handshake state. */ void ntor_handshake_state_free(ntor_handshake_state_t *state) diff --git a/src/or/onion_ntor.h b/src/or/onion_ntor.h index a5cceb9..61ff5c0 100644 --- a/src/or/onion_ntor.h +++ b/src/or/onion_ntor.h @@ -38,6 +38,25 @@ int onion_skin_ntor_client_handshake( const uint8_t *handshake_reply, uint8_t *key_out, size_t key_out_len); + +#ifdef ONION_NTOR_PRIVATE + +/** Storage held by a client while waiting for an ntor reply from a server. */ +struct ntor_handshake_state_t { + /** Identity digest of the router we're talking to. */ + uint8_t router_id[DIGEST_LEN]; + /** Onion key of the router we're talking to. */ + curve25519_public_key_t pubkey_B; + + /** + * Short-lived keypair for use with this handshake. + * @{ */ + curve25519_secret_key_t seckey_x; + curve25519_public_key_t pubkey_X; + /** @} */ +}; +#endif + #endif #endif diff --git a/src/test/include.am b/src/test/include.am index e4f2897..f625ab7 100644 --- a/src/test/include.am +++ b/src/test/include.am @@ -53,3 +53,16 @@ src_test_bench_LDADD = src/or/libtor.a src/common/libor.a \ noinst_HEADERS+= \ src/test/test.h +if CURVE25519_ENABLED +noinst_PROGRAMS+= src/test/test-ntor-cl +src_test_test_ntor_cl_SOURCES = src/test/test_ntor_cl.c +src_test_test_ntor_cl_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ +src_test_test_ntor_cl_LDADD = src/or/libtor.a src/common/libor.a \ + src/common/libor-crypto.a $(LIBDONNA) \ + @TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ \ + @TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ +src_test_test_ntor_cl_AM_CPPFLAGS = \ + -I"$(top_srcdir)/src/or" + +endif + diff --git a/src/test/ntor_ref.py b/src/test/ntor_ref.py new file mode 100644 index 0000000..6133be1 --- /dev/null +++ b/src/test/ntor_ref.py @@ -0,0 +1,387 @@ +# Copyright 2012 The Tor Project, Inc +# See LICENSE for licensing information + +""" +ntor_ref.py + + +This module is a reference implementation for the "ntor" protocol +s proposed by Goldberg, Stebila, and Ustaoglu and as instantiated in +Tor Proposal 216. + +It's meant to be used to validate Tor's ntor implementation. It +requirs the curve25519 python module from the curve25519-donna +package. + + *** DO NOT USE THIS IN PRODUCTION. *** + +commands: + + gen_kdf_vectors: Print out some test vectors for the RFC5869 KDF. + timing: Print a little timing information about this implementation's + handshake. + self-test: Try handshaking with ourself; make sure we can. + test-tor: Handshake with tor's ntor implementation via the program + src/test/test-ntor-cl; make sure we can. + +""" + +import binascii +import curve25519 +import hashlib +import hmac +import subprocess + +# ********************************************************************** +# Helpers and constants + +def HMAC(key,msg): + "Return the HMAC-SHA256 of 'msg' using the key 'key'." + H = hmac.new(key, "", hashlib.sha256) + H.update(msg) + return H.digest() + +def H(msg,tweak): + """Return the hash of 'msg' using tweak 'tweak'. (In this version of ntor, + the tweaked hash is just HMAC with the tweak as the key.)""" + return HMAC(key=tweak, + msg=msg) + +def keyid(k): + """Return the 32-byte key ID of a public key 'k'. (Since we're + using curve25519, we let k be its own keyid.) + """ + return k.serialize() + +NODE_ID_LENGTH = 20 +KEYID_LENGTH = 32 +G_LENGTH = 32 +H_LENGTH = 32 + +PROTOID = b"ntor-curve25519-sha256-1" +M_EXPAND = PROTOID + ":key_expand" +T_MAC = PROTOID + ":mac" +T_KEY = PROTOID + ":key_extract" +T_VERIFY = PROTOID + ":verify" + +def H_mac(msg): return H(msg, tweak=T_MAC) +def H_verify(msg): return H(msg, tweak=T_VERIFY) + +class PrivateKey(curve25519.keys.Private): + """As curve25519.keys.Private, but doesn't regenerate its public key + every time you ask for it. + """ + def __init__(self): + curve25519.keys.Private.__init__(self) + self._memo_public = None + + def get_public(self): + if self._memo_public is None: + self._memo_public = curve25519.keys.Private.get_public(self) + + return self._memo_public + +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +def kdf_rfc5869(key, salt, info, n): + + prk = HMAC(key=salt, msg=key) + + out = b"" + last = b"" + i = 1 + while len(out) < n: + m = last + info + chr(i) + last = h = HMAC(key=prk, msg=m) + out += h + i = i + 1 + return out[:n] + +def kdf_ntor(key, n): + return kdf_rfc5869(key, T_KEY, M_EXPAND, n) + +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +def client_part1(node_id, pubkey_B): + """Initial handshake, client side. + + From the specification: + + <<To send a create cell, the client generates a keypair x,X = + KEYGEN(), and sends a CREATE cell with contents: + + NODEID: ID -- ID_LENGTH bytes + KEYID: KEYID(B) -- H_LENGTH bytes + CLIENT_PK: X -- G_LENGTH bytes + >> + + Takes node_id -- a digest of the server's identity key, + pubkey_B -- a public key for the server. + Returns a tuple of (client secret key x, client->server message)""" + + assert len(node_id) == NODE_ID_LENGTH + + key_id = keyid(pubkey_B) + seckey_x = PrivateKey() + pubkey_X = seckey_x.get_public().serialize() + + message = node_id + key_id + pubkey_X + + assert len(message) == NODE_ID_LENGTH + H_LENGTH + H_LENGTH + return seckey_x , message + +def hash_nil(x): + """Identity function: if we don't pass a hash function that does nothing, + the curve25519 python lib will try to sha256 it for us.""" + return x + +def bad_result(r): + """Helper: given a result of multiplying a public key by a private key, + return True iff one of the inputs was broken""" + assert len(r) == 32 + return r == '\x00'*32 + +def server(seckey_b, my_node_id, message, keyBytes=72): + """Handshake step 2, server side. + + From the spec: + + << + The server generates a keypair of y,Y = KEYGEN(), and computes + + secret_input = EXP(X,y) | EXP(X,b) | ID | B | X | Y | PROTOID + KEY_SEED = H(secret_input, t_key) + verify = H(secret_input, t_verify) + auth_input = verify | ID | B | Y | X | PROTOID | "Server" + + The server sends a CREATED cell containing: + + SERVER_PK: Y -- G_LENGTH bytes + AUTH: H(auth_input, t_mac) -- H_LENGTH byets + >> + + Takes seckey_b -- the server's secret key + my_node_id -- the servers's public key digest, + message -- a message from a client + keybytes -- amount of key material to generate + + Returns a tuple of (key material, sever->client reply), or None on + error. + """ + + assert len(message) == NODE_ID_LENGTH + H_LENGTH + H_LENGTH + + if my_node_id != message[:NODE_ID_LENGTH]: + return None + + badness = (keyid(seckey_b.get_public()) != + message[NODE_ID_LENGTH:NODE_ID_LENGTH+H_LENGTH]) + + pubkey_X = curve25519.keys.Public(message[NODE_ID_LENGTH+H_LENGTH:]) + seckey_y = PrivateKey() + pubkey_Y = seckey_y.get_public() + pubkey_B = seckey_b.get_public() + xy = seckey_y.get_shared_key(pubkey_X, hash_nil) + xb = seckey_b.get_shared_key(pubkey_X, hash_nil) + + # secret_input = EXP(X,y) | EXP(X,b) | ID | B | X | Y | PROTOID + secret_input = (xy + xb + my_node_id + + pubkey_B.serialize() + + pubkey_X.serialize() + + pubkey_Y.serialize() + + PROTOID) + + verify = H_verify(secret_input) + + # auth_input = verify | ID | B | Y | X | PROTOID | "Server" + auth_input = (verify + + my_node_id + + pubkey_B.serialize() + + pubkey_Y.serialize() + + pubkey_X.serialize() + + PROTOID + + "Server") + + msg = pubkey_Y.serialize() + H_mac(auth_input) + + badness += bad_result(xb) + badness += bad_result(xy) + + if badness: + return None + + keys = kdf_ntor(secret_input, keyBytes) + + return keys, msg + +def client_part2(seckey_x, msg, node_id, pubkey_B, keyBytes=72): + """Handshake step 3: client side again. + + From the spec: + + << + The client then checks Y is in G^* [see NOTE below], and computes + + secret_input = EXP(Y,x) | EXP(B,x) | ID | B | X | Y | PROTOID + KEY_SEED = H(secret_input, t_key) + verify = H(secret_input, t_verify) + auth_input = verify | ID | B | Y | X | PROTOID | "Server" + + The client verifies that AUTH == H(auth_input, t_mac). + >> + + Takes seckey_x -- the secret key we generated in step 1. + msg -- the message from the server. + node_id -- the node_id we used in step 1. + server_key -- the same public key we used in step 1. + keyBytes -- the number of bytes we want to generate + Returns key material, or None on error + + """ + assert len(msg) == G_LENGTH + H_LENGTH + + pubkey_Y = curve25519.keys.Public(msg[:G_LENGTH]) + their_auth = msg[G_LENGTH:] + + pubkey_X = seckey_x.get_public() + + yx = seckey_x.get_shared_key(pubkey_Y, hash_nil) + bx = seckey_x.get_shared_key(pubkey_B, hash_nil) + + + # secret_input = EXP(Y,x) | EXP(B,x) | ID | B | X | Y | PROTOID + secret_input = (yx + bx + node_id + + pubkey_B.serialize() + + pubkey_X.serialize() + + pubkey_Y.serialize() + PROTOID) + + verify = H_verify(secret_input) + + # auth_input = verify | ID | B | Y | X | PROTOID | "Server" + auth_input = (verify + node_id + + pubkey_B.serialize() + + pubkey_Y.serialize() + + pubkey_X.serialize() + PROTOID + + "Server") + + my_auth = H_mac(auth_input) + + badness = my_auth != their_auth + badness = bad_result(yx) + bad_result(bx) + + if badness: + return None + + return kdf_ntor(secret_input, keyBytes) + +# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +def demo(node_id="iToldYouAboutStairs.", server_key=PrivateKey()): + """ + Try to handshake with ourself. + """ + x, create = client_part1(node_id, server_key.get_public()) + skeys, created = server(server_key, node_id, create) + ckeys = client_part2(x, created, node_id, server_key.get_public()) + assert len(skeys) == 72 + assert len(ckeys) == 72 + assert skeys == ckeys + +# ====================================================================== +def timing(): + """ + Use Python's timeit module to see how fast this nonsense is + """ + import timeit + t = timeit.Timer(stmt="ntor_ref.demo(N,SK)", + setup="import ntor_ref,curve25519;N='ABCD'*5;SK=ntor_ref.PrivateKey()") + print t.timeit(number=1000) + +# ====================================================================== + +def kdf_vectors(): + """ + Generate some vectors to check our KDF. + """ + import binascii + def kdf_vec(inp): + k = kdf(inp, T_KEY, M_EXPAND, 100) + print repr(inp), "\n\""+ binascii.b2a_hex(k)+ "\"" + kdf_vec("") + kdf_vec("Tor") + kdf_vec("AN ALARMING ITEM TO FIND ON YOUR CREDIT-RATING STATEMENT") + +# ====================================================================== + + +def test_tor(): + """ + Call the test-ntor-cl command-line program to make sure we can + interoperate with Tor's ntor program + """ + enhex=binascii.b2a_hex + dehex=lambda s: binascii.a2b_hex(s.strip()) + + PROG = "./src/test/test-ntor-cl" + def tor_client1(node_id, pubkey_B): + " returns (msg, state) " + p = subprocess.Popen([PROG, "client1", enhex(node_id), + enhex(pubkey_B.serialize())], + stdout=subprocess.PIPE) + return map(dehex, p.stdout.readlines()) + def tor_server1(seckey_b, node_id, msg, n): + " returns (msg, keys) " + p = subprocess.Popen([PROG, "server1", enhex(seckey_b.serialize()), + enhex(node_id), enhex(msg), str(n)], + stdout=subprocess.PIPE) + return map(dehex, p.stdout.readlines()) + def tor_client2(state, msg, n): + " returns (keys,) " + p = subprocess.Popen([PROG, "client2", enhex(state), + enhex(msg), str(n)], + stdout=subprocess.PIPE) + return map(dehex, p.stdout.readlines()) + + + node_id = "thisisatornodeid$#%^" + seckey_b = PrivateKey() + pubkey_B = seckey_b.get_public() + + # Do a pure-Tor handshake + c2s_msg, c_state = tor_client1(node_id, pubkey_B) + s2c_msg, s_keys = tor_server1(seckey_b, node_id, c2s_msg, 90) + c_keys, = tor_client2(c_state, s2c_msg, 90) + assert c_keys == s_keys + assert len(c_keys) == 90 + + # Try a mixed handshake with Tor as the client + c2s_msg, c_state = tor_client1(node_id, pubkey_B) + s_keys, s2c_msg = server(seckey_b, node_id, c2s_msg, 90) + c_keys, = tor_client2(c_state, s2c_msg, 90) + assert c_keys == s_keys + assert len(c_keys) == 90 + + # Now do a mixed handshake with Tor as the server + c_x, c2s_msg = client_part1(node_id, pubkey_B) + s2c_msg, s_keys = tor_server1(seckey_b, node_id, c2s_msg, 90) + c_keys = client_part2(c_x, s2c_msg, node_id, pubkey_B, 90) + assert c_keys == s_keys + assert len(c_keys) == 90 + + print "We just interoperated." + +# ====================================================================== + +if __name__ == '__main__': + import sys + if sys.argv[1] == 'gen_kdf_vectors': + kdf_vectors() + elif sys.argv[1] == 'timing': + timing() + elif sys.argv[1] == 'self-test': + demo() + elif sys.argv[1] == 'test-tor': + test_tor() + + else: + print __doc__ diff --git a/src/test/test_ntor_cl.c b/src/test/test_ntor_cl.c new file mode 100644 index 0000000..6e6bd21 --- /dev/null +++ b/src/test/test_ntor_cl.c @@ -0,0 +1,166 @@ +/* Copyright (c) 2012, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +#include "orconfig.h" +#include <stdio.h> +#include <stdlib.h> + +#define ONION_NTOR_PRIVATE +#include "or.h" +#include "util.h" +#include "compat.h" +#include "crypto.h" +#include "crypto_curve25519.h" +#include "onion_ntor.h" + +#ifndef CURVE25519_ENABLED +#error "This isn't going to work without curve25519." +#endif + +#define N_ARGS(n) STMT_BEGIN { \ + if (argc < (n)) { \ + fprintf(stderr, "%s needs %d arguments.\n",argv[1],n); \ + return 1; \ + } \ + } STMT_END +#define BASE16(idx, var, n) STMT_BEGIN { \ + const char *s = argv[(idx)]; \ + if (base16_decode((char*)var, n, s, strlen(s)) < 0 ) { \ + fprintf(stderr, "couldn't decode argument %d (%s)\n",idx,s); \ + return 1; \ + } \ + } STMT_END +#define INT(idx, var) STMT_BEGIN { \ + var = atoi(argv[(idx)]); \ + if (var <= 0) { \ + fprintf(stderr, "bad integer argument %d (%s)\n",idx,argv[(idx)]); \ + } \ + } STMT_END + +static int +client1(int argc, char **argv) +{ + /* client1 nodeID B -> msg state */ + curve25519_public_key_t B; + uint8_t node_id[DIGEST_LEN]; + ntor_handshake_state_t *state; + uint8_t msg[NTOR_ONIONSKIN_LEN]; + + char buf[1024]; + + memset(&state, 0, sizeof(state)); + + N_ARGS(4); + BASE16(2, node_id, DIGEST_LEN); + BASE16(3, B.public_key, CURVE25519_PUBKEY_LEN); + + if (onion_skin_ntor_create(node_id, &B, &state, msg)<0) { + fprintf(stderr, "handshake failed"); + return 2; + } + + base16_encode(buf, sizeof(buf), (const char*)msg, sizeof(msg)); + printf("%s\n", buf); + base16_encode(buf, sizeof(buf), (void*)state, sizeof(*state)); + printf("%s\n", buf); + ntor_handshake_state_free(state); + return 0; +} + +static int +server1(int argc, char **argv) +{ + uint8_t msg_in[NTOR_ONIONSKIN_LEN]; + curve25519_keypair_t kp; + di_digest256_map_t *keymap=NULL; + uint8_t node_id[DIGEST_LEN]; + int keybytes; + + uint8_t msg_out[NTOR_REPLY_LEN]; + uint8_t *keys; + char *hexkeys; + + char buf[256]; + + /* server1: b nodeID msg N -> msg keys */ + N_ARGS(6); + BASE16(2, kp.seckey.secret_key, CURVE25519_SECKEY_LEN); + BASE16(3, node_id, DIGEST_LEN); + BASE16(4, msg_in, NTOR_ONIONSKIN_LEN); + INT(5, keybytes); + + curve25519_public_key_generate(&kp.pubkey, &kp.seckey); + dimap_add_entry(&keymap, kp.pubkey.public_key, &kp); + + keys = tor_malloc(keybytes); + hexkeys = tor_malloc(keybytes*2+1); + if (onion_skin_ntor_server_handshake( + msg_in, keymap, NULL, node_id, msg_out, keys, + (size_t)keybytes)<0) { + fprintf(stderr, "handshake failed"); + return 2; + } + + base16_encode(buf, sizeof(buf), (const char*)msg_out, sizeof(msg_out)); + printf("%s\n", buf); + base16_encode(hexkeys, keybytes*2+1, (const char*)keys, keybytes); + printf("%s\n", hexkeys); + + tor_free(keys); + tor_free(hexkeys); + return 0; +} + +static int +client2(int argc, char **argv) +{ + struct ntor_handshake_state_t state; + uint8_t msg[NTOR_REPLY_LEN]; + int keybytes; + uint8_t *keys; + char *hexkeys; + + N_ARGS(5); + BASE16(2, (&state), sizeof(state)); + BASE16(3, msg, sizeof(msg)); + INT(4, keybytes); + + keys = tor_malloc(keybytes); + hexkeys = tor_malloc(keybytes*2+1); + if (onion_skin_ntor_client_handshake(&state, msg, keys, keybytes)<0) { + fprintf(stderr, "handshake failed"); + return 2; + } + + base16_encode(hexkeys, keybytes*2+1, (const char*)keys, keybytes); + printf("%s\n", hexkeys); + + tor_free(keys); + tor_free(hexkeys); + + return 0; +} + +int +main(int argc, char **argv) +{ + /* + client1: nodeID B -> msg state + server1: b nodeID msg N -> msg keys + client2: state msg N -> keys + */ + if (argc < 2) { + fprintf(stderr, "I need arguments. Read source for more info.\n"); + return 1; + } else if (!strcmp(argv[1], "client1")) { + return client1(argc, argv); + } else if (!strcmp(argv[1], "server1")) { + return server1(argc, argv); + } else if (!strcmp(argv[1], "client2")) { + return client2(argc, argv); + } else { + fprintf(stderr, "What's a %s?\n", argv[1]); + return 1; + } +} +

1 0

[tor/master] Enable handling of create2/extend2/created2/extended2
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit ecf88b16b8672c8b734d13d84910e97357c470a8 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Dec 6 00:28:01 2012 -0500 Enable handling of create2/extend2/created2/extended2 --- src/or/command.c | 2 ++ src/or/relay.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletions(-) diff --git a/src/or/command.c b/src/or/command.c index 773d19c..7d1f53a 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -133,11 +133,13 @@ command_process_cell(channel_t *chan, cell_t *cell) switch (cell->command) { case CELL_CREATE: case CELL_CREATE_FAST: + case CELL_CREATE2: ++stats_n_create_cells_processed; PROCESS_CELL(create, cell, chan); break; case CELL_CREATED: case CELL_CREATED_FAST: + case CELL_CREATED2: ++stats_n_created_cells_processed; PROCESS_CELL(created, cell, chan); break; diff --git a/src/or/relay.c b/src/or/relay.c index d0c8c22..5d87b27 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1256,7 +1256,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, connection_mark_and_flush(TO_CONN(conn)); } return 0; - case RELAY_COMMAND_EXTEND: { + case RELAY_COMMAND_EXTEND: + case RELAY_COMMAND_EXTEND2: { static uint64_t total_n_extend=0, total_nonearly=0; total_n_extend++; if (rh.stream_id) { @@ -1291,6 +1292,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, return circuit_extend(cell, circ); } case RELAY_COMMAND_EXTENDED: + case RELAY_COMMAND_EXTENDED2: if (!layer_hint) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "'extended' unsupported at non-origin. Dropping.");

1 0

[tor/master] Update our copy of curve25519-donna-c64.
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit 463e9378df7eaa07a895da34dc10d3c336760f09 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Dec 7 12:45:46 2012 -0500 Update our copy of curve25519-donna-c64. This now matches upstream at version 59a896970a1ad0a6cd7d0. (Adam took my patches.) --- src/ext/README | 3 +-- src/ext/curve25519_donna/curve25519-donna-c64.c | 9 +++------ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/src/ext/README b/src/ext/README index 8147691..cd23f29 100644 --- a/src/ext/README +++ b/src/ext/README @@ -39,5 +39,4 @@ tor_queue.h curve25519_donna/*.c A copy of Adam Langley's curve25519-donna mostly-portable - implementations of curve25519, with a couple of portability - changes which Adam hasn't merged yet. + implementations of curve25519. diff --git a/src/ext/curve25519_donna/curve25519-donna-c64.c b/src/ext/curve25519_donna/curve25519-donna-c64.c index 38b94e7..9ebd8a1 100644 --- a/src/ext/curve25519_donna/curve25519-donna-c64.c +++ b/src/ext/curve25519_donna/curve25519-donna-c64.c @@ -188,8 +188,7 @@ fsquare_times(felem output, const felem in, limb count) { /* Load a little-endian 64-bit number */ static limb -load_limb(const u8 *in) -{ +load_limb(const u8 *in) { return ((limb)in[0]) | (((limb)in[1]) << 8) | @@ -202,8 +201,7 @@ load_limb(const u8 *in) } static void -store_limb(u8 *out, limb in) -{ +store_limb(u8 *out, limb in) { out[0] = in & 0xff; out[1] = (in >> 8) & 0xff; out[2] = (in >> 16) & 0xff; @@ -216,8 +214,7 @@ store_limb(u8 *out, limb in) /* Take a little-endian, 32-byte number and expand it into polynomial form */ static void -fexpand(limb *output, const u8 *in) -{ +fexpand(limb *output, const u8 *in) { output[0] = load_limb(in) & 0x7ffffffffffff; output[1] = (load_limb(in+6) >> 3) & 0x7ffffffffffff; output[2] = (load_limb(in+12) >> 6) & 0x7ffffffffffff;

1 0

[tor/master] Enable the ntor handshake on the client side.
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit b2863739083125d332cf1166ae6b095df7d0f155 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Dec 6 01:53:29 2012 -0500 Enable the ntor handshake on the client side. "works for me" --- src/or/channeltls.c | 2 + src/or/circuitbuild.c | 103 ++++++++++++++++++++++++++++++++++++++++++++---- src/or/circuitbuild.h | 5 +- src/or/circuituse.c | 4 +- src/or/config.c | 1 + src/or/entrynodes.c | 2 +- src/or/nodelist.c | 12 ++++++ src/or/nodelist.h | 1 + src/or/or.h | 5 ++ src/or/relay.c | 4 +- src/or/router.c | 3 +- src/or/routerparse.c | 2 + 12 files changed, 128 insertions(+), 16 deletions(-) diff --git a/src/or/channeltls.c b/src/or/channeltls.c index ede2458..f6069e0 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -914,6 +914,8 @@ channel_tls_handle_cell(cell_t *cell, or_connection_t *conn) case CELL_RELAY: case CELL_RELAY_EARLY: case CELL_DESTROY: + case CELL_CREATE2: + case CELL_CREATED2: /* * These are all transport independent and we pass them up through the * channel_t mechanism. They are ultimately handled in command.c. diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index b7ab47f..9300b04 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -604,6 +604,73 @@ circuit_timeout_want_to_count_circ(origin_circuit_t *circ) && circ->build_state->desired_path_len == DEFAULT_ROUTE_LEN; } +#ifdef CURVE25519_ENABLED +/** Return true if the ntor handshake is enabled in the configuration, or if + * it's been set to "auto" in the configuration and it's enabled in the + * consensus. */ +static int +circuits_can_use_ntor(void) +{ + const or_options_t *options = get_options(); + if (options->UseNTorHandshake != -1) + return options->UseNTorHandshake; + return networkstatus_get_param(NULL, "UseNTorHandshake", 0, 0, 1); +} +#endif + +/** Decide whether to use a TAP or ntor handshake for connecting to ei + * directly, and set *cell_type_out and *handshake_type_out + * accordingly. */ +static void +circuit_pick_create_handshake(uint8_t *cell_type_out, + uint16_t *handshake_type_out, + const extend_info_t *ei) +{ +#ifdef CURVE25519_ENABLED + if (!tor_mem_is_zero((const char*)ei->curve25519_onion_key.public_key, + CURVE25519_PUBKEY_LEN) && + circuits_can_use_ntor()) { + *cell_type_out = CELL_CREATE2; + *handshake_type_out = ONION_HANDSHAKE_TYPE_NTOR; + return; + } +#else + (void) ei; +#endif + + *cell_type_out = CELL_CREATE; + *handshake_type_out = ONION_HANDSHAKE_TYPE_TAP; +} + +/** Decide whether to use a TAP or ntor handshake for connecting to ei + * directly, and set *handshake_type_out accordingly. Decide whether, + * in extending through node to do so, we should use an EXTEND2 or an + * EXTEND cell to do so, and set *cell_type_out and + * *create_cell_type_out accordingly. */ +static void +circuit_pick_extend_handshake(uint8_t *cell_type_out, + uint8_t *create_cell_type_out, + uint16_t *handshake_type_out, + const node_t *node_prev, + const extend_info_t *ei) +{ + uint8_t t; + circuit_pick_create_handshake(&t, handshake_type_out, ei); + /* XXXX024 The check for whether the node has a curve25519 key is a bad + * proxy for whether it can do extend2 cells; once a version that + * handles extend2 cells is out, remove it. */ + if (node_prev && + *handshake_type_out != ONION_HANDSHAKE_TYPE_TAP && + (node_has_curve25519_onion_key(node_prev) || + (node_prev->rs && node_prev->rs->version_supports_extend2_cells))) { + *cell_type_out = RELAY_COMMAND_EXTEND2; + *create_cell_type_out = CELL_CREATE2; + } else { + *cell_type_out = RELAY_COMMAND_EXTEND; + *create_cell_type_out = CELL_CREATE; + } +} + /** This is the backbone function for building circuits. * * If circ's first hop is closed, then we need to build a create @@ -638,10 +705,10 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) fast = should_use_create_fast_for_circuit(circ); if (!fast) { /* We are an OR and we know the right onion key: we should - * send an old slow create cell. + * send a create cell. */ - cc.cell_type = CELL_CREATE; - cc.handshake_type = ONION_HANDSHAKE_TYPE_TAP; + circuit_pick_create_handshake(&cc.cell_type, &cc.handshake_type, + circ->cpath->extend_info); note_request("cell: create", 1); } else { /* We are not an OR, and we're building the first hop of a circuit to a @@ -747,15 +814,21 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) return - END_CIRC_REASON_INTERNAL; } - ec.cell_type = RELAY_COMMAND_EXTEND; + { + const node_t *prev_node; + prev_node = node_get_by_id(hop->prev->extend_info->identity_digest); + circuit_pick_extend_handshake(&ec.cell_type, + &ec.create_cell.cell_type, + &ec.create_cell.handshake_type, + prev_node, + hop->extend_info); + } + tor_addr_copy(&ec.orport_ipv4.addr, &hop->extend_info->addr); ec.orport_ipv4.port = hop->extend_info->port; tor_addr_make_unspec(&ec.orport_ipv6.addr); memcpy(ec.node_id, hop->extend_info->identity_digest, DIGEST_LEN); - ec.create_cell.handshake_type = ONION_HANDSHAKE_TYPE_TAP; - ec.create_cell.cell_type = CELL_CREATE; - len = onion_skin_create(ec.create_cell.handshake_type, hop->extend_info, &hop->handshake_state, @@ -903,6 +976,7 @@ circuit_extend(cell_t *cell, circuit_t *circ) circ->n_hop = extend_info_new(NULL /*nickname*/, (const char*)ec.node_id, NULL /*onion_key*/, + NULL /*curve25519_key*/, &ec.orport_ipv4.addr, ec.orport_ipv4.port); @@ -938,6 +1012,7 @@ circuit_extend(cell_t *cell, circuit_t *circ) if (circuit_deliver_create_cell(circ, &ec.create_cell, 1) < 0) return -1; + return 0; } @@ -2310,8 +2385,9 @@ onion_append_hop(crypt_path_t **head_ptr, extend_info_t *choice) /** Allocate a new extend_info object based on the various arguments. */ extend_info_t * extend_info_new(const char *nickname, const char *digest, - crypto_pk_t *onion_key, - const tor_addr_t *addr, uint16_t port) + crypto_pk_t *onion_key, + const curve25519_public_key_t *curve25519_key, + const tor_addr_t *addr, uint16_t port) { extend_info_t *info = tor_malloc_zero(sizeof(extend_info_t)); memcpy(info->identity_digest, digest, DIGEST_LEN); @@ -2319,6 +2395,13 @@ extend_info_new(const char *nickname, const char *digest, strlcpy(info->nickname, nickname, sizeof(info->nickname)); if (onion_key) info->onion_key = crypto_pk_dup_key(onion_key); +#ifdef CURVE25519_ENABLED + if (curve25519_key) + memcpy(&info->curve25519_onion_key, curve25519_key, + sizeof(curve25519_public_key_t)); +#else + (void)curve25519_key; +#endif tor_addr_copy(&info->addr, addr); info->port = port; return info; @@ -2353,12 +2436,14 @@ extend_info_from_node(const node_t *node, int for_direct_connect) return extend_info_new(node->ri->nickname, node->identity, node->ri->onion_pkey, + node->ri->onion_curve25519_pkey, &ap.addr, ap.port); else if (node->rs && node->md) return extend_info_new(node->rs->nickname, node->identity, node->md->onion_pkey, + node->md->onion_curve25519_pkey, &ap.addr, ap.port); else diff --git a/src/or/circuitbuild.h b/src/or/circuitbuild.h index 23213e8..d4f7926 100644 --- a/src/or/circuitbuild.h +++ b/src/or/circuitbuild.h @@ -46,8 +46,9 @@ int circuit_append_new_exit(origin_circuit_t *circ, extend_info_t *info); int circuit_extend_to_new_exit(origin_circuit_t *circ, extend_info_t *info); void onion_append_to_cpath(crypt_path_t **head_ptr, crypt_path_t *new_hop); extend_info_t *extend_info_new(const char *nickname, const char *digest, - crypto_pk_t *onion_key, - const tor_addr_t *addr, uint16_t port); + crypto_pk_t *onion_key, + const curve25519_public_key_t *curve25519_key, + const tor_addr_t *addr, uint16_t port); extend_info_t *extend_info_from_node(const node_t *r, int for_direct_connect); extend_info_t *extend_info_dup(extend_info_t *info); void extend_info_free(extend_info_t *info); diff --git a/src/or/circuituse.c b/src/or/circuituse.c index d3cde1d..6a733d6 100644 --- a/src/or/circuituse.c +++ b/src/or/circuituse.c @@ -1577,8 +1577,8 @@ circuit_get_open_circ_or_launch(entry_connection_t *conn, return -1; } extend_info = extend_info_new(conn->chosen_exit_name+1, - digest, NULL, &addr, - conn->socks_request->port); + digest, NULL, NULL, &addr, + conn->socks_request->port); } else { /* We will need an onion key for the router, and we * don't have one. Refuse or relax requirements. */ diff --git a/src/or/config.c b/src/or/config.c index 75f6193..979d09c 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -383,6 +383,7 @@ static config_var_t option_vars_[] = { V(UseBridges, BOOL, "0"), V(UseEntryGuards, BOOL, "1"), V(UseMicrodescriptors, AUTOBOOL, "auto"), + V(UseNTorHandshake, AUTOBOOL, "auto"), V(User, STRING, NULL), V(UserspaceIOCPBuffers, BOOL, "0"), VAR("V1AuthoritativeDirectory",BOOL, V1AuthoritativeDir, "0"), diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c index edb26dc..a4e18d0 100644 --- a/src/or/entrynodes.c +++ b/src/or/entrynodes.c @@ -1502,7 +1502,7 @@ routerset_contains_bridge(const routerset_t *routerset, return 0; extinfo = extend_info_new( - NULL, bridge->identity, NULL, &bridge->addr, bridge->port); + NULL, bridge->identity, NULL, NULL, &bridge->addr, bridge->port); result = routerset_contains_extendinfo(routerset, extinfo); extend_info_free(extinfo); return result; diff --git a/src/or/nodelist.c b/src/or/nodelist.c index 95345fb..fa3828f 100644 --- a/src/or/nodelist.c +++ b/src/or/nodelist.c @@ -916,6 +916,18 @@ node_get_pref_ipv6_orport(const node_t *node, tor_addr_port_t *ap_out) } } +/** Return true iff node has a curve25519 onion key. */ +int +node_has_curve25519_onion_key(const node_t *node) +{ + if (node->ri) + return node->ri->onion_curve25519_pkey != NULL; + else if (node->md) + return node->md->onion_curve25519_pkey != NULL; + else + return 0; +} + /** Refresh the country code of ri. This function MUST be called on * each router when the GeoIP database is reloaded, and on all new routers. */ void diff --git a/src/or/nodelist.h b/src/or/nodelist.h index 13a3847..39f0948 100644 --- a/src/or/nodelist.h +++ b/src/or/nodelist.h @@ -54,6 +54,7 @@ int node_ipv6_preferred(const node_t *node); int node_get_prim_orport(const node_t *node, tor_addr_port_t *ap_out); void node_get_pref_orport(const node_t *node, tor_addr_port_t *ap_out); void node_get_pref_ipv6_orport(const node_t *node, tor_addr_port_t *ap_out); +int node_has_curve25519_onion_key(const node_t *node); smartlist_t *nodelist_get_list(void); diff --git a/src/or/or.h b/src/or/or.h index 66e9054..b5718a8 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2025,6 +2025,9 @@ typedef struct routerstatus_t { /** True iff this router is a version that allows DATA cells to arrive on * a stream before it has sent a CONNECTED cell. */ unsigned int version_supports_optimistic_data:1; + /** True iff this router has a version that allows it to accept EXTEND2 + * cells */ + unsigned int version_supports_extend2_cells:1; unsigned int has_bandwidth:1; /**< The vote/consensus had bw info */ unsigned int has_exitsummary:1; /**< The vote/consensus had exit summaries */ @@ -3799,6 +3802,8 @@ typedef struct { int IPv6Exit; /**< Do we support exiting to IPv6 addresses? */ + /** Autobool: should we use the ntor handshake if we can? */ + int UseNTorHandshake; } or_options_t; /** Persistent state for an onion router, as saved to disk. */ diff --git a/src/or/relay.c b/src/or/relay.c index 5d87b27..ddeec4e 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -572,6 +572,7 @@ relay_send_command_from_edge(streamid_t stream_id, circuit_t *circ, origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ); if (origin_circ->remaining_relay_early_cells > 0 && (relay_command == RELAY_COMMAND_EXTEND || + relay_command == RELAY_COMMAND_EXTEND2 || cpath_layer != origin_circ->cpath)) { /* If we've got any relay_early cells left and (we're sending * an extend cell or we're not talking to the first hop), use @@ -585,7 +586,8 @@ relay_send_command_from_edge(streamid_t stream_id, circuit_t *circ, * task 878. */ origin_circ->relay_early_commands[ origin_circ->relay_early_cells_sent++] = relay_command; - } else if (relay_command == RELAY_COMMAND_EXTEND) { + } else if (relay_command == RELAY_COMMAND_EXTEND || + relay_command == RELAY_COMMAND_EXTEND2) { /* If no RELAY_EARLY cells can be sent over this circuit, log which * commands have been sent as RELAY_EARLY cells before; helps debug * task 878. */ diff --git a/src/or/router.c b/src/or/router.c index 3733bec..a97db85 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -1071,7 +1071,8 @@ extend_info_from_router(const routerinfo_t *r) router_get_prim_orport(r, &ap); return extend_info_new(r->nickname, r->cache_info.identity_digest, - r->onion_pkey, &ap.addr, ap.port); + r->onion_pkey, r->onion_curve25519_pkey, + &ap.addr, ap.port); } /** Some time has passed, or we just got new directory information. diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 17902d9..1be2374 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -2188,6 +2188,8 @@ routerstatus_parse_entry_from_string(memarea_t *area, tor_version_supports_microdescriptors(tok->args[0]); rs->version_supports_optimistic_data = tor_version_as_new_as(tok->args[0], "0.2.3.1-alpha"); + rs->version_supports_extend2_cells = + tor_version_as_new_as(tok->args[0], "0.2.4.7-alpha"); } if (vote_rs) { vote_rs->version = tor_strdup(tok->args[0]);

1 0

[tor/master] changes file for the ntor branch
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit 92d6a83e9895da874eae81e20e14df20231f25bf Author: Nick Mathewson <nickm(a)torproject.org> Date: Sun Dec 16 23:21:27 2012 -0500 changes file for the ntor branch --- changes/ntor | 40 ++++++++++++++++++++++++++++++++++++++++ 1 files changed, 40 insertions(+), 0 deletions(-) diff --git a/changes/ntor b/changes/ntor new file mode 100644 index 0000000..3aca820 --- /dev/null +++ b/changes/ntor @@ -0,0 +1,40 @@ + o Major features: + + - Tor now supports a new circuit extension handshake designed by Ian + Goldberg, Douglas Stebila, and Berkant Ustaoglu. Our original + circuit extension handshake, later called "TAP", was a bit slow + (especially on the server side), had a fragile security proof, and + used weaker keys than we'd now prefer. The new circuit handshake + uses Dan Bernstein's "curve25519" elliptic-curve Diffie-Hellman + function, making it significantly more secure than the older + handshake, and significantly faster. Tor can either use one of two + built-in pure-C curve25519-donna implementations by Adam Langley, + or link against the "nacl" library for a tuned version if present. + + The built-in version is very fast for 64-bit systems building with + GCC. (About 10-14x faster on the server side, and about 7x faster + on the client side.) The built-in 32-bit version is still faster + than the old TAP protocol (about 3x), but using libnacl would be + better on most 32-bit x86 hosts. + + Clients don't currently use this protocol by default, since + comparatively few clients support it so far. To try it, set + UseNTorHandshake to 1. + + Implements proposal 216; closes ticket #7202. + + - Tor servers and clients now support a better CREATE/EXTEND cell + format, allowing the sender to specify multiple address, identity, + and handshake types. Implements Robert Ransom's proposal 200; + closes ticket #7199. + + o Code simplification and refactoring: + - Split the onion.c file into separate modules for the onion queue + and the different handshakes it supports. + - Remove the marshalling/unmarshalling code for sending requests to + cpuworkers over a socket, and instead just send structs. The + recipient will always be the same Tor binary as the sender, so + any encoding is overkill. + + o Testing: + - Add benchmark functions to test onion handshake performance.

1 0

[tor/master] ntor: Don't fail fast server-side on an unrecognized KEYID(B)
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit 839016ac791de98c02ad7eab50092deedde0ad55 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Dec 7 13:40:21 2012 -0500 ntor: Don't fail fast server-side on an unrecognized KEYID(B) --- src/or/onion.c | 4 ++++ src/or/onion.h | 1 + src/or/onion_ntor.c | 17 ++++++++++++----- src/or/onion_ntor.h | 1 + src/test/bench.c | 2 +- src/test/test.c | 3 ++- 6 files changed, 21 insertions(+), 7 deletions(-) diff --git a/src/or/onion.c b/src/or/onion.c index 3f0b0b1..56bc9a3 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -192,6 +192,8 @@ setup_server_onion_keys(server_onion_keys_t *keys) dup_onion_keys(&keys->onion_key, &keys->last_onion_key); #ifdef CURVE25519_ENABLED keys->curve25519_key_map = construct_ntor_key_map(); + keys->junk_keypair = tor_malloc_zero(sizeof(curve25519_keypair_t)); + curve25519_keypair_generate(keys->junk_keypair, 0); #endif } @@ -207,6 +209,7 @@ release_server_onion_keys(server_onion_keys_t *keys) crypto_pk_free(keys->last_onion_key); #ifdef CURVE25519_ENABLED ntor_key_map_free(keys->curve25519_key_map); + tor_free(keys->junk_keypair); #endif memset(keys, 0, sizeof(server_onion_keys_t)); } @@ -345,6 +348,7 @@ onion_skin_server_handshake(int type, if (onion_skin_ntor_server_handshake( onion_skin, keys->curve25519_key_map, + keys->junk_keypair, keys->my_identity, reply_out, keys_tmp, keys_tmp_len)<0) { tor_free(keys_tmp); diff --git a/src/or/onion.h b/src/or/onion.h index e408139..33bf341 100644 --- a/src/or/onion.h +++ b/src/or/onion.h @@ -24,6 +24,7 @@ typedef struct server_onion_keys_t { crypto_pk_t *last_onion_key; #ifdef CURVE25519_ENABLED di_digest256_map_t *curve25519_key_map; + curve25519_keypair_t *junk_keypair; #endif } server_onion_keys_t; diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c index 30d18cc..3f4faf3 100644 --- a/src/or/onion_ntor.c +++ b/src/or/onion_ntor.c @@ -121,14 +121,16 @@ onion_skin_ntor_create(const uint8_t *router_id, * NTOR_ONIONSKIN_LEN-byte message in onion_skin, our own identity * fingerprint as my_node_id, and an associative array mapping public * onion keys to curve25519_keypair_t in private_keys, attempt to - * perform the handshake. Write an NTOR_REPLY_LEN-byte message to send back - * to the client into handshake_reply_out, and generate - * key_out_len bytes of key material in key_out. Return 0 on - * success, -1 on failure. + * perform the handshake. Use junk_keys if present if the handshake + * indicates an unrecognized public key. Write an NTOR_REPLY_LEN-byte + * message to send back to the client into handshake_reply_out, and + * generate key_out_len bytes of key material in key_out. Return + * 0 on success, -1 on failure. */ int onion_skin_ntor_server_handshake(const uint8_t *onion_skin, const di_digest256_map_t *private_keys, + const curve25519_keypair_t *junk_keys, const uint8_t *my_node_id, uint8_t *handshake_reply_out, uint8_t *key_out, @@ -153,9 +155,14 @@ onion_skin_ntor_server_handshake(const uint8_t *onion_skin, /* XXXX Does this possible early-return business threaten our security? */ if (tor_memneq(onion_skin, my_node_id, DIGEST_LEN)) return -1; - keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN, NULL); + /* Note that on key-not-found, we go through with this operation anyway, + * using "junk_keys". This will result in failed authentication, but won't + * leak whether we recognized the key. */ + keypair_bB = dimap_search(private_keys, onion_skin + DIGEST_LEN, + (void*)junk_keys); if (!keypair_bB) return -1; + memcpy(s.pubkey_X.public_key, onion_skin+DIGEST_LEN+DIGEST256_LEN, CURVE25519_PUBKEY_LEN); diff --git a/src/or/onion_ntor.h b/src/or/onion_ntor.h index 80015fd..a5cceb9 100644 --- a/src/or/onion_ntor.h +++ b/src/or/onion_ntor.h @@ -27,6 +27,7 @@ int onion_skin_ntor_create(const uint8_t *router_id, int onion_skin_ntor_server_handshake(const uint8_t *onion_skin, const di_digest256_map_t *private_keys, + const curve25519_keypair_t *junk_keypair, const uint8_t *my_node_id, uint8_t *handshake_reply_out, uint8_t *key_out, diff --git a/src/test/bench.c b/src/test/bench.c index 23560cd..2c40cdf 100644 --- a/src/test/bench.c +++ b/src/test/bench.c @@ -199,7 +199,7 @@ bench_onion_ntor(void) start = perftime(); for (i = 0; i < iters; ++i) { uint8_t key_out[CPATH_KEY_MATERIAL_LEN]; - onion_skin_ntor_server_handshake(os, keymap, nodeid, or, + onion_skin_ntor_server_handshake(os, keymap, NULL, nodeid, or, key_out, sizeof(key_out)); } end = perftime(); diff --git a/src/test/test.c b/src/test/test.c index daac67e..32e0600 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -895,7 +895,8 @@ test_ntor_handshake(void *arg) /* server handshake */ memset(s_buf, 0, NTOR_REPLY_LEN); memset(s_keys, 0, 40); - tt_int_op(0, ==, onion_skin_ntor_server_handshake(c_buf, s_keymap, node_id, + tt_int_op(0, ==, onion_skin_ntor_server_handshake(c_buf, s_keymap, NULL, + node_id, s_buf, s_keys, 400)); /* client handshake 2 */

1 0

[tor/master] Add new ntor bits to gitignore
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit ce57e94728d8bd33474ed20402ba3e1b2456a785 Author: Nick Mathewson <nickm(a)torproject.org> Date: Sat Dec 8 00:57:19 2012 -0500 Add new ntor bits to gitignore --- .gitignore | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/.gitignore b/.gitignore index 8034ae6..f25323e 100644 --- a/.gitignore +++ b/.gitignore @@ -24,6 +24,8 @@ .dirstamp # Stuff made by our makefiles *.bak +# Python droppings +*.pyc # / /Makefile @@ -130,6 +132,8 @@ /src/common/libor-crypto.lib /src/common/libor-event.a /src/common/libor-event.lib +/src/common/libcurve25519_donna.a +/src/common/libcurve25519_donna.lib # /src/config/ /src/config/Makefile @@ -154,9 +158,10 @@ /src/test/bench.exe /src/test/test /src/test/test-child +/src/test/test-ntor-cl /src/test/test.exe /src/test/test-child.exe - +/src/test/test-ntor-cl.exe # /src/tools/ /src/tools/tor-checkkey

1 0

[tor/master] Implement a constant-time safe_mem_is_zero.
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit f07a5125cb5bb9ee5968ded163cfdd73e5ad028c Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Dec 25 22:22:07 2012 -0500 Implement a constant-time safe_mem_is_zero. --- src/common/di_ops.c | 17 +++++++++++++++++ src/common/di_ops.h | 2 ++ src/test/test_util.c | 10 ++++++++++ 3 files changed, 29 insertions(+), 0 deletions(-) diff --git a/src/common/di_ops.c b/src/common/di_ops.c index b73a3cc..e299e31 100644 --- a/src/common/di_ops.c +++ b/src/common/di_ops.c @@ -203,3 +203,20 @@ dimap_search(const di_digest256_map_t *map, const uint8_t *key, return (void *)result; } +/** + * Return true iff the sz bytes at mem are all zero. Runs in + * time independent of the contents of mem. + */ +int +safe_mem_is_zero(const void *mem, size_t sz) +{ + uint32_t total = 0; + const uint8_t *ptr = mem; + + while (sz--) { + total |= *ptr++; + } + + return 1 & ((total - 1) >> 8); +} + diff --git a/src/common/di_ops.h b/src/common/di_ops.h index a86f56c..1444828 100644 --- a/src/common/di_ops.h +++ b/src/common/di_ops.h @@ -27,6 +27,8 @@ int tor_memeq(const void *a, const void *b, size_t sz); #define fast_memeq(a,b,c) (0==memcmp((a),(b),(c))) #define fast_memneq(a,b,c) (0!=memcmp((a),(b),(c))) +int safe_mem_is_zero(const void *mem, size_t sz); + /** A type for a map from DIGEST256_LEN-byte blobs to void*, such that * data lookups take an amount of time proportional only to the size * of the map, and not to the position or presence of the item in the map. diff --git a/src/test/test_util.c b/src/test/test_util.c index 04ca42d..f949c6d 100644 --- a/src/test/test_util.c +++ b/src/test/test_util.c @@ -2843,6 +2843,16 @@ test_util_di_ops(void) test_eq(neq1, !eq1); } + tt_int_op(1, ==, safe_mem_is_zero("", 0)); + tt_int_op(1, ==, safe_mem_is_zero("", 1)); + tt_int_op(0, ==, safe_mem_is_zero("a", 1)); + tt_int_op(0, ==, safe_mem_is_zero("a", 2)); + tt_int_op(0, ==, safe_mem_is_zero("\0a", 2)); + tt_int_op(1, ==, safe_mem_is_zero("\0\0a", 2)); + tt_int_op(1, ==, safe_mem_is_zero("\0\0\0\0\0\0\0\0", 8)); + tt_int_op(1, ==, safe_mem_is_zero("\0\0\0\0\0\0\0\0a", 8)); + tt_int_op(0, ==, safe_mem_is_zero("\0\0\0\0\0\0\0\0a", 9)); + done: ; }

1 0

[tor/master] Use safe_mem_is_zero for checking curve25519 output for 0-ness
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit 5f219ddd029348df2d384fca5012d96957885cbc Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Dec 25 22:25:09 2012 -0500 Use safe_mem_is_zero for checking curve25519 output for 0-ness This should make the intent more explicit. Probably needless, though. --- src/common/crypto_curve25519.c | 6 +----- src/or/onion_ntor.c | 24 ++++-------------------- 2 files changed, 5 insertions(+), 25 deletions(-) diff --git a/src/common/crypto_curve25519.c b/src/common/crypto_curve25519.c index 6034706..f3ecdb5 100644 --- a/src/common/crypto_curve25519.c +++ b/src/common/crypto_curve25519.c @@ -49,11 +49,7 @@ curve25519_impl(uint8_t *output, const uint8_t *secret, int curve25519_public_key_is_ok(const curve25519_public_key_t *key) { - static const uint8_t zero[] = - "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" - "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; - - return tor_memneq(key->public_key, zero, CURVE25519_PUBKEY_LEN); + return !safe_mem_is_zero(key->public_key, CURVE25519_PUBKEY_LEN); } /** Generate a new keypair and return the secret key. If extra_strong diff --git a/src/or/onion_ntor.c b/src/or/onion_ntor.c index 8eab55a..b601d1e 100644 --- a/src/or/onion_ntor.c +++ b/src/or/onion_ntor.c @@ -167,18 +167,10 @@ onion_skin_ntor_server_handshake(const uint8_t *onion_skin, /* build secret_input */ curve25519_handshake(si, &s.seckey_y, &s.pubkey_X); - bad = tor_memeq(si, - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", 32); + bad = safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN); si += CURVE25519_OUTPUT_LEN; curve25519_handshake(si, &keypair_bB->seckey, &s.pubkey_X); - bad |= tor_memeq(si, - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", 32); + bad |= safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN); si += CURVE25519_OUTPUT_LEN; APPEND(si, my_node_id, DIGEST_LEN); @@ -257,19 +249,11 @@ onion_skin_ntor_client_handshake( /* Compute secret_input */ curve25519_handshake(si, &handshake_state->seckey_x, &s.pubkey_Y); - bad = tor_memeq(si, - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", 32); + bad = safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN); si += CURVE25519_OUTPUT_LEN; curve25519_handshake(si, &handshake_state->seckey_x, &handshake_state->pubkey_B); - bad |= tor_memeq(si, - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00", 32); + bad |= safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN); si += CURVE25519_OUTPUT_LEN; APPEND(si, handshake_state->router_id, DIGEST_LEN); APPEND(si, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN);

1 0

[tor/master] Complete all DOCDOC entries from the ntor branch
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit 94cb7bd24d2ffda9038c267b3ee0837dd64ec903 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Dec 25 22:38:20 2012 -0500 Complete all DOCDOC entries from the ntor branch --- src/or/circuitbuild.c | 8 ++++---- src/or/cpuworker.c | 21 ++++++++++++++++++--- src/or/onion.c | 5 ++--- src/or/onion_fast.c | 5 +++-- src/or/router.c | 36 ++++++++++++++++++------------------ 5 files changed, 45 insertions(+), 30 deletions(-) diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 9300b04..552167f 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -490,10 +490,10 @@ circuit_n_chan_done(channel_t *chan, int status) /** Find a new circid that isn't currently in use on the circ->n_chan * for the outgoing - * circuit circ, and deliver a cell of type cell_type - * (either CELL_CREATE or CELL_CREATE_FAST) with payload payload - * to this circuit. DOCDOC new arguments - * Return -1 if we failed to find a suitable circid, else return 0. + * circuit circ, and deliver the cell create_cell to this + * circuit. If relayed is true, this is a create cell somebody + * gave us via an EXTEND cell, so we shouldn't worry if we don't understand + * it. Return -1 if we failed to find a suitable circid, else return 0. */ static int circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell, diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c index 1ac8cd5..3f8fc94 100644 --- a/src/or/cpuworker.c +++ b/src/or/cpuworker.c @@ -84,29 +84,44 @@ tag_unpack(const uint8_t *tag, uint64_t *chan_id, circid_t *circ_id) *circ_id = get_uint16(tag+8); } -/** DOCDOC */ +/** Magic numbers to make sure our cpuworker_requests don't grow any + * mis-framing bugs. */ #define CPUWORKER_REQUEST_MAGIC 0xda4afeed #define CPUWORKER_REPLY_MAGIC 0x5eedf00d -/**DOCDOC*/ +/** A request sent to a cpuworker. */ typedef struct cpuworker_request_t { + /** Magic number; must be CPUWORKER_REQUEST_MAGIC. */ uint32_t magic; /** Opaque tag to identify the job */ uint8_t tag[TAG_LEN]; + /** Task code. Must be one of CPUWORKER_TASK_* */ uint8_t task; + /** A create cell for the cpuworker to process. */ create_cell_t create_cell; + /* Turn the above into a tagged union if needed. */ } cpuworker_request_t; -/**DOCDOC*/ +/** A reply sent by a cpuworker. */ typedef struct cpuworker_reply_t { + /** Magic number; must be CPUWORKER_REPLY_MAGIC. */ uint32_t magic; + /** Opaque tag to identify the job; matches the request's tag.*/ uint8_t tag[TAG_LEN]; + /** True iff we got a successful request. */ uint8_t success; + /** Output of processing a create cell + * + * @{ + */ + /** The created cell to send back. */ created_cell_t created_cell; + /** The keys to use on this circuit. */ uint8_t keys[CPATH_KEY_MATERIAL_LEN]; + /** Input to use for authenticating introduce1 cells. */ uint8_t rend_auth_material[DIGEST_LEN]; } cpuworker_reply_t; diff --git a/src/or/onion.c b/src/or/onion.c index 56bc9a3..fc3e621 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -304,9 +304,8 @@ onion_skin_create(int type, * type type, responding to the client request in onion_skin * using the keys in keys. On success, write our response into * reply_out, generate keys_out_len bytes worth of key material - * in keys_out_len, and return the length of the reply. On failure, - * return -1. - * DOCDOC rend_nonce_out + * in keys_out_len, a hidden service nonce to rend_nonce_out, + * and return the length of the reply. On failure, return -1. */ int onion_skin_server_handshake(int type, diff --git a/src/or/onion_fast.c b/src/or/onion_fast.c index f33b048..eb9eceb 100644 --- a/src/or/onion_fast.c +++ b/src/or/onion_fast.c @@ -12,7 +12,7 @@ #include "or.h" #include "onion_fast.h" -/**DOCDOC*/ +/** Release all state held in victim. */ void fast_handshake_state_free(fast_handshake_state_t *victim) { @@ -22,7 +22,8 @@ fast_handshake_state_free(fast_handshake_state_t *victim) tor_free(victim); } -/** DOCDOC */ +/** Create the state needed to perform a CREATE_FAST hasnshake. Return 0 + * on success, -1 on failure. */ int fast_onionskin_create(fast_handshake_state_t **handshake_state_out, uint8_t *handshake_out) diff --git a/src/or/router.c b/src/or/router.c index a97db85..961fd48 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -56,8 +56,10 @@ static crypto_pk_t *onionkey=NULL; * generated by clients that have an older version of our descriptor. */ static crypto_pk_t *lastonionkey=NULL; #ifdef CURVE25519_ENABLED -/**DOCDOC*/ +/** Current private ntor secret key: used to perform the ntor handshake. */ static curve25519_keypair_t curve25519_onion_key; +/** Previous private ntor secret key: used to perform the ntor handshake + * with clients that have an older version of our descriptor. */ static curve25519_keypair_t last_curve25519_onion_key; #endif /** Private server "identity key": used to sign directory info and TLS @@ -105,20 +107,6 @@ set_onion_key(crypto_pk_t *k) mark_my_descriptor_dirty("set onion key"); } -#if 0 -/**DOCDOC*/ -static void -set_curve25519_onion_key(const curve25519_keypair_t *kp) -{ - if (tor_memeq(&curve25519_onion_key, kp, sizeof(curve25519_keypair_t))) - return; - - tor_mutex_acquire(key_lock); - memcpy(&curve25519_onion_key, kp, sizeof(curve25519_keypair_t)); - tor_mutex_release(key_lock); -} -#endif - /** Return the current onion key. Requires that the onion key has been * loaded or generated. */ crypto_pk_t * @@ -147,12 +135,15 @@ dup_onion_keys(crypto_pk_t **key, crypto_pk_t **last) } #ifdef CURVE25519_ENABLED -/**DOCDOC only in main thread*/ +/** Return the current secret onion key for the ntor handshake. Must only + * be called from the main thread. */ static const curve25519_keypair_t * get_current_curve25519_keypair(void) { return &curve25519_onion_key; } +/** Return a map from KEYID (the key itself) to keypairs for use in the ntor + * handshake. Must only be called from the main thread. */ di_digest256_map_t * construct_ntor_key_map(void) { @@ -173,6 +164,8 @@ construct_ntor_key_map(void) return m; } +/** Helper used to deallocate a di_digest256_map_t returned by + * construct_ntor_key_map. */ static void ntor_key_map_free_helper(void *arg) { @@ -180,9 +173,12 @@ ntor_key_map_free_helper(void *arg) memwipe(k, 0, sizeof(*k)); tor_free(k); } +/** Release all storage from a keymap returned by construct_ntor_key_map. */ void ntor_key_map_free(di_digest256_map_t *map) { + if (!map) + return; dimap_free(map, ntor_key_map_free_helper); } #endif @@ -453,7 +449,11 @@ init_key_from_file(const char *fname, int generate, int severity) } #ifdef CURVE25519_ENABLED -/** DOCDOC */ +/** Load a curve25519 keypair from the file fname, writing it into + * keys_out. If the file isn't found and generate is true, + * create a new keypair and write it into the file. If there are errors, log + * them at level severity. Generate files using tag in their + * ASCII wrapper. */ static int init_curve25519_keypair_from_file(curve25519_keypair_t *keys_out, const char *fname, @@ -1599,7 +1599,7 @@ router_digest_is_me(const char *digest) tor_memeq(server_identitykey_digest, digest, DIGEST_LEN)); } -/** DOCDOC */ +/** Return my identity digest. */ const uint8_t * router_get_my_id_digest(void) {

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits January 2013