[obfsproxy/master] Stop doing iterative hashing when we don't have a shared secret. - tor-commits

29 May 2011

commit 0da68ca3c40ffc775421ae732f70504ac74891fc
Author: George Kadianakis desnacked@gmail.com
Date:   Thu May 26 00:33:46 2011 +0200
Stop doing iterative hashing when we don't have a shared secret.
---
 doc/protocol-spec.txt |   24 ++++++++++--------------
 src/main.c            |    3 ++-
 src/protocols/obfs2.c |   28 ++++++++++++++++------------
 3 files changed, 28 insertions(+), 27 deletions(-)

diff --git a/doc/protocol-spec.txt b/doc/protocol-spec.txt
index 0f9edf9..798da14 100644
--- a/doc/protocol-spec.txt
+++ b/doc/protocol-spec.txt
@@ -17,6 +17,8 @@ The Twobfuscator
 1. Primitives, notation, and constants.
H(x) is SHA256 of X
+    H^n(x) is H(x) called iteratively n times. 
+
     E_K(s) is the AES-counter-mode encryption of s using the key K.
x | y is the concatenation of x and y
@@ -39,9 +41,6 @@ The Twobfuscator
MAC(s, x) = H(s | x | s)
-    Let n = HASH_ITERATIONS through section '2. Key establishment phase.'.
-    Then, H^n(x) is H(x) called iteratively n times. 
-
     A "byte" is an 8-bit octet.
We require that HASHLEN >= KEYLEN + IVLEN
@@ -53,14 +52,12 @@ The Twobfuscator
    a padding key as follows.  The initiator generates:
INIT_SEED = SR(SEED_LENGTH)
-    INIT_PAD_TEMP = MAC("Initiator obfuscation padding", INIT_SEED)[:KEYLEN]
-    INIT_PAD_KEY = H^n(INIT_PAD_TEMP)
+    INIT_PAD_KEY = MAC("Initiator obfuscation padding", INIT_SEED)[:KEYLEN]
And the responder generates:
RESP_SEED = SR(SEED_LENGTH)
-    RESP_PAD_TEMP = MAC("Responder obfuscation padding", INIT_SEED)[:KEYLEN]
-    RESP_PAD_KEY = H^n(RESP_PAD_TEMP)
+    RESP_PAD_KEY = MAC("Responder obfuscation padding", INIT_SEED)[:KEYLEN]
Each then generates a random number PADLEN in range from 0 through
    MAX_PADDING (inclusive), and sends:
@@ -79,12 +76,10 @@ The Twobfuscator
INIT_SECRET = MAC("Initiator obfuscated data", INIT_SEED|RESP_SEED)
      RESP_SECRET = MAC("Responder obfuscated data", INIT_SEED|RESP_SEED)
-     INIT_MASTER_KEY = H^n(INIT_SECRET)
-     RESP_MASTER_KEY = H^n(RESP_SECRET)
-     INIT_KEY = INIT_MASTER_KEY[:KEYLEN]
-     INIT_IV = INIT_MASTER_KEY[KEYLEN:]
-     RESP_KEY = RESP_MASTER_KEY[:KEYLEN]
-     RESP_IV = RESP_MASTER_KEY[KEYLEN:]
+     INIT_KEY = INIT_SECRET[:KEYLEN]
+     INIT_IV = INIT_SECRET[KEYLEN:]
+     RESP_KEY = RESP_SECRET[:KEYLEN]
+     RESP_IV = RESP_SECRET[KEYLEN:]
The INIT_KEY value keys a stream cipher used to encrypt values from
    initiator to responder thereafter.  The stream cipher's IV is
@@ -97,5 +92,6 @@ The Twobfuscator
    Optionally, if the client and server share a secret value SECRET,
    they can replace the MAC function with:
-      MAC(s,x) = H(s | x | SECRET | s)
+      MAC(s,x) = H^n(s | x | SECRET | s)
+   where n = HASH_ITERATIONS.
diff --git a/src/main.c b/src/main.c
index 59b6909..4c3c48c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -128,7 +128,8 @@ main(int argc, const char **argv)
                           mode, protocol,
                           (struct sockaddr *)&ss_listen, sl_listen,
                           sa_target, sl_target,
-                          shared_secret, strlen(shared_secret));
+                          shared_secret, 
+                          shared_secret ? strlen(shared_secret) : 0);
   if (! listener) {
     printf("Couldn't create listener!\n");
     return 4;
diff --git a/src/protocols/obfs2.c b/src/protocols/obfs2.c
index 4159691..b3fe590 100644
--- a/src/protocols/obfs2.c
+++ b/src/protocols/obfs2.c
@@ -75,8 +75,6 @@ derive_key(void *s, const char *keytype)
   crypt_t *cryptstate;
   uchar buf[SHA256_LENGTH];
   digest_t *c = digest_new();
-  digest_t *d;
-  int i;
digest_update(c, (uchar*)keytype, strlen(keytype));
   if (seed_nonzero(state->initiator_seed))
@@ -88,10 +86,14 @@ derive_key(void *s, const char *keytype)
   digest_update(c, (uchar*)keytype, strlen(keytype));
   digest_getdigest(c, buf, sizeof(buf));
-  for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) {
-    d = digest_new();
-    digest_update(d, buf, sizeof(buf));
-    digest_getdigest(d, buf, sizeof(buf));
+  if (seed_nonzero(state->secret_seed)) {
+    digest_t *d;
+    int i;
+    for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) {
+      d = digest_new();
+      digest_update(d, buf, sizeof(buf));
+      digest_getdigest(d, buf, sizeof(buf));
+    }
   }
cryptstate = crypt_new(buf, 16);
@@ -110,8 +112,6 @@ derive_padding_key(void *s, const uchar *seed,
   crypt_t *cryptstate;
   uchar buf[SHA256_LENGTH];
   digest_t *c = digest_new();
-  digest_t *d;
-  int i;
digest_update(c, (uchar*)keytype, strlen(keytype));
   if (seed_nonzero(seed))
@@ -121,10 +121,14 @@ derive_padding_key(void *s, const uchar *seed,
   digest_update(c, (uchar*)keytype, strlen(keytype));
   digest_getdigest(c, buf, sizeof(buf));
-  for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) {
-    d = digest_new();
-    digest_update(d, buf, sizeof(buf));
-    digest_getdigest(d, buf, sizeof(buf));
+  if (seed_nonzero(state->secret_seed)) {
+    digest_t *d;
+    int i;
+    for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) {
+      d = digest_new();
+      digest_update(d, buf, sizeof(buf));
+      digest_getdigest(d, buf, sizeof(buf));
+    }
   }
cryptstate = crypt_new(buf, 16);

    