commit 0da68ca3c40ffc775421ae732f70504ac74891fc Author: George Kadianakis <desnacked@gmail.com> Date: Thu May 26 00:33:46 2011 +0200 Stop doing iterative hashing when we don't have a shared secret. --- doc/protocol-spec.txt | 24 ++++++++++-------------- src/main.c | 3 ++- src/protocols/obfs2.c | 28 ++++++++++++++++------------ 3 files changed, 28 insertions(+), 27 deletions(-) diff --git a/doc/protocol-spec.txt b/doc/protocol-spec.txt index 0f9edf9..798da14 100644 --- a/doc/protocol-spec.txt +++ b/doc/protocol-spec.txt @@ -17,6 +17,8 @@ The Twobfuscator 1. Primitives, notation, and constants. H(x) is SHA256 of X + H^n(x) is H(x) called iteratively n times. + E_K(s) is the AES-counter-mode encryption of s using the key K. x | y is the concatenation of x and y @@ -39,9 +41,6 @@ The Twobfuscator MAC(s, x) = H(s | x | s) - Let n = HASH_ITERATIONS through section '2. Key establishment phase.'. - Then, H^n(x) is H(x) called iteratively n times. - A "byte" is an 8-bit octet. We require that HASHLEN >= KEYLEN + IVLEN @@ -53,14 +52,12 @@ The Twobfuscator a padding key as follows. The initiator generates: INIT_SEED = SR(SEED_LENGTH) - INIT_PAD_TEMP = MAC("Initiator obfuscation padding", INIT_SEED)[:KEYLEN] - INIT_PAD_KEY = H^n(INIT_PAD_TEMP) + INIT_PAD_KEY = MAC("Initiator obfuscation padding", INIT_SEED)[:KEYLEN] And the responder generates: RESP_SEED = SR(SEED_LENGTH) - RESP_PAD_TEMP = MAC("Responder obfuscation padding", INIT_SEED)[:KEYLEN] - RESP_PAD_KEY = H^n(RESP_PAD_TEMP) + RESP_PAD_KEY = MAC("Responder obfuscation padding", INIT_SEED)[:KEYLEN] Each then generates a random number PADLEN in range from 0 through MAX_PADDING (inclusive), and sends: @@ -79,12 +76,10 @@ The Twobfuscator INIT_SECRET = MAC("Initiator obfuscated data", INIT_SEED|RESP_SEED) RESP_SECRET = MAC("Responder obfuscated data", INIT_SEED|RESP_SEED) - INIT_MASTER_KEY = H^n(INIT_SECRET) - RESP_MASTER_KEY = H^n(RESP_SECRET) - INIT_KEY = INIT_MASTER_KEY[:KEYLEN] - INIT_IV = INIT_MASTER_KEY[KEYLEN:] - RESP_KEY = RESP_MASTER_KEY[:KEYLEN] - RESP_IV = RESP_MASTER_KEY[KEYLEN:] + INIT_KEY = INIT_SECRET[:KEYLEN] + INIT_IV = INIT_SECRET[KEYLEN:] + RESP_KEY = RESP_SECRET[:KEYLEN] + RESP_IV = RESP_SECRET[KEYLEN:] The INIT_KEY value keys a stream cipher used to encrypt values from initiator to responder thereafter. The stream cipher's IV is @@ -97,5 +92,6 @@ The Twobfuscator Optionally, if the client and server share a secret value SECRET, they can replace the MAC function with: - MAC(s,x) = H(s | x | SECRET | s) + MAC(s,x) = H^n(s | x | SECRET | s) + where n = HASH_ITERATIONS. diff --git a/src/main.c b/src/main.c index 59b6909..4c3c48c 100644 --- a/src/main.c +++ b/src/main.c @@ -128,7 +128,8 @@ main(int argc, const char **argv) mode, protocol, (struct sockaddr *)&ss_listen, sl_listen, sa_target, sl_target, - shared_secret, strlen(shared_secret)); + shared_secret, + shared_secret ? strlen(shared_secret) : 0); if (! listener) { printf("Couldn't create listener!\n"); return 4; diff --git a/src/protocols/obfs2.c b/src/protocols/obfs2.c index 4159691..b3fe590 100644 --- a/src/protocols/obfs2.c +++ b/src/protocols/obfs2.c @@ -75,8 +75,6 @@ derive_key(void *s, const char *keytype) crypt_t *cryptstate; uchar buf[SHA256_LENGTH]; digest_t *c = digest_new(); - digest_t *d; - int i; digest_update(c, (uchar*)keytype, strlen(keytype)); if (seed_nonzero(state->initiator_seed)) @@ -88,10 +86,14 @@ derive_key(void *s, const char *keytype) digest_update(c, (uchar*)keytype, strlen(keytype)); digest_getdigest(c, buf, sizeof(buf)); - for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) { - d = digest_new(); - digest_update(d, buf, sizeof(buf)); - digest_getdigest(d, buf, sizeof(buf)); + if (seed_nonzero(state->secret_seed)) { + digest_t *d; + int i; + for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) { + d = digest_new(); + digest_update(d, buf, sizeof(buf)); + digest_getdigest(d, buf, sizeof(buf)); + } } cryptstate = crypt_new(buf, 16); @@ -110,8 +112,6 @@ derive_padding_key(void *s, const uchar *seed, crypt_t *cryptstate; uchar buf[SHA256_LENGTH]; digest_t *c = digest_new(); - digest_t *d; - int i; digest_update(c, (uchar*)keytype, strlen(keytype)); if (seed_nonzero(seed)) @@ -121,10 +121,14 @@ derive_padding_key(void *s, const uchar *seed, digest_update(c, (uchar*)keytype, strlen(keytype)); digest_getdigest(c, buf, sizeof(buf)); - for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) { - d = digest_new(); - digest_update(d, buf, sizeof(buf)); - digest_getdigest(d, buf, sizeof(buf)); + if (seed_nonzero(state->secret_seed)) { + digest_t *d; + int i; + for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) { + d = digest_new(); + digest_update(d, buf, sizeof(buf)); + digest_getdigest(d, buf, sizeof(buf)); + } } cryptstate = crypt_new(buf, 16);