static void
bench_dh(void)
{
const int iters = 1<<10;
int i;
uint64_t start, end;
reset_perftime();
start = perftime();
for (i = 0; i < iters; ++i) {
char dh_pubkey_a[DH_BYTES], dh_pubkey_b[DH_BYTES];
char secret_a[DH_BYTES], secret_b[DH_BYTES];
ssize_t slen_a, slen_b;
crypto_dh_t *dh_a = crypto_dh_new(DH_TYPE_TLS);
crypto_dh_t *dh_b = crypto_dh_new(DH_TYPE_TLS);
crypto_dh_generate_public(dh_a);
crypto_dh_generate_public(dh_b);
crypto_dh_get_public(dh_a, dh_pubkey_a, sizeof(dh_pubkey_a));
crypto_dh_get_public(dh_b, dh_pubkey_b, sizeof(dh_pubkey_b));
slen_a = crypto_dh_compute_secret(LOG_NOTICE,
dh_a, dh_pubkey_b, sizeof(dh_pubkey_b),
secret_a, sizeof(secret_a));
slen_b = crypto_dh_compute_secret(LOG_NOTICE,
dh_b, dh_pubkey_a, sizeof(dh_pubkey_a),
secret_b, sizeof(secret_b));
tor_assert(slen_a == slen_b);
tor_assert(!memcmp(secret_a, secret_b, slen_a));
crypto_dh_free(dh_a);
crypto_dh_free(dh_b);
}
end = perftime();
printf("Complete DH handshakes (1024 bit, public and private ops):\n"
" %f millisec each.\n", NANOCOUNT(start, end, iters)/1e6);
}
/** Run unit tests for Diffie-Hellman functionality. */
static void
test_crypto_dh(void)
{
crypto_dh_t *dh1 = crypto_dh_new(DH_TYPE_CIRCUIT);
crypto_dh_t *dh2 = crypto_dh_new(DH_TYPE_CIRCUIT);
char p1[DH_BYTES];
char p2[DH_BYTES];
char s1[DH_BYTES];
char s2[DH_BYTES];
ssize_t s1len, s2len;
test_eq(crypto_dh_get_bytes(dh1), DH_BYTES);
test_eq(crypto_dh_get_bytes(dh2), DH_BYTES);
memset(p1, 0, DH_BYTES);
memset(p2, 0, DH_BYTES);
test_memeq(p1, p2, DH_BYTES);
test_assert(! crypto_dh_get_public(dh1, p1, DH_BYTES));
test_memneq(p1, p2, DH_BYTES);
test_assert(! crypto_dh_get_public(dh2, p2, DH_BYTES));
test_memneq(p1, p2, DH_BYTES);
memset(s1, 0, DH_BYTES);
memset(s2, 0xFF, DH_BYTES);
s1len = crypto_dh_compute_secret(LOG_WARN, dh1, p2, DH_BYTES, s1, 50);
s2len = crypto_dh_compute_secret(LOG_WARN, dh2, p1, DH_BYTES, s2, 50);
test_assert(s1len > 0);
test_eq(s1len, s2len);
test_memeq(s1, s2, s1len);
{
/* XXXX Now fabricate some bad values and make sure they get caught,
* Check 0, 1, N-1, >= N, etc.
*/
}
done:
crypto_dh_free(dh1);
crypto_dh_free(dh2);
}
/** Given a router's 128 byte public key,
* stores the following in onion_skin_out:
* - [42 bytes] OAEP padding
* - [16 bytes] Symmetric key for encrypting blob past RSA
* - [70 bytes] g^x part 1 (inside the RSA)
* - [58 bytes] g^x part 2 (symmetrically encrypted)
*
* Stores the DH private key into handshake_state_out for later completion
* of the handshake.
*
* The meeting point/cookies and auth are zeroed out for now.
*/
int
onion_skin_TAP_create(crypto_pk_t *dest_router_key,
crypto_dh_t **handshake_state_out,
char *onion_skin_out) /* TAP_ONIONSKIN_CHALLENGE_LEN bytes */
{
char challenge[DH1024_KEY_LEN];
crypto_dh_t *dh = NULL;
int dhbytes, pkbytes;
tor_assert(dest_router_key);
tor_assert(handshake_state_out);
tor_assert(onion_skin_out);
*handshake_state_out = NULL;
memset(onion_skin_out, 0, TAP_ONIONSKIN_CHALLENGE_LEN);
if (!(dh = crypto_dh_new(DH_TYPE_CIRCUIT)))
goto err;
dhbytes = crypto_dh_get_bytes(dh);
pkbytes = (int) crypto_pk_keysize(dest_router_key);
tor_assert(dhbytes == 128);
tor_assert(pkbytes == 128);
if (crypto_dh_get_public(dh, challenge, dhbytes))
goto err;
/* set meeting point, meeting cookie, etc here. Leave zero for now. */
if (crypto_pk_obsolete_public_hybrid_encrypt(dest_router_key, onion_skin_out,
TAP_ONIONSKIN_CHALLENGE_LEN,
challenge, DH1024_KEY_LEN,
PK_PKCS1_OAEP_PADDING, 1)<0)
goto err;
memwipe(challenge, 0, sizeof(challenge));
*handshake_state_out = dh;
return 0;
err:
/* LCOV_EXCL_START
* We only get here if RSA encryption fails or DH keygen fails. Those
* shouldn't be possible. */
memwipe(challenge, 0, sizeof(challenge));
if (dh) crypto_dh_free(dh);
return -1;
/* LCOV_EXCL_STOP */
}
/** Given a router's 128 byte public key,
* stores the following in onion_skin_out:
* - [42 bytes] OAEP padding
* - [16 bytes] Symmetric key for encrypting blob past RSA
* - [70 bytes] g^x part 1 (inside the RSA)
* - [58 bytes] g^x part 2 (symmetrically encrypted)
*
* Stores the DH private key into handshake_state_out for later completion
* of the handshake.
*
* The meeting point/cookies and auth are zeroed out for now.
*/
int
onion_skin_TAP_create(crypto_pk_t *dest_router_key,
crypto_dh_t **handshake_state_out,
char *onion_skin_out) /* TAP_ONIONSKIN_CHALLENGE_LEN bytes */
{
char challenge[DH_KEY_LEN];
crypto_dh_t *dh = NULL;
int dhbytes, pkbytes;
tor_assert(dest_router_key);
tor_assert(handshake_state_out);
tor_assert(onion_skin_out);
*handshake_state_out = NULL;
memset(onion_skin_out, 0, TAP_ONIONSKIN_CHALLENGE_LEN);
if (!(dh = crypto_dh_new(DH_TYPE_CIRCUIT)))
goto err;
dhbytes = crypto_dh_get_bytes(dh);
pkbytes = (int) crypto_pk_keysize(dest_router_key);
tor_assert(dhbytes == 128);
tor_assert(pkbytes == 128);
if (crypto_dh_get_public(dh, challenge, dhbytes))
goto err;
note_crypto_pk_op(ENC_ONIONSKIN);
/* set meeting point, meeting cookie, etc here. Leave zero for now. */
if (crypto_pk_public_hybrid_encrypt(dest_router_key, onion_skin_out,
TAP_ONIONSKIN_CHALLENGE_LEN,
challenge, DH_KEY_LEN,
PK_PKCS1_OAEP_PADDING, 1)<0)
goto err;
memwipe(challenge, 0, sizeof(challenge));
*handshake_state_out = dh;
return 0;
err:
memwipe(challenge, 0, sizeof(challenge));
if (dh) crypto_dh_free(dh);
return -1;
}
/** Given an encrypted DH public key as generated by onion_skin_create,
* and the private key for this onion router, generate the reply (128-byte
* DH plus the first 20 bytes of shared key material), and store the
* next key_out_len bytes of key material in key_out.
*/
int
onion_skin_server_handshake(const char *onion_skin, /*ONIONSKIN_CHALLENGE_LEN*/
crypto_pk_env_t *private_key,
crypto_pk_env_t *prev_private_key,
char *handshake_reply_out, /*ONIONSKIN_REPLY_LEN*/
char *key_out,
size_t key_out_len)
{
char challenge[ONIONSKIN_CHALLENGE_LEN];
crypto_dh_env_t *dh = NULL;
ssize_t len;
char *key_material=NULL;
size_t key_material_len=0;
int i;
crypto_pk_env_t *k;
len = -1;
for (i=0;i<2;++i) {
k = i==0?private_key:prev_private_key;
if (!k)
break;
note_crypto_pk_op(DEC_ONIONSKIN);
len = crypto_pk_private_hybrid_decrypt(k, challenge,
onion_skin, ONIONSKIN_CHALLENGE_LEN,
PK_PKCS1_OAEP_PADDING,0);
if (len>0)
break;
}
if (len<0) {
log_info(LD_PROTOCOL,
"Couldn't decrypt onionskin: client may be using old onion key");
goto err;
} else if (len != DH_KEY_LEN) {
log_warn(LD_PROTOCOL, "Unexpected onionskin length after decryption: %ld",
(long)len);
goto err;
}
dh = crypto_dh_new();
if (crypto_dh_get_public(dh, handshake_reply_out, DH_KEY_LEN)) {
log_info(LD_GENERAL, "crypto_dh_get_public failed.");
goto err;
}
key_material_len = DIGEST_LEN+key_out_len;
key_material = tor_malloc(key_material_len);
len = crypto_dh_compute_secret(dh, challenge, DH_KEY_LEN,
key_material, key_material_len);
if (len < 0) {
log_info(LD_GENERAL, "crypto_dh_compute_secret failed.");
goto err;
}
/* send back H(K|0) as proof that we learned K. */
memcpy(handshake_reply_out+DH_KEY_LEN, key_material, DIGEST_LEN);
/* use the rest of the key material for our shared keys, digests, etc */
memcpy(key_out, key_material+DIGEST_LEN, key_out_len);
memset(challenge, 0, sizeof(challenge));
memset(key_material, 0, key_material_len);
tor_free(key_material);
crypto_dh_free(dh);
return 0;
err:
memset(challenge, 0, sizeof(challenge));
if (key_material) {
memset(key_material, 0, key_material_len);
tor_free(key_material);
}
if (dh) crypto_dh_free(dh);
return -1;
}
/** Given an encrypted DH public key as generated by onion_skin_create,
* and the private key for this onion router, generate the reply (128-byte
* DH plus the first 20 bytes of shared key material), and store the
* next key_out_len bytes of key material in key_out.
*/
int
onion_skin_TAP_server_handshake(
/*TAP_ONIONSKIN_CHALLENGE_LEN*/
const char *onion_skin,
crypto_pk_t *private_key,
crypto_pk_t *prev_private_key,
/*TAP_ONIONSKIN_REPLY_LEN*/
char *handshake_reply_out,
char *key_out,
size_t key_out_len)
{
char challenge[TAP_ONIONSKIN_CHALLENGE_LEN];
crypto_dh_t *dh = NULL;
ssize_t len;
char *key_material=NULL;
size_t key_material_len=0;
int i;
crypto_pk_t *k;
len = -1;
for (i=0;i<2;++i) {
k = i==0?private_key:prev_private_key;
if (!k)
break;
len = crypto_pk_obsolete_private_hybrid_decrypt(k, challenge,
TAP_ONIONSKIN_CHALLENGE_LEN,
onion_skin,
TAP_ONIONSKIN_CHALLENGE_LEN,
PK_PKCS1_OAEP_PADDING,0);
if (len>0)
break;
}
if (len<0) {
log_info(LD_PROTOCOL,
"Couldn't decrypt onionskin: client may be using old onion key");
goto err;
} else if (len != DH1024_KEY_LEN) {
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Unexpected onionskin length after decryption: %ld",
(long)len);
goto err;
}
dh = crypto_dh_new(DH_TYPE_CIRCUIT);
if (!dh) {
/* LCOV_EXCL_START
* Failure to allocate a DH key should be impossible.
*/
log_warn(LD_BUG, "Couldn't allocate DH key");
goto err;
/* LCOV_EXCL_STOP */
}
if (crypto_dh_get_public(dh, handshake_reply_out, DH1024_KEY_LEN)) {
/* LCOV_EXCL_START
* This can only fail if the length of the key we just allocated is too
* big. That should be impossible. */
log_info(LD_GENERAL, "crypto_dh_get_public failed.");
goto err;
/* LCOV_EXCL_STOP */
}
key_material_len = DIGEST_LEN+key_out_len;
key_material = tor_malloc(key_material_len);
len = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, dh, challenge,
DH1024_KEY_LEN, key_material,
key_material_len);
if (len < 0) {
log_info(LD_GENERAL, "crypto_dh_compute_secret failed.");
goto err;
}
/* send back H(K|0) as proof that we learned K. */
memcpy(handshake_reply_out+DH1024_KEY_LEN, key_material, DIGEST_LEN);
/* use the rest of the key material for our shared keys, digests, etc */
memcpy(key_out, key_material+DIGEST_LEN, key_out_len);
memwipe(challenge, 0, sizeof(challenge));
memwipe(key_material, 0, key_material_len);
tor_free(key_material);
crypto_dh_free(dh);
return 0;
err:
memwipe(challenge, 0, sizeof(challenge));
if (key_material) {
memwipe(key_material, 0, key_material_len);
tor_free(key_material);
}
if (dh) crypto_dh_free(dh);
return -1;
}
