[or-cvs] Document CREATE_FAST better in the code. Move our key expa...

Nick Mathewson nickm at seul.org
Thu Dec 8 17:38:34 UTC 2005 

Update of /home/or/cvsroot/tor/src/or
In directory moria:/tmp/cvs-serv7766/src/or

Modified Files:
	circuitbuild.c command.c onion.c or.h 
Log Message:
Document CREATE_FAST better in the code.  Move our key expansion algorithm into a separate function in crypto.c

Index: circuitbuild.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/circuitbuild.c,v
retrieving revision 1.168
retrieving revision 1.169
diff -u -d -r1.168 -r1.169
--- circuitbuild.c	7 Dec 2005 22:09:02 -0000	1.168
+++ circuitbuild.c	8 Dec 2005 17:38:32 -0000	1.169
@@ -553,8 +553,9 @@
         return -1;
       }
     } else {
-      /* We are not an OR, and we're building the first hop of a circuit to
-       * a new OR: we can be speedy. */
+      /* We are not an OR, and we're building the first hop of a circuit to a
+       * new OR: we can be speedy and use CREATE_FAST to save an RSA operation
+       * and a DH operation. */
       cell_type = CELL_CREATE_FAST;
       memset(payload, 0, sizeof(payload));
       crypto_rand(circ->cpath->fast_handshake_state,
@@ -769,9 +770,10 @@
   return 0;
 }
 
-/** A created or extended cell came back to us on the circuit,
- * and it included <b>reply</b> (the second DH key, plus KH).
- * DOCDOC reply_type.
+/** A created or extended cell came back to us on the circuit, and it included
+ * <b>reply</b> as its body.  (If <b>reply_type</b> is CELL_CREATED, the body
+ * contains (the second DH key, plus KH).  If <b>reply_type</b> is
+ * CELL_CREATED_FAST, the body contains a secret y and a hash H(x|y).)
  *
  * Calculate the appropriate keys and digests, make sure KH is
  * correct, and initialize this hop of the cpath.

Index: command.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/command.c,v
retrieving revision 1.102
retrieving revision 1.103
diff -u -d -r1.102 -r1.103
--- command.c	3 Dec 2005 02:12:37 -0000	1.102
+++ command.c	8 Dec 2005 17:38:32 -0000	1.103
@@ -211,6 +211,8 @@
     }
     debug(LD_OR,"success: handed off onionskin.");
   } else {
+    /* This is a CREATE_FAST cell; we can handle it immediately without using
+     * a CPU worker.*/
     char keys[CPATH_KEY_MATERIAL_LEN];
     char reply[DIGEST_LEN*2];
     tor_assert(cell->command == CELL_CREATE_FAST);

Index: onion.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/onion.c,v
retrieving revision 1.189
retrieving revision 1.190
diff -u -d -r1.189 -r1.190
--- onion.c	25 Oct 2005 18:01:01 -0000	1.189
+++ onion.c	8 Dec 2005 17:38:32 -0000	1.190
@@ -344,68 +344,81 @@
   return 0;
 }
 
-/** DOCDOC */
+/** Implement the server side of the CREATE_FAST abbreviated handshake.  The
+ * client has provided DIGEST_LEN key bytes in <b>key_in</b> ("x").  We
+ * generate a reply of DIGEST_LEN*2 bytes in <b>key_out/b>, consisting of a
+ * new random "y", followed by H(x|y) to check for correctness.  We set
+ * <b>key_out_len</b> bytes of key material in <b>key_out</b>.
+ * Return 0 on success, <0 on failure.
+ **/
 int
 fast_server_handshake(const char *key_in, /* DIGEST_LEN bytes */
                       char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
                       char *key_out,
                       size_t key_out_len)
 {
-  char tmp[DIGEST_LEN+DIGEST_LEN+1];
-  char digest[DIGEST_LEN];
-  int i;
+  char tmp[DIGEST_LEN+DIGEST_LEN];
+  char *out;
+  size_t out_len;
 
   if (crypto_rand(handshake_reply_out, DIGEST_LEN)<0)
     return -1;
 
   memcpy(tmp, key_in, DIGEST_LEN);
   memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
-  tmp[DIGEST_LEN+DIGEST_LEN] = 0;
-  crypto_digest(handshake_reply_out+DIGEST_LEN, tmp, sizeof(tmp));
-
-  for (i = 0; i*DIGEST_LEN < (int)key_out_len; ++i) {
-    size_t len;
-    tmp[DIGEST_LEN+DIGEST_LEN] = i+1;
-    crypto_digest(digest, tmp, sizeof(tmp));
-    len = key_out_len - i*DIGEST_LEN;
-    if (len > DIGEST_LEN) len = DIGEST_LEN;
-    memcpy(key_out+i*DIGEST_LEN, digest, len);
+  out_len = key_out_len+DIGEST_LEN;
+  out = tor_malloc(out_len);
+  if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) {
+    tor_free(out);
+    return -1;
   }
-
+  memcpy(handshake_reply_out+DIGEST_LEN, out, DIGEST_LEN);
+  memcpy(key_out, out+DIGEST_LEN, key_out_len);
+  memset(tmp, 0, sizeof(tmp));
+  memset(out, 0, out_len);
+  tor_free(out);
   return 0;
 }
 
-/** DOCDOC */
+/** Implement the second half of the client side of the CREATE_FAST handshake.
+ * We sent the server <b>handshake_state</b> ("x") already, and the server
+ * told us <b>handshake_reply_out</b> (y|H(x|y)).  Make sure that the hash is
+ * correct, and generate key material in <b>key_out</b>.  Return 0 on success,
+ * true on failure.
+ *
+ * NOTE: The "CREATE_FAST" handshake path is distinguishable from regular
+ * "onionskin" handshakes, and is not secure if an adversary can see or modify
+ * the messages.  Therefore, it should only be used by clients, and only as
+ * the first hop of a circuit (since the first hop is already authenticated
+ * and protected by TLS).
+ */
 int
 fast_client_handshake(const char *handshake_state, /* DIGEST_LEN bytes */
                       const char *handshake_reply_out, /* DIGEST_LEN*2 bytes */
                       char *key_out,
                       size_t key_out_len)
 {
-  char tmp[DIGEST_LEN+DIGEST_LEN+1];
-  char digest[DIGEST_LEN];
-  int i;
+  char tmp[DIGEST_LEN+DIGEST_LEN];
+  char *out;
+  size_t out_len;
 
   memcpy(tmp, handshake_state, DIGEST_LEN);
   memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN);
-  tmp[DIGEST_LEN+DIGEST_LEN] = 0;
-  crypto_digest(digest, tmp, sizeof(tmp));
-
-  if (memcmp(digest, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
+  out_len = key_out_len+DIGEST_LEN;
+  out = tor_malloc(out_len);
+  if (crypto_expand_key_material(tmp, sizeof(tmp), out, out_len)) {
+    tor_free(out);
+    return -1;
+  }
+  if (memcmp(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
     /* H(K) does *not* match. Something fishy. */
     warn(LD_PROTOCOL,"Digest DOES NOT MATCH on fast handshake. Bug or attack.");
     return -1;
   }
-
-  for (i = 0; i*DIGEST_LEN < (int)key_out_len; ++i) {
-    size_t len;
-    tmp[DIGEST_LEN+DIGEST_LEN] = i+1;
-    crypto_digest(digest, tmp, sizeof(tmp));
-    len = key_out_len - i*DIGEST_LEN;
-    if (len > DIGEST_LEN) len = DIGEST_LEN;
-    memcpy(key_out+i*DIGEST_LEN, digest, len);
-  }
-
+  memcpy(key_out, out+DIGEST_LEN, key_out_len);
+  memset(tmp, 0, sizeof(tmp));
+  memset(out, 0, out_len);
+  tor_free(out);
   return 0;
 }
 

Index: or.h
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/or.h,v
retrieving revision 1.751
retrieving revision 1.752
diff -u -d -r1.751 -r1.752
--- or.h	7 Dec 2005 22:09:02 -0000	1.751
+++ or.h	8 Dec 2005 17:38:32 -0000	1.752
@@ -924,6 +924,11 @@
   /** Current state of Diffie-Hellman key negotiation with the OR at this
    * step. */
   crypto_dh_env_t *dh_handshake_state;
+  /** Current state of 'fast' (non-PK) key negotiation with the OR at this
+   * step. Used to save CPU when TLS is already providing all the
+   * authentication, secrecy, and integrity we need, and we're already
+   * distinguishable from an OR.
+   */
   char fast_handshake_state[DIGEST_LEN];
   /** Negotiated key material shared with the OR at this step. */
   char handshake_digest[DIGEST_LEN];/* KH in tor-spec.txt */

More information about the tor-commits mailing list