21#define ONION_NTOR_V3_PRIVATE
37#define PROTOID "ntor3-curve25519-sha3_256-1"
38#define TWEAK(A) (PROTOID ":" A)
40#define T_MSGKDF TWEAK("kdf_phase1")
41#define T_MSGMAC TWEAK("msg_mac")
42#define T_KEY_SEED TWEAK("key_seed")
43#define T_VERIFY TWEAK("verify")
44#define T_FINAL TWEAK("kdf_final")
45#define T_AUTH TWEAK("auth_final")
52#define xof_add(xof, data, len) crypto_xof_add_bytes((xof), (data), (len))
63 xof_add(xof, (uint8_t *)(&len64), 8);
69#define xof_add_tweak(d, s) xof_add_encap((d), (const uint8_t *)(s), strlen(s))
91 d_add(digest, (
const uint8_t *)(&len64), 8);
92 d_add(digest, data, len);
97#define d_add_tweak(d, s) d_add_encap((d), (const uint8_t *)(s), strlen(s))
106push(uint8_t **ptr,
const uint8_t *endptr,
const uint8_t *data,
size_t len)
108 size_t remaining = endptr - *ptr;
110 memcpy(*ptr, data, len);
123 memwipe(state, 0,
sizeof(*state));
152 const uint8_t *verification,
153 const size_t verification_len,
154 const uint8_t *message,
155 const size_t message_len,
157 uint8_t **onion_skin_out,
158 size_t *onion_skin_len_out)
175 memwipe(&client_keypair, 0,
sizeof(client_keypair));
191 const uint8_t *verification,
192 const size_t verification_len,
193 const uint8_t *message,
194 const size_t message_len,
196 uint8_t **onion_skin_out,
197 size_t *onion_skin_len_out)
199 *handshake_state_out = NULL;
200 *onion_skin_out = NULL;
201 *onion_skin_len_out = 0;
205 memcpy(&(*handshake_state_out)->client_keypair, client_keypair,
206 sizeof(*client_keypair));
207 memcpy(&(*handshake_state_out)->relay_id, relay_id,
sizeof(*relay_id));
208 memcpy(&(*handshake_state_out)->relay_key, relay_key,
sizeof(*relay_key));
212 &client_keypair->seckey, relay_key);
230 xof_add(xof, (
const uint8_t *)PROTOID, strlen(PROTOID));
238 uint8_t *encrypted_message = tor_memdup(message, message_len);
243 crypto_cipher_free(c);
254 d_add(m, encrypted_message, message_len);
256 (
char *)(*handshake_state_out)->msg_mac,
264 *onion_skin_out = tor_malloc(*onion_skin_len_out);
266 uint8_t *ptr = *onion_skin_out, *end = ptr + *onion_skin_len_out;
271 push(&ptr, end, encrypted_message, message_len);
276 memwipe(&enc_key, 0,
sizeof(enc_key));
277 memwipe(&mac_key, 0,
sizeof(mac_key));
278 memwipe(encrypted_message, 0, message_len);
299 const uint8_t *handshake_reply,
301 const uint8_t *verification,
302 size_t verification_len,
305 uint8_t **message_out,
306 size_t *message_len_out)
309 *message_len_out = 0;
316 size_t encrypted_msg_len;
317 const uint8_t *encrypted_msg;
331 encrypted_msg = handshake_reply;
346#define ADD2(s,len) STMT_BEGIN { \
347 d_add(ks, (s),(len)); d_add(v, (s), (len)); \
349#define ADD2_ENCAP(s,len) STMT_BEGIN { \
350 d_add_encap(ks, (s),(len)); d_add_encap(v, (s), (len)); \
353 ADD2(yx,
sizeof(yx));
354 ADD2(handshake_state->bx,
sizeof(handshake_state->bx));
357 ADD2(handshake_state->client_keypair.pubkey.public_key,
360 ADD2((
const uint8_t *)PROTOID, strlen(PROTOID));
361 ADD2_ENCAP(verification, verification_len);
374 d_add(d, verify,
sizeof(verify));
378 d_add(d, handshake_state->client_keypair.pubkey.public_key,
382 d_add(d, (
const uint8_t*)PROTOID, strlen(PROTOID));
383 d_add(d, (
const uint8_t*)
"Server", strlen(
"Server"));
392 *message_out = tor_malloc(encrypted_msg_len);
393 *message_len_out = encrypted_msg_len;
398 xof_add(xof, key_seed,
sizeof(key_seed));
406 (
const char *)encrypted_msg, encrypted_msg_len);
407 crypto_cipher_free(c);
411 memwipe(&relay_Y, 0,
sizeof(relay_Y));
412 memwipe(&relay_auth, 0,
sizeof(relay_auth));
414 memwipe(key_seed, 0,
sizeof(key_seed));
415 memwipe(verify, 0,
sizeof(verify));
416 memwipe(enc_key, 0,
sizeof(enc_key));
419 memwipe(*message_out, 0, *message_len_out);
422 *message_len_out = 0;
469 const uint8_t *client_handshake,
470 size_t client_handshake_len,
471 const uint8_t *verification,
472 size_t verification_len,
473 uint8_t **client_message_out,
474 size_t *client_message_len_out,
477 *client_message_out = NULL;
478 *client_message_len_out = 0;
485 memcpy(&(*state_out)->my_id, my_id,
sizeof(*my_id));
487 const uint8_t *wanted_id;
488 const uint8_t *wanted_key;
489 const uint8_t *encrypted_message;
490 size_t encrypted_message_len;
493 const uint8_t *ptr = client_handshake;
494 const uint8_t *end = ptr + client_handshake_len;
496 if (client_handshake_len <
508 size_t remaining = (end-ptr);
514 encrypted_message = ptr;
516 ptr += encrypted_message_len;
517 remaining = (end-ptr);
527 dimap_search(private_keys, wanted_key, (
void *)junk_key);
529 memcpy(&(*state_out)->my_key, &keypair->pubkey,
534 &keypair->seckey, &(*state_out)->client_key);
546 xof_add(xof, (
const uint8_t *)PROTOID, strlen(PROTOID));
562 d_add(d, encrypted_message, encrypted_message_len);
570 *client_message_out = tor_malloc(encrypted_message_len);
571 *client_message_len_out = encrypted_message_len;
576 (
const char *)encrypted_message,
577 encrypted_message_len);
578 crypto_cipher_free(c);
582 memwipe(enc_key, 0,
sizeof(enc_key));
583 memwipe(mac_key, 0,
sizeof(mac_key));
584 memwipe(computed_mac, 0,
sizeof(computed_mac));
586 if (*client_message_out) {
587 memwipe(*client_message_out, 0, *client_message_len_out);
590 *client_message_len_out = 0;
591 ntor3_server_handshake_state_free(*state_out);
614 const uint8_t *verification,
615 size_t verification_len,
616 const uint8_t *server_message,
617 size_t server_message_len,
618 uint8_t **handshake_out,
619 size_t *handshake_len_out,
638 memwipe(&relay_keypair, 0,
sizeof(relay_keypair));
655 const uint8_t *verification,
656 size_t verification_len,
657 const uint8_t *server_message,
658 size_t server_message_len,
659 uint8_t **handshake_out,
660 size_t *handshake_len_out,
664 *handshake_out = NULL;
665 *handshake_len_out = 0;
681 ADD2(xy,
sizeof(xy));
682 ADD2(state->xb,
sizeof(state->xb));
687 ADD2((
const uint8_t *)PROTOID, strlen(PROTOID));
688 ADD2_ENCAP(verification, verification_len);
700 xof_add(xof, key_seed,
sizeof(key_seed));
707 uint8_t *encrypted_message = tor_memdup(server_message, server_message_len);
712 c, (
char *)encrypted_message, server_message_len);
713 crypto_cipher_free(c);
721 d_add(d, verify,
sizeof(verify));
727 d_add_encap(d, encrypted_message, server_message_len);
728 d_add(d, (
const uint8_t*)PROTOID, strlen(PROTOID));
729 d_add(d, (
const uint8_t*)
"Server", strlen(
"Server"));
737 *handshake_out = tor_malloc(*handshake_len_out);
738 uint8_t *ptr = *handshake_out, *end = ptr + *handshake_len_out;
740 push(&ptr, end, auth,
sizeof(auth));
741 push(&ptr, end, encrypted_message, server_message_len);
746 memwipe(key_seed, 0,
sizeof(key_seed));
747 memwipe(verify, 0,
sizeof(verify));
748 memwipe(enc_key, 0,
sizeof(enc_key));
749 memwipe(encrypted_message, 0, server_message_len);
753 memwipe(*handshake_out, 0, *handshake_len_out);
755 *handshake_len_out = 0;
Inline functions for reading and writing multibyte values from the middle of strings,...
static uint64_t tor_htonll(uint64_t a)
crypto_cipher_t * crypto_cipher_new_with_bits(const char *key, int bits)
void crypto_cipher_crypt_inplace(crypto_cipher_t *env, char *buf, size_t len)
int crypto_cipher_decrypt(crypto_cipher_t *env, char *to, const char *from, size_t fromlen)
#define CIPHER256_KEY_LEN
void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey)
int curve25519_keypair_generate(curve25519_keypair_t *keypair_out, int extra_strong)
void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len)
crypto_xof_t * crypto_xof_new(void)
Headers for crypto_digest.c.
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
#define crypto_xof_free(xof)
#define crypto_digest_free(d)
crypto_digest_t * crypto_digest256_new(digest_algorithm_t algorithm)
void crypto_digest_add_bytes(crypto_digest_t *digest, const char *data, size_t len)
void crypto_rand(char *to, size_t n)
Common functions for using (pseudo-)random number generators.
void memwipe(void *mem, uint8_t byte, size_t sz)
Common functions for cryptographic routines.
int safe_mem_is_zero(const void *mem, size_t sz)
void * dimap_search(const di_digest256_map_t *map, const uint8_t *key, void *dflt_val)
#define tor_memneq(a, b, sz)
static void d_add(crypto_digest_t *digest, const uint8_t *data, size_t len)
int onion_ntor3_client_handshake(const ntor3_handshake_state_t *handshake_state, const uint8_t *handshake_reply, size_t reply_len, const uint8_t *verification, size_t verification_len, uint8_t *keys_out, size_t keys_out_len, uint8_t **message_out, size_t *message_len_out)
STATIC int onion_skin_ntor3_create_nokeygen(const curve25519_keypair_t *client_keypair, const ed25519_public_key_t *relay_id, const curve25519_public_key_t *relay_key, const uint8_t *verification, const size_t verification_len, const uint8_t *message, const size_t message_len, ntor3_handshake_state_t **handshake_state_out, uint8_t **onion_skin_out, size_t *onion_skin_len_out)
int onion_skin_ntor3_server_handshake_part1(const di_digest256_map_t *private_keys, const curve25519_keypair_t *junk_key, const ed25519_public_key_t *my_id, const uint8_t *client_handshake, size_t client_handshake_len, const uint8_t *verification, size_t verification_len, uint8_t **client_message_out, size_t *client_message_len_out, ntor3_server_handshake_state_t **state_out)
int onion_skin_ntor3_create(const ed25519_public_key_t *relay_id, const curve25519_public_key_t *relay_key, const uint8_t *verification, const size_t verification_len, const uint8_t *message, const size_t message_len, ntor3_handshake_state_t **handshake_state_out, uint8_t **onion_skin_out, size_t *onion_skin_len_out)
void ntor3_server_handshake_state_free_(ntor3_server_handshake_state_t *state)
static void xof_add_encap(crypto_xof_t *xof, const uint8_t *data, size_t len)
STATIC int onion_skin_ntor3_server_handshake_part2_nokeygen(const curve25519_keypair_t *relay_keypair_y, const ntor3_server_handshake_state_t *state, const uint8_t *verification, size_t verification_len, const uint8_t *server_message, size_t server_message_len, uint8_t **handshake_out, size_t *handshake_len_out, uint8_t *keys_out, size_t keys_out_len)
#define d_add_tweak(d, s)
int onion_skin_ntor3_server_handshake_part2(const ntor3_server_handshake_state_t *state, const uint8_t *verification, size_t verification_len, const uint8_t *server_message, size_t server_message_len, uint8_t **handshake_out, size_t *handshake_len_out, uint8_t *keys_out, size_t keys_out_len)
void ntor3_handshake_state_free_(ntor3_handshake_state_t *state)
#define xof_add_tweak(d, s)
static void d_add_encap(crypto_digest_t *digest, const uint8_t *data, size_t len)
#define xof_add(xof, data, len)
static void push(uint8_t **ptr, const uint8_t *endptr, const uint8_t *data, size_t len)
Header for core/crypto/onion_ntor_v3.c.
struct ntor3_handshake_state_t ntor3_handshake_state_t
struct ntor3_server_handshake_state_t ntor3_server_handshake_state_t
Macros to manage assertions, fatal and non-fatal.
#define CURVE25519_OUTPUT_LEN
#define ED25519_PUBKEY_LEN
#define CURVE25519_PUBKEY_LEN