onion.c 15.1 KB
Newer Older
1
2
3
/* Copyright 2001,2002 Roger Dingledine, Matej Pfajfar. */
/* See LICENSE for licensing information */
/* $Id$ */
Roger Dingledine's avatar
Roger Dingledine committed
4
5
6

#include "or.h"

7
extern or_options_t options; /* command-line and config-file options */
8

9
static int count_acceptable_routers(routerinfo_t **rarray, int rarray_len);
Roger Dingledine's avatar
Roger Dingledine committed
10

11
12
13
14
15
16
17
18
19
int decide_aci_type(char *local_nick, char *remote_nick) {
  int result;
 
  assert(remote_nick);
  if(!local_nick)
    return ACI_TYPE_LOWER;
  result = strcmp(local_nick, remote_nick);
  assert(result);
  if(result < 0)
Roger Dingledine's avatar
Roger Dingledine committed
20
    return ACI_TYPE_LOWER;
21
  return ACI_TYPE_HIGHER;
Roger Dingledine's avatar
Roger Dingledine committed
22
23
}

Roger Dingledine's avatar
Roger Dingledine committed
24
25
26
27
28
struct onion_queue_t {
  circuit_t *circ;
  struct onion_queue_t *next;
};

29
30
31
32
33
34
35
36
/* global (within this file) variables used by the next few functions */
static struct onion_queue_t *ol_list=NULL;
static struct onion_queue_t *ol_tail=NULL;
static int ol_length=0;

int onion_pending_add(circuit_t *circ) {
  struct onion_queue_t *tmp;

37
  tmp = tor_malloc(sizeof(struct onion_queue_t));
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
  memset(tmp, 0, sizeof(struct onion_queue_t));
  tmp->circ = circ;

  if(!ol_tail) {
    assert(!ol_list);
    assert(!ol_length);
    ol_list = tmp;
    ol_tail = tmp;
    ol_length++;
    return 0;
  }

  assert(ol_list);
  assert(!ol_tail->next);

  if(ol_length >= options.MaxOnionsPending) {
54
    log_fn(LOG_WARNING,"Already have %d onions queued. Closing.", ol_length);
55
56
57
58
59
60
61
62
63
64
65
    free(tmp);
    return -1;
  }

  ol_length++;
  ol_tail->next = tmp;
  ol_tail = tmp;
  return 0;

}

Roger Dingledine's avatar
Roger Dingledine committed
66
circuit_t *onion_next_task(void) {
67
  circuit_t *circ;
68
69

  if(!ol_list)
Roger Dingledine's avatar
Roger Dingledine committed
70
    return NULL; /* no onions pending, we're done */
71

72
  assert(ol_list->circ);
73
  if(!ol_list->circ->p_conn) {
Roger Dingledine's avatar
Roger Dingledine committed
74
    log_fn(LOG_INFO,"ol_list->circ->p_conn null, must have died?");
75
    onion_pending_remove(ol_list->circ);
Roger Dingledine's avatar
Roger Dingledine committed
76
    return onion_next_task(); /* recurse: how about the next one? */
77
78
  }

79
  assert(ol_length > 0);
80
81
82
  circ = ol_list->circ;
  onion_pending_remove(ol_list->circ);
  return circ;
83
84
}

85
86
/* go through ol_list, find the onion_queue_t element which points to
 * circ, remove and free that element. leave circ itself alone.
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
 */
void onion_pending_remove(circuit_t *circ) {
  struct onion_queue_t *tmpo, *victim;

  if(!ol_list)
    return; /* nothing here. */

  /* first check to see if it's the first entry */
  tmpo = ol_list;
  if(tmpo->circ == circ) {
    /* it's the first one. remove it from the list. */
    ol_list = tmpo->next;
    if(!ol_list)
      ol_tail = NULL;
    ol_length--;
    victim = tmpo;
  } else { /* we need to hunt through the rest of the list */
    for( ;tmpo->next && tmpo->next->circ != circ; tmpo=tmpo->next) ;
    if(!tmpo->next) {
106
      log_fn(LOG_DEBUG,"circ (p_aci %d) not in list, probably at cpuworker.",circ->p_aci);
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
      return;
    }
    /* now we know tmpo->next->circ == circ */
    victim = tmpo->next;
    tmpo->next = victim->next;
    if(ol_tail == victim)
      ol_tail = tmpo;
    ol_length--;
  }

  /* now victim points to the element that needs to be removed */

  free(victim); 
}

Roger Dingledine's avatar
Roger Dingledine committed
122
/* given a response payload and keys, initialize, then send a created cell back */
123
int onionskin_answer(circuit_t *circ, unsigned char *payload, unsigned char *keys) {
124
  unsigned char iv[16];
125
126
  cell_t cell;

127
  memset(iv, 0, 16);
128

129
130
131
  memset(&cell, 0, sizeof(cell_t));
  cell.command = CELL_CREATED;
  cell.aci = circ->p_aci;
132
  cell.length = DH_KEY_LEN;
133
134

  circ->state = CIRCUIT_STATE_OPEN;
Roger Dingledine's avatar
Roger Dingledine committed
135

Roger Dingledine's avatar
Roger Dingledine committed
136
  log_fn(LOG_DEBUG,"Entering.");
137

Roger Dingledine's avatar
Roger Dingledine committed
138
  memcpy(cell.payload, payload, DH_KEY_LEN);
Roger Dingledine's avatar
Roger Dingledine committed
139

Roger Dingledine's avatar
Roger Dingledine committed
140
  log_fn(LOG_DEBUG,"init cipher forward %d, backward %d.", *(int*)keys, *(int*)(keys+16));
141
142

  if (!(circ->n_crypto =
Nick Mathewson's avatar
src/or    
Nick Mathewson committed
143
        crypto_create_init_cipher(CIRCUIT_CIPHER,keys,iv,0))) {
144
    log_fn(LOG_WARNING,"Cipher initialization failed (n).");
Roger Dingledine's avatar
Roger Dingledine committed
145
146
147
    return -1;
  }

148
  if (!(circ->p_crypto =
Nick Mathewson's avatar
src/or    
Nick Mathewson committed
149
        crypto_create_init_cipher(CIRCUIT_CIPHER,keys+16,iv,1))) {
150
    log_fn(LOG_WARNING,"Cipher initialization failed (p).");
Roger Dingledine's avatar
Roger Dingledine committed
151
152
153
    return -1;
  }

154
  connection_write_cell_to_buf(&cell, circ->p_conn);
Roger Dingledine's avatar
Roger Dingledine committed
155
  log_fn(LOG_DEBUG,"Finished sending 'created' cell.");
Roger Dingledine's avatar
Roger Dingledine committed
156
157
158
159

  return 0;
}

160
/* uses a weighted coin with weight cw to choose a route length */
Roger Dingledine's avatar
Roger Dingledine committed
161
static int chooselen(double cw) {
162
  int len = 2;
163
  uint8_t coin;
164
165
166
167
168
169
  
  if ((cw < 0) || (cw >= 1)) /* invalid parameter */
    return -1;
  
  while(1)
  {
170
    if (CRYPTO_PSEUDO_RAND_INT(coin))
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
      return -1;
    
    if (coin > cw*255) /* don't extend */
      break;
    else
      len++;
  }
  
  return len;
}

/* returns an array of pointers to routent that define a new route through the OR network
 * int cw is the coin weight to use when choosing the route 
 * order of routers is from last to first
 */
Roger Dingledine's avatar
Roger Dingledine committed
186
static unsigned int *new_route(double cw, routerinfo_t **rarray, int rarray_len, int *routelen) {
187
  int i;
188
  int num_acceptable_routers;
189
  unsigned int *route;
190
  unsigned int oldchoice, choice;
191

192
  assert((cw >= 0) && (cw < 1) && (rarray) && (routelen) ); /* valid parameters */
193

194
195
  *routelen = chooselen(cw);
  if (*routelen == -1) {
196
    log_fn(LOG_WARNING,"Choosing route length failed.");
Roger Dingledine's avatar
Roger Dingledine committed
197
198
    return NULL;
  }
199
  log_fn(LOG_DEBUG,"Chosen route length %d (%d routers available).",*routelen, rarray_len);
Roger Dingledine's avatar
Roger Dingledine committed
200

201
202
  num_acceptable_routers = count_acceptable_routers(rarray, rarray_len);

203
  if(num_acceptable_routers < 2) {
204
    log_fn(LOG_INFO,"Not enough acceptable routers. Failing.");
205
206
207
    return NULL;
  }

208
  if(num_acceptable_routers < *routelen) {
209
    log_fn(LOG_INFO,"Not enough routers: cutting routelen from %d to %d.",*routelen, num_acceptable_routers);
210
    *routelen = num_acceptable_routers;
Roger Dingledine's avatar
Roger Dingledine committed
211
  }
212

213
  if(*routelen < 1) {
214
    log_fn(LOG_WARNING,"Didn't find any acceptable routers. Failing.");
Roger Dingledine's avatar
Roger Dingledine committed
215
216
217
218
    return NULL;
  }

  /* allocate memory for the new route */
219
  route = (unsigned int *)tor_malloc(*routelen * sizeof(unsigned int));
Roger Dingledine's avatar
Roger Dingledine committed
220
221
 
  oldchoice = rarray_len;
222
  for(i=0;i<*routelen;i++) {
223
    log_fn(LOG_DEBUG,"Choosing hop %u.",i);
224
    if (CRYPTO_PSEUDO_RAND_INT(choice)) {
Roger Dingledine's avatar
Roger Dingledine committed
225
      free((void *)route);
226
227
228
      return NULL;
    }

229
    choice = choice % rarray_len;
230
    log_fn(LOG_DEBUG,"Contemplating router %u.",choice);
231
    if(choice == oldchoice ||
232
       (oldchoice < rarray_len && !crypto_pk_cmp_keys(rarray[choice]->onion_pkey, rarray[oldchoice]->onion_pkey)) ||
233
      (options.OnionRouter && !connection_twin_get_by_addr_port(rarray[choice]->addr, rarray[choice]->or_port))) {
Roger Dingledine's avatar
Roger Dingledine committed
234
235
236
      /* Same router as last choice, or router twin,
       *   or no routers with that key are connected to us.
       * Try again. */
237
      log_fn(LOG_DEBUG,"Picked a router %d that won't work as next hop.",choice);
238
239
      i--;
      continue;  
240
    }
241
    log_fn(LOG_DEBUG,"Chosen router %u for hop %u.",choice,i);
Roger Dingledine's avatar
Roger Dingledine committed
242
243
244
    oldchoice = choice;
    route[i] = choice;
  }
245
   
Roger Dingledine's avatar
Roger Dingledine committed
246
  return route;
247
248
}

249
250
251
static int count_acceptable_routers(routerinfo_t **rarray, int rarray_len) {
  int i, j;
  int num=0;
252
  connection_t *conn;
253
254

  for(i=0;i<rarray_len;i++) {
255
    log_fn(LOG_DEBUG,"Contemplating whether router %d is a new option...",i);
256
    if(options.OnionRouter) {
257
258
      conn = connection_exact_get_by_addr_port(rarray[i]->addr, rarray[i]->or_port);
      if(!conn || conn->type != CONN_TYPE_OR || conn->state != OR_CONN_STATE_OPEN) {
259
        log_fn(LOG_DEBUG,"Nope, %d is not connected.",i);
260
261
        goto next_i_loop;
      }
262
263
    }
    for(j=0;j<i;j++) {
264
      if(!crypto_pk_cmp_keys(rarray[i]->onion_pkey, rarray[j]->onion_pkey)) {
265
        /* these guys are twins. so we've already counted him. */
266
        log_fn(LOG_DEBUG,"Nope, %d is a twin of %d.",i,j);
267
268
269
270
        goto next_i_loop;
      }
    }
    num++;
271
    log_fn(LOG_DEBUG,"I like %d. num_acceptable_routers now %d.",i, num);
272
273
274
275
276
277
278
    next_i_loop:
      ; /* our compiler may need an explicit statement after the label */
  }

  return num;
}

279
280
281
282
crypt_path_t *onion_generate_cpath(routerinfo_t **firsthop) {
  int routelen; /* length of the route */
  unsigned int *route; /* hops in the route as an array of indexes into rarray */
  crypt_path_t *cpath=NULL;
283
  directory_t *dir;
284
285
  routerinfo_t **rarray;
  int rarray_len;
286
287
  int i;
  crypt_path_t *hop;
288
  routerinfo_t *router;
289
  struct in_addr netaddr;
290

291
292
293
  router_get_directory(&dir);
  rarray = dir->routers;
  rarray_len = dir->n_routers;
294

295
296
297
  /* choose a route */
  route = new_route(options.CoinWeight, rarray, rarray_len, &routelen);
  if (!route) {
298
    log_fn(LOG_INFO,"Error choosing a route through the OR network.");
299
300
    return NULL;
  }
301
  log_fn(LOG_DEBUG,"Chosen a route of length %u: ",routelen);
302
303
304

  *firsthop = rarray[route[routelen-1]];
  assert(*firsthop); /* should always be defined */
305

306
  for(i=0; i<routelen; i++) {
307
308
    netaddr.s_addr = htonl((rarray[route[i]])->addr);

309
    log_fn(LOG_DEBUG,"%u : %s:%u, %u/%u",routelen-i,
310
311
        inet_ntoa(netaddr),
        (rarray[route[i]])->or_port,
312
313
        (int) (rarray[route[i]])->onion_pkey,
        crypto_pk_keysize((rarray[route[i]])->onion_pkey));
314
  }
315

316
  /* create the cpath layer by layer, starting at the last hop */
317
318
  for (i=0;i<routelen;i++) {
    router = rarray[route[i]];
319

320
    /* build up the crypt_path */
321
    hop = (crypt_path_t *)tor_malloc(sizeof(crypt_path_t));
322
    memset(hop, 0, sizeof(crypt_path_t));
323

324
    /* link hop into the cpath, at the front */
325
    hop->next = cpath;
326
    hop->prev = NULL;
327
328
329
    hop->state = CPATH_STATE_CLOSED;
    if(cpath) {
      cpath->prev = hop;
330
    }
331
    cpath = hop;
332

333
334
    hop->port = rarray[route[i]]->or_port;
    hop->addr = rarray[route[i]]->addr;
335

336
337
338
    hop->package_window = CIRCWINDOW_START;
    hop->deliver_window = CIRCWINDOW_START;

339
    log_fn(LOG_DEBUG,"Building hop %u of crypt path.",i+1);
340
  }
341

342
  /* now link cpath->prev to the end of cpath */
343
344
345
  for(hop=cpath; hop->next; hop=hop->next) ;
  hop->next = cpath;
  cpath->prev = hop;
346

347
348
  free(route);
  return cpath;
349
350
}

351
352
/*----------------------------------------------------------------------*/

353
/* Given a router's public key, generates a 144-byte encrypted DH pubkey,
354
355
356
357
358
 * and stores it into onion_skin out.  Stores the DH private key into 
 * handshake_state_out for later completion of the handshake.
 *
 * The encrypted pubkey is formed as follows:
 *    16 bytes of symmetric key
359
 *   128 bytes of g^x for DH.
360
 * The first 128 bytes are RSA-encrypted with the server's public key,
361
 * and the last 16 are encrypted with the symmetric key.
362
363
 */
int
364
onion_skin_create(crypto_pk_env_t *dest_router_key,
365
                  crypto_dh_env_t **handshake_state_out,
366
                  char *onion_skin_out) /* Must be DH_ONIONSKIN_LEN bytes long */
367
368
369
370
371
372
373
374
{
  char iv[16];
  char *pubkey = NULL;
  crypto_dh_env_t *dh = NULL;
  crypto_cipher_env_t *cipher = NULL;
  int dhbytes, pkbytes;

  *handshake_state_out = NULL;
375
  memset(onion_skin_out, 0, DH_ONIONSKIN_LEN);
376
  memset(iv, 0, 16);
377
378
379
380
381

  if (!(dh = crypto_dh_new()))
    goto err;
  
  dhbytes = crypto_dh_get_bytes(dh);
382
  pkbytes = crypto_pk_keysize(dest_router_key);
383
  assert(dhbytes+16 == DH_ONIONSKIN_LEN);
384
  pubkey = (char *)tor_malloc(dhbytes+16);
385
386
387

  if (crypto_rand(16, pubkey))
    goto err;
388
389
390
391
392
393
394
395
396
  
  /* XXXX You can't just run around RSA-encrypting any bitstream: if it's
   *      greater than the RSA key, then OpenSSL will happily encrypt,
   *      and later decrypt to the wrong value.  So we set the first bit
   *      of 'pubkey' to 0.  This means that our symmetric key is really only
   *      127 bits long, but since it shouldn't be necessary to encrypt
   *      DH public keys values in the first place, we should be fine.
   */
  pubkey[0] &= 0x7f; 
397
398
399
400

  if (crypto_dh_get_public(dh, pubkey+16, dhbytes))
    goto err;

401
402
403
404
405
406
407
408
409
410
411
412
413
#ifdef DEBUG_ONION_SKINS
#define PA(a,n) \
  { int _i; for (_i = 0; _i<n; ++_i) printf("%02x ",((int)(a)[_i])&0xFF); }

  printf("Client: client g^x:");
  PA(pubkey+16,3);
  printf("...");
  PA(pubkey+141,3);
  puts("");

  printf("Client: client symkey:");
  PA(pubkey+0,16);
  puts("");
414
415
#endif

Nick Mathewson's avatar
src/or    
Nick Mathewson committed
416
  cipher = crypto_create_init_cipher(ONION_CIPHER, pubkey, iv, 1);
417
418
419
420

  if (!cipher)
    goto err;

421
  if (crypto_pk_public_encrypt(dest_router_key, pubkey, pkbytes,
422
                               onion_skin_out, RSA_NO_PADDING)==-1)
423
424
    goto err;

425
  if (crypto_cipher_encrypt(cipher, pubkey+pkbytes, dhbytes+16-pkbytes,
426
427
428
429
430
431
                            onion_skin_out+pkbytes))
    goto err;

  free(pubkey);
  crypto_free_cipher_env(cipher);
  *handshake_state_out = dh;
432

433
434
435
436
437
438
439
440
441
  return 0;
 err:
  if (pubkey) free(pubkey);
  if (dh) crypto_dh_free(dh);
  if (cipher) crypto_free_cipher_env(cipher);
  return -1;
}

/* Given an encrypted DH public key as generated by onion_skin_create,
442
 * and the private key for this onion router, generate the 128-byte DH
443
444
445
 * reply, and key_out_len bytes of key material, stored in key_out.
 */
int
446
onion_skin_server_handshake(char *onion_skin, /* DH_ONIONSKIN_LEN bytes long */
447
                            crypto_pk_env_t *private_key,
448
                            char *handshake_reply_out, /* DH_KEY_LEN bytes long */
449
450
451
                            char *key_out,
                            int key_out_len)
{
452
  char buf[DH_ONIONSKIN_LEN];
453
454
455
456
  char iv[16];
  crypto_dh_env_t *dh = NULL;
  crypto_cipher_env_t *cipher = NULL;
  int pkbytes;
457
  int len;
458
459
460
461
462
463
  
  memset(iv, 0, 16);
  pkbytes = crypto_pk_keysize(private_key);

  if (crypto_pk_private_decrypt(private_key,
                                onion_skin, pkbytes,
464
                                buf, RSA_NO_PADDING) == -1)
465
    goto err;
466
  
467
468
469
470
#ifdef DEBUG_ONION_SKINS
  printf("Server: client symkey:");
  PA(buf+0,16);
  puts("");
471
#endif
472

Nick Mathewson's avatar
src/or    
Nick Mathewson committed
473
  cipher = crypto_create_init_cipher(ONION_CIPHER, buf, iv, 0);
474

475
  if (crypto_cipher_decrypt(cipher, onion_skin+pkbytes, DH_ONIONSKIN_LEN-pkbytes,
476
477
                            buf+pkbytes))
    goto err;
478

479
480
481
482
483
484
#ifdef DEBUG_ONION_SKINS
  printf("Server: client g^x:");
  PA(buf+16,3);
  printf("...");
  PA(buf+141,3);
  puts("");
485
#endif
486
487
  
  dh = crypto_dh_new();
488
  if (crypto_dh_get_public(dh, handshake_reply_out, DH_KEY_LEN))
489
490
    goto err;

491
492
493
494
495
496
497
498
#ifdef DEBUG_ONION_SKINS
  printf("Server: server g^y:");
  PA(handshake_reply_out+0,3);
  printf("...");
  PA(handshake_reply_out+125,3);
  puts("");
#endif

Nick Mathewson's avatar
src/or    
Nick Mathewson committed
499
  len = crypto_dh_compute_secret(dh, buf+16, DH_KEY_LEN, key_out, key_out_len);
500
  if (len < 0)
501
502
    goto err;

503
#ifdef DEBUG_ONION_SKINS
504
505
506
  printf("Server: key material:");
  PA(buf, DH_KEY_LEN);
  puts("");
507
508
509
510
511
  printf("Server: keys out:");
  PA(key_out, key_out_len);
  puts("");
#endif

512
513
514
515
516
517
518
519
520
521
522
  crypto_free_cipher_env(cipher);
  crypto_dh_free(dh);
  return 0;
 err:
  if (cipher) crypto_free_cipher_env(cipher);
  if (dh) crypto_dh_free(dh);

  return -1;
}

/* Finish the client side of the DH handshake.
523
 * Given the 128 byte DH reply as generated by onion_skin_server_handshake
524
525
526
527
528
529
530
 * and the handshake state generated by onion_skin_create, generate
 * key_out_len bytes of shared key material and store them in key_out.
 *
 * After the invocation, call crypto_dh_free on handshake_state.
 */
int
onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
531
                            char *handshake_reply,/* Must be DH_KEY_LEN bytes long*/
532
533
534
                            char *key_out,
                            int key_out_len) 
{
535
  int len;
536
  assert(crypto_dh_get_bytes(handshake_state) == DH_KEY_LEN);
537
  
538
539
540
541
542
543
544
545
#ifdef DEBUG_ONION_SKINS
  printf("Client: server g^y:");
  PA(handshake_reply+0,3);
  printf("...");
  PA(handshake_reply+125,3);
  puts("");
#endif

546
  len = crypto_dh_compute_secret(handshake_state, handshake_reply, DH_KEY_LEN,
Nick Mathewson's avatar
src/or    
Nick Mathewson committed
547
                                 key_out, key_out_len);
548
  if (len < 0)
549
550
    return -1;
  
551
552
553
554
555
556
#ifdef DEBUG_ONION_SKINS
  printf("Client: keys out:");
  PA(key_out, key_out_len);
  puts("");
#endif

557
558
559
  return 0;
}

560
561
562
563
564
565
566
/*
  Local Variables:
  mode:c
  indent-tabs-mode:nil
  c-basic-offset:2
  End:
*/