Loading src/common/crypto.c +16 −9 Original line number Diff line number Diff line Loading @@ -2109,25 +2109,32 @@ crypto_hmac_sha256(char *hmac_out, tor_assert(rv); } /** Compute an SHA3 MAC of <b>msg</b> using <b>key</b> as the key. The format * used for our MAC is SHA3(k | m). Write the DIGEST256_LEN-byte result into * <b>mac_out</b> of size <b>mac_out_len</b>. */ /** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a * <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length * <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in * <b>mac_out</b>. This function can't fail. */ void crypto_mac_sha3_256(char *mac_out, size_t mac_out_len, const char *key, size_t key_len, const char *msg, size_t msg_len) crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len) { crypto_digest_t *digest; const uint64_t key_len_netorder = tor_htonll(key_len); tor_assert(mac_out); tor_assert(key); tor_assert(msg); digest = crypto_digest256_new(DIGEST_SHA3_256); crypto_digest_add_bytes(digest, key, key_len); crypto_digest_add_bytes(digest, msg, msg_len); crypto_digest_get_digest(digest, mac_out, mac_out_len); /* Order matters here that is any subsystem using this function should * expect this very precise ordering in the MAC construction. */ crypto_digest_add_bytes(digest, (const char *) &key_len_netorder, sizeof(key_len_netorder)); crypto_digest_add_bytes(digest, (const char *) key, key_len); crypto_digest_add_bytes(digest, (const char *) msg, msg_len); crypto_digest_get_digest(digest, (char *) mac_out, len_out); crypto_digest_free(digest); } Loading src/common/crypto.h +4 −3 Original line number Diff line number Diff line Loading @@ -255,9 +255,10 @@ void crypto_digest_assign(crypto_digest_t *into, void crypto_hmac_sha256(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len); void crypto_mac_sha3_256(char *mac_out, size_t mac_out_len, const char *key, size_t key_len, const char *msg, size_t msg_len); void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len); crypto_xof_t *crypto_xof_new(void); void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len); void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len); Loading src/or/hs_intropoint.c +9 −9 Original line number Diff line number Diff line Loading @@ -42,7 +42,7 @@ get_auth_key_from_establish_intro_cell(ed25519_public_key_t *auth_key_out, * given <b>circuit_key_material</b>. Return 0 on success else -1 on error. */ STATIC int verify_establish_intro_cell(const hs_cell_establish_intro_t *cell, const char *circuit_key_material, const uint8_t *circuit_key_material, size_t circuit_key_material_len) { /* We only reach this function if the first byte of the cell is 0x02 which Loading @@ -62,7 +62,7 @@ verify_establish_intro_cell(const hs_cell_establish_intro_t *cell, return -1; } const char *msg = (char*) cell->start_cell; const uint8_t *msg = cell->start_cell; /* Verify the sig */ { Loading @@ -79,7 +79,7 @@ verify_establish_intro_cell(const hs_cell_establish_intro_t *cell, ed25519_public_key_t auth_key; get_auth_key_from_establish_intro_cell(&auth_key, cell); const size_t sig_msg_len = (char*) (cell->end_sig_fields) - msg; const size_t sig_msg_len = cell->end_sig_fields - msg; int sig_mismatch = ed25519_checksig_prefixed(&sig_struct, (uint8_t*) msg, sig_msg_len, ESTABLISH_INTRO_SIG_PREFIX, Loading @@ -92,8 +92,8 @@ verify_establish_intro_cell(const hs_cell_establish_intro_t *cell, /* Verify the MAC */ { const size_t auth_msg_len = (char*) (cell->end_mac_fields) - msg; char mac[DIGEST256_LEN]; const size_t auth_msg_len = cell->end_mac_fields - msg; uint8_t mac[DIGEST256_LEN]; crypto_mac_sha3_256(mac, sizeof(mac), circuit_key_material, circuit_key_material_len, msg, auth_msg_len); Loading Loading @@ -198,7 +198,7 @@ handle_establish_intro(or_circuit_t *circ, const uint8_t *request, } cell_ok = verify_establish_intro_cell(parsed_cell, circ->rend_circ_nonce, (uint8_t *) circ->rend_circ_nonce, sizeof(circ->rend_circ_nonce)); if (cell_ok < 0) { log_warn(LD_PROTOCOL, "Failed to verify ESTABLISH_INTRO cell."); Loading src/or/hs_intropoint.h +1 −1 Original line number Diff line number Diff line Loading @@ -28,7 +28,7 @@ int hs_intro_circuit_is_suitable(const or_circuit_t *circ); STATIC int verify_establish_intro_cell(const hs_cell_establish_intro_t *out, const char *circuit_key_material, const uint8_t *circuit_key_material, size_t circuit_key_material_len); STATIC void Loading src/or/hs_service.c +3 −3 Original line number Diff line number Diff line Loading @@ -60,7 +60,7 @@ set_cell_extensions(hs_cell_establish_intro_t *cell) * returned cell is allocated on the heap and it's the responsibility of the * caller to free it. */ STATIC hs_cell_establish_intro_t * generate_establish_intro_cell(const char *circuit_key_material, generate_establish_intro_cell(const uint8_t *circuit_key_material, size_t circuit_key_material_len) { hs_cell_establish_intro_t *cell = NULL; Loading Loading @@ -109,7 +109,7 @@ generate_establish_intro_cell(const char *circuit_key_material, /* To calculate HANDSHAKE_AUTH, we dump the cell in bytes, and then derive the MAC from it. */ uint8_t cell_bytes_tmp[RELAY_PAYLOAD_SIZE] = {0}; char mac[TRUNNEL_SHA3_256_LEN]; uint8_t mac[TRUNNEL_SHA3_256_LEN]; encoded_len = hs_cell_establish_intro_encode(cell_bytes_tmp, sizeof(cell_bytes_tmp), Loading @@ -125,7 +125,7 @@ generate_establish_intro_cell(const char *circuit_key_material, /* Calculate MAC of all fields before HANDSHAKE_AUTH */ crypto_mac_sha3_256(mac, sizeof(mac), circuit_key_material, circuit_key_material_len, (const char*)cell_bytes_tmp, cell_bytes_tmp, encoded_len - (ED25519_SIG_LEN + 2 + TRUNNEL_SHA3_256_LEN)); /* Write the MAC to the cell */ uint8_t *handshake_ptr = Loading Loading
src/common/crypto.c +16 −9 Original line number Diff line number Diff line Loading @@ -2109,25 +2109,32 @@ crypto_hmac_sha256(char *hmac_out, tor_assert(rv); } /** Compute an SHA3 MAC of <b>msg</b> using <b>key</b> as the key. The format * used for our MAC is SHA3(k | m). Write the DIGEST256_LEN-byte result into * <b>mac_out</b> of size <b>mac_out_len</b>. */ /** Compute a MAC using SHA3-256 of <b>msg_len</b> bytes in <b>msg</b> using a * <b>key</b> of length <b>key_len</b> and a <b>salt</b> of length * <b>salt_len</b>. Store the result of <b>len_out</b> bytes in in * <b>mac_out</b>. This function can't fail. */ void crypto_mac_sha3_256(char *mac_out, size_t mac_out_len, const char *key, size_t key_len, const char *msg, size_t msg_len) crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len) { crypto_digest_t *digest; const uint64_t key_len_netorder = tor_htonll(key_len); tor_assert(mac_out); tor_assert(key); tor_assert(msg); digest = crypto_digest256_new(DIGEST_SHA3_256); crypto_digest_add_bytes(digest, key, key_len); crypto_digest_add_bytes(digest, msg, msg_len); crypto_digest_get_digest(digest, mac_out, mac_out_len); /* Order matters here that is any subsystem using this function should * expect this very precise ordering in the MAC construction. */ crypto_digest_add_bytes(digest, (const char *) &key_len_netorder, sizeof(key_len_netorder)); crypto_digest_add_bytes(digest, (const char *) key, key_len); crypto_digest_add_bytes(digest, (const char *) msg, msg_len); crypto_digest_get_digest(digest, (char *) mac_out, len_out); crypto_digest_free(digest); } Loading
src/common/crypto.h +4 −3 Original line number Diff line number Diff line Loading @@ -255,9 +255,10 @@ void crypto_digest_assign(crypto_digest_t *into, void crypto_hmac_sha256(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len); void crypto_mac_sha3_256(char *mac_out, size_t mac_out_len, const char *key, size_t key_len, const char *msg, size_t msg_len); void crypto_mac_sha3_256(uint8_t *mac_out, size_t len_out, const uint8_t *key, size_t key_len, const uint8_t *msg, size_t msg_len); crypto_xof_t *crypto_xof_new(void); void crypto_xof_add_bytes(crypto_xof_t *xof, const uint8_t *data, size_t len); void crypto_xof_squeeze_bytes(crypto_xof_t *xof, uint8_t *out, size_t len); Loading
src/or/hs_intropoint.c +9 −9 Original line number Diff line number Diff line Loading @@ -42,7 +42,7 @@ get_auth_key_from_establish_intro_cell(ed25519_public_key_t *auth_key_out, * given <b>circuit_key_material</b>. Return 0 on success else -1 on error. */ STATIC int verify_establish_intro_cell(const hs_cell_establish_intro_t *cell, const char *circuit_key_material, const uint8_t *circuit_key_material, size_t circuit_key_material_len) { /* We only reach this function if the first byte of the cell is 0x02 which Loading @@ -62,7 +62,7 @@ verify_establish_intro_cell(const hs_cell_establish_intro_t *cell, return -1; } const char *msg = (char*) cell->start_cell; const uint8_t *msg = cell->start_cell; /* Verify the sig */ { Loading @@ -79,7 +79,7 @@ verify_establish_intro_cell(const hs_cell_establish_intro_t *cell, ed25519_public_key_t auth_key; get_auth_key_from_establish_intro_cell(&auth_key, cell); const size_t sig_msg_len = (char*) (cell->end_sig_fields) - msg; const size_t sig_msg_len = cell->end_sig_fields - msg; int sig_mismatch = ed25519_checksig_prefixed(&sig_struct, (uint8_t*) msg, sig_msg_len, ESTABLISH_INTRO_SIG_PREFIX, Loading @@ -92,8 +92,8 @@ verify_establish_intro_cell(const hs_cell_establish_intro_t *cell, /* Verify the MAC */ { const size_t auth_msg_len = (char*) (cell->end_mac_fields) - msg; char mac[DIGEST256_LEN]; const size_t auth_msg_len = cell->end_mac_fields - msg; uint8_t mac[DIGEST256_LEN]; crypto_mac_sha3_256(mac, sizeof(mac), circuit_key_material, circuit_key_material_len, msg, auth_msg_len); Loading Loading @@ -198,7 +198,7 @@ handle_establish_intro(or_circuit_t *circ, const uint8_t *request, } cell_ok = verify_establish_intro_cell(parsed_cell, circ->rend_circ_nonce, (uint8_t *) circ->rend_circ_nonce, sizeof(circ->rend_circ_nonce)); if (cell_ok < 0) { log_warn(LD_PROTOCOL, "Failed to verify ESTABLISH_INTRO cell."); Loading
src/or/hs_intropoint.h +1 −1 Original line number Diff line number Diff line Loading @@ -28,7 +28,7 @@ int hs_intro_circuit_is_suitable(const or_circuit_t *circ); STATIC int verify_establish_intro_cell(const hs_cell_establish_intro_t *out, const char *circuit_key_material, const uint8_t *circuit_key_material, size_t circuit_key_material_len); STATIC void Loading
src/or/hs_service.c +3 −3 Original line number Diff line number Diff line Loading @@ -60,7 +60,7 @@ set_cell_extensions(hs_cell_establish_intro_t *cell) * returned cell is allocated on the heap and it's the responsibility of the * caller to free it. */ STATIC hs_cell_establish_intro_t * generate_establish_intro_cell(const char *circuit_key_material, generate_establish_intro_cell(const uint8_t *circuit_key_material, size_t circuit_key_material_len) { hs_cell_establish_intro_t *cell = NULL; Loading Loading @@ -109,7 +109,7 @@ generate_establish_intro_cell(const char *circuit_key_material, /* To calculate HANDSHAKE_AUTH, we dump the cell in bytes, and then derive the MAC from it. */ uint8_t cell_bytes_tmp[RELAY_PAYLOAD_SIZE] = {0}; char mac[TRUNNEL_SHA3_256_LEN]; uint8_t mac[TRUNNEL_SHA3_256_LEN]; encoded_len = hs_cell_establish_intro_encode(cell_bytes_tmp, sizeof(cell_bytes_tmp), Loading @@ -125,7 +125,7 @@ generate_establish_intro_cell(const char *circuit_key_material, /* Calculate MAC of all fields before HANDSHAKE_AUTH */ crypto_mac_sha3_256(mac, sizeof(mac), circuit_key_material, circuit_key_material_len, (const char*)cell_bytes_tmp, cell_bytes_tmp, encoded_len - (ED25519_SIG_LEN + 2 + TRUNNEL_SHA3_256_LEN)); /* Write the MAC to the cell */ uint8_t *handshake_ptr = Loading