From: Nick Mathewson Date: Mon, 17 Mar 2025 13:43:27 +0000 (-0400) Subject: Remove higher-level RSA-SHA256-TLSSecret code. X-Git-Tag: tor-0.4.9.2-alpha~30^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9738e40d3ddf96549bafb9d6d92b093b0bb8a645;p=thirdparty%2Ftor.git Remove higher-level RSA-SHA256-TLSSecret code. This is all unreachable now, so we can tear it out and simplify things a bit. --- diff --git a/src/core/or/channeltls.c b/src/core/or/channeltls.c index a79f5c36e8..bed1cd11df 100644 --- a/src/core/or/channeltls.c +++ b/src/core/or/channeltls.c @@ -2469,18 +2469,16 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan) if (! expected_cell) ERR("Couldn't compute expected AUTHENTICATE cell body"); - int sig_is_rsa; - if (authtype == AUTHTYPE_RSA_SHA256_TLSSECRET || - authtype == AUTHTYPE_RSA_SHA256_RFC5705) { - bodylen = V3_AUTH_BODY_LEN; - sig_is_rsa = 1; + if (BUG(authtype != AUTHTYPE_ED25519_SHA256_RFC5705)) { + /* We should have detected that we don't support this + * authentication type earlier, when we called + * authchallenge_type_is_supported(). */ + ERR("Unsupported authentication type"); } else { - tor_assert(authtype == AUTHTYPE_ED25519_SHA256_RFC5705); /* Our earlier check had better have made sure we had room * for an ed25519 sig (inadvertently) */ tor_assert(V3_AUTH_BODY_LEN > ED25519_SIG_LEN); bodylen = authlen - ED25519_SIG_LEN; - sig_is_rsa = 0; } if (expected_cell->payload_len != bodylen+4) { ERR("Expected AUTHENTICATE cell body len not as expected."); @@ -2496,47 +2494,7 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan) if (tor_memneq(expected_cell->payload+4, auth, bodylen-24)) ERR("Some field in the AUTHENTICATE cell body was not as expected"); - if (sig_is_rsa) { - if (chan->conn->handshake_state->certs->ed_id_sign != NULL) - ERR("RSA-signed AUTHENTICATE response provided with an ED25519 cert"); - - if (chan->conn->handshake_state->certs->auth_cert == NULL) - ERR("We never got an RSA authentication certificate"); - - crypto_pk_t *pk = tor_tls_cert_get_key( - chan->conn->handshake_state->certs->auth_cert); - char d[DIGEST256_LEN]; - char *signed_data; - size_t keysize; - int signed_len; - - if (! pk) { - ERR("Couldn't get RSA key from AUTH cert."); - } - crypto_digest256(d, (char*)auth, V3_AUTH_BODY_LEN, DIGEST_SHA256); - - keysize = crypto_pk_keysize(pk); - signed_data = tor_malloc(keysize); - signed_len = crypto_pk_public_checksig(pk, signed_data, keysize, - (char*)auth + V3_AUTH_BODY_LEN, - authlen - V3_AUTH_BODY_LEN); - crypto_pk_free(pk); - if (signed_len < 0) { - tor_free(signed_data); - ERR("RSA signature wasn't valid"); - } - if (signed_len < DIGEST256_LEN) { - tor_free(signed_data); - ERR("Not enough data was signed"); - } - /* Note that we deliberately allow *more* than DIGEST256_LEN bytes here, - * in case they're later used to hold a SHA3 digest or something. */ - if (tor_memneq(signed_data, d, DIGEST256_LEN)) { - tor_free(signed_data); - ERR("Signature did not match data to be signed."); - } - tor_free(signed_data); - } else { + { if (chan->conn->handshake_state->certs->ed_id_sign == NULL) ERR("We never got an Ed25519 identity certificate."); if (chan->conn->handshake_state->certs->ed_sign_auth == NULL) @@ -2563,7 +2521,7 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan) const common_digests_t *id_digests = tor_x509_cert_get_id_digests(id_cert); const ed25519_public_key_t *ed_identity_received = NULL; - if (! sig_is_rsa) { + { chan->conn->handshake_state->authenticated_ed25519 = 1; ed_identity_received = &chan->conn->handshake_state->certs->ed_id_sign->signing_key; diff --git a/src/feature/relay/relay_handshake.c b/src/feature/relay/relay_handshake.c index 4187475050..362cc81f63 100644 --- a/src/feature/relay/relay_handshake.c +++ b/src/feature/relay/relay_handshake.c @@ -233,11 +233,6 @@ connection_or_send_auth_challenge_cell(or_connection_t *conn) tor_assert(sizeof(ac->challenge) == 32); crypto_rand((char*)ac->challenge, sizeof(ac->challenge)); - if (authchallenge_type_is_supported(AUTHTYPE_RSA_SHA256_TLSSECRET)) - auth_challenge_cell_add_methods(ac, AUTHTYPE_RSA_SHA256_TLSSECRET); - /* Disabled, because everything that supports this method also supports - * the much-superior ED25519_SHA256_RFC5705 */ - /* auth_challenge_cell_add_methods(ac, AUTHTYPE_RSA_SHA256_RFC5705); */ if (authchallenge_type_is_supported(AUTHTYPE_ED25519_SHA256_RFC5705)) auth_challenge_cell_add_methods(ac, AUTHTYPE_ED25519_SHA256_RFC5705); auth_challenge_cell_set_n_methods(ac, @@ -292,23 +287,20 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, auth1_t *auth = NULL; auth_ctx_t *ctx = auth_ctx_new(); var_cell_t *result = NULL; - int old_tlssecrets_algorithm = 0; const char *authtype_str = NULL; - int is_ed = 0; + (void) signing_key; // XXXX remove. /* assert state is reasonable XXXX */ switch (authtype) { case AUTHTYPE_RSA_SHA256_TLSSECRET: - authtype_str = "AUTH0001"; - old_tlssecrets_algorithm = 1; - break; case AUTHTYPE_RSA_SHA256_RFC5705: - authtype_str = "AUTH0002"; + /* These are unsupported; we should never reach this point. */ + tor_assert_nonfatal_unreached_once(); + return NULL; break; case AUTHTYPE_ED25519_SHA256_RFC5705: authtype_str = "AUTH0003"; - is_ed = 1; break; default: tor_assert(0); @@ -316,7 +308,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, } auth = auth1_new(); - ctx->is_ed = is_ed; + ctx->is_ed = 1; /* Type: 8 bytes. */ memcpy(auth1_getarray_type(auth), authtype_str, 8); @@ -345,7 +337,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, memcpy(auth->sid, server_id, 32); } - if (is_ed) { + { const ed25519_public_key_t *my_ed_id, *their_ed_id; if (!conn->handshake_state->certs->ed_id_sign) { log_warn(LD_OR, "Ed authenticate without Ed ID cert from peer."); @@ -398,13 +390,8 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, tor_x509_cert_free(cert); } - /* HMAC of clientrandom and serverrandom using master key : 32 octets */ - if (old_tlssecrets_algorithm) { - log_fn(LOG_PROTOCOL_WARN, LD_OR, "Somebody asked us for an obsolete TLS " - "authentication method (AUTHTYPE_RSA_SHA256_TLSSECRET) " - "which we don't support."); - goto err; - } else { + /* RFC5709 key exporter material : 32 octets */ + { char label[128]; tor_snprintf(label, sizeof(label), "EXPORTER FOR TOR TLS CLIENT BINDING %s", authtype_str); @@ -425,10 +412,8 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, crypto_rand((char*)auth->rand, 24); ssize_t maxlen = auth1_encoded_len(auth, ctx); - if (ed_signing_key && is_ed) { + if (ed_signing_key) { maxlen += ED25519_SIG_LEN; - } else if (signing_key && !is_ed) { - maxlen += crypto_pk_keysize(signing_key); } const int AUTH_CELL_HEADER_LEN = 4; /* 2 bytes of type, 2 bytes of length */ @@ -469,7 +454,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, goto done; } - if (ed_signing_key && is_ed) { + if (ed_signing_key) { ed25519_signature_t sig; if (ed25519_sign(&sig, out, len, ed_signing_key) < 0) { /* LCOV_EXCL_START */ @@ -479,22 +464,6 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, } auth1_setlen_sig(auth, ED25519_SIG_LEN); memcpy(auth1_getarray_sig(auth), sig.sig, ED25519_SIG_LEN); - - } else if (signing_key && !is_ed) { - auth1_setlen_sig(auth, crypto_pk_keysize(signing_key)); - - char d[32]; - crypto_digest256(d, (char*)out, len, DIGEST_SHA256); - int siglen = crypto_pk_private_sign(signing_key, - (char*)auth1_getarray_sig(auth), - auth1_getlen_sig(auth), - d, 32); - if (siglen < 0) { - log_warn(LD_OR, "Unable to sign AUTH1 data."); - goto err; - } - - auth1_setlen_sig(auth, siglen); } len = auth1_encode(out, outlen, auth, ctx);