Fix for bug9635.
--- /dev/null
+ o Minor features:
+ - Give more specific warnings when we notice at the client side that
+ an onion handshake has failed. Fixes ticket 9635.
switch (type) {
case ONION_HANDSHAKE_TYPE_TAP:
- if (reply_len != TAP_ONIONSKIN_REPLY_LEN)
+ if (reply_len != TAP_ONIONSKIN_REPLY_LEN) {
+ log_warn(LD_CIRC, "TAP reply was not of the correct length.");
return -1;
+ }
if (onion_skin_TAP_client_handshake(handshake_state->u.tap,
(const char*)reply,
(char *)keys_out, keys_out_len) < 0)
return 0;
case ONION_HANDSHAKE_TYPE_FAST:
- if (reply_len != CREATED_FAST_LEN)
+ if (reply_len != CREATED_FAST_LEN) {
+ log_warn(LD_CIRC, "CREATED_FAST reply was not of the correct length.");
return -1;
+ }
if (fast_client_handshake(handshake_state->u.fast, reply,
keys_out, keys_out_len) < 0)
return -1;
return 0;
#ifdef CURVE25519_ENABLED
case ONION_HANDSHAKE_TYPE_NTOR:
- if (reply_len < NTOR_REPLY_LEN)
+ if (reply_len < NTOR_REPLY_LEN) {
+ log_warn(LD_CIRC, "ntor reply was not of the correct length.");
return -1;
+ }
{
size_t keys_tmp_len = keys_out_len + DIGEST_LEN;
uint8_t *keys_tmp = tor_malloc(keys_tmp_len);
out_len = key_out_len+DIGEST_LEN;
out = tor_malloc(out_len);
if (crypto_expand_key_material_TAP(tmp, sizeof(tmp), out, out_len)) {
+ log_warn(LD_CIRC, "Failed to expand key material");
goto done;
}
if (tor_memneq(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {
si += CURVE25519_OUTPUT_LEN;
curve25519_handshake(si, &handshake_state->seckey_x,
&handshake_state->pubkey_B);
- bad |= safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
+ bad |= (safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN) << 1);
si += CURVE25519_OUTPUT_LEN;
APPEND(si, handshake_state->router_id, DIGEST_LEN);
APPEND(si, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN);
/* Compute auth */
h_tweak(s.auth, s.auth_input, sizeof(s.auth_input), T->t_mac);
- bad |= tor_memneq(s.auth, auth_candidate, DIGEST256_LEN);
+ bad |= (tor_memneq(s.auth, auth_candidate, DIGEST256_LEN) << 2);
crypto_expand_key_material_rfc5869_sha256(
s.secret_input, sizeof(s.secret_input),
key_out, key_out_len);
memwipe(&s, 0, sizeof(s));
+
+ if (bad & 4) {
+ log_warn(LD_PROTOCOL, "Incorrect digest from ntor circuit extension "
+ "request.");
+ } else if (bad) {
+ log_warn(LD_PROTOCOL, "Invalid result from curve25519 handshake");
+ }
+
return bad ? -1 : 0;
}
len = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, handshake_state,
handshake_reply, DH_KEY_LEN, key_material,
key_material_len);
- if (len < 0)
+ if (len < 0) {
+ log_warn(LD_PROTOCOL,"DH computation failed.");
goto err;
+ }
if (tor_memneq(key_material, handshake_reply+DH_KEY_LEN, DIGEST_LEN)) {
/* H(K) does *not* match. Something fishy. */
projects / thirdparty / tor.git / commitdiff
