[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] add H(K|1) to the onionskin reply
Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/or
Modified Files:
circuit.c command.c cpuworker.c onion.c or.h test.c
Log Message:
add H(K|1) to the onionskin reply
verify it at the client end
abstract the onionskin handshake lengths
breaks backward compatibility (again)
Index: circuit.c
===================================================================
RCS file: /home/or/cvsroot/src/or/circuit.c,v
retrieving revision 1.117
retrieving revision 1.118
diff -u -d -r1.117 -r1.118
--- circuit.c 15 Dec 2003 21:35:52 -0000 1.117
+++ circuit.c 16 Dec 2003 08:21:58 -0000 1.118
@@ -114,6 +114,10 @@
crypto_free_cipher_env(victim->f_crypto);
if(victim->b_crypto)
crypto_free_cipher_env(victim->b_crypto);
+ if(victim->f_digest)
+ crypto_free_digest_env(victim->f_digest);
+ if(victim->b_digest)
+ crypto_free_digest_env(victim->b_digest);
if(victim->handshake_state)
crypto_dh_free(victim->handshake_state);
free(victim);
@@ -319,6 +323,12 @@
if(recognized) {
if(cell_direction == CELL_DIRECTION_OUT) {
+#if 0
+ if(relay_update_digest(circ->n_digest, cell) < 0) {
+ log_fn(LOG_WARN,"outgoing cell failed integrity check. Closing circ.");
+ return -1;
+ }
+#endif
++stats_n_relay_cells_delivered;
log_fn(LOG_DEBUG,"Sending to exit.");
if (connection_edge_process_relay_cell(cell, circ, conn, EDGE_EXIT, NULL) < 0) {
@@ -327,6 +337,12 @@
}
}
if(cell_direction == CELL_DIRECTION_IN) {
+#if 0
+ if(relay_update_digest(layer_hint->p_digest, cell) < 0) {
+ log_fn(LOG_WARN,"outgoing cell failed integrity check. Closing circ.");
+ return -1;
+ }
+#endif
++stats_n_relay_cells_delivered;
log_fn(LOG_DEBUG,"Sending to AP.");
if (connection_edge_process_relay_cell(cell, circ, conn, EDGE_AP, layer_hint) < 0) {
@@ -365,7 +381,8 @@
assert(inlen < 256);
if(cell_direction == CELL_DIRECTION_IN) {
- if(circ->cpath) { /* we're at the beginning of the circuit. We'll want to do layered crypts. */
+ if(circ->cpath) { /* we're at the beginning of the circuit.
+ We'll want to do layered crypts. */
thishop = circ->cpath;
if(thishop->state != CPATH_STATE_OPEN) {
log_fn(LOG_WARN,"Relay cell before first created cell?");
@@ -845,7 +862,7 @@
memset(&cell, 0, sizeof(cell_t));
cell.command = CELL_CREATE;
cell.circ_id = circ->n_circ_id;
- cell.length = DH_ONIONSKIN_LEN;
+ cell.length = ONIONSKIN_CHALLENGE_LEN;
if(onion_skin_create(circ->n_conn->onion_pkey, &(circ->cpath->handshake_state), cell.payload) < 0) {
log_fn(LOG_WARN,"onion_skin_create (first hop) failed.");
@@ -883,7 +900,7 @@
SET_CELL_RELAY_COMMAND(cell, RELAY_COMMAND_EXTEND);
SET_CELL_STREAM_ID(cell, ZERO_STREAM);
- cell.length = RELAY_HEADER_SIZE + 6 + DH_ONIONSKIN_LEN;
+ cell.length = RELAY_HEADER_SIZE + 6 + ONIONSKIN_CHALLENGE_LEN;
*(uint32_t*)(cell.payload+RELAY_HEADER_SIZE) = htonl(hop->addr);
*(uint16_t*)(cell.payload+RELAY_HEADER_SIZE+4) = htons(hop->port);
if(onion_skin_create(router->onion_pkey, &(hop->handshake_state), cell.payload+RELAY_HEADER_SIZE+6) < 0) {
@@ -954,9 +971,10 @@
memset(&newcell, 0, sizeof(cell_t));
newcell.command = CELL_CREATE;
newcell.circ_id = circ->n_circ_id;
- newcell.length = DH_ONIONSKIN_LEN;
+ newcell.length = ONIONSKIN_CHALLENGE_LEN;
- memcpy(newcell.payload, cell->payload+RELAY_HEADER_SIZE+6, DH_ONIONSKIN_LEN);
+ memcpy(newcell.payload, cell->payload+RELAY_HEADER_SIZE+6,
+ ONIONSKIN_CHALLENGE_LEN);
connection_or_write_cell_to_buf(&newcell, circ->n_conn);
return 0;
Index: command.c
===================================================================
RCS file: /home/or/cvsroot/src/or/command.c,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -d -r1.48 -r1.49
--- command.c 18 Nov 2003 07:48:00 -0000 1.48
+++ command.c 16 Dec 2003 08:21:58 -0000 1.49
@@ -103,7 +103,7 @@
circ = circuit_new(cell->circ_id, conn);
circ->state = CIRCUIT_STATE_ONIONSKIN_PENDING;
- if(cell->length != DH_ONIONSKIN_LEN) {
+ if(cell->length != ONIONSKIN_CHALLENGE_LEN) {
log_fn(LOG_WARN,"Bad cell length %d. Dropping.", cell->length);
circuit_close(circ);
return;
@@ -135,7 +135,7 @@
circuit_close(circ);
return;
}
- assert(cell->length == DH_KEY_LEN);
+ assert(cell->length == ONIONSKIN_REPLY_LEN);
if(circ->cpath) { /* we're the OP. Handshake this. */
log_fn(LOG_DEBUG,"at OP. Finishing handshake.");
@@ -153,7 +153,7 @@
} else { /* pack it into an extended relay cell, and send it. */
log_fn(LOG_INFO,"Converting created cell to extended relay cell, sending.");
connection_edge_send_command(NULL, circ, RELAY_COMMAND_EXTENDED,
- cell->payload, DH_KEY_LEN, NULL);
+ cell->payload, cell->length, NULL);
}
}
Index: cpuworker.c
===================================================================
RCS file: /home/or/cvsroot/src/or/cpuworker.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- cpuworker.c 14 Dec 2003 06:03:46 -0000 1.16
+++ cpuworker.c 16 Dec 2003 08:21:58 -0000 1.17
@@ -9,8 +9,8 @@
#define MIN_CPUWORKERS 1
#define TAG_LEN 8
-#define LEN_ONION_QUESTION (1+TAG_LEN+DH_ONIONSKIN_LEN)
-#define LEN_ONION_RESPONSE (1+TAG_LEN+DH_KEY_LEN+32)
+#define LEN_ONION_QUESTION (1+TAG_LEN+ONIONSKIN_CHALLENGE_LEN)
+#define LEN_ONION_RESPONSE (1+TAG_LEN+ONIONSKIN_REPLY_LEN+32)
int num_cpuworkers=0;
int num_cpuworkers_busy=0;
@@ -95,7 +95,7 @@
circuit_close(circ);
goto done_processing;
}
- if(onionskin_answer(circ, buf+1+TAG_LEN, buf+1+TAG_LEN+DH_KEY_LEN) < 0) {
+ if(onionskin_answer(circ, buf+1+TAG_LEN, buf+1+TAG_LEN+ONIONSKIN_REPLY_LEN) < 0) {
log_fn(LOG_WARN,"onionskin_answer failed. Closing.");
circuit_close(circ);
goto done_processing;
@@ -113,14 +113,14 @@
}
int cpuworker_main(void *data) {
- unsigned char question[DH_ONIONSKIN_LEN];
+ unsigned char question[ONIONSKIN_CHALLENGE_LEN];
unsigned char question_type;
int *fdarray = data;
int fd;
/* variables for onion processing */
unsigned char keys[32];
- unsigned char reply_to_proxy[DH_KEY_LEN];
+ unsigned char reply_to_proxy[ONIONSKIN_REPLY_LEN];
unsigned char buf[LEN_ONION_RESPONSE];
char tag[TAG_LEN];
@@ -140,7 +140,7 @@
spawn_exit();
}
- if(read_all(fd, question, DH_ONIONSKIN_LEN) != DH_ONIONSKIN_LEN) {
+ if(read_all(fd, question, ONIONSKIN_CHALLENGE_LEN) != ONIONSKIN_CHALLENGE_LEN) {
log_fn(LOG_ERR,"read question failed. Exiting.");
spawn_exit();
}
@@ -156,8 +156,8 @@
log_fn(LOG_INFO,"onion_skin_server_handshake succeeded.");
buf[0] = 1; /* 1 means success */
memcpy(buf+1,tag,TAG_LEN);
- memcpy(buf+1+TAG_LEN,reply_to_proxy,DH_KEY_LEN);
- memcpy(buf+1+TAG_LEN+DH_KEY_LEN,keys,32);
+ memcpy(buf+1+TAG_LEN,reply_to_proxy,ONIONSKIN_REPLY_LEN);
+ memcpy(buf+1+TAG_LEN+ONIONSKIN_REPLY_LEN,keys,32);
}
if(write_all(fd, buf, LEN_ONION_RESPONSE) != LEN_ONION_RESPONSE) {
log_fn(LOG_ERR,"writing response buf failed. Exiting.");
@@ -272,7 +272,7 @@
connection_write_to_buf(&question_type, 1, cpuworker);
connection_write_to_buf(tag, sizeof(tag), cpuworker);
- connection_write_to_buf(circ->onionskin, DH_ONIONSKIN_LEN, cpuworker);
+ connection_write_to_buf(circ->onionskin, ONIONSKIN_CHALLENGE_LEN, cpuworker);
}
return 0;
}
Index: onion.c
===================================================================
RCS file: /home/or/cvsroot/src/or/onion.c,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -d -r1.111 -r1.112
--- onion.c 14 Dec 2003 06:50:44 -0000 1.111
+++ onion.c 16 Dec 2003 08:21:58 -0000 1.112
@@ -124,13 +124,13 @@
memset(&cell, 0, sizeof(cell_t));
cell.command = CELL_CREATED;
cell.circ_id = circ->p_circ_id;
- cell.length = DH_KEY_LEN;
+ cell.length = ONIONSKIN_REPLY_LEN;
circ->state = CIRCUIT_STATE_OPEN;
log_fn(LOG_DEBUG,"Entering.");
- memcpy(cell.payload, payload, DH_KEY_LEN);
+ memcpy(cell.payload, payload, ONIONSKIN_REPLY_LEN);
log_fn(LOG_DEBUG,"init cipher forward %d, backward %d.", *(int*)keys, *(int*)(keys+16));
@@ -548,52 +548,56 @@
/*----------------------------------------------------------------------*/
-/* Given a router's public key, generates a 144-byte encrypted DH pubkey,
- * and stores it into onion_skin out. Stores the DH private key into
- * handshake_state_out for later completion of the handshake.
+/* Given a router's 128 byte public key,
+ stores the following in onion_skin_out:
+[16 bytes] Symmetric key for encrypting blob past RSA
+[112 bytes] g^x part 1 (inside the RSA)
+[16 bytes] g^x part 2 (symmetrically encrypted)
+[ 6 bytes] Meeting point (IP/port)
+[ 8 bytes] Meeting cookie
+[16 bytes] End-to-end authentication [optional]
+
+ * Stores the DH private key into handshake_state_out for later completion
+ * of the handshake.
*
- * The encrypted pubkey is formed as follows:
- * 16 bytes of symmetric key
- * 128 bytes of g^x for DH.
- * The first 128 bytes are RSA-encrypted with the server's public key,
- * and the last 16 are encrypted with the symmetric key.
+ * The meeting point/cookies and auth are zeroed out for now.
*/
int
onion_skin_create(crypto_pk_env_t *dest_router_key,
crypto_dh_env_t **handshake_state_out,
- char *onion_skin_out) /* Must be DH_ONIONSKIN_LEN bytes long */
+ char *onion_skin_out) /* Must be ONIONSKIN_CHALLENGE_LEN bytes */
{
char iv[16];
- char *pubkey = NULL;
+ char *challenge = NULL;
crypto_dh_env_t *dh = NULL;
crypto_cipher_env_t *cipher = NULL;
int dhbytes, pkbytes;
*handshake_state_out = NULL;
- memset(onion_skin_out, 0, DH_ONIONSKIN_LEN);
+ memset(onion_skin_out, 0, ONIONSKIN_CHALLENGE_LEN);
memset(iv, 0, 16);
if (!(dh = crypto_dh_new()))
goto err;
-
+
dhbytes = crypto_dh_get_bytes(dh);
pkbytes = crypto_pk_keysize(dest_router_key);
- assert(dhbytes+16 == DH_ONIONSKIN_LEN);
- pubkey = (char *)tor_malloc(dhbytes+16);
+ assert(dhbytes == 128);
+ assert(pkbytes == 128);
+ challenge = (char *)tor_malloc_zero(ONIONSKIN_CHALLENGE_LEN);
- if (crypto_rand(16, pubkey))
+ if (crypto_rand(16, challenge))
goto err;
/* You can't just run around RSA-encrypting any bitstream: if it's
* greater than the RSA key, then OpenSSL will happily encrypt,
* and later decrypt to the wrong value. So we set the first bit
- * of 'pubkey' to 0. This means that our symmetric key is really only
- * 127 bits long, but since it shouldn't be necessary to encrypt
- * DH public keys values in the first place, we should be fine.
+ * of 'challenge' to 0. This means that our symmetric key is really
+ * only 127 bits.
*/
- pubkey[0] &= 0x7f;
+ challenge[0] &= 0x7f;
- if (crypto_dh_get_public(dh, pubkey+16, dhbytes))
+ if (crypto_dh_get_public(dh, challenge+16, dhbytes))
goto err;
#ifdef DEBUG_ONION_SKINS
@@ -601,65 +605,69 @@
{ int _i; for (_i = 0; _i<n; ++_i) printf("%02x ",((int)(a)[_i])&0xFF); }
printf("Client: client g^x:");
- PA(pubkey+16,3);
+ PA(challenge+16,3);
printf("...");
- PA(pubkey+141,3);
+ PA(challenge+141,3);
puts("");
printf("Client: client symkey:");
- PA(pubkey+0,16);
+ PA(challenge+0,16);
puts("");
#endif
- cipher = crypto_create_init_cipher(ONION_CIPHER, pubkey, iv, 1);
+ /* set meeting point, meeting cookie, etc here. Leave zero for now. */
+
+ cipher = crypto_create_init_cipher(ONION_CIPHER, challenge, iv, 1);
if (!cipher)
goto err;
- if (crypto_pk_public_encrypt(dest_router_key, pubkey, pkbytes,
+ if (crypto_pk_public_encrypt(dest_router_key, challenge, pkbytes,
onion_skin_out, RSA_NO_PADDING)==-1)
goto err;
- if (crypto_cipher_encrypt(cipher, pubkey+pkbytes, dhbytes+16-pkbytes,
+ if (crypto_cipher_encrypt(cipher, challenge+pkbytes, ONIONSKIN_CHALLENGE_LEN-pkbytes,
onion_skin_out+pkbytes))
goto err;
- free(pubkey);
+ tor_free(challenge);
crypto_free_cipher_env(cipher);
*handshake_state_out = dh;
return 0;
err:
- tor_free(pubkey);
+ tor_free(challenge);
if (dh) crypto_dh_free(dh);
if (cipher) crypto_free_cipher_env(cipher);
return -1;
}
/* Given an encrypted DH public key as generated by onion_skin_create,
- * and the private key for this onion router, generate the 128-byte DH
- * reply, and key_out_len bytes of key material, stored in key_out.
+ * and the private key for this onion router, generate the reply (128-byte
+ * DH plus the first 20 bytes of shared key material), and store the
+ * next key_out_len bytes of key material in key_out.
*/
int
-onion_skin_server_handshake(char *onion_skin, /* DH_ONIONSKIN_LEN bytes long */
+onion_skin_server_handshake(char *onion_skin, /* ONIONSKIN_CHALLENGE_LEN bytes */
crypto_pk_env_t *private_key,
- char *handshake_reply_out, /* DH_KEY_LEN bytes long */
+ char *handshake_reply_out, /* ONIONSKIN_REPLY_LEN bytes */
char *key_out,
int key_out_len)
{
- char buf[DH_ONIONSKIN_LEN];
+ char challenge[ONIONSKIN_CHALLENGE_LEN];
char iv[16];
crypto_dh_env_t *dh = NULL;
crypto_cipher_env_t *cipher = NULL;
int pkbytes;
int len;
+ char *key_material=NULL;
memset(iv, 0, 16);
pkbytes = crypto_pk_keysize(private_key);
if (crypto_pk_private_decrypt(private_key,
onion_skin, pkbytes,
- buf, RSA_NO_PADDING) == -1)
+ challenge, RSA_NO_PADDING) == -1)
goto err;
#ifdef DEBUG_ONION_SKINS
@@ -668,10 +676,10 @@
puts("");
#endif
- cipher = crypto_create_init_cipher(ONION_CIPHER, buf, iv, 0);
+ cipher = crypto_create_init_cipher(ONION_CIPHER, challenge, iv, 0);
- if (crypto_cipher_decrypt(cipher, onion_skin+pkbytes, DH_ONIONSKIN_LEN-pkbytes,
- buf+pkbytes))
+ if (crypto_cipher_decrypt(cipher, onion_skin+pkbytes, ONIONSKIN_CHALLENGE_LEN-pkbytes,
+ challenge+pkbytes))
goto err;
#ifdef DEBUG_ONION_SKINS
@@ -681,7 +689,7 @@
PA(buf+141,3);
puts("");
#endif
-
+
dh = crypto_dh_new();
if (crypto_dh_get_public(dh, handshake_reply_out, DH_KEY_LEN))
goto err;
@@ -694,10 +702,18 @@
puts("");
#endif
- len = crypto_dh_compute_secret(dh, buf+16, DH_KEY_LEN, key_out, key_out_len);
+ key_material = tor_malloc(20+key_out_len);
+ len = crypto_dh_compute_secret(dh, challenge+16, DH_KEY_LEN,
+ key_material, 20+key_out_len);
if (len < 0)
goto err;
+ /* send back H(K) as proof that we learned K. */
+ memcpy(handshake_reply_out+DH_KEY_LEN, key_material, 20);
+
+ /* use the rest of the key material for our shared keys, digests, etc */
+ memcpy(key_out, key_material+20, key_out_len);
+
#ifdef DEBUG_ONION_SKINS
printf("Server: key material:");
PA(buf, DH_KEY_LEN);
@@ -707,10 +723,12 @@
puts("");
#endif
+ tor_free(key_material);
crypto_free_cipher_env(cipher);
crypto_dh_free(dh);
return 0;
err:
+ tor_free(key_material);
if (cipher) crypto_free_cipher_env(cipher);
if (dh) crypto_dh_free(dh);
@@ -718,19 +736,22 @@
}
/* Finish the client side of the DH handshake.
- * Given the 128 byte DH reply as generated by onion_skin_server_handshake
- * and the handshake state generated by onion_skin_create, generate
- * key_out_len bytes of shared key material and store them in key_out.
+ * Given the 128 byte DH reply + 20 byte hash as generated by
+ * onion_skin_server_handshake and the handshake state generated by
+ * onion_skin_create, verify H(K) with the first 20 bytes of shared
+ * key material, then generate key_out_len more bytes of shared key
+ * material and store them in key_out.
*
* After the invocation, call crypto_dh_free on handshake_state.
*/
int
onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
- char *handshake_reply,/* Must be DH_KEY_LEN bytes long*/
+ char *handshake_reply, /* Must be ONIONSKIN_REPLY_LEN bytes */
char *key_out,
- int key_out_len)
+ int key_out_len)
{
int len;
+ char *key_material=NULL;
assert(crypto_dh_get_bytes(handshake_state) == DH_KEY_LEN);
#ifdef DEBUG_ONION_SKINS
@@ -741,17 +762,29 @@
puts("");
#endif
+ key_material = tor_malloc(20+key_out_len);
len = crypto_dh_compute_secret(handshake_state, handshake_reply, DH_KEY_LEN,
- key_out, key_out_len);
+ key_material, 20+key_out_len);
if (len < 0)
return -1;
+ if(memcmp(key_material, handshake_reply+DH_KEY_LEN, 20)) {
+ /* H(K) does *not* match. Something fishy. */
+ tor_free(key_material);
+ log_fn(LOG_WARN,"Digest DOES NOT MATCH on onion handshake. Bug or attack.");
+ return -1;
+ }
+
+ /* use the rest of the key material for our shared keys, digests, etc */
+ memcpy(key_out, key_material+20, key_out_len);
+
#ifdef DEBUG_ONION_SKINS
printf("Client: keys out:");
PA(key_out, key_out_len);
puts("");
#endif
+ tor_free(key_material);
return 0;
}
Index: or.h
===================================================================
RCS file: /home/or/cvsroot/src/or/or.h,v
retrieving revision 1.206
retrieving revision 1.207
diff -u -d -r1.206 -r1.207
--- or.h 14 Dec 2003 08:32:14 -0000 1.206
+++ or.h 16 Dec 2003 08:21:58 -0000 1.207
@@ -374,6 +374,9 @@
crypto_cipher_env_t *f_crypto;
crypto_cipher_env_t *b_crypto;
+ crypto_digest_env_t *f_digest; /* for integrity checking */
+ crypto_digest_env_t *b_digest;
+
crypto_dh_env_t *handshake_state;
uint32_t addr;
@@ -391,7 +394,8 @@
};
#define DH_KEY_LEN CRYPTO_DH_SIZE
-#define DH_ONIONSKIN_LEN DH_KEY_LEN+16
+#define ONIONSKIN_CHALLENGE_LEN (16+DH_KEY_LEN+6+8+16)
+#define ONIONSKIN_REPLY_LEN (DH_KEY_LEN+20)
typedef struct crypt_path_t crypt_path_t;
@@ -417,10 +421,13 @@
crypto_cipher_env_t *p_crypto; /* used only for intermediate hops */
crypto_cipher_env_t *n_crypto;
+ crypto_digest_env_t *p_digest; /* for integrity checking, */
+ crypto_digest_env_t *n_digest; /* intermediate hops only */
+
cpath_build_state_t *build_state;
crypt_path_t *cpath;
- char onionskin[DH_ONIONSKIN_LEN]; /* for storage while onionskin pending */
+ char onionskin[ONIONSKIN_CHALLENGE_LEN]; /* for storage while onionskin pending */
time_t timestamp_created;
time_t timestamp_dirty; /* when the circuit was first used, or 0 if clean */
@@ -709,16 +716,16 @@
int onion_skin_create(crypto_pk_env_t *router_key,
crypto_dh_env_t **handshake_state_out,
- char *onion_skin_out); /* Must be DH_ONIONSKIN_LEN bytes long */
+ char *onion_skin_out);
-int onion_skin_server_handshake(char *onion_skin, /* DH_ONIONSKIN_LEN bytes long */
+int onion_skin_server_handshake(char *onion_skin,
crypto_pk_env_t *private_key,
- char *handshake_reply_out, /* DH_KEY_LEN bytes long */
+ char *handshake_reply_out,
char *key_out,
int key_out_len);
int onion_skin_client_handshake(crypto_dh_env_t *handshake_state,
- char *handshake_reply,/* Must be DH_KEY_LEN bytes long*/
+ char *handshake_reply,
char *key_out,
int key_out_len);
Index: test.c
===================================================================
RCS file: /home/or/cvsroot/src/or/test.c,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -d -r1.56 -r1.57
--- test.c 14 Dec 2003 09:58:43 -0000 1.56
+++ test.c 16 Dec 2003 08:21:58 -0000 1.57
@@ -485,11 +485,11 @@
test_onion_handshake() {
/* client-side */
crypto_dh_env_t *c_dh = NULL;
- char c_buf[DH_ONIONSKIN_LEN];
+ char c_buf[ONIONSKIN_CHALLENGE_LEN];
char c_keys[40];
/* server-side */
- char s_buf[DH_KEY_LEN];
+ char s_buf[ONIONSKIN_REPLY_LEN];
char s_keys[40];
/* shared */
@@ -499,11 +499,11 @@
test_assert(! crypto_pk_generate_key(pk));
/* client handshake 1. */
- memset(c_buf, 0, DH_ONIONSKIN_LEN);
+ memset(c_buf, 0, ONIONSKIN_CHALLENGE_LEN);
test_assert(! onion_skin_create(pk, &c_dh, c_buf));
/* server handshake */
- memset(s_buf, 0, DH_KEY_LEN);
+ memset(s_buf, 0, ONIONSKIN_REPLY_LEN);
memset(s_keys, 0, 40);
test_assert(! onion_skin_server_handshake(c_buf, pk, s_buf, s_keys, 40));