[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [obfsproxy/master] Stop doing iterative hashing when we don't have a shared secret.
commit 0da68ca3c40ffc775421ae732f70504ac74891fc
Author: George Kadianakis <desnacked@xxxxxxxxx>
Date: Thu May 26 00:33:46 2011 +0200
Stop doing iterative hashing when we don't have a shared secret.
---
doc/protocol-spec.txt | 24 ++++++++++--------------
src/main.c | 3 ++-
src/protocols/obfs2.c | 28 ++++++++++++++++------------
3 files changed, 28 insertions(+), 27 deletions(-)
diff --git a/doc/protocol-spec.txt b/doc/protocol-spec.txt
index 0f9edf9..798da14 100644
--- a/doc/protocol-spec.txt
+++ b/doc/protocol-spec.txt
@@ -17,6 +17,8 @@ The Twobfuscator
1. Primitives, notation, and constants.
H(x) is SHA256 of X
+ H^n(x) is H(x) called iteratively n times.
+
E_K(s) is the AES-counter-mode encryption of s using the key K.
x | y is the concatenation of x and y
@@ -39,9 +41,6 @@ The Twobfuscator
MAC(s, x) = H(s | x | s)
- Let n = HASH_ITERATIONS through section '2. Key establishment phase.'.
- Then, H^n(x) is H(x) called iteratively n times.
-
A "byte" is an 8-bit octet.
We require that HASHLEN >= KEYLEN + IVLEN
@@ -53,14 +52,12 @@ The Twobfuscator
a padding key as follows. The initiator generates:
INIT_SEED = SR(SEED_LENGTH)
- INIT_PAD_TEMP = MAC("Initiator obfuscation padding", INIT_SEED)[:KEYLEN]
- INIT_PAD_KEY = H^n(INIT_PAD_TEMP)
+ INIT_PAD_KEY = MAC("Initiator obfuscation padding", INIT_SEED)[:KEYLEN]
And the responder generates:
RESP_SEED = SR(SEED_LENGTH)
- RESP_PAD_TEMP = MAC("Responder obfuscation padding", INIT_SEED)[:KEYLEN]
- RESP_PAD_KEY = H^n(RESP_PAD_TEMP)
+ RESP_PAD_KEY = MAC("Responder obfuscation padding", INIT_SEED)[:KEYLEN]
Each then generates a random number PADLEN in range from 0 through
MAX_PADDING (inclusive), and sends:
@@ -79,12 +76,10 @@ The Twobfuscator
INIT_SECRET = MAC("Initiator obfuscated data", INIT_SEED|RESP_SEED)
RESP_SECRET = MAC("Responder obfuscated data", INIT_SEED|RESP_SEED)
- INIT_MASTER_KEY = H^n(INIT_SECRET)
- RESP_MASTER_KEY = H^n(RESP_SECRET)
- INIT_KEY = INIT_MASTER_KEY[:KEYLEN]
- INIT_IV = INIT_MASTER_KEY[KEYLEN:]
- RESP_KEY = RESP_MASTER_KEY[:KEYLEN]
- RESP_IV = RESP_MASTER_KEY[KEYLEN:]
+ INIT_KEY = INIT_SECRET[:KEYLEN]
+ INIT_IV = INIT_SECRET[KEYLEN:]
+ RESP_KEY = RESP_SECRET[:KEYLEN]
+ RESP_IV = RESP_SECRET[KEYLEN:]
The INIT_KEY value keys a stream cipher used to encrypt values from
initiator to responder thereafter. The stream cipher's IV is
@@ -97,5 +92,6 @@ The Twobfuscator
Optionally, if the client and server share a secret value SECRET,
they can replace the MAC function with:
- MAC(s,x) = H(s | x | SECRET | s)
+ MAC(s,x) = H^n(s | x | SECRET | s)
+ where n = HASH_ITERATIONS.
diff --git a/src/main.c b/src/main.c
index 59b6909..4c3c48c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -128,7 +128,8 @@ main(int argc, const char **argv)
mode, protocol,
(struct sockaddr *)&ss_listen, sl_listen,
sa_target, sl_target,
- shared_secret, strlen(shared_secret));
+ shared_secret,
+ shared_secret ? strlen(shared_secret) : 0);
if (! listener) {
printf("Couldn't create listener!\n");
return 4;
diff --git a/src/protocols/obfs2.c b/src/protocols/obfs2.c
index 4159691..b3fe590 100644
--- a/src/protocols/obfs2.c
+++ b/src/protocols/obfs2.c
@@ -75,8 +75,6 @@ derive_key(void *s, const char *keytype)
crypt_t *cryptstate;
uchar buf[SHA256_LENGTH];
digest_t *c = digest_new();
- digest_t *d;
- int i;
digest_update(c, (uchar*)keytype, strlen(keytype));
if (seed_nonzero(state->initiator_seed))
@@ -88,10 +86,14 @@ derive_key(void *s, const char *keytype)
digest_update(c, (uchar*)keytype, strlen(keytype));
digest_getdigest(c, buf, sizeof(buf));
- for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) {
- d = digest_new();
- digest_update(d, buf, sizeof(buf));
- digest_getdigest(d, buf, sizeof(buf));
+ if (seed_nonzero(state->secret_seed)) {
+ digest_t *d;
+ int i;
+ for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) {
+ d = digest_new();
+ digest_update(d, buf, sizeof(buf));
+ digest_getdigest(d, buf, sizeof(buf));
+ }
}
cryptstate = crypt_new(buf, 16);
@@ -110,8 +112,6 @@ derive_padding_key(void *s, const uchar *seed,
crypt_t *cryptstate;
uchar buf[SHA256_LENGTH];
digest_t *c = digest_new();
- digest_t *d;
- int i;
digest_update(c, (uchar*)keytype, strlen(keytype));
if (seed_nonzero(seed))
@@ -121,10 +121,14 @@ derive_padding_key(void *s, const uchar *seed,
digest_update(c, (uchar*)keytype, strlen(keytype));
digest_getdigest(c, buf, sizeof(buf));
- for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) {
- d = digest_new();
- digest_update(d, buf, sizeof(buf));
- digest_getdigest(d, buf, sizeof(buf));
+ if (seed_nonzero(state->secret_seed)) {
+ digest_t *d;
+ int i;
+ for (i=0; i < OBFUSCATE_HASH_ITERATIONS; i++) {
+ d = digest_new();
+ digest_update(d, buf, sizeof(buf));
+ digest_getdigest(d, buf, sizeof(buf));
+ }
}
cryptstate = crypt_new(buf, 16);
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits