Merge remote-tracking branch 'public/bug9635'

changes/bug9635

@@ -0,0 +1,3 @@
+  o Minor features:
+    - Give more specific warnings when we notice at the client side that
+      an onion handshake has failed. Fixes ticket 9635.

src/or/onion.c

@@ -554,8 +554,10 @@ onion_skin_client_handshake(int type,
 
   switch (type) {
   case ONION_HANDSHAKE_TYPE_TAP:
-    if (reply_len != TAP_ONIONSKIN_REPLY_LEN)
+    if (reply_len != TAP_ONIONSKIN_REPLY_LEN) {
+      log_warn(LD_CIRC, "TAP reply was not of the correct length.");
       return -1;
+    }
     if (onion_skin_TAP_client_handshake(handshake_state->u.tap,
                                         (const char*)reply,
                                         (char *)keys_out, keys_out_len) < 0)
@@ -565,8 +567,10 @@ onion_skin_client_handshake(int type,
 
     return 0;
   case ONION_HANDSHAKE_TYPE_FAST:
-    if (reply_len != CREATED_FAST_LEN)
+    if (reply_len != CREATED_FAST_LEN) {
+      log_warn(LD_CIRC, "CREATED_FAST reply was not of the correct length.");
       return -1;
+    }
     if (fast_client_handshake(handshake_state->u.fast, reply,
                               keys_out, keys_out_len) < 0)
       return -1;
@@ -575,8 +579,10 @@ onion_skin_client_handshake(int type,
     return 0;
 #ifdef CURVE25519_ENABLED
   case ONION_HANDSHAKE_TYPE_NTOR:
-    if (reply_len < NTOR_REPLY_LEN)
+    if (reply_len < NTOR_REPLY_LEN) {
+      log_warn(LD_CIRC, "ntor reply was not of the correct length.");
       return -1;
+    }
     {
       size_t keys_tmp_len = keys_out_len + DIGEST_LEN;
       uint8_t *keys_tmp = tor_malloc(keys_tmp_len);

src/or/onion_fast.c

@@ -104,6 +104,7 @@ fast_client_handshake(const fast_handshake_state_t *handshake_state,
   out_len = key_out_len+DIGEST_LEN;
   out = tor_malloc(out_len);
   if (crypto_expand_key_material_TAP(tmp, sizeof(tmp), out, out_len)) {
+    log_warn(LD_CIRC, "Failed to expand key material");
     goto done;
   }
   if (tor_memneq(out, handshake_reply_out+DIGEST_LEN, DIGEST_LEN)) {

src/or/onion_ntor.c

@@ -256,7 +256,7 @@ onion_skin_ntor_client_handshake(
   si += CURVE25519_OUTPUT_LEN;
   curve25519_handshake(si, &handshake_state->seckey_x,
                        &handshake_state->pubkey_B);
-  bad |= safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN);
+  bad |= (safe_mem_is_zero(si, CURVE25519_OUTPUT_LEN) << 1);
   si += CURVE25519_OUTPUT_LEN;
   APPEND(si, handshake_state->router_id, DIGEST_LEN);
   APPEND(si, handshake_state->pubkey_B.public_key, CURVE25519_PUBKEY_LEN);
@@ -281,7 +281,7 @@ onion_skin_ntor_client_handshake(
   /* Compute auth */
   h_tweak(s.auth, s.auth_input, sizeof(s.auth_input), T->t_mac);
 
-  bad |= tor_memneq(s.auth, auth_candidate, DIGEST256_LEN);
+  bad |= (tor_memneq(s.auth, auth_candidate, DIGEST256_LEN) << 2);
 
   crypto_expand_key_material_rfc5869_sha256(
                            s.secret_input, sizeof(s.secret_input),
@@ -290,6 +290,14 @@ onion_skin_ntor_client_handshake(
                            key_out, key_out_len);
 
   memwipe(&s, 0, sizeof(s));
+
+  if (bad & 4) {
+    log_warn(LD_PROTOCOL, "Incorrect digest from ntor circuit extension "
+             "request.");
+  } else if (bad) {
+    log_warn(LD_PROTOCOL, "Invalid result from curve25519 handshake");
+  }
+
   return bad ? -1 : 0;
 }
 

src/or/onion_tap.c

@@ -194,8 +194,10 @@ onion_skin_TAP_client_handshake(crypto_dh_t *handshake_state,
   len = crypto_dh_compute_secret(LOG_PROTOCOL_WARN, handshake_state,
                                  handshake_reply, DH_KEY_LEN, key_material,
                                  key_material_len);
-  if (len < 0)
+  if (len < 0) {
+    log_warn(LD_PROTOCOL,"DH computation failed.");
     goto err;
+  }
 
   if (tor_memneq(key_material, handshake_reply+DH_KEY_LEN, DIGEST_LEN)) {
     /* H(K) does *not* match. Something fishy. */