Commit ba928e1a authored by asn's avatar asn Committed by Nick Mathewson

Refactor the HS ntor key expansion to fit the e2e circuit API.

We want to use the circuit_init_cpath_crypto() function to setup our
cpath, and that function accepts a key array as input. So let's make our
HS ntor key expansion function also return a key array as output,
instead of a struct.

Also, we actually don't need KH from the key expansion, so the key
expansion output can be one DIGEST256_LEN shorter. See here for more
parent f8dc1164
......@@ -578,49 +578,28 @@ hs_ntor_client_rendezvous2_mac_is_good(
/* Input length to KDF for key expansion */
/* Output length of KDF for key expansion */
/** Given the rendezvous key material in <b>hs_ntor_rend_cell_keys</b>, do the
* circuit key expansion as specified by section '4.2.1. Key expansion' and
* return a hs_ntor_rend_circuit_keys_t structure with the computed keys. */
hs_ntor_rend_circuit_keys_t *
const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys)
/** Given the rendezvous key seed in <b>ntor_key_seed</b> (of size
* DIGEST256_LEN), do the circuit key expansion as specified by section
* '4.2.1. Key expansion' and place the keys in <b>keys_out</b> (which must be
hs_ntor_circuit_key_expansion(const uint8_t *ntor_key_seed, uint8_t *keys_out)
uint8_t *ptr;
crypto_xof_t *xof;
hs_ntor_rend_circuit_keys_t *rend_circuit_keys = NULL;
/* Let's build the input to the KDF */
ptr = kdf_input;
APPEND(ptr, hs_ntor_rend_cell_keys->ntor_key_seed, DIGEST256_LEN);
APPEND(ptr, ntor_key_seed, DIGEST256_LEN);
tor_assert(ptr == kdf_input + sizeof(kdf_input));
/* Generate the keys */
xof = crypto_xof_new();
crypto_xof_add_bytes(xof, kdf_input, sizeof(kdf_input));
crypto_xof_squeeze_bytes(xof, keys, sizeof(keys));
crypto_xof_squeeze_bytes(xof, keys_out, HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN);
/* Generate keys structure and assign keys to it */
rend_circuit_keys = tor_malloc_zero(sizeof(hs_ntor_rend_circuit_keys_t));
ptr = keys;
memcpy(rend_circuit_keys->KH, ptr, DIGEST256_LEN);
ptr += DIGEST256_LEN;;
memcpy(rend_circuit_keys->Df, ptr, DIGEST256_LEN);
ptr += DIGEST256_LEN;
memcpy(rend_circuit_keys->Db, ptr, DIGEST256_LEN);
ptr += DIGEST256_LEN;
memcpy(rend_circuit_keys->Kf, ptr, CIPHER256_KEY_LEN);
ptr += CIPHER256_KEY_LEN;
memcpy(rend_circuit_keys->Kb, ptr, CIPHER256_KEY_LEN);
ptr += CIPHER256_KEY_LEN;
tor_assert(ptr == keys + sizeof(keys));
return rend_circuit_keys;
......@@ -6,6 +6,10 @@
#include "or.h"
/* Output length of KDF for key expansion */
/* Key material needed to encode/decode INTRODUCE1 cells */
typedef struct {
/* Key used for encryption of encrypted INTRODUCE1 blob */
......@@ -23,21 +27,6 @@ typedef struct {
uint8_t ntor_key_seed[DIGEST256_LEN];
} hs_ntor_rend_cell_keys_t;
/* Key material resulting from key expansion as detailed in section "4.2.1. Key
* expansion" of rend-spec-ng.txt. */
typedef struct {
/* Per-circuit key material used in ESTABLISH_INTRO cell */
uint8_t KH[DIGEST256_LEN];
/* Authentication key for outgoing RELAY cells */
uint8_t Df[DIGEST256_LEN];
/* Authentication key for incoming RELAY cells */
uint8_t Db[DIGEST256_LEN];
/* Encryption key for outgoing RELAY cells */
uint8_t Kf[CIPHER256_KEY_LEN];
/* Decryption key for incoming RELAY cells */
uint8_t Kb[CIPHER256_KEY_LEN];
} hs_ntor_rend_circuit_keys_t;
int hs_ntor_client_get_introduce1_keys(
const ed25519_public_key_t *intro_auth_pubkey,
const curve25519_public_key_t *intro_enc_pubkey,
......@@ -66,8 +55,8 @@ int hs_ntor_service_get_rendezvous1_keys(
const curve25519_public_key_t *client_ephemeral_enc_pubkey,
hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys_out);
hs_ntor_rend_circuit_keys_t *hs_ntor_circuit_key_expansion(
const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys);
void hs_ntor_circuit_key_expansion(const uint8_t *ntor_key_seed,
uint8_t *keys_out);
int hs_ntor_client_rendezvous2_mac_is_good(
const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys,
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment