[tor-commits] [tor/master] hs: Use AES-256 for v3 descriptor

nickm at torproject.org nickm at torproject.org
Wed Jan 11 17:58:52 UTC 2017 

commit 870b5e2227c4382aef1d98b1b5fc9d5f4d275c1c
Author: David Goulet <dgoulet at torproject.org>
Date:   Mon Nov 7 13:15:46 2016 -0500

    hs: Use AES-256 for v3 descriptor
    
    That key size is taken from proposal 224 thus specified in the protocol.
    
    Closes #20569
    
    Signed-off-by: David Goulet <dgoulet at torproject.org>
---
 src/common/crypto.h    |  6 ++++--
 src/or/hs_descriptor.c | 14 ++++++++------
 src/or/hs_descriptor.h |  8 +++++++-
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/src/common/crypto.h b/src/common/crypto.h
index 116e0a6..70f6376 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -59,10 +59,12 @@
 #define DIGEST256_LEN 32
 /** Length of the output of our 64-bit optimized message digests (SHA512). */
 #define DIGEST512_LEN 64
-/** Length of our symmetric cipher's keys. */
+/** Length of our symmetric cipher's keys of 128-bit. */
 #define CIPHER_KEY_LEN 16
-/** Length of our symmetric cipher's IV. */
+/** Length of our symmetric cipher's IV of 128-bit. */
 #define CIPHER_IV_LEN 16
+/** Length of our symmetric cipher's keys of 256-bit. */
+#define CIPHER256_KEY_LEN 32
 /** Length of our public keys. */
 #define PK_BYTES (1024/8)
 /** Length of our DH keys. */
diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c
index 37aa1d7..986f996 100644
--- a/src/or/hs_descriptor.c
+++ b/src/or/hs_descriptor.c
@@ -541,8 +541,9 @@ build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
   tor_assert(plaintext);
   tor_assert(encrypted_out);
 
-  /* This creates a cipher for AES128. It can't fail. */
-  cipher = crypto_cipher_new_with_iv((const char *) key, (const char *) iv);
+  /* This creates a cipher for AES. It can't fail. */
+  cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
+                                              HS_DESC_ENCRYPTED_BIT_SIZE);
   /* This can't fail. */
   encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
                                           &padded_plaintext);
@@ -573,7 +574,7 @@ encrypt_descriptor_data(const hs_descriptor_t *desc, const char *plaintext,
   size_t encrypted_len, final_blob_len, offset = 0;
   uint8_t *encrypted;
   uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
-  uint8_t secret_key[CIPHER_KEY_LEN], secret_iv[CIPHER_IV_LEN];
+  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
   uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
 
   tor_assert(desc);
@@ -1058,7 +1059,7 @@ static size_t
 desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
 {
   uint8_t *decrypted = NULL;
-  uint8_t secret_key[CIPHER_KEY_LEN], secret_iv[CIPHER_IV_LEN];
+  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
   uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
   const uint8_t *salt, *encrypted, *desc_mac;
   size_t encrypted_len, result_len = 0;
@@ -1118,8 +1119,9 @@ desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
     /* Decrypt. Here we are assured that the encrypted length is valid for
      * decryption. */
     crypto_cipher_t *cipher;
-    cipher = crypto_cipher_new_with_iv((const char *) secret_key,
-                                       (const char *) secret_iv);
+
+    cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
+                                                HS_DESC_ENCRYPTED_BIT_SIZE);
     /* Extra byte for the NUL terminated byte. */
     decrypted = tor_malloc_zero(encrypted_len + 1);
     crypto_cipher_decrypt(cipher, (char *) decrypted,
diff --git a/src/or/hs_descriptor.h b/src/or/hs_descriptor.h
index 083d353..dd4e946 100644
--- a/src/or/hs_descriptor.h
+++ b/src/or/hs_descriptor.h
@@ -40,7 +40,7 @@
 /* Length of the KDF output value which is the length of the secret key,
  * the secret IV and MAC key length which is the length of H() output. */
 #define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN \
-  CIPHER_KEY_LEN + CIPHER_IV_LEN + DIGEST256_LEN
+  CIPHER256_KEY_LEN + CIPHER_IV_LEN + DIGEST256_LEN
 /* We need to pad the plaintext version of the encrypted data section before
  * encryption and it has to be a multiple of this value. */
 #define HS_DESC_PLAINTEXT_PADDING_MULTIPLE 128
@@ -60,6 +60,12 @@
  * view of a descriptor, is 1 that is the version field. */
 #define HS_DESC_PLAINTEXT_MIN_FIELDS 1
 
+/* Key length for the descriptor symmetric encryption. As specified in the
+ * protocol, we use AES-256 for the encrypted section of the descriptor. The
+ * following is the length in bytes and the bit size. */
+#define HS_DESC_ENCRYPTED_KEY_LEN CIPHER256_KEY_LEN
+#define HS_DESC_ENCRYPTED_BIT_SIZE (HS_DESC_ENCRYPTED_KEY_LEN * 8)
+
 /* Type of authentication in the descriptor. */
 typedef enum {
   HS_DESC_AUTH_PASSWORD = 1,

More information about the tor-commits mailing list