hs: Use AES-256 for v3 descriptor

That key size is taken from proposal 224 thus specified in the protocol.

Closes #20569

Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
David Goulet 2016-11-07 13:15:46 -05:00 committed by Nick Mathewson
parent 963e70673a
commit 870b5e2227
3 changed files with 19 additions and 9 deletions

View File

@ -59,10 +59,12 @@
#define DIGEST256_LEN 32
/** Length of the output of our 64-bit optimized message digests (SHA512). */
#define DIGEST512_LEN 64
/** Length of our symmetric cipher's keys. */
/** Length of our symmetric cipher's keys of 128-bit. */
#define CIPHER_KEY_LEN 16
/** Length of our symmetric cipher's IV. */
/** Length of our symmetric cipher's IV of 128-bit. */
#define CIPHER_IV_LEN 16
/** Length of our symmetric cipher's keys of 256-bit. */
#define CIPHER256_KEY_LEN 32
/** Length of our public keys. */
#define PK_BYTES (1024/8)
/** Length of our DH keys. */

View File

@ -541,8 +541,9 @@ build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
tor_assert(plaintext);
tor_assert(encrypted_out);
/* This creates a cipher for AES128. It can't fail. */
cipher = crypto_cipher_new_with_iv((const char *) key, (const char *) iv);
/* This creates a cipher for AES. It can't fail. */
cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
HS_DESC_ENCRYPTED_BIT_SIZE);
/* This can't fail. */
encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
&padded_plaintext);
@ -573,7 +574,7 @@ encrypt_descriptor_data(const hs_descriptor_t *desc, const char *plaintext,
size_t encrypted_len, final_blob_len, offset = 0;
uint8_t *encrypted;
uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
uint8_t secret_key[CIPHER_KEY_LEN], secret_iv[CIPHER_IV_LEN];
uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
tor_assert(desc);
@ -1058,7 +1059,7 @@ static size_t
desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
{
uint8_t *decrypted = NULL;
uint8_t secret_key[CIPHER_KEY_LEN], secret_iv[CIPHER_IV_LEN];
uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
const uint8_t *salt, *encrypted, *desc_mac;
size_t encrypted_len, result_len = 0;
@ -1118,8 +1119,9 @@ desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
/* Decrypt. Here we are assured that the encrypted length is valid for
* decryption. */
crypto_cipher_t *cipher;
cipher = crypto_cipher_new_with_iv((const char *) secret_key,
(const char *) secret_iv);
cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
HS_DESC_ENCRYPTED_BIT_SIZE);
/* Extra byte for the NUL terminated byte. */
decrypted = tor_malloc_zero(encrypted_len + 1);
crypto_cipher_decrypt(cipher, (char *) decrypted,

View File

@ -40,7 +40,7 @@
/* Length of the KDF output value which is the length of the secret key,
* the secret IV and MAC key length which is the length of H() output. */
#define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN \
CIPHER_KEY_LEN + CIPHER_IV_LEN + DIGEST256_LEN
CIPHER256_KEY_LEN + CIPHER_IV_LEN + DIGEST256_LEN
/* We need to pad the plaintext version of the encrypted data section before
* encryption and it has to be a multiple of this value. */
#define HS_DESC_PLAINTEXT_PADDING_MULTIPLE 128
@ -60,6 +60,12 @@
* view of a descriptor, is 1 that is the version field. */
#define HS_DESC_PLAINTEXT_MIN_FIELDS 1
/* Key length for the descriptor symmetric encryption. As specified in the
* protocol, we use AES-256 for the encrypted section of the descriptor. The
* following is the length in bytes and the bit size. */
#define HS_DESC_ENCRYPTED_KEY_LEN CIPHER256_KEY_LEN
#define HS_DESC_ENCRYPTED_BIT_SIZE (HS_DESC_ENCRYPTED_KEY_LEN * 8)
/* Type of authentication in the descriptor. */
typedef enum {
HS_DESC_AUTH_PASSWORD = 1,