mirror of
https://gitlab.torproject.org/tpo/core/tor.git
hs-v3: Rename client_sk to client_auth_sk
Signed-off-by: David Goulet <dgoulet@torproject.org>
parent
b61403c787
commit
9f975e9995
@ -1233,7 +1233,7 @@ hs_client_decode_descriptor(const char *desc_str,
|
|||||||
uint8_t subcredential[DIGEST256_LEN];
|
uint8_t subcredential[DIGEST256_LEN];
|
||||||
ed25519_public_key_t blinded_pubkey;
|
ed25519_public_key_t blinded_pubkey;
|
||||||
hs_client_service_authorization_t *client_auth = NULL;
|
hs_client_service_authorization_t *client_auth = NULL;
|
||||||
curve25519_secret_key_t *client_sk = NULL;
|
curve25519_secret_key_t *client_auht_sk = NULL;
|
||||||
|
|
||||||
tor_assert(desc_str);
|
tor_assert(desc_str);
|
||||||
tor_assert(service_identity_pk);
|
tor_assert(service_identity_pk);
|
||||||
@ -1242,7 +1242,7 @@ hs_client_decode_descriptor(const char *desc_str,
|
|||||||
/* Check if we have a client authorization for this service in the map. */
|
/* Check if we have a client authorization for this service in the map. */
|
||||||
client_auth = find_client_auth(service_identity_pk);
|
client_auth = find_client_auth(service_identity_pk);
|
||||||
if (client_auth) {
|
if (client_auth) {
|
||||||
client_sk = &client_auth->enc_seckey;
|
client_auht_sk = &client_auth->enc_seckey;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Create subcredential for this HS so that we can decrypt */
|
/* Create subcredential for this HS so that we can decrypt */
|
||||||
@ -1254,7 +1254,8 @@ hs_client_decode_descriptor(const char *desc_str,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Parse descriptor */
|
/* Parse descriptor */
|
||||||
ret = hs_desc_decode_descriptor(desc_str, subcredential, client_sk, desc);
|
ret = hs_desc_decode_descriptor(desc_str, subcredential,
|
||||||
|
client_auht_sk, desc);
|
||||||
memwipe(subcredential, 0, sizeof(subcredential));
|
memwipe(subcredential, 0, sizeof(subcredential));
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
log_warn(LD_GENERAL, "Could not parse received descriptor as client.");
|
log_warn(LD_GENERAL, "Could not parse received descriptor as client.");
|
||||||
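Review bot: The renamed local in hs_client_decode_descriptor is spelled `client_auht_sk` at its declaration, at the assignment from `&client_auth->enc_seckey`, and in the hs_desc_decode_descriptor call, while every other site in this commit uses `client_auth_sk`. The code builds because the three uses agree, but a misspelled name for a pointer to secret key material is easy to miss when grepping for where the client authorization key flows. Spell it `curve25519_secret_key_t *client_auth_sk = NULL;` and update the two uses to match. The function starts before the first hunk and continues past the last one.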
|
@ -1408,7 +1408,7 @@ encrypted_data_length_is_valid(size_t len)
|
|||||||
static int
|
static int
|
||||||
decrypt_descriptor_cookie(const hs_descriptor_t *desc,
|
decrypt_descriptor_cookie(const hs_descriptor_t *desc,
|
||||||
const hs_desc_authorized_client_t *client,
|
const hs_desc_authorized_client_t *client,
|
||||||
const curve25519_secret_key_t *client_sk,
|
const curve25519_secret_key_t *client_auth_sk,
|
||||||
uint8_t **descriptor_cookie_out)
|
uint8_t **descriptor_cookie_out)
|
||||||
{
|
{
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
@ -1421,15 +1421,15 @@ decrypt_descriptor_cookie(const hs_descriptor_t *desc,
|
|||||||
|
|
||||||
tor_assert(desc);
|
tor_assert(desc);
|
||||||
tor_assert(client);
|
tor_assert(client);
|
||||||
tor_assert(client_sk);
|
tor_assert(client_auth_sk);
|
||||||
tor_assert(!tor_mem_is_zero(
|
tor_assert(!tor_mem_is_zero(
|
||||||
(char *) &desc->superencrypted_data.auth_ephemeral_pubkey,
|
(char *) &desc->superencrypted_data.auth_ephemeral_pubkey,
|
||||||
sizeof(desc->superencrypted_data.auth_ephemeral_pubkey)));
|
sizeof(desc->superencrypted_data.auth_ephemeral_pubkey)));
|
||||||
tor_assert(!tor_mem_is_zero((char *) client_sk,
|
tor_assert(!tor_mem_is_zero((char *) client_auth_sk,
|
||||||
sizeof(*client_sk)));
|
sizeof(*client_auth_sk)));
|
||||||
|
|
||||||
/* Calculate x25519(client_x, hs_Y) */
|
/* Calculate x25519(client_x, hs_Y) */
|
||||||
curve25519_handshake(secret_seed, client_sk,
|
curve25519_handshake(secret_seed, client_auth_sk,
|
||||||
&desc->superencrypted_data.auth_ephemeral_pubkey);
|
&desc->superencrypted_data.auth_ephemeral_pubkey);
|
||||||
|
|
||||||
/* Calculate KEYS = KDF(SECRET_SEED, 40) */
|
/* Calculate KEYS = KDF(SECRET_SEED, 40) */
|
||||||
@ -1440,7 +1440,7 @@ decrypt_descriptor_cookie(const hs_descriptor_t *desc,
|
|||||||
|
|
||||||
/* If the client id of auth client is not the same as the calculcated
|
/* If the client id of auth client is not the same as the calculcated
|
||||||
* client id, it means that this auth client is invaild according to the
|
* client id, it means that this auth client is invaild according to the
|
||||||
* client secret key client_sk. */
|
* client secret key client_auth_sk. */
|
||||||
if (tor_memneq(client->client_id, keystream, HS_DESC_CLIENT_ID_LEN)) {
|
if (tor_memneq(client->client_id, keystream, HS_DESC_CLIENT_ID_LEN)) {
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
@ -1630,7 +1630,7 @@ desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
|
|||||||
* decrypted_out is set to NULL. */
|
* decrypted_out is set to NULL. */
|
||||||
static size_t
|
static size_t
|
||||||
desc_decrypt_encrypted(const hs_descriptor_t *desc,
|
desc_decrypt_encrypted(const hs_descriptor_t *desc,
|
||||||
const curve25519_secret_key_t *client_sk,
|
const curve25519_secret_key_t *client_auth_sk,
|
||||||
char **decrypted_out)
|
char **decrypted_out)
|
||||||
{
|
{
|
||||||
size_t encrypted_len = 0;
|
size_t encrypted_len = 0;
|
||||||
@ -1643,12 +1643,12 @@ desc_decrypt_encrypted(const hs_descriptor_t *desc,
|
|||||||
|
|
||||||
/* If the client secret key is provided, try to find a valid descriptor
|
/* If the client secret key is provided, try to find a valid descriptor
|
||||||
* cookie. Otherwise, leave it NULL. */
|
* cookie. Otherwise, leave it NULL. */
|
||||||
if (client_sk) {
|
if (client_auth_sk) {
|
||||||
SMARTLIST_FOREACH_BEGIN(desc->superencrypted_data.clients,
|
SMARTLIST_FOREACH_BEGIN(desc->superencrypted_data.clients,
|
||||||
hs_desc_authorized_client_t *, client) {
|
hs_desc_authorized_client_t *, client) {
|
||||||
/* If we can decrypt the descriptor cookie successfully, we will use that
|
/* If we can decrypt the descriptor cookie successfully, we will use that
|
||||||
* descriptor cookie and break from the loop. */
|
* descriptor cookie and break from the loop. */
|
||||||
if (!decrypt_descriptor_cookie(desc, client, client_sk,
|
if (!decrypt_descriptor_cookie(desc, client, client_auth_sk,
|
||||||
&descriptor_cookie)) {
|
&descriptor_cookie)) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -2253,7 +2253,7 @@ desc_decode_superencrypted_v3(const hs_descriptor_t *desc,
|
|||||||
* success else -1. */
|
* success else -1. */
|
||||||
static int
|
static int
|
||||||
desc_decode_encrypted_v3(const hs_descriptor_t *desc,
|
desc_decode_encrypted_v3(const hs_descriptor_t *desc,
|
||||||
const curve25519_secret_key_t *client_sk,
|
const curve25519_secret_key_t *client_auth_sk,
|
||||||
hs_desc_encrypted_data_t *desc_encrypted_out)
|
hs_desc_encrypted_data_t *desc_encrypted_out)
|
||||||
{
|
{
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
@ -2268,7 +2268,7 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc,
|
|||||||
|
|
||||||
/* Decrypt the encrypted data that is located in the superencrypted section
|
/* Decrypt the encrypted data that is located in the superencrypted section
|
||||||
* in the descriptor as a blob of bytes. */
|
* in the descriptor as a blob of bytes. */
|
||||||
message_len = desc_decrypt_encrypted(desc, client_sk, &message);
|
message_len = desc_decrypt_encrypted(desc, client_auth_sk, &message);
|
||||||
if (!message_len) {
|
if (!message_len) {
|
||||||
log_warn(LD_REND, "Service descriptor decryption failed.");
|
log_warn(LD_REND, "Service descriptor decryption failed.");
|
||||||
goto err;
|
goto err;
|
||||||
@ -2353,7 +2353,7 @@ desc_decode_encrypted_v3(const hs_descriptor_t *desc,
|
|||||||
static int
|
static int
|
||||||
(*decode_encrypted_handlers[])(
|
(*decode_encrypted_handlers[])(
|
||||||
const hs_descriptor_t *desc,
|
const hs_descriptor_t *desc,
|
||||||
const curve25519_secret_key_t *client_sk,
|
const curve25519_secret_key_t *client_auth_sk,
|
||||||
hs_desc_encrypted_data_t *desc_encrypted) =
|
hs_desc_encrypted_data_t *desc_encrypted) =
|
||||||
{
|
{
|
||||||
/* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
|
/* v0 */ NULL, /* v1 */ NULL, /* v2 */ NULL,
|
||||||
@ -2365,7 +2365,7 @@ static int
|
|||||||
* negative value on error. */
|
* negative value on error. */
|
||||||
int
|
int
|
||||||
hs_desc_decode_encrypted(const hs_descriptor_t *desc,
|
hs_desc_decode_encrypted(const hs_descriptor_t *desc,
|
||||||
const curve25519_secret_key_t *client_sk,
|
const curve25519_secret_key_t *client_auth_sk,
|
||||||
hs_desc_encrypted_data_t *desc_encrypted)
|
hs_desc_encrypted_data_t *desc_encrypted)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
@ -2391,7 +2391,8 @@ hs_desc_decode_encrypted(const hs_descriptor_t *desc,
|
|||||||
tor_assert(decode_encrypted_handlers[version]);
|
tor_assert(decode_encrypted_handlers[version]);
|
||||||
|
|
||||||
/* Run the version specific plaintext decoder. */
|
/* Run the version specific plaintext decoder. */
|
||||||
ret = decode_encrypted_handlers[version](desc, client_sk, desc_encrypted);
|
ret = decode_encrypted_handlers[version](desc, client_auth_sk,
|
||||||
|
desc_encrypted);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
@ -2547,7 +2548,7 @@ hs_desc_decode_plaintext(const char *encoded,
|
|||||||
int
|
int
|
||||||
hs_desc_decode_descriptor(const char *encoded,
|
hs_desc_decode_descriptor(const char *encoded,
|
||||||
const uint8_t *subcredential,
|
const uint8_t *subcredential,
|
||||||
const curve25519_secret_key_t *client_sk,
|
const curve25519_secret_key_t *client_auth_sk,
|
||||||
hs_descriptor_t **desc_out)
|
hs_descriptor_t **desc_out)
|
||||||
{
|
{
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
@ -2575,7 +2576,7 @@ hs_desc_decode_descriptor(const char *encoded,
|
|||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = hs_desc_decode_encrypted(desc, client_sk, &desc->encrypted_data);
|
ret = hs_desc_decode_encrypted(desc, client_auth_sk, &desc->encrypted_data);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
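Review bot: In decrypt_descriptor_cookie the renamed check `tor_assert(!tor_mem_is_zero((char *) client_auth_sk, sizeof(*client_auth_sk)))` aborts the process on an all-zero key, and the assert just above it does the same for `auth_ephemeral_pubkey`, which is read from the descriptor. Whether the key loader and the descriptor parser reject all-zero values before this point is not visible in these hunks; if they do not, a bad client authorization file or a malformed descriptor ends the client process instead of failing the decode. Since `ret` is initialised to -1 and a `done` label exists, a recoverable form would be `if (tor_mem_is_zero((const char *) client_auth_sk, sizeof(*client_auth_sk))) goto done;`, with the same treatment for the ephemeral public key. The function body runs beyond the hunks shown, so confirm what the cleanup at `done` expects to be initialised.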
|
@ -277,14 +277,14 @@ MOCK_DECL(int,
|
|||||||
|
|
||||||
int hs_desc_decode_descriptor(const char *encoded,
|
int hs_desc_decode_descriptor(const char *encoded,
|
||||||
const uint8_t *subcredential,
|
const uint8_t *subcredential,
|
||||||
const curve25519_secret_key_t *client_sk,
|
const curve25519_secret_key_t *client_auth_sk,
|
||||||
hs_descriptor_t **desc_out);
|
hs_descriptor_t **desc_out);
|
||||||
int hs_desc_decode_plaintext(const char *encoded,
|
int hs_desc_decode_plaintext(const char *encoded,
|
||||||
hs_desc_plaintext_data_t *plaintext);
|
hs_desc_plaintext_data_t *plaintext);
|
||||||
int hs_desc_decode_superencrypted(const hs_descriptor_t *desc,
|
int hs_desc_decode_superencrypted(const hs_descriptor_t *desc,
|
||||||
hs_desc_superencrypted_data_t *desc_out);
|
hs_desc_superencrypted_data_t *desc_out);
|
||||||
int hs_desc_decode_encrypted(const hs_descriptor_t *desc,
|
int hs_desc_decode_encrypted(const hs_descriptor_t *desc,
|
||||||
const curve25519_secret_key_t *client_sk,
|
const curve25519_secret_key_t *client_auth_sk,
|
||||||
hs_desc_encrypted_data_t *desc_out);
|
hs_desc_encrypted_data_t *desc_out);
|
||||||
|
|
||||||
size_t hs_desc_obj_size(const hs_descriptor_t *data);
|
size_t hs_desc_obj_size(const hs_descriptor_t *data);
|
||||||
|
@ -867,7 +867,7 @@ test_build_authorized_client(void *arg)
|
|||||||
hs_desc_authorized_client_t *desc_client = NULL;
|
hs_desc_authorized_client_t *desc_client = NULL;
|
||||||
uint8_t descriptor_cookie[HS_DESC_DESCRIPTOR_COOKIE_LEN];
|
uint8_t descriptor_cookie[HS_DESC_DESCRIPTOR_COOKIE_LEN];
|
||||||
curve25519_secret_key_t auth_ephemeral_sk;
|
curve25519_secret_key_t auth_ephemeral_sk;
|
||||||
curve25519_secret_key_t client_sk;
|
curve25519_secret_key_t client_auth_sk;
|
||||||
curve25519_public_key_t client_pk;
|
curve25519_public_key_t client_pk;
|
||||||
const char ephemeral_sk_b16[] =
|
const char ephemeral_sk_b16[] =
|
||||||
"d023b674d993a5c8446bd2ca97e9961149b3c0e88c7dc14e8777744dd3468d6a";
|
"d023b674d993a5c8446bd2ca97e9961149b3c0e88c7dc14e8777744dd3468d6a";
|
||||||
@ -882,9 +882,9 @@ test_build_authorized_client(void *arg)
|
|||||||
ret = curve25519_secret_key_generate(&auth_ephemeral_sk, 0);
|
ret = curve25519_secret_key_generate(&auth_ephemeral_sk, 0);
|
||||||
tt_int_op(ret, OP_EQ, 0);
|
tt_int_op(ret, OP_EQ, 0);
|
||||||
|
|
||||||
ret = curve25519_secret_key_generate(&client_sk, 0);
|
ret = curve25519_secret_key_generate(&client_auth_sk, 0);
|
||||||
tt_int_op(ret, OP_EQ, 0);
|
tt_int_op(ret, OP_EQ, 0);
|
||||||
curve25519_public_key_generate(&client_pk, &client_sk);
|
curve25519_public_key_generate(&client_pk, &client_auth_sk);
|
||||||
|
|
||||||
desc_client = tor_malloc_zero(sizeof(hs_desc_authorized_client_t));
|
desc_client = tor_malloc_zero(sizeof(hs_desc_authorized_client_t));
|
||||||
|
|
||||||
|