From 870b5e2227c4382aef1d98b1b5fc9d5f4d275c1c Mon Sep 17 00:00:00 2001 From: David Goulet Date: Mon, 7 Nov 2016 13:15:46 -0500 Subject: [PATCH] hs: Use AES-256 for v3 descriptor That key size is taken from proposal 224 thus specified in the protocol. Closes #20569 Signed-off-by: David Goulet --- src/common/crypto.h | 6 ++++-- src/or/hs_descriptor.c | 14 ++++++++------ src/or/hs_descriptor.h | 8 +++++++- 3 files changed, 19 insertions(+), 9 deletions(-) diff --git a/src/common/crypto.h b/src/common/crypto.h index 116e0a62fd..70f6376849 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -59,10 +59,12 @@ #define DIGEST256_LEN 32 /** Length of the output of our 64-bit optimized message digests (SHA512). */ #define DIGEST512_LEN 64 -/** Length of our symmetric cipher's keys. */ +/** Length of our symmetric cipher's keys of 128-bit. */ #define CIPHER_KEY_LEN 16 -/** Length of our symmetric cipher's IV. */ +/** Length of our symmetric cipher's IV of 128-bit. */ #define CIPHER_IV_LEN 16 +/** Length of our symmetric cipher's keys of 256-bit. */ +#define CIPHER256_KEY_LEN 32 /** Length of our public keys. */ #define PK_BYTES (1024/8) /** Length of our DH keys. */ diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c index 37aa1d745e..986f996317 100644 --- a/src/or/hs_descriptor.c +++ b/src/or/hs_descriptor.c @@ -541,8 +541,9 @@ build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext, tor_assert(plaintext); tor_assert(encrypted_out); - /* This creates a cipher for AES128. It can't fail. */ - cipher = crypto_cipher_new_with_iv((const char *) key, (const char *) iv); + /* This creates a cipher for AES. It can't fail. */ + cipher = crypto_cipher_new_with_iv_and_bits(key, iv, + HS_DESC_ENCRYPTED_BIT_SIZE); /* This can't fail. */ encrypted_len = build_plaintext_padding(plaintext, plaintext_len, &padded_plaintext); @@ -573,7 +574,7 @@ encrypt_descriptor_data(const hs_descriptor_t *desc, const char *plaintext, size_t encrypted_len, final_blob_len, offset = 0; uint8_t *encrypted; uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN]; - uint8_t secret_key[CIPHER_KEY_LEN], secret_iv[CIPHER_IV_LEN]; + uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN]; uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN]; tor_assert(desc); @@ -1058,7 +1059,7 @@ static size_t desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out) { uint8_t *decrypted = NULL; - uint8_t secret_key[CIPHER_KEY_LEN], secret_iv[CIPHER_IV_LEN]; + uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN]; uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN]; const uint8_t *salt, *encrypted, *desc_mac; size_t encrypted_len, result_len = 0; @@ -1118,8 +1119,9 @@ desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out) /* Decrypt. Here we are assured that the encrypted length is valid for * decryption. */ crypto_cipher_t *cipher; - cipher = crypto_cipher_new_with_iv((const char *) secret_key, - (const char *) secret_iv); + + cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv, + HS_DESC_ENCRYPTED_BIT_SIZE); /* Extra byte for the NUL terminated byte. */ decrypted = tor_malloc_zero(encrypted_len + 1); crypto_cipher_decrypt(cipher, (char *) decrypted, diff --git a/src/or/hs_descriptor.h b/src/or/hs_descriptor.h index 083d353860..dd4e946e52 100644 --- a/src/or/hs_descriptor.h +++ b/src/or/hs_descriptor.h @@ -40,7 +40,7 @@ /* Length of the KDF output value which is the length of the secret key, * the secret IV and MAC key length which is the length of H() output. */ #define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN \ - CIPHER_KEY_LEN + CIPHER_IV_LEN + DIGEST256_LEN + CIPHER256_KEY_LEN + CIPHER_IV_LEN + DIGEST256_LEN /* We need to pad the plaintext version of the encrypted data section before * encryption and it has to be a multiple of this value. */ #define HS_DESC_PLAINTEXT_PADDING_MULTIPLE 128 @@ -60,6 +60,12 @@ * view of a descriptor, is 1 that is the version field. */ #define HS_DESC_PLAINTEXT_MIN_FIELDS 1 +/* Key length for the descriptor symmetric encryption. As specified in the + * protocol, we use AES-256 for the encrypted section of the descriptor. The + * following is the length in bytes and the bit size. */ +#define HS_DESC_ENCRYPTED_KEY_LEN CIPHER256_KEY_LEN +#define HS_DESC_ENCRYPTED_BIT_SIZE (HS_DESC_ENCRYPTED_KEY_LEN * 8) + /* Type of authentication in the descriptor. */ typedef enum { HS_DESC_AUTH_PASSWORD = 1,