From ba928e1ac8f13714aa6b619dd6f12ae89240d6ff Mon Sep 17 00:00:00 2001
From: George Kadianakis <desnacked@riseup.net>
Date: Tue, 2 May 2017 16:18:10 +0300
Subject: [PATCH] Refactor the HS ntor key expansion to fit the e2e circuit
 API.

We want to use the circuit_init_cpath_crypto() function to setup our
cpath, and that function accepts a key array as input. So let's make our
HS ntor key expansion function also return a key array as output,
instead of a struct.

Also, we actually don't need KH from the key expansion, so the key
expansion output can be one DIGEST256_LEN shorter. See here for more
info: https://trac.torproject.org/projects/tor/ticket/22052#comment:3
---
 src/or/hs_ntor.c | 37 ++++++++-----------------------------
 src/or/hs_ntor.h | 23 ++++++-----------------
 2 files changed, 14 insertions(+), 46 deletions(-)

diff --git a/src/or/hs_ntor.c b/src/or/hs_ntor.c
index 119899817e..668ef221b8 100644
--- a/src/or/hs_ntor.c
+++ b/src/or/hs_ntor.c
@@ -578,49 +578,28 @@ hs_ntor_client_rendezvous2_mac_is_good(
 
 /* Input length to KDF for key expansion */
 #define NTOR_KEY_EXPANSION_KDF_INPUT_LEN (DIGEST256_LEN + M_HSEXPAND_LEN)
-/* Output length of KDF for key expansion */
-#define NTOR_KEY_EXPANSION_KDF_OUTPUT_LEN (DIGEST256_LEN*3+CIPHER256_KEY_LEN*2)
 
-/** Given the rendezvous key material in <b>hs_ntor_rend_cell_keys</b>, do the
- *  circuit key expansion as specified by section '4.2.1. Key expansion' and
- *  return a hs_ntor_rend_circuit_keys_t structure with the computed keys. */
-hs_ntor_rend_circuit_keys_t *
-hs_ntor_circuit_key_expansion(
-                       const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys)
+/** Given the rendezvous key seed in <b>ntor_key_seed</b> (of size
+ *  DIGEST256_LEN), do the circuit key expansion as specified by section
+ *  '4.2.1. Key expansion' and place the keys in <b>keys_out</b> (which must be
+ *  of size HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN). */
+void
+hs_ntor_circuit_key_expansion(const uint8_t *ntor_key_seed, uint8_t *keys_out)
 {
   uint8_t *ptr;
   uint8_t kdf_input[NTOR_KEY_EXPANSION_KDF_INPUT_LEN];
-  uint8_t keys[NTOR_KEY_EXPANSION_KDF_OUTPUT_LEN];
   crypto_xof_t *xof;
-  hs_ntor_rend_circuit_keys_t *rend_circuit_keys = NULL;
 
   /* Let's build the input to the KDF */
   ptr = kdf_input;
-  APPEND(ptr, hs_ntor_rend_cell_keys->ntor_key_seed, DIGEST256_LEN);
+  APPEND(ptr, ntor_key_seed, DIGEST256_LEN);
   APPEND(ptr, M_HSEXPAND, strlen(M_HSEXPAND));
   tor_assert(ptr == kdf_input + sizeof(kdf_input));
 
   /* Generate the keys */
   xof = crypto_xof_new();
   crypto_xof_add_bytes(xof, kdf_input, sizeof(kdf_input));
-  crypto_xof_squeeze_bytes(xof, keys, sizeof(keys));
+  crypto_xof_squeeze_bytes(xof, keys_out, HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN);
   crypto_xof_free(xof);
-
-  /* Generate keys structure and assign keys to it */
-  rend_circuit_keys = tor_malloc_zero(sizeof(hs_ntor_rend_circuit_keys_t));
-  ptr = keys;
-  memcpy(rend_circuit_keys->KH, ptr, DIGEST256_LEN);
-  ptr += DIGEST256_LEN;;
-  memcpy(rend_circuit_keys->Df, ptr, DIGEST256_LEN);
-  ptr += DIGEST256_LEN;
-  memcpy(rend_circuit_keys->Db, ptr, DIGEST256_LEN);
-  ptr += DIGEST256_LEN;
-  memcpy(rend_circuit_keys->Kf, ptr, CIPHER256_KEY_LEN);
-  ptr += CIPHER256_KEY_LEN;
-  memcpy(rend_circuit_keys->Kb, ptr, CIPHER256_KEY_LEN);
-  ptr += CIPHER256_KEY_LEN;
-  tor_assert(ptr == keys + sizeof(keys));
-
-  return rend_circuit_keys;
 }
 
diff --git a/src/or/hs_ntor.h b/src/or/hs_ntor.h
index cd75f46a4c..3a97e17acc 100644
--- a/src/or/hs_ntor.h
+++ b/src/or/hs_ntor.h
@@ -6,6 +6,10 @@
 
 #include "or.h"
 
+/* Output length of KDF for key expansion */
+#define HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN \
+  (DIGEST256_LEN*2 + CIPHER256_KEY_LEN*2)
+
 /* Key material needed to encode/decode INTRODUCE1 cells */
 typedef struct {
   /* Key used for encryption of encrypted INTRODUCE1 blob */
@@ -23,21 +27,6 @@ typedef struct {
   uint8_t ntor_key_seed[DIGEST256_LEN];
 } hs_ntor_rend_cell_keys_t;
 
-/* Key material resulting from key expansion as detailed in section "4.2.1. Key
- * expansion" of rend-spec-ng.txt. */
-typedef struct {
-  /* Per-circuit key material used in ESTABLISH_INTRO cell */
-  uint8_t KH[DIGEST256_LEN];
-  /* Authentication key for outgoing RELAY cells */
-  uint8_t Df[DIGEST256_LEN];
-  /* Authentication key for incoming RELAY cells */
-  uint8_t Db[DIGEST256_LEN];
-  /* Encryption key for outgoing RELAY cells */
-  uint8_t Kf[CIPHER256_KEY_LEN];
-  /* Decryption key for incoming RELAY cells */
-  uint8_t Kb[CIPHER256_KEY_LEN];
-} hs_ntor_rend_circuit_keys_t;
-
 int hs_ntor_client_get_introduce1_keys(
                       const ed25519_public_key_t *intro_auth_pubkey,
                       const curve25519_public_key_t *intro_enc_pubkey,
@@ -66,8 +55,8 @@ int hs_ntor_service_get_rendezvous1_keys(
                   const curve25519_public_key_t *client_ephemeral_enc_pubkey,
                   hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys_out);
 
-hs_ntor_rend_circuit_keys_t *hs_ntor_circuit_key_expansion(
-                       const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys);
+void hs_ntor_circuit_key_expansion(const uint8_t *ntor_key_seed,
+                                   uint8_t *keys_out);
 
 int hs_ntor_client_rendezvous2_mac_is_good(
                         const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys,