Refactor the HS ntor key expansion to fit the e2e circuit API.

We want to use the circuit_init_cpath_crypto() function to setup our cpath, and that function accepts a key array as input. So let's make our HS ntor key expansion function also return a key array as output, instead of a struct. Also, we actually don't need KH from the key expansion, so the key expansion output can be one DIGEST256_LEN shorter. See here for more info: https://trac.torproject.org/projects/tor/ticket/22052#comment:3

Refactor the HS ntor key expansion to fit the e2e circuit API.
ba928e1a · George Kadianakis · Nick Mathewson · f8dc1164 · ba928e1a · ba928e1a
Commit ba928e1a authored 7 years ago by George Kadianakis Committed by Nick Mathewson 7 years ago
--- a/src/or/hs_ntor.c
+++ b/src/or/hs_ntor.c
@@ -578,49 +578,28 @@ hs_ntor_client_rendezvous2_mac_is_good(

 /* Input length to KDF for key expansion */
 #define NTOR_KEY_EXPANSION_KDF_INPUT_LEN (DIGEST256_LEN + M_HSEXPAND_LEN)
-/* Output length of KDF for key expansion */
-#define NTOR_KEY_EXPANSION_KDF_OUTPUT_LEN (DIGEST256_LEN*3+CIPHER256_KEY_LEN*2)
-
-/** Given the rendezvous key material in <b>hs_ntor_rend_cell_keys</b>, do the
- *  circuit key expansion as specified by section '4.2.1. Key expansion' and
- *  return a hs_ntor_rend_circuit_keys_t structure with the computed keys. */
-hs_ntor_rend_circuit_keys_t *
-hs_ntor_circuit_key_expansion(
-                       const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys)
+
+/** Given the rendezvous key seed in <b>ntor_key_seed</b> (of size
+ *  DIGEST256_LEN), do the circuit key expansion as specified by section
+ *  '4.2.1. Key expansion' and place the keys in <b>keys_out</b> (which must be
+ *  of size HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN). */
+void
+hs_ntor_circuit_key_expansion(const uint8_t *ntor_key_seed, uint8_t *keys_out)
 {
  uint8_t *ptr;
  uint8_t kdf_input[NTOR_KEY_EXPANSION_KDF_INPUT_LEN];
-  uint8_t keys[NTOR_KEY_EXPANSION_KDF_OUTPUT_LEN];
  crypto_xof_t *xof;
-  hs_ntor_rend_circuit_keys_t *rend_circuit_keys = NULL;

  /* Let's build the input to the KDF */
  ptr = kdf_input;
-  APPEND(ptr, hs_ntor_rend_cell_keys->ntor_key_seed, DIGEST256_LEN);
+  APPEND(ptr, ntor_key_seed, DIGEST256_LEN);
  APPEND(ptr, M_HSEXPAND, strlen(M_HSEXPAND));
  tor_assert(ptr == kdf_input + sizeof(kdf_input));

  /* Generate the keys */
  xof = crypto_xof_new();
  crypto_xof_add_bytes(xof, kdf_input, sizeof(kdf_input));
-  crypto_xof_squeeze_bytes(xof, keys, sizeof(keys));
+  crypto_xof_squeeze_bytes(xof, keys_out, HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN);
  crypto_xof_free(xof);
-
-  /* Generate keys structure and assign keys to it */
-  rend_circuit_keys = tor_malloc_zero(sizeof(hs_ntor_rend_circuit_keys_t));
-  ptr = keys;
-  memcpy(rend_circuit_keys->KH, ptr, DIGEST256_LEN);
-  ptr += DIGEST256_LEN;;
-  memcpy(rend_circuit_keys->Df, ptr, DIGEST256_LEN);
-  ptr += DIGEST256_LEN;
-  memcpy(rend_circuit_keys->Db, ptr, DIGEST256_LEN);
-  ptr += DIGEST256_LEN;
-  memcpy(rend_circuit_keys->Kf, ptr, CIPHER256_KEY_LEN);
-  ptr += CIPHER256_KEY_LEN;
-  memcpy(rend_circuit_keys->Kb, ptr, CIPHER256_KEY_LEN);
-  ptr += CIPHER256_KEY_LEN;
-  tor_assert(ptr == keys + sizeof(keys));
-
-  return rend_circuit_keys;
 }

--- a/src/or/hs_ntor.h
+++ b/src/or/hs_ntor.h
@@ -6,6 +6,10 @@

 #include "or.h"

+/* Output length of KDF for key expansion */
+#define HS_NTOR_KEY_EXPANSION_KDF_OUT_LEN \
+  (DIGEST256_LEN*2 + CIPHER256_KEY_LEN*2)
+
 /* Key material needed to encode/decode INTRODUCE1 cells */
 typedef struct {
  /* Key used for encryption of encrypted INTRODUCE1 blob */
@@ -23,21 +27,6 @@ typedef struct {
  uint8_t ntor_key_seed[DIGEST256_LEN];
 } hs_ntor_rend_cell_keys_t;

-/* Key material resulting from key expansion as detailed in section "4.2.1. Key
- * expansion" of rend-spec-ng.txt. */
-typedef struct {
-  /* Per-circuit key material used in ESTABLISH_INTRO cell */
-  uint8_t KH[DIGEST256_LEN];
-  /* Authentication key for outgoing RELAY cells */
-  uint8_t Df[DIGEST256_LEN];
-  /* Authentication key for incoming RELAY cells */
-  uint8_t Db[DIGEST256_LEN];
-  /* Encryption key for outgoing RELAY cells */
-  uint8_t Kf[CIPHER256_KEY_LEN];
-  /* Decryption key for incoming RELAY cells */
-  uint8_t Kb[CIPHER256_KEY_LEN];
-} hs_ntor_rend_circuit_keys_t;
-
 int hs_ntor_client_get_introduce1_keys(
                      const ed25519_public_key_t *intro_auth_pubkey,
                      const curve25519_public_key_t *intro_enc_pubkey,
@@ -66,8 +55,8 @@ int hs_ntor_service_get_rendezvous1_keys(
                  const curve25519_public_key_t *client_ephemeral_enc_pubkey,
                  hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys_out);

-hs_ntor_rend_circuit_keys_t *hs_ntor_circuit_key_expansion(
-                       const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys);
+void hs_ntor_circuit_key_expansion(const uint8_t *ntor_key_seed,
+                                   uint8_t *keys_out);

 int hs_ntor_client_rendezvous2_mac_is_good(
                        const hs_ntor_rend_cell_keys_t *hs_ntor_rend_cell_keys,