tor

The Tor anonymity network
git clone https://git.dasho.dev/tor.git
Log | Files | Refs | README | LICENSE

relay_crypto_cgo.h (6202B)

      1 /* Copyright (c) 2001 Matej Pfajfar.
      2 * Copyright (c) 2001-2004, Roger Dingledine.
      3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
      4 * Copyright (c) 2007-2025, The Tor Project, Inc. */
      5 /* See LICENSE for licensing information */
      6 
      7 /**
      8 * \file relay_crypto_cgo.h
      9 * \brief Header file for relay_crypto_cgo.c.
     10 **/
     11 
     12 #ifndef TOR_RELAY_CRYPTO_CGO_H
     13 #define TOR_RELAY_CRYPTO_CGO_H
     14 
     15 #include "lib/testsupport/testsupport.h"
     16 
     17 /**
     18 * State to implement forward _or_ reverse crypto between a client and a single
     19 * hop on a circuit.
     20 *
     21 * (There needs to be one of these for each direction.
     22 */
     23 typedef struct cgo_crypt_t cgo_crypt_t;
     24 
     25 typedef enum {
     26  CGO_MODE_CLIENT_FORWARD,
     27  CGO_MODE_CLIENT_BACKWARD,
     28  CGO_MODE_RELAY_FORWARD,
     29  CGO_MODE_RELAY_BACKWARD,
     30 } cgo_mode_t;
     31 
     32 struct cell_t;
     33 
     34 size_t cgo_key_material_len(int aesbits);
     35 cgo_crypt_t * cgo_crypt_new(cgo_mode_t mode, int aesbits,
     36                      const uint8_t *keys, size_t keylen);
     37 void cgo_crypt_free_(cgo_crypt_t *cgo);
     38 #define cgo_crypt_free(cgo) \
     39  FREE_AND_NULL(cgo_crypt_t, cgo_crypt_free_, (cgo))
     40 
     41 void cgo_crypt_relay_forward(cgo_crypt_t *cgo, struct cell_t *cell,
     42                             const uint8_t **recognized_tag_out);
     43 void cgo_crypt_relay_backward(cgo_crypt_t *cgo, struct cell_t *cell);
     44 void cgo_crypt_relay_originate(cgo_crypt_t *cgo, struct cell_t *cell,
     45                               const uint8_t **tag_out);
     46 void cgo_crypt_client_forward(cgo_crypt_t *cgo, struct cell_t *cell);
     47 void cgo_crypt_client_originate(cgo_crypt_t *cgo, struct cell_t *cell,
     48                                const uint8_t **tag_out);
     49 void cgo_crypt_client_backward(cgo_crypt_t *cgo, struct cell_t *cell,
     50                               const uint8_t **recognized_tag_out);
     51 
     52 #ifdef RELAY_CRYPTO_CGO_PRIVATE
     53 /* Internal types and definitions for CGO encryption algorithms.
     54 *
     55 * Where reasonable, the identifiers here are chosen to match those
     56 * in the spec (proposal 359), which in turn were chosen to match
     57 * those in the paper.
     58 */
     59 
     60 /**
     61 * Tweakable block cipher, following the LRW2 construction,
     62 * instantiated with AES.
     63 *
     64 * Any given instance can be used for encryption _or_ decryption,
     65 * not both.
     66 */
     67 typedef struct cgo_et_t {
     68  /**
     69   * AES block cipher instance
     70   */
     71  aes_raw_t *kb;
     72  /**
     73   * Polyval instance, with expanded key.
     74   */
     75  polyvalx_t ku;
     76 } cgo_et_t;
     77 /**
     78 * Keyed pseudorandom function, based on polyval and AES-CTR.
     79 */
     80 typedef struct cgo_prf_t {
     81  /**
     82   * AES stream cipher: may be 128, 192, or 256 bits.
     83   */
     84  aes_cnt_cipher_t *k;
     85  /**
     86   * Polyval instance.
     87   */
     88  polyval_key_t b;
     89 } cgo_prf_t;
     90 /**
     91 * Rugged tweakable pseudorandom permutation, using the UIV+ construction.
     92 *
     93 * This is, roughly, a wide-block cipher where _encryption_
     94 * is non-malleable, but where _decryption_ is malleable.
     95 *
     96 * UIV+ is the basis of CGO encryption, though it is used in different
     97 * ways for each of the relay operations.
     98 */
     99 typedef struct cgo_uiv_t {
    100  /**
    101   * Tweakable block cipher instance.
    102   */
    103  cgo_et_t j;
    104  /**
    105   * PRF instance.
    106   */
    107  cgo_prf_t s;
    108 #ifdef TOR_UNIT_TESTS
    109  /** Testing only: Copy of keys used to instantiate this UIV.
    110   * We use this in tests so that we can confirm the correctness
    111   * of cgo_uiv_update().
    112   */
    113  uint8_t uiv_keys_[32 * 2 + 16 * 2];
    114 #endif
    115 } cgo_uiv_t;
    116 /**
    117 * Length of the 'h' component of uiv_tweak_t.
    118 */
    119 #define ET_TWEAK_LEN_H 16
    120 /**
    121 * Length of the 'x_r' component of et_tweak_t.
    122 */
    123 #define ET_TWEAK_LEN_X_R 493
    124 
    125 /**
    126 * Tweak for the UIV+ wide-block cipher.
    127 */
    128 typedef struct uiv_tweak_t {
    129  /** H component of the wide-block cipher.
    130   *
    131   * This must be ET_TWEAK_LEN_H bytes long.
    132   **/
    133  const uint8_t *h;
    134  /** Additional data component of the wide-block cipher.
    135   * This value is sent to the cell command (RELAY or RELAY_EARLY)
    136   * for each relay cell.
    137   */
    138  const uint8_t cmd;
    139 } uiv_tweak_t;
    140 /**
    141 * Tweak for the ET tweakable block cipher.
    142 */
    143 typedef struct et_tweak_t {
    144  /** Components from the UIV+ tweak. */
    145  uiv_tweak_t uiv;
    146  /**
    147   * X_R component of the ET tweak.
    148   *
    149   * This must be X_R bytes long.
    150   */
    151  const uint8_t *x_r;
    152 } et_tweak_t;
    153 
    154 /** Length of expected input to the PRF. */
    155 #define PRF_INPUT_LEN 16
    156 /** Output length for cgo_prf_xor_t0(). */
    157 #define PRF_T0_DATA_LEN 493
    158 
    159 /** Length of block handled by uiv instantiation. */
    160 #define UIV_BLOCK_LEN 509
    161 
    162 STATIC int cgo_et_init(cgo_et_t *et, int aesbits, bool encrypt,
    163                       const uint8_t *key);
    164 STATIC void cgo_et_set_key(cgo_et_t *et, int aesbits, bool encrypt,
    165                           const uint8_t *key);
    166 STATIC void cgo_et_encrypt(cgo_et_t *et, const et_tweak_t tweak,
    167                    uint8_t *block);
    168 STATIC void cgo_et_decrypt(cgo_et_t *et, const et_tweak_t tweak,
    169                    uint8_t *block);
    170 STATIC void cgo_et_clear(cgo_et_t *et);
    171 
    172 STATIC int cgo_prf_init(cgo_prf_t *prf, int aesbits,
    173                        const uint8_t *key);
    174 STATIC void cgo_prf_set_key(cgo_prf_t *prf, int aesbits,
    175                           const uint8_t *key);
    176 STATIC void cgo_prf_xor_t0(cgo_prf_t *prf, const uint8_t *input,
    177                          uint8_t *data);
    178 STATIC void cgo_prf_gen_t1(cgo_prf_t *prf, const uint8_t *input,
    179                   uint8_t *buf, size_t n);
    180 STATIC void cgo_prf_clear(cgo_prf_t *prf);
    181 
    182 STATIC int cgo_uiv_init(cgo_uiv_t *uiv, int aesbits, bool encrypt,
    183                        const uint8_t *key);
    184 STATIC void cgo_uiv_encrypt(cgo_uiv_t *uiv, const uiv_tweak_t tweak,
    185                            uint8_t *cell_body);
    186 STATIC void cgo_uiv_decrypt(cgo_uiv_t *uiv, const uiv_tweak_t tweak,
    187                            uint8_t *cell_body);
    188 STATIC void cgo_uiv_update(cgo_uiv_t *uiv, int aesbits, bool encrypt,
    189                           uint8_t *nonce);
    190 STATIC void cgo_uiv_clear(cgo_uiv_t *uiv);
    191 
    192 struct cgo_crypt_t {
    193  cgo_uiv_t uiv;
    194  uint8_t nonce[SENDME_TAG_LEN_CGO];
    195  uint8_t tprime[SENDME_TAG_LEN_CGO];
    196  /**
    197   * Stored version of the last incoming cell tag.
    198   * Only used for cgo_crypt_relay_fwd, where this information is not
    199   * otherwise available after encryption.
    200   */
    201  uint8_t last_tag_relay_fwd[SENDME_TAG_LEN_CGO];
    202  uint8_t aes_bytes;
    203 };
    204 #endif
    205 
    206 #endif /* !defined(TOR_RELAY_CRYPTO_CGO_H) */