vincenzopalazzo
/
arti
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rename key identifiers that have changed in the spec 

Generated with perl:

s/K([PS])_hs_intro_tid/K$1_hs_ipt_sid/g;
s/K([PS])_onion_ntor/K$1_ntor/g;
s/K([PS])_hs_intro_ntor/K$1_hss_ntor/g;
s/K([PS])_hs_desc_ephem/K$1_hss_desc_enc/g;
This commit is contained in:
Nick Mathewson 2023-02-08 11:57:27 -05:00
parent 9046ef90d0
commit 18e8ac7cb6
6 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
crates/tor-cert/src/lib.rs
View File

@ -98,7 +98,7 @@ caret_int! {
HS_BLINDED_ID_V_SIGNING = 0x08,
/// For onion services: Introduction point authentication key
/// (`KP_hs_intro_tid`), signed with short term descriptor signing key
/// (`KP_hs_ipt_sid`), signed with short term descriptor signing key
/// (`KP_hs_desc_sign`).
///
/// This one is, sadly, a bit complicated. In the original specification
@ -117,7 +117,7 @@ caret_int! {
/// identity key.
NTOR_CC_IDENTITY = 0x0A,
/// For onion services: Ntor encryption key (`KP_hs_intro_ntor`),
/// For onion services: Ntor encryption key (`KP_hss_ntor`),
/// converted to ed25519, signed with the descriptor signing key
/// (`KP_hs_desc_sign`).
///

2
crates/tor-hscrypto/src/pk.rs
View File

@ -254,7 +254,7 @@ pub struct DescSigningKey(ed25519::PublicKey) / DescSigningSecretKey(ed25519::Se
define_pk_keypair! {
/// A key used to identify and authenticate an onion service at a single
/// introduction point. (`KP_hs_intro_tid`)
/// introduction point. (`KP_hs_ipt_sid`)
///
/// This key is included in the onion service's descriptor; a different one is
/// used at each introduction point. Introduction points don't know the

6
crates/tor-netdoc/src/doc/hsdesc.rs
View File

@ -140,14 +140,14 @@ pub struct IntroPointDesc {
link_specifiers: Vec<LinkSpec>,
/// The key used to extend a circuit _to the introduction point_, using the
/// ntor or ntor3 handshakes. (`KP_onion_ntor`)
/// ntor or ntor3 handshakes. (`KP_ntor`)
ntor_onion_key: curve25519::PublicKey,
/// A key used to identify the onion service at this introduction point.
/// (`KP_hs_intro_tid`)
/// (`KP_hs_ipt_sid`)
auth_key: IntroPtAuthKey,
/// `KP_hs_intro_ntor`, the key used to encrypt a handshake _to the onion
/// `KP_hss_ntor`, the key used to encrypt a handshake _to the onion
/// service_ when using this introduction point.
///
/// The onion service uses a separate key of this type with each

12
crates/tor-netdoc/src/doc/hsdesc/inner_layer.rs
View File

@ -185,7 +185,7 @@ impl HsDescInner {
res
};
// Parse the ntor "onion-key" (`KP_onion_ntor`) of the introduction point.
// Parse the ntor "onion-key" (`KP_ntor`) of the introduction point.
let ntor_onion_key = {
let tok = ipt_section
.slice(ONION_KEY)
@ -196,17 +196,17 @@ impl HsDescInner {
tok.parse_arg::<B64>(1)?.into_array()?.into()
};
// Extract the auth_key (`KP_hs_intro_tid`) from the (unchecked)
// Extract the auth_key (`KP_hs_ipt_sid`) from the (unchecked)
// "auth-key" certificate.
let auth_key: IntroPtAuthKey = {
// Note that this certificate does not actually serve any
// function _as_ a certificate; it was meant to cross-certify
// the descriptor signing key (`KP_hs_desc_sign`) using the
// authentication key (`KP_hs_intro_tid`). But the C tor
// authentication key (`KP_hs_ipt_sid`). But the C tor
// implementation got it backwards.
//
// We have to parse this certificate to extract
// `KP_hs_intro_tid`, but we don't actually need to validate it:
// `KP_hs_ipt_sid`, but we don't actually need to validate it:
// it appears inside the inner layer, which is already signed
// with `KP_hs_desc_sign`.
//
@ -248,7 +248,7 @@ impl HsDescInner {
ed_key.into()
};
// Extract the key `KP_hs_intro_ntor` that we'll use for our
// Extract the key `KP_hss_ntor` that we'll use for our
// handshake with the onion service itself. This comes from the
// "enc-key" item.
// TODO HS RENAME: Rename to KP_hs_intro_intor, or whatever we wind up with.
@ -264,7 +264,7 @@ impl HsDescInner {
};
// Check that the key in the "enc-key-cert" item matches the
// `KP_hs_intro_ntor` we just extracted.
// `KP_hss_ntor` we just extracted.
{
// NOTE: As above, this certificate is backwards, and hence
// useless. Therefore, we do not validate it: we only check that

6
crates/tor-netdoc/src/doc/hsdesc/middle_layer.rs
View File

@ -24,7 +24,7 @@ pub(super) struct HsDescMiddle {
/// in use.
///
/// This is `desc-auth-ephemeral-key` in the document format; it does not
/// yet have a name in our spec's list of keys. Call it `KP_hs_desc_ephem`
/// yet have a name in our spec's list of keys. Call it `KP_hss_desc_enc`
/// for now. It is used along with `KS_hsc_desc_enc` to perform a
/// diffie-hellman operation and decrypt the inner layer.
// TODO HS rename. Possibly to kp_hs_desc_ephem, depending.
@ -87,7 +87,7 @@ impl HsDescMiddle {
use tor_llcrypto::cipher::aes::Aes256Ctr as Cipher;
use tor_llcrypto::d::Shake256 as KDF;
// Perform a diffie hellman handshake using `KS_hsc_desc_enc` and `KP_hs_desc_ephem`,
// Perform a diffie hellman handshake using `KS_hsc_desc_enc` and `KP_hss_desc_enc`,
// and use it to find our client_id and cookie_key.
//
// The spec says:
@ -220,7 +220,7 @@ impl HsDescMiddle {
}
}
// Extract `KP_hs_desc_ephem` from DESC_AUTH_EPHEMERAL_KEY
// Extract `KP_hss_desc_enc` from DESC_AUTH_EPHEMERAL_KEY
let ephemeral_key: curve25519::PublicKey = {
let token = body.required(DESC_AUTH_EPHEMERAL_KEY)?;
let bytes = token.parse_arg::<B64>(0)?.into_array()?;

2
doc/dev/notes/onion_service_keys.md
View File

@ -47,7 +47,7 @@ these offline keys:
To operate, an onion service needs these secret keys, which do not have to be
persistent.
The corresponding public keys are published in the service descriptor:
* A ntor key for its cryptographic handshake (`KS_hs_intro_ntor`).
* A ntor key for its cryptographic handshake (`KS_hss_ntor`).
* A signing key associated with each active introduction point.
(`KS_hs_intro_auth`)