hs: Use AES-256 for v3 descriptor

That key size is taken from proposal 224 thus specified in the protocol.

Closes #20569

Signed-off-by: David Goulet <dgoulet@torproject.org>

src/common/crypto.h

@@ -59,10 +59,12 @@
 #define DIGEST256_LEN 32
 /** Length of the output of our 64-bit optimized message digests (SHA512). */
 #define DIGEST512_LEN 64
-/** Length of our symmetric cipher's keys. */
+/** Length of our symmetric cipher's keys of 128-bit. */
 #define CIPHER_KEY_LEN 16
-/** Length of our symmetric cipher's IV. */
+/** Length of our symmetric cipher's IV of 128-bit. */
 #define CIPHER_IV_LEN 16
+/** Length of our symmetric cipher's keys of 256-bit. */
+#define CIPHER256_KEY_LEN 32
 /** Length of our public keys. */
 #define PK_BYTES (1024/8)
 /** Length of our DH keys. */

src/or/hs_descriptor.c

@@ -541,8 +541,9 @@ build_encrypted(const uint8_t *key, const uint8_t *iv, const char *plaintext,
   tor_assert(plaintext);
   tor_assert(encrypted_out);
 
-  /* This creates a cipher for AES128. It can't fail. */
-  cipher = crypto_cipher_new_with_iv((const char *) key, (const char *) iv);
+  /* This creates a cipher for AES. It can't fail. */
+  cipher = crypto_cipher_new_with_iv_and_bits(key, iv,
+                                              HS_DESC_ENCRYPTED_BIT_SIZE);
   /* This can't fail. */
   encrypted_len = build_plaintext_padding(plaintext, plaintext_len,
                                           &padded_plaintext);
@@ -573,7 +574,7 @@ encrypt_descriptor_data(const hs_descriptor_t *desc, const char *plaintext,
   size_t encrypted_len, final_blob_len, offset = 0;
   uint8_t *encrypted;
   uint8_t salt[HS_DESC_ENCRYPTED_SALT_LEN];
-  uint8_t secret_key[CIPHER_KEY_LEN], secret_iv[CIPHER_IV_LEN];
+  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
   uint8_t mac_key[DIGEST256_LEN], mac[DIGEST256_LEN];
 
   tor_assert(desc);
@@ -1058,7 +1059,7 @@ static size_t
 desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
 {
   uint8_t *decrypted = NULL;
-  uint8_t secret_key[CIPHER_KEY_LEN], secret_iv[CIPHER_IV_LEN];
+  uint8_t secret_key[HS_DESC_ENCRYPTED_KEY_LEN], secret_iv[CIPHER_IV_LEN];
   uint8_t mac_key[DIGEST256_LEN], our_mac[DIGEST256_LEN];
   const uint8_t *salt, *encrypted, *desc_mac;
   size_t encrypted_len, result_len = 0;
@@ -1118,8 +1119,9 @@ desc_decrypt_data_v3(const hs_descriptor_t *desc, char **decrypted_out)
     /* Decrypt. Here we are assured that the encrypted length is valid for
      * decryption. */
     crypto_cipher_t *cipher;
-    cipher = crypto_cipher_new_with_iv((const char *) secret_key,
-                                       (const char *) secret_iv);
+
+    cipher = crypto_cipher_new_with_iv_and_bits(secret_key, secret_iv,
+                                                HS_DESC_ENCRYPTED_BIT_SIZE);
     /* Extra byte for the NUL terminated byte. */
     decrypted = tor_malloc_zero(encrypted_len + 1);
     crypto_cipher_decrypt(cipher, (char *) decrypted,

src/or/hs_descriptor.h

@@ -40,7 +40,7 @@
 /* Length of the KDF output value which is the length of the secret key,
  * the secret IV and MAC key length which is the length of H() output. */
 #define HS_DESC_ENCRYPTED_KDF_OUTPUT_LEN \
-  CIPHER_KEY_LEN + CIPHER_IV_LEN + DIGEST256_LEN
+  CIPHER256_KEY_LEN + CIPHER_IV_LEN + DIGEST256_LEN
 /* We need to pad the plaintext version of the encrypted data section before
  * encryption and it has to be a multiple of this value. */
 #define HS_DESC_PLAINTEXT_PADDING_MULTIPLE 128
@@ -60,6 +60,12 @@
  * view of a descriptor, is 1 that is the version field. */
 #define HS_DESC_PLAINTEXT_MIN_FIELDS 1
 
+/* Key length for the descriptor symmetric encryption. As specified in the
+ * protocol, we use AES-256 for the encrypted section of the descriptor. The
+ * following is the length in bytes and the bit size. */
+#define HS_DESC_ENCRYPTED_KEY_LEN CIPHER256_KEY_LEN
+#define HS_DESC_ENCRYPTED_BIT_SIZE (HS_DESC_ENCRYPTED_KEY_LEN * 8)
+
 /* Type of authentication in the descriptor. */
 typedef enum {
   HS_DESC_AUTH_PASSWORD = 1,