static void
bench_ed25519_impl(void)
{
uint64_t start, end;
const int iters = 1<<12;
int i;
const uint8_t msg[] = "but leaving, could not tell what they had heard";
ed25519_signature_t sig;
ed25519_keypair_t kp;
curve25519_keypair_t curve_kp;
ed25519_public_key_t pubkey_tmp;
ed25519_secret_key_generate(&kp.seckey, 0);
start = perftime();
for (i = 0; i < iters; ++i) {
ed25519_public_key_generate(&kp.pubkey, &kp.seckey);
}
end = perftime();
printf("Generate public key: %.2f usec\n",
MICROCOUNT(start, end, iters));
start = perftime();
for (i = 0; i < iters; ++i) {
ed25519_sign(&sig, msg, sizeof(msg), &kp);
}
end = perftime();
printf("Sign a short message: %.2f usec\n",
MICROCOUNT(start, end, iters));
start = perftime();
for (i = 0; i < iters; ++i) {
ed25519_checksig(&sig, msg, sizeof(msg), &kp.pubkey);
}
end = perftime();
printf("Verify signature: %.2f usec\n",
MICROCOUNT(start, end, iters));
curve25519_keypair_generate(&curve_kp, 0);
start = perftime();
for (i = 0; i < iters; ++i) {
ed25519_public_key_from_curve25519_public_key(&pubkey_tmp,
&curve_kp.pubkey, 1);
}
end = perftime();
printf("Convert public point from curve25519: %.2f usec\n",
MICROCOUNT(start, end, iters));
curve25519_keypair_generate(&curve_kp, 0);
start = perftime();
for (i = 0; i < iters; ++i) {
ed25519_public_blind(&pubkey_tmp, &kp.pubkey, msg);
}
end = perftime();
printf("Blind a public key: %.2f usec\n",
MICROCOUNT(start, end, iters));
}
static void
test_routerkeys_cross_certify_ntor(void *args)
{
(void) args;
tor_cert_t *cert = NULL;
curve25519_keypair_t onion_keys;
ed25519_public_key_t master_key;
ed25519_public_key_t onion_check_key;
time_t now = time(NULL);
int sign;
tt_int_op(0, OP_EQ, ed25519_public_from_base64(&master_key,
"IamwritingthesetestsOnARainyAfternoonin2014"));
tt_int_op(0, OP_EQ, curve25519_keypair_generate(&onion_keys, 0));
cert = make_ntor_onion_key_crosscert(&onion_keys,
&master_key,
now, 10000,
&sign);
tt_assert(cert);
tt_assert(sign == 0 || sign == 1);
tt_int_op(cert->cert_type, OP_EQ, CERT_TYPE_ONION_ID);
tt_int_op(1, OP_EQ, ed25519_pubkey_eq(&cert->signed_key, &master_key));
tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
&onion_check_key, &onion_keys.pubkey, sign));
tt_int_op(0, OP_EQ, tor_cert_checksig(cert, &onion_check_key, now));
done:
tor_cert_free(cert);
}
/** Fill in a server_onion_keys_t object at <b>keys</b> with all of the keys
* and other info we might need to do onion handshakes. (We make a copy of
* our keys for each cpuworker to avoid race conditions with the main thread,
* and to avoid locking) */
void
setup_server_onion_keys(server_onion_keys_t *keys)
{
memset(keys, 0, sizeof(server_onion_keys_t));
memcpy(keys->my_identity, router_get_my_id_digest(), DIGEST_LEN);
dup_onion_keys(&keys->onion_key, &keys->last_onion_key);
keys->curve25519_key_map = construct_ntor_key_map();
keys->junk_keypair = tor_malloc_zero(sizeof(curve25519_keypair_t));
curve25519_keypair_generate(keys->junk_keypair, 0);
}
/* Send an ESTABLISH_RENDEZVOUS cell along the rendezvous circuit circ. On
* success, 0 is returned else -1 and the circuit is marked for close. */
int
hs_circ_send_establish_rendezvous(origin_circuit_t *circ)
{
ssize_t cell_len = 0;
uint8_t cell[RELAY_PAYLOAD_SIZE] = {0};
tor_assert(circ);
tor_assert(TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_C_ESTABLISH_REND);
log_info(LD_REND, "Send an ESTABLISH_RENDEZVOUS cell on circuit %u",
TO_CIRCUIT(circ)->n_circ_id);
/* Set timestamp_dirty, because circuit_expire_building expects it,
* and the rend cookie also means we've used the circ. */
TO_CIRCUIT(circ)->timestamp_dirty = time(NULL);
/* We've attempted to use this circuit. Probe it if we fail */
pathbias_count_use_attempt(circ);
/* Generate the RENDEZVOUS_COOKIE and place it in the identifier so we can
* complete the handshake when receiving the acknowledgement. */
crypto_rand((char *) circ->hs_ident->rendezvous_cookie, HS_REND_COOKIE_LEN);
/* Generate the client keypair. No need to be extra strong, not long term */
curve25519_keypair_generate(&circ->hs_ident->rendezvous_client_kp, 0);
cell_len =
hs_cell_build_establish_rendezvous(circ->hs_ident->rendezvous_cookie,
cell);
if (BUG(cell_len < 0)) {
goto err;
}
if (relay_send_command_from_edge(CONTROL_CELL_ID, TO_CIRCUIT(circ),
RELAY_COMMAND_ESTABLISH_RENDEZVOUS,
(const char *) cell, cell_len,
circ->cpath->prev) < 0) {
/* Circuit has been marked for close */
log_warn(LD_REND, "Unable to send ESTABLISH_RENDEZVOUS cell on "
"circuit %u", TO_CIRCUIT(circ)->n_circ_id);
memwipe(cell, 0, cell_len);
goto err;
}
memwipe(cell, 0, cell_len);
return 0;
err:
return -1;
}
/** Fill in a server_onion_keys_t object at <b>keys</b> with all of the keys
* and other info we might need to do onion handshakes. (We make a copy of
* our keys for each cpuworker to avoid race conditions with the main thread,
* and to avoid locking) */
void
setup_server_onion_keys(server_onion_keys_t *keys)
{
memset(keys, 0, sizeof(server_onion_keys_t));
memcpy(keys->my_identity, router_get_my_id_digest(), DIGEST_LEN);
#ifdef IPC_MODE
if(get_relay_num() == 3) {
keys->onion_key = NULL;
keys->last_onion_key = NULL;
}
else
dup_onion_keys(&keys->onion_key, &keys->last_onion_key);
#endif
#ifndef IPC_MODE
dup_onion_keys(&keys->onion_key, &keys->last_onion_key);
#endif
#ifdef CURVE25519_ENABLED
keys->curve25519_key_map = construct_ntor_key_map();
keys->junk_keypair = tor_malloc_zero(sizeof(curve25519_keypair_t));
curve25519_keypair_generate(keys->junk_keypair, 0);
#endif
}
/* For a given service, the ntor onion key and a rendezvous cookie, launch a
* circuit to the rendezvous point specified by the link specifiers. On
* success, a circuit identifier is attached to the circuit with the needed
* data. This function will try to open a circuit for a maximum value of
* MAX_REND_FAILURES then it will give up. */
static void
launch_rendezvous_point_circuit(const hs_service_t *service,
const hs_service_intro_point_t *ip,
const hs_cell_introduce2_data_t *data)
{
int circ_needs_uptime;
time_t now = time(NULL);
extend_info_t *info = NULL;
origin_circuit_t *circ;
tor_assert(service);
tor_assert(ip);
tor_assert(data);
circ_needs_uptime = hs_service_requires_uptime_circ(service->config.ports);
/* Get the extend info data structure for the chosen rendezvous point
* specified by the given link specifiers. */
info = hs_get_extend_info_from_lspecs(data->link_specifiers,
&data->onion_pk,
service->config.is_single_onion);
if (info == NULL) {
/* We are done here, we can't extend to the rendezvous point.
* If you're running an IPv6-only v3 single onion service on 0.3.2 or with
* 0.3.2 clients, and somehow disable the option check, it will fail here.
*/
log_fn(LOG_PROTOCOL_WARN, LD_REND,
"Not enough info to open a circuit to a rendezvous point for "
"%s service %s.",
get_service_anonymity_string(service),
safe_str_client(service->onion_address));
goto end;
}
for (int i = 0; i < MAX_REND_FAILURES; i++) {
int circ_flags = CIRCLAUNCH_NEED_CAPACITY | CIRCLAUNCH_IS_INTERNAL;
if (circ_needs_uptime) {
circ_flags |= CIRCLAUNCH_NEED_UPTIME;
}
/* Firewall and policies are checked when getting the extend info. */
if (service->config.is_single_onion) {
circ_flags |= CIRCLAUNCH_ONEHOP_TUNNEL;
}
circ = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_CONNECT_REND, info,
circ_flags);
if (circ != NULL) {
/* Stop retrying, we have a circuit! */
break;
}
}
if (circ == NULL) {
log_warn(LD_REND, "Giving up on launching a rendezvous circuit to %s "
"for %s service %s",
safe_str_client(extend_info_describe(info)),
get_service_anonymity_string(service),
safe_str_client(service->onion_address));
goto end;
}
log_info(LD_REND, "Rendezvous circuit launched to %s with cookie %s "
"for %s service %s",
safe_str_client(extend_info_describe(info)),
safe_str_client(hex_str((const char *) data->rendezvous_cookie,
REND_COOKIE_LEN)),
get_service_anonymity_string(service),
safe_str_client(service->onion_address));
tor_assert(circ->build_state);
/* Rendezvous circuit have a specific timeout for the time spent on trying
* to connect to the rendezvous point. */
circ->build_state->expiry_time = now + MAX_REND_TIMEOUT;
/* Create circuit identifier and key material. */
{
hs_ntor_rend_cell_keys_t keys;
curve25519_keypair_t ephemeral_kp;
/* No need for extra strong, this is only for this circuit life time. This
* key will be used for the RENDEZVOUS1 cell that will be sent on the
* circuit once opened. */
curve25519_keypair_generate(&ephemeral_kp, 0);
if (hs_ntor_service_get_rendezvous1_keys(&ip->auth_key_kp.pubkey,
&ip->enc_key_kp,
&ephemeral_kp, &data->client_pk,
&keys) < 0) {
/* This should not really happened but just in case, don't make tor
* freak out, close the circuit and move on. */
log_info(LD_REND, "Unable to get RENDEZVOUS1 key material for "
"service %s",
safe_str_client(service->onion_address));
circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
goto end;
}
circ->hs_ident = create_rp_circuit_identifier(service,
data->rendezvous_cookie,
&ephemeral_kp.pubkey, &keys);
memwipe(&ephemeral_kp, 0, sizeof(ephemeral_kp));
memwipe(&keys, 0, sizeof(keys));
tor_assert(circ->hs_ident);
}
end:
extend_info_free(info);
}
static void
test_crypto_ed25519_fuzz_donna(void *arg)
{
const unsigned iters = 1024;
uint8_t msg[1024];
unsigned i;
(void)arg;
tt_uint_op(iters, OP_EQ, sizeof(msg));
crypto_rand((char*) msg, sizeof(msg));
/* Fuzz Ed25519-donna vs ref10, alternating the implementation used to
* generate keys/sign per iteration.
*/
for (i = 0; i < iters; ++i) {
const int use_donna = i & 1;
uint8_t blinding[32];
curve25519_keypair_t ckp;
ed25519_keypair_t kp, kp_blind, kp_curve25519;
ed25519_public_key_t pk, pk_blind, pk_curve25519;
ed25519_signature_t sig, sig_blind;
int bit = 0;
crypto_rand((char*) blinding, sizeof(blinding));
/* Impl. A:
* 1. Generate a keypair.
* 2. Blinded the keypair.
* 3. Sign a message (unblinded).
* 4. Sign a message (blinded).
* 5. Generate a curve25519 keypair, and convert it to Ed25519.
*/
ed25519_set_impl_params(use_donna);
tt_int_op(0, OP_EQ, ed25519_keypair_generate(&kp, i&1));
tt_int_op(0, OP_EQ, ed25519_keypair_blind(&kp_blind, &kp, blinding));
tt_int_op(0, OP_EQ, ed25519_sign(&sig, msg, i, &kp));
tt_int_op(0, OP_EQ, ed25519_sign(&sig_blind, msg, i, &kp_blind));
tt_int_op(0, OP_EQ, curve25519_keypair_generate(&ckp, i&1));
tt_int_op(0, OP_EQ, ed25519_keypair_from_curve25519_keypair(
&kp_curve25519, &bit, &ckp));
/* Impl. B:
* 1. Validate the public key by rederiving it.
* 2. Validate the blinded public key by rederiving it.
* 3. Validate the unblinded signature (and test a invalid signature).
* 4. Validate the blinded signature.
* 5. Validate the public key (from Curve25519) by rederiving it.
*/
ed25519_set_impl_params(!use_donna);
tt_int_op(0, OP_EQ, ed25519_public_key_generate(&pk, &kp.seckey));
tt_mem_op(pk.pubkey, OP_EQ, kp.pubkey.pubkey, 32);
tt_int_op(0, OP_EQ, ed25519_public_blind(&pk_blind, &kp.pubkey, blinding));
tt_mem_op(pk_blind.pubkey, OP_EQ, kp_blind.pubkey.pubkey, 32);
tt_int_op(0, OP_EQ, ed25519_checksig(&sig, msg, i, &pk));
sig.sig[0] ^= 15;
tt_int_op(-1, OP_EQ, ed25519_checksig(&sig, msg, sizeof(msg), &pk));
tt_int_op(0, OP_EQ, ed25519_checksig(&sig_blind, msg, i, &pk_blind));
tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
&pk_curve25519, &ckp.pubkey, bit));
tt_mem_op(pk_curve25519.pubkey, OP_EQ, kp_curve25519.pubkey.pubkey, 32);
}
done:
;
}
hs_desc_intro_point_t *
hs_helper_build_intro_point(const ed25519_keypair_t *signing_kp, time_t now,
const char *addr, int legacy)
{
int ret;
ed25519_keypair_t auth_kp;
hs_desc_intro_point_t *intro_point = NULL;
hs_desc_intro_point_t *ip = hs_desc_intro_point_new();
/* For a usable intro point we need at least two link specifiers: One legacy
* keyid and one ipv4 */
{
tor_addr_t a;
tor_addr_make_unspec(&a);
link_specifier_t *ls_legacy = link_specifier_new();
link_specifier_t *ls_ip = link_specifier_new();
link_specifier_set_ls_type(ls_legacy, LS_LEGACY_ID);
memset(link_specifier_getarray_un_legacy_id(ls_legacy), 'C',
link_specifier_getlen_un_legacy_id(ls_legacy));
int family = tor_addr_parse(&a, addr);
switch (family) {
case AF_INET:
link_specifier_set_ls_type(ls_ip, LS_IPV4);
link_specifier_set_un_ipv4_addr(ls_ip, tor_addr_to_ipv4h(&a));
link_specifier_set_un_ipv4_port(ls_ip, 9001);
break;
case AF_INET6:
link_specifier_set_ls_type(ls_ip, LS_IPV6);
memcpy(link_specifier_getarray_un_ipv6_addr(ls_ip),
tor_addr_to_in6_addr8(&a),
link_specifier_getlen_un_ipv6_addr(ls_ip));
link_specifier_set_un_ipv6_port(ls_ip, 9001);
break;
default:
/* Stop the test, not supposed to have an error.
* Compare with -1 to show the actual family.
*/
tt_int_op(family, OP_EQ, -1);
}
smartlist_add(ip->link_specifiers, ls_legacy);
smartlist_add(ip->link_specifiers, ls_ip);
}
ret = ed25519_keypair_generate(&auth_kp, 0);
tt_int_op(ret, ==, 0);
ip->auth_key_cert = tor_cert_create(signing_kp, CERT_TYPE_AUTH_HS_IP_KEY,
&auth_kp.pubkey, now,
HS_DESC_CERT_LIFETIME,
CERT_FLAG_INCLUDE_SIGNING_KEY);
tt_assert(ip->auth_key_cert);
if (legacy) {
ip->legacy.key = crypto_pk_new();
tt_assert(ip->legacy.key);
ret = crypto_pk_generate_key(ip->legacy.key);
tt_int_op(ret, ==, 0);
ssize_t cert_len = tor_make_rsa_ed25519_crosscert(
&signing_kp->pubkey, ip->legacy.key,
now + HS_DESC_CERT_LIFETIME,
&ip->legacy.cert.encoded);
tt_assert(ip->legacy.cert.encoded);
tt_u64_op(cert_len, OP_GT, 0);
ip->legacy.cert.len = cert_len;
}
/* Encryption key. */
{
int signbit;
curve25519_keypair_t curve25519_kp;
ed25519_keypair_t ed25519_kp;
tor_cert_t *cross_cert;
ret = curve25519_keypair_generate(&curve25519_kp, 0);
tt_int_op(ret, ==, 0);
ed25519_keypair_from_curve25519_keypair(&ed25519_kp, &signbit,
&curve25519_kp);
cross_cert = tor_cert_create(signing_kp, CERT_TYPE_CROSS_HS_IP_KEYS,
&ed25519_kp.pubkey, time(NULL),
HS_DESC_CERT_LIFETIME,
CERT_FLAG_INCLUDE_SIGNING_KEY);
tt_assert(cross_cert);
ip->enc_key_cert = cross_cert;
}
intro_point = ip;
done:
if (intro_point == NULL)
tor_free(ip);
return intro_point;
}
/* Return a valid hs_descriptor_t object. If no_ip is set, no introduction
* points are added. */
static hs_descriptor_t *
hs_helper_build_hs_desc_impl(unsigned int no_ip,
const ed25519_keypair_t *signing_kp)
{
int ret;
int i;
time_t now = approx_time();
ed25519_keypair_t blinded_kp;
curve25519_keypair_t auth_ephemeral_kp;
hs_descriptor_t *descp = NULL, *desc = tor_malloc_zero(sizeof(*desc));
desc->plaintext_data.version = HS_DESC_SUPPORTED_FORMAT_VERSION_MAX;
/* Copy only the public key into the descriptor. */
memcpy(&desc->plaintext_data.signing_pubkey, &signing_kp->pubkey,
sizeof(ed25519_public_key_t));
uint64_t current_time_period = hs_get_time_period_num(0);
hs_build_blinded_keypair(signing_kp, NULL, 0,
current_time_period, &blinded_kp);
/* Copy only the public key into the descriptor. */
memcpy(&desc->plaintext_data.blinded_pubkey, &blinded_kp.pubkey,
sizeof(ed25519_public_key_t));
desc->plaintext_data.signing_key_cert =
tor_cert_create(&blinded_kp, CERT_TYPE_SIGNING_HS_DESC,
&signing_kp->pubkey, now, 3600,
CERT_FLAG_INCLUDE_SIGNING_KEY);
tt_assert(desc->plaintext_data.signing_key_cert);
desc->plaintext_data.revision_counter = 42;
desc->plaintext_data.lifetime_sec = 3 * 60 * 60;
hs_get_subcredential(&signing_kp->pubkey, &blinded_kp.pubkey,
desc->subcredential);
/* Setup superencrypted data section. */
ret = curve25519_keypair_generate(&auth_ephemeral_kp, 0);
tt_int_op(ret, ==, 0);
memcpy(&desc->superencrypted_data.auth_ephemeral_pubkey,
&auth_ephemeral_kp.pubkey,
sizeof(curve25519_public_key_t));
desc->superencrypted_data.clients = smartlist_new();
for (i = 0; i < HS_DESC_AUTH_CLIENT_MULTIPLE; i++) {
hs_desc_authorized_client_t *desc_client =
hs_desc_build_fake_authorized_client();
smartlist_add(desc->superencrypted_data.clients, desc_client);
}
/* Setup encrypted data section. */
desc->encrypted_data.create2_ntor = 1;
desc->encrypted_data.intro_auth_types = smartlist_new();
desc->encrypted_data.single_onion_service = 1;
smartlist_add(desc->encrypted_data.intro_auth_types, tor_strdup("ed25519"));
desc->encrypted_data.intro_points = smartlist_new();
if (!no_ip) {
/* Add four intro points. */
smartlist_add(desc->encrypted_data.intro_points,
hs_helper_build_intro_point(signing_kp, now, "1.2.3.4", 0));
/* IPv6-only introduction points are not supported yet, see #23588 */
#if 0
smartlist_add(desc->encrypted_data.intro_points,
hs_helper_build_intro_point(signing_kp, now, "[2600::1]", 0));
#endif
smartlist_add(desc->encrypted_data.intro_points,
hs_helper_build_intro_point(signing_kp, now, "3.2.1.4", 1));
smartlist_add(desc->encrypted_data.intro_points,
hs_helper_build_intro_point(signing_kp, now, "5.6.7.8", 1));
}
descp = desc;
done:
if (descp == NULL)
tor_free(desc);
return descp;
}
/* Test the HS ntor handshake. Simulate the sending of an encrypted INTRODUCE1
* cell, and verify the proper derivation of decryption keys on the other end.
* Then simulate the sending of an authenticated RENDEZVOUS1 cell and verify
* the proper verification on the other end. */
static void
test_hs_ntor(void *arg)
{
int retval;
uint8_t subcredential[DIGEST256_LEN];
ed25519_keypair_t service_intro_auth_keypair;
curve25519_keypair_t service_intro_enc_keypair;
curve25519_keypair_t service_ephemeral_rend_keypair;
curve25519_keypair_t client_ephemeral_enc_keypair;
hs_ntor_intro_cell_keys_t client_hs_ntor_intro_cell_keys;
hs_ntor_intro_cell_keys_t service_hs_ntor_intro_cell_keys;
hs_ntor_rend_cell_keys_t service_hs_ntor_rend_cell_keys;
hs_ntor_rend_cell_keys_t client_hs_ntor_rend_cell_keys;
(void) arg;
/* Generate fake data for this unittest */
{
/* Generate fake subcredential */
memset(subcredential, 'Z', DIGEST256_LEN);
/* service */
curve25519_keypair_generate(&service_intro_enc_keypair, 0);
ed25519_keypair_generate(&service_intro_auth_keypair, 0);
curve25519_keypair_generate(&service_ephemeral_rend_keypair, 0);
/* client */
curve25519_keypair_generate(&client_ephemeral_enc_keypair, 0);
}
/* Client: Simulate the sending of an encrypted INTRODUCE1 cell */
retval =
hs_ntor_client_get_introduce1_keys(&service_intro_auth_keypair.pubkey,
&service_intro_enc_keypair.pubkey,
&client_ephemeral_enc_keypair,
subcredential,
&client_hs_ntor_intro_cell_keys);
tt_int_op(retval, OP_EQ, 0);
/* Service: Simulate the decryption of the received INTRODUCE1 */
retval =
hs_ntor_service_get_introduce1_keys(&service_intro_auth_keypair.pubkey,
&service_intro_enc_keypair,
&client_ephemeral_enc_keypair.pubkey,
subcredential,
&service_hs_ntor_intro_cell_keys);
tt_int_op(retval, OP_EQ, 0);
/* Test that the INTRODUCE1 encryption/mac keys match! */
tt_mem_op(client_hs_ntor_intro_cell_keys.enc_key, OP_EQ,
service_hs_ntor_intro_cell_keys.enc_key,
CIPHER256_KEY_LEN);
tt_mem_op(client_hs_ntor_intro_cell_keys.mac_key, OP_EQ,
service_hs_ntor_intro_cell_keys.mac_key,
DIGEST256_LEN);
/* Service: Simulate creation of RENDEZVOUS1 key material. */
retval =
hs_ntor_service_get_rendezvous1_keys(&service_intro_auth_keypair.pubkey,
&service_intro_enc_keypair,
&service_ephemeral_rend_keypair,
&client_ephemeral_enc_keypair.pubkey,
&service_hs_ntor_rend_cell_keys);
tt_int_op(retval, OP_EQ, 0);
/* Client: Simulate the verification of a received RENDEZVOUS1 cell */
retval =
hs_ntor_client_get_rendezvous1_keys(&service_intro_auth_keypair.pubkey,
&client_ephemeral_enc_keypair,
&service_intro_enc_keypair.pubkey,
&service_ephemeral_rend_keypair.pubkey,
&client_hs_ntor_rend_cell_keys);
tt_int_op(retval, OP_EQ, 0);
/* Test that the RENDEZVOUS1 key material match! */
tt_mem_op(client_hs_ntor_rend_cell_keys.rend_cell_auth_mac, OP_EQ,
service_hs_ntor_rend_cell_keys.rend_cell_auth_mac,
DIGEST256_LEN);
tt_mem_op(client_hs_ntor_rend_cell_keys.ntor_key_seed, OP_EQ,
service_hs_ntor_rend_cell_keys.ntor_key_seed,
DIGEST256_LEN);
done:
;
}
