tor-proto 0.41.0

Asynchronous client-side implementation of the central Tor network protocols
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678

//! Relay cell cryptography
//!
//! The Tor protocol centers around "RELAY cells", which are transmitted through
//! the network along circuits.  The client that creates a circuit shares two
//! different sets of keys and state with each of the relays on the circuit: one
//! for "outbound" traffic, and one for "inbound" traffic.
//!
//! So for example, if a client creates a 3-hop circuit with relays R1, R2, and
//! R3, the client has:
//!   * An "inbound" cryptographic state shared with R1.
//!   * An "inbound" cryptographic state shared with R2.
//!   * An "inbound" cryptographic state shared with R3.
//!   * An "outbound" cryptographic state shared with R1.
//!   * An "outbound" cryptographic state shared with R2.
//!   * An "outbound" cryptographic state shared with R3.
//!
//! In this module at least, we'll call each of these state objects a "layer" of
//! the circuit's encryption.
//!
//! The Tor specification does not describe these layer objects very explicitly.
//! In the current relay cryptography protocol, each layer contains:
//!    * A keyed AES-CTR state. (AES-128 or AES-256)  This cipher uses a key
//!      called `Kf` or `Kb` in the spec, where `Kf` is a "forward" key used in
//!      the outbound direction, and `Kb` is a "backward" key used in the
//!      inbound direction.
//!    * A running digest. (SHA1 or SHA3)  This digest is initialized with a
//!      value called `Df` or `Db` in the spec.
//!
//! This `crypto::cell` module itself provides traits and implementations that
//! should work for all current future versions of the relay cell crypto design.
//! The current Tor protocols are instantiated in a `tor1` submodule.

#[cfg(feature = "bench")]
pub(crate) mod bench_utils;
#[cfg(feature = "counter-galois-onion")]
pub(crate) mod cgo;
pub(crate) mod tor1;

use crate::{Error, Result};
use derive_deftly::Deftly;
use tor_cell::{
    chancell::{BoxedCellBody, ChanCmd},
    relaycell::msg::SendmeTag,
};
use tor_memquota::derive_deftly_template_HasMemoryCost;

use super::binding::CircuitBinding;

/// Type for the body of a relay cell.
#[cfg_attr(feature = "bench", visibility::make(pub))]
#[derive(Clone, derive_more::From, derive_more::Into)]
pub(crate) struct RelayCellBody(BoxedCellBody);

impl AsRef<[u8]> for RelayCellBody {
    fn as_ref(&self) -> &[u8] {
        &self.0[..]
    }
}
impl AsMut<[u8]> for RelayCellBody {
    fn as_mut(&mut self) -> &mut [u8] {
        &mut self.0[..]
    }
}

/// Represents the ability for one hop of a circuit's cryptographic state to be
/// initialized from a given seed.
#[cfg_attr(feature = "bench", visibility::make(pub))]
pub(crate) trait CryptInit: Sized {
    /// Return the number of bytes that this state will require.
    fn seed_len() -> usize;
    /// Construct this state from a seed of the appropriate length.
    fn initialize(seed: &[u8]) -> Result<Self>;
    /// Initialize this object from a key generator.
    fn construct<K: super::handshake::KeyGenerator>(keygen: K) -> Result<Self> {
        let seed = keygen.expand(Self::seed_len())?;
        Self::initialize(&seed[..])
    }
}

/// A paired object containing the inbound and outbound cryptographic layers
/// used by a client to communicate with a single hop on one of its circuits.
///
/// TODO: Maybe we should fold this into CryptInit.
#[cfg_attr(feature = "bench", visibility::make(pub))]
pub(crate) trait ClientLayer<F, B>
where
    F: OutboundClientLayer,
    B: InboundClientLayer,
{
    /// Consume this ClientLayer and return a paired forward and reverse
    /// crypto layer, and a [`CircuitBinding`] object
    fn split_client_layer(self) -> (F, B, CircuitBinding);
}

/// A paired object containing the inbound and outbound cryptographic layers
/// used by a relay to implement a client's circuits.
///
#[allow(dead_code)] // To be used by relays.
#[cfg_attr(feature = "bench", visibility::make(pub))]
pub(crate) trait RelayLayer<F, B>
where
    F: OutboundRelayLayer,
    B: InboundRelayLayer,
{
    /// Consume this ClientLayer and return a paired forward and reverse
    /// crypto layers, and a [`CircuitBinding`] object
    fn split_relay_layer(self) -> (F, B, CircuitBinding);
}

/// Represents a relay's view of the inbound crypto state on a given circuit.
#[allow(dead_code)] // Relays are not yet implemented.
#[cfg_attr(feature = "bench", visibility::make(pub))]
pub(crate) trait InboundRelayLayer {
    /// Prepare a RelayCellBody to be sent towards the client,
    /// and encrypt it.
    ///
    /// Return the authentication tag.
    fn originate(&mut self, cmd: ChanCmd, cell: &mut RelayCellBody) -> SendmeTag;
    /// Encrypt a RelayCellBody that is moving towards the client.
    fn encrypt_inbound(&mut self, cmd: ChanCmd, cell: &mut RelayCellBody);
}

/// Represent a relay's view of the outbound crypto state on a given circuit.
#[allow(dead_code)]
#[cfg_attr(feature = "bench", visibility::make(pub))]
pub(crate) trait OutboundRelayLayer {
    /// Decrypt a RelayCellBody that is coming from the client.
    ///
    /// Return an authentication tag if it is addressed to us.
    fn decrypt_outbound(&mut self, cmd: ChanCmd, cell: &mut RelayCellBody) -> Option<SendmeTag>;
}

/// A client's view of the cryptographic state shared with a single relay on a
/// circuit, as used for outbound cells.
#[cfg_attr(feature = "bench", visibility::make(pub))]
pub(crate) trait OutboundClientLayer {
    /// Prepare a RelayCellBody to be sent to the relay at this layer, and
    /// encrypt it.
    ///
    /// Return the authentication tag.
    fn originate_for(&mut self, cmd: ChanCmd, cell: &mut RelayCellBody) -> SendmeTag;
    /// Encrypt a RelayCellBody to be decrypted by this layer.
    fn encrypt_outbound(&mut self, cmd: ChanCmd, cell: &mut RelayCellBody);
}

/// A client's view of the crypto state shared with a single relay on a circuit,
/// as used for inbound cells.
#[cfg_attr(feature = "bench", visibility::make(pub))]
pub(crate) trait InboundClientLayer {
    /// Decrypt a CellBody that passed through this layer.
    ///
    /// Return an authentication tag if this layer is the originator.
    fn decrypt_inbound(&mut self, cmd: ChanCmd, cell: &mut RelayCellBody) -> Option<SendmeTag>;
}

/// Type to store hop indices on a circuit.
///
/// Hop indices are zero-based: "0" denotes the first hop on the circuit.
#[derive(Copy, Clone, Eq, PartialEq, Debug, Deftly, Ord, PartialOrd)]
#[derive_deftly(HasMemoryCost)]
pub struct HopNum(u8);

impl HopNum {
    /// Return an object that implements [`Display`](std::fmt::Display) for printing `HopNum`s.
    ///
    /// This will display the `HopNum` as a 1-indexed value (the string representation of the first
    /// hop is `"#1"`).
    ///
    /// To display the zero-based underlying representation of the `HopNum`, use
    /// [`Debug`](std::fmt::Debug).
    pub fn display(&self) -> HopNumDisplay {
        HopNumDisplay(*self)
    }

    /// Return true if this is  the first hop of a circuit.
    pub(crate) fn is_first_hop(&self) -> bool {
        self.0 == 0
    }
}

/// A helper for displaying [`HopNum`]s.
///
/// The [`Display`](std::fmt::Display) of this type displays the `HopNum` as a 1-based index
/// prefixed with the number sign (`#`). For example, the string representation of the first hop is
/// `"#1"`.
#[derive(Copy, Clone, Eq, PartialEq, Debug)]
pub struct HopNumDisplay(HopNum);

impl std::fmt::Display for HopNumDisplay {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::result::Result<(), std::fmt::Error> {
        let hop_num: u8 = self.0.into();

        write!(f, "#{}", hop_num + 1)
    }
}

impl From<HopNum> for u8 {
    fn from(hop: HopNum) -> u8 {
        hop.0
    }
}

impl From<u8> for HopNum {
    fn from(v: u8) -> HopNum {
        HopNum(v)
    }
}

impl From<HopNum> for usize {
    fn from(hop: HopNum) -> usize {
        hop.0 as usize
    }
}

/// A client's view of the cryptographic state for an entire
/// constructed circuit, as used for sending cells.
#[cfg_attr(feature = "bench", visibility::make(pub), derive(Default))]
pub(crate) struct OutboundClientCrypt {
    /// Vector of layers, one for each hop on the circuit, ordered from the
    /// closest hop to the farthest.
    layers: Vec<Box<dyn OutboundClientLayer + Send>>,
}

/// A client's view of the cryptographic state for an entire
/// constructed circuit, as used for receiving cells.
#[cfg_attr(feature = "bench", visibility::make(pub), derive(Default))]
pub(crate) struct InboundClientCrypt {
    /// Vector of layers, one for each hop on the circuit, ordered from the
    /// closest hop to the farthest.
    layers: Vec<Box<dyn InboundClientLayer + Send>>,
}

impl OutboundClientCrypt {
    /// Return a new (empty) OutboundClientCrypt.
    #[cfg_attr(feature = "bench", visibility::make(pub))]
    pub(crate) fn new() -> Self {
        OutboundClientCrypt { layers: Vec::new() }
    }
    /// Prepare a cell body to sent away from the client.
    ///
    /// The cell is prepared for the `hop`th hop, and then encrypted with
    /// the appropriate keys.
    ///
    /// On success, returns a reference to tag that should be expected
    /// for an authenticated SENDME sent in response to this cell.
    #[cfg_attr(feature = "bench", visibility::make(pub))]
    pub(crate) fn encrypt(
        &mut self,
        cmd: ChanCmd,
        cell: &mut RelayCellBody,
        hop: HopNum,
    ) -> Result<SendmeTag> {
        let hop: usize = hop.into();
        if hop >= self.layers.len() {
            return Err(Error::NoSuchHop);
        }

        let mut layers = self.layers.iter_mut().take(hop + 1).rev();
        let first_layer = layers.next().ok_or(Error::NoSuchHop)?;
        let tag = first_layer.originate_for(cmd, cell);
        for layer in layers {
            layer.encrypt_outbound(cmd, cell);
        }
        Ok(tag)
    }

    /// Add a new layer to this OutboundClientCrypt
    pub(crate) fn add_layer(&mut self, layer: Box<dyn OutboundClientLayer + Send>) {
        assert!(self.layers.len() < u8::MAX as usize);
        self.layers.push(layer);
    }

    /// Return the number of layers configured on this OutboundClientCrypt.
    pub(crate) fn n_layers(&self) -> usize {
        self.layers.len()
    }
}

impl InboundClientCrypt {
    /// Return a new (empty) InboundClientCrypt.
    #[cfg_attr(feature = "bench", visibility::make(pub))]
    pub(crate) fn new() -> Self {
        InboundClientCrypt { layers: Vec::new() }
    }
    /// Decrypt an incoming cell that is coming to the client.
    ///
    /// On success, return which hop was the originator of the cell.
    // TODO(nickm): Use a real type for the tag, not just `&[u8]`.
    #[cfg_attr(feature = "bench", visibility::make(pub))]
    pub(crate) fn decrypt(
        &mut self,
        cmd: ChanCmd,
        cell: &mut RelayCellBody,
    ) -> Result<(HopNum, SendmeTag)> {
        for (hopnum, layer) in self.layers.iter_mut().enumerate() {
            if let Some(tag) = layer.decrypt_inbound(cmd, cell) {
                let hopnum = HopNum(u8::try_from(hopnum).expect("Somehow > 255 hops"));
                return Ok((hopnum, tag));
            }
        }
        Err(Error::BadCellAuth)
    }
    /// Add a new layer to this InboundClientCrypt
    pub(crate) fn add_layer(&mut self, layer: Box<dyn InboundClientLayer + Send>) {
        assert!(self.layers.len() < u8::MAX as usize);
        self.layers.push(layer);
    }

    /// Return the number of layers configured on this InboundClientCrypt.
    ///
    /// TODO: use HopNum
    #[allow(dead_code)]
    pub(crate) fn n_layers(&self) -> usize {
        self.layers.len()
    }
}

/// Standard Tor relay crypto, as instantiated for RELAY cells.
pub(crate) type Tor1RelayCrypto =
    tor1::CryptStatePair<tor_llcrypto::cipher::aes::Aes128Ctr, tor_llcrypto::d::Sha1>;

/// Standard Tor relay crypto, as instantiated for the HSv3 protocol.
///
/// (The use of SHA3 is ridiculously overkill.)
#[cfg(feature = "hs-common")]
pub(crate) type Tor1Hsv3RelayCrypto =
    tor1::CryptStatePair<tor_llcrypto::cipher::aes::Aes256Ctr, tor_llcrypto::d::Sha3_256>;

/// Counter galois onion relay crypto.
//
// We use `aes` directly here instead of tor_llcrypto::aes, which may or may not be OpenSSL:
// the OpenSSL implementations have bad performance when it comes to re-keying
// or changing IVs.
#[cfg(feature = "counter-galois-onion")]
pub(crate) type CgoRelayCrypto = cgo::CryptStatePair<aes::Aes128, aes::Aes128Enc>;

#[cfg(test)]
mod test {
    // @@ begin test lint list maintained by maint/add_warning @@
    #![allow(clippy::bool_assert_comparison)]
    #![allow(clippy::clone_on_copy)]
    #![allow(clippy::dbg_macro)]
    #![allow(clippy::mixed_attributes_style)]
    #![allow(clippy::print_stderr)]
    #![allow(clippy::print_stdout)]
    #![allow(clippy::single_char_pattern)]
    #![allow(clippy::unwrap_used)]
    #![allow(clippy::unchecked_time_subtraction)]
    #![allow(clippy::useless_vec)]
    #![allow(clippy::needless_pass_by_value)]
    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->

    use super::*;
    use rand::{RngCore, seq::IndexedRandom as _};
    use tor_basic_utils::{RngExt as _, test_rng::testing_rng};
    use tor_bytes::SecretBuf;
    use tor_cell::relaycell::RelayCellFormat;

    pub(crate) fn add_layers(
        cc_out: &mut OutboundClientCrypt,
        cc_in: &mut InboundClientCrypt,
        pair: Tor1RelayCrypto,
    ) {
        let (outbound, inbound, _) = pair.split_client_layer();
        cc_out.add_layer(Box::new(outbound));
        cc_in.add_layer(Box::new(inbound));
    }

    #[test]
    fn roundtrip() {
        // Take canned keys and make sure we can do crypto correctly.
        use crate::crypto::handshake::ShakeKeyGenerator as KGen;
        fn s(seed: &[u8]) -> SecretBuf {
            seed.to_vec().into()
        }

        let seed1 = s(b"hidden we are free");
        let seed2 = s(b"free to speak, to free ourselves");
        let seed3 = s(b"free to hide no more");

        let mut cc_out = OutboundClientCrypt::new();
        let mut cc_in = InboundClientCrypt::new();
        let pair = Tor1RelayCrypto::construct(KGen::new(seed1.clone())).unwrap();
        add_layers(&mut cc_out, &mut cc_in, pair);
        let pair = Tor1RelayCrypto::construct(KGen::new(seed2.clone())).unwrap();
        add_layers(&mut cc_out, &mut cc_in, pair);
        let pair = Tor1RelayCrypto::construct(KGen::new(seed3.clone())).unwrap();
        add_layers(&mut cc_out, &mut cc_in, pair);

        assert_eq!(cc_in.n_layers(), 3);
        assert_eq!(cc_out.n_layers(), 3);

        let (mut r1f, mut r1b, _) = Tor1RelayCrypto::construct(KGen::new(seed1))
            .unwrap()
            .split_relay_layer();
        let (mut r2f, mut r2b, _) = Tor1RelayCrypto::construct(KGen::new(seed2))
            .unwrap()
            .split_relay_layer();
        let (mut r3f, mut r3b, _) = Tor1RelayCrypto::construct(KGen::new(seed3))
            .unwrap()
            .split_relay_layer();
        let cmd = ChanCmd::RELAY;

        let mut rng = testing_rng();
        for _ in 1..300 {
            // outbound cell
            let mut cell = Box::new([0_u8; 509]);
            let mut cell_orig = [0_u8; 509];
            rng.fill_bytes(&mut cell_orig);
            cell.copy_from_slice(&cell_orig);
            let mut cell = cell.into();
            let _tag = cc_out.encrypt(cmd, &mut cell, 2.into()).unwrap();
            assert_ne!(&cell.as_ref()[9..], &cell_orig.as_ref()[9..]);
            assert!(r1f.decrypt_outbound(cmd, &mut cell).is_none());
            assert!(r2f.decrypt_outbound(cmd, &mut cell).is_none());
            assert!(r3f.decrypt_outbound(cmd, &mut cell).is_some());

            assert_eq!(&cell.as_ref()[9..], &cell_orig.as_ref()[9..]);

            // inbound cell
            let mut cell = Box::new([0_u8; 509]);
            let mut cell_orig = [0_u8; 509];
            rng.fill_bytes(&mut cell_orig);
            cell.copy_from_slice(&cell_orig);
            let mut cell = cell.into();

            r3b.originate(cmd, &mut cell);
            r2b.encrypt_inbound(cmd, &mut cell);
            r1b.encrypt_inbound(cmd, &mut cell);
            let (layer, _tag) = cc_in.decrypt(cmd, &mut cell).unwrap();
            assert_eq!(layer, 2.into());
            assert_eq!(&cell.as_ref()[9..], &cell_orig.as_ref()[9..]);

            // TODO: Test tag somehow.
        }

        // Try a failure: sending a cell to a nonexistent hop.
        {
            let mut cell = Box::new([0_u8; 509]).into();
            let err = cc_out.encrypt(cmd, &mut cell, 10.into());
            assert!(matches!(err, Err(Error::NoSuchHop)));
        }

        // Try a failure: A junk cell with no correct auth from any layer.
        {
            let mut cell = Box::new([0_u8; 509]).into();
            let err = cc_in.decrypt(cmd, &mut cell);
            assert!(matches!(err, Err(Error::BadCellAuth)));
        }
    }

    #[test]
    fn hop_num_display() {
        for i in 0..10 {
            let hop_num = HopNum::from(i);
            let expect = format!("#{}", i + 1);

            assert_eq!(expect, hop_num.display().to_string());
        }
    }

    /// Helper: Clear every field in the tor1 `cell` that is reserved for cryptography by relay cell
    /// format `version.
    ///
    /// We do this so that we can be sure that the _other_ fields have all been transmitted correctly.
    fn clean_cell_fields(cell: &mut RelayCellBody, format: RelayCellFormat) {
        use super::tor1;
        match format {
            RelayCellFormat::V0 => {
                cell.0[tor1::RECOGNIZED_RANGE].fill(0);
                cell.0[tor1::DIGEST_RANGE].fill(0);
            }
            RelayCellFormat::V1 => {
                cell.0[0..16].fill(0);
            }
            _ => {
                panic!("Unrecognized format!");
            }
        }
    }

    /// Helper: Test a single-hop message, forward from the client.
    fn test_fwd_one_hop<CS, RS, CF, CB, RF, RB>(format: RelayCellFormat)
    where
        CS: CryptInit + ClientLayer<CF, CB>,
        RS: CryptInit + RelayLayer<RF, RB>,
        CF: OutboundClientLayer,
        CB: InboundClientLayer,
        RF: OutboundRelayLayer,
        RB: InboundRelayLayer,
    {
        let mut rng = testing_rng();
        assert_eq!(CS::seed_len(), RS::seed_len());
        let mut seed = vec![0; CS::seed_len()];
        rng.fill_bytes(&mut seed[..]);
        let (mut client, _, _) = CS::initialize(&seed).unwrap().split_client_layer();
        let (mut relay, _, _) = RS::initialize(&seed).unwrap().split_relay_layer();

        for _ in 0..5 {
            let mut cell = RelayCellBody(Box::new([0_u8; 509]));
            rng.fill_bytes(&mut cell.0[..]);
            clean_cell_fields(&mut cell, format);
            let msg_orig = cell.clone();

            let ctag = client.originate_for(ChanCmd::RELAY, &mut cell);
            assert_ne!(cell.0[16..], msg_orig.0[16..]);
            let rtag = relay.decrypt_outbound(ChanCmd::RELAY, &mut cell);
            clean_cell_fields(&mut cell, format);
            assert_eq!(cell.0[..], msg_orig.0[..]);
            assert_eq!(rtag, Some(ctag));
        }
    }

    /// Helper: Test a single-hop message, backwards towards the client.
    fn test_rev_one_hop<CS, RS, CF, CB, RF, RB>(format: RelayCellFormat)
    where
        CS: CryptInit + ClientLayer<CF, CB>,
        RS: CryptInit + RelayLayer<RF, RB>,
        CF: OutboundClientLayer,
        CB: InboundClientLayer,
        RF: OutboundRelayLayer,
        RB: InboundRelayLayer,
    {
        let mut rng = testing_rng();
        assert_eq!(CS::seed_len(), RS::seed_len());
        let mut seed = vec![0; CS::seed_len()];
        rng.fill_bytes(&mut seed[..]);
        let (_, mut client, _) = CS::initialize(&seed).unwrap().split_client_layer();
        let (_, mut relay, _) = RS::initialize(&seed).unwrap().split_relay_layer();

        for _ in 0..5 {
            let mut cell = RelayCellBody(Box::new([0_u8; 509]));
            rng.fill_bytes(&mut cell.0[..]);
            clean_cell_fields(&mut cell, format);
            let msg_orig = cell.clone();

            let rtag = relay.originate(ChanCmd::RELAY, &mut cell);
            assert_ne!(cell.0[16..], msg_orig.0[16..]);
            let ctag = client.decrypt_inbound(ChanCmd::RELAY, &mut cell);
            clean_cell_fields(&mut cell, format);
            assert_eq!(cell.0[..], msg_orig.0[..]);
            assert_eq!(ctag, Some(rtag));
        }
    }

    fn test_fwd_three_hops_leaky<CS, RS, CF, CB, RF, RB>(format: RelayCellFormat)
    where
        CS: CryptInit + ClientLayer<CF, CB>,
        RS: CryptInit + RelayLayer<RF, RB>,
        CF: OutboundClientLayer + Send + 'static,
        CB: InboundClientLayer,
        RF: OutboundRelayLayer,
        RB: InboundRelayLayer,
    {
        let mut rng = testing_rng();
        assert_eq!(CS::seed_len(), RS::seed_len());
        let mut client = OutboundClientCrypt::new();
        let mut relays = Vec::new();
        for _ in 0..3 {
            let mut seed = vec![0; CS::seed_len()];
            rng.fill_bytes(&mut seed[..]);
            let (client_layer, _, _) = CS::initialize(&seed).unwrap().split_client_layer();
            let (relay_layer, _, _) = RS::initialize(&seed).unwrap().split_relay_layer();
            client.add_layer(Box::new(client_layer));
            relays.push(relay_layer);
        }

        'cell_loop: for _ in 0..32 {
            let mut cell = RelayCellBody(Box::new([0_u8; 509]));
            rng.fill_bytes(&mut cell.0[..]);
            clean_cell_fields(&mut cell, format);
            let msg_orig = cell.clone();
            let cmd = *[ChanCmd::RELAY, ChanCmd::RELAY_EARLY]
                .choose(&mut rng)
                .unwrap();
            let hop: u8 = rng.gen_range_checked(0_u8..=2).unwrap();

            let ctag = client.encrypt(cmd, &mut cell, hop.into()).unwrap();

            for r_idx in 0..=hop {
                let rtag = relays[r_idx as usize].decrypt_outbound(cmd, &mut cell);
                if let Some(rtag) = rtag {
                    clean_cell_fields(&mut cell, format);
                    assert_eq!(cell.0[..], msg_orig.0[..]);
                    assert_eq!(rtag, ctag);
                    continue 'cell_loop;
                }
            }
            panic!("None of the relays thought that this cell was recognized!");
        }
    }

    fn test_rev_three_hops_leaky<CS, RS, CF, CB, RF, RB>(format: RelayCellFormat)
    where
        CS: CryptInit + ClientLayer<CF, CB>,
        RS: CryptInit + RelayLayer<RF, RB>,
        CF: OutboundClientLayer,
        CB: InboundClientLayer + Send + 'static,
        RF: OutboundRelayLayer,
        RB: InboundRelayLayer,
    {
        let mut rng = testing_rng();
        assert_eq!(CS::seed_len(), RS::seed_len());
        let mut client = InboundClientCrypt::new();
        let mut relays = Vec::new();
        for _ in 0..3 {
            let mut seed = vec![0; CS::seed_len()];
            rng.fill_bytes(&mut seed[..]);
            let (_, client_layer, _) = CS::initialize(&seed).unwrap().split_client_layer();
            let (_, relay_layer, _) = RS::initialize(&seed).unwrap().split_relay_layer();
            client.add_layer(Box::new(client_layer));
            relays.push(relay_layer);
        }

        for _ in 0..32 {
            let mut cell = RelayCellBody(Box::new([0_u8; 509]));
            rng.fill_bytes(&mut cell.0[..]);
            clean_cell_fields(&mut cell, format);
            let msg_orig = cell.clone();
            let cmd = *[ChanCmd::RELAY, ChanCmd::RELAY_EARLY]
                .choose(&mut rng)
                .unwrap();
            let hop: u8 = rng.gen_range_checked(0_u8..=2).unwrap();

            let rtag = relays[hop as usize].originate(cmd, &mut cell);
            for r_idx in (0..hop.into()).rev() {
                relays[r_idx as usize].encrypt_inbound(cmd, &mut cell);
            }

            let (observed_hop, ctag) = client.decrypt(cmd, &mut cell).unwrap();
            assert_eq!(observed_hop, hop.into());
            clean_cell_fields(&mut cell, format);
            assert_eq!(cell.0[..], msg_orig.0[..]);
            assert_eq!(ctag, rtag);
        }
    }

    macro_rules! integration_tests { { $modname:ident($fmt:expr, $ctype:ty, $rtype:ty) } => {
        mod $modname {
            use super::*;
            #[test]
            fn test_fwd_one_hop() {
                super::test_fwd_one_hop::<$ctype, $rtype, _, _, _, _>($fmt);
            }
            #[test]
            fn test_rev_one_hop() {
                super::test_rev_one_hop::<$ctype, $rtype, _, _, _, _>($fmt);
            }
            #[test]
            fn test_fwd_three_hops_leaky() {
                super::test_fwd_three_hops_leaky::<$ctype, $rtype, _, _, _, _>($fmt);
            }
            #[test]
            fn test_rev_three_hops_leaky() {
                super::test_rev_three_hops_leaky::<$ctype, $rtype, _, _, _, _>($fmt);
            }
        }
    }}

    integration_tests! { tor1(RelayCellFormat::V0, Tor1RelayCrypto, Tor1RelayCrypto) }
    #[cfg(feature = "hs-common")]
    integration_tests! { tor1_hs(RelayCellFormat::V0, Tor1Hsv3RelayCrypto, Tor1Hsv3RelayCrypto) }

    #[cfg(feature = "counter-galois-onion")]
    integration_tests! {
        cgo_aes128(RelayCellFormat::V1,
            cgo::CryptStatePair<aes::Aes128Dec, aes::Aes128Enc>,// client
            cgo::CryptStatePair<aes::Aes128Enc, aes::Aes128Enc> // relay
        )
    }
    #[cfg(feature = "counter-galois-onion")]
    integration_tests! {
        cgo_aes256(RelayCellFormat::V1,
            cgo::CryptStatePair<aes::Aes256Dec, aes::Aes256Enc>,// client
            cgo::CryptStatePair<aes::Aes256Enc, aes::Aes256Enc> // relay
        )
    }
}