tor-commits November 2019

tor-commits@lists.torproject.org

20 participants
2923 discussions

[stem/master] Fix python 3.x support
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 8530ad6f5386c8dd1112a9e071f60aa002d14566 Author: Damian Johnson <atagar(a)torproject.org> Date: Thu Nov 14 14:19:40 2019 -0800 Fix python 3.x support This might *not* fully fix python3 support, but closer. I don't quite grok why but my openssl bindings have ed25519 support with python 2.7 but not 3.5. Oh well, fixing what I can for now. % python Python 2.7.12 (default, Oct 8 2019, 14:14:10) >>> import cryptography >>> cryptography.__version__ '2.7' >>> from cryptography.hazmat.backends.openssl.backend import backend >>> backend.ed25519_supported() True ------------------------------------------------------------ % python3 Python 3.5.2 (default, Oct 8 2019, 13:06:37) >>> import cryptography >>> cryptography.__version__ '2.8' >>> from cryptography.hazmat.backends.openssl.backend import backend >>> backend.ed25519_supported() False --- stem/descriptor/certificate.py | 10 ++++------ stem/descriptor/hidden_service.py | 7 ++++--- stem/util/__init__.py | 7 ++++--- test/unit/descriptor/hidden_service_v3.py | 9 +++++++-- 4 files changed, 19 insertions(+), 14 deletions(-) diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index 10518364..74a4e08c 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -307,7 +307,7 @@ class Ed25519CertificateV1(Ed25519Certificate): self.type, self.type_int = ClientCertType.get(cert_type) self.expiration = expiration if expiration else datetime.datetime.utcnow() + datetime.timedelta(hours = DEFAULT_EXPIRATION_HOURS) self.key_type = key_type if key_type else 1 - self.key = key if isinstance(key, str) else stem.util._pubkey_bytes(key) + self.key = stem.util._pubkey_bytes(key) self.extensions = extensions if extensions else [] self.signature = signature @@ -371,9 +371,7 @@ class Ed25519CertificateV1(Ed25519Certificate): if extension_data: raise ValueError('Ed25519 certificate had %i bytes of unused extension data' % len(extension_data)) - instance = Ed25519CertificateV1(cert_type, datetime.datetime.utcfromtimestamp(expiration_hours * 3600), key_type, key, extensions, signature) - - return instance + return Ed25519CertificateV1(cert_type, datetime.datetime.utcfromtimestamp(expiration_hours * 3600), key_type, key, extensions, signature) def is_expired(self): """ @@ -448,10 +446,10 @@ class Ed25519CertificateV1(Ed25519Certificate): if isinstance(descriptor, stem.descriptor.server_descriptor.RelayDescriptor): prefix = SIG_PREFIX_SERVER_DESC - regex = '(.+router-sig-ed25519 )' + regex = b'(.+router-sig-ed25519 )' elif isinstance(descriptor, stem.descriptor.hidden_service.HiddenServiceDescriptorV3): prefix = SIG_PREFIX_HS_V3 - regex = '(.+)signature ' + regex = b'(.+)signature ' else: raise ValueError('BUG: %s type unexpected' % type(descriptor).__name__) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 604c3849..dd4ab934 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -563,7 +563,7 @@ def _parse_v3_introduction_points(descriptor, entries): remaining = descriptor._unparsed_introduction_points while remaining: - div = remaining.find('\nintroduction-point ', 10) + div = remaining.find(b'\nintroduction-point ', 10) content, remaining = (remaining[:div], remaining[div + 1:]) if div != -1 else (remaining, '') introduction_points.append(IntroductionPointV3.parse(content)) @@ -1257,7 +1257,7 @@ class InnerLayer(Descriptor): return _descriptor_content(attr, exclude, ( ('create2-formats', '2'), - )) + suffix + )) + stem.util.str_tools._to_bytes(suffix) @classmethod def create(cls, attr = None, exclude = (), validate = True, sign = False, introduction_points = None): @@ -1270,7 +1270,8 @@ class InnerLayer(Descriptor): # inner layer begins with a few header fields, followed by any # number of introduction-points - div = content.find('\nintroduction-point ') + content = stem.util.str_tools._to_bytes(content) + div = content.find(b'\nintroduction-point ') if div != -1: self._unparsed_introduction_points = content[div + 1:] diff --git a/stem/util/__init__.py b/stem/util/__init__.py index a8870499..eb4e0618 100644 --- a/stem/util/__init__.py +++ b/stem/util/__init__.py @@ -132,6 +132,9 @@ def _pubkey_bytes(key): Normalizes X25509 and ED25519 keys into their public key bytes. """ + if _is_str(key): + return key + if not stem.prereq.is_crypto_available(): raise ImportError('Key normalization requires the cryptography module') elif not stem.prereq.is_crypto_available(ed25519 = True): @@ -141,9 +144,7 @@ def _pubkey_bytes(key): from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey - if isinstance(key, str): - return key - elif isinstance(key, (X25519PrivateKey, Ed25519PrivateKey)): + if isinstance(key, (X25519PrivateKey, Ed25519PrivateKey)): return key.public_key().public_bytes( encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw, diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index 81e04a0f..893ef29e 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -162,6 +162,7 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): self.assertEqual(None, intro_point.legacy_key_raw) self.assertEqual(None, intro_point.legacy_key_cert) + @test.require.ed25519_support def test_required_fields(self): """ Check that we require the mandatory fields. @@ -180,6 +181,7 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): desc_text = HiddenServiceDescriptorV3.content(exclude = (line,)) expect_invalid_attr_for_text(self, desc_text, line_to_attr[line], None) + @test.require.ed25519_support def test_invalid_version(self): """ Checks that our version field expects a numeric value. @@ -194,6 +196,7 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): for test_value in test_values: expect_invalid_attr(self, {'hs-descriptor': test_value}, 'version') + @test.require.ed25519_support def test_invalid_lifetime(self): """ Checks that our lifetime field expects a numeric value. @@ -208,6 +211,7 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): for test_value in test_values: expect_invalid_attr(self, {'descriptor-lifetime': test_value}, 'lifetime') + @test.require.ed25519_support def test_invalid_revision_counter(self): """ Checks that our revision counter field expects a numeric value. @@ -302,6 +306,7 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): reparsed = IntroductionPointV3.parse(intro_point.encode()) self.assertEqual(intro_point, reparsed) + @test.require.ed25519_support def test_inner_layer_creation(self): """ Internal layer creation. @@ -309,12 +314,12 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): # minimal layer - self.assertEqual('create2-formats 2', InnerLayer.content()) + self.assertEqual(b'create2-formats 2', InnerLayer.content()) self.assertEqual([2], InnerLayer.create().formats) # specify their only mandatory parameter (formats) - self.assertEqual('create2-formats 1 2 3', InnerLayer.content({'create2-formats': '1 2 3'})) + self.assertEqual(b'create2-formats 1 2 3', InnerLayer.content({'create2-formats': '1 2 3'})) self.assertEqual([1, 2, 3], InnerLayer.create({'create2-formats': '1 2 3'}).formats) # include optional parameters

1 0

[stem/master] Drop the HSv3PublicBlindedKey class
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 864cc12bc3bf057d92f96bc40369447003151ea5 Author: Damian Johnson <atagar(a)torproject.org> Date: Thu Nov 7 14:42:57 2019 -0800 Drop the HSv3PublicBlindedKey class This class' verify() method was never called, making it effectively a container for its single attribute. --- stem/descriptor/hidden_service.py | 8 +++----- stem/descriptor/hsv3_crypto.py | 31 ++++++------------------------- 2 files changed, 9 insertions(+), 30 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 7b6651b7..54874f0d 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -849,7 +849,7 @@ def _get_descriptor_signing_cert(descriptor_signing_public_key, blinded_priv_key expiration_date = datetime.datetime.utcnow() + datetime.timedelta(hours=54) signing_key = stem.util._pubkey_bytes(descriptor_signing_public_key) - extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_priv_key.public_key().public_key)] + extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_priv_key.blinded_pubkey)] desc_signing_cert = Ed25519CertificateV1(CertType.HS_V3_DESC_SIGNING, expiration_date, 1, signing_key, extensions, signing_key = blinded_priv_key) @@ -1027,13 +1027,11 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): raise ValueError('Need to provide a blinding param for this descriptor') # Get the identity public key - public_identity_key = ed25519_private_identity_key.public_key() - public_identity_key_bytes = stem.util._pubkey_bytes(public_identity_key) + public_identity_key_bytes = stem.util._pubkey_bytes(ed25519_private_identity_key) # Blind the identity key to get ephemeral blinded key blinded_privkey = stem.descriptor.hsv3_crypto.HSv3PrivateBlindedKey(ed25519_private_identity_key, blinding_param = blinding_param) - blinded_pubkey = blinded_privkey.public_key() - blinded_pubkey_bytes = blinded_pubkey.public_key + blinded_pubkey_bytes = blinded_privkey.blinded_pubkey # Generate descriptor signing key signing_key = Ed25519PrivateKey.generate() diff --git a/stem/descriptor/hsv3_crypto.py b/stem/descriptor/hsv3_crypto.py index 73654866..5bce5dcf 100644 --- a/stem/descriptor/hsv3_crypto.py +++ b/stem/descriptor/hsv3_crypto.py @@ -2,11 +2,8 @@ import hashlib import struct import os +import stem.descriptor.ed25519_exts_ref import stem.descriptor.slow_ed25519 -import stem.prereq - -from stem.descriptor import ed25519_exts_ref -from stem.descriptor import slow_ed25519 """ @@ -31,30 +28,14 @@ class HSv3PrivateBlindedKey(object): secret_seed = hazmat_private_key.private_bytes(encoding = serialization.Encoding.Raw, format = serialization.PrivateFormat.Raw, encryption_algorithm = serialization.NoEncryption()) assert(len(secret_seed) == 32) - expanded_identity_priv_key = ed25519_exts_ref.expandSK(secret_seed) - identity_public_key = slow_ed25519.publickey(secret_seed) - - self.blinded_secret_key = ed25519_exts_ref.blindESK(expanded_identity_priv_key, blinding_param) - blinded_public_key = ed25519_exts_ref.blindPK(identity_public_key, blinding_param) - self.blinded_public_key = HSv3PublicBlindedKey(blinded_public_key) + expanded_identity_priv_key = stem.descriptor.ed25519_exts_ref.expandSK(secret_seed) + identity_public_key = stem.descriptor.slow_ed25519.publickey(secret_seed) - def public_key(self): - return self.blinded_public_key + self.blinded_secret_key = stem.descriptor.ed25519_exts_ref.blindESK(expanded_identity_priv_key, blinding_param) + self.blinded_pubkey = stem.descriptor.ed25519_exts_ref.blindPK(identity_public_key, blinding_param) def sign(self, msg): - return ed25519_exts_ref.signatureWithESK(msg, self.blinded_secret_key, self.blinded_public_key.public_key) - - -class HSv3PublicBlindedKey(object): - def __init__(self, public_key): - self.public_key = public_key - - def verify(self, signature, message): - """ - raises exception if sig not valid - """ - - stem.descriptor.slow_ed25519.checkvalid(signature, message, self.public_key) + return stem.descriptor.ed25519_exts_ref.signatureWithESK(msg, self.blinded_secret_key, self.blinded_pubkey) """

1 0

[stem/master] Drop _get_descriptor_signing_cert()
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 53c9ac83a4f7eb53d1b35a06346bcb2675453ec5 Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Nov 13 14:22:53 2019 -0800 Drop _get_descriptor_signing_cert() Flattening the last content() helper so we can see all the remaining implementation in one spot. Getting close! --- stem/descriptor/hidden_service.py | 27 ++++++--------------------- 1 file changed, 6 insertions(+), 21 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 56ba4d22..05c8267b 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -863,26 +863,6 @@ class HiddenServiceDescriptorV2(BaseHiddenServiceDescriptor): return introduction_points -def _get_descriptor_signing_cert(descriptor_signing_public_key, blinded_priv_key): - """ - Get the string representation of the descriptor signing cert - - 'descriptor_signing_public_key' key that gets certified by certificate - - 'blinded_priv_key' key that signs the certificate - """ - - # 54 hours expiration date like tor does - expiration_date = datetime.datetime.utcnow() + datetime.timedelta(hours=54) - - signing_key = stem.util._pubkey_bytes(descriptor_signing_public_key) - extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_priv_key.blinded_pubkey)] - - desc_signing_cert = Ed25519CertificateV1(CertType.HS_V3_DESC_SIGNING, expiration_date, 1, signing_key, extensions, signing_key = blinded_priv_key) - - return '\n' + desc_signing_cert.to_base64(pem = True) - - class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): """ Version 3 hidden service descriptor. @@ -988,10 +968,15 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): blinded_key = blinded_key, ) + expiration = datetime.datetime.utcnow() + datetime.timedelta(hours = stem.descriptor.certificate.DEFAULT_EXPIRATION_HOURS) + extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_privkey.blinded_pubkey)] + + signing_cert = Ed25519CertificateV1(CertType.HS_V3_DESC_SIGNING, expiration, 1, stem.util._pubkey_bytes(descriptor_signing_public_key), extensions, signing_key = blinded_privkey) + desc_content = _descriptor_content(attr, exclude, ( ('hs-descriptor', '3'), ('descriptor-lifetime', '180'), - ('descriptor-signing-key-cert', _get_descriptor_signing_cert(descriptor_signing_public_key, blinded_privkey)), + ('descriptor-signing-key-cert', '\n' + signing_cert.to_base64(pem = True)), ('revision-counter', str(revision_counter)), ('superencrypted', b'\n' + outer_layer._encrypt(revision_counter, subcredential, blinded_key)), ), ())

1 0

[stem/master] Merge ed25519_exts_ref into hsv3_crypto
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 4db893a68a324c3ac16ece85c4f3b36e2d768fa8 Author: Damian Johnson <atagar(a)torproject.org> Date: Thu Nov 7 15:22:13 2019 -0800 Merge ed25519_exts_ref into hsv3_crypto Moving the subset of ed25519_exts_ref that's used into hsv3_crypto to give myself one fewer modules to puzzle out. --- stem/descriptor/ed25519_exts_ref.py | 243 ------------------------------------ stem/descriptor/hsv3_crypto.py | 46 +++++-- 2 files changed, 39 insertions(+), 250 deletions(-) diff --git a/stem/descriptor/ed25519_exts_ref.py b/stem/descriptor/ed25519_exts_ref.py deleted file mode 100644 index 23701315..00000000 --- a/stem/descriptor/ed25519_exts_ref.py +++ /dev/null @@ -1,243 +0,0 @@ -#!/usr/bin/python -# Copyright 2014-2019, The Tor Project, Inc -# See LICENSE for licensing information - -""" - Reference implementations for the ed25519 tweaks that Tor uses. - - Includes self-tester and test vector generator. -""" - -from stem.descriptor import slow_ed25519 - -import os -import unittest -import binascii -import textwrap - -# define a synonym that doesn't look like 1 -ell = slow_ed25519.l - -# This replaces expmod above and makes it go a lot faster. -slow_ed25519.expmod = pow - - -def blindESK(esk, param): - mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(param, i) for i in range(3, slow_ed25519.b - 2)) - s = slow_ed25519.decodeint(esk[:32]) - s_prime = (s * mult) % ell - k = esk[32:] - assert(len(k) == 32) - k_prime = slow_ed25519.H(b'Derive temporary signing key hash input' + k)[:32] - return slow_ed25519.encodeint(s_prime) + k_prime - - -def blindPK(pk, param): - mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(param, i) for i in range(3, slow_ed25519.b - 2)) - P = slow_ed25519.decodepoint(pk) - return slow_ed25519.encodepoint(slow_ed25519.scalarmult(P, mult)) - - -def expandSK(sk): - h = slow_ed25519.H(sk) - a = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(h, i) for i in range(3, slow_ed25519.b - 2)) - k = b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) - assert len(k) == 32 - return slow_ed25519.encodeint(a) + k - - -def publickeyFromESK(h): - a = slow_ed25519.decodeint(h[:32]) - A = slow_ed25519.scalarmult(slow_ed25519.B, a) - return slow_ed25519.encodepoint(A) - - -def signatureWithESK(m, h, pk): - a = slow_ed25519.decodeint(h[:32]) - r = slow_ed25519.Hint(b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) + m) - R = slow_ed25519.scalarmult(slow_ed25519.B, r) - S = (r + slow_ed25519.Hint(slow_ed25519.encodepoint(R) + pk + m) * a) % slow_ed25519.l - - return slow_ed25519.encodepoint(R) + slow_ed25519.encodeint(S) - - -def newSK(): - return os.urandom(32) - - -def random_scalar(entropy_f): - # 0..L-1 inclusive - # reduce the bias to a safe level by generating 256 extra bits - - oversized = int(binascii.hexlify(entropy_f(32 + 32)), 16) - return oversized % ell - - -# ------------------------------------------------------------ - -MSG = b'This is extremely silly. But it is also incredibly serious business!' - - -class SelfTest(unittest.TestCase): - def _testSignatures(self, esk, pk): - sig = signatureWithESK(MSG, esk, pk) - slow_ed25519.checkvalid(sig, MSG, pk) - bad = False - - try: - slow_ed25519.checkvalid(sig, MSG * 2, pk) - bad = True - except Exception: - pass - - self.assertFalse(bad) - - def testExpand(self): - sk = newSK() - pk = slow_ed25519.publickey(sk) - esk = expandSK(sk) - sig1 = slow_ed25519.signature(MSG, sk, pk) - sig2 = signatureWithESK(MSG, esk, pk) - self.assertEqual(sig1, sig2) - - def testSignatures(self): - sk = newSK() - esk = expandSK(sk) - pk = publickeyFromESK(esk) - pk2 = slow_ed25519.publickey(sk) - self.assertEqual(pk, pk2) - - self._testSignatures(esk, pk) - - def testBlinding(self): - sk = newSK() - esk = expandSK(sk) - pk = publickeyFromESK(esk) - param = os.urandom(32) - besk = blindESK(esk, param) - bpk = blindPK(pk, param) - bpk2 = publickeyFromESK(besk) - self.assertEqual(bpk, bpk2) - - self._testSignatures(besk, bpk) - - def testIdentity(self): - # Get identity E by doing: E = l*B, where l is the group order - identity = slow_ed25519.scalarmult(slow_ed25519.B, ell) - - # Get identity E by doing: E = l*A, where A is a random point - sk = newSK() - pk = slow_ed25519.decodepoint(slow_ed25519.publickey(sk)) - identity2 = slow_ed25519.scalarmult(pk, ell) - - # Check that identities match - assert(identity == identity2) - # Check that identity is the point (0, 1) - assert(identity == [0, 1]) - - # Check identity element: a*E = E, where a is a random scalar - scalar = random_scalar(os.urandom) - result = slow_ed25519.scalarmult(identity, scalar) - assert(result == identity == identity2) - - -# ------------------------------------------------------------ - -# From pprint.pprint([binascii.b2a_hex(os.urandom(32)) for _ in xrange(8)]) -RAND_INPUTS = [ - '26c76712d89d906e6672dafa614c42e5cb1caac8c6568e4d2493087db51f0d36', - 'fba7a5366b5cb98c2667a18783f5cf8f4f8d1a2ce939ad22a6e685edde85128d', - '67e3aa7a14fac8445d15e45e38a523481a69ae35513c9e4143eb1c2196729a0e', - 'd51385942033a76dc17f089a59e6a5a7fe80d9c526ae8ddd8c3a506b99d3d0a6', - '5c8eac469bb3f1b85bc7cd893f52dc42a9ab66f1b02b5ce6a68e9b175d3bb433', - 'eda433d483059b6d1ff8b7cfbd0fe406bfb23722c8f3c8252629284573b61b86', - '4377c40431c30883c5fbd9bc92ae48d1ed8a47b81d13806beac5351739b5533d', - 'c6bbcce615839756aed2cc78b1de13884dd3618f48367a17597a16c1cd7a290b'] - -# From pprint.pprint([binascii.b2a_hex(os.urandom(32)) for _ in xrange(8)]) -BLINDING_PARAMS = [ - '54a513898b471d1d448a2f3c55c1de2c0ef718c447b04497eeb999ed32027823', - '831e9b5325b5d31b7ae6197e9c7a7baf2ec361e08248bce055908971047a2347', - 'ac78a1d46faf3bfbbdc5af5f053dc6dc9023ed78236bec1760dadfd0b2603760', - 'f9c84dc0ac31571507993df94da1b3d28684a12ad14e67d0a068aba5c53019fc', - 'b1fe79d1dec9bc108df69f6612c72812755751f21ecc5af99663b30be8b9081f', - '81f1512b63ab5fb5c1711a4ec83d379c420574aedffa8c3368e1c3989a3a0084', - '97f45142597c473a4b0e9a12d64561133ad9e1155fe5a9807fe6af8a93557818', - '3f44f6a5a92cde816635dfc12ade70539871078d2ff097278be2a555c9859cd0'] - -PREFIX = 'ED25519_' - - -def writeArray(name, array): - print('static const char *{prefix}{name}[] = {{'.format(prefix = PREFIX, name = name)) - - for a in array: - h = a.hex() - - if len(h) > 70: - h1 = h[:70] - h2 = h[70:] - print(' "{0}"\n "{1}",'.format(h1, h2)) - else: - print(' "{0}",'.format(h)) - - print('};\n') - - -def comment(text, initial='/**'): - print(initial) - print(textwrap.fill(text, initial_indent = ' * ', subsequent_indent = ' * ')) - print(' */') - - -def makeTestVectors(): - comment("""Test vectors for our ed25519 implementation and related - functions. These were automatically generated by the - ed25519_exts_ref.py script.""", initial = '/*') - - comment("""Secret key seeds used as inputs for the ed25519 test vectors. - Randomly generated. """) - secretKeys = [bytes.fromhex(r) for r in RAND_INPUTS] - writeArray('SECRET_KEYS', secretKeys) - - comment("""Secret ed25519 keys after expansion from seeds. This is how Tor - represents them internally.""") - expandedSecretKeys = [expandSK(sk) for sk in secretKeys] - writeArray('EXPANDED_SECRET_KEYS', expandedSecretKeys) - - comment('Public keys derived from the above secret keys') - publicKeys = [slow_ed25519.publickey(sk) for sk in secretKeys] - writeArray('PUBLIC_KEYS', publicKeys) - - comment('Parameters used for key blinding tests. Randomly generated.') - blindingParams = [binascii.a2b_hex(r) for r in BLINDING_PARAMS] - writeArray('BLINDING_PARAMS', blindingParams) - - comment("""Blinded secret keys for testing key blinding. The nth blinded - key corresponds to the nth secret key blidned with the nth - blinding parameter.""") - - writeArray('BLINDED_SECRET_KEYS', (blindESK(expandSK(sk), bp) for sk, bp in zip(secretKeys, blindingParams))) - - comment("""Blinded public keys for testing key blinding. The nth blinded - key corresponds to the nth public key blidned with the nth - blinding parameter.""") - - writeArray('BLINDED_PUBLIC_KEYS', (blindPK(pk, bp) for pk, bp in zip(publicKeys, blindingParams))) - - comment("""Signatures of the public keys, made with their corresponding - secret keys.""") - writeArray('SELF_SIGNATURES', (slow_ed25519.signature(pk, sk, pk) for pk, sk in zip(publicKeys, secretKeys))) - - -if __name__ == '__main__': - import sys - - if len(sys.argv) == 1 or sys.argv[1] not in ('SelfTest', 'MakeVectors'): - print ("You should specify one of 'SelfTest' or 'MakeVectors'") - sys.exit(1) - - if sys.argv[1] == 'SelfTest': - unittest.main() - else: - makeTestVectors() diff --git a/stem/descriptor/hsv3_crypto.py b/stem/descriptor/hsv3_crypto.py index 5bce5dcf..80759aa2 100644 --- a/stem/descriptor/hsv3_crypto.py +++ b/stem/descriptor/hsv3_crypto.py @@ -2,8 +2,7 @@ import hashlib import struct import os -import stem.descriptor.ed25519_exts_ref -import stem.descriptor.slow_ed25519 +from stem.descriptor import slow_ed25519 """ @@ -21,6 +20,39 @@ certificate module. """ +def blindESK(esk, param): + mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(param, i) for i in range(3, slow_ed25519.b - 2)) + s = slow_ed25519.decodeint(esk[:32]) + s_prime = (s * mult) % slow_ed25519.l + k = esk[32:] + assert(len(k) == 32) + k_prime = slow_ed25519.H(b'Derive temporary signing key hash input' + k)[:32] + return slow_ed25519.encodeint(s_prime) + k_prime + + +def blindPK(pk, param): + mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(param, i) for i in range(3, slow_ed25519.b - 2)) + P = slow_ed25519.decodepoint(pk) + return slow_ed25519.encodepoint(slow_ed25519.scalarmult(P, mult)) + + +def expandSK(sk): + h = slow_ed25519.H(sk) + a = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(h, i) for i in range(3, slow_ed25519.b - 2)) + k = b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) + assert len(k) == 32 + return slow_ed25519.encodeint(a) + k + + +def signatureWithESK(m, h, pk): + a = slow_ed25519.decodeint(h[:32]) + r = slow_ed25519.Hint(b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) + m) + R = slow_ed25519.scalarmult(slow_ed25519.B, r) + S = (r + slow_ed25519.Hint(slow_ed25519.encodepoint(R) + pk + m) * a) % slow_ed25519.l + + return slow_ed25519.encodepoint(R) + slow_ed25519.encodeint(S) + + class HSv3PrivateBlindedKey(object): def __init__(self, hazmat_private_key, blinding_param): from cryptography.hazmat.primitives import serialization @@ -28,14 +60,14 @@ class HSv3PrivateBlindedKey(object): secret_seed = hazmat_private_key.private_bytes(encoding = serialization.Encoding.Raw, format = serialization.PrivateFormat.Raw, encryption_algorithm = serialization.NoEncryption()) assert(len(secret_seed) == 32) - expanded_identity_priv_key = stem.descriptor.ed25519_exts_ref.expandSK(secret_seed) - identity_public_key = stem.descriptor.slow_ed25519.publickey(secret_seed) + expanded_identity_priv_key = expandSK(secret_seed) + identity_public_key = slow_ed25519.publickey(secret_seed) - self.blinded_secret_key = stem.descriptor.ed25519_exts_ref.blindESK(expanded_identity_priv_key, blinding_param) - self.blinded_pubkey = stem.descriptor.ed25519_exts_ref.blindPK(identity_public_key, blinding_param) + self.blinded_secret_key = blindESK(expanded_identity_priv_key, blinding_param) + self.blinded_pubkey = blindPK(identity_public_key, blinding_param) def sign(self, msg): - return stem.descriptor.ed25519_exts_ref.signatureWithESK(msg, self.blinded_secret_key, self.blinded_pubkey) + return signatureWithESK(msg, self.blinded_secret_key, self.blinded_pubkey) """

1 0

[stem/master] Inner layer creation and encryption
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 41f8a42a9e8735513b72d9ba3f6a5c11acf02943 Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Nov 11 15:32:55 2019 -0800 Inner layer creation and encryption InnerLayer creation, encryption, and test. While _get_superencrypted_blob() provided a great demo, it was limited to just introduction points. Now we'll support anything the layer does. --- stem/descriptor/__init__.py | 2 +- stem/descriptor/hidden_service.py | 41 +++++++++++++++++++++++--- test/unit/descriptor/hidden_service_v3.py | 48 +++++++++++++++++++++++++++++++ 3 files changed, 86 insertions(+), 5 deletions(-) diff --git a/stem/descriptor/__init__.py b/stem/descriptor/__init__.py index 3a3d1838..862d5aca 100644 --- a/stem/descriptor/__init__.py +++ b/stem/descriptor/__init__.py @@ -975,7 +975,7 @@ class Descriptor(object): :returns: **bytes** for the descriptor's contents """ - return self._raw_contents + return stem.util.str_tools._to_bytes(self._raw_contents) def get_unrecognized_lines(self): """ diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 141f54b0..fcd29032 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -920,14 +920,14 @@ def _get_middle_descriptor_layer_body(encrypted): b'%s' % (fake_pub_key_bytes_b64, fake_clients, encrypted) -def _get_superencrypted_blob(intro_points, descriptor_signing_privkey, revision_counter, blinded_key, subcredential): +def _get_superencrypted_blob(intro_points, revision_counter, blinded_key, subcredential): """ Get the superencrypted blob (which also includes the encrypted blob) that should be attached to the descriptor """ - inner_descriptor_layer = stem.util.str_tools._to_bytes('create2-formats 2\n' + '\n'.join(map(IntroductionPointV3.encode, intro_points)) + '\n') - inner_ciphertext_b64 = b'encrypted\n' + _encrypt_layer(inner_descriptor_layer, b'hsdir-encrypted-data', revision_counter, subcredential, blinded_key) + inner_layer = InnerLayer.create(introduction_points = intro_points) + inner_ciphertext_b64 = b'encrypted\n' + inner_layer.encrypt(revision_counter, blinded_key, subcredential) middle_descriptor_layer = _get_middle_descriptor_layer_body(inner_ciphertext_b64) @@ -1042,7 +1042,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): # this descriptor object so that we don't have to carry them around # functions and instead we could use e.g. self.descriptor_signing_public_key # But because this is a @classmethod this is not possible :/ - superencrypted_blob = _get_superencrypted_blob(intro_points, signing_key, revision_counter_int, blinded_pubkey_bytes, subcredential) + superencrypted_blob = _get_superencrypted_blob(intro_points, revision_counter_int, blinded_pubkey_bytes, subcredential) desc_content = _descriptor_content(attr, exclude, ( ('hs-descriptor', '3'), @@ -1281,6 +1281,24 @@ class InnerLayer(Descriptor): plaintext = _decrypt_layer(outer_layer.encrypted, b'hsdir-encrypted-data', revision_counter, subcredential, blinded_key) return InnerLayer(plaintext, validate = True, outer_layer = outer_layer) + @classmethod + def content(cls, attr = None, exclude = (), sign = False, introduction_points = None): + if sign: + raise NotImplementedError('Signing of %s not implemented' % cls.__name__) + + if introduction_points: + suffix = '\n' + '\n'.join(map(IntroductionPointV3.encode, introduction_points)) + else: + suffix = '' + + return _descriptor_content(attr, exclude, ( + ('create2-formats', '2'), + )) + suffix + + @classmethod + def create(cls, attr = None, exclude = (), validate = True, sign = False, introduction_points = None): + return cls(cls.content(attr, exclude, sign, introduction_points), validate = validate) + def __init__(self, content, validate = False, outer_layer = None): super(InnerLayer, self).__init__(content, lazy_load = not validate) self.outer = outer_layer @@ -1304,6 +1322,21 @@ class InnerLayer(Descriptor): else: self._entries = entries + def encrypt(self, revision_counter, blinded_key, subcredential): + """ + Encrypts into the content contained within the OuterLayer. + + :param int revision_counter: descriptor revision number + :param bytes blinded_key: descriptor signing key + :param bytes subcredential: public key hash + + :returns: base64 encoded content of the outer layer's 'encrypted' field + """ + + if not stem.prereq.is_crypto_available(ed25519 = True): + raise ImportError('Hidden service descriptor encryption requires cryptography version 2.6') + + return _encrypt_layer(self.get_bytes(), b'hsdir-encrypted-data', revision_counter, subcredential, blinded_key) # TODO: drop this alias in stem 2.x diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index 163ea3db..f6173768 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -28,6 +28,12 @@ from test.unit.descriptor import ( ) try: + # added in python 2.7 + from collections import OrderedDict +except ImportError: + from stem.util.ordereddict import OrderedDict + +try: # added in python 3.3 from unittest.mock import patch, Mock except ImportError: @@ -284,6 +290,48 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): reparsed = IntroductionPointV3.parse(intro_point.encode()) self.assertEqual(intro_point, reparsed) + def test_inner_layer_creation(self): + """ + Internal layer creation. + """ + + # minimal layer + + self.assertEqual('create2-formats 2', InnerLayer.content()) + self.assertEqual([2], InnerLayer.create().formats) + + # specify their only mandatory parameter (formats) + + self.assertEqual('create2-formats 1 2 3', InnerLayer.content({'create2-formats': '1 2 3'})) + self.assertEqual([1, 2, 3], InnerLayer.create({'create2-formats': '1 2 3'}).formats) + + # include optional parameters + + desc = InnerLayer.create(OrderedDict(( + ('intro-auth-required', 'ed25519'), + ('single-onion-service', ''), + ))) + + self.assertEqual([2], desc.formats) + self.assertEqual(['ed25519'], desc.intro_auth) + self.assertEqual(True, desc.is_single_service) + self.assertEqual([], desc.introduction_points) + + # include introduction points + + desc = InnerLayer.create(introduction_points = [ + IntroductionPointV3.create('1.1.1.1', 9001), + IntroductionPointV3.create('2.2.2.2', 9001), + IntroductionPointV3.create('3.3.3.3', 9001), + ]) + + self.assertEqual(3, len(desc.introduction_points)) + self.assertEqual('1.1.1.1', desc.introduction_points[0].link_specifiers[0].address) + + self.assertTrue(InnerLayer.content(introduction_points = [ + IntroductionPointV3.create('1.1.1.1', 9001), + ]).startswith('create2-formats 2\nintroduction-point AQAGAQEBASMp')) + @test.require.ed25519_support def test_encode_decode_descriptor(self): """

1 0

[stem/master] Resume hidden service tests
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 13e166b54eb3b7c1c8d4e4960d08df6571f93f00 Author: Damian Johnson <atagar(a)torproject.org> Date: Sun Nov 17 14:46:38 2019 -0800 Resume hidden service tests Resuming our HSv3 tests, with blinding mocked out so we don't negatively impact runtime (without these mocks the unit tests jump from 6s => 51s). --- test/unit/descriptor/hidden_service_v3.py | 41 ++++++++++++++----------------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index 34108188..6a838c8a 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -80,14 +80,21 @@ with open(get_resource('hidden_service_v3_intro_point')) as intro_point_file: INTRO_POINT_STR = intro_point_file.read() -# TODO: Blinded key creation and signing are horribly slow. 1.5 seconds each, -# making each call to HiddenServiceDescriptorV3.create() take over three -# seconds. -# -# Obviously we need to address this, but for the moment skipping the slow tests -# don't slow branch development. +def disable_blinding(func): + """ + Blinded key creation and signing are horribly slow. 1.5 seconds each, + making each call to HiddenServiceDescriptorV3.create() take over three + seconds. -SKIP_SLOW_TESTS = True + As such disabling it in most tests. + """ + + def wrapped(*args, **kwargs): + with patch('stem.descriptor.hidden_service._blinded_pubkey', Mock(return_value = b'k' * 32)): + with patch('stem.descriptor.hidden_service._blinded_sign', Mock(return_value = b'a' * 64)): + return func(*args, **kwargs) + + return wrapped class TestHiddenServiceDescriptorV3(unittest.TestCase): @@ -171,15 +178,13 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): self.assertEqual(None, intro_point.legacy_key_raw) self.assertEqual(None, intro_point.legacy_key_cert) + @disable_blinding @test.require.ed25519_support def test_required_fields(self): """ Check that we require the mandatory fields. """ - if SKIP_SLOW_TESTS: - return - line_to_attr = { 'hs-descriptor': 'version', 'descriptor-lifetime': 'lifetime', @@ -193,15 +198,13 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): desc_text = HiddenServiceDescriptorV3.content(exclude = (line,)) expect_invalid_attr_for_text(self, desc_text, line_to_attr[line], None) + @disable_blinding @test.require.ed25519_support def test_invalid_version(self): """ Checks that our version field expects a numeric value. """ - if SKIP_SLOW_TESTS: - return - test_values = ( '', '-10', @@ -211,15 +214,13 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): for test_value in test_values: expect_invalid_attr(self, {'hs-descriptor': test_value}, 'version') + @disable_blinding @test.require.ed25519_support def test_invalid_lifetime(self): """ Checks that our lifetime field expects a numeric value. """ - if SKIP_SLOW_TESTS: - return - test_values = ( '', '-10', @@ -229,15 +230,13 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): for test_value in test_values: expect_invalid_attr(self, {'descriptor-lifetime': test_value}, 'lifetime') + @disable_blinding @test.require.ed25519_support def test_invalid_revision_counter(self): """ Checks that our revision counter field expects a numeric value. """ - if SKIP_SLOW_TESTS: - return - test_values = ( '', '-10', @@ -428,15 +427,13 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): self.assertEqual(1, len(inner_layer.introduction_points)) self.assertEqual('1.1.1.1', inner_layer.introduction_points[0].link_specifiers[0].address) + @disable_blinding @test.require.ed25519_support def test_descriptor_creation(self): """ HiddenServiceDescriptorV3 creation. """ - if SKIP_SLOW_TESTS: - return - # minimal descriptor self.assertTrue(HiddenServiceDescriptorV3.content().startswith('hs-descriptor 3\ndescriptor-lifetime 180\n'))

1 0

[stem/master] Disable key blinding by default
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 860afdb8f6edccdb31a9e4e13399b178645554b3 Author: Damian Johnson <atagar(a)torproject.org> Date: Sun Nov 17 15:11:39 2019 -0800 Disable key blinding by default On reflection, why not simply disable blinding by default? Blinding parameters are unnecessary for the vast majority of use cases, and when needed the caller can simply provide a nonce (and by extension accept the lengthy runtime). We can always re-enable blinding as a default if/when we have a performant implementation. --- stem/descriptor/hidden_service.py | 15 ++++++++++++--- test/unit/descriptor/hidden_service_v3.py | 22 ---------------------- 2 files changed, 12 insertions(+), 25 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 3af2fa0c..3ad2f031 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -920,6 +920,14 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): Construction through this method can supply any or none of these, with omitted parameters populated with randomized defaults. + **Ed25519 key blinding takes several seconds**, and as such is disabled if a + **blinding_nonce** is not provided. To blind with a random nonce simply + call... + + :: + + HiddenServiceDescriptorV3(blinding_nonce = os.urandom(32)) + :param dict attr: keyword/value mappings to be included in plaintext descriptor :param list exclude: mandatory keywords to exclude from the descriptor, this results in an invalid descriptor @@ -948,6 +956,8 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): raise ImportError('Hidden service descriptor creation requires cryptography version 2.6') elif not stem.prereq._is_sha3_available(): raise ImportError('Hidden service descriptor creation requires python 3.6+ or the pysha3 module (https://pypi.org/project/pysha3/)') + elif blinding_nonce and len(blinding_nonce) != 32: + raise ValueError('Blinding nonce must be 32 bytes, but was %i' % len(blinding_nonce)) from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey @@ -955,9 +965,8 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): identity_key = identity_key if identity_key else Ed25519PrivateKey.generate() signing_key = signing_key if signing_key else Ed25519PrivateKey.generate() revision_counter = revision_counter if revision_counter else int(time.time()) - blinding_nonce = blinding_nonce if blinding_nonce else os.urandom(32) - blinded_key = _blinded_pubkey(identity_key, blinding_nonce) + blinded_key = _blinded_pubkey(identity_key, blinding_nonce) if blinding_nonce else b'a' * 32 subcredential = HiddenServiceDescriptorV3._subcredential(identity_key, blinded_key) custom_sig = attr.pop('signature') if (attr and 'signature' in attr) else None @@ -974,7 +983,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_key)] signing_cert = Ed25519CertificateV1(cert_type = CertType.HS_V3_DESC_SIGNING, key = signing_key, extensions = extensions) - signing_cert.signature = _blinded_sign(signing_cert.pack(), identity_key, blinded_key, blinding_nonce) + signing_cert.signature = _blinded_sign(signing_cert.pack(), identity_key, blinded_key, blinding_nonce) if blinding_nonce else b'b' * 64 desc_content = _descriptor_content(attr, exclude, ( ('hs-descriptor', '3'), diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index 6a838c8a..4549db2b 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -80,23 +80,6 @@ with open(get_resource('hidden_service_v3_intro_point')) as intro_point_file: INTRO_POINT_STR = intro_point_file.read() -def disable_blinding(func): - """ - Blinded key creation and signing are horribly slow. 1.5 seconds each, - making each call to HiddenServiceDescriptorV3.create() take over three - seconds. - - As such disabling it in most tests. - """ - - def wrapped(*args, **kwargs): - with patch('stem.descriptor.hidden_service._blinded_pubkey', Mock(return_value = b'k' * 32)): - with patch('stem.descriptor.hidden_service._blinded_sign', Mock(return_value = b'a' * 64)): - return func(*args, **kwargs) - - return wrapped - - class TestHiddenServiceDescriptorV3(unittest.TestCase): def test_real_descriptor(self): """ @@ -178,7 +161,6 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): self.assertEqual(None, intro_point.legacy_key_raw) self.assertEqual(None, intro_point.legacy_key_cert) - @disable_blinding @test.require.ed25519_support def test_required_fields(self): """ @@ -198,7 +180,6 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): desc_text = HiddenServiceDescriptorV3.content(exclude = (line,)) expect_invalid_attr_for_text(self, desc_text, line_to_attr[line], None) - @disable_blinding @test.require.ed25519_support def test_invalid_version(self): """ @@ -214,7 +195,6 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): for test_value in test_values: expect_invalid_attr(self, {'hs-descriptor': test_value}, 'version') - @disable_blinding @test.require.ed25519_support def test_invalid_lifetime(self): """ @@ -230,7 +210,6 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): for test_value in test_values: expect_invalid_attr(self, {'descriptor-lifetime': test_value}, 'lifetime') - @disable_blinding @test.require.ed25519_support def test_invalid_revision_counter(self): """ @@ -427,7 +406,6 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): self.assertEqual(1, len(inner_layer.introduction_points)) self.assertEqual('1.1.1.1', inner_layer.introduction_points[0].link_specifiers[0].address) - @disable_blinding @test.require.ed25519_support def test_descriptor_creation(self): """

1 0

[stem/master] HSv3 descriptor creation support
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 91973b00077f9aba0d3064355838c8f8ace6e206 Merge: eff0664c 860afdb8 Author: Damian Johnson <atagar(a)torproject.org> Date: Sun Nov 17 15:32:40 2019 -0800 HSv3 descriptor creation support Cryptographically valid support for hidden service creation... https://trac.torproject.org/projects/tor/ticket/31823 HSv3 descriptors consist of three parts: an inner layer, outer layer, and the descriptor itself. Callers of HiddenServiceDescriptorV3's create() and content() methods can supply these to specify that layer's parameters. For example, to supply custom introduction points with random key material simply call... HiddenServiceDescriptorV3.content( inner_layer = InnerLayer.create( introduction_points = [ IntroductionPointV3.create('1.1.1.1', 9001), IntroductionPointV3.create('2.2.2.2', 9001), IntroductionPointV3.create('3.3.3.3', 9001), ], ), ) stem/client/datatype.py | 146 +++-- stem/descriptor/__init__.py | 4 +- stem/descriptor/certificate.py | 358 ++++++++---- stem/descriptor/hidden_service.py | 638 +++++++++++++++++---- stem/descriptor/router_status_entry.py | 7 +- stem/descriptor/server_descriptor.py | 4 +- stem/prereq.py | 37 +- stem/util/__init__.py | 31 + stem/util/slow_ed25519.py | 158 +++++ stem/util/str_tools.py | 12 + test/require.py | 3 +- test/settings.cfg | 2 + test/unit/client/cell.py | 6 +- test/unit/client/certificate.py | 2 +- test/unit/client/link_specifier.py | 22 +- test/unit/descriptor/certificate.py | 70 ++- .../descriptor/data/hidden_service_v3_intro_point | 28 + test/unit/descriptor/hidden_service_v3.py | 302 +++++++++- test/unit/descriptor/server_descriptor.py | 5 +- 19 files changed, 1484 insertions(+), 351 deletions(-)

1 0

[stem/master] HSv3 descriptor creation test
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit eca1fe8073c1f43e3f9eab114bcc192f6ca0deac Author: Damian Johnson <atagar(a)torproject.org> Date: Fri Nov 15 13:22:45 2019 -0800 HSv3 descriptor creation test Now that we've revised HiddenServiceDescriptorV3.content() we can test it in a similar fashion to inner/outer layers. This provides the same coverage as test_encode_decode_descriptor() so that test is now redundant. Fixing a few bugs this spotted along the way and renaming the 'public_key_from_address' functions to specify that they take identity keys instead (we have so many key types I lost track of what these truly did when I originally tacked 'em on). --- stem/descriptor/hidden_service.py | 28 ++++++---- test/unit/descriptor/hidden_service_v3.py | 88 ++++++++++++++----------------- 2 files changed, 57 insertions(+), 59 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index dd4ab934..cdb8d645 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -957,6 +957,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): blinded_key = stem.descriptor.hsv3_crypto.HSv3PrivateBlindedKey(identity_key, blinding_param = blinding_param) subcredential = HiddenServiceDescriptorV3._subcredential(identity_key, blinded_key.blinded_pubkey) + custom_sig = attr.pop('signature') if (attr and 'signature' in attr) else None if not outer_layer: outer_layer = OuterLayer.create( @@ -983,7 +984,9 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): ('superencrypted', b'\n' + outer_layer._encrypt(revision_counter, subcredential, blinded_key.blinded_pubkey)), ), ()) + b'\n' - if 'signature' not in exclude: + if custom_sig: + desc_content += b'signature %s' % custom_sig + elif 'signature' not in exclude: sig_content = stem.descriptor.certificate.SIG_PREFIX_HS_V3 + desc_content desc_content += b'signature %s' % base64.b64encode(signing_key.sign(sig_content)).rstrip(b'=') @@ -991,7 +994,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): @classmethod def create(cls, attr = None, exclude = (), validate = True, sign = False, inner_layer = None, outer_layer = None, identity_key = None, signing_key = None, signing_cert = None, revision_counter = None, blinding_param = None): - return cls(cls.content(attr, exclude, sign, inner_layer, outer_layer, identity_key, signing_key, signing_cert, revision_counter, blinding_param), validate = validate, skip_crypto_validation = not sign) + return cls(cls.content(attr, exclude, sign, inner_layer, outer_layer, identity_key, signing_key, signing_cert, revision_counter, blinding_param), validate = validate) def __init__(self, raw_contents, validate = False): super(HiddenServiceDescriptorV3, self).__init__(raw_contents, lazy_load = not validate) @@ -1045,7 +1048,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): if not blinded_key: raise ValueError('No signing key is present') - identity_public_key = HiddenServiceDescriptorV3.public_key_from_address(onion_address) + identity_public_key = HiddenServiceDescriptorV3.identity_key_from_address(onion_address) subcredential = HiddenServiceDescriptorV3._subcredential(identity_public_key, blinded_key) outer_layer = OuterLayer._decrypt(self.superencrypted, self.revision_counter, subcredential, blinded_key) @@ -1054,11 +1057,12 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): return self._inner_layer @staticmethod - def address_from_public_key(pubkey, suffix = True): + def address_from_identity_key(key, suffix = True): """ - Converts a hidden service public key into its address. + Converts a hidden service identity key into its address. This accepts all + key formats (private, public, or public bytes). - :param bytes pubkey: hidden service public key + :param Ed25519PublicKey,Ed25519PrivateKey,bytes key: hidden service identity key :param bool suffix: includes the '.onion' suffix if true, excluded otherwise :returns: **unicode** hidden service address @@ -1069,20 +1073,22 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): if not stem.prereq._is_sha3_available(): raise ImportError('Hidden service address conversion requires python 3.6+ or the pysha3 module (https://pypi.org/project/pysha3/)') + key = stem.util._pubkey_bytes(key) # normalize key into bytes + version = stem.client.datatype.Size.CHAR.pack(3) - checksum = hashlib.sha3_256(CHECKSUM_CONSTANT + pubkey + version).digest()[:2] - onion_address = base64.b32encode(pubkey + checksum + version) + checksum = hashlib.sha3_256(CHECKSUM_CONSTANT + key + version).digest()[:2] + onion_address = base64.b32encode(key + checksum + version) return stem.util.str_tools._to_unicode(onion_address + b'.onion' if suffix else onion_address).lower() @staticmethod - def public_key_from_address(onion_address): + def identity_key_from_address(onion_address): """ - Converts a hidden service address into its public key. + Converts a hidden service address into its public identity key. :param str onion_address: hidden service address - :returns: **bytes** for the hidden service's public key + :returns: **bytes** for the hidden service's public identity key :raises: * **ImportError** if sha3 unsupported diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index 5bfd5cc4..34108188 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -3,7 +3,6 @@ Unit tests for stem.descriptor.hidden_service for version 3. """ import base64 -import datetime import functools import unittest @@ -249,14 +248,14 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): expect_invalid_attr(self, {'revision-counter': test_value}, 'revision_counter') @require_sha3 - def test_address_from_public_key(self): - self.assertEqual(HS_ADDRESS, HiddenServiceDescriptorV3.address_from_public_key(HS_PUBKEY)) + def test_address_from_identity_key(self): + self.assertEqual(HS_ADDRESS, HiddenServiceDescriptorV3.address_from_identity_key(HS_PUBKEY)) @require_sha3 - def test_public_key_from_address(self): - self.assertEqual(HS_PUBKEY, HiddenServiceDescriptorV3.public_key_from_address(HS_ADDRESS)) - self.assertRaisesWith(ValueError, "'boom.onion' isn't a valid hidden service v3 address", HiddenServiceDescriptorV3.public_key_from_address, 'boom') - self.assertRaisesWith(ValueError, 'Bad checksum (expected def7 but was 842e)', HiddenServiceDescriptorV3.public_key_from_address, '5' * 56) + def test_identity_key_from_address(self): + self.assertEqual(HS_PUBKEY, HiddenServiceDescriptorV3.identity_key_from_address(HS_ADDRESS)) + self.assertRaisesWith(ValueError, "'boom.onion' isn't a valid hidden service v3 address", HiddenServiceDescriptorV3.identity_key_from_address, 'boom') + self.assertRaisesWith(ValueError, 'Bad checksum (expected def7 but was 842e)', HiddenServiceDescriptorV3.identity_key_from_address, '5' * 56) def test_intro_point_parse(self): """ @@ -430,60 +429,53 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): self.assertEqual('1.1.1.1', inner_layer.introduction_points[0].link_specifiers[0].address) @test.require.ed25519_support - def test_encode_decode_descriptor(self): + def test_descriptor_creation(self): """ - Encode an HSv3 descriptor and then decode it and make sure you get the intended results. - - This test is from the point of view of the onionbalance, so the object that - this test generates is the data that onionbalance also has available when - making onion service descriptors. + HiddenServiceDescriptorV3 creation. """ if SKIP_SLOW_TESTS: return - from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey - from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey - - onion_key = X25519PrivateKey.generate() - enc_key = X25519PrivateKey.generate() - auth_key = Ed25519PrivateKey.generate() - signing_key = Ed25519PrivateKey.generate() + # minimal descriptor - expiration = datetime.datetime.utcnow() + datetime.timedelta(hours = 54) + self.assertTrue(HiddenServiceDescriptorV3.content().startswith('hs-descriptor 3\ndescriptor-lifetime 180\n')) + self.assertEqual(180, HiddenServiceDescriptorV3.create().lifetime) - # Build the service - private_identity_key = Ed25519PrivateKey.from_private_bytes(b'a' * 32) - public_identity_key = private_identity_key.public_key() + # specify the parameters - onion_address = HiddenServiceDescriptorV3.address_from_public_key(stem.util._pubkey_bytes(public_identity_key)) + desc = HiddenServiceDescriptorV3.create({ + 'hs-descriptor': '4', + 'descriptor-lifetime': '123', + 'descriptor-signing-key-cert': '\n-----BEGIN ED25519 CERT-----\nmalformed block\n-----END ED25519 CERT-----', + 'revision-counter': '5', + 'superencrypted': '\n-----BEGIN MESSAGE-----\nmalformed block\n-----END MESSAGE-----', + 'signature': 'abcde', + }, validate = False) + + self.assertEqual(4, desc.version) + self.assertEqual(123, desc.lifetime) + self.assertEqual(None, desc.signing_cert) # malformed cert dropped because validation is disabled + self.assertEqual(5, desc.revision_counter) + self.assertEqual('-----BEGIN MESSAGE-----\nmalformed block\n-----END MESSAGE-----', desc.superencrypted) + self.assertEqual('abcde', desc.signature) - intro_points = [ - IntroductionPointV3.create('1.1.1.1', 9001, expiration, onion_key, enc_key, auth_key, signing_key), - IntroductionPointV3.create('2.2.2.2', 9001, expiration, onion_key, enc_key, auth_key, signing_key), - IntroductionPointV3.create('3.3.3.3', 9001, expiration, onion_key, enc_key, auth_key, signing_key), - ] + # include introduction points - # TODO: replace with bytes.fromhex() when we drop python 2.x support + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey - blind_param = bytearray.fromhex('677776AE42464CAAB0DF0BF1E68A5FB651A390A6A8243CF4B60EE73A6AC2E4E3') + identity_key = Ed25519PrivateKey.generate() + onion_address = HiddenServiceDescriptorV3.address_from_identity_key(identity_key) - # Build the descriptor - desc_string = HiddenServiceDescriptorV3.content(identity_key = private_identity_key, inner_layer = InnerLayer.create(introduction_points = intro_points), blinding_param = blind_param) + desc = HiddenServiceDescriptorV3.create( + identity_key = identity_key, + inner_layer = InnerLayer.create(introduction_points = [ + IntroductionPointV3.create('1.1.1.1', 9001), + IntroductionPointV3.create('2.2.2.2', 9001), + IntroductionPointV3.create('3.3.3.3', 9001), + ]), + ) - # Parse the descriptor - desc = HiddenServiceDescriptorV3.from_str(desc_string) inner_layer = desc.decrypt(onion_address) - self.assertEqual(3, len(inner_layer.introduction_points)) - - for i, intro_point in enumerate(inner_layer.introduction_points): - original = intro_points[i] - - self.assertEqual(original.enc_key_raw, intro_point.enc_key_raw) - self.assertEqual(original.onion_key_raw, intro_point.onion_key_raw) - self.assertEqual(original.auth_key_cert.key, intro_point.auth_key_cert.key) - - self.assertEqual(intro_point.enc_key_raw, base64.b64encode(stem.util._pubkey_bytes(intro_point.enc_key()))) - self.assertEqual(intro_point.onion_key_raw, base64.b64encode(stem.util._pubkey_bytes(intro_point.onion_key()))) - self.assertEqual(intro_point.auth_key_cert.key, stem.util._pubkey_bytes(intro_point.auth_key())) + self.assertEqual('1.1.1.1', inner_layer.introduction_points[0].link_specifiers[0].address)

1 0

[stem/master] Simplify HSv3 blinding
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 838f6209babae74279dec100df13c3f594425a8f Author: Damian Johnson <atagar(a)torproject.org> Date: Sun Nov 17 14:24:51 2019 -0800 Simplify HSv3 blinding I won't pretend to understand this math. A smarter mind than mine (asn's) came up with this crypto. Just massaging it into a form I find easier to understand. --- stem/descriptor/certificate.py | 6 +-- stem/descriptor/hidden_service.py | 73 ++++++++++++++++++++++++------- stem/descriptor/hsv3_crypto.py | 66 ---------------------------- stem/{descriptor => util}/slow_ed25519.py | 8 ++-- test/settings.cfg | 2 + 5 files changed, 64 insertions(+), 91 deletions(-) diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index 74a4e08c..fe94b52d 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -291,15 +291,13 @@ class Ed25519CertificateV1(Ed25519Certificate): :var bytes signature: certificate signature :param bytes signature: pre-calculated certificate signature - :param cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey: certificate signing key + :param cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey signing_key: certificate signing key """ def __init__(self, cert_type = None, expiration = None, key_type = None, key = None, extensions = None, signature = None, signing_key = None): super(Ed25519CertificateV1, self).__init__(1) - if not signature and not signing_key: - raise ValueError('Certificate signature or signing key is required') - elif cert_type is None: + if cert_type is None: raise ValueError('Certificate type is required') elif key is None: raise ValueError('Certificate key is required') diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index cdb8d645..3af2fa0c 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -21,6 +21,8 @@ These are only available through the Controller's BaseHiddenServiceDescriptor - Common parent for hidden service descriptors |- HiddenServiceDescriptorV2 - Version 2 hidden service descriptor +- HiddenServiceDescriptorV3 - Version 3 hidden service descriptor + |- address_from_identity_key - convert an identity key to address + |- identity_key_from_address - convert an address to identity key +- decrypt - decrypt and parse encrypted layers OuterLayer - First encrypted layer of a hidden service v3 descriptor @@ -41,7 +43,6 @@ import time import stem.client.datatype import stem.descriptor.certificate -import stem.descriptor.hsv3_crypto import stem.prereq import stem.util import stem.util.connection @@ -50,6 +51,7 @@ import stem.util.tor_tools from stem.client.datatype import CertType from stem.descriptor.certificate import ExtensionType, Ed25519Extension, Ed25519Certificate, Ed25519CertificateV1 +from stem.util import slow_ed25519 from stem.descriptor import ( PGP_BLOCK_END, @@ -903,7 +905,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): } @classmethod - def content(cls, attr = None, exclude = (), sign = False, inner_layer = None, outer_layer = None, identity_key = None, signing_key = None, signing_cert = None, revision_counter = None, blinding_param = None): + def content(cls, attr = None, exclude = (), sign = False, inner_layer = None, outer_layer = None, identity_key = None, signing_key = None, signing_cert = None, revision_counter = None, blinding_nonce = None): """ Hidden service v3 descriptors consist of three parts: @@ -933,7 +935,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): :param stem.descriptor.Ed25519CertificateV1 signing_cert: certificate signing this descriptor :param int revision_counter: descriptor revision number - :param bytes blinding_param: 32 byte blinding factor to derive the blinding key + :param bytes blinding_nonce: 32 byte blinding factor to derive the blinding key :returns: **str** with the content of a descriptor @@ -953,10 +955,10 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): identity_key = identity_key if identity_key else Ed25519PrivateKey.generate() signing_key = signing_key if signing_key else Ed25519PrivateKey.generate() revision_counter = revision_counter if revision_counter else int(time.time()) - blinding_param = blinding_param if blinding_param else os.urandom(32) + blinding_nonce = blinding_nonce if blinding_nonce else os.urandom(32) - blinded_key = stem.descriptor.hsv3_crypto.HSv3PrivateBlindedKey(identity_key, blinding_param = blinding_param) - subcredential = HiddenServiceDescriptorV3._subcredential(identity_key, blinded_key.blinded_pubkey) + blinded_key = _blinded_pubkey(identity_key, blinding_nonce) + subcredential = HiddenServiceDescriptorV3._subcredential(identity_key, blinded_key) custom_sig = attr.pop('signature') if (attr and 'signature' in attr) else None if not outer_layer: @@ -965,23 +967,21 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): inner_layer = inner_layer, revision_counter = revision_counter, subcredential = subcredential, - blinded_key = blinded_key.blinded_pubkey, + blinded_key = blinded_key, ) if not signing_cert: - signing_cert = Ed25519CertificateV1( - cert_type = CertType.HS_V3_DESC_SIGNING, - key = signing_key, - extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_key.blinded_pubkey)], - signing_key = blinded_key, - ) + extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_key)] + + signing_cert = Ed25519CertificateV1(cert_type = CertType.HS_V3_DESC_SIGNING, key = signing_key, extensions = extensions) + signing_cert.signature = _blinded_sign(signing_cert.pack(), identity_key, blinded_key, blinding_nonce) desc_content = _descriptor_content(attr, exclude, ( ('hs-descriptor', '3'), ('descriptor-lifetime', '180'), ('descriptor-signing-key-cert', '\n' + signing_cert.to_base64(pem = True)), ('revision-counter', str(revision_counter)), - ('superencrypted', b'\n' + outer_layer._encrypt(revision_counter, subcredential, blinded_key.blinded_pubkey)), + ('superencrypted', b'\n' + outer_layer._encrypt(revision_counter, subcredential, blinded_key)), ), ()) + b'\n' if custom_sig: @@ -993,8 +993,8 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): return desc_content @classmethod - def create(cls, attr = None, exclude = (), validate = True, sign = False, inner_layer = None, outer_layer = None, identity_key = None, signing_key = None, signing_cert = None, revision_counter = None, blinding_param = None): - return cls(cls.content(attr, exclude, sign, inner_layer, outer_layer, identity_key, signing_key, signing_cert, revision_counter, blinding_param), validate = validate) + def create(cls, attr = None, exclude = (), validate = True, sign = False, inner_layer = None, outer_layer = None, identity_key = None, signing_key = None, signing_cert = None, revision_counter = None, blinding_nonce = None): + return cls(cls.content(attr, exclude, sign, inner_layer, outer_layer, identity_key, signing_key, signing_cert, revision_counter, blinding_nonce), validate = validate) def __init__(self, raw_contents, validate = False): super(HiddenServiceDescriptorV3, self).__init__(raw_contents, lazy_load = not validate) @@ -1294,6 +1294,47 @@ class InnerLayer(Descriptor): self._entries = entries +def _blinded_pubkey(identity_key, blinding_nonce): + mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(blinding_nonce, i) for i in range(3, slow_ed25519.b - 2)) + P = slow_ed25519.decodepoint(stem.util._pubkey_bytes(identity_key)) + return slow_ed25519.encodepoint(slow_ed25519.scalarmult(P, mult)) + + +def _blinded_sign(msg, identity_key, blinded_key, blinding_nonce): + from cryptography.hazmat.primitives import serialization + + identity_key_bytes = identity_key.private_bytes( + encoding = serialization.Encoding.Raw, + format = serialization.PrivateFormat.Raw, + encryption_algorithm = serialization.NoEncryption(), + ) + + # pad private identity key into an ESK (encrypted secret key) + + h = slow_ed25519.H(identity_key_bytes) + a = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(h, i) for i in range(3, slow_ed25519.b - 2)) + k = b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) + esk = slow_ed25519.encodeint(a) + k + + # blind the ESK with this nonce + + mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(blinding_nonce, i) for i in range(3, slow_ed25519.b - 2)) + s = slow_ed25519.decodeint(esk[:32]) + s_prime = (s * mult) % slow_ed25519.l + k = esk[32:] + k_prime = slow_ed25519.H(b'Derive temporary signing key hash input' + k)[:32] + blinded_esk = slow_ed25519.encodeint(s_prime) + k_prime + + # finally, sign the message + + a = slow_ed25519.decodeint(blinded_esk[:32]) + r = slow_ed25519.Hint(b''.join([blinded_esk[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) + msg) + R = slow_ed25519.scalarmult(slow_ed25519.B, r) + S = (r + slow_ed25519.Hint(slow_ed25519.encodepoint(R) + blinded_key + msg) * a) % slow_ed25519.l + + return slow_ed25519.encodepoint(R) + slow_ed25519.encodeint(S) + + # TODO: drop this alias in stem 2.x HiddenServiceDescriptor = HiddenServiceDescriptorV2 diff --git a/stem/descriptor/hsv3_crypto.py b/stem/descriptor/hsv3_crypto.py deleted file mode 100644 index 0186ba90..00000000 --- a/stem/descriptor/hsv3_crypto.py +++ /dev/null @@ -1,66 +0,0 @@ -from stem.descriptor import slow_ed25519 - - -""" -HSv3 Key blinding - -Expose classes for HSv3 blinded keys which can mimic the hazmat ed25519 -public/private key classes, so that we can use them interchangeably in the -certificate module. - -- HSv3PublicBlindedKey: represents the public blinded ed25519 key of an onion - service and should expose a public_bytes() method and a verify() method. - -- HSv3PrivateBlindedKey: represents the private part of a blinded ed25519 key - of an onion service and should expose a public_key() method and a sign() method. -""" - - -def blindESK(esk, param): - mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(param, i) for i in range(3, slow_ed25519.b - 2)) - s = slow_ed25519.decodeint(esk[:32]) - s_prime = (s * mult) % slow_ed25519.l - k = esk[32:] - assert(len(k) == 32) - k_prime = slow_ed25519.H(b'Derive temporary signing key hash input' + k)[:32] - return slow_ed25519.encodeint(s_prime) + k_prime - - -def blindPK(pk, param): - mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(param, i) for i in range(3, slow_ed25519.b - 2)) - P = slow_ed25519.decodepoint(pk) - return slow_ed25519.encodepoint(slow_ed25519.scalarmult(P, mult)) - - -def expandSK(sk): - h = slow_ed25519.H(sk) - a = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(h, i) for i in range(3, slow_ed25519.b - 2)) - k = b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) - assert len(k) == 32 - return slow_ed25519.encodeint(a) + k - - -def signatureWithESK(m, h, pk): - a = slow_ed25519.decodeint(h[:32]) - r = slow_ed25519.Hint(b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) + m) - R = slow_ed25519.scalarmult(slow_ed25519.B, r) - S = (r + slow_ed25519.Hint(slow_ed25519.encodepoint(R) + pk + m) * a) % slow_ed25519.l - - return slow_ed25519.encodepoint(R) + slow_ed25519.encodeint(S) - - -class HSv3PrivateBlindedKey(object): - def __init__(self, hazmat_private_key, blinding_param): - from cryptography.hazmat.primitives import serialization - - secret_seed = hazmat_private_key.private_bytes(encoding = serialization.Encoding.Raw, format = serialization.PrivateFormat.Raw, encryption_algorithm = serialization.NoEncryption()) - assert(len(secret_seed) == 32) - - expanded_identity_priv_key = expandSK(secret_seed) - identity_public_key = slow_ed25519.publickey(secret_seed) - - self.blinded_secret_key = blindESK(expanded_identity_priv_key, blinding_param) - self.blinded_pubkey = blindPK(identity_public_key, blinding_param) - - def sign(self, msg): - return signatureWithESK(msg, self.blinded_secret_key, self.blinded_pubkey) diff --git a/stem/descriptor/slow_ed25519.py b/stem/util/slow_ed25519.py similarity index 94% rename from stem/descriptor/slow_ed25519.py rename to stem/util/slow_ed25519.py index ffca5b02..fb617464 100644 --- a/stem/descriptor/slow_ed25519.py +++ b/stem/util/slow_ed25519.py @@ -1,12 +1,10 @@ -# This is the ed25519 implementation from -# http://ed25519.cr.yp.to/python/ed25519.py . -# It is in the public domain. +# Public domain ed25519 implementation from... +# +# http://ed25519.cr.yp.to/python/ed25519.py # # It isn't constant-time. Don't use it except for testing. Also, see # warnings about how very slow it is. Only use this for generating # test vectors, I'd suggest. -# -# Don't edit this file. Mess with ed25519_ref.py import hashlib diff --git a/test/settings.cfg b/test/settings.cfg index 8fe79d2a..5443df41 100644 --- a/test/settings.cfg +++ b/test/settings.cfg @@ -177,6 +177,8 @@ pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.m pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.networkstatus pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.server_descriptor pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.tordnsel +pycodestyle.ignore stem/util/slow_ed25519.py => E741: l = 2 ** 252 + 27742317777372353535851937790883648493 +pycodestyle.ignore stem/util/slow_ed25519.py => E741: I = expmod(2, (q - 1) // 4, q) pycodestyle.ignore test/unit/util/connection.py => W291: _tor tor 15843 10 pipe 0x0 state: pycodestyle.ignore test/unit/util/connection.py => W291: _tor tor 15843 11 pipe 0x0 state:

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits November 2019