[tor-bugs] #31823 [Core Tor/Stem]: HSv3 descriptor support in stem [encoding]
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 20 20:45:12 UTC 2019
#31823: HSv3 descriptor support in stem [encoding]
-------------------------------------------------+-------------------------
Reporter: asn | Owner: atagar
Type: defect | Status:
| needs_revision
Priority: Medium | Milestone: Tor:
| unspecified
Component: Core Tor/Stem | Version:
Severity: Normal | Resolution:
Keywords: tor-hs scaling onionbalance | Actual Points: 2
network-team-roadmap-september tor-spec |
Parent ID: #26768 | Points: 5
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by atagar):
> Hm. I understand that _descriptor_content() arguments are default
values, but what defines a good default value here?
Hi George. Yup, I'm delighted to improve our defaults and this is probably
simply a matter of us misunderstanding each other's code. Here's what you
had...
{{{
def _get_fake_clients_bytes():
"""
Generate fake client authorization data for the middle layer
"""
final_bytes = b''
num_fake_clients = 16 # default for when client auth is disabled
for _ in range(num_fake_clients):
client_id = base64.b64encode(os.urandom(8)).rstrip(b'=')
client_iv = base64.b64encode(os.urandom(16)).rstrip(b'=')
descriptor_cookie = base64.b64encode(os.urandom(16)).rstrip(b'=')
final_bytes += b'%s %s %s %s\n' % (b'auth-client', client_id,
client_iv, descriptor_cookie)
return final_bytes
def _get_middle_descriptor_layer_body(encrypted):
"""
Get the middle descriptor layer as bytes
(It's just fake client auth data since client auth is disabled)
"""
from cryptography.hazmat.primitives.asymmetric.x25519 import
X25519PrivateKey
from cryptography.hazmat.primitives import serialization
fake_pub_key = X25519PrivateKey.generate().public_key()
fake_pub_key_bytes = fake_pub_key.public_bytes(encoding =
serialization.Encoding.Raw, format = serialization.PublicFormat.Raw)
fake_pub_key_bytes_b64 = base64.b64encode(fake_pub_key_bytes)
fake_clients = _get_fake_clients_bytes()
return b'desc-auth-type x25519\n' \
b'desc-auth-ephemeral-key %s\n' \
b'%s' \
b'%s' % (fake_pub_key_bytes_b64, fake_clients, encrypted)
}}}
This didn't explain why values were fabricated this way so I figured it
was simply overly complicated and inflexible (callers should have a
mechanism to override all descriptor values).
Since you're calling out **desc-auth-ephemeral-key** in particular here's
your version of just that...
{{{
fake_pub_key = X25519PrivateKey.generate().public_key()
fake_pub_key_bytes = fake_pub_key.public_bytes(encoding =
serialization.Encoding.Raw, format = serialization.PublicFormat.Raw)
b'desc-auth-ephemeral-key %s' % base64.b64encode(fake_pub_key_bytes)
}}}
As such, to do the same as your code I could simply change...
{{{
return _descriptor_content(attr, exclude, (
('desc-auth-type', 'x25519'),
('desc-auth-ephemeral-key', base64.b64encode(os.urandom(32))),
), (
('encrypted', b'\n' + inner_layer._encrypt(revision_counter,
subcredential, blinded_key)),
))
}}}
... to...
{{{
return _descriptor_content(attr, exclude, (
('desc-auth-type', 'x25519'),
('desc-auth-ephemeral-key',
base64.b64encode(stem.util._pubkey_bytes(X25519PrivateKey.generate()))),
), (
('encrypted', b'\n' + inner_layer._encrypt(revision_counter,
subcredential, blinded_key)),
))
}}}
Is that what you would like? The base64 encoding of a random key? If so
that's a very simple tweak to make. Or are you requesting something else?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31823#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list