[tor-commits] [stem/master] Move some stuff back to hsv3_crypto.

atagar at torproject.org atagar at torproject.org
Sun Nov 17 23:40:39 UTC 2019 

commit 9ffca2043c66544c0d54885ae3d19b10dcc652f1
Author: George Kadianakis <desnacked at riseup.net>
Date:   Thu Oct 10 20:56:17 2019 +0300

    Move some stuff back to hsv3_crypto.
    
    These functions are gonna be used both by the decoding code and the encoding
    code.
    
    We are now starting to write an encode-to-decode unittest and when debuggin the
    descriptor encryption it's very useful to have the encryption-related code
    centralized in one function.
---
 stem/descriptor/hidden_service.py | 31 +++++--------
 stem/descriptor/hsv3_crypto.py    | 98 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 110 insertions(+), 19 deletions(-)

diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py
index 4a75bc88..305dfaf7 100644
--- a/stem/descriptor/hidden_service.py
+++ b/stem/descriptor/hidden_service.py
@@ -42,7 +42,9 @@ import stem.util.connection
 import stem.util.str_tools
 import stem.util.tor_tools
 
-from stem.descriptor.certificate import Ed25519Certificate
+import stem.descriptor.hsv3_crypto as hsv3_crypto
+
+from stem.descriptor.certificate import Ed25519Certificate, CertType
 
 from stem.descriptor import (
   PGP_BLOCK_END,
@@ -263,7 +265,7 @@ class IntroductionPointV3(object):
     return body
 
 class AuthorizedClient(collections.namedtuple('AuthorizedClient', ['id', 'iv', 'cookie'])):
-    """
+  """
   Client authorized to use a v3 hidden service.
 
   .. versionadded:: 1.8.0
@@ -318,9 +320,6 @@ def _decrypt_layer(encrypted_block, constant, revision_counter, subcredential, b
   from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
   from cryptography.hazmat.backends import default_backend
 
-  def pack(val):
-    return struct.pack('>Q', val)
-
   if encrypted_block.startswith('-----BEGIN MESSAGE-----\n') and encrypted_block.endswith('\n-----END MESSAGE-----'):
     encrypted_block = encrypted_block[24:-22]
 
@@ -336,14 +335,10 @@ def _decrypt_layer(encrypted_block, constant, revision_counter, subcredential, b
   ciphertext = encrypted[SALT_LEN:-MAC_LEN]
   expected_mac = encrypted[-MAC_LEN:]
 
-  kdf = hashlib.shake_256(blinded_key + subcredential + pack(revision_counter) + salt + constant)
-  keys = kdf.digest(S_KEY_LEN + S_IV_LEN + MAC_LEN)
+  secret_key, secret_iv, mac_key = hsv3_crypto.get_desc_keys(blinded_key, constant,
+                                                             subcredential, revision_counter, salt, )
 
-  secret_key = keys[:S_KEY_LEN]
-  secret_iv = keys[S_KEY_LEN:S_KEY_LEN + S_IV_LEN]
-  mac_key = keys[S_KEY_LEN + S_IV_LEN:]
-
-  mac = hashlib.sha3_256(pack(len(mac_key)) + mac_key + pack(len(salt)) + salt + ciphertext).digest()
+  mac = hsv3_crypto.get_desc_encryption_mac(mac_key, salt, ciphertext)
 
   if mac != expected_mac:
     raise ValueError('Malformed mac (expected %s, but was %s)' % (expected_mac, mac))
@@ -844,6 +839,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):
     super(HiddenServiceDescriptorV3, self).__init__(raw_contents, lazy_load = not validate)
 
     self._inner_layer = None
+    self._outer_layer = None
     entries = _descriptor_components(raw_contents, validate)
 
     if validate:
@@ -889,15 +885,12 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):
       if not blinded_key:
         raise ValueError('No signing key is present')
 
-      # credential = H('credential' | public-identity-key)
-      # subcredential = H('subcredential' | credential | blinded-public-key)
-
       identity_public_key = HiddenServiceDescriptorV3._public_key_from_address(onion_address)
-      credential = hashlib.sha3_256(b'credential%s' % (identity_public_key)).digest()
-      subcredential = hashlib.sha3_256(b'subcredential%s%s' % (credential, blinded_key)).digest()
 
-      outer_layer = OuterLayer._decrypt(self.superencrypted, self.revision_counter, subcredential, blinded_key)
-      self._inner_layer = InnerLayer._decrypt(outer_layer, self.revision_counter, subcredential, blinded_key)
+      subcredential = hsv3_crypto.get_subcredential(identity_public_key, blinded_key)
+
+      self._outer_layer = OuterLayer._decrypt(self.superencrypted, self.revision_counter, subcredential, blinded_key)
+      self._inner_layer = InnerLayer._decrypt(self._outer_layer, self.revision_counter, subcredential, blinded_key)
 
     return self._inner_layer
 
diff --git a/stem/descriptor/hsv3_crypto.py b/stem/descriptor/hsv3_crypto.py
index bd090265..ed4ad7b8 100644
--- a/stem/descriptor/hsv3_crypto.py
+++ b/stem/descriptor/hsv3_crypto.py
@@ -57,3 +57,101 @@ class HSv3PublicBlindedKey(object):
         """
         ext.slow_ed25519.checkvalid(signature, message, self.public_key)
 
+"""
+subcredential
+
+       subcredential = H("subcredential" | credential | blinded-public-ke
+       credential = H("credential" | public-identity-key)
+"""
+def get_subcredential(public_identity_key, blinded_key):
+    cred_bytes_constant = "credential".encode()
+    subcred_bytes_constant = "subcredential".encode()
+
+    credential = hashlib.sha3_256(b"%s%s" % (cred_bytes_constant, public_identity_key)).digest()
+    subcredential = hashlib.sha3_256(b"%s%s%s" % (subcred_bytes_constant, credential, blinded_key)).digest()
+
+    return subcredential
+
+
+"""
+Basic descriptor logic:
+
+       SALT = 16 bytes from H(random), changes each time we rebuld the
+              descriptor even if the content of the descriptor hasn't changed.
+              (So that we don't leak whether the intro point list etc. changed)
+
+       secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
+
+       keys = KDF(secret_input | salt | STRING_CONSTANT, S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN)
+
+       SECRET_KEY = first S_KEY_LEN bytes of keys
+       SECRET_IV  = next S_IV_LEN bytes of keys
+       MAC_KEY    = last MAC_KEY_LEN bytes of keys
+
+
+Layer data:
+
+ 2.5.1.1. First layer encryption logic
+     SECRET_DATA = blinded-public-key
+     STRING_CONSTANT = "hsdir-superencrypted-data"
+
+ 2.5.2.1. Second layer encryption keys
+     SECRET_DATA = blinded-public-key | descriptor_cookie
+     STRING_CONSTANT = "hsdir-encrypted-data"
+"""
+
+SALT_LEN = 16
+MAC_LEN = 32
+
+S_KEY_LEN = 32
+S_IV_LEN = 16
+MAC_KEY_LEN = 32
+
+"""
+
+Descriptor encryption
+
+"""
+
+def pack(val):
+    return struct.pack('>Q', val)
+
+
+def get_desc_keys(secret_data, string_constant,
+                  subcredential, revision_counter, salt):
+    """
+       secret_input = SECRET_DATA | subcredential | INT_8(revision_counter)
+
+       keys = KDF(secret_input | salt | STRING_CONSTANT, S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN)
+
+       SECRET_KEY = first S_KEY_LEN bytes of keys
+       SECRET_IV  = next S_IV_LEN bytes of keys
+       MAC_KEY    = last MAC_KEY_LEN bytes of keys
+
+    where
+
+    2.5.1.1. First layer encryption logic
+     SECRET_DATA = blinded-public-key
+     STRING_CONSTANT = "hsdir-superencrypted-data"
+
+    2.5.2.1. Second layer encryption keys
+     SECRET_DATA = blinded-public-key | descriptor_cookie
+     STRING_CONSTANT = "hsdir-encrypted-data"
+    """
+    secret_input = b"%s%s%s" % (secret_data, subcredential, pack(revision_counter))
+
+    kdf = hashlib.shake_256(secret_input + salt + string_constant)
+
+    keys = kdf.digest(S_KEY_LEN + S_IV_LEN + MAC_LEN)
+
+    secret_key = keys[:S_KEY_LEN]
+    secret_iv = keys[S_KEY_LEN:S_KEY_LEN + S_IV_LEN]
+    mac_key = keys[S_KEY_LEN + S_IV_LEN:]
+
+    return secret_key, secret_iv, mac_key
+
+def get_desc_encryption_mac(key, salt, ciphertext):
+
+    mac = hashlib.sha3_256(pack(len(key)) + key + pack(len(salt)) + salt + ciphertext).digest()
+    return mac
+

More information about the tor-commits mailing list