[tor-commits] [stem/master] Revert _decrypt_layer() crypto changes

[atagar at torproject.org]

commit c40db8f7c28e6b5b90e61317e256911fb8661dc7
Author: Damian Johnson <atagar at torproject.org>
Date:   Thu Oct 31 15:48:07 2019 -0700

    Revert _decrypt_layer() crypto changes
    
    George adjusted _decrypt_layer() to use his hsv3_crypto module. Swapping this
    back to what we had.
---
 stem/descriptor/hidden_service.py | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py
index bb8937d8..a490f3b7 100644
--- a/stem/descriptor/hidden_service.py
+++ b/stem/descriptor/hidden_service.py
@@ -36,6 +36,7 @@ import datetime
 import hashlib
 import io
 import os
+import struct
 import time
 
 import stem.client.datatype
@@ -213,8 +214,8 @@ class IntroductionPointV3(collections.namedtuple('IntroductionPointV3', ['link_s
     lines = []
 
     link_count = stem.client.datatype.Size.CHAR.pack(len(self.link_specifiers))
-    link_specifiers = link_count + ''.join([l.pack() for l in self.link_specifiers])
-    lines.append('introduction-point %s' % base64.b64encode(link_specifiers))
+    link_specifiers = link_count + b''.join([l.pack() for l in self.link_specifiers])
+    lines.append('introduction-point %s' % stem.util.str_tools._to_unicode(base64.b64encode(link_specifiers)))
 
     if self.onion_key_raw:
       lines.append('onion-key ntor %s' % self.onion_key_raw)
@@ -365,6 +366,9 @@ def _decrypt_layer(encrypted_block, constant, revision_counter, subcredential, b
   from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
   from cryptography.hazmat.backends import default_backend
 
+  def pack(val):
+    return struct.pack('>Q', val)
+
   if encrypted_block.startswith('-----BEGIN MESSAGE-----\n') and encrypted_block.endswith('\n-----END MESSAGE-----'):
     encrypted_block = encrypted_block[24:-22]
 
@@ -380,10 +384,14 @@ def _decrypt_layer(encrypted_block, constant, revision_counter, subcredential, b
   ciphertext = encrypted[SALT_LEN:-MAC_LEN]
   expected_mac = encrypted[-MAC_LEN:]
 
-  secret_key, secret_iv, mac_key = hsv3_crypto.get_desc_keys(blinded_key, constant,
-                                                             subcredential, revision_counter, salt, )
+  kdf = hashlib.shake_256(blinded_key + subcredential + pack(revision_counter) + salt + constant)
+  keys = kdf.digest(S_KEY_LEN + S_IV_LEN + MAC_LEN)
+
+  secret_key = keys[:S_KEY_LEN]
+  secret_iv = keys[S_KEY_LEN:S_KEY_LEN + S_IV_LEN]
+  mac_key = keys[S_KEY_LEN + S_IV_LEN:]
 
-  mac = hsv3_crypto.get_desc_encryption_mac(mac_key, salt, ciphertext)
+  mac = hashlib.sha3_256(pack(len(mac_key)) + mac_key + pack(len(salt)) + salt + ciphertext).digest()
 
   if mac != expected_mac:
     raise ValueError('Malformed mac (expected %s, but was %s)' % (expected_mac, mac))