#31823: HSv3 descriptor support in stem [encoding] -------------------------------------------------+------------------------- Reporter: asn | Owner: atagar Type: defect | Status: | needs_revision Priority: Medium | Milestone: Tor: | unspecified Component: Core Tor/Stem | Version: Severity: Normal | Resolution: Keywords: tor-hs scaling onionbalance | Actual Points: 2 network-team-roadmap-september tor-spec | Parent ID: #26768 | Points: 5 Reviewer: | Sponsor: -------------------------------------------------+-------------------------
Comment (by atagar): > Hm. I understand that _descriptor_content() arguments are default values, but what defines a good default value here? Hi George. Yup, I'm delighted to improve our defaults and this is probably simply a matter of us misunderstanding each other's code. Here's what you had... {{{ def _get_fake_clients_bytes(): """ Generate fake client authorization data for the middle layer """ final_bytes = b'' num_fake_clients = 16 # default for when client auth is disabled for _ in range(num_fake_clients): client_id = base64.b64encode(os.urandom(8)).rstrip(b'=') client_iv = base64.b64encode(os.urandom(16)).rstrip(b'=') descriptor_cookie = base64.b64encode(os.urandom(16)).rstrip(b'=') final_bytes += b'%s %s %s %s\n' % (b'auth-client', client_id, client_iv, descriptor_cookie) return final_bytes def _get_middle_descriptor_layer_body(encrypted): """ Get the middle descriptor layer as bytes (It's just fake client auth data since client auth is disabled) """ from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey from cryptography.hazmat.primitives import serialization fake_pub_key = X25519PrivateKey.generate().public_key() fake_pub_key_bytes = fake_pub_key.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw) fake_pub_key_bytes_b64 = base64.b64encode(fake_pub_key_bytes) fake_clients = _get_fake_clients_bytes() return b'desc-auth-type x25519\n' \ b'desc-auth-ephemeral-key %s\n' \ b'%s' \ b'%s' % (fake_pub_key_bytes_b64, fake_clients, encrypted) }}} This didn't explain why values were fabricated this way so I figured it was simply overly complicated and inflexible (callers should have a mechanism to override all descriptor values). Since you're calling out **desc-auth-ephemeral-key** in particular here's your version of just that... {{{ fake_pub_key = X25519PrivateKey.generate().public_key() fake_pub_key_bytes = fake_pub_key.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw) b'desc-auth-ephemeral-key %s' % base64.b64encode(fake_pub_key_bytes) }}} As such, to do the same as your code I could simply change... {{{ return _descriptor_content(attr, exclude, ( ('desc-auth-type', 'x25519'), ('desc-auth-ephemeral-key', base64.b64encode(os.urandom(32))), ), ( ('encrypted', b'\n' + inner_layer._encrypt(revision_counter, subcredential, blinded_key)), )) }}} ... to... {{{ return _descriptor_content(attr, exclude, ( ('desc-auth-type', 'x25519'), ('desc-auth-ephemeral-key', base64.b64encode(stem.util._pubkey_bytes(X25519PrivateKey.generate()))), ), ( ('encrypted', b'\n' + inner_layer._encrypt(revision_counter, subcredential, blinded_key)), )) }}} Is that what you would like? The base64 encoding of a random key? If so that's a very simple tweak to make. Or are you requesting something else? -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31823#comment:14> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs