Commit 4ad4467f authored by George Kadianakis's avatar George Kadianakis Committed by Nick Mathewson

Don't double hash the ed25519 blind key parameter.

We used to do:
   h = H(BLIND_STRING | H(A | s | B | N))
when we should be doing:
   h = H(BLIND_STRING | A | s | B | N)

Change the logic so that hs_common.c does the hashing, and our ed25519
libraries just receive the hashed parameter ready-made. That's easier
than doing the hashing on the ed25519 libraries, since that means we
would have to pass them a variable-length param (depending on whether
's' is set or not).

Also fix the ed25519 test vectors since they were also double hashing.
parent b89d2fa1
...@@ -245,13 +245,7 @@ ed25519_donna_sign(unsigned char *sig, const unsigned char *m, size_t mlen, ...@@ -245,13 +245,7 @@ ed25519_donna_sign(unsigned char *sig, const unsigned char *m, size_t mlen,
static void static void
ed25519_donna_gettweak(unsigned char *out, const unsigned char *param) ed25519_donna_gettweak(unsigned char *out, const unsigned char *param)
{ {
static const char str[] = "Derive temporary signing key"; memcpy(out, param, 32);
ed25519_hash_context ctx;
ed25519_hash_init(&ctx);
ed25519_hash_update(&ctx, (const unsigned char*)str, strlen(str));
ed25519_hash_update(&ctx, param, 32);
ed25519_hash_final(&ctx, out);
out[0] &= 248; /* Is this necessary ? */ out[0] &= 248; /* Is this necessary ? */
out[31] &= 63; out[31] &= 63;
......
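Review bot: The new `memcpy(out, param, 32);` in `ed25519_donna_gettweak` silently changes the function's contract — the caller must now hand in the already-hashed 32-byte parameter — and nothing in the function says so or records the 32-byte length requirement. A comment above the copy, `/* param is the 32-byte blinding parameter h, already hashed by the caller (hs_common.c); this function only clamps it. */`, would stop the next reader from re-introducing the hash that this commit removes. The clamping that follows (`out[0] &= 248; out[31] &= 63; out[31] |= 64;`) also answers the lingering "Is this necessary ?" question: it is what makes the C tweak equal to the reference script's `mult = 2**(b-2) + sum(2**i * bit(param,i) for i in range(3,b-2))`, so the comment could say that instead of asking. The same documentation gap applies to `ed25519_ref10_gettweak` in the ref10 hunk below. The tail of the donna function is outside the shown hunk.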
...@@ -12,8 +12,8 @@ ...@@ -12,8 +12,8 @@
static void static void
ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param) ed25519_ref10_gettweak(unsigned char *out, const unsigned char *param)
{ {
const char str[] = "Derive temporary signing key"; memcpy(out, param, 32);
crypto_hash_sha512_2(out, (const unsigned char*)str, strlen(str), param, 32);
out[0] &= 248; /* Is this necessary necessary ? */ out[0] &= 248; /* Is this necessary necessary ? */
out[31] &= 63; out[31] &= 63;
out[31] |= 64; out[31] |= 64;
......
...@@ -551,6 +551,7 @@ build_blinded_key_param(const ed25519_public_key_t *pubkey, ...@@ -551,6 +551,7 @@ build_blinded_key_param(const ed25519_public_key_t *pubkey,
uint8_t *param_out) uint8_t *param_out)
{ {
size_t offset = 0; size_t offset = 0;
const char blind_str[] = "Derive temporary signing key";
uint8_t nonce[HS_KEYBLIND_NONCE_LEN]; uint8_t nonce[HS_KEYBLIND_NONCE_LEN];
crypto_digest_t *digest; crypto_digest_t *digest;
...@@ -568,8 +569,9 @@ build_blinded_key_param(const ed25519_public_key_t *pubkey, ...@@ -568,8 +569,9 @@ build_blinded_key_param(const ed25519_public_key_t *pubkey,
tor_assert(offset == HS_KEYBLIND_NONCE_LEN); tor_assert(offset == HS_KEYBLIND_NONCE_LEN);
/* Generate the parameter h and the construction is as follow: /* Generate the parameter h and the construction is as follow:
* h = H(pubkey | [secret] | ed25519-basepoint | nonce) */ * h = H(BLIND_STRING | pubkey | [secret] | ed25519-basepoint | N) */
digest = crypto_digest256_new(DIGEST_SHA3_256); digest = crypto_digest256_new(DIGEST_SHA3_256);
crypto_digest_add_bytes(digest, blind_str, sizeof(blind_str));
crypto_digest_add_bytes(digest, (char *) pubkey, ED25519_PUBKEY_LEN); crypto_digest_add_bytes(digest, (char *) pubkey, ED25519_PUBKEY_LEN);
/* Optional secret. */ /* Optional secret. */
if (secret) { if (secret) {
......
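Review bot: The added `crypto_digest_add_bytes(digest, blind_str, sizeof(blind_str));` hashes the 28-byte string plus its terminating NUL, since `sizeof` on a `char[]` initialised from a literal counts the NUL, whereas the donna/ref10 code this commit deletes hashed `strlen(str)` bytes and the commit message writes the construction as `H(BLIND_STRING | A | s | B | N)` without saying whether BLIND_STRING carries a NUL. Either choice works, but it must be pinned down, because an implementation that follows the written construction literally derives a different h and therefore a different blinded key. If the NUL is intended, state it at the line, e.g. `/* BLIND_STRING deliberately includes its trailing NUL byte (sizeof, not strlen). */`; if not, pass `strlen(blind_str)`. The updated comment on `h = H(BLIND_STRING | pubkey | [secret] | ed25519-basepoint | N)` is the natural place to spell the byte string out. The secret, basepoint and nonce additions and the digest finalisation are outside the shown hunks.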
...@@ -32,8 +32,7 @@ def curve25519ToEd25519(c, sign): ...@@ -32,8 +32,7 @@ def curve25519ToEd25519(c, sign):
return encodepoint([x,y]) return encodepoint([x,y])
def blindESK(esk, param): def blindESK(esk, param):
h = H("Derive temporary signing key" + param) mult = 2**(b-2) + sum(2**i * bit(param,i) for i in range(3,b-2))
mult = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
s = decodeint(esk[:32]) s = decodeint(esk[:32])
s_prime = (s * mult) % ell s_prime = (s * mult) % ell
k = esk[32:] k = esk[32:]
...@@ -42,8 +41,7 @@ def blindESK(esk, param): ...@@ -42,8 +41,7 @@ def blindESK(esk, param):
return encodeint(s_prime) + k_prime return encodeint(s_prime) + k_prime
def blindPK(pk, param): def blindPK(pk, param):
h = H("Derive temporary signing key" + param) mult = 2**(b-2) + sum(2**i * bit(param,i) for i in range(3,b-2))
mult = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
P = decodepoint(pk) P = decodepoint(pk)
return encodepoint(scalarmult(P, mult)) return encodepoint(scalarmult(P, mult))
......
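Review bot: `blindESK` and `blindPK` now read `bit(param, i)` for `i in range(3, b-2)` directly from `param`, so `param` has to be exactly the 32-byte hash output (assuming `b` is 256 as in the ed25519 reference); the `H(...)` call the commit removes used to normalise any input length, and a caller that now passes the unhashed concatenation would silently produce a different scalar or fail inside `bit`. A guard at the top of each function, `assert len(param) == 32, "param must be the 32-byte hashed blinding parameter"`, plus a docstring saying the caller supplies `H(BLIND_STRING | A | s | B | N)` would capture the new contract. The identical `mult` line in the two functions could also move into one small helper so the clamping cannot drift between them. The `k_prime` derivation of `blindESK` lies between the two hunks shown.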
...@@ -91,21 +91,21 @@ static const char *ED25519_BLINDING_PARAMS[] = { ...@@ -91,21 +91,21 @@ static const char *ED25519_BLINDING_PARAMS[] = {
* blinding parameter. * blinding parameter.
*/ */
static const char *ED25519_BLINDED_SECRET_KEYS[] = { static const char *ED25519_BLINDED_SECRET_KEYS[] = {
"014e83abadb2ca9a27e0ffe23920333d817729f48700e97656ec2823d694050e171d43" "293c3acff4e902f6f63ddc5d5caa2a57e771db4f24de65d4c28df3232f47fa01171d43"
"f24e3f53e70ec7ac280044ac77d4942dee5d6807118a59bdf3ee647e89", "f24e3f53e70ec7ac280044ac77d4942dee5d6807118a59bdf3ee647e89",
"fad8cca0b4335847795288b1452508752b253e64e6c7c78d4a02dbbd7d46aa0eb8ceff" "38b88f9f9440358da544504ee152fb475528f7c51c285bd1c68b14ade8e29a07b8ceff"
"20dfcf53eb52b891fc078c934efbf0353af7242e7dc51bb32a093afa29", "20dfcf53eb52b891fc078c934efbf0353af7242e7dc51bb32a093afa29",
"116eb0ae0a4a91763365bdf86db427b00862db448487808788cc339ac10e5e089217f5" "4d03ce16a3f3249846aac9de0a0075061495c3b027248eeee47da4ddbaf9e0049217f5"
"2e92797462bd890fc274672e05c98f2c82970d640084781334aae0f940", "2e92797462bd890fc274672e05c98f2c82970d640084781334aae0f940",
"bd1fbb0ee5acddc4adbcf5f33e95d9445f40326ce579fdd764a24483a9ccb20f509ece" "51d7db01aaa0d937a9fd7c8c7381445a14d8fa61f43347af5460d7cd8fda9904509ece"
"e77082ce088f7c19d5a00e955eeef8df6fa41686abc1030c2d76807733", "e77082ce088f7c19d5a00e955eeef8df6fa41686abc1030c2d76807733",
"237f5345cefe8573ce9fa7e216381a1172796c9e3f70668ab503b1352952530fb57b95" "1f76cab834e222bd2546efa7e073425680ab88df186ff41327d3e40770129b00b57b95"
"a440570659a440a3e4771465022a8e67af86bdf2d0990c54e7bb87ff9a", "a440570659a440a3e4771465022a8e67af86bdf2d0990c54e7bb87ff9a",
"ba8ff23bc4ad2b739e1ccffc9fbc7837053ea81cdfdb15073f56411cfbae1d0ec492fc" "c23588c23ee76093419d07b27c6df5922a03ac58f96c53671456a7d1bdbf560ec492fc"
"87d5ec2a1b185ca5a40541fdef0b1e128fd5c2380c888bfa924711bcab", "87d5ec2a1b185ca5a40541fdef0b1e128fd5c2380c888bfa924711bcab",
"0fa68f969de038c7a90a4a74ee6167c77582006f2dedecc1956501ba6b6fb10391b476" "3ed249c6932d076e1a2f6916975914b14e8c739da00992358b8f37d3e790650691b476"
"8f8e556d78f4bdcb9a13b6f6066fe81d3134ae965dc48cd0785b3af2b8", "8f8e556d78f4bdcb9a13b6f6066fe81d3134ae965dc48cd0785b3af2b8",
"deaa3456d1c21944d5dcd361a646858c6cf9336b0a6851d925717eb1ae186902053d9c" "288cbfd923cb286d48c084555b5bdd06c05e92fb81acdb45271367f57515380e053d9c"
"00c81e1331c06ab50087be8cfc7dc11691b132614474f1aa9c2503cccd", "00c81e1331c06ab50087be8cfc7dc11691b132614474f1aa9c2503cccd",
}; };
...@@ -115,14 +115,14 @@ static const char *ED25519_BLINDED_SECRET_KEYS[] = { ...@@ -115,14 +115,14 @@ static const char *ED25519_BLINDED_SECRET_KEYS[] = {
* blinding parameter. * blinding parameter.
*/ */
static const char *ED25519_BLINDED_PUBLIC_KEYS[] = { static const char *ED25519_BLINDED_PUBLIC_KEYS[] = {
"722d6da6348e618967ef782e71061e27163a8b35f21856475d9d2023f65b6495", "1fc1fa4465bd9d4956fdbdc9d3acb3c7019bb8d5606b951c2e1dfe0b42eaeb41",
"1dffa0586da6cbfcff2024eedf4fc6c818242d9a82dbbe635d6da1b975a1160d", "1cbbd4a88ce8f165447f159d9f628ada18674158c4f7c5ead44ce8eb0fa6eb7e",
"5ed81f98fed5a6acda4ea6da2c34fab0ab359d950c510c256473f1f33ff438b4", "c5419ad133ffde7e0ac882055d942f582054132b092de377d587435722deb028",
"6e6f92a54fb282120c46d9603df41135f025bc1f58f283809d04be96aeb04040", "3e08d0dc291066272e313014bfac4d39ad84aa93c038478a58011f431648105f",
"cda236f28edc4c7e02d18007b8dab49d669265b0f7aefb1824d7cc8e73a2cd63", "59381f06acb6bf1389ba305f70874eed3e0f2ab57cdb7bc69ed59a9b8899ff4d",
"367b03b17b67ca7329b89a520bdab91782402a41cd67264e34b5541a4b3f875b", "2b946a484344eb1c17c89dd8b04196a84f3b7222c876a07a4cece85f676f87d9",
"8d486b03ac4e3b486b7a1d563706c7fdac75aee789a7cf6f22789eedeff61a31", "c6b585129b135f8769df2eba987e76e089e80ba3a2a6729134d3b28008ac098e",
"9f297ff0aa2ceda91c5ab1b6446f12533d145940de6d850dc323417afde0cb78", "0eefdc795b59cabbc194c6174e34ba9451e8355108520554ec285acabebb34ac",
}; };
/** /**
......