|
@@ -343,7 +343,7 @@ class NTor:
|
|
|
"""Create the ntor request message: X = g^x."""
|
|
|
self.client_ephem_key = nacl.public.PrivateKey.generate()
|
|
|
self.perfstats.keygens += 1
|
|
|
- return self.client_ephem_key.public_key
|
|
|
+ return bytes(self.client_ephem_key.public_key)
|
|
|
|
|
|
@staticmethod
|
|
|
def reply(onion_privkey, idpubkey, client_pubkey, perfstats,
|
|
@@ -353,13 +353,17 @@ class NTor:
|
|
|
secret S = H(M, "secret") for M = (X^y,X^b,ID,B,X,Y). If
|
|
|
sphinx_domainsep is not None, also compute and return the Sphinx
|
|
|
reblinded client request to pass to the next server."""
|
|
|
+ if type(idpubkey) is not bytes:
|
|
|
+ idpubkey = bytes(idpubkey)
|
|
|
+ if type(client_pubkey) is bytes:
|
|
|
+ client_pubkey = nacl.public.PublicKey(client_pubkey)
|
|
|
server_ephem_key = nacl.public.PrivateKey.generate()
|
|
|
perfstats.keygens += 1
|
|
|
xykey = nacl.public.Box(server_ephem_key, client_pubkey).shared_key()
|
|
|
xbkey = nacl.public.Box(onion_privkey, client_pubkey).shared_key()
|
|
|
perfstats.dhs += 2
|
|
|
M = xykey + xbkey + \
|
|
|
- idpubkey.encode(encoder=nacl.encoding.RawEncoder) + \
|
|
|
+ idpubkey + \
|
|
|
onion_privkey.public_key.encode(encoder=nacl.encoding.RawEncoder) + \
|
|
|
server_ephem_key.public_key.encode(encoder=nacl.encoding.RawEncoder)
|
|
|
A = nacl.hash.sha256(M + b'verify', encoder=nacl.encoding.RawEncoder)
|
|
@@ -369,11 +373,12 @@ class NTor:
|
|
|
blindkey = Sphinx.makeblindkey(S, sphinx_domainsep, perfstats)
|
|
|
blinded_client_pubkey = Sphinx.reblindpubkey(blindkey,
|
|
|
client_pubkey, perfstats)
|
|
|
- return ((server_ephem_key.public_key, onion_privkey.public_key, A),
|
|
|
+ return ((bytes(server_ephem_key.public_key),
|
|
|
+ bytes(onion_privkey.public_key), A),
|
|
|
S), blinded_client_pubkey
|
|
|
else:
|
|
|
- return ((server_ephem_key.public_key, onion_privkey.public_key, A),
|
|
|
- S)
|
|
|
+ return ((bytes(server_ephem_key.public_key),
|
|
|
+ bytes(onion_privkey.public_key), A), S)
|
|
|
|
|
|
def verify(self, reply, onion_pubkey, idpubkey, sphinx_domainsep=None):
|
|
|
"""The client calls this method to verify the ntor reply
|
|
@@ -383,6 +388,14 @@ class NTor:
|
|
|
reuse this same NTor object for the next server. Returns the
|
|
|
shared secret on success, or raises ValueError on failure."""
|
|
|
server_ephem_pubkey, server_onion_pubkey, authtag = reply
|
|
|
+ if type(idpubkey) is not bytes:
|
|
|
+ idpubkey = bytes(idpubkey)
|
|
|
+ if type(server_ephem_pubkey) is bytes:
|
|
|
+ server_ephem_pubkey = nacl.public.PublicKey(server_ephem_pubkey)
|
|
|
+ if type(server_onion_pubkey) is bytes:
|
|
|
+ server_onion_pubkey = nacl.public.PublicKey(server_onion_pubkey)
|
|
|
+ if type(onion_pubkey) is bytes:
|
|
|
+ onion_pubkey = nacl.public.PublicKey(onion_pubkey)
|
|
|
if onion_pubkey != server_onion_pubkey:
|
|
|
raise ValueError("NTor onion pubkey mismatch")
|
|
|
# We use the blinding keys if present; if they're not present
|
|
@@ -403,7 +416,7 @@ class NTor:
|
|
|
reblinded_onion_pubkey).shared_key()
|
|
|
self.perfstats.dhs += 2
|
|
|
M = xykey + xbkey + \
|
|
|
- idpubkey.encode(encoder=nacl.encoding.RawEncoder) + \
|
|
|
+ idpubkey + \
|
|
|
onion_pubkey.encode(encoder=nacl.encoding.RawEncoder) + \
|
|
|
server_ephem_pubkey.encode(encoder=nacl.encoding.RawEncoder)
|
|
|
Acheck = nacl.hash.sha256(M + b'verify', encoder=nacl.encoding.RawEncoder)
|
|
@@ -456,7 +469,7 @@ class TelescopingExtendCircuitHandler:
|
|
|
|
|
|
def __init__(self, relaypicker, current_relay_idkey):
|
|
|
self.relaypicker = relaypicker
|
|
|
- self.current_relay_idkey = current_relay_idkey
|
|
|
+ self.current_relay_idkey = bytes(current_relay_idkey)
|
|
|
|
|
|
def received_cell(self, circhandler, cell):
|
|
|
# Remove ourselves from handling a second
|
|
@@ -980,7 +993,7 @@ class RelayChannelManager(ChannelManager):
|
|
|
if next_hop == None:
|
|
|
logging.debug("Client requested extending the circuit to a relay index that results in None, aborting. my circid: %s", str(circhandler.circid))
|
|
|
circhandler.close()
|
|
|
- elif next_hop.snipdict["idkey"] == self.idpubkey or next_hop.snipdict["addr"] == peeraddr:
|
|
|
+ elif next_hop.snipdict["idkey"] == bytes(self.idpubkey) or next_hop.snipdict["addr"] == peeraddr:
|
|
|
logging.debug("Client requested extending the circuit to a relay already in the path; aborting. my circid: %s", str(circhandler.circid))
|
|
|
circhandler.close()
|
|
|
|
|
@@ -1092,8 +1105,8 @@ class Relay(network.Server):
|
|
|
# previous upload if upload=False
|
|
|
descdict = dict();
|
|
|
descdict["epoch"] = network.thenetwork.getepoch() + 1
|
|
|
- descdict["idkey"] = self.idkey.verify_key
|
|
|
- descdict["onionkey"] = self.onionkey.public_key
|
|
|
+ descdict["idkey"] = bytes(self.idkey.verify_key)
|
|
|
+ descdict["onionkey"] = bytes(self.onionkey.public_key)
|
|
|
descdict["addr"] = self.netaddr
|
|
|
descdict["bw"] = self.bw
|
|
|
descdict["flags"] = self.flags
|