authorGeorge Kadianakis <desnacked@riseup.net>2017-08-04 12:37:48 +0300
committerNick Mathewson <nickm@torproject.org>2017-08-08 20:29:34 -0400
commit4ad4467fa13a0e6333fa0016a63060d5b9dd9715 (patch)
tree2be3e046037a0983d034ab428bafdda0950f47df /src/or/hs_common.c
parentb89d2fa1db2379bffd2e2b4c851c3facc57b6ed8 (diff)
Don't double hash the ed25519 blind key parameter.
We used to do: h = H(BLIND_STRING | H(A | s | B | N)) when we should be doing: h = H(BLIND_STRING | A | s | B | N). Change the logic so that hs_common.c does the hashing, and our ed25519 libraries just receive the hashed parameter ready-made. That's easier than doing the hashing in the ed25519 libraries, since that means we would have to pass them a variable-length param (depending on whether 's' is set or not). Also fix the ed25519 test vectors since they were also double hashing.
Diffstat (limited to 'src/or/hs_common.c')
-rw-r--r--src/or/hs_common.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/or/hs_common.c b/src/or/hs_common.c
index 2894d0a286..a29b377494 100644
--- a/src/or/hs_common.c
+++ b/src/or/hs_common.c
@@ -551,6 +551,7 @@ build_blinded_key_param(const ed25519_public_key_t *pubkey,
uint8_t *param_out)
{
size_t offset = 0;
+ const char blind_str[] = "Derive temporary signing key";
uint8_t nonce[HS_KEYBLIND_NONCE_LEN];
crypto_digest_t *digest;
@@ -568,8 +569,9 @@ build_blinded_key_param(const ed25519_public_key_t *pubkey,
tor_assert(offset == HS_KEYBLIND_NONCE_LEN);
/* Generate the parameter h and the construction is as follow:
- * h = H(pubkey | [secret] | ed25519-basepoint | nonce) */
+ * h = H(BLIND_STRING | pubkey | [secret] | ed25519-basepoint | N) */
digest = crypto_digest256_new(DIGEST_SHA3_256);
+ crypto_digest_add_bytes(digest, blind_str, sizeof(blind_str));
crypto_digest_add_bytes(digest, (char *) pubkey, ED25519_PUBKEY_LEN);
/* Optional secret. */
if (secret) {
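Review bot: `crypto_digest_add_bytes(digest, blind_str, sizeof(blind_str))` feeds the terminating NUL into the hash, so the prefix is 29 bytes, not the 28 visible characters of "Derive temporary signing key". If that is deliberate (the v3 spec defines BLIND_STRING with a trailing INT_1(0), as far as I recall), it needs a comment next to the call, e.g. `/* sizeof() on purpose: BLIND_STRING includes the trailing NUL byte. */`, because the obvious "fix" to `strlen()` would silently change every blinded key without any test vector catching it unless the vectors are regenerated too. The new comment line also switches from "nonce" to "N" while the variable hashed later is still `nonce`; keeping `| nonce)` in the comment avoids a second name for the same value. The `blind_str` array added in the previous hunk is a non-static local, so it is re-initialized on every call; `static const char blind_str[] = ...` expresses the constant better. build_blinded_key_param begins before the first hunk and continues past this one.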