Use a better salted-MAC construction in build_mac()

1 files changed, 7 insertions, 2 deletions

diff --git a/src/or/hs_descriptor.c b/src/or/hs_descriptor.c
index 7868c05641..a0ddf272fc 100644
--- a/src/or/hs_descriptor.c
+++ b/src/or/hs_descriptor.c
@@ -481,8 +481,7 @@ build_secret_key_iv_mac(const hs_descriptor_t *desc,
 }
 
 /* Using a key, salt and encrypted payload, build a MAC and put it in mac_out.
- * The length of the mac key and salt must be fixed and if not, you can't rely
- * on the result to be a valid MAC. We use SHA3-256 for the MAC computation.
+ * We use SHA3-256 for the MAC computation.
  * This function can't fail. */
 static void
 build_mac(const uint8_t *mac_key, size_t mac_key_len,
@@ -492,6 +491,9 @@ build_mac(const uint8_t *mac_key, size_t mac_key_len,
 {
   crypto_digest_t *digest;
 
+  const uint64_t mac_len_netorder = tor_htonll(mac_key_len);
+  const uint64_t salt_len_netorder = tor_htonll(salt_len);
+
   tor_assert(mac_key);
   tor_assert(salt);
   tor_assert(encrypted);
@@ -500,7 +502,10 @@ build_mac(const uint8_t *mac_key, size_t mac_key_len,
   digest = crypto_digest256_new(DIGEST_SHA3_256);
   /* As specified in section 2.5 of proposal 224, first add the mac key
    * then add the salt first and then the encrypted section. */
+
+  crypto_digest_add_bytes(digest, (const char *) &mac_len_netorder, 8);
   crypto_digest_add_bytes(digest, (const char *) mac_key, mac_key_len);
+  crypto_digest_add_bytes(digest, (const char *) &salt_len_netorder, 8);
   crypto_digest_add_bytes(digest, (const char *) salt, salt_len);
   crypto_digest_add_bytes(digest, (const char *) encrypted, encrypted_len);
   crypto_digest_get_digest(digest, (char *) mac_out, mac_len);