Remove padding from ntor-onion-key #7869

src/feature/dirauth/dirvote.c

@@ -3848,11 +3848,10 @@ dirvote_create_microdescriptor(const routerinfo_t *ri, int consensus_method)
   smartlist_add_asprintf(chunks, "onion-key\n%s", key);
 
   if (ri->onion_curve25519_pkey) {
-    char kbuf[128];
+    char kbuf[CURVE25519_BASE64_PADDED_LEN + 1];
-    base64_encode(kbuf, sizeof(kbuf),
+    bool add_padding = (consensus_method < MIN_METHOD_FOR_UNPADDED_NTOR_KEY);
-                  (const char*)ri->onion_curve25519_pkey->public_key,
+    curve25519_public_to_base64(kbuf, ri->onion_curve25519_pkey, add_padding);
-                  CURVE25519_PUBKEY_LEN, BASE64_ENCODE_MULTILINE);
+    smartlist_add_asprintf(chunks, "ntor-onion-key %s\n", kbuf);
-    smartlist_add_asprintf(chunks, "ntor-onion-key %s", kbuf);
   }
 
   if (family) {
@@ -3963,6 +3962,8 @@ static const struct consensus_method_range_t {
   {MIN_SUPPORTED_CONSENSUS_METHOD,
    MIN_METHOD_FOR_CANONICAL_FAMILIES_IN_MICRODESCS - 1},
   {MIN_METHOD_FOR_CANONICAL_FAMILIES_IN_MICRODESCS,
+   MIN_METHOD_FOR_UNPADDED_NTOR_KEY - 1},
+  {MIN_METHOD_FOR_UNPADDED_NTOR_KEY,
    MAX_SUPPORTED_CONSENSUS_METHOD},
   {-1, -1}
 };

src/feature/dirauth/dirvote.h

@@ -53,7 +53,7 @@
 #define MIN_SUPPORTED_CONSENSUS_METHOD 28
 
 /** The highest consensus method that we currently support. */
-#define MAX_SUPPORTED_CONSENSUS_METHOD 29
+#define MAX_SUPPORTED_CONSENSUS_METHOD 30
 
 /**
  * Lowest consensus method where microdescriptor lines are put in canonical
@@ -61,6 +61,10 @@
  **/
 #define MIN_METHOD_FOR_CANONICAL_FAMILIES_IN_MICRODESCS 29
 
+/** Lowest consensus method where an unpadded base64 onion-key-ntor is allowed
+ * See #7869 */
+#define MIN_METHOD_FOR_UNPADDED_NTOR_KEY 30
+
 /** Default bandwidth to clip unmeasured bandwidths to using method >=
  * MIN_METHOD_TO_CLIP_UNMEASURED_BW.  (This is not a consensus method; do not
  * get confused with the above macros.) */

src/feature/relay/router.c

@@ -2854,11 +2854,9 @@ router_dump_router_to_string(routerinfo_t *router,
   }
 
   if (router->onion_curve25519_pkey) {
-    char kbuf[128];
+    char kbuf[CURVE25519_BASE64_PADDED_LEN + 1];
-    base64_encode(kbuf, sizeof(kbuf),
+    curve25519_public_to_base64(kbuf, router->onion_curve25519_pkey, false);
-                  (const char *)router->onion_curve25519_pkey->public_key,
+    smartlist_add_asprintf(chunks, "ntor-onion-key %s\n", kbuf);
-                  CURVE25519_PUBKEY_LEN, BASE64_ENCODE_MULTILINE);
-    smartlist_add_asprintf(chunks, "ntor-onion-key %s", kbuf);
   } else {
     /* Authorities will start rejecting relays without ntor keys in 0.2.9 */
     log_err(LD_BUG, "A relay must have an ntor onion key");

src/test/test_dir.c

@@ -397,18 +397,14 @@ get_new_ntor_onion_key_line(const curve25519_public_key_t *ntor_onion_pubkey)
 {
   char *line = NULL;
   char cert_buf[256];
-  int rv = 0;
 
   tor_assert(ntor_onion_pubkey);
 
-  rv = base64_encode(cert_buf, sizeof(cert_buf),
+  curve25519_public_to_base64(cert_buf, ntor_onion_pubkey, false);
-                     (const char*)ntor_onion_pubkey->public_key, 32,
-                     BASE64_ENCODE_MULTILINE);
-  tor_assert(rv > 0);
   tor_assert(strlen(cert_buf) > 0);
 
   tor_asprintf(&line,
-               "ntor-onion-key %s",
+               "ntor-onion-key %s\n",
                cert_buf);
   tor_assert(line);