commit 6583d1e7091ba368b66c6f3038df223d3b7652cb Author: George Kadianakis desnacked@riseup.net Date: Thu Sep 6 16:25:31 2018 +0300
HSv3: Add subcredential in client auth KDF on the client-side. --- src/feature/hs/hs_descriptor.c | 14 ++++++++------ src/feature/hs/hs_descriptor.h | 3 ++- 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/feature/hs/hs_descriptor.c b/src/feature/hs/hs_descriptor.c index f34685e23..d0cdffdf1 100644 --- a/src/feature/hs/hs_descriptor.c +++ b/src/feature/hs/hs_descriptor.c @@ -1427,13 +1427,15 @@ decrypt_descriptor_cookie(const hs_descriptor_t *desc, sizeof(desc->superencrypted_data.auth_ephemeral_pubkey))); tor_assert(!tor_mem_is_zero((char *) client_auth_sk, sizeof(*client_auth_sk))); + tor_assert(!tor_mem_is_zero((char *) desc->subcredential, DIGEST256_LEN));
/* Calculate x25519(client_x, hs_Y) */ curve25519_handshake(secret_seed, client_auth_sk, &desc->superencrypted_data.auth_ephemeral_pubkey);
- /* Calculate KEYS = KDF(SECRET_SEED, 40) */ + /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */ xof = crypto_xof_new(); + crypto_xof_add_bytes(xof, desc->subcredential, DIGEST256_LEN); crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed)); crypto_xof_squeeze_bytes(xof, keystream, sizeof(keystream)); crypto_xof_free(xof); @@ -2539,9 +2541,8 @@ hs_desc_decode_plaintext(const char *encoded, }
/* Fully decode an encoded descriptor and set a newly allocated descriptor - * object in desc_out. Subcredentials are used if not NULL else it's ignored. - * Client secret key is used to decrypt the "encrypted" section if not NULL - * else it's ignored. + * object in desc_out. Client secret key is used to decrypt the "encrypted" + * section if not NULL else it's ignored. * * Return 0 on success. A negative value is returned on error and desc_out is * set to NULL. */ @@ -2558,8 +2559,9 @@ hs_desc_decode_descriptor(const char *encoded,
desc = tor_malloc_zero(sizeof(hs_descriptor_t));
- /* Subcredentials are optional. */ - if (BUG(!subcredential)) { + /* Subcredentials are not optional. */ + if (BUG(!subcredential || + tor_mem_is_zero((char*)subcredential, DIGEST256_LEN))) { log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!"); goto err; } diff --git a/src/feature/hs/hs_descriptor.h b/src/feature/hs/hs_descriptor.h index 9d447105f..adfb94dea 100644 --- a/src/feature/hs/hs_descriptor.h +++ b/src/feature/hs/hs_descriptor.h @@ -303,7 +303,8 @@ link_specifier_t *hs_desc_lspec_to_trunnel( const hs_desc_link_specifier_t *spec);
hs_desc_authorized_client_t *hs_desc_build_fake_authorized_client(void); -void hs_desc_build_authorized_client(const curve25519_public_key_t * +void hs_desc_build_authorized_client(const uint8_t *subcredential, + const curve25519_public_key_t * client_auth_pk, const curve25519_secret_key_t * auth_ephemeral_sk,