commit 47672ec1c7202feb0422317b39f9bcefb231fe5b Author: David Goulet dgoulet@torproject.org Date: Tue Aug 22 09:02:23 2017 -0400

prop224: Check decoded descriptor matches the expected blinded key

When a client decodes a descriptor, make sure it matches the expected blinded key which is derived from the hidden service identity key.

Signed-off-by: David Goulet dgoulet@torproject.org --- src/or/hs_client.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/or/hs_client.c b/src/or/hs_client.c index 77348f23e..71186b261 100644 --- a/src/or/hs_client.c +++ b/src/or/hs_client.c @@ -800,6 +800,7 @@ hs_client_decode_descriptor(const char *desc_str, { int ret; uint8_t subcredential[DIGEST256_LEN]; + ed25519_public_key_t blinded_pubkey;

tor_assert(desc_str); tor_assert(service_identity_pk); @@ -807,7 +808,6 @@ hs_client_decode_descriptor(const char *desc_str,

/* Create subcredential for this HS so that we can decrypt */ { - ed25519_public_key_t blinded_pubkey; uint64_t current_time_period = hs_get_time_period_num(approx_time()); hs_build_blinded_pubkey(service_identity_pk, NULL, 0, current_time_period, &blinded_pubkey); @@ -822,6 +822,16 @@ hs_client_decode_descriptor(const char *desc_str, goto err; }

+ /* Make sure the descriptor signing key cross certifies with the computed + * blinded key. Without this validation, anyone knowing the subcredential + * and onion address can forge a descriptor. */ + if (tor_cert_checksig((*desc)->plaintext_data.signing_key_cert, + &blinded_pubkey, approx_time()) < 0) { + log_warn(LD_GENERAL, "Descriptor signing key certificate signature " + "doesn't validate with computed blinded key."); + goto err; + } + return 0; err: return -1;