[tor-commits] [tor/master] HSv3: Add subcredential in client auth KDF on the client-side.

nickm at torproject.org nickm at torproject.org
Fri Sep 7 19:06:19 UTC 2018


commit 6583d1e7091ba368b66c6f3038df223d3b7652cb
Author: George Kadianakis <desnacked at riseup.net>
Date:   Thu Sep 6 16:25:31 2018 +0300

    HSv3: Add subcredential in client auth KDF on the client-side.
---
 src/feature/hs/hs_descriptor.c | 14 ++++++++------
 src/feature/hs/hs_descriptor.h |  3 ++-
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/feature/hs/hs_descriptor.c b/src/feature/hs/hs_descriptor.c
index f34685e23..d0cdffdf1 100644
--- a/src/feature/hs/hs_descriptor.c
+++ b/src/feature/hs/hs_descriptor.c
@@ -1427,13 +1427,15 @@ decrypt_descriptor_cookie(const hs_descriptor_t *desc,
         sizeof(desc->superencrypted_data.auth_ephemeral_pubkey)));
   tor_assert(!tor_mem_is_zero((char *) client_auth_sk,
                               sizeof(*client_auth_sk)));
+  tor_assert(!tor_mem_is_zero((char *) desc->subcredential, DIGEST256_LEN));
 
   /* Calculate x25519(client_x, hs_Y) */
   curve25519_handshake(secret_seed, client_auth_sk,
                        &desc->superencrypted_data.auth_ephemeral_pubkey);
 
-  /* Calculate KEYS = KDF(SECRET_SEED, 40) */
+  /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
   xof = crypto_xof_new();
+  crypto_xof_add_bytes(xof, desc->subcredential, DIGEST256_LEN);
   crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
   crypto_xof_squeeze_bytes(xof, keystream, sizeof(keystream));
   crypto_xof_free(xof);
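Review bot: The new subcredential precondition in decrypt_descriptor_cookie is a `tor_assert`, which aborts the whole client if it ever fires, whereas the matching check this commit adds in hs_desc_decode_descriptor uses `BUG()` and takes the error path. A process abort in a descriptor-handling path is a heavier failure than decryption simply failing, so I would make it recoverable: `if (BUG(tor_mem_is_zero((char *) desc->subcredential, DIGEST256_LEN)))` followed by the function's normal failure return. The function starts and ends outside this hunk, so its return convention cannot be confirmed from here, nor whether `secret_seed` and `keystream` are wiped after use.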
@@ -2539,9 +2541,8 @@ hs_desc_decode_plaintext(const char *encoded,
 }
 
 /* Fully decode an encoded descriptor and set a newly allocated descriptor
- * object in desc_out. Subcredentials are used if not NULL else it's ignored.
- * Client secret key is used to decrypt the "encrypted" section if not NULL
- * else it's ignored.
+ * object in desc_out.  Client secret key is used to decrypt the "encrypted"
+ * section if not NULL else it's ignored.
  *
  * Return 0 on success. A negative value is returned on error and desc_out is
  * set to NULL. */
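Review bot: The rewritten comment on hs_desc_decode_descriptor no longer mentions the subcredential at all, although the same commit makes it mandatory and rejects an all-zero value. I would state the contract for callers explicitly, e.g. `Subcredential must be non-NULL and non-zero (DIGEST256_LEN bytes); it is mixed into the client auth KDF.` The function's signature lies outside this hunk.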
@@ -2558,8 +2559,9 @@ hs_desc_decode_descriptor(const char *encoded,
 
   desc = tor_malloc_zero(sizeof(hs_descriptor_t));
 
-  /* Subcredentials are optional. */
-  if (BUG(!subcredential)) {
+  /* Subcredentials are not optional. */
+  if (BUG(!subcredential ||
+          tor_mem_is_zero((char*)subcredential, DIGEST256_LEN))) {
     log_warn(LD_GENERAL, "Tried to decrypt without subcred. Impossible!");
     goto err;
   }
diff --git a/src/feature/hs/hs_descriptor.h b/src/feature/hs/hs_descriptor.h
index 9d447105f..adfb94dea 100644
--- a/src/feature/hs/hs_descriptor.h
+++ b/src/feature/hs/hs_descriptor.h
@@ -303,7 +303,8 @@ link_specifier_t *hs_desc_lspec_to_trunnel(
                                    const hs_desc_link_specifier_t *spec);
 
 hs_desc_authorized_client_t *hs_desc_build_fake_authorized_client(void);
-void hs_desc_build_authorized_client(const curve25519_public_key_t *
+void hs_desc_build_authorized_client(const uint8_t *subcredential,
+                                     const curve25519_public_key_t *
                                      client_auth_pk,
                                      const curve25519_secret_key_t *
                                      auth_ephemeral_sk,
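Review bot: The prototype of hs_desc_build_authorized_client gains a `subcredential` parameter here, but none of the hs_descriptor.c hunks in this commit touch its definition. Unless the definition was already updated in another commit, declaration and definition disagree at this revision, which would break the build and bisection. The new parameter is also a bare `const uint8_t *` with an implied length, so a one-line comment such as `/* subcredential: DIGEST256_LEN bytes, must be non-zero */` would help callers. The prototype continues past the end of this hunk.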




