[tor-commits] [tor/master] HSv3: Add subcredential in client auth KDF on the service-side.

nickm at torproject.org nickm at torproject.org
Fri Sep 7 19:06:19 UTC 2018 

commit 1e9428dc618250ba7a64f5e2e0451a9da9c75853
Author: George Kadianakis <desnacked at riseup.net>
Date:   Thu Sep 6 16:07:27 2018 +0300

    HSv3: Add subcredential in client auth KDF on the service-side.
    
    Also update some client auth test vectors that broke...
---
 src/feature/hs/hs_descriptor.c | 15 ++++++++++-----
 src/feature/hs/hs_service.c    | 11 ++++++++++-
 src/test/test_hs_descriptor.c  | 18 ++++++++++++------
 3 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/src/feature/hs/hs_descriptor.c b/src/feature/hs/hs_descriptor.c
index 9c3d4fc96..f34685e23 100644
--- a/src/feature/hs/hs_descriptor.c
+++ b/src/feature/hs/hs_descriptor.c
@@ -2851,11 +2851,12 @@ hs_desc_build_fake_authorized_client(void)
   return client_auth;
 }
 
-/* Using the client public key, auth ephemeral secret key, and descriptor
- * cookie, build the auth client so we can then encode the descriptor for
- * publication. client_out must be already allocated. */
+/* Using the service's subcredential, client public key, auth ephemeral secret
+ * key, and descriptor cookie, build the auth client so we can then encode the
+ * descriptor for publication. client_out must be already allocated. */
 void
-hs_desc_build_authorized_client(const curve25519_public_key_t *client_auth_pk,
+hs_desc_build_authorized_client(const uint8_t *subcredential,
+                                const curve25519_public_key_t *client_auth_pk,
                                 const curve25519_secret_key_t *
                                 auth_ephemeral_sk,
                                 const uint8_t *descriptor_cookie,
@@ -2871,20 +2872,24 @@ hs_desc_build_authorized_client(const curve25519_public_key_t *client_auth_pk,
   tor_assert(auth_ephemeral_sk);
   tor_assert(descriptor_cookie);
   tor_assert(client_out);
+  tor_assert(subcredential);
   tor_assert(!tor_mem_is_zero((char *) auth_ephemeral_sk,
                               sizeof(*auth_ephemeral_sk)));
   tor_assert(!tor_mem_is_zero((char *) client_auth_pk,
                               sizeof(*client_auth_pk)));
   tor_assert(!tor_mem_is_zero((char *) descriptor_cookie,
                               HS_DESC_DESCRIPTOR_COOKIE_LEN));
+  tor_assert(!tor_mem_is_zero((char *) subcredential,
+                              DIGEST256_LEN));
 
   /* Calculate x25519(hs_y, client_X) */
   curve25519_handshake(secret_seed,
                        auth_ephemeral_sk,
                        client_auth_pk);
 
-  /* Calculate KEYS = KDF(SECRET_SEED, 40) */
+  /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
   xof = crypto_xof_new();
+  crypto_xof_add_bytes(xof, subcredential, DIGEST256_LEN);
   crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
   crypto_xof_squeeze_bytes(xof, keystream, sizeof(keystream));
   crypto_xof_free(xof);
diff --git a/src/feature/hs/hs_service.c b/src/feature/hs/hs_service.c
index 79ef0a35e..43e5626a5 100644
--- a/src/feature/hs/hs_service.c
+++ b/src/feature/hs/hs_service.c
@@ -1744,10 +1744,18 @@ build_service_desc_superencrypted(const hs_service_t *service,
 
   /* The ephemeral key pair is already generated, so this should not give
    * an error. */
+  if (BUG(!curve25519_public_key_is_ok(&desc->auth_ephemeral_kp.pubkey))) {
+    return -1;
+  }
   memcpy(&superencrypted->auth_ephemeral_pubkey,
          &desc->auth_ephemeral_kp.pubkey,
          sizeof(curve25519_public_key_t));
 
+  /* Test that subcred is not zero because we might use it below */
+  if (BUG(tor_mem_is_zero((char*)desc->desc->subcredential, DIGEST256_LEN))) {
+    return -1;
+  }
+
   /* Create a smartlist to store clients */
   superencrypted->clients = smartlist_new();
 
@@ -1761,7 +1769,8 @@ build_service_desc_superencrypted(const hs_service_t *service,
 
       /* Prepare the client for descriptor and then add to the list in the
        * superencrypted part of the descriptor */
-      hs_desc_build_authorized_client(&client->client_pk,
+      hs_desc_build_authorized_client(desc->desc->subcredential,
+                                      &client->client_pk,
                                       &desc->auth_ephemeral_kp.seckey,
                                       desc->descriptor_cookie, desc_client);
       smartlist_add(superencrypted->clients, desc_client);
diff --git a/src/test/test_hs_descriptor.c b/src/test/test_hs_descriptor.c
index be7932cd2..4889281cb 100644
--- a/src/test/test_hs_descriptor.c
+++ b/src/test/test_hs_descriptor.c
@@ -400,12 +400,16 @@ test_decode_descriptor(void *arg)
     memcpy(&desc->superencrypted_data.auth_ephemeral_pubkey,
            &auth_ephemeral_kp.pubkey, CURVE25519_PUBKEY_LEN);
 
+    hs_helper_get_subcred_from_identity_keypair(&signing_kp,
+                                                subcredential);
+
     /* Build and add the auth client to the descriptor. */
     clients = desc->superencrypted_data.clients;
     if (!clients) {
       clients = smartlist_new();
     }
-    hs_desc_build_authorized_client(&client_kp.pubkey,
+    hs_desc_build_authorized_client(subcredential,
+                                    &client_kp.pubkey,
                                     &auth_ephemeral_kp.seckey,
                                     descriptor_cookie, client);
     smartlist_add(clients, client);
@@ -418,8 +422,6 @@ test_decode_descriptor(void *arg)
     desc->superencrypted_data.clients = clients;
 
     /* Test the encoding/decoding in the following lines. */
-    hs_helper_get_subcred_from_identity_keypair(&signing_kp,
-                                                subcredential);
     tor_free(encoded);
     ret = hs_desc_encode_descriptor(desc, &signing_kp,
                                     descriptor_cookie, &encoded);
@@ -874,6 +876,7 @@ test_build_authorized_client(void *arg)
     "07d087f1d8c68393721f6e70316d3b29";
   const char client_pubkey_b16[] =
     "8c1298fa6050e372f8598f6deca32e27b0ad457741422c2629ebb132cf7fae37";
+  uint8_t subcredential[DIGEST256_LEN];
   char *mem_op_hex_tmp=NULL;
 
   (void) arg;
@@ -885,6 +888,8 @@ test_build_authorized_client(void *arg)
   tt_int_op(ret, OP_EQ, 0);
   curve25519_public_key_generate(&client_auth_pk, &client_auth_sk);
 
+  memset(subcredential, 42, sizeof(subcredential));
+
   desc_client = tor_malloc_zero(sizeof(hs_desc_authorized_client_t));
 
   base16_decode((char *) &auth_ephemeral_sk,
@@ -904,15 +909,16 @@ test_build_authorized_client(void *arg)
 
   MOCK(crypto_strongest_rand, mock_crypto_strongest_rand);
 
-  hs_desc_build_authorized_client(&client_auth_pk, &auth_ephemeral_sk,
+  hs_desc_build_authorized_client(subcredential,
+                                  &client_auth_pk, &auth_ephemeral_sk,
                                   descriptor_cookie, desc_client);
 
   test_memeq_hex((char *) desc_client->client_id,
-                 "b514ef67192cad5f");
+                 "EC19B7FF4D2DDA13");
   test_memeq_hex((char *) desc_client->iv,
                 "01010101010101010101010101010101");
   test_memeq_hex((char *) desc_client->encrypted_cookie,
-                "46860a9df37b9f6d708E0D7E730C10C1");
+                "B21222BE13F385F355BD07B2381F9F29");
 
  done:
   tor_free(desc_client);

More information about the tor-commits mailing list