[tor-commits] [tor/master] prop224: Check decoded descriptor matches the expected blinded key

[nickm at torproject.org]

commit 47672ec1c7202feb0422317b39f9bcefb231fe5b
Author: David Goulet <dgoulet at torproject.org>
Date:   Tue Aug 22 09:02:23 2017 -0400

    prop224: Check decoded descriptor matches the expected blinded key
    
    When a client decodes a descriptor, make sure it matches the expected blinded
    key which is derived from the hidden service identity key.
    
    Signed-off-by: David Goulet <dgoulet at torproject.org>
---
 src/or/hs_client.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/or/hs_client.c b/src/or/hs_client.c
index 77348f23e..71186b261 100644
--- a/src/or/hs_client.c
+++ b/src/or/hs_client.c
@@ -800,6 +800,7 @@ hs_client_decode_descriptor(const char *desc_str,
 {
   int ret;
   uint8_t subcredential[DIGEST256_LEN];
+  ed25519_public_key_t blinded_pubkey;
 
   tor_assert(desc_str);
   tor_assert(service_identity_pk);
@@ -807,7 +808,6 @@ hs_client_decode_descriptor(const char *desc_str,
 
   /* Create subcredential for this HS so that we can decrypt */
   {
-    ed25519_public_key_t blinded_pubkey;
     uint64_t current_time_period = hs_get_time_period_num(approx_time());
     hs_build_blinded_pubkey(service_identity_pk, NULL, 0, current_time_period,
                             &blinded_pubkey);
@@ -822,6 +822,16 @@ hs_client_decode_descriptor(const char *desc_str,
     goto err;
   }
 
+  /* Make sure the descriptor signing key cross certifies with the computed
+   * blinded key. Without this validation, anyone knowing the subcredential
+   * and onion address can forge a descriptor. */
+  if (tor_cert_checksig((*desc)->plaintext_data.signing_key_cert,
+                        &blinded_pubkey, approx_time()) < 0) {
+    log_warn(LD_GENERAL, "Descriptor signing key certificate signature "
+                         "doesn't validate with computed blinded key.");
+    goto err;
+  }
+
   return 0;
  err:
   return -1;