HSv3: Add subcredential in client auth KDF on the service-side.

Also update some client auth test vectors that broke...

2 files changed, 20 insertions, 6 deletions

diff --git a/src/feature/hs/hs_descriptor.c b/src/feature/hs/hs_descriptor.c
index 9c3d4fc96b..f34685e232 100644
--- a/src/feature/hs/hs_descriptor.c
+++ b/src/feature/hs/hs_descriptor.c
@@ -2851,11 +2851,12 @@ hs_desc_build_fake_authorized_client(void)
   return client_auth;
 }
 
-/* Using the client public key, auth ephemeral secret key, and descriptor
- * cookie, build the auth client so we can then encode the descriptor for
- * publication. client_out must be already allocated. */
+/* Using the service's subcredential, client public key, auth ephemeral secret
+ * key, and descriptor cookie, build the auth client so we can then encode the
+ * descriptor for publication. client_out must be already allocated. */
 void
-hs_desc_build_authorized_client(const curve25519_public_key_t *client_auth_pk,
+hs_desc_build_authorized_client(const uint8_t *subcredential,
+                                const curve25519_public_key_t *client_auth_pk,
                                 const curve25519_secret_key_t *
                                 auth_ephemeral_sk,
                                 const uint8_t *descriptor_cookie,
@@ -2871,20 +2872,24 @@ hs_desc_build_authorized_client(const curve25519_public_key_t *client_auth_pk,
   tor_assert(auth_ephemeral_sk);
   tor_assert(descriptor_cookie);
   tor_assert(client_out);
+  tor_assert(subcredential);
   tor_assert(!tor_mem_is_zero((char *) auth_ephemeral_sk,
                               sizeof(*auth_ephemeral_sk)));
   tor_assert(!tor_mem_is_zero((char *) client_auth_pk,
                               sizeof(*client_auth_pk)));
   tor_assert(!tor_mem_is_zero((char *) descriptor_cookie,
                               HS_DESC_DESCRIPTOR_COOKIE_LEN));
+  tor_assert(!tor_mem_is_zero((char *) subcredential,
+                              DIGEST256_LEN));
 
   /* Calculate x25519(hs_y, client_X) */
   curve25519_handshake(secret_seed,
                        auth_ephemeral_sk,
                        client_auth_pk);
 
-  /* Calculate KEYS = KDF(SECRET_SEED, 40) */
+  /* Calculate KEYS = KDF(subcredential | SECRET_SEED, 40) */
   xof = crypto_xof_new();
+  crypto_xof_add_bytes(xof, subcredential, DIGEST256_LEN);
   crypto_xof_add_bytes(xof, secret_seed, sizeof(secret_seed));
   crypto_xof_squeeze_bytes(xof, keystream, sizeof(keystream));
   crypto_xof_free(xof);
diff --git a/src/feature/hs/hs_service.c b/src/feature/hs/hs_service.c
index 79ef0a35e9..43e5626a57 100644
--- a/src/feature/hs/hs_service.c
+++ b/src/feature/hs/hs_service.c
@@ -1744,10 +1744,18 @@ build_service_desc_superencrypted(const hs_service_t *service,
 
   /* The ephemeral key pair is already generated, so this should not give
    * an error. */
+  if (BUG(!curve25519_public_key_is_ok(&desc->auth_ephemeral_kp.pubkey))) {
+    return -1;
+  }
   memcpy(&superencrypted->auth_ephemeral_pubkey,
          &desc->auth_ephemeral_kp.pubkey,
          sizeof(curve25519_public_key_t));
 
+  /* Test that subcred is not zero because we might use it below */
+  if (BUG(tor_mem_is_zero((char*)desc->desc->subcredential, DIGEST256_LEN))) {
+    return -1;
+  }
+
   /* Create a smartlist to store clients */
   superencrypted->clients = smartlist_new();
 
@@ -1761,7 +1769,8 @@ build_service_desc_superencrypted(const hs_service_t *service,
 
       /* Prepare the client for descriptor and then add to the list in the
        * superencrypted part of the descriptor */
-      hs_desc_build_authorized_client(&client->client_pk,
+      hs_desc_build_authorized_client(desc->desc->subcredential,
+                                      &client->client_pk,
                                       &desc->auth_ephemeral_kp.seckey,
                                       desc->descriptor_cookie, desc_client);
       smartlist_add(superencrypted->clients, desc_client);