    hs-v3: Don't allow registration of an all-zeroes client auth key. · 37bcc9f3
    George Kadianakis authored and Nick Mathewson committed
    The client auth protocol allows attacker-controlled x25519 private keys to be
    passed around, which allows an attacker to potentially trigger the all-zeroes
    assert for client_auth_sk in hs_descriptor.c:decrypt_descriptor_cookie().
    
    We fixed that by making sure that an all-zeroes client auth key will not be
    used.
    
    There are no guidelines for validating x25519 private keys, and the assert was
    there as a sanity check for code flow issues (we don't want to enter that
    function with an uninitialized key if client auth is being used). To avoid such
    crashes in the future, we also changed the assert to a BUG-and-err.
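
The pattern the commit message describes, as an added example that is not Tor's code or part of this commit: the all-zeroes key is rejected where it is registered, and the later sanity check returns an error instead of aborting. The names `client_auth_slot_t`, `register_client_auth_key` and `check_client_auth_key` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define X25519_KEY_LEN 32

/* Hypothetical client-auth slot for this example; not Tor's data structure. */
typedef struct {
  uint8_t sk[X25519_KEY_LEN];
  int in_use;
} client_auth_slot_t;

/* Return 1 if every byte is zero. All bytes are OR-ed together, so the
 * running time does not depend on where the first non-zero byte sits. */
static int
key_is_all_zeroes(const uint8_t *key, size_t len)
{
  uint8_t acc = 0;
  for (size_t i = 0; i < len; i++)
    acc |= key[i];
  return acc == 0;
}

/* Registration path: refuse an all-zeroes key before it is stored.
 * Returns 0 on success, -1 if the key is rejected. */
int
register_client_auth_key(client_auth_slot_t *slot, const uint8_t *sk)
{
  if (!slot || !sk || key_is_all_zeroes(sk, X25519_KEY_LEN))
    return -1;
  memcpy(slot->sk, sk, X25519_KEY_LEN);
  slot->in_use = 1;
  return 0;
}

/* Use path: a fatal assert on this condition would let externally supplied
 * key material crash the process; here it is a recoverable error (-1). */
int
check_client_auth_key(const client_auth_slot_t *slot)
{
  if (!slot || !slot->in_use)
    return -1;
  if (key_is_all_zeroes(slot->sk, X25519_KEY_LEN))
    return -1;
  return 0;
}
```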