prop224: Check decoded descriptor matches the expected blinded key

When a client decodes a descriptor, make sure it matches the expected blinded
key which is derived from the hidden service identity key.

Signed-off-by: David Goulet <dgoulet@torproject.org>

src/or/hs_client.c

@@ -800,6 +800,7 @@ hs_client_decode_descriptor(const char *desc_str,
 {
   int ret;
   uint8_t subcredential[DIGEST256_LEN];
+  ed25519_public_key_t blinded_pubkey;
 
   tor_assert(desc_str);
   tor_assert(service_identity_pk);
@@ -807,7 +808,6 @@ hs_client_decode_descriptor(const char *desc_str,
 
   /* Create subcredential for this HS so that we can decrypt */
   {
-    ed25519_public_key_t blinded_pubkey;
     uint64_t current_time_period = hs_get_time_period_num(approx_time());
     hs_build_blinded_pubkey(service_identity_pk, NULL, 0, current_time_period,
                             &blinded_pubkey);
@@ -822,6 +822,16 @@ hs_client_decode_descriptor(const char *desc_str,
     goto err;
   }
 
+  /* Make sure the descriptor signing key cross certifies with the computed
+   * blinded key. Without this validation, anyone knowing the subcredential
+   * and onion address can forge a descriptor. */
+  if (tor_cert_checksig((*desc)->plaintext_data.signing_key_cert,
+                        &blinded_pubkey, approx_time()) < 0) {
+    log_warn(LD_GENERAL, "Descriptor signing key certificate signature "
+                         "doesn't validate with computed blinded key.");
+    goto err;
+  }
+
   return 0;
  err:
   return -1;