crypto: Fix hs_ntor MAC zero validation

A likely copy-pasta made its way through review which made the `rend_cell_auth`
never checked for all-zero.

This is not that problematic has the chances for SHA3 to generate a zeroed
buffer is close to impossible but defense in depth always.

Related to #41228

Signed-off-by: David Goulet <dgoulet@torproject.org>

diff --git a/src/core/crypto/hs_ntor.c b/src/core/crypto/hs_ntor.c
index 67da65d8bc3af9487ab16f6a3424142fa5aedfb9..f6cee3494b059d27bab5a04ee2e8f3b97daf2f53 100644 (file)
--- a/src/core/crypto/hs_ntor.c
+++ b/src/core/crypto/hs_ntor.c
@@ -129,7 +129,7 @@ get_rendezvous1_key_material(const uint8_t *rend_secret_hs_input,
   crypto_mac_sha3_256(rend_cell_auth, sizeof(rend_cell_auth),
                       rend_auth_input, sizeof(rend_auth_input),
                       (const uint8_t *)T_HSMAC, strlen(T_HSMAC));
-  bad |= safe_mem_is_zero(ntor_verify, DIGEST256_LEN);
+  bad |= safe_mem_is_zero(rend_cell_auth, DIGEST256_LEN);
 
   { /* Get the computed RENDEZVOUS1 material! */
     memcpy(&hs_ntor_rend_cell_keys_out->rend_cell_auth_mac,