April 2012 - tor-commits - lists.torproject.org

[tor/master] Merge branch 'maint-0.2.2'
by arma＠torproject.org 01 Apr '12

01 Apr '12

commit c7cbd06d5f2727c3742dfd426223f1f1ebe46f94 Merge: 341c6a5 5fed1ccd Author: Roger Dingledine <arma(a)torproject.org> Date: Sun Apr 1 16:03:16 2012 -0400 Merge branch 'maint-0.2.2' Conflicts: src/or/config.c doc/tor.1.txt | 7 +++++-- src/or/config.c | 6 +++--- src/or/directory.c | 5 +++-- src/or/or.h | 4 ++-- 4 files changed, 13 insertions(+), 9 deletions(-) diff --cc src/or/config.c index 2ce930b,fbbd902..24edc4d --- a/src/or/config.c +++ b/src/or/config.c @@@ -808,12 -713,7 +808,12 @@@ or_options_free(or_options_t *options return; routerset_free(options->_ExcludeExitNodesUnion); + if (options->NodeFamilySets) { + SMARTLIST_FOREACH(options->NodeFamilySets, routerset_t *, + rs, routerset_free(rs)); + smartlist_free(options->NodeFamilySets); + } - tor_free(options->BridgePassword_AuthDigest); + tor_free(options->_BridgePassword_AuthDigest); config_free(&options_format, options); }

1 0

[tor/maint-0.2.2] BridgePassword was never for debugging
by arma＠torproject.org 01 Apr '12

01 Apr '12

commit 40ab832c4e61bfddd26915e6208137b43329ae86 Author: Roger Dingledine <arma(a)torproject.org> Date: Sun Apr 1 15:59:00 2012 -0400 BridgePassword was never for debugging It is for the not-yet-implemented bridge community design. --- doc/tor.1.txt | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 160feb0..25a440d 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1297,8 +1297,11 @@ DIRECTORY AUTHORITY SERVER OPTIONS **BridgePassword** __Password__:: If set, contains an HTTP authenticator that tells a bridge authority to - serve all requested bridge information. Used for debugging. (Default: - not set.) + serve all requested bridge information. Used by the (only partially + implemented) "bridge community" design, where a community of bridge + relay operators all use an alternate bridge directory authority, + and their target user audience can periodically fetch the list of + available community bridges to stay up-to-date. (Default: not set.) **V3AuthVotingInterval** __N__ **minutes**|**hours**:: V3 authoritative directories only. Configures the server's preferred voting

1 0

[tor/maint-0.2.2] put a _ before or_options_t elements that aren't configurable
by arma＠torproject.org 01 Apr '12

01 Apr '12

commit 5fed1ccd901d4751a3fed7dc01042771ca76f449 Author: Roger Dingledine <arma(a)torproject.org> Date: Sun Apr 1 15:59:38 2012 -0400 put a _ before or_options_t elements that aren't configurable it's fine with me if we change the current convention, but we should actually decide to change it if we want to. --- src/or/config.c | 6 +++--- src/or/directory.c | 5 +++-- src/or/or.h | 4 ++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/or/config.c b/src/or/config.c index 1e7bd58..fbbd902 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -713,7 +713,7 @@ or_options_free(or_options_t *options) return; routerset_free(options->_ExcludeExitNodesUnion); - tor_free(options->BridgePassword_AuthDigest); + tor_free(options->_BridgePassword_AuthDigest); config_free(&options_format, options); } @@ -1310,8 +1310,8 @@ options_act(or_options_t *old_options) "BridgePassword."); return -1; } - options->BridgePassword_AuthDigest = tor_malloc(DIGEST256_LEN); - crypto_digest256(options->BridgePassword_AuthDigest, + options->_BridgePassword_AuthDigest = tor_malloc(DIGEST256_LEN); + crypto_digest256(options->_BridgePassword_AuthDigest, http_authenticator, strlen(http_authenticator), DIGEST_SHA256); tor_free(http_authenticator); diff --git a/src/or/directory.c b/src/or/directory.c index 9bc58e5..29cf10c 100644 --- a/src/or/directory.c +++ b/src/or/directory.c @@ -3069,7 +3069,7 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers, } if (options->BridgeAuthoritativeDir && - options->BridgePassword_AuthDigest && + options->_BridgePassword_AuthDigest && connection_dir_is_encrypted(conn) && !strcmp(url,"/tor/networkstatus-bridges")) { char *status; @@ -3081,7 +3081,8 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers, /* now make sure the password is there and right */ if (!header || - tor_memneq(digest, options->BridgePassword_AuthDigest, DIGEST256_LEN)) { + tor_memneq(digest, + options->_BridgePassword_AuthDigest, DIGEST256_LEN)) { write_http_status_line(conn, 404, "Not found"); tor_free(header); goto done; diff --git a/src/or/or.h b/src/or/or.h index 92592e5..a4e8e49 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2492,8 +2492,8 @@ typedef struct { * for bridge statuses -- but only if the requests use this password. */ char *BridgePassword; /** If BridgePassword is set, this is a SHA256 digest of the basic http - * authenticator for it. */ - char *BridgePassword_AuthDigest; + * authenticator for it. Used so we can do a time-independent comparison. */ + char *_BridgePassword_AuthDigest; int UseBridges; /**< Boolean: should we start all circuits with a bridge? */ config_line_t *Bridges; /**< List of bootstrap bridge addresses. */

1 0

r25593: {website} let people know we haven't been updating the obfsproxy bundl (website/trunk/projects/en)
by Roger Dingledine 01 Apr '12

01 Apr '12

Author: arma Date: 2012-04-01 18:19:23 +0000 (Sun, 01 Apr 2012) New Revision: 25593 Modified: website/trunk/projects/en/obfsproxy.wml Log: let people know we haven't been updating the obfsproxy bundles Modified: website/trunk/projects/en/obfsproxy.wml =================================================================== --- website/trunk/projects/en/obfsproxy.wml 2012-04-01 17:58:34 UTC (rev 25592) +++ website/trunk/projects/en/obfsproxy.wml 2012-04-01 18:19:23 UTC (rev 25593) @@ -55,13 +55,14 @@ <h2><a class="anchor" href="#download">Download Obfsproxy Tor Browser Bundle</a></h2> <p> - We've made an experimental that currently works in all censored + We've made an experimental package that currently works in all censored countries with no config changes. - <b>Please spread the news of these bundles to the right people, - but please don't make a big media splash out of them — we need - them to remain available and working for people in censored areas.</b> </p> + <p>Note that these bundles <b>are not maintained currently</b> — + for example, they include old insecure versions of Firefox. We're + working on automating the build process. Stay tuned!</p> + <p> <a href="https://www.torproject.org/dist/obfsproxy/tor-obfsproxy-browser-bundle-2.3.…">Windows Obfsproxy Tor Browser Bundle</a> (<a

1 0

r25592: {website} fix the alpha tbb torbutton version tag. (website/trunk/projects/en)
by Andrew Lewman 01 Apr '12

01 Apr '12

Author: phobos Date: 2012-04-01 17:58:34 +0000 (Sun, 01 Apr 2012) New Revision: 25592 Modified: website/trunk/projects/en/torbrowser-details.wml Log: fix the alpha tbb torbutton version tag. Modified: website/trunk/projects/en/torbrowser-details.wml =================================================================== --- website/trunk/projects/en/torbrowser-details.wml 2012-04-01 17:56:09 UTC (rev 25591) +++ website/trunk/projects/en/torbrowser-details.wml 2012-04-01 17:58:34 UTC (rev 25592) @@ -31,7 +31,7 @@ <ul> <li>Vidalia <version-vidalia-alpha></li> <li>Tor <version-alpha></li> - <li>Mozilla Firefox <version-torbrowser-firefox> and Torbutton <version-torbutton-torbutton></li> + <li>Mozilla Firefox <version-torbrowser-firefox> and Torbutton <version-torbrowser-torbutton></li> </ul> <h3 id="build">Building the bundle</h3>

1 0

r25591: {website} add the tbb alpha contents. (website/trunk/projects/en)
by Andrew Lewman 01 Apr '12

01 Apr '12

Author: phobos Date: 2012-04-01 17:56:09 +0000 (Sun, 01 Apr 2012) New Revision: 25591 Modified: website/trunk/projects/en/torbrowser-details.wml Log: add the tbb alpha contents. Modified: website/trunk/projects/en/torbrowser-details.wml =================================================================== --- website/trunk/projects/en/torbrowser-details.wml 2012-04-01 17:39:34 UTC (rev 25590) +++ website/trunk/projects/en/torbrowser-details.wml 2012-04-01 17:56:09 UTC (rev 25591) @@ -17,14 +17,22 @@ <h2>Tor Browser Bundle: Details</h2> <hr> - <h3 id="contents">Bundle contents</h3> + <h3 id="contents">Stable Bundle contents</h3> <ul> <li>Vidalia <version-torbrowser-vidalia></li> - <li>Tor <version-torbrowser-tor> (with <version-torbrowser-tor-components>)</li> - <li>Mozilla Aurora <version-torbrowser-firefox> and Torbutton <version-torbrowser-torbutton>)</li> + <li>Tor <version-torbrowser-tor></li> + <li>Mozilla Aurora <version-torbrowser-firefox> and Torbutton <version-torbrowser-torbutton></li> <li>Pidgin <version-torbrowser-pidgin> and OTR <version-torbrowser-otr> (only in Tor IM Browser Bundle)</li> </ul> + + <h3 id="alphacontents">Alpha Bundle Contents</h3> + + <ul> + <li>Vidalia <version-vidalia-alpha></li> + <li>Tor <version-alpha></li> + <li>Mozilla Firefox <version-torbrowser-firefox> and Torbutton <version-torbutton-torbutton></li> + </ul> <h3 id="build">Building the bundle</h3>

1 0

r25590: {website} update phone number across all pages. (in website/trunk: about/en include press/en)
by Andrew Lewman 01 Apr '12

01 Apr '12

Author: phobos Date: 2012-04-01 17:39:34 +0000 (Sun, 01 Apr 2012) New Revision: 25590 Modified: website/trunk/about/en/contact.wml website/trunk/include/foot.wmi website/trunk/press/en/2008-12-19-roadmap-press-release.wml website/trunk/press/en/2009-03-12-performance-roadmap-press-release.wml website/trunk/press/en/2010-03-25-tor-store-press-release.wml website/trunk/press/en/2010-09-16-ten-things-circumvention-tools.wml website/trunk/press/en/2011-08-28-tor-022-stable.wml Log: update phone number across all pages. Modified: website/trunk/about/en/contact.wml =================================================================== --- website/trunk/about/en/contact.wml 2012-04-01 04:11:15 UTC (rev 25589) +++ website/trunk/about/en/contact.wml 2012-04-01 17:39:34 UTC (rev 25590) @@ -77,7 +77,7 @@ us at <em>torproject(a)jit.si</em> for live help, questions, or feedback. This address does not receive emails, only XMPP and VOIP.</p> - <p>The only time to reach someone is 10:00 - 12:00 GMT-5 + <p>The best time to reach someone is 10:00 - 12:00 GMT-5 on Tuesday and 16:00 - 18:00 GMT-5 on Thursday.</p> <p>Our OTR key is F624A3 158D22 19F48E E28A73 09F527 1AD5DF 668D. Learn more about <a @@ -89,7 +89,7 @@ <p>If none of the above appeal to you, calling +1-781-948-1982 will reach the Tor office. Should there be no answer, please leave a message with a way to reach you.</p> - + </div>  <div id = "sidecol"> Modified: website/trunk/include/foot.wmi =================================================================== --- website/trunk/include/foot.wmi 2012-04-01 04:11:15 UTC (rev 25589) +++ website/trunk/include/foot.wmi 2012-04-01 17:39:34 UTC (rev 25590) @@ -4,12 +4,12 @@ <div id="footer"> <div class="onion"><img src="$(IMGROOT)/onion.jpg" alt="Tor"></div> <div class="about"> - <p>"Tor" and the "Onion Logo" are registered trademarks of - <a href="<page docs/trademark-faq>">The Tor Project, Inc.</a> - Content on this site is licensed under a <a - href="http://creativecommons.org/licenses/by/3.0/us/">Creative - Commons Attribution 3.0 United States License</a>, unless - otherwise noted.</p> + <p>"Tor" and the "Onion Logo" are registered trademarks of + <a href="<page docs/trademark-faq>">The Tor Project, Inc.</a> + Content on this site is licensed under a <a + href="http://creativecommons.org/licenses/by/3.0/us/">Creative + Commons Attribution 3.0 United States License</a>, unless + otherwise noted.</p> <!-- # This will grab the date from svn info/git # REQUIRES svn or git for this to work @@ -48,7 +48,7 @@ <h4>Get Involved</h4> <ul> <li><a href="<page donate/donate>">Donate</a></li> - <li><a href="<page docs/documentation>#MailingLists">Mailing List</a></li> + <li><a href="<page docs/documentation>#MailingLists">Mailing Lists</a></li> <li><a href="<page getinvolved/mirrors>">Mirrors</a></li> <li><a href="<page docs/hidden-services>">Hidden Services</a></li> <li><a href="<page getinvolved/translation>">Translations</a></li> Modified: website/trunk/press/en/2008-12-19-roadmap-press-release.wml =================================================================== --- website/trunk/press/en/2008-12-19-roadmap-press-release.wml 2012-04-01 04:11:15 UTC (rev 25589) +++ website/trunk/press/en/2008-12-19-roadmap-press-release.wml 2012-04-01 17:39:34 UTC (rev 25590) @@ -82,7 +82,7 @@ of The Tor Project, Inc.</p> <p>Contact: Andrew Lewman</p> - <p>Tel: +1-781-352-0568</p> + <p>Tel: +1-781-948-1982</p> <p>Email: execdir(a)torproject.org</p> <p><a href="https://www.torproject.org/">Website: Tor Project</a></p> </div> Modified: website/trunk/press/en/2009-03-12-performance-roadmap-press-release.wml =================================================================== --- website/trunk/press/en/2009-03-12-performance-roadmap-press-release.wml 2012-04-01 04:11:15 UTC (rev 25589) +++ website/trunk/press/en/2009-03-12-performance-roadmap-press-release.wml 2012-04-01 17:39:34 UTC (rev 25590) @@ -65,7 +65,7 @@ of The Tor Project, Inc.</p> <p>Contact: Andrew Lewman</p> - <p>Tel: +1-781-352-0568</p> + <p>Tel: +1-781-948-1982</p> <p>Email: execdir(a)torproject.org</p> <p><a href="https://www.torproject.org/">Website: Tor Project</a></p> </div> Modified: website/trunk/press/en/2010-03-25-tor-store-press-release.wml =================================================================== --- website/trunk/press/en/2010-03-25-tor-store-press-release.wml 2012-04-01 04:11:15 UTC (rev 25589) +++ website/trunk/press/en/2010-03-25-tor-store-press-release.wml 2012-04-01 17:39:34 UTC (rev 25590) @@ -82,7 +82,7 @@ of The Tor Project, Inc.</p> <p>Contact: Andrew Lewman</p> - <p>Tel: +1-781-352-0568</p> + <p>Tel: +1-781-948-1982</p> <p>Email: execdir(a)torproject.org</p> <p><a href="https://www.torproject.org/">Website: Tor Project</a></p> </div> Modified: website/trunk/press/en/2010-09-16-ten-things-circumvention-tools.wml =================================================================== --- website/trunk/press/en/2010-09-16-ten-things-circumvention-tools.wml 2012-04-01 04:11:15 UTC (rev 25589) +++ website/trunk/press/en/2010-09-16-ten-things-circumvention-tools.wml 2012-04-01 17:39:34 UTC (rev 25590) @@ -64,7 +64,7 @@ of The Tor Project, Inc.</p> <p>Contact: Andrew Lewman</p> -<p>Tel: +1-781-352-0568</p> +<p>Tel: +1-781-948-1982</p> <p>Email: execdir(a)torproject.org</p> <p><a href="https://www.torproject.org/">Website: Tor Project</a></p> <div align=center>###</div> Modified: website/trunk/press/en/2011-08-28-tor-022-stable.wml =================================================================== --- website/trunk/press/en/2011-08-28-tor-022-stable.wml 2012-04-01 04:11:15 UTC (rev 25589) +++ website/trunk/press/en/2011-08-28-tor-022-stable.wml 2012-04-01 17:39:34 UTC (rev 25590) @@ -74,7 +74,7 @@ of The Tor Project, Inc.</p> <p>Contact: Andrew Lewman</p> -<p>Tel: +1-781-352-0568</p> +<p>Tel: +1-781-948-1982</p> <p>Email: execdir(a)torproject.org</p> <p><a href="https://www.torproject.org/">Website: Tor Project</a></p> <div align=center>###</div>

1 0

[tor/master] Merge remote-tracking branch 'origin/maint-0.2.2'
by nickm＠torproject.org 01 Apr '12

01 Apr '12

commit 341c6a59db09a43ee2301a6c59158b09ec55134b Merge: 458718d 9a69c24 Author: Nick Mathewson <nickm(a)torproject.org> Date: Sun Apr 1 00:46:52 2012 -0400 Merge remote-tracking branch 'origin/maint-0.2.2' Conflicts: src/or/config.c Conflict was in or_options_free, where two newly added fields had free calls in the same place. changes/bridgepassword | 11 +++++++++++ src/or/config.c | 19 +++++++++++++++++++ src/or/directory.c | 11 ++++++----- src/or/or.h | 7 ++++--- 4 files changed, 40 insertions(+), 8 deletions(-) diff --cc src/or/config.c index 2a8c540,1e7bd58..2ce930b --- a/src/or/config.c +++ b/src/or/config.c @@@ -808,11 -713,7 +808,12 @@@ or_options_free(or_options_t *options return; routerset_free(options->_ExcludeExitNodesUnion); + if (options->NodeFamilySets) { + SMARTLIST_FOREACH(options->NodeFamilySets, routerset_t *, + rs, routerset_free(rs)); + smartlist_free(options->NodeFamilySets); + } + tor_free(options->BridgePassword_AuthDigest); config_free(&options_format, options); }

1 0

[tor/master] Do not use strcmp() to compare an http authenticator to its expected value
by nickm＠torproject.org 01 Apr '12

01 Apr '12

commit 9a69c24150965e54322ed9616638d4f1939b1289 Author: Nick Mathewson <nickm(a)torproject.org> Date: Sat Mar 31 22:51:28 2012 -0400 Do not use strcmp() to compare an http authenticator to its expected value This fixes a side-channel attack on the (fortunately unused!) BridgePassword option for bridge authorities. Fix for bug 5543; bugfix on 0.2.0.14-alpha. --- changes/bridgepassword | 11 +++++++++++ src/or/config.c | 19 +++++++++++++++++++ src/or/directory.c | 11 ++++++----- src/or/or.h | 7 ++++--- 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/changes/bridgepassword b/changes/bridgepassword new file mode 100644 index 0000000..5f0e250 --- /dev/null +++ b/changes/bridgepassword @@ -0,0 +1,11 @@ + o Security fixes: + - When using the debuging BridgePassword field, a bridge authority + now compares alleged passwords by hashing them, then comparing + the result to a digest of the expected authenticator. This avoids + a potential side-channel attack in the previous code, which + had foolishly used strcmp(). Fortunately, the BridgePassword field + *is not in use*, but if it had been, the timing + behavior of strcmp() might have allowed an adversary to guess the + BridgePassword value, and enumerate the bridges. Bugfix on + 0.2.0.14-alpha. Fixes bug 5543. + diff --git a/src/or/config.c b/src/or/config.c index c3e285d..1e7bd58 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -713,6 +713,7 @@ or_options_free(or_options_t *options) return; routerset_free(options->_ExcludeExitNodesUnion); + tor_free(options->BridgePassword_AuthDigest); config_free(&options_format, options); } @@ -1298,6 +1299,24 @@ options_act(or_options_t *old_options) /* Change the cell EWMA settings */ cell_ewma_set_scale_factor(options, networkstatus_get_latest_consensus()); + /* Update the BridgePassword's hashed version as needed. We store this as a + * digest so that we can do side-channel-proof comparisons on it. + */ + if (options->BridgePassword) { + char *http_authenticator; + http_authenticator = alloc_http_authenticator(options->BridgePassword); + if (!http_authenticator) { + log_warn(LD_BUG, "Unable to allocate HTTP authenticator. Not setting " + "BridgePassword."); + return -1; + } + options->BridgePassword_AuthDigest = tor_malloc(DIGEST256_LEN); + crypto_digest256(options->BridgePassword_AuthDigest, + http_authenticator, strlen(http_authenticator), + DIGEST_SHA256); + tor_free(http_authenticator); + } + /* Check for transitions that need action. */ if (old_options) { int revise_trackexithosts = 0; diff --git a/src/or/directory.c b/src/or/directory.c index e3cc70f..9bc58e5 100644 --- a/src/or/directory.c +++ b/src/or/directory.c @@ -3069,22 +3069,23 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers, } if (options->BridgeAuthoritativeDir && - options->BridgePassword && + options->BridgePassword_AuthDigest && connection_dir_is_encrypted(conn) && !strcmp(url,"/tor/networkstatus-bridges")) { char *status; - char *secret = alloc_http_authenticator(options->BridgePassword); + char digest[DIGEST256_LEN]; header = http_get_header(headers, "Authorization: Basic "); + if (header) + crypto_digest256(digest, header, strlen(header), DIGEST_SHA256); /* now make sure the password is there and right */ - if (!header || strcmp(header, secret)) { + if (!header || + tor_memneq(digest, options->BridgePassword_AuthDigest, DIGEST256_LEN)) { write_http_status_line(conn, 404, "Not found"); - tor_free(secret); tor_free(header); goto done; } - tor_free(secret); tor_free(header); /* all happy now. send an answer. */ diff --git a/src/or/or.h b/src/or/or.h index eecd375..92592e5 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2489,10 +2489,11 @@ typedef struct { * that aggregates bridge descriptors? */ /** If set on a bridge authority, it will answer requests on its dirport - * for bridge statuses -- but only if the requests use this password. - * If set on a bridge user, request bridge statuses, and use this password - * when doing so. */ + * for bridge statuses -- but only if the requests use this password. */ char *BridgePassword; + /** If BridgePassword is set, this is a SHA256 digest of the basic http + * authenticator for it. */ + char *BridgePassword_AuthDigest; int UseBridges; /**< Boolean: should we start all circuits with a bridge? */ config_line_t *Bridges; /**< List of bootstrap bridge addresses. */

1 0

[tor/maint-0.2.2] Do not use strcmp() to compare an http authenticator to its expected value
by nickm＠torproject.org 01 Apr '12

01 Apr '12

commit 9a69c24150965e54322ed9616638d4f1939b1289 Author: Nick Mathewson <nickm(a)torproject.org> Date: Sat Mar 31 22:51:28 2012 -0400 Do not use strcmp() to compare an http authenticator to its expected value This fixes a side-channel attack on the (fortunately unused!) BridgePassword option for bridge authorities. Fix for bug 5543; bugfix on 0.2.0.14-alpha. --- changes/bridgepassword | 11 +++++++++++ src/or/config.c | 19 +++++++++++++++++++ src/or/directory.c | 11 ++++++----- src/or/or.h | 7 ++++--- 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/changes/bridgepassword b/changes/bridgepassword new file mode 100644 index 0000000..5f0e250 --- /dev/null +++ b/changes/bridgepassword @@ -0,0 +1,11 @@ + o Security fixes: + - When using the debuging BridgePassword field, a bridge authority + now compares alleged passwords by hashing them, then comparing + the result to a digest of the expected authenticator. This avoids + a potential side-channel attack in the previous code, which + had foolishly used strcmp(). Fortunately, the BridgePassword field + *is not in use*, but if it had been, the timing + behavior of strcmp() might have allowed an adversary to guess the + BridgePassword value, and enumerate the bridges. Bugfix on + 0.2.0.14-alpha. Fixes bug 5543. + diff --git a/src/or/config.c b/src/or/config.c index c3e285d..1e7bd58 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -713,6 +713,7 @@ or_options_free(or_options_t *options) return; routerset_free(options->_ExcludeExitNodesUnion); + tor_free(options->BridgePassword_AuthDigest); config_free(&options_format, options); } @@ -1298,6 +1299,24 @@ options_act(or_options_t *old_options) /* Change the cell EWMA settings */ cell_ewma_set_scale_factor(options, networkstatus_get_latest_consensus()); + /* Update the BridgePassword's hashed version as needed. We store this as a + * digest so that we can do side-channel-proof comparisons on it. + */ + if (options->BridgePassword) { + char *http_authenticator; + http_authenticator = alloc_http_authenticator(options->BridgePassword); + if (!http_authenticator) { + log_warn(LD_BUG, "Unable to allocate HTTP authenticator. Not setting " + "BridgePassword."); + return -1; + } + options->BridgePassword_AuthDigest = tor_malloc(DIGEST256_LEN); + crypto_digest256(options->BridgePassword_AuthDigest, + http_authenticator, strlen(http_authenticator), + DIGEST_SHA256); + tor_free(http_authenticator); + } + /* Check for transitions that need action. */ if (old_options) { int revise_trackexithosts = 0; diff --git a/src/or/directory.c b/src/or/directory.c index e3cc70f..9bc58e5 100644 --- a/src/or/directory.c +++ b/src/or/directory.c @@ -3069,22 +3069,23 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers, } if (options->BridgeAuthoritativeDir && - options->BridgePassword && + options->BridgePassword_AuthDigest && connection_dir_is_encrypted(conn) && !strcmp(url,"/tor/networkstatus-bridges")) { char *status; - char *secret = alloc_http_authenticator(options->BridgePassword); + char digest[DIGEST256_LEN]; header = http_get_header(headers, "Authorization: Basic "); + if (header) + crypto_digest256(digest, header, strlen(header), DIGEST_SHA256); /* now make sure the password is there and right */ - if (!header || strcmp(header, secret)) { + if (!header || + tor_memneq(digest, options->BridgePassword_AuthDigest, DIGEST256_LEN)) { write_http_status_line(conn, 404, "Not found"); - tor_free(secret); tor_free(header); goto done; } - tor_free(secret); tor_free(header); /* all happy now. send an answer. */ diff --git a/src/or/or.h b/src/or/or.h index eecd375..92592e5 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2489,10 +2489,11 @@ typedef struct { * that aggregates bridge descriptors? */ /** If set on a bridge authority, it will answer requests on its dirport - * for bridge statuses -- but only if the requests use this password. - * If set on a bridge user, request bridge statuses, and use this password - * when doing so. */ + * for bridge statuses -- but only if the requests use this password. */ char *BridgePassword; + /** If BridgePassword is set, this is a SHA256 digest of the basic http + * authenticator for it. */ + char *BridgePassword_AuthDigest; int UseBridges; /**< Boolean: should we start all circuits with a bridge? */ config_line_t *Bridges; /**< List of bootstrap bridge addresses. */

1 0