commit 28816242f9eaa5509dc400a48ade1e7c4a591717
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Wed May 3 11:24:22 2017 -0400
Fix a security problem in prop140 related to signature encoding
The problem was that clients would, when contacting caches, identify
consensuses by the sha3 digest of the entire consensus, including
signatures. But there are multiple valid encodings for a set of
signatures, meaning that a malicious cache could serve each client a
different encoding, and recognize the clients using the sha3 digests
in their requests.
The first part of the solution is to fetch consensuses diffs based
only on the consensus's digest-as-signed: the digest of the
consensus with no signatures on it.
The second part of the solution is to generate diffs using the
<n>,$d format to first remove all trailing signatures, so that the
diffs will apply to any valid consensus, no matter how the
signatures are encoded.
---
proposals/140-consensus-diffs.txt | 39 ++++++++++++++++++++++++++++++---------
1 file changed, 30 insertions(+), 9 deletions(-)
diff --git a/proposals/140-consensus-diffs.txt b/proposals/140-consensus-diffs.txt
index 8a420df..233a6fe 100644
--- a/proposals/140-consensus-diffs.txt
+++ b/proposals/140-consensus-diffs.txt
@@ -16,6 +16,11 @@ Status: Accepted
diffs, add parameters, restore diff-only URLs, say what "Digest"
means. -nickm
+ 3-May-2017: Add a notion of "digest-as-signed" vs "full digest", since
+ otherwise the fact that there are multiple encodings of the same valid
+ consensus signatures would make clients identify which encodings they
+ had been given as they asked for diffs.
+
1. Overview.
Tor clients and servers need a list of which relays are on the
@@ -47,8 +52,17 @@ Status: Accepted
3.0. Preliminaries.
- Unless otherwise specified, all hashes in this document are SHA3-256
- hashes, encoded in base64.
+ Unless otherwise specified, all digests in this document are SHA3-256
+ digests, encoded in base64. This document also uses "hash" as
+ synonymous with "digest".
+
+ A "full digest" of a consensus document covers the entire document,
+ from the "network-status-version" through the newline after the final
+ "-----END SIGNATURE-----".
+
+ A "digest as signed" of a consensus document covers the same part that
+ the signatures cover: the "network-status-version" through the newline
+ immediately before the first "directory-signature" line.
3.1 Clients
@@ -92,7 +106,7 @@ Status: Accepted
HTTP/1.0 GET /tor/status-vote/current/consensus{-Flavor}/<FPRLIST>.z
X-Or-Diff-From-Consensus: HASH1 HASH2...
- where the hashes are the full digests of the consensuses the client
+ where the hashes are the digests-as-signed of the consensuses the client
currently has, and FPRLIST is a list of (abbreviated) fingerprints of
authorities the client trusts.
@@ -121,8 +135,8 @@ Status: Accepted
I currently lean towards the empty diff.]
- Additionally, specific diff for a given consensus hash should be available
- a URL of the form:
+ Additionally, specific diff for a given consensus digest-as-signed
+ should be available a URL of the form:
/tor/status-vote/current/consensus{-Flavor}/diff/<HASH>/<FPRLIST>.z
@@ -139,10 +153,10 @@ Status: Accepted
to be a full consensus download and would therefore currently start
with "network-status-version 3".
- Following the network-status-diff line is another header line, starting with
- the token "hash" followed by the full digest of the consensus that this diff
- applies to and the full digest that the resulting consensus
- should have.
+ Following the network-status-diff line is another header line,
+ starting with the token "hash" followed by the digest-as-signed of the
+ consensus that this diff applies to, and the full digest that the
+ resulting consensus should have.
Following the network-status-diff header lines is a diff, or patch, in
limited ed format. We choose this format because it is easy to create
@@ -158,6 +172,7 @@ Status: Accepted
We support the following ed commands, each on a line by itself:
- "<n1>d" Delete line n1
- "<n1>,<n2>d" Delete lines n1 through n2, inclusive
+ - "<n1>,$d" Delete line n1 through the end of the file, inclusive.
- "<n1>c" Replace line n1 with the following block
- "<n1>,<n2>c" Replace lines n1 through n2, inclusive, with the
following block.
@@ -172,6 +187,12 @@ Status: Accepted
lines are only ever referred to by their position in the original
file.
+ If there are any directory signatures on the original document, the
+ first command MUST be a "<n1>,$d" form to remove all of the directory
+ signatures. Using this format ensures that the client will
+ successfully apply the diff even if they have an unusual encoding for
+ the signatures.
+
The "current line" is either the first line of the file, if this is
the first command, the last line of a block we added in an append or
change command, or the line immediate following a set of lines we just