[tor-bugs] #19317 [Metrics/CollecTor]: Sanitize TCP ports in bridge descriptors

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 9 00:21:15 UTC 2016


#19317: Sanitize TCP ports in bridge descriptors
-------------------------------+---------------------
 Reporter:  karsten            |          Owner:
     Type:  enhancement        |         Status:  new
 Priority:  Medium             |      Milestone:
Component:  Metrics/CollecTor  |        Version:
 Severity:  Normal             |     Resolution:
 Keywords:                     |  Actual Points:
Parent ID:                     |         Points:
 Reviewer:                     |        Sponsor:
-------------------------------+---------------------

Comment (by teor):

 Replying to [comment:2 karsten]:
 > Huh, good point, didn't think of that.  How about we make the following
 > two changes, one related to your suggestion and one unrelated?
 >
 >  - Take out the `% 65535 + 1` part to make this calculation a little
 >    less complicated, at the risk of accidentally changing 1 in 2^16 ports to
 >    0.

 I think that a 0 port has a special meaning (not configured) and we need
 to preserve that.
 I'm comfortable with the extra complexity. But I'm not the one who has to
 code or maintain it, so it's up to you.

 >  - Add clarifying sentence: "All calculations assume that inputs and
 >    outputs are in network byte order."  Does that make sense, or is there a
 >    better sentence to add here?  (We'll want to add a similar sentence to the
 >    IP address sanitizing part.)

 Hmm, network byte order is only meaningful for integers, and it's
 important only when they are hashed, or otherwise interpreted as an array
 of bytes. So it only affects the port (16 bit integer) and IPv4 address
 (32 bit integer).

 All the other hash inputs and outputs have a defined order already - the
 order in memory.

 So I'm not sure if this sentence would add more confusion - maybe it's
 just worth clarifying the integer inputs?

 > New paragraph would be:
 >
 >  - Each non-zero TCP port is replaced with `H(port | bridge identity |
 >    secret)[:2]` written as decimal number.  The input `port` is the 2-byte
 >    long binary representation of the TCP port.  The `bridge identity` is the
 >    20-byte long binary representation of the bridge's long-term identity
 >    fingerprint.  The `secret` is a 33-byte long secure random string that
 >    changes once per month for all descriptors and statuses published in that
 >    month.  `H()` is SHA-256.  The `[:2]` operator means that we pick the 2
 >    most significant bytes of the result.  All operations assume network byte
 >    order for their inputs and outputs.  TCP ports that are 0 in the original
 >    descriptor are left unchanged.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19317#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
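
The port sanitizing step discussed in this comment, as an added example that is not CollecTor's code and not part of the original message. The function names, the `avoid_zero` switch, the sample identity and secret, and the choice to apply `% 65535 + 1` to the two-byte hash value are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed sample inputs (not real bridge data or a real secret).
IDENTITY = hashlib.sha1(b"constructed example bridge").digest()  # 20 bytes
SECRET = bytes(range(33))                                        # 33 bytes


def sanitize_port(port, identity, secret, avoid_zero=True):
    """Return the sanitized TCP port as an int (printed as decimal).

    avoid_zero is a hypothetical switch: True applies `% 65535 + 1` to the
    two-byte value (assumed placement), False uses the bytes as they are.
    """
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    if len(identity) != 20 or len(secret) != 33:
        raise ValueError("expected 20-byte identity and 33-byte secret")
    if port == 0:
        return 0  # 0 means "not configured" and is left unchanged
    # The port is the only integer input, so it is the only place where
    # byte order matters: "!H" packs it as 2 bytes in network byte order.
    digest = hashlib.sha256(struct.pack("!H", port) + identity + secret).digest()
    # [:2] takes the 2 most significant bytes, read back in network byte order.
    value = struct.unpack("!H", digest[:2])[0]
    return value % 65535 + 1 if avoid_zero else value


def nonzero_ports_mapped_to_zero(identity, secret):
    """Ports 1..65535 that the variant without `% 65535 + 1` turns into 0."""
    return [p for p in range(1, 65536)
            if sanitize_port(p, identity, secret, avoid_zero=False) == 0]


if __name__ == "__main__":
    for p in (0, 443, 9001):
        print(p, "->", sanitize_port(p, IDENTITY, SECRET))
    lost = nonzero_ports_mapped_to_zero(IDENTITY, SECRET)
    print("non-zero ports sanitized to 0 without the modulo step:", lost)
```

With `avoid_zero=True` every non-zero input stays non-zero, so a sanitized 0 can only come from a port that was 0 in the original descriptor.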

