[tor-bugs] #26037 [Core Tor/Tor]: DirAuths should check vote signatures before parsing
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 7 18:21:04 UTC 2018
#26037: DirAuths should check vote signatures before parsing
------------------------------+--------------------------------------
Reporter: isis | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: tor-security, tor-crypto
Actual Points: | Parent ID:
Points: 2 | Reviewer:
Sponsor: |
------------------------------+--------------------------------------
teor pointed out that vote parsing occurs before checking the vote's
signature (both verifying the signature and ensuring that it comes from a
known valid directory authority). dgoulet confirmed this is the case:

> See dirvote.c, function dirvote_add_vote(). You will notice that the
> very first thing is parsing the whole thing with
> networkstatus_parse_vote_from_string(). Now, as far as I can tell, the
> voter signature check happens in that function. However, by the time we
> check it out, we've tokenized the votes and parsed _many_ parts of the
> vote already. (If you look for check_signature_token() in that function).
>
> And then once we are done parsing, we do have a valid signature for the
> vote which then makes us check if we know the authority with
> trusteddirserver_get_by_v3_auth_digest().

The issue of anyone being able to trigger a hypothetical vulnerability in
one of the parsing functions aside, it's also just simply not efficient to
do all the parsing work and then chuck the results at the end of
`networkstatus_parse_vote_from_string()` if the signature wasn't from a
valid sig from a known authority.

This issue has apparently been present since f4ce7f9c9b4 in
tor-0.2.0.3-alpha.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26037>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
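
The ordering this ticket asks for (known authority first, then signature, then parse), as an added sketch that is not code from the ticket or from tor. Assumptions: a simplified one-line `directory-signature <identity> <hex-sig>` trailer rather than Tor's real vote format, textbook RSA over a constructed demo key as a stand-in for the real signature scheme, and hypothetical names (`add_vote`, `parse_vote`, `TRUSTED`, `PARSE_LOG`).

```python
import hashlib

# Constructed demo key, not a real authority key: textbook RSA over two Mersenne primes.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
AUTH_ID = hashlib.sha1(str(N).encode()).hexdigest()  # hypothetical identity digest
TRUSTED = {AUTH_ID: (N, E)}    # known authorities: identity digest -> public key
MARKER = b"\ndirectory-signature "
PARSE_LOG = []                 # one entry each time input reaches the parser

def digest_int(signed: bytes) -> int:
    return int.from_bytes(hashlib.sha256(signed).digest(), "big")

def sign_vote(body: bytes, identity: str = AUTH_ID, d: int = D, n: int = N) -> bytes:
    """Build a constructed sample vote: body, marker, identity, hex signature."""
    signed = body + MARKER
    return signed + b"%s %x\n" % (identity.encode(), pow(digest_int(signed), d, n))

def parse_vote(signed: bytes) -> dict:
    """Stand-in for the expensive full parse (tokenizing every keyword line)."""
    PARSE_LOG.append(len(signed))
    return dict(l.split(" ", 1) for l in signed.decode().splitlines() if " " in l)

def add_vote(raw: bytes, trusted=TRUSTED, max_len=1 << 20):
    """Return (vote, None) or (None, reason); the parser runs only after both checks."""
    if len(raw) > max_len:
        return None, "too large"
    cut = raw.rfind(MARKER)                  # cheap byte scan, no tokenizing
    if cut < 0:
        return None, "no signature"
    signed, trailer = raw[:cut + len(MARKER)], raw[cut + len(MARKER):]
    fields = trailer.strip().split(b" ")
    if len(fields) != 2:
        return None, "malformed signature line"
    key = trusted.get(fields[0].decode("ascii", "replace"))
    if key is None:
        return None, "unknown authority"     # rejected before any crypto or parsing
    try:
        sig = int(fields[1], 16)
    except ValueError:
        return None, "malformed signature line"
    n, e = key
    if not 0 < sig < n or pow(sig, e, n) != digest_int(signed):
        return None, "bad signature"
    return parse_vote(signed), None          # only authenticated bytes are parsed
```

Everything before the final line touches the input only with a bounded byte search and fixed-size comparisons, so an unauthenticated sender never reaches the parser.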