[tor-bugs] #30428 [Core Tor/Tor]: sendme: Failure to validate authenticated SENDMEs client side

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue May 7 12:00:51 UTC 2019


#30428: sendme: Failure to validate authenticated SENDMEs client side
------------------------------+---------------------------------
     Reporter:  dgoulet       |      Owner:  dgoulet
         Type:  defect        |     Status:  assigned
     Priority:  Very High     |  Milestone:  Tor: 0.4.1.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  tor-circuit, sendme
Actual Points:                |  Parent ID:  #26288
       Points:  1             |   Reviewer:
      Sponsor:  SponsorV      |
------------------------------+---------------------------------
 Turns out that we have two issues with `sendme_is_valid()` (new
 authenticated SENDMEs).

 1. We cannot fall back onto version 0 if the version of the cell is
 unrecognized. Right now, if, let's say, we have a minimum version (from
 consensus) of 1 and then we support version 3 but we get version 4, then
 ultimately we will end up defaulting to version 0. Not good.

  There needs to be a strong check on what we can minimally support (from
 consensus) and the upper bound of what we support. Anything outside of
 that range, the circuit has to be closed.

 2. This one is a bit worse. Basically, `sendme_process_circuit_level()`
 needs to validate the SENDME for both client and service. SENDMEs
 authenticate both ways and thus cannot be only on the service side like it
 is right now.

  In other words, we need to call `sendme_is_valid()` in both cases, that
 is, whether we are an origin circuit or not.

 Now that we have the unit test predictable fast prng feature, we should
 really add a test that makes sure this entire logic works by sending 100
 cells and expecting a SENDME validation.

 Thanks to armadev's review for spotting those big issues!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30428>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
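
The two checks the ticket asks for, as an added example that is not part of the original message and is not Tor's code. All names, the 20-byte digest size, and the treatment of versions >= 1 as the authenticated ones are assumptions made for this sketch; the sample digests are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DIGEST_LEN 20   /* assumption: size of the authenticating digest */
#define MAX_SUPPORTED 3 /* upper bound taken from the ticket's example */

/* Constructed sample digests; only the third byte differs. */
static const uint8_t SAMPLE_EXPECTED[DIGEST_LEN] = {0xAA, 0xBB, 0xCC};
static const uint8_t SAMPLE_FORGED[DIGEST_LEN] = {0xAA, 0xBB, 0xCD};

/* Strict range check: [consensus_min, MAX_SUPPORTED], no fallback to 0. */
static bool version_ok(uint8_t version, uint8_t consensus_min)
{
  return version >= consensus_min && version <= MAX_SUPPORTED;
}

/* Hypothetical validity check: version in range and, for versions >= 1
 * (assumed to be the authenticated ones), a constant-time digest match. */
static bool sendme_valid(uint8_t version, uint8_t consensus_min,
                         const uint8_t *got, const uint8_t *expected)
{
  uint8_t diff = 0;
  if (!version_ok(version, consensus_min))
    return false;
  for (size_t i = 0; i < DIGEST_LEN; i++)
    diff |= got[i] ^ expected[i];
  return version == 0 || diff == 0;
}

/* Returns 0 to keep the circuit, -1 to close it. validate_origin=false
 * models the reported behaviour (only the service side validates);
 * validate_origin=true is what the ticket asks for. */
static int process_circuit_level(bool is_origin, bool validate_origin,
                                 uint8_t version, uint8_t consensus_min,
                                 const uint8_t *got, const uint8_t *expected)
{
  if (is_origin && !validate_origin)
    return 0; /* reported bug: the client side accepts without checking */
  return sendme_valid(version, consensus_min, got, expected) ? 0 : -1;
}

int main(void)
{
  printf("client, forged digest: reported=%d fixed=%d\n",
         process_circuit_level(true, false, 1, 1, SAMPLE_FORGED, SAMPLE_EXPECTED),
         process_circuit_level(true, true, 1, 1, SAMPLE_FORGED, SAMPLE_EXPECTED));
  return 0;
}
```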

