[tor-bugs] #26037 [Core Tor/Tor]: DirAuths should check vote signatures before parsing
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 7 18:22:25 UTC 2018
#26037: DirAuths should check vote signatures before parsing
--------------------------------------+------------------------------------
Reporter: isis | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: tor-security, tor-crypto | Actual Points:
Parent ID: | Points: 2
Reviewer: | Sponsor:
--------------------------------------+------------------------------------
Description changed by isis:
Old description:
> teor pointed out that vote parsing occurs before checking the vote's
> signature (both verifying the signature and ensuring that it comes from a
> known valid directory authority). dgoulet confirmed this is the case:
>
> > See dirvote.c, function dirvote_add_vote(). You will notice that the
> > very first thing is parsing the whole thing with
> > networkstatus_parse_vote_from_string(). Now, as far as I can tell, the
> > voter signature check happens in that function. However, by the time we
> > check it out, we've tokenized the votes and parsed _many_ parts of the
> > vote already. (If you look for check_signature_token() in that function).
> >
> > And then once we are done parsing, we do have a valid signature for the
> > vote which then makes us check if we know the authority with
> > trusteddirserver_get_by_v3_auth_digest().
>
> The issue of anyone being able to trigger a hypothetical vulnerability in
> one of the parsing functions aside, it's also just simply not efficient
> to do all the parsing work and then chuck the results at the end of
> `networkstatus_parse_vote_from_string()` if the signature wasn't from a
> valid sig from a known authority.
>
> This issue has apparently been present since f4ce7f9c9b4 in
> tor-0.2.0.3-alpha.
New description:
teor pointed out that vote parsing occurs before checking the vote's
signature (both verifying the signature and ensuring that it comes from a
known valid directory authority). dgoulet confirmed this is the case:

> See dirvote.c, function dirvote_add_vote(). You will notice that the
> very first thing is parsing the whole thing with
> networkstatus_parse_vote_from_string(). Now, as far as I can tell, the
> voter signature check happens in that function. However, by the time we
> check it out, we've tokenized the votes and parsed _many_ parts of the
> vote already. (If you look for check_signature_token() in that function).
>
> And then once we are done parsing, we do have a valid signature for the
> vote which then makes us check if we know the authority with
> trusteddirserver_get_by_v3_auth_digest().

The issue of anyone being able to trigger a hypothetical vulnerability in
one of the parsing functions aside, it's also just simply not efficient to
do all the parsing work and then chuck the results at the end of
`networkstatus_parse_vote_from_string()` if the signature wasn't from a
valid sig from a known authority.

This issue has apparently been present since f4ce7f9c9b4 in
tor-0.2.0.3-alpha.
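The ordering the ticket asks for, as an added illustration that is not Tor's code: the unparsed vote's trailing signature line is checked against a table of known authorities and the signature is verified over the signed region before any keyword of the body is tokenized, so the parser only ever sees authenticated input. It assumes a constructed authority fingerprint, a simplified signature line (fingerprint, signing-key digest, then the signature on the next line rather than a PEM block), and HMAC-SHA256 as a stand-in for the RSA verification so it runs with the standard library only.

```python
import hmac

# Constructed table of known directory authorities (fingerprint -> key). Real
# votes carry RSA signatures; HMAC-SHA256 stands in so this runs stdlib-only.
KNOWN_AUTHORITIES = {
    "0123456789ABCDEF0123456789ABCDEF01234567": b"constructed-authority-key",
}
SIG_TOKEN = "directory-signature "

def authenticate_vote(raw):
    """Check only the trailing signature line; raise ValueError on rejection."""
    idx = raw.rfind("\n" + SIG_TOKEN)
    if idx < 0:
        raise ValueError("no directory-signature line")
    end = idx + 1 + len(SIG_TOKEN)  # signed region includes token + space
    signed_region, rest = raw[:end], raw[end:]
    sig_line, _, sig_blob = rest.partition("\n")
    fingerprint = (sig_line.split() or [""])[0].upper()
    key = KNOWN_AUTHORITIES.get(fingerprint)
    if key is None:  # cheapest check first: unknown signer, no crypto needed
        raise ValueError("unknown authority " + repr(fingerprint))
    expected = hmac.new(key, signed_region.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig_blob.strip()):
        raise ValueError("bad signature from " + fingerprint)
    return fingerprint, signed_region

def parse_vote_body(signed_region):
    """Keyword parser, run only on input that authenticate_vote accepted."""
    vote = {}
    for line in signed_region.splitlines():
        kw, _, args = line.partition(" ")
        if kw and kw != SIG_TOKEN.strip():
            vote.setdefault(kw, []).append(args)
    return vote

def add_vote(raw):
    """Verify, then parse; None on rejection (cf. dirvote_add_vote() -> NULL)."""
    try:
        fingerprint, signed_region = authenticate_vote(raw)
    except ValueError as err:
        print("rejected vote:", err)
        return None
    vote = parse_vote_body(signed_region)
    vote["authority"] = fingerprint
    return vote

def sign_vote(body, fingerprint, key):
    """Constructed helper that builds a vote in the format add_vote expects."""
    signed_region = body.rstrip("\n") + "\n" + SIG_TOKEN
    tag = hmac.new(key, signed_region.encode(), "sha256").hexdigest()
    return signed_region + fingerprint + " signing-key-digest\n" + tag + "\n"
```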
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26037#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online