tor/src/test/test_protover.c

629 lines
20 KiB
C
Raw Normal View History

2018-06-20 14:13:28 +02:00
/* Copyright (c) 2016-2018, The Tor Project, Inc. */
2016-08-10 01:11:47 +02:00
/* See LICENSE for licensing information */
#define PROTOVER_PRIVATE
#include "orconfig.h"
#include "test.h"
#include "protover.h"
#include "or.h"
#include "connection_or.h"
2016-08-10 01:11:47 +02:00
static void
test_protover_parse(void *arg)
{
(void) arg;
2017-09-27 21:48:07 +02:00
#ifdef HAVE_RUST
/** This test is disabled on rust builds, because it only exists to test
* internal C functions. */
tt_skip();
done:
;
#else
2016-08-10 01:11:47 +02:00
char *re_encoded = NULL;
const char *orig = "Foo=1,3 Bar=3 Baz= Quux=9-12,14,15-16,900";
smartlist_t *elts = parse_protocol_list(orig);
tt_assert(elts);
tt_int_op(smartlist_len(elts), OP_EQ, 4);
const proto_entry_t *e;
const proto_range_t *r;
e = smartlist_get(elts, 0);
tt_str_op(e->name, OP_EQ, "Foo");
tt_int_op(smartlist_len(e->ranges), OP_EQ, 2);
{
r = smartlist_get(e->ranges, 0);
tt_int_op(r->low, OP_EQ, 1);
tt_int_op(r->high, OP_EQ, 1);
r = smartlist_get(e->ranges, 1);
tt_int_op(r->low, OP_EQ, 3);
tt_int_op(r->high, OP_EQ, 3);
}
e = smartlist_get(elts, 1);
tt_str_op(e->name, OP_EQ, "Bar");
tt_int_op(smartlist_len(e->ranges), OP_EQ, 1);
{
r = smartlist_get(e->ranges, 0);
tt_int_op(r->low, OP_EQ, 3);
tt_int_op(r->high, OP_EQ, 3);
}
e = smartlist_get(elts, 2);
tt_str_op(e->name, OP_EQ, "Baz");
tt_int_op(smartlist_len(e->ranges), OP_EQ, 0);
e = smartlist_get(elts, 3);
tt_str_op(e->name, OP_EQ, "Quux");
tt_int_op(smartlist_len(e->ranges), OP_EQ, 4);
{
r = smartlist_get(e->ranges, 0);
tt_int_op(r->low, OP_EQ, 9);
tt_int_op(r->high, OP_EQ, 12);
r = smartlist_get(e->ranges, 1);
tt_int_op(r->low, OP_EQ, 14);
tt_int_op(r->high, OP_EQ, 14);
r = smartlist_get(e->ranges, 2);
tt_int_op(r->low, OP_EQ, 15);
tt_int_op(r->high, OP_EQ, 16);
r = smartlist_get(e->ranges, 3);
tt_int_op(r->low, OP_EQ, 900);
tt_int_op(r->high, OP_EQ, 900);
}
re_encoded = encode_protocol_list(elts);
tt_assert(re_encoded);
tt_str_op(re_encoded, OP_EQ, orig);
done:
if (elts)
SMARTLIST_FOREACH(elts, proto_entry_t *, ent, proto_entry_free(ent));
smartlist_free(elts);
tor_free(re_encoded);
2017-09-27 21:48:07 +02:00
#endif
2016-08-10 01:11:47 +02:00
}
static void
test_protover_parse_fail(void *arg)
{
(void)arg;
2017-09-27 21:48:07 +02:00
#ifdef HAVE_RUST
/** This test is disabled on rust builds, because it only exists to test
* internal C functions. */
tt_skip();
#else
smartlist_t *elts;
/* random junk */
elts = parse_protocol_list("!!3@*");
2017-08-24 21:55:27 +02:00
tt_ptr_op(elts, OP_EQ, NULL);
/* Missing equals sign in an entry */
elts = parse_protocol_list("Link=4 Haprauxymatyve Desc=9");
2017-08-24 21:55:27 +02:00
tt_ptr_op(elts, OP_EQ, NULL);
/* Missing word. */
elts = parse_protocol_list("Link=4 =3 Desc=9");
2017-08-24 21:55:27 +02:00
tt_ptr_op(elts, OP_EQ, NULL);
/* Broken numbers */
elts = parse_protocol_list("Link=fred");
2017-08-24 21:55:27 +02:00
tt_ptr_op(elts, OP_EQ, NULL);
elts = parse_protocol_list("Link=1,fred");
2017-08-24 21:55:27 +02:00
tt_ptr_op(elts, OP_EQ, NULL);
elts = parse_protocol_list("Link=1,fred,3");
2017-08-24 21:55:27 +02:00
tt_ptr_op(elts, OP_EQ, NULL);
/* Broken range */
elts = parse_protocol_list("Link=1,9-8,3");
2017-08-24 21:55:27 +02:00
tt_ptr_op(elts, OP_EQ, NULL);
protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing. In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-03-29 03:54:05 +02:00
/* Protocol name too long */
elts = parse_protocol_list("DoSaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
2018-05-22 18:32:00 +02:00
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing. In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-03-29 03:54:05 +02:00
tt_ptr_op(elts, OP_EQ, NULL);
2017-09-27 21:48:07 +02:00
#endif
done:
;
}
static void
test_protover_vote(void *arg)
{
(void) arg;
smartlist_t *lst = smartlist_new();
char *result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "");
tor_free(result);
smartlist_add(lst, (void*) "Foo=1-10,500 Bar=1,3-7,8");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "Bar=1,3-8 Foo=1-10,500");
tor_free(result);
smartlist_add(lst, (void*) "Quux=123-456,78 Bar=2-6,8 Foo=9");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "Bar=1-8 Foo=1-10,500 Quux=78,123-456");
tor_free(result);
result = protover_compute_vote(lst, 2);
tt_str_op(result, OP_EQ, "Bar=3-6,8 Foo=9");
tor_free(result);
/* High threshold */
result = protover_compute_vote(lst, 3);
tt_str_op(result, OP_EQ, "");
tor_free(result);
/* Bad votes: the result must be empty */
smartlist_clear(lst);
smartlist_add(lst, (void*) "Faux=10-5");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "");
tor_free(result);
/* This fails, since "-0" is not valid. */
smartlist_clear(lst);
smartlist_add(lst, (void*) "Faux=-0");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "");
tor_free(result);
/* Vote large protover lists that are just below the threshold */
/* Just below the threshold: Rust */
smartlist_clear(lst);
smartlist_add(lst, (void*) "Sleen=1-500");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "Sleen=1-500");
tor_free(result);
/* Just below the threshold: C */
smartlist_clear(lst);
smartlist_add(lst, (void*) "Sleen=1-65536");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "Sleen=1-65536");
tor_free(result);
/* Large protover lists that exceed the threshold */
/* By adding two votes, C allows us to exceed the limit */
smartlist_add(lst, (void*) "Sleen=1-65536");
smartlist_add(lst, (void*) "Sleen=100000");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "Sleen=1-65536,100000");
tor_free(result);
/* Large integers */
smartlist_clear(lst);
smartlist_add(lst, (void*) "Sleen=4294967294");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "Sleen=4294967294");
tor_free(result);
/* This parses, but fails at the vote stage */
smartlist_clear(lst);
smartlist_add(lst, (void*) "Sleen=4294967295");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "");
tor_free(result);
smartlist_clear(lst);
smartlist_add(lst, (void*) "Sleen=4294967296");
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "");
tor_free(result);
protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing. In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-03-29 03:54:05 +02:00
/* Protocol name too long */
smartlist_clear(lst);
smartlist_add(lst, (void*) "DoSaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
2018-05-22 18:32:00 +02:00
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing. In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-03-29 03:54:05 +02:00
result = protover_compute_vote(lst, 1);
tt_str_op(result, OP_EQ, "");
tor_free(result);
done:
tor_free(result);
smartlist_free(lst);
}
2016-08-23 19:47:14 +02:00
static void
test_protover_all_supported(void *arg)
{
(void)arg;
char *msg = NULL;
tt_assert(protover_all_supported(NULL, &msg));
2017-08-24 21:55:27 +02:00
tt_ptr_op(msg, OP_EQ, NULL);
2016-08-23 19:47:14 +02:00
tt_assert(protover_all_supported("", &msg));
2017-08-24 21:55:27 +02:00
tt_ptr_op(msg, OP_EQ, NULL);
2016-08-23 19:47:14 +02:00
// Some things that we do support
tt_assert(protover_all_supported("Link=3-4", &msg));
2017-08-24 21:55:27 +02:00
tt_ptr_op(msg, OP_EQ, NULL);
2016-08-23 19:47:14 +02:00
tt_assert(protover_all_supported("Link=3-4 Desc=2", &msg));
2017-08-24 21:55:27 +02:00
tt_ptr_op(msg, OP_EQ, NULL);
2016-08-23 19:47:14 +02:00
// Some things we don't support
tt_assert(! protover_all_supported("Wombat=9", &msg));
tt_str_op(msg, OP_EQ, "Wombat=9");
tor_free(msg);
tt_assert(! protover_all_supported("Link=999", &msg));
tt_str_op(msg, OP_EQ, "Link=999");
tor_free(msg);
// Mix of things we support and things we don't
tt_assert(! protover_all_supported("Link=3-4 Wombat=9", &msg));
tt_str_op(msg, OP_EQ, "Wombat=9");
tor_free(msg);
/* Mix of things we support and don't support within a single protocol
* which we do support */
2016-08-23 19:47:14 +02:00
tt_assert(! protover_all_supported("Link=3-999", &msg));
tt_str_op(msg, OP_EQ, "Link=6-999");
tor_free(msg);
tt_assert(! protover_all_supported("Link=1-3,345-666", &msg));
tt_str_op(msg, OP_EQ, "Link=345-666");
tor_free(msg);
tt_assert(! protover_all_supported("Link=1-3,5-12", &msg));
tt_str_op(msg, OP_EQ, "Link=6-12");
tor_free(msg);
/* Mix of protocols we do support and some we don't, where the protocols
* we do support have some versions we don't support. */
tt_assert(! protover_all_supported("Link=1-3,5-12 Quokka=9000-9001", &msg));
tt_str_op(msg, OP_EQ, "Link=6-12 Quokka=9000-9001");
2016-08-23 19:47:14 +02:00
tor_free(msg);
/* We shouldn't be able to DoS ourselves parsing a large range. */
tt_assert(! protover_all_supported("Sleen=0-2147483648", &msg));
tt_str_op(msg, OP_EQ, "Sleen=0-2147483648");
tor_free(msg);
/* This case is allowed. */
tt_assert(! protover_all_supported("Sleen=0-4294967294", &msg));
tt_str_op(msg, OP_EQ, "Sleen=0-4294967294");
tor_free(msg);
/* If we get a (barely) valid (but unsupported list, we say "yes, that's
* supported." */
tt_assert(protover_all_supported("Fribble=", &msg));
tt_ptr_op(msg, OP_EQ, NULL);
/* If we get a completely unparseable list, protover_all_supported should
* hit a fatal assertion for BUG(entries == NULL). */
tor_capture_bugs_(1);
tt_assert(protover_all_supported("Fribble", &msg));
tor_end_capture_bugs_();
/* If we get a completely unparseable list, protover_all_supported should
* hit a fatal assertion for BUG(entries == NULL). */
tor_capture_bugs_(1);
tt_assert(protover_all_supported("Sleen=0-4294967295", &msg));
tor_end_capture_bugs_();
protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing. In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-03-29 03:54:05 +02:00
/* Protocol name too long */
#ifndef HAVE_RUST // XXXXXX ?????
protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing. In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-03-29 03:54:05 +02:00
tor_capture_bugs_(1);
2018-05-22 18:32:00 +02:00
tt_assert(protover_all_supported(
"DoSaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaa=1-65536", &msg));
protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing. In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-03-29 03:54:05 +02:00
tor_end_capture_bugs_();
#endif
protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing. In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-03-29 03:54:05 +02:00
2016-08-23 19:47:14 +02:00
done:
tor_end_capture_bugs_();
2016-08-23 19:47:14 +02:00
tor_free(msg);
}
2017-09-27 21:48:07 +02:00
static void
test_protover_list_supports_protocol_returns_true(void *arg)
{
(void)arg;
const char *protocols = "Link=1";
int is_supported = protocol_list_supports_protocol(protocols, PRT_LINK, 1);
tt_int_op(is_supported, OP_EQ, 1);
done:
;
}
static void
test_protover_list_supports_protocol_for_unsupported_returns_false(void *arg)
{
(void)arg;
const char *protocols = "Link=1";
int is_supported = protocol_list_supports_protocol(protocols, PRT_LINK, 10);
tt_int_op(is_supported, OP_EQ, 0);
done:
;
}
static void
test_protover_supports_version(void *arg)
{
(void)arg;
tt_assert(protocol_list_supports_protocol("Link=3-6", PRT_LINK, 3));
tt_assert(protocol_list_supports_protocol("Link=3-6", PRT_LINK, 6));
tt_assert(!protocol_list_supports_protocol("Link=3-6", PRT_LINK, 7));
tt_assert(!protocol_list_supports_protocol("Link=3-6", PRT_LINKAUTH, 3));
tt_assert(!protocol_list_supports_protocol("Link=4-6 LinkAuth=3",
PRT_LINKAUTH, 2));
tt_assert(protocol_list_supports_protocol("Link=4-6 LinkAuth=3",
PRT_LINKAUTH, 3));
tt_assert(!protocol_list_supports_protocol("Link=4-6 LinkAuth=3",
PRT_LINKAUTH, 4));
tt_assert(!protocol_list_supports_protocol_or_later("Link=4-6 LinkAuth=3",
PRT_LINKAUTH, 4));
tt_assert(protocol_list_supports_protocol_or_later("Link=4-6 LinkAuth=3",
PRT_LINKAUTH, 3));
tt_assert(protocol_list_supports_protocol_or_later("Link=4-6 LinkAuth=3",
PRT_LINKAUTH, 2));
tt_assert(!protocol_list_supports_protocol_or_later("Link=4-6 LinkAuth=3",
PRT_DESC, 2));
done:
;
}
/* This could be MAX_PROTOCOLS_TO_EXPAND, but that's not exposed by protover */
#define MAX_PROTOCOLS_TO_TEST 1024
/* LinkAuth and Relay protocol versions.
* Hard-coded here, because they are not in the code, or not exposed in the
* headers. */
#define PROTOVER_LINKAUTH_V1 1
#define PROTOVER_LINKAUTH_V3 3
#define PROTOVER_RELAY_V1 1
#define PROTOVER_RELAY_V2 2
/* Highest supported HSv2 introduce protocol version.
* Hard-coded here, because it does not appear anywhere in the code.
* It's not clear if we actually support version 2, see #25068. */
#define PROTOVER_HSINTRO_V2 3
/* HSv2 Rend and HSDir protocol versions.
* Hard-coded here, because they do not appear anywhere in the code. */
#define PROTOVER_HS_RENDEZVOUS_POINT_V2 1
#define PROTOVER_HSDIR_V2 1
/* DirCache, Desc, Microdesc, and Cons protocol versions.
* Hard-coded here, because they do not appear anywhere in the code. */
#define PROTOVER_DIRCACHE_V1 1
#define PROTOVER_DIRCACHE_V2 2
#define PROTOVER_DESC_V1 1
#define PROTOVER_DESC_V2 2
#define PROTOVER_MICRODESC_V1 1
#define PROTOVER_MICRODESC_V2 2
#define PROTOVER_CONS_V1 1
#define PROTOVER_CONS_V2 2
/* Make sure we haven't forgotten any supported protocols */
static void
test_protover_supported_protocols(void *arg)
{
(void)arg;
const char *supported_protocols = protover_get_supported_protocols();
/* Test for new Link in the code, that hasn't been added to supported
* protocols */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_LINK,
MAX_LINK_PROTO));
for (uint16_t i = 0; i < MAX_PROTOCOLS_TO_TEST; i++) {
if (is_or_protocol_version_known(i)) {
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_LINK,
i));
}
}
/* Legacy LinkAuth does not appear anywhere in the code. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_LINKAUTH,
PROTOVER_LINKAUTH_V1));
/* Latest LinkAuth is not exposed in the headers. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_LINKAUTH,
PROTOVER_LINKAUTH_V3));
/* Is there any way to test for new LinkAuth? */
/* Relay protovers do not appear anywhere in the code. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_RELAY,
PROTOVER_RELAY_V1));
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_RELAY,
PROTOVER_RELAY_V2));
/* Is there any way to test for new Relay? */
/* We could test legacy HSIntro by calling rend_service_update_descriptor(),
* and checking the protocols field. But that's unlikely to change, so
* we just use a hard-coded value. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_HSINTRO,
PROTOVER_HSINTRO_V2));
/* Test for HSv3 HSIntro */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_HSINTRO,
PROTOVER_HS_INTRO_V3));
/* Is there any way to test for new HSIntro? */
/* Legacy HSRend does not appear anywhere in the code. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_HSREND,
PROTOVER_HS_RENDEZVOUS_POINT_V2));
/* Test for HSv3 HSRend */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_HSREND,
PROTOVER_HS_RENDEZVOUS_POINT_V3));
/* Is there any way to test for new HSRend? */
/* Legacy HSDir does not appear anywhere in the code. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_HSDIR,
PROTOVER_HSDIR_V2));
/* Test for HSv3 HSDir */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_HSDIR,
PROTOVER_HSDIR_V3));
/* Is there any way to test for new HSDir? */
/* No DirCache versions appear anywhere in the code. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_DIRCACHE,
PROTOVER_DIRCACHE_V1));
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_DIRCACHE,
PROTOVER_DIRCACHE_V2));
/* Is there any way to test for new DirCache? */
/* No Desc versions appear anywhere in the code. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_DESC,
PROTOVER_DESC_V1));
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_DESC,
PROTOVER_DESC_V2));
/* Is there any way to test for new Desc? */
/* No Microdesc versions appear anywhere in the code. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_MICRODESC,
PROTOVER_MICRODESC_V1));
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_MICRODESC,
PROTOVER_MICRODESC_V2));
/* Is there any way to test for new Microdesc? */
/* No Cons versions appear anywhere in the code. */
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_CONS,
PROTOVER_CONS_V1));
tt_assert(protocol_list_supports_protocol(supported_protocols,
PRT_CONS,
PROTOVER_CONS_V2));
/* Is there any way to test for new Cons? */
done:
;
}
static void
test_protover_vote_roundtrip(void *args)
{
(void) args;
static const struct {
const char *input;
const char *expected_output;
} examples[] = {
{ "Fkrkljdsf", NULL },
{ "Zn=4294967295", NULL },
{ "Zn=4294967295-1", NULL },
{ "Zn=4294967293-4294967295", NULL },
/* Will fail because of 4294967295. */
{ "Foo=1,3 Bar=3 Baz= Quux=9-12,14,15-16,900 Zn=0,4294967295",
NULL },
{ "Foo=1,3 Bar=3 Baz= Quux=9-12,14,15-16,900 Zn=0,4294967294",
"Bar=3 Foo=1,3 Quux=9-12,14-16,900 Zn=0,4294967294" },
{ "Zu16=0,65536", "Zu16=0,65536" },
{ "N-1=1,2", "N-1=1-2" },
{ "-1=4294967295", NULL },
{ "-1=3", "-1=3" },
/* junk. */
{ "!!3@*", NULL },
/* Missing equals sign */
{ "Link=4 Haprauxymatyve Desc=9", NULL },
{ "Link=4 Haprauxymatyve=7 Desc=9",
"Desc=9 Haprauxymatyve=7 Link=4" },
{ "=10-11", NULL },
{ "X=10-11", "X=10-11" },
{ "Link=4 =3 Desc=9", NULL },
{ "Link=4 Z=3 Desc=9", "Desc=9 Link=4 Z=3" },
{ "Link=fred", NULL },
{ "Link=1,fred", NULL },
{ "Link=1,fred,3", NULL },
{ "Link=1,9-8,3", NULL },
{ "Faux=-0", NULL },
{ "Faux=0--0", NULL },
{ "Faux=-1", NULL },
{ "Faux=-1-3", NULL },
{ "Faux=1--1", NULL },
/* Large integers */
{ "Link=4294967296", NULL },
/* Large range */
{ "Sleen=1-501", "Sleen=1-501" },
{ "Sleen=1-65537", NULL },
/* Both C/Rust implementations should be able to handle this mild DoS. */
{ "Sleen=0-2147483648", NULL },
/* Rust tests are built in debug mode, so ints are bounds-checked. */
{ "Sleen=0-4294967295", NULL },
};
unsigned u;
smartlist_t *votes = smartlist_new();
char *result = NULL;
for (u = 0; u < ARRAY_LENGTH(examples); ++u) {
const char *input = examples[u].input;
const char *expected_output = examples[u].expected_output;
smartlist_add(votes, (void*)input);
result = protover_compute_vote(votes, 1);
if (expected_output != NULL) {
tt_str_op(result, OP_EQ, expected_output);
} else {
tt_str_op(result, OP_EQ, "");
}
smartlist_clear(votes);
tor_free(result);
}
done:
smartlist_free(votes);
tor_free(result);
}
2016-08-10 01:11:47 +02:00
#define PV_TEST(name, flags) \
{ #name, test_protover_ ##name, (flags), NULL, NULL }
struct testcase_t protover_tests[] = {
PV_TEST(parse, 0),
PV_TEST(parse_fail, 0),
PV_TEST(vote, 0),
2016-08-23 19:47:14 +02:00
PV_TEST(all_supported, 0),
2017-09-27 21:48:07 +02:00
PV_TEST(list_supports_protocol_for_unsupported_returns_false, 0),
PV_TEST(list_supports_protocol_returns_true, 0),
PV_TEST(supports_version, 0),
PV_TEST(supported_protocols, 0),
PV_TEST(vote_roundtrip, 0),
2016-08-10 01:11:47 +02:00
END_OF_TESTCASES
};