From 50ad3939242885b1a1a11688abd0c9756631747f Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 11 Apr 2014 10:22:14 -0400 Subject: [PATCH 1/3] Code to blacklist authority signing keys (I need a list of actual signing keys to blacklist.) --- changes/bug11464_023 | 5 +++++ src/or/networkstatus.c | 11 +++++++++++ src/or/routerlist.c | 22 ++++++++++++++++++++++ src/or/routerlist.h | 1 + src/or/routerparse.c | 8 ++++++++ 5 files changed, 47 insertions(+) create mode 100644 changes/bug11464_023 diff --git a/changes/bug11464_023 b/changes/bug11464_023 new file mode 100644 index 0000000000..a9cd658abc --- /dev/null +++ b/changes/bug11464_023 @@ -0,0 +1,5 @@ + o Major features (security): + - Block every authority signing key that was used on an authority + vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). + (We don't have any evidence that these keys _were_ compromised; + we're doing this to be prudent.) Resolves ticket 11464. diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c index e780eadac7..10cc56231f 100644 --- a/src/or/networkstatus.c +++ b/src/or/networkstatus.c @@ -453,6 +453,17 @@ networkstatus_check_document_signature(const networkstatus_t *consensus, DIGEST_LEN)) return -1; + if (authority_cert_is_blacklisted(cert)) { + /* We implement blacklisting for authority signing keys by treating + * all their signatures as always bad. That way we don't get into + * crazy loops of dropping and re-fetching signatures. */ + log_warn(LD_DIR, "Ignoring a consensus signature made with deprecated" + " signing key %s", + hex_str(cert->signing_key_digest, DIGEST_LEN)); + sig->bad_signature = 1; + return 0; + } + signed_digest_len = crypto_pk_keysize(cert->signing_key); signed_digest = tor_malloc(signed_digest_len); if (crypto_pk_public_checksig(cert->signing_key, diff --git a/src/or/routerlist.c b/src/or/routerlist.c index 3c39e362df..e993e138eb 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -458,6 +458,28 @@ authority_cert_dl_failed(const char *id_digest, int status) download_status_failed(&cl->dl_status, status); } +static const char *BAD_SIGNING_KEYS[] = { + "----------------------------------------", + NULL, +}; + +/** DOCDOC */ +int +authority_cert_is_blacklisted(const authority_cert_t *cert) +{ + char hex_digest[HEX_DIGEST_LEN+1]; + int i; + base16_encode(hex_digest, sizeof(hex_digest), + cert->signing_key_digest, sizeof(cert->signing_key_digest)); + + for (i = 0; BAD_SIGNING_KEYS[i]; ++i) { + if (!strcasecmp(hex_digest, BAD_SIGNING_KEYS[i])) { + return 1; + } + } + return 0; +} + /** Return true iff when we've been getting enough failures when trying to * download the certificate with ID digest id_digest that we're willing * to start bugging the user about it. */ diff --git a/src/or/routerlist.h b/src/or/routerlist.h index 8dcc6eb026..bd55b7b201 100644 --- a/src/or/routerlist.h +++ b/src/or/routerlist.h @@ -25,6 +25,7 @@ void authority_cert_dl_failed(const char *id_digest, int status); void authority_certs_fetch_missing(networkstatus_t *status, time_t now); int router_reload_router_list(void); int authority_cert_dl_looks_uncertain(const char *id_digest); +int authority_cert_is_blacklisted(const authority_cert_t *cert); smartlist_t *router_get_trusted_dir_servers(void); const routerstatus_t *router_pick_directory_server(dirinfo_type_t type, diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 299d07d376..97e0bc8c85 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -3053,6 +3053,14 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out, log_warn(LD_DIR,"Mismatch between identities in certificate and vote"); goto err; } + if (ns->type != NS_TYPE_CONSENSUS) { + if (authority_cert_is_blacklisted(ns->cert)) { + log_warn(LD_DIR, "Rejecting vote signature made with blacklisted " + "signing key %s", + hex_str(ns->cert->signing_key_digest, DIGEST_LEN)); + goto err; + } + } voter->address = tor_strdup(tok->args[2]); if (!tor_inet_aton(tok->args[3], &in)) { log_warn(LD_DIR, "Error decoding IP address %s in network-status.", From 46cf63bb42f2818201bc0c39036f2c17e210fcdb Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 14 Apr 2014 16:03:53 -0400 Subject: [PATCH 2/3] Fill in the list of blacklisted signing keys. I used a list of certificate files from arma, and a little script, both at 11464. --- src/or/routerlist.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/or/routerlist.c b/src/or/routerlist.c index e993e138eb..7cbf6eff1d 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -459,7 +459,18 @@ authority_cert_dl_failed(const char *id_digest, int status) } static const char *BAD_SIGNING_KEYS[] = { - "----------------------------------------", + "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31 +// dizum still needs to rotate as of 2014-04-04 +//"0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 +// dannenberg still needs to rotate as of 2014-04-04 +//"57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 + "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09 + "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56 + "9904B52336713A5ADCB13E4FB14DC919E0D45571", // Expires 2014-04-20 20:01:01 + "9DCD8E3F1DD1597E2AD476BBA28A1A89F3095227", // Expires 2015-01-16 03:52:30 + "A61682F34B9BB9694AC98491FE1ABBFE61923941", // Expires 2014-06-11 09:25:09 + "B59F6E99C575113650C99F1C425BA7B20A8C071D", // Expires 2014-07-31 13:22:10 + "D27178388FA75B96D37FA36E0B015227DDDBDA51", // Expires 2014-08-04 04:01:57 NULL, }; From 09ed8a5dbb5216caae0055c1608abbc8c76412c9 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 14 Apr 2014 17:58:49 -0400 Subject: [PATCH 3/3] Tweak changes file and comment dates. --- changes/bug11464_023 | 2 +- src/or/routerlist.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/changes/bug11464_023 b/changes/bug11464_023 index a9cd658abc..80c04b21e6 100644 --- a/changes/bug11464_023 +++ b/changes/bug11464_023 @@ -1,5 +1,5 @@ o Major features (security): - - Block every authority signing key that was used on an authority + - Block authority signing keys that were used on an authorities vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). (We don't have any evidence that these keys _were_ compromised; we're doing this to be prudent.) Resolves ticket 11464. diff --git a/src/or/routerlist.c b/src/or/routerlist.c index 7cbf6eff1d..a7968beca2 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -460,9 +460,9 @@ authority_cert_dl_failed(const char *id_digest, int status) static const char *BAD_SIGNING_KEYS[] = { "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31 -// dizum still needs to rotate as of 2014-04-04 +// dizum still needs to rotate as of 2014-04-14 //"0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 -// dannenberg still needs to rotate as of 2014-04-04 +// dannenberg still needs to rotate as of 2014-04-14 //"57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09 "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56