Merge branch 'maint-0.4.4' into maint-0.4.5

changes/bug40391

@@ -0,0 +1,9 @@
+  o Major bugfixes (security):
+    - Resist a hashtable-based CPU denial-of-service attack against
+      relays. Previously we used a naive unkeyed hash function to look up
+      circuits in a circuitmux object. An attacker could exploit this to
+      construct circuits with chosen circuit IDs in order to try to create
+      collisions and make the hash table inefficient.  Now we use a SipHash
+      construction for this hash table instead. Fixes bug 40391; bugfix on
+      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005.
+      Reported by Jann Horn from Google's Project Zero.

src/core/or/circuitmux.c

@@ -169,9 +169,10 @@ chanid_circid_entries_eq(chanid_circid_muxinfo_t *a,
 static inline unsigned int
 chanid_circid_entry_hash(chanid_circid_muxinfo_t *a)
 {
-    return (((unsigned int)(a->circ_id) << 8) ^
+  uint8_t data[8 + 4];
-            ((unsigned int)((a->chan_id >> 32) & 0xffffffff)) ^
+  set_uint64(data, a->chan_id);
-            ((unsigned int)(a->chan_id & 0xffffffff)));
+  set_uint32(data + 8, a->circ_id);
+  return (unsigned) siphash24g(data, sizeof(data));
 }
 
 /* Emit a bunch of hash table stuff */