hs: Correctly validate v3 descriptor encrypted length

The encrypted_data_length_is_valid() function wasn't validating correctly the
length of the encrypted data of a v3 descriptor. The side effect of this is
that an HSDir was rejecting the descriptor and ultimately not storing it.

Fixes #22447

Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit is contained in:
David Goulet 2017-05-30 10:27:42 -04:00
parent 83439e78cc
commit 5b33d95a3d
3 changed files with 9 additions and 22 deletions

3
changes/bug22447 Normal file
View File

@ -0,0 +1,3 @@
o Major bugfixes (hidden service v3):
- HSDir failed to validate the encrypted size of a v3 descriptor and thus
rejecting it. Fixes bug 22447; bugfix on tor-0.3.0.1-alpha.

View File

@ -1023,30 +1023,15 @@ cert_parse_and_validate(tor_cert_t **cert_out, const char *data,
STATIC int STATIC int
encrypted_data_length_is_valid(size_t len) encrypted_data_length_is_valid(size_t len)
{ {
/* Check for the minimum length possible. */ /* Make sure there is enough data for the salt and the mac. The equality is
if (len < HS_DESC_ENCRYPTED_MIN_LEN) { * there to ensure that there is at least one byte of encrypted data. */
if (len <= HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN) {
log_warn(LD_REND, "Length of descriptor's encrypted data is too small. " log_warn(LD_REND, "Length of descriptor's encrypted data is too small. "
"Got %lu but minimum value is %d", "Got %lu but minimum value is %d",
(unsigned long)len, HS_DESC_ENCRYPTED_MIN_LEN); (unsigned long)len, HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN);
goto err; goto err;
} }
/* Encrypted data has the salt and MAC concatenated to it so remove those
* from the validation calculation. */
len -= HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN;
/* Check that it's aligned on the block size of the crypto algorithm. */
if (len % HS_DESC_PLAINTEXT_PADDING_MULTIPLE) {
log_warn(LD_REND, "Length of descriptor's encrypted data is invalid. "
"Got %lu which is not a multiple of %d.",
(unsigned long) len, HS_DESC_PLAINTEXT_PADDING_MULTIPLE);
goto err;
}
/* XXX: Check maximum size. Will strongly depends on the maximum intro point
* allowed we decide on and probably if they will all have to use the legacy
* key which is bigger than the ed25519 key. */
return 1; return 1;
err: err:
return 0; return 0;

View File

@ -587,9 +587,8 @@ test_encrypted_data_len(void *arg)
/* No length, error. */ /* No length, error. */
ret = encrypted_data_length_is_valid(0); ret = encrypted_data_length_is_valid(0);
tt_int_op(ret, OP_EQ, 0); tt_int_op(ret, OP_EQ, 0);
/* Not a multiple of our encryption algorithm (thus no padding). It's /* This value is missing data. */
* suppose to be aligned on HS_DESC_PLAINTEXT_PADDING_MULTIPLE. */ value = HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN;
value = HS_DESC_PLAINTEXT_PADDING_MULTIPLE * 10 - 1;
ret = encrypted_data_length_is_valid(value); ret = encrypted_data_length_is_valid(value);
tt_int_op(ret, OP_EQ, 0); tt_int_op(ret, OP_EQ, 0);
/* Valid value. */ /* Valid value. */