mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-13 22:53:44 +01:00
Check for replays in PK-encrypted part of intro cell, not just in the g^x value
This commit is contained in:
parent
c75ee94ab4
commit
cb9226bcdb
13
changes/replay-firstpart
Normal file
13
changes/replay-firstpart
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
o Minor features (security):
|
||||||
|
|
||||||
|
- Check for replays of the public-key encrypted portion of an
|
||||||
|
INTRODUCE1 cell, in addition to the current check for replays of
|
||||||
|
the g^x value. This prevents a possible class of active attacks
|
||||||
|
by an attacker who controls both an introduction point and a
|
||||||
|
rendezvous point, and who uses the malleability of AES-CTR to
|
||||||
|
alter the encrypted g^x portion of the INTRODUCE1 cell. We
|
||||||
|
think that these attacks is infeasible (requiring the attacker
|
||||||
|
to send on the order of zettabytes of altered cells in a short
|
||||||
|
interval), but we'd rather block them off in case there are any
|
||||||
|
classes of this attack that we missed. Reported by dvorak.
|
||||||
|
|
@ -976,6 +976,29 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request,
|
|||||||
"PK-encrypted portion of INTRODUCE2 cell was truncated.");
|
"PK-encrypted portion of INTRODUCE2 cell was truncated.");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!service->accepted_intros)
|
||||||
|
service->accepted_intros = digestmap_new();
|
||||||
|
|
||||||
|
{
|
||||||
|
char pkpart_digest[DIGEST_LEN];
|
||||||
|
/* Check for replay of PK-encrypted portion. It is slightly naughty to
|
||||||
|
use the same digestmap to check for this and for g^x replays, but
|
||||||
|
collisions are tremendously unlikely.
|
||||||
|
*/
|
||||||
|
crypto_digest(pkpart_digest, (char*)request+DIGEST_LEN, keylen);
|
||||||
|
access_time = digestmap_get(service->accepted_intros, pkpart_digest);
|
||||||
|
if (access_time != NULL) {
|
||||||
|
log_warn(LD_REND, "Possible replay detected! We received an "
|
||||||
|
"INTRODUCE2 cell with same PK-encrypted part %d seconds ago. "
|
||||||
|
"Dropping cell.", (int)(now-*access_time));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
access_time = tor_malloc(sizeof(time_t));
|
||||||
|
*access_time = now;
|
||||||
|
digestmap_set(service->accepted_intros, pkpart_digest, access_time);
|
||||||
|
}
|
||||||
|
|
||||||
/* Next N bytes is encrypted with service key */
|
/* Next N bytes is encrypted with service key */
|
||||||
note_crypto_pk_op(REND_SERVER);
|
note_crypto_pk_op(REND_SERVER);
|
||||||
r = crypto_pk_private_hybrid_decrypt(
|
r = crypto_pk_private_hybrid_decrypt(
|
||||||
@ -1109,9 +1132,6 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request,
|
|||||||
|
|
||||||
/* Check whether there is a past request with the same Diffie-Hellman,
|
/* Check whether there is a past request with the same Diffie-Hellman,
|
||||||
* part 1. */
|
* part 1. */
|
||||||
if (!service->accepted_intros)
|
|
||||||
service->accepted_intros = digestmap_new();
|
|
||||||
|
|
||||||
access_time = digestmap_get(service->accepted_intros, diffie_hellman_hash);
|
access_time = digestmap_get(service->accepted_intros, diffie_hellman_hash);
|
||||||
if (access_time != NULL) {
|
if (access_time != NULL) {
|
||||||
log_warn(LD_REND, "Possible replay detected! We received an "
|
log_warn(LD_REND, "Possible replay detected! We received an "
|
||||||
|
Loading…
Reference in New Issue
Block a user