Commit Graph

4186 Commits

Author SHA1 Message Date
Nick Mathewson
60b8aaefa1 lintChanges fixes 2016-06-13 13:57:03 -04:00
Nick Mathewson
2ee3dbe801 Merge branch 'maint-0.2.7' into maint-0.2.8 2016-06-13 10:49:05 -04:00
Nick Mathewson
80089c9e7c Merge branch 'maint-0.2.6' into maint-0.2.7 2016-06-13 10:48:56 -04:00
Nick Mathewson
b4bb88606e Merge branch 'maint-0.2.5' into maint-0.2.6 2016-06-13 10:48:48 -04:00
Nick Mathewson
f25f7b759c Merge branch 'maint-0.2.4' into maint-0.2.5 2016-06-13 10:48:35 -04:00
Karsten Loesing
c14c662758 Update geoip and geoip6 to the June 7 2016 database. 2016-06-12 11:35:50 +02:00
Nick Mathewson
ada5668c5e Merge remote-tracking branch 'public/bug19203_027' into maint-0.2.8 2016-06-11 10:16:00 -04:00
Nick Mathewson
6eeedc02d8 Use directory_must_use_begindir to predict we'll surely use begindir
Previously, we used !directory_fetches_from_authorities() to predict
that we would tunnel connections.  But the rules have changed
somewhat over the course of 0.2.8
2016-06-02 10:40:39 -04:00
Nick Mathewson
a32ca313c4 Merge branch 'maint-0.2.7' into maint-0.2.8 2016-06-02 10:12:56 -04:00
Nick Mathewson
5854b19816 Use tor_sscanf, not sscanf, in test_util.c.
Fixes the 0.2.7 case of bug #19213, which prevented mingw64 from
working.
2016-06-02 10:11:29 -04:00
Nick Mathewson
bdc59e33c1 Fix a warning on unnamed nodes in node_get_by_nickname().
There was a > that should have been an ==, and a missing !.  These
together prevented us from issuing a warning in the case that a
nickname matched an Unnamed node only.

Fixes bug 19203; bugfix on 0.2.3.1-alpha.
2016-05-30 12:03:03 -04:00
Nick Mathewson
36b2b48308 Merge branch 'bug18668_028' into maint-0.2.8 2016-05-25 16:58:43 -04:00
Nick Mathewson
6d375f17fc Merge branch 'bug19161_028_v2' into maint-0.2.8 2016-05-25 10:17:26 -04:00
Nick Mathewson
fdfc528f85 Merge branch 'bug19152_024_v2' into maint-0.2.8 2016-05-25 09:26:45 -04:00
Nick Mathewson
c4c4380a5e Fix a dangling pointer issue in our RSA keygen code
If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or if
OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and Baishakhi
Ray.

This is potentially scary stuff, so let me walk through my analysis.
I think this is a bug, and a backport candidate, but not remotely
triggerable in any useful way.

Observation 1a:

Looking over the OpenSSL code here, the only way we can really fail in
the non-engine case is if malloc() fails.  But if malloc() is failing,
then tor_malloc() calls should be tor_asserting -- the only way that an
attacker could do an exploit here would be to figure out some way to
make malloc() fail when openssl does it, but work whenever Tor does it.

(Also ordinary malloc() doesn't fail on platforms like Linux that
overcommit.)

Observation 1b:

Although engines are _allowed_ to fail in extra ways, I can't find much
evidence online  that they actually _do_ fail in practice. More evidence
would be nice, though.

Observation 2:

We don't call crypto_pk_generate*() all that often, and we don't do it
in response to external inputs. The only way to get it to happen
remotely would be by causing a hidden service to build new introduction
points.

Observation 3a:

So, let's assume that both of the above observations are wrong, and the
attacker can make us generate a crypto_pk_env_t with a dangling pointer
in its 'key' field, and not immediately crash.

This dangling pointer will point to what used to be an RSA structure,
with the fields all set to NULL.  Actually using this RSA structure,
before the memory is reused for anything else, will cause a crash.

In nearly every function where we call crypto_pk_generate*(), we quickly
use the RSA key pointer -- either to sign something, or to encode the
key, or to free the key.  The only exception is when we generate an
intro key in rend_consider_services_intro_points().  In that case, we
don't actually use the key until the intro circuit is opened -- at which
point we encode it, and use it to sign an introduction request.

So in order to exploit this bug to do anything besides crash Tor, the
attacker needs to make sure that by the time the introduction circuit
completes, either:
  * the e, d, and n BNs look valid, and at least one of the other BNs is
    still NULL.
OR
  * all 8 of the BNs must look valid.

To look like a valid BN, *they* all need to have their 'top' index plus
their 'd' pointer indicate an addressable region in memory.

So actually getting useful data of of this, rather than a crash, is
going to be pretty damn hard.  You'd have to force an introduction point
to be created (or wait for one to be created), and force that particular
crypto_pk_generate*() to fail, and then arrange for the memory that the
RSA points to to in turn point to 3...8 valid BNs, all by the time the
introduction circuit completes.

Naturally, the signature won't check as valid [*], so the intro point
will reject the ESTABLISH_INTRO cell.  So you need to _be_ the
introduction point, or you don't actually see this information.

[*] Okay, so if you could somehow make the 'rsa' pointer point to a
different valid RSA key, then you'd get a valid signature of an
ESTABLISH_INTRO cell using a key that was supposed to be used for
something else ... but nothing else looks like that, so you can't use
that signature elsewhere.

Observation 3b:

Your best bet as an attacker would be to make the dangling RSA pointer
actually contain a fake method, with a fake RSA_private_encrypt
function that actually pointed to code you wanted to execute.  You'd
still need to transit 3 or 4 pointers deep though in order to make that
work.

Conclusion:

By 1, you probably can't trigger this without Tor crashing from OOM.

By 2, you probably can't trigger this reliably.

By 3, even if I'm wrong about 1 and 2, you have to jump through a pretty
big array of hoops in order to get any kind of data leak or code
execution.

So I'm calling it a bug, but not a security hole. Still worth
patching.
2016-05-25 09:23:57 -04:00
Nick Mathewson
6abceca182 Merge branch 'memarea_overflow_027_squashed' into maint-0.2.8 2016-05-25 09:22:02 -04:00
Nick Mathewson
be2d37ad3c Fix a pointer arithmetic bug in memarea_alloc()
Fortunately, the arithmetic cannot actually overflow, so long as we
*always* check for the size of potentially hostile input before
copying it.  I think we do, though.  We do check each line against
MAX_LINE_LENGTH, and each object name or object against
MAX_UNPARSED_OBJECT_SIZE, both of which are 128k.  So to get this
overflow, we need to have our memarea allocated way way too high up
in RAM, which most allocators won't actually do.

Bugfix on 0.2.1.1-alpha, where memarea was introduced.

Found by Guido Vranken.
2016-05-25 09:20:37 -04:00
Nick Mathewson
be3875cda2 Make sure that libscrypt_scrypt actually exists before using it.
Previously, if the header was present, we'd proceed even if the
function wasn't there.

Easy fix for bug 19161.  A better fix would involve trying harder to
find libscrypt_scrypt.
2016-05-24 10:31:02 -04:00
Nick Mathewson
dd17df2253 lintchanges on 18809, and fix the bug number 2016-05-19 08:54:19 -04:00
Nick Mathewson
7c7d990704 changelog typo fix 2016-05-19 08:29:45 -04:00
Nick Mathewson
9f217c83b0 Merge branch 'bug18809_028_squashed' into maint-0.2.8 2016-05-19 08:17:02 -04:00
teor (Tim Wilson-Brown)
8dc8d71226 Changes file for bug 18809 2016-05-19 07:58:40 -04:00
Nick Mathewson
3f49474349 Merge branch 'bug17150_027_extra' into maint-0.2.8 2016-05-17 19:47:22 -04:00
Nick Mathewson
49ff09aef2 Fix another, more subtle, case of bug 17150.
We need to make sure that the corresponding sd and ei match in their
certificates.
2016-05-17 13:16:36 -04:00
Nick Mathewson
7d1eb0d570 When making sure digest256 matches in ei, look at sd, not ri.
The routerinfo we pass to routerinfo_incompatible_with_extrainfo is
the latest routerinfo for the relay.  The signed_descriptor_t, on
the other hand, is the signed_descriptor_t that corresponds to the
extrainfo.  That means we should be checking the digest256 match
with that signed_descriptor_t, not with the routerinfo.

Fixes bug 17150 (and 19017); bugfix on 0.2.7.2-alpha.
2016-05-17 12:57:03 -04:00
Nick Mathewson
d6a2fec05e Merge branch 'bug18616-v4-merged_028' into maint-0.2.8 2016-05-17 11:09:54 -04:00
Nick Mathewson
ff5eb7fc62 Fix remaining lintChanges warnings. 2016-05-17 11:06:41 -04:00
Nick Mathewson
e0fb75c349 Resolve lintChanges warnings. 2016-05-17 11:05:57 -04:00
Nick Mathewson
548d14247e Merge remote-tracking branch 'arma/bug18616-v4' into maint-0.2.8 2016-05-17 10:48:12 -04:00
Roger Dingledine
06031b441e touchups and refactorings on bug 18616 branch
no behavior changes
2016-05-16 17:43:47 -04:00
Nick Mathewson
0f9b0b8bfe Initialize networking _before_ initializing libevent in the tests
This prevents WSANOTINITIALISED errors and fixes bug 18668. Bugfix
on 0.2.8.1-alpha -- 1bac468882 specifically.
2016-05-16 14:30:04 -04:00
Nick Mathewson
e8cc9f3edf Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-12 15:33:47 -04:00
Nick Mathewson
4165b1a0da Merge branch 'bug18977_026_v2' into maint-0.2.7 2016-05-12 15:33:35 -04:00
Nick Mathewson
20b01cece8 Merge branch 'bug18977_024_v2' into bug18977_026_v2
Had conflicts related to other correct_tm bugs in 0.2.6.  Added wday
for another case.
2016-05-12 14:39:06 -04:00
Nick Mathewson
e57f26c135 Have correct_tm set tm_wday as well.
The tm_wday field had been left uninitialized, which was causing
some assertions to fail on Windows unit tests.

Fixes bug 18977.
2016-05-12 14:37:27 -04:00
Nick Mathewson
ce6f2d1c4d Merge remote-tracking branch 'arma/bug19003-try2' into maint-0.2.8 2016-05-12 11:09:33 -04:00
Roger Dingledine
4a62d7aabc minor touchups on nick's ticket 17621 changes 2016-05-11 16:35:36 -04:00
Nick Mathewson
af4b7d0405 Document the contents of $datadir/keys
Ticket 17621.
2016-05-11 14:03:34 -04:00
Nick Mathewson
8d962233f6 Merge remote-tracking branch 'teor/bug18816_simplify' into maint-0.2.8 2016-05-11 13:20:51 -04:00
Nick Mathewson
24fbb9a81b Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-11 13:15:17 -04:00
Nick Mathewson
4e94580591 Merge remote-tracking branch 'special/bug19032-027' into maint-0.2.7 2016-05-11 13:13:23 -04:00
John Brooks
bf3e32a452 Fix out-of-bounds write during voting with duplicate ed25519 keys
In dirserv_compute_performance_thresholds, we allocate arrays based
on the length of 'routers', a list of routerinfo_t, but loop over
the nodelist. The 'routers' list may be shorter when relays were
filtered by routers_make_ed_keys_unique, leading to an out-of-bounds
write on directory authorities.

This bug was originally introduced in 26e89742, but it doesn't look
possible to trigger until routers_make_ed_keys_unique was introduced
in 13a31e72.

Fixes bug 19032; bugfix on tor 0.2.8.2-alpha.
2016-05-11 13:11:03 -04:00
teor (Tim Wilson-Brown)
2cbad2aac7
Revert "Switch between fallback and authority when auth cert fetch fails"
This reverts commit 92d7ee08b8.
2016-05-11 13:06:13 -04:00
Nick Mathewson
28e1aa1118 Merge branch 'bug18761_028_squashed' into maint-0.2.8 2016-05-11 12:36:27 -04:00
Nick Mathewson
b59d79134e Log find_rp_for_intro_() failures at LOG_PROTOCOL_WARN.
Closes ticket 18761.

Also fix a whitespace issue.
2016-05-11 12:36:19 -04:00
Nick Mathewson
e71dfb6344 Merge remote-tracking branch 'teor/bug18816-squashed' into maint-0.2.8 2016-05-11 12:28:37 -04:00
Nick Mathewson
50249c7cd9 Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-11 12:23:20 -04:00
Nick Mathewson
039fc8427a Merge branch 'bug18841_1_025' into maint-0.2.7 2016-05-11 12:22:36 -04:00
Nick Mathewson
c662bef455 Undefine _FORTIFY_SOURCE before defining it.
This makes our compilation options checks in autoconf work better on
systems that already define _FORTIFY_SOURCE.

Fixes at least one case of bug 18841; bugfix on 0.2.3.17-beta. Patch
from "trudokal".
2016-05-11 12:15:37 -04:00
teor (Tim Wilson-Brown)
92d7ee08b8
Switch between fallback and authority when auth cert fetch fails 2016-05-10 11:25:55 -04:00