Commit Graph

21110 Commits

Author SHA1 Message Date
Nick Mathewson
d95c2809b3 Merge branch 'maint-0.2.4' into maint-0.2.5 2016-07-19 12:31:20 +02:00
Karsten Loesing
79939c6f11 Update geoip and geoip6 to the July 6 2016 database. 2016-07-18 08:40:22 +02:00
Nick Mathewson
92891ded30 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-07-05 13:51:51 -04:00
Nick Mathewson
19078b1b89 Merge branch 'maint-0.2.4' into maint-0.2.5 2016-07-05 13:51:34 -04:00
Nick Mathewson
6b8c3d2bc0 whoops. changelog file for 19271. 2016-07-05 13:51:21 -04:00
Nick Mathewson
c28ba994ec Merge branch 'maint-0.2.5' into maint-0.2.6 2016-07-05 12:21:25 -04:00
Nick Mathewson
9d3de77d4d Merge branch 'maint-0.2.4' into maint-0.2.5 2016-07-05 12:20:42 -04:00
Sebastian Hahn
7ae34e722a
Remove urras as a default trusted directory authority
It had been a directory authority since 0.2.1.20.
2016-07-03 21:59:32 +02:00
Nick Mathewson
b4bb88606e Merge branch 'maint-0.2.5' into maint-0.2.6 2016-06-13 10:48:48 -04:00
Nick Mathewson
f25f7b759c Merge branch 'maint-0.2.4' into maint-0.2.5 2016-06-13 10:48:35 -04:00
Karsten Loesing
c14c662758 Update geoip and geoip6 to the June 7 2016 database. 2016-06-12 11:35:50 +02:00
Nick Mathewson
c4c4380a5e Fix a dangling pointer issue in our RSA keygen code
If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or if
OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and Baishakhi
Ray.

This is potentially scary stuff, so let me walk through my analysis.
I think this is a bug, and a backport candidate, but not remotely
triggerable in any useful way.

Observation 1a:

Looking over the OpenSSL code here, the only way we can really fail in
the non-engine case is if malloc() fails.  But if malloc() is failing,
then tor_malloc() calls should be tor_asserting -- the only way that an
attacker could do an exploit here would be to figure out some way to
make malloc() fail when openssl does it, but work whenever Tor does it.

(Also ordinary malloc() doesn't fail on platforms like Linux that
overcommit.)

Observation 1b:

Although engines are _allowed_ to fail in extra ways, I can't find much
evidence online  that they actually _do_ fail in practice. More evidence
would be nice, though.

Observation 2:

We don't call crypto_pk_generate*() all that often, and we don't do it
in response to external inputs. The only way to get it to happen
remotely would be by causing a hidden service to build new introduction
points.

Observation 3a:

So, let's assume that both of the above observations are wrong, and the
attacker can make us generate a crypto_pk_env_t with a dangling pointer
in its 'key' field, and not immediately crash.

This dangling pointer will point to what used to be an RSA structure,
with the fields all set to NULL.  Actually using this RSA structure,
before the memory is reused for anything else, will cause a crash.

In nearly every function where we call crypto_pk_generate*(), we quickly
use the RSA key pointer -- either to sign something, or to encode the
key, or to free the key.  The only exception is when we generate an
intro key in rend_consider_services_intro_points().  In that case, we
don't actually use the key until the intro circuit is opened -- at which
point we encode it, and use it to sign an introduction request.

So in order to exploit this bug to do anything besides crash Tor, the
attacker needs to make sure that by the time the introduction circuit
completes, either:
  * the e, d, and n BNs look valid, and at least one of the other BNs is
    still NULL.
OR
  * all 8 of the BNs must look valid.

To look like a valid BN, *they* all need to have their 'top' index plus
their 'd' pointer indicate an addressable region in memory.

So actually getting useful data of of this, rather than a crash, is
going to be pretty damn hard.  You'd have to force an introduction point
to be created (or wait for one to be created), and force that particular
crypto_pk_generate*() to fail, and then arrange for the memory that the
RSA points to to in turn point to 3...8 valid BNs, all by the time the
introduction circuit completes.

Naturally, the signature won't check as valid [*], so the intro point
will reject the ESTABLISH_INTRO cell.  So you need to _be_ the
introduction point, or you don't actually see this information.

[*] Okay, so if you could somehow make the 'rsa' pointer point to a
different valid RSA key, then you'd get a valid signature of an
ESTABLISH_INTRO cell using a key that was supposed to be used for
something else ... but nothing else looks like that, so you can't use
that signature elsewhere.

Observation 3b:

Your best bet as an attacker would be to make the dangling RSA pointer
actually contain a fake method, with a fake RSA_private_encrypt
function that actually pointed to code you wanted to execute.  You'd
still need to transit 3 or 4 pointers deep though in order to make that
work.

Conclusion:

By 1, you probably can't trigger this without Tor crashing from OOM.

By 2, you probably can't trigger this reliably.

By 3, even if I'm wrong about 1 and 2, you have to jump through a pretty
big array of hoops in order to get any kind of data leak or code
execution.

So I'm calling it a bug, but not a security hole. Still worth
patching.
2016-05-25 09:23:57 -04:00
Nick Mathewson
0b477bfd55 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-05-09 14:55:45 -04:00
Nick Mathewson
368146370b Merge branch 'maint-0.2.4' into maint-0.2.5 2016-05-09 14:55:22 -04:00
Karsten Loesing
3c2d4611ce Update geoip and geoip6 to the May 4 2016 database. 2016-05-09 17:51:15 +02:00
Scott Dial
0ca3f495c6 Fix dnsserv.c assertion when no supported questions are requested.
The problem is that "q" is always set on the first iteration even
if the question is not a supported question. This set of "q" is
not necessary, and will be handled after exiting the loop if there
if a supported q->type was found.

    [Changes file by nickm]

lease enter the commit message for your changes. Lines starting
2016-05-04 14:45:09 -04:00
Nick Mathewson
2ce99b9f48 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-04-07 10:45:38 -04:00
Nick Mathewson
34a51d1621 Merge branch 'maint-0.2.4' into maint-0.2.5 2016-04-07 10:45:32 -04:00
Karsten Loesing
97c6e717b9 Update geoip and geoip6 to the April 5 2016 database. 2016-04-07 11:10:09 +02:00
Nick Mathewson
443dddb749 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-03-09 10:36:35 -05:00
Nick Mathewson
21f9829e79 Merge branch 'maint-0.2.4' into maint-0.2.5 2016-03-09 10:36:20 -05:00
Karsten Loesing
8e2640b15a Update geoip and geoip6 to the March 3 2016 database. 2016-03-04 10:56:51 +01:00
Nick Mathewson
740421af19 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-02-11 13:00:25 -05:00
Nick Mathewson
ce289e2cb5 Merge branch 'maint-0.2.4' into maint-0.2.5 2016-02-11 12:55:40 -05:00
Nick Mathewson
ad95d64fec Merge branch 'bug18162_024' into maint-0.2.4 2016-02-11 12:55:25 -05:00
Nick Mathewson
c2fd648469 Make ensure_capacity a bit more pedantically correct
Issues noted by cypherpunks on #18162
2016-02-11 12:54:52 -05:00
Nick Mathewson
44ad3be221 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-02-05 08:13:24 -05:00
Nick Mathewson
f06d9a9cef Merge branch 'maint-0.2.4' into maint-0.2.5 2016-02-05 08:13:13 -05:00
Karsten Loesing
d5ac79e056 Update geoip and geoip6 to the February 2 2016 database. 2016-02-04 08:53:24 +01:00
Nick Mathewson
bca7083e82 avoid integer overflow in and around smartlist_ensure_capacity.
This closes bug 18162; bugfix on a45b131590, which fixed a related
issue long ago.

In addition to the #18162 issues, this fixes a signed integer overflow
in smarltist_add_all(), which is probably not so great either.
2016-01-27 12:32:41 -05:00
Nick Mathewson
e2efa9e321 Refine the memwipe() arguments check for 18089 a little more.
We still silently ignore
     memwipe(NULL, ch, 0);
and
     memwipe(ptr, ch, 0);  /* for ptr != NULL */

But we now assert on:
     memwipe(NULL, ch, 30);
2016-01-19 08:28:58 -05:00
teor (Tim Wilson-Brown)
db81565331 Make memwipe() do nothing when passed a NULL pointer or zero size
Check size argument to memwipe() for underflow.

Closes bug #18089. Reported by "gk", patch by "teor".
Bugfix on 0.2.3.25 and 0.2.4.6-alpha (#7352),
commit 49dd5ef3 on 7 Nov 2012.
2016-01-18 19:58:07 -05:00
Nick Mathewson
c7b0cd9c2f Merge branch 'maint-0.2.5' into maint-0.2.6 2016-01-07 09:41:36 -08:00
Nick Mathewson
9ca329581a Merge branch 'maint-0.2.4' into maint-0.2.5
Conflicts:
	src/or/config.c
2016-01-07 09:40:23 -08:00
teor (Tim Wilson-Brown)
11f63d26ac Update dannenberg's V3 authority identity fingerprint
This new identity key was changed on 18 November 2015.
2016-01-07 09:39:04 -08:00
Nick Mathewson
400df18688 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-01-07 09:14:05 -08:00
Nick Mathewson
ae223138fb Merge branch 'maint-0.2.4' into maint-0.2.5 2016-01-07 09:13:54 -08:00
Karsten Loesing
1496056c12 Update geoip and geoip6 to the January 5 2016 database. 2016-01-07 11:10:37 +01:00
Nick Mathewson
7a489a6389 Use the correct bug #. For real this time. Thanks again, skruffy 2015-12-10 11:20:24 -05:00
Nick Mathewson
1979414f0f Use the correct bug #. Thanks, skruffy 2015-12-10 11:08:35 -05:00
Nick Mathewson
31b337d2b7 tweak 0276 changelog; copy it into the releasenotes 2015-12-10 10:44:52 -05:00
Nick Mathewson
f01f8e18b8 Merge branch 'maint-0.2.7' into release-0.2.7 2015-12-10 10:05:08 -05:00
Nick Mathewson
7fb19f1ca8 bump maint version to 0.2.7.6 2015-12-10 10:04:59 -05:00
Nick Mathewson
6f3f753c21 Reflow and sort the changelog. 2015-12-10 09:50:52 -05:00
Roger Dingledine
9236e50415 fold in the changes entries 2015-12-10 08:14:58 -05:00
Roger Dingledine
b2a53e8ca9 Merge branch 'maint-0.2.7' into release-0.2.7 2015-12-10 04:12:10 -05:00
Nick Mathewson
c6a337557a Merge branch 'maint-0.2.6' into maint-0.2.7 2015-12-08 10:23:41 -05:00
Nick Mathewson
1adc2bf66f Merge branch 'maint-0.2.5' into maint-0.2.6 2015-12-08 10:20:21 -05:00
Nick Mathewson
c3d11b119d Merge branch 'maint-0.2.4' into maint-0.2.5 2015-12-08 10:20:14 -05:00
Nick Mathewson
35deb4d442 Merge branch 'bug17772_024' into maint-0.2.4 2015-12-08 10:18:31 -05:00