Commit Graph

21997 Commits

Author SHA1 Message Date
Nick Mathewson
fdfc528f85 Merge branch 'bug19152_024_v2' into maint-0.2.8 2016-05-25 09:26:45 -04:00
Nick Mathewson
c4c4380a5e Fix a dangling pointer issue in our RSA keygen code
If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or if
OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and Baishakhi
Ray.

This is potentially scary stuff, so let me walk through my analysis.
I think this is a bug, and a backport candidate, but not remotely
triggerable in any useful way.

Observation 1a:

Looking over the OpenSSL code here, the only way we can really fail in
the non-engine case is if malloc() fails.  But if malloc() is failing,
then tor_malloc() calls should be tor_asserting -- the only way that an
attacker could do an exploit here would be to figure out some way to
make malloc() fail when openssl does it, but work whenever Tor does it.

(Also ordinary malloc() doesn't fail on platforms like Linux that
overcommit.)

Observation 1b:

Although engines are _allowed_ to fail in extra ways, I can't find much
evidence online  that they actually _do_ fail in practice. More evidence
would be nice, though.

Observation 2:

We don't call crypto_pk_generate*() all that often, and we don't do it
in response to external inputs. The only way to get it to happen
remotely would be by causing a hidden service to build new introduction
points.

Observation 3a:

So, let's assume that both of the above observations are wrong, and the
attacker can make us generate a crypto_pk_env_t with a dangling pointer
in its 'key' field, and not immediately crash.

This dangling pointer will point to what used to be an RSA structure,
with the fields all set to NULL.  Actually using this RSA structure,
before the memory is reused for anything else, will cause a crash.

In nearly every function where we call crypto_pk_generate*(), we quickly
use the RSA key pointer -- either to sign something, or to encode the
key, or to free the key.  The only exception is when we generate an
intro key in rend_consider_services_intro_points().  In that case, we
don't actually use the key until the intro circuit is opened -- at which
point we encode it, and use it to sign an introduction request.

So in order to exploit this bug to do anything besides crash Tor, the
attacker needs to make sure that by the time the introduction circuit
completes, either:
  * the e, d, and n BNs look valid, and at least one of the other BNs is
    still NULL.
OR
  * all 8 of the BNs must look valid.

To look like a valid BN, *they* all need to have their 'top' index plus
their 'd' pointer indicate an addressable region in memory.

So actually getting useful data of of this, rather than a crash, is
going to be pretty damn hard.  You'd have to force an introduction point
to be created (or wait for one to be created), and force that particular
crypto_pk_generate*() to fail, and then arrange for the memory that the
RSA points to to in turn point to 3...8 valid BNs, all by the time the
introduction circuit completes.

Naturally, the signature won't check as valid [*], so the intro point
will reject the ESTABLISH_INTRO cell.  So you need to _be_ the
introduction point, or you don't actually see this information.

[*] Okay, so if you could somehow make the 'rsa' pointer point to a
different valid RSA key, then you'd get a valid signature of an
ESTABLISH_INTRO cell using a key that was supposed to be used for
something else ... but nothing else looks like that, so you can't use
that signature elsewhere.

Observation 3b:

Your best bet as an attacker would be to make the dangling RSA pointer
actually contain a fake method, with a fake RSA_private_encrypt
function that actually pointed to code you wanted to execute.  You'd
still need to transit 3 or 4 pointers deep though in order to make that
work.

Conclusion:

By 1, you probably can't trigger this without Tor crashing from OOM.

By 2, you probably can't trigger this reliably.

By 3, even if I'm wrong about 1 and 2, you have to jump through a pretty
big array of hoops in order to get any kind of data leak or code
execution.

So I'm calling it a bug, but not a security hole. Still worth
patching.
2016-05-25 09:23:57 -04:00
Nick Mathewson
6abceca182 Merge branch 'memarea_overflow_027_squashed' into maint-0.2.8 2016-05-25 09:22:02 -04:00
Nick Mathewson
be2d37ad3c Fix a pointer arithmetic bug in memarea_alloc()
Fortunately, the arithmetic cannot actually overflow, so long as we
*always* check for the size of potentially hostile input before
copying it.  I think we do, though.  We do check each line against
MAX_LINE_LENGTH, and each object name or object against
MAX_UNPARSED_OBJECT_SIZE, both of which are 128k.  So to get this
overflow, we need to have our memarea allocated way way too high up
in RAM, which most allocators won't actually do.

Bugfix on 0.2.1.1-alpha, where memarea was introduced.

Found by Guido Vranken.
2016-05-25 09:20:37 -04:00
cypherpunks
87134db57c Do not ignore files that are being tracked by git 2016-05-23 11:02:15 -04:00
Nick Mathewson
50cbf22099 Fix a bug related to moving signing_key_cert
Now that the field exists in signed_descriptor_t, we need to make
sure we free it when we free a signed_descriptor_t, and we need to
make sure that we don't free it when we convert a routerinfo_t to a
signed_descriptor_t.

But not in any released Tor. I found this while working on #19128.

One problem: I don't see how this could cause 19128.
2016-05-20 07:59:09 -04:00
Nick Mathewson
33841a6030 Merge remote-tracking branch 'teor/fix18809-warnings' into maint-0.2.8 2016-05-19 16:04:56 -04:00
Nick Mathewson
0d6f293e0e Merge remote-tracking branch 'public/bug19073' into maint-0.2.8 2016-05-19 15:56:31 -04:00
teor (Tim Wilson-Brown)
2d21f03cdc
Fix unused-but-set-variable warnings in the connection unit tests
No behaviour change - just remove the variables
2016-05-19 12:49:36 -04:00
teor (Tim Wilson-Brown)
c5d87ef6af
Describe what happens when we get a consensus, but no certificates
Comment-only change
2016-05-19 12:35:09 -04:00
Nick Mathewson
dd17df2253 lintchanges on 18809, and fix the bug number 2016-05-19 08:54:19 -04:00
Nick Mathewson
7c7d990704 changelog typo fix 2016-05-19 08:29:45 -04:00
Nick Mathewson
06803c317f Fix a compilation error in test_dir.c 2016-05-19 08:27:11 -04:00
Nick Mathewson
9f217c83b0 Merge branch 'bug18809_028_squashed' into maint-0.2.8 2016-05-19 08:17:02 -04:00
teor (Tim Wilson-Brown)
f698b509d8 Add unit tests for networkstatus_consensus_is_bootstrapping 2016-05-19 07:58:41 -04:00
teor (Tim Wilson-Brown)
d5c70d7102 Restore and improve download schedule unit tests 2016-05-19 07:58:41 -04:00
teor (Tim Wilson-Brown)
4254d0297c Update unit tests for multiple bootstrap connections 2016-05-19 07:58:41 -04:00
teor (Tim Wilson-Brown)
ab0a7e2961 Remove consensus_max_download_tries by refactoring
No behaviour change

This function is used twice. The code is simpler if we split
it up and inline it where it is used.
2016-05-19 07:58:40 -04:00
teor (Tim Wilson-Brown)
8dc8d71226 Changes file for bug 18809 2016-05-19 07:58:40 -04:00
teor (Tim Wilson-Brown)
84ab26c320 Stop downloading consensuses when a consensus has been downloaded
Previosuly, during bootstrap, we would continue to download
consensuses if we had a consensus, but didn't have the certificates
to validate it.
2016-05-19 07:58:40 -04:00
Nick Mathewson
2729f166cb whitespace fixes 2016-05-17 20:08:03 -04:00
Nick Mathewson
ab932cd7bf Remove duplicate siging_key_cert fields.
With the fix for #17150, I added a duplicate certificate here.  Here
I remove the original location in 0.2.8.  (I wouldn't want to do
that in 027, due to the amount of authority-voting-related code
drift.)

Closes 19073.
2016-05-17 20:04:16 -04:00
Nick Mathewson
3f49474349 Merge branch 'bug17150_027_extra' into maint-0.2.8 2016-05-17 19:47:22 -04:00
Nick Mathewson
00f74e0372 Improve API of routerinfo_incompatible_with_extrainfo()
This API change makes it so that routerinfo_incompatible...() no
longer takes a routerinfo_t, so that it's obvious that it should
only look at fields from the signed_descriptor_t.

This change should prevent a recurrence of #17150.
2016-05-17 13:24:01 -04:00
Nick Mathewson
49ff09aef2 Fix another, more subtle, case of bug 17150.
We need to make sure that the corresponding sd and ei match in their
certificates.
2016-05-17 13:16:36 -04:00
Nick Mathewson
8acfac7375 Copy the signing_key_cert field into signed_descriptor_t
We need this field to be in signed_descriptor_t so that
routerinfo_incompatible_with_extrainfo can work correctly (#17150).
But I don't want to move it completely in this patch, since a great
deal of the code that messes with it has been in flux since 0.2.7,
when this ticket was opened.  I should open another ticket about
removing the field from routerinfo_t and extrainfo_t later on.

This patch fixes no actual behavior.
2016-05-17 13:14:04 -04:00
Nick Mathewson
64748f2f98 Fix documentation for routerinfo_incompatible_with_extrainfo 2016-05-17 13:08:34 -04:00
Nick Mathewson
7d1eb0d570 When making sure digest256 matches in ei, look at sd, not ri.
The routerinfo we pass to routerinfo_incompatible_with_extrainfo is
the latest routerinfo for the relay.  The signed_descriptor_t, on
the other hand, is the signed_descriptor_t that corresponds to the
extrainfo.  That means we should be checking the digest256 match
with that signed_descriptor_t, not with the routerinfo.

Fixes bug 17150 (and 19017); bugfix on 0.2.7.2-alpha.
2016-05-17 12:57:03 -04:00
Nick Mathewson
44da47d3c1 Move extra_info_digest256 into signed_descriptor_t
This patch includes no semantic changes; it's just a field movement.

It's prerequisite for a fix to 19017/17150.
2016-05-17 12:53:12 -04:00
Nick Mathewson
d6a2fec05e Merge branch 'bug18616-v4-merged_028' into maint-0.2.8 2016-05-17 11:09:54 -04:00
Nick Mathewson
ff5eb7fc62 Fix remaining lintChanges warnings. 2016-05-17 11:06:41 -04:00
Nick Mathewson
e0fb75c349 Resolve lintChanges warnings. 2016-05-17 11:05:57 -04:00
Nick Mathewson
548d14247e Merge remote-tracking branch 'arma/bug18616-v4' into maint-0.2.8 2016-05-17 10:48:12 -04:00
Roger Dingledine
06031b441e touchups and refactorings on bug 18616 branch
no behavior changes
2016-05-16 17:43:47 -04:00
Nick Mathewson
6cc3397e26 Merge remote-tracking branch 'teor/fallback-script' into maint-0.2.8 2016-05-16 08:33:17 -04:00
Nick Mathewson
e8cc9f3edf Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-12 15:33:47 -04:00
Nick Mathewson
4165b1a0da Merge branch 'bug18977_026_v2' into maint-0.2.7 2016-05-12 15:33:35 -04:00
Nick Mathewson
20b01cece8 Merge branch 'bug18977_024_v2' into bug18977_026_v2
Had conflicts related to other correct_tm bugs in 0.2.6.  Added wday
for another case.
2016-05-12 14:39:06 -04:00
Nick Mathewson
e57f26c135 Have correct_tm set tm_wday as well.
The tm_wday field had been left uninitialized, which was causing
some assertions to fail on Windows unit tests.

Fixes bug 18977.
2016-05-12 14:37:27 -04:00
Nick Mathewson
ce6f2d1c4d Merge remote-tracking branch 'arma/bug19003-try2' into maint-0.2.8 2016-05-12 11:09:33 -04:00
Nick Mathewson
d00d3f1c28 Merge remote-tracking branch 'arma/bug17621-try2' into maint-0.2.8 2016-05-12 10:03:00 -04:00
Roger Dingledine
4a62d7aabc minor touchups on nick's ticket 17621 changes 2016-05-11 16:35:36 -04:00
Nick Mathewson
af4b7d0405 Document the contents of $datadir/keys
Ticket 17621.
2016-05-11 14:03:34 -04:00
Roger Dingledine
163cee1b64 Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-11 13:42:40 -04:00
Roger Dingledine
d40e8695f4 unbreak the build (when warnings are enabled) 2016-05-11 13:42:00 -04:00
Nick Mathewson
8d962233f6 Merge remote-tracking branch 'teor/bug18816_simplify' into maint-0.2.8 2016-05-11 13:20:51 -04:00
Nick Mathewson
24fbb9a81b Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-11 13:15:17 -04:00
Nick Mathewson
4e94580591 Merge remote-tracking branch 'special/bug19032-027' into maint-0.2.7 2016-05-11 13:13:23 -04:00
John Brooks
bf3e32a452 Fix out-of-bounds write during voting with duplicate ed25519 keys
In dirserv_compute_performance_thresholds, we allocate arrays based
on the length of 'routers', a list of routerinfo_t, but loop over
the nodelist. The 'routers' list may be shorter when relays were
filtered by routers_make_ed_keys_unique, leading to an out-of-bounds
write on directory authorities.

This bug was originally introduced in 26e89742, but it doesn't look
possible to trigger until routers_make_ed_keys_unique was introduced
in 13a31e72.

Fixes bug 19032; bugfix on tor 0.2.8.2-alpha.
2016-05-11 13:11:03 -04:00
teor (Tim Wilson-Brown)
797ece042d
Confim we want certificates from fallbacks
Comment-only change
2016-05-11 13:08:45 -04:00