diff options
| author | Nick Mathewson <nickm@torproject.org> | 2012-10-16 13:41:55 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2012-10-17 19:19:58 -0400 |
| commit | 3d8b73db553712b2bea4fc74b8f478f1b1b39aee (patch) | |
| tree | 15a9329801d89f8fb0a3eb1bd1d494ce98ec4241 | |
| parent | 94a030990986e6c731141da3969aeae3ec0f5ea8 (diff) | |
| download | tor-3d8b73db553712b2bea4fc74b8f478f1b1b39aee.tar.gz tor-3d8b73db553712b2bea4fc74b8f478f1b1b39aee.zip | |
Discard extraneous renegotiation attempts in the v3 link protocol
Failure to do so left us open to a remotely triggerable assertion
failure. Fixes CVE-2012-2249; bugfix on 0.2.3.6-alpha. Reported by
"some guy from France".
This patch is a forward-port to 0.2.4, to work with the new channel
logic.
| -rw-r--r-- | changes/cve-2012-2249 | 5 | ||||
| -rw-r--r-- | src/or/channeltls.c | 1 | ||||
| -rw-r--r-- | src/or/connection_or.c | 14 | ||||
| -rw-r--r-- | src/or/connection_or.h | 1 |
4 files changed, 19 insertions, 2 deletions
diff --git a/changes/cve-2012-2249 b/changes/cve-2012-2249 new file mode 100644 index 0000000000..625bfa2f58 --- /dev/null +++ b/changes/cve-2012-2249 @@ -0,0 +1,5 @@ + o Major bugfixes (security): + - Discard extraneous renegotiation attempts once the V3 link + protocol has been initiated. Failure to do so left us open to + a remotely triggerable assertion failure. Fixes CVE-2012-2249; + bugfix on 0.2.3.6-alpha. Reported by "some guy from France". diff --git a/src/or/channeltls.c b/src/or/channeltls.c index 234aa3111d..4470e92b79 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -1130,6 +1130,7 @@ enter_v3_handshake_with_cell(var_cell_t *cell, channel_tls_t *chan) "Received a cell while TLS-handshaking, not in " "OR_HANDSHAKING_V3, on a connection we originated."); } + connection_or_block_renegotiation(chan->conn); chan->conn->base_.state = OR_CONN_STATE_OR_HANDSHAKING_V3; if (connection_init_or_handshake_state(chan->conn, started_here) < 0) { connection_or_close_for_error(chan->conn, 0); diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 877ddf1315..92feb53af1 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -1251,6 +1251,17 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving) return 0; } +/** Block all future attempts to renegotiate on 'conn' */ +void +connection_or_block_renegotiation(or_connection_t *conn) +{ + tor_tls_t *tls = conn->tls; + if (!tls) + return; + tor_tls_set_renegotiate_callback(tls, NULL, NULL); + tor_tls_block_renegotiation(tls); +} + /** Invoked on the server side from inside tor_tls_read() when the server * gets a successful TLS renegotiation from the client. */ static void @@ -1260,8 +1271,7 @@ connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn) (void)tls; /* Don't invoke this again. */ - tor_tls_set_renegotiate_callback(tls, NULL, NULL); - tor_tls_block_renegotiation(tls); + connection_or_block_renegotiation(conn); if (connection_tls_finish_handshake(conn) < 0) { /* XXXX_TLS double-check that it's ok to do this from inside read. */ diff --git a/src/or/connection_or.h b/src/or/connection_or.h index adfdde8d1b..727de211b0 100644 --- a/src/or/connection_or.h +++ b/src/or/connection_or.h @@ -21,6 +21,7 @@ or_connection_t *connection_or_get_for_extend(const char *digest, int *launch_out); void connection_or_set_bad_connections(const char *digest, int force); +void connection_or_block_renegotiation(or_connection_t *conn); int connection_or_reached_eof(or_connection_t *conn); int connection_or_process_inbuf(or_connection_t *conn); int connection_or_flushed_some(or_connection_t *conn); |