From 2834cc9c18230c36278ffa94a252abeb91b6cff9 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sat, 11 Nov 2017 13:40:21 -0500 Subject: Fix length of replaycache-checked data. This is a regression; we should have been checking only the public-key encrypted portion. Fixes bug 24244, TROVE-2017-009, and CVE-2017-8819. --- changes/trove-2017-009 | 10 ++++++++++ src/or/rendservice.c | 4 +++- 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 changes/trove-2017-009 diff --git a/changes/trove-2017-009 b/changes/trove-2017-009 new file mode 100644 index 0000000000..512d18c299 --- /dev/null +++ b/changes/trove-2017-009 @@ -0,0 +1,10 @@ + o Major fixes (security): + - When checking for replays in the INTRODUCE1 cell data for a (legacy) + hiddden service, correctly detect replays in the RSA-encrypted part of + the cell. We were previously checking for replays on the entire cell, + but those can be circumvented due to the malleability of Tor's legacy + hybrid encryption. This fix helps prevent a traffic confirmation + attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also + tracked as TROVE-2017-009 and CVE-2017-8819. + + diff --git a/src/or/rendservice.c b/src/or/rendservice.c index d958de9df9..ba8891eade 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1162,6 +1162,7 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, time_t now = time(NULL); time_t elapsed; int replay; + size_t keylen; /* Do some initial validation and logging before we parse the cell */ if (circuit->base_.purpose != CIRCUIT_PURPOSE_S_INTRO) { @@ -1245,9 +1246,10 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, } /* check for replay of PK-encrypted portion. */ + keylen = crypto_pk_keysize(intro_key); replay = replaycache_add_test_and_elapsed( intro_point->accepted_intro_rsa_parts, - parsed_req->ciphertext, parsed_req->ciphertext_len, + parsed_req->ciphertext, MIN(parsed_req->ciphertext_len, keylen), &elapsed); if (replay) { -- cgit v1.2.3-54-g00ecf