From af12c39d6de5bbcd24915db3c4cc9404f102ac02 Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Sun, 23 Oct 2011 14:27:56 -0700 Subject: Don't use any OR connection which sent us a CREATE_FAST cell for an EXTEND Fix suggested by Nick Mathewson. --- src/or/command.c | 6 ++++++ src/or/connection_or.c | 5 +++++ src/or/or.h | 4 ++++ 3 files changed, 15 insertions(+) (limited to 'src/or') diff --git a/src/or/command.c b/src/or/command.c index 61b898cead..a17a3a6025 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -285,7 +285,13 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn) * a CPU worker. */ char keys[CPATH_KEY_MATERIAL_LEN]; char reply[DIGEST_LEN*2]; + tor_assert(cell->command == CELL_CREATE_FAST); + + /* Make sure we never try to use the OR connection on which we + * received this cell to satisfy an EXTEND request, */ + conn->is_connection_with_client = 1; + if (fast_server_handshake(cell->payload, (uint8_t*)reply, (uint8_t*)keys, sizeof(keys))<0) { log_warn(LD_OR,"Failed to generate key material. Closing."); diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 95cc02e34f..35f6da9214 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -519,6 +519,11 @@ connection_or_get_for_extend(const char *digest, tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN)); if (conn->_base.marked_for_close) continue; + /* Never return a connection on which the other end appears to be + * a client. */ + if (conn->is_connection_with_client) { + continue; + } /* Never return a non-open connection. */ if (conn->_base.state != OR_CONN_STATE_OPEN) { /* If the address matches, don't launch a new connection for this diff --git a/src/or/or.h b/src/or/or.h index 4105ff42eb..72e4c639ad 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1031,6 +1031,10 @@ typedef struct or_connection_t { * because the connection is too old, or because there's a better one, etc. */ unsigned int is_bad_for_new_circs:1; + /** True iff we have decided that the other end of this connection + * is a client. Connections with this flag set should never be used + * to satisfy an EXTEND request. */ + unsigned int is_connection_with_client:1; uint8_t link_proto; /**< What protocol version are we using? 0 for * "none negotiated yet." */ circid_t next_circ_id; /**< Which circ_id do we try to use next on -- cgit v1.2.3-54-g00ecf From c05bb53508f5fe3e570a285e6c9ead452ded0e43 Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Sun, 23 Oct 2011 14:58:00 -0700 Subject: Mark which OR connections are outgoing --- src/or/connection_or.c | 2 ++ src/or/or.h | 2 ++ 2 files changed, 4 insertions(+) (limited to 'src/or') diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 35f6da9214..f019c79edd 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -776,6 +776,8 @@ connection_or_connect(const tor_addr_t *_addr, uint16_t port, conn->_base.state = OR_CONN_STATE_CONNECTING; control_event_or_conn_status(conn, OR_CONN_EVENT_LAUNCHED, 0); + conn->is_outgoing = 1; + if (options->HttpsProxy) { /* we shouldn't connect directly. use the https proxy instead. */ tor_addr_from_ipv4h(&addr, options->HttpsProxyAddr); diff --git a/src/or/or.h b/src/or/or.h index 72e4c639ad..edbb73cca5 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1035,6 +1035,8 @@ typedef struct or_connection_t { * is a client. Connections with this flag set should never be used * to satisfy an EXTEND request. */ unsigned int is_connection_with_client:1; + /** True iff this is an outgoing connection. */ + unsigned int is_outgoing:1; uint8_t link_proto; /**< What protocol version are we using? 0 for * "none negotiated yet." */ circid_t next_circ_id; /**< Which circ_id do we try to use next on -- cgit v1.2.3-54-g00ecf From a74e7fd40f1a77eb4000d8216bb5b80cdd8a6193 Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Sun, 23 Oct 2011 15:21:49 -0700 Subject: Reject create cells on outgoing OR connections from bridges --- changes/issue-2011-10-23G | 9 +++++++++ src/or/command.c | 7 +++++-- 2 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 changes/issue-2011-10-23G (limited to 'src/or') diff --git a/changes/issue-2011-10-23G b/changes/issue-2011-10-23G new file mode 100644 index 0000000000..45f86754f0 --- /dev/null +++ b/changes/issue-2011-10-23G @@ -0,0 +1,9 @@ + o Security fixes: + + - Reject CREATE and CREATE_FAST cells on outgoing OR connections + from a bridge to a relay. Previously, we would accept them and + handle them normally, thereby allowing a malicious relay to + easily distinguish bridges which connect to it from clients. + Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha, when bridges were + implemented; found by frosty_un. + diff --git a/src/or/command.c b/src/or/command.c index a17a3a6025..54f23bb0cd 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -219,6 +219,7 @@ static void command_process_create_cell(cell_t *cell, or_connection_t *conn) { or_circuit_t *circ; + or_options_t *options = get_options(); int id_is_high; if (we_are_hibernating()) { @@ -230,9 +231,11 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn) return; } - if (!server_mode(get_options())) { + if (!server_mode(options) || + (!public_server_mode(options) && conn->is_outgoing)) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, - "Received create cell (type %d) from %s:%d, but we're a client. " + "Received create cell (type %d) from %s:%d, but we're connected " + "to it as a client. " "Sending back a destroy.", (int)cell->command, conn->_base.address, conn->_base.port); connection_or_send_destroy(cell->circ_id, conn, -- cgit v1.2.3-54-g00ecf From 4d0f152aadabd431924acb137990081269cffb3d Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Mon, 24 Oct 2011 23:36:57 -0700 Subject: Make tor_version_same_series non-static --- src/or/routerparse.c | 3 +-- src/or/routerparse.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'src/or') diff --git a/src/or/routerparse.c b/src/or/routerparse.c index aed4fd131e..001c4d6c7f 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -572,7 +572,6 @@ static int check_signature_token(const char *digest, int flags, const char *doctype); static crypto_pk_env_t *find_dir_signing_key(const char *str, const char *eos); -static int tor_version_same_series(tor_version_t *a, tor_version_t *b); #undef DEBUG_AREA_ALLOC @@ -4556,7 +4555,7 @@ tor_version_compare(tor_version_t *a, tor_version_t *b) /** Return true iff versions a and b belong to the same series. */ -static int +int tor_version_same_series(tor_version_t *a, tor_version_t *b) { tor_assert(a); diff --git a/src/or/routerparse.h b/src/or/routerparse.h index 8b8cde25f6..527de5dc8b 100644 --- a/src/or/routerparse.h +++ b/src/or/routerparse.h @@ -47,6 +47,7 @@ version_status_t tor_version_is_obsolete(const char *myversion, int tor_version_parse(const char *s, tor_version_t *out); int tor_version_as_new_as(const char *platform, const char *cutoff); int tor_version_compare(tor_version_t *a, tor_version_t *b); +int tor_version_same_series(tor_version_t *a, tor_version_t *b); void sort_version_list(smartlist_t *lst, int remove_duplicates); void assert_addr_policy_ok(smartlist_t *t); void dump_distinct_digest_count(int severity); -- cgit v1.2.3-54-g00ecf From 00fffbc1a15e2696a89c721d0c94dc333ff419ef Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Tue, 25 Oct 2011 00:24:15 -0700 Subject: Don't give the Guard flag to relays without the CVE-2011-2768 fix --- changes/issue-2011-10-19L | 7 +++++ src/or/dirserv.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 77 insertions(+), 1 deletion(-) (limited to 'src/or') diff --git a/changes/issue-2011-10-19L b/changes/issue-2011-10-19L index 1fefd7267e..b879c9d401 100644 --- a/changes/issue-2011-10-19L +++ b/changes/issue-2011-10-19L @@ -19,3 +19,10 @@ client is connected to a patched relay. Bugfix on FIXME; found by frosty_un. + - Don't assign the Guard flag to relays running a version of Tor + which would use an OR connection on which it has received a + CREATE_FAST cell to satisfy an EXTEND request. Mitigates + CVE-2011-2768, by ensuring that clients will not connect + directly to any relay which an attacker could probe for an + unpatched client's connections. + diff --git a/src/or/dirserv.c b/src/or/dirserv.c index 66079018ab..fa7f693afe 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -2251,6 +2251,74 @@ get_possible_sybil_list(const smartlist_t *routers) return omit_as_sybil; } +/** Return non-zero iff a relay running the Tor version specified in + * platform is suitable for use as a potential entry guard. */ +static int +is_router_version_good_for_possible_guard(const char *platform) +{ + static int parsed_versions_initialized = 0; + static tor_version_t first_good_0_2_1_guard_version; + static tor_version_t first_good_0_2_2_guard_version; + static tor_version_t first_good_later_guard_version; + + tor_version_t router_version; + + /* XXX023 This block should be extracted into its own function. */ + /* XXXX Begin code copied from tor_version_as_new_as (in routerparse.c) */ + { + char *s, *s2, *start; + char tmp[128]; + + tor_assert(platform); + + if (strcmpstart(platform,"Tor ")) /* nonstandard Tor; be safe and say yes */ + return 1; + + start = (char *)eat_whitespace(platform+3); + if (!*start) return 0; + s = (char *)find_whitespace(start); /* also finds '\0', which is fine */ + s2 = (char*)eat_whitespace(s); + if (!strcmpstart(s2, "(r") || !strcmpstart(s2, "(git-")) + s = (char*)find_whitespace(s2); + + if ((size_t)(s-start+1) >= sizeof(tmp)) /* too big, no */ + return 0; + strlcpy(tmp, start, s-start+1); + + if (tor_version_parse(tmp, &router_version)<0) { + log_info(LD_DIR,"Router version '%s' unparseable.",tmp); + return 1; /* be safe and say yes */ + } + } + /* XXXX End code copied from tor_version_as_new_as (in routerparse.c) */ + + if (!parsed_versions_initialized) { + /* CVE-2011-2769 was fixed on the relay side in Tor versions + * 0.2.1.31, 0.2.2.34, and 0.2.3.6-alpha. */ + tor_assert(tor_version_parse("0.2.1.31", + &first_good_0_2_1_guard_version)>=0); + tor_assert(tor_version_parse("0.2.2.34", + &first_good_0_2_2_guard_version)>=0); + tor_assert(tor_version_parse("0.2.3.6-alpha", + &first_good_later_guard_version)>=0); + + /* Don't parse these constant version strings once for every relay + * for every vote. */ + parsed_versions_initialized = 1; + } + + return ((tor_version_same_series(&first_good_0_2_1_guard_version, + &router_version) && + tor_version_compare(&first_good_0_2_1_guard_version, + &router_version) <= 0) || + (tor_version_same_series(&first_good_0_2_2_guard_version, + &router_version) && + tor_version_compare(&first_good_0_2_2_guard_version, + &router_version) <= 0) || + (tor_version_compare(&first_good_later_guard_version, + &router_version) <= 0)); +} + /** Extract status information from ri and from other authority * functions and store it in rs>. If naming, consider setting * the named flag in rs. @@ -2294,7 +2362,8 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs, (router_get_advertised_bandwidth(ri) >= BANDWIDTH_TO_GUARANTEE_GUARD || router_get_advertised_bandwidth(ri) >= MIN(guard_bandwidth_including_exits, - guard_bandwidth_excluding_exits))) { + guard_bandwidth_excluding_exits)) && + is_router_version_good_for_possible_guard(ri->platform)) { long tk = rep_hist_get_weighted_time_known( ri->cache_info.identity_digest, now); double wfu = rep_hist_get_weighted_fractional_uptime( -- cgit v1.2.3-54-g00ecf From 4684ced1b3fced0543fa65bf01f75c5d81eaf464 Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Tue, 25 Oct 2011 12:33:21 -0700 Subject: Add option to give guard flag to relays without the CVE-2011-2768 fix This way, all of the DA operators can upgrade immediately, without nuking every client's set of entry guards as soon as a majority of them upgrade. Until enough guards have upgraded, a majority of dirauths should set this config option so that there are still enough guards in the network. After a few days pass, all dirauths should use the default. --- src/or/config.c | 2 ++ src/or/dirserv.c | 4 +++- src/or/or.h | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) (limited to 'src/or') diff --git a/src/or/config.c b/src/or/config.c index 230ccf25c0..78e433620d 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -269,6 +269,8 @@ static config_var_t _option_vars[] = { V(GeoIPFile, FILENAME, SHARE_DATADIR PATH_SEPARATOR "tor" PATH_SEPARATOR "geoip"), #endif + V(GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays, + BOOL, "0"), OBSOLETE("Group"), V(HardwareAccel, BOOL, "0"), V(AccelName, STRING, NULL), diff --git a/src/or/dirserv.c b/src/or/dirserv.c index fa7f693afe..c427fe2ef3 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -2332,6 +2332,7 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs, int naming, int listbadexits, int listbaddirs, int vote_on_hsdirs) { + const or_options_t *options = get_options(); int unstable_version = !tor_version_as_new_as(ri->platform,"0.1.1.16-rc-cvs"); memset(rs, 0, sizeof(routerstatus_t)); @@ -2363,7 +2364,8 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs, router_get_advertised_bandwidth(ri) >= MIN(guard_bandwidth_including_exits, guard_bandwidth_excluding_exits)) && - is_router_version_good_for_possible_guard(ri->platform)) { + (options->GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays || + is_router_version_good_for_possible_guard(ri->platform))) { long tk = rep_hist_get_weighted_time_known( ri->cache_info.identity_digest, now); double wfu = rep_hist_get_weighted_fractional_uptime( diff --git a/src/or/or.h b/src/or/or.h index 8638f20997..7d50e1f505 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2672,6 +2672,10 @@ typedef struct { * number of servers per IP address shared * with an authority. */ + /** Should we assign the Guard flag to relays which would allow + * exploitation of CVE-2011-2768 against their clients? */ + int GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays; + char *AccountingStart; /**< How long is the accounting interval, and when * does it start? */ uint64_t AccountingMax; /**< How many bytes do we allow per accounting -- cgit v1.2.3-54-g00ecf