#26037: DirAuths should check vote signatures before parsing
------------------------------+--------------------------------------
     Reporter:  isis          |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.3.5.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  tor-security, tor-crypto
Actual Points:                |  Parent ID:
       Points:  2             |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------------
 teor pointed out that vote parsing occurs before checking the vote's
 signature (both verifying the signature and ensuring that it comes from
 a known valid directory authority).

 dgoulet confirmed this is the case:

 > See dirvote.c, function dirvote_add_vote(). You will notice that the
 > very first thing is parsing the whole thing with
 > networkstatus_parse_vote_from_string(). Now, as far as I can tell, the
 > voter signature check happens in that function. However, by the time
 > we check it out, we've tokenized the votes and parsed _many_ parts of
 > the vote already. (If you look for check_signature_token() in that
 > function).
 >
 > And then once we are done parsing, we do have a valid signature for
 > the vote which then makes us check if we know the authority with
 > trusteddirserver_get_by_v3_auth_digest().

 The issue of anyone being able to trigger a hypothetical vulnerability
 in one of the parsing functions aside, it's also just simply not
 efficient to do all the parsing work and then chuck the results at the
 end of `networkstatus_parse_vote_from_string()` if the signature wasn't
 a valid sig from a known authority.

 This issue has apparently been present since f4ce7f9c9b4 in
 tor-0.2.0.3-alpha.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26037>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
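
An added example, not Tor's code and not part of the ticket, of the ordering the ticket asks for: find the signature trailer, check the signer against the known authorities, verify, and only then run the full parser. The document format, `add_vote`, `make_vote`, `full_parse`, `parse_calls` and the FNV-based `toy_tag` (a placeholder for real signature verification) are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed toy format and hypothetical names, NOT Tor's vote format: body,
 * then "signature <id> <hex-tag>\n"; tag covers bytes through "signature ". */
#define MARKER "\nsignature "
static const char *TRUSTED[] = { "auth1", "auth2" };
int parse_calls = 0;                /* how often the expensive parser ran */
/* Placeholder for real public-key verification (keyed FNV-1a, not crypto). */
static uint32_t toy_tag(const char *id, const char *d, size_t n) {
  uint32_t h = 2166136261u;
  for (; *id; id++) h = (h ^ (uint8_t)*id) * 16777619u;
  for (size_t i = 0; i < n; i++) h = (h ^ (uint8_t)d[i]) * 16777619u;
  return h;
}
/* Stand-in for the full tokenizer, which should only see verified bytes. */
static int full_parse(const char *doc) {
  parse_calls++;
  return strncmp(doc, "vote-version 1\n", 15) == 0 ? 0 : -1;
}
/* 0 ok, -1 no well-formed trailer, -2 unknown signer, -3 bad tag, -4 parse */
int add_vote(const char *doc) {
  const char *sig = NULL, *p = doc;
  char id[32]; unsigned tag; int used = 0;
  while ((p = strstr(p, MARKER)) != NULL) sig = p++;  /* keep last match */
  if (!sig) return -1;
  const char *f = sig + strlen(MARKER);           /* end of signed bytes */
  if (sscanf(f, "%31s %8x%n", id, &tag, &used) != 2 || strcmp(f + used, "\n"))
    return -1;                     /* nothing may follow the signature line */
  size_t i = 0, n = sizeof TRUSTED / sizeof *TRUSTED;
  while (i < n && strcmp(id, TRUSTED[i]) != 0) i++;
  if (i == n) return -2;           /* cheap check first: known authority? */
  if (toy_tag(id, doc, (size_t)(f - doc)) != (uint32_t)tag) return -3;
  return full_parse(doc) == 0 ? 0 : -4;
}
/* Builds a constructed sample; tamper != 0 corrupts the tag. */
const char *make_vote(const char *body, const char *id, int tamper) {
  static char buf[512];
  int n = snprintf(buf, sizeof buf, "%s" MARKER, body);
  if (n < 0 || n > 400 || strlen(id) > 31) return "";
  unsigned tag = (unsigned)toy_tag(id, buf, (size_t)n) ^ (tamper ? 1u : 0u);
  snprintf(buf + n, sizeof buf - (size_t)n, "%s %08x\n", id, tag);
  return buf;
}
int main(void) {
  int bad = add_vote(make_vote("vote-version 1\nr relay1", "auth1", 1));
  int ok = add_vote(make_vote("vote-version 1\nr relay1", "auth1", 0));
  printf("forged=%d valid=%d parser_runs=%d\n", bad, ok, parse_calls);
  return 0;
}
```

Only the trailer is scanned before authentication, so `parse_calls` stays at zero for every rejected document.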