#26037: DirAuths should check vote signatures before parsing
--------------------------------------+------------------------------------
 Reporter:  isis                      |          Owner:  (none)
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:  Tor: 0.3.5.x-final
Component:  Core Tor/Tor              |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tor-security, tor-crypto  |  Actual Points:
Parent ID:                            |         Points:  2
 Reviewer:                            |        Sponsor:
--------------------------------------+------------------------------------
Description changed by isis:
Old description:

> teor pointed out that vote parsing occurs before checking the vote's
> signature (both verifying the signature and ensuring that it comes from a
> known valid directory authority). dgoulet confirmed this is the case:
>
> > See dirvote.c, function dirvote_add_vote(). You will notice that the
> > very first thing is parsing the whole thing with
> > networkstatus_parse_vote_from_string(). Now, as far as I can tell, the
> > voter signature check happens in that function. However, by the time we
> > check it out, we've tokenized the votes and parsed _many_ parts of the
> > vote already. (If you look for check_signature_token() in that function).
> >
> > And then once we are done parsing, we do have a valid signature for the
> > vote, which then makes us check if we know the authority with
> > trusteddirserver_get_by_v3_auth_digest().
>
> The issue of anyone being able to trigger a hypothetical vulnerability in
> one of the parsing functions aside, it's also just simply not efficient
> to do all the parsing work and then chuck the results at the end of
> `networkstatus_parse_vote_from_string()` if the signature wasn't from a
> valid sig from a known authority.
>
> This issue has apparently been present since f4ce7f9c9b4 in
> tor-0.2.0.3-alpha.

New description:

teor pointed out that vote parsing occurs before checking the vote's
signature (both verifying the signature and ensuring that it comes from a
known valid directory authority). dgoulet confirmed this is the case:

> See dirvote.c, function dirvote_add_vote(). You will notice that the
> very first thing is parsing the whole thing with
> networkstatus_parse_vote_from_string(). Now, as far as I can tell, the
> voter signature check happens in that function. However, by the time we
> check it out, we've tokenized the votes and parsed _many_ parts of the
> vote already. (If you look for check_signature_token() in that function).
>
> And then once we are done parsing, we do have a valid signature for the
> vote, which then makes us check if we know the authority with
> trusteddirserver_get_by_v3_auth_digest().

The issue of anyone being able to trigger a hypothetical vulnerability in
one of the parsing functions aside, it's also just simply not efficient
to do all the parsing work and then chuck the results at the end of
`networkstatus_parse_vote_from_string()` if the signature wasn't from a
valid sig from a known authority.

This issue has apparently been present since f4ce7f9c9b4 in
tor-0.2.0.3-alpha.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26037#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
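The reordering the ticket asks for, as an added example that is not Tor's code: a small C sketch of a dirvote_add_vote()-style entry point that locates the signature line with a plain byte search, rejects the vote unless the signer is in a known-authority table and the signature verifies over the covered bytes, and only then hands the body to the parser. Everything here is an assumption of the example rather than Tor's implementation: the function names (add_vote, check_vote_signature, find_sig_line, parse_vote_body, make_signed_vote, router_count), the authority table, the constructed sample vote body, and above all the FNV-1a-based stand-in that replaces the RSA signature so the block compiles without a crypto library.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASSUMPTION: the "signature" is a stand-in for the RSA signature an authority
 * puts on its vote (64-bit FNV-1a over the covered bytes, then over a per-
 * authority secret). Not real cryptography; the example is about check order. */
static uint64_t fnv1a(const char *p, size_t n, uint64_t h)
{ for (size_t i = 0; i < n; i++) { h ^= (unsigned char)p[i]; h *= 0x100000001b3ULL; } return h; }
/* Tor signs from the document start through the space after "directory-signature". */
static uint64_t sign_stub(const char *doc, size_t covered, const char *secret)
{ return fnv1a(secret, strlen(secret), fnv1a(doc, covered, 0xcbf29ce484222325ULL)); }

typedef struct { const char *id_digest; const char *secret; } authority_t;
/* Constructed table of known directory authorities (hypothetical values). */
static const authority_t known_auths[] = { { "AAAA1111", "secret-a" }, { "BBBB2222", "secret-b" } };
#define N_AUTHS (sizeof(known_auths) / sizeof(known_auths[0]))
static const char SIG_KW[] = "directory-signature ";
enum vote_status { VOTE_OK, VOTE_NO_SIG, VOTE_UNKNOWN_AUTH, VOTE_BAD_SIG, VOTE_PARSE_ERR };
int g_parse_calls = 0; /* how often the body parser ran; stays 0 for rejected votes */

/* Step 1 (cheap): find the last "directory-signature" line by byte search only. */
static const char *find_sig_line(const char *doc)
{
    const char *last = strncmp(doc, SIG_KW, strlen(SIG_KW)) == 0 ? doc : NULL;
    for (const char *p = doc; (p = strstr(p, "\ndirectory-signature ")) != NULL; p = last)
        last = p + 1;
    return last;
}

/* Steps 2 and 3: known signer, then valid signature, before any body parsing. */
static enum vote_status check_vote_signature(const char *doc)
{
    const char *line = find_sig_line(doc);
    const authority_t *auth = NULL;
    char id[32];
    unsigned long long sig;
    if (!line || sscanf(line + strlen(SIG_KW), "%31s %llx", id, &sig) != 2)
        return VOTE_NO_SIG;
    for (size_t i = 0; i < N_AUTHS; i++) /* trusteddirserver_get_by_v3_auth_digest() analogue */
        if (strcmp(known_auths[i].id_digest, id) == 0) auth = &known_auths[i];
    if (!auth) return VOTE_UNKNOWN_AUTH;
    if (sign_stub(doc, (size_t)(line - doc) + strlen(SIG_KW), auth->secret) != sig)
        return VOTE_BAD_SIG;
    return VOTE_OK;
}

/* Step 4: body parsing, reduced to a vote-status check plus counting "r " lines. */
static enum vote_status parse_vote_body(const char *doc, int *n_routers)
{
    g_parse_calls++;
    *n_routers = 0;
    if (!strstr(doc, "\nvote-status vote\n")) return VOTE_PARSE_ERR;
    for (const char *p = doc; (p = strstr(p, "\nr ")) != NULL; p += 3) (*n_routers)++;
    return VOTE_OK;
}

/* dirvote_add_vote() analogue with the checks in the order the ticket asks for. */
enum vote_status add_vote(const char *doc, int *n_routers)
{
    int n = 0;
    enum vote_status st = check_vote_signature(doc);
    if (st == VOTE_OK) st = parse_vote_body(doc, &n);
    if (n_routers) *n_routers = n;
    return st;
}
int router_count(const char *doc) { int n; return add_vote(doc, &n) == VOTE_OK ? n : -1; }

/* Example helper: append a signature line for id_digest to body (must end in '\n'). */
char *make_signed_vote(const char *body, const char *id_digest, const char *secret)
{
    size_t blen = strlen(body), klen = strlen(SIG_KW);
    char *doc = malloc(blen + klen + 64);
    memcpy(doc, body, blen);
    memcpy(doc + blen, SIG_KW, klen);
    snprintf(doc + blen + klen, 64, "%s %016llx\n", id_digest,
             (unsigned long long)sign_stub(doc, blen + klen, secret));
    return doc;
}

/* Constructed sample body; not a real Tor vote. */
const char SAMPLE_BODY[] =
    "network-status-version 3\nvote-status vote\n"
    "r relay1 AAAAAAAAAAAAAAAAAAAAAAAAAAA 2018-05-01 00:00:00 10.0.0.1 9001 0\n"
    "r relay2 BBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-05-01 00:00:00 10.0.0.2 9001 0\n";

int main(void)
{
    int n;
    char *good = make_signed_vote(SAMPLE_BODY, "AAAA1111", "secret-a");
    enum vote_status st = add_vote(good, &n);
    printf("valid vote: status %d, %d routers\n", st, n);
    good[strlen("network-status-version 3\nvote-status ")] = 'X'; /* tamper after signing */
    st = add_vote(good, &n);
    printf("tampered vote: status %d, parser ran %d time(s)\n", st, g_parse_calls);
    free(good);
    return 0;
}
```

Build with `cc -std=c11 -o vote vote.c && ./vote`. The property to keep in mind is the g_parse_calls counter: for a vote with an unknown signer, a bad signature or no signature line at all, parse_vote_body() never runs, so an attacker who is not an authority never reaches the tokenizer. The only code that touches untrusted bytes before the signature check is the strstr/sscanf scan for the trailing signature line, which is far smaller than the full vote parser. The covered region is bounded by the signature line itself, so the scan must take the last such line and the verifier must hash exactly the bytes the signer hashed; with the real RSA primitive swapped in for sign_stub, the structure is unchanged.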