14 years ago · 7571e9f1cb
--- a/changes/check-fetched-rend-desc-service-id
+++ b/changes/check-fetched-rend-desc-service-id
@@ -0,0 +1,7 @@
 
				+  o Security fixes:
			
 
				+    - When fetching a hidden service descriptor, check that it is for
			
 
				+      the hidden service we were trying to connect to, in order to
			
 
				+      stop a directory from pre-seeding a client with a descriptor for
			
 
				+      a hidden service that they didn't want.  Bugfix on 0.0.6.
			
 
				+
			
 
				+
			
--- a/src/or/directory.c
+++ b/src/or/directory.c
@@ -1909,7 +1909,8 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
 
				              (int)body_len, status_code, escaped(reason));
			
 
				     switch (status_code) {
			
 
				       case 200:
			
 
				-        if (rend_cache_store(body, body_len, 0) < -1) {
			
 
				+        if (rend_cache_store(body, body_len, 0,
			
 
				+                             conn->rend_data->onion_address) < -1) {
			
 
				           log_warn(LD_REND,"Failed to parse rendezvous descriptor.");
			
 
				           /* Any pending rendezvous attempts will notice when
			
 
				            * connection_about_to_close_connection()
			
@@ -3114,7 +3115,7 @@ directory_handle_command_post(dir_connection_t *conn, const char *headers,
 
				       !strcmpstart(url,"/tor/rendezvous/publish")) {
			
 
				     /* rendezvous descriptor post */
			
 
				     log_info(LD_REND, "Handling rendezvous descriptor post.");
			
 
				-    if (rend_cache_store(body, body_len, 1) < 0) {
			
 
				+    if (rend_cache_store(body, body_len, 1, NULL) < 0) {
			
 
				       log_fn(LOG_PROTOCOL_WARN, LD_DIRSERV,
			
 
				              "Rejected rend descriptor (length %d) from %s.",
			
 
				              (int)body_len, conn->_base.address);
			
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -4146,7 +4146,8 @@ int rend_cache_lookup_desc(const char *query, int version, const char **desc,
 
				 int rend_cache_lookup_entry(const char *query, int version,
			
 
				                             rend_cache_entry_t **entry_out);
			
 
				 int rend_cache_lookup_v2_desc_as_dir(const char *query, const char **desc);
			
 
				-int rend_cache_store(const char *desc, size_t desc_len, int published);
			
 
				+int rend_cache_store(const char *desc, size_t desc_len, int published,
			
 
				+                     const char *service_id);
			
 
				 int rend_cache_store_v2_desc_as_client(const char *desc,
			
 
				                                        const rend_data_t *rend_query);
			
 
				 int rend_cache_store_v2_desc_as_dir(const char *desc);
			
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -1047,9 +1047,14 @@ rend_cache_lookup_v2_desc_as_dir(const char *desc_id, const char **desc)
 
				  *
			
 
				  * The published flag tells us if we store the descriptor
			
 
				  * in our role as directory (1) or if we cache it as client (0).
			
 
				+ *
			
 
				+ * If <b>service_id</b> is non-NULL and the descriptor is not for that
			
 
				+ * service ID, reject it.  <b>service_id</b> must be specified if and
			
 
				+ * only if <b>published</b> is 0 (we fetched this descriptor).
			
 
				  */
			
 
				 int
			
 
				-rend_cache_store(const char *desc, size_t desc_len, int published)
			
 
				+rend_cache_store(const char *desc, size_t desc_len, int published,
			
 
				+                 const char *service_id)
			
 
				 {
			
 
				   rend_cache_entry_t *e;
			
 
				   rend_service_descriptor_t *parsed;
			
@@ -1068,6 +1073,12 @@ rend_cache_store(const char *desc, size_t desc_len, int published)
 
				     rend_service_descriptor_free(parsed);
			
 
				     return -2;
			
 
				   }
			
 
				+  if ((service_id != NULL) && strcmp(query, service_id)) {
			
 
				+    log_warn(LD_REND, "Received service descriptor for service ID %s; "
			
 
				+             "expected descriptor for service ID %s.",
			
 
				+             query, safe_str(service_id));
			
 
				+    return -2;
			
 
				+  }
			
 
				   now = time(NULL);
			
 
				   if (parsed->timestamp < now-REND_CACHE_MAX_AGE-REND_CACHE_MAX_SKEW) {
			
 
				     log_fn(LOG_PROTOCOL_WARN, LD_REND,
			
@@ -1253,6 +1264,8 @@ rend_cache_store_v2_desc_as_dir(const char *desc)
 
				  * If we have an older descriptor with the same ID, replace it.
			
 
				  * If we have any v0 descriptor with the same ID, reject this one in order
			
 
				  * to not get confused with having both versions for the same service.
			
 
				+ * If the descriptor's service ID does not match
			
 
				+ * <b>rend_query</b>-\>onion_address, reject it.
			
 
				  * Return -2 if it's malformed or otherwise rejected; return -1 if we
			
 
				  * already have a v0 descriptor here; return 0 if it's the same or older
			
 
				  * than one we've already got; return 1 if it's novel.
			
@@ -1303,6 +1316,13 @@ rend_cache_store_v2_desc_as_client(const char *desc,
 
				     retval = -2;
			
 
				     goto err;
			
 
				   }
			
 
				+  if (strcmp(rend_query->onion_address, service_id)) {
			
 
				+    log_warn(LD_REND, "Received service descriptor for service ID %s; "
			
 
				+             "expected descriptor for service ID %s.",
			
 
				+             service_id, safe_str(rend_query->onion_address));
			
 
				+    retval = -2;
			
 
				+    goto err;
			
 
				+  }
			
 
				   /* Decode/decrypt introduction points. */
			
 
				   if (intro_content) {
			
 
				     if (rend_query->auth_type != REND_NO_AUTH &&