6 years ago · ba4a9cf0c0
--- a/changes/trove-2017-009
+++ b/changes/trove-2017-009
@@ -0,0 +1,10 @@
 
				+  o Major bugfixes (security):
			
 
				+    - When checking for replays in the INTRODUCE1 cell data for a (legacy)
			
 
				+      hiddden service, correctly detect replays in the RSA-encrypted part of
			
 
				+      the cell. We were previously checking for replays on the entire cell,
			
 
				+      but those can be circumvented due to the malleability of Tor's legacy
			
 
				+      hybrid encryption. This fix helps prevent a traffic confirmation
			
 
				+      attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also
			
 
				+      tracked as TROVE-2017-009 and CVE-2017-8819.
			
 
				+
			
 
				+
			
--- a/changes/trove-2017-011
+++ b/changes/trove-2017-011
@@ -0,0 +1,8 @@
 
				+  o Major bugfixes (security):
			
 
				+    - Fix a denial of service bug where an attacker could use a malformed
			
 
				+      directory object to cause a Tor instance to pause while OpenSSL would
			
 
				+      try to read a passphrase from the terminal. (If the terminal was not
			
 
				+      available, tor would continue running.)  Fixes bug 24246; bugfix on
			
 
				+      every version of Tor.  Also tracked as TROVE-2017-011 and
			
 
				+      CVE-2017-8821.  Found by OSS-Fuzz as testcase 6360145429790720.
			
 
				+
			
--- a/changes/trove-2017-012-part1
+++ b/changes/trove-2017-012-part1
@@ -0,0 +1,6 @@
 
				+  o Major bugfixes (security, relay):
			
 
				+    - When running as a relay, make sure that we never build a path through
			
 
				+      ourselves, even in the case where we have somehow lost the version of
			
 
				+      our descriptor appearing in the consensus. Fixes part of bug 21534;
			
 
				+      bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
			
 
				+      and CVE-2017-8822.
			
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -666,11 +666,21 @@ MOCK_IMPL(int,
 
				   return 0;
			
 
				 }
			
 
				 
			
 
				+/** A PEM callback that always reports a failure to get a password */
			
 
				+static int
			
 
				+pem_no_password_cb(char *buf, int size, int rwflag, void *u)
			
 
				+{
			
 
				+  (void)buf;
			
 
				+  (void)size;
			
 
				+  (void)rwflag;
			
 
				+  (void)u;
			
 
				+  return 0;
			
 
				+}
			
 
				+
			
 
				 /** Read a PEM-encoded private key from the <b>len</b>-byte string <b>s</b>
			
 
				  * into <b>env</b>.  Return 0 on success, -1 on failure.  If len is -1,
			
 
				  * the string is nul-terminated.
			
 
				  */
			
 
				-/* Used here, and used for testing. */
			
 
				 int
			
 
				 crypto_pk_read_private_key_from_string(crypto_pk_t *env,
			
 
				                                        const char *s, ssize_t len)
			
@@ -689,7 +699,7 @@ crypto_pk_read_private_key_from_string(crypto_pk_t *env,
 
				   if (env->key)
			
 
				     RSA_free(env->key);
			
 
				 
			
 
				-  env->key = PEM_read_bio_RSAPrivateKey(b,NULL,NULL,NULL);
			
 
				+  env->key = PEM_read_bio_RSAPrivateKey(b,NULL,pem_no_password_cb,NULL);
			
 
				 
			
 
				   BIO_free(b);
			
 
				 
			
@@ -821,7 +831,7 @@ crypto_pk_read_public_key_from_string(crypto_pk_t *env, const char *src,
 
				 
			
 
				   if (env->key)
			
 
				     RSA_free(env->key);
			
 
				-  env->key = PEM_read_bio_RSAPublicKey(b, NULL, NULL, NULL);
			
 
				+  env->key = PEM_read_bio_RSAPublicKey(b, NULL, pem_no_password_cb, NULL);
			
 
				   BIO_free(b);
			
 
				   if (!env->key) {
			
 
				     crypto_log_errors(LOG_WARN, "reading public key from string");
			
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -1469,6 +1469,7 @@ rend_service_receive_introduction(origin_circuit_t *circuit,
 
				   time_t now = time(NULL);
			
 
				   time_t elapsed;
			
 
				   int replay;
			
 
				+  size_t keylen;
			
 
				 
			
 
				   /* Do some initial validation and logging before we parse the cell */
			
 
				   if (circuit->base_.purpose != CIRCUIT_PURPOSE_S_INTRO) {
			
@@ -1544,9 +1545,10 @@ rend_service_receive_introduction(origin_circuit_t *circuit,
 
				   }
			
 
				 
			
 
				   /* check for replay of PK-encrypted portion. */
			
 
				+  keylen = crypto_pk_keysize(intro_key);
			
 
				   replay = replaycache_add_test_and_elapsed(
			
 
				     intro_point->accepted_intro_rsa_parts,
			
 
				-    parsed_req->ciphertext, parsed_req->ciphertext_len,
			
 
				+    parsed_req->ciphertext, MIN(parsed_req->ciphertext_len, keylen),
			
 
				     &elapsed);
			
 
				 
			
 
				   if (replay) {
			
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -2536,7 +2536,10 @@ router_choose_random_node(smartlist_t *excludedsmartlist,
 
				       });
			
 
				   }
			
 
				 
			
 
				-  if ((r = routerlist_find_my_routerinfo()))
			
 
				+  /* If the node_t is not found we won't be to exclude ourself but we
			
 
				+   * won't be able to pick ourself in router_choose_random_node() so
			
 
				+   * this is fine to at least try with our routerinfo_t object. */
			
 
				+  if ((r = router_get_my_routerinfo()))
			
 
				     routerlist_add_node_and_family(excludednodes, r);
			
 
				 
			
 
				   router_add_running_nodes_to_smartlist(sl, allow_invalid,