Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Check for replays in PK-encrypted part of intro cell, not just in the g^x value

Nick Mathewson 14 years ago
parent
c75ee94ab4
commit
cb9226bcdb
2 changed files with 36 additions and 3 deletions
Split View Show Diff Stats
  1. 13 0
      changes/replay-firstpart
  2. 23 3
      src/or/rendservice.c

+ 13 - 0
changes/replay-firstpart
View File 

@@ -0,0 +1,13 @@
 
+  o Minor features (security):
 
+
 
+    - Check for replays of the public-key encrypted portion of an
 
+      INTRODUCE1 cell, in addition to the current check for replays of
 
+      the g^x value.  This prevents a possible class of active attacks
 
+      by an attacker who controls both an introduction point and a
 
+      rendezvous point, and who uses the malleability of AES-CTR to
 
+      alter the encrypted g^x portion of the INTRODUCE1 cell.  We
 
+      think that these attacks is infeasible (requiring the attacker
 
+      to send on the order of zettabytes of altered cells in a short
 
+      interval), but we'd rather block them off in case there are any
 
+      classes of this attack that we missed.  Reported by dvorak.
 
+

+ 23 - 3
src/or/rendservice.c
View File 

@@ -976,6 +976,29 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request,
 
              "PK-encrypted portion of INTRODUCE2 cell was truncated.");
 
     return -1;
 
   }
 
+
 
+  if (!service->accepted_intros)
 
+    service->accepted_intros = digestmap_new();
 
+
 
+  {
 
+    char pkpart_digest[DIGEST_LEN];
 
+    /* Check for replay of PK-encrypted portion.  It is slightly naughty to
 
+       use the same digestmap to check for this and for g^x replays, but
 
+       collisions are tremendously unlikely.
 
+    */
 
+    crypto_digest(pkpart_digest, (char*)request+DIGEST_LEN, keylen);
 
+    access_time = digestmap_get(service->accepted_intros, pkpart_digest);
 
+    if (access_time != NULL) {
 
+      log_warn(LD_REND, "Possible replay detected! We received an "
 
+               "INTRODUCE2 cell with same PK-encrypted part %d seconds ago. "
 
+               "Dropping cell.", (int)(now-*access_time));
 
+      return -1;
 
+    }
 
+    access_time = tor_malloc(sizeof(time_t));
 
+    *access_time = now;
 
+    digestmap_set(service->accepted_intros, pkpart_digest, access_time);
 
+  }
 
+
 
   /* Next N bytes is encrypted with service key */
 
   note_crypto_pk_op(REND_SERVER);
 
   r = crypto_pk_private_hybrid_decrypt(
 
@@ -1109,9 +1132,6 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request,
 
 
   /* Check whether there is a past request with the same Diffie-Hellman,
 
    * part 1. */
 
-  if (!service->accepted_intros)
 
-    service->accepted_intros = digestmap_new();
 
-
 
   access_time = digestmap_get(service->accepted_intros, diffie_hellman_hash);
 
   if (access_time != NULL) {
 
     log_warn(LD_REND, "Possible replay detected! We received an "