From 638fdedcf16cf7d6f7c586d36f7ef335c1c9714f Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sun, 23 Oct 2011 16:06:06 +0000 Subject: [PATCH 1/4] Don't send a certificate chain on outgoing TLS connections from non-relays --- changes/issue-2011-10-19L | 12 +++++ src/common/tortls.c | 93 +++++++++++++++++++++++---------------- 2 files changed, 66 insertions(+), 39 deletions(-) create mode 100644 changes/issue-2011-10-19L diff --git a/changes/issue-2011-10-19L b/changes/issue-2011-10-19L new file mode 100644 index 000000000..972823eee --- /dev/null +++ b/changes/issue-2011-10-19L @@ -0,0 +1,12 @@ + o Security fixes: + + - Don't send TLS certificate chains on outgoing OR connections + from clients and bridges. Previously, each client or bridge + would use a single cert chain for all outgoing OR connections + for up to 24 hours, which allowed any relay connected to by a + client or bridge to determine which entry guards it is using. + This is a potential user-tracing bug for *all* users; everyone + who uses Tor's client or hidden service functionality should + upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by + frosty_un. + diff --git a/src/common/tortls.c b/src/common/tortls.c index c78a9ec95..cc805f80c 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -186,9 +186,11 @@ static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa, static void tor_tls_unblock_renegotiation(tor_tls_t *tls); static int tor_tls_context_init_one(tor_tls_context_t **ppcontext, crypto_pk_env_t *identity, - unsigned int key_lifetime); + unsigned int key_lifetime, + int is_client); static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity, - unsigned int key_lifetime); + unsigned int key_lifetime, + int is_client); /** Global TLS contexts. We keep them here because nobody else needs * to touch them. */ @@ -624,7 +626,7 @@ tor_tls_context_init(int is_public_server, rv1 = tor_tls_context_init_one(&server_tls_context, server_identity, - key_lifetime); + key_lifetime, 0); if (rv1 >= 0) { new_ctx = server_tls_context; @@ -640,7 +642,8 @@ tor_tls_context_init(int is_public_server, if (server_identity != NULL) { rv1 = tor_tls_context_init_one(&server_tls_context, server_identity, - key_lifetime); + key_lifetime, + 0); } else { tor_tls_context_t *old_ctx = server_tls_context; server_tls_context = NULL; @@ -652,7 +655,8 @@ tor_tls_context_init(int is_public_server, rv2 = tor_tls_context_init_one(&client_tls_context, client_identity, - key_lifetime); + key_lifetime, + 1); } return rv1 < rv2 ? rv1 : rv2; @@ -669,10 +673,12 @@ tor_tls_context_init(int is_public_server, static int tor_tls_context_init_one(tor_tls_context_t **ppcontext, crypto_pk_env_t *identity, - unsigned int key_lifetime) + unsigned int key_lifetime, + int is_client) { tor_tls_context_t *new_ctx = tor_tls_context_new(identity, - key_lifetime); + key_lifetime, + is_client); tor_tls_context_t *old_ctx = *ppcontext; if (new_ctx != NULL) { @@ -694,7 +700,8 @@ tor_tls_context_init_one(tor_tls_context_t **ppcontext, * certificate. */ static tor_tls_context_t * -tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) +tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime, + int is_client) { crypto_pk_env_t *rsa = NULL; EVP_PKEY *pkey = NULL; @@ -711,22 +718,26 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) goto error; if (crypto_pk_generate_key(rsa)<0) goto error; - /* Create certificate signed by identity key. */ - cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, - key_lifetime); - /* Create self-signed certificate for identity key. */ - idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, - IDENTITY_CERT_LIFETIME); - if (!cert || !idcert) { - log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); - goto error; + if (!is_client) { + /* Create certificate signed by identity key. */ + cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, + key_lifetime); + /* Create self-signed certificate for identity key. */ + idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, + IDENTITY_CERT_LIFETIME); + if (!cert || !idcert) { + log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); + goto error; + } } result = tor_malloc_zero(sizeof(tor_tls_context_t)); result->refcnt = 1; - result->my_cert = X509_dup(cert); - result->my_id_cert = X509_dup(idcert); - result->key = crypto_pk_dup_key(rsa); + if (!is_client) { + result->my_cert = X509_dup(cert); + result->my_id_cert = X509_dup(idcert); + result->key = crypto_pk_dup_key(rsa); + } #ifdef EVERYONE_HAS_AES /* Tell OpenSSL to only use TLS1 */ @@ -758,27 +769,31 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS); #endif - if (cert && !SSL_CTX_use_certificate(result->ctx,cert)) - goto error; - X509_free(cert); /* We just added a reference to cert. */ - cert=NULL; - if (idcert) { - X509_STORE *s = SSL_CTX_get_cert_store(result->ctx); - tor_assert(s); - X509_STORE_add_cert(s, idcert); - X509_free(idcert); /* The context now owns the reference to idcert */ - idcert = NULL; + if (! is_client) { + if (cert && !SSL_CTX_use_certificate(result->ctx,cert)) + goto error; + X509_free(cert); /* We just added a reference to cert. */ + cert=NULL; + if (idcert) { + X509_STORE *s = SSL_CTX_get_cert_store(result->ctx); + tor_assert(s); + X509_STORE_add_cert(s, idcert); + X509_free(idcert); /* The context now owns the reference to idcert */ + idcert = NULL; + } } SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF); - tor_assert(rsa); - if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1))) - goto error; - if (!SSL_CTX_use_PrivateKey(result->ctx, pkey)) - goto error; - EVP_PKEY_free(pkey); - pkey = NULL; - if (!SSL_CTX_check_private_key(result->ctx)) - goto error; + if (!is_client) { + tor_assert(rsa); + if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1))) + goto error; + if (!SSL_CTX_use_PrivateKey(result->ctx, pkey)) + goto error; + EVP_PKEY_free(pkey); + pkey = NULL; + if (!SSL_CTX_check_private_key(result->ctx)) + goto error; + } { crypto_dh_env_t *dh = crypto_dh_new(DH_TYPE_TLS); SSL_CTX_set_tmp_dh(result->ctx, _crypto_dh_env_get_dh(dh)); From af12c39d6de5bbcd24915db3c4cc9404f102ac02 Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Sun, 23 Oct 2011 14:27:56 -0700 Subject: [PATCH 2/4] Don't use any OR connection which sent us a CREATE_FAST cell for an EXTEND Fix suggested by Nick Mathewson. --- changes/issue-2011-10-19L | 9 +++++++++ src/or/command.c | 6 ++++++ src/or/connection_or.c | 5 +++++ src/or/or.h | 4 ++++ 4 files changed, 24 insertions(+) diff --git a/changes/issue-2011-10-19L b/changes/issue-2011-10-19L index 972823eee..1fefd7267 100644 --- a/changes/issue-2011-10-19L +++ b/changes/issue-2011-10-19L @@ -10,3 +10,12 @@ upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by frosty_un. + - Don't use any OR connection on which we have received a + CREATE_FAST cell to satisfy an EXTEND request. Previously, we + would not consider whether a connection appears to be from a + client or bridge when deciding whether to use that connection to + satisfy an EXTEND request. Mitigates CVE-2011-2768, by + preventing an attacker from determining whether an unpatched + client is connected to a patched relay. Bugfix on FIXME; found + by frosty_un. + diff --git a/src/or/command.c b/src/or/command.c index 61b898cea..a17a3a602 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -285,7 +285,13 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn) * a CPU worker. */ char keys[CPATH_KEY_MATERIAL_LEN]; char reply[DIGEST_LEN*2]; + tor_assert(cell->command == CELL_CREATE_FAST); + + /* Make sure we never try to use the OR connection on which we + * received this cell to satisfy an EXTEND request, */ + conn->is_connection_with_client = 1; + if (fast_server_handshake(cell->payload, (uint8_t*)reply, (uint8_t*)keys, sizeof(keys))<0) { log_warn(LD_OR,"Failed to generate key material. Closing."); diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 95cc02e34..35f6da921 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -519,6 +519,11 @@ connection_or_get_for_extend(const char *digest, tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN)); if (conn->_base.marked_for_close) continue; + /* Never return a connection on which the other end appears to be + * a client. */ + if (conn->is_connection_with_client) { + continue; + } /* Never return a non-open connection. */ if (conn->_base.state != OR_CONN_STATE_OPEN) { /* If the address matches, don't launch a new connection for this diff --git a/src/or/or.h b/src/or/or.h index 4105ff42e..72e4c639a 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1031,6 +1031,10 @@ typedef struct or_connection_t { * because the connection is too old, or because there's a better one, etc. */ unsigned int is_bad_for_new_circs:1; + /** True iff we have decided that the other end of this connection + * is a client. Connections with this flag set should never be used + * to satisfy an EXTEND request. */ + unsigned int is_connection_with_client:1; uint8_t link_proto; /**< What protocol version are we using? 0 for * "none negotiated yet." */ circid_t next_circ_id; /**< Which circ_id do we try to use next on From c05bb53508f5fe3e570a285e6c9ead452ded0e43 Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Sun, 23 Oct 2011 14:58:00 -0700 Subject: [PATCH 3/4] Mark which OR connections are outgoing --- src/or/connection_or.c | 2 ++ src/or/or.h | 2 ++ 2 files changed, 4 insertions(+) diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 35f6da921..f019c79ed 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -776,6 +776,8 @@ connection_or_connect(const tor_addr_t *_addr, uint16_t port, conn->_base.state = OR_CONN_STATE_CONNECTING; control_event_or_conn_status(conn, OR_CONN_EVENT_LAUNCHED, 0); + conn->is_outgoing = 1; + if (options->HttpsProxy) { /* we shouldn't connect directly. use the https proxy instead. */ tor_addr_from_ipv4h(&addr, options->HttpsProxyAddr); diff --git a/src/or/or.h b/src/or/or.h index 72e4c639a..edbb73cca 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1035,6 +1035,8 @@ typedef struct or_connection_t { * is a client. Connections with this flag set should never be used * to satisfy an EXTEND request. */ unsigned int is_connection_with_client:1; + /** True iff this is an outgoing connection. */ + unsigned int is_outgoing:1; uint8_t link_proto; /**< What protocol version are we using? 0 for * "none negotiated yet." */ circid_t next_circ_id; /**< Which circ_id do we try to use next on From a74e7fd40f1a77eb4000d8216bb5b80cdd8a6193 Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Sun, 23 Oct 2011 15:21:49 -0700 Subject: [PATCH 4/4] Reject create cells on outgoing OR connections from bridges --- changes/issue-2011-10-23G | 9 +++++++++ src/or/command.c | 7 +++++-- 2 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 changes/issue-2011-10-23G diff --git a/changes/issue-2011-10-23G b/changes/issue-2011-10-23G new file mode 100644 index 000000000..45f86754f --- /dev/null +++ b/changes/issue-2011-10-23G @@ -0,0 +1,9 @@ + o Security fixes: + + - Reject CREATE and CREATE_FAST cells on outgoing OR connections + from a bridge to a relay. Previously, we would accept them and + handle them normally, thereby allowing a malicious relay to + easily distinguish bridges which connect to it from clients. + Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha, when bridges were + implemented; found by frosty_un. + diff --git a/src/or/command.c b/src/or/command.c index a17a3a602..54f23bb0c 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -219,6 +219,7 @@ static void command_process_create_cell(cell_t *cell, or_connection_t *conn) { or_circuit_t *circ; + or_options_t *options = get_options(); int id_is_high; if (we_are_hibernating()) { @@ -230,9 +231,11 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn) return; } - if (!server_mode(get_options())) { + if (!server_mode(options) || + (!public_server_mode(options) && conn->is_outgoing)) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, - "Received create cell (type %d) from %s:%d, but we're a client. " + "Received create cell (type %d) from %s:%d, but we're connected " + "to it as a client. " "Sending back a destroy.", (int)cell->command, conn->_base.address, conn->_base.port); connection_or_send_destroy(cell->circ_id, conn,