--- /dev/null
+ o Security fixes:
+ - When fetching a hidden service descriptor, check that it is for
+ the hidden service we were trying to connect to, in order to
+ stop a directory from pre-seeding a client with a descriptor for
+ a hidden service that they didn't want. Bugfix on 0.0.6.
+
+
(int)body_len, status_code, escaped(reason));
switch (status_code) {
case 200:
- if (rend_cache_store(body, body_len, 0) < -1) {
+ if (rend_cache_store(body, body_len, 0,
+ conn->rend_data->onion_address) < -1) {
log_warn(LD_REND,"Failed to parse rendezvous descriptor.");
/* Any pending rendezvous attempts will notice when
* connection_about_to_close_connection()
!strcmpstart(url,"/tor/rendezvous/publish")) {
/* rendezvous descriptor post */
log_info(LD_REND, "Handling rendezvous descriptor post.");
- if (rend_cache_store(body, body_len, 1) < 0) {
+ if (rend_cache_store(body, body_len, 1, NULL) < 0) {
log_fn(LOG_PROTOCOL_WARN, LD_DIRSERV,
"Rejected rend descriptor (length %d) from %s.",
(int)body_len, conn->_base.address);
int rend_cache_lookup_entry(const char *query, int version,
rend_cache_entry_t **entry_out);
int rend_cache_lookup_v2_desc_as_dir(const char *query, const char **desc);
-int rend_cache_store(const char *desc, size_t desc_len, int published);
+int rend_cache_store(const char *desc, size_t desc_len, int published,
+ const char *service_id);
int rend_cache_store_v2_desc_as_client(const char *desc,
const rend_data_t *rend_query);
int rend_cache_store_v2_desc_as_dir(const char *desc);
*
* The published flag tells us if we store the descriptor
* in our role as directory (1) or if we cache it as client (0).
+ *
+ * If <b>service_id</b> is non-NULL and the descriptor is not for that
+ * service ID, reject it. <b>service_id</b> must be specified if and
+ * only if <b>published</b> is 0 (we fetched this descriptor).
*/
int
-rend_cache_store(const char *desc, size_t desc_len, int published)
+rend_cache_store(const char *desc, size_t desc_len, int published,
+ const char *service_id)
{
rend_cache_entry_t *e;
rend_service_descriptor_t *parsed;
rend_service_descriptor_free(parsed);
return -2;
}
+ if ((service_id != NULL) && strcmp(query, service_id)) {
+ log_warn(LD_REND, "Received service descriptor for service ID %s; "
+ "expected descriptor for service ID %s.",
+ query, safe_str(service_id));
+ return -2;
+ }
now = time(NULL);
if (parsed->timestamp < now-REND_CACHE_MAX_AGE-REND_CACHE_MAX_SKEW) {
log_fn(LOG_PROTOCOL_WARN, LD_REND,
* If we have an older descriptor with the same ID, replace it.
* If we have any v0 descriptor with the same ID, reject this one in order
* to not get confused with having both versions for the same service.
+ * If the descriptor's service ID does not match
+ * <b>rend_query</b>-\>onion_address, reject it.
* Return -2 if it's malformed or otherwise rejected; return -1 if we
* already have a v0 descriptor here; return 0 if it's the same or older
* than one we've already got; return 1 if it's novel.
retval = -2;
goto err;
}
+ if (strcmp(rend_query->onion_address, service_id)) {
+ log_warn(LD_REND, "Received service descriptor for service ID %s; "
+ "expected descriptor for service ID %s.",
+ service_id, safe_str(rend_query->onion_address));
+ retval = -2;
+ goto err;
+ }
/* Decode/decrypt introduction points. */
if (intro_content) {
if (rend_query->auth_type != REND_NO_AUTH &&
projects / thirdparty / tor.git / commitdiff
