Use a more secure hash function for the circuitmux hashtable.
authorNick Mathewson <nickm@torproject.org>
Tue, 18 May 2021 12:40:09 +0000 (08:40 -0400)
committerNick Mathewson <nickm@torproject.org>
Tue, 18 May 2021 12:40:09 +0000 (08:40 -0400)
Fixes bug 40931; bugfix on 0.2.4.4-alpha. Also tracked as
TROVE-2021-005.

This issue was reported by Jann Horn from Google's Project Zero.

changes/bug40391 [new file with mode: 0644]
src/core/or/circuitmux.c

diff --git a/changes/bug40391 b/changes/bug40391
new file mode 100644 (file)
index 0000000..e3c1862
--- /dev/null
@@ -0,0 +1,9 @@
+  o Major bugfixes (security):
+    - Resist a hashtable-based CPU denial-of-service attack against
+      relays. Previously we used a naive unkeyed hash function to look up
+      circuits in a circuitmux object. An attacker could exploit this to
+      construct circuits with chosen circuit IDs in order to try to create
+      collisions and make the hash table inefficient.  Now we use a SipHash
+      construction for this hash table instead. Fixes bug 40391; bugfix on
+      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005.
+      Reported by Jann Horn from Google's Project Zero.
index 88f9ac79230b7cf9c29ad180d7f220ef946c8530..e7309553c44e90e1cd9d854fe114c07c9ff1c57f 100644 (file)
@@ -216,9 +216,10 @@ chanid_circid_entries_eq(chanid_circid_muxinfo_t *a,
 static inline unsigned int
 chanid_circid_entry_hash(chanid_circid_muxinfo_t *a)
 {
-    return (((unsigned int)(a->circ_id) << 8) ^
-            ((unsigned int)((a->chan_id >> 32) & 0xffffffff)) ^
-            ((unsigned int)(a->chan_id & 0xffffffff)));
+  uint8_t data[8 + 4];
+  set_uint64(data, a->chan_id);
+  set_uint32(data + 8, a->circ_id);
+  return (unsigned) siphash24g(data, sizeof(data));
 }
 
 /* Declare the struct chanid_circid_muxinfo_map type */
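Review bot: The new body of chanid_circid_entry_hash has no comment saying why a keyed hash is required, so a later cleanup could swap the cheaper unkeyed mix back in; I would add above the buffer `/* circ_id is chosen by the remote peer: use keyed SipHash so it cannot force bucket collisions (TROVE-2021-005). */`. The buffer size `8 + 4` is a bare literal; `uint8_t data[sizeof(uint64_t) + sizeof(uint32_t)];` ties it to the set_uint64 and set_uint32 writes, assuming chan_id and circ_id have the widths those calls imply. The collision resistance also depends on the process-wide key behind siphash24g being seeded from a random source before the first lookup. That initialisation is not visible in this hunk and is worth confirming.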
@@ -1361,4 +1362,3 @@ circuitmux_compare_muxes, (circuitmux_t *cmux_1, circuitmux_t *cmux_2))
     return 0;
   }
 }
-