[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] Re: #1299 [Tor - Tor client]: Tor should verify signatures before parsing

To: undisclosed-recipients:;
Subject: [tor-bugs] Re: #1299 [Tor - Tor client]: Tor should verify signatures before parsing
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Wed, 23 Jun 2010 02:46:33 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivered-to: tor-bugs-outgoing@xxxxxxxx
Delivered-to: tor-bugs@xxxxxxxxxxxxxx
Delivery-date: Tue, 22 Jun 2010 22:46:41 -0400
In-reply-to: <049.4bfc9699503c4aca90e849029b7de6b4@xxxxxxxxxxxxxx>
References: <049.4bfc9699503c4aca90e849029b7de6b4@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: owner-tor-bugs@xxxxxxxxxxxxxx

#1299: Tor should verify signatures before parsing
-----------------------+----------------------------------------------------
 Reporter:  mikeperry  |         Type:  defect          
   Status:  new        |     Priority:  major           
Milestone:             |    Component:  Tor - Tor client
  Version:  0.2.1.24   |   Resolution:  None            
 Keywords:             |       Parent:                  
-----------------------+----------------------------------------------------

Comment(by nickm):

 One problem here is that, for certain documents, you need to parse them in
 order to learn what key they were supposed to be signed with.  We could
 change our procedure from the current "parse, extract key from parsed
 document, check signature" to "locate key in raw document, parse key only,
 check signature, parse document"... but historically we've had headaches
 stemming from the "locate XYZ in raw document" step not following exactly
 the same rules as the "parse document" step.

 Some of the code I did for bug #1270 tries to make parsing in general more
 verifiably and obviously correct; that could make us feel better about
 this if we merged it, but it wouldn't resolve the issue.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1299#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

Prev by Author: [tor-bugs] Re: #1250 [Tor - Tor client]: strange SOCKS error code when connecting to a hidden service using the wrong port
Next by Author: [tor-bugs] Re: #1296 [Tor - Tor client]: CircuitBuildTimes should have an option to disable
Previous by thread: [tor-bugs] Re: #1250 [Tor - Tor client]: strange SOCKS error code when connecting to a hidden service using the wrong port
Next by thread: [tor-bugs] Re: #1296 [Tor - Tor client]: CircuitBuildTimes should have an option to disable
Index(es):
- Author
- Thread