[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/maint-0.2.3] Code to blacklist authority signing keys
commit 50ad3939242885b1a1a11688abd0c9756631747f
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Fri Apr 11 10:22:14 2014 -0400
Code to blacklist authority signing keys
(I need a list of actual signing keys to blacklist.)
---
changes/bug11464_023 | 5 +++++
src/or/networkstatus.c | 11 +++++++++++
src/or/routerlist.c | 22 ++++++++++++++++++++++
src/or/routerlist.h | 1 +
src/or/routerparse.c | 8 ++++++++
5 files changed, 47 insertions(+)
diff --git a/changes/bug11464_023 b/changes/bug11464_023
new file mode 100644
index 0000000..a9cd658
--- /dev/null
+++ b/changes/bug11464_023
@@ -0,0 +1,5 @@
+ o Major features (security):
+ - Block every authority signing key that was used on an authority
+ vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160).
+ (We don't have any evidence that these keys _were_ compromised;
+ we're doing this to be prudent.) Resolves ticket 11464.
diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c
index e780ead..10cc562 100644
--- a/src/or/networkstatus.c
+++ b/src/or/networkstatus.c
@@ -453,6 +453,17 @@ networkstatus_check_document_signature(const networkstatus_t *consensus,
DIGEST_LEN))
return -1;
+ if (authority_cert_is_blacklisted(cert)) {
+ /* We implement blacklisting for authority signing keys by treating
+ * all their signatures as always bad. That way we don't get into
+ * crazy loops of dropping and re-fetching signatures. */
+ log_warn(LD_DIR, "Ignoring a consensus signature made with deprecated"
+ " signing key %s",
+ hex_str(cert->signing_key_digest, DIGEST_LEN));
+ sig->bad_signature = 1;
+ return 0;
+ }
+
signed_digest_len = crypto_pk_keysize(cert->signing_key);
signed_digest = tor_malloc(signed_digest_len);
if (crypto_pk_public_checksig(cert->signing_key,
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index 3c39e36..e993e13 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -458,6 +458,28 @@ authority_cert_dl_failed(const char *id_digest, int status)
download_status_failed(&cl->dl_status, status);
}
+static const char *BAD_SIGNING_KEYS[] = {
+ "----------------------------------------",
+ NULL,
+};
+
+/** DOCDOC */
+int
+authority_cert_is_blacklisted(const authority_cert_t *cert)
+{
+ char hex_digest[HEX_DIGEST_LEN+1];
+ int i;
+ base16_encode(hex_digest, sizeof(hex_digest),
+ cert->signing_key_digest, sizeof(cert->signing_key_digest));
+
+ for (i = 0; BAD_SIGNING_KEYS[i]; ++i) {
+ if (!strcasecmp(hex_digest, BAD_SIGNING_KEYS[i])) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
/** Return true iff when we've been getting enough failures when trying to
* download the certificate with ID digest <b>id_digest</b> that we're willing
* to start bugging the user about it. */
diff --git a/src/or/routerlist.h b/src/or/routerlist.h
index 8dcc6eb..bd55b7b 100644
--- a/src/or/routerlist.h
+++ b/src/or/routerlist.h
@@ -25,6 +25,7 @@ void authority_cert_dl_failed(const char *id_digest, int status);
void authority_certs_fetch_missing(networkstatus_t *status, time_t now);
int router_reload_router_list(void);
int authority_cert_dl_looks_uncertain(const char *id_digest);
+int authority_cert_is_blacklisted(const authority_cert_t *cert);
smartlist_t *router_get_trusted_dir_servers(void);
const routerstatus_t *router_pick_directory_server(dirinfo_type_t type,
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 299d07d..97e0bc8 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -3053,6 +3053,14 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out,
log_warn(LD_DIR,"Mismatch between identities in certificate and vote");
goto err;
}
+ if (ns->type != NS_TYPE_CONSENSUS) {
+ if (authority_cert_is_blacklisted(ns->cert)) {
+ log_warn(LD_DIR, "Rejecting vote signature made with blacklisted "
+ "signing key %s",
+ hex_str(ns->cert->signing_key_digest, DIGEST_LEN));
+ goto err;
+ }
+ }
voter->address = tor_strdup(tok->args[2]);
if (!tor_inet_aton(tok->args[3], &in)) {
log_warn(LD_DIR, "Error decoding IP address %s in network-status.",
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits