[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #26158 [Core Tor/Tor]: A little bug of circular path of Tor
#26158: A little bug of circular path of Tor
------------------------------+--------------------------------
Reporter: TBD.Chen | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.3.2.x-final
Component: Core Tor/Tor | Version: Tor: 0.3.2.10
Severity: Normal | Keywords: circular-path
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+--------------------------------
In order to defend the **circular-path** attacks, Tor relays detects the
next hop and previous hop of a circuit through node-id and Ed25519-id.
However, when the Tor relay detects the previous node has the same
Ed25519-id with next node, it forgot to return -1, and continue to extend
the circuit.
This might cause some loopholes for the circular-path.
{{{
/* Next, check if we're being asked to connect to the hop that the
* extend cell came from. There isn't any reason for that, and it can
* assist circular-path attacks. */
if (tor_memeq(ec.node_id,
TO_OR_CIRCUIT(circ)->p_chan->identity_digest,
DIGEST_LEN)) {
log_fn(LOG_PROTOCO[[Image()]]L_WARN, LD_PROTOCOL,
"Client asked me to extend back to the previous hop.");
return -1;
}
/* Check the previous hop Ed25519 ID too */
if (! ed25519_public_key_is_zero(&ec.ed_pubkey) &&
ed25519_pubkey_eq(&ec.ed_pubkey,
&TO_OR_CIRCUIT(circ)->p_chan->ed25519_identity)) {
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Client asked me to extend back to the previous hop "
"(by Ed25519 ID).");
}
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26158>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs