Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-13T15:25:29Z

https://gitlab.torproject.org/legacy/trac/-/issues/26037
DirAuths should check vote signatures before parsing
2020-06-13T15:25:29Z
Isis Lovecruft

teor pointed out that vote parsing occurs before checking the vote's signature (both verifying the signature and ensuring that it comes from a known valid directory authority). dgoulet confirmed this is the case:
> See dirvote.c, function dirvote_add_vote(). You will notice that the very first thing is parsing the whole thing with networkstatus_parse_vote_from_string(). Now, as far as I can tell, the voter signature check happens in that function. However, by the time we check it out, we've tokenized the votes and parsed _many_ parts of the vote already. (If you look for check_signature_token() in that function).
>
> And then once we are done parsing, we do have a valid signature for the vote which then makes us check if we know the authority with trusteddirserver_get_by_v3_auth_digest().

The issue of anyone being able to trigger a hypothetical vulnerability in one of the parsing functions aside, it's also just simply not efficient to do all the parsing work and then chuck the results at the end of `networkstatus_parse_vote_from_string()` if the signature wasn't a valid sig from a known authority.

This issue has apparently been present since f4ce7f9c9b4 in tor-0.2.0.3-alpha.

Tor: 0.3.5.x-final
Samdney