Merge branch 'maint-0.4.6'

d9edf143 · Nick Mathewson · 085bf61a · 69bd4a8a · d9edf143 · d9edf143
Commit d9edf143 authored 3 years ago by Nick Mathewson
--- a/changes/bug40391
+++ b/changes/bug40391
+  o Major bugfixes (security):
+    - Resist a hashtable-based CPU denial-of-service attack against
+      relays. Previously we used a naive unkeyed hash function to look up
+      circuits in a circuitmux object. An attacker could exploit this to
+      construct circuits with chosen circuit IDs in order to try to create
+      collisions and make the hash table inefficient.  Now we use a SipHash
+      construction for this hash table instead. Fixes bug 40391; bugfix on
+      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005.
+      Reported by Jann Horn from Google's Project Zero.
--- a/src/core/or/circuitmux.c
+++ b/src/core/or/circuitmux.c
@@ -169,9 +169,10 @@ chanid_circid_entries_eq(chanid_circid_muxinfo_t *a,
 static inline unsigned int
 chanid_circid_entry_hash(chanid_circid_muxinfo_t *a)
 {
-    return (((unsigned int)(a->circ_id) << 8) ^
-            ((unsigned int)((a->chan_id >> 32) & 0xffffffff)) ^
-            ((unsigned int)(a->chan_id & 0xffffffff)));
+  uint8_t data[8 + 4];
+  set_uint64(data, a->chan_id);
+  set_uint32(data + 8, a->circ_id);
+  return (unsigned) siphash24g(data, sizeof(data));
 }

 /* Emit a bunch of hash table stuff */