Merge branch 'bug40391_035' into maint-0.3.5

changes/bug40391

+  o Major bugfixes (security):
+    - Resist a hashtable-based CPU denial-of-service attack against
+      relays. Previously we used a naive unkeyed hash function to look up
+      circuits in a circuitmux object. An attacker could exploit this to
+      construct circuits with chosen circuit IDs in order to try to create
+      collisions and make the hash table inefficient.  Now we use a SipHash
+      construction for this hash table instead. Fixes bug 40391; bugfix on
+      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005.
+      Reported by Jann Horn from Google's Project Zero.

src/core/or/circuitmux.c

@@ -216,9 +216,10 @@ chanid_circid_entries_eq(chanid_circid_muxinfo_t *a,
 static inline unsigned int
 chanid_circid_entry_hash(chanid_circid_muxinfo_t *a)
 {
-    return (((unsigned int)(a->circ_id) << 8) ^
-            ((unsigned int)((a->chan_id >> 32) & 0xffffffff)) ^
-            ((unsigned int)(a->chan_id & 0xffffffff)));
+  uint8_t data[8 + 4];
+  set_uint64(data, a->chan_id);
+  set_uint32(data + 8, a->circ_id);
+  return (unsigned) siphash24g(data, sizeof(data));
 }
 
 /* Declare the struct chanid_circid_muxinfo_map type */
@@ -1361,4 +1362,3 @@ circuitmux_compare_muxes, (circuitmux_t *cmux_1, circuitmux_t *cmux_2))
     return 0;
   }
 }
-