Opened 5 years ago

Closed 5 years ago

#11565 closed defect (fixed)

Make it clear if circ_id for create cell can be zero with non zero MSB

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: 025-triaged
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It's unclear whether a zero circ_id with a non-zero MSB is allowed by the specification.
Why should 0x80..00 be allowed and 0x00..00 not?
With the current implementation the initiator never chooses a zero circ_id, with or without the MSB set.
But command_process_create_cell() refuses only 0x00..00 and passes 0x80..00:

  if (cell->circ_id == 0) {
    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
           "Received a create cell (type %d) from %s with zero circID; "
           " ignoring.", (int)cell->command,
           channel_get_actual_remote_descr(chan));
    return;
  }

Change History (9)

comment:1 Changed 5 years ago by nickm

Milestone: Tor: 0.2.5.x-final

comment:2 Changed 5 years ago by nickm

The current spec says that 0 is reserved, and makes no mention of anything else; I'm going to say that 0 is the only reserved value, and it's reserved because we need a circID that means "no circuit".

Addressed in 78de0f958204b463e6dbf64831d925a21c4350cf.

comment:3 Changed 5 years ago by cypherpunks

Then the peers have different spaces of available IDs (for the v4 link protocol the initiator has one less available ID to choose from). Can this be used to leak some information? (Even the fact of using a previously reserved ID will add some fingerprint.)

comment:4 Changed 5 years ago by nickm

I don't see how you can leak information with that; if you managed to fill up the circID space between A and B, *and* get an exact count of circuits, you could learn whether A or B was the connection initiator... but to fill up the space in v4 link protocol, you would need to make 2 billion circuits, and to get an exact count, you would need to be sure that nobody else is making circuits too. Even if you succeeded, it's not clear to me what good it would do to know whether A or B is the initiator.

At least, that's what I think now. Is there an attack here that I'm missing?

comment:5 Changed 5 years ago by nickm

(I am happy to add an "implementations MAY avoid 0x80000000" note if we think that will help)

comment:6 in reply to:  4 Changed 5 years ago by cypherpunks

Even if you succeeded, it's not clear to me what good it would do to know whether A or B is the initiator.

Agreed. There is zero chance of making it worse with the v4 link protocol.

But with the v3 link protocol there is a chance for a client to leak the fact that it runs a new version (without the limits for 0x80..00), if the MSB is set after comparing the received key with the internal pkey. Then maybe allow implementations to have a zero MSB only if no certs are sent (that is an unclear part too: a client is allowed not to use certs, but what about the CircID for them?). The v3 link protocol can still be in use for some months (years?) yet.

Last edited 5 years ago by cypherpunks
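The rules discussed in comment:2 (only CircID 0 is reserved), comment:3/4 (the two halves of the ID space are not the same size) and comment:6 (how the MSB is chosen under link protocol 3 versus 4) are small enough to write out. The following is an added illustration, not Tor's own code and not the spec text. It follows tor-spec as I understand it: CircID 0 means "no circuit"; in link protocol 4 the connection initiator sets the MSB; in link protocol 3 the side with the greater identity key sets it, and a client with no identity key may pick from either half. The key comparison is simplified to comparing raw key bytes, and all function names are made up for this example.

```python
"""Circuit-ID allocation and the receiver-side zero check (illustration for #11565).

Added example, not Tor's code. Assumptions: tor-spec rules as summarised in the
lead-in; identity keys are compared as plain bytes (Tor compares RSA keys).
"""
import secrets

CIRCID_BITS = {3: 16, 4: 32}  # link protocol 3: 2-byte CircIDs; 4: 4-byte CircIDs


def high_bit(link_proto):
    """Mask of the most significant CircID bit for this link protocol."""
    return 1 << (CIRCID_BITS[link_proto] - 1)


def msb_for_sender(link_proto, we_initiated, our_key=None, their_key=None):
    """Return the MSB value this side must use on CircIDs it allocates,
    or None when the spec leaves it unconstrained (v3 client without a key)."""
    if link_proto >= 4:
        # v4: whoever initiated the connection sets the MSB, the other side clears it.
        return high_bit(link_proto) if we_initiated else 0
    if our_key is None:
        # v3 OP with no identity key: may choose any CircID (it never handles CREATE).
        return None
    # v3: the side with the greater identity key sets the MSB (simplified compare).
    return high_bit(link_proto) if our_key > their_key else 0


def choose_circ_id(link_proto, msb, in_use, randbits=secrets.randbits):
    """Pick an unused, non-zero CircID carrying the required MSB.

    0 is never offered, which is why the side whose MSB is 0 has one fewer
    usable ID than the side whose MSB is 1.
    """
    bits = CIRCID_BITS[link_proto]
    for _ in range(1000):
        if msb is None:
            cid = randbits(bits)
        else:
            cid = msb | randbits(bits - 1)
        if cid == 0 or cid in in_use:
            continue
        return cid
    raise RuntimeError("no free CircID found after 1000 attempts")


def accept_create_circ_id(link_proto, circ_id):
    """Receiver-side check matching the ticket's resolution: only 0 is rejected.
    0x8000 (v3) and 0x80000000 (v4), i.e. MSB set and the rest zero, are valid."""
    return 0 < circ_id < (1 << CIRCID_BITS[link_proto])


def usable_id_count(link_proto, msb):
    """Number of CircIDs a side may allocate: half the space, minus one for the
    side whose MSB is 0, because 0 itself is reserved (the asymmetry in comment:3)."""
    half = high_bit(link_proto)
    return half - 1 if msb == 0 else half


if __name__ == "__main__":
    initiator_msb = msb_for_sender(4, we_initiated=True)
    responder_msb = msb_for_sender(4, we_initiated=False)
    print("v4 initiator IDs: %d, responder IDs: %d"
          % (usable_id_count(4, initiator_msb), usable_id_count(4, responder_msb)))
    print("0x80000000 accepted:", accept_create_circ_id(4, 0x80000000))
    print("0 accepted:", accept_create_circ_id(4, 0))
    print("sample initiator CircID: 0x%08x" % choose_circ_id(4, initiator_msb, set()))
```

The initiator's half of the v4 space holds 2^31 IDs and the responder's 2^31 - 1, which is the whole of the "different space of available IDs" observation; the receiver check deliberately treats 0x80000000 like any other ID.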

comment:7 Changed 5 years ago by nickm

Keywords: 025-triaged added

comment:8 Changed 5 years ago by cypherpunks

Then maybe to allow implementations to have zero MSB only if no certs sent

It makes things yet more complicated. So I agree there is no need for other changes to the specification besides the one already made about the zero CircID. The chance of leaking the version in use is the price of making things clear. Such leaks vanish after new stable versions.

comment:9 Changed 5 years ago by nickm

Resolution: fixed
Status: new → closed

Okay. IIUC you think this is good to close; I think so too. Please reopen if I'm wrong.