Opened 3 years ago

Closed 3 years ago

#22931 closed defect (fixed)

What happens when a VERSIONS cell is sent outside a handshake?

Reported by: teor
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: doc tor-spec
Cc:
Actual Points:
Parent ID: #18856
Points:
Reviewer:
Sponsor:

Description

The spec really doesn't say:

   To determine the version, in any connection where the "renegotiation"
   or "in-protocol" handshake was used (that is, where the responder
   sent only one certificate at first and where the initiator did not
   send any certificates in the first negotiation), both parties MUST
   send a VERSIONS cell.  In "renegotiation", they send a VERSIONS cell
   right after the renegotiation is finished, before any other cells are
   sent.  In "in-protocol", the initiator sends a VERSIONS cell
   immediately after the initial TLS handshake, and the responder
   replies immediately with a VERSIONS cell.  Parties MUST NOT send any
   other cells on a connection until they have received a VERSIONS cell.

   The payload in a VERSIONS cell is a series of big-endian two-byte
   integers.  Both parties MUST select as the link protocol version the
   highest number contained both in the VERSIONS cell they sent and in the
   versions cell they received.  If they have no such version in common,
   they cannot communicate and MUST close the connection.  Either party MUST
   close the connection if the versions cell is not well-formed (for example,
   if it contains an odd number of bytes).

Change History (3)

comment:1 Changed 3 years ago by teor

Status: new → needs_review

The relay drops extra versions cells. We could document this by saying:

+ Any VERSIONS cells sent after the first VERSIONS cell MUST be ignored.
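Review bot: "MUST be ignored" in the added sentence does not say which circuit ID length a later VERSIONS cell is framed with, and the third case listed below shows that a cell framed with the other length is not recognized as a VERSIONS cell at all. Consider stating the expected framing for VERSIONS cells after the first, and placing the sentence next to the existing "Parties MUST NOT send any other cells on a connection until they have received a VERSIONS cell" requirement so the handshake rules stay together.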

Changing versions on a link shouldn't be allowed.

There are 3 possible cases:

First and second version cells ask for link version 3 and have circ_id_len 2:

Jul 15 18:41:01.000 [info] channel_tls_process_versions_cell: Received a VERSIONS cell on a connection with its version already set to 3; dropping

First version cell asks for link version 4 and has circ_id_len 2, second version cell asks for link version 4 and has circ_id_len 4:

Jul 15 18:46:14.000 [info] channel_tls_process_versions_cell: Received a VERSIONS cell on a connection with its version already set to 4; dropping

First version cell asks for link version 4 and has circ_id_len 2, second version cell asks for link version 4 and has circ_id_len 2:

(The cell is mis-parsed: the command is read from the second byte of the versions cell's payload length. Since no further input arrives to complete the cell, the relay times out.)

A script that sends cells to trigger all these cases is at:

https://github.com/teor2345/endosome/blob/master/client-or-22931.py
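The three cases in the comment above, traced through a minimal receiver-side cell framer. This is an added example, not code from the ticket, the linked script or Tor itself; the command numbers, the 509-byte fixed payload and the CircID widths are taken from tor-spec, and the function names and sample cells are constructed for illustration.

```python
import struct

# Constants from tor-spec: command numbers and fixed-length payload size.
VERSIONS, CREATE = 7, 2
PAYLOAD_LEN = 509

def versions_cell(versions, circ_id_len):
    """Constructed sample input: a VERSIONS cell framed with the given CircID width."""
    payload = b"".join(struct.pack("!H", v) for v in versions)
    header = bytes(circ_id_len) + bytes([VERSIONS]) + struct.pack("!H", len(payload))
    return header + payload

def parse_cell(buf, link_version):
    """Frame one cell as a receiver does once link_version is set.

    Returns (command, payload); payload is None while the cell is incomplete.
    """
    circ_id_len = 4 if link_version >= 4 else 2   # CircID widens in link version 4
    if len(buf) <= circ_id_len:
        return None, None
    command = buf[circ_id_len]
    body = buf[circ_id_len + 1:]
    if command == VERSIONS or command >= 128:      # variable-length cells
        if len(body) < 2:
            return command, None
        (length,) = struct.unpack("!H", body[:2])
        if len(body) < 2 + length:
            return command, None
        return command, body[2:2 + length]
    if len(body) < PAYLOAD_LEN:                    # fixed-length cell, still short
        return command, None
    return command, body[:PAYLOAD_LEN]

def second_versions_outcome(cell, link_version):
    """Classify what happens to a VERSIONS cell that arrives after negotiation."""
    command, payload = parse_cell(cell, link_version)
    if payload is None:
        return ("stalled", command)    # receiver waits for bytes that never come
    if command == VERSIONS:
        return ("dropped", command)    # matches the "[info] ... dropping" log line
    return ("other", command)

if __name__ == "__main__":
    for version, width in [(3, 2), (4, 4), (4, 2)]:
        cell = versions_cell([version], width)
        print(version, width, second_versions_outcome(cell, version))
```

In the third case the byte read as the command is 0x02, the low byte of the two-byte length field. Command 2 is a fixed-length cell, so the framer keeps waiting for a full cell body.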

comment:2 Changed 3 years ago by teor

My branch bug22929 fixes #22929 and #22931.

comment:3 Changed 3 years ago by nickm

Resolution: fixed
Status: needs_review → closed

Merged!