Opened 4 years ago

Closed 3 years ago

Last modified 16 months ago

#10849 closed defect (fixed)

tunneldirconns 0 makes hidden services publish descriptors over http -- and they're refused

Reported by: arma
Owned by:
Priority: Medium
Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-hs, 025-triaged, 2016-bug-retrospective
Cc: isis
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Run your Tor with "tunneldirconns 0 prefertunneleddirconns 0" and also a hidden service configured. It will complain with lines like

Feb 09 01:29:41.685 [warn] http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '88.198.180.24:9030'. Malformed rendezvous descriptor?
Feb 09 01:29:41.780 [warn] http status 400 ("Bad Request") response from dirserver '77.247.181.163:80'. Malformed rendezvous descriptor?
Feb 09 01:29:42.778 [warn] http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '144.76.34.179:9030'. Malformed rendezvous descriptor?
Feb 09 01:29:42.807 [warn] http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '173.213.113.155:80'. Malformed rendezvous descriptor?
Feb 09 01:29:44.595 [warn] http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '97.107.142.28:9030'. Malformed rendezvous descriptor?

That's because tunneldirconns 0 instructs Tor to

Feb 09 01:29:41.249 [info] directory_post_to_hs_dir(): Launching upload for v2 descriptor for service 'g7dufxzidsmpomay' with descriptor ID '[...]' with validity of 44457 seconds to hidden service directory 'Firebird' on 173.213.113.155:443.
Feb 09 01:29:41.249 [debug] directory_initiate_command_rend(): anonymized 1, use_begindir 0.

and the use_begindir 0 means that this code never triggers on the server side:

  if (options->HidServDirectoryV2 &&
      connection_dir_is_encrypted(conn) &&
      !strcmpstart(url,"/tor/rendezvous2/publish")) {

meaning it falls through to

  if (!authdir_mode(options)) {
    /* we just provide cached directories; we don't want to
     * receive anything. */
    write_http_status_line(conn, 400, "Nonauthoritative directory does not "
                           "accept posted server descriptors");

which doesn't really tell the user what went wrong.

Attachments (5)

TICKET10849-nickm_024-debug.truncated.log (2.7 MB) - added by isis 4 years ago.
TICKET10849-torrc-testing-nickm-bug_024 (1.4 KB) - added by isis 4 years ago.
TICKET10849-isis-hsdesc-use-orport-patch_debug.REND.DIR.log (58.4 KB) - added by isis 4 years ago.
0001-fixup-TunnelDirConns-0-no-longer-breaks-hidden-servi.patch (973 bytes) - added by rransom 4 years ago.
Fix my %@#! stupid code typo
0002-fixup-TunnelDirConns-0-no-longer-breaks-hidden-servi.patch (1.4 KB) - added by rransom 4 years ago.
Pass dir_purpose to directory_command_should_use_begindir

Change History (35)

comment:1 Changed 4 years ago by arma

Maybe the fix is to use_begindir for hidden service posts no matter what? And for hidden service fetches too I guess?

Or should we be more aggressive and start to obsolete tunneldirconns==0 more broadly?

comment:2 Changed 4 years ago by arma

(bug found by isis, who has 47 config lines in her torrc.)

comment:3 Changed 4 years ago by isis

Cc: isis added

comment:4 Changed 4 years ago by rransom

The bug is in the last if statement in directory_command_should_use_begindir:

  if (!options->TunnelDirConns &&
      router_purpose != ROUTER_PURPOSE_BRIDGE)

To fix it, append && !is_sensitive_dir_purpose(router_purpose) to the condition.

I suspect that this is a bugfix on whatever release introduced TunnelDirConns, but I'm not going to do the archaeology to verify that.

In versions before whenever in 0.2.3.x ‘tor2web mode’ was merged, this bug would have immediately deanonymized the hidden service. After ‘tor2web mode’ (specifically the extra assertions I added while developing it), it would have at worst crashed the HS instead.

comment:5 in reply to:  4 Changed 4 years ago by rransom

Replying to rransom:

To fix it, append && !is_sensitive_dir_purpose(router_purpose) to the condition.

(This fix is untested.)

comment:6 Changed 4 years ago by nickm

Keywords: tor-hs 024-backport added
Status: new → needs_review

I propose that (after review) we merge rransom's fix in 0.2.4 and beyond, *and* we obsolete the tunneldirconns and prefertunneleddirconns options in 0.2.5 and beyond.

(Unless there's a reason for keeping them?)

comment:7 Changed 4 years ago by arma

Proposed patch sounds plausible. Around that location was what I had in mind too.

Deprecating or obsoleting the options sounds fine to me. Long ago, they were a way to turn on this feature. Now the feature is on by default, so they're only a way to turn it off. We don't need that anymore.

comment:8 in reply to:  4 Changed 4 years ago by rransom

Replying to rransom:

In versions before whenever in 0.2.3.x ‘tor2web mode’ was merged, this bug would have immediately deanonymized the hidden service.

I was wrong about this part.

comment:9 Changed 4 years ago by nickm

Isis, could you test bug10849_024 in my public repository?

comment:10 Changed 4 years ago by nickm

bug10849_025 is the remove-the-options branch for 0.2.5.

comment:11 in reply to:  9 ; Changed 4 years ago by isis

Replying to nickm:

Isis, could you test bug10849_024 in my public repository?

Yep, compiling and testing now.

comment:12 in reply to:  11 ; Changed 4 years ago by isis

Replying to isis:

Replying to nickm:

Isis, could you test bug10849_024 in my public repository?

Yep, compiling and testing now.

I looked at those lines when trying to debug on my own, and the problem seemed to stem from directory_command_should_use_begindir(), but I couldn't pinpoint it.

The patch in bug10849_024 seems not to fix the problem, or at least compiling this branch (with this torrc; just directories and port numbers changed, and debug logs enabled) the logs show the following:

Feb 11 23:56:41.000 [debug] {REND} rend_add_service(): Configuring service with directory "/var/www/hstest/"
Feb 11 23:56:41.000 [debug] {REND} rend_add_service(): Service maps port 7013 to 127.0.0.1:80
Feb 11 23:56:56.000 [info] {REND} rend_service_load_all_keys(): Loading hidden-service keys from "/var/www/hstest/"
Feb 11 23:57:06.000 [info] {REND} rend_services_introduce(): Picked router [scrubbed] as an intro point for [scrubbed].
Feb 11 23:57:06.000 [info] {REND} rend_services_introduce(): Picked router [scrubbed] as an intro point for [scrubbed].
Feb 11 23:57:06.000 [info] {REND} rend_services_introduce(): Picked router [scrubbed] as an intro point for [scrubbed].
Feb 11 23:57:06.000 [info] {REND} rend_services_introduce(): Picked router [scrubbed] as an intro point for [scrubbed].
Feb 11 23:57:06.000 [info] {REND} rend_services_introduce(): Picked router [scrubbed] as an intro point for [scrubbed].
Feb 11 23:57:06.000 [info] {REND} rend_service_launch_establish_intro(): Launching circuit to introduction point [scrubbed] for service dl2erovyzq7kob4n
Feb 11 23:57:06.000 [info] {REND} rend_service_launch_establish_intro(): Launching circuit to introduction point [scrubbed] for service dl2erovyzq7kob4n
Feb 11 23:57:06.000 [info] {REND} rend_service_launch_establish_intro(): Launching circuit to introduction point [scrubbed] for service dl2erovyzq7kob4n
Feb 11 23:57:06.000 [info] {REND} rend_service_launch_establish_intro(): Launching circuit to introduction point [scrubbed] for service dl2erovyzq7kob4n
Feb 11 23:57:06.000 [info] {REND} rend_service_launch_establish_intro(): Launching circuit to introduction point [scrubbed] for service dl2erovyzq7kob4n
Feb 11 23:57:07.000 [info] {REND} rend_service_intro_has_opened(): Established circuit 31060 as introduction point for service dl2erovyzq7kob4n
Feb 11 23:57:07.000 [info] {REND} rend_service_intro_has_opened(): Established circuit 31062 as introduction point for service dl2erovyzq7kob4n
Feb 11 23:57:08.000 [info] {REND} rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 31060 for service dl2erovyzq7kob4n
Feb 11 23:57:08.000 [info] {REND} rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 31062 for service dl2erovyzq7kob4n
Feb 11 23:57:08.000 [info] {REND} rend_service_intro_has_opened(): Established circuit 31061 as introduction point for service dl2erovyzq7kob4n
Feb 11 23:57:08.000 [info] {REND} rend_service_intro_established(): Received INTRO_ESTABLISHED cell on circuit 31061 for service dl2erovyzq7kob4n
Feb 11 23:57:16.000 [info] {REND,CIRC} rend_service_intro_has_opened(): We have just finished an introduction circuit, but we already have enough. Redefining purpose to general; leaving as internal.
Feb 11 23:57:16.000 [info] {REND,CIRC} rend_service_intro_has_opened(): We have just finished an introduction circuit, but we already have enough. Redefining purpose to general; leaving as internal.
Feb 11 23:57:16.000 [info] {REND} rend_services_introduce(): Giving up on [scrubbed] as intro point for [scrubbed] (circuit disappeared).
Feb 11 23:57:16.000 [info] {REND} rend_services_introduce(): Giving up on [scrubbed] as intro point for [scrubbed] (circuit disappeared).
Feb 11 23:57:39.000 [info] {REND} rend_encode_v2_descriptors(): Successfully encoded a v2 descriptor and confirmed that it is parsable.
Feb 11 23:57:39.000 [info] {REND} upload_service_descriptor(): Launching upload for hidden service dl2erovyzq7kob4n
Feb 11 23:57:39.000 [info] {REND} directory_post_to_hs_dir(): Launching upload for v2 descriptor for service '[scrubbed]' with descriptor ID '[scrubbed]' with validity of 77766 seconds to hidden service directory 'rumpelstilzchen' on 144.76.117.148:9001.
Feb 11 23:57:39.000 [info] {REND} directory_post_to_hs_dir(): Launching upload for v2 descriptor for service '[scrubbed]' with descriptor ID '[scrubbed]' with validity of 77766 seconds to hidden service directory 'ballerina' on 82.170.185.9:9001.
Feb 11 23:57:39.000 [info] {REND} directory_post_to_hs_dir(): Launching upload for v2 descriptor for service '[scrubbed]' with descriptor ID '[scrubbed]' with validity of 77766 seconds to hidden service directory 'default' on 78.101.53.2:443.
Feb 11 23:57:39.000 [info] {REND} directory_post_to_hs_dir(): Launching upload for v2 descriptor for service '[scrubbed]' with descriptor ID '[scrubbed]' with validity of 77766 seconds to hidden service directory 'TorMenta2' on 200.75.228.92:9001.
Feb 11 23:57:39.000 [info] {REND} directory_post_to_hs_dir(): Launching upload for v2 descriptor for service '[scrubbed]' with descriptor ID '[scrubbed]' with validity of 77766 seconds to hidden service directory 'Tor1ByHostplanetME' on 37.59.150.178:443.
Feb 11 23:57:39.000 [info] {REND} directory_post_to_hs_dir(): Launching upload for v2 descriptor for service '[scrubbed]' with descriptor ID '[scrubbed]' with validity of 77766 seconds to hidden service directory 'BearNecessities' on 46.38.57.196:443.
Feb 11 23:57:39.000 [info] {REND} upload_service_descriptor(): Successfully uploaded v2 rend descriptors!
Feb 11 23:57:40.000 [info] {REND} connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 400 ("Nonauthoritative directory does not accept posted server descriptors"))
Feb 11 23:57:40.000 [warn] {REND} http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '144.76.117.148:9030'. Malformed rendezvous descriptor?
Feb 11 23:57:41.000 [info] {REND} connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 400 ("Nonauthoritative directory does not accept posted server descriptors"))
Feb 11 23:57:41.000 [warn] {REND} http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '46.38.57.196:80'. Malformed rendezvous descriptor?
Feb 11 23:57:41.000 [info] {REND} connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 400 ("Nonauthoritative directory does not accept posted server descriptors"))
Feb 11 23:57:41.000 [warn] {REND} http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '78.101.53.2:9030'. Malformed rendezvous descriptor?
Feb 11 23:57:41.000 [info] {REND} connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 400 ("Nonauthoritative directory does not accept posted server descriptors"))
Feb 11 23:57:41.000 [warn] {REND} http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '82.170.185.9:9030'. Malformed rendezvous descriptor?
Feb 11 23:57:41.000 [info] {REND} connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 400 ("Bad Request"))
Feb 11 23:57:41.000 [warn] {REND} http status 400 ("Bad Request") response from dirserver '37.59.150.178:80'. Malformed rendezvous descriptor?
Feb 11 23:57:42.000 [info] {REND} connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 400 ("Nonauthoritative directory does not accept posted server descriptors"))
Feb 11 23:57:42.000 [warn] {REND} http status 400 ("Nonauthoritative directory does not accept posted server descriptors") response from dirserver '200.75.228.92:9030'. Malformed rendezvous descriptor?

comment:13 in reply to:  12 Changed 4 years ago by rransom

Replying to isis:

The patch in bug10849_024 seems not to fix the problem, or at least compiling this branch (with this torrc; just directories and port numbers changed, and debug logs enabled) the logs show the following:

Does the HS successfully publish its descriptors if you do not specify TunnelDirConns 0 and/or PreferTunneledDirConns 0?

comment:14 Changed 4 years ago by rransom

Also, debug-level LD_DIR messages (e.g. from directory_initiate_command_rend) are important, not just LD_REND.

comment:15 in reply to:  14 ; Changed 4 years ago by isis

Replying to rransom:

Also, debug-level LD_DIR messages (e.g. from directory_initiate_command_rend) are important, not just LD_REND.

Logs attached above, most of LD_DIR included, but it was noisy so I cut out the initial relay descriptor fetching.

comment:16 in reply to:  15 ; Changed 4 years ago by rransom

Replying to isis:

Replying to rransom:

Also, debug-level LD_DIR messages (e.g. from directory_initiate_command_rend) are important, not just LD_REND.

Logs attached above, most of LD_DIR included, but it was noisy so I cut out the initial relay descriptor fetching.

Thanks! (There were still some consensus/descriptor/microdesc fetches at the beginning, but I found the information I wanted.)

According to your logs, Tor is still refusing to use BEGINDIR:

Feb 11 23:57:39.000 [debug] {DIR} directory_initiate_command_rend(): anonymized 1, use_begindir 0.
Feb 11 23:57:39.000 [debug] {DIR} directory_initiate_command_rend(): Initiating hidden-service v2 descriptor upload

comment:17 Changed 4 years ago by isis

I think the problem is actually in directory_initiate_command_rend and my patch is in my bug10849-hsdesc-use-orport branch.

comment:18 in reply to:  16 Changed 4 years ago by isis

Replying to rransom:

Replying to isis:

Replying to rransom:

Also, debug-level LD_DIR messages (e.g. from directory_initiate_command_rend) are important, not just LD_REND.

Logs attached above, most of LD_DIR included, but it was noisy so I cut out the initial relay descriptor fetching.

Thanks! (There were still some consensus/descriptor/microdesc fetches at the beginning, but I found the information I wanted.)

According to your logs, Tor is still refusing to use BEGINDIR:

Feb 11 23:57:39.000 [debug] {DIR} directory_initiate_command_rend(): anonymized 1, use_begindir 0.
Feb 11 23:57:39.000 [debug] {DIR} directory_initiate_command_rend(): Initiating hidden-service v2 descriptor upload

Right. I saw the problem not as "tor isn't using BEGIN_DIR" but that BEGIN_DIR was meant for a tunnelled dir connection to the DirPort, not an anonymized connection to the ORPort. But there was very little info in either dir-spec*.txt or rend-spec.txt.

I haven't had a chance to test my patch yet; I'm leaving this country in less than 12 hours and I need to do some data sanitisation and sleep maybe. I probably won't be around until the afternoon before the dev meeting, when I arrive in Iceland.

comment:19 Changed 4 years ago by isis

I tested my patch and it appears to be working, but we should probably temporarily add some more LD_DIR logs to directory_initiate_command_rend() and maybe a few other related functions to see what is getting passed in. Here's the relevant log output from the build with my patch.

Also the specs are still not at all clear to me if we're supposed to be using BEGIN_DIR with anonymous directory requests, or if BEGIN_DIR is only for tunneled directory connections.

Changed 4 years ago by rransom

Fix my %@#! stupid code typo

Changed 4 years ago by rransom

Pass dir_purpose to directory_command_should_use_begindir

comment:20 Changed 4 years ago by rransom

There was a (stupid) code typo in my fix: router_purpose instead of dir_purpose. I've attached patches to fix the fix.
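
Added example (not Tor's code and not part of any comment on this ticket): a reduced C model of the client-side condition from comment:4 and the server-side checks from the description, showing why the fix has no effect while it tests router_purpose and starts working once it tests dir_purpose. The enum values, the variant switch and the rule that a request is encrypted exactly when BEGINDIR was used are assumptions of the model; the real functions check more than this.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: names echo the ticket, values are hypothetical. */
enum { EX_ROUTER_GENERAL = 0, EX_ROUTER_BRIDGE = 2 };
enum { EX_DIR_FETCH_CONSENSUS = 100, EX_DIR_UPLOAD_HS_DESC = 101 };
enum variant { ORIGINAL, TYPO_FIX, CORRECTED_FIX };
enum post_result { HS_PUBLISH_HANDLED, REJECTED_400_NONAUTH, AUTHDIR_UPLOAD_PATH };

#define PUBLISH_URL "/tor/rendezvous2/publish"

/* Model of the "sensitive purpose" test: only the HS descriptor upload. */
static bool is_sensitive_dir_purpose(int dir_purpose)
{
  return dir_purpose == EX_DIR_UPLOAD_HS_DESC;
}

/* Client side: the final condition quoted in comment:4, in three variants. */
static bool should_use_begindir(enum variant v, bool tunnel_dir_conns,
                                int router_purpose, int dir_purpose)
{
  bool exempt = false;
  if (v == TYPO_FIX)       /* wrong argument: a router purpose */
    exempt = is_sensitive_dir_purpose(router_purpose);
  if (v == CORRECTED_FIX)  /* right argument: the directory purpose */
    exempt = is_sensitive_dir_purpose(dir_purpose);
  if (!tunnel_dir_conns && router_purpose != EX_ROUTER_BRIDGE && !exempt)
    return false;          /* plain HTTP to the DirPort */
  return true;             /* BEGINDIR over the ORPort */
}

/* Server side: the two checks quoted in the ticket description. */
static enum post_result hsdir_handle_post(bool hid_serv_dir, bool encrypted,
                                          bool authdir, const char *url)
{
  if (hid_serv_dir && encrypted &&
      strncmp(url, PUBLISH_URL, strlen(PUBLISH_URL)) == 0)
    return HS_PUBLISH_HANDLED;
  if (!authdir)
    return REJECTED_400_NONAUTH;
  return AUTHDIR_UPLOAD_PATH;
}

/* End to end: an HS descriptor upload to a non-authority HSDir. Assumes the
 * request counts as encrypted exactly when BEGINDIR was used. */
static enum post_result publish_outcome(enum variant v, bool tunnel_dir_conns)
{
  bool begindir = should_use_begindir(v, tunnel_dir_conns, EX_ROUTER_GENERAL,
                                      EX_DIR_UPLOAD_HS_DESC);
  return hsdir_handle_post(true, begindir, false, PUBLISH_URL);
}

int main(void)
{
  static const char *names[] = { "original", "typo fix", "corrected fix" };
  for (int v = ORIGINAL; v <= CORRECTED_FIX; v++)
    printf("TunnelDirConns 0, %-13s -> %s\n", names[v],
           publish_outcome((enum variant)v, false) == HS_PUBLISH_HANDLED
             ? "publish handled" : "400 nonauthoritative");
  return 0;
}
```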

comment:21 in reply to:  19 Changed 4 years ago by rransom

Replying to isis:

I tested my patch and it appears to be working, but we should probably temporarily add some more LD_DIR logs to directory_initiate_command_rend() and maybe a few other related functions to see what is getting passed in. Here's the relevant log output from the build with my patch.

That didn't fix it:

Feb 12 04:57:57.000 [debug] {DIR} directory_initiate_command_rend(): anonymized 1, use_begindir 0.
Feb 12 04:57:57.000 [debug] {DIR} directory_initiate_command_rend(): Initiating hidden-service v2 descriptor upload

The following line only means that Tor has successfully started the process of uploading its HS descriptors, not that it has in fact successfully uploaded them. (This is horribly confusing. Someone should fix it.)

Feb 12 04:57:57.000 [info] {REND} upload_service_descriptor(): Successfully uploaded v2 rend descriptors!

And in the log that you posted, the upload operations never reported completion, either successful or unsuccessful. (That's probably a bug somewhere too.)

Also the specs are still not at all clear to me if we're supposed to be using BEGIN_DIR with anonymous directory requests, or if BEGIN_DIR is only for tunneled directory connections.

A directory connection is defined to be ‘tunneled’ iff it uses BEGIN_DIR. Almost all anonymous directory connections should also be tunneled; the sole exception is a DirPort reachability-test connection.
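
Added example (not Tor's code and not part of any comment on this ticket): a small C log check for an operator reading logs like the ones above. It ignores the "Successfully uploaded" line, counts the untunneled anonymized requests, and counts an upload as confirmed only when a directory answered. The sample lines are constructed in the format shown in this ticket with placeholder nicknames and addresses, and treating status 200 in the same message as success is an assumption.

```c
#include <stdio.h>
#include <string.h>

struct hs_upload_report {
  int launched;       /* directory_post_to_hs_dir(): Launching upload ... */
  int untunneled;     /* anonymized 1, use_begindir 0 */
  int claimed_ok;     /* "Successfully uploaded": upload started, no more */
  int answered_ok;    /* directory answered with status 200 (assumed success) */
  int answered_error; /* directory answered with any other status */
};

/* Constructed sample, modelled on the log format quoted in this ticket. */
static const char *const SAMPLE_LOG[] = {
  "Feb 11 23:57:39.000 [info] {REND} directory_post_to_hs_dir(): Launching upload for v2 descriptor for service '[scrubbed]' with descriptor ID '[scrubbed]' with validity of 77766 seconds to hidden service directory 'example1' on 192.0.2.10:9001.",
  "Feb 11 23:57:39.000 [debug] {DIR} directory_initiate_command_rend(): anonymized 1, use_begindir 0.",
  "Feb 11 23:57:39.000 [info] {REND} directory_post_to_hs_dir(): Launching upload for v2 descriptor for service '[scrubbed]' with descriptor ID '[scrubbed]' with validity of 77766 seconds to hidden service directory 'example2' on 192.0.2.20:443.",
  "Feb 11 23:57:39.000 [debug] {DIR} directory_initiate_command_rend(): anonymized 1, use_begindir 0.",
  "Feb 11 23:57:39.000 [info] {REND} upload_service_descriptor(): Successfully uploaded v2 rend descriptors!",
  "Feb 11 23:57:40.000 [info] {REND} connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 400 (\"Nonauthoritative directory does not accept posted server descriptors\"))",
  "Feb 11 23:57:41.000 [info] {REND} connection_dir_client_reached_eof(): Uploaded rendezvous descriptor (status 400 (\"Bad Request\"))",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Classify each line by the function name and message it carries. */
static struct hs_upload_report scan_hs_upload_log(const char *const *lines,
                                                  size_t n)
{
  struct hs_upload_report r = {0};
  for (size_t i = 0; i < n; i++) {
    const char *l = lines[i], *p;
    int status;
    if (strstr(l, "directory_post_to_hs_dir(): Launching upload"))
      r.launched++;
    else if (strstr(l, "directory_initiate_command_rend(): anonymized 1, use_begindir 0"))
      r.untunneled++;
    else if (strstr(l, "upload_service_descriptor(): Successfully uploaded"))
      r.claimed_ok++;
    else if ((p = strstr(l, "Uploaded rendezvous descriptor (status ")) &&
             sscanf(p, "Uploaded rendezvous descriptor (status %d", &status) == 1) {
      if (status == 200) r.answered_ok++;
      else r.answered_error++;
    }
  }
  return r;
}

/* Uploads that were launched but never confirmed by a directory. */
static int unconfirmed_uploads(const struct hs_upload_report *r)
{
  return r->launched - r->answered_ok;
}

int main(void)
{
  struct hs_upload_report r = scan_hs_upload_log(SAMPLE_LOG, SAMPLE_LOG_LEN);
  printf("launched=%d untunneled=%d claimed_ok=%d ok=%d error=%d unconfirmed=%d\n",
         r.launched, r.untunneled, r.claimed_ok, r.answered_ok,
         r.answered_error, unconfirmed_uploads(&r));
  return 0;
}
```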

comment:22 Changed 3 years ago by andrea

Keywords: 025-triaged added

comment:23 Changed 3 years ago by nickm

Keywords: nickm-review-0255 added

comment:24 Changed 3 years ago by nickm

Keywords: 023-backport added; nickm-review-0255 removed

this has languished too long. How about this very brute-force fix for 0.2.3 and 0.2.4: branch "bug10849_023_bruteforce".

And how about bug10849_025 for 0.2.5?

rransom's fix also looks plausible to me for 0.2.3 and 0.2.4.

comment:25 in reply to:  24 Changed 3 years ago by isis

Replying to nickm:

this has languished too long. How about this very brute-force fix for 0.2.3 and 0.2.4: branch "bug10849_023_bruteforce".

And how about bug10849_025 for 0.2.5?

rransom's fix also looks plausible to me for 0.2.3 and 0.2.4.

Unclear if you want either your patch or rransom's, or if rransom's is supposed to apply to 0.2.5 only.

Either way, nickm, your bug10849_023_bruteforce branch looks good to me, it's simple and tells the operator what they're doing wrong. It's probably easier to use the config changes for the backports since it's simpler and shouldn't mess with anything else.

FWIW, rransom's fix also looks good to me for 0.2.5, if that's still what you were planning to do.

comment:26 Changed 3 years ago by nickm

Keywords: 024-backport 023-backport removed

Merged bug10849_023_bruteforce to 0.2.3, 0.2.4, and master.

Still under consideration: bug10849_025, which just rips out the *TunneledDirConns options.

comment:27 Changed 3 years ago by nickm

Resolution: fixed
Status: needs_review → closed

The bug10849_025 fix still looks good to me; merging it into 0.2.5 so that *TunneledDirConns will be no more.

comment:28 Changed 16 months ago by nickm

Keywords: 2016-bug-retrospective added

Mark bugs for 2016 bug retrospective based on hand-examination of changelogs for 0.2.5 onwards.

comment:29 Changed 16 months ago by nickm

Mark bugs for 2016 bug retrospective based on hand-examination of changelogs for 0.2.5 onwards.

comment:30 Changed 16 months ago by nickm

Mark bugs for 2016 bug retrospective based on hand-examination of changelogs for 0.2.5 onwards.
