Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13587 closed defect (not a bug)

scramblesuit bug: sharedSecret is not None

Reported by: hellais
Owned by: asn
Priority: Medium
Component: Obfuscation/Obfsproxy
Cc: asn, phw, mrphs, yawning

Description

We got an ooniprobe that indicates that this error is thrown in some cases when running ScrambleSuit.
See the report here:
http://reports.ooni.nu/IR/bridge_reachability-2014-10-24T213005Z-AS21341-probe.yamloo

Relevant obfsproxy log:

2014-10-25 04:44:43,342 [WARNING] Obfsproxy (version: 0.2.12) starting up.
2014-10-25 04:44:43,342 [INFO] Entering client managed-mode.
2014-10-25 04:44:43,343 [ERROR] 

################################################
Do NOT rely on ScrambleSuit for strong security!
################################################

2014-10-25 04:44:43,343 [INFO] Creating directory path `/tmp/tortmpXcfTNH/pt_state/scramblesuit/'.
2014-10-25 04:44:43,344 [INFO] OBFSSOCKSv5Factory starting on 57513
2014-10-25 04:44:43,344 [INFO] Starting factory <obfsproxy.network.socks.OBFSSOCKSv5Factory instance at 0x32bcea8>
2014-10-25 04:44:43,344 [INFO] Starting up the event loop.
2014-10-25 04:44:44,561 [ERROR] Unhandled Error
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 619, in _doReadOrWrite
    why = selectable.doWrite()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 592, in doConnect
    self._connectDone()
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 611, in _connectDone
    self.protocol.makeConnection(self)
  File "/usr/local/lib/python2.7/dist-packages/twisted/internet/protocol.py", line 481, in makeConnection
    self.connectionMade()
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy/network/socks.py", line 54, in connectionMade
    self.socks.set_up_circuit(self)
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy/network/socks.py", line 162, in set_up_circuit
    self.circuit.setUpstreamConnection(self)
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy/network/network.py", line 109, in setUpstreamConnection
    self.circuitCompleted(self.downstream)
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy/network/network.py", line 134, in circuitCompleted
    self.transport.circuitConnected()
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy/transports/scramblesuit/scramblesuit.py", line 242, in circuitConnected
    self.circuit.downstream.write(self.uniformdh.createHandshake())
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy/transports/scramblesuit/uniformdh.py", line 168, in createHandshake
    assert self.sharedSecret is not None
exceptions.AssertionError: 

2014-10-25 04:51:21,990 [INFO] Received SIGTERM, shutting down.
2014-10-25 04:51:21,990 [INFO] (TCP Port 57513 Closed)
2014-10-25 04:51:21,991 [INFO] Stopping factory <obfsproxy.network.socks.OBFSSOCKSv5Factory instance at 0x32bcea8>
2014-10-25 04:51:21,991 [INFO] Main loop terminated.

Change History (9)

comment:1 Changed 4 years ago by mrphs

Cc: mrphs added

comment:2 Changed 4 years ago by asn

Component: Pluggable transport → Obfsproxy
Summary: Bug found while running ooniprobe in Iran → scramblesuit bug: sharedSecret is not None

comment:3 Changed 4 years ago by yawning

Cc: yawning added

comment:4 Changed 4 years ago by phw

Status: new → needs_information

Do we already know if this is a bug in ScrambleSuit or if OONI simply invoked ScrambleSuit without the password option?

comment:5 in reply to:  4 Changed 4 years ago by yawning

Status: needs_information → needs_review

Replying to phw:

Do we already know if this is a bug in ScrambleSuit or if OONI simply invoked ScrambleSuit without the password option?

"Yes" (It's both).

When in managed mode, and the password option is missing entirely, handle_socks_args() will never get called from the base code, resulting in the shared secret being None and the assert being hit, since that condition is never explicitly checked.

It's trivial to reproduce (just delete the password argument from the bridge line), and trivial to fix (https://gitweb.torproject.org/user/yawning/obfsproxy.git/commit/49dd8aae6064839d08f677b1ff641b56951dd9ca)

comment:6 Changed 4 years ago by hellais

After checking what we were running on the probe machines, it turned out that in some cases we were not specifying the password in the Bridge line; adding it fixed it.

Glad to hear, though, that the usage with the command line option will also work.

I think this can be closed.

comment:7 Changed 4 years ago by phw

Resolution: not a bug
Status: needs_review → closed

comment:8 Changed 4 years ago by yawning

Shouldn't the code handle the password being missing more gracefully than "assert and dump a stacktrace, and not bothering to tear down the connection"?

I guess it's up to asn if he wants to merge my branch or not, but "logging an error and closing the connection" seems like the sane thing to do if only for the sake of troubleshooting this the next time it happens.

comment:9 Changed 4 years ago by asn

Merged Yawning's code since it was The Right Thing to do.

Thanks! Closing this ticket!
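
The failure mode discussed in comments 5 and 8, as an added example that is not part of the ticket and is not Yawning's patch or obfsproxy code: a small Python model comparing an assert-only guard with an explicit check that logs and closes the connection. The classes, the `connect()` helper, the "key=value" argument format and the placeholder handshake are assumptions made for the model; only the names handle_socks_args, circuitConnected, createHandshake and sharedSecret come from the traceback and discussion above.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("scramblesuit-example")

class Downstream:
    """Constructed stand-in for the downstream connection."""
    def __init__(self):
        self.written, self.closed = [], False
    def write(self, data):
        self.written.append(data)
    def close(self):
        self.closed = True

class AssertOnly:
    """Model of the reported behaviour: the secret is guarded only by an assert."""
    def __init__(self):
        self.sharedSecret = None
        self.downstream = Downstream()
    def handle_socks_args(self, args):
        # Assumed "key=value" argument format for this model.
        for arg in args:
            key, _, value = arg.partition("=")
            if key == "password":
                self.sharedSecret = value.encode()
    def createHandshake(self):
        # Note: assert statements are removed entirely under `python -O`.
        assert self.sharedSecret is not None
        # Placeholder bytes, not ScrambleSuit's real handshake format.
        return hmac.new(self.sharedSecret, b"constructed", hashlib.sha256).digest()
    def circuitConnected(self):
        self.downstream.write(self.createHandshake())
        return True

class ExplicitCheck(AssertOnly):
    """Model of the handling asked for in comment 8: log, close, stop."""
    def circuitConnected(self):
        if self.sharedSecret is None:
            log.error("No password in bridge line; closing connection.")
            self.downstream.close()
            return False
        return super().circuitConnected()

def connect(transport_cls, bridge_args):
    """Managed-mode model: with no arguments the handler is never called."""
    transport = transport_cls()
    if bridge_args:
        transport.handle_socks_args(bridge_args)
    return transport, transport.circuitConnected()
```

Calling `connect(AssertOnly, [])` raises AssertionError and leaves the connection open, while `connect(ExplicitCheck, [])` returns `False` with the downstream closed and nothing written.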