Opened 3 years ago

Last modified 4 months ago

#20006 needs_revision enhancement

HSFETCH fails for hidden services which use client authentication

Reported by: segfault
Owned by: rl1987
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.9.2-alpha
Severity: Normal
Keywords: tor-hs, tor-spec, tor-control, missing-feature, authentication, hs-auth, 040-deferred-20190220
Cc: segfault@…
Reviewer: dgoulet

Description (last modified by segfault)

When using HSFETCH with a hidden service which uses client authentication, it does not return the descriptor.

Example:

echo "AUTHENTICATE
HSFETCH prkszpeygn2a3kxo" | nc -U /var/run/tor/control

Output:

650 OK
650 HS_DESC REQUESTED prkszpeygn2a3kxo NO_AUTH $4D596DB0B8214621D60183B6CBF73DF67B0A97CD~CrashM jvdlgb7c3xkihcww5fypqnbkuv5dfima
650 HS_DESC FAILED prkszpeygn2a3kxo NO_AUTH $4D596DB0B8214621D60183B6CBF73DF67B0A97CD~CrashM rhdhss3jibwpmennesop3sops3mr42du REASON=BAD_DESC
650+HS_DESC_CONTENT prkszpeygn2a3kxo jvdlgb7c3xkihcww5fypqnbkuv5dfima $4D596DB0B8214621D60183B6CBF73DF67B0A97CD~CrashM

log:

Aug 27 13:29:45.000 [warn] Failed to parse introduction points. Either the service has published a corrupt descriptor or you have provided invalid authorization data.
Aug 27 13:29:45.000 [warn] Fetching v2 rendezvous descriptor failed. Retrying at another directory.

I took a quick look at the code and it seems like HSFETCH simply assumes no authentication is used:

  rend_query = rend_data_client_create(hsaddress, desc_id, NULL,
                                       REND_NO_AUTH);

https://gitweb.torproject.org/tor.git/tree/src/or/control.c#n4095
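As an added example (not part of the ticket or of Tor's code), the HS_DESC events in the output above can be parsed to flag this symptom: a fetch requested with NO_AUTH that failed with REASON=BAD_DESC. The function names and the last sample line are constructed for illustration; as the log message says, BAD_DESC can also mean a corrupt descriptor, so the result is a hint rather than proof.

```python
from collections import namedtuple

# Control-port output copied from the ticket; the final line is a
# constructed negative case (different service, REASON=NOT_FOUND).
SAMPLE = """\
650 OK
650 HS_DESC REQUESTED prkszpeygn2a3kxo NO_AUTH $4D596DB0B8214621D60183B6CBF73DF67B0A97CD~CrashM jvdlgb7c3xkihcww5fypqnbkuv5dfima
650 HS_DESC FAILED prkszpeygn2a3kxo NO_AUTH $4D596DB0B8214621D60183B6CBF73DF67B0A97CD~CrashM rhdhss3jibwpmennesop3sops3mr42du REASON=BAD_DESC
650+HS_DESC_CONTENT prkszpeygn2a3kxo jvdlgb7c3xkihcww5fypqnbkuv5dfima $4D596DB0B8214621D60183B6CBF73DF67B0A97CD~CrashM
650 HS_DESC FAILED aaaaaaaaaaaaaaaa NO_AUTH $0000000000000000000000000000000000000000~Example bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb REASON=NOT_FOUND
"""

HsDescEvent = namedtuple(
    "HsDescEvent", "action address auth_type hsdir desc_id fields")


def parse_hs_desc(line):
    """Parse one '650 HS_DESC ...' event line; return None for anything else."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "650" or parts[1] != "HS_DESC":
        return None  # e.g. '650 OK' or the '650+HS_DESC_CONTENT' header
    action, address, auth_type, hsdir = parts[2:6]
    desc_id, fields = None, {}
    for token in parts[6:]:
        if "=" in token:              # trailing KEY=VALUE arguments
            key, value = token.split("=", 1)
            fields[key] = value
        elif desc_id is None:         # optional positional descriptor ID
            desc_id = token
    return HsDescEvent(action, address, auth_type, hsdir, desc_id, fields)


def likely_auth_failures(text):
    """Addresses whose fetch was made with NO_AUTH and failed as BAD_DESC."""
    hits = set()
    for line in text.splitlines():
        ev = parse_hs_desc(line)
        if (ev and ev.action == "FAILED" and ev.auth_type == "NO_AUTH"
                and ev.fields.get("REASON") == "BAD_DESC"):
            hits.add(ev.address)
    return sorted(hits)


if __name__ == "__main__":
    for addr in likely_auth_failures(SAMPLE):
        print(addr, "- BAD_DESC on a NO_AUTH fetch; check client authorization")
```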


Change History (15)

comment:1 Changed 3 years ago by segfault

Description: modified (diff)

comment:2 Changed 2 years ago by nickm

Milestone: Tor: 0.3.1.x-final

comment:3 Changed 2 years ago by dgoulet

Keywords: tor-hs controller tor-spec added
Milestone: Tor: 0.3.1.x-final → Tor: unspecified
Type: defect → enhancement

comment:4 Changed 2 years ago by dgoulet

Unify controller keyword to "tor-control".

comment:5 Changed 2 years ago by dgoulet

Keywords: tor-control added; controller removed

Unify "controller" keyword to "tor-control".

comment:6 Changed 2 years ago by nickm

Keywords: missing-feature authentication hs-auth added

comment:7 Changed 6 months ago by rl1987

Status: new → needs_review

Implementing this turned out to be pretty simple, if we expect Tor to have a HidServAuth configuration entry for the target HS already. This enables us to refrain from making any changes to torspec, as the user can simply add HidServAuth through the control port before attempting HSFETCH.

See: https://github.com/torproject/tor/pull/621

However, I'm not sure what the testing approach is here. Should it be done with stem? It seems we don't have any existing unit tests for handle_control_hsfetch() that I could extend.

comment:8 Changed 6 months ago by rl1987

Owner: set to rl1987
Status: needs_review → assigned

comment:9 Changed 6 months ago by rl1987

Status: assigned → needs_review

comment:10 Changed 6 months ago by nickm

Milestone: Tor: unspecified → Tor: 0.4.0.x-final

comment:11 Changed 5 months ago by dgoulet

Reviewer: dgoulet

comment:12 Changed 5 months ago by dgoulet

lgtm except for one tiny detail on the PR.

As for testing, yeah we would need to create a new one from scratch that tests with client auth basically.

Last edited 5 months ago by dgoulet

comment:13 Changed 5 months ago by dgoulet

Status: needs_review → needs_revision

comment:14 Changed 5 months ago by rl1987

Pushed a fixup commit to the branch. Opened #29165 for the unit-testing part.

comment:15 Changed 4 months ago by nickm

Keywords: 040-deferred-20190220 added
Milestone: Tor: 0.4.0.x-final → Tor: unspecified

Deferring 51 tickets from 0.4.0.x-final. Tagging them with 040-deferred-20190220 for visibility. These are the tickets that did not get 040-must, 040-can, or tor-ci.
