#21107 closed defect (fixed)

0.3.0.x dir auths enforcing ED identity keys: intended?

Reported by: arma
Owned by: nickm
Priority: Very High
Milestone: Tor: 0.3.0.x-final
Component: Core Tor/Tor
Version: Tor: 0.3.0.1-alpha
Severity: Critical
Keywords:
Cc: dgoulet
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Check out the 'atlassky' relay. n-1 dir auths are voting about it because they find it to be Running. (I think it is Running.)

But moria1 is voting only V2Dir, and no other flags. That seems to come from:

Dec 29 12:21:44.517 [info] channel_tls_process_versions_cell(): Negotiated version 4 with 176.123.26.11:80; Sending cells: CERTS
Dec 29 12:21:44.517 [info] connection_or_client_learned_peer_id(): learned peer id for 0x7f97d5d688f0 (176.123.26.11): 848878591CAF51274E3A9B71933E9599FA39E122, <null>
Dec 29 12:21:44.517 [info] dirserv_orconn_tls_done(): Router at 176.123.26.11:80 with RSA ID 848878591CAF51274E3A9B71933E9599FA39E122 did not present expected Ed25519 ID.
Dec 29 12:21:44.517 [info] channel_tls_process_certs_cell(): Got some good certificates from 176.123.26.11:80: Authenticated it with RSA
Dec 29 12:21:44.517 [info] channel_tls_process_auth_challenge_cell(): Got an AUTH_CHALLENGE cell from 176.123.26.11:80: Sending authentication type 1
Dec 29 12:21:44.517 [info] channel_tls_process_netinfo_cell(): Got good NETINFO cell from 176.123.26.11:80; OR connection is now open, using protocol version 4. Its ID digest is 848878591CAF51274E3A9B71933E9599FA39E122. Our address is apparently 128.31.0.34.

From the new code in dirserv_orconn_tls_done(), I see

    if (! ed_id_rcvd || ! ed25519_pubkey_eq(ed_id_rcvd, expected_id)) {
      log_info(LD_DIRSERV, "Router at %s:%d with RSA ID %s "
               "did not present expected Ed25519 ID.",
               fmt_addr(addr), or_port, hex_str(digest_rcvd, DIGEST_LEN));
      return; /* Don't mark it as reachable. */
    }

So it looks like the dir auths are now enforcing whatever ED key they saw from the relay earlier? Is this change intended at this point? If so, is there anything we need to do to explain to current relays what they need to do or not do?

Change History (14)

comment:1 Changed 11 months ago by arma

Also, it looks like we're marking the relay as not running, yet we're considering the tls connection open and usable? That sounds weird.

comment:2 Changed 11 months ago by nickm

Milestone: Tor: 0.3.0.x-final

comment:3 Changed 11 months ago by nickm

> So it looks like the dir auths are now enforcing whatever ED key they saw from the relay earlier?

So, this is happening *during the connection attempt*, not during the directory voting stage. Because moria1 knows a descriptor with an Ed25519 key for this relay, it expects to find that ed25519 key when it connects. The same thing would happen to any other 0.3.0.1-alpha client trying to connect to this router using that descriptor.

The difference with a directory authority is that it causes the reachability tests to reject this relay.

I'm fine with this, personally -- we mean to turn key pinning on anyway, with #18319 .

> If so, is there anything we need to do to explain to current relays what they need to do or not do?

They need to make sure they only have one relay running with any given RSA key; see #18319 analysis.

comment:4 Changed 11 months ago by nickm

> Also, it looks like we're marking the relay as not running, yet we're considering the tls connection open and usable? That sounds weird.

We try to connect to it by its RSA key ID only, when we connect to see if it's running. Since we never said which Ed25519 key we wanted for this relay, we won't close the connection when it arrives.

Yeah, it's a little weird.

I think this whole ticket is not-a-bug though. Thoughts?

comment:5 Changed 11 months ago by arma

Cc: dgoulet added

dgoulet points out that moria1 is only voting for around 2500 running relays.

Maybe it's coincidence, or maybe it is this issue.

comment:6 Changed 11 months ago by nickm

Huh. Is ed25519 negotiation happening successfully with some of those relays, or none, or just a few?

Can anything be said about the versions of the relays that are omitted?

comment:7 Changed 11 months ago by nickm

Owner: set to nickm
Priority: Medium → Very High
Severity: Normal → Critical
Status: new → accepted

> Can anything be said about the versions of the relays that are omitted?

Dgoulet reports that moria1 omits 028 and 029 relays entirely!

I think the bug may be that it isn't checking whether the relay is expected to know the new handshake -- only whether it has an ed25519 key?

comment:8 Changed 11 months ago by dgoulet

Here is some data on moria1 current vote:

  Voting 2652 running relay out of 7860
  Relays per version (not only Running):
    > 0.2.7.x: 1092
    > 0.2.8.x: 1888
    > 0.2.9.x: 1910
Tor 0.2.4.19: 2
Tor 0.2.4.20: 15
Tor 0.2.4.21: 9
Tor 0.2.4.22: 21
Tor 0.2.4.23: 159
Tor 0.2.4.24: 14
Tor 0.2.4.25: 1
Tor 0.2.4.26: 4
Tor 0.2.4.27: 586
Tor 0.2.5.0-alpha-dev: 1
Tor 0.2.5.10: 32
Tor 0.2.5.11: 4
Tor 0.2.5.12: 1136
Tor 0.2.5.5-alpha: 10
Tor 0.2.5.6-alpha: 1
Tor 0.2.5.8-rc: 4
Tor 0.2.6.0-alpha-dev: 6
Tor 0.2.6.1-alpha-dev: 1
Tor 0.2.6.10: 449
Tor 0.2.6.2-alpha: 1
Tor 0.2.6.6: 4
Tor 0.2.6.7: 9
Tor 0.2.6.8: 7
Tor 0.2.6.9: 23
Tor 0.2.7.1-alpha: 1
Tor 0.3.0.0-alpha-dev: 13
Tor 0.3.0.1-alpha: 123
Tor 0.3.0.1-alpha-dev: 16

comment:9 Changed 10 months ago by nickm

Okay, theory supported. It means that moria is not voting "Running" for any version between 0.2.7.2-alpha and 0.3.0.0-alpha-dev. But it's voting Running for 0.2.7.1-alpha, and voting Running for 0.3.0.1-alpha.

0.2.7.2-alpha was the first version for relays to have Ed25519 keys.

During 0.3.0.0-alpha-dev, we implemented the link handshake part of Ed25519.
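
An added illustration of the hypothesis in comments 7 and 9, not code from this ticket or from Tor: a reachability check that demands the Ed25519 key from every relay whose descriptor lists one, next to a variant that excuses a missing key only when the relay cannot present one. `relay_t`, `speaks_ed_handshake`, `scenario()` and both check functions are hypothetical names, and the keys are constructed filler bytes; the actual one-line fix on the bug21107 branch is not shown on this page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ED_LEN 32

/* Hypothetical model, not Tor's structures: what the authority knows
 * about a relay from its descriptor. */
typedef struct {
  bool has_ed_key;            /* descriptor carries an Ed25519 identity */
  bool speaks_ed_handshake;   /* assumed flag: relay's version implements
                                 the Ed25519 link handshake */
  unsigned char ed_expected[ED_LEN];
} relay_t;

/* Check as described in the ticket: a known Ed25519 key must be presented. */
bool reachable_strict(const relay_t *r, const unsigned char *ed_rcvd) {
  if (!r->has_ed_key) return true;
  return ed_rcvd && memcmp(ed_rcvd, r->ed_expected, ED_LEN) == 0;
}

/* Version-aware variant: a missing key is excused only for relays that
 * cannot present one; a key that is presented must always match. */
bool reachable_version_aware(const relay_t *r, const unsigned char *ed_rcvd) {
  if (!r->has_ed_key) return true;
  if (!ed_rcvd) return !r->speaks_ed_handshake;
  return memcmp(ed_rcvd, r->ed_expected, ED_LEN) == 0;
}

/* Constructed scenario: presented is 0 = no key, 1 = expected key, 2 = other key. */
bool scenario(bool has_ed, bool speaks, int presented, bool version_aware) {
  relay_t r = { has_ed, speaks, {0} };
  unsigned char other[ED_LEN];
  memset(r.ed_expected, 0xA1, ED_LEN);
  memset(other, 0xB2, ED_LEN);
  const unsigned char *rcvd =
      presented == 1 ? r.ed_expected : presented == 2 ? other : NULL;
  return version_aware ? reachable_version_aware(&r, rcvd)
                       : reachable_strict(&r, rcvd);
}

int main(void) {
  /* Relay with an Ed25519 key in its descriptor but an RSA-only handshake. */
  printf("strict: %d, version-aware: %d\n",
         scenario(true, false, 0, false), scenario(true, false, 0, true));
  return 0;
}
```
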

comment:10 Changed 10 months ago by nickm

Status: accepted → needs_review

bug21107 is a possible one-line fix.

comment:11 Changed 10 months ago by arma

moria1 has been running the fix for the past hours. Somebody should check if they like its new behavior. It looks promising.

comment:12 Changed 10 months ago by dgoulet

moria1 is indeed voting Running again, latest: 7213 Running :)

comment:13 Changed 10 months ago by nickm

I like the new behavior and so does dgoulet. Here's the version-by-version breakdown. First column is version; second is Running routers, third is all listed routers.

Tor 0.2.4.19	1	2
Tor 0.2.4.20	15	18
Tor 0.2.4.21	9	9
Tor 0.2.4.22	18	22
Tor 0.2.4.23	132	255
Tor 0.2.4.24	13	13
Tor 0.2.4.25	1	1
Tor 0.2.4.26	4	4
Tor 0.2.4.27	600	651
Tor 0.2.5.0-alpha-dev	1	1
Tor 0.2.5.10	32	35
Tor 0.2.5.11	2	2
Tor 0.2.5.12	1131	1244
Tor 0.2.5.13	1	1
Tor 0.2.5.5-alpha	10	10
Tor 0.2.5.6-alpha	1	1
Tor 0.2.5.8-rc	4	4
Tor 0.2.6.0-alpha-dev	7	8
Tor 0.2.6.1-alpha-dev	1	1
Tor 0.2.6.10	422	435
Tor 0.2.6.2-alpha	1	1
Tor 0.2.6.6	1	1
Tor 0.2.6.7	6	7
Tor 0.2.6.8	7	7
Tor 0.2.6.9	19	21
Tor 0.2.7.1-alpha	2	2
Tor 0.2.7.1-alpha-dev	1	1
Tor 0.2.7.2-alpha	1	1
Tor 0.2.7.3-rc	1	1
Tor 0.2.7.4-rc	2	3
Tor 0.2.7.5	22	22
Tor 0.2.7.6	957	1042
Tor 0.2.8.0-alpha-dev	2	2
Tor 0.2.8.1-alpha	3	3
Tor 0.2.8.10	80	90
Tor 0.2.8.10-dev	1	1
Tor 0.2.8.11	177	190
Tor 0.2.8.12	229	244
Tor 0.2.8.2-alpha	3	3
Tor 0.2.8.3-alpha	1	1
Tor 0.2.8.6	35	40
Tor 0.2.8.6-dev	1	1
Tor 0.2.8.7	104	124
Tor 0.2.8.8	97	107
Tor 0.2.8.9	536	576
Tor 0.2.9.1-alpha	1	1
Tor 0.2.9.2-alpha	4	4
Tor 0.2.9.3-alpha	1	1
Tor 0.2.9.3-alpha-dev	1	1
Tor 0.2.9.4-alpha	10	10
Tor 0.2.9.5-alpha	13	13
Tor 0.2.9.6-rc	4	5
Tor 0.2.9.7-rc	3	3
Tor 0.2.9.8	884	942
Tor 0.2.9.8-dev	3	3
Tor 0.2.9.9	1388	1539
Tor 0.2.9.9-dev	2	2
Tor 0.3.0.0-alpha-dev	5	5
Tor 0.3.0.1-alpha	69	81
Tor 0.3.0.1-alpha-dev	10	12
Tor 0.3.0.2-alpha	128	131
Tor 0.3.0.2-alpha-dev	20	22

comment:14 Changed 10 months ago by nickm

Resolution: fixed
Status: needs_review → closed

Merged this fix to master. :)
