Opened 4 months ago

Closed 4 months ago

#26776 closed defect (duplicate)

Control port failures for hidden services

Reported by: oqista
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

1.
With Tor 0.3.2.9 on Linux, connect to the control port. Then setconf HiddenServiceDir (to create a new service) and HiddenServicePort, as one command. Then getconf HiddenServiceOptions to make sure it's right.

Now, connect to your new hidden service from another computer, with no authorization. Success, as expected.

Then, setconf HiddenServiceDir (for the same service as before), HiddenServicePort, and HiddenServiceAuthorizeClient, all as one command. Notice the hostname file for the hidden service now contains an auth cookie, as expected.

Finally, connect to the hidden service again from another computer, still with no authorization. Success! But it should fail, since you didn't provide the auth cookie!

To fix it, you have to restart Tor on your server, and do setconf _with_ HiddenServiceAuthorizeClient the first time.

2.
The same bug hits in the other direction too: after you restart Tor to start enforcing the auth cookie, if you do setconf without HiddenServiceAuthorizeClient, then the auth cookie immediately disappears from the hostname file (as expected), but Tor continues enforcing the cookie until you restart.

3.
The same configuration-stickiness bug applies to setconf HidServAuth on the client side too (tested on Linux and Windows). If you try to connect to a hidden service requiring authentication before you set HidServAuth, then of course it fails, but if you then set HidServAuth, it _still_ fails. You have to restart Tor, then set HidServAuth _before_ you try to connect to the hidden service for the first time. Then it will succeed.

Just to be clear: to trigger these bugs, do all the various configurations and reconfigurations exclusively via the control port. Don't set any of them in torrc.
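
A check an operator can run after reconfiguring over the control port, as an added example that is not part of the ticket: it parses `GETCONF HiddenServiceOptions` replies and lists services whose `HiddenServiceAuthorizeClient` setting differs from the one they were created with, which is the state where this report says enforcement does not change until Tor restarts. The reply text is constructed sample data, and `parse_hs_options` and `auth_drift` are hypothetical helper names.

```python
# Added example; the control-port replies below are constructed sample data.
STARTUP_REPLY = (
    "250-HiddenServiceOptions\r\n"
    "250-HiddenServiceDir=/var/lib/tor/hs_example\r\n"
    "250 HiddenServicePort=80 127.0.0.1:8080\r\n"
)
CURRENT_REPLY = (
    "250-HiddenServiceOptions\r\n"
    "250-HiddenServiceDir=/var/lib/tor/hs_example\r\n"
    "250-HiddenServicePort=80 127.0.0.1:8080\r\n"
    "250 HiddenServiceAuthorizeClient=basic client1\r\n"
)


def parse_hs_options(reply):
    """Parse a GETCONF HiddenServiceOptions reply into {dir: {"ports", "auth"}}."""
    services, current = {}, None
    for line in (raw.strip() for raw in reply.splitlines()):
        if not line:
            continue
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("unexpected control reply: %r" % line)
        key, sep, value = line[4:].partition("=")
        if not sep:  # bare keyword such as the "HiddenServiceOptions" header
            continue
        if key == "HiddenServiceDir":  # each HiddenServiceDir starts a new service
            current = services.setdefault(value, {"ports": [], "auth": None})
        elif current is None:
            raise ValueError("%s appears before any HiddenServiceDir" % key)
        elif key == "HiddenServicePort":
            current["ports"].append(value)
        elif key == "HiddenServiceAuthorizeClient":
            current["auth"] = value
    return services


def auth_drift(at_creation, now):
    """List (dir, old_auth, new_auth) where authorization changed after creation."""
    drift = []
    for hs_dir, conf in now.items():
        before = at_creation.get(hs_dir)
        if before is not None and before["auth"] != conf["auth"]:
            drift.append((hs_dir, before["auth"], conf["auth"]))
    return sorted(drift, key=lambda item: item[0])


if __name__ == "__main__":
    for hs_dir, old, new in auth_drift(parse_hs_options(STARTUP_REPLY),
                                       parse_hs_options(CURRENT_REPLY)):
        print("%s: auth %r -> %r set via SETCONF; restart Tor and re-test" % (hs_dir, old, new))
```

A non-empty result means the configuration reported by GETCONF and the behaviour described in this ticket can disagree, so the service should be re-tested from a client after a restart.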

Change History (3)

comment:1 Changed 4 months ago by Dbryrtfbcbhgf

Have you been able to reproduce this bug on Tor 0.3.3.8 or in the alpha 0.3.4.4-rc?

And installing the latest development snapshot of Stem may also fix the bugs.
git clone https://git.torproject.org/stem.git

comment:2 Changed 4 months ago by oqista

Reproduced on 0.3.3.7 on Windows. https://www.torproject.org/download/download.html.en has no Windows build for 0.3.3.8 yet, and on Linux my distribution doesn't package it yet.

I'm not using Stem. To reproduce the bugs, talk to Tor's control port directly, e.g. using netcat.

comment:3 Changed 4 months ago by dgoulet

Resolution: duplicate
Status: new → closed

Thanks for this oqista! I've opened #26812 with what I believe is the problem in the code. We'll defer every discussion about this bug there from now on. There might be more things but as we discover them, we'll open tickets if needed. Closing this ticket as duplicate for this purpose.

Thanks again!
