Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#2722 closed defect (fixed)

TunnelDirConns option affects hid_serv_get_responsible_directories

Reported by: rransom
Owned by: rransom
Priority: High
Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.2.23-alpha
Severity:
Keywords: tor-hs
Cc: nickm, arma, karsten
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

If the TunnelDirConns torrc option is off, hid_serv_get_responsible_directories skips over any HSDir relay that does not advertise a DirPort when building its list of hidden service directory nodes 'responsible' for a descriptor ID. This behaviour cannot possibly be correct.

The TunnelDirConns option should not affect a Tor instance's use of hidden service directories, as clients and hidden services always connect to hidden service directories anonymously (thus using BEGIN_DIR). Also, in order for the hidden service directory system to work correctly, every Tor instance must consider the same set of hidden service directories to be responsible for a descriptor ID, regardless of its configuration settings.
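A simplified model of the ring selection discussed in the description, added here as an illustration and not taken from Tor's source or from this ticket. Small integers stand in for identity digests, the consensus is constructed, and `responsible_dirs`, `sets_agree` and the count of three are assumptions of this example. It shows two instances that differ only in TunnelDirConns disagreeing on the responsible set when the walk filters on DirPort.

```c
#include <stdio.h>
#include <string.h>

#define N_RESPONSIBLE 3  /* HSDirs picked per descriptor ID (example constant) */

/* Simplified relay entry: a small integer stands in for the identity digest. */
struct relay { unsigned id; int is_hs_dir; int dir_port; };

/* Constructed consensus, sorted by id so that array order is ring order. */
static const struct relay consensus[] = {
    {10, 1, 9030}, {20, 1, 0},    {30, 0, 9030}, {40, 1, 9030},
    {50, 1, 0},    {60, 1, 9030}, {70, 1, 9030},
};
#define N_RELAYS (sizeof consensus / sizeof consensus[0])

/* Walk the ring from the first relay at or after desc_id and collect up to
 * N_RESPONSIBLE HSDirs. With filter_on_dirport set, HSDirs without a DirPort
 * are skipped whenever tunnel_dir_conns is 0 (the behaviour the ticket
 * reports). Returns the number of ids written to out. */
static int responsible_dirs(unsigned desc_id, int tunnel_dir_conns,
                            int filter_on_dirport, unsigned out[N_RESPONSIBLE])
{
    size_t start = 0, k;
    int n = 0;
    while (start < N_RELAYS && consensus[start].id < desc_id)
        start++;
    for (k = 0; k < N_RELAYS && n < N_RESPONSIBLE; k++) {
        const struct relay *r = &consensus[(start + k) % N_RELAYS];
        if (!r->is_hs_dir)
            continue;
        if (filter_on_dirport && !tunnel_dir_conns && r->dir_port == 0)
            continue;                /* a local option changes the set */
        out[n++] = r->id;
    }
    return n;
}

/* 1 if TunnelDirConns=1 and TunnelDirConns=0 pick the same HSDirs. */
static int sets_agree(unsigned desc_id, int filter_on_dirport)
{
    unsigned a[N_RESPONSIBLE] = {0}, b[N_RESPONSIBLE] = {0};
    int na = responsible_dirs(desc_id, 1, filter_on_dirport, a);
    int nb = responsible_dirs(desc_id, 0, filter_on_dirport, b);
    return na == nb && memcmp(a, b, sizeof a) == 0;
}

int main(void)
{
    printf("DirPort filter on:  agree=%d\n", sets_agree(15, 1));
    printf("DirPort filter off: agree=%d\n", sets_agree(15, 0));
    return 0;
}
```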

Change History (11)

comment:1 Changed 8 years ago by rransom

Milestone: Tor: 0.2.1.x-final
Priority: normal → blocker

The fix for this is to revert commit 9a7098487b2c25f36112b3521758f42621dcd6af (first released in 0.2.1.6-alpha). That earlier commit claimed to be a 'bugfix'; if it really was, then Tor clients were connecting directly to HSDir nodes to upload and fetch hidden service descriptors, which is a major information leak.

Raising priority to 'blocker' until we know how serious this problem is.

comment:2 Changed 8 years ago by rransom

Status: new → needs_review

See bug2722 ( ssh://mob@repo.or.cz/srv/git/tor/rransom.git bug2722 ) (on maint-0.2.1) for a revert of 9a709848. We still need to audit the HS code to make sure it never tries to contact v2 HSDirs directly.

comment:3 in reply to:  2 Changed 8 years ago by rransom

Priority: blocker → normal

Replying to rransom:

> We still need to audit the HS code to make sure it never tries to contact v2 HSDirs directly.

The calls to directory_initiate_command_routerstatus_rend and directory_initiate_command_routerstatus in src/or/rendclient.c and src/or/rendservice.c both have anonymized_connection set to 1, so they should not result in direct connections to HSDir nodes.

comment:4 Changed 8 years ago by Sebastian

I think we're currently (in the deployed network with the deployed dirauths) safe here, because all HSDir nodes are required to have a dirport open due to bug #1693. This is not future-proof and we should verify that we're always using a begindir connection. We should talk to karsten about what triggered this fix, and his thoughts on the revert. Is 0.2.1.x the appropriate milestone here? Looks like we'll keep requiring hsdirs have a dirport open for quite a while, so if we can't reach karsten for a comment here we should probably put this into 0.2.2.x

comment:5 Changed 8 years ago by nickm

Cc: karsten added

Adding karsten to the cc here, since I'm only seeing "We should ask karsten" and not "I have asked karsten" ;)

comment:6 in reply to:  4 Changed 8 years ago by karsten

Replying to Sebastian:

> We should talk to karsten about what triggered this fix, and his thoughts on the revert.

I really don't know anymore. In general, "we should talk to karsten" isn't a good algorithm to investigate potential hidden service bugs. I'm mostly ignoring hidden services for, what, 2 years now, and I'd really appreciate if someone else becomes the new hidden service expert. Sorry.

> if we can't reach karsten for a comment here we should probably put this into 0.2.2.x

Why not put it into 0.2.3.x first to see if something breaks badly and backport to 0.2.2.x or 0.2.1.x if it works fine?

comment:7 Changed 8 years ago by rransom

If we don't put this in 0.2.1.31, we'll need to add a comment to the DA code on maint-0.2.2. See bug2722b ( ssh://mob@repo.or.cz/srv/git/tor/rransom.git bug2722b ).

comment:8 Changed 8 years ago by nickm

Milestone: Tor: 0.2.1.x-final → Tor: 0.2.2.x-final
Priority: normal → major

We should target this for 0.2.2: Even if we fix all 0.2.1.31 clients and later (say), the workaround will need to continue to exist until all current Tor implementations are obsolete.

comment:9 Changed 8 years ago by nickm

Resolution: fixed
Status: needs_review → closed

merged into 0.2.2; thanks!

comment:10 Changed 7 years ago by nickm

Keywords: tor-hs added

comment:11 Changed 7 years ago by nickm

Component: Tor Hidden Services → Tor