Opened 7 months ago

Last modified 7 months ago

#29134 assigned defect

Document the max number of v3 client auths I can make

Reported by: pastly Owned by: haxxpop
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor: 0.3.5.7
Severity: Normal Keywords: 035-proposed
Cc: dgoulet, asn Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I'm testing out v3 onion service client auth. I couldn't find a documented maximum number of clients I can authorize for a single onion service, so I tried a really big number (400).

Full log here: https://paste.debian.net/1061430/ and first bit here:

matt@spacecow:~/src/tor$ ./src/app/tor -f torrc-server
Jan 19 13:34:11.635 [notice] Tor 0.3.5.7 (git-9beb085c10562a25) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0j, Zlib 1.2.8, Liblzma N/A, and Libzstd N/A.
Jan 19 13:34:11.635 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jan 19 13:34:11.635 [notice] Read configuration file "/home/matt/src/tor/torrc-server".
Jan 19 13:34:11.640 [warn] Path for DataDirectory (data-server) is relative and will resolve to /home/matt/src/tor/data-server. Is this what you wanted?
Jan 19 13:34:11.640 [warn] Path for PidFile (data-server/tor.pid) is relative and will resolve to /home/matt/src/tor/data-server/tor.pid. Is this what you wanted?
Jan 19 13:34:11.640 [warn] Path for HiddenServiceDir (data-server/onion_service) is relative and will resolve to /home/matt/src/tor/data-server/onion_service. Is this what you wanted?
Jan 19 13:34:11.641 [warn] Your log may contain sensitive information - you disabled SafeLogging. Don't log unless it serves an important reason. Overwrite the log afterwards.
Jan 19 13:34:11.666 [notice] Bootstrapped 0%: Starting
Jan 19 13:34:11.948 [notice] Starting with guard context "default"
Jan 19 13:34:12.666 [notice] Bootstrapped 10%: Finishing handshake with directory server
Jan 19 13:34:12.666 [notice] Bootstrapped 80%: Connecting to the Tor network
Jan 19 13:34:12.722 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jan 19 13:34:13.048 [notice] Bootstrapped 100%: Done
Jan 19 13:34:14.676 [warn] We just made an HS descriptor that's too big (54736).Failing.
Jan 19 13:34:14.676 [warn] tor_bug_occurred_(): Bug: src/feature/hs/hs_service.c:2828: upload_descriptor_to_hsdir: Non-fatal assertion !(service_encode_descriptor(service, desc, &desc->signing_kp, &encoded_desc) < 0) failed. (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug: Non-fatal assertion !(service_encode_descriptor(service, desc, &desc->signing_kp, &encoded_desc) < 0) failed in upload_descriptor_to_hsdir at src/feature/hs/hs_service.c:2828. Stack trace: (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(log_backtrace_impl+0x47) [0x564e05c29297] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(tor_bug_occurred_+0xc0) [0x564e05c24930] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(hs_service_run_scheduled_events+0x1d6a) [0x564e05b4c5ca] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(+0x65e71) [0x564e05aa7e71] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(+0x697e1) [0x564e05aab7e1] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5(event_base_loop+0x6a0) [0x7f19b89755a0] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(do_main_loop+0x9d) [0x564e05aab21d] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(tor_run_main+0x1215) [0x564e05a990a5] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(tor_main+0x3a) [0x564e05a962ca] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(main+0x19) [0x564e05a95e49] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1) [0x7f19b7ac12e1] (on Tor 0.3.5.7 9beb085c10562a25)
Jan 19 13:34:14.677 [warn] Bug:     ./src/app/tor(_start+0x2a) [0x564e05a95e9a] (on Tor 0.3.5.7 9beb085c10562a25)

I didn't expect to be allowed an unlimited number of client authorizations, but I do expect Tor to handle too many more gracefully.

matt@spacecow:~/src/tor$ cat torrc-server 
DataDirectory data-server
Log notice file data-server/notice.log
Log notice stdout
PidFile data-server/tor.pid
SocksPort 0

SafeLogging 0
LogTimeGranularity 1

HiddenServiceDir data-server/onion_service
HiddenServicePort 80 11223
matt@spacecow:~/src/tor$ cat torrc-client
DataDirectory data-client
Log notice file data-client/notice.log
Log notice stdout
PidFile data-client/tor.pid
SocksPort auto

SafeLogging 0
LogTimeGranularity 1

ClientOnionAuthDir data-client/v3onionauth

I wrote a script to generate a ton of .auth and .auth_private files.

  1. Start the server's tor with DisableNetwork set, wait for it to bootstrap, then stop it. Grab the hostname of the onion service
  2. Use this script (https://paste.debian.net/1061432/) to generate a bunch of .auth and .auth_private files. For example:
matt@spacecow:~/src/python-snippits/src ./x25519-gen.py \
> ck7vkjy5dfk4dh564wnhqrdhmeh4qrnnkmo5tdwu4n7wickkhbzrb7yd \
> 400 \
> ~/src/tor/data-server/onion_service/authorized_clients/ \
> ~/src/tor/data-client/v3onionauth/
  1. Then remove DisableNetwork and start the server. It produces the above buggy logs

Child Tickets

Attachments (1)

x25519-gen.py (1.8 KB) - added by pastly 7 months ago.

Download all attachments as: .zip

Change History (5)

Changed 7 months ago by pastly

Attachment: x25519-gen.py added

comment:1 Changed 7 months ago by pastly

The limit seems to be around 350-360

comment:2 in reply to:  1 Changed 7 months ago by teor

Replying to pastly:

The limit seems to be around 350-360

Client auth uses 80 bytes per client. Then there's some padding to obscure the number of clients.

Client auth effectively uses the leftover space in the descriptor under 50 kB.

So the limit may be lower if your onion service:

  • is a single onion service (21 bytes)
  • has 4-10 introduction points (default 3)
  • has legacy introduction points (chosen at random, fewer legacy into points as more relays upgrade from 0.2.9 and earlier)
  • has IPv6 introduction points (one #26992 is implemented, if an IPv6 relay is chosen at random, then its address will be added to the link specifiers. There will be more IPv6 intro points as more relays configure IPv6.)

We should calculate the worst-case scenario for the hard limit, and implement a check for it. We should add some paddiding, because adding extra link specifiers on relays will increase the size of descriptors (once #26971 is implemented).

Then we can document the hard limit, and a suggested soft maximum that's compatible with future versions of Tor. We should add a test for the hard limit. Otherwise, we could make changes that increase the size of a descriptor, but fail to change the limit in the documentation.

comment:3 Changed 7 months ago by nickm

Keywords: 035-proposed added
Milestone: Tor: unspecified

comment:4 Changed 7 months ago by haxxpop

Cc: dgoulet asn added
Owner: set to haxxpop
Status: newassigned
Note: See TracTickets for help on using tickets.