Opened 6 years ago

Closed 5 years ago

#9812 closed defect (fixed)

Unhelpful "Crypto error" message in Release 0.2.4.17-rc non-exit Relay

Reported by: LoneRanger1012
Owned by: rl1987
Priority: Medium
Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.4.17-rc
Keywords: tor-relay

Description

My relay that has been running release 0.2.4.17-rc for several days now
has become saturated with what I would consider 'noise' - namely a huge
amount of handshake activity. It does respond downward to lowering the
bandwidth setting, but the bandwidth graph is nearly flat. Now I have
just noticed two crypto errors in the message log.

Sep 23 14:17:32.902 [Notice] Circuit handshake stats since last time: 224326/224887 TAP, 40/40 NTor.
Sep 23 15:17:32.999 [Notice] Circuit handshake stats since last time: 224169/225104 TAP, 77/77 NTor.
Sep 23 16:17:32.016 [Notice] Circuit handshake stats since last time: 224655/225333 TAP, 63/63 NTor.
Sep 23 16:50:14.883 [Warning] crypto error while checking RSA signature: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1)
Sep 23 16:50:14.883 [Warning] crypto error while checking RSA signature: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT)
Sep 23 17:17:32.782 [Notice] Circuit handshake stats since last time: 222538/222987 TAP, 14/14 NTor.
Sep 23 17:36:03.704 [Warning] eventdns: All nameservers have failed
Sep 23 17:36:03.829 [Notice] eventdns: Nameserver 192.168.1.254:53 is back up

My relay is running from 108.214.60.211 and in the last 2 days it has started eating up to 17 % of my CPU time where it previously used less than 10 %. Handshake counts are up substantially more than an order of magnitude.
I rebooted out of an abundance of caution, and the CPU usage is now below 5 % but the handshake numbers are "Sep 23 19:25:12.621 [Notice] Circuit handshake stats since last time: 131567/132269 TAP, 14/14 NTor.", after rebooting.

Change History (13)

comment:1 Changed 6 years ago by nickm

Keywords: tor-relay added
Milestone: Tor: 0.2.5.x-final
Priority: major → normal
Summary: Crypto error in Release 0.2.4.17-rc non-exit Relay → Unhelpful "Crypto error" message in Release 0.2.4.17-rc non-exit Relay

That warning is probably nothing to worry about; it looks like a signature check is failing, and so Tor is rejecting a signature. We should have a better description of which kind of signature, though: I'll leave this ticket open to indicate that.

comment:2 Changed 6 years ago by nickm

Milestone: Tor: 0.2.5.x-final → Tor: 0.2.???

Triage: This doesn't need to rush into 0.2.5.

The right fix here is probably to move those crypto messages to "info", and add actual warnings in places where checking a signature fails, to tell us what kind of signature, given to us by whom. (The details of what was wrong with the signature are less important.)

comment:3 Changed 5 years ago by rl1987

Owner: set to rl1987
Status: new → accepted

comment:4 Changed 5 years ago by rl1987

Status: accepted → needs_review

I made some changes in the following branch:

The RSA signature warnings were downgraded to info loglevel and I fixed the only codepath that didn't emit any warnings when crypto_pk_public_checksig() was returning -1.

Last edited 5 years ago by rl1987
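
The logging split proposed in comment:2 and described in comment:4, as an added example that is not code from the Tor branch: the low-level check reports the library detail at info only, and the caller, which knows the context, emits the warning naming the kind of signature and who supplied it. All names here (log_msg, lowlevel_checksig, check_document_sig), the message wording and the sample address are assumptions; lowlevel_checksig is a toy stand-in for a function such as crypto_pk_public_checksig().

```c
/* Added illustration; hypothetical names, not Tor's own code. */
#include <stdio.h>
#include <string.h>

enum { SEV_INFO, SEV_WARN };
static char last_warn[256];
static int n_info, n_warn;

/* Minimal log sink: counts messages per severity, keeps the last warning. */
static void log_msg(int sev, const char *msg) {
  if (sev == SEV_WARN) {
    n_warn++;
    snprintf(last_warn, sizeof(last_warn), "%s", msg);
  } else {
    n_info++;
  }
  fprintf(stderr, "[%s] %s\n", sev == SEV_WARN ? "warn" : "info", msg);
}

/* Toy stand-in for the low-level check: takes the already-decoded
 * signature block, returns -1 on failure, logs the detail at info only. */
static int lowlevel_checksig(const unsigned char *block, size_t len) {
  /* A PKCS#1 v1.5 signature block begins 00 01 once decoded. */
  if (len < 2 || block[0] != 0x00 || block[1] != 0x01) {
    log_msg(SEV_INFO, "crypto error while checking RSA signature: "
                      "block type is not 01");
    return -1;
  }
  return 0;
}

/* The caller owns the warning: what kind of signature, given by whom. */
static int check_document_sig(const char *kind, const char *source,
                              const unsigned char *block, size_t len) {
  char buf[256];
  if (lowlevel_checksig(block, len) < 0) {
    snprintf(buf, sizeof(buf), "Bad signature on %s received from %s",
             kind, source);
    log_msg(SEV_WARN, buf);
    return -1;
  }
  return 0;
}

int main(void) {
  const unsigned char bad[] = {0x00, 0x02, 0xff}; /* constructed sample */
  return check_document_sig("router descriptor", "192.0.2.10:9001",
                            bad, sizeof(bad)) == -1 ? 0 : 1;
}
```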

comment:5 Changed 5 years ago by nickm

Milestone: Tor: 0.2.??? → Tor: 0.2.6.x-final

comment:6 Changed 5 years ago by nickm

This looks plausible to me. I just need to double-check that there aren't any cases that you missed, and then this is good to merge.

comment:7 Changed 5 years ago by nickm

Resolution: fixed
Status: needs_review → closed

Okay, looks good. Merged it. Thanks!

comment:8 Changed 5 years ago by arma

Resolution: fixed
Status: closed → reopened

Something's gone wrong here.

moria1, running git master including this patch, is giving me a whole lot of

Nov 14 01:17:02.173 [warn] router info incompatible with extra info (reason: Extrainfo published time did not match routerdesc)

In fact,

% grep incompatible moria1-notice|wc -l
15712

since earlier today.

comment:9 Changed 5 years ago by arma

Nov 14 01:17:02.173 [info] connection_dir_client_reached_eof(): Received extra server info (size 4058) from server '154.35.32.5:80'
Nov 14 01:17:02.173 [info] router_load_extrainfo_from_string(): 1 elements to add
Nov 14 01:17:02.173 [warn] router info incompatible with extra info (reason: Extrainfo published time did not match routerdesc)
Nov 14 01:17:02.193 [info] connection_dir_client_reached_eof(): Received 0/1 extra-info documents requested from 154.35.32.5:80

comment:10 Changed 5 years ago by sysrqb

#13762 was opened for this. Where should this be resolved?

comment:11 Changed 5 years ago by arma

Oh dear. It appears that it is size 4058 in many of these cases.

Is it fetching, discarding, and soon after deciding to fetch again?

comment:12 in reply to:  10 Changed 5 years ago by arma

Replying to sysrqb:

#13762 was opened for this. Where should this be resolved?

Resolving there is fine with me. Whatever nickm wants.

comment:13 Changed 5 years ago by arma

Resolution: fixed
Status: reopened → closed

Closing in favor of #13762.