ClientAuthV3 for v3 onions via Tor controller is accepted by ADD_ONION but seems to get ignored

Hi there, I'm one of the OnionShare developers and I'm trying to implement the new support for ClientAuthV3 via the controller as per [1] (thanks for adding it!).

Since OnionShare depends on Stem, I also began by adding support for passing the ClientAuthV3 argument and V3Auth flag into Stem (I intend on submitting that as a PR once I solve the problem below, but I think the problem isn't Stem specific).

I can send the ClientAuthV3 base32-encoded public key and the V3Auth flag to ADD_ONION, and get a 250 response back. The problem is that when I then visit the onion address, it doesn't actually require the Client Auth that was set :)

I am running the nightly Tor on Debian 10 (Buster):

```
Tor version 0.4.7.0-alpha-dev.
Tor is running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, Libzstd 1.3.8 and Glibc 2.28 as libc.
Tor compiled with GCC version 8.3.0
```

Steps to reproduce:

1) Take these public and private base32-encoded strings (as generated by [2], if you want to generate different ones)

   public: FGTORMIDKR7T2PR632HSHLWA4G6HF5TCWSGMHDUU4LWBEFTAVYQQ
   private: 5ZTNYVGHGMBCWT47YQT4ZFOFBWYU24C5PRQZ2CRCXZ5FKTVMJ7QA

2) Start a simple service on localhost:9735:

```
echo Hi | nc -l 127.0.0.1 9735
```

3) Connect to Tor's control port and add an onion with a private key that will derive the onion address rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid.onion (or put your own if you wish):

```
user@onionshare:~$ sudo telnet localhost 9051
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
authenticate ""
250 OK
ADD_ONION ED25519-V3:MNkxu0oI0CX6Oq1AEroRGSAiqXurEbzBdraDKJB1pkNkl9hNCr+bagdAg7gA4F3M/FrF7BHBdh5zdvkHB7oO4w== ClientAuthV3=FGTORMIDKR7T2PR632HSHLWA4G6HF5TCWSGMHDUU4LWBEFTAVYQQ Flags=V3Auth Port=80,9735
250-ServiceID=rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid
250-ClientAuthV3=AUEFTXH34ZVRXIIVOK5G7XLHTUXGVRLLXG7DG3NKJLRCVSEEHQDQ
250 OK
```

4) Visit http://rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid.onion and expect to get the Tor Browser pop-up dialog '[onion service] is requesting that you authenticate... Enter your private key for this onion service', etc.

Instead: the service loads 'Hi' without any requirement for Client Auth occurring. I never added the private key to Tor Browser in any way.

Is it a bug, or am I doing it wrong somehow?

Thanks!

mig5

[1] https://gitlab.torproject.org/tpo/core/tor/-/issues/40084
[2] https://github.com/pastly/python-snippits/blob/master/src/tor/x25519-gen.py
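As an added example (not the reporter's code, nor OnionShare's or Stem's), a small Python helper that assembles the ADD_ONION line used in the steps above and parses the 250 reply, then checks that every ClientAuthV3 key sent is echoed back; the sample reply is constructed from the transcript in this thread, where the echoed key differs from the sent one. The helper names (`is_x25519_b32`, `build_add_onion`, `parse_add_onion_reply`, `unconfirmed_clients`) are assumptions of this example, not controller or Stem API.

```python
import base64
import re

# Values quoted in the thread. The reply is constructed from the pasted transcript,
# whose ClientAuthV3 line differs from the sent key (the reporter's copy-paste mix-up).
SENT_KEY = "FGTORMIDKR7T2PR632HSHLWA4G6HF5TCWSGMHDUU4LWBEFTAVYQQ"
SAMPLE_REPLY = (
    "250-ServiceID=rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid\r\n"
    "250-ClientAuthV3=AUEFTXH34ZVRXIIVOK5G7XLHTUXGVRLLXG7DG3NKJLRCVSEEHQDQ\r\n"
    "250 OK\r\n"
)

def is_x25519_b32(key: str) -> bool:
    """A ClientAuthV3 value is a 32-byte x25519 public key, base32 without padding (52 chars)."""
    if not re.fullmatch(r"[A-Z2-7]{52}", key):
        return False
    # re-add the padding Tor omits so the standard decoder accepts it, then check the length
    return len(base64.b32decode(key + "=" * (-len(key) % 8))) == 32

def build_add_onion(key_blob: str, ports, client_keys, v3auth: bool = True) -> str:
    """Assemble the ADD_ONION command line, one ClientAuthV3= argument per authorized client."""
    bad = [k for k in client_keys if not is_x25519_b32(k)]
    if bad:
        raise ValueError(f"malformed ClientAuthV3 key(s): {bad}")
    parts = ["ADD_ONION", key_blob] + [f"ClientAuthV3={k}" for k in client_keys]
    if v3auth:
        parts.append("Flags=V3Auth")  # the thread's command sets this flag alongside the keys
    parts += [f"Port={virt},{target}" for virt, target in ports]
    return " ".join(parts) + "\r\n"

def parse_add_onion_reply(reply: str) -> dict:
    """Split a 250 reply into ServiceID, the echoed ClientAuthV3 keys and the final status."""
    result = {"ServiceID": None, "ClientAuthV3": [], "ok": False}
    for line in reply.splitlines():
        if line.startswith("250-"):
            name, _, value = line[4:].partition("=")
            if name == "ServiceID":
                result["ServiceID"] = value
            elif name == "ClientAuthV3":
                result["ClientAuthV3"].append(value)
        elif line == "250 OK":
            result["ok"] = True
    return result

def unconfirmed_clients(sent_keys, reply: str) -> list:
    """Keys that were sent but are absent from the reply: a mismatch to resolve before debugging further."""
    echoed = parse_add_onion_reply(reply)["ClientAuthV3"]
    return [k for k in sent_keys if k not in echoed]
```

Run against the thread's transcript, `unconfirmed_clients` reports the sent key as missing, which is exactly the discrepancy the follow-up message explains.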

Hello again, just to add some clarification to what I realise is a confusing output below:

On Mon, May 03, 2021 at 04:38:07PM +1000, Miguel Jacq wrote:

> ```
> user@onionshare:~$ sudo telnet localhost 9051
> Trying ::1...
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> authenticate ""
> 250 OK
> ADD_ONION ED25519-V3:MNkxu0oI0CX6Oq1AEroRGSAiqXurEbzBdraDKJB1pkNkl9hNCr+bagdAg7gA4F3M/FrF7BHBdh5zdvkHB7oO4w== ClientAuthV3=FGTORMIDKR7T2PR632HSHLWA4G6HF5TCWSGMHDUU4LWBEFTAVYQQ Flags=V3Auth Port=80,9735
> 250-ServiceID=rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid
> 250-ClientAuthV3=AUEFTXH34ZVRXIIVOK5G7XLHTUXGVRLLXG7DG3NKJLRCVSEEHQDQ
> 250 OK
> ```

The public key is different in the request and response here; that's my copy-paste fail. I had 'lost' the original private key and wanted to provide a valid pair for someone to troubleshoot with. As a result I amended my output here to show the new public key being sent in the ADD_ONION, but forgot to update it in the returned response from my earlier attempt. Sorry if it added confusion.

The problem still stands that the ClientAuthV3 key is accepted by ADD_ONION in the nightly/alpha Tor, but it doesn't then seem to be enforced when viewing the onion service, unless I'm doing something wrong.

Appreciate any help, cheers!

mig5

On 04 May (06:59:39), Miguel Jacq wrote:

> Hello again, just to add some clarification to what I realise is a confusing output below:
>
> On Mon, May 03, 2021 at 04:38:07PM +1000, Miguel Jacq wrote:
>
> > ```
> > user@onionshare:~$ sudo telnet localhost 9051
> > Trying ::1...
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > authenticate ""
> > 250 OK
> > ADD_ONION ED25519-V3:MNkxu0oI0CX6Oq1AEroRGSAiqXurEbzBdraDKJB1pkNkl9hNCr+bagdAg7gA4F3M/FrF7BHBdh5zdvkHB7oO4w== ClientAuthV3=FGTORMIDKR7T2PR632HSHLWA4G6HF5TCWSGMHDUU4LWBEFTAVYQQ Flags=V3Auth Port=80,9735
> > 250-ServiceID=rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid
> > 250-ClientAuthV3=AUEFTXH34ZVRXIIVOK5G7XLHTUXGVRLLXG7DG3NKJLRCVSEEHQDQ
> > 250 OK
> > ```
>
> The public key is different in the request and response here; that's my copy-paste fail. I had 'lost' the original private key and wanted to provide a valid pair for someone to troubleshoot with. As a result I amended my output here to show the new public key being sent in the ADD_ONION, but forgot to update it in the returned response from my earlier attempt. Sorry if it added confusion.
>
> The problem still stands that the ClientAuthV3 key is accepted by ADD_ONION in the nightly/alpha Tor, but it doesn't then seem to be enforced when viewing the onion service, unless I'm doing something wrong.
>
> Appreciate any help, cheers!

Hi!

I've created https://gitlab.torproject.org/tpo/core/tor/-/issues/40378 to track this down.

Thanks a lot for the detailed report!

David
--
NQlJcF99RlKvTqgt52eFZXmY4kBQuGdSZNERmVsg/3E=
participants (2)
- David Goulet
- Miguel Jacq