[tor-bugs] #5185 [Tor Client]: Implement ‘safe cookie authentication’ in Tor

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Feb 29 19:58:33 UTC 2012


#5185: Implement ‘safe cookie authentication’ in Tor
--------------------------+-------------------------------------------------
 Reporter:  rransom       |          Owner:                    
     Type:  enhancement   |         Status:  needs_revision    
 Priority:  critical      |      Milestone:  Tor: 0.2.2.x-final
Component:  Tor Client    |        Version:                    
 Keywords:  security-fix  |         Parent:                    
   Points:                |   Actualpoints:                    
--------------------------+-------------------------------------------------
Changes (by nickm):

  * status:  needs_review => needs_revision


Comment:

 Re the spec:
 {{{
 13:27 < nickm> rransom_: Okay, so I think I am okay with the change, with the
                proviso that I won't absolutely commit to removing COOKIE in
                0.2.4.1-alpha.  Deprecating it in 0.2.4.1-alpha, yes.  Having a
                loud annoying warning, yes.  Maybe making it
                disabled-by-default, yes.  Removing it before 0.2.4.x-rc, yes.
                I hope we can kill it entirely, but I want to keep the freedom
                for 0.2.4.1-alpha to come out before every controller gets its
                ducks in a line.
 }}}

 On reflection, I think the idiom might be about getting one's ducks in a
 row, not a line.

 Also wrt the spec, I'd rather not have QuotedString as an option for the
 client AUTHCHALLENGE: It's just begging for somebody to do something
 stupid.

 WRT the patch itself, looking at the version in safecookie-022-v3:

  * I didn't review the hmac-sha256 implementation; I'm the cherry-pick was
 correct.
  * We don't support NDEBUG, but as a matter of style, I think we try to
 avoid sticking expressions with side-effects into tor_assert().
  * The buffers (on the stack and on the heap) seem like the kind of thing
 people might feel more comfortable if we memset(0) after using.  This is
 pure cargo-cult though.

 As a side-note, is there any place in control.c where we document that the
 'body' values passed into handle_control_* are NUL-terminated?  If not, we
 probably should!

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5185#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

