[tor-bugs] #15240 [Tor]: ExtORPort authentication failure

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Mar 12 14:26:51 UTC 2015


#15240: ExtORPort authentication failure
------------------------+--------------------------------
     Reporter:  qbi     |      Owner:  asn
         Type:  defect  |     Status:  new
     Priority:  normal  |  Milestone:
    Component:  Tor     |    Version:  Tor: 0.2.5.10
   Resolution:          |   Keywords:  goptlib, extorport
Actual Points:          |  Parent ID:
       Points:          |
------------------------+--------------------------------

Comment (by yawning):

 Oh boy.

 {{{
 Mar 12 10:49:29.000 [info] launch_managed_proxy(): Managed proxy at '/usr/bin/obfs4proxy' has spawned with PID '24479'.

 [snip]

 Mar 12 10:49:29.000 [debug] tor_rename(): Renaming /var/lib/tor/137/extended_orport_auth_cookie.tmp to /var/lib/tor/137/extended_orport_auth_cookie
 Mar 12 10:49:29.000 [info] init_cookie_authentication(): Generated auth cookie file in '"/var/lib/tor/137/extended_orport_auth_cookie"'.
 }}}

 goptlib reads the authentication cookie as part of `pt.ServerSetup()` like
 thus:
 {{{
         authCookieFilename := getenv("TOR_PT_AUTH_COOKIE_FILE")
         if authCookieFilename != "" {
                 info.AuthCookie, err = readAuthCookieFile(authCookieFilename)
                 if err != nil {
                         err = envError(fmt.Sprintf("error reading TOR_PT_AUTH_COOKIE_FILE %q: %s", authCookieFilename, err.Error()))
                         return
                 }
         }
 }}}

 Which is called basically immediately on obfs4proxy launch.  There's a
 race condition here, because tor launches all of the PTs and then
 generates the ExtORPort auth cookie.  Meanwhile the newly launched pt is
 expecting the auth cookie to already be present on disk.

 I suspect that in most environments tor wins the race, but in this
 configuration, obfs4proxy is winning, leading to a stale cookie getting
 cached in memory.

 I will make a build of obfs4proxy for qbi that has goptlib modified to
 read the auth cookie every connection (inefficient but eliminates the
 race), and see if that fixes things.  Even if there are other forms of
 evil afoot, this should be corrected in tor, and worked around in all the
 3rd party extorport code till older versions of tor are deprecated.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15240#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

