[tor-bugs] #26776 [Core Tor/Tor]: Control port failures for hidden services

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 12 23:46:42 UTC 2018 

#26776: Control port failures for hidden services
------------------------------+--------------------
     Reporter:  oqista        |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------
 1.
 With Tor 0.3.2.9 on Linux, connect to the control port. Then setconf
 HiddenServiceDir (to create a new service) and HiddenServicePort, as one
 command. Then getconf HiddenServiceOptions to make sure it's right.

 Now, connect to your new hidden service from another computer, with no
 authorization. Success, as expected.

 Then, setconf HiddenServiceDir (for the same service as before),
 HiddenServicePort, and HiddenServiceAuthorizeClient, all as one command.
 Notice the hostname file for the hidden service now contains an auth
 cookie, as expected.

 Finally, connect to the hidden service again from another computer, still
 with no authorization. Success! But it should fail, since you didn't
 provide the auth cookie!

 To fix it, you have to restart Tor on your server, and do setconf _with_
 HiddenServiceAuthorizeClient the first time.

 2.
 The same bug hits in the other direction too: after you restart Tor to
 start enforcing the auth cookie, if you do setconf without
 HiddenServiceAuthorizeClient, then the auth cookie immediately disappears
 from the hostname file (as expected), but Tor continues enforcing the
 cookie until you restart.

 3.
 The same configuration-stickiness bug applies to setconf HidServAuth on
 the client side too (tested on Linux and Windows). If you try to connect
 to a hidden service requiring authentication before you set HidServAuth,
 then of course it fails, but if you then set HidServAuth, it _still_
 fails. You have to restart Tor, then set HidServAuth _before_ you try to
 connect to the hidden service for the first time. Then it will succeed.

 Just to be clear: to trigger these bugs, do all the various configurations
 and reconfigurations exclusively via the control port. Don't set any of
 them in torrc.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26776>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list