[tor-bugs] #28184 [Core Tor/Tor]: Reload is additive with regards to new v3 HS client authorizations but it won't subtract deleted ones

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 8 13:27:48 UTC 2018


#28184: Reload is additive with regards to new v3 HS client authorizations but it
won't subtract deleted ones
--------------------------+------------------------------------
 Reporter:  jchevali      |          Owner:  haxxpop
     Type:  defect        |         Status:  needs_information
 Priority:  Medium        |      Milestone:  Tor: 0.3.5.x-final
Component:  Core Tor/Tor  |        Version:  Tor: 0.3.5.2-alpha
 Severity:  Normal        |     Resolution:
 Keywords:  tor-hs        |  Actual Points:
Parent ID:                |         Points:
 Reviewer:  asn           |        Sponsor:
--------------------------+------------------------------------

Comment (by asn):

 Replying to [comment:10 haxxpop]:
 > Replying to [comment:9 dgoulet]:
 > > 2. Clearing our descriptor cache (client side):
 > >
 > >  This is a bit more interesting because if the client authorization
 for A.onion changed then the old descriptor is not usable anymore meaning
 we won't be able to decrypt it.
 > >
 > >  There lies another issue. I don't think we have that feature which is
 if a client looks up a descriptor in its cache and can not decrypt it, we
 should purge it and refetch it. A client does NOT store a descriptor that
 it can't decode so at least that is that. But this situation can happen if
 we change the client auth for A.onion and SIGHUP.
 > >
 > > All in all, we could reduce the complexity of this patch by simply
 adding a way to "purge an undecodable descriptor in our cache" which will
 lead to fetching the new descriptor and using the new client
 authorization.
 > >
 > > We would ignore closing the circuits because if there is an RP
 circuit for A.onion, great we use it.
 >
 > I would like to add some opinion here. I think "refetching when the
 client can't decode or can't use the IPs" should be considered not client
 auth related.
 >
 > I mean we should refetch only when we can't decode or can't use the IPs.
 It shouldn't be triggered by anything else like when the client changes the
 auth config, or anything else. Otherwise, I think the code will be too
 complex.
 >

 Agreed. But we should also place a cap on how many refetches we do in this
 case, otherwise a client who - for some reason - tries to access a client-
 authed HS without any credentials will keep on re-fetching the descriptor
 since they can't decrypt it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28184#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
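
The behaviour discussed in this comment thread (purge a cached descriptor the client can no longer decode, refetch it, and cap the refetches), sketched as an added example that is not Tor's code or part of the original ticket. The type and function names and the cap of 3 are assumptions made for illustration.

```c
#include <stdbool.h>

/* Assumed cap for illustration; not a value taken from Tor. */
#define MAX_UNDECODABLE_REFETCHES 3

typedef enum { DESC_USE_CACHED, DESC_REFETCH, DESC_GIVE_UP } desc_action_t;

/* Hypothetical per-service client state (one entry per .onion address). */
typedef struct {
  bool have_cached_desc;        /* a descriptor sits in the client cache */
  unsigned undecodable_fetches; /* consecutive fetches we could not decode */
} hs_client_state_t;

/* Lookup path. `cached_decodes` is the result of trying to decrypt the
 * cached descriptor with the client authorization currently loaded. */
desc_action_t hs_lookup(hs_client_state_t *st, bool cached_decodes)
{
  if (st->have_cached_desc && cached_decodes)
    return DESC_USE_CACHED;
  /* Purge a cached descriptor the current credentials cannot decode. */
  st->have_cached_desc = false;
  if (st->undecodable_fetches >= MAX_UNDECODABLE_REFETCHES)
    return DESC_GIVE_UP;        /* cap reached: stop asking the HSDirs */
  return DESC_REFETCH;
}

/* Fetch completion. Only a decodable descriptor is stored, and storing one
 * resets the budget; an undecodable one counts against the cap. */
void hs_fetch_done(hs_client_state_t *st, bool fetched_decodes)
{
  st->have_cached_desc = fetched_decodes;
  st->undecodable_fetches = fetched_decodes ? 0 : st->undecodable_fetches + 1;
}

/* Drive lookups until the descriptor is usable or the cap stops the client.
 * Returns the number of fetches issued; *usable reports the outcome. */
unsigned hs_simulate(hs_client_state_t *st, bool cached_decodes,
                     bool served_desc_decodes, bool *usable)
{
  unsigned fetches = 0;
  desc_action_t a;
  while ((a = hs_lookup(st, cached_decodes)) == DESC_REFETCH) {
    fetches++;
    hs_fetch_done(st, served_desc_decodes);
    cached_decodes = served_desc_decodes;
  }
  *usable = (a == DESC_USE_CACHED);
  return fetches;
}
```

With a stale cached descriptor and a decodable fresh one, the client recovers after a single fetch; with no valid credentials it stops after the cap instead of refetching indefinitely.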