[tor-bugs] #27838 [Core Tor/Tor]: v3 onion service wrongly considers Invalid signature for service descriptor signing key: expired

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 11 19:45:21 UTC 2018


#27838: v3 onion service wrongly considers Invalid signature for service descriptor
signing key: expired
--------------------------+------------------------------------
 Reporter:  s7r           |          Owner:  dgoulet
     Type:  defect        |         Status:  accepted
 Priority:  High          |      Milestone:  Tor: 0.3.5.x-final
Component:  Core Tor/Tor  |        Version:  Tor: 0.3.5.1-alpha
 Severity:  Normal        |     Resolution:
 Keywords:  tor-hs        |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------

Comment (by dgoulet):

 Replying to [comment:3 s7r]:
 > Come back after more digging.

 Epic digging. Very useful! Thanks.

 > 3. After internet came back up, Tor tried to upload the descriptor
 > earlier built. It was expired, so the warning + stack trace was logged.
 > [PROBLEM TO FIX]

 Ooooooook that is a great find actually. The HS subsystem is *not*
 notified whatsoever on an upload failure. Considering connectivity issues
 on the service side, none of the descriptors were uploaded but we never
 adjusted to that.

 Meaning that the failure will happen and then the next upload time is set
 to 1h to 2h later...

 This we can fix, and should, with a callback to the HS subsystem when any
 kind of upload failure happens.

 >
 > 4. After the time for this descriptor expired as well, new one was
 > built, so warning + stack trace disappeared from log. [NOT OK, WHILE THE
 > WARNING DISAPPEARED v3 ONION SERVICE WAS STILL UNACCESSIBLE].
 >
 > Timings:
 > full internet came back up at `~ 14:03:something`;
 > first warning + stack trace logged at `14:04:00.000`;

 I believe this is possible because (and my memory is flaky here) the
 directory connection kept the descriptor in the outbuf and once the
 Internet came back, retried to send it. But, without the HS subsystem
 knowing.


 Ok so considering the idea that we should rebuild our descriptor from
 scratch every time we are about to upload instead of keeping the
 certificate for a long time (among other things), we should very much fix
 the issue highlighted in (3) imo.

 The HS subsystem not knowing the upload failed is pretty bad for
 reachability. Imagine OnionShare on a bad connection moving around on a
 laptop: we need the HS service to be much more resilient to disconnects.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27838#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
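
Added example, not part of the ticket and not Tor's code: a toy model of the behaviour discussed in the comment above, comparing an upload failure that goes unreported with one that triggers a retry callback. Only the re-upload window (lower bound of "1h to 2h") comes from the ticket; the retry delay, descriptor lifetime, outage times and all names are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the failure mode in this ticket; not Tor's code. Times are in
 * seconds. Only the re-upload window (lower bound of "1h to 2h") is from the
 * ticket; the other constants and all names are constructed assumptions. */
#define NEXT_UPLOAD_S   3600
#define RETRY_S           60   /* assumed retry delay once a failure is reported */
#define CERT_LIFETIME_S 1800   /* assumed validity of an already-built descriptor */

struct outcome {
  long unreachable_s;    /* from network recovery to first accepted upload */
  int  expired_uploads;  /* stale descriptors sent after the network returned */
};

/* Network is down in [down_from, up_at). With notify == false an upload that
 * cannot be sent waits in the output buffer and is flushed at up_at, while the
 * service only tries again NEXT_UPLOAD_S later. With notify == true the
 * failure is reported and a fresh descriptor is retried after RETRY_S. */
struct outcome simulate(bool notify, long down_from, long up_at) {
  struct outcome o = { -1, 0 };
  long queued_at = -1;                       /* build time of the buffered upload */
  for (long now = 0; now < 100000; ) {
    bool up = now < down_from || now >= up_at;
    if (up && now >= up_at) {                /* fresh descriptor, accepted */
      if (o.unreachable_s < 0) o.unreachable_s = now - up_at;
      return o;
    }
    if (!up && !notify && queued_at < 0) queued_at = now;
    now += (!up && notify) ? RETRY_S : NEXT_UPLOAD_S;
    if (queued_at >= 0 && now >= up_at) {    /* buffer was flushed at up_at */
      if (up_at - queued_at >= CERT_LIFETIME_S) o.expired_uploads++;
      else o.unreachable_s = 0;              /* still valid: accepted on flush */
      queued_at = -1;
    }
  }
  return o;
}

int main(void) {
  /* Constructed scenario: upload due at 3600, outage from 3500 to 6010. */
  struct outcome a = simulate(false, 3500, 6010), b = simulate(true, 3500, 6010);
  printf("no callback:   unreachable %lds, expired uploads %d\n", a.unreachable_s, a.expired_uploads);
  printf("with callback: unreachable %lds, expired uploads %d\n", b.unreachable_s, b.expired_uploads);
  return 0;
}
```

In this model a short outage (for example 3500 to 3900) is harmless either way; the gap opens only when the outage outlasts the buffered descriptor's validity.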

