[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #4817 [Tor]: Control port authentication failures don't differentiate failure types
#4817: Control port authentication failures don't differentiate failure types
-------------------------+-------------------------------------------
Reporter: atagar | Owner:
Type: defect | Status: needs_review
Priority: trivial | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version:
Resolution: | Keywords: easy maybe-proposal tor-relay
Actual Points: | Parent ID:
Points: |
-------------------------+-------------------------------------------
Comment (by nickm):
So, (B) and (C) are not technically distinct: You are allowed to specify a
password in hex, and passwords are allowed to be 32 bytes long. So you
can also say: ```AUTHENTICATE 6d792070617373776f7264` instead of
```AUTHENTICATE "my password"```.
So if a controller says ```AUTHENTICATE
b4c9e2effc93bbbf139dcc5c0fc15d0b890a9e7bf7c8bb49b1d34c2eb547c910```, we
don't actually ''know'' that they're providing a cookie rather than
providing a very strange password and encoding it in hex.
Similarly, (E) and (F) are not totally distinct: passwords are allowed to
be 32 characters, and users are allowed to send control-cookies as
C-encoded strings if they choose.
In other words, we can't actually determine which kind of authentication
the controller was trying to send. We know that non-32-byte fields are
never cookies, and that's about it. We can *guess* that 32-byte hex-
encoded things are ''usually'' cookies, but that's only a heuristic.
Is this still worth doing IYO?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4817#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs