[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] ClientAuthV3 for v3 onions via Tor controller is accepted by ADD_ONION but seems to get ignored

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-dev] ClientAuthV3 for v3 onions via Tor controller is accepted by ADD_ONION but seems to get ignored
From: Miguel Jacq <mig@xxxxxxxx>
Date: Mon, 3 May 2021 16:38:08 +1000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 03 May 2021 15:45:05 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mig5.net; s=201809; t=1620023896; bh=kBJm5AYVjtBpztBUhhTxceXu1j+K2E8C0nf01axNaZI=; h=Date:From:To:Subject:From; b=QgA19lR7XHaTWdf27nePSbSPV9MbegBoGnakbdWdw+2n0A+vjMfXSvUe3U9oswpE4 eVzGetbUF6EgKSl7D4sRY3DeWawyobkUZQxh6XPSkjRRULRTuRuYsYFLh+EzU4/f05 EiXxRuFxw9f2yTPWtUb4DQFtv7vgSf5Q43NJb9KR3ikTct1mLy/tT/STQE3l94GhnW PSGidaUTMljC8EKJ0mNaxBQXx7ak3ahzwx35luRoEDGKxVBjeMu+HjpJOphnmaL+E6 +ZNZFtHcx9abXR01ifM/YoEFrg7sWlyOzIsQNHQzePhfbzSnfBu4xjLozo9Usga4kB AVjYhcj5EGFiA==
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mig5.net; s=201809; t=1620023895; bh=kBJm5AYVjtBpztBUhhTxceXu1j+K2E8C0nf01axNaZI=; h=Date:From:To:Subject:From; b=GEZCLPUyQi4IUzIZntE14dZcigTpsLpySUjJ5a/6A0eksPIlHLSIRt/W7cqjsSZRQ UGOCSIIZqUZlA08e6agajtSXebGboUTMJyDG1zhJcpI2HSD2+ShyGhZbSGVjOYUBtx TKuFpyxPgb7SGtuzyw6Yh+65e1VI4KnKl0qOw8TR1BVmGI9jMpIl+hW5D8tJ+kNfFV 5K4GlB3XPm9NC8/u+T0FgVcGfMP9Op1ThDWHOoPTKytuV2CaO9FiaF55NckXaHnAV4 /IiP+KnLYsr5+R9aZB2m9ETPVh+Hj8JpgFHu0lXcHrO8jyIz2LOcNjiCXWKI4IyK3L GNmeqwOJjSVtw==
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.10.1 (2018-07-13)

Hi there,

I'm one of the OnionShare developers and I'm trying to implement the new support for ClientAuthV3 via the controller as per [1] (thanks for adding it!). Since OnionShare depends on Stem, I also began by adding support for passing the ClientAuthV3 argument and V3Auth flag into Stem (I intend on submitting that as a PR once I solve the problem below, but I think the problem isn't Stem specific)

I can send the ClientAuthV3 base32-encoded public key and the V3Auth flag to ADD_ONION, and get a 250 response back.

The problem is that when I then visit the onion address, it doesn't actually require the Client Auth that was set :) 

I am running the nightly Tor on Debian 10 (Buster):

```
Tor version 0.4.7.0-alpha-dev.
Tor is running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, Libzstd 1.3.8 and Glibc 2.28 as libc.
Tor compiled with GCC version 8.3.0
```


Steps to reproduce:

1) Take these public and private base32-encoded strings (as generated by [2], if you want to generate different ones)

public:  FGTORMIDKR7T2PR632HSHLWA4G6HF5TCWSGMHDUU4LWBEFTAVYQQ
private: 5ZTNYVGHGMBCWT47YQT4ZFOFBWYU24C5PRQZ2CRCXZ5FKTVMJ7QA

2) Start a simple service on localhost:9735:

```
echo Hi | nc -l 127.0.0.1 9735
```

3) Connect to Tor's control port and add an onion with a private key that will derive the onion address rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid.onion (or put your own if you wish):

```
user@onionshare:~$ sudo telnet localhost 9051
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
authenticate ""
250 OK
ADD_ONION ED25519-V3:MNkxu0oI0CX6Oq1AEroRGSAiqXurEbzBdraDKJB1pkNkl9hNCr+bagdAg7gA4F3M/FrF7BHBdh5zdvkHB7oO4w== ClientAuthV3=FGTORMIDKR7T2PR632HSHLWA4G6HF5TCWSGMHDUU4LWBEFTAVYQQ Flags=V3Auth Port=80,9735
250-ServiceID=rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid
250-ClientAuthV3=AUEFTXH34ZVRXIIVOK5G7XLHTUXGVRLLXG7DG3NKJLRCVSEEHQDQ
250 OK
```

4) Visit http://rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid.onion and expect to get the Tor Browser pop-up dialog '[onion service] is requesting that you authenticate.. Enter your private key for this onion service'. etc

Instead: the service loads 'Hi' without any requirement for Client Auth occurring. I never added the private key to Tor Browser in any way.


Is it a bug, or am I doing it wrong somehow?

Thanks!

mig5

[1] https://gitlab.torproject.org/tpo/core/tor/-/issues/40084
[2] https://github.com/pastly/python-snippits/blob/master/src/tor/x25519-gen.py

Attachment: signature.asc
Description: PGP signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] ClientAuthV3 for v3 onions via Tor controller is accepted by ADD_ONION but seems to get ignored
  - From: Miguel Jacq

Prev by Author: Re: [tor-dev] ClientAuthV3 for v3 onions via Tor controller is accepted by ADD_ONION but seems to get ignored
Next by Author: Re: [tor-dev] What's the best way to learn about critical updates to Tor?
Next by thread: Re: [tor-dev] ClientAuthV3 for v3 onions via Tor controller is accepted by ADD_ONION but seems to get ignored
Index(es):
- Author
- Thread