Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-13T15:28:37Z

Improve the log message when peer id authentication fails
https://gitlab.torproject.org/legacy/trac/-/issues/26927
2020-06-13T15:28:37Z, teor
Split off #26924.
Tor: 0.3.5.x-final, teor, teor

Make link specifier handling in rend-spec-v3 more precise
https://gitlab.torproject.org/legacy/trac/-/issues/26925
2020-06-13T15:28:36Z, teor
Split off #26627.
We should specify that clients and services must not check untrusted link specifiers against the consensus:
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n1338
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n1705
Services should also copy unrecognized rend point link specifiers from the introduce cell to the rendezvous join cell.
We can copy the text from the service intro->rend spec:
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n1705
To the client desc->intro spec:
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n1338
Thanks to catalyst for picking up on these missing parts of the spec.
Edit: fix line numbers
Tor: 0.3.5.x-final, teor, teor

Make single onion service to rend and Tor2web to intro link authentication into a protocol warning
https://gitlab.torproject.org/legacy/trac/-/issues/26924
2020-06-13T15:28:35Z, teor
Single onion services and Tor2web connect directly to relays using untrusted link authentication keys.
These connections can cause a lot of warnings, particularly due to the link auth bugs in #26627.
We can either:
* downgrade all link auth warnings to protocol warnings on single onion services and Tor2web (this is the fast fix)
* taint untrusted link auth keys, and then downgrade connections using tainted keys to protocol warnings (this is very intrusive)
Tor: 0.3.5.x-final, teor, teor

HSv3 throws many "Tried connecting to router at [IP:port], but RSA identity key was not as expected"
https://gitlab.torproject.org/legacy/trac/-/issues/26627
2020-06-13T15:28:36Z, George Kadianakis
A popular-ish HSv3 operator contacted me and told me that they've been getting lots of warnings on their logs:
```
[warn] Tried connecting to router at [IP:port], but RSA identity key was not as expected: wanted [hex string] + [base64 string] but got [same hex string] + no ed25519 key.
```
They are afraid it's some sort of downgrade attack. We should look into this.
Tor: 0.3.2.x-final, teor, teor

Link handshake trouble: certificates and keys can get out of sync
https://gitlab.torproject.org/legacy/trac/-/issues/22460
2020-06-13T15:09:51Z, teor
I'm running a recent tor master as an authority in a tor testing network:
```
[notice] Tor 0.3.1.0-alpha-dev (git-0266c4ac819d9c83) running on Darwin with Libevent 2.1.8-stable, OpenSSL 1.0.2k, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
```
I get this warning every so often:
```
[warn] Received a bad CERTS cell: Link certificate does not match TLS certificate
```
Is this expected?
Tor: 0.3.1.x-final

connection_tls_continue_handshake: Assertion !tor_tls_is_server(conn->tls) failed
https://gitlab.torproject.org/legacy/trac/-/issues/17723
2020-06-13T14:51:41Z, Trac
Tor is running on a debian machine, 64bit. (Debian 3.2.65-1+deb7u2).
The Tor daemon terminates under Tor v0.2.8.0-alpha-dev with the following Output:
```
Nov 25 21:50:36.000 [err] tor_assertion_failed_(): Bug: ../src/or/connection_or.c:1483: connection_tls_continue_handshake: Assertion !tor_tls_is_server(conn->tls) failed; aborting. (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: Assertion !tor_tls_is_server(conn->tls) failed in connection_tls_continue_handshake at ../src/or/connection_or.c:1483. Stack trace: (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /usr/bin/tor(log_backtrace+0x42) [0x7fe0978887a2] (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /usr/bin/tor(tor_assertion_failed_+0x8c) [0x7fe097896a0c] (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /usr/bin/tor(connection_tls_continue_handshake+0x2a3) [0x7fe097848413] (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /usr/bin/tor(+0xe5243) [0x7fe09783d243] (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /usr/bin/tor(+0x3ecd1) [0x7fe097796cd1] (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5(event_base_loop+0x7fc) [0x7fe096de13dc] (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /usr/bin/tor(do_main_loop+0x274) [0x7fe097797c84] (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /usr/bin/tor(tor_main+0x19ad) [0x7fe09779b1fd] (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /usr/bin/tor(main+0x19) [0x7fe097793949] (on Tor 0.2.8.0-alpha-dev )
Nov 25 21:50:36.000 [err] Bug: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fe095b92b45] (on Tor 0.2.8.0-alpha-dev)
Nov 25 21:50:36.000 [err] Bug: /usr/bin/tor(+0x3b999) [0x7fe097793999] (on Tor 0.2.8.0-alpha-dev )
```
This error shows up after some time. 30 minutes - 1 hour.
**Trac**:
**Username**: virii

Bugs in tor_tls_got_client_hello()
https://gitlab.torproject.org/legacy/trac/-/issues/4587
2020-06-13T14:15:20Z, Sebastian Hahn
irc backlog, because troll refuses to use trac again...
```
< frosty_un> seems like not so much openssl guru in the devs that why you going to wrong ways. it's a last of my try (non guru too, however).
< frosty_un> "log_warn(LD_BUG, "Got a renegotiation request but we don't"" no, no, no. it's remotely trigerable thing, it's can't be BUG.
< frosty_un> read the openssl code.
< frosty_un> ssl3_check_client_hello() just during reading client certs.
< frosty_un> two hello in the row triggers such warn.
< frosty_un> ok, thats your way. i did a try.
< frosty_un> "Looks good!"
< troll> it's even more fun bug than warns. fun. excess_renegotiations_callback is NULL before handshake complete.
< troll> NULL(NULL) whatt a nice func.
```
Tor: unspecified, Nick Mathewson, Nick Mathewson