[tor-bugs] #7098 [Tor]: Add safe-cookie authentication to Extended ORPort and TransportControlPort

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 7 00:33:58 UTC 2012


#7098: Add safe-cookie authentication to Extended ORPort and TransportControlPort
------------------------+---------------------------------------------------
 Reporter:  asn         |          Owner:                    
     Type:  defect      |         Status:  needs_review      
 Priority:  normal      |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor         |        Version:                    
 Keywords:  tor-bridge  |         Parent:  #4773             
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by asn):

 Replying to [comment:10 nickm]:
 > Replying to [comment:9 asn]:
 > > See branch `bug7098_draft` in
 `https://git.torproject.org/user/asn/torspec.git` for an early draft of
 the proposal. Do you like the general direction of the protocol?
 >
 > I don't think the version negotiation works.  What is the client
 supposed to do if it sees a version it doesn't recognize, or an
 authentication means that it doesn't support? What if the server supports
 multiple versions/authenticators?  Other than that, looks sane.  Also, it
 should specify how the client finds out the cookie; that was a world of
 trouble in the earlier control protocol things.
 >

 OK. Would you prefer something like this:
 S->C: <list of supported handshake versions>
 C->S: <picks a handshake version>
 handshake version 1:
 S->C: <list of types of authentication>
 C->S: <picks a type of authentication>
 ...auth-specific messages...
 ?
 Or something with fewer round trips and less flexibility?

 > "Tor Port Guardian" is a bit silly as a name.  We already have "Guards";
 let's not confuse people.  How about just "Tor Extended ORPort
 Authentication" ?
 >

 OK.

 > The cookie file should have 32 fixed bytes to start with, and then
 a fixed-length cookie.
 >

 Sure. I misinterpreted the end of comment:7 to mean that you wanted a
 variable-sized cookie.

 > I really do want to know how the parent protocol specifies the file
 location.
 >
 > TOR_AUTH_PT_COOKIE should be TOR_AUTH_PT_COOKIE_FILE imo.

 Sure.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7098#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
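
The two-step negotiation sketched in the comment above, together with the fixed-size cookie file layout nickm asks for, as an added Python example that is not part of the ticket or of Tor's code. The option numbers, the 32-byte cookie length, the placeholder header and all function names are assumptions.

```python
# Added illustration; every name and constant below is an assumption.
HEADER_LEN = 32   # "32 fixed bytes to start with" (from the thread)
COOKIE_LEN = 32   # assumed; the thread only says "fixed-length"
# Constructed placeholder; the real header bytes are not given in the thread.
EXAMPLE_HEADER = b"EXAMPLE COOKIE FILE HEADER".ljust(HEADER_LEN, b".")

CLIENT_VERSIONS = (1,)     # the sketch defines only "handshake version 1"
CLIENT_AUTH_TYPES = (1,)   # assumed numbering: 1 = safe-cookie


class NegotiationError(Exception):
    """No mutually supported option; the caller must drop the connection."""


def pick(offered, preferred, what):
    """Return the client's most-preferred option that the server offered."""
    for choice in preferred:
        if choice in offered:
            return choice
    # Fail closed: never fall back to an option the client does not implement.
    raise NegotiationError(f"no common {what}; server offered {sorted(offered)}")


def client_negotiate(offered_versions, auth_types_by_version):
    """Run both selection steps of the sketch from the client side."""
    version = pick(offered_versions, CLIENT_VERSIONS, "handshake version")
    auth = pick(auth_types_by_version[version], CLIENT_AUTH_TYPES,
                "authentication type")
    return version, auth


def parse_cookie_file(data):
    """Split a cookie file into header and cookie, rejecting any other size."""
    if len(data) != HEADER_LEN + COOKIE_LEN:
        raise ValueError(f"cookie file is {len(data)} bytes, expected "
                         f"{HEADER_LEN + COOKIE_LEN}")
    if data[:HEADER_LEN] != EXAMPLE_HEADER:
        raise ValueError("cookie file header mismatch")
    return data[HEADER_LEN:]


if __name__ == "__main__":
    # Constructed server offers: versions 1 and 9, auth types 0 and 1.
    print(client_negotiate([1, 9], {1: [0, 1], 9: [5]}))
    print(parse_cookie_file(EXAMPLE_HEADER + bytes(range(32))).hex())
```

Unknown versions or authentication types in the server's list are ignored rather than treated as errors, and the client aborts only when nothing it implements is on offer.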

