[tor-dev] Onion Client Auth on v3 descriptor via Control port

Miguel Jacq mig at mig5.net
Wed Jun 17 07:14:36 UTC 2020


Hi,

I'm one of the OnionShare developers, looking at what can be done to support Client Auth with v3 onions.

OnionShare depends on Stem for all its interaction setting up ephemeral onions, so we need Stem to support that first.

So I have been working on adding support for ONION_CLIENT_AUTH_ADD to Stem. I actually have it working as far as getting a 250 OK back from the controller! Nice.

But I'm puzzled, because despite successfully adding the client auth, I can access my onion service *without* auth in Tor Browser.


Here is a link to a PoC script. Note that it doesn't do the ONION_CLIENT_AUTH_ADD via Stem here yet. I have that working locally, but this issue isn't with my Stem implementation I don't think...

https://gist.github.com/mig5/2e95a3fbe157e1f78764f7a718bf93b9

Here's the output if I run the script with python3 create-v3-service-and-keys.py

user@onionshare:~$ python3 create-v3-service-and-keys.py
http service: http://127.0.0.1:8080/

starting onion service with: key_type='NEW', key_content='ED25519-V3'
http://4sa6jhqf2atg7edi2nzqun4o5kyughmwvjyrb7sfxe7d6ypqyh7f6nqd.onion/

private base64: wkiyM1bQN2dI43PvobZnbD87cNBl/KFyrc8baZzJOv0=
public base32:  WJJTONEA5SRZKVHHAYY2EHIF5LNF3526RCLYSC7ZZRCPVPIFA6PA====
private base32: YJELEM2W2A3WOSHDOPX2DNTHNQ7TW4GQMX6KC4VNZ4NWTHGJHL6Q====


Now, if in another terminal I telnet to the control port and manually add the onion auth, I get a 250, I can view the auth etc:

user@onionshare:~/git/stem$ sudo -u debian-tor telnet 127.0.0.1 9051
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Authenticate ""
250 OK
ONION_CLIENT_AUTH_ADD 4sa6jhqf2atg7edi2nzqun4o5kyughmwvjyrb7sfxe7d6ypqyh7f6nqd x25519:wkiyM1bQN2dI43PvobZnbD87cNBl/KFyrc8baZzJOv0=
250 OK
ONION_CLIENT_AUTH_VIEW 4sa6jhqf2atg7edi2nzqun4o5kyughmwvjyrb7sfxe7d6ypqyh7f6nqd
250-ONION_CLIENT_AUTH_VIEW 4sa6jhqf2atg7edi2nzqun4o5kyughmwvjyrb7sfxe7d6ypqyh7f6nqd
250-CLIENT 4sa6jhqf2atg7edi2nzqun4o5kyughmwvjyrb7sfxe7d6ypqyh7f6nqd x25519:wkiyM1bQN2dI43PvobZnbD87cNBl/KFyrc8baZzJOv0=
250 OK


So that all looks good. But what is weird, is if I go to http://gmdo3idszymnvfbuf2fm6miepearldgwbo7qfc4lsrw2kact2ka77kqd.onion/ , I see my 'hello world', I never had to add any client auth to Tor Browser.

What am I doing wrong? How do I make the onion auth actually be 'required' since I succeeded at adding it? I was under the impression that as soon as I ran ONION_CLIENT_AUTH_ADD and got a success, from that point on, client auth would be *needed*.

Maybe it's a problem with how I'm generating the keys? I had a bit of trouble figuring out how to send the base64 encoded private key. Even so, it accepts the private key, and yet it allows access without auth, which surprised me...

It's probably really obvious but I've been working on this a while so I'm tired :) Time to embarrass myself on a public mailing list...

Thanks in advance!

Mig
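As an added example (not part of the post, Stem, or Tor), the key re-encoding and the ONION_CLIENT_AUTH_ADD / ONION_CLIENT_AUTH_VIEW exchange from the session above, done offline with the sample credential the post prints. ONION_CLIENT_AUTH_ADD registers a *client-side* credential (the key a Tor client presents when it connects), which is why adding it does not by itself make the service require authorization; the address and flag validation here are my own assumptions about what a wrapper should check before sending.

```python
import base64
import re

# Sample credential taken from the post above (the post's own test keys, not a live secret).
ONION = "4sa6jhqf2atg7edi2nzqun4o5kyughmwvjyrb7sfxe7d6ypqyh7f6nqd"
PRIV_B64 = "wkiyM1bQN2dI43PvobZnbD87cNBl/KFyrc8baZzJOv0="

# Constructed reply, copied from the telnet session in the post.
SAMPLE_VIEW_REPLY = (
    "250-ONION_CLIENT_AUTH_VIEW " + ONION + "\r\n"
    "250-CLIENT " + ONION + " x25519:" + PRIV_B64 + "\r\n"
    "250 OK\r\n"
)


def x25519_b64_to_b32(priv_b64):
    """Re-encode a base64 x25519 private key into the base32 form tor uses in
    client-side auth files. Rejects anything that is not exactly 32 bytes."""
    raw = base64.b64decode(priv_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("x25519 private key must be 32 bytes, got %d" % len(raw))
    return base64.b32encode(raw).decode("ascii")


def build_client_auth_add(onion, priv_b64, client_name=None, permanent=False):
    """Build the ONION_CLIENT_AUTH_ADD command line for the control port.
    The address must be a bare 56-character v3 address (no '.onion' suffix);
    ClientName= and Flags=Permanent are the optional arguments tor accepts."""
    if not re.fullmatch(r"[a-z2-7]{56}", onion):
        raise ValueError("expected a bare 56-character v3 onion address")
    x25519_b64_to_b32(priv_b64)  # reuse the length/encoding check
    cmd = "ONION_CLIENT_AUTH_ADD %s x25519:%s" % (onion, priv_b64)
    if client_name:
        cmd += " ClientName=%s" % client_name
    if permanent:
        cmd += " Flags=Permanent"
    return cmd


def parse_client_auth_view(reply):
    """Parse the multi-line 250 reply to ONION_CLIENT_AUTH_VIEW into one dict
    per registered client credential (address, base64 key, extra key=value args)."""
    clients = []
    for line in reply.splitlines():
        m = re.match(r"250-CLIENT (\S+) x25519:(\S+)(.*)", line.rstrip())
        if not m:
            continue
        entry = {"onion": m.group(1), "key_b64": m.group(2)}
        for key, value in re.findall(r"(\w+)=(\S+)", m.group(3)):
            entry[key.lower()] = value
        clients.append(entry)
    return clients
```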
