Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-02-08 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  rl1987
 Type:  defect| Status:  closed
 Priority:  High  |  Milestone:  Tor: 0.3.5.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:  fixed
 Keywords:  regression, 035-backport  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by nickm):

 * status:  merge_ready => closed
 * resolution:   => fixed
 * milestone:  Tor: 0.4.0.x-final => Tor: 0.3.5.x-final


Comment:

 Merged to maint-0.3.5 and forward.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-02-05 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  rl1987
 Type:  defect| Status:  merge_ready
 Priority:  High  |  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, 035-backport  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by jakett2):

 * cc: jakett2 (added)



Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-30 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  rl1987
 Type:  defect| Status:  merge_ready
 Priority:  High  |  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, 035-backport  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by gk):

 First round of users affected by this bug are showing up on the blog:

 https://blog.torproject.org/comment/279524#comment-279524
 https://blog.torproject.org/comment/279555#comment-279555


Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-30 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  rl1987
 Type:  defect| Status:  merge_ready
 Priority:  High  |  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, 035-backport  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by boklm):

 * cc: bugiguiman (added)


Comment:

 #29236 is a duplicate.


Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-28 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  rl1987
 Type:  defect| Status:  merge_ready
 Priority:  High  |  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, 035-backport  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by arma):

 * status:  needs_review => merge_ready


Comment:

 Looks good to me! Let's get this in, and also into a new 0.3.5.x as soon
 as is practical.


Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-26 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  rl1987
 Type:  defect| Status:  needs_review
 Priority:  High  |  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, 035-backport  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by rl1987):

 * status:  accepted => needs_review


Comment:

 https://github.com/torproject/tor/pull/670

 I would side with keeping the interoperability we previously had, even if
 we technically violate the protocol spec. This will make some somewhat
 broken SOCKS5 clients work with tor again.


Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-25 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  rl1987
 Type:  defect| Status:  accepted
 Priority:  High  |  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, 035-backport  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Old description:

> There is a regression in Tor 0.3.5.x with handling socks5 handshakes that
> offer username/password auth but then present empty username and
> password.
>
> It came in during commit 9068ac3c (which went into 0.3.5.1-alpha).
>
> The symptom is that when you do your socks5 handshake with an empty
> username and password (e.g. like pidgin does it), you get log lines like
> {{{
> Jan 24 19:40:17.000 [warn] Fetching socks handshake failed. Closing.
> Jan 24 19:40:17.000 [warn] socks5: parsing failed - invalid user/pass
> authentication message.
> }}}
>
> Bug reported by a person on #tor, and also separately by #29050.
>
> I asked Josh Glazebrook, the author of the socks library in #29050, for
> some actual traces of correct behavior / incorrect behavior, and he sent:
>
> {{{
> socks v2.2.3
> tor v0.3.5.7
> client announces it only supports noauth (00)
> server chooses noauth (00)
>
>
> send  [00 = noauth]
> recv  [server chose noauth]
> send  [connect
> command - ipinfo.io]
> recv  [success]
>
>
>
>
> socks v2.2.2
> tor v0.3.5.7
> client announces it supports noauth (00) and userpass (02)
> server chooses userpass (02)
> connection is unsuccessful - server returns general socks server failure,
> tor logs indicate invalid user/pass.
> Jan 24 14:47:15.000 [warn] Fetching socks handshake failed. Closing.
> Jan 24 14:47:56.000 [warn] socks5: parsing failed - invalid user/pass
> authentication message.
>
>
> send  [00 = noauth, 02 = userpass]
> recv  [server chose userpass]
> send  [00 = zero length username, 00 = zero length
> password]
> recv  [00 = server indicates auth success]
> send  [connect
> command - ipinfo.io]
> recv  [01- general SOCKS server failure] (in tor's
> log output it's saying auth is invalid at this point)
>
>
>
> socks v.2.2.2
> tor via torbrowser 8.0.4 (unsure of which tor version, but likely older
> than 0.3.5.7)
> client announces it supports noauth (00) and userpass (02)
> server chooses userpass (02)
> connection is successful
>
> send  [00 = noauth, 02 = userpass]
> recv  [server chose userpass]
> send  [00 = zero length username, 00 = zero length
> password]
> recv  [00 = server indicates auth success]
> send  [connect
> command - ipinfo.io]
> recv  [00 = success]
> }}}
>
> Josh further gives us this hint:
>
> {{{
> It appears there is indeed something that changed between older versions
> of
> Tor and newer versions. Looking at the actual data being exchanged, it's
> exactly the same.
>
> The only odd thing is tor v0.3.5.7 is indicating in the auth reply that
> the
> authentication was a success, and only when the connect command is sent,
> it's returning a "general socks server failure" code, but in the actual
> tor
> log it's logging invalid user/pass.
> }}}
>
> I went spelunking and found this code newly in 0.3.5.x:
>
> {{{
>   if (usernamelen && username) {
> tor_free(req->username);
> req->username = tor_memdup_nulterm(username, usernamelen);
> req->usernamelen = usernamelen;
>
> req->got_auth = 1;
>   }
>
>   if (passwordlen && password) {
> tor_free(req->password);
> req->password = tor_memdup_nulterm(password, passwordlen);
> req->passwordlen = passwordlen;
>
> req->got_auth = 1;
>   }
> }}}
>
> Compare to the code in 0.3.4.x:
> {{{
>   if (usernamelen) {
> req->username = tor_memdup(data+2u, usernamelen);
> req->usernamelen = usernamelen;
>   }
>   if (passlen) {
> req->password = tor_memdup(data+3u+usernamelen, passlen);
> req->passwordlen = passlen;
>   }
>   *drain_out = 2u + usernamelen + 1u + passlen;
>   req->got_auth = 1;
> }}}
>
> So in 0.3.4.x when we got a type 0x02 handshake but empty username and
> empty password, we would still set got_auth to 1. In 0.3.5.x when that
> happens, we leave got_auth at 0.
>
> The result is that the socks5 handshake itself still goes identically,
> but when we get the empty username and password, we '''don't record that
> we received it''', even though we send back a "handshake was successful"
> response. And then when application data shows up after that, we try to
> treat it as a socks5 username and password, because we're still waiting
> for one. That's where things go bad.

New description:

 There is a regression in Tor 0.3.5.x with handling socks5 

Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-25 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  rl1987
 Type:  defect| Status:  accepted
 Priority:  High  |  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, 035-backport  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by nickm):

 * keywords:  regression, backport-035 => regression, 035-backport
 * priority:  Medium => High



Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-25 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  rl1987
 Type:  defect| Status:  accepted
 Priority:  Medium|  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, backport-035  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+
Changes (by rl1987):

 * status:  new => accepted
 * owner:  (none) => rl1987


Comment:

 Will look some more into this tomorrow.


Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-24 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  (none)
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, backport-035  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by yawning):

 Rejecting malformed username/password authentication attempts is the
 correct behavior.

 > {{{ send  [00 = zero length username, 00 = zero length
 password] }}}

 Both UNAME and PASSWD are explicitly specified as 1 to 255 octets long.
 Fix the client library.

 See:
  * https://tools.ietf.org/html/rfc1929
  * https://www.ietf.org/archive/id/draft-thomson-postel-was-wrong-03.txt


Re: [tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-24 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+
 Reporter:  arma  |  Owner:  (none)
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal| Resolution:
 Keywords:  regression, backport-035  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+

Comment (by arma):

 My proposed fix would be:
 {{{
 diff --git a/src/core/proto/proto_socks.c b/src/core/proto/proto_socks.c
 index 86c656e..8e3cf4a 100644
 --- a/src/core/proto/proto_socks.c
 +++ b/src/core/proto/proto_socks.c
 @@ -451,7 +451,6 @@ parse_socks5_userpass_auth(const uint8_t *raw_data,
 socks_re
  req->username = tor_memdup_nulterm(username, usernamelen);
  req->usernamelen = usernamelen;

 -req->got_auth = 1;
}

if (passwordlen && password) {
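Review bot: with `req->got_auth = 1;` dropped from this branch, a zero-length username is no longer a reason to stay unauthenticated, but the `if (usernamelen && username)` guard still skips the copy, so `req->username` stays NULL and `req->usernamelen` stays 0 for such a client; any code that later reads `req->username` has to tolerate NULL, and a one-line comment above the guard saying that empty fields are accepted on purpose (for clients that send ULEN=0/PLEN=0) would stop the next reader from "fixing" it back.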
 @@ -459,9 +458,10 @@ parse_socks5_userpass_auth(const uint8_t *raw_data,
 socks_r
  req->password = tor_memdup_nulterm(password, passwordlen);
  req->passwordlen = passwordlen;

 -req->got_auth = 1;
}

 +  req->got_auth = 1;
 +
end:
socks5_client_userpass_auth_free(trunnel_req);
return res;
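Review bot: the new unconditional `req->got_auth = 1;` sits directly above `end:`, so it runs on every path that does not leave via `goto end`; please confirm that every parse-failure path in parse_socks5_userpass_auth (trunnel parse error, truncated input) does `goto end` with `res` already set to the error, otherwise a malformed auth message would be recorded as a completed authentication while still being reported as a failure. Since the comment admits the patch is untested, a regression test that feeds a userpass message with zero-length username and password, checks `got_auth == 1`, and then checks that a following CONNECT request parses cleanly would pin the behaviour this ticket is about.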
 }}}

 But I don't know if that is a *sufficient* fix. Somebody should test it.
 :)


[tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth

2019-01-24 Thread Tor Bug Tracker & Wiki
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--+--
 Reporter:  arma  |  Owner:  (none)
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |Version:
 Severity:  Normal|   Keywords:  regression, backport-035
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+--
 There is a regression in Tor 0.3.5.x with handling socks5 handshakes that
 offer username/password auth but then present empty username and password.

 It came in during commit 9068ac3c (which went into 0.3.5.1-alpha).

 The symptom is that when you do your socks5 handshake with an empty
 username and password (e.g. like pidgin does it), you get log lines like
 {{{
 Jan 24 19:40:17.000 [warn] Fetching socks handshake failed. Closing.
 Jan 24 19:40:17.000 [warn] socks5: parsing failed - invalid user/pass
 authentication message.
 }}}

 Bug reported by a person on #tor, and also separately by #29050.

 I asked Josh Glazebrook, the author of the socks library in #29050, for
 some actual traces of correct behavior / incorrect behavior, and he sent:

 {{{
 socks v2.2.3
 tor v0.3.5.7
 client announces it only supports noauth (00)
 server chooses noauth (00)


 send  [00 = noauth]
 recv  [server chose noauth]
 send  [connect
 command - ipinfo.io]
 recv  [success]




 socks v2.2.2
 tor v0.3.5.7
 client announces it supports noauth (00) and userpass (02)
 server chooses userpass (02)
 connection is unsuccessful - server returns general socks server failure,
 tor logs indicate invalid user/pass.
 Jan 24 14:47:15.000 [warn] Fetching socks handshake failed. Closing.
 Jan 24 14:47:56.000 [warn] socks5: parsing failed - invalid user/pass
 authentication message.


 send  [00 = noauth, 02 = userpass]
 recv  [server chose userpass]
 send  [00 = zero length username, 00 = zero length
 password]
 recv  [00 = server indicates auth success]
 send  [connect
 command - ipinfo.io]
 recv  [01- general SOCKS server failure] (in tor's
 log output it's saying auth is invalid at this point)



 socks v.2.2.2
 tor via torbrowser 8.0.4 (unsure of which tor version, but likely older
 than 0.3.5.7)
 client announces it supports noauth (00) and userpass (02)
 server chooses userpass (02)
 connection is successful

 send  [00 = noauth, 02 = userpass]
 recv  [server chose userpass]
 send  [00 = zero length username, 00 = zero length
 password]
 recv  [00 = server indicates auth success]
 send  [connect
 command - ipinfo.io]
 recv  [00 = success]
 }}}

 Josh further gives us this hint:

 {{{
 It appears there is indeed something that changed between older versions
 of
 Tor and newer versions. Looking at the actual data being exchanged, it's
 exactly the same.

 The only odd thing is tor v0.3.5.7 is indicating in the auth reply that
 the
 authentication was a success, and only when the connect command is sent,
 it's returning a "general socks server failure" code, but in the actual
 tor
 log it's logging invalid user/pass.
 }}}

 I went spelunking and found this code newly in 0.3.5.x:

 {{{
   if (usernamelen && username) {
 tor_free(req->username);
 req->username = tor_memdup_nulterm(username, usernamelen);
 req->usernamelen = usernamelen;

 req->got_auth = 1;
   }

   if (passwordlen && password) {
 tor_free(req->password);
 req->password = tor_memdup_nulterm(password, passwordlen);
 req->passwordlen = passwordlen;

 req->got_auth = 1;
   }
 }}}

 Compare to the code in 0.3.4.x:
 {{{
   if (usernamelen) {
 req->username = tor_memdup(data+2u, usernamelen);
 req->usernamelen = usernamelen;
   }
   if (passlen) {
 req->password = tor_memdup(data+3u+usernamelen, passlen);
 req->passwordlen = passlen;
   }
   *drain_out = 2u + usernamelen + 1u + passlen;
   req->got_auth = 1;
 }}}

 So in 0.3.4.x when we got a type 0x02 handshake but empty username and
 empty password, we would still set got_auth to 1. In 0.3.5.x when that
 happens, we leave got_auth at 0.

 The result is that the socks5 handshake itself still goes identically, but
 when we get the empty username and password, we '''don't record that we
 received it''', even though we send back a "handshake was successful"
 response. And then when application data shows up after that, we try to
 treat it as a socks5 username and password, because we're still waiting
 for one. That's where things go bad.

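Added example, not Tor's code: a small C model of the server side of the RFC 1929 username/password sub-negotiation, written to make the failure mode described in the ticket (auth reply says "success", got_auth never recorded, the following CONNECT bytes get fed to the userpass parser) reproducible offline, and to contrast it with the two alternatives argued in this thread: the 0.3.4.x/patched behaviour (record the auth step on any well-formed message, even with ULEN=0 and PLEN=0) and yawning's strict reading of RFC 1929 (reject zero-length fields outright). The byte values of the client messages are constructed here from RFC 1928/1929, since the hex dumps in the ticket did not survive; the type and function names are invented for the example and do not correspond to anything in proto_socks.c.

```c
/* Added example, not Tor's code: toy server-side model of the SOCKS5
 * RFC 1929 username/password sub-negotiation and of what happens to the
 * bytes that follow it.  All names here are invented for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum mode {
  MODE_LENIENT = 0,  /* 0.3.4.x and the #29175 patch: got_auth on any well-formed message */
  MODE_035_BUG = 1,  /* 0.3.5.x regression: got_auth only when a non-empty field was copied */
  MODE_STRICT  = 2   /* literal RFC 1929: ULEN and PLEN must be 1..255 */
};
enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_MALFORMED = 2, PARSE_REJECTED = 3 };
enum outcome { CONNECT_OK = 0, AUTH_REJECTED = 1, FAIL_ON_CONNECT = 2 };

typedef struct {
  int got_auth;              /* server has recorded a completed auth step */
  uint8_t ulen, plen;
  uint8_t uname[255], passwd[255];
} socks_req_t;

/* Parse one RFC 1929 request: VER=0x01, ULEN, UNAME, PLEN, PASSWD.
 * Returns PARSE_TRUNCATED when more bytes are needed, as a streaming
 * parser would. */
static enum parse_result
parse_userpass(const uint8_t *buf, size_t len, enum mode mode,
               socks_req_t *req, size_t *consumed)
{
  if (len < 2) return PARSE_TRUNCATED;
  if (buf[0] != 0x01) return PARSE_MALFORMED; /* Tor's "invalid user/pass authentication message" */
  uint8_t ulen = buf[1];
  if (len < 2u + ulen + 1u) return PARSE_TRUNCATED;
  uint8_t plen = buf[2u + ulen];
  if (len < 3u + ulen + plen) return PARSE_TRUNCATED;
  if (mode == MODE_STRICT && (ulen == 0 || plen == 0)) return PARSE_REJECTED;

  if (ulen) {
    memcpy(req->uname, buf + 2, ulen);
    req->ulen = ulen;
    if (mode == MODE_035_BUG) req->got_auth = 1;   /* only inside the branch: the regression */
  }
  if (plen) {
    memcpy(req->passwd, buf + 3 + ulen, plen);
    req->plen = plen;
    if (mode == MODE_035_BUG) req->got_auth = 1;
  }
  if (mode != MODE_035_BUG) req->got_auth = 1;     /* unconditional, as in 0.3.4.x and the patch */
  *consumed = 3u + ulen + plen;
  return PARSE_OK;
}

/* Replay the exchange from the ticket's traces.  The client bytes are
 * constructed from RFC 1928/1929 (the ticket's hex dumps were not preserved).
 * auth_reply_out receives the STATUS byte the server would send back. */
static enum outcome
run_session(enum mode mode, uint8_t *auth_reply_out)
{
  static const uint8_t empty_auth[] = { 0x01, 0x00, 0x00 };   /* VER, ULEN=0, PLEN=0 */
  static const uint8_t connect_req[] = { 0x05, 0x01, 0x00, 0x03, 9,
    'i','p','i','n','f','o','.','i','o', 0x00, 0x50 };          /* CONNECT ipinfo.io:80 */
  socks_req_t req;
  size_t used = 0;
  memset(&req, 0, sizeof req);

  /* Server picked method 0x02; the client answers with the empty credentials. */
  if (parse_userpass(empty_auth, sizeof empty_auth, mode, &req, &used) != PARSE_OK) {
    *auth_reply_out = 0x01;                /* non-zero STATUS: auth failed, close */
    return AUTH_REJECTED;
  }
  *auth_reply_out = 0x00;                  /* STATUS 0: "auth succeeded", sent in every mode */

  /* The next bytes on the wire are the CONNECT request.  A server that never
   * recorded the auth step is still waiting for credentials, so it runs the
   * CONNECT bytes through the userpass parser, where VER=0x05 is rejected. */
  if (!req.got_auth &&
      parse_userpass(connect_req, sizeof connect_req, mode, &req, &used) != PARSE_OK)
    return FAIL_ON_CONNECT;                /* Tor replies 0x01 general SOCKS server failure */
  return CONNECT_OK;
}

/* Scalar wrappers for the three scenarios. */
static int outcome_for(enum mode m) { uint8_t r; return (int)run_session(m, &r); }
static int auth_reply_for(enum mode m) { uint8_t r; run_session(m, &r); return r; }

/* Non-empty credentials: shows the regression only bites when both fields are empty. */
static int nonempty_got_auth(enum mode m)
{
  static const uint8_t msg[] = { 0x01, 3, 'b','o','b', 6, 's','e','c','r','e','t' };
  socks_req_t req; size_t used = 0;
  memset(&req, 0, sizeof req);
  if (parse_userpass(msg, sizeof msg, m, &req, &used) != PARSE_OK) return -1;
  return req.got_auth && used == sizeof msg;
}

int main(void)
{
  static const char *names[] = { "lenient (0.3.4.x/patched)", "0.3.5.x regression", "strict RFC 1929" };
  for (int m = 0; m < 3; m++)
    printf("%-26s auth STATUS=0x%02x outcome=%d\n", names[m],
           auth_reply_for((enum mode)m), outcome_for((enum mode)m));
  return 0;
}
```

The point the model makes visible is the one Josh's traces hinted at: in the regression mode the server's auth reply is STATUS 0 exactly as in the lenient mode, and the difference only shows up one message later, when the CONNECT request is rejected by the wrong parser. The strict mode fails earlier and more honestly (non-zero STATUS on the auth reply), which is why it is the cleaner protocol behaviour and also why it would have broken the same clients; the patch merged here chose compatibility with the 0.3.4.x behaviour instead.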