July 2011 - tor-commits - lists.torproject.org

[tor/master] Merge remote-tracking branch 'public/bug1666'
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 1aab5b6b391ca179d9acded9465ee4941ec4700b Merge: 9a6642f 16c5a62 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jul 13 12:12:16 2011 -0400 Merge remote-tracking branch 'public/bug1666' Conflicts: doc/spec/socks-extensions.txt src/or/buffers.c src/or/config.c src/or/connection_edge.c changes/bug1666 | 4 + src/or/buffers.c | 182 ++++++++++++++++------ src/or/buffers.h | 2 + src/or/config.c | 3 +- src/or/config.h | 2 + src/or/connection.c | 8 +- src/or/connection_edge.c | 23 ++-- src/or/or.h | 26 +++- src/test/test.c | 384 ++++++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 566 insertions(+), 68 deletions(-) diff --cc src/or/buffers.c index 7312749,b7567bf..256b507 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@@ -1482,10 -1475,25 +1482,29 @@@ log_unsafe_socks_warning(int socks_prot socks_protocol, address, (int)port); } +/** Do not attempt to parse socks messages longer than this. This value is + * actually significantly higher than the longest possible socks message. */ +#define MAX_SOCKS_MESSAGE_LEN 512 + + /** Return a new socks_request_t. */ + socks_request_t * + socks_request_new(void) + { + return tor_malloc_zero(sizeof(socks_request_t)); + } + + /** Free all storage held in the socks_request_t req. */ + void + socks_request_free(socks_request_t *req) + { + if (!req) + return; + tor_free(req->username); + tor_free(req->password); + memset(req, 0xCC, sizeof(socks_request_t)); + tor_free(req); + } + /** There is a (possibly incomplete) socks handshake on buf, of one * of the forms * - socks4: "socksheader username\\0" diff --cc src/or/config.c index 4a9d2c9,d2dbdaa..cdf0122 --- a/src/or/config.c +++ b/src/or/config.c @@@ -547,44 -521,38 +547,43 @@@ static char *get_windows_conf_root(void #endif static void config_line_append(config_line_t **lst, const char *key, const char *val); -static void option_clear(config_format_t *fmt, or_options_t *options, - config_var_t *var); -static void option_reset(config_format_t *fmt, or_options_t *options, - config_var_t *var, int use_defaults); -static void config_free(config_format_t *fmt, void *options); +static void option_clear(const config_format_t *fmt, or_options_t *options, + const config_var_t *var); +static void option_reset(const config_format_t *fmt, or_options_t *options, + const config_var_t *var, int use_defaults); +static void config_free(const config_format_t *fmt, void *options); static int config_lines_eq(config_line_t *a, config_line_t *b); -static int option_is_same(config_format_t *fmt, - or_options_t *o1, or_options_t *o2, +static int option_is_same(const config_format_t *fmt, + const or_options_t *o1, const or_options_t *o2, const char *name); -static or_options_t *options_dup(config_format_t *fmt, or_options_t *old); -static int options_validate(or_options_t *old_options, or_options_t *options, +static or_options_t *options_dup(const config_format_t *fmt, + const or_options_t *old); +static int options_validate(or_options_t *old_options, + or_options_t *options, int from_setconf, char **msg); -static int options_act_reversible(or_options_t *old_options, char **msg); -static int options_act(or_options_t *old_options); -static int options_transition_allowed(or_options_t *old, or_options_t *new, +static int options_act_reversible(const or_options_t *old_options, char **msg); +static int options_act(const or_options_t *old_options); +static int options_transition_allowed(const or_options_t *old, + const or_options_t *new, char **msg); -static int options_transition_affects_workers(or_options_t *old_options, - or_options_t *new_options); -static int options_transition_affects_descriptor(or_options_t *old_options, - or_options_t *new_options); +static int options_transition_affects_workers( + const or_options_t *old_options, const or_options_t *new_options); +static int options_transition_affects_descriptor( + const or_options_t *old_options, const or_options_t *new_options); static int check_nickname_list(const char *lst, const char *name, char **msg); - static void config_register_addressmaps(const or_options_t *options); static int parse_bridge_line(const char *line, int validate_only); +static int parse_client_transport_line(const char *line, int validate_only); static int parse_dir_server_line(const char *line, - authority_type_t required_type, + dirinfo_type_t required_type, int validate_only); static int validate_data_directory(or_options_t *options); -static int write_configuration_file(const char *fname, or_options_t *options); -static config_line_t *get_assigned_option(config_format_t *fmt, - void *options, const char *key, - int escape_val); -static void config_init(config_format_t *fmt, void *options); +static int write_configuration_file(const char *fname, + const or_options_t *options); +static config_line_t *get_assigned_option(const config_format_t *fmt, + const void *options, const char *key, + int escape_val); +static void config_init(const config_format_t *fmt, void *options); static int or_state_validate(or_state_t *old_options, or_state_t *options, int from_setconf, char **msg); static int or_state_load(void); @@@ -4430,8 -4313,8 +4429,8 @@@ get_torrc_fname(void /** Adjust the address map based on the MapAddress elements in the * configuration options */ - static void + void -config_register_addressmaps(or_options_t *options) +config_register_addressmaps(const or_options_t *options) { smartlist_t *elts; config_line_t *opt; diff --cc src/or/config.h index bc71191,db871d4..8a06f44 --- a/src/or/config.h +++ b/src/or/config.h @@@ -79,5 -76,7 +79,7 @@@ uint32_t get_effective_bwburst(const or or_options_t *options_new(void); #endif -void config_register_addressmaps(or_options_t *options); ++void config_register_addressmaps(const or_options_t *options); + #endif diff --cc src/or/connection_edge.c index 7516716,bff73d4..c19e8b7 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@@ -2144,7 -1882,8 +2144,8 @@@ connection_ap_handshake_process_socks(e { socks_request_t *socks; int sockshere; - or_options_t *options = get_options(); + const or_options_t *options = get_options(); + int had_reply = 0; tor_assert(conn); tor_assert(conn->_base.type == CONN_TYPE_AP);

1 0

[tor/master] bug1666 - Pass-through support for SOCKS5 authentication
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit bf136b94de39de65638ce3daaf2e87731cd0a44a Author: Robert Hogan <robert(a)roberthogan.net> Date: Tue Aug 3 22:28:55 2010 +0100 bug1666 - Pass-through support for SOCKS5 authentication If a SOCKS5 client insists on authentication, allow it to negotiate a connection with Tor's SOCKS server successfully. Any credentials the client provides are ignored. This allows Tor to work with SOCKS5 clients that can only support 'authenticated' connections. Also add a bunch of basic unit tests for SOCKS4/4a/5 support in buffers.c. --- doc/spec/socks-extensions.txt | 5 +- src/or/buffers.c | 62 ++++++++--- src/or/config.c | 3 +- src/or/config.h | 2 + src/or/or.h | 2 + src/test/test.c | 237 +++++++++++++++++++++++++++++++++++++++++ 6 files changed, 293 insertions(+), 18 deletions(-) diff --git a/doc/spec/socks-extensions.txt b/doc/spec/socks-extensions.txt index 62d86ac..52d6834 100644 --- a/doc/spec/socks-extensions.txt +++ b/doc/spec/socks-extensions.txt @@ -31,8 +31,9 @@ Tor's extensions to the SOCKS protocol SOCKS5: - The (SOCKS5) "UDP ASSOCIATE" command is not supported. - IPv6 is not supported in CONNECT commands. - - Only the "NO AUTHENTICATION" (SOCKS5) authentication method [00] is - supported. + - The "NO AUTHENTICATION" (SOCKS5) authentication method [00] and the + "USERNAME/PASSWORD" (SOCKS5) authentication method [02] are both + supported. Any credentials passed in the latter are ignored. 2. Name lookup diff --git a/src/or/buffers.c b/src/or/buffers.c index 11c4fc8..534f31c 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1633,40 +1633,74 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, uint8_t socksver; enum {socks4, socks4a} socks4_prot = socks4a; char *next, *startaddr; + unsigned char usernamelen, passlen; struct in_addr in; socksver = *data; switch (socksver) { /* which version of socks? */ + case 1: /* socks5: username/password authentication request */ + + usernamelen = (unsigned char)*(buf->head->data + 1); + if (buf->datalen < 2u + usernamelen) + return 0; + buf_pullup(buf, 2u + usernamelen + 1, 0); + passlen = (unsigned char)*(buf->head->data + 2u + usernamelen); + if (buf->datalen < 2u + usernamelen + 1u + passlen) + return 0; + if (buf->datalen > 2u + usernamelen + 1u + passlen) { + log_warn(LD_APP, + "socks5: Malformed username/password. Rejecting."); + return -1; + } + req->replylen = 2; /* 2 bytes of response */ + req->reply[0] = 5; + req->reply[1] = 0; /* authentication successful */ + buf_clear(buf); + log_debug(LD_APP, + "socks5: Accepted username/password without checking."); + return 0; + case 5: /* socks5 */ if (req->socks_version != 5) { /* we need to negotiate a method */ unsigned char nummethods = (unsigned char)*(data+1); + int r=0; tor_assert(!req->socks_version); if (datalen < 2u+nummethods) { *want_length_out = 2u+nummethods; return 0; } - if (!nummethods || !memchr(data+2, 0, nummethods)) { + buf_pullup(buf, 2u+nummethods, 0); + if (!nummethods) + return -1; + req->replylen = 2; /* 2 bytes of response */ + req->reply[0] = 5; /* socks5 reply */ + if (memchr(buf->head->data+2, SOCKS_NO_AUTH, nummethods)) { + req->reply[1] = SOCKS_NO_AUTH; /* tell client to use "none" auth + method */ + req->socks_version = 5; /* remember we've already negotiated auth */ + log_debug(LD_APP,"socks5: accepted method 0 (no authentication)"); + r=0; + }else if (memchr(buf->head->data+2, SOCKS_USER_PASS,nummethods)) { + req->reply[1] = SOCKS_USER_PASS; /* tell client to use "user/pass" + auth method */ + req->socks_version = 5; /* remember we've already negotiated auth */ + log_debug(LD_APP,"socks5: accepted method 2 (username/password)"); + r=0; + } else { log_warn(LD_APP, - "socks5: offered methods don't include 'no auth'. " - "Rejecting."); - req->replylen = 2; /* 2 bytes of response */ - req->reply[0] = 5; + "socks5: offered methods don't include 'no auth' or " + "username/password. Rejecting."); req->reply[1] = '\xFF'; /* reject all methods */ - return -1; + r=-1; } /* remove packet from buf. also remove any other extraneous * bytes, to support broken socks clients. */ *drain_out = -1; - req->replylen = 2; /* 2 bytes of response */ - req->reply[0] = 5; /* socks5 reply */ - req->reply[1] = 0; /* tell client to use "none" auth method */ - req->socks_version = 5; /* remember we've already negotiated auth */ - log_debug(LD_APP,"socks5: accepted method 0"); - return 0; + return r; } /* we know the method; read in the request */ log_debug(LD_APP,"socks5: checking request"); @@ -1761,8 +1795,8 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, } tor_assert(0); case 4: /* socks4 */ - /* http://archive.socks.permeo.com/protocol/socks4.protocol */ - /* http://archive.socks.permeo.com/protocol/socks4a.protocol */ + /* http://ss5.sourceforge.net/socks4.protocol.txt */ + /* http://ss5.sourceforge.net/socks4A.protocol.txt */ req->socks_version = 4; if (datalen < SOCKS4_NETWORK_LEN) {/* basic info available? */ diff --git a/src/or/config.c b/src/or/config.c index cd6b0b0..d2dbdaa 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -542,7 +542,6 @@ static int options_transition_affects_workers(or_options_t *old_options, static int options_transition_affects_descriptor(or_options_t *old_options, or_options_t *new_options); static int check_nickname_list(const char *lst, const char *name, char **msg); -static void config_register_addressmaps(or_options_t *options); static int parse_bridge_line(const char *line, int validate_only); static int parse_dir_server_line(const char *line, @@ -4314,7 +4313,7 @@ get_torrc_fname(void) /** Adjust the address map based on the MapAddress elements in the * configuration options */ -static void +void config_register_addressmaps(or_options_t *options) { smartlist_t *elts; diff --git a/src/or/config.h b/src/or/config.h index bd5827b..db871d4 100644 --- a/src/or/config.h +++ b/src/or/config.h @@ -76,5 +76,7 @@ uint32_t get_effective_bwburst(or_options_t *options); or_options_t *options_new(void); #endif +void config_register_addressmaps(or_options_t *options); + #endif diff --git a/src/or/or.h b/src/or/or.h index c5349ae..6ae62e8 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3067,6 +3067,8 @@ static INLINE void or_state_mark_dirty(or_state_t *state, time_t when) #define MAX_SOCKS_REPLY_LEN 1024 #define MAX_SOCKS_ADDR_LEN 256 +#define SOCKS_NO_AUTH 0x00 +#define SOCKS_USER_PASS 0x02 /** Please open a TCP connection to this addr:port. */ #define SOCKS_COMMAND_CONNECT 0x01 diff --git a/src/test/test.c b/src/test/test.c index 9b0251b..68f1aeb 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -197,6 +197,207 @@ free_pregenerated_keys(void) } } +/** Helper: Perform supported SOCKS 5 commands */ +static void +test_buffers_socks4_unsupported_commands_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 4 Send BIND [02] to IP address 2.2.2.2:4369 */ + cp = "\x04\x02\x11\x11\x02\x02\x02\x02\x00"; + write_to_buf(cp, 9, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == -1); + test_eq(4, socks->socks_version); + test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ + +done: + ; +} + +/** Helper: Perform supported SOCKS 5 commands */ +static void +test_buffers_socks4_supported_commands_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 4 Send CONNECT [01] to IP address 2.2.2.2:4369 */ + cp = "\x04\x01\x11\x11\x02\x02\x02\x02\x00"; + write_to_buf(cp, 9, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(4, socks->socks_version); + test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ + test_streq("2.2.2.2", socks->address); + test_eq(4369, socks->port); + + /* SOCKS 4 Send CONNECT [01] to IP address 2.2.2.2:4369 with userid*/ + cp = "\x04\x01\x11\x11\x02\x02\x02\x02\x02me\x00"; + write_to_buf(cp, 12, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(4, socks->socks_version); + test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ + test_streq("2.2.2.2", socks->address); + test_eq(4369, socks->port); + + /* SOCKS 4a Send RESOLVE [F0] request for torproject.org:4369 */ + cp = "\x04\xF0\x01\x01\x00\x00\x00\x02\x02me\x00tor.org\x00"; + write_to_buf(cp, 20, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(4, socks->socks_version); + test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ + test_streq("tor.org", socks->address); + +done: + ; +} + +/** Helper: Perform supported SOCKS 5 commands */ +static void +test_buffers_socks5_unsupported_commands_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Send unsupported BIND [02] command */ + cp = "\x05\x02\x00\x01\x02\x02\x02\x02\x01\x01"; + write_to_buf(cp, 10, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == -1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); /* XXX: shouldn't tor reply 'command + not supported' [07]? */ + + /* SOCKS 5 Send unsupported UDP_ASSOCIATE [03] command */ + cp = "\x05\x03\x00\x01\x02\x02\x02\x02\x01\x01"; + write_to_buf(cp, 10, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == -1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); /* XXX: shouldn't tor reply 'command + not supported' [07]? */ + +done: + ; +} + +/** Helper: Perform supported SOCKS 5 commands */ +static void +test_buffers_socks5_supported_commands_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Send CONNECT [01] to IP address 2.2.2.2:4369 */ + cp = "\x05\x01\x00\x01\x02\x02\x02\x02\x11\x11"; + write_to_buf(cp, 10, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("2.2.2.2", socks->address); + test_eq(4369, socks->port); + + /* SOCKS 5 Send CONNECT [01] to FQDN torproject.org:4369 */ + cp = "\x05\x01\x00\x03\x07tor.org\x11\x11"; + write_to_buf(cp, 14, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("tor.org", socks->address); + test_eq(4369, socks->port); + + /* SOCKS 5 Send RESOLVE [F0] request for torproject.org:4369 */ + cp = "\x05\xF0\x00\x03\x07tor.org"; + write_to_buf(cp, 14, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("tor.org", socks->address); + + /* SOCKS 5 Send RESOLVE_PTR [F1] for IP address 2.2.2.2 */ + cp = "\x05\xF1\x00\x01\x02\x02\x02\x02"; + write_to_buf(cp, 10, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("2.2.2.2", socks->address); + +done: + ; +} + +/** Helper: Perform SOCKS 5 authentication */ +static void +test_buffers_socks5_no_authenticate_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /*SOCKS 5 No Authentication */ + cp = "\x05\x01\x00"; + write_to_buf(cp, 3, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(SOCKS_NO_AUTH, socks->reply[1]); + + /*SOCKS 5 Send username/password anyway - pretend to be broken */ + cp = "\x01\x02\x01\x01\x02\x01\x01"; + write_to_buf(cp, 7, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + +done: + ; +} + +/** Helper: Perform SOCKS 5 authentication */ +static void +test_buffers_socks5_authenticate_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Negotiate username/password authentication */ + cp = "\x05\x01\x02"; + write_to_buf(cp, 3, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(SOCKS_USER_PASS, socks->reply[1]); + test_eq(5, socks->socks_version); + + /* SOCKS 5 Send username/password */ + cp = "\x01\x02me\x02me"; + write_to_buf(cp, 7, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); +done: + ; +} + /** Run unit tests for buffers.c */ static void test_buffers(void) @@ -206,6 +407,7 @@ test_buffers(void) buf_t *buf = NULL, *buf2 = NULL; const char *cp; + socks_request_t *socks; int j; size_t r; @@ -363,6 +565,41 @@ test_buffers(void) buf_free(buf); buf = NULL; + /* Test fetch_from_buf_socks() */ + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + config_register_addressmaps(get_options()); + + /* A SOCKS 5 client that only supports authentication */ + test_buffers_socks5_authenticate_helper(cp, buf, socks); + test_buffers_socks5_supported_commands_helper(cp, buf, socks); + test_buffers_socks5_unsupported_commands_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + + /* A SOCKS 5 client that doesn't want authentication */ + test_buffers_socks5_no_authenticate_helper(cp, buf, socks); + test_buffers_socks5_supported_commands_helper(cp, buf, socks); + test_buffers_socks5_unsupported_commands_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + + /* A SOCKS 4(a) client */ + test_buffers_socks4_supported_commands_helper(cp, buf, socks); + test_buffers_socks4_unsupported_commands_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + done: if (buf) buf_free(buf);

1 0

[tor/master] Be more strict about when to accept socks auth message
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit aec396d9d0c2db18d44c9ad850bedbc01d50e40a Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 12:00:00 2011 -0400 Be more strict about when to accept socks auth message In the code as it stood, we would accept any number of socks5 username/password authentication messages, regardless of whether we had actually negotiated username/password authentication. Instead, we should only accept one, and only if we have really negotiated username/password authentication. This patch also makes some fields of socks_request_t into uint8_t, for safety. --- src/or/buffers.c | 36 +++++++++++++++++++++--------------- src/or/or.h | 12 +++++++++--- 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 3490d6d..bbd60c4 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1636,18 +1636,12 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, unsigned char usernamelen, passlen; struct in_addr in; - socksver = *data; - - switch (socksver) { /* which version of socks? */ - - case 1: /* socks5: username/password authentication request */ - - if (req->socks_version != 5) { - log_warn(LD_APP, - "socks5: Received authentication attempt before " - "authentication negotiated. Rejecting."); - return -1; - } + if (req->socks_version == 5 && !req->got_auth) { + /* See if we have received authentication. Strictly speaking, we should + also check whether we actually negotiated username/password + authentication. But some broken clients will send us authentication + even if we negotiated SOCKS_NO_AUTH. */ + if (*data == 1) { /* username/pass version 1 */ /* Format is: authversion [1 byte] == 1 usernamelen [1 byte] username [usernamelen bytes] @@ -1669,8 +1663,19 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, log_debug(LD_APP, "socks5: Accepted username/password without checking."); *drain_out = 2u + usernamelen + 1u + passlen; + req->got_auth = 1; return 0; + } else if (req->auth_type == SOCKS_USER_PASS) { + /* unknown version byte */ + log_warn(LD_APP, "Socks5 username/password version %d not recognized; " + "rejecting.", (int)*data); + return -1; + } + } + socksver = *data; + + switch (socksver) { /* which version of socks? */ case 5: /* socks5 */ if (req->socks_version != 5) { /* we need to negotiate a method */ @@ -1691,7 +1696,8 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, req->socks_version = 5; /* remember we've already negotiated auth */ log_debug(LD_APP,"socks5: accepted method 0 (no authentication)"); r=0; - } else if (memchr(data+2, SOCKS_USER_PASS,nummethods)) { + } else if (memchr(data+2, SOCKS_USER_PASS, nummethods)) { + req->auth_type = SOCKS_USER_PASS; req->reply[1] = SOCKS_USER_PASS; /* tell client to use "user/pass" auth method */ req->socks_version = 5; /* remember we've already negotiated auth */ @@ -1911,7 +1917,7 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, case 'H': /* head */ case 'P': /* put/post */ case 'C': /* connect */ - strlcpy(req->reply, + strlcpy((char*)req->reply, "HTTP/1.0 501 Tor is not an HTTP Proxy\r\n" "Content-Type: text/html; charset=iso-8859-1\r\n\r\n" "<html>\n" @@ -1937,7 +1943,7 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, "</body>\n" "</html>\n" , MAX_SOCKS_REPLY_LEN); - req->replylen = strlen(req->reply)+1; + req->replylen = strlen((char*)req->reply)+1; /* fall through */ default: /* version is not socks4 or socks5 */ log_warn(LD_APP, diff --git a/src/or/or.h b/src/or/or.h index 6ae62e8..bc80e39 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3088,10 +3088,15 @@ struct socks_request_t { /** Which version of SOCKS did the client use? One of "0, 4, 5" -- where * 0 means that no socks handshake ever took place, and this is just a * stub connection (e.g. see connection_ap_make_link()). */ - char socks_version; - int command; /**< What is this stream's goal? One from the above list. */ + uint8_t socks_version; + /** If using socks5 authentication, which authentication type did we + * negotiate? currently we support 0 (no authentication) and 2 + * (username/password). */ + uint8_t auth_type; + /** What is this stream's goal? One of the SOCKS_COMMAND_* values */ + uint8_t command; size_t replylen; /**< Length of reply. */ - char reply[MAX_SOCKS_REPLY_LEN]; /**< Write an entry into this string if + uint8_t reply[MAX_SOCKS_REPLY_LEN]; /**< Write an entry into this string if * we want to specify our own socks reply, * rather than using the default socks4 or * socks5 socks reply. We use this for the @@ -3103,6 +3108,7 @@ struct socks_request_t { unsigned int has_finished : 1; /**< Has the SOCKS handshake finished? Used to * make sure we send back a socks reply for * every connection. */ + unsigned int got_auth : 1; /**< Have we received any authentication data? */ }; /********************************* circuitbuild.c **********************/

1 0

[tor/master] If we negotiate authentication, require it.
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 204bce7e3ca0f60cfec1d8be700848309f605abd Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 12:16:09 2011 -0400 If we negotiate authentication, require it. --- src/or/buffers.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index bbd60c4..7b212a7 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1716,6 +1716,11 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, return r; } + if (req->auth_type != SOCKS_NO_AUTH && !req->got_auth) { + log_warn(LD_APP, + "socks5: negotiated authentication, but none provided"); + return -1; + } /* we know the method; read in the request */ log_debug(LD_APP,"socks5: checking request"); if (datalen < 8) {/* basic info plus >=2 for addr plus 2 for port */

1 0

[tor/master] Fix 'make check-spaces'
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 9b3f48c0744bd72cb8b25ac7857476181b29481a Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 11:47:35 2011 -0400 Fix 'make check-spaces' --- src/or/buffers.c | 2 +- src/test/test.c | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 4b8532a..3490d6d 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1691,7 +1691,7 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, req->socks_version = 5; /* remember we've already negotiated auth */ log_debug(LD_APP,"socks5: accepted method 0 (no authentication)"); r=0; - }else if (memchr(data+2, SOCKS_USER_PASS,nummethods)) { + } else if (memchr(data+2, SOCKS_USER_PASS,nummethods)) { req->reply[1] = SOCKS_USER_PASS; /* tell client to use "user/pass" auth method */ req->socks_version = 5; /* remember we've already negotiated auth */ diff --git a/src/test/test.c b/src/test/test.c index bac73f2..d0e24d1 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -210,7 +210,7 @@ test_buffers_socks4_unsupported_commands_helper(const char *cp, buf_t *buf, test_eq(4, socks->socks_version); test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ -done: + done: ; } @@ -248,7 +248,7 @@ test_buffers_socks4_supported_commands_helper(const char *cp, buf_t *buf, test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ test_streq("tor.org", socks->address); -done: + done: ; } @@ -279,7 +279,7 @@ test_buffers_socks5_unsupported_commands_helper(const char *cp, buf_t *buf, test_eq(0, socks->reply[1]); /* XXX: shouldn't tor reply 'command not supported' [07]? */ -done: + done: ; } @@ -334,7 +334,7 @@ test_buffers_socks5_supported_commands_helper(const char *cp, buf_t *buf, test_eq(0, socks->reply[1]); test_streq("2.2.2.2", socks->address); -done: + done: ; } @@ -364,7 +364,7 @@ test_buffers_socks5_no_authenticate_helper(const char *cp, buf_t *buf, test_eq(5, socks->reply[0]); test_eq(0, socks->reply[1]); -done: + done: ; } @@ -394,7 +394,7 @@ test_buffers_socks5_authenticate_helper(const char *cp, buf_t *buf, test_eq(2, socks->replylen); test_eq(5, socks->reply[0]); test_eq(0, socks->reply[1]); -done: + done: ; } @@ -434,7 +434,7 @@ test_buffers_socks5_authenticate_with_data_helper(const char *cp, buf_t *buf, test_eq(0, socks->reply[1]); test_streq("2.2.2.2", socks->address); test_eq(4369, socks->port); -done: + done: ; } @@ -454,7 +454,7 @@ test_buffers_socks5_auth_before_negotiation_helper(const char *cp, buf_t *buf, test_eq(0, socks->reply[0]); test_eq(0, socks->reply[1]); -done: + done: ; }

1 0

[tor/master] Correct byte-counting in socks auth parsing code
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 1ed615ded7db0765e8355687bda8b00fdc643e3e Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 11:45:15 2011 -0400 Correct byte-counting in socks auth parsing code --- src/or/buffers.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 445376f..4b8532a 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1648,14 +1648,19 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, "authentication negotiated. Rejecting."); return -1; } + /* Format is: authversion [1 byte] == 1 + usernamelen [1 byte] + username [usernamelen bytes] + passlen [1 byte] + password [passlen bytes] */ usernamelen = (unsigned char)*(data + 1); - if (datalen < 2u + usernamelen) { - *want_length_out = 2u+usernamelen; + if (datalen < 2u + usernamelen + 1u) { + *want_length_out = 2u + usernamelen + 1u; return 0; } passlen = (unsigned char)*(data + 2u + usernamelen); if (datalen < 2u + usernamelen + 1u + passlen) { - *want_length_out = 2u+usernamelen; + *want_length_out = 2u + usernamelen + 1u + passlen; return 0; } req->replylen = 2; /* 2 bytes of response */

1 0

[tor/master] bug1666 - Pass-through support for SOCKS5 authentication(4)
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 02c2d9a4aa2a7ce339e87be9c0c0dc23a6881c14 Author: Robert Hogan <robert(a)roberthogan.net> Date: Tue Dec 14 19:59:42 2010 +0000 bug1666 - Pass-through support for SOCKS5 authentication(4) Implement nickm's suggestion that we tolerate SOCKS5 clients that send authentication credentials and SOCKS commands all in one go. --- src/or/buffers.c | 5 ----- src/test/test.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 5 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 5cd76fa..445376f 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1658,11 +1658,6 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, *want_length_out = 2u+usernamelen; return 0; } - if (datalen > 2u + usernamelen + 1u + passlen) { - log_warn(LD_APP, - "socks5: Malformed username/password. Rejecting."); - return -1; - } req->replylen = 2; /* 2 bytes of response */ req->reply[0] = 5; req->reply[1] = 0; /* authentication successful */ diff --git a/src/test/test.c b/src/test/test.c index 8155c3f..bac73f2 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -398,6 +398,46 @@ done: ; } +/** Helper: Perform SOCKS 5 authentication and send data all in one go */ +static void +test_buffers_socks5_authenticate_with_data_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Negotiate username/password authentication */ + cp = "\x05\x01\x02"; + write_to_buf(cp, 3, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(SOCKS_USER_PASS, socks->reply[1]); + test_eq(5, socks->socks_version); + + /* SOCKS 5 Send username/password */ + /* SOCKS 5 Send CONNECT [01] to IP address 2.2.2.2:4369 */ + cp = "\x01\x02me\x02me\x05\x01\x00\x01\x02\x02\x02\x02\x11\x11"; + write_to_buf(cp, 17, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("2.2.2.2", socks->address); + test_eq(4369, socks->port); +done: + ; +} + /** Helper: Perform SOCKS 5 authentication before method negotiated */ static void test_buffers_socks5_auth_before_negotiation_helper(const char *cp, buf_t *buf, @@ -610,6 +650,15 @@ test_buffers(void) buf = buf_new_with_capacity(256); socks = tor_malloc_zero(sizeof(socks_request_t));; + /* A SOCKS 5 client that sends credentials and data in one go */ + test_buffers_socks5_authenticate_with_data_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + /* A SOCKS 5 client that doesn't want authentication */ test_buffers_socks5_no_authenticate_helper(cp, buf, socks); test_buffers_socks5_supported_commands_helper(cp, buf, socks);

1 0

[tor/master] bug1666 - Pass-through support for SOCKS5 authentication(3)
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 8a2f7ef66ac3bee0d6885ec3ca16937fed0703bb Author: Robert Hogan <robert(a)roberthogan.net> Date: Sun Oct 17 14:22:24 2010 +0100 bug1666 - Pass-through support for SOCKS5 authentication(3) Add changes file. --- changes/bug1666 | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/changes/bug1666 b/changes/bug1666 new file mode 100644 index 0000000..9fd790d --- /dev/null +++ b/changes/bug1666 @@ -0,0 +1,4 @@ + o Minor features: + - Accept attempts to include a password authenticator in the handshake, as + supported by SOCKS5. This handles SOCKS clients that don't know how to + omit the password when authenticating. Resolves bug 1666.

1 0

[tor/master] bug1666 - Pass-through support for SOCKS5 authentication (2)
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit f85f52808cd29e50874b233e55b0a0fe98e425f3 Author: Robert Hogan <robert(a)roberthogan.net> Date: Sun Oct 17 14:14:51 2010 +0100 bug1666 - Pass-through support for SOCKS5 authentication (2) Address Nick's comments: - Refactor against changes in buffers.c - Ensure we have negotiated a method before accepting authentication credentials --- src/or/buffers.c | 28 ++++++++++++++++++---------- src/test/test.c | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 12 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 534f31c..5cd76fa 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1642,14 +1642,23 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, case 1: /* socks5: username/password authentication request */ - usernamelen = (unsigned char)*(buf->head->data + 1); - if (buf->datalen < 2u + usernamelen) + if (req->socks_version != 5) { + log_warn(LD_APP, + "socks5: Received authentication attempt before " + "authentication negotiated. Rejecting."); + return -1; + } + usernamelen = (unsigned char)*(data + 1); + if (datalen < 2u + usernamelen) { + *want_length_out = 2u+usernamelen; return 0; - buf_pullup(buf, 2u + usernamelen + 1, 0); - passlen = (unsigned char)*(buf->head->data + 2u + usernamelen); - if (buf->datalen < 2u + usernamelen + 1u + passlen) + } + passlen = (unsigned char)*(data + 2u + usernamelen); + if (datalen < 2u + usernamelen + 1u + passlen) { + *want_length_out = 2u+usernamelen; return 0; - if (buf->datalen > 2u + usernamelen + 1u + passlen) { + } + if (datalen > 2u + usernamelen + 1u + passlen) { log_warn(LD_APP, "socks5: Malformed username/password. Rejecting."); return -1; @@ -1657,9 +1666,9 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, req->replylen = 2; /* 2 bytes of response */ req->reply[0] = 5; req->reply[1] = 0; /* authentication successful */ - buf_clear(buf); log_debug(LD_APP, "socks5: Accepted username/password without checking."); + *drain_out = 2u + usernamelen + 1u + passlen; return 0; case 5: /* socks5 */ @@ -1672,18 +1681,17 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, *want_length_out = 2u+nummethods; return 0; } - buf_pullup(buf, 2u+nummethods, 0); if (!nummethods) return -1; req->replylen = 2; /* 2 bytes of response */ req->reply[0] = 5; /* socks5 reply */ - if (memchr(buf->head->data+2, SOCKS_NO_AUTH, nummethods)) { + if (memchr(data+2, SOCKS_NO_AUTH, nummethods)) { req->reply[1] = SOCKS_NO_AUTH; /* tell client to use "none" auth method */ req->socks_version = 5; /* remember we've already negotiated auth */ log_debug(LD_APP,"socks5: accepted method 0 (no authentication)"); r=0; - }else if (memchr(buf->head->data+2, SOCKS_USER_PASS,nummethods)) { + }else if (memchr(data+2, SOCKS_USER_PASS,nummethods)) { req->reply[1] = SOCKS_USER_PASS; /* tell client to use "user/pass" auth method */ req->socks_version = 5; /* remember we've already negotiated auth */ diff --git a/src/test/test.c b/src/test/test.c index 68f1aeb..8155c3f 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -197,7 +197,7 @@ free_pregenerated_keys(void) } } -/** Helper: Perform supported SOCKS 5 commands */ +/** Helper: Perform supported SOCKS 4 commands */ static void test_buffers_socks4_unsupported_commands_helper(const char *cp, buf_t *buf, socks_request_t *socks) @@ -214,7 +214,7 @@ done: ; } -/** Helper: Perform supported SOCKS 5 commands */ +/** Helper: Perform supported SOCKS 4 commands */ static void test_buffers_socks4_supported_commands_helper(const char *cp, buf_t *buf, socks_request_t *socks) @@ -398,6 +398,26 @@ done: ; } +/** Helper: Perform SOCKS 5 authentication before method negotiated */ +static void +test_buffers_socks5_auth_before_negotiation_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Send username/password */ + cp = "\x01\x02me\x02me"; + write_to_buf(cp, 7, buf); + test_assert(fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks) == -1); + test_eq(0, socks->socks_version); + test_eq(0, socks->replylen); + test_eq(0, socks->reply[0]); + test_eq(0, socks->reply[1]); + +done: + ; +} + /** Run unit tests for buffers.c */ static void test_buffers(void) @@ -570,6 +590,15 @@ test_buffers(void) socks = tor_malloc_zero(sizeof(socks_request_t));; config_register_addressmaps(get_options()); + /* Sending auth credentials before we've negotiated a method */ + test_buffers_socks5_auth_before_negotiation_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + /* A SOCKS 5 client that only supports authentication */ test_buffers_socks5_authenticate_helper(cp, buf, socks); test_buffers_socks5_supported_commands_helper(cp, buf, socks);

1 0

[torspec/master] Update socks-extensions to allow username/password auth
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit f8529305e94ac36c17da6d9b756a9c83e6b046fe Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 18:08:37 2011 -0400 Update socks-extensions to allow username/password auth --- socks-extensions.txt | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/socks-extensions.txt b/socks-extensions.txt index 62d86ac..60695e5 100644 --- a/socks-extensions.txt +++ b/socks-extensions.txt @@ -31,8 +31,11 @@ Tor's extensions to the SOCKS protocol SOCKS5: - The (SOCKS5) "UDP ASSOCIATE" command is not supported. - IPv6 is not supported in CONNECT commands. - - Only the "NO AUTHENTICATION" (SOCKS5) authentication method [00] is - supported. + - The "NO AUTHENTICATION" (SOCKS5) authentication method [00] is supported. + As of Tor 0.2.3.2-alpha, the "USERNAME/PASSWORD" (SOCKS5) authentication + method [02] is supported too. As an extension to support some broken + clients, we allow clients to pass "USERNAME/PASSWORD" authentication to + us even if no authentication was selected. 2. Name lookup

1 0