July 2011 - tor-commits - lists.torproject.org

[tor/master] Don't drain extra data when parsing socks auth methods
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit ee42fe8fbb85504ceef9335e2854c35e6163a8c3 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 17:29:33 2011 -0400 Don't drain extra data when parsing socks auth methods We added this back in 0649fa14 in 2006, to deal with the case where the client unconditionally sent us authentication data. Hopefully, that's not needed any longer, since we now can actually parse authentication data. --- src/or/buffers.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 0e2dbbe..44a492a 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1736,9 +1736,9 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, req->reply[1] = '\xFF'; /* reject all methods */ r=-1; } - /* remove packet from buf. also remove any other extraneous - * bytes, to support broken socks clients. */ - *drain_out = -1; + /* Remove packet from buf. Some SOCKS clients will have sent extra + * junk at this point; let's hope it's an authentication message. */ + *drain_out = 2u + nummethods; return r; }

1 0

[tor/master] bug1666 - Pass-through support for SOCKS5 authentication (2)
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit f85f52808cd29e50874b233e55b0a0fe98e425f3 Author: Robert Hogan <robert(a)roberthogan.net> Date: Sun Oct 17 14:14:51 2010 +0100 bug1666 - Pass-through support for SOCKS5 authentication (2) Address Nick's comments: - Refactor against changes in buffers.c - Ensure we have negotiated a method before accepting authentication credentials --- src/or/buffers.c | 28 ++++++++++++++++++---------- src/test/test.c | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 12 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 534f31c..5cd76fa 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1642,14 +1642,23 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, case 1: /* socks5: username/password authentication request */ - usernamelen = (unsigned char)*(buf->head->data + 1); - if (buf->datalen < 2u + usernamelen) + if (req->socks_version != 5) { + log_warn(LD_APP, + "socks5: Received authentication attempt before " + "authentication negotiated. Rejecting."); + return -1; + } + usernamelen = (unsigned char)*(data + 1); + if (datalen < 2u + usernamelen) { + *want_length_out = 2u+usernamelen; return 0; - buf_pullup(buf, 2u + usernamelen + 1, 0); - passlen = (unsigned char)*(buf->head->data + 2u + usernamelen); - if (buf->datalen < 2u + usernamelen + 1u + passlen) + } + passlen = (unsigned char)*(data + 2u + usernamelen); + if (datalen < 2u + usernamelen + 1u + passlen) { + *want_length_out = 2u+usernamelen; return 0; - if (buf->datalen > 2u + usernamelen + 1u + passlen) { + } + if (datalen > 2u + usernamelen + 1u + passlen) { log_warn(LD_APP, "socks5: Malformed username/password. Rejecting."); return -1; @@ -1657,9 +1666,9 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, req->replylen = 2; /* 2 bytes of response */ req->reply[0] = 5; req->reply[1] = 0; /* authentication successful */ - buf_clear(buf); log_debug(LD_APP, "socks5: Accepted username/password without checking."); + *drain_out = 2u + usernamelen + 1u + passlen; return 0; case 5: /* socks5 */ @@ -1672,18 +1681,17 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, *want_length_out = 2u+nummethods; return 0; } - buf_pullup(buf, 2u+nummethods, 0); if (!nummethods) return -1; req->replylen = 2; /* 2 bytes of response */ req->reply[0] = 5; /* socks5 reply */ - if (memchr(buf->head->data+2, SOCKS_NO_AUTH, nummethods)) { + if (memchr(data+2, SOCKS_NO_AUTH, nummethods)) { req->reply[1] = SOCKS_NO_AUTH; /* tell client to use "none" auth method */ req->socks_version = 5; /* remember we've already negotiated auth */ log_debug(LD_APP,"socks5: accepted method 0 (no authentication)"); r=0; - }else if (memchr(buf->head->data+2, SOCKS_USER_PASS,nummethods)) { + }else if (memchr(data+2, SOCKS_USER_PASS,nummethods)) { req->reply[1] = SOCKS_USER_PASS; /* tell client to use "user/pass" auth method */ req->socks_version = 5; /* remember we've already negotiated auth */ diff --git a/src/test/test.c b/src/test/test.c index 68f1aeb..8155c3f 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -197,7 +197,7 @@ free_pregenerated_keys(void) } } -/** Helper: Perform supported SOCKS 5 commands */ +/** Helper: Perform supported SOCKS 4 commands */ static void test_buffers_socks4_unsupported_commands_helper(const char *cp, buf_t *buf, socks_request_t *socks) @@ -214,7 +214,7 @@ done: ; } -/** Helper: Perform supported SOCKS 5 commands */ +/** Helper: Perform supported SOCKS 4 commands */ static void test_buffers_socks4_supported_commands_helper(const char *cp, buf_t *buf, socks_request_t *socks) @@ -398,6 +398,26 @@ done: ; } +/** Helper: Perform SOCKS 5 authentication before method negotiated */ +static void +test_buffers_socks5_auth_before_negotiation_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Send username/password */ + cp = "\x01\x02me\x02me"; + write_to_buf(cp, 7, buf); + test_assert(fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks) == -1); + test_eq(0, socks->socks_version); + test_eq(0, socks->replylen); + test_eq(0, socks->reply[0]); + test_eq(0, socks->reply[1]); + +done: + ; +} + /** Run unit tests for buffers.c */ static void test_buffers(void) @@ -570,6 +590,15 @@ test_buffers(void) socks = tor_malloc_zero(sizeof(socks_request_t));; config_register_addressmaps(get_options()); + /* Sending auth credentials before we've negotiated a method */ + test_buffers_socks5_auth_before_negotiation_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + /* A SOCKS 5 client that only supports authentication */ test_buffers_socks5_authenticate_helper(cp, buf, socks); test_buffers_socks5_supported_commands_helper(cp, buf, socks);

1 0

[tor/master] If we negotiate authentication, require it.
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 204bce7e3ca0f60cfec1d8be700848309f605abd Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 12:16:09 2011 -0400 If we negotiate authentication, require it. --- src/or/buffers.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index bbd60c4..7b212a7 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1716,6 +1716,11 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, return r; } + if (req->auth_type != SOCKS_NO_AUTH && !req->got_auth) { + log_warn(LD_APP, + "socks5: negotiated authentication, but none provided"); + return -1; + } /* we know the method; read in the request */ log_debug(LD_APP,"socks5: checking request"); if (datalen < 8) {/* basic info plus >=2 for addr plus 2 for port */

1 0

[tor/master] Be more strict about when to accept socks auth message
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit aec396d9d0c2db18d44c9ad850bedbc01d50e40a Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 12:00:00 2011 -0400 Be more strict about when to accept socks auth message In the code as it stood, we would accept any number of socks5 username/password authentication messages, regardless of whether we had actually negotiated username/password authentication. Instead, we should only accept one, and only if we have really negotiated username/password authentication. This patch also makes some fields of socks_request_t into uint8_t, for safety. --- src/or/buffers.c | 36 +++++++++++++++++++++--------------- src/or/or.h | 12 +++++++++--- 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 3490d6d..bbd60c4 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1636,18 +1636,12 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, unsigned char usernamelen, passlen; struct in_addr in; - socksver = *data; - - switch (socksver) { /* which version of socks? */ - - case 1: /* socks5: username/password authentication request */ - - if (req->socks_version != 5) { - log_warn(LD_APP, - "socks5: Received authentication attempt before " - "authentication negotiated. Rejecting."); - return -1; - } + if (req->socks_version == 5 && !req->got_auth) { + /* See if we have received authentication. Strictly speaking, we should + also check whether we actually negotiated username/password + authentication. But some broken clients will send us authentication + even if we negotiated SOCKS_NO_AUTH. */ + if (*data == 1) { /* username/pass version 1 */ /* Format is: authversion [1 byte] == 1 usernamelen [1 byte] username [usernamelen bytes] @@ -1669,8 +1663,19 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, log_debug(LD_APP, "socks5: Accepted username/password without checking."); *drain_out = 2u + usernamelen + 1u + passlen; + req->got_auth = 1; return 0; + } else if (req->auth_type == SOCKS_USER_PASS) { + /* unknown version byte */ + log_warn(LD_APP, "Socks5 username/password version %d not recognized; " + "rejecting.", (int)*data); + return -1; + } + } + socksver = *data; + + switch (socksver) { /* which version of socks? */ case 5: /* socks5 */ if (req->socks_version != 5) { /* we need to negotiate a method */ @@ -1691,7 +1696,8 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, req->socks_version = 5; /* remember we've already negotiated auth */ log_debug(LD_APP,"socks5: accepted method 0 (no authentication)"); r=0; - } else if (memchr(data+2, SOCKS_USER_PASS,nummethods)) { + } else if (memchr(data+2, SOCKS_USER_PASS, nummethods)) { + req->auth_type = SOCKS_USER_PASS; req->reply[1] = SOCKS_USER_PASS; /* tell client to use "user/pass" auth method */ req->socks_version = 5; /* remember we've already negotiated auth */ @@ -1911,7 +1917,7 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, case 'H': /* head */ case 'P': /* put/post */ case 'C': /* connect */ - strlcpy(req->reply, + strlcpy((char*)req->reply, "HTTP/1.0 501 Tor is not an HTTP Proxy\r\n" "Content-Type: text/html; charset=iso-8859-1\r\n\r\n" "<html>\n" @@ -1937,7 +1943,7 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, "</body>\n" "</html>\n" , MAX_SOCKS_REPLY_LEN); - req->replylen = strlen(req->reply)+1; + req->replylen = strlen((char*)req->reply)+1; /* fall through */ default: /* version is not socks4 or socks5 */ log_warn(LD_APP, diff --git a/src/or/or.h b/src/or/or.h index 6ae62e8..bc80e39 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3088,10 +3088,15 @@ struct socks_request_t { /** Which version of SOCKS did the client use? One of "0, 4, 5" -- where * 0 means that no socks handshake ever took place, and this is just a * stub connection (e.g. see connection_ap_make_link()). */ - char socks_version; - int command; /**< What is this stream's goal? One from the above list. */ + uint8_t socks_version; + /** If using socks5 authentication, which authentication type did we + * negotiate? currently we support 0 (no authentication) and 2 + * (username/password). */ + uint8_t auth_type; + /** What is this stream's goal? One of the SOCKS_COMMAND_* values */ + uint8_t command; size_t replylen; /**< Length of <b>reply</b>. */ - char reply[MAX_SOCKS_REPLY_LEN]; /**< Write an entry into this string if + uint8_t reply[MAX_SOCKS_REPLY_LEN]; /**< Write an entry into this string if * we want to specify our own socks reply, * rather than using the default socks4 or * socks5 socks reply. We use this for the @@ -3103,6 +3108,7 @@ struct socks_request_t { unsigned int has_finished : 1; /**< Has the SOCKS handshake finished? Used to * make sure we send back a socks reply for * every connection. */ + unsigned int got_auth : 1; /**< Have we received any authentication data? */ }; /********************************* circuitbuild.c **********************/

1 0

[tor/master] Fix 'make check-spaces'
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 9b3f48c0744bd72cb8b25ac7857476181b29481a Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 11:47:35 2011 -0400 Fix 'make check-spaces' --- src/or/buffers.c | 2 +- src/test/test.c | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 4b8532a..3490d6d 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1691,7 +1691,7 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, req->socks_version = 5; /* remember we've already negotiated auth */ log_debug(LD_APP,"socks5: accepted method 0 (no authentication)"); r=0; - }else if (memchr(data+2, SOCKS_USER_PASS,nummethods)) { + } else if (memchr(data+2, SOCKS_USER_PASS,nummethods)) { req->reply[1] = SOCKS_USER_PASS; /* tell client to use "user/pass" auth method */ req->socks_version = 5; /* remember we've already negotiated auth */ diff --git a/src/test/test.c b/src/test/test.c index bac73f2..d0e24d1 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -210,7 +210,7 @@ test_buffers_socks4_unsupported_commands_helper(const char *cp, buf_t *buf, test_eq(4, socks->socks_version); test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ -done: + done: ; } @@ -248,7 +248,7 @@ test_buffers_socks4_supported_commands_helper(const char *cp, buf_t *buf, test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ test_streq("tor.org", socks->address); -done: + done: ; } @@ -279,7 +279,7 @@ test_buffers_socks5_unsupported_commands_helper(const char *cp, buf_t *buf, test_eq(0, socks->reply[1]); /* XXX: shouldn't tor reply 'command not supported' [07]? */ -done: + done: ; } @@ -334,7 +334,7 @@ test_buffers_socks5_supported_commands_helper(const char *cp, buf_t *buf, test_eq(0, socks->reply[1]); test_streq("2.2.2.2", socks->address); -done: + done: ; } @@ -364,7 +364,7 @@ test_buffers_socks5_no_authenticate_helper(const char *cp, buf_t *buf, test_eq(5, socks->reply[0]); test_eq(0, socks->reply[1]); -done: + done: ; } @@ -394,7 +394,7 @@ test_buffers_socks5_authenticate_helper(const char *cp, buf_t *buf, test_eq(2, socks->replylen); test_eq(5, socks->reply[0]); test_eq(0, socks->reply[1]); -done: + done: ; } @@ -434,7 +434,7 @@ test_buffers_socks5_authenticate_with_data_helper(const char *cp, buf_t *buf, test_eq(0, socks->reply[1]); test_streq("2.2.2.2", socks->address); test_eq(4369, socks->port); -done: + done: ; } @@ -454,7 +454,7 @@ test_buffers_socks5_auth_before_negotiation_helper(const char *cp, buf_t *buf, test_eq(0, socks->reply[0]); test_eq(0, socks->reply[1]); -done: + done: ; }

1 0

[tor/master] Correct byte-counting in socks auth parsing code
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 1ed615ded7db0765e8355687bda8b00fdc643e3e Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 11:45:15 2011 -0400 Correct byte-counting in socks auth parsing code --- src/or/buffers.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 445376f..4b8532a 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1648,14 +1648,19 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, "authentication negotiated. Rejecting."); return -1; } + /* Format is: authversion [1 byte] == 1 + usernamelen [1 byte] + username [usernamelen bytes] + passlen [1 byte] + password [passlen bytes] */ usernamelen = (unsigned char)*(data + 1); - if (datalen < 2u + usernamelen) { - *want_length_out = 2u+usernamelen; + if (datalen < 2u + usernamelen + 1u) { + *want_length_out = 2u + usernamelen + 1u; return 0; } passlen = (unsigned char)*(data + 2u + usernamelen); if (datalen < 2u + usernamelen + 1u + passlen) { - *want_length_out = 2u+usernamelen; + *want_length_out = 2u + usernamelen + 1u + passlen; return 0; } req->replylen = 2; /* 2 bytes of response */

1 0

[tor/master] bug1666 - Pass-through support for SOCKS5 authentication(4)
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 02c2d9a4aa2a7ce339e87be9c0c0dc23a6881c14 Author: Robert Hogan <robert(a)roberthogan.net> Date: Tue Dec 14 19:59:42 2010 +0000 bug1666 - Pass-through support for SOCKS5 authentication(4) Implement nickm's suggestion that we tolerate SOCKS5 clients that send authentication credentials and SOCKS commands all in one go. --- src/or/buffers.c | 5 ----- src/test/test.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 5 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 5cd76fa..445376f 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1658,11 +1658,6 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, *want_length_out = 2u+usernamelen; return 0; } - if (datalen > 2u + usernamelen + 1u + passlen) { - log_warn(LD_APP, - "socks5: Malformed username/password. Rejecting."); - return -1; - } req->replylen = 2; /* 2 bytes of response */ req->reply[0] = 5; req->reply[1] = 0; /* authentication successful */ diff --git a/src/test/test.c b/src/test/test.c index 8155c3f..bac73f2 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -398,6 +398,46 @@ done: ; } +/** Helper: Perform SOCKS 5 authentication and send data all in one go */ +static void +test_buffers_socks5_authenticate_with_data_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Negotiate username/password authentication */ + cp = "\x05\x01\x02"; + write_to_buf(cp, 3, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(SOCKS_USER_PASS, socks->reply[1]); + test_eq(5, socks->socks_version); + + /* SOCKS 5 Send username/password */ + /* SOCKS 5 Send CONNECT [01] to IP address 2.2.2.2:4369 */ + cp = "\x01\x02me\x02me\x05\x01\x00\x01\x02\x02\x02\x02\x11\x11"; + write_to_buf(cp, 17, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("2.2.2.2", socks->address); + test_eq(4369, socks->port); +done: + ; +} + /** Helper: Perform SOCKS 5 authentication before method negotiated */ static void test_buffers_socks5_auth_before_negotiation_helper(const char *cp, buf_t *buf, @@ -610,6 +650,15 @@ test_buffers(void) buf = buf_new_with_capacity(256); socks = tor_malloc_zero(sizeof(socks_request_t));; + /* A SOCKS 5 client that sends credentials and data in one go */ + test_buffers_socks5_authenticate_with_data_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + /* A SOCKS 5 client that doesn't want authentication */ test_buffers_socks5_no_authenticate_helper(cp, buf, socks); test_buffers_socks5_supported_commands_helper(cp, buf, socks);

1 0

[tor/master] bug1666 - Pass-through support for SOCKS5 authentication(3)
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit 8a2f7ef66ac3bee0d6885ec3ca16937fed0703bb Author: Robert Hogan <robert(a)roberthogan.net> Date: Sun Oct 17 14:22:24 2010 +0100 bug1666 - Pass-through support for SOCKS5 authentication(3) Add changes file. --- changes/bug1666 | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/changes/bug1666 b/changes/bug1666 new file mode 100644 index 0000000..9fd790d --- /dev/null +++ b/changes/bug1666 @@ -0,0 +1,4 @@ + o Minor features: + - Accept attempts to include a password authenticator in the handshake, as + supported by SOCKS5. This handles SOCKS clients that don't know how to + omit the password when authenticating. Resolves bug 1666.

1 0

[tor/master] bug1666 - Pass-through support for SOCKS5 authentication
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit bf136b94de39de65638ce3daaf2e87731cd0a44a Author: Robert Hogan <robert(a)roberthogan.net> Date: Tue Aug 3 22:28:55 2010 +0100 bug1666 - Pass-through support for SOCKS5 authentication If a SOCKS5 client insists on authentication, allow it to negotiate a connection with Tor's SOCKS server successfully. Any credentials the client provides are ignored. This allows Tor to work with SOCKS5 clients that can only support 'authenticated' connections. Also add a bunch of basic unit tests for SOCKS4/4a/5 support in buffers.c. --- doc/spec/socks-extensions.txt | 5 +- src/or/buffers.c | 62 ++++++++--- src/or/config.c | 3 +- src/or/config.h | 2 + src/or/or.h | 2 + src/test/test.c | 237 +++++++++++++++++++++++++++++++++++++++++ 6 files changed, 293 insertions(+), 18 deletions(-) diff --git a/doc/spec/socks-extensions.txt b/doc/spec/socks-extensions.txt index 62d86ac..52d6834 100644 --- a/doc/spec/socks-extensions.txt +++ b/doc/spec/socks-extensions.txt @@ -31,8 +31,9 @@ Tor's extensions to the SOCKS protocol SOCKS5: - The (SOCKS5) "UDP ASSOCIATE" command is not supported. - IPv6 is not supported in CONNECT commands. - - Only the "NO AUTHENTICATION" (SOCKS5) authentication method [00] is - supported. + - The "NO AUTHENTICATION" (SOCKS5) authentication method [00] and the + "USERNAME/PASSWORD" (SOCKS5) authentication method [02] are both + supported. Any credentials passed in the latter are ignored. 2. Name lookup diff --git a/src/or/buffers.c b/src/or/buffers.c index 11c4fc8..534f31c 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1633,40 +1633,74 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, uint8_t socksver; enum {socks4, socks4a} socks4_prot = socks4a; char *next, *startaddr; + unsigned char usernamelen, passlen; struct in_addr in; socksver = *data; switch (socksver) { /* which version of socks? */ + case 1: /* socks5: username/password authentication request */ + + usernamelen = (unsigned char)*(buf->head->data + 1); + if (buf->datalen < 2u + usernamelen) + return 0; + buf_pullup(buf, 2u + usernamelen + 1, 0); + passlen = (unsigned char)*(buf->head->data + 2u + usernamelen); + if (buf->datalen < 2u + usernamelen + 1u + passlen) + return 0; + if (buf->datalen > 2u + usernamelen + 1u + passlen) { + log_warn(LD_APP, + "socks5: Malformed username/password. Rejecting."); + return -1; + } + req->replylen = 2; /* 2 bytes of response */ + req->reply[0] = 5; + req->reply[1] = 0; /* authentication successful */ + buf_clear(buf); + log_debug(LD_APP, + "socks5: Accepted username/password without checking."); + return 0; + case 5: /* socks5 */ if (req->socks_version != 5) { /* we need to negotiate a method */ unsigned char nummethods = (unsigned char)*(data+1); + int r=0; tor_assert(!req->socks_version); if (datalen < 2u+nummethods) { *want_length_out = 2u+nummethods; return 0; } - if (!nummethods || !memchr(data+2, 0, nummethods)) { + buf_pullup(buf, 2u+nummethods, 0); + if (!nummethods) + return -1; + req->replylen = 2; /* 2 bytes of response */ + req->reply[0] = 5; /* socks5 reply */ + if (memchr(buf->head->data+2, SOCKS_NO_AUTH, nummethods)) { + req->reply[1] = SOCKS_NO_AUTH; /* tell client to use "none" auth + method */ + req->socks_version = 5; /* remember we've already negotiated auth */ + log_debug(LD_APP,"socks5: accepted method 0 (no authentication)"); + r=0; + }else if (memchr(buf->head->data+2, SOCKS_USER_PASS,nummethods)) { + req->reply[1] = SOCKS_USER_PASS; /* tell client to use "user/pass" + auth method */ + req->socks_version = 5; /* remember we've already negotiated auth */ + log_debug(LD_APP,"socks5: accepted method 2 (username/password)"); + r=0; + } else { log_warn(LD_APP, - "socks5: offered methods don't include 'no auth'. " - "Rejecting."); - req->replylen = 2; /* 2 bytes of response */ - req->reply[0] = 5; + "socks5: offered methods don't include 'no auth' or " + "username/password. Rejecting."); req->reply[1] = '\xFF'; /* reject all methods */ - return -1; + r=-1; } /* remove packet from buf. also remove any other extraneous * bytes, to support broken socks clients. */ *drain_out = -1; - req->replylen = 2; /* 2 bytes of response */ - req->reply[0] = 5; /* socks5 reply */ - req->reply[1] = 0; /* tell client to use "none" auth method */ - req->socks_version = 5; /* remember we've already negotiated auth */ - log_debug(LD_APP,"socks5: accepted method 0"); - return 0; + return r; } /* we know the method; read in the request */ log_debug(LD_APP,"socks5: checking request"); @@ -1761,8 +1795,8 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req, } tor_assert(0); case 4: /* socks4 */ - /* http://archive.socks.permeo.com/protocol/socks4.protocol */ - /* http://archive.socks.permeo.com/protocol/socks4a.protocol */ + /* http://ss5.sourceforge.net/socks4.protocol.txt */ + /* http://ss5.sourceforge.net/socks4A.protocol.txt */ req->socks_version = 4; if (datalen < SOCKS4_NETWORK_LEN) {/* basic info available? */ diff --git a/src/or/config.c b/src/or/config.c index cd6b0b0..d2dbdaa 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -542,7 +542,6 @@ static int options_transition_affects_workers(or_options_t *old_options, static int options_transition_affects_descriptor(or_options_t *old_options, or_options_t *new_options); static int check_nickname_list(const char *lst, const char *name, char **msg); -static void config_register_addressmaps(or_options_t *options); static int parse_bridge_line(const char *line, int validate_only); static int parse_dir_server_line(const char *line, @@ -4314,7 +4313,7 @@ get_torrc_fname(void) /** Adjust the address map based on the MapAddress elements in the * configuration <b>options</b> */ -static void +void config_register_addressmaps(or_options_t *options) { smartlist_t *elts; diff --git a/src/or/config.h b/src/or/config.h index bd5827b..db871d4 100644 --- a/src/or/config.h +++ b/src/or/config.h @@ -76,5 +76,7 @@ uint32_t get_effective_bwburst(or_options_t *options); or_options_t *options_new(void); #endif +void config_register_addressmaps(or_options_t *options); + #endif diff --git a/src/or/or.h b/src/or/or.h index c5349ae..6ae62e8 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3067,6 +3067,8 @@ static INLINE void or_state_mark_dirty(or_state_t *state, time_t when) #define MAX_SOCKS_REPLY_LEN 1024 #define MAX_SOCKS_ADDR_LEN 256 +#define SOCKS_NO_AUTH 0x00 +#define SOCKS_USER_PASS 0x02 /** Please open a TCP connection to this addr:port. */ #define SOCKS_COMMAND_CONNECT 0x01 diff --git a/src/test/test.c b/src/test/test.c index 9b0251b..68f1aeb 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -197,6 +197,207 @@ free_pregenerated_keys(void) } } +/** Helper: Perform supported SOCKS 5 commands */ +static void +test_buffers_socks4_unsupported_commands_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 4 Send BIND [02] to IP address 2.2.2.2:4369 */ + cp = "\x04\x02\x11\x11\x02\x02\x02\x02\x00"; + write_to_buf(cp, 9, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == -1); + test_eq(4, socks->socks_version); + test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ + +done: + ; +} + +/** Helper: Perform supported SOCKS 5 commands */ +static void +test_buffers_socks4_supported_commands_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 4 Send CONNECT [01] to IP address 2.2.2.2:4369 */ + cp = "\x04\x01\x11\x11\x02\x02\x02\x02\x00"; + write_to_buf(cp, 9, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(4, socks->socks_version); + test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ + test_streq("2.2.2.2", socks->address); + test_eq(4369, socks->port); + + /* SOCKS 4 Send CONNECT [01] to IP address 2.2.2.2:4369 with userid*/ + cp = "\x04\x01\x11\x11\x02\x02\x02\x02\x02me\x00"; + write_to_buf(cp, 12, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(4, socks->socks_version); + test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ + test_streq("2.2.2.2", socks->address); + test_eq(4369, socks->port); + + /* SOCKS 4a Send RESOLVE [F0] request for torproject.org:4369 */ + cp = "\x04\xF0\x01\x01\x00\x00\x00\x02\x02me\x00tor.org\x00"; + write_to_buf(cp, 20, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(4, socks->socks_version); + test_eq(0, socks->replylen); /* XXX: shouldn't tor reply? */ + test_streq("tor.org", socks->address); + +done: + ; +} + +/** Helper: Perform supported SOCKS 5 commands */ +static void +test_buffers_socks5_unsupported_commands_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Send unsupported BIND [02] command */ + cp = "\x05\x02\x00\x01\x02\x02\x02\x02\x01\x01"; + write_to_buf(cp, 10, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == -1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); /* XXX: shouldn't tor reply 'command + not supported' [07]? */ + + /* SOCKS 5 Send unsupported UDP_ASSOCIATE [03] command */ + cp = "\x05\x03\x00\x01\x02\x02\x02\x02\x01\x01"; + write_to_buf(cp, 10, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == -1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); /* XXX: shouldn't tor reply 'command + not supported' [07]? */ + +done: + ; +} + +/** Helper: Perform supported SOCKS 5 commands */ +static void +test_buffers_socks5_supported_commands_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Send CONNECT [01] to IP address 2.2.2.2:4369 */ + cp = "\x05\x01\x00\x01\x02\x02\x02\x02\x11\x11"; + write_to_buf(cp, 10, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("2.2.2.2", socks->address); + test_eq(4369, socks->port); + + /* SOCKS 5 Send CONNECT [01] to FQDN torproject.org:4369 */ + cp = "\x05\x01\x00\x03\x07tor.org\x11\x11"; + write_to_buf(cp, 14, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("tor.org", socks->address); + test_eq(4369, socks->port); + + /* SOCKS 5 Send RESOLVE [F0] request for torproject.org:4369 */ + cp = "\x05\xF0\x00\x03\x07tor.org"; + write_to_buf(cp, 14, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("tor.org", socks->address); + + /* SOCKS 5 Send RESOLVE_PTR [F1] for IP address 2.2.2.2 */ + cp = "\x05\xF1\x00\x01\x02\x02\x02\x02"; + write_to_buf(cp, 10, buf); + test_assert(fetch_from_buf_socks(buf, socks, get_options()->TestSocks, + get_options()->SafeSocks) == 1); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + test_streq("2.2.2.2", socks->address); + +done: + ; +} + +/** Helper: Perform SOCKS 5 authentication */ +static void +test_buffers_socks5_no_authenticate_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /*SOCKS 5 No Authentication */ + cp = "\x05\x01\x00"; + write_to_buf(cp, 3, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(SOCKS_NO_AUTH, socks->reply[1]); + + /*SOCKS 5 Send username/password anyway - pretend to be broken */ + cp = "\x01\x02\x01\x01\x02\x01\x01"; + write_to_buf(cp, 7, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); + +done: + ; +} + +/** Helper: Perform SOCKS 5 authentication */ +static void +test_buffers_socks5_authenticate_helper(const char *cp, buf_t *buf, + socks_request_t *socks) +{ + /* SOCKS 5 Negotiate username/password authentication */ + cp = "\x05\x01\x02"; + write_to_buf(cp, 3, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(SOCKS_USER_PASS, socks->reply[1]); + test_eq(5, socks->socks_version); + + /* SOCKS 5 Send username/password */ + cp = "\x01\x02me\x02me"; + write_to_buf(cp, 7, buf); + test_assert(!fetch_from_buf_socks(buf, socks, + get_options()->TestSocks, + get_options()->SafeSocks)); + test_eq(5, socks->socks_version); + test_eq(2, socks->replylen); + test_eq(5, socks->reply[0]); + test_eq(0, socks->reply[1]); +done: + ; +} + /** Run unit tests for buffers.c */ static void test_buffers(void) @@ -206,6 +407,7 @@ test_buffers(void) buf_t *buf = NULL, *buf2 = NULL; const char *cp; + socks_request_t *socks; int j; size_t r; @@ -363,6 +565,41 @@ test_buffers(void) buf_free(buf); buf = NULL; + /* Test fetch_from_buf_socks() */ + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + config_register_addressmaps(get_options()); + + /* A SOCKS 5 client that only supports authentication */ + test_buffers_socks5_authenticate_helper(cp, buf, socks); + test_buffers_socks5_supported_commands_helper(cp, buf, socks); + test_buffers_socks5_unsupported_commands_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + + /* A SOCKS 5 client that doesn't want authentication */ + test_buffers_socks5_no_authenticate_helper(cp, buf, socks); + test_buffers_socks5_supported_commands_helper(cp, buf, socks); + test_buffers_socks5_unsupported_commands_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + buf = buf_new_with_capacity(256); + socks = tor_malloc_zero(sizeof(socks_request_t));; + + /* A SOCKS 4(a) client */ + test_buffers_socks4_supported_commands_helper(cp, buf, socks); + test_buffers_socks4_unsupported_commands_helper(cp, buf, socks); + + tor_free(socks); + buf_free(buf); + buf = NULL; + done: if (buf) buf_free(buf);

1 0

[torspec/master] Update socks-extensions to allow username/password auth
by nickm＠torproject.org 13 Jul '11

13 Jul '11

commit f8529305e94ac36c17da6d9b756a9c83e6b046fe Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 29 18:08:37 2011 -0400 Update socks-extensions to allow username/password auth --- socks-extensions.txt | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/socks-extensions.txt b/socks-extensions.txt index 62d86ac..60695e5 100644 --- a/socks-extensions.txt +++ b/socks-extensions.txt @@ -31,8 +31,11 @@ Tor's extensions to the SOCKS protocol SOCKS5: - The (SOCKS5) "UDP ASSOCIATE" command is not supported. - IPv6 is not supported in CONNECT commands. - - Only the "NO AUTHENTICATION" (SOCKS5) authentication method [00] is - supported. + - The "NO AUTHENTICATION" (SOCKS5) authentication method [00] is supported. + As of Tor 0.2.3.2-alpha, the "USERNAME/PASSWORD" (SOCKS5) authentication + method [02] is supported too. As an extension to support some broken + clients, we allow clients to pass "USERNAME/PASSWORD" authentication to + us even if no authentication was selected. 2. Name lookup

1 0