April 2014 - tor-commits - lists.torproject.org

[torsocks/master] Fix: bad libc detection on system with libcap.so
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 2812e211f4827eef110a31baeef6241a5a0e8e89 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Fri Feb 7 22:20:38 2014 -0500 Fix: bad libc detection on system with libcap.so The binary "yes" is much more generic and has a standard path in BSD, Linux and OS X. Furthermore, it cannot be linked with libcap.so. But this patch improves the grep regex to only detect "libc.so". Fixes #21 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- … [View More]

1 0

[torsocks/master] Add portable is localhost function
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 50e740492c0a1a547fe56952332c1d6fd2751371 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Fri Feb 7 22:14:30 2014 -0500 Add portable is localhost function This removes the utils_is_ipv4_local() call and move to a generic portable way of checking if the sockaddr is localhost (both ipv4 and ipv6 are supported). Reported-by: Nick Mathewson <nickm(a)torproject.org> Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/common/compat.… [View More]h | 11 +++-------- src/common/utils.c | 29 +++++++++++++++++++++++++++++ src/common/utils.h | 11 +---------- src/lib/connect.c | 7 +++---- 4 files changed, 36 insertions(+), 22 deletions(-) diff --git a/src/common/compat.h b/src/common/compat.h index e9a59e7..077bcce 100644 --- a/src/common/compat.h +++ b/src/common/compat.h @@ -98,13 +98,8 @@ void tsocks_mutex_unlock(tsocks_mutex_t *m); #endif /* __FreeBSD__, __FreeBSD_kernel__, __darwin__, __NetBSD__ */ -/* - * Shamelessly taken from linux/in.h of the libc. This is consider trivial code - * by the GPL license thus copying it as is should be OK. Slight modification - * was made to make the check in host byte order. - */ -#ifndef IN_LOOPBACK -#define IN_LOOPBACK(a) ((((long int) (a)) & 0x000000ff) == 0x0000007f) -#endif +#define TSOCKS_CLASSA_NET 0xff000000 +#define TSOCKS_LOOPBACK_NET 0x7f000000 +#define TSOCKS_IN6_INIT { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } #endif /* TORSOCKS_COMPAT_H */ diff --git a/src/common/utils.c b/src/common/utils.c index 0c5c2c8..4ecb9f4 100644 --- a/src/common/utils.c +++ b/src/common/utils.c @@ -18,12 +18,14 @@ */ #include <arpa/inet.h> +#include <netinet/in.h> #include <sys/socket.h> #include <assert.h> #include <errno.h> #include <stdlib.h> #include <string.h> +#include "compat.h" #include "macros.h" #include "utils.h" @@ -176,3 +178,30 @@ int utils_strcasecmpend(const char *s1, const char *s2) return strncasecmp(s1 + (n1 - n2), s2, n2); } } + +/* + * Return 1 if the given sockaddr is localhost else 0 + */ +ATTR_HIDDEN +int utils_sockaddr_is_localhost(const struct sockaddr *sa) +{ + int is_localhost; + + assert(sa); + + if (sa->sa_family == AF_INET) { + const struct sockaddr_in *sin = (const struct sockaddr_in *) sa; + is_localhost = ((ntohl(sin->sin_addr.s_addr) & TSOCKS_CLASSA_NET) == + TSOCKS_LOOPBACK_NET); + } else if (sa->sa_family == AF_INET6) { + const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *) sa; + static const uint8_t addr[] = TSOCKS_IN6_INIT; + is_localhost = !memcmp(sin6->sin6_addr.s6_addr, addr, + sizeof(sin6->sin6_addr.s6_addr)); + } else { + /* Unknown sockaddr family thus not localhost. */ + is_localhost = 0; + } + + return is_localhost; +} diff --git a/src/common/utils.h b/src/common/utils.h index 474b2df..7721dc5 100644 --- a/src/common/utils.h +++ b/src/common/utils.h @@ -30,15 +30,6 @@ int utils_tokenize_ignore_comments(const char *_line, size_t size, char **tokens int utils_is_address_ipv4(const char *ip); int utils_is_address_ipv6(const char *ip); - -/* - * Check if the given IPv4 is in the loopback net (127.x.x.x). - * - * Return 1 if so else 0 if not. - */ -static inline int utils_is_ipv4_local(in_addr_t addr) -{ - return IN_LOOPBACK(addr); -} +int utils_sockaddr_is_localhost(const struct sockaddr *sa); #endif /* TORSOCKS_UTILS_H */ diff --git a/src/lib/connect.c b/src/lib/connect.c index bdc9e6f..8f34e37 100644 --- a/src/lib/connect.c +++ b/src/lib/connect.c @@ -109,11 +109,10 @@ LIBC_CONNECT_RET_TYPE tsocks_connect(LIBC_CONNECT_SIG) new_conn->dest_addr.hostname.port = inet_addr->sin_port; } else { /* - * Check if address is local IPv4. At this point, we are sure it's not - * a .onion cookie address that is by default in the loopback network. + * Check if address is localhost. At this point, we are sure it's not a + * .onion cookie address that is by default in the loopback network. */ - if (__addr->sa_family == AF_INET && - utils_is_ipv4_local(inet_addr->sin_addr.s_addr)) { + if (utils_sockaddr_is_localhost(__addr)) { WARN("[connect] Connection to a local address are denied since it " "might be a TCP DNS query to a local DNS server. " "Rejecting it for safety reasons."); [View Less]

1 0

[torsocks/master] Fix: README typos
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit af6a702aaed9752e313019b7768529479344d634 Author: Jérémie Galarneau <jeremie.galarneau(a)gmail.com> Date: Sun Feb 2 05:54:40 2014 -0500 Fix: README typos Corrected some mistakes in the README file. Closes #22 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- README | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README b/README index 3f0a594..bbbec69 100644 --- a/README +++ b/README @@ -5,16 +5,16 @@ What is … [View More]

1 0

[torsocks/master] Fix: remove gethostent() usage
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 6f8237cc1a7d2d4592734707de0a188eb79ed0af Author: David Goulet <dgoulet(a)ev0ke.net> Date: Sat Feb 8 12:34:54 2014 -0500 Fix: remove gethostent() usage Torsocks should not allow any local file resolution for external hostname (not localhost stuff). Furthermore, gethostent() could do LDAP listing thus clearly UNSAFE here. This patch removes the use of gethostent() and replace it with the new utils function that only resolves the hostname against … [View More]

1 0

[torsocks/master] Add localhost resolve utils function
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 5ded9b27a083e0f5d14d8141c197a095165d86da Author: David Goulet <dgoulet(a)ev0ke.net> Date: Sat Feb 8 12:07:44 2014 -0500 Add localhost resolve utils function Using a hostname, address family (v4/v6) and a buffer, this function tries to match the hostname to the localhost names list local to torsocks. If found, the given buffer is populated with the corresponding IP address. This is the first step to remove gethostent() in the code. It's … [View More]important for torsocks to be able to resolve localhost but it should NOT try to resolve DNS with a local file (ex: /etc/hosts). One use cases is for SSH to be able to bind to localhost for a SOCKS proxy for instance using torsocks hence needing to resolve local name. Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/common/compat.h | 5 ++- src/common/utils.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++- src/common/utils.h | 1 + tests/unit/test_utils.c | 50 ++++++++++++++++++++++- 4 files changed, 156 insertions(+), 3 deletions(-) diff --git a/src/common/compat.h b/src/common/compat.h index 077bcce..ee8263f 100644 --- a/src/common/compat.h +++ b/src/common/compat.h @@ -100,6 +100,9 @@ void tsocks_mutex_unlock(tsocks_mutex_t *m); #define TSOCKS_CLASSA_NET 0xff000000 #define TSOCKS_LOOPBACK_NET 0x7f000000 -#define TSOCKS_IN6_INIT { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } + +/* Loopback address in network byte order. */ +#define TSOCKS_LOOPBACK 0x0100007f +#define TSOCKS_LOOPBACK6 { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } #endif /* TORSOCKS_COMPAT_H */ diff --git a/src/common/utils.c b/src/common/utils.c index 4ecb9f4..e526ce7 100644 --- a/src/common/utils.c +++ b/src/common/utils.c @@ -30,6 +30,20 @@ #include "utils.h" /* + * Hardcoded list of localhost hostname. In order to resolve these for an + * application, usually we would need to check in /etc/hosts by using + * gethostent() but in order to avoid DNS resolution outside of Tor (even local + * file), only the localhost is resolved and the rest is sent through Tor. + */ +static const char *localhost_names_v4[] = { + "localhost", "ip-localhost", NULL, +}; + +static const char *localhost_names_v6[] = { + "localhost", "ip6-loopback", "ip6-localhost", NULL, +}; + +/* * Return 1 if the given IP belongs in the af domain else return a negative * value. */ @@ -49,6 +63,35 @@ static int check_addr(const char *ip, int af) } /* + * Given a name string and a list NULL terminated of strings, this will try to + * match the name. + * + * Return the entry in the list if match else NULL. + */ +static const char *match_name(const char *name, const char **list) +{ + unsigned int count = 0; + const char *entry; + + assert(name); + assert(list); + + while ((entry = list[count]) != NULL) { + int ret; + + ret = strcmp(entry, name); + if (!ret) { + /* Match. */ + goto end; + } + count++; + } + +end: + return entry; +} + +/* * Return 1 if the given IP is an IPv4. */ ATTR_HIDDEN @@ -195,7 +238,7 @@ int utils_sockaddr_is_localhost(const struct sockaddr *sa) TSOCKS_LOOPBACK_NET); } else if (sa->sa_family == AF_INET6) { const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *) sa; - static const uint8_t addr[] = TSOCKS_IN6_INIT; + static const uint8_t addr[] = TSOCKS_LOOPBACK6; is_localhost = !memcmp(sin6->sin6_addr.s6_addr, addr, sizeof(sin6->sin6_addr.s6_addr)); } else { @@ -205,3 +248,61 @@ int utils_sockaddr_is_localhost(const struct sockaddr *sa) return is_localhost; } + +/* + * Try to match a given name to localhost names (v4 and v6). + * + * If a match is found, the address in network byte order is copied in the + * buffer thus len must match the size of the given address family and 1 is + * returned. + * + * If NO match is found, 0 is return and buf is untouched. + * + * If len is the wrong size, -EINVAL is returned and buf is untouched. + */ +ATTR_HIDDEN +int utils_localhost_resolve(const char *name, int af, void *buf, size_t len) +{ + const char *entry; + + assert(name); + assert(buf); + + if (af == AF_INET) { + const in_addr_t addr = TSOCKS_LOOPBACK; + + entry = match_name(name, localhost_names_v4); + if (entry) { + if (len < sizeof(in_addr_t)) { + /* Size of buffer is not large enough. */ + goto error; + } + memcpy(buf, &addr, sizeof(addr)); + goto match; + } + } else if (af == AF_INET6) { + const uint8_t addr[] = TSOCKS_LOOPBACK6; + + entry = match_name(name, localhost_names_v6); + if (entry) { + if (len < sizeof(addr)) { + /* Size of buffer is not large enough. */ + goto error; + } + memcpy(buf, addr, sizeof(addr)); + goto match; + } + } else { + /* Unknown family type. */ + assert(0); + goto error; + } + + /* No match. */ + return 0; +match: + /* Match found. */ + return 1; +error: + return -EINVAL; +} diff --git a/src/common/utils.h b/src/common/utils.h index 7721dc5..b0281eb 100644 --- a/src/common/utils.h +++ b/src/common/utils.h @@ -31,5 +31,6 @@ int utils_tokenize_ignore_comments(const char *_line, size_t size, char **tokens int utils_is_address_ipv4(const char *ip); int utils_is_address_ipv6(const char *ip); int utils_sockaddr_is_localhost(const struct sockaddr *sa); +int utils_localhost_resolve(const char *name, int af, void *buf, size_t len); #endif /* TORSOCKS_UTILS_H */ diff --git a/tests/unit/test_utils.c b/tests/unit/test_utils.c index e241901..df8e089 100644 --- a/tests/unit/test_utils.c +++ b/tests/unit/test_utils.c @@ -23,7 +23,7 @@ #include <tap/tap.h> -#define NUM_TESTS 10 +#define NUM_TESTS 22 static void test_is_address_ipv4(void) { @@ -60,6 +60,53 @@ static void test_is_address_ipv6(void) ok(ret == -1, "Invalid IPv6 address when IPv4"); } +static void test_localhost_resolve(void) +{ + int ret = 0; + in_addr_t ipv4, loopback = TSOCKS_LOOPBACK; + struct in6_addr ipv6; + const uint8_t loopback6[] = TSOCKS_LOOPBACK6; + + diag("Utils localhost resolve test"); + + ret = utils_localhost_resolve("localhost", AF_INET, &ipv4, sizeof(ipv4)); + ok(ret == 1, "localhost resolved successfully"); + ok(memcmp(&ipv4, &loopback, sizeof(ipv4)) == 0, + "localhost IPv4 address matches"); + + ret = utils_localhost_resolve("ip-localhost", AF_INET, &ipv4, sizeof(ipv4)); + ok(ret == 1, "ip-localhost resolved successfully"); + ok(memcmp(&ipv4, &loopback, sizeof(ipv4)) == 0, + "ip-localhost IPv4 address matches"); + + ret = utils_localhost_resolve("nsa.gov", AF_INET, &ipv4, sizeof(ipv4)); + ok(ret == 0, "nsa.gov did NOT resolved successfully"); + + /* Len smaller than buffer size. */ + ret = utils_localhost_resolve("localhost", AF_INET, &ipv4, 1); + ok(ret == -EINVAL, "localhost len of buffer was too small"); + + /* IPV6 */ + + ret = utils_localhost_resolve("localhost", AF_INET6, &ipv6, sizeof(ipv6)); + ok(ret == 1, "localhost v6 resolved successfully"); + ok(memcmp(&ipv6, &loopback6, sizeof(in6addr_loopback)) == 0, + "localhost IPv6 address matches"); + + ret = utils_localhost_resolve("ip6-localhost", AF_INET6, &ipv6, + sizeof(ipv6)); + ok(ret == 1, "ip6-localhost resolved successfully"); + ok(memcmp(&ipv6, &loopback6, sizeof(in6addr_loopback)) == 0, + "localhost IPv6 address matches"); + + ret = utils_localhost_resolve("nsa.gov", AF_INET6, &ipv6, sizeof(ipv6)); + ok(ret == 0, "nsa.gov did NOT resolved successfully"); + + /* Len smaller than buffer size. */ + ret = utils_localhost_resolve("localhost", AF_INET6, &ipv6, 1); + ok(ret == -EINVAL, "localhost v6 len of buffer was too small"); +} + static void helper_reset_tokens(char **tokens) { assert(tokens); @@ -108,6 +155,7 @@ int main(int argc, char **argv) test_is_address_ipv4(); test_is_address_ipv6(); + test_localhost_resolve(); test_utils_tokenize_ignore_comments(); return exit_status(); [View Less]

1 0

[torsocks/master] Fix: bad reference in getaddrinfo() using inet_pton
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit d8649f577f615b53fc207f97932111a49a986119 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Sat Feb 8 14:22:08 2014 -0500 Fix: bad reference in getaddrinfo() using inet_pton Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/lib/getaddrinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/getaddrinfo.c b/src/lib/getaddrinfo.c index 7d60e3e..c93cd42 100644 --- a/src/lib/getaddrinfo.c +++ b/src/lib/getaddrinfo.c @@ -66,7 +66,… [View More]

1 0

[torsocks/master] Fix: fd leak on tor resolve error
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 11152e145f989bb063ad9efdf988e03396fd0b4c Author: David Goulet <dgoulet(a)ev0ke.net> Date: Mon Feb 10 22:46:06 2014 -0500 Fix: fd leak on tor resolve error Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/lib/torsocks.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/src/lib/torsocks.c b/src/lib/torsocks.c index bcf06a1..b98e0ed 100644 --- a/src/lib/torsocks.c +++ b/src/lib/torsocks.c @@ -402,25 +402,24 @@ … [View More]

1 0

[torsocks/master] Fix: use libc close() when resolving through Tor
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 82fd72da042f383ad3d53daf48a47bbc5bb39e30 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Sat Feb 8 15:24:20 2014 -0500 Fix: use libc close() when resolving through Tor Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/lib/torsocks.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lib/torsocks.c b/src/lib/torsocks.c index 8d83bcd..bcf06a1 100644 --- a/src/lib/torsocks.c +++ b/src/lib/torsocks.c @@ -416,7 +416,7 @@ int … [View More]

1 0

[torsocks/master] Test: add unit test for sockaddr_is_localhost
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit aa13ff8c8338883dce98545aaf4f7ffc41009ac2 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Sat Feb 8 13:39:04 2014 -0500 Test: add unit test for sockaddr_is_localhost Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- tests/unit/test_utils.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/tests/unit/test_utils.c b/tests/unit/test_utils.c index df8e089..2db255b 100644 --- a/tests/unit/test_utils.c +++ b/… [View More]

1 0

[torsocks/master] Fix: build status markdown
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit bf9bdf1db170dd882500c5d97aa115082ef02c7f Author: Arlo Breault <arlolra(a)gmail.com> Date: Mon Feb 10 21:39:31 2014 -0800 Fix: build status markdown Markdown was not being parsed. Closes #24 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- README | 61 ------------------------------------------------------------- README.md | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 61 … [View More]deletions(-) diff --git a/README b/README deleted file mode 100644 index bbbec69..0000000 --- a/README +++ /dev/null @@ -1,61 +0,0 @@ -[![Build Status](https://travis-ci.org/dgoulet/torsocks.png)](https://travis-ci.org/… - -What is torsocks? ------------------ - -Torsocks allows you to use most applications in a safe way with Tor. It ensures -that DNS requests are handled safely and explicitly rejects any traffic other -than TCP from the application you're using. - -Torsocks is an ELF shared library that is loaded before all others. The library -overrides every needed Internet communication libc function calls such as -connect(2) or gethostbyname(3). - -This process is transparent to the user and if torsocks detects any -communication that can't go through the Tor network such as UDP traffic, for -instance, the connection is denied. If, for any reason, there is no way for -torsocks to provide the Tor anonymity guarantee to your application, torsocks -will force the application to quit and stop everything. - -Installation ------------------ - - $ ./configure - $ make - $ sudo make install - -If you are compiling it from the git repository, run ./autogen.sh before the -configure script. - -Using torsocks --------------- - -Once you have installed torsocks, just launch it like so: - - $ torsocks [application] - -So, for example you can use ssh to a some.ssh.com by doing: - - $ torsocks ssh username(a)some.ssh.com - -You can use the torsocks library without the script provided: - - $ LD_PRELOAD=/full/path/to/libtorsocks.so your_app - -For more details, please see the torsocks.1, torsocks.8 and torsocks.conf.5 man -pages. Also, you can use -h, --help for all the possible options of the -torsocks script. - -A configuration file named *torsocks.conf* is also provided for the user to -control some parameters. - -More informations --------------- - -torsocks is distributed under the GNU General Public License version 2. - -Mailing list for help is <tor-talk(a)lists.torproject.org> and for development -use <tor-dev(a)lists.torproject.org>. You can find the project also on IRC server -irc.oftc.net (OFTC) in #tor and #tor-dev. - -See more information about the Tor project at https://www.torproject.org. diff --git a/README.md b/README.md new file mode 100644 index 0000000..9137849 --- /dev/null +++ b/README.md @@ -0,0 +1,61 @@ +[![Build Status](https://travis-ci.org/dgoulet/torsocks.png)](https://travis-ci.org/… + +What is torsocks? +----------------- + +Torsocks allows you to use most applications in a safe way with Tor. It ensures +that DNS requests are handled safely and explicitly rejects any traffic other +than TCP from the application you're using. + +Torsocks is an ELF shared library that is loaded before all others. The library +overrides every needed Internet communication libc function calls such as +connect(2) or gethostbyname(3). + +This process is transparent to the user and if torsocks detects any +communication that can't go through the Tor network such as UDP traffic, for +instance, the connection is denied. If, for any reason, there is no way for +torsocks to provide the Tor anonymity guarantee to your application, torsocks +will force the application to quit and stop everything. + +Installation +----------------- + + $ ./configure + $ make + $ sudo make install + +If you are compiling it from the git repository, run ./autogen.sh before the +configure script. + +Using torsocks +-------------- + +Once you have installed torsocks, just launch it like so: + + $ torsocks [application] + +So, for example you can use ssh to a some.ssh.com by doing: + + $ torsocks ssh username(a)some.ssh.com + +You can use the torsocks library without the script provided: + + $ LD_PRELOAD=/full/path/to/libtorsocks.so your_app + +For more details, please see the torsocks.1, torsocks.8 and torsocks.conf.5 man +pages. Also, you can use -h, --help for all the possible options of the +torsocks script. + +A configuration file named *torsocks.conf* is also provided for the user to +control some parameters. + +More informations +-------------- + +torsocks is distributed under the GNU General Public License version 2. + +Mailing list for help is <tor-talk(a)lists.torproject.org> and for development +use <tor-dev(a)lists.torproject.org>. You can find the project also on IRC server +irc.oftc.net (OFTC) in #tor and #tor-dev. + +See more information about the Tor project at https://www.torproject.org. [View Less]

1 0