tor-commits April 2014

tor-commits@lists.torproject.org

22 participants
2020 discussions

[torsocks/master] Update version to v2.0.0-rc4
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit b2de66763cd1318352678ce1b7723552b3560ff5 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Mon Mar 3 20:52:34 2014 -0500 Update version to v2.0.0-rc4 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- ChangeLog | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ configure.ac | 2 +- 2 files changed, 67 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index f84de34..f1096e7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,69 @@ +2014-03-03 torsocks 2.0.0-rc4 + * Extras: add bash and zsh completion file + * Fix: move functions in file and set hidden attribute + * Update torsocks.1 man page with new options and some fixes + * Add -u/-p/-d to torsocks script + * Fix: check SOCKS5 user/pass before setting them in config + * Test: add socks5 tests + * Fix: assert conn->fd typo + * Add SOCKS5 username/password authentication + * Fix: handle conn. type domain name for socks5 connect + * Fix: check strdup return value in config-file.c + * Fix: make tsock_tor_resolve support IPv6 + * Fix: overload listen and not bind + * Fix: remove the use of IPv4 sockaddr in connect + * Tests: add one for utils_tokenize_ignore_comments + * Fix: use unsigned char for socks5 ABI + * Fix: use connection_get_ref on creation + * Fix: use strtok_r reentrant instead of strtok + * Fix: check is_suid flag before each getenv() + * Deny libc function bind() + * Deny libc function accept()/accept4() + * Fix: handle hints being NULL in getaddrinfo + * Fix: handle socket creation with multiple types + * Fix: better document connection registry mutex + * Fix: check strdup return value + * Fix: deny connection to ANY address + * Fix: remove all variables with double underscore + * Fix: change socks5_send_ptr_request to use address type + * Fix: IPv6 typo in socks5_send_resolve_ptr_request + * Fix: assert conn->fd typo + * Fix: build status markdown + * Fix: return right value with localhost resolve + * Fix: fd leak on tor resolve error + * Fix: use libc close() when resolving through Tor + * Fix: socks5 connect use connection domain and correct len + * Fix: bad reference in getaddrinfo() using inet_pton + * Test: add unit test for sockaddr_is_localhost + * Fix: remove gethostent() usage + * Add localhost resolve utils function + * Fix: README typos + * Fix: bad libc detection on system with libcap.so + * Add portable is localhost function + * Tests: add travis build status image to README + * Fix: quote torsocks script shell arguments + * Add --version to torsocks.in + * Add hardening compile and linker flags + * Fix: cleanup configure.ac and add missing headers/functions + * Fix: typo in exit.c comment + * Fix: add a library cleanup flag + * Fix: overload _exit and _Exit to cleanup library + * Fix: lookup libc name and pass it to dlopen() + * Fix: bad include and duplicate syscall values + * Fix: change non TCP socket warning to debug + * Fix: check if address is local after onion lookup + * Fix: put utils_is_ipv4_local static inline + * Fix: set loopback check in host byte order + * Fix: reject IPv6 socket creation + * Fix: fix localhost resolution address + * Fix: add missing errno to handle non-blocking connect() + * Revert "Fix: explicitly remove src.old from tarball" + * Add __syscall support for *BSD systems + * Add NetBSD support + * Fix: install documentation in doc directory + * Fix: explicitly remove src.old from tarball + * Fix: typo in README + 2013-11-03 torsocks 2.0.0-rc3 * Fix: add fixtures directory to EXTRA_DIST * Fix: add fixtures.h to makefile.am as EXTRA_DIST diff --git a/configure.ac b/configure.ac index 92999f3..cf6764e 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ ############################################################################## # Process this file with autoconf to produce a configure script. -AC_INIT([torsocks], [2.0.0-rc3],[dgoulet@ev0ke.net],[],[https://torproject.org]) +AC_INIT([torsocks], [2.0.0-rc4],[dgoulet@ev0ke.net],[],[https://torproject.org]) AC_CONFIG_AUX_DIR([config]) AC_CANONICAL_TARGET # Get hostname and other information.

1 0

[torsocks/master] Update torsocks.1 man page with new options and some fixes
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 5658f6104b918be82c5f234515e195df19456726 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Mon Mar 3 15:34:58 2014 -0500 Update torsocks.1 man page with new options and some fixes Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- doc/torsocks.1 | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/doc/torsocks.1 b/doc/torsocks.1 index b4dab1f..9fc4361 100644 --- a/doc/torsocks.1 +++ b/doc/torsocks.1 @@ -1,4 +1,4 @@ -.TH "TORSOCKS" "1" "August 24th, 2013" "" "" +.TH "TORSOCKS" "1" "March 3rd, 2014" "" "" .SH NAME torsocks \(em Shell wrapper to simplify the use of the torsocks(8) library to @@ -28,16 +28,32 @@ For further information on configuration, see .SH OPTIONS .TP -.BR "\-h, \-\-help, \-?" +.BR "\-h, \-\-help" Show summary of possible options and commands. .TP .BR "\-\-shell" Create a new shell with LD_PRELOAD including \fBtorsocks(8)\fP. .TP +.BR "\-\-version" +Show version. +.TP +.BR "\-u, \-\-user" +Set username for the SOCKS5 authentication. Use for circuit isolation in Tor. +Note that you MUST have a password set either by the command line, environment +variable or configuration file (torsocks.conf(5). +.TP +.BR "\-p, \-\-pass" +Set password for the SOCKS5 authentication. Use for circuit isolation in Tor. +Note that you MUST have a username set either by the command line, environment +variable or configuration file (torsocks.conf(5)). +.TP +.BR "\-d, \-\-debug" +Activate the debug mode. Output will be written on stderr. +.TP .BR "on | off" This option adds or removes \fBtorsocks(8)\fP from the LD_PRELOAD environment variable for the current shell. If you want to use this option, you HAVE to -source torsocks from yours. +source torsocks from your shell. .br .nf @@ -76,5 +92,5 @@ irc.oftc.net (OFTC) in #tor and #tor-dev. .SH AUTHOR torsocks was originally written by Robert Hogan and has been rewritten by David -Goulet <dgoulet(a)ev0ke.net> in 2013. +Goulet <dgoulet(a)torproject.org> in 2013. .PP

1 0

[torsocks/master] Fix: handle NULL node in getaddrinfo
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 5636ed0f84981b14f61e8ff562e33d444e1aba28 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Tue Mar 4 17:07:58 2014 -0500 Fix: handle NULL node in getaddrinfo Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/lib/getaddrinfo.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/lib/getaddrinfo.c b/src/lib/getaddrinfo.c index 003e51f..378f87f 100644 --- a/src/lib/getaddrinfo.c +++ b/src/lib/getaddrinfo.c @@ -44,8 +44,13 @@ LIBC_GETADDRINFO_RET_TYPE tsocks_getaddrinfo(LIBC_GETADDRINFO_SIG) DBG("[getaddrinfo] Requesting %s hostname", node); if (!node) { - ret = EAI_NONAME; - goto error; + /* + * As stated in the man page, if node is NULL, the libc call will + * return a valid socket address but NO external DNS resolution is + * possible since there is no host name to resolve. + */ + tmp_node = node; + goto libc_call; } /*

1 0

[torsocks/master] Fix: add torsocks.conf option type
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 2469d79933f710a7299c866689d59ad3879bb1b3 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Tue Mar 4 17:24:24 2014 -0500 Fix: add torsocks.conf option type Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- doc/torsocks.conf.5 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/torsocks.conf.5 b/doc/torsocks.conf.5 index 7ccfa4a..451af59 100644 --- a/doc/torsocks.conf.5 +++ b/doc/torsocks.conf.5 @@ -42,17 +42,17 @@ ignored. The following directives are used in the torsocks configuration file: .TP -.I TorAddress +.I TorAddress ip_addr The IP address of the Tor SOCKS server (e.g "server = 10.1.4.253"). Only one server may be specified. Currently, torsocks does NOT support hostname. (default: 127.0.0.1) .TP -.I TorPort +.I TorPort port The port on which the Tor SOCKS server receives requests. (default: 9050) .TP -.I OnionAddrRange +.I OnionAddrRange subnet/mask Tor hidden sites do not have real IP addresses. This specifies what range of IP addresses will be handed to the application as "cookies" for .onion names. Of course, you should pick a block of addresses which you aren't going to ever @@ -60,13 +60,13 @@ need to actually connect to. This is similar to the MapAddress feature of the main tor daemon. (default: 127.42.42.0/24) .TP -.I SOCKS5Username +.I SOCKS5Username username Username to use for SOCKS5 authentication method that makes the connections to Tor to use a different circuit from other existing streams. If set, the SOCKS5Password must be specified also. (Default: none). .TP -.I SOCKS5Password +.I SOCKS5Password password Password to use for SOCKS5 authentication method that makes the connections to Tor to use a different circuit from other existing streams. If set, the SOCKS5Username must be specified also. (Default: none).

1 0

[torsocks/master] Add option to allow inbound connections
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit e9f0be95b105aa15894549f047b9cd6eb78785f1 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Tue Mar 4 17:17:12 2014 -0500 Add option to allow inbound connections This adds the possibility of telling torsocks to allow inbound connections meaning allowing listen() and accept()/accept4() for non localhost address. Add a AllowInbound 0|1 option to the configuration file along with a TORSOCKS_ALLOW_INBOUND environment variable to control that behavior. By default, Unix socket are allowed. Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- doc/torsocks.8 | 5 +++ doc/torsocks.conf | 4 ++ doc/torsocks.conf.5 | 6 +++ src/common/config-file.c | 36 ++++++++++++++++++ src/common/config-file.h | 7 ++++ src/common/defaults.h | 3 ++ src/lib/accept.c | 92 +++++++++++++++++++++++++++++++++++++++++----- src/lib/listen.c | 52 +++++++++++++++++++++++--- src/lib/torsocks.c | 16 ++++++-- 9 files changed, 202 insertions(+), 19 deletions(-) diff --git a/doc/torsocks.8 b/doc/torsocks.8 index eb4c7dd..4a14703 100644 --- a/doc/torsocks.8 +++ b/doc/torsocks.8 @@ -94,6 +94,11 @@ also with the variable below. Set the password for the SOCKS5 authentication method. Username MUST be set also with the variable above. +.PP +.IP TORSOCKS_ALLOW_INBOUND +Allow inbound connections so the application can accept and listen for +connections. + .SH KNOWN ISSUES .SS DNS diff --git a/doc/torsocks.conf b/doc/torsocks.conf index 7653818..c1596c0 100644 --- a/doc/torsocks.conf +++ b/doc/torsocks.conf @@ -24,3 +24,7 @@ OnionAddrRange 127.42.42.0/24 # variable overrides these options. #SOCKS5Username <username> #SOCKS5Password <password> + +# Set Torsocks to accept inbound connections. If set to 1, listen() and +# accept() will be allowed to be used with non localhost address. (Default: 0) +#AllowInbound 1 diff --git a/doc/torsocks.conf.5 b/doc/torsocks.conf.5 index 6cd600f..7ccfa4a 100644 --- a/doc/torsocks.conf.5 +++ b/doc/torsocks.conf.5 @@ -71,6 +71,12 @@ Password to use for SOCKS5 authentication method that makes the connections to Tor to use a different circuit from other existing streams. If set, the SOCKS5Username must be specified also. (Default: none). +.TP +.I AllowInbound 0|1 +Allow inbound connections meaning that listen() and accept()/accept4() will be +allowed for non localhost address so the applicaton can handle incoming +connection. Note that Unix socket are allowed. (Default: 0) + .SH EXAMPLE $ export TORSOCKS_CONF_FILE=$PWD/torsocks.conf $ torsocks ssh account(a)sshserver.com diff --git a/src/common/config-file.c b/src/common/config-file.c index 2882678..79fe5ca 100644 --- a/src/common/config-file.c +++ b/src/common/config-file.c @@ -37,6 +37,7 @@ static const char *conf_torport_str = "TorPort"; static const char *conf_onion_str = "OnionAddrRange"; static const char *conf_socks5_user_str = "SOCKS5Username"; static const char *conf_socks5_pass_str = "SOCKS5Password"; +static const char *conf_allow_inbound_str = "AllowInbound"; /* * Once this value reaches 2, it means both user and password for a SOCKS5 @@ -221,6 +222,11 @@ static int parse_config_line(const char *line, struct configuration *config) if (ret < 0) { goto error; } + } else if (!strcmp(tokens[0], conf_allow_inbound_str)) { + ret = conf_file_set_allow_inbound(tokens[1], config); + if (ret < 0) { + goto error; + } } else { WARN("Config file contains unknown value: %s", line); } @@ -332,6 +338,34 @@ error: } /* + * Set the allow inbound option for the given config. + * + * Return 0 if option is off, 1 if on and negative value on error. + */ +ATTR_HIDDEN +int conf_file_set_allow_inbound(const char *val, struct configuration *config) +{ + int ret; + + assert(val); + assert(config); + + ret = atoi(val); + if (ret == 0) { + config->allow_inbound = 0; + DBG("[config] Inbound connections disallowed."); + } else if (ret == 1) { + config->allow_inbound = 1; + DBG("[config] Inbound connections allowed."); + } else { + ERR("[config] Invalid %s value for %s", val, conf_allow_inbound_str); + ret = -EINVAL; + } + + return ret; +} + +/* * Read and populate the given config parsed data structure. * * Return 0 on success or else a negative value. @@ -370,6 +404,8 @@ int config_file_read(const char *filename, struct configuration *config) /* ENOMEM is probably the only case here. */ goto error; } + + config->allow_inbound = 0; goto end; } diff --git a/src/common/config-file.h b/src/common/config-file.h index 04dbf42..c35507d 100644 --- a/src/common/config-file.h +++ b/src/common/config-file.h @@ -72,6 +72,12 @@ struct configuration { * initialized to something of len > 0. */ unsigned int socks5_use_auth:1; + + /* + * Allow inbound connections meaning listen() and accept() are permitted + * for non localhost addresses. + */ + unsigned int allow_inbound:1; }; int config_file_read(const char *filename, struct configuration *config); @@ -80,5 +86,6 @@ int conf_file_set_socks5_pass(const char *password, struct configuration *config); int conf_file_set_socks5_user(const char *username, struct configuration *config); +int conf_file_set_allow_inbound(const char *val, struct configuration *config); #endif /* CONFIG_FILE_H */ diff --git a/src/common/defaults.h b/src/common/defaults.h index fe35a6d..36c7bc0 100644 --- a/src/common/defaults.h +++ b/src/common/defaults.h @@ -63,4 +63,7 @@ #define DEFAULT_SOCKS5_USER_ENV "TORSOCKS_USERNAME" #define DEFAULT_SOCKS5_PASS_ENV "TORSOCKS_PASSWORD" +/* Control if torsocks allows inbound connection or not. */ +#define DEFAULT_ALLOW_INBOUND_ENV "TORSOCKS_ALLOW_INBOUND" + #endif /* TORSOCKS_DEFAULTS_H */ diff --git a/src/lib/accept.c b/src/lib/accept.c index 3dd7617..07715b3 100644 --- a/src/lib/accept.c +++ b/src/lib/accept.c @@ -17,6 +17,8 @@ #include <assert.h> +#include <common/utils.h> + #include "torsocks.h" TSOCKS_LIBC_DECL(accept, LIBC_ACCEPT_RET_TYPE, LIBC_ACCEPT_SIG) @@ -26,14 +28,44 @@ TSOCKS_LIBC_DECL(accept, LIBC_ACCEPT_RET_TYPE, LIBC_ACCEPT_SIG) */ LIBC_ACCEPT_RET_TYPE tsocks_accept(LIBC_ACCEPT_SIG) { - DBG("[accept] Syscall denied since inbound connection are not allowed."); + int ret; + + if (tsocks_config.allow_inbound) { + /* Allowed by the user so directly go to the libc. */ + goto libc_call; + } + + if (!addr) { + errno = EFAULT; + goto error; + } /* - * Accept is completely denied here since this means that the application - * can accept inbound connections that are obviously NOT handled by the Tor - * network thus reject this call. + * accept() on a Unix socket is allowed else we are going to try to match + * it on INET localhost socket. */ - errno = EPERM; + if (addr->sa_family == AF_UNIX) { + goto libc_call; + } + + /* Inbound localhost connections are allowed. */ + ret = utils_sockaddr_is_localhost(addr); + if (!ret) { + + /* + * Accept is completely denied here since this means that the + * application can accept inbound connections on non localhost that are + * obviously NOT handled by the Tor network thus reject this call. + */ + DBG("[accept] Non localhost inbound connection are not allowed."); + errno = EPERM; + goto error; + } + +libc_call: + return tsocks_libc_accept(LIBC_ACCEPT_ARGS); + +error: return -1; } @@ -42,6 +74,11 @@ LIBC_ACCEPT_RET_TYPE tsocks_accept(LIBC_ACCEPT_SIG) */ LIBC_ACCEPT_DECL { + if (!tsocks_libc_accept) { + tsocks_libc_accept = tsocks_find_libc_symbol( + LIBC_ACCEPT_NAME_STR, TSOCKS_SYM_EXIT_NOT_FOUND); + } + return tsocks_accept(LIBC_ACCEPT_ARGS); } @@ -54,14 +91,44 @@ TSOCKS_LIBC_DECL(accept4, LIBC_ACCEPT4_RET_TYPE, LIBC_ACCEPT4_SIG) */ LIBC_ACCEPT4_RET_TYPE tsocks_accept4(LIBC_ACCEPT4_SIG) { - DBG("[accept] Syscall denied since inbound connection are not allowed."); + int ret; + + if (tsocks_config.allow_inbound) { + /* Allowed by the user so directly go to the libc. */ + goto libc_call; + } + + if (!addr) { + errno = EFAULT; + goto error; + } /* - * Accept is completely denied here since this means that the application - * can accept inbound connections that are obviously NOT handled by the Tor - * network thus reject this call. + * accept4() on a Unix socket is allowed else we are going to try to match + * it on INET localhost socket. */ - errno = EPERM; + if (addr->sa_family == AF_UNIX) { + goto libc_call; + } + + /* Inbound localhost connections are allowed. */ + ret = utils_sockaddr_is_localhost(addr); + if (!ret) { + + /* + * Accept is completely denied here since this means that the + * application can accept inbound connections on non localhost that are + * obviously NOT handled by the Tor network thus reject this call. + */ + DBG("[accept4] Non localhost inbound connection are not allowed."); + errno = EPERM; + goto error; + } + +libc_call: + return tsocks_libc_accept4(LIBC_ACCEPT4_ARGS); + +error: return -1; } @@ -70,6 +137,11 @@ LIBC_ACCEPT4_RET_TYPE tsocks_accept4(LIBC_ACCEPT4_SIG) */ LIBC_ACCEPT4_DECL { + if (!tsocks_libc_accept4) { + tsocks_libc_accept4 = tsocks_find_libc_symbol( + LIBC_ACCEPT4_NAME_STR, TSOCKS_SYM_EXIT_NOT_FOUND); + } + return tsocks_accept4(LIBC_ACCEPT4_ARGS); } #endif diff --git a/src/lib/listen.c b/src/lib/listen.c index e72f1f6..38c37d8 100644 --- a/src/lib/listen.c +++ b/src/lib/listen.c @@ -17,6 +17,8 @@ #include <assert.h> +#include <common/utils.h> + #include "torsocks.h" TSOCKS_LIBC_DECL(listen, LIBC_LISTEN_RET_TYPE, LIBC_LISTEN_SIG) @@ -26,14 +28,49 @@ TSOCKS_LIBC_DECL(listen, LIBC_LISTEN_RET_TYPE, LIBC_LISTEN_SIG) */ LIBC_LISTEN_RET_TYPE tsocks_listen(LIBC_LISTEN_SIG) { - DBG("[accept] Syscall denied since inbound connection are not allowed."); + int ret; + socklen_t addrlen; + struct sockaddr sa; + + if (tsocks_config.allow_inbound) { + /* Allowed by the user so directly go to the libc. */ + goto libc_call; + } + + addrlen = sizeof(sa); + + ret = getsockname(sockfd, &sa, &addrlen); + if (ret < 0) { + PERROR("[listen] getsockname"); + goto error; + } /* - * Bind is completely denied here since this means that the application - * can accept inbound connections that are obviously NOT handled by the Tor - * network thus reject this call. + * Listen () on a Unix socket is allowed else we are going to try to match + * it on INET localhost socket. */ - errno = EPERM; + if (sa.sa_family == AF_UNIX) { + goto libc_call; + } + + /* Inbound localhost connections are allowed. */ + ret = utils_sockaddr_is_localhost(&sa); + if (!ret) { + /* + * Listen is completely denied here since this means that the + * application can accept inbound connections on non localhost that are + * obviously NOT handled by the Tor network thus reject this call. + */ + DBG("[listen] Non localhost inbound connection are not allowed."); + errno = EPERM; + goto error; + } + +libc_call: + DBG("[listen] Passing listen fd %d to libc", sockfd); + return tsocks_libc_listen(LIBC_LISTEN_ARGS); + +error: return -1; } @@ -42,5 +79,10 @@ LIBC_LISTEN_RET_TYPE tsocks_listen(LIBC_LISTEN_SIG) */ LIBC_LISTEN_DECL { + if (!tsocks_libc_listen) { + tsocks_libc_listen = tsocks_find_libc_symbol( + LIBC_LISTEN_NAME_STR, TSOCKS_SYM_EXIT_NOT_FOUND); + } + return tsocks_listen(LIBC_LISTEN_ARGS); } diff --git a/src/lib/torsocks.c b/src/lib/torsocks.c index a20e94f..af4ab79 100644 --- a/src/lib/torsocks.c +++ b/src/lib/torsocks.c @@ -69,15 +69,23 @@ static void clean_exit(int status) * Read SOCKS5 username and password environment variable and if found set them * in the configuration. If we are setuid, return gracefully. */ -static void read_user_pass_env(void) +static void read_env(void) { int ret; - const char *username, *password; + const char *username, *password, *allow_in; if (is_suid) { goto end; } + allow_in = getenv(DEFAULT_ALLOW_INBOUND_ENV); + if (allow_in) { + ret = conf_file_set_allow_inbound(allow_in, &tsocks_config); + if (ret < 0) { + goto error; + } + } + username = getenv(DEFAULT_SOCKS5_USER_ENV); password = getenv(DEFAULT_SOCKS5_PASS_ENV); if (!username && !password) { @@ -168,8 +176,8 @@ static void init_config(void) clean_exit(EXIT_FAILURE); } - /* Handle SOCKS5 user/pass env. variables. */ - read_user_pass_env(); + /* Handle possible env. variables. */ + read_env(); } /*

1 0

[torsocks/master] Add fclose() support
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 7dee92c5f0e29222258dd10074bbdf8a008bc749 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Sat Mar 8 11:20:07 2014 -0500 Add fclose() support Fixes #29 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/lib/Makefile.am | 2 +- src/lib/fclose.c | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++ src/lib/torsocks.h | 15 +++++++++ 3 files changed, 101 insertions(+), 1 deletion(-) diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index cccecf1..d64b3f6 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -9,6 +9,6 @@ lib_LTLIBRARIES = libtorsocks.la libtorsocks_la_SOURCES = torsocks.c torsocks.h \ connect.c gethostbyname.c getaddrinfo.c close.c \ getpeername.c socket.c syscall.c socketpair.c recv.c \ - exit.c accept.c listen.c + exit.c accept.c listen.c fclose.c libtorsocks_la_LIBADD = $(top_builddir)/src/common/libcommon.la diff --git a/src/lib/fclose.c b/src/lib/fclose.c new file mode 100644 index 0000000..8d371cd --- /dev/null +++ b/src/lib/fclose.c @@ -0,0 +1,85 @@ +/* + * Copyright (C) 2014 - David Goulet <dgoulet(a)ev0ke.net> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License, version 2 only, as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 51 + * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <common/connection.h> +#include <common/log.h> + +#include "torsocks.h" + +/* fclose(3) */ +TSOCKS_LIBC_DECL(fclose, LIBC_FCLOSE_RET_TYPE, LIBC_FCLOSE_SIG) + +/* + * Torsocks call for fclose(3). + */ +LIBC_FCLOSE_RET_TYPE tsocks_fclose(LIBC_FCLOSE_SIG) +{ + int fd; + struct connection *conn; + + if (!fp) { + errno = EBADF; + goto error; + } + + fd = fileno(fp); + if (fd < 0) { + /* errno is set to EBADF here by fileno(). */ + goto error; + } + + DBG("[fclose] Close catched for fd %d", fd); + + connection_registry_lock(); + conn = connection_find(fd); + if (conn) { + /* + * Remove from the registry so it's not visible anymore and thus using + * it without lock. + */ + connection_remove(conn); + } + connection_registry_unlock(); + + /* + * Put back the connection reference. If the refcount get to 0, the + * connection pointer is destroyed. + */ + if (conn) { + DBG("Close connection putting back ref"); + connection_put_ref(conn); + } + + /* Return the original libc fclose. */ + return tsocks_libc_fclose(fp); + +error: + return -1; +} + +/* + * Libc hijacked symbol fclose(3). + */ +LIBC_FCLOSE_DECL +{ + if (!tsocks_libc_fclose) { + tsocks_libc_fclose = tsocks_find_libc_symbol( + LIBC_FCLOSE_NAME_STR, TSOCKS_SYM_EXIT_NOT_FOUND); + } + + return tsocks_fclose(LIBC_FCLOSE_ARGS); +} diff --git a/src/lib/torsocks.h b/src/lib/torsocks.h index 1b95cb9..057a32e 100644 --- a/src/lib/torsocks.h +++ b/src/lib/torsocks.h @@ -74,6 +74,15 @@ #define LIBC_CLOSE_SIG int fd #define LIBC_CLOSE_ARGS fd +/* fclose(3) */ +#include <stdio.h> + +#define LIBC_FCLOSE_NAME fclose +#define LIBC_FCLOSE_NAME_STR XSTR(LIBC_FCLOSE_NAME) +#define LIBC_FCLOSE_RET_TYPE int +#define LIBC_FCLOSE_SIG FILE *fp +#define LIBC_FCLOSE_ARGS fp + /* gethostbyname(3) - DEPRECATED in glibc. */ #include <netdb.h> @@ -297,6 +306,12 @@ TSOCKS_DECL(close, LIBC_CLOSE_RET_TYPE, LIBC_CLOSE_SIG) #define LIBC_CLOSE_DECL \ LIBC_CLOSE_RET_TYPE LIBC_CLOSE_NAME(LIBC_CLOSE_SIG) +/* fclose(3) */ +extern TSOCKS_LIBC_DECL(fclose, LIBC_FCLOSE_RET_TYPE, LIBC_FCLOSE_SIG) +TSOCKS_DECL(fclose, LIBC_FCLOSE_RET_TYPE, LIBC_FCLOSE_SIG) +#define LIBC_FCLOSE_DECL \ + LIBC_FCLOSE_RET_TYPE LIBC_FCLOSE_NAME(LIBC_FCLOSE_SIG) + /* gethostbyname(3) */ extern TSOCKS_LIBC_DECL(gethostbyname, LIBC_GETHOSTBYNAME_RET_TYPE, LIBC_GETHOSTBYNAME_SIG)

1 0

[torsocks/master] Update version to v2.0.0-rc5
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 3c860254b106bdc223bb414781576b7a7994c60b Author: David Goulet <dgoulet(a)ev0ke.net> Date: Mon Mar 17 13:53:02 2014 -0400 Update version to v2.0.0-rc5 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- ChangeLog | 7 +++++++ configure.ac | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index f1096e7..807f334 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2014-03-17 torsocks 2.0.0-rc5 + * Fix: strict aliasing in library + * Add fclose() support + * Fix: add torsocks.conf option type + * Add option to allow inbound connections + * Fix: handle NULL node in getaddrinfo + 2014-03-03 torsocks 2.0.0-rc4 * Extras: add bash and zsh completion file * Fix: move functions in file and set hidden attribute diff --git a/configure.ac b/configure.ac index cf6764e..1805835 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ ############################################################################## # Process this file with autoconf to produce a configure script. -AC_INIT([torsocks], [2.0.0-rc4],[dgoulet@ev0ke.net],[],[https://torproject.org]) +AC_INIT([torsocks], [2.0.0-rc5],[dgoulet@ev0ke.net],[],[https://torproject.org]) AC_CONFIG_AUX_DIR([config]) AC_CANONICAL_TARGET # Get hostname and other information.

1 0

[torsocks/master] Fix: strict aliasing in library
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 506f1dc40cc2f7991f4d27285d050daf2f7ff14e Author: David Goulet <dgoulet(a)ev0ke.net> Date: Wed Mar 12 20:08:03 2014 -0400 Fix: strict aliasing in library Fixes #28 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/lib/gethostbyname.c | 8 ++++---- src/lib/recv.c | 7 +++---- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/src/lib/gethostbyname.c b/src/lib/gethostbyname.c index 6b4ea21..322f398 100644 --- a/src/lib/gethostbyname.c +++ b/src/lib/gethostbyname.c @@ -94,8 +94,8 @@ LIBC_GETHOSTBYNAME_RET_TYPE tsocks_gethostbyname(LIBC_GETHOSTBYNAME_SIG) tsocks_he.h_addrtype = AF_INET; tsocks_he.h_addr_list = tsocks_he_addr_list; - DBG("Hostname %s resolved to %s", name, - inet_ntoa(*((struct in_addr *) &ip))); + DBG("[gethostbyname] Hostname %s resolved to %u.%u.%u.%u", name, + ip & 0XFF, (ip >> 8) & 0XFF, (ip >> 16) & 0XFF, (ip >> 24) & 0xFF); errno = 0; return &tsocks_he; @@ -368,8 +368,8 @@ LIBC_GETHOSTBYNAME_R_RET_TYPE tsocks_gethostbyname_r(LIBC_GETHOSTBYNAME_R_SIG) he->h_length = sizeof(in_addr_t); he->h_addrtype = AF_INET; - DBG("[gethostbyname_r] Hostname %s resolved to %s", name, - inet_ntoa(*((struct in_addr *) &ip))); + DBG("[gethostbyname_r] Hostname %s resolved to %u.%u.%u.%u", name, + ip & 0XFF, (ip >> 8) & 0XFF, (ip >> 16) & 0XFF, (ip >> 24) & 0xFF); error: return ret; diff --git a/src/lib/recv.c b/src/lib/recv.c index b041f6d..036fa91 100644 --- a/src/lib/recv.c +++ b/src/lib/recv.c @@ -67,7 +67,7 @@ LIBC_RECVMSG_RET_TYPE tsocks_recvmsg(LIBC_RECVMSG_SIG) * further. */ if (cmsg->cmsg_type == SCM_RIGHTS || cmsg->cmsg_level == SOL_SOCKET) { - struct sockaddr_storage addr; + struct sockaddr addr; socklen_t addrlen; sa_family_t family = AF_UNSPEC; @@ -75,14 +75,13 @@ LIBC_RECVMSG_RET_TYPE tsocks_recvmsg(LIBC_RECVMSG_SIG) /* Get socket protocol family. */ addrlen = sizeof(addr); - ret = getsockname(fd, (struct sockaddr *) &addr, &addrlen); + ret = getsockname(fd, &addr, &addrlen); if (ret < 0) { /* Use the getsockname() errno value. */ goto end; } - family = ((struct sockaddr *) &addr)->sa_family; - + family = addr.sa_family; if (family == AF_INET || family == AF_INET6) { ERR("[recvmsg] Inet socket passing detected. Aborting everything! " "A non Tor socket could be used thus leaking information.");

1 0

[torsocks/master] Fix: set addr len for getsockname in accept
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 76fcebb963d9a590bd387949e600b9a4adfe46b0 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Mon Mar 17 14:46:07 2014 -0400 Fix: set addr len for getsockname in accept Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/lib/accept.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/lib/accept.c b/src/lib/accept.c index 08fe1b4..e9bc36c 100644 --- a/src/lib/accept.c +++ b/src/lib/accept.c @@ -42,6 +42,8 @@ LIBC_ACCEPT_RET_TYPE tsocks_accept(LIBC_ACCEPT_SIG) goto error; } + sa_len = sizeof(sa); + ret = getsockname(sockfd, &sa, &sa_len); if (ret < 0) { PERROR("[accept] getsockname"); @@ -113,6 +115,8 @@ LIBC_ACCEPT4_RET_TYPE tsocks_accept4(LIBC_ACCEPT4_SIG) goto error; } + sa_len = sizeof(sa); + ret = getsockname(sockfd, &sa, &sa_len); if (ret < 0) { PERROR("[accept4] getsockname");

1 0

[torsocks/master] Fix: use socket fd and NOT sockaddr in accept
by dgoulet＠torproject.org 04 Apr '14

04 Apr '14

commit 17774c06a3fbcce3af637ae9faa0d42227c7a6ea Author: David Goulet <dgoulet(a)ev0ke.net> Date: Mon Mar 17 14:26:05 2014 -0400 Fix: use socket fd and NOT sockaddr in accept Major mistake in accept() which was checking the given sockaddr structure instead of the given socket fd. The address structure passed to accept is meant to be filled up by the accept function thus not containing any usable data. Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/lib/accept.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/src/lib/accept.c b/src/lib/accept.c index 07715b3..08fe1b4 100644 --- a/src/lib/accept.c +++ b/src/lib/accept.c @@ -29,6 +29,8 @@ TSOCKS_LIBC_DECL(accept, LIBC_ACCEPT_RET_TYPE, LIBC_ACCEPT_SIG) LIBC_ACCEPT_RET_TYPE tsocks_accept(LIBC_ACCEPT_SIG) { int ret; + socklen_t sa_len; + struct sockaddr sa; if (tsocks_config.allow_inbound) { /* Allowed by the user so directly go to the libc. */ @@ -40,16 +42,22 @@ LIBC_ACCEPT_RET_TYPE tsocks_accept(LIBC_ACCEPT_SIG) goto error; } + ret = getsockname(sockfd, &sa, &sa_len); + if (ret < 0) { + PERROR("[accept] getsockname"); + goto error; + } + /* * accept() on a Unix socket is allowed else we are going to try to match * it on INET localhost socket. */ - if (addr->sa_family == AF_UNIX) { + if (sa.sa_family == AF_UNIX) { goto libc_call; } /* Inbound localhost connections are allowed. */ - ret = utils_sockaddr_is_localhost(addr); + ret = utils_sockaddr_is_localhost(&sa); if (!ret) { /* @@ -92,6 +100,8 @@ TSOCKS_LIBC_DECL(accept4, LIBC_ACCEPT4_RET_TYPE, LIBC_ACCEPT4_SIG) LIBC_ACCEPT4_RET_TYPE tsocks_accept4(LIBC_ACCEPT4_SIG) { int ret; + socklen_t sa_len; + struct sockaddr sa; if (tsocks_config.allow_inbound) { /* Allowed by the user so directly go to the libc. */ @@ -103,16 +113,22 @@ LIBC_ACCEPT4_RET_TYPE tsocks_accept4(LIBC_ACCEPT4_SIG) goto error; } + ret = getsockname(sockfd, &sa, &sa_len); + if (ret < 0) { + PERROR("[accept4] getsockname"); + goto error; + } + /* * accept4() on a Unix socket is allowed else we are going to try to match * it on INET localhost socket. */ - if (addr->sa_family == AF_UNIX) { + if (sa.sa_family == AF_UNIX) { goto libc_call; } /* Inbound localhost connections are allowed. */ - ret = utils_sockaddr_is_localhost(addr); + ret = utils_sockaddr_is_localhost(&sa); if (!ret) { /*

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits April 2014