April 2018 - tor-commits - lists.torproject.org

[torsocks/master] Bug 23715: Support memfd_create(2).
by dgoulet＠torproject.org 20 Apr '18

20 Apr '18

commit dc1d6ae5639a84103a1b067775238f33b4590533 Author: Yawning Angel <yawning(a)schwanenlied.me> Date: Sat Sep 30 07:09:13 2017 +0000 Bug 23715: Support memfd_create(2). Enough things use this now, that the syscall(2) wrapper should support it, since glibc doesn't provide a wrapper for it, and the documentation says to invoke it using syscall(2). --- src/common/compat.h | 4 ++++ src/lib/syscall.c | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/src/common/compat.h b/src/common/compat.h index f490113..a9b73c2 100644 --- a/src/common/compat.h +++ b/src/common/compat.h @@ -126,6 +126,9 @@ void tsocks_once(tsocks_once_t *o, void (*init_routine)(void)); #ifndef __NR_fork #define __NR_fork -18 #endif +#ifndef __NR_memfd_create +#define __NR_memfd_create -19 +#endif #define TSOCKS_NR_SOCKET __NR_socket #define TSOCKS_NR_CONNECT __NR_connect @@ -145,6 +148,7 @@ void tsocks_once(tsocks_once_t *o, void (*init_routine)(void)); #define TSOCKS_NR_GETTIMEOFDAY __NR_gettimeofday #define TSOCKS_NR_CLOCK_GETTIME __NR_clock_gettime #define TSOCKS_NR_FORK __NR_fork +#define TSOCKS_NR_MEMFD_CREATE __NR_memfd_create /* * Despite glibc providing wrappers for these calls for a long time diff --git a/src/lib/syscall.c b/src/lib/syscall.c index 41cba28..7fba580 100644 --- a/src/lib/syscall.c +++ b/src/lib/syscall.c @@ -423,6 +423,20 @@ static LIBC_SYSCALL_RET_TYPE handle_fork(void) { return tsocks_libc_syscall(TSOCKS_NR_FORK); } + +/* + * Handle memfd_create(2) syscall. + */ +static LIBC_SYSCALL_RET_TYPE handle_memfd_create(va_list args) +{ + const char *name; + unsigned int flags; + + name = va_arg(args, __typeof__(name)); + flags = va_arg(args, __typeof__(flags)); + + return tsocks_libc_syscall(TSOCKS_NR_MEMFD_CREATE, name, flags); +} #endif /* __linux__ */ /* @@ -541,6 +555,9 @@ LIBC_SYSCALL_RET_TYPE tsocks_syscall(long int number, va_list args) case TSOCKS_NR_FORK: ret = handle_fork(); break; + case TSOCKS_NR_MEMFD_CREATE: + ret = handle_memfd_create(args); + break; #endif /* __linux__ */ default: /*

1 0

[torsocks/master] socks5: Always use ATYP 0x03 for CONNECT command
by dgoulet＠torproject.org 20 Apr '18

20 Apr '18

commit a0070f02d77315b640dbc00105a246ef64d89011 Author: David Goulet <dgoulet(a)torproject.org> Date: Fri Apr 20 10:34:34 2018 -0400 socks5: Always use ATYP 0x03 for CONNECT command Because of the SafeSocks parameter of Tor, if set, we can't pass a raw IP address to Tor since it will believe we did a DNS resolution from the application. Now, thanks to #22461, Tor safely accepts an IPv4/IPv6 address withing a FQDN connect request which avoids the SafeSocks warnings. The #22461 wasn't backported which means that torsocks working with SafeSocks is only possible in tor >= 0.3.2 stable series. Fixes #23667 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/common/socks5.c | 80 ++++++++++++++++++++++-------------------------- tests/unit/test_socks5.c | 54 ++++++-------------------------- 2 files changed, 46 insertions(+), 88 deletions(-) diff --git a/src/common/socks5.c b/src/common/socks5.c index 1be2ab8..bf6019a 100644 --- a/src/common/socks5.c +++ b/src/common/socks5.c @@ -385,75 +385,60 @@ int socks5_send_connect_request(struct connection *conn) unsigned char buffer[1500]; ssize_t buf_len, ret_send; struct socks5_request msg; + struct socks5_request_domain req_name; + const char *retp; assert(conn); assert(conn->fd >= 0); + memset(&req_name, 0, sizeof(req_name)); memset(buffer, 0, sizeof(buffer)); buf_len = sizeof(msg); + /* Set up the header part. It is always the same, even the address type as + * Tor handles IPv4/IPv6 as a Domain Name so SafeSocks doesn't complain. For + * this reason, we always send ATYP 0x03 (domain name) to Tor. */ msg.ver = SOCKS5_VERSION; msg.cmd = SOCKS5_CMD_CONNECT; /* Always zeroed. */ msg.rsv = 0; + msg.atyp = SOCKS5_ATYP_DOMAIN; + memcpy(buffer, &msg, buf_len); + /* Depending on the domain of the connection, we'll set the hostname + * accordingly that is transforming the address into a text format. */ switch (conn->dest_addr.domain) { case CONNECTION_DOMAIN_INET: { - struct socks5_request_ipv4 req_ipv4; - - msg.atyp = SOCKS5_ATYP_IPV4; - /* Copy the first part of the request. */ - memcpy(buffer, &msg, buf_len); - - /* Prepare the ipv4 payload to be copied in the send buffer. */ - memcpy(req_ipv4.addr, &conn->dest_addr.u.sin.sin_addr, - sizeof(req_ipv4.addr)); - req_ipv4.port = conn->dest_addr.u.sin.sin_port; - - /* Copy ipv4 request portion in the buffer. */ - memcpy(buffer + buf_len, &req_ipv4, sizeof(req_ipv4)); - buf_len += sizeof(req_ipv4); + retp = inet_ntop(AF_INET, &conn->dest_addr.u.sin.sin_addr, + (char *) req_name.name, sizeof(req_name.name)); + if (retp == NULL) { + ERR("Socks5 connection malformed IPv4"); + ret = -EINVAL; + goto error; + } + req_name.port = conn->dest_addr.u.sin.sin_port; break; } case CONNECTION_DOMAIN_INET6: { - struct socks5_request_ipv6 req_ipv6; - - msg.atyp = SOCKS5_ATYP_IPV6; - /* Copy the first part of the request. */ - memcpy(buffer, &msg, buf_len); - - /* Prepare the ipv6 payload to be copied in the send buffer. */ - memcpy(req_ipv6.addr, &conn->dest_addr.u.sin6.sin6_addr, - sizeof(req_ipv6.addr)); - req_ipv6.port = conn->dest_addr.u.sin6.sin6_port; - - /* Copy ipv6 request portion in the buffer. */ - memcpy(buffer + buf_len, &req_ipv6, sizeof(req_ipv6)); - buf_len += sizeof(req_ipv6); + retp = inet_ntop(AF_INET6, &conn->dest_addr.u.sin6.sin6_addr, + (char *) req_name.name, sizeof(req_name.name)); + if (retp == NULL) { + ERR("Socks5 connection malformed IPv4"); + ret = -EINVAL; + goto error; + } + req_name.port = conn->dest_addr.u.sin6.sin6_port; break; } case CONNECTION_DOMAIN_NAME: { - struct socks5_request_domain req_name; - - msg.atyp = SOCKS5_ATYP_DOMAIN; - /* Copy the first part of the request. */ - memcpy(buffer, &msg, buf_len); - /* Setup domain name request buffer. */ req_name.len = strlen(conn->dest_addr.hostname.addr); - memcpy(req_name.name, conn->dest_addr.hostname.addr, req_name.len); + memcpy(req_name.name, conn->dest_addr.hostname.addr, + strlen(conn->dest_addr.hostname.addr)); req_name.port = conn->dest_addr.hostname.port; - - /* Copy ipv6 request portion in the buffer. */ - memcpy(buffer + buf_len, &req_name.len, sizeof(req_name.len)); - buf_len += sizeof(req_name.len); - memcpy(buffer + buf_len, req_name.name, req_name.len); - buf_len += req_name.len; - memcpy(buffer + buf_len, &req_name.port, sizeof(req_name.port)); - buf_len += sizeof(req_name.port); break; } default: @@ -462,6 +447,15 @@ int socks5_send_connect_request(struct connection *conn) goto error; } + /* Common for everyone, copy the filled up request buffer. */ + req_name.len = strlen((char *) req_name.name); + memcpy(buffer + buf_len, &req_name.len, sizeof(req_name.len)); + buf_len += sizeof(req_name.len); + memcpy(buffer + buf_len, req_name.name, req_name.len); + buf_len += req_name.len; + memcpy(buffer + buf_len, &req_name.port, sizeof(req_name.port)); + buf_len += sizeof(req_name.port); + DBG("Socks5 sending connect request to fd %d", conn->fd); ret_send = send_data(conn->fd, &buffer, buf_len); diff --git a/tests/unit/test_socks5.c b/tests/unit/test_socks5.c index ac8ed3c..284abc4 100644 --- a/tests/unit/test_socks5.c +++ b/tests/unit/test_socks5.c @@ -30,8 +30,6 @@ static struct socks5_method_req method_req; static struct socks5_request req; -static struct socks5_request_ipv4 req_ipv4; -static struct socks5_request_ipv6 req_ipv6; static struct socks5_request_domain req_name; static struct socks5_request_resolve req_resolve; static struct socks5_request_resolve_ptr req_resolve_ptr; @@ -138,37 +136,12 @@ static ssize_t socks5_recv_method_no_accept_stub(int fd, void *buf, size_t len) * send_connect_request test doubles */ -static ssize_t socks5_send_connect_request_ipv4_spy(int fd, const void *buf, - size_t len) -{ - ssize_t buf_len = 0; - - set_socks5_request(buf); - buf_len += sizeof(struct socks5_request); - - req_ipv4 = (*(struct socks5_request_ipv4 *) (buf + buf_len)); - - return 1; -} - -static ssize_t socks5_send_connect_request_ipv6_spy(int fd, const void *buf, - size_t len) -{ - ssize_t buf_len = 0; - - set_socks5_request(buf); - buf_len += sizeof(struct socks5_request); - - req_ipv6 = (*(struct socks5_request_ipv6 *) (buf + buf_len)); - - return 1; -} - static ssize_t socks5_send_connect_request_domain_spy(int fd, const void *buf, size_t len) { ssize_t buf_len = 0; + memset(&req_name, 0, sizeof(req_name)); set_socks5_request(buf); buf_len += sizeof(struct socks5_request); @@ -597,24 +570,19 @@ static void test_socks5_send_connect_request(void) { int ret; struct connection *conn_stub; - char ip[INET6_ADDRSTRLEN]; conn_stub = get_connection_stub(); - socks5_init(socks5_send_connect_request_ipv4_spy, NULL); + socks5_init(socks5_send_connect_request_domain_spy, NULL); ret = socks5_send_connect_request(conn_stub); - inet_ntop(AF_INET, - (struct sockaddr_in *)&req_ipv4.addr, - ip, INET6_ADDRSTRLEN); - ok(ret == 0 && req.ver == SOCKS5_VERSION && req.cmd == SOCKS5_CMD_CONNECT && req.rsv == 0 && - req.atyp == SOCKS5_ATYP_IPV4 && - strncmp(ip, "127.0.0.1", INET6_ADDRSTRLEN) == 0 && - req_ipv4.port == htons(9050), + req.atyp == SOCKS5_ATYP_DOMAIN && + strncmp((char *) req_name.name, "127.0.0.1", INET6_ADDRSTRLEN) == 0 && + req_name.port == htons(9050), "socks5 send connect request IPv4"); connection_destroy(conn_stub); @@ -623,21 +591,17 @@ static void test_socks5_send_connect_request(void) /* IPv6 */ conn_stub = get_connection_ipv6_stub(); - socks5_init(socks5_send_connect_request_ipv6_spy, NULL); + socks5_init(socks5_send_connect_request_domain_spy, NULL); ret = socks5_send_connect_request(conn_stub); - inet_ntop(AF_INET6, - (struct sockaddr_in *)&req_ipv6.addr, - ip, INET6_ADDRSTRLEN); - ok(ret == 0 && req.ver == SOCKS5_VERSION && req.cmd == SOCKS5_CMD_CONNECT && req.rsv == 0 && - req.atyp == SOCKS5_ATYP_IPV6 && - strncmp(ip, "::1", INET6_ADDRSTRLEN) == 0 && - req_ipv6.port == htons(9050), + req.atyp == SOCKS5_ATYP_DOMAIN && + strncmp((char *) req_name.name, "::1", INET6_ADDRSTRLEN) == 0 && + req_name.port == htons(9050), "socks5 send connect request IPv6"); /* Domain name */

1 0

[torsocks/master] Merge remote-tracking branch 'yawning/bug23715'
by dgoulet＠torproject.org 20 Apr '18

20 Apr '18

commit 8258eac291341cf493f6ddaf5c4d8541fd57729b Merge: f7f4154 dc1d6ae Author: David Goulet <dgoulet(a)torproject.org> Date: Fri Apr 20 10:54:42 2018 -0400 Merge remote-tracking branch 'yawning/bug23715' src/common/compat.h | 4 ++++ src/lib/syscall.c | 17 +++++++++++++++++ 2 files changed, 21 insertions(+)

1 0

[torsocks/master] test: Make getpeername test connect to moria1
by dgoulet＠torproject.org 20 Apr '18

20 Apr '18

commit c32050ae282bc69bff1c959c96253ee9bc0d4c61 Author: David Goulet <dgoulet(a)torproject.org> Date: Fri Apr 20 10:51:29 2018 -0400 test: Make getpeername test connect to moria1 The other IP doesn't work anymore and I can't recall what it was ;). Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- tests/test_getpeername.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_getpeername.c b/tests/test_getpeername.c index c09e487..269d2a1 100644 --- a/tests/test_getpeername.c +++ b/tests/test_getpeername.c @@ -35,7 +35,7 @@ static void test_getpeername(void) struct sockaddr_in addrv4; struct sockaddr_storage ss; socklen_t addrlen; - const char *ip = "93.95.227.222"; + const char *ip = "128.31.0.39"; ret = pipe(pipe_fds); if (ret < 0) { @@ -60,7 +60,7 @@ static void test_getpeername(void) /* Connect socket through Tor so we can test the wrapper. */ addrv4.sin_family = AF_INET; - addrv4.sin_port = htons(443); + addrv4.sin_port = htons(9131); inet_pton(addrv4.sin_family, ip, &addrv4.sin_addr); memset(addrv4.sin_zero, 0, sizeof(addrv4.sin_zero));

1 0

[torsocks/master] Make torsocks always connect to the configured Tor port
by dgoulet＠torproject.org 20 Apr '18

20 Apr '18

commit f7f4154dd687da2285c7f0eaa1bca034c410224c Author: David Goulet <dgoulet(a)torproject.org> Date: Fri Apr 20 10:52:20 2018 -0400 Make torsocks always connect to the configured Tor port Whatever we use IPv4 or IPv6, make torsocks use the configured SocksPort in the configuration. Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/common/socks5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/socks5.c b/src/common/socks5.c index bf6019a..9f7853b 100644 --- a/src/common/socks5.c +++ b/src/common/socks5.c @@ -165,7 +165,7 @@ int socks5_connect(struct connection *conn) * the right socket family. Thus, trying to establish a connection to a * remote IPv6, we have to connect to the Tor daemon in v6. */ - switch (conn->dest_addr.domain) { + switch (tsocks_config.socks5_addr.domain) { case CONNECTION_DOMAIN_NAME: /* * For a domain name such as an onion address, use the default IPv4 to

1 0

[torsocks/master] doc: Clarify the libc limitation in README
by dgoulet＠torproject.org 20 Apr '18

20 Apr '18

commit fd7b0d71a0e9f511d2e32fde51fc4f63c5fb7000 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Fri Apr 20 09:11:05 2018 -0400 doc: Clarify the libc limitation in README Fixes #22068 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- README.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 8ad574f..dde1676 100644 --- a/README.md +++ b/README.md @@ -7,9 +7,13 @@ Torsocks allows you to use most applications in a safe way with Tor. It ensures that DNS requests are handled safely and explicitly rejects any traffic other than TCP from the application you're using. -Torsocks is an ELF shared library that is loaded before all others. The library -overrides every needed Internet communication libc function calls such as -connect(2) or gethostbyname(3). +Torsocks is an ELF shared library that is loaded before all others. The +library overrides every needed Internet communication libc function calls such +as connect(2) or gethostbyname(3). + +BE ADVISE: It uses the LD\_PRELOAD mechanism (man ld.so.8) which means that if +the application is not using the libc or for instance uses raw syscalls, +torsocks will be useless and the traffic will not go through Tor. This process is transparent to the user and if torsocks detects any communication that can't go through the Tor network such as UDP traffic, for @@ -20,7 +24,7 @@ will force the application to quit and stop everything. Requirements ----------------- - - autoconf + - autoconf - automake - libtool - gcc

1 0

[torsocks/master] accept4: Initialize libc symbol early
by dgoulet＠torproject.org 20 Apr '18

20 Apr '18

commit e4601e0f89b47c5aff9df30238a10224e8bd04a6 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Fri Apr 20 09:01:17 2018 -0400 accept4: Initialize libc symbol early Fixes #17618 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- src/lib/torsocks.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lib/torsocks.c b/src/lib/torsocks.c index 731b33c..b7e7cdd 100644 --- a/src/lib/torsocks.c +++ b/src/lib/torsocks.c @@ -234,8 +234,9 @@ static void init_libc_symbols(void) tsocks_libc_socket = dlsym(libc_ptr, LIBC_SOCKET_NAME_STR); tsocks_libc_syscall = dlsym(libc_ptr, LIBC_SYSCALL_NAME_STR); tsocks_libc_execve = dlsym(libc_ptr, LIBC_EXECVE_NAME_STR); - if (!tsocks_libc_connect || !tsocks_libc_close || !tsocks_libc_socket - || !tsocks_libc_syscall || !tsocks_libc_execve) { + tsocks_libc_accept4 = dlsym(libc_ptr, LIBC_ACCEPT4_NAME_STR); + if (!tsocks_libc_connect || !tsocks_libc_close || !tsocks_libc_socket || + !tsocks_libc_syscall || !tsocks_libc_execve || ! tsocks_libc_accept4) { ERR("Unable to lookup symbols in " LIBC_NAME "(%s)", dlerror()); goto error; }

1 0

[torsocks/master] Merge remote-tracking branch 'upstream/master'
by dgoulet＠torproject.org 20 Apr '18

20 Apr '18

commit f75543371864ae9a4d041cf3b75efa2d96e33d37 Merge: fd7b0d7 70822d0 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Fri Apr 20 09:16:48 2018 -0400 Merge remote-tracking branch 'upstream/master' README.md | 1 + src/lib/connect.c | 2 +- src/lib/torsocks.c | 4 ++-- tests/Makefile.am | 2 +- tests/test_fd_passing.c | 10 +++++++++- 5 files changed, 14 insertions(+), 5 deletions(-)

1 0

[translation/https_everywhere_completed] Update translations for https_everywhere_completed
by translation＠torproject.org 20 Apr '18

20 Apr '18

commit 5d89c23e26cee92836bf9f8c0f9388c13f5caa61 Author: Translation commit bot <translation(a)torproject.org> Date: Fri Apr 20 10:15:38 2018 +0000 Update translations for https_everywhere_completed --- es/https-everywhere.dtd | 1 + 1 file changed, 1 insertion(+) diff --git a/es/https-everywhere.dtd b/es/https-everywhere.dtd index 4491b1c0d..62195f4a4 100644 --- a/es/https-everywhere.dtd +++ b/es/https-everywhere.dtd @@ -17,6 +17,7 @@ <!ENTITY https-everywhere.options.importSettings "Importar configuraciones"> <!ENTITY https-everywhere.options.import "Importar"> <!ENTITY https-everywhere.options.enableMixedRulesets "Habilitar conjuntos de reglas de contenido mixto"> +<!ENTITY https-everywhere.options.showDevtoolsTab "Mostrar pestaña Devtools"> <!ENTITY https-everywhere.options.autoUpdateRulesets "Reglas actualizadas automáticamente"> <!ENTITY https-everywhere.options.imported "Se ha importado tu configuración">

1 0

[translation/https_everywhere] Update translations for https_everywhere
by translation＠torproject.org 20 Apr '18

20 Apr '18

commit 7373cb4ba84db1f8c37fc9a84dd4fb7aeaa4a36d Author: Translation commit bot <translation(a)torproject.org> Date: Fri Apr 20 10:15:29 2018 +0000 Update translations for https_everywhere --- es/https-everywhere.dtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/es/https-everywhere.dtd b/es/https-everywhere.dtd index 3fa3ef4f6..62195f4a4 100644 --- a/es/https-everywhere.dtd +++ b/es/https-everywhere.dtd @@ -17,7 +17,7 @@ <!ENTITY https-everywhere.options.importSettings "Importar configuraciones"> <!ENTITY https-everywhere.options.import "Importar"> <!ENTITY https-everywhere.options.enableMixedRulesets "Habilitar conjuntos de reglas de contenido mixto"> -<!ENTITY https-everywhere.options.showDevtoolsTab "Show Devtools tab"> +<!ENTITY https-everywhere.options.showDevtoolsTab "Mostrar pestaña Devtools"> <!ENTITY https-everywhere.options.autoUpdateRulesets "Reglas actualizadas automáticamente"> <!ENTITY https-everywhere.options.imported "Se ha importado tu configuración">

1 0