On 14 Jan (16:25:17), Tim Ruehsen wrote:
Upps, I made a last second failure...
Here is the amended (and working) patch.
Hey! Sorry for the delayed response, too many things at once! :) I've done some fixes on the patch that I'll be merging in a jiffy, I've outlined them to you below. (mostly syntax thingy...)
Tim
On Wednesday 14 January 2015 14:55:58 Tim Ruehsen wrote:
Hi,
no answer yet, so I created a first 'works for me' patch to let torified TFO aware clients not leak silently.
(I hope I am on the right list here)
Please review and apply|comment.
On Tuesday 13 January 2015 15:25:35 Tim Ruehsen wrote:
Hi,
I tried to torify my wget-like application (https://github.com/rockdaboot/mget) and after some struggling I found that TFO is enabled by default (where available).
I guess, the problem is TFO not using connect() but sendto().
Please enlighten me, what I can do (despite turning off TFO).
Is it worth a patch or do you think patching libtorsocks has pitfalls or unwanted side-effects ?
From 3a775bf43d970c01fb955d7169f0da98be0a297c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> Date: Wed, 14 Jan 2015 14:48:37 +0100 Subject: [PATCH] Allow TCP Fast Open clients go through tor.
This patch prevents TFO clients to silently leak when torified. TFO uses sendto() instead of connect()/send(). --- src/lib/Makefile.am | 2 +- src/lib/sendto.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++ src/lib/torsocks.h | 19 +++++++++++++- 3 files changed, 94 insertions(+), 2 deletions(-) create mode 100644 src/lib/sendto.c
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index d64b3f6..6e137f3 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -9,6 +9,6 @@ lib_LTLIBRARIES = libtorsocks.la libtorsocks_la_SOURCES = torsocks.c torsocks.h \ connect.c gethostbyname.c getaddrinfo.c close.c \ getpeername.c socket.c syscall.c socketpair.c recv.c \ - exit.c accept.c listen.c fclose.c + exit.c accept.c listen.c fclose.c sendto.c
libtorsocks_la_LIBADD = $(top_builddir)/src/common/libcommon.la diff --git a/src/lib/sendto.c b/src/lib/sendto.c new file mode 100644 index 0000000..af2550a --- /dev/null +++ b/src/lib/sendto.c @@ -0,0 +1,75 @@ +/* + * Copyright (C) 2015 - Tim R?hsen <tim.ruehsen@gmx.de> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License, version 2 only, as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 51 + * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include <assert.h> + +#include <common/log.h> +#include <common/utils.h> + +#include "torsocks.h" + +/* + * Using TCP Fast Open (TFO) uses sendto() instead of connect() with 'flags' + * set to MSG_FASTOPEN. Without this code, using TFO simply bypasses TOR + * without letting the user know. + * + * This solution simply ignores TFO and falls back to connect(). + * At the time the TOR server supports TFO, socks5.c (client code) could + * implement it in send_data() and connect_socks5().
Could you simply clarify this for me meaning what's needed in socks5 code for TFO to be supported? (no need for an extra comments, just how would I do that :)
+ */ + +/* sendto(2) + * args: int sockfd, const void *buf, size_t len, int flags, + * const struct sockaddr *dest_addr, socklen_t addrlen + */ +TSOCKS_LIBC_DECL(sendto, LIBC_SENDTO_RET_TYPE, LIBC_SENDTO_SIG) + +/* + * Torsocks call for sendto(2). + */ +LIBC_SENDTO_RET_TYPE tsocks_sendto(LIBC_SENDTO_SIG) +{ +#ifdef MSG_FASTOPEN + int ret; + + if ((flags&MSG_FASTOPEN) == 0) { + /* No TFO, fallback to libc sendto() */ + goto libc_sendto; + } + + DBG("TFO Sendto catched on fd %d", sockfd); + + ret = connect(sockfd, dest_addr, addrlen); + if (ret == 0) { + /* connection established, send payload */ + ret = send(sockfd, buf, len, flags&~MSG_FASTOPEN); + } + + return ret; + +libc_sendto: +#endif /* ifdef MSG_FASTOPEN */ + return tsocks_libc_sendto(LIBC_SENDTO_ARGS);
That symbol needs to be looked up (dlsym()) before you can use it so I did that in the function below. See accept.c how we do that. Big thanks for that! Really appreciated and one less leak also! :) Cheers! David