[tor-dev] [PATCH] torify/torsocks and TCP Fast Open

David Goulet dgoulet at ev0ke.net
Wed Jan 21 20:26:56 UTC 2015


On 14 Jan (16:25:17), Tim Ruehsen wrote:
> Upps, I made a last second failure...
> 
> Here is the amended (and working) patch.

Hey!

Sorry for the delayed response, too many things at once! :)

I've done some fixes on the patch that I'll be merging in a jiffy, I've
outlined them to you below. (mostly syntax thingy...)

> 
> Tim
> 
> On Wednesday 14 January 2015 14:55:58 Tim Ruehsen wrote:
> > Hi,
> > 
> > no answer yet, so I created a first 'works for me' patch to let torified TFO
> > aware clients not leak silently.
> > 
> > (I hope I am on the right list here)
> > 
> > Please review and apply|comment.
> > 
> > On Tuesday 13 January 2015 15:25:35 Tim Ruehsen wrote:
> > > Hi,
> > > 
> > > I tried to torify my wget-like application
> > > (https://github.com/rockdaboot/mget) and after some struggling I found
> > > that
> > > TFO is enabled by default (where available).
> > > 
> > > I guess, the problem is TFO not using connect() but sendto().
> > > 
> > > Please enlighten me, what I can do (despite turning off TFO).
> > > 
> > > Is it worth a patch or do you think patching libtorsocks has pitfalls or
> > > unwanted side-effects ?

> From 3a775bf43d970c01fb955d7169f0da98be0a297c Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen at gmx.de>
> Date: Wed, 14 Jan 2015 14:48:37 +0100
> Subject: [PATCH] Allow TCP Fast Open clients go through tor.
> 
> This patch prevents TFO clients to silently leak when torified.
> TFO uses sendto() instead of connect()/send().
> ---
>  src/lib/Makefile.am |  2 +-
>  src/lib/sendto.c    | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++
>  src/lib/torsocks.h  | 19 +++++++++++++-
>  3 files changed, 94 insertions(+), 2 deletions(-)
>  create mode 100644 src/lib/sendto.c
> 
> diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
> index d64b3f6..6e137f3 100644
> --- a/src/lib/Makefile.am
> +++ b/src/lib/Makefile.am
> @@ -9,6 +9,6 @@ lib_LTLIBRARIES = libtorsocks.la
>  libtorsocks_la_SOURCES = torsocks.c torsocks.h \
>                           connect.c gethostbyname.c getaddrinfo.c close.c \
>                           getpeername.c socket.c syscall.c socketpair.c recv.c \
> -                         exit.c accept.c listen.c fclose.c
> +                         exit.c accept.c listen.c fclose.c sendto.c
>  
>  libtorsocks_la_LIBADD = $(top_builddir)/src/common/libcommon.la
> diff --git a/src/lib/sendto.c b/src/lib/sendto.c
> new file mode 100644
> index 0000000..af2550a
> --- /dev/null
> +++ b/src/lib/sendto.c
> @@ -0,0 +1,75 @@
> +/*
> + * Copyright (C) 2015 - Tim R?hsen <tim.ruehsen at gmx.de>
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of the GNU General Public License, version 2 only, as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful, but WITHOUT
> + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
> + * more details.
> + *
> + * You should have received a copy of the GNU General Public License along with
> + * this program; if not, write to the Free Software Foundation, Inc., 51
> + * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> + */
> +
> +#include <assert.h>
> +
> +#include <common/log.h>
> +#include <common/utils.h>
> +
> +#include "torsocks.h"
> +
> +/*
> + * Using TCP Fast Open (TFO) uses sendto() instead of connect() with 'flags'
> + * set to MSG_FASTOPEN. Without this code, using TFO simply bypasses TOR
> + * without letting the user know.
> + *
> + * This solution simply ignores TFO and falls back to connect().
> + * At the time the TOR server supports TFO, socks5.c (client code) could
> + * implement it in send_data() and connect_socks5().

Could you simply clarify this for me, meaning what's needed in socks5
code for TFO to be supported? (no need for an extra comment, just how
would I do that :)

> + */
> +
> +/* sendto(2)
> + * args: int sockfd, const void *buf, size_t len, int flags,
> + *       const struct sockaddr *dest_addr, socklen_t addrlen
> + */
> +TSOCKS_LIBC_DECL(sendto, LIBC_SENDTO_RET_TYPE, LIBC_SENDTO_SIG)
> +
> +/*
> + * Torsocks call for sendto(2).
> + */
> +LIBC_SENDTO_RET_TYPE tsocks_sendto(LIBC_SENDTO_SIG)
> +{
> +#ifdef MSG_FASTOPEN
> +	int ret;
> +
> +	if ((flags&MSG_FASTOPEN) == 0) {
> +		/* No TFO, fallback to libc sendto() */
> +		goto libc_sendto;
> +	}
> +
> +	DBG("TFO Sendto catched on fd %d", sockfd);
> +
> +	ret = connect(sockfd, dest_addr, addrlen);
> +	if (ret == 0) {
> +		/* connection established, send payload */
> +		ret = send(sockfd, buf, len, flags&~MSG_FASTOPEN);
> +	}
> +
> +	return ret;
> +
> +libc_sendto:
> +#endif /* ifdef MSG_FASTOPEN */
> +	return tsocks_libc_sendto(LIBC_SENDTO_ARGS);
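
Review bot: In the MSG_FASTOPEN branch of tsocks_sendto(), only `ret == 0` from connect() is handled, so on a non-blocking socket, where connect() normally returns -1 with errno set to EINPROGRESS, the payload in buf is never sent and the caller only sees -1. Either document in the function comment that the caller has to resend once the connection completes, or handle that case explicitly. The branch also hands dest_addr and addrlen to connect() without checking that dest_addr is non-NULL. Style: put spaces around the operator in `flags&MSG_FASTOPEN` and `flags&~MSG_FASTOPEN`, change "catched" to "caught" in the DBG() message, and drop `#include <assert.h>` if nothing in the file uses assert().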

That symbol needs to be looked up (dlsym()) before you can use it so I
did that in the function below. See accept.c how we do that.

Big thanks for that! Really appreciated and one less leak also! :)

Cheers!
David