[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] warn if we use an unsafe socks variant



Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/or

Modified Files:
	buffers.c 
Log Message:
warn if we use an unsafe socks variant
for now, warn every time. we should decide how often we want to warn;
one problem here is that there are several scenarios where we use an
unsafe socks variant safely, so the warning may be inaccurate. hm.


Index: buffers.c
===================================================================
RCS file: /home/or/cvsroot/src/or/buffers.c,v
retrieving revision 1.98
retrieving revision 1.99
diff -u -d -r1.98 -r1.99
--- buffers.c	12 Jul 2004 16:51:05 -0000	1.98
+++ buffers.c	3 Aug 2004 23:42:33 -0000	1.99
@@ -409,6 +409,10 @@
   return 1;
 }
 
+/** If the user connects with socks4 or the wrong variant of socks5,
+ * then log one warning to let him know that it might be unwise. */
+static int have_warned_about_unsafe_socks = 0;
+
 /** There is a (possibly incomplete) socks handshake on <b>buf</b>, of one
  * of the forms
  *  - socks4: "socksheader username\\0"
@@ -480,6 +484,10 @@
           log_fn(LOG_DEBUG,"socks5: ipv4 address type");
           if(buf->datalen < 10) /* ip/port there? */
             return 0; /* not yet */
+          if(!have_warned_about_unsafe_socks) {
+            log_fn(LOG_WARN,"Your application is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead.");
+//            have_warned_about_unsafe_socks = 1; // (for now, warn every time)
+          }
           destip = ntohl(*(uint32_t*)(buf->mem+4));
           in.s_addr = htonl(destip);
           tmpbuf = inet_ntoa(in);
@@ -556,6 +564,10 @@
       }
 
       startaddr = next+1;
+      if(socks4_prot != socks4a && !have_warned_about_unsafe_socks) {
+        log_fn(LOG_WARN,"Your application is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead.");
+//      have_warned_about_unsafe_socks = 1; // (for now, warn every time)
+      }
       if(socks4_prot == socks4a) {
         next = memchr(startaddr, 0, buf->mem+buf->datalen-startaddr);
         if(!next) {