Implement proposal 351

This proposal adds new syntax to the SOCKS5 username/password extension scheme,
so that requests with usernames starting with <torS0X> are now reserved.

For C tor, all we need to do is reject every username starting with <torS0X>
unless it is exactly "<torS0X>0".
This commit is contained in:
Nick Mathewson 2024-09-09 17:00:50 -04:00
parent 17a70ab7c5
commit 3dfbacc7b6
2 changed files with 20 additions and 0 deletions

7
changes/prop351 Normal file
View File

@ -0,0 +1,7 @@
o Minor features (SOCKS):
- Detect invalid SOCKS5 username/password combinations according to
new extended parameters syntax. (Currently, this rejects any
SOCKS5 username beginning with "<torS0X>", except for the username
"<torS0X>0". Such usernames are now reserved to communicate additional
parameters with other Tor implementations.)
Implements proposal 351.

View File

@ -451,6 +451,19 @@ parse_socks5_userpass_auth(const uint8_t *raw_data, socks_request_t *req,
const char *password =
socks5_client_userpass_auth_getconstarray_passwd(trunnel_req);
/* Detect invalid SOCKS5 extended-parameter requests. */
if (usernamelen >= 8 &&
tor_memeq(username, "<torS0X>", 8)) {
/* This is indeed an extended-parameter request. */
if (usernamelen != 9 ||
tor_memneq(username, "<torS0X>0", 9)) {
/* This request is an unrecognized version, or it includes an Arti RPC
* object ID (which we do not recognize). */
res = SOCKS_RESULT_INVALID;
goto end;
}
}
if (usernamelen && username) {
tor_free(req->username);
req->username = tor_memdup_nulterm(username, usernamelen);