Ticket #4806: 0001-Adds-support-for-checking-ipv6-tempaddr-usage.patch

File 0001-Adds-support-for-checking-ipv6-tempaddr-usage.patch, 4.7 KB (added by cypherpunks, 7 years ago)
  • configure.in

    From 67ac2acfdbac0376d2632f27f5b66394f7a1fb24 Mon Sep 17 00:00:00 2001
    From: Aki Tuomi <cmouse@cmouse.fi>
    Date: Thu, 23 Aug 2012 23:45:34 +0300
    Subject: [PATCH 1/3] Adds support for checking ipv6 tempaddr usage.
     Signed-off-by: Aki Tuomi <cmouse@cmouse.fi>
    
    ---
     configure.in        |    3 +-
     src/common/compat.c |  107 +++++++++++++++++++++++++++++++++++++++++++++++++++
     src/common/compat.h |    1 +
     src/or/main.c       |    7 ++++
     4 files changed, 117 insertions(+), 1 deletion(-)
    
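--- a/configure.in
+++ b/configure.in
@@ -687,7 +687,8 @@ AC_CHECK_HEADERS(
         sys/utime.h \
         sys/wait.h \
         syslog.h \
-        utime.h
+        utime.h \
+        dirent.h
 )
 
 AC_CHECK_HEADERS(sys/param.h)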
  • src/common/compat.c

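--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -59,6 +59,14 @@
 #include <crt_externs.h>
 #endif
 
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
 #ifndef HAVE_GETTIMEOFDAY
 #ifdef HAVE_FTIME
 #include <sys/timeb.h>
@@ -3090,3 +3098,102 @@ format_win32_error(DWORD err)
 }
 #endif
 
+/**
+ * Checks for any interface(s) that do not have use_tempaddr set
+ * enabling possible leak of MAC address. Logging can be enabled
+ * setting verbose to 1.
+ *
+ * Returns -1 on error, 0 on success/non-applicable, or
+ * number of interfaces that have failed.
+ */
+#ifdef _WIN32
+int
+check_ipv6_tempaddr(int verbose)
+{
+  return 0;
+}
+#elif HAVE_DIRENT_H && HAVE_SYS_STAT_H
+int
+check_ipv6_tempaddr(int verbose)
+{
+  struct stat buf;
+  DIR *dir;
+  struct dirent *ent;
+  int n_of_interfaces;
+
+  /* check for proc access */
+  if (stat("/proc/sys/net/ipv6", &buf) == -1) {
+    return 0; /* no ipv6 enabled, or no proc fs */
+  }
+
+  /* then we check the interfaces */
+  dir = opendir("/proc/sys/net/ipv6/conf");
+  if (dir == NULL) {
+    if (verbose != 0)
+      log_warn(LD_GENERAL, "Could not open /proc/sys/net/ipv6/conf");
+    return -1;
+  }
+
+  n_of_interfaces = 0;
+  while ((ent = readdir(dir) ) != NULL) {
+     char fname[1024] = {0};
+
+     /* skip dot-files */
+     if (ent->d_name[0] == '.') continue;
+     /* not an interface */
+     if (!strncmp(ent->d_name, "all", 3) ||
+         /* not an interface */
+         !strncmp(ent->d_name, "default", 7) ||
+         /* localhost is not outbound */
+         !strncmp(ent->d_name, "lo", 2)) continue;
+
+     snprintf(fname, sizeof fname, "%s/%s", "/proc/sys/net/ipv6/conf",
+              ent->d_name);
+     if (stat(fname, &buf) == 0) {
+       if (!S_ISDIR(buf.st_mode)) continue; /* not a directory */
+     } else {
+       continue; /* not accessible */
+     }
+
+     snprintf(fname, sizeof fname, "%s/%s/use_tempaddr",
+              "/proc/sys/net/ipv6/conf", ent->d_name);
+     if (stat(fname, &buf) == 0) {
+        int state;
+        FILE *f;
+        /* read the value */
+        f = fopen(fname, "r");
+        if (f == NULL) {
+           if (verbose)
+             log_warn(LD_GENERAL, "Cannot check use_tempaddr for interface %s",
+                      ent->d_name);
+           continue;
+        }
+        state = 0;
+        if (fscanf(f, "%d", &state) == 1) {
+           if (state == 0) {
+             n_of_interfaces++;
+             if (verbose)
+                log_warn(LD_GENERAL, "Interface %s might expose your MAC \
+address to world, you can fix this with \
+sysctl -p net.ipv6.conf.%s.use_tempaddr=2", ent->d_name, ent->d_name);
+           }
+        } else {
+            if (verbose)
+              log_warn(LD_GENERAL,
+                       "Cannot check use_tempaddr for interface %s",
+                       ent->d_name);
+        }
+        fclose(f);
+     }
+  }
+  closedir(dir);
+  return n_of_interfaces;
+}
+#else
+int
+check_ipv6_tempaddr(int verbose)
+{
+  return 0;
+}
+#endif
+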
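Review bot: The skip list in check_ipv6_tempaddr uses strncmp with the literal's own length, which is a prefix test: `!strncmp(ent->d_name, "lo", 2)` also skips every interface whose name merely begins with "lo", and the "all"/"default" tests behave the same way, so such interfaces are silently never checked. Compare whole names instead: `if (!strcmp(ent->d_name, "all") || !strcmp(ent->d_name, "default") || !strcmp(ent->d_name, "lo")) continue;`. The remediation text in the log_warn names `sysctl -p`, which loads settings from a file; setting one value is `sysctl -w net.ipv6.conf.%s.use_tempaddr=2`. The `state == 0` test presumably should be `state <= 0`, since the kernel's ip-sysctl documentation describes values at or below zero as disabling privacy extensions — confirm before changing. The `verbose != 0` on the opendir failure path and the bare `verbose` everywhere else would read better as one form.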
  • src/common/compat.h

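--- a/src/common/compat.h
+++ b/src/common/compat.h
@@ -692,3 +692,4 @@ char *format_win32_error(DWORD err);
 
 #endif
 
+int check_ipv6_tempaddr(int);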
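Review bot: The new prototype drops the parameter name, so a reader of the header cannot tell what the int means without opening compat.c; keep it as in the definition, `int check_ipv6_tempaddr(int verbose);`. The return contract (-1 on error, 0 when not applicable, otherwise the number of interfaces with use_tempaddr disabled) lives only in the compat.c comment, and the header is where callers look, so a short `/** ... */` comment repeating it here would help.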
  • src/or/main.c

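--- a/src/or/main.c
+++ b/src/or/main.c
@@ -63,6 +63,10 @@
 #include <event2/bufferevent.h>
 #endif
 
+#ifdef HAVE_DIRENT_H
+#include <dirent.h>
+#endif
+
 void evdns_shutdown(int);
 
 /********* PROTOTYPES **********/
@@ -1850,6 +1854,9 @@ do_main_loop(void)
   int loop_result;
   time_t now;
 
+  /* check for IPv6 tempaddr use, in verbose mode */
+  check_ipv6_tempaddr(1);
+
   /* initialize dns resolve map, spawn workers if needed */
   if (dns_init() < 0) {
     if (get_options()->ServerDNSAllowBrokenConfig)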
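Review bot: The result of `check_ipv6_tempaddr(1)` in do_main_loop is discarded, so the -1 error return and the interface count that compat.c documents never reach a caller, and the call has effect only through the warnings the function logs itself. Either act on the value or make the intent explicit, e.g. `(void) check_ipv6_tempaddr(1); /* result ignored on purpose; the check logs its own warnings */`. The `#include <dirent.h>` added in the first hunk is not needed in main.c: this file only calls the function through the compat.h prototype, and the dirent usage lives in compat.c. do_main_loop starts outside the hunk, so how often this runs per process is not visible here; if it can run more than once, the warning would repeat on each entry.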