[Pkg-privacy-commits] [onioncat] 303/340: Added option -U for unidirectional connections which is a severe security improvement.
Ximin Luo
infinity0 at moszumanska.debian.org
Sat Aug 22 13:04:50 UTC 2015
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch debian
in repository onioncat.
commit be2e8ba4180af932e96194cdc1783af88c72e446
Author: eagle <eagle at 58e1ccc2-750e-0410-8d0d-f93ca75ab447>
Date: Mon May 20 08:11:59 2013 +0000
Added option -U for unidirectional connections which is a severe security improvement.
git-svn-id: https://www.cypherpunk.at/svn/onioncat/trunk@555 58e1ccc2-750e-0410-8d0d-f93ca75ab447
---
configure | 22 +++++++++++-----------
src/ocat.c | 7 ++++++-
src/ocat.h | 4 ++++
src/ocatroute.c | 4 ++--
src/ocatsetup.c | 6 +++++-
5 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/configure b/configure
index 4963e95..535c824 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for onioncat 0.2.2.r554.
+# Generated by GNU Autoconf 2.68 for onioncat 0.2.2.r555.
#
# Report bugs to <rahra at cypherpunk.at>.
#
@@ -559,8 +559,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='onioncat'
PACKAGE_TARNAME='onioncat'
-PACKAGE_VERSION='0.2.2.r554'
-PACKAGE_STRING='onioncat 0.2.2.r554'
+PACKAGE_VERSION='0.2.2.r555'
+PACKAGE_STRING='onioncat 0.2.2.r555'
PACKAGE_BUGREPORT='rahra at cypherpunk.at'
PACKAGE_URL=''
@@ -1221,7 +1221,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures onioncat 0.2.2.r554 to adapt to many kinds of systems.
+\`configure' configures onioncat 0.2.2.r555 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1291,7 +1291,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of onioncat 0.2.2.r554:";;
+ short | recursive ) echo "Configuration of onioncat 0.2.2.r555:";;
esac
cat <<\_ACEOF
@@ -1384,7 +1384,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-onioncat configure 0.2.2.r554
+onioncat configure 0.2.2.r555
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -1694,7 +1694,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by onioncat $as_me 0.2.2.r554, which was
+It was created by onioncat $as_me 0.2.2.r555, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
@@ -2509,7 +2509,7 @@ fi
# Define the identity of the package.
PACKAGE='onioncat'
- VERSION='0.2.2.r554'
+ VERSION='0.2.2.r555'
cat >>confdefs.h <<_ACEOF
@@ -2553,7 +2553,7 @@ ac_config_headers="$ac_config_headers config.h"
-$as_echo "#define SVN_REVISION \"554\"" >>confdefs.h
+$as_echo "#define SVN_REVISION \"555\"" >>confdefs.h
@@ -5086,7 +5086,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by onioncat $as_me 0.2.2.r554, which was
+This file was extended by onioncat $as_me 0.2.2.r555, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -5152,7 +5152,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-onioncat config.status 0.2.2.r554
+onioncat config.status 0.2.2.r555
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
diff --git a/src/ocat.c b/src/ocat.c
index dbcc0ac..2ad5d80 100644
--- a/src/ocat.c
+++ b/src/ocat.c
@@ -47,6 +47,7 @@ void usage(const char *s)
#ifndef WITHOUT_TUN
" -T <tun_device> path to tun character device, default = \"%s\"\n"
#endif
+ " -U connections are unidirectional\n"
" -u <user> change UID to user, default = \"%s\"\n"
" -4 enable IPv4 support (default = %d)\n"
, CNF(version), s,
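Review bot: The new help line `-U connections are unidirectional` gives an operator no hint that this is the security-relevant switch or that it is off unless given, whereas the neighbouring options print their defaults. I would word it along the lines of `" -U                    unidirectional connections, peer addresses are not learned from incoming frames (default = %d)\n"` and pass `CNF(unidirectional)` at the matching position in the argument list. That list begins on the last line of this hunk and continues outside it, so the position has to be checked against the full usage() body.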
@@ -326,7 +327,7 @@ int parse_opt(int argc, char *argv[])
log_debug("parse_opt_early()");
opterr = 1;
optind = 1;
- while ((c = getopt(argc, argv, "f:IabBCd:hHrRiopl:t:T:s:u:4L:P:")) != -1)
+ while ((c = getopt(argc, argv, "f:IabBCd:hHrRiopl:t:T:s:Uu:4L:P:")) != -1)
{
log_debug("getopt(): c = %c, optind = %d, opterr = %d, optarg = \"%s\"", c, optind, opterr, SSTR(optarg));
switch (c)
@@ -419,6 +420,10 @@ int parse_opt(int argc, char *argv[])
break;
#endif
+ case 'U':
+ CNF(unidirectional) = 1;
+ break;
+
case 'u':
CNF(usrname) = optarg;
break;
diff --git a/src/ocat.h b/src/ocat.h
index 7a95d06..46a47c7 100644
--- a/src/ocat.h
+++ b/src/ocat.h
@@ -348,6 +348,10 @@ struct OcatSetup
//! pipe filedescriptors for pid deletion process
int pid_fd[2];
int sig_usr1, clear_stats;
+ /*! Define if OC connection should be used uni- or bidirectional.
+ Bidirectional has a faster setup time but unidirectional is more safe in
+ respect to security because both ends are verfied. */
+ int unidirectional;
int hosts_lookup;
struct in6_addr oc_vdns;
};
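Review bot: The doc comment on `unidirectional` does not say which value selects which mode, and it contains the typo `verfied`. The field is a plain `int` that the other hunks initialise to 0 and set to 1 for -U, so I would state that explicitly, e.g. open the comment with `/*! Non-zero: connections are used unidirectionally (option -U); 0: bidirectional.` and keep the existing trade-off sentence with `verified` spelled correctly. `struct OcatSetup` starts outside this hunk.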
diff --git a/src/ocatroute.c b/src/ocatroute.c
index 7d00d4f..fbbf682 100644
--- a/src/ocatroute.c
+++ b/src/ocatroute.c
@@ -468,8 +468,8 @@ void *socket_receiver(void *p)
break;
}
- // set IP address if it is not set yet and frame is valid
- if (!drop && IN6_IS_ADDR_UNSPECIFIED(&peer->addr))
+ // set IP address if it is not set yet and frame is valid and in bidirectional mode
+ if (!CNF(unidirectional) && !drop && IN6_IS_ADDR_UNSPECIFIED(&peer->addr))
{
if (*peer->tunhdr == CNF(fhd_key[IPV6_KEY]))
{
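Review bot: The added `!CNF(unidirectional)` term only suppresses learning `peer->addr` from the first valid frame; nothing in this hunk shows what happens to the frame itself when the address stays unspecified. The rest of socket_receiver lies outside the hunk, so it should be confirmed there that in unidirectional mode such a peer is never selected for outgoing traffic, and whether inbound packets are still forwarded with a source address that nobody has verified. A why-comment on the condition would help the next reader, for example `// unidirectional: never bind an inbound peer to the source address it claims, the claim is unverified`. In the default bidirectional mode the address bound here is presumably still whatever the remote end put into the frame, which is the exposure the option exists to close.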
diff --git a/src/ocatsetup.c b/src/ocatsetup.c
index 4399ee4..90dc6b9 100644
--- a/src/ocatsetup.c
+++ b/src/ocatsetup.c
@@ -122,6 +122,8 @@ struct OcatSetup setup_ =
{-1, -1},
// sig_usr1, clear_stats
0, 0,
+ // unidirectional
+ 0,
// hosts_lookup
1
};
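Review bot: The initializer sets `unidirectional` to `0`, so the stricter mode described in the commit message is opt-in and an installation that does not pass -U keeps the previous behaviour. If that default is deliberate, the comment should say so, e.g. `// unidirectional (0 = bidirectional, the default; -U sets 1)`. Separately, the value is placed by position between `clear_stats` and `hosts_lookup`, which stays correct only while the member order in `struct OcatSetup` matches. A designated initializer such as `.unidirectional = 0,` would not depend on that order, although converting the initializer, which starts outside this hunk, is a larger change.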
@@ -272,6 +274,7 @@ void print_setup_struct(FILE *f)
"pid_fd[2] = {%d, %d}\n"
"clear_stats = %d\n"
"ctrl_listen_cnt = %d\n"
+ "unidirectional = %d\n"
"hosts_lookup = %d\n"
,
IPV4_KEY, ntohl(setup_.fhd_key[IPV4_KEY]), IPV6_KEY, ntohl(setup_.fhd_key[IPV6_KEY]),
@@ -311,6 +314,7 @@ void print_setup_struct(FILE *f)
setup_.pid_fd[0], setup_.pid_fd[1],
setup_.clear_stats,
setup_.ctrl_listen_cnt,
+ setup_.unidirectional,
setup_.hosts_lookup
);
@@ -352,7 +356,7 @@ void print_setup_struct(FILE *f)
}
inet_ntop(AF_INET6, &setup_.oc_vdns, ip6, SBUF);
- fprintf(f, "ocat_dir = %s\n", ip6);
+ fprintf(f, "oc_vdns = %s\n", ip6);
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/onioncat.git