case CONN_TYPE_OR:
return connection_tls_start_handshake(conn, 1);
case CONN_TYPE_AP:
+ /* check sockspolicy to see if we should accept it */
+ if(socks_policy_permits_address(conn->addr) == 0) {
+ log_fn(LOG_WARN,"Denying socks connection from untrusted address %s.", conn->address);
+ return -1;
+ }
conn->state = AP_CONN_STATE_SOCKS_WAIT;
break;
case CONN_TYPE_DIR:
static int connection_ap_handshake_process_socks(connection_t *conn);
static void parse_socks_policy(void);
-static int socks_policy_permits_address(uint32_t addr);
/** Handle new bytes on conn->inbuf, or notification of eof.
*
conn->socks_request->port, exit->exit_policy);
}
+/** A helper function for socks_policy_permits_address() below.
+ *
+ * Parse options.SocksPolicy in the same way that the exit policy
+ * is parsed, and put the processed version in &socks_policy.
+ * Ignore port specifiers.
+ */
static void parse_socks_policy(void)
{
struct exit_policy_t *n;
}
}
+/** Return 1 if <b>addr</b> is permitted to connect to our socks port,
+ * based on <b>socks_policy</b>. Else return 0.
+ */
int socks_policy_permits_address(uint32_t addr)
{
int a;
return 0;
else if (a==0)
return 1;
- else if (a==1) {
- log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy");
- return 1;
- }
+ tor_assert(a==1);
+ log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy");
+ return 0;
}
/* ***** Client DNS code ***** */
void connection_ap_expire_beginning(void);
void connection_ap_attach_pending(void);
+int socks_policy_permits_address(uint32_t addr);
+
void client_dns_init(void);
uint32_t client_dns_lookup_entry(const char *address);
int client_dns_incr_failures(const char *address);
projects / thirdparty / tor.git / commitdiff
