From: Roger Dingledine Date: Thu, 20 May 2004 04:16:43 +0000 (+0000) Subject: enable checking the socks policy X-Git-Tag: tor-0.0.7rc1~39 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b6faca2268712ba73aa18f7fc99ed106e107f57d;p=thirdparty%2Ftor.git enable checking the socks policy svn:r1906 --- diff --git a/src/or/connection.c b/src/or/connection.c index 49576eba33..e868a43bf9 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -429,6 +429,11 @@ static int connection_init_accepted_conn(connection_t *conn) { case CONN_TYPE_OR: return connection_tls_start_handshake(conn, 1); case CONN_TYPE_AP: + /* check sockspolicy to see if we should accept it */ + if(socks_policy_permits_address(conn->addr) == 0) { + log_fn(LOG_WARN,"Denying socks connection from untrusted address %s.", conn->address); + return -1; + } conn->state = AP_CONN_STATE_SOCKS_WAIT; break; case CONN_TYPE_DIR: diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 8de0d6d9ba..82e28e4091 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -17,7 +17,6 @@ static struct exit_policy_t *socks_policy = NULL; static int connection_ap_handshake_process_socks(connection_t *conn); static void parse_socks_policy(void); -static int socks_policy_permits_address(uint32_t addr); /** Handle new bytes on conn->inbuf, or notification of eof. * @@ -785,6 +784,12 @@ int connection_ap_can_use_exit(connection_t *conn, routerinfo_t *exit) conn->socks_request->port, exit->exit_policy); } +/** A helper function for socks_policy_permits_address() below. + * + * Parse options.SocksPolicy in the same way that the exit policy + * is parsed, and put the processed version in &socks_policy. + * Ignore port specifiers. + */ static void parse_socks_policy(void) { struct exit_policy_t *n; @@ -800,6 +805,9 @@ static void parse_socks_policy(void) } } +/** Return 1 if addr is permitted to connect to our socks port, + * based on socks_policy. Else return 0. + */ int socks_policy_permits_address(uint32_t addr) { int a; @@ -811,10 +819,9 @@ int socks_policy_permits_address(uint32_t addr) return 0; else if (a==0) return 1; - else if (a==1) { - log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy"); - return 1; - } + tor_assert(a==1); + log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy"); + return 0; } /* ***** Client DNS code ***** */ diff --git a/src/or/or.h b/src/or/or.h index db1f58173f..149c197d5f 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1044,6 +1044,8 @@ int connection_ap_can_use_exit(connection_t *conn, routerinfo_t *exit); void connection_ap_expire_beginning(void); void connection_ap_attach_pending(void); +int socks_policy_permits_address(uint32_t addr); + void client_dns_init(void); uint32_t client_dns_lookup_entry(const char *address); int client_dns_incr_failures(const char *address);