[or-cvs] enable checking the socks policy
Roger Dingledine
arma at seul.org
Thu May 20 04:16:46 UTC 2004
Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/or
Modified Files:
connection.c connection_edge.c or.h
Log Message:
enable checking the socks policy
Index: connection.c
===================================================================
RCS file: /home/or/cvsroot/src/or/connection.c,v
retrieving revision 1.227
retrieving revision 1.228
diff -u -d -r1.227 -r1.228
--- connection.c 20 May 2004 02:42:49 -0000 1.227
+++ connection.c 20 May 2004 04:16:43 -0000 1.228
@@ -429,6 +429,11 @@
case CONN_TYPE_OR:
return connection_tls_start_handshake(conn, 1);
case CONN_TYPE_AP:
+ /* check sockspolicy to see if we should accept it */
+ if(socks_policy_permits_address(conn->addr) == 0) {
+ log_fn(LOG_WARN,"Denying socks connection from untrusted address %s.", conn->address);
+ return -1;
+ }
conn->state = AP_CONN_STATE_SOCKS_WAIT;
break;
case CONN_TYPE_DIR:
Index: connection_edge.c
===================================================================
RCS file: /home/or/cvsroot/src/or/connection_edge.c,v
retrieving revision 1.190
retrieving revision 1.191
diff -u -d -r1.190 -r1.191
--- connection_edge.c 20 May 2004 02:42:49 -0000 1.190
+++ connection_edge.c 20 May 2004 04:16:43 -0000 1.191
@@ -17,7 +17,6 @@
static int connection_ap_handshake_process_socks(connection_t *conn);
static void parse_socks_policy(void);
-static int socks_policy_permits_address(uint32_t addr);
/** Handle new bytes on conn->inbuf, or notification of eof.
*
@@ -785,6 +784,12 @@
conn->socks_request->port, exit->exit_policy);
}
+/** A helper function for socks_policy_permits_address() below.
+ *
+ * Parse options.SocksPolicy in the same way that the exit policy
+ * is parsed, and put the processed version in &socks_policy.
+ * Ignore port specifiers.
+ */
static void parse_socks_policy(void)
{
struct exit_policy_t *n;
@@ -800,6 +805,9 @@
}
}
+/** Return 1 if <b>addr</b> is permitted to connect to our socks port,
+ * based on <b>socks_policy</b>. Else return 0.
+ */
int socks_policy_permits_address(uint32_t addr)
{
int a;
@@ -811,10 +819,9 @@
return 0;
else if (a==0)
return 1;
- else if (a==1) {
- log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy");
- return 1;
- }
+ tor_assert(a==1);
+ log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy");
+ return 0;
}
/* ***** Client DNS code ***** */
Index: or.h
===================================================================
RCS file: /home/or/cvsroot/src/or/or.h,v
retrieving revision 1.352
retrieving revision 1.353
diff -u -d -r1.352 -r1.353
--- or.h 20 May 2004 02:42:49 -0000 1.352
+++ or.h 20 May 2004 04:16:43 -0000 1.353
@@ -1044,6 +1044,8 @@
void connection_ap_expire_beginning(void);
void connection_ap_attach_pending(void);
+int socks_policy_permits_address(uint32_t addr);
+
void client_dns_init(void);
uint32_t client_dns_lookup_entry(const char *address);
int client_dns_incr_failures(const char *address);
More information about the tor-commits
mailing list