[or-cvs] enable checking the socks policy
Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/or
Modified Files:
connection.c connection_edge.c or.h
Log Message:
enable checking the socks policy
Index: connection.c
===================================================================
RCS file: /home/or/cvsroot/src/or/connection.c,v
retrieving revision 1.227
retrieving revision 1.228
diff -u -d -r1.227 -r1.228
--- connection.c 20 May 2004 02:42:49 -0000 1.227
+++ connection.c 20 May 2004 04:16:43 -0000 1.228
@@ -429,6 +429,11 @@
case CONN_TYPE_OR:
return connection_tls_start_handshake(conn, 1);
case CONN_TYPE_AP:
+ /* check sockspolicy to see if we should accept it */
+ if(socks_policy_permits_address(conn->addr) == 0) {
+ log_fn(LOG_WARN,"Denying socks connection from untrusted address %s.", conn->address);
+ return -1;
+ }
conn->state = AP_CONN_STATE_SOCKS_WAIT;
break;
case CONN_TYPE_DIR:
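Review bot: The new denial path logs at LOG_WARN for every rejected connection, so anyone who can reach the SOCKS listener can emit one warning line per accept() and flood the log with unauthenticated traffic; the event is worth recording, but it should be rate-limited or demoted, e.g. `log_fn(LOG_INFO,"Denying socks connection from untrusted address %s.", conn->address);` if no rate-limiting helper is available. The placement is otherwise right: the policy is consulted before conn->state becomes AP_CONN_STATE_SOCKS_WAIT, so no SOCKS bytes from a denied peer are ever parsed, and the `return -1` presumably makes the caller close the connection, though that caller is not visible here. The enclosing switch and its function begin and end outside this hunk.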
Index: connection_edge.c
===================================================================
RCS file: /home/or/cvsroot/src/or/connection_edge.c,v
retrieving revision 1.190
retrieving revision 1.191
diff -u -d -r1.190 -r1.191
--- connection_edge.c 20 May 2004 02:42:49 -0000 1.190
+++ connection_edge.c 20 May 2004 04:16:43 -0000 1.191
@@ -17,7 +17,6 @@
static int connection_ap_handshake_process_socks(connection_t *conn);
static void parse_socks_policy(void);
-static int socks_policy_permits_address(uint32_t addr);
/** Handle new bytes on conn->inbuf, or notification of eof.
*
@@ -785,6 +784,12 @@
conn->socks_request->port, exit->exit_policy);
}
+/** A helper function for socks_policy_permits_address() below.
+ *
+ * Parse options.SocksPolicy in the same way that the exit policy
+ * is parsed, and put the processed version in &socks_policy.
+ * Ignore port specifiers.
+ */
static void parse_socks_policy(void)
{
struct exit_policy_t *n;
@@ -800,6 +805,9 @@
}
}
+/** Return 1 if <b>addr</b> is permitted to connect to our socks port,
+ * based on <b>socks_policy</b>. Else return 0.
+ */
int socks_policy_permits_address(uint32_t addr)
{
int a;
@@ -811,10 +819,9 @@
return 0;
else if (a==0)
return 1;
- else if (a==1) {
- log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy");
- return 1;
- }
+ tor_assert(a==1);
+ log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy");
+ return 0;
}
/* ***** Client DNS code ***** */
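Review bot: The replacement tail turns an undecidable ('maybe') policy answer into a denial, which is the correct fail-closed default and reverses the previous permissive behaviour, but nothing in the code states that intent, so a later maintainer may "fix" it back to `return 1`. Add a one-line comment above the `tor_assert(a==1);` such as `/* 'maybe' means the policy could not decide for this addr: fail closed. */`. Note also that the tor_assert aborts the process if the comparison helper ever returns a value other than -1/0/1; that is reasonable for an invariant, but the function's doc comment (added in the hunk above) should say that a non-definitive answer is treated as "not permitted" so the 1/0 contract is complete. socks_policy_permits_address() begins outside this hunk.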
Index: or.h
===================================================================
RCS file: /home/or/cvsroot/src/or/or.h,v
retrieving revision 1.352
retrieving revision 1.353
diff -u -d -r1.352 -r1.353
--- or.h 20 May 2004 02:42:49 -0000 1.352
+++ or.h 20 May 2004 04:16:43 -0000 1.353
@@ -1044,6 +1044,8 @@
void connection_ap_expire_beginning(void);
void connection_ap_attach_pending(void);
+int socks_policy_permits_address(uint32_t addr);
+
void client_dns_init(void);
uint32_t client_dns_lookup_entry(const char *address);
int client_dns_incr_failures(const char *address);