summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoger Dingledine <arma@torproject.org>2004-05-20 04:16:43 +0000
committerRoger Dingledine <arma@torproject.org>2004-05-20 04:16:43 +0000
commitb6faca2268712ba73aa18f7fc99ed106e107f57d (patch)
tree9b855f18eac431ef95ea1fd09c09bb1e2452cc07
parent80365b989749efbeca6202156197321706462e4d (diff)
downloadtor-b6faca2268712ba73aa18f7fc99ed106e107f57d.tar.gz
tor-b6faca2268712ba73aa18f7fc99ed106e107f57d.zip
enable checking the socks policy
svn:r1906
Diffstat
-rw-r--r--src/or/connection.c5
-rw-r--r--src/or/connection_edge.c17
-rw-r--r--src/or/or.h2
3 files changed, 19 insertions, 5 deletions
diff --git a/src/or/connection.c b/src/or/connection.c
index 49576eba33..e868a43bf9 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -429,6 +429,11 @@ static int connection_init_accepted_conn(connection_t *conn) {
case CONN_TYPE_OR:
return connection_tls_start_handshake(conn, 1);
case CONN_TYPE_AP:
+ /* check sockspolicy to see if we should accept it */
+ if(socks_policy_permits_address(conn->addr) == 0) {
+ log_fn(LOG_WARN,"Denying socks connection from untrusted address %s.", conn->address);
+ return -1;
+ }
conn->state = AP_CONN_STATE_SOCKS_WAIT;
break;
case CONN_TYPE_DIR:
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 8de0d6d9ba..82e28e4091 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -17,7 +17,6 @@ static struct exit_policy_t *socks_policy = NULL;
static int connection_ap_handshake_process_socks(connection_t *conn);
static void parse_socks_policy(void);
-static int socks_policy_permits_address(uint32_t addr);
/** Handle new bytes on conn->inbuf, or notification of eof.
*
@@ -785,6 +784,12 @@ int connection_ap_can_use_exit(connection_t *conn, routerinfo_t *exit)
conn->socks_request->port, exit->exit_policy);
}
+/** A helper function for socks_policy_permits_address() below.
+ *
+ * Parse options.SocksPolicy in the same way that the exit policy
+ * is parsed, and put the processed version in &socks_policy.
+ * Ignore port specifiers.
+ */
static void parse_socks_policy(void)
{
struct exit_policy_t *n;
@@ -800,6 +805,9 @@ static void parse_socks_policy(void)
}
}
+/** Return 1 if <b>addr</b> is permitted to connect to our socks port,
+ * based on <b>socks_policy</b>. Else return 0.
+ */
int socks_policy_permits_address(uint32_t addr)
{
int a;
@@ -811,10 +819,9 @@ int socks_policy_permits_address(uint32_t addr)
return 0;
else if (a==0)
return 1;
- else if (a==1) {
- log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy");
- return 1;
- }
+ tor_assert(a==1);
+ log_fn(LOG_WARN, "Got unexpected 'maybe' answer from socks policy");
+ return 0;
}
/* ***** Client DNS code ***** */
diff --git a/src/or/or.h b/src/or/or.h
index db1f58173f..149c197d5f 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1044,6 +1044,8 @@ int connection_ap_can_use_exit(connection_t *conn, routerinfo_t *exit);
void connection_ap_expire_beginning(void);
void connection_ap_attach_pending(void);
+int socks_policy_permits_address(uint32_t addr);
+
void client_dns_init(void);
uint32_t client_dns_lookup_entry(const char *address);
int client_dns_incr_failures(const char *address);
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion