-rw-r--r-- | src/or/buffers.c | 11 | ||||
-rw-r--r-- | src/or/config.c | 1 | ||||
-rw-r--r-- | src/or/connection_edge.c | 7 | ||||
-rw-r--r-- | src/or/or.h | 4 |
4 files changed, 17 insertions, 6 deletions
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 68f51e7eb6..da60a619dc 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -888,10 +888,13 @@ fetch_from_buf_http(buf_t *buf,
  * If you want to specify the socks reply, write it into <b>req->reply</b>
  * and set <b>req->replylen</b>, else leave <b>req->replylen</b> alone.
  *
+ * If <b>log_sockstype</b> is non-zero, then do a notice-level log of whether
+ * the connection is possibly leaking DNS requests locally or not.
+ *
  * If returning 0 or -1, <b>req->address</b> and <b>req->port</b> are undefined.
  */
 int
-fetch_from_buf_socks(buf_t *buf, socks_request_t *req)
+fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype)
 {
   unsigned char len;
   char tmpbuf[INET_NTOA_BUF_LEN];
@@ -924,7 +927,7 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req)
       req->reply[1] = '\xFF'; /* reject all methods */
       return -1;
     }
-    buf_remove_from_front(buf,2+nummethods);/* remove packet from buf */
+    buf_remove_from_front(buf,2+nummethods); /* remove packet from buf */
 
     req->replylen = 2; /* 2 bytes of response */
     req->reply[0] = 5; /* socks5 reply */
@@ -982,6 +985,8 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req)
         req->address[len] = 0;
         req->port = ntohs(get_uint16(buf->cur+5+len));
         buf_remove_from_front(buf, 5+len+2);
+        if (log_sockstype)
+          notice(LD_APP, "Your application (using socks5 on port %d) gave Tor a hostname, which means Tor will do the DNS resolve for you. This is good.", req->port);
         return 1;
       default: /* unsupported */
         warn(LD_APP,"socks5: unsupported address type %d. Rejecting.",*(buf->cur+3));
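Review bot: The notice added after buf_remove_from_front fires only in the hostname branch, so with log_sockstype set an application that hands Tor a literal IPv4 address — the case where the resolve happened locally — produces no log line at all, and an operator who enables TestSocks cannot tell a leaking client from one that never connected, even though the new header comment in the first hunk and the TestSocks comment in or.h (@@ -1307) both promise a log of "whether" the connection leaks. The IPv4 address-type case of this switch presumably sits above the hunk (not shown); a matching `if (log_sockstype) notice(LD_APP, "Your application (using socks5 to port %d) gave Tor an IP address, which means your application resolved the hostname itself and may be leaking DNS requests locally.", req->port);` there would close the gap. Also, `%d` is bound to req->port, which two lines up is parsed out of the request as the destination port, so "using socks5 on port %d" reads like the listener port; `"Your application (using socks5 to port %d) gave Tor a hostname, ..."` would be accurate. The socks4a notice in the next hunk (@@ -1055) has the same port wording and likewise lacks a counterpart on the plain socks4 (IP-only) path. fetch_from_buf_socks begins and ends outside these hunks.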
@@ -1055,6 +1060,8 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req)
         return -1;
       }
       tor_assert(next < buf->cur+buf->datalen);
+      if (log_sockstype)
+        notice(LD_APP, "Your application (using socks4a on port %d) gave Tor a hostname, which means Tor will do the DNS resolve for you. This is good.", req->port);
     }
     debug(LD_APP,"socks4: Everything is here. Success.");
     strlcpy(req->address, startaddr ? startaddr : tmpbuf,
diff --git a/src/or/config.c b/src/or/config.c
index b1ad5f8717..e44ab8584a 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -191,6 +191,7 @@ static config_var_t _option_vars[] = {
   VAR("StrictEntryNodes",    BOOL,     StrictEntryNodes,     "0"),
   VAR("StrictExitNodes",     BOOL,     StrictExitNodes,      "0"),
   VAR("SysLog",              LINELIST_S, OldLogOptions,      NULL),
+  VAR("TestSocks",           BOOL,     TestSocks,            "0"),
   VAR("TrackHostExits",      CSV,      TrackHostExits,       NULL),
   VAR("TrackHostExitsExpire",INTERVAL, TrackHostExitsExpire, "30 minutes"),
   OBSOLETE("TrafficShaping"),
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 1c904621e1..e6a0e2f714 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -923,7 +923,8 @@ connection_ap_handshake_process_socks(connection_t *conn)
   socks_request_t *socks;
   int sockshere;
   hostname_type_t addresstype;
-  int tor_should_handle_stream = !get_options()->LeaveStreamsUnattached;
+  or_options_t *options = get_options();
+  int tor_should_handle_stream = !options->LeaveStreamsUnattached;
 
   tor_assert(conn);
   tor_assert(conn->type == CONN_TYPE_AP);
@@ -933,7 +934,7 @@ connection_ap_handshake_process_socks(connection_t *conn)
 
   debug(LD_APP,"entered.");
 
-  sockshere = fetch_from_buf_socks(conn->inbuf, socks);
+  sockshere = fetch_from_buf_socks(conn->inbuf, socks, options->TestSocks);
   if (sockshere == 0) {
     if (socks->replylen) {
       connection_write_to_buf(socks->reply, socks->replylen, conn);
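Review bot: The new `options` local in connection_ap_handshake_process_socks is only ever read (LeaveStreamsUnattached here, TestSocks in the following hunk), so it should be declared `const or_options_t *options = get_options();` to document that the cached configuration is not modified and to let the compiler reject an accidental write through it. Caching the pointer for the length of the function is fine as long as nothing called in between can replace the configuration object; if get_options() can hand back a different object after a reload, a one-line comment saying the snapshot is intentional would help the next reader. The function continues past both of these hunks.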
@@ -1072,7 +1073,7 @@ connection_ap_handshake_process_socks(connection_t *conn)
     rep_hist_note_used_port(socks->port, time(NULL)); /* help predict this next time */
     control_event_stream_status(conn, STREAM_EVENT_NEW);
   }
-  if (get_options()->LeaveStreamsUnattached) {
+  if (!tor_should_handle_stream) {
     conn->state = AP_CONN_STATE_CONTROLLER_WAIT;
   } else {
     conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
diff --git a/src/or/or.h b/src/or/or.h
index 1ef9972dbf..04748a91f5 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1307,6 +1307,8 @@ typedef struct {
 #define LOG_PROTOCOL_WARN (get_options()->ProtocolWarnings ? LOG_WARN : LOG_INFO)
   int ProtocolWarnings; /**< Boolean: when other parties screw up the Tor
                          * protocol, is it a warn or an info in our logs? */
+  int TestSocks; /**< Boolean: when we get a socks connection, do we loudly
+                  * log whether it was DNS-leaking or not? */
   int HardwareAccel; /**< Boolean: Should we enable OpenSSL hardware
                       * acceleration where available? */
   int UseHelperNodes; /**< Boolean: Do we try to enter from a smallish number
@@ -1379,7 +1381,7 @@ int fetch_from_buf_http(buf_t *buf,
                         char **headers_out, size_t max_headerlen,
                         char **body_out, size_t *body_used, size_t max_bodylen,
                         int force_complete);
-int fetch_from_buf_socks(buf_t *buf, socks_request_t *req);
+int fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype);
 int fetch_from_buf_control0(buf_t *buf, uint32_t *len_out, uint16_t *type_out,
                             char **body_out, int check_for_v1);
 int fetch_from_buf_line(buf_t *buf, char *data_out, size_t *data_len);