Add a new config option TestSocks so people can see if their

applications are using socks4, socks4a, socks5-with-ip, or socks5-with-hostname. This way they don't have to keep mucking with tcpdump and wondering if something got cached somewhere. svn:r5399
2024-11-27 22:03:31 +01:00 · 2005-11-16 23:37:35 +00:00 · 2005-11-16 23:37:35 +00:00 · c4aa9e7941
commit c4aa9e7941
parent 83d6b0387b
4 changed files with 17 additions and 6 deletions
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@ -888,10 +888,13 @@ fetch_from_buf_http(buf_t *buf,
 * If you want to specify the socks reply, write it into <b>req->reply</b>
 *   and set <b>req->replylen</b>, else leave <b>req->replylen</b> alone.
 *
+ * If <b>log_sockstype</b> is non-zero, then do a notice-level log of whether
+ * the connection is possibly leaking DNS requests locally or not.
+ *
 * If returning 0 or -1, <b>req->address</b> and <b>req->port</b> are undefined.
 */
 int
-fetch_from_buf_socks(buf_t *buf, socks_request_t *req)
+fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype)
 {
  unsigned char len;
  char tmpbuf[INET_NTOA_BUF_LEN];
@ -924,7 +927,7 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req)
          req->reply[1] = '\xFF'; /* reject all methods */
          return -1;
        }
-        buf_remove_from_front(buf,2+nummethods);/* remove packet from buf */
+        buf_remove_from_front(buf,2+nummethods); /* remove packet from buf */

        req->replylen = 2; /* 2 bytes of response */
        req->reply[0] = 5; /* socks5 reply */
@ -982,6 +985,8 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req)
          req->address[len] = 0;
          req->port = ntohs(get_uint16(buf->cur+5+len));
          buf_remove_from_front(buf, 5+len+2);
+          if (log_sockstype)
+            notice(LD_APP, "Your application (using socks5 on port %d) gave Tor a hostname, which means Tor will do the DNS resolve for you. This is good.", req->port);
          return 1;
        default: /* unsupported */
          warn(LD_APP,"socks5: unsupported address type %d. Rejecting.",*(buf->cur+3));
@ -1055,6 +1060,8 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req)
          return -1;
        }
        tor_assert(next < buf->cur+buf->datalen);
+        if (log_sockstype)
+          notice(LD_APP, "Your application (using socks4a on port %d) gave Tor a hostname, which means Tor will do the DNS resolve for you. This is good.", req->port);
      }
      debug(LD_APP,"socks4: Everything is here. Success.");
      strlcpy(req->address, startaddr ? startaddr : tmpbuf,
--- a/src/or/config.c
+++ b/src/or/config.c
@ -191,6 +191,7 @@ static config_var_t _option_vars[] = {
  VAR("StrictEntryNodes",    BOOL,     StrictEntryNodes,     "0"),
  VAR("StrictExitNodes",     BOOL,     StrictExitNodes,      "0"),
  VAR("SysLog",              LINELIST_S, OldLogOptions,      NULL),
+  VAR("TestSocks",           BOOL,     TestSocks,            "0"),
  VAR("TrackHostExits",      CSV,      TrackHostExits,       NULL),
  VAR("TrackHostExitsExpire",INTERVAL, TrackHostExitsExpire, "30 minutes"),
  OBSOLETE("TrafficShaping"),
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@ -923,7 +923,8 @@ connection_ap_handshake_process_socks(connection_t *conn)
  socks_request_t *socks;
  int sockshere;
  hostname_type_t addresstype;
-  int tor_should_handle_stream = !get_options()->LeaveStreamsUnattached;
+  or_options_t *options = get_options();
+  int tor_should_handle_stream = !options->LeaveStreamsUnattached;

  tor_assert(conn);
  tor_assert(conn->type == CONN_TYPE_AP);
@ -933,7 +934,7 @@ connection_ap_handshake_process_socks(connection_t *conn)

  debug(LD_APP,"entered.");

-  sockshere = fetch_from_buf_socks(conn->inbuf, socks);
+  sockshere = fetch_from_buf_socks(conn->inbuf, socks, options->TestSocks);
  if (sockshere == 0) {
    if (socks->replylen) {
      connection_write_to_buf(socks->reply, socks->replylen, conn);
@ -1072,7 +1073,7 @@ connection_ap_handshake_process_socks(connection_t *conn)
      rep_hist_note_used_port(socks->port, time(NULL)); /* help predict this next time */
      control_event_stream_status(conn, STREAM_EVENT_NEW);
    }
-    if (get_options()->LeaveStreamsUnattached) {
+    if (!tor_should_handle_stream) {
      conn->state = AP_CONN_STATE_CONTROLLER_WAIT;
    } else {
      conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
--- a/src/or/or.h
+++ b/src/or/or.h
@ -1307,6 +1307,8 @@ typedef struct {
 #define LOG_PROTOCOL_WARN (get_options()->ProtocolWarnings ? LOG_WARN : LOG_INFO)
  int ProtocolWarnings; /**< Boolean: when other parties screw up the Tor
                         * protocol, is it a warn or an info in our logs? */
+  int TestSocks; /**< Boolean: when we get a socks connection, do we loudly
+                  * log whether it was DNS-leaking or not? */
  int HardwareAccel; /**< Boolean: Should we enable OpenSSL hardware
                      * acceleration where available? */
  int UseHelperNodes; /**< Boolean: Do we try to enter from a smallish number
@ -1379,7 +1381,7 @@ int fetch_from_buf_http(buf_t *buf,
                        char **headers_out, size_t max_headerlen,
                        char **body_out, size_t *body_used, size_t max_bodylen,
                        int force_complete);
-int fetch_from_buf_socks(buf_t *buf, socks_request_t *req);
+int fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype);
 int fetch_from_buf_control0(buf_t *buf, uint32_t *len_out, uint16_t *type_out,
                            char **body_out, int check_for_v1);
 int fetch_from_buf_line(buf_t *buf, char *data_out, size_t *data_len);