diff -U 6 -N -I Id: -r -x *~ -x #* -x CVS -x Makefile -x Makefile.in -x aclocal.m4 -x ar-lib -x autoconf.h.in -x compile -x config.status -x config.sub -x config_parse.c -x config_parse.h -x config_scan.c -x config.log -x depcomp -x install-sh -x missing -x redefac.h -x remtest-0.90-pre1.tar.gz dante-1.4.3-old/sockd/sockd_protocol.c dante-1.4.3/sockd/sockd_protocol.c --- dante-1.4.3-old/sockd/sockd_protocol.c Fri Aug 15 20:16:43 2014 +++ dante-1.4.3/sockd/sockd_protocol.c Fri Dec 6 02:36:51 2024 @@ -425,24 +425,45 @@ static negotiate_result_t recv_v4req (s, request, state) int s; request_t *request; negotiate_state_t *state; { + rule_t *crule; /* * v4 request: * VN CD DSTPORT DSTIP USERID NUL * 1 + 1 + 2 + 4 + ? + 1 * * so minimum length is 9. */ /* * No methods supported in v4. */ + + SASSERTX(state->crule != NULL); + + crule = (rule_t *)state->crule; + + if (crule->state.smethodc > 0 + && crule->state.smethodv[0] != AUTHMETHOD_NONE) { + snprintf(state->emsg, sizeof(state->emsg), + "client-rule overrides prefered SOCKS authentication to use for " + "matching clients to be %s\"%s\", but connected client " + "is using SOCKS v4, which does not support any authentication", + crule->state.smethodc == 1 ? "" : "one of ", + methods2string(crule->state.smethodc, + crule->state.smethodv, + NULL, + 0)); + + return NEGOTIATE_ERROR; + } + request->auth->method = AUTHMETHOD_NONE; /* CD */ state->rcurrent = recv_cmd; return state->rcurrent(s, request, state); 
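Review bot: The new guard in recv_v4req tests only `crule->state.smethodv[0] != AUTHMETHOD_NONE`, so the decision depends on where "none" sits in the client-rule's method list rather than on whether the rule permits it. If smethodv is a set of acceptable methods, as the "one of" wording in the error message suggests, a rule that lists "none" after another method will refuse every SOCKS v4 client. That fails closed, so it is not a bypass, but it is an availability regression that is hard to diagnose from the log text. Checking membership over all smethodc entries keeps the rejection for rules that really exclude "none" and makes the behaviour independent of ordering. Separately, `SASSERTX(state->crule != NULL)` sits on the negotiation path, so it is worth confirming that no caller can reach this point without a matched client-rule. The function's closing brace is outside the hunk.

```c
   rule_t *crule;
   size_t i;

   /* … unchanged: v4 request comment, SASSERTX, crule assignment … */

   /* v4 can only ever use "none"; accept it if the rule lists it anywhere. */
   for (i = 0; i < crule->state.smethodc; ++i)
      if (crule->state.smethodv[i] == AUTHMETHOD_NONE)
         break;

   if (crule->state.smethodc > 0 && i == crule->state.smethodc) {
      /* … unchanged: snprintf to state->emsg, return NEGOTIATE_ERROR … */
   }
```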
@@ -552,16 +573,16 @@ (size_t)methodc); break; default: { /* * Socks-methods that can be decided for use before we receive - * the actual request. Normally only gssapi, but if the - * rule has singleauth enabled and the client matches the - * criteria for it, the socks-method will also have been - * chosen already (should be NONE). + * the actual request. Normally only gssapi, but if the rule has + * singleauth enabled and the client matches the criteria for it, + * the socks-method will also have been chosen already (should be + * NONE). */ size_t i; slog(LOG_DEBUG, "%s: method %d already chosen for this rule, not selecting again", function, request->auth->method);