From acf62b63d182ff4b5f0565bd009db6d1bccc2bfd Mon Sep 17 00:00:00 2001
From: shw
Date: Mon, 22 May 2017 16:48:50 +0000
Subject: [PATCH] Changed SOCKS/Tor credential randomization so it only occurs if username and password are empty.

---
 sgfw/policy.go | 13 +++++++++----
 sgfw/socks_server_chain.go | 10 ++++++----
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/sgfw/policy.go b/sgfw/policy.go
index c7846b0..9971353 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -395,6 +395,11 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info
 }
 
 func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
+ if basicAllowPacket(pkt) {
+ pkt.Accept()
+ return
+ }
+
 isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
 if isudp {
 srcport, _ := getPacketUDPPorts(pkt)
@@ -422,7 +427,6 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 return
 }
 */
-
 ppath := "*"
 strictness := procsnitch.MATCH_STRICT
 
@@ -451,11 +455,11 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 }
 }
 log.Debugf("filterPacket [%s] %s", ppath, printPacket(pkt, fw.dns.Lookup(dstip, pinfo.Pid), nil))
- if basicAllowPacket(pkt) {
+/* if basicAllowPacket(pkt) {
 pkt.Accept()
-//log.Notice("XXX: passed basicallowpacket")
 return
 }
+*/
 policy := fw.PolicyForPath(ppath)
 //log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
 policy.processPacket(pkt, pinfo, optstring)
@@ -662,7 +666,8 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
 dstip.IsLinkLocalMulticast() ||
 (pkt.Packet.Layer(layers.LayerTypeTCP) == nil &&
 pkt.Packet.Layer(layers.LayerTypeUDP) == nil &&
- pkt.Packet.Layer(layers.LayerTypeICMPv4) == nil)
+ pkt.Packet.Layer(layers.LayerTypeICMPv4) == nil &&
+ pkt.Packet.Layer(layers.LayerTypeICMPv6) == nil)
 }
 
 func getPacketIPAddrs(pkt *nfqueue.NFQPacket) (net.IP, net.IP) {
diff --git a/sgfw/socks_server_chain.go b/sgfw/socks_server_chain.go
index 4c613a4..c470554 100644
--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
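Review bot: The early `basicAllowPacket` accept added at the top of `filterPacket` now runs before the `isudp` branch and before the `log.Debugf("filterPacket …")` line, so every packet matching that predicate is accepted with no process attribution and leaves no trace in the debug log. If `basicAllowPacket` also accepts loopback destinations (only its tail is visible in the last hunk; its head is outside this diff), UDP DNS traffic to a local resolver that the `isudp` branch used to see would now be short-circuited before that branch runs, which is worth confirming is intended. At minimum the new block should carry a comment stating the trade-off, e.g. `// Fast path: traffic basicAllowPacket accepts never reaches the policy engine, so it is neither process-attributed nor logged here.` The rest of `filterPacket` continues outside this hunk.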
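Review bot: The old `basicAllowPacket` check after the `log.Debugf` line is commented out with `/* … */` instead of being deleted, and the stale `//log.Notice("XXX: flunked basicallowpacket; policy = ", policy)` line is kept alongside it; with the check moved to the top of `filterPacket` in the first hunk this is dead code that git history already preserves. Removing the five commented lines and the `//log.Notice` line leaves `log.Debugf(...)` followed directly by `policy := fw.PolicyForPath(ppath)`, which is what a reader of this path actually needs to see. `filterPacket` starts and ends outside this hunk.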
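Review bot: The last clause of `basicAllowPacket` is still an exclusion list — a packet carrying none of TCP, UDP, ICMPv4 or ICMPv6 is accepted unconditionally — so adding ICMPv6 takes one protocol out of the default-allow but leaves every other transport (SCTP, GRE, ESP, IP-in-IP and so on) bypassing the policy engine entirely. For a policy firewall the safer shape is an explicit allowlist of the transports `filterPacket` knows how to classify, with anything else falling through to policy or a logged drop, rather than `== nil` on an enumerated set. Separately, ICMPv6 now reaches the policy path: Neighbor Discovery to solicited-node multicast is still covered by `IsLinkLocalMulticast()`, but neighbor advertisements sent to a neighbour's `fe80::` unicast address will only pass if a link-local unicast check exists in the part of this function above the hunk — please confirm, since a default-deny policy would otherwise break IPv6 on the host. `basicAllowPacket` starts outside this hunk.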
@@ -158,10 +158,12 @@ func (c *socksChainSession) sessionWorker() {
 return
 }
 
- // Randomize username and password to force a new TOR circuit with each connection
- rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid()))
- c.req.Auth.Uname = rndbytes
- c.req.Auth.Passwd = rndbytes
+ if len(c.req.Auth.Uname) == 0 && len(c.req.Auth.Passwd) == 0 {
+ // Randomize username and password to force a new TOR circuit with each connection
+ rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid()))
+ c.req.Auth.Uname = rndbytes
+ c.req.Auth.Passwd = rndbytes
+ }
 
 switch c.req.Cmd {
 case CommandTorResolve, CommandTorResolvePTR:
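Review bot: The comment kept inside the new `if` still says the credentials are randomized "to force a new TOR circuit with each connection", but after this change that only holds for requests that arrive with both `Uname` and `Passwd` empty: a client that sends the same fixed pair on every connection will have all of its streams isolated together by Tor rather than per connection, and because the test uses `&&` a request that sets only a username is passed through untouched. Suggest replacing the comment with `// No client credentials: synthesize a unique username/password so Tor's SOCKS-auth isolation gives this connection its own circuit. Clients that supply credentials keep them and share a circuit with every other connection using the same pair.` Also, the value is not random — it is `UnixNano() ^ Getpid()` — so two sessions that start within the same clock tick get identical credentials and therefore the same circuit; since only uniqueness matters here, a process-wide `atomic.AddUint64` counter (or `crypto/rand` bytes) would be a more reliable source, at the cost of an import and a package-level variable outside this hunk. `sessionWorker` starts and ends outside this hunk.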