tbb-commits
December 2015

[tor-browser/tor-browser-38.4.0esr-5.0-1] Bug #17207: Hide mime types and plugins when resisting fingerprinting
by gk@torproject.org 10 Dec '15
commit 7267388a1c76a609d55300b3a726fb872bb5ef1d
Author: Arthur Edelstein <arthuredelstein(a)gmail.com>
Date: Fri Oct 16 16:09:54 2015 -0700
Bug #17207: Hide mime types and plugins when resisting fingerprinting
---
dom/base/nsMimeTypeArray.cpp | 19 +++++++++++++++++++
dom/base/nsPluginArray.cpp | 13 ++++++++++---
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/dom/base/nsMimeTypeArray.cpp b/dom/base/nsMimeTypeArray.cpp
index 257abf6..ee530a3 100644
--- a/dom/base/nsMimeTypeArray.cpp
+++ b/dom/base/nsMimeTypeArray.cpp
@@ -14,6 +14,7 @@
#include "nsIMIMEInfo.h"
#include "Navigator.h"
#include "nsServiceManagerUtils.h"
+#include "nsContentUtils.h"
using namespace mozilla;
using namespace mozilla::dom;
@@ -39,6 +40,12 @@ nsMimeTypeArray::~nsMimeTypeArray()
{
}
+static bool
+ResistFingerprinting() {
+ return !nsContentUtils::ThreadsafeIsCallerChrome() &&
+ nsContentUtils::ResistFingerprinting();
+}
+
JSObject*
nsMimeTypeArray::WrapObject(JSContext* aCx)
{
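Review bot: The new file-static `ResistFingerprinting()` carries no comment explaining why chrome callers are exempt, and the same helper is added verbatim to dom/base/nsPluginArray.cpp. A one-line comment above it, for example `// True when a content (non-chrome) caller must not see plugin or MIME-type data because fingerprinting resistance is enabled.`, would record the intent. Because the wrapper shares its name with `nsContentUtils::ResistFingerprinting()`, the unqualified call sites read as if they only test the pref; a distinct name such as `ShouldHideFromContent()`, or one shared helper, would keep the two copies from drifting apart.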
@@ -78,6 +85,10 @@ nsMimeTypeArray::IndexedGetter(uint32_t aIndex, bool &aFound)
{
aFound = false;
+ if (ResistFingerprinting()) {
+ return nullptr;
+ }
+
EnsurePluginMimeTypes();
if (aIndex >= mMimeTypes.Length()) {
@@ -108,6 +119,10 @@ nsMimeTypeArray::NamedGetter(const nsAString& aName, bool &aFound)
{
aFound = false;
+ if (ResistFingerprinting()) {
+ return nullptr;
+ }
+
EnsurePluginMimeTypes();
nsString lowerName(aName);
@@ -181,6 +196,10 @@ nsMimeTypeArray::NameIsEnumerable(const nsAString& aName)
uint32_t
nsMimeTypeArray::Length()
{
+ if (ResistFingerprinting()) {
+ return 0;
+ }
+
EnsurePluginMimeTypes();
return mMimeTypes.Length();
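Review bot: Only `IndexedGetter`, `NamedGetter` and `Length` get the early return here, and the same three in nsPluginArray.cpp; any other method that hands out entries or names, such as a supported-names enumeration, is not visible in this diff and would need the same guard. The regression test for this bug (test_tor_bug17207.html) notes that MIME-type enumeration is off in Firefox 38 but was re-enabled upstream later, so an unguarded enumeration path would probably start leaking names after a rebase. If such a method exists, `if (ResistFingerprinting()) { return; }` placed before its `EnsurePluginMimeTypes()` call would close it. The body of `Length()` ends outside this hunk.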
diff --git a/dom/base/nsPluginArray.cpp b/dom/base/nsPluginArray.cpp
index 1dcd551..8f789ee 100644
--- a/dom/base/nsPluginArray.cpp
+++ b/dom/base/nsPluginArray.cpp
@@ -20,6 +20,7 @@
#include "nsIWeakReference.h"
#include "mozilla/Services.h"
#include "nsIInterfaceRequestorUtils.h"
+#include "nsContentUtils.h"
using namespace mozilla;
using namespace mozilla::dom;
@@ -43,6 +44,12 @@ nsPluginArray::~nsPluginArray()
{
}
+static bool
+ResistFingerprinting() {
+ return !nsContentUtils::ThreadsafeIsCallerChrome() &&
+ nsContentUtils::ResistFingerprinting();
+}
+
nsPIDOMWindow*
nsPluginArray::GetParentObject() const
{
@@ -174,7 +181,7 @@ nsPluginArray::IndexedGetter(uint32_t aIndex, bool &aFound)
{
aFound = false;
- if (!AllowPlugins()) {
+ if (!AllowPlugins() || ResistFingerprinting()) {
return nullptr;
}
@@ -217,7 +224,7 @@ nsPluginArray::NamedGetter(const nsAString& aName, bool &aFound)
{
aFound = false;
- if (!AllowPlugins()) {
+ if (!AllowPlugins() || ResistFingerprinting()) {
return nullptr;
}
@@ -241,7 +248,7 @@ nsPluginArray::NameIsEnumerable(const nsAString& aName)
uint32_t
nsPluginArray::Length()
{
- if (!AllowPlugins()) {
+ if (!AllowPlugins() || ResistFingerprinting()) {
return 0;
}

[tor-browser/tor-browser-38.4.0esr-5.0-1] Regression tests for Bug #17207: Hide mime types and plugins when resisting fingerprinting
by gk@torproject.org 10 Dec '15
commit 3e925a360daf492465ab74f336209dad54e5497b
Author: Arthur Edelstein <arthuredelstein(a)gmail.com>
Date: Fri Oct 16 17:10:57 2015 -0700
Regression tests for Bug #17207: Hide mime types and plugins when resisting fingerprinting
---
dom/base/test/mochitest.ini | 1 +
dom/base/test/test_tor_bug17207.html | 49 ++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+)
diff --git a/dom/base/test/mochitest.ini b/dom/base/test/mochitest.ini
index 133348e..6a8c334 100644
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -739,6 +739,7 @@ skip-if = toolkit == 'android' || e10s #RANDOM
[test_title.html]
[test_tor_bug15502.html]
[test_tor_bug15703.html]
+[test_tor_bug17207.html]
[test_treewalker_nextsibling.xml]
[test_viewport_scroll.html]
[test_viewsource_forbidden_in_object.html]
diff --git a/dom/base/test/test_tor_bug17207.html b/dom/base/test/test_tor_bug17207.html
new file mode 100644
index 0000000..4ab0a0d
--- /dev/null
+++ b/dom/base/test/test_tor_bug17207.html
@@ -0,0 +1,49 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugs.torproject.org/17207
+-->
+<head>
+ <meta http-equiv="content-type" content="text/html; charset=utf-8">
+ <title>Test for Tor Browser Bug 17207</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content"></div>
+
+<script class="testbody" type="application/javascript;version=1.7">
+SimpleTest.waitForExplicitFinish();
+
+// __setPref(key, value)__.
+// Set a pref value asynchronously, returning a promise that resolves
+// when it succeeds.
+let setPref = function* (key, value) {
+ return new Promise(function(resolve, reject) {
+ SpecialPowers.pushPrefEnv({"set": [[key, value]]}, resolve);
+ });
+};
+
+// Run a test to see that we don't expose the supported mimeTypes
+// or installed plugins when "privacy.resistFingerprinting" is active.
+spawnTask(function* () {
+ yield setPref("privacy.resistFingerprinting", true);
+ is(navigator.mimeTypes["application/pdf"], undefined, "Don't reveal mime types");
+ is(navigator.mimeTypes.length, 0, "navigator.mimeTypes.length should be 0");
+ yield setPref("privacy.resistFingerprinting", false);
+ isnot(navigator.mimeTypes["application/pdf"], undefined),
+ // TODO: In Firefox 38, mimeTypes are not enumerable because of https://bugzilla.mozilla.org/757726.
+ // But mimeType enumeration was subsequently brought back by https://bugzilla.mozilla.org/1169945.
+ // So we'll need to include the following line in mozilla-central or TBB/FF45ESR:
+ // isnot(navigator.mimeTypes.length, 0, "navigator.mimeTypes.length should not be nonzero");
+ // TODO: We don't have any plugins in Tor Browser, but we will need to implement
+ // similar tests for plugins in mainline Firefox.
+ SimpleTest.finish();
+});
+
+</script>
+
+</body>
+</html>
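Review bot: The pref-off assertion `isnot(navigator.mimeTypes["application/pdf"], undefined),` ends in a comma and passes no message, so it is joined to `SimpleTest.finish()` by the comma operator and a failure is logged without a description; it should read `isnot(navigator.mimeTypes["application/pdf"], undefined, "mime types are visible when the pref is off");`. The test exercises the named getter and `length` but not the indexed getter that the patch also guards; `is(navigator.mimeTypes[0], undefined, "Don't reveal mime types by index");` in the pref-on half would cover it. The message in the commented-out line, "should not be nonzero", says the opposite of what `isnot(..., 0)` checks and should be corrected before that line is enabled. `setPref` is declared with `function*` but never yields, so a plain function returning the promise would be clearer.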

[tor-browser/tor-browser-38.4.0esr-5.0-1] fixup! Bug #4234: Use the Firefox Update Process for Tor Browser.
by gk@torproject.org 10 Dec '15
commit 882edab1efebbdc1d502516fc698bdc8edfdf7d4
Author: Georg Koppen <gk(a)torproject.org>
Date: Wed Sep 9 14:04:54 2015 +0000
fixup! Bug #4234: Use the Firefox Update Process for Tor Browser.
This is part of the fix for bug 16909. We need to adapt our update
packaging tools to cope with the HTTPS Everywhere extension ID change
introduced by version 5.1.0.
---
tools/update-packaging/make_full_update.sh | 5 ++++-
tools/update-packaging/make_incremental_update.sh | 13 ++++++++-----
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/tools/update-packaging/make_full_update.sh b/tools/update-packaging/make_full_update.sh
index 62baf4c..3578ae4 100755
--- a/tools/update-packaging/make_full_update.sh
+++ b/tools/update-packaging/make_full_update.sh
@@ -11,7 +11,10 @@
. $(dirname "$0")/common.sh
# TODO: it would be better to pass this as a command line option.
-directories_to_remove='TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org'
+# Make sure we delete the pre 5.1.0 HTTPS Everywhere as well in case it
+# exists. The extension ID got changed with the version bump to 5.1.0.
+ext_path='TorBrowser/Data/Browser/profile.default/extensions'
+directories_to_remove="$ext_path/https-everywhere(a)eff.org $ext_path/https-everywhere-eff(a)eff.org"
# -----------------------------------------------------------------------------
diff --git a/tools/update-packaging/make_incremental_update.sh b/tools/update-packaging/make_incremental_update.sh
index 0e1e3f6..c803809 100755
--- a/tools/update-packaging/make_incremental_update.sh
+++ b/tools/update-packaging/make_incremental_update.sh
@@ -64,7 +64,8 @@ check_for_forced_update() {
fi
# If the file in the skip list ends with /*, do a prefix match.
- # This allows TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org/* to be used to force all HTTPS Everywhere files to be updated.
+ # This allows TorBrowser/Data/Browser/profile.default/extensions/https-everywhere-eff(a)eff.org/*
+ # to be used to force all HTTPS Everywhere files to be updated.
f_suffix=${f##*/}
if [[ $f_suffix = "*" ]]; then
f_prefix="${f%\/\*}";
@@ -122,7 +123,7 @@ archivefiles="updatev2.manifest updatev3.manifest"
# If the NoScript or HTTPS Everywhere extensions have changed between
# releases, add them to the "force updates" list.
ext_path='TorBrowser/Data/Browser/profile.default/extensions'
-https_everywhere='https-everywhere(a)eff.org'
+https_everywhere='https-everywhere-eff(a)eff.org'
noscript='{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi'
# NoScript is a packed extension, so we simply compare the old and the new
@@ -144,12 +145,14 @@ https_everywhere_install_rdf="$ext_path/$https_everywhere/install.rdf"
diff "$olddir/$https_everywhere_install_rdf" \
"$newdir/$https_everywhere_install_rdf" > /dev/null
rc=$?
-if [ $rc -gt 1 ]; then
+if [ $rc -gt 1 -a -e "$olddir/$https_everywhere_install_rdf" ]; then
notice "Unexpected exit $rc from $https_everywhere_install_rdf diff command"
exit 2
-elif [ $rc -eq 1 ]; then
+elif [ $rc -ge 1 ]; then
requested_forced_updates="$requested_forced_updates $ext_path/$https_everywhere/*"
- directories_to_remove="$directories_to_remove $ext_path/$https_everywhere"
+ # Make sure we delete the pre 5.1.0 HTTPS Everywhere as well in case it
+ # exists. The extension ID got changed with the version bump to 5.1.0.
+ directories_to_remove="$directories_to_remove $ext_path/https-everywhere(a)eff.org $ext_path/$https_everywhere"
fi
mkdir -p "$workdir"
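Review bot: With `elif [ $rc -ge 1 ]`, any diff exit status above 1 now counts as "extension changed" whenever the old install.rdf is absent, which also hides the case where the new install.rdf is missing or unreadable. Because this branch decides which directories an incremental update removes and force-replaces, a missing file on the new side should stop the build rather than fall through; a check before the diff, `if [ ! -e "$newdir/$https_everywhere_install_rdf" ]; then notice "Missing $https_everywhere_install_rdf in new release"; exit 2; fi`, would do that. The `-a` operator inside `[ ]` is marked obsolescent by POSIX and can be parsed ambiguously, so `[ $rc -gt 1 ] && [ -e "$olddir/$https_everywhere_install_rdf" ]` is the safer spelling. The surrounding script statements begin outside this hunk.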

[tor-browser-bundle/hardened-builds] Bug 17801: Remove special tor patches
by gk@torproject.org 10 Dec '15
commit fe0fbddde4c008ceba36abe826daf75fd63b403d
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 09:04:42 2015 +0000
Bug 17801: Remove special tor patches
---
gitian/descriptors/linux/gitian-tor.yml | 14 -
gitian/descriptors/mac/gitian-tor.yml | 14 -
gitian/descriptors/windows/gitian-tor.yml | 14 -
gitian/patches/bug15482.patch | 40 --
gitian/patches/bug16430.patch | 93 ----
gitian/patches/bug16674.patch | 74 ---
gitian/patches/bug8402-master.patch | 732 -----------------------------
gitian/patches/bug8405.patch | 84 ----
8 files changed, 1065 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index f31aac9..630c2e0 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -23,11 +23,6 @@ files:
- "openssl-linux64-utils.zip"
- "libevent-linux64-utils.zip"
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "dzip.sh"
script: |
INSTDIR="$HOME/install"
@@ -73,15 +68,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 857b5de..a6824c0 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
- "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
- "dzip.sh"
@@ -54,15 +49,6 @@ script: |
export LDFLAGS="-m64 -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/ -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/system/ -mmacosx-version-min=10.5"
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 601dc4e..63b527a 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "binutils.tar.bz2"
- "dzip.sh"
- "mingw-w64-win32-utils.zip"
@@ -54,15 +49,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
# We are building normal bundles without the console popping up and expert
diff --git a/gitian/patches/bug15482.patch b/gitian/patches/bug15482.patch
deleted file mode 100644
index df8a156..0000000
--- a/gitian/patches/bug15482.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 748414784f71126b093aa7466908e00f71a7b046 Mon Sep 17 00:00:00 2001
-From: Mike Perry <mikeperry-git(a)torproject.org>
-Date: Fri, 27 Mar 2015 12:57:37 -0700
-Subject: [PATCH] Bug 15482: Don't abandon circuits that are still in use for
- browsing.
-
-Only applies to connections with SOCKS auth set, so that non-web Tor
-activity is not affected.
-
-Simpler version of Nick's patch because the randomness worried me, and I'm not
-otherwise sure why we want a max here.
----
- src/or/circuituse.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/or/circuituse.c b/src/or/circuituse.c
-index d0d31ad..6cce4bf 100644
---- a/src/or/circuituse.c
-+++ b/src/or/circuituse.c
-@@ -2264,8 +2264,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn,
-
- base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
-
-- if (!circ->base_.timestamp_dirty)
-- circ->base_.timestamp_dirty = time(NULL);
-+ if (!circ->base_.timestamp_dirty) {
-+ circ->base_.timestamp_dirty = approx_time();
-+ } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
-+ (conn->socks_request->usernamelen ||
-+ conn->socks_request->passwordlen)) {
-+ /* When stream isolation is in use and controlled by an application
-+ * we are willing to keep using the stream. */
-+ circ->base_.timestamp_dirty = approx_time();
-+ }
-
- pathbias_count_use_attempt(circ);
-
---
-1.9.1
-
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
deleted file mode 100644
index 81bbe3e..0000000
--- a/gitian/patches/bug16430.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Wed, 24 Jun 2015 13:52:29 +0000
-Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
- checks.
-
-RFC 952 is approximately 30 years old, and people are failing to comply,
-by serving A records with '_' as part of the hostname. Since relaxing
-the check is a QOL improvement for our userbase, relax the check to
-allow such abominations as destinations, especially since there are
-likely to be other similarly misconfigured domains out there.
----
- changes/bug16430 | 4 ++++
- src/common/util.c | 7 +++++--
- src/test/test_util.c | 9 +++++++--
- 3 files changed, 16 insertions(+), 4 deletions(-)
- create mode 100644 changes/bug16430
-
-diff --git a/changes/bug16430 b/changes/bug16430
-new file mode 100644
-index 0000000..ca7b874
---- /dev/null
-+++ b/changes/bug16430
-@@ -0,0 +1,4 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ '_' to cope with domains observed in the wild that are serving non-RFC
-+ compliant records. Resolves ticket 16430.
-diff --git a/src/common/util.c b/src/common/util.c
-index 942d0c2..4490150 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
-
- /** Return true iff <b>string</b> matches a pattern of DNS names
- * that we allow Tor clients to connect to.
-+ *
-+ * Note: This allows certain technically invalid characters ('_') to cope
-+ * with misconfigured zones that have been encountered in the wild.
- */
- int
- string_is_valid_hostname(const char *string)
-@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
- smartlist_split_string(components,string,".",0,0);
-
- SMARTLIST_FOREACH_BEGIN(components, char *, c) {
-- if (c[0] == '-') {
-+ if ((c[0] == '-') || (*c == '_')) {
- result = 0;
- break;
- }
-@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
- (*c >= '0' && *c <= '9') ||
-- (*c == '-'))
-+ (*c == '-') || (*c == '_'))
- c++;
- else
- result = 0;
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index b0366db..0f64c26 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
- tt_assert(string_is_valid_hostname("stanford.edu"));
- tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
-
-- // Subdomain name cannot start with '-'.
-+ // Subdomain name cannot start with '-' or '_'.
- tt_assert(!string_is_valid_hostname("-torproject.org"));
- tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
- tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
-+ tt_assert(!string_is_valid_hostname("___abc.org"));
-
- // Hostnames cannot contain non-alphanumeric characters.
- tt_assert(!string_is_valid_hostname("%%domain.\\org."));
- tt_assert(!string_is_valid_hostname("***x.net"));
-- tt_assert(!string_is_valid_hostname("___abc.org"));
- tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
- tt_assert(!string_is_valid_hostname("word1 word2.net"));
-
-+ // Test workaround for nytimes.com stupidity, technically invalid,
-+ // but we allow it since they are big, even though they are failing to
-+ // comply with a ~30 year old standard.
-+ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-+
- // XXX: do we allow single-label DNS names?
-
- done:
---
-1.9.1
-
diff --git a/gitian/patches/bug16674.patch b/gitian/patches/bug16674.patch
deleted file mode 100644
index 9497684..0000000
--- a/gitian/patches/bug16674.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 27 Jul 2015 12:58:40 +0000
-Subject: [PATCH] Allow a single trailing `.` when validating FQDNs from SOCKS.
-
-URI syntax (and DNS syntax) allows for a single trailing `.` to
-explicitly distinguish between a relative and absolute
-(fully-qualified) domain name. While this is redundant in that RFC 1928
-DOMAINNAME addresses are *always* fully-qualified, certain clients
-blindly pass the trailing `.` along in the request.
-
-Fixes bug 16674; bugfix on 0.2.6.2-alpha.
----
- changes/bug16674 | 5 +++++
- src/common/util.c | 6 ++++++
- src/test/test_util.c | 12 ++++++++++++
- 3 files changed, 23 insertions(+)
- create mode 100644 changes/bug16674
-
-diff --git a/changes/bug16674 b/changes/bug16674
-new file mode 100644
-index 0000000..de55523
---- /dev/null
-+++ b/changes/bug16674
-@@ -0,0 +1,5 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ a single trailing '.' to cope with clients that pass FQDNs using that
-+ syntax to explicitly indicate that the domain name is
-+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
-diff --git a/src/common/util.c b/src/common/util.c
-index 618e6a1..1aac4fc 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string)
- break;
- }
-
-+ /* Allow a single terminating '.' used rarely to indicate domains
-+ * are FQDNs rather than relative. */
-+ if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) {
-+ continue;
-+ }
-+
- do {
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index 0f64c26..2bffb17 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg)
- // comply with a ~30 year old standard.
- tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-
-+ // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy,
-+ // which is redundant since the spec states DOMAINNAME addresses are fully
-+ // qualified. While unusual, this should be tollerated.
-+ tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com."));
-+ tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com"));
-+ tt_assert(!string_is_valid_hostname("so.is..ft.com"));
-+ tt_assert(!string_is_valid_hostname("..."));
-+
- // XXX: do we allow single-label DNS names?
-+ // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name"
-+ // but only test pathologically malformed traling '.' cases for now.
-+ tt_assert(!string_is_valid_hostname("."));
-+ tt_assert(!string_is_valid_hostname(".."));
-
- done:
- return;
---
-1.9.1
-
diff --git a/gitian/patches/bug8402-master.patch b/gitian/patches/bug8402-master.patch
deleted file mode 100644
index 5a6386a..0000000
--- a/gitian/patches/bug8402-master.patch
+++ /dev/null
@@ -1,732 +0,0 @@
-From 9d7410ac5837658efa9b2d7d85c0c71f09a7a759 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Tue, 25 Mar 2014 07:21:22 +0000
-Subject: [PATCH 1/5] Allow ClientTransportPlugins to use proxies
-
-This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with
-ClientTransportPlugins via the TOR_PT_PROXY extension to the
-pluggable transport specification.
-
-This fixes bug #8402.
----
- src/or/config.c | 13 ++++--
- src/or/connection.c | 62 +++++++++++++++++++++--------
- src/or/transports.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++--
- src/or/transports.h | 6 +++
- src/test/test_pt.c | 81 +++++++++++++++++++++++++++++++++++++
- 5 files changed, 251 insertions(+), 23 deletions(-)
-
-diff --git a/src/or/config.c b/src/or/config.c
-index 0f7b1d2..b33098e 100644
---- a/src/or/config.c
-+++ b/src/or/config.c
-@@ -3174,11 +3174,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
- }
- }
-
-- /* Check if more than one proxy type has been enabled. */
-+ /* Check if more than one exclusive proxy type has been enabled. */
- if (!!options->Socks4Proxy + !!options->Socks5Proxy +
-- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1)
-+ !!options->HTTPSProxy > 1)
- REJECT("You have configured more than one proxy type. "
-- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)");
-+ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-
- /* Check if the proxies will give surprising behavior. */
- if (options->HTTPProxy && !(options->Socks4Proxy ||
-@@ -4842,6 +4842,13 @@ parse_client_transport_line(const or_options_t *options,
- pt_kickstart_client_proxy(transport_list, proxy_argv);
- }
- } else { /* external */
-+ /* ClientTransportPlugins connecting through a proxy is managed only. */
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ log_warn(LD_CONFIG, "You have configured an external proxy with another "
-+ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-+ goto err;
-+ }
-+
- if (smartlist_len(transport_list) != 1) {
- log_warn(LD_CONFIG, "You can't have an external proxy with "
- "more than one transports.");
-diff --git a/src/or/connection.c b/src/or/connection.c
-index cef9172..b32cddf 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,6 +86,8 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
-+static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-+ int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -1689,14 +1691,14 @@ get_proxy_type(void)
- {
- const or_options_t *options = get_options();
-
-- if (options->HTTPSProxy)
-+ if (options->ClientTransportPlugin)
-+ return PROXY_PLUGGABLE;
-+ else if (options->HTTPSProxy)
- return PROXY_CONNECT;
- else if (options->Socks4Proxy)
- return PROXY_SOCKS4;
- else if (options->Socks5Proxy)
- return PROXY_SOCKS5;
-- else if (options->ClientTransportPlugin)
-- return PROXY_PLUGGABLE;
- else
- return PROXY_NONE;
- }
-@@ -4771,6 +4773,35 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-+ * pluggable transport or bridge we are using.
-+ * <b>conn</b> contains the connection we are using the PT/bridge for.
-+ *
-+ * Return 0 on success, -1 on failure.
-+ */
-+static int
-+get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-+ const connection_t *conn)
-+{
-+ const or_options_t *options = get_options();
-+
-+ if (options->ClientTransportPlugin || options->Bridges) {
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
-+ return 0;
-+ }
-+ }
-+
-+ return -1;
-+}
-+
-+/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4782,6 +4813,16 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- {
- const or_options_t *options = get_options();
-
-+ /* Client Transport Plugins can use another proxy, but that should be hidden
-+ * from the rest of tor (as the plugin is responsible for dealing with the
-+ * proxy), check it first, then check the rest of the proxy types to allow
-+ * the config to have unused ClientTransportPlugin entries.
-+ */
-+ if (options->ClientTransportPlugin) {
-+ if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ return 0;
-+ }
-+
- if (options->HTTPSProxy) {
- tor_addr_copy(addr, &options->HTTPSProxyAddr);
- *port = options->HTTPSProxyPort;
-@@ -4797,19 +4838,8 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->ClientTransportPlugin ||
-- options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-+ } else if (options->Bridges) {
-+ return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
-diff --git a/src/or/transports.c b/src/or/transports.c
-index dc30754..b810315 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -124,6 +124,8 @@ static INLINE void free_execve_args(char **arg);
- #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR"
- #define PROTO_CMETHODS_DONE "CMETHODS DONE"
- #define PROTO_SMETHODS_DONE "SMETHODS DONE"
-+#define PROTO_PROXY_DONE "PROXY DONE"
-+#define PROTO_PROXY_ERROR "PROXY-ERROR"
-
- /** The first and only supported - at the moment - configuration
- protocol version. */
-@@ -439,6 +441,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp)
- static int
- proxy_needs_restart(const managed_proxy_t *mp)
- {
-+ int ret = 1;
-+ char* proxy_uri;
-+
-+ /* If the PT proxy config has changed, then all existing pluggable transports
-+ * should be restarted.
-+ */
-+
-+ proxy_uri = get_pt_proxy_uri();
-+ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0)
-+ goto needs_restart;
-+
- /* mp->transport_to_launch is populated with the names of the
- transports that must be launched *after* the SIGHUP.
- mp->transports is populated with the transports that were
-@@ -459,10 +472,10 @@ proxy_needs_restart(const managed_proxy_t *mp)
-
- } SMARTLIST_FOREACH_END(t);
-
-- return 0;
--
-- needs_restart:
-- return 1;
-+ ret = 0;
-+needs_restart:
-+ tor_free(proxy_uri);
-+ return ret;
- }
-
- /** Managed proxy <b>mp</b> must be restarted. Do all the necessary
-@@ -493,6 +506,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp)
- SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t));
- smartlist_clear(mp->transports);
-
-+ /* Reset the proxy's HTTPS/SOCKS proxy */
-+ tor_free(mp->proxy_uri);
-+ mp->proxy_uri = get_pt_proxy_uri();
-+ mp->proxy_supported = 0;
-+
- /* flag it as an infant proxy so that it gets launched on next tick */
- mp->conf_state = PT_PROTO_INFANT;
- unconfigured_proxies_n++;
-@@ -727,12 +745,52 @@ managed_proxy_destroy(managed_proxy_t *mp,
- /* free the argv */
- free_execve_args(mp->argv);
-
-+ /* free the outgoing proxy URI */
-+ tor_free(mp->proxy_uri);
-+
- tor_process_handle_destroy(mp->process_handle, also_terminate_process);
- mp->process_handle = NULL;
-
- tor_free(mp);
- }
-
-+/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */
-+STATIC char *
-+get_pt_proxy_uri(void)
-+{
-+ const or_options_t *options = get_options();
-+ char *uri = NULL;
-+
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ char addr[TOR_ADDR_BUF_LEN+1];
-+
-+ if (options->Socks4Proxy) {
-+ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1);
-+ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort);
-+ } else if (options->Socks5Proxy) {
-+ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1);
-+ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) {
-+ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "socks5://%s:%s@%s:%d",
-+ options->Socks5ProxyUsername,
-+ options->Socks5ProxyPassword,
-+ addr, options->Socks5ProxyPort);
-+ }
-+ } else if (options->HTTPSProxy) {
-+ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1);
-+ if (!options->HTTPSProxyAuthenticator) {
-+ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator,
-+ addr, options->HTTPSProxyPort);
-+ }
-+ }
-+ }
-+
-+ return uri;
-+}
-+
- /** Handle a configured or broken managed proxy <b>mp</b>. */
- static void
- handle_finished_proxy(managed_proxy_t *mp)
-@@ -745,6 +803,12 @@ handle_finished_proxy(managed_proxy_t *mp)
- managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */
- break;
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
-+ if (mp->proxy_uri && !mp->proxy_supported) {
-+ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-+ "specified outgoing proxy.", mp->argv[0]);
-+ managed_proxy_destroy(mp, 1); /* annihilate it. */
-+ break;
-+ }
- register_proxy(mp); /* register its transports */
- mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */
- break;
-@@ -862,6 +926,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp)
- goto err;
-
- return;
-+ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ if (mp->proxy_uri) {
-+ mp->proxy_supported = 1;
-+ return;
-+ }
-+
-+ /* No proxy was configured, this should log */
-+ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ parse_proxy_error(line);
-+ goto err;
- } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) {
- /* managed proxy launch failed: parse error message to learn why. */
- int retval, child_state, saved_errno;
-@@ -1128,6 +1208,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp)
- return r;
- }
-
-+/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */
-+STATIC void
-+parse_proxy_error(const char *line)
-+{
-+ /* (Length of the protocol string) plus (a space) and (the first char of
-+ the error message) */
-+ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2))
-+ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error "
-+ "message.", PROTO_PROXY_ERROR);
-+
-+ log_warn(LD_CONFIG, "Managed proxy failed to configure the "
-+ "pluggable transport's outgoing proxy. (%s)",
-+ line+strlen(PROTO_PROXY_ERROR)+1);
-+}
-+
- /** Return a newly allocated string that tor should place in
- * TOR_PT_SERVER_TRANSPORT_OPTIONS while configuring the server
- * manged proxy in <b>mp</b>. Return NULL if no such options are found. */
-@@ -1292,6 +1387,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp)
- } else {
- smartlist_add_asprintf(envs, "TOR_PT_EXTENDED_SERVER_PORT=");
- }
-+ } else {
-+ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the
-+ * TOR_PT_PROXY line.
-+ */
-+
-+ if (mp->proxy_uri) {
-+ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri);
-+ }
- }
-
- SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) {
-@@ -1324,6 +1427,7 @@ managed_proxy_create(const smartlist_t *transport_list,
- mp->is_server = is_server;
- mp->argv = proxy_argv;
- mp->transports = smartlist_new();
-+ mp->proxy_uri = get_pt_proxy_uri();
-
- mp->transports_to_launch = smartlist_new();
- SMARTLIST_FOREACH(transport_list, const char *, transport,
-diff --git a/src/or/transports.h b/src/or/transports.h
-index 1365ead..bc2331d 100644
---- a/src/or/transports.h
-+++ b/src/or/transports.h
-@@ -81,6 +81,9 @@ typedef struct {
- char **argv; /* the cli arguments of this proxy */
- int conf_protocol; /* the configuration protocol version used */
-
-+ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */
-+ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */
-+
- int is_server; /* is it a server proxy? */
-
- /* A pointer to the process handle of this managed proxy. */
-@@ -112,6 +115,7 @@ STATIC int parse_smethod_line(const char *line, managed_proxy_t *mp);
-
- STATIC int parse_version(const char *line, managed_proxy_t *mp);
- STATIC void parse_env_error(const char *line);
-+STATIC void parse_proxy_error(const char *line);
- STATIC void handle_proxy_line(const char *line, managed_proxy_t *mp);
- STATIC char *get_transport_options_for_server_proxy(const managed_proxy_t *mp);
-
-@@ -123,6 +127,8 @@ STATIC managed_proxy_t *managed_proxy_create(const smartlist_t *transport_list,
-
- STATIC int configure_proxy(managed_proxy_t *mp);
-
-+STATIC char* get_pt_proxy_uri(void);
-+
- #endif
-
- #endif
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index f71627d..788d420 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -450,6 +450,85 @@ test_pt_configure_proxy(void *arg)
- tor_free(mp);
- }
-
-+/* Test the get_pt_proxy_uri() function. */
-+static void
-+test_get_pt_proxy_uri(void *arg)
-+{
-+ or_options_t *options = get_options_mutable();
-+ char *uri = NULL;
-+ int ret;
-+ (void) arg;
-+
-+ /* Test with no proxy. */
-+ uri = get_pt_proxy_uri();
-+ tt_assert(uri == NULL);
-+
-+ /* Test with a SOCKS4 proxy. */
-+ options->Socks4Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks4Proxy = NULL;
-+
-+ /* Test with a SOCKS5 proxy, no username/password. */
-+ options->Socks5Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks5Proxy,
-+ &options->Socks5ProxyAddr,
-+ &options->Socks5ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ /* Test with a SOCKS5 proxy, with username/password. */
-+ options->Socks5ProxyUsername = "hwest";
-+ options->Socks5ProxyPassword = "r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks5Proxy = NULL;
-+
-+ /* Test with a HTTPS proxy, no authenticator. */
-+ options->HTTPSProxy = "192.0.2.1:80";
-+ ret = tor_addr_port_lookup(options->HTTPSProxy,
-+ &options->HTTPSProxyAddr,
-+ &options->HTTPSProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://192.0.2.1:80");
-+ tor_free(uri);
-+
-+ /* Test with a HTTPS proxy, with authenticator. */
-+ options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
-+ tor_free(uri);
-+
-+ options->HTTPSProxy = NULL;
-+
-+ /* Token nod to the fact that IPv6 exists. */
-+ options->Socks4Proxy = "[2001:db8::1]:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
-+ tor_free(uri);
-+
-+
-+ done:
-+ if (uri)
-+ tor_free(uri);
-+}
-+
-+
- #define PT_LEGACY(name) \
- { #name, legacy_test_helper, 0, &legacy_setup, test_pt_ ## name }
-
-@@ -462,6 +541,8 @@ struct testcase_t pt_tests[] = {
- NULL, NULL },
- { "configure_proxy",test_pt_configure_proxy, TT_FORK,
- NULL, NULL },
-+ { "get_pt_proxy_uri", test_get_pt_proxy_uri, TT_FORK,
-+ NULL, NULL },
- END_OF_TESTCASES
- };
-
---
-2.0.0.rc2
-
-
-From 92eecbfee128b22b07bcc97ac36ecdd5183c2da7 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 14 Apr 2014 21:51:34 +0000
-Subject: [PATCH 2/5] Fixed the test build with --enable-gcc-warnings
-
----
- src/test/test_pt.c | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index 788d420..cfbd084 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -464,7 +464,7 @@ test_get_pt_proxy_uri(void *arg)
- tt_assert(uri == NULL);
-
- /* Test with a SOCKS4 proxy. */
-- options->Socks4Proxy = "192.0.2.1:1080";
-+ options->Socks4Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -472,11 +472,10 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks4Proxy = NULL;
-+ tor_free(options->Socks4Proxy);
-
- /* Test with a SOCKS5 proxy, no username/password. */
-- options->Socks5Proxy = "192.0.2.1:1080";
-+ options->Socks5Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks5Proxy,
- &options->Socks5ProxyAddr,
- &options->Socks5ProxyPort);
-@@ -486,16 +485,17 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a SOCKS5 proxy, with username/password. */
-- options->Socks5ProxyUsername = "hwest";
-- options->Socks5ProxyPassword = "r34n1m470r";
-+ options->Socks5ProxyUsername = tor_strdup("hwest");
-+ options->Socks5ProxyPassword = tor_strdup("r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks5Proxy = NULL;
-+ tor_free(options->Socks5Proxy);
-+ tor_free(options->Socks5ProxyUsername);
-+ tor_free(options->Socks5ProxyPassword);
-
- /* Test with a HTTPS proxy, no authenticator. */
-- options->HTTPSProxy = "192.0.2.1:80";
-+ options->HTTPSProxy = tor_strdup("192.0.2.1:80");
- ret = tor_addr_port_lookup(options->HTTPSProxy,
- &options->HTTPSProxyAddr,
- &options->HTTPSProxyPort);
-@@ -505,15 +505,15 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a HTTPS proxy, with authenticator. */
-- options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ options->HTTPSProxyAuthenticator = tor_strdup("hwest:r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
- tor_free(uri);
--
-- options->HTTPSProxy = NULL;
-+ tor_free(options->HTTPSProxy);
-+ tor_free(options->HTTPSProxyAuthenticator);
-
- /* Token nod to the fact that IPv6 exists. */
-- options->Socks4Proxy = "[2001:db8::1]:1080";
-+ options->Socks4Proxy = tor_strdup("[2001:db8::1]:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -521,7 +521,7 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
- tor_free(uri);
--
-+ tor_free(options->Socks4Proxy);
-
- done:
- if (uri)
---
-2.0.0.rc2
-
-
-From 8361223c10eb929b570e72853a5d9e51b67fd6c3 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:30:09 +0000
-Subject: [PATCH 3/5] Remove get_bridge_pt_addrport().
-
-The code was not disambiguating ClientTransportPlugin configured and
-not used, and ClientTransportPlugin configured, but in a failed state.
-
-The right thing to do is to undo moving the get_transport_by_addrport()
-call back into get_proxy_addrport(), and remove and explicit check for
-using a Bridge since by the time the check is made, if a Bridge is
-being used, it is PT/proxy-less.
----
- src/or/connection.c | 46 ++++++++++++----------------------------------
- 1 file changed, 12 insertions(+), 34 deletions(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index b32cddf..ff8cdf1 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,8 +86,6 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
--static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-- int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -4773,35 +4771,6 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-- * pluggable transport or bridge we are using.
-- * <b>conn</b> contains the connection we are using the PT/bridge for.
-- *
-- * Return 0 on success, -1 on failure.
-- */
--static int
--get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-- const connection_t *conn)
--{
-- const or_options_t *options = get_options();
--
-- if (options->ClientTransportPlugin || options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-- }
--
-- return -1;
--}
--
--/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4819,8 +4788,19 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- * the config to have unused ClientTransportPlugin entries.
- */
- if (options->ClientTransportPlugin) {
-- if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
- return 0;
-+ }
-+
-+ /* Unused ClientTransportPlugin. */
- }
-
- if (options->HTTPSProxy) {
-@@ -4838,8 +4818,6 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->Bridges) {
-- return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
---
-2.0.0.rc2
-
-
-From 68184b317d3f4dc14e758e451377e4e3996bd0ab Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:43:53 +0000
-Subject: [PATCH 4/5] Log the correct proxy type on failure.
-
-get_proxy_addrport fills in proxy_type with the correct value, so there
-is no point in logging something that's a "best guess" based off the
-config.
----
- src/or/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index ff8cdf1..5069ed6 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -4841,7 +4841,7 @@ log_failed_proxy_connection(connection_t *conn)
- log_warn(LD_NET,
- "The connection to the %s proxy server at %s just failed. "
- "Make sure that the proxy server is up and running.",
-- proxy_type_to_string(get_proxy_type()),
-+ proxy_type_to_string(proxy_type),
- fmt_addrport(&proxy_addr, proxy_port));
- }
-
---
-2.0.0.rc2
-
-
-From 34200a44fbbd3f158ea17043c2bcd21d0e382b89 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 18:58:53 +0000
-Subject: [PATCH 5/5] Improve the log message when a transport doesn't support
- proxies.
-
-Per feedback, explicltly note that the transport will be killed when it
-does not acknowledge the configured outgoing proxy.
----
- src/or/transports.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/or/transports.c b/src/or/transports.c
-index b810315..eee159d 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -805,7 +805,8 @@ handle_finished_proxy(managed_proxy_t *mp)
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
- if (mp->proxy_uri && !mp->proxy_supported) {
- log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-- "specified outgoing proxy.", mp->argv[0]);
-+ "specified outgoing proxy and will be terminated.",
-+ mp->argv[0]);
- managed_proxy_destroy(mp, 1); /* annihilate it. */
- break;
- }
---
-2.0.0.rc2
-
diff --git a/gitian/patches/bug8405.patch b/gitian/patches/bug8405.patch
deleted file mode 100644
index 3c40632..0000000
--- a/gitian/patches/bug8405.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From a298c77f7eba232154ff08ca1119b05ccd9eee9e Mon Sep 17 00:00:00 2001
-From: Arthur Edelstein <arthuredelstein(a)gmail.com>
-Date: Tue, 15 Jul 2014 21:27:59 -0700
-Subject: [PATCH] Bug #8405: Report SOCKS username/password in CIRC status
- events
-
-Introduces two new circuit status name-value parameters: SOCKS_USERNAME
-and SOCKS_PASSWORD. Values are enclosing in quotes and unusual characters
-are escaped.
-
-Example:
-
- 650 CIRC 5 EXTENDED [...] SOCKS_USERNAME="my_username" SOCKS_PASSWORD="my_password"
----
- src/common/util.c | 14 ++++++++++++++
- src/common/util.h | 1 +
- src/or/control.c | 14 ++++++++++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/src/common/util.c b/src/common/util.c
-index 8589344..64cee56 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1222,6 +1222,20 @@ esc_for_log(const char *s)
- return result;
- }
-
-+/** Similar to esc_for_log. Allocate and return a new string representing
-+ * the first n characters in <b>chars</b>, surround by quotes and using
-+ * standard C escapes. If a NUL character is encountered in <b>chars</b>,
-+ * the resulting string will be terminated there.
-+ */
-+char *
-+esc_for_log_len(const char *chars, size_t n)
-+{
-+ char *string = tor_strndup(chars, n);
-+ char *string_escaped = esc_for_log(string);
-+ tor_free(string);
-+ return string_escaped;
-+}
-+
- /** Allocate and return a new string representing the contents of <b>s</b>,
- * surrounded by quotes and using standard C escapes.
- *
-diff --git a/src/common/util.h b/src/common/util.h
-index 97367a9..50c5a3d 100644
---- a/src/common/util.h
-+++ b/src/common/util.h
-@@ -229,6 +229,7 @@ int tor_mem_is_zero(const char *mem, size_t len);
- int tor_digest_is_zero(const char *digest);
- int tor_digest256_is_zero(const char *digest);
- char *esc_for_log(const char *string) ATTR_MALLOC;
-+char *esc_for_log_len(const char *chars, size_t n) ATTR_MALLOC;
- const char *escaped(const char *string);
-
- char *tor_escape_str_for_pt_args(const char *string,
-diff --git a/src/or/control.c b/src/or/control.c
-index 9285fc5..aa46df6 100644
---- a/src/or/control.c
-+++ b/src/or/control.c
-@@ -1862,6 +1862,20 @@ circuit_describe_status_for_controller(origin_circuit_t *circ)
- smartlist_add_asprintf(descparts, "TIME_CREATED=%s", tbuf);
- }
-
-+ // Show username and/or password if available.
-+ if (circ->socks_username_len > 0) {
-+ char* socks_username_escaped = esc_for_log_len(circ->socks_username,
-+ (size_t) circ->socks_username_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_USERNAME=%s", socks_username_escaped);
-+ tor_free(socks_username_escaped);
-+ }
-+ if (circ->socks_password_len > 0) {
-+ char* socks_password_escaped = esc_for_log_len(circ->socks_password,
-+ (size_t) circ->socks_password_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_PASSWORD=%s", socks_password_escaped);
-+ tor_free(socks_password_escaped);
-+ }
-+
- rv = smartlist_join_strings(descparts, " ", 0, NULL);
-
- SMARTLIST_FOREACH(descparts, char *, cp, tor_free(cp));
---
-1.8.3.4 (Apple Git-47)
-

10 Dec '15
commit 9fc1f843da2a43bc7d3a8b53964e984dd86476e3
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 09:04:42 2015 +0000
Bug 17801: Remove special tor patches
---
gitian/descriptors/linux/gitian-tor.yml | 14 -
gitian/descriptors/mac/gitian-tor.yml | 14 -
gitian/descriptors/windows/gitian-tor.yml | 14 -
gitian/patches/bug15482.patch | 40 --
gitian/patches/bug16430.patch | 93 ----
gitian/patches/bug16674.patch | 74 ---
gitian/patches/bug8402-master.patch | 732 -----------------------------
gitian/patches/bug8405.patch | 84 ----
8 files changed, 1065 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index d8e3557..0e35d2f 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -19,11 +19,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "dzip.sh"
- "openssl-linux32-utils.zip"
- "openssl-linux64-utils.zip"
@@ -76,15 +71,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 857b5de..a6824c0 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
- "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
- "dzip.sh"
@@ -54,15 +49,6 @@ script: |
export LDFLAGS="-m64 -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/ -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/system/ -mmacosx-version-min=10.5"
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 601dc4e..63b527a 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "binutils.tar.bz2"
- "dzip.sh"
- "mingw-w64-win32-utils.zip"
@@ -54,15 +49,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
# We are building normal bundles without the console popping up and expert
diff --git a/gitian/patches/bug15482.patch b/gitian/patches/bug15482.patch
deleted file mode 100644
index df8a156..0000000
--- a/gitian/patches/bug15482.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 748414784f71126b093aa7466908e00f71a7b046 Mon Sep 17 00:00:00 2001
-From: Mike Perry <mikeperry-git(a)torproject.org>
-Date: Fri, 27 Mar 2015 12:57:37 -0700
-Subject: [PATCH] Bug 15482: Don't abandon circuits that are still in use for
- browsing.
-
-Only applies to connections with SOCKS auth set, so that non-web Tor
-activity is not affected.
-
-Simpler version of Nick's patch because the randomness worried me, and I'm not
-otherwise sure why we want a max here.
----
- src/or/circuituse.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/or/circuituse.c b/src/or/circuituse.c
-index d0d31ad..6cce4bf 100644
---- a/src/or/circuituse.c
-+++ b/src/or/circuituse.c
-@@ -2264,8 +2264,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn,
-
- base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
-
-- if (!circ->base_.timestamp_dirty)
-- circ->base_.timestamp_dirty = time(NULL);
-+ if (!circ->base_.timestamp_dirty) {
-+ circ->base_.timestamp_dirty = approx_time();
-+ } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
-+ (conn->socks_request->usernamelen ||
-+ conn->socks_request->passwordlen)) {
-+ /* When stream isolation is in use and controlled by an application
-+ * we are willing to keep using the stream. */
-+ circ->base_.timestamp_dirty = approx_time();
-+ }
-
- pathbias_count_use_attempt(circ);
-
---
-1.9.1
-
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
deleted file mode 100644
index 81bbe3e..0000000
--- a/gitian/patches/bug16430.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Wed, 24 Jun 2015 13:52:29 +0000
-Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
- checks.
-
-RFC 952 is approximately 30 years old, and people are failing to comply,
-by serving A records with '_' as part of the hostname. Since relaxing
-the check is a QOL improvement for our userbase, relax the check to
-allow such abominations as destinations, especially since there are
-likely to be other similarly misconfigured domains out there.
----
- changes/bug16430 | 4 ++++
- src/common/util.c | 7 +++++--
- src/test/test_util.c | 9 +++++++--
- 3 files changed, 16 insertions(+), 4 deletions(-)
- create mode 100644 changes/bug16430
-
-diff --git a/changes/bug16430 b/changes/bug16430
-new file mode 100644
-index 0000000..ca7b874
---- /dev/null
-+++ b/changes/bug16430
-@@ -0,0 +1,4 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ '_' to cope with domains observed in the wild that are serving non-RFC
-+ compliant records. Resolves ticket 16430.
-diff --git a/src/common/util.c b/src/common/util.c
-index 942d0c2..4490150 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
-
- /** Return true iff <b>string</b> matches a pattern of DNS names
- * that we allow Tor clients to connect to.
-+ *
-+ * Note: This allows certain technically invalid characters ('_') to cope
-+ * with misconfigured zones that have been encountered in the wild.
- */
- int
- string_is_valid_hostname(const char *string)
-@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
- smartlist_split_string(components,string,".",0,0);
-
- SMARTLIST_FOREACH_BEGIN(components, char *, c) {
-- if (c[0] == '-') {
-+ if ((c[0] == '-') || (*c == '_')) {
- result = 0;
- break;
- }
-@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
- (*c >= '0' && *c <= '9') ||
-- (*c == '-'))
-+ (*c == '-') || (*c == '_'))
- c++;
- else
- result = 0;
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index b0366db..0f64c26 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
- tt_assert(string_is_valid_hostname("stanford.edu"));
- tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
-
-- // Subdomain name cannot start with '-'.
-+ // Subdomain name cannot start with '-' or '_'.
- tt_assert(!string_is_valid_hostname("-torproject.org"));
- tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
- tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
-+ tt_assert(!string_is_valid_hostname("___abc.org"));
-
- // Hostnames cannot contain non-alphanumeric characters.
- tt_assert(!string_is_valid_hostname("%%domain.\\org."));
- tt_assert(!string_is_valid_hostname("***x.net"));
-- tt_assert(!string_is_valid_hostname("___abc.org"));
- tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
- tt_assert(!string_is_valid_hostname("word1 word2.net"));
-
-+ // Test workaround for nytimes.com stupidity, technically invalid,
-+ // but we allow it since they are big, even though they are failing to
-+ // comply with a ~30 year old standard.
-+ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-+
- // XXX: do we allow single-label DNS names?
-
- done:
---
-1.9.1
-
diff --git a/gitian/patches/bug16674.patch b/gitian/patches/bug16674.patch
deleted file mode 100644
index 9497684..0000000
--- a/gitian/patches/bug16674.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 27 Jul 2015 12:58:40 +0000
-Subject: [PATCH] Allow a single trailing `.` when validating FQDNs from SOCKS.
-
-URI syntax (and DNS syntax) allows for a single trailing `.` to
-explicitly distinguish between a relative and absolute
-(fully-qualified) domain name. While this is redundant in that RFC 1928
-DOMAINNAME addresses are *always* fully-qualified, certain clients
-blindly pass the trailing `.` along in the request.
-
-Fixes bug 16674; bugfix on 0.2.6.2-alpha.
----
- changes/bug16674 | 5 +++++
- src/common/util.c | 6 ++++++
- src/test/test_util.c | 12 ++++++++++++
- 3 files changed, 23 insertions(+)
- create mode 100644 changes/bug16674
-
-diff --git a/changes/bug16674 b/changes/bug16674
-new file mode 100644
-index 0000000..de55523
---- /dev/null
-+++ b/changes/bug16674
-@@ -0,0 +1,5 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ a single trailing '.' to cope with clients that pass FQDNs using that
-+ syntax to explicitly indicate that the domain name is
-+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
-diff --git a/src/common/util.c b/src/common/util.c
-index 618e6a1..1aac4fc 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string)
- break;
- }
-
-+ /* Allow a single terminating '.' used rarely to indicate domains
-+ * are FQDNs rather than relative. */
-+ if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) {
-+ continue;
-+ }
-+
- do {
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index 0f64c26..2bffb17 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg)
- // comply with a ~30 year old standard.
- tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-
-+ // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy,
-+ // which is redundant since the spec states DOMAINNAME addresses are fully
-+ // qualified. While unusual, this should be tollerated.
-+ tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com."));
-+ tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com"));
-+ tt_assert(!string_is_valid_hostname("so.is..ft.com"));
-+ tt_assert(!string_is_valid_hostname("..."));
-+
- // XXX: do we allow single-label DNS names?
-+ // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name"
-+ // but only test pathologically malformed traling '.' cases for now.
-+ tt_assert(!string_is_valid_hostname("."));
-+ tt_assert(!string_is_valid_hostname(".."));
-
- done:
- return;
---
-1.9.1
-
diff --git a/gitian/patches/bug8402-master.patch b/gitian/patches/bug8402-master.patch
deleted file mode 100644
index 5a6386a..0000000
--- a/gitian/patches/bug8402-master.patch
+++ /dev/null
@@ -1,732 +0,0 @@
-From 9d7410ac5837658efa9b2d7d85c0c71f09a7a759 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Tue, 25 Mar 2014 07:21:22 +0000
-Subject: [PATCH 1/5] Allow ClientTransportPlugins to use proxies
-
-This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with
-ClientTransportPlugins via the TOR_PT_PROXY extension to the
-pluggable transport specification.
-
-This fixes bug #8402.
----
- src/or/config.c | 13 ++++--
- src/or/connection.c | 62 +++++++++++++++++++++--------
- src/or/transports.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++--
- src/or/transports.h | 6 +++
- src/test/test_pt.c | 81 +++++++++++++++++++++++++++++++++++++
- 5 files changed, 251 insertions(+), 23 deletions(-)
-
-diff --git a/src/or/config.c b/src/or/config.c
-index 0f7b1d2..b33098e 100644
---- a/src/or/config.c
-+++ b/src/or/config.c
-@@ -3174,11 +3174,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
- }
- }
-
-- /* Check if more than one proxy type has been enabled. */
-+ /* Check if more than one exclusive proxy type has been enabled. */
- if (!!options->Socks4Proxy + !!options->Socks5Proxy +
-- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1)
-+ !!options->HTTPSProxy > 1)
- REJECT("You have configured more than one proxy type. "
-- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)");
-+ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-
- /* Check if the proxies will give surprising behavior. */
- if (options->HTTPProxy && !(options->Socks4Proxy ||
-@@ -4842,6 +4842,13 @@ parse_client_transport_line(const or_options_t *options,
- pt_kickstart_client_proxy(transport_list, proxy_argv);
- }
- } else { /* external */
-+ /* ClientTransportPlugins connecting through a proxy is managed only. */
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ log_warn(LD_CONFIG, "You have configured an external proxy with another "
-+ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-+ goto err;
-+ }
-+
- if (smartlist_len(transport_list) != 1) {
- log_warn(LD_CONFIG, "You can't have an external proxy with "
- "more than one transports.");
-diff --git a/src/or/connection.c b/src/or/connection.c
-index cef9172..b32cddf 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,6 +86,8 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
-+static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-+ int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -1689,14 +1691,14 @@ get_proxy_type(void)
- {
- const or_options_t *options = get_options();
-
-- if (options->HTTPSProxy)
-+ if (options->ClientTransportPlugin)
-+ return PROXY_PLUGGABLE;
-+ else if (options->HTTPSProxy)
- return PROXY_CONNECT;
- else if (options->Socks4Proxy)
- return PROXY_SOCKS4;
- else if (options->Socks5Proxy)
- return PROXY_SOCKS5;
-- else if (options->ClientTransportPlugin)
-- return PROXY_PLUGGABLE;
- else
- return PROXY_NONE;
- }
-@@ -4771,6 +4773,35 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-+ * pluggable transport or bridge we are using.
-+ * <b>conn</b> contains the connection we are using the PT/bridge for.
-+ *
-+ * Return 0 on success, -1 on failure.
-+ */
-+static int
-+get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-+ const connection_t *conn)
-+{
-+ const or_options_t *options = get_options();
-+
-+ if (options->ClientTransportPlugin || options->Bridges) {
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
-+ return 0;
-+ }
-+ }
-+
-+ return -1;
-+}
-+
-+/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4782,6 +4813,16 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- {
- const or_options_t *options = get_options();
-
-+ /* Client Transport Plugins can use another proxy, but that should be hidden
-+ * from the rest of tor (as the plugin is responsible for dealing with the
-+ * proxy), check it first, then check the rest of the proxy types to allow
-+ * the config to have unused ClientTransportPlugin entries.
-+ */
-+ if (options->ClientTransportPlugin) {
-+ if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ return 0;
-+ }
-+
- if (options->HTTPSProxy) {
- tor_addr_copy(addr, &options->HTTPSProxyAddr);
- *port = options->HTTPSProxyPort;
-@@ -4797,19 +4838,8 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->ClientTransportPlugin ||
-- options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-+ } else if (options->Bridges) {
-+ return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
-diff --git a/src/or/transports.c b/src/or/transports.c
-index dc30754..b810315 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -124,6 +124,8 @@ static INLINE void free_execve_args(char **arg);
- #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR"
- #define PROTO_CMETHODS_DONE "CMETHODS DONE"
- #define PROTO_SMETHODS_DONE "SMETHODS DONE"
-+#define PROTO_PROXY_DONE "PROXY DONE"
-+#define PROTO_PROXY_ERROR "PROXY-ERROR"
-
- /** The first and only supported - at the moment - configuration
- protocol version. */
-@@ -439,6 +441,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp)
- static int
- proxy_needs_restart(const managed_proxy_t *mp)
- {
-+ int ret = 1;
-+ char* proxy_uri;
-+
-+ /* If the PT proxy config has changed, then all existing pluggable transports
-+ * should be restarted.
-+ */
-+
-+ proxy_uri = get_pt_proxy_uri();
-+ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0)
-+ goto needs_restart;
-+
- /* mp->transport_to_launch is populated with the names of the
- transports that must be launched *after* the SIGHUP.
- mp->transports is populated with the transports that were
-@@ -459,10 +472,10 @@ proxy_needs_restart(const managed_proxy_t *mp)
-
- } SMARTLIST_FOREACH_END(t);
-
-- return 0;
--
-- needs_restart:
-- return 1;
-+ ret = 0;
-+needs_restart:
-+ tor_free(proxy_uri);
-+ return ret;
- }
-
- /** Managed proxy <b>mp</b> must be restarted. Do all the necessary
-@@ -493,6 +506,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp)
- SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t));
- smartlist_clear(mp->transports);
-
-+ /* Reset the proxy's HTTPS/SOCKS proxy */
-+ tor_free(mp->proxy_uri);
-+ mp->proxy_uri = get_pt_proxy_uri();
-+ mp->proxy_supported = 0;
-+
- /* flag it as an infant proxy so that it gets launched on next tick */
- mp->conf_state = PT_PROTO_INFANT;
- unconfigured_proxies_n++;
-@@ -727,12 +745,52 @@ managed_proxy_destroy(managed_proxy_t *mp,
- /* free the argv */
- free_execve_args(mp->argv);
-
-+ /* free the outgoing proxy URI */
-+ tor_free(mp->proxy_uri);
-+
- tor_process_handle_destroy(mp->process_handle, also_terminate_process);
- mp->process_handle = NULL;
-
- tor_free(mp);
- }
-
-+/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */
-+STATIC char *
-+get_pt_proxy_uri(void)
-+{
-+ const or_options_t *options = get_options();
-+ char *uri = NULL;
-+
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ char addr[TOR_ADDR_BUF_LEN+1];
-+
-+ if (options->Socks4Proxy) {
-+ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1);
-+ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort);
-+ } else if (options->Socks5Proxy) {
-+ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1);
-+ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) {
-+ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "socks5://%s:%s@%s:%d",
-+ options->Socks5ProxyUsername,
-+ options->Socks5ProxyPassword,
-+ addr, options->Socks5ProxyPort);
-+ }
-+ } else if (options->HTTPSProxy) {
-+ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1);
-+ if (!options->HTTPSProxyAuthenticator) {
-+ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator,
-+ addr, options->HTTPSProxyPort);
-+ }
-+ }
-+ }
-+
-+ return uri;
-+}
-+
- /** Handle a configured or broken managed proxy <b>mp</b>. */
- static void
- handle_finished_proxy(managed_proxy_t *mp)
-@@ -745,6 +803,12 @@ handle_finished_proxy(managed_proxy_t *mp)
- managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */
- break;
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
-+ if (mp->proxy_uri && !mp->proxy_supported) {
-+ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-+ "specified outgoing proxy.", mp->argv[0]);
-+ managed_proxy_destroy(mp, 1); /* annihilate it. */
-+ break;
-+ }
- register_proxy(mp); /* register its transports */
- mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */
- break;
-@@ -862,6 +926,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp)
- goto err;
-
- return;
-+ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ if (mp->proxy_uri) {
-+ mp->proxy_supported = 1;
-+ return;
-+ }
-+
-+ /* No proxy was configured, this should log */
-+ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ parse_proxy_error(line);
-+ goto err;
- } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) {
- /* managed proxy launch failed: parse error message to learn why. */
- int retval, child_state, saved_errno;
-@@ -1128,6 +1208,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp)
- return r;
- }
-
-+/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */
-+STATIC void
-+parse_proxy_error(const char *line)
-+{
-+ /* (Length of the protocol string) plus (a space) and (the first char of
-+ the error message) */
-+ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2))
-+ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error "
-+ "message.", PROTO_PROXY_ERROR);
-+
-+ log_warn(LD_CONFIG, "Managed proxy failed to configure the "
-+ "pluggable transport's outgoing proxy. (%s)",
-+ line+strlen(PROTO_PROXY_ERROR)+1);
-+}
-+
- /** Return a newly allocated string that tor should place in
- * TOR_PT_SERVER_TRANSPORT_OPTIONS while configuring the server
- * manged proxy in <b>mp</b>. Return NULL if no such options are found. */
-@@ -1292,6 +1387,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp)
- } else {
- smartlist_add_asprintf(envs, "TOR_PT_EXTENDED_SERVER_PORT=");
- }
-+ } else {
-+ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the
-+ * TOR_PT_PROXY line.
-+ */
-+
-+ if (mp->proxy_uri) {
-+ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri);
-+ }
- }
-
- SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) {
-@@ -1324,6 +1427,7 @@ managed_proxy_create(const smartlist_t *transport_list,
- mp->is_server = is_server;
- mp->argv = proxy_argv;
- mp->transports = smartlist_new();
-+ mp->proxy_uri = get_pt_proxy_uri();
-
- mp->transports_to_launch = smartlist_new();
- SMARTLIST_FOREACH(transport_list, const char *, transport,
-diff --git a/src/or/transports.h b/src/or/transports.h
-index 1365ead..bc2331d 100644
---- a/src/or/transports.h
-+++ b/src/or/transports.h
-@@ -81,6 +81,9 @@ typedef struct {
- char **argv; /* the cli arguments of this proxy */
- int conf_protocol; /* the configuration protocol version used */
-
-+ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */
-+ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */
-+
- int is_server; /* is it a server proxy? */
-
- /* A pointer to the process handle of this managed proxy. */
-@@ -112,6 +115,7 @@ STATIC int parse_smethod_line(const char *line, managed_proxy_t *mp);
-
- STATIC int parse_version(const char *line, managed_proxy_t *mp);
- STATIC void parse_env_error(const char *line);
-+STATIC void parse_proxy_error(const char *line);
- STATIC void handle_proxy_line(const char *line, managed_proxy_t *mp);
- STATIC char *get_transport_options_for_server_proxy(const managed_proxy_t *mp);
-
-@@ -123,6 +127,8 @@ STATIC managed_proxy_t *managed_proxy_create(const smartlist_t *transport_list,
-
- STATIC int configure_proxy(managed_proxy_t *mp);
-
-+STATIC char* get_pt_proxy_uri(void);
-+
- #endif
-
- #endif
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index f71627d..788d420 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -450,6 +450,85 @@ test_pt_configure_proxy(void *arg)
- tor_free(mp);
- }
-
-+/* Test the get_pt_proxy_uri() function. */
-+static void
-+test_get_pt_proxy_uri(void *arg)
-+{
-+ or_options_t *options = get_options_mutable();
-+ char *uri = NULL;
-+ int ret;
-+ (void) arg;
-+
-+ /* Test with no proxy. */
-+ uri = get_pt_proxy_uri();
-+ tt_assert(uri == NULL);
-+
-+ /* Test with a SOCKS4 proxy. */
-+ options->Socks4Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks4Proxy = NULL;
-+
-+ /* Test with a SOCKS5 proxy, no username/password. */
-+ options->Socks5Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks5Proxy,
-+ &options->Socks5ProxyAddr,
-+ &options->Socks5ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ /* Test with a SOCKS5 proxy, with username/password. */
-+ options->Socks5ProxyUsername = "hwest";
-+ options->Socks5ProxyPassword = "r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks5Proxy = NULL;
-+
-+ /* Test with a HTTPS proxy, no authenticator. */
-+ options->HTTPSProxy = "192.0.2.1:80";
-+ ret = tor_addr_port_lookup(options->HTTPSProxy,
-+ &options->HTTPSProxyAddr,
-+ &options->HTTPSProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://192.0.2.1:80");
-+ tor_free(uri);
-+
-+ /* Test with a HTTPS proxy, with authenticator. */
-+ options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
-+ tor_free(uri);
-+
-+ options->HTTPSProxy = NULL;
-+
-+ /* Token nod to the fact that IPv6 exists. */
-+ options->Socks4Proxy = "[2001:db8::1]:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
-+ tor_free(uri);
-+
-+
-+ done:
-+ if (uri)
-+ tor_free(uri);
-+}
-+
-+
- #define PT_LEGACY(name) \
- { #name, legacy_test_helper, 0, &legacy_setup, test_pt_ ## name }
-
-@@ -462,6 +541,8 @@ struct testcase_t pt_tests[] = {
- NULL, NULL },
- { "configure_proxy",test_pt_configure_proxy, TT_FORK,
- NULL, NULL },
-+ { "get_pt_proxy_uri", test_get_pt_proxy_uri, TT_FORK,
-+ NULL, NULL },
- END_OF_TESTCASES
- };
-
---
-2.0.0.rc2
-
-
-From 92eecbfee128b22b07bcc97ac36ecdd5183c2da7 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 14 Apr 2014 21:51:34 +0000
-Subject: [PATCH 2/5] Fixed the test build with --enable-gcc-warnings
-
----
- src/test/test_pt.c | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index 788d420..cfbd084 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -464,7 +464,7 @@ test_get_pt_proxy_uri(void *arg)
- tt_assert(uri == NULL);
-
- /* Test with a SOCKS4 proxy. */
-- options->Socks4Proxy = "192.0.2.1:1080";
-+ options->Socks4Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -472,11 +472,10 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks4Proxy = NULL;
-+ tor_free(options->Socks4Proxy);
-
- /* Test with a SOCKS5 proxy, no username/password. */
-- options->Socks5Proxy = "192.0.2.1:1080";
-+ options->Socks5Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks5Proxy,
- &options->Socks5ProxyAddr,
- &options->Socks5ProxyPort);
-@@ -486,16 +485,17 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a SOCKS5 proxy, with username/password. */
-- options->Socks5ProxyUsername = "hwest";
-- options->Socks5ProxyPassword = "r34n1m470r";
-+ options->Socks5ProxyUsername = tor_strdup("hwest");
-+ options->Socks5ProxyPassword = tor_strdup("r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks5Proxy = NULL;
-+ tor_free(options->Socks5Proxy);
-+ tor_free(options->Socks5ProxyUsername);
-+ tor_free(options->Socks5ProxyPassword);
-
- /* Test with a HTTPS proxy, no authenticator. */
-- options->HTTPSProxy = "192.0.2.1:80";
-+ options->HTTPSProxy = tor_strdup("192.0.2.1:80");
- ret = tor_addr_port_lookup(options->HTTPSProxy,
- &options->HTTPSProxyAddr,
- &options->HTTPSProxyPort);
-@@ -505,15 +505,15 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a HTTPS proxy, with authenticator. */
-- options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ options->HTTPSProxyAuthenticator = tor_strdup("hwest:r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
- tor_free(uri);
--
-- options->HTTPSProxy = NULL;
-+ tor_free(options->HTTPSProxy);
-+ tor_free(options->HTTPSProxyAuthenticator);
-
- /* Token nod to the fact that IPv6 exists. */
-- options->Socks4Proxy = "[2001:db8::1]:1080";
-+ options->Socks4Proxy = tor_strdup("[2001:db8::1]:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -521,7 +521,7 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
- tor_free(uri);
--
-+ tor_free(options->Socks4Proxy);
-
- done:
- if (uri)
---
-2.0.0.rc2
-
-
-From 8361223c10eb929b570e72853a5d9e51b67fd6c3 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:30:09 +0000
-Subject: [PATCH 3/5] Remove get_bridge_pt_addrport().
-
-The code was not disambiguating ClientTransportPlugin configured and
-not used, and ClientTransportPlugin configured, but in a failed state.
-
-The right thing to do is to undo moving the get_transport_by_addrport()
-call back into get_proxy_addrport(), and remove and explicit check for
-using a Bridge since by the time the check is made, if a Bridge is
-being used, it is PT/proxy-less.
----
- src/or/connection.c | 46 ++++++++++++----------------------------------
- 1 file changed, 12 insertions(+), 34 deletions(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index b32cddf..ff8cdf1 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,8 +86,6 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
--static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-- int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -4773,35 +4771,6 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-- * pluggable transport or bridge we are using.
-- * <b>conn</b> contains the connection we are using the PT/bridge for.
-- *
-- * Return 0 on success, -1 on failure.
-- */
--static int
--get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-- const connection_t *conn)
--{
-- const or_options_t *options = get_options();
--
-- if (options->ClientTransportPlugin || options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-- }
--
-- return -1;
--}
--
--/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4819,8 +4788,19 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- * the config to have unused ClientTransportPlugin entries.
- */
- if (options->ClientTransportPlugin) {
-- if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
- return 0;
-+ }
-+
-+ /* Unused ClientTransportPlugin. */
- }
-
- if (options->HTTPSProxy) {
-@@ -4838,8 +4818,6 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->Bridges) {
-- return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
---
-2.0.0.rc2
-
-
-From 68184b317d3f4dc14e758e451377e4e3996bd0ab Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:43:53 +0000
-Subject: [PATCH 4/5] Log the correct proxy type on failure.
-
-get_proxy_addrport fills in proxy_type with the correct value, so there
-is no point in logging something that's a "best guess" based off the
-config.
----
- src/or/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index ff8cdf1..5069ed6 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -4841,7 +4841,7 @@ log_failed_proxy_connection(connection_t *conn)
- log_warn(LD_NET,
- "The connection to the %s proxy server at %s just failed. "
- "Make sure that the proxy server is up and running.",
-- proxy_type_to_string(get_proxy_type()),
-+ proxy_type_to_string(proxy_type),
- fmt_addrport(&proxy_addr, proxy_port));
- }
-
---
-2.0.0.rc2
-
-
-From 34200a44fbbd3f158ea17043c2bcd21d0e382b89 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 18:58:53 +0000
-Subject: [PATCH 5/5] Improve the log message when a transport doesn't support
- proxies.
-
-Per feedback, explicltly note that the transport will be killed when it
-does not acknowledge the configured outgoing proxy.
----
- src/or/transports.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/or/transports.c b/src/or/transports.c
-index b810315..eee159d 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -805,7 +805,8 @@ handle_finished_proxy(managed_proxy_t *mp)
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
- if (mp->proxy_uri && !mp->proxy_supported) {
- log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-- "specified outgoing proxy.", mp->argv[0]);
-+ "specified outgoing proxy and will be terminated.",
-+ mp->argv[0]);
- managed_proxy_destroy(mp, 1); /* annihilate it. */
- break;
- }
---
-2.0.0.rc2
-
diff --git a/gitian/patches/bug8405.patch b/gitian/patches/bug8405.patch
deleted file mode 100644
index 3c40632..0000000
--- a/gitian/patches/bug8405.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From a298c77f7eba232154ff08ca1119b05ccd9eee9e Mon Sep 17 00:00:00 2001
-From: Arthur Edelstein <arthuredelstein(a)gmail.com>
-Date: Tue, 15 Jul 2014 21:27:59 -0700
-Subject: [PATCH] Bug #8405: Report SOCKS username/password in CIRC status
- events
-
-Introduces two new circuit status name-value parameters: SOCKS_USERNAME
-and SOCKS_PASSWORD. Values are enclosing in quotes and unusual characters
-are escaped.
-
-Example:
-
- 650 CIRC 5 EXTENDED [...] SOCKS_USERNAME="my_username" SOCKS_PASSWORD="my_password"
----
- src/common/util.c | 14 ++++++++++++++
- src/common/util.h | 1 +
- src/or/control.c | 14 ++++++++++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/src/common/util.c b/src/common/util.c
-index 8589344..64cee56 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1222,6 +1222,20 @@ esc_for_log(const char *s)
- return result;
- }
-
-+/** Similar to esc_for_log. Allocate and return a new string representing
-+ * the first n characters in <b>chars</b>, surround by quotes and using
-+ * standard C escapes. If a NUL character is encountered in <b>chars</b>,
-+ * the resulting string will be terminated there.
-+ */
-+char *
-+esc_for_log_len(const char *chars, size_t n)
-+{
-+ char *string = tor_strndup(chars, n);
-+ char *string_escaped = esc_for_log(string);
-+ tor_free(string);
-+ return string_escaped;
-+}
-+
- /** Allocate and return a new string representing the contents of <b>s</b>,
- * surrounded by quotes and using standard C escapes.
- *
-diff --git a/src/common/util.h b/src/common/util.h
-index 97367a9..50c5a3d 100644
---- a/src/common/util.h
-+++ b/src/common/util.h
-@@ -229,6 +229,7 @@ int tor_mem_is_zero(const char *mem, size_t len);
- int tor_digest_is_zero(const char *digest);
- int tor_digest256_is_zero(const char *digest);
- char *esc_for_log(const char *string) ATTR_MALLOC;
-+char *esc_for_log_len(const char *chars, size_t n) ATTR_MALLOC;
- const char *escaped(const char *string);
-
- char *tor_escape_str_for_pt_args(const char *string,
-diff --git a/src/or/control.c b/src/or/control.c
-index 9285fc5..aa46df6 100644
---- a/src/or/control.c
-+++ b/src/or/control.c
-@@ -1862,6 +1862,20 @@ circuit_describe_status_for_controller(origin_circuit_t *circ)
- smartlist_add_asprintf(descparts, "TIME_CREATED=%s", tbuf);
- }
-
-+ // Show username and/or password if available.
-+ if (circ->socks_username_len > 0) {
-+ char* socks_username_escaped = esc_for_log_len(circ->socks_username,
-+ (size_t) circ->socks_username_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_USERNAME=%s", socks_username_escaped);
-+ tor_free(socks_username_escaped);
-+ }
-+ if (circ->socks_password_len > 0) {
-+ char* socks_password_escaped = esc_for_log_len(circ->socks_password,
-+ (size_t) circ->socks_password_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_PASSWORD=%s", socks_password_escaped);
-+ tor_free(socks_password_escaped);
-+ }
-+
- rv = smartlist_join_strings(descparts, " ", 0, NULL);
-
- SMARTLIST_FOREACH(descparts, char *, cp, tor_free(cp));
---
-1.8.3.4 (Apple Git-47)
-

10 Dec '15
commit c8571a07cebe902b85afd9dfac4a07805826cfe2
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 08:59:32 2015 +0000
Bumping tor and openssl versions
---
gitian/versions | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gitian/versions b/gitian/versions
index 9ca1970..3fc3b04 100755
--- a/gitian/versions
+++ b/gitian/versions
@@ -9,7 +9,7 @@ FIREFOX_VERSION=38.4.0esr
TORBROWSER_UPDATE_CHANNEL=release
TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.0-1-build2
-TOR_TAG=tor-0.2.6.10
+TOR_TAG=tor-0.2.7.5
TORLAUNCHER_TAG=0.2.7.7
TORBUTTON_TAG=1.9.3.5
HTTPSE_TAG=5.0.7
@@ -35,7 +35,7 @@ OBFS4_TAG=obfs4proxy-0.0.5
GITIAN_TAG=tor-browser-builder-3.x-8-gpgsux
-OPENSSL_VER=1.0.1p
+OPENSSL_VER=1.0.1q
GMP_VER=5.1.3
FIREFOX_LANG_VER=$FIREFOX_VERSION
FIREFOX_LANG_BUILD=build2
@@ -80,7 +80,7 @@ PARSLEY_PACKAGE=Parsley-${PARSLEY_VER}.tar.gz
GO_PACKAGE=go${GO_VER}.src.tar.gz
# Hashes for packages with weak sigs or no sigs
-OPENSSL_HASH=bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
+OPENSSL_HASH=b3658b84e9ea606a5ded3c972a5517cd785282e7ea86b20c78aa4b773a047fb7
GMP_HASH=752079520b4690531171d0f4532e40f08600215feefede70b24fabdc6f1ab160
OSXSDK_HASH=da77bb0003fcca5ea8c4e8cb2da8828ded750c54afdcac29ec6f3b46ad5e3adf
OSXSDK_OLD_HASH=6602d8d5ddb371fbc02e2a5967d9bd0cd7358d46f9417753c8234b923f2ea6fc

[tor-browser-bundle/maint-5.0] Bug 17124: No patch for tor alpha > 0.2.7.2 anymore
by gk@torproject.org 10 Dec '15
commit a1e91e917dab27d229c49484d89400193d2b340b
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 08:51:29 2015 +0000
Bug 17124: No patch for tor alpha > 0.2.7.2 anymore
---
Bundle-Data/linux/Data/Tor/torrc-defaults | 2 +-
Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults | 2 +-
Bundle-Data/windows/Data/Tor/torrc-defaults | 2 +-
gitian/descriptors/linux/gitian-tor.yml | 2 --
gitian/descriptors/mac/gitian-tor.yml | 2 --
gitian/descriptors/windows/gitian-tor.yml | 2 --
6 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/Bundle-Data/linux/Data/Tor/torrc-defaults b/Bundle-Data/linux/Data/Tor/torrc-defaults
index e4c8920..4b91aae 100644
--- a/Bundle-Data/linux/Data/Tor/torrc-defaults
+++ b/Bundle-Data/linux/Data/Tor/torrc-defaults
@@ -5,6 +5,6 @@ AvoidDiskWrites 1
Log notice stdout
# Bind to this address to listen to connections from SOCKS-speaking
# applications.
-SocksPort 9150 IPv6Traffic PreferIPv6
+SocksPort 9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
ControlPort 9151
CookieAuthentication 1
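Review bot: The `KeepAliveIsolateSOCKSAuth` flag added to the `SocksPort` line has no comment, and the shipped defaults now depend on the bundled tor recognising it; the same applies to the mac and windows `torrc-defaults` hunks below. Going by the commit title, the flag is presumably built in only for tor newer than 0.2.7.2. The `gitian-tor.yml` hunks in this commit still keep a branch that applies `bug15482.patch`, so it is worth confirming that a build taking that branch also accepts the flag rather than warning about or rejecting the option; the branch condition is outside the hunks. I would add a line above `SocksPort` such as `# KeepAliveIsolateSOCKSAuth requires a tor that knows this SocksPort flag (see bug 15482).`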
diff --git a/Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults b/Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults
index e4c8920..4b91aae 100644
--- a/Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults
+++ b/Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults
@@ -5,6 +5,6 @@ AvoidDiskWrites 1
Log notice stdout
# Bind to this address to listen to connections from SOCKS-speaking
# applications.
-SocksPort 9150 IPv6Traffic PreferIPv6
+SocksPort 9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
ControlPort 9151
CookieAuthentication 1
diff --git a/Bundle-Data/windows/Data/Tor/torrc-defaults b/Bundle-Data/windows/Data/Tor/torrc-defaults
index e4c8920..4b91aae 100644
--- a/Bundle-Data/windows/Data/Tor/torrc-defaults
+++ b/Bundle-Data/windows/Data/Tor/torrc-defaults
@@ -5,6 +5,6 @@ AvoidDiskWrites 1
Log notice stdout
# Bind to this address to listen to connections from SOCKS-speaking
# applications.
-SocksPort 9150 IPv6Traffic PreferIPv6
+SocksPort 9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
ControlPort 9151
CookieAuthentication 1
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index 906077b..d8e3557 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -84,8 +84,6 @@ script: |
git am ~/build/bug15482.patch
git am ~/build/bug16430.patch
git am ~/build/bug16674.patch
- else
- git am ~/build/bug15482.patch
fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 8e64922..1c07538 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -62,8 +62,6 @@ script: |
git am ~/build/bug15482.patch
git am ~/build/bug16430.patch
git am ~/build/bug16674.patch
- else
- git am ~/build/bug15482.patch
fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 7320a65..9d6838c 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -62,8 +62,6 @@ script: |
git am ~/build/bug15482.patch
git am ~/build/bug16430.patch
git am ~/build/bug16674.patch
- else
- git am ~/build/bug15482.patch
fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src

[tor-browser-bundle/maint-5.0] Bug 17801: Remove special tor patches
by gk@torproject.org 10 Dec '15
commit d6e5bee80d153d21b2e2061ead37fd264c6c3eb6
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 09:04:42 2015 +0000
Bug 17801: Remove special tor patches
---
gitian/descriptors/linux/gitian-tor.yml | 14 -
gitian/descriptors/mac/gitian-tor.yml | 14 -
gitian/descriptors/windows/gitian-tor.yml | 14 -
gitian/patches/bug15482.patch | 40 --
gitian/patches/bug16430.patch | 93 ----
gitian/patches/bug16674.patch | 74 ---
gitian/patches/bug8402-master.patch | 732 -----------------------------
gitian/patches/bug8405.patch | 84 ----
8 files changed, 1065 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index d8e3557..0e35d2f 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -19,11 +19,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "dzip.sh"
- "openssl-linux32-utils.zip"
- "openssl-linux64-utils.zip"
@@ -76,15 +71,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 1c07538..92f7c57 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
- "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
- "dzip.sh"
@@ -54,15 +49,6 @@ script: |
export LDFLAGS="-m64 -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/ -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/system/ -mmacosx-version-min=10.5"
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 9d6838c..6fcc72b 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "binutils.tar.bz2"
- "dzip.sh"
- "mingw-w64-win32-utils.zip"
@@ -54,15 +49,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
# Let's avoid the console window popping up.
diff --git a/gitian/patches/bug15482.patch b/gitian/patches/bug15482.patch
deleted file mode 100644
index df8a156..0000000
--- a/gitian/patches/bug15482.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 748414784f71126b093aa7466908e00f71a7b046 Mon Sep 17 00:00:00 2001
-From: Mike Perry <mikeperry-git(a)torproject.org>
-Date: Fri, 27 Mar 2015 12:57:37 -0700
-Subject: [PATCH] Bug 15482: Don't abandon circuits that are still in use for
- browsing.
-
-Only applies to connections with SOCKS auth set, so that non-web Tor
-activity is not affected.
-
-Simpler version of Nick's patch because the randomness worried me, and I'm not
-otherwise sure why we want a max here.
----
- src/or/circuituse.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/or/circuituse.c b/src/or/circuituse.c
-index d0d31ad..6cce4bf 100644
---- a/src/or/circuituse.c
-+++ b/src/or/circuituse.c
-@@ -2264,8 +2264,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn,
-
- base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
-
-- if (!circ->base_.timestamp_dirty)
-- circ->base_.timestamp_dirty = time(NULL);
-+ if (!circ->base_.timestamp_dirty) {
-+ circ->base_.timestamp_dirty = approx_time();
-+ } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
-+ (conn->socks_request->usernamelen ||
-+ conn->socks_request->passwordlen)) {
-+ /* When stream isolation is in use and controlled by an application
-+ * we are willing to keep using the stream. */
-+ circ->base_.timestamp_dirty = approx_time();
-+ }
-
- pathbias_count_use_attempt(circ);
-
---
-1.9.1
-
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
deleted file mode 100644
index 81bbe3e..0000000
--- a/gitian/patches/bug16430.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Wed, 24 Jun 2015 13:52:29 +0000
-Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
- checks.
-
-RFC 952 is approximately 30 years old, and people are failing to comply,
-by serving A records with '_' as part of the hostname. Since relaxing
-the check is a QOL improvement for our userbase, relax the check to
-allow such abominations as destinations, especially since there are
-likely to be other similarly misconfigured domains out there.
----
- changes/bug16430 | 4 ++++
- src/common/util.c | 7 +++++--
- src/test/test_util.c | 9 +++++++--
- 3 files changed, 16 insertions(+), 4 deletions(-)
- create mode 100644 changes/bug16430
-
-diff --git a/changes/bug16430 b/changes/bug16430
-new file mode 100644
-index 0000000..ca7b874
---- /dev/null
-+++ b/changes/bug16430
-@@ -0,0 +1,4 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ '_' to cope with domains observed in the wild that are serving non-RFC
-+ compliant records. Resolves ticket 16430.
-diff --git a/src/common/util.c b/src/common/util.c
-index 942d0c2..4490150 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
-
- /** Return true iff <b>string</b> matches a pattern of DNS names
- * that we allow Tor clients to connect to.
-+ *
-+ * Note: This allows certain technically invalid characters ('_') to cope
-+ * with misconfigured zones that have been encountered in the wild.
- */
- int
- string_is_valid_hostname(const char *string)
-@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
- smartlist_split_string(components,string,".",0,0);
-
- SMARTLIST_FOREACH_BEGIN(components, char *, c) {
-- if (c[0] == '-') {
-+ if ((c[0] == '-') || (*c == '_')) {
- result = 0;
- break;
- }
-@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
- (*c >= '0' && *c <= '9') ||
-- (*c == '-'))
-+ (*c == '-') || (*c == '_'))
- c++;
- else
- result = 0;
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index b0366db..0f64c26 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
- tt_assert(string_is_valid_hostname("stanford.edu"));
- tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
-
-- // Subdomain name cannot start with '-'.
-+ // Subdomain name cannot start with '-' or '_'.
- tt_assert(!string_is_valid_hostname("-torproject.org"));
- tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
- tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
-+ tt_assert(!string_is_valid_hostname("___abc.org"));
-
- // Hostnames cannot contain non-alphanumeric characters.
- tt_assert(!string_is_valid_hostname("%%domain.\\org."));
- tt_assert(!string_is_valid_hostname("***x.net"));
-- tt_assert(!string_is_valid_hostname("___abc.org"));
- tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
- tt_assert(!string_is_valid_hostname("word1 word2.net"));
-
-+ // Test workaround for nytimes.com stupidity, technically invalid,
-+ // but we allow it since they are big, even though they are failing to
-+ // comply with a ~30 year old standard.
-+ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-+
- // XXX: do we allow single-label DNS names?
-
- done:
---
-1.9.1
-
diff --git a/gitian/patches/bug16674.patch b/gitian/patches/bug16674.patch
deleted file mode 100644
index 9497684..0000000
--- a/gitian/patches/bug16674.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 27 Jul 2015 12:58:40 +0000
-Subject: [PATCH] Allow a single trailing `.` when validating FQDNs from SOCKS.
-
-URI syntax (and DNS syntax) allows for a single trailing `.` to
-explicitly distinguish between a relative and absolute
-(fully-qualified) domain name. While this is redundant in that RFC 1928
-DOMAINNAME addresses are *always* fully-qualified, certain clients
-blindly pass the trailing `.` along in the request.
-
-Fixes bug 16674; bugfix on 0.2.6.2-alpha.
----
- changes/bug16674 | 5 +++++
- src/common/util.c | 6 ++++++
- src/test/test_util.c | 12 ++++++++++++
- 3 files changed, 23 insertions(+)
- create mode 100644 changes/bug16674
-
-diff --git a/changes/bug16674 b/changes/bug16674
-new file mode 100644
-index 0000000..de55523
---- /dev/null
-+++ b/changes/bug16674
-@@ -0,0 +1,5 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ a single trailing '.' to cope with clients that pass FQDNs using that
-+ syntax to explicitly indicate that the domain name is
-+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
-diff --git a/src/common/util.c b/src/common/util.c
-index 618e6a1..1aac4fc 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string)
- break;
- }
-
-+ /* Allow a single terminating '.' used rarely to indicate domains
-+ * are FQDNs rather than relative. */
-+ if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) {
-+ continue;
-+ }
-+
- do {
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index 0f64c26..2bffb17 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg)
- // comply with a ~30 year old standard.
- tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-
-+ // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy,
-+ // which is redundant since the spec states DOMAINNAME addresses are fully
-+ // qualified. While unusual, this should be tollerated.
-+ tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com."));
-+ tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com"));
-+ tt_assert(!string_is_valid_hostname("so.is..ft.com"));
-+ tt_assert(!string_is_valid_hostname("..."));
-+
- // XXX: do we allow single-label DNS names?
-+ // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name"
-+ // but only test pathologically malformed traling '.' cases for now.
-+ tt_assert(!string_is_valid_hostname("."));
-+ tt_assert(!string_is_valid_hostname(".."));
-
- done:
- return;
---
-1.9.1
-
diff --git a/gitian/patches/bug8402-master.patch b/gitian/patches/bug8402-master.patch
deleted file mode 100644
index 5a6386a..0000000
--- a/gitian/patches/bug8402-master.patch
+++ /dev/null
@@ -1,732 +0,0 @@
-From 9d7410ac5837658efa9b2d7d85c0c71f09a7a759 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Tue, 25 Mar 2014 07:21:22 +0000
-Subject: [PATCH 1/5] Allow ClientTransportPlugins to use proxies
-
-This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with
-ClientTransportPlugins via the TOR_PT_PROXY extension to the
-pluggable transport specification.
-
-This fixes bug #8402.
----
- src/or/config.c | 13 ++++--
- src/or/connection.c | 62 +++++++++++++++++++++--------
- src/or/transports.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++--
- src/or/transports.h | 6 +++
- src/test/test_pt.c | 81 +++++++++++++++++++++++++++++++++++++
- 5 files changed, 251 insertions(+), 23 deletions(-)
-
-diff --git a/src/or/config.c b/src/or/config.c
-index 0f7b1d2..b33098e 100644
---- a/src/or/config.c
-+++ b/src/or/config.c
-@@ -3174,11 +3174,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
- }
- }
-
-- /* Check if more than one proxy type has been enabled. */
-+ /* Check if more than one exclusive proxy type has been enabled. */
- if (!!options->Socks4Proxy + !!options->Socks5Proxy +
-- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1)
-+ !!options->HTTPSProxy > 1)
- REJECT("You have configured more than one proxy type. "
-- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)");
-+ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-
- /* Check if the proxies will give surprising behavior. */
- if (options->HTTPProxy && !(options->Socks4Proxy ||
-@@ -4842,6 +4842,13 @@ parse_client_transport_line(const or_options_t *options,
- pt_kickstart_client_proxy(transport_list, proxy_argv);
- }
- } else { /* external */
-+ /* ClientTransportPlugins connecting through a proxy is managed only. */
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ log_warn(LD_CONFIG, "You have configured an external proxy with another "
-+ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-+ goto err;
-+ }
-+
- if (smartlist_len(transport_list) != 1) {
- log_warn(LD_CONFIG, "You can't have an external proxy with "
- "more than one transports.");
-diff --git a/src/or/connection.c b/src/or/connection.c
-index cef9172..b32cddf 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,6 +86,8 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
-+static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-+ int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -1689,14 +1691,14 @@ get_proxy_type(void)
- {
- const or_options_t *options = get_options();
-
-- if (options->HTTPSProxy)
-+ if (options->ClientTransportPlugin)
-+ return PROXY_PLUGGABLE;
-+ else if (options->HTTPSProxy)
- return PROXY_CONNECT;
- else if (options->Socks4Proxy)
- return PROXY_SOCKS4;
- else if (options->Socks5Proxy)
- return PROXY_SOCKS5;
-- else if (options->ClientTransportPlugin)
-- return PROXY_PLUGGABLE;
- else
- return PROXY_NONE;
- }
-@@ -4771,6 +4773,35 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-+ * pluggable transport or bridge we are using.
-+ * <b>conn</b> contains the connection we are using the PT/bridge for.
-+ *
-+ * Return 0 on success, -1 on failure.
-+ */
-+static int
-+get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-+ const connection_t *conn)
-+{
-+ const or_options_t *options = get_options();
-+
-+ if (options->ClientTransportPlugin || options->Bridges) {
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
-+ return 0;
-+ }
-+ }
-+
-+ return -1;
-+}
-+
-+/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4782,6 +4813,16 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- {
- const or_options_t *options = get_options();
-
-+ /* Client Transport Plugins can use another proxy, but that should be hidden
-+ * from the rest of tor (as the plugin is responsible for dealing with the
-+ * proxy), check it first, then check the rest of the proxy types to allow
-+ * the config to have unused ClientTransportPlugin entries.
-+ */
-+ if (options->ClientTransportPlugin) {
-+ if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ return 0;
-+ }
-+
- if (options->HTTPSProxy) {
- tor_addr_copy(addr, &options->HTTPSProxyAddr);
- *port = options->HTTPSProxyPort;
-@@ -4797,19 +4838,8 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->ClientTransportPlugin ||
-- options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-+ } else if (options->Bridges) {
-+ return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
-diff --git a/src/or/transports.c b/src/or/transports.c
-index dc30754..b810315 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -124,6 +124,8 @@ static INLINE void free_execve_args(char **arg);
- #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR"
- #define PROTO_CMETHODS_DONE "CMETHODS DONE"
- #define PROTO_SMETHODS_DONE "SMETHODS DONE"
-+#define PROTO_PROXY_DONE "PROXY DONE"
-+#define PROTO_PROXY_ERROR "PROXY-ERROR"
-
- /** The first and only supported - at the moment - configuration
- protocol version. */
-@@ -439,6 +441,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp)
- static int
- proxy_needs_restart(const managed_proxy_t *mp)
- {
-+ int ret = 1;
-+ char* proxy_uri;
-+
-+ /* If the PT proxy config has changed, then all existing pluggable transports
-+ * should be restarted.
-+ */
-+
-+ proxy_uri = get_pt_proxy_uri();
-+ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0)
-+ goto needs_restart;
-+
- /* mp->transport_to_launch is populated with the names of the
- transports that must be launched *after* the SIGHUP.
- mp->transports is populated with the transports that were
-@@ -459,10 +472,10 @@ proxy_needs_restart(const managed_proxy_t *mp)
-
- } SMARTLIST_FOREACH_END(t);
-
-- return 0;
--
-- needs_restart:
-- return 1;
-+ ret = 0;
-+needs_restart:
-+ tor_free(proxy_uri);
-+ return ret;
- }
-
- /** Managed proxy <b>mp</b> must be restarted. Do all the necessary
-@@ -493,6 +506,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp)
- SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t));
- smartlist_clear(mp->transports);
-
-+ /* Reset the proxy's HTTPS/SOCKS proxy */
-+ tor_free(mp->proxy_uri);
-+ mp->proxy_uri = get_pt_proxy_uri();
-+ mp->proxy_supported = 0;
-+
- /* flag it as an infant proxy so that it gets launched on next tick */
- mp->conf_state = PT_PROTO_INFANT;
- unconfigured_proxies_n++;
-@@ -727,12 +745,52 @@ managed_proxy_destroy(managed_proxy_t *mp,
- /* free the argv */
- free_execve_args(mp->argv);
-
-+ /* free the outgoing proxy URI */
-+ tor_free(mp->proxy_uri);
-+
- tor_process_handle_destroy(mp->process_handle, also_terminate_process);
- mp->process_handle = NULL;
-
- tor_free(mp);
- }
-
-+/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */
-+STATIC char *
-+get_pt_proxy_uri(void)
-+{
-+ const or_options_t *options = get_options();
-+ char *uri = NULL;
-+
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ char addr[TOR_ADDR_BUF_LEN+1];
-+
-+ if (options->Socks4Proxy) {
-+ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1);
-+ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort);
-+ } else if (options->Socks5Proxy) {
-+ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1);
-+ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) {
-+ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "socks5://%s:%s@%s:%d",
-+ options->Socks5ProxyUsername,
-+ options->Socks5ProxyPassword,
-+ addr, options->Socks5ProxyPort);
-+ }
-+ } else if (options->HTTPSProxy) {
-+ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1);
-+ if (!options->HTTPSProxyAuthenticator) {
-+ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator,
-+ addr, options->HTTPSProxyPort);
-+ }
-+ }
-+ }
-+
-+ return uri;
-+}
-+
- /** Handle a configured or broken managed proxy <b>mp</b>. */
- static void
- handle_finished_proxy(managed_proxy_t *mp)
-@@ -745,6 +803,12 @@ handle_finished_proxy(managed_proxy_t *mp)
- managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */
- break;
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
-+ if (mp->proxy_uri && !mp->proxy_supported) {
-+ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-+ "specified outgoing proxy.", mp->argv[0]);
-+ managed_proxy_destroy(mp, 1); /* annihilate it. */
-+ break;
-+ }
- register_proxy(mp); /* register its transports */
- mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */
- break;
-@@ -862,6 +926,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp)
- goto err;
-
- return;
-+ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ if (mp->proxy_uri) {
-+ mp->proxy_supported = 1;
-+ return;
-+ }
-+
-+ /* No proxy was configured, this should log */
-+ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ parse_proxy_error(line);
-+ goto err;
- } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) {
- /* managed proxy launch failed: parse error message to learn why. */
- int retval, child_state, saved_errno;
-@@ -1128,6 +1208,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp)
- return r;
- }
-
-+/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */
-+STATIC void
-+parse_proxy_error(const char *line)
-+{
-+ /* (Length of the protocol string) plus (a space) and (the first char of
-+ the error message) */
-+ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2))
-+ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error "
-+ "message.", PROTO_PROXY_ERROR);
-+
-+ log_warn(LD_CONFIG, "Managed proxy failed to configure the "
-+ "pluggable transport's outgoing proxy. (%s)",
-+ line+strlen(PROTO_PROXY_ERROR)+1);
-+}
-+
- /** Return a newly allocated string that tor should place in
- * TOR_PT_SERVER_TRANSPORT_OPTIONS while configuring the server
- * manged proxy in <b>mp</b>. Return NULL if no such options are found. */
-@@ -1292,6 +1387,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp)
- } else {
- smartlist_add_asprintf(envs, "TOR_PT_EXTENDED_SERVER_PORT=");
- }
-+ } else {
-+ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the
-+ * TOR_PT_PROXY line.
-+ */
-+
-+ if (mp->proxy_uri) {
-+ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri);
-+ }
- }
-
- SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) {
-@@ -1324,6 +1427,7 @@ managed_proxy_create(const smartlist_t *transport_list,
- mp->is_server = is_server;
- mp->argv = proxy_argv;
- mp->transports = smartlist_new();
-+ mp->proxy_uri = get_pt_proxy_uri();
-
- mp->transports_to_launch = smartlist_new();
- SMARTLIST_FOREACH(transport_list, const char *, transport,
-diff --git a/src/or/transports.h b/src/or/transports.h
-index 1365ead..bc2331d 100644
---- a/src/or/transports.h
-+++ b/src/or/transports.h
-@@ -81,6 +81,9 @@ typedef struct {
- char **argv; /* the cli arguments of this proxy */
- int conf_protocol; /* the configuration protocol version used */
-
-+ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */
-+ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */
-+
- int is_server; /* is it a server proxy? */
-
- /* A pointer to the process handle of this managed proxy. */
-@@ -112,6 +115,7 @@ STATIC int parse_smethod_line(const char *line, managed_proxy_t *mp);
-
- STATIC int parse_version(const char *line, managed_proxy_t *mp);
- STATIC void parse_env_error(const char *line);
-+STATIC void parse_proxy_error(const char *line);
- STATIC void handle_proxy_line(const char *line, managed_proxy_t *mp);
- STATIC char *get_transport_options_for_server_proxy(const managed_proxy_t *mp);
-
-@@ -123,6 +127,8 @@ STATIC managed_proxy_t *managed_proxy_create(const smartlist_t *transport_list,
-
- STATIC int configure_proxy(managed_proxy_t *mp);
-
-+STATIC char* get_pt_proxy_uri(void);
-+
- #endif
-
- #endif
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index f71627d..788d420 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -450,6 +450,85 @@ test_pt_configure_proxy(void *arg)
- tor_free(mp);
- }
-
-+/* Test the get_pt_proxy_uri() function. */
-+static void
-+test_get_pt_proxy_uri(void *arg)
-+{
-+ or_options_t *options = get_options_mutable();
-+ char *uri = NULL;
-+ int ret;
-+ (void) arg;
-+
-+ /* Test with no proxy. */
-+ uri = get_pt_proxy_uri();
-+ tt_assert(uri == NULL);
-+
-+ /* Test with a SOCKS4 proxy. */
-+ options->Socks4Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks4Proxy = NULL;
-+
-+ /* Test with a SOCKS5 proxy, no username/password. */
-+ options->Socks5Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks5Proxy,
-+ &options->Socks5ProxyAddr,
-+ &options->Socks5ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ /* Test with a SOCKS5 proxy, with username/password. */
-+ options->Socks5ProxyUsername = "hwest";
-+ options->Socks5ProxyPassword = "r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks5Proxy = NULL;
-+
-+ /* Test with a HTTPS proxy, no authenticator. */
-+ options->HTTPSProxy = "192.0.2.1:80";
-+ ret = tor_addr_port_lookup(options->HTTPSProxy,
-+ &options->HTTPSProxyAddr,
-+ &options->HTTPSProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://192.0.2.1:80");
-+ tor_free(uri);
-+
-+ /* Test with a HTTPS proxy, with authenticator. */
-+ options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
-+ tor_free(uri);
-+
-+ options->HTTPSProxy = NULL;
-+
-+ /* Token nod to the fact that IPv6 exists. */
-+ options->Socks4Proxy = "[2001:db8::1]:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
-+ tor_free(uri);
-+
-+
-+ done:
-+ if (uri)
-+ tor_free(uri);
-+}
-+
-+
- #define PT_LEGACY(name) \
- { #name, legacy_test_helper, 0, &legacy_setup, test_pt_ ## name }
-
-@@ -462,6 +541,8 @@ struct testcase_t pt_tests[] = {
- NULL, NULL },
- { "configure_proxy",test_pt_configure_proxy, TT_FORK,
- NULL, NULL },
-+ { "get_pt_proxy_uri", test_get_pt_proxy_uri, TT_FORK,
-+ NULL, NULL },
- END_OF_TESTCASES
- };
-
---
-2.0.0.rc2
-
-
-From 92eecbfee128b22b07bcc97ac36ecdd5183c2da7 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 14 Apr 2014 21:51:34 +0000
-Subject: [PATCH 2/5] Fixed the test build with --enable-gcc-warnings
-
----
- src/test/test_pt.c | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index 788d420..cfbd084 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -464,7 +464,7 @@ test_get_pt_proxy_uri(void *arg)
- tt_assert(uri == NULL);
-
- /* Test with a SOCKS4 proxy. */
-- options->Socks4Proxy = "192.0.2.1:1080";
-+ options->Socks4Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -472,11 +472,10 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks4Proxy = NULL;
-+ tor_free(options->Socks4Proxy);
-
- /* Test with a SOCKS5 proxy, no username/password. */
-- options->Socks5Proxy = "192.0.2.1:1080";
-+ options->Socks5Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks5Proxy,
- &options->Socks5ProxyAddr,
- &options->Socks5ProxyPort);
-@@ -486,16 +485,17 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a SOCKS5 proxy, with username/password. */
-- options->Socks5ProxyUsername = "hwest";
-- options->Socks5ProxyPassword = "r34n1m470r";
-+ options->Socks5ProxyUsername = tor_strdup("hwest");
-+ options->Socks5ProxyPassword = tor_strdup("r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks5Proxy = NULL;
-+ tor_free(options->Socks5Proxy);
-+ tor_free(options->Socks5ProxyUsername);
-+ tor_free(options->Socks5ProxyPassword);
-
- /* Test with a HTTPS proxy, no authenticator. */
-- options->HTTPSProxy = "192.0.2.1:80";
-+ options->HTTPSProxy = tor_strdup("192.0.2.1:80");
- ret = tor_addr_port_lookup(options->HTTPSProxy,
- &options->HTTPSProxyAddr,
- &options->HTTPSProxyPort);
-@@ -505,15 +505,15 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a HTTPS proxy, with authenticator. */
-- options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ options->HTTPSProxyAuthenticator = tor_strdup("hwest:r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
- tor_free(uri);
--
-- options->HTTPSProxy = NULL;
-+ tor_free(options->HTTPSProxy);
-+ tor_free(options->HTTPSProxyAuthenticator);
-
- /* Token nod to the fact that IPv6 exists. */
-- options->Socks4Proxy = "[2001:db8::1]:1080";
-+ options->Socks4Proxy = tor_strdup("[2001:db8::1]:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -521,7 +521,7 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
- tor_free(uri);
--
-+ tor_free(options->Socks4Proxy);
-
- done:
- if (uri)
---
-2.0.0.rc2
-
-
-From 8361223c10eb929b570e72853a5d9e51b67fd6c3 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:30:09 +0000
-Subject: [PATCH 3/5] Remove get_bridge_pt_addrport().
-
-The code was not disambiguating ClientTransportPlugin configured and
-not used, and ClientTransportPlugin configured, but in a failed state.
-
-The right thing to do is to undo moving the get_transport_by_addrport()
-call back into get_proxy_addrport(), and remove and explicit check for
-using a Bridge since by the time the check is made, if a Bridge is
-being used, it is PT/proxy-less.
----
- src/or/connection.c | 46 ++++++++++++----------------------------------
- 1 file changed, 12 insertions(+), 34 deletions(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index b32cddf..ff8cdf1 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,8 +86,6 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
--static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-- int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -4773,35 +4771,6 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-- * pluggable transport or bridge we are using.
-- * <b>conn</b> contains the connection we are using the PT/bridge for.
-- *
-- * Return 0 on success, -1 on failure.
-- */
--static int
--get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-- const connection_t *conn)
--{
-- const or_options_t *options = get_options();
--
-- if (options->ClientTransportPlugin || options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-- }
--
-- return -1;
--}
--
--/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4819,8 +4788,19 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- * the config to have unused ClientTransportPlugin entries.
- */
- if (options->ClientTransportPlugin) {
-- if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
- return 0;
-+ }
-+
-+ /* Unused ClientTransportPlugin. */
- }
-
- if (options->HTTPSProxy) {
-@@ -4838,8 +4818,6 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->Bridges) {
-- return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
---
-2.0.0.rc2
-
-
-From 68184b317d3f4dc14e758e451377e4e3996bd0ab Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:43:53 +0000
-Subject: [PATCH 4/5] Log the correct proxy type on failure.
-
-get_proxy_addrport fills in proxy_type with the correct value, so there
-is no point in logging something that's a "best guess" based off the
-config.
----
- src/or/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index ff8cdf1..5069ed6 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -4841,7 +4841,7 @@ log_failed_proxy_connection(connection_t *conn)
- log_warn(LD_NET,
- "The connection to the %s proxy server at %s just failed. "
- "Make sure that the proxy server is up and running.",
-- proxy_type_to_string(get_proxy_type()),
-+ proxy_type_to_string(proxy_type),
- fmt_addrport(&proxy_addr, proxy_port));
- }
-
---
-2.0.0.rc2
-
-
-From 34200a44fbbd3f158ea17043c2bcd21d0e382b89 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 18:58:53 +0000
-Subject: [PATCH 5/5] Improve the log message when a transport doesn't support
- proxies.
-
-Per feedback, explicltly note that the transport will be killed when it
-does not acknowledge the configured outgoing proxy.
----
- src/or/transports.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/or/transports.c b/src/or/transports.c
-index b810315..eee159d 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -805,7 +805,8 @@ handle_finished_proxy(managed_proxy_t *mp)
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
- if (mp->proxy_uri && !mp->proxy_supported) {
- log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-- "specified outgoing proxy.", mp->argv[0]);
-+ "specified outgoing proxy and will be terminated.",
-+ mp->argv[0]);
- managed_proxy_destroy(mp, 1); /* annihilate it. */
- break;
- }
---
-2.0.0.rc2
-
diff --git a/gitian/patches/bug8405.patch b/gitian/patches/bug8405.patch
deleted file mode 100644
index 3c40632..0000000
--- a/gitian/patches/bug8405.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From a298c77f7eba232154ff08ca1119b05ccd9eee9e Mon Sep 17 00:00:00 2001
-From: Arthur Edelstein <arthuredelstein(a)gmail.com>
-Date: Tue, 15 Jul 2014 21:27:59 -0700
-Subject: [PATCH] Bug #8405: Report SOCKS username/password in CIRC status
- events
-
-Introduces two new circuit status name-value parameters: SOCKS_USERNAME
-and SOCKS_PASSWORD. Values are enclosing in quotes and unusual characters
-are escaped.
-
-Example:
-
- 650 CIRC 5 EXTENDED [...] SOCKS_USERNAME="my_username" SOCKS_PASSWORD="my_password"
----
- src/common/util.c | 14 ++++++++++++++
- src/common/util.h | 1 +
- src/or/control.c | 14 ++++++++++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/src/common/util.c b/src/common/util.c
-index 8589344..64cee56 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1222,6 +1222,20 @@ esc_for_log(const char *s)
- return result;
- }
-
-+/** Similar to esc_for_log. Allocate and return a new string representing
-+ * the first n characters in <b>chars</b>, surround by quotes and using
-+ * standard C escapes. If a NUL character is encountered in <b>chars</b>,
-+ * the resulting string will be terminated there.
-+ */
-+char *
-+esc_for_log_len(const char *chars, size_t n)
-+{
-+ char *string = tor_strndup(chars, n);
-+ char *string_escaped = esc_for_log(string);
-+ tor_free(string);
-+ return string_escaped;
-+}
-+
- /** Allocate and return a new string representing the contents of <b>s</b>,
- * surrounded by quotes and using standard C escapes.
- *
-diff --git a/src/common/util.h b/src/common/util.h
-index 97367a9..50c5a3d 100644
---- a/src/common/util.h
-+++ b/src/common/util.h
-@@ -229,6 +229,7 @@ int tor_mem_is_zero(const char *mem, size_t len);
- int tor_digest_is_zero(const char *digest);
- int tor_digest256_is_zero(const char *digest);
- char *esc_for_log(const char *string) ATTR_MALLOC;
-+char *esc_for_log_len(const char *chars, size_t n) ATTR_MALLOC;
- const char *escaped(const char *string);
-
- char *tor_escape_str_for_pt_args(const char *string,
-diff --git a/src/or/control.c b/src/or/control.c
-index 9285fc5..aa46df6 100644
---- a/src/or/control.c
-+++ b/src/or/control.c
-@@ -1862,6 +1862,20 @@ circuit_describe_status_for_controller(origin_circuit_t *circ)
- smartlist_add_asprintf(descparts, "TIME_CREATED=%s", tbuf);
- }
-
-+ // Show username and/or password if available.
-+ if (circ->socks_username_len > 0) {
-+ char* socks_username_escaped = esc_for_log_len(circ->socks_username,
-+ (size_t) circ->socks_username_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_USERNAME=%s", socks_username_escaped);
-+ tor_free(socks_username_escaped);
-+ }
-+ if (circ->socks_password_len > 0) {
-+ char* socks_password_escaped = esc_for_log_len(circ->socks_password,
-+ (size_t) circ->socks_password_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_PASSWORD=%s", socks_password_escaped);
-+ tor_free(socks_password_escaped);
-+ }
-+
- rv = smartlist_join_strings(descparts, " ", 0, NULL);
-
- SMARTLIST_FOREACH(descparts, char *, cp, tor_free(cp));
---
-1.8.3.4 (Apple Git-47)
-

[tor-browser/tor-browser-38.4.0esr-5.0-1] Bug 16863: console.error on new Tor Browser window
by gk@torproject.org 09 Dec '15
by gk@torproject.org 09 Dec '15
09 Dec '15
commit 916624727c1effa1987dff1cc5e37961a9e0e7f5
Author: Kathy Brade <brade(a)pearlcrescent.com>
Date: Wed Dec 9 11:47:08 2015 -0500
Bug 16863: console.error on new Tor Browser window
Improve error handling and avoid confusing error log messages
when loop.enabled is false.
---
browser/components/customizableui/CustomizableUI.jsm | 8 ++++++++
browser/components/customizableui/CustomizableWidgets.jsm | 8 +++-----
browser/components/loop/MozLoopService.jsm | 2 +-
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/browser/components/customizableui/CustomizableUI.jsm b/browser/components/customizableui/CustomizableUI.jsm
index 54c2ede..a43404e 100644
--- a/browser/components/customizableui/CustomizableUI.jsm
+++ b/browser/components/customizableui/CustomizableUI.jsm
@@ -1186,6 +1186,11 @@ let CustomizableUIInternal = {
throw new Error("buildWidget was passed a non-widget to build.");
}
+ if (aWidget.onIsHidden && aWidget.onIsHidden()) {
+ LOG("Skipping hidden widget " + aWidget.id + " of type " + aWidget.type);
+ return undefined;
+ }
+
LOG("Building " + aWidget.id + " of type " + aWidget.type);
let node;
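Review bot: The new check `aWidget.onIsHidden && aWidget.onIsHidden()` builds the widget on any falsy result, so the hide hook fails open. onIsHidden is registered through `wrapWidgetEventHandler` in the hunk at new line 2185, and that wrapper's body is not shown. If it catches exceptions and returns nothing, a throwing callback (for example the `getBoolPref("loop.enabled")` read in the CustomizableWidgets.jsm hunk, should it throw) would leave the button for a disabled feature in the UI. I would have the callback choose the failure direction itself, `try { return !Services.prefs.getBoolPref("loop.enabled"); } catch (e) { return true; }`, or add a comment at this check stating that an error means "show". buildWidget continues outside the hunk, and the same hunks are reposted for the tor-browser-38.4.0esr-5.5-1 branch further down.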
@@ -2180,6 +2185,7 @@ let CustomizableUIInternal = {
widget._introducedInVersion = aData.introducedInVersion || 0;
}
+ this.wrapWidgetEventHandler("onIsHidden", widget);
this.wrapWidgetEventHandler("onBeforeCreated", widget);
this.wrapWidgetEventHandler("onClick", widget);
this.wrapWidgetEventHandler("onCreated", widget);
@@ -3015,6 +3021,8 @@ this.CustomizableUI = {
* of the widget.
* - viewId: Only useful for views (and required there): the id of the
* <panelview> that should be shown when clicking the widget.
+ * - onIsHidden(): Called to check whether a widget should be hidden
+ * (optional; returns a Boolean value).
* - onBuild(aDoc): Only useful for custom widgets (and required there); a
* function that will be invoked with the document in which
* to build a widget. Should return the DOM node that has
diff --git a/browser/components/customizableui/CustomizableWidgets.jsm b/browser/components/customizableui/CustomizableWidgets.jsm
index 75f69dd..4a8bacf 100644
--- a/browser/components/customizableui/CustomizableWidgets.jsm
+++ b/browser/components/customizableui/CustomizableWidgets.jsm
@@ -933,12 +933,10 @@ const CustomizableWidgets = [
// Not in private browsing, see bug 1108187.
showInPrivateBrowsing: false,
introducedInVersion: 4,
+ onIsHidden: function() {
+ return !Services.prefs.getBoolPref("loop.enabled");
+ },
onBuild: function(aDocument) {
- // If we're not supposed to see the button, return zip.
- if (!Services.prefs.getBoolPref("loop.enabled")) {
- return null;
- }
-
let node = aDocument.createElementNS(kNSXUL, "toolbarbutton");
node.setAttribute("id", this.id);
node.classList.add("toolbarbutton-1");
diff --git a/browser/components/loop/MozLoopService.jsm b/browser/components/loop/MozLoopService.jsm
index 3f6a77c..d915070 100644
--- a/browser/components/loop/MozLoopService.jsm
+++ b/browser/components/loop/MozLoopService.jsm
@@ -1107,7 +1107,7 @@ this.MozLoopService = {
// Don't do anything if loop is not enabled.
if (!Services.prefs.getBoolPref("loop.enabled")) {
- return Promise.reject(new Error("loop is not enabled"));
+ return Promise.resolve();
}
if (Services.prefs.getPrefType("loop.fxa.enabled") == Services.prefs.PREF_BOOL) {
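Review bot: Returning `Promise.resolve()` when `loop.enabled` is false makes the disabled case indistinguishable from a successful start for anything that chains on this promise. The callers are outside the hunk, so it cannot be checked here whether any of them goes on to use the service after resolution. If a silent no-op is the intent, the existing comment should say what callers may assume, e.g. `// Loop disabled: resolve quietly (no console error); resolution does not mean the service was initialised.` The enclosing method starts and ends outside the hunk, and the identical hunk in the 5.5-1 posting below has the same gap.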

[tor-browser/tor-browser-38.4.0esr-5.5-1] Bug 16863: console.error on new Tor Browser window
by gk@torproject.org 09 Dec '15
by gk@torproject.org 09 Dec '15
09 Dec '15
commit c2ce09f61101f3ac2d16d644d7fb56c035bec9ba
Author: Kathy Brade <brade(a)pearlcrescent.com>
Date: Wed Dec 9 11:47:08 2015 -0500
Bug 16863: console.error on new Tor Browser window
Improve error handling and avoid confusing error log messages
when loop.enabled is false.
---
browser/components/customizableui/CustomizableUI.jsm | 8 ++++++++
browser/components/customizableui/CustomizableWidgets.jsm | 8 +++-----
browser/components/loop/MozLoopService.jsm | 2 +-
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/browser/components/customizableui/CustomizableUI.jsm b/browser/components/customizableui/CustomizableUI.jsm
index 54c2ede..a43404e 100644
--- a/browser/components/customizableui/CustomizableUI.jsm
+++ b/browser/components/customizableui/CustomizableUI.jsm
@@ -1186,6 +1186,11 @@ let CustomizableUIInternal = {
throw new Error("buildWidget was passed a non-widget to build.");
}
+ if (aWidget.onIsHidden && aWidget.onIsHidden()) {
+ LOG("Skipping hidden widget " + aWidget.id + " of type " + aWidget.type);
+ return undefined;
+ }
+
LOG("Building " + aWidget.id + " of type " + aWidget.type);
let node;
@@ -2180,6 +2185,7 @@ let CustomizableUIInternal = {
widget._introducedInVersion = aData.introducedInVersion || 0;
}
+ this.wrapWidgetEventHandler("onIsHidden", widget);
this.wrapWidgetEventHandler("onBeforeCreated", widget);
this.wrapWidgetEventHandler("onClick", widget);
this.wrapWidgetEventHandler("onCreated", widget);
@@ -3015,6 +3021,8 @@ this.CustomizableUI = {
* of the widget.
* - viewId: Only useful for views (and required there): the id of the
* <panelview> that should be shown when clicking the widget.
+ * - onIsHidden(): Called to check whether a widget should be hidden
+ * (optional; returns a Boolean value).
* - onBuild(aDoc): Only useful for custom widgets (and required there); a
* function that will be invoked with the document in which
* to build a widget. Should return the DOM node that has
diff --git a/browser/components/customizableui/CustomizableWidgets.jsm b/browser/components/customizableui/CustomizableWidgets.jsm
index 75f69dd..4a8bacf 100644
--- a/browser/components/customizableui/CustomizableWidgets.jsm
+++ b/browser/components/customizableui/CustomizableWidgets.jsm
@@ -933,12 +933,10 @@ const CustomizableWidgets = [
// Not in private browsing, see bug 1108187.
showInPrivateBrowsing: false,
introducedInVersion: 4,
+ onIsHidden: function() {
+ return !Services.prefs.getBoolPref("loop.enabled");
+ },
onBuild: function(aDocument) {
- // If we're not supposed to see the button, return zip.
- if (!Services.prefs.getBoolPref("loop.enabled")) {
- return null;
- }
-
let node = aDocument.createElementNS(kNSXUL, "toolbarbutton");
node.setAttribute("id", this.id);
node.classList.add("toolbarbutton-1");
diff --git a/browser/components/loop/MozLoopService.jsm b/browser/components/loop/MozLoopService.jsm
index 3f6a77c..d915070 100644
--- a/browser/components/loop/MozLoopService.jsm
+++ b/browser/components/loop/MozLoopService.jsm
@@ -1107,7 +1107,7 @@ this.MozLoopService = {
// Don't do anything if loop is not enabled.
if (!Services.prefs.getBoolPref("loop.enabled")) {
- return Promise.reject(new Error("loop is not enabled"));
+ return Promise.resolve();
}
if (Services.prefs.getPrefType("loop.fxa.enabled") == Services.prefs.PREF_BOOL) {