
[tor-browser/tor-browser-38.4.0esr-5.0-1] Bug #17207: Hide mime types and plugins when resisting fingerprinting
by gk@torproject.org 10 Dec '15
by gk@torproject.org 10 Dec '15
10 Dec '15
commit 7267388a1c76a609d55300b3a726fb872bb5ef1d
Author: Arthur Edelstein <arthuredelstein(a)gmail.com>
Date: Fri Oct 16 16:09:54 2015 -0700
Bug #17207: Hide mime types and plugins when resisting fingerprinting
---
dom/base/nsMimeTypeArray.cpp | 19 +++++++++++++++++++
dom/base/nsPluginArray.cpp | 13 ++++++++++---
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/dom/base/nsMimeTypeArray.cpp b/dom/base/nsMimeTypeArray.cpp
index 257abf6..ee530a3 100644
--- a/dom/base/nsMimeTypeArray.cpp
+++ b/dom/base/nsMimeTypeArray.cpp
@@ -14,6 +14,7 @@
#include "nsIMIMEInfo.h"
#include "Navigator.h"
#include "nsServiceManagerUtils.h"
+#include "nsContentUtils.h"
using namespace mozilla;
using namespace mozilla::dom;
@@ -39,6 +40,12 @@ nsMimeTypeArray::~nsMimeTypeArray()
{
}
+static bool
+ResistFingerprinting() {
+ return !nsContentUtils::ThreadsafeIsCallerChrome() &&
+ nsContentUtils::ResistFingerprinting();
+}
+
JSObject*
nsMimeTypeArray::WrapObject(JSContext* aCx)
{
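Review bot: The new file-static `ResistFingerprinting()` shares its name with `nsContentUtils::ResistFingerprinting()` but is narrower, because it also requires a non-chrome caller, and nothing in the hunk says so. A short comment above it would make the intent explicit, for example `// True only for content callers while fingerprinting resistance is on; chrome callers still see the real list.` The same five lines are added again in dom/base/nsPluginArray.cpp, so a single shared helper, or at least a distinct name such as `ShouldHideFromContent` (a suggested name, not an existing one), would keep the two checks from drifting apart.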
@@ -78,6 +85,10 @@ nsMimeTypeArray::IndexedGetter(uint32_t aIndex, bool &aFound)
{
aFound = false;
+ if (ResistFingerprinting()) {
+ return nullptr;
+ }
+
EnsurePluginMimeTypes();
if (aIndex >= mMimeTypes.Length()) {
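Review bot: The early return here, and the matching ones in the NamedGetter and Length hunks, cover lookups and the count, but the diff does not touch whatever reports the supported property names for this array. If `GetSupportedNames` in this file still calls `EnsurePluginMimeTypes()` and fills in the type names, content could still see those names through property enumeration even though every getter reports not-found; that path is outside the visible hunks, so it needs checking rather than assuming. The same question applies to the three guarded methods in dom/base/nsPluginArray.cpp. A regression test that, with resistance enabled, checks `navigator.mimeTypes.length`, `navigator.plugins.length` and the enumerated own property names from content would pin the intended behaviour. IndexedGetter's body continues outside the hunk.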
@@ -108,6 +119,10 @@ nsMimeTypeArray::NamedGetter(const nsAString& aName, bool &aFound)
{
aFound = false;
+ if (ResistFingerprinting()) {
+ return nullptr;
+ }
+
EnsurePluginMimeTypes();
nsString lowerName(aName);
@@ -181,6 +196,10 @@ nsMimeTypeArray::NameIsEnumerable(const nsAString& aName)
uint32_t
nsMimeTypeArray::Length()
{
+ if (ResistFingerprinting()) {
+ return 0;
+ }
+
EnsurePluginMimeTypes();
return mMimeTypes.Length();
diff --git a/dom/base/nsPluginArray.cpp b/dom/base/nsPluginArray.cpp
index 1dcd551..8f789ee 100644
--- a/dom/base/nsPluginArray.cpp
+++ b/dom/base/nsPluginArray.cpp
@@ -20,6 +20,7 @@
#include "nsIWeakReference.h"
#include "mozilla/Services.h"
#include "nsIInterfaceRequestorUtils.h"
+#include "nsContentUtils.h"
using namespace mozilla;
using namespace mozilla::dom;
@@ -43,6 +44,12 @@ nsPluginArray::~nsPluginArray()
{
}
+static bool
+ResistFingerprinting() {
+ return !nsContentUtils::ThreadsafeIsCallerChrome() &&
+ nsContentUtils::ResistFingerprinting();
+}
+
nsPIDOMWindow*
nsPluginArray::GetParentObject() const
{
@@ -174,7 +181,7 @@ nsPluginArray::IndexedGetter(uint32_t aIndex, bool &aFound)
{
aFound = false;
- if (!AllowPlugins()) {
+ if (!AllowPlugins() || ResistFingerprinting()) {
return nullptr;
}
@@ -217,7 +224,7 @@ nsPluginArray::NamedGetter(const nsAString& aName, bool &aFound)
{
aFound = false;
- if (!AllowPlugins()) {
+ if (!AllowPlugins() || ResistFingerprinting()) {
return nullptr;
}
@@ -241,7 +248,7 @@ nsPluginArray::NameIsEnumerable(const nsAString& aName)
uint32_t
nsPluginArray::Length()
{
- if (!AllowPlugins()) {
+ if (!AllowPlugins() || ResistFingerprinting()) {
return 0;
}

[tor-browser-bundle/hardened-builds] Bug 17801: Remove special tor patches
by gk@torproject.org 10 Dec '15
by gk@torproject.org 10 Dec '15
10 Dec '15
commit fe0fbddde4c008ceba36abe826daf75fd63b403d
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 09:04:42 2015 +0000
Bug 17801: Remove special tor patches
---
gitian/descriptors/linux/gitian-tor.yml | 14 -
gitian/descriptors/mac/gitian-tor.yml | 14 -
gitian/descriptors/windows/gitian-tor.yml | 14 -
gitian/patches/bug15482.patch | 40 --
gitian/patches/bug16430.patch | 93 ----
gitian/patches/bug16674.patch | 74 ---
gitian/patches/bug8402-master.patch | 732 -----------------------------
gitian/patches/bug8405.patch | 84 ----
8 files changed, 1065 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index f31aac9..630c2e0 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -23,11 +23,6 @@ files:
- "openssl-linux64-utils.zip"
- "libevent-linux64-utils.zip"
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "dzip.sh"
script: |
INSTDIR="$HOME/install"
@@ -73,15 +68,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 857b5de..a6824c0 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
- "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
- "dzip.sh"
@@ -54,15 +49,6 @@ script: |
export LDFLAGS="-m64 -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/ -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/system/ -mmacosx-version-min=10.5"
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 601dc4e..63b527a 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "binutils.tar.bz2"
- "dzip.sh"
- "mingw-w64-win32-utils.zip"
@@ -54,15 +49,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
# We are building normal bundles without the console popping up and expert
diff --git a/gitian/patches/bug15482.patch b/gitian/patches/bug15482.patch
deleted file mode 100644
index df8a156..0000000
--- a/gitian/patches/bug15482.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 748414784f71126b093aa7466908e00f71a7b046 Mon Sep 17 00:00:00 2001
-From: Mike Perry <mikeperry-git(a)torproject.org>
-Date: Fri, 27 Mar 2015 12:57:37 -0700
-Subject: [PATCH] Bug 15482: Don't abandon circuits that are still in use for
- browsing.
-
-Only applies to connections with SOCKS auth set, so that non-web Tor
-activity is not affected.
-
-Simpler version of Nick's patch because the randomness worried me, and I'm not
-otherwise sure why we want a max here.
----
- src/or/circuituse.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/or/circuituse.c b/src/or/circuituse.c
-index d0d31ad..6cce4bf 100644
---- a/src/or/circuituse.c
-+++ b/src/or/circuituse.c
-@@ -2264,8 +2264,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn,
-
- base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
-
-- if (!circ->base_.timestamp_dirty)
-- circ->base_.timestamp_dirty = time(NULL);
-+ if (!circ->base_.timestamp_dirty) {
-+ circ->base_.timestamp_dirty = approx_time();
-+ } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
-+ (conn->socks_request->usernamelen ||
-+ conn->socks_request->passwordlen)) {
-+ /* When stream isolation is in use and controlled by an application
-+ * we are willing to keep using the stream. */
-+ circ->base_.timestamp_dirty = approx_time();
-+ }
-
- pathbias_count_use_attempt(circ);
-
---
-1.9.1
-
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
deleted file mode 100644
index 81bbe3e..0000000
--- a/gitian/patches/bug16430.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Wed, 24 Jun 2015 13:52:29 +0000
-Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
- checks.
-
-RFC 952 is approximately 30 years old, and people are failing to comply,
-by serving A records with '_' as part of the hostname. Since relaxing
-the check is a QOL improvement for our userbase, relax the check to
-allow such abominations as destinations, especially since there are
-likely to be other similarly misconfigured domains out there.
----
- changes/bug16430 | 4 ++++
- src/common/util.c | 7 +++++--
- src/test/test_util.c | 9 +++++++--
- 3 files changed, 16 insertions(+), 4 deletions(-)
- create mode 100644 changes/bug16430
-
-diff --git a/changes/bug16430 b/changes/bug16430
-new file mode 100644
-index 0000000..ca7b874
---- /dev/null
-+++ b/changes/bug16430
-@@ -0,0 +1,4 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ '_' to cope with domains observed in the wild that are serving non-RFC
-+ compliant records. Resolves ticket 16430.
-diff --git a/src/common/util.c b/src/common/util.c
-index 942d0c2..4490150 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
-
- /** Return true iff <b>string</b> matches a pattern of DNS names
- * that we allow Tor clients to connect to.
-+ *
-+ * Note: This allows certain technically invalid characters ('_') to cope
-+ * with misconfigured zones that have been encountered in the wild.
- */
- int
- string_is_valid_hostname(const char *string)
-@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
- smartlist_split_string(components,string,".",0,0);
-
- SMARTLIST_FOREACH_BEGIN(components, char *, c) {
-- if (c[0] == '-') {
-+ if ((c[0] == '-') || (*c == '_')) {
- result = 0;
- break;
- }
-@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
- (*c >= '0' && *c <= '9') ||
-- (*c == '-'))
-+ (*c == '-') || (*c == '_'))
- c++;
- else
- result = 0;
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index b0366db..0f64c26 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
- tt_assert(string_is_valid_hostname("stanford.edu"));
- tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
-
-- // Subdomain name cannot start with '-'.
-+ // Subdomain name cannot start with '-' or '_'.
- tt_assert(!string_is_valid_hostname("-torproject.org"));
- tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
- tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
-+ tt_assert(!string_is_valid_hostname("___abc.org"));
-
- // Hostnames cannot contain non-alphanumeric characters.
- tt_assert(!string_is_valid_hostname("%%domain.\\org."));
- tt_assert(!string_is_valid_hostname("***x.net"));
-- tt_assert(!string_is_valid_hostname("___abc.org"));
- tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
- tt_assert(!string_is_valid_hostname("word1 word2.net"));
-
-+ // Test workaround for nytimes.com stupidity, technically invalid,
-+ // but we allow it since they are big, even though they are failing to
-+ // comply with a ~30 year old standard.
-+ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-+
- // XXX: do we allow single-label DNS names?
-
- done:
---
-1.9.1
-
diff --git a/gitian/patches/bug16674.patch b/gitian/patches/bug16674.patch
deleted file mode 100644
index 9497684..0000000
--- a/gitian/patches/bug16674.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 27 Jul 2015 12:58:40 +0000
-Subject: [PATCH] Allow a single trailing `.` when validating FQDNs from SOCKS.
-
-URI syntax (and DNS syntax) allows for a single trailing `.` to
-explicitly distinguish between a relative and absolute
-(fully-qualified) domain name. While this is redundant in that RFC 1928
-DOMAINNAME addresses are *always* fully-qualified, certain clients
-blindly pass the trailing `.` along in the request.
-
-Fixes bug 16674; bugfix on 0.2.6.2-alpha.
----
- changes/bug16674 | 5 +++++
- src/common/util.c | 6 ++++++
- src/test/test_util.c | 12 ++++++++++++
- 3 files changed, 23 insertions(+)
- create mode 100644 changes/bug16674
-
-diff --git a/changes/bug16674 b/changes/bug16674
-new file mode 100644
-index 0000000..de55523
---- /dev/null
-+++ b/changes/bug16674
-@@ -0,0 +1,5 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ a single trailing '.' to cope with clients that pass FQDNs using that
-+ syntax to explicitly indicate that the domain name is
-+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
-diff --git a/src/common/util.c b/src/common/util.c
-index 618e6a1..1aac4fc 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string)
- break;
- }
-
-+ /* Allow a single terminating '.' used rarely to indicate domains
-+ * are FQDNs rather than relative. */
-+ if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) {
-+ continue;
-+ }
-+
- do {
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index 0f64c26..2bffb17 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg)
- // comply with a ~30 year old standard.
- tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-
-+ // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy,
-+ // which is redundant since the spec states DOMAINNAME addresses are fully
-+ // qualified. While unusual, this should be tollerated.
-+ tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com."));
-+ tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com"));
-+ tt_assert(!string_is_valid_hostname("so.is..ft.com"));
-+ tt_assert(!string_is_valid_hostname("..."));
-+
- // XXX: do we allow single-label DNS names?
-+ // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name"
-+ // but only test pathologically malformed traling '.' cases for now.
-+ tt_assert(!string_is_valid_hostname("."));
-+ tt_assert(!string_is_valid_hostname(".."));
-
- done:
- return;
---
-1.9.1
-
diff --git a/gitian/patches/bug8402-master.patch b/gitian/patches/bug8402-master.patch
deleted file mode 100644
index 5a6386a..0000000
--- a/gitian/patches/bug8402-master.patch
+++ /dev/null
@@ -1,732 +0,0 @@
-From 9d7410ac5837658efa9b2d7d85c0c71f09a7a759 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Tue, 25 Mar 2014 07:21:22 +0000
-Subject: [PATCH 1/5] Allow ClientTransportPlugins to use proxies
-
-This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with
-ClientTransportPlugins via the TOR_PT_PROXY extension to the
-pluggable transport specification.
-
-This fixes bug #8402.
----
- src/or/config.c | 13 ++++--
- src/or/connection.c | 62 +++++++++++++++++++++--------
- src/or/transports.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++--
- src/or/transports.h | 6 +++
- src/test/test_pt.c | 81 +++++++++++++++++++++++++++++++++++++
- 5 files changed, 251 insertions(+), 23 deletions(-)
-
-diff --git a/src/or/config.c b/src/or/config.c
-index 0f7b1d2..b33098e 100644
---- a/src/or/config.c
-+++ b/src/or/config.c
-@@ -3174,11 +3174,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
- }
- }
-
-- /* Check if more than one proxy type has been enabled. */
-+ /* Check if more than one exclusive proxy type has been enabled. */
- if (!!options->Socks4Proxy + !!options->Socks5Proxy +
-- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1)
-+ !!options->HTTPSProxy > 1)
- REJECT("You have configured more than one proxy type. "
-- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)");
-+ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-
- /* Check if the proxies will give surprising behavior. */
- if (options->HTTPProxy && !(options->Socks4Proxy ||
-@@ -4842,6 +4842,13 @@ parse_client_transport_line(const or_options_t *options,
- pt_kickstart_client_proxy(transport_list, proxy_argv);
- }
- } else { /* external */
-+ /* ClientTransportPlugins connecting through a proxy is managed only. */
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ log_warn(LD_CONFIG, "You have configured an external proxy with another "
-+ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-+ goto err;
-+ }
-+
- if (smartlist_len(transport_list) != 1) {
- log_warn(LD_CONFIG, "You can't have an external proxy with "
- "more than one transports.");
-diff --git a/src/or/connection.c b/src/or/connection.c
-index cef9172..b32cddf 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,6 +86,8 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
-+static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-+ int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -1689,14 +1691,14 @@ get_proxy_type(void)
- {
- const or_options_t *options = get_options();
-
-- if (options->HTTPSProxy)
-+ if (options->ClientTransportPlugin)
-+ return PROXY_PLUGGABLE;
-+ else if (options->HTTPSProxy)
- return PROXY_CONNECT;
- else if (options->Socks4Proxy)
- return PROXY_SOCKS4;
- else if (options->Socks5Proxy)
- return PROXY_SOCKS5;
-- else if (options->ClientTransportPlugin)
-- return PROXY_PLUGGABLE;
- else
- return PROXY_NONE;
- }
-@@ -4771,6 +4773,35 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-+ * pluggable transport or bridge we are using.
-+ * <b>conn</b> contains the connection we are using the PT/bridge for.
-+ *
-+ * Return 0 on success, -1 on failure.
-+ */
-+static int
-+get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-+ const connection_t *conn)
-+{
-+ const or_options_t *options = get_options();
-+
-+ if (options->ClientTransportPlugin || options->Bridges) {
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
-+ return 0;
-+ }
-+ }
-+
-+ return -1;
-+}
-+
-+/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4782,6 +4813,16 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- {
- const or_options_t *options = get_options();
-
-+ /* Client Transport Plugins can use another proxy, but that should be hidden
-+ * from the rest of tor (as the plugin is responsible for dealing with the
-+ * proxy), check it first, then check the rest of the proxy types to allow
-+ * the config to have unused ClientTransportPlugin entries.
-+ */
-+ if (options->ClientTransportPlugin) {
-+ if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ return 0;
-+ }
-+
- if (options->HTTPSProxy) {
- tor_addr_copy(addr, &options->HTTPSProxyAddr);
- *port = options->HTTPSProxyPort;
-@@ -4797,19 +4838,8 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->ClientTransportPlugin ||
-- options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-+ } else if (options->Bridges) {
-+ return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
-diff --git a/src/or/transports.c b/src/or/transports.c
-index dc30754..b810315 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -124,6 +124,8 @@ static INLINE void free_execve_args(char **arg);
- #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR"
- #define PROTO_CMETHODS_DONE "CMETHODS DONE"
- #define PROTO_SMETHODS_DONE "SMETHODS DONE"
-+#define PROTO_PROXY_DONE "PROXY DONE"
-+#define PROTO_PROXY_ERROR "PROXY-ERROR"
-
- /** The first and only supported - at the moment - configuration
- protocol version. */
-@@ -439,6 +441,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp)
- static int
- proxy_needs_restart(const managed_proxy_t *mp)
- {
-+ int ret = 1;
-+ char* proxy_uri;
-+
-+ /* If the PT proxy config has changed, then all existing pluggable transports
-+ * should be restarted.
-+ */
-+
-+ proxy_uri = get_pt_proxy_uri();
-+ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0)
-+ goto needs_restart;
-+
- /* mp->transport_to_launch is populated with the names of the
- transports that must be launched *after* the SIGHUP.
- mp->transports is populated with the transports that were
-@@ -459,10 +472,10 @@ proxy_needs_restart(const managed_proxy_t *mp)
-
- } SMARTLIST_FOREACH_END(t);
-
-- return 0;
--
-- needs_restart:
-- return 1;
-+ ret = 0;
-+needs_restart:
-+ tor_free(proxy_uri);
-+ return ret;
- }
-
- /** Managed proxy <b>mp</b> must be restarted. Do all the necessary
-@@ -493,6 +506,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp)
- SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t));
- smartlist_clear(mp->transports);
-
-+ /* Reset the proxy's HTTPS/SOCKS proxy */
-+ tor_free(mp->proxy_uri);
-+ mp->proxy_uri = get_pt_proxy_uri();
-+ mp->proxy_supported = 0;
-+
- /* flag it as an infant proxy so that it gets launched on next tick */
- mp->conf_state = PT_PROTO_INFANT;
- unconfigured_proxies_n++;
-@@ -727,12 +745,52 @@ managed_proxy_destroy(managed_proxy_t *mp,
- /* free the argv */
- free_execve_args(mp->argv);
-
-+ /* free the outgoing proxy URI */
-+ tor_free(mp->proxy_uri);
-+
- tor_process_handle_destroy(mp->process_handle, also_terminate_process);
- mp->process_handle = NULL;
-
- tor_free(mp);
- }
-
-+/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */
-+STATIC char *
-+get_pt_proxy_uri(void)
-+{
-+ const or_options_t *options = get_options();
-+ char *uri = NULL;
-+
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ char addr[TOR_ADDR_BUF_LEN+1];
-+
-+ if (options->Socks4Proxy) {
-+ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1);
-+ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort);
-+ } else if (options->Socks5Proxy) {
-+ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1);
-+ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) {
-+ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "socks5://%s:%s@%s:%d",
-+ options->Socks5ProxyUsername,
-+ options->Socks5ProxyPassword,
-+ addr, options->Socks5ProxyPort);
-+ }
-+ } else if (options->HTTPSProxy) {
-+ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1);
-+ if (!options->HTTPSProxyAuthenticator) {
-+ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator,
-+ addr, options->HTTPSProxyPort);
-+ }
-+ }
-+ }
-+
-+ return uri;
-+}
-+
- /** Handle a configured or broken managed proxy <b>mp</b>. */
- static void
- handle_finished_proxy(managed_proxy_t *mp)
-@@ -745,6 +803,12 @@ handle_finished_proxy(managed_proxy_t *mp)
- managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */
- break;
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
-+ if (mp->proxy_uri && !mp->proxy_supported) {
-+ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-+ "specified outgoing proxy.", mp->argv[0]);
-+ managed_proxy_destroy(mp, 1); /* annihilate it. */
-+ break;
-+ }
- register_proxy(mp); /* register its transports */
- mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */
- break;
-@@ -862,6 +926,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp)
- goto err;
-
- return;
-+ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ if (mp->proxy_uri) {
-+ mp->proxy_supported = 1;
-+ return;
-+ }
-+
-+ /* No proxy was configured, this should log */
-+ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ parse_proxy_error(line);
-+ goto err;
- } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) {
- /* managed proxy launch failed: parse error message to learn why. */
- int retval, child_state, saved_errno;
-@@ -1128,6 +1208,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp)
- return r;
- }
-
-+/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */
-+STATIC void
-+parse_proxy_error(const char *line)
-+{
-+ /* (Length of the protocol string) plus (a space) and (the first char of
-+ the error message) */
-+ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2))
-+ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error "
-+ "message.", PROTO_PROXY_ERROR);
-+
-+ log_warn(LD_CONFIG, "Managed proxy failed to configure the "
-+ "pluggable transport's outgoing proxy. (%s)",
-+ line+strlen(PROTO_PROXY_ERROR)+1);
-+}
-+
- /** Return a newly allocated string that tor should place in
- * TOR_PT_SERVER_TRANSPORT_OPTIONS while configuring the server
- * manged proxy in <b>mp</b>. Return NULL if no such options are found. */
-@@ -1292,6 +1387,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp)
- } else {
- smartlist_add_asprintf(envs, "TOR_PT_EXTENDED_SERVER_PORT=");
- }
-+ } else {
-+ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the
-+ * TOR_PT_PROXY line.
-+ */
-+
-+ if (mp->proxy_uri) {
-+ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri);
-+ }
- }
-
- SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) {
-@@ -1324,6 +1427,7 @@ managed_proxy_create(const smartlist_t *transport_list,
- mp->is_server = is_server;
- mp->argv = proxy_argv;
- mp->transports = smartlist_new();
-+ mp->proxy_uri = get_pt_proxy_uri();
-
- mp->transports_to_launch = smartlist_new();
- SMARTLIST_FOREACH(transport_list, const char *, transport,
-diff --git a/src/or/transports.h b/src/or/transports.h
-index 1365ead..bc2331d 100644
---- a/src/or/transports.h
-+++ b/src/or/transports.h
-@@ -81,6 +81,9 @@ typedef struct {
- char **argv; /* the cli arguments of this proxy */
- int conf_protocol; /* the configuration protocol version used */
-
-+ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */
-+ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */
-+
- int is_server; /* is it a server proxy? */
-
- /* A pointer to the process handle of this managed proxy. */
-@@ -112,6 +115,7 @@ STATIC int parse_smethod_line(const char *line, managed_proxy_t *mp);
-
- STATIC int parse_version(const char *line, managed_proxy_t *mp);
- STATIC void parse_env_error(const char *line);
-+STATIC void parse_proxy_error(const char *line);
- STATIC void handle_proxy_line(const char *line, managed_proxy_t *mp);
- STATIC char *get_transport_options_for_server_proxy(const managed_proxy_t *mp);
-
-@@ -123,6 +127,8 @@ STATIC managed_proxy_t *managed_proxy_create(const smartlist_t *transport_list,
-
- STATIC int configure_proxy(managed_proxy_t *mp);
-
-+STATIC char* get_pt_proxy_uri(void);
-+
- #endif
-
- #endif
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index f71627d..788d420 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -450,6 +450,85 @@ test_pt_configure_proxy(void *arg)
- tor_free(mp);
- }
-
-+/* Test the get_pt_proxy_uri() function. */
-+static void
-+test_get_pt_proxy_uri(void *arg)
-+{
-+ or_options_t *options = get_options_mutable();
-+ char *uri = NULL;
-+ int ret;
-+ (void) arg;
-+
-+ /* Test with no proxy. */
-+ uri = get_pt_proxy_uri();
-+ tt_assert(uri == NULL);
-+
-+ /* Test with a SOCKS4 proxy. */
-+ options->Socks4Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks4Proxy = NULL;
-+
-+ /* Test with a SOCKS5 proxy, no username/password. */
-+ options->Socks5Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks5Proxy,
-+ &options->Socks5ProxyAddr,
-+ &options->Socks5ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ /* Test with a SOCKS5 proxy, with username/password. */
-+ options->Socks5ProxyUsername = "hwest";
-+ options->Socks5ProxyPassword = "r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks5Proxy = NULL;
-+
-+ /* Test with a HTTPS proxy, no authenticator. */
-+ options->HTTPSProxy = "192.0.2.1:80";
-+ ret = tor_addr_port_lookup(options->HTTPSProxy,
-+ &options->HTTPSProxyAddr,
-+ &options->HTTPSProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://192.0.2.1:80");
-+ tor_free(uri);
-+
-+ /* Test with a HTTPS proxy, with authenticator. */
-+ options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
-+ tor_free(uri);
-+
-+ options->HTTPSProxy = NULL;
-+
-+ /* Token nod to the fact that IPv6 exists. */
-+ options->Socks4Proxy = "[2001:db8::1]:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
-+ tor_free(uri);
-+
-+
-+ done:
-+ if (uri)
-+ tor_free(uri);
-+}
-+
-+
- #define PT_LEGACY(name) \
- { #name, legacy_test_helper, 0, &legacy_setup, test_pt_ ## name }
-
-@@ -462,6 +541,8 @@ struct testcase_t pt_tests[] = {
- NULL, NULL },
- { "configure_proxy",test_pt_configure_proxy, TT_FORK,
- NULL, NULL },
-+ { "get_pt_proxy_uri", test_get_pt_proxy_uri, TT_FORK,
-+ NULL, NULL },
- END_OF_TESTCASES
- };
-
---
-2.0.0.rc2
-
-
-From 92eecbfee128b22b07bcc97ac36ecdd5183c2da7 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 14 Apr 2014 21:51:34 +0000
-Subject: [PATCH 2/5] Fixed the test build with --enable-gcc-warnings
-
----
- src/test/test_pt.c | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index 788d420..cfbd084 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -464,7 +464,7 @@ test_get_pt_proxy_uri(void *arg)
- tt_assert(uri == NULL);
-
- /* Test with a SOCKS4 proxy. */
-- options->Socks4Proxy = "192.0.2.1:1080";
-+ options->Socks4Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -472,11 +472,10 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks4Proxy = NULL;
-+ tor_free(options->Socks4Proxy);
-
- /* Test with a SOCKS5 proxy, no username/password. */
-- options->Socks5Proxy = "192.0.2.1:1080";
-+ options->Socks5Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks5Proxy,
- &options->Socks5ProxyAddr,
- &options->Socks5ProxyPort);
-@@ -486,16 +485,17 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a SOCKS5 proxy, with username/password. */
-- options->Socks5ProxyUsername = "hwest";
-- options->Socks5ProxyPassword = "r34n1m470r";
-+ options->Socks5ProxyUsername = tor_strdup("hwest");
-+ options->Socks5ProxyPassword = tor_strdup("r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks5Proxy = NULL;
-+ tor_free(options->Socks5Proxy);
-+ tor_free(options->Socks5ProxyUsername);
-+ tor_free(options->Socks5ProxyPassword);
-
- /* Test with a HTTPS proxy, no authenticator. */
-- options->HTTPSProxy = "192.0.2.1:80";
-+ options->HTTPSProxy = tor_strdup("192.0.2.1:80");
- ret = tor_addr_port_lookup(options->HTTPSProxy,
- &options->HTTPSProxyAddr,
- &options->HTTPSProxyPort);
-@@ -505,15 +505,15 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a HTTPS proxy, with authenticator. */
-- options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ options->HTTPSProxyAuthenticator = tor_strdup("hwest:r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
- tor_free(uri);
--
-- options->HTTPSProxy = NULL;
-+ tor_free(options->HTTPSProxy);
-+ tor_free(options->HTTPSProxyAuthenticator);
-
- /* Token nod to the fact that IPv6 exists. */
-- options->Socks4Proxy = "[2001:db8::1]:1080";
-+ options->Socks4Proxy = tor_strdup("[2001:db8::1]:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -521,7 +521,7 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
- tor_free(uri);
--
-+ tor_free(options->Socks4Proxy);
-
- done:
- if (uri)
---
-2.0.0.rc2
-
-
-From 8361223c10eb929b570e72853a5d9e51b67fd6c3 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:30:09 +0000
-Subject: [PATCH 3/5] Remove get_bridge_pt_addrport().
-
-The code was not disambiguating ClientTransportPlugin configured and
-not used, and ClientTransportPlugin configured, but in a failed state.
-
-The right thing to do is to undo moving the get_transport_by_addrport()
-call back into get_proxy_addrport(), and remove and explicit check for
-using a Bridge since by the time the check is made, if a Bridge is
-being used, it is PT/proxy-less.
----
- src/or/connection.c | 46 ++++++++++++----------------------------------
- 1 file changed, 12 insertions(+), 34 deletions(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index b32cddf..ff8cdf1 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,8 +86,6 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
--static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-- int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -4773,35 +4771,6 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-- * pluggable transport or bridge we are using.
-- * <b>conn</b> contains the connection we are using the PT/bridge for.
-- *
-- * Return 0 on success, -1 on failure.
-- */
--static int
--get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-- const connection_t *conn)
--{
-- const or_options_t *options = get_options();
--
-- if (options->ClientTransportPlugin || options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-- }
--
-- return -1;
--}
--
--/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4819,8 +4788,19 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- * the config to have unused ClientTransportPlugin entries.
- */
- if (options->ClientTransportPlugin) {
-- if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
- return 0;
-+ }
-+
-+ /* Unused ClientTransportPlugin. */
- }
-
- if (options->HTTPSProxy) {
-@@ -4838,8 +4818,6 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->Bridges) {
-- return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
---
-2.0.0.rc2
-
-
-From 68184b317d3f4dc14e758e451377e4e3996bd0ab Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:43:53 +0000
-Subject: [PATCH 4/5] Log the correct proxy type on failure.
-
-get_proxy_addrport fills in proxy_type with the correct value, so there
-is no point in logging something that's a "best guess" based off the
-config.
----
- src/or/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index ff8cdf1..5069ed6 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -4841,7 +4841,7 @@ log_failed_proxy_connection(connection_t *conn)
- log_warn(LD_NET,
- "The connection to the %s proxy server at %s just failed. "
- "Make sure that the proxy server is up and running.",
-- proxy_type_to_string(get_proxy_type()),
-+ proxy_type_to_string(proxy_type),
- fmt_addrport(&proxy_addr, proxy_port));
- }
-
---
-2.0.0.rc2
-
-
-From 34200a44fbbd3f158ea17043c2bcd21d0e382b89 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 18:58:53 +0000
-Subject: [PATCH 5/5] Improve the log message when a transport doesn't support
- proxies.
-
-Per feedback, explicltly note that the transport will be killed when it
-does not acknowledge the configured outgoing proxy.
----
- src/or/transports.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/or/transports.c b/src/or/transports.c
-index b810315..eee159d 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -805,7 +805,8 @@ handle_finished_proxy(managed_proxy_t *mp)
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
- if (mp->proxy_uri && !mp->proxy_supported) {
- log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-- "specified outgoing proxy.", mp->argv[0]);
-+ "specified outgoing proxy and will be terminated.",
-+ mp->argv[0]);
- managed_proxy_destroy(mp, 1); /* annihilate it. */
- break;
- }
---
-2.0.0.rc2
-
diff --git a/gitian/patches/bug8405.patch b/gitian/patches/bug8405.patch
deleted file mode 100644
index 3c40632..0000000
--- a/gitian/patches/bug8405.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From a298c77f7eba232154ff08ca1119b05ccd9eee9e Mon Sep 17 00:00:00 2001
-From: Arthur Edelstein <arthuredelstein(a)gmail.com>
-Date: Tue, 15 Jul 2014 21:27:59 -0700
-Subject: [PATCH] Bug #8405: Report SOCKS username/password in CIRC status
- events
-
-Introduces two new circuit status name-value parameters: SOCKS_USERNAME
-and SOCKS_PASSWORD. Values are enclosing in quotes and unusual characters
-are escaped.
-
-Example:
-
- 650 CIRC 5 EXTENDED [...] SOCKS_USERNAME="my_username" SOCKS_PASSWORD="my_password"
----
- src/common/util.c | 14 ++++++++++++++
- src/common/util.h | 1 +
- src/or/control.c | 14 ++++++++++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/src/common/util.c b/src/common/util.c
-index 8589344..64cee56 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1222,6 +1222,20 @@ esc_for_log(const char *s)
- return result;
- }
-
-+/** Similar to esc_for_log. Allocate and return a new string representing
-+ * the first n characters in <b>chars</b>, surround by quotes and using
-+ * standard C escapes. If a NUL character is encountered in <b>chars</b>,
-+ * the resulting string will be terminated there.
-+ */
-+char *
-+esc_for_log_len(const char *chars, size_t n)
-+{
-+ char *string = tor_strndup(chars, n);
-+ char *string_escaped = esc_for_log(string);
-+ tor_free(string);
-+ return string_escaped;
-+}
-+
- /** Allocate and return a new string representing the contents of <b>s</b>,
- * surrounded by quotes and using standard C escapes.
- *
-diff --git a/src/common/util.h b/src/common/util.h
-index 97367a9..50c5a3d 100644
---- a/src/common/util.h
-+++ b/src/common/util.h
-@@ -229,6 +229,7 @@ int tor_mem_is_zero(const char *mem, size_t len);
- int tor_digest_is_zero(const char *digest);
- int tor_digest256_is_zero(const char *digest);
- char *esc_for_log(const char *string) ATTR_MALLOC;
-+char *esc_for_log_len(const char *chars, size_t n) ATTR_MALLOC;
- const char *escaped(const char *string);
-
- char *tor_escape_str_for_pt_args(const char *string,
-diff --git a/src/or/control.c b/src/or/control.c
-index 9285fc5..aa46df6 100644
---- a/src/or/control.c
-+++ b/src/or/control.c
-@@ -1862,6 +1862,20 @@ circuit_describe_status_for_controller(origin_circuit_t *circ)
- smartlist_add_asprintf(descparts, "TIME_CREATED=%s", tbuf);
- }
-
-+ // Show username and/or password if available.
-+ if (circ->socks_username_len > 0) {
-+ char* socks_username_escaped = esc_for_log_len(circ->socks_username,
-+ (size_t) circ->socks_username_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_USERNAME=%s", socks_username_escaped);
-+ tor_free(socks_username_escaped);
-+ }
-+ if (circ->socks_password_len > 0) {
-+ char* socks_password_escaped = esc_for_log_len(circ->socks_password,
-+ (size_t) circ->socks_password_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_PASSWORD=%s", socks_password_escaped);
-+ tor_free(socks_password_escaped);
-+ }
-+
- rv = smartlist_join_strings(descparts, " ", 0, NULL);
-
- SMARTLIST_FOREACH(descparts, char *, cp, tor_free(cp));
---
-1.8.3.4 (Apple Git-47)
-

10 Dec '15
commit 9fc1f843da2a43bc7d3a8b53964e984dd86476e3
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 09:04:42 2015 +0000
Bug 17801: Remove special tor patches
---
gitian/descriptors/linux/gitian-tor.yml | 14 -
gitian/descriptors/mac/gitian-tor.yml | 14 -
gitian/descriptors/windows/gitian-tor.yml | 14 -
gitian/patches/bug15482.patch | 40 --
gitian/patches/bug16430.patch | 93 ----
gitian/patches/bug16674.patch | 74 ---
gitian/patches/bug8402-master.patch | 732 -----------------------------
gitian/patches/bug8405.patch | 84 ----
8 files changed, 1065 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index d8e3557..0e35d2f 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -19,11 +19,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "dzip.sh"
- "openssl-linux32-utils.zip"
- "openssl-linux64-utils.zip"
@@ -76,15 +71,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 857b5de..a6824c0 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
- "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
- "dzip.sh"
@@ -54,15 +49,6 @@ script: |
export LDFLAGS="-m64 -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/ -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/system/ -mmacosx-version-min=10.5"
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 601dc4e..63b527a 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "binutils.tar.bz2"
- "dzip.sh"
- "mingw-w64-win32-utils.zip"
@@ -54,15 +49,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
# We are building normal bundles without the console popping up and expert
diff --git a/gitian/patches/bug15482.patch b/gitian/patches/bug15482.patch
deleted file mode 100644
index df8a156..0000000
--- a/gitian/patches/bug15482.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 748414784f71126b093aa7466908e00f71a7b046 Mon Sep 17 00:00:00 2001
-From: Mike Perry <mikeperry-git(a)torproject.org>
-Date: Fri, 27 Mar 2015 12:57:37 -0700
-Subject: [PATCH] Bug 15482: Don't abandon circuits that are still in use for
- browsing.
-
-Only applies to connections with SOCKS auth set, so that non-web Tor
-activity is not affected.
-
-Simpler version of Nick's patch because the randomness worried me, and I'm not
-otherwise sure why we want a max here.
----
- src/or/circuituse.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/or/circuituse.c b/src/or/circuituse.c
-index d0d31ad..6cce4bf 100644
---- a/src/or/circuituse.c
-+++ b/src/or/circuituse.c
-@@ -2264,8 +2264,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn,
-
- base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
-
-- if (!circ->base_.timestamp_dirty)
-- circ->base_.timestamp_dirty = time(NULL);
-+ if (!circ->base_.timestamp_dirty) {
-+ circ->base_.timestamp_dirty = approx_time();
-+ } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
-+ (conn->socks_request->usernamelen ||
-+ conn->socks_request->passwordlen)) {
-+ /* When stream isolation is in use and controlled by an application
-+ * we are willing to keep using the stream. */
-+ circ->base_.timestamp_dirty = approx_time();
-+ }
-
- pathbias_count_use_attempt(circ);
-
---
-1.9.1
-
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
deleted file mode 100644
index 81bbe3e..0000000
--- a/gitian/patches/bug16430.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Wed, 24 Jun 2015 13:52:29 +0000
-Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
- checks.
-
-RFC 952 is approximately 30 years old, and people are failing to comply,
-by serving A records with '_' as part of the hostname. Since relaxing
-the check is a QOL improvement for our userbase, relax the check to
-allow such abominations as destinations, especially since there are
-likely to be other similarly misconfigured domains out there.
----
- changes/bug16430 | 4 ++++
- src/common/util.c | 7 +++++--
- src/test/test_util.c | 9 +++++++--
- 3 files changed, 16 insertions(+), 4 deletions(-)
- create mode 100644 changes/bug16430
-
-diff --git a/changes/bug16430 b/changes/bug16430
-new file mode 100644
-index 0000000..ca7b874
---- /dev/null
-+++ b/changes/bug16430
-@@ -0,0 +1,4 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ '_' to cope with domains observed in the wild that are serving non-RFC
-+ compliant records. Resolves ticket 16430.
-diff --git a/src/common/util.c b/src/common/util.c
-index 942d0c2..4490150 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
-
- /** Return true iff <b>string</b> matches a pattern of DNS names
- * that we allow Tor clients to connect to.
-+ *
-+ * Note: This allows certain technically invalid characters ('_') to cope
-+ * with misconfigured zones that have been encountered in the wild.
- */
- int
- string_is_valid_hostname(const char *string)
-@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
- smartlist_split_string(components,string,".",0,0);
-
- SMARTLIST_FOREACH_BEGIN(components, char *, c) {
-- if (c[0] == '-') {
-+ if ((c[0] == '-') || (*c == '_')) {
- result = 0;
- break;
- }
-@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
- (*c >= '0' && *c <= '9') ||
-- (*c == '-'))
-+ (*c == '-') || (*c == '_'))
- c++;
- else
- result = 0;
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index b0366db..0f64c26 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
- tt_assert(string_is_valid_hostname("stanford.edu"));
- tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
-
-- // Subdomain name cannot start with '-'.
-+ // Subdomain name cannot start with '-' or '_'.
- tt_assert(!string_is_valid_hostname("-torproject.org"));
- tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
- tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
-+ tt_assert(!string_is_valid_hostname("___abc.org"));
-
- // Hostnames cannot contain non-alphanumeric characters.
- tt_assert(!string_is_valid_hostname("%%domain.\\org."));
- tt_assert(!string_is_valid_hostname("***x.net"));
-- tt_assert(!string_is_valid_hostname("___abc.org"));
- tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
- tt_assert(!string_is_valid_hostname("word1 word2.net"));
-
-+ // Test workaround for nytimes.com stupidity, technically invalid,
-+ // but we allow it since they are big, even though they are failing to
-+ // comply with a ~30 year old standard.
-+ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-+
- // XXX: do we allow single-label DNS names?
-
- done:
---
-1.9.1
-
diff --git a/gitian/patches/bug16674.patch b/gitian/patches/bug16674.patch
deleted file mode 100644
index 9497684..0000000
--- a/gitian/patches/bug16674.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 27 Jul 2015 12:58:40 +0000
-Subject: [PATCH] Allow a single trailing `.` when validating FQDNs from SOCKS.
-
-URI syntax (and DNS syntax) allows for a single trailing `.` to
-explicitly distinguish between a relative and absolute
-(fully-qualified) domain name. While this is redundant in that RFC 1928
-DOMAINNAME addresses are *always* fully-qualified, certain clients
-blindly pass the trailing `.` along in the request.
-
-Fixes bug 16674; bugfix on 0.2.6.2-alpha.
----
- changes/bug16674 | 5 +++++
- src/common/util.c | 6 ++++++
- src/test/test_util.c | 12 ++++++++++++
- 3 files changed, 23 insertions(+)
- create mode 100644 changes/bug16674
-
-diff --git a/changes/bug16674 b/changes/bug16674
-new file mode 100644
-index 0000000..de55523
---- /dev/null
-+++ b/changes/bug16674
-@@ -0,0 +1,5 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ a single trailing '.' to cope with clients that pass FQDNs using that
-+ syntax to explicitly indicate that the domain name is
-+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
-diff --git a/src/common/util.c b/src/common/util.c
-index 618e6a1..1aac4fc 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string)
- break;
- }
-
-+ /* Allow a single terminating '.' used rarely to indicate domains
-+ * are FQDNs rather than relative. */
-+ if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) {
-+ continue;
-+ }
-+
- do {
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index 0f64c26..2bffb17 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg)
- // comply with a ~30 year old standard.
- tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-
-+ // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy,
-+ // which is redundant since the spec states DOMAINNAME addresses are fully
-+ // qualified. While unusual, this should be tollerated.
-+ tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com."));
-+ tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com"));
-+ tt_assert(!string_is_valid_hostname("so.is..ft.com"));
-+ tt_assert(!string_is_valid_hostname("..."));
-+
- // XXX: do we allow single-label DNS names?
-+ // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name"
-+ // but only test pathologically malformed traling '.' cases for now.
-+ tt_assert(!string_is_valid_hostname("."));
-+ tt_assert(!string_is_valid_hostname(".."));
-
- done:
- return;
---
-1.9.1
-
diff --git a/gitian/patches/bug8402-master.patch b/gitian/patches/bug8402-master.patch
deleted file mode 100644
index 5a6386a..0000000
--- a/gitian/patches/bug8402-master.patch
+++ /dev/null
@@ -1,732 +0,0 @@
-From 9d7410ac5837658efa9b2d7d85c0c71f09a7a759 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Tue, 25 Mar 2014 07:21:22 +0000
-Subject: [PATCH 1/5] Allow ClientTransportPlugins to use proxies
-
-This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with
-ClientTransportPlugins via the TOR_PT_PROXY extension to the
-pluggable transport specification.
-
-This fixes bug #8402.
----
- src/or/config.c | 13 ++++--
- src/or/connection.c | 62 +++++++++++++++++++++--------
- src/or/transports.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++--
- src/or/transports.h | 6 +++
- src/test/test_pt.c | 81 +++++++++++++++++++++++++++++++++++++
- 5 files changed, 251 insertions(+), 23 deletions(-)
-
-diff --git a/src/or/config.c b/src/or/config.c
-index 0f7b1d2..b33098e 100644
---- a/src/or/config.c
-+++ b/src/or/config.c
-@@ -3174,11 +3174,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
- }
- }
-
-- /* Check if more than one proxy type has been enabled. */
-+ /* Check if more than one exclusive proxy type has been enabled. */
- if (!!options->Socks4Proxy + !!options->Socks5Proxy +
-- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1)
-+ !!options->HTTPSProxy > 1)
- REJECT("You have configured more than one proxy type. "
-- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)");
-+ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-
- /* Check if the proxies will give surprising behavior. */
- if (options->HTTPProxy && !(options->Socks4Proxy ||
-@@ -4842,6 +4842,13 @@ parse_client_transport_line(const or_options_t *options,
- pt_kickstart_client_proxy(transport_list, proxy_argv);
- }
- } else { /* external */
-+ /* ClientTransportPlugins connecting through a proxy is managed only. */
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ log_warn(LD_CONFIG, "You have configured an external proxy with another "
-+ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-+ goto err;
-+ }
-+
- if (smartlist_len(transport_list) != 1) {
- log_warn(LD_CONFIG, "You can't have an external proxy with "
- "more than one transports.");
-diff --git a/src/or/connection.c b/src/or/connection.c
-index cef9172..b32cddf 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,6 +86,8 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
-+static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-+ int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -1689,14 +1691,14 @@ get_proxy_type(void)
- {
- const or_options_t *options = get_options();
-
-- if (options->HTTPSProxy)
-+ if (options->ClientTransportPlugin)
-+ return PROXY_PLUGGABLE;
-+ else if (options->HTTPSProxy)
- return PROXY_CONNECT;
- else if (options->Socks4Proxy)
- return PROXY_SOCKS4;
- else if (options->Socks5Proxy)
- return PROXY_SOCKS5;
-- else if (options->ClientTransportPlugin)
-- return PROXY_PLUGGABLE;
- else
- return PROXY_NONE;
- }
-@@ -4771,6 +4773,35 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-+ * pluggable transport or bridge we are using.
-+ * <b>conn</b> contains the connection we are using the PT/bridge for.
-+ *
-+ * Return 0 on success, -1 on failure.
-+ */
-+static int
-+get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-+ const connection_t *conn)
-+{
-+ const or_options_t *options = get_options();
-+
-+ if (options->ClientTransportPlugin || options->Bridges) {
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
-+ return 0;
-+ }
-+ }
-+
-+ return -1;
-+}
-+
-+/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4782,6 +4813,16 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- {
- const or_options_t *options = get_options();
-
-+ /* Client Transport Plugins can use another proxy, but that should be hidden
-+ * from the rest of tor (as the plugin is responsible for dealing with the
-+ * proxy), check it first, then check the rest of the proxy types to allow
-+ * the config to have unused ClientTransportPlugin entries.
-+ */
-+ if (options->ClientTransportPlugin) {
-+ if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ return 0;
-+ }
-+
- if (options->HTTPSProxy) {
- tor_addr_copy(addr, &options->HTTPSProxyAddr);
- *port = options->HTTPSProxyPort;
-@@ -4797,19 +4838,8 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->ClientTransportPlugin ||
-- options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-+ } else if (options->Bridges) {
-+ return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
-diff --git a/src/or/transports.c b/src/or/transports.c
-index dc30754..b810315 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -124,6 +124,8 @@ static INLINE void free_execve_args(char **arg);
- #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR"
- #define PROTO_CMETHODS_DONE "CMETHODS DONE"
- #define PROTO_SMETHODS_DONE "SMETHODS DONE"
-+#define PROTO_PROXY_DONE "PROXY DONE"
-+#define PROTO_PROXY_ERROR "PROXY-ERROR"
-
- /** The first and only supported - at the moment - configuration
- protocol version. */
-@@ -439,6 +441,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp)
- static int
- proxy_needs_restart(const managed_proxy_t *mp)
- {
-+ int ret = 1;
-+ char* proxy_uri;
-+
-+ /* If the PT proxy config has changed, then all existing pluggable transports
-+ * should be restarted.
-+ */
-+
-+ proxy_uri = get_pt_proxy_uri();
-+ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0)
-+ goto needs_restart;
-+
- /* mp->transport_to_launch is populated with the names of the
- transports that must be launched *after* the SIGHUP.
- mp->transports is populated with the transports that were
-@@ -459,10 +472,10 @@ proxy_needs_restart(const managed_proxy_t *mp)
-
- } SMARTLIST_FOREACH_END(t);
-
-- return 0;
--
-- needs_restart:
-- return 1;
-+ ret = 0;
-+needs_restart:
-+ tor_free(proxy_uri);
-+ return ret;
- }
-
- /** Managed proxy <b>mp</b> must be restarted. Do all the necessary
-@@ -493,6 +506,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp)
- SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t));
- smartlist_clear(mp->transports);
-
-+ /* Reset the proxy's HTTPS/SOCKS proxy */
-+ tor_free(mp->proxy_uri);
-+ mp->proxy_uri = get_pt_proxy_uri();
-+ mp->proxy_supported = 0;
-+
- /* flag it as an infant proxy so that it gets launched on next tick */
- mp->conf_state = PT_PROTO_INFANT;
- unconfigured_proxies_n++;
-@@ -727,12 +745,52 @@ managed_proxy_destroy(managed_proxy_t *mp,
- /* free the argv */
- free_execve_args(mp->argv);
-
-+ /* free the outgoing proxy URI */
-+ tor_free(mp->proxy_uri);
-+
- tor_process_handle_destroy(mp->process_handle, also_terminate_process);
- mp->process_handle = NULL;
-
- tor_free(mp);
- }
-
-+/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */
-+STATIC char *
-+get_pt_proxy_uri(void)
-+{
-+ const or_options_t *options = get_options();
-+ char *uri = NULL;
-+
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ char addr[TOR_ADDR_BUF_LEN+1];
-+
-+ if (options->Socks4Proxy) {
-+ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1);
-+ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort);
-+ } else if (options->Socks5Proxy) {
-+ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1);
-+ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) {
-+ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "socks5://%s:%s@%s:%d",
-+ options->Socks5ProxyUsername,
-+ options->Socks5ProxyPassword,
-+ addr, options->Socks5ProxyPort);
-+ }
-+ } else if (options->HTTPSProxy) {
-+ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1);
-+ if (!options->HTTPSProxyAuthenticator) {
-+ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator,
-+ addr, options->HTTPSProxyPort);
-+ }
-+ }
-+ }
-+
-+ return uri;
-+}
-+
- /** Handle a configured or broken managed proxy <b>mp</b>. */
- static void
- handle_finished_proxy(managed_proxy_t *mp)
-@@ -745,6 +803,12 @@ handle_finished_proxy(managed_proxy_t *mp)
- managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */
- break;
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
-+ if (mp->proxy_uri && !mp->proxy_supported) {
-+ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-+ "specified outgoing proxy.", mp->argv[0]);
-+ managed_proxy_destroy(mp, 1); /* annihilate it. */
-+ break;
-+ }
- register_proxy(mp); /* register its transports */
- mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */
- break;
-@@ -862,6 +926,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp)
- goto err;
-
- return;
-+ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ if (mp->proxy_uri) {
-+ mp->proxy_supported = 1;
-+ return;
-+ }
-+
-+ /* No proxy was configured, this should log */
-+ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ parse_proxy_error(line);
-+ goto err;
- } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) {
- /* managed proxy launch failed: parse error message to learn why. */
- int retval, child_state, saved_errno;
-@@ -1128,6 +1208,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp)
- return r;
- }
-
-+/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */
-+STATIC void
-+parse_proxy_error(const char *line)
-+{
-+ /* (Length of the protocol string) plus (a space) and (the first char of
-+ the error message) */
-+ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2))
-+ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error "
-+ "message.", PROTO_PROXY_ERROR);
-+
-+ log_warn(LD_CONFIG, "Managed proxy failed to configure the "
-+ "pluggable transport's outgoing proxy. (%s)",
-+ line+strlen(PROTO_PROXY_ERROR)+1);
-+}
-+
- /** Return a newly allocated string that tor should place in
- * TOR_PT_SERVER_TRANSPORT_OPTIONS while configuring the server
- * manged proxy in <b>mp</b>. Return NULL if no such options are found. */
-@@ -1292,6 +1387,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp)
- } else {
- smartlist_add_asprintf(envs, "TOR_PT_EXTENDED_SERVER_PORT=");
- }
-+ } else {
-+ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the
-+ * TOR_PT_PROXY line.
-+ */
-+
-+ if (mp->proxy_uri) {
-+ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri);
-+ }
- }
-
- SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) {
-@@ -1324,6 +1427,7 @@ managed_proxy_create(const smartlist_t *transport_list,
- mp->is_server = is_server;
- mp->argv = proxy_argv;
- mp->transports = smartlist_new();
-+ mp->proxy_uri = get_pt_proxy_uri();
-
- mp->transports_to_launch = smartlist_new();
- SMARTLIST_FOREACH(transport_list, const char *, transport,
-diff --git a/src/or/transports.h b/src/or/transports.h
-index 1365ead..bc2331d 100644
---- a/src/or/transports.h
-+++ b/src/or/transports.h
-@@ -81,6 +81,9 @@ typedef struct {
- char **argv; /* the cli arguments of this proxy */
- int conf_protocol; /* the configuration protocol version used */
-
-+ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */
-+ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */
-+
- int is_server; /* is it a server proxy? */
-
- /* A pointer to the process handle of this managed proxy. */
-@@ -112,6 +115,7 @@ STATIC int parse_smethod_line(const char *line, managed_proxy_t *mp);
-
- STATIC int parse_version(const char *line, managed_proxy_t *mp);
- STATIC void parse_env_error(const char *line);
-+STATIC void parse_proxy_error(const char *line);
- STATIC void handle_proxy_line(const char *line, managed_proxy_t *mp);
- STATIC char *get_transport_options_for_server_proxy(const managed_proxy_t *mp);
-
-@@ -123,6 +127,8 @@ STATIC managed_proxy_t *managed_proxy_create(const smartlist_t *transport_list,
-
- STATIC int configure_proxy(managed_proxy_t *mp);
-
-+STATIC char* get_pt_proxy_uri(void);
-+
- #endif
-
- #endif
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index f71627d..788d420 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -450,6 +450,85 @@ test_pt_configure_proxy(void *arg)
- tor_free(mp);
- }
-
-+/* Test the get_pt_proxy_uri() function. */
-+static void
-+test_get_pt_proxy_uri(void *arg)
-+{
-+ or_options_t *options = get_options_mutable();
-+ char *uri = NULL;
-+ int ret;
-+ (void) arg;
-+
-+ /* Test with no proxy. */
-+ uri = get_pt_proxy_uri();
-+ tt_assert(uri == NULL);
-+
-+ /* Test with a SOCKS4 proxy. */
-+ options->Socks4Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks4Proxy = NULL;
-+
-+ /* Test with a SOCKS5 proxy, no username/password. */
-+ options->Socks5Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks5Proxy,
-+ &options->Socks5ProxyAddr,
-+ &options->Socks5ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ /* Test with a SOCKS5 proxy, with username/password. */
-+ options->Socks5ProxyUsername = "hwest";
-+ options->Socks5ProxyPassword = "r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks5Proxy = NULL;
-+
-+ /* Test with a HTTPS proxy, no authenticator. */
-+ options->HTTPSProxy = "192.0.2.1:80";
-+ ret = tor_addr_port_lookup(options->HTTPSProxy,
-+ &options->HTTPSProxyAddr,
-+ &options->HTTPSProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://192.0.2.1:80");
-+ tor_free(uri);
-+
-+ /* Test with a HTTPS proxy, with authenticator. */
-+ options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
-+ tor_free(uri);
-+
-+ options->HTTPSProxy = NULL;
-+
-+ /* Token nod to the fact that IPv6 exists. */
-+ options->Socks4Proxy = "[2001:db8::1]:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
-+ tor_free(uri);
-+
-+
-+ done:
-+ if (uri)
-+ tor_free(uri);
-+}
-+
-+
- #define PT_LEGACY(name) \
- { #name, legacy_test_helper, 0, &legacy_setup, test_pt_ ## name }
-
-@@ -462,6 +541,8 @@ struct testcase_t pt_tests[] = {
- NULL, NULL },
- { "configure_proxy",test_pt_configure_proxy, TT_FORK,
- NULL, NULL },
-+ { "get_pt_proxy_uri", test_get_pt_proxy_uri, TT_FORK,
-+ NULL, NULL },
- END_OF_TESTCASES
- };
-
---
-2.0.0.rc2
-
-
-From 92eecbfee128b22b07bcc97ac36ecdd5183c2da7 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 14 Apr 2014 21:51:34 +0000
-Subject: [PATCH 2/5] Fixed the test build with --enable-gcc-warnings
-
----
- src/test/test_pt.c | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index 788d420..cfbd084 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -464,7 +464,7 @@ test_get_pt_proxy_uri(void *arg)
- tt_assert(uri == NULL);
-
- /* Test with a SOCKS4 proxy. */
-- options->Socks4Proxy = "192.0.2.1:1080";
-+ options->Socks4Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -472,11 +472,10 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks4Proxy = NULL;
-+ tor_free(options->Socks4Proxy);
-
- /* Test with a SOCKS5 proxy, no username/password. */
-- options->Socks5Proxy = "192.0.2.1:1080";
-+ options->Socks5Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks5Proxy,
- &options->Socks5ProxyAddr,
- &options->Socks5ProxyPort);
-@@ -486,16 +485,17 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a SOCKS5 proxy, with username/password. */
-- options->Socks5ProxyUsername = "hwest";
-- options->Socks5ProxyPassword = "r34n1m470r";
-+ options->Socks5ProxyUsername = tor_strdup("hwest");
-+ options->Socks5ProxyPassword = tor_strdup("r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks5Proxy = NULL;
-+ tor_free(options->Socks5Proxy);
-+ tor_free(options->Socks5ProxyUsername);
-+ tor_free(options->Socks5ProxyPassword);
-
- /* Test with a HTTPS proxy, no authenticator. */
-- options->HTTPSProxy = "192.0.2.1:80";
-+ options->HTTPSProxy = tor_strdup("192.0.2.1:80");
- ret = tor_addr_port_lookup(options->HTTPSProxy,
- &options->HTTPSProxyAddr,
- &options->HTTPSProxyPort);
-@@ -505,15 +505,15 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a HTTPS proxy, with authenticator. */
-- options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ options->HTTPSProxyAuthenticator = tor_strdup("hwest:r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
- tor_free(uri);
--
-- options->HTTPSProxy = NULL;
-+ tor_free(options->HTTPSProxy);
-+ tor_free(options->HTTPSProxyAuthenticator);
-
- /* Token nod to the fact that IPv6 exists. */
-- options->Socks4Proxy = "[2001:db8::1]:1080";
-+ options->Socks4Proxy = tor_strdup("[2001:db8::1]:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -521,7 +521,7 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
- tor_free(uri);
--
-+ tor_free(options->Socks4Proxy);
-
- done:
- if (uri)
---
-2.0.0.rc2
-
-
-From 8361223c10eb929b570e72853a5d9e51b67fd6c3 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:30:09 +0000
-Subject: [PATCH 3/5] Remove get_bridge_pt_addrport().
-
-The code was not disambiguating ClientTransportPlugin configured and
-not used, and ClientTransportPlugin configured, but in a failed state.
-
-The right thing to do is to undo moving the get_transport_by_addrport()
-call back into get_proxy_addrport(), and remove and explicit check for
-using a Bridge since by the time the check is made, if a Bridge is
-being used, it is PT/proxy-less.
----
- src/or/connection.c | 46 ++++++++++++----------------------------------
- 1 file changed, 12 insertions(+), 34 deletions(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index b32cddf..ff8cdf1 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,8 +86,6 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
--static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-- int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -4773,35 +4771,6 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-- * pluggable transport or bridge we are using.
-- * <b>conn</b> contains the connection we are using the PT/bridge for.
-- *
-- * Return 0 on success, -1 on failure.
-- */
--static int
--get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-- const connection_t *conn)
--{
-- const or_options_t *options = get_options();
--
-- if (options->ClientTransportPlugin || options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-- }
--
-- return -1;
--}
--
--/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4819,8 +4788,19 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- * the config to have unused ClientTransportPlugin entries.
- */
- if (options->ClientTransportPlugin) {
-- if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
- return 0;
-+ }
-+
-+ /* Unused ClientTransportPlugin. */
- }
-
- if (options->HTTPSProxy) {
-@@ -4838,8 +4818,6 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->Bridges) {
-- return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
---
-2.0.0.rc2
-
-
-From 68184b317d3f4dc14e758e451377e4e3996bd0ab Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:43:53 +0000
-Subject: [PATCH 4/5] Log the correct proxy type on failure.
-
-get_proxy_addrport fills in proxy_type with the correct value, so there
-is no point in logging something that's a "best guess" based off the
-config.
----
- src/or/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index ff8cdf1..5069ed6 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -4841,7 +4841,7 @@ log_failed_proxy_connection(connection_t *conn)
- log_warn(LD_NET,
- "The connection to the %s proxy server at %s just failed. "
- "Make sure that the proxy server is up and running.",
-- proxy_type_to_string(get_proxy_type()),
-+ proxy_type_to_string(proxy_type),
- fmt_addrport(&proxy_addr, proxy_port));
- }
-
---
-2.0.0.rc2
-
-
-From 34200a44fbbd3f158ea17043c2bcd21d0e382b89 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 18:58:53 +0000
-Subject: [PATCH 5/5] Improve the log message when a transport doesn't support
- proxies.
-
-Per feedback, explicltly note that the transport will be killed when it
-does not acknowledge the configured outgoing proxy.
----
- src/or/transports.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/or/transports.c b/src/or/transports.c
-index b810315..eee159d 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -805,7 +805,8 @@ handle_finished_proxy(managed_proxy_t *mp)
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
- if (mp->proxy_uri && !mp->proxy_supported) {
- log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-- "specified outgoing proxy.", mp->argv[0]);
-+ "specified outgoing proxy and will be terminated.",
-+ mp->argv[0]);
- managed_proxy_destroy(mp, 1); /* annihilate it. */
- break;
- }
---
-2.0.0.rc2
-
diff --git a/gitian/patches/bug8405.patch b/gitian/patches/bug8405.patch
deleted file mode 100644
index 3c40632..0000000
--- a/gitian/patches/bug8405.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From a298c77f7eba232154ff08ca1119b05ccd9eee9e Mon Sep 17 00:00:00 2001
-From: Arthur Edelstein <arthuredelstein(a)gmail.com>
-Date: Tue, 15 Jul 2014 21:27:59 -0700
-Subject: [PATCH] Bug #8405: Report SOCKS username/password in CIRC status
- events
-
-Introduces two new circuit status name-value parameters: SOCKS_USERNAME
-and SOCKS_PASSWORD. Values are enclosing in quotes and unusual characters
-are escaped.
-
-Example:
-
- 650 CIRC 5 EXTENDED [...] SOCKS_USERNAME="my_username" SOCKS_PASSWORD="my_password"
----
- src/common/util.c | 14 ++++++++++++++
- src/common/util.h | 1 +
- src/or/control.c | 14 ++++++++++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/src/common/util.c b/src/common/util.c
-index 8589344..64cee56 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1222,6 +1222,20 @@ esc_for_log(const char *s)
- return result;
- }
-
-+/** Similar to esc_for_log. Allocate and return a new string representing
-+ * the first n characters in <b>chars</b>, surround by quotes and using
-+ * standard C escapes. If a NUL character is encountered in <b>chars</b>,
-+ * the resulting string will be terminated there.
-+ */
-+char *
-+esc_for_log_len(const char *chars, size_t n)
-+{
-+ char *string = tor_strndup(chars, n);
-+ char *string_escaped = esc_for_log(string);
-+ tor_free(string);
-+ return string_escaped;
-+}
-+
- /** Allocate and return a new string representing the contents of <b>s</b>,
- * surrounded by quotes and using standard C escapes.
- *
-diff --git a/src/common/util.h b/src/common/util.h
-index 97367a9..50c5a3d 100644
---- a/src/common/util.h
-+++ b/src/common/util.h
-@@ -229,6 +229,7 @@ int tor_mem_is_zero(const char *mem, size_t len);
- int tor_digest_is_zero(const char *digest);
- int tor_digest256_is_zero(const char *digest);
- char *esc_for_log(const char *string) ATTR_MALLOC;
-+char *esc_for_log_len(const char *chars, size_t n) ATTR_MALLOC;
- const char *escaped(const char *string);
-
- char *tor_escape_str_for_pt_args(const char *string,
-diff --git a/src/or/control.c b/src/or/control.c
-index 9285fc5..aa46df6 100644
---- a/src/or/control.c
-+++ b/src/or/control.c
-@@ -1862,6 +1862,20 @@ circuit_describe_status_for_controller(origin_circuit_t *circ)
- smartlist_add_asprintf(descparts, "TIME_CREATED=%s", tbuf);
- }
-
-+ // Show username and/or password if available.
-+ if (circ->socks_username_len > 0) {
-+ char* socks_username_escaped = esc_for_log_len(circ->socks_username,
-+ (size_t) circ->socks_username_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_USERNAME=%s", socks_username_escaped);
-+ tor_free(socks_username_escaped);
-+ }
-+ if (circ->socks_password_len > 0) {
-+ char* socks_password_escaped = esc_for_log_len(circ->socks_password,
-+ (size_t) circ->socks_password_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_PASSWORD=%s", socks_password_escaped);
-+ tor_free(socks_password_escaped);
-+ }
-+
- rv = smartlist_join_strings(descparts, " ", 0, NULL);
-
- SMARTLIST_FOREACH(descparts, char *, cp, tor_free(cp));
---
-1.8.3.4 (Apple Git-47)
-

[tor-browser-bundle/maint-5.0] Bug 17801: Remove special tor patches
by gk@torproject.org 10 Dec '15
commit d6e5bee80d153d21b2e2061ead37fd264c6c3eb6
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 09:04:42 2015 +0000
Bug 17801: Remove special tor patches
---
gitian/descriptors/linux/gitian-tor.yml | 14 -
gitian/descriptors/mac/gitian-tor.yml | 14 -
gitian/descriptors/windows/gitian-tor.yml | 14 -
gitian/patches/bug15482.patch | 40 --
gitian/patches/bug16430.patch | 93 ----
gitian/patches/bug16674.patch | 74 ---
gitian/patches/bug8402-master.patch | 732 -----------------------------
gitian/patches/bug8405.patch | 84 ----
8 files changed, 1065 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index d8e3557..0e35d2f 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -19,11 +19,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "dzip.sh"
- "openssl-linux32-utils.zip"
- "openssl-linux64-utils.zip"
@@ -76,15 +71,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 1c07538..92f7c57 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
- "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
- "dzip.sh"
@@ -54,15 +49,6 @@ script: |
export LDFLAGS="-m64 -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/ -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/system/ -mmacosx-version-min=10.5"
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 9d6838c..6fcc72b 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "binutils.tar.bz2"
- "dzip.sh"
- "mingw-w64-win32-utils.zip"
@@ -54,15 +49,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
# Let's avoid the console window popping up.
diff --git a/gitian/patches/bug15482.patch b/gitian/patches/bug15482.patch
deleted file mode 100644
index df8a156..0000000
--- a/gitian/patches/bug15482.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 748414784f71126b093aa7466908e00f71a7b046 Mon Sep 17 00:00:00 2001
-From: Mike Perry <mikeperry-git(a)torproject.org>
-Date: Fri, 27 Mar 2015 12:57:37 -0700
-Subject: [PATCH] Bug 15482: Don't abandon circuits that are still in use for
- browsing.
-
-Only applies to connections with SOCKS auth set, so that non-web Tor
-activity is not affected.
-
-Simpler version of Nick's patch because the randomness worried me, and I'm not
-otherwise sure why we want a max here.
----
- src/or/circuituse.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/or/circuituse.c b/src/or/circuituse.c
-index d0d31ad..6cce4bf 100644
---- a/src/or/circuituse.c
-+++ b/src/or/circuituse.c
-@@ -2264,8 +2264,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn,
-
- base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
-
-- if (!circ->base_.timestamp_dirty)
-- circ->base_.timestamp_dirty = time(NULL);
-+ if (!circ->base_.timestamp_dirty) {
-+ circ->base_.timestamp_dirty = approx_time();
-+ } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
-+ (conn->socks_request->usernamelen ||
-+ conn->socks_request->passwordlen)) {
-+ /* When stream isolation is in use and controlled by an application
-+ * we are willing to keep using the stream. */
-+ circ->base_.timestamp_dirty = approx_time();
-+ }
-
- pathbias_count_use_attempt(circ);
-
---
-1.9.1
-
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
deleted file mode 100644
index 81bbe3e..0000000
--- a/gitian/patches/bug16430.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Wed, 24 Jun 2015 13:52:29 +0000
-Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
- checks.
-
-RFC 952 is approximately 30 years old, and people are failing to comply,
-by serving A records with '_' as part of the hostname. Since relaxing
-the check is a QOL improvement for our userbase, relax the check to
-allow such abominations as destinations, especially since there are
-likely to be other similarly misconfigured domains out there.
----
- changes/bug16430 | 4 ++++
- src/common/util.c | 7 +++++--
- src/test/test_util.c | 9 +++++++--
- 3 files changed, 16 insertions(+), 4 deletions(-)
- create mode 100644 changes/bug16430
-
-diff --git a/changes/bug16430 b/changes/bug16430
-new file mode 100644
-index 0000000..ca7b874
---- /dev/null
-+++ b/changes/bug16430
-@@ -0,0 +1,4 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ '_' to cope with domains observed in the wild that are serving non-RFC
-+ compliant records. Resolves ticket 16430.
-diff --git a/src/common/util.c b/src/common/util.c
-index 942d0c2..4490150 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
-
- /** Return true iff <b>string</b> matches a pattern of DNS names
- * that we allow Tor clients to connect to.
-+ *
-+ * Note: This allows certain technically invalid characters ('_') to cope
-+ * with misconfigured zones that have been encountered in the wild.
- */
- int
- string_is_valid_hostname(const char *string)
-@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
- smartlist_split_string(components,string,".",0,0);
-
- SMARTLIST_FOREACH_BEGIN(components, char *, c) {
-- if (c[0] == '-') {
-+ if ((c[0] == '-') || (*c == '_')) {
- result = 0;
- break;
- }
-@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
- (*c >= '0' && *c <= '9') ||
-- (*c == '-'))
-+ (*c == '-') || (*c == '_'))
- c++;
- else
- result = 0;
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index b0366db..0f64c26 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
- tt_assert(string_is_valid_hostname("stanford.edu"));
- tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
-
-- // Subdomain name cannot start with '-'.
-+ // Subdomain name cannot start with '-' or '_'.
- tt_assert(!string_is_valid_hostname("-torproject.org"));
- tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
- tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
-+ tt_assert(!string_is_valid_hostname("___abc.org"));
-
- // Hostnames cannot contain non-alphanumeric characters.
- tt_assert(!string_is_valid_hostname("%%domain.\\org."));
- tt_assert(!string_is_valid_hostname("***x.net"));
-- tt_assert(!string_is_valid_hostname("___abc.org"));
- tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
- tt_assert(!string_is_valid_hostname("word1 word2.net"));
-
-+ // Test workaround for nytimes.com stupidity, technically invalid,
-+ // but we allow it since they are big, even though they are failing to
-+ // comply with a ~30 year old standard.
-+ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-+
- // XXX: do we allow single-label DNS names?
-
- done:
---
-1.9.1
-
diff --git a/gitian/patches/bug16674.patch b/gitian/patches/bug16674.patch
deleted file mode 100644
index 9497684..0000000
--- a/gitian/patches/bug16674.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 27 Jul 2015 12:58:40 +0000
-Subject: [PATCH] Allow a single trailing `.` when validating FQDNs from SOCKS.
-
-URI syntax (and DNS syntax) allows for a single trailing `.` to
-explicitly distinguish between a relative and absolute
-(fully-qualified) domain name. While this is redundant in that RFC 1928
-DOMAINNAME addresses are *always* fully-qualified, certain clients
-blindly pass the trailing `.` along in the request.
-
-Fixes bug 16674; bugfix on 0.2.6.2-alpha.
----
- changes/bug16674 | 5 +++++
- src/common/util.c | 6 ++++++
- src/test/test_util.c | 12 ++++++++++++
- 3 files changed, 23 insertions(+)
- create mode 100644 changes/bug16674
-
-diff --git a/changes/bug16674 b/changes/bug16674
-new file mode 100644
-index 0000000..de55523
---- /dev/null
-+++ b/changes/bug16674
-@@ -0,0 +1,5 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ a single trailing '.' to cope with clients that pass FQDNs using that
-+ syntax to explicitly indicate that the domain name is
-+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
-diff --git a/src/common/util.c b/src/common/util.c
-index 618e6a1..1aac4fc 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string)
- break;
- }
-
-+ /* Allow a single terminating '.' used rarely to indicate domains
-+ * are FQDNs rather than relative. */
-+ if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) {
-+ continue;
-+ }
-+
- do {
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index 0f64c26..2bffb17 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg)
- // comply with a ~30 year old standard.
- tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-
-+ // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy,
-+ // which is redundant since the spec states DOMAINNAME addresses are fully
-+ // qualified. While unusual, this should be tollerated.
-+ tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com."));
-+ tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com"));
-+ tt_assert(!string_is_valid_hostname("so.is..ft.com"));
-+ tt_assert(!string_is_valid_hostname("..."));
-+
- // XXX: do we allow single-label DNS names?
-+ // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name"
-+ // but only test pathologically malformed traling '.' cases for now.
-+ tt_assert(!string_is_valid_hostname("."));
-+ tt_assert(!string_is_valid_hostname(".."));
-
- done:
- return;
---
-1.9.1
-
diff --git a/gitian/patches/bug8402-master.patch b/gitian/patches/bug8402-master.patch
deleted file mode 100644
index 5a6386a..0000000
--- a/gitian/patches/bug8402-master.patch
+++ /dev/null
@@ -1,732 +0,0 @@
-From 9d7410ac5837658efa9b2d7d85c0c71f09a7a759 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Tue, 25 Mar 2014 07:21:22 +0000
-Subject: [PATCH 1/5] Allow ClientTransportPlugins to use proxies
-
-This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with
-ClientTransportPlugins via the TOR_PT_PROXY extension to the
-pluggable transport specification.
-
-This fixes bug #8402.
----
- src/or/config.c | 13 ++++--
- src/or/connection.c | 62 +++++++++++++++++++++--------
- src/or/transports.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++--
- src/or/transports.h | 6 +++
- src/test/test_pt.c | 81 +++++++++++++++++++++++++++++++++++++
- 5 files changed, 251 insertions(+), 23 deletions(-)
-
-diff --git a/src/or/config.c b/src/or/config.c
-index 0f7b1d2..b33098e 100644
---- a/src/or/config.c
-+++ b/src/or/config.c
-@@ -3174,11 +3174,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
- }
- }
-
-- /* Check if more than one proxy type has been enabled. */
-+ /* Check if more than one exclusive proxy type has been enabled. */
- if (!!options->Socks4Proxy + !!options->Socks5Proxy +
-- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1)
-+ !!options->HTTPSProxy > 1)
- REJECT("You have configured more than one proxy type. "
-- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)");
-+ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-
- /* Check if the proxies will give surprising behavior. */
- if (options->HTTPProxy && !(options->Socks4Proxy ||
-@@ -4842,6 +4842,13 @@ parse_client_transport_line(const or_options_t *options,
- pt_kickstart_client_proxy(transport_list, proxy_argv);
- }
- } else { /* external */
-+ /* ClientTransportPlugins connecting through a proxy is managed only. */
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ log_warn(LD_CONFIG, "You have configured an external proxy with another "
-+ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-+ goto err;
-+ }
-+
- if (smartlist_len(transport_list) != 1) {
- log_warn(LD_CONFIG, "You can't have an external proxy with "
- "more than one transports.");
-diff --git a/src/or/connection.c b/src/or/connection.c
-index cef9172..b32cddf 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,6 +86,8 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
-+static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-+ int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -1689,14 +1691,14 @@ get_proxy_type(void)
- {
- const or_options_t *options = get_options();
-
-- if (options->HTTPSProxy)
-+ if (options->ClientTransportPlugin)
-+ return PROXY_PLUGGABLE;
-+ else if (options->HTTPSProxy)
- return PROXY_CONNECT;
- else if (options->Socks4Proxy)
- return PROXY_SOCKS4;
- else if (options->Socks5Proxy)
- return PROXY_SOCKS5;
-- else if (options->ClientTransportPlugin)
-- return PROXY_PLUGGABLE;
- else
- return PROXY_NONE;
- }
-@@ -4771,6 +4773,35 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-+ * pluggable transport or bridge we are using.
-+ * <b>conn</b> contains the connection we are using the PT/bridge for.
-+ *
-+ * Return 0 on success, -1 on failure.
-+ */
-+static int
-+get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-+ const connection_t *conn)
-+{
-+ const or_options_t *options = get_options();
-+
-+ if (options->ClientTransportPlugin || options->Bridges) {
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
-+ return 0;
-+ }
-+ }
-+
-+ return -1;
-+}
-+
-+/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4782,6 +4813,16 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- {
- const or_options_t *options = get_options();
-
-+ /* Client Transport Plugins can use another proxy, but that should be hidden
-+ * from the rest of tor (as the plugin is responsible for dealing with the
-+ * proxy), check it first, then check the rest of the proxy types to allow
-+ * the config to have unused ClientTransportPlugin entries.
-+ */
-+ if (options->ClientTransportPlugin) {
-+ if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ return 0;
-+ }
-+
- if (options->HTTPSProxy) {
- tor_addr_copy(addr, &options->HTTPSProxyAddr);
- *port = options->HTTPSProxyPort;
-@@ -4797,19 +4838,8 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->ClientTransportPlugin ||
-- options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-+ } else if (options->Bridges) {
-+ return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
-diff --git a/src/or/transports.c b/src/or/transports.c
-index dc30754..b810315 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -124,6 +124,8 @@ static INLINE void free_execve_args(char **arg);
- #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR"
- #define PROTO_CMETHODS_DONE "CMETHODS DONE"
- #define PROTO_SMETHODS_DONE "SMETHODS DONE"
-+#define PROTO_PROXY_DONE "PROXY DONE"
-+#define PROTO_PROXY_ERROR "PROXY-ERROR"
-
- /** The first and only supported - at the moment - configuration
- protocol version. */
-@@ -439,6 +441,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp)
- static int
- proxy_needs_restart(const managed_proxy_t *mp)
- {
-+ int ret = 1;
-+ char* proxy_uri;
-+
-+ /* If the PT proxy config has changed, then all existing pluggable transports
-+ * should be restarted.
-+ */
-+
-+ proxy_uri = get_pt_proxy_uri();
-+ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0)
-+ goto needs_restart;
-+
- /* mp->transport_to_launch is populated with the names of the
- transports that must be launched *after* the SIGHUP.
- mp->transports is populated with the transports that were
-@@ -459,10 +472,10 @@ proxy_needs_restart(const managed_proxy_t *mp)
-
- } SMARTLIST_FOREACH_END(t);
-
-- return 0;
--
-- needs_restart:
-- return 1;
-+ ret = 0;
-+needs_restart:
-+ tor_free(proxy_uri);
-+ return ret;
- }
-
- /** Managed proxy <b>mp</b> must be restarted. Do all the necessary
-@@ -493,6 +506,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp)
- SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t));
- smartlist_clear(mp->transports);
-
-+ /* Reset the proxy's HTTPS/SOCKS proxy */
-+ tor_free(mp->proxy_uri);
-+ mp->proxy_uri = get_pt_proxy_uri();
-+ mp->proxy_supported = 0;
-+
- /* flag it as an infant proxy so that it gets launched on next tick */
- mp->conf_state = PT_PROTO_INFANT;
- unconfigured_proxies_n++;
-@@ -727,12 +745,52 @@ managed_proxy_destroy(managed_proxy_t *mp,
- /* free the argv */
- free_execve_args(mp->argv);
-
-+ /* free the outgoing proxy URI */
-+ tor_free(mp->proxy_uri);
-+
- tor_process_handle_destroy(mp->process_handle, also_terminate_process);
- mp->process_handle = NULL;
-
- tor_free(mp);
- }
-
-+/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */
-+STATIC char *
-+get_pt_proxy_uri(void)
-+{
-+ const or_options_t *options = get_options();
-+ char *uri = NULL;
-+
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ char addr[TOR_ADDR_BUF_LEN+1];
-+
-+ if (options->Socks4Proxy) {
-+ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1);
-+ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort);
-+ } else if (options->Socks5Proxy) {
-+ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1);
-+ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) {
-+ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "socks5://%s:%s@%s:%d",
-+ options->Socks5ProxyUsername,
-+ options->Socks5ProxyPassword,
-+ addr, options->Socks5ProxyPort);
-+ }
-+ } else if (options->HTTPSProxy) {
-+ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1);
-+ if (!options->HTTPSProxyAuthenticator) {
-+ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator,
-+ addr, options->HTTPSProxyPort);
-+ }
-+ }
-+ }
-+
-+ return uri;
-+}
-+
- /** Handle a configured or broken managed proxy <b>mp</b>. */
- static void
- handle_finished_proxy(managed_proxy_t *mp)
-@@ -745,6 +803,12 @@ handle_finished_proxy(managed_proxy_t *mp)
- managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */
- break;
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
-+ if (mp->proxy_uri && !mp->proxy_supported) {
-+ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-+ "specified outgoing proxy.", mp->argv[0]);
-+ managed_proxy_destroy(mp, 1); /* annihilate it. */
-+ break;
-+ }
- register_proxy(mp); /* register its transports */
- mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */
- break;
-@@ -862,6 +926,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp)
- goto err;
-
- return;
-+ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ if (mp->proxy_uri) {
-+ mp->proxy_supported = 1;
-+ return;
-+ }
-+
-+ /* No proxy was configured, this should log */
-+ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ parse_proxy_error(line);
-+ goto err;
- } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) {
- /* managed proxy launch failed: parse error message to learn why. */
- int retval, child_state, saved_errno;
-@@ -1128,6 +1208,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp)
- return r;
- }
-
-+/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */
-+STATIC void
-+parse_proxy_error(const char *line)
-+{
-+ /* (Length of the protocol string) plus (a space) and (the first char of
-+ the error message) */
-+ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2))
-+ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error "
-+ "message.", PROTO_PROXY_ERROR);
-+
-+ log_warn(LD_CONFIG, "Managed proxy failed to configure the "
-+ "pluggable transport's outgoing proxy. (%s)",
-+ line+strlen(PROTO_PROXY_ERROR)+1);
-+}
-+
- /** Return a newly allocated string that tor should place in
- * TOR_PT_SERVER_TRANSPORT_OPTIONS while configuring the server
- * manged proxy in <b>mp</b>. Return NULL if no such options are found. */
-@@ -1292,6 +1387,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp)
- } else {
- smartlist_add_asprintf(envs, "TOR_PT_EXTENDED_SERVER_PORT=");
- }
-+ } else {
-+ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the
-+ * TOR_PT_PROXY line.
-+ */
-+
-+ if (mp->proxy_uri) {
-+ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri);
-+ }
- }
-
- SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) {
-@@ -1324,6 +1427,7 @@ managed_proxy_create(const smartlist_t *transport_list,
- mp->is_server = is_server;
- mp->argv = proxy_argv;
- mp->transports = smartlist_new();
-+ mp->proxy_uri = get_pt_proxy_uri();
-
- mp->transports_to_launch = smartlist_new();
- SMARTLIST_FOREACH(transport_list, const char *, transport,
-diff --git a/src/or/transports.h b/src/or/transports.h
-index 1365ead..bc2331d 100644
---- a/src/or/transports.h
-+++ b/src/or/transports.h
-@@ -81,6 +81,9 @@ typedef struct {
- char **argv; /* the cli arguments of this proxy */
- int conf_protocol; /* the configuration protocol version used */
-
-+ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */
-+ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */
-+
- int is_server; /* is it a server proxy? */
-
- /* A pointer to the process handle of this managed proxy. */
-@@ -112,6 +115,7 @@ STATIC int parse_smethod_line(const char *line, managed_proxy_t *mp);
-
- STATIC int parse_version(const char *line, managed_proxy_t *mp);
- STATIC void parse_env_error(const char *line);
-+STATIC void parse_proxy_error(const char *line);
- STATIC void handle_proxy_line(const char *line, managed_proxy_t *mp);
- STATIC char *get_transport_options_for_server_proxy(const managed_proxy_t *mp);
-
-@@ -123,6 +127,8 @@ STATIC managed_proxy_t *managed_proxy_create(const smartlist_t *transport_list,
-
- STATIC int configure_proxy(managed_proxy_t *mp);
-
-+STATIC char* get_pt_proxy_uri(void);
-+
- #endif
-
- #endif
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index f71627d..788d420 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -450,6 +450,85 @@ test_pt_configure_proxy(void *arg)
- tor_free(mp);
- }
-
-+/* Test the get_pt_proxy_uri() function. */
-+static void
-+test_get_pt_proxy_uri(void *arg)
-+{
-+ or_options_t *options = get_options_mutable();
-+ char *uri = NULL;
-+ int ret;
-+ (void) arg;
-+
-+ /* Test with no proxy. */
-+ uri = get_pt_proxy_uri();
-+ tt_assert(uri == NULL);
-+
-+ /* Test with a SOCKS4 proxy. */
-+ options->Socks4Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks4Proxy = NULL;
-+
-+ /* Test with a SOCKS5 proxy, no username/password. */
-+ options->Socks5Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks5Proxy,
-+ &options->Socks5ProxyAddr,
-+ &options->Socks5ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ /* Test with a SOCKS5 proxy, with username/password. */
-+ options->Socks5ProxyUsername = "hwest";
-+ options->Socks5ProxyPassword = "r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks5Proxy = NULL;
-+
-+ /* Test with a HTTPS proxy, no authenticator. */
-+ options->HTTPSProxy = "192.0.2.1:80";
-+ ret = tor_addr_port_lookup(options->HTTPSProxy,
-+ &options->HTTPSProxyAddr,
-+ &options->HTTPSProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://192.0.2.1:80");
-+ tor_free(uri);
-+
-+ /* Test with a HTTPS proxy, with authenticator. */
-+ options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
-+ tor_free(uri);
-+
-+ options->HTTPSProxy = NULL;
-+
-+ /* Token nod to the fact that IPv6 exists. */
-+ options->Socks4Proxy = "[2001:db8::1]:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
-+ tor_free(uri);
-+
-+
-+ done:
-+ if (uri)
-+ tor_free(uri);
-+}
-+
-+
- #define PT_LEGACY(name) \
- { #name, legacy_test_helper, 0, &legacy_setup, test_pt_ ## name }
-
-@@ -462,6 +541,8 @@ struct testcase_t pt_tests[] = {
- NULL, NULL },
- { "configure_proxy",test_pt_configure_proxy, TT_FORK,
- NULL, NULL },
-+ { "get_pt_proxy_uri", test_get_pt_proxy_uri, TT_FORK,
-+ NULL, NULL },
- END_OF_TESTCASES
- };
-
---
-2.0.0.rc2
-
-
-From 92eecbfee128b22b07bcc97ac36ecdd5183c2da7 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 14 Apr 2014 21:51:34 +0000
-Subject: [PATCH 2/5] Fixed the test build with --enable-gcc-warnings
-
----
- src/test/test_pt.c | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index 788d420..cfbd084 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -464,7 +464,7 @@ test_get_pt_proxy_uri(void *arg)
- tt_assert(uri == NULL);
-
- /* Test with a SOCKS4 proxy. */
-- options->Socks4Proxy = "192.0.2.1:1080";
-+ options->Socks4Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -472,11 +472,10 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks4Proxy = NULL;
-+ tor_free(options->Socks4Proxy);
-
- /* Test with a SOCKS5 proxy, no username/password. */
-- options->Socks5Proxy = "192.0.2.1:1080";
-+ options->Socks5Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks5Proxy,
- &options->Socks5ProxyAddr,
- &options->Socks5ProxyPort);
-@@ -486,16 +485,17 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a SOCKS5 proxy, with username/password. */
-- options->Socks5ProxyUsername = "hwest";
-- options->Socks5ProxyPassword = "r34n1m470r";
-+ options->Socks5ProxyUsername = tor_strdup("hwest");
-+ options->Socks5ProxyPassword = tor_strdup("r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks5Proxy = NULL;
-+ tor_free(options->Socks5Proxy);
-+ tor_free(options->Socks5ProxyUsername);
-+ tor_free(options->Socks5ProxyPassword);
-
- /* Test with a HTTPS proxy, no authenticator. */
-- options->HTTPSProxy = "192.0.2.1:80";
-+ options->HTTPSProxy = tor_strdup("192.0.2.1:80");
- ret = tor_addr_port_lookup(options->HTTPSProxy,
- &options->HTTPSProxyAddr,
- &options->HTTPSProxyPort);
-@@ -505,15 +505,15 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a HTTPS proxy, with authenticator. */
-- options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ options->HTTPSProxyAuthenticator = tor_strdup("hwest:r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
- tor_free(uri);
--
-- options->HTTPSProxy = NULL;
-+ tor_free(options->HTTPSProxy);
-+ tor_free(options->HTTPSProxyAuthenticator);
-
- /* Token nod to the fact that IPv6 exists. */
-- options->Socks4Proxy = "[2001:db8::1]:1080";
-+ options->Socks4Proxy = tor_strdup("[2001:db8::1]:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -521,7 +521,7 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
- tor_free(uri);
--
-+ tor_free(options->Socks4Proxy);
-
- done:
- if (uri)
---
-2.0.0.rc2
-
-
-From 8361223c10eb929b570e72853a5d9e51b67fd6c3 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:30:09 +0000
-Subject: [PATCH 3/5] Remove get_bridge_pt_addrport().
-
-The code was not disambiguating ClientTransportPlugin configured and
-not used, and ClientTransportPlugin configured, but in a failed state.
-
-The right thing to do is to undo moving the get_transport_by_addrport()
-call back into get_proxy_addrport(), and remove and explicit check for
-using a Bridge since by the time the check is made, if a Bridge is
-being used, it is PT/proxy-less.
----
- src/or/connection.c | 46 ++++++++++++----------------------------------
- 1 file changed, 12 insertions(+), 34 deletions(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index b32cddf..ff8cdf1 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,8 +86,6 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
--static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-- int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -4773,35 +4771,6 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-- * pluggable transport or bridge we are using.
-- * <b>conn</b> contains the connection we are using the PT/bridge for.
-- *
-- * Return 0 on success, -1 on failure.
-- */
--static int
--get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-- const connection_t *conn)
--{
-- const or_options_t *options = get_options();
--
-- if (options->ClientTransportPlugin || options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-- }
--
-- return -1;
--}
--
--/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4819,8 +4788,19 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- * the config to have unused ClientTransportPlugin entries.
- */
- if (options->ClientTransportPlugin) {
-- if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
- return 0;
-+ }
-+
-+ /* Unused ClientTransportPlugin. */
- }
-
- if (options->HTTPSProxy) {
-@@ -4838,8 +4818,6 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->Bridges) {
-- return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
---
-2.0.0.rc2
-
-
-From 68184b317d3f4dc14e758e451377e4e3996bd0ab Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:43:53 +0000
-Subject: [PATCH 4/5] Log the correct proxy type on failure.
-
-get_proxy_addrport fills in proxy_type with the correct value, so there
-is no point in logging something that's a "best guess" based off the
-config.
----
- src/or/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index ff8cdf1..5069ed6 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -4841,7 +4841,7 @@ log_failed_proxy_connection(connection_t *conn)
- log_warn(LD_NET,
- "The connection to the %s proxy server at %s just failed. "
- "Make sure that the proxy server is up and running.",
-- proxy_type_to_string(get_proxy_type()),
-+ proxy_type_to_string(proxy_type),
- fmt_addrport(&proxy_addr, proxy_port));
- }
-
---
-2.0.0.rc2
-
-
-From 34200a44fbbd3f158ea17043c2bcd21d0e382b89 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 18:58:53 +0000
-Subject: [PATCH 5/5] Improve the log message when a transport doesn't support
- proxies.
-
-Per feedback, explicltly note that the transport will be killed when it
-does not acknowledge the configured outgoing proxy.
----
- src/or/transports.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/or/transports.c b/src/or/transports.c
-index b810315..eee159d 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -805,7 +805,8 @@ handle_finished_proxy(managed_proxy_t *mp)
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
- if (mp->proxy_uri && !mp->proxy_supported) {
- log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-- "specified outgoing proxy.", mp->argv[0]);
-+ "specified outgoing proxy and will be terminated.",
-+ mp->argv[0]);
- managed_proxy_destroy(mp, 1); /* annihilate it. */
- break;
- }
---
-2.0.0.rc2
-
diff --git a/gitian/patches/bug8405.patch b/gitian/patches/bug8405.patch
deleted file mode 100644
index 3c40632..0000000
--- a/gitian/patches/bug8405.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From a298c77f7eba232154ff08ca1119b05ccd9eee9e Mon Sep 17 00:00:00 2001
-From: Arthur Edelstein <arthuredelstein(a)gmail.com>
-Date: Tue, 15 Jul 2014 21:27:59 -0700
-Subject: [PATCH] Bug #8405: Report SOCKS username/password in CIRC status
- events
-
-Introduces two new circuit status name-value parameters: SOCKS_USERNAME
-and SOCKS_PASSWORD. Values are enclosing in quotes and unusual characters
-are escaped.
-
-Example:
-
- 650 CIRC 5 EXTENDED [...] SOCKS_USERNAME="my_username" SOCKS_PASSWORD="my_password"
----
- src/common/util.c | 14 ++++++++++++++
- src/common/util.h | 1 +
- src/or/control.c | 14 ++++++++++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/src/common/util.c b/src/common/util.c
-index 8589344..64cee56 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1222,6 +1222,20 @@ esc_for_log(const char *s)
- return result;
- }
-
-+/** Similar to esc_for_log. Allocate and return a new string representing
-+ * the first n characters in <b>chars</b>, surround by quotes and using
-+ * standard C escapes. If a NUL character is encountered in <b>chars</b>,
-+ * the resulting string will be terminated there.
-+ */
-+char *
-+esc_for_log_len(const char *chars, size_t n)
-+{
-+ char *string = tor_strndup(chars, n);
-+ char *string_escaped = esc_for_log(string);
-+ tor_free(string);
-+ return string_escaped;
-+}
-+
- /** Allocate and return a new string representing the contents of <b>s</b>,
- * surrounded by quotes and using standard C escapes.
- *
-diff --git a/src/common/util.h b/src/common/util.h
-index 97367a9..50c5a3d 100644
---- a/src/common/util.h
-+++ b/src/common/util.h
-@@ -229,6 +229,7 @@ int tor_mem_is_zero(const char *mem, size_t len);
- int tor_digest_is_zero(const char *digest);
- int tor_digest256_is_zero(const char *digest);
- char *esc_for_log(const char *string) ATTR_MALLOC;
-+char *esc_for_log_len(const char *chars, size_t n) ATTR_MALLOC;
- const char *escaped(const char *string);
-
- char *tor_escape_str_for_pt_args(const char *string,
-diff --git a/src/or/control.c b/src/or/control.c
-index 9285fc5..aa46df6 100644
---- a/src/or/control.c
-+++ b/src/or/control.c
-@@ -1862,6 +1862,20 @@ circuit_describe_status_for_controller(origin_circuit_t *circ)
- smartlist_add_asprintf(descparts, "TIME_CREATED=%s", tbuf);
- }
-
-+ // Show username and/or password if available.
-+ if (circ->socks_username_len > 0) {
-+ char* socks_username_escaped = esc_for_log_len(circ->socks_username,
-+ (size_t) circ->socks_username_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_USERNAME=%s", socks_username_escaped);
-+ tor_free(socks_username_escaped);
-+ }
-+ if (circ->socks_password_len > 0) {
-+ char* socks_password_escaped = esc_for_log_len(circ->socks_password,
-+ (size_t) circ->socks_password_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_PASSWORD=%s", socks_password_escaped);
-+ tor_free(socks_password_escaped);
-+ }
-+
- rv = smartlist_join_strings(descparts, " ", 0, NULL);
-
- SMARTLIST_FOREACH(descparts, char *, cp, tor_free(cp));
---
-1.8.3.4 (Apple Git-47)
-

[tor-browser-bundle/maint-5.0] Bug 17124: No patch for tor alpha > 0.2.7.2 anymore
by gk@torproject.org 10 Dec '15
by gk@torproject.org 10 Dec '15
10 Dec '15
commit a1e91e917dab27d229c49484d89400193d2b340b
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 08:51:29 2015 +0000
Bug 17124: No patch for tor alpha > 0.2.7.2 anymore
---
Bundle-Data/linux/Data/Tor/torrc-defaults | 2 +-
Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults | 2 +-
Bundle-Data/windows/Data/Tor/torrc-defaults | 2 +-
gitian/descriptors/linux/gitian-tor.yml | 2 --
gitian/descriptors/mac/gitian-tor.yml | 2 --
gitian/descriptors/windows/gitian-tor.yml | 2 --
6 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/Bundle-Data/linux/Data/Tor/torrc-defaults b/Bundle-Data/linux/Data/Tor/torrc-defaults
index e4c8920..4b91aae 100644
--- a/Bundle-Data/linux/Data/Tor/torrc-defaults
+++ b/Bundle-Data/linux/Data/Tor/torrc-defaults
@@ -5,6 +5,6 @@ AvoidDiskWrites 1
Log notice stdout
# Bind to this address to listen to connections from SOCKS-speaking
# applications.
-SocksPort 9150 IPv6Traffic PreferIPv6
+SocksPort 9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
ControlPort 9151
CookieAuthentication 1
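Review bot: The `KeepAliveIsolateSOCKSAuth` flag added to the `SocksPort` line is not explained by the comment above it, which still only describes the bind address. This commit also leaves `gitian/versions` untouched, so nothing here ties the flag to a tor build that implements it. I would add a comment above the line such as `# KeepAliveIsolateSOCKSAuth keeps circuits with active SOCKS-auth-isolated streams alive; needs a tor that supports this flag.`, since the flag affects how long an isolated circuit stays in use, and anyone auditing these defaults for linkability should see that stated. The same applies to the mac and windows torrc-defaults hunks. The descriptor hunks that drop the `else` branch applying `bug15482.patch` presumably rely on this flag replacing that patch, so the commit message could say so explicitly.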
diff --git a/Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults b/Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults
index e4c8920..4b91aae 100644
--- a/Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults
+++ b/Bundle-Data/mac/TorBrowser/Data/Tor/torrc-defaults
@@ -5,6 +5,6 @@ AvoidDiskWrites 1
Log notice stdout
# Bind to this address to listen to connections from SOCKS-speaking
# applications.
-SocksPort 9150 IPv6Traffic PreferIPv6
+SocksPort 9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
ControlPort 9151
CookieAuthentication 1
diff --git a/Bundle-Data/windows/Data/Tor/torrc-defaults b/Bundle-Data/windows/Data/Tor/torrc-defaults
index e4c8920..4b91aae 100644
--- a/Bundle-Data/windows/Data/Tor/torrc-defaults
+++ b/Bundle-Data/windows/Data/Tor/torrc-defaults
@@ -5,6 +5,6 @@ AvoidDiskWrites 1
Log notice stdout
# Bind to this address to listen to connections from SOCKS-speaking
# applications.
-SocksPort 9150 IPv6Traffic PreferIPv6
+SocksPort 9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth
ControlPort 9151
CookieAuthentication 1
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index 906077b..d8e3557 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -84,8 +84,6 @@ script: |
git am ~/build/bug15482.patch
git am ~/build/bug16430.patch
git am ~/build/bug16674.patch
- else
- git am ~/build/bug15482.patch
fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 8e64922..1c07538 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -62,8 +62,6 @@ script: |
git am ~/build/bug15482.patch
git am ~/build/bug16430.patch
git am ~/build/bug16674.patch
- else
- git am ~/build/bug15482.patch
fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 7320a65..9d6838c 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -62,8 +62,6 @@ script: |
git am ~/build/bug15482.patch
git am ~/build/bug16430.patch
git am ~/build/bug16674.patch
- else
- git am ~/build/bug15482.patch
fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src

10 Dec '15
commit c8571a07cebe902b85afd9dfac4a07805826cfe2
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 08:59:32 2015 +0000
Bumping tor and openssl versions
---
gitian/versions | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gitian/versions b/gitian/versions
index 9ca1970..3fc3b04 100755
--- a/gitian/versions
+++ b/gitian/versions
@@ -9,7 +9,7 @@ FIREFOX_VERSION=38.4.0esr
TORBROWSER_UPDATE_CHANNEL=release
TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.0-1-build2
-TOR_TAG=tor-0.2.6.10
+TOR_TAG=tor-0.2.7.5
TORLAUNCHER_TAG=0.2.7.7
TORBUTTON_TAG=1.9.3.5
HTTPSE_TAG=5.0.7
@@ -35,7 +35,7 @@ OBFS4_TAG=obfs4proxy-0.0.5
GITIAN_TAG=tor-browser-builder-3.x-8-gpgsux
-OPENSSL_VER=1.0.1p
+OPENSSL_VER=1.0.1q
GMP_VER=5.1.3
FIREFOX_LANG_VER=$FIREFOX_VERSION
FIREFOX_LANG_BUILD=build2
@@ -80,7 +80,7 @@ PARSLEY_PACKAGE=Parsley-${PARSLEY_VER}.tar.gz
GO_PACKAGE=go${GO_VER}.src.tar.gz
# Hashes for packages with weak sigs or no sigs
-OPENSSL_HASH=bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
+OPENSSL_HASH=b3658b84e9ea606a5ded3c972a5517cd785282e7ea86b20c78aa4b773a047fb7
GMP_HASH=752079520b4690531171d0f4532e40f08600215feefede70b24fabdc6f1ab160
OSXSDK_HASH=da77bb0003fcca5ea8c4e8cb2da8828ded750c54afdcac29ec6f3b46ad5e3adf
OSXSDK_OLD_HASH=6602d8d5ddb371fbc02e2a5967d9bd0cd7358d46f9417753c8234b923f2ea6fc

[tor-browser/tor-browser-38.4.0esr-5.0-1] Bug 16863: console.error on new Tor Browser window
by gk@torproject.org 09 Dec '15
by gk@torproject.org 09 Dec '15
09 Dec '15
commit 916624727c1effa1987dff1cc5e37961a9e0e7f5
Author: Kathy Brade <brade(a)pearlcrescent.com>
Date: Wed Dec 9 11:47:08 2015 -0500
Bug 16863: console.error on new Tor Browser window
Improve error handling and avoid confusing error log messages
when loop.enabled is false.
---
browser/components/customizableui/CustomizableUI.jsm | 8 ++++++++
browser/components/customizableui/CustomizableWidgets.jsm | 8 +++-----
browser/components/loop/MozLoopService.jsm | 2 +-
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/browser/components/customizableui/CustomizableUI.jsm b/browser/components/customizableui/CustomizableUI.jsm
index 54c2ede..a43404e 100644
--- a/browser/components/customizableui/CustomizableUI.jsm
+++ b/browser/components/customizableui/CustomizableUI.jsm
@@ -1186,6 +1186,11 @@ let CustomizableUIInternal = {
throw new Error("buildWidget was passed a non-widget to build.");
}
+ if (aWidget.onIsHidden && aWidget.onIsHidden()) {
+ LOG("Skipping hidden widget " + aWidget.id + " of type " + aWidget.type);
+ return undefined;
+ }
+
LOG("Building " + aWidget.id + " of type " + aWidget.type);
let node;
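Review bot: The new early exit in `buildWidget` returns `undefined` where the rest of the function presumably returns a node, and nothing in the hunk shows that callers cope with a missing node; `buildWidget` and its callers lie outside the hunk, so this needs checking there. If callers do tolerate it, say so at the exit, e.g. `// Hidden widgets get no node; callers must handle an undefined result.` A bare `return;` would also read more conventionally than `return undefined;`. The same hunk appears again in the tor-browser-38.4.0esr-5.5-1 copy of this commit further down.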
@@ -2180,6 +2185,7 @@ let CustomizableUIInternal = {
widget._introducedInVersion = aData.introducedInVersion || 0;
}
+ this.wrapWidgetEventHandler("onIsHidden", widget);
this.wrapWidgetEventHandler("onBeforeCreated", widget);
this.wrapWidgetEventHandler("onClick", widget);
this.wrapWidgetEventHandler("onCreated", widget);
@@ -3015,6 +3021,8 @@ this.CustomizableUI = {
* of the widget.
* - viewId: Only useful for views (and required there): the id of the
* <panelview> that should be shown when clicking the widget.
+ * - onIsHidden(): Called to check whether a widget should be hidden
+ * (optional; returns a Boolean value).
* - onBuild(aDoc): Only useful for custom widgets (and required there); a
* function that will be invoked with the document in which
* to build a widget. Should return the DOM node that has
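Review bot: The new `onIsHidden()` entry does not say when the callback runs or what a `true` result causes. Going by the `buildWidget` hunk in this commit, it is consulted before the widget is built and a truthy result skips building, so the entry could read `- onIsHidden(): Optional. Checked before the widget is built; if it returns true the widget is skipped and no node is created.` The doc comment itself starts and ends outside the hunk.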
diff --git a/browser/components/customizableui/CustomizableWidgets.jsm b/browser/components/customizableui/CustomizableWidgets.jsm
index 75f69dd..4a8bacf 100644
--- a/browser/components/customizableui/CustomizableWidgets.jsm
+++ b/browser/components/customizableui/CustomizableWidgets.jsm
@@ -933,12 +933,10 @@ const CustomizableWidgets = [
// Not in private browsing, see bug 1108187.
showInPrivateBrowsing: false,
introducedInVersion: 4,
+ onIsHidden: function() {
+ return !Services.prefs.getBoolPref("loop.enabled");
+ },
onBuild: function(aDocument) {
- // If we're not supposed to see the button, return zip.
- if (!Services.prefs.getBoolPref("loop.enabled")) {
- return null;
- }
-
let node = aDocument.createElementNS(kNSXUL, "toolbarbutton");
node.setAttribute("id", this.id);
node.classList.add("toolbarbutton-1");
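Review bot: `onIsHidden` reads `loop.enabled` with `getBoolPref` and nothing here handles a failed read, so the outcome depends on `wrapWidgetEventHandler` (applied to `onIsHidden` in this commit, implementation not shown). If the read throws, for instance when the pref has no value, and that wrapper swallows the exception and yields no value, the `aWidget.onIsHidden && aWidget.onIsHidden()` guard sees a falsy result and the button is built, the opposite of what a build that disables Loop wants. Failing closed is cheap: `try { return !Services.prefs.getBoolPref("loop.enabled"); } catch (e) { return true; }`.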
diff --git a/browser/components/loop/MozLoopService.jsm b/browser/components/loop/MozLoopService.jsm
index 3f6a77c..d915070 100644
--- a/browser/components/loop/MozLoopService.jsm
+++ b/browser/components/loop/MozLoopService.jsm
@@ -1107,7 +1107,7 @@ this.MozLoopService = {
// Don't do anything if loop is not enabled.
if (!Services.prefs.getBoolPref("loop.enabled")) {
- return Promise.reject(new Error("loop is not enabled"));
+ return Promise.resolve();
}
if (Services.prefs.getPrefType("loop.fxa.enabled") == Services.prefs.PREF_BOOL) {
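Review bot: Resolving with no value makes the disabled case indistinguishable from a successful start for anything chained on this promise, so a `.then` continuation may run as if the service were initialized. The enclosing method and its callers are outside the hunk, so confirm that none of them relies on the old rejection to stop further Loop setup. A comment at the return would record the intent: `// Not an error: Loop is disabled; callers must not assume the service is initialized.`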

[tor-browser/tor-browser-38.4.0esr-5.5-1] Bug 16863: console.error on new Tor Browser window
by gk@torproject.org 09 Dec '15
by gk@torproject.org 09 Dec '15
09 Dec '15
commit c2ce09f61101f3ac2d16d644d7fb56c035bec9ba
Author: Kathy Brade <brade(a)pearlcrescent.com>
Date: Wed Dec 9 11:47:08 2015 -0500
Bug 16863: console.error on new Tor Browser window
Improve error handling and avoid confusing error log messages
when loop.enabled is false.
---
browser/components/customizableui/CustomizableUI.jsm | 8 ++++++++
browser/components/customizableui/CustomizableWidgets.jsm | 8 +++-----
browser/components/loop/MozLoopService.jsm | 2 +-
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/browser/components/customizableui/CustomizableUI.jsm b/browser/components/customizableui/CustomizableUI.jsm
index 54c2ede..a43404e 100644
--- a/browser/components/customizableui/CustomizableUI.jsm
+++ b/browser/components/customizableui/CustomizableUI.jsm
@@ -1186,6 +1186,11 @@ let CustomizableUIInternal = {
throw new Error("buildWidget was passed a non-widget to build.");
}
+ if (aWidget.onIsHidden && aWidget.onIsHidden()) {
+ LOG("Skipping hidden widget " + aWidget.id + " of type " + aWidget.type);
+ return undefined;
+ }
+
LOG("Building " + aWidget.id + " of type " + aWidget.type);
let node;
@@ -2180,6 +2185,7 @@ let CustomizableUIInternal = {
widget._introducedInVersion = aData.introducedInVersion || 0;
}
+ this.wrapWidgetEventHandler("onIsHidden", widget);
this.wrapWidgetEventHandler("onBeforeCreated", widget);
this.wrapWidgetEventHandler("onClick", widget);
this.wrapWidgetEventHandler("onCreated", widget);
@@ -3015,6 +3021,8 @@ this.CustomizableUI = {
* of the widget.
* - viewId: Only useful for views (and required there): the id of the
* <panelview> that should be shown when clicking the widget.
+ * - onIsHidden(): Called to check whether a widget should be hidden
+ * (optional; returns a Boolean value).
* - onBuild(aDoc): Only useful for custom widgets (and required there); a
* function that will be invoked with the document in which
* to build a widget. Should return the DOM node that has
diff --git a/browser/components/customizableui/CustomizableWidgets.jsm b/browser/components/customizableui/CustomizableWidgets.jsm
index 75f69dd..4a8bacf 100644
--- a/browser/components/customizableui/CustomizableWidgets.jsm
+++ b/browser/components/customizableui/CustomizableWidgets.jsm
@@ -933,12 +933,10 @@ const CustomizableWidgets = [
// Not in private browsing, see bug 1108187.
showInPrivateBrowsing: false,
introducedInVersion: 4,
+ onIsHidden: function() {
+ return !Services.prefs.getBoolPref("loop.enabled");
+ },
onBuild: function(aDocument) {
- // If we're not supposed to see the button, return zip.
- if (!Services.prefs.getBoolPref("loop.enabled")) {
- return null;
- }
-
let node = aDocument.createElementNS(kNSXUL, "toolbarbutton");
node.setAttribute("id", this.id);
node.classList.add("toolbarbutton-1");
diff --git a/browser/components/loop/MozLoopService.jsm b/browser/components/loop/MozLoopService.jsm
index 3f6a77c..d915070 100644
--- a/browser/components/loop/MozLoopService.jsm
+++ b/browser/components/loop/MozLoopService.jsm
@@ -1107,7 +1107,7 @@ this.MozLoopService = {
// Don't do anything if loop is not enabled.
if (!Services.prefs.getBoolPref("loop.enabled")) {
- return Promise.reject(new Error("loop is not enabled"));
+ return Promise.resolve();
}
if (Services.prefs.getPrefType("loop.fxa.enabled") == Services.prefs.PREF_BOOL) {

[tor-browser/tor-browser-38.4.0esr-5.5-1] Bug 12516: Compile hardenend Tor Browser with -fwrapv
by gk@torproject.org 09 Dec '15
by gk@torproject.org 09 Dec '15
09 Dec '15
commit 507be1ee78b54b23106d6e99b5d07835d34682a0
Author: Georg Koppen <gk(a)torproject.org>
Date: Tue Dec 8 10:27:03 2015 +0000
Bug 12516: Compile hardenend Tor Browser with -fwrapv
---
.mozconfig-asan | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.mozconfig-asan b/.mozconfig-asan
index 218d2bd..9472ff2 100644
--- a/.mozconfig-asan
+++ b/.mozconfig-asan
@@ -1,7 +1,7 @@
. $topsrcdir/browser/config/mozconfig
-export CFLAGS="-fsanitize=address -Dxmalloc=myxmalloc"
-export CXXFLAGS="-fsanitize=address -Dxmalloc=myxmalloc"
+export CFLAGS="-fsanitize=address -Dxmalloc=myxmalloc -fwrapv"
+export CXXFLAGS="-fsanitize=address -Dxmalloc=myxmalloc -frwapv"
# We need to add -ldl explicitely due to bug 1213698
export LDFLAGS="-fsanitize=address -ldl"
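Review bot: The new `CXXFLAGS` line spells the flag `-frwapv`, not `-fwrapv` as on the `CFLAGS` line above it, so the C++ sources do not get the wrapping signed-overflow semantics this change is meant to add. The compiler will most likely reject the unknown option outright; if anything in the build tolerates it, the C++ code is silently built without the hardening. The line should read `export CXXFLAGS="-fsanitize=address -Dxmalloc=myxmalloc -fwrapv"`.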

[tor-browser-bundle/hardened-builds] Bug 17747: Replace schanenlied with ndnop3
by gk@torproject.org 09 Dec '15
by gk@torproject.org 09 Dec '15
09 Dec '15
commit ce9150067e4bdf5699dc22d64bd0b532516d3292
Author: Georg Koppen <gk(a)torproject.org>
Date: Mon Dec 7 11:12:35 2015 +0000
Bug 17747: Replace schanenlied with ndnop3
---
Bundle-Data/PTConfigs/bridge_prefs.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Bundle-Data/PTConfigs/bridge_prefs.js b/Bundle-Data/PTConfigs/bridge_prefs.js
index a055d8f..f27d389 100644
--- a/Bundle-Data/PTConfigs/bridge_prefs.js
+++ b/Bundle-Data/PTConfigs/bridge_prefs.js
@@ -20,7 +20,7 @@ pref("extensions.torlauncher.default_bridge.fte-ipv6.2", "fte [2001:49f0:d00a:1:
pref("extensions.torlauncher.default_bridge.scramblesuit.1", "scramblesuit 83.212.101.3:443 A09D536DD1752D542E1FBB3C9CE4449D51298239 password=XTCXLG2JAMJKZW2POLBAOWOQETQSMASH");
-pref("extensions.torlauncher.default_bridge.obfs4.1", "obfs4 178.209.52.110:443 67E72FF33D7D41BF11C569646A0A7B4B188340DF cert=Z+cv8z19Qb8RxWlkagp7SxiDQN++b7D2Tntowhf+j4D15/kLuj3EoSSGvuREGPc3h60Ofw iat-mode=0");
+pref("extensions.torlauncher.default_bridge.obfs4.1", "obfs4 109.105.109.165:24215 8DFCD8FB3285E855F5A55EDDA35696C743ABFC4E cert=Bvg/itxeL4TWKLP6N1MaQzSOC6tcRIBv6q57DYAZc3b2AzuM+/TfB7mqTFEfXILCjEwzVA iat-mode=0");
pref("extensions.torlauncher.default_bridge.obfs4.2", "obfs4 83.212.101.3:41213 A09D536DD1752D542E1FBB3C9CE4449D51298239 cert=lPRQ/MXdD1t5SRZ9MquYQNT9m5DV757jtdXdlePmRCudUU9CFUOX1Tm7/meFSyPOsud7Cw iat-mode=0");
pref("extensions.torlauncher.default_bridge.obfs4.3", "obfs4 104.131.108.182:56880 EF577C30B9F788B0E1801CF7E433B3B77792B77A cert=0SFhfDQrKjUJP8Qq6wrwSICEPf3Vl/nJRsYxWbg3QRoSqhl2EB78MPS2lQxbXY4EW1wwXA iat-mode=0");