commit 1a94be0a770084b61d87bf6da4f9563cfac236ed Author: Mike Perry <mikeperry-git@torproject.org> Date: Thu May 1 12:32:43 2014 -0700 Bug 11658: Add support for proxies while PT lines are present. This technically backports Bug 8402's patch, which will allow proxies to work without PTs again. However, PT+Proxies remain unsupported until we bump obfs3 to 0.2.9 and solve bug #11535. Flashproxy and FTE may need similar bumps+tweaks to fully solve bug #8402. --- gitian/descriptors/linux/gitian-tor.yml | 2 + gitian/descriptors/mac/gitian-tor.yml | 2 + gitian/descriptors/windows/gitian-tor.yml | 2 + gitian/patches/bug8402.patch | 437 +++++++++++++++++++++++++++++ 4 files changed, 443 insertions(+) diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml index 826d355..8b1644e 100644 --- a/gitian/descriptors/linux/gitian-tor.yml +++ b/gitian/descriptors/linux/gitian-tor.yml @@ -29,6 +29,7 @@ files: - "bug11200.patch" - "bug11069.patch" - "bug9665.patch" +- "bug8402.patch" - "dzip.sh" - "openssl-linux32-utils.zip" - "openssl-linux64-utils.zip" @@ -79,6 +80,7 @@ script: | git am ~/build/bug11156.patch git am ~/build/bug9665.patch git am ~/build/bug11200.patch + git am ~/build/bug8402.patch fi fi mkdir -p $OUTDIR/src diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml index c3ae8d8..ca938fc 100644 --- a/gitian/descriptors/mac/gitian-tor.yml +++ b/gitian/descriptors/mac/gitian-tor.yml @@ -32,6 +32,7 @@ files: - "bug11200.patch" - "bug11069.patch" - "bug9665.patch" +- "bug8402.patch" - "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb" - "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz" - "dzip.sh" @@ -110,6 +111,7 @@ script: | git am ~/build/bug11156.patch git am ~/build/bug9665.patch git am ~/build/bug11200.patch + git am ~/build/bug8402.patch fi fi mkdir -p $OUTDIR/src diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml index 5e452b9..61fc9b5 100644 --- a/gitian/descriptors/windows/gitian-tor.yml +++ b/gitian/descriptors/windows/gitian-tor.yml @@ -31,6 +31,7 @@ files: - "bug11200.patch" - "bug11069.patch" - "bug9665.patch" +- "bug8402.patch" - "binutils.tar.bz2" - "dzip.sh" - "openssl.tar.gz" @@ -106,6 +107,7 @@ script: | git am ~/build/bug11156.patch git am ~/build/bug9665.patch git am ~/build/bug11200.patch + git am ~/build/bug8402.patch fi fi mkdir -p $OUTDIR/src diff --git a/gitian/patches/bug8402.patch b/gitian/patches/bug8402.patch new file mode 100644 index 0000000..2aa74c6 --- /dev/null +++ b/gitian/patches/bug8402.patch @@ -0,0 +1,437 @@ +From 88ddabbce1e15627f51b1bd6aef06f1b3515dd15 Mon Sep 17 00:00:00 2001 +From: Yawning Angel <yawning@schwanenlied.me> +Date: Thu, 1 May 2014 03:57:29 +0000 +Subject: [PATCH 1/2] Allow ClientTransportPlugins to use proxies + +This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with +ClientTransportPlugins via the TOR_PT_PROXY extension to the +pluggable transport specification. + +This fixes bug #8402. + +WARNING: + +This is a backport to tor-0.2.4.x of a unmerged patch. Differences +at the time of writing from my real branch are: + * Unit tests. + * get_proxy_type() is removed in the backport, 0.2.5.x uses the + routine elsewhere, so it is left intact (with modifications). +--- + src/or/config.c | 24 +++++++---- + src/or/connection.c | 55 ++++++++++--------------- + src/or/transports.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++-- + src/or/transports.h | 3 ++ + 4 files changed, 152 insertions(+), 44 deletions(-) + +diff --git a/src/or/config.c b/src/or/config.c +index 09fdc0c..3fe5b73 100644 +--- a/src/or/config.c ++++ b/src/or/config.c +@@ -490,7 +490,9 @@ static int options_transition_affects_descriptor( + static int check_nickname_list(const char *lst, const char *name, char **msg); + + static int parse_bridge_line(const char *line, int validate_only); +-static int parse_client_transport_line(const char *line, int validate_only); ++static int parse_client_transport_line(const or_options_t *options, ++ const char *line, ++ int validate_only); + + static int parse_server_transport_line(const char *line, int validate_only); + static char *get_bindaddr_from_transport_listen_line(const char *line, +@@ -1337,7 +1339,7 @@ options_act(const or_options_t *old_options) + pt_prepare_proxy_list_for_config_read(); + if (options->ClientTransportPlugin) { + for (cl = options->ClientTransportPlugin; cl; cl = cl->next) { +- if (parse_client_transport_line(cl->value, 0)<0) { ++ if (parse_client_transport_line(options, cl->value, 0)<0) { + log_warn(LD_BUG, + "Previously validated ClientTransportPlugin line " + "could not be added!"); +@@ -2954,11 +2956,11 @@ options_validate(or_options_t *old_options, or_options_t *options, + } + } + +- /* Check if more than one proxy type has been enabled. */ ++ /* Check if more than one exclusive proxy type has been enabled. */ + if (!!options->Socks4Proxy + !!options->Socks5Proxy + +- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1) ++ !!options->HTTPSProxy > 1) + REJECT("You have configured more than one proxy type. " +- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)"); ++ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)"); + + /* Check if the proxies will give surprising behavior. */ + if (options->HTTPProxy && !(options->Socks4Proxy || +@@ -3073,7 +3075,7 @@ options_validate(or_options_t *old_options, or_options_t *options, + } + + for (cl = options->ClientTransportPlugin; cl; cl = cl->next) { +- if (parse_client_transport_line(cl->value, 1)<0) ++ if (parse_client_transport_line(options, cl->value, 1)<0) + REJECT("Transport line did not parse. See logs for details."); + } + +@@ -4229,7 +4231,8 @@ parse_bridge_line(const char *line, int validate_only) + * our internal transport list. + * - If it's a managed proxy line, launch the managed proxy. */ + static int +-parse_client_transport_line(const char *line, int validate_only) ++parse_client_transport_line(const or_options_t *options, const char *line, ++ int validate_only) + { + smartlist_t *items = NULL; + int r; +@@ -4308,6 +4311,13 @@ parse_client_transport_line(const char *line, int validate_only) + pt_kickstart_client_proxy(transport_list, proxy_argv); + } + } else { /* external */ ++ /* ClientTransportPlugins connecting through a proxy is managed only. */ ++ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) { ++ log_warn(LD_CONFIG, "You have configured an external proxy with another " ++ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)"); ++ goto err; ++ } ++ + if (smartlist_len(transport_list) != 1) { + log_warn(LD_CONFIG, "You can't have an external proxy with " + "more than one transports."); +diff --git a/src/or/connection.c b/src/or/connection.c +index 4f74a1d..683cf46 100644 +--- a/src/or/connection.c ++++ b/src/or/connection.c +@@ -81,7 +81,6 @@ static const char *connection_proxy_state_to_string(int state); + static int connection_read_https_proxy_response(connection_t *conn); + static void connection_send_socks5_connect(connection_t *conn); + static const char *proxy_type_to_string(int proxy_type); +-static int get_proxy_type(void); + + /** The last addresses that our network interface seemed to have been + * binding to. We use this as one way to detect when our IP changes. +@@ -4390,6 +4389,27 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type, + { + const or_options_t *options = get_options(); + ++ /* Client Transport Plugins can use another proxy, but that should be hidden ++ * from the rest of tor (as the plugin is responsible for dealing with the ++ * proxy), check it first, then check the rest of the proxy types to allow ++ * the config to have unused ClientTransportPlugin entries. ++ */ ++ if (options->ClientTransportPlugin) { ++ const transport_t *transport = NULL; ++ int r; ++ r = find_transport_by_bridge_addrport(&conn->addr, conn->port, &transport); ++ if (r<0) ++ return -1; ++ if (transport) { /* transport found */ ++ tor_addr_copy(addr, &transport->addr); ++ *port = transport->port; ++ *proxy_type = transport->socks_version; ++ return 0; ++ } ++ ++ /* Unused ClientTransportPlugin. */ ++ } ++ + if (options->HTTPSProxy) { + tor_addr_copy(addr, &options->HTTPSProxyAddr); + *port = options->HTTPSProxyPort; +@@ -4405,43 +4425,12 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type, + *port = options->Socks5ProxyPort; + *proxy_type = PROXY_SOCKS5; + return 0; +- } else if (options->ClientTransportPlugin || +- options->Bridges) { +- const transport_t *transport = NULL; +- int r; +- r = find_transport_by_bridge_addrport(&conn->addr, conn->port, &transport); +- if (r<0) +- return -1; +- if (transport) { /* transport found */ +- tor_addr_copy(addr, &transport->addr); +- *port = transport->port; +- *proxy_type = transport->socks_version; +- return 0; +- } + } + + *proxy_type = PROXY_NONE; + return 0; + } + +-/** Returns the global proxy type used by tor. */ +-static int +-get_proxy_type(void) +-{ +- const or_options_t *options = get_options(); +- +- if (options->HTTPSProxy) +- return PROXY_CONNECT; +- else if (options->Socks4Proxy) +- return PROXY_SOCKS4; +- else if (options->Socks5Proxy) +- return PROXY_SOCKS5; +- else if (options->ClientTransportPlugin) +- return PROXY_PLUGGABLE; +- else +- return PROXY_NONE; +-} +- + /** Log a failed connection to a proxy server. + * <b>conn</b> is the connection we use the proxy server for. */ + void +@@ -4457,7 +4446,7 @@ log_failed_proxy_connection(connection_t *conn) + log_warn(LD_NET, + "The connection to the %s proxy server at %s just failed. " + "Make sure that the proxy server is up and running.", +- proxy_type_to_string(get_proxy_type()), ++ proxy_type_to_string(proxy_type), + fmt_addrport(&proxy_addr, proxy_port)); + } + +diff --git a/src/or/transports.c b/src/or/transports.c +index 3749d6b..cae1f31 100644 +--- a/src/or/transports.c ++++ b/src/or/transports.c +@@ -103,6 +103,8 @@ static INLINE int proxy_configuration_finished(const managed_proxy_t *mp); + + static void managed_proxy_destroy(managed_proxy_t *mp, + int also_terminate_process); ++static char* get_pt_proxy_uri(void); ++static void parse_proxy_error(const char *line); + + static void handle_finished_proxy(managed_proxy_t *mp); + static int configure_proxy(managed_proxy_t *mp); +@@ -123,6 +125,8 @@ static INLINE void free_execve_args(char **arg); + #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR" + #define PROTO_CMETHODS_DONE "CMETHODS DONE" + #define PROTO_SMETHODS_DONE "SMETHODS DONE" ++#define PROTO_PROXY_DONE "PROXY DONE" ++#define PROTO_PROXY_ERROR "PROXY-ERROR" + + /** The first and only supported - at the moment - configuration + protocol version. */ +@@ -434,6 +438,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp) + static int + proxy_needs_restart(const managed_proxy_t *mp) + { ++ int ret = 1; ++ char* proxy_uri; ++ ++ /* If the PT proxy config has changed, then all existing pluggable transports ++ * should be restarted. ++ */ ++ ++ proxy_uri = get_pt_proxy_uri(); ++ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0) ++ goto needs_restart; ++ + /* mp->transport_to_launch is populated with the names of the + transports that must be launched *after* the SIGHUP. + mp->transports is populated with the transports that were +@@ -454,10 +469,10 @@ proxy_needs_restart(const managed_proxy_t *mp) + + } SMARTLIST_FOREACH_END(t); + +- return 0; +- +- needs_restart: +- return 1; ++ ret = 0; ++needs_restart: ++ tor_free(proxy_uri); ++ return ret; + } + + /** Managed proxy <b>mp</b> must be restarted. Do all the necessary +@@ -488,6 +503,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp) + SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t)); + smartlist_clear(mp->transports); + ++ /* Reset the proxy's HTTPS/SOCKS proxy */ ++ tor_free(mp->proxy_uri); ++ mp->proxy_uri = get_pt_proxy_uri(); ++ mp->proxy_supported = 0; ++ + /* flag it as an infant proxy so that it gets launched on next tick */ + mp->conf_state = PT_PROTO_INFANT; + unconfigured_proxies_n++; +@@ -718,12 +738,52 @@ managed_proxy_destroy(managed_proxy_t *mp, + /* free the argv */ + free_execve_args(mp->argv); + ++ /* free the outgoing proxy URI */ ++ tor_free(mp->proxy_uri); ++ + tor_process_handle_destroy(mp->process_handle, also_terminate_process); + mp->process_handle = NULL; + + tor_free(mp); + } + ++/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */ ++static char * ++get_pt_proxy_uri(void) ++{ ++ const or_options_t *options = get_options(); ++ char *uri = NULL; ++ ++ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) { ++ char addr[TOR_ADDR_BUF_LEN+1]; ++ ++ if (options->Socks4Proxy) { ++ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1); ++ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort); ++ } else if (options->Socks5Proxy) { ++ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1); ++ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) { ++ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort); ++ } else { ++ tor_asprintf(&uri, "socks5://%s:%s@%s:%d", ++ options->Socks5ProxyUsername, ++ options->Socks5ProxyPassword, ++ addr, options->Socks5ProxyPort); ++ } ++ } else if (options->HTTPSProxy) { ++ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1); ++ if (!options->HTTPSProxyAuthenticator) { ++ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort); ++ } else { ++ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator, ++ addr, options->HTTPSProxyPort); ++ } ++ } ++ } ++ ++ return uri; ++} ++ + /** Handle a configured or broken managed proxy <b>mp</b>. */ + static void + handle_finished_proxy(managed_proxy_t *mp) +@@ -736,6 +796,12 @@ handle_finished_proxy(managed_proxy_t *mp) + managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */ + break; + case PT_PROTO_CONFIGURED: /* if configured correctly: */ ++ if (mp->proxy_uri && !mp->proxy_supported) { ++ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the " ++ "specified outgoing proxy.", mp->argv[0]); ++ managed_proxy_destroy(mp, 1); /* annihilate it. */ ++ break; ++ } + register_proxy(mp); /* register its transports */ + mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */ + break; +@@ -854,6 +920,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp) + goto err; + + return; ++ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) { ++ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS) ++ goto err; ++ ++ if (mp->proxy_uri) { ++ mp->proxy_supported = 1; ++ return; ++ } ++ ++ /* No proxy was configured, this should log */ ++ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) { ++ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS) ++ goto err; ++ ++ parse_proxy_error(line); ++ goto err; + } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) { + /* managed proxy launch failed: parse error message to learn why. */ + int retval, child_state, saved_errno; +@@ -1105,6 +1187,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp) + return r; + } + ++/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */ ++static void ++parse_proxy_error(const char *line) ++{ ++ /* (Length of the protocol string) plus (a space) and (the first char of ++ the error message) */ ++ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2)) ++ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error " ++ "message.", PROTO_PROXY_ERROR); ++ ++ log_warn(LD_CONFIG, "Managed proxy failed to configure the " ++ "pluggable transport's outgoing proxy. (%s)", ++ line+strlen(PROTO_PROXY_ERROR)+1); ++} ++ + /** Return the string that tor should place in TOR_PT_SERVER_BINDADDR + * while configuring the server managed proxy in <b>mp</b>. The + * string is stored in the heap, and it's the the responsibility of +@@ -1193,6 +1290,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp) + * variable in Tor's environment and crash PTs that try to parse + * it even when not run in server mode.) */ + smartlist_add(envs, tor_strdup("TOR_PT_EXTENDED_SERVER_PORT=")); ++ } else { ++ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the ++ * TOR_PT_PROXY line. ++ */ ++ ++ if (mp->proxy_uri) { ++ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri); ++ } + } + + SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) { +@@ -1225,6 +1330,7 @@ managed_proxy_create(const smartlist_t *transport_list, + mp->is_server = is_server; + mp->argv = proxy_argv; + mp->transports = smartlist_new(); ++ mp->proxy_uri = get_pt_proxy_uri(); + + mp->transports_to_launch = smartlist_new(); + SMARTLIST_FOREACH(transport_list, const char *, transport, +diff --git a/src/or/transports.h b/src/or/transports.h +index 6ee82f4..f13de5d 100644 +--- a/src/or/transports.h ++++ b/src/or/transports.h +@@ -74,6 +74,9 @@ typedef struct { + char **argv; /* the cli arguments of this proxy */ + int conf_protocol; /* the configuration protocol version used */ + ++ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */ ++ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */ ++ + int is_server; /* is it a server proxy? */ + + /* A pointer to the process handle of this managed proxy. */ +-- +1.8.1.2 + +From 34004139ee9380c5c468d28037520d02681dd7cf Mon Sep 17 00:00:00 2001 +From: Yawning Angel <yawning@schwanenlied.me> +Date: Thu, 1 May 2014 19:01:34 +0000 +Subject: [PATCH 2/2] Improve the log message when a transport doesn't support + proxies. + +Per feedback, explicltly note that the transport will be killed when it +does not acknowledge the configured outgoing proxy. +--- + src/or/transports.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/or/transports.c b/src/or/transports.c +index cae1f31..917d12a 100644 +--- a/src/or/transports.c ++++ b/src/or/transports.c +@@ -798,7 +798,8 @@ handle_finished_proxy(managed_proxy_t *mp) + case PT_PROTO_CONFIGURED: /* if configured correctly: */ + if (mp->proxy_uri && !mp->proxy_supported) { + log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the " +- "specified outgoing proxy.", mp->argv[0]); ++ "specified outgoing proxy and will be terminated.", ++ mp->argv[0]); + managed_proxy_destroy(mp, 1); /* annihilate it. */ + break; + } +-- +1.8.1.2 +