March 2011 - tor-commits - lists.torproject.org

r24436: {website} Fixing the projects page side nav to match the page contents (website/trunk/projects/en)
by Damian Johnson 25 Mar '11

25 Mar '11

Author: atagar Date: 2011-03-25 15:06:02 +0000 (Fri, 25 Mar 2011) New Revision: 24436 Modified: website/trunk/projects/en/sidenav.wmi Log: Fixing the projects page side nav to match the page contents (caught by karsten). Modified: website/trunk/projects/en/sidenav.wmi =================================================================== --- website/trunk/projects/en/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435) +++ website/trunk/projects/en/sidenav.wmi 2011-03-25 15:06:02 UTC (rev 24436) @@ -38,14 +38,17 @@ {'url' => 'projects/arm', 'txt' => 'Arm', }, - {'url' => '<wiki>projects/TorBulkExitlist', - 'txt' => 'TorBEL', + {'url' => 'https://guardianproject.info/apps/orbot/', + 'txt' => 'Orbot', }, - {'url' => 'https://check.torproject.org', - 'txt' => 'TorCheck', + {'url' => 'https://tails.boum.org/', + 'txt' => 'Tails', }, - {'url' => 'projects/gettor', - 'txt' => 'GetTor', + {'url' => 'http://torstatus.blutmagie.de/', + 'txt' => 'TorStatus', + }, + {'url' => 'https://metrics.torproject.org/', + 'txt' => 'Metrics Portal', } ] }];

1 0

r24435: {website} include stable man page from the old website (in website/trunk/docs: ar en fr my pl ru)
by Runa Sandvik 25 Mar '11

25 Mar '11

Author: runa Date: 2011-03-25 13:08:28 +0000 (Fri, 25 Mar 2011) New Revision: 24435 Modified: website/trunk/docs/ar/sidenav.wmi website/trunk/docs/en/sidenav.wmi website/trunk/docs/en/tor-manual.wml website/trunk/docs/fr/sidenav.wmi website/trunk/docs/my/sidenav.wmi website/trunk/docs/pl/sidenav.wmi website/trunk/docs/ru/sidenav.wmi Log: include stable man page from the old website Modified: website/trunk/docs/ar/sidenav.wmi =================================================================== --- website/trunk/docs/ar/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434) +++ website/trunk/docs/ar/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435) @@ -61,9 +61,9 @@ {'url' => 'docs/running-a-mirror', 'txt' => 'ضبط مرآة', }, -# {'url' => 'docs/tor-manual', -# 'txt' => 'تور- دليل الإصدارة الثابتة', -# }, + {'url' => 'docs/tor-manual', + 'txt' => 'تور- دليل الإصدارة الثابتة', + }, {'url' => 'docs/tor-manual-dev', 'txt' => 'تور- دليل الإصدارة ألفا', }, Modified: website/trunk/docs/en/sidenav.wmi =================================================================== --- website/trunk/docs/en/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434) +++ website/trunk/docs/en/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435) @@ -61,9 +61,9 @@ {'url' => 'docs/running-a-mirror', 'txt' => 'Configuring a Mirror', }, -# {'url' => 'docs/tor-manual', -# 'txt' => 'Tor -stable Manual', -# }, + {'url' => 'docs/tor-manual', + 'txt' => 'Tor -stable Manual', + }, {'url' => 'docs/tor-manual-dev', 'txt' => 'Tor -alpha Manual', }, Modified: website/trunk/docs/en/tor-manual.wml =================================================================== --- website/trunk/docs/en/tor-manual.wml 2011-03-25 09:48:18 UTC (rev 24434) +++ website/trunk/docs/en/tor-manual.wml 2011-03-25 13:08:28 UTC (rev 24435) @@ -9,22 +9,2321 @@ <div id="breadcrumbs"> <a href="<page index>">Home » </a> <a href="<page docs/documentation>">Documentation » </a> - <a href="<page docs/tor-doc-osx>">Tor Dev Manual</a> + <a href="<page docs/tor-doc-osx>">Tor Manual</a> </div> - <div id="maincol"> - <: - die "Missing git clone at $(TORGIT)" unless -d "$(TORGIT)"; - my $man = `GIT_DIR=$(TORGIT) git show $(STABLETAG):doc/tor.1.txt | asciidoc -d manpage -s -o - -`; - die "No manpage because of asciidoc error or file not available from git" unless $man; - print $man; - :> - </div> + <div id="maincol"> + <h2 id="_synopsis">SYNOPSIS</h2> + <div class="sectionbody"> + <div class="paragraph">tor [OPTION value]… + </div> + </div> + <h2 id="_description">DESCRIPTION</h2> + <div class="sectionbody"> + <div class="paragraph">tor is a connection-oriented anonymizing communication + service. Users choose a source-routed path through a set of nodes, and + negotiate a "virtual circuit" through the network, in which each node + knows its predecessor and successor, but no others. Traffic flowing down + the circuit is unwrapped by a symmetric key at each node, which reveals + the downstream node. </div> + + <div class="paragraph">Basically tor provides a distributed network of servers ("onion routers"). + Users bounce their TCP streams — web traffic, ftp, ssh, etc — around the + routers, and recipients, observers, and even the routers themselves have + difficulty tracking the source of the stream.</div> + </div> + <h2 id="_options">OPTIONS</h2> + <div class="sectionbody"> + <div class="dlist"><dl> + <dt class="hdlist1"> + -h, -help + </dt> + <dd> + + Display a short help message and exit. + + </dd> + <dt class="hdlist1"> + -f FILE + </dt> + <dd> + + FILE contains further "option value" pairs. (Default: @CONFDIR@/torrc) + + </dd> + <dt class="hdlist1"> + --hash-password + </dt> + <dd> + + Generates a hashed password for control port access. + + </dd> + <dt class="hdlist1"> + --list-fingerprint + </dt> + <dd> + + Generate your keys and output your nickname and fingerprint. + + </dd> + <dt class="hdlist1"> + --verify-config + </dt> + <dd> + + Verify the configuration file is valid. + + </dd> + <dt class="hdlist1"> + --nt-service + </dt> + <dd> + + --service [install|remove|start|stop] Manage the Tor Windows + NT/2000/XP service. Current instructions can be found at + <a href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#WinNTService">https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#WinNTService</a> + + </dd> + <dt class="hdlist1"> + --list-torrc-options + </dt> + <dd> + + List all valid options. + + </dd> + <dt class="hdlist1"> + --version + </dt> + <dd> + + Display Tor version and exit. + + </dd> + <dt class="hdlist1"> + --quiet + </dt> + <dd> + + Do not start Tor with a console log unless explicitly requested to do so. + (By default, Tor starts out logging messages at level "notice" or higher to + the console, until it has parsed its configuration.) + + </dd> + </dl> + </div> + <div class="paragraph"> + Other options can be specified either on the command-line (--option + value), or in the configuration file (option value or option "value"). + Options are case-insensitive. C-style escaped characters are allowed inside + quoted values. Options on the command line take precedence over + options found in the configuration file, except indicated otherwise. To + split one configuration entry into multiple lines, use a single \ before + the end of the line. Comments can be used in such multiline entries, but + they must start at the beginning of a line. + </div> + <div class="dlist"><dl> + <dt class="hdlist1"> + BandwidthRate N bytes|KB|MB|GB + </dt> + <dd> + + A token bucket limits the average incoming bandwidth usage on this node to + the specified number of bytes per second, and the average outgoing + bandwidth usage to that same value. If you want to run a relay in the + public network, this needs to be at the very least 20 KB (that is, + 20480 bytes). (Default: 5 MB) + + </dd> + <dt class="hdlist1"> + BandwidthBurst N bytes|KB|MB|GB + </dt> + <dd> + + Limit the maximum token bucket size (also known as the burst) to the given + number of bytes in each direction. (Default: 10 MB) + + </dd> + <dt class="hdlist1"> + MaxAdvertisedBandwidth N bytes|KB|MB|GB + </dt> + <dd> + + If set, we will not advertise more than this amount of bandwidth for our + BandwidthRate. Server operators who want to reduce the number of clients + who ask to build circuits through them (since this is proportional to + advertised bandwidth rate) can thus reduce the CPU demands on their server + without impacting network performance. + + </dd> + <dt class="hdlist1"> + RelayBandwidthRate N bytes|KB|MB|GB + </dt> + <dd> + + If not 0, a separate token bucket limits the average incoming bandwidth + usage for _relayed traffic_ on this node to the specified number of bytes + per second, and the average outgoing bandwidth usage to that same value. + Relayed traffic currently is calculated to include answers to directory + requests, but that may change in future versions. (Default: 0) + + </dd> + <dt class="hdlist1"> + RelayBandwidthBurst N bytes|KB|MB|GB + </dt> + <dd> + + If not 0, limit the maximum token bucket size (also known as the burst) for + _relayed traffic_ to the given number of bytes in each direction. + (Default: 0) + + </dd> + <dt class="hdlist1"> + ConnLimit NUM + </dt> + <dd> + + The minimum number of file descriptors that must be available to the Tor + process before it will start. Tor will ask the OS for as many file + descriptors as the OS will allow (you can find this by "ulimit -H -n"). + If this number is less than ConnLimit, then Tor will refuse to start. + + You probably don’t need to adjust this. It has no effect on Windows + since that platform lacks getrlimit(). (Default: 1000) + + </dd> + <dt class="hdlist1"> + ConstrainedSockets 0|1 + </dt> + <dd> + + If set, Tor will tell the kernel to attempt to shrink the buffers for all + sockets to the size specified in ConstrainedSockSize. This is useful for + virtual servers and other environments where system level TCP buffers may + be limited. If you’re on a virtual server, and you encounter the "Error + creating network socket: No buffer space available" message, you are + likely experiencing this problem. + + The preferred solution is to have the admin increase the buffer pool for + the host itself via /proc/sys/net/ipv4/tcp_mem or equivalent facility; + this configuration option is a second-resort. + + The DirPort option should also not be used if TCP buffers are scarce. The + cached directory requests consume additional sockets which exacerbates + the problem. + + You should not enable this feature unless you encounter the "no buffer + space available" issue. Reducing the TCP buffers affects window size for + the TCP stream and will reduce throughput in proportion to round trip + time on long paths. (Default: 0.) + + </dd> + <dt class="hdlist1"> + ConstrainedSockSize N bytes|KB + </dt> + <dd> + + When ConstrainedSockets is enabled the receive and transmit buffers for + all sockets will be set to this limit. Must be a value between 2048 and + 262144, in 1024 byte increments. Default of 8192 is recommended. + + </dd> + <dt class="hdlist1"> + ControlPort Port + </dt> + <dd> + + If set, Tor will accept connections on this port and allow those + connections to control the Tor process using the Tor Control Protocol + (described in control-spec.txt). Note: unless you also specify one of + HashedControlPassword or CookieAuthentication, setting this option will + cause Tor to allow any process on the local host to control it. This + option is required for many Tor controllers; most use the value of 9051. + + </dd> + <dt class="hdlist1"> + ControlListenAddress IP[:PORT] + </dt> + <dd> + + Bind the controller listener to this address. If you specify a port, bind + to this port rather than the one specified in ControlPort. We strongly + recommend that you leave this alone unless you know what you’re doing, + since giving attackers access to your control listener is really + dangerous. (Default: 127.0.0.1) This directive can be specified multiple + times to bind to multiple addresses/ports. + + </dd> + <dt class="hdlist1"> + ControlSocket Path + </dt> + <dd> + + Like ControlPort, but listens on a Unix domain socket, rather than a TCP + socket. (Unix and Unix-like systems only.) + + </dd> + <dt class="hdlist1"> + HashedControlPassword hashed_password + </dt> + <dd> + + Don’t allow any connections on the control port except when the other + process knows the password whose one-way hash is hashed_password. You + can compute the hash of a password by running "tor --hash-password + password". You can provide several acceptable passwords by using more + than one HashedControlPassword line. + + </dd> + <dt class="hdlist1"> + CookieAuthentication 0|1 + </dt> + <dd> + + If this option is set to 1, don’t allow any connections on the control port + except when the connecting process knows the contents of a file named + "control_auth_cookie", which Tor will create in its data directory. This + authentication method should only be used on systems with good filesystem + security. (Default: 0) + + </dd> + <dt class="hdlist1"> + CookieAuthFile Path + </dt> + <dd> + + If set, this option overrides the default location and file name + for Tor’s cookie file. (See CookieAuthentication above.) + + </dd> + <dt class="hdlist1"> +CookieAuthFileGroupReadable 0|1|Groupname +</dt> +<dd> + + If this option is set to 0, don’t allow the filesystem group to read the + cookie file. If the option is set to 1, make the cookie file readable by + the default GID. [Making the file readable by other groups is not yet + implemented; let us know if you need this for some reason.] (Default: 0). + +</dd> +<dt class="hdlist1"> +DataDirectory DIR +</dt> +<dd> + + Store working data in DIR (Default: @LOCALSTATEDIR@/lib/tor) + +</dd> +<dt class="hdlist1"> +DirServer [nickname] [flags] address:port fingerprint +</dt> +<dd> + + Use a nonstandard authoritative directory server at the provided address + and port, with the specified key fingerprint. This option can be repeated + many times, for multiple authoritative directory servers. Flags are + separated by spaces, and determine what kind of an authority this directory + is. By default, every authority is authoritative for current ("v2")-style + directories, unless the "no-v2" flag is given. If the "v1" flags is + provided, Tor will use this server as an authority for old-style (v1) + directories as well. (Only directory mirrors care about this.) Tor will + use this server as an authority for hidden service information if the "hs" + flag is set, or if the "v1" flag is set and the "no-hs" flag is not set. + Tor will use this authority as a bridge authoritative directory if the + "bridge" flag is set. If a flag "orport=port" is given, Tor will use the + given port when opening encrypted tunnels to the dirserver. Lastly, if a + flag "v3ident=fp" is given, the dirserver is a v3 directory authority + whose v3 long-term signing key has the fingerprint fp. + + If no dirserver line is given, Tor will use the default directory + servers. NOTE: this option is intended for setting up a private Tor + network with its own directory authorities. If you use it, you will be + distinguishable from other users, because you won’t believe the same + authorities they do. + +</dd> +</dl></div> +<div class="paragraph">AlternateDirAuthority [nickname] [flags] address:port fingerprint </div> +<div class="paragraph">AlternateHSAuthority [nickname] [flags] address:port fingerprint </div> +<div class="dlist"><dl> +<dt class="hdlist1"> +AlternateBridgeAuthority [nickname] [flags] address:port fingerprint +</dt> +<dd> + + As DirServer, but replaces less of the default directory authorities. Using + AlternateDirAuthority replaces the default Tor directory authorities, but + leaves the hidden service authorities and bridge authorities in place. + Similarly, Using AlternateHSAuthority replaces the default hidden service + authorities, but not the directory or bridge authorities. + +</dd> +<dt class="hdlist1"> +FetchDirInfoEarly 0|1 +</dt> +<dd> + + If set to 1, Tor will always fetch directory information like other + directory caches, even if you don’t meet the normal criteria for fetching + early. Normal users should leave it off. (Default: 0) + +</dd> +<dt class="hdlist1"> +FetchHidServDescriptors 0|1 +</dt> +<dd> + + If set to 0, Tor will never fetch any hidden service descriptors from the + rendezvous directories. This option is only useful if you’re using a Tor + controller that handles hidden service fetches for you. (Default: 1) + +</dd> +<dt class="hdlist1"> +FetchServerDescriptors 0|1 +</dt> +<dd> + + If set to 0, Tor will never fetch any network status summaries or server + descriptors from the directory servers. This option is only useful if + you’re using a Tor controller that handles directory fetches for you. + (Default: 1) + +</dd> +<dt class="hdlist1"> +FetchUselessDescriptors 0|1 +</dt> +<dd> + + If set to 1, Tor will fetch every non-obsolete descriptor from the + authorities that it hears about. Otherwise, it will avoid fetching useless + descriptors, for example for routers that are not running. This option is + useful if you’re using the contributed "exitlist" script to enumerate Tor + nodes that exit to certain addresses. (Default: 0) + +</dd> +<dt class="hdlist1"> +HTTPProxy host[:port] +</dt> +<dd> + + Tor will make all its directory requests through this host:port (or host:80 + if port is not specified), rather than connecting directly to any directory + servers. + +</dd> +<dt class="hdlist1"> +HTTPProxyAuthenticator username:password +</dt> +<dd> + + If defined, Tor will use this username:password for Basic HTTP proxy + authentication, as in RFC 2617. This is currently the only form of HTTP + proxy authentication that Tor supports; feel free to submit a patch if you + want it to support others. + +</dd> +<dt class="hdlist1"> +HTTPSProxy host[:port] +</dt> +<dd> + + Tor will make all its OR (SSL) connections through this host:port (or + host:443 if port is not specified), via HTTP CONNECT rather than connecting + directly to servers. You may want to set FascistFirewall to restrict + the set of ports you might try to connect to, if your HTTPS proxy only + allows connecting to certain ports. + +</dd> +<dt class="hdlist1"> +HTTPSProxyAuthenticator username:password +</dt> +<dd> + + If defined, Tor will use this username:password for Basic HTTPS proxy + authentication, as in RFC 2617. This is currently the only form of HTTPS + proxy authentication that Tor supports; feel free to submit a patch if you + want it to support others. + +</dd> +<dt class="hdlist1"> +KeepalivePeriod NUM +</dt> +<dd> + + To keep firewalls from expiring connections, send a padding keepalive cell + every NUM seconds on open connections that are in use. If the connection + has no open circuits, it will instead be closed after NUM seconds of + idleness. (Default: 5 minutes) + +</dd> +<dt class="hdlist1"> +Log minSeverity[-maxSeverity] stderr|stdout|syslog +</dt> +<dd> + + Send all messages between minSeverity and maxSeverity to the standard + output stream, the standard error stream, or to the system log. (The + "syslog" value is only supported on Unix.) Recognized severity levels are + debug, info, notice, warn, and err. We advise using "notice" in most cases, + since anything more verbose may provide sensitive information to an + attacker who obtains the logs. If only one severity level is given, all + messages of that level or higher will be sent to the listed destination. + +</dd> +<dt class="hdlist1"> +Log minSeverity[-maxSeverity] file FILENAME +</dt> +<dd> + + As above, but send log messages to the listed filename. The + "Log" option may appear more than once in a configuration file. + Messages are sent to all the logs that match their severity + level. + +</dd> +<dt class="hdlist1"> +OutboundBindAddress IP +</dt> +<dd> + + Make all outbound connections originate from the IP address specified. This + is only useful when you have multiple network interfaces, and you want all + of Tor’s outgoing connections to use a single one. This setting will be + ignored for connections to the loopback addresses (127.0.0.0/8 and ::1). + +</dd> +<dt class="hdlist1"> +PidFile FILE +</dt> +<dd> + + On startup, write our PID to FILE. On clean shutdown, remove + FILE. + +</dd> +<dt class="hdlist1"> +ProtocolWarnings 0|1 +</dt> +<dd> + + If 1, Tor will log with severity 'warn' various cases of other parties not + following the Tor specification. Otherwise, they are logged with severity + 'info'. (Default: 0) + +</dd> +<dt class="hdlist1"> +RunAsDaemon 0|1 +</dt> +<dd> + + If 1, Tor forks and daemonizes to the background. This option has no effect + on Windows; instead you should use the --service command-line option. + (Default: 0) + +</dd> +<dt class="hdlist1"> +SafeLogging 0|1 +</dt> +<dd> + + Tor can scrub potentially sensitive strings from log messages (e.g. + addresses) by replacing them with the string [scrubbed]. This way logs can + still be useful, but they don’t leave behind personally identifying + information about what sites a user might have visited. + + If this option is set to 0, Tor will not perform any scrubbing, if it is + set to 1, all potentially sensitive strings are replaced. (Default: 1) + +</dd> +<dt class="hdlist1"> +User UID +</dt> +<dd> + + On startup, setuid to this user and setgid to their primary group. + +</dd> +<dt class="hdlist1"> +HardwareAccel 0|1 +</dt> +<dd> + + If non-zero, try to use built-in (static) crypto hardware acceleration when + available. This is untested and probably buggy. (Default: 0) + +</dd> +<dt class="hdlist1"> +AvoidDiskWrites 0|1 +</dt> +<dd> + + If non-zero, try to write to disk less frequently than we would otherwise. + This is useful when running on flash memory or other media that support + only a limited number of writes. (Default: 0) + +</dd> +<dt class="hdlist1"> +TunnelDirConns 0|1 +</dt> +<dd> + + If non-zero, when a directory server we contact supports it, we will build + a one-hop circuit and make an encrypted connection via its ORPort. + (Default: 1) + +</dd> +<dt class="hdlist1"> +PreferTunneledDirConns 0|1 +</dt> +<dd> + + If non-zero, we will avoid directory servers that don’t support tunneled + directory connections, when possible. (Default: 1) + +</dd> +</dl></div> +</div> +<h2 id="_client_options">CLIENT OPTIONS</h2> +<div class="sectionbody"> +<div class="paragraph">The following options are useful only for clients (that is, if +SocksPort is non-zero):</div> +<div class="dlist"><dl> +<dt class="hdlist1"> +AllowInvalidNodes entry|exit|middle|introduction|rendezvous|… +</dt> +<dd> + + If some Tor servers are obviously not working right, the directory + authorities can manually mark them as invalid, meaning that it’s not + recommended you use them for entry or exit positions in your circuits. You + can opt to use them in some circuit positions, though. The default is + "middle,rendezvous", and other choices are not advised. + +</dd> +<dt class="hdlist1"> +ExcludeSingleHopRelays 0|1 +</dt> +<dd> + + This option controls whether circuits built by Tor will include relays with + the AllowSingleHopExits flag set to true. If ExcludeSingleHopRelays is set + to 0, these relays will be included. Note that these relays might be at + higher risk of being seized or observed, so they are not normally + included. Also note that relatively few clients turn off this option, + so using these relays might make your client stand out. + (Default: 1) + +</dd> +<dt class="hdlist1"> +Bridge IP:ORPort [fingerprint] +</dt> +<dd> + + When set along with UseBridges, instructs Tor to use the relay at + "IP:ORPort" as a "bridge" relaying into the Tor network. If "fingerprint" + is provided (using the same format as for DirServer), we will verify that + the relay running at that location has the right fingerprint. We also use + fingerprint to look up the bridge descriptor at the bridge authority, if + it’s provided and if UpdateBridgesFromAuthority is set too. + +</dd> +<dt class="hdlist1"> +CircuitBuildTimeout NUM +</dt> +<dd> + + Try for at most NUM seconds when building circuits. If the circuit isn't + open in that time, give up on it. (Default: 1 minute.) + +</dd> +<dt class="hdlist1"> +CircuitIdleTimeout NUM +</dt> +<dd> + + If we have kept a clean (never used) circuit around for NUM seconds, then + close it. This way when the Tor client is entirely idle, it can expire all + of its circuits, and then expire its TLS connections. Also, if we end up + making a circuit that is not useful for exiting any of the requests we’re + receiving, it won’t forever take up a slot in the circuit list. (Default: 1 + hour.) + +</dd> +<dt class="hdlist1"> +ClientOnly 0|1 +</dt> +<dd> + + If set to 1, Tor will under no circumstances run as a server or serve + directory requests. The default is to run as a client unless ORPort is + configured. (Usually, you don’t need to set this; Tor is pretty smart at + figuring out whether you are reliable and high-bandwidth enough to be a + useful server.) (Default: 0) + +</dd> +<dt class="hdlist1"> +ExcludeNodes node,node,… +</dt> +<dd> + + A list of identity fingerprints, nicknames, country codes and address + patterns of nodes to never use when building a circuit. (Example: + ExcludeNodes SlowServer, $ EFFFFFFFFFFFFFFF, {cc}, 255.254.0.0/8) + +</dd> +<dt class="hdlist1"> +ExcludeExitNodes node,node,… +</dt> +<dd> + + A list of identity fingerprints, nicknames, country codes and address + patterns of nodes to never use when picking an exit node. Note that any + node listed in ExcludeNodes is automatically considered to be part of this + list. + +</dd> +<dt class="hdlist1"> +EntryNodes node,node,… +</dt> +<dd> + + A list of identity fingerprints, nicknames and address + patterns of nodes to use for the first hop in normal circuits. These are + treated only as preferences unless StrictNodes (see below) is also set. + +</dd> +<dt class="hdlist1"> +ExitNodes node,node,… +</dt> +<dd> + + A list of identity fingerprints, nicknames, country codes and address + patterns of nodes to use for the last hop in normal exit circuits. These + are treated only as preferences unless StrictNodes (see below) is also set. + +</dd> +<dt class="hdlist1"> +StrictEntryNodes 0|1 +</dt> +<dd> + + If 1, Tor will never use any nodes besides those listed in "EntryNodes" for + the first hop of a circuit. + +</dd> +<dt class="hdlist1"> +StrictExitNodes 0|1 +</dt> +<dd> + + If 1, Tor will never use any nodes besides those listed in "ExitNodes" for + the last hop of a circuit. + +</dd> +<dt class="hdlist1"> +FascistFirewall 0|1 +</dt> +<dd> + + If 1, Tor will only create outgoing connections to ORs running on ports + that your firewall allows (defaults to 80 and 443; see FirewallPorts). + This will allow you to run Tor as a client behind a firewall with + restrictive policies, but will not allow you to run as a server behind such + a firewall. If you prefer more fine-grained control, use + ReachableAddresses instead. + +</dd> +<dt class="hdlist1"> +FirewallPorts PORTS +</dt> +<dd> + + A list of ports that your firewall allows you to connect to. Only used when + FascistFirewall is set. This option is deprecated; use ReachableAddresses + instead. (Default: 80, 443) + +</dd> +<dt class="hdlist1"> +HidServAuth onion-address auth-cookie [service-name] +</dt> +<dd> + + Client authorization for a hidden service. Valid onion addresses contain 16 + characters in a-z2-7 plus ".onion", and valid auth cookies contain 22 + characters in A-Za-z0-9+/. The service name is only used for internal + purposes, e.g., for Tor controllers. This option may be used multiple times + for different hidden services. If a hidden service uses authorization and + this option is not set, the hidden service is not accessible. Hidden + services can be configured to require authorization using the + HiddenServiceAuthorizeClient option. + +</dd> +<dt class="hdlist1"> +ReachableAddresses ADDR[/MASK][:PORT]… +</dt> +<dd> + + A comma-separated list of IP addresses and ports that your firewall allows + you to connect to. The format is as for the addresses in ExitPolicy, except + that "accept" is understood unless "reject" is explicitly provided. For + example, 'ReachableAddresses 99.0.0.0/8, reject 18.0.0.0/8:80, accept + *:80' means that your firewall allows connections to everything inside net + 99, rejects port 80 connections to net 18, and accepts connections to port + 80 otherwise. (Default: 'accept *:*'.) + +</dd> +<dt class="hdlist1"> +ReachableDirAddresses ADDR[/MASK][:PORT]… +</dt> +<dd> + + Like ReachableAddresses, a list of addresses and ports. Tor will obey + these restrictions when fetching directory information, using standard HTTP + GET requests. If not set explicitly then the value of + ReachableAddresses is used. If HTTPProxy is set then these + connections will go through that proxy. + +</dd> +<dt class="hdlist1"> +ReachableORAddresses ADDR[/MASK][:PORT]… +</dt> +<dd> + + Like ReachableAddresses, a list of addresses and ports. Tor will obey + these restrictions when connecting to Onion Routers, using TLS/SSL. If not + set explicitly then the value of ReachableAddresses is used. If + HTTPSProxy is set then these connections will go through that proxy. + + The separation between ReachableORAddresses and + ReachableDirAddresses is only interesting when you are connecting + through proxies (see HTTPProxy and HTTPSProxy). Most proxies limit + TLS connections (which Tor uses to connect to Onion Routers) to port 443, + and some limit HTTP GET requests (which Tor uses for fetching directory + information) to port 80. + +</dd> +<dt class="hdlist1"> +LongLivedPorts PORTS +</dt> +<dd> + + A list of ports for services that tend to have long-running connections + (e.g. chat and interactive shells). Circuits for streams that use these + ports will contain only high-uptime nodes, to reduce the chance that a node + will go down before the stream is finished. (Default: 21, 22, 706, 1863, + 5050, 5190, 5222, 5223, 6667, 6697, 8300) + +</dd> +<dt class="hdlist1"> +MapAddress address newaddress +</dt> +<dd> + + When a request for address arrives to Tor, it will rewrite it to newaddress + before processing it. For example, if you always want connections to + www.indymedia.org to exit via torserver (where torserver is the + nickname of the server), use "MapAddress www.indymedia.org + www.indymedia.org.torserver.exit". + +</dd> +<dt class="hdlist1"> +NewCircuitPeriod NUM +</dt> +<dd> + + Every NUM seconds consider whether to build a new circuit. (Default: 30 + seconds) + +</dd> +<dt class="hdlist1"> +MaxCircuitDirtiness NUM +</dt> +<dd> + + Feel free to reuse a circuit that was first used at most NUM seconds ago, + but never attach a new stream to a circuit that is too old. (Default: 10 + minutes) + +</dd> +<dt class="hdlist1"> +NodeFamily node,node,… +</dt> +<dd> + + The Tor servers, defined by their identity fingerprints or nicknames, + constitute a "family" of similar or co-administered servers, so never use + any two of them in the same circuit. Defining a NodeFamily is only needed + when a server doesn’t list the family itself (with MyFamily). This option + can be used multiple times. + +</dd> +<dt class="hdlist1"> +EnforceDistinctSubnets 0|1 +</dt> +<dd> + + If 1, Tor will not put two servers whose IP addresses are "too close" on + the same circuit. Currently, two addresses are "too close" if they lie in + the same /16 range. (Default: 1) + +</dd> +<dt class="hdlist1"> +SocksPort PORT +</dt> +<dd> + + Advertise this port to listen for connections from Socks-speaking + applications. Set this to 0 if you don’t want to allow application + connections. (Default: 9050) + +</dd> +<dt class="hdlist1"> +SocksListenAddress IP[:PORT] +</dt> +<dd> + + Bind to this address to listen for connections from Socks-speaking + applications. (Default: 127.0.0.1) You can also specify a port (e.g. + 192.168.0.1:9100). This directive can be specified multiple times to bind + to multiple addresses/ports. + +</dd> +<dt class="hdlist1"> +SocksPolicy policy,policy,… +</dt> +<dd> + + Set an entrance policy for this server, to limit who can connect to the + SocksPort and DNSPort ports. The policies have the same form as exit + policies below. + +</dd> +<dt class="hdlist1"> +SocksTimeout NUM +</dt> +<dd> + + Let a socks connection wait NUM seconds handshaking, and NUM seconds + unattached waiting for an appropriate circuit, before we fail it. (Default: + 2 minutes.) + +</dd> +<dt class="hdlist1"> +TrackHostExits host,.domain,… +</dt> +<dd> + + For each value in the comma separated list, Tor will track recent + connections to hosts that match this value and attempt to reuse the same + exit node for each. If the value is prepended with a '.', it is treated as + matching an entire domain. If one of the values is just a '.', it means + match everything. This option is useful if you frequently connect to sites + that will expire all your authentication cookies (i.e. log you out) if + your IP address changes. Note that this option does have the disadvantage + of making it more clear that a given history is associated with a single + user. However, most people who would wish to observe this will observe it + through cookies or other protocol-specific means anyhow. + +</dd> +<dt class="hdlist1"> +TrackHostExitsExpire NUM +</dt> +<dd> + + Since exit servers go up and down, it is desirable to expire the + association between host and exit server after NUM seconds. The default is + 1800 seconds (30 minutes). + +</dd> +<dt class="hdlist1"> +UpdateBridgesFromAuthority 0|1 +</dt> +<dd> + + When set (along with UseBridges), Tor will try to fetch bridge descriptors + from the configured bridge authorities when feasible. It will fall back to + a direct request if the authority responds with a 404. (Default: 0) + +</dd> +<dt class="hdlist1"> +UseBridges 0|1 +</dt> +<dd> + + When set, Tor will fetch descriptors for each bridge listed in the "Bridge" + config lines, and use these relays as both entry guards and directory + guards. (Default: 0) + +</dd> +<dt class="hdlist1"> +UseEntryGuards 0|1 +</dt> +<dd> + + If this option is set to 1, we pick a few long-term entry servers, and try + to stick with them. This is desirable because constantly changing servers + increases the odds that an adversary who owns some servers will observe a + fraction of your paths. (Defaults to 1.) + +</dd> +<dt class="hdlist1"> +NumEntryGuards NUM +</dt> +<dd> + + If UseEntryGuards is set to 1, we will try to pick a total of NUM routers + as long-term entries for our circuits. (Defaults to 3.) + +</dd> +<dt class="hdlist1"> +SafeSocks 0|1 +</dt> +<dd> + + When this option is enabled, Tor will reject application connections that + use unsafe variants of the socks protocol — ones that only provide an IP + address, meaning the application is doing a DNS resolve first. + Specifically, these are socks4 and socks5 when not doing remote DNS. + (Defaults to 0.) + +</dd> +<dt class="hdlist1"> +TestSocks 0|1 +</dt> +<dd> + + When this option is enabled, Tor will make a notice-level log entry for + each connection to the Socks port indicating whether the request used a + safe socks protocol or an unsafe one (see above entry on SafeSocks). This + helps to determine whether an application using Tor is possibly leaking + DNS requests. (Default: 0) + +</dd> +<dt class="hdlist1"> +VirtualAddrNetwork Address/bits +</dt> +<dd> + + When Tor needs to assign a virtual (unused) address because of a MAPADDRESS + command from the controller or the AutomapHostsOnResolve feature, Tor + picks an unassigned address from this range. (Default: + 127.192.0.0/10) + + When providing proxy server service to a network of computers using a tool + like dns-proxy-tor, change this address to "10.192.0.0/10" or + "172.16.0.0/12". The default VirtualAddrNetwork address range on a + properly configured machine will route to the loopback interface. For + local use, no change to the default VirtualAddrNetwork setting is needed. + +</dd> +<dt class="hdlist1"> +AllowNonRFC953Hostnames 0|1 +</dt> +<dd> + + When this option is disabled, Tor blocks hostnames containing illegal + characters (like @ and :) rather than sending them to an exit node to be + resolved. This helps trap accidental attempts to resolve URLs and so on. + (Default: 0) + +</dd> +<dt class="hdlist1"> +FastFirstHopPK 0|1 +</dt> +<dd> + + When this option is disabled, Tor uses the public key step for the first + hop of creating circuits. Skipping it is generally safe since we have + already used TLS to authenticate the relay and to establish forward-secure + keys. Turning this option off makes circuit building slower. + + Note that Tor will always use the public key step for the first hop if it’s + operating as a relay, and it will never use the public key step if it + doesn’t yet know the onion key of the first hop. (Default: 1) + +</dd> +<dt class="hdlist1"> +TransPort PORT +</dt> +<dd> + + If non-zero, enables transparent proxy support on PORT (by convention, + 9040). Requires OS support for transparent proxies, such as BSDs' pf or + Linux’s IPTables. If you’re planning to use Tor as a transparent proxy for + a network, you’ll want to examine and change VirtualAddrNetwork from the + default setting. You’ll also want to set the TransListenAddress option for + the network you’d like to proxy. (Default: 0). + +</dd> +<dt class="hdlist1"> +TransListenAddress IP[:PORT] +</dt> +<dd> + + Bind to this address to listen for transparent proxy connections. (Default: + 127.0.0.1). This is useful for exporting a transparent proxy server to an + entire network. + +</dd> +<dt class="hdlist1"> +NATDPort PORT +</dt> +<dd> + + Allow old versions of ipfw (as included in old versions of FreeBSD, etc.) + to send connections through Tor using the NATD protocol. This option is + only for people who cannot use TransPort. + +</dd> +<dt class="hdlist1"> +NATDListenAddress IP[:PORT] +</dt> +<dd> + + Bind to this address to listen for NATD connections. (Default: 127.0.0.1). + +</dd> +<dt class="hdlist1"> +AutomapHostsOnResolve 0|1 +</dt> +<dd> + + When this option is enabled, and we get a request to resolve an address + that ends with one of the suffixes in AutomapHostsSuffixes, we map an + unused virtual address to that address, and return the new virtual address. + This is handy for making ".onion" addresses work with applications that + resolve an address and then connect to it. (Default: 0). + +</dd> +<dt class="hdlist1"> +AutomapHostsSuffixes SUFFIX,SUFFIX,… +</dt> +<dd> + + A comma-separated list of suffixes to use with AutomapHostsOnResolve. + The "." suffix is equivalent to "all addresses." (Default: .exit,.onion). + +</dd> +<dt class="hdlist1"> +DNSPort PORT +</dt> +<dd> + + If non-zero, Tor listens for UDP DNS requests on this port and resolves + them anonymously. (Default: 0). + +</dd> +<dt class="hdlist1"> +DNSListenAddress IP[:PORT] +</dt> +<dd> + + Bind to this address to listen for DNS connections. (Default: 127.0.0.1). + +</dd> +<dt class="hdlist1"> +ClientDNSRejectInternalAddresses 0|1 +</dt> +<dd> + + If true, Tor does not believe any anonymously retrieved DNS answer that + tells it that an address resolves to an internal address (like 127.0.0.1 or + 192.168.0.1). This option prevents certain browser-based attacks; don’t + turn it off unless you know what you’re doing. (Default: 1). + +</dd> +<dt class="hdlist1"> +DownloadExtraInfo 0|1 +</dt> +<dd> + + If true, Tor downloads and caches "extra-info" documents. These documents + contain information about servers other than the information in their + regular router descriptors. Tor does not use this information for anything + itself; to save bandwidth, leave this option turned off. (Default: 0). + +</dd> +<dt class="hdlist1"> +FallbackNetworkstatusFile FILENAME +</dt> +<dd> + + If Tor doesn’t have a cached networkstatus file, it starts out using this + one instead. Even if this file is out of date, Tor can still use it to + learn about directory mirrors, so it doesn’t need to put load on the + authorities. (Default: None). + +</dd> +<dt class="hdlist1"> +WarnPlaintextPorts port,port,… +</dt> +<dd> + + Tells Tor to issue a warnings whenever the user tries to make an anonymous + connection to one of these ports. This option is designed to alert users + to services that risk sending passwords in the clear. (Default: + 23,109,110,143). + +</dd> +<dt class="hdlist1"> +RejectPlaintextPorts port,port,… +</dt> +<dd> + + Like WarnPlaintextPorts, but instead of warning about risky port uses, Tor + will instead refuse to make the connection. (Default: None). + +</dd> +</dl></div> +</div> +<h2 id="_server_options">SERVER OPTIONS</h2> +<div class="sectionbody"> +<div class="paragraph">The following options are useful only for servers (that is, if ORPort +is non-zero):</div> +<div class="dlist"><dl> +<dt class="hdlist1"> +Address address +</dt> +<dd> + + The IP address or fully qualified domain name of this server (e.g. + moria.mit.edu) You can leave this unset, and Tor will guess your IP + address. + +</dd> +<dt class="hdlist1"> +AllowSingleHopExits 0|1 +</dt> +<dd> + + This option controls whether clients can use this server as a single hop + proxy. If set to 1, clients can use this server as an exit even if it is + the only hop in the circuit. Note that most clients will refuse to use + servers that set this option, since most clients have + ExcludeSingleHopRelays set. (Default: 0) + +</dd> +<dt class="hdlist1"> +AssumeReachable 0|1 +</dt> +<dd> + + This option is used when bootstrapping a new Tor network. If set to 1, + don’t do self-reachability testing; just upload your server descriptor + immediately. If AuthoritativeDirectory is also set, this option + instructs the dirserver to bypass remote reachability testing too and list + all connected servers as running. + +</dd> +<dt class="hdlist1"> +BridgeRelay 0|1 +</dt> +<dd> + + Sets the relay to act as a "bridge" with respect to relaying connections + from bridge users to the Tor network. It mainly causes Tor to publish a + server descriptor to the bridge database, rather than publishing a relay + descriptor to the public directory authorities. + +</dd> +<dt class="hdlist1"> +ContactInfo email_address +</dt> +<dd> + + Administrative contact information for server. This line might get picked + up by spam harvesters, so you may want to obscure the fact that it’s an + email address. + +</dd> +<dt class="hdlist1"> +ExitPolicy policy,policy,… +</dt> +<dd> + + Set an exit policy for this server. Each policy is of the form + "accept|reject ADDR[/MASK][:PORT]". If /MASK is + omitted then this policy just applies to the host given. Instead of giving + a host or network you can also use "*" to denote the universe (0.0.0.0/0). + PORT can be a single port number, an interval of ports + "FROM_PORT-TO_PORT", or "*". If PORT is omitted, that means + "*". + + For example, "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*" would + reject any traffic destined for MIT except for web.mit.edu, and accept + anything else. + + To specify all internal and link-local networks (including 0.0.0.0/8, + 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and + 172.16.0.0/12), you can use the "private" alias instead of an address. + These addresses are rejected by default (at the beginning of your exit + policy), along with your public IP address, unless you set the + ExitPolicyRejectPrivate config option to 0. For example, once you’ve done + that, you could allow HTTP to 127.0.0.1 and block all other connections to + internal networks with "accept 127.0.0.1:80,reject private:*", though that + may also allow connections to your own computer that are addressed to its + public (external) IP address. See RFC 1918 and RFC 3330 for more details + about internal and reserved IP address space. + + This directive can be specified multiple times so you don’t have to put it + all on one line. + + Policies are considered first to last, and the first match wins. If you + want to _replace_ the default exit policy, end your exit policy with + either a reject *:* or an accept *:*. Otherwise, you’re _augmenting_ + (prepending to) the default exit policy. The default exit policy is: + +<div class="literalblock"> +<div class="content"> +<pre><tt>reject *:25^M +reject *:119^M +reject *:135-139^M +reject *:445^M +reject *:563^M +reject *:1214^M +reject *:4661-4666^M +reject *:6346-6429^M +reject *:6699^M +reject *:6881-6999^M +accept *:*</tt></pre> +</div></div> +</dd> +<dt class="hdlist1"> +ExitPolicyRejectPrivate 0|1 +</dt> +<dd> + + Reject all private (local) networks, along with your own public IP address, + at the beginning of your exit policy. See above entry on ExitPolicy. + (Default: 1) + +</dd> +<dt class="hdlist1"> +MaxOnionsPending NUM +</dt> +<dd> + + If you have more than this number of onionskins queued for decrypt, reject + new ones. (Default: 100) + +</dd> +<dt class="hdlist1"> +MyFamily node,node,… +</dt> +<dd> + + Declare that this Tor server is controlled or administered by a group or + organization identical or similar to that of the other servers, defined by + their identity fingerprints or nicknames. When two servers both declare + that they are in the same 'family', Tor clients will not use them in the + same circuit. (Each server only needs to list the other servers in its + family; it doesn’t need to list itself, but it won’t hurt.) + +</dd> +<dt class="hdlist1"> +Nickname name +</dt> +<dd> + + Set the server’s nickname to 'name'. Nicknames must be between 1 and 19 + characters inclusive, and must contain only the characters [a-zA-Z0-9]. + +</dd> +<dt class="hdlist1"> +NumCPUs num +</dt> +<dd> + + How many processes to use at once for decrypting onionskins. (Default: 1) + +</dd> +<dt class="hdlist1"> +ORPort PORT +</dt> +<dd> + + Advertise this port to listen for connections from Tor clients and servers. + +</dd> +<dt class="hdlist1"> +ORListenAddress IP[:PORT] +</dt> +<dd> + + Bind to this IP address to listen for connections from Tor clients and + servers. If you specify a port, bind to this port rather than the one + specified in ORPort. (Default: 0.0.0.0) This directive can be specified + multiple times to bind to multiple addresses/ports. + +</dd> +<dt class="hdlist1"> +PublishServerDescriptor 0|1|v1|v2|v3|bridge,… +</dt> +<dd> + + This option specifies which descriptors Tor will publish when acting as + a relay. You can + choose multiple arguments, separated by commas. + + If this option is set to 0, Tor will not publish its + descriptors to any directories. (This is useful if you’re testing + out your server, or if you’re using a Tor controller that handles directory + publishing for you.) Otherwise, Tor will publish its descriptors of all + type(s) specified. The default is "1", + which means "if running as a server, publish the + appropriate descriptors to the authorities". + +</dd> +<dt class="hdlist1"> +ShutdownWaitLength NUM +</dt> +<dd> + + When we get a SIGINT and we’re a server, we begin shutting down: + we close listeners and start refusing new circuits. After NUM + seconds, we exit. If we get a second SIGINT, we exit immedi- + ately. (Default: 30 seconds) + +</dd> +<dt class="hdlist1"> +AccountingMax N bytes|KB|MB|GB|TB +</dt> +<dd> + + Never send more than the specified number of bytes in a given accounting + period, or receive more than that number in the period. For example, with + AccountingMax set to 1 GB, a server could send 900 MB and receive 800 MB + and continue running. It will only hibernate once one of the two reaches 1 + GB. When the number of bytes gets low, Tor will stop accepting new + connections and circuits. When the number of bytes + is exhausted, Tor will hibernate until some + time in the next accounting period. To prevent all servers from waking at + the same time, Tor will also wait until a random point in each period + before waking up. If you have bandwidth cost issues, enabling hibernation + is preferable to setting a low bandwidth, since it provides users with a + collection of fast servers that are up some of the time, which is more + useful than a set of slow servers that are always "available". + +</dd> +<dt class="hdlist1"> +AccountingStart day|week|month [day] HH:MM +</dt> +<dd> + + Specify how long accounting periods last. If month is given, each + accounting period runs from the time HH:MM on the dayth day of one + month to the same day and time of the next. (The day must be between 1 and + 28.) If week is given, each accounting period runs from the time HH:MM + of the dayth day of one week to the same day and time of the next week, + with Monday as day 1 and Sunday as day 7. If day is given, each + accounting period runs from the time HH:MM each day to the same time on + the next day. All times are local, and given in 24-hour time. (Defaults to + "month 1 0:00".) + +</dd> +<dt class="hdlist1"> +ServerDNSResolvConfFile filename +</dt> +<dd> + + Overrides the default DNS configuration with the configuration in + filename. The file format is the same as the standard Unix + "resolv.conf" file (7). This option, like all other ServerDNS options, + only affects name lookups that your server does on behalf of clients. + (Defaults to use the system DNS configuration.) + +</dd> +<dt class="hdlist1"> +ServerDNSAllowBrokenConfig 0|1 +</dt> +<dd> + + If this option is false, Tor exits immediately if there are problems + parsing the system DNS configuration or connecting to nameservers. + Otherwise, Tor continues to periodically retry the system nameservers until + it eventually succeeds. (Defaults to "1".) + +</dd> +<dt class="hdlist1"> +ServerDNSSearchDomains 0|1 +</dt> +<dd> + + If set to 1, then we will search for addresses in the local search domain. + For example, if this system is configured to believe it is in + "example.com", and a client tries to connect to "www", the client will be + connected to "www.example.com". This option only affects name lookups that + your server does on behalf of clients. (Defaults to "0".) + +</dd> +<dt class="hdlist1"> +ServerDNSDetectHijacking 0|1 +</dt> +<dd> + + When this option is set to 1, we will test periodically to determine + whether our local nameservers have been configured to hijack failing DNS + requests (usually to an advertising site). If they are, we will attempt to + correct this. This option only affects name lookups that your server does + on behalf of clients. (Defaults to "1".) + +</dd> +<dt class="hdlist1"> +ServerDNSTestAddresses address,address,… +</dt> +<dd> + + When we’re detecting DNS hijacking, make sure that these valid addresses + aren’t getting redirected. If they are, then our DNS is completely useless, + and we’ll reset our exit policy to "reject :". This option only affects + name lookups that your server does on behalf of clients. (Defaults to + "www.google.com, www.mit.edu, www.yahoo.com, www.slashdot.org".) + +</dd> +<dt class="hdlist1"> +ServerDNSAllowNonRFC953Hostnames 0|1 +</dt> +<dd> + + When this option is disabled, Tor does not try to resolve hostnames + containing illegal characters (like @ and :) rather than sending them to an + exit node to be resolved. This helps trap accidental attempts to resolve + URLs and so on. This option only affects name lookups that your server does + on behalf of clients. (Default: 0) + +</dd> +<dt class="hdlist1"> +BridgeRecordUsageByCountry 0|1 +</dt> +<dd> + + When this option is enabled and BridgeRelay is also enabled, and we have + GeoIP data, Tor keeps a keep a per-country count of how many client + addresses have contacted it so that it can help the bridge authority guess + which countries have blocked access to it. (Default: 1) + +</dd> +<dt class="hdlist1"> +ServerDNSRandomizeCase 0|1 +</dt> +<dd> + + When this option is set, Tor sets the case of each character randomly in + outgoing DNS requests, and makes sure that the case matches in DNS replies. + This so-called "0x20 hack" helps resist some types of DNS poisoning attack. + For more information, see "Increased DNS Forgery Resistance through + 0x20-Bit Encoding". This option only affects name lookups that your server + does on behalf of clients. (Default: 1) + +</dd> +<dt class="hdlist1"> +GeoIPFile filename +</dt> +<dd> + + A filename containing GeoIP data, for use with BridgeRecordUsageByCountry. + +</dd> +</dl></div> +</div> +<h2 id="_directory_server_options">DIRECTORY SERVER OPTIONS</h2> +<div class="sectionbody"> +<div class="paragraph">The following options are useful only for directory servers (that is, +if DirPort is non-zero):</div> +<div class="dlist"><dl> +<dt class="hdlist1"> +AuthoritativeDirectory 0|1 +</dt> +<dd> + + When this option is set to 1, Tor operates as an authoritative directory + server. Instead of caching the directory, it generates its own list of + good servers, signs it, and sends that to the clients. Unless the clients + already have you listed as a trusted directory, you probably do not want + to set this option. Please coordinate with the other admins at + <a href="mailto:tor-ops@torproject.org">tor-ops(a)torproject.org</a> if you think you should be a directory. + +</dd> +<dt class="hdlist1"> +DirPortFrontPage FILENAME +</dt> +<dd> + + When this option is set, it takes an HTML file and publishes it as "/" on + the DirPort. Now relay operators can provide a disclaimer without needing + to set up a separate webserver. There’s a sample disclaimer in + contrib/tor-exit-notice.html. + +</dd> +<dt class="hdlist1"> +V1AuthoritativeDirectory 0|1 +</dt> +<dd> + + When this option is set in addition to AuthoritativeDirectory, Tor + generates version 1 directory and running-routers documents (for legacy + Tor clients up to 0.1.0.x). + +</dd> +<dt class="hdlist1"> +V2AuthoritativeDirectory 0|1 +</dt> +<dd> + + When this option is set in addition to AuthoritativeDirectory, Tor + generates version 2 network statuses and serves descriptors, etc as + described in doc/spec/dir-spec-v2.txt (for Tor clients and servers running + 0.1.1.x and 0.1.2.x). + +</dd> +<dt class="hdlist1"> +V3AuthoritativeDirectory 0|1 +</dt> +<dd> + + When this option is set in addition to AuthoritativeDirectory, Tor + generates version 3 network statuses and serves descriptors, etc as + described in doc/spec/dir-spec.txt (for Tor clients and servers running at + least 0.2.0.x). + +</dd> +<dt class="hdlist1"> +VersioningAuthoritativeDirectory 0|1 +</dt> +<dd> + + When this option is set to 1, Tor adds information on which versions of + Tor are still believed safe for use to the published directory. Each + version 1 authority is automatically a versioning authority; version 2 + authorities provide this service optionally. See RecommendedVersions, + RecommendedClientVersions, and RecommendedServerVersions. + +</dd> +<dt class="hdlist1"> +NamingAuthoritativeDirectory 0|1 +</dt> +<dd> + + When this option is set to 1, then the server advertises that it has + opinions about nickname-to-fingerprint bindings. It will include these + opinions in its published network-status pages, by listing servers with + the flag "Named" if a correct binding between that nickname and fingerprint + has been registered with the dirserver. Naming dirservers will refuse to + accept or publish descriptors that contradict a registered binding. See + approved-routers in the FILES section below. + +</dd> +<dt class="hdlist1"> +HSAuthoritativeDir 0|1 +</dt> +<dd> + + When this option is set in addition to + AuthoritativeDirectory, Tor also accepts and serves hidden + service descriptors. (Default: 0) + +</dd> +<dt class="hdlist1"> +HSAuthorityRecordStats 0|1 +</dt> +<dd> + + When this option is set in addition to HSAuthoritativeDir, + Tor periodically (every 15 minutes) writes statistics about hidden service + usage to a file hsusage in its data directory. (Default: + 0) + +</dd> +<dt class="hdlist1"> +HidServDirectoryV2 0|1 +</dt> +<dd> + + When this option is set, Tor accepts and serves v2 hidden service + descriptors. Setting DirPort is not required for this, because clients + connect via the ORPort by default. (Default: 1) + +</dd> +<dt class="hdlist1"> +BridgeAuthoritativeDir 0|1 +</dt> +<dd> + + When this option is set in addition to AuthoritativeDirectory, Tor + accepts and serves router descriptors, but it caches and serves the main + networkstatus documents rather than generating its own. (Default: 0) + +</dd> +<dt class="hdlist1"> +MinUptimeHidServDirectoryV2 N seconds|minutes|hours|days|weeks +</dt> +<dd> + + Minimum uptime of a v2 hidden service directory to be accepted as such by + authoritative directories. (Default: 24 hours) + +</dd> +<dt class="hdlist1"> +DirPort PORT +</dt> +<dd> + + Advertise the directory service on this port. + +</dd> +<dt class="hdlist1"> +DirListenAddress IP[:PORT] +</dt> +<dd> + + Bind the directory service to this address. If you specify a port, bind to + this port rather than the one specified in DirPort. (Default: 0.0.0.0) + This directive can be specified multiple times to bind to multiple + addresses/ports. + +</dd> +<dt class="hdlist1"> +DirPolicy policy,policy,… +</dt> +<dd> + + Set an entrance policy for this server, to limit who can connect to the + directory ports. The policies have the same form as exit policies above. + +</dd> +</dl></div> +</div> +<h2 id="_directory_authority_server_options">DIRECTORY AUTHORITY SERVER OPTIONS</h2> +<div class="sectionbody"> +<div class="dlist"><dl> +<dt class="hdlist1"> +RecommendedVersions STRING +</dt> +<dd> + + STRING is a comma-separated list of Tor versions currently believed to be + safe. The list is included in each directory, and nodes which pull down the + directory learn whether they need to upgrade. This option can appear + multiple times: the values from multiple lines are spliced together. When + this is set then VersioningAuthoritativeDirectory should be set too. + +</dd> +<dt class="hdlist1"> +RecommendedClientVersions STRING +</dt> +<dd> + + STRING is a comma-separated list of Tor versions currently believed to be + safe for clients to use. This information is included in version 2 + directories. If this is not set then the value of RecommendedVersions + is used. When this is set then VersioningAuthoritativeDirectory should + be set too. + +</dd> +<dt class="hdlist1"> +RecommendedServerVersions STRING +</dt> +<dd> + + STRING is a comma-separated list of Tor versions currently believed to be + safe for servers to use. This information is included in version 2 + directories. If this is not set then the value of RecommendedVersions + is used. When this is set then VersioningAuthoritativeDirectory should + be set too. + +</dd> +<dt class="hdlist1"> +DirAllowPrivateAddresses 0|1 +</dt> +<dd> + + If set to 1, Tor will accept router descriptors with arbitrary "Address" + elements. Otherwise, if the address is not an IP address or is a private IP + address, it will reject the router descriptor. Defaults to 0. + +</dd> +<dt class="hdlist1"> +AuthDirBadDir AddressPattern… +</dt> +<dd> + + Authoritative directories only. A set of address patterns for servers that + will be listed as bad directories in any network status document this + authority publishes, if AuthDirListBadDirs is set. + +</dd> +<dt class="hdlist1"> +AuthDirBadExit AddressPattern… +</dt> +<dd> + + Authoritative directories only. A set of address patterns for servers that + will be listed as bad exits in any network status document this authority + publishes, if AuthDirListBadExits is set. + +</dd> +<dt class="hdlist1"> +AuthDirInvalid AddressPattern… +</dt> +<dd> + + Authoritative directories only. A set of address patterns for servers that + will never be listed as "valid" in any network status document that this + authority publishes. + +</dd> +<dt class="hdlist1"> +AuthDirReject AddressPattern… +</dt> +<dd> + + Authoritative directories only. A set of address patterns for servers that + will never be listed at all in any network status document that this + authority publishes, or accepted as an OR address in any descriptor + submitted for publication by this authority. + +</dd> +<dt class="hdlist1"> +AuthDirListBadDirs 0|1 +</dt> +<dd> + + Authoritative directories only. If set to 1, this directory has some + opinion about which nodes are unsuitable as directory caches. (Do not set + this to 1 unless you plan to list non-functioning directories as bad; + otherwise, you are effectively voting in favor of every declared + directory.) + +</dd> +<dt class="hdlist1"> +AuthDirListBadExits 0|1 +</dt> +<dd> + + Authoritative directories only. If set to 1, this directory has some + opinion about which nodes are unsuitable as exit nodes. (Do not set this to + 1 unless you plan to list non-functioning exits as bad; otherwise, you are + effectively voting in favor of every declared exit as an exit.) + +</dd> +<dt class="hdlist1"> +AuthDirRejectUnlisted 0|1 +</dt> +<dd> + + Authoritative directories only. If set to 1, the directory server rejects + all uploaded server descriptors that aren’t explicitly listed in the + fingerprints file. This acts as a "panic button" if we get hit with a Sybil + attack. (Default: 0) + +</dd> +<dt class="hdlist1"> +AuthDirMaxServersPerAddr NUM +</dt> +<dd> + + Authoritative directories only. The maximum number of servers that we will + list as acceptable on a single IP address. Set this to "0" for "no limit". + (Default: 2) + +</dd> +<dt class="hdlist1"> +AuthDirMaxServersPerAuthAddr NUM +</dt> +<dd> + + Authoritative directories only. Like AuthDirMaxServersPerAddr, but applies + to addresses shared with directory authorities. (Default: 5) + +</dd> +<dt class="hdlist1"> +V3AuthVotingInterval N minutes|hours +</dt> +<dd> + + V3 authoritative directories only. Configures the server’s preferred voting + interval. Note that voting will actually happen at an interval chosen + by consensus from all the authorities' preferred intervals. This time + SHOULD divide evenly into a day. (Default: 1 hour) + +</dd> +<dt class="hdlist1"> +V3AuthVoteDelay N minutes|hours +</dt> +<dd> + + V3 authoritative directories only. Configures the server’s preferred delay + between publishing its vote and assuming it has all the votes from all the + other authorities. Note that the actual time used is not the server’s + preferred time, but the consensus of all preferences. (Default: 5 minutes.) + +</dd> +<dt class="hdlist1"> +V3AuthDistDelay N minutes|hours +</dt> +<dd> + + V3 authoritative directories only. Configures the server’s preferred delay + between publishing its consensus and signature and assuming it has all the + signatures from all the other authorities. Note that the actual time used + is not the server’s preferred time, but the consensus of all preferences. + (Default: 5 minutes.) + +</dd> +<dt class="hdlist1"> +V3AuthNIntervalsValid NUM +</dt> +<dd> + + V3 authoritative directories only. Configures the number of VotingIntervals + for which each consensus should be valid for. Choosing high numbers + increases network partitioning risks; choosing low numbers increases + directory traffic. Note that the actual number of intervals used is not the + server’s preferred number, but the consensus of all preferences. Must be at + least 2. (Default: 3.) + +</dd> +</dl></div> +</div> +<h2 id="_hidden_service_options">HIDDEN SERVICE OPTIONS</h2> +<div class="sectionbody"> +<div class="paragraph">The following options are used to configure a hidden service.</div> +<div class="dlist"><dl> +<dt class="hdlist1"> +HiddenServiceDir DIRECTORY +</dt> +<dd> + + Store data files for a hidden service in DIRECTORY. Every hidden service + must have a separate directory. You may use this option multiple times to + specify multiple services. + +</dd> +<dt class="hdlist1"> +HiddenServicePort VIRTPORT [TARGET] +</dt> +<dd> + + Configure a virtual port VIRTPORT for a hidden service. You may use this + option multiple times; each time applies to the service using the most + recent hiddenservicedir. By default, this option maps the virtual port to + the same port on 127.0.0.1. You may override the target port, address, or + both by specifying a target of addr, port, or addr:port. You may also have + multiple lines with the same VIRTPORT: when a user connects to that + VIRTPORT, one of the TARGETs from those lines will be chosen at random. + +</dd> +<dt class="hdlist1"> +PublishHidServDescriptors 0|1 +</dt> +<dd> + + If set to 0, Tor will run any hidden services you configure, but it won’t + advertise them to the rendezvous directory. This option is only useful if + you’re using a Tor controller that handles hidserv publishing for you. + (Default: 1) + +</dd> +<dt class="hdlist1"> +HiddenServiceVersion version,version,… +</dt> +<dd> + + A list of rendezvous service descriptor versions to publish for the hidden + service. Currently, only version 2 is supported. (Default: 2) + +</dd> +<dt class="hdlist1"> +HiddenServiceAuthorizeClient auth-type client-name,client-name,… +</dt> +<dd> + + If configured, the hidden service is accessible for authorized clients + only. The auth-type can either be 'basic' for a general-purpose + authorization protocol or 'stealth' for a less scalable protocol that also + hides service activity from unauthorized clients. Only clients that are + listed here are authorized to access the hidden service. Valid client names + are 1 to 19 characters long and only use characters in A-Za-z0-9+-_ (no + spaces). If this option is set, the hidden service is not accessible for + clients without authorization any more. Generated authorization data can be + found in the hostname file. Clients need to put this authorization data in + their configuration file using HidServAuth. + +</dd> +<dt class="hdlist1"> +RendPostPeriod N seconds|minutes|hours|days|weeks +</dt> +<dd> + + Every time the specified period elapses, Tor uploads any rendezvous + service descriptors to the directory servers. This information is also + uploaded whenever it changes. (Default: 1 hour) + +</dd> +</dl></div> +</div> +<h2 id="_testing_network_options">TESTING NETWORK OPTIONS</h2> +<div class="sectionbody"> +<div class="paragraph">The following options are used for running a testing Tor network.</div> +<div class="dlist"><dl> +<dt class="hdlist1"> +TestingTorNetwork 0|1 +</dt> +<dd> + + If set to 1, Tor adjusts default values of the configuration options below, + so that it is easier to set up a testing Tor network. May only be set if + non-default set of DirServers is set. Cannot be unset while Tor is running. + (Default: 0) + +<div class="literalblock"> +<div class="content"> +<pre><tt>ServerDNSAllowBrokenConfig 1^M +DirAllowPrivateAddresses 1^M +EnforceDistinctSubnets 0^M +AssumeReachable 1^M +AuthDirMaxServersPerAddr 0^M +AuthDirMaxServersPerAuthAddr 0^M +ClientDNSRejectInternalAddresses 0^M +ExitPolicyRejectPrivate 0^M +V3AuthVotingInterval 5 minutes^M +V3AuthVoteDelay 20 seconds^M +V3AuthDistDelay 20 seconds^M +TestingV3AuthInitialVotingInterval 5 minutes^M +TestingV3AuthInitialVoteDelay 20 seconds^M +TestingV3AuthInitialDistDelay 20 seconds^M +TestingAuthDirTimeToLearnReachability 0 minutes^M +TestingEstimatedDescriptorPropagationTime 0 minutes</tt></pre> +</div></div> +</dd> +<dt class="hdlist1"> +TestingV3AuthInitialVotingInterval N minutes|hours +</dt> +<dd> + + Like V3AuthVotingInterval, but for initial voting interval before the first + consensus has been created. Changing this requires that + TestingTorNetwork is set. (Default: 30 minutes) + +</dd> +<dt class="hdlist1"> +TestingV3AuthInitialVoteDelay N minutes|hours +</dt> +<dd> + + Like TestingV3AuthInitialVoteDelay, but for initial voting interval before + the first consensus has been created. Changing this requires that + TestingTorNetwork is set. (Default: 5 minutes) + +</dd> +<dt class="hdlist1"> +TestingV3AuthInitialDistDelay N minutes|hours +</dt> +<dd> + + Like TestingV3AuthInitialDistDelay, but for initial voting interval before + the first consensus has been created. Changing this requires that + TestingTorNetwork is set. (Default: 5 minutes) + +</dd> +<dt class="hdlist1"> +TestingAuthDirTimeToLearnReachability N minutes|hours +</dt> +<dd> + + After starting as an authority, do not make claims about whether routers + are Running until this much time has passed. Changing this requires + that TestingTorNetwork is set. (Default: 30 minutes) + +</dd> +<dt class="hdlist1"> +TestingEstimatedDescriptorPropagationTime N minutes|hours +</dt> +<dd> + + Clients try downloading router descriptors from directory caches after this + time. Changing this requires that TestingTorNetwork is set. (Default: + 10 minutes) + +</dd> +</dl></div> +</div> +<h2 id="_signals">SIGNALS</h2> +<div class="sectionbody"> +<div class="paragraph">Tor catches the following signals:</div> +<div class="dlist"><dl> +<dt class="hdlist1"> +SIGTERM +</dt> +<dd> + + Tor will catch this, clean up and sync to disk if necessary, and exit. + +</dd> +<dt class="hdlist1"> +SIGINT +</dt> +<dd> + + Tor clients behave as with SIGTERM; but Tor servers will do a controlled + slow shutdown, closing listeners and waiting 30 seconds before exiting. + (The delay can be configured with the ShutdownWaitLength config option.) + +</dd> +<dt class="hdlist1"> +SIGHUP +</dt> +<dd> + + The signal instructs Tor to reload its configuration (including closing and + reopening logs), and kill and restart its helper processes if applicable. + +</dd> +<dt class="hdlist1"> +SIGUSR1 +</dt> +<dd> + + Log statistics about current connections, past connections, and throughput. + +</dd> +<dt class="hdlist1"> +SIGUSR2 +</dt> +<dd> + + Switch all logs to loglevel debug. You can go back to the old loglevels by + sending a SIGHUP. + +</dd> +<dt class="hdlist1"> +SIGCHLD +</dt> +<dd> + + Tor receives this signal when one of its helper processes has exited, so it + can clean up. + +</dd> +<dt class="hdlist1"> +SIGPIPE +</dt> +<dd> + + Tor catches this signal and ignores it. + +</dd> +<dt class="hdlist1"> +SIGXFSZ +</dt> +<dd> + + If this signal exists on your platform, Tor catches and ignores it. + +</dd> +</dl></div> +</div> +<h2 id="_files">FILES</h2> +<div class="sectionbody"> +<div class="dlist"><dl> +<dt class="hdlist1"> +@CONFDIR@/torrc +</dt> +<dd> + + The configuration file, which contains "option value" pairs. + +</dd> +<dt class="hdlist1"> +@LOCALSTATEDIR@/lib/tor/ +</dt> +<dd> + + The tor process stores keys and other data here. + +</dd> +<dt class="hdlist1"> +DataDirectory/cached-status/ +</dt> +<dd> + + The most recently downloaded network status document for each authority. + Each file holds one such document; the filenames are the hexadecimal + identity key fingerprints of the directory authorities. + +</dd> +<dt class="hdlist1"> +DataDirectory/cached-descriptors and cached-descriptors.new +</dt> +<dd> + + These files hold downloaded router statuses. Some routers may appear more + than once; if so, the most recently published descriptor is used. Lines + beginning with @-signs are annotations that contain more information about + a given router. The ".new" file is an append-only journal; when it gets + too large, all entries are merged into a new cached-descriptors file. + +</dd> +<dt class="hdlist1"> +DataDirectory/cached-routers and cached-routers.new +</dt> +<dd> + + Obsolete versions of cached-descriptors and cached-descriptors.new. When + Tor can’t find the newer files, it looks here instead. + +</dd> +<dt class="hdlist1"> +DataDirectory/state +</dt> +<dd> + + A set of persistent key-value mappings. These are documented in + the file. These include: + +<div class="ulist"><ul> +<li> + +The current entry guards and their status. + +</li> +<li> + +The current bandwidth accounting values (unused so far; see + below). + +</li> +<li> + +When the file was last written + +</li> +<li> + +What version of Tor generated the state file + +</li> +<li> + +A short history of bandwidth usage, as produced in the router + descriptors. + +</li> +</ul></div> +</dd> +<dt class="hdlist1"> +DataDirectory/bw_accounting +</dt> +<dd> + + Used to track bandwidth accounting values (when the current period starts + and ends; how much has been read and written so far this period). This file + is obsolete, and the data is now stored in the 'state' file as well. Only + used when bandwidth accounting is enabled. + +</dd> +<dt class="hdlist1"> +DataDirectory/control_auth_cookie +</dt> +<dd> + + Used for cookie authentication with the controller. Location can be + overridden by the CookieAuthFile config option. Regenerated on startup. See + control-spec.txt for details. Only used when cookie authentication is + enabled. + +</dd> +<dt class="hdlist1"> +DataDirectory/keys/* +</dt> +<dd> + + Only used by servers. Holds identity keys and onion keys. + +</dd> +<dt class="hdlist1"> +DataDirectory/fingerprint +</dt> +<dd> + + Only used by servers. Holds the fingerprint of the server’s identity key. + +</dd> +<dt class="hdlist1"> +DataDirectory/approved-routers +</dt> +<dd> + + Only for naming authoritative directory servers (see + NamingAuthoritativeDirectory). This file lists nickname to identity + bindings. Each line lists a nickname and a fingerprint separated by + whitespace. See your fingerprint file in the DataDirectory for an + example line. If the nickname is !reject then descriptors from the + given identity (fingerprint) are rejected by this server. If it is + !invalid then descriptors are accepted but marked in the directory as + not valid, that is, not recommended. + +</dd> +<dt class="hdlist1"> +DataDirectory/router-stability +</dt> +<dd> + + Only used by authoritative directory servers. Tracks measurements for + router mean-time-between-failures so that authorities have a good idea of + how to set their Stable flags. + +</dd> +<dt class="hdlist1"> +HiddenServiceDirectory/hostname +</dt> +<dd> + + The <base32-encoded-fingerprint>.onion domain name for this hidden service. + If the hidden service is restricted to authorized clients only, this file + also contains authorization data for all clients. + +</dd> +<dt class="hdlist1"> +HiddenServiceDirectory/private_key +</dt> +<dd> + + The private key for this hidden service. + +</dd> +<dt class="hdlist1"> +HiddenServiceDirectory/client_keys +</dt> +<dd> + + Authorization data for a hidden service that is only accessible by + authorized clients. + +</dd> +</dl></div> +</div> +<h2 id="_see_also">SEE ALSO</h2> +<div class="sectionbody"> +<div class="paragraph">privoxy(1), tsocks(1), torify(1) </div> +<div class="paragraph">https://www.torproject.org/</div> +</div> +<h2 id="_bugs">BUGS</h2> +<div class="sectionbody"> +<div class="paragraph">Plenty, probably. Tor is still in development. Please report them.</div> +</div> +<h2 id="_authors">AUTHORS</h2> +<div class="sectionbody"> +<div class="paragraph">Roger Dingledine [arma at mit.edu] Nick Mathewson [nickm at alum.mit.edu]</div> +</div> +</div>  - <div id = "sidecol"> +<div id = "sidecol"> #include "side.wmi" #include "info.wmi" - </div> -  </div> + +</div>  -#include <foot.wmi> +#include <foot.wmi> Modified: website/trunk/docs/fr/sidenav.wmi =================================================================== --- website/trunk/docs/fr/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434) +++ website/trunk/docs/fr/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435) @@ -61,9 +61,9 @@ {'url' => 'docs/running-a-mirror', 'txt' => 'Configuring a Mirror', }, -# {'url' => 'docs/tor-manual', -# 'txt' => 'Tor -stable Manual', -# }, + {'url' => 'docs/tor-manual', + 'txt' => 'Tor -stable Manual', + }, {'url' => 'docs/tor-manual-dev', 'txt' => 'Tor -alpha Manual', }, Modified: website/trunk/docs/my/sidenav.wmi =================================================================== --- website/trunk/docs/my/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434) +++ website/trunk/docs/my/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435) @@ -61,9 +61,9 @@ {'url' => 'docs/running-a-mirror', 'txt' => 'Configuring a Mirror', }, -# {'url' => 'docs/tor-manual', -# 'txt' => 'Tor -stable Manual', -# }, + {'url' => 'docs/tor-manual', + 'txt' => 'Tor -stable Manual', + }, {'url' => 'docs/tor-manual-dev', 'txt' => 'Tor -alpha Manual', }, Modified: website/trunk/docs/pl/sidenav.wmi =================================================================== --- website/trunk/docs/pl/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434) +++ website/trunk/docs/pl/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435) @@ -61,9 +61,9 @@ {'url' => 'docs/running-a-mirror', 'txt' => 'Configuring a Mirror', }, -# {'url' => 'docs/tor-manual', -# 'txt' => 'Tor -stable Manual', -# }, + {'url' => 'docs/tor-manual', + 'txt' => 'Tor -stable Manual', + }, {'url' => 'docs/tor-manual-dev', 'txt' => 'Tor -alpha Manual', }, Modified: website/trunk/docs/ru/sidenav.wmi =================================================================== --- website/trunk/docs/ru/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434) +++ website/trunk/docs/ru/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435) @@ -61,9 +61,9 @@ {'url' => 'docs/running-a-mirror', 'txt' => 'Configuring a Mirror', }, -# {'url' => 'docs/tor-manual', -# 'txt' => 'Tor -stable Manual', -# }, + {'url' => 'docs/tor-manual', + 'txt' => 'Tor -stable Manual', + }, {'url' => 'docs/tor-manual-dev', 'txt' => 'Tor -alpha Manual', },

1 0

[metrics-tasks/master] Add code to extract and transform dirreqs from the metrics-web database.
by karsten＠torproject.org 25 Mar '11

25 Mar '11

commit 34ff5894093706ceee424968c1ed18cd729ed7d9 Author: Karsten Loesing <karsten.loesing(a)gmx.net> Date: Fri Mar 25 13:45:27 2011 +0100 Add code to extract and transform dirreqs from the metrics-web database. --- task-2718/.gitignore | 2 +- task-2718/README | 22 ++++++++++++++++++++++ task-2718/convert-dirreqs-sql.R | 8 ++++++++ 3 files changed, 31 insertions(+), 1 deletions(-) diff --git a/task-2718/.gitignore b/task-2718/.gitignore index 673fa5f..917bb1b 100644 --- a/task-2718/.gitignore +++ b/task-2718/.gitignore @@ -1,3 +1,3 @@ -direct-users.csv +*.csv *.pdf diff --git a/task-2718/README b/task-2718/README index 807142a..8c60847 100644 --- a/task-2718/README +++ b/task-2718/README @@ -3,3 +3,25 @@ Here's how you run the censorship detector prototype: $ wget https://metrics.torproject.org/csv/direct-users.csv $ R --slave -f detect-censorship.R +------------------------------------------------------------------------- + +Extracting raw directory requests from the metrics-web database: + +- Export dirreq_stats table from the metrics-web database via psql: + + # \f ',' + # \a + # \t + # \o dirreqs-sql.csv + # SELECT * FROM dirreq_stats ORDER BY statsend; + # \o + # \t + # \a + +- Transform the huge (!) CSV file (104M) from long to wide format. Note + that this takes a while: + + $ R --slave -f convert-dirreqs-sql.R + +- The result is in dirreqs.csv (8.8M). + diff --git a/task-2718/convert-dirreqs-sql.R b/task-2718/convert-dirreqs-sql.R new file mode 100644 index 0000000..e330307 --- /dev/null +++ b/task-2718/convert-dirreqs-sql.R @@ -0,0 +1,8 @@ +library(ggplot2) +data <- read.csv("dirreqs-sql.csv", header = FALSE) +data <- data.frame(fingerprint = data$V1, statsend = data$V2, + seconds = data$V3, country = data$V4, requests = data$V5) +data <- cast(data, fingerprint + statsend + seconds ~ country, + value = "requests") +write.csv(data, file = "dirreqs.csv", quote = FALSE, row.names = FALSE) +

1 0

r24434: {website} move robert and chiiph to the core people page (website/trunk/about/en)
by Roger Dingledine 25 Mar '11

25 Mar '11

Author: arma Date: 2011-03-25 09:48:18 +0000 (Fri, 25 Mar 2011) New Revision: 24434 Modified: website/trunk/about/en/corepeople.wml website/trunk/about/en/volunteers.wml Log: move robert and chiiph to the core people page Modified: website/trunk/about/en/corepeople.wml =================================================================== --- website/trunk/about/en/corepeople.wml 2011-03-25 02:30:48 UTC (rev 24433) +++ website/trunk/about/en/corepeople.wml 2011-03-25 09:48:18 UTC (rev 24434) @@ -136,6 +136,10 @@ Tor network and measures various properties and behaviors. Developer and maintainer of <a href="<page torbutton/index>">Torbutton</a>.</dd> + <dt>Robert Ransom</dt> + <dd>Bug catcher and immensely helpful on irc and the + email lists. Looking into hidden service performance and + robustness.</dd> <dt>Karen Reilly, Development Director</dt> <dd>Responsible for fundraising, advocacy, general marketing, policy outreach programs for Tor. She is also available to @@ -160,6 +164,9 @@ <dd>Works on the artwork and design for various projects, annual reports, and brochures. His other work can be found at <a href="http://jmtodaro.com/">http://jmtodaro.com/</a>.</dd> + <dt>Tomás Touceda</dt> + <dd>Maintenance and new development for Vidalia.</dd> + </dl> </div>  Modified: website/trunk/about/en/volunteers.wml =================================================================== --- website/trunk/about/en/volunteers.wml 2011-03-25 02:30:48 UTC (rev 24433) +++ website/trunk/about/en/volunteers.wml 2011-03-25 09:48:18 UTC (rev 24434) @@ -36,8 +36,6 @@ defenses, and resource management, especially for hidden services.</dd> <dt>Martin Peck</dt><dd>Working on a VM-based transparent proxying approach for Tor clients on Windows.</dd> -<dt>Robert Ransom</dt><dd>Bug catcher and immensely helpful on irc and the -email lists</dd> <dt>rovv (a pseudonym -- he's managed to stay anonymous even from us!)</dt><dd>The most dedicated bug reporter we've ever heard from. He must read Tor source code every day over breakfast.</dd> @@ -46,8 +44,6 @@ href="<wiki>TransparentProxy">transparent proxy</a>. Also maintains the <a href="http://p56soo2ibjkx23xo.onion/">TorDNSEL code</a>.</dd> -<dt>Tomás Touceda</dt><dd>Fantastic developer involved with the Vidalia -project</dd> <dt>Kyle Williams</dt><dd>Developer for JanusVM, a VMWare-based transparent Tor proxy that makes Tor easier to set up and use.</dd>

1 0

[metrics-tasks/master] Add George's censorship detector script.
by karsten＠torproject.org 25 Mar '11

25 Mar '11

commit f5d257dff6af41dbbe33ab20c5bbb218a38c8cd8 Author: Karsten Loesing <karsten.loesing(a)gmx.net> Date: Fri Mar 25 10:29:38 2011 +0100 Add George's censorship detector script. --- task-2718/detector.py | 306 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 306 insertions(+), 0 deletions(-) diff --git a/task-2718/detector.py b/task-2718/detector.py new file mode 100644 index 0000000..0370d02 --- /dev/null +++ b/task-2718/detector.py @@ -0,0 +1,306 @@ +## Copyright (c) 2011 George Danezis <gdane(a)microsoft.com> +## +## All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted (subject to the limitations in the +## disclaimer below) provided that the following conditions are met: +## +## * Redistributions of source code must retain the above copyright +## notice, this list of conditions and the following disclaimer. +## +## * Redistributions in binary form must reproduce the above copyright +## notice, this list of conditions and the following disclaimer in the +## documentation and/or other materials provided with the +## distribution. +## +## * Neither the name of <Owner Organization> nor the names of its +## contributors may be used to endorse or promote products derived +## from this software without specific prior written permission. +## +## NO EXPRESS OR IMPLIED LICENSES TO ANY PARTY'S PATENT RIGHTS ARE +## GRANTED BY THIS LICENSE. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT +## HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED +## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +## DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +## LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +## BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +## WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +## OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +## IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +## +## (Clear BSD license: http://labs.metacarta.com/license-explanation.html#license) + +## This script reads a .csv file of the number of Tor users and finds +## anomalies that might be indicative of censorship. + +# Dep: matplotlib +from pylab import * +import matplotlib + +# Dep: numpy +import numpy + +# Dep: scipy +import scipy.stats +from scipy.stats.distributions import norm +from scipy.stats.distributions import poisson + +# Std lib +from datetime import date +from datetime import timedelta +import os.path + +days = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"] + +# read the .csv file +class torstatstore: + def __init__(self, file_name): + f = file(file_name) + country_codes = f.readline() + country_codes = country_codes.strip().split(",") + + store = {} + MAX_INDEX = 0 + for i, line in enumerate(f): + MAX_INDEX += 1 + line_parsed = line.strip().split(",") + for j, (ccode, val) in enumerate(zip(country_codes,line_parsed)): + processed_val = None + if ccode == "date": + try: + year, month, day = int(val[:4]), int(val[5:7]), int(val[8:10]) + processed_val = date(year, month, day) + except Exception, e: + print "Parsing error (ignoring line %s):" % j + print "%s" % val,e + break + + elif val != "NA": + processed_val = int(val) + store[(ccode, i)] = processed_val + + # min and max + date_min = store[("date", 0)] + date_max = store[("date", i)] + + all_dates = [] + d = date_min + dt = timedelta(days=1) + while d <= date_max: + all_dates += [d] + d = d + dt + + # Save for later + self.store = store + self.all_dates = all_dates + self.country_codes = country_codes + self.MAX_INDEX = MAX_INDEX + self.date_min = date_min + self.date_max = date_max + + def get_country_series(self, ccode): + assert ccode in self.country_codes + series = {} + for d in self.all_dates: + series[d] = None + for i in range(self.MAX_INDEX): + series[self.store[("date", i)]] = self.store[(ccode, i)] + sx = [] + for d in self.all_dates: + sx += [series[d]] + return sx + + def get_largest(self, number): + exclude = set(["all", "??", "date"]) + l = [(self.store[(c, self.MAX_INDEX-1)], c) for c in self.country_codes if c not in exclude] + l.sort() + l.reverse() + return l[:number] + + def get_largest_locations(self, number): + l = self.get_largest(number) + res = {} + for _, ccode in l[:number]: + res[ccode] = self.get_country_series(ccode) + return res + +# Computes the difference between today and a number of days in the past +def n_day_rel(series, days): + rel = [] + for i, v in enumerate(series): + if series[i] is None: + rel += [None] + continue + + if i - days < 0 or series[i-days] is None or series[i-days] == 0: + rel += [None] + else: + rel += [ float(series[i]) / series[i-days]] + return rel + +# Main model: computes the expected min / max range of number of users +def make_tendencies_minmax(l, INTERVAL = 1): + lminus1 = dict([(ccode, n_day_rel(l[ccode], INTERVAL)) for ccode in l]) + c = lminus1[lminus1.keys()[0]] + dists = [] + minx = [] + maxx = [] + for i in range(len(c)): + vals = [lminus1[ccode][i] for ccode in lminus1.keys() if lminus1[ccode][i] != None] + if len(vals) < 8: + dists += [None] + minx += [None] + maxx += [None] + else: + vals.sort() + median = vals[len(vals)/2] + q1 = vals[len(vals)/4] + q2 = vals[(3*len(vals))/4] + qd = q2 - q1 + vals = [v for v in vals if median - qd*4 < v and v < median + qd*4] + if len(vals) < 8: + dists += [None] + minx += [None] + maxx += [None] + continue + mu, signma = norm.fit(vals) + dists += [(mu, signma)] + maxx += [norm.ppf(0.9999, mu, signma)] + minx += [norm.ppf(1 - 0.9999, mu, signma)] + ## print minx[-1], maxx[-1] + return minx, maxx + +# Makes pretty plots +def raw_plot(series, minc, maxc, labels, xtitle): + assert len(xtitle) == 3 + fname, stitle, slegend = xtitle + + font = {'family' : 'Bitstream Vera Sans', + 'weight' : 'normal', + 'size' : 8} + matplotlib.rc('font', **font) + + ylim( (-max(series)*0.1, max(series)*1.1) ) + plot(labels, series, linewidth=1.0, label="Users") + + wherefill = [] + for mm,mx in zip(minc, maxc): + wherefill += [not (mm == None and mx == None)] + assert mm < mx or (mm == None and mx == None) + + fill_between(labels, minc, maxc, where=wherefill, color="gray", label="Prediction") + + vdown = [] + vup = [] + for i,v in enumerate(series): + if minc[i] != None and v < minc[i]: + vdown += [v] + vup += [None] + elif maxc[i] != None and v > maxc[i]: + vdown += [None] + vup += [v] + else: + vup += [None] + vdown += [None] + + plot(labels, vdown, 'o', ms=10, lw=2, alpha=0.5, mfc='orange', label="Downturns") + plot(labels, vup, 'o', ms=10, lw=2, alpha=0.5, mfc='green', label="Upturns") + + legend(loc=2) + + xlabel('Time (days)') + ylabel('Users') + title(stitle) + grid(True) + F = gcf() + + F.set_size_inches(10,5) + F.savefig(fname, format="png", dpi = (150)) + close() + +def absolute_plot(series, minc, maxc, labels,INTERVAL, xtitle): + in_minc = [] + in_maxc = [] + for i, v in enumerate(series): + if i > 0 and i - INTERVAL >= 0 and series[i] != None and series[i-INTERVAL] != None and series[i-INTERVAL] != 0 and minc[i]!= None and maxc[i]!= None: + in_minc += [minc[i] * poisson.ppf(1-0.9999, series[i-INTERVAL])] + in_maxc += [maxc[i] * poisson.ppf(0.9999, series[i-INTERVAL])] + if not in_minc[-1] < in_maxc[-1]: + print in_minc[-1], in_maxc[-1], series[i-INTERVAL], minc[i], maxc[i] + assert in_minc[-1] < in_maxc[-1] + else: + in_minc += [None] + in_maxc += [None] + raw_plot(series, in_minc, in_maxc, labels, xtitle) + +# Censorship score by jurisdiction +def censor_score(series, minc, maxc, INTERVAL): + upscore = 0 + downscore = 0 + for i, v in enumerate(series): + if i > 0 and i - INTERVAL >= 0 and series[i] != None and series[i-INTERVAL] != None and series[i-INTERVAL] != 0 and minc[i]!= None and maxc[i]!= None: + in_minc = minc[i] * poisson.ppf(1-0.9999, series[i-INTERVAL]) + in_maxc = maxc[i] * poisson.ppf(0.9999, series[i-INTERVAL]) + downscore += 1 if minc[i] != None and v < in_minc else 0 + upscore += 1 if maxc[i] != None and v > in_maxc else 0 + return downscore, upscore + +def plot_target(tss, TARGET, xtitle, minx, maxx, DAYS=365, INTERV = 7): + ctarget = tss.get_country_series(TARGET) + c = n_day_rel(ctarget, INTERV) + absolute_plot(ctarget[-DAYS:], minx[-DAYS:], maxx[-DAYS:], tss.all_dates[-DAYS:],INTERV, xtitle = xtitle) + + +## Make a league table of censorship + nice graphs +def plot_all(tss, minx, maxx, INTERV, DAYS=None, rdir="img"): + rdir = os.path.realpath(rdir) + if not os.path.exists(rdir) or not os.path.isdir(rdir): + print "ERROR: %s does not exist or is not a directory." % rdir + return + + summary_file = file(os.path.join(rdir, "summary.txt"), "w") + + if DAYS == None: + DAYS = 6*31 + + s = tss.get_largest(200) + scores = [] + for num, li in s: + print ".", + ds,us = censor_score(tss.get_country_series(li)[-DAYS:], minx[-DAYS:], maxx[-DAYS:], INTERV) + # print ds, us + scores += [(ds,num, us, li)] + scores.sort() + scores.reverse() + s = "\n=======================\n" + s+= "Report for %s to %s\n" % (tss.all_dates[-DAYS], tss.all_dates[-1]) + s+= "=======================\n" + print s + summary_file.write(s) + for a,nx, b,c in scores: + if a > 0: + s = "%s -- down: %2d (up: %2d affected: %s)" % (c, a, b, nx) + print s + summary_file.write(s + "\n") + xtitle = (os.path.join(rdir, "%03d-%s-censor.png" % (a,c)), "Tor report for %s -- down: %2d (up: %2d affected: %s)" % (c, a, b, nx),"") + plot_target(tss, c,xtitle, minx, maxx, DAYS, INTERV) + summary_file.close() + +def main(): + # Change these to customize script + CSV_FILE = "direct-users.csv" + GRAPH_DIR = "img" + INTERV = 7 + DAYS= 6 * 31 + + tss = torstatstore(CSV_FILE) + l = tss.get_largest_locations(50) + minx, maxx = make_tendencies_minmax(l, INTERV) + plot_all(tss, minx, maxx, INTERV, DAYS, rdir=GRAPH_DIR) + +if __name__ == "__main__": + main()

1 0

r24433: {arm} Couple small fixes: fix: using Tor's internal address when n (arm/trunk/src/interface/connections)
by Damian Johnson 25 Mar '11

25 Mar '11

Author: atagar Date: 2011-03-25 02:30:48 +0000 (Fri, 25 Mar 2011) New Revision: 24433 Modified: arm/trunk/src/interface/connections/connEntry.py Log: Couple small fixes: fix: using Tor's internal address when not expanding (patch by Fabian Keil) fix: sorting scrubbed ip addresses at the end Modified: arm/trunk/src/interface/connections/connEntry.py =================================================================== --- arm/trunk/src/interface/connections/connEntry.py 2011-03-24 10:56:13 UTC (rev 24432) +++ arm/trunk/src/interface/connections/connEntry.py 2011-03-25 02:30:48 UTC (rev 24433) @@ -29,6 +29,9 @@ LABEL_FORMAT = "%s --> %s %s%s" LABEL_MIN_PADDING = 2 # min space between listing label and following data +# sort value for scrubbed ip addresses +SCRUBBED_IP_VAL = 255 ** 4 + CONFIG = {"features.connection.markInitialConnections": True, "features.connection.showExitPort": True, "features.connection.showColumn.fingerprint": True, @@ -149,25 +152,28 @@ Provides the value of a single attribute used for sorting purposes. """ + connLine = self.lines[0] if attr == entries.SortAttr.IP_ADDRESS: - return self.lines[0].sortIpAddr + if connLine.isPrivate(): return SCRUBBED_IP_VAL # orders at the end + return connLine.sortIpAddr elif attr == entries.SortAttr.PORT: - return self.lines[0].sortPort + return connLine.sortPort elif attr == entries.SortAttr.HOSTNAME: - return self.lines[0].foreign.getHostname("") + if connLine.isPrivate(): return "" + return connLine.foreign.getHostname("") elif attr == entries.SortAttr.FINGERPRINT: - return self.lines[0].foreign.getFingerprint() + return connLine.foreign.getFingerprint() elif attr == entries.SortAttr.NICKNAME: - myNickname = self.lines[0].foreign.getNickname() + myNickname = connLine.foreign.getNickname() if myNickname == "UNKNOWN": return "z" * 20 # orders at the end else: return myNickname.lower() elif attr == entries.SortAttr.CATEGORY: - return Category.indexOf(self.lines[0].getType()) + return Category.indexOf(connLine.getType()) elif attr == entries.SortAttr.UPTIME: - return self.lines[0].startTime + return connLine.startTime elif attr == entries.SortAttr.COUNTRY: if connections.isIpAddressPrivate(self.lines[0].foreign.getIpAddr()): return "" - else: return self.lines[0].foreign.getLocale("") + else: return connLine.foreign.getLocale("") else: return entries.ConnectionPanelEntry.getSortValue(self, attr, listingType) @@ -508,7 +514,8 @@ isExpansionType = not myType in (Category.PROGRAM, Category.CONTROL) - srcAddress = myExternalIpAddr + localPort + if isExpansionType: srcAddress = myExternalIpAddr + localPort + else: srcAddress = self.local.getIpAddr() + localPort src = "%-21s" % srcAddress # ip:port = max of 21 characters dst = "%-26s" % dstAddress # ip:port (xx) = max of 26 characters

1 0

[metrics-tasks/master] Add code for bridge churn graph (#2794).
by karsten＠torproject.org 24 Mar '11

24 Mar '11

commit 8dde11c31d385d92d3dc41032438b62b693f6daf Author: Karsten Loesing <karsten.loesing(a)gmx.net> Date: Thu Mar 24 16:05:35 2011 +0100 Add code for bridge churn graph (#2794). --- task-2794/.gitignore | 4 + task-2794/README | 12 +++ task-2794/StillRunning.java | 139 +++++++++++++++++++++++++++++++++++++ task-2794/still-running-bridges.R | 15 ++++ 4 files changed, 170 insertions(+), 0 deletions(-) diff --git a/task-2794/.gitignore b/task-2794/.gitignore new file mode 100644 index 0000000..939f812 --- /dev/null +++ b/task-2794/.gitignore @@ -0,0 +1,4 @@ +*.csv +*.class +*.png + diff --git a/task-2794/README b/task-2794/README new file mode 100644 index 0000000..311c5b5 --- /dev/null +++ b/task-2794/README @@ -0,0 +1,12 @@ +Code to create a graph on "Uptimes of bridges that were running Jan 2, +2011, 00:00:00 UTC": + + - Generate assignments.csv and statuses.csv using the #2680 code and put + them in this directory. + + - Compile and run the Java class: + $ javac StillRunning.java && java StillRunning + + - Run the R code (note that this may take a few minutes!): + $ R --slave -f still-running-bridges.R + diff --git a/task-2794/StillRunning.java b/task-2794/StillRunning.java new file mode 100644 index 0000000..111c085 --- /dev/null +++ b/task-2794/StillRunning.java @@ -0,0 +1,139 @@ +import java.io.*; +import java.util.*; +public class StillRunning { + public static void main(String[] args) throws Exception { + + /* Parse bridge pool assignments. */ + Map<String, String> assignments = new HashMap<String, String>(); + BufferedReader br = new BufferedReader(new FileReader( + "assignments.csv")); + String line = br.readLine(); + while ((line = br.readLine()) != null) { + String[] parts = line.split(","); + String fingerprint = parts[1]; + String type = parts[2]; + assignments.put(fingerprint, type); + } + br.close(); + + /* Parse running bridges in first status of the second day in the data + * set. */ + br = new BufferedReader(new FileReader("statuses.csv")); + line = br.readLine(); + if (!line.split(",")[15].equals("running")) { + System.out.println("Column 16 should be 'running'"); + System.exit(1); + } + String dayOne = null, lastStatus = null; + List<String> fingerprints = new ArrayList<String>(); + Map<String, String> addresses = new HashMap<String, String>(); + while ((line = br.readLine()) != null) { + String[] parts = line.split(","); + String status = parts[0]; + if (dayOne == null) { + dayOne = status.substring(0, "yyyy-mm-dd".length()); + } else if (status.startsWith(dayOne)) { + continue; + } + String running = parts[15]; + if (!running.equals("TRUE")) { + continue; + } + if (lastStatus != null && !status.equals(lastStatus)) { + break; + } + lastStatus = status; + String fingerprint = parts[1]; + fingerprints.add(fingerprint); + String address = parts[4]; + addresses.put(fingerprint, address); + } + + /* Parse subsequent statuses and count how often these bridges + * occur. */ + Map<String, Integer> + fingerprintAnyCount = new HashMap<String, Integer>(), + fingerprintSameCount = new HashMap<String, Integer>(); + for (String fingerprint : fingerprints) { + fingerprintAnyCount.put(fingerprint, 1); + fingerprintSameCount.put(fingerprint, 1); + } + do { + String[] parts = line.split(","); + String status = parts[0]; + String running = parts[15]; + if (!running.equals("TRUE")) { + continue; + } + String fingerprint = parts[1]; + if (!fingerprints.contains(fingerprint)) { + continue; + } + fingerprintAnyCount.put(fingerprint, + fingerprintAnyCount.get(fingerprint) + 1); + String address = parts[4]; + if (addresses.get(fingerprint).equals(address)) { + fingerprintSameCount.put(fingerprint, + fingerprintSameCount.get(fingerprint) + 1); + } + } while ((line = br.readLine()) != null); + + /* Create two lists of fingerprints, ordered by the number of + * occurrences. */ + SortedMap<String, String> + sortAnyFingerprints = new TreeMap<String, String>(), + sortSameFingerprints = new TreeMap<String, String>(); + for (Map.Entry<String, Integer> e : fingerprintAnyCount.entrySet()) { + sortAnyFingerprints.put(String.format("%05d %s", e.getValue(), + e.getKey()), e.getKey()); + } + List<String> sortedAnyFingerprints = new ArrayList<String>( + sortAnyFingerprints.values()); + for (Map.Entry<String, Integer> e : fingerprintSameCount.entrySet()) { + sortSameFingerprints.put(String.format("%05d %s", e.getValue(), + e.getKey()), e.getKey()); + } + List<String> sortedSameFingerprints = new ArrayList<String>( + sortSameFingerprints.values()); + + /* Write bridges of first status to disk. */ + BufferedWriter bw = new BufferedWriter(new FileWriter( + "still-running-bridges.csv")); + bw.write("status,anyid,sameid,type,addresschange\n"); + for (String fingerprint : sortedAnyFingerprints) { + bw.write(lastStatus + "," + + sortedAnyFingerprints.indexOf(fingerprint) + "," + + sortedSameFingerprints.indexOf(fingerprint) + "," + + assignments.get(fingerprint) + ",FALSE\n"); + } + + /* Parse statuses once again and write bridges to disk. */ + br = new BufferedReader(new FileReader("statuses.csv")); + line = br.readLine(); + while ((line = br.readLine()) != null) { + String[] parts = line.split(","); + String status = parts[0]; + if (status.startsWith(dayOne)) { + continue; + } + String running = parts[15]; + if (!running.equals("TRUE")) { + continue; + } + String fingerprint = parts[1]; + if (!fingerprints.contains(fingerprint)) { + continue; + } + String address = parts[4]; + boolean addressChange = !addresses.get(fingerprint).equals(address); + bw.write(status + "," + + sortedAnyFingerprints.indexOf(fingerprint) + "," + + sortedSameFingerprints.indexOf(fingerprint) + "," + + assignments.get(fingerprint) + "," + + (addressChange ? "TRUE" : "FALSE") + "\n"); + } + bw.close(); + br.close(); + } +} + diff --git a/task-2794/still-running-bridges.R b/task-2794/still-running-bridges.R new file mode 100644 index 0000000..8752b07 --- /dev/null +++ b/task-2794/still-running-bridges.R @@ -0,0 +1,15 @@ +library(ggplot2) +anyip <- read.csv("still-running-bridges.csv", stringsAsFactors = FALSE) +sameip <- anyip[anyip$addresschange == FALSE, ] +data <- rbind( + data.frame(status = anyip$status, bridgeid = anyip$anyid, address = "any IP address"), + data.frame(status = sameip$status, bridgeid = sameip$sameid, address = "same IP address")) +ggplot(data, aes(x = as.POSIXct(status), + y = (max(data$bridgeid) - bridgeid) / max(data$bridgeid))) + +facet_grid(address ~ .) + +geom_point(size = 0.2, colour = "springgreen3") + +scale_x_datetime(name = "") + +scale_y_continuous(name = "", formatter = "percent") + +opts(title = "Uptimes of bridges that were running Jan 2, 2011, 00:00:00 UTC\n") +ggsave(filename = "still-running-bridges.png", width = 8, height = 5, dpi = 72) +

1 0

[torbrowser/master] add firefox 3.6 patch
by erinn＠torproject.org 24 Mar '11

24 Mar '11

commit 9cd39bbc7dd073af5b86485bf0a074ff01e9b4c8 Author: Erinn Clark <erinn(a)torproject.org> Date: Thu Mar 24 12:29:41 2011 +0100 add firefox 3.6 patch --- .../non-blocking-socks-firefox-3.6.patch | 1637 ++++++++++++++++++++ 1 files changed, 1637 insertions(+), 0 deletions(-) diff --git a/src/current-patches/non-blocking-socks-firefox-3.6.patch b/src/current-patches/non-blocking-socks-firefox-3.6.patch new file mode 100644 index 0000000..fd24905 --- /dev/null +++ b/src/current-patches/non-blocking-socks-firefox-3.6.patch @@ -0,0 +1,1637 @@ +--- a/netwerk/base/src/nsSocketTransport2.cpp ++++ a/netwerk/base/src/nsSocketTransport2.cpp +@@ -1222,16 +1222,26 @@ nsSocketTransport::InitiateSocket() + // connection... wouldn't we need to call ProxyStartSSL after a call + // to PR_ConnectContinue indicates that we are connected? + // + // XXX this appears to be what the old socket transport did. why + // isn't this broken? + } + } + // ++ // A SOCKS request was rejected; get the actual error code from ++ // the OS error ++ // ++ else if (PR_UNKNOWN_ERROR == code && ++ mProxyTransparent && ++ !mProxyHost.IsEmpty()) { ++ code = PR_GetOSError(); ++ rv = ErrorAccordingToNSPR(code); ++ } ++ // + // The connection was refused... + // + else { + rv = ErrorAccordingToNSPR(code); + if ((rv == NS_ERROR_CONNECTION_REFUSED) && !mProxyHost.IsEmpty()) + rv = NS_ERROR_PROXY_CONNECTION_REFUSED; + } + } +@@ -1544,17 +1554,26 @@ nsSocketTransport::OnSocketReady(PRFileD + // + // If the connect is still not ready, then continue polling... + // + if ((PR_WOULD_BLOCK_ERROR == code) || (PR_IN_PROGRESS_ERROR == code)) { + // Set up the select flags for connect... + mPollFlags = (PR_POLL_EXCEPT | PR_POLL_WRITE); + // Update poll timeout in case it was changed + mPollTimeout = mTimeouts[TIMEOUT_CONNECT]; +- } ++ } ++ // ++ // The SOCKS proxy rejected our request. Find out why. ++ // ++ else if (PR_UNKNOWN_ERROR == code && ++ mProxyTransparent && ++ !mProxyHost.IsEmpty()) { ++ code = PR_GetOSError(); ++ mCondition = ErrorAccordingToNSPR(code); ++ } + else { + // + // else, the connection failed... + // + mCondition = ErrorAccordingToNSPR(code); + if ((mCondition == NS_ERROR_CONNECTION_REFUSED) && !mProxyHost.IsEmpty()) + mCondition = NS_ERROR_PROXY_CONNECTION_REFUSED; + SOCKET_LOG((" connection failed! [reason=%x]\n", mCondition)); +--- a/netwerk/socket/base/nsSOCKSIOLayer.cpp ++++ a/netwerk/socket/base/nsSOCKSIOLayer.cpp +@@ -20,16 +20,17 @@ + * Portions created by the Initial Developer are Copyright (C) 1998 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Justin Bradford <jab(a)atdot.org> + * Bradley Baetz <bbaetz(a)acm.org> + * Darin Fisher <darin(a)meer.net> + * Malcolm Smith <malsmith(a)cs.rmit.edu.au> ++ * Christopher Davis <chrisd(a)torproject.org> + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your +@@ -63,51 +64,115 @@ static PRLogModuleInfo *gSOCKSLog; + + #else + #define LOGDEBUG(args) + #define LOGERROR(args) + #endif + + class nsSOCKSSocketInfo : public nsISOCKSSocketInfo + { ++ enum State { ++ SOCKS_INITIAL, ++ SOCKS_CONNECTING_TO_PROXY, ++ SOCKS4_WRITE_CONNECT_REQUEST, ++ SOCKS4_READ_CONNECT_RESPONSE, ++ SOCKS5_WRITE_AUTH_REQUEST, ++ SOCKS5_READ_AUTH_RESPONSE, ++ SOCKS5_WRITE_CONNECT_REQUEST, ++ SOCKS5_READ_CONNECT_RESPONSE_TOP, ++ SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, ++ SOCKS_CONNECTED, ++ SOCKS_FAILED ++ }; ++ ++ // A buffer of 262 bytes should be enough for any request and response ++ // in case of SOCKS4 as well as SOCKS5 ++ static const PRUint32 BUFFER_SIZE = 262; ++ static const PRUint32 MAX_HOSTNAME_LEN = 255; ++ + public: + nsSOCKSSocketInfo(); +- virtual ~nsSOCKSSocketInfo() {} ++ virtual ~nsSOCKSSocketInfo() { HandshakeFinished(); } + + NS_DECL_ISUPPORTS + NS_DECL_NSISOCKSSOCKETINFO + + void Init(PRInt32 version, + const char *proxyHost, + PRInt32 proxyPort, + const char *destinationHost, + PRUint32 flags); + +- const nsCString &DestinationHost() { return mDestinationHost; } +- const nsCString &ProxyHost() { return mProxyHost; } +- PRInt32 ProxyPort() { return mProxyPort; } +- PRInt32 Version() { return mVersion; } +- PRUint32 Flags() { return mFlags; } ++ void SetConnectTimeout(PRIntervalTime to); ++ PRStatus DoHandshake(PRFileDesc *fd, PRInt16 oflags = -1); ++ PRInt16 GetPollFlags() const; ++ bool IsConnected() const { return mState == SOCKS_CONNECTED; } + + private: ++ void HandshakeFinished(PRErrorCode err = 0); ++ PRStatus ConnectToProxy(PRFileDesc *fd); ++ PRStatus ContinueConnectingToProxy(PRFileDesc *fd, PRInt16 oflags); ++ PRStatus WriteV4ConnectRequest(); ++ PRStatus ReadV4ConnectResponse(); ++ PRStatus WriteV5AuthRequest(); ++ PRStatus ReadV5AuthResponse(); ++ PRStatus WriteV5ConnectRequest(); ++ PRStatus ReadV5AddrTypeAndLength(PRUint8 *type, PRUint32 *len); ++ PRStatus ReadV5ConnectResponseTop(); ++ PRStatus ReadV5ConnectResponseBottom(); ++ ++ void WriteUint8(PRUint8 d); ++ void WriteUint16(PRUint16 d); ++ void WriteUint32(PRUint32 d); ++ void WriteNetAddr(const PRNetAddr *addr); ++ void WriteNetPort(const PRNetAddr *addr); ++ void WriteString(const nsACString &str); ++ ++ PRUint8 ReadUint8(); ++ PRUint16 ReadUint16(); ++ PRUint32 ReadUint32(); ++ void ReadNetAddr(PRNetAddr *addr, PRUint16 fam); ++ void ReadNetPort(PRNetAddr *addr); ++ ++ void WantRead(PRUint32 sz); ++ PRStatus ReadFromSocket(PRFileDesc *fd); ++ PRStatus WriteToSocket(PRFileDesc *fd); ++ ++private: ++ State mState; ++ PRUint8 * mData; ++ PRUint8 * mDataIoPtr; ++ PRUint32 mDataLength; ++ PRUint32 mReadOffset; ++ PRUint32 mAmountToRead; ++ nsCOMPtr<nsIDNSRecord> mDnsRec; ++ + nsCString mDestinationHost; + nsCString mProxyHost; + PRInt32 mProxyPort; + PRInt32 mVersion; // SOCKS version 4 or 5 + PRUint32 mFlags; + PRNetAddr mInternalProxyAddr; + PRNetAddr mExternalProxyAddr; + PRNetAddr mDestinationAddr; ++ PRIntervalTime mTimeout; + }; + + nsSOCKSSocketInfo::nsSOCKSSocketInfo() +- : mProxyPort(-1) ++ : mState(SOCKS_INITIAL) ++ , mDataIoPtr(nsnull) ++ , mDataLength(0) ++ , mReadOffset(0) ++ , mAmountToRead(0) ++ , mProxyPort(-1) + , mVersion(-1) + , mFlags(0) ++ , mTimeout(PR_INTERVAL_NO_TIMEOUT) + { ++ mData = new PRUint8[BUFFER_SIZE]; + PR_InitializeNetAddr(PR_IpAddrAny, 0, &mInternalProxyAddr); + PR_InitializeNetAddr(PR_IpAddrAny, 0, &mExternalProxyAddr); + PR_InitializeNetAddr(PR_IpAddrAny, 0, &mDestinationAddr); + } + + void + nsSOCKSSocketInfo::Init(PRInt32 version, const char *proxyHost, PRInt32 proxyPort, const char *host, PRUint32 flags) + { +@@ -157,647 +222,817 @@ nsSOCKSSocketInfo::GetInternalProxyAddr( + + NS_IMETHODIMP + nsSOCKSSocketInfo::SetInternalProxyAddr(PRNetAddr *aInternalProxyAddr) + { + memcpy(&mInternalProxyAddr, aInternalProxyAddr, sizeof(PRNetAddr)); + return NS_OK; + } + +-static PRInt32 +-pr_RecvAll(PRFileDesc *fd, unsigned char *buf, PRInt32 amount, PRIntn flags, +- PRIntervalTime *timeout) ++// There needs to be a means of distinguishing between connection errors ++// that the SOCKS server reports when it rejects a connection request, and ++// connection errors that happen while attempting to connect to the SOCKS ++// server. Otherwise, Firefox will report incorrectly that the proxy server ++// is refusing connections when a SOCKS request is rejected by the proxy. ++// When a SOCKS handshake failure occurs, the PR error is set to ++// PR_UNKNOWN_ERROR, and the real error code is returned via the OS error. ++void ++nsSOCKSSocketInfo::HandshakeFinished(PRErrorCode err) + { +- PRInt32 bytesRead = 0; +- PRInt32 offset = 0; ++ if (err == 0) { ++ mState = SOCKS_CONNECTED; ++ } else { ++ mState = SOCKS_FAILED; ++ PR_SetError(PR_UNKNOWN_ERROR, err); ++ } + +- while (offset < amount) { +- PRIntervalTime start_time = PR_IntervalNow(); +- bytesRead = PR_Recv(fd, buf + offset, amount - offset, flags, *timeout); +- PRIntervalTime elapsed = PR_IntervalNow() - start_time; +- +- if (elapsed > *timeout) { +- *timeout = 0; +- } else { +- *timeout -= elapsed; +- } +- +- if (bytesRead > 0) { +- offset += bytesRead; +- } else if (bytesRead == 0 || offset != 0) { +- return offset; +- } else { +- return bytesRead; +- } +- +- if (*timeout == 0) { +- LOGERROR(("PR_Recv() timed out. amount = %d. offset = %d.", +- amount, offset)); +- return offset; +- } +- } +- return offset; ++ // We don't need the buffer any longer, so free it. ++ delete [] mData; ++ mData = nsnull; ++ mDataIoPtr = nsnull; ++ mDataLength = 0; ++ mReadOffset = 0; ++ mAmountToRead = 0; + } + +-static PRInt32 +-pr_Send(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, +- PRIntervalTime *timeout) ++PRStatus ++nsSOCKSSocketInfo::ConnectToProxy(PRFileDesc *fd) + { +- PRIntervalTime start_time = PR_IntervalNow(); +- PRInt32 retval = PR_Send(fd, buf, amount, flags, *timeout); +- PRIntervalTime elapsed = PR_IntervalNow() - start_time; ++ PRStatus status; ++ nsresult rv; + +- if (elapsed > *timeout) { +- *timeout = 0; +- LOGERROR(("PR_Send() timed out. amount = %d. retval = %d.", +- amount, retval)); +- return retval; +- } else { +- *timeout -= elapsed; +- } ++ NS_ABORT_IF_FALSE(mState == SOCKS_INITIAL, ++ "Must be in initial state to make connection!"); + +- if (retval <= 0) { +- LOGERROR(("PR_Send() failed. amount = %d. retval = %d.", +- amount, retval)); +- } ++ // If we haven't performed the DNS lookup, do that now. ++ if (!mDnsRec) { ++ nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID); ++ if (!dns) ++ return PR_FAILURE; + +- return retval; +-} +- +-// Negotiate a SOCKS 5 connection. Assumes the TCP connection to the socks +-// server port has been established. +-static nsresult +-ConnectSOCKS5(PRFileDesc *fd, const PRNetAddr *addr, PRNetAddr *extAddr, PRIntervalTime timeout) +-{ +- int request_len = 0; +- int response_len = 0; +- int desired_len = 0; +- unsigned char request[22]; +- unsigned char response[262]; +- +- NS_ENSURE_TRUE(fd, NS_ERROR_NOT_INITIALIZED); +- NS_ENSURE_TRUE(addr, NS_ERROR_NOT_INITIALIZED); +- NS_ENSURE_TRUE(extAddr, NS_ERROR_NOT_INITIALIZED); +- +- request[0] = 0x05; // SOCKS version 5 +- request[1] = 0x01; // number of auth procotols we recognize +- // auth protocols +- request[2] = 0x00; // no authentication required +- // compliant implementations MUST implement GSSAPI +- // and SHOULD implement username/password and MAY +- // implement CHAP +- // TODO: we don't implement these +- //request[3] = 0x01; // GSSAPI +- //request[4] = 0x02; // username/password +- //request[5] = 0x03; // CHAP +- +- request_len = 2 + request[1]; +- int write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- return NS_ERROR_FAILURE; +- } +- +- // get the server's response. +- desired_len = 2; +- response_len = pr_RecvAll(fd, response, desired_len, 0, &timeout); +- +- if (response_len < desired_len) { +- LOGERROR(("pr_RecvAll() failed. response_len = %d.", response_len)); +- return NS_ERROR_FAILURE; +- } +- +- if (response[0] != 0x05) { +- // it's a either not SOCKS or not our version +- LOGERROR(("Not a SOCKS 5 reply. Expected: 5; received: %x", response[0])); +- return NS_ERROR_FAILURE; +- } +- switch (response[1]) { +- case 0x00: +- // no auth +- break; +- case 0x01: +- // GSSAPI +- // TODO: implement +- LOGERROR(("Server want to use GSSAPI to authenticate, but we don't support it.")); +- return NS_ERROR_FAILURE; +- case 0x02: +- // username/password +- // TODO: implement +- LOGERROR(("Server want to use username/password to authenticate, but we don't support it.")); +- return NS_ERROR_FAILURE; +- case 0x03: +- // CHAP +- // TODO: implement? +- LOGERROR(("Server want to use CHAP to authenticate, but we don't support it.")); +- return NS_ERROR_FAILURE; +- default: +- // unrecognized auth method +- LOGERROR(("Uncrecognized authentication method received: %x", response[1])); +- return NS_ERROR_FAILURE; +- } +- +- // we are now authenticated, so lets tell +- // the server where to connect to +- +- request_len = 0; +- +- request[0] = 0x05; // SOCKS version 5 +- request[1] = 0x01; // CONNECT command +- request[2] = 0x00; // obligatory reserved field (perfect for MS tampering!) +- +- // get destination port +- PRInt32 destPort = PR_ntohs(PR_NetAddrInetPort(addr)); +- nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; +- +- if (info->Flags() & nsISocketProvider::PROXY_RESOLVES_HOST) { +- +- LOGDEBUG(("using server to resolve hostnames rather than resolving it first\n")); +- +- // if the PROXY_RESOLVES_HOST flag is set, we assume +- // that the transport wants us to pass the SOCKS server the +- // hostname and port and let it do the name resolution. +- +- // the real destination hostname and port was stored +- // in our info object earlier when this layer was created. +- +- const nsCString& destHost = info->DestinationHost(); +- +- LOGDEBUG(("host:port -> %s:%li", destHost.get(), destPort)); +- +- request[3] = 0x03; // encoding of destination address (3 == hostname) +- +- int host_len = destHost.Length(); +- if (host_len > 255) { +- // SOCKS5 transmits the length of the hostname in a single char. +- // This gives us an absolute limit of 255 chars in a hostname, and +- // there's nothing we can do to extend it. I don't think many +- // hostnames will ever be bigger than this, so hopefully it's an +- // uneventful abort condition. +- LOGERROR (("Hostname too big for SOCKS5.")); +- return NS_ERROR_INVALID_ARG; +- } +- request[4] = (char) host_len; +- request_len = 5; +- +- // Send the initial header first... +- write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- // bad write +- return NS_ERROR_FAILURE; +- } +- +- // Now send the hostname... +- write_len = pr_Send(fd, destHost.get(), host_len, 0, &timeout); +- if (write_len != host_len) { +- // bad write +- return NS_ERROR_FAILURE; +- } +- +- // There's no data left because we just sent it. +- request_len = 0; +- +- } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { +- +- request[3] = 0x01; // encoding of destination address (1 == IPv4) +- request_len = 8; // 4 for address, 4 SOCKS headers +- +- char * ip = (char*)(&addr->inet.ip); +- request[4] = *ip++; +- request[5] = *ip++; +- request[6] = *ip++; +- request[7] = *ip++; +- +- } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { +- +- request[3] = 0x04; // encoding of destination address (4 == IPv6) +- request_len = 20; // 16 for address, 4 SOCKS headers +- +- char * ip = (char*)(&addr->ipv6.ip.pr_s6_addr); +- request[4] = *ip++; request[5] = *ip++; +- request[6] = *ip++; request[7] = *ip++; +- request[8] = *ip++; request[9] = *ip++; +- request[10] = *ip++; request[11] = *ip++; +- request[12] = *ip++; request[13] = *ip++; +- request[14] = *ip++; request[15] = *ip++; +- request[16] = *ip++; request[17] = *ip++; +- request[18] = *ip++; request[19] = *ip++; +- +- // we're going to test to see if this address can +- // be mapped back into IPv4 without loss. if so, +- // we'll use IPv4 instead, as reliable SOCKS server +- // support for IPv6 is probably questionable. +- +- if (PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { +- request[3] = 0x01; // ipv4 encoding +- request[4] = request[16]; +- request[5] = request[17]; +- request[6] = request[18]; +- request[7] = request[19]; +- request_len -= 12; +- } +- } else { +- // Unknown address type +- LOGERROR(("Don't know what kind of IP address this is.")); +- return NS_ERROR_FAILURE; +- } +- +- // add the destination port to the request +- request[request_len] = (unsigned char)(destPort >> 8); +- request[request_len+1] = (unsigned char)destPort; +- request_len += 2; +- +- write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- // bad write +- return NS_ERROR_FAILURE; +- } +- +- desired_len = 5; +- response_len = pr_RecvAll(fd, response, desired_len, 0, &timeout); +- if (response_len < desired_len) { // bad read +- LOGERROR(("pr_RecvAll() failed getting connect command reply. response_len = %d.", response_len)); +- return NS_ERROR_FAILURE; +- } +- +- if (response[0] != 0x05) { +- // bad response +- LOGERROR(("Not a SOCKS 5 reply. Expected: 5; received: %x", response[0])); +- return NS_ERROR_FAILURE; +- } +- +- switch(response[1]) { +- case 0x00: break; // success +- case 0x01: LOGERROR(("SOCKS 5 server rejected connect request: 01, General SOCKS server failure.")); +- return NS_ERROR_FAILURE; +- case 0x02: LOGERROR(("SOCKS 5 server rejected connect request: 02, Connection not allowed by ruleset.")); +- return NS_ERROR_FAILURE; +- case 0x03: LOGERROR(("SOCKS 5 server rejected connect request: 03, Network unreachable.")); +- return NS_ERROR_FAILURE; +- case 0x04: LOGERROR(("SOCKS 5 server rejected connect request: 04, Host unreachable.")); +- return NS_ERROR_FAILURE; +- case 0x05: LOGERROR(("SOCKS 5 server rejected connect request: 05, Connection refused.")); +- return NS_ERROR_FAILURE; +- case 0x06: LOGERROR(("SOCKS 5 server rejected connect request: 06, TTL expired.")); +- return NS_ERROR_FAILURE; +- case 0x07: LOGERROR(("SOCKS 5 server rejected connect request: 07, Command not supported.")); +- return NS_ERROR_FAILURE; +- case 0x08: LOGERROR(("SOCKS 5 server rejected connect request: 08, Address type not supported.")); +- return NS_ERROR_FAILURE; +- default: LOGERROR(("SOCKS 5 server rejected connect request: %x.", response[1])); +- return NS_ERROR_FAILURE; +- +- +- } +- +- switch (response[3]) { +- case 0x01: // IPv4 +- desired_len = 4 + 2 - 1; +- break; +- case 0x03: // FQDN +- desired_len = response[4] + 2; +- break; +- case 0x04: // IPv6 +- desired_len = 16 + 2 - 1; +- break; +- default: // unknown format +- return NS_ERROR_FAILURE; +- break; +- } +- response_len = pr_RecvAll(fd, response + 5, desired_len, 0, &timeout); +- if (response_len < desired_len) { // bad read +- LOGERROR(("pr_RecvAll() failed getting connect command reply. response_len = %d.", response_len)); +- return NS_ERROR_FAILURE; +- } +- response_len += 5; +- +- // get external bound address (this is what +- // the outside world sees as "us") +- char *ip = nsnull; +- PRUint16 extPort = 0; +- +- switch (response[3]) { +- case 0x01: // IPv4 +- +- extPort = (response[8] << 8) | response[9]; +- +- PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET, extPort, extAddr); +- +- ip = (char*)(&extAddr->inet.ip); +- *ip++ = response[4]; +- *ip++ = response[5]; +- *ip++ = response[6]; +- *ip++ = response[7]; +- +- break; +- case 0x04: // IPv6 +- +- extPort = (response[20] << 8) | response[21]; +- +- PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, extPort, extAddr); +- +- ip = (char*)(&extAddr->ipv6.ip.pr_s6_addr); +- *ip++ = response[4]; *ip++ = response[5]; +- *ip++ = response[6]; *ip++ = response[7]; +- *ip++ = response[8]; *ip++ = response[9]; +- *ip++ = response[10]; *ip++ = response[11]; +- *ip++ = response[12]; *ip++ = response[13]; +- *ip++ = response[14]; *ip++ = response[15]; +- *ip++ = response[16]; *ip++ = response[17]; +- *ip++ = response[18]; *ip++ = response[19]; +- +- break; +- case 0x03: // FQDN +- // if we get here, we don't know our external address. +- // however, as that's possibly not critical to the user, +- // we let it slide. +- extPort = (response[response_len - 2] << 8) | +- response[response_len - 1]; +- PR_InitializeNetAddr(PR_IpAddrNull, extPort, extAddr); +- break; +- } +- return NS_OK; +-} +- +-// Negotiate a SOCKS 4 connection. Assumes the TCP connection to the socks +-// server port has been established. +-static nsresult +-ConnectSOCKS4(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime timeout) +-{ +- int request_len = 0; +- int write_len; +- int response_len = 0; +- int desired_len = 0; +- char *ip = nsnull; +- unsigned char request[12]; +- unsigned char response[10]; +- +- NS_ENSURE_TRUE(fd, NS_ERROR_NOT_INITIALIZED); +- NS_ENSURE_TRUE(addr, NS_ERROR_NOT_INITIALIZED); +- +- request[0] = 0x04; // SOCKS version 4 +- request[1] = 0x01; // CD command code -- 1 for connect +- +- // destination port +- PRInt32 destPort = PR_ntohs(PR_NetAddrInetPort(addr)); +- +- // store the port +- request[2] = (unsigned char)(destPort >> 8); +- request[3] = (unsigned char)destPort; +- +- // username +- request[8] = 'M'; +- request[9] = 'O'; +- request[10] = 'Z'; +- +- request[11] = 0x00; +- +- request_len = 12; +- +- nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; +- +- if (info->Flags() & nsISocketProvider::PROXY_RESOLVES_HOST) { +- +- LOGDEBUG(("using server to resolve hostnames rather than resolving it first\n")); +- +- // if the PROXY_RESOLVES_HOST flag is set, we assume that the +- // transport wants us to pass the SOCKS server the hostname +- // and port and let it do the name resolution. +- +- // an extension to SOCKS 4, called 4a, specifies a way +- // to do this, so we'll try that and hope the +- // server supports it. +- +- // the real destination hostname and port was stored +- // in our info object earlier when this layer was created. +- +- const nsCString& destHost = info->DestinationHost(); +- +- LOGDEBUG(("host:port -> %s:%li\n", destHost.get(), destPort)); +- +- // the IP portion of the query is set to this special address. +- request[4] = 0; +- request[5] = 0; +- request[6] = 0; +- request[7] = 1; +- +- write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- return NS_ERROR_FAILURE; +- } +- +- // Remember the NULL. +- int host_len = destHost.Length() + 1; +- +- write_len = pr_Send(fd, destHost.get(), host_len, 0, &timeout); +- if (write_len != host_len) { +- return NS_ERROR_FAILURE; +- } +- +- // No data to send, just sent it. +- request_len = 0; +- +- } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { // IPv4 +- +- // store the ip +- ip = (char*)(&addr->inet.ip); +- request[4] = *ip++; +- request[5] = *ip++; +- request[6] = *ip++; +- request[7] = *ip++; +- +- } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { // IPv6 +- +- // IPv4 address encoded in an IPv6 address +- if (PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { +- // store the ip +- ip = (char*)(&addr->ipv6.ip.pr_s6_addr[12]); +- request[4] = *ip++; +- request[5] = *ip++; +- request[6] = *ip++; +- request[7] = *ip++; +- } else { +- LOGERROR(("IPv6 is not supported in SOCKS 4.")); +- return NS_ERROR_FAILURE; // SOCKS 4 can't do IPv6 +- } +- +- } else { +- LOGERROR(("Don't know what kind of IP address this is.")); +- return NS_ERROR_FAILURE; // don't recognize this type +- } +- +- if (request_len > 0) { +- write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- return NS_ERROR_FAILURE; ++ rv = dns->Resolve(mProxyHost, 0, getter_AddRefs(mDnsRec)); ++ if (NS_FAILED(rv)) { ++ LOGERROR(("socks: DNS lookup for SOCKS proxy %s failed", ++ mProxyHost.get())); ++ return PR_FAILURE; + } + } + +- // get the server's response +- desired_len = 8; // size of the response +- response_len = pr_RecvAll(fd, response, desired_len, 0, &timeout); +- if (response_len < desired_len) { +- LOGERROR(("pr_RecvAll() failed. response_len = %d.", response_len)); +- return NS_ERROR_FAILURE; ++ do { ++ rv = mDnsRec->GetNextAddr(mProxyPort, &mInternalProxyAddr); ++ // No more addresses to try? If so, we'll need to bail ++ if (NS_FAILED(rv)) { ++ LOGERROR(("socks: unable to connect to SOCKS proxy, %s", ++ mProxyHost.get())); ++ return PR_FAILURE; ++ } ++ ++#if defined(PR_LOGGING) ++ char buf[64]; ++ PR_NetAddrToString(&mInternalProxyAddr, buf, sizeof(buf)); ++ LOGDEBUG(("socks: trying proxy server, %s:%hu", ++ buf, PR_ntohs(PR_NetAddrInetPort(&mInternalProxyAddr)))); ++#endif ++ status = fd->lower->methods->connect(fd->lower, ++ &mInternalProxyAddr, mTimeout); ++ if (status != PR_SUCCESS) { ++ PRErrorCode c = PR_GetError(); ++ // If EINPROGRESS, return now and check back later after polling ++ if (c == PR_WOULD_BLOCK_ERROR || c == PR_IN_PROGRESS_ERROR) { ++ mState = SOCKS_CONNECTING_TO_PROXY; ++ return status; ++ } ++ } ++ } while (status != PR_SUCCESS); ++ ++ // Connected now, start SOCKS ++ if (mVersion == 4) ++ return WriteV4ConnectRequest(); ++ return WriteV5AuthRequest(); ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ContinueConnectingToProxy(PRFileDesc *fd, PRInt16 oflags) ++{ ++ PRStatus status; ++ ++ NS_ABORT_IF_FALSE(mState == SOCKS_CONNECTING_TO_PROXY, ++ "Continuing connection in wrong state!"); ++ ++ LOGDEBUG(("socks: continuing connection to proxy")); ++ ++ status = fd->lower->methods->connectcontinue(fd->lower, oflags); ++ if (status != PR_SUCCESS) { ++ PRErrorCode c = PR_GetError(); ++ if (c != PR_WOULD_BLOCK_ERROR && c != PR_IN_PROGRESS_ERROR) { ++ // A connection failure occured, try another address ++ mState = SOCKS_INITIAL; ++ return ConnectToProxy(fd); ++ } ++ ++ // We're still connecting ++ return PR_FAILURE; + } + +- if ((response[0] != 0x00) && (response[0] != 0x04)) { +- // Novell BorderManager sends a response of type 4, should be zero +- // According to the spec. Cope with this brokenness. +- // it's not a SOCKS 4 reply or version 0 of the reply code +- LOGERROR(("Not a SOCKS 4 reply. Expected: 0; received: %x.", response[0])); +- return NS_ERROR_FAILURE; ++ // Connected now, start SOCKS ++ if (mVersion == 4) ++ return WriteV4ConnectRequest(); ++ return WriteV5AuthRequest(); ++} ++ ++PRStatus ++nsSOCKSSocketInfo::WriteV4ConnectRequest() ++{ ++ PRNetAddr *addr = &mDestinationAddr; ++ PRInt32 proxy_resolve; ++ ++ NS_ABORT_IF_FALSE(mState == SOCKS_CONNECTING_TO_PROXY, ++ "Invalid state!"); ++ ++ proxy_resolve = mFlags & nsISocketProvider::PROXY_RESOLVES_HOST; ++ ++ mDataLength = 0; ++ mState = SOCKS4_WRITE_CONNECT_REQUEST; ++ ++ LOGDEBUG(("socks4: sending connection request (socks4a resolve? %s)", ++ proxy_resolve? "yes" : "no")); ++ ++ // Send a SOCKS 4 connect request. ++ WriteUint8(0x04); // version -- 4 ++ WriteUint8(0x01); // command -- connect ++ WriteNetPort(addr); ++ if (proxy_resolve) { ++ // Add the full name, null-terminated, to the request ++ // according to SOCKS 4a. A fake IP address, with the first ++ // four bytes set to 0 and the last byte set to something other ++ // than 0, is used to notify the proxy that this is a SOCKS 4a ++ // request. This request type works for Tor and perhaps others. ++ WriteUint32(PR_htonl(0x00000001)); // Fake IP ++ WriteUint8(0x00); // Send an emtpy username ++ if (mDestinationHost.Length() > MAX_HOSTNAME_LEN) { ++ LOGERROR(("socks4: destination host name is too long!")); ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ WriteString(mDestinationHost); // Hostname ++ WriteUint8(0x00); ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { ++ WriteNetAddr(addr); // Add the IPv4 address ++ WriteUint8(0x00); // Send an emtpy username ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { ++ LOGERROR(("socks: SOCKS 4 can't handle IPv6 addresses!")); ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; + } + +- if (response[1] != 0x5A) { // = 90: request granted +- // connect request not granted +- LOGERROR(("Connection request refused. Expected: 90; received: %d.", response[1])); +- return NS_ERROR_FAILURE; +- } +- +- return NS_OK; +- ++ return PR_SUCCESS; + } + ++PRStatus ++nsSOCKSSocketInfo::ReadV4ConnectResponse() ++{ ++ NS_ABORT_IF_FALSE(mState == SOCKS4_READ_CONNECT_RESPONSE, ++ "Handling SOCKS 4 connection reply in wrong state!"); ++ NS_ABORT_IF_FALSE(mDataLength == 8, ++ "SOCKS 4 connection reply must be 8 bytes!"); ++ ++ LOGDEBUG(("socks4: checking connection reply")); ++ ++ if (ReadUint8() != 0x00) { ++ LOGERROR(("socks4: wrong connection reply")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } ++ ++ // See if our connection request was granted ++ if (ReadUint8() == 90) { ++ LOGDEBUG(("socks4: connection successful!")); ++ HandshakeFinished(); ++ return PR_SUCCESS; ++ } ++ ++ LOGERROR(("socks4: unable to connect")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::WriteV5AuthRequest() ++{ ++ NS_ABORT_IF_FALSE(mVersion == 5, "SOCKS version must be 5!"); ++ ++ mState = SOCKS5_WRITE_AUTH_REQUEST; ++ ++ // Send an initial SOCKS 5 greeting ++ LOGDEBUG(("socks5: sending auth methods")); ++ WriteUint8(0x05); // version -- 5 ++ WriteUint8(0x01); // # auth methods -- 1 ++ WriteUint8(0x00); // we don't support authentication ++ ++ return PR_SUCCESS; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadV5AuthResponse() ++{ ++ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_AUTH_RESPONSE, ++ "Handling SOCKS 5 auth method reply in wrong state!"); ++ NS_ABORT_IF_FALSE(mDataLength == 2, ++ "SOCKS 5 auth method reply must be 2 bytes!"); ++ ++ LOGDEBUG(("socks5: checking auth method reply")); ++ ++ // Check version number ++ if (ReadUint8() != 0x05) { ++ LOGERROR(("socks5: unexpected version in the reply")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } ++ ++ // Make sure our authentication choice was accepted ++ if (ReadUint8() != 0x00) { ++ LOGERROR(("socks5: server did not accept our authentication method")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } ++ ++ return WriteV5ConnectRequest(); ++} ++ ++PRStatus ++nsSOCKSSocketInfo::WriteV5ConnectRequest() ++{ ++ // Send SOCKS 5 connect request ++ PRNetAddr *addr = &mDestinationAddr; ++ PRInt32 proxy_resolve; ++ proxy_resolve = mFlags & nsISocketProvider::PROXY_RESOLVES_HOST; ++ ++ LOGDEBUG(("socks5: sending connection request (socks5 resolve? %s)", ++ proxy_resolve? "yes" : "no")); ++ ++ mDataLength = 0; ++ mState = SOCKS5_WRITE_CONNECT_REQUEST; ++ ++ WriteUint8(0x05); // version -- 5 ++ WriteUint8(0x01); // command -- connect ++ WriteUint8(0x00); // reserved ++ ++ // Add the address to the SOCKS 5 request. SOCKS 5 supports several ++ // address types, so we pick the one that works best for us. ++ if (proxy_resolve) { ++ // Add the host name. Only a single byte is used to store the length, ++ // so we must prevent long names from being used. ++ if (mDestinationHost.Length() > MAX_HOSTNAME_LEN) { ++ LOGERROR(("socks5: destination host name is too long!")); ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ WriteUint8(0x03); // addr type -- domainname ++ WriteUint8(mDestinationHost.Length()); // name length ++ WriteString(mDestinationHost); ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { ++ WriteUint8(0x01); // addr type -- IPv4 ++ WriteNetAddr(addr); ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { ++ WriteUint8(0x04); // addr type -- IPv6 ++ WriteNetAddr(addr); ++ } else { ++ LOGERROR(("socks5: destination address of unknown type!")); ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ ++ WriteNetPort(addr); // port ++ ++ return PR_SUCCESS; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadV5AddrTypeAndLength(PRUint8 *type, PRUint32 *len) ++{ ++ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_TOP || ++ mState == SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, ++ "Invalid state!"); ++ NS_ABORT_IF_FALSE(mDataLength >= 5, ++ "SOCKS 5 connection reply must be at least 5 bytes!"); ++ ++ // Seek to the address location ++ mReadOffset = 3; ++ ++ *type = ReadUint8(); ++ ++ switch (*type) { ++ case 0x01: // ipv4 ++ *len = 4 - 1; ++ break; ++ case 0x04: // ipv6 ++ *len = 16 - 1; ++ break; ++ case 0x03: // fqdn ++ *len = ReadUint8(); ++ break; ++ default: // wrong address type ++ LOGERROR(("socks5: wrong address type in connection reply!")); ++ return PR_FAILURE; ++ } ++ ++ return PR_SUCCESS; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadV5ConnectResponseTop() ++{ ++ PRUint8 res; ++ PRUint32 len; ++ ++ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_TOP, ++ "Invalid state!"); ++ NS_ABORT_IF_FALSE(mDataLength == 5, ++ "SOCKS 5 connection reply must be exactly 5 bytes!"); ++ ++ LOGDEBUG(("socks5: checking connection reply")); ++ ++ // Check version number ++ if (ReadUint8() != 0x05) { ++ LOGERROR(("socks5: unexpected version in the reply")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } ++ ++ // Check response ++ res = ReadUint8(); ++ if (res != 0x00) { ++ PRErrorCode c = PR_CONNECT_REFUSED_ERROR; ++ ++ switch (res) { ++ case 0x01: ++ LOGERROR(("socks5: connect failed: " ++ "01, General SOCKS server failure.")); ++ break; ++ case 0x02: ++ LOGERROR(("socks5: connect failed: " ++ "02, Connection not allowed by ruleset.")); ++ break; ++ case 0x03: ++ LOGERROR(("socks5: connect failed: 03, Network unreachable.")); ++ c = PR_NETWORK_UNREACHABLE_ERROR; ++ break; ++ case 0x04: ++ LOGERROR(("socks5: connect failed: 04, Host unreachable.")); ++ break; ++ case 0x05: ++ LOGERROR(("socks5: connect failed: 05, Connection refused.")); ++ break; ++ case 0x06: ++ LOGERROR(("socks5: connect failed: 06, TTL expired.")); ++ c = PR_CONNECT_TIMEOUT_ERROR; ++ break; ++ case 0x07: ++ LOGERROR(("socks5: connect failed: " ++ "07, Command not supported.")); ++ break; ++ case 0x08: ++ LOGERROR(("socks5: connect failed: " ++ "08, Address type not supported.")); ++ c = PR_BAD_ADDRESS_ERROR; ++ break; ++ default: ++ LOGERROR(("socks5: connect failed.")); ++ break; ++ } ++ ++ HandshakeFinished(c); ++ return PR_FAILURE; ++ } ++ ++ if (ReadV5AddrTypeAndLength(&res, &len) != PR_SUCCESS) { ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ ++ mState = SOCKS5_READ_CONNECT_RESPONSE_BOTTOM; ++ WantRead(len + 2); ++ ++ return PR_SUCCESS; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadV5ConnectResponseBottom() ++{ ++ PRUint8 type; ++ PRUint32 len; ++ ++ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, ++ "Invalid state!"); ++ ++ if (ReadV5AddrTypeAndLength(&type, &len) != PR_SUCCESS) { ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ ++ NS_ABORT_IF_FALSE(mDataLength == 7+len, ++ "SOCKS 5 unexpected length of connection reply!"); ++ ++ LOGDEBUG(("socks5: loading source addr and port")); ++ // Read what the proxy says is our source address ++ switch (type) { ++ case 0x01: // ipv4 ++ ReadNetAddr(&mExternalProxyAddr, PR_AF_INET); ++ break; ++ case 0x04: // ipv6 ++ ReadNetAddr(&mExternalProxyAddr, PR_AF_INET6); ++ break; ++ case 0x03: // fqdn (skip) ++ mReadOffset += len; ++ mExternalProxyAddr.raw.family = PR_AF_INET; ++ break; ++ } ++ ++ ReadNetPort(&mExternalProxyAddr); ++ ++ LOGDEBUG(("socks5: connected!")); ++ HandshakeFinished(); ++ ++ return PR_SUCCESS; ++} ++ ++void ++nsSOCKSSocketInfo::SetConnectTimeout(PRIntervalTime to) ++{ ++ mTimeout = to; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::DoHandshake(PRFileDesc *fd, PRInt16 oflags) ++{ ++ LOGDEBUG(("socks: DoHandshake(), state = %d", mState)); ++ ++ switch (mState) { ++ case SOCKS_INITIAL: ++ return ConnectToProxy(fd); ++ case SOCKS_CONNECTING_TO_PROXY: ++ return ContinueConnectingToProxy(fd, oflags); ++ case SOCKS4_WRITE_CONNECT_REQUEST: ++ if (WriteToSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ WantRead(8); ++ mState = SOCKS4_READ_CONNECT_RESPONSE; ++ return PR_SUCCESS; ++ case SOCKS4_READ_CONNECT_RESPONSE: ++ if (ReadFromSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ return ReadV4ConnectResponse(); ++ ++ case SOCKS5_WRITE_AUTH_REQUEST: ++ if (WriteToSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ WantRead(2); ++ mState = SOCKS5_READ_AUTH_RESPONSE; ++ return PR_SUCCESS; ++ case SOCKS5_READ_AUTH_RESPONSE: ++ if (ReadFromSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ return ReadV5AuthResponse(); ++ case SOCKS5_WRITE_CONNECT_REQUEST: ++ if (WriteToSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ ++ // The SOCKS 5 response to the connection request is variable ++ // length. First, we'll read enough to tell how long the response ++ // is, and will read the rest later. ++ WantRead(5); ++ mState = SOCKS5_READ_CONNECT_RESPONSE_TOP; ++ return PR_SUCCESS; ++ case SOCKS5_READ_CONNECT_RESPONSE_TOP: ++ if (ReadFromSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ return ReadV5ConnectResponseTop(); ++ case SOCKS5_READ_CONNECT_RESPONSE_BOTTOM: ++ if (ReadFromSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ return ReadV5ConnectResponseBottom(); ++ ++ case SOCKS_CONNECTED: ++ LOGERROR(("socks: already connected")); ++ HandshakeFinished(PR_IS_CONNECTED_ERROR); ++ return PR_FAILURE; ++ case SOCKS_FAILED: ++ LOGERROR(("socks: already failed")); ++ return PR_FAILURE; ++ } ++ ++ LOGERROR(("socks: executing handshake in invalid state, %d", mState)); ++ HandshakeFinished(PR_INVALID_STATE_ERROR); ++ ++ return PR_FAILURE; ++} ++ ++PRInt16 ++nsSOCKSSocketInfo::GetPollFlags() const ++{ ++ switch (mState) { ++ case SOCKS_CONNECTING_TO_PROXY: ++ return PR_POLL_EXCEPT | PR_POLL_WRITE; ++ case SOCKS4_WRITE_CONNECT_REQUEST: ++ case SOCKS5_WRITE_AUTH_REQUEST: ++ case SOCKS5_WRITE_CONNECT_REQUEST: ++ return PR_POLL_WRITE; ++ case SOCKS4_READ_CONNECT_RESPONSE: ++ case SOCKS5_READ_AUTH_RESPONSE: ++ case SOCKS5_READ_CONNECT_RESPONSE_TOP: ++ case SOCKS5_READ_CONNECT_RESPONSE_BOTTOM: ++ return PR_POLL_READ; ++ default: ++ break; ++ } ++ ++ return 0; ++} ++ ++inline void ++nsSOCKSSocketInfo::WriteUint8(PRUint8 v) ++{ ++ NS_ABORT_IF_FALSE(mDataLength + sizeof(v) <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ mData[mDataLength] = v; ++ mDataLength += sizeof(v); ++} ++ ++inline void ++nsSOCKSSocketInfo::WriteUint16(PRUint16 v) ++{ ++ NS_ABORT_IF_FALSE(mDataLength + sizeof(v) <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ memcpy(mData + mDataLength, &v, sizeof(v)); ++ mDataLength += sizeof(v); ++} ++ ++inline void ++nsSOCKSSocketInfo::WriteUint32(PRUint32 v) ++{ ++ NS_ABORT_IF_FALSE(mDataLength + sizeof(v) <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ memcpy(mData + mDataLength, &v, sizeof(v)); ++ mDataLength += sizeof(v); ++} ++ ++void ++nsSOCKSSocketInfo::WriteNetAddr(const PRNetAddr *addr) ++{ ++ const char *ip = NULL; ++ PRUint32 len = 0; ++ ++ if (PR_NetAddrFamily(addr) == PR_AF_INET) { ++ ip = (const char*)&addr->inet.ip; ++ len = sizeof(addr->inet.ip); ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { ++ ip = (const char*)addr->ipv6.ip.pr_s6_addr; ++ len = sizeof(addr->ipv6.ip.pr_s6_addr); ++ } ++ ++ NS_ABORT_IF_FALSE(ip != NULL, "Unknown address"); ++ NS_ABORT_IF_FALSE(mDataLength + len <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ ++ memcpy(mData + mDataLength, ip, len); ++ mDataLength += len; ++} ++ ++void ++nsSOCKSSocketInfo::WriteNetPort(const PRNetAddr *addr) ++{ ++ WriteUint16(PR_NetAddrInetPort(addr)); ++} ++ ++void ++nsSOCKSSocketInfo::WriteString(const nsACString &str) ++{ ++ NS_ABORT_IF_FALSE(mDataLength + str.Length() <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ memcpy(mData + mDataLength, str.Data(), str.Length()); ++ mDataLength += str.Length(); ++} ++ ++inline PRUint8 ++nsSOCKSSocketInfo::ReadUint8() ++{ ++ PRUint8 rv; ++ NS_ABORT_IF_FALSE(mReadOffset + sizeof(rv) <= mDataLength, ++ "Not enough space to pop a uint8!"); ++ rv = mData[mReadOffset]; ++ mReadOffset += sizeof(rv); ++ return rv; ++} ++ ++inline PRUint16 ++nsSOCKSSocketInfo::ReadUint16() ++{ ++ PRUint16 rv; ++ NS_ABORT_IF_FALSE(mReadOffset + sizeof(rv) <= mDataLength, ++ "Not enough space to pop a uint16!"); ++ memcpy(&rv, mData + mReadOffset, sizeof(rv)); ++ mReadOffset += sizeof(rv); ++ return rv; ++} ++ ++inline PRUint32 ++nsSOCKSSocketInfo::ReadUint32() ++{ ++ PRUint32 rv; ++ NS_ABORT_IF_FALSE(mReadOffset + sizeof(rv) <= mDataLength, ++ "Not enough space to pop a uint32!"); ++ memcpy(&rv, mData + mReadOffset, sizeof(rv)); ++ mReadOffset += sizeof(rv); ++ return rv; ++} ++ ++void ++nsSOCKSSocketInfo::ReadNetAddr(PRNetAddr *addr, PRUint16 fam) ++{ ++ PRUint32 amt; ++ const PRUint8 *ip = mData + mReadOffset; ++ ++ addr->raw.family = fam; ++ if (fam == PR_AF_INET) { ++ amt = sizeof(addr->inet.ip); ++ NS_ABORT_IF_FALSE(mReadOffset + amt <= mDataLength, ++ "Not enough space to pop an ipv4 addr!"); ++ memcpy(&addr->inet.ip, ip, amt); ++ } else if (fam == PR_AF_INET6) { ++ amt = sizeof(addr->ipv6.ip.pr_s6_addr); ++ NS_ABORT_IF_FALSE(mReadOffset + amt <= mDataLength, ++ "Not enough space to pop an ipv6 addr!"); ++ memcpy(addr->ipv6.ip.pr_s6_addr, ip, amt); ++ } ++ ++ mReadOffset += amt; ++} ++ ++void ++nsSOCKSSocketInfo::ReadNetPort(PRNetAddr *addr) ++{ ++ addr->inet.port = ReadUint16(); ++} ++ ++void ++nsSOCKSSocketInfo::WantRead(PRUint32 sz) ++{ ++ NS_ABORT_IF_FALSE(mDataIoPtr == NULL, ++ "WantRead() called while I/O already in progress!"); ++ NS_ABORT_IF_FALSE(mDataLength + sz <= BUFFER_SIZE, ++ "Can't read that much data!"); ++ mAmountToRead = sz; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadFromSocket(PRFileDesc *fd) ++{ ++ PRInt32 rc; ++ const PRUint8 *end; ++ ++ if (!mAmountToRead) { ++ LOGDEBUG(("socks: ReadFromSocket(), nothing to do")); ++ return PR_SUCCESS; ++ } ++ ++ if (!mDataIoPtr) { ++ mDataIoPtr = mData + mDataLength; ++ mDataLength += mAmountToRead; ++ } ++ ++ end = mData + mDataLength; ++ ++ while (mDataIoPtr < end) { ++ rc = PR_Read(fd, mDataIoPtr, end - mDataIoPtr); ++ if (rc <= 0) { ++ if (rc == 0) { ++ LOGERROR(("socks: proxy server closed connection")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } else if (PR_GetError() == PR_WOULD_BLOCK_ERROR) { ++ LOGDEBUG(("socks: ReadFromSocket(), want read")); ++ } ++ break; ++ } ++ ++ mDataIoPtr += rc; ++ } ++ ++ LOGDEBUG(("socks: ReadFromSocket(), have %u bytes total", ++ unsigned(mDataIoPtr - mData))); ++ if (mDataIoPtr == end) { ++ mDataIoPtr = nsnull; ++ mAmountToRead = 0; ++ mReadOffset = 0; ++ return PR_SUCCESS; ++ } ++ ++ return PR_FAILURE; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::WriteToSocket(PRFileDesc *fd) ++{ ++ PRInt32 rc; ++ const PRUint8 *end; ++ ++ if (!mDataLength) { ++ LOGDEBUG(("socks: WriteToSocket(), nothing to do")); ++ return PR_SUCCESS; ++ } ++ ++ if (!mDataIoPtr) ++ mDataIoPtr = mData; ++ ++ end = mData + mDataLength; ++ ++ while (mDataIoPtr < end) { ++ rc = PR_Write(fd, mDataIoPtr, end - mDataIoPtr); ++ if (rc < 0) { ++ if (PR_GetError() == PR_WOULD_BLOCK_ERROR) { ++ LOGDEBUG(("socks: WriteToSocket(), want write")); ++ } ++ break; ++ } ++ ++ mDataIoPtr += rc; ++ } ++ ++ if (mDataIoPtr == end) { ++ mDataIoPtr = nsnull; ++ mDataLength = 0; ++ mReadOffset = 0; ++ return PR_SUCCESS; ++ } ++ ++ return PR_FAILURE; ++} + + static PRStatus +-nsSOCKSIOLayerConnect(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime /*timeout*/) ++nsSOCKSIOLayerConnect(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime to) + { ++ PRStatus status; ++ PRNetAddr dst; + ++ nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; ++ if (info == NULL) return PR_FAILURE; ++ ++ if (PR_NetAddrFamily(addr) == PR_AF_INET6 && ++ PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { ++ const PRUint8 *srcp; ++ ++ LOGDEBUG(("socks: converting ipv4-mapped ipv6 address to ipv4")); ++ ++ // copied from _PR_ConvertToIpv4NetAddr() ++ PR_InitializeNetAddr(PR_IpAddrAny, 0, &dst); ++ srcp = addr->ipv6.ip.pr_s6_addr; ++ memcpy(&dst.inet.ip, srcp + 12, 4); ++ dst.inet.family = PR_AF_INET; ++ dst.inet.port = addr->ipv6.port; ++ } else { ++ memcpy(&dst, addr, sizeof(dst)); ++ } ++ ++ info->SetDestinationAddr(&dst); ++ info->SetConnectTimeout(to); ++ ++ do { ++ status = info->DoHandshake(fd, -1); ++ } while (status == PR_SUCCESS && !info->IsConnected()); ++ ++ return status; ++} ++ ++static PRStatus ++nsSOCKSIOLayerConnectContinue(PRFileDesc *fd, PRInt16 oflags) ++{ + PRStatus status; + + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + if (info == NULL) return PR_FAILURE; + +- // First, we need to look up our proxy... +- const nsCString &proxyHost = info->ProxyHost(); ++ do { ++ status = info->DoHandshake(fd, oflags); ++ } while (status == PR_SUCCESS && !info->IsConnected()); + +- if (proxyHost.IsEmpty()) +- return PR_FAILURE; ++ return status; ++} + +- PRInt32 socksVersion = info->Version(); ++static PRInt16 ++nsSOCKSIOLayerPoll(PRFileDesc *fd, PRInt16 in_flags, PRInt16 *out_flags) ++{ ++ nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; ++ if (info == NULL) return PR_FAILURE; + +- LOGDEBUG(("nsSOCKSIOLayerConnect SOCKS %u; proxyHost: %s.", socksVersion, proxyHost.get())); +- +- // Sync resolve the proxy hostname. +- PRNetAddr proxyAddr; +- nsCOMPtr<nsIDNSRecord> rec; +- nsresult rv; +- { +- nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID); +- if (!dns) +- return PR_FAILURE; +- +- rv = dns->Resolve(proxyHost, 0, getter_AddRefs(rec)); +- if (NS_FAILED(rv)) +- return PR_FAILURE; ++ if (!info->IsConnected()) { ++ *out_flags = 0; ++ return info->GetPollFlags(); + } + +- info->SetInternalProxyAddr(&proxyAddr); +- +- // For now, we'll do this as a blocking connect, +- // but with nspr 4.1, the necessary functions to +- // do a non-blocking connect will be available +- +- // Preserve the non-blocking state of the socket +- PRBool nonblocking; +- PRSocketOptionData sockopt; +- sockopt.option = PR_SockOpt_Nonblocking; +- status = PR_GetSocketOption(fd, &sockopt); +- +- if (PR_SUCCESS != status) { +- LOGERROR(("PR_GetSocketOption() failed. status = %x.", status)); +- return status; +- } +- +- // Store blocking option +- nonblocking = sockopt.value.non_blocking; +- +- sockopt.option = PR_SockOpt_Nonblocking; +- sockopt.value.non_blocking = PR_FALSE; +- status = PR_SetSocketOption(fd, &sockopt); +- +- if (PR_SUCCESS != status) { +- LOGERROR(("PR_SetSocketOption() failed. status = %x.", status)); +- return status; +- } +- +- // Now setup sockopts, so we can restore the value later. +- sockopt.option = PR_SockOpt_Nonblocking; +- sockopt.value.non_blocking = nonblocking; +- +- // This connectWait should be long enough to connect to local proxy +- // servers, but not much longer. Since this protocol negotiation +- // uses blocking network calls, the app can appear to hang for a maximum +- // of this time if the user presses the STOP button during the SOCKS +- // connection negotiation. Note that this value only applies to the +- // connecting to the SOCKS server: once the SOCKS connection has been +- // established, the value is not used anywhere else. +- PRIntervalTime connectWait = PR_SecondsToInterval(10); +- +- // Connect to the proxy server. +- PRInt32 addresses = 0; +- do { +- rv = rec->GetNextAddr(info->ProxyPort(), &proxyAddr); +- if (NS_FAILED(rv)) { +- status = PR_FAILURE; +- break; +- } +- ++addresses; +- status = fd->lower->methods->connect(fd->lower, &proxyAddr, connectWait); +- } while (PR_SUCCESS != status); +- +- if (PR_SUCCESS != status) { +- LOGERROR(("Failed to TCP connect to the proxy server (%s): timeout = %d, status = %x, tried %d addresses.", proxyHost.get(), connectWait, status, addresses)); +- PR_SetSocketOption(fd, &sockopt); +- return status; +- } +- +- +- // We are now connected to the SOCKS proxy server. +- // Now we will negotiate a connection to the desired server. +- +- // External IP address returned from ConnectSOCKS5(). Not supported in SOCKS4. +- PRNetAddr extAddr; +- PR_InitializeNetAddr(PR_IpAddrNull, 0, &extAddr); +- +- NS_ASSERTION((socksVersion == 4) || (socksVersion == 5), "SOCKS Version must be selected"); +- +- // Try to connect via SOCKS 5. +- if (socksVersion == 5) { +- rv = ConnectSOCKS5(fd, addr, &extAddr, connectWait); +- +- if (NS_FAILED(rv)) { +- PR_SetSocketOption(fd, &sockopt); +- return PR_FAILURE; +- } +- +- } +- +- // Try to connect via SOCKS 4. +- else { +- rv = ConnectSOCKS4(fd, addr, connectWait); +- +- if (NS_FAILED(rv)) { +- PR_SetSocketOption(fd, &sockopt); +- return PR_FAILURE; +- } +- +- } +- +- +- info->SetDestinationAddr((PRNetAddr*)addr); +- info->SetExternalProxyAddr(&extAddr); +- +- // restore non-blocking option +- PR_SetSocketOption(fd, &sockopt); +- +- // we're set-up and connected. +- // this socket can be used as normal now. +- +- return PR_SUCCESS; ++ return fd->lower->methods->poll(fd->lower, in_flags, out_flags); + } + + static PRStatus + nsSOCKSIOLayerClose(PRFileDesc *fd) + { + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + PRDescIdentity id = PR_GetLayersIdentity(fd); + +@@ -880,16 +1115,18 @@ nsSOCKSIOLayerAddToSocket(PRInt32 family + + + if (firstTime) + { + nsSOCKSIOLayerIdentity = PR_GetUniqueIdentity("SOCKS layer"); + nsSOCKSIOLayerMethods = *PR_GetDefaultIOMethods(); + + nsSOCKSIOLayerMethods.connect = nsSOCKSIOLayerConnect; ++ nsSOCKSIOLayerMethods.connectcontinue = nsSOCKSIOLayerConnectContinue; ++ nsSOCKSIOLayerMethods.poll = nsSOCKSIOLayerPoll; + nsSOCKSIOLayerMethods.bind = nsSOCKSIOLayerBind; + nsSOCKSIOLayerMethods.acceptread = nsSOCKSIOLayerAcceptRead; + nsSOCKSIOLayerMethods.getsockname = nsSOCKSIOLayerGetName; + nsSOCKSIOLayerMethods.getpeername = nsSOCKSIOLayerGetPeerName; + nsSOCKSIOLayerMethods.accept = nsSOCKSIOLayerAccept; + nsSOCKSIOLayerMethods.listen = nsSOCKSIOLayerListen; + nsSOCKSIOLayerMethods.close = nsSOCKSIOLayerClose; +

1 0

r24432: {website} tbbs finally done uploading. bump all of their versions on t (website/trunk/include)
by Erinn Clark 24 Mar '11

24 Mar '11

Author: erinn Date: 2011-03-24 10:56:13 +0000 (Thu, 24 Mar 2011) New Revision: 24432 Modified: website/trunk/include/versions.wmi Log: tbbs finally done uploading. bump all of their versions on the website. Modified: website/trunk/include/versions.wmi =================================================================== --- website/trunk/include/versions.wmi 2011-03-24 08:46:00 UTC (rev 24431) +++ website/trunk/include/versions.wmi 2011-03-24 10:56:13 UTC (rev 24432) @@ -19,28 +19,28 @@ <define-tag version-osx-ppc-stable whitespace=delete>0.2.1.30</define-tag> <define-tag version-osx-ppc-alpha whitespace=delete>0.2.2.23-alpha</define-tag> -<define-tag version-torbrowserbundle whitespace=delete>1.3.20</define-tag> +<define-tag version-torbrowserbundle whitespace=delete>1.3.21</define-tag> <define-tag version-torbrowser-tor whitespace=delete>0.2.1.30</define-tag> <define-tag version-torbrowser-tor-components whitespace=delete>libevent-1.4.13, zlib-1.2.3, openssl-0.9.8p</define-tag> -<define-tag version-torbrowser-firefox whitespace=delete>3.6.15</define-tag> +<define-tag version-torbrowser-firefox whitespace=delete>3.6.16</define-tag> <define-tag version-torbrowser-torbutton whitespace=delete>1.2.5</define-tag> <define-tag version-torbrowser-polipo whitespace=delete>1.0.4.1</define-tag> <define-tag version-torbrowser-pidgin whitespace=delete>2.7.5</define-tag> <define-tag version-torbrowser-otr whitespace=delete>3.2</define-tag> <define-tag version-torbrowser-vidalia whitespace=delete>0.2.10</define-tag> -<define-tag version-torimbrowserbundle whitespace=delete>1.3.20</define-tag> +<define-tag version-torimbrowserbundle whitespace=delete>1.3.21</define-tag> -<define-tag version-torbrowserbundlelinux32 whitespace=delete>1.1.5</define-tag> -<define-tag version-torbrowserbundlelinux64 whitespace=delete>1.1.5</define-tag> +<define-tag version-torbrowserbundlelinux32 whitespace=delete>1.1.6</define-tag> +<define-tag version-torbrowserbundlelinux64 whitespace=delete>1.1.6</define-tag> <define-tag version-gnu-torbrowser-tor whitespace=delete>0.2.2.23-alpha</define-tag> -<define-tag version-gnu-torbrowser-tor-components whitespace=delete>libevent-1.4.13, zlib-1.2.3, openssl-0.9.8p</define-tag> -<define-tag version-gnu-torbrowser-firefox whitespace=delete>3.6.15</define-tag> +<define-tag version-gnu-torbrowser-tor-components whitespace=delete>libevent-2.0.10, zlib-1.2.3, openssl-0.9.8p</define-tag> +<define-tag version-gnu-torbrowser-firefox whitespace=delete>3.6.16</define-tag> <define-tag version-gnu-torbrowser-torbutton whitespace=delete>1.2.5</define-tag> <define-tag version-gnu-torbrowser-vidalia whitespace=delete>0.2.10</define-tag> -<define-tag version-torbrowserbundleosx whitespace=delete>1.0.13</define-tag> +<define-tag version-torbrowserbundleosx whitespace=delete>1.0.14</define-tag> <define-tag version-osx-torbrowser-tor whitespace=delete>0.2.2.23-alpha</define-tag> -<define-tag version-osx-torbrowser-firefox whitespace=delete>3.6.15</define-tag> +<define-tag version-osx-torbrowser-firefox whitespace=delete>3.6.16</define-tag> <define-tag version-osx-torbrowser-torbutton whitespace=delete>1.2.5</define-tag> <define-tag version-osx-torbrowser-polipo whitespace=delete>1.0.4.1</define-tag> <define-tag version-osx-torbrowser-vidalia whitespace=delete>0.2.10</define-tag>

1 0

r24431: {website} Fix MIME type of table-title-arrow-rtl.jpg (website/trunk/images)
by Robert Ransom 24 Mar '11

24 Mar '11

Author: rransom Date: 2011-03-24 08:46:00 +0000 (Thu, 24 Mar 2011) New Revision: 24431 Modified: website/trunk/images/table-title-arrow-rtl.jpg Log: Fix MIME type of table-title-arrow-rtl.jpg Property changes on: website/trunk/images/table-title-arrow-rtl.jpg ___________________________________________________________________ Added: svn:mime-type + image/jpeg

1 0