June 2011 - tor-commits - lists.torproject.org

[arm/master] Making interface panels optional
by atagar＠torproject.org 16 Jun '11

16 Jun '11

commit b9e004d7b2fff8ecfcf0fbf12bdb4e0e1982764f Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Jun 15 08:23:30 2011 -0700 Making interface panels optional Adding "features.panels.show.*" configuration options for including or excluding individual portions of the interface. --- armrc.sample | 7 +++++ src/cli/controller.py | 69 +++++++++++++++++++++++++++++------------------- 2 files changed, 49 insertions(+), 27 deletions(-) diff --git a/armrc.sample b/armrc.sample index 1eafe77..a81c9d8 100644 --- a/armrc.sample +++ b/armrc.sample @@ -11,6 +11,13 @@ queries.resourceUsage.rate 5 queries.connections.minRate 5 queries.refreshRate.rate 5 +# allows individual panels to be included/excluded +features.panels.show.graph true +features.panels.show.log true +features.panels.show.connection true +features.panels.show.config true +features.panels.show.torrc true + # Read the proc contents directly instead of calling ps, netstat, and other # resolvers. This provides very sizable performance benefits (around 90% # faster lookups) but this is only available on Linux. diff --git a/src/cli/controller.py b/src/cli/controller.py index b019f8e..feb7cf0 100644 --- a/src/cli/controller.py +++ b/src/cli/controller.py @@ -25,6 +25,11 @@ ARM_CONTROLLER = None CONFIG = {"startup.events": "N3", "startup.blindModeEnabled": False, + "features.panels.show.graph": True, + "features.panels.show.log": True, + "features.panels.show.connection": True, + "features.panels.show.config": True, + "features.panels.show.torrc": True, "features.redrawRate": 5, "features.confirmQuit": True, "features.graph.type": 1, @@ -60,22 +65,29 @@ def initController(stdscr, startTime): # initializes the panels stickyPanels = [cli.headerPanel.HeaderPanel(stdscr, startTime, config), LabelPanel(stdscr)] - pagePanels = [] + pagePanels, firstPagePanels = [], [] # first page: graph and log - expandedEvents = cli.logPanel.expandEvents(CONFIG["startup.events"]) - pagePanels.append([cli.graphing.graphPanel.GraphPanel(stdscr), - cli.logPanel.LogPanel(stdscr, expandedEvents, config)]) + if CONFIG["features.panels.show.graph"]: + firstPagePanels.append(cli.graphing.graphPanel.GraphPanel(stdscr)) + + if CONFIG["features.panels.show.log"]: + expandedEvents = cli.logPanel.expandEvents(CONFIG["startup.events"]) + firstPagePanels.append(cli.logPanel.LogPanel(stdscr, expandedEvents, config)) + + if firstPagePanels: pagePanels.append(firstPagePanels) # second page: connections - if not CONFIG["startup.blindModeEnabled"]: + if not CONFIG["startup.blindModeEnabled"] and CONFIG["features.panels.show.connection"]: pagePanels.append([cli.connections.connPanel.ConnectionPanel(stdscr, config)]) # third page: config - pagePanels.append([cli.configPanel.ConfigPanel(stdscr, cli.configPanel.State.TOR, config)]) + if CONFIG["features.panels.show.config"]: + pagePanels.append([cli.configPanel.ConfigPanel(stdscr, cli.configPanel.State.TOR, config)]) # fourth page: torrc - pagePanels.append([cli.torrcPanel.TorrcPanel(stdscr, cli.torrcPanel.Config.TORRC, config)]) + if CONFIG["features.panels.show.torrc"]: + pagePanels.append([cli.torrcPanel.TorrcPanel(stdscr, cli.torrcPanel.Config.TORRC, config)]) # initializes the controller ARM_CONTROLLER = Controller(stdscr, stickyPanels, pagePanels) @@ -83,23 +95,24 @@ def initController(stdscr, startTime): # additional configuration for the graph panel graphPanel = ARM_CONTROLLER.getPanel("graph") - # statistical monitors for graph - bwStats = cli.graphing.bandwidthStats.BandwidthStats(config) - graphPanel.addStats(GraphStat.BANDWIDTH, bwStats) - graphPanel.addStats(GraphStat.SYSTEM_RESOURCES, cli.graphing.resourceStats.ResourceStats()) - if not CONFIG["startup.blindModeEnabled"]: - graphPanel.addStats(GraphStat.CONNECTIONS, cli.graphing.connStats.ConnStats()) - - # sets graph based on config parameter - try: - initialStats = GRAPH_INIT_STATS.get(CONFIG["features.graph.type"]) - graphPanel.setStats(initialStats) - except ValueError: pass # invalid stats, maybe connections when in blind mode - - # prepopulates bandwidth values from state file - if CONFIG["features.graph.bw.prepopulate"]: - isSuccessful = bwStats.prepopulateFromState() - if isSuccessful: graphPanel.updateInterval = 4 + if graphPanel: + # statistical monitors for graph + bwStats = cli.graphing.bandwidthStats.BandwidthStats(config) + graphPanel.addStats(GraphStat.BANDWIDTH, bwStats) + graphPanel.addStats(GraphStat.SYSTEM_RESOURCES, cli.graphing.resourceStats.ResourceStats()) + if not CONFIG["startup.blindModeEnabled"]: + graphPanel.addStats(GraphStat.CONNECTIONS, cli.graphing.connStats.ConnStats()) + + # sets graph based on config parameter + try: + initialStats = GRAPH_INIT_STATS.get(CONFIG["features.graph.type"]) + graphPanel.setStats(initialStats) + except ValueError: pass # invalid stats, maybe connections when in blind mode + + # prepopulates bandwidth values from state file + if CONFIG["features.graph.bw.prepopulate"]: + isSuccessful = bwStats.prepopulateFromState() + if isSuccessful: graphPanel.updateInterval = 4 class LabelPanel(panel.Panel): """ @@ -259,9 +272,11 @@ class Controller: returnPage = self._page if pageNumber == None else pageNumber - if includeSticky: - return self._stickyPanels + self._pagePanels[returnPage] - else: return list(self._pagePanels[returnPage]) + if self._pagePanels: + if includeSticky: + return self._stickyPanels + self._pagePanels[returnPage] + else: return list(self._pagePanels[returnPage]) + else: return self._stickyPanels if includeSticky else [] def getDaemonPanels(self): """

1 0

[arm/master] fix: Lowering get_network_status call memory usage
by atagar＠torproject.org 16 Jun '11

16 Jun '11

commit 40580190efde4a645481da72571f2722c7aa8c8b Author: Damian Johnson <atagar(a)torproject.org> Date: Thu Jun 16 07:35:14 2011 -0700 fix: Lowering get_network_status call memory usage When generating the IP -> fingerprint mappings I call the TorCtl get_network_status function which generates a TorCtl.NetworkStatus instance for every relay that exists. Since all of the memory is allocated at once this increases the preceived memory footprint of arm by 3.5 MB. This is because even after the memory's freed the python allocator doesn't actually give the memory back: http://effbot.org/pyfaq/why-doesnt-python-release-the-memory-when-i-delete-… This uses (and relies) on a change in TorCtl to use an iterator instead to avoid this mass allocation: https://gitweb.torproject.org/atagar/pytorctl.git/commit/45d7753b7c947b1412… In practice this lowers arm's baseline memory usage by 2.5 MB (12%). --- src/util/torTools.py | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/util/torTools.py b/src/util/torTools.py index 8c18a9d..14f24a0 100644 --- a/src/util/torTools.py +++ b/src/util/torTools.py @@ -1637,7 +1637,7 @@ class Controller(TorCtl.PostEventListener): if self.isAlive(): # fetch the current network status if not provided if not nsList: - try: nsList = self.conn.get_network_status() + try: nsList = self.conn.get_network_status(getIterator=True) except (socket.error, TorCtl.TorCtlClosed, TorCtl.ErrorReply): nsList = [] # construct mappings of ips to relay data

1 0

[arm/master] Moving connection component fetching to TorCtl
by atagar＠torproject.org 16 Jun '11

16 Jun '11

commit 26231dd6ccddc0659acb295a68b972d2ad979bab Author: Damian Johnson <atagar(a)torproject.org> Date: Thu Jun 16 07:58:00 2011 -0700 Moving connection component fetching to TorCtl The TorCtl.connect method is highly inflexable... https://trac.torproject.org/projects/tor/ticket/3409 so I've been using a custom implementation that duplicated most of the work that TorCtl was already doing. I've moved this higher visability version into TorCtl to negate the need for this hack. This relies on the following TorCtl change: https://gitweb.torproject.org/atagar/pytorctl.git/commit/565e18a6ff6189dd11… --- src/cli/headerPanel.py | 6 ++++-- src/starter.py | 4 ++-- src/util/torTools.py | 42 ------------------------------------------ 3 files changed, 6 insertions(+), 46 deletions(-) diff --git a/src/cli/headerPanel.py b/src/cli/headerPanel.py index decf975..93930b1 100644 --- a/src/cli/headerPanel.py +++ b/src/cli/headerPanel.py @@ -19,6 +19,8 @@ import time import curses import threading +import TorCtl.TorCtl + import cli.popups from util import log, panel, sysTools, torTools, uiTools @@ -117,9 +119,9 @@ class HeaderPanel(panel.Panel, threading.Thread): if key in (ord('r'), ord('R')) and not self._isTorConnected: try: ctlAddr, ctlPort = self._config["startup.interface.ipAddress"], self._config["startup.interface.port"] - tmpConn, authType, authValue = torTools.getConnectionComponents(ctlAddr, ctlPort) + tmpConn, authType, authValue = TorCtl.TorCtl.connectionComp(ctlAddr, ctlPort) - if authType == torTools.AUTH_TYPE.PASSWORD: + if authType == TorCtl.TorCtl.AUTH_TYPE.PASSWORD: authValue = cli.popups.inputPrompt("Controller Password: ") if not authValue: raise IOError() # cancel reconnection diff --git a/src/starter.py b/src/starter.py index d2ac910..94bb30b 100644 --- a/src/starter.py +++ b/src/starter.py @@ -358,9 +358,9 @@ if __name__ == '__main__': # making this a much bigger hack). try: - tmpConn, authType, cookiePath = util.torTools.getConnectionComponents(controlAddr, controlPort) + tmpConn, authType, cookiePath = TorCtl.TorCtl.connectionComp(controlAddr, controlPort) - if authType == util.torTools.AUTH_TYPE.COOKIE: + if authType == TorCtl.TorCtl.AUTH_TYPE.COOKIE: torPid = util.torTools.getPid(controlPort) if torPid and cookiePath[0] != "/": diff --git a/src/util/torTools.py b/src/util/torTools.py index 14f24a0..d0d658a 100644 --- a/src/util/torTools.py +++ b/src/util/torTools.py @@ -20,9 +20,6 @@ from util import enum, log, procTools, sysTools, uiTools # CLOSED - control port closed State = enum.Enum("INIT", "CLOSED") -# enums for authentication on the tor control port -AUTH_TYPE = enum.Enum("NONE", "COOKIE", "PASSWORD") - # Addresses of the default directory authorities for tor version 0.2.3.0-alpha # (this comes from the dirservers array in src/or/config.c). DIR_SERVERS = [("86.59.21.38", "80"), # tor26 @@ -298,45 +295,6 @@ def parseVersion(versionStr): return result -def getConnectionComponents(controlAddr="127.0.0.1", controlPort=9051): - """ - Provides an uninitiated torctl connection for the control port. This returns - a tuple with the... - (torctl connection, authType, authValue) - - The authValue corresponds to the cookie path if using an authentication - cookie. Otherwise this is the empty string. This raises an IOError if unable - to connect. - - Arguments: - controlAddr - ip address belonging to the controller - controlPort - port belonging to the controller - """ - - try: - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.connect((controlAddr, controlPort)) - conn = TorCtl.Connection(s) - authType, authValue = conn.get_auth_type(), "" - - if authType == TorCtl.AUTH_TYPE.COOKIE: - authValue = conn.get_auth_cookie_path() - - # converts to our enum type - if authType == TorCtl.AUTH_TYPE.NONE: - authType = AUTH_TYPE.NONE - elif authType == TorCtl.AUTH_TYPE.COOKIE: - authType = AUTH_TYPE.COOKIE - elif authType == TorCtl.AUTH_TYPE.PASSWORD: - authType = AUTH_TYPE.PASSWORD - - return (conn, authType, authValue) - except socket.error, exc: - if "Connection refused" in exc.args: - raise IOError("Connection refused. Is the ControlPort enabled?") - else: raise IOError("Failed to establish socket: %s" % exc) - except Exception, exc: raise IOError(exc) - def getConn(): """ Singleton constructor for a Controller. Be aware that this starts as being

1 0

[torbrowser/maint-2.2] update firefox build target so that it really builds things automatically
by erinn＠torproject.org 16 Jun '11

16 Jun '11

commit c2da9ee4f34b7339395ec7ace064c1880af68049 Author: Erinn Clark <erinn(a)torproject.org> Date: Wed Jun 15 21:55:24 2011 -0300 update firefox build target so that it really builds things automatically --- build-scripts/osx.mk | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/build-scripts/osx.mk b/build-scripts/osx.mk index 12d790c..1fa698f 100644 --- a/build-scripts/osx.mk +++ b/build-scripts/osx.mk @@ -101,8 +101,13 @@ build-tor: cd $(TOR_DIR) && make cd $(TOR_DIR) && make install +FIREFOX_DIR=$(FETCH_DIR)/mozilla-2.0 build-firefox: - echo "We're using a prebuilt firefox. Fix this someday!" + cp ../src/current-patches/*firefox* $(FIREFOX_DIR) + cp patch-firefox-src.sh $(FIREFOX_DIR) + cp $(CONFIG_SRC)/mozconfig-osx-$(ARCH_TYPE) $(FIREFOX_DIR)/mozconfig + cd $(FIREFOX_DIR) && ./patch-firefox-src.sh + cd $(FIREFOX_DIR) && make -f client.mk build build-all-binaries: build-zlib build-openssl build-vidalia build-libevent build-tor echo "If we're here, we've done something right."

1 0

[torbrowser/maint-2.2] add small shell script for applying firefox patches and number the socks patch
by erinn＠torproject.org 16 Jun '11

16 Jun '11

commit b58e8ff774b8db34b784ff6b3cf339ae2f83f7e0 Author: Erinn Clark <erinn(a)torproject.org> Date: Wed Jun 15 21:53:15 2011 -0300 add small shell script for applying firefox patches and number the socks patch --- build-scripts/patch-firefox-src.sh | 6 + .../001-firefox-4.0-non-blocking-socks.patch | 1637 ++++++++++++++++++++ .../non-blocking-socks-firefox-4.0.patch | 1637 -------------------- 3 files changed, 1643 insertions(+), 1637 deletions(-) diff --git a/build-scripts/patch-firefox-src.sh b/build-scripts/patch-firefox-src.sh new file mode 100755 index 0000000..602612a --- /dev/null +++ b/build-scripts/patch-firefox-src.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +# Cycle through available patches for Firefox and apply them in order. Fail if +# any of them don't apply cleanly. + +for i in *patch; do patch -tp1 <$i || exit 1; done diff --git a/src/current-patches/001-firefox-4.0-non-blocking-socks.patch b/src/current-patches/001-firefox-4.0-non-blocking-socks.patch new file mode 100644 index 0000000..cf5aeae --- /dev/null +++ b/src/current-patches/001-firefox-4.0-non-blocking-socks.patch @@ -0,0 +1,1637 @@ +--- a/netwerk/base/src/nsSocketTransport2.cpp ++++ a/netwerk/base/src/nsSocketTransport2.cpp +@@ -1222,16 +1222,26 @@ nsSocketTransport::InitiateSocket() + // connection... wouldn't we need to call ProxyStartSSL after a call + // to PR_ConnectContinue indicates that we are connected? + // + // XXX this appears to be what the old socket transport did. why + // isn't this broken? + } + } + // ++ // A SOCKS request was rejected; get the actual error code from ++ // the OS error ++ // ++ else if (PR_UNKNOWN_ERROR == code && ++ mProxyTransparent && ++ !mProxyHost.IsEmpty()) { ++ code = PR_GetOSError(); ++ rv = ErrorAccordingToNSPR(code); ++ } ++ // + // The connection was refused... + // + else { + rv = ErrorAccordingToNSPR(code); + if ((rv == NS_ERROR_CONNECTION_REFUSED) && !mProxyHost.IsEmpty()) + rv = NS_ERROR_PROXY_CONNECTION_REFUSED; + } + } +@@ -1544,17 +1554,26 @@ nsSocketTransport::OnSocketReady(PRFileD + // + // If the connect is still not ready, then continue polling... + // + if ((PR_WOULD_BLOCK_ERROR == code) || (PR_IN_PROGRESS_ERROR == code)) { + // Set up the select flags for connect... + mPollFlags = (PR_POLL_EXCEPT | PR_POLL_WRITE); + // Update poll timeout in case it was changed + mPollTimeout = mTimeouts[TIMEOUT_CONNECT]; +- } ++ } ++ // ++ // The SOCKS proxy rejected our request. Find out why. ++ // ++ else if (PR_UNKNOWN_ERROR == code && ++ mProxyTransparent && ++ !mProxyHost.IsEmpty()) { ++ code = PR_GetOSError(); ++ mCondition = ErrorAccordingToNSPR(code); ++ } + else { + // + // else, the connection failed... + // + mCondition = ErrorAccordingToNSPR(code); + if ((mCondition == NS_ERROR_CONNECTION_REFUSED) && !mProxyHost.IsEmpty()) + mCondition = NS_ERROR_PROXY_CONNECTION_REFUSED; + SOCKET_LOG((" connection failed! [reason=%x]\n", mCondition)); +--- a/netwerk/socket/nsSOCKSIOLayer.cpp ++++ a/netwerk/socket/nsSOCKSIOLayer.cpp +@@ -20,16 +20,17 @@ + * Portions created by the Initial Developer are Copyright (C) 1998 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Justin Bradford <jab(a)atdot.org> + * Bradley Baetz <bbaetz(a)acm.org> + * Darin Fisher <darin(a)meer.net> + * Malcolm Smith <malsmith(a)cs.rmit.edu.au> ++ * Christopher Davis <chrisd(a)torproject.org> + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your +@@ -63,51 +64,115 @@ static PRLogModuleInfo *gSOCKSLog; + + #else + #define LOGDEBUG(args) + #define LOGERROR(args) + #endif + + class nsSOCKSSocketInfo : public nsISOCKSSocketInfo + { ++ enum State { ++ SOCKS_INITIAL, ++ SOCKS_CONNECTING_TO_PROXY, ++ SOCKS4_WRITE_CONNECT_REQUEST, ++ SOCKS4_READ_CONNECT_RESPONSE, ++ SOCKS5_WRITE_AUTH_REQUEST, ++ SOCKS5_READ_AUTH_RESPONSE, ++ SOCKS5_WRITE_CONNECT_REQUEST, ++ SOCKS5_READ_CONNECT_RESPONSE_TOP, ++ SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, ++ SOCKS_CONNECTED, ++ SOCKS_FAILED ++ }; ++ ++ // A buffer of 262 bytes should be enough for any request and response ++ // in case of SOCKS4 as well as SOCKS5 ++ static const PRUint32 BUFFER_SIZE = 262; ++ static const PRUint32 MAX_HOSTNAME_LEN = 255; ++ + public: + nsSOCKSSocketInfo(); +- virtual ~nsSOCKSSocketInfo() {} ++ virtual ~nsSOCKSSocketInfo() { HandshakeFinished(); } + + NS_DECL_ISUPPORTS + NS_DECL_NSISOCKSSOCKETINFO + + void Init(PRInt32 version, + const char *proxyHost, + PRInt32 proxyPort, + const char *destinationHost, + PRUint32 flags); + +- const nsCString &DestinationHost() { return mDestinationHost; } +- const nsCString &ProxyHost() { return mProxyHost; } +- PRInt32 ProxyPort() { return mProxyPort; } +- PRInt32 Version() { return mVersion; } +- PRUint32 Flags() { return mFlags; } ++ void SetConnectTimeout(PRIntervalTime to); ++ PRStatus DoHandshake(PRFileDesc *fd, PRInt16 oflags = -1); ++ PRInt16 GetPollFlags() const; ++ bool IsConnected() const { return mState == SOCKS_CONNECTED; } + + private: ++ void HandshakeFinished(PRErrorCode err = 0); ++ PRStatus ConnectToProxy(PRFileDesc *fd); ++ PRStatus ContinueConnectingToProxy(PRFileDesc *fd, PRInt16 oflags); ++ PRStatus WriteV4ConnectRequest(); ++ PRStatus ReadV4ConnectResponse(); ++ PRStatus WriteV5AuthRequest(); ++ PRStatus ReadV5AuthResponse(); ++ PRStatus WriteV5ConnectRequest(); ++ PRStatus ReadV5AddrTypeAndLength(PRUint8 *type, PRUint32 *len); ++ PRStatus ReadV5ConnectResponseTop(); ++ PRStatus ReadV5ConnectResponseBottom(); ++ ++ void WriteUint8(PRUint8 d); ++ void WriteUint16(PRUint16 d); ++ void WriteUint32(PRUint32 d); ++ void WriteNetAddr(const PRNetAddr *addr); ++ void WriteNetPort(const PRNetAddr *addr); ++ void WriteString(const nsACString &str); ++ ++ PRUint8 ReadUint8(); ++ PRUint16 ReadUint16(); ++ PRUint32 ReadUint32(); ++ void ReadNetAddr(PRNetAddr *addr, PRUint16 fam); ++ void ReadNetPort(PRNetAddr *addr); ++ ++ void WantRead(PRUint32 sz); ++ PRStatus ReadFromSocket(PRFileDesc *fd); ++ PRStatus WriteToSocket(PRFileDesc *fd); ++ ++private: ++ State mState; ++ PRUint8 * mData; ++ PRUint8 * mDataIoPtr; ++ PRUint32 mDataLength; ++ PRUint32 mReadOffset; ++ PRUint32 mAmountToRead; ++ nsCOMPtr<nsIDNSRecord> mDnsRec; ++ + nsCString mDestinationHost; + nsCString mProxyHost; + PRInt32 mProxyPort; + PRInt32 mVersion; // SOCKS version 4 or 5 + PRUint32 mFlags; + PRNetAddr mInternalProxyAddr; + PRNetAddr mExternalProxyAddr; + PRNetAddr mDestinationAddr; ++ PRIntervalTime mTimeout; + }; + + nsSOCKSSocketInfo::nsSOCKSSocketInfo() +- : mProxyPort(-1) ++ : mState(SOCKS_INITIAL) ++ , mDataIoPtr(nsnull) ++ , mDataLength(0) ++ , mReadOffset(0) ++ , mAmountToRead(0) ++ , mProxyPort(-1) + , mVersion(-1) + , mFlags(0) ++ , mTimeout(PR_INTERVAL_NO_TIMEOUT) + { ++ mData = new PRUint8[BUFFER_SIZE]; + PR_InitializeNetAddr(PR_IpAddrAny, 0, &mInternalProxyAddr); + PR_InitializeNetAddr(PR_IpAddrAny, 0, &mExternalProxyAddr); + PR_InitializeNetAddr(PR_IpAddrAny, 0, &mDestinationAddr); + } + + void + nsSOCKSSocketInfo::Init(PRInt32 version, const char *proxyHost, PRInt32 proxyPort, const char *host, PRUint32 flags) + { +@@ -157,647 +222,817 @@ nsSOCKSSocketInfo::GetInternalProxyAddr( + + NS_IMETHODIMP + nsSOCKSSocketInfo::SetInternalProxyAddr(PRNetAddr *aInternalProxyAddr) + { + memcpy(&mInternalProxyAddr, aInternalProxyAddr, sizeof(PRNetAddr)); + return NS_OK; + } + +-static PRInt32 +-pr_RecvAll(PRFileDesc *fd, unsigned char *buf, PRInt32 amount, PRIntn flags, +- PRIntervalTime *timeout) ++// There needs to be a means of distinguishing between connection errors ++// that the SOCKS server reports when it rejects a connection request, and ++// connection errors that happen while attempting to connect to the SOCKS ++// server. Otherwise, Firefox will report incorrectly that the proxy server ++// is refusing connections when a SOCKS request is rejected by the proxy. ++// When a SOCKS handshake failure occurs, the PR error is set to ++// PR_UNKNOWN_ERROR, and the real error code is returned via the OS error. ++void ++nsSOCKSSocketInfo::HandshakeFinished(PRErrorCode err) + { +- PRInt32 bytesRead = 0; +- PRInt32 offset = 0; ++ if (err == 0) { ++ mState = SOCKS_CONNECTED; ++ } else { ++ mState = SOCKS_FAILED; ++ PR_SetError(PR_UNKNOWN_ERROR, err); ++ } + +- while (offset < amount) { +- PRIntervalTime start_time = PR_IntervalNow(); +- bytesRead = PR_Recv(fd, buf + offset, amount - offset, flags, *timeout); +- PRIntervalTime elapsed = PR_IntervalNow() - start_time; +- +- if (elapsed > *timeout) { +- *timeout = 0; +- } else { +- *timeout -= elapsed; +- } +- +- if (bytesRead > 0) { +- offset += bytesRead; +- } else if (bytesRead == 0 || offset != 0) { +- return offset; +- } else { +- return bytesRead; +- } +- +- if (*timeout == 0) { +- LOGERROR(("PR_Recv() timed out. amount = %d. offset = %d.", +- amount, offset)); +- return offset; +- } +- } +- return offset; ++ // We don't need the buffer any longer, so free it. ++ delete [] mData; ++ mData = nsnull; ++ mDataIoPtr = nsnull; ++ mDataLength = 0; ++ mReadOffset = 0; ++ mAmountToRead = 0; + } + +-static PRInt32 +-pr_Send(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, +- PRIntervalTime *timeout) ++PRStatus ++nsSOCKSSocketInfo::ConnectToProxy(PRFileDesc *fd) + { +- PRIntervalTime start_time = PR_IntervalNow(); +- PRInt32 retval = PR_Send(fd, buf, amount, flags, *timeout); +- PRIntervalTime elapsed = PR_IntervalNow() - start_time; ++ PRStatus status; ++ nsresult rv; + +- if (elapsed > *timeout) { +- *timeout = 0; +- LOGERROR(("PR_Send() timed out. amount = %d. retval = %d.", +- amount, retval)); +- return retval; +- } else { +- *timeout -= elapsed; +- } ++ NS_ABORT_IF_FALSE(mState == SOCKS_INITIAL, ++ "Must be in initial state to make connection!"); + +- if (retval <= 0) { +- LOGERROR(("PR_Send() failed. amount = %d. retval = %d.", +- amount, retval)); +- } ++ // If we haven't performed the DNS lookup, do that now. ++ if (!mDnsRec) { ++ nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID); ++ if (!dns) ++ return PR_FAILURE; + +- return retval; +-} +- +-// Negotiate a SOCKS 5 connection. Assumes the TCP connection to the socks +-// server port has been established. +-static nsresult +-ConnectSOCKS5(PRFileDesc *fd, const PRNetAddr *addr, PRNetAddr *extAddr, PRIntervalTime timeout) +-{ +- int request_len = 0; +- int response_len = 0; +- int desired_len = 0; +- unsigned char request[22]; +- unsigned char response[262]; +- +- NS_ENSURE_TRUE(fd, NS_ERROR_NOT_INITIALIZED); +- NS_ENSURE_TRUE(addr, NS_ERROR_NOT_INITIALIZED); +- NS_ENSURE_TRUE(extAddr, NS_ERROR_NOT_INITIALIZED); +- +- request[0] = 0x05; // SOCKS version 5 +- request[1] = 0x01; // number of auth procotols we recognize +- // auth protocols +- request[2] = 0x00; // no authentication required +- // compliant implementations MUST implement GSSAPI +- // and SHOULD implement username/password and MAY +- // implement CHAP +- // TODO: we don't implement these +- //request[3] = 0x01; // GSSAPI +- //request[4] = 0x02; // username/password +- //request[5] = 0x03; // CHAP +- +- request_len = 2 + request[1]; +- int write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- return NS_ERROR_FAILURE; +- } +- +- // get the server's response. +- desired_len = 2; +- response_len = pr_RecvAll(fd, response, desired_len, 0, &timeout); +- +- if (response_len < desired_len) { +- LOGERROR(("pr_RecvAll() failed. response_len = %d.", response_len)); +- return NS_ERROR_FAILURE; +- } +- +- if (response[0] != 0x05) { +- // it's a either not SOCKS or not our version +- LOGERROR(("Not a SOCKS 5 reply. Expected: 5; received: %x", response[0])); +- return NS_ERROR_FAILURE; +- } +- switch (response[1]) { +- case 0x00: +- // no auth +- break; +- case 0x01: +- // GSSAPI +- // TODO: implement +- LOGERROR(("Server want to use GSSAPI to authenticate, but we don't support it.")); +- return NS_ERROR_FAILURE; +- case 0x02: +- // username/password +- // TODO: implement +- LOGERROR(("Server want to use username/password to authenticate, but we don't support it.")); +- return NS_ERROR_FAILURE; +- case 0x03: +- // CHAP +- // TODO: implement? +- LOGERROR(("Server want to use CHAP to authenticate, but we don't support it.")); +- return NS_ERROR_FAILURE; +- default: +- // unrecognized auth method +- LOGERROR(("Uncrecognized authentication method received: %x", response[1])); +- return NS_ERROR_FAILURE; +- } +- +- // we are now authenticated, so lets tell +- // the server where to connect to +- +- request_len = 0; +- +- request[0] = 0x05; // SOCKS version 5 +- request[1] = 0x01; // CONNECT command +- request[2] = 0x00; // obligatory reserved field (perfect for MS tampering!) +- +- // get destination port +- PRInt32 destPort = PR_ntohs(PR_NetAddrInetPort(addr)); +- nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; +- +- if (info->Flags() & nsISocketProvider::PROXY_RESOLVES_HOST) { +- +- LOGDEBUG(("using server to resolve hostnames rather than resolving it first\n")); +- +- // if the PROXY_RESOLVES_HOST flag is set, we assume +- // that the transport wants us to pass the SOCKS server the +- // hostname and port and let it do the name resolution. +- +- // the real destination hostname and port was stored +- // in our info object earlier when this layer was created. +- +- const nsCString& destHost = info->DestinationHost(); +- +- LOGDEBUG(("host:port -> %s:%li", destHost.get(), destPort)); +- +- request[3] = 0x03; // encoding of destination address (3 == hostname) +- +- int host_len = destHost.Length(); +- if (host_len > 255) { +- // SOCKS5 transmits the length of the hostname in a single char. +- // This gives us an absolute limit of 255 chars in a hostname, and +- // there's nothing we can do to extend it. I don't think many +- // hostnames will ever be bigger than this, so hopefully it's an +- // uneventful abort condition. +- LOGERROR (("Hostname too big for SOCKS5.")); +- return NS_ERROR_INVALID_ARG; +- } +- request[4] = (char) host_len; +- request_len = 5; +- +- // Send the initial header first... +- write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- // bad write +- return NS_ERROR_FAILURE; +- } +- +- // Now send the hostname... +- write_len = pr_Send(fd, destHost.get(), host_len, 0, &timeout); +- if (write_len != host_len) { +- // bad write +- return NS_ERROR_FAILURE; +- } +- +- // There's no data left because we just sent it. +- request_len = 0; +- +- } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { +- +- request[3] = 0x01; // encoding of destination address (1 == IPv4) +- request_len = 8; // 4 for address, 4 SOCKS headers +- +- char * ip = (char*)(&addr->inet.ip); +- request[4] = *ip++; +- request[5] = *ip++; +- request[6] = *ip++; +- request[7] = *ip++; +- +- } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { +- +- request[3] = 0x04; // encoding of destination address (4 == IPv6) +- request_len = 20; // 16 for address, 4 SOCKS headers +- +- char * ip = (char*)(&addr->ipv6.ip.pr_s6_addr); +- request[4] = *ip++; request[5] = *ip++; +- request[6] = *ip++; request[7] = *ip++; +- request[8] = *ip++; request[9] = *ip++; +- request[10] = *ip++; request[11] = *ip++; +- request[12] = *ip++; request[13] = *ip++; +- request[14] = *ip++; request[15] = *ip++; +- request[16] = *ip++; request[17] = *ip++; +- request[18] = *ip++; request[19] = *ip++; +- +- // we're going to test to see if this address can +- // be mapped back into IPv4 without loss. if so, +- // we'll use IPv4 instead, as reliable SOCKS server +- // support for IPv6 is probably questionable. +- +- if (PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { +- request[3] = 0x01; // ipv4 encoding +- request[4] = request[16]; +- request[5] = request[17]; +- request[6] = request[18]; +- request[7] = request[19]; +- request_len -= 12; +- } +- } else { +- // Unknown address type +- LOGERROR(("Don't know what kind of IP address this is.")); +- return NS_ERROR_FAILURE; +- } +- +- // add the destination port to the request +- request[request_len] = (unsigned char)(destPort >> 8); +- request[request_len+1] = (unsigned char)destPort; +- request_len += 2; +- +- write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- // bad write +- return NS_ERROR_FAILURE; +- } +- +- desired_len = 5; +- response_len = pr_RecvAll(fd, response, desired_len, 0, &timeout); +- if (response_len < desired_len) { // bad read +- LOGERROR(("pr_RecvAll() failed getting connect command reply. response_len = %d.", response_len)); +- return NS_ERROR_FAILURE; +- } +- +- if (response[0] != 0x05) { +- // bad response +- LOGERROR(("Not a SOCKS 5 reply. Expected: 5; received: %x", response[0])); +- return NS_ERROR_FAILURE; +- } +- +- switch(response[1]) { +- case 0x00: break; // success +- case 0x01: LOGERROR(("SOCKS 5 server rejected connect request: 01, General SOCKS server failure.")); +- return NS_ERROR_FAILURE; +- case 0x02: LOGERROR(("SOCKS 5 server rejected connect request: 02, Connection not allowed by ruleset.")); +- return NS_ERROR_FAILURE; +- case 0x03: LOGERROR(("SOCKS 5 server rejected connect request: 03, Network unreachable.")); +- return NS_ERROR_FAILURE; +- case 0x04: LOGERROR(("SOCKS 5 server rejected connect request: 04, Host unreachable.")); +- return NS_ERROR_FAILURE; +- case 0x05: LOGERROR(("SOCKS 5 server rejected connect request: 05, Connection refused.")); +- return NS_ERROR_FAILURE; +- case 0x06: LOGERROR(("SOCKS 5 server rejected connect request: 06, TTL expired.")); +- return NS_ERROR_FAILURE; +- case 0x07: LOGERROR(("SOCKS 5 server rejected connect request: 07, Command not supported.")); +- return NS_ERROR_FAILURE; +- case 0x08: LOGERROR(("SOCKS 5 server rejected connect request: 08, Address type not supported.")); +- return NS_ERROR_FAILURE; +- default: LOGERROR(("SOCKS 5 server rejected connect request: %x.", response[1])); +- return NS_ERROR_FAILURE; +- +- +- } +- +- switch (response[3]) { +- case 0x01: // IPv4 +- desired_len = 4 + 2 - 1; +- break; +- case 0x03: // FQDN +- desired_len = response[4] + 2; +- break; +- case 0x04: // IPv6 +- desired_len = 16 + 2 - 1; +- break; +- default: // unknown format +- return NS_ERROR_FAILURE; +- break; +- } +- response_len = pr_RecvAll(fd, response + 5, desired_len, 0, &timeout); +- if (response_len < desired_len) { // bad read +- LOGERROR(("pr_RecvAll() failed getting connect command reply. response_len = %d.", response_len)); +- return NS_ERROR_FAILURE; +- } +- response_len += 5; +- +- // get external bound address (this is what +- // the outside world sees as "us") +- char *ip = nsnull; +- PRUint16 extPort = 0; +- +- switch (response[3]) { +- case 0x01: // IPv4 +- +- extPort = (response[8] << 8) | response[9]; +- +- PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET, extPort, extAddr); +- +- ip = (char*)(&extAddr->inet.ip); +- *ip++ = response[4]; +- *ip++ = response[5]; +- *ip++ = response[6]; +- *ip++ = response[7]; +- +- break; +- case 0x04: // IPv6 +- +- extPort = (response[20] << 8) | response[21]; +- +- PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, extPort, extAddr); +- +- ip = (char*)(&extAddr->ipv6.ip.pr_s6_addr); +- *ip++ = response[4]; *ip++ = response[5]; +- *ip++ = response[6]; *ip++ = response[7]; +- *ip++ = response[8]; *ip++ = response[9]; +- *ip++ = response[10]; *ip++ = response[11]; +- *ip++ = response[12]; *ip++ = response[13]; +- *ip++ = response[14]; *ip++ = response[15]; +- *ip++ = response[16]; *ip++ = response[17]; +- *ip++ = response[18]; *ip++ = response[19]; +- +- break; +- case 0x03: // FQDN +- // if we get here, we don't know our external address. +- // however, as that's possibly not critical to the user, +- // we let it slide. +- extPort = (response[response_len - 2] << 8) | +- response[response_len - 1]; +- PR_InitializeNetAddr(PR_IpAddrNull, extPort, extAddr); +- break; +- } +- return NS_OK; +-} +- +-// Negotiate a SOCKS 4 connection. Assumes the TCP connection to the socks +-// server port has been established. +-static nsresult +-ConnectSOCKS4(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime timeout) +-{ +- int request_len = 0; +- int write_len; +- int response_len = 0; +- int desired_len = 0; +- char *ip = nsnull; +- unsigned char request[12]; +- unsigned char response[10]; +- +- NS_ENSURE_TRUE(fd, NS_ERROR_NOT_INITIALIZED); +- NS_ENSURE_TRUE(addr, NS_ERROR_NOT_INITIALIZED); +- +- request[0] = 0x04; // SOCKS version 4 +- request[1] = 0x01; // CD command code -- 1 for connect +- +- // destination port +- PRInt32 destPort = PR_ntohs(PR_NetAddrInetPort(addr)); +- +- // store the port +- request[2] = (unsigned char)(destPort >> 8); +- request[3] = (unsigned char)destPort; +- +- // username +- request[8] = 'M'; +- request[9] = 'O'; +- request[10] = 'Z'; +- +- request[11] = 0x00; +- +- request_len = 12; +- +- nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; +- +- if (info->Flags() & nsISocketProvider::PROXY_RESOLVES_HOST) { +- +- LOGDEBUG(("using server to resolve hostnames rather than resolving it first\n")); +- +- // if the PROXY_RESOLVES_HOST flag is set, we assume that the +- // transport wants us to pass the SOCKS server the hostname +- // and port and let it do the name resolution. +- +- // an extension to SOCKS 4, called 4a, specifies a way +- // to do this, so we'll try that and hope the +- // server supports it. +- +- // the real destination hostname and port was stored +- // in our info object earlier when this layer was created. +- +- const nsCString& destHost = info->DestinationHost(); +- +- LOGDEBUG(("host:port -> %s:%li\n", destHost.get(), destPort)); +- +- // the IP portion of the query is set to this special address. +- request[4] = 0; +- request[5] = 0; +- request[6] = 0; +- request[7] = 1; +- +- write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- return NS_ERROR_FAILURE; +- } +- +- // Remember the NULL. +- int host_len = destHost.Length() + 1; +- +- write_len = pr_Send(fd, destHost.get(), host_len, 0, &timeout); +- if (write_len != host_len) { +- return NS_ERROR_FAILURE; +- } +- +- // No data to send, just sent it. +- request_len = 0; +- +- } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { // IPv4 +- +- // store the ip +- ip = (char*)(&addr->inet.ip); +- request[4] = *ip++; +- request[5] = *ip++; +- request[6] = *ip++; +- request[7] = *ip++; +- +- } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { // IPv6 +- +- // IPv4 address encoded in an IPv6 address +- if (PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { +- // store the ip +- ip = (char*)(&addr->ipv6.ip.pr_s6_addr[12]); +- request[4] = *ip++; +- request[5] = *ip++; +- request[6] = *ip++; +- request[7] = *ip++; +- } else { +- LOGERROR(("IPv6 is not supported in SOCKS 4.")); +- return NS_ERROR_FAILURE; // SOCKS 4 can't do IPv6 +- } +- +- } else { +- LOGERROR(("Don't know what kind of IP address this is.")); +- return NS_ERROR_FAILURE; // don't recognize this type +- } +- +- if (request_len > 0) { +- write_len = pr_Send(fd, request, request_len, 0, &timeout); +- if (write_len != request_len) { +- return NS_ERROR_FAILURE; ++ rv = dns->Resolve(mProxyHost, 0, getter_AddRefs(mDnsRec)); ++ if (NS_FAILED(rv)) { ++ LOGERROR(("socks: DNS lookup for SOCKS proxy %s failed", ++ mProxyHost.get())); ++ return PR_FAILURE; + } + } + +- // get the server's response +- desired_len = 8; // size of the response +- response_len = pr_RecvAll(fd, response, desired_len, 0, &timeout); +- if (response_len < desired_len) { +- LOGERROR(("pr_RecvAll() failed. response_len = %d.", response_len)); +- return NS_ERROR_FAILURE; ++ do { ++ rv = mDnsRec->GetNextAddr(mProxyPort, &mInternalProxyAddr); ++ // No more addresses to try? If so, we'll need to bail ++ if (NS_FAILED(rv)) { ++ LOGERROR(("socks: unable to connect to SOCKS proxy, %s", ++ mProxyHost.get())); ++ return PR_FAILURE; ++ } ++ ++#if defined(PR_LOGGING) ++ char buf[64]; ++ PR_NetAddrToString(&mInternalProxyAddr, buf, sizeof(buf)); ++ LOGDEBUG(("socks: trying proxy server, %s:%hu", ++ buf, PR_ntohs(PR_NetAddrInetPort(&mInternalProxyAddr)))); ++#endif ++ status = fd->lower->methods->connect(fd->lower, ++ &mInternalProxyAddr, mTimeout); ++ if (status != PR_SUCCESS) { ++ PRErrorCode c = PR_GetError(); ++ // If EINPROGRESS, return now and check back later after polling ++ if (c == PR_WOULD_BLOCK_ERROR || c == PR_IN_PROGRESS_ERROR) { ++ mState = SOCKS_CONNECTING_TO_PROXY; ++ return status; ++ } ++ } ++ } while (status != PR_SUCCESS); ++ ++ // Connected now, start SOCKS ++ if (mVersion == 4) ++ return WriteV4ConnectRequest(); ++ return WriteV5AuthRequest(); ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ContinueConnectingToProxy(PRFileDesc *fd, PRInt16 oflags) ++{ ++ PRStatus status; ++ ++ NS_ABORT_IF_FALSE(mState == SOCKS_CONNECTING_TO_PROXY, ++ "Continuing connection in wrong state!"); ++ ++ LOGDEBUG(("socks: continuing connection to proxy")); ++ ++ status = fd->lower->methods->connectcontinue(fd->lower, oflags); ++ if (status != PR_SUCCESS) { ++ PRErrorCode c = PR_GetError(); ++ if (c != PR_WOULD_BLOCK_ERROR && c != PR_IN_PROGRESS_ERROR) { ++ // A connection failure occured, try another address ++ mState = SOCKS_INITIAL; ++ return ConnectToProxy(fd); ++ } ++ ++ // We're still connecting ++ return PR_FAILURE; + } + +- if ((response[0] != 0x00) && (response[0] != 0x04)) { +- // Novell BorderManager sends a response of type 4, should be zero +- // According to the spec. Cope with this brokenness. +- // it's not a SOCKS 4 reply or version 0 of the reply code +- LOGERROR(("Not a SOCKS 4 reply. Expected: 0; received: %x.", response[0])); +- return NS_ERROR_FAILURE; ++ // Connected now, start SOCKS ++ if (mVersion == 4) ++ return WriteV4ConnectRequest(); ++ return WriteV5AuthRequest(); ++} ++ ++PRStatus ++nsSOCKSSocketInfo::WriteV4ConnectRequest() ++{ ++ PRNetAddr *addr = &mDestinationAddr; ++ PRInt32 proxy_resolve; ++ ++ NS_ABORT_IF_FALSE(mState == SOCKS_CONNECTING_TO_PROXY, ++ "Invalid state!"); ++ ++ proxy_resolve = mFlags & nsISocketProvider::PROXY_RESOLVES_HOST; ++ ++ mDataLength = 0; ++ mState = SOCKS4_WRITE_CONNECT_REQUEST; ++ ++ LOGDEBUG(("socks4: sending connection request (socks4a resolve? %s)", ++ proxy_resolve? "yes" : "no")); ++ ++ // Send a SOCKS 4 connect request. ++ WriteUint8(0x04); // version -- 4 ++ WriteUint8(0x01); // command -- connect ++ WriteNetPort(addr); ++ if (proxy_resolve) { ++ // Add the full name, null-terminated, to the request ++ // according to SOCKS 4a. A fake IP address, with the first ++ // four bytes set to 0 and the last byte set to something other ++ // than 0, is used to notify the proxy that this is a SOCKS 4a ++ // request. This request type works for Tor and perhaps others. ++ WriteUint32(PR_htonl(0x00000001)); // Fake IP ++ WriteUint8(0x00); // Send an emtpy username ++ if (mDestinationHost.Length() > MAX_HOSTNAME_LEN) { ++ LOGERROR(("socks4: destination host name is too long!")); ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ WriteString(mDestinationHost); // Hostname ++ WriteUint8(0x00); ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { ++ WriteNetAddr(addr); // Add the IPv4 address ++ WriteUint8(0x00); // Send an emtpy username ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { ++ LOGERROR(("socks: SOCKS 4 can't handle IPv6 addresses!")); ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; + } + +- if (response[1] != 0x5A) { // = 90: request granted +- // connect request not granted +- LOGERROR(("Connection request refused. Expected: 90; received: %d.", response[1])); +- return NS_ERROR_FAILURE; +- } +- +- return NS_OK; +- ++ return PR_SUCCESS; + } + ++PRStatus ++nsSOCKSSocketInfo::ReadV4ConnectResponse() ++{ ++ NS_ABORT_IF_FALSE(mState == SOCKS4_READ_CONNECT_RESPONSE, ++ "Handling SOCKS 4 connection reply in wrong state!"); ++ NS_ABORT_IF_FALSE(mDataLength == 8, ++ "SOCKS 4 connection reply must be 8 bytes!"); ++ ++ LOGDEBUG(("socks4: checking connection reply")); ++ ++ if (ReadUint8() != 0x00) { ++ LOGERROR(("socks4: wrong connection reply")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } ++ ++ // See if our connection request was granted ++ if (ReadUint8() == 90) { ++ LOGDEBUG(("socks4: connection successful!")); ++ HandshakeFinished(); ++ return PR_SUCCESS; ++ } ++ ++ LOGERROR(("socks4: unable to connect")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::WriteV5AuthRequest() ++{ ++ NS_ABORT_IF_FALSE(mVersion == 5, "SOCKS version must be 5!"); ++ ++ mState = SOCKS5_WRITE_AUTH_REQUEST; ++ ++ // Send an initial SOCKS 5 greeting ++ LOGDEBUG(("socks5: sending auth methods")); ++ WriteUint8(0x05); // version -- 5 ++ WriteUint8(0x01); // # auth methods -- 1 ++ WriteUint8(0x00); // we don't support authentication ++ ++ return PR_SUCCESS; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadV5AuthResponse() ++{ ++ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_AUTH_RESPONSE, ++ "Handling SOCKS 5 auth method reply in wrong state!"); ++ NS_ABORT_IF_FALSE(mDataLength == 2, ++ "SOCKS 5 auth method reply must be 2 bytes!"); ++ ++ LOGDEBUG(("socks5: checking auth method reply")); ++ ++ // Check version number ++ if (ReadUint8() != 0x05) { ++ LOGERROR(("socks5: unexpected version in the reply")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } ++ ++ // Make sure our authentication choice was accepted ++ if (ReadUint8() != 0x00) { ++ LOGERROR(("socks5: server did not accept our authentication method")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } ++ ++ return WriteV5ConnectRequest(); ++} ++ ++PRStatus ++nsSOCKSSocketInfo::WriteV5ConnectRequest() ++{ ++ // Send SOCKS 5 connect request ++ PRNetAddr *addr = &mDestinationAddr; ++ PRInt32 proxy_resolve; ++ proxy_resolve = mFlags & nsISocketProvider::PROXY_RESOLVES_HOST; ++ ++ LOGDEBUG(("socks5: sending connection request (socks5 resolve? %s)", ++ proxy_resolve? "yes" : "no")); ++ ++ mDataLength = 0; ++ mState = SOCKS5_WRITE_CONNECT_REQUEST; ++ ++ WriteUint8(0x05); // version -- 5 ++ WriteUint8(0x01); // command -- connect ++ WriteUint8(0x00); // reserved ++ ++ // Add the address to the SOCKS 5 request. SOCKS 5 supports several ++ // address types, so we pick the one that works best for us. ++ if (proxy_resolve) { ++ // Add the host name. Only a single byte is used to store the length, ++ // so we must prevent long names from being used. ++ if (mDestinationHost.Length() > MAX_HOSTNAME_LEN) { ++ LOGERROR(("socks5: destination host name is too long!")); ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ WriteUint8(0x03); // addr type -- domainname ++ WriteUint8(mDestinationHost.Length()); // name length ++ WriteString(mDestinationHost); ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { ++ WriteUint8(0x01); // addr type -- IPv4 ++ WriteNetAddr(addr); ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { ++ WriteUint8(0x04); // addr type -- IPv6 ++ WriteNetAddr(addr); ++ } else { ++ LOGERROR(("socks5: destination address of unknown type!")); ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ ++ WriteNetPort(addr); // port ++ ++ return PR_SUCCESS; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadV5AddrTypeAndLength(PRUint8 *type, PRUint32 *len) ++{ ++ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_TOP || ++ mState == SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, ++ "Invalid state!"); ++ NS_ABORT_IF_FALSE(mDataLength >= 5, ++ "SOCKS 5 connection reply must be at least 5 bytes!"); ++ ++ // Seek to the address location ++ mReadOffset = 3; ++ ++ *type = ReadUint8(); ++ ++ switch (*type) { ++ case 0x01: // ipv4 ++ *len = 4 - 1; ++ break; ++ case 0x04: // ipv6 ++ *len = 16 - 1; ++ break; ++ case 0x03: // fqdn ++ *len = ReadUint8(); ++ break; ++ default: // wrong address type ++ LOGERROR(("socks5: wrong address type in connection reply!")); ++ return PR_FAILURE; ++ } ++ ++ return PR_SUCCESS; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadV5ConnectResponseTop() ++{ ++ PRUint8 res; ++ PRUint32 len; ++ ++ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_TOP, ++ "Invalid state!"); ++ NS_ABORT_IF_FALSE(mDataLength == 5, ++ "SOCKS 5 connection reply must be exactly 5 bytes!"); ++ ++ LOGDEBUG(("socks5: checking connection reply")); ++ ++ // Check version number ++ if (ReadUint8() != 0x05) { ++ LOGERROR(("socks5: unexpected version in the reply")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } ++ ++ // Check response ++ res = ReadUint8(); ++ if (res != 0x00) { ++ PRErrorCode c = PR_CONNECT_REFUSED_ERROR; ++ ++ switch (res) { ++ case 0x01: ++ LOGERROR(("socks5: connect failed: " ++ "01, General SOCKS server failure.")); ++ break; ++ case 0x02: ++ LOGERROR(("socks5: connect failed: " ++ "02, Connection not allowed by ruleset.")); ++ break; ++ case 0x03: ++ LOGERROR(("socks5: connect failed: 03, Network unreachable.")); ++ c = PR_NETWORK_UNREACHABLE_ERROR; ++ break; ++ case 0x04: ++ LOGERROR(("socks5: connect failed: 04, Host unreachable.")); ++ break; ++ case 0x05: ++ LOGERROR(("socks5: connect failed: 05, Connection refused.")); ++ break; ++ case 0x06: ++ LOGERROR(("socks5: connect failed: 06, TTL expired.")); ++ c = PR_CONNECT_TIMEOUT_ERROR; ++ break; ++ case 0x07: ++ LOGERROR(("socks5: connect failed: " ++ "07, Command not supported.")); ++ break; ++ case 0x08: ++ LOGERROR(("socks5: connect failed: " ++ "08, Address type not supported.")); ++ c = PR_BAD_ADDRESS_ERROR; ++ break; ++ default: ++ LOGERROR(("socks5: connect failed.")); ++ break; ++ } ++ ++ HandshakeFinished(c); ++ return PR_FAILURE; ++ } ++ ++ if (ReadV5AddrTypeAndLength(&res, &len) != PR_SUCCESS) { ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ ++ mState = SOCKS5_READ_CONNECT_RESPONSE_BOTTOM; ++ WantRead(len + 2); ++ ++ return PR_SUCCESS; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadV5ConnectResponseBottom() ++{ ++ PRUint8 type; ++ PRUint32 len; ++ ++ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, ++ "Invalid state!"); ++ ++ if (ReadV5AddrTypeAndLength(&type, &len) != PR_SUCCESS) { ++ HandshakeFinished(PR_BAD_ADDRESS_ERROR); ++ return PR_FAILURE; ++ } ++ ++ NS_ABORT_IF_FALSE(mDataLength == 7+len, ++ "SOCKS 5 unexpected length of connection reply!"); ++ ++ LOGDEBUG(("socks5: loading source addr and port")); ++ // Read what the proxy says is our source address ++ switch (type) { ++ case 0x01: // ipv4 ++ ReadNetAddr(&mExternalProxyAddr, PR_AF_INET); ++ break; ++ case 0x04: // ipv6 ++ ReadNetAddr(&mExternalProxyAddr, PR_AF_INET6); ++ break; ++ case 0x03: // fqdn (skip) ++ mReadOffset += len; ++ mExternalProxyAddr.raw.family = PR_AF_INET; ++ break; ++ } ++ ++ ReadNetPort(&mExternalProxyAddr); ++ ++ LOGDEBUG(("socks5: connected!")); ++ HandshakeFinished(); ++ ++ return PR_SUCCESS; ++} ++ ++void ++nsSOCKSSocketInfo::SetConnectTimeout(PRIntervalTime to) ++{ ++ mTimeout = to; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::DoHandshake(PRFileDesc *fd, PRInt16 oflags) ++{ ++ LOGDEBUG(("socks: DoHandshake(), state = %d", mState)); ++ ++ switch (mState) { ++ case SOCKS_INITIAL: ++ return ConnectToProxy(fd); ++ case SOCKS_CONNECTING_TO_PROXY: ++ return ContinueConnectingToProxy(fd, oflags); ++ case SOCKS4_WRITE_CONNECT_REQUEST: ++ if (WriteToSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ WantRead(8); ++ mState = SOCKS4_READ_CONNECT_RESPONSE; ++ return PR_SUCCESS; ++ case SOCKS4_READ_CONNECT_RESPONSE: ++ if (ReadFromSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ return ReadV4ConnectResponse(); ++ ++ case SOCKS5_WRITE_AUTH_REQUEST: ++ if (WriteToSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ WantRead(2); ++ mState = SOCKS5_READ_AUTH_RESPONSE; ++ return PR_SUCCESS; ++ case SOCKS5_READ_AUTH_RESPONSE: ++ if (ReadFromSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ return ReadV5AuthResponse(); ++ case SOCKS5_WRITE_CONNECT_REQUEST: ++ if (WriteToSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ ++ // The SOCKS 5 response to the connection request is variable ++ // length. First, we'll read enough to tell how long the response ++ // is, and will read the rest later. ++ WantRead(5); ++ mState = SOCKS5_READ_CONNECT_RESPONSE_TOP; ++ return PR_SUCCESS; ++ case SOCKS5_READ_CONNECT_RESPONSE_TOP: ++ if (ReadFromSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ return ReadV5ConnectResponseTop(); ++ case SOCKS5_READ_CONNECT_RESPONSE_BOTTOM: ++ if (ReadFromSocket(fd) != PR_SUCCESS) ++ return PR_FAILURE; ++ return ReadV5ConnectResponseBottom(); ++ ++ case SOCKS_CONNECTED: ++ LOGERROR(("socks: already connected")); ++ HandshakeFinished(PR_IS_CONNECTED_ERROR); ++ return PR_FAILURE; ++ case SOCKS_FAILED: ++ LOGERROR(("socks: already failed")); ++ return PR_FAILURE; ++ } ++ ++ LOGERROR(("socks: executing handshake in invalid state, %d", mState)); ++ HandshakeFinished(PR_INVALID_STATE_ERROR); ++ ++ return PR_FAILURE; ++} ++ ++PRInt16 ++nsSOCKSSocketInfo::GetPollFlags() const ++{ ++ switch (mState) { ++ case SOCKS_CONNECTING_TO_PROXY: ++ return PR_POLL_EXCEPT | PR_POLL_WRITE; ++ case SOCKS4_WRITE_CONNECT_REQUEST: ++ case SOCKS5_WRITE_AUTH_REQUEST: ++ case SOCKS5_WRITE_CONNECT_REQUEST: ++ return PR_POLL_WRITE; ++ case SOCKS4_READ_CONNECT_RESPONSE: ++ case SOCKS5_READ_AUTH_RESPONSE: ++ case SOCKS5_READ_CONNECT_RESPONSE_TOP: ++ case SOCKS5_READ_CONNECT_RESPONSE_BOTTOM: ++ return PR_POLL_READ; ++ default: ++ break; ++ } ++ ++ return 0; ++} ++ ++inline void ++nsSOCKSSocketInfo::WriteUint8(PRUint8 v) ++{ ++ NS_ABORT_IF_FALSE(mDataLength + sizeof(v) <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ mData[mDataLength] = v; ++ mDataLength += sizeof(v); ++} ++ ++inline void ++nsSOCKSSocketInfo::WriteUint16(PRUint16 v) ++{ ++ NS_ABORT_IF_FALSE(mDataLength + sizeof(v) <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ memcpy(mData + mDataLength, &v, sizeof(v)); ++ mDataLength += sizeof(v); ++} ++ ++inline void ++nsSOCKSSocketInfo::WriteUint32(PRUint32 v) ++{ ++ NS_ABORT_IF_FALSE(mDataLength + sizeof(v) <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ memcpy(mData + mDataLength, &v, sizeof(v)); ++ mDataLength += sizeof(v); ++} ++ ++void ++nsSOCKSSocketInfo::WriteNetAddr(const PRNetAddr *addr) ++{ ++ const char *ip = NULL; ++ PRUint32 len = 0; ++ ++ if (PR_NetAddrFamily(addr) == PR_AF_INET) { ++ ip = (const char*)&addr->inet.ip; ++ len = sizeof(addr->inet.ip); ++ } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { ++ ip = (const char*)addr->ipv6.ip.pr_s6_addr; ++ len = sizeof(addr->ipv6.ip.pr_s6_addr); ++ } ++ ++ NS_ABORT_IF_FALSE(ip != NULL, "Unknown address"); ++ NS_ABORT_IF_FALSE(mDataLength + len <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ ++ memcpy(mData + mDataLength, ip, len); ++ mDataLength += len; ++} ++ ++void ++nsSOCKSSocketInfo::WriteNetPort(const PRNetAddr *addr) ++{ ++ WriteUint16(PR_NetAddrInetPort(addr)); ++} ++ ++void ++nsSOCKSSocketInfo::WriteString(const nsACString &str) ++{ ++ NS_ABORT_IF_FALSE(mDataLength + str.Length() <= BUFFER_SIZE, ++ "Can't write that much data!"); ++ memcpy(mData + mDataLength, str.Data(), str.Length()); ++ mDataLength += str.Length(); ++} ++ ++inline PRUint8 ++nsSOCKSSocketInfo::ReadUint8() ++{ ++ PRUint8 rv; ++ NS_ABORT_IF_FALSE(mReadOffset + sizeof(rv) <= mDataLength, ++ "Not enough space to pop a uint8!"); ++ rv = mData[mReadOffset]; ++ mReadOffset += sizeof(rv); ++ return rv; ++} ++ ++inline PRUint16 ++nsSOCKSSocketInfo::ReadUint16() ++{ ++ PRUint16 rv; ++ NS_ABORT_IF_FALSE(mReadOffset + sizeof(rv) <= mDataLength, ++ "Not enough space to pop a uint16!"); ++ memcpy(&rv, mData + mReadOffset, sizeof(rv)); ++ mReadOffset += sizeof(rv); ++ return rv; ++} ++ ++inline PRUint32 ++nsSOCKSSocketInfo::ReadUint32() ++{ ++ PRUint32 rv; ++ NS_ABORT_IF_FALSE(mReadOffset + sizeof(rv) <= mDataLength, ++ "Not enough space to pop a uint32!"); ++ memcpy(&rv, mData + mReadOffset, sizeof(rv)); ++ mReadOffset += sizeof(rv); ++ return rv; ++} ++ ++void ++nsSOCKSSocketInfo::ReadNetAddr(PRNetAddr *addr, PRUint16 fam) ++{ ++ PRUint32 amt; ++ const PRUint8 *ip = mData + mReadOffset; ++ ++ addr->raw.family = fam; ++ if (fam == PR_AF_INET) { ++ amt = sizeof(addr->inet.ip); ++ NS_ABORT_IF_FALSE(mReadOffset + amt <= mDataLength, ++ "Not enough space to pop an ipv4 addr!"); ++ memcpy(&addr->inet.ip, ip, amt); ++ } else if (fam == PR_AF_INET6) { ++ amt = sizeof(addr->ipv6.ip.pr_s6_addr); ++ NS_ABORT_IF_FALSE(mReadOffset + amt <= mDataLength, ++ "Not enough space to pop an ipv6 addr!"); ++ memcpy(addr->ipv6.ip.pr_s6_addr, ip, amt); ++ } ++ ++ mReadOffset += amt; ++} ++ ++void ++nsSOCKSSocketInfo::ReadNetPort(PRNetAddr *addr) ++{ ++ addr->inet.port = ReadUint16(); ++} ++ ++void ++nsSOCKSSocketInfo::WantRead(PRUint32 sz) ++{ ++ NS_ABORT_IF_FALSE(mDataIoPtr == NULL, ++ "WantRead() called while I/O already in progress!"); ++ NS_ABORT_IF_FALSE(mDataLength + sz <= BUFFER_SIZE, ++ "Can't read that much data!"); ++ mAmountToRead = sz; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::ReadFromSocket(PRFileDesc *fd) ++{ ++ PRInt32 rc; ++ const PRUint8 *end; ++ ++ if (!mAmountToRead) { ++ LOGDEBUG(("socks: ReadFromSocket(), nothing to do")); ++ return PR_SUCCESS; ++ } ++ ++ if (!mDataIoPtr) { ++ mDataIoPtr = mData + mDataLength; ++ mDataLength += mAmountToRead; ++ } ++ ++ end = mData + mDataLength; ++ ++ while (mDataIoPtr < end) { ++ rc = PR_Read(fd, mDataIoPtr, end - mDataIoPtr); ++ if (rc <= 0) { ++ if (rc == 0) { ++ LOGERROR(("socks: proxy server closed connection")); ++ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); ++ return PR_FAILURE; ++ } else if (PR_GetError() == PR_WOULD_BLOCK_ERROR) { ++ LOGDEBUG(("socks: ReadFromSocket(), want read")); ++ } ++ break; ++ } ++ ++ mDataIoPtr += rc; ++ } ++ ++ LOGDEBUG(("socks: ReadFromSocket(), have %u bytes total", ++ unsigned(mDataIoPtr - mData))); ++ if (mDataIoPtr == end) { ++ mDataIoPtr = nsnull; ++ mAmountToRead = 0; ++ mReadOffset = 0; ++ return PR_SUCCESS; ++ } ++ ++ return PR_FAILURE; ++} ++ ++PRStatus ++nsSOCKSSocketInfo::WriteToSocket(PRFileDesc *fd) ++{ ++ PRInt32 rc; ++ const PRUint8 *end; ++ ++ if (!mDataLength) { ++ LOGDEBUG(("socks: WriteToSocket(), nothing to do")); ++ return PR_SUCCESS; ++ } ++ ++ if (!mDataIoPtr) ++ mDataIoPtr = mData; ++ ++ end = mData + mDataLength; ++ ++ while (mDataIoPtr < end) { ++ rc = PR_Write(fd, mDataIoPtr, end - mDataIoPtr); ++ if (rc < 0) { ++ if (PR_GetError() == PR_WOULD_BLOCK_ERROR) { ++ LOGDEBUG(("socks: WriteToSocket(), want write")); ++ } ++ break; ++ } ++ ++ mDataIoPtr += rc; ++ } ++ ++ if (mDataIoPtr == end) { ++ mDataIoPtr = nsnull; ++ mDataLength = 0; ++ mReadOffset = 0; ++ return PR_SUCCESS; ++ } ++ ++ return PR_FAILURE; ++} + + static PRStatus +-nsSOCKSIOLayerConnect(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime /*timeout*/) ++nsSOCKSIOLayerConnect(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime to) + { ++ PRStatus status; ++ PRNetAddr dst; + ++ nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; ++ if (info == NULL) return PR_FAILURE; ++ ++ if (PR_NetAddrFamily(addr) == PR_AF_INET6 && ++ PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { ++ const PRUint8 *srcp; ++ ++ LOGDEBUG(("socks: converting ipv4-mapped ipv6 address to ipv4")); ++ ++ // copied from _PR_ConvertToIpv4NetAddr() ++ PR_InitializeNetAddr(PR_IpAddrAny, 0, &dst); ++ srcp = addr->ipv6.ip.pr_s6_addr; ++ memcpy(&dst.inet.ip, srcp + 12, 4); ++ dst.inet.family = PR_AF_INET; ++ dst.inet.port = addr->ipv6.port; ++ } else { ++ memcpy(&dst, addr, sizeof(dst)); ++ } ++ ++ info->SetDestinationAddr(&dst); ++ info->SetConnectTimeout(to); ++ ++ do { ++ status = info->DoHandshake(fd, -1); ++ } while (status == PR_SUCCESS && !info->IsConnected()); ++ ++ return status; ++} ++ ++static PRStatus ++nsSOCKSIOLayerConnectContinue(PRFileDesc *fd, PRInt16 oflags) ++{ + PRStatus status; + + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + if (info == NULL) return PR_FAILURE; + +- // First, we need to look up our proxy... +- const nsCString &proxyHost = info->ProxyHost(); ++ do { ++ status = info->DoHandshake(fd, oflags); ++ } while (status == PR_SUCCESS && !info->IsConnected()); + +- if (proxyHost.IsEmpty()) +- return PR_FAILURE; ++ return status; ++} + +- PRInt32 socksVersion = info->Version(); ++static PRInt16 ++nsSOCKSIOLayerPoll(PRFileDesc *fd, PRInt16 in_flags, PRInt16 *out_flags) ++{ ++ nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; ++ if (info == NULL) return PR_FAILURE; + +- LOGDEBUG(("nsSOCKSIOLayerConnect SOCKS %u; proxyHost: %s.", socksVersion, proxyHost.get())); +- +- // Sync resolve the proxy hostname. +- PRNetAddr proxyAddr; +- nsCOMPtr<nsIDNSRecord> rec; +- nsresult rv; +- { +- nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID); +- if (!dns) +- return PR_FAILURE; +- +- rv = dns->Resolve(proxyHost, 0, getter_AddRefs(rec)); +- if (NS_FAILED(rv)) +- return PR_FAILURE; ++ if (!info->IsConnected()) { ++ *out_flags = 0; ++ return info->GetPollFlags(); + } + +- info->SetInternalProxyAddr(&proxyAddr); +- +- // For now, we'll do this as a blocking connect, +- // but with nspr 4.1, the necessary functions to +- // do a non-blocking connect will be available +- +- // Preserve the non-blocking state of the socket +- PRBool nonblocking; +- PRSocketOptionData sockopt; +- sockopt.option = PR_SockOpt_Nonblocking; +- status = PR_GetSocketOption(fd, &sockopt); +- +- if (PR_SUCCESS != status) { +- LOGERROR(("PR_GetSocketOption() failed. status = %x.", status)); +- return status; +- } +- +- // Store blocking option +- nonblocking = sockopt.value.non_blocking; +- +- sockopt.option = PR_SockOpt_Nonblocking; +- sockopt.value.non_blocking = PR_FALSE; +- status = PR_SetSocketOption(fd, &sockopt); +- +- if (PR_SUCCESS != status) { +- LOGERROR(("PR_SetSocketOption() failed. status = %x.", status)); +- return status; +- } +- +- // Now setup sockopts, so we can restore the value later. +- sockopt.option = PR_SockOpt_Nonblocking; +- sockopt.value.non_blocking = nonblocking; +- +- // This connectWait should be long enough to connect to local proxy +- // servers, but not much longer. Since this protocol negotiation +- // uses blocking network calls, the app can appear to hang for a maximum +- // of this time if the user presses the STOP button during the SOCKS +- // connection negotiation. Note that this value only applies to the +- // connecting to the SOCKS server: once the SOCKS connection has been +- // established, the value is not used anywhere else. +- PRIntervalTime connectWait = PR_SecondsToInterval(10); +- +- // Connect to the proxy server. +- PRInt32 addresses = 0; +- do { +- rv = rec->GetNextAddr(info->ProxyPort(), &proxyAddr); +- if (NS_FAILED(rv)) { +- status = PR_FAILURE; +- break; +- } +- ++addresses; +- status = fd->lower->methods->connect(fd->lower, &proxyAddr, connectWait); +- } while (PR_SUCCESS != status); +- +- if (PR_SUCCESS != status) { +- LOGERROR(("Failed to TCP connect to the proxy server (%s): timeout = %d, status = %x, tried %d addresses.", proxyHost.get(), connectWait, status, addresses)); +- PR_SetSocketOption(fd, &sockopt); +- return status; +- } +- +- +- // We are now connected to the SOCKS proxy server. +- // Now we will negotiate a connection to the desired server. +- +- // External IP address returned from ConnectSOCKS5(). Not supported in SOCKS4. +- PRNetAddr extAddr; +- PR_InitializeNetAddr(PR_IpAddrNull, 0, &extAddr); +- +- NS_ASSERTION((socksVersion == 4) || (socksVersion == 5), "SOCKS Version must be selected"); +- +- // Try to connect via SOCKS 5. +- if (socksVersion == 5) { +- rv = ConnectSOCKS5(fd, addr, &extAddr, connectWait); +- +- if (NS_FAILED(rv)) { +- PR_SetSocketOption(fd, &sockopt); +- return PR_FAILURE; +- } +- +- } +- +- // Try to connect via SOCKS 4. +- else { +- rv = ConnectSOCKS4(fd, addr, connectWait); +- +- if (NS_FAILED(rv)) { +- PR_SetSocketOption(fd, &sockopt); +- return PR_FAILURE; +- } +- +- } +- +- +- info->SetDestinationAddr((PRNetAddr*)addr); +- info->SetExternalProxyAddr(&extAddr); +- +- // restore non-blocking option +- PR_SetSocketOption(fd, &sockopt); +- +- // we're set-up and connected. +- // this socket can be used as normal now. +- +- return PR_SUCCESS; ++ return fd->lower->methods->poll(fd->lower, in_flags, out_flags); + } + + static PRStatus + nsSOCKSIOLayerClose(PRFileDesc *fd) + { + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + PRDescIdentity id = PR_GetLayersIdentity(fd); + +@@ -880,16 +1115,18 @@ nsSOCKSIOLayerAddToSocket(PRInt32 family + + + if (firstTime) + { + nsSOCKSIOLayerIdentity = PR_GetUniqueIdentity("SOCKS layer"); + nsSOCKSIOLayerMethods = *PR_GetDefaultIOMethods(); + + nsSOCKSIOLayerMethods.connect = nsSOCKSIOLayerConnect; ++ nsSOCKSIOLayerMethods.connectcontinue = nsSOCKSIOLayerConnectContinue; ++ nsSOCKSIOLayerMethods.poll = nsSOCKSIOLayerPoll; + nsSOCKSIOLayerMethods.bind = nsSOCKSIOLayerBind; + nsSOCKSIOLayerMethods.acceptread = nsSOCKSIOLayerAcceptRead; + nsSOCKSIOLayerMethods.getsockname = nsSOCKSIOLayerGetName; + nsSOCKSIOLayerMethods.getpeername = nsSOCKSIOLayerGetPeerName; + nsSOCKSIOLayerMethods.accept = nsSOCKSIOLayerAccept; + nsSOCKSIOLayerMethods.listen = nsSOCKSIOLayerListen; + nsSOCKSIOLayerMethods.close = nsSOCKSIOLayerClose; + diff --git a/src/current-patches/non-blocking-socks-firefox-4.0.patch b/src/current-patches/non-blocking-socks-firefox-4.0.patch deleted file mode 100644 index cf5aeae..0000000 --- a/src/current-patches/non-blocking-socks-firefox-4.0.patch +++ /dev/null @@ -1,1637 +0,0 @@ ---- a/netwerk/base/src/nsSocketTransport2.cpp -+++ a/netwerk/base/src/nsSocketTransport2.cpp -@@ -1222,16 +1222,26 @@ nsSocketTransport::InitiateSocket() - // connection... wouldn't we need to call ProxyStartSSL after a call - // to PR_ConnectContinue indicates that we are connected? - // - // XXX this appears to be what the old socket transport did. why - // isn't this broken? - } - } - // -+ // A SOCKS request was rejected; get the actual error code from -+ // the OS error -+ // -+ else if (PR_UNKNOWN_ERROR == code && -+ mProxyTransparent && -+ !mProxyHost.IsEmpty()) { -+ code = PR_GetOSError(); -+ rv = ErrorAccordingToNSPR(code); -+ } -+ // - // The connection was refused... - // - else { - rv = ErrorAccordingToNSPR(code); - if ((rv == NS_ERROR_CONNECTION_REFUSED) && !mProxyHost.IsEmpty()) - rv = NS_ERROR_PROXY_CONNECTION_REFUSED; - } - } -@@ -1544,17 +1554,26 @@ nsSocketTransport::OnSocketReady(PRFileD - // - // If the connect is still not ready, then continue polling... - // - if ((PR_WOULD_BLOCK_ERROR == code) || (PR_IN_PROGRESS_ERROR == code)) { - // Set up the select flags for connect... - mPollFlags = (PR_POLL_EXCEPT | PR_POLL_WRITE); - // Update poll timeout in case it was changed - mPollTimeout = mTimeouts[TIMEOUT_CONNECT]; -- } -+ } -+ // -+ // The SOCKS proxy rejected our request. Find out why. -+ // -+ else if (PR_UNKNOWN_ERROR == code && -+ mProxyTransparent && -+ !mProxyHost.IsEmpty()) { -+ code = PR_GetOSError(); -+ mCondition = ErrorAccordingToNSPR(code); -+ } - else { - // - // else, the connection failed... - // - mCondition = ErrorAccordingToNSPR(code); - if ((mCondition == NS_ERROR_CONNECTION_REFUSED) && !mProxyHost.IsEmpty()) - mCondition = NS_ERROR_PROXY_CONNECTION_REFUSED; - SOCKET_LOG((" connection failed! [reason=%x]\n", mCondition)); ---- a/netwerk/socket/nsSOCKSIOLayer.cpp -+++ a/netwerk/socket/nsSOCKSIOLayer.cpp -@@ -20,16 +20,17 @@ - * Portions created by the Initial Developer are Copyright (C) 1998 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Justin Bradford <jab(a)atdot.org> - * Bradley Baetz <bbaetz(a)acm.org> - * Darin Fisher <darin(a)meer.net> - * Malcolm Smith <malsmith(a)cs.rmit.edu.au> -+ * Christopher Davis <chrisd(a)torproject.org> - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your -@@ -63,51 +64,115 @@ static PRLogModuleInfo *gSOCKSLog; - - #else - #define LOGDEBUG(args) - #define LOGERROR(args) - #endif - - class nsSOCKSSocketInfo : public nsISOCKSSocketInfo - { -+ enum State { -+ SOCKS_INITIAL, -+ SOCKS_CONNECTING_TO_PROXY, -+ SOCKS4_WRITE_CONNECT_REQUEST, -+ SOCKS4_READ_CONNECT_RESPONSE, -+ SOCKS5_WRITE_AUTH_REQUEST, -+ SOCKS5_READ_AUTH_RESPONSE, -+ SOCKS5_WRITE_CONNECT_REQUEST, -+ SOCKS5_READ_CONNECT_RESPONSE_TOP, -+ SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, -+ SOCKS_CONNECTED, -+ SOCKS_FAILED -+ }; -+ -+ // A buffer of 262 bytes should be enough for any request and response -+ // in case of SOCKS4 as well as SOCKS5 -+ static const PRUint32 BUFFER_SIZE = 262; -+ static const PRUint32 MAX_HOSTNAME_LEN = 255; -+ - public: - nsSOCKSSocketInfo(); -- virtual ~nsSOCKSSocketInfo() {} -+ virtual ~nsSOCKSSocketInfo() { HandshakeFinished(); } - - NS_DECL_ISUPPORTS - NS_DECL_NSISOCKSSOCKETINFO - - void Init(PRInt32 version, - const char *proxyHost, - PRInt32 proxyPort, - const char *destinationHost, - PRUint32 flags); - -- const nsCString &DestinationHost() { return mDestinationHost; } -- const nsCString &ProxyHost() { return mProxyHost; } -- PRInt32 ProxyPort() { return mProxyPort; } -- PRInt32 Version() { return mVersion; } -- PRUint32 Flags() { return mFlags; } -+ void SetConnectTimeout(PRIntervalTime to); -+ PRStatus DoHandshake(PRFileDesc *fd, PRInt16 oflags = -1); -+ PRInt16 GetPollFlags() const; -+ bool IsConnected() const { return mState == SOCKS_CONNECTED; } - - private: -+ void HandshakeFinished(PRErrorCode err = 0); -+ PRStatus ConnectToProxy(PRFileDesc *fd); -+ PRStatus ContinueConnectingToProxy(PRFileDesc *fd, PRInt16 oflags); -+ PRStatus WriteV4ConnectRequest(); -+ PRStatus ReadV4ConnectResponse(); -+ PRStatus WriteV5AuthRequest(); -+ PRStatus ReadV5AuthResponse(); -+ PRStatus WriteV5ConnectRequest(); -+ PRStatus ReadV5AddrTypeAndLength(PRUint8 *type, PRUint32 *len); -+ PRStatus ReadV5ConnectResponseTop(); -+ PRStatus ReadV5ConnectResponseBottom(); -+ -+ void WriteUint8(PRUint8 d); -+ void WriteUint16(PRUint16 d); -+ void WriteUint32(PRUint32 d); -+ void WriteNetAddr(const PRNetAddr *addr); -+ void WriteNetPort(const PRNetAddr *addr); -+ void WriteString(const nsACString &str); -+ -+ PRUint8 ReadUint8(); -+ PRUint16 ReadUint16(); -+ PRUint32 ReadUint32(); -+ void ReadNetAddr(PRNetAddr *addr, PRUint16 fam); -+ void ReadNetPort(PRNetAddr *addr); -+ -+ void WantRead(PRUint32 sz); -+ PRStatus ReadFromSocket(PRFileDesc *fd); -+ PRStatus WriteToSocket(PRFileDesc *fd); -+ -+private: -+ State mState; -+ PRUint8 * mData; -+ PRUint8 * mDataIoPtr; -+ PRUint32 mDataLength; -+ PRUint32 mReadOffset; -+ PRUint32 mAmountToRead; -+ nsCOMPtr<nsIDNSRecord> mDnsRec; -+ - nsCString mDestinationHost; - nsCString mProxyHost; - PRInt32 mProxyPort; - PRInt32 mVersion; // SOCKS version 4 or 5 - PRUint32 mFlags; - PRNetAddr mInternalProxyAddr; - PRNetAddr mExternalProxyAddr; - PRNetAddr mDestinationAddr; -+ PRIntervalTime mTimeout; - }; - - nsSOCKSSocketInfo::nsSOCKSSocketInfo() -- : mProxyPort(-1) -+ : mState(SOCKS_INITIAL) -+ , mDataIoPtr(nsnull) -+ , mDataLength(0) -+ , mReadOffset(0) -+ , mAmountToRead(0) -+ , mProxyPort(-1) - , mVersion(-1) - , mFlags(0) -+ , mTimeout(PR_INTERVAL_NO_TIMEOUT) - { -+ mData = new PRUint8[BUFFER_SIZE]; - PR_InitializeNetAddr(PR_IpAddrAny, 0, &mInternalProxyAddr); - PR_InitializeNetAddr(PR_IpAddrAny, 0, &mExternalProxyAddr); - PR_InitializeNetAddr(PR_IpAddrAny, 0, &mDestinationAddr); - } - - void - nsSOCKSSocketInfo::Init(PRInt32 version, const char *proxyHost, PRInt32 proxyPort, const char *host, PRUint32 flags) - { -@@ -157,647 +222,817 @@ nsSOCKSSocketInfo::GetInternalProxyAddr( - - NS_IMETHODIMP - nsSOCKSSocketInfo::SetInternalProxyAddr(PRNetAddr *aInternalProxyAddr) - { - memcpy(&mInternalProxyAddr, aInternalProxyAddr, sizeof(PRNetAddr)); - return NS_OK; - } - --static PRInt32 --pr_RecvAll(PRFileDesc *fd, unsigned char *buf, PRInt32 amount, PRIntn flags, -- PRIntervalTime *timeout) -+// There needs to be a means of distinguishing between connection errors -+// that the SOCKS server reports when it rejects a connection request, and -+// connection errors that happen while attempting to connect to the SOCKS -+// server. Otherwise, Firefox will report incorrectly that the proxy server -+// is refusing connections when a SOCKS request is rejected by the proxy. -+// When a SOCKS handshake failure occurs, the PR error is set to -+// PR_UNKNOWN_ERROR, and the real error code is returned via the OS error. -+void -+nsSOCKSSocketInfo::HandshakeFinished(PRErrorCode err) - { -- PRInt32 bytesRead = 0; -- PRInt32 offset = 0; -+ if (err == 0) { -+ mState = SOCKS_CONNECTED; -+ } else { -+ mState = SOCKS_FAILED; -+ PR_SetError(PR_UNKNOWN_ERROR, err); -+ } - -- while (offset < amount) { -- PRIntervalTime start_time = PR_IntervalNow(); -- bytesRead = PR_Recv(fd, buf + offset, amount - offset, flags, *timeout); -- PRIntervalTime elapsed = PR_IntervalNow() - start_time; -- -- if (elapsed > *timeout) { -- *timeout = 0; -- } else { -- *timeout -= elapsed; -- } -- -- if (bytesRead > 0) { -- offset += bytesRead; -- } else if (bytesRead == 0 || offset != 0) { -- return offset; -- } else { -- return bytesRead; -- } -- -- if (*timeout == 0) { -- LOGERROR(("PR_Recv() timed out. amount = %d. offset = %d.", -- amount, offset)); -- return offset; -- } -- } -- return offset; -+ // We don't need the buffer any longer, so free it. -+ delete [] mData; -+ mData = nsnull; -+ mDataIoPtr = nsnull; -+ mDataLength = 0; -+ mReadOffset = 0; -+ mAmountToRead = 0; - } - --static PRInt32 --pr_Send(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags, -- PRIntervalTime *timeout) -+PRStatus -+nsSOCKSSocketInfo::ConnectToProxy(PRFileDesc *fd) - { -- PRIntervalTime start_time = PR_IntervalNow(); -- PRInt32 retval = PR_Send(fd, buf, amount, flags, *timeout); -- PRIntervalTime elapsed = PR_IntervalNow() - start_time; -+ PRStatus status; -+ nsresult rv; - -- if (elapsed > *timeout) { -- *timeout = 0; -- LOGERROR(("PR_Send() timed out. amount = %d. retval = %d.", -- amount, retval)); -- return retval; -- } else { -- *timeout -= elapsed; -- } -+ NS_ABORT_IF_FALSE(mState == SOCKS_INITIAL, -+ "Must be in initial state to make connection!"); - -- if (retval <= 0) { -- LOGERROR(("PR_Send() failed. amount = %d. retval = %d.", -- amount, retval)); -- } -+ // If we haven't performed the DNS lookup, do that now. -+ if (!mDnsRec) { -+ nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID); -+ if (!dns) -+ return PR_FAILURE; - -- return retval; --} -- --// Negotiate a SOCKS 5 connection. Assumes the TCP connection to the socks --// server port has been established. --static nsresult --ConnectSOCKS5(PRFileDesc *fd, const PRNetAddr *addr, PRNetAddr *extAddr, PRIntervalTime timeout) --{ -- int request_len = 0; -- int response_len = 0; -- int desired_len = 0; -- unsigned char request[22]; -- unsigned char response[262]; -- -- NS_ENSURE_TRUE(fd, NS_ERROR_NOT_INITIALIZED); -- NS_ENSURE_TRUE(addr, NS_ERROR_NOT_INITIALIZED); -- NS_ENSURE_TRUE(extAddr, NS_ERROR_NOT_INITIALIZED); -- -- request[0] = 0x05; // SOCKS version 5 -- request[1] = 0x01; // number of auth procotols we recognize -- // auth protocols -- request[2] = 0x00; // no authentication required -- // compliant implementations MUST implement GSSAPI -- // and SHOULD implement username/password and MAY -- // implement CHAP -- // TODO: we don't implement these -- //request[3] = 0x01; // GSSAPI -- //request[4] = 0x02; // username/password -- //request[5] = 0x03; // CHAP -- -- request_len = 2 + request[1]; -- int write_len = pr_Send(fd, request, request_len, 0, &timeout); -- if (write_len != request_len) { -- return NS_ERROR_FAILURE; -- } -- -- // get the server's response. -- desired_len = 2; -- response_len = pr_RecvAll(fd, response, desired_len, 0, &timeout); -- -- if (response_len < desired_len) { -- LOGERROR(("pr_RecvAll() failed. response_len = %d.", response_len)); -- return NS_ERROR_FAILURE; -- } -- -- if (response[0] != 0x05) { -- // it's a either not SOCKS or not our version -- LOGERROR(("Not a SOCKS 5 reply. Expected: 5; received: %x", response[0])); -- return NS_ERROR_FAILURE; -- } -- switch (response[1]) { -- case 0x00: -- // no auth -- break; -- case 0x01: -- // GSSAPI -- // TODO: implement -- LOGERROR(("Server want to use GSSAPI to authenticate, but we don't support it.")); -- return NS_ERROR_FAILURE; -- case 0x02: -- // username/password -- // TODO: implement -- LOGERROR(("Server want to use username/password to authenticate, but we don't support it.")); -- return NS_ERROR_FAILURE; -- case 0x03: -- // CHAP -- // TODO: implement? -- LOGERROR(("Server want to use CHAP to authenticate, but we don't support it.")); -- return NS_ERROR_FAILURE; -- default: -- // unrecognized auth method -- LOGERROR(("Uncrecognized authentication method received: %x", response[1])); -- return NS_ERROR_FAILURE; -- } -- -- // we are now authenticated, so lets tell -- // the server where to connect to -- -- request_len = 0; -- -- request[0] = 0x05; // SOCKS version 5 -- request[1] = 0x01; // CONNECT command -- request[2] = 0x00; // obligatory reserved field (perfect for MS tampering!) -- -- // get destination port -- PRInt32 destPort = PR_ntohs(PR_NetAddrInetPort(addr)); -- nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; -- -- if (info->Flags() & nsISocketProvider::PROXY_RESOLVES_HOST) { -- -- LOGDEBUG(("using server to resolve hostnames rather than resolving it first\n")); -- -- // if the PROXY_RESOLVES_HOST flag is set, we assume -- // that the transport wants us to pass the SOCKS server the -- // hostname and port and let it do the name resolution. -- -- // the real destination hostname and port was stored -- // in our info object earlier when this layer was created. -- -- const nsCString& destHost = info->DestinationHost(); -- -- LOGDEBUG(("host:port -> %s:%li", destHost.get(), destPort)); -- -- request[3] = 0x03; // encoding of destination address (3 == hostname) -- -- int host_len = destHost.Length(); -- if (host_len > 255) { -- // SOCKS5 transmits the length of the hostname in a single char. -- // This gives us an absolute limit of 255 chars in a hostname, and -- // there's nothing we can do to extend it. I don't think many -- // hostnames will ever be bigger than this, so hopefully it's an -- // uneventful abort condition. -- LOGERROR (("Hostname too big for SOCKS5.")); -- return NS_ERROR_INVALID_ARG; -- } -- request[4] = (char) host_len; -- request_len = 5; -- -- // Send the initial header first... -- write_len = pr_Send(fd, request, request_len, 0, &timeout); -- if (write_len != request_len) { -- // bad write -- return NS_ERROR_FAILURE; -- } -- -- // Now send the hostname... -- write_len = pr_Send(fd, destHost.get(), host_len, 0, &timeout); -- if (write_len != host_len) { -- // bad write -- return NS_ERROR_FAILURE; -- } -- -- // There's no data left because we just sent it. -- request_len = 0; -- -- } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { -- -- request[3] = 0x01; // encoding of destination address (1 == IPv4) -- request_len = 8; // 4 for address, 4 SOCKS headers -- -- char * ip = (char*)(&addr->inet.ip); -- request[4] = *ip++; -- request[5] = *ip++; -- request[6] = *ip++; -- request[7] = *ip++; -- -- } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { -- -- request[3] = 0x04; // encoding of destination address (4 == IPv6) -- request_len = 20; // 16 for address, 4 SOCKS headers -- -- char * ip = (char*)(&addr->ipv6.ip.pr_s6_addr); -- request[4] = *ip++; request[5] = *ip++; -- request[6] = *ip++; request[7] = *ip++; -- request[8] = *ip++; request[9] = *ip++; -- request[10] = *ip++; request[11] = *ip++; -- request[12] = *ip++; request[13] = *ip++; -- request[14] = *ip++; request[15] = *ip++; -- request[16] = *ip++; request[17] = *ip++; -- request[18] = *ip++; request[19] = *ip++; -- -- // we're going to test to see if this address can -- // be mapped back into IPv4 without loss. if so, -- // we'll use IPv4 instead, as reliable SOCKS server -- // support for IPv6 is probably questionable. -- -- if (PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { -- request[3] = 0x01; // ipv4 encoding -- request[4] = request[16]; -- request[5] = request[17]; -- request[6] = request[18]; -- request[7] = request[19]; -- request_len -= 12; -- } -- } else { -- // Unknown address type -- LOGERROR(("Don't know what kind of IP address this is.")); -- return NS_ERROR_FAILURE; -- } -- -- // add the destination port to the request -- request[request_len] = (unsigned char)(destPort >> 8); -- request[request_len+1] = (unsigned char)destPort; -- request_len += 2; -- -- write_len = pr_Send(fd, request, request_len, 0, &timeout); -- if (write_len != request_len) { -- // bad write -- return NS_ERROR_FAILURE; -- } -- -- desired_len = 5; -- response_len = pr_RecvAll(fd, response, desired_len, 0, &timeout); -- if (response_len < desired_len) { // bad read -- LOGERROR(("pr_RecvAll() failed getting connect command reply. response_len = %d.", response_len)); -- return NS_ERROR_FAILURE; -- } -- -- if (response[0] != 0x05) { -- // bad response -- LOGERROR(("Not a SOCKS 5 reply. Expected: 5; received: %x", response[0])); -- return NS_ERROR_FAILURE; -- } -- -- switch(response[1]) { -- case 0x00: break; // success -- case 0x01: LOGERROR(("SOCKS 5 server rejected connect request: 01, General SOCKS server failure.")); -- return NS_ERROR_FAILURE; -- case 0x02: LOGERROR(("SOCKS 5 server rejected connect request: 02, Connection not allowed by ruleset.")); -- return NS_ERROR_FAILURE; -- case 0x03: LOGERROR(("SOCKS 5 server rejected connect request: 03, Network unreachable.")); -- return NS_ERROR_FAILURE; -- case 0x04: LOGERROR(("SOCKS 5 server rejected connect request: 04, Host unreachable.")); -- return NS_ERROR_FAILURE; -- case 0x05: LOGERROR(("SOCKS 5 server rejected connect request: 05, Connection refused.")); -- return NS_ERROR_FAILURE; -- case 0x06: LOGERROR(("SOCKS 5 server rejected connect request: 06, TTL expired.")); -- return NS_ERROR_FAILURE; -- case 0x07: LOGERROR(("SOCKS 5 server rejected connect request: 07, Command not supported.")); -- return NS_ERROR_FAILURE; -- case 0x08: LOGERROR(("SOCKS 5 server rejected connect request: 08, Address type not supported.")); -- return NS_ERROR_FAILURE; -- default: LOGERROR(("SOCKS 5 server rejected connect request: %x.", response[1])); -- return NS_ERROR_FAILURE; -- -- -- } -- -- switch (response[3]) { -- case 0x01: // IPv4 -- desired_len = 4 + 2 - 1; -- break; -- case 0x03: // FQDN -- desired_len = response[4] + 2; -- break; -- case 0x04: // IPv6 -- desired_len = 16 + 2 - 1; -- break; -- default: // unknown format -- return NS_ERROR_FAILURE; -- break; -- } -- response_len = pr_RecvAll(fd, response + 5, desired_len, 0, &timeout); -- if (response_len < desired_len) { // bad read -- LOGERROR(("pr_RecvAll() failed getting connect command reply. response_len = %d.", response_len)); -- return NS_ERROR_FAILURE; -- } -- response_len += 5; -- -- // get external bound address (this is what -- // the outside world sees as "us") -- char *ip = nsnull; -- PRUint16 extPort = 0; -- -- switch (response[3]) { -- case 0x01: // IPv4 -- -- extPort = (response[8] << 8) | response[9]; -- -- PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET, extPort, extAddr); -- -- ip = (char*)(&extAddr->inet.ip); -- *ip++ = response[4]; -- *ip++ = response[5]; -- *ip++ = response[6]; -- *ip++ = response[7]; -- -- break; -- case 0x04: // IPv6 -- -- extPort = (response[20] << 8) | response[21]; -- -- PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, extPort, extAddr); -- -- ip = (char*)(&extAddr->ipv6.ip.pr_s6_addr); -- *ip++ = response[4]; *ip++ = response[5]; -- *ip++ = response[6]; *ip++ = response[7]; -- *ip++ = response[8]; *ip++ = response[9]; -- *ip++ = response[10]; *ip++ = response[11]; -- *ip++ = response[12]; *ip++ = response[13]; -- *ip++ = response[14]; *ip++ = response[15]; -- *ip++ = response[16]; *ip++ = response[17]; -- *ip++ = response[18]; *ip++ = response[19]; -- -- break; -- case 0x03: // FQDN -- // if we get here, we don't know our external address. -- // however, as that's possibly not critical to the user, -- // we let it slide. -- extPort = (response[response_len - 2] << 8) | -- response[response_len - 1]; -- PR_InitializeNetAddr(PR_IpAddrNull, extPort, extAddr); -- break; -- } -- return NS_OK; --} -- --// Negotiate a SOCKS 4 connection. Assumes the TCP connection to the socks --// server port has been established. --static nsresult --ConnectSOCKS4(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime timeout) --{ -- int request_len = 0; -- int write_len; -- int response_len = 0; -- int desired_len = 0; -- char *ip = nsnull; -- unsigned char request[12]; -- unsigned char response[10]; -- -- NS_ENSURE_TRUE(fd, NS_ERROR_NOT_INITIALIZED); -- NS_ENSURE_TRUE(addr, NS_ERROR_NOT_INITIALIZED); -- -- request[0] = 0x04; // SOCKS version 4 -- request[1] = 0x01; // CD command code -- 1 for connect -- -- // destination port -- PRInt32 destPort = PR_ntohs(PR_NetAddrInetPort(addr)); -- -- // store the port -- request[2] = (unsigned char)(destPort >> 8); -- request[3] = (unsigned char)destPort; -- -- // username -- request[8] = 'M'; -- request[9] = 'O'; -- request[10] = 'Z'; -- -- request[11] = 0x00; -- -- request_len = 12; -- -- nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; -- -- if (info->Flags() & nsISocketProvider::PROXY_RESOLVES_HOST) { -- -- LOGDEBUG(("using server to resolve hostnames rather than resolving it first\n")); -- -- // if the PROXY_RESOLVES_HOST flag is set, we assume that the -- // transport wants us to pass the SOCKS server the hostname -- // and port and let it do the name resolution. -- -- // an extension to SOCKS 4, called 4a, specifies a way -- // to do this, so we'll try that and hope the -- // server supports it. -- -- // the real destination hostname and port was stored -- // in our info object earlier when this layer was created. -- -- const nsCString& destHost = info->DestinationHost(); -- -- LOGDEBUG(("host:port -> %s:%li\n", destHost.get(), destPort)); -- -- // the IP portion of the query is set to this special address. -- request[4] = 0; -- request[5] = 0; -- request[6] = 0; -- request[7] = 1; -- -- write_len = pr_Send(fd, request, request_len, 0, &timeout); -- if (write_len != request_len) { -- return NS_ERROR_FAILURE; -- } -- -- // Remember the NULL. -- int host_len = destHost.Length() + 1; -- -- write_len = pr_Send(fd, destHost.get(), host_len, 0, &timeout); -- if (write_len != host_len) { -- return NS_ERROR_FAILURE; -- } -- -- // No data to send, just sent it. -- request_len = 0; -- -- } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { // IPv4 -- -- // store the ip -- ip = (char*)(&addr->inet.ip); -- request[4] = *ip++; -- request[5] = *ip++; -- request[6] = *ip++; -- request[7] = *ip++; -- -- } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { // IPv6 -- -- // IPv4 address encoded in an IPv6 address -- if (PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { -- // store the ip -- ip = (char*)(&addr->ipv6.ip.pr_s6_addr[12]); -- request[4] = *ip++; -- request[5] = *ip++; -- request[6] = *ip++; -- request[7] = *ip++; -- } else { -- LOGERROR(("IPv6 is not supported in SOCKS 4.")); -- return NS_ERROR_FAILURE; // SOCKS 4 can't do IPv6 -- } -- -- } else { -- LOGERROR(("Don't know what kind of IP address this is.")); -- return NS_ERROR_FAILURE; // don't recognize this type -- } -- -- if (request_len > 0) { -- write_len = pr_Send(fd, request, request_len, 0, &timeout); -- if (write_len != request_len) { -- return NS_ERROR_FAILURE; -+ rv = dns->Resolve(mProxyHost, 0, getter_AddRefs(mDnsRec)); -+ if (NS_FAILED(rv)) { -+ LOGERROR(("socks: DNS lookup for SOCKS proxy %s failed", -+ mProxyHost.get())); -+ return PR_FAILURE; - } - } - -- // get the server's response -- desired_len = 8; // size of the response -- response_len = pr_RecvAll(fd, response, desired_len, 0, &timeout); -- if (response_len < desired_len) { -- LOGERROR(("pr_RecvAll() failed. response_len = %d.", response_len)); -- return NS_ERROR_FAILURE; -+ do { -+ rv = mDnsRec->GetNextAddr(mProxyPort, &mInternalProxyAddr); -+ // No more addresses to try? If so, we'll need to bail -+ if (NS_FAILED(rv)) { -+ LOGERROR(("socks: unable to connect to SOCKS proxy, %s", -+ mProxyHost.get())); -+ return PR_FAILURE; -+ } -+ -+#if defined(PR_LOGGING) -+ char buf[64]; -+ PR_NetAddrToString(&mInternalProxyAddr, buf, sizeof(buf)); -+ LOGDEBUG(("socks: trying proxy server, %s:%hu", -+ buf, PR_ntohs(PR_NetAddrInetPort(&mInternalProxyAddr)))); -+#endif -+ status = fd->lower->methods->connect(fd->lower, -+ &mInternalProxyAddr, mTimeout); -+ if (status != PR_SUCCESS) { -+ PRErrorCode c = PR_GetError(); -+ // If EINPROGRESS, return now and check back later after polling -+ if (c == PR_WOULD_BLOCK_ERROR || c == PR_IN_PROGRESS_ERROR) { -+ mState = SOCKS_CONNECTING_TO_PROXY; -+ return status; -+ } -+ } -+ } while (status != PR_SUCCESS); -+ -+ // Connected now, start SOCKS -+ if (mVersion == 4) -+ return WriteV4ConnectRequest(); -+ return WriteV5AuthRequest(); -+} -+ -+PRStatus -+nsSOCKSSocketInfo::ContinueConnectingToProxy(PRFileDesc *fd, PRInt16 oflags) -+{ -+ PRStatus status; -+ -+ NS_ABORT_IF_FALSE(mState == SOCKS_CONNECTING_TO_PROXY, -+ "Continuing connection in wrong state!"); -+ -+ LOGDEBUG(("socks: continuing connection to proxy")); -+ -+ status = fd->lower->methods->connectcontinue(fd->lower, oflags); -+ if (status != PR_SUCCESS) { -+ PRErrorCode c = PR_GetError(); -+ if (c != PR_WOULD_BLOCK_ERROR && c != PR_IN_PROGRESS_ERROR) { -+ // A connection failure occured, try another address -+ mState = SOCKS_INITIAL; -+ return ConnectToProxy(fd); -+ } -+ -+ // We're still connecting -+ return PR_FAILURE; - } - -- if ((response[0] != 0x00) && (response[0] != 0x04)) { -- // Novell BorderManager sends a response of type 4, should be zero -- // According to the spec. Cope with this brokenness. -- // it's not a SOCKS 4 reply or version 0 of the reply code -- LOGERROR(("Not a SOCKS 4 reply. Expected: 0; received: %x.", response[0])); -- return NS_ERROR_FAILURE; -+ // Connected now, start SOCKS -+ if (mVersion == 4) -+ return WriteV4ConnectRequest(); -+ return WriteV5AuthRequest(); -+} -+ -+PRStatus -+nsSOCKSSocketInfo::WriteV4ConnectRequest() -+{ -+ PRNetAddr *addr = &mDestinationAddr; -+ PRInt32 proxy_resolve; -+ -+ NS_ABORT_IF_FALSE(mState == SOCKS_CONNECTING_TO_PROXY, -+ "Invalid state!"); -+ -+ proxy_resolve = mFlags & nsISocketProvider::PROXY_RESOLVES_HOST; -+ -+ mDataLength = 0; -+ mState = SOCKS4_WRITE_CONNECT_REQUEST; -+ -+ LOGDEBUG(("socks4: sending connection request (socks4a resolve? %s)", -+ proxy_resolve? "yes" : "no")); -+ -+ // Send a SOCKS 4 connect request. -+ WriteUint8(0x04); // version -- 4 -+ WriteUint8(0x01); // command -- connect -+ WriteNetPort(addr); -+ if (proxy_resolve) { -+ // Add the full name, null-terminated, to the request -+ // according to SOCKS 4a. A fake IP address, with the first -+ // four bytes set to 0 and the last byte set to something other -+ // than 0, is used to notify the proxy that this is a SOCKS 4a -+ // request. This request type works for Tor and perhaps others. -+ WriteUint32(PR_htonl(0x00000001)); // Fake IP -+ WriteUint8(0x00); // Send an emtpy username -+ if (mDestinationHost.Length() > MAX_HOSTNAME_LEN) { -+ LOGERROR(("socks4: destination host name is too long!")); -+ HandshakeFinished(PR_BAD_ADDRESS_ERROR); -+ return PR_FAILURE; -+ } -+ WriteString(mDestinationHost); // Hostname -+ WriteUint8(0x00); -+ } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { -+ WriteNetAddr(addr); // Add the IPv4 address -+ WriteUint8(0x00); // Send an emtpy username -+ } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { -+ LOGERROR(("socks: SOCKS 4 can't handle IPv6 addresses!")); -+ HandshakeFinished(PR_BAD_ADDRESS_ERROR); -+ return PR_FAILURE; - } - -- if (response[1] != 0x5A) { // = 90: request granted -- // connect request not granted -- LOGERROR(("Connection request refused. Expected: 90; received: %d.", response[1])); -- return NS_ERROR_FAILURE; -- } -- -- return NS_OK; -- -+ return PR_SUCCESS; - } - -+PRStatus -+nsSOCKSSocketInfo::ReadV4ConnectResponse() -+{ -+ NS_ABORT_IF_FALSE(mState == SOCKS4_READ_CONNECT_RESPONSE, -+ "Handling SOCKS 4 connection reply in wrong state!"); -+ NS_ABORT_IF_FALSE(mDataLength == 8, -+ "SOCKS 4 connection reply must be 8 bytes!"); -+ -+ LOGDEBUG(("socks4: checking connection reply")); -+ -+ if (ReadUint8() != 0x00) { -+ LOGERROR(("socks4: wrong connection reply")); -+ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); -+ return PR_FAILURE; -+ } -+ -+ // See if our connection request was granted -+ if (ReadUint8() == 90) { -+ LOGDEBUG(("socks4: connection successful!")); -+ HandshakeFinished(); -+ return PR_SUCCESS; -+ } -+ -+ LOGERROR(("socks4: unable to connect")); -+ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); -+ return PR_FAILURE; -+} -+ -+PRStatus -+nsSOCKSSocketInfo::WriteV5AuthRequest() -+{ -+ NS_ABORT_IF_FALSE(mVersion == 5, "SOCKS version must be 5!"); -+ -+ mState = SOCKS5_WRITE_AUTH_REQUEST; -+ -+ // Send an initial SOCKS 5 greeting -+ LOGDEBUG(("socks5: sending auth methods")); -+ WriteUint8(0x05); // version -- 5 -+ WriteUint8(0x01); // # auth methods -- 1 -+ WriteUint8(0x00); // we don't support authentication -+ -+ return PR_SUCCESS; -+} -+ -+PRStatus -+nsSOCKSSocketInfo::ReadV5AuthResponse() -+{ -+ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_AUTH_RESPONSE, -+ "Handling SOCKS 5 auth method reply in wrong state!"); -+ NS_ABORT_IF_FALSE(mDataLength == 2, -+ "SOCKS 5 auth method reply must be 2 bytes!"); -+ -+ LOGDEBUG(("socks5: checking auth method reply")); -+ -+ // Check version number -+ if (ReadUint8() != 0x05) { -+ LOGERROR(("socks5: unexpected version in the reply")); -+ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); -+ return PR_FAILURE; -+ } -+ -+ // Make sure our authentication choice was accepted -+ if (ReadUint8() != 0x00) { -+ LOGERROR(("socks5: server did not accept our authentication method")); -+ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); -+ return PR_FAILURE; -+ } -+ -+ return WriteV5ConnectRequest(); -+} -+ -+PRStatus -+nsSOCKSSocketInfo::WriteV5ConnectRequest() -+{ -+ // Send SOCKS 5 connect request -+ PRNetAddr *addr = &mDestinationAddr; -+ PRInt32 proxy_resolve; -+ proxy_resolve = mFlags & nsISocketProvider::PROXY_RESOLVES_HOST; -+ -+ LOGDEBUG(("socks5: sending connection request (socks5 resolve? %s)", -+ proxy_resolve? "yes" : "no")); -+ -+ mDataLength = 0; -+ mState = SOCKS5_WRITE_CONNECT_REQUEST; -+ -+ WriteUint8(0x05); // version -- 5 -+ WriteUint8(0x01); // command -- connect -+ WriteUint8(0x00); // reserved -+ -+ // Add the address to the SOCKS 5 request. SOCKS 5 supports several -+ // address types, so we pick the one that works best for us. -+ if (proxy_resolve) { -+ // Add the host name. Only a single byte is used to store the length, -+ // so we must prevent long names from being used. -+ if (mDestinationHost.Length() > MAX_HOSTNAME_LEN) { -+ LOGERROR(("socks5: destination host name is too long!")); -+ HandshakeFinished(PR_BAD_ADDRESS_ERROR); -+ return PR_FAILURE; -+ } -+ WriteUint8(0x03); // addr type -- domainname -+ WriteUint8(mDestinationHost.Length()); // name length -+ WriteString(mDestinationHost); -+ } else if (PR_NetAddrFamily(addr) == PR_AF_INET) { -+ WriteUint8(0x01); // addr type -- IPv4 -+ WriteNetAddr(addr); -+ } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { -+ WriteUint8(0x04); // addr type -- IPv6 -+ WriteNetAddr(addr); -+ } else { -+ LOGERROR(("socks5: destination address of unknown type!")); -+ HandshakeFinished(PR_BAD_ADDRESS_ERROR); -+ return PR_FAILURE; -+ } -+ -+ WriteNetPort(addr); // port -+ -+ return PR_SUCCESS; -+} -+ -+PRStatus -+nsSOCKSSocketInfo::ReadV5AddrTypeAndLength(PRUint8 *type, PRUint32 *len) -+{ -+ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_TOP || -+ mState == SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, -+ "Invalid state!"); -+ NS_ABORT_IF_FALSE(mDataLength >= 5, -+ "SOCKS 5 connection reply must be at least 5 bytes!"); -+ -+ // Seek to the address location -+ mReadOffset = 3; -+ -+ *type = ReadUint8(); -+ -+ switch (*type) { -+ case 0x01: // ipv4 -+ *len = 4 - 1; -+ break; -+ case 0x04: // ipv6 -+ *len = 16 - 1; -+ break; -+ case 0x03: // fqdn -+ *len = ReadUint8(); -+ break; -+ default: // wrong address type -+ LOGERROR(("socks5: wrong address type in connection reply!")); -+ return PR_FAILURE; -+ } -+ -+ return PR_SUCCESS; -+} -+ -+PRStatus -+nsSOCKSSocketInfo::ReadV5ConnectResponseTop() -+{ -+ PRUint8 res; -+ PRUint32 len; -+ -+ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_TOP, -+ "Invalid state!"); -+ NS_ABORT_IF_FALSE(mDataLength == 5, -+ "SOCKS 5 connection reply must be exactly 5 bytes!"); -+ -+ LOGDEBUG(("socks5: checking connection reply")); -+ -+ // Check version number -+ if (ReadUint8() != 0x05) { -+ LOGERROR(("socks5: unexpected version in the reply")); -+ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); -+ return PR_FAILURE; -+ } -+ -+ // Check response -+ res = ReadUint8(); -+ if (res != 0x00) { -+ PRErrorCode c = PR_CONNECT_REFUSED_ERROR; -+ -+ switch (res) { -+ case 0x01: -+ LOGERROR(("socks5: connect failed: " -+ "01, General SOCKS server failure.")); -+ break; -+ case 0x02: -+ LOGERROR(("socks5: connect failed: " -+ "02, Connection not allowed by ruleset.")); -+ break; -+ case 0x03: -+ LOGERROR(("socks5: connect failed: 03, Network unreachable.")); -+ c = PR_NETWORK_UNREACHABLE_ERROR; -+ break; -+ case 0x04: -+ LOGERROR(("socks5: connect failed: 04, Host unreachable.")); -+ break; -+ case 0x05: -+ LOGERROR(("socks5: connect failed: 05, Connection refused.")); -+ break; -+ case 0x06: -+ LOGERROR(("socks5: connect failed: 06, TTL expired.")); -+ c = PR_CONNECT_TIMEOUT_ERROR; -+ break; -+ case 0x07: -+ LOGERROR(("socks5: connect failed: " -+ "07, Command not supported.")); -+ break; -+ case 0x08: -+ LOGERROR(("socks5: connect failed: " -+ "08, Address type not supported.")); -+ c = PR_BAD_ADDRESS_ERROR; -+ break; -+ default: -+ LOGERROR(("socks5: connect failed.")); -+ break; -+ } -+ -+ HandshakeFinished(c); -+ return PR_FAILURE; -+ } -+ -+ if (ReadV5AddrTypeAndLength(&res, &len) != PR_SUCCESS) { -+ HandshakeFinished(PR_BAD_ADDRESS_ERROR); -+ return PR_FAILURE; -+ } -+ -+ mState = SOCKS5_READ_CONNECT_RESPONSE_BOTTOM; -+ WantRead(len + 2); -+ -+ return PR_SUCCESS; -+} -+ -+PRStatus -+nsSOCKSSocketInfo::ReadV5ConnectResponseBottom() -+{ -+ PRUint8 type; -+ PRUint32 len; -+ -+ NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, -+ "Invalid state!"); -+ -+ if (ReadV5AddrTypeAndLength(&type, &len) != PR_SUCCESS) { -+ HandshakeFinished(PR_BAD_ADDRESS_ERROR); -+ return PR_FAILURE; -+ } -+ -+ NS_ABORT_IF_FALSE(mDataLength == 7+len, -+ "SOCKS 5 unexpected length of connection reply!"); -+ -+ LOGDEBUG(("socks5: loading source addr and port")); -+ // Read what the proxy says is our source address -+ switch (type) { -+ case 0x01: // ipv4 -+ ReadNetAddr(&mExternalProxyAddr, PR_AF_INET); -+ break; -+ case 0x04: // ipv6 -+ ReadNetAddr(&mExternalProxyAddr, PR_AF_INET6); -+ break; -+ case 0x03: // fqdn (skip) -+ mReadOffset += len; -+ mExternalProxyAddr.raw.family = PR_AF_INET; -+ break; -+ } -+ -+ ReadNetPort(&mExternalProxyAddr); -+ -+ LOGDEBUG(("socks5: connected!")); -+ HandshakeFinished(); -+ -+ return PR_SUCCESS; -+} -+ -+void -+nsSOCKSSocketInfo::SetConnectTimeout(PRIntervalTime to) -+{ -+ mTimeout = to; -+} -+ -+PRStatus -+nsSOCKSSocketInfo::DoHandshake(PRFileDesc *fd, PRInt16 oflags) -+{ -+ LOGDEBUG(("socks: DoHandshake(), state = %d", mState)); -+ -+ switch (mState) { -+ case SOCKS_INITIAL: -+ return ConnectToProxy(fd); -+ case SOCKS_CONNECTING_TO_PROXY: -+ return ContinueConnectingToProxy(fd, oflags); -+ case SOCKS4_WRITE_CONNECT_REQUEST: -+ if (WriteToSocket(fd) != PR_SUCCESS) -+ return PR_FAILURE; -+ WantRead(8); -+ mState = SOCKS4_READ_CONNECT_RESPONSE; -+ return PR_SUCCESS; -+ case SOCKS4_READ_CONNECT_RESPONSE: -+ if (ReadFromSocket(fd) != PR_SUCCESS) -+ return PR_FAILURE; -+ return ReadV4ConnectResponse(); -+ -+ case SOCKS5_WRITE_AUTH_REQUEST: -+ if (WriteToSocket(fd) != PR_SUCCESS) -+ return PR_FAILURE; -+ WantRead(2); -+ mState = SOCKS5_READ_AUTH_RESPONSE; -+ return PR_SUCCESS; -+ case SOCKS5_READ_AUTH_RESPONSE: -+ if (ReadFromSocket(fd) != PR_SUCCESS) -+ return PR_FAILURE; -+ return ReadV5AuthResponse(); -+ case SOCKS5_WRITE_CONNECT_REQUEST: -+ if (WriteToSocket(fd) != PR_SUCCESS) -+ return PR_FAILURE; -+ -+ // The SOCKS 5 response to the connection request is variable -+ // length. First, we'll read enough to tell how long the response -+ // is, and will read the rest later. -+ WantRead(5); -+ mState = SOCKS5_READ_CONNECT_RESPONSE_TOP; -+ return PR_SUCCESS; -+ case SOCKS5_READ_CONNECT_RESPONSE_TOP: -+ if (ReadFromSocket(fd) != PR_SUCCESS) -+ return PR_FAILURE; -+ return ReadV5ConnectResponseTop(); -+ case SOCKS5_READ_CONNECT_RESPONSE_BOTTOM: -+ if (ReadFromSocket(fd) != PR_SUCCESS) -+ return PR_FAILURE; -+ return ReadV5ConnectResponseBottom(); -+ -+ case SOCKS_CONNECTED: -+ LOGERROR(("socks: already connected")); -+ HandshakeFinished(PR_IS_CONNECTED_ERROR); -+ return PR_FAILURE; -+ case SOCKS_FAILED: -+ LOGERROR(("socks: already failed")); -+ return PR_FAILURE; -+ } -+ -+ LOGERROR(("socks: executing handshake in invalid state, %d", mState)); -+ HandshakeFinished(PR_INVALID_STATE_ERROR); -+ -+ return PR_FAILURE; -+} -+ -+PRInt16 -+nsSOCKSSocketInfo::GetPollFlags() const -+{ -+ switch (mState) { -+ case SOCKS_CONNECTING_TO_PROXY: -+ return PR_POLL_EXCEPT | PR_POLL_WRITE; -+ case SOCKS4_WRITE_CONNECT_REQUEST: -+ case SOCKS5_WRITE_AUTH_REQUEST: -+ case SOCKS5_WRITE_CONNECT_REQUEST: -+ return PR_POLL_WRITE; -+ case SOCKS4_READ_CONNECT_RESPONSE: -+ case SOCKS5_READ_AUTH_RESPONSE: -+ case SOCKS5_READ_CONNECT_RESPONSE_TOP: -+ case SOCKS5_READ_CONNECT_RESPONSE_BOTTOM: -+ return PR_POLL_READ; -+ default: -+ break; -+ } -+ -+ return 0; -+} -+ -+inline void -+nsSOCKSSocketInfo::WriteUint8(PRUint8 v) -+{ -+ NS_ABORT_IF_FALSE(mDataLength + sizeof(v) <= BUFFER_SIZE, -+ "Can't write that much data!"); -+ mData[mDataLength] = v; -+ mDataLength += sizeof(v); -+} -+ -+inline void -+nsSOCKSSocketInfo::WriteUint16(PRUint16 v) -+{ -+ NS_ABORT_IF_FALSE(mDataLength + sizeof(v) <= BUFFER_SIZE, -+ "Can't write that much data!"); -+ memcpy(mData + mDataLength, &v, sizeof(v)); -+ mDataLength += sizeof(v); -+} -+ -+inline void -+nsSOCKSSocketInfo::WriteUint32(PRUint32 v) -+{ -+ NS_ABORT_IF_FALSE(mDataLength + sizeof(v) <= BUFFER_SIZE, -+ "Can't write that much data!"); -+ memcpy(mData + mDataLength, &v, sizeof(v)); -+ mDataLength += sizeof(v); -+} -+ -+void -+nsSOCKSSocketInfo::WriteNetAddr(const PRNetAddr *addr) -+{ -+ const char *ip = NULL; -+ PRUint32 len = 0; -+ -+ if (PR_NetAddrFamily(addr) == PR_AF_INET) { -+ ip = (const char*)&addr->inet.ip; -+ len = sizeof(addr->inet.ip); -+ } else if (PR_NetAddrFamily(addr) == PR_AF_INET6) { -+ ip = (const char*)addr->ipv6.ip.pr_s6_addr; -+ len = sizeof(addr->ipv6.ip.pr_s6_addr); -+ } -+ -+ NS_ABORT_IF_FALSE(ip != NULL, "Unknown address"); -+ NS_ABORT_IF_FALSE(mDataLength + len <= BUFFER_SIZE, -+ "Can't write that much data!"); -+ -+ memcpy(mData + mDataLength, ip, len); -+ mDataLength += len; -+} -+ -+void -+nsSOCKSSocketInfo::WriteNetPort(const PRNetAddr *addr) -+{ -+ WriteUint16(PR_NetAddrInetPort(addr)); -+} -+ -+void -+nsSOCKSSocketInfo::WriteString(const nsACString &str) -+{ -+ NS_ABORT_IF_FALSE(mDataLength + str.Length() <= BUFFER_SIZE, -+ "Can't write that much data!"); -+ memcpy(mData + mDataLength, str.Data(), str.Length()); -+ mDataLength += str.Length(); -+} -+ -+inline PRUint8 -+nsSOCKSSocketInfo::ReadUint8() -+{ -+ PRUint8 rv; -+ NS_ABORT_IF_FALSE(mReadOffset + sizeof(rv) <= mDataLength, -+ "Not enough space to pop a uint8!"); -+ rv = mData[mReadOffset]; -+ mReadOffset += sizeof(rv); -+ return rv; -+} -+ -+inline PRUint16 -+nsSOCKSSocketInfo::ReadUint16() -+{ -+ PRUint16 rv; -+ NS_ABORT_IF_FALSE(mReadOffset + sizeof(rv) <= mDataLength, -+ "Not enough space to pop a uint16!"); -+ memcpy(&rv, mData + mReadOffset, sizeof(rv)); -+ mReadOffset += sizeof(rv); -+ return rv; -+} -+ -+inline PRUint32 -+nsSOCKSSocketInfo::ReadUint32() -+{ -+ PRUint32 rv; -+ NS_ABORT_IF_FALSE(mReadOffset + sizeof(rv) <= mDataLength, -+ "Not enough space to pop a uint32!"); -+ memcpy(&rv, mData + mReadOffset, sizeof(rv)); -+ mReadOffset += sizeof(rv); -+ return rv; -+} -+ -+void -+nsSOCKSSocketInfo::ReadNetAddr(PRNetAddr *addr, PRUint16 fam) -+{ -+ PRUint32 amt; -+ const PRUint8 *ip = mData + mReadOffset; -+ -+ addr->raw.family = fam; -+ if (fam == PR_AF_INET) { -+ amt = sizeof(addr->inet.ip); -+ NS_ABORT_IF_FALSE(mReadOffset + amt <= mDataLength, -+ "Not enough space to pop an ipv4 addr!"); -+ memcpy(&addr->inet.ip, ip, amt); -+ } else if (fam == PR_AF_INET6) { -+ amt = sizeof(addr->ipv6.ip.pr_s6_addr); -+ NS_ABORT_IF_FALSE(mReadOffset + amt <= mDataLength, -+ "Not enough space to pop an ipv6 addr!"); -+ memcpy(addr->ipv6.ip.pr_s6_addr, ip, amt); -+ } -+ -+ mReadOffset += amt; -+} -+ -+void -+nsSOCKSSocketInfo::ReadNetPort(PRNetAddr *addr) -+{ -+ addr->inet.port = ReadUint16(); -+} -+ -+void -+nsSOCKSSocketInfo::WantRead(PRUint32 sz) -+{ -+ NS_ABORT_IF_FALSE(mDataIoPtr == NULL, -+ "WantRead() called while I/O already in progress!"); -+ NS_ABORT_IF_FALSE(mDataLength + sz <= BUFFER_SIZE, -+ "Can't read that much data!"); -+ mAmountToRead = sz; -+} -+ -+PRStatus -+nsSOCKSSocketInfo::ReadFromSocket(PRFileDesc *fd) -+{ -+ PRInt32 rc; -+ const PRUint8 *end; -+ -+ if (!mAmountToRead) { -+ LOGDEBUG(("socks: ReadFromSocket(), nothing to do")); -+ return PR_SUCCESS; -+ } -+ -+ if (!mDataIoPtr) { -+ mDataIoPtr = mData + mDataLength; -+ mDataLength += mAmountToRead; -+ } -+ -+ end = mData + mDataLength; -+ -+ while (mDataIoPtr < end) { -+ rc = PR_Read(fd, mDataIoPtr, end - mDataIoPtr); -+ if (rc <= 0) { -+ if (rc == 0) { -+ LOGERROR(("socks: proxy server closed connection")); -+ HandshakeFinished(PR_CONNECT_REFUSED_ERROR); -+ return PR_FAILURE; -+ } else if (PR_GetError() == PR_WOULD_BLOCK_ERROR) { -+ LOGDEBUG(("socks: ReadFromSocket(), want read")); -+ } -+ break; -+ } -+ -+ mDataIoPtr += rc; -+ } -+ -+ LOGDEBUG(("socks: ReadFromSocket(), have %u bytes total", -+ unsigned(mDataIoPtr - mData))); -+ if (mDataIoPtr == end) { -+ mDataIoPtr = nsnull; -+ mAmountToRead = 0; -+ mReadOffset = 0; -+ return PR_SUCCESS; -+ } -+ -+ return PR_FAILURE; -+} -+ -+PRStatus -+nsSOCKSSocketInfo::WriteToSocket(PRFileDesc *fd) -+{ -+ PRInt32 rc; -+ const PRUint8 *end; -+ -+ if (!mDataLength) { -+ LOGDEBUG(("socks: WriteToSocket(), nothing to do")); -+ return PR_SUCCESS; -+ } -+ -+ if (!mDataIoPtr) -+ mDataIoPtr = mData; -+ -+ end = mData + mDataLength; -+ -+ while (mDataIoPtr < end) { -+ rc = PR_Write(fd, mDataIoPtr, end - mDataIoPtr); -+ if (rc < 0) { -+ if (PR_GetError() == PR_WOULD_BLOCK_ERROR) { -+ LOGDEBUG(("socks: WriteToSocket(), want write")); -+ } -+ break; -+ } -+ -+ mDataIoPtr += rc; -+ } -+ -+ if (mDataIoPtr == end) { -+ mDataIoPtr = nsnull; -+ mDataLength = 0; -+ mReadOffset = 0; -+ return PR_SUCCESS; -+ } -+ -+ return PR_FAILURE; -+} - - static PRStatus --nsSOCKSIOLayerConnect(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime /*timeout*/) -+nsSOCKSIOLayerConnect(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime to) - { -+ PRStatus status; -+ PRNetAddr dst; - -+ nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; -+ if (info == NULL) return PR_FAILURE; -+ -+ if (PR_NetAddrFamily(addr) == PR_AF_INET6 && -+ PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { -+ const PRUint8 *srcp; -+ -+ LOGDEBUG(("socks: converting ipv4-mapped ipv6 address to ipv4")); -+ -+ // copied from _PR_ConvertToIpv4NetAddr() -+ PR_InitializeNetAddr(PR_IpAddrAny, 0, &dst); -+ srcp = addr->ipv6.ip.pr_s6_addr; -+ memcpy(&dst.inet.ip, srcp + 12, 4); -+ dst.inet.family = PR_AF_INET; -+ dst.inet.port = addr->ipv6.port; -+ } else { -+ memcpy(&dst, addr, sizeof(dst)); -+ } -+ -+ info->SetDestinationAddr(&dst); -+ info->SetConnectTimeout(to); -+ -+ do { -+ status = info->DoHandshake(fd, -1); -+ } while (status == PR_SUCCESS && !info->IsConnected()); -+ -+ return status; -+} -+ -+static PRStatus -+nsSOCKSIOLayerConnectContinue(PRFileDesc *fd, PRInt16 oflags) -+{ - PRStatus status; - - nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; - if (info == NULL) return PR_FAILURE; - -- // First, we need to look up our proxy... -- const nsCString &proxyHost = info->ProxyHost(); -+ do { -+ status = info->DoHandshake(fd, oflags); -+ } while (status == PR_SUCCESS && !info->IsConnected()); - -- if (proxyHost.IsEmpty()) -- return PR_FAILURE; -+ return status; -+} - -- PRInt32 socksVersion = info->Version(); -+static PRInt16 -+nsSOCKSIOLayerPoll(PRFileDesc *fd, PRInt16 in_flags, PRInt16 *out_flags) -+{ -+ nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; -+ if (info == NULL) return PR_FAILURE; - -- LOGDEBUG(("nsSOCKSIOLayerConnect SOCKS %u; proxyHost: %s.", socksVersion, proxyHost.get())); -- -- // Sync resolve the proxy hostname. -- PRNetAddr proxyAddr; -- nsCOMPtr<nsIDNSRecord> rec; -- nsresult rv; -- { -- nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID); -- if (!dns) -- return PR_FAILURE; -- -- rv = dns->Resolve(proxyHost, 0, getter_AddRefs(rec)); -- if (NS_FAILED(rv)) -- return PR_FAILURE; -+ if (!info->IsConnected()) { -+ *out_flags = 0; -+ return info->GetPollFlags(); - } - -- info->SetInternalProxyAddr(&proxyAddr); -- -- // For now, we'll do this as a blocking connect, -- // but with nspr 4.1, the necessary functions to -- // do a non-blocking connect will be available -- -- // Preserve the non-blocking state of the socket -- PRBool nonblocking; -- PRSocketOptionData sockopt; -- sockopt.option = PR_SockOpt_Nonblocking; -- status = PR_GetSocketOption(fd, &sockopt); -- -- if (PR_SUCCESS != status) { -- LOGERROR(("PR_GetSocketOption() failed. status = %x.", status)); -- return status; -- } -- -- // Store blocking option -- nonblocking = sockopt.value.non_blocking; -- -- sockopt.option = PR_SockOpt_Nonblocking; -- sockopt.value.non_blocking = PR_FALSE; -- status = PR_SetSocketOption(fd, &sockopt); -- -- if (PR_SUCCESS != status) { -- LOGERROR(("PR_SetSocketOption() failed. status = %x.", status)); -- return status; -- } -- -- // Now setup sockopts, so we can restore the value later. -- sockopt.option = PR_SockOpt_Nonblocking; -- sockopt.value.non_blocking = nonblocking; -- -- // This connectWait should be long enough to connect to local proxy -- // servers, but not much longer. Since this protocol negotiation -- // uses blocking network calls, the app can appear to hang for a maximum -- // of this time if the user presses the STOP button during the SOCKS -- // connection negotiation. Note that this value only applies to the -- // connecting to the SOCKS server: once the SOCKS connection has been -- // established, the value is not used anywhere else. -- PRIntervalTime connectWait = PR_SecondsToInterval(10); -- -- // Connect to the proxy server. -- PRInt32 addresses = 0; -- do { -- rv = rec->GetNextAddr(info->ProxyPort(), &proxyAddr); -- if (NS_FAILED(rv)) { -- status = PR_FAILURE; -- break; -- } -- ++addresses; -- status = fd->lower->methods->connect(fd->lower, &proxyAddr, connectWait); -- } while (PR_SUCCESS != status); -- -- if (PR_SUCCESS != status) { -- LOGERROR(("Failed to TCP connect to the proxy server (%s): timeout = %d, status = %x, tried %d addresses.", proxyHost.get(), connectWait, status, addresses)); -- PR_SetSocketOption(fd, &sockopt); -- return status; -- } -- -- -- // We are now connected to the SOCKS proxy server. -- // Now we will negotiate a connection to the desired server. -- -- // External IP address returned from ConnectSOCKS5(). Not supported in SOCKS4. -- PRNetAddr extAddr; -- PR_InitializeNetAddr(PR_IpAddrNull, 0, &extAddr); -- -- NS_ASSERTION((socksVersion == 4) || (socksVersion == 5), "SOCKS Version must be selected"); -- -- // Try to connect via SOCKS 5. -- if (socksVersion == 5) { -- rv = ConnectSOCKS5(fd, addr, &extAddr, connectWait); -- -- if (NS_FAILED(rv)) { -- PR_SetSocketOption(fd, &sockopt); -- return PR_FAILURE; -- } -- -- } -- -- // Try to connect via SOCKS 4. -- else { -- rv = ConnectSOCKS4(fd, addr, connectWait); -- -- if (NS_FAILED(rv)) { -- PR_SetSocketOption(fd, &sockopt); -- return PR_FAILURE; -- } -- -- } -- -- -- info->SetDestinationAddr((PRNetAddr*)addr); -- info->SetExternalProxyAddr(&extAddr); -- -- // restore non-blocking option -- PR_SetSocketOption(fd, &sockopt); -- -- // we're set-up and connected. -- // this socket can be used as normal now. -- -- return PR_SUCCESS; -+ return fd->lower->methods->poll(fd->lower, in_flags, out_flags); - } - - static PRStatus - nsSOCKSIOLayerClose(PRFileDesc *fd) - { - nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; - PRDescIdentity id = PR_GetLayersIdentity(fd); - -@@ -880,16 +1115,18 @@ nsSOCKSIOLayerAddToSocket(PRInt32 family - - - if (firstTime) - { - nsSOCKSIOLayerIdentity = PR_GetUniqueIdentity("SOCKS layer"); - nsSOCKSIOLayerMethods = *PR_GetDefaultIOMethods(); - - nsSOCKSIOLayerMethods.connect = nsSOCKSIOLayerConnect; -+ nsSOCKSIOLayerMethods.connectcontinue = nsSOCKSIOLayerConnectContinue; -+ nsSOCKSIOLayerMethods.poll = nsSOCKSIOLayerPoll; - nsSOCKSIOLayerMethods.bind = nsSOCKSIOLayerBind; - nsSOCKSIOLayerMethods.acceptread = nsSOCKSIOLayerAcceptRead; - nsSOCKSIOLayerMethods.getsockname = nsSOCKSIOLayerGetName; - nsSOCKSIOLayerMethods.getpeername = nsSOCKSIOLayerGetPeerName; - nsSOCKSIOLayerMethods.accept = nsSOCKSIOLayerAccept; - nsSOCKSIOLayerMethods.listen = nsSOCKSIOLayerListen; - nsSOCKSIOLayerMethods.close = nsSOCKSIOLayerClose; -

1 0

[tor/master] Assert that HS operations are not performed using single-hop circuits
by nickm＠torproject.org 15 Jun '11

15 Jun '11

commit 44eafa9697b0adebfa5e18579adcf70cd6d9c935 Author: Robert Ransom <rransom.8774(a)gmail.com> Date: Mon Jun 13 16:12:47 2011 -0700 Assert that HS operations are not performed using single-hop circuits (with fixes by Nick Mathewson to unbreak the build) --- changes/bug3332 | 9 +++++++++ src/or/directory.c | 17 +++++++++++++++++ src/or/rendclient.c | 4 ++++ src/or/rendservice.c | 3 +++ 4 files changed, 33 insertions(+), 0 deletions(-) diff --git a/changes/bug3332 b/changes/bug3332 new file mode 100644 index 0000000..28ccbf4 --- /dev/null +++ b/changes/bug3332 @@ -0,0 +1,9 @@ + o Minor bugfixes: + - Assert that hidden-service-related operations are not performed + using single-hop circuits. Previously, Tor would assert that + client-side streams are not attached to single-hop circuits, but + not that other sensitive operations on the client and service + side are not performed using single-hop circuits. Fixes bug + 3332; bugfix on 0.0.6. + + diff --git a/src/or/directory.c b/src/or/directory.c index e7a2a4b..70eb1f2 100644 --- a/src/or/directory.c +++ b/src/or/directory.c @@ -858,6 +858,20 @@ directory_initiate_command(const char *address, const tor_addr_t *_addr, if_modified_since, NULL); } +/** Return non-zero iff a directory connection with purpose + * <b>dir_purpose</b> reveals sensitive information about a Tor + * instance's client activities. (Such connections must be performed + * through normal three-hop Tor circuits.) */ +static int +is_sensitive_dir_purpose(uint8_t dir_purpose) +{ + return ((dir_purpose == DIR_PURPOSE_FETCH_RENDDESC) || + (dir_purpose == DIR_PURPOSE_HAS_FETCHED_RENDDESC) || + (dir_purpose == DIR_PURPOSE_UPLOAD_RENDDESC) || + (dir_purpose == DIR_PURPOSE_UPLOAD_RENDDESC_V2) || + (dir_purpose == DIR_PURPOSE_FETCH_RENDDESC_V2)); +} + /** Same as directory_initiate_command(), but accepts rendezvous data to * fetch a hidden service descriptor. */ static void @@ -892,6 +906,9 @@ directory_initiate_command_rend(const char *address, const tor_addr_t *_addr, log_debug(LD_DIR, "Initiating %s", dir_conn_purpose_to_string(dir_purpose)); + tor_assert(!(is_sensitive_dir_purpose(dir_purpose) && + !anonymized_connection)); + /* ensure that we don't make direct connections when a SOCKS server is * configured. */ if (!anonymized_connection && !use_begindir && !options->HTTPProxy && diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 3e9c6e8..36930fe 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -145,6 +145,8 @@ rend_client_send_introduction(origin_circuit_t *introcirc, tor_assert(rendcirc->rend_data); tor_assert(!rend_cmp_service_ids(introcirc->rend_data->onion_address, rendcirc->rend_data->onion_address)); + tor_assert(!(introcirc->build_state->onehop_tunnel)); + tor_assert(!(rendcirc->build_state->onehop_tunnel)); if (rend_cache_lookup_entry(introcirc->rend_data->onion_address, -1, &entry) < 1) { @@ -335,6 +337,7 @@ rend_client_introduction_acked(origin_circuit_t *circ, } tor_assert(circ->build_state->chosen_exit); + tor_assert(!(circ->build_state->onehop_tunnel)); tor_assert(circ->rend_data); if (request_len == 0) { @@ -346,6 +349,7 @@ rend_client_introduction_acked(origin_circuit_t *circ, rendcirc = circuit_get_by_rend_query_and_purpose( circ->rend_data->onion_address, CIRCUIT_PURPOSE_C_REND_READY); if (rendcirc) { /* remember the ack */ + tor_assert(!(rendcirc->build_state->onehop_tunnel)); rendcirc->_base.purpose = CIRCUIT_PURPOSE_C_REND_READY_INTRO_ACKED; /* Set timestamp_dirty, because circuit_expire_building expects * it to specify when a circuit entered the diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 79abc57..80fa357 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -905,6 +905,7 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, time_t *access_time; or_options_t *options = get_options(); + tor_assert(!(circuit->build_state->onehop_tunnel)); tor_assert(circuit->rend_data); base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1, @@ -1359,6 +1360,7 @@ rend_service_intro_has_opened(origin_circuit_t *circuit) crypto_pk_env_t *intro_key; tor_assert(circuit->_base.purpose == CIRCUIT_PURPOSE_S_ESTABLISH_INTRO); + tor_assert(!(circuit->build_state->onehop_tunnel)); tor_assert(circuit->cpath); tor_assert(circuit->rend_data); @@ -1501,6 +1503,7 @@ rend_service_rendezvous_has_opened(origin_circuit_t *circuit) tor_assert(circuit->_base.purpose == CIRCUIT_PURPOSE_S_CONNECT_REND); tor_assert(circuit->cpath); tor_assert(circuit->build_state); + tor_assert(!(circuit->build_state->onehop_tunnel)); tor_assert(circuit->rend_data); hop = circuit->build_state->pending_final_cpath; tor_assert(hop);

1 0

[tor/master] Merge remote-tracking branch 'rransom-tor/bug3332-v2'
by nickm＠torproject.org 15 Jun '11

15 Jun '11

commit a857f61e278aa5e5980722f9d458424b8790e9b1 Merge: 875a551 44eafa9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jun 15 11:33:40 2011 -0400 Merge remote-tracking branch 'rransom-tor/bug3332-v2' changes/bug3332 | 9 +++++++++ src/or/directory.c | 17 +++++++++++++++++ src/or/rendclient.c | 4 ++++ src/or/rendservice.c | 3 +++ 4 files changed, 33 insertions(+), 0 deletions(-) diff --cc src/or/rendservice.c index af1a290,80fa357..4413ae9 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@@ -903,8 -903,9 +903,9 @@@ rend_service_introduce(origin_circuit_ time_t now = time(NULL); char diffie_hellman_hash[DIGEST_LEN]; time_t *access_time; - or_options_t *options = get_options(); + const or_options_t *options = get_options(); + tor_assert(!(circuit->build_state->onehop_tunnel)); tor_assert(circuit->rend_data); base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1,

1 0

[metrics-web/master] Provide old relay stats in a single tarball.
by karsten＠torproject.org 15 Jun '11

15 Jun '11

commit e73815094c224dc79e2e73e89d89847e1c5a215e Author: Karsten Loesing <karsten.loesing(a)gmx.net> Date: Wed Jun 15 15:36:29 2011 +0200 Provide old relay stats in a single tarball. --- .../torproject/ernie/web/ResearchDataServlet.java | 31 +-------- web/WEB-INF/data.jsp | 66 +++++--------------- 2 files changed, 18 insertions(+), 79 deletions(-) diff --git a/src/org/torproject/ernie/web/ResearchDataServlet.java b/src/org/torproject/ernie/web/ResearchDataServlet.java index cd39ee6..0cf1564 100644 --- a/src/org/torproject/ernie/web/ResearchDataServlet.java +++ b/src/org/torproject/ernie/web/ResearchDataServlet.java @@ -72,8 +72,7 @@ public class ResearchDataServlet extends HttpServlet { String[] certs = new String[2]; SortedMap<Date, String[]> bridgeDescriptors = new TreeMap<Date, String[]>(java.util.Collections.reverseOrder()); - SortedMap<String, Map<String, String[]>> relayStatistics = - new TreeMap<String, Map<String, String[]>>(); + String[] relayStatistics = new String[2]; SortedMap<String, Map<String, String[]>> torperfData = new TreeMap<String, Map<String, String[]>>(); SortedMap<Date, String[]> exitLists = @@ -151,33 +150,9 @@ public class ResearchDataServlet extends HttpServlet { bridgeDescriptors.get(month)[index] = url; /* URL contains relay statistics. */ - } else if (filename.startsWith("buffer-") || - filename.startsWith("dirreq-") || - filename.startsWith("entry-") || - (filename.startsWith("exit-") && - !filename.startsWith("exit-list-"))) { - String[] parts = filename.split("-"); - if (parts.length != 3) { - continue; - } - String type = parts[0]; - String nickname = parts[1]; - String fingerprint = parts[2]; - fingerprint = fingerprint.substring(0, 8); + } else if (filename.startsWith("relay-statistics.tar.bz2")) { int index = filename.endsWith(".asc") ? 1 : 0; - String nicknameAndFingerprint = nickname + " (" - + fingerprint.toUpperCase() + ")"; - if (!relayStatistics.containsKey(nicknameAndFingerprint)) { - relayStatistics.put(nicknameAndFingerprint, - new HashMap<String, String[]>()); - } - if (!relayStatistics.get(nicknameAndFingerprint).containsKey( - type)) { - relayStatistics.get(nicknameAndFingerprint).put(type, - new String[2]); - } - relayStatistics.get(nicknameAndFingerprint).get(type)[index] = - url; + relayStatistics[index] = url; /* URL contains Torperf data file. */ } else if (filename.endsWith("b.data") || diff --git a/web/WEB-INF/data.jsp b/web/WEB-INF/data.jsp index da4ceb4..85cd3cc 100644 --- a/web/WEB-INF/data.jsp +++ b/web/WEB-INF/data.jsp @@ -28,7 +28,6 @@ <li><a href="#relaydesc">Relay descriptor archives</a></li> <li><a href="#bridgedesc">Bridge descriptor archives</a></li> <li><a href="#bridgeassignments">Bridge pool assignments</a></li> - <li><a href="#stats">Statistics produced by relays</a></li> <li><a href="#performance">Performance data</a></li> <li><a href="#exitlist">Exit lists</a></li> </ul> @@ -106,6 +105,21 @@ </c:if> which is updated whenever new v3 certificates become available.</p> </c:if> + <c:if test="${relayStatistics[0] ne null}"> + <br> + <p>Some of the relays are configured to gather statistics on the + number of requests or connecting clients, the number of + processed cells per queue, or the number of exiting bytes per + port. Relays running version 0.2.2.4-alpha or higher can include + these statistics in extra-info descriptors, so that they are + included in the relay descriptor archives. This + <a href="${relayStatistics[0]}">archive</a> + <c:if test="${relayStatistics[1] ne null}"> + (<a href="${relayStatistics[1]}">sig</a>) + </c:if> + contains the statistics produced by relays running earlier + versions.</p> + </c:if> <br> <a name="bridgedesc"></a> <h3>Bridge descriptor archives</h3> @@ -155,56 +169,6 @@ </c:forEach> </table> <br> - <a name="stats"></a> - <h3>Statistics produced by relays</h3> - <br> - <p>Some of the relays are configured to gather statistics on the - number of requests or connecting clients, the number of processed - cells per queue, or the number of exiting bytes per port. Relays - running version 0.2.2.4-alpha can include these statistics in - extra-info descriptors, so that they are included in the relay - descriptor archives. The following files contain the statistics - produced by relays running earlier versions:</p> - <table width="100%" border="0" cellpadding="5" cellspacing="0" summary=""> - <c:forEach var="item" items="${relayStatistics}" > - <tr> - <td>${item.key}</td> - <td> - <c:if test="${item.value['buffer'] ne null}" > - <a href="${item.value['buffer'][0]}">buffer-stats</a> - <c:if test="${item.value['buffer'][1] ne null}"> - (<a href="${item.value['buffer'][1]}">sig</a>) - </c:if> - </c:if> - </td> - <td> - <c:if test="${item.value['dirreq'] ne null}" > - <a href="${item.value['dirreq'][0]}">dirreq-stats</a> - <c:if test="${item.value['dirreq'][1] ne null}"> - (<a href="${item.value['dirreq'][1]}">sig</a>) - </c:if> - </c:if> - </td> - <td> - <c:if test="${item.value['entry'] ne null}" > - <a href="${item.value['entry'][0]}">entry-stats</a> - <c:if test="${item.value['entry'][1] ne null}"> - (<a href="${item.value['entry'][1]}">sig</a>) - </c:if> - </c:if> - </td> - <td> - <c:if test="${item.value['exit'] ne null}" > - <a href="${item.value['exit'][0]}">exit-stats</a> - <c:if test="${item.value['exit'][1] ne null}"> - (<a href="${item.value['exit'][1]}">sig</a>) - </c:if> - </c:if> - </td> - </tr> - </c:forEach> - </table> - <br> <a name="performance"></a> <h3>Performance data</h3> <br>

1 0

r24822: {} a picture of the old vs new stickers (projects/misc/phobos/tor)
by Andrew Lewman 14 Jun '11

14 Jun '11

Author: phobos Date: 2011-06-14 21:04:07 +0000 (Tue, 14 Jun 2011) New Revision: 24822 Added: projects/misc/phobos/tor/2011-oldsticker-vs-newsticker.jpg Removed: projects/misc/phobos/tor/2011-03-30-12.00.01.jpg Log: a picture of the old vs new stickers Deleted: projects/misc/phobos/tor/2011-03-30-12.00.01.jpg =================================================================== (Binary files differ) Added: projects/misc/phobos/tor/2011-oldsticker-vs-newsticker.jpg =================================================================== (Binary files differ) Property changes on: projects/misc/phobos/tor/2011-oldsticker-vs-newsticker.jpg ___________________________________________________________________ Added: svn:mime-type + image/jpeg

1 0

r24821: {} add the raw html and css for the check.tpo redesign. need to (projects/misc/phobos)
by Andrew Lewman 14 Jun '11

14 Jun '11

Author: phobos Date: 2011-06-14 20:55:20 +0000 (Tue, 14 Jun 2011) New Revision: 24821 Added: projects/misc/phobos/2011-check_redesign_files.tar.gz Log: add the raw html and css for the check.tpo redesign. need to hack this into the python code. Added: projects/misc/phobos/2011-check_redesign_files.tar.gz =================================================================== (Binary files differ) Property changes on: projects/misc/phobos/2011-check_redesign_files.tar.gz ___________________________________________________________________ Added: svn:mime-type + application/octet-stream

1 0