tor-commits
December 2015
- 18 participants
- 1281 discussions

[tor-browser-bundle/maint-5.0] Bug 16909: Don't download submodules while building
by gk@torproject.org 10 Dec '15
commit fc7cf9fb69855238648bdb59135636d422746779
Author: Georg Koppen <gk(a)torproject.org>
Date: Sat Oct 31 08:18:08 2015 +0000
Bug 16909: Don't download submodules while building
a) this is wrong and b) it is currently broken due to a certificate
error.
---
gitian/descriptors/linux/gitian-bundle.yml | 17 +++++++----------
gitian/descriptors/mac/gitian-bundle.yml | 17 +++++++----------
gitian/descriptors/windows/gitian-bundle.yml | 17 +++++++----------
3 files changed, 21 insertions(+), 30 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-bundle.yml b/gitian/descriptors/linux/gitian-bundle.yml
index c4e342b..a62bc68 100644
--- a/gitian/descriptors/linux/gitian-bundle.yml
+++ b/gitian/descriptors/linux/gitian-bundle.yml
@@ -108,16 +108,13 @@ script: |
# Workaround for git not knowing `git submodule -f` in the version shipped in
# 10.04.
sed 's/recursive -f/recursive/' -i makexpi.sh
- # We are invoking the build script with a particular tag to avoid #10066. This
- # does not work for nightlies as there is no "master" tag in that sense. But
- # we don't need to care about that as we don't need reproducibility for
- # nightly builds.
- if [ $HTTPSE_TAG != "master" ];
- then
- ./makexpi.sh $HTTPSE_TAG
- else
- ./makexpi.sh
- fi
+ # XXX: Bloody hack to workaround a bug in HTTPS_E's git hash extraction in
+ # makexpi.sh. See https://trac.torproject.org/projects/tor/ticket/10066
+ # The solution there does not work for us as doing something like
+ # |./makexpi.sh foo| to build tag |foo| is a) trying to download the sources
+ # during build time (again) and b) broken due to a certificate error.
+ rm -f .git/refs/heads/master
+ ./makexpi.sh
# Since 5.0.2 a .xpi for AMO is built, too. We don't need it.
rm ./pkg/*-amo.xpi
cp pkg/*.xpi ../tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org.xpi
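Review bot: the added rm -f .git/refs/heads/master only removes a loose ref. If the refs of the fetched https-everywhere repository have been packed, master lives in .git/packed-refs, the rm does nothing, and makexpi.sh runs into the #10066 hash extraction problem again without any error. Deleting the ref through git (git update-ref -d refs/heads/master) handles both the loose and the packed case.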
diff --git a/gitian/descriptors/mac/gitian-bundle.yml b/gitian/descriptors/mac/gitian-bundle.yml
index e9af0c2..767f3d4 100644
--- a/gitian/descriptors/mac/gitian-bundle.yml
+++ b/gitian/descriptors/mac/gitian-bundle.yml
@@ -108,16 +108,13 @@ script: |
cd ../../../
#
cd https-everywhere
- # We are invoking the build script with a particular tag to avoid #10066. This
- # does not work for nightlies as there is no "master" tag in that sense. But
- # we don't need to care about that as we don't need reproducibility for
- # nightly builds.
- if [ $HTTPSE_TAG != "master" ];
- then
- ./makexpi.sh $HTTPSE_TAG
- else
- ./makexpi.sh
- fi
+ # XXX: Bloody hack to workaround a bug in HTTPS_E's git hash extraction in
+ # makexpi.sh. See https://trac.torproject.org/projects/tor/ticket/10066
+ # The solution there does not work for us as doing something like
+ # |./makexpi.sh foo| to build tag |foo| is a) trying to download the sources
+ # during build time (again) and b) broken due to a certificate error.
+ rm -f .git/refs/heads/master
+ ./makexpi.sh
# Since 5.0.2 a .xpi for AMO is built, too. We don't need it.
rm ./pkg/*-amo.xpi
cp pkg/*.xpi ../$TORBROWSER_NAME.app/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org.xpi
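Review bot: with the if/else on $HTTPSE_TAG removed, nothing in this hunk ties the build to the pinned tag any more; ./makexpi.sh builds whatever the checkout currently points at. A guard before the call for non-nightly builds, for example comparing the output of git describe --tags --exact-match with $HTTPSE_TAG and aborting on mismatch, would make a wrongly prepared input fail instead of producing a different extension version.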
diff --git a/gitian/descriptors/windows/gitian-bundle.yml b/gitian/descriptors/windows/gitian-bundle.yml
index f84afd8..cc86d55 100644
--- a/gitian/descriptors/windows/gitian-bundle.yml
+++ b/gitian/descriptors/windows/gitian-bundle.yml
@@ -96,16 +96,13 @@ script: |
cd ../../../
#
cd https-everywhere
- # We are invoking the build script with a particular tag to avoid #10066. This
- # does not work for nightlies as there is no "master" tag in that sense. But
- # we don't need to care about that as we don't need reproducibility for
- # nightly builds.
- if [ $HTTPSE_TAG != "master" ];
- then
- ./makexpi.sh $HTTPSE_TAG
- else
- ./makexpi.sh
- fi
+ # XXX: Bloody hack to workaround a bug in HTTPS_E's git hash extraction in
+ # makexpi.sh. See https://trac.torproject.org/projects/tor/ticket/10066
+ # The solution there does not work for us as doing something like
+ # |./makexpi.sh foo| to build tag |foo| is a) trying to download the sources
+ # during build time (again) and b) broken due to a certificate error.
+ rm -f .git/refs/heads/master
+ ./makexpi.sh
# Since 5.0.2 a .xpi for AMO is built, too. We don't need it.
rm ./pkg/*-amo.xpi
cp ./pkg/*.xpi ../tbb-windows-installer/"Tor Browser"/Browser/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org.xpi
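Review bot: the new XXX comment explains why the tag argument is not used, but not why deleting the master ref makes makexpi.sh behave, so the next reader has to open ticket 10066 to judge whether the rm is still needed. One more sentence describing what makexpi.sh does when refs/heads/master is absent would make the hack reviewable on its own, here and in the linux and mac descriptors.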

[tor-browser-bundle/maint-5.0] Bug 16909: Adapt to HTTPS-Everywhere build changes
by gk@torproject.org 10 Dec '15
commit c05a7a15155304ede2dbb16cc63f9696ddb8fcd5
Author: Georg Koppen <gk(a)torproject.org>
Date: Tue Sep 8 15:18:17 2015 +0000
Bug 16909: Adapt to HTTPS-Everywhere build changes
There are two changes that got made recently:
1) The extension ID got renamed due to conflicts on the AMO dashboard
with the version hosted by Mozilla.
2) Translations moved to an own git submodule.
The first change is unproblematic. For the second one, however, we need
to bump the minimum Ubuntu version for the host operating system to
14.04. We want to initialize and update the submodules right while we
are fetching the inputs and not during build time to be not dependent
on network access during the bundling step. This fails on Ubuntu 12.04
due to an old git version (1.7.9.5) that uses absolute paths to locate
submodules. As this path is not available on the build VM the build
breaks. This does not affect Debian Wheezy (which ships with
git 1.7.10.4) nor any later Debian version.
In order to make this change obvious for 12.04 users we include an
Ubuntu version check in check-prerequisites.sh.
Additionally, we cleaned the bundling descriptors up to implement a
proper solution for #10066 instead of working around that bug.
---
gitian/README.build | 2 +-
gitian/check-prerequisites.sh | 25 ++++++++++++++++---------
gitian/descriptors/linux/gitian-bundle.yml | 18 ++++++++++++------
gitian/descriptors/mac/gitian-bundle.yml | 18 ++++++++++++------
gitian/descriptors/windows/gitian-bundle.yml | 18 ++++++++++++------
gitian/fetch-inputs.sh | 9 ++++++++-
gitian/versions.alpha | 2 +-
gitian/versions.beta | 2 +-
8 files changed, 63 insertions(+), 31 deletions(-)
diff --git a/gitian/README.build b/gitian/README.build
index 656dddd..f289791 100644
--- a/gitian/README.build
+++ b/gitian/README.build
@@ -1,6 +1,6 @@
QuickStart:
- On an Ubuntu 12.04+/Debian Wheezy+ machine or VM, run:
+ On an Ubuntu 14.04+/Debian Wheezy+ machine or VM, run:
$ make
diff --git a/gitian/check-prerequisites.sh b/gitian/check-prerequisites.sh
index 8518ffe..bd027a3 100755
--- a/gitian/check-prerequisites.sh
+++ b/gitian/check-prerequisites.sh
@@ -6,7 +6,7 @@ if [ ! -f /etc/debian_version ];
then
echo "Gitian is dependent upon the Ubuntu Virtualization Tools."
echo
- echo "You need to run Ubuntu 12.04 LTS/Debian Wheezy or newer."
+ echo "You need to run Ubuntu 14.04 LTS/Debian Wheezy or newer."
exit 1
fi
@@ -14,15 +14,22 @@ DISTRO=`cat /etc/issue | grep -Eo 'Ubuntu|Debian*'`
if [ $DISTRO = "Ubuntu" ];
then
- dpkg -s ruby apache2 git apt-cacher-ng python-vm-builder qemu-kvm virt-what lxc lxctl fakeroot faketime zip unzip subversion torsocks tor 2>/dev/null >/dev/null
-
- if [ $? -ne 0 ];
+ VERSION=`cat /etc/issue | grep -Eo '[0-9]{2}' | head -1`
+ if [ "$VERSION" -ge "14" ];
then
- echo "You are missing one or more Gitian build tool dependencies."
- echo
- echo "Please run:"
- echo " sudo apt-get install torsocks tor"
- echo " sudo torsocks apt-get install ruby apache2 git apt-cacher-ng python-vm-builder qemu-kvm virt-what lxc lxctl fakeroot faketime zip unzip subversion"
+ dpkg -s ruby apache2 git apt-cacher-ng python-vm-builder qemu-kvm virt-what lxc lxctl fakeroot faketime zip unzip subversion torsocks tor 2>/dev/null >/dev/null
+
+ if [ $? -ne 0 ];
+ then
+ echo "You are missing one or more Gitian build tool dependencies."
+ echo
+ echo "Please run:"
+ echo " sudo apt-get install torsocks tor"
+ echo " sudo torsocks apt-get install ruby apache2 git apt-cacher-ng python-vm-builder qemu-kvm virt-what lxc lxctl fakeroot faketime zip unzip subversion"
+ exit 1
+ fi
+ else
+ echo "Your Ubuntu is too old. You need Ubuntu 14.04 LTS or newer to build Tor Browser with Gitian."
exit 1
fi
elif [ $DISTRO = "Debian" ];
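Review bot: VERSION is whatever two-digit run appears first in /etc/issue, and [ "$VERSION" -ge "14" ] is evaluated even when that is empty. On a host with a customised /etc/issue the test fails with an "integer expression expected" error, control falls into the else branch, and the user is told their Ubuntu is too old. Taking the release from lsb_release -rs or VERSION_ID in /etc/os-release, and rejecting an empty value with its own message, would make the check say what actually went wrong.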
diff --git a/gitian/descriptors/linux/gitian-bundle.yml b/gitian/descriptors/linux/gitian-bundle.yml
index d3774cd..4767623 100644
--- a/gitian/descriptors/linux/gitian-bundle.yml
+++ b/gitian/descriptors/linux/gitian-bundle.yml
@@ -63,7 +63,7 @@ script: |
umask 0022
#
mkdir -p $OUTDIR/
- mkdir -p tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org
+ mkdir -p tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere-eff(a)eff.org
mkdir -p tor-browser/Browser/TorBrowser/Data/Browser/profile.meek-http-helper/extensions
mkdir -p tor-browser/Browser/TorBrowser/Data/Browser/Caches
mkdir -p tor-browser/Browser/TorBrowser/Docs/sources/
@@ -97,10 +97,16 @@ script: |
cd ../../../
#
cd https-everywhere
- # XXX: Bloody hack to workaround a bug in HTTPS_E's git hash extraction in
- # makexpi.sh. See https://trac.torproject.org/projects/tor/ticket/10066
- rm -f .git/refs/heads/master
- ./makexpi.sh
+ # We are invoking the build script with a particular tag to avoid #10066. This
+ # does not work for nightlies as there is no "master" tag in that sense. But
+ # we don't need to care about that as we don't need reproducibility for
+ # nightly builds.
+ if [ $HTTPSE_TAG != "master" ];
+ then
+ ./makexpi.sh $HTTPSE_TAG
+ else
+ ./makexpi.sh
+ fi
# Since 5.0.2 a .xpi for AMO is built, too. We don't need it.
rm ./pkg/*-amo.xpi
cp pkg/*.xpi ../tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org.xpi
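Review bot: $HTTPSE_TAG is unquoted in the added test if [ $HTTPSE_TAG != "master" ]. If the variable is empty or unset the test becomes [ != "master" ], which is a shell error; its non-zero status selects the else branch and the build quietly runs ./makexpi.sh without a tag. Quote the variable in both the test and the makexpi.sh argument, and fail early when it is empty. The same lines are added to the mac and windows descriptors.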
@@ -109,7 +115,7 @@ script: |
cp *.xpi tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions/
cd tor-browser/Browser/TorBrowser/Data/Browser/profile.default/extensions
mv noscript(a)noscript.net.xpi {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- cd https-everywhere(a)eff.org/
+ cd https-everywhere-eff(a)eff.org/
unzip ../https-everywhere(a)eff.org.xpi
rm ../https-everywhere(a)eff.org.xpi
cd ~/build
diff --git a/gitian/descriptors/mac/gitian-bundle.yml b/gitian/descriptors/mac/gitian-bundle.yml
index be404ce..bfe9899 100644
--- a/gitian/descriptors/mac/gitian-bundle.yml
+++ b/gitian/descriptors/mac/gitian-bundle.yml
@@ -72,7 +72,7 @@ script: |
MARTOOLS=~/build/mar-tools
#
mkdir -p $OUTDIR/
- mkdir -p $TORBROWSER_NAME.app/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org
+ mkdir -p $TORBROWSER_NAME.app/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere-eff(a)eff.org
mkdir -p $TORBROWSER_NAME.app/TorBrowser/Data/Browser/profile.meek-http-helper/extensions
mkdir -p $TORBROWSER_NAME.app/TorBrowser/Data/Browser/Caches
mkdir -p $TORBROWSER_NAME.app/TorBrowser/Docs/sources
@@ -100,10 +100,16 @@ script: |
cd ../../../
#
cd https-everywhere
- # XXX: Bloody hack to workaround a bug in HTTPS_E's git hash extraction in
- # makexpi.sh. See https://trac.torproject.org/projects/tor/ticket/10066
- rm -f .git/refs/heads/master
- ./makexpi.sh
+ # We are invoking the build script with a particular tag to avoid #10066. This
+ # does not work for nightlies as there is no "master" tag in that sense. But
+ # we don't need to care about that as we don't need reproducibility for
+ # nightly builds.
+ if [ $HTTPSE_TAG != "master" ];
+ then
+ ./makexpi.sh $HTTPSE_TAG
+ else
+ ./makexpi.sh
+ fi
# Since 5.0.2 a .xpi for AMO is built, too. We don't need it.
rm ./pkg/*-amo.xpi
cp pkg/*.xpi ../$TORBROWSER_NAME.app/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org.xpi
@@ -112,7 +118,7 @@ script: |
cp *.xpi ./$TORBROWSER_NAME.app/TorBrowser/Data/Browser/profile.default/extensions/
cd $TORBROWSER_NAME.app/TorBrowser/Data/Browser/profile.default/extensions/
mv noscript(a)noscript.net.xpi {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- cd https-everywhere(a)eff.org
+ cd https-everywhere-eff(a)eff.org
unzip ../https-everywhere(a)eff.org.xpi
rm ../https-everywhere(a)eff.org.xpi
cd ~/build/
diff --git a/gitian/descriptors/windows/gitian-bundle.yml b/gitian/descriptors/windows/gitian-bundle.yml
index 2fe0c2f..3ab73c3 100644
--- a/gitian/descriptors/windows/gitian-bundle.yml
+++ b/gitian/descriptors/windows/gitian-bundle.yml
@@ -63,7 +63,7 @@ script: |
MARTOOLS=~/build/mar-tools
#
mkdir -p $OUTDIR/
- mkdir -p tbb-windows-installer/"Tor Browser"/Browser/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org
+ mkdir -p tbb-windows-installer/"Tor Browser"/Browser/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere-eff(a)eff.org
mkdir -p tbb-windows-installer/"Tor Browser"/Browser/TorBrowser/Data/Browser/profile.meek-http-helper/extensions
mkdir -p tbb-windows-installer/"Tor Browser"/Browser/TorBrowser/Data/Browser/Caches
mkdir -p tbb-windows-installer/"Tor Browser"/Browser/TorBrowser/Docs/sources
@@ -88,10 +88,16 @@ script: |
cd ../../../
#
cd https-everywhere
- # XXX: Bloody hack to workaround a bug in HTTPS_E's git hash extraction in
- # makexpi.sh. See https://trac.torproject.org/projects/tor/ticket/10066
- rm -f .git/refs/heads/master
- ./makexpi.sh
+ # We are invoking the build script with a particular tag to avoid #10066. This
+ # does not work for nightlies as there is no "master" tag in that sense. But
+ # we don't need to care about that as we don't need reproducibility for
+ # nightly builds.
+ if [ $HTTPSE_TAG != "master" ];
+ then
+ ./makexpi.sh $HTTPSE_TAG
+ else
+ ./makexpi.sh
+ fi
# Since 5.0.2 a .xpi for AMO is built, too. We don't need it.
rm ./pkg/*-amo.xpi
cp ./pkg/*.xpi ../tbb-windows-installer/"Tor Browser"/Browser/TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org.xpi
@@ -100,7 +106,7 @@ script: |
cp *.xpi tbb-windows-installer/"Tor Browser"/Browser/TorBrowser/Data/Browser/profile.default/extensions
cd tbb-windows-installer/"Tor Browser"/Browser/TorBrowser/Data/Browser/profile.default/extensions
mv noscript(a)noscript.net.xpi {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- cd https-everywhere(a)eff.org
+ cd https-everywhere-eff(a)eff.org
unzip ../https-everywhere(a)eff.org.xpi
rm ../https-everywhere(a)eff.org.xpi
cd ~/build/
diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh
index 2a5bd16..b00cabd 100755
--- a/gitian/fetch-inputs.sh
+++ b/gitian/fetch-inputs.sh
@@ -162,7 +162,7 @@ do
get "${!PACKAGE}" "${!URL}"
done
-# NoScript and HTTPS-Everywhere are magikal and special:
+# NoScript is magikal and special:
wget -U "" -N ${NOSCRIPT_URL}
# Verify packages with weak or no signatures via direct sha256 check
@@ -260,5 +260,12 @@ goxnet https://go.googlesource.com/net $GO_X_NET_TAG
obfs4 https://git.torproject.org/pluggable-transports/obfs4.git $OBFS4_TAG
EOF
+# HTTPS-Everywhere is special, too. We need to initialize the git submodules and
+# update them here. Otherwise it would happen during the build.
+cd https-everywhere
+git submodule init
+git submodule update
+cd ..
+
exit 0
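Review bot: none of the four added commands is checked, and the script ends in an unconditional exit 0 right after them. Unless set -e is in effect earlier in the file (not visible in this hunk), a failed cd https-everywhere makes git submodule init and update run in the wrong directory, and a failed submodule fetch still reports success, so the missing translations only surface later during the offline bundling step. Chaining the commands with || exit 1, or running them in a subshell whose status is tested, keeps the failure where the network access happens.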
diff --git a/gitian/versions.alpha b/gitian/versions.alpha
index a0d64c7..0889489 100755
--- a/gitian/versions.alpha
+++ b/gitian/versions.alpha
@@ -12,7 +12,7 @@ TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-5.5-1-build1
TOR_TAG=tor-0.2.7.2-alpha
TORLAUNCHER_TAG=0.2.7.7
TORBUTTON_TAG=1.9.3.3
-HTTPSE_TAG=5.0.7
+HTTPSE_TAG=5.1.0
NSIS_TAG=v0.3
ZLIB_TAG=v1.2.8
LIBEVENT_TAG=release-2.0.21-stable
diff --git a/gitian/versions.beta b/gitian/versions.beta
index d743c89..b666ee6 100755
--- a/gitian/versions.beta
+++ b/gitian/versions.beta
@@ -12,7 +12,7 @@ TORBROWSER_TAG=tor-browser-${FIREFOX_VERSION}-1-build4
TOR_TAG=tor-0.2.4.21
TORLAUNCHER_TAG=0.2.5.4
TORBUTTON_TAG=1.6.9.0
-HTTPSE_TAG=5.0.2
+HTTPSE_TAG=5.1.0
NSIS_TAG=v0.1
ZLIB_TAG=v1.2.8
LIBEVENT_TAG=release-2.0.21-stable

[tor-browser/tor-browser-38.4.0esr-5.0-1] Bug #17207: Hide mime types and plugins when resisting fingerprinting
by gk@torproject.org 10 Dec '15
commit 7267388a1c76a609d55300b3a726fb872bb5ef1d
Author: Arthur Edelstein <arthuredelstein(a)gmail.com>
Date: Fri Oct 16 16:09:54 2015 -0700
Bug #17207: Hide mime types and plugins when resisting fingerprinting
---
dom/base/nsMimeTypeArray.cpp | 19 +++++++++++++++++++
dom/base/nsPluginArray.cpp | 13 ++++++++++---
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/dom/base/nsMimeTypeArray.cpp b/dom/base/nsMimeTypeArray.cpp
index 257abf6..ee530a3 100644
--- a/dom/base/nsMimeTypeArray.cpp
+++ b/dom/base/nsMimeTypeArray.cpp
@@ -14,6 +14,7 @@
#include "nsIMIMEInfo.h"
#include "Navigator.h"
#include "nsServiceManagerUtils.h"
+#include "nsContentUtils.h"
using namespace mozilla;
using namespace mozilla::dom;
@@ -39,6 +40,12 @@ nsMimeTypeArray::~nsMimeTypeArray()
{
}
+static bool
+ResistFingerprinting() {
+ return !nsContentUtils::ThreadsafeIsCallerChrome() &&
+ nsContentUtils::ResistFingerprinting();
+}
+
JSObject*
nsMimeTypeArray::WrapObject(JSContext* aCx)
{
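Review bot: the new file-static ResistFingerprinting() carries no comment saying why chrome callers are exempted, and it shares its name with nsContentUtils::ResistFingerprinting(), which it wraps with different semantics. A short comment on the chrome exemption and a distinct name would stop a later caller in this file from assuming the two are interchangeable.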
@@ -78,6 +85,10 @@ nsMimeTypeArray::IndexedGetter(uint32_t aIndex, bool &aFound)
{
aFound = false;
+ if (ResistFingerprinting()) {
+ return nullptr;
+ }
+
EnsurePluginMimeTypes();
if (aIndex >= mMimeTypes.Length()) {
@@ -108,6 +119,10 @@ nsMimeTypeArray::NamedGetter(const nsAString& aName, bool &aFound)
{
aFound = false;
+ if (ResistFingerprinting()) {
+ return nullptr;
+ }
+
EnsurePluginMimeTypes();
nsString lowerName(aName);
@@ -181,6 +196,10 @@ nsMimeTypeArray::NameIsEnumerable(const nsAString& aName)
uint32_t
nsMimeTypeArray::Length()
{
+ if (ResistFingerprinting()) {
+ return 0;
+ }
+
EnsurePluginMimeTypes();
return mMimeTypes.Length();
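Review bot: Length(), IndexedGetter() and NamedGetter() now return early, but NameIsEnumerable(), which appears in this hunk's header, and any other accessor that lists names are not touched by the patch. Please confirm that none of them can hand a MIME type name to content while privacy.resistFingerprinting is on, or give them the same early return.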
diff --git a/dom/base/nsPluginArray.cpp b/dom/base/nsPluginArray.cpp
index 1dcd551..8f789ee 100644
--- a/dom/base/nsPluginArray.cpp
+++ b/dom/base/nsPluginArray.cpp
@@ -20,6 +20,7 @@
#include "nsIWeakReference.h"
#include "mozilla/Services.h"
#include "nsIInterfaceRequestorUtils.h"
+#include "nsContentUtils.h"
using namespace mozilla;
using namespace mozilla::dom;
@@ -43,6 +44,12 @@ nsPluginArray::~nsPluginArray()
{
}
+static bool
+ResistFingerprinting() {
+ return !nsContentUtils::ThreadsafeIsCallerChrome() &&
+ nsContentUtils::ResistFingerprinting();
+}
+
nsPIDOMWindow*
nsPluginArray::GetParentObject() const
{
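Review bot: this helper is an exact copy of the one added to nsMimeTypeArray.cpp in the same commit. Keeping the caller-aware check in one shared place, for instance next to nsContentUtils::ResistFingerprinting(), would prevent the plugin and MIME type arrays from drifting apart when the policy changes.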
@@ -174,7 +181,7 @@ nsPluginArray::IndexedGetter(uint32_t aIndex, bool &aFound)
{
aFound = false;
- if (!AllowPlugins()) {
+ if (!AllowPlugins() || ResistFingerprinting()) {
return nullptr;
}
@@ -217,7 +224,7 @@ nsPluginArray::NamedGetter(const nsAString& aName, bool &aFound)
{
aFound = false;
- if (!AllowPlugins()) {
+ if (!AllowPlugins() || ResistFingerprinting()) {
return nullptr;
}
@@ -241,7 +248,7 @@ nsPluginArray::NameIsEnumerable(const nsAString& aName)
uint32_t
nsPluginArray::Length()
{
- if (!AllowPlugins()) {
+ if (!AllowPlugins() || ResistFingerprinting()) {
return 0;
}

[tor-browser/tor-browser-38.4.0esr-5.0-1] Regression tests for Bug #17207: Hide mime types and plugins when resisting fingerprinting
by gk@torproject.org 10 Dec '15
commit 3e925a360daf492465ab74f336209dad54e5497b
Author: Arthur Edelstein <arthuredelstein(a)gmail.com>
Date: Fri Oct 16 17:10:57 2015 -0700
Regression tests for Bug #17207: Hide mime types and plugins when resisting fingerprinting
---
dom/base/test/mochitest.ini | 1 +
dom/base/test/test_tor_bug17207.html | 49 ++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+)
diff --git a/dom/base/test/mochitest.ini b/dom/base/test/mochitest.ini
index 133348e..6a8c334 100644
--- a/dom/base/test/mochitest.ini
+++ b/dom/base/test/mochitest.ini
@@ -739,6 +739,7 @@ skip-if = toolkit == 'android' || e10s #RANDOM
[test_title.html]
[test_tor_bug15502.html]
[test_tor_bug15703.html]
+[test_tor_bug17207.html]
[test_treewalker_nextsibling.xml]
[test_viewport_scroll.html]
[test_viewsource_forbidden_in_object.html]
diff --git a/dom/base/test/test_tor_bug17207.html b/dom/base/test/test_tor_bug17207.html
new file mode 100644
index 0000000..4ab0a0d
--- /dev/null
+++ b/dom/base/test/test_tor_bug17207.html
@@ -0,0 +1,49 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugs.torproject.org/17207
+-->
+<head>
+ <meta http-equiv="content-type" content="text/html; charset=utf-8">
+ <title>Test for Tor Browser Bug 17207</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<p id="display"></p>
+<div id="content"></div>
+
+<script class="testbody" type="application/javascript;version=1.7">
+SimpleTest.waitForExplicitFinish();
+
+// __setPref(key, value)__.
+// Set a pref value asynchronously, returning a promise that resolves
+// when it succeeds.
+let setPref = function* (key, value) {
+ return new Promise(function(resolve, reject) {
+ SpecialPowers.pushPrefEnv({"set": [[key, value]]}, resolve);
+ });
+};
+
+// Run a test to see that we don't expose the supported mimeTypes
+// or installed plugins when "privacy.resistFingerprinting" is active.
+spawnTask(function* () {
+ yield setPref("privacy.resistFingerprinting", true);
+ is(navigator.mimeTypes["application/pdf"], undefined, "Don't reveal mime types");
+ is(navigator.mimeTypes.length, 0, "navigator.mimeTypes.length should be 0");
+ yield setPref("privacy.resistFingerprinting", false);
+ isnot(navigator.mimeTypes["application/pdf"], undefined),
+ // TODO: In Firefox 38, mimeTypes are not enumerable because of https://bugzilla.mozilla.org/757726.
+ // But mimeType enumeration was subsequently brought back by https://bugzilla.mozilla.org/1169945.
+ // So we'll need to include the following line in mozilla-central or TBB/FF45ESR:
+ // isnot(navigator.mimeTypes.length, 0, "navigator.mimeTypes.length should not be nonzero");
+ // TODO: We don't have any plugins in Tor Browser, but we will need to implement
+ // similar tests for plugins in mainline Firefox.
+ SimpleTest.finish();
+});
+
+</script>
+
+</body>
+</html>
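Review bot: the isnot(navigator.mimeTypes["application/pdf"], undefined), line in the spawnTask body ends in a comma rather than a semicolon and has no message argument, so it only works because the comma operator chains it to SimpleTest.finish(), and a failure would be reported without a description. End the statement with a semicolon and add a message. The commented-out length assertion also reads "should not be nonzero", which states the opposite of what it checks. The pref-off branch additionally assumes application/pdf is registered in the test profile; a comment saying so would help when the test is ported. As the TODO notes, the nsPluginArray half of the fix has no coverage here.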

[tor-browser/tor-browser-38.4.0esr-5.0-1] fixup! Bug #4234: Use the Firefox Update Process for Tor Browser.
by gk@torproject.org 10 Dec '15
commit 882edab1efebbdc1d502516fc698bdc8edfdf7d4
Author: Georg Koppen <gk(a)torproject.org>
Date: Wed Sep 9 14:04:54 2015 +0000
fixup! Bug #4234: Use the Firefox Update Process for Tor Browser.
This is part of the fix for bug 16909. We need to adapt our update
packaging tools to cope with the HTTPS Everywhere extension ID change
introduced by version 5.1.0.
---
tools/update-packaging/make_full_update.sh | 5 ++++-
tools/update-packaging/make_incremental_update.sh | 13 ++++++++-----
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/tools/update-packaging/make_full_update.sh b/tools/update-packaging/make_full_update.sh
index 62baf4c..3578ae4 100755
--- a/tools/update-packaging/make_full_update.sh
+++ b/tools/update-packaging/make_full_update.sh
@@ -11,7 +11,10 @@
. $(dirname "$0")/common.sh
# TODO: it would be better to pass this as a command line option.
-directories_to_remove='TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org'
+# Make sure we delete the pre 5.1.0 HTTPS Everywhere as well in case it
+# exists. The extension ID got changed with the version bump to 5.1.0.
+ext_path='TorBrowser/Data/Browser/profile.default/extensions'
+directories_to_remove="$ext_path/https-everywhere(a)eff.org $ext_path/https-everywhere-eff(a)eff.org"
# -----------------------------------------------------------------------------
diff --git a/tools/update-packaging/make_incremental_update.sh b/tools/update-packaging/make_incremental_update.sh
index 0e1e3f6..c803809 100755
--- a/tools/update-packaging/make_incremental_update.sh
+++ b/tools/update-packaging/make_incremental_update.sh
@@ -64,7 +64,8 @@ check_for_forced_update() {
fi
# If the file in the skip list ends with /*, do a prefix match.
- # This allows TorBrowser/Data/Browser/profile.default/extensions/https-everywhere(a)eff.org/* to be used to force all HTTPS Everywhere files to be updated.
+ # This allows TorBrowser/Data/Browser/profile.default/extensions/https-everywhere-eff(a)eff.org/*
+ # to be used to force all HTTPS Everywhere files to be updated.
f_suffix=${f##*/}
if [[ $f_suffix = "*" ]]; then
f_prefix="${f%\/\*}";
@@ -122,7 +123,7 @@ archivefiles="updatev2.manifest updatev3.manifest"
# If the NoScript or HTTPS Everywhere extensions have changed between
# releases, add them to the "force updates" list.
ext_path='TorBrowser/Data/Browser/profile.default/extensions'
-https_everywhere='https-everywhere(a)eff.org'
+https_everywhere='https-everywhere-eff(a)eff.org'
noscript='{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi'
# NoScript is a packed extension, so we simply compare the old and the new
@@ -144,12 +145,14 @@ https_everywhere_install_rdf="$ext_path/$https_everywhere/install.rdf"
diff "$olddir/$https_everywhere_install_rdf" \
"$newdir/$https_everywhere_install_rdf" > /dev/null
rc=$?
-if [ $rc -gt 1 ]; then
+if [ $rc -gt 1 -a -e "$olddir/$https_everywhere_install_rdf" ]; then
notice "Unexpected exit $rc from $https_everywhere_install_rdf diff command"
exit 2
-elif [ $rc -eq 1 ]; then
+elif [ $rc -ge 1 ]; then
requested_forced_updates="$requested_forced_updates $ext_path/$https_everywhere/*"
- directories_to_remove="$directories_to_remove $ext_path/$https_everywhere"
+ # Make sure we delete the pre 5.1.0 HTTPS Everywhere as well in case it
+ # exists. The extension ID got changed with the version bump to 5.1.0.
+ directories_to_remove="$directories_to_remove $ext_path/https-everywhere(a)eff.org $ext_path/$https_everywhere"
fi
mkdir -p "$workdir"
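Review bot: the reworked rc handling swallows genuine diff errors whenever the old install.rdf is absent. With [ $rc -gt 1 -a -e "$olddir/..." ] followed by elif [ $rc -ge 1 ], any exit status above 1 (unreadable file, missing install.rdf in $newdir) is treated as "extension changed" as long as the old file does not exist. Testing for the missing old file explicitly before running diff, and keeping rc greater than 1 as a hard error otherwise, separates the expected ID-rename case from real failures. The -a operator inside [ ] is also best replaced by two tests joined with &&.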

[tor-browser-bundle/hardened-builds] Bug 17801: Remove special tor patches
by gk@torproject.org 10 Dec '15
commit fe0fbddde4c008ceba36abe826daf75fd63b403d
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 09:04:42 2015 +0000
Bug 17801: Remove special tor patches
---
gitian/descriptors/linux/gitian-tor.yml | 14 -
gitian/descriptors/mac/gitian-tor.yml | 14 -
gitian/descriptors/windows/gitian-tor.yml | 14 -
gitian/patches/bug15482.patch | 40 --
gitian/patches/bug16430.patch | 93 ----
gitian/patches/bug16674.patch | 74 ---
gitian/patches/bug8402-master.patch | 732 -----------------------------
gitian/patches/bug8405.patch | 84 ----
8 files changed, 1065 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index f31aac9..630c2e0 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -23,11 +23,6 @@ files:
- "openssl-linux64-utils.zip"
- "libevent-linux64-utils.zip"
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "dzip.sh"
script: |
INSTDIR="$HOME/install"
@@ -73,15 +68,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
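Review bot: the commit message gives no reason for dropping the patches, while the removed block applied bug15482, bug16430 and bug16674 only when TOR_TAG starts with tor-0.2.6. A sentence stating that no versions file on this branch still pins a tor-0.2.6 tag, or that the fixes are contained in the pinned tag, would let a reviewer confirm that no build silently loses them. Note also that bug8402-master.patch and bug8405.patch were listed under files but are not applied anywhere in the removed script lines shown here, which is worth mentioning in the message too.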
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 857b5de..a6824c0 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
- "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
- "dzip.sh"
@@ -54,15 +49,6 @@ script: |
export LDFLAGS="-m64 -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/ -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/system/ -mmacosx-version-min=10.5"
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 601dc4e..63b527a 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "binutils.tar.bz2"
- "dzip.sh"
- "mingw-w64-win32-utils.zip"
@@ -54,15 +49,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
# We are building normal bundles without the console popping up and expert
diff --git a/gitian/patches/bug15482.patch b/gitian/patches/bug15482.patch
deleted file mode 100644
index df8a156..0000000
--- a/gitian/patches/bug15482.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 748414784f71126b093aa7466908e00f71a7b046 Mon Sep 17 00:00:00 2001
-From: Mike Perry <mikeperry-git(a)torproject.org>
-Date: Fri, 27 Mar 2015 12:57:37 -0700
-Subject: [PATCH] Bug 15482: Don't abandon circuits that are still in use for
- browsing.
-
-Only applies to connections with SOCKS auth set, so that non-web Tor
-activity is not affected.
-
-Simpler version of Nick's patch because the randomness worried me, and I'm not
-otherwise sure why we want a max here.
----
- src/or/circuituse.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/or/circuituse.c b/src/or/circuituse.c
-index d0d31ad..6cce4bf 100644
---- a/src/or/circuituse.c
-+++ b/src/or/circuituse.c
-@@ -2264,8 +2264,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn,
-
- base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
-
-- if (!circ->base_.timestamp_dirty)
-- circ->base_.timestamp_dirty = time(NULL);
-+ if (!circ->base_.timestamp_dirty) {
-+ circ->base_.timestamp_dirty = approx_time();
-+ } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
-+ (conn->socks_request->usernamelen ||
-+ conn->socks_request->passwordlen)) {
-+ /* When stream isolation is in use and controlled by an application
-+ * we are willing to keep using the stream. */
-+ circ->base_.timestamp_dirty = approx_time();
-+ }
-
- pathbias_count_use_attempt(circ);
-
---
-1.9.1
-
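Review bot: The `else if` branch in the deleted patch resets `circ->base_.timestamp_dirty` to `approx_time()` on every attach for SOCKS-auth streams with no upper bound, so a circuit that keeps receiving streams never ages out, and the commit message itself says the author was unsure why a max was wanted. Since deleting this file hands that behaviour over to whatever the tor source tree now contains, the commit message should say which tor version carries the equivalent change and whether it kept the unbounded form. Minor: the in-code comment says "keep using the stream" where the circuit is what is being kept.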
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
deleted file mode 100644
index 81bbe3e..0000000
--- a/gitian/patches/bug16430.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Wed, 24 Jun 2015 13:52:29 +0000
-Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
- checks.
-
-RFC 952 is approximately 30 years old, and people are failing to comply,
-by serving A records with '_' as part of the hostname. Since relaxing
-the check is a QOL improvement for our userbase, relax the check to
-allow such abominations as destinations, especially since there are
-likely to be other similarly misconfigured domains out there.
----
- changes/bug16430 | 4 ++++
- src/common/util.c | 7 +++++--
- src/test/test_util.c | 9 +++++++--
- 3 files changed, 16 insertions(+), 4 deletions(-)
- create mode 100644 changes/bug16430
-
-diff --git a/changes/bug16430 b/changes/bug16430
-new file mode 100644
-index 0000000..ca7b874
---- /dev/null
-+++ b/changes/bug16430
-@@ -0,0 +1,4 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ '_' to cope with domains observed in the wild that are serving non-RFC
-+ compliant records. Resolves ticket 16430.
-diff --git a/src/common/util.c b/src/common/util.c
-index 942d0c2..4490150 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
-
- /** Return true iff <b>string</b> matches a pattern of DNS names
- * that we allow Tor clients to connect to.
-+ *
-+ * Note: This allows certain technically invalid characters ('_') to cope
-+ * with misconfigured zones that have been encountered in the wild.
- */
- int
- string_is_valid_hostname(const char *string)
-@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
- smartlist_split_string(components,string,".",0,0);
-
- SMARTLIST_FOREACH_BEGIN(components, char *, c) {
-- if (c[0] == '-') {
-+ if ((c[0] == '-') || (*c == '_')) {
- result = 0;
- break;
- }
-@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
- (*c >= '0' && *c <= '9') ||
-- (*c == '-'))
-+ (*c == '-') || (*c == '_'))
- c++;
- else
- result = 0;
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index b0366db..0f64c26 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
- tt_assert(string_is_valid_hostname("stanford.edu"));
- tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
-
-- // Subdomain name cannot start with '-'.
-+ // Subdomain name cannot start with '-' or '_'.
- tt_assert(!string_is_valid_hostname("-torproject.org"));
- tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
- tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
-+ tt_assert(!string_is_valid_hostname("___abc.org"));
-
- // Hostnames cannot contain non-alphanumeric characters.
- tt_assert(!string_is_valid_hostname("%%domain.\\org."));
- tt_assert(!string_is_valid_hostname("***x.net"));
-- tt_assert(!string_is_valid_hostname("___abc.org"));
- tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
- tt_assert(!string_is_valid_hostname("word1 word2.net"));
-
-+ // Test workaround for nytimes.com stupidity, technically invalid,
-+ // but we allow it since they are big, even though they are failing to
-+ // comply with a ~30 year old standard.
-+ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-+
- // XXX: do we allow single-label DNS names?
-
- done:
---
-1.9.1
-
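Review bot: Test coverage for the relaxed `_` rule in the deleted patch is thin: `test_util_hostname_validation` gains one positive case with `_` inside a label (`core3_euw1.fabrik.nytimes.com`) and one negative case with a leading `_` (`___abc.org`), but nothing for `_` at the end of a label or in the final label. Before relying on the tor tree to carry this instead of the local patch, it is worth checking that the version being built has those cases pinned down. Style: the new condition mixes `c[0] == '-'` with `*c == '_'` in the same expression; one form would read better.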
diff --git a/gitian/patches/bug16674.patch b/gitian/patches/bug16674.patch
deleted file mode 100644
index 9497684..0000000
--- a/gitian/patches/bug16674.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 27 Jul 2015 12:58:40 +0000
-Subject: [PATCH] Allow a single trailing `.` when validating FQDNs from SOCKS.
-
-URI syntax (and DNS syntax) allows for a single trailing `.` to
-explicitly distinguish between a relative and absolute
-(fully-qualified) domain name. While this is redundant in that RFC 1928
-DOMAINNAME addresses are *always* fully-qualified, certain clients
-blindly pass the trailing `.` along in the request.
-
-Fixes bug 16674; bugfix on 0.2.6.2-alpha.
----
- changes/bug16674 | 5 +++++
- src/common/util.c | 6 ++++++
- src/test/test_util.c | 12 ++++++++++++
- 3 files changed, 23 insertions(+)
- create mode 100644 changes/bug16674
-
-diff --git a/changes/bug16674 b/changes/bug16674
-new file mode 100644
-index 0000000..de55523
---- /dev/null
-+++ b/changes/bug16674
-@@ -0,0 +1,5 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ a single trailing '.' to cope with clients that pass FQDNs using that
-+ syntax to explicitly indicate that the domain name is
-+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
-diff --git a/src/common/util.c b/src/common/util.c
-index 618e6a1..1aac4fc 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string)
- break;
- }
-
-+ /* Allow a single terminating '.' used rarely to indicate domains
-+ * are FQDNs rather than relative. */
-+ if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) {
-+ continue;
-+ }
-+
- do {
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index 0f64c26..2bffb17 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg)
- // comply with a ~30 year old standard.
- tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-
-+ // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy,
-+ // which is redundant since the spec states DOMAINNAME addresses are fully
-+ // qualified. While unusual, this should be tollerated.
-+ tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com."));
-+ tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com"));
-+ tt_assert(!string_is_valid_hostname("so.is..ft.com"));
-+ tt_assert(!string_is_valid_hostname("..."));
-+
- // XXX: do we allow single-label DNS names?
-+ // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name"
-+ // but only test pathologically malformed traling '.' cases for now.
-+ tt_assert(!string_is_valid_hostname("."));
-+ tt_assert(!string_is_valid_hostname(".."));
-
- done:
- return;
---
-1.9.1
-
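Review bot: The trailing-dot exemption `(c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c` in `string_is_valid_hostname` skips validation of the final empty component for any input with at least one preceding label, so a single label followed by a dot is treated exactly like the bare single label, and the added tests only cover `.`, `..`, `...` and multi-label names. The `XXX: do we allow single-label DNS names?` comment shows that question was still open, so a test for the single-label-plus-dot case would make the intended behaviour explicit in whichever tor version now replaces this patch. The added test comments also contain the typos "tollerated" and "traling".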
diff --git a/gitian/patches/bug8402-master.patch b/gitian/patches/bug8402-master.patch
deleted file mode 100644
index 5a6386a..0000000
--- a/gitian/patches/bug8402-master.patch
+++ /dev/null
@@ -1,732 +0,0 @@
-From 9d7410ac5837658efa9b2d7d85c0c71f09a7a759 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Tue, 25 Mar 2014 07:21:22 +0000
-Subject: [PATCH 1/5] Allow ClientTransportPlugins to use proxies
-
-This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with
-ClientTransportPlugins via the TOR_PT_PROXY extension to the
-pluggable transport specification.
-
-This fixes bug #8402.
----
- src/or/config.c | 13 ++++--
- src/or/connection.c | 62 +++++++++++++++++++++--------
- src/or/transports.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++--
- src/or/transports.h | 6 +++
- src/test/test_pt.c | 81 +++++++++++++++++++++++++++++++++++++
- 5 files changed, 251 insertions(+), 23 deletions(-)
-
-diff --git a/src/or/config.c b/src/or/config.c
-index 0f7b1d2..b33098e 100644
---- a/src/or/config.c
-+++ b/src/or/config.c
-@@ -3174,11 +3174,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
- }
- }
-
-- /* Check if more than one proxy type has been enabled. */
-+ /* Check if more than one exclusive proxy type has been enabled. */
- if (!!options->Socks4Proxy + !!options->Socks5Proxy +
-- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1)
-+ !!options->HTTPSProxy > 1)
- REJECT("You have configured more than one proxy type. "
-- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)");
-+ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-
- /* Check if the proxies will give surprising behavior. */
- if (options->HTTPProxy && !(options->Socks4Proxy ||
-@@ -4842,6 +4842,13 @@ parse_client_transport_line(const or_options_t *options,
- pt_kickstart_client_proxy(transport_list, proxy_argv);
- }
- } else { /* external */
-+ /* ClientTransportPlugins connecting through a proxy is managed only. */
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ log_warn(LD_CONFIG, "You have configured an external proxy with another "
-+ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-+ goto err;
-+ }
-+
- if (smartlist_len(transport_list) != 1) {
- log_warn(LD_CONFIG, "You can't have an external proxy with "
- "more than one transports.");
-diff --git a/src/or/connection.c b/src/or/connection.c
-index cef9172..b32cddf 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,6 +86,8 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
-+static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-+ int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -1689,14 +1691,14 @@ get_proxy_type(void)
- {
- const or_options_t *options = get_options();
-
-- if (options->HTTPSProxy)
-+ if (options->ClientTransportPlugin)
-+ return PROXY_PLUGGABLE;
-+ else if (options->HTTPSProxy)
- return PROXY_CONNECT;
- else if (options->Socks4Proxy)
- return PROXY_SOCKS4;
- else if (options->Socks5Proxy)
- return PROXY_SOCKS5;
-- else if (options->ClientTransportPlugin)
-- return PROXY_PLUGGABLE;
- else
- return PROXY_NONE;
- }
-@@ -4771,6 +4773,35 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-+ * pluggable transport or bridge we are using.
-+ * <b>conn</b> contains the connection we are using the PT/bridge for.
-+ *
-+ * Return 0 on success, -1 on failure.
-+ */
-+static int
-+get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-+ const connection_t *conn)
-+{
-+ const or_options_t *options = get_options();
-+
-+ if (options->ClientTransportPlugin || options->Bridges) {
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
-+ return 0;
-+ }
-+ }
-+
-+ return -1;
-+}
-+
-+/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4782,6 +4813,16 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- {
- const or_options_t *options = get_options();
-
-+ /* Client Transport Plugins can use another proxy, but that should be hidden
-+ * from the rest of tor (as the plugin is responsible for dealing with the
-+ * proxy), check it first, then check the rest of the proxy types to allow
-+ * the config to have unused ClientTransportPlugin entries.
-+ */
-+ if (options->ClientTransportPlugin) {
-+ if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ return 0;
-+ }
-+
- if (options->HTTPSProxy) {
- tor_addr_copy(addr, &options->HTTPSProxyAddr);
- *port = options->HTTPSProxyPort;
-@@ -4797,19 +4838,8 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->ClientTransportPlugin ||
-- options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-+ } else if (options->Bridges) {
-+ return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
-diff --git a/src/or/transports.c b/src/or/transports.c
-index dc30754..b810315 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -124,6 +124,8 @@ static INLINE void free_execve_args(char **arg);
- #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR"
- #define PROTO_CMETHODS_DONE "CMETHODS DONE"
- #define PROTO_SMETHODS_DONE "SMETHODS DONE"
-+#define PROTO_PROXY_DONE "PROXY DONE"
-+#define PROTO_PROXY_ERROR "PROXY-ERROR"
-
- /** The first and only supported - at the moment - configuration
- protocol version. */
-@@ -439,6 +441,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp)
- static int
- proxy_needs_restart(const managed_proxy_t *mp)
- {
-+ int ret = 1;
-+ char* proxy_uri;
-+
-+ /* If the PT proxy config has changed, then all existing pluggable transports
-+ * should be restarted.
-+ */
-+
-+ proxy_uri = get_pt_proxy_uri();
-+ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0)
-+ goto needs_restart;
-+
- /* mp->transport_to_launch is populated with the names of the
- transports that must be launched *after* the SIGHUP.
- mp->transports is populated with the transports that were
-@@ -459,10 +472,10 @@ proxy_needs_restart(const managed_proxy_t *mp)
-
- } SMARTLIST_FOREACH_END(t);
-
-- return 0;
--
-- needs_restart:
-- return 1;
-+ ret = 0;
-+needs_restart:
-+ tor_free(proxy_uri);
-+ return ret;
- }
-
- /** Managed proxy <b>mp</b> must be restarted. Do all the necessary
-@@ -493,6 +506,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp)
- SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t));
- smartlist_clear(mp->transports);
-
-+ /* Reset the proxy's HTTPS/SOCKS proxy */
-+ tor_free(mp->proxy_uri);
-+ mp->proxy_uri = get_pt_proxy_uri();
-+ mp->proxy_supported = 0;
-+
- /* flag it as an infant proxy so that it gets launched on next tick */
- mp->conf_state = PT_PROTO_INFANT;
- unconfigured_proxies_n++;
-@@ -727,12 +745,52 @@ managed_proxy_destroy(managed_proxy_t *mp,
- /* free the argv */
- free_execve_args(mp->argv);
-
-+ /* free the outgoing proxy URI */
-+ tor_free(mp->proxy_uri);
-+
- tor_process_handle_destroy(mp->process_handle, also_terminate_process);
- mp->process_handle = NULL;
-
- tor_free(mp);
- }
-
-+/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */
-+STATIC char *
-+get_pt_proxy_uri(void)
-+{
-+ const or_options_t *options = get_options();
-+ char *uri = NULL;
-+
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ char addr[TOR_ADDR_BUF_LEN+1];
-+
-+ if (options->Socks4Proxy) {
-+ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1);
-+ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort);
-+ } else if (options->Socks5Proxy) {
-+ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1);
-+ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) {
-+ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "socks5://%s:%s@%s:%d",
-+ options->Socks5ProxyUsername,
-+ options->Socks5ProxyPassword,
-+ addr, options->Socks5ProxyPort);
-+ }
-+ } else if (options->HTTPSProxy) {
-+ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1);
-+ if (!options->HTTPSProxyAuthenticator) {
-+ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator,
-+ addr, options->HTTPSProxyPort);
-+ }
-+ }
-+ }
-+
-+ return uri;
-+}
-+
- /** Handle a configured or broken managed proxy <b>mp</b>. */
- static void
- handle_finished_proxy(managed_proxy_t *mp)
-@@ -745,6 +803,12 @@ handle_finished_proxy(managed_proxy_t *mp)
- managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */
- break;
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
-+ if (mp->proxy_uri && !mp->proxy_supported) {
-+ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-+ "specified outgoing proxy.", mp->argv[0]);
-+ managed_proxy_destroy(mp, 1); /* annihilate it. */
-+ break;
-+ }
- register_proxy(mp); /* register its transports */
- mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */
- break;
-@@ -862,6 +926,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp)
- goto err;
-
- return;
-+ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ if (mp->proxy_uri) {
-+ mp->proxy_supported = 1;
-+ return;
-+ }
-+
-+ /* No proxy was configured, this should log */
-+ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ parse_proxy_error(line);
-+ goto err;
- } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) {
- /* managed proxy launch failed: parse error message to learn why. */
- int retval, child_state, saved_errno;
-@@ -1128,6 +1208,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp)
- return r;
- }
-
-+/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */
-+STATIC void
-+parse_proxy_error(const char *line)
-+{
-+ /* (Length of the protocol string) plus (a space) and (the first char of
-+ the error message) */
-+ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2))
-+ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error "
-+ "message.", PROTO_PROXY_ERROR);
-+
-+ log_warn(LD_CONFIG, "Managed proxy failed to configure the "
-+ "pluggable transport's outgoing proxy. (%s)",
-+ line+strlen(PROTO_PROXY_ERROR)+1);
-+}
-+
- /** Return a newly allocated string that tor should place in
- * TOR_PT_SERVER_TRANSPORT_OPTIONS while configuring the server
- * manged proxy in <b>mp</b>. Return NULL if no such options are found. */
-@@ -1292,6 +1387,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp)
- } else {
- smartlist_add_asprintf(envs, "TOR_PT_EXTENDED_SERVER_PORT=");
- }
-+ } else {
-+ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the
-+ * TOR_PT_PROXY line.
-+ */
-+
-+ if (mp->proxy_uri) {
-+ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri);
-+ }
- }
-
- SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) {
-@@ -1324,6 +1427,7 @@ managed_proxy_create(const smartlist_t *transport_list,
- mp->is_server = is_server;
- mp->argv = proxy_argv;
- mp->transports = smartlist_new();
-+ mp->proxy_uri = get_pt_proxy_uri();
-
- mp->transports_to_launch = smartlist_new();
- SMARTLIST_FOREACH(transport_list, const char *, transport,
-diff --git a/src/or/transports.h b/src/or/transports.h
-index 1365ead..bc2331d 100644
---- a/src/or/transports.h
-+++ b/src/or/transports.h
-@@ -81,6 +81,9 @@ typedef struct {
- char **argv; /* the cli arguments of this proxy */
- int conf_protocol; /* the configuration protocol version used */
-
-+ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */
-+ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */
-+
- int is_server; /* is it a server proxy? */
-
- /* A pointer to the process handle of this managed proxy. */
-@@ -112,6 +115,7 @@ STATIC int parse_smethod_line(const char *line, managed_proxy_t *mp);
-
- STATIC int parse_version(const char *line, managed_proxy_t *mp);
- STATIC void parse_env_error(const char *line);
-+STATIC void parse_proxy_error(const char *line);
- STATIC void handle_proxy_line(const char *line, managed_proxy_t *mp);
- STATIC char *get_transport_options_for_server_proxy(const managed_proxy_t *mp);
-
-@@ -123,6 +127,8 @@ STATIC managed_proxy_t *managed_proxy_create(const smartlist_t *transport_list,
-
- STATIC int configure_proxy(managed_proxy_t *mp);
-
-+STATIC char* get_pt_proxy_uri(void);
-+
- #endif
-
- #endif
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index f71627d..788d420 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -450,6 +450,85 @@ test_pt_configure_proxy(void *arg)
- tor_free(mp);
- }
-
-+/* Test the get_pt_proxy_uri() function. */
-+static void
-+test_get_pt_proxy_uri(void *arg)
-+{
-+ or_options_t *options = get_options_mutable();
-+ char *uri = NULL;
-+ int ret;
-+ (void) arg;
-+
-+ /* Test with no proxy. */
-+ uri = get_pt_proxy_uri();
-+ tt_assert(uri == NULL);
-+
-+ /* Test with a SOCKS4 proxy. */
-+ options->Socks4Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks4Proxy = NULL;
-+
-+ /* Test with a SOCKS5 proxy, no username/password. */
-+ options->Socks5Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks5Proxy,
-+ &options->Socks5ProxyAddr,
-+ &options->Socks5ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ /* Test with a SOCKS5 proxy, with username/password. */
-+ options->Socks5ProxyUsername = "hwest";
-+ options->Socks5ProxyPassword = "r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks5Proxy = NULL;
-+
-+ /* Test with a HTTPS proxy, no authenticator. */
-+ options->HTTPSProxy = "192.0.2.1:80";
-+ ret = tor_addr_port_lookup(options->HTTPSProxy,
-+ &options->HTTPSProxyAddr,
-+ &options->HTTPSProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://192.0.2.1:80");
-+ tor_free(uri);
-+
-+ /* Test with a HTTPS proxy, with authenticator. */
-+ options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
-+ tor_free(uri);
-+
-+ options->HTTPSProxy = NULL;
-+
-+ /* Token nod to the fact that IPv6 exists. */
-+ options->Socks4Proxy = "[2001:db8::1]:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
-+ tor_free(uri);
-+
-+
-+ done:
-+ if (uri)
-+ tor_free(uri);
-+}
-+
-+
- #define PT_LEGACY(name) \
- { #name, legacy_test_helper, 0, &legacy_setup, test_pt_ ## name }
-
-@@ -462,6 +541,8 @@ struct testcase_t pt_tests[] = {
- NULL, NULL },
- { "configure_proxy",test_pt_configure_proxy, TT_FORK,
- NULL, NULL },
-+ { "get_pt_proxy_uri", test_get_pt_proxy_uri, TT_FORK,
-+ NULL, NULL },
- END_OF_TESTCASES
- };
-
---
-2.0.0.rc2
-
-
-From 92eecbfee128b22b07bcc97ac36ecdd5183c2da7 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 14 Apr 2014 21:51:34 +0000
-Subject: [PATCH 2/5] Fixed the test build with --enable-gcc-warnings
-
----
- src/test/test_pt.c | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index 788d420..cfbd084 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -464,7 +464,7 @@ test_get_pt_proxy_uri(void *arg)
- tt_assert(uri == NULL);
-
- /* Test with a SOCKS4 proxy. */
-- options->Socks4Proxy = "192.0.2.1:1080";
-+ options->Socks4Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -472,11 +472,10 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks4Proxy = NULL;
-+ tor_free(options->Socks4Proxy);
-
- /* Test with a SOCKS5 proxy, no username/password. */
-- options->Socks5Proxy = "192.0.2.1:1080";
-+ options->Socks5Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks5Proxy,
- &options->Socks5ProxyAddr,
- &options->Socks5ProxyPort);
-@@ -486,16 +485,17 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a SOCKS5 proxy, with username/password. */
-- options->Socks5ProxyUsername = "hwest";
-- options->Socks5ProxyPassword = "r34n1m470r";
-+ options->Socks5ProxyUsername = tor_strdup("hwest");
-+ options->Socks5ProxyPassword = tor_strdup("r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks5Proxy = NULL;
-+ tor_free(options->Socks5Proxy);
-+ tor_free(options->Socks5ProxyUsername);
-+ tor_free(options->Socks5ProxyPassword);
-
- /* Test with a HTTPS proxy, no authenticator. */
-- options->HTTPSProxy = "192.0.2.1:80";
-+ options->HTTPSProxy = tor_strdup("192.0.2.1:80");
- ret = tor_addr_port_lookup(options->HTTPSProxy,
- &options->HTTPSProxyAddr,
- &options->HTTPSProxyPort);
-@@ -505,15 +505,15 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a HTTPS proxy, with authenticator. */
-- options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ options->HTTPSProxyAuthenticator = tor_strdup("hwest:r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
- tor_free(uri);
--
-- options->HTTPSProxy = NULL;
-+ tor_free(options->HTTPSProxy);
-+ tor_free(options->HTTPSProxyAuthenticator);
-
- /* Token nod to the fact that IPv6 exists. */
-- options->Socks4Proxy = "[2001:db8::1]:1080";
-+ options->Socks4Proxy = tor_strdup("[2001:db8::1]:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -521,7 +521,7 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
- tor_free(uri);
--
-+ tor_free(options->Socks4Proxy);
-
- done:
- if (uri)
---
-2.0.0.rc2
-
-
-From 8361223c10eb929b570e72853a5d9e51b67fd6c3 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:30:09 +0000
-Subject: [PATCH 3/5] Remove get_bridge_pt_addrport().
-
-The code was not disambiguating ClientTransportPlugin configured and
-not used, and ClientTransportPlugin configured, but in a failed state.
-
-The right thing to do is to undo moving the get_transport_by_addrport()
-call back into get_proxy_addrport(), and remove and explicit check for
-using a Bridge since by the time the check is made, if a Bridge is
-being used, it is PT/proxy-less.
----
- src/or/connection.c | 46 ++++++++++++----------------------------------
- 1 file changed, 12 insertions(+), 34 deletions(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index b32cddf..ff8cdf1 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,8 +86,6 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
--static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-- int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -4773,35 +4771,6 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-- * pluggable transport or bridge we are using.
-- * <b>conn</b> contains the connection we are using the PT/bridge for.
-- *
-- * Return 0 on success, -1 on failure.
-- */
--static int
--get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-- const connection_t *conn)
--{
-- const or_options_t *options = get_options();
--
-- if (options->ClientTransportPlugin || options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-- }
--
-- return -1;
--}
--
--/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4819,8 +4788,19 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- * the config to have unused ClientTransportPlugin entries.
- */
- if (options->ClientTransportPlugin) {
-- if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
- return 0;
-+ }
-+
-+ /* Unused ClientTransportPlugin. */
- }
-
- if (options->HTTPSProxy) {
-@@ -4838,8 +4818,6 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->Bridges) {
-- return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
---
-2.0.0.rc2
-
-
-From 68184b317d3f4dc14e758e451377e4e3996bd0ab Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:43:53 +0000
-Subject: [PATCH 4/5] Log the correct proxy type on failure.
-
-get_proxy_addrport fills in proxy_type with the correct value, so there
-is no point in logging something that's a "best guess" based off the
-config.
----
- src/or/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index ff8cdf1..5069ed6 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -4841,7 +4841,7 @@ log_failed_proxy_connection(connection_t *conn)
- log_warn(LD_NET,
- "The connection to the %s proxy server at %s just failed. "
- "Make sure that the proxy server is up and running.",
-- proxy_type_to_string(get_proxy_type()),
-+ proxy_type_to_string(proxy_type),
- fmt_addrport(&proxy_addr, proxy_port));
- }
-
---
-2.0.0.rc2
-
-
-From 34200a44fbbd3f158ea17043c2bcd21d0e382b89 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 18:58:53 +0000
-Subject: [PATCH 5/5] Improve the log message when a transport doesn't support
- proxies.
-
-Per feedback, explicltly note that the transport will be killed when it
-does not acknowledge the configured outgoing proxy.
----
- src/or/transports.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/or/transports.c b/src/or/transports.c
-index b810315..eee159d 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -805,7 +805,8 @@ handle_finished_proxy(managed_proxy_t *mp)
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
- if (mp->proxy_uri && !mp->proxy_supported) {
- log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-- "specified outgoing proxy.", mp->argv[0]);
-+ "specified outgoing proxy and will be terminated.",
-+ mp->argv[0]);
- managed_proxy_destroy(mp, 1); /* annihilate it. */
- break;
- }
---
-2.0.0.rc2
-
diff --git a/gitian/patches/bug8405.patch b/gitian/patches/bug8405.patch
deleted file mode 100644
index 3c40632..0000000
--- a/gitian/patches/bug8405.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From a298c77f7eba232154ff08ca1119b05ccd9eee9e Mon Sep 17 00:00:00 2001
-From: Arthur Edelstein <arthuredelstein(a)gmail.com>
-Date: Tue, 15 Jul 2014 21:27:59 -0700
-Subject: [PATCH] Bug #8405: Report SOCKS username/password in CIRC status
- events
-
-Introduces two new circuit status name-value parameters: SOCKS_USERNAME
-and SOCKS_PASSWORD. Values are enclosing in quotes and unusual characters
-are escaped.
-
-Example:
-
- 650 CIRC 5 EXTENDED [...] SOCKS_USERNAME="my_username" SOCKS_PASSWORD="my_password"
----
- src/common/util.c | 14 ++++++++++++++
- src/common/util.h | 1 +
- src/or/control.c | 14 ++++++++++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/src/common/util.c b/src/common/util.c
-index 8589344..64cee56 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1222,6 +1222,20 @@ esc_for_log(const char *s)
- return result;
- }
-
-+/** Similar to esc_for_log. Allocate and return a new string representing
-+ * the first n characters in <b>chars</b>, surround by quotes and using
-+ * standard C escapes. If a NUL character is encountered in <b>chars</b>,
-+ * the resulting string will be terminated there.
-+ */
-+char *
-+esc_for_log_len(const char *chars, size_t n)
-+{
-+ char *string = tor_strndup(chars, n);
-+ char *string_escaped = esc_for_log(string);
-+ tor_free(string);
-+ return string_escaped;
-+}
-+
- /** Allocate and return a new string representing the contents of <b>s</b>,
- * surrounded by quotes and using standard C escapes.
- *
-diff --git a/src/common/util.h b/src/common/util.h
-index 97367a9..50c5a3d 100644
---- a/src/common/util.h
-+++ b/src/common/util.h
-@@ -229,6 +229,7 @@ int tor_mem_is_zero(const char *mem, size_t len);
- int tor_digest_is_zero(const char *digest);
- int tor_digest256_is_zero(const char *digest);
- char *esc_for_log(const char *string) ATTR_MALLOC;
-+char *esc_for_log_len(const char *chars, size_t n) ATTR_MALLOC;
- const char *escaped(const char *string);
-
- char *tor_escape_str_for_pt_args(const char *string,
-diff --git a/src/or/control.c b/src/or/control.c
-index 9285fc5..aa46df6 100644
---- a/src/or/control.c
-+++ b/src/or/control.c
-@@ -1862,6 +1862,20 @@ circuit_describe_status_for_controller(origin_circuit_t *circ)
- smartlist_add_asprintf(descparts, "TIME_CREATED=%s", tbuf);
- }
-
-+ // Show username and/or password if available.
-+ if (circ->socks_username_len > 0) {
-+ char* socks_username_escaped = esc_for_log_len(circ->socks_username,
-+ (size_t) circ->socks_username_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_USERNAME=%s", socks_username_escaped);
-+ tor_free(socks_username_escaped);
-+ }
-+ if (circ->socks_password_len > 0) {
-+ char* socks_password_escaped = esc_for_log_len(circ->socks_password,
-+ (size_t) circ->socks_password_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_PASSWORD=%s", socks_password_escaped);
-+ tor_free(socks_password_escaped);
-+ }
-+
- rv = smartlist_join_strings(descparts, " ", 0, NULL);
-
- SMARTLIST_FOREACH(descparts, char *, cp, tor_free(cp));
---
-1.8.3.4 (Apple Git-47)
-
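Review bot: Deleting bug8405.patch removes the control.c change that appends SOCKS_USERNAME and SOCKS_PASSWORD to CIRC status events, and nothing in the lines shown says the tor being built already emits them. Please name the tor tag or upstream commit that carries this change, so that a controller reading these fields does not silently lose them. The patch reports the SOCKS password on the control port (escaped through esc_for_log_len), so it is also worth recording whether the upstream version still does.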

10 Dec '15
commit 9fc1f843da2a43bc7d3a8b53964e984dd86476e3
Author: Georg Koppen <gk(a)torproject.org>
Date: Thu Dec 10 09:04:42 2015 +0000
Bug 17801: Remove special tor patches
---
gitian/descriptors/linux/gitian-tor.yml | 14 -
gitian/descriptors/mac/gitian-tor.yml | 14 -
gitian/descriptors/windows/gitian-tor.yml | 14 -
gitian/patches/bug15482.patch | 40 --
gitian/patches/bug16430.patch | 93 ----
gitian/patches/bug16674.patch | 74 ---
gitian/patches/bug8402-master.patch | 732 -----------------------------
gitian/patches/bug8405.patch | 84 ----
8 files changed, 1065 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index d8e3557..0e35d2f 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -19,11 +19,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "dzip.sh"
- "openssl-linux32-utils.zip"
- "openssl-linux64-utils.zip"
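Review bot: All five patches leave the `files:` list here, but the script hunk that follows only drops `git am` calls for bug15482, bug16430 and bug16674. Either bug8402-master.patch and bug8405.patch were already unused inputs, or a reference to them survives outside the shown context. A grep of the descriptors for `bug8402` and `bug8405` before merging would settle it, and the commit message could say which case applies. The same holds for the mac and windows descriptors, which make the identical change.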
@@ -76,15 +71,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
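Review bot: The removed block only patched trees whose tag begins with `tor-0.2.6`, so dropping it is safe only if TOR_TAG no longer points at a 0.2.6 release, and the commit message does not say so. Suggest stating the tor version in which the three patches were merged, or keeping a short guard that fails the build while `${TOR_TAG::9}` is still `tor-0.2.6`. Removing the three GIT_COMMITTER_* exports looks consistent, since in the lines shown nothing other than `git am` creates commits.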
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 857b5de..a6824c0 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
- "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
- "dzip.sh"
@@ -54,15 +49,6 @@ script: |
export LDFLAGS="-m64 -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/ -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/system/ -mmacosx-version-min=10.5"
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
./autogen.sh
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 601dc4e..63b527a 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -15,11 +15,6 @@ remotes:
"dir": "tor"
files:
- "versions"
-- "bug8402-master.patch"
-- "bug8405.patch"
-- "bug15482.patch"
-- "bug16430.patch"
-- "bug16674.patch"
- "binutils.tar.bz2"
- "dzip.sh"
- "mingw-w64-win32-utils.zip"
@@ -54,15 +49,6 @@ script: |
# Building tor
cd tor
git update-index --refresh -q
- export GIT_COMMITTER_NAME="nobody"
- export GIT_COMMITTER_EMAIL="nobody@localhost"
- export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
- if [ ${TOR_TAG::9} == "tor-0.2.6" ];
- then
- git am ~/build/bug15482.patch
- git am ~/build/bug16430.patch
- git am ~/build/bug16674.patch
- fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
# We are building normal bundles without the console popping up and expert
diff --git a/gitian/patches/bug15482.patch b/gitian/patches/bug15482.patch
deleted file mode 100644
index df8a156..0000000
--- a/gitian/patches/bug15482.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 748414784f71126b093aa7466908e00f71a7b046 Mon Sep 17 00:00:00 2001
-From: Mike Perry <mikeperry-git(a)torproject.org>
-Date: Fri, 27 Mar 2015 12:57:37 -0700
-Subject: [PATCH] Bug 15482: Don't abandon circuits that are still in use for
- browsing.
-
-Only applies to connections with SOCKS auth set, so that non-web Tor
-activity is not affected.
-
-Simpler version of Nick's patch because the randomness worried me, and I'm not
-otherwise sure why we want a max here.
----
- src/or/circuituse.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/or/circuituse.c b/src/or/circuituse.c
-index d0d31ad..6cce4bf 100644
---- a/src/or/circuituse.c
-+++ b/src/or/circuituse.c
-@@ -2264,8 +2264,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn,
-
- base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
-
-- if (!circ->base_.timestamp_dirty)
-- circ->base_.timestamp_dirty = time(NULL);
-+ if (!circ->base_.timestamp_dirty) {
-+ circ->base_.timestamp_dirty = approx_time();
-+ } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
-+ (conn->socks_request->usernamelen ||
-+ conn->socks_request->passwordlen)) {
-+ /* When stream isolation is in use and controlled by an application
-+ * we are willing to keep using the stream. */
-+ circ->base_.timestamp_dirty = approx_time();
-+ }
-
- pathbias_count_use_attempt(circ);
-
---
-1.9.1
-
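Review bot: The deleted patch changes circuit lifetime: its `else if` branch refreshes `timestamp_dirty` on every attach for streams with ISO_SOCKSAUTH and a SOCKS username or password, with no upper bound (the patch message says the max was dropped on purpose). With the file gone, that behaviour depends entirely on the tor tag being built. A check on the new build that a circuit carrying SOCKS-auth-isolated streams is still reused for later streams would confirm nothing regressed.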
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
deleted file mode 100644
index 81bbe3e..0000000
--- a/gitian/patches/bug16430.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Wed, 24 Jun 2015 13:52:29 +0000
-Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
- checks.
-
-RFC 952 is approximately 30 years old, and people are failing to comply,
-by serving A records with '_' as part of the hostname. Since relaxing
-the check is a QOL improvement for our userbase, relax the check to
-allow such abominations as destinations, especially since there are
-likely to be other similarly misconfigured domains out there.
----
- changes/bug16430 | 4 ++++
- src/common/util.c | 7 +++++--
- src/test/test_util.c | 9 +++++++--
- 3 files changed, 16 insertions(+), 4 deletions(-)
- create mode 100644 changes/bug16430
-
-diff --git a/changes/bug16430 b/changes/bug16430
-new file mode 100644
-index 0000000..ca7b874
---- /dev/null
-+++ b/changes/bug16430
-@@ -0,0 +1,4 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ '_' to cope with domains observed in the wild that are serving non-RFC
-+ compliant records. Resolves ticket 16430.
-diff --git a/src/common/util.c b/src/common/util.c
-index 942d0c2..4490150 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
-
- /** Return true iff <b>string</b> matches a pattern of DNS names
- * that we allow Tor clients to connect to.
-+ *
-+ * Note: This allows certain technically invalid characters ('_') to cope
-+ * with misconfigured zones that have been encountered in the wild.
- */
- int
- string_is_valid_hostname(const char *string)
-@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
- smartlist_split_string(components,string,".",0,0);
-
- SMARTLIST_FOREACH_BEGIN(components, char *, c) {
-- if (c[0] == '-') {
-+ if ((c[0] == '-') || (*c == '_')) {
- result = 0;
- break;
- }
-@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
- (*c >= '0' && *c <= '9') ||
-- (*c == '-'))
-+ (*c == '-') || (*c == '_'))
- c++;
- else
- result = 0;
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index b0366db..0f64c26 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
- tt_assert(string_is_valid_hostname("stanford.edu"));
- tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
-
-- // Subdomain name cannot start with '-'.
-+ // Subdomain name cannot start with '-' or '_'.
- tt_assert(!string_is_valid_hostname("-torproject.org"));
- tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
- tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
-+ tt_assert(!string_is_valid_hostname("___abc.org"));
-
- // Hostnames cannot contain non-alphanumeric characters.
- tt_assert(!string_is_valid_hostname("%%domain.\\org."));
- tt_assert(!string_is_valid_hostname("***x.net"));
-- tt_assert(!string_is_valid_hostname("___abc.org"));
- tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
- tt_assert(!string_is_valid_hostname("word1 word2.net"));
-
-+ // Test workaround for nytimes.com stupidity, technically invalid,
-+ // but we allow it since they are big, even though they are failing to
-+ // comply with a ~30 year old standard.
-+ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-+
- // XXX: do we allow single-label DNS names?
-
- done:
---
-1.9.1
-
diff --git a/gitian/patches/bug16674.patch b/gitian/patches/bug16674.patch
deleted file mode 100644
index 9497684..0000000
--- a/gitian/patches/bug16674.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 27 Jul 2015 12:58:40 +0000
-Subject: [PATCH] Allow a single trailing `.` when validating FQDNs from SOCKS.
-
-URI syntax (and DNS syntax) allows for a single trailing `.` to
-explicitly distinguish between a relative and absolute
-(fully-qualified) domain name. While this is redundant in that RFC 1928
-DOMAINNAME addresses are *always* fully-qualified, certain clients
-blindly pass the trailing `.` along in the request.
-
-Fixes bug 16674; bugfix on 0.2.6.2-alpha.
----
- changes/bug16674 | 5 +++++
- src/common/util.c | 6 ++++++
- src/test/test_util.c | 12 ++++++++++++
- 3 files changed, 23 insertions(+)
- create mode 100644 changes/bug16674
-
-diff --git a/changes/bug16674 b/changes/bug16674
-new file mode 100644
-index 0000000..de55523
---- /dev/null
-+++ b/changes/bug16674
-@@ -0,0 +1,5 @@
-+ o Minor features (client):
-+ - Relax the validation done to hostnames in SOCKS5 requests, and allow
-+ a single trailing '.' to cope with clients that pass FQDNs using that
-+ syntax to explicitly indicate that the domain name is
-+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
-diff --git a/src/common/util.c b/src/common/util.c
-index 618e6a1..1aac4fc 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string)
- break;
- }
-
-+ /* Allow a single terminating '.' used rarely to indicate domains
-+ * are FQDNs rather than relative. */
-+ if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) {
-+ continue;
-+ }
-+
- do {
- if ((*c >= 'a' && *c <= 'z') ||
- (*c >= 'A' && *c <= 'Z') ||
-diff --git a/src/test/test_util.c b/src/test/test_util.c
-index 0f64c26..2bffb17 100644
---- a/src/test/test_util.c
-+++ b/src/test/test_util.c
-@@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg)
- // comply with a ~30 year old standard.
- tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
-
-+ // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy,
-+ // which is redundant since the spec states DOMAINNAME addresses are fully
-+ // qualified. While unusual, this should be tollerated.
-+ tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com."));
-+ tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com"));
-+ tt_assert(!string_is_valid_hostname("so.is..ft.com"));
-+ tt_assert(!string_is_valid_hostname("..."));
-+
- // XXX: do we allow single-label DNS names?
-+ // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name"
-+ // but only test pathologically malformed traling '.' cases for now.
-+ tt_assert(!string_is_valid_hostname("."));
-+ tt_assert(!string_is_valid_hostname(".."));
-
- done:
- return;
---
-1.9.1
-
diff --git a/gitian/patches/bug8402-master.patch b/gitian/patches/bug8402-master.patch
deleted file mode 100644
index 5a6386a..0000000
--- a/gitian/patches/bug8402-master.patch
+++ /dev/null
@@ -1,732 +0,0 @@
-From 9d7410ac5837658efa9b2d7d85c0c71f09a7a759 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Tue, 25 Mar 2014 07:21:22 +0000
-Subject: [PATCH 1/5] Allow ClientTransportPlugins to use proxies
-
-This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with
-ClientTransportPlugins via the TOR_PT_PROXY extension to the
-pluggable transport specification.
-
-This fixes bug #8402.
----
- src/or/config.c | 13 ++++--
- src/or/connection.c | 62 +++++++++++++++++++++--------
- src/or/transports.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++--
- src/or/transports.h | 6 +++
- src/test/test_pt.c | 81 +++++++++++++++++++++++++++++++++++++
- 5 files changed, 251 insertions(+), 23 deletions(-)
-
-diff --git a/src/or/config.c b/src/or/config.c
-index 0f7b1d2..b33098e 100644
---- a/src/or/config.c
-+++ b/src/or/config.c
-@@ -3174,11 +3174,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
- }
- }
-
-- /* Check if more than one proxy type has been enabled. */
-+ /* Check if more than one exclusive proxy type has been enabled. */
- if (!!options->Socks4Proxy + !!options->Socks5Proxy +
-- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1)
-+ !!options->HTTPSProxy > 1)
- REJECT("You have configured more than one proxy type. "
-- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)");
-+ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-
- /* Check if the proxies will give surprising behavior. */
- if (options->HTTPProxy && !(options->Socks4Proxy ||
-@@ -4842,6 +4842,13 @@ parse_client_transport_line(const or_options_t *options,
- pt_kickstart_client_proxy(transport_list, proxy_argv);
- }
- } else { /* external */
-+ /* ClientTransportPlugins connecting through a proxy is managed only. */
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ log_warn(LD_CONFIG, "You have configured an external proxy with another "
-+ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)");
-+ goto err;
-+ }
-+
- if (smartlist_len(transport_list) != 1) {
- log_warn(LD_CONFIG, "You can't have an external proxy with "
- "more than one transports.");
-diff --git a/src/or/connection.c b/src/or/connection.c
-index cef9172..b32cddf 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,6 +86,8 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
-+static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-+ int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -1689,14 +1691,14 @@ get_proxy_type(void)
- {
- const or_options_t *options = get_options();
-
-- if (options->HTTPSProxy)
-+ if (options->ClientTransportPlugin)
-+ return PROXY_PLUGGABLE;
-+ else if (options->HTTPSProxy)
- return PROXY_CONNECT;
- else if (options->Socks4Proxy)
- return PROXY_SOCKS4;
- else if (options->Socks5Proxy)
- return PROXY_SOCKS5;
-- else if (options->ClientTransportPlugin)
-- return PROXY_PLUGGABLE;
- else
- return PROXY_NONE;
- }
-@@ -4771,6 +4773,35 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-+ * pluggable transport or bridge we are using.
-+ * <b>conn</b> contains the connection we are using the PT/bridge for.
-+ *
-+ * Return 0 on success, -1 on failure.
-+ */
-+static int
-+get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-+ const connection_t *conn)
-+{
-+ const or_options_t *options = get_options();
-+
-+ if (options->ClientTransportPlugin || options->Bridges) {
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
-+ return 0;
-+ }
-+ }
-+
-+ return -1;
-+}
-+
-+/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4782,6 +4813,16 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- {
- const or_options_t *options = get_options();
-
-+ /* Client Transport Plugins can use another proxy, but that should be hidden
-+ * from the rest of tor (as the plugin is responsible for dealing with the
-+ * proxy), check it first, then check the rest of the proxy types to allow
-+ * the config to have unused ClientTransportPlugin entries.
-+ */
-+ if (options->ClientTransportPlugin) {
-+ if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ return 0;
-+ }
-+
- if (options->HTTPSProxy) {
- tor_addr_copy(addr, &options->HTTPSProxyAddr);
- *port = options->HTTPSProxyPort;
-@@ -4797,19 +4838,8 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->ClientTransportPlugin ||
-- options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-+ } else if (options->Bridges) {
-+ return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
-diff --git a/src/or/transports.c b/src/or/transports.c
-index dc30754..b810315 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -124,6 +124,8 @@ static INLINE void free_execve_args(char **arg);
- #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR"
- #define PROTO_CMETHODS_DONE "CMETHODS DONE"
- #define PROTO_SMETHODS_DONE "SMETHODS DONE"
-+#define PROTO_PROXY_DONE "PROXY DONE"
-+#define PROTO_PROXY_ERROR "PROXY-ERROR"
-
- /** The first and only supported - at the moment - configuration
- protocol version. */
-@@ -439,6 +441,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp)
- static int
- proxy_needs_restart(const managed_proxy_t *mp)
- {
-+ int ret = 1;
-+ char* proxy_uri;
-+
-+ /* If the PT proxy config has changed, then all existing pluggable transports
-+ * should be restarted.
-+ */
-+
-+ proxy_uri = get_pt_proxy_uri();
-+ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0)
-+ goto needs_restart;
-+
- /* mp->transport_to_launch is populated with the names of the
- transports that must be launched *after* the SIGHUP.
- mp->transports is populated with the transports that were
-@@ -459,10 +472,10 @@ proxy_needs_restart(const managed_proxy_t *mp)
-
- } SMARTLIST_FOREACH_END(t);
-
-- return 0;
--
-- needs_restart:
-- return 1;
-+ ret = 0;
-+needs_restart:
-+ tor_free(proxy_uri);
-+ return ret;
- }
-
- /** Managed proxy <b>mp</b> must be restarted. Do all the necessary
-@@ -493,6 +506,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp)
- SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t));
- smartlist_clear(mp->transports);
-
-+ /* Reset the proxy's HTTPS/SOCKS proxy */
-+ tor_free(mp->proxy_uri);
-+ mp->proxy_uri = get_pt_proxy_uri();
-+ mp->proxy_supported = 0;
-+
- /* flag it as an infant proxy so that it gets launched on next tick */
- mp->conf_state = PT_PROTO_INFANT;
- unconfigured_proxies_n++;
-@@ -727,12 +745,52 @@ managed_proxy_destroy(managed_proxy_t *mp,
- /* free the argv */
- free_execve_args(mp->argv);
-
-+ /* free the outgoing proxy URI */
-+ tor_free(mp->proxy_uri);
-+
- tor_process_handle_destroy(mp->process_handle, also_terminate_process);
- mp->process_handle = NULL;
-
- tor_free(mp);
- }
-
-+/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */
-+STATIC char *
-+get_pt_proxy_uri(void)
-+{
-+ const or_options_t *options = get_options();
-+ char *uri = NULL;
-+
-+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) {
-+ char addr[TOR_ADDR_BUF_LEN+1];
-+
-+ if (options->Socks4Proxy) {
-+ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1);
-+ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort);
-+ } else if (options->Socks5Proxy) {
-+ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1);
-+ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) {
-+ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "socks5://%s:%s@%s:%d",
-+ options->Socks5ProxyUsername,
-+ options->Socks5ProxyPassword,
-+ addr, options->Socks5ProxyPort);
-+ }
-+ } else if (options->HTTPSProxy) {
-+ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1);
-+ if (!options->HTTPSProxyAuthenticator) {
-+ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort);
-+ } else {
-+ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator,
-+ addr, options->HTTPSProxyPort);
-+ }
-+ }
-+ }
-+
-+ return uri;
-+}
-+
- /** Handle a configured or broken managed proxy <b>mp</b>. */
- static void
- handle_finished_proxy(managed_proxy_t *mp)
-@@ -745,6 +803,12 @@ handle_finished_proxy(managed_proxy_t *mp)
- managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */
- break;
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
-+ if (mp->proxy_uri && !mp->proxy_supported) {
-+ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-+ "specified outgoing proxy.", mp->argv[0]);
-+ managed_proxy_destroy(mp, 1); /* annihilate it. */
-+ break;
-+ }
- register_proxy(mp); /* register its transports */
- mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */
- break;
-@@ -862,6 +926,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp)
- goto err;
-
- return;
-+ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ if (mp->proxy_uri) {
-+ mp->proxy_supported = 1;
-+ return;
-+ }
-+
-+ /* No proxy was configured, this should log */
-+ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) {
-+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS)
-+ goto err;
-+
-+ parse_proxy_error(line);
-+ goto err;
- } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) {
- /* managed proxy launch failed: parse error message to learn why. */
- int retval, child_state, saved_errno;
-@@ -1128,6 +1208,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp)
- return r;
- }
-
-+/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */
-+STATIC void
-+parse_proxy_error(const char *line)
-+{
-+ /* (Length of the protocol string) plus (a space) and (the first char of
-+ the error message) */
-+ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2))
-+ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error "
-+ "message.", PROTO_PROXY_ERROR);
-+
-+ log_warn(LD_CONFIG, "Managed proxy failed to configure the "
-+ "pluggable transport's outgoing proxy. (%s)",
-+ line+strlen(PROTO_PROXY_ERROR)+1);
-+}
-+
- /** Return a newly allocated string that tor should place in
- * TOR_PT_SERVER_TRANSPORT_OPTIONS while configuring the server
- * manged proxy in <b>mp</b>. Return NULL if no such options are found. */
-@@ -1292,6 +1387,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp)
- } else {
- smartlist_add_asprintf(envs, "TOR_PT_EXTENDED_SERVER_PORT=");
- }
-+ } else {
-+ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the
-+ * TOR_PT_PROXY line.
-+ */
-+
-+ if (mp->proxy_uri) {
-+ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri);
-+ }
- }
-
- SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) {
-@@ -1324,6 +1427,7 @@ managed_proxy_create(const smartlist_t *transport_list,
- mp->is_server = is_server;
- mp->argv = proxy_argv;
- mp->transports = smartlist_new();
-+ mp->proxy_uri = get_pt_proxy_uri();
-
- mp->transports_to_launch = smartlist_new();
- SMARTLIST_FOREACH(transport_list, const char *, transport,
-diff --git a/src/or/transports.h b/src/or/transports.h
-index 1365ead..bc2331d 100644
---- a/src/or/transports.h
-+++ b/src/or/transports.h
-@@ -81,6 +81,9 @@ typedef struct {
- char **argv; /* the cli arguments of this proxy */
- int conf_protocol; /* the configuration protocol version used */
-
-+ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */
-+ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */
-+
- int is_server; /* is it a server proxy? */
-
- /* A pointer to the process handle of this managed proxy. */
-@@ -112,6 +115,7 @@ STATIC int parse_smethod_line(const char *line, managed_proxy_t *mp);
-
- STATIC int parse_version(const char *line, managed_proxy_t *mp);
- STATIC void parse_env_error(const char *line);
-+STATIC void parse_proxy_error(const char *line);
- STATIC void handle_proxy_line(const char *line, managed_proxy_t *mp);
- STATIC char *get_transport_options_for_server_proxy(const managed_proxy_t *mp);
-
-@@ -123,6 +127,8 @@ STATIC managed_proxy_t *managed_proxy_create(const smartlist_t *transport_list,
-
- STATIC int configure_proxy(managed_proxy_t *mp);
-
-+STATIC char* get_pt_proxy_uri(void);
-+
- #endif
-
- #endif
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index f71627d..788d420 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -450,6 +450,85 @@ test_pt_configure_proxy(void *arg)
- tor_free(mp);
- }
-
-+/* Test the get_pt_proxy_uri() function. */
-+static void
-+test_get_pt_proxy_uri(void *arg)
-+{
-+ or_options_t *options = get_options_mutable();
-+ char *uri = NULL;
-+ int ret;
-+ (void) arg;
-+
-+ /* Test with no proxy. */
-+ uri = get_pt_proxy_uri();
-+ tt_assert(uri == NULL);
-+
-+ /* Test with a SOCKS4 proxy. */
-+ options->Socks4Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks4Proxy = NULL;
-+
-+ /* Test with a SOCKS5 proxy, no username/password. */
-+ options->Socks5Proxy = "192.0.2.1:1080";
-+ ret = tor_addr_port_lookup(options->Socks5Proxy,
-+ &options->Socks5ProxyAddr,
-+ &options->Socks5ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ /* Test with a SOCKS5 proxy, with username/password. */
-+ options->Socks5ProxyUsername = "hwest";
-+ options->Socks5ProxyPassword = "r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
-+ tor_free(uri);
-+
-+ options->Socks5Proxy = NULL;
-+
-+ /* Test with a HTTPS proxy, no authenticator. */
-+ options->HTTPSProxy = "192.0.2.1:80";
-+ ret = tor_addr_port_lookup(options->HTTPSProxy,
-+ &options->HTTPSProxyAddr,
-+ &options->HTTPSProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://192.0.2.1:80");
-+ tor_free(uri);
-+
-+ /* Test with a HTTPS proxy, with authenticator. */
-+ options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
-+ tor_free(uri);
-+
-+ options->HTTPSProxy = NULL;
-+
-+ /* Token nod to the fact that IPv6 exists. */
-+ options->Socks4Proxy = "[2001:db8::1]:1080";
-+ ret = tor_addr_port_lookup(options->Socks4Proxy,
-+ &options->Socks4ProxyAddr,
-+ &options->Socks4ProxyPort);
-+ tt_assert(ret == 0);
-+ uri = get_pt_proxy_uri();
-+ tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
-+ tor_free(uri);
-+
-+
-+ done:
-+ if (uri)
-+ tor_free(uri);
-+}
-+
-+
- #define PT_LEGACY(name) \
- { #name, legacy_test_helper, 0, &legacy_setup, test_pt_ ## name }
-
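Review bot: The credential cases in test_get_pt_proxy_uri() (the SOCKS5 username/password block and the HTTPSProxyAuthenticator block) only use alphanumeric values, so nothing pins down what get_pt_proxy_uri() returns when a username or password contains `@`, `:`, `/` or `%`. The credentials end up in the userinfo part of the URI handed to the transport, so add a case with reserved characters and assert the exact escaped string; without it, a password containing `@` could move where the host part appears to begin for whatever parses the URI.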
-@@ -462,6 +541,8 @@ struct testcase_t pt_tests[] = {
- NULL, NULL },
- { "configure_proxy",test_pt_configure_proxy, TT_FORK,
- NULL, NULL },
-+ { "get_pt_proxy_uri", test_get_pt_proxy_uri, TT_FORK,
-+ NULL, NULL },
- END_OF_TESTCASES
- };
-
---
-2.0.0.rc2
-
-
-From 92eecbfee128b22b07bcc97ac36ecdd5183c2da7 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Mon, 14 Apr 2014 21:51:34 +0000
-Subject: [PATCH 2/5] Fixed the test build with --enable-gcc-warnings
-
----
- src/test/test_pt.c | 28 ++++++++++++++--------------
- 1 file changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/src/test/test_pt.c b/src/test/test_pt.c
-index 788d420..cfbd084 100644
---- a/src/test/test_pt.c
-+++ b/src/test/test_pt.c
-@@ -464,7 +464,7 @@ test_get_pt_proxy_uri(void *arg)
- tt_assert(uri == NULL);
-
- /* Test with a SOCKS4 proxy. */
-- options->Socks4Proxy = "192.0.2.1:1080";
-+ options->Socks4Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -472,11 +472,10 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks4Proxy = NULL;
-+ tor_free(options->Socks4Proxy);
-
- /* Test with a SOCKS5 proxy, no username/password. */
-- options->Socks5Proxy = "192.0.2.1:1080";
-+ options->Socks5Proxy = tor_strdup("192.0.2.1:1080");
- ret = tor_addr_port_lookup(options->Socks5Proxy,
- &options->Socks5ProxyAddr,
- &options->Socks5ProxyPort);
-@@ -486,16 +485,17 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a SOCKS5 proxy, with username/password. */
-- options->Socks5ProxyUsername = "hwest";
-- options->Socks5ProxyPassword = "r34n1m470r";
-+ options->Socks5ProxyUsername = tor_strdup("hwest");
-+ options->Socks5ProxyPassword = tor_strdup("r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080");
- tor_free(uri);
--
-- options->Socks5Proxy = NULL;
-+ tor_free(options->Socks5Proxy);
-+ tor_free(options->Socks5ProxyUsername);
-+ tor_free(options->Socks5ProxyPassword);
-
- /* Test with a HTTPS proxy, no authenticator. */
-- options->HTTPSProxy = "192.0.2.1:80";
-+ options->HTTPSProxy = tor_strdup("192.0.2.1:80");
- ret = tor_addr_port_lookup(options->HTTPSProxy,
- &options->HTTPSProxyAddr,
- &options->HTTPSProxyPort);
-@@ -505,15 +505,15 @@ test_get_pt_proxy_uri(void *arg)
- tor_free(uri);
-
- /* Test with a HTTPS proxy, with authenticator. */
-- options->HTTPSProxyAuthenticator = "hwest:r34n1m470r";
-+ options->HTTPSProxyAuthenticator = tor_strdup("hwest:r34n1m470r");
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80");
- tor_free(uri);
--
-- options->HTTPSProxy = NULL;
-+ tor_free(options->HTTPSProxy);
-+ tor_free(options->HTTPSProxyAuthenticator);
-
- /* Token nod to the fact that IPv6 exists. */
-- options->Socks4Proxy = "[2001:db8::1]:1080";
-+ options->Socks4Proxy = tor_strdup("[2001:db8::1]:1080");
- ret = tor_addr_port_lookup(options->Socks4Proxy,
- &options->Socks4ProxyAddr,
- &options->Socks4ProxyPort);
-@@ -521,7 +521,7 @@ test_get_pt_proxy_uri(void *arg)
- uri = get_pt_proxy_uri();
- tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080");
- tor_free(uri);
--
-+ tor_free(options->Socks4Proxy);
-
- done:
- if (uri)
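Review bot: Every `tor_free(options->...)` added in these hunks sits on the success path only. A failing `tt_assert` or `tt_str_op` jumps to `done:`, which frees just `uri`, so the strdup'd proxy strings and credentials leak and stay set in the mutable options. Move the option cleanup under `done:`; tor_free() is NULL-safe, so the `if (uri)` guard there can be dropped as well.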
---
-2.0.0.rc2
-
-
-From 8361223c10eb929b570e72853a5d9e51b67fd6c3 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:30:09 +0000
-Subject: [PATCH 3/5] Remove get_bridge_pt_addrport().
-
-The code was not disambiguating ClientTransportPlugin configured and
-not used, and ClientTransportPlugin configured, but in a failed state.
-
-The right thing to do is to undo moving the get_transport_by_addrport()
-call back into get_proxy_addrport(), and remove and explicit check for
-using a Bridge since by the time the check is made, if a Bridge is
-being used, it is PT/proxy-less.
----
- src/or/connection.c | 46 ++++++++++++----------------------------------
- 1 file changed, 12 insertions(+), 34 deletions(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index b32cddf..ff8cdf1 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -86,8 +86,6 @@ static int connection_read_https_proxy_response(connection_t *conn);
- static void connection_send_socks5_connect(connection_t *conn);
- static const char *proxy_type_to_string(int proxy_type);
- static int get_proxy_type(void);
--static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port,
-- int *proxy_type, const connection_t *conn);
-
- /** The last addresses that our network interface seemed to have been
- * binding to. We use this as one way to detect when our IP changes.
-@@ -4773,35 +4771,6 @@ assert_connection_ok(connection_t *conn, time_t now)
- }
-
- /** Fills <b>addr</b> and <b>port</b> with the details of the global
-- * pluggable transport or bridge we are using.
-- * <b>conn</b> contains the connection we are using the PT/bridge for.
-- *
-- * Return 0 on success, -1 on failure.
-- */
--static int
--get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
-- const connection_t *conn)
--{
-- const or_options_t *options = get_options();
--
-- if (options->ClientTransportPlugin || options->Bridges) {
-- const transport_t *transport = NULL;
-- int r;
-- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-- if (r<0)
-- return -1;
-- if (transport) { /* transport found */
-- tor_addr_copy(addr, &transport->addr);
-- *port = transport->port;
-- *proxy_type = transport->socks_version;
-- return 0;
-- }
-- }
--
-- return -1;
--}
--
--/** Fills <b>addr</b> and <b>port</b> with the details of the global
- * proxy server we are using.
- * <b>conn</b> contains the connection we are using the proxy for.
- *
-@@ -4819,8 +4788,19 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- * the config to have unused ClientTransportPlugin entries.
- */
- if (options->ClientTransportPlugin) {
-- if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0)
-+ const transport_t *transport = NULL;
-+ int r;
-+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport);
-+ if (r<0)
-+ return -1;
-+ if (transport) { /* transport found */
-+ tor_addr_copy(addr, &transport->addr);
-+ *port = transport->port;
-+ *proxy_type = transport->socks_version;
- return 0;
-+ }
-+
-+ /* Unused ClientTransportPlugin. */
- }
-
- if (options->HTTPSProxy) {
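Review bot: On the `if (r<0) return -1;` branch of get_proxy_addrport(), `addr`, `port` and `proxy_type` are left untouched, while the no-proxy path further down resets `addr` with tor_addr_make_unspec(). A caller that reads the outputs after a -1 would see stale or uninitialized values, so set them to an unspecified state before returning. That branch is the configured-but-failed transport case the commit message describes and deserves a comment saying so, to match the `/* Unused ClientTransportPlugin. */` comment on the fall-through.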
-@@ -4838,8 +4818,6 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type,
- *port = options->Socks5ProxyPort;
- *proxy_type = PROXY_SOCKS5;
- return 0;
-- } else if (options->Bridges) {
-- return get_bridge_pt_addrport(addr, port, proxy_type, conn);
- }
-
- tor_addr_make_unspec(addr);
---
-2.0.0.rc2
-
-
-From 68184b317d3f4dc14e758e451377e4e3996bd0ab Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 03:43:53 +0000
-Subject: [PATCH 4/5] Log the correct proxy type on failure.
-
-get_proxy_addrport fills in proxy_type with the correct value, so there
-is no point in logging something that's a "best guess" based off the
-config.
----
- src/or/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/or/connection.c b/src/or/connection.c
-index ff8cdf1..5069ed6 100644
---- a/src/or/connection.c
-+++ b/src/or/connection.c
-@@ -4841,7 +4841,7 @@ log_failed_proxy_connection(connection_t *conn)
- log_warn(LD_NET,
- "The connection to the %s proxy server at %s just failed. "
- "Make sure that the proxy server is up and running.",
-- proxy_type_to_string(get_proxy_type()),
-+ proxy_type_to_string(proxy_type),
- fmt_addrport(&proxy_addr, proxy_port));
- }
-
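Review bot: `proxy_type` in this log_warn() call is only meaningful if the get_proxy_addrport() call that fills it succeeded, and that call and its return check are outside the context shown in this hunk. Confirm that log_failed_proxy_connection() returns early on failure before reaching the log_warn(), and initialize `proxy_type` at its declaration so a failed lookup can never log a garbage type.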
---
-2.0.0.rc2
-
-
-From 34200a44fbbd3f158ea17043c2bcd21d0e382b89 Mon Sep 17 00:00:00 2001
-From: Yawning Angel <yawning(a)schwanenlied.me>
-Date: Thu, 1 May 2014 18:58:53 +0000
-Subject: [PATCH 5/5] Improve the log message when a transport doesn't support
- proxies.
-
-Per feedback, explicltly note that the transport will be killed when it
-does not acknowledge the configured outgoing proxy.
----
- src/or/transports.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/or/transports.c b/src/or/transports.c
-index b810315..eee159d 100644
---- a/src/or/transports.c
-+++ b/src/or/transports.c
-@@ -805,7 +805,8 @@ handle_finished_proxy(managed_proxy_t *mp)
- case PT_PROTO_CONFIGURED: /* if configured correctly: */
- if (mp->proxy_uri && !mp->proxy_supported) {
- log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the "
-- "specified outgoing proxy.", mp->argv[0]);
-+ "specified outgoing proxy and will be terminated.",
-+ mp->argv[0]);
- managed_proxy_destroy(mp, 1); /* annihilate it. */
- break;
- }
---
-2.0.0.rc2
-
diff --git a/gitian/patches/bug8405.patch b/gitian/patches/bug8405.patch
deleted file mode 100644
index 3c40632..0000000
--- a/gitian/patches/bug8405.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From a298c77f7eba232154ff08ca1119b05ccd9eee9e Mon Sep 17 00:00:00 2001
-From: Arthur Edelstein <arthuredelstein(a)gmail.com>
-Date: Tue, 15 Jul 2014 21:27:59 -0700
-Subject: [PATCH] Bug #8405: Report SOCKS username/password in CIRC status
- events
-
-Introduces two new circuit status name-value parameters: SOCKS_USERNAME
-and SOCKS_PASSWORD. Values are enclosing in quotes and unusual characters
-are escaped.
-
-Example:
-
- 650 CIRC 5 EXTENDED [...] SOCKS_USERNAME="my_username" SOCKS_PASSWORD="my_password"
----
- src/common/util.c | 14 ++++++++++++++
- src/common/util.h | 1 +
- src/or/control.c | 14 ++++++++++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/src/common/util.c b/src/common/util.c
-index 8589344..64cee56 100644
---- a/src/common/util.c
-+++ b/src/common/util.c
-@@ -1222,6 +1222,20 @@ esc_for_log(const char *s)
- return result;
- }
-
-+/** Similar to esc_for_log. Allocate and return a new string representing
-+ * the first n characters in <b>chars</b>, surround by quotes and using
-+ * standard C escapes. If a NUL character is encountered in <b>chars</b>,
-+ * the resulting string will be terminated there.
-+ */
-+char *
-+esc_for_log_len(const char *chars, size_t n)
-+{
-+ char *string = tor_strndup(chars, n);
-+ char *string_escaped = esc_for_log(string);
-+ tor_free(string);
-+ return string_escaped;
-+}
-+
- /** Allocate and return a new string representing the contents of <b>s</b>,
- * surrounded by quotes and using standard C escapes.
- *
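Review bot: esc_for_log_len() copies with tor_strndup(), so everything after an embedded NUL in `chars` is dropped silently, as the doc comment itself states. The callers in control.c pass length-counted SOCKS credentials, so two different usernames or passwords that share a prefix up to a NUL byte would be reported as the same string; escape all `n` bytes and emit the NUL as an escape instead of truncating. Comment nit: "surround by quotes" should read "surrounded by quotes".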
-diff --git a/src/common/util.h b/src/common/util.h
-index 97367a9..50c5a3d 100644
---- a/src/common/util.h
-+++ b/src/common/util.h
-@@ -229,6 +229,7 @@ int tor_mem_is_zero(const char *mem, size_t len);
- int tor_digest_is_zero(const char *digest);
- int tor_digest256_is_zero(const char *digest);
- char *esc_for_log(const char *string) ATTR_MALLOC;
-+char *esc_for_log_len(const char *chars, size_t n) ATTR_MALLOC;
- const char *escaped(const char *string);
-
- char *tor_escape_str_for_pt_args(const char *string,
-diff --git a/src/or/control.c b/src/or/control.c
-index 9285fc5..aa46df6 100644
---- a/src/or/control.c
-+++ b/src/or/control.c
-@@ -1862,6 +1862,20 @@ circuit_describe_status_for_controller(origin_circuit_t *circ)
- smartlist_add_asprintf(descparts, "TIME_CREATED=%s", tbuf);
- }
-
-+ // Show username and/or password if available.
-+ if (circ->socks_username_len > 0) {
-+ char* socks_username_escaped = esc_for_log_len(circ->socks_username,
-+ (size_t) circ->socks_username_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_USERNAME=%s", socks_username_escaped);
-+ tor_free(socks_username_escaped);
-+ }
-+ if (circ->socks_password_len > 0) {
-+ char* socks_password_escaped = esc_for_log_len(circ->socks_password,
-+ (size_t) circ->socks_password_len);
-+ smartlist_add_asprintf(descparts, "SOCKS_PASSWORD=%s", socks_password_escaped);
-+ tor_free(socks_password_escaped);
-+ }
-+
- rv = smartlist_join_strings(descparts, " ", 0, NULL);
-
- SMARTLIST_FOREACH(descparts, char *, cp, tor_free(cp));
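Review bot: The SOCKS_PASSWORD field added in circuit_describe_status_for_controller() puts the client's SOCKS password in clear text into every CIRC status line, so any controller subscribed to circuit events, and any capture of control-port traffic, now receives it. If controllers only need to tell circuits apart, the username alone or a digest of the pair would do; if the password really is required, state the reason in the commit message and document both new fields in the control protocol spec. Style: the added lines use a `//` comment and `char*`, where the rest of the patch uses `/* */` and `char *`.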
---
-1.8.3.4 (Apple Git-47)
-

10 Dec '15
commit c6a337557ae5c73e8dc8208b18f902e9eeb21404
Merge: eeb9751 1adc2bf
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Tue Dec 8 10:23:41 2015 -0500
Merge branch 'maint-0.2.6' into maint-0.2.7
changes/bug17772 | 7 +++++++
src/or/routerlist.c | 10 ++++++++--
2 files changed, 15 insertions(+), 2 deletions(-)
diff --cc src/or/routerlist.c
index 03729bd,af8e68e..79a5bb3
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@@ -1501,8 -1498,17 +1501,14 @@@ router_pick_directory_server_impl(dirin
if ((type & EXTRAINFO_DIRINFO) &&
!router_supports_extrainfo(node->identity, is_trusted_extrainfo))
continue;
- if (for_guard && node->using_as_guard)
- continue; /* Don't make the same node a guard twice. */
- if ((type & MICRODESC_DIRINFO) && !is_trusted &&
- !node->rs->version_supports_microdesc_cache)
- continue;
+ /* Don't make the same node a guard twice */
+ if (for_guard && node->using_as_guard) {
+ continue;
+ }
+ /* Ensure that a directory guard is actually a guard node. */
+ if (for_guard && !node->is_possible_guard) {
+ continue;
+ }
if (try_excluding &&
routerset_contains_routerstatus(options->ExcludeNodes, status,
country)) {
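Review bot: The new `for_guard && !node->is_possible_guard` check in router_pick_directory_server_impl() changes which nodes can be chosen as directory guards, yet the diffstat lists only changes/bug17772 and src/or/routerlist.c, so no test covers it. Add a unit test that offers a directory without the guard flag while `for_guard` is set and asserts it is skipped. The two `for_guard` conditions could also be folded into one: `if (for_guard && (node->using_as_guard || !node->is_possible_guard))`.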

10 Dec '15
commit 1adc2bf66fedb1768c5013dcf5f4778fae453217
Merge: b53ff86 c3d11b1
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Tue Dec 8 10:20:21 2015 -0500
Merge branch 'maint-0.2.5' into maint-0.2.6
changes/bug17772 | 7 +++++++
src/or/routerlist.c | 10 ++++++++--
2 files changed, 15 insertions(+), 2 deletions(-)

10 Dec '15
commit b2a53e8ca910391a10451860a1aaf66b3c207f50
Merge: e0fa07c c6a3375
Author: Roger Dingledine <arma(a)torproject.org>
Date: Thu Dec 10 04:12:10 2015 -0500
Merge branch 'maint-0.2.7' into release-0.2.7
changes/bug16056 | 4 +
changes/bug16702 | 4 +
changes/bug17551 | 4 +
changes/bug17722 | 3 +
changes/bug17772 | 7 +
changes/bug17781 | 3 +
changes/geoip-december2015 | 4 +
configure.ac | 3 +
src/config/geoip | 4547 ++++++++++++++++++++++++++++++++------------
src/config/geoip6 | 2580 +++++++++++++++++++++----
src/or/policies.c | 6 +-
src/or/rendservice.c | 3 +-
src/or/routerlist.c | 10 +-
src/or/torcert.c | 6 +-
14 files changed, 5558 insertions(+), 1626 deletions(-)