GitLab

at 2023-07-27T18:11:55+02:00

fixup! Bug 40933: Add tor-launcher functionality

Bug 41844: Added a couple of wrappers for Onion Auth on
TorProtocolService.

fixup! Bug 30237: Add v3 onion services client authentication prompt

Bug 41844: Stop using the control port directly

fixup! Bug 40933: Add tor-launcher functionality

Small improvements on event registration.

fixup! Bug 40933: Add tor-launcher functionality

Bug 41844: Do not use a the control port directly.

Collect the bridge node for the about:preferences#connection page in
TorMonitorService.

Also, move parts of the circuit display to TorMonitorService and
TorProtocolService.

fixup! Bug 31286: Implementation of bridge, proxy, and firewall settings in about:preferences#connection

Bug 41844: Do not use the control port directly

Do not use the controller in the settings frontend.
Instead, let TorMonitorService collect the first node's fingerprint.

fixup! Bug 3455: Add DomainIsolator, for isolating circuit by domain.

Bug 41844: Do not use the control port directly.

Use TorDomainIsolator also as a backend for the circuit display.

fixup! Bug 41600: Add a tor circuit display panel.

Bug 41844: Have a separate backend for the tor circuits

Remove the backend stuff from the circuit display.

   TabsSetupFlowManager:

     "resource:///modules/firefox-view-tabs-setup-manager.sys.mjs",

   TelemetryEnvironment: "resource://gre/modules/TelemetryEnvironment.sys.mjs",

+  TorDomainIsolator: "resource://gre/modules/TorDomainIsolator.sys.mjs",

   TranslationsParent: "resource://gre/actors/TranslationsParent.sys.mjs",

   UITour: "resource:///modules/UITour.sys.mjs",

   UpdateUtils: "resource://gre/modules/UpdateUtils.sys.mjs",

   TorConnect: "resource:///modules/TorConnect.jsm",

   TorConnectState: "resource:///modules/TorConnect.jsm",

   TorConnectTopics: "resource:///modules/TorConnect.jsm",

-  TorDomainIsolator: "resource://gre/modules/TorDomainIsolator.jsm",

   Translation: "resource:///modules/translation/TranslationParent.jsm",

   webrtcUI: "resource:///modules/webrtcUI.jsm",

   ZoomUI: "resource:///modules/ZoomUI.jsm",

 XPCOMUtils.defineLazyModuleGetters(this, {

   OnionAuthUtil: "chrome://browser/content/onionservices/authUtil.jsm",

   CommonUtils: "resource://services-common/utils.js",

+  TorProtocolService: "resource://gre/modules/TorProtocolService.jsm",

   TorStrings: "resource:///modules/TorStrings.jsm",

 });

       let controllerFailureMsg =

         TorStrings.onionServices.authPrompt.failedToSetKey;

       try {

-        let { controller } = ChromeUtils.import(

-          "resource://torbutton/modules/tor-control-port.js"

-        );

-        let torController = await controller();

         // ^(subdomain.)*onionserviceid.onion$ (case-insensitive)

         const onionServiceIdRegExp =

           /^(.*\.)*(?<onionServiceId>[a-z2-7]{56})\.onion$/i;

         let checkboxElem = this._getCheckboxElement();

         let isPermanent = checkboxElem && checkboxElem.checked;

-        torController

-          .onionAuthAdd(onionServiceId, base64key, isPermanent)

+        TorProtocolService.onionAuthAdd(onionServiceId, base64key, isPermanent)

           .then(aResponse => {

             // Success! Reload the page.

             this._browser.sendMessageToActor(

 ChromeUtils.defineModuleGetter(

   this,

-  "controller",

-  "resource://torbutton/modules/tor-control-port.js"

+  "TorProtocolService",

+  "resource://gre/modules/TorProtocolService.jsm"

 );

 var gOnionServicesSavedKeysDialog = {

       const controllerFailureMsg =

         TorStrings.onionServices.authPreferences.failedToRemoveKey;

       try {

-        const torController = await controller();

-

         // Remove in reverse index order to avoid issues caused by index changes.

         for (let i = indexesToDelete.length - 1; i >= 0; --i) {

-          await this._deleteOneKey(torController, indexesToDelete[i]);

+          await this._deleteOneKey(indexesToDelete[i]);

         }

       } catch (e) {

         if (e.torMessage) {

     try {

       this._tree.view = this;

-      const torController = await controller();

-      const keyInfoList = await torController.onionAuthViewKeys();

+      const keyInfoList = await TorProtocolService.onionAuthViewKeys();

       if (keyInfoList) {

         // Filter out temporary keys.

         this._keyInfoList = keyInfoList.filter(aKeyInfo => {

   },

   // This method may throw; callers should catch errors.

-  async _deleteOneKey(aTorController, aIndex) {

+  async _deleteOneKey(aIndex) {

     const keyInfoObj = this._keyInfoList[aIndex];

-    await aTorController.onionAuthRemove(keyInfoObj.hsAddress);

+    await TorProtocolService.onionAuthRemove(keyInfoObj.hsAddress);

     this._tree.view.selection.clearRange(aIndex, aIndex);

     this._keyInfoList.splice(aIndex, 1);

     this._tree.rowCountChanged(aIndex + 1, -1);

 /* eslint-env mozilla/browser-window */

-/**

- * Stores the data associated with a circuit node.

- *

- * @typedef NodeData

- * @property {string[]} ipAddrs - The ip addresses associated with this node.

- * @property {string?} bridgeType - The bridge type for this node, or "" if the

- *   node is a bridge but the type is unknown, or null if this is not a bridge

- *   node.

- * @property {string?} regionCode - An upper case 2-letter ISO3166-1 code for

- *   the first ip address, or null if there is no region. This should also be a

- *   valid BCP47 Region subtag.

- */

-

 /**

  * Data about the current domain and circuit for a xul:browser.

  *

    * @type {Element}

    */

   toolbarButton: null,

-  /**

-   * A list of IDs for "mature" circuits (those that have conveyed a stream).

-   *

-   * @type {string[]}

-   */

-  _knownCircuitIDs: [],

-  /**

-   * Stores the circuit nodes for each SOCKS username/password pair. The keys

-   * are of the form "<username>|<password>".

-   *

-   * @type {Map<string, NodeData[]>}

-   */

-  _credentialsToCircuitNodes: new Map(),

-  /**

-   * Browser data for their currently shown page.

-   *

-   * This data may be stale for a given browser since we only update this data

-   * when loading a new page in the currently selected browser, when switching

-   * tabs, or if we find a new circuit for the current browser.

-   *

-   * @type {WeakMap<MozBrowser, BrowserCircuitData>}

-   */

-  _browserData: new WeakMap(),

   /**

    * The data for the currently shown browser.

    *

    */

   _isActive: false,

+  /**

+   * The topic on which circuit changes are broadcast.

+   *

+   * @type {string}

+   */

+  TOR_CIRCUIT_TOPIC: "TorCircuitChange",

+

   /**

    * Initialize the panel.

    */

       maxLogLevelPref: "browser.torcircuitpanel.loglevel",

     });

-    const { wait_for_controller } = ChromeUtils.import(

-      "resource://torbutton/modules/tor-control-port.js"

-    );

-    wait_for_controller().then(

-      controller => {

-        if (!this._isActive) {

-          // uninit() was called before resolution.

-          return;

-        }

-        // FIXME: We should be using some dedicated integrated back end to

-        // store circuit information, rather than collecting it all here in the

-        // front end. See tor-browser#41700.

-        controller.watchEvent(

-          "STREAM",

-          streamEvent => streamEvent.StreamStatus === "SENTCONNECT",

-          streamEvent => this._collectCircuit(controller, streamEvent)

-        );

-      },

-      error => {

-        this._log.error(

-          `Not collecting circuits because of an error: ${error.message}`

-        );

-      }

-    );

-

     this.panel = document.getElementById("tor-circuit-panel");

     this._panelElements = {

       heading: document.getElementById("tor-circuit-heading"),

     // Notified of new locations for the currently selected browser (tab) *and*

     // switching selected browser.

     gBrowser.addProgressListener(this._locationListener);

+

+    // Get notifications for circuit changes.

+    Services.obs.addObserver(this, this.TOR_CIRCUIT_TOPIC);

   },

   /**

   uninit() {

     this._isActive = false;

     gBrowser.removeProgressListener(this._locationListener);

+    Services.obs.removeObserver(this, this.TOR_CIRCUIT_TOPIC);

+  },

+

+  /**

+   * Observe circuit changes.

+   */

+  observe(subject, topic, data) {

+    if (topic === this.TOR_CIRCUIT_TOPIC) {

+      // TODO: Maybe check if we actually need to do something earlier.

+      this._updateCurrentBrowser();

+    }

   },

   /**

     window.openWebLinkIn(this._panelElements.aliasLink.href, where);

   },

-  /**

-   * Collect circuit data for the found circuits, to be used later for display.

-   *

-   * @param {controller} controller - The tor controller.

-   * @param {object} streamEvent - The streamEvent for the new circuit.

-   */

-  async _collectCircuit(controller, streamEvent) {

-    const id = streamEvent.CircuitID;

-    if (this._knownCircuitIDs.includes(id)) {

-      return;

-    }

-    this._log.debug(`New streamEvent.CircuitID: ${id}.`);

-    // FIXME: This list grows and is never freed. See tor-browser#41700.

-    this._knownCircuitIDs.push(id);

-    const circuitStatus = (await controller.getInfo("circuit-status"))?.find(

-      circuit => circuit.id === id

-    );

-    if (!circuitStatus?.SOCKS_USERNAME || !circuitStatus?.SOCKS_PASSWORD) {

-      return;

-    }

-    const nodes = await Promise.all(

-      circuitStatus.circuit.map(names =>

-        this._nodeDataForCircuit(controller, names)

-      )

-    );

-    // Remove quotes from the strings.

-    const username = circuitStatus.SOCKS_USERNAME.replace(/^"(.*)"$/, "$1");

-    const password = circuitStatus.SOCKS_PASSWORD.replace(/^"(.*)"$/, "$1");

-    const credentials = `${username}|${password}`;

-    // FIXME: This map grows and is never freed. We cannot simply request this

-    // information when needed because it is no longer available once the

-    // circuit is dropped, even if the web page is still displayed.

-    // See tor-browser#41700.

-    this._credentialsToCircuitNodes.set(credentials, nodes);

-    // Update the circuit in case the current page gains a new circuit whilst

-    // the popup is still open.

-    this._updateCurrentBrowser(credentials);

-  },

-

-  /**

-   * Fetch the node data for the given circuit node.

-   *

-   * @param {controller} controller - The tor controller.

-   * @param {string[]} circuitNodeNames - The names for the circuit node. Only

-   *   the first name, the node id, will be used.

-   *

-   * @returns {NodeData} - The data for this circuit node.

-   */

-  async _nodeDataForCircuit(controller, circuitNodeNames) {

-    // The first "name" in circuitNodeNames is the id.

-    // Remove the leading '$' if present.

-    const id = circuitNodeNames[0].replace(/^\$/, "");

-    let result = { ipAddrs: [], bridgeType: null, regionCode: null };

-    const bridge = (await controller.getConf("bridge"))?.find(

-      foundBridge => foundBridge.ID?.toUpperCase() === id.toUpperCase()

-    );

-    const addrRe = /^\[?([^\]]+)\]?:\d+$/;

-    if (bridge) {

-      result.bridgeType = bridge.type ?? "";

-      // Attempt to get an IP address from bridge address string.

-      const ip = bridge.address.match(addrRe)?.[1];

-      if (ip && !ip.startsWith("0.")) {

-        result.ipAddrs.push(ip);

-      }

-    } else {

-      // Either dealing with a relay, or a bridge whose fingerprint is not saved

-      // in torrc.

-      let statusMap;

-      try {

-        statusMap = await controller.getInfo("ns/id/" + id);

-      } catch {

-        // getInfo will throw if the given id is not a relay.

-        // This probably means we are dealing with a user-provided bridge with

-        // no fingerprint.

-        // We don't know the ip/ipv6 or type, so leave blank.

-        result.bridgeType = "";

-        return result;

-      }

-      if (statusMap.IP && !statusMap.IP.startsWith("0.")) {

-        result.ipAddrs.push(statusMap.IP);

-      }

-      const ip6 = statusMap.IPv6?.match(addrRe)?.[1];

-      if (ip6) {

-        result.ipAddrs.push(ip6);

-      }

-    }

-    if (result.ipAddrs.length) {

-      // Get the country code for the node's IP address.

-      let regionCode;

-      try {

-        // Expect a 2-letter ISO3166-1 code, which should also be a valid BCP47

-        // Region subtag.

-        regionCode = await controller.getInfo(

-          "ip-to-country/" + result.ipAddrs[0]

-        );

-      } catch {}

-      if (regionCode && regionCode !== "??") {

-        result.regionCode = regionCode.toUpperCase();

-      }

-    }

-    return result;

-  },

-

   /**

    * A list of schemes to never show the circuit display for.

    *

    *

    * @type {string[]}

    */

-  // FIXME: Have a back end that handles this instead. See tor-browser#41700.

+  // FIXME: Check if we find a UX to handle some of these cases, and if we

+  // manage to solve some technical issues.

+  // See tor-browser#41700 and tor-browser!699.

   _ignoredSchemes: ["about", "file", "chrome", "resource"],

   /**

    * Update the current circuit and domain data for the currently selected

    * browser, possibly changing the UI.

-   *

-   * @param {string?} [matchingCredentials=null] - If given, only update the

-   *   current browser data if the current browser's credentials match.

    */

-  _updateCurrentBrowser(matchingCredentials = null) {

+  _updateCurrentBrowser() {

     const browser = gBrowser.selectedBrowser;

     const domain = TorDomainIsolator.getDomainForBrowser(browser);

+    const nodes = TorDomainIsolator.getCircuit(

+      browser,

+      domain,

+      browser.contentPrincipal.originAttributes.userContextId

+    );

     // We choose the currentURI, which matches what is shown in the URL bar and

     // will match up with the domain.

     // In contrast, documentURI corresponds to the shown page. E.g. it could

     // point to "about:certerror".

     const scheme = browser.currentURI?.scheme;

-    let credentials = TorDomainIsolator.getSocksProxyCredentials(

-      domain,

-      browser.contentPrincipal.originAttributes.userContextId

-    );

-    if (credentials) {

-      credentials = `${credentials.username}|${credentials.password}`;

-    }

-

-    if (matchingCredentials && matchingCredentials !== credentials) {

-      // This update was triggered by the circuit update for some other browser

-      // or process.

-      return;

-    }

-

-    let nodes = this._credentialsToCircuitNodes.get(credentials) ?? [];

-

-    const prevData = this._browserData.get(browser);

-    if (

-      prevData &&

-      prevData.domain &&

-      prevData.domain === domain &&

-      prevData.scheme === scheme &&

-      prevData.nodes.length &&

-      !nodes.length

-    ) {

-      // Since this is the same domain, for the same browser, and we used to

-      // have circuit nodes, we *assume* we are re-generating a circuit. So we

-      // keep the old circuit data around for the time being.

-      // FIXME: Have a back end that makes this explicit, rather than an

-      // assumption. See tor-browser#41700.

-      nodes = prevData.nodes;

-      this._log.debug(`Keeping old circuit for ${domain}.`);

-    }

-

-    this._browserData.set(browser, { domain, scheme, nodes });

     if (

       this._currentBrowserData &&

       this._currentBrowserData.domain === domain &&

       this._currentBrowserData.scheme === scheme &&

-      this._currentBrowserData.nodes === nodes

+      this._currentBrowserData.nodes.length === nodes.length &&

+      // If non-null, the fingerprints of the nodes match.

+      (!nodes ||

+        nodes.every(

+          (n, index) =>

+            n.fingerprint === this._currentBrowserData.nodes[index].fingerprint

+        ))

     ) {

       // No change.

+      this._log.debug(

+        "Skipping browser update because the data is already up to date."

+      );

       return;

     }

-    this._currentBrowserData = this._browserData.get(browser);

+    this._currentBrowserData = { domain, scheme, nodes };

+    this._log.debug("Updating current browser.", this._currentBrowserData);

     if (

       // Schemes where we always want to hide the display.

 const { TorProtocolService } = ChromeUtils.import(

   "resource://gre/modules/TorProtocolService.jsm"

 );

+const { TorMonitorService, TorMonitorTopics } = ChromeUtils.import(

+  "resource://gre/modules/TorMonitorService.jsm"

+);

 const { TorConnect, TorConnectTopics, TorConnectState, TorCensorshipLevel } =

   ChromeUtils.import("resource:///modules/TorConnect.jsm");

     _internetStatus: InternetStatus.Unknown,

-    _controller: null,

-

     _currentBridgeId: null,

     // populate xul with strings and cache the relevant elements

       };

       // Use a promise to avoid blocking the population of the page

       // FIXME: Stop using a JSON file, and switch to properties

-      fetch(

+      const annotationPromise = fetch(

         "chrome://browser/content/torpreferences/bridgemoji/annotations.json"

-      ).then(async res => {

+      );

+      annotationPromise.then(async res => {

         const annotations = await res.json();

         const bcp47 = Services.locale.appLocaleAsBCP47;

         const dash = bcp47.indexOf("-");

           ".currently-connected"

         )) {

           card.classList.remove("currently-connected");

+          card.querySelector(selectors.bridges.cardQrGrid).style.height = "";

         }

         if (!this._currentBridgeId) {

           return;

         placeholder.replaceWith(...cards);

         this._checkBridgeCardsHeight();

       };

-      try {

-        const { controller } = ChromeUtils.import(

-          "resource://torbutton/modules/tor-control-port.js"

-        );

-        // Avoid the cache because we set our custom event watcher, and at the

-        // moment, watchers cannot be removed from a controller.

-        controller(true).then(aController => {

-          this._controller = aController;

-          // Getting the circuits may be enough, if we have bootstrapped for a

-          // while, but at the beginning it gives many bridges as connected,

-          // because tor pokes all the bridges to find the best one.

-          // Also, watching circuit events does not work, at the moment, but in

-          // any case, checking the stream has the advantage that we can see if

-          // it really used for a connection, rather than tor having created

-          // this circuit to check if the bridge can be used. We do this by

-          // checking if the stream has SOCKS username, which actually contains

-          // the destination of the stream.

-          // FIXME: We only know the currentBridge *after* a circuit event, but

-          // if the circuit event is sent *before* about:torpreferences is

-          // opened we will miss it. Therefore this approach only works if a

-          // circuit is created after opening about:torconnect. A dedicated

-          // backend outside of about:preferences would help, and could be

-          // shared with gTorCircuitPanel. See tor-browser#41700.

-          this._controller.watchEvent(

-            "STREAM",

-            event =>

-              event.StreamStatus === "SUCCEEDED" && "SOCKS_USERNAME" in event,

-            async event => {

-              const circuitStatuses = await this._controller.getInfo(

-                "circuit-status"

-              );

-              if (!circuitStatuses) {

-                return;

-              }

-              for (const status of circuitStatuses) {

-                if (status.id === event.CircuitID && status.circuit.length) {

-                  // The id in the circuit begins with a $ sign.

-                  const id = status.circuit[0][0].replace(/^\$/, "");

-                  if (id !== this._currentBridgeId) {

-                    const bridge = (

-                      await this._controller.getConf("bridge")

-                    )?.find(

-                      foundBridge =>

-                        foundBridge.ID?.toUpperCase() === id.toUpperCase()

-                    );

-                    if (!bridge) {

-                      // Either there is no bridge, or bridge with no

-                      // fingerprint.

-                      this._currentBridgeId = null;

-                    } else {

-                      this._currentBridgeId = id;

-                    }

-                    this._updateConnectedBridges();

-                  }

-                  break;

-                }

-              }

-            }

-          );

-        });

-      } catch (err) {

-        console.warn(

-          "We could not load torbutton, bridge statuses will not be updated",

-          err

-        );

-      }

+      this._checkConnectedBridge = () => {

+        // TODO: We could make sure TorSettings is in sync by monitoring also

+        // changes of settings. At that point, we could query it, instead of

+        // doing a query over the control port.

+        const bridge = TorMonitorService.currentBridge;

+        if (bridge?.fingerprint !== this._currentBridgeId) {

+          this._currentBridgeId = bridge?.fingerprint ?? null;

+          this._updateConnectedBridges();

+        }

+      };

+      annotationPromise.then(this._checkConnectedBridge.bind(this));

       // Add a new bridge

       prefpane.querySelector(selectors.bridges.addHeader).textContent =

       });

       Services.obs.addObserver(this, TorConnectTopics.StateChange);

+      Services.obs.addObserver(this, TorMonitorTopics.BridgeChanged);

     },

     init() {

       // unregister our observer topics

       Services.obs.removeObserver(this, TorSettingsTopics.SettingChanged);

       Services.obs.removeObserver(this, TorConnectTopics.StateChange);

-

-      if (this._controller !== null) {

-        this._controller.close();

-        this._controller = null;

-      }

+      Services.obs.removeObserver(this, TorMonitorTopics.BridgeChanged);

     },

     // whether the page should be present in about:preferences

           this.onStateChange();

           break;

         }

+        case TorMonitorTopics.BridgeChanged: {

+          if (data?.fingerprint !== this._currentBridgeId) {

+            this._checkConnectedBridge();

+          }

+          break;

+        }

       }

     },

     onRemoveAllBridges() {

       TorSettings.bridges.enabled = false;

       TorSettings.bridges.bridge_strings = "";

-      if (TorSettings.bridges.source == TorBridgeSource.BuiltIn) {

+      if (TorSettings.bridges.source === TorBridgeSource.BuiltIn) {

         TorSettings.bridges.builtin_type = "";

       }

       TorSettings.saveToPrefs();

-// A component for Tor Browser that puts requests from different

-// first party domains on separate Tor circuits.

-

-var EXPORTED_SYMBOLS = ["TorDomainIsolator"];

+/**

+ * A component for Tor Browser that puts requests from different first party

+ * domains on separate Tor circuits.

+ */

-const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");

-const { XPCOMUtils } = ChromeUtils.import(

-  "resource://gre/modules/XPCOMUtils.jsm"

-);

-const { ConsoleAPI } = ChromeUtils.import("resource://gre/modules/Console.jsm");

+import { XPCOMUtils } from "resource://gre/modules/XPCOMUtils.sys.mjs";

+import { ConsoleAPI } from "resource://gre/modules/Console.sys.mjs";

+import {

+  clearInterval,

+  setInterval,

+} from "resource://gre/modules/Timer.sys.mjs";

 const lazy = {};

   ],

 });

-ChromeUtils.defineModuleGetter(

-  lazy,

-  "TorProtocolService",

-  "resource://gre/modules/TorProtocolService.jsm"

-);

+ChromeUtils.defineESModuleGetters(lazy, {

+  TorMonitorTopics: "resource://gre/modules/TorMonitorService.sys.mjs",

+  TorProtocolService: "resource://gre/modules/TorProtocolService.sys.mjs",

+});

 const logger = new ConsoleAPI({

   prefix: "TorDomainIsolator",

 // The string to use instead of the domain when it is not known.

 const CATCHALL_DOMAIN = "--unknown--";

+// The maximum lifetime for the catch-all circuit in milliseconds.

+// When the catch-all circuit is needed, we check if more than this amount of

+// time has passed since we last changed it nonce, and in case we change it

+// again.

+const CATCHALL_MAX_LIFETIME = 600_000;

+

 // The preference to observe, to know whether isolation should be enabled or

 // disabled.

 const NON_TOR_PROXY_PREF = "extensions.torbutton.use_nontor_proxy";

 // The topic of new identity, to observe to cleanup all the nonces.

 const NEW_IDENTITY_TOPIC = "new-identity-requested";

+// The topic on which we broacast circuit change notifications.

+const TOR_CIRCUIT_TOPIC = "TorCircuitChange";

+

+// We have an interval to delete circuits that are not reclaimed by any browser.

+const CLEAR_TIMEOUT = 600_000;

+

+/**

+ * @typedef {string} CircuitId A string that we use to identify a circuit.

+ * Currently, it is a string that combines SOCKS credentials, to make it easier

+ * to use as a map key.

+ * It is not related to Tor's CircuitIDs.

+ */

+/**

+ * @typedef {number} BrowserId

+ */

+/**

+ * @typedef {NodeData[]} CircuitData The data about the nodes, ordered from

+ * guard (or bridge) to exit.

+ */

+/**

+ * @typedef BrowserCircuits Circuits related to a certain combination of

+ * isolators (first-party domain and user context ID, currently).

+ * @property {CircuitId} current The id of the last known circuit that has been

+ * used to fetch data for the isolated context.

+ * @property {CircuitId?} pending The id of the last used circuit for this

+ * isolation context. We might or might not know data about it, yet. But if we

+ * know it, we should move this id into current.

+ */

+

 class TorDomainIsolatorImpl {

-  // A mutable map that records what nonce we are using for each domain.

+  /**

+   * A mutable map that records what nonce we are using for each domain.

+   *

+   * @type {Map<string, string>}

+   */

   #noncesForDomains = new Map();

-  // A mutable map that records what nonce we are using for each tab container.

+  /**

+   * A mutable map that records what nonce we are using for each tab container.

+   *

+   * @type {Map<string, string>}

+   */

   #noncesForUserContextId = new Map();

-  // A bool that controls if we use SOCKS auth for isolation or not.

+  /**

+   * Tell whether we use SOCKS auth for isolation or not.

+   *

+   * @type {boolean}

+   */

   #isolationEnabled = true;

-  // Specifies when the current catch-all circuit was first used

+  /**

+   * Specifies when the current catch-all circuit was first used.

+   *

+   * @type {integer}

+   */

   #catchallDirtySince = Date.now();

+  /**

+   * A map that associates circuit ids to the circuit information.

+   *

+   * @type {Map<CircuitId, CircuitData>}

+   */

+  #knownCircuits = new Map();

+

+  /**

+   * A map that associates a certain browser to all the circuits it used or it

+   * is going to use.

+   * The circuits are keyed on the SOCKS username, which we take for granted

+   * being a combination of the first-party domain and the user context id.

+   *

+   * @type {Map<BrowserId, Map<string, BrowserCircuits>>}

+   */

+  #browsers = new Map();

+

+  /**

+   * The handle of the interval we use to cleanup old circuit data.

+   *

+   * @type {number?}

+   */

+  #cleanupIntervalId = null;

+

   /**

    * Initialize the domain isolator.

-   * This function will setup the proxy filter that injects the credentials and

-   * register some observers.

+   * This function will setup the proxy filter that injects the credentials,

+   * register some observers, and setup the cleaning interval.

    */

   init() {

     logger.info("Setup circuit isolation by domain and user context");

     Services.prefs.addObserver(NON_TOR_PROXY_PREF, this);

     Services.obs.addObserver(this, NEW_IDENTITY_TOPIC);

+    Services.obs.addObserver(this, lazy.TorMonitorTopics.StreamSucceeded);

+

+    this.#cleanupIntervalId = setInterval(

+      this.#clearKnownCircuits.bind(this),

+      CLEAR_TIMEOUT

+    );

   }

   /**

-   * Removes the observers added in the initialization.

+   * Removes the observers added in the initialization and stops the cleaning

+   * interval.

    */

   uninit() {

     Services.prefs.removeObserver(NON_TOR_PROXY_PREF, this);

     Services.obs.removeObserver(this, NEW_IDENTITY_TOPIC);

+    Services.obs.removeObserver(this, lazy.TorMonitorTopics.StreamSucceeded);

+    clearInterval(this.#cleanupIntervalId);

+    this.#cleanupIntervalId = null;

+    this.clearIsolation();

   }

   enable() {

   }

   /**

-   * Return the credentials to use as username and password for the SOCKS proxy,

-   * given a certain domain and userContextId. Optionally, create them.

+   * Get the last circuit used in a certain browser.

+   * The returned data is created when the circuit is first seen, therefore it

+   * could be stale (i.e., the circuit might not be available anymore).

    *

-   * @param {string} firstPartyDomain The first party domain associated to the requests

-   * @param {string} userContextId The context ID associated to the request

-   * @param {bool} create Whether to create the nonce, if it is not available

-   * @returns {object|null} Either the credential, or null if we do not have them and create is

-   * false.

+   * @param {MozBrowser} browser The browser to get data for

+   * @param {string} domain The first party domain we want to get the circuit

+   * for

+   * @param {number} userContextId The user context domain we want to get the

+   * circuit for

+   * @returns {NodeData[]} The node data, or an empty array if we do not have

+   * data for the requested key.

    */

-  getSocksProxyCredentials(firstPartyDomain, userContextId, create = false) {

-    if (!this.#noncesForDomains.has(firstPartyDomain)) {

-      if (!create) {

-        return null;

-      }

-      const nonce = this.#nonce();

-      logger.info(`New nonce for first party ${firstPartyDomain}: ${nonce}`);

-      this.#noncesForDomains.set(firstPartyDomain, nonce);

+  getCircuit(browser, domain, userContextId) {

+    const username = this.#makeUsername(domain, userContextId);

+    const circuits = this.#browsers.get(browser.browserId)?.get(username);

+    // This is the only place where circuit data can go out, so the only place

+    // where it makes a difference to check whether the pending circuit is still

+    // pending, or it has actually got data.

+    const pending = this.#knownCircuits.get(circuits?.pending);

+    if (pending?.length) {

+      circuits.current = circuits.pending;

+      circuits.pending = null;

+      return pending;

     }

-    if (!this.#noncesForUserContextId.has(userContextId)) {

-      if (!create) {

-        return null;

-      }

-      const nonce = this.#nonce();

-      logger.info(`New nonce for userContextId ${userContextId}: ${nonce}`);

-      this.#noncesForUserContextId.set(userContextId, nonce);

-    }

-    return {

-      username: this.#makeUsername(firstPartyDomain, userContextId),

-      password:

-        this.#noncesForDomains.get(firstPartyDomain) +

-        this.#noncesForUserContextId.get(userContextId),

-    };

+    // TODO: At this point we already know if we expect a circuit change for

+    // this key: (circuit?.pending && !pending). However, we do not consume this

+    // data yet in the frontend, so do not send it for now.

+    return this.#knownCircuits.get(circuits?.current) ?? [];

   }

   /**

    * Create a new nonce for the FP domain of the selected browser and reload the

    * tab with a new circuit.

    *

-   * @param {object} browser Should be the gBrowser from the context of the

-   * caller

+   * @param {object} globalBrowser Should be the gBrowser from the context of

+   * the caller

    */

-  newCircuitForBrowser(browser) {

-    const firstPartyDomain = getDomainForBrowser(browser.selectedBrowser);

+  newCircuitForBrowser(globalBrowser) {

+    const browser = globalBrowser.selectedBrowser;

+    const firstPartyDomain = getDomainForBrowser(browser);

     this.#newCircuitForDomain(firstPartyDomain);

-    // TODO: How to properly handle the user context? Should we use

-    // (domain, userContextId) pairs, instead of concatenating nonces?

+    const { username, password } = this.#getSocksProxyCredentials(

+      firstPartyDomain,

+      browser.contentPrincipal.originAttributes.userContextId

+    );

+    this.#trackBrowser(browser, username, password);

     browser.reloadWithFlags(Ci.nsIWebNavigation.LOAD_FLAGS_BYPASS_CACHE);

   }

     // Per-domain and per contextId nonces are stored in maps, so simply clear

     // them.

+    // Notice that the catch-all circuit is included in #noncesForDomains, so we

+    // are implicilty cleaning it. Should this change, we should change its

+    // nonce explicitly here.

     this.#noncesForDomains.clear();

     this.#noncesForUserContextId.clear();

+    this.#catchallDirtySince = Date.now();

-    // Force a rotation on the next catch-all circuit use by setting the

-    // creation time to the epoch.

-    this.#catchallDirtySince = 0;

+    this.#knownCircuits.clear();

+    this.#browsers.clear();

   }

   async observe(subject, topic, data) {

         logger.error("Could not send the newnym command", e);

         // TODO: What UX to use here? See tor-browser#41708

       }

+    } else if (topic === lazy.TorMonitorTopics.StreamSucceeded) {

+      const { username, password, circuit } = subject.wrappedJSObject;

+      this.#updateCircuit(username, password, circuit);

     }

   }

   /**

-   * Setup a filter that for every HTTPChannel, replaces the default SOCKS proxy

-   * with one that authenticates to the SOCKS server (the tor client process)

-   * with a username (the first party domain and userContextId) and a nonce

-   * password.

-   * Tor provides a separate circuit for each username+password combination.

+   * Setup a filter that for every HTTPChannel.

    */

   #setupProxyFilter() {

-    const filterFunction = (aChannel, aProxy) => {

-      if (!this.#isolationEnabled) {

-        return aProxy;

-      }

-      try {

-        const channel = aChannel.QueryInterface(Ci.nsIChannel);

-        let firstPartyDomain =

-          channel.loadInfo.originAttributes.firstPartyDomain;

-        const userContextId = channel.loadInfo.originAttributes.userContextId;

-        if (firstPartyDomain === "") {

-          firstPartyDomain = CATCHALL_DOMAIN;

-          if (Date.now() - this.#catchallDirtySince > 1000 * 10 * 60) {

-            logger.info(

-              "tor catchall circuit has been dirty for over 10 minutes. Rotating."

-            );

-            this.#newCircuitForDomain(CATCHALL_DOMAIN);

-            this.#catchallDirtySince = Date.now();

-          }

-        }

-        const replacementProxy = this.#applySocksProxyCredentials(

-          aProxy,

-          firstPartyDomain,

-          userContextId

-        );

-        logger.debug(

-          `Requested ${channel.URI.spec} via ${replacementProxy.username}:${replacementProxy.password}`

-        );

-        return replacementProxy;

-      } catch (e) {

-        logger.error("Error while setting a new proxy", e);

-        return null;

-      }

-    };

-

     lazy.ProtocolProxyService.registerChannelFilter(

       {

-        applyFilter(aChannel, aProxy, aCallback) {

-          aCallback.onProxyFilterResult(filterFunction(aChannel, aProxy));

+        applyFilter: (aChannel, aProxy, aCallback) => {

+          aCallback.onProxyFilterResult(this.#proxyFilter(aChannel, aProxy));

         },

       },

       0

   }

   /**

-   * Takes a proxyInfo object (originalProxy) and returns a new proxyInfo

-   * object with the same properties, except the username is set to the

-   * the domain and userContextId, and the password is a nonce.

+   * Replaces the default SOCKS proxy with one that authenticates to the SOCKS

+   * server (the tor client process) with a username (the first party domain and

+   * userContextId) and a nonce password.

+   * Tor provides a separate circuit for each username+password combination.

+   *

+   * @param {nsIChannel} aChannel The channel we are setting the proxy for

+   * @param {nsIProxyInfo} aProxy The original proxy

+   * @returns {nsIProxyInfo} The new proxy to use

    */

-  #applySocksProxyCredentials(originalProxy, domain, userContextId) {

-    const proxy = originalProxy.QueryInterface(Ci.nsIProxyInfo);

-    const { username, password } = this.getSocksProxyCredentials(

-      domain,

-      userContextId,

-      true

-    );

-    return lazy.ProtocolProxyService.newProxyInfoWithAuth(

-      "socks",

-      proxy.host,

-      proxy.port,

-      username,

-      password,

-      "", // aProxyAuthorizationHeader

-      "", // aConnectionIsolationKey

-      proxy.flags,

-      proxy.failoverTimeout,

-      proxy.failoverProxy

-    );

+  #proxyFilter(aChannel, aProxy) {

+    if (!this.#isolationEnabled) {

+      return aProxy;

+    }

+    try {

+      const channel = aChannel.QueryInterface(Ci.nsIChannel);

+      let firstPartyDomain = channel.loadInfo.originAttributes.firstPartyDomain;

+      const userContextId = channel.loadInfo.originAttributes.userContextId;

+      if (!firstPartyDomain) {

+        firstPartyDomain = CATCHALL_DOMAIN;

+        if (Date.now() - this.#catchallDirtySince > CATCHALL_MAX_LIFETIME) {

+          logger.info(

+            "tor catchall circuit has reached its maximum lifetime. Rotating."

+          );

+          this.#newCircuitForDomain(CATCHALL_DOMAIN);

+        }

+      }

+      const { username, password } = this.#getSocksProxyCredentials(

+        firstPartyDomain,

+        userContextId

+      );

+      const browser = this.#getBrowserForChannel(channel);

+      if (browser) {

+        this.#trackBrowser(browser, username, password);

+      }

+      logger.debug(`Requested ${channel.URI.spec} via ${username}:${password}`);

+      const proxy = aProxy.QueryInterface(Ci.nsIProxyInfo);

+      return lazy.ProtocolProxyService.newProxyInfoWithAuth(

+        "socks",

+        proxy.host,

+        proxy.port,

+        username,

+        password,

+        "", // aProxyAuthorizationHeader

+        "", // aConnectionIsolationKey

+        proxy.flags,

+        proxy.failoverTimeout,

+        proxy.failoverProxy

+      );

+    } catch (e) {

+      logger.error("Error while setting a new proxy", e);

+      return null;

+    }

+  }

+

+  /**

+   * Return the credentials to use as username and password for the SOCKS proxy,

+   * given a certain domain and userContextId.

+   * A new random password will be created if not available yet.

+   *

+   * @param {string} firstPartyDomain The first party domain associated to the

+   * requests

+   * @param {number} userContextId The context ID associated to the request

+   * @returns {object} The credentials

+   */

+  #getSocksProxyCredentials(firstPartyDomain, userContextId) {

+    if (!this.#noncesForDomains.has(firstPartyDomain)) {

+      const nonce = this.#nonce();

+      logger.info(`New nonce for first party ${firstPartyDomain}: ${nonce}`);

+      this.#noncesForDomains.set(firstPartyDomain, nonce);

+    }

+    if (!this.#noncesForUserContextId.has(userContextId)) {

+      const nonce = this.#nonce();

+      logger.info(`New nonce for userContextId ${userContextId}: ${nonce}`);

+      this.#noncesForUserContextId.set(userContextId, nonce);

+    }

+    // TODO: How to properly handle the user-context? Should we use

+    // (domain, userContextId) pairs, instead of concatenating nonces?

+    return {

+      username: this.#makeUsername(firstPartyDomain, userContextId),

+      password:

+        this.#noncesForDomains.get(firstPartyDomain) +

+        this.#noncesForUserContextId.get(userContextId),

+    };

   }

   /**

    * Combine the needed data into a username for the proxy.

+   *

+   * @param {string} domain The first-party domain associated to the request

+   * @param {integer} userContextId The userContextId associated to the request

    */

   #makeUsername(domain, userContextId) {

     if (!domain) {

     return `${domain}:${userContextId}`;

   }

+  /**

+   * Combine SOCKS username and password into a string to use as ID.

+   *

+   * @param {string} username The SOCKS username

+   * @param {string} password The SOCKS password

+   * @returns {CircuitId} A string that combines username and password and can

+   * be used for map lookups.

+   */

+  #credentialsToId(username, password) {

+    return `${username}|${password}`;

+  }

+

   /**

    * Generate a new 128 bit random tag.

    *

    * Strictly speaking both using a cryptographic entropy source and using 128

    * bits of entropy for the tag are likely overkill, as correct behavior only

    * depends on how unlikely it is for there to be a collision.

+   *

+   * @returns {string} The random nonce

    */

   #nonce() {

     return Array.from(crypto.getRandomValues(new Uint8Array(16)), byte =>

   /**

    * Re-generate the nonce for a certain domain.

+   *

+   * @param {string?} domain The first-party domain to re-create the nonce for.

+   * If empty or null, the catchall domain will be used.

    */

   #newCircuitForDomain(domain) {

     if (!domain) {

       domain = CATCHALL_DOMAIN;

     }

     this.#noncesForDomains.set(domain, this.#nonce());

+    if (domain === CATCHALL_DOMAIN) {

+      this.#catchallDirtySince = Date.now();

+    }

     logger.info(

       `New domain isolation for ${domain}: ${this.#noncesForDomains.get(

         domain

    * Re-generate the nonce for a userContextId.

    *

    * Currently, this function is not hooked to anything.

+   *

+   * @param {integer} userContextId The userContextId to re-create the nonce for

    */

   #newCircuitForUserContextId(userContextId) {

     this.#noncesForUserContextId.set(userContextId, this.#nonce());

       )}`

     );

   }

+

+  /**

+   * Try to extract a browser from a channel.

+   *

+   * @param {nsIChannel} channel The channel to extract the browser from

+   * @returns {MozBrowser?} The browser the channel is associated to

+   */

+  #getBrowserForChannel(channel) {

+    const browsers =

+      channel.loadInfo.browsingContext?.topChromeWindow?.gBrowser.browsers;

+    if (!browsers || !channel.loadInfo.browsingContext?.browserId) {

+      return null;

+    }

+    for (const browser of browsers) {

+      if (browser.browserId === channel.loadInfo.browsingContext.browserId) {

+        logger.debug(

+          "Matched browser with browserId",

+          channel.loadInfo.browsingContext.browserId

+        );

+        return browser;

+      }

+    }

+    // Expected to arrive here for example for the update checker.

+    // If we find a way to check that, we could raise the level to a warn.

+    logger.debug("Browser not matched", channel);

+    return null;

+  }

+

+  /**

+   * Associate the SOCKS credentials to a browser.

+   * If needed (the browser is associated for the first time, or it was already

+   * known but its credential changed), notify the related circuit display.

+   *

+   * @param {MozBrowser} browser The browser to track

+   * @param {string} username The SOCKS username

+   * @param {string} password The SOCKS password

+   */

+  #trackBrowser(browser, username, password) {

+    let browserCircuits = this.#browsers.get(browser.browserId);

+    if (!browserCircuits) {

+      browserCircuits = new Map();

+      this.#browsers.set(browser.browserId, browserCircuits);

+    }

+    const circuitIds = browserCircuits.get(username) ?? {};

+    const id = this.#credentialsToId(username, password);

+    if (circuitIds.current === id) {

+      // The circuit with these credentials was already built (we already knew

+      // its nodes, or we would not have promoted it to the current circuit).

+      // We do not need to do anything else, because we cannot detect a change

+      // of nodes here.

+      return;

+    }

+

+    logger.debug(

+      `Found new credentials ${username} ${password} for browser`,

+      browser

+    );

+    const circuit = this.#knownCircuits.get(id);

+    if (circuit?.length) {

+      circuitIds.current = id;

+      if (circuitIds.pending === id) {

+        circuitIds.pending = null;

+      }

+      browserCircuits.set(username, circuitIds);

+      // FIXME: We only notify the circuit display when we have a change that

+      // involves circuits whose nodes are known, for now. We need to resolve a

+      // few other techical problems (e.g., associate the circuit to the

+      // document?) and develop a UX with some animation to notify the circuit

+      // display more often.

+      // See tor-browser#41700 and tor-browser!699.

+      // In any case, notify the circuit display only after the internal map has

+      // been updated.

+      this.#notifyCircuitDisplay();

+    } else if (circuitIds.pending !== id) {

+      // We do not have node data, so we store that we might need to track this.

+      // Otherwise, when a circuit is ready, we do not know which browser was it

+      // used for.

+      circuitIds.pending = id;

+      browserCircuits.set(username, circuitIds);

+    }

+  }

+

+  /**

+   * Update a circuit, and notify the related circuit displays if it changed.

+   *

+   * This function is called when a certain stream has succeeded and so we can

+   * associate its SOCKS credential to the circuit it is using.

+   * We receive only the fingerprints of the circuit nodes, but they are enough

+   * to check if the circuit has changed. If it has, we also get the nodes'

+   * information through the control port.

+   *

+   * @param {string} username The SOCKS username

+   * @param {string} password The SOCKS password

+   * @param {NodeFingerprint[]} circuit The fingerprints of the nodes that

+   * compose the circuit

+   */

+  async #updateCircuit(username, password, circuit) {

+    const id = this.#credentialsToId(username, password);

+    let data = this.#knownCircuits.get(id) ?? [];

+    // Should we modify the lower layer to send a circuit identifier, instead?

+    if (

+      circuit.length === data.length &&

+      circuit.every((id, index) => id === data[index].fingerprint)

+    ) {

+      return;

+    }

+

+    data = await Promise.all(

+      circuit.map(fingerprint =>

+        lazy.TorProtocolService.getNodeInfo(fingerprint)

+      )

+    );

+    this.#knownCircuits.set(id, data);

+    // We know that something changed, but we cannot know if anyone is

+    // interested in this change. So, we have to notify all the possible

+    // consumers of the data in any case.

+    // Not being specific and let them check if they need to do something allows

+    // us to keep a simpler structure.

+    this.#notifyCircuitDisplay();

+  }

+

+  /**

+   * Broadcast a notification when a circuit changed, or a browser is changing

+   * circuit (which might happen also in case of navigation).

+   */

+  #notifyCircuitDisplay() {

+    Services.obs.notifyObservers(null, TOR_CIRCUIT_TOPIC);

+  }

+

+  /**

+   * Clear the known circuit information, when they are not needed anymore.

+   *

+   * We keep circuit data around for a while. We decouple it from the underlying

+   * tor circuit management in case the user clicks on the circuit display when

+   * circuit has long gone.

+   * However, data accumulate during a session. So, since we store all the

+   * browsers that used a circuit anyway, every now and then we check if we

+   * still know browsers using a certain circuits. If there are not, we forget

+   * about it.

+   *

+   * This function is run by an interval.

+   */

+  #clearKnownCircuits() {

+    logger.info("Running the circuit cleanup");

+    const windows = [];

+    const enumerator = Services.wm.getEnumerator("navigator:browser");

+    while (enumerator.hasMoreElements()) {

+      windows.push(enumerator.getNext());

+    }

+    const browsers = windows

+      .flatMap(win => win.gBrowser.browsers.map(b => b.browserId))

+      .filter(id => this.#browsers.has(id));

+    this.#browsers = new Map(browsers.map(id => [id, this.#browsers.get(id)]));

+    this.#knownCircuits = new Map(

+      Array.from(this.#browsers.values(), circuits =>

+        Array.from(circuits.values(), ids => {

+          const r = [];

+          const current = this.#knownCircuits.get(ids.current);

+          if (current) {

+            r.push([ids.current, current]);

+          }

+          const pending = this.#knownCircuits.get(ids.pending);

+          if (pending) {

+            r.push([ids.pending, pending]);

+          }

+          return r;

+        })

+      ).flat(2)

+    );

+  }

 }

 /**

  * Get the first party domain for a certain browser.

  *

- * @param browser The browser to get the FP-domain for.

- *

+ * @param {MozBrowser} browser The browser to get the FP-domain for.

  * Please notice that it should be gBrowser.selectedBrowser, because

  * browser.documentURI is the actual shown page, and might be an error page.

  * In this case, we rely on currentURI, which for gBrowser is an alias of

   return fpd;

 }

-const TorDomainIsolator = new TorDomainIsolatorImpl();

+export const TorDomainIsolator = new TorDomainIsolatorImpl();

 // Reduce global vars pollution

 TorDomainIsolator.getDomainForBrowser = getDomainForBrowser;
   "resource://torbutton/modules/tor-control-port.js"

 );

+ChromeUtils.defineESModuleGetters(lazy, {

+  TorProtocolService: "resource://gre/modules/TorProtocolService.sys.mjs",

+});

+

 const logger = new ConsoleAPI({

   maxLogLevel: "warn",

   maxLogLevelPref: "browser.tor_monitor_service.log_level",

   ProcessRestarted: "TorProcessRestarted",

 });

+export const TorMonitorTopics = Object.freeze({

+  BridgeChanged: "TorBridgeChanged",

+  StreamSucceeded: "TorStreamSucceeded",

+});

+

 const ControlConnTimings = Object.freeze({

   initialDelayMS: 25, // Wait 25ms after the process has started, before trying to connect

   maxRetryMS: 10000, // Retry at most every 10 seconds

   timeoutMS: 5 * 60 * 1000, // Wait at most 5 minutes for tor to start

 });

+/**

+ * From control-spec.txt:

+ *   CircuitID = 1*16 IDChar

+ *   IDChar = ALPHA / DIGIT

+ *   Currently, Tor only uses digits, but this may change.

+ *

+ * @typedef {string} CircuitID

+ */

+/**

+ * The fingerprint of a node.

+ * From control-spec.txt:

+ *   Fingerprint = "$" 40*HEXDIG

+ * However, we do not keep the $ in our structures.

+ *

+ * @typedef {string} NodeFingerprint

+ */

+

 /**

  * This service monitors an existing Tor instance, or starts one, if needed, and

  * then starts monitoring it.

  */

 export const TorMonitorService = {

   _connection: null,

-  _eventsToMonitor: Object.freeze(["STATUS_CLIENT", "NOTICE", "WARN", "ERR"]),

+  _eventHandlers: {},

   _torLog: [], // Array of objects with date, type, and msg properties.

   _startTimeout: null,

   _inited: false,

+  /**

+   * Stores the nodes of a circuit. Keys are cicuit IDs, and values are the node

+   * fingerprints.

+   *

+   * Theoretically, we could hook this map up to the new identity notification,

+   * but in practice it does not work. Tor pre-builds circuits, and the NEWNYM

+   * signal does not affect them. So, we might end up using a circuit that was

+   * built before the new identity but not yet used. If we cleaned the map, we

+   * risked of not having the data about it.

+   *

+   * @type {Map<CircuitID, NodeFingerprint[]>}

+   */

+  _circuits: new Map(),

+  /**

+   * The last used bridge, or null if bridges are not in use or if it was not

+   * possible to detect the bridge. This needs the user to have specified bridge

+   * lines with fingerprints to work.

+   *

+   * @type {NodeFingerprint?}

+   */

+  _currentBridge: null,

+

   // Public methods

   // Starts Tor, if needed, and starts monitoring for events

       return;

     }

     this._inited = true;

+

+    // We always liten to these events, because they are needed for the circuit

+    // display.

+    this._eventHandlers = new Map([

+      ["CIRC", this._processCircEvent.bind(this)],

+      ["STREAM", this._processStreamEvent.bind(this)],

+    ]);

+

     if (this.ownsTorDaemon) {

+      // When we own the tor daemon, we listen to more events, that are used

+      // for about:torconnect or for showing the logs in the settings page.

+      this._eventHandlers.set("STATUS_CLIENT", (_eventType, lines) =>

+        this._processBootstrapStatus(lines[0], false)

+      );

+      this._eventHandlers.set("NOTICE", this._processLog.bind(this));

+      this._eventHandlers.set("WARN", this._processLog.bind(this));

+      this._eventHandlers.set("ERR", this._processLog.bind(this));

       this._controlTor();

     } else {

-      logger.info(

-        "Not starting the event monitor, as we do not own the Tor daemon."

-      );

+      this._startEventMonitor();

     }

-    logger.debug("TorMonitorService initialized");

+    logger.info("TorMonitorService initialized");

   },

   // Closes the connection that monitors for events.

     return !!this._connection;

   },

+  /**

+   * Return the data about the current bridge, if any, or null.

+   * We can detect bridge only when the configured bridge lines include the

+   * fingerprints.

+   *

+   * @returns {NodeData?} The node information, or null if the first node

+   * is not a bridge, or no circuit has been opened, yet.

+   */

+  get currentBridge() {

+    return this._currentBridge;

+  },

+

   // Private methods

   async _startProcess() {

     // TODO: optionally monitor INFO and DEBUG log messages.

     let reply = await conn.sendCommand(

-      "SETEVENTS " + this._eventsToMonitor.join(" ")

+      "SETEVENTS " + Array.from(this._eventHandlers.keys()).join(" ")

     );

     reply = TorParsers.parseCommandResponse(reply);

     if (!TorParsers.commandSucceeded(reply)) {

       return false;

     }

-    // FIXME: At the moment it is not possible to start the event monitor

-    // when we do start the tor process. So, does it make sense to keep this

-    // control?

     if (this._torProcess) {

       this._torProcess.connectionWorked();

     }

-

-    if (!TorLauncherUtil.shouldOnlyConfigureTor) {

+    if (this.ownsTorDaemon && !TorLauncherUtil.shouldOnlyConfigureTor) {

       try {

         await this._takeTorOwnership(conn);

       } catch (e) {

     }

     this._connection = conn;

-    this._waitForEventData();

+

+    for (const [type, callback] of this._eventHandlers.entries()) {

+      this._monitorEvent(type, callback);

+    }

+

+    // Populate the circuit map already, in case we are connecting to an

+    // external tor daemon.

+    try {

+      const reply = await this._connection.sendCommand(

+        "GETINFO circuit-status"

+      );

+      const lines = reply.split(/\r?\n/);

+      if (lines.shift() === "250+circuit-status=") {

+        for (const line of lines) {

+          if (line === ".") {

+            break;

+          }

+          // _processCircEvent processes only one line at a time

+          this._processCircEvent("CIRC", [line]);

+        }

+      }

+    } catch (e) {

+      logger.warn("Could not populate the initial circuit map", e);

+    }

+

     return true;

   },

     }

   },

-  _waitForEventData() {

-    if (!this._connection) {

-      return;

-    }

-    logger.debug("Start watching events:", this._eventsToMonitor);

+  _monitorEvent(type, callback) {

+    logger.info(`Watching events of type ${type}.`);

     let replyObj = {};

-    for (const torEvent of this._eventsToMonitor) {

-      this._connection.watchEvent(

-        torEvent,

-        null,

-        line => {

-          if (!line) {

-            return;

-          }

-          logger.debug("Event response: ", line);

-          const isComplete = TorParsers.parseReplyLine(line, replyObj);

-          if (isComplete) {

-            this._processEventReply(replyObj);

-            replyObj = {};

-          }

-        },

-        true

-      );

-    }

+    this._connection.watchEvent(

+      type,

+      null,

+      line => {

+        if (!line) {

+          return;

+        }

+        logger.debug("Event response: ", line);

+        const isComplete = TorParsers.parseReplyLine(line, replyObj);

+        if (!isComplete || replyObj._parseError || !replyObj.lineArray.length) {

+          return;

+        }

+        const reply = replyObj;

+        replyObj = {};

+        if (reply.statusCode !== TorStatuses.EventNotification) {

+          logger.error("Unexpected event status code:", reply.statusCode);

+          return;

+        }

+        if (!reply.lineArray[0].startsWith(`${type} `)) {

+          logger.error("Wrong format for the first line:", reply.lineArray[0]);

+          return;

+        }

+        reply.lineArray[0] = reply.lineArray[0].substring(type.length + 1);

+        try {

+          callback(type, reply.lineArray);

+        } catch (e) {

+          logger.error("Exception while handling an event", reply, e);

+        }

+      },

+      true

+    );

   },

-  _processEventReply(aReply) {

-    if (aReply._parseError || !aReply.lineArray.length) {

-      return;

-    }

-

-    if (aReply.statusCode !== TorStatuses.EventNotification) {

-      logger.warn("Unexpected event status code:", aReply.statusCode);

-      return;

-    }

-

-    // TODO: do we need to handle multiple lines?

-    const s = aReply.lineArray[0];

-    const idx = s.indexOf(" ");

-    if (idx === -1) {

-      return;

-    }

-    const eventType = s.substring(0, idx);

-    const msg = s.substring(idx + 1).trim();

-

-    if (eventType === "STATUS_CLIENT") {

-      this._processBootstrapStatus(msg, false);

-      return;

-    } else if (!this._eventsToMonitor.includes(eventType)) {

-      logger.debug(`Dropping unlistened event ${eventType}`);

-      return;

-    }

-

-    if (eventType === "WARN" || eventType === "ERR") {

+  _processLog(type, lines) {

+    if (type === "WARN" || type === "ERR") {

       // Notify so that Copy Log can be enabled.

       Services.obs.notifyObservers(null, TorTopics.HasWarnOrErr);

     }

-    const now = new Date();

+    const date = new Date();

     const maxEntries = Services.prefs.getIntPref(

       "extensions.torlauncher.max_tor_log_entries",

       1000

     if (maxEntries > 0 && this._torLog.length >= maxEntries) {

       this._torLog.splice(0, 1);

     }

-    this._torLog.push({ date: now, type: eventType, msg });

-    const logString = `Tor ${eventType}: ${msg}`;

+

+    const msg = lines.join("\n");

+    this._torLog.push({ date, type, msg });

+    const logString = `Tor ${type}: ${msg}`;

     logger.info(logString);

   },

     }

   },

+  async _processCircEvent(_type, lines) {

+    const builtEvent =

+      /^(?<CircuitID>[a-zA-Z0-9]{1,16})\sBUILT\s(?<Path>(?:,?\$[0-9a-fA-F]{40}(?:~[a-zA-Z0-9]{1,19})?)+)/.exec(

+        lines[0]

+      );

+    const closedEvent = /^(?<ID>[a-zA-Z0-9]{1,16})\sCLOSED/.exec(lines[0]);

+    if (builtEvent) {

+      const fp = /\$([0-9a-fA-F]{40})/g;

+      const nodes = Array.from(builtEvent.groups.Path.matchAll(fp), g =>

+        g[1].toUpperCase()

+      );

+      this._circuits.set(builtEvent.groups.CircuitID, nodes);

+      // Ignore circuits of length 1, that are used, for example, to probe

+      // bridges. So, only store them, since we might see streams that use them,

+      // but then early-return.

+      if (nodes.length === 1) {

+        return;

+      }

+      // In some cases, we might already receive SOCKS credentials in the line.

+      // However, this might be a problem with onion services: we get also a

+      // 4-hop circuit that we likely do not want to show to the user,

+      // especially because it is used only temporarily, and it would need a

+      // technical explaination.

+      // this._checkCredentials(lines[0], nodes);

+      if (this._currentBridge?.fingerprint !== nodes[0]) {

+        const nodeInfo = await lazy.TorProtocolService.getNodeInfo(nodes[0]);

+        let notify = false;

+        if (nodeInfo?.bridgeType) {

+          logger.info(`Bridge changed to ${nodes[0]}`);

+          this._currentBridge = nodeInfo;

+          notify = true;

+        } else if (this._currentBridge) {

+          logger.info("Bridges disabled");

+          this._currentBridge = null;

+          notify = true;

+        }

+        if (notify) {

+          Services.obs.notifyObservers(

+            null,

+            TorMonitorTopics.BridgeChanged,

+            this._currentBridge

+          );

+        }

+      }

+    } else if (closedEvent) {

+      this._circuits.delete(closedEvent.groups.ID);

+    }

+  },

+

+  _processStreamEvent(_type, lines) {

+    // The first block is the stream ID, which we do not need at the moment.

+    const succeeedEvent =

+      /^[a-zA-Z0-9]{1,16}\sSUCCEEDED\s(?<CircuitID>[a-zA-Z0-9]{1,16})/.exec(

+        lines[0]

+      );

+    if (!succeeedEvent) {

+      return;

+    }

+    const circuit = this._circuits.get(succeeedEvent.groups.CircuitID);

+    if (!circuit) {

+      logger.error(

+        "Seen a STREAM SUCCEEDED with an unknown circuit. Not notifying observers.",

+        lines[0]

+      );

+      return;

+    }

+    this._checkCredentials(lines[0], circuit);

+  },

+

+  /**

+   * Check if a STREAM or CIRC response line contains SOCKS_USERNAME and

+   * SOCKS_PASSWORD. In case, notify observers that we could associate a certain

+   * circuit to these credentials.

+   *

+   * @param {string} line The circ or stream line to check

+   * @param {NodeFingerprint[]} circuit The fingerprints of the nodes in the

+   * circuit.

+   */

+  _checkCredentials(line, circuit) {

+    const username = /SOCKS_USERNAME=("(?:[^"\\]|\\.)*")/.exec(line);

+    const password = /SOCKS_PASSWORD=("(?:[^"\\]|\\.)*")/.exec(line);

+    if (!username || !password) {

+      return;

+    }

+    Services.obs.notifyObservers(

+      {

+        wrappedJSObject: {

+          username: TorParsers.unescapeString(username[1]),

+          password: TorParsers.unescapeString(password[1]),

+          circuit,

+        },

+      },

+      TorMonitorTopics.StreamSucceeded

+    );

+  },

+

   _shutDownEventMonitor() {

-    this._connection?.close();

+    try {

+      this._connection?.close();

+    } catch (e) {

+      logger.error("Could not close the connection to the control port", e);

+    }

     this._connection = null;

     if (this._startTimeout !== null) {

       clearTimeout(this._startTimeout);

       return aStr;

     }

     const escaped = aStr

-      .replace("\\", "\\\\")

-      .replace('"', '\\"')

-      .replace("\n", "\\n")

-      .replace("\r", "\\r")

-      .replace("\t", "\\t")

-      .replace(/[^\x20-\x7e]+/g, text => {

+      .replaceAll("\\", "\\\\")

+      .replaceAll('"', '\\"')

+      .replaceAll("\n", "\\n")

+      .replaceAll("\r", "\\r")

+      .replaceAll("\t", "\\t")

+      .replaceAll(/[^\x20-\x7e]+/g, text => {

         const encoder = new TextEncoder();

         return Array.from(

           encoder.encode(text),

   prefix: "TorProtocolService",

 });

+/**

+ * Stores the data associated with a circuit node.

+ *

+ * @typedef NodeData

+ * @property {string} fingerprint The node fingerprint.

+ * @property {string[]} ipAddrs - The ip addresses associated with this node.

+ * @property {string?} bridgeType - The bridge type for this node, or "" if the

+ *   node is a bridge but the type is unknown, or null if this is not a bridge

+ *   node.

+ * @property {string?} regionCode - An upper case 2-letter ISO3166-1 code for

+ *   the first ip address, or null if there is no region. This should also be a

+ *   valid BCP47 Region subtag.

+ */

+

 // Manage the connection to tor's control port, to update its settings and query

 // other useful information.

 //

     return TorParsers.parseReply(cmd, keyword, response);

   },

+  async getBridges() {

+    // Ideally, we would not need this function, because we should be the one

+    // setting them with TorSettings. However, TorSettings is not notified of

+    // change of settings. So, asking tor directly with the control connection

+    // is the most reliable way of getting the configured bridges, at the

+    // moment. Also, we are using this for the circuit display, which should

+    // work also when we are not configuring the tor daemon, but just using it.

+    return this._withConnection(conn => {

+      return conn.getConf("bridge");

+    });

+  },

+

+  /**

+   * Returns tha data about a relay or a bridge.

+   *

+   * @param {string} id The fingerprint of the node to get data about

+   * @returns {NodeData}

+   */

+  async getNodeInfo(id) {

+    return this._withConnection(async conn => {

+      const node = {

+        fingerprint: id,

+        ipAddrs: [],

+        bridgeType: null,

+        regionCode: null,

+      };

+      const bridge = (await conn.getConf("bridge"))?.find(

+        foundBridge => foundBridge.ID?.toUpperCase() === id.toUpperCase()

+      );

+      const addrRe = /^\[?([^\]]+)\]?:\d+$/;

+      if (bridge) {

+        node.bridgeType = bridge.type ?? "";

+        // Attempt to get an IP address from bridge address string.

+        const ip = bridge.address.match(addrRe)?.[1];

+        if (ip && !ip.startsWith("0.")) {

+          node.ipAddrs.push(ip);

+        }

+      } else {

+        // Either dealing with a relay, or a bridge whose fingerprint is not

+        // saved in torrc.

+        const info = await conn.getInfo(`ns/id/${id}`);

+        if (info.IP && !info.IP.startsWith("0.")) {

+          node.ipAddrs.push(info.IP);

+        }

+        const ip6 = info.IPv6?.match(addrRe)?.[1];

+        if (ip6) {

+          node.ipAddrs.push(ip6);

+        }

+      }

+      if (node.ipAddrs.length) {

+        // Get the country code for the node's IP address.

+        let regionCode;

+        try {

+          // Expect a 2-letter ISO3166-1 code, which should also be a valid

+          // BCP47 Region subtag.

+          regionCode = await conn.getInfo("ip-to-country/" + node.ipAddrs[0]);

+        } catch {}

+        if (regionCode && regionCode !== "??") {

+          node.regionCode = regionCode.toUpperCase();

+        }

+      }

+      return node;

+    });

+  },

+

+  async onionAuthAdd(hsAddress, b64PrivateKey, isPermanent) {

+    return this._withConnection(conn => {

+      return conn.onionAuthAdd(hsAddress, b64PrivateKey, isPermanent);

+    });

+  },

+

+  async onionAuthRemove(hsAddress) {

+    return this._withConnection(conn => {

+      return conn.onionAuthRemove(hsAddress);

+    });

+  },

+

+  async onionAuthViewKeys() {

+    return this._withConnection(conn => {

+      return conn.onionAuthViewKeys();

+    });

+  },

+

   // TODO: transform the following 4 functions in getters. At the moment they

   // are also used in torbutton.

     }

   },

+  async _withConnection(func) {

+    // TODO: Make more robust?

+    const conn = await this._getConnection();

+    try {

+      return await func(conn);

+    } finally {

+      this._returnConnection();

+    }

+  },

+

   // If aConn is omitted, the cached connection is closed.

   _closeConnection() {

     if (this._controlConnection) {

 // We will use the modules only when the profile is loaded, so prefer lazy

 // loading

 ChromeUtils.defineESModuleGetters(lazy, {

+  TorDomainIsolator: "resource://gre/modules/TorDomainIsolator.sys.mjs",

   TorLauncherUtil: "resource://gre/modules/TorLauncherUtil.sys.mjs",

   TorMonitorService: "resource://gre/modules/TorMonitorService.sys.mjs",

   TorProtocolService: "resource://gre/modules/TorProtocolService.sys.mjs",

   "resource:///modules/TorSettings.jsm"

 );

-ChromeUtils.defineModuleGetter(

-  lazy,

-  "TorDomainIsolator",

-  "resource://gre/modules/TorDomainIsolator.jsm"

-);

-

 /* Browser observer topis */

 const BrowserTopics = Object.freeze({

   ProfileAfterChange: "profile-after-change",

 EXTRA_JS_MODULES += [

     "TorBootstrapRequest.sys.mjs",

-    "TorDomainIsolator.jsm",

+    "TorDomainIsolator.sys.mjs",

     "TorLauncherUtil.sys.mjs",

     "TorMonitorService.sys.mjs",

     "TorParsers.sys.mjs",

richard pushed to branch tor-browser-115.1.0esr-13.0-1 at The Tor Project / Applications / Tor Browser

Commits:

11 changed files:

Changes: