commit 7f50af116f2497a73fe9113e814a5765047cf3ca Merge: 6acf0ac fa3c237 Author: Nick Mathewson nickm@torproject.org Date: Thu Apr 11 01:39:26 2013 -0400
Merge remote-tracking branch 'public/bug8117_023' into maint-0.2.4
Conflicts: doc/tor.1.txt src/or/config.c src/or/connection.c
changes/bug8117 | 13 +++++++++++++ doc/tor.1.txt | 9 +++++++++ src/or/buffers.c | 17 ++++++++++------- src/or/config.c | 7 +++++++ src/or/connection.c | 6 ++++++ src/or/or.h | 12 ++++++++++++ 6 files changed, 57 insertions(+), 7 deletions(-)
diff --cc doc/tor.1.txt index c502c57,85f0835..f35d639 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@@ -927,52 -893,20 +927,61 @@@ The following options are useful only f on this port to share circuits with streams from every other port with the same session group. (By default, streams received on different SOCKSPorts, TransPorts, etc are always isolated from one - another. This option overrides that behavior.) + another. This option overrides that behavior.) + + Other recognized _flags_ for a SOCKSPort are: + **NoIPv4Traffic**;; + Tell exits to not connect to IPv4 addresses in response to SOCKS + requests on this connection. + **IPv6Traffic**;; + Tell exits to allow IPv6 addresses in response to SOCKS requests on + this connection, so long as SOCKS5 is in use. (SOCKS4 can't handle + IPv6.) + **PreferIPv6**;; + Tells exits that, if a host has both an IPv4 and an IPv6 address, + we would prefer to connect to it via IPv6. (IPv4 is the default.) + ++ + NOTE: Although this option allows you to specify an IP address + other than localhost, you should do so only with extreme caution. + The SOCKS protocol is unencrypted and (as we use it) + unauthenticated, so exposing it in this way could leak your + information to anybody watching your network, and allow anybody + to use your computer as an open proxy. + **CacheIPv4DNS**;; + Tells the client to remember IPv4 DNS answers we receive from exit + nodes via this connection. (On by default.) + **CacheIPv6DNS**;; + Tells the client to remember IPv6 DNS answers we receive from exit + nodes via this connection. + **CacheDNS**;; + Tells the client to remember all DNS answers we receive from exit + nodes via this connection. + **UseIPv4Cache**;; + Tells the client to use any cached IPv4 DNS answers we have when making + requests via this connection. (NOTE: This option, along UseIPv6Cache + and UseDNSCache, can harm your anonymity, and probably + won't help performance as much as you might expect. Use with care!) 
+ **UseIPv6Cache**;; + Tells the client to use any cached IPv6 DNS answers we have when making + requests via this connection. + **UseDNSCache**;; + Tells the client to use any cached DNS answers we have when making + requests via this connection. + **PreferIPv6Automap**;; + When serving a hostname lookup request on this port that + should get automapped (according to AutomapHostsOnResove), + if we could return either an IPv4 or an IPv6 answer, prefer + an IPv6 answer. (On by default.) + **PreferSOCKSNoAuth**;; + Ordinarily, when an application offers both "username/password + authentication" and "no authentication" to Tor via SOCKS5, Tor + selects username/password authentication so that IsolateSOCKSAuth can + work. This can confuse some applications, if they offer a + username/password combination then get confused when asked for + one. You can disable this behavior, so that Tor will select "No + authentication" when IsolateSOCKSAuth is disabled, or when this + option is set.
- **SOCKSListenAddress** __IP__[:__PORT__]:: Bind to this address to listen for connections from Socks-speaking applications. (Default: 127.0.0.1) You can also specify a port (e.g. diff --cc src/or/config.c index ffa984b,a80576e..20a3c20 --- a/src/or/config.c +++ b/src/or/config.c @@@ -5142,40 -5917,9 +5143,43 @@@ parse_port_config(smartlist_t *out no = 1; elt += 2; } - if (!strcasecmp(elt, "PreferSOCKSNoAuth")) { + + if (takes_hostnames) { + if (!strcasecmp(elt, "IPv4Traffic")) { + ipv4_traffic = ! no; + continue; + } else if (!strcasecmp(elt, "IPv6Traffic")) { + ipv6_traffic = ! no; + continue; + } else if (!strcasecmp(elt, "PreferIPv6")) { + prefer_ipv6 = ! no; + continue; + } + } + if (!strcasecmp(elt, "CacheIPv4DNS")) { + cache_ipv4 = ! no; + continue; + } else if (!strcasecmp(elt, "CacheIPv6DNS")) { + cache_ipv6 = ! no; + continue; + } else if (!strcasecmp(elt, "CacheDNS")) { + cache_ipv4 = cache_ipv6 = ! no; + continue; + } else if (!strcasecmp(elt, "UseIPv4Cache")) { + use_cached_ipv4 = ! no; + continue; + } else if (!strcasecmp(elt, "UseIPv6Cache")) { + use_cached_ipv6 = ! no; + continue; + } else if (!strcasecmp(elt, "UseDNSCache")) { + use_cached_ipv4 = use_cached_ipv6 = ! no; + continue; + } else if (!strcasecmp(elt, "PreferIPv6Automap")) { + prefer_ipv6_automap = ! no; + continue; ++ } else if (!strcasecmp(elt, "PreferSOCKSNoAuth")) { + prefer_no_auth = ! no; + continue; }
if (!strcasecmpend(elt, "s")) @@@ -5225,16 -5963,11 +5229,19 @@@ cfg->no_advertise = no_advertise; cfg->no_listen = no_listen; cfg->all_addrs = all_addrs; - cfg->ipv4_only = ipv4_only; - cfg->ipv6_only = ipv6_only; + cfg->bind_ipv4_only = bind_ipv4_only; + cfg->bind_ipv6_only = bind_ipv6_only; + cfg->ipv4_traffic = ipv4_traffic; + cfg->ipv6_traffic = ipv6_traffic; + cfg->prefer_ipv6 = prefer_ipv6; + cfg->cache_ipv4_answers = cache_ipv4; + cfg->cache_ipv6_answers = cache_ipv6; + cfg->use_cached_ipv4_answers = use_cached_ipv4; + cfg->use_cached_ipv6_answers = use_cached_ipv6; + cfg->prefer_ipv6_virtaddr = prefer_ipv6_automap; + cfg->socks_prefer_no_auth = prefer_no_auth; + if (! (isolation & ISO_SOCKSAUTH)) + cfg->socks_prefer_no_auth = 1;
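Review bot: Nothing in this hunk rejects a port whose flags clear both `ipv4_traffic` and `ipv6_traffic` (for example `NoIPv4Traffic` given without `IPv6Traffic`), so such a port is accepted even though it can carry neither kind of traffic, which users are likely to misread as a Tor failure rather than a configuration error. Unless that combination is checked after the flag loop (outside this hunk), the parser should fail the port once the loop finishes, along the lines of `if (!ipv4_traffic && !ipv6_traffic) { log_warn(LD_CONFIG, "Port has both IPv4 and IPv6 traffic disabled; it can't carry any traffic."); /* take the function's error path */ }`. The repeated `strcasecmp` / assign / `continue` triplets for the six cache flags could also be a small static table of name and target pairs, which would make the next flag a one-line addition and keep the `! no` handling in one place. parse_port_config starts and ends outside this hunk, including where these flag variables get their defaults.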
smartlist_add(out, cfg); } diff --cc src/or/connection.c index 2cc3d74,aeb4949..358a4ee --- a/src/or/connection.c +++ b/src/or/connection.c @@@ -1132,19 -1056,7 +1132,20 @@@ connection_listener_new(const struct so lis_conn->session_group = global_next_session_group--; } } + if (type == CONN_TYPE_AP_LISTENER) { + lis_conn->socks_ipv4_traffic = port_cfg->ipv4_traffic; + lis_conn->socks_ipv6_traffic = port_cfg->ipv6_traffic; + lis_conn->socks_prefer_ipv6 = port_cfg->prefer_ipv6; + } else { + lis_conn->socks_ipv4_traffic = 1; + lis_conn->socks_ipv6_traffic = 1; + } + lis_conn->cache_ipv4_answers = port_cfg->cache_ipv4_answers; + lis_conn->cache_ipv6_answers = port_cfg->cache_ipv6_answers; + lis_conn->use_cached_ipv4_answers = port_cfg->use_cached_ipv4_answers; + lis_conn->use_cached_ipv6_answers = port_cfg->use_cached_ipv6_answers; + lis_conn->prefer_ipv6_virtaddr = port_cfg->prefer_ipv6_virtaddr; + lis_conn->socks_prefer_no_auth = port_cfg->socks_prefer_no_auth;
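Review bot: The override `if (! (isolation & ISO_SOCKSAUTH)) cfg->socks_prefer_no_auth = 1;` silently discards an explicit `PreferSOCKSNoAuth` setting whenever the IsolateSOCKSAuth flag is off, and nothing at the assignment explains why; the reasoning currently lives only in tor.1.txt. Add a why-comment above it, e.g. `/* Username/password auth is only requested so IsolateSOCKSAuth can key on it; with that isolation off, prefer "no auth" so apps aren't asked for credentials they don't have. */`. Since the two lines above already copy `prefer_no_auth` into the same field, folding both into one assignment, `cfg->socks_prefer_no_auth = prefer_no_auth || !(isolation & ISO_SOCKSAUTH);`, would make the effective rule visible at a glance. The rest of parse_port_config, including where `isolation` is accumulated, is outside this hunk.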
if (connection_add(conn) < 0) { /* no space, forget it */ log_warn(LD_NET,"connection_add for listener failed. Giving up."); diff --cc src/or/or.h index 4e19140,ca28c0e..ece2bc7 --- a/src/or/or.h +++ b/src/or/or.h @@@ -1247,37 -1085,11 +1247,41 @@@ typedef struct listener_connection_t /** One or more ISO_ flags to describe how to isolate streams. */ uint8_t isolation_flags; /**@}*/ + /** For SOCKS connections only: If this is set, we will choose "no + * authentication" instead of "username/password" authentication if both + * are offered. Used as input to parse_socks. */ + unsigned int socks_prefer_no_auth : 1;
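Review bot: The `else` branch for non-AP listeners forces `socks_ipv4_traffic` and `socks_ipv6_traffic` to 1 but leaves `socks_prefer_ipv6` untouched, so that bit's value for those listeners depends on how `lis_conn` was allocated rather than on anything written here; if "IPv4 preferred" is the intent, set it explicitly with `lis_conn->socks_prefer_ipv6 = 0;` beside the other two. A one-line comment above the branch, e.g. `/* Only SOCKS listeners can restrict or prefer an address family; all others allow both. */`, would also record why the two bits are unconditionally on. The six cache and automap fields below the branch are read from `port_cfg` for every listener type, so this code now relies on `port_cfg` being non-NULL for all callers, which cannot be confirmed from this hunk. connection_listener_new starts and ends outside this hunk.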
+ /** For a SOCKS listeners, these fields describe whether we should + * allow IPv4 and IPv6 addresses from our exit nodes, respectively. + * + * @{ + */ + unsigned int socks_ipv4_traffic : 1; + unsigned int socks_ipv6_traffic : 1; + /** @} */ + /** For a socks listener: should we tell the exit that we prefer IPv6 + * addresses? */ + unsigned int socks_prefer_ipv6 : 1; + + /** For a socks listener: should we cache IPv4/IPv6 DNS information that + * exit nodes tell us? + * + * @{ */ + unsigned int cache_ipv4_answers : 1; + unsigned int cache_ipv6_answers : 1; + /** @} */ + /** For a socks listeners: if we find an answer in our client-side DNS cache, + * should we use it? + * + * @{ */ + unsigned int use_cached_ipv4_answers : 1; + unsigned int use_cached_ipv6_answers : 1; + /** @} */ + /** For socks listeners: When we can automap an address to IPv4 or IPv6, + * do we prefer IPv6? */ + unsigned int prefer_ipv6_virtaddr : 1; + } listener_connection_t;
/** Minimum length of the random part of an AUTH_CHALLENGE cell. */