[tor/master] Merge branch 'haxxpop/tcp_proxy_squashed' into tcp_proxy_squshed_and_merged

commit 1b63eea66cbb8793a3cff05de8d856ce3b93fc17 Merge: 9276c07a9 14d781fff Author: Nick Mathewson <nickm@torproject.org> Date: Mon Jan 6 13:41:20 2020 -0500 Merge branch 'haxxpop/tcp_proxy_squashed' into tcp_proxy_squshed_and_merged changes/ticket31518 | 6 + doc/tor.1.txt | 16 ++ src/app/config/config.c | 89 +++++++- src/app/config/config.h | 2 + src/app/config/or_options_st.h | 11 + src/core/include.am | 2 + src/core/mainloop/connection.c | 341 ++++++++++++++++++----------- src/core/mainloop/connection.h | 4 +- src/core/or/connection_or.c | 26 ++- src/core/or/connection_or.h | 7 + src/core/or/or.h | 5 +- src/core/or/or_connection_st.h | 2 +- src/core/proto/.may_include | 6 +- src/core/proto/proto_haproxy.c | 45 ++++ src/core/proto/proto_haproxy.h | 12 + src/feature/client/transports.c | 3 + src/feature/control/btrack_orconn_cevent.c | 1 + src/test/include.am | 1 + src/test/test.c | 1 + src/test/test.h | 1 + src/test/test_config.c | 47 ++++ src/test/test_connection.c | 96 +++++++- src/test/test_connection.h | 1 + src/test/test_helpers.c | 81 +++++++ src/test/test_helpers.h | 3 + src/test/test_options.c | 9 +- src/test/test_proto_haproxy.c | 66 ++++++ 27 files changed, 731 insertions(+), 153 deletions(-) diff --cc doc/tor.1.txt index 85369dfce,5bcb6ec2b..e1738c9ba --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@@ -880,63 -910,8 +880,79 @@@ forward slash (/) in the configuration If KIST is used in Schedulers, this is a multiplier of the per-socket limit calculation of the KIST algorithm. (Default: 1.0) -CLIENT OPTIONS --------------- + +[[ServerTransportListenAddr]] **ServerTransportListenAddr** __transport__ __IP__:__PORT__:: + When this option is set, Tor will suggest __IP__:__PORT__ as the + listening address of any pluggable transport proxy that tries to + launch __transport__. (IPv4 addresses should written as-is; IPv6 + addresses should be wrapped in square brackets.) 
(Default: none) + +[[ServerTransportOptions]] **ServerTransportOptions** __transport__ __k=v__ __k=v__ ...:: + When this option is set, Tor will pass the __k=v__ parameters to + any pluggable transport proxy that tries to launch __transport__. + + (Example: ServerTransportOptions obfs45 shared-secret=bridgepasswd cache=/var/lib/tor/cache) (Default: none) + +[[ServerTransportPlugin]] **ServerTransportPlugin** __transport__ exec __path-to-binary__ [options]:: + The Tor relay launches the pluggable transport proxy in __path-to-binary__ + using __options__ as its command-line options, and expects to receive + proxied client traffic from it. (Default: none) + +[[Socks4Proxy]] **Socks4Proxy** __host__[:__port__]:: + Tor will make all OR connections through the SOCKS 4 proxy at host:port + (or host:1080 if port is not specified). + +[[Socks5Proxy]] **Socks5Proxy** __host__[:__port__]:: + Tor will make all OR connections through the SOCKS 5 proxy at host:port + (or host:1080 if port is not specified). + +// Out of order because Username logically precedes Password +[[Socks5ProxyUsername]] **Socks5ProxyUsername** __username__ + + +[[Socks5ProxyPassword]] **Socks5ProxyPassword** __password__:: + If defined, authenticate to the SOCKS 5 server using username and password + in accordance to RFC 1929. Both username and password must be between 1 and + 255 characters. + +[[SyslogIdentityTag]] **SyslogIdentityTag** __tag__:: + When logging to syslog, adds a tag to the syslog identity such that + log entries are marked with "Tor-__tag__". Can not be changed while tor is + running. (Default: none) + ++[[TCPProxy]] **TCPProxy** __protocol__ __host__:__port__:: ++ Tor will use the given protocol to make all its OR (SSL) connections through ++ a TCP proxy on host:port, rather than connecting directly to servers. You may ++ want to set **FascistFirewall** to restrict the set of ports you might try to ++ connect to, if your proxy only allows connecting to certain ports. 
There is no ++ equivalent option for directory connections, because all Tor client versions ++ that support this option download directory documents via OR connections. + +++ ++ The only protocol supported right now 'haproxy'. This option is only for ++ clients. (Default: none) + +++ ++ The HAProxy version 1 proxy protocol is described in detail at ++ https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt + +++ ++ Both source IP address and source port will be set to zero. ++ +[[TruncateLogFile]] **TruncateLogFile** **0**|**1**:: + If 1, Tor will overwrite logs at startup and in response to a HUP signal, + instead of appending to them. (Default: 0) + +[[UnixSocksGroupWritable]] **UnixSocksGroupWritable** **0**|**1**:: + If this option is set to 0, don't allow the filesystem group to read and + write unix sockets (e.g. SocksPort unix:). If the option is set to 1, make + the Unix socket readable and writable by the default GID. (Default: 0) + +[[UseDefaultFallbackDirs]] **UseDefaultFallbackDirs** **0**|**1**:: + Use Tor's default hard-coded FallbackDirs (if any). (When a + FallbackDir line is present, it replaces the hard-coded FallbackDirs, + regardless of the value of UseDefaultFallbackDirs.) (Default: 1) + +[[User]] **User** __Username__:: + On startup, setuid to this user and setgid to their primary group. + Can not be changed while tor is running. 
+ +== CLIENT OPTIONS The following options are useful only for clients (that is, if **SocksPort**, **HTTPTunnelPort**, **TransPort**, **DNSPort**, or diff --cc src/app/config/config.c index 72ab065fb,c67f547cf..65a4dcb0e --- a/src/app/config/config.c +++ b/src/app/config/config.c @@@ -538,8 -522,9 +538,9 @@@ static const config_var_t option_vars_[ V(Socks5Proxy, STRING, NULL), V(Socks5ProxyUsername, STRING, NULL), V(Socks5ProxyPassword, STRING, NULL), + V(TCPProxy, STRING, NULL), - VAR("KeyDirectory", FILENAME, KeyDirectory_option, NULL), - V(KeyDirectoryGroupReadable, BOOL, "0"), + VAR_IMMUTABLE("KeyDirectory", FILENAME, KeyDirectory_option, NULL), + V(KeyDirectoryGroupReadable, AUTOBOOL, "auto"), VAR_D("HSLayer2Nodes", ROUTERSET, HSLayer2Nodes, NULL), VAR_D("HSLayer3Nodes", ROUTERSET, HSLayer3Nodes, NULL), V(KeepalivePeriod, INTERVAL, "5 minutes"), diff --cc src/app/config/config.h index 15c935246,aa2b052c0..2c03714fd --- a/src/app/config/config.h +++ b/src/app/config/config.h @@@ -286,6 -259,15 +286,8 @@@ STATIC const struct config_mgr_t *get_o STATIC void or_options_free_(or_options_t *options); STATIC int options_validate_single_onion(or_options_t *options, char **msg); -STATIC int options_validate(or_options_t *old_options, - or_options_t *options, - or_options_t *default_options, - int from_setconf, char **msg); -STATIC int parse_transport_line(const or_options_t *options, - const char *line, int validate_only, - int server); + STATIC int parse_tcp_proxy_line(const char *line, or_options_t *options, + char **msg); STATIC int consider_adding_dir_servers(const or_options_t *options, const or_options_t *old_options); STATIC void add_default_trusted_dir_authorities(dirinfo_type_t type); diff --cc src/test/test_connection.c index 0d2827670,34ef3fdf1..736998128 --- a/src/test/test_connection.c +++ b/src/test/test_connection.c @@@ -888,8 -969,10 +970,11 @@@ test_failed_orconn_tracker(void *arg /* where arg is an expression (constant, variable, compound expression) 
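Review bot: The new `parse_tcp_proxy_line` prototype in config.h lands without a doc comment stating its result and ownership contract, which matters here because the function writes through both `or_options_t *options` and `char **msg`. A short `/** */` block above it, e.g. `/** Parse a TCPProxy config line into <b>options</b>. Return 0 on success; on failure return -1 and set *<b>msg</b> to an error string the caller frees. */`, would pin that down; the return and `*msg` semantics are presumably the same as the `options_validate(NULL, tdata->opt, &msg)` / `tor_free(msg)` pattern visible in the test_options.c hunk, so confirm them against the definition in config.c before writing the comment. Note also that `options` is non-const here while the `parse_transport_line` declaration removed on the other merge parent took `const or_options_t *`; if the parser only reads from options, `const` would document that.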
*/ #define CONNECTION_TESTCASE_ARG(name, fork, setup, arg) \ { #name "_" #arg, test_conn_##name, fork, &setup, (void *)arg } +#endif /* !defined(COCCI) */ + static const unsigned int PROXY_CONNECT_ARG = PROXY_CONNECT; + static const unsigned int PROXY_HAPROXY_ARG = PROXY_HAPROXY; + struct testcase_t connection_tests[] = { CONNECTION_TESTCASE(get_basic, TT_FORK, test_conn_get_basic_st), CONNECTION_TESTCASE(get_rend, TT_FORK, test_conn_get_rend_st), diff --cc src/test/test_helpers.c index 29743a0d1,f972aca5b..31bf1fcc2 --- a/src/test/test_helpers.c +++ b/src/test/test_helpers.c @@@ -16,9 -17,10 +17,10 @@@ #include "lib/buf/buffers.h" #include "app/config/config.h" -#include "lib/confmgt/confparse.h" +#include "lib/confmgt/confmgt.h" #include "app/main/subsysmgr.h" #include "core/mainloop/connection.h" + #include "core/or/connection_or.h" #include "lib/crypt_ops/crypto_rand.h" #include "core/mainloop/mainloop.h" #include "feature/nodelist/nodelist.h" diff --cc src/test/test_options.c index b99ae7893,394aff45b..ce05eb01f --- a/src/test/test_options.c +++ b/src/test/test_options.c @@@ -2801,23 -2946,27 +2801,24 @@@ test_options_validate__proxy(void *igno tor_free(msg); free_options_test_data(tdata); - tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES - "Socks4Proxy 215.1.1.1\n" + tdata = get_options_test_data("Socks4Proxy 215.1.1.1\n" "Socks5Proxy 215.1.1.2\n" ); - ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + ret = options_validate(NULL, tdata->opt, &msg); tt_int_op(ret, OP_EQ, -1); tt_str_op(msg, OP_EQ, "You have configured more than one proxy type. 
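Review bot: `PROXY_CONNECT_ARG` and `PROXY_HAPROXY_ARG` are added at file scope in test_connection.c with no comment saying why enum values need named `const unsigned int` objects, and the only consumer visible in the hunk is `CONNECTION_TESTCASE_ARG`, whose `(void *)arg` cast silently strips the `const` if the address of these objects is what gets passed (the `connection_tests[]` entries that use them lie outside the hunk, so this is inferred). A comment above the pair such as `/* Addressable copies of the proxy types, so CONNECTION_TESTCASE_ARG can hand the test a pointer through its setup argument; the const is dropped by the macro's cast on purpose. */` would explain the indirection and stop a reader from "fixing" the cast. The `connection_tests[]` array continues past the end of the hunk.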
" - "(Socks4Proxy|Socks5Proxy|HTTPSProxy)"); + "(Socks4Proxy|Socks5Proxy|HTTPSProxy|TCPProxy)"); tor_free(msg); free_options_test_data(tdata); - tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES - "HttpProxy 215.1.1.1\n" - ); + tdata = get_options_test_data("HttpProxy 215.1.1.1\n"); mock_clean_saved_logs(); - ret = options_validate(tdata->old_opt, tdata->opt, tdata->def_opt, 0, &msg); + ret = options_validate(NULL, tdata->opt, &msg); tt_int_op(ret, OP_EQ, 0); - expect_log_msg("HTTPProxy configured, but no SOCKS " - "proxy or HTTPS proxy configured. Watch out: this configuration " - "will proxy unencrypted directory connections only.\n"); + expect_log_msg("HTTPProxy configured, but no SOCKS proxy, " + "HTTPS proxy, or any other TCP proxy configured. Watch out: " + "this configuration will proxy unencrypted directory " + "connections only.\n"); tor_free(msg); free_options_test_data(tdata);
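Review bot: The expected error text in test_options.c now advertises TCPProxy as a fourth conflicting proxy type, but no case in this hunk actually configures TCPProxy alongside another proxy, so the new arm of the "more than one proxy type" check is exercised only through its message string; the 47 added lines in test_config.c may cover it, but if they do not, this function is the natural place for such a case. A constructed example using the `TCPProxy protocol host:port` syntax documented in tor.1.txt is below; the address and port are placeholders. `test_options_validate__proxy` begins before and continues after the hunk.
```c
  /* … unchanged: Socks4Proxy+Socks5Proxy and HttpProxy-only cases … */
  /* constructed example: TCPProxy combined with a SOCKS proxy */
  tdata = get_options_test_data("Socks5Proxy 215.1.1.2\n"
                                "TCPProxy haproxy 215.1.1.3:8080\n");
  ret = options_validate(NULL, tdata->opt, &msg);
  tt_int_op(ret, OP_EQ, -1);
  tt_str_op(msg, OP_EQ, "You have configured more than one proxy type. "
            "(Socks4Proxy|Socks5Proxy|HTTPSProxy|TCPProxy)");
  tor_free(msg);
  free_options_test_data(tdata);
```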