commit 9fc1f843da2a43bc7d3a8b53964e984dd86476e3 Author: Georg Koppen gk@torproject.org Date: Thu Dec 10 09:04:42 2015 +0000

Bug 17801: Remove special tor patches --- gitian/descriptors/linux/gitian-tor.yml | 14 - gitian/descriptors/mac/gitian-tor.yml | 14 - gitian/descriptors/windows/gitian-tor.yml | 14 - gitian/patches/bug15482.patch | 40 -- gitian/patches/bug16430.patch | 93 ---- gitian/patches/bug16674.patch | 74 --- gitian/patches/bug8402-master.patch | 732 ----------------------------- gitian/patches/bug8405.patch | 84 ---- 8 files changed, 1065 deletions(-)

diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml index d8e3557..0e35d2f 100644 --- a/gitian/descriptors/linux/gitian-tor.yml +++ b/gitian/descriptors/linux/gitian-tor.yml @@ -19,11 +19,6 @@ remotes: "dir": "tor" files: - "versions" -- "bug8402-master.patch" -- "bug8405.patch" -- "bug15482.patch" -- "bug16430.patch" -- "bug16674.patch" - "dzip.sh" - "openssl-linux32-utils.zip" - "openssl-linux64-utils.zip" @@ -76,15 +71,6 @@ script: | # Building tor cd tor git update-index --refresh -q - export GIT_COMMITTER_NAME="nobody" - export GIT_COMMITTER_EMAIL="nobody@localhost" - export GIT_COMMITTER_DATE="$REFERENCE_DATETIME" - if [ ${TOR_TAG::9} == "tor-0.2.6" ]; - then - git am ~/build/bug15482.patch - git am ~/build/bug16430.patch - git am ~/build/bug16674.patch - fi mkdir -p $OUTDIR/src #git archive HEAD | tar -x -C $OUTDIR/src ./autogen.sh diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml index 857b5de..a6824c0 100644 --- a/gitian/descriptors/mac/gitian-tor.yml +++ b/gitian/descriptors/mac/gitian-tor.yml @@ -15,11 +15,6 @@ remotes: "dir": "tor" files: - "versions" -- "bug8402-master.patch" -- "bug8405.patch" -- "bug15482.patch" -- "bug16430.patch" -- "bug16674.patch" - "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb" - "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz" - "dzip.sh" @@ -54,15 +49,6 @@ script: | export LDFLAGS="-m64 -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/ -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/system/ -mmacosx-version-min=10.5" cd tor git update-index --refresh -q - export GIT_COMMITTER_NAME="nobody" - export GIT_COMMITTER_EMAIL="nobody@localhost" - export GIT_COMMITTER_DATE="$REFERENCE_DATETIME" - if [ ${TOR_TAG::9} == "tor-0.2.6" ]; - then - git am ~/build/bug15482.patch - git am ~/build/bug16430.patch - git am ~/build/bug16674.patch - fi mkdir -p $OUTDIR/src #git archive HEAD | tar -x -C $OUTDIR/src ./autogen.sh diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml index 601dc4e..63b527a 100644 --- a/gitian/descriptors/windows/gitian-tor.yml +++ b/gitian/descriptors/windows/gitian-tor.yml @@ -15,11 +15,6 @@ remotes: "dir": "tor" files: - "versions" -- "bug8402-master.patch" -- "bug8405.patch" -- "bug15482.patch" -- "bug16430.patch" -- "bug16674.patch" - "binutils.tar.bz2" - "dzip.sh" - "mingw-w64-win32-utils.zip" @@ -54,15 +49,6 @@ script: | # Building tor cd tor git update-index --refresh -q - export GIT_COMMITTER_NAME="nobody" - export GIT_COMMITTER_EMAIL="nobody@localhost" - export GIT_COMMITTER_DATE="$REFERENCE_DATETIME" - if [ ${TOR_TAG::9} == "tor-0.2.6" ]; - then - git am ~/build/bug15482.patch - git am ~/build/bug16430.patch - git am ~/build/bug16674.patch - fi mkdir -p $OUTDIR/src #git archive HEAD | tar -x -C $OUTDIR/src # We are building normal bundles without the console popping up and expert diff --git a/gitian/patches/bug15482.patch b/gitian/patches/bug15482.patch deleted file mode 100644 index df8a156..0000000 --- a/gitian/patches/bug15482.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 748414784f71126b093aa7466908e00f71a7b046 Mon Sep 17 00:00:00 2001 -From: Mike Perry mikeperry-git@torproject.org -Date: Fri, 27 Mar 2015 12:57:37 -0700 -Subject: [PATCH] Bug 15482: Don't abandon circuits that are still in use for - browsing. - -Only applies to connections with SOCKS auth set, so that non-web Tor -activity is not affected. - -Simpler version of Nick's patch because the randomness worried me, and I'm not -otherwise sure why we want a max here. ---- - src/or/circuituse.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/or/circuituse.c b/src/or/circuituse.c -index d0d31ad..6cce4bf 100644 ---- a/src/or/circuituse.c -+++ b/src/or/circuituse.c -@@ -2264,8 +2264,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn, - - base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT; - -- if (!circ->base_.timestamp_dirty) -- circ->base_.timestamp_dirty = time(NULL); -+ if (!circ->base_.timestamp_dirty) { -+ circ->base_.timestamp_dirty = approx_time(); -+ } else if ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) && -+ (conn->socks_request->usernamelen || -+ conn->socks_request->passwordlen)) { -+ /* When stream isolation is in use and controlled by an application -+ * we are willing to keep using the stream. */ -+ circ->base_.timestamp_dirty = approx_time(); -+ } - - pathbias_count_use_attempt(circ); - --- -1.9.1 - diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch deleted file mode 100644 index 81bbe3e..0000000 --- a/gitian/patches/bug16430.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001 -From: Yawning Angel yawning@schwanenlied.me -Date: Wed, 24 Jun 2015 13:52:29 +0000 -Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS - checks. - -RFC 952 is approximately 30 years old, and people are failing to comply, -by serving A records with '_' as part of the hostname. Since relaxing -the check is a QOL improvement for our userbase, relax the check to -allow such abominations as destinations, especially since there are -likely to be other similarly misconfigured domains out there. ---- - changes/bug16430 | 4 ++++ - src/common/util.c | 7 +++++-- - src/test/test_util.c | 9 +++++++-- - 3 files changed, 16 insertions(+), 4 deletions(-) - create mode 100644 changes/bug16430 - -diff --git a/changes/bug16430 b/changes/bug16430 -new file mode 100644 -index 0000000..ca7b874 ---- /dev/null -+++ b/changes/bug16430 -@@ -0,0 +1,4 @@ -+ o Minor features (client): -+ - Relax the validation done to hostnames in SOCKS5 requests, and allow -+ '_' to cope with domains observed in the wild that are serving non-RFC -+ compliant records. Resolves ticket 16430. -diff --git a/src/common/util.c b/src/common/util.c -index 942d0c2..4490150 100644 ---- a/src/common/util.c -+++ b/src/common/util.c -@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string) - - /** Return true iff <b>string</b> matches a pattern of DNS names - * that we allow Tor clients to connect to. -+ * -+ * Note: This allows certain technically invalid characters ('_') to cope -+ * with misconfigured zones that have been encountered in the wild. - */ - int - string_is_valid_hostname(const char *string) -@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string) - smartlist_split_string(components,string,".",0,0); - - SMARTLIST_FOREACH_BEGIN(components, char *, c) { -- if (c[0] == '-') { -+ if ((c[0] == '-') || (*c == '_')) { - result = 0; - break; - } -@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string) - if ((*c >= 'a' && *c <= 'z') || - (*c >= 'A' && *c <= 'Z') || - (*c >= '0' && *c <= '9') || -- (*c == '-')) -+ (*c == '-') || (*c == '_')) - c++; - else - result = 0; -diff --git a/src/test/test_util.c b/src/test/test_util.c -index b0366db..0f64c26 100644 ---- a/src/test/test_util.c -+++ b/src/test/test_util.c -@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg) - tt_assert(string_is_valid_hostname("stanford.edu")); - tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp")); - -- // Subdomain name cannot start with '-'. -+ // Subdomain name cannot start with '-' or '_'. - tt_assert(!string_is_valid_hostname("-torproject.org")); - tt_assert(!string_is_valid_hostname("subdomain.-domain.org")); - tt_assert(!string_is_valid_hostname("-subdomain.domain.org")); -+ tt_assert(!string_is_valid_hostname("___abc.org")); - - // Hostnames cannot contain non-alphanumeric characters. - tt_assert(!string_is_valid_hostname("%%domain.\org.")); - tt_assert(!string_is_valid_hostname("***x.net")); -- tt_assert(!string_is_valid_hostname("___abc.org")); - tt_assert(!string_is_valid_hostname("\xff\xffxyz.org")); - tt_assert(!string_is_valid_hostname("word1 word2.net")); - -+ // Test workaround for nytimes.com stupidity, technically invalid, -+ // but we allow it since they are big, even though they are failing to -+ // comply with a ~30 year old standard. -+ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com")); -+ - // XXX: do we allow single-label DNS names? - - done: --- -1.9.1 - diff --git a/gitian/patches/bug16674.patch b/gitian/patches/bug16674.patch deleted file mode 100644 index 9497684..0000000 --- a/gitian/patches/bug16674.patch +++ /dev/null @@ -1,74 +0,0 @@ -From da6aa7bfa5014b980a93b38024d16b32720dc67a Mon Sep 17 00:00:00 2001 -From: Yawning Angel yawning@schwanenlied.me -Date: Mon, 27 Jul 2015 12:58:40 +0000 -Subject: [PATCH] Allow a single trailing `.` when validating FQDNs from SOCKS. - -URI syntax (and DNS syntax) allows for a single trailing `.` to -explicitly distinguish between a relative and absolute -(fully-qualified) domain name. While this is redundant in that RFC 1928 -DOMAINNAME addresses are *always* fully-qualified, certain clients -blindly pass the trailing `.` along in the request. - -Fixes bug 16674; bugfix on 0.2.6.2-alpha. ---- - changes/bug16674 | 5 +++++ - src/common/util.c | 6 ++++++ - src/test/test_util.c | 12 ++++++++++++ - 3 files changed, 23 insertions(+) - create mode 100644 changes/bug16674 - -diff --git a/changes/bug16674 b/changes/bug16674 -new file mode 100644 -index 0000000..de55523 ---- /dev/null -+++ b/changes/bug16674 -@@ -0,0 +1,5 @@ -+ o Minor features (client): -+ - Relax the validation done to hostnames in SOCKS5 requests, and allow -+ a single trailing '.' to cope with clients that pass FQDNs using that -+ syntax to explicitly indicate that the domain name is -+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha. -diff --git a/src/common/util.c b/src/common/util.c -index 618e6a1..1aac4fc 100644 ---- a/src/common/util.c -+++ b/src/common/util.c -@@ -1056,6 +1056,12 @@ string_is_valid_hostname(const char *string) - break; - } - -+ /* Allow a single terminating '.' used rarely to indicate domains -+ * are FQDNs rather than relative. */ -+ if ((c_sl_idx > 0) && (c_sl_idx + 1 == c_sl_len) && !*c) { -+ continue; -+ } -+ - do { - if ((*c >= 'a' && *c <= 'z') || - (*c >= 'A' && *c <= 'Z') || -diff --git a/src/test/test_util.c b/src/test/test_util.c -index 0f64c26..2bffb17 100644 ---- a/src/test/test_util.c -+++ b/src/test/test_util.c -@@ -4285,7 +4285,19 @@ test_util_hostname_validation(void *arg) - // comply with a ~30 year old standard. - tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com")); - -+ // Firefox passes FQDNs with trailing '.'s directly to the SOCKS proxy, -+ // which is redundant since the spec states DOMAINNAME addresses are fully -+ // qualified. While unusual, this should be tollerated. -+ tt_assert(string_is_valid_hostname("core9_euw1.fabrik.nytimes.com.")); -+ tt_assert(!string_is_valid_hostname("..washingtonpost.is.better.com")); -+ tt_assert(!string_is_valid_hostname("so.is..ft.com")); -+ tt_assert(!string_is_valid_hostname("...")); -+ - // XXX: do we allow single-label DNS names? -+ // We shouldn't for SOCKS (spec says "contains a fully-qualified domain name" -+ // but only test pathologically malformed traling '.' cases for now. -+ tt_assert(!string_is_valid_hostname(".")); -+ tt_assert(!string_is_valid_hostname("..")); - - done: - return; --- -1.9.1 - diff --git a/gitian/patches/bug8402-master.patch b/gitian/patches/bug8402-master.patch deleted file mode 100644 index 5a6386a..0000000 --- a/gitian/patches/bug8402-master.patch +++ /dev/null @@ -1,732 +0,0 @@ -From 9d7410ac5837658efa9b2d7d85c0c71f09a7a759 Mon Sep 17 00:00:00 2001 -From: Yawning Angel yawning@schwanenlied.me -Date: Tue, 25 Mar 2014 07:21:22 +0000 -Subject: [PATCH 1/5] Allow ClientTransportPlugins to use proxies - -This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with -ClientTransportPlugins via the TOR_PT_PROXY extension to the -pluggable transport specification. - -This fixes bug #8402. ---- - src/or/config.c | 13 ++++-- - src/or/connection.c | 62 +++++++++++++++++++++-------- - src/or/transports.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++-- - src/or/transports.h | 6 +++ - src/test/test_pt.c | 81 +++++++++++++++++++++++++++++++++++++ - 5 files changed, 251 insertions(+), 23 deletions(-) - -diff --git a/src/or/config.c b/src/or/config.c -index 0f7b1d2..b33098e 100644 ---- a/src/or/config.c -+++ b/src/or/config.c -@@ -3174,11 +3174,11 @@ options_validate(or_options_t *old_options, or_options_t *options, - } - } - -- /* Check if more than one proxy type has been enabled. */ -+ /* Check if more than one exclusive proxy type has been enabled. */ - if (!!options->Socks4Proxy + !!options->Socks5Proxy + -- !!options->HTTPSProxy + !!options->ClientTransportPlugin > 1) -+ !!options->HTTPSProxy > 1) - REJECT("You have configured more than one proxy type. " -- "(Socks4Proxy|Socks5Proxy|HTTPSProxy|ClientTransportPlugin)"); -+ "(Socks4Proxy|Socks5Proxy|HTTPSProxy)"); - - /* Check if the proxies will give surprising behavior. */ - if (options->HTTPProxy && !(options->Socks4Proxy || -@@ -4842,6 +4842,13 @@ parse_client_transport_line(const or_options_t *options, - pt_kickstart_client_proxy(transport_list, proxy_argv); - } - } else { /* external */ -+ /* ClientTransportPlugins connecting through a proxy is managed only. */ -+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) { -+ log_warn(LD_CONFIG, "You have configured an external proxy with another " -+ "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy)"); -+ goto err; -+ } -+ - if (smartlist_len(transport_list) != 1) { - log_warn(LD_CONFIG, "You can't have an external proxy with " - "more than one transports."); -diff --git a/src/or/connection.c b/src/or/connection.c -index cef9172..b32cddf 100644 ---- a/src/or/connection.c -+++ b/src/or/connection.c -@@ -86,6 +86,8 @@ static int connection_read_https_proxy_response(connection_t *conn); - static void connection_send_socks5_connect(connection_t *conn); - static const char *proxy_type_to_string(int proxy_type); - static int get_proxy_type(void); -+static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, -+ int *proxy_type, const connection_t *conn); - - /** The last addresses that our network interface seemed to have been - * binding to. We use this as one way to detect when our IP changes. -@@ -1689,14 +1691,14 @@ get_proxy_type(void) - { - const or_options_t *options = get_options(); - -- if (options->HTTPSProxy) -+ if (options->ClientTransportPlugin) -+ return PROXY_PLUGGABLE; -+ else if (options->HTTPSProxy) - return PROXY_CONNECT; - else if (options->Socks4Proxy) - return PROXY_SOCKS4; - else if (options->Socks5Proxy) - return PROXY_SOCKS5; -- else if (options->ClientTransportPlugin) -- return PROXY_PLUGGABLE; - else - return PROXY_NONE; - } -@@ -4771,6 +4773,35 @@ assert_connection_ok(connection_t *conn, time_t now) - } - - /** Fills <b>addr</b> and <b>port</b> with the details of the global -+ * pluggable transport or bridge we are using. -+ * <b>conn</b> contains the connection we are using the PT/bridge for. -+ * -+ * Return 0 on success, -1 on failure. -+ */ -+static int -+get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type, -+ const connection_t *conn) -+{ -+ const or_options_t *options = get_options(); -+ -+ if (options->ClientTransportPlugin || options->Bridges) { -+ const transport_t *transport = NULL; -+ int r; -+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport); -+ if (r<0) -+ return -1; -+ if (transport) { /* transport found */ -+ tor_addr_copy(addr, &transport->addr); -+ *port = transport->port; -+ *proxy_type = transport->socks_version; -+ return 0; -+ } -+ } -+ -+ return -1; -+} -+ -+/** Fills <b>addr</b> and <b>port</b> with the details of the global - * proxy server we are using. - * <b>conn</b> contains the connection we are using the proxy for. - * -@@ -4782,6 +4813,16 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type, - { - const or_options_t *options = get_options(); - -+ /* Client Transport Plugins can use another proxy, but that should be hidden -+ * from the rest of tor (as the plugin is responsible for dealing with the -+ * proxy), check it first, then check the rest of the proxy types to allow -+ * the config to have unused ClientTransportPlugin entries. -+ */ -+ if (options->ClientTransportPlugin) { -+ if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0) -+ return 0; -+ } -+ - if (options->HTTPSProxy) { - tor_addr_copy(addr, &options->HTTPSProxyAddr); - *port = options->HTTPSProxyPort; -@@ -4797,19 +4838,8 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type, - *port = options->Socks5ProxyPort; - *proxy_type = PROXY_SOCKS5; - return 0; -- } else if (options->ClientTransportPlugin || -- options->Bridges) { -- const transport_t *transport = NULL; -- int r; -- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport); -- if (r<0) -- return -1; -- if (transport) { /* transport found */ -- tor_addr_copy(addr, &transport->addr); -- *port = transport->port; -- *proxy_type = transport->socks_version; -- return 0; -- } -+ } else if (options->Bridges) { -+ return get_bridge_pt_addrport(addr, port, proxy_type, conn); - } - - tor_addr_make_unspec(addr); -diff --git a/src/or/transports.c b/src/or/transports.c -index dc30754..b810315 100644 ---- a/src/or/transports.c -+++ b/src/or/transports.c -@@ -124,6 +124,8 @@ static INLINE void free_execve_args(char **arg); - #define PROTO_SMETHOD_ERROR "SMETHOD-ERROR" - #define PROTO_CMETHODS_DONE "CMETHODS DONE" - #define PROTO_SMETHODS_DONE "SMETHODS DONE" -+#define PROTO_PROXY_DONE "PROXY DONE" -+#define PROTO_PROXY_ERROR "PROXY-ERROR" - - /** The first and only supported - at the moment - configuration - protocol version. */ -@@ -439,6 +441,17 @@ add_transport_to_proxy(const char *transport, managed_proxy_t *mp) - static int - proxy_needs_restart(const managed_proxy_t *mp) - { -+ int ret = 1; -+ char* proxy_uri; -+ -+ /* If the PT proxy config has changed, then all existing pluggable transports -+ * should be restarted. -+ */ -+ -+ proxy_uri = get_pt_proxy_uri(); -+ if (strcmp_opt(proxy_uri, mp->proxy_uri) != 0) -+ goto needs_restart; -+ - /* mp->transport_to_launch is populated with the names of the - transports that must be launched *after* the SIGHUP. - mp->transports is populated with the transports that were -@@ -459,10 +472,10 @@ proxy_needs_restart(const managed_proxy_t *mp) - - } SMARTLIST_FOREACH_END(t); - -- return 0; -- -- needs_restart: -- return 1; -+ ret = 0; -+needs_restart: -+ tor_free(proxy_uri); -+ return ret; - } - - /** Managed proxy <b>mp</b> must be restarted. Do all the necessary -@@ -493,6 +506,11 @@ proxy_prepare_for_restart(managed_proxy_t *mp) - SMARTLIST_FOREACH(mp->transports, transport_t *, t, transport_free(t)); - smartlist_clear(mp->transports); - -+ /* Reset the proxy's HTTPS/SOCKS proxy */ -+ tor_free(mp->proxy_uri); -+ mp->proxy_uri = get_pt_proxy_uri(); -+ mp->proxy_supported = 0; -+ - /* flag it as an infant proxy so that it gets launched on next tick */ - mp->conf_state = PT_PROTO_INFANT; - unconfigured_proxies_n++; -@@ -727,12 +745,52 @@ managed_proxy_destroy(managed_proxy_t *mp, - /* free the argv */ - free_execve_args(mp->argv); - -+ /* free the outgoing proxy URI */ -+ tor_free(mp->proxy_uri); -+ - tor_process_handle_destroy(mp->process_handle, also_terminate_process); - mp->process_handle = NULL; - - tor_free(mp); - } - -+/** Convert the tor proxy options to a URI suitable for TOR_PT_PROXY. */ -+STATIC char * -+get_pt_proxy_uri(void) -+{ -+ const or_options_t *options = get_options(); -+ char *uri = NULL; -+ -+ if (options->Socks4Proxy || options->Socks5Proxy || options->HTTPSProxy) { -+ char addr[TOR_ADDR_BUF_LEN+1]; -+ -+ if (options->Socks4Proxy) { -+ tor_addr_to_str(addr, &options->Socks4ProxyAddr, sizeof(addr), 1); -+ tor_asprintf(&uri, "socks4a://%s:%d", addr, options->Socks4ProxyPort); -+ } else if (options->Socks5Proxy) { -+ tor_addr_to_str(addr, &options->Socks5ProxyAddr, sizeof(addr), 1); -+ if (!options->Socks5ProxyUsername && !options->Socks5ProxyPassword) { -+ tor_asprintf(&uri, "socks5://%s:%d", addr, options->Socks5ProxyPort); -+ } else { -+ tor_asprintf(&uri, "socks5://%s:%s@%s:%d", -+ options->Socks5ProxyUsername, -+ options->Socks5ProxyPassword, -+ addr, options->Socks5ProxyPort); -+ } -+ } else if (options->HTTPSProxy) { -+ tor_addr_to_str(addr, &options->HTTPSProxyAddr, sizeof(addr), 1); -+ if (!options->HTTPSProxyAuthenticator) { -+ tor_asprintf(&uri, "http://%s:%d", addr, options->HTTPSProxyPort); -+ } else { -+ tor_asprintf(&uri, "http://%s@%s:%d", options->HTTPSProxyAuthenticator, -+ addr, options->HTTPSProxyPort); -+ } -+ } -+ } -+ -+ return uri; -+} -+ - /** Handle a configured or broken managed proxy <b>mp</b>. */ - static void - handle_finished_proxy(managed_proxy_t *mp) -@@ -745,6 +803,12 @@ handle_finished_proxy(managed_proxy_t *mp) - managed_proxy_destroy(mp, 0); /* destroy it but don't terminate */ - break; - case PT_PROTO_CONFIGURED: /* if configured correctly: */ -+ if (mp->proxy_uri && !mp->proxy_supported) { -+ log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the " -+ "specified outgoing proxy.", mp->argv[0]); -+ managed_proxy_destroy(mp, 1); /* annihilate it. */ -+ break; -+ } - register_proxy(mp); /* register its transports */ - mp->conf_state = PT_PROTO_COMPLETED; /* and mark it as completed. */ - break; -@@ -862,6 +926,22 @@ handle_proxy_line(const char *line, managed_proxy_t *mp) - goto err; - - return; -+ } else if (!strcmpstart(line, PROTO_PROXY_DONE)) { -+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS) -+ goto err; -+ -+ if (mp->proxy_uri) { -+ mp->proxy_supported = 1; -+ return; -+ } -+ -+ /* No proxy was configured, this should log */ -+ } else if (!strcmpstart(line, PROTO_PROXY_ERROR)) { -+ if (mp->conf_state != PT_PROTO_ACCEPTING_METHODS) -+ goto err; -+ -+ parse_proxy_error(line); -+ goto err; - } else if (!strcmpstart(line, SPAWN_ERROR_MESSAGE)) { - /* managed proxy launch failed: parse error message to learn why. */ - int retval, child_state, saved_errno; -@@ -1128,6 +1208,21 @@ parse_cmethod_line(const char *line, managed_proxy_t *mp) - return r; - } - -+/** Parses an PROXY-ERROR <b>line</b> and warns the user accordingly. */ -+STATIC void -+parse_proxy_error(const char *line) -+{ -+ /* (Length of the protocol string) plus (a space) and (the first char of -+ the error message) */ -+ if (strlen(line) < (strlen(PROTO_PROXY_ERROR) + 2)) -+ log_notice(LD_CONFIG, "Managed proxy sent us an %s without an error " -+ "message.", PROTO_PROXY_ERROR); -+ -+ log_warn(LD_CONFIG, "Managed proxy failed to configure the " -+ "pluggable transport's outgoing proxy. (%s)", -+ line+strlen(PROTO_PROXY_ERROR)+1); -+} -+ - /** Return a newly allocated string that tor should place in - * TOR_PT_SERVER_TRANSPORT_OPTIONS while configuring the server - * manged proxy in <b>mp</b>. Return NULL if no such options are found. */ -@@ -1292,6 +1387,14 @@ create_managed_proxy_environment(const managed_proxy_t *mp) - } else { - smartlist_add_asprintf(envs, "TOR_PT_EXTENDED_SERVER_PORT="); - } -+ } else { -+ /* If ClientTransportPlugin has a HTTPS/SOCKS proxy configured, set the -+ * TOR_PT_PROXY line. -+ */ -+ -+ if (mp->proxy_uri) { -+ smartlist_add_asprintf(envs, "TOR_PT_PROXY=%s", mp->proxy_uri); -+ } - } - - SMARTLIST_FOREACH_BEGIN(envs, const char *, env_var) { -@@ -1324,6 +1427,7 @@ managed_proxy_create(const smartlist_t *transport_list, - mp->is_server = is_server; - mp->argv = proxy_argv; - mp->transports = smartlist_new(); -+ mp->proxy_uri = get_pt_proxy_uri(); - - mp->transports_to_launch = smartlist_new(); - SMARTLIST_FOREACH(transport_list, const char *, transport, -diff --git a/src/or/transports.h b/src/or/transports.h -index 1365ead..bc2331d 100644 ---- a/src/or/transports.h -+++ b/src/or/transports.h -@@ -81,6 +81,9 @@ typedef struct { - char **argv; /* the cli arguments of this proxy */ - int conf_protocol; /* the configuration protocol version used */ - -+ char *proxy_uri; /* the outgoing proxy in TOR_PT_PROXY URI format */ -+ int proxy_supported : 1; /* the proxy claims to honor TOR_PT_PROXY */ -+ - int is_server; /* is it a server proxy? */ - - /* A pointer to the process handle of this managed proxy. */ -@@ -112,6 +115,7 @@ STATIC int parse_smethod_line(const char *line, managed_proxy_t *mp); - - STATIC int parse_version(const char *line, managed_proxy_t *mp); - STATIC void parse_env_error(const char *line); -+STATIC void parse_proxy_error(const char *line); - STATIC void handle_proxy_line(const char *line, managed_proxy_t *mp); - STATIC char *get_transport_options_for_server_proxy(const managed_proxy_t *mp); - -@@ -123,6 +127,8 @@ STATIC managed_proxy_t *managed_proxy_create(const smartlist_t *transport_list, - - STATIC int configure_proxy(managed_proxy_t *mp); - -+STATIC char* get_pt_proxy_uri(void); -+ - #endif - - #endif -diff --git a/src/test/test_pt.c b/src/test/test_pt.c -index f71627d..788d420 100644 ---- a/src/test/test_pt.c -+++ b/src/test/test_pt.c -@@ -450,6 +450,85 @@ test_pt_configure_proxy(void *arg) - tor_free(mp); - } - -+/* Test the get_pt_proxy_uri() function. */ -+static void -+test_get_pt_proxy_uri(void *arg) -+{ -+ or_options_t *options = get_options_mutable(); -+ char *uri = NULL; -+ int ret; -+ (void) arg; -+ -+ /* Test with no proxy. */ -+ uri = get_pt_proxy_uri(); -+ tt_assert(uri == NULL); -+ -+ /* Test with a SOCKS4 proxy. */ -+ options->Socks4Proxy = "192.0.2.1:1080"; -+ ret = tor_addr_port_lookup(options->Socks4Proxy, -+ &options->Socks4ProxyAddr, -+ &options->Socks4ProxyPort); -+ tt_assert(ret == 0); -+ uri = get_pt_proxy_uri(); -+ tt_str_op(uri, ==, "socks4a://192.0.2.1:1080"); -+ tor_free(uri); -+ -+ options->Socks4Proxy = NULL; -+ -+ /* Test with a SOCKS5 proxy, no username/password. */ -+ options->Socks5Proxy = "192.0.2.1:1080"; -+ ret = tor_addr_port_lookup(options->Socks5Proxy, -+ &options->Socks5ProxyAddr, -+ &options->Socks5ProxyPort); -+ tt_assert(ret == 0); -+ uri = get_pt_proxy_uri(); -+ tt_str_op(uri, ==, "socks5://192.0.2.1:1080"); -+ tor_free(uri); -+ -+ /* Test with a SOCKS5 proxy, with username/password. */ -+ options->Socks5ProxyUsername = "hwest"; -+ options->Socks5ProxyPassword = "r34n1m470r"; -+ uri = get_pt_proxy_uri(); -+ tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080"); -+ tor_free(uri); -+ -+ options->Socks5Proxy = NULL; -+ -+ /* Test with a HTTPS proxy, no authenticator. */ -+ options->HTTPSProxy = "192.0.2.1:80"; -+ ret = tor_addr_port_lookup(options->HTTPSProxy, -+ &options->HTTPSProxyAddr, -+ &options->HTTPSProxyPort); -+ tt_assert(ret == 0); -+ uri = get_pt_proxy_uri(); -+ tt_str_op(uri, ==, "http://192.0.2.1:80"); -+ tor_free(uri); -+ -+ /* Test with a HTTPS proxy, with authenticator. */ -+ options->HTTPSProxyAuthenticator = "hwest:r34n1m470r"; -+ uri = get_pt_proxy_uri(); -+ tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80"); -+ tor_free(uri); -+ -+ options->HTTPSProxy = NULL; -+ -+ /* Token nod to the fact that IPv6 exists. */ -+ options->Socks4Proxy = "[2001:db8::1]:1080"; -+ ret = tor_addr_port_lookup(options->Socks4Proxy, -+ &options->Socks4ProxyAddr, -+ &options->Socks4ProxyPort); -+ tt_assert(ret == 0); -+ uri = get_pt_proxy_uri(); -+ tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080"); -+ tor_free(uri); -+ -+ -+ done: -+ if (uri) -+ tor_free(uri); -+} -+ -+ - #define PT_LEGACY(name) \ - { #name, legacy_test_helper, 0, &legacy_setup, test_pt_ ## name } - -@@ -462,6 +541,8 @@ struct testcase_t pt_tests[] = { - NULL, NULL }, - { "configure_proxy",test_pt_configure_proxy, TT_FORK, - NULL, NULL }, -+ { "get_pt_proxy_uri", test_get_pt_proxy_uri, TT_FORK, -+ NULL, NULL }, - END_OF_TESTCASES - }; - --- -2.0.0.rc2 - - -From 92eecbfee128b22b07bcc97ac36ecdd5183c2da7 Mon Sep 17 00:00:00 2001 -From: Yawning Angel yawning@schwanenlied.me -Date: Mon, 14 Apr 2014 21:51:34 +0000 -Subject: [PATCH 2/5] Fixed the test build with --enable-gcc-warnings - ---- - src/test/test_pt.c | 28 ++++++++++++++-------------- - 1 file changed, 14 insertions(+), 14 deletions(-) - -diff --git a/src/test/test_pt.c b/src/test/test_pt.c -index 788d420..cfbd084 100644 ---- a/src/test/test_pt.c -+++ b/src/test/test_pt.c -@@ -464,7 +464,7 @@ test_get_pt_proxy_uri(void *arg) - tt_assert(uri == NULL); - - /* Test with a SOCKS4 proxy. */ -- options->Socks4Proxy = "192.0.2.1:1080"; -+ options->Socks4Proxy = tor_strdup("192.0.2.1:1080"); - ret = tor_addr_port_lookup(options->Socks4Proxy, - &options->Socks4ProxyAddr, - &options->Socks4ProxyPort); -@@ -472,11 +472,10 @@ test_get_pt_proxy_uri(void *arg) - uri = get_pt_proxy_uri(); - tt_str_op(uri, ==, "socks4a://192.0.2.1:1080"); - tor_free(uri); -- -- options->Socks4Proxy = NULL; -+ tor_free(options->Socks4Proxy); - - /* Test with a SOCKS5 proxy, no username/password. */ -- options->Socks5Proxy = "192.0.2.1:1080"; -+ options->Socks5Proxy = tor_strdup("192.0.2.1:1080"); - ret = tor_addr_port_lookup(options->Socks5Proxy, - &options->Socks5ProxyAddr, - &options->Socks5ProxyPort); -@@ -486,16 +485,17 @@ test_get_pt_proxy_uri(void *arg) - tor_free(uri); - - /* Test with a SOCKS5 proxy, with username/password. */ -- options->Socks5ProxyUsername = "hwest"; -- options->Socks5ProxyPassword = "r34n1m470r"; -+ options->Socks5ProxyUsername = tor_strdup("hwest"); -+ options->Socks5ProxyPassword = tor_strdup("r34n1m470r"); - uri = get_pt_proxy_uri(); - tt_str_op(uri, ==, "socks5://hwest:r34n1m470r@192.0.2.1:1080"); - tor_free(uri); -- -- options->Socks5Proxy = NULL; -+ tor_free(options->Socks5Proxy); -+ tor_free(options->Socks5ProxyUsername); -+ tor_free(options->Socks5ProxyPassword); - - /* Test with a HTTPS proxy, no authenticator. */ -- options->HTTPSProxy = "192.0.2.1:80"; -+ options->HTTPSProxy = tor_strdup("192.0.2.1:80"); - ret = tor_addr_port_lookup(options->HTTPSProxy, - &options->HTTPSProxyAddr, - &options->HTTPSProxyPort); -@@ -505,15 +505,15 @@ test_get_pt_proxy_uri(void *arg) - tor_free(uri); - - /* Test with a HTTPS proxy, with authenticator. */ -- options->HTTPSProxyAuthenticator = "hwest:r34n1m470r"; -+ options->HTTPSProxyAuthenticator = tor_strdup("hwest:r34n1m470r"); - uri = get_pt_proxy_uri(); - tt_str_op(uri, ==, "http://hwest:r34n1m470r@192.0.2.1:80"); - tor_free(uri); -- -- options->HTTPSProxy = NULL; -+ tor_free(options->HTTPSProxy); -+ tor_free(options->HTTPSProxyAuthenticator); - - /* Token nod to the fact that IPv6 exists. */ -- options->Socks4Proxy = "[2001:db8::1]:1080"; -+ options->Socks4Proxy = tor_strdup("[2001:db8::1]:1080"); - ret = tor_addr_port_lookup(options->Socks4Proxy, - &options->Socks4ProxyAddr, - &options->Socks4ProxyPort); -@@ -521,7 +521,7 @@ test_get_pt_proxy_uri(void *arg) - uri = get_pt_proxy_uri(); - tt_str_op(uri, ==, "socks4a://[2001:db8::1]:1080"); - tor_free(uri); -- -+ tor_free(options->Socks4Proxy); - - done: - if (uri) --- -2.0.0.rc2 - - -From 8361223c10eb929b570e72853a5d9e51b67fd6c3 Mon Sep 17 00:00:00 2001 -From: Yawning Angel yawning@schwanenlied.me -Date: Thu, 1 May 2014 03:30:09 +0000 -Subject: [PATCH 3/5] Remove get_bridge_pt_addrport(). - -The code was not disambiguating ClientTransportPlugin configured and -not used, and ClientTransportPlugin configured, but in a failed state. - -The right thing to do is to undo moving the get_transport_by_addrport() -call back into get_proxy_addrport(), and remove and explicit check for -using a Bridge since by the time the check is made, if a Bridge is -being used, it is PT/proxy-less. ---- - src/or/connection.c | 46 ++++++++++++---------------------------------- - 1 file changed, 12 insertions(+), 34 deletions(-) - -diff --git a/src/or/connection.c b/src/or/connection.c -index b32cddf..ff8cdf1 100644 ---- a/src/or/connection.c -+++ b/src/or/connection.c -@@ -86,8 +86,6 @@ static int connection_read_https_proxy_response(connection_t *conn); - static void connection_send_socks5_connect(connection_t *conn); - static const char *proxy_type_to_string(int proxy_type); - static int get_proxy_type(void); --static int get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, -- int *proxy_type, const connection_t *conn); - - /** The last addresses that our network interface seemed to have been - * binding to. We use this as one way to detect when our IP changes. -@@ -4773,35 +4771,6 @@ assert_connection_ok(connection_t *conn, time_t now) - } - - /** Fills <b>addr</b> and <b>port</b> with the details of the global -- * pluggable transport or bridge we are using. -- * <b>conn</b> contains the connection we are using the PT/bridge for. -- * -- * Return 0 on success, -1 on failure. -- */ --static int --get_bridge_pt_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type, -- const connection_t *conn) --{ -- const or_options_t *options = get_options(); -- -- if (options->ClientTransportPlugin || options->Bridges) { -- const transport_t *transport = NULL; -- int r; -- r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport); -- if (r<0) -- return -1; -- if (transport) { /* transport found */ -- tor_addr_copy(addr, &transport->addr); -- *port = transport->port; -- *proxy_type = transport->socks_version; -- return 0; -- } -- } -- -- return -1; --} -- --/** Fills <b>addr</b> and <b>port</b> with the details of the global - * proxy server we are using. - * <b>conn</b> contains the connection we are using the proxy for. - * -@@ -4819,8 +4788,19 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type, - * the config to have unused ClientTransportPlugin entries. - */ - if (options->ClientTransportPlugin) { -- if (get_bridge_pt_addrport(addr, port, proxy_type, conn) == 0) -+ const transport_t *transport = NULL; -+ int r; -+ r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport); -+ if (r<0) -+ return -1; -+ if (transport) { /* transport found */ -+ tor_addr_copy(addr, &transport->addr); -+ *port = transport->port; -+ *proxy_type = transport->socks_version; - return 0; -+ } -+ -+ /* Unused ClientTransportPlugin. */ - } - - if (options->HTTPSProxy) { -@@ -4838,8 +4818,6 @@ get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type, - *port = options->Socks5ProxyPort; - *proxy_type = PROXY_SOCKS5; - return 0; -- } else if (options->Bridges) { -- return get_bridge_pt_addrport(addr, port, proxy_type, conn); - } - - tor_addr_make_unspec(addr); --- -2.0.0.rc2 - - -From 68184b317d3f4dc14e758e451377e4e3996bd0ab Mon Sep 17 00:00:00 2001 -From: Yawning Angel yawning@schwanenlied.me -Date: Thu, 1 May 2014 03:43:53 +0000 -Subject: [PATCH 4/5] Log the correct proxy type on failure. - -get_proxy_addrport fills in proxy_type with the correct value, so there -is no point in logging something that's a "best guess" based off the -config. ---- - src/or/connection.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/or/connection.c b/src/or/connection.c -index ff8cdf1..5069ed6 100644 ---- a/src/or/connection.c -+++ b/src/or/connection.c -@@ -4841,7 +4841,7 @@ log_failed_proxy_connection(connection_t *conn) - log_warn(LD_NET, - "The connection to the %s proxy server at %s just failed. " - "Make sure that the proxy server is up and running.", -- proxy_type_to_string(get_proxy_type()), -+ proxy_type_to_string(proxy_type), - fmt_addrport(&proxy_addr, proxy_port)); - } - --- -2.0.0.rc2 - - -From 34200a44fbbd3f158ea17043c2bcd21d0e382b89 Mon Sep 17 00:00:00 2001 -From: Yawning Angel yawning@schwanenlied.me -Date: Thu, 1 May 2014 18:58:53 +0000 -Subject: [PATCH 5/5] Improve the log message when a transport doesn't support - proxies. - -Per feedback, explicltly note that the transport will be killed when it -does not acknowledge the configured outgoing proxy. ---- - src/or/transports.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/or/transports.c b/src/or/transports.c -index b810315..eee159d 100644 ---- a/src/or/transports.c -+++ b/src/or/transports.c -@@ -805,7 +805,8 @@ handle_finished_proxy(managed_proxy_t *mp) - case PT_PROTO_CONFIGURED: /* if configured correctly: */ - if (mp->proxy_uri && !mp->proxy_supported) { - log_warn(LD_CONFIG, "Managed proxy '%s' did not configure the " -- "specified outgoing proxy.", mp->argv[0]); -+ "specified outgoing proxy and will be terminated.", -+ mp->argv[0]); - managed_proxy_destroy(mp, 1); /* annihilate it. */ - break; - } --- -2.0.0.rc2 - diff --git a/gitian/patches/bug8405.patch b/gitian/patches/bug8405.patch deleted file mode 100644 index 3c40632..0000000 --- a/gitian/patches/bug8405.patch +++ /dev/null @@ -1,84 +0,0 @@ -From a298c77f7eba232154ff08ca1119b05ccd9eee9e Mon Sep 17 00:00:00 2001 -From: Arthur Edelstein arthuredelstein@gmail.com -Date: Tue, 15 Jul 2014 21:27:59 -0700 -Subject: [PATCH] Bug #8405: Report SOCKS username/password in CIRC status - events - -Introduces two new circuit status name-value parameters: SOCKS_USERNAME -and SOCKS_PASSWORD. Values are enclosing in quotes and unusual characters -are escaped. - -Example: - - 650 CIRC 5 EXTENDED [...] SOCKS_USERNAME="my_username" SOCKS_PASSWORD="my_password" ---- - src/common/util.c | 14 ++++++++++++++ - src/common/util.h | 1 + - src/or/control.c | 14 ++++++++++++++ - 3 files changed, 29 insertions(+) - -diff --git a/src/common/util.c b/src/common/util.c -index 8589344..64cee56 100644 ---- a/src/common/util.c -+++ b/src/common/util.c -@@ -1222,6 +1222,20 @@ esc_for_log(const char *s) - return result; - } - -+/** Similar to esc_for_log. Allocate and return a new string representing -+ * the first n characters in <b>chars</b>, surround by quotes and using -+ * standard C escapes. If a NUL character is encountered in <b>chars</b>, -+ * the resulting string will be terminated there. -+ */ -+char * -+esc_for_log_len(const char *chars, size_t n) -+{ -+ char *string = tor_strndup(chars, n); -+ char *string_escaped = esc_for_log(string); -+ tor_free(string); -+ return string_escaped; -+} -+ - /** Allocate and return a new string representing the contents of <b>s</b>, - * surrounded by quotes and using standard C escapes. - * -diff --git a/src/common/util.h b/src/common/util.h -index 97367a9..50c5a3d 100644 ---- a/src/common/util.h -+++ b/src/common/util.h -@@ -229,6 +229,7 @@ int tor_mem_is_zero(const char *mem, size_t len); - int tor_digest_is_zero(const char *digest); - int tor_digest256_is_zero(const char *digest); - char *esc_for_log(const char *string) ATTR_MALLOC; -+char *esc_for_log_len(const char *chars, size_t n) ATTR_MALLOC; - const char *escaped(const char *string); - - char *tor_escape_str_for_pt_args(const char *string, -diff --git a/src/or/control.c b/src/or/control.c -index 9285fc5..aa46df6 100644 ---- a/src/or/control.c -+++ b/src/or/control.c -@@ -1862,6 +1862,20 @@ circuit_describe_status_for_controller(origin_circuit_t *circ) - smartlist_add_asprintf(descparts, "TIME_CREATED=%s", tbuf); - } - -+ // Show username and/or password if available. -+ if (circ->socks_username_len > 0) { -+ char* socks_username_escaped = esc_for_log_len(circ->socks_username, -+ (size_t) circ->socks_username_len); -+ smartlist_add_asprintf(descparts, "SOCKS_USERNAME=%s", socks_username_escaped); -+ tor_free(socks_username_escaped); -+ } -+ if (circ->socks_password_len > 0) { -+ char* socks_password_escaped = esc_for_log_len(circ->socks_password, -+ (size_t) circ->socks_password_len); -+ smartlist_add_asprintf(descparts, "SOCKS_PASSWORD=%s", socks_password_escaped); -+ tor_free(socks_password_escaped); -+ } -+ - rv = smartlist_join_strings(descparts, " ", 0, NULL); - - SMARTLIST_FOREACH(descparts, char *, cp, tor_free(cp)); --- -1.8.3.4 (Apple Git-47) -