netbase.cpp
1 // Copyright (c) 2009-2010 Satoshi Nakamoto 2 // Copyright (c) 2009-present The Bitcoin Core developers 3 // Distributed under the MIT software license, see the accompanying 4 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 6 #include <bitcoin-build-config.h> // IWYU pragma: keep 7 8 #include <netbase.h> 9 10 #include <compat/compat.h> 11 #include <logging.h> 12 #include <sync.h> 13 #include <tinyformat.h> 14 #include <util/sock.h> 15 #include <util/strencodings.h> 16 #include <util/string.h> 17 #include <util/time.h> 18 19 #include <atomic> 20 #include <chrono> 21 #include <cstdint> 22 #include <functional> 23 #include <limits> 24 #include <memory> 25 26 #ifdef HAVE_SOCKADDR_UN 27 #include <sys/un.h> 28 #endif 29 30 using util::ContainsNoNUL; 31 32 // Settings 33 static GlobalMutex g_proxyinfo_mutex; 34 static Proxy proxyInfo[NET_MAX] GUARDED_BY(g_proxyinfo_mutex); 35 static Proxy nameProxy GUARDED_BY(g_proxyinfo_mutex); 36 int nConnectTimeout = DEFAULT_CONNECT_TIMEOUT; 37 bool fNameLookup = DEFAULT_NAME_LOOKUP; 38 39 // Need ample time for negotiation for very slow proxies such as Tor 40 std::chrono::milliseconds g_socks5_recv_timeout = 20s; 41 CThreadInterrupt g_socks5_interrupt; 42 43 ReachableNets g_reachable_nets; 44 45 std::vector<CNetAddr> WrappedGetAddrInfo(const std::string& name, bool allow_lookup) 46 { 47 addrinfo ai_hint{}; 48 // We want a TCP port, which is a streaming socket type 49 ai_hint.ai_socktype = SOCK_STREAM; 50 ai_hint.ai_protocol = IPPROTO_TCP; 51 // We don't care which address family (IPv4 or IPv6) is returned 52 ai_hint.ai_family = AF_UNSPEC; 53 54 // If we allow lookups of hostnames, use the AI_ADDRCONFIG flag to only 55 // return addresses whose family we have an address configured for. 56 // 57 // If we don't allow lookups, then use the AI_NUMERICHOST flag for 58 // getaddrinfo to only decode numerical network addresses and suppress 59 // hostname lookups. 60 ai_hint.ai_flags = allow_lookup ? AI_ADDRCONFIG : AI_NUMERICHOST; 61 62 addrinfo* ai_res{nullptr}; 63 const int n_err{getaddrinfo(name.c_str(), nullptr, &ai_hint, &ai_res)}; 64 if (n_err != 0) { 65 if ((ai_hint.ai_flags & AI_ADDRCONFIG) == AI_ADDRCONFIG) { 66 // AI_ADDRCONFIG on some systems may exclude loopback-only addresses 67 // If first lookup failed we perform a second lookup without AI_ADDRCONFIG 68 ai_hint.ai_flags = (ai_hint.ai_flags & ~AI_ADDRCONFIG); 69 const int n_err_retry{getaddrinfo(name.c_str(), nullptr, &ai_hint, &ai_res)}; 70 if (n_err_retry != 0) { 71 return {}; 72 } 73 } else { 74 return {}; 75 } 76 } 77 78 // Traverse the linked list starting with ai_trav. 79 addrinfo* ai_trav{ai_res}; 80 std::vector<CNetAddr> resolved_addresses; 81 while (ai_trav != nullptr) { 82 if (ai_trav->ai_family == AF_INET) { 83 assert(ai_trav->ai_addrlen >= sizeof(sockaddr_in)); 84 resolved_addresses.emplace_back(reinterpret_cast<sockaddr_in*>(ai_trav->ai_addr)->sin_addr); 85 } 86 if (ai_trav->ai_family == AF_INET6) { 87 assert(ai_trav->ai_addrlen >= sizeof(sockaddr_in6)); 88 const sockaddr_in6* s6{reinterpret_cast<sockaddr_in6*>(ai_trav->ai_addr)}; 89 resolved_addresses.emplace_back(s6->sin6_addr, s6->sin6_scope_id); 90 } 91 ai_trav = ai_trav->ai_next; 92 } 93 freeaddrinfo(ai_res); 94 95 return resolved_addresses; 96 } 97 98 DNSLookupFn g_dns_lookup{WrappedGetAddrInfo}; 99 100 enum Network ParseNetwork(const std::string& net_in) { 101 std::string net = ToLower(net_in); 102 if (net == "ipv4") return NET_IPV4; 103 if (net == "ipv6") return NET_IPV6; 104 if (net == "onion") return NET_ONION; 105 if (net == "i2p") { 106 return NET_I2P; 107 } 108 if (net == "cjdns") { 109 return NET_CJDNS; 110 } 111 return NET_UNROUTABLE; 112 } 113 114 std::string GetNetworkName(enum Network net) 115 { 116 switch (net) { 117 case NET_UNROUTABLE: return "not_publicly_routable"; 118 case NET_IPV4: return "ipv4"; 119 case NET_IPV6: return "ipv6"; 120 case NET_ONION: return "onion"; 121 case NET_I2P: return "i2p"; 122 case NET_CJDNS: return "cjdns"; 123 case NET_INTERNAL: return "internal"; 124 case NET_MAX: assert(false); 125 } // no default case, so the compiler can warn about missing cases 126 127 assert(false); 128 } 129 130 std::vector<std::string> GetNetworkNames(bool append_unroutable) 131 { 132 std::vector<std::string> names; 133 for (int n = 0; n < NET_MAX; ++n) { 134 const enum Network network{static_cast<Network>(n)}; 135 if (network == NET_UNROUTABLE || network == NET_INTERNAL) continue; 136 names.emplace_back(GetNetworkName(network)); 137 } 138 if (append_unroutable) { 139 names.emplace_back(GetNetworkName(NET_UNROUTABLE)); 140 } 141 return names; 142 } 143 144 static std::vector<CNetAddr> LookupIntern(const std::string& name, unsigned int nMaxSolutions, bool fAllowLookup, DNSLookupFn dns_lookup_function) 145 { 146 if (!ContainsNoNUL(name)) return {}; 147 { 148 CNetAddr addr; 149 // From our perspective, onion addresses are not hostnames but rather 150 // direct encodings of CNetAddr much like IPv4 dotted-decimal notation 151 // or IPv6 colon-separated hextet notation. Since we can't use 152 // getaddrinfo to decode them and it wouldn't make sense to resolve 153 // them, we return a network address representing it instead. See 154 // CNetAddr::SetSpecial(const std::string&) for more details. 155 if (addr.SetSpecial(name)) return {addr}; 156 } 157 158 std::vector<CNetAddr> addresses; 159 160 for (const CNetAddr& resolved : dns_lookup_function(name, fAllowLookup)) { 161 if (nMaxSolutions > 0 && addresses.size() >= nMaxSolutions) { 162 break; 163 } 164 /* Never allow resolving to an internal address. Consider any such result invalid */ 165 if (!resolved.IsInternal()) { 166 addresses.push_back(resolved); 167 } 168 } 169 170 return addresses; 171 } 172 173 std::vector<CNetAddr> LookupHost(const std::string& name, unsigned int nMaxSolutions, bool fAllowLookup, DNSLookupFn dns_lookup_function) 174 { 175 if (!ContainsNoNUL(name)) return {}; 176 std::string strHost = name; 177 if (strHost.empty()) return {}; 178 if (strHost.front() == '[' && strHost.back() == ']') { 179 strHost = strHost.substr(1, strHost.size() - 2); 180 } 181 182 return LookupIntern(strHost, nMaxSolutions, fAllowLookup, dns_lookup_function); 183 } 184 185 std::optional<CNetAddr> LookupHost(const std::string& name, bool fAllowLookup, DNSLookupFn dns_lookup_function) 186 { 187 const std::vector<CNetAddr> addresses{LookupHost(name, 1, fAllowLookup, dns_lookup_function)}; 188 return addresses.empty() ? std::nullopt : std::make_optional(addresses.front()); 189 } 190 191 std::vector<CService> Lookup(const std::string& name, uint16_t portDefault, bool fAllowLookup, unsigned int nMaxSolutions, DNSLookupFn dns_lookup_function) 192 { 193 if (name.empty() || !ContainsNoNUL(name)) { 194 return {}; 195 } 196 uint16_t port{portDefault}; 197 std::string hostname; 198 SplitHostPort(name, port, hostname); 199 200 const std::vector<CNetAddr> addresses{LookupIntern(hostname, nMaxSolutions, fAllowLookup, dns_lookup_function)}; 201 if (addresses.empty()) return {}; 202 std::vector<CService> services; 203 services.reserve(addresses.size()); 204 for (const auto& addr : addresses) 205 services.emplace_back(addr, port); 206 return services; 207 } 208 209 std::optional<CService> Lookup(const std::string& name, uint16_t portDefault, bool fAllowLookup, DNSLookupFn dns_lookup_function) 210 { 211 const std::vector<CService> services{Lookup(name, portDefault, fAllowLookup, 1, dns_lookup_function)}; 212 213 return services.empty() ? std::nullopt : std::make_optional(services.front()); 214 } 215 216 CService LookupNumeric(const std::string& name, uint16_t portDefault, DNSLookupFn dns_lookup_function) 217 { 218 if (!ContainsNoNUL(name)) { 219 return {}; 220 } 221 // "1.2:345" will fail to resolve the ip, but will still set the port. 222 // If the ip fails to resolve, re-init the result. 223 return Lookup(name, portDefault, /*fAllowLookup=*/false, dns_lookup_function).value_or(CService{}); 224 } 225 226 bool IsUnixSocketPath(const std::string& name) 227 { 228 #ifdef HAVE_SOCKADDR_UN 229 if (!name.starts_with(ADDR_PREFIX_UNIX)) return false; 230 231 // Split off "unix:" prefix 232 std::string str{name.substr(ADDR_PREFIX_UNIX.length())}; 233 234 // Path size limit is platform-dependent 235 // see https://manpages.ubuntu.com/manpages/xenial/en/man7/unix.7.html 236 if (str.size() + 1 > sizeof(((sockaddr_un*)nullptr)->sun_path)) return false; 237 238 return true; 239 #else 240 return false; 241 #endif 242 } 243 244 /** SOCKS version */ 245 enum SOCKSVersion: uint8_t { 246 SOCKS4 = 0x04, 247 SOCKS5 = 0x05 248 }; 249 250 /** Values defined for METHOD in RFC1928 */ 251 enum SOCKS5Method: uint8_t { 252 NOAUTH = 0x00, //!< No authentication required 253 GSSAPI = 0x01, //!< GSSAPI 254 USER_PASS = 0x02, //!< Username/password 255 NO_ACCEPTABLE = 0xff, //!< No acceptable methods 256 }; 257 258 /** Values defined for CMD in RFC1928 */ 259 enum SOCKS5Command: uint8_t { 260 CONNECT = 0x01, 261 BIND = 0x02, 262 UDP_ASSOCIATE = 0x03 263 }; 264 265 /** Values defined for REP in RFC1928 and https://spec.torproject.org/socks-extensions.html */ 266 enum SOCKS5Reply: uint8_t { 267 SUCCEEDED = 0x00, //!< RFC1928: Succeeded 268 GENFAILURE = 0x01, //!< RFC1928: General failure 269 NOTALLOWED = 0x02, //!< RFC1928: Connection not allowed by ruleset 270 NETUNREACHABLE = 0x03, //!< RFC1928: Network unreachable 271 HOSTUNREACHABLE = 0x04, //!< RFC1928: Network unreachable 272 CONNREFUSED = 0x05, //!< RFC1928: Connection refused 273 TTLEXPIRED = 0x06, //!< RFC1928: TTL expired 274 CMDUNSUPPORTED = 0x07, //!< RFC1928: Command not supported 275 ATYPEUNSUPPORTED = 0x08, //!< RFC1928: Address type not supported 276 TOR_HS_DESC_NOT_FOUND = 0xf0, //!< Tor: Onion service descriptor can not be found 277 TOR_HS_DESC_INVALID = 0xf1, //!< Tor: Onion service descriptor is invalid 278 TOR_HS_INTRO_FAILED = 0xf2, //!< Tor: Onion service introduction failed 279 TOR_HS_REND_FAILED = 0xf3, //!< Tor: Onion service rendezvous failed 280 TOR_HS_MISSING_CLIENT_AUTH = 0xf4, //!< Tor: Onion service missing client authorization 281 TOR_HS_WRONG_CLIENT_AUTH = 0xf5, //!< Tor: Onion service wrong client authorization 282 TOR_HS_BAD_ADDRESS = 0xf6, //!< Tor: Onion service invalid address 283 TOR_HS_INTRO_TIMEOUT = 0xf7, //!< Tor: Onion service introduction timed out 284 }; 285 286 /** Values defined for ATYPE in RFC1928 */ 287 enum SOCKS5Atyp: uint8_t { 288 IPV4 = 0x01, 289 DOMAINNAME = 0x03, 290 IPV6 = 0x04, 291 }; 292 293 /** Status codes that can be returned by InterruptibleRecv */ 294 enum class IntrRecvError { 295 OK, 296 Timeout, 297 Disconnected, 298 NetworkError, 299 Interrupted 300 }; 301 302 /** 303 * Try to read a specified number of bytes from a socket. Please read the "see 304 * also" section for more detail. 305 * 306 * @param data The buffer where the read bytes should be stored. 307 * @param len The number of bytes to read into the specified buffer. 308 * @param timeout The total timeout for this read. 309 * @param sock The socket (has to be in non-blocking mode) from which to read bytes. 310 * 311 * @returns An IntrRecvError indicating the resulting status of this read. 312 * IntrRecvError::OK only if all of the specified number of bytes were 313 * read. 314 * 315 * @see This function can be interrupted by calling g_socks5_interrupt(). 316 * Sockets can be made non-blocking with Sock::SetNonBlocking(). 317 */ 318 static IntrRecvError InterruptibleRecv(uint8_t* data, size_t len, std::chrono::milliseconds timeout, const Sock& sock) 319 { 320 auto curTime{Now<SteadyMilliseconds>()}; 321 const auto endTime{curTime + timeout}; 322 while (len > 0 && curTime < endTime) { 323 ssize_t ret = sock.Recv(data, len, 0); // Optimistically try the recv first 324 if (ret > 0) { 325 len -= ret; 326 data += ret; 327 } else if (ret == 0) { // Unexpected disconnection 328 return IntrRecvError::Disconnected; 329 } else { // Other error or blocking 330 int nErr = WSAGetLastError(); 331 if (nErr == WSAEINPROGRESS || nErr == WSAEWOULDBLOCK || nErr == WSAEINVAL) { 332 // Only wait at most MAX_WAIT_FOR_IO at a time, unless 333 // we're approaching the end of the specified total timeout 334 const auto remaining = std::chrono::milliseconds{endTime - curTime}; 335 const auto timeout = std::min(remaining, std::chrono::milliseconds{MAX_WAIT_FOR_IO}); 336 if (!sock.Wait(timeout, Sock::RECV)) { 337 return IntrRecvError::NetworkError; 338 } 339 } else { 340 return IntrRecvError::NetworkError; 341 } 342 } 343 if (g_socks5_interrupt) { 344 return IntrRecvError::Interrupted; 345 } 346 curTime = Now<SteadyMilliseconds>(); 347 } 348 return len == 0 ? IntrRecvError::OK : IntrRecvError::Timeout; 349 } 350 351 /** Convert SOCKS5 reply to an error message */ 352 static std::string Socks5ErrorString(uint8_t err) 353 { 354 switch(err) { 355 case SOCKS5Reply::GENFAILURE: 356 return "general failure"; 357 case SOCKS5Reply::NOTALLOWED: 358 return "connection not allowed"; 359 case SOCKS5Reply::NETUNREACHABLE: 360 return "network unreachable"; 361 case SOCKS5Reply::HOSTUNREACHABLE: 362 return "host unreachable"; 363 case SOCKS5Reply::CONNREFUSED: 364 return "connection refused"; 365 case SOCKS5Reply::TTLEXPIRED: 366 return "TTL expired"; 367 case SOCKS5Reply::CMDUNSUPPORTED: 368 return "protocol error"; 369 case SOCKS5Reply::ATYPEUNSUPPORTED: 370 return "address type not supported"; 371 case SOCKS5Reply::TOR_HS_DESC_NOT_FOUND: 372 return "onion service descriptor can not be found"; 373 case SOCKS5Reply::TOR_HS_DESC_INVALID: 374 return "onion service descriptor is invalid"; 375 case SOCKS5Reply::TOR_HS_INTRO_FAILED: 376 return "onion service introduction failed"; 377 case SOCKS5Reply::TOR_HS_REND_FAILED: 378 return "onion service rendezvous failed"; 379 case SOCKS5Reply::TOR_HS_MISSING_CLIENT_AUTH: 380 return "onion service missing client authorization"; 381 case SOCKS5Reply::TOR_HS_WRONG_CLIENT_AUTH: 382 return "onion service wrong client authorization"; 383 case SOCKS5Reply::TOR_HS_BAD_ADDRESS: 384 return "onion service invalid address"; 385 case SOCKS5Reply::TOR_HS_INTRO_TIMEOUT: 386 return "onion service introduction timed out"; 387 default: 388 return strprintf("unknown (0x%02x)", err); 389 } 390 } 391 392 bool Socks5(const std::string& strDest, uint16_t port, const ProxyCredentials* auth, const Sock& sock) 393 { 394 try { 395 IntrRecvError recvr; 396 LogDebug(BCLog::NET, "SOCKS5 connecting %s\n", strDest); 397 if (strDest.size() > 255) { 398 LogError("Hostname too long\n"); 399 return false; 400 } 401 // Construct the version identifier/method selection message 402 std::vector<uint8_t> vSocks5Init; 403 vSocks5Init.push_back(SOCKSVersion::SOCKS5); // We want the SOCK5 protocol 404 if (auth) { 405 vSocks5Init.push_back(0x02); // 2 method identifiers follow... 406 vSocks5Init.push_back(SOCKS5Method::NOAUTH); 407 vSocks5Init.push_back(SOCKS5Method::USER_PASS); 408 } else { 409 vSocks5Init.push_back(0x01); // 1 method identifier follows... 410 vSocks5Init.push_back(SOCKS5Method::NOAUTH); 411 } 412 sock.SendComplete(vSocks5Init, g_socks5_recv_timeout, g_socks5_interrupt); 413 uint8_t pchRet1[2]; 414 if (InterruptibleRecv(pchRet1, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) { 415 LogInfo("Socks5() connect to %s:%d failed: InterruptibleRecv() timeout or other failure\n", strDest, port); 416 return false; 417 } 418 if (pchRet1[0] != SOCKSVersion::SOCKS5) { 419 LogError("Proxy failed to initialize\n"); 420 return false; 421 } 422 if (pchRet1[1] == SOCKS5Method::USER_PASS && auth) { 423 // Perform username/password authentication (as described in RFC1929) 424 std::vector<uint8_t> vAuth; 425 vAuth.push_back(0x01); // Current (and only) version of user/pass subnegotiation 426 if (auth->username.size() > 255 || auth->password.size() > 255) { 427 LogError("Proxy username or password too long\n"); 428 return false; 429 } 430 vAuth.push_back(auth->username.size()); 431 vAuth.insert(vAuth.end(), auth->username.begin(), auth->username.end()); 432 vAuth.push_back(auth->password.size()); 433 vAuth.insert(vAuth.end(), auth->password.begin(), auth->password.end()); 434 LogDebug(BCLog::PROXY, "SOCKS5 sending username/password authentication\n"); 435 sock.SendComplete(vAuth, g_socks5_recv_timeout, g_socks5_interrupt); 436 uint8_t pchRetA[2]; 437 if (InterruptibleRecv(pchRetA, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) { 438 LogError("Error reading proxy authentication response\n"); 439 return false; 440 } 441 if (pchRetA[0] != 0x01 || pchRetA[1] != 0x00) { 442 LogError("Proxy authentication unsuccessful\n"); 443 return false; 444 } 445 } else if (pchRet1[1] == SOCKS5Method::NOAUTH) { 446 // Perform no authentication 447 } else { 448 LogError("Proxy requested wrong authentication method %02x\n", pchRet1[1]); 449 return false; 450 } 451 std::vector<uint8_t> vSocks5; 452 vSocks5.push_back(SOCKSVersion::SOCKS5); // VER protocol version 453 vSocks5.push_back(SOCKS5Command::CONNECT); // CMD CONNECT 454 vSocks5.push_back(0x00); // RSV Reserved must be 0 455 vSocks5.push_back(SOCKS5Atyp::DOMAINNAME); // ATYP DOMAINNAME 456 vSocks5.push_back(strDest.size()); // Length<=255 is checked at beginning of function 457 vSocks5.insert(vSocks5.end(), strDest.begin(), strDest.end()); 458 vSocks5.push_back((port >> 8) & 0xFF); 459 vSocks5.push_back((port >> 0) & 0xFF); 460 sock.SendComplete(vSocks5, g_socks5_recv_timeout, g_socks5_interrupt); 461 uint8_t pchRet2[4]; 462 if ((recvr = InterruptibleRecv(pchRet2, 4, g_socks5_recv_timeout, sock)) != IntrRecvError::OK) { 463 if (recvr == IntrRecvError::Timeout) { 464 /* If a timeout happens here, this effectively means we timed out while connecting 465 * to the remote node. This is very common for Tor, so do not print an 466 * error message. */ 467 return false; 468 } else { 469 LogError("Error while reading proxy response\n"); 470 return false; 471 } 472 } 473 if (pchRet2[0] != SOCKSVersion::SOCKS5) { 474 LogError("Proxy failed to accept request\n"); 475 return false; 476 } 477 if (pchRet2[1] != SOCKS5Reply::SUCCEEDED) { 478 // Failures to connect to a peer that are not proxy errors 479 LogDebug(BCLog::NET, 480 "Socks5() connect to %s:%d failed: %s\n", strDest, port, Socks5ErrorString(pchRet2[1])); 481 return false; 482 } 483 if (pchRet2[2] != 0x00) { // Reserved field must be 0 484 LogError("Error: malformed proxy response\n"); 485 return false; 486 } 487 uint8_t pchRet3[256]; 488 switch (pchRet2[3]) { 489 case SOCKS5Atyp::IPV4: recvr = InterruptibleRecv(pchRet3, 4, g_socks5_recv_timeout, sock); break; 490 case SOCKS5Atyp::IPV6: recvr = InterruptibleRecv(pchRet3, 16, g_socks5_recv_timeout, sock); break; 491 case SOCKS5Atyp::DOMAINNAME: { 492 recvr = InterruptibleRecv(pchRet3, 1, g_socks5_recv_timeout, sock); 493 if (recvr != IntrRecvError::OK) { 494 LogError("Error reading from proxy\n"); 495 return false; 496 } 497 int nRecv = pchRet3[0]; 498 recvr = InterruptibleRecv(pchRet3, nRecv, g_socks5_recv_timeout, sock); 499 break; 500 } 501 default: { 502 LogError("Error: malformed proxy response\n"); 503 return false; 504 } 505 } 506 if (recvr != IntrRecvError::OK) { 507 LogError("Error reading from proxy\n"); 508 return false; 509 } 510 if (InterruptibleRecv(pchRet3, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) { 511 LogError("Error reading from proxy\n"); 512 return false; 513 } 514 LogDebug(BCLog::NET, "SOCKS5 connected %s\n", strDest); 515 return true; 516 } catch (const std::runtime_error& e) { 517 LogError("Error during SOCKS5 proxy handshake: %s\n", e.what()); 518 return false; 519 } 520 } 521 522 std::unique_ptr<Sock> CreateSockOS(int domain, int type, int protocol) 523 { 524 // Not IPv4, IPv6 or UNIX 525 if (domain == AF_UNSPEC) return nullptr; 526 527 // Create a socket in the specified address family. 528 SOCKET hSocket = socket(domain, type, protocol); 529 if (hSocket == INVALID_SOCKET) { 530 return nullptr; 531 } 532 533 auto sock = std::make_unique<Sock>(hSocket); 534 535 if (domain != AF_INET && domain != AF_INET6 && domain != AF_UNIX) { 536 return sock; 537 } 538 539 // Ensure that waiting for I/O on this socket won't result in undefined 540 // behavior. 541 if (!sock->IsSelectable()) { 542 LogInfo("Cannot create connection: non-selectable socket created (fd >= FD_SETSIZE ?)\n"); 543 return nullptr; 544 } 545 546 #ifdef SO_NOSIGPIPE 547 int set = 1; 548 // Set the no-sigpipe option on the socket for BSD systems, other UNIXes 549 // should use the MSG_NOSIGNAL flag for every send. 550 if (sock->SetSockOpt(SOL_SOCKET, SO_NOSIGPIPE, &set, sizeof(int)) == SOCKET_ERROR) { 551 LogInfo("Error setting SO_NOSIGPIPE on socket: %s, continuing anyway\n", 552 NetworkErrorString(WSAGetLastError())); 553 } 554 #endif 555 556 // Set the non-blocking option on the socket. 557 if (!sock->SetNonBlocking()) { 558 LogInfo("Error setting socket to non-blocking: %s\n", NetworkErrorString(WSAGetLastError())); 559 return nullptr; 560 } 561 562 #ifdef HAVE_SOCKADDR_UN 563 if (domain == AF_UNIX) return sock; 564 #endif 565 566 if (protocol == IPPROTO_TCP) { 567 // Set the no-delay option (disable Nagle's algorithm) on the TCP socket. 568 const int on{1}; 569 if (sock->SetSockOpt(IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)) == SOCKET_ERROR) { 570 LogDebug(BCLog::NET, "Unable to set TCP_NODELAY on a newly created socket, continuing anyway\n"); 571 } 572 } 573 574 return sock; 575 } 576 577 std::function<std::unique_ptr<Sock>(int, int, int)> CreateSock = CreateSockOS; 578 579 template<typename... Args> 580 static void LogConnectFailure(bool manual_connection, util::ConstevalFormatString<sizeof...(Args)> fmt, const Args&... args) 581 { 582 std::string error_message = tfm::format(fmt, args...); 583 if (manual_connection) { 584 LogInfo("%s\n", error_message); 585 } else { 586 LogDebug(BCLog::NET, "%s\n", error_message); 587 } 588 } 589 590 static bool ConnectToSocket(const Sock& sock, struct sockaddr* sockaddr, socklen_t len, const std::string& dest_str, bool manual_connection) 591 { 592 // Connect to `sockaddr` using `sock`. 593 if (sock.Connect(sockaddr, len) == SOCKET_ERROR) { 594 int nErr = WSAGetLastError(); 595 // WSAEINVAL is here because some legacy version of winsock uses it 596 if (nErr == WSAEINPROGRESS || nErr == WSAEWOULDBLOCK || nErr == WSAEINVAL) 597 { 598 // Connection didn't actually fail, but is being established 599 // asynchronously. Thus, use async I/O api (select/poll) 600 // synchronously to check for successful connection with a timeout. 601 const Sock::Event requested = Sock::RECV | Sock::SEND; 602 Sock::Event occurred; 603 if (!sock.Wait(std::chrono::milliseconds{nConnectTimeout}, requested, &occurred)) { 604 LogInfo("wait for connect to %s failed: %s\n", 605 dest_str, 606 NetworkErrorString(WSAGetLastError())); 607 return false; 608 } else if (occurred == 0) { 609 LogDebug(BCLog::NET, "connection attempt to %s timed out\n", dest_str); 610 return false; 611 } 612 613 // Even if the wait was successful, the connect might not 614 // have been successful. The reason for this failure is hidden away 615 // in the SO_ERROR for the socket in modern systems. We read it into 616 // sockerr here. 617 int sockerr; 618 socklen_t sockerr_len = sizeof(sockerr); 619 if (sock.GetSockOpt(SOL_SOCKET, SO_ERROR, &sockerr, &sockerr_len) == 620 SOCKET_ERROR) { 621 LogInfo("getsockopt() for %s failed: %s\n", dest_str, NetworkErrorString(WSAGetLastError())); 622 return false; 623 } 624 if (sockerr != 0) { 625 LogConnectFailure(manual_connection, 626 "connect() to %s failed after wait: %s", 627 dest_str, 628 NetworkErrorString(sockerr)); 629 return false; 630 } 631 } 632 #ifdef WIN32 633 else if (WSAGetLastError() != WSAEISCONN) 634 #else 635 else 636 #endif 637 { 638 LogConnectFailure(manual_connection, "connect() to %s failed: %s", dest_str, NetworkErrorString(WSAGetLastError())); 639 return false; 640 } 641 } 642 return true; 643 } 644 645 std::unique_ptr<Sock> ConnectDirectly(const CService& dest, bool manual_connection) 646 { 647 auto sock = CreateSock(dest.GetSAFamily(), SOCK_STREAM, IPPROTO_TCP); 648 if (!sock) { 649 LogError("Cannot create a socket for connecting to %s\n", dest.ToStringAddrPort()); 650 return {}; 651 } 652 653 // Create a sockaddr from the specified service. 654 struct sockaddr_storage sockaddr; 655 socklen_t len = sizeof(sockaddr); 656 if (!dest.GetSockAddr((struct sockaddr*)&sockaddr, &len)) { 657 LogInfo("Cannot get sockaddr for %s: unsupported network\n", dest.ToStringAddrPort()); 658 return {}; 659 } 660 661 if (!ConnectToSocket(*sock, (struct sockaddr*)&sockaddr, len, dest.ToStringAddrPort(), manual_connection)) { 662 return {}; 663 } 664 665 return sock; 666 } 667 668 std::unique_ptr<Sock> Proxy::Connect() const 669 { 670 if (!IsValid()) return {}; 671 672 if (!m_is_unix_socket) return ConnectDirectly(proxy, /*manual_connection=*/true); 673 674 #ifdef HAVE_SOCKADDR_UN 675 auto sock = CreateSock(AF_UNIX, SOCK_STREAM, 0); 676 if (!sock) { 677 LogError("Cannot create a socket for connecting to %s\n", m_unix_socket_path); 678 return {}; 679 } 680 681 const std::string path{m_unix_socket_path.substr(ADDR_PREFIX_UNIX.length())}; 682 683 struct sockaddr_un addrun; 684 memset(&addrun, 0, sizeof(addrun)); 685 addrun.sun_family = AF_UNIX; 686 // leave the last char in addrun.sun_path[] to be always '\0' 687 memcpy(addrun.sun_path, path.c_str(), std::min(sizeof(addrun.sun_path) - 1, path.length())); 688 socklen_t len = sizeof(addrun); 689 690 if(!ConnectToSocket(*sock, (struct sockaddr*)&addrun, len, path, /*manual_connection=*/true)) { 691 return {}; 692 } 693 694 return sock; 695 #else 696 return {}; 697 #endif 698 } 699 700 bool SetProxy(enum Network net, const Proxy &addrProxy) { 701 assert(net >= 0 && net < NET_MAX); 702 if (!addrProxy.IsValid()) 703 return false; 704 LOCK(g_proxyinfo_mutex); 705 proxyInfo[net] = addrProxy; 706 return true; 707 } 708 709 std::optional<Proxy> GetProxy(enum Network net) 710 { 711 assert(net >= 0 && net < NET_MAX); 712 LOCK(g_proxyinfo_mutex); 713 if (!proxyInfo[net].IsValid()) { 714 return std::nullopt; 715 } 716 return proxyInfo[net]; 717 } 718 719 bool SetNameProxy(const Proxy &addrProxy) { 720 if (!addrProxy.IsValid()) 721 return false; 722 LOCK(g_proxyinfo_mutex); 723 nameProxy = addrProxy; 724 return true; 725 } 726 727 std::optional<Proxy> GetNameProxy() 728 { 729 LOCK(g_proxyinfo_mutex); 730 if (!nameProxy.IsValid()) { 731 return std::nullopt; 732 } 733 return nameProxy; 734 } 735 736 bool HaveNameProxy() { 737 LOCK(g_proxyinfo_mutex); 738 return nameProxy.IsValid(); 739 } 740 741 bool IsProxy(const CNetAddr &addr) { 742 LOCK(g_proxyinfo_mutex); 743 for (int i = 0; i < NET_MAX; i++) { 744 if (addr == static_cast<CNetAddr>(proxyInfo[i].proxy)) 745 return true; 746 } 747 return false; 748 } 749 750 /** 751 * Generate unique credentials for Tor stream isolation. Tor will create 752 * separate circuits for SOCKS5 proxy connections with different credentials, which 753 * makes it harder to correlate the connections. 754 */ 755 class TorStreamIsolationCredentialsGenerator 756 { 757 public: 758 TorStreamIsolationCredentialsGenerator(): 759 m_prefix(GenerateUniquePrefix()) { 760 } 761 762 /** Return the next unique proxy credentials. */ 763 ProxyCredentials Generate() { 764 ProxyCredentials auth; 765 auth.username = auth.password = strprintf("%s%i", m_prefix, m_counter); 766 ++m_counter; 767 return auth; 768 } 769 770 /** Size of session prefix in bytes. */ 771 static constexpr size_t PREFIX_BYTE_LENGTH = 8; 772 private: 773 const std::string m_prefix; 774 std::atomic<uint64_t> m_counter; 775 776 /** Generate a random prefix for each of the credentials returned by this generator. 777 * This makes sure that different launches of the application (either successively or in parallel) 778 * will not share the same circuits, as would be the case with a bare counter. 779 */ 780 static std::string GenerateUniquePrefix() { 781 std::array<uint8_t, PREFIX_BYTE_LENGTH> prefix_bytes; 782 GetRandBytes(prefix_bytes); 783 return HexStr(prefix_bytes) + "-"; 784 } 785 }; 786 787 std::unique_ptr<Sock> ConnectThroughProxy(const Proxy& proxy, 788 const std::string& dest, 789 uint16_t port, 790 bool& proxy_connection_failed) 791 { 792 // first connect to proxy server 793 auto sock = proxy.Connect(); 794 if (!sock) { 795 proxy_connection_failed = true; 796 return {}; 797 } 798 799 // do socks negotiation 800 if (proxy.m_tor_stream_isolation) { 801 static TorStreamIsolationCredentialsGenerator generator; 802 ProxyCredentials random_auth{generator.Generate()}; 803 if (!Socks5(dest, port, &random_auth, *sock)) { 804 return {}; 805 } 806 } else { 807 if (!Socks5(dest, port, nullptr, *sock)) { 808 return {}; 809 } 810 } 811 return sock; 812 } 813 814 CSubNet LookupSubNet(const std::string& subnet_str) 815 { 816 CSubNet subnet; 817 assert(!subnet.IsValid()); 818 if (!ContainsNoNUL(subnet_str)) { 819 return subnet; 820 } 821 822 const size_t slash_pos{subnet_str.find_last_of('/')}; 823 const std::string str_addr{subnet_str.substr(0, slash_pos)}; 824 std::optional<CNetAddr> addr{LookupHost(str_addr, /*fAllowLookup=*/false)}; 825 826 if (addr.has_value()) { 827 addr = static_cast<CNetAddr>(MaybeFlipIPv6toCJDNS(CService{addr.value(), /*port=*/0})); 828 if (slash_pos != subnet_str.npos) { 829 const std::string netmask_str{subnet_str.substr(slash_pos + 1)}; 830 if (const auto netmask{ToIntegral<uint8_t>(netmask_str)}) { 831 // Valid number; assume CIDR variable-length subnet masking. 832 subnet = CSubNet{addr.value(), *netmask}; 833 } else { 834 // Invalid number; try full netmask syntax. Never allow lookup for netmask. 835 const std::optional<CNetAddr> full_netmask{LookupHost(netmask_str, /*fAllowLookup=*/false)}; 836 if (full_netmask.has_value()) { 837 subnet = CSubNet{addr.value(), full_netmask.value()}; 838 } 839 } 840 } else { 841 // Single IP subnet (<ipv4>/32 or <ipv6>/128). 842 subnet = CSubNet{addr.value()}; 843 } 844 } 845 846 return subnet; 847 } 848 849 bool IsBadPort(uint16_t port) 850 { 851 /* Don't forget to update doc/p2p-bad-ports.md if you change this list. */ 852 853 switch (port) { 854 case 1: // tcpmux 855 case 7: // echo 856 case 9: // discard 857 case 11: // systat 858 case 13: // daytime 859 case 15: // netstat 860 case 17: // qotd 861 case 19: // chargen 862 case 20: // ftp data 863 case 21: // ftp access 864 case 22: // ssh 865 case 23: // telnet 866 case 25: // smtp 867 case 37: // time 868 case 42: // name 869 case 43: // nicname 870 case 53: // domain 871 case 69: // tftp 872 case 77: // priv-rjs 873 case 79: // finger 874 case 87: // ttylink 875 case 95: // supdup 876 case 101: // hostname 877 case 102: // iso-tsap 878 case 103: // gppitnp 879 case 104: // acr-nema 880 case 109: // pop2 881 case 110: // pop3 882 case 111: // sunrpc 883 case 113: // auth 884 case 115: // sftp 885 case 117: // uucp-path 886 case 119: // nntp 887 case 123: // NTP 888 case 135: // loc-srv /epmap 889 case 137: // netbios 890 case 139: // netbios 891 case 143: // imap2 892 case 161: // snmp 893 case 179: // BGP 894 case 389: // ldap 895 case 427: // SLP (Also used by Apple Filing Protocol) 896 case 465: // smtp+ssl 897 case 512: // print / exec 898 case 513: // login 899 case 514: // shell 900 case 515: // printer 901 case 526: // tempo 902 case 530: // courier 903 case 531: // chat 904 case 532: // netnews 905 case 540: // uucp 906 case 548: // AFP (Apple Filing Protocol) 907 case 554: // rtsp 908 case 556: // remotefs 909 case 563: // nntp+ssl 910 case 587: // smtp (rfc6409) 911 case 601: // syslog-conn (rfc3195) 912 case 636: // ldap+ssl 913 case 989: // ftps-data 914 case 990: // ftps 915 case 993: // ldap+ssl 916 case 995: // pop3+ssl 917 case 1719: // h323gatestat 918 case 1720: // h323hostcall 919 case 1723: // pptp 920 case 2049: // nfs 921 case 3306: // MySQL 922 case 3389: // RDP / Windows Remote Desktop 923 case 3659: // apple-sasl / PasswordServer 924 case 4045: // lockd 925 case 5060: // sip 926 case 5061: // sips 927 case 5432: // PostgreSQL 928 case 5900: // VNC 929 case 6000: // X11 930 case 6566: // sane-port 931 case 6665: // Alternate IRC 932 case 6666: // Alternate IRC 933 case 6667: // Standard IRC 934 case 6668: // Alternate IRC 935 case 6669: // Alternate IRC 936 case 6697: // IRC + TLS 937 case 10080: // Amanda 938 case 27017: // MongoDB 939 return true; 940 } 941 return false; 942 } 943 944 CService MaybeFlipIPv6toCJDNS(const CService& service) 945 { 946 CService ret{service}; 947 if (ret.IsIPv6() && ret.HasCJDNSPrefix() && g_reachable_nets.Contains(NET_CJDNS)) { 948 ret.m_net = NET_CJDNS; 949 } 950 return ret; 951 } 952 953 CService GetBindAddress(const Sock& sock) 954 { 955 CService addr_bind; 956 sockaddr_storage storage; 957 socklen_t len = sizeof(storage); 958 959 auto sa = reinterpret_cast<sockaddr*>(&storage); 960 961 if (sock.GetSockName(sa, &len) == 0) { 962 addr_bind.SetSockAddr(sa, len); 963 } else { 964 LogWarning("getsockname failed\n"); 965 } 966 return addr_bind; 967 }