netbase.cpp
1 // Copyright (c) 2009-2010 Satoshi Nakamoto 2 // Copyright (c) 2009-2022 The Bitcoin Core developers 3 // Distributed under the MIT software license, see the accompanying 4 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 5 6 #include <bitcoin-build-config.h> // IWYU pragma: keep 7 8 #include <netbase.h> 9 10 #include <compat/compat.h> 11 #include <logging.h> 12 #include <sync.h> 13 #include <tinyformat.h> 14 #include <util/sock.h> 15 #include <util/strencodings.h> 16 #include <util/string.h> 17 #include <util/time.h> 18 19 #include <atomic> 20 #include <chrono> 21 #include <cstdint> 22 #include <functional> 23 #include <limits> 24 #include <memory> 25 26 #ifdef HAVE_SOCKADDR_UN 27 #include <sys/un.h> 28 #endif 29 30 using util::ContainsNoNUL; 31 32 // Settings 33 static GlobalMutex g_proxyinfo_mutex; 34 static Proxy proxyInfo[NET_MAX] GUARDED_BY(g_proxyinfo_mutex); 35 static Proxy nameProxy GUARDED_BY(g_proxyinfo_mutex); 36 int nConnectTimeout = DEFAULT_CONNECT_TIMEOUT; 37 bool fNameLookup = DEFAULT_NAME_LOOKUP; 38 39 // Need ample time for negotiation for very slow proxies such as Tor 40 std::chrono::milliseconds g_socks5_recv_timeout = 20s; 41 CThreadInterrupt g_socks5_interrupt; 42 43 ReachableNets g_reachable_nets; 44 45 std::vector<CNetAddr> WrappedGetAddrInfo(const std::string& name, bool allow_lookup) 46 { 47 addrinfo ai_hint{}; 48 // We want a TCP port, which is a streaming socket type 49 ai_hint.ai_socktype = SOCK_STREAM; 50 ai_hint.ai_protocol = IPPROTO_TCP; 51 // We don't care which address family (IPv4 or IPv6) is returned 52 ai_hint.ai_family = AF_UNSPEC; 53 54 // If we allow lookups of hostnames, use the AI_ADDRCONFIG flag to only 55 // return addresses whose family we have an address configured for. 56 // 57 // If we don't allow lookups, then use the AI_NUMERICHOST flag for 58 // getaddrinfo to only decode numerical network addresses and suppress 59 // hostname lookups. 60 ai_hint.ai_flags = allow_lookup ? AI_ADDRCONFIG : AI_NUMERICHOST; 61 62 addrinfo* ai_res{nullptr}; 63 const int n_err{getaddrinfo(name.c_str(), nullptr, &ai_hint, &ai_res)}; 64 if (n_err != 0) { 65 if ((ai_hint.ai_flags & AI_ADDRCONFIG) == AI_ADDRCONFIG) { 66 // AI_ADDRCONFIG on some systems may exclude loopback-only addresses 67 // If first lookup failed we perform a second lookup without AI_ADDRCONFIG 68 ai_hint.ai_flags = (ai_hint.ai_flags & ~AI_ADDRCONFIG); 69 const int n_err_retry{getaddrinfo(name.c_str(), nullptr, &ai_hint, &ai_res)}; 70 if (n_err_retry != 0) { 71 return {}; 72 } 73 } else { 74 return {}; 75 } 76 } 77 78 // Traverse the linked list starting with ai_trav. 79 addrinfo* ai_trav{ai_res}; 80 std::vector<CNetAddr> resolved_addresses; 81 while (ai_trav != nullptr) { 82 if (ai_trav->ai_family == AF_INET) { 83 assert(ai_trav->ai_addrlen >= sizeof(sockaddr_in)); 84 resolved_addresses.emplace_back(reinterpret_cast<sockaddr_in*>(ai_trav->ai_addr)->sin_addr); 85 } 86 if (ai_trav->ai_family == AF_INET6) { 87 assert(ai_trav->ai_addrlen >= sizeof(sockaddr_in6)); 88 const sockaddr_in6* s6{reinterpret_cast<sockaddr_in6*>(ai_trav->ai_addr)}; 89 resolved_addresses.emplace_back(s6->sin6_addr, s6->sin6_scope_id); 90 } 91 ai_trav = ai_trav->ai_next; 92 } 93 freeaddrinfo(ai_res); 94 95 return resolved_addresses; 96 } 97 98 DNSLookupFn g_dns_lookup{WrappedGetAddrInfo}; 99 100 enum Network ParseNetwork(const std::string& net_in) { 101 std::string net = ToLower(net_in); 102 if (net == "ipv4") return NET_IPV4; 103 if (net == "ipv6") return NET_IPV6; 104 if (net == "onion") return NET_ONION; 105 if (net == "tor") { 106 LogWarning("Net name 'tor' is deprecated and will be removed in the future. You should use 'onion' instead."); 107 return NET_ONION; 108 } 109 if (net == "i2p") { 110 return NET_I2P; 111 } 112 if (net == "cjdns") { 113 return NET_CJDNS; 114 } 115 return NET_UNROUTABLE; 116 } 117 118 std::string GetNetworkName(enum Network net) 119 { 120 switch (net) { 121 case NET_UNROUTABLE: return "not_publicly_routable"; 122 case NET_IPV4: return "ipv4"; 123 case NET_IPV6: return "ipv6"; 124 case NET_ONION: return "onion"; 125 case NET_I2P: return "i2p"; 126 case NET_CJDNS: return "cjdns"; 127 case NET_INTERNAL: return "internal"; 128 case NET_MAX: assert(false); 129 } // no default case, so the compiler can warn about missing cases 130 131 assert(false); 132 } 133 134 std::vector<std::string> GetNetworkNames(bool append_unroutable) 135 { 136 std::vector<std::string> names; 137 for (int n = 0; n < NET_MAX; ++n) { 138 const enum Network network{static_cast<Network>(n)}; 139 if (network == NET_UNROUTABLE || network == NET_INTERNAL) continue; 140 names.emplace_back(GetNetworkName(network)); 141 } 142 if (append_unroutable) { 143 names.emplace_back(GetNetworkName(NET_UNROUTABLE)); 144 } 145 return names; 146 } 147 148 static std::vector<CNetAddr> LookupIntern(const std::string& name, unsigned int nMaxSolutions, bool fAllowLookup, DNSLookupFn dns_lookup_function) 149 { 150 if (!ContainsNoNUL(name)) return {}; 151 { 152 CNetAddr addr; 153 // From our perspective, onion addresses are not hostnames but rather 154 // direct encodings of CNetAddr much like IPv4 dotted-decimal notation 155 // or IPv6 colon-separated hextet notation. Since we can't use 156 // getaddrinfo to decode them and it wouldn't make sense to resolve 157 // them, we return a network address representing it instead. See 158 // CNetAddr::SetSpecial(const std::string&) for more details. 159 if (addr.SetSpecial(name)) return {addr}; 160 } 161 162 std::vector<CNetAddr> addresses; 163 164 for (const CNetAddr& resolved : dns_lookup_function(name, fAllowLookup)) { 165 if (nMaxSolutions > 0 && addresses.size() >= nMaxSolutions) { 166 break; 167 } 168 /* Never allow resolving to an internal address. Consider any such result invalid */ 169 if (!resolved.IsInternal()) { 170 addresses.push_back(resolved); 171 } 172 } 173 174 return addresses; 175 } 176 177 std::vector<CNetAddr> LookupHost(const std::string& name, unsigned int nMaxSolutions, bool fAllowLookup, DNSLookupFn dns_lookup_function) 178 { 179 if (!ContainsNoNUL(name)) return {}; 180 std::string strHost = name; 181 if (strHost.empty()) return {}; 182 if (strHost.front() == '[' && strHost.back() == ']') { 183 strHost = strHost.substr(1, strHost.size() - 2); 184 } 185 186 return LookupIntern(strHost, nMaxSolutions, fAllowLookup, dns_lookup_function); 187 } 188 189 std::optional<CNetAddr> LookupHost(const std::string& name, bool fAllowLookup, DNSLookupFn dns_lookup_function) 190 { 191 const std::vector<CNetAddr> addresses{LookupHost(name, 1, fAllowLookup, dns_lookup_function)}; 192 return addresses.empty() ? std::nullopt : std::make_optional(addresses.front()); 193 } 194 195 std::vector<CService> Lookup(const std::string& name, uint16_t portDefault, bool fAllowLookup, unsigned int nMaxSolutions, DNSLookupFn dns_lookup_function) 196 { 197 if (name.empty() || !ContainsNoNUL(name)) { 198 return {}; 199 } 200 uint16_t port{portDefault}; 201 std::string hostname; 202 SplitHostPort(name, port, hostname); 203 204 const std::vector<CNetAddr> addresses{LookupIntern(hostname, nMaxSolutions, fAllowLookup, dns_lookup_function)}; 205 if (addresses.empty()) return {}; 206 std::vector<CService> services; 207 services.reserve(addresses.size()); 208 for (const auto& addr : addresses) 209 services.emplace_back(addr, port); 210 return services; 211 } 212 213 std::optional<CService> Lookup(const std::string& name, uint16_t portDefault, bool fAllowLookup, DNSLookupFn dns_lookup_function) 214 { 215 const std::vector<CService> services{Lookup(name, portDefault, fAllowLookup, 1, dns_lookup_function)}; 216 217 return services.empty() ? std::nullopt : std::make_optional(services.front()); 218 } 219 220 CService LookupNumeric(const std::string& name, uint16_t portDefault, DNSLookupFn dns_lookup_function) 221 { 222 if (!ContainsNoNUL(name)) { 223 return {}; 224 } 225 // "1.2:345" will fail to resolve the ip, but will still set the port. 226 // If the ip fails to resolve, re-init the result. 227 return Lookup(name, portDefault, /*fAllowLookup=*/false, dns_lookup_function).value_or(CService{}); 228 } 229 230 bool IsUnixSocketPath(const std::string& name) 231 { 232 #ifdef HAVE_SOCKADDR_UN 233 if (!name.starts_with(ADDR_PREFIX_UNIX)) return false; 234 235 // Split off "unix:" prefix 236 std::string str{name.substr(ADDR_PREFIX_UNIX.length())}; 237 238 // Path size limit is platform-dependent 239 // see https://manpages.ubuntu.com/manpages/xenial/en/man7/unix.7.html 240 if (str.size() + 1 > sizeof(((sockaddr_un*)nullptr)->sun_path)) return false; 241 242 return true; 243 #else 244 return false; 245 #endif 246 } 247 248 /** SOCKS version */ 249 enum SOCKSVersion: uint8_t { 250 SOCKS4 = 0x04, 251 SOCKS5 = 0x05 252 }; 253 254 /** Values defined for METHOD in RFC1928 */ 255 enum SOCKS5Method: uint8_t { 256 NOAUTH = 0x00, //!< No authentication required 257 GSSAPI = 0x01, //!< GSSAPI 258 USER_PASS = 0x02, //!< Username/password 259 NO_ACCEPTABLE = 0xff, //!< No acceptable methods 260 }; 261 262 /** Values defined for CMD in RFC1928 */ 263 enum SOCKS5Command: uint8_t { 264 CONNECT = 0x01, 265 BIND = 0x02, 266 UDP_ASSOCIATE = 0x03 267 }; 268 269 /** Values defined for REP in RFC1928 and https://spec.torproject.org/socks-extensions.html */ 270 enum SOCKS5Reply: uint8_t { 271 SUCCEEDED = 0x00, //!< RFC1928: Succeeded 272 GENFAILURE = 0x01, //!< RFC1928: General failure 273 NOTALLOWED = 0x02, //!< RFC1928: Connection not allowed by ruleset 274 NETUNREACHABLE = 0x03, //!< RFC1928: Network unreachable 275 HOSTUNREACHABLE = 0x04, //!< RFC1928: Network unreachable 276 CONNREFUSED = 0x05, //!< RFC1928: Connection refused 277 TTLEXPIRED = 0x06, //!< RFC1928: TTL expired 278 CMDUNSUPPORTED = 0x07, //!< RFC1928: Command not supported 279 ATYPEUNSUPPORTED = 0x08, //!< RFC1928: Address type not supported 280 TOR_HS_DESC_NOT_FOUND = 0xf0, //!< Tor: Onion service descriptor can not be found 281 TOR_HS_DESC_INVALID = 0xf1, //!< Tor: Onion service descriptor is invalid 282 TOR_HS_INTRO_FAILED = 0xf2, //!< Tor: Onion service introduction failed 283 TOR_HS_REND_FAILED = 0xf3, //!< Tor: Onion service rendezvous failed 284 TOR_HS_MISSING_CLIENT_AUTH = 0xf4, //!< Tor: Onion service missing client authorization 285 TOR_HS_WRONG_CLIENT_AUTH = 0xf5, //!< Tor: Onion service wrong client authorization 286 TOR_HS_BAD_ADDRESS = 0xf6, //!< Tor: Onion service invalid address 287 TOR_HS_INTRO_TIMEOUT = 0xf7, //!< Tor: Onion service introduction timed out 288 }; 289 290 /** Values defined for ATYPE in RFC1928 */ 291 enum SOCKS5Atyp: uint8_t { 292 IPV4 = 0x01, 293 DOMAINNAME = 0x03, 294 IPV6 = 0x04, 295 }; 296 297 /** Status codes that can be returned by InterruptibleRecv */ 298 enum class IntrRecvError { 299 OK, 300 Timeout, 301 Disconnected, 302 NetworkError, 303 Interrupted 304 }; 305 306 /** 307 * Try to read a specified number of bytes from a socket. Please read the "see 308 * also" section for more detail. 309 * 310 * @param data The buffer where the read bytes should be stored. 311 * @param len The number of bytes to read into the specified buffer. 312 * @param timeout The total timeout for this read. 313 * @param sock The socket (has to be in non-blocking mode) from which to read bytes. 314 * 315 * @returns An IntrRecvError indicating the resulting status of this read. 316 * IntrRecvError::OK only if all of the specified number of bytes were 317 * read. 318 * 319 * @see This function can be interrupted by calling g_socks5_interrupt(). 320 * Sockets can be made non-blocking with Sock::SetNonBlocking(). 321 */ 322 static IntrRecvError InterruptibleRecv(uint8_t* data, size_t len, std::chrono::milliseconds timeout, const Sock& sock) 323 { 324 auto curTime{Now<SteadyMilliseconds>()}; 325 const auto endTime{curTime + timeout}; 326 while (len > 0 && curTime < endTime) { 327 ssize_t ret = sock.Recv(data, len, 0); // Optimistically try the recv first 328 if (ret > 0) { 329 len -= ret; 330 data += ret; 331 } else if (ret == 0) { // Unexpected disconnection 332 return IntrRecvError::Disconnected; 333 } else { // Other error or blocking 334 int nErr = WSAGetLastError(); 335 if (nErr == WSAEINPROGRESS || nErr == WSAEWOULDBLOCK || nErr == WSAEINVAL) { 336 // Only wait at most MAX_WAIT_FOR_IO at a time, unless 337 // we're approaching the end of the specified total timeout 338 const auto remaining = std::chrono::milliseconds{endTime - curTime}; 339 const auto timeout = std::min(remaining, std::chrono::milliseconds{MAX_WAIT_FOR_IO}); 340 if (!sock.Wait(timeout, Sock::RECV)) { 341 return IntrRecvError::NetworkError; 342 } 343 } else { 344 return IntrRecvError::NetworkError; 345 } 346 } 347 if (g_socks5_interrupt) { 348 return IntrRecvError::Interrupted; 349 } 350 curTime = Now<SteadyMilliseconds>(); 351 } 352 return len == 0 ? IntrRecvError::OK : IntrRecvError::Timeout; 353 } 354 355 /** Convert SOCKS5 reply to an error message */ 356 static std::string Socks5ErrorString(uint8_t err) 357 { 358 switch(err) { 359 case SOCKS5Reply::GENFAILURE: 360 return "general failure"; 361 case SOCKS5Reply::NOTALLOWED: 362 return "connection not allowed"; 363 case SOCKS5Reply::NETUNREACHABLE: 364 return "network unreachable"; 365 case SOCKS5Reply::HOSTUNREACHABLE: 366 return "host unreachable"; 367 case SOCKS5Reply::CONNREFUSED: 368 return "connection refused"; 369 case SOCKS5Reply::TTLEXPIRED: 370 return "TTL expired"; 371 case SOCKS5Reply::CMDUNSUPPORTED: 372 return "protocol error"; 373 case SOCKS5Reply::ATYPEUNSUPPORTED: 374 return "address type not supported"; 375 case SOCKS5Reply::TOR_HS_DESC_NOT_FOUND: 376 return "onion service descriptor can not be found"; 377 case SOCKS5Reply::TOR_HS_DESC_INVALID: 378 return "onion service descriptor is invalid"; 379 case SOCKS5Reply::TOR_HS_INTRO_FAILED: 380 return "onion service introduction failed"; 381 case SOCKS5Reply::TOR_HS_REND_FAILED: 382 return "onion service rendezvous failed"; 383 case SOCKS5Reply::TOR_HS_MISSING_CLIENT_AUTH: 384 return "onion service missing client authorization"; 385 case SOCKS5Reply::TOR_HS_WRONG_CLIENT_AUTH: 386 return "onion service wrong client authorization"; 387 case SOCKS5Reply::TOR_HS_BAD_ADDRESS: 388 return "onion service invalid address"; 389 case SOCKS5Reply::TOR_HS_INTRO_TIMEOUT: 390 return "onion service introduction timed out"; 391 default: 392 return strprintf("unknown (0x%02x)", err); 393 } 394 } 395 396 bool Socks5(const std::string& strDest, uint16_t port, const ProxyCredentials* auth, const Sock& sock) 397 { 398 try { 399 IntrRecvError recvr; 400 LogDebug(BCLog::NET, "SOCKS5 connecting %s\n", strDest); 401 if (strDest.size() > 255) { 402 LogError("Hostname too long\n"); 403 return false; 404 } 405 // Construct the version identifier/method selection message 406 std::vector<uint8_t> vSocks5Init; 407 vSocks5Init.push_back(SOCKSVersion::SOCKS5); // We want the SOCK5 protocol 408 if (auth) { 409 vSocks5Init.push_back(0x02); // 2 method identifiers follow... 410 vSocks5Init.push_back(SOCKS5Method::NOAUTH); 411 vSocks5Init.push_back(SOCKS5Method::USER_PASS); 412 } else { 413 vSocks5Init.push_back(0x01); // 1 method identifier follows... 414 vSocks5Init.push_back(SOCKS5Method::NOAUTH); 415 } 416 sock.SendComplete(vSocks5Init, g_socks5_recv_timeout, g_socks5_interrupt); 417 uint8_t pchRet1[2]; 418 if (InterruptibleRecv(pchRet1, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) { 419 LogPrintf("Socks5() connect to %s:%d failed: InterruptibleRecv() timeout or other failure\n", strDest, port); 420 return false; 421 } 422 if (pchRet1[0] != SOCKSVersion::SOCKS5) { 423 LogError("Proxy failed to initialize\n"); 424 return false; 425 } 426 if (pchRet1[1] == SOCKS5Method::USER_PASS && auth) { 427 // Perform username/password authentication (as described in RFC1929) 428 std::vector<uint8_t> vAuth; 429 vAuth.push_back(0x01); // Current (and only) version of user/pass subnegotiation 430 if (auth->username.size() > 255 || auth->password.size() > 255) { 431 LogError("Proxy username or password too long\n"); 432 return false; 433 } 434 vAuth.push_back(auth->username.size()); 435 vAuth.insert(vAuth.end(), auth->username.begin(), auth->username.end()); 436 vAuth.push_back(auth->password.size()); 437 vAuth.insert(vAuth.end(), auth->password.begin(), auth->password.end()); 438 sock.SendComplete(vAuth, g_socks5_recv_timeout, g_socks5_interrupt); 439 LogDebug(BCLog::PROXY, "SOCKS5 sending proxy authentication %s:%s\n", auth->username, auth->password); 440 uint8_t pchRetA[2]; 441 if (InterruptibleRecv(pchRetA, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) { 442 LogError("Error reading proxy authentication response\n"); 443 return false; 444 } 445 if (pchRetA[0] != 0x01 || pchRetA[1] != 0x00) { 446 LogError("Proxy authentication unsuccessful\n"); 447 return false; 448 } 449 } else if (pchRet1[1] == SOCKS5Method::NOAUTH) { 450 // Perform no authentication 451 } else { 452 LogError("Proxy requested wrong authentication method %02x\n", pchRet1[1]); 453 return false; 454 } 455 std::vector<uint8_t> vSocks5; 456 vSocks5.push_back(SOCKSVersion::SOCKS5); // VER protocol version 457 vSocks5.push_back(SOCKS5Command::CONNECT); // CMD CONNECT 458 vSocks5.push_back(0x00); // RSV Reserved must be 0 459 vSocks5.push_back(SOCKS5Atyp::DOMAINNAME); // ATYP DOMAINNAME 460 vSocks5.push_back(strDest.size()); // Length<=255 is checked at beginning of function 461 vSocks5.insert(vSocks5.end(), strDest.begin(), strDest.end()); 462 vSocks5.push_back((port >> 8) & 0xFF); 463 vSocks5.push_back((port >> 0) & 0xFF); 464 sock.SendComplete(vSocks5, g_socks5_recv_timeout, g_socks5_interrupt); 465 uint8_t pchRet2[4]; 466 if ((recvr = InterruptibleRecv(pchRet2, 4, g_socks5_recv_timeout, sock)) != IntrRecvError::OK) { 467 if (recvr == IntrRecvError::Timeout) { 468 /* If a timeout happens here, this effectively means we timed out while connecting 469 * to the remote node. This is very common for Tor, so do not print an 470 * error message. */ 471 return false; 472 } else { 473 LogError("Error while reading proxy response\n"); 474 return false; 475 } 476 } 477 if (pchRet2[0] != SOCKSVersion::SOCKS5) { 478 LogError("Proxy failed to accept request\n"); 479 return false; 480 } 481 if (pchRet2[1] != SOCKS5Reply::SUCCEEDED) { 482 // Failures to connect to a peer that are not proxy errors 483 LogPrintLevel(BCLog::NET, BCLog::Level::Debug, 484 "Socks5() connect to %s:%d failed: %s\n", strDest, port, Socks5ErrorString(pchRet2[1])); 485 return false; 486 } 487 if (pchRet2[2] != 0x00) { // Reserved field must be 0 488 LogError("Error: malformed proxy response\n"); 489 return false; 490 } 491 uint8_t pchRet3[256]; 492 switch (pchRet2[3]) { 493 case SOCKS5Atyp::IPV4: recvr = InterruptibleRecv(pchRet3, 4, g_socks5_recv_timeout, sock); break; 494 case SOCKS5Atyp::IPV6: recvr = InterruptibleRecv(pchRet3, 16, g_socks5_recv_timeout, sock); break; 495 case SOCKS5Atyp::DOMAINNAME: { 496 recvr = InterruptibleRecv(pchRet3, 1, g_socks5_recv_timeout, sock); 497 if (recvr != IntrRecvError::OK) { 498 LogError("Error reading from proxy\n"); 499 return false; 500 } 501 int nRecv = pchRet3[0]; 502 recvr = InterruptibleRecv(pchRet3, nRecv, g_socks5_recv_timeout, sock); 503 break; 504 } 505 default: { 506 LogError("Error: malformed proxy response\n"); 507 return false; 508 } 509 } 510 if (recvr != IntrRecvError::OK) { 511 LogError("Error reading from proxy\n"); 512 return false; 513 } 514 if (InterruptibleRecv(pchRet3, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) { 515 LogError("Error reading from proxy\n"); 516 return false; 517 } 518 LogDebug(BCLog::NET, "SOCKS5 connected %s\n", strDest); 519 return true; 520 } catch (const std::runtime_error& e) { 521 LogError("Error during SOCKS5 proxy handshake: %s\n", e.what()); 522 return false; 523 } 524 } 525 526 std::unique_ptr<Sock> CreateSockOS(int domain, int type, int protocol) 527 { 528 // Not IPv4, IPv6 or UNIX 529 if (domain == AF_UNSPEC) return nullptr; 530 531 // Create a socket in the specified address family. 532 SOCKET hSocket = socket(domain, type, protocol); 533 if (hSocket == INVALID_SOCKET) { 534 return nullptr; 535 } 536 537 auto sock = std::make_unique<Sock>(hSocket); 538 539 if (domain != AF_INET && domain != AF_INET6 && domain != AF_UNIX) { 540 return sock; 541 } 542 543 // Ensure that waiting for I/O on this socket won't result in undefined 544 // behavior. 545 if (!sock->IsSelectable()) { 546 LogPrintf("Cannot create connection: non-selectable socket created (fd >= FD_SETSIZE ?)\n"); 547 return nullptr; 548 } 549 550 #ifdef SO_NOSIGPIPE 551 int set = 1; 552 // Set the no-sigpipe option on the socket for BSD systems, other UNIXes 553 // should use the MSG_NOSIGNAL flag for every send. 554 if (sock->SetSockOpt(SOL_SOCKET, SO_NOSIGPIPE, &set, sizeof(int)) == SOCKET_ERROR) { 555 LogPrintf("Error setting SO_NOSIGPIPE on socket: %s, continuing anyway\n", 556 NetworkErrorString(WSAGetLastError())); 557 } 558 #endif 559 560 // Set the non-blocking option on the socket. 561 if (!sock->SetNonBlocking()) { 562 LogPrintf("Error setting socket to non-blocking: %s\n", NetworkErrorString(WSAGetLastError())); 563 return nullptr; 564 } 565 566 #ifdef HAVE_SOCKADDR_UN 567 if (domain == AF_UNIX) return sock; 568 #endif 569 570 if (protocol == IPPROTO_TCP) { 571 // Set the no-delay option (disable Nagle's algorithm) on the TCP socket. 572 const int on{1}; 573 if (sock->SetSockOpt(IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)) == SOCKET_ERROR) { 574 LogDebug(BCLog::NET, "Unable to set TCP_NODELAY on a newly created socket, continuing anyway\n"); 575 } 576 } 577 578 return sock; 579 } 580 581 std::function<std::unique_ptr<Sock>(int, int, int)> CreateSock = CreateSockOS; 582 583 template<typename... Args> 584 static void LogConnectFailure(bool manual_connection, util::ConstevalFormatString<sizeof...(Args)> fmt, const Args&... args) 585 { 586 std::string error_message = tfm::format(fmt, args...); 587 if (manual_connection) { 588 LogPrintf("%s\n", error_message); 589 } else { 590 LogDebug(BCLog::NET, "%s\n", error_message); 591 } 592 } 593 594 static bool ConnectToSocket(const Sock& sock, struct sockaddr* sockaddr, socklen_t len, const std::string& dest_str, bool manual_connection) 595 { 596 // Connect to `sockaddr` using `sock`. 597 if (sock.Connect(sockaddr, len) == SOCKET_ERROR) { 598 int nErr = WSAGetLastError(); 599 // WSAEINVAL is here because some legacy version of winsock uses it 600 if (nErr == WSAEINPROGRESS || nErr == WSAEWOULDBLOCK || nErr == WSAEINVAL) 601 { 602 // Connection didn't actually fail, but is being established 603 // asynchronously. Thus, use async I/O api (select/poll) 604 // synchronously to check for successful connection with a timeout. 605 const Sock::Event requested = Sock::RECV | Sock::SEND; 606 Sock::Event occurred; 607 if (!sock.Wait(std::chrono::milliseconds{nConnectTimeout}, requested, &occurred)) { 608 LogPrintf("wait for connect to %s failed: %s\n", 609 dest_str, 610 NetworkErrorString(WSAGetLastError())); 611 return false; 612 } else if (occurred == 0) { 613 LogPrintLevel(BCLog::NET, BCLog::Level::Debug, "connection attempt to %s timed out\n", dest_str); 614 return false; 615 } 616 617 // Even if the wait was successful, the connect might not 618 // have been successful. The reason for this failure is hidden away 619 // in the SO_ERROR for the socket in modern systems. We read it into 620 // sockerr here. 621 int sockerr; 622 socklen_t sockerr_len = sizeof(sockerr); 623 if (sock.GetSockOpt(SOL_SOCKET, SO_ERROR, &sockerr, &sockerr_len) == 624 SOCKET_ERROR) { 625 LogPrintf("getsockopt() for %s failed: %s\n", dest_str, NetworkErrorString(WSAGetLastError())); 626 return false; 627 } 628 if (sockerr != 0) { 629 LogConnectFailure(manual_connection, 630 "connect() to %s failed after wait: %s", 631 dest_str, 632 NetworkErrorString(sockerr)); 633 return false; 634 } 635 } 636 #ifdef WIN32 637 else if (WSAGetLastError() != WSAEISCONN) 638 #else 639 else 640 #endif 641 { 642 LogConnectFailure(manual_connection, "connect() to %s failed: %s", dest_str, NetworkErrorString(WSAGetLastError())); 643 return false; 644 } 645 } 646 return true; 647 } 648 649 std::unique_ptr<Sock> ConnectDirectly(const CService& dest, bool manual_connection) 650 { 651 auto sock = CreateSock(dest.GetSAFamily(), SOCK_STREAM, IPPROTO_TCP); 652 if (!sock) { 653 LogPrintLevel(BCLog::NET, BCLog::Level::Error, "Cannot create a socket for connecting to %s\n", dest.ToStringAddrPort()); 654 return {}; 655 } 656 657 // Create a sockaddr from the specified service. 658 struct sockaddr_storage sockaddr; 659 socklen_t len = sizeof(sockaddr); 660 if (!dest.GetSockAddr((struct sockaddr*)&sockaddr, &len)) { 661 LogPrintf("Cannot get sockaddr for %s: unsupported network\n", dest.ToStringAddrPort()); 662 return {}; 663 } 664 665 if (!ConnectToSocket(*sock, (struct sockaddr*)&sockaddr, len, dest.ToStringAddrPort(), manual_connection)) { 666 return {}; 667 } 668 669 return sock; 670 } 671 672 std::unique_ptr<Sock> Proxy::Connect() const 673 { 674 if (!IsValid()) return {}; 675 676 if (!m_is_unix_socket) return ConnectDirectly(proxy, /*manual_connection=*/true); 677 678 #ifdef HAVE_SOCKADDR_UN 679 auto sock = CreateSock(AF_UNIX, SOCK_STREAM, 0); 680 if (!sock) { 681 LogPrintLevel(BCLog::NET, BCLog::Level::Error, "Cannot create a socket for connecting to %s\n", m_unix_socket_path); 682 return {}; 683 } 684 685 const std::string path{m_unix_socket_path.substr(ADDR_PREFIX_UNIX.length())}; 686 687 struct sockaddr_un addrun; 688 memset(&addrun, 0, sizeof(addrun)); 689 addrun.sun_family = AF_UNIX; 690 // leave the last char in addrun.sun_path[] to be always '\0' 691 memcpy(addrun.sun_path, path.c_str(), std::min(sizeof(addrun.sun_path) - 1, path.length())); 692 socklen_t len = sizeof(addrun); 693 694 if(!ConnectToSocket(*sock, (struct sockaddr*)&addrun, len, path, /*manual_connection=*/true)) { 695 return {}; 696 } 697 698 return sock; 699 #else 700 return {}; 701 #endif 702 } 703 704 bool SetProxy(enum Network net, const Proxy &addrProxy) { 705 assert(net >= 0 && net < NET_MAX); 706 if (!addrProxy.IsValid()) 707 return false; 708 LOCK(g_proxyinfo_mutex); 709 proxyInfo[net] = addrProxy; 710 return true; 711 } 712 713 bool GetProxy(enum Network net, Proxy &proxyInfoOut) { 714 assert(net >= 0 && net < NET_MAX); 715 LOCK(g_proxyinfo_mutex); 716 if (!proxyInfo[net].IsValid()) 717 return false; 718 proxyInfoOut = proxyInfo[net]; 719 return true; 720 } 721 722 bool SetNameProxy(const Proxy &addrProxy) { 723 if (!addrProxy.IsValid()) 724 return false; 725 LOCK(g_proxyinfo_mutex); 726 nameProxy = addrProxy; 727 return true; 728 } 729 730 bool GetNameProxy(Proxy &nameProxyOut) { 731 LOCK(g_proxyinfo_mutex); 732 if(!nameProxy.IsValid()) 733 return false; 734 nameProxyOut = nameProxy; 735 return true; 736 } 737 738 bool HaveNameProxy() { 739 LOCK(g_proxyinfo_mutex); 740 return nameProxy.IsValid(); 741 } 742 743 bool IsProxy(const CNetAddr &addr) { 744 LOCK(g_proxyinfo_mutex); 745 for (int i = 0; i < NET_MAX; i++) { 746 if (addr == static_cast<CNetAddr>(proxyInfo[i].proxy)) 747 return true; 748 } 749 return false; 750 } 751 752 /** 753 * Generate unique credentials for Tor stream isolation. Tor will create 754 * separate circuits for SOCKS5 proxy connections with different credentials, which 755 * makes it harder to correlate the connections. 756 */ 757 class TorStreamIsolationCredentialsGenerator 758 { 759 public: 760 TorStreamIsolationCredentialsGenerator(): 761 m_prefix(GenerateUniquePrefix()) { 762 } 763 764 /** Return the next unique proxy credentials. */ 765 ProxyCredentials Generate() { 766 ProxyCredentials auth; 767 auth.username = auth.password = strprintf("%s%i", m_prefix, m_counter); 768 ++m_counter; 769 return auth; 770 } 771 772 /** Size of session prefix in bytes. */ 773 static constexpr size_t PREFIX_BYTE_LENGTH = 8; 774 private: 775 const std::string m_prefix; 776 std::atomic<uint64_t> m_counter; 777 778 /** Generate a random prefix for each of the credentials returned by this generator. 779 * This makes sure that different launches of the application (either successively or in parallel) 780 * will not share the same circuits, as would be the case with a bare counter. 781 */ 782 static std::string GenerateUniquePrefix() { 783 std::array<uint8_t, PREFIX_BYTE_LENGTH> prefix_bytes; 784 GetRandBytes(prefix_bytes); 785 return HexStr(prefix_bytes) + "-"; 786 } 787 }; 788 789 std::unique_ptr<Sock> ConnectThroughProxy(const Proxy& proxy, 790 const std::string& dest, 791 uint16_t port, 792 bool& proxy_connection_failed) 793 { 794 // first connect to proxy server 795 auto sock = proxy.Connect(); 796 if (!sock) { 797 proxy_connection_failed = true; 798 return {}; 799 } 800 801 // do socks negotiation 802 if (proxy.m_tor_stream_isolation) { 803 static TorStreamIsolationCredentialsGenerator generator; 804 ProxyCredentials random_auth{generator.Generate()}; 805 if (!Socks5(dest, port, &random_auth, *sock)) { 806 return {}; 807 } 808 } else { 809 if (!Socks5(dest, port, nullptr, *sock)) { 810 return {}; 811 } 812 } 813 return sock; 814 } 815 816 CSubNet LookupSubNet(const std::string& subnet_str) 817 { 818 CSubNet subnet; 819 assert(!subnet.IsValid()); 820 if (!ContainsNoNUL(subnet_str)) { 821 return subnet; 822 } 823 824 const size_t slash_pos{subnet_str.find_last_of('/')}; 825 const std::string str_addr{subnet_str.substr(0, slash_pos)}; 826 std::optional<CNetAddr> addr{LookupHost(str_addr, /*fAllowLookup=*/false)}; 827 828 if (addr.has_value()) { 829 addr = static_cast<CNetAddr>(MaybeFlipIPv6toCJDNS(CService{addr.value(), /*port=*/0})); 830 if (slash_pos != subnet_str.npos) { 831 const std::string netmask_str{subnet_str.substr(slash_pos + 1)}; 832 if (const auto netmask{ToIntegral<uint8_t>(netmask_str)}) { 833 // Valid number; assume CIDR variable-length subnet masking. 834 subnet = CSubNet{addr.value(), *netmask}; 835 } else { 836 // Invalid number; try full netmask syntax. Never allow lookup for netmask. 837 const std::optional<CNetAddr> full_netmask{LookupHost(netmask_str, /*fAllowLookup=*/false)}; 838 if (full_netmask.has_value()) { 839 subnet = CSubNet{addr.value(), full_netmask.value()}; 840 } 841 } 842 } else { 843 // Single IP subnet (<ipv4>/32 or <ipv6>/128). 844 subnet = CSubNet{addr.value()}; 845 } 846 } 847 848 return subnet; 849 } 850 851 bool IsBadPort(uint16_t port) 852 { 853 /* Don't forget to update doc/p2p-bad-ports.md if you change this list. */ 854 855 switch (port) { 856 case 1: // tcpmux 857 case 7: // echo 858 case 9: // discard 859 case 11: // systat 860 case 13: // daytime 861 case 15: // netstat 862 case 17: // qotd 863 case 19: // chargen 864 case 20: // ftp data 865 case 21: // ftp access 866 case 22: // ssh 867 case 23: // telnet 868 case 25: // smtp 869 case 37: // time 870 case 42: // name 871 case 43: // nicname 872 case 53: // domain 873 case 69: // tftp 874 case 77: // priv-rjs 875 case 79: // finger 876 case 87: // ttylink 877 case 95: // supdup 878 case 101: // hostname 879 case 102: // iso-tsap 880 case 103: // gppitnp 881 case 104: // acr-nema 882 case 109: // pop2 883 case 110: // pop3 884 case 111: // sunrpc 885 case 113: // auth 886 case 115: // sftp 887 case 117: // uucp-path 888 case 119: // nntp 889 case 123: // NTP 890 case 135: // loc-srv /epmap 891 case 137: // netbios 892 case 139: // netbios 893 case 143: // imap2 894 case 161: // snmp 895 case 179: // BGP 896 case 389: // ldap 897 case 427: // SLP (Also used by Apple Filing Protocol) 898 case 465: // smtp+ssl 899 case 512: // print / exec 900 case 513: // login 901 case 514: // shell 902 case 515: // printer 903 case 526: // tempo 904 case 530: // courier 905 case 531: // chat 906 case 532: // netnews 907 case 540: // uucp 908 case 548: // AFP (Apple Filing Protocol) 909 case 554: // rtsp 910 case 556: // remotefs 911 case 563: // nntp+ssl 912 case 587: // smtp (rfc6409) 913 case 601: // syslog-conn (rfc3195) 914 case 636: // ldap+ssl 915 case 989: // ftps-data 916 case 990: // ftps 917 case 993: // ldap+ssl 918 case 995: // pop3+ssl 919 case 1719: // h323gatestat 920 case 1720: // h323hostcall 921 case 1723: // pptp 922 case 2049: // nfs 923 case 3306: // MySQL 924 case 3389: // RDP / Windows Remote Desktop 925 case 3659: // apple-sasl / PasswordServer 926 case 4045: // lockd 927 case 5060: // sip 928 case 5061: // sips 929 case 5432: // PostgreSQL 930 case 5900: // VNC 931 case 6000: // X11 932 case 6566: // sane-port 933 case 6665: // Alternate IRC 934 case 6666: // Alternate IRC 935 case 6667: // Standard IRC 936 case 6668: // Alternate IRC 937 case 6669: // Alternate IRC 938 case 6697: // IRC + TLS 939 case 10080: // Amanda 940 case 27017: // MongoDB 941 return true; 942 } 943 return false; 944 } 945 946 CService MaybeFlipIPv6toCJDNS(const CService& service) 947 { 948 CService ret{service}; 949 if (ret.IsIPv6() && ret.HasCJDNSPrefix() && g_reachable_nets.Contains(NET_CJDNS)) { 950 ret.m_net = NET_CJDNS; 951 } 952 return ret; 953 }