net: support unix domain sockets for -proxy and -onion

pinheadmz commented at 7:29 pm on March 30, 2023: member

UNIX domain sockets are a mechanism for inter-process communication that are faster than local TCP ports (because there is no need for TCP overhead) and potentially more secure because access is managed by the filesystem instead of serving an open port on the system.

There has been work on unix domain sockets before but for now I just wanted to start on this single use-case which is enabling unix sockets from the client side, specifically connecting to a local Tor proxy (Tor can listen on unix sockets and even enforces strict curent-user-only access permission before binding) configured by -onion= or -proxy=

I copied the prefix unix: usage from Tor. With this patch built locally you can test with your own filesystem path (example):

tor --SocksPort unix:/Users/matthewzipkin/torsocket/x

bitcoind -proxy=unix:/Users/matthewzipkin/torsocket/x

Prep work for this feature includes:

Moving where and how we create sockaddr and Sock to accommodate AF_UNIX without disturbing CService
Expanding Proxy class to represent either a CService or a UNIX socket (by its file path)

Future work:

Enable UNIX sockets for ZMQ (https://github.com/bitcoin/bitcoin/pull/27679)
Enable UNIX sockets for I2P SAM proxy (some code is included in this PR but not tested or exposed to user options yet)
Enable UNIX sockets on windows where supported
Update Network Proxies dialog in GUI to support UNIX sockets

DrahtBot commented at 7:29 pm on March 30, 2023: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	Sjors, vasild, tdb3, achow101
Stale ACK	willcl-ark

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

#29641 (scripted-diff: Use LogInfo/LogDebug over LogPrintf/LogPrint by maflcko)
#29015 (kernel: Streamline util library by ryanofsky)
#28834 (net: attempts to connect to all resolved addresses when connecting to a node by sr-gi)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

DrahtBot added the label P2P on Mar 30, 2023

pinheadmz force-pushed on Mar 31, 2023

in src/netbase.cpp:115 in 7785e4d179 outdated

111@@ -112,6 +112,7 @@ std::string GetNetworkName(enum Network net)
112     case NET_I2P: return "i2p";
113     case NET_CJDNS: return "cjdns";
114     case NET_INTERNAL: return "internal";
115+    case NET_UNIX: return "unix_domain_socket";

willcl-ark commented at 7:36 am on March 31, 2023:

I think I’d go for unix here (but only because it’s shorter).

pinheadmz commented at 5:43 pm on March 31, 2023:

agreed, updated.

in test/functional/feature_proxy.py:93 in 7785e4d179 outdated

89@@ -89,13 +90,22 @@ def setup_nodes(self):
90         else:
91             self.log.warning("Testing without local IPv6 support")
92 
93+        socket_path = os.path.join(self.options.tmpdir, "socket_path")

willcl-ark commented at 7:59 am on March 31, 2023:

This needs to be shorter (< 92 chars?). From man 7 unix:

 0   Pathname sockets
 1       When binding a socket to a pathname, a few rules should be observed for maximum portability and ease of coding:
 2
 3       *  The pathname in sun_path should be null-terminated.
 4
 5       *  The length of the pathname, including the terminating null byte, should not exceed the size of sun_path.
 6
 7       *  The addrlen argument that describes the enclosing sockaddr_un structure should have a value of at least:
 8
 9              offsetof(struct sockaddr_un, sun_path)+strlen(addr.sun_path)+1
10
11          or, more simply, addrlen can be specified as sizeof(struct sockaddr_un).
12
13       There is some variation in how implementations handle UNIX domain socket addresses that do not follow the above rules.  For example, some (but not all) implementations append a null terminator if none is present in the supplied
14       sun_path.
15
16       When coding portable applications, keep in mind that some implementations have sun_path as short as 92 bytes.

It probably makes most sense to check this early on in init.cpp?

willcl-ark commented at 8:00 am on March 31, 2023:

On the test this is trying to use a path

/private/var/folders/v7/fs2b0v3s0lz1n57gj9y4xb5m0000gn/T/cirrus-ci-build/ci/scratch/test_runner/test_runner_₿_🏃_20230331_010828/feature_proxy_156

…

pinheadmz commented at 6:36 pm on March 31, 2023:

Yeah this one may be tricky to work around. Some of the CI temp dir paths are crazy long like that. I’m going to add an init check & test to throw on socket paths longer than 92 characters. For the sake of passing the tests, I’ll try using a temp path that is in the parent of test_runner_... and we’ll see if that is short enough to pass on the CI VMs.

in src/net.cpp:527 in 7785e4d179 outdated

523@@ -524,8 +524,10 @@ CNode* CConnman::ConnectNode(CAddress addrConnect, const char *pszDest, bool fCo
524         } else if (use_proxy) {
525             sock = CreateSock(proxy.proxy);
526             if (!sock) {
527+                LogPrintLevel(BCLog::PROXY, BCLog::Level::Debug, "Failed to create socket to proxy: %s\n", proxy.proxy.ToStringAddr());

willcl-ark commented at 8:08 am on March 31, 2023:

I wonder if this should be a Warning or at least an Info level message?

pinheadmz commented at 5:43 pm on March 31, 2023:

I only added this for my own debugging, we could even just take it out. There is also a “proxy failed to initialize” error message in Socks5() which will get thrown by ConnectThroughProxy() below.

vasild commented at 7:16 am on April 13, 2023:

CreateSock() already logs a detailed message if it returns nullptr. This LogPrintLevel() call here is redundant.

in src/init.cpp:1287 in 7785e4d179 outdated

1282@@ -1283,7 +1283,10 @@ bool AppInitMain(NodeContext& node, interfaces::BlockAndHeaderTipInfo* tip_info)
1283             std::string host_out;
1284             uint16_t port_out{0};
1285             if (!SplitHostPort(socket_addr, port_out, host_out)) {
1286-                return InitError(InvalidPortErrMsg(port_option, socket_addr));
1287+                // Allow unix domain sockets for proxy e.g. unix:/some/file/path
1288+                if (port_option != "-proxy" || socket_addr.find(ADDR_PREFIX_UNIX) != 0) {

willcl-ark commented at 8:48 am on March 31, 2023:

Im curious why you didn’t enable it for -onion here, as it seems a compartiviely small addtion:

 0diff --git a/src/init.cpp b/src/init.cpp
 1index c0a320136..53b6b2a4b 100644
 2--- a/src/init.cpp
 3+++ b/src/init.cpp
 4@@ -1283,8 +1283,8 @@ bool AppInitMain(NodeContext& node, interfaces::BlockAndHeaderTipInfo* tip_info)
 5             std::string host_out;
 6             uint16_t port_out{0};
 7             if (!SplitHostPort(socket_addr, port_out, host_out)) {
 8-                // Allow unix domain sockets for proxy e.g. unix:/some/file/path
 9-                if (port_option != "-proxy" || socket_addr.find(ADDR_PREFIX_UNIX) != 0) {
10+                // Allow unix domain sockets for -proxy and -onion e.g. unix:/some/file/path
11+                if ((port_option != "-proxy" || port_option != "-onion") || socket_addr.find(ADDR_PREFIX_UNIX) != 0) {
12                     return InitError(InvalidPortErrMsg(port_option, socket_addr));
13                 }
14             }

pinheadmz commented at 5:41 pm on March 31, 2023:

To literally answer your question: I was not clear on what -onion actually does! Now I do, adding this in next update.

willcl-ark commented at 9:01 am on March 31, 2023: contributor

Concept ACK

With some light testing it seems to work pretty nicely:

 0will@ubuntu in ~/src/bitcoin on  tor-unix-domain-socket [$?] via 🐍 3.7.16 took 6s
 1₿ sudo exa -al /proc/(pidof bitcoind)/fd
 2lrwx------  64 will 31 Mar 09:21 0 -> /dev/null
 3lrwx------  64 will 31 Mar 09:21 1 -> /dev/null
 4lrwx------  64 will 31 Mar 09:21 2 -> /dev/null
 5lr-x------  64 will 31 Mar 09:21 3 -> pipe:[47084978]
 6l-wx------  64 will 31 Mar 09:21 4 -> pipe:[47084978]
 7lrwx------  64 will 31 Mar 09:21 5 -> /home/will/.bitcoin/signet/.lock
 8l-wx------  64 will 31 Mar 09:21 6 -> /home/will/.bitcoin/signet/debug.log
 9lrwx------  64 will 31 Mar 09:21 7 -> anon_inode:[eventpoll]
10lr-x------  64 will 31 Mar 09:21 8 -> pipe:[47101090]
11l-wx------  64 will 31 Mar 09:21 9 -> pipe:[47101090]
12lrwx------  64 will 31 Mar 09:21 10 -> anon_inode:[eventfd]
13lrwx------@ 64 will 31 Mar 09:21 11 -> socket:[47101093]
14lrwx------@ 64 will 31 Mar 09:21 12 -> socket:[47101095]
15lrwx------  64 will 31 Mar 09:21 13 -> /home/will/.bitcoin/signet/blocks/index/LOCK
16l-wx------  64 will 31 Mar 09:21 14 -> /home/will/.bitcoin/signet/blocks/index/000387.log
17l-wx------  64 will 31 Mar 09:21 15 -> /home/will/.bitcoin/signet/blocks/index/MANIFEST-000385
18lrwx------  64 will 31 Mar 09:21 16 -> /home/will/.bitcoin/signet/chainstate/LOCK
19l-wx------  64 will 31 Mar 09:21 17 -> /home/will/.bitcoin/signet/chainstate/002594.log
20l-wx------  64 will 31 Mar 09:21 18 -> /home/will/.bitcoin/signet/chainstate/MANIFEST-002593
21lrwx------  64 will 31 Mar 09:21 19 -> /home/will/.bitcoin/signet/wallets/legacy/.walletlock
22l-wx------  64 will 31 Mar 09:21 20 -> /home/will/.bitcoin/signet/wallets/legacy/db.log
23lrwx------  64 will 31 Mar 09:21 21 -> /home/will/.bitcoin/signet/wallets/legacy/wallet.dat
24lrwx------  64 will 31 Mar 09:21 22 -> /home/will/.bitcoin/signet/wallets/legacy/database/log.0000000001
25lrwx------  64 will 31 Mar 09:21 23 -> /home/will/.bitcoin/signet/wallets/test-descriptor/wallet.dat
26lrwx------  64 will 31 Mar 09:21 24 -> /home/will/.bitcoin/signet/wallets/test-descriptor/wallet.dat-journal
27lrwx------  64 will 31 Mar 09:21 25 -> anon_inode:[eventpoll]
28lr-x------  64 will 31 Mar 09:21 26 -> pipe:[47084995]
29l-wx------  64 will 31 Mar 09:21 27 -> pipe:[47084995]
30lrwx------  64 will 31 Mar 09:21 28 -> anon_inode:[eventfd]
31lrwx------@ 64 will 31 Mar 09:21 29 -> socket:[47099059]
32lrwx------@ 64 will 31 Mar 09:21 30 -> socket:[47084996]
33lrwx------@ 64 will 31 Mar 09:21 31 -> socket:[47084997]
34lrwx------@ 64 will 31 Mar 09:21 32 -> socket:[47099065]
35lrwx------@ 64 will 31 Mar 09:21 33 -> socket:[47084998]
36lrwx------@ 64 will 31 Mar 09:21 34 -> socket:[47100197]
37lrwx------@ 64 will 31 Mar 09:21 35 -> socket:[47099299]
38lrwx------@ 64 will 31 Mar 09:21 36 -> socket:[47099533]
39lrwx------@ 64 will 31 Mar 09:22 37 -> socket:[47099588]
40lrwx------@ 64 will 31 Mar 09:22 38 -> socket:[47085043]
41lrwx------@ 64 will 31 Mar 09:22 39 -> socket:[47085047]

With new socket connections being opened for each connection.

As I mentioned in one of my comments, I am curious why you didn’t go for the -onion case too, to reduce the scope of the change?

Enabling -onion in the PortErrorMessage check loop did appear to also work nicely (although i did not check whether there were any other side-effects).

The info shown by -netinfo 4 looked correct in both cases.

pinheadmz force-pushed on Mar 31, 2023

pinheadmz commented at 6:47 pm on March 31, 2023: member

Thanks for the feedback @willcl-ark. force-push to 2436b00f2231c52e6bee6d7f79690c5e709cd6f9 should address your notes. I’m still expecting some CI failures from platforms that don’t support unix sockets, then I’ll add configure options like wumpus did here

pinheadmz force-pushed on Mar 31, 2023

DrahtBot added the label Needs rebase on Apr 1, 2023

pinheadmz force-pushed on Apr 2, 2023

DrahtBot removed the label Needs rebase on Apr 2, 2023

pinheadmz force-pushed on Apr 3, 2023

pinheadmz renamed this:
~~net: support unix domain sockets for -proxy~~
net: support unix domain sockets for -proxy and -onion
on Apr 3, 2023

pinheadmz force-pushed on Apr 3, 2023

pinheadmz marked this as ready for review on Apr 3, 2023

in src/netaddress.cpp:928 in 44dd4cb505 outdated

923+    if (IsUnix()) {
924+        if (*addrlen < (socklen_t)sizeof(struct sockaddr_un))
925+            return false;
926+        struct sockaddr_un* paddrun = (struct sockaddr_un*)paddr;
927+        paddrun->sun_family = AF_UNIX;
928+        strcpy(paddrun->sun_path, fs::PathToString(m_path).c_str());

vasild commented at 8:28 am on April 13, 2023:

This is dangerous. Better check the size before copying (untested):

0        const std::string path{fs::PathToString(m_path)};
1        if (sizeof(paddrun->sun_path) < path.length() + 1) {
2            return false;
3        }
4        memcpy(paddrun->sun_path, path.c_str(), path.length() + 1);

in src/netaddress.cpp:929 in 44dd4cb505 outdated

924+        if (*addrlen < (socklen_t)sizeof(struct sockaddr_un))
925+            return false;
926+        struct sockaddr_un* paddrun = (struct sockaddr_un*)paddr;
927+        paddrun->sun_family = AF_UNIX;
928+        strcpy(paddrun->sun_path, fs::PathToString(m_path).c_str());
929+        *addrlen = strlen(paddrun->sun_path) + sizeof(paddrun);

vasild commented at 8:37 am on April 13, 2023:

This looks wrong as paddrun is a pointer (sizeof(paddrun) will be always 8 bytes on 64 bit computers). According to https://www.man7.org/linux/man-pages/man7/unix.7.html it should be:

0offsetof(struct sockaddr_un, sun_path)+strlen(addr.sun_path)+1

FreeBSD has this, defined in sys/un.h:

0#define SUN_LEN(su) \
1        (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))

and Linux has:

0/* Evaluate to actual length of the `sockaddr_un' structure.  */
1# define SUN_LEN(ptr) ((size_t) (((struct sockaddr_un *) 0)->sun_path)        \
2                      + strlen ((ptr)->sun_path))

in src/netbase.cpp:233 in 44dd4cb505 outdated

228+
229+        // https://www.man7.org/linux/man-pages/man7/unix.7.html
230+        //   "When coding portable applications, keep in mind that some
231+        //   implementations have sun_path as short as 92 bytes."
232+        if (str.size() > 92)
233+            return false;

vasild commented at 9:16 am on April 13, 2023:

Better check the actual sun_path on the system, and also sun_path is supposed to contain the terminating '\0':

0        if (str.size() + 1 > sizeof(sockaddr_un::sun_path)) {
1            return false;
2        }

in src/netbase.cpp:237 in 44dd4cb505 outdated

232+        if (str.size() > 92)
233+            return false;
234+
235+        fs::path path = fs::PathFromString(str);
236+        if (!fs::exists(path))
237+            return false;

vasild commented at 9:20 am on April 13, 2023:

style: from doc/developer-notes.md:

If an if only has a single-statement then-clause, it can appear on the same line as the if, without braces. In every other case, braces are required, and the then and else clauses must appear correctly indented on a new line.

in src/netbase.cpp:224 in 44dd4cb505 outdated

219@@ -219,6 +220,26 @@ bool Lookup(const std::string& name, CService& addr, uint16_t portDefault, bool
220     if (!ContainsNoNUL(name)) {
221         return false;
222     }
223+
224+    // unix domain socket

vasild commented at 9:29 am on April 13, 2023:

It is a bit odd to support unix:/path/to/socket in Lookup() because there is nothing to lookup in that and it is not like the other inputs supported by Lookup() begin with the socket type, e.g. ipv4://1.2.3.4.

in src/netbase.cpp:415 in 44dd4cb505 outdated

411@@ -391,7 +412,7 @@ bool Socks5(const std::string& strDest, uint16_t port, const ProxyCredentials* a
412         return false;
413     }
414     if (pchRet1[0] != SOCKSVersion::SOCKS5) {
415-        return error("Proxy failed to initialize");
416+        return error("Proxy failed to initialize.");

vasild commented at 9:30 am on April 13, 2023:

Unrelated change.

in src/netbase.cpp:518 in 44dd4cb505 outdated

513@@ -493,8 +514,10 @@ std::unique_ptr<Sock> CreateSockTCP(const CService& address_family)
514     }
515 
516     // Create a TCP socket in the address family of the specified service.
517-    SOCKET hSocket = socket(((struct sockaddr*)&sockaddr)->sa_family, SOCK_STREAM, IPPROTO_TCP);
518+    int protocol = address_family.IsUnix() ? 0 : IPPROTO_TCP;
519+    SOCKET hSocket = socket(((struct sockaddr*)&sockaddr)->sa_family, SOCK_STREAM, protocol);

vasild commented at 9:40 am on April 13, 2023:

It is odd to have CreateSockTCP() create a non-TCP socket.

Also, the code below sets TCP_NODELAY on the socket which does not apply to UNIX sockets.

in test/functional/feature_proxy.py:67 in 44dd4cb505 outdated

62@@ -60,14 +63,17 @@
63 # Networks returned by RPC getnetworkinfo, defined in src/rpc/net.cpp::GetNetworksInfo()
64 NETWORKS = frozenset({NET_IPV4, NET_IPV6, NET_ONION, NET_I2P, NET_CJDNS})
65 
66+# Use the shortest temp path possible since socket paths have a 92-char limit
67+socket_path = os.path.join(tempfile.gettempdir(), "sockpath")

vasild commented at 10:07 am on April 13, 2023:

It is better to stay inside the individual test directory. This allows running multiple tests in parallel. With the above code multiple tests will collide on the common /tmp/sockpath.

/tmp/bitcoin_func_test_99opr6sq/socks5_proxy is just 44 chars, should be below the limit on any platform, even if TMPDIR expands to something longer than /tmp.

pinheadmz commented at 4:55 pm on April 13, 2023:

See this ci failure: https://cirrus-ci.com/task/5039125594636288?logs=ci#L2638-L2640

This is why I used a shorter path, sometimes TMPDIR is > 50 characters! You have a good point about getting max sun_path from the system though, maybe it will balance out

0File "/private/var/folders/v7/fs2b0v3s0lz1n57gj9y4xb5m0000gn/T/cirrus-ci-build/ci/scratch/build/bitcoin-arm64-apple-darwin/test/functional/test_framework/socks5.py", line 131, in __init__
1self.s.bind(conf.addr)
2OSError: AF_UNIX path too long

vasild commented at 11:19 am on April 14, 2023:

I see. Then, to avoid multiple tests colliding on /tmp/socket, maybe this:

0socket_path = os.path.join(tempfile.TemporaryDirectory(), "s")

in test/functional/feature_proxy.py:443 in 44dd4cb505 outdated

436@@ -383,6 +437,18 @@ def networks_dict(d):
437         msg = "Error: Unknown network specified in -onlynet: 'abc'"
438         self.nodes[1].assert_start_raises_init_error(expected_msg=msg)
439 
440+        self.log.info("Test passing too-long unix path to -proxy raises init error")
441+        self.nodes[1].extra_args = [f"-proxy=unix:{'x' * 93}"]
442+        if self.have_unix_sockets:
443+            msg = f"Error: Invalid -proxy address or hostname: 'unix:{'x' * 93}'"

vasild commented at 10:10 am on April 13, 2023:

Given that the actual limit is platform-dependent, I would suggest to pass something really longer here, e.g. 1000 or 5000 chars.

in src/netaddress.cpp:25 in 44dd4cb505 outdated

19@@ -20,6 +20,10 @@
20 #include <iterator>
21 #include <tuple>
22 
23+#if HAVE_SOCKADDR_UN
24+#include <sys/un.h>
25+#endif

vasild commented at 10:26 am on April 13, 2023:

The include is introduced in the first commit and surrounded by #if HAVE_SOCKADDR_UN in the second commit. This means that the first commit is not self-contained (would not compile on some platforms). Better introduce the configure check first.

in src/netaddress.h:149 in 44dd4cb505 outdated

142@@ -136,9 +143,16 @@ class CNetAddr
143      */
144     uint32_t m_scope_id{0};
145 
146+    /**
147+     * Filesystem path for unix domain socket (NET_UNIX)
148+     */
149+    fs::path m_path;

vasild commented at 10:34 am on April 13, 2023:

If this approach is chosen (to extend CNetAddr to support unix file addresses), then it would be better to store the path in the m_addr member instead of introducing a new one. m_addr is a vector of uint8_t - that is generic enough to store anything in it.

sizeof(CNetAddr) on master is 32 and sizeof(fs::path) is 24 bytes, so CNetAddr would become almost twice as big.

pinheadmz commented at 8:38 pm on April 13, 2023:

I’m a bit intimidated by the syntax prevector<ADDR_IPV6_SIZE, uint8_t> m_addr{ADDR_IPV6_SIZE, 0x0}; – is that only 16 bytes?

vasild commented at 11:33 am on April 14, 2023:

It begins its life with 16 bytes pre-allocated (without using new or malloc()), but this is just an optimization which can be ignored. It is supposed to behave like std::vector.

Something like this should work to store std::string in it (untested):

0std::string path = ...;
1m_addr.assign(path.begin(), path.end());

vasild commented at 3:45 pm on April 13, 2023: contributor

Concept ACK, this would be nice to have.

I do not like that the current approach expands enum Network and CNetAddr with the UNIX type, making it first-class-citizen network that has to be handled all over the networking code, whereas it is only needed to connect to the proxy. It is not like this PR adds support for connecting to other Bitcoin nodes over UNIX sockets (using the P2P protocol). This creates meaningless situations like having a CService on a UNIX socket (it is meaningless because CService has port, whereas UNIX sockets don’t have port). Similarly CSubNet on a UNIX socket is meaningless.

I will play a bit with this to see if it would be possible to constrain the logic in the Proxy class and hide from the rest of the code whether the proxy is at addr:port or unix:/path.

pinheadmz force-pushed on Apr 13, 2023

pinheadmz commented at 8:33 pm on April 13, 2023: member

Thanks so much for the great review @vasild I think I addressed all your feedback up to the adding UNIX to CNetAddr. I understand your concerns there and we can chat about it, I’ll look at alternatives as well. What I did do in this last push was mostly separate unix sockets from regular sockets, and adding Proxy.GetSocket() to decide which socket factory to call.

pinheadmz force-pushed on Apr 13, 2023

in configure.ac:1198 in 2c19dd7c1a outdated

1259@@ -1260,10 +1260,23 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
1260   ]], [[
1261     getauxval(AT_HWCAP);
1262   ]])],
1263- [ AC_MSG_RESULT([yes]); HAVE_STRONG_GETAUXVAL=1; AC_DEFINE([HAVE_STRONG_GETAUXVAL], [1], [Define this symbol to build code that uses getauxval)]) ],
1264+ [ AC_MSG_RESULT([yes]); HAVE_STRONG_GETAUXVAL=1; AC_DEFINE([HAVE_STRONG_GETAUXVAL], [1], [Define this symbol to build code that uses getauxval]) ],

vasild commented at 12:59 pm on April 14, 2023:

Unrelated change, I am not sure I fully understand. Is it the case that before the message was Define this symbol to build code that uses getauxval) and this change just fixes the message to not have a trailing )?

pinheadmz commented at 10:28 am on May 16, 2023:

Yeah

pinheadmz force-pushed on Apr 14, 2023

DrahtBot added the label CI failed on May 17, 2023

DrahtBot removed the label CI failed on May 18, 2023

pinheadmz force-pushed on May 26, 2023

pinheadmz commented at 6:58 pm on May 26, 2023: member

@vasild did an overhaul of this PR and implemented more how we discussed on IRC. Edited the description to explain. I ended up not using std::variant because I felt it added uneeded complexity. Current approach is Proxy just has a is_unix flag and abstracts away the CService methods like IsValid() etc to support TCP or UNIX sockets

pinheadmz force-pushed on May 26, 2023

DrahtBot added the label CI failed on May 26, 2023

pinheadmz force-pushed on May 26, 2023

DrahtBot removed the label CI failed on May 26, 2023

DrahtBot added the label Needs rebase on May 30, 2023

pinheadmz force-pushed on May 30, 2023

pinheadmz commented at 8:30 pm on May 30, 2023: member

🐙 This pull request conflicts with the target branch and needs rebase.

🕺

DrahtBot added the label CI failed on May 30, 2023

DrahtBot removed the label Needs rebase on May 30, 2023

DrahtBot removed the label CI failed on May 31, 2023

DrahtBot added the label CI failed on Jun 5, 2023

in src/compat/compat.h:40 in 1a2095baf1 outdated

36@@ -37,6 +37,12 @@
37 #include <unistd.h>
38 #endif
39 
40+// Linux defines sa_family_t as `unsigned short` but on Windows it's `u_short`
41+// See https://learn.microsoft.com/en-us/windows/win32/api/winsock/ns-winsock-sockaddr#syntax
42+#ifdef WIN32
43+typedef u_short sa_family_t;
44+#endif

vasild commented at 4:55 am on June 5, 2023:

The comment gives the impression that sa_family_t is defined on Windows (as u_short), but it is not defined at all (otherwise this typedef u_short sa_family_t; would not compile because it redefines it, right?). Maybe reword the comment to something like:

0// Windows does not have `sa_family_t` - it defines `sockaddr::sa_family` as `u_short`.
1// Thus define `sa_family_t` on Windows too so that the rest of the code can use `sa_family_t`.

in src/netaddress.h:532 in 1a2095baf1 outdated

528@@ -529,6 +529,7 @@ class CService : public CNetAddr
529     uint16_t GetPort() const;
530     bool GetSockAddr(struct sockaddr* paddr, socklen_t* addrlen) const;
531     bool SetSockAddr(const struct sockaddr* paddr);
532+    [[nodiscard]] sa_family_t GetTCPFamily() const;

vasild commented at 8:05 am on June 5, 2023:

TCP is a specific protocol (at layer 4 in the OSI model) while this refers to layer 3. Maybe rename it to something like GetProtocolFamily(), GetAddressFamily(), GetFamily() or GetSAFamily().

in src/netaddress.cpp:854 in 1a2095baf1 outdated

849+    case NET_IPV4:
850+        return AF_INET;
851+    case NET_IPV6:
852+        return AF_INET6;
853+    default:
854+        return AF_UNSPEC; // Not TCP

vasild commented at 8:07 am on June 5, 2023:

0        return AF_UNSPEC;

in src/netaddress.cpp:832 in 1a2095baf1 outdated

852+        return AF_INET6;
853+    default:
854+        return AF_UNSPEC; // Not TCP
855+    }
856+
857+}

vasild commented at 8:08 am on June 5, 2023:

Unnecessary empty line.

in src/netaddress.cpp:828 in 1a2095baf1 outdated

847+{
848+    switch (m_net) {
849+    case NET_IPV4:
850+        return AF_INET;
851+    case NET_IPV6:
852+        return AF_INET6;

vasild commented at 8:10 am on June 5, 2023:

CService::GetSockAddr() treats CJDNS as IPv6. So:

0    case NET_IPV6:
1    case NET_CJDNS:
2        return AF_INET6;

in src/netbase.h:216 in 1a2095baf1 outdated

213+ * Create a TCP or UNIX socket in the given address family.
214  * @param[in] address_family The socket is created in the same address family as this address.
215  * @return pointer to the created Sock object or unique_ptr that owns nothing in case of failure
216  */
217-std::unique_ptr<Sock> CreateSockTCP(const CService& address_family);
218+std::unique_ptr<Sock> CreateSockOS(const sa_family_t& address_family);

vasild commented at 8:17 am on June 5, 2023:

sa_family_t is cheap to copy. No need to pass it as a const reference:

0std::unique_ptr<Sock> CreateSockOS(sa_family_t address_family);

in src/netbase.cpp:495 in 1a2095baf1 outdated

497+#if HAVE_SOCKADDR_UN
498+    // Create a UNIX socket.
499+    if (address_family == AF_UNIX) {
500+        SOCKET hSocket = socket(AF_UNIX, SOCK_STREAM, 0);
501+        if (hSocket == INVALID_SOCKET) return nullptr;
502+        return std::make_unique<Sock>(hSocket);

vasild commented at 8:31 am on June 5, 2023:

All tuning that happens to the socket below in this function seems relevant to UNIX sockets too, except TCP_NODELAY.

 0--- i/src/netbase.cpp
 1+++ w/src/netbase.cpp
 2@@ -484,23 +484,21 @@ bool Socks5(const std::string& strDest, uint16_t port, const ProxyCredentials* a
 3 
 4 std::unique_ptr<Sock> CreateSockOS(const sa_family_t& address_family)
 5 {
 6     // Not IPv4, IPv6 or UNIX
 7     if (address_family == AF_UNSPEC) return nullptr;
 8 
 9+    int protocol{IPPROTO_TCP};
10 #if HAVE_SOCKADDR_UN
11-    // Create a UNIX socket.
12     if (address_family == AF_UNIX) {
13-        SOCKET hSocket = socket(AF_UNIX, SOCK_STREAM, 0);
14-        if (hSocket == INVALID_SOCKET) return nullptr;
15-        return std::make_unique<Sock>(hSocket);
16+        protocol = 0;
17     }
18 #endif
19 
20-    // Create a TCP socket in the address family of the specified service.
21-    SOCKET hSocket = socket(address_family, SOCK_STREAM, IPPROTO_TCP);
22+    // Create a socket in the specified address family.
23+    SOCKET hSocket = socket(address_family, SOCK_STREAM, protocol);
24     if (hSocket == INVALID_SOCKET) {
25         return nullptr;
26     }
27 
28     auto sock = std::make_unique<Sock>(hSocket);
29 
30@@ -518,23 +516,30 @@ std::unique_ptr<Sock> CreateSockOS(const sa_family_t& address_family)
31     if (sock->SetSockOpt(SOL_SOCKET, SO_NOSIGPIPE, (void*)&set, sizeof(int)) == SOCKET_ERROR) {
32         LogPrintf("Error setting SO_NOSIGPIPE on socket: %s, continuing anyway\n",
33                   NetworkErrorString(WSAGetLastError()));
34     }
35 #endif
36 
37+    // Set the non-blocking option on the socket.
38+    if (!sock->SetNonBlocking()) {
39+        LogPrintf("Error setting socket to non-blocking: %s\n", NetworkErrorString(WSAGetLastError()));
40+        return nullptr;
41+    }
42+
43+#if HAVE_SOCKADDR_UN
44+    if (address_family == AF_UNIX) {
45+        return sock;
46+    }
47+#endif
48+
49     // Set the no-delay option (disable Nagle's algorithm) on the TCP socket.
50     const int on{1};
51     if (sock->SetSockOpt(IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)) == SOCKET_ERROR) {
52         LogPrint(BCLog::NET, "Unable to set TCP_NODELAY on a newly created socket, continuing anyway\n");
53     }
54 
55-    // Set the non-blocking option on the socket.
56-    if (!sock->SetNonBlocking()) {
57-        LogPrintf("Error setting socket to non-blocking: %s\n", NetworkErrorString(WSAGetLastError()));
58-        return nullptr;
59-    }
60     return sock;
61 }

in src/netbase.h:65 in 1a2095baf1 outdated

64-    explicit Proxy(const CService &_proxy, bool _randomize_credentials=false): proxy(_proxy), randomize_credentials(_randomize_credentials) {}
65-
66-    bool IsValid() const { return proxy.IsValid(); }
67+    Proxy(): is_unix_socket(false), randomize_credentials(false) {}
68+    explicit Proxy(const CService &_proxy, bool _randomize_credentials=false): proxy(_proxy), is_unix_socket(false), randomize_credentials(_randomize_credentials) {}
69+    explicit Proxy(const std::string path, bool _randomize_credentials=false): unix_socket_path(path), is_unix_socket(true), randomize_credentials(_randomize_credentials) {}

vasild commented at 8:48 am on June 5, 2023:

Pass path by const reference, strings are expensive to copy.

0    explicit Proxy(const std::string& path, bool _randomize_credentials=false): unix_socket_path(path), is_unix_socket(true), randomize_credentials(_randomize_credentials) {}

in src/netbase.h:70 in 1a2095baf1 outdated

69+    explicit Proxy(const std::string path, bool _randomize_credentials=false): unix_socket_path(path), is_unix_socket(true), randomize_credentials(_randomize_credentials) {}
70 
71     CService proxy;
72+    std::string unix_socket_path;
73+    bool is_unix_socket;
74     bool randomize_credentials;

vasild commented at 8:50 am on June 5, 2023:

Members should start with m_. Maybe also rename the existent randomize_credentials to m_randomize_credentials (in a separate commit).

vasild commented at 4:13 pm on June 29, 2023:

The new member unix_socket_path is still without m_ prefix. Only is_unix_socket was renamed to m_is_unix_socket.

in src/netbase.h:86 in 1a2095baf1 outdated

87+
88+    std::string ToStringAddrPort() const
89+    {
90+        if (is_unix_socket) return unix_socket_path;
91+        return proxy.ToStringAddrPort();
92+    }

vasild commented at 8:53 am on June 5, 2023:

Better omit AddrPort from the name of this method because it does not apply to UNIX sockets. Just ToString() seems fine (but still call proxy.ToStringAddrPort() for non-UNIX sockets).

in src/netbase.cpp:235 in 1a2095baf1 outdated

230+    // see https://manpages.ubuntu.com/manpages/xenial/en/man7/unix.7.html
231+    if (str.size() + 1 > sizeof(((sockaddr_un*)nullptr)->sun_path)) return false;
232+
233+    // Path must exist
234+    fs::path path = fs::PathFromString(str);
235+    if (!fs::exists(path)) return false;

vasild commented at 9:15 am on June 5, 2023:

I wonder if this check is desirable. It makes IsUnixSocketPath() volatile - for example if the Tor server is not yet started it will be false and the moment it is started it will become true, or if the Tor server is restarted it will flip from true to false and back.

With this check bitcoind will refuse to start if the Tor server is not started yet. This differs from the TCP case where the Tor server can start later.

With TCP we only check if the given address is something we can try to connect to. Like “ok, it is 4 digits separated by 3 dots, maybe I can connect to this later when needed”. CService::IsValid() does not check whether somebody is listening on that address and port and that we can connect to it. An equivalent check for UNIX sockets would be “ok, if it starts with unix: and is short enough maybe I can connect to this later when needed”.

in src/init.cpp:1311 in 1a2095baf1 outdated

1285@@ -1286,7 +1286,14 @@ bool AppInitMain(NodeContext& node, interfaces::BlockAndHeaderTipInfo* tip_info)
1286             std::string host_out;
1287             uint16_t port_out{0};
1288             if (!SplitHostPort(socket_addr, port_out, host_out)) {
1289+#if HAVE_SOCKADDR_UN
1290+                // Allow unix domain sockets for -proxy and -onion e.g. unix:/some/file/path
1291+                if ((port_option != "-proxy" && port_option != "-onion") || socket_addr.find(ADDR_PREFIX_UNIX) != 0) {

vasild commented at 9:21 am on June 5, 2023:

This should use IsUnixSocketPath()?

0                if ((port_option != "-proxy" && port_option != "-onion") || !IsUnixSocketPath(socket_addr)) {

pinheadmz commented at 5:32 pm on June 5, 2023:

This change would make feature_proxy.py test fail because the error would be "Invalid port..." which is misleading if the real problem is (for example) a too-long file path, which will get caught by IsUnixSocketPath() on L1370 and described as "Invalid -proxy address or hostname...". So I think it makes more sense to keep this line as-is: if we think the user is trying to set a UNIX socket path, we just ignore the invalid port check.

in test/functional/feature_proxy.py:66 in 1a2095baf1 outdated

62@@ -60,14 +63,17 @@
63 # Networks returned by RPC getnetworkinfo, defined in src/rpc/net.cpp::GetNetworksInfo()
64 NETWORKS = frozenset({NET_IPV4, NET_IPV6, NET_ONION, NET_I2P, NET_CJDNS})
65 
66+# Use the shortest temp path possible since paths may have as little as 92-char limit

vasild commented at 9:28 am on June 5, 2023:

nit:

0# Use the shortest temp path possible since UNIX sockets may have as little as 92-char limit

vasild commented at 9:48 am on June 5, 2023: contributor

Approach ACK 1a2095baf12b8f8995bed513a23d5faf16917fba

DrahtBot removed the label CI failed on Jun 5, 2023

pinheadmz force-pushed on Jun 5, 2023

pinheadmz commented at 5:35 pm on June 5, 2023: member

@vasild thanks for the excellent detailed review! All comments addressed except where noted.

pinheadmz force-pushed on Jun 22, 2023

pinheadmz commented at 2:43 pm on June 22, 2023: member

Rebased on master to pass CI (✅ ). @vasild and @willcl-ark would really love re-review from you handsome chaps when convenient!

in test/functional/test_framework/netutil.py:165 in 64d0f234e9 outdated

152@@ -153,3 +153,12 @@ def test_ipv6_local():
153     except socket.error:
154         have_ipv6 = False
155     return have_ipv6
156+
157+def test_unix_socket():
158+    '''Return True if UNIX sockets are available on this platform.'''
159+    try:
160+        socket.AF_UNIX

luke-jr commented at 10:14 pm on June 22, 2023:

It’s possible this could pass, but the necessary configure check fail, in theory. But maybe we want the test(s) to fail in that scenario anyway.

DrahtBot added the label Needs rebase on Jun 29, 2023

in src/netbase.h:216 in 64d0f234e9 outdated

213+ * Create a TCP or UNIX socket in the given address family.
214  * @param[in] address_family The socket is created in the same address family as this address.
215  * @return pointer to the created Sock object or unique_ptr that owns nothing in case of failure
216  */
217-std::unique_ptr<Sock> CreateSockTCP(const CService& address_family);
218+std::unique_ptr<Sock> CreateSockOS(const sa_family_t address_family);

vasild commented at 3:10 pm on June 29, 2023:

nit: it does not have to be const when passing by value - there is no way to for the function to modify the variable that is being passed (and have effects visible outside of the function).

0std::unique_ptr<Sock> CreateSockOS(sa_family_t address_family);

See f3() in http://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines#Rf-in

pinheadmz commented at 7:14 pm on July 3, 2023:

ah great tip thanks ;-)

vasild commented at 4:12 pm on June 29, 2023: contributor

64d0f234e9 looks good, except there is some messup in the contents of these two commits:

87064712899dacfac7f66f60c8ed1c0f4e65c24f netbase: refactor CreateSock() to accept sa_family_t bbff39d3619428df3745d884ea36d7febff337b1 netbase: extend Proxy class to wrap UNIX socket as well as TCP

The first one introduces one more IsValid() method, in addition to the existent one. The new method uses a variable that does not exist: is_unix_socket, thus it will not compile. Then the other commit removes one of the IsValid() methods, introduces m_is_unix_socket and changes usage from is_unix_socket to m_is_unix_socket.

To resolve this:

 0diff --git a/src/net.cpp b/src/net.cpp
 1index a50807fb64..556c8a84e7 100644
 2--- a/src/net.cpp
 3+++ b/src/net.cpp
 4@@ -515,13 +515,13 @@ CNode* CConnman::ConnectNode(CAddress addrConnect, const char *pszDest, bool fCo
 5 
 6             if (connected) {
 7                 sock = std::move(conn.sock);
 8                 addr_bind = CAddress{conn.me, NODE_NONE};
 9             }
10         } else if (use_proxy) {
11-            sock = CreateSock(proxy.proxy.GetTCPFamily());
12+            sock = CreateSock(proxy.proxy.GetSAFamily());
13             if (!sock) {
14                 return nullptr;
15             }
16             LogPrintLevel(BCLog::PROXY, BCLog::Level::Debug, "Using proxy: %s to connect to %s:%s\n", proxy.proxy.ToStringAddrPort(), addrConnect.ToStringAddr(), addrConnect.GetPort());
17             connected = ConnectThroughProxy(proxy, addrConnect.ToStringAddr(), addrConnect.GetPort(),
18                                             *sock, nConnectTimeout, proxyConnectionFailed);
19@@ -537,13 +537,13 @@ CNode* CConnman::ConnectNode(CAddress addrConnect, const char *pszDest, bool fCo
20         if (!proxyConnectionFailed) {
21             // If a connection to the node was attempted, and failure (if any) is not caused by a problem connecting to
22             // the proxy, mark this as an attempt.
23             addrman.Attempt(addrConnect, fCountFailure);
24         }
25     } else if (pszDest && GetNameProxy(proxy)) {
26-        sock = CreateSock(proxy.proxy.GetTCPFamily());
27+        sock = CreateSock(proxy.proxy.GetSAFamily());
28         if (!sock) {
29             return nullptr;
30         }
31         std::string host;
32         uint16_t port{default_port};
33         SplitHostPort(std::string(pszDest), port, host);
34diff --git a/src/netbase.h b/src/netbase.h
35index 320496f73b..a9e1ea4c62 100644
36--- a/src/netbase.h
37+++ b/src/netbase.h
38@@ -52,30 +52,12 @@ public:
39     explicit Proxy(const CService &_proxy, bool _randomize_credentials=false): proxy(_proxy), randomize_credentials(_randomize_credentials) {}
40 
41     bool IsValid() const { return proxy.IsValid(); }
42 
43     CService proxy;
44     bool randomize_credentials;
45-
46-    bool IsValid() const
47-    {
48-        if (is_unix_socket) return IsUnixSocketPath(unix_socket_path);
49-        return proxy.IsValid();
50-    }
51-
52-    sa_family_t GetFamily() const
53-    {
54-        if (is_unix_socket) return AF_UNIX;
55-        return proxy.GetSAFamily();
56-    }
57-
58-    std::string ToStringAddrPort() const
59-    {
60-        if (is_unix_socket) return unix_socket_path;
61-        return proxy.ToStringAddrPort();
62-    }
63 };
64 
65 /** Credentials for proxy authentication */
66 struct ProxyCredentials
67 {
68     std::string username;

and make sure that the state of the tree after commit netbase: extend Proxy class to wrap UNIX socket as well as TCP is the same as it is now.

It is also here: https://github.com/vasild/bitcoin/tree/tor-unix-domain-socket

pinheadmz force-pushed on Jul 3, 2023

pinheadmz commented at 7:17 pm on July 3, 2023: member

64d0f23 looks good, except there is some messup in the contents of these two commits:

Thanks @vasild sorry about the messy rebase there. I cleaned up the commits and fixed the const and m_... nits. Rebased on master for merge conflicts.

pinheadmz force-pushed on Jul 3, 2023

DrahtBot added the label CI failed on Jul 3, 2023

DrahtBot removed the label Needs rebase on Jul 3, 2023

DrahtBot removed the label CI failed on Jul 3, 2023

vasild approved

vasild commented at 9:09 am on July 6, 2023: contributor

ACK c3b0f137a9ccd894f2f1d287ccdab26310b3aaf2

Would be an excellent addition, thank you!

willcl-ark commented at 11:37 am on July 11, 2023: contributor

It’s a tNACK from me currently @ c3b0f137a9 as I can no longer get this functionality to work in practice on Ubuntu 23.04 with Tor 0.4.7.13.

The send of the data in vSocks5Init seems to be failing, meaning the proxy cannot be used: https://github.com/pinheadmz/bitcoin/blob/c3b0f137a9ccd894f2f1d287ccdab26310b3aaf2/src/netbase.cpp#L372-L375

I haven’t yet totally ruled out issues with Tor, but I do get responses from the unix socket about it not being an HTTP proxy if I try to send an HTTP request over it, so I conclude that the Tor daemon is listening on the socket correctly waiting for SOCKS requests, and the issue may lie with Bitcoin Core.

Will continue investigating and report back.

 02023-07-11T11:12:35Z Config file: /home/will/.bitcoin/bitcoin.conf
 12023-07-11T11:12:35Z Config file arg: [main] addnode="xx.xx.xx.xx:8333"
 22023-07-11T11:12:35Z Config file arg: [main] blockfilterindex="1"
 32023-07-11T11:12:35Z Config file arg: [main] blocksdir="/media/will/crucial1/bitcoin"
 42023-07-11T11:12:35Z Config file arg: [main] daemon="1"
 52023-07-11T11:12:35Z Config file arg: [main] debug="net"
 62023-07-11T11:12:35Z Config file arg: [main] debug="proxy"
 72023-07-11T11:12:35Z Config file arg: [main] debug="tor"
 82023-07-11T11:12:35Z Config file arg: [main] discover="1"
 92023-07-11T11:12:35Z Config file arg: [main] externalip="xx.xx.xx.xx"
102023-07-11T11:12:35Z Config file arg: [main] i2pacceptincoming="1"
112023-07-11T11:12:35Z Config file arg: [main] i2psam="127.0.0.1:7656"
122023-07-11T11:12:35Z Config file arg: [main] listen="1"
132023-07-11T11:12:35Z Config file arg: [main] listenonion="1"
142023-07-11T11:12:35Z Config file arg: [main] maxconnections="125"
152023-07-11T11:12:35Z Config file arg: [main] mempoolfullrbf="1"
162023-07-11T11:12:35Z Config file arg: [main] onion="unix:/run/tor/socks"
172023-07-11T11:12:35Z Config file arg: [main] onlynet="onion"
182023-07-11T11:12:35Z Config file arg: [main] port="8833"
192023-07-11T11:12:35Z Config file arg: [main] rpcauth=****
202023-07-11T11:12:35Z Config file arg: [main] rpcthreads="16"
212023-07-11T11:12:35Z Config file arg: [main] rpcworkqueue="64"
222023-07-11T11:12:35Z Config file arg: [main] server="1"
232023-07-11T11:12:35Z Config file arg: [main] txindex="1"

0SocksPort unix:/run/tor/socks WorldWritable
1ControlPort 9051
2CookieAuthentication 1
3CookieAuthFileGroupReadable 1
4DataDirectoryGroupReadable 1

vasild referenced this in commit af4eb52ff6 on Jul 12, 2023

pinheadmz force-pushed on Jul 12, 2023

pinheadmz commented at 8:51 pm on July 12, 2023: member

@willcl-ark wow thank you so much for catching that. After all the refactoring, we had forgotten to actually connect to the unix socket! I added a functional test to ensure that the proxy works now and I have also tested in production with Tor locally.

This required a fairly intense refactor that included inserting 2 new commits and rebasing several others:

git range-diff 32a5a20225 c3b0f137a9 b1199bce0f

pinheadmz commented at 8:52 pm on July 12, 2023: member

@vasild Thanks for your work on this :-) I reorganized the extra commit you sent me. For now, still going without variant for Proxy just to keep the refator more simple, so leaving the i2p stuff mostly alone as well.

DrahtBot added the label CI failed on Jul 12, 2023

in src/netbase.cpp:607 in b1199bce0f outdated

606+    struct sockaddr_storage sockaddr;
607+    socklen_t len = sizeof(sockaddr);
608+    if (sock->Get() == INVALID_SOCKET) {
609+        LogPrintf("Cannot connect to %s: invalid socket\n", dest.ToStringAddrPort());
610+        return {};
611+    }

vasild commented at 8:05 am on July 13, 2023:

This check can be omitted from commit dc2361401c net: move CreateSock() calls from ConnectNode() to netbase methods since the code checks if (!sock) earlier. CreateSock() will never return a non-empty unique_ptr that contains a Sock object with a bogus internal file descriptor (INVALID_SOCKED).

pinheadmz commented at 2:00 pm on July 13, 2023:

thanks

in src/netbase.cpp:539 in b1199bce0f outdated

535@@ -509,22 +536,10 @@ static void LogConnectFailure(bool manual_connection, const char* fmt, const Arg
536     }
537 }
538 
539-bool ConnectSocketDirectly(const CService &addrConnect, const Sock& sock, int nTimeout, bool manual_connection)
540+std::unique_ptr<Sock> ConnectToSocket(std::unique_ptr<Sock> sock, struct sockaddr* sockaddr, socklen_t len, std::string dest_str, bool manual_connection)

vasild commented at 9:54 am on July 13, 2023:

The interface of taking unique_ptr as an argument and returning the same is a bit weird. Usually functions take unique_ptr when the ownership of the object is transferred from the caller to the function. But in this case it is transferred to the function which then returns it back to the caller. It would be better to have an interface like:

 0bool ConnectToSocket(const Sock& sock, ...);
 1
 2// and call it like:
 3
 4sock = ... // is unique_ptr<Sock>
 5if (!ConnectToSocket(*sock, ...)) {
 6    handle the error
 7    return {}; // empty unique_ptr
 8}
 9
10return sock;

vasild commented at 9:59 am on July 13, 2023:

Make the string argument const reference and the function static since it is used only in netbase.cpp:

0static std::unique_ptr<Sock> ConnectToSocket(std::unique_ptr<Sock> sock, struct sockaddr* sockaddr, socklen_t len, const std::string& dest_str, bool manual_connection)

pinheadmz commented at 2:13 pm on July 13, 2023:

ah great thanks

pinheadmz commented at 2:13 pm on July 13, 2023:

:+1:

in src/netbase.cpp:624 in b1199bce0f outdated

617+    return ConnectToSocket(std::move(sock), (struct sockaddr*)&sockaddr, len, dest.ToStringAddrPort(), manual_connection);
618+}
619+
620+std::unique_ptr<Sock> Proxy::Connect() const
621+{
622+    if (!m_is_unix_socket) return ConnectDirectly(proxy, /*manual_connection=*/true);

vasild commented at 10:30 am on July 13, 2023:

Calling this on an invalid Proxy (e.g. default-constructed) will cause weird results. Better check if (!IsValid()) { log; return {}; } at the start of this function.

pinheadmz commented at 2:18 pm on July 13, 2023:

good catch thanks

in src/netbase.cpp:630 in b1199bce0f outdated

628+    }
629+
630+    const std::string path{m_unix_socket_path.substr(ADDR_PREFIX_UNIX.length())};
631+
632+    struct sockaddr_storage sockaddr;
633+    struct sockaddr_un* paddrun = (struct sockaddr_un*)&sockaddr;

vasild commented at 10:35 am on July 13, 2023:

There is no need to use the generic sockaddr_storage since we know it is going to be sockaddr_un. Also, clear it for compatibility, see the example in https://www.man7.org/linux/man-pages/man7/unix.7.html

0    struct sockaddr_un addrun;
1    memset(&addrun, 0, sizeof(addrun));

pinheadmz commented at 2:27 pm on July 13, 2023:

ah, thanks. I had a hard time with this one for some reason because casting to sockaddr kept truncating the unix socket path to 14 bytes before it got to Connect(). Anyway this works and I don’t know why I didn’t try it like this at first.

in src/netbase.cpp:627 in b1199bce0f outdated

619+
620+std::unique_ptr<Sock> Proxy::Connect() const
621+{
622+    if (!m_is_unix_socket) return ConnectDirectly(proxy, /*manual_connection=*/true);
623+
624+    auto sock = CreateSock(AF_UNIX);

vasild commented at 10:37 am on July 13, 2023:

This and below I guess have to be inside #if HAVE_SOCKADDR_UN, otherwise it does not compile on Windows (CI has choked on it).

https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ is relevant. Would it compile on Windows if we just #include <afunix.h>?

pinheadmz commented at 2:33 pm on July 13, 2023:

Ok thanks I added the preprocessor logic to the function.

I’ll look into adding afunix.h for windows, maybe in compat.h? also add it to the first commit to test for AF_UNIX in configure.ac. Might be better in a follow-up PR since not all windows platforms will have afunix.h and well need to test for it

in src/netbase.cpp:632 in b1199bce0f outdated

630+    const std::string path{m_unix_socket_path.substr(ADDR_PREFIX_UNIX.length())};
631+
632+    struct sockaddr_storage sockaddr;
633+    struct sockaddr_un* paddrun = (struct sockaddr_un*)&sockaddr;
634+    paddrun->sun_family = AF_UNIX;
635+    strcpy(paddrun->sun_path, path.c_str());

vasild commented at 10:39 am on July 13, 2023:

strcpy() is a dangerous function because it can be easily misused in a way that leads to security flaws. There is not a single usage of it in Bitcoin Core. In this particular case if path is longer it will buffer overflow the fixed size array sun_path[].

I would suggest to do something like this:

0// leave the last char in addrun.sun_path[] to be always '\0'
1memcpy(addrun.sun_path, path.c_str(), std::min(sizeof(addrun.sun_path) - 1, path.length()));

pinheadmz commented at 2:41 pm on July 13, 2023:

great catch thanks yeah I saw that in your commit but I was confused. makes sense now

in src/netbase.cpp:635 in b1199bce0f outdated

633+    struct sockaddr_un* paddrun = (struct sockaddr_un*)&sockaddr;
634+    paddrun->sun_family = AF_UNIX;
635+    strcpy(paddrun->sun_path, path.c_str());
636+    socklen_t len = strlen(paddrun->sun_path) + sizeof(paddrun);
637+
638+    return ConnectToSocket(std::move(sock), (struct sockaddr*)&sockaddr, len, path, /*manual_connection=*/true);

vasild commented at 11:21 am on July 13, 2023:

The len calculation seems to be wrong since sizeof(paddrun) is just 8 bytes (it is a pointer). Anyway, you can use just sizeof(sockaddr) (not the pointer) or sizeof(addrun) if you change it to sockaddr_un addrun;

0    return ConnectToSocket(std::move(sock), (struct sockaddr*)&addrun, sizeof(addrun), path, /*manual_connection=*/true);

pinheadmz commented at 2:43 pm on July 13, 2023:

got it thanks, fixed this when changing sockaddr_storage to sockaddr_un and it’s now addrun

vasild commented at 1:49 pm on July 19, 2023:

In the latest code it is:

0      socklen_t len = sizeof(addrun);
1  
2      if(!ConnectToSocket(*sock, (struct sockaddr*)&addrun, len, path, /*manual_connection=*/true)) {

feel free to ditch the len variable and use sizeof(addrun) directly when calling ConnectToSocket().

in test/functional/feature_proxy.py:256 in b1199bce0f outdated

252@@ -230,6 +253,13 @@ def run_test(self):
253             proxies=[self.serv1, self.serv1, self.serv1, self.serv1],
254             auth=False, test_onion=True, test_cjdns=True)
255 
256+        # -proxyrandomize=0

vasild commented at 11:26 am on July 13, 2023:

What is the meaning of this comment here?

pinheadmz commented at 3:47 pm on July 13, 2023:

ah sorry

in test/functional/feature_proxy.py:138 in b1199bce0f outdated

134         ]
135         if self.have_ipv6:
136             args[3] = ['-listen', f'-proxy=[{self.conf3.addr[0]}]:{self.conf3.addr[1]}','-proxyrandomize=0', '-noonion']
137+        if self.have_unix_sockets:
138+            args[5] = ['-listen', f'-proxy=unix:{socket_path}', '-proxyrandomize=0']
139+            args[6] = ['-listen', f'-onion=unix:{socket_path}', '-proxyrandomize=0']

vasild commented at 11:26 am on July 13, 2023:

Why use -proxyrandomize=0 is it not irrelevant for this test?

pinheadmz commented at 2:59 pm on July 13, 2023:

ok fixed this, just using default (with auth) for the test

in src/netbase.h:65 in b1199bce0f outdated

66-    bool IsValid() const { return proxy.IsValid(); }
67+    Proxy() : m_is_unix_socket(false), m_randomize_credentials(false) {}
68+    explicit Proxy(const CService& _proxy, bool _randomize_credentials = false) : proxy(_proxy), m_is_unix_socket(false), m_randomize_credentials(_randomize_credentials) {}
69+    explicit Proxy(const std::string path, bool _randomize_credentials = false) : m_unix_socket_path(path), m_is_unix_socket(true), m_randomize_credentials(_randomize_credentials) {}
70 
71     CService proxy;

vasild commented at 11:41 am on July 13, 2023:

The Proxy::proxy member is still accessed directly from some high level code:

0src/net.cpp:494:                            std::make_unique<i2p::sam::Session>(proxy.proxy, &interruptNet);
1src/qt/optionsdialog.cpp:416:    ui->proxyReachIPv4->setChecked(has_proxy && proxy.proxy == ui_proxy);
2src/qt/optionsdialog.cpp:419:    ui->proxyReachIPv6->setChecked(has_proxy && proxy.proxy == ui_proxy);
3src/qt/optionsdialog.cpp:422:    ui->proxyReachTor->setChecked(has_proxy && proxy.proxy == ui_proxy);

even though it may not be set if it is a UNIX socket proxy.

For the I2P case we can kind of assume it is a TCP proxy, but then better add assert(!proxy.m_is_unix_socket); to ensure that (eh, that’s ugly). Or you can pass the Proxy object to the Session() constructor, change m_control_host from CService to Proxy and use m_control_host.Connect() in Session::Hello() to create the socket. This will transparently add support for UNIX sockets also for the I2P proxy.

For the GUI case, this function has to be changed:

https://github.com/bitcoin/bitcoin/blob/b4794740f82e1a08294c8a5f5d586bc1925412f3/src/qt/optionsdialog.cpp#L407-L423

First it has to check if ui->proxyIp->text().toStdString() starts with unix: and if yes, avoid LookupHost(). Then create Proxy ui_proxy instead of CService ui_proxy.

When this is done, then Proxy::proxy can be made private inside the Proxy class, together with the m_unix_socket_path and m_is_unix_socket members.

pinheadmz commented at 6:33 pm on July 13, 2023:

Ok adding two commits to handle these two affected areas. For the GUI I’ve written logic that accommodates the new Proxy features but I’ll have to submit a follow-up PR to enable unix socket path configuration from the GUI as a separate element from address:port proxy configuration.

So with this only PR, the user can only set unix sockets outside the GUI, and in the network tab they will see "Options set in this dialog are overridden by the command line..." anyway.

in src/netbase.cpp:512 in b1199bce0f outdated

517 
518     // Set the non-blocking option on the socket.
519     if (!sock->SetNonBlocking()) {
520         LogPrintf("Error setting socket to non-blocking: %s\n", NetworkErrorString(WSAGetLastError()));
521         return nullptr;
522     }

vasild commented at 12:27 pm on July 13, 2023:

This will leave the socket in a blocking mode. I think the rest of the P2P code expects and assumes non-blocking sockets. Better set this also to non-blocking and make the Socks5() more robust:

  0commit 4c8d08ca2b495da609d5586247dbd2b306e90e61 (HEAD -> tor-unix-domain-socket)
  1Parent: af4eb52ff611342dbd285f218474649f16badbaf
  2Author:     Vasil Dimov <vd@FreeBSD.org>
  3AuthorDate: Thu Jul 13 14:17:30 2023 +0200
  4Commit:     Vasil Dimov <vd@FreeBSD.org>
  5CommitDate: Thu Jul 13 14:17:30 2023 +0200
  6gpg: Signature made Thu Jul 13 14:23:03 2023 CEST
  7gpg:                using RSA key E64D8D45614DB07545D9CCC154DF06F64B55CBBF
  8gpg: Good signature from "Vasil Dimov <vd@myforest.net>" [ultimate]
  9gpg:                 aka "Vasil Dimov <vd@FreeBSD.org>" [ultimate]
 10gpg:                 aka "Vasil Dimov <vasild@gmail.com>" [ultimate]
 11
 12
 13    netbase: use reliable send() during SOCKS5 handshake
 14    
 15    `send(2)` can be interrupted or for another reason it may not fully
 16    complete sending all the bytes. We should be ready to retry the send
 17    with the remaining bytes. This is what `Sock::SendComplete()` does,
 18    thus use it in `Socks5()`.
 19    
 20    Since `Sock::SendComplete()` takes a `CThreadInterrupt` argument,
 21    change also the recv part of `Socks5()` to use `CThreadInterrupt`
 22    instead of a boolean.
 23    
 24    Easier reviewed with `git show -b` (ignore white-space changes).
 25
 26diff --git a/src/net.cpp b/src/net.cpp
 27index a46cd25e90..4eb96f950d 100644
 28--- a/src/net.cpp
 29+++ b/src/net.cpp
 30@@ -2336,13 +2336,12 @@ bool CConnman::Start(CScheduler& scheduler, const Options& connOptions)
 31     }
 32 
 33     //
 34     // Start threads
 35     //
 36     assert(m_msgproc);
 37-    InterruptSocks5(false);
 38     interruptNet.reset();
 39     flagInterruptMsgProc = false;
 40 
 41     {
 42         LOCK(mutexMsgProc);
 43         fMsgProcWake = false;
 44@@ -2408,13 +2407,13 @@ void CConnman::Interrupt()
 45         LOCK(mutexMsgProc);
 46         flagInterruptMsgProc = true;
 47     }
 48     condMsgProc.notify_all();
 49 
 50     interruptNet();
 51-    InterruptSocks5(true);
 52+    g_socks5_interrupt();
 53 
 54     if (semOutbound) {
 55         for (int i=0; i<m_max_outbound; i++) {
 56             semOutbound->post();
 57         }
 58     }
 59diff --git a/src/netbase.cpp b/src/netbase.cpp
 60index 548e1483b8..cee50e67bb 100644
 61--- a/src/netbase.cpp
 62+++ b/src/netbase.cpp
 63@@ -32,13 +32,13 @@ static Proxy proxyInfo[NET_MAX] GUARDED_BY(g_proxyinfo_mutex);
 64 static Proxy nameProxy GUARDED_BY(g_proxyinfo_mutex);
 65 int nConnectTimeout = DEFAULT_CONNECT_TIMEOUT;
 66 bool fNameLookup = DEFAULT_NAME_LOOKUP;
 67 
 68 // Need ample time for negotiation for very slow proxies such as Tor
 69 std::chrono::milliseconds g_socks5_recv_timeout = 20s;
 70-static std::atomic<bool> interruptSocks5Recv(false);
 71+CThreadInterrupt g_socks5_interrupt;
 72 
 73 std::vector<CNetAddr> WrappedGetAddrInfo(const std::string& name, bool allow_lookup)
 74 {
 75     addrinfo ai_hint{};
 76     // We want a TCP port, which is a streaming socket type
 77     ai_hint.ai_socktype = SOCK_STREAM;
 78@@ -289,13 +289,13 @@ enum class IntrRecvError {
 79  * [@param](/bitcoin-bitcoin/contributor/param/) sock The socket (has to be in non-blocking mode) from which to read bytes.
 80  *
 81  * [@returns](/bitcoin-bitcoin/contributor/returns/) An IntrRecvError indicating the resulting status of this read.
 82  *          IntrRecvError::OK only if all of the specified number of bytes were
 83  *          read.
 84  *
 85- * [@see](/bitcoin-bitcoin/contributor/see/) This function can be interrupted by calling InterruptSocks5(bool).
 86+ * [@see](/bitcoin-bitcoin/contributor/see/) This function can be interrupted by calling g_socks5_interrupt().
 87  *      Sockets can be made non-blocking with Sock::SetNonBlocking().
 88  */
 89 static IntrRecvError InterruptibleRecv(uint8_t* data, size_t len, std::chrono::milliseconds timeout, const Sock& sock)
 90 {
 91     auto curTime{Now<SteadyMilliseconds>()};
 92     const auto endTime{curTime + timeout};
 93@@ -317,14 +317,15 @@ static IntrRecvError InterruptibleRecv(uint8_t* data, size_t len, std::chrono::m
 94                     return IntrRecvError::NetworkError;
 95                 }
 96             } else {
 97                 return IntrRecvError::NetworkError;
 98             }
 99         }
100-        if (interruptSocks5Recv)
101+        if (g_socks5_interrupt) {
102             return IntrRecvError::Interrupted;
103+        }
104         curTime = Now<SteadyMilliseconds>();
105     }
106     return len == 0 ? IntrRecvError::OK : IntrRecvError::Timeout;
107 }
108 
109 /** Convert SOCKS5 reply to an error message */
110@@ -351,127 +352,120 @@ static std::string Socks5ErrorString(uint8_t err)
111             return "unknown";
112     }
113 }
114 
115 bool Socks5(const std::string& strDest, uint16_t port, const ProxyCredentials* auth, const Sock& sock)
116 {
117-    IntrRecvError recvr;
118-    LogPrint(BCLog::NET, "SOCKS5 connecting %s\n", strDest);
119-    if (strDest.size() > 255) {
120-        return error("Hostname too long");
121-    }
122-    // Construct the version identifier/method selection message
123-    std::vector<uint8_t> vSocks5Init;
124-    vSocks5Init.push_back(SOCKSVersion::SOCKS5); // We want the SOCK5 protocol
125-    if (auth) {
126-        vSocks5Init.push_back(0x02); // 2 method identifiers follow...
127-        vSocks5Init.push_back(SOCKS5Method::NOAUTH);
128-        vSocks5Init.push_back(SOCKS5Method::USER_PASS);
129-    } else {
130-        vSocks5Init.push_back(0x01); // 1 method identifier follows...
131-        vSocks5Init.push_back(SOCKS5Method::NOAUTH);
132-    }
133-    ssize_t ret = sock.Send(vSocks5Init.data(), vSocks5Init.size(), MSG_NOSIGNAL);
134-    if (ret != (ssize_t)vSocks5Init.size()) {
135-        return error("Error sending to proxy");
136-    }
137-    uint8_t pchRet1[2];
138-    if (InterruptibleRecv(pchRet1, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) {
139-        LogPrintf("Socks5() connect to %s:%d failed: InterruptibleRecv() timeout or other failure\n", strDest, port);
140-        return false;
141-    }
142-    if (pchRet1[0] != SOCKSVersion::SOCKS5) {
143-        return error("Proxy failed to initialize");
144-    }
145-    if (pchRet1[1] == SOCKS5Method::USER_PASS && auth) {
146-        // Perform username/password authentication (as described in RFC1929)
147-        std::vector<uint8_t> vAuth;
148-        vAuth.push_back(0x01); // Current (and only) version of user/pass subnegotiation
149-        if (auth->username.size() > 255 || auth->password.size() > 255)
150-            return error("Proxy username or password too long");
151-        vAuth.push_back(auth->username.size());
152-        vAuth.insert(vAuth.end(), auth->username.begin(), auth->username.end());
153-        vAuth.push_back(auth->password.size());
154-        vAuth.insert(vAuth.end(), auth->password.begin(), auth->password.end());
155-        ret = sock.Send(vAuth.data(), vAuth.size(), MSG_NOSIGNAL);
156-        if (ret != (ssize_t)vAuth.size()) {
157-            return error("Error sending authentication to proxy");
158-        }
159-        LogPrint(BCLog::PROXY, "SOCKS5 sending proxy authentication %s:%s\n", auth->username, auth->password);
160-        uint8_t pchRetA[2];
161-        if (InterruptibleRecv(pchRetA, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) {
162-            return error("Error reading proxy authentication response");
163+    try {
164+        IntrRecvError recvr;
165+        LogPrint(BCLog::NET, "SOCKS5 connecting %s\n", strDest);
166+        if (strDest.size() > 255) {
167+            return error("Hostname too long");
168         }
169-        if (pchRetA[0] != 0x01 || pchRetA[1] != 0x00) {
170-            return error("Proxy authentication unsuccessful");
171+        // Construct the version identifier/method selection message
172+        std::string vSocks5Init;
173+        vSocks5Init.push_back(SOCKSVersion::SOCKS5); // We want the SOCK5 protocol
174+        if (auth) {
175+            vSocks5Init.push_back(0x02); // 2 method identifiers follow...
176+            vSocks5Init.push_back(SOCKS5Method::NOAUTH);
177+            vSocks5Init.push_back(SOCKS5Method::USER_PASS);
178+        } else {
179+            vSocks5Init.push_back(0x01); // 1 method identifier follows...
180+            vSocks5Init.push_back(SOCKS5Method::NOAUTH);
181         }
182-    } else if (pchRet1[1] == SOCKS5Method::NOAUTH) {
183-        // Perform no authentication
184-    } else {
185-        return error("Proxy requested wrong authentication method %02x", pchRet1[1]);
186-    }
187-    std::vector<uint8_t> vSocks5;
188-    vSocks5.push_back(SOCKSVersion::SOCKS5); // VER protocol version
189-    vSocks5.push_back(SOCKS5Command::CONNECT); // CMD CONNECT
190-    vSocks5.push_back(0x00); // RSV Reserved must be 0
191-    vSocks5.push_back(SOCKS5Atyp::DOMAINNAME); // ATYP DOMAINNAME
192-    vSocks5.push_back(strDest.size()); // Length<=255 is checked at beginning of function
193-    vSocks5.insert(vSocks5.end(), strDest.begin(), strDest.end());
194-    vSocks5.push_back((port >> 8) & 0xFF);
195-    vSocks5.push_back((port >> 0) & 0xFF);
196-    ret = sock.Send(vSocks5.data(), vSocks5.size(), MSG_NOSIGNAL);
197-    if (ret != (ssize_t)vSocks5.size()) {
198-        return error("Error sending to proxy");
199-    }
200-    uint8_t pchRet2[4];
201-    if ((recvr = InterruptibleRecv(pchRet2, 4, g_socks5_recv_timeout, sock)) != IntrRecvError::OK) {
202-        if (recvr == IntrRecvError::Timeout) {
203-            /* If a timeout happens here, this effectively means we timed out while connecting
204-             * to the remote node. This is very common for Tor, so do not print an
205-             * error message. */
206+        sock.SendComplete(vSocks5Init, g_socks5_recv_timeout, g_socks5_interrupt);
207+        uint8_t pchRet1[2];
208+        if (InterruptibleRecv(pchRet1, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) {
209+            LogPrintf("Socks5() connect to %s:%d failed: InterruptibleRecv() timeout or other failure\n", strDest, port);
210             return false;
211+        }
212+        if (pchRet1[0] != SOCKSVersion::SOCKS5) {
213+            return error("Proxy failed to initialize");
214+        }
215+        if (pchRet1[1] == SOCKS5Method::USER_PASS && auth) {
216+            // Perform username/password authentication (as described in RFC1929)
217+            std::string vAuth;
218+            vAuth.push_back(0x01); // Current (and only) version of user/pass subnegotiation
219+            if (auth->username.size() > 255 || auth->password.size() > 255)
220+                return error("Proxy username or password too long");
221+            vAuth.push_back(auth->username.size());
222+            vAuth.insert(vAuth.end(), auth->username.begin(), auth->username.end());
223+            vAuth.push_back(auth->password.size());
224+            vAuth.insert(vAuth.end(), auth->password.begin(), auth->password.end());
225+            sock.SendComplete(vAuth, g_socks5_recv_timeout, g_socks5_interrupt);
226+            LogPrint(BCLog::PROXY, "SOCKS5 sending proxy authentication %s:%s\n", auth->username, auth->password);
227+            uint8_t pchRetA[2];
228+            if (InterruptibleRecv(pchRetA, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) {
229+                return error("Error reading proxy authentication response");
230+            }
231+            if (pchRetA[0] != 0x01 || pchRetA[1] != 0x00) {
232+                return error("Proxy authentication unsuccessful");
233+            }
234+        } else if (pchRet1[1] == SOCKS5Method::NOAUTH) {
235+            // Perform no authentication
236         } else {
237-            return error("Error while reading proxy response");
238+            return error("Proxy requested wrong authentication method %02x", pchRet1[1]);
239         }
240-    }
241-    if (pchRet2[0] != SOCKSVersion::SOCKS5) {
242-        return error("Proxy failed to accept request");
243-    }
244-    if (pchRet2[1] != SOCKS5Reply::SUCCEEDED) {
245-        // Failures to connect to a peer that are not proxy errors
246-        LogPrintf("Socks5() connect to %s:%d failed: %s\n", strDest, port, Socks5ErrorString(pchRet2[1]));
247-        return false;
248-    }
249-    if (pchRet2[2] != 0x00) { // Reserved field must be 0
250-        return error("Error: malformed proxy response");
251-    }
252-    uint8_t pchRet3[256];
253-    switch (pchRet2[3])
254-    {
255+        std::string vSocks5;
256+        vSocks5.push_back(SOCKSVersion::SOCKS5);   // VER protocol version
257+        vSocks5.push_back(SOCKS5Command::CONNECT); // CMD CONNECT
258+        vSocks5.push_back(0x00);                   // RSV Reserved must be 0
259+        vSocks5.push_back(SOCKS5Atyp::DOMAINNAME); // ATYP DOMAINNAME
260+        vSocks5.push_back(strDest.size());         // Length<=255 is checked at beginning of function
261+        vSocks5.insert(vSocks5.end(), strDest.begin(), strDest.end());
262+        vSocks5.push_back((port >> 8) & 0xFF);
263+        vSocks5.push_back((port >> 0) & 0xFF);
264+        sock.SendComplete(vSocks5, g_socks5_recv_timeout, g_socks5_interrupt);
265+        uint8_t pchRet2[4];
266+        if ((recvr = InterruptibleRecv(pchRet2, 4, g_socks5_recv_timeout, sock)) != IntrRecvError::OK) {
267+            if (recvr == IntrRecvError::Timeout) {
268+                /* If a timeout happens here, this effectively means we timed out while connecting
269+                 * to the remote node. This is very common for Tor, so do not print an
270+                 * error message. */
271+                return false;
272+            } else {
273+                return error("Error while reading proxy response");
274+            }
275+        }
276+        if (pchRet2[0] != SOCKSVersion::SOCKS5) {
277+            return error("Proxy failed to accept request");
278+        }
279+        if (pchRet2[1] != SOCKS5Reply::SUCCEEDED) {
280+            // Failures to connect to a peer that are not proxy errors
281+            LogPrintf("Socks5() connect to %s:%d failed: %s\n", strDest, port, Socks5ErrorString(pchRet2[1]));
282+            return false;
283+        }
284+        if (pchRet2[2] != 0x00) { // Reserved field must be 0
285+            return error("Error: malformed proxy response");
286+        }
287+        uint8_t pchRet3[256];
288+        switch (pchRet2[3]) {
289         case SOCKS5Atyp::IPV4: recvr = InterruptibleRecv(pchRet3, 4, g_socks5_recv_timeout, sock); break;
290         case SOCKS5Atyp::IPV6: recvr = InterruptibleRecv(pchRet3, 16, g_socks5_recv_timeout, sock); break;
291-        case SOCKS5Atyp::DOMAINNAME:
292-        {
293+        case SOCKS5Atyp::DOMAINNAME: {
294             recvr = InterruptibleRecv(pchRet3, 1, g_socks5_recv_timeout, sock);
295             if (recvr != IntrRecvError::OK) {
296                 return error("Error reading from proxy");
297             }
298             int nRecv = pchRet3[0];
299             recvr = InterruptibleRecv(pchRet3, nRecv, g_socks5_recv_timeout, sock);
300             break;
301         }
302         default: return error("Error: malformed proxy response");
303+        }
304+        if (recvr != IntrRecvError::OK) {
305+            return error("Error reading from proxy");
306+        }
307+        if (InterruptibleRecv(pchRet3, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) {
308+            return error("Error reading from proxy");
309+        }
310+        LogPrint(BCLog::NET, "SOCKS5 connected %s\n", strDest);
311+        return true;
312+    } catch (const std::runtime_error& e) {
313+        return error("Error during SOCKS5 proxy handshake: %s", e.what());
314     }
315-    if (recvr != IntrRecvError::OK) {
316-        return error("Error reading from proxy");
317-    }
318-    if (InterruptibleRecv(pchRet3, 2, g_socks5_recv_timeout, sock) != IntrRecvError::OK) {
319-        return error("Error reading from proxy");
320-    }
321-    LogPrint(BCLog::NET, "SOCKS5 connected %s\n", strDest);
322-    return true;
323 }
324 
325 std::unique_ptr<Sock> CreateSockOS(sa_family_t address_family)
326 {
327     // Not IPv4, IPv6 or UNIX
328     if (address_family == AF_UNSPEC) return nullptr;
329@@ -743,17 +737,12 @@ bool LookupSubNet(const std::string& subnet_str, CSubNet& subnet_out)
330             return subnet_out.IsValid();
331         }
332     }
333     return false;
334 }
335 
336-void InterruptSocks5(bool interrupt)
337-{
338-    interruptSocks5Recv = interrupt;
339-}
340-
341 bool IsBadPort(uint16_t port)
342 {
343     /* Don't forget to update doc/p2p-bad-ports.md if you change this list. */
344 
345     switch (port) {
346     case 1:     // tcpmux
347diff --git a/src/netbase.h b/src/netbase.h
348index 997bccf30d..3c41ba3834 100644
349--- a/src/netbase.h
350+++ b/src/netbase.h
351@@ -10,12 +10,13 @@
352 #endif
353 
354 #include <compat/compat.h>
355 #include <netaddress.h>
356 #include <serialize.h>
357 #include <util/sock.h>
358+#include <util/threadinterrupt.h>
359 
360 #include <functional>
361 #include <memory>
362 #include <stdint.h>
363 #include <string>
364 #include <type_traits>
365@@ -266,13 +267,16 @@ std::unique_ptr<Sock> ConnectDirectly(const CService& dest, bool manual_connecti
366  */
367 std::unique_ptr<Sock> ConnectThroughProxy(const Proxy& proxy,
368                                           const std::string& dest,
369                                           uint16_t port,
370                                           bool& proxy_connection_failed);
371 
372-void InterruptSocks5(bool interrupt);
373+/**
374+ * Interrupt SOCKS5 reads or writes.
375+ */
376+extern CThreadInterrupt g_socks5_interrupt;
377 
378 /**
379  * Connect to a specified destination service through an already connected
380  * SOCKS5 proxy.
381  *
382  * [@param](/bitcoin-bitcoin/contributor/param/) strDest The destination fully-qualified domain name.
383diff --git a/src/test/fuzz/socks5.cpp b/src/test/fuzz/socks5.cpp
384index 73235b7ced..7378cec7b8 100644
385--- a/src/test/fuzz/socks5.cpp
386+++ b/src/test/fuzz/socks5.cpp
387@@ -29,13 +29,15 @@ void initialize_socks5()
388 FUZZ_TARGET_INIT(socks5, initialize_socks5)
389 {
390     FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
391     ProxyCredentials proxy_credentials;
392     proxy_credentials.username = fuzzed_data_provider.ConsumeRandomLengthString(512);
393     proxy_credentials.password = fuzzed_data_provider.ConsumeRandomLengthString(512);
394-    InterruptSocks5(fuzzed_data_provider.ConsumeBool());
395+    if (fuzzed_data_provider.ConsumeBool()) {
396+        g_socks5_interrupt();
397+    }
398     // Set FUZZED_SOCKET_FAKE_LATENCY=1 to exercise recv timeout code paths. This
399     // will slow down fuzzing.
400     g_socks5_recv_timeout = (fuzzed_data_provider.ConsumeBool() && std::getenv("FUZZED_SOCKET_FAKE_LATENCY") != nullptr) ? 1ms : default_socks5_recv_timeout;
401     FuzzedSock fuzzed_sock = ConsumeSock(fuzzed_data_provider);
402     // This Socks5(...) fuzzing harness would have caught CVE-2017-18350 within
403     // a few seconds of fuzzing.

pinheadmz commented at 6:36 pm on July 13, 2023:

Ok I’ll put this statement after SetNonBlocking() but I think the Socks5 stuff should live in a follow-up PR?

vasild commented at 4:52 pm on July 14, 2023:

This resulted in netbase.cpp:415:27: runtime error: implicit conversion from type 'int' of value 210 (32-bit, signed) to type 'char' changed the value to -46 (8-bit, signed). This is ok in practice because the data is transferred as bytes anyway over the socket (not as integers). Anyway, to silence the sanitizer:

  0commit 8467080a08327aaf0d853a73412456c44558a9b3
  1Parent: af4eb52ff611342dbd285f218474649f16badbaf
  2Author:     Vasil Dimov <vd@FreeBSD.org>
  3AuthorDate: Fri Jul 14 18:36:34 2023 +0200
  4Commit:     Vasil Dimov <vd@FreeBSD.org>
  5CommitDate: Fri Jul 14 18:36:34 2023 +0200
  6gpg: Signature made Fri Jul 14 18:38:55 2023 CEST
  7gpg:                using RSA key E64D8D45614DB07545D9CCC154DF06F64B55CBBF
  8gpg: Good signature from "Vasil Dimov <vd@myforest.net>" [ultimate]
  9gpg:                 aka "Vasil Dimov <vd@FreeBSD.org>" [ultimate]
 10gpg:                 aka "Vasil Dimov <vasild@gmail.com>" [ultimate]
 11
 12
 13    sock: introduce a generic Sock::SendComplete(const void*, size_t, ...)
 14    
 15    Use that in `Sock::SendComplete(const std::string&, ...)` and introduce
 16    a new `Sock::SendComplete(const std::vector<uint8_t>&, ...)` to be used
 17    in the `Socks5()` function.
 18
 19diff --git a/src/util/sock.cpp b/src/util/sock.cpp
 20index c83869bc77..6cf1b84f18 100644
 21--- a/src/util/sock.cpp
 22+++ b/src/util/sock.cpp
 23@@ -248,25 +248,26 @@ bool Sock::WaitMany(std::chrono::milliseconds timeout, EventsPerSock& events_per
 24     }
 25 
 26     return true;
 27 #endif /* USE_POLL */
 28 }
 29 
 30-void Sock::SendComplete(const std::string& data,
 31+void Sock::SendComplete(const void* data,
 32+                        size_t len,
 33                         std::chrono::milliseconds timeout,
 34                         CThreadInterrupt& interrupt) const
 35 {
 36     const auto deadline = GetTime<std::chrono::milliseconds>() + timeout;
 37     size_t sent{0};
 38 
 39     for (;;) {
 40-        const ssize_t ret{Send(data.data() + sent, data.size() - sent, MSG_NOSIGNAL)};
 41+        const ssize_t ret{Send(static_cast<const uint8_t*>(data) + sent, len - sent, MSG_NOSIGNAL)};
 42 
 43         if (ret > 0) {
 44             sent += static_cast<size_t>(ret);
 45-            if (sent == data.size()) {
 46+            if (sent == len) {
 47                 break;
 48             }
 49         } else {
 50             const int err{WSAGetLastError()};
 51             if (IOErrorIsPermanent(err)) {
 52                 throw std::runtime_error(strprintf("send(): %s", NetworkErrorString(err)));
 53@@ -274,27 +275,41 @@ void Sock::SendComplete(const std::string& data,
 54         }
 55 
 56         const auto now = GetTime<std::chrono::milliseconds>();
 57 
 58         if (now >= deadline) {
 59             throw std::runtime_error(strprintf(
 60-                "Send timeout (sent only %u of %u bytes before that)", sent, data.size()));
 61+                "Send timeout (sent only %u of %u bytes before that)", sent, len));
 62         }
 63 
 64         if (interrupt) {
 65             throw std::runtime_error(strprintf(
 66-                "Send interrupted (sent only %u of %u bytes before that)", sent, data.size()));
 67+                "Send interrupted (sent only %u of %u bytes before that)", sent, len));
 68         }
 69 
 70         // Wait for a short while (or the socket to become ready for sending) before retrying
 71         // if nothing was sent.
 72         const auto wait_time = std::min(deadline - now, std::chrono::milliseconds{MAX_WAIT_FOR_IO});
 73         (void)Wait(wait_time, SEND);
 74     }
 75 }
 76 
 77+void Sock::SendComplete(const std::string& data,
 78+                        std::chrono::milliseconds timeout,
 79+                        CThreadInterrupt& interrupt) const
 80+{
 81+    SendComplete(data.data(), data.size(), timeout, interrupt);
 82+}
 83+
 84+void Sock::SendComplete(const std::vector<uint8_t>& data,
 85+                        std::chrono::milliseconds timeout,
 86+                        CThreadInterrupt& interrupt) const
 87+{
 88+    SendComplete(data.data(), data.size(), timeout, interrupt);
 89+}
 90+
 91 std::string Sock::RecvUntilTerminator(uint8_t terminator,
 92                                       std::chrono::milliseconds timeout,
 93                                       CThreadInterrupt& interrupt,
 94                                       size_t max_data) const
 95 {
 96     const auto deadline = GetTime<std::chrono::milliseconds>() + timeout;
 97diff --git a/src/util/sock.h b/src/util/sock.h
 98index 6bac2dfd34..7f7b426665 100644
 99--- a/src/util/sock.h
100+++ b/src/util/sock.h
101@@ -230,21 +230,37 @@ public:
102 
103     /* Higher level, convenience, methods. These may throw. */
104 
105     /**
106      * Send the given data, retrying on transient errors.
107      * [@param](/bitcoin-bitcoin/contributor/param/)[in] data Data to send.
108+     * [@param](/bitcoin-bitcoin/contributor/param/)[in] len Length of the data in bytes.
109      * [@param](/bitcoin-bitcoin/contributor/param/)[in] timeout Timeout for the entire operation.
110      * [@param](/bitcoin-bitcoin/contributor/param/)[in] interrupt If this is signaled then the operation is canceled.
111      * [@throws](/bitcoin-bitcoin/contributor/throws/) std::runtime_error if the operation cannot be completed. In this case only some of
112      * the data will be written to the socket.
113      */
114+    virtual void SendComplete(const void* data,
115+                              size_t len,
116+                              std::chrono::milliseconds timeout,
117+                              CThreadInterrupt& interrupt) const;
118+
119+    /**
120+     * Convenience method, equivalent to `SendComplete(data.data(), data.size(), timeout, interrupt)`.
121+     */
122     virtual void SendComplete(const std::string& data,
123                               std::chrono::milliseconds timeout,
124                               CThreadInterrupt& interrupt) const;
125 
126+    /**
127+     * Convenience method, equivalent to `SendComplete(data.data(), data.size(), timeout, interrupt)`.
128+     */
129+    virtual void SendComplete(const std::vector<uint8_t>& data,
130+                              std::chrono::milliseconds timeout,
131+                              CThreadInterrupt& interrupt) const;
132+
133     /**
134      * Read from socket until a terminator character is encountered. Will never consume bytes past
135      * the terminator from the socket.
136      * [@param](/bitcoin-bitcoin/contributor/param/)[in] terminator Character up to which to read from the socket.
137      * [@param](/bitcoin-bitcoin/contributor/param/)[in] timeout Timeout for the entire operation.
138      * [@param](/bitcoin-bitcoin/contributor/param/)[in] interrupt If this is signaled then the operation is canceled.

Also in this branch: https://github.com/vasild/bitcoin/tree/tor-unix-domain-socket (the second commit)

and adapt Socks5() to use std::vector<uint8_t> for the arguments it passes to SendComplete() (done in the last commit of https://github.com/vasild/bitcoin/tree/tor-unix-domain-socket).

That is, I think the two topmost commits from https://github.com/vasild/bitcoin/tree/tor-unix-domain-socket should be the first commits in this PR.

pinheadmz commented at 6:33 pm on July 14, 2023:

Now its ERROR: Error during SOCKS5 proxy handshake: send(): Transport endpoint is not connected (107) I’m still digging in to this…

vasild commented at 12:13 pm on July 17, 2023:

Transport endpoint is not connected

Is this still a problem or it got resolved?

pinheadmz commented at 12:18 pm on July 17, 2023:

Resolved!

pinheadmz force-pushed on Jul 13, 2023

pinheadmz force-pushed on Jul 14, 2023

pinheadmz force-pushed on Jul 16, 2023

DrahtBot removed the label CI failed on Jul 16, 2023

pinheadmz commented at 4:13 pm on July 16, 2023: member

@vasild OK I got this branch passing all CI. ✅ I ran tests locally on Ubuntu and MacOS and also tested the feature in production on both platforms with tor --SocksPort unix:/... Everything is working! yay.

The real fix was here actually (diff below) Embarrassingly simple. This was a bug on Linux but NOT on macOS.

I did not need the SendComplete changes or Socks5 changes which is great because that keeps review simple and the branch focused. I will be happy to review those changes if you want to open a new PR for them (or I can open it if you like)

The only other new change to the branch besides this is adding a release note and explanation in help text for -onion and -proxy

 0diff --git a/src/netbase.cpp b/src/netbase.cpp
 1index a49f882130..044b0ba6c3 100644
 2--- a/src/netbase.cpp
 3+++ b/src/netbase.cpp
 4@@ -638,7 +638,7 @@ std::unique_ptr<Sock> Proxy::Connect() const
 5     addrun.sun_family = AF_UNIX;
 6     // leave the last char in addrun.sun_path[] to be always '\0'
 7     memcpy(addrun.sun_path, path.c_str(), std::min(sizeof(addrun.sun_path) - 1, path.length()));
 8-    socklen_t len = strlen(addrun.sun_path) + sizeof(addrun);
 9+    socklen_t len = sizeof(addrun);
10 
11     if(!ConnectToSocket(*sock, (struct sockaddr*)&addrun, len, path, /*manual_connection=*/true)) {
12         LogPrintf("Cannot connect to socket for %s\n", path);

in src/init.cpp:495 in f74da5eba9 outdated

491@@ -492,7 +492,7 @@ void SetupServerArgs(ArgsManager& argsman)
492     argsman.AddArg("-maxsendbuffer=<n>", strprintf("Maximum per-connection send buffer, <n>*1000 bytes (default: %u)", DEFAULT_MAXSENDBUFFER), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
493     argsman.AddArg("-maxtimeadjustment", strprintf("Maximum allowed median peer time offset adjustment. Local perspective of time may be influenced by outbound peers forward or backward by this amount (default: %u seconds).", DEFAULT_MAX_TIME_ADJUSTMENT), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
494     argsman.AddArg("-maxuploadtarget=<n>", strprintf("Tries to keep outbound traffic under the given target per 24h. Limit does not apply to peers with 'download' permission or blocks created within past week. 0 = no limit (default: %s). Optional suffix units [k|K|m|M|g|G|t|T] (default: M). Lowercase is 1000 base while uppercase is 1024 base", DEFAULT_MAX_UPLOAD_TARGET), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
495-    argsman.AddArg("-onion=<ip:port>", "Use separate SOCKS5 proxy to reach peers via Tor onion services, set -noonion to disable (default: -proxy)", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
496+    argsman.AddArg("-onion=<ip:port|path>", "Use separate SOCKS5 proxy to reach peers via Tor onion services, set -noonion to disable (default: -proxy). May be a local file path prefixed with 'unix:' if UNIX domain sockets are supported by the platform.", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);

vasild commented at 2:19 pm on July 19, 2023:

We have already checked if UNIX sockets are supported.

0#if HAVE_SOCKADDR_UN
1    argsman.AddArg("-onion=<ip:port|path>", "Use separate SOCKS5 proxy to reach peers via Tor onion services, set -noonion to disable (default: -proxy). May be a local file path prefixed with 'unix:'.", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
2#else
3    argsman.AddArg("-onion=<ip:port>", "Use separate SOCKS5 proxy to reach peers via Tor onion services, set -noonion to disable (default: -proxy)", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION);
4#endif

pinheadmz commented at 4:32 pm on July 19, 2023:

ah of course thanks, fixed and pushed

pinheadmz force-pushed on Jul 19, 2023

achow101 requested review from willcl-ark on Sep 20, 2023

achow101 requested review from vasild on Sep 20, 2023

DrahtBot added the label Needs rebase on Oct 3, 2023

in src/netbase.cpp:541 in d8f993b77d outdated

551-        return false;
552-    }
553-
554-    // Connect to the addrConnect service on the hSocket socket.
555-    if (sock.Connect(reinterpret_cast<struct sockaddr*>(&sockaddr), len) == SOCKET_ERROR) {
556+    // Connect to the dest service on the hSocket socket.

vasild commented at 12:44 pm on October 13, 2023:

nit:

0    // Connect to `sockaddr` using `sock`.

or drop the comment altogether.

in src/init.cpp:510 in d8f993b77d outdated

505@@ -502,7 +506,11 @@ void SetupServerArgs(ArgsManager& argsman)
506     // TODO: remove the sentence "Nodes not using ... incoming connections." once the changes from
507     // https://github.com/bitcoin/bitcoin/pull/23542 have become widespread.
508     argsman.AddArg("-port=<port>", strprintf("Listen for connections on <port>. Nodes not using the default ports (default: %u, testnet: %u, signet: %u, regtest: %u) are unlikely to get incoming connections. Not relevant for I2P (see doc/i2p.md).", defaultChainParams->GetDefaultPort(), testnetChainParams->GetDefaultPort(), signetChainParams->GetDefaultPort(), regtestChainParams->GetDefaultPort()), ArgsManager::ALLOW_ANY | ArgsManager::NETWORK_ONLY, OptionsCategory::CONNECTION);
509+#if HAVE_SOCKADDR_UN
510+    argsman.AddArg("-proxy=<ip:port|path>", "Connect through SOCKS5 proxy, set -noproxy to disable (default: disabled). May be a local file path prefixed with 'unix:' if UNIX domain sockets are supported by the platform.", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_ELISION, OptionsCategory::CONNECTION);

vasild commented at 1:08 pm on October 13, 2023:

nit:

0    argsman.AddArg("-proxy=<ip:port|path>", "Connect through SOCKS5 proxy, set -noproxy to disable (default: disabled). May be a local file path prefixed with 'unix:'.", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_ELISION, OptionsCategory::CONNECTION);

(this is inside #if HAVE_SOCKADDR_UN)

vasild approved

vasild commented at 2:44 pm on October 13, 2023: contributor

ACK d8f993b77d2f0bad0e7a5659885ffbbd9f75dbec (needs rebase)

I tested this and it works. Got one unexpected failure to connect (it stalled for more than a minute after the first 4 lines):

 02023-10-13T13:36:50Z [net:debug] trying connection <strip>.onion:8333 lastseen=0.0hrs
 12023-10-13T13:36:50Z [proxy:debug] Using proxy: unix:/var/run/tor/socks to connect to <strip>.onion:8333
 22023-10-13T13:36:50Z [net] SOCKS5 connecting <strip>.onion
 32023-10-13T13:36:50Z [proxy] SOCKS5 sending proxy authentication 0:0
 42023-10-13T13:38:11Z [net:debug] trying connection <strip>.onion:8333 lastseen=0.0hrs
 52023-10-13T13:38:11Z [proxy:debug] Using proxy: unix:/var/run/tor/socks to connect to <strip>.onion:8333
 62023-10-13T13:38:11Z [net] SOCKS5 connecting <strip>.onion
 72023-10-13T13:38:11Z [proxy] SOCKS5 sending proxy authentication 1:1
 82023-10-13T13:38:11Z [net] SOCKS5 connected <strip>.onion
 92023-10-13T13:38:11Z [net] Added connection to <strip>.onion:8333 peer=0
102023-10-13T13:38:11Z [net] sending version (103 bytes) peer=0

It could be some intermediate problem from the Tor network. The address it managed to connect later is the same.

I have submitted the discussed Sock5() improvement here: https://github.com/bitcoin/bitcoin/pull/28649

pinheadmz force-pushed on Oct 16, 2023

pinheadmz commented at 2:36 pm on October 16, 2023: member

@vasild thanks again for your review! Nits addressed and rebased on master. I will help you review https://github.com/bitcoin/bitcoin/pull/28649

DrahtBot removed the label Needs rebase on Oct 16, 2023

vasild approved

vasild commented at 8:26 am on October 17, 2023: contributor

ACK e60df927bffa844d08fa908128b10303b352cfc5

in src/netbase.cpp:644 in 7239ec264a outdated

643 {
644     // first connect to proxy server
645-    if (!ConnectSocketDirectly(proxy.proxy, sock, nTimeout, true)) {
646-        outProxyConnectionFailed = true;
647-        return false;
648+    auto sock = ConnectDirectly(proxy.proxy, /*manual_connection=*/true);

willcl-ark commented at 9:57 am on October 17, 2023:

In 7239ec264a1def8e8aeff8c1ca57ece2ea90f65c

Why do we always set manual_connection = true here (I appreciate it was existing code)? If we come via ConnectThroughProxy I don’t think that’s always the case, even though the docstring implies it should be.

edit: it doesn’t seem to have much effect anyway, besides logging a different error message on failure.

Sjors commented at 2:32 pm on February 28, 2024:

Both call sites of ConnectThroughProxy have access to conn_type so might as well pass in manual_connection.

in src/netbase.cpp:230 in 892e0f4fae outdated

219+    std::string str{name.substr(ADDR_PREFIX_UNIX.length())};
220+
221+    // Path size limit is platform-dependent
222+    // see https://manpages.ubuntu.com/manpages/xenial/en/man7/unix.7.html
223+    if (str.size() + 1 > sizeof(((sockaddr_un*)nullptr)->sun_path)) return false;
224+

willcl-ark commented at 10:26 am on October 17, 2023:

nit: if you touch again we could also check here whether the path exists and return an appropriate error if it doesn’t?

I tried some (wrong) unix onion options, like onion=unix:%2Frun%2Ftor%2Fsocks and onion=127.0.0.1:9050 and these are accepted by init, but (obviously) fail to connect:

02023-10-17T10:25:01Z connect() to 127.0.0.1:9050 failed: No such file or directory (2)
12023-10-17T10:25:01Z Cannot connect to socket for 127.0.0.1:9050
22023-10-17T10:25:02Z New block-relay-only v1 peer connected: version: 70016, blocks=812593, peer=2
32023-10-17T10:25:07Z Cannot connect to socket for 117.86.73.230:8333
42023-10-17T10:25:08Z Cannot connect to socket for 203.91.85.237:8333
52023-10-17T10:25:08Z connect() to 127.0.0.1:9050 failed: No such file or directory (2)
62023-10-17T10:25:08Z Cannot connect to socket for 127.0.0.1:9050
72023-10-17T10:25:14Z Cannot connect to socket for 178.66.156.78:8333

The logs are kind of clear about this, but could be improved.

pinheadmz commented at 5:34 pm on October 17, 2023:

This was discussed but we don’t normally check this kind of option that deeply. For example, you can set -onion=127.0.0.1:9050 and if Tor isn’t running, all you get is a log message. The user should be able to start Tor after Bitcoin.

#27375 (review)

willcl-ark approved

willcl-ark commented at 11:02 am on October 17, 2023: contributor

ACK e60df927bffa844d08fa908128b10303b352cfc5

Reviewed the changes since last time, and tested both options again pretty thoroughly. Left a few nits which don’t need to be addressed unless re-touching.

I wonder if we should update doc/tor.md in a followup? We currently describe options needed for ControlPort in torrc, and could add the directive for unix sockets (and explain permissions needed to access the socket, or include the WorldWritable arg):

0SocksPort /run/tor/socks
1# or
2SocksPort /run/tor/socks WorldWritable

…along with benefits/differences of using unix sockets for onion/proxy too? (easier access control to socket via filesystem vs network namespace, marginal speed gain, etc.) Other reasons discussed in https://riseup.net/en/security/network-security/tor/onionservices-best-practices#protecting-your-services

in configure.ac:1281 in e60df927bf outdated

1277+    #include <sys/un.h>
1278+  ]], [[
1279+    struct sockaddr_un addr;
1280+    addr.sun_family = AF_UNIX;
1281+  ]])],
1282+ [ AC_MSG_RESULT([yes]); HAVE_SOCKADDR_UN=1; AC_DEFINE([HAVE_SOCKADDR_UN], [1], [Define this symbol if platform supports unix domain sockets]) ],

fanquake commented at 2:27 pm on October 19, 2023:

There shouldn’t be a need for the HAVE_SOCKADDR_UN=1 or HAVE_SOCKADDR_UN=0 in the AC_MSG_RESULT’s?

pinheadmz force-pushed on Oct 19, 2023

DrahtBot added the label Needs rebase on Oct 19, 2023

vasild approved

vasild commented at 11:05 am on October 23, 2023: contributor

ACK b46e24ccc19d8a7dc40d0b5e993f245ede3c7086 (needs rebase)

DrahtBot requested review from willcl-ark on Oct 23, 2023

pinheadmz force-pushed on Oct 24, 2023

pinheadmz commented at 5:46 pm on October 24, 2023: member

Thanks again @vasild rebased on master - I see some new I2P tests in there now! Had to update those with the changes to CreateSock()

DrahtBot removed the label Needs rebase on Oct 24, 2023

pinheadmz force-pushed on Oct 24, 2023

DrahtBot added the label CI failed on Oct 25, 2023

DrahtBot removed the label CI failed on Oct 25, 2023

vasild approved

vasild commented at 3:16 pm on October 30, 2023: contributor

ACK b6da3897f36547139b83abde486bddbf50dab54e

DrahtBot added the label CI failed on Nov 2, 2023

maflcko commented at 7:35 am on November 4, 2023: member

0test/i2p_tests.cpp:162:79: error: no matching function for call to ‘i2p::sam::Session::Session(const fs::path&, CService, CThreadInterrupt*)’

pinheadmz force-pushed on Nov 5, 2023

pinheadmz commented at 7:36 pm on November 5, 2023: member

Rebased on master to fix silent conflict with new I2P tests. @maflcko thanks. Can you help me understand why this only broke the previous builds task?

DrahtBot removed the label CI failed on Nov 5, 2023

maflcko commented at 12:33 pm on November 6, 2023: member

To preserve CI resources, only one task is re-run to detect silent merge conflicts.

in src/net.cpp:486 in 0c5f8c36c9 outdated

482-            if (!sock) {
483-                return nullptr;
484-            }
485-            connected = ConnectThroughProxy(proxy, addrConnect.ToStringAddr(), addrConnect.GetPort(),
486-                                            *sock, nConnectTimeout, proxyConnectionFailed);
487+            LogPrintLevel(BCLog::PROXY, BCLog::Level::Debug, "Using proxy: %s to connect to %s:%s\n", proxy.ToString(), addrConnect.ToStringAddr(), addrConnect.GetPort());

willcl-ark commented at 10:06 pm on November 6, 2023:

nit: in c079e29c266a413de1859c0cbc8ebb55ea6a3203

I get a compilation failure:

 0net.cpp:481:109: error: no member named 'ToString' in 'Proxy'
 1            LogPrintLevel(BCLog::PROXY, BCLog::Level::Debug, "Using proxy: %s to connect to %s:%s\n", proxy.ToString(), addrConnect.ToStringAddr(), addrConnect.GetPort());
 2                                                                                                      ~~~~~ ^
 3./logging.h:257:45: note: expanded from macro 'LogPrintLevel'
 4            LogPrintLevel_(category, level, __VA_ARGS__); \
 5                                            ^~~~~~~~~~~
 6./logging.h:234:104: note: expanded from macro 'LogPrintLevel_'
 7#define LogPrintLevel_(category, level, ...) LogPrintf_(__func__, __FILE__, __LINE__, category, level, __VA_ARGS__)
 8                                                                                                       ^~~~~~~~~~~
 91 error generated.
10make: *** [Makefile:10385: libbitcoin_node_a-net.o] Error 1
11make: Leaving directory '/home/will/src/bitcoin/src'

Looks like ToString() is added to Proxy in e7d29d5

pinheadmz commented at 5:00 pm on November 8, 2023:

great catch thanks, will fix.

in src/netbase.h:284 in 0c5f8c36c9 outdated

295  *
296- * @returns Whether or not a connection was successfully made.
297+ * @returns the connected socket if the operation succeeded, empty unique_ptr otherwise
298  */
299-bool ConnectSocketDirectly(const CService &addrConnect, const Sock& sock, int nTimeout, bool manual_connection);
300+std::unique_ptr<Sock> ConnectDirectly(const CService& dest, bool manual_connection);

willcl-ark commented at 12:43 pm on November 7, 2023:

In c079e29

ConnectDirectly and ConnectThroughProxy now differ in their primary args, with Directly taking a CService and Proxy remaining with std::string& (for host and port) which results in:

src/net.cpp

0        } else if (use_proxy) {
1            LogPrintLevel(BCLog::PROXY, BCLog::Level::Debug, "Using proxy: %s to connect to %s:%s\n", proxy.proxy.ToStringAddrPort(), addrConnect.ToStringAddr(), addrConnect.GetPort());
2            sock = ConnectThroughProxy(proxy, addrConnect.ToStringAddr(), addrConnect.GetPort(), proxyConnectionFailed);
3        } else {
4            // no proxy needed (none set for target network)
5            sock = ConnectDirectly(addrConnect, conn_type == ConnectionType::MANUAL);
6        }

If you touch again we could take the chance to synchronise the interfaces for these two similar functions?

pinheadmz commented at 5:00 pm on November 8, 2023:

Good observation. This is how ConnectSocketDirectly() and ConnectThroughProxy() are implemented on master currently as well. I think the reason is that we actually send the SOCKS5 proxy the destination host as a string whereas for the direct connection we actually get a socket from the OS. So even if throughProxy accepted a CService, we’d have to split into host string and port right away, anyway. I think I’ll leave this alone for now unless other reviewers want to weigh in.

willcl-ark approved

willcl-ark commented at 2:23 pm on November 7, 2023: contributor

tACK 0c5f8c36c90fab4fb39ce39d1b4c204a2edd25c4

Left a few nits which IMO don’t need addressing. Tested out new socket type for proxy and onion and found it working as expected.

DrahtBot requested review from vasild on Nov 7, 2023

achow101 referenced this in commit 0528cfd307 on Nov 7, 2023

pinheadmz force-pushed on Nov 8, 2023

pinheadmz commented at 5:56 pm on November 8, 2023: member

force pushed to clean up git commit history. diff is null

vasild approved

vasild commented at 9:49 am on November 14, 2023: contributor

ACK 6dddc1c2eda514d35219cce03c229bd6f822be55

DrahtBot requested review from willcl-ark on Nov 14, 2023

DrahtBot added the label CI failed on Jan 13, 2024

tdb3 commented at 8:48 pm on February 12, 2024: contributor

ACK for 6dddc1c2eda514d35219cce03c229bd6f822be55. Great work on a great feature. Seems to work well. Reviewed the code changes, but didn’t see anything noteworthy over what vasild, luke-jr, and willcl-ark already saw.

Ran the following test actions:

Cloned and checked out PR branch, compiled, and ran all functional tests (all passed)
Configured Tor to listen on only the unix domain socket /run/tor/socks (SocksPort 9050 and ControlPort 9051 disabled)
Started bitcoind (signet), proxy=/run/tor/socks set, onion and onlynet not set. Connections were established with multiple peers and successful block download was observed. Sniffed the unix socket (/run/tor/socks) with https://github.com/mechpen/sockdump, and observed bitcoin traffic in Wireshark with a pcap dump from sockdump. getpeerinfo command to the node showed ipv4, ipv6, and onion addr peers.
Started bitcoind (signet), onion=/run/tor/socks set, proxy not set, but onlynet=onion set. Manually added seed v7ajjeirttkbnt32wpy3c6w3emwnfr3fkla7hpxcfokr3ysd3kqtzmqd.onion:38333 with addnode command. Connections were established with multiple peers and successful block download was observed. Sniffed the unix socket and again observed bitcoin traffic over the socket. getpeerinfo showed multiple onion addr peers.

Sjors commented at 11:41 am on February 28, 2024: member

Would be nice to have this for RPC too, but can wait for a followup.

Ditto for direct peer connections.

in src/netaddress.h:547 in 4ca9b322f0 outdated

543@@ -544,6 +544,7 @@ class CService : public CNetAddr
544     uint16_t GetPort() const;
545     bool GetSockAddr(struct sockaddr* paddr, socklen_t* addrlen) const;
546     bool SetSockAddr(const struct sockaddr* paddr);
547+    [[nodiscard]] sa_family_t GetSAFamily() const;

Sjors commented at 12:07 pm on February 28, 2024:

4ca9b322f00db56a390301f08d3de8a13ff66694: suggested documentation:

0    /**
1     * Get the address family
2     * [@returns](/bitcoin-bitcoin/contributor/returns/) AF_UNSPEC if unspecified
3     */

in src/netbase.h:269 in 4ca9b322f0 outdated

235@@ -236,12 +236,12 @@ CSubNet LookupSubNet(const std::string& subnet_str);
236  * @param[in] address_family The socket is created in the same address family as this address.
237  * @return pointer to the created Sock object or unique_ptr that owns nothing in case of failure
238  */
239-std::unique_ptr<Sock> CreateSockTCP(const CService& address_family);
240+std::unique_ptr<Sock> CreateSockOS(sa_family_t address_family);

Sjors commented at 12:12 pm on February 28, 2024:

4ca9b322f00db56a390301f08d3de8a13ff66694: “Create a TCP socket” should be changed to create “Create a socket”?

And:

0* [@param](/bitcoin-bitcoin/contributor/param/)[in] address_family to use for the socket.

in src/i2p.cpp:329 in 4ca9b322f0 outdated

325@@ -326,7 +326,7 @@ Session::Reply Session::SendRequestAndGetReply(const Sock& sock,
326 
327 std::unique_ptr<Sock> Session::Hello() const
328 {
329-    auto sock = CreateSock(m_control_host);
330+    auto sock = CreateSock(m_control_host.GetSAFamily());

Sjors commented at 12:24 pm on February 28, 2024:

4ca9b322f00db56a390301f08d3de8a13ff66694: this is a nice readability improvement; makes it clear CreateSock only needs the socket address family and the real work happens in ConnectSocketDirectly.

in src/netbase.cpp:464 in d513ac7bf6 outdated

462 
463-    // Create a TCP socket in the address family of the specified service.
464-    SOCKET hSocket = socket(address_family, SOCK_STREAM, IPPROTO_TCP);
465+    int protocol{IPPROTO_TCP};
466+#if HAVE_SOCKADDR_UN
467+    if (address_family == AF_UNIX)

Sjors commented at 12:38 pm on February 28, 2024:

d513ac7bf615239053762a4f9d64db9f4c70d12a nit: brackets or on the same line

in src/netbase.cpp:484 in d513ac7bf6 outdated

467+    if (address_family == AF_UNIX)
468+        protocol = 0;
469+#endif
470+
471+    // Create a socket in the specified address family.
472+    SOCKET hSocket = socket(address_family, SOCK_STREAM, protocol);

Sjors commented at 12:46 pm on February 28, 2024:

d513ac7bf615239053762a4f9d64db9f4c70d12a: On macOS man 2 socket lists PF_LOCAL (alias for PF_UNIX), PF_INET and PF_INET6 for the domain parameter of socket (first argument).

They map to the same integer values as AF_UNIX, AF_INET and AF_INET6, so it’s just a cosmetic thing. And apparently nobody cares: https://stackoverflow.com/a/6737450/313633

pinheadmz commented at 9:40 pm on February 29, 2024:

That’s… weird 🤷 Do you think I need to change anything here?

vasild commented at 7:56 am on March 1, 2024:

On FreeBSD all of AF_UNIX, AF_LOCAL, PF_UNIX, PF_LOCAL have the same value: https://cgit.freebsd.org/src/tree/sys/sys/socket.h

Sjors commented at 11:25 am on March 1, 2024:

I think if someone cares, they can make a followup PR.

in src/init.cpp:513 in 6dddc1c2ed outdated

508@@ -505,7 +509,11 @@ void SetupServerArgs(ArgsManager& argsman)
509     // TODO: remove the sentence "Nodes not using ... incoming connections." once the changes from
510     // https://github.com/bitcoin/bitcoin/pull/23542 have become widespread.
511     argsman.AddArg("-port=<port>", strprintf("Listen for connections on <port>. Nodes not using the default ports (default: %u, testnet: %u, signet: %u, regtest: %u) are unlikely to get incoming connections. Not relevant for I2P (see doc/i2p.md).", defaultChainParams->GetDefaultPort(), testnetChainParams->GetDefaultPort(), signetChainParams->GetDefaultPort(), regtestChainParams->GetDefaultPort()), ArgsManager::ALLOW_ANY | ArgsManager::NETWORK_ONLY, OptionsCategory::CONNECTION);
512+#if HAVE_SOCKADDR_UN
513+    argsman.AddArg("-proxy=<ip:port|path>", "Connect through SOCKS5 proxy, set -noproxy to disable (default: disabled). May be a local file path prefixed with 'unix:'.", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_ELISION, OptionsCategory::CONNECTION);

Sjors commented at 1:54 pm on February 28, 2024:

6dddc1c2eda514d35219cce03c229bd6f822be55 the SOCKS5 standard seems to assume that clients are connecting via either TCP or UDP. Other than Tor, are there other SOCKS5 proxies out there that support connecting via socket? https://datatracker.ietf.org/doc/html/rfc1928

(it’s probably fine to allow it even if not)

pinheadmz commented at 10:02 pm on February 29, 2024:

Hm good question, I found some vague docs that imply NordVPN client has a unix socket option… Would you suggest specifying Tor in the help description of the proxy arg?

Sjors commented at 11:24 am on March 1, 2024:

No I think that would be confusing. Perhaps add something something like “unix: if the proxy supports it” (assuming it’s not standard)

in src/netbase.cpp:232 in 8d06446fc7 outdated

223+    // Path size limit is platform-dependent
224+    // see https://manpages.ubuntu.com/manpages/xenial/en/man7/unix.7.html
225+    if (str.size() + 1 > sizeof(((sockaddr_un*)nullptr)->sun_path)) return false;
226+
227+    return true;
228+#else

Sjors commented at 2:43 pm on February 28, 2024:

8d06446fc7a17b593466fccd0f638eb2527a493b: maybe add Assume(false); here? Since the answer of this function is unreliable for systems that don’t support unix sockets.

pinheadmz commented at 9:45 pm on February 29, 2024:

Hm not sure what you mean by unreliable. Wont the pre-processor directives here guaruntee this function always returns false on systems that don’t support unix sockets?

Sjors commented at 11:21 am on March 1, 2024:

It would, but “unix:/somepath” is valid unix socket path, so IsUnixSocketPath should return true. So it seems better to ensure nobody accidentally calls this function on a system that doesn’t support unix sockets.

pinheadmz commented at 5:46 pm on March 1, 2024:

is valid unix socket path,

This can actually only be determined if sockaddr_un is defined, because different platforms have different length limits for the path (https://manpages.ubuntu.com/manpages/xenial/en/man7/unix.7.html)

So if sockaddr_un is not defined, nothing can be a valid unix socket path.

Also I think Assume(false) is overkill because this function will be called from AppInitMain() regardless of platform. If a user without unix socket support still tries to set -onion=unix:/whatever they’ll get an init error

in src/netbase.cpp:639 in 9eb40e6f39 outdated

639+
640+    struct sockaddr_un addrun;
641+    memset(&addrun, 0, sizeof(addrun));
642+    addrun.sun_family = AF_UNIX;
643+    // leave the last char in addrun.sun_path[] to be always '\0'
644+    memcpy(addrun.sun_path, path.c_str(), std::min(sizeof(addrun.sun_path) - 1, path.length()));

Sjors commented at 4:28 pm on February 28, 2024:

9eb40e6f399169ade8e96c60ba633e8a0e4ddadc: Given the IsValid() check above, you could also do Assume(path.length() < sizeof(addrun.sun_path) - 1) and leave out the std::min stuff, but maybe this is more robust.

pinheadmz commented at 10:03 pm on February 29, 2024:

Yeah I think this was recommended by vasild in an earlier interation of the branch.

Sjors approved

Sjors commented at 4:55 pm on February 28, 2024: member

utACK 6dddc1c2eda514d35219cce03c229bd6f822be55

Mostly cosmetic feedback.

pinheadmz commented at 10:13 pm on February 29, 2024: member

@Sjors #27375 (review)

Both call sites of ConnectThroughProxy have access to conn_type so might as well pass in manual_connection.

Do you mean to pass it ConnectThroughProxy() -> proxy.Connect() -> ConnectDirectly()?

That would also mean we need manual_connection in i2p.cpp where we call proxy.Connect() ?

Sjors commented at 11:28 am on March 1, 2024: member

That would also mean we need manual_connection in i2p.cpp where we call proxy.Connect() ? @vasild does the i2p code know if a connection is manual? We can always set manual_connection to true if we don’t know (or it adds too much complexity), but we should set it to the correct value if we do know.

pinheadmz commented at 6:04 pm on March 1, 2024: member

@Sjors If I’m following this correctly, the only benefit of passing manual_connection to ConnectDirectly() is that it is then passed to ConnectToSocket() which only uses the boolean when logging with LogConnectFailure().

On current master, ConnectThroughProxy() calls ConnectSocketDirectly() with a hard-coded true for manual_connection. I believe the motivation is in #12569

So I’m inclined to leave this hard-coded as true because IIUC the connection being described by the boolean in this context isn’t “manual” in the “p2p addrman vs addnode” sense, but is used to refer to the connection between bitcoind and the input to the proxy.

configure: test for unix domain sockets

Copied from https://github.com/bitcoin/bitcoin/pull/9979

Co-authored-by: laanwj <126646+laanwj@users.noreply.github.com>

adb3a3e51d

netbase: refactor CreateSock() to accept sa_family_t

Also implement CService::GetSAFamily() to provide sa_family_t

bae86c8d31

netbase: allow CreateSock() to create UNIX sockets if supported 74f568cb6f

net: move CreateSock() calls from ConnectNode() to netbase methods 3a7d6548ef

netbase: extend Proxy class to wrap UNIX socket as well as TCP a89c3f59dc

proxy: rename randomize_credentials to m_randomize_credentials ac2ecf3182

net: split ConnectToSocket() from ConnectDirectly() for unix sockets d9318a37ec

i2p: construct Session with Proxy instead of CService a88bf9dedd

gui: accomodate unix socket Proxy in updateDefaultProxyNets()

This will require a follow-up to add unix socket options to the GUI

c3bd43142e

init: allow UNIX socket path for -proxy and -onion c65c0d0163

test: cover UNIX sockets in feature_proxy.py bfe5192891

doc: add release notes and help text for unix sockets 567cec9a05

pinheadmz force-pushed on Mar 1, 2024

pinheadmz commented at 7:51 pm on March 1, 2024: member

git range-diff master 6dddc1c2eda514d35219cce03c229bd6f822be55 567cec9a05e1261e955535f734826b12341684b6

Rebased on master to fix conflicts and ( 🤞 ) pass CI. @Sjors thank you so much for the review, I addressed all your nits except the one or two where indicated in discussion.

DrahtBot removed the label CI failed on Mar 1, 2024

Sjors commented at 11:09 am on March 4, 2024: member

but is used to refer to the connection between bitcoind and the input to the proxy

I agree that shouldn’t be called “manual”.

re-ACK 567cec9a05e1261e955535f734826b12341684b6

DrahtBot requested review from tdb3 on Mar 4, 2024

DrahtBot requested review from vasild on Mar 4, 2024

vasild approved

vasild commented at 8:38 am on March 7, 2024: contributor

ACK 567cec9a05e1261e955535f734826b12341684b6

I agree it is better to keep the hardcoded /*manual=*/true because in this case that is about connecting to the proxy itself, not to the bitcoin peer. In this case it is better to log with higher severity.

In the future maybe it would be better to rename the manual_connection argument of ConnectToSocket() to log_severity or error_severity or is_imporant_please_log_errorswithhigherseverity.

DrahtBot removed review request from tdb3 on Mar 7, 2024

DrahtBot requested review from tdb3 on Mar 7, 2024

tdb3 commented at 8:43 pm on March 8, 2024: contributor

re ACK for 567cec9a05e1261e955535f734826b12341684b6.

Pulled, built, ran all unit and functional tests (all passed).

Re-ran the test actions (quote below) from #27375#pullrequestreview-1876248880

Overall, similar results were observed. Each test action was performed with a fresh signet directory (with the exception of blocks and chainstate, which were not cleared, to prevent IBD). For the first action (i.e. running with proxy=unix:/run/tor/socks set, but onion and onlynet not set), peer connection was observed to grow over the span of a half our (with ipv4, ipv6, and onion peers connected). debug log showed general socks connection failures (although these also occur in v26.0 when using localhost:9050 for socks):

0<date> Socks5() connect to <IPv4 ADDR>:38333 failed: general failure

For the second action (i.e. running with proxy and onlynet=onion with manual seed added), onion peer connections were observed.

For both actions, UNIX socket traffic was sniffed and contained bitcoin protocol traffic.

ACK for 6dddc1c. Great work on a great feature. Seems to work well. Reviewed the code changes, but didn’t see anything noteworthy over what vasild, luke-jr, and willcl-ark already saw.

Ran the following test actions:

* Cloned and checked out PR branch, compiled, and ran all functional tests (all passed)

* Configured Tor to listen on only the unix domain socket /run/tor/socks (SocksPort 9050 and ControlPort 9051 disabled)

* Started bitcoind (signet), `proxy=/run/tor/socks` set, `onion` and `onlynet` not set.  Connections were established with multiple peers and successful block download was observed.  Sniffed the unix socket (`/run/tor/socks`) with https://github.com/mechpen/sockdump, and observed bitcoin traffic in Wireshark with a pcap dump from sockdump.  `getpeerinfo` command to the node showed ipv4, ipv6, and onion addr peers.

* Started bitcoind (signet), `onion=/run/tor/socks` set, `proxy` not set, but `onlynet=onion` set.  Manually added seed `v7ajjeirttkbnt32wpy3c6w3emwnfr3fkla7hpxcfokr3ysd3kqtzmqd.onion:38333` with `addnode` command.  Connections were established with multiple peers and successful block download was observed.  Sniffed the unix socket and again observed bitcoin traffic over the socket.  `getpeerinfo` showed multiple onion addr peers.

DrahtBot removed review request from tdb3 on Mar 8, 2024

achow101 commented at 5:55 pm on March 12, 2024: member

ACK 567cec9a05e1261e955535f734826b12341684b6

achow101 commented at 6:13 pm on March 12, 2024: member

Seems like there’s a silent merge conflict somewhere, getting a functional test failure when merged with master:

02024-03-12T18:12:19.695000Z TestFramework (ERROR): Assertion failed
1Traceback (most recent call last):
2  File "/home/ava/bitcoin/bitcoin/master/test/functional/test_framework/test_framework.py", line 565, in start_nodes
3    node.wait_for_rpc_connection()
4  File "/home/ava/bitcoin/bitcoin/master/test/functional/test_framework/test_node.py", line 255, in wait_for_rpc_connection
5    raise FailedToStartError(self._node_msg(
6test_framework.test_node.FailedToStartError: [node 5] bitcoind exited with status 1 during initialization. Error: Invalid -proxy address or hostname: 'unix:/tmp/tmp9eh_pwt0'

in src/netbase.cpp:8 in 567cec9a05

2@@ -3,6 +3,10 @@
3 // Distributed under the MIT software license, see the accompanying
4 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 
6+#if defined(HAVE_CONFIG_H)
7+#include <config/bitcoin-config.h>
8+#endif

pinheadmz commented at 3:50 am on March 13, 2024:

@achow101 Its very mysterious, when I rebase this branch on master (git rebase master) these lines disappear. I can’t figure out why!

However when I do interactive git rebase master -i and stop on this commit with an edit command, DO NOTHING, and just git rebase --continue… the lines remain intact. I am force-pushing this interactive rebase branch now. :face_with_spiral_eyes:

maflcko commented at 7:41 am on March 13, 2024:

when I rebase this branch on master (git rebase master) these lines disappear. I can’t figure out why!

What are the exact steps to reproduce?

I did

0git checkout  567cec9a05e1261e955535f734826b12341684b6
1git rebase bitcoin-core/master
2git range-diff bitcoin-core/master 6df896fc37f5b2023b891d5300345e2a4352e521

And got an empty diff (only the commit ids are different)

maflcko commented at 7:44 am on March 13, 2024:

Maybe you two are using a different git --version (with a bug)?

pinheadmz force-pushed on Mar 13, 2024

maflcko commented at 7:39 am on March 13, 2024: member

Seems like there’s a silent merge conflict somewhere, getting a functional test failure when merged with master:

I re-ran the CI and it didn’t fail. Are you sure this is a silent conflict, because if it was, the CI should be detecting it on a re-run?

achow101 commented at 10:33 am on March 13, 2024: member

Oh! The test command I use doesn’t rerun autogen.sh every time, I think that’s what caused the test failure. @pinheadmz You can reset the branch back to 567cec9a05e and this can be merged. Sorry about the confusion.

pinheadmz force-pushed on Mar 13, 2024

pinheadmz commented at 10:35 am on March 13, 2024: member

Oh! The test command I use doesn’t rerun autogen.sh every time, I think that’s what caused the test failure. @pinheadmz You can reset the branch back to 567cec9 and this can be merged. Sorry about the confusion.

Ugh and when I was trying to reproduce I ALSO didn’t rerun autogen or config :facepalm: wow THANKS @maflcko for the sanity check

achow101 merged this on Mar 13, 2024

achow101 closed this on Mar 13, 2024

vasild commented at 12:19 pm on March 13, 2024: contributor

autogen

wen cmake?

fanquake commented at 12:27 pm on March 13, 2024: member

Is the expectation here that we should see a lot more Cannot connect to socket for xxxxx in debug.logs? (when not using any of these new features).

pinheadmz commented at 2:11 pm on March 13, 2024: member

Is the expectation here that we should see a lot more Cannot connect to socket for xxxxx in debug.logs? (when not using any of these new features).

Yes but that log message can be removed or set to debug in a follow-up. With -debug=net you can see what the original messages were for that code path, with the extra message following:

02024-03-13T14:08:49Z [net] connection attempt to 95.165.161.198:8333 timed out
12024-03-13T14:08:49Z Cannot connect to socket for 95.165.161.198:8333
2...
32024-03-13T14:08:50Z [net] connect() to 31.150.240.73:8333 failed after wait: Connection refused (61)
42024-03-13T14:08:50Z Cannot connect to socket for 31.150.240.73:8333

I have a few unix sockets follow ups planned: RPC & bitcoin-cli (maybe speed up the tests!) and ZMQ. I’ll clean up this log message in those

fanquake commented at 2:13 pm on March 13, 2024: member

Ok, it needs to be cleaned up because it’s just spammy/pointless. i.e:

 02024-03-13T13:26:00Z Cannot connect to socket for 151.213.177.128:8333
 12024-03-13T13:26:24Z Cannot connect to socket for 75.88.65.59:8333
 22024-03-13T13:26:48Z Cannot connect to socket for 76.114.61.112:8333
 32024-03-13T13:28:55Z Cannot connect to socket for [2600:8805:5c26:eb00:61b0:c6a7:451:1b39]:8333
 42024-03-13T13:30:45Z New block-relay-only v1 peer connected: version: 70016, blocks=834513, peer=39
 52024-03-13T13:32:01Z Cannot connect to socket for [2a04:6ec0:20d:d050:819a:ceb8:4416:2bc0]:8333
 62024-03-13T13:32:14Z New block-relay-only v1 peer connected: version: 70016, blocks=834513, peer=40
 72024-03-13T13:34:47Z New block-relay-only v1 peer connected: version: 70016, blocks=834513, peer=41
 82024-03-13T13:34:58Z Cannot connect to socket for 122.206.190.60:8333
 92024-03-13T13:36:23Z New block-relay-only v1 peer connected: version: 70016, blocks=834513, peer=42
102024-03-13T13:37:38Z Cannot connect to socket for 138.199.60.26:8333
112024-03-13T13:38:34Z Cannot connect to socket for 120.236.171.239:8333
122024-03-13T13:39:00Z Cannot connect to socket for 35.72.149.104:8333
132024-03-13T13:41:22Z Cannot connect to socket for 176.199.211.63:8333
142024-03-13T13:41:25Z Cannot connect to socket for [2804:7f0:7c80:196f:b0b2:1642:e4a9:b794]:8333
152024-03-13T13:41:37Z Cannot connect to socket for [2a00:b700::3:379]:8333
162024-03-13T13:42:55Z Cannot connect to socket for [2001:871:24b:ab3e:d1f2:1f7e:b950:692f]:8333
172024-03-13T13:43:01Z New block-relay-only v1 peer connected: version: 70016, blocks=834513, peer=43
182024-03-13T13:45:30Z Cannot connect to socket for 121.237.138.96:8333
192024-03-13T13:46:56Z Cannot connect to socket for 110.153.86.87:8333
202024-03-13T13:48:32Z Saw new header hash=0000000000000000000071923ef5a18dc17d47717fae386296dfe8902414ea71 height=834514
212024-03-13T13:48:32Z Saw new cmpctblock header hash=0000000000000000000071923ef5a18dc17d47717fae386296dfe8902414ea71 peer=16
222024-03-13T13:48:32Z UpdateTip: new best=0000000000000000000071923ef5a18dc17d47717fae386296dfe8902414ea71 height=834514 version=0x2fffe000 log2_work=94.792163 tx=976064192 date='2024-03-13T13:48:27Z' progress=1.000000 cache=232.4MiB(1767736txo)
232024-03-13T13:50:28Z Cannot connect to socket for 58.219.96.208:8333
242024-03-13T13:50:41Z Cannot connect to socket for 189.19.183.194:8333
252024-03-13T13:52:56Z New block-relay-only v1 peer connected: version: 70016, blocks=834514, peer=45
262024-03-13T13:53:12Z Cannot connect to socket for [2600:381:6a90:cfa5:b0a4:5c43:fdb8:9298]:8333
272024-03-13T13:56:25Z Cannot connect to socket for [2003:d7:df24:a900:53a3:8916:d525:9958]:8333
282024-03-13T14:00:04Z Cannot connect to socket for 97.96.100.48:8333
292024-03-13T14:03:56Z Cannot connect to socket for 195.181.167.197:8333
302024-03-13T14:04:02Z Saw new header hash=00000000000000000001ee20083bb8df96e256bb46dd856c48f686b692dbc29b height=834515
312024-03-13T14:04:02Z Saw new cmpctblock header hash=00000000000000000001ee20083bb8df96e256bb46dd856c48f686b692dbc29b peer=16
322024-03-13T14:04:02Z UpdateTip: new best=00000000000000000001ee20083bb8df96e256bb46dd856c48f686b692dbc29b height=834515 version=0x294c8000 log2_work=94.792178 tx=976067423 date='2024-03-13T14:03:37Z' progress=1.000000 cache=234.9MiB(1785815txo)
332024-03-13T14:04:31Z Cannot connect to socket for [2606:6080:1001:30:5f94:f242:c829:1017]:8333
342024-03-13T14:04:32Z Saw new header hash=00000000000000000001cee842398455cae402ab13037a450fe4829db7efd2e2 height=834516
352024-03-13T14:04:32Z Saw new cmpctblock header hash=00000000000000000001cee842398455cae402ab13037a450fe4829db7efd2e2 peer=16
362024-03-13T14:04:33Z UpdateTip: new best=00000000000000000001cee842398455cae402ab13037a450fe4829db7efd2e2 height=834516 version=0x27fd4000 log2_work=94.792192 tx=976069773 date='2024-03-13T14:04:13Z' progress=1.000000 cache=236.4MiB(1799558txo)
372024-03-13T14:04:59Z Cannot connect to socket for 178.70.102.186:8333
382024-03-13T14:05:43Z Cannot connect to socket for [2409:8a55:6ad:7101:49d4:4737:ccad:17c]:8333
392024-03-13T14:06:21Z Saw new header hash=000000000000000000030739bcd83bfdfc6a03a1a58e21e4c61d6b59ac047569 height=834517
402024-03-13T14:06:21Z Saw new cmpctblock header hash=000000000000000000030739bcd83bfdfc6a03a1a58e21e4c61d6b59ac047569 peer=16
412024-03-13T14:06:21Z UpdateTip: new best=000000000000000000030739bcd83bfdfc6a03a1a58e21e4c61d6b59ac047569 height=834517 version=0x2cbea000 log2_work=94.792206 tx=976071288 date='2024-03-13T14:05:33Z' progress=1.000000 cache=236.4MiB(1802022txo)
422024-03-13T14:06:45Z Cannot connect to socket for 86.168.50.224:8333
432024-03-13T14:08:29Z Cannot connect to socket for 194.163.131.91:39388
442024-03-13T14:11:12Z Cannot connect to socket for [2603:6080:7a0e:59ff:9da7:4932:3d76:58ec]:8333
452024-03-13T14:11:41Z Cannot connect to socket for 108.214.8.13:60501
462024-03-13T14:12:06Z Cannot connect to socket for 84.178.138.51:8333

pinheadmz referenced this in commit 95fda8a339 on Mar 13, 2024

pinheadmz referenced this in commit bdd38fc6e3 on Mar 13, 2024

pinheadmz referenced this in commit c70e4fc9a3 on Mar 13, 2024

fanquake referenced this in commit 55c6323434 on Mar 14, 2024

net: support unix domain sockets for -proxy and -onion #27375

Code Coverage

Reviews

Conflicts