diff -r 000000000000 -r 6474c204b198 netwerk/socket/nsSOCKSIOLayer.cpp --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/netwerk/socket/nsSOCKSIOLayer.cpp Wed Dec 31 06:09:35 2014 +0100 @@ -0,0 +1,1420 @@ +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ +/* vim:set expandtab ts=4 sw=4 sts=4 cin: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nspr.h" +#include "private/pprio.h" +#include "nsString.h" +#include "nsCRT.h" + +#include "nsIServiceManager.h" +#include "nsIDNSService.h" +#include "nsIDNSRecord.h" +#include "nsISOCKSSocketInfo.h" +#include "nsISocketProvider.h" +#include "nsSOCKSIOLayer.h" +#include "nsNetCID.h" +#include "nsIDNSListener.h" +#include "nsICancelable.h" +#include "nsThreadUtils.h" +#include "mozilla/net/DNS.h" + +using namespace mozilla::net; + +static PRDescIdentity nsSOCKSIOLayerIdentity; +static PRIOMethods nsSOCKSIOLayerMethods; +static bool firstTime = true; +static bool ipv6Supported = true; + +#if defined(PR_LOGGING) +static PRLogModuleInfo *gSOCKSLog; +#define LOGDEBUG(args) PR_LOG(gSOCKSLog, PR_LOG_DEBUG, args) +#define LOGERROR(args) PR_LOG(gSOCKSLog, PR_LOG_ERROR , args) + +#else +#define LOGDEBUG(args) +#define LOGERROR(args) +#endif + +class nsSOCKSSocketInfo : public nsISOCKSSocketInfo + , public nsIDNSListener +{ + enum State { + SOCKS_INITIAL, + SOCKS_DNS_IN_PROGRESS, + SOCKS_DNS_COMPLETE, + SOCKS_CONNECTING_TO_PROXY, + SOCKS4_WRITE_CONNECT_REQUEST, + SOCKS4_READ_CONNECT_RESPONSE, + SOCKS5_WRITE_AUTH_REQUEST, + SOCKS5_READ_AUTH_RESPONSE, + SOCKS5_WRITE_USERNAME_REQUEST, + SOCKS5_READ_USERNAME_RESPONSE, + SOCKS5_WRITE_CONNECT_REQUEST, + SOCKS5_READ_CONNECT_RESPONSE_TOP, + SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, + SOCKS_CONNECTED, + SOCKS_FAILED + }; + + // A buffer of 520 bytes should be enough for any request and response + // in case of SOCKS4 as well as SOCKS5 + static const uint32_t BUFFER_SIZE = 520; + static const uint32_t MAX_HOSTNAME_LEN = 255; + static const uint32_t MAX_USERNAME_LEN = 255; + static const uint32_t MAX_PASSWORD_LEN = 255; + +public: + nsSOCKSSocketInfo(); + virtual ~nsSOCKSSocketInfo() { HandshakeFinished(); } + + NS_DECL_THREADSAFE_ISUPPORTS + NS_DECL_NSISOCKSSOCKETINFO + NS_DECL_NSIDNSLISTENER + + void Init(int32_t version, + int32_t family, + nsIProxyInfo *proxy, + const char *destinationHost, + uint32_t flags); + + void SetConnectTimeout(PRIntervalTime to); + PRStatus DoHandshake(PRFileDesc *fd, int16_t oflags = -1); + int16_t GetPollFlags() const; + bool IsConnected() const { return (mState == SOCKS_CONNECTED || + mState == SOCKS5_READ_CONNECT_RESPONSE_TOP); } + + void ForgetFD() { mFD = nullptr; } + +private: + void HandshakeFinished(PRErrorCode err = 0); + PRStatus StartDNS(PRFileDesc *fd); + PRStatus ConnectToProxy(PRFileDesc *fd); + void FixupAddressFamily(PRFileDesc *fd, NetAddr *proxy); + PRStatus ContinueConnectingToProxy(PRFileDesc *fd, int16_t oflags); + PRStatus WriteV4ConnectRequest(); + PRStatus ReadV4ConnectResponse(); + PRStatus WriteV5AuthRequest(); + PRStatus ReadV5AuthResponse(); + PRStatus WriteV5UsernameRequest(); + PRStatus ReadV5UsernameResponse(); + PRStatus WriteV5ConnectRequest(); + PRStatus ReadV5AddrTypeAndLength(uint8_t *type, uint32_t *len); + PRStatus ReadV5ConnectResponseTop(); + PRStatus ReadV5ConnectResponseBottom(); + + void WriteUint8(uint8_t d); + void WriteUint16(uint16_t d); + void WriteUint32(uint32_t d); + void WriteNetAddr(const NetAddr *addr); + void WriteNetPort(const NetAddr *addr); + void WriteString(const nsACString &str); + + uint8_t ReadUint8(); + uint16_t ReadUint16(); + uint32_t ReadUint32(); + void ReadNetAddr(NetAddr *addr, uint16_t fam); + void ReadNetPort(NetAddr *addr); + + void WantRead(uint32_t sz); + PRStatus ReadFromSocket(PRFileDesc *fd); + PRStatus WriteToSocket(PRFileDesc *fd); + +private: + State mState; + uint8_t * mData; + uint8_t * mDataIoPtr; + uint32_t mDataLength; + uint32_t mReadOffset; + uint32_t mAmountToRead; + nsCOMPtr mDnsRec; + nsCOMPtr mLookup; + nsresult mLookupStatus; + PRFileDesc *mFD; + + nsCString mDestinationHost; + nsCOMPtr mProxy; + int32_t mVersion; // SOCKS version 4 or 5 + int32_t mDestinationFamily; + uint32_t mFlags; + NetAddr mInternalProxyAddr; + NetAddr mExternalProxyAddr; + NetAddr mDestinationAddr; + PRIntervalTime mTimeout; + nsCString mProxyUsername; // Cache, from mProxy +}; + +nsSOCKSSocketInfo::nsSOCKSSocketInfo() + : mState(SOCKS_INITIAL) + , mDataIoPtr(nullptr) + , mDataLength(0) + , mReadOffset(0) + , mAmountToRead(0) + , mVersion(-1) + , mDestinationFamily(AF_INET) + , mFlags(0) + , mTimeout(PR_INTERVAL_NO_TIMEOUT) +{ + mData = new uint8_t[BUFFER_SIZE]; + + mInternalProxyAddr.raw.family = AF_INET; + mInternalProxyAddr.inet.ip = htonl(INADDR_ANY); + mInternalProxyAddr.inet.port = htons(0); + + mExternalProxyAddr.raw.family = AF_INET; + mExternalProxyAddr.inet.ip = htonl(INADDR_ANY); + mExternalProxyAddr.inet.port = htons(0); + + mDestinationAddr.raw.family = AF_INET; + mDestinationAddr.inet.ip = htonl(INADDR_ANY); + mDestinationAddr.inet.port = htons(0); +} + +void +nsSOCKSSocketInfo::Init(int32_t version, int32_t family, nsIProxyInfo *proxy, const char *host, uint32_t flags) +{ + mVersion = version; + mDestinationFamily = family; + mProxy = proxy; + mDestinationHost = host; + mFlags = flags; + mProxy->GetUsername(mProxyUsername); // cache +} + +NS_IMPL_ISUPPORTS(nsSOCKSSocketInfo, nsISOCKSSocketInfo, nsIDNSListener) + +NS_IMETHODIMP +nsSOCKSSocketInfo::GetExternalProxyAddr(NetAddr * *aExternalProxyAddr) +{ + memcpy(*aExternalProxyAddr, &mExternalProxyAddr, sizeof(NetAddr)); + return NS_OK; +} + +NS_IMETHODIMP +nsSOCKSSocketInfo::SetExternalProxyAddr(NetAddr *aExternalProxyAddr) +{ + memcpy(&mExternalProxyAddr, aExternalProxyAddr, sizeof(NetAddr)); + return NS_OK; +} + +NS_IMETHODIMP +nsSOCKSSocketInfo::GetDestinationAddr(NetAddr * *aDestinationAddr) +{ + memcpy(*aDestinationAddr, &mDestinationAddr, sizeof(NetAddr)); + return NS_OK; +} + +NS_IMETHODIMP +nsSOCKSSocketInfo::SetDestinationAddr(NetAddr *aDestinationAddr) +{ + memcpy(&mDestinationAddr, aDestinationAddr, sizeof(NetAddr)); + return NS_OK; +} + +NS_IMETHODIMP +nsSOCKSSocketInfo::GetInternalProxyAddr(NetAddr * *aInternalProxyAddr) +{ + memcpy(*aInternalProxyAddr, &mInternalProxyAddr, sizeof(NetAddr)); + return NS_OK; +} + +NS_IMETHODIMP +nsSOCKSSocketInfo::SetInternalProxyAddr(NetAddr *aInternalProxyAddr) +{ + memcpy(&mInternalProxyAddr, aInternalProxyAddr, sizeof(NetAddr)); + return NS_OK; +} + +// There needs to be a means of distinguishing between connection errors +// that the SOCKS server reports when it rejects a connection request, and +// connection errors that happen while attempting to connect to the SOCKS +// server. Otherwise, Firefox will report incorrectly that the proxy server +// is refusing connections when a SOCKS request is rejected by the proxy. +// When a SOCKS handshake failure occurs, the PR error is set to +// PR_UNKNOWN_ERROR, and the real error code is returned via the OS error. +void +nsSOCKSSocketInfo::HandshakeFinished(PRErrorCode err) +{ + if (err == 0) { + mState = SOCKS_CONNECTED; + } else { + mState = SOCKS_FAILED; + PR_SetError(PR_UNKNOWN_ERROR, err); + } + + // We don't need the buffer any longer, so free it. + delete [] mData; + mData = nullptr; + mDataIoPtr = nullptr; + mDataLength = 0; + mReadOffset = 0; + mAmountToRead = 0; + if (mLookup) { + mLookup->Cancel(NS_ERROR_FAILURE); + mLookup = nullptr; + } +} + +PRStatus +nsSOCKSSocketInfo::StartDNS(PRFileDesc *fd) +{ + NS_ABORT_IF_FALSE(!mDnsRec && mState == SOCKS_INITIAL, + "Must be in initial state to make DNS Lookup"); + + nsCOMPtr dns = do_GetService(NS_DNSSERVICE_CONTRACTID); + if (!dns) + return PR_FAILURE; + + nsCString proxyHost; + mProxy->GetHost(proxyHost); + + mFD = fd; + nsresult rv = dns->AsyncResolve(proxyHost, 0, this, + NS_GetCurrentThread(), + getter_AddRefs(mLookup)); + + if (NS_FAILED(rv)) { + LOGERROR(("socks: DNS lookup for SOCKS proxy %s failed", + proxyHost.get())); + return PR_FAILURE; + } + mState = SOCKS_DNS_IN_PROGRESS; + PR_SetError(PR_IN_PROGRESS_ERROR, 0); + return PR_FAILURE; +} + +NS_IMETHODIMP +nsSOCKSSocketInfo::OnLookupComplete(nsICancelable *aRequest, + nsIDNSRecord *aRecord, + nsresult aStatus) +{ + NS_ABORT_IF_FALSE(aRequest == mLookup, "wrong DNS query"); + mLookup = nullptr; + mLookupStatus = aStatus; + mDnsRec = aRecord; + mState = SOCKS_DNS_COMPLETE; + if (mFD) { + ConnectToProxy(mFD); + ForgetFD(); + } + return NS_OK; +} + +PRStatus +nsSOCKSSocketInfo::ConnectToProxy(PRFileDesc *fd) +{ + PRStatus status; + nsresult rv; + + NS_ABORT_IF_FALSE(mState == SOCKS_DNS_COMPLETE, + "Must have DNS to make connection!"); + + if (NS_FAILED(mLookupStatus)) { + PR_SetError(PR_BAD_ADDRESS_ERROR, 0); + return PR_FAILURE; + } + + // Try socks5 if the destination addrress is IPv6 + if (mVersion == 4 && + mDestinationAddr.raw.family == AF_INET6) { + mVersion = 5; + } + + int32_t proxyPort; + mProxy->GetPort(&proxyPort); + + int32_t addresses = 0; + do { + if (addresses++) + mDnsRec->ReportUnusable(proxyPort); + + rv = mDnsRec->GetNextAddr(proxyPort, &mInternalProxyAddr); + // No more addresses to try? If so, we'll need to bail + if (NS_FAILED(rv)) { + nsCString proxyHost; + mProxy->GetHost(proxyHost); + LOGERROR(("socks: unable to connect to SOCKS proxy, %s", + proxyHost.get())); + return PR_FAILURE; + } + +#if defined(PR_LOGGING) + char buf[kIPv6CStrBufSize]; + NetAddrToString(&mInternalProxyAddr, buf, sizeof(buf)); + LOGDEBUG(("socks: trying proxy server, %s:%hu", + buf, ntohs(mInternalProxyAddr.inet.port))); +#endif + NetAddr proxy = mInternalProxyAddr; + FixupAddressFamily(fd, &proxy); + PRNetAddr prProxy; + NetAddrToPRNetAddr(&proxy, &prProxy); + status = fd->lower->methods->connect(fd->lower, &prProxy, mTimeout); + if (status != PR_SUCCESS) { + PRErrorCode c = PR_GetError(); + // If EINPROGRESS, return now and check back later after polling + if (c == PR_WOULD_BLOCK_ERROR || c == PR_IN_PROGRESS_ERROR) { + mState = SOCKS_CONNECTING_TO_PROXY; + return status; + } + } + } while (status != PR_SUCCESS); + + // Connected now, start SOCKS + if (mVersion == 4) + return WriteV4ConnectRequest(); + return WriteV5AuthRequest(); +} + +void +nsSOCKSSocketInfo::FixupAddressFamily(PRFileDesc *fd, NetAddr *proxy) +{ + int32_t proxyFamily = mInternalProxyAddr.raw.family; + // Do nothing if the address family is already matched + if (proxyFamily == mDestinationFamily) { + return; + } + // If the system does not support IPv6 and the proxy address is IPv6, + // We can do nothing here. + if (proxyFamily == AF_INET6 && !ipv6Supported) { + return; + } + // If the system does not support IPv6 and the destination address is + // IPv6, convert IPv4 address to IPv4-mapped IPv6 address to satisfy + // the emulation layer + if (mDestinationFamily == AF_INET6 && !ipv6Supported) { + proxy->inet6.family = AF_INET6; + proxy->inet6.port = mInternalProxyAddr.inet.port; + uint8_t *proxyp = proxy->inet6.ip.u8; + memset(proxyp, 0, 10); + memset(proxyp + 10, 0xff, 2); + memcpy(proxyp + 12,(char *) &mInternalProxyAddr.inet.ip, 4); + // mDestinationFamily should not be updated + return; + } + // Get an OS native handle from a specified FileDesc + PROsfd osfd = PR_FileDesc2NativeHandle(fd); + if (osfd == -1) { + return; + } + // Create a new FileDesc with a specified family + PRFileDesc *tmpfd = PR_OpenTCPSocket(proxyFamily); + if (!tmpfd) { + return; + } + PROsfd newsd = PR_FileDesc2NativeHandle(tmpfd); + if (newsd == -1) { + PR_Close(tmpfd); + return; + } + // Must succeed because PR_FileDesc2NativeHandle succeeded + fd = PR_GetIdentitiesLayer(fd, PR_NSPR_IO_LAYER); + MOZ_ASSERT(fd); + // Swap OS native handles + PR_ChangeFileDescNativeHandle(fd, newsd); + PR_ChangeFileDescNativeHandle(tmpfd, osfd); + // Close temporary FileDesc which is now associated with + // old OS native handle + PR_Close(tmpfd); + mDestinationFamily = proxyFamily; +} + +PRStatus +nsSOCKSSocketInfo::ContinueConnectingToProxy(PRFileDesc *fd, int16_t oflags) +{ + PRStatus status; + + NS_ABORT_IF_FALSE(mState == SOCKS_CONNECTING_TO_PROXY, + "Continuing connection in wrong state!"); + + LOGDEBUG(("socks: continuing connection to proxy")); + + status = fd->lower->methods->connectcontinue(fd->lower, oflags); + if (status != PR_SUCCESS) { + PRErrorCode c = PR_GetError(); + if (c != PR_WOULD_BLOCK_ERROR && c != PR_IN_PROGRESS_ERROR) { + // A connection failure occured, try another address + mState = SOCKS_DNS_COMPLETE; + return ConnectToProxy(fd); + } + + // We're still connecting + return PR_FAILURE; + } + + // Connected now, start SOCKS + if (mVersion == 4) + return WriteV4ConnectRequest(); + return WriteV5AuthRequest(); +} + +PRStatus +nsSOCKSSocketInfo::WriteV4ConnectRequest() +{ + if (mProxyUsername.Length() > MAX_USERNAME_LEN) { + LOGERROR(("socks username is too long")); + HandshakeFinished(PR_UNKNOWN_ERROR); + return PR_FAILURE; + } + + NetAddr *addr = &mDestinationAddr; + int32_t proxy_resolve; + + NS_ABORT_IF_FALSE(mState == SOCKS_CONNECTING_TO_PROXY, + "Invalid state!"); + + proxy_resolve = mFlags & nsISocketProvider::PROXY_RESOLVES_HOST; + + mDataLength = 0; + mState = SOCKS4_WRITE_CONNECT_REQUEST; + + LOGDEBUG(("socks4: sending connection request (socks4a resolve? %s)", + proxy_resolve? "yes" : "no")); + + // Send a SOCKS 4 connect request. + WriteUint8(0x04); // version -- 4 + WriteUint8(0x01); // command -- connect + WriteNetPort(addr); + if (proxy_resolve) { + // Add the full name, null-terminated, to the request + // according to SOCKS 4a. A fake IP address, with the first + // four bytes set to 0 and the last byte set to something other + // than 0, is used to notify the proxy that this is a SOCKS 4a + // request. This request type works for Tor and perhaps others. + WriteUint32(htonl(0x00000001)); // Fake IP + WriteString(mProxyUsername); // Send username. May be empty. + WriteUint8(0x00); // Null-terminate username + // Password not supported by V4. + if (mDestinationHost.Length() > MAX_HOSTNAME_LEN) { + LOGERROR(("socks4: destination host name is too long!")); + HandshakeFinished(PR_BAD_ADDRESS_ERROR); + return PR_FAILURE; + } + WriteString(mDestinationHost); // Hostname + WriteUint8(0x00); + } else if (addr->raw.family == AF_INET) { + WriteNetAddr(addr); // Add the IPv4 address + WriteString(mProxyUsername); // Send username. May be empty. + WriteUint8(0x00); // Null-terminate username + // Password not supported by V4. + } else if (addr->raw.family == AF_INET6) { + LOGERROR(("socks: SOCKS 4 can't handle IPv6 addresses!")); + HandshakeFinished(PR_BAD_ADDRESS_ERROR); + return PR_FAILURE; + } + + return PR_SUCCESS; +} + +PRStatus +nsSOCKSSocketInfo::ReadV4ConnectResponse() +{ + NS_ABORT_IF_FALSE(mState == SOCKS4_READ_CONNECT_RESPONSE, + "Handling SOCKS 4 connection reply in wrong state!"); + + LOGDEBUG(("socks4: checking connection reply")); + + if (mDataLength != 8) { + LOGERROR(("SOCKS 4 connection reply must be 8 bytes!")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } + + if (ReadUint8() != 0x00) { + LOGERROR(("socks4: wrong connection reply")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } + + // See if our connection request was granted + if (ReadUint8() == 90) { + LOGDEBUG(("socks4: connection successful!")); + HandshakeFinished(); + return PR_SUCCESS; + } + + LOGERROR(("socks4: unable to connect")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; +} + +PRStatus +nsSOCKSSocketInfo::WriteV5AuthRequest() +{ + NS_ABORT_IF_FALSE(mVersion == 5, "SOCKS version must be 5!"); + + mDataLength = 0; + mState = SOCKS5_WRITE_AUTH_REQUEST; + + // Send an initial SOCKS 5 greeting + LOGDEBUG(("socks5: sending auth methods")); + WriteUint8(0x05); // version -- 5 + WriteUint8(0x01); // # of auth methods -- 1 + if (mProxyUsername.IsEmpty()) { + WriteUint8(0x00); // no authentication + } else { + WriteUint8(0x02); // username/password + } + + return PR_SUCCESS; +} + +PRStatus +nsSOCKSSocketInfo::ReadV5AuthResponse() +{ + NS_ABORT_IF_FALSE(mState == SOCKS5_READ_AUTH_RESPONSE, + "Handling SOCKS 5 auth method reply in wrong state!"); + + if (mDataLength != 2) { + LOGERROR(("SOCKS 5 auth method reply must be 2 bytes")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } + + // Check version number + if (ReadUint8() != 0x05) { + LOGERROR(("socks5: unexpected version in the reply")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } + + // Make sure our authentication choice was accepted, + // and continue accordingly + uint8_t authMethod = ReadUint8(); + if (mProxyUsername.IsEmpty() && authMethod == 0x00) { // no auth + LOGDEBUG(("socks5: server allows connection without authentication")); + return WriteV5ConnectRequest(); + } else if (!mProxyUsername.IsEmpty() && authMethod == 0x02) { // username/pw + LOGDEBUG(("socks5: auth method accepted by server")); + return WriteV5UsernameRequest(); + } else { // 0xFF signals error + LOGERROR(("socks5: server did not accept our authentication method")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } +} + +PRStatus +nsSOCKSSocketInfo::WriteV5UsernameRequest() +{ + NS_ABORT_IF_FALSE(mVersion == 5, "SOCKS version must be 5!"); + + if (mProxyUsername.Length() > MAX_USERNAME_LEN) { + LOGERROR(("socks username is too long")); + HandshakeFinished(PR_UNKNOWN_ERROR); + return PR_FAILURE; + } + + nsCString password; + mProxy->GetPassword(password); + if (password.Length() > MAX_PASSWORD_LEN) { + LOGERROR(("socks password is too long")); + HandshakeFinished(PR_UNKNOWN_ERROR); + return PR_FAILURE; + } + + mDataLength = 0; + mState = SOCKS5_WRITE_USERNAME_REQUEST; + + LOGDEBUG(("socks5: sending username and password")); + // RFC 1929 Username/password auth for SOCKS 5 + WriteUint8(0x01); // version 1 (not 5) + WriteUint8(mProxyUsername.Length()); // username length + WriteString(mProxyUsername); // username + WriteUint8(password.Length()); // password length + WriteString(password); // password. WARNING: Sent unencrypted! + + return PR_SUCCESS; +} + +PRStatus +nsSOCKSSocketInfo::ReadV5UsernameResponse() +{ + NS_ABORT_IF_FALSE(mState == SOCKS5_READ_USERNAME_RESPONSE, + "Handling SOCKS 5 username/password reply in wrong state!"); + + if (mDataLength != 2) { + LOGERROR(("SOCKS 5 username reply must be 2 bytes")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } + + // Check version number, must be 1 (not 5) + if (ReadUint8() != 0x01) { + LOGERROR(("socks5: unexpected version in the reply")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } + + // Check whether username/password were accepted + if (ReadUint8() != 0x00) { // 0 = success + LOGERROR(("socks5: username/password not accepted")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } + + LOGDEBUG(("socks5: username/password accepted by server")); + + return WriteV5ConnectRequest(); +} + +PRStatus +nsSOCKSSocketInfo::WriteV5ConnectRequest() +{ + // Send SOCKS 5 connect request + NetAddr *addr = &mDestinationAddr; + int32_t proxy_resolve; + proxy_resolve = mFlags & nsISocketProvider::PROXY_RESOLVES_HOST; + + LOGDEBUG(("socks5: sending connection request (socks5 resolve? %s)", + proxy_resolve? "yes" : "no")); + + mDataLength = 0; + mState = SOCKS5_WRITE_CONNECT_REQUEST; + + WriteUint8(0x05); // version -- 5 + WriteUint8(0x01); // command -- connect + WriteUint8(0x00); // reserved + + // Add the address to the SOCKS 5 request. SOCKS 5 supports several + // address types, so we pick the one that works best for us. + if (proxy_resolve) { + // Add the host name. Only a single byte is used to store the length, + // so we must prevent long names from being used. + if (mDestinationHost.Length() > MAX_HOSTNAME_LEN) { + LOGERROR(("socks5: destination host name is too long!")); + HandshakeFinished(PR_BAD_ADDRESS_ERROR); + return PR_FAILURE; + } + WriteUint8(0x03); // addr type -- domainname + WriteUint8(mDestinationHost.Length()); // name length + WriteString(mDestinationHost); + } else if (addr->raw.family == AF_INET) { + WriteUint8(0x01); // addr type -- IPv4 + WriteNetAddr(addr); + } else if (addr->raw.family == AF_INET6) { + WriteUint8(0x04); // addr type -- IPv6 + WriteNetAddr(addr); + } else { + LOGERROR(("socks5: destination address of unknown type!")); + HandshakeFinished(PR_BAD_ADDRESS_ERROR); + return PR_FAILURE; + } + + WriteNetPort(addr); // port + + return PR_SUCCESS; +} + +PRStatus +nsSOCKSSocketInfo::ReadV5AddrTypeAndLength(uint8_t *type, uint32_t *len) +{ + NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_TOP || + mState == SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, + "Invalid state!"); + NS_ABORT_IF_FALSE(mDataLength >= 5, + "SOCKS 5 connection reply must be at least 5 bytes!"); + + // Seek to the address location + mReadOffset = 3; + + *type = ReadUint8(); + + switch (*type) { + case 0x01: // ipv4 + *len = 4 - 1; + break; + case 0x04: // ipv6 + *len = 16 - 1; + break; + case 0x03: // fqdn + *len = ReadUint8(); + break; + default: // wrong address type + LOGERROR(("socks5: wrong address type in connection reply!")); + return PR_FAILURE; + } + + return PR_SUCCESS; +} + +PRStatus +nsSOCKSSocketInfo::ReadV5ConnectResponseTop() +{ + uint8_t res; + uint32_t len; + + NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_TOP, + "Invalid state!"); + NS_ABORT_IF_FALSE(mDataLength == 5, + "SOCKS 5 connection reply must be exactly 5 bytes!"); + + LOGDEBUG(("socks5: checking connection reply")); + + // Check version number + if (ReadUint8() != 0x05) { + LOGERROR(("socks5: unexpected version in the reply")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } + + // Check response + res = ReadUint8(); + if (res != 0x00) { + PRErrorCode c = PR_CONNECT_REFUSED_ERROR; + + switch (res) { + case 0x01: + LOGERROR(("socks5: connect failed: " + "01, General SOCKS server failure.")); + break; + case 0x02: + LOGERROR(("socks5: connect failed: " + "02, Connection not allowed by ruleset.")); + break; + case 0x03: + LOGERROR(("socks5: connect failed: 03, Network unreachable.")); + c = PR_NETWORK_UNREACHABLE_ERROR; + break; + case 0x04: + LOGERROR(("socks5: connect failed: 04, Host unreachable.")); + break; + case 0x05: + LOGERROR(("socks5: connect failed: 05, Connection refused.")); + break; + case 0x06: + LOGERROR(("socks5: connect failed: 06, TTL expired.")); + c = PR_CONNECT_TIMEOUT_ERROR; + break; + case 0x07: + LOGERROR(("socks5: connect failed: " + "07, Command not supported.")); + break; + case 0x08: + LOGERROR(("socks5: connect failed: " + "08, Address type not supported.")); + c = PR_BAD_ADDRESS_ERROR; + break; + default: + LOGERROR(("socks5: connect failed.")); + break; + } + + HandshakeFinished(c); + return PR_FAILURE; + } + + if (ReadV5AddrTypeAndLength(&res, &len) != PR_SUCCESS) { + HandshakeFinished(PR_BAD_ADDRESS_ERROR); + return PR_FAILURE; + } + + mState = SOCKS5_READ_CONNECT_RESPONSE_BOTTOM; + WantRead(len + 2); + + return PR_SUCCESS; +} + +PRStatus +nsSOCKSSocketInfo::ReadV5ConnectResponseBottom() +{ + uint8_t type; + uint32_t len; + + NS_ABORT_IF_FALSE(mState == SOCKS5_READ_CONNECT_RESPONSE_BOTTOM, + "Invalid state!"); + + if (ReadV5AddrTypeAndLength(&type, &len) != PR_SUCCESS) { + HandshakeFinished(PR_BAD_ADDRESS_ERROR); + return PR_FAILURE; + } + + NS_ABORT_IF_FALSE(mDataLength == 7+len, + "SOCKS 5 unexpected length of connection reply!"); + + LOGDEBUG(("socks5: loading source addr and port")); + // Read what the proxy says is our source address + switch (type) { + case 0x01: // ipv4 + ReadNetAddr(&mExternalProxyAddr, AF_INET); + break; + case 0x04: // ipv6 + ReadNetAddr(&mExternalProxyAddr, AF_INET6); + break; + case 0x03: // fqdn (skip) + mReadOffset += len; + mExternalProxyAddr.raw.family = AF_INET; + break; + } + + ReadNetPort(&mExternalProxyAddr); + + LOGDEBUG(("socks5: connected!")); + HandshakeFinished(); + + return PR_SUCCESS; +} + +void +nsSOCKSSocketInfo::SetConnectTimeout(PRIntervalTime to) +{ + mTimeout = to; +} + +PRStatus +nsSOCKSSocketInfo::DoHandshake(PRFileDesc *fd, int16_t oflags) +{ + LOGDEBUG(("socks: DoHandshake(), state = %d", mState)); + + switch (mState) { + case SOCKS_INITIAL: + return StartDNS(fd); + case SOCKS_DNS_IN_PROGRESS: + PR_SetError(PR_IN_PROGRESS_ERROR, 0); + return PR_FAILURE; + case SOCKS_DNS_COMPLETE: + return ConnectToProxy(fd); + case SOCKS_CONNECTING_TO_PROXY: + return ContinueConnectingToProxy(fd, oflags); + case SOCKS4_WRITE_CONNECT_REQUEST: + if (WriteToSocket(fd) != PR_SUCCESS) + return PR_FAILURE; + WantRead(8); + mState = SOCKS4_READ_CONNECT_RESPONSE; + return PR_SUCCESS; + case SOCKS4_READ_CONNECT_RESPONSE: + if (ReadFromSocket(fd) != PR_SUCCESS) + return PR_FAILURE; + return ReadV4ConnectResponse(); + + case SOCKS5_WRITE_AUTH_REQUEST: + if (WriteToSocket(fd) != PR_SUCCESS) + return PR_FAILURE; + WantRead(2); + mState = SOCKS5_READ_AUTH_RESPONSE; + return PR_SUCCESS; + case SOCKS5_READ_AUTH_RESPONSE: + if (ReadFromSocket(fd) != PR_SUCCESS) + return PR_FAILURE; + return ReadV5AuthResponse(); + case SOCKS5_WRITE_USERNAME_REQUEST: + if (WriteToSocket(fd) != PR_SUCCESS) + return PR_FAILURE; + WantRead(2); + mState = SOCKS5_READ_USERNAME_RESPONSE; + return PR_SUCCESS; + case SOCKS5_READ_USERNAME_RESPONSE: + if (ReadFromSocket(fd) != PR_SUCCESS) + return PR_FAILURE; + return ReadV5UsernameResponse(); + case SOCKS5_WRITE_CONNECT_REQUEST: + if (WriteToSocket(fd) != PR_SUCCESS) + return PR_FAILURE; + + // The SOCKS 5 response to the connection request is variable + // length. First, we'll read enough to tell how long the response + // is, and will read the rest later. + WantRead(5); + mState = SOCKS5_READ_CONNECT_RESPONSE_TOP; + return PR_SUCCESS; + case SOCKS5_READ_CONNECT_RESPONSE_TOP: + if (ReadFromSocket(fd) != PR_SUCCESS) + return PR_FAILURE; + return ReadV5ConnectResponseTop(); + case SOCKS5_READ_CONNECT_RESPONSE_BOTTOM: + if (ReadFromSocket(fd) != PR_SUCCESS) + return PR_FAILURE; + return ReadV5ConnectResponseBottom(); + + case SOCKS_CONNECTED: + LOGERROR(("socks: already connected")); + HandshakeFinished(PR_IS_CONNECTED_ERROR); + return PR_FAILURE; + case SOCKS_FAILED: + LOGERROR(("socks: already failed")); + return PR_FAILURE; + } + + LOGERROR(("socks: executing handshake in invalid state, %d", mState)); + HandshakeFinished(PR_INVALID_STATE_ERROR); + + return PR_FAILURE; +} + +int16_t +nsSOCKSSocketInfo::GetPollFlags() const +{ + switch (mState) { + case SOCKS_DNS_IN_PROGRESS: + case SOCKS_DNS_COMPLETE: + case SOCKS_CONNECTING_TO_PROXY: + return PR_POLL_EXCEPT | PR_POLL_WRITE; + case SOCKS4_WRITE_CONNECT_REQUEST: + case SOCKS5_WRITE_AUTH_REQUEST: + case SOCKS5_WRITE_USERNAME_REQUEST: + case SOCKS5_WRITE_CONNECT_REQUEST: + return PR_POLL_WRITE; + case SOCKS4_READ_CONNECT_RESPONSE: + case SOCKS5_READ_AUTH_RESPONSE: + case SOCKS5_READ_USERNAME_RESPONSE: + case SOCKS5_READ_CONNECT_RESPONSE_TOP: + case SOCKS5_READ_CONNECT_RESPONSE_BOTTOM: + return PR_POLL_READ; + default: + break; + } + + return 0; +} + +inline void +nsSOCKSSocketInfo::WriteUint8(uint8_t v) +{ + MOZ_RELEASE_ASSERT(mDataLength + sizeof(v) <= BUFFER_SIZE, + "Can't write that much data!"); + mData[mDataLength] = v; + mDataLength += sizeof(v); +} + +inline void +nsSOCKSSocketInfo::WriteUint16(uint16_t v) +{ + MOZ_RELEASE_ASSERT(mDataLength + sizeof(v) <= BUFFER_SIZE, + "Can't write that much data!"); + memcpy(mData + mDataLength, &v, sizeof(v)); + mDataLength += sizeof(v); +} + +inline void +nsSOCKSSocketInfo::WriteUint32(uint32_t v) +{ + MOZ_RELEASE_ASSERT(mDataLength + sizeof(v) <= BUFFER_SIZE, + "Can't write that much data!"); + memcpy(mData + mDataLength, &v, sizeof(v)); + mDataLength += sizeof(v); +} + +void +nsSOCKSSocketInfo::WriteNetAddr(const NetAddr *addr) +{ + const char *ip = nullptr; + uint32_t len = 0; + + if (addr->raw.family == AF_INET) { + ip = (const char*)&addr->inet.ip; + len = sizeof(addr->inet.ip); + } else if (addr->raw.family == AF_INET6) { + ip = (const char*)addr->inet6.ip.u8; + len = sizeof(addr->inet6.ip.u8); + } + + MOZ_RELEASE_ASSERT(ip != nullptr, "Unknown address"); + MOZ_RELEASE_ASSERT(mDataLength + len <= BUFFER_SIZE, + "Can't write that much data!"); + + memcpy(mData + mDataLength, ip, len); + mDataLength += len; +} + +void +nsSOCKSSocketInfo::WriteNetPort(const NetAddr *addr) +{ + WriteUint16(addr->inet.port); +} + +void +nsSOCKSSocketInfo::WriteString(const nsACString &str) +{ + MOZ_RELEASE_ASSERT(mDataLength + str.Length() <= BUFFER_SIZE, + "Can't write that much data!"); + memcpy(mData + mDataLength, str.Data(), str.Length()); + mDataLength += str.Length(); +} + +inline uint8_t +nsSOCKSSocketInfo::ReadUint8() +{ + uint8_t rv; + MOZ_RELEASE_ASSERT(mReadOffset + sizeof(rv) <= mDataLength, + "Not enough space to pop a uint8_t!"); + rv = mData[mReadOffset]; + mReadOffset += sizeof(rv); + return rv; +} + +inline uint16_t +nsSOCKSSocketInfo::ReadUint16() +{ + uint16_t rv; + MOZ_RELEASE_ASSERT(mReadOffset + sizeof(rv) <= mDataLength, + "Not enough space to pop a uint16_t!"); + memcpy(&rv, mData + mReadOffset, sizeof(rv)); + mReadOffset += sizeof(rv); + return rv; +} + +inline uint32_t +nsSOCKSSocketInfo::ReadUint32() +{ + uint32_t rv; + MOZ_RELEASE_ASSERT(mReadOffset + sizeof(rv) <= mDataLength, + "Not enough space to pop a uint32_t!"); + memcpy(&rv, mData + mReadOffset, sizeof(rv)); + mReadOffset += sizeof(rv); + return rv; +} + +void +nsSOCKSSocketInfo::ReadNetAddr(NetAddr *addr, uint16_t fam) +{ + uint32_t amt = 0; + const uint8_t *ip = mData + mReadOffset; + + addr->raw.family = fam; + if (fam == AF_INET) { + amt = sizeof(addr->inet.ip); + MOZ_RELEASE_ASSERT(mReadOffset + amt <= mDataLength, + "Not enough space to pop an ipv4 addr!"); + memcpy(&addr->inet.ip, ip, amt); + } else if (fam == AF_INET6) { + amt = sizeof(addr->inet6.ip.u8); + MOZ_RELEASE_ASSERT(mReadOffset + amt <= mDataLength, + "Not enough space to pop an ipv6 addr!"); + memcpy(addr->inet6.ip.u8, ip, amt); + } + + mReadOffset += amt; +} + +void +nsSOCKSSocketInfo::ReadNetPort(NetAddr *addr) +{ + addr->inet.port = ReadUint16(); +} + +void +nsSOCKSSocketInfo::WantRead(uint32_t sz) +{ + NS_ABORT_IF_FALSE(mDataIoPtr == nullptr, + "WantRead() called while I/O already in progress!"); + MOZ_RELEASE_ASSERT(mDataLength + sz <= BUFFER_SIZE, + "Can't read that much data!"); + mAmountToRead = sz; +} + +PRStatus +nsSOCKSSocketInfo::ReadFromSocket(PRFileDesc *fd) +{ + int32_t rc; + const uint8_t *end; + + if (!mAmountToRead) { + LOGDEBUG(("socks: ReadFromSocket(), nothing to do")); + return PR_SUCCESS; + } + + if (!mDataIoPtr) { + mDataIoPtr = mData + mDataLength; + mDataLength += mAmountToRead; + } + + end = mData + mDataLength; + + while (mDataIoPtr < end) { + rc = PR_Read(fd, mDataIoPtr, end - mDataIoPtr); + if (rc <= 0) { + if (rc == 0) { + LOGERROR(("socks: proxy server closed connection")); + HandshakeFinished(PR_CONNECT_REFUSED_ERROR); + return PR_FAILURE; + } else if (PR_GetError() == PR_WOULD_BLOCK_ERROR) { + LOGDEBUG(("socks: ReadFromSocket(), want read")); + } + break; + } + + mDataIoPtr += rc; + } + + LOGDEBUG(("socks: ReadFromSocket(), have %u bytes total", + unsigned(mDataIoPtr - mData))); + if (mDataIoPtr == end) { + mDataIoPtr = nullptr; + mAmountToRead = 0; + mReadOffset = 0; + return PR_SUCCESS; + } + + return PR_FAILURE; +} + +PRStatus +nsSOCKSSocketInfo::WriteToSocket(PRFileDesc *fd) +{ + int32_t rc; + const uint8_t *end; + + if (!mDataLength) { + LOGDEBUG(("socks: WriteToSocket(), nothing to do")); + return PR_SUCCESS; + } + + if (!mDataIoPtr) + mDataIoPtr = mData; + + end = mData + mDataLength; + + while (mDataIoPtr < end) { + rc = PR_Write(fd, mDataIoPtr, end - mDataIoPtr); + if (rc < 0) { + if (PR_GetError() == PR_WOULD_BLOCK_ERROR) { + LOGDEBUG(("socks: WriteToSocket(), want write")); + } + break; + } + + mDataIoPtr += rc; + } + + if (mDataIoPtr == end) { + mDataIoPtr = nullptr; + mDataLength = 0; + mReadOffset = 0; + return PR_SUCCESS; + } + + return PR_FAILURE; +} + +static PRStatus +nsSOCKSIOLayerConnect(PRFileDesc *fd, const PRNetAddr *addr, PRIntervalTime to) +{ + PRStatus status; + NetAddr dst; + + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + if (info == nullptr) return PR_FAILURE; + + if (addr->raw.family == PR_AF_INET6 && + PR_IsNetAddrType(addr, PR_IpAddrV4Mapped)) { + const uint8_t *srcp; + + LOGDEBUG(("socks: converting ipv4-mapped ipv6 address to ipv4")); + + // copied from _PR_ConvertToIpv4NetAddr() + dst.raw.family = AF_INET; + dst.inet.ip = htonl(INADDR_ANY); + dst.inet.port = htons(0); + srcp = addr->ipv6.ip.pr_s6_addr; + memcpy(&dst.inet.ip, srcp + 12, 4); + dst.inet.family = AF_INET; + dst.inet.port = addr->ipv6.port; + } else { + memcpy(&dst, addr, sizeof(dst)); + } + + info->SetDestinationAddr(&dst); + info->SetConnectTimeout(to); + + do { + status = info->DoHandshake(fd, -1); + } while (status == PR_SUCCESS && !info->IsConnected()); + + return status; +} + +static PRStatus +nsSOCKSIOLayerConnectContinue(PRFileDesc *fd, int16_t oflags) +{ + PRStatus status; + + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + if (info == nullptr) return PR_FAILURE; + + do { + status = info->DoHandshake(fd, oflags); + } while (status == PR_SUCCESS && !info->IsConnected()); + + return status; +} + +static int16_t +nsSOCKSIOLayerPoll(PRFileDesc *fd, int16_t in_flags, int16_t *out_flags) +{ + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + if (info == nullptr) return PR_FAILURE; + + if (!info->IsConnected()) { + *out_flags = 0; + return info->GetPollFlags(); + } + + return fd->lower->methods->poll(fd->lower, in_flags, out_flags); +} + +static PRStatus +nsSOCKSIOLayerClose(PRFileDesc *fd) +{ + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + PRDescIdentity id = PR_GetLayersIdentity(fd); + + if (info && id == nsSOCKSIOLayerIdentity) + { + info->ForgetFD(); + NS_RELEASE(info); + fd->identity = PR_INVALID_IO_LAYER; + } + + return fd->lower->methods->close(fd->lower); +} + +static PRFileDesc* +nsSOCKSIOLayerAccept(PRFileDesc *fd, PRNetAddr *addr, PRIntervalTime timeout) +{ + // TODO: implement SOCKS support for accept + return fd->lower->methods->accept(fd->lower, addr, timeout); +} + +static int32_t +nsSOCKSIOLayerAcceptRead(PRFileDesc *sd, PRFileDesc **nd, PRNetAddr **raddr, void *buf, int32_t amount, PRIntervalTime timeout) +{ + // TODO: implement SOCKS support for accept, then read from it + return sd->lower->methods->acceptread(sd->lower, nd, raddr, buf, amount, timeout); +} + +static PRStatus +nsSOCKSIOLayerBind(PRFileDesc *fd, const PRNetAddr *addr) +{ + // TODO: implement SOCKS support for bind (very similar to connect) + return fd->lower->methods->bind(fd->lower, addr); +} + +static PRStatus +nsSOCKSIOLayerGetName(PRFileDesc *fd, PRNetAddr *addr) +{ + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + + if (info != nullptr && addr != nullptr) { + NetAddr temp; + NetAddr *tempPtr = &temp; + if (info->GetExternalProxyAddr(&tempPtr) == NS_OK) { + NetAddrToPRNetAddr(tempPtr, addr); + return PR_SUCCESS; + } + } + + return PR_FAILURE; +} + +static PRStatus +nsSOCKSIOLayerGetPeerName(PRFileDesc *fd, PRNetAddr *addr) +{ + nsSOCKSSocketInfo * info = (nsSOCKSSocketInfo*) fd->secret; + + if (info != nullptr && addr != nullptr) { + NetAddr temp; + NetAddr *tempPtr = &temp; + if (info->GetDestinationAddr(&tempPtr) == NS_OK) { + NetAddrToPRNetAddr(tempPtr, addr); + return PR_SUCCESS; + } + } + + return PR_FAILURE; +} + +static PRStatus +nsSOCKSIOLayerListen(PRFileDesc *fd, int backlog) +{ + // TODO: implement SOCKS support for listen + return fd->lower->methods->listen(fd->lower, backlog); +} + +// add SOCKS IO layer to an existing socket +nsresult +nsSOCKSIOLayerAddToSocket(int32_t family, + const char *host, + int32_t port, + nsIProxyInfo *proxy, + int32_t socksVersion, + uint32_t flags, + PRFileDesc *fd, + nsISupports** info) +{ + NS_ENSURE_TRUE((socksVersion == 4) || (socksVersion == 5), NS_ERROR_NOT_INITIALIZED); + + + if (firstTime) + { + //XXX hack until NSPR provides an official way to detect system IPv6 + // support (bug 388519) + PRFileDesc *tmpfd = PR_OpenTCPSocket(PR_AF_INET6); + if (!tmpfd) { + ipv6Supported = false; + } else { + // If the system does not support IPv6, NSPR will push + // IPv6-to-IPv4 emulation layer onto the native layer + ipv6Supported = PR_GetIdentitiesLayer(tmpfd, PR_NSPR_IO_LAYER) == tmpfd; + PR_Close(tmpfd); + } + + nsSOCKSIOLayerIdentity = PR_GetUniqueIdentity("SOCKS layer"); + nsSOCKSIOLayerMethods = *PR_GetDefaultIOMethods(); + + nsSOCKSIOLayerMethods.connect = nsSOCKSIOLayerConnect; + nsSOCKSIOLayerMethods.connectcontinue = nsSOCKSIOLayerConnectContinue; + nsSOCKSIOLayerMethods.poll = nsSOCKSIOLayerPoll; + nsSOCKSIOLayerMethods.bind = nsSOCKSIOLayerBind; + nsSOCKSIOLayerMethods.acceptread = nsSOCKSIOLayerAcceptRead; + nsSOCKSIOLayerMethods.getsockname = nsSOCKSIOLayerGetName; + nsSOCKSIOLayerMethods.getpeername = nsSOCKSIOLayerGetPeerName; + nsSOCKSIOLayerMethods.accept = nsSOCKSIOLayerAccept; + nsSOCKSIOLayerMethods.listen = nsSOCKSIOLayerListen; + nsSOCKSIOLayerMethods.close = nsSOCKSIOLayerClose; + + firstTime = false; + +#if defined(PR_LOGGING) + gSOCKSLog = PR_NewLogModule("SOCKS"); +#endif + + } + + LOGDEBUG(("Entering nsSOCKSIOLayerAddToSocket().")); + + PRFileDesc *layer; + PRStatus rv; + + layer = PR_CreateIOLayerStub(nsSOCKSIOLayerIdentity, &nsSOCKSIOLayerMethods); + if (! layer) + { + LOGERROR(("PR_CreateIOLayerStub() failed.")); + return NS_ERROR_FAILURE; + } + + nsSOCKSSocketInfo * infoObject = new nsSOCKSSocketInfo(); + if (!infoObject) + { + // clean up IOLayerStub + LOGERROR(("Failed to create nsSOCKSSocketInfo().")); + PR_DELETE(layer); + return NS_ERROR_FAILURE; + } + + NS_ADDREF(infoObject); + infoObject->Init(socksVersion, family, proxy, host, flags); + layer->secret = (PRFilePrivate*) infoObject; + rv = PR_PushIOLayer(fd, PR_GetLayersIdentity(fd), layer); + + if (rv == PR_FAILURE) { + LOGERROR(("PR_PushIOLayer() failed. rv = %x.", rv)); + NS_RELEASE(infoObject); + PR_DELETE(layer); + return NS_ERROR_FAILURE; + } + + *info = static_cast(infoObject); + NS_ADDREF(*info); + return NS_OK; +}