author | eroman@chromium.org <eroman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-18 00:24:37 +0000 |
---|---|---|
committer | eroman@chromium.org <eroman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-18 00:24:37 +0000 |
commit | f209dba88c91b0461dc5acd02af0b3685213938c (patch) | |
tree | 00fd853220b8ad787dc9134f7494da1b8c30af6f /net | |
parent | a784b84a86ec0103b9af04772b573a91684a8a73 (diff) | |
When talking to a SOCKS v5 proxy, default to sending addresses as raw domains rather than IP addresses.
Before, we would default to client-side DNS resolution (sending IP addresses to the proxy) for both v4 and v5. However, if you are using a v5 server, it is most likely that you want to do the resolves on the proxy side. And in fact, if you are using a SOCKS 5 proxy to anonymize your browsing, you definitely don't want client-side resolution as the default policy.
Embedders of the network stack can select the alternate policy by passing a non-NULL Host resolver into SOCKS5ClientSocket.
BUG=29914
TEST=HttpNetworkTransactionTest.SOCKS5_HTTP_GET, HttpNetworkTransactionTest.SOCKS5_SSL_GET
Review URL: http://codereview.chromium.org/507033
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@34903 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/http/http_network_transaction.cc | 2 | ||||
-rw-r--r-- | net/http/http_network_transaction_unittest.cc | 25 | ||||
-rw-r--r-- | net/socket/socks5_client_socket.cc | 16 | ||||
-rw-r--r-- | net/socket/socks5_client_socket.h | 21 | ||||
-rw-r--r-- | net/socket/socks5_client_socket_unittest.cc | 71 | ||||
-rw-r--r-- | net/socket_stream/socket_stream.cc | 2 |
6 files changed, 112 insertions, 25 deletions
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc index 3a964c8..28c09bc 100644 --- a/net/http/http_network_transaction.cc +++ b/net/http/http_network_transaction.cc @@ -652,7 +652,7 @@ int HttpNetworkTransaction::DoSOCKSConnect() { req_info.set_referrer(request_->referrer); if (proxy_info_.proxy_server().scheme() == ProxyServer::SCHEME_SOCKS5) - s = new SOCKS5ClientSocket(s, req_info, session_->host_resolver()); + s = new SOCKS5ClientSocket(s, req_info, NULL /*use proxy-side resolving*/); else s = new SOCKSClientSocket(s, req_info, session_->host_resolver()); connection_.set_socket(s); diff --git a/net/http/http_network_transaction_unittest.cc b/net/http/http_network_transaction_unittest.cc index 1106757..53481ba 100644 --- a/net/http/http_network_transaction_unittest.cc +++ b/net/http/http_network_transaction_unittest.cc @@ -3366,8 +3366,16 @@ TEST_F(HttpNetworkTransactionTest, SOCKS5_HTTP_GET) { const char kSOCKS5GreetRequest[] = { 0x05, 0x01, 0x00 }; const char kSOCKS5GreetResponse[] = { 0x05, 0x00 }; - const char kSOCKS5OkRequest[] = - { 0x05, 0x01, 0x00, 0x01, 127, 0, 0, 1, 0x00, 0x50 }; + const char kSOCKS5OkRequest[] = { + 0x05, // Version + 0x01, // Command (CONNECT) + 0x00, // Reserved. + 0x03, // Address type (DOMAINNAME). + 0x0E, // Length of domain (14) + // Domain string: + 'w', 'w', 'w', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'c', 'o', 'm', + 0x00, 0x50, // 16-bit port (80) + }; const char kSOCKS5OkResponse[] = { 0x05, 0x00, 0x00, 0x01, 127, 0, 0, 1, 0x00, 0x50 }; 
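Review bot: The inline `/*use proxy-side resolving*/` comment in DoSOCKSConnect() does not say why NULL is passed, and the `else` branch still hands `session_->host_resolver()` to SOCKSClientSocket, so destination hostnames are still looked up on the client whenever the proxy scheme is SOCKS v4. I would put a comment above the `if`, for example `// SOCKS5: send the hostname to the proxy so the destination is not resolved on the client; the SOCKS4 path below still resolves client-side.` The same call and inline comment appear in SocketStream::DoSOCKSConnect() in net/socket_stream/socket_stream.cc, and the same comment applies there. DoSOCKSConnect() starts and ends outside this hunk.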
@@ -3422,8 +3430,17 @@ TEST_F(HttpNetworkTransactionTest, SOCKS5_SSL_GET) { const char kSOCKS5GreetRequest[] = { 0x05, 0x01, 0x00 }; const char kSOCKS5GreetResponse[] = { 0x05, 0x00 }; - const unsigned char kSOCKS5OkRequest[] = - { 0x05, 0x01, 0x00, 0x01, 127, 0, 0, 1, 0x01, 0xBB }; + const unsigned char kSOCKS5OkRequest[] = { + 0x05, // Version + 0x01, // Command (CONNECT) + 0x00, // Reserved. + 0x03, // Address type (DOMAINNAME). + 0x0E, // Length of domain (14) + // Domain string: + 'w', 'w', 'w', '.', 'g', 'o', 'o', 'g', 'l', 'e', '.', 'c', 'o', 'm', + 0x01, 0xBB, // 16-bit port (443) + }; + const char kSOCKS5OkResponse[] = { 0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0x00, 0x00 }; diff --git a/net/socket/socks5_client_socket.cc b/net/socket/socks5_client_socket.cc index a2fabfd..8874d7a 100644 --- a/net/socket/socks5_client_socket.cc +++ b/net/socket/socks5_client_socket.cc @@ -37,8 +37,9 @@ SOCKS5ClientSocket::SOCKS5ClientSocket(ClientSocket* transport_socket, bytes_sent_(0), bytes_received_(0), read_header_size(kReadHeaderSize), - host_resolver_(host_resolver), host_request_info_(req_info) { + if (host_resolver) + host_resolver_.reset(new SingleRequestHostResolver(host_resolver)); } SOCKS5ClientSocket::~SOCKS5ClientSocket() { @@ -56,11 +57,18 @@ int SOCKS5ClientSocket::Connect(CompletionCallback* callback, if (completed_handshake_) return OK; - next_state_ = STATE_RESOLVE_HOST; load_log_ = load_log; - LoadLog::BeginEvent(load_log, LoadLog::TYPE_SOCKS5_CONNECT); + // If a host resolver was given, try to resolve the address locally. + // Otherwise let the proxy server handle the resolving. + if (host_resolver_.get()) { + next_state_ = STATE_RESOLVE_HOST; + } else { + next_state_ = STATE_GREET_WRITE; + address_type_ = kEndPointFailedDomain; + } + int rv = DoLoop(OK); if (rv == ERR_IO_PENDING) { user_callback_ = callback; 
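Review bot: Nothing in the new proxy-side branch of SOCKS5ClientSocket::Connect() rejects a hostname longer than 255 bytes. That branch is now the default path and always sends the SOCKS5 DOMAINNAME form, whose length field is a single byte. Unless the request-building code outside this hunk already checks it, Connect() should fail early when `host_request_info_.hostname().size() > 255` rather than let the length byte wrap and send a request for a different, truncated name. Separately, `address_type_ = kEndPointFailedDomain` now also means "resolution deliberately skipped", which the name hides; a comment on that line such as `// Not a failure: reuse the domain-name path for proxy-side resolving.` would help. Connect() starts and ends outside the hunk.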
@@ -191,7 +199,7 @@ int SOCKS5ClientSocket::DoResolveHost() { DCHECK_EQ(kEndPointUnresolved, address_type_); next_state_ = STATE_RESOLVE_HOST_COMPLETE; - return host_resolver_.Resolve( + return host_resolver_->Resolve( host_request_info_, &addresses_, &io_callback_, load_log_); } diff --git a/net/socket/socks5_client_socket.h b/net/socket/socks5_client_socket.h index a5db645..9a05f4a 100644 --- a/net/socket/socks5_client_socket.h +++ b/net/socket/socks5_client_socket.h @@ -31,6 +31,21 @@ class SOCKS5ClientSocket : public ClientSocket { // // |req_info| contains the hostname and port to which the socket above will // communicate to via the SOCKS layer. + // + // SOCKS5 supports three modes of specifying connection endpoints: + // (1) as an IPv4 address. + // (2) as an IPv6 address. + // (3) as a hostname string. + // + // To select mode (3), pass NULL for |host_resolver|. + // + // Otherwise if a non-NULL |host_resolver| is given, Connect() will first + // try to resolve the hostname using |host_resolver|, and pass that + // resolved address to the proxy server. If the resolve failed, Connect() + // will fall-back to mode (3) and simply send the unresolved hosname string + // to the SOCKS v5 proxy server. + // + // Passing NULL for |host_resolver| is the recommended default. SOCKS5ClientSocket(ClientSocket* transport_socket, const HostResolver::RequestInfo& req_info, HostResolver* host_resolver); @@ -142,8 +157,10 @@ class SOCKS5ClientSocket : public ClientSocket { size_t read_header_size; - // Used to resolve the hostname to which the SOCKS proxy will connect. - SingleRequestHostResolver host_resolver_; + // If non-NULL, we will use this host resolver to resolve DNS client-side + // (and fall back to proxy-side resolving if it fails). + // Otherwise, we will do proxy-side DNS resolving. + scoped_ptr<SingleRequestHostResolver> host_resolver_; AddressList addresses_; HostResolver::RequestInfo host_request_info_; 
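Review bot: `host_resolver_->Resolve(...)` in DoResolveHost() now dereferences a scoped_ptr that is NULL in the default configuration, and only the branch added to Connect() keeps this state from being entered. Stating the invariant next to the existing `DCHECK_EQ` would make a later state-machine change fail with a clear message in debug builds rather than as a bare NULL dereference: `DCHECK(host_resolver_.get());`. DoResolveHost() begins outside the hunk.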
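Review bot: The new constructor comment in socks5_client_socket.h explains the fallback but not its privacy consequence. With a non-NULL |host_resolver| the destination hostname is handed to that resolver before anything is sent to the proxy, so it normally reaches the client's DNS path even when the fallback later sends the name to the proxy. I would add a line such as `// Note: a non-NULL |host_resolver| exposes the destination hostname to client-side DNS.` The comment also misspells "hostname" as "hosname", and it does not say whether |host_resolver| must outlive the socket.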
diff --git a/net/socket/socks5_client_socket_unittest.cc b/net/socket/socks5_client_socket_unittest.cc index aa4c454..b03d92b 100644 --- a/net/socket/socks5_client_socket_unittest.cc +++ b/net/socket/socks5_client_socket_unittest.cc @@ -31,7 +31,9 @@ class SOCKS5ClientSocketTest : public PlatformTest { SOCKS5ClientSocket* BuildMockSocket(MockRead reads[], MockWrite writes[], const std::string& hostname, - int port); + int port, + HostResolver* host_resolver); + virtual void SetUp(); protected: @@ -65,8 +67,8 @@ SOCKS5ClientSocket* SOCKS5ClientSocketTest::BuildMockSocket( MockRead reads[], MockWrite writes[], const std::string& hostname, - int port) { - + int port, + net::HostResolver* host_resolver) { TestCompletionCallback callback; data_.reset(new StaticSocketDataProvider(reads, writes)); tcp_sock_ = new MockTCPClientSocket(address_list_, data_.get()); @@ -79,7 +81,7 @@ SOCKS5ClientSocket* SOCKS5ClientSocketTest::BuildMockSocket( return new SOCKS5ClientSocket(tcp_sock_, HostResolver::RequestInfo(hostname, port), - host_resolver_); + host_resolver); } const char kSOCKS5GreetRequest[] = { 0x05, 0x01, 0x00 }; @@ -104,7 +106,8 @@ TEST_F(SOCKS5ClientSocketTest, CompleteHandshake) { MockRead(true, kSOCKS5OkResponse, arraysize(kSOCKS5OkResponse)), MockRead(true, payload_read.data(), payload_read.size()) }; - user_sock_.reset(BuildMockSocket(data_reads, data_writes, "localhost", 80)); + user_sock_.reset(BuildMockSocket(data_reads, data_writes, "localhost", 80, + new MockHostResolver)); // At this state the TCP connection is completed but not the SOCKS handshake. EXPECT_TRUE(tcp_sock_->IsConnected()); 
@@ -150,7 +153,8 @@ TEST_F(SOCKS5ClientSocketTest, FailedDNS) { const std::string hostname = "unresolved.ipv4.address"; const char kSOCKS5DomainRequest[] = { 0x05, 0x01, 0x00, 0x03 }; - host_resolver_->rules()->AddSimulatedFailure(hostname.c_str()); + scoped_refptr<MockHostResolver> mock_resolver = new MockHostResolver; + mock_resolver->rules()->AddSimulatedFailure(hostname); std::string request(kSOCKS5DomainRequest, arraysize(kSOCKS5DomainRequest)); @@ -165,7 +169,8 @@ TEST_F(SOCKS5ClientSocketTest, FailedDNS) { MockRead(false, kSOCKS5GreetResponse, arraysize(kSOCKS5GreetResponse)), MockRead(false, kSOCKS5OkResponse, arraysize(kSOCKS5OkResponse)) }; - user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80)); + user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80, + mock_resolver)); scoped_refptr<LoadLog> log(new LoadLog(LoadLog::kUnbounded)); int rv = user_sock_->Connect(&callback_, log); 
@@ -181,6 +186,40 @@ TEST_F(SOCKS5ClientSocketTest, FailedDNS) { *log, -1, LoadLog::TYPE_SOCKS5_CONNECT, LoadLog::PHASE_END)); } +// Connect to a domain, making sure to defer the host resolving to the proxy +// server. +TEST_F(SOCKS5ClientSocketTest, ResolveHostsProxySide) { + const std::string hostname = "my-host-name"; + const char kSOCKS5DomainRequest[] = { + 0x05, // VER + 0x01, // CMD + 0x00, // RSV + 0x03, // ATYPE + }; + + std::string request(kSOCKS5DomainRequest, + arraysize(kSOCKS5DomainRequest)); + request.push_back(hostname.size()); + request.append(hostname); + request.append(reinterpret_cast<const char*>(&kNwPort), sizeof(kNwPort)); + + MockWrite data_writes[] = { + MockWrite(false, kSOCKS5GreetRequest, arraysize(kSOCKS5GreetRequest)), + MockWrite(false, request.data(), request.size()) + }; + MockRead data_reads[] = { + MockRead(false, kSOCKS5GreetResponse, arraysize(kSOCKS5GreetResponse)), + MockRead(false, kSOCKS5OkResponse, arraysize(kSOCKS5OkResponse)) + }; + + user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80, + NULL)); + + int rv = user_sock_->Connect(&callback_, NULL); + EXPECT_EQ(OK, rv); + EXPECT_TRUE(user_sock_->IsConnected()); +} + // Tries to connect to a domain that resolves to IPv6. TEST_F(SOCKS5ClientSocketTest, IPv6Domain) { const std::string hostname = "an.ipv6.address"; @@ -188,7 +227,8 @@ TEST_F(SOCKS5ClientSocketTest, IPv6Domain) { const uint8 ipv6_addr[] = { 0x20, 0x01, 0x0d, 0xb8, 0x87, 0x14, 0x3a, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x000, 0x00, 0x12 }; - host_resolver_->rules()->AddIPv6Rule(hostname, "2001:db8:8714:3a90::12"); + scoped_refptr<MockHostResolver> mock_resolver = new MockHostResolver; + mock_resolver->rules()->AddIPv6Rule(hostname, "2001:db8:8714:3a90::12"); std::string request(kSOCKS5IPv6Request, arraysize(kSOCKS5IPv6Request)); 
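Review bot: `request.push_back(hostname.size())` in ResolveHostsProxySide narrows a size_t to char implicitly, which mirrors the one-byte length field but hides it; `request.push_back(static_cast<char>(hostname.size()));` makes the truncation explicit. The test also passes NULL as the load log, so unlike FailedDNS (whose `LoadLog::TYPE_SOCKS5_CONNECT` check is visible in the context above) it does not verify that the connect event is begun and ended on the proxy-side path. A companion case with a hostname longer than 255 bytes would pin down what Connect() does when the name cannot fit in the length byte.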
@@ -202,7 +242,8 @@ TEST_F(SOCKS5ClientSocketTest, IPv6Domain) { MockRead(false, kSOCKS5GreetResponse, arraysize(kSOCKS5GreetResponse)), MockRead(false, kSOCKS5OkResponse, arraysize(kSOCKS5OkResponse)) }; - user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80)); + user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80, + mock_resolver)); scoped_refptr<LoadLog> log(new LoadLog(LoadLog::kUnbounded)); int rv = user_sock_->Connect(&callback_, log); @@ -232,7 +273,8 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) { MockRead data_reads[] = { MockRead(true, kSOCKS5GreetResponse, arraysize(kSOCKS5GreetResponse)), MockRead(true, kSOCKS5OkResponse, arraysize(kSOCKS5OkResponse)) }; - user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80)); + user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80, + new MockHostResolver)); scoped_refptr<LoadLog> log(new LoadLog(LoadLog::kUnbounded)); int rv = user_sock_->Connect(&callback_, log); EXPECT_EQ(ERR_IO_PENDING, rv); @@ -256,7 +298,8 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) { MockRead(true, partial1, arraysize(partial1)), MockRead(true, partial2, arraysize(partial2)), MockRead(true, kSOCKS5OkResponse, arraysize(kSOCKS5OkResponse)) }; - user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80)); + user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80, + new MockHostResolver)); scoped_refptr<LoadLog> log(new LoadLog(LoadLog::kUnbounded)); int rv = user_sock_->Connect(&callback_, log); EXPECT_EQ(ERR_IO_PENDING, rv); 
@@ -280,7 +323,8 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) { MockRead data_reads[] = { MockRead(true, kSOCKS5GreetResponse, arraysize(kSOCKS5GreetResponse)), MockRead(true, kSOCKS5OkResponse, arraysize(kSOCKS5OkResponse)) }; - user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80)); + user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80, + new MockHostResolver)); scoped_refptr<LoadLog> log(new LoadLog(LoadLog::kUnbounded)); int rv = user_sock_->Connect(&callback_, log); EXPECT_EQ(ERR_IO_PENDING, rv); @@ -304,7 +348,8 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) { MockRead(true, kSOCKS5GreetResponse, arraysize(kSOCKS5GreetResponse)), MockRead(true, partial1, arraysize(partial1)), MockRead(true, partial2, arraysize(partial2)) }; - user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80)); + user_sock_.reset(BuildMockSocket(data_reads, data_writes, hostname, 80, + new MockHostResolver)); scoped_refptr<LoadLog> log(new LoadLog(LoadLog::kUnbounded)); int rv = user_sock_->Connect(&callback_, log); EXPECT_EQ(ERR_IO_PENDING, rv); diff --git a/net/socket_stream/socket_stream.cc b/net/socket_stream/socket_stream.cc index f232c61..e746022 100644 --- a/net/socket_stream/socket_stream.cc +++ b/net/socket_stream/socket_stream.cc @@ -704,7 +704,7 @@ int SocketStream::DoSOCKSConnect() { url_.EffectiveIntPort()); if (proxy_info_.proxy_server().scheme() == ProxyServer::SCHEME_SOCKS5) - s = new SOCKS5ClientSocket(s, req_info, host_resolver_.get()); + s = new SOCKS5ClientSocket(s, req_info, NULL /*use proxy-side resolving*/); else s = new SOCKSClientSocket(s, req_info, host_resolver_.get()); socket_.reset(s); |