8 files changed, 653 insertions, 24 deletions
diff --git a/indra/llmessage/CMakeLists.txt b/indra/llmessage/CMakeLists.txt
index c5f82cf052..4b679ef6a5 100644
--- a/indra/llmessage/CMakeLists.txt
+++ b/indra/llmessage/CMakeLists.txt
@@ -76,6 +76,7 @@ set(llmessage_SOURCE_FILES
     llsdrpcserver.cpp
     llservicebuilder.cpp
     llservice.cpp
+    llsocks5.cpp
     llstoredmessage.cpp
     lltemplatemessagebuilder.cpp
     lltemplatemessagedispatcher.cpp
@@ -174,6 +175,7 @@ set(llmessage_HEADER_FILES
     llsdrpcserver.h
     llservice.h
     llservicebuilder.h
+    llsocks5.h
     llstoredmessage.h
     lltaskname.h
     llteleportflags.h
diff --git a/indra/llmessage/llcurl.cpp b/indra/llmessage/llcurl.cpp
index 7c8b7e3584..32dd438e68 100644
--- a/indra/llmessage/llcurl.cpp
+++ b/indra/llmessage/llcurl.cpp
@@ -51,6 +51,8 @@
 #include "llthread.h"
 #include "lltimer.h"
 
+#include "llsocks5.h"
+
 //////////////////////////////////////////////////////////////////////////////
 /*
 	The trick to getting curl to do keep-alives is to reuse the
@@ -355,6 +357,27 @@ LLCurl::Easy* LLCurl::Easy::getEasy()
 	// multi handles cache if they are added to one.
 	CURLcode result = curl_easy_setopt(easy->mCurlEasyHandle, CURLOPT_DNS_CACHE_TIMEOUT, 0);
 	check_curl_code(result);
+
+	//Set the CURL options for either Socks or HTTP proxy
+	if (LLSocks::getInstance()->isHTTPProxyEnabled())
+	{
+		std::string address = LLSocks::getInstance()->getHTTPProxy().getIPString();
+		U16 port = LLSocks::getInstance()->getHTTPProxy().getPort();
+		curl_easy_setopt(easy->mCurlEasyHandle, CURLOPT_PROXY,address.c_str());
+		curl_easy_setopt(easy->mCurlEasyHandle, CURLOPT_PROXYPORT,port);
+		if (LLSocks::getInstance()->getHTTPProxyType() == LLPROXY_SOCKS)
+		{
+			curl_easy_setopt(easy->mCurlEasyHandle, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
+			if(LLSocks::getInstance()->getSelectedAuthMethod()==METHOD_PASSWORD)
+			{
+				curl_easy_setopt(easy->mCurlEasyHandle, CURLOPT_PROXYUSERPWD,LLSocks::getInstance()->getProxyUserPwd().c_str());
+			}
+		}
+		else
+		{
+			curl_easy_setopt(easy->mCurlEasyHandle, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
+		}
+	}
 	
 	++gCurlEasyCount;
 	return easy;
@@ -534,6 +557,26 @@ void LLCurl::Easy::prepRequest(const std::string& url,
 	//setopt(CURLOPT_VERBOSE, 1); // usefull for debugging
 	setopt(CURLOPT_NOSIGNAL, 1);
 
+	if (LLSocks::getInstance()->isHTTPProxyEnabled())
+	{
+		std::string address = LLSocks::getInstance()->getHTTPProxy().getIPString();
+		U16 port = LLSocks::getInstance()->getHTTPProxy().getPort();
+		setoptString(CURLOPT_PROXY, address.c_str());
+		setopt(CURLOPT_PROXYPORT, port);
+		if (LLSocks::getInstance()->getHTTPProxyType() == LLPROXY_SOCKS)
+		{
+			setopt(CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
+			if(LLSocks::getInstance()->getSelectedAuthMethod()==METHOD_PASSWORD)
+			{
+				setoptString(CURLOPT_PROXYUSERPWD,LLSocks::getInstance()->getProxyUserPwd());
+			}
+		}
+		else
+		{
+			setopt(CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
+		}
+	}
+
 	mOutput.reset(new LLBufferArray);
 	setopt(CURLOPT_WRITEFUNCTION, (void*)&curlWriteCallback);
 	setopt(CURLOPT_WRITEDATA, (void*)this);
diff --git a/indra/llmessage/llpacketring.cpp b/indra/llmessage/llpacketring.cpp
index 8999dec64a..62aaca0672 100644
--- a/indra/llmessage/llpacketring.cpp
+++ b/indra/llmessage/llpacketring.cpp
@@ -28,13 +28,28 @@
 
 #include "llpacketring.h"
 
+#if LL_WINDOWS
+	#include <winsock2.h>
+#else
+	#include <sys/socket.h>
+	#include <netinet/in.h>
+#endif
+
 // linden library includes
 #include "llerror.h"
+#include "message.h"
+#include "llsocks5.h"
 #include "lltimer.h"
 #include "timing.h"
 #include "llrand.h"
 #include "u64.h"
 
+
+
+
+
+
+
 ///////////////////////////////////////////////////////////
 LLPacketRing::LLPacketRing () :
 	mUseInThrottle(FALSE),
@@ -216,8 +231,30 @@ S32 LLPacketRing::receivePacket (S32 socket, char *datap)
 	else
 	{
 		// no delay, pull straight from net
+		if (LLSocks::isEnabled())
+		{
+			U8 buffer[MAX_BUFFER_SIZE];
+			packet_size = receive_packet(socket, (char*)buffer);
+			
+			if (packet_size > 10)
+			{
+				memcpy(datap,buffer+10,packet_size-10);
+			}
+			else
+			{
+				packet_size=0;
+			}
+
+			proxywrap_t * header = (proxywrap_t *)buffer;
+			mLastSender.setAddress(header->addr);
+			mLastSender.setPort(ntohs(header->port));
+		}
+		else
+		{
 		packet_size = receive_packet(socket, datap);		
 		mLastSender = ::get_sender();
+		}
+
 		mLastReceivingIF = ::get_receiving_interface();
 
 		if (packet_size)  // did we actually get a packet?
@@ -243,7 +280,7 @@ BOOL LLPacketRing::sendPacket(int h_socket, char * send_buffer, S32 buf_size, LL
 	BOOL status = TRUE;
 	if (!mUseOutThrottle)
 	{
-		return send_packet(h_socket, send_buffer, buf_size, host.getAddress(), host.getPort() );
+		return doSendPacket(h_socket, send_buffer, buf_size, host );
 	}
 	else
 	{
@@ -264,7 +301,7 @@ BOOL LLPacketRing::sendPacket(int h_socket, char * send_buffer, S32 buf_size, LL
 				mOutBufferLength -= packetp->getSize();
 				packet_size = packetp->getSize();
 
-				status = send_packet(h_socket, packetp->getData(), packet_size, packetp->getHost().getAddress(), packetp->getHost().getPort());
+				status = doSendPacket(h_socket, packetp->getData(), packet_size, packetp->getHost());
 				
 				delete packetp;
 				// Update the throttle
@@ -273,7 +310,7 @@ BOOL LLPacketRing::sendPacket(int h_socket, char * send_buffer, S32 buf_size, LL
 			else
 			{
 				// If the queue's empty, we can just send this packet right away.
-				status = send_packet(h_socket, send_buffer, buf_size, host.getAddress(), host.getPort() );
+				status =  doSendPacket(h_socket, send_buffer, buf_size, host );
 				packet_size = buf_size;
 
 				// Update the throttle
@@ -311,3 +348,23 @@ BOOL LLPacketRing::sendPacket(int h_socket, char * send_buffer, S32 buf_size, LL
 
 	return status;
 }
+
+BOOL LLPacketRing::doSendPacket(int h_socket, const char * send_buffer, S32 buf_size, LLHost host)
+{
+	
+	if (!LLSocks::isEnabled())
+	{
+		return send_packet(h_socket, send_buffer, buf_size, host.getAddress(), host.getPort());
+	}
+
+	proxywrap_t *socks_header = (proxywrap_t *)&mProxyWrappedSendBuffer;
+	socks_header->rsv   = 0;
+	socks_header->addr  = host.getAddress();
+	socks_header->port  = htons(host.getPort());
+	socks_header->atype = ADDRESS_IPV4;
+	socks_header->frag  = 0;
+
+	memcpy(mProxyWrappedSendBuffer+10, send_buffer, buf_size);
+
+	return send_packet(h_socket,(const char*) mProxyWrappedSendBuffer, buf_size+10, LLSocks::getInstance()->getUDPProxy().getAddress(), LLSocks::getInstance()->getUDPProxy().getPort());
+}
diff --git a/indra/llmessage/llpacketring.h b/indra/llmessage/llpacketring.h
index e6409d2048..2fe2f8e1e9 100644
--- a/indra/llmessage/llpacketring.h
+++ b/indra/llmessage/llpacketring.h
@@ -82,6 +82,9 @@ protected:
 
 	LLHost mLastSender;
 	LLHost mLastReceivingIF;
+
+	BOOL doSendPacket(int h_socket, const char * send_buffer, S32 buf_size, LLHost host);
+	U8 mProxyWrappedSendBuffer[NET_BUFFER_SIZE];
 };
 
 
diff --git a/indra/llmessage/llsocks5.cpp b/indra/llmessage/llsocks5.cpp
new file mode 100644
index 0000000000..27a31e35b3
--- /dev/null
+++ b/indra/llmessage/llsocks5.cpp
@@ -0,0 +1,216 @@
+/**
+ * @file llsocks5.cpp
+ * @brief SOCKS 5 implementation
+ *
+ * $LicenseInfo:firstyear=2011&license=viewerlgpl$
+ * Second Life Viewer Source Code
+ * Copyright (C) 2011, Linden Research, Inc.
+ * 
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation;
+ * version 2.1 of the License only.
+ * 
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ * 
+ * Linden Research, Inc., 945 Battery Street, San Francisco, CA  94111  USA
+ * $/LicenseInfo$
+ */
+
+#include <string>
+
+#include "linden_common.h"
+#include "net.h"
+#include "llhost.h"
+#include "message.h"
+#include "llsocks5.h"
+
+// Static class variable instances
+
+// We want this to be static to avoid excessive indirection on every
+// incoming packet just to do a simple bool test. The getter for this
+// member is also static
+bool LLSocks::sUDPProxyEnabled;
+bool LLSocks::sHTTPProxyEnabled;
+
+LLSocks::LLSocks()
+{
+	sUDPProxyEnabled  = false;
+	sHTTPProxyEnabled = false;
+	mProxyControlChannel.reset();
+	mProxyType = LLPROXY_SOCKS;
+}
+
+// Perform a SOCKS 5 authentication and UDP association to the proxy
+// specified by proxy, and associate UDP port message_port
+int LLSocks::proxyHandshake(LLHost proxy, U32 message_port)
+{
+	int result;
+
+	/* SOCKS 5 Auth request */
+	socks_auth_request_t  socks_auth_request;
+	socks_auth_response_t socks_auth_response;
+
+	socks_auth_request.version     = SOCKS_VERSION;       // SOCKS version 5
+	socks_auth_request.num_methods = 1;                   // Sending 1 method.
+	socks_auth_request.methods     = mAuthMethodSelected; // Send only the selected method.
+
+	result = tcp_handshake(mProxyControlChannel, (char*)&socks_auth_request, sizeof(socks_auth_request_t), (char*)&socks_auth_response, sizeof(socks_auth_response_t));
+	if (result != 0)
+	{
+		llwarns << "SOCKS authentication request failed, error on TCP control channel : " << result << llendl;
+		stopProxy();
+		return SOCKS_CONNECT_ERROR;
+	}
+
+	if (socks_auth_response.method == AUTH_NOT_ACCEPTABLE)
+	{
+		llwarns << "SOCKS 5 server refused all our authentication methods" << llendl;
+		stopProxy();
+		return SOCKS_NOT_ACCEPTABLE;
+	}
+
+	// SOCKS 5 USERNAME/PASSWORD authentication
+	if (socks_auth_response.method == METHOD_PASSWORD)
+	{
+		// The server has requested a username/password combination
+		U32 request_size = mSocksUsername.size() + mSocksPassword.size() + 3;
+		char * password_auth = new char[request_size];
+		password_auth[0] = 0x01;
+		password_auth[1] = mSocksUsername.size();
+		memcpy(&password_auth[2], mSocksUsername.c_str(), mSocksUsername.size());
+		password_auth[mSocksUsername.size()+2] = mSocksPassword.size();
+		memcpy(&password_auth[mSocksUsername.size()+3], mSocksPassword.c_str(), mSocksPassword.size());
+
+		authmethod_password_reply_t password_reply;
+
+		result = tcp_handshake(mProxyControlChannel, password_auth, request_size, (char*)&password_reply, sizeof(authmethod_password_reply_t));
+		delete[] password_auth;
+
+		if (result != 0)
+		{
+			llwarns << "SOCKS authentication failed, error on TCP control channel : " << result << llendl;
+			stopProxy();
+			return SOCKS_CONNECT_ERROR;
+		}
+
+		if (password_reply.status != AUTH_SUCCESS)
+		{
+			llwarns << "SOCKS authentication failed" << llendl;
+			stopProxy();
+			return SOCKS_AUTH_FAIL;
+		}
+	}
+
+	/* SOCKS5 connect request */
+
+	socks_command_request_t  connect_request;
+	socks_command_response_t connect_reply;
+
+	connect_request.version		= SOCKS_VERSION;         // SOCKS V5
+	connect_request.command		= COMMAND_UDP_ASSOCIATE; // Associate UDP
+	connect_request.reserved	= FIELD_RESERVED;
+	connect_request.atype		= ADDRESS_IPV4;
+	connect_request.address		= htonl(0); // 0.0.0.0
+	connect_request.port		= htons(0); // 0
+	// "If the client is not in possesion of the information at the time of the UDP ASSOCIATE,
+	//  the client MUST use a port number and address of all zeros. RFC 1928"
+
+	result = tcp_handshake(mProxyControlChannel, (char*)&connect_request, sizeof(socks_command_request_t), (char*)&connect_reply, sizeof(socks_command_response_t));
+	if (result != 0)
+	{
+		llwarns << "SOCKS connect request failed, error on TCP control channel : " << result << llendl;
+		stopProxy();
+		return SOCKS_CONNECT_ERROR;
+	}
+
+	if (connect_reply.reply != REPLY_REQUEST_GRANTED)
+	{
+		//Something went wrong
+		llwarns << "Connection to SOCKS 5 server failed, UDP forward request not granted" << llendl;
+		stopProxy();
+		return SOCKS_UDP_FWD_NOT_GRANTED;
+	}
+
+	mUDPProxy.setPort(ntohs(connect_reply.port)); // reply port is in network byte order
+	mUDPProxy.setAddress(proxy.getAddress());
+	// All good now we have been given the UDP port to send requests that need forwarding.
+	llinfos << "SOCKS 5 UDP proxy connected on " << mUDPProxy << llendl;
+	return SOCKS_OK;
+}
+
+int LLSocks::startProxy(LLHost proxy, U32 message_port)
+{
+	int status;
+
+	mTCPProxy = proxy;
+
+	if (mProxyControlChannel)
+	{
+		tcp_close_channel(mProxyControlChannel);
+	}
+
+	mProxyControlChannel = tcp_open_channel(mTCPProxy);
+	if (!mProxyControlChannel)
+	{
+		return SOCKS_HOST_CONNECT_FAILED;
+	}
+	status = proxyHandshake(proxy, message_port);
+	if (status == SOCKS_OK)
+	{
+		sUDPProxyEnabled = true;
+	}
+	return status;
+}
+
+int LLSocks::startProxy(std::string host, U32 port)
+{
+	mTCPProxy.setHostByName(host);
+	mTCPProxy.setPort(port);
+	return startProxy(mTCPProxy, (U32)gMessageSystem->mPort);
+}
+
+void LLSocks::stopProxy()
+{
+	sUDPProxyEnabled = false;
+
+	// If the SOCKS proxy is requested to stop and we are using that for http as well
+	// then we must shut down any http proxy operations. But it is allowable if web
+	// proxy is being used to continue proxying http.
+
+	if(LLPROXY_SOCKS == mProxyType)
+	{
+		sHTTPProxyEnabled = false;
+	}
+
+	if (mProxyControlChannel)
+	{
+		tcp_close_channel(mProxyControlChannel);
+	}
+}
+
+void LLSocks::setAuthNone()
+{
+	mAuthMethodSelected = METHOD_NOAUTH;
+}
+
+void LLSocks::setAuthPassword(std::string username, std::string password)
+{
+	mAuthMethodSelected = METHOD_PASSWORD;
+	mSocksUsername      = username;
+	mSocksPassword      = password;
+}
+
+void LLSocks::enableHTTPProxy(LLHost httpHost, LLHttpProxyType type)
+{ 
+	sHTTPProxyEnabled = true;
+	mHTTPProxy        = httpHost;
+	mProxyType        = type;
+}
diff --git a/indra/llmessage/llsocks5.h b/indra/llmessage/llsocks5.h
new file mode 100644
index 0000000000..43a7c82fea
--- /dev/null
+++ b/indra/llmessage/llsocks5.h
@@ -0,0 +1,240 @@
+/**
+ * @file llsocks5.h
+ * @brief Socks 5 implementation
+ *
+ * $LicenseInfo:firstyear=2011&license=viewerlgpl$
+ * Second Life Viewer Source Code
+ * Copyright (C) 2011, Linden Research, Inc.
+ * 
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation;
+ * version 2.1 of the License only.
+ * 
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ * 
+ * Linden Research, Inc., 945 Battery Street, San Francisco, CA  94111  USA
+ * $/LicenseInfo$
+ */
+
+#ifndef LL_SOCKS5_H
+#define LL_SOCKS5_H
+
+#include "llhost.h"
+#include "llmemory.h"
+#include "llsingleton.h"
+#include <string>
+
+// Error codes returned from the StartProxy method
+
+#define SOCKS_OK 0
+#define SOCKS_CONNECT_ERROR (-1)
+#define SOCKS_NOT_PERMITTED (-2)
+#define SOCKS_NOT_ACCEPTABLE (-3)
+#define SOCKS_AUTH_FAIL (-4)
+#define SOCKS_UDP_FWD_NOT_GRANTED (-5)
+#define SOCKS_HOST_CONNECT_FAILED (-6)
+
+#ifndef MAXHOSTNAMELEN
+#define	MAXHOSTNAMELEN (255 + 1) /* socks5: 255, +1 for len. */
+#endif
+
+#define SOCKS_VERSION 0x05 // we are using SOCKS 5
+
+// SOCKS 5 address/hostname types
+#define ADDRESS_IPV4     0x01
+#define ADDRESS_HOSTNAME 0x03
+#define ADDRESS_IPV6     0x04
+
+// Lets just use our own ipv4 struct rather than dragging in system
+// specific headers
+union ipv4_address_t {
+	U8		octets[4];
+	U32		addr32;
+};
+
+// SOCKS 5 control channel commands
+#define COMMAND_TCP_STREAM    0x01
+#define COMMAND_TCP_BIND      0x02
+#define COMMAND_UDP_ASSOCIATE 0x03
+
+// SOCKS 5 command replies
+#define REPLY_REQUEST_GRANTED     0x00
+#define REPLY_GENERAL_FAIL        0x01
+#define REPLY_RULESET_FAIL        0x02
+#define REPLY_NETWORK_UNREACHABLE 0x03
+#define REPLY_HOST_UNREACHABLE    0x04
+#define REPLY_CONNECTION_REFUSED  0x05
+#define REPLY_TTL_EXPIRED         0x06
+#define REPLY_PROTOCOL_ERROR      0x07
+#define REPLY_TYPE_NOT_SUPPORTED  0x08
+
+#define FIELD_RESERVED 0x00
+
+// The standard SOCKS 5 request packet
+// Push current alignment to stack and set alignment to 1 byte boundary
+// This enabled us to use structs directly to set up and receive network packets
+// into the correct fields, without fear of boundary alignment causing issues
+#pragma pack(push,1)
+
+// SOCKS 5 command packet
+struct socks_command_request_t {
+	U8		version;
+	U8		command;
+	U8		reserved;
+	U8		atype;
+	U32		address;
+	U16		port;
+};
+
+// Standard SOCKS 5 reply packet
+struct socks_command_response_t {
+	U8		version;
+	U8		reply;
+	U8		reserved;
+	U8		atype;
+	U8		add_bytes[4];
+	U16		port;
+};
+
+#define AUTH_NOT_ACCEPTABLE 0xFF // reply if preferred methods are not available
+#define AUTH_SUCCESS        0x00 // reply if authentication successful
+
+// SOCKS 5 authentication request, stating which methods the client supports
+struct socks_auth_request_t {
+	U8		version;
+	U8		num_methods;
+	U8		methods; // We are only using a single method currently
+};
+
+// SOCKS 5 authentication response packet, stating server preferred method
+struct socks_auth_response_t {
+	U8		version;
+	U8		method;
+};
+
+// SOCKS 5 password reply packet
+struct authmethod_password_reply_t {
+	U8		version;
+	U8		status;
+};
+
+// SOCKS 5 UDP packet header
+struct proxywrap_t {
+	U16		rsv;
+	U8		frag;
+	U8		atype;
+	U32		addr;
+	U16		port;
+};
+
+#pragma pack(pop) /* restore original alignment from stack */
+
+
+// Currently selected http proxy type
+enum LLHttpProxyType
+{
+	LLPROXY_SOCKS = 0,
+	LLPROXY_HTTP  = 1
+};
+
+// Auth types
+enum LLSocks5AuthType
+{
+	METHOD_NOAUTH   = 0x00,	// Client supports no auth
+	METHOD_GSSAPI   = 0x01,	// Client supports GSSAPI (Not currently supported)
+	METHOD_PASSWORD = 0x02 	// Client supports username/password
+};
+
+class LLSocks: public LLSingleton<LLSocks>
+{
+public:
+	LLSocks();
+
+	// Start a connection to the SOCKS 5 proxy
+	int startProxy(std::string host, U32 port);
+	int startProxy(LLHost proxy, U32 messagePort);
+
+	// Disconnect and clean up any connection to the SOCKS 5 proxy
+	void stopProxy();
+
+	// Set up to use Password auth when connecting to the SOCKS proxy
+	void setAuthPassword(std::string username, std::string password);
+
+	// Set up to use No Auth when connecting to the SOCKS proxy
+	void setAuthNone();
+
+	// get the currently selected auth method
+	LLSocks5AuthType getSelectedAuthMethod() const { return mAuthMethodSelected; }
+
+	// static check for enabled status for UDP packets
+	static bool isEnabled() { return sUDPProxyEnabled; }
+
+	// static check for enabled status for http packets
+	static bool isHTTPProxyEnabled() { return sHTTPProxyEnabled; }
+
+	// Proxy HTTP packets via httpHost, which can be a SOCKS 5 or a HTTP proxy
+	// as specified in type
+	void enableHTTPProxy(LLHost httpHost, LLHttpProxyType type);
+
+	// Stop proxying HTTP packets
+	void disableHTTPProxy() { sHTTPProxyEnabled = false; };
+
+	// Get the UDP proxy address and port
+	LLHost getUDPProxy() const { return mUDPProxy; }
+
+	// Get the SOCKS 5 TCP control channel address and port
+	LLHost getTCPProxy() const { return mTCPProxy; }
+
+	// Get the HTTP proxy address and port
+	LLHost getHTTPProxy() const { return mHTTPProxy; }
+
+	// Get the currently selected HTTP proxy type
+	LLHttpProxyType getHTTPProxyType() const { return mProxyType; }
+
+	// Get the username password in a curl compatible format
+	std::string getProxyUserPwd() const { return (mSocksUsername + ":" + mSocksPassword); }
+
+private:
+
+	// Open a communication channel to the SOCKS 5 proxy proxy, at port messagePort
+	int proxyHandshake(LLHost proxy, U32 messagePort);
+
+	// socket handle to proxy TCP control channel
+	LLSocket::ptr_t mProxyControlChannel;
+
+	// is the UDP proxy enabled?
+	static bool sUDPProxyEnabled;
+	// is the http proxy enabled?
+	static bool sHTTPProxyEnabled;
+
+	// currently selected http proxy type
+	LLHttpProxyType mProxyType;
+
+	// UDP proxy address and port
+	LLHost mUDPProxy;
+	// TCP Proxy control channel address and port
+	LLHost mTCPProxy;
+	// HTTP proxy address and port
+	LLHost mHTTPProxy;
+
+	// SOCKS 5 auth method selected
+	LLSocks5AuthType mAuthMethodSelected;
+
+	// SOCKS 5 username
+	std::string mSocksUsername;
+	// SOCKS 5 password
+	std::string mSocksPassword;
+
+	// APR pool for the socket
+	apr_pool_t* mPool;
+};
+
+#endif
diff --git a/indra/llmessage/net.cpp b/indra/llmessage/net.cpp
index 97611c3b51..366a1835ca 100644
--- a/indra/llmessage/net.cpp
+++ b/indra/llmessage/net.cpp
@@ -50,6 +50,7 @@
 #include "lltimer.h"
 #include "indra_constants.h"
 
+#include "llsocks5.h"
 
 // Globals
 #if LL_WINDOWS
@@ -174,7 +175,7 @@ U32 ip_string_to_u32(const char* ip_string)
 	// use wildcard addresses. -Ambroff
 	U32 ip = inet_addr(ip_string);
 	if (ip == INADDR_NONE 
-	    && strncmp(ip_string, BROADCAST_ADDRESS_STRING, MAXADDRSTR) != 0)
+			&& strncmp(ip_string, BROADCAST_ADDRESS_STRING, MAXADDRSTR) != 0)
 	{
 		llwarns << "ip_string_to_u32() failed, Error: Invalid IP string '" << ip_string << "'" << llendl;
 		return INVALID_HOST_IP_ADDRESS;
@@ -188,11 +189,11 @@ U32 ip_string_to_u32(const char* ip_string)
 //////////////////////////////////////////////////////////////////////////////////////////
 
 #if LL_WINDOWS
- 
+
 S32 start_net(S32& socket_out, int& nPort) 
 {			
 	// Create socket, make non-blocking
-    // Init WinSock 
+	// Init WinSock
 	int nRet;
 	int hSocket;
 
@@ -201,7 +202,7 @@ S32 start_net(S32& socket_out, int& nPort)
 	int buff_size = 4;
  
 	// Initialize windows specific stuff
-	if(WSAStartup(0x0202, &stWSAData))
+	if (WSAStartup(0x0202, &stWSAData))
 	{
 		S32 err = WSAGetLastError();
 		WSACleanup();
@@ -210,8 +211,8 @@ S32 start_net(S32& socket_out, int& nPort)
 	}
 
 	// Get a datagram socket
-    hSocket = (int)socket(AF_INET, SOCK_DGRAM, 0);
-    if (hSocket == INVALID_SOCKET)
+	hSocket = (int)socket(AF_INET, SOCK_DGRAM, 0);
+	if (hSocket == INVALID_SOCKET)
 	{
 		S32 err = WSAGetLastError();
 		WSACleanup();
@@ -304,7 +305,7 @@ S32 start_net(S32& socket_out, int& nPort)
 	//  Setup a destination address
 	stDstAddr.sin_family =      AF_INET;
 	stDstAddr.sin_addr.s_addr = INVALID_HOST_IP_ADDRESS;
-    stDstAddr.sin_port =        htons(nPort);
+	stDstAddr.sin_port =        htons(nPort);
 
 	socket_out = hSocket;
 	return 0;
@@ -393,10 +394,10 @@ S32 start_net(S32& socket_out, int& nPort)
 	int rec_size = RECEIVE_BUFFER_SIZE;
 
 	socklen_t buff_size = 4;
-    
+
 	//  Create socket
-    hSocket = socket(AF_INET, SOCK_DGRAM, 0);
-    if (hSocket < 0)
+	hSocket = socket(AF_INET, SOCK_DGRAM, 0);
+	if (hSocket < 0)
 	{
 		llwarns << "socket() failed" << llendl;
 		return 1;
@@ -429,7 +430,7 @@ S32 start_net(S32& socket_out, int& nPort)
 	}
 	else
 	{
-	    // Name the socket (assign the local port number to receive on)
+		// Name the socket (assign the local port number to receive on)
 		stLclAddr.sin_family      = AF_INET;
 		stLclAddr.sin_addr.s_addr = htonl(INADDR_ANY);
 		stLclAddr.sin_port        = htons(nPort);
@@ -474,7 +475,7 @@ S32 start_net(S32& socket_out, int& nPort)
 		nPort = attempt_port;
 	}
 	// Set socket to be non-blocking
- 	fcntl(hSocket, F_SETFL, O_NONBLOCK);
+	fcntl(hSocket, F_SETFL, O_NONBLOCK);
 	// set a large receive buffer
 	nRet = setsockopt(hSocket, SOL_SOCKET, SO_RCVBUF, (char *)&rec_size, buff_size);
 	if (nRet)
@@ -510,8 +511,8 @@ S32 start_net(S32& socket_out, int& nPort)
 	//  Setup a destination address
 	char achMCAddr[MAXADDRSTR] = "127.0.0.1";	/* Flawfinder: ignore */ 
 	stDstAddr.sin_family =      AF_INET;
-        stDstAddr.sin_addr.s_addr = ip_string_to_u32(achMCAddr);
-        stDstAddr.sin_port =        htons(nPort);
+	stDstAddr.sin_addr.s_addr = ip_string_to_u32(achMCAddr);
+	stDstAddr.sin_port =        htons(nPort);
 
 	socket_out = hSocket;
 	return 0;
@@ -537,7 +538,7 @@ static int recvfrom_destip( int socket, void *buf, int len, struct sockaddr *fro
 	iov[0].iov_base = buf;
 	iov[0].iov_len = len;
 
-	memset( &msg, 0, sizeof msg );
+	memset(&msg, 0, sizeof msg);
 	msg.msg_name = from;
 	msg.msg_namelen = *fromlen;
 	msg.msg_iov = iov;
@@ -545,14 +546,14 @@ static int recvfrom_destip( int socket, void *buf, int len, struct sockaddr *fro
 	msg.msg_control = &cmsg;
 	msg.msg_controllen = sizeof(cmsg);
 
-	size = recvmsg( socket, &msg, 0 );
+	size = recvmsg(socket, &msg, 0);
 
-	if( size == -1 )
+	if (size == -1)
 	{
 		return -1;
 	}
 
-	for( cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL; cmsgptr = CMSG_NXTHDR( &msg, cmsgptr ) )
+	for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL; cmsgptr = CMSG_NXTHDR( &msg, cmsgptr))
 	{
 		if( cmsgptr->cmsg_level == SOL_IP && cmsgptr->cmsg_type == IP_PKTINFO )
 		{
@@ -650,7 +651,7 @@ BOOL send_packet(int hSocket, const char * sendBuffer, int size, U32 recipient,
 			}
 		}
 	}
-	while ( resend && send_attempts < 3);
+	while (resend && send_attempts < 3);
 
 	if (send_attempts >= 3)
 	{
@@ -663,4 +664,63 @@ BOOL send_packet(int hSocket, const char * sendBuffer, int size, U32 recipient,
 
 #endif
 
+int tcp_handshake(LLSocket::ptr_t handle, char * dataout, apr_size_t outlen, char * datain, apr_size_t maxinlen)
+{
+	apr_socket_t* apr_socket = handle->getSocket();
+	apr_status_t rv;
+
+	apr_size_t expected_len = outlen;
+
+    apr_socket_opt_set(apr_socket, APR_SO_NONBLOCK, -5); // Blocking connection, 5 second timeout
+    apr_socket_timeout_set(apr_socket, (APR_USEC_PER_SEC * 5));
+
+	rv = apr_socket_send(apr_socket, dataout, &outlen);
+	if (rv != APR_SUCCESS || expected_len != outlen)
+	{
+		llwarns << "Error sending data to proxy control channel" << llendl;
+		ll_apr_warn_status(rv);
+		return -1;
+	}
+
+	expected_len = maxinlen;
+	do
+	{
+		rv = apr_socket_recv(apr_socket, datain, &maxinlen);
+		llinfos << "Receiving packets." << llendl;
+		llwarns << "Proxy control channel status: " << rv << llendl;
+	} while (APR_STATUS_IS_EAGAIN(rv));
+
+	if (rv != APR_SUCCESS)
+	{
+		llwarns << "Error receiving data from proxy control channel, status: " << rv << llendl;
+		llwarns << "Received " << maxinlen << " bytes." << llendl;
+		ll_apr_warn_status(rv);
+		return rv;
+	}
+	else if (expected_len != maxinlen)
+	{
+		llwarns << "Incorrect data received length in proxy control channel" << llendl;
+		return -1;
+	}
+
+	return 0;
+}
+
+LLSocket::ptr_t tcp_open_channel(LLHost host)
+{
+	LLSocket::ptr_t socket = LLSocket::create(gAPRPoolp, LLSocket::STREAM_TCP);
+	bool connected = socket->blockingConnect(host);
+	if (!connected)
+	{
+		tcp_close_channel(socket);
+	}
+
+	return socket;
+}
+
+void tcp_close_channel(LLSocket::ptr_t handle)
+{
+	handle.reset();
+}
+
 //EOF
diff --git a/indra/llmessage/net.h b/indra/llmessage/net.h
index 9f4f5c5821..0d91cf2a2f 100644
--- a/indra/llmessage/net.h
+++ b/indra/llmessage/net.h
@@ -27,6 +27,9 @@
 #ifndef LL_NET_H					
 #define LL_NET_H
 
+#include "lliosocket.h"
+#include "llapr.h"
+
 class LLTimer;
 class LLHost;
 
@@ -46,12 +49,17 @@ S32		receive_packet(int hSocket, char * receiveBuffer);
 BOOL	send_packet(int hSocket, const char *sendBuffer, int size, U32 recipient, int nPort);	// Returns TRUE on success.
 
 //void	get_sender(char * tmp);
-LLHost  get_sender();
+LLHost	get_sender();
 U32		get_sender_port();
 U32		get_sender_ip(void);
-LLHost  get_receiving_interface();
+LLHost	get_receiving_interface();
 U32		get_receiving_interface_ip(void);
 
+// Some helpful TCP functions
+LLSocket::ptr_t tcp_open_channel(LLHost host); // Open a TCP channel to a given host
+void tcp_close_channel(LLSocket::ptr_t handle); // Close an open TCP channel
+int tcp_handshake(LLSocket::ptr_t handle, char * dataout, apr_size_t outlen, char * datain, apr_size_t maxinlen); // Do a TCP data handshake
+
 const char*	u32_to_ip_string(U32 ip);					// Returns pointer to internal string buffer, "(bad IP addr)" on failure, cannot nest calls 
 char*		u32_to_ip_string(U32 ip, char *ip_string);	// NULL on failure, ip_string on success, you must allocate at least MAXADDRSTR chars
 U32			ip_string_to_u32(const char* ip_string);	// Wrapper for inet_addr()