2 This file is part of GNUnet.
3 Copyright (C) 2009-2013 GNUnet e.V.
5 GNUnet is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published
7 by the Free Software Foundation; either version 3, or (at your
8 option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with GNUnet; see the file COPYING. If not, write to the
17 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
18 Boston, MA 02110-1301, USA.
23 * @brief SOCKS5 connection support
24 * @author Jeffrey Burdges
26 * These routines should be called only on newly active connections.
29 #include "gnunet_util_lib.h"
32 #define LOG(kind,...) GNUNET_log_from (kind, "socks", __VA_ARGS__)
34 #define LOG_STRERROR(kind,syscall) GNUNET_log_from_strerror (kind, "socks", syscall)
37 /* SOCKS5 authentication methods */
38 #define SOCKS5_AUTH_REJECT 0xFF /* No acceptable auth method */
39 #define SOCKS5_AUTH_NOAUTH 0x00 /* without authentication */
40 #define SOCKS5_AUTH_GSSAPI 0x01 /* GSSAPI */
41 #define SOCKS5_AUTH_USERPASS 0x02 /* User/Password */
42 #define SOCKS5_AUTH_CHAP 0x03 /* Challenge-Handshake Auth Proto. */
43 #define SOCKS5_AUTH_EAP 0x05 /* Extensible Authentication Proto. */
44 #define SOCKS5_AUTH_MAF 0x08 /* Multi-Authentication Framework */
47 /* SOCKS5 connection responces */
48 #define SOCKS5_REP_SUCCEEDED 0x00 /* succeeded */
49 #define SOCKS5_REP_FAIL 0x01 /* general SOCKS serer failure */
50 #define SOCKS5_REP_NALLOWED 0x02 /* connection not allowed by ruleset */
51 #define SOCKS5_REP_NUNREACH 0x03 /* Network unreachable */
52 #define SOCKS5_REP_HUNREACH 0x04 /* Host unreachable */
53 #define SOCKS5_REP_REFUSED 0x05 /* connection refused */
54 #define SOCKS5_REP_EXPIRED 0x06 /* TTL expired */
55 #define SOCKS5_REP_CNOTSUP 0x07 /* Command not supported */
56 #define SOCKS5_REP_ANOTSUP 0x08 /* Address not supported */
57 #define SOCKS5_REP_INVADDR 0x09 /* Inalid address */
59 const char * SOCKS5_REP_names(int rep)
62 case SOCKS5_REP_SUCCEEDED: return "succeeded";
63 case SOCKS5_REP_FAIL: return "general SOCKS server failure";
64 case SOCKS5_REP_NALLOWED: return "connection not allowed by ruleset";
65 case SOCKS5_REP_NUNREACH: return "Network unreachable";
66 case SOCKS5_REP_HUNREACH: return "Host unreachable";
67 case SOCKS5_REP_REFUSED: return "connection refused";
68 case SOCKS5_REP_EXPIRED: return "TTL expired";
69 case SOCKS5_REP_CNOTSUP: return "Command not supported";
70 case SOCKS5_REP_ANOTSUP: return "Address not supported";
71 case SOCKS5_REP_INVADDR: return "Invalid address";
78 * Encode a string for the SOCKS5 protocol by prefixing it a byte stating its
79 * length and stipping the trailing zero byte. Truncates any string longer
82 * @param b buffer to contain the encoded string
83 * @param s string to encode
84 * @return pointer to the end of the encoded string in the buffer
86 unsigned char * SOCK5_proto_string(unsigned char * b, const char * s)
90 LOG (GNUNET_ERROR_TYPE_WARNING,
91 "SOCKS5 cannot handle hostnames, usernames, or passwords over 255 bytes, truncating.\n");
94 *(b++) = (unsigned char)l;
95 strncpy((char *)b,s,l);
100 #define SOCKS5_step_greet 0
101 #define SOCKS5_step_auth 1
102 #define SOCKS5_step_cmd 2
103 #define SOCKS5_step_done 3
106 * State of the SOCKS5 handshake.
108 struct GNUNET_SOCKS_Handshake
112 * Connection handle used for SOCKS5
114 struct GNUNET_CONNECTION_Handle *socks5_connection;
117 * Connection handle initially returned to client
119 struct GNUNET_CONNECTION_Handle *target_connection;
122 * Transmission handle on socks5_connection.
124 struct GNUNET_CONNECTION_TransmitHandle *th;
127 * Our stage in the SOCKS5 handshake
132 * Precomputed SOCKS5 handshake ouput buffer
134 unsigned char outbuf[1024];
137 * Pointers delineating protoocol steps in the outbut buffer
139 unsigned char * (outstep[4]);
142 * SOCKS5 handshake input buffer
144 unsigned char inbuf[1024];
147 * Pointers delimiting the current step in the input buffer
149 unsigned char * instart;
150 unsigned char * inend;
154 /* Regitering prototypes */
157 register_reciever (struct GNUNET_SOCKS_Handshake *ih, int want);
159 /* In fact, the client sends first rule in GNUNet suggests one could take
160 * large mac read sizes without fear of screwing up the proxied protocol,
161 * but we make a proper SOCKS5 client. */
162 #define register_reciever_wants(ih) ((SOCKS5_step_cmd == ih->step) ? 10 : 2)
165 struct GNUNET_CONNECTION_TransmitHandle *
166 register_sender (struct GNUNET_SOCKS_Handshake *ih);
170 * Conclude the SOCKS5 handshake successfully.
172 * @param ih SOCKS5 handshake, consumed here.
173 * @param c open unused connection, consumed here.
174 * @return Connection handle that becomes usable when the handshake completes.
177 SOCKS5_handshake_done(struct GNUNET_SOCKS_Handshake *ih)
179 GNUNET_CONNECTION_acivate_proxied (ih->target_connection);
184 * Read one step in the SOCKS5 handshake.
186 * @param ih SOCKS5 Handshake
189 SOCKS5_handshake_step (struct GNUNET_SOCKS_Handshake *ih)
191 unsigned char * b = ih->instart;
192 size_t available = ih->inend - b;
194 int want = register_reciever_wants(ih);
195 if (available < want) {
196 register_reciever (ih, want - available);
199 GNUNET_assert (SOCKS5_step_done > ih->step && ih->step >= 0);
201 case SOCKS5_step_greet: /* SOCKS5 server's greeting */
204 LOG (GNUNET_ERROR_TYPE_ERROR,
205 "Not a SOCKS5 server\n");
209 case SOCKS5_AUTH_NOAUTH:
210 ih->step=SOCKS5_step_cmd; /* no authentication to do */
212 case SOCKS5_AUTH_USERPASS:
213 ih->step=SOCKS5_step_auth;
215 case SOCKS5_AUTH_REJECT:
216 LOG (GNUNET_ERROR_TYPE_ERROR,
217 "No authentication method accepted\n");
220 LOG (GNUNET_ERROR_TYPE_ERROR,
221 "Not a SOCKS5 server / Nonsensical authentication\n");
226 case SOCKS5_step_auth: /* SOCKS5 server's responce to authentication */
229 LOG (GNUNET_ERROR_TYPE_ERROR,
230 "SOCKS5 authentication failed\n");
233 ih->step=SOCKS5_step_cmd;
236 case SOCKS5_step_cmd: /* SOCKS5 server's responce to command */
239 LOG (GNUNET_ERROR_TYPE_ERROR,
240 "SOCKS5 protocol error\n");
244 LOG (GNUNET_ERROR_TYPE_ERROR,
245 "SOCKS5 connection error : %s\n",
246 SOCKS5_REP_names(b[1]));
250 /* There is no reason to verify host and port afaik. */
253 b += sizeof(struct in_addr); /* 4 */
256 b += sizeof(struct in6_addr); /* 16 */
258 case 3: /* hostname */
264 register_reciever (ih, b - ih->inend);
267 ih->step = SOCKS5_step_done;
268 LOG (GNUNET_ERROR_TYPE_DEBUG,
269 "SOCKS5 server : %s\n",
270 SOCKS5_REP_names(b[1]));
272 SOCKS5_handshake_done (ih);
274 case SOCKS5_step_done:
278 /* Do not reschedule the sender unless we're done reading.
279 * I imagine this lets us avoid ever cancelling the transmit handle. */
280 register_sender (ih);
285 * Callback to read from the SOCKS5 proxy.
287 * @param client the service
288 * @param handler function to call with the message
289 * @param handler_cls closure for @a handler
293 const void *buf, size_t available,
294 const struct sockaddr * addr,
295 socklen_t addrlen, int errCode)
297 struct GNUNET_SOCKS_Handshake * ih = cls;
298 GNUNET_assert (&ih->inend[available] < &ih->inbuf[1024]);
299 memcpy(ih->inend, buf, available);
300 ih->inend += available;
301 SOCKS5_handshake_step (ih);
306 * Register callback to read from the SOCKS5 proxy.
308 * @param client the service
309 * @param handler function to call with the message
310 * @param handler_cls closure for @a handler
313 register_reciever (struct GNUNET_SOCKS_Handshake *ih, int want)
315 GNUNET_CONNECTION_receive (ih->socks5_connection,
317 GNUNET_TIME_relative_get_minute_ (),
324 * Register SOCKS5 handshake sender
326 * @param cls closure (SOCKS handshake)
327 * @param size number of bytes available in @a buf
328 * @param buf where the callee should write the message
329 * @return number of bytes written to @a buf
332 transmit_ready (void *cls,
336 struct GNUNET_SOCKS_Handshake * ih = cls;
338 /* connection.c has many routines that call us with buf == NULL :
339 * signal_transmit_error() - DNS, etc. active
340 * connect_fail_continuation()
341 * connect_probe_continuation() - timeout
342 * try_connect_using_address() - DNS failure/timeout
343 * transmit_timeout() - retry failed?
344 * GNUNET_CONNECTION_notify_transmit_ready() can schedule :
345 * transmit_timeout() - DNS still working
346 * connect_error() - DNS done but no socket?
347 * transmit_ready() - scheduler shutdown or timeout, or signal_transmit_error()
348 * We'd need to dig into the scheduler to guess at the reason, as
349 * connection.c tells us nothing itself, but mostly its timouts.
350 * Initially, we'll simply ignore this and leave massive timeouts, but
351 * maybe that should change for error handling pruposes. It appears that
352 * successful operations, including DNS resolution, do not use this. */
357 LOG (GNUNET_ERROR_TYPE_WARNING,
358 "Timeout contacting SOCKS server, retrying indefinitely, but probably hopeless.\n");
359 register_sender (ih);
363 LOG (GNUNET_ERROR_TYPE_ERROR,
364 "Timeout during mid SOCKS handshake (step %u), probably not a SOCKS server.\n",
371 GNUNET_assert (1024 >= size && size > 0);
372 GNUNET_assert (SOCKS5_step_done > ih->step && ih->step >= 0);
373 unsigned char * b = ih->outstep[ih->step];
374 unsigned char * e = ih->outstep[ih->step+1];
375 GNUNET_assert (e <= &ih->outbuf[1024]);
377 GNUNET_assert (size >= l && l >= 0);
379 register_reciever (ih, register_reciever_wants(ih));
385 * Register SOCKS5 handshake sender
387 * @param ih handshake
388 * @return non-NULL if the notify callback was queued,
389 * NULL if we are already going to notify someone else (busy)
391 struct GNUNET_CONNECTION_TransmitHandle *
392 register_sender (struct GNUNET_SOCKS_Handshake *ih)
394 struct GNUNET_TIME_Relative timeout = GNUNET_TIME_UNIT_MINUTES;
396 GNUNET_assert (SOCKS5_step_done > ih->step);
397 GNUNET_assert (ih->step >= 0);
399 timeout = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MINUTES, 3);
400 unsigned char * b = ih->outstep[ih->step];
401 unsigned char * e = ih->outstep[ih->step+1];
402 GNUNET_assert (ih->outbuf <= b && b < e && e < &ih->outbuf[1024]);
403 ih->th = GNUNET_CONNECTION_notify_transmit_ready (ih->socks5_connection,
413 * Initialize a SOCKS5 handshake for authentication via username and
414 * password. Tor uses SOCKS username and password authentication to assign
415 * programs unique circuits.
417 * @param user username for the proxy
418 * @param pass password for the proxy
419 * @return Valid SOCKS5 hanbdshake handle
421 struct GNUNET_SOCKS_Handshake *
422 GNUNET_SOCKS_init_handshake (const char *user, const char *pass)
424 struct GNUNET_SOCKS_Handshake *ih = GNUNET_new (struct GNUNET_SOCKS_Handshake);
425 unsigned char * b = ih->outbuf;
427 ih->outstep[SOCKS5_step_greet] = b;
428 *(b++) = 5; /* SOCKS5 */
429 unsigned char * n = b++;
430 *n = 1; /* Number of authentication methods */
431 /* We support no authentication even when requesting authentication,
432 * but this appears harmless, given the way that Tor uses authentication.
433 * And some SOCKS5 servers might require this. */
434 *(b++) = SOCKS5_AUTH_NOAUTH;
436 *(b++) = SOCKS5_AUTH_USERPASS;
439 /* There is no apperent reason to support authentication methods beyond
440 * username and password since afaik Tor does not support them. */
442 /* We authenticate with an empty username and password if the server demands
443 * them but we do not have any. */
449 ih->outstep[SOCKS5_step_auth] = b;
450 *(b++) = 1; /* subnegotiation ver.: 1 */
451 b = SOCK5_proto_string(b,user);
452 b = SOCK5_proto_string(b,pass);
454 ih->outstep[SOCKS5_step_cmd] = b;
456 ih->inend = ih->instart = ih->inbuf;
463 * Initialize a SOCKS5 handshake without authentication, thereby possibly
464 * sharing a Tor circuit with another process.
466 * @return Valid SOCKS5 hanbdshake handle
468 struct GNUNET_SOCKS_Handshake *
469 GNUNET_SOCKS_init_handshake_noauth ()
471 return GNUNET_SOCKS_init_handshake (NULL,NULL);
476 * Build request that the SOCKS5 proxy open a TCP/IP stream to the given host
479 * @param ih SOCKS5 handshake
484 GNUNET_SOCKS_set_handshake_destination (struct GNUNET_SOCKS_Handshake *ih,
485 const char *host, uint16_t port)
491 unsigned char * b = ih->outstep[SOCKS5_step_cmd];
493 *(b++) = 5; /* SOCKS5 */
494 *(b++) = 1; /* Establish a TCP/IP stream */
495 *(b++) = 0; /* reserved */
497 /* Specify destination */
498 if (1 == inet_pton(AF_INET,host,&ia.in4)) {
499 *(b++)= 1; /* IPv4 */
500 memcpy (b, &ia.in4, sizeof(struct in_addr));
501 b += sizeof(struct in_addr); /* 4 */
502 } else if (1 == inet_pton(AF_INET6,host,&ia.in6)) {
503 *(b++)= 4; /* IPv6 */
504 memcpy (b, &ia.in6, sizeof(struct in6_addr));
505 b += sizeof(struct in6_addr); /* 16 */
507 *(b++)= 3; /* hostname */
508 b = SOCK5_proto_string (b, host);
512 *(uint16_t*)b = htons (port);
515 ih->outstep[SOCKS5_step_done] = b;
520 * Run a SOCKS5 handshake on an open but unused TCP connection.
522 * @param ih SOCKS5 handshake, consumed here.
523 * @param c open unused connection, consumed here.
524 * @return Connection handle that becomes usable when the SOCKS5 handshake completes.
526 struct GNUNET_CONNECTION_Handle *
527 GNUNET_SOCKS_run_handshake(struct GNUNET_SOCKS_Handshake *ih,
528 struct GNUNET_CONNECTION_Handle *c)
530 ih->socks5_connection=c;
531 ih->target_connection = GNUNET_CONNECTION_create_proxied_from_handshake (c);
532 register_sender (ih);
534 return ih->target_connection;
539 * Check if a SOCKS proxy is required by a service. Do not use local service
540 * if a SOCKS proxy port is configured as this could deanonymize a user.
542 * @param service_name name of service to connect to
543 * @param cfg configuration to use
544 * @return GNUNET_YES if so, GNUNET_NO if not
547 GNUNET_SOCKS_check_service (const char *service_name,
548 const struct GNUNET_CONFIGURATION_Handle *cfg)
550 return GNUNET_CONFIGURATION_have_value (cfg, service_name, "SOCKSPORT") ||
551 GNUNET_CONFIGURATION_have_value (cfg, service_name, "SOCKSHOST");
556 * Try to connect to a service configured to use a SOCKS5 proxy.
558 * @param service_name name of service to connect to
559 * @param cfg configuration to use
560 * @return Connection handle that becomes usable when the handshake completes.
561 * NULL if SOCKS not configured or not configured properly
563 struct GNUNET_CONNECTION_Handle *
564 GNUNET_SOCKS_do_connect (const char *service_name,
565 const struct GNUNET_CONFIGURATION_Handle *cfg)
567 struct GNUNET_SOCKS_Handshake *ih;
568 struct GNUNET_CONNECTION_Handle *socks5; /* *proxied */
569 char *host0,*host1,*user,*pass;
570 unsigned long long port0,port1;
572 if (GNUNET_YES != GNUNET_SOCKS_check_service (service_name, cfg))
575 GNUNET_CONFIGURATION_get_value_number (cfg, service_name, "SOCKSPORT", &port0))
577 /* A typical Tor client should usually try port 9150 for the TBB too, but
578 * GUNNet can probably assume a system Tor instalation. */
580 GNUNET_CONFIGURATION_get_value_string (cfg, service_name, "SOCKSHOST", &host0))
582 if (port0 > 65535 || port0 <= 0)
584 LOG (GNUNET_ERROR_TYPE_WARNING,
586 ("Attempting to use invalid port %d as SOCKS proxy for service `%s'.\n"),
592 GNUNET_CONFIGURATION_get_value_number (cfg, service_name, "PORT", &port1))
593 || (port1 > 65535) || (port1 <= 0) ||
595 GNUNET_CONFIGURATION_get_value_string (cfg, service_name, "HOSTNAME", &host1)))
597 LOG (GNUNET_ERROR_TYPE_WARNING,
599 ("Attempting to proxy service `%s' to invalid port %d or hostname `%s'.\n"),
600 service_name,port1,host1);
604 socks5 = GNUNET_CONNECTION_create_from_connect (cfg, host0, port0);
607 /* Sets to NULL if they do not exist */
608 GNUNET_CONFIGURATION_get_value_string (cfg, service_name, "SOCKSUSER", &user);
609 GNUNET_CONFIGURATION_get_value_string (cfg, service_name, "SOCKSPASS", &pass);
610 ih = GNUNET_SOCKS_init_handshake(user,pass);
611 if (NULL != user) GNUNET_free (user);
612 if (NULL != pass) GNUNET_free (pass);
614 GNUNET_SOCKS_set_handshake_destination (ih,host1,port1);
617 return GNUNET_SOCKS_run_handshake(ih,socks5);