2 This file is part of GNUnet.
3 Copyright (C) 2009-2013 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
23 * @brief SOCKS5 connection support
24 * @author Jeffrey Burdges
26 * These routines should be called only on newly active connections.
29 #include "gnunet_util_lib.h"
32 #define LOG(kind, ...) GNUNET_log_from (kind, "util-socks", __VA_ARGS__)
34 #define LOG_STRERROR(kind, syscall) \
35 GNUNET_log_from_strerror (kind, "util-socks", syscall)
38 /* SOCKS5 authentication methods */
39 #define SOCKS5_AUTH_REJECT 0xFF /* No acceptable auth method */
40 #define SOCKS5_AUTH_NOAUTH 0x00 /* without authentication */
41 #define SOCKS5_AUTH_GSSAPI 0x01 /* GSSAPI */
42 #define SOCKS5_AUTH_USERPASS 0x02 /* User/Password */
43 #define SOCKS5_AUTH_CHAP 0x03 /* Challenge-Handshake Auth Proto. */
44 #define SOCKS5_AUTH_EAP 0x05 /* Extensible Authentication Proto. */
45 #define SOCKS5_AUTH_MAF 0x08 /* Multi-Authentication Framework */
48 /* SOCKS5 connection responces */
49 #define SOCKS5_REP_SUCCEEDED 0x00 /* succeeded */
50 #define SOCKS5_REP_FAIL 0x01 /* general SOCKS serer failure */
51 #define SOCKS5_REP_NALLOWED 0x02 /* connection not allowed by ruleset */
52 #define SOCKS5_REP_NUNREACH 0x03 /* Network unreachable */
53 #define SOCKS5_REP_HUNREACH 0x04 /* Host unreachable */
54 #define SOCKS5_REP_REFUSED 0x05 /* connection refused */
55 #define SOCKS5_REP_EXPIRED 0x06 /* TTL expired */
56 #define SOCKS5_REP_CNOTSUP 0x07 /* Command not supported */
57 #define SOCKS5_REP_ANOTSUP 0x08 /* Address not supported */
58 #define SOCKS5_REP_INVADDR 0x09 /* Inalid address */
61 SOCKS5_REP_names (int rep)
65 case SOCKS5_REP_SUCCEEDED:
69 return "general SOCKS server failure";
71 case SOCKS5_REP_NALLOWED:
72 return "connection not allowed by ruleset";
74 case SOCKS5_REP_NUNREACH:
75 return "Network unreachable";
77 case SOCKS5_REP_HUNREACH:
78 return "Host unreachable";
80 case SOCKS5_REP_REFUSED:
81 return "connection refused";
83 case SOCKS5_REP_EXPIRED:
86 case SOCKS5_REP_CNOTSUP:
87 return "Command not supported";
89 case SOCKS5_REP_ANOTSUP:
90 return "Address not supported";
92 case SOCKS5_REP_INVADDR:
93 return "Invalid address";
102 * Encode a string for the SOCKS5 protocol by prefixing it a byte stating its
103 * length and stripping the trailing zero byte. Truncates any string longer
106 * @param b buffer to contain the encoded string
107 * @param s string to encode
108 * @return pointer to the end of the encoded string in the buffer
111 SOCK5_proto_string (unsigned char *b, const char *s)
113 size_t l = strlen (s);
117 LOG (GNUNET_ERROR_TYPE_WARNING,
118 "SOCKS5 cannot handle hostnames, usernames, or passwords over 255 bytes, truncating.\n");
121 *(b++) = (unsigned char) l;
127 #define SOCKS5_step_greet 0
128 #define SOCKS5_step_auth 1
129 #define SOCKS5_step_cmd 2
130 #define SOCKS5_step_done 3
133 * State of the SOCKS5 handshake.
135 struct GNUNET_SOCKS_Handshake
138 * Connection handle used for SOCKS5
140 struct GNUNET_CONNECTION_Handle *socks5_connection;
143 * Connection handle initially returned to client
145 struct GNUNET_CONNECTION_Handle *target_connection;
148 * Transmission handle on socks5_connection.
150 struct GNUNET_CONNECTION_TransmitHandle *th;
153 * Our stage in the SOCKS5 handshake
158 * Precomputed SOCKS5 handshake ouput buffer
160 unsigned char outbuf[1024];
163 * Pointers delineating protoocol steps in the outbut buffer
165 unsigned char *(outstep[4]);
168 * SOCKS5 handshake input buffer
170 unsigned char inbuf[1024];
173 * Pointers delimiting the current step in the input buffer
175 unsigned char *instart;
176 unsigned char *inend;
180 /* Regitering prototypes */
183 register_reciever (struct GNUNET_SOCKS_Handshake *ih, int want);
185 /* In fact, the client sends first rule in GNUnet suggests one could take
186 * large mac read sizes without fear of screwing up the proxied protocol,
187 * but we make a proper SOCKS5 client. */
188 #define register_reciever_wants(ih) ((SOCKS5_step_cmd == ih->step) ? 10 : 2)
191 struct GNUNET_CONNECTION_TransmitHandle *
192 register_sender (struct GNUNET_SOCKS_Handshake *ih);
196 * Conclude the SOCKS5 handshake successfully.
198 * @param ih SOCKS5 handshake, consumed here.
199 * @param c open unused connection, consumed here.
200 * @return Connection handle that becomes usable when the handshake completes.
203 SOCKS5_handshake_done (struct GNUNET_SOCKS_Handshake *ih)
205 GNUNET_CONNECTION_acivate_proxied (ih->target_connection);
210 * Read one step in the SOCKS5 handshake.
212 * @param ih SOCKS5 Handshake
215 SOCKS5_handshake_step (struct GNUNET_SOCKS_Handshake *ih)
217 unsigned char *b = ih->instart;
218 size_t available = ih->inend - b;
220 int want = register_reciever_wants (ih);
222 if (available < want)
224 register_reciever (ih, want - available);
227 GNUNET_assert (SOCKS5_step_done > ih->step && ih->step >= 0);
230 case SOCKS5_step_greet: /* SOCKS5 server's greeting */
233 LOG (GNUNET_ERROR_TYPE_ERROR, "Not a SOCKS5 server\n");
238 case SOCKS5_AUTH_NOAUTH:
239 ih->step = SOCKS5_step_cmd; /* no authentication to do */
242 case SOCKS5_AUTH_USERPASS:
243 ih->step = SOCKS5_step_auth;
246 case SOCKS5_AUTH_REJECT:
247 LOG (GNUNET_ERROR_TYPE_ERROR, "No authentication method accepted\n");
251 LOG (GNUNET_ERROR_TYPE_ERROR,
252 "Not a SOCKS5 server / Nonsensical authentication\n");
258 case SOCKS5_step_auth: /* SOCKS5 server's responce to authentication */
261 LOG (GNUNET_ERROR_TYPE_ERROR, "SOCKS5 authentication failed\n");
264 ih->step = SOCKS5_step_cmd;
268 case SOCKS5_step_cmd: /* SOCKS5 server's responce to command */
271 LOG (GNUNET_ERROR_TYPE_ERROR, "SOCKS5 protocol error\n");
276 LOG (GNUNET_ERROR_TYPE_ERROR,
277 "SOCKS5 connection error : %s\n",
278 SOCKS5_REP_names (b[1]));
282 /* There is no reason to verify host and port afaik. */
286 b += sizeof(struct in_addr); /* 4 */
290 b += sizeof(struct in6_addr); /* 16 */
293 case 3: /* hostname */
300 register_reciever (ih, b - ih->inend);
303 ih->step = SOCKS5_step_done;
304 LOG (GNUNET_ERROR_TYPE_DEBUG,
305 "SOCKS5 server : %s\n",
306 SOCKS5_REP_names (b[1]));
308 SOCKS5_handshake_done (ih);
311 case SOCKS5_step_done:
315 /* Do not reschedule the sender unless we're done reading.
316 * I imagine this lets us avoid ever cancelling the transmit handle. */
317 register_sender (ih);
322 * Callback to read from the SOCKS5 proxy.
324 * @param client the service
325 * @param handler function to call with the message
326 * @param handler_cls closure for @a handler
332 const struct sockaddr *addr,
336 struct GNUNET_SOCKS_Handshake *ih = cls;
338 GNUNET_assert (&ih->inend[available] < &ih->inbuf[1024]);
339 GNUNET_memcpy (ih->inend, buf, available);
340 ih->inend += available;
341 SOCKS5_handshake_step (ih);
346 * Register callback to read from the SOCKS5 proxy.
348 * @param client the service
349 * @param handler function to call with the message
350 * @param handler_cls closure for @a handler
353 register_reciever (struct GNUNET_SOCKS_Handshake *ih, int want)
355 GNUNET_CONNECTION_receive (ih->socks5_connection,
357 GNUNET_TIME_relative_get_minute_ (),
364 * Register SOCKS5 handshake sender
366 * @param cls closure (SOCKS handshake)
367 * @param size number of bytes available in @a buf
368 * @param buf where the callee should write the message
369 * @return number of bytes written to @a buf
372 transmit_ready (void *cls, size_t size, void *buf)
374 struct GNUNET_SOCKS_Handshake *ih = cls;
376 /* connection.c has many routines that call us with buf == NULL :
377 * signal_transmit_error() - DNS, etc. active
378 * connect_fail_continuation()
379 * connect_probe_continuation() - timeout
380 * try_connect_using_address() - DNS failure/timeout
381 * transmit_timeout() - retry failed?
382 * GNUNET_CONNECTION_notify_transmit_ready() can schedule :
383 * transmit_timeout() - DNS still working
384 * connect_error() - DNS done but no socket?
385 * transmit_ready() - scheduler shutdown or timeout, or signal_transmit_error()
386 * We'd need to dig into the scheduler to guess at the reason, as
387 * connection.c tells us nothing itself, but mostly its timouts.
388 * Initially, we'll simply ignore this and leave massive timeouts, but
389 * maybe that should change for error handling pruposes. It appears that
390 * successful operations, including DNS resolution, do not use this. */
395 LOG (GNUNET_ERROR_TYPE_WARNING,
396 "Timeout contacting SOCKS server, retrying indefinitely, but probably hopeless.\n");
397 register_sender (ih);
401 LOG (GNUNET_ERROR_TYPE_ERROR,
402 "Timeout during mid SOCKS handshake (step %u), probably not a SOCKS server.\n",
409 GNUNET_assert ((1024 >= size) && (size > 0));
410 GNUNET_assert ((SOCKS5_step_done > ih->step) && (ih->step >= 0));
411 unsigned char *b = ih->outstep[ih->step];
412 unsigned char *e = ih->outstep[ih->step + 1];
413 GNUNET_assert (e <= &ih->outbuf[1024]);
414 unsigned int l = e - b;
415 GNUNET_assert (size >= l);
416 GNUNET_memcpy (buf, b, l);
417 register_reciever (ih, register_reciever_wants (ih));
423 * Register SOCKS5 handshake sender
425 * @param ih handshake
426 * @return non-NULL if the notify callback was queued,
427 * NULL if we are already going to notify someone else (busy)
429 struct GNUNET_CONNECTION_TransmitHandle *
430 register_sender (struct GNUNET_SOCKS_Handshake *ih)
432 struct GNUNET_TIME_Relative timeout = GNUNET_TIME_UNIT_MINUTES;
434 GNUNET_assert (SOCKS5_step_done > ih->step);
435 GNUNET_assert (ih->step >= 0);
437 timeout = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MINUTES, 3);
438 unsigned char *b = ih->outstep[ih->step];
439 unsigned char *e = ih->outstep[ih->step + 1];
440 GNUNET_assert (ih->outbuf <= b && b < e && e < &ih->outbuf[1024]);
441 ih->th = GNUNET_CONNECTION_notify_transmit_ready (ih->socks5_connection,
451 * Initialize a SOCKS5 handshake for authentication via username and
452 * password. Tor uses SOCKS username and password authentication to assign
453 * programs unique circuits.
455 * @param user username for the proxy
456 * @param pass password for the proxy
457 * @return Valid SOCKS5 hanbdshake handle
459 struct GNUNET_SOCKS_Handshake *
460 GNUNET_SOCKS_init_handshake (const char *user, const char *pass)
462 struct GNUNET_SOCKS_Handshake *ih =
463 GNUNET_new (struct GNUNET_SOCKS_Handshake);
464 unsigned char *b = ih->outbuf;
466 ih->outstep[SOCKS5_step_greet] = b;
467 *(b++) = 5; /* SOCKS5 */
468 unsigned char *n = b++;
469 *n = 1; /* Number of authentication methods */
470 /* We support no authentication even when requesting authentication,
471 * but this appears harmless, given the way that Tor uses authentication.
472 * And some SOCKS5 servers might require this. */
473 *(b++) = SOCKS5_AUTH_NOAUTH;
476 *(b++) = SOCKS5_AUTH_USERPASS;
479 /* There is no apperent reason to support authentication methods beyond
480 * username and password since afaik Tor does not support them. */
482 /* We authenticate with an empty username and password if the server demands
483 * them but we do not have any. */
489 ih->outstep[SOCKS5_step_auth] = b;
490 *(b++) = 1; /* subnegotiation ver.: 1 */
491 b = SOCK5_proto_string (b, user);
492 b = SOCK5_proto_string (b, pass);
494 ih->outstep[SOCKS5_step_cmd] = b;
496 ih->inend = ih->instart = ih->inbuf;
503 * Initialize a SOCKS5 handshake without authentication, thereby possibly
504 * sharing a Tor circuit with another process.
506 * @return Valid SOCKS5 hanbdshake handle
508 struct GNUNET_SOCKS_Handshake *
509 GNUNET_SOCKS_init_handshake_noauth ()
511 return GNUNET_SOCKS_init_handshake (NULL, NULL);
516 * Build request that the SOCKS5 proxy open a TCP/IP stream to the given host
519 * @param ih SOCKS5 handshake
524 GNUNET_SOCKS_set_handshake_destination (struct GNUNET_SOCKS_Handshake *ih,
533 unsigned char *b = ih->outstep[SOCKS5_step_cmd];
535 *(b++) = 5; /* SOCKS5 */
536 *(b++) = 1; /* Establish a TCP/IP stream */
537 *(b++) = 0; /* reserved */
539 /* Specify destination */
540 if (1 == inet_pton (AF_INET, host, &ia.in4))
542 *(b++) = 1; /* IPv4 */
543 GNUNET_memcpy (b, &ia.in4, sizeof(struct in_addr));
544 b += sizeof(struct in_addr); /* 4 */
546 else if (1 == inet_pton (AF_INET6, host, &ia.in6))
548 *(b++) = 4; /* IPv6 */
549 GNUNET_memcpy (b, &ia.in6, sizeof(struct in6_addr));
550 b += sizeof(struct in6_addr); /* 16 */
554 *(b++) = 3; /* hostname */
555 b = SOCK5_proto_string (b, host);
559 *(uint16_t *) b = htons (port);
562 ih->outstep[SOCKS5_step_done] = b;
567 * Run a SOCKS5 handshake on an open but unused TCP connection.
569 * @param ih SOCKS5 handshake, consumed here.
570 * @param c open unused connection, consumed here.
571 * @return Connection handle that becomes usable when the SOCKS5 handshake completes.
573 struct GNUNET_CONNECTION_Handle *
574 GNUNET_SOCKS_run_handshake (struct GNUNET_SOCKS_Handshake *ih,
575 struct GNUNET_CONNECTION_Handle *c)
577 ih->socks5_connection = c;
578 ih->target_connection = GNUNET_CONNECTION_create_proxied_from_handshake (c);
579 register_sender (ih);
581 return ih->target_connection;
586 * Check if a SOCKS proxy is required by a service. Do not use local service
587 * if a SOCKS proxy port is configured as this could deanonymize a user.
589 * @param service_name name of service to connect to
590 * @param cfg configuration to use
591 * @return GNUNET_YES if so, GNUNET_NO if not
594 GNUNET_SOCKS_check_service (const char *service_name,
595 const struct GNUNET_CONFIGURATION_Handle *cfg)
597 return GNUNET_CONFIGURATION_have_value (cfg, service_name, "SOCKSPORT") ||
598 GNUNET_CONFIGURATION_have_value (cfg, service_name, "SOCKSHOST");
603 * Try to connect to a service configured to use a SOCKS5 proxy.
605 * @param service_name name of service to connect to
606 * @param cfg configuration to use
607 * @return Connection handle that becomes usable when the handshake completes.
608 * NULL if SOCKS not configured or not configured properly
610 struct GNUNET_CONNECTION_Handle *
611 GNUNET_SOCKS_do_connect (const char *service_name,
612 const struct GNUNET_CONFIGURATION_Handle *cfg)
614 struct GNUNET_SOCKS_Handshake *ih;
615 struct GNUNET_CONNECTION_Handle *socks5; /* *proxied */
620 unsigned long long port0;
621 unsigned long long port1;
623 if (GNUNET_YES != GNUNET_SOCKS_check_service (service_name, cfg))
625 if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_number (cfg,
630 /* A typical Tor client should usually try port 9150 for the TBB too, but
631 * GNUnet can probably assume a system Tor installation. */
632 if ((port0 > 65535)||(port0 <= 0))
634 LOG (GNUNET_ERROR_TYPE_WARNING,
636 "Attempting to use invalid port %d as SOCKS proxy for service `%s'.\n"),
641 if ((GNUNET_OK != GNUNET_CONFIGURATION_get_value_number (cfg,
645 (port1 > 65535) || (port1 <= 0) ||
646 (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
651 LOG (GNUNET_ERROR_TYPE_WARNING,
653 "Attempting to proxy service `%s' to invalid port %d or hostname.\n"),
658 /* Appeared to still work after host0 corrupted, so either test case is broken, or
659 this whole routine is not being called. */
660 if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
665 socks5 = GNUNET_CONNECTION_create_from_connect (cfg,
666 (host0 != NULL) ? host0
669 GNUNET_free_non_null (host0);
671 /* Sets to NULL if they do not exist */
672 (void) GNUNET_CONFIGURATION_get_value_string (cfg,
676 (void) GNUNET_CONFIGURATION_get_value_string (cfg,
680 ih = GNUNET_SOCKS_init_handshake (user, pass);
681 GNUNET_free_non_null (user);
682 GNUNET_free_non_null (pass);
684 GNUNET_SOCKS_set_handshake_destination (ih, host1, port1);
686 return GNUNET_SOCKS_run_handshake (ih, socks5);