Initial Cut of Tor/Service/Authentication App
This commit is contained in:
parent
ed506c3f4a
commit
a97f5ce12c
|
@ -3,6 +3,8 @@
|
||||||
<component name="NewModuleRootManager">
|
<component name="NewModuleRootManager">
|
||||||
<content url="file://$MODULE_DIR$">
|
<content url="file://$MODULE_DIR$">
|
||||||
<sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
|
<sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
|
||||||
|
<sourceFolder url="file://$MODULE_DIR$/tests" isTestSource="true" />
|
||||||
|
<sourceFolder url="file://$MODULE_DIR$/deps/rust-socks/src" isTestSource="false" />
|
||||||
<excludeFolder url="file://$MODULE_DIR$/target" />
|
<excludeFolder url="file://$MODULE_DIR$/target" />
|
||||||
</content>
|
</content>
|
||||||
<orderEntry type="inheritedJdk" />
|
<orderEntry type="inheritedJdk" />
|
||||||
|
|
19
Cargo.toml
19
Cargo.toml
|
@ -1,16 +1,31 @@
|
||||||
[package]
|
[package]
|
||||||
name = "tapir-rs"
|
name = "tapir"
|
||||||
version = "0.1.0"
|
version = "0.1.0"
|
||||||
authors = ["Sarah Jamie Lewis <sarah@openprivacy.ca>"]
|
authors = ["Sarah Jamie Lewis <sarah@openprivacy.ca>"]
|
||||||
edition = "2018"
|
edition = "2018"
|
||||||
|
|
||||||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||||
|
|
||||||
|
[workspace]
|
||||||
|
members = ["deps/rust-socks"]
|
||||||
|
|
||||||
|
|
||||||
|
[[test]]
|
||||||
|
name = "simple_setup"
|
||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
torut = "0.1.6"
|
|
||||||
rand = "0.7.3"
|
rand = "0.7.3"
|
||||||
curve25519-dalek = "3.0.0"
|
curve25519-dalek = "3.0.0"
|
||||||
x25519-dalek = "1.1"
|
x25519-dalek = "1.1"
|
||||||
ed25519-dalek = "1.0.1"
|
ed25519-dalek = "1.0.1"
|
||||||
merlin = "2.0.0"
|
merlin = "2.0.0"
|
||||||
hex = "0.4.2"
|
hex = "0.4.2"
|
||||||
|
base32 = "0.4.0"
|
||||||
|
base64 = "0.13.0"
|
||||||
|
sha3 = "0.9.1"
|
||||||
|
serde = { version = "1.0", features = ["derive"] }
|
||||||
|
serde_json = "1.0.59"
|
||||||
|
byteorder = "1.3.4"
|
||||||
|
socks = {path="./deps/rust-socks"}
|
||||||
|
integer-encoding = "2.1.1"
|
||||||
|
secretbox = "0.1.2"
|
|
@ -0,0 +1,42 @@
|
||||||
|
restore_registry: &RESTORE_REGISTRY
|
||||||
|
restore_cache:
|
||||||
|
key: registry
|
||||||
|
save_registry: &SAVE_REGISTRY
|
||||||
|
save_cache:
|
||||||
|
key: registry-{{ .BuildNum }}
|
||||||
|
paths:
|
||||||
|
- /usr/local/cargo/registry/index
|
||||||
|
deps_key: &DEPS_KEY
|
||||||
|
key: deps-{{ checksum "~/rust-version" }}-{{ checksum "Cargo.lock" }}
|
||||||
|
restore_deps: &RESTORE_DEPS
|
||||||
|
restore_cache:
|
||||||
|
<<: *DEPS_KEY
|
||||||
|
save_deps: &SAVE_DEPS
|
||||||
|
save_cache:
|
||||||
|
<<: *DEPS_KEY
|
||||||
|
paths:
|
||||||
|
- target
|
||||||
|
- /usr/local/cargo/registry/cache
|
||||||
|
|
||||||
|
version: 2
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
docker:
|
||||||
|
- image: rust:1.19.0
|
||||||
|
working_directory: ~/build
|
||||||
|
environment:
|
||||||
|
RUSTFLAGS: -D warnings
|
||||||
|
steps:
|
||||||
|
- checkout
|
||||||
|
- run: apt-get update
|
||||||
|
- run: apt-get install -y --no-install-recommends dante-server
|
||||||
|
- run: danted -D -f .circleci/danted_no_auth.conf
|
||||||
|
- run: danted -D -f .circleci/danted_password.conf
|
||||||
|
- run: useradd testuser -p '$1$DLEVM6FQ$dNm6etLDprLfwWSLCUtQY/' # password: testpass
|
||||||
|
- *RESTORE_REGISTRY
|
||||||
|
- run: cargo generate-lockfile
|
||||||
|
- *SAVE_REGISTRY
|
||||||
|
- run: rustc --version > ~/rust-version
|
||||||
|
- *RESTORE_DEPS
|
||||||
|
- run: cargo test
|
||||||
|
- *SAVE_DEPS
|
|
@ -0,0 +1,17 @@
|
||||||
|
logoutput: stdout
|
||||||
|
|
||||||
|
internal: lo port = 1080
|
||||||
|
external: eth0
|
||||||
|
|
||||||
|
socksmethod: none
|
||||||
|
clientmethod: none
|
||||||
|
|
||||||
|
user.unprivileged: nobody
|
||||||
|
|
||||||
|
client pass {
|
||||||
|
from: 127.0.0.1/0 port 1-65535 to: 0.0.0.0/0
|
||||||
|
}
|
||||||
|
|
||||||
|
socks pass {
|
||||||
|
from: 127.0.0.1/0 to: 0.0.0.0/0
|
||||||
|
}
|
|
@ -0,0 +1,17 @@
|
||||||
|
logoutput: stdout
|
||||||
|
|
||||||
|
internal: lo port = 1081
|
||||||
|
external: eth0
|
||||||
|
|
||||||
|
socksmethod: username
|
||||||
|
clientmethod: none
|
||||||
|
|
||||||
|
user.unprivileged: nobody
|
||||||
|
|
||||||
|
client pass {
|
||||||
|
from: 127.0.0.1/0 port 1-65535 to: 0.0.0.0/0
|
||||||
|
}
|
||||||
|
|
||||||
|
socks pass {
|
||||||
|
from: 127.0.0.1/0 to: 0.0.0.0/0
|
||||||
|
}
|
|
@ -0,0 +1,4 @@
|
||||||
|
target
|
||||||
|
Cargo.lock
|
||||||
|
.idea
|
||||||
|
*.iml
|
|
@ -0,0 +1,19 @@
|
||||||
|
[package]
|
||||||
|
name = "socks"
|
||||||
|
version = "0.3.2"
|
||||||
|
authors = ["Steven Fackler <sfackler@gmail.com>"]
|
||||||
|
license = "MIT/Apache-2.0"
|
||||||
|
description = "SOCKS proxy clients"
|
||||||
|
repository = "https://github.com/sfackler/rust-socks"
|
||||||
|
documentation = "https://docs.rs/socks/0.3.0/socks"
|
||||||
|
readme = "README.md"
|
||||||
|
|
||||||
|
[dependencies]
|
||||||
|
byteorder = "1.0"
|
||||||
|
|
||||||
|
[target.'cfg(unix)'.dependencies]
|
||||||
|
libc = "0.2"
|
||||||
|
|
||||||
|
[target.'cfg(windows)'.dependencies]
|
||||||
|
winapi = "0.2.8"
|
||||||
|
ws2_32-sys = "0.2.1"
|
|
@ -0,0 +1,202 @@
|
||||||
|
Apache License
|
||||||
|
Version 2.0, January 2004
|
||||||
|
http://www.apache.org/licenses/
|
||||||
|
|
||||||
|
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||||
|
|
||||||
|
1. Definitions.
|
||||||
|
|
||||||
|
"License" shall mean the terms and conditions for use, reproduction,
|
||||||
|
and distribution as defined by Sections 1 through 9 of this document.
|
||||||
|
|
||||||
|
"Licensor" shall mean the copyright owner or entity authorized by
|
||||||
|
the copyright owner that is granting the License.
|
||||||
|
|
||||||
|
"Legal Entity" shall mean the union of the acting entity and all
|
||||||
|
other entities that control, are controlled by, or are under common
|
||||||
|
control with that entity. For the purposes of this definition,
|
||||||
|
"control" means (i) the power, direct or indirect, to cause the
|
||||||
|
direction or management of such entity, whether by contract or
|
||||||
|
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||||
|
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||||
|
|
||||||
|
"You" (or "Your") shall mean an individual or Legal Entity
|
||||||
|
exercising permissions granted by this License.
|
||||||
|
|
||||||
|
"Source" form shall mean the preferred form for making modifications,
|
||||||
|
including but not limited to software source code, documentation
|
||||||
|
source, and configuration files.
|
||||||
|
|
||||||
|
"Object" form shall mean any form resulting from mechanical
|
||||||
|
transformation or translation of a Source form, including but
|
||||||
|
not limited to compiled object code, generated documentation,
|
||||||
|
and conversions to other media types.
|
||||||
|
|
||||||
|
"Work" shall mean the work of authorship, whether in Source or
|
||||||
|
Object form, made available under the License, as indicated by a
|
||||||
|
copyright notice that is included in or attached to the work
|
||||||
|
(an example is provided in the Appendix below).
|
||||||
|
|
||||||
|
"Derivative Works" shall mean any work, whether in Source or Object
|
||||||
|
form, that is based on (or derived from) the Work and for which the
|
||||||
|
editorial revisions, annotations, elaborations, or other modifications
|
||||||
|
represent, as a whole, an original work of authorship. For the purposes
|
||||||
|
of this License, Derivative Works shall not include works that remain
|
||||||
|
separable from, or merely link (or bind by name) to the interfaces of,
|
||||||
|
the Work and Derivative Works thereof.
|
||||||
|
|
||||||
|
"Contribution" shall mean any work of authorship, including
|
||||||
|
the original version of the Work and any modifications or additions
|
||||||
|
to that Work or Derivative Works thereof, that is intentionally
|
||||||
|
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||||
|
or by an individual or Legal Entity authorized to submit on behalf of
|
||||||
|
the copyright owner. For the purposes of this definition, "submitted"
|
||||||
|
means any form of electronic, verbal, or written communication sent
|
||||||
|
to the Licensor or its representatives, including but not limited to
|
||||||
|
communication on electronic mailing lists, source code control systems,
|
||||||
|
and issue tracking systems that are managed by, or on behalf of, the
|
||||||
|
Licensor for the purpose of discussing and improving the Work, but
|
||||||
|
excluding communication that is conspicuously marked or otherwise
|
||||||
|
designated in writing by the copyright owner as "Not a Contribution."
|
||||||
|
|
||||||
|
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||||
|
on behalf of whom a Contribution has been received by Licensor and
|
||||||
|
subsequently incorporated within the Work.
|
||||||
|
|
||||||
|
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
copyright license to reproduce, prepare Derivative Works of,
|
||||||
|
publicly display, publicly perform, sublicense, and distribute the
|
||||||
|
Work and such Derivative Works in Source or Object form.
|
||||||
|
|
||||||
|
3. Grant of Patent License. Subject to the terms and conditions of
|
||||||
|
this License, each Contributor hereby grants to You a perpetual,
|
||||||
|
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||||
|
(except as stated in this section) patent license to make, have made,
|
||||||
|
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||||
|
where such license applies only to those patent claims licensable
|
||||||
|
by such Contributor that are necessarily infringed by their
|
||||||
|
Contribution(s) alone or by combination of their Contribution(s)
|
||||||
|
with the Work to which such Contribution(s) was submitted. If You
|
||||||
|
institute patent litigation against any entity (including a
|
||||||
|
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||||
|
or a Contribution incorporated within the Work constitutes direct
|
||||||
|
or contributory patent infringement, then any patent licenses
|
||||||
|
granted to You under this License for that Work shall terminate
|
||||||
|
as of the date such litigation is filed.
|
||||||
|
|
||||||
|
4. Redistribution. You may reproduce and distribute copies of the
|
||||||
|
Work or Derivative Works thereof in any medium, with or without
|
||||||
|
modifications, and in Source or Object form, provided that You
|
||||||
|
meet the following conditions:
|
||||||
|
|
||||||
|
(a) You must give any other recipients of the Work or
|
||||||
|
Derivative Works a copy of this License; and
|
||||||
|
|
||||||
|
(b) You must cause any modified files to carry prominent notices
|
||||||
|
stating that You changed the files; and
|
||||||
|
|
||||||
|
(c) You must retain, in the Source form of any Derivative Works
|
||||||
|
that You distribute, all copyright, patent, trademark, and
|
||||||
|
attribution notices from the Source form of the Work,
|
||||||
|
excluding those notices that do not pertain to any part of
|
||||||
|
the Derivative Works; and
|
||||||
|
|
||||||
|
(d) If the Work includes a "NOTICE" text file as part of its
|
||||||
|
distribution, then any Derivative Works that You distribute must
|
||||||
|
include a readable copy of the attribution notices contained
|
||||||
|
within such NOTICE file, excluding those notices that do not
|
||||||
|
pertain to any part of the Derivative Works, in at least one
|
||||||
|
of the following places: within a NOTICE text file distributed
|
||||||
|
as part of the Derivative Works; within the Source form or
|
||||||
|
documentation, if provided along with the Derivative Works; or,
|
||||||
|
within a display generated by the Derivative Works, if and
|
||||||
|
wherever such third-party notices normally appear. The contents
|
||||||
|
of the NOTICE file are for informational purposes only and
|
||||||
|
do not modify the License. You may add Your own attribution
|
||||||
|
notices within Derivative Works that You distribute, alongside
|
||||||
|
or as an addendum to the NOTICE text from the Work, provided
|
||||||
|
that such additional attribution notices cannot be construed
|
||||||
|
as modifying the License.
|
||||||
|
|
||||||
|
You may add Your own copyright statement to Your modifications and
|
||||||
|
may provide additional or different license terms and conditions
|
||||||
|
for use, reproduction, or distribution of Your modifications, or
|
||||||
|
for any such Derivative Works as a whole, provided Your use,
|
||||||
|
reproduction, and distribution of the Work otherwise complies with
|
||||||
|
the conditions stated in this License.
|
||||||
|
|
||||||
|
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||||
|
any Contribution intentionally submitted for inclusion in the Work
|
||||||
|
by You to the Licensor shall be under the terms and conditions of
|
||||||
|
this License, without any additional terms or conditions.
|
||||||
|
Notwithstanding the above, nothing herein shall supersede or modify
|
||||||
|
the terms of any separate license agreement you may have executed
|
||||||
|
with Licensor regarding such Contributions.
|
||||||
|
|
||||||
|
6. Trademarks. This License does not grant permission to use the trade
|
||||||
|
names, trademarks, service marks, or product names of the Licensor,
|
||||||
|
except as required for reasonable and customary use in describing the
|
||||||
|
origin of the Work and reproducing the content of the NOTICE file.
|
||||||
|
|
||||||
|
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||||
|
agreed to in writing, Licensor provides the Work (and each
|
||||||
|
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||||
|
implied, including, without limitation, any warranties or conditions
|
||||||
|
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||||
|
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||||
|
appropriateness of using or redistributing the Work and assume any
|
||||||
|
risks associated with Your exercise of permissions under this License.
|
||||||
|
|
||||||
|
8. Limitation of Liability. In no event and under no legal theory,
|
||||||
|
whether in tort (including negligence), contract, or otherwise,
|
||||||
|
unless required by applicable law (such as deliberate and grossly
|
||||||
|
negligent acts) or agreed to in writing, shall any Contributor be
|
||||||
|
liable to You for damages, including any direct, indirect, special,
|
||||||
|
incidental, or consequential damages of any character arising as a
|
||||||
|
result of this License or out of the use or inability to use the
|
||||||
|
Work (including but not limited to damages for loss of goodwill,
|
||||||
|
work stoppage, computer failure or malfunction, or any and all
|
||||||
|
other commercial damages or losses), even if such Contributor
|
||||||
|
has been advised of the possibility of such damages.
|
||||||
|
|
||||||
|
9. Accepting Warranty or Additional Liability. While redistributing
|
||||||
|
the Work or Derivative Works thereof, You may choose to offer,
|
||||||
|
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||||
|
or other liability obligations and/or rights consistent with this
|
||||||
|
License. However, in accepting such obligations, You may act only
|
||||||
|
on Your own behalf and on Your sole responsibility, not on behalf
|
||||||
|
of any other Contributor, and only if You agree to indemnify,
|
||||||
|
defend, and hold each Contributor harmless for any liability
|
||||||
|
incurred by, or claims asserted against, such Contributor by reason
|
||||||
|
of your accepting any such warranty or additional liability.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
APPENDIX: How to apply the Apache License to your work.
|
||||||
|
|
||||||
|
To apply the Apache License to your work, attach the following
|
||||||
|
boilerplate notice, with the fields enclosed by brackets "{}"
|
||||||
|
replaced with your own identifying information. (Don't include
|
||||||
|
the brackets!) The text should be enclosed in the appropriate
|
||||||
|
comment syntax for the file format. We also recommend that a
|
||||||
|
file or class name and description of purpose be included on the
|
||||||
|
same "printed page" as the copyright notice for easier
|
||||||
|
identification within third-party archives.
|
||||||
|
|
||||||
|
Copyright {yyyy} {name of copyright owner}
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
Copyright (c) 2015 The rust-socks Developers
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in all
|
||||||
|
copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||||
|
SOFTWARE.
|
|
@ -0,0 +1,22 @@
|
||||||
|
# rust-socks
|
||||||
|
[![Build Status](https://travis-ci.org/sfackler/rust-socks.svg?branch=master)](https://travis-ci.org/sfackler/rust-socks)
|
||||||
|
|
||||||
|
[Documentation](https://docs.rs/socks/0.2.3/socks)
|
||||||
|
|
||||||
|
SOCKS proxy support for Rust.
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
Licensed under either of
|
||||||
|
|
||||||
|
* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
|
||||||
|
* MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)
|
||||||
|
|
||||||
|
at your option.
|
||||||
|
|
||||||
|
### Contribution
|
||||||
|
|
||||||
|
Unless you explicitly state otherwise, any contribution intentionally
|
||||||
|
submitted for inclusion in the work by you, as defined in the Apache-2.0
|
||||||
|
license, shall be dual licensed as above, without any additional terms or
|
||||||
|
conditions.
|
|
@ -0,0 +1,162 @@
|
||||||
|
//! SOCKS proxy clients
|
||||||
|
#![doc(html_root_url="https://docs.rs/socks/0.3.0")]
|
||||||
|
#![warn(missing_docs)]
|
||||||
|
|
||||||
|
extern crate byteorder;
|
||||||
|
|
||||||
|
#[cfg(unix)]
|
||||||
|
extern crate libc;
|
||||||
|
#[cfg(windows)]
|
||||||
|
extern crate winapi;
|
||||||
|
#[cfg(windows)]
|
||||||
|
extern crate ws2_32;
|
||||||
|
|
||||||
|
use std::io;
|
||||||
|
use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6, ToSocketAddrs};
|
||||||
|
use std::vec;
|
||||||
|
|
||||||
|
pub use v4::{Socks4Stream, Socks4Listener};
|
||||||
|
pub use v5::{Socks5Stream, Socks5Listener, Socks5Datagram};
|
||||||
|
|
||||||
|
mod v4;
|
||||||
|
mod v5;
|
||||||
|
mod writev;
|
||||||
|
|
||||||
|
/// A description of a connection target.
|
||||||
|
#[derive(Debug, Clone)]
|
||||||
|
pub enum TargetAddr {
|
||||||
|
/// Connect to an IP address.
|
||||||
|
Ip(SocketAddr),
|
||||||
|
/// Connect to a fully qualified domain name.
|
||||||
|
///
|
||||||
|
/// The domain name will be passed along to the proxy server and DNS lookup
|
||||||
|
/// will happen there.
|
||||||
|
Domain(String, u16),
|
||||||
|
}
|
||||||
|
|
||||||
|
impl ToSocketAddrs for TargetAddr {
|
||||||
|
type Iter = Iter;
|
||||||
|
|
||||||
|
fn to_socket_addrs(&self) -> io::Result<Iter> {
|
||||||
|
let inner = match *self {
|
||||||
|
TargetAddr::Ip(addr) => IterInner::Ip(Some(addr)),
|
||||||
|
TargetAddr::Domain(ref domain, port) => {
|
||||||
|
let it = (&**domain, port).to_socket_addrs()?;
|
||||||
|
IterInner::Domain(it)
|
||||||
|
}
|
||||||
|
};
|
||||||
|
Ok(Iter(inner))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
enum IterInner {
|
||||||
|
Ip(Option<SocketAddr>),
|
||||||
|
Domain(vec::IntoIter<SocketAddr>),
|
||||||
|
}
|
||||||
|
|
||||||
|
/// An iterator over `SocketAddr`s associated with a `TargetAddr`.
|
||||||
|
pub struct Iter(IterInner);
|
||||||
|
|
||||||
|
impl Iterator for Iter {
|
||||||
|
type Item = SocketAddr;
|
||||||
|
|
||||||
|
fn next(&mut self) -> Option<SocketAddr> {
|
||||||
|
match self.0 {
|
||||||
|
IterInner::Ip(ref mut addr) => addr.take(),
|
||||||
|
IterInner::Domain(ref mut it) => it.next(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A trait for objects that can be converted to `TargetAddr`.
|
||||||
|
pub trait ToTargetAddr {
|
||||||
|
/// Converts the value of `self` to a `TargetAddr`.
|
||||||
|
fn to_target_addr(&self) -> io::Result<TargetAddr>;
|
||||||
|
}
|
||||||
|
|
||||||
|
impl ToTargetAddr for TargetAddr {
|
||||||
|
fn to_target_addr(&self) -> io::Result<TargetAddr> {
|
||||||
|
Ok(self.clone())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl ToTargetAddr for SocketAddr {
|
||||||
|
fn to_target_addr(&self) -> io::Result<TargetAddr> {
|
||||||
|
Ok(TargetAddr::Ip(*self))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl ToTargetAddr for SocketAddrV4 {
|
||||||
|
fn to_target_addr(&self) -> io::Result<TargetAddr> {
|
||||||
|
SocketAddr::V4(*self).to_target_addr()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl ToTargetAddr for SocketAddrV6 {
|
||||||
|
fn to_target_addr(&self) -> io::Result<TargetAddr> {
|
||||||
|
SocketAddr::V6(*self).to_target_addr()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl ToTargetAddr for (Ipv4Addr, u16) {
|
||||||
|
fn to_target_addr(&self) -> io::Result<TargetAddr> {
|
||||||
|
SocketAddrV4::new(self.0, self.1).to_target_addr()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl ToTargetAddr for (Ipv6Addr, u16) {
|
||||||
|
fn to_target_addr(&self) -> io::Result<TargetAddr> {
|
||||||
|
SocketAddrV6::new(self.0, self.1, 0, 0).to_target_addr()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'a> ToTargetAddr for (&'a str, u16) {
|
||||||
|
fn to_target_addr(&self) -> io::Result<TargetAddr> {
|
||||||
|
// try to parse as an IP first
|
||||||
|
if let Ok(addr) = self.0.parse::<Ipv4Addr>() {
|
||||||
|
return (addr, self.1).to_target_addr();
|
||||||
|
}
|
||||||
|
|
||||||
|
if let Ok(addr) = self.0.parse::<Ipv6Addr>() {
|
||||||
|
return (addr, self.1).to_target_addr();
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(TargetAddr::Domain(self.0.to_owned(), self.1))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'a> ToTargetAddr for &'a str {
|
||||||
|
fn to_target_addr(&self) -> io::Result<TargetAddr> {
|
||||||
|
// try to parse as an IP first
|
||||||
|
if let Ok(addr) = self.parse::<SocketAddrV4>() {
|
||||||
|
return addr.to_target_addr();
|
||||||
|
}
|
||||||
|
|
||||||
|
if let Ok(addr) = self.parse::<SocketAddrV6>() {
|
||||||
|
return addr.to_target_addr();
|
||||||
|
}
|
||||||
|
|
||||||
|
// split the string by ':' and convert the second part to u16
|
||||||
|
let mut parts_iter = self.rsplitn(2, ':');
|
||||||
|
let port_str = match parts_iter.next() {
|
||||||
|
Some(s) => s,
|
||||||
|
None => {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidInput, "invalid socket address"))
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
let host = match parts_iter.next() {
|
||||||
|
Some(s) => s,
|
||||||
|
None => {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidInput, "invalid socket address"))
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
let port: u16 = match port_str.parse() {
|
||||||
|
Ok(p) => p,
|
||||||
|
Err(_) => return Err(io::Error::new(io::ErrorKind::InvalidInput, "invalid port value")),
|
||||||
|
};
|
||||||
|
|
||||||
|
(host, port).to_target_addr()
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,266 @@
|
||||||
|
use byteorder::{ReadBytesExt, WriteBytesExt, BigEndian};
|
||||||
|
use std::io::{self, Read, Write};
|
||||||
|
use std::net::{SocketAddr, ToSocketAddrs, SocketAddrV4, SocketAddrV6, TcpStream, Ipv4Addr};
|
||||||
|
|
||||||
|
use {ToTargetAddr, TargetAddr};
|
||||||
|
|
||||||
|
fn read_response(socket: &mut TcpStream) -> io::Result<SocketAddrV4> {
|
||||||
|
let mut response = [0u8; 8];
|
||||||
|
socket.read_exact(&mut response)?;
|
||||||
|
let mut response = &response[..];
|
||||||
|
|
||||||
|
if response.read_u8()? != 0 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidData, "invalid response version"));
|
||||||
|
}
|
||||||
|
|
||||||
|
match response.read_u8()? {
|
||||||
|
90 => {}
|
||||||
|
91 => return Err(io::Error::new(io::ErrorKind::Other, "request rejected or failed")),
|
||||||
|
92 => {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::PermissionDenied,
|
||||||
|
"request rejected because SOCKS server cannot connect to \
|
||||||
|
idnetd on the client"))
|
||||||
|
}
|
||||||
|
93 => {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::PermissionDenied,
|
||||||
|
"request rejected because the client program and identd \
|
||||||
|
report different user-ids"))
|
||||||
|
}
|
||||||
|
_ => return Err(io::Error::new(io::ErrorKind::InvalidData, "invalid response code")),
|
||||||
|
}
|
||||||
|
|
||||||
|
let port = response.read_u16::<BigEndian>()?;
|
||||||
|
let ip = Ipv4Addr::from(response.read_u32::<BigEndian>()?);
|
||||||
|
|
||||||
|
Ok(SocketAddrV4::new(ip, port))
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A SOCKS4 client.
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct Socks4Stream {
|
||||||
|
socket: TcpStream,
|
||||||
|
proxy_addr: SocketAddrV4,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Socks4Stream {
|
||||||
|
/// Connects to a target server through a SOCKS4 proxy.
|
||||||
|
///
|
||||||
|
/// # Note
|
||||||
|
///
|
||||||
|
/// If `target` is a `TargetAddr::Domain`, the domain name will be forwarded
|
||||||
|
/// to the proxy server using the SOCKS4A protocol extension. If the proxy
|
||||||
|
/// server does not support SOCKS4A, consider performing the DNS lookup
|
||||||
|
/// locally and passing a `TargetAddr::Ip`.
|
||||||
|
pub fn connect<T, U>(proxy: T, target: U, userid: &str) -> io::Result<Socks4Stream>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToTargetAddr
|
||||||
|
{
|
||||||
|
Self::connect_raw(1, proxy, target, userid)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn connect_raw<T, U>(command: u8, proxy: T, target: U, userid: &str) -> io::Result<Socks4Stream>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToTargetAddr
|
||||||
|
{
|
||||||
|
let mut socket = TcpStream::connect(proxy)?;
|
||||||
|
|
||||||
|
let target = target.to_target_addr()?;
|
||||||
|
|
||||||
|
let mut packet = vec![];
|
||||||
|
let _ = packet.write_u8(4); // version
|
||||||
|
let _ = packet.write_u8(command); // command code
|
||||||
|
match target.to_target_addr()? {
|
||||||
|
TargetAddr::Ip(addr) => {
|
||||||
|
let addr = match addr {
|
||||||
|
SocketAddr::V4(addr) => addr,
|
||||||
|
SocketAddr::V6(_) => {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidInput,
|
||||||
|
"SOCKS4 does not support IPv6"));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
let _ = packet.write_u16::<BigEndian>(addr.port());
|
||||||
|
let _ = packet.write_u32::<BigEndian>((*addr.ip()).into());
|
||||||
|
let _ = packet.write_all(userid.as_bytes());
|
||||||
|
let _ = packet.write_u8(0);
|
||||||
|
}
|
||||||
|
TargetAddr::Domain(ref host, port) => {
|
||||||
|
let _ = packet.write_u16::<BigEndian>(port);
|
||||||
|
let _ = packet.write_u32::<BigEndian>(Ipv4Addr::new(0, 0, 0, 1).into());
|
||||||
|
let _ = packet.write_all(userid.as_bytes());
|
||||||
|
let _ = packet.write_u8(0);
|
||||||
|
let _ = packet.extend(host.as_bytes());
|
||||||
|
let _ = packet.write_u8(0);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
socket.write_all(&packet)?;
|
||||||
|
let proxy_addr = read_response(&mut socket)?;
|
||||||
|
|
||||||
|
Ok(Socks4Stream {
|
||||||
|
socket: socket,
|
||||||
|
proxy_addr: proxy_addr,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Returns the proxy-side address of the connection between the proxy and
|
||||||
|
/// target server.
|
||||||
|
pub fn proxy_addr(&self) -> SocketAddrV4 {
|
||||||
|
self.proxy_addr
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Returns a shared reference to the inner `TcpStream`.
|
||||||
|
pub fn get_ref(&self) -> &TcpStream {
|
||||||
|
&self.socket
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Returns a mutable reference to the inner `TcpStream`.
|
||||||
|
pub fn get_mut(&mut self) -> &mut TcpStream {
|
||||||
|
&mut self.socket
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Consumes the `Socks4Stream`, returning the inner `TcpStream`.
|
||||||
|
pub fn into_inner(self) -> TcpStream {
|
||||||
|
self.socket
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Read for Socks4Stream {
|
||||||
|
fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
|
||||||
|
self.socket.read(buf)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'a> Read for &'a Socks4Stream {
|
||||||
|
fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
|
||||||
|
(&self.socket).read(buf)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Write for Socks4Stream {
|
||||||
|
fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
|
||||||
|
self.socket.write(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn flush(&mut self) -> io::Result<()> {
|
||||||
|
self.socket.flush()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'a> Write for &'a Socks4Stream {
|
||||||
|
fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
|
||||||
|
(&self.socket).write(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn flush(&mut self) -> io::Result<()> {
|
||||||
|
(&self.socket).flush()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A SOCKS4 BIND client.
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct Socks4Listener(Socks4Stream);
|
||||||
|
|
||||||
|
impl Socks4Listener {
|
||||||
|
/// Initiates a BIND request to the specified proxy.
|
||||||
|
///
|
||||||
|
/// The proxy will filter incoming connections based on the value of
|
||||||
|
/// `target`.
|
||||||
|
pub fn bind<T, U>(proxy: T, target: U, userid: &str) -> io::Result<Socks4Listener>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToTargetAddr
|
||||||
|
{
|
||||||
|
Socks4Stream::connect_raw(2, proxy, target, userid).map(Socks4Listener)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// The address of the proxy-side TCP listener.
|
||||||
|
///
|
||||||
|
/// This should be forwarded to the remote process, which should open a
|
||||||
|
/// connection to it.
|
||||||
|
pub fn proxy_addr(&self) -> io::Result<SocketAddr> {
|
||||||
|
if self.0.proxy_addr.ip().octets() != [0, 0, 0, 0] {
|
||||||
|
Ok(SocketAddr::V4(self.0.proxy_addr()))
|
||||||
|
} else {
|
||||||
|
let port = self.0.proxy_addr.port();
|
||||||
|
let peer = match self.0.socket.peer_addr()? {
|
||||||
|
SocketAddr::V4(addr) => SocketAddr::V4(SocketAddrV4::new(*addr.ip(), port)),
|
||||||
|
SocketAddr::V6(addr) => SocketAddr::V6(SocketAddrV6::new(*addr.ip(), port, 0, 0)),
|
||||||
|
};
|
||||||
|
Ok(peer)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Waits for the remote process to connect to the proxy server.
|
||||||
|
///
|
||||||
|
/// The value of `proxy_addr` should be forwarded to the remote process
|
||||||
|
/// before this method is called.
|
||||||
|
pub fn accept(mut self) -> io::Result<Socks4Stream> {
|
||||||
|
self.0.proxy_addr = read_response(&mut self.0.socket)?;
|
||||||
|
Ok(self.0)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod test {
|
||||||
|
use std::io::{Read, Write};
|
||||||
|
use std::net::{SocketAddr, SocketAddrV4, ToSocketAddrs, TcpStream};
|
||||||
|
|
||||||
|
use super::*;
|
||||||
|
|
||||||
|
fn google_ip() -> SocketAddrV4 {
|
||||||
|
"google.com:80"
|
||||||
|
.to_socket_addrs()
|
||||||
|
.unwrap()
|
||||||
|
.filter_map(|a| {
|
||||||
|
match a {
|
||||||
|
SocketAddr::V4(a) => Some(a),
|
||||||
|
SocketAddr::V6(_) => None,
|
||||||
|
}
|
||||||
|
})
|
||||||
|
.next()
|
||||||
|
.unwrap()
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn google() {
|
||||||
|
let mut socket = Socks4Stream::connect("127.0.0.1:1080", google_ip(), "").unwrap();
|
||||||
|
|
||||||
|
socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
|
||||||
|
let mut result = vec![];
|
||||||
|
socket.read_to_end(&mut result).unwrap();
|
||||||
|
|
||||||
|
println!("{}", String::from_utf8_lossy(&result));
|
||||||
|
assert!(result.starts_with(b"HTTP/1.0"));
|
||||||
|
assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
#[ignore] // dante doesn't support SOCKS4A
|
||||||
|
fn google_dns() {
|
||||||
|
let mut socket = Socks4Stream::connect("127.0.0.1:8080", "google.com:80", "").unwrap();
|
||||||
|
|
||||||
|
socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
|
||||||
|
let mut result = vec![];
|
||||||
|
socket.read_to_end(&mut result).unwrap();
|
||||||
|
|
||||||
|
println!("{}", String::from_utf8_lossy(&result));
|
||||||
|
assert!(result.starts_with(b"HTTP/1.0"));
|
||||||
|
assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn bind() {
|
||||||
|
// First figure out our local address that we'll be connecting from
|
||||||
|
let socket = Socks4Stream::connect("127.0.0.1:1080", google_ip(), "").unwrap();
|
||||||
|
let addr = socket.proxy_addr();
|
||||||
|
|
||||||
|
let listener = Socks4Listener::bind("127.0.0.1:1080", addr, "").unwrap();
|
||||||
|
let addr = listener.proxy_addr().unwrap();
|
||||||
|
let mut end = TcpStream::connect(addr).unwrap();
|
||||||
|
let mut conn = listener.accept().unwrap();
|
||||||
|
conn.write_all(b"hello world").unwrap();
|
||||||
|
drop(conn);
|
||||||
|
let mut result = vec![];
|
||||||
|
end.read_to_end(&mut result).unwrap();
|
||||||
|
assert_eq!(result, b"hello world");
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,681 @@
|
||||||
|
use byteorder::{ReadBytesExt, WriteBytesExt, BigEndian};
|
||||||
|
use std::cmp;
|
||||||
|
use std::io::{self, Read, Write};
|
||||||
|
use std::net::{SocketAddr, ToSocketAddrs, SocketAddrV4, SocketAddrV6, TcpStream, Ipv4Addr,
|
||||||
|
Ipv6Addr, UdpSocket};
|
||||||
|
use std::ptr;
|
||||||
|
|
||||||
|
use {ToTargetAddr, TargetAddr};
|
||||||
|
use writev::WritevExt;
|
||||||
|
|
||||||
|
const MAX_ADDR_LEN: usize = 260;
|
||||||
|
|
||||||
|
fn read_addr<R: Read>(socket: &mut R) -> io::Result<TargetAddr> {
|
||||||
|
match socket.read_u8()? {
|
||||||
|
1 => {
|
||||||
|
let ip = Ipv4Addr::from(socket.read_u32::<BigEndian>()?);
|
||||||
|
let port = socket.read_u16::<BigEndian>()?;
|
||||||
|
Ok(TargetAddr::Ip(SocketAddr::V4(SocketAddrV4::new(ip, port))))
|
||||||
|
}
|
||||||
|
3 => {
|
||||||
|
let len = socket.read_u8()?;
|
||||||
|
let mut domain = vec![0; len as usize];
|
||||||
|
socket.read_exact(&mut domain)?;
|
||||||
|
let domain = String::from_utf8(domain)
|
||||||
|
.map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
|
||||||
|
let port = socket.read_u16::<BigEndian>()?;
|
||||||
|
Ok(TargetAddr::Domain(domain, port))
|
||||||
|
}
|
||||||
|
4 => {
|
||||||
|
let mut ip = [0; 16];
|
||||||
|
socket.read_exact(&mut ip)?;
|
||||||
|
let ip = Ipv6Addr::from(ip);
|
||||||
|
let port = socket.read_u16::<BigEndian>()?;
|
||||||
|
Ok(TargetAddr::Ip(SocketAddr::V6(SocketAddrV6::new(ip, port, 0, 0))))
|
||||||
|
}
|
||||||
|
_ => Err(io::Error::new(io::ErrorKind::Other, "unsupported address type")),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn read_response(socket: &mut TcpStream) -> io::Result<TargetAddr> {
|
||||||
|
xs
|
||||||
|
if socket.read_u8()? != 5 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidData, "invalid response version"));
|
||||||
|
}
|
||||||
|
|
||||||
|
match socket.read_u8()? {
|
||||||
|
0 => {}
|
||||||
|
1 => return Err(io::Error::new(io::ErrorKind::Other, "general SOCKS server failure")),
|
||||||
|
2 => return Err(io::Error::new(io::ErrorKind::Other, "connection not allowed by ruleset")),
|
||||||
|
3 => return Err(io::Error::new(io::ErrorKind::Other, "network unreachable")),
|
||||||
|
4 => return Err(io::Error::new(io::ErrorKind::Other, "host unreachable")),
|
||||||
|
5 => return Err(io::Error::new(io::ErrorKind::Other, "connection refused")),
|
||||||
|
6 => return Err(io::Error::new(io::ErrorKind::Other, "TTL expired")),
|
||||||
|
7 => return Err(io::Error::new(io::ErrorKind::Other, "command not supported")),
|
||||||
|
8 => return Err(io::Error::new(io::ErrorKind::Other, "address kind not supported")),
|
||||||
|
_ => return Err(io::Error::new(io::ErrorKind::Other, "unknown error")),
|
||||||
|
}
|
||||||
|
|
||||||
|
if socket.read_u8()? != 0 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidData, "invalid reserved byte"));
|
||||||
|
}
|
||||||
|
|
||||||
|
read_addr(socket)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn write_addr(mut packet: &mut [u8], target: &TargetAddr) -> io::Result<usize> {
|
||||||
|
let start_len = packet.len();
|
||||||
|
match *target {
|
||||||
|
TargetAddr::Ip(SocketAddr::V4(addr)) => {
|
||||||
|
packet.write_u8(1).unwrap();
|
||||||
|
packet.write_u32::<BigEndian>((*addr.ip()).into()).unwrap();
|
||||||
|
packet.write_u16::<BigEndian>(addr.port()).unwrap();
|
||||||
|
}
|
||||||
|
TargetAddr::Ip(SocketAddr::V6(addr)) => {
|
||||||
|
packet.write_u8(4).unwrap();
|
||||||
|
packet.write_all(&addr.ip().octets()).unwrap();
|
||||||
|
packet.write_u16::<BigEndian>(addr.port()).unwrap();
|
||||||
|
}
|
||||||
|
TargetAddr::Domain(ref domain, port) => {
|
||||||
|
packet.write_u8(3).unwrap();
|
||||||
|
if domain.len() > u8::max_value() as usize {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidInput, "domain name too long"));
|
||||||
|
}
|
||||||
|
packet.write_u8(domain.len() as u8).unwrap();
|
||||||
|
packet.write_all(domain.as_bytes()).unwrap();
|
||||||
|
packet.write_u16::<BigEndian>(port).unwrap();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(start_len - packet.len())
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Authentication methods
|
||||||
|
#[derive(Debug)]
|
||||||
|
enum Authentication<'a> {
|
||||||
|
Password { username: &'a str, password: &'a str },
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'a> Authentication<'a> {
|
||||||
|
fn id(&self) -> u8 {
|
||||||
|
match *self {
|
||||||
|
Authentication::Password { .. } => 2,
|
||||||
|
Authentication::None => 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn is_no_auth(&self) -> bool {
|
||||||
|
if let Authentication::None = *self {
|
||||||
|
true
|
||||||
|
} else {
|
||||||
|
false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A SOCKS5 client.
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct Socks5Stream {
|
||||||
|
socket: TcpStream,
|
||||||
|
proxy_addr: TargetAddr,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Socks5Stream {
|
||||||
|
/// Connects to a target server through a SOCKS5 proxy.
|
||||||
|
pub fn connect<T, U>(proxy: T, target: U) -> io::Result<Socks5Stream>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToTargetAddr
|
||||||
|
{
|
||||||
|
Self::connect_raw(1, proxy, target, &Authentication::None)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Connects to a target server through a SOCKS5 proxy using given
|
||||||
|
/// username and password.
|
||||||
|
pub fn connect_with_password<T, U>(proxy: T, target: U, username: &str, password: &str) -> io::Result<Socks5Stream>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToTargetAddr
|
||||||
|
{
|
||||||
|
let auth = Authentication::Password { username, password };
|
||||||
|
Self::connect_raw(1, proxy, target, &auth)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn connect_raw<T, U>(command: u8, proxy: T, target: U, auth: &Authentication) -> io::Result<Socks5Stream>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToTargetAddr
|
||||||
|
{
|
||||||
|
let mut socket = TcpStream::connect(proxy)?;
|
||||||
|
|
||||||
|
let target = target.to_target_addr()?;
|
||||||
|
|
||||||
|
let packet_len = if auth.is_no_auth() { 3 } else { 4 };
|
||||||
|
let packet = [
|
||||||
|
5, // protocol version
|
||||||
|
if auth.is_no_auth() { 1 } else { 2 }, // method count
|
||||||
|
auth.id(), // method
|
||||||
|
0, // no auth (always offered)
|
||||||
|
];
|
||||||
|
socket.write_all(&packet[..packet_len])?;
|
||||||
|
|
||||||
|
let mut buf = [0; 2];
|
||||||
|
socket.read_exact(&mut buf)?;
|
||||||
|
let response_version = buf[0];
|
||||||
|
let selected_method = buf[1];
|
||||||
|
|
||||||
|
if response_version != 5 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidData, "invalid response version"));
|
||||||
|
}
|
||||||
|
|
||||||
|
if selected_method == 0xff {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::Other, "no acceptable auth methods"))
|
||||||
|
}
|
||||||
|
|
||||||
|
if selected_method != auth.id() && selected_method != Authentication::None.id() {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::Other, "unknown auth method"))
|
||||||
|
}
|
||||||
|
|
||||||
|
match *auth {
|
||||||
|
Authentication::Password { username, password } if selected_method == auth.id() => {
|
||||||
|
Self::password_authentication(&mut socket, username, password)?
|
||||||
|
},
|
||||||
|
_ => ()
|
||||||
|
}
|
||||||
|
|
||||||
|
let mut packet = [0; MAX_ADDR_LEN + 3];
|
||||||
|
packet[0] = 5; // protocol version
|
||||||
|
packet[1] = command; // command
|
||||||
|
packet[2] = 0; // reserved
|
||||||
|
let len = write_addr(&mut packet[3..], &target)?;
|
||||||
|
socket.write_all(&packet[..len + 3])?;
|
||||||
|
|
||||||
|
let proxy_addr = read_response(&mut socket)?;
|
||||||
|
|
||||||
|
Ok(Socks5Stream {
|
||||||
|
socket: socket,
|
||||||
|
proxy_addr: proxy_addr,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
fn password_authentication(socket: &mut TcpStream, username: &str, password: &str) -> io::Result<()> {
|
||||||
|
if username.len() < 1 || username.len() > 255 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidInput, "invalid username"))
|
||||||
|
};
|
||||||
|
if password.len() < 1 || password.len() > 255 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidInput, "invalid password"))
|
||||||
|
}
|
||||||
|
|
||||||
|
let mut packet = [0; 515];
|
||||||
|
let packet_size = 3 + username.len() + password.len();
|
||||||
|
packet[0] = 1; // version
|
||||||
|
packet[1] = username.len() as u8;
|
||||||
|
packet[2..2 + username.len()].copy_from_slice(username.as_bytes());
|
||||||
|
packet[2 + username.len()] = password.len() as u8;
|
||||||
|
packet[3 + username.len()..packet_size].copy_from_slice(password.as_bytes());
|
||||||
|
socket.write_all(&packet[..packet_size])?;
|
||||||
|
|
||||||
|
let mut buf = [0; 2];
|
||||||
|
socket.read_exact(&mut buf)?;
|
||||||
|
if buf[0] != 1 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidData, "invalid response version"));
|
||||||
|
}
|
||||||
|
if buf[1] != 0 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::PermissionDenied, "password authentication failed"));
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Returns the proxy-side address of the connection between the proxy and
|
||||||
|
/// target server.
|
||||||
|
pub fn proxy_addr(&self) -> &TargetAddr {
|
||||||
|
&self.proxy_addr
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Returns a shared reference to the inner `TcpStream`.
|
||||||
|
pub fn get_ref(&self) -> &TcpStream {
|
||||||
|
&self.socket
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Returns a mutable reference to the inner `TcpStream`.
|
||||||
|
pub fn get_mut(&mut self) -> &mut TcpStream {
|
||||||
|
&mut self.socket
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Consumes the `Socks5Stream`, returning the inner `TcpStream`.
|
||||||
|
pub fn into_inner(self) -> TcpStream {
|
||||||
|
self.socket
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Read for Socks5Stream {
|
||||||
|
fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
|
||||||
|
self.socket.read(buf)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'a> Read for &'a Socks5Stream {
|
||||||
|
fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
|
||||||
|
(&self.socket).read(buf)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Write for Socks5Stream {
|
||||||
|
fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
|
||||||
|
self.socket.write(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn flush(&mut self) -> io::Result<()> {
|
||||||
|
self.socket.flush()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<'a> Write for &'a Socks5Stream {
|
||||||
|
fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
|
||||||
|
(&self.socket).write(buf)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn flush(&mut self) -> io::Result<()> {
|
||||||
|
(&self.socket).flush()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A SOCKS5 BIND client.
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct Socks5Listener(Socks5Stream);
|
||||||
|
|
||||||
|
impl Socks5Listener {
|
||||||
|
/// Initiates a BIND request to the specified proxy.
|
||||||
|
///
|
||||||
|
/// The proxy will filter incoming connections based on the value of
|
||||||
|
/// `target`.
|
||||||
|
pub fn bind<T, U>(proxy: T, target: U) -> io::Result<Socks5Listener>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToTargetAddr
|
||||||
|
{
|
||||||
|
Socks5Stream::connect_raw(2, proxy, target, &Authentication::None).map(Socks5Listener)
|
||||||
|
}
|
||||||
|
/// Initiates a BIND request to the specified proxy using given username
|
||||||
|
/// and password.
|
||||||
|
///
|
||||||
|
/// The proxy will filter incoming connections based on the value of
|
||||||
|
/// `target`.
|
||||||
|
pub fn bind_with_password<T, U>(proxy: T, target: U, username: &str, password: &str) -> io::Result<Socks5Listener>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToTargetAddr
|
||||||
|
{
|
||||||
|
let auth = Authentication::Password { username, password };
|
||||||
|
Socks5Stream::connect_raw(2, proxy, target, &auth).map(Socks5Listener)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// The address of the proxy-side TCP listener.
|
||||||
|
///
|
||||||
|
/// This should be forwarded to the remote process, which should open a
|
||||||
|
/// connection to it.
|
||||||
|
pub fn proxy_addr(&self) -> &TargetAddr {
|
||||||
|
&self.0.proxy_addr
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Waits for the remote process to connect to the proxy server.
|
||||||
|
///
|
||||||
|
/// The value of `proxy_addr` should be forwarded to the remote process
|
||||||
|
/// before this method is called.
|
||||||
|
pub fn accept(mut self) -> io::Result<Socks5Stream> {
|
||||||
|
self.0.proxy_addr = read_response(&mut self.0.socket)?;
|
||||||
|
Ok(self.0)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A SOCKS5 UDP client.
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct Socks5Datagram {
|
||||||
|
socket: UdpSocket,
|
||||||
|
// keeps the session alive
|
||||||
|
stream: Socks5Stream,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Socks5Datagram {
|
||||||
|
/// Creates a UDP socket bound to the specified address which will have its
|
||||||
|
/// traffic routed through the specified proxy.
|
||||||
|
pub fn bind<T, U>(proxy: T, addr: U) -> io::Result<Socks5Datagram>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToSocketAddrs
|
||||||
|
{
|
||||||
|
Self::bind_internal(proxy, addr, &Authentication::None)
|
||||||
|
}
|
||||||
|
/// Creates a UDP socket bound to the specified address which will have its
|
||||||
|
/// traffic routed through the specified proxy. The given username and password
|
||||||
|
/// is used to authenticate to the SOCKS proxy.
|
||||||
|
pub fn bind_with_password<T, U>(proxy: T, addr: U, username: &str, password: &str) -> io::Result<Socks5Datagram>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToSocketAddrs
|
||||||
|
{
|
||||||
|
let auth = Authentication::Password { username, password };
|
||||||
|
Self::bind_internal(proxy, addr, &auth)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn bind_internal<T, U>(proxy: T, addr: U, auth: &Authentication) -> io::Result<Socks5Datagram>
|
||||||
|
where T: ToSocketAddrs,
|
||||||
|
U: ToSocketAddrs
|
||||||
|
{
|
||||||
|
// we don't know what our IP is from the perspective of the proxy, so
|
||||||
|
// don't try to pass `addr` in here.
|
||||||
|
let dst = TargetAddr::Ip(SocketAddr::V4(SocketAddrV4::new(Ipv4Addr::new(0, 0, 0, 0), 0)));
|
||||||
|
let stream = Socks5Stream::connect_raw(3, proxy, dst, auth)?;
|
||||||
|
|
||||||
|
let socket = UdpSocket::bind(addr)?;
|
||||||
|
socket.connect(&stream.proxy_addr)?;
|
||||||
|
|
||||||
|
Ok(Socks5Datagram {
|
||||||
|
socket: socket,
|
||||||
|
stream: stream,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Like `UdpSocket::send_to`.
|
||||||
|
///
|
||||||
|
/// # Note
|
||||||
|
///
|
||||||
|
/// The SOCKS protocol inserts a header at the beginning of the message. The
|
||||||
|
/// header will be 10 bytes for an IPv4 address, 22 bytes for an IPv6
|
||||||
|
/// address, and 7 bytes plus the length of the domain for a domain address.
|
||||||
|
pub fn send_to<A>(&self, buf: &[u8], addr: A) -> io::Result<usize>
|
||||||
|
where A: ToTargetAddr
|
||||||
|
{
|
||||||
|
let addr = addr.to_target_addr()?;
|
||||||
|
|
||||||
|
let mut header = [0; MAX_ADDR_LEN + 3];
|
||||||
|
// first two bytes are reserved at 0
|
||||||
|
// third byte is the fragment id at 0
|
||||||
|
let len = write_addr(&mut header[3..], &addr)?;
|
||||||
|
|
||||||
|
self.socket.writev([&header[..len + 3], buf])
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Like `UdpSocket::recv_from`.
|
||||||
|
pub fn recv_from(&self, buf: &mut [u8]) -> io::Result<(usize, TargetAddr)> {
|
||||||
|
let mut header = [0; MAX_ADDR_LEN + 3];
|
||||||
|
let len = self.socket.readv([&mut header, buf])?;
|
||||||
|
|
||||||
|
let overflow = len.saturating_sub(header.len());
|
||||||
|
|
||||||
|
let header_len = cmp::min(header.len(), len);
|
||||||
|
let mut header = &mut &header[..header_len];
|
||||||
|
|
||||||
|
if header.read_u16::<BigEndian>()? != 0 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidData, "invalid reserved bytes"));
|
||||||
|
}
|
||||||
|
if header.read_u8()? != 0 {
|
||||||
|
return Err(io::Error::new(io::ErrorKind::InvalidData, "invalid fragment id"));
|
||||||
|
}
|
||||||
|
let addr = read_addr(&mut header)?;
|
||||||
|
|
||||||
|
unsafe {
|
||||||
|
ptr::copy(buf.as_ptr(), buf.as_mut_ptr().offset(header.len() as isize), overflow);
|
||||||
|
}
|
||||||
|
buf[..header.len()].copy_from_slice(header);
|
||||||
|
|
||||||
|
Ok((header.len() + overflow, addr))
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Returns the address of the proxy-side UDP socket through which all
|
||||||
|
/// messages will be routed.
|
||||||
|
pub fn proxy_addr(&self) -> &TargetAddr {
|
||||||
|
&self.stream.proxy_addr
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Returns a shared reference to the inner socket.
|
||||||
|
pub fn get_ref(&self) -> &UdpSocket {
|
||||||
|
&self.socket
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Returns a mutable reference to the inner socket.
|
||||||
|
pub fn get_mut(&mut self) -> &mut UdpSocket {
|
||||||
|
&mut self.socket
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod test {
|
||||||
|
use std::error::Error;
|
||||||
|
use std::io::{Read, Write};
|
||||||
|
use std::net::{ToSocketAddrs, TcpStream, UdpSocket};
|
||||||
|
|
||||||
|
use super::*;
|
||||||
|
|
||||||
|
const SOCKS_PROXY_NO_AUTH_ONLY: &str = "127.0.0.1:1080";
|
||||||
|
const SOCKS_PROXY_PASSWD_ONLY: &str = "127.0.0.1:1081";
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn google_no_auth() {
|
||||||
|
let addr = "google.com:80".to_socket_addrs().unwrap().next().unwrap();
|
||||||
|
let socket = Socks5Stream::connect(SOCKS_PROXY_NO_AUTH_ONLY, addr).unwrap();
|
||||||
|
google(socket);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn google_with_password() {
|
||||||
|
let addr = "google.com:80".to_socket_addrs().unwrap().next().unwrap();
|
||||||
|
let socket = Socks5Stream::connect_with_password(
|
||||||
|
SOCKS_PROXY_PASSWD_ONLY,
|
||||||
|
addr,
|
||||||
|
"testuser",
|
||||||
|
"testpass"
|
||||||
|
).unwrap();
|
||||||
|
google(socket);
|
||||||
|
}
|
||||||
|
|
||||||
|
fn google(mut socket: Socks5Stream) {
|
||||||
|
socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
|
||||||
|
let mut result = vec![];
|
||||||
|
socket.read_to_end(&mut result).unwrap();
|
||||||
|
|
||||||
|
println!("{}", String::from_utf8_lossy(&result));
|
||||||
|
assert!(result.starts_with(b"HTTP/1.0"));
|
||||||
|
assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn google_dns() {
|
||||||
|
let mut socket = Socks5Stream::connect(SOCKS_PROXY_NO_AUTH_ONLY, "google.com:80").unwrap();
|
||||||
|
|
||||||
|
socket.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
|
||||||
|
let mut result = vec![];
|
||||||
|
socket.read_to_end(&mut result).unwrap();
|
||||||
|
|
||||||
|
println!("{}", String::from_utf8_lossy(&result));
|
||||||
|
assert!(result.starts_with(b"HTTP/1.0"));
|
||||||
|
assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn bind_no_auth() {
|
||||||
|
let addr = find_address();
|
||||||
|
let listener = Socks5Listener::bind(SOCKS_PROXY_NO_AUTH_ONLY, addr).unwrap();
|
||||||
|
bind(listener);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn bind_with_password_supported_but_no_auth_used() {
|
||||||
|
let addr = find_address();
|
||||||
|
let listener = Socks5Listener::bind_with_password(
|
||||||
|
SOCKS_PROXY_NO_AUTH_ONLY,
|
||||||
|
addr,
|
||||||
|
"unused_and_invalid_username",
|
||||||
|
"unused_and_invalid_password"
|
||||||
|
).unwrap();
|
||||||
|
bind(listener);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn bind_with_password() {
|
||||||
|
let addr = find_address();
|
||||||
|
let listener = Socks5Listener::bind_with_password(
|
||||||
|
"127.0.0.1:1081",
|
||||||
|
addr,
|
||||||
|
"testuser",
|
||||||
|
"testpass"
|
||||||
|
).unwrap();
|
||||||
|
bind(listener);
|
||||||
|
}
|
||||||
|
|
||||||
|
fn bind(listener: Socks5Listener) {
|
||||||
|
let addr = listener.proxy_addr().clone();
|
||||||
|
let mut end = TcpStream::connect(addr).unwrap();
|
||||||
|
let mut conn = listener.accept().unwrap();
|
||||||
|
conn.write_all(b"hello world").unwrap();
|
||||||
|
drop(conn);
|
||||||
|
let mut result = vec![];
|
||||||
|
end.read_to_end(&mut result).unwrap();
|
||||||
|
assert_eq!(result, b"hello world");
|
||||||
|
}
|
||||||
|
|
||||||
|
// First figure out our local address that we'll be connecting from
|
||||||
|
fn find_address() -> TargetAddr {
|
||||||
|
let socket = Socks5Stream::connect(SOCKS_PROXY_NO_AUTH_ONLY, "google.com:80").unwrap();
|
||||||
|
socket.proxy_addr().to_owned()
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn associate_no_auth() {
|
||||||
|
let socks = Socks5Datagram::bind(SOCKS_PROXY_NO_AUTH_ONLY, "127.0.0.1:15410").unwrap();
|
||||||
|
associate(socks, "127.0.0.1:15411");
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn associate_with_password() {
|
||||||
|
let socks = Socks5Datagram::bind_with_password(
|
||||||
|
SOCKS_PROXY_PASSWD_ONLY,
|
||||||
|
"127.0.0.1:15414",
|
||||||
|
"testuser",
|
||||||
|
"testpass"
|
||||||
|
).unwrap();
|
||||||
|
associate(socks, "127.0.0.1:15415");
|
||||||
|
}
|
||||||
|
|
||||||
|
fn associate(socks: Socks5Datagram, socket_addr: &str) {
|
||||||
|
let socket = UdpSocket::bind(socket_addr).unwrap();
|
||||||
|
|
||||||
|
socks.send_to(b"hello world!", socket_addr).unwrap();
|
||||||
|
let mut buf = [0; 13];
|
||||||
|
let (len, addr) = socket.recv_from(&mut buf).unwrap();
|
||||||
|
assert_eq!(len, 12);
|
||||||
|
assert_eq!(&buf[..12], b"hello world!");
|
||||||
|
|
||||||
|
socket.send_to(b"hello world!", addr).unwrap();
|
||||||
|
|
||||||
|
let len = socks.recv_from(&mut buf).unwrap().0;
|
||||||
|
assert_eq!(len, 12);
|
||||||
|
assert_eq!(&buf[..12], b"hello world!");
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn associate_long() {
|
||||||
|
let socks = Socks5Datagram::bind(SOCKS_PROXY_NO_AUTH_ONLY, "127.0.0.1:15412").unwrap();
|
||||||
|
let socket_addr = "127.0.0.1:15413";
|
||||||
|
let socket = UdpSocket::bind(socket_addr).unwrap();
|
||||||
|
|
||||||
|
let mut msg = vec![];
|
||||||
|
for i in 0..(MAX_ADDR_LEN + 100) {
|
||||||
|
msg.push(i as u8);
|
||||||
|
}
|
||||||
|
|
||||||
|
socks.send_to(&msg, socket_addr).unwrap();
|
||||||
|
let mut buf = vec![0; msg.len() + 1];
|
||||||
|
let (len, addr) = socket.recv_from(&mut buf).unwrap();
|
||||||
|
assert_eq!(len, msg.len());
|
||||||
|
assert_eq!(msg, &buf[..msg.len()]);
|
||||||
|
|
||||||
|
socket.send_to(&msg, addr).unwrap();
|
||||||
|
|
||||||
|
let mut buf = vec![0; msg.len() + 1];
|
||||||
|
let len = socks.recv_from(&mut buf).unwrap().0;
|
||||||
|
assert_eq!(len, msg.len());
|
||||||
|
assert_eq!(msg, &buf[..msg.len()]);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn incorrect_password() {
|
||||||
|
let addr = "google.com:80".to_socket_addrs().unwrap().next().unwrap();
|
||||||
|
let err = Socks5Stream::connect_with_password(
|
||||||
|
SOCKS_PROXY_PASSWD_ONLY,
|
||||||
|
addr,
|
||||||
|
"testuser",
|
||||||
|
"invalid"
|
||||||
|
).unwrap_err();
|
||||||
|
|
||||||
|
assert_eq!(err.kind(), io::ErrorKind::PermissionDenied);
|
||||||
|
assert_eq!(err.description(), "password authentication failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn auth_method_not_supported() {
|
||||||
|
let addr = "google.com:80".to_socket_addrs().unwrap().next().unwrap();
|
||||||
|
let err = Socks5Stream::connect(SOCKS_PROXY_PASSWD_ONLY, addr).unwrap_err();
|
||||||
|
|
||||||
|
assert_eq!(err.kind(), io::ErrorKind::Other);
|
||||||
|
assert_eq!(err.description(), "no acceptable auth methods");
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn username_and_password_length() {
|
||||||
|
let addr = "google.com:80".to_socket_addrs().unwrap().next().unwrap();
|
||||||
|
|
||||||
|
let err = Socks5Stream::connect_with_password(
|
||||||
|
SOCKS_PROXY_PASSWD_ONLY,
|
||||||
|
addr,
|
||||||
|
&string_of_size(1),
|
||||||
|
&string_of_size(1)
|
||||||
|
).unwrap_err();
|
||||||
|
assert_eq!(err.kind(), io::ErrorKind::PermissionDenied);
|
||||||
|
assert_eq!(err.description(), "password authentication failed");
|
||||||
|
|
||||||
|
let err = Socks5Stream::connect_with_password(
|
||||||
|
SOCKS_PROXY_PASSWD_ONLY,
|
||||||
|
addr,
|
||||||
|
&string_of_size(255),
|
||||||
|
&string_of_size(255)
|
||||||
|
).unwrap_err();
|
||||||
|
assert_eq!(err.kind(), io::ErrorKind::PermissionDenied);
|
||||||
|
assert_eq!(err.description(), "password authentication failed");
|
||||||
|
|
||||||
|
let err = Socks5Stream::connect_with_password(
|
||||||
|
SOCKS_PROXY_PASSWD_ONLY,
|
||||||
|
addr,
|
||||||
|
&string_of_size(0),
|
||||||
|
&string_of_size(255)
|
||||||
|
).unwrap_err();
|
||||||
|
assert_eq!(err.kind(), io::ErrorKind::InvalidInput);
|
||||||
|
assert_eq!(err.description(), "invalid username");
|
||||||
|
|
||||||
|
let err = Socks5Stream::connect_with_password(
|
||||||
|
SOCKS_PROXY_PASSWD_ONLY,
|
||||||
|
addr,
|
||||||
|
&string_of_size(256),
|
||||||
|
&string_of_size(255)
|
||||||
|
).unwrap_err();
|
||||||
|
assert_eq!(err.kind(), io::ErrorKind::InvalidInput);
|
||||||
|
assert_eq!(err.description(), "invalid username");
|
||||||
|
|
||||||
|
let err = Socks5Stream::connect_with_password(
|
||||||
|
SOCKS_PROXY_PASSWD_ONLY,
|
||||||
|
addr,
|
||||||
|
&string_of_size(255),
|
||||||
|
&string_of_size(0)
|
||||||
|
).unwrap_err();
|
||||||
|
assert_eq!(err.kind(), io::ErrorKind::InvalidInput);
|
||||||
|
assert_eq!(err.description(), "invalid password");
|
||||||
|
|
||||||
|
let err = Socks5Stream::connect_with_password(
|
||||||
|
SOCKS_PROXY_PASSWD_ONLY,
|
||||||
|
addr,
|
||||||
|
&string_of_size(255),
|
||||||
|
&string_of_size(256)
|
||||||
|
).unwrap_err();
|
||||||
|
assert_eq!(err.kind(), io::ErrorKind::InvalidInput);
|
||||||
|
assert_eq!(err.description(), "invalid password");
|
||||||
|
}
|
||||||
|
|
||||||
|
fn string_of_size(size: usize) -> String {
|
||||||
|
(0..size).map(|_| 'x').collect()
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,132 @@
|
||||||
|
use std::io;
|
||||||
|
use std::net::UdpSocket;
|
||||||
|
|
||||||
|
pub trait WritevExt {
|
||||||
|
fn writev(&self, bufs: [&[u8]; 2]) -> io::Result<usize>;
|
||||||
|
fn readv(&self, bufs: [&mut [u8]; 2]) -> io::Result<usize>;
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(unix)]
|
||||||
|
mod imp {
|
||||||
|
use libc;
|
||||||
|
use std::os::unix::io::AsRawFd;
|
||||||
|
|
||||||
|
use super::*;
|
||||||
|
|
||||||
|
impl WritevExt for UdpSocket {
|
||||||
|
fn writev(&self, bufs: [&[u8]; 2]) -> io::Result<usize> {
|
||||||
|
unsafe {
|
||||||
|
let iovecs = [
|
||||||
|
libc::iovec {
|
||||||
|
iov_base: bufs[0].as_ptr() as *const _ as *mut _,
|
||||||
|
iov_len: bufs[0].len(),
|
||||||
|
},
|
||||||
|
libc::iovec {
|
||||||
|
iov_base: bufs[1].as_ptr() as *const _ as *mut _,
|
||||||
|
iov_len: bufs[1].len(),
|
||||||
|
},
|
||||||
|
];
|
||||||
|
let r = libc::writev(self.as_raw_fd(), iovecs.as_ptr(), 2);
|
||||||
|
if r < 0 {
|
||||||
|
Err(io::Error::last_os_error())
|
||||||
|
} else {
|
||||||
|
Ok(r as usize)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn readv(&self, bufs: [&mut [u8]; 2]) -> io::Result<usize> {
|
||||||
|
unsafe {
|
||||||
|
let mut iovecs = [
|
||||||
|
libc::iovec {
|
||||||
|
iov_base: bufs[0].as_mut_ptr() as *mut _,
|
||||||
|
iov_len: bufs[0].len(),
|
||||||
|
},
|
||||||
|
libc::iovec {
|
||||||
|
iov_base: bufs[1].as_mut_ptr() as *mut _,
|
||||||
|
iov_len: bufs[1].len(),
|
||||||
|
},
|
||||||
|
];
|
||||||
|
let r = libc::readv(self.as_raw_fd(), iovecs.as_mut_ptr(), 2);
|
||||||
|
if r < 0 {
|
||||||
|
Err(io::Error::last_os_error())
|
||||||
|
} else {
|
||||||
|
Ok(r as usize)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(windows)]
|
||||||
|
mod imp {
|
||||||
|
use winapi;
|
||||||
|
use ws2_32;
|
||||||
|
use std::os::windows::io::AsRawSocket;
|
||||||
|
use std::ptr;
|
||||||
|
|
||||||
|
use super::*;
|
||||||
|
|
||||||
|
impl WritevExt for UdpSocket {
|
||||||
|
fn writev(&self, bufs: [&[u8]; 2]) -> io::Result<usize> {
|
||||||
|
unsafe {
|
||||||
|
let mut wsabufs = [
|
||||||
|
winapi::WSABUF {
|
||||||
|
len: bufs[0].len() as winapi::u_long,
|
||||||
|
buf: bufs[0].as_ptr() as *const _ as *mut _,
|
||||||
|
},
|
||||||
|
winapi::WSABUF {
|
||||||
|
len: bufs[1].len() as winapi::u_long,
|
||||||
|
buf: bufs[1].as_ptr() as *const _ as *mut _,
|
||||||
|
},
|
||||||
|
];
|
||||||
|
let mut sent = 0;
|
||||||
|
let r = ws2_32::WSASend(
|
||||||
|
self.as_raw_socket(),
|
||||||
|
wsabufs.as_mut_ptr(),
|
||||||
|
bufs.len() as winapi::DWORD,
|
||||||
|
&mut sent,
|
||||||
|
0,
|
||||||
|
ptr::null_mut(),
|
||||||
|
None,
|
||||||
|
);
|
||||||
|
if r == 0 {
|
||||||
|
Ok(sent as usize)
|
||||||
|
} else {
|
||||||
|
Err(io::Error::last_os_error())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn readv(&self, bufs: [&mut [u8]; 2]) -> io::Result<usize> {
|
||||||
|
unsafe {
|
||||||
|
let mut wsabufs = [
|
||||||
|
winapi::WSABUF {
|
||||||
|
len: bufs[0].len() as winapi::u_long,
|
||||||
|
buf: bufs[0].as_mut_ptr() as *mut _,
|
||||||
|
},
|
||||||
|
winapi::WSABUF {
|
||||||
|
len: bufs[1].len() as winapi::u_long,
|
||||||
|
buf: bufs[1].as_mut_ptr() as *mut _,
|
||||||
|
},
|
||||||
|
];
|
||||||
|
let mut recved = 0;
|
||||||
|
let mut flags = 0;
|
||||||
|
let r = ws2_32::WSARecv(
|
||||||
|
self.as_raw_socket(),
|
||||||
|
wsabufs.as_mut_ptr(),
|
||||||
|
bufs.len() as winapi::DWORD,
|
||||||
|
&mut recved,
|
||||||
|
&mut flags,
|
||||||
|
ptr::null_mut(),
|
||||||
|
None,
|
||||||
|
);
|
||||||
|
if r == 0 {
|
||||||
|
Ok(recved as usize)
|
||||||
|
} else {
|
||||||
|
Err(io::Error::last_os_error())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,7 @@
|
||||||
|
pub mod tor;
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub enum ACNError {
|
||||||
|
AuthenticationError(String),
|
||||||
|
ServiceSetupError(String),
|
||||||
|
}
|
|
@ -0,0 +1,24 @@
|
||||||
|
use std::net::TcpStream;
|
||||||
|
use std::io::Write;
|
||||||
|
|
||||||
|
pub trait TorAuthenticationMethod {
|
||||||
|
fn authenticate(&self, conn: &mut TcpStream);
|
||||||
|
}
|
||||||
|
|
||||||
|
pub struct HashedPassword {
|
||||||
|
password: String
|
||||||
|
}
|
||||||
|
|
||||||
|
impl HashedPassword {
|
||||||
|
pub fn new(password: String) -> HashedPassword {
|
||||||
|
HashedPassword {
|
||||||
|
password
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl TorAuthenticationMethod for HashedPassword {
|
||||||
|
fn authenticate(&self, conn: &mut TcpStream) {
|
||||||
|
write!(conn, "AUTHENTICATE \"{}\"\r\n", self.password);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,114 @@
|
||||||
|
use std::net::TcpStream;
|
||||||
|
use std::io::{Error, BufReader, BufRead};
|
||||||
|
use crate::acns::ACNError;
|
||||||
|
use crate::acns::ACNError::{AuthenticationError, ServiceSetupError};
|
||||||
|
use std::io::Write;
|
||||||
|
use crate::acns::tor::authentication::TorAuthenticationMethod;
|
||||||
|
use ed25519_dalek::ExpandedSecretKey;
|
||||||
|
|
||||||
|
pub mod authentication;
|
||||||
|
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct TorDisconnected(());
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct TorConnected(());
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct TorAuthenticated(());
|
||||||
|
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct TorProcess<ConnectionStatus> {
|
||||||
|
conn: TcpStream,
|
||||||
|
status: ConnectionStatus
|
||||||
|
}
|
||||||
|
|
||||||
|
impl TorProcess<TorDisconnected> {
|
||||||
|
|
||||||
|
pub fn connect(control_port: u16) -> Result<TorProcess<TorConnected>, Error> {
|
||||||
|
match TcpStream::connect(&format!("127.0.0.1:{}", control_port)) {
|
||||||
|
Ok(conn) => {
|
||||||
|
Ok(TorProcess{
|
||||||
|
conn,
|
||||||
|
status: TorConnected(())
|
||||||
|
})
|
||||||
|
},
|
||||||
|
Err(err) => {
|
||||||
|
return Err(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// From the control port spec...
|
||||||
|
/// Before the client has authenticated, no command other than
|
||||||
|
/// PROTOCOLINFO, AUTHCHALLENGE, AUTHENTICATE, or QUIT is valid. If the
|
||||||
|
/// controller sends any other command, or sends a malformed command, or
|
||||||
|
/// sends an unsuccessful AUTHENTICATE command, or sends PROTOCOLINFO or
|
||||||
|
/// AUTHCHALLENGE more than once, Tor sends an error reply and closes
|
||||||
|
/// the connection.
|
||||||
|
/// We are more strict as we only allow the caller to authenticate
|
||||||
|
impl TorProcess<TorConnected> {
|
||||||
|
pub fn authenticate(mut self, authMethod: Box<dyn TorAuthenticationMethod>) -> Result<TorProcess<TorAuthenticated>, ACNError> {
|
||||||
|
authMethod.authenticate(&mut self.conn);
|
||||||
|
let mut reader = BufReader::new(self.conn.try_clone().unwrap());
|
||||||
|
let mut result = String::new();
|
||||||
|
reader.read_line(&mut result);
|
||||||
|
match result.as_str() {
|
||||||
|
"250 OK\r\n" => {
|
||||||
|
Ok(TorProcess{
|
||||||
|
conn: self.conn,
|
||||||
|
status: TorAuthenticated(())
|
||||||
|
})
|
||||||
|
}
|
||||||
|
"515 Bad authentication\r\n" => {
|
||||||
|
Err(AuthenticationError(String::from("515 Bad authentication")))
|
||||||
|
}
|
||||||
|
_ => {
|
||||||
|
Err(AuthenticationError(String::from(result)))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// We are now authenticated!
|
||||||
|
impl TorProcess<TorAuthenticated> {
|
||||||
|
|
||||||
|
/// Tell the control port to create a new Onion V3 service given the ed25519 secret key...
|
||||||
|
pub fn add_onion_v3(&mut self, secret_key: ed25519_dalek::SecretKey, virtual_port: u16, target_port: u16) -> Result<String,ACNError> {
|
||||||
|
let esk = ExpandedSecretKey::from(&secret_key);
|
||||||
|
write!(self.conn, "ADD_ONION ED25519-V3:{} Flags=Detach Port={},{}\r\n", base64::encode(esk.to_bytes()), virtual_port, target_port);
|
||||||
|
let mut reader = BufReader::new(self.conn.try_clone().unwrap());
|
||||||
|
let mut result = String::new();
|
||||||
|
reader.read_line(&mut result);
|
||||||
|
if result.starts_with("250-ServiceID=") {
|
||||||
|
// We authenticated!
|
||||||
|
return Ok(result);
|
||||||
|
}
|
||||||
|
Err(ServiceSetupError(result))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod tests {
|
||||||
|
use crate::acns::tor::TorProcess;
|
||||||
|
use crate::acns::tor::authentication::HashedPassword;
|
||||||
|
use ed25519_dalek::{Keypair};
|
||||||
|
use rand::rngs::OsRng;
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn connect_tor() {
|
||||||
|
let mut auth_control_port = TorProcess::connect(9051).unwrap().authenticate(Box::new(HashedPassword::new(String::from("examplehashedpassword")))).unwrap();
|
||||||
|
let mut csprng = OsRng{};
|
||||||
|
let keypair = ed25519_dalek::Keypair::generate(&mut csprng);
|
||||||
|
match auth_control_port.add_onion_v3(keypair.secret, 9878, 10029) {
|
||||||
|
Ok(_) => {
|
||||||
|
// we authenticated!
|
||||||
|
},
|
||||||
|
Err(err) => {
|
||||||
|
println!("{:?}", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,104 @@
|
||||||
|
use crate::primitives::transcript::Transcript;
|
||||||
|
use std::net::TcpStream;
|
||||||
|
use std::sync::Arc;
|
||||||
|
use crate::primitives::identity::Identity;
|
||||||
|
use ed25519_dalek::PublicKey;
|
||||||
|
use std::io::{Write, Read};
|
||||||
|
use serde::Serialize;
|
||||||
|
use serde::Deserialize;
|
||||||
|
use byteorder::{WriteBytesExt, BigEndian, ReadBytesExt, LittleEndian};
|
||||||
|
use integer_encoding::{FixedInt, VarInt};
|
||||||
|
use crate::connections::utils::{expect, expect_encrypted, public_key_to_hostname, send_encrypted, send};
|
||||||
|
use sha3::Digest;
|
||||||
|
|
||||||
|
pub struct AuthenicationApp {
|
||||||
|
identity: Arc<Identity>
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#[derive(Serialize, Deserialize, Debug)]
|
||||||
|
struct AuthMessage {
|
||||||
|
#[serde(rename(serialize = "LongTermPublicKey", deserialize = "LongTermPublicKey"))]
|
||||||
|
longterm_public_key: String,
|
||||||
|
#[serde(rename(serialize = "EphemeralPublicKey", deserialize = "EphemeralPublicKey"))]
|
||||||
|
ephemeral_public_key: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl AuthenicationApp {
|
||||||
|
pub fn new(identity: Arc<Identity>) -> AuthenicationApp {
|
||||||
|
AuthenicationApp {
|
||||||
|
identity
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn run(&mut self, conn: &mut TcpStream, transcript: &mut Transcript) {
|
||||||
|
let longterm_public_key = self.identity.public_key().to_bytes();
|
||||||
|
let ephemeral_identity = Identity::initialize_ephemeral_identity();
|
||||||
|
let auth_message = AuthMessage{longterm_public_key: base64::encode(longterm_public_key), ephemeral_public_key: base64::encode(ephemeral_identity.public_key().to_bytes())};
|
||||||
|
let auth_message_json = serde_json::to_string(&auth_message).unwrap();
|
||||||
|
println!("TCP Timeout: {:?}", conn.read_timeout());
|
||||||
|
let mut len = [0u8;2];
|
||||||
|
(auth_message_json.len() as u16).encode_var(&mut len);
|
||||||
|
// println!("len {} {:?}", auth_message_json.len(), len);
|
||||||
|
let mut msg = vec![];
|
||||||
|
msg.extend_from_slice(len.as_slice());
|
||||||
|
msg.extend_from_slice(auth_message_json.as_bytes());
|
||||||
|
send(conn, msg);
|
||||||
|
|
||||||
|
let remote_auth_message_json = String::from_utf8(expect(conn)).unwrap();
|
||||||
|
println!("Received Auth Message: {}", remote_auth_message_json);
|
||||||
|
|
||||||
|
let remote_auth_message : AuthMessage = serde_json::from_str(remote_auth_message_json.as_str()).unwrap();
|
||||||
|
println!("Remote auth message: {:?}",remote_auth_message);
|
||||||
|
let remote_public_key = PublicKey::from_bytes(base64::decode(&remote_auth_message.longterm_public_key).unwrap().as_slice()).unwrap();
|
||||||
|
let remote_ephemeral_key = PublicKey::from_bytes(base64::decode(&remote_auth_message.ephemeral_public_key).unwrap().as_slice()).unwrap();
|
||||||
|
|
||||||
|
let l2e = self.identity.edh(remote_ephemeral_key);
|
||||||
|
let e2l = ephemeral_identity.edh(remote_public_key);
|
||||||
|
let e2e = ephemeral_identity.edh(remote_ephemeral_key);
|
||||||
|
|
||||||
|
let mut shared_secret = vec![];
|
||||||
|
// todo if outbound
|
||||||
|
shared_secret.extend_from_slice(l2e.as_bytes());
|
||||||
|
shared_secret.extend_from_slice(e2l.as_bytes());
|
||||||
|
shared_secret.extend_from_slice(e2e.as_bytes());
|
||||||
|
// todo else
|
||||||
|
|
||||||
|
let key = sha3::Sha3_256::digest(shared_secret.as_slice());
|
||||||
|
|
||||||
|
transcript.new_protocol("auth-app");
|
||||||
|
transcript.add_to_transcript("outbound-hostname", self.identity.hostname().as_bytes());
|
||||||
|
transcript.add_to_transcript("inbound-hostname", public_key_to_hostname(&remote_public_key).as_bytes());
|
||||||
|
transcript.add_to_transcript("outbound-challenge", auth_message_json.as_bytes());
|
||||||
|
transcript.add_to_transcript("inbound-challenge",remote_auth_message_json.as_bytes());
|
||||||
|
|
||||||
|
let challenge_bytes = transcript.commit_to_transcript("3dh-auth-challenge");
|
||||||
|
println!("Calculated Challenge: {}", hex::encode(challenge_bytes));
|
||||||
|
|
||||||
|
let mut msg = vec![];
|
||||||
|
let mut len = [0u8;2];
|
||||||
|
((challenge_bytes.len()+self.identity.hostname().as_bytes().len()) as u16).encode_var(&mut len);
|
||||||
|
msg.extend_from_slice(len.as_slice());
|
||||||
|
msg.extend_from_slice(challenge_bytes.as_slice());
|
||||||
|
msg.extend_from_slice(self.identity.hostname().as_bytes());
|
||||||
|
println!("Sending: {:?}", hex::encode(&msg));
|
||||||
|
send_encrypted(conn, key.as_slice(), msg);
|
||||||
|
|
||||||
|
let challenge = expect_encrypted(conn, key.as_slice());
|
||||||
|
let challenge_parts = challenge.split_at(64);
|
||||||
|
println!("Received Challenge: {:?} {:?}", hex::encode(challenge_parts.0), String::from_utf8(challenge_parts.1.to_vec()));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod tests {
|
||||||
|
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_transcript_app() {
|
||||||
|
//let mut transcript_app = TranscriptApp::NewInstance();
|
||||||
|
// transcript_app.Init();
|
||||||
|
// transcript_app.Transcript();
|
||||||
|
//println!("Transcript App Initial Commit: {:x}", transcript_app.Transcript().challenge_bytes())
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,10 +1,2 @@
|
||||||
use crate::primitives::transcript::Transcript;
|
|
||||||
|
|
||||||
pub mod transcript_app;
|
pub mod transcript_app;
|
||||||
|
pub mod authentication_app;
|
||||||
pub trait Application {
|
|
||||||
fn new_instance(&self) -> Box<dyn Application>;
|
|
||||||
fn init(&mut self);
|
|
||||||
fn transcript(&mut self) -> Option<&mut Transcript>;
|
|
||||||
fn propagate_transcript(&mut self, transcript: &Transcript);
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,19 +1,20 @@
|
||||||
use crate::primitives::transcript::Transcript;
|
use crate::primitives::transcript::Transcript;
|
||||||
use crate::applications::Application;
|
use std::net::TcpStream;
|
||||||
|
use std::sync::Arc;
|
||||||
|
|
||||||
#[derive(Clone)]
|
#[derive(Clone)]
|
||||||
pub struct TranscriptApp {
|
pub struct TranscriptApp {
|
||||||
transcript: Option<Transcript>
|
transcript: Option<Transcript>
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Application for TranscriptApp {
|
impl TranscriptApp {
|
||||||
fn new_instance(&self) -> Box<dyn Application> {
|
fn new() -> TranscriptApp {
|
||||||
Box::new(TranscriptApp {
|
TranscriptApp {
|
||||||
transcript: None
|
transcript: None
|
||||||
})
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn init(&mut self) {
|
fn run(&mut self, conn: &TcpStream) {
|
||||||
self.transcript = Some(Transcript::new_transcript("primitives-transcript".as_ref()))
|
self.transcript = Some(Transcript::new_transcript("primitives-transcript".as_ref()))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
/// Connections provides an interface for manage sets of connections on top of a particular
|
||||||
|
/// ACN.
|
||||||
|
|
||||||
|
|
||||||
|
pub mod service;
|
||||||
|
pub mod utils;
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub enum ServiceError {
|
||||||
|
ClosedNormally,
|
||||||
|
ConnectionFailed(String),
|
||||||
|
ListenFailed(String),
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
pub struct Hostname {
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,123 @@
|
||||||
|
use crate::primitives::identity::Identity;
|
||||||
|
use crate::connections::{Hostname, ServiceError};
|
||||||
|
use std::net::{TcpListener, TcpStream};
|
||||||
|
use std::thread::{spawn, JoinHandle};
|
||||||
|
use crate::connections::ServiceError::{ClosedNormally, ConnectionFailed};
|
||||||
|
use std::sync::Arc;
|
||||||
|
use crate::acns::tor::TorProcess;
|
||||||
|
use socks::{Socks5Stream};
|
||||||
|
use socks::TargetAddr::Domain;
|
||||||
|
use std::io::Write;
|
||||||
|
|
||||||
|
|
||||||
|
pub struct NoListenService(());
|
||||||
|
pub struct ApplicationListenService(());
|
||||||
|
|
||||||
|
pub struct Service<ListenService> {
|
||||||
|
identity: Arc<Identity>,
|
||||||
|
listen_service: ListenService
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<ListenService> Service<ListenService> {
|
||||||
|
pub fn connect<F>(&mut self, hostname:&str, application:F) -> Result<(), ServiceError> where F: FnOnce(TcpStream) + Send + Clone + 'static, {
|
||||||
|
let conn = Socks5Stream::connect(format!("127.0.0.1:9050"), Domain(format!("{}.onion", hostname),9878));
|
||||||
|
match conn {
|
||||||
|
Ok(mut conn) => {
|
||||||
|
let application = application.clone();
|
||||||
|
spawn( move || {
|
||||||
|
application(conn.into_inner())
|
||||||
|
});
|
||||||
|
Ok(())
|
||||||
|
},
|
||||||
|
Err(err) => {
|
||||||
|
Err(ConnectionFailed(err.to_string()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Service<NoListenService> {
|
||||||
|
pub fn init(identity: Arc<Identity>) -> Service<NoListenService> {
|
||||||
|
Service {
|
||||||
|
identity,
|
||||||
|
listen_service: NoListenService(())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn listen<F>(mut self, port: u16, application: F) -> Result<Service<JoinHandle<ServiceError>>, ServiceError> where F: FnOnce(TcpStream) + Send + Clone + 'static, {
|
||||||
|
|
||||||
|
let jh =spawn(move || {
|
||||||
|
let listener = TcpListener::bind(format!("127.0.0.1:{}", port));
|
||||||
|
match listener {
|
||||||
|
Ok(listener) => {
|
||||||
|
for stream in listener.incoming() {
|
||||||
|
match stream {
|
||||||
|
Ok(conn) => {
|
||||||
|
let application = application.clone();
|
||||||
|
spawn( move || {
|
||||||
|
application(conn)
|
||||||
|
});
|
||||||
|
},
|
||||||
|
Err(_) =>{}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
ClosedNormally
|
||||||
|
},
|
||||||
|
Err(err) => {
|
||||||
|
ServiceError::ListenFailed(err.to_string())
|
||||||
|
}
|
||||||
|
}});
|
||||||
|
|
||||||
|
Ok(Service{
|
||||||
|
identity: self.identity,
|
||||||
|
listen_service: jh
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Service<JoinHandle<ServiceError>> {
|
||||||
|
pub fn close(self) {
|
||||||
|
let result = self.listen_service.join();
|
||||||
|
match result {
|
||||||
|
Ok(err) => {
|
||||||
|
eprintln!("{:?}", err)
|
||||||
|
}
|
||||||
|
_ => {
|
||||||
|
eprintln!("Error joining listen thread")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[cfg(test)]
|
||||||
|
mod tests {
|
||||||
|
use crate::connections::service::Service;
|
||||||
|
use crate::primitives::identity::Identity;
|
||||||
|
use ed25519_dalek::SecretKey;
|
||||||
|
use rand::rngs::OsRng;
|
||||||
|
use crate::applications::transcript_app::TranscriptApp;
|
||||||
|
use crate::connections::Hostname;
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn service_state() {
|
||||||
|
let mut csprng = OsRng{};
|
||||||
|
let keypair = ed25519_dalek::Keypair::generate(&mut csprng);
|
||||||
|
let secret_key = SecretKey::from_bytes(&keypair.secret.to_bytes());
|
||||||
|
let identity = Identity::initialize(keypair);
|
||||||
|
let mut service = Service::init(identity);
|
||||||
|
//let mut listen_service = service.listen(10000, TranscriptApp::new_instance()).unwrap_or_else(|_| panic!());
|
||||||
|
// this will not compile! wish we could test that service.connect(Hostname{},TranscriptApp::new_instance());
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn service_lifetime() {
|
||||||
|
let mut csprng = OsRng{};
|
||||||
|
let keypair = ed25519_dalek::Keypair::generate(&mut csprng);
|
||||||
|
let secret_key = SecretKey::from_bytes(&keypair.secret.to_bytes());
|
||||||
|
let identity = Identity::initialize(keypair);
|
||||||
|
let service = Service::init(identity);
|
||||||
|
//let listen_service = service.listen(1000, TranscriptApp::new_instance()).unwrap_or_else(|_| panic!());
|
||||||
|
// TODO use trybuild to test that this fails: service.connect(Hostname{},TranscriptApp::new_instance());
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,82 @@
|
||||||
|
use std::net::TcpStream;
|
||||||
|
use std::io::{Read, Write, BufReader};
|
||||||
|
use integer_encoding::{VarInt, FixedInt};
|
||||||
|
use secretbox::SecretBox;
|
||||||
|
use secretbox::CipherType::Salsa20;
|
||||||
|
use ed25519_dalek::PublicKey;
|
||||||
|
use sha3::Digest;
|
||||||
|
|
||||||
|
pub fn expect(conn: &mut TcpStream) -> Vec<u8> {
|
||||||
|
let mut msg = [0;8192];
|
||||||
|
let mut buf = BufReader::new(conn.try_clone().unwrap());
|
||||||
|
let result = buf.read_exact(&mut msg);
|
||||||
|
match result {
|
||||||
|
Err(e) =>{
|
||||||
|
println!("{:?}",e);
|
||||||
|
vec![]
|
||||||
|
}
|
||||||
|
Ok(()) => {
|
||||||
|
// TODO why did I decide to use varints here?!?!
|
||||||
|
let len = u16::decode_var(&msg[0..2]).unwrap().0 as usize;
|
||||||
|
println!("{} [{}]", len, String::from_utf8(msg[2..len+2].to_vec()).unwrap());
|
||||||
|
return msg[2..len+2].to_vec()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn public_key_to_hostname(public_key: &PublicKey) -> String {
|
||||||
|
let mut buf = [0u8; 35];
|
||||||
|
public_key.to_bytes().iter().copied().enumerate().for_each(|(i, b)| {
|
||||||
|
buf[i] = b;
|
||||||
|
});
|
||||||
|
|
||||||
|
let mut h = sha3::Sha3_256::new();
|
||||||
|
h.update(b".onion checksum");
|
||||||
|
h.update(public_key);
|
||||||
|
h.update(b"\x03");
|
||||||
|
let res_vec = h.finalize().to_vec();
|
||||||
|
buf[32] = res_vec[0];
|
||||||
|
buf[33] = res_vec[1];
|
||||||
|
buf[34] = 0x03;
|
||||||
|
base32::encode(base32::Alphabet::RFC4648 {padding:false}, &buf).to_ascii_lowercase()
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn send(conn: &mut TcpStream, msg: Vec<u8>) {
|
||||||
|
let mut msg = msg;
|
||||||
|
while msg.len() < 8192 {
|
||||||
|
msg.push(0);
|
||||||
|
}
|
||||||
|
// println!("Sending Auth Message: {}", hex::encode(&msg));
|
||||||
|
conn.write_all(msg.as_slice());
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn send_encrypted(conn: &mut TcpStream, key: &[u8], msg: Vec<u8>) {
|
||||||
|
let mut msg = msg;
|
||||||
|
while msg.len() < 8192-40 {
|
||||||
|
msg.push(0);
|
||||||
|
}
|
||||||
|
let secret_box = SecretBox::new(key, Salsa20).unwrap();
|
||||||
|
let msg = secret_box.easy_seal(msg.as_slice());
|
||||||
|
conn.write_all(msg.as_slice());
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn expect_encrypted(conn: &mut TcpStream, key: &[u8]) -> Vec<u8> {
|
||||||
|
let secret_box = SecretBox::new(key, Salsa20).unwrap();
|
||||||
|
let mut result = [0u8;8192];
|
||||||
|
match conn.read_exact(&mut result) {
|
||||||
|
Err(e) =>{
|
||||||
|
eprintln!("{}",e.to_string())
|
||||||
|
}
|
||||||
|
_ => {}
|
||||||
|
}
|
||||||
|
|
||||||
|
let msg = secret_box.easy_unseal(&result).unwrap();
|
||||||
|
let msg = msg.as_slice();
|
||||||
|
let mut len_bytes = [0u8;2];
|
||||||
|
let len = u16::decode_fixed(&msg[0..2]) as usize;
|
||||||
|
if len > 8192 {
|
||||||
|
eprintln!("invalid length: {}", len);
|
||||||
|
return vec![] // lol no.
|
||||||
|
}
|
||||||
|
msg[2..len].to_vec()
|
||||||
|
}
|
|
@ -1,8 +1,13 @@
|
||||||
#![feature(array_methods)]
|
#![feature(array_methods)]
|
||||||
|
// #[deny(missing_docs)]
|
||||||
|
#![feature(external_doc)]
|
||||||
|
#![doc(include = "../README.md")]
|
||||||
|
#![doc(html_logo_url = "https://git.openprivacy.ca/cwtch.im/tapir/media/branch/master/tapir.png")]
|
||||||
|
|
||||||
|
pub mod acns;
|
||||||
pub mod applications;
|
pub mod applications;
|
||||||
pub mod networks;
|
|
||||||
pub mod primitives;
|
pub mod primitives;
|
||||||
|
pub mod connections;
|
||||||
|
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
pub mod tor;
|
|
|
@ -1,31 +0,0 @@
|
||||||
use std::net::TcpStream;
|
|
||||||
use std::io::Error;
|
|
||||||
|
|
||||||
#[derive(Debug)]
|
|
||||||
pub struct TorProcess {
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
impl TorProcess {
|
|
||||||
pub fn connect() -> Result<TorProcess, Error> {
|
|
||||||
match TcpStream::connect(&format!("127.0.0.1:{}", 9051)) {
|
|
||||||
Ok(_conn) => {
|
|
||||||
Ok(TorProcess{})
|
|
||||||
},
|
|
||||||
Err(err) => {
|
|
||||||
return Err(err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
#[cfg(test)]
|
|
||||||
mod tests {
|
|
||||||
use crate::networks::tor::TorProcess;
|
|
||||||
|
|
||||||
#[test]
|
|
||||||
fn connect_tor() {
|
|
||||||
println!("{:?}", TorProcess::connect());
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -3,6 +3,10 @@ use x25519_dalek::{StaticSecret, SharedSecret};
|
||||||
use x25519_dalek::PublicKey as X25519PublicKey ;
|
use x25519_dalek::PublicKey as X25519PublicKey ;
|
||||||
use rand::rngs::OsRng;
|
use rand::rngs::OsRng;
|
||||||
use std::intrinsics::transmute;
|
use std::intrinsics::transmute;
|
||||||
|
use sha3::Digest;
|
||||||
|
use std::sync::Arc;
|
||||||
|
use crate::connections::utils::public_key_to_hostname;
|
||||||
|
|
||||||
|
|
||||||
/// Identity - An ed25519 keypair, required for established a Tor v3 onion service and used to
|
/// Identity - An ed25519 keypair, required for established a Tor v3 onion service and used to
|
||||||
/// maintain a consistent cryptographic identity for a peer.
|
/// maintain a consistent cryptographic identity for a peer.
|
||||||
|
@ -13,10 +17,10 @@ pub struct Identity {
|
||||||
impl Identity {
|
impl Identity {
|
||||||
|
|
||||||
/// Initialize a persistent identity
|
/// Initialize a persistent identity
|
||||||
pub fn initialize(keypair: Keypair) ->Identity {
|
pub fn initialize(keypair: Keypair) -> Arc<Identity> {
|
||||||
Identity {
|
Arc::new(Identity {
|
||||||
keypair
|
keypair
|
||||||
}
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Initialize an ephemeral identity - used for both ephemeral diffie hellman key exchanges
|
/// Initialize an ephemeral identity - used for both ephemeral diffie hellman key exchanges
|
||||||
|
@ -29,6 +33,14 @@ impl Identity {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn public_key(&self) -> ed25519_dalek::PublicKey {
|
||||||
|
self.keypair.public.clone()
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn hostname(&self) -> String {
|
||||||
|
public_key_to_hostname(&self.keypair.public)
|
||||||
|
}
|
||||||
|
|
||||||
/// Perform a diffie hellman exchange between `self` and the `remote_pub_key`
|
/// Perform a diffie hellman exchange between `self` and the `remote_pub_key`
|
||||||
/// Implementation: this method converts the secret key of `self` into a `StaticSecret`
|
/// Implementation: this method converts the secret key of `self` into a `StaticSecret`
|
||||||
/// and the `remote_pub_key` into a `x25519_dalek::PublicKey` such that they can be used
|
/// and the `remote_pub_key` into a `x25519_dalek::PublicKey` such that they can be used
|
||||||
|
@ -61,7 +73,7 @@ mod tests {
|
||||||
let bob = Identity::initialize_ephemeral_identity();
|
let bob = Identity::initialize_ephemeral_identity();
|
||||||
|
|
||||||
assert_eq!(alice.edh(bob.keypair.public).to_bytes(), bob.edh(alice.keypair.public).to_bytes());
|
assert_eq!(alice.edh(bob.keypair.public).to_bytes(), bob.edh(alice.keypair.public).to_bytes());
|
||||||
println!("Alice Shared Secret: {:?}", alice.edh(bob.keypair.public).to_bytes());
|
println!("Alice Shared Secret: {} {:?}", alice.hostname(), alice.edh(bob.keypair.public).to_bytes());
|
||||||
println!("Bob Shared Secret: {:?}", bob.edh(alice.keypair.public).to_bytes());
|
println!("Bob Shared Secret: {} {:?}", bob.hostname(), bob.edh(alice.keypair.public).to_bytes());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
#[cfg(test)]
|
||||||
|
mod test {
|
||||||
|
use tapir::acns::tor::authentication::HashedPassword;
|
||||||
|
use tapir::acns::tor::TorProcess;
|
||||||
|
use rand::rngs::OsRng;
|
||||||
|
use tapir::primitives::identity::Identity;
|
||||||
|
use ed25519_dalek::SecretKey;
|
||||||
|
use tapir::connections::service::Service;
|
||||||
|
use tapir::applications::transcript_app::TranscriptApp;
|
||||||
|
use std::net::TcpStream;
|
||||||
|
use std::io::Write;
|
||||||
|
use tapir::applications::authentication_app::AuthenicationApp;
|
||||||
|
use tapir::primitives::transcript::Transcript;
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_simple_setup() {
|
||||||
|
let mut auth_control_port = TorProcess::connect(9051).unwrap().authenticate(Box::new(HashedPassword::new(String::from("examplehashedpassword")))).unwrap();
|
||||||
|
let mut csprng = OsRng{};
|
||||||
|
let keypair = ed25519_dalek::Keypair::generate(&mut csprng);
|
||||||
|
match auth_control_port.add_onion_v3(SecretKey::from_bytes(&keypair.secret.to_bytes()).unwrap(), 9878, 10029) {
|
||||||
|
Ok(service_id) => {
|
||||||
|
// we authenticated!
|
||||||
|
let identity = Identity::initialize(keypair);
|
||||||
|
println!("Service Id: {}", service_id);
|
||||||
|
println!("Setup: {}", identity.hostname());
|
||||||
|
|
||||||
|
let mut service = Service::init(identity.clone());
|
||||||
|
|
||||||
|
let identity = identity.clone();
|
||||||
|
let function = |mut conn: TcpStream| {
|
||||||
|
let mut transcript = Transcript::new_transcript("tapir-transcript");
|
||||||
|
let mut auth_app = AuthenicationApp::new(identity);
|
||||||
|
auth_app.run(&mut conn, &mut transcript);
|
||||||
|
};
|
||||||
|
|
||||||
|
// let mut service = service.listen(10029, function.clone()).unwrap_or_else(|_|panic!());
|
||||||
|
service.connect("hejcfc3pduhcymo7i3zkoxezbjvw3vdsbavyy7gfsd677l5py7ccnlyd", function.clone());
|
||||||
|
// service.close();
|
||||||
|
loop{}
|
||||||
|
},
|
||||||
|
Err(err) => {
|
||||||
|
println!("{:?}", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue