1 files changed, 690 insertions, 0 deletions

diff --git a/src/lib/util/socks.c b/src/lib/util/socks.c
new file mode 100644
index 000000000..ffde8a667
--- /dev/null
+++ b/src/lib/util/socks.c
@@ -0,0 +1,690 @@
+/*
+     This file is part of GNUnet.
+     Copyright (C) 2009-2013 GNUnet e.V.
+
+     GNUnet is free software: you can redistribute it and/or modify it
+     under the terms of the GNU Affero General Public License as published
+     by the Free Software Foundation, either version 3 of the License,
+     or (at your option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Affero General Public License for more details.
+
+     You should have received a copy of the GNU Affero General Public License
+     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+     SPDX-License-Identifier: AGPL3.0-or-later
+ */
+
+/**
+ * @file util/socks.c
+ * @brief  SOCKS5 connection support
+ * @author Jeffrey Burdges
+ *
+ * These routines should be called only on newly active connections.
+ */
+
+#include "platform.h"
+#include "gnunet_util_lib.h"
+
+
+#define LOG(kind, ...) GNUNET_log_from (kind, "util-socks", __VA_ARGS__)
+
+#define LOG_STRERROR(kind, syscall) \
+  GNUNET_log_from_strerror (kind, "util-socks", syscall)
+
+
+/* SOCKS5 authentication methods */
+#define SOCKS5_AUTH_REJECT 0xFF /* No acceptable auth method */
+#define SOCKS5_AUTH_NOAUTH 0x00 /* without authentication */
+#define SOCKS5_AUTH_GSSAPI 0x01 /* GSSAPI */
+#define SOCKS5_AUTH_USERPASS 0x02 /* User/Password */
+#define SOCKS5_AUTH_CHAP 0x03 /* Challenge-Handshake Auth Proto. */
+#define SOCKS5_AUTH_EAP 0x05 /* Extensible Authentication Proto. */
+#define SOCKS5_AUTH_MAF 0x08 /* Multi-Authentication Framework */
+
+
+/* SOCKS5 connection responses */
+#define SOCKS5_REP_SUCCEEDED 0x00 /* succeeded */
+#define SOCKS5_REP_FAIL 0x01 /* general SOCKS serer failure */
+#define SOCKS5_REP_NALLOWED 0x02 /* connection not allowed by ruleset */
+#define SOCKS5_REP_NUNREACH 0x03 /* Network unreachable */
+#define SOCKS5_REP_HUNREACH 0x04 /* Host unreachable */
+#define SOCKS5_REP_REFUSED 0x05 /* connection refused */
+#define SOCKS5_REP_EXPIRED 0x06 /* TTL expired */
+#define SOCKS5_REP_CNOTSUP 0x07 /* Command not supported */
+#define SOCKS5_REP_ANOTSUP 0x08 /* Address not supported */
+#define SOCKS5_REP_INVADDR 0x09 /* Invalid address */
+
+const char *
+SOCKS5_REP_names (int rep)
+{
+  switch (rep)
+  {
+  case SOCKS5_REP_SUCCEEDED:
+    return "succeeded";
+
+  case SOCKS5_REP_FAIL:
+    return "general SOCKS server failure";
+
+  case SOCKS5_REP_NALLOWED:
+    return "connection not allowed by ruleset";
+
+  case SOCKS5_REP_NUNREACH:
+    return "Network unreachable";
+
+  case SOCKS5_REP_HUNREACH:
+    return "Host unreachable";
+
+  case SOCKS5_REP_REFUSED:
+    return "connection refused";
+
+  case SOCKS5_REP_EXPIRED:
+    return "TTL expired";
+
+  case SOCKS5_REP_CNOTSUP:
+    return "Command not supported";
+
+  case SOCKS5_REP_ANOTSUP:
+    return "Address not supported";
+
+  case SOCKS5_REP_INVADDR:
+    return "Invalid address";
+
+  default:
+    return NULL;
+  }
+};
+
+
+/**
+ * Encode a string for the SOCKS5 protocol by prefixing it a byte stating its
+ * length and stripping the trailing zero byte.  Truncates any string longer
+ * than 255 bytes.
+ *
+ * @param b buffer to contain the encoded string
+ * @param s string to encode
+ * @return pointer to the end of the encoded string in the buffer
+ */
+unsigned char *
+SOCK5_proto_string (unsigned char *b, const char *s)
+{
+  size_t l = strlen (s);
+
+  if (l > 255)
+  {
+    LOG (GNUNET_ERROR_TYPE_WARNING,
+         "SOCKS5 cannot handle hostnames, usernames, or passwords over 255 bytes, truncating.\n");
+    l = 255;
+  }
+  *(b++) = (unsigned char) l;
+  memcpy (b, s, l);
+  return b + l;
+}
+
+
+#define SOCKS5_step_greet 0
+#define SOCKS5_step_auth 1
+#define SOCKS5_step_cmd 2
+#define SOCKS5_step_done 3
+
+/**
+ * State of the SOCKS5 handshake.
+ */
+struct GNUNET_SOCKS_Handshake
+{
+  /**
+   * Connection handle used for SOCKS5
+   */
+  struct GNUNET_CONNECTION_Handle *socks5_connection;
+
+  /**
+   * Connection handle initially returned to client
+   */
+  struct GNUNET_CONNECTION_Handle *target_connection;
+
+  /**
+   * Transmission handle on socks5_connection.
+   */
+  struct GNUNET_CONNECTION_TransmitHandle *th;
+
+  /**
+   * Our stage in the SOCKS5 handshake
+   */
+  int step;
+
+  /**
+   * Precomputed SOCKS5 handshake output buffer
+   */
+  unsigned char outbuf[1024];
+
+  /**
+   * Pointers delineating protoocol steps in the output buffer
+   */
+  unsigned char *(outstep[4]);
+
+  /**
+   * SOCKS5 handshake input buffer
+   */
+  unsigned char inbuf[1024];
+
+  /**
+   * Pointers delimiting the current step in the input buffer
+   */
+  unsigned char *instart;
+  unsigned char *inend;
+};
+
+
+/* Registering prototypes */
+
+void
+register_reciever (struct GNUNET_SOCKS_Handshake *ih, int want);
+
+/* In fact, the client sends first rule in GNUnet suggests one could take
+ * large mac read sizes without fear of screwing up the proxied protocol,
+ * but we make a proper SOCKS5 client. */
+#define register_reciever_wants(ih) ((SOCKS5_step_cmd == ih->step) ? 10 : 2)
+
+
+struct GNUNET_CONNECTION_TransmitHandle *
+register_sender (struct GNUNET_SOCKS_Handshake *ih);
+
+
+/**
+ * Conclude the SOCKS5 handshake successfully.
+ *
+ * @param ih SOCKS5 handshake, consumed here.
+ * @param c open unused connection, consumed here.
+ * @return Connection handle that becomes usable when the handshake completes.
+ */
+void
+SOCKS5_handshake_done (struct GNUNET_SOCKS_Handshake *ih)
+{
+  GNUNET_CONNECTION_acivate_proxied (ih->target_connection);
+}
+
+
+/**
+ * Read one step in the SOCKS5 handshake.
+ *
+ * @param ih SOCKS5 Handshake
+ */
+void
+SOCKS5_handshake_step (struct GNUNET_SOCKS_Handshake *ih)
+{
+  unsigned char *b = ih->instart;
+  size_t available = ih->inend - b;
+
+  int want = register_reciever_wants (ih);
+
+  if (available < want)
+  {
+    register_reciever (ih, want - available);
+    return;
+  }
+  GNUNET_assert (SOCKS5_step_done > ih->step && ih->step >= 0);
+  switch (ih->step)
+  {
+  case SOCKS5_step_greet:   /* SOCKS5 server's greeting */
+    if (b[0] != 5)
+    {
+      LOG (GNUNET_ERROR_TYPE_ERROR, "Not a SOCKS5 server\n");
+      GNUNET_assert (0);
+    }
+    switch (b[1])
+    {
+    case SOCKS5_AUTH_NOAUTH:
+      ih->step = SOCKS5_step_cmd;     /* no authentication to do */
+      break;
+
+    case SOCKS5_AUTH_USERPASS:
+      ih->step = SOCKS5_step_auth;
+      break;
+
+    case SOCKS5_AUTH_REJECT:
+      LOG (GNUNET_ERROR_TYPE_ERROR, "No authentication method accepted\n");
+      return;
+
+    default:
+      LOG (GNUNET_ERROR_TYPE_ERROR,
+           "Not a SOCKS5 server / Nonsensical authentication\n");
+      return;
+    }
+    b += 2;
+    break;
+
+  case SOCKS5_step_auth:   /* SOCKS5 server's response to authentication */
+    if (b[1] != 0)
+    {
+      LOG (GNUNET_ERROR_TYPE_ERROR, "SOCKS5 authentication failed\n");
+      GNUNET_assert (0);
+    }
+    ih->step = SOCKS5_step_cmd;
+    b += 2;
+    break;
+
+  case SOCKS5_step_cmd:   /* SOCKS5 server's response to command */
+    if (b[0] != 5)
+    {
+      LOG (GNUNET_ERROR_TYPE_ERROR, "SOCKS5 protocol error\n");
+      GNUNET_assert (0);
+    }
+    if (0 != b[1])
+    {
+      LOG (GNUNET_ERROR_TYPE_ERROR,
+           "SOCKS5 connection error : %s\n",
+           SOCKS5_REP_names (b[1]));
+      return;
+    }
+    b += 3;
+    /* There is no reason to verify host and port afaik. */
+    switch (*(b++))
+    {
+    case 1:     /* IPv4 */
+      b += sizeof(struct in_addr);     /* 4 */
+      break;
+
+    case 4:     /* IPv6 */
+      b += sizeof(struct in6_addr);     /* 16 */
+      break;
+
+    case 3:     /* hostname */
+      b += *b;
+      break;
+    }
+    b += 2;   /* port */
+    if (b > ih->inend)
+    {
+      register_reciever (ih, b - ih->inend);
+      return;
+    }
+    ih->step = SOCKS5_step_done;
+    LOG (GNUNET_ERROR_TYPE_DEBUG,
+         "SOCKS5 server : %s\n",
+         SOCKS5_REP_names (b[1]));
+    ih->instart = b;
+    SOCKS5_handshake_done (ih);
+    return;
+
+  case SOCKS5_step_done:
+    GNUNET_assert (0);
+  }
+  ih->instart = b;
+  /* Do not reschedule the sender unless we're done reading.
+   * I imagine this lets us avoid ever cancelling the transmit handle. */
+  register_sender (ih);
+}
+
+
+/**
+ * Callback to read from the SOCKS5 proxy.
+ *
+ * @param client the service
+ * @param handler function to call with the message
+ * @param handler_cls closure for @a handler
+ */
+void
+receiver (void *cls,
+          const void *buf,
+          size_t available,
+          const struct sockaddr *addr,
+          socklen_t addrlen,
+          int errCode)
+{
+  struct GNUNET_SOCKS_Handshake *ih = cls;
+
+  GNUNET_assert (&ih->inend[available] < &ih->inbuf[1024]);
+  GNUNET_memcpy (ih->inend, buf, available);
+  ih->inend += available;
+  SOCKS5_handshake_step (ih);
+}
+
+
+/**
+ * Register callback to read from the SOCKS5 proxy.
+ *
+ * @param client the service
+ * @param handler function to call with the message
+ * @param handler_cls closure for @a handler
+ */
+void
+register_reciever (struct GNUNET_SOCKS_Handshake *ih, int want)
+{
+  GNUNET_CONNECTION_receive (ih->socks5_connection,
+                             want,
+                             GNUNET_TIME_relative_get_minute_ (),
+                             &receiver,
+                             ih);
+}
+
+
+/**
+ * Register SOCKS5 handshake sender
+ *
+ * @param cls closure (SOCKS handshake)
+ * @param size number of bytes available in @a buf
+ * @param buf where the callee should write the message
+ * @return number of bytes written to @a buf
+ */
+size_t
+transmit_ready (void *cls, size_t size, void *buf)
+{
+  struct GNUNET_SOCKS_Handshake *ih = cls;
+
+  /* connection.c has many routines that call us with buf == NULL :
+   * signal_transmit_error() - DNS, etc. active
+   *   connect_fail_continuation()
+   *     connect_probe_continuation() - timeout
+   *     try_connect_using_address() - DNS failure/timeout
+   *     transmit_timeout() - retry failed?
+   * GNUNET_CONNECTION_notify_transmit_ready() can schedule :
+   *   transmit_timeout() - DNS still working
+   *   connect_error() - DNS done but no socket?
+   * transmit_ready() - scheduler shutdown or timeout, or signal_transmit_error()
+   * We'd need to dig into the scheduler to guess at the reason, as
+   * connection.c tells us nothing itself, but mostly its timouts.
+   * Initially, we'll simply ignore this and leave massive timeouts, but
+   * maybe that should change for error handling pruposes.  It appears that
+   * successful operations, including DNS resolution, do not use this.  */if (NULL == buf)
+  {
+    if (0 == ih->step)
+    {
+      LOG (GNUNET_ERROR_TYPE_WARNING,
+           "Timeout contacting SOCKS server, retrying indefinitely, but probably hopeless.\n");
+      register_sender (ih);
+    }
+    else
+    {
+      LOG (GNUNET_ERROR_TYPE_ERROR,
+           "Timeout during mid SOCKS handshake (step %u), probably not a SOCKS server.\n",
+           ih->step);
+      GNUNET_break (0);
+    }
+    return 0;
+  }
+
+  GNUNET_assert ((1024 >= size) && (size > 0));
+  GNUNET_assert ((SOCKS5_step_done > ih->step) && (ih->step >= 0));
+  unsigned char *b = ih->outstep[ih->step];
+  unsigned char *e = ih->outstep[ih->step + 1];
+  GNUNET_assert (e <= &ih->outbuf[1024]);
+  unsigned int l = e - b;
+  GNUNET_assert (size >= l);
+  GNUNET_memcpy (buf, b, l);
+  register_reciever (ih, register_reciever_wants (ih));
+  return l;
+}
+
+
+/**
+ * Register SOCKS5 handshake sender
+ *
+ * @param ih handshake
+ * @return non-NULL if the notify callback was queued,
+ *         NULL if we are already going to notify someone else (busy)
+ */
+struct GNUNET_CONNECTION_TransmitHandle *
+register_sender (struct GNUNET_SOCKS_Handshake *ih)
+{
+  struct GNUNET_TIME_Relative timeout = GNUNET_TIME_UNIT_MINUTES;
+
+  GNUNET_assert (SOCKS5_step_done > ih->step);
+  GNUNET_assert (ih->step >= 0);
+  if (0 == ih->step)
+    timeout = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MINUTES, 3);
+  unsigned char *b = ih->outstep[ih->step];
+  unsigned char *e = ih->outstep[ih->step + 1];
+  GNUNET_assert (ih->outbuf <= b && b < e && e < &ih->outbuf[1024]);
+  ih->th = GNUNET_CONNECTION_notify_transmit_ready (ih->socks5_connection,
+                                                    e - b,
+                                                    timeout,
+                                                    &transmit_ready,
+                                                    ih);
+  return ih->th;
+}
+
+
+/**
+ * Initialize a SOCKS5 handshake for authentication via username and
+ * password.  Tor uses SOCKS username and password authentication to assign
+ * programs unique circuits.
+ *
+ * @param user username for the proxy
+ * @param pass password for the proxy
+ * @return Valid SOCKS5 hanbdshake handle
+ */
+struct GNUNET_SOCKS_Handshake *
+GNUNET_SOCKS_init_handshake (const char *user, const char *pass)
+{
+  struct GNUNET_SOCKS_Handshake *ih =
+    GNUNET_new (struct GNUNET_SOCKS_Handshake);
+  unsigned char *b = ih->outbuf;
+
+  ih->outstep[SOCKS5_step_greet] = b;
+  *(b++) = 5; /* SOCKS5 */
+  unsigned char *n = b++;
+  *n = 1; /* Number of authentication methods */
+  /* We support no authentication even when requesting authentication,
+   * but this appears harmless, given the way that Tor uses authentication.
+   * And some SOCKS5 servers might require this.  */
+  *(b++) = SOCKS5_AUTH_NOAUTH;
+  if (NULL != user)
+  {
+    *(b++) = SOCKS5_AUTH_USERPASS;
+    (*n)++;
+  }
+  /* There is no apparent reason to support authentication methods beyond
+   * username and password since afaik Tor does not support them. */
+
+  /* We authenticate with an empty username and password if the server demands
+   * them but we do not have any. */
+  if (user == NULL)
+    user = "";
+  if (pass == NULL)
+    pass = "";
+
+  ih->outstep[SOCKS5_step_auth] = b;
+  *(b++) = 1; /* subnegotiation ver.: 1 */
+  b = SOCK5_proto_string (b, user);
+  b = SOCK5_proto_string (b, pass);
+
+  ih->outstep[SOCKS5_step_cmd] = b;
+
+  ih->inend = ih->instart = ih->inbuf;
+
+  return ih;
+}
+
+
+/**
+ * Initialize a SOCKS5 handshake without authentication, thereby possibly
+ * sharing a Tor circuit with another process.
+ *
+ * @return Valid SOCKS5 hanbdshake handle
+ */
+struct GNUNET_SOCKS_Handshake *
+GNUNET_SOCKS_init_handshake_noauth ()
+{
+  return GNUNET_SOCKS_init_handshake (NULL, NULL);
+}
+
+
+/**
+ * Build request that the SOCKS5 proxy open a TCP/IP stream to the given host
+ * and port.
+ *
+ * @param ih SOCKS5 handshake
+ * @param host
+ * @param port
+ */
+void
+GNUNET_SOCKS_set_handshake_destination (struct GNUNET_SOCKS_Handshake *ih,
+                                        const char *host,
+                                        uint16_t port)
+{
+  union
+  {
+    struct in_addr in4;
+    struct in6_addr in6;
+  } ia;
+  unsigned char *b = ih->outstep[SOCKS5_step_cmd];
+
+  *(b++) = 5; /* SOCKS5 */
+  *(b++) = 1; /* Establish a TCP/IP stream */
+  *(b++) = 0; /* reserved */
+
+  /* Specify destination */
+  if (1 == inet_pton (AF_INET, host, &ia.in4))
+  {
+    *(b++) = 1;   /* IPv4 */
+    GNUNET_memcpy (b, &ia.in4, sizeof(struct in_addr));
+    b += sizeof(struct in_addr);   /* 4 */
+  }
+  else if (1 == inet_pton (AF_INET6, host, &ia.in6))
+  {
+    *(b++) = 4;   /* IPv6 */
+    GNUNET_memcpy (b, &ia.in6, sizeof(struct in6_addr));
+    b += sizeof(struct in6_addr);   /* 16 */
+  }
+  else
+  {
+    *(b++) = 3;   /* hostname */
+    b = SOCK5_proto_string (b, host);
+  }
+
+  /* Specify port */
+  *(uint16_t *) b = htons (port);
+  b += 2;
+
+  ih->outstep[SOCKS5_step_done] = b;
+}
+
+
+/**
+ * Run a SOCKS5 handshake on an open but unused TCP connection.
+ *
+ * @param ih SOCKS5 handshake, consumed here.
+ * @param c open unused connection, consumed here.
+ * @return Connection handle that becomes usable when the SOCKS5 handshake completes.
+ */
+struct GNUNET_CONNECTION_Handle *
+GNUNET_SOCKS_run_handshake (struct GNUNET_SOCKS_Handshake *ih,
+                            struct GNUNET_CONNECTION_Handle *c)
+{
+  ih->socks5_connection = c;
+  ih->target_connection = GNUNET_CONNECTION_create_proxied_from_handshake (c);
+  register_sender (ih);
+
+  return ih->target_connection;
+}
+
+
+/**
+ * Check if a SOCKS proxy is required by a service.  Do not use local service
+ * if a SOCKS proxy port is configured as this could deanonymize a user.
+ *
+ * @param service_name name of service to connect to
+ * @param cfg configuration to use
+ * @return GNUNET_YES if so, GNUNET_NO if not
+ */
+int
+GNUNET_SOCKS_check_service (const char *service_name,
+                            const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  return GNUNET_CONFIGURATION_have_value (cfg, service_name, "SOCKSPORT") ||
+         GNUNET_CONFIGURATION_have_value (cfg, service_name, "SOCKSHOST");
+}
+
+
+/**
+ * Try to connect to a service configured to use a SOCKS5 proxy.
+ *
+ * @param service_name name of service to connect to
+ * @param cfg configuration to use
+ * @return Connection handle that becomes usable when the handshake completes.
+ *         NULL if SOCKS not configured or not configured properly
+ */
+struct GNUNET_CONNECTION_Handle *
+GNUNET_SOCKS_do_connect (const char *service_name,
+                         const struct GNUNET_CONFIGURATION_Handle *cfg)
+{
+  struct GNUNET_SOCKS_Handshake *ih;
+  struct GNUNET_CONNECTION_Handle *socks5; /* *proxied */
+  char *host0;
+  char *host1;
+  char *user;
+  char *pass;
+  unsigned long long port0;
+  unsigned long long port1;
+
+  if (GNUNET_YES != GNUNET_SOCKS_check_service (service_name, cfg))
+    return NULL;
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_number (cfg,
+                                                          service_name,
+                                                          "SOCKSPORT",
+                                                          &port0))
+    port0 = 9050;
+  /* A typical Tor client should usually try port 9150 for the TBB too, but
+   * GNUnet can probably assume a system Tor installation. */
+  if ((port0 > 65535) || (port0 <= 0))
+  {
+    LOG (GNUNET_ERROR_TYPE_WARNING,
+         _ (
+           "Attempting to use invalid port %d as SOCKS proxy for service `%s'.\n"),
+         port0,
+         service_name);
+    return NULL;
+  }
+  if ((GNUNET_OK != GNUNET_CONFIGURATION_get_value_number (cfg,
+                                                           service_name,
+                                                           "PORT",
+                                                           &port1)) ||
+      (port1 > 65535) || (port1 <= 0) ||
+      (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
+                                                           service_name,
+                                                           "HOSTNAME",
+                                                           &host1)))
+  {
+    LOG (GNUNET_ERROR_TYPE_WARNING,
+         _ (
+           "Attempting to proxy service `%s' to invalid port %d or hostname.\n"),
+         service_name,
+         port1);
+    return NULL;
+  }
+  /* Appeared to still work after host0 corrupted, so either test case is broken, or
+     this whole routine is not being called. */
+  if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg,
+                                                          service_name,
+                                                          "SOCKSHOST",
+                                                          &host0))
+    host0 = NULL;
+  socks5 = GNUNET_CONNECTION_create_from_connect (cfg,
+                                                  (host0 != NULL) ? host0
+                                                  : "127.0.0.1",
+                                                  port0);
+  GNUNET_free (host0);
+
+  /* Sets to NULL if they do not exist */
+  (void) GNUNET_CONFIGURATION_get_value_string (cfg,
+                                                service_name,
+                                                "SOCKSUSER",
+                                                &user);
+  (void) GNUNET_CONFIGURATION_get_value_string (cfg,
+                                                service_name,
+                                                "SOCKSPASS",
+                                                &pass);
+  ih = GNUNET_SOCKS_init_handshake (user, pass);
+  GNUNET_free (user);
+  GNUNET_free (pass);
+
+  GNUNET_SOCKS_set_handshake_destination (ih, host1, port1);
+  GNUNET_free (host1);
+  return GNUNET_SOCKS_run_handshake (ih, socks5);
+}
+
+
+/* socks.c */