Lines
91.89 %
Functions
78.57 %
Branches
100 %
//! Implement the socks handshakes.
#[cfg(any(feature = "proxy-handshake", feature = "client-handshake"))]
#[macro_use]
pub(crate) mod framework;
#[cfg(feature = "client-handshake")]
pub(crate) mod client;
#[cfg(feature = "proxy-handshake")]
pub(crate) mod proxy;
use crate::msg::SocksAddr;
use std::net::IpAddr;
use tor_bytes::Result as BytesResult;
use tor_bytes::{EncodeResult, Error as BytesError, Readable, Reader, Writeable, Writer};
/// Constant for Username/Password-style authentication.
/// (See RFC 1929)
const USERNAME_PASSWORD: u8 = 0x02;
/// Constant for "no authentication".
const NO_AUTHENTICATION: u8 = 0x00;
/// An action to take in response to a SOCKS handshake message.
#[derive(Clone, Debug)]
#[non_exhaustive]
pub struct Action {
/// If nonzero, this many bytes should be drained from the
/// client's inputs.
pub drain: usize,
/// If nonempty, this reply should be sent to the other party.
pub reply: Vec<u8>,
/// If true, then this handshake is over, either successfully or not.
pub finished: bool,
}
impl Readable for SocksAddr {
fn take_from(r: &mut Reader<'_>) -> BytesResult<SocksAddr> {
let atype = r.take_u8()?;
match atype {
1 => {
let ip4: std::net::Ipv4Addr = r.extract()?;
Ok(SocksAddr::Ip(ip4.into()))
3 => {
let hlen = r.take_u8()?;
let hostname = r.take(hlen as usize)?;
let hostname = std::str::from_utf8(hostname)
.map_err(|_| BytesError::InvalidMessage("bad utf8 on hostname".into()))?
.to_string();
let hostname = hostname
.try_into()
.map_err(|_| BytesError::InvalidMessage("hostname too long".into()))?;
Ok(SocksAddr::Hostname(hostname))
4 => {
let ip6: std::net::Ipv6Addr = r.extract()?;
Ok(SocksAddr::Ip(ip6.into()))
_ => Err(BytesError::InvalidMessage(
"unrecognized address type.".into(),
)),
impl Writeable for SocksAddr {
fn write_onto<W: Writer + ?Sized>(&self, w: &mut W) -> EncodeResult<()> {
match self {
SocksAddr::Ip(IpAddr::V4(ip)) => {
w.write_u8(1);
w.write(ip)?;
SocksAddr::Ip(IpAddr::V6(ip)) => {
w.write_u8(4);
SocksAddr::Hostname(h) => {
let h = h.as_ref();
assert!(h.len() < 256);
let hlen = h.len() as u8;
w.write_u8(3);
w.write_u8(hlen);
w.write(h.as_bytes())?;
Ok(())
#[cfg(all(feature = "client-handshake", feature = "proxy-handshake"))]
#[cfg(test)]
mod test_roundtrip {
// @@ begin test lint list
#![allow(clippy::bool_assert_comparison)]
#![allow(clippy::clone_on_copy)]
#![allow(clippy::dbg_macro)]
#![allow(clippy::mixed_attributes_style)]
#![allow(clippy::print_stderr)]
#![allow(clippy::print_stdout)]
#![allow(clippy::single_char_pattern)]
#![allow(clippy::unwrap_used)]
#![allow(clippy::unchecked_duration_subtraction)]
#![allow(clippy::useless_vec)]
#![allow(clippy::needless_pass_by_value)]
//! <!-- @@ end test lint list
use crate::*;
use std::collections::VecDeque;
/// Given a socks request, run a complete (successful round) trip, reply with the
/// the given status code, and return both sides' results.
///
/// Use the (deprecated) `Handshake::handshake` and `Action` API
fn run_handshake_old_api(
request: SocksRequest,
status: SocksStatus,
) -> (SocksRequest, SocksReply) {
let mut client_hs = SocksClientHandshake::new(request);
let mut proxy_hs = SocksProxyHandshake::new();
let mut received_request = None;
let mut last_proxy_msg = vec![];
// Prevent infinite loop in case of bugs.
for _ in 0..100 {
// Make sure that the client says "truncated" for all prefixes of the proxy's message.
for truncate in 0..last_proxy_msg.len() {
let r = client_hs.handshake_for_tests(&last_proxy_msg[..truncate]);
assert!(r.is_err());
// Get the client's actual message.
let client_action = client_hs
.handshake_for_tests(&last_proxy_msg)
.unwrap()
.unwrap();
assert_eq!(client_action.drain, last_proxy_msg.len());
if client_action.finished {
let received_reply = client_hs.into_reply();
return (received_request.unwrap(), received_reply.unwrap());
let client_msg = client_action.reply;
// Make sure that the proxy says "truncated" for all prefixes of the client's message.
for truncate in 0..client_msg.len() {
let r = proxy_hs.handshake_for_tests(&client_msg[..truncate]);
// Get the proxy's actual reply (if any).
let proxy_action = proxy_hs.handshake_for_tests(&client_msg).unwrap().unwrap();
assert_eq!(proxy_action.drain, client_msg.len());
last_proxy_msg = if proxy_action.finished {
// The proxy is done: have it reply with a status code.
received_request = proxy_hs.clone().into_request();
received_request
.as_ref()
.reply(status, None)
} else {
proxy_action.reply
};
panic!("Handshake ran for too many steps")
/// Use the (new) `Handshake::step` API
fn run_handshake_new_api<P: ReadPrecision, const MAX_RECV: usize>(
struct State<P: ReadPrecision, H: Handshake> {
hs: H,
buf: Buffer<P>,
fin: Option<H::Output>,
struct DidSomething;
let mut client = State::<P, _>::new(SocksClientHandshake::new(request));
let mut server = State::<P, _>::new(SocksProxyHandshake::new());
let mut c2s = VecDeque::new();
let mut s2c = VecDeque::new();
let mut status = Some(status);
impl<P: ReadPrecision, H: Handshake> State<P, H> {
fn new(hs: H) -> Self {
State {
hs,
buf: Default::default(),
fin: None,
fn progress_1(
&mut self,
max_recv: usize,
rx: &mut VecDeque<u8>,
tx: &mut VecDeque<u8>,
) -> Option<DidSomething> {
use NextStep as NS;
if self.fin.is_some() {
return None;
match self.hs.step(&mut self.buf).unwrap() {
NS::Recv(mut recv) => {
let n = [recv.buf().len(), rx.len(), max_recv]
.into_iter()
.min()
for p in &mut recv.buf()[0..n] {
*p = rx.pop_front().unwrap();
recv.note_received(n).unwrap_or_else(|e| match e {
// This is actually expected; our test case produces 0-byte reads
// sometimes.
Error::UnexpectedEof => {}
other => panic!("{:?}", other),
});
if n != 0 {
Some(DidSomething)
None
NS::Send(send) => {
for c in send {
tx.push_back(c);
NS::Finished(fin) => {
self.fin = Some(fin.into_output_forbid_pipelining().unwrap());
loop {
let ds = [
client.progress_1(MAX_RECV, &mut s2c, &mut c2s),
server.progress_1(MAX_RECV, &mut c2s, &mut s2c),
]
.flatten()
.next();
if let Some(DidSomething) = ds {
continue;
let Some(status) = status.take() else { break };
let reply = server.fin.as_ref().unwrap().reply(status, None).unwrap();
for c in reply {
s2c.push_back(c);
(server.fin.unwrap(), client.fin.unwrap())
// Invoke run_handshake and assert that the output matches the input.
fn test_handshake(request: &SocksRequest, status: SocksStatus) {
for run_handshake in [
run_handshake_old_api,
run_handshake_new_api::<(), 1>,
run_handshake_new_api::<(), 100>,
run_handshake_new_api::<PreciseReads, 1>,
run_handshake_new_api::<PreciseReads, 100>,
] {
let (request_out, status_out) = run_handshake(request.clone(), status);
assert_eq!(&request_out, request);
assert_eq!(status_out.status(), status);
#[test]
fn socks4() {
test_handshake(
&SocksRequest::new(
SocksVersion::V4,
SocksCmd::CONNECT,
SocksAddr::Hostname("www.torproject.org".to_string().try_into().unwrap()),
443,
SocksAuth::NoAuth,
)
.unwrap(),
SocksStatus::SUCCEEDED,
);
SocksAddr::Ip("192.0.2.33".parse().unwrap()),
22,
SocksAuth::Socks4(b"swordfish".to_vec()),
SocksStatus::GENERAL_FAILURE,
fn socks5() {
SocksVersion::V5,
SocksAddr::Ip("2001:db8::32".parse().unwrap()),
SocksAuth::Username(b"belbo".to_vec(), b"non".to_vec()),