[tbb-commits] [tor-browser-bundle/master] Use a SOCKS5 listener instead of a SOCKS4a for goptlib.

gk at torproject.org gk at torproject.org
Mon Mar 23 08:52:19 UTC 2015


commit 9d26e0009fc6a8e89a48db2a976097459f14f45e
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Mon Mar 23 01:02:39 2015 +0000

    Use a SOCKS5 listener instead of a SOCKS4a for goptlib.
    
    This is done in the form of a patch that has yet to be merged into
    goptlib.  Once the branch is merged, this change should be reverted,
    and the goptlib tag updated.
---
 .../linux/gitian-pluggable-transports.yml          |    6 +
 .../mac/gitian-pluggable-transports.yml            |    6 +
 .../windows/gitian-pluggable-transports.yml        |    6 +
 gitian/patches/bug12535.patch                      | 1032 ++++++++++++++++++++
 4 files changed, 1050 insertions(+)

diff --git a/gitian/descriptors/linux/gitian-pluggable-transports.yml b/gitian/descriptors/linux/gitian-pluggable-transports.yml
index 9596b7f..2f8e70e 100644
--- a/gitian/descriptors/linux/gitian-pluggable-transports.yml
+++ b/gitian/descriptors/linux/gitian-pluggable-transports.yml
@@ -55,6 +55,7 @@ files:
 - "openssl-linux32-utils.zip"
 - "openssl-linux64-utils.zip"
 - "go.net.tar.bz2"
+- "bug12535.patch"
 script: |
   INSTDIR="$HOME/install"
   PTDIR="$INSTDIR/Tor/PluggableTransports"
@@ -206,6 +207,11 @@ script: |
 
   # Building goptlib
   cd goptlib
+  git update-index --refresh -q
+  export GIT_COMMITTER_NAME="nobody"
+  export GIT_COMMITTER_EMAIL="nobody at localhost"
+  export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
+  git am ~/build/bug12535.patch
   find -type f | xargs touch --date="$REFERENCE_DATETIME"
   mkdir -p "$GOPATH/src/git.torproject.org/pluggable-transports"
   ln -sf "$PWD" "$GOPATH/src/git.torproject.org/pluggable-transports/goptlib.git"
diff --git a/gitian/descriptors/mac/gitian-pluggable-transports.yml b/gitian/descriptors/mac/gitian-pluggable-transports.yml
index a1bdff9..0ed896e 100644
--- a/gitian/descriptors/mac/gitian-pluggable-transports.yml
+++ b/gitian/descriptors/mac/gitian-pluggable-transports.yml
@@ -51,6 +51,7 @@ files:
 - "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
 - "dzip.sh"
 - "go.net.tar.bz2"
+- "bug12535.patch"
 - "gmp-mac64-utils.zip"
 - "openssl-mac64-utils.zip"
 script: |
@@ -232,6 +233,11 @@ script: |
 
   # Building goptlib
   cd goptlib
+  git update-index --refresh -q
+  export GIT_COMMITTER_NAME="nobody"
+  export GIT_COMMITTER_EMAIL="nobody at localhost"
+  export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
+  git am ~/build/bug12535.patch
   find -type f | xargs touch --date="$REFERENCE_DATETIME"
   mkdir -p "$GOPATH/src/git.torproject.org/pluggable-transports"
   ln -sf "$PWD" "$GOPATH/src/git.torproject.org/pluggable-transports/goptlib.git"
diff --git a/gitian/descriptors/windows/gitian-pluggable-transports.yml b/gitian/descriptors/windows/gitian-pluggable-transports.yml
index 4ca477e..0ea6e6d 100644
--- a/gitian/descriptors/windows/gitian-pluggable-transports.yml
+++ b/gitian/descriptors/windows/gitian-pluggable-transports.yml
@@ -58,6 +58,7 @@ files:
 - "gmp-win32-utils.zip"
 - "gcclibs-win32-utils.zip"
 - "go.net.tar.bz2"
+- "bug12535.patch"
 script: |
   # Set the timestamp on every .pyc file in a zip file, and re-dzip the zip file.
   function py2exe_zip_timestomp {
@@ -308,6 +309,11 @@ script: |
 
   # Building goptlib
   cd goptlib
+  git update-index --refresh -q
+  export GIT_COMMITTER_NAME="nobody"
+  export GIT_COMMITTER_EMAIL="nobody at localhost"
+  export GIT_COMMITTER_DATE="$REFERENCE_DATETIME"
+  git am ~/build/bug12535.patch
   find -type f | xargs touch --date="$REFERENCE_DATETIME"
   mkdir -p "$GOPATH/src/git.torproject.org/pluggable-transports"
   ln -sf "$PWD" "$GOPATH/src/git.torproject.org/pluggable-transports/goptlib.git"
diff --git a/gitian/patches/bug12535.patch b/gitian/patches/bug12535.patch
new file mode 100644
index 0000000..dae6818
--- /dev/null
+++ b/gitian/patches/bug12535.patch
@@ -0,0 +1,1032 @@
+From 743ae58b6c33dda837ffb1267867f564597dd59d Mon Sep 17 00:00:00 2001
+From: Yawning Angel <yawning at schwanenlied.me>
+Date: Mon, 8 Sep 2014 18:24:08 +0000
+Subject: [PATCH] Replace the SOCKS4a listener with a SOCKS5 listener.
+
+The change is designed to be transparent to calling code and implements
+enough of RFC1928/RFC1929 such that pluggable transports can be written.
+
+Notable incompatibilities/limitations:
+ * GSSAPI authentication is not supported.
+ * BND.ADDR/BND.PORT in responses is always "0.0.0.0:0" instead of the
+   bound address/port of the outgoing socket.
+ * RFC1929 Username/Password authentication is setup exclusively for
+   pluggable transport arguments.
+ * The BIND and UDP ASSOCIATE commands are not supported.
+---
+ pt.go         |   5 +-
+ socks.go      | 386 +++++++++++++++++++++++++++++++++++++-------
+ socks_test.go | 510 +++++++++++++++++++++++++++++++++++++++++-----------------
+ 3 files changed, 685 insertions(+), 216 deletions(-)
+
+diff --git a/pt.go b/pt.go
+index 62dfc38..47f8273 100644
+--- a/pt.go
++++ b/pt.go
+@@ -119,10 +119,11 @@
+ // Extended ORPort Authentication:
+ // https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/217-ext-orport-auth.txt.
+ //
+-// The package implements a SOCKS4a server sufficient for a Tor client transport
++// The package implements a SOCKS5 server sufficient for a Tor client transport
+ // plugin.
+ //
+-// http://ftp.icm.edu.pl/packages/socks/socks4/SOCKS4.protocol
++// https://www.ietf.org/rfc/rfc1928.txt
++// https://www.ietf.org/rfc/rfc1929.txt
+ package pt
+ 
+ import (
+diff --git a/socks.go b/socks.go
+index 6ad6542..e4488e8 100644
+--- a/socks.go
++++ b/socks.go
+@@ -9,11 +9,40 @@ import (
+ )
+ 
+ const (
+-	socksVersion         = 0x04
+-	socksCmdConnect      = 0x01
+-	socksResponseVersion = 0x00
+-	socksRequestGranted  = 0x5a
+-	socksRequestRejected = 0x5b
++	socksVersion = 0x05
++
++	socksAuthNoneRequired        = 0x00
++	socksAuthUsernamePassword    = 0x02
++	socksAuthNoAcceptableMethods = 0xff
++
++	socksCmdConnect = 0x01
++	socksRsv        = 0x00
++
++	socksAtypeV4         = 0x01
++	socksAtypeDomainName = 0x03
++	socksAtypeV6         = 0x04
++
++	socksAuthRFC1929Ver     = 0x01
++	socksAuthRFC1929Success = 0x00
++	socksAuthRFC1929Fail    = 0x01
++
++	socksRepSucceeded = 0x00
++	// "general SOCKS server failure"
++	SocksRepGeneralFailure = 0x01
++	// "connection not allowed by ruleset"
++	SocksRepConnectionNotAllowed = 0x02
++	// "Network unreachable"
++	SocksRepNetworkUnreachable = 0x03
++	// "Host unreachable"
++	SocksRepHostUnreachable = 0x04
++	// "Connection refused"
++	SocksRepConnectionRefused = 0x05
++	// "TTL expired"
++	SocksRepTTLExpired = 0x06
++	// "Command not supported"
++	SocksRepCommandNotSupported = 0x07
++	// "Address type not supported"
++	SocksRepAddressNotSupported = 0x08
+ )
+ 
+ // Put a sanity timeout on how long we wait for a SOCKS request.
+@@ -25,6 +54,8 @@ type SocksRequest struct {
+ 	Target string
+ 	// The userid string sent by the client.
+ 	Username string
++	// The password string sent by the client.
++	Password string
+ 	// The parsed contents of Username as a key–value mapping.
+ 	Args Args
+ }
+@@ -36,15 +67,23 @@ type SocksConn struct {
+ }
+ 
+ // Send a message to the proxy client that access to the given address is
+-// granted. If the IP field inside addr is not an IPv4 address, the IP portion
+-// of the response will be four zero bytes.
++// granted. Addr is ignored, and "0.0.0.0:0" is always sent back for
++// BND.ADDR/BND.PORT in the SOCKS response.
+ func (conn *SocksConn) Grant(addr *net.TCPAddr) error {
+-	return sendSocks4aResponseGranted(conn, addr)
++	return sendSocks5ResponseGranted(conn)
+ }
+ 
+-// Send a message to the proxy client that access was rejected or failed.
++// Send a message to the proxy client that access was rejected or failed.  This
++// sends back a "General Failure" error code.  RejectReason should be used if
++// more specific error reporting is desired.
+ func (conn *SocksConn) Reject() error {
+-	return sendSocks4aResponseRejected(conn)
++	return conn.RejectReason(SocksRepGeneralFailure)
++}
++
++// Send a message to the proxy client that access was rejected, with the
++// specific error code indicating the reason behind the rejection.
++func (conn *SocksConn) RejectReason(reason byte) error {
++	return sendSocks5ResponseRejected(conn, reason)
+ }
+ 
+ // SocksListener wraps a net.Listener in order to read a SOCKS request on Accept.
+@@ -138,7 +177,7 @@ func (ln *SocksListener) AcceptSocks() (*SocksConn, error) {
+ 	if err != nil {
+ 		return nil, err
+ 	}
+-	conn.Req, err = readSocks4aConnect(conn)
++	conn.Req, err = socks5Handshake(conn)
+ 	if err != nil {
+ 		conn.Close()
+ 		return nil, err
+@@ -150,58 +189,251 @@ func (ln *SocksListener) AcceptSocks() (*SocksConn, error) {
+ 	return conn, nil
+ }
+ 
+-// Returns "socks4", suitable to be included in a call to Cmethod.
++// Returns "socks5", suitable to be included in a call to Cmethod.
+ func (ln *SocksListener) Version() string {
+-	return "socks4"
++	return "socks5"
+ }
+ 
+-// Read a SOCKS4a connect request. Returns a SocksRequest.
+-func readSocks4aConnect(s io.Reader) (req SocksRequest, err error) {
+-	r := bufio.NewReader(s)
++// socks5handshake conducts the SOCKS5 handshake up to the point where the
++// client command is read and the proxy must open the outgoing connection.
++// Returns a SocksRequest.
++func socks5Handshake(s io.ReadWriter) (req SocksRequest, err error) {
++	rw := bufio.NewReadWriter(bufio.NewReader(s), bufio.NewWriter(s))
+ 
+-	var h [8]byte
+-	_, err = io.ReadFull(r, h[:])
+-	if err != nil {
++	// Negotiate the authentication method.
++	var method byte
++	if method, err = socksNegotiateAuth(rw); err != nil {
+ 		return
+ 	}
+-	if h[0] != socksVersion {
+-		err = fmt.Errorf("SOCKS header had version 0x%02x, not 0x%02x", h[0], socksVersion)
++
++	// Authenticate the client.
++	if err = socksAuthenticate(rw, method, &req); err != nil {
+ 		return
+ 	}
+-	if h[1] != socksCmdConnect {
+-		err = fmt.Errorf("SOCKS header had command 0x%02x, not 0x%02x", h[1], socksCmdConnect)
++
++	// Read the command.
++	err = socksReadCommand(rw, &req)
++	return
++}
++
++// socksNegotiateAuth negotiates the authentication method and returns the
++// selected method as a byte.  On negotiation failures an error is returned.
++func socksNegotiateAuth(rw *bufio.ReadWriter) (method byte, err error) {
++	// Validate the version.
++	if err = socksReadByteVerify(rw, "version", socksVersion); err != nil {
+ 		return
+ 	}
+ 
+-	var usernameBytes []byte
+-	usernameBytes, err = r.ReadBytes('\x00')
+-	if err != nil {
++	// Read the number of methods.
++	var nmethods byte
++	if nmethods, err = socksReadByte(rw); err != nil {
+ 		return
+ 	}
+-	req.Username = string(usernameBytes[:len(usernameBytes)-1])
+ 
+-	req.Args, err = parseClientParameters(req.Username)
+-	if err != nil {
++	// Read the methods.
++	var methods []byte
++	if methods, err = socksReadBytes(rw, int(nmethods)); err != nil {
+ 		return
+ 	}
+ 
+-	var port int
+-	var host string
++	// Pick the most "suitable" method.
++	method = socksAuthNoAcceptableMethods
++	for _, m := range methods {
++		switch m {
++		case socksAuthNoneRequired:
++			// Pick Username/Password over None if the client happens to
++			// send both.
++			if method == socksAuthNoAcceptableMethods {
++				method = m
++			}
++
++		case socksAuthUsernamePassword:
++			method = m
++		}
++	}
++
++	// Send the negotiated method.
++	var msg [2]byte
++	msg[0] = socksVersion
++	msg[1] = method
++	if _, err = rw.Writer.Write(msg[:]); err != nil {
++		return
++	}
++
++	if err = socksFlushBuffers(rw); err != nil {
++		return
++	}
++	return
++}
++
++// socksAuthenticate authenticates the client via the chosen authentication
++// mechanism.
++func socksAuthenticate(rw *bufio.ReadWriter, method byte, req *SocksRequest) (err error) {
++	switch method {
++	case socksAuthNoneRequired:
++		// Straight into reading the connect.
+ 
+-	port = int(h[2])<<8 | int(h[3])<<0
+-	if h[4] == 0 && h[5] == 0 && h[6] == 0 && h[7] != 0 {
+-		var hostBytes []byte
+-		hostBytes, err = r.ReadBytes('\x00')
+-		if err != nil {
++	case socksAuthUsernamePassword:
++		if err = socksAuthRFC1929(rw, req); err != nil {
+ 			return
+ 		}
+-		host = string(hostBytes[:len(hostBytes)-1])
++
++	case socksAuthNoAcceptableMethods:
++		err = fmt.Errorf("SOCKS method select had no compatible methods")
++		return
++
++	default:
++		err = fmt.Errorf("SOCKS method select picked a unsupported method 0x%02x", method)
++		return
++	}
++
++	if err = socksFlushBuffers(rw); err != nil {
++		return
++	}
++	return
++}
++
++// socksAuthRFC1929 authenticates the client via RFC 1929 username/password
++// auth.  As a design decision any valid username/password is accepted as this
++// field is primarily used as an out-of-band argument passing mechanism for
++// pluggable transports.
++func socksAuthRFC1929(rw *bufio.ReadWriter, req *SocksRequest) (err error) {
++	sendErrResp := func() {
++		// Swallow the write/flush error here, we are going to close the
++		// connection and the original failure is more useful.
++		resp := []byte{socksAuthRFC1929Ver, socksAuthRFC1929Fail}
++		rw.Write(resp[:])
++		socksFlushBuffers(rw)
++	}
++
++	// Validate the fixed parts of the command message.
++	if err = socksReadByteVerify(rw, "auth version", socksAuthRFC1929Ver); err != nil {
++		sendErrResp()
++		return
++	}
++
++	// Read the username.
++	var ulen byte
++	if ulen, err = socksReadByte(rw); err != nil {
++		return
++	}
++	if ulen < 1 {
++		sendErrResp()
++		err = fmt.Errorf("RFC1929 username with 0 length")
++		return
++	}
++	var uname []byte
++	if uname, err = socksReadBytes(rw, int(ulen)); err != nil {
++		return
++	}
++	req.Username = string(uname)
++
++	// Read the password.
++	var plen byte
++	if plen, err = socksReadByte(rw); err != nil {
++		return
++	}
++	if plen < 1 {
++		sendErrResp()
++		err = fmt.Errorf("RFC1929 password with 0 length")
++		return
++	}
++	var passwd []byte
++	if passwd, err = socksReadBytes(rw, int(plen)); err != nil {
++		return
++	}
++	if !(plen == 1 && passwd[0] == 0x00) {
++		// tor will set the password to 'NUL' if there are no arguments.
++		req.Password = string(passwd)
++	}
++
++	// Mash the username/password together and parse it as a pluggable
++	// transport argument string.
++	if req.Args, err = parseClientParameters(req.Username + req.Password); err != nil {
++		sendErrResp()
+ 	} else {
+-		host = net.IPv4(h[4], h[5], h[6], h[7]).String()
++		resp := []byte{socksAuthRFC1929Ver, socksAuthRFC1929Success}
++		_, err = rw.Write(resp[:])
++	}
++	return
++}
++
++// socksReadCommand reads a SOCKS5 client command and parses out the relevant
++// fields into a SocksRequest.  Only CMD_CONNECT is supported.
++func socksReadCommand(rw *bufio.ReadWriter, req *SocksRequest) (err error) {
++	sendErrResp := func(reason byte) {
++		// Swallow errors that occur when writing/flushing the response,
++		// connection will be closed anyway.
++		sendSocks5ResponseRejected(rw, reason)
++		socksFlushBuffers(rw)
++	}
++
++	// Validate the fixed parts of the command message.
++	if err = socksReadByteVerify(rw, "version", socksVersion); err != nil {
++		sendErrResp(SocksRepGeneralFailure)
++		return
++	}
++	if err = socksReadByteVerify(rw, "command", socksCmdConnect); err != nil {
++		sendErrResp(SocksRepCommandNotSupported)
++		return
++	}
++	if err = socksReadByteVerify(rw, "reserved", socksRsv); err != nil {
++		sendErrResp(SocksRepGeneralFailure)
++		return
++	}
++
++	// Read the destination address/port.
++	// XXX: This should probably eventually send socks 5 error messages instead
++	// of rudely closing connections on invalid addresses.
++	var atype byte
++	if atype, err = socksReadByte(rw); err != nil {
++		return
++	}
++	var host string
++	switch atype {
++	case socksAtypeV4:
++		var addr []byte
++		if addr, err = socksReadBytes(rw, net.IPv4len); err != nil {
++			return
++		}
++		host = net.IPv4(addr[0], addr[1], addr[2], addr[3]).String()
++
++	case socksAtypeDomainName:
++		var alen byte
++		if alen, err = socksReadByte(rw); err != nil {
++			return
++		}
++		if alen == 0 {
++			err = fmt.Errorf("SOCKS request had domain name with 0 length")
++			return
++		}
++		var addr []byte
++		if addr, err = socksReadBytes(rw, int(alen)); err != nil {
++			return
++		}
++		host = string(addr)
++
++	case socksAtypeV6:
++		var rawAddr []byte
++		if rawAddr, err = socksReadBytes(rw, net.IPv6len); err != nil {
++			return
++		}
++		addr := make(net.IP, net.IPv6len)
++		copy(addr[:], rawAddr[:])
++		host = fmt.Sprintf("[%s]", addr.String())
++
++	default:
++		sendErrResp(SocksRepAddressNotSupported)
++		err = fmt.Errorf("SOCKS request had unsupported address type 0x%02x", atype)
++		return
+ 	}
++	var rawPort []byte
++	if rawPort, err = socksReadBytes(rw, 2); err != nil {
++		return
++	}
++	port := int(rawPort[0])<<8 | int(rawPort[1])<<0
+ 
+-	if r.Buffered() != 0 {
+-		err = fmt.Errorf("%d bytes left after SOCKS header", r.Buffered())
++	if err = socksFlushBuffers(rw); err != nil {
+ 		return
+ 	}
+ 
+@@ -209,34 +441,64 @@ func readSocks4aConnect(s io.Reader) (req SocksRequest, err error) {
+ 	return
+ }
+ 
+-// Send a SOCKS4a response with the given code and address. If the IP field
+-// inside addr is not an IPv4 address, the IP portion of the response will be
+-// four zero bytes.
+-func sendSocks4aResponse(w io.Writer, code byte, addr *net.TCPAddr) error {
+-	var resp [8]byte
+-	resp[0] = socksResponseVersion
++// Send a SOCKS5 response with the given code. BND.ADDR/BND.PORT is always the
++// IPv4 address/port "0.0.0.0:0".
++func sendSocks5Response(w io.Writer, code byte) error {
++	resp := make([]byte, 4+4+2)
++	resp[0] = socksVersion
+ 	resp[1] = code
+-	resp[2] = byte((addr.Port >> 8) & 0xff)
+-	resp[3] = byte((addr.Port >> 0) & 0xff)
+-	ipv4 := addr.IP.To4()
+-	if ipv4 != nil {
+-		resp[4] = ipv4[0]
+-		resp[5] = ipv4[1]
+-		resp[6] = ipv4[2]
+-		resp[7] = ipv4[3]
+-	}
++	resp[2] = socksRsv
++	resp[3] = socksAtypeV4
++
++	// BND.ADDR/BND.PORT should be the address and port that the outgoing
++	// connection is bound to on the proxy, but Tor does not use this
++	// information, so all zeroes are sent.
++
+ 	_, err := w.Write(resp[:])
+ 	return err
+ }
+ 
+-var emptyAddr = net.TCPAddr{IP: net.IPv4(0, 0, 0, 0), Port: 0}
++// Send a SOCKS5 response code 0x00.
++func sendSocks5ResponseGranted(w io.Writer) error {
++	return sendSocks5Response(w, socksRepSucceeded)
++}
+ 
+-// Send a SOCKS4a response code 0x5a.
+-func sendSocks4aResponseGranted(w io.Writer, addr *net.TCPAddr) error {
+-	return sendSocks4aResponse(w, socksRequestGranted, addr)
++// Send a SOCKS5 response with the provided failure reason.
++func sendSocks5ResponseRejected(w io.Writer, reason byte) error {
++	return sendSocks5Response(w, reason)
+ }
+ 
+-// Send a SOCKS4a response code 0x5b (with an all-zero address).
+-func sendSocks4aResponseRejected(w io.Writer) error {
+-	return sendSocks4aResponse(w, socksRequestRejected, &emptyAddr)
++func socksFlushBuffers(rw *bufio.ReadWriter) error {
++	if err := rw.Writer.Flush(); err != nil {
++		return err
++	}
++	if rw.Reader.Buffered() > 0 {
++		return fmt.Errorf("%d bytes left after SOCKS message", rw.Reader.Buffered())
++	}
++	return nil
++}
++
++func socksReadByte(rw *bufio.ReadWriter) (byte, error) {
++	return rw.Reader.ReadByte()
++}
++
++func socksReadBytes(rw *bufio.ReadWriter, n int) ([]byte, error) {
++	ret := make([]byte, n)
++	if _, err := io.ReadFull(rw.Reader, ret); err != nil {
++		return nil, err
++	}
++	return ret, nil
+ }
++
++func socksReadByteVerify(rw *bufio.ReadWriter, descr string, expected byte) error {
++	val, err := socksReadByte(rw)
++	if err != nil {
++		return err
++	}
++	if val != expected {
++		return fmt.Errorf("SOCKS message field %s was 0x%02x, not 0x%02x", descr, val, expected)
++	}
++	return nil
++}
++
++var _ net.Listener = (*SocksListener)(nil)
+diff --git a/socks_test.go b/socks_test.go
+index 18d141a..aa27d4c 100644
+--- a/socks_test.go
++++ b/socks_test.go
+@@ -1,162 +1,368 @@
+ package pt
+ 
+ import (
++	"bufio"
+ 	"bytes"
++	"encoding/hex"
++	"io"
+ 	"net"
+ 	"testing"
+ )
+ 
+-func TestReadSocks4aConnect(t *testing.T) {
+-	badTests := [...][]byte{
+-		[]byte(""),
+-		// missing userid
+-		[]byte("\x04\x01\x12\x34\x01\x02\x03\x04"),
+-		// missing \x00 after userid
+-		[]byte("\x04\x01\x12\x34\x01\x02\x03\x04key=value"),
+-		// missing hostname
+-		[]byte("\x04\x01\x12\x34\x00\x00\x00\x01key=value\x00"),
+-		// missing \x00 after hostname
+-		[]byte("\x04\x01\x12\x34\x00\x00\x00\x01key=value\x00hostname"),
+-		// bad name–value mapping
+-		[]byte("\x04\x01\x12\x34\x00\x00\x00\x01userid\x00hostname\x00"),
+-		// bad version number
+-		[]byte("\x03\x01\x12\x34\x01\x02\x03\x04\x00"),
+-		// BIND request
+-		[]byte("\x04\x02\x12\x34\x01\x02\x03\x04\x00"),
+-		// SOCKS5
+-		[]byte("\x05\x01\x00"),
+-	}
+-	ipTests := [...]struct {
+-		input  []byte
+-		addr   net.TCPAddr
+-		userid string
+-	}{
+-		{
+-			[]byte("\x04\x01\x12\x34\x01\x02\x03\x04key=value\x00"),
+-			net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 0x1234},
+-			"key=value",
+-		},
+-		{
+-			[]byte("\x04\x01\x12\x34\x01\x02\x03\x04\x00"),
+-			net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 0x1234},
+-			"",
+-		},
+-	}
+-	hostnameTests := [...]struct {
+-		input  []byte
+-		target string
+-		userid string
+-	}{
+-		{
+-			[]byte("\x04\x01\x12\x34\x00\x00\x00\x01key=value\x00hostname\x00"),
+-			"hostname:4660",
+-			"key=value",
+-		},
+-		{
+-			[]byte("\x04\x01\x12\x34\x00\x00\x00\x01\x00hostname\x00"),
+-			"hostname:4660",
+-			"",
+-		},
+-		{
+-			[]byte("\x04\x01\x12\x34\x00\x00\x00\x01key=value\x00\x00"),
+-			":4660",
+-			"key=value",
+-		},
+-		{
+-			[]byte("\x04\x01\x12\x34\x00\x00\x00\x01\x00\x00"),
+-			":4660",
+-			"",
+-		},
+-	}
+-
+-	for _, input := range badTests {
+-		var buf bytes.Buffer
+-		buf.Write(input)
+-		_, err := readSocks4aConnect(&buf)
+-		if err == nil {
+-			t.Errorf("%q unexpectedly succeeded", input)
+-		}
+-	}
+-
+-	for _, test := range ipTests {
+-		var buf bytes.Buffer
+-		buf.Write(test.input)
+-		req, err := readSocks4aConnect(&buf)
+-		if err != nil {
+-			t.Errorf("%q unexpectedly returned an error: %s", test.input, err)
+-		}
+-		addr, err := net.ResolveTCPAddr("tcp", req.Target)
+-		if err != nil {
+-			t.Errorf("%q → target %q: cannot resolve: %s", test.input,
+-				req.Target, err)
+-		}
+-		if !tcpAddrsEqual(addr, &test.addr) {
+-			t.Errorf("%q → address %s (expected %s)", test.input,
+-				req.Target, test.addr.String())
+-		}
+-		if req.Username != test.userid {
+-			t.Errorf("%q → username %q (expected %q)", test.input,
+-				req.Username, test.userid)
+-		}
+-		if req.Args == nil {
+-			t.Errorf("%q → unexpected nil Args from username %q", test.input, req.Username)
+-		}
+-	}
+-
+-	for _, test := range hostnameTests {
+-		var buf bytes.Buffer
+-		buf.Write(test.input)
+-		req, err := readSocks4aConnect(&buf)
+-		if err != nil {
+-			t.Errorf("%q unexpectedly returned an error: %s", test.input, err)
+-		}
+-		if req.Target != test.target {
+-			t.Errorf("%q → target %q (expected %q)", test.input,
+-				req.Target, test.target)
+-		}
+-		if req.Username != test.userid {
+-			t.Errorf("%q → username %q (expected %q)", test.input,
+-				req.Username, test.userid)
+-		}
+-		if req.Args == nil {
+-			t.Errorf("%q → unexpected nil Args from username %q", test.input, req.Username)
+-		}
+-	}
+-}
+-
+-func TestSendSocks4aResponse(t *testing.T) {
+-	tests := [...]struct {
+-		code     byte
+-		addr     net.TCPAddr
+-		expected []byte
+-	}{
+-		{
+-			socksRequestGranted,
+-			net.TCPAddr{IP: net.ParseIP("1.2.3.4"), Port: 0x1234},
+-			[]byte("\x00\x5a\x12\x34\x01\x02\x03\x04"),
+-		},
+-		{
+-			socksRequestRejected,
+-			net.TCPAddr{IP: net.ParseIP("1:2::3:4"), Port: 0x1234},
+-			[]byte("\x00\x5b\x12\x34\x00\x00\x00\x00"),
+-		},
+-	}
+-
+-	for _, test := range tests {
+-		var buf bytes.Buffer
+-		err := sendSocks4aResponse(&buf, test.code, &test.addr)
+-		if err != nil {
+-			t.Errorf("0x%02x %s unexpectedly returned an error: %s", test.code, &test.addr, err)
+-		}
+-		p := make([]byte, 1024)
+-		n, err := buf.Read(p)
+-		if err != nil {
+-			t.Fatal(err)
+-		}
+-		output := p[:n]
+-		if !bytes.Equal(output, test.expected) {
+-			t.Errorf("0x%02x %s → %v (expected %v)",
+-				test.code, &test.addr, output, test.expected)
+-		}
++// testReadWriter is a bytes.Buffer backed io.ReadWriter used for testing.  The
++// Read and Write routines are to be used by the component being tested.  Data
++// can be written to and read back via the writeHex and readHex routines.
++type testReadWriter struct {
++	readBuf  bytes.Buffer
++	writeBuf bytes.Buffer
++}
++
++func (c *testReadWriter) Read(buf []byte) (n int, err error) {
++	return c.readBuf.Read(buf)
++}
++
++func (c *testReadWriter) Write(buf []byte) (n int, err error) {
++	return c.writeBuf.Write(buf)
++}
++
++func (c *testReadWriter) writeHex(str string) (n int, err error) {
++	var buf []byte
++	if buf, err = hex.DecodeString(str); err != nil {
++		return
++	}
++	return c.readBuf.Write(buf)
++}
++
++func (c *testReadWriter) readHex() string {
++	return hex.EncodeToString(c.writeBuf.Bytes())
++}
++
++func (c *testReadWriter) toBufio() *bufio.ReadWriter {
++	return bufio.NewReadWriter(bufio.NewReader(c), bufio.NewWriter(c))
++}
++
++func (c *testReadWriter) reset() {
++	c.readBuf.Reset()
++	c.writeBuf.Reset()
++}
++
++// TestAuthInvalidVersion tests auth negotiation with an invalid version.
++func TestAuthInvalidVersion(t *testing.T) {
++	c := new(testReadWriter)
++
++	// VER = 03, NMETHODS = 01, METHODS = [00]
++	c.writeHex("030100")
++	if _, err := socksNegotiateAuth(c.toBufio()); err == nil {
++		t.Error("socksNegotiateAuth(InvalidVersion) succeded")
++	}
++}
++
++// TestAuthInvalidNMethods tests auth negotiaton with no methods.
++func TestAuthInvalidNMethods(t *testing.T) {
++	c := new(testReadWriter)
++	var err error
++	var method byte
++
++	// VER = 05, NMETHODS = 00
++	c.writeHex("0500")
++	if method, err = socksNegotiateAuth(c.toBufio()); err != nil {
++		t.Error("socksNegotiateAuth(No Methods) failed:", err)
++	}
++	if method != socksAuthNoAcceptableMethods {
++		t.Error("socksNegotiateAuth(No Methods) picked unexpected method:", method)
++	}
++	if msg := c.readHex(); msg != "05ff" {
++		t.Error("socksNegotiateAuth(No Methods) invalid response:", msg)
++	}
++}
++
++// TestAuthNoneRequired tests auth negotiaton with NO AUTHENTICATION REQUIRED.
++func TestAuthNoneRequired(t *testing.T) {
++	c := new(testReadWriter)
++	var err error
++	var method byte
++
++	// VER = 05, NMETHODS = 01, METHODS = [00]
++	c.writeHex("050100")
++	if method, err = socksNegotiateAuth(c.toBufio()); err != nil {
++		t.Error("socksNegotiateAuth(None) failed:", err)
++	}
++	if method != socksAuthNoneRequired {
++		t.Error("socksNegotiateAuth(None) unexpected method:", method)
++	}
++	if msg := c.readHex(); msg != "0500" {
++		t.Error("socksNegotiateAuth(None) invalid response:", msg)
++	}
++}
++
++// TestAuthUsernamePassword tests auth negotiation with USERNAME/PASSWORD.
++func TestAuthUsernamePassword(t *testing.T) {
++	c := new(testReadWriter)
++	var err error
++	var method byte
++
++	// VER = 05, NMETHODS = 01, METHODS = [02]
++	c.writeHex("050102")
++	if method, err = socksNegotiateAuth(c.toBufio()); err != nil {
++		t.Error("socksNegotiateAuth(UsernamePassword) failed:", err)
++	}
++	if method != socksAuthUsernamePassword {
++		t.Error("socksNegotiateAuth(UsernamePassword) unexpected method:", method)
++	}
++	if msg := c.readHex(); msg != "0502" {
++		t.Error("socksNegotiateAuth(UsernamePassword) invalid response:", msg)
+ 	}
+ }
++
++// TestAuthBoth tests auth negotiation containing both NO AUTHENTICATION
++// REQUIRED and USERNAME/PASSWORD.
++func TestAuthBoth(t *testing.T) {
++	c := new(testReadWriter)
++	var err error
++	var method byte
++
++	// VER = 05, NMETHODS = 02, METHODS = [00, 02]
++	c.writeHex("05020002")
++	if method, err = socksNegotiateAuth(c.toBufio()); err != nil {
++		t.Error("socksNegotiateAuth(Both) failed:", err)
++	}
++	if method != socksAuthUsernamePassword {
++		t.Error("socksNegotiateAuth(Both) unexpected method:", method)
++	}
++	if msg := c.readHex(); msg != "0502" {
++		t.Error("socksNegotiateAuth(Both) invalid response:", msg)
++	}
++}
++
++// TestAuthUnsupported tests auth negotiation with a unsupported method.
++func TestAuthUnsupported(t *testing.T) {
++	c := new(testReadWriter)
++	var err error
++	var method byte
++
++	// VER = 05, NMETHODS = 01, METHODS = [01] (GSSAPI)
++	c.writeHex("050101")
++	if method, err = socksNegotiateAuth(c.toBufio()); err != nil {
++		t.Error("socksNegotiateAuth(Unknown) failed:", err)
++	}
++	if method != socksAuthNoAcceptableMethods {
++		t.Error("socksNegotiateAuth(Unknown) picked unexpected method:", method)
++	}
++	if msg := c.readHex(); msg != "05ff" {
++		t.Error("socksNegotiateAuth(Unknown) invalid response:", msg)
++	}
++}
++
++// TestAuthUnsupported2 tests auth negotiation with supported and unsupported
++// methods.
++func TestAuthUnsupported2(t *testing.T) {
++	c := new(testReadWriter)
++	var err error
++	var method byte
++
++	// VER = 05, NMETHODS = 03, METHODS = [00,01,02]
++	c.writeHex("0503000102")
++	if method, err = socksNegotiateAuth(c.toBufio()); err != nil {
++		t.Error("socksNegotiateAuth(Unknown2) failed:", err)
++	}
++	if method != socksAuthUsernamePassword {
++		t.Error("socksNegotiateAuth(Unknown2) picked unexpected method:", method)
++	}
++	if msg := c.readHex(); msg != "0502" {
++		t.Error("socksNegotiateAuth(Unknown2) invalid response:", msg)
++	}
++}
++
++// TestRFC1929InvalidVersion tests RFC1929 auth with an invalid version.
++func TestRFC1929InvalidVersion(t *testing.T) {
++	c := new(testReadWriter)
++	var req SocksRequest
++
++	// VER = 03, ULEN = 5, UNAME = "ABCDE", PLEN = 5, PASSWD = "abcde"
++	c.writeHex("03054142434445056162636465")
++	if err := socksAuthenticate(c.toBufio(), socksAuthUsernamePassword, &req); err == nil {
++		t.Error("socksAuthenticate(InvalidVersion) succeded")
++	}
++	if msg := c.readHex(); msg != "0101" {
++		t.Error("socksAuthenticate(InvalidVersion) invalid response:", msg)
++	}
++}
++
++// TestRFC1929InvalidUlen tests RFC1929 auth with an invalid ULEN.
++func TestRFC1929InvalidUlen(t *testing.T) {
++	c := new(testReadWriter)
++	var req SocksRequest
++
++	// VER = 01, ULEN = 0, UNAME = "", PLEN = 5, PASSWD = "abcde"
++	c.writeHex("0100056162636465")
++	if err := socksAuthenticate(c.toBufio(), socksAuthUsernamePassword, &req); err == nil {
++		t.Error("socksAuthenticate(InvalidUlen) succeded")
++	}
++	if msg := c.readHex(); msg != "0101" {
++		t.Error("socksAuthenticate(InvalidUlen) invalid response:", msg)
++	}
++}
++
++// TestRFC1929InvalidPlen tests RFC1929 auth with an invalid PLEN.
++func TestRFC1929InvalidPlen(t *testing.T) {
++	c := new(testReadWriter)
++	var req SocksRequest
++
++	// VER = 01, ULEN = 5, UNAME = "ABCDE", PLEN = 0, PASSWD = ""
++	c.writeHex("0105414243444500")
++	if err := socksAuthenticate(c.toBufio(), socksAuthUsernamePassword, &req); err == nil {
++		t.Error("socksAuthenticate(InvalidPlen) succeded")
++	}
++	if msg := c.readHex(); msg != "0101" {
++		t.Error("socksAuthenticate(InvalidPlen) invalid response:", msg)
++	}
++}
++
++// TestRFC1929InvalidArgs tests RFC1929 auth with invalid pt args.
++func TestRFC1929InvalidPTArgs(t *testing.T) {
++	c := new(testReadWriter)
++	var req SocksRequest
++
++	// VER = 01, ULEN = 5, UNAME = "ABCDE", PLEN = 5, PASSWD = "abcde"
++	c.writeHex("01054142434445056162636465")
++	if err := socksAuthenticate(c.toBufio(), socksAuthUsernamePassword, &req); err == nil {
++		t.Error("socksAuthenticate(InvalidArgs) succeded")
++	}
++	if msg := c.readHex(); msg != "0101" {
++		t.Error("socksAuthenticate(InvalidArgs) invalid response:", msg)
++	}
++}
++
++// TestRFC1929Success tests RFC1929 auth with valid pt args.
++func TestRFC1929Success(t *testing.T) {
++	c := new(testReadWriter)
++	var req SocksRequest
++
++	// VER = 01, ULEN = 9, UNAME = "key=value", PLEN = 1, PASSWD = "\0"
++	c.writeHex("01096b65793d76616c75650100")
++	if err := socksAuthenticate(c.toBufio(), socksAuthUsernamePassword, &req); err != nil {
++		t.Error("socksAuthenticate(Success) failed:", err)
++	}
++	if msg := c.readHex(); msg != "0100" {
++		t.Error("socksAuthenticate(Success) invalid response:", msg)
++	}
++	v, ok := req.Args.Get("key")
++	if v != "value" || !ok {
++		t.Error("RFC1929 k,v parse failure:", v)
++	}
++}
++
++// TestRequestInvalidHdr tests SOCKS5 requests with invalid VER/CMD/RSV/ATYPE
++func TestRequestInvalidHdr(t *testing.T) {
++	c := new(testReadWriter)
++	var req SocksRequest
++
++	// VER = 03, CMD = 01, RSV = 00, ATYPE = 01, DST.ADDR = 127.0.0.1, DST.PORT = 9050
++	c.writeHex("030100017f000001235a")
++	if err := socksReadCommand(c.toBufio(), &req); err == nil {
++		t.Error("socksReadCommand(InvalidVer) succeded")
++	}
++	if msg := c.readHex(); msg != "05010001000000000000" {
++		t.Error("socksReadCommand(InvalidVer) invalid response:", msg)
++	}
++	c.reset()
++
++	// VER = 05, CMD = 05, RSV = 00, ATYPE = 01, DST.ADDR = 127.0.0.1, DST.PORT = 9050
++	c.writeHex("050500017f000001235a")
++	if err := socksReadCommand(c.toBufio(), &req); err == nil {
++		t.Error("socksReadCommand(InvalidCmd) succeded")
++	}
++	if msg := c.readHex(); msg != "05070001000000000000" {
++		t.Error("socksReadCommand(InvalidCmd) invalid response:", msg)
++	}
++	c.reset()
++
++	// VER = 05, CMD = 01, RSV = 30, ATYPE = 01, DST.ADDR = 127.0.0.1, DST.PORT = 9050
++	c.writeHex("050130017f000001235a")
++	if err := socksReadCommand(c.toBufio(), &req); err == nil {
++		t.Error("socksReadCommand(InvalidRsv) succeded")
++	}
++	if msg := c.readHex(); msg != "05010001000000000000" {
++		t.Error("socksReadCommand(InvalidRsv) invalid response:", msg)
++	}
++	c.reset()
++
++	// VER = 05, CMD = 01, RSV = 01, ATYPE = 05, DST.ADDR = 127.0.0.1, DST.PORT = 9050
++	c.writeHex("050100057f000001235a")
++	if err := socksReadCommand(c.toBufio(), &req); err == nil {
++		t.Error("socksReadCommand(InvalidAtype) succeded")
++	}
++	if msg := c.readHex(); msg != "05080001000000000000" {
++		t.Error("socksAuthenticate(InvalidAtype) invalid response:", msg)
++	}
++	c.reset()
++}
++
++// TestRequestIPv4 tests IPv4 SOCKS5 requests.
++func TestRequestIPv4(t *testing.T) {
++	c := new(testReadWriter)
++	var req SocksRequest
++
++	// VER = 05, CMD = 01, RSV = 00, ATYPE = 01, DST.ADDR = 127.0.0.1, DST.PORT = 9050
++	c.writeHex("050100017f000001235a")
++	if err := socksReadCommand(c.toBufio(), &req); err != nil {
++		t.Error("socksReadCommand(IPv4) failed:", err)
++	}
++	addr, err := net.ResolveTCPAddr("tcp", req.Target)
++	if err != nil {
++		t.Error("net.ResolveTCPAddr failed:", err)
++	}
++	if !tcpAddrsEqual(addr, &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 9050}) {
++		t.Error("Unexpected target:", addr)
++	}
++}
++
++// TestRequestIPv6 tests IPv4 SOCKS5 requests.
++func TestRequestIPv6(t *testing.T) {
++	c := new(testReadWriter)
++	var req SocksRequest
++
++	// VER = 05, CMD = 01, RSV = 00, ATYPE = 04, DST.ADDR = 0102:0304:0506:0708:090a:0b0c:0d0e:0f10, DST.PORT = 9050
++	c.writeHex("050100040102030405060708090a0b0c0d0e0f10235a")
++	if err := socksReadCommand(c.toBufio(), &req); err != nil {
++		t.Error("socksReadCommand(IPv6) failed:", err)
++	}
++	addr, err := net.ResolveTCPAddr("tcp", req.Target)
++	if err != nil {
++		t.Error("net.ResolveTCPAddr failed:", err)
++	}
++	if !tcpAddrsEqual(addr, &net.TCPAddr{IP: net.ParseIP("0102:0304:0506:0708:090a:0b0c:0d0e:0f10"), Port: 9050}) {
++		t.Error("Unexpected target:", addr)
++	}
++}
++
++// TestRequestFQDN tests FQDN (DOMAINNAME) SOCKS5 requests.
++func TestRequestFQDN(t *testing.T) {
++	c := new(testReadWriter)
++	var req SocksRequest
++
++	// VER = 05, CMD = 01, RSV = 00, ATYPE = 04, DST.ADDR = example.com, DST.PORT = 9050
++	c.writeHex("050100030b6578616d706c652e636f6d235a")
++	if err := socksReadCommand(c.toBufio(), &req); err != nil {
++		t.Error("socksReadCommand(FQDN) failed:", err)
++	}
++	if req.Target != "example.com:9050" {
++		t.Error("Unexpected target:", req.Target)
++	}
++}
++
++// TestResponseNil tests nil address SOCKS5 responses.
++func TestResponseNil(t *testing.T) {
++	c := new(testReadWriter)
++
++	b := c.toBufio()
++	if err := sendSocks5ResponseGranted(b); err != nil {
++		t.Error("sendSocks5ResponseGranted() failed:", err)
++	}
++	b.Flush()
++	if msg := c.readHex(); msg != "05000001000000000000" {
++		t.Error("sendSocks5ResponseGranted(nil) invalid response:", msg)
++	}
++}
++
++var _ io.ReadWriter = (*testReadWriter)(nil)
+-- 
+2.3.3
+





More information about the tbb-commits mailing list