1 /** 2 * All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); 3 * you may not use this file except in compliance with the License. 4 * You may obtain a copy of the License at 5 * 6 * http://www.apache.org/licenses/LICENSE-2.0 7 * 8 * Unless required by applicable law or agreed to in writing, software 9 * distributed under the License is distributed on an "AS IS" BASIS, 10 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 * See the License for the specific language governing permissions and 12 * limitations under the License. 13 */ 14 package org.jivesoftware.smackx.bytestreams.socks5; 15 16 import java.io.DataInputStream; 17 import java.io.DataOutputStream; 18 import java.io.IOException; 19 import java.net.InetAddress; 20 import java.net.ServerSocket; 21 import java.net.Socket; 22 import java.net.SocketException; 23 import java.net.UnknownHostException; 24 import java.util.ArrayList; 25 import java.util.Collections; 26 import java.util.LinkedHashSet; 27 import java.util.LinkedList; 28 import java.util.List; 29 import java.util.Map; 30 import java.util.Set; 31 import java.util.concurrent.ConcurrentHashMap; 32 33 import org.jivesoftware.smack.SmackConfiguration; 34 import org.jivesoftware.smack.XMPPException; 35 36 /** 37 * The Socks5Proxy class represents a local SOCKS5 proxy server. It can be enabled/disabled by 38 * setting the <code>localSocks5ProxyEnabled</code> flag in the <code>smack-config.xml</code> or by 39 * invoking {@link SmackConfiguration#setLocalSocks5ProxyEnabled(boolean)}. The proxy is enabled by 40 * default. 41 * <p> 42 * The port of the local SOCKS5 proxy can be configured by setting <code>localSocks5ProxyPort</code> 43 * in the <code>smack-config.xml</code> or by invoking 44 * {@link SmackConfiguration#setLocalSocks5ProxyPort(int)}. Default port is 7777. If you set the 45 * port to a negative value Smack tries to the absolute value and all following until it finds an 46 * open port. 47 * <p> 48 * If your application is running on a machine with multiple network interfaces or if you want to 49 * provide your public address in case you are behind a NAT router, invoke 50 * {@link #addLocalAddress(String)} or {@link #replaceLocalAddresses(List)} to modify the list of 51 * local network addresses used for outgoing SOCKS5 Bytestream requests. 52 * <p> 53 * The local SOCKS5 proxy server refuses all connections except the ones that are explicitly allowed 54 * in the process of establishing a SOCKS5 Bytestream ( 55 * {@link Socks5BytestreamManager#establishSession(String)}). 56 * <p> 57 * This Implementation has the following limitations: 58 * <ul> 59 * <li>only supports the no-authentication authentication method</li> 60 * <li>only supports the <code>connect</code> command and will not answer correctly to other 61 * commands</li> 62 * <li>only supports requests with the domain address type and will not correctly answer to requests 63 * with other address types</li> 64 * </ul> 65 * (see <a href="http://tools.ietf.org/html/rfc1928">RFC 1928</a>) 66 * 67 * @author Henning Staib 68 */ 69 public class Socks5Proxy { 70 71 /* SOCKS5 proxy singleton */ 72 private static Socks5Proxy socks5Server; 73 74 /* reusable implementation of a SOCKS5 proxy server process */ 75 private Socks5ServerProcess serverProcess; 76 77 /* thread running the SOCKS5 server process */ 78 private Thread serverThread; 79 80 /* server socket to accept SOCKS5 connections */ 81 private ServerSocket serverSocket; 82 83 /* assigns a connection to a digest */ 84 private final Map<String, Socket> connectionMap = new ConcurrentHashMap<String, Socket>(); 85 86 /* list of digests connections should be stored */ 87 private final List<String> allowedConnections = Collections.synchronizedList(new LinkedList<String>()); 88 89 private final Set<String> localAddresses = Collections.synchronizedSet(new LinkedHashSet<String>()); 90 91 /** 92 * Private constructor. 93 */ 94 private Socks5Proxy() { 95 this.serverProcess = new Socks5ServerProcess(); 96 97 // add default local address 98 try { 99 this.localAddresses.add(InetAddress.getLocalHost().getHostAddress()); 100 } 101 catch (UnknownHostException e) { 102 // do nothing 103 } 104 105 } 106 107 /** 108 * Returns the local SOCKS5 proxy server. 109 * 110 * @return the local SOCKS5 proxy server 111 */ 112 public static synchronized Socks5Proxy getSocks5Proxy() { 113 if (socks5Server == null) { 114 socks5Server = new Socks5Proxy(); 115 } 116 if (SmackConfiguration.isLocalSocks5ProxyEnabled()) { 117 socks5Server.start(); 118 } 119 return socks5Server; 120 } 121 122 /** 123 * Starts the local SOCKS5 proxy server. If it is already running, this method does nothing. 124 */ 125 public synchronized void start() { 126 if (isRunning()) { 127 return; 128 } 129 try { 130 if (SmackConfiguration.getLocalSocks5ProxyPort() < 0) { 131 int port = Math.abs(SmackConfiguration.getLocalSocks5ProxyPort()); 132 for (int i = 0; i < 65535 - port; i++) { 133 try { 134 this.serverSocket = new ServerSocket(port + i); 135 break; 136 } 137 catch (IOException e) { 138 // port is used, try next one 139 } 140 } 141 } 142 else { 143 this.serverSocket = new ServerSocket(SmackConfiguration.getLocalSocks5ProxyPort()); 144 } 145 146 if (this.serverSocket != null) { 147 this.serverThread = new Thread(this.serverProcess); 148 this.serverThread.start(); 149 } 150 } 151 catch (IOException e) { 152 // couldn't setup server 153 System.err.println("couldn't setup local SOCKS5 proxy on port " 154 + SmackConfiguration.getLocalSocks5ProxyPort() + ": " + e.getMessage()); 155 } 156 } 157 158 /** 159 * Stops the local SOCKS5 proxy server. If it is not running this method does nothing. 160 */ 161 public synchronized void stop() { 162 if (!isRunning()) { 163 return; 164 } 165 166 try { 167 this.serverSocket.close(); 168 } 169 catch (IOException e) { 170 // do nothing 171 } 172 173 if (this.serverThread != null && this.serverThread.isAlive()) { 174 try { 175 this.serverThread.interrupt(); 176 this.serverThread.join(); 177 } 178 catch (InterruptedException e) { 179 // do nothing 180 } 181 } 182 this.serverThread = null; 183 this.serverSocket = null; 184 185 } 186 187 /** 188 * Adds the given address to the list of local network addresses. 189 * <p> 190 * Use this method if you want to provide multiple addresses in a SOCKS5 Bytestream request. 191 * This may be necessary if your application is running on a machine with multiple network 192 * interfaces or if you want to provide your public address in case you are behind a NAT router. 193 * <p> 194 * The order of the addresses used is determined by the order you add addresses. 195 * <p> 196 * Note that the list of addresses initially contains the address returned by 197 * <code>InetAddress.getLocalHost().getHostAddress()</code>. You can replace the list of 198 * addresses by invoking {@link #replaceLocalAddresses(List)}. 199 * 200 * @param address the local network address to add 201 */ 202 public void addLocalAddress(String address) { 203 if (address == null) { 204 throw new IllegalArgumentException("address may not be null"); 205 } 206 this.localAddresses.add(address); 207 } 208 209 /** 210 * Removes the given address from the list of local network addresses. This address will then no 211 * longer be used of outgoing SOCKS5 Bytestream requests. 212 * 213 * @param address the local network address to remove 214 */ 215 public void removeLocalAddress(String address) { 216 this.localAddresses.remove(address); 217 } 218 219 /** 220 * Returns an unmodifiable list of the local network addresses that will be used for streamhost 221 * candidates of outgoing SOCKS5 Bytestream requests. 222 * 223 * @return unmodifiable list of the local network addresses 224 */ 225 public List<String> getLocalAddresses() { 226 return Collections.unmodifiableList(new ArrayList<String>(this.localAddresses)); 227 } 228 229 /** 230 * Replaces the list of local network addresses. 231 * <p> 232 * Use this method if you want to provide multiple addresses in a SOCKS5 Bytestream request and 233 * want to define their order. This may be necessary if your application is running on a machine 234 * with multiple network interfaces or if you want to provide your public address in case you 235 * are behind a NAT router. 236 * 237 * @param addresses the new list of local network addresses 238 */ 239 public void replaceLocalAddresses(List<String> addresses) { 240 if (addresses == null) { 241 throw new IllegalArgumentException("list must not be null"); 242 } 243 this.localAddresses.clear(); 244 this.localAddresses.addAll(addresses); 245 246 } 247 248 /** 249 * Returns the port of the local SOCKS5 proxy server. If it is not running -1 will be returned. 250 * 251 * @return the port of the local SOCKS5 proxy server or -1 if proxy is not running 252 */ 253 public int getPort() { 254 if (!isRunning()) { 255 return -1; 256 } 257 return this.serverSocket.getLocalPort(); 258 } 259 260 /** 261 * Returns the socket for the given digest. A socket will be returned if the given digest has 262 * been in the list of allowed transfers (see {@link #addTransfer(String)}) while the peer 263 * connected to the SOCKS5 proxy. 264 * 265 * @param digest identifying the connection 266 * @return socket or null if there is no socket for the given digest 267 */ 268 protected Socket getSocket(String digest) { 269 return this.connectionMap.get(digest); 270 } 271 272 /** 273 * Add the given digest to the list of allowed transfers. Only connections for allowed transfers 274 * are stored and can be retrieved by invoking {@link #getSocket(String)}. All connections to 275 * the local SOCKS5 proxy that don't contain an allowed digest are discarded. 276 * 277 * @param digest to be added to the list of allowed transfers 278 */ 279 protected void addTransfer(String digest) { 280 this.allowedConnections.add(digest); 281 } 282 283 /** 284 * Removes the given digest from the list of allowed transfers. After invoking this method 285 * already stored connections with the given digest will be removed. 286 * <p> 287 * The digest should be removed after establishing the SOCKS5 Bytestream is finished, an error 288 * occurred while establishing the connection or if the connection is not allowed anymore. 289 * 290 * @param digest to be removed from the list of allowed transfers 291 */ 292 protected void removeTransfer(String digest) { 293 this.allowedConnections.remove(digest); 294 this.connectionMap.remove(digest); 295 } 296 297 /** 298 * Returns <code>true</code> if the local SOCKS5 proxy server is running, otherwise 299 * <code>false</code>. 300 * 301 * @return <code>true</code> if the local SOCKS5 proxy server is running, otherwise 302 * <code>false</code> 303 */ 304 public boolean isRunning() { 305 return this.serverSocket != null; 306 } 307 308 /** 309 * Implementation of a simplified SOCKS5 proxy server. 310 */ 311 private class Socks5ServerProcess implements Runnable { 312 313 public void run() { 314 while (true) { 315 Socket socket = null; 316 317 try { 318 319 if (Socks5Proxy.this.serverSocket.isClosed() 320 || Thread.currentThread().isInterrupted()) { 321 return; 322 } 323 324 // accept connection 325 socket = Socks5Proxy.this.serverSocket.accept(); 326 327 // initialize connection 328 establishConnection(socket); 329 330 } 331 catch (SocketException e) { 332 /* 333 * do nothing, if caused by closing the server socket, thread will terminate in 334 * next loop 335 */ 336 } 337 catch (Exception e) { 338 try { 339 if (socket != null) { 340 socket.close(); 341 } 342 } 343 catch (IOException e1) { 344 /* do nothing */ 345 } 346 } 347 } 348 349 } 350 351 /** 352 * Negotiates a SOCKS5 connection and stores it on success. 353 * 354 * @param socket connection to the client 355 * @throws XMPPException if client requests a connection in an unsupported way 356 * @throws IOException if a network error occurred 357 */ 358 private void establishConnection(Socket socket) throws XMPPException, IOException { 359 DataOutputStream out = new DataOutputStream(socket.getOutputStream()); 360 DataInputStream in = new DataInputStream(socket.getInputStream()); 361 362 // first byte is version should be 5 363 int b = in.read(); 364 if (b != 5) { 365 throw new XMPPException("Only SOCKS5 supported"); 366 } 367 368 // second byte number of authentication methods supported 369 b = in.read(); 370 371 // read list of supported authentication methods 372 byte[] auth = new byte[b]; 373 in.readFully(auth); 374 375 byte[] authMethodSelectionResponse = new byte[2]; 376 authMethodSelectionResponse[0] = (byte) 0x05; // protocol version 377 378 // only authentication method 0, no authentication, supported 379 boolean noAuthMethodFound = false; 380 for (int i = 0; i < auth.length; i++) { 381 if (auth[i] == (byte) 0x00) { 382 noAuthMethodFound = true; 383 break; 384 } 385 } 386 387 if (!noAuthMethodFound) { 388 authMethodSelectionResponse[1] = (byte) 0xFF; // no acceptable methods 389 out.write(authMethodSelectionResponse); 390 out.flush(); 391 throw new XMPPException("Authentication method not supported"); 392 } 393 394 authMethodSelectionResponse[1] = (byte) 0x00; // no-authentication method 395 out.write(authMethodSelectionResponse); 396 out.flush(); 397 398 // receive connection request 399 byte[] connectionRequest = Socks5Utils.receiveSocks5Message(in); 400 401 // extract digest 402 String responseDigest = new String(connectionRequest, 5, connectionRequest[4]); 403 404 // return error if digest is not allowed 405 if (!Socks5Proxy.this.allowedConnections.contains(responseDigest)) { 406 connectionRequest[1] = (byte) 0x05; // set return status to 5 (connection refused) 407 out.write(connectionRequest); 408 out.flush(); 409 410 throw new XMPPException("Connection is not allowed"); 411 } 412 413 connectionRequest[1] = (byte) 0x00; // set return status to 0 (success) 414 out.write(connectionRequest); 415 out.flush(); 416 417 // store connection 418 Socks5Proxy.this.connectionMap.put(responseDigest, socket); 419 } 420 421 } 422 423 } 424
