-
-
Notifications
You must be signed in to change notification settings - Fork 15.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Socks5 Compatible with multiple authentication methods #14036
base: 4.1
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The DefaultSocks5PasswordAuthRequest/Response are only concerned with password auth, not other auth types.
I don't think this is going in the right direction for adding support for other auth modes.
if (version != 1) { | ||
throw new DecoderException("unsupported subnegotiation version: " + version + " (expected: 1)"); | ||
} | ||
Socks5AuthMethod authMethod = Socks5AuthMethod.valueOf(version); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
version
is not an auth mode tag
@@ -75,7 +75,7 @@ private static void encodeAuthMethodResponse(Socks5InitialResponse msg, ByteBuf | |||
} | |||
|
|||
private static void encodePasswordAuthResponse(Socks5PasswordAuthResponse msg, ByteBuf out) { | |||
out.writeByte(0x01); | |||
out.writeByte(msg.authMethod().byteValue()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, version is always 1
The SOCKS5 protocol does not specify messages format for other authentication methods, so it is an unpredictable variation. Removing the restriction of the authentication method being set to 1 allows for better scalability and reuse. We have a requirement that newly connected customer accounts and passwords need to be encrypted instead of using plaintext, but it also needs to be compatible with the plaintext of old customers. Therefore, there will be two different authentication methods, but the decoding and encoding behaviors are consistent. |
SOCKS5 encoder and decoder are both limited to only performing username password authentication. Such a design obviously violates the SRP. Whether authentication methods are supported should be handled by the application layer rather than the encoding layer. Besides, when we implement other authentication methods, we have to rewrite these decoders and encoders.