proxychains-masq 0.1.5

TUN-based proxy chain engine — routes TCP flows through SOCKS4/5, HTTP CONNECT, and HTTPS CONNECT proxy chains via a userspace network stack.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388

use std::sync::{
    atomic::{AtomicU32, Ordering},
    Arc,
};

use tokio::{
    io::{AsyncReadExt, AsyncWriteExt},
    net::{TcpListener, TcpStream},
};
use tokio_rustls::TlsAcceptor;

/// Bind to a random local port, accept one connection, and echo bytes back.
/// Returns the bound port and a hit counter.
pub async fn echo_server() -> (u16, Arc<AtomicU32>) {
    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let port = listener.local_addr().unwrap().port();
    let hits = Arc::new(AtomicU32::new(0));
    let hits2 = hits.clone();
    tokio::spawn(async move {
        loop {
            let (mut stream, _) = listener.accept().await.unwrap();
            hits2.fetch_add(1, Ordering::SeqCst);
            tokio::spawn(async move {
                let mut buf = vec![0u8; 4096];
                loop {
                    let n = stream.read(&mut buf).await.unwrap_or(0);
                    if n == 0 {
                        break;
                    }
                    if stream.write_all(&buf[..n]).await.is_err() {
                        break;
                    }
                }
            });
        }
    });
    (port, hits)
}

/// A minimal SOCKS4/SOCKS4a server. Accepts one connection, forwards to the
/// address specified in the CONNECT request, then relays bidirectionally.
pub async fn socks4_server(hits: Arc<AtomicU32>) -> u16 {
    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let port = listener.local_addr().unwrap().port();
    tokio::spawn(async move {
        loop {
            let (mut client, _) = listener.accept().await.unwrap();
            hits.fetch_add(1, Ordering::SeqCst);
            tokio::spawn(async move {
                // Read SOCKS4 header: VER CMD DSTPORT DSTIP
                let mut hdr = [0u8; 8];
                client.read_exact(&mut hdr).await.unwrap();
                assert_eq!(hdr[0], 4, "SOCKS version");
                assert_eq!(hdr[1], 1, "CONNECT command");
                let port = u16::from_be_bytes([hdr[2], hdr[3]]);
                let ip_bytes = &hdr[4..8];
                // Read null-terminated username
                let mut username = Vec::new();
                loop {
                    let b = client.read_u8().await.unwrap();
                    if b == 0 {
                        break;
                    }
                    username.push(b);
                }
                // SOCKS4a: if IP is 0.0.0.x, read hostname
                let target_addr = if ip_bytes[0] == 0
                    && ip_bytes[1] == 0
                    && ip_bytes[2] == 0
                    && ip_bytes[3] != 0
                {
                    let mut hostname = Vec::new();
                    loop {
                        let b = client.read_u8().await.unwrap();
                        if b == 0 {
                            break;
                        }
                        hostname.push(b);
                    }
                    let hostname = String::from_utf8(hostname).unwrap();
                    format!("{hostname}:{port}")
                } else {
                    let ip =
                        std::net::Ipv4Addr::new(ip_bytes[0], ip_bytes[1], ip_bytes[2], ip_bytes[3]);
                    format!("{ip}:{port}")
                };
                // Send success response
                client.write_all(&[0, 90, 0, 0, 0, 0, 0, 0]).await.unwrap();
                // Connect to target and relay
                let mut upstream = TcpStream::connect(&target_addr).await.unwrap();
                tokio::io::copy_bidirectional(&mut client, &mut upstream)
                    .await
                    .ok();
            });
        }
    });
    port
}

/// A minimal SOCKS5 server. Supports no-auth and user/pass auth.
/// Supports IPv4, IPv6, and domain name CONNECT.
pub async fn socks5_server(
    require_user: Option<(&'static str, &'static str)>,
    hits: Arc<AtomicU32>,
) -> u16 {
    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let port = listener.local_addr().unwrap().port();
    tokio::spawn(async move {
        loop {
            let (mut client, _) = listener.accept().await.unwrap();
            hits.fetch_add(1, Ordering::SeqCst);
            tokio::spawn(async move {
                // Method negotiation
                let ver = client.read_u8().await.unwrap();
                assert_eq!(ver, 5);
                let n_methods = client.read_u8().await.unwrap() as usize;
                let mut methods = vec![0u8; n_methods];
                client.read_exact(&mut methods).await.unwrap();

                if let Some((exp_user, exp_pass)) = require_user {
                    // Require user/pass (method 2)
                    client.write_all(&[5, 2]).await.unwrap();
                    // Sub-negotiation
                    let _ver = client.read_u8().await.unwrap();
                    let ulen = client.read_u8().await.unwrap() as usize;
                    let mut user = vec![0u8; ulen];
                    client.read_exact(&mut user).await.unwrap();
                    let plen = client.read_u8().await.unwrap() as usize;
                    let mut pass = vec![0u8; plen];
                    client.read_exact(&mut pass).await.unwrap();
                    if user == exp_user.as_bytes() && pass == exp_pass.as_bytes() {
                        client.write_all(&[1, 0]).await.unwrap(); // success
                    } else {
                        client.write_all(&[1, 1]).await.unwrap(); // failure
                        return;
                    }
                } else {
                    client.write_all(&[5, 0]).await.unwrap(); // no-auth
                }

                // CONNECT request
                let mut req = [0u8; 4];
                client.read_exact(&mut req).await.unwrap();
                assert_eq!(req[0], 5);
                assert_eq!(req[1], 1); // CONNECT
                let atype = req[3];
                let target = match atype {
                    1 => {
                        let mut ip = [0u8; 4];
                        client.read_exact(&mut ip).await.unwrap();
                        let port_bytes = [
                            client.read_u8().await.unwrap(),
                            client.read_u8().await.unwrap(),
                        ];
                        let port = u16::from_be_bytes(port_bytes);
                        format!("{}:{}", std::net::Ipv4Addr::from(ip), port)
                    }
                    4 => {
                        let mut ip = [0u8; 16];
                        client.read_exact(&mut ip).await.unwrap();
                        let port_bytes = [
                            client.read_u8().await.unwrap(),
                            client.read_u8().await.unwrap(),
                        ];
                        let port = u16::from_be_bytes(port_bytes);
                        format!("[{}]:{}", std::net::Ipv6Addr::from(ip), port)
                    }
                    3 => {
                        let len = client.read_u8().await.unwrap() as usize;
                        let mut host = vec![0u8; len];
                        client.read_exact(&mut host).await.unwrap();
                        let port_bytes = [
                            client.read_u8().await.unwrap(),
                            client.read_u8().await.unwrap(),
                        ];
                        let port = u16::from_be_bytes(port_bytes);
                        format!("{}:{}", String::from_utf8(host).unwrap(), port)
                    }
                    _ => panic!("unknown atype {atype}"),
                };
                // Send success reply
                client
                    .write_all(&[5, 0, 0, 1, 0, 0, 0, 0, 0, 0])
                    .await
                    .unwrap();
                // Relay
                let mut upstream = TcpStream::connect(&target).await.unwrap();
                tokio::io::copy_bidirectional(&mut client, &mut upstream)
                    .await
                    .ok();
            });
        }
    });
    port
}

/// A minimal HTTP CONNECT proxy. Optionally requires Proxy-Authorization Basic.
pub async fn http_connect_server(
    require_auth: Option<(&'static str, &'static str)>,
    hits: Arc<AtomicU32>,
) -> u16 {
    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let port = listener.local_addr().unwrap().port();
    tokio::spawn(async move {
        loop {
            let (mut client, _) = listener.accept().await.unwrap();
            hits.fetch_add(1, Ordering::SeqCst);
            tokio::spawn(async move {
                // Read request line + headers (line-by-line)
                let mut lines: Vec<String> = Vec::new();
                let mut buf = Vec::new();
                let mut b_prev = 0u8;
                loop {
                    let b = client.read_u8().await.unwrap();
                    if b == b'\n' {
                        let line = String::from_utf8(buf.clone()).unwrap();
                        let line = line.trim_end_matches('\r').to_owned();
                        if line.is_empty() {
                            break;
                        }
                        lines.push(line);
                        buf.clear();
                    } else {
                        buf.push(b);
                    }
                    b_prev = b;
                }
                let _ = b_prev;

                // Parse request line: CONNECT host:port HTTP/1.x
                let req_line = lines.first().unwrap();
                let mut parts = req_line.split_whitespace();
                assert_eq!(parts.next().unwrap(), "CONNECT");
                let target = parts.next().unwrap().to_owned();

                // Check auth if required
                if let Some((exp_user, exp_pass)) = require_auth {
                    let expected =
                        format!("Basic {}", base64_encode(&format!("{exp_user}:{exp_pass}")));
                    let auth_header = lines
                        .iter()
                        .find(|l| l.to_ascii_lowercase().starts_with("proxy-authorization:"));
                    let authed = auth_header
                        .map(|h| h.split_once(':').unwrap().1.trim() == expected)
                        .unwrap_or(false);
                    if !authed {
                        client
                            .write_all(b"HTTP/1.0 407 Proxy Authentication Required\r\n\r\n")
                            .await
                            .unwrap();
                        return;
                    }
                }

                client
                    .write_all(b"HTTP/1.0 200 Connection established\r\n\r\n")
                    .await
                    .unwrap();
                let mut upstream = TcpStream::connect(&target).await.unwrap();
                tokio::io::copy_bidirectional(&mut client, &mut upstream)
                    .await
                    .ok();
            });
        }
    });
    port
}

/// A minimal TLS-wrapped HTTP CONNECT proxy for testing HTTPS proxy support.
///
/// Uses a freshly generated self-signed certificate so that the client's
/// insecure `SkipCertVerify` verifier is exercised.  Optionally requires
/// `Proxy-Authorization: Basic` credentials.
pub async fn tls_connect_server(
    require_auth: Option<(&'static str, &'static str)>,
    hits: Arc<AtomicU32>,
) -> u16 {
    use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
    use rustls::ServerConfig;
    use std::sync::Arc as StdArc;

    // Generate a throwaway self-signed cert for this test run.
    let rcgen::CertifiedKey { cert, key_pair } =
        rcgen::generate_simple_self_signed(vec!["localhost".to_string()]).unwrap();
    let cert_der = CertificateDer::from(cert.der().to_vec());
    let key_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialize_der()));

    let server_config = ServerConfig::builder()
        .with_no_client_auth()
        .with_single_cert(vec![cert_der], key_der)
        .unwrap();
    let acceptor = TlsAcceptor::from(StdArc::new(server_config));

    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
    let port = listener.local_addr().unwrap().port();

    tokio::spawn(async move {
        loop {
            let (tcp, _) = listener.accept().await.unwrap();
            hits.fetch_add(1, Ordering::SeqCst);
            let acceptor = acceptor.clone();
            tokio::spawn(async move {
                let mut stream = acceptor.accept(tcp).await.unwrap();

                // Read HTTP CONNECT request line + headers over TLS.
                let mut lines: Vec<String> = Vec::new();
                let mut buf: Vec<u8> = Vec::new();
                loop {
                    let b = stream.read_u8().await.unwrap();
                    if b == b'\n' {
                        let line = String::from_utf8(buf.clone())
                            .unwrap()
                            .trim_end_matches('\r')
                            .to_owned();
                        if line.is_empty() {
                            break;
                        }
                        lines.push(line);
                        buf.clear();
                    } else {
                        buf.push(b);
                    }
                }

                // Parse "CONNECT host:port HTTP/1.x"
                let req_line = lines.first().unwrap();
                let mut parts = req_line.split_whitespace();
                assert_eq!(parts.next().unwrap(), "CONNECT");
                let target = parts.next().unwrap().to_owned();

                // Check auth if required.
                if let Some((exp_user, exp_pass)) = require_auth {
                    let expected =
                        format!("Basic {}", base64_encode(&format!("{exp_user}:{exp_pass}")));
                    let authed = lines.iter().any(|l| {
                        l.to_ascii_lowercase().starts_with("proxy-authorization:")
                            && l.split_once(':')
                                .map(|(_, v)| v.trim() == expected)
                                .unwrap_or(false)
                    });
                    if !authed {
                        stream
                            .write_all(b"HTTP/1.0 407 Proxy Authentication Required\r\n\r\n")
                            .await
                            .unwrap();
                        return;
                    }
                }

                stream
                    .write_all(b"HTTP/1.0 200 Connection established\r\n\r\n")
                    .await
                    .unwrap();
                let mut upstream = TcpStream::connect(&target).await.unwrap();
                tokio::io::copy_bidirectional(&mut stream, &mut upstream)
                    .await
                    .ok();
            });
        }
    });

    port
}

fn base64_encode(s: &str) -> String {
    const CHARS: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let input = s.as_bytes();
    let mut out = String::new();
    for chunk in input.chunks(3) {
        let b0 = chunk[0] as u32;
        let b1 = if chunk.len() > 1 { chunk[1] as u32 } else { 0 };
        let b2 = if chunk.len() > 2 { chunk[2] as u32 } else { 0 };
        let n = (b0 << 16) | (b1 << 8) | b2;
        out.push(CHARS[((n >> 18) & 0x3f) as usize] as char);
        out.push(CHARS[((n >> 12) & 0x3f) as usize] as char);
        out.push(if chunk.len() > 1 {
            CHARS[((n >> 6) & 0x3f) as usize] as char
        } else {
            '='
        });
        out.push(if chunk.len() > 2 {
            CHARS[(n & 0x3f) as usize] as char
        } else {
            '='
        });
    }
    out
}