fix(network): introduce Socks5 proxy connection

The Arti project does not have an official MSRV, and the dependency list has
a number of failed security audits caught by the CI job in this repository.
The legacy Tor client is sufficient for desktop and some mobile users, and
no developers have expressed interest in using Arti directly. A simple Socks5
proxy that connects to a Tor daemon allows for Tor connections without an
explicit dependency that causes MSRV conflicts, security audits, and lib-sqlite
version conflicts.

Author: rustaceanrob

README.md

@@ -101,8 +101,6 @@ async fn main() {
 
 The `kyoto` core library with default features supports an MSRV of Rust 1.63.
 
-While connections over the Tor protocol are supported by the feature `tor`, the dependencies required cannot support the MSRV. As such, no MSRV guarantees will be made when using Tor, and the feature should be considered experimental.
-
 ## Integration Testing
 
 The preferred workflow is by using `just`. If you do not have `just` installed, check out the [installation page](https://just.systems/man/en/chapter_4.html).

src/lib.rs

@@ -76,8 +76,6 @@
 //! `database`: use the default `rusqlite` database implementations. Default and recommend feature.
 //!
 //! `filter-control`: check filters and request blocks directly. Recommended for silent payments or strict chain ordering implementations.
-//!
-//! `tor` *No MSRV guarantees*: connect to nodes over the Tor network.
 
 #![warn(missing_docs)]
 pub mod chain;

src/network/error.rs

@@ -29,7 +29,7 @@ impl_sourceless_error!(PeerReadError);
 
 // TODO: (@leonardo) Should the error variants wrap inner errors for richer information ?
 #[derive(Debug)]
-pub enum PeerError {
+pub(crate) enum PeerError {
     ConnectionFailed,
     MessageEncryption,
     MessageSerialization,
@@ -39,6 +39,7 @@ pub enum PeerError {
     DisconnectCommand,
     Reader,
     UnreachableSocketAddr,
+    Socks5(Socks5Error),
 }
 
 impl core::fmt::Display for PeerError {
@@ -68,12 +69,50 @@ impl core::fmt::Display for PeerError {
             PeerError::MessageEncryption => {
                 write!(f, "encrypting a serialized message failed.")
             }
+            PeerError::Socks5(err) => {
+                write!(f, "could not connect via Socks5 proxy: {err}")
+            }
         }
     }
 }
 
 impl_sourceless_error!(PeerError);
 
+#[derive(Debug, Clone)]
+pub(crate) enum Socks5Error {
+    WrongVersion,
+    AuthRequired,
+    ConnectionTimeout,
+    ConnectionFailed,
+    IO,
+}
+
+impl core::fmt::Display for Socks5Error {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        match self {
+            Socks5Error::WrongVersion => write!(f, "server responded with an unsupported version."),
+            Socks5Error::AuthRequired => write!(f, "server requires authentication."),
+            Socks5Error::ConnectionTimeout => write!(f, "connection to server timed out."),
+            Socks5Error::ConnectionFailed => write!(
+                f,
+                "the server could not connect to the requested destination."
+            ),
+            Socks5Error::IO => write!(
+                f,
+                "reading or writing to the TCP stream failed unexpectedly."
+            ),
+        }
+    }
+}
+
+impl_sourceless_error!(Socks5Error);
+
+impl From<std::io::Error> for Socks5Error {
+    fn from(_value: std::io::Error) -> Self {
+        Socks5Error::IO
+    }
+}
+
 #[derive(Debug)]
 pub(crate) enum DnsBootstrapError {
     NotEnoughPeersError,

src/network/mod.rs

@@ -8,6 +8,7 @@ use bitcoin::{
     io::Read,
     p2p::{address::AddrV2, message::CommandString, Magic},
 };
+use socks::create_socks5;
 use tokio::{
     io::{AsyncRead, AsyncWrite},
     net::TcpStream,
@@ -32,6 +33,7 @@ pub(crate) mod traits;
 pub const PROTOCOL_VERSION: u32 = 70016;
 pub const KYOTO_VERSION: &str = "0.8.0";
 pub const RUST_BITCOIN_VERSION: &str = "0.32.4";
+
 const THIRTY_MINS: u64 = 60 * 30;
 const CONNECTION_TIMEOUT: u64 = 2;
 
@@ -124,18 +126,28 @@ impl ConnectionType {
             AddrV2::Ipv6(ip) => IpAddr::V6(ip),
             _ => return Err(PeerError::UnreachableSocketAddr),
         };
-        let timeout = tokio::time::timeout(
-            Duration::from_secs(CONNECTION_TIMEOUT),
-            TcpStream::connect((socket_addr, port)),
-        )
-        .await
-        .map_err(|_| PeerError::ConnectionFailed)?;
-        match timeout {
-            Ok(stream) => {
-                let (reader, writer) = stream.into_split();
+        match &self {
+            Self::ClearNet => {
+                let timeout = tokio::time::timeout(
+                    Duration::from_secs(CONNECTION_TIMEOUT),
+                    TcpStream::connect((socket_addr, port)),
+                )
+                .await
+                .map_err(|_| PeerError::ConnectionFailed)?;
+                let tcp_stream = timeout.map_err(|_| PeerError::ConnectionFailed)?;
+                let (reader, writer) = tcp_stream.into_split();
                 Ok((Box::new(reader), Box::new(writer)))
             }
-            Err(_) => Err(PeerError::ConnectionFailed),
+            Self::Socks5Proxy(proxy) => {
+                let socks5_timeout = tokio::time::timeout(
+                    Duration::from_secs(CONNECTION_TIMEOUT),
+                    create_socks5(*proxy, socket_addr, port),
+                )
+                .await
+                .map_err(|_| PeerError::ConnectionFailed)?;
+                let (reader, writer) = socks5_timeout.map_err(PeerError::Socks5)?;
+                Ok((reader, writer))
+            }
         }
     }
 }

src/network/socks.rs

@@ -1 +1,94 @@
+// Partial implementation of RFC 1928, Socks5 protocol
+// ref: https://datatracker.ietf.org/doc/html/rfc1928#section-1
 
+use std::{
+    net::{IpAddr, SocketAddr},
+    time::Duration,
+};
+
+use tokio::{
+    io::{AsyncReadExt, AsyncWriteExt},
+    net::TcpStream,
+};
+
+use crate::network::{StreamReader, StreamWriter};
+
+use super::error::Socks5Error;
+
+const CONNECTION_TIMEOUT: u64 = 2;
+const VERSION: u8 = 5;
+const NOAUTH: u8 = 0;
+const METHODS: u8 = 1;
+const CMD_CONNECT: u8 = 1;
+const RESPONSE_SUCCESS: u8 = 0;
+const RSV: u8 = 0;
+const ADDR_TYPE_IPV4: u8 = 1;
+const ADDR_TYPE_IPV6: u8 = 4;
+
+pub(crate) async fn create_socks5(
+    proxy: SocketAddr,
+    ip_addr: IpAddr,
+    port: u16,
+) -> Result<(StreamReader, StreamWriter), Socks5Error> {
+    // Connect to the proxy, likely a local Tor daemon.
+    let timeout = tokio::time::timeout(
+        Duration::from_secs(CONNECTION_TIMEOUT),
+        TcpStream::connect(proxy),
+    )
+    .await
+    .map_err(|_| Socks5Error::ConnectionTimeout)?;
+    // Format the destination IP address and port according to the Socks5 spec
+    let dest_ip_bytes = match ip_addr {
+        IpAddr::V4(ipv4) => ipv4.octets().to_vec(),
+        IpAddr::V6(ipv6) => ipv6.octets().to_vec(),
+    };
+    let dest_port_bytes = port.to_be_bytes();
+    let ip_type_byte = match ip_addr {
+        IpAddr::V4(_) => ADDR_TYPE_IPV4,
+        IpAddr::V6(_) => ADDR_TYPE_IPV6,
+    };
+    // Begin the handshake by requesting a connection to the proxy.
+    let mut tcp_stream = timeout.map_err(|_| Socks5Error::ConnectionFailed)?;
+    tcp_stream.write_all(&[VERSION, METHODS, NOAUTH]).await?;
+    // Read the response from the proxy
+    let mut buf = [0_u8; 2];
+    tcp_stream.read_exact(&mut buf).await?;
+    if buf[0] != VERSION {
+        return Err(Socks5Error::WrongVersion);
+    }
+    if buf[1] != NOAUTH {
+        return Err(Socks5Error::AuthRequired);
+    }
+    // Write the request to the proxy to connect to our destination
+    tcp_stream
+        .write_all(&[VERSION, CMD_CONNECT, RSV, ip_type_byte])
+        .await?;
+    tcp_stream.write_all(&dest_ip_bytes).await?;
+    tcp_stream.write_all(&dest_port_bytes).await?;
+    // First 4 bytes of the response: version, success/failure, reserved byte, ip type
+    let mut buf = [0_u8; 4];
+    tcp_stream.read_exact(&mut buf).await?;
+    if buf[0] != VERSION {
+        return Err(Socks5Error::WrongVersion);
+    }
+    if buf[1] != RESPONSE_SUCCESS {
+        return Err(Socks5Error::ConnectionFailed);
+    }
+    // Read off the destination of our request
+    match buf[3] {
+        ADDR_TYPE_IPV4 => {
+            // Read the IPv4 address and additonal two bytes for the port
+            let mut buf = [0_u8; 6];
+            tcp_stream.read_exact(&mut buf).await?;
+        }
+        ADDR_TYPE_IPV6 => {
+            // Read the IPv6 address and additonal two bytes for the port
+            let mut buf = [0_u8; 18];
+            tcp_stream.read_exact(&mut buf).await?;
+        }
+        _ => return Err(Socks5Error::ConnectionFailed),
+    }
+    // Proxy handshake is complete, the TCP reader/writer can be returned
+    let (reader, writer) = tcp_stream.into_split();
+    Ok((Box::new(reader), Box::new(writer)))
+}