netty
diff --git a/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/DefaultSocks5PrivateAuthRequest.java‎
Lines changed: 66 additions & 0 deletions b/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/DefaultSocks5PrivateAuthRequest.java‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/DefaultSocks5PrivateAuthResponse.java‎
Lines changed: 66 additions & 0 deletions b/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/DefaultSocks5PrivateAuthResponse.java‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5AuthMethod.java‎
Lines changed: 17 additions & 0 deletions b/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5AuthMethod.java‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5ClientEncoder.java‎
Lines changed: 9 additions & 0 deletions b/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5ClientEncoder.java‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5PrivateAuthRequest.java‎
Lines changed: 40 additions & 0 deletions b/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5PrivateAuthRequest.java‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5PrivateAuthRequestDecoder.java‎
Lines changed: 94 additions & 0 deletions b/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5PrivateAuthRequestDecoder.java‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5PrivateAuthResponse.java‎
Lines changed: 36 additions & 0 deletions b/‎codec-socks/src/main/java/io/netty/handler/codec/socksx/v5/Socks5PrivateAuthResponse.java‎
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.socksx.v5;
+
+import io.netty.handler.codec.DecoderResult;
+import io.netty.util.internal.ObjectUtil;
+import io.netty.util.internal.StringUtil;
+
+/**
+ * The default {@link Socks5PrivateAuthRequest} implementation.
+ * <p>
+ * For custom private authentication protocols, you should implement the {@link Socks5PrivateAuthRequest}
+ * interface directly. Custom protocols should also implement their own encoder/decoder to handle the wire format.
+ * </p>
+ */
+public final class DefaultSocks5PrivateAuthRequest extends AbstractSocks5Message
+    implements Socks5PrivateAuthRequest {
+
+    /**
+     * The private authentication token.
+     */
+    private final byte[] privateToken;
+
+    /**
+     * Creates a new instance with the specified token.
+     *
+     * @param privateAuthToken the private authentication token
+     */
+    public DefaultSocks5PrivateAuthRequest(final byte[] privateAuthToken) {
+        this.privateToken = ObjectUtil.checkNotNull(privateAuthToken, "privateToken").clone();
+    }
+
+    @Override
+    public byte[] privateToken() {
+        return privateToken.clone();
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder buf = new StringBuilder(StringUtil.simpleClassName(this));
+
+        DecoderResult decoderResult = decoderResult();
+        if (!decoderResult.isSuccess()) {
+            buf.append("(decoderResult: ");
+            buf.append(decoderResult);
+            buf.append(", privateToken: ****)");
+        } else {
+            buf.append("(privateToken: ****)");
+        }
+
+        return buf.toString();
+    }
+}
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.socksx.v5;
+
+import io.netty.handler.codec.DecoderResult;
+import io.netty.util.internal.ObjectUtil;
+import io.netty.util.internal.StringUtil;
+
+/**
+ * The default {@link Socks5PrivateAuthResponse} implementation.
+ */
+public final class DefaultSocks5PrivateAuthResponse extends AbstractSocks5Message
+    implements Socks5PrivateAuthResponse {
+
+    /**
+     * The authentication status.
+     */
+    private final Socks5PrivateAuthStatus status;
+
+    /**
+     * Creates a new instance with the specified status.
+     *
+     * @param authStatus the authentication status
+     */
+    public DefaultSocks5PrivateAuthResponse(final Socks5PrivateAuthStatus authStatus) {
+        this.status = ObjectUtil.checkNotNull(authStatus, "authStatus");
+    }
+
+    @Override
+    public Socks5PrivateAuthStatus status() {
+        return status;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder buf = new StringBuilder(StringUtil.simpleClassName(this));
+
+        DecoderResult decoderResult = decoderResult();
+        if (!decoderResult.isSuccess()) {
+            buf.append("(decoderResult: ");
+            buf.append(decoderResult);
+            buf.append(", status: ");
+            buf.append(status);
+            buf.append(')');
+        } else {
+            buf.append("(status: ");
+            buf.append(status);
+            buf.append(')');
+        }
+
+        return buf.toString();
+    }
+}
@@ -32,6 +32,18 @@ public class Socks5AuthMethod implements Comparable<Socks5AuthMethod> {
      */
     public static final Socks5AuthMethod UNACCEPTED = new Socks5AuthMethod(0xff, "UNACCEPTED");
 
+    /**
+     * Returns whether the authentication method code is in the private methods range (0x80-0xFE)
+     * as defined by <a href="https://www.ietf.org/rfc/rfc1928.txt">RFC 1928 section 3</a>.
+     *
+     * @param b The authentication method code
+     * @return true if the code is in the private methods range
+     */
+    public static boolean isPrivateMethod(byte b) {
+        int ubyte = b & 0xFF;
+        return ubyte >= 0x80 && ubyte <= 0xFE;
+    }
+
     public static Socks5AuthMethod valueOf(byte b) {
         switch (b) {
         case 0x00:
@@ -44,6 +56,11 @@ public static Socks5AuthMethod valueOf(byte b) {
             return UNACCEPTED;
         }
 
+        // Handle all private methods (0x80-0xFE)
+        if (isPrivateMethod(b)) {
+            return new Socks5AuthMethod(b, "PRIVATE_" + (b & 0xFF));
+        }
+
         return new Socks5AuthMethod(b);
     }
 
 
@@ -66,6 +66,8 @@ protected void encode(ChannelHandlerContext ctx, Socks5Message msg, ByteBuf out)
             encodeAuthMethodRequest((Socks5InitialRequest) msg, out);
         } else if (msg instanceof Socks5PasswordAuthRequest) {
             encodePasswordAuthRequest((Socks5PasswordAuthRequest) msg, out);
+        } else if (msg instanceof Socks5PrivateAuthRequest) {
+            encodePrivateAuthRequest((Socks5PrivateAuthRequest) msg, out);
         } else if (msg instanceof Socks5CommandRequest) {
             encodeCommandRequest((Socks5CommandRequest) msg, out);
         } else {
@@ -103,6 +105,13 @@ private static void encodePasswordAuthRequest(Socks5PasswordAuthRequest msg, Byt
         ByteBufUtil.writeAscii(out, password);
     }
 
+    private static void encodePrivateAuthRequest(Socks5PrivateAuthRequest msg, ByteBuf out) {
+        byte[] bytes = msg.privateToken();
+        out.writeByte(0x01);
+        out.writeByte(bytes.length);
+        out.writeBytes(bytes);
+    }
+
     private void encodeCommandRequest(Socks5CommandRequest msg, ByteBuf out) throws Exception {
         out.writeByte(msg.version().byteValue());
         out.writeByte(msg.type().byteValue());
 
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.socksx.v5;
+
+/**
+ * A SOCKS5 subnegotiation request for private authentication.
+ * <p>
+ * RFC 1928 reserves method codes 0x80-0xFE for private authentication methods.
+ * This interface provides a base implementation for method 0x80, but can be extended
+ * for other private authentication methods by implementing custom encoders/decoders.
+ * </p>
+ *
+ * @see <a href="https://www.ietf.org/rfc/rfc1928.txt">RFC 1928 Section 3</a>
+ */
+public interface Socks5PrivateAuthRequest extends Socks5Message {
+
+    /**
+     * Returns the private token of this request.
+     * <p>
+     * For custom subnegotiation protocols, this could be extended by adding
+     * additional methods in a subinterface.
+     * </p>
+     *
+     * @return the private authentication token
+     */
+    byte[] privateToken();
+}
@@ -0,0 +1,94 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.socksx.v5;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.codec.DecoderException;
+import io.netty.handler.codec.DecoderResult;
+import io.netty.handler.codec.ByteToMessageDecoder;
+import io.netty.util.internal.EmptyArrays;
+
+import java.util.List;
+
+/**
+ * Decodes a single {@link Socks5PrivateAuthRequest} from the inbound {@link ByteBuf}s.
+ * On successful decode, this decoder will forward the received data to the next handler, so that
+ * other handler can remove or replace this decoder later.
+ */
+public final class Socks5PrivateAuthRequestDecoder extends ByteToMessageDecoder {
+
+    private boolean decoded;
+
+    @Override
+    protected void decode(ChannelHandlerContext ctx, ByteBuf in, List<Object> out) throws Exception {
+        try {
+            if (decoded) {
+                int readableBytes = in.readableBytes();
+                if (readableBytes > 0) {
+                    out.add(in.readRetainedSlice(readableBytes));
+                }
+                return;
+            }
+
+            // Check if we have enough data to decode the message
+            if (in.readableBytes() < 2) {
+                return;
+            }
+
+            final int startOffset = in.readerIndex();
+            final byte version = in.getByte(startOffset);
+            if (version != 1) {
+                throw new DecoderException("unsupported subnegotiation version: " + version + " (expected: 1)");
+            }
+
+            final int tokenLength = in.getUnsignedByte(startOffset + 1);
+
+            // Check if the full message is available
+            if (in.readableBytes() < 2 + tokenLength) {
+                return;
+            }
+
+            // Read the version and token length
+            in.skipBytes(2);
+
+            // Read the token
+            byte[] token = new byte[tokenLength];
+            in.readBytes(token);
+
+            // Add the decoded token to the output list
+            out.add(new DefaultSocks5PrivateAuthRequest(token));
+
+            // Mark as decoded to handle remaining bytes in future calls
+            decoded = true;
+        } catch (Exception e) {
+            fail(out, e);
+        }
+    }
+
+    private void fail(List<Object> out, Exception cause) {
+        if (!(cause instanceof DecoderException)) {
+            cause = new DecoderException(cause);
+        }
+
+        decoded = true;
+
+        Socks5Message m = new
+            DefaultSocks5PrivateAuthRequest(EmptyArrays.EMPTY_BYTES);
+        m.setDecoderResult(DecoderResult.failure(cause));
+        out.add(m);
+    }
+}
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.socksx.v5;
+
+/**
+ * A SOCKS5 subnegotiation response for private authentication.
+ * <p>
+ * This interface corresponds to the response for private authentication methods
+ * in the range 0x80-0xFE as defined in RFC 1928. For custom private authentication
+ * protocols, this interface can be extended with additional methods.
+ * </p>
+ *
+ * @see <a href="https://www.ietf.org/rfc/rfc1928.txt">RFC 1928 Section 3</a>
+ */
+public interface Socks5PrivateAuthResponse extends Socks5Message {
+
+    /**
+     * Returns the status of this response.
+     *
+     * @return the authentication status
+     */
+    Socks5PrivateAuthStatus status();
+}