diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2012-11-05 16:28:09 +0100 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2012-11-05 16:28:09 +0100 |
commit | 8dd0350e1607aa30f7a043c8d5ec7a7eeb874115 (patch) | |
tree | 566d0620eb693320cb121dfd93a5675fa704a30b /src/openvpn/socks.c | |
parent | 349cfa7acb95abe865209a28e417ec74b56f9bba (diff) |
Imported Upstream version 2.3_rc1
Diffstat (limited to 'src/openvpn/socks.c')
-rw-r--r-- | src/openvpn/socks.c | 544 |
1 files changed, 544 insertions, 0 deletions
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c new file mode 100644 index 0000000..235982e --- /dev/null +++ b/src/openvpn/socks.c @@ -0,0 +1,544 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * 2004-01-30: Added Socks5 proxy support, see RFC 1928 + * (Christof Meerwald, http://cmeerw.org) + * + * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929) + * (Pierre Bourdon <delroth@gmail.com>) + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#ifdef ENABLE_SOCKS + +#include "common.h" +#include "misc.h" +#include "win32.h" +#include "socket.h" +#include "fdmisc.h" +#include "misc.h" +#include "proxy.h" + +#include "memdbg.h" + +#define UP_TYPE_SOCKS "SOCKS Proxy" + +void +socks_adjust_frame_parameters (struct frame *frame, int proto) +{ + if (proto == PROTO_UDPv4) + frame_add_to_extra_link (frame, 10); +} + +struct socks_proxy_info * +socks_proxy_new (const char *server, + int port, + const char *authfile, + bool retry) +{ + struct socks_proxy_info *p; + + ALLOC_OBJ_CLEAR (p, struct socks_proxy_info); + + ASSERT (server); + ASSERT (legal_ipv4_port (port)); + + strncpynt (p->server, server, sizeof (p->server)); + p->port = port; + + if (authfile) + strncpynt (p->authfile, authfile, sizeof (p->authfile)); + else + p->authfile[0] = 0; + + p->retry = retry; + p->defined = true; + + return p; +} + +void +socks_proxy_close (struct socks_proxy_info *sp) +{ + free (sp); +} + +static bool +socks_username_password_auth (struct socks_proxy_info *p, + socket_descriptor_t sd, + volatile int *signal_received) +{ + char to_send[516]; + char buf[2]; + int len = 0; + const int timeout_sec = 5; + struct user_pass creds; + ssize_t size; + + creds.defined = 0; + get_user_pass (&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT); + + if( !creds.username || (strlen(creds.username) > 255) + || !creds.password || (strlen(creds.password) > 255) ) { + msg (M_NONFATAL, + "SOCKS username and/or password exceeds 255 characters. " + "Authentication not possible."); + return false; + } + openvpn_snprintf (to_send, sizeof (to_send), "\x01%c%s%c%s", (int) strlen(creds.username), + creds.username, (int) strlen(creds.password), creds.password); + size = send (sd, to_send, strlen(to_send), MSG_NOSIGNAL); + + if (size != strlen (to_send)) + { + msg (D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port write failed on send()"); + return false; + } + + while (len < 2) + { + int status; + ssize_t size; + fd_set reads; + struct timeval tv; + char c; + + FD_ZERO (&reads); + FD_SET (sd, &reads); + tv.tv_sec = timeout_sec; + tv.tv_usec = 0; + + status = select (sd + 1, &reads, NULL, NULL, &tv); + + get_signal (signal_received); + if (*signal_received) + return false; + + /* timeout? */ + if (status == 0) + { + msg (D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read timeout expired"); + return false; + } + + /* error */ + if (status < 0) + { + msg (D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on select()"); + return false; + } + + /* read single char */ + size = recv(sd, &c, 1, MSG_NOSIGNAL); + + /* error? */ + if (size != 1) + { + msg (D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on recv()"); + return false; + } + + /* store char in buffer */ + buf[len++] = c; + } + + /* VER = 5, SUCCESS = 0 --> auth success */ + if (buf[0] != 5 && buf[1] != 0) + { + msg (D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication"); + return false; + } + + return true; +} + +static bool +socks_handshake (struct socks_proxy_info *p, + socket_descriptor_t sd, + volatile int *signal_received) +{ + char buf[2]; + int len = 0; + const int timeout_sec = 5; + + /* VER = 5, NMETHODS = 2, METHODS = [0 (no auth), 2 (plain login)] */ + const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL); + if (size != 4) + { + msg (D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port write failed on send()"); + return false; + } + + while (len < 2) + { + int status; + ssize_t size; + fd_set reads; + struct timeval tv; + char c; + + FD_ZERO (&reads); + FD_SET (sd, &reads); + tv.tv_sec = timeout_sec; + tv.tv_usec = 0; + + status = select (sd + 1, &reads, NULL, NULL, &tv); + + get_signal (signal_received); + if (*signal_received) + return false; + + /* timeout? */ + if (status == 0) + { + msg (D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read timeout expired"); + return false; + } + + /* error */ + if (status < 0) + { + msg (D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on select()"); + return false; + } + + /* read single char */ + size = recv(sd, &c, 1, MSG_NOSIGNAL); + + /* error? */ + if (size != 1) + { + msg (D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on recv()"); + return false; + } + + /* store char in buffer */ + buf[len++] = c; + } + + /* VER == 5 */ + if (buf[0] != '\x05') + { + msg (D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status"); + return false; + } + + /* select the appropriate authentication method */ + switch (buf[1]) + { + case 0: /* no authentication */ + break; + + case 2: /* login/password */ + if (!p->authfile[0]) + { + msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were " + "not provided any credentials"); + return false; + } + + if (!socks_username_password_auth(p, sd, signal_received)) + return false; + + break; + + default: /* unknown auth method */ + msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method"); + return false; + } + + return true; +} + +static bool +recv_socks_reply (socket_descriptor_t sd, + struct openvpn_sockaddr *addr, + volatile int *signal_received) +{ + char atyp = '\0'; + int alen = 0; + int len = 0; + char buf[22]; + const int timeout_sec = 5; + + if (addr != NULL) + { + addr->addr.in4.sin_family = AF_INET; + addr->addr.in4.sin_addr.s_addr = htonl (INADDR_ANY); + addr->addr.in4.sin_port = htons (0); + } + + while (len < 4 + alen + 2) + { + int status; + ssize_t size; + fd_set reads; + struct timeval tv; + char c; + + FD_ZERO (&reads); + FD_SET (sd, &reads); + tv.tv_sec = timeout_sec; + tv.tv_usec = 0; + + status = select (sd + 1, &reads, NULL, NULL, &tv); + + get_signal (signal_received); + if (*signal_received) + return false; + + /* timeout? */ + if (status == 0) + { + msg (D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read timeout expired"); + return false; + } + + /* error */ + if (status < 0) + { + msg (D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on select()"); + return false; + } + + /* read single char */ + size = recv(sd, &c, 1, MSG_NOSIGNAL); + + /* error? */ + if (size != 1) + { + msg (D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on recv()"); + return false; + } + + if (len == 3) + atyp = c; + + if (len == 4) + { + switch (atyp) + { + case '\x01': /* IP V4 */ + alen = 4; + break; + + case '\x03': /* DOMAINNAME */ + alen = (unsigned char) c; + break; + + case '\x04': /* IP V6 */ + alen = 16; + break; + + default: + msg (D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad address type"); + return false; + } + } + + /* store char in buffer */ + if (len < (int)sizeof(buf)) + buf[len] = c; + ++len; + } + + /* VER == 5 && REP == 0 (succeeded) */ + if (buf[0] != '\x05' || buf[1] != '\x00') + { + msg (D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad reply"); + return false; + } + + /* ATYP == 1 (IP V4 address) */ + if (atyp == '\x01' && addr != NULL) + { + memcpy (&addr->addr.in4.sin_addr, buf + 4, sizeof (addr->addr.in4.sin_addr)); + memcpy (&addr->addr.in4.sin_port, buf + 8, sizeof (addr->addr.in4.sin_port)); + } + + + return true; +} + +void +establish_socks_proxy_passthru (struct socks_proxy_info *p, + socket_descriptor_t sd, /* already open to proxy */ + const char *host, /* openvpn server remote */ + const int port, /* openvpn server port */ + volatile int *signal_received) +{ + char buf[128]; + size_t len; + + if (!socks_handshake (p, sd, signal_received)) + goto error; + + /* format Socks CONNECT message */ + buf[0] = '\x05'; /* VER = 5 */ + buf[1] = '\x01'; /* CMD = 1 (CONNECT) */ + buf[2] = '\x00'; /* RSV */ + buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */ + + len = strlen(host); + len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len; + + buf[4] = (char) len; + memcpy(buf + 5, host, len); + + buf[5 + len] = (char) (port >> 8); + buf[5 + len + 1] = (char) (port & 0xff); + + { + const ssize_t size = send (sd, buf, 5 + len + 2, MSG_NOSIGNAL); + if ((int)size != 5 + (int)len + 2) + { + msg (D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()"); + goto error; + } + } + + /* receive reply from Socks proxy and discard */ + if (!recv_socks_reply (sd, NULL, signal_received)) + goto error; + + return; + + error: + /* on error, should we exit or restart? */ + if (!*signal_received) + *signal_received = (p->retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- socks error */ + return; +} + +void +establish_socks_proxy_udpassoc (struct socks_proxy_info *p, + socket_descriptor_t ctrl_sd, /* already open to proxy */ + socket_descriptor_t udp_sd, + struct openvpn_sockaddr *relay_addr, + volatile int *signal_received) +{ + if (!socks_handshake (p, ctrl_sd, signal_received)) + goto error; + + { + /* send Socks UDP ASSOCIATE message */ + /* VER = 5, CMD = 3 (UDP ASSOCIATE), RSV = 0, ATYP = 1 (IP V4), + BND.ADDR = 0, BND.PORT = 0 */ + const ssize_t size = send (ctrl_sd, + "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00", + 10, MSG_NOSIGNAL); + if (size != 10) + { + msg (D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()"); + goto error; + } + } + + /* receive reply from Socks proxy */ + CLEAR (*relay_addr); + if (!recv_socks_reply (ctrl_sd, relay_addr, signal_received)) + goto error; + + return; + + error: + /* on error, should we exit or restart? */ + if (!*signal_received) + *signal_received = (p->retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- socks error */ + return; +} + +/* + * Remove the 10 byte socks5 header from an incoming + * UDP packet, setting *from to the source address. + * + * Run after UDP read. + */ +void +socks_process_incoming_udp (struct buffer *buf, + struct link_socket_actual *from) +{ + int atyp; + + if (BLEN (buf) < 10) + goto error; + + buf_read_u16 (buf); + if (buf_read_u8 (buf) != 0) + goto error; + + atyp = buf_read_u8 (buf); + if (atyp != 1) /* ATYP == 1 (IP V4) */ + goto error; + + buf_read (buf, &from->dest.addr.in4.sin_addr, sizeof (from->dest.addr.in4.sin_addr)); + buf_read (buf, &from->dest.addr.in4.sin_port, sizeof (from->dest.addr.in4.sin_port)); + + return; + + error: + buf->len = 0; +} + +/* + * Add a 10 byte socks header prior to UDP write. + * *to is the destination address. + * + * Run before UDP write. + * Returns the size of the header. + */ +int +socks_process_outgoing_udp (struct buffer *buf, + const struct link_socket_actual *to) +{ + /* + * Get a 10 byte subset buffer prepended to buf -- + * we expect these bytes will be here because + * we allocated frame space in socks_adjust_frame_parameters. + */ + struct buffer head = buf_sub (buf, 10, true); + + /* crash if not enough headroom in buf */ + ASSERT (buf_defined (&head)); + + buf_write_u16 (&head, 0); /* RSV = 0 */ + buf_write_u8 (&head, 0); /* FRAG = 0 */ + buf_write_u8 (&head, '\x01'); /* ATYP = 1 (IP V4) */ + buf_write (&head, &to->dest.addr.in4.sin_addr, sizeof (to->dest.addr.in4.sin_addr)); + buf_write (&head, &to->dest.addr.in4.sin_port, sizeof (to->dest.addr.in4.sin_port)); + + return 10; +} + +#else +static void dummy(void) {} +#endif /* ENABLE_SOCKS */ |