OpenVPN
socks.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 /*
25  * 2004-01-30: Added Socks5 proxy support, see RFC 1928
26  * (Christof Meerwald, http://cmeerw.org)
27  *
28  * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929)
29  * (Pierre Bourdon <delroth@gmail.com>)
30  */
31 
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #elif defined(_MSC_VER)
35 #include "config-msvc.h"
36 #endif
37 
38 #include "syshead.h"
39 
40 #include "common.h"
41 #include "misc.h"
42 #include "win32.h"
43 #include "socket.h"
44 #include "fdmisc.h"
45 #include "misc.h"
46 #include "proxy.h"
47 
48 #include "memdbg.h"
49 
50 #define UP_TYPE_SOCKS "SOCKS Proxy"
51 
52 void
54 {
55  if (proto == PROTO_UDP)
56  {
57  frame_add_to_extra_link(frame, 10);
58  }
59 }
60 
61 struct socks_proxy_info *
62 socks_proxy_new(const char *server,
63  const char *port,
64  const char *authfile)
65 {
66  struct socks_proxy_info *p;
67 
69 
70  ASSERT(server);
71  ASSERT(port);
72 
73  strncpynt(p->server, server, sizeof(p->server));
74  p->port = port;
75 
76  if (authfile)
77  {
78  strncpynt(p->authfile, authfile, sizeof(p->authfile));
79  }
80  else
81  {
82  p->authfile[0] = 0;
83  }
84 
85  p->defined = true;
86 
87  return p;
88 }
89 
90 void
92 {
93  free(sp);
94 }
95 
96 static bool
99  volatile int *signal_received)
100 {
101  char to_send[516];
102  char buf[2];
103  int len = 0;
104  const int timeout_sec = 5;
105  struct user_pass creds;
106  ssize_t size;
107 
108  creds.defined = 0;
110  {
111  msg(M_NONFATAL, "SOCKS failed to get username/password.");
112  return false;
113  }
114 
115  if ( (strlen(creds.username) > 255) || (strlen(creds.password) > 255) )
116  {
117  msg(M_NONFATAL,
118  "SOCKS username and/or password exceeds 255 characters. "
119  "Authentication not possible.");
120  return false;
121  }
122  openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) strlen(creds.username),
123  creds.username, (int) strlen(creds.password), creds.password);
124  size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);
125 
126  if (size != strlen(to_send))
127  {
128  msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port write failed on send()");
129  return false;
130  }
131 
132  while (len < 2)
133  {
134  int status;
135  ssize_t size;
136  fd_set reads;
137  struct timeval tv;
138  char c;
139 
140  FD_ZERO(&reads);
141  openvpn_fd_set(sd, &reads);
142  tv.tv_sec = timeout_sec;
143  tv.tv_usec = 0;
144 
145  status = select(sd + 1, &reads, NULL, NULL, &tv);
146 
147  get_signal(signal_received);
148  if (*signal_received)
149  {
150  return false;
151  }
152 
153  /* timeout? */
154  if (status == 0)
155  {
156  msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read timeout expired");
157  return false;
158  }
159 
160  /* error */
161  if (status < 0)
162  {
163  msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on select()");
164  return false;
165  }
166 
167  /* read single char */
168  size = recv(sd, &c, 1, MSG_NOSIGNAL);
169 
170  /* error? */
171  if (size != 1)
172  {
173  msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on recv()");
174  return false;
175  }
176 
177  /* store char in buffer */
178  buf[len++] = c;
179  }
180 
181  /* VER = 5, SUCCESS = 0 --> auth success */
182  if (buf[0] != 5 && buf[1] != 0)
183  {
184  msg(D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication");
185  return false;
186  }
187 
188  return true;
189 }
190 
191 static bool
194  volatile int *signal_received)
195 {
196  char buf[2];
197  int len = 0;
198  const int timeout_sec = 5;
199  ssize_t size;
200 
201  /* VER = 5, NMETHODS = 1, METHODS = [0 (no auth)] */
202  char method_sel[3] = { 0x05, 0x01, 0x00 };
203  if (p->authfile[0])
204  {
205  method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
206 
207  }
208  size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL);
209  if (size != sizeof(method_sel))
210  {
211  msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port write failed on send()");
212  return false;
213  }
214 
215  while (len < 2)
216  {
217  int status;
218  ssize_t size;
219  fd_set reads;
220  struct timeval tv;
221  char c;
222 
223  FD_ZERO(&reads);
224  openvpn_fd_set(sd, &reads);
225  tv.tv_sec = timeout_sec;
226  tv.tv_usec = 0;
227 
228  status = select(sd + 1, &reads, NULL, NULL, &tv);
229 
230  get_signal(signal_received);
231  if (*signal_received)
232  {
233  return false;
234  }
235 
236  /* timeout? */
237  if (status == 0)
238  {
239  msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read timeout expired");
240  return false;
241  }
242 
243  /* error */
244  if (status < 0)
245  {
246  msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on select()");
247  return false;
248  }
249 
250  /* read single char */
251  size = recv(sd, &c, 1, MSG_NOSIGNAL);
252 
253  /* error? */
254  if (size != 1)
255  {
256  msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on recv()");
257  return false;
258  }
259 
260  /* store char in buffer */
261  buf[len++] = c;
262  }
263 
264  /* VER == 5 */
265  if (buf[0] != '\x05')
266  {
267  msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status");
268  return false;
269  }
270 
271  /* validate that the auth method returned is the one sent */
272  if (buf[1] != method_sel[2])
273  {
274  msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned unexpected auth");
275  return false;
276  }
277 
278  /* select the appropriate authentication method */
279  switch (buf[1])
280  {
281  case 0: /* no authentication */
282  break;
283 
284  case 2: /* login/password */
285  if (!p->authfile[0])
286  {
287  msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were "
288  "not provided any credentials");
289  return false;
290  }
291 
292  if (!socks_username_password_auth(p, sd, signal_received))
293  {
294  return false;
295  }
296 
297  break;
298 
299  default: /* unknown auth method */
300  msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method");
301  return false;
302  }
303 
304  return true;
305 }
306 
307 static bool
309  struct openvpn_sockaddr *addr,
310  volatile int *signal_received)
311 {
312  char atyp = '\0';
313  int alen = 0;
314  int len = 0;
315  char buf[270]; /* 4 + alen(max 256) + 2 */
316  const int timeout_sec = 5;
317 
318  if (addr != NULL)
319  {
320  addr->addr.in4.sin_family = AF_INET;
321  addr->addr.in4.sin_addr.s_addr = htonl(INADDR_ANY);
322  addr->addr.in4.sin_port = htons(0);
323  }
324 
325  while (len < 4 + alen + 2)
326  {
327  int status;
328  ssize_t size;
329  fd_set reads;
330  struct timeval tv;
331  char c;
332 
333  FD_ZERO(&reads);
334  openvpn_fd_set(sd, &reads);
335  tv.tv_sec = timeout_sec;
336  tv.tv_usec = 0;
337 
338  status = select(sd + 1, &reads, NULL, NULL, &tv);
339 
340  get_signal(signal_received);
341  if (*signal_received)
342  {
343  return false;
344  }
345 
346  /* timeout? */
347  if (status == 0)
348  {
349  msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read timeout expired");
350  return false;
351  }
352 
353  /* error */
354  if (status < 0)
355  {
356  msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on select()");
357  return false;
358  }
359 
360  /* read single char */
361  size = recv(sd, &c, 1, MSG_NOSIGNAL);
362 
363  /* error? */
364  if (size != 1)
365  {
366  msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on recv()");
367  return false;
368  }
369 
370  if (len == 3)
371  {
372  atyp = c;
373  }
374 
375  if (len == 4)
376  {
377  switch (atyp)
378  {
379  case '\x01': /* IP V4 */
380  alen = 4;
381  break;
382 
383  case '\x03': /* DOMAINNAME */
384  /* RFC 1928, section 5: 1 byte length, <n> bytes name,
385  * so the total "address length" is (length+1)
386  */
387  alen = (unsigned char) c + 1;
388  break;
389 
390  case '\x04': /* IP V6 */
391  alen = 16;
392  break;
393 
394  default:
395  msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad address type");
396  return false;
397  }
398  }
399 
400  /* store char in buffer */
401  if (len < (int)sizeof(buf))
402  {
403  buf[len] = c;
404  }
405  ++len;
406  }
407 
408  /* VER == 5 && REP == 0 (succeeded) */
409  if (buf[0] != '\x05' || buf[1] != '\x00')
410  {
411  msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad reply");
412  return false;
413  }
414 
415  /* ATYP == 1 (IP V4 address) */
416  if (atyp == '\x01' && addr != NULL)
417  {
418  memcpy(&addr->addr.in4.sin_addr, buf + 4, sizeof(addr->addr.in4.sin_addr));
419  memcpy(&addr->addr.in4.sin_port, buf + 8, sizeof(addr->addr.in4.sin_port));
420  struct gc_arena gc = gc_new();
421  msg(M_INFO, "SOCKS proxy wants us to send UDP to %s",
422  print_openvpn_sockaddr(addr, &gc));
423  gc_free(&gc);
424  }
425 
426 
427  return true;
428 }
429 
430 static int
431 port_from_servname(const char *servname)
432 {
433  int port = 0;
434  port = atoi(servname);
435  if (port >0 && port < 65536)
436  {
437  return port;
438  }
439 
440  struct servent *service;
441  service = getservbyname(servname, NULL);
442  if (service)
443  {
444  return service->s_port;
445  }
446 
447  return 0;
448 }
449 
450 void
452  socket_descriptor_t sd, /* already open to proxy */
453  const char *host, /* openvpn server remote */
454  const char *servname, /* openvpn server port */
455  volatile int *signal_received)
456 {
457  char buf[270];
458  size_t len;
459 
460  if (!socks_handshake(p, sd, signal_received))
461  {
462  goto error;
463  }
464 
465  /* format Socks CONNECT message */
466  buf[0] = '\x05'; /* VER = 5 */
467  buf[1] = '\x01'; /* CMD = 1 (CONNECT) */
468  buf[2] = '\x00'; /* RSV */
469  buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */
470 
471  len = strlen(host);
472  len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len;
473 
474  buf[4] = (char) len;
475  memcpy(buf + 5, host, len);
476 
477  int port = port_from_servname(servname);
478  if (port ==0)
479  {
480  msg(D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number", servname);
481  goto error;
482  }
483 
484  buf[5 + len] = (char) (port >> 8);
485  buf[5 + len + 1] = (char) (port & 0xff);
486 
487  {
488  const ssize_t size = send(sd, buf, 5 + len + 2, MSG_NOSIGNAL);
489  if ((int)size != 5 + (int)len + 2)
490  {
491  msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()");
492  goto error;
493  }
494  }
495 
496 
497  /* receive reply from Socks proxy and discard */
498  if (!recv_socks_reply(sd, NULL, signal_received))
499  {
500  goto error;
501  }
502 
503  return;
504 
505 error:
506  if (!*signal_received)
507  {
508  *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */
509  }
510  return;
511 }
512 
513 void
515  socket_descriptor_t ctrl_sd, /* already open to proxy */
516  socket_descriptor_t udp_sd,
517  struct openvpn_sockaddr *relay_addr,
518  volatile int *signal_received)
519 {
520  if (!socks_handshake(p, ctrl_sd, signal_received))
521  {
522  goto error;
523  }
524 
525  {
526  /* send Socks UDP ASSOCIATE message */
527  /* VER = 5, CMD = 3 (UDP ASSOCIATE), RSV = 0, ATYP = 1 (IP V4),
528  * BND.ADDR = 0, BND.PORT = 0 */
529  const ssize_t size = send(ctrl_sd,
530  "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00",
531  10, MSG_NOSIGNAL);
532  if (size != 10)
533  {
534  msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()");
535  goto error;
536  }
537  }
538 
539  /* receive reply from Socks proxy */
540  CLEAR(*relay_addr);
541  if (!recv_socks_reply(ctrl_sd, relay_addr, signal_received))
542  {
543  goto error;
544  }
545 
546  return;
547 
548 error:
549  if (!*signal_received)
550  {
551  *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */
552  }
553  return;
554 }
555 
556 /*
557  * Remove the 10 byte socks5 header from an incoming
558  * UDP packet, setting *from to the source address.
559  *
560  * Run after UDP read.
561  */
562 void
564  struct link_socket_actual *from)
565 {
566  int atyp;
567 
568  if (BLEN(buf) < 10)
569  {
570  goto error;
571  }
572 
573  buf_read_u16(buf);
574  if (buf_read_u8(buf) != 0)
575  {
576  goto error;
577  }
578 
579  atyp = buf_read_u8(buf);
580  if (atyp != 1) /* ATYP == 1 (IP V4) */
581  {
582  goto error;
583  }
584 
585  buf_read(buf, &from->dest.addr.in4.sin_addr, sizeof(from->dest.addr.in4.sin_addr));
586  buf_read(buf, &from->dest.addr.in4.sin_port, sizeof(from->dest.addr.in4.sin_port));
587 
588  return;
589 
590 error:
591  buf->len = 0;
592 }
593 
594 /*
595  * Add a 10 byte socks header prior to UDP write.
596  * *to is the destination address.
597  *
598  * Run before UDP write.
599  * Returns the size of the header.
600  */
601 int
603  const struct link_socket_actual *to)
604 {
605  /*
606  * Get a 10 byte subset buffer prepended to buf --
607  * we expect these bytes will be here because
608  * we allocated frame space in socks_adjust_frame_parameters.
609  */
610  struct buffer head = buf_sub(buf, 10, true);
611 
612  /* crash if not enough headroom in buf */
613  ASSERT(buf_defined(&head));
614 
615  buf_write_u16(&head, 0); /* RSV = 0 */
616  buf_write_u8(&head, 0); /* FRAG = 0 */
617  buf_write_u8(&head, '\x01'); /* ATYP = 1 (IP V4) */
618  buf_write(&head, &to->dest.addr.in4.sin_addr, sizeof(to->dest.addr.in4.sin_addr));
619  buf_write(&head, &to->dest.addr.in4.sin_port, sizeof(to->dest.addr.in4.sin_port));
620 
621  return 10;
622 }
#define M_NONFATAL
Definition: error.h:95
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
#define MSG_NOSIGNAL
Definition: socket.h:257
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
void establish_socks_proxy_passthru(struct socks_proxy_info *p, socket_descriptor_t sd, const char *host, const char *servname, volatile int *signal_received)
Definition: socks.c:451
#define M_INFO
Definition: errlevel.h:55
Packet geometry parameters.
Definition: mtu.h:93
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
#define SIGUSR1
Definition: config-msvc.h:152
bool defined
Definition: misc.h:65
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static bool recv_socks_reply(socket_descriptor_t sd, struct openvpn_sockaddr *addr, volatile int *signal_received)
Definition: socks.c:308
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
static const char * print_openvpn_sockaddr(const struct openvpn_sockaddr *addr, struct gc_arena *gc)
Definition: socket.h:372
static void get_signal(volatile int *sig)
Definition: sig.h:89
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition: socks.c:563
#define ASSERT(x)
Definition: error.h:221
char username[USER_PASS_LEN]
Definition: misc.h:75
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
static bool buf_read(struct buffer *src, void *dest, int size)
Definition: buffer.h:800
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
static bool buf_write(struct buffer *dest, const void *src, int size)
Definition: buffer.h:689
#define CLEAR(x)
Definition: basic.h:33
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:296
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
static void openvpn_fd_set(int fd, fd_set *setp)
Definition: fdmisc.h:40
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
struct buffer buf_sub(struct buffer *buf, int size, bool prepend)
Definition: buffer.c:223
bool defined
Definition: socks.h:38
struct sockaddr_in in4
Definition: socket.h:69
static bool buf_write_u16(struct buffer *dest, int data)
Definition: buffer.h:720
static SERVICE_STATUS status
Definition: automatic.c:43
union openvpn_sockaddr::@10 addr
#define M_ERRNO
Definition: error.h:99
static SERVICE_STATUS_HANDLE service
Definition: automatic.c:42
#define msg
Definition: error.h:173
static int port_from_servname(const char *servname)
Definition: socks.c:431
static bool socks_username_password_auth(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received)
Definition: socks.c:97
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition: socks.c:602
#define BLEN(buf)
Definition: buffer.h:127
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Definition: misc.h:134
static bool buf_defined(const struct buffer *buf)
Definition: buffer.h:215
char authfile[256]
Definition: socks.h:42
SOCKET socket_descriptor_t
Definition: syshead.h:489
char server[128]
Definition: socks.h:40
Definition: misc.h:63
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define UP_TYPE_SOCKS
Definition: socks.c:50
const char * port
Definition: socks.h:41
#define free
Definition: cmocka.c:1850
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void establish_socks_proxy_udpassoc(struct socks_proxy_info *p, socket_descriptor_t ctrl_sd, socket_descriptor_t udp_sd, struct openvpn_sockaddr *relay_addr, volatile int *signal_received)
Definition: socks.c:514
static int buf_read_u16(struct buffer *buf)
Definition: buffer.h:825
char password[USER_PASS_LEN]
Definition: misc.h:76
static bool socks_handshake(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received)
Definition: socks.c:192
#define ssize_t
Definition: config-msvc.h:141
#define D_LINK_ERRORS
Definition: errlevel.h:57
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:113