OpenVPN
socks.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 /*
25  * 2004-01-30: Added Socks5 proxy support, see RFC 1928
26  * (Christof Meerwald, http://cmeerw.org)
27  *
28  * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929)
29  * (Pierre Bourdon <delroth@gmail.com>)
30  */
31 
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #elif defined(_MSC_VER)
35 #include "config-msvc.h"
36 #endif
37 
38 #include "syshead.h"
39 
40 #include "common.h"
41 #include "misc.h"
42 #include "win32.h"
43 #include "socket.h"
44 #include "fdmisc.h"
45 #include "misc.h"
46 #include "proxy.h"
47 
48 #include "memdbg.h"
49 
50 #define UP_TYPE_SOCKS "SOCKS Proxy"
51 
52 void
54 {
55  if (proto == PROTO_UDP)
56  {
57  frame_add_to_extra_link(frame, 10);
58  }
59 }
60 
61 struct socks_proxy_info *
62 socks_proxy_new(const char *server,
63  const char *port,
64  const char *authfile)
65 {
66  struct socks_proxy_info *p;
67 
69 
70  ASSERT(server);
71  ASSERT(port);
72 
73  strncpynt(p->server, server, sizeof(p->server));
74  p->port = port;
75 
76  if (authfile)
77  {
78  strncpynt(p->authfile, authfile, sizeof(p->authfile));
79  }
80  else
81  {
82  p->authfile[0] = 0;
83  }
84 
85  p->defined = true;
86 
87  return p;
88 }
89 
90 void
92 {
93  free(sp);
94 }
95 
96 static bool
99  volatile int *signal_received)
100 {
101  char to_send[516];
102  char buf[2];
103  int len = 0;
104  const int timeout_sec = 5;
105  struct user_pass creds;
106  ssize_t size;
107 
108  creds.defined = 0;
110  {
111  msg(M_NONFATAL, "SOCKS failed to get username/password.");
112  return false;
113  }
114 
115  if ( (strlen(creds.username) > 255) || (strlen(creds.password) > 255) )
116  {
117  msg(M_NONFATAL,
118  "SOCKS username and/or password exceeds 255 characters. "
119  "Authentication not possible.");
120  return false;
121  }
122  openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) strlen(creds.username),
123  creds.username, (int) strlen(creds.password), creds.password);
124  size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);
125 
126  if (size != strlen(to_send))
127  {
128  msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port write failed on send()");
129  return false;
130  }
131 
132  while (len < 2)
133  {
134  int status;
135  ssize_t size;
136  fd_set reads;
137  struct timeval tv;
138  char c;
139 
140  FD_ZERO(&reads);
141  openvpn_fd_set(sd, &reads);
142  tv.tv_sec = timeout_sec;
143  tv.tv_usec = 0;
144 
145  status = select(sd + 1, &reads, NULL, NULL, &tv);
146 
147  get_signal(signal_received);
148  if (*signal_received)
149  {
150  return false;
151  }
152 
153  /* timeout? */
154  if (status == 0)
155  {
156  msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read timeout expired");
157  return false;
158  }
159 
160  /* error */
161  if (status < 0)
162  {
163  msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on select()");
164  return false;
165  }
166 
167  /* read single char */
168  size = recv(sd, &c, 1, MSG_NOSIGNAL);
169 
170  /* error? */
171  if (size != 1)
172  {
173  msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on recv()");
174  return false;
175  }
176 
177  /* store char in buffer */
178  buf[len++] = c;
179  }
180 
181  /* VER = 5, SUCCESS = 0 --> auth success */
182  if (buf[0] != 5 && buf[1] != 0)
183  {
184  msg(D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication");
185  return false;
186  }
187 
188  return true;
189 }
190 
191 static bool
194  volatile int *signal_received)
195 {
196  char buf[2];
197  int len = 0;
198  const int timeout_sec = 5;
199  ssize_t size;
200 
201  /* VER = 5, NMETHODS = 1, METHODS = [0 (no auth)] */
202  char method_sel[3] = { 0x05, 0x01, 0x00 };
203  if (p->authfile[0])
204  {
205  method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
206 
207  }
208  size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL);
209  if (size != sizeof(method_sel))
210  {
211  msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port write failed on send()");
212  return false;
213  }
214 
215  while (len < 2)
216  {
217  int status;
218  ssize_t size;
219  fd_set reads;
220  struct timeval tv;
221  char c;
222 
223  FD_ZERO(&reads);
224  openvpn_fd_set(sd, &reads);
225  tv.tv_sec = timeout_sec;
226  tv.tv_usec = 0;
227 
228  status = select(sd + 1, &reads, NULL, NULL, &tv);
229 
230  get_signal(signal_received);
231  if (*signal_received)
232  {
233  return false;
234  }
235 
236  /* timeout? */
237  if (status == 0)
238  {
239  msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read timeout expired");
240  return false;
241  }
242 
243  /* error */
244  if (status < 0)
245  {
246  msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on select()");
247  return false;
248  }
249 
250  /* read single char */
251  size = recv(sd, &c, 1, MSG_NOSIGNAL);
252 
253  /* error? */
254  if (size != 1)
255  {
256  msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on recv()");
257  return false;
258  }
259 
260  /* store char in buffer */
261  buf[len++] = c;
262  }
263 
264  /* VER == 5 */
265  if (buf[0] != '\x05')
266  {
267  msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status");
268  return false;
269  }
270 
271  /* validate that the auth method returned is the one sent */
272  if (buf[1] != method_sel[2])
273  {
274  msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned unexpected auth");
275  return false;
276  }
277 
278  /* select the appropriate authentication method */
279  switch (buf[1])
280  {
281  case 0: /* no authentication */
282  break;
283 
284  case 2: /* login/password */
285  if (!p->authfile[0])
286  {
287  msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were "
288  "not provided any credentials");
289  return false;
290  }
291 
292  if (!socks_username_password_auth(p, sd, signal_received))
293  {
294  return false;
295  }
296 
297  break;
298 
299  default: /* unknown auth method */
300  msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method");
301  return false;
302  }
303 
304  return true;
305 }
306 
307 static bool
309  struct openvpn_sockaddr *addr,
310  volatile int *signal_received)
311 {
312  char atyp = '\0';
313  int alen = 0;
314  int len = 0;
315  char buf[22];
316  const int timeout_sec = 5;
317 
318  if (addr != NULL)
319  {
320  addr->addr.in4.sin_family = AF_INET;
321  addr->addr.in4.sin_addr.s_addr = htonl(INADDR_ANY);
322  addr->addr.in4.sin_port = htons(0);
323  }
324 
325  while (len < 4 + alen + 2)
326  {
327  int status;
328  ssize_t size;
329  fd_set reads;
330  struct timeval tv;
331  char c;
332 
333  FD_ZERO(&reads);
334  openvpn_fd_set(sd, &reads);
335  tv.tv_sec = timeout_sec;
336  tv.tv_usec = 0;
337 
338  status = select(sd + 1, &reads, NULL, NULL, &tv);
339 
340  get_signal(signal_received);
341  if (*signal_received)
342  {
343  return false;
344  }
345 
346  /* timeout? */
347  if (status == 0)
348  {
349  msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read timeout expired");
350  return false;
351  }
352 
353  /* error */
354  if (status < 0)
355  {
356  msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on select()");
357  return false;
358  }
359 
360  /* read single char */
361  size = recv(sd, &c, 1, MSG_NOSIGNAL);
362 
363  /* error? */
364  if (size != 1)
365  {
366  msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on recv()");
367  return false;
368  }
369 
370  if (len == 3)
371  {
372  atyp = c;
373  }
374 
375  if (len == 4)
376  {
377  switch (atyp)
378  {
379  case '\x01': /* IP V4 */
380  alen = 4;
381  break;
382 
383  case '\x03': /* DOMAINNAME */
384  alen = (unsigned char) c;
385  break;
386 
387  case '\x04': /* IP V6 */
388  alen = 16;
389  break;
390 
391  default:
392  msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad address type");
393  return false;
394  }
395  }
396 
397  /* store char in buffer */
398  if (len < (int)sizeof(buf))
399  {
400  buf[len] = c;
401  }
402  ++len;
403  }
404 
405  /* VER == 5 && REP == 0 (succeeded) */
406  if (buf[0] != '\x05' || buf[1] != '\x00')
407  {
408  msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad reply");
409  return false;
410  }
411 
412  /* ATYP == 1 (IP V4 address) */
413  if (atyp == '\x01' && addr != NULL)
414  {
415  memcpy(&addr->addr.in4.sin_addr, buf + 4, sizeof(addr->addr.in4.sin_addr));
416  memcpy(&addr->addr.in4.sin_port, buf + 8, sizeof(addr->addr.in4.sin_port));
417  }
418 
419 
420  return true;
421 }
422 
423 static int
424 port_from_servname(const char *servname)
425 {
426  int port = 0;
427  port = atoi(servname);
428  if (port >0 && port < 65536)
429  {
430  return port;
431  }
432 
433  struct servent *service;
434  service = getservbyname(servname, NULL);
435  if (service)
436  {
437  return service->s_port;
438  }
439 
440  return 0;
441 }
442 
443 void
445  socket_descriptor_t sd, /* already open to proxy */
446  const char *host, /* openvpn server remote */
447  const char *servname, /* openvpn server port */
448  volatile int *signal_received)
449 {
450  char buf[128];
451  size_t len;
452 
453  if (!socks_handshake(p, sd, signal_received))
454  {
455  goto error;
456  }
457 
458  /* format Socks CONNECT message */
459  buf[0] = '\x05'; /* VER = 5 */
460  buf[1] = '\x01'; /* CMD = 1 (CONNECT) */
461  buf[2] = '\x00'; /* RSV */
462  buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */
463 
464  len = strlen(host);
465  len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len;
466 
467  buf[4] = (char) len;
468  memcpy(buf + 5, host, len);
469 
470  int port = port_from_servname(servname);
471  if (port ==0)
472  {
473  msg(D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number", servname);
474  goto error;
475  }
476 
477  buf[5 + len] = (char) (port >> 8);
478  buf[5 + len + 1] = (char) (port & 0xff);
479 
480  {
481  const ssize_t size = send(sd, buf, 5 + len + 2, MSG_NOSIGNAL);
482  if ((int)size != 5 + (int)len + 2)
483  {
484  msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()");
485  goto error;
486  }
487  }
488 
489 
490  /* receive reply from Socks proxy and discard */
491  if (!recv_socks_reply(sd, NULL, signal_received))
492  {
493  goto error;
494  }
495 
496  return;
497 
498 error:
499  if (!*signal_received)
500  {
501  *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */
502  }
503  return;
504 }
505 
506 void
508  socket_descriptor_t ctrl_sd, /* already open to proxy */
509  socket_descriptor_t udp_sd,
510  struct openvpn_sockaddr *relay_addr,
511  volatile int *signal_received)
512 {
513  if (!socks_handshake(p, ctrl_sd, signal_received))
514  {
515  goto error;
516  }
517 
518  {
519  /* send Socks UDP ASSOCIATE message */
520  /* VER = 5, CMD = 3 (UDP ASSOCIATE), RSV = 0, ATYP = 1 (IP V4),
521  * BND.ADDR = 0, BND.PORT = 0 */
522  const ssize_t size = send(ctrl_sd,
523  "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00",
524  10, MSG_NOSIGNAL);
525  if (size != 10)
526  {
527  msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()");
528  goto error;
529  }
530  }
531 
532  /* receive reply from Socks proxy */
533  CLEAR(*relay_addr);
534  if (!recv_socks_reply(ctrl_sd, relay_addr, signal_received))
535  {
536  goto error;
537  }
538 
539  return;
540 
541 error:
542  if (!*signal_received)
543  {
544  *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */
545  }
546  return;
547 }
548 
549 /*
550  * Remove the 10 byte socks5 header from an incoming
551  * UDP packet, setting *from to the source address.
552  *
553  * Run after UDP read.
554  */
555 void
557  struct link_socket_actual *from)
558 {
559  int atyp;
560 
561  if (BLEN(buf) < 10)
562  {
563  goto error;
564  }
565 
566  buf_read_u16(buf);
567  if (buf_read_u8(buf) != 0)
568  {
569  goto error;
570  }
571 
572  atyp = buf_read_u8(buf);
573  if (atyp != 1) /* ATYP == 1 (IP V4) */
574  {
575  goto error;
576  }
577 
578  buf_read(buf, &from->dest.addr.in4.sin_addr, sizeof(from->dest.addr.in4.sin_addr));
579  buf_read(buf, &from->dest.addr.in4.sin_port, sizeof(from->dest.addr.in4.sin_port));
580 
581  return;
582 
583 error:
584  buf->len = 0;
585 }
586 
587 /*
588  * Add a 10 byte socks header prior to UDP write.
589  * *to is the destination address.
590  *
591  * Run before UDP write.
592  * Returns the size of the header.
593  */
594 int
596  const struct link_socket_actual *to)
597 {
598  /*
599  * Get a 10 byte subset buffer prepended to buf --
600  * we expect these bytes will be here because
601  * we allocated frame space in socks_adjust_frame_parameters.
602  */
603  struct buffer head = buf_sub(buf, 10, true);
604 
605  /* crash if not enough headroom in buf */
606  ASSERT(buf_defined(&head));
607 
608  buf_write_u16(&head, 0); /* RSV = 0 */
609  buf_write_u8(&head, 0); /* FRAG = 0 */
610  buf_write_u8(&head, '\x01'); /* ATYP = 1 (IP V4) */
611  buf_write(&head, &to->dest.addr.in4.sin_addr, sizeof(to->dest.addr.in4.sin_addr));
612  buf_write(&head, &to->dest.addr.in4.sin_port, sizeof(to->dest.addr.in4.sin_port));
613 
614  return 10;
615 }
#define M_NONFATAL
Definition: error.h:95
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
#define MSG_NOSIGNAL
Definition: socket.h:256
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
void establish_socks_proxy_passthru(struct socks_proxy_info *p, socket_descriptor_t sd, const char *host, const char *servname, volatile int *signal_received)
Definition: socks.c:444
Packet geometry parameters.
Definition: mtu.h:93
union openvpn_sockaddr::@8 addr
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
#define SIGUSR1
Definition: config-msvc.h:116
bool defined
Definition: misc.h:64
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static bool recv_socks_reply(socket_descriptor_t sd, struct openvpn_sockaddr *addr, volatile int *signal_received)
Definition: socks.c:308
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
static void get_signal(volatile int *sig)
Definition: sig.h:92
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition: socks.c:556
#define ASSERT(x)
Definition: error.h:221
char username[USER_PASS_LEN]
Definition: misc.h:74
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
static bool buf_read(struct buffer *src, void *dest, int size)
Definition: buffer.h:800
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
static bool buf_write(struct buffer *dest, const void *src, int size)
Definition: buffer.h:689
#define CLEAR(x)
Definition: basic.h:33
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:299
static void openvpn_fd_set(int fd, fd_set *setp)
Definition: fdmisc.h:40
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
struct buffer buf_sub(struct buffer *buf, int size, bool prepend)
Definition: buffer.c:226
bool defined
Definition: socks.h:38
struct sockaddr_in in4
Definition: socket.h:69
static bool buf_write_u16(struct buffer *dest, int data)
Definition: buffer.h:720
static SERVICE_STATUS status
Definition: automatic.c:43
#define M_ERRNO
Definition: error.h:99
static SERVICE_STATUS_HANDLE service
Definition: automatic.c:42
#define msg
Definition: error.h:173
static int port_from_servname(const char *servname)
Definition: socks.c:424
static bool socks_username_password_auth(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received)
Definition: socks.c:97
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition: socks.c:595
#define BLEN(buf)
Definition: buffer.h:127
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Definition: misc.h:133
static bool buf_defined(const struct buffer *buf)
Definition: buffer.h:215
char authfile[256]
Definition: socks.h:42
SOCKET socket_descriptor_t
Definition: syshead.h:488
char server[128]
Definition: socks.h:40
Definition: misc.h:62
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define UP_TYPE_SOCKS
Definition: socks.c:50
const char * port
Definition: socks.h:41
#define free
Definition: cmocka.c:1850
void establish_socks_proxy_udpassoc(struct socks_proxy_info *p, socket_descriptor_t ctrl_sd, socket_descriptor_t udp_sd, struct openvpn_sockaddr *relay_addr, volatile int *signal_received)
Definition: socks.c:507
static int buf_read_u16(struct buffer *buf)
Definition: buffer.h:825
char password[USER_PASS_LEN]
Definition: misc.h:75
static bool socks_handshake(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received)
Definition: socks.c:192
#define ssize_t
Definition: config-msvc.h:105
#define D_LINK_ERRORS
Definition: errlevel.h:57
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:112