OpenVPN
socks.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23/*
24 * 2004-01-30: Added Socks5 proxy support, see RFC 1928
25 * (Christof Meerwald, http://cmeerw.org)
26 *
27 * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929)
28 * (Pierre Bourdon <delroth@gmail.com>)
29 */
30
31#ifdef HAVE_CONFIG_H
32#include "config.h"
33#endif
34
35#include "syshead.h"
36
37#include "common.h"
38#include "misc.h"
39#include "win32.h"
40#include "socket.h"
41#include "fdmisc.h"
42#include "misc.h"
43#include "proxy.h"
44#include "forward.h"
45
46#include "memdbg.h"
47
48#define UP_TYPE_SOCKS "SOCKS Proxy"
49
50struct socks_proxy_info *
51socks_proxy_new(const char *server, const char *port, const char *authfile)
52{
53 struct socks_proxy_info *p;
54
55 ALLOC_OBJ_CLEAR(p, struct socks_proxy_info);
56
57 ASSERT(server);
58 ASSERT(port);
59
60 strncpynt(p->server, server, sizeof(p->server));
61 p->port = port;
62
63 if (authfile)
64 {
65 strncpynt(p->authfile, authfile, sizeof(p->authfile));
66 }
67 else
68 {
69 p->authfile[0] = 0;
70 }
71
72 p->defined = true;
73
74 return p;
75}
76
77void
78socks_proxy_close(struct socks_proxy_info *sp)
79{
80 free(sp);
81}
82
83#if defined(__GNUC__) || defined(__clang__)
84#pragma GCC diagnostic push
85#pragma GCC diagnostic ignored "-Wconversion"
86#endif
87
88static bool
89socks_proxy_recv_char(char *c, const char *name, socket_descriptor_t sd,
90 struct event_timeout *server_poll_timeout,
91 volatile int *signal_received)
92{
93 fd_set reads;
94 FD_ZERO(&reads);
95 openvpn_fd_set(sd, &reads);
96
97 struct timeval tv;
98 tv.tv_sec = get_server_poll_remaining_time(server_poll_timeout);
99 tv.tv_usec = 0;
100
101 const int status = select(sd + 1, &reads, NULL, NULL, &tv);
102
103 get_signal(signal_received);
104 if (*signal_received)
105 {
106 return false;
107 }
108
109 /* timeout? */
110 if (status == 0)
111 {
112 msg(D_LINK_ERRORS | M_ERRNO, "%s: TCP port read timeout expired", name);
113 return false;
114 }
115
116 /* error */
117 if (status < 0)
118 {
119 msg(D_LINK_ERRORS | M_ERRNO, "%s: TCP port read failed on select()", name);
120 return false;
121 }
122
123 /* read single char */
124 const ssize_t size = recv(sd, c, 1, MSG_NOSIGNAL);
125
126 /* error? */
127 if (size != 1)
128 {
129 msg(D_LINK_ERRORS | M_ERRNO, "%s: TCP port read failed on recv()", name);
130 return false;
131 }
132
133 return true;
134}
135
136static bool
137socks_username_password_auth(struct socks_proxy_info *p, socket_descriptor_t sd,
138 struct event_timeout *server_poll_timeout,
139 volatile int *signal_received)
140{
141 char to_send[516];
142 char buf[2];
143 int len = 0;
144 struct user_pass creds;
145 ssize_t size;
146 bool ret = false;
147
148 CLEAR(creds);
149 if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT))
150 {
151 msg(M_NONFATAL, "SOCKS failed to get username/password.");
152 goto cleanup;
153 }
154
155 if ((strlen(creds.username) > 255) || (strlen(creds.password) > 255))
156 {
157 msg(M_NONFATAL, "SOCKS username and/or password exceeds 255 characters. "
158 "Authentication not possible.");
159 goto cleanup;
160 }
161
162 int sret = snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int)strlen(creds.username),
163 creds.username, (int)strlen(creds.password), creds.password);
164 ASSERT(sret <= sizeof(to_send));
165
166 size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL);
167
168 if (size != strlen(to_send))
169 {
170 msg(D_LINK_ERRORS | M_ERRNO,
171 "socks_username_password_auth: TCP port write failed on send()");
172 goto cleanup;
173 }
174
175 while (len < 2)
176 {
177 char c;
178
179 if (!socks_proxy_recv_char(&c, __func__, sd, server_poll_timeout, signal_received))
180 {
181 goto cleanup;
182 }
183 /* store char in buffer */
184 buf[len++] = c;
185 }
186
187 /* VER = 5, SUCCESS = 0 --> auth success */
188 if (buf[0] != 5 && buf[1] != 0)
189 {
190 msg(D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication");
191 goto cleanup;
192 }
193
194 ret = true;
195cleanup:
196 secure_memzero(&creds, sizeof(creds));
197 secure_memzero(to_send, sizeof(to_send));
198 return ret;
199}
200
201static bool
202socks_handshake(struct socks_proxy_info *p, socket_descriptor_t sd,
203 struct event_timeout *server_poll_timeout, volatile int *signal_received)
204{
205 char buf[2];
206 int len = 0;
207 ssize_t size;
208
209 /* VER = 5, NMETHODS = 1, METHODS = [0 (no auth)] */
210 char method_sel[3] = { 0x05, 0x01, 0x00 };
211 if (p->authfile[0])
212 {
213 method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
214 }
215 size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL);
216 if (size != sizeof(method_sel))
217 {
218 msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port write failed on send()");
219 return false;
220 }
221
222 while (len < 2)
223 {
224 char c;
225
226 if (!socks_proxy_recv_char(&c, __func__, sd, server_poll_timeout, signal_received))
227 {
228 return false;
229 }
230 /* store char in buffer */
231 buf[len++] = c;
232 }
233
234 /* VER == 5 */
235 if (buf[0] != '\x05')
236 {
237 msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status");
238 return false;
239 }
240
241 /* validate that the auth method returned is the one sent */
242 if (buf[1] != method_sel[2])
243 {
244 msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned unexpected auth");
245 return false;
246 }
247
248 /* select the appropriate authentication method */
249 switch (buf[1])
250 {
251 case 0: /* no authentication */
252 break;
253
254 case 2: /* login/password */
255 if (!p->authfile[0])
256 {
257 msg(D_LINK_ERRORS,
258 "socks_handshake: server asked for username/login auth but we were "
259 "not provided any credentials");
260 return false;
261 }
262
263 if (!socks_username_password_auth(p, sd, server_poll_timeout, signal_received))
264 {
265 return false;
266 }
267
268 break;
269
270 default: /* unknown auth method */
271 msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method");
272 return false;
273 }
274
275 return true;
276}
277
278static bool
279recv_socks_reply(socket_descriptor_t sd, struct openvpn_sockaddr *addr,
280 struct event_timeout *server_poll_timeout, volatile int *signal_received)
281{
282 char atyp = '\0';
283 int alen = 0;
284 int len = 0;
285 char buf[270]; /* 4 + alen(max 256) + 2 */
286
287 if (addr != NULL)
288 {
289 addr->addr.in4.sin_family = AF_INET;
290 addr->addr.in4.sin_addr.s_addr = htonl(INADDR_ANY);
291 addr->addr.in4.sin_port = htons(0);
292 }
293
294 while (len < 4 + alen + 2)
295 {
296 char c;
297
298 if (!socks_proxy_recv_char(&c, __func__, sd, server_poll_timeout, signal_received))
299 {
300 return false;
301 }
302
303 if (len == 3)
304 {
305 atyp = c;
306 }
307
308 if (len == 4)
309 {
310 switch (atyp)
311 {
312 case '\x01': /* IP V4 */
313 alen = 4;
314 break;
315
316 case '\x03': /* DOMAINNAME */
317 /* RFC 1928, section 5: 1 byte length, <n> bytes name,
318 * so the total "address length" is (length+1)
319 */
320 alen = (unsigned char)c + 1;
321 break;
322
323 case '\x04': /* IP V6 */
324 alen = 16;
325 break;
326
327 default:
328 msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad address type");
329 return false;
330 }
331 }
332
333 /* store char in buffer */
334 if (len < (int)sizeof(buf))
335 {
336 buf[len] = c;
337 }
338 ++len;
339 }
340
341 /* VER == 5 && REP == 0 (succeeded) */
342 if (buf[0] != '\x05' || buf[1] != '\x00')
343 {
344 msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad reply");
345 return false;
346 }
347
348 /* ATYP == 1 (IP V4 address) */
349 if (atyp == '\x01' && addr != NULL)
350 {
351 memcpy(&addr->addr.in4.sin_addr, buf + 4, sizeof(addr->addr.in4.sin_addr));
352 memcpy(&addr->addr.in4.sin_port, buf + 8, sizeof(addr->addr.in4.sin_port));
353 struct gc_arena gc = gc_new();
354 msg(M_INFO, "SOCKS proxy wants us to send UDP to %s", print_openvpn_sockaddr(addr, &gc));
355 gc_free(&gc);
356 }
357
358
359 return true;
360}
361
362static int
363port_from_servname(const char *servname)
364{
365 int port = 0;
366 port = atoi(servname);
367 if (port > 0 && port < 65536)
368 {
369 return port;
370 }
371
372 struct servent *service;
373 service = getservbyname(servname, NULL);
374 if (service)
375 {
376 return service->s_port;
377 }
378
379 return 0;
380}
381
382void
383establish_socks_proxy_passthru(struct socks_proxy_info *p,
384 socket_descriptor_t sd, /* already open to proxy */
385 const char *host, /* openvpn server remote */
386 const char *servname, /* openvpn server port */
387 struct event_timeout *server_poll_timeout,
388 struct signal_info *sig_info)
389{
390 char buf[270];
391 size_t len;
392
393 if (!socks_handshake(p, sd, server_poll_timeout, &sig_info->signal_received))
394 {
395 goto error;
396 }
397
398 /* format Socks CONNECT message */
399 buf[0] = '\x05'; /* VER = 5 */
400 buf[1] = '\x01'; /* CMD = 1 (CONNECT) */
401 buf[2] = '\x00'; /* RSV */
402 buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */
403
404 len = strlen(host);
405 len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len;
406
407 buf[4] = (char)len;
408 memcpy(buf + 5, host, len);
409
410 int port = port_from_servname(servname);
411 if (port == 0)
412 {
413 msg(D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number",
414 servname);
415 goto error;
416 }
417
418 buf[5 + len] = (char)(port >> 8);
419 buf[5 + len + 1] = (char)(port & 0xff);
420
421 {
422 const ssize_t size = send(sd, buf, 5 + len + 2, MSG_NOSIGNAL);
423 if ((int)size != 5 + (int)len + 2)
424 {
425 msg(D_LINK_ERRORS | M_ERRNO,
426 "establish_socks_proxy_passthru: TCP port write failed on send()");
427 goto error;
428 }
429 }
430
431
432 /* receive reply from Socks proxy and discard */
433 if (!recv_socks_reply(sd, NULL, server_poll_timeout, &sig_info->signal_received))
434 {
435 goto error;
436 }
437
438 return;
439
440error:
441 /* SOFT-SIGUSR1 -- socks error */
442 register_signal(sig_info, SIGUSR1, "socks-error");
443 return;
444}
445
446#if defined(__GNUC__) || defined(__clang__)
447#pragma GCC diagnostic pop
448#endif
449
450void
451establish_socks_proxy_udpassoc(struct socks_proxy_info *p,
452 socket_descriptor_t ctrl_sd, /* already open to proxy */
453 struct openvpn_sockaddr *relay_addr,
454 struct event_timeout *server_poll_timeout,
455 struct signal_info *sig_info)
456{
457 if (!socks_handshake(p, ctrl_sd, server_poll_timeout, &sig_info->signal_received))
458 {
459 goto error;
460 }
461
462 {
463 /* send Socks UDP ASSOCIATE message */
464 /* VER = 5, CMD = 3 (UDP ASSOCIATE), RSV = 0, ATYP = 1 (IP V4),
465 * BND.ADDR = 0, BND.PORT = 0 */
466 const ssize_t size =
467 send(ctrl_sd, "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00", 10, MSG_NOSIGNAL);
468 if (size != 10)
469 {
470 msg(D_LINK_ERRORS | M_ERRNO,
471 "establish_socks_proxy_passthru: TCP port write failed on send()");
472 goto error;
473 }
474 }
475
476 /* receive reply from Socks proxy */
477 CLEAR(*relay_addr);
478 if (!recv_socks_reply(ctrl_sd, relay_addr, server_poll_timeout, &sig_info->signal_received))
479 {
480 goto error;
481 }
482
483 return;
484
485error:
486 /* SOFT-SIGUSR1 -- socks error */
487 register_signal(sig_info, SIGUSR1, "socks-error");
488 return;
489}
490
491/*
492 * Remove the 10 byte socks5 header from an incoming
493 * UDP packet, setting *from to the source address.
494 *
495 * Run after UDP read.
496 */
497void
498socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
499{
500 int atyp;
501
502 if (BLEN(buf) < 10)
503 {
504 goto error;
505 }
506
507 buf_read_u16(buf);
508 if (buf_read_u8(buf) != 0)
509 {
510 goto error;
511 }
512
513 atyp = buf_read_u8(buf);
514 if (atyp != 1) /* ATYP == 1 (IP V4) */
515 {
516 goto error;
517 }
518
519 buf_read(buf, &from->dest.addr.in4.sin_addr, sizeof(from->dest.addr.in4.sin_addr));
520 buf_read(buf, &from->dest.addr.in4.sin_port, sizeof(from->dest.addr.in4.sin_port));
521
522 return;
523
524error:
525 buf->len = 0;
526}
527
528/*
529 * Add a 10 byte socks header prior to UDP write.
530 * *to is the destination address.
531 *
532 * Run before UDP write.
533 * Returns the size of the header.
534 */
535int
536socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
537{
538 /*
539 * Get a 10 byte subset buffer prepended to buf --
540 * we expect these bytes will be here because
541 * we always allocate space for these bytes
542 */
543 struct buffer head = buf_sub(buf, 10, true);
544
545 /* crash if not enough headroom in buf */
546 ASSERT(buf_defined(&head));
547
548 buf_write_u16(&head, 0); /* RSV = 0 */
549 buf_write_u8(&head, 0); /* FRAG = 0 */
550 buf_write_u8(&head, '\x01'); /* ATYP = 1 (IP V4) */
551 buf_write(&head, &to->dest.addr.in4.sin_addr, sizeof(to->dest.addr.in4.sin_addr));
552 buf_write(&head, &to->dest.addr.in4.sin_port, sizeof(to->dest.addr.in4.sin_port));
553
554 return 10;
555}
buf_sub
struct buffer buf_sub(struct buffer *buf, int size, bool prepend)
Definition buffer.c:222
buf_write_u16
static bool buf_write_u16(struct buffer *dest, uint16_t data)
Definition buffer.h:690
buf_read_u16
static int buf_read_u16(struct buffer *buf)
Definition buffer.h:787
buf_read
static bool buf_read(struct buffer *src, void *dest, int size)
Definition buffer.h:762
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:660
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:684
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:774
BLEN
#define BLEN(buf)
Definition buffer.h:126
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
buf_defined
static bool buf_defined(const struct buffer *buf)
Definition buffer.h:228
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1007
M_INFO
#define M_INFO
Definition errlevel.h:54
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition errlevel.h:56
openvpn_fd_set
static void openvpn_fd_set(socket_descriptor_t fd, fd_set *setp)
Definition fdmisc.h:39
get_server_poll_remaining_time
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition forward.c:503
forward.h
Interface functions to the internal and external multiplexers.
status
static SERVICE_STATUS status
Definition interactive.c:51
service
static SERVICE_STATUS_HANDLE service
Definition interactive.c:50
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:110
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
CLEAR
#define CLEAR(x)
Definition basic.h:32
M_NONFATAL
#define M_NONFATAL
Definition error.h:91
msg
#define msg(flags,...)
Definition error.h:152
ASSERT
#define ASSERT(x)
Definition error.h:219
M_ERRNO
#define M_ERRNO
Definition error.h:95
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
get_signal
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition sig.h:109
MSG_NOSIGNAL
#define MSG_NOSIGNAL
Definition socket.h:242
print_openvpn_sockaddr
static const char * print_openvpn_sockaddr(const struct openvpn_sockaddr *addr, struct gc_arena *gc)
Definition socket_util.h:71
port_from_servname
static int port_from_servname(const char *servname)
Definition socks.c:363
establish_socks_proxy_passthru
void establish_socks_proxy_passthru(struct socks_proxy_info *p, socket_descriptor_t sd, const char *host, const char *servname, struct event_timeout *server_poll_timeout, struct signal_info *sig_info)
Definition socks.c:383
socks_handshake
static bool socks_handshake(struct socks_proxy_info *p, socket_descriptor_t sd, struct event_timeout *server_poll_timeout, volatile int *signal_received)
Definition socks.c:202
socks_process_outgoing_udp
int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to)
Definition socks.c:536
socks_proxy_recv_char
static bool socks_proxy_recv_char(char *c, const char *name, socket_descriptor_t sd, struct event_timeout *server_poll_timeout, volatile int *signal_received)
Definition socks.c:89
socks_username_password_auth
static bool socks_username_password_auth(struct socks_proxy_info *p, socket_descriptor_t sd, struct event_timeout *server_poll_timeout, volatile int *signal_received)
Definition socks.c:137
UP_TYPE_SOCKS
#define UP_TYPE_SOCKS
Definition socks.c:48
socks_process_incoming_udp
void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from)
Definition socks.c:498
recv_socks_reply
static bool recv_socks_reply(socket_descriptor_t sd, struct openvpn_sockaddr *addr, struct event_timeout *server_poll_timeout, volatile int *signal_received)
Definition socks.c:279
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition socks.c:51
establish_socks_proxy_udpassoc
void establish_socks_proxy_udpassoc(struct socks_proxy_info *p, socket_descriptor_t ctrl_sd, struct openvpn_sockaddr *relay_addr, struct event_timeout *server_poll_timeout, struct signal_info *sig_info)
Definition socks.c:451
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition socks.c:78
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
event_timeout
Definition interval.h:135
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
link_socket_actual
Definition socket_util.h:50
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket_util.h:53
openvpn_sockaddr
Definition socket_util.h:38
openvpn_sockaddr::addr
union openvpn_sockaddr::@27 addr
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition socket_util.h:43
signal_info
Definition sig.h:41
signal_info::signal_received
volatile int signal_received
Definition sig.h:42
socks_proxy_info
Definition socks.h:37
socks_proxy_info::authfile
char authfile[256]
Definition socks.h:42
socks_proxy_info::server
char server[128]
Definition socks.h:40
socks_proxy_info::port
const char * port
Definition socks.h:41
socks_proxy_info::defined
bool defined
Definition socks.h:38
user_pass
Definition misc.h:52
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:68
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:67
socket_descriptor_t
SOCKET socket_descriptor_t
Definition syshead.h:440
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:289
gc
struct gc_arena gc
Definition test_ssl.c:131
Generated by doxygen 1.9.8