search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Dropbear: 2012.55 update
[tomato.git] / release / src / router / openvpn / socks.c
blob82872743221c9d44a7be562cdf4d80cb1245ffca
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 /*
26 * 2004-01-30: Added Socks5 proxy support, see RFC 1928
27 * (Christof Meerwald, http://cmeerw.org)
28 *
29 * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929)
30 * (Pierre Bourdon <delroth@gmail.com>)
31 */
32
33 #include "syshead.h"
34
35 #ifdef ENABLE_SOCKS
36
37 #include "common.h"
38 #include "misc.h"
39 #include "win32.h"
40 #include "socket.h"
41 #include "fdmisc.h"
42 #include "misc.h"
43 #include "proxy.h"
44
45 #include "memdbg.h"
46
47 #define UP_TYPE_SOCKS "SOCKS Proxy"
48
49 void
50 socks_adjust_frame_parameters (struct frame *frame, int proto)
51 {
52 if (proto == PROTO_UDPv4)
53 frame_add_to_extra_link (frame, 10);
54 }
55
56 struct socks_proxy_info *
57 socks_proxy_new (const char *server,
58 int port,
59 const char *authfile,
60 bool retry,
61 struct auto_proxy_info *auto_proxy_info)
62 {
63 struct socks_proxy_info *p;
64
65 if (auto_proxy_info)
66 {
67 if (!server)
68 {
69 if (!auto_proxy_info->socks.server)
70 return NULL;
71
72 server = auto_proxy_info->socks.server;
73 port = auto_proxy_info->socks.port;
74 }
75 }
76
77 ALLOC_OBJ_CLEAR (p, struct socks_proxy_info);
78
79 ASSERT (server);
80 ASSERT (legal_ipv4_port (port));
81
82 strncpynt (p->server, server, sizeof (p->server));
83 p->port = port;
84
85 if (authfile)
86 strncpynt (p->authfile, authfile, sizeof (p->authfile));
87 else
88 p->authfile[0] = 0;
89
90 p->retry = retry;
91 p->defined = true;
92
93 return p;
94 }
95
96 void
97 socks_proxy_close (struct socks_proxy_info *sp)
98 {
99 free (sp);
100 }
101
102 static bool
103 socks_username_password_auth (struct socks_proxy_info *p,
104 socket_descriptor_t sd,
105 volatile int *signal_received)
106 {
107 char to_send[516];
108 char buf[2];
109 int len = 0;
110 const int timeout_sec = 5;
111 struct user_pass creds;
112 ssize_t size;
113
114 creds.defined = 0;
115 get_user_pass (&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT);
116
117 if( !creds.username || (strlen(creds.username) > 255)
118 || !creds.password || (strlen(creds.password) > 255) ) {
119 msg (M_NONFATAL,
120 "SOCKS username and/or password exceeds 255 characters. "
121 "Authentication not possible.");
122 return false;
123 }
124 openvpn_snprintf (to_send, sizeof (to_send), "\x01%c%s%c%s", (int) strlen(creds.username),
125 creds.username, (int) strlen(creds.password), creds.password);
126 size = send (sd, to_send, strlen(to_send), MSG_NOSIGNAL);
127
128 if (size != strlen (to_send))
129 {
130 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port write failed on send()");
131 return false;
132 }
133
134 while (len < 2)
135 {
136 int status;
137 ssize_t size;
138 fd_set reads;
139 struct timeval tv;
140 char c;
141
142 FD_ZERO (&reads);
143 FD_SET (sd, &reads);
144 tv.tv_sec = timeout_sec;
145 tv.tv_usec = 0;
146
147 status = select (sd + 1, &reads, NULL, NULL, &tv);
148
149 get_signal (signal_received);
150 if (*signal_received)
151 return false;
152
153 /* timeout? */
154 if (status == 0)
155 {
156 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read timeout expired");
157 return false;
158 }
159
160 /* error */
161 if (status < 0)
162 {
163 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read failed on select()");
164 return false;
165 }
166
167 /* read single char */
168 size = recv(sd, &c, 1, MSG_NOSIGNAL);
169
170 /* error? */
171 if (size != 1)
172 {
173 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read failed on recv()");
174 return false;
175 }
176
177 /* store char in buffer */
178 buf[len++] = c;
179 }
180
181 /* VER = 5, SUCCESS = 0 --> auth success */
182 if (buf[0] != 5 && buf[1] != 0)
183 {
184 msg (D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication");
185 return false;
186 }
187
188 return true;
189 }
190
191 static bool
192 socks_handshake (struct socks_proxy_info *p,
193 socket_descriptor_t sd,
194 volatile int *signal_received)
195 {
196 char buf[2];
197 int len = 0;
198 const int timeout_sec = 5;
199
200 /* VER = 5, NMETHODS = 2, METHODS = [0 (no auth), 2 (plain login)] */
201 const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL);
202 if (size != 4)
203 {
204 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_handshake: TCP port write failed on send()");
205 return false;
206 }
207
208 while (len < 2)
209 {
210 int status;
211 ssize_t size;
212 fd_set reads;
213 struct timeval tv;
214 char c;
215
216 FD_ZERO (&reads);
217 FD_SET (sd, &reads);
218 tv.tv_sec = timeout_sec;
219 tv.tv_usec = 0;
220
221 status = select (sd + 1, &reads, NULL, NULL, &tv);
222
223 get_signal (signal_received);
224 if (*signal_received)
225 return false;
226
227 /* timeout? */
228 if (status == 0)
229 {
230 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_handshake: TCP port read timeout expired");
231 return false;
232 }
233
234 /* error */
235 if (status < 0)
236 {
237 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_handshake: TCP port read failed on select()");
238 return false;
239 }
240
241 /* read single char */
242 size = recv(sd, &c, 1, MSG_NOSIGNAL);
243
244 /* error? */
245 if (size != 1)
246 {
247 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_handshake: TCP port read failed on recv()");
248 return false;
249 }
250
251 /* store char in buffer */
252 buf[len++] = c;
253 }
254
255 /* VER == 5 */
256 if (buf[0] != '\x05')
257 {
258 msg (D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status");
259 return false;
260 }
261
262 /* select the appropriate authentication method */
263 switch (buf[1])
264 {
265 case 0: /* no authentication */
266 break;
267
268 case 2: /* login/password */
269 if (!p->authfile[0])
270 {
271 msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were "
272 "not provided any credentials");
273 return false;
274 }
275
276 if (!socks_username_password_auth(p, sd, signal_received))
277 return false;
278
279 break;
280
281 default: /* unknown auth method */
282 msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method");
283 return false;
284 }
285
286 return true;
287 }
288
289 static bool
290 recv_socks_reply (socket_descriptor_t sd,
291 struct openvpn_sockaddr *addr,
292 volatile int *signal_received)
293 {
294 char atyp = '\0';
295 int alen = 0;
296 int len = 0;
297 char buf[22];
298 const int timeout_sec = 5;
299
300 if (addr != NULL)
301 {
302 addr->sa.sin_family = AF_INET;
303 addr->sa.sin_addr.s_addr = htonl (INADDR_ANY);
304 addr->sa.sin_port = htons (0);
305 }
306
307 while (len < 4 + alen + 2)
308 {
309 int status;
310 ssize_t size;
311 fd_set reads;
312 struct timeval tv;
313 char c;
314
315 FD_ZERO (&reads);
316 FD_SET (sd, &reads);
317 tv.tv_sec = timeout_sec;
318 tv.tv_usec = 0;
319
320 status = select (sd + 1, &reads, NULL, NULL, &tv);
321
322 get_signal (signal_received);
323 if (*signal_received)
324 return false;
325
326 /* timeout? */
327 if (status == 0)
328 {
329 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "recv_socks_reply: TCP port read timeout expired");
330 return false;
331 }
332
333 /* error */
334 if (status < 0)
335 {
336 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "recv_socks_reply: TCP port read failed on select()");
337 return false;
338 }
339
340 /* read single char */
341 size = recv(sd, &c, 1, MSG_NOSIGNAL);
342
343 /* error? */
344 if (size != 1)
345 {
346 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "recv_socks_reply: TCP port read failed on recv()");
347 return false;
348 }
349
350 if (len == 3)
351 atyp = c;
352
353 if (len == 4)
354 {
355 switch (atyp)
356 {
357 case '\x01': /* IP V4 */
358 alen = 4;
359 break;
360
361 case '\x03': /* DOMAINNAME */
362 alen = (unsigned char) c;
363 break;
364
365 case '\x04': /* IP V6 */
366 alen = 16;
367 break;
368
369 default:
370 msg (D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad address type");
371 return false;
372 }
373 }
374
375 /* store char in buffer */
376 if (len < (int)sizeof(buf))
377 buf[len] = c;
378 ++len;
379 }
380
381 /* VER == 5 && REP == 0 (succeeded) */
382 if (buf[0] != '\x05' || buf[1] != '\x00')
383 {
384 msg (D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad reply");
385 return false;
386 }
387
388 /* ATYP == 1 (IP V4 address) */
389 if (atyp == '\x01' && addr != NULL)
390 {
391 memcpy (&addr->sa.sin_addr, buf + 4, sizeof (addr->sa.sin_addr));
392 memcpy (&addr->sa.sin_port, buf + 8, sizeof (addr->sa.sin_port));
393 }
394
395
396 return true;
397 }
398
399 void
400 establish_socks_proxy_passthru (struct socks_proxy_info *p,
401 socket_descriptor_t sd, /* already open to proxy */
402 const char *host, /* openvpn server remote */
403 const int port, /* openvpn server port */
404 volatile int *signal_received)
405 {
406 char buf[128];
407 size_t len;
408
409 if (!socks_handshake (p, sd, signal_received))
410 goto error;
411
412 /* format Socks CONNECT message */
413 buf[0] = '\x05'; /* VER = 5 */
414 buf[1] = '\x01'; /* CMD = 1 (CONNECT) */
415 buf[2] = '\x00'; /* RSV */
416 buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */
417
418 len = strlen(host);
419 len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len;
420
421 buf[4] = (char) len;
422 memcpy(buf + 5, host, len);
423
424 buf[5 + len] = (char) (port >> 8);
425 buf[5 + len + 1] = (char) (port & 0xff);
426
427 {
428 const ssize_t size = send (sd, buf, 5 + len + 2, MSG_NOSIGNAL);
429 if ((int)size != 5 + (int)len + 2)
430 {
431 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "establish_socks_proxy_passthru: TCP port write failed on send()");
432 goto error;
433 }
434 }
435
436 /* receive reply from Socks proxy and discard */
437 if (!recv_socks_reply (sd, NULL, signal_received))
438 goto error;
439
440 return;
441
442 error:
443 /* on error, should we exit or restart? */
444 if (!*signal_received)
445 *signal_received = (p->retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- socks error */
446 return;
447 }
448
449 void
450 establish_socks_proxy_udpassoc (struct socks_proxy_info *p,
451 socket_descriptor_t ctrl_sd, /* already open to proxy */
452 socket_descriptor_t udp_sd,
453 struct openvpn_sockaddr *relay_addr,
454 volatile int *signal_received)
455 {
456 if (!socks_handshake (p, ctrl_sd, signal_received))
457 goto error;
458
459 {
460 /* send Socks UDP ASSOCIATE message */
461 /* VER = 5, CMD = 3 (UDP ASSOCIATE), RSV = 0, ATYP = 1 (IP V4),
462 BND.ADDR = 0, BND.PORT = 0 */
463 const ssize_t size = send (ctrl_sd,
464 "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00",
465 10, MSG_NOSIGNAL);
466 if (size != 10)
467 {
468 msg (D_LINK_ERRORS | M_ERRNO_SOCK, "establish_socks_proxy_passthru: TCP port write failed on send()");
469 goto error;
470 }
471 }
472
473 /* receive reply from Socks proxy */
474 CLEAR (*relay_addr);
475 if (!recv_socks_reply (ctrl_sd, relay_addr, signal_received))
476 goto error;
477
478 return;
479
480 error:
481 /* on error, should we exit or restart? */
482 if (!*signal_received)
483 *signal_received = (p->retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- socks error */
484 return;
485 }
486
487 /*
488 * Remove the 10 byte socks5 header from an incoming
489 * UDP packet, setting *from to the source address.
490 *
491 * Run after UDP read.
492 */
493 void
494 socks_process_incoming_udp (struct buffer *buf,
495 struct link_socket_actual *from)
496 {
497 int atyp;
498
499 if (BLEN (buf) < 10)
500 goto error;
501
502 buf_read_u16 (buf);
503 if (buf_read_u8 (buf) != 0)
504 goto error;
505
506 atyp = buf_read_u8 (buf);
507 if (atyp != 1) /* ATYP == 1 (IP V4) */
508 goto error;
509
510 buf_read (buf, &from->dest.sa.sin_addr, sizeof (from->dest.sa.sin_addr));
511 buf_read (buf, &from->dest.sa.sin_port, sizeof (from->dest.sa.sin_port));
512
513 return;
514
515 error:
516 buf->len = 0;
517 }
518
519 /*
520 * Add a 10 byte socks header prior to UDP write.
521 * *to is the destination address.
522 *
523 * Run before UDP write.
524 * Returns the size of the header.
525 */
526 int
527 socks_process_outgoing_udp (struct buffer *buf,
528 const struct link_socket_actual *to)
529 {
530 /*
531 * Get a 10 byte subset buffer prepended to buf --
532 * we expect these bytes will be here because
533 * we allocated frame space in socks_adjust_frame_parameters.
534 */
535 struct buffer head = buf_sub (buf, 10, true);
536
537 /* crash if not enough headroom in buf */
538 ASSERT (buf_defined (&head));
539
540 buf_write_u16 (&head, 0); /* RSV = 0 */
541 buf_write_u8 (&head, 0); /* FRAG = 0 */
542 buf_write_u8 (&head, '\x01'); /* ATYP = 1 (IP V4) */
543 buf_write (&head, &to->dest.sa.sin_addr, sizeof (to->dest.sa.sin_addr));
544 buf_write (&head, &to->dest.sa.sin_port, sizeof (to->dest.sa.sin_port));
545
546 return 10;
547 }
548
549 #else
550 static void dummy(void) {}
551 #endif /* ENABLE_SOCKS */
Tomato firmware and modifications.