/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2018 OpenVPN Inc * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ /* * 2004-01-30: Added Socks5 proxy support, see RFC 1928 * (Christof Meerwald, http://cmeerw.org) * * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929) * (Pierre Bourdon ) */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #include "syshead.h" #include "common.h" #include "misc.h" #include "win32.h" #include "socket.h" #include "fdmisc.h" #include "misc.h" #include "proxy.h" #include "memdbg.h" #define UP_TYPE_SOCKS "SOCKS Proxy" void socks_adjust_frame_parameters(struct frame *frame, int proto) { if (proto == PROTO_UDP) { frame_add_to_extra_link(frame, 10); } } struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile) { struct socks_proxy_info *p; ALLOC_OBJ_CLEAR(p, struct socks_proxy_info); ASSERT(server); ASSERT(port); strncpynt(p->server, server, sizeof(p->server)); p->port = port; if (authfile) { strncpynt(p->authfile, authfile, sizeof(p->authfile)); } else { p->authfile[0] = 0; } p->defined = true; return p; } void socks_proxy_close(struct socks_proxy_info *sp) { free(sp); } static bool socks_username_password_auth(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received) { char to_send[516]; char buf[2]; int len = 0; const int timeout_sec = 5; struct user_pass creds; ssize_t size; creds.defined = 0; if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT)) { msg(M_NONFATAL, "SOCKS failed to get username/password."); return false; } if ( (strlen(creds.username) > 255) || (strlen(creds.password) > 255) ) { msg(M_NONFATAL, "SOCKS username and/or password exceeds 255 characters. " "Authentication not possible."); return false; } openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) strlen(creds.username), creds.username, (int) strlen(creds.password), creds.password); size = send(sd, to_send, strlen(to_send), MSG_NOSIGNAL); if (size != strlen(to_send)) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port write failed on send()"); return false; } while (len < 2) { int status; ssize_t size; fd_set reads; struct timeval tv; char c; FD_ZERO(&reads); openvpn_fd_set(sd, &reads); tv.tv_sec = timeout_sec; tv.tv_usec = 0; status = select(sd + 1, &reads, NULL, NULL, &tv); get_signal(signal_received); if (*signal_received) { return false; } /* timeout? */ if (status == 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read timeout expired"); return false; } /* error */ if (status < 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on select()"); return false; } /* read single char */ size = recv(sd, &c, 1, MSG_NOSIGNAL); /* error? */ if (size != 1) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on recv()"); return false; } /* store char in buffer */ buf[len++] = c; } /* VER = 5, SUCCESS = 0 --> auth success */ if (buf[0] != 5 && buf[1] != 0) { msg(D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication"); return false; } return true; } static bool socks_handshake(struct socks_proxy_info *p, socket_descriptor_t sd, volatile int *signal_received) { char buf[2]; int len = 0; const int timeout_sec = 5; ssize_t size; /* VER = 5, NMETHODS = 1, METHODS = [0 (no auth)] */ char method_sel[3] = { 0x05, 0x01, 0x00 }; if (p->authfile[0]) { method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */ } size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL); if (size != sizeof(method_sel)) { msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port write failed on send()"); return false; } while (len < 2) { int status; ssize_t size; fd_set reads; struct timeval tv; char c; FD_ZERO(&reads); openvpn_fd_set(sd, &reads); tv.tv_sec = timeout_sec; tv.tv_usec = 0; status = select(sd + 1, &reads, NULL, NULL, &tv); get_signal(signal_received); if (*signal_received) { return false; } /* timeout? */ if (status == 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read timeout expired"); return false; } /* error */ if (status < 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on select()"); return false; } /* read single char */ size = recv(sd, &c, 1, MSG_NOSIGNAL); /* error? */ if (size != 1) { msg(D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port read failed on recv()"); return false; } /* store char in buffer */ buf[len++] = c; } /* VER == 5 */ if (buf[0] != '\x05') { msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status"); return false; } /* validate that the auth method returned is the one sent */ if (buf[1] != method_sel[2]) { msg(D_LINK_ERRORS, "socks_handshake: Socks proxy returned unexpected auth"); return false; } /* select the appropriate authentication method */ switch (buf[1]) { case 0: /* no authentication */ break; case 2: /* login/password */ if (!p->authfile[0]) { msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were " "not provided any credentials"); return false; } if (!socks_username_password_auth(p, sd, signal_received)) { return false; } break; default: /* unknown auth method */ msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method"); return false; } return true; } static bool recv_socks_reply(socket_descriptor_t sd, struct openvpn_sockaddr *addr, volatile int *signal_received) { char atyp = '\0'; int alen = 0; int len = 0; char buf[22]; const int timeout_sec = 5; if (addr != NULL) { addr->addr.in4.sin_family = AF_INET; addr->addr.in4.sin_addr.s_addr = htonl(INADDR_ANY); addr->addr.in4.sin_port = htons(0); } while (len < 4 + alen + 2) { int status; ssize_t size; fd_set reads; struct timeval tv; char c; FD_ZERO(&reads); openvpn_fd_set(sd, &reads); tv.tv_sec = timeout_sec; tv.tv_usec = 0; status = select(sd + 1, &reads, NULL, NULL, &tv); get_signal(signal_received); if (*signal_received) { return false; } /* timeout? */ if (status == 0) { msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read timeout expired"); return false; } /* error */ if (status < 0) { msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on select()"); return false; } /* read single char */ size = recv(sd, &c, 1, MSG_NOSIGNAL); /* error? */ if (size != 1) { msg(D_LINK_ERRORS | M_ERRNO, "recv_socks_reply: TCP port read failed on recv()"); return false; } if (len == 3) { atyp = c; } if (len == 4) { switch (atyp) { case '\x01': /* IP V4 */ alen = 4; break; case '\x03': /* DOMAINNAME */ alen = (unsigned char) c; break; case '\x04': /* IP V6 */ alen = 16; break; default: msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad address type"); return false; } } /* store char in buffer */ if (len < (int)sizeof(buf)) { buf[len] = c; } ++len; } /* VER == 5 && REP == 0 (succeeded) */ if (buf[0] != '\x05' || buf[1] != '\x00') { msg(D_LINK_ERRORS, "recv_socks_reply: Socks proxy returned bad reply"); return false; } /* ATYP == 1 (IP V4 address) */ if (atyp == '\x01' && addr != NULL) { memcpy(&addr->addr.in4.sin_addr, buf + 4, sizeof(addr->addr.in4.sin_addr)); memcpy(&addr->addr.in4.sin_port, buf + 8, sizeof(addr->addr.in4.sin_port)); } return true; } static int port_from_servname(const char *servname) { int port = 0; port = atoi(servname); if (port >0 && port < 65536) { return port; } struct servent *service; service = getservbyname(servname, NULL); if (service) { return service->s_port; } return 0; } void establish_socks_proxy_passthru(struct socks_proxy_info *p, socket_descriptor_t sd, /* already open to proxy */ const char *host, /* openvpn server remote */ const char *servname, /* openvpn server port */ volatile int *signal_received) { char buf[128]; size_t len; if (!socks_handshake(p, sd, signal_received)) { goto error; } /* format Socks CONNECT message */ buf[0] = '\x05'; /* VER = 5 */ buf[1] = '\x01'; /* CMD = 1 (CONNECT) */ buf[2] = '\x00'; /* RSV */ buf[3] = '\x03'; /* ATYP = 3 (DOMAINNAME) */ len = strlen(host); len = (5 + len + 2 > sizeof(buf)) ? (sizeof(buf) - 5 - 2) : len; buf[4] = (char) len; memcpy(buf + 5, host, len); int port = port_from_servname(servname); if (port ==0) { msg(D_LINK_ERRORS, "establish_socks_proxy_passthrough: Cannot convert %s to port number", servname); goto error; } buf[5 + len] = (char) (port >> 8); buf[5 + len + 1] = (char) (port & 0xff); { const ssize_t size = send(sd, buf, 5 + len + 2, MSG_NOSIGNAL); if ((int)size != 5 + (int)len + 2) { msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()"); goto error; } } /* receive reply from Socks proxy and discard */ if (!recv_socks_reply(sd, NULL, signal_received)) { goto error; } return; error: if (!*signal_received) { *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */ } return; } void establish_socks_proxy_udpassoc(struct socks_proxy_info *p, socket_descriptor_t ctrl_sd, /* already open to proxy */ socket_descriptor_t udp_sd, struct openvpn_sockaddr *relay_addr, volatile int *signal_received) { if (!socks_handshake(p, ctrl_sd, signal_received)) { goto error; } { /* send Socks UDP ASSOCIATE message */ /* VER = 5, CMD = 3 (UDP ASSOCIATE), RSV = 0, ATYP = 1 (IP V4), * BND.ADDR = 0, BND.PORT = 0 */ const ssize_t size = send(ctrl_sd, "\x05\x03\x00\x01\x00\x00\x00\x00\x00\x00", 10, MSG_NOSIGNAL); if (size != 10) { msg(D_LINK_ERRORS | M_ERRNO, "establish_socks_proxy_passthru: TCP port write failed on send()"); goto error; } } /* receive reply from Socks proxy */ CLEAR(*relay_addr); if (!recv_socks_reply(ctrl_sd, relay_addr, signal_received)) { goto error; } return; error: if (!*signal_received) { *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- socks error */ } return; } /* * Remove the 10 byte socks5 header from an incoming * UDP packet, setting *from to the source address. * * Run after UDP read. */ void socks_process_incoming_udp(struct buffer *buf, struct link_socket_actual *from) { int atyp; if (BLEN(buf) < 10) { goto error; } buf_read_u16(buf); if (buf_read_u8(buf) != 0) { goto error; } atyp = buf_read_u8(buf); if (atyp != 1) /* ATYP == 1 (IP V4) */ { goto error; } buf_read(buf, &from->dest.addr.in4.sin_addr, sizeof(from->dest.addr.in4.sin_addr)); buf_read(buf, &from->dest.addr.in4.sin_port, sizeof(from->dest.addr.in4.sin_port)); return; error: buf->len = 0; } /* * Add a 10 byte socks header prior to UDP write. * *to is the destination address. * * Run before UDP write. * Returns the size of the header. */ int socks_process_outgoing_udp(struct buffer *buf, const struct link_socket_actual *to) { /* * Get a 10 byte subset buffer prepended to buf -- * we expect these bytes will be here because * we allocated frame space in socks_adjust_frame_parameters. */ struct buffer head = buf_sub(buf, 10, true); /* crash if not enough headroom in buf */ ASSERT(buf_defined(&head)); buf_write_u16(&head, 0); /* RSV = 0 */ buf_write_u8(&head, 0); /* FRAG = 0 */ buf_write_u8(&head, '\x01'); /* ATYP = 1 (IP V4) */ buf_write(&head, &to->dest.addr.in4.sin_addr, sizeof(to->dest.addr.in4.sin_addr)); buf_write(&head, &to->dest.addr.in4.sin_port, sizeof(to->dest.addr.in4.sin_port)); return 10; }