aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--init.c1
-rw-r--r--options.c8
-rw-r--r--options.h1
-rw-r--r--route.c8
-rw-r--r--socks.c138
-rw-r--r--socks.h2
-rw-r--r--tun.c147
7 files changed, 266 insertions, 39 deletions
diff --git a/init.c b/init.c
index 5f64c05..01bcfc0 100644
--- a/init.c
+++ b/init.c
@@ -417,6 +417,7 @@ init_proxy_dowork (struct context *c)
{
c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server,
c->options.ce.socks_proxy_port,
+ c->options.ce.socks_proxy_authfile,
c->options.ce.socks_proxy_retry,
c->options.auto_proxy_info);
if (c->c1.socks_proxy)
diff --git a/options.c b/options.c
index 717c5d7..bc6616b 100644
--- a/options.c
+++ b/options.c
@@ -128,8 +128,11 @@ static const char usage_message[] =
" AGENT user-agent\n"
#endif
#ifdef ENABLE_SOCKS
- "--socks-proxy s [p]: Connect to remote host through a Socks5 proxy at address\n"
- " s and port p (default port = 1080).\n"
+ "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
+ " address s and port p (default port = 1080).\n"
+ " If proxy authentication is required,\n"
+ " up is a file containing username/password on 2 lines, or\n"
+ " 'stdin' to prompt for console.\n"
"--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
#endif
"--resolv-retry n: If hostname resolve fails for --remote, retry\n"
@@ -4505,6 +4508,7 @@ add_option (struct options *options,
options->ce.socks_proxy_port = 1080;
}
options->ce.socks_proxy_server = p[1];
+ options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
}
else if (streq (p[0], "socks-proxy-retry"))
{
diff --git a/options.h b/options.h
index cb29d79..c51a10d 100644
--- a/options.h
+++ b/options.h
@@ -95,6 +95,7 @@ struct connection_entry
#ifdef ENABLE_SOCKS
const char *socks_proxy_server;
int socks_proxy_port;
+ const char *socks_proxy_authfile;
bool socks_proxy_retry;
#endif
diff --git a/route.c b/route.c
index 20f62d5..c63eb41 100644
--- a/route.c
+++ b/route.c
@@ -952,16 +952,14 @@ add_route (struct route *r, const struct tuntap *tt, unsigned int flags, const s
argv_printf (&argv, "%s add",
ROUTE_PATH);
-#if 0
- if (r->metric_defined)
- argv_printf_cat (&argv, "-rtt %d", r->metric);
-#endif
-
argv_printf_cat (&argv, "%s -netmask %s %s",
network,
netmask,
gateway);
+ if (r->metric_defined)
+ argv_printf_cat (&argv, "%d", r->metric);
+
argv_msg (D_ROUTE, &argv);
status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed");
diff --git a/socks.c b/socks.c
index 0c1bb3e..7c9edd1 100644
--- a/socks.c
+++ b/socks.c
@@ -23,10 +23,11 @@
*/
/*
- * 2004-01-30: Added Socks5 proxy support
+ * 2004-01-30: Added Socks5 proxy support, see RFC 1928
* (Christof Meerwald, http://cmeerw.org)
*
- * see RFC 1928, only supports "no authentication"
+ * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929)
+ * (Pierre Bourdon <delroth@gmail.com>)
*/
#include "syshead.h"
@@ -38,10 +39,12 @@
#include "win32.h"
#include "socket.h"
#include "fdmisc.h"
+#include "misc.h"
#include "proxy.h"
#include "memdbg.h"
+#define UP_TYPE_SOCKS "SOCKS Proxy"
void
socks_adjust_frame_parameters (struct frame *frame, int proto)
@@ -53,6 +56,7 @@ socks_adjust_frame_parameters (struct frame *frame, int proto)
struct socks_proxy_info *
socks_proxy_new (const char *server,
int port,
+ const char *authfile,
bool retry,
struct auto_proxy_info *auto_proxy_info)
{
@@ -77,6 +81,12 @@ socks_proxy_new (const char *server,
strncpynt (p->server, server, sizeof (p->server));
p->port = port;
+
+ if (authfile)
+ strncpynt (p->authfile, authfile, sizeof (p->authfile));
+ else
+ p->authfile[0] = 0;
+
p->retry = retry;
p->defined = true;
@@ -90,15 +100,99 @@ socks_proxy_close (struct socks_proxy_info *sp)
}
static bool
-socks_handshake (socket_descriptor_t sd, volatile int *signal_received)
+socks_username_password_auth (struct socks_proxy_info *p,
+ socket_descriptor_t sd,
+ volatile int *signal_received)
+{
+ char to_send[516];
+ char buf[2];
+ int len = 0;
+ const int timeout_sec = 5;
+ struct user_pass creds;
+ ssize_t size;
+
+ creds.defined = 0;
+
+ get_user_pass (&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT);
+ snprintf (to_send, sizeof (to_send), "\x01%c%s%c%s", strlen(creds.username),
+ creds.username, strlen(creds.password), creds.password);
+ size = send (sd, to_send, strlen(to_send), MSG_NOSIGNAL);
+
+ if (size != strlen (to_send))
+ {
+ msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port write failed on send()");
+ return false;
+ }
+
+ while (len < 2)
+ {
+ int status;
+ ssize_t size;
+ fd_set reads;
+ struct timeval tv;
+ char c;
+
+ FD_ZERO (&reads);
+ FD_SET (sd, &reads);
+ tv.tv_sec = timeout_sec;
+ tv.tv_usec = 0;
+
+ status = select (sd + 1, &reads, NULL, NULL, &tv);
+
+ get_signal (signal_received);
+ if (*signal_received)
+ return false;
+
+ /* timeout? */
+ if (status == 0)
+ {
+ msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read timeout expired");
+ return false;
+ }
+
+ /* error */
+ if (status < 0)
+ {
+ msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read failed on select()");
+ return false;
+ }
+
+ /* read single char */
+ size = recv(sd, &c, 1, MSG_NOSIGNAL);
+
+ /* error? */
+ if (size != 1)
+ {
+ msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read failed on recv()");
+ return false;
+ }
+
+ /* store char in buffer */
+ buf[len++] = c;
+ }
+
+ /* VER = 5, SUCCESS = 0 --> auth success */
+ if (buf[0] != 5 && buf[1] != 0)
+ {
+ msg (D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication");
+ return false;
+ }
+
+ return true;
+}
+
+static bool
+socks_handshake (struct socks_proxy_info *p,
+ socket_descriptor_t sd,
+ volatile int *signal_received)
{
char buf[2];
int len = 0;
const int timeout_sec = 5;
- /* VER = 5, NMETHODS = 1, METHODS = [0] */
- const ssize_t size = send (sd, "\x05\x01\x00", 3, MSG_NOSIGNAL);
- if (size != 3)
+ /* VER = 5, NMETHODS = 2, METHODS = [0 (no auth), 2 (plain login)] */
+ const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL);
+ if (size != 4)
{
msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_handshake: TCP port write failed on send()");
return false;
@@ -151,13 +245,37 @@ socks_handshake (socket_descriptor_t sd, volatile int *signal_received)
buf[len++] = c;
}
- /* VER == 5 && METHOD == 0 */
- if (buf[0] != '\x05' || buf[1] != '\x00')
+ /* VER == 5 */
+ if (buf[0] != '\x05')
{
msg (D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status");
return false;
}
+ /* select the appropriate authentication method */
+ switch (buf[1])
+ {
+ case 0: /* no authentication */
+ break;
+
+ case 2: /* login/password */
+ if (!p->authfile[0])
+ {
+ msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were "
+ "not provided any credentials");
+ return false;
+ }
+
+ if (!socks_username_password_auth(p, sd, signal_received))
+ return false;
+
+ break;
+
+ default: /* unknown auth method */
+ msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method");
+ return false;
+ }
+
return true;
}
@@ -281,7 +399,7 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p,
char buf[128];
size_t len;
- if (!socks_handshake (sd, signal_received))
+ if (!socks_handshake (p, sd, signal_received))
goto error;
/* format Socks CONNECT message */
@@ -328,7 +446,7 @@ establish_socks_proxy_udpassoc (struct socks_proxy_info *p,
struct openvpn_sockaddr *relay_addr,
volatile int *signal_received)
{
- if (!socks_handshake (ctrl_sd, signal_received))
+ if (!socks_handshake (p, ctrl_sd, signal_received))
goto error;
{
diff --git a/socks.h b/socks.h
index 702aa06..b748bb3 100644
--- a/socks.h
+++ b/socks.h
@@ -43,12 +43,14 @@ struct socks_proxy_info {
char server[128];
int port;
+ char authfile[256];
};
void socks_adjust_frame_parameters (struct frame *frame, int proto);
struct socks_proxy_info *socks_proxy_new (const char *server,
int port,
+ const char *authfile,
bool retry,
struct auto_proxy_info *auto_proxy_info);
diff --git a/tun.c b/tun.c
index 10dde6b..0e4476e 100644
--- a/tun.c
+++ b/tun.c
@@ -63,6 +63,7 @@ static const char *netsh_get_id (const char *dev_node, struct gc_arena *gc);
#ifdef TARGET_SOLARIS
static void solaris_error_close (struct tuntap *tt, const struct env_set *es, const char *actual);
+#include <stropts.h>
#endif
bool
@@ -701,12 +702,45 @@ do_ifconfig (struct tuntap *tt,
);
}
else
- no_tap_ifconfig ();
+ if (tt->topology == TOP_SUBNET)
+ {
+ argv_printf (&argv,
+ "%s %s %s %s netmask %s mtu %d up",
+ IFCONFIG_PATH,
+ actual,
+ ifconfig_local,
+ ifconfig_local,
+ ifconfig_remote_netmask,
+ tun_mtu
+ );
+ }
+ else
+ argv_printf (&argv,
+ " %s %s %s netmask %s broadcast + up",
+ IFCONFIG_PATH,
+ actual,
+ ifconfig_local,
+ ifconfig_remote_netmask
+ );
argv_msg (M_INFO, &argv);
if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig phase-2 failed"))
solaris_error_close (tt, es, actual);
+ if (!tun && tt->topology == TOP_SUBNET)
+ {
+ /* Add a network route for the local tun interface */
+ struct route r;
+ CLEAR (r);
+ r.defined = true;
+ r.network = tt->local & tt->remote_netmask;
+ r.netmask = tt->remote_netmask;
+ r.gateway = tt->local;
+ r.metric_defined = true;
+ r.metric = 0;
+ add_route (&r, tt, 0, es);
+ }
+
tt->did_ifconfig = true;
#elif defined(TARGET_OPENBSD)
@@ -1372,15 +1406,17 @@ read_tun (struct tuntap* tt, uint8_t *buf, int len)
void
open_tun (const char *dev, const char *dev_type, const char *dev_node, bool ipv6, struct tuntap *tt)
{
- int if_fd, muxid, ppa = -1;
- struct ifreq ifr;
+ int if_fd, ip_muxid, arp_muxid, arp_fd, ppa = -1;
+ struct lifreq ifr;
const char *ptr;
- const char *ip_node;
+ const char *ip_node, *arp_node;
const char *dev_tuntap_type;
int link_type;
bool is_tun;
+ struct strioctl strioc_if, strioc_ppa;
- ipv6_support (ipv6, false, tt);
+ ipv6_support (ipv6, true, tt);
+ memset(&ifr, 0x0, sizeof(ifr));
if (tt->type == DEV_TYPE_NULL)
{
@@ -1399,9 +1435,10 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, bool ipv6
}
else if (tt->type == DEV_TYPE_TAP)
{
- ip_node = "/dev/ip";
+ ip_node = "/dev/udp";
if (!dev_node)
dev_node = "/dev/tap";
+ arp_node = dev_node;
dev_tuntap_type = "tap";
link_type = I_PLINK; /* was: I_LINK */
is_tun = false;
@@ -1428,7 +1465,11 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, bool ipv6
msg (M_ERR, "Can't open %s", dev_node);
/* Assign a new PPA and get its unit number. */
- if ((ppa = ioctl (tt->fd, TUNNEWPPA, ppa)) < 0)
+ strioc_ppa.ic_cmd = TUNNEWPPA;
+ strioc_ppa.ic_timout = 0;
+ strioc_ppa.ic_len = sizeof(ppa);
+ strioc_ppa.ic_dp = (char *)&ppa;
+ if ((ppa = ioctl (tt->fd, I_STR, &strioc_ppa)) < 0)
msg (M_ERR, "Can't assign new interface");
if ((if_fd = open (dev_node, O_RDWR, 0)) < 0)
@@ -1437,27 +1478,83 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, bool ipv6
if (ioctl (if_fd, I_PUSH, "ip") < 0)
msg (M_ERR, "Can't push IP module");
+ if (tt->type == DEV_TYPE_TUN)
+ {
/* Assign ppa according to the unit number returned by tun device */
if (ioctl (if_fd, IF_UNITSEL, (char *) &ppa) < 0)
msg (M_ERR, "Can't set PPA %d", ppa);
-
- if ((muxid = ioctl (tt->ip_fd, link_type, if_fd)) < 0)
- msg (M_ERR, "Can't link %s device to IP", dev_tuntap_type);
-
- close (if_fd);
+ }
tt->actual_name = (char *) malloc (32);
check_malloc_return (tt->actual_name);
openvpn_snprintf (tt->actual_name, 32, "%s%d", dev_tuntap_type, ppa);
+ if (tt->type == DEV_TYPE_TAP)
+ {
+ if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0)
+ msg (M_ERR, "Can't get flags\n");
+ strncpynt (ifr.lifr_name, tt->actual_name, sizeof (ifr.lifr_name));
+ ifr.lifr_ppa = ppa;
+ /* Assign ppa according to the unit number returned by tun device */
+ if (ioctl (if_fd, SIOCSLIFNAME, &ifr) < 0)
+ msg (M_ERR, "Can't set PPA %d", ppa);
+ if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) <0)
+ msg (M_ERR, "Can't get flags\n");
+ /* Push arp module to if_fd */
+ if (ioctl (if_fd, I_PUSH, "arp") < 0)
+ msg (M_ERR, "Can't push ARP module");
+
+ /* Pop any modules on the stream */
+ while (true)
+ {
+ if (ioctl (tt->ip_fd, I_POP, NULL) < 0)
+ break;
+ }
+ /* Push arp module to ip_fd */
+ if (ioctl (tt->ip_fd, I_PUSH, "arp") < 0)
+ msg (M_ERR, "Can't push ARP module\n");
+
+ /* Open arp_fd */
+ if ((arp_fd = open (arp_node, O_RDWR, 0)) < 0)
+ msg (M_ERR, "Can't open %s\n", arp_node);
+ /* Push arp module to arp_fd */
+ if (ioctl (arp_fd, I_PUSH, "arp") < 0)
+ msg (M_ERR, "Can't push ARP module\n");
+
+ /* Set ifname to arp */
+ strioc_if.ic_cmd = SIOCSLIFNAME;
+ strioc_if.ic_timout = 0;
+ strioc_if.ic_len = sizeof(ifr);
+ strioc_if.ic_dp = (char *)&ifr;
+ if (ioctl(arp_fd, I_STR, &strioc_if) < 0){
+ msg (M_ERR, "Can't set ifname to arp\n");
+ }
+ }
+
+ if ((ip_muxid = ioctl (tt->ip_fd, link_type, if_fd)) < 0)
+ msg (M_ERR, "Can't link %s device to IP", dev_tuntap_type);
+
+ if (tt->type == DEV_TYPE_TAP) {
+ if ((arp_muxid = ioctl (tt->ip_fd, link_type, arp_fd)) < 0)
+ msg (M_ERR, "Can't link %s device to ARP", dev_tuntap_type);
+ close (arp_fd);
+ }
+
CLEAR (ifr);
- strncpynt (ifr.ifr_name, tt->actual_name, sizeof (ifr.ifr_name));
- ifr.ifr_ip_muxid = muxid;
+ strncpynt (ifr.lifr_name, tt->actual_name, sizeof (ifr.lifr_name));
+ ifr.lifr_ip_muxid = ip_muxid;
+ if (tt->type == DEV_TYPE_TAP) {
+ ifr.lifr_arp_muxid = arp_muxid;
+ }
- if (ioctl (tt->ip_fd, SIOCSIFMUXID, &ifr) < 0)
+ if (ioctl (tt->ip_fd, SIOCSLIFMUXID, &ifr) < 0)
{
- ioctl (tt->ip_fd, I_PUNLINK, muxid);
+ if (tt->type == DEV_TYPE_TAP)
+ {
+ ioctl (tt->ip_fd, I_PUNLINK , arp_muxid);
+ }
+ ioctl (tt->ip_fd, I_PUNLINK, ip_muxid);
msg (M_ERR, "Can't set multiplexor id");
}
@@ -1475,18 +1572,24 @@ solaris_close_tun (struct tuntap *tt)
{
if (tt->ip_fd >= 0)
{
- struct ifreq ifr;
+ struct lifreq ifr;
CLEAR (ifr);
- strncpynt (ifr.ifr_name, tt->actual_name, sizeof (ifr.ifr_name));
+ strncpynt (ifr.lifr_name, tt->actual_name, sizeof (ifr.lifr_name));
- if (ioctl (tt->ip_fd, SIOCGIFFLAGS, &ifr) < 0)
+ if (ioctl (tt->ip_fd, SIOCGLIFFLAGS, &ifr) < 0)
msg (M_WARN | M_ERRNO, "Can't get iface flags");
- if (ioctl (tt->ip_fd, SIOCGIFMUXID, &ifr) < 0)
+ if (ioctl (tt->ip_fd, SIOCGLIFMUXID, &ifr) < 0)
msg (M_WARN | M_ERRNO, "Can't get multiplexor id");
- if (ioctl (tt->ip_fd, I_PUNLINK, ifr.ifr_ip_muxid) < 0)
- msg (M_WARN | M_ERRNO, "Can't unlink interface");
+ if (tt->type == DEV_TYPE_TAP)
+ {
+ if (ioctl (tt->ip_fd, I_PUNLINK, ifr.lifr_arp_muxid) < 0)
+ msg (M_WARN | M_ERRNO, "Can't unlink interface(arp)");
+ }
+
+ if (ioctl (tt->ip_fd, I_PUNLINK, ifr.lifr_ip_muxid) < 0)
+ msg (M_WARN | M_ERRNO, "Can't unlink interface(ip)");
close (tt->ip_fd);
tt->ip_fd = -1;