diff options
Diffstat (limited to 'socks.c')
-rw-r--r-- | socks.c | 163 |
1 files changed, 144 insertions, 19 deletions
@@ -23,10 +23,11 @@ */ /* - * 2004-01-30: Added Socks5 proxy support + * 2004-01-30: Added Socks5 proxy support, see RFC 1928 * (Christof Meerwald, http://cmeerw.org) * - * see RFC 1928, only supports "no authentication" + * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929) + * (Pierre Bourdon <delroth@gmail.com>) */ #include "syshead.h" @@ -38,10 +39,12 @@ #include "win32.h" #include "socket.h" #include "fdmisc.h" +#include "misc.h" #include "proxy.h" #include "memdbg.h" +#define UP_TYPE_SOCKS "SOCKS Proxy" void socks_adjust_frame_parameters (struct frame *frame, int proto) @@ -53,6 +56,7 @@ socks_adjust_frame_parameters (struct frame *frame, int proto) struct socks_proxy_info * socks_proxy_new (const char *server, int port, + const char *authfile, bool retry, struct auto_proxy_info *auto_proxy_info) { @@ -77,6 +81,12 @@ socks_proxy_new (const char *server, strncpynt (p->server, server, sizeof (p->server)); p->port = port; + + if (authfile) + strncpynt (p->authfile, authfile, sizeof (p->authfile)); + else + p->authfile[0] = 0; + p->retry = retry; p->defined = true; @@ -90,15 +100,106 @@ socks_proxy_close (struct socks_proxy_info *sp) } static bool -socks_handshake (socket_descriptor_t sd, volatile int *signal_received) +socks_username_password_auth (struct socks_proxy_info *p, + socket_descriptor_t sd, + volatile int *signal_received) { + char to_send[516]; char buf[2]; int len = 0; const int timeout_sec = 5; + struct user_pass creds; + ssize_t size; + + creds.defined = 0; + get_user_pass (&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT); + + if( !creds.username || (strlen(creds.username) > 255) + || !creds.password || (strlen(creds.password) > 255) ) { + msg (M_NONFATAL, + "SOCKS username and/or password exceeds 255 characters. " + "Authentication not possible."); + return false; + } + openvpn_snprintf (to_send, sizeof (to_send), "\x01%c%s%c%s", (int) strlen(creds.username), + creds.username, (int) strlen(creds.password), creds.password); + size = send (sd, to_send, strlen(to_send), MSG_NOSIGNAL); + + if (size != strlen (to_send)) + { + msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port write failed on send()"); + return false; + } - /* VER = 5, NMETHODS = 1, METHODS = [0] */ - const ssize_t size = send (sd, "\x05\x01\x00", 3, MSG_NOSIGNAL); - if (size != 3) + while (len < 2) + { + int status; + ssize_t size; + fd_set reads; + struct timeval tv; + char c; + + FD_ZERO (&reads); + FD_SET (sd, &reads); + tv.tv_sec = timeout_sec; + tv.tv_usec = 0; + + status = select (sd + 1, &reads, NULL, NULL, &tv); + + get_signal (signal_received); + if (*signal_received) + return false; + + /* timeout? */ + if (status == 0) + { + msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read timeout expired"); + return false; + } + + /* error */ + if (status < 0) + { + msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read failed on select()"); + return false; + } + + /* read single char */ + size = recv(sd, &c, 1, MSG_NOSIGNAL); + + /* error? */ + if (size != 1) + { + msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read failed on recv()"); + return false; + } + + /* store char in buffer */ + buf[len++] = c; + } + + /* VER = 5, SUCCESS = 0 --> auth success */ + if (buf[0] != 5 && buf[1] != 0) + { + msg (D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication"); + return false; + } + + return true; +} + +static bool +socks_handshake (struct socks_proxy_info *p, + socket_descriptor_t sd, + volatile int *signal_received) +{ + char buf[2]; + int len = 0; + const int timeout_sec = 5; + + /* VER = 5, NMETHODS = 2, METHODS = [0 (no auth), 2 (plain login)] */ + const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL); + if (size != 4) { msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_handshake: TCP port write failed on send()"); return false; @@ -151,13 +252,37 @@ socks_handshake (socket_descriptor_t sd, volatile int *signal_received) buf[len++] = c; } - /* VER == 5 && METHOD == 0 */ - if (buf[0] != '\x05' || buf[1] != '\x00') + /* VER == 5 */ + if (buf[0] != '\x05') { msg (D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status"); return false; } + /* select the appropriate authentication method */ + switch (buf[1]) + { + case 0: /* no authentication */ + break; + + case 2: /* login/password */ + if (!p->authfile[0]) + { + msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were " + "not provided any credentials"); + return false; + } + + if (!socks_username_password_auth(p, sd, signal_received)) + return false; + + break; + + default: /* unknown auth method */ + msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method"); + return false; + } + return true; } @@ -174,9 +299,9 @@ recv_socks_reply (socket_descriptor_t sd, if (addr != NULL) { - addr->sa.sin_family = AF_INET; - addr->sa.sin_addr.s_addr = htonl (INADDR_ANY); - addr->sa.sin_port = htons (0); + addr->addr.in4.sin_family = AF_INET; + addr->addr.in4.sin_addr.s_addr = htonl (INADDR_ANY); + addr->addr.in4.sin_port = htons (0); } while (len < 4 + alen + 2) @@ -263,8 +388,8 @@ recv_socks_reply (socket_descriptor_t sd, /* ATYP == 1 (IP V4 address) */ if (atyp == '\x01' && addr != NULL) { - memcpy (&addr->sa.sin_addr, buf + 4, sizeof (addr->sa.sin_addr)); - memcpy (&addr->sa.sin_port, buf + 8, sizeof (addr->sa.sin_port)); + memcpy (&addr->addr.in4.sin_addr, buf + 4, sizeof (addr->addr.in4.sin_addr)); + memcpy (&addr->addr.in4.sin_port, buf + 8, sizeof (addr->addr.in4.sin_port)); } @@ -281,7 +406,7 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p, char buf[128]; size_t len; - if (!socks_handshake (sd, signal_received)) + if (!socks_handshake (p, sd, signal_received)) goto error; /* format Socks CONNECT message */ @@ -328,7 +453,7 @@ establish_socks_proxy_udpassoc (struct socks_proxy_info *p, struct openvpn_sockaddr *relay_addr, volatile int *signal_received) { - if (!socks_handshake (ctrl_sd, signal_received)) + if (!socks_handshake (p, ctrl_sd, signal_received)) goto error; { @@ -382,8 +507,8 @@ socks_process_incoming_udp (struct buffer *buf, if (atyp != 1) /* ATYP == 1 (IP V4) */ goto error; - buf_read (buf, &from->dest.sa.sin_addr, sizeof (from->dest.sa.sin_addr)); - buf_read (buf, &from->dest.sa.sin_port, sizeof (from->dest.sa.sin_port)); + buf_read (buf, &from->dest.addr.in4.sin_addr, sizeof (from->dest.addr.in4.sin_addr)); + buf_read (buf, &from->dest.addr.in4.sin_port, sizeof (from->dest.addr.in4.sin_port)); return; @@ -415,8 +540,8 @@ socks_process_outgoing_udp (struct buffer *buf, buf_write_u16 (&head, 0); /* RSV = 0 */ buf_write_u8 (&head, 0); /* FRAG = 0 */ buf_write_u8 (&head, '\x01'); /* ATYP = 1 (IP V4) */ - buf_write (&head, &to->dest.sa.sin_addr, sizeof (to->dest.sa.sin_addr)); - buf_write (&head, &to->dest.sa.sin_port, sizeof (to->dest.sa.sin_port)); + buf_write (&head, &to->dest.addr.in4.sin_addr, sizeof (to->dest.addr.in4.sin_addr)); + buf_write (&head, &to->dest.addr.in4.sin_port, sizeof (to->dest.addr.in4.sin_port)); return 10; } |