/* * Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2005, 2008, 2009, 2010, * 2011, 2012, 2013, 2014 * Inferno Nettverk A/S, Norway. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. The above copyright notice, this list of conditions and the following * disclaimer must appear in all copies of the software, derivative works * or modified versions, and any portions thereof, aswell as in all * supporting documentation. * 2. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by * Inferno Nettverk A/S, Norway. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * Inferno Nettverk A/S requests users of this software to return to * * Software Distribution Coordinator or sdc@inet.no * Inferno Nettverk A/S * Oslo Research Park * Gaustadalléen 21 * NO-0349 Oslo * Norway * * any improvements or extensions that they make and grant Inferno Nettverk A/S * the rights to redistribute these changes. * */ #include "common.h" static const char rcsid[] = "$Id: sockd_protocol.c,v 1.214.4.1 2014/08/15 18:16:43 karls Exp $"; #if SOCKS_SERVER static negotiate_result_t recv_v4req(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_v5req(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_methods(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_ver(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_cmd(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_flag(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_sockshost(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_atyp(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_port(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_address(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_domain(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t recv_username(int s, request_t *request, negotiate_state_t *state); static negotiate_result_t methodnegotiate(int s, request_t *request, negotiate_state_t *state); #endif /* SOCKS_SERVER */ negotiate_result_t recv_clientrequest(s, request, state) int s; request_t *request; negotiate_state_t *state; { const char *function = "recv_clientrequest()"; #if HAVE_NEGOTIATE_PHASE negotiate_result_t rc; #endif /* HAVE_NEGOTIATE_PHASE */ slog(LOG_DEBUG, "%s: fd %d, client %s, state->complete: %d, read so far: %lu", function, s, sockshost2string(&state->src, NULL, 0), state->complete, (unsigned long)state->reqread); if (state->complete) return NEGOTIATE_FINISHED; #if HAVE_NEGOTIATE_PHASE #if SOCKS_SERVER CTASSERT(sizeof(state->mem) > (MAXMETHODS + MAXNAMELEN + MAXPWLEN)); #endif /* SOCKS_SERVER */ if (state->rcurrent != NULL) /* not first call on this client. */ rc = state->rcurrent(s, request, state); else { char src[MAXSOCKSHOSTSTRING], dst[sizeof(src)]; #if SOCKS_SERVER INIT(sizeof(request->version)); CHECK(&request->version, request->auth, NULL); switch (request->version) { case PROXY_SOCKS_V4: state->rcurrent = recv_v4req; break; case PROXY_SOCKS_V5: state->rcurrent = recv_v5req; break; default: snprintf(state->emsg, sizeof(state->emsg), "unknown SOCKS version %d in client request", request->version); return NEGOTIATE_ERROR; } #elif COVENANT state->rcurrent = recv_httprequest; #else /* !COVENANT */ SASSERTX(0); /* should never have been called. */ #endif slog(LOG_DEBUG, "%s: initiating negotiation with client at %s " "which connected to us on %s", function, sockshost2string(&state->src, src, sizeof(src)), sockshost2string(&state->dst, dst, sizeof(dst))); rc = state->rcurrent(s, request, state); } state->complete = (rc == NEGOTIATE_FINISHED); return rc; #else /* !HAVE_NEGOTIATE_PHASE */ SASSERTX(state->complete); return NEGOTIATE_FINISHED; /* NOTREACHED */ #endif /* !HAVE_NEGOTIATE_PHASE */ } #if HAVE_NEGOTIATE_PHASE void send_failure(s, response, failure) const int s; response_t *response; const unsigned int failure; { const char *function = "send_failure()"; socks_set_responsevalue(response, sockscode(response->version, failure)); if (send_response(s, response) != 0) slog(LOG_DEBUG, "%s: could not send failure to client: %s", function, strerror(errno)); #if HAVE_GSSAPI if (response->auth->method == AUTHMETHOD_GSSAPI && response->auth->mdata.gssapi.state.id != GSS_C_NO_CONTEXT) { OM_uint32 major_status, minor_status; char buf[512]; if ((major_status = gss_delete_sec_context(&minor_status, &response->auth->mdata.gssapi.state.id, GSS_C_NO_BUFFER)) != GSS_S_COMPLETE) { if (!gss_err_isset(major_status, minor_status, buf, sizeof(buf))) *buf = NUL; swarn("%s: gss_delete_sec_context() failed%s%s", function, *buf == NUL ? "" : ": ", *buf == NUL ? "" : buf); } } #endif /* HAVE_GSSAPI */ } int send_response(s, response) int s; const response_t *response; { const char *function = "send_response()"; iobuffer_t *tmpiobuf; sendto_info_t sendtoflags; ssize_t sent; size_t length; #if SOCKS_SERVER unsigned char responsemem[sizeof(*response)], *p = responsemem; #else /* !SOCKS_SERVER */ char responsemem[1024], *p = responsemem; #endif switch (response->version) { #if SOCKS_SERVER case PROXY_SOCKS_V4REPLY_VERSION: /* * socks V4 reply packet: * * VN CD DSTPORT DSTIP * 1 + 1 + 2 + 4 * * Always 8 octets long. */ memcpy(p, &response->version, sizeof(response->version)); p += sizeof(response->version); /* CD (reply) */ memcpy(p, &response->reply.socks, sizeof(response->reply.socks)); p += sizeof(response->reply.socks); p = sockshost2mem(&response->host, p, response->version); length = p - responsemem; break; case PROXY_SOCKS_V5: /* * socks V5 reply: * * +----+-----+-------+------+----------+----------+ * |VER | REP | FLAG | ATYP | BND.ADDR | BND.PORT | * +----+-----+-------+------+----------+----------+ * | 1 | 1 | 1 | 1 | Variable | 2 | * +----+-----+-------+------+----------+----------+ * 1 1 1 1 2 * * Which gives a fixed size of at least 6 octets. * The first octet of DST.ADDR when it is SOCKS_ADDR_DOMAINNAME * contains the length. * */ /* VER */ memcpy(p, &response->version, sizeof(response->version)); p += sizeof(response->version); /* REP */ memcpy(p, &response->reply.socks, sizeof(response->reply.socks)); p += sizeof(response->reply.socks); /* FLAG */ memcpy(p, &response->flag, sizeof(response->flag)); p += sizeof(response->flag); p = sockshost2mem(&response->host, p, response->version); break; #elif COVENANT /* !SOCKS_SERVER */ case PROXY_HTTP_10: case PROXY_HTTP_11: { size_t l; l = httpresponse2mem(s, response, responsemem, sizeof(responsemem)); p += l; break; } #endif /* COVENANT */ default: SERRX(response->version); } length = p - responsemem; #if SOCKS_SERVER slog(LOG_DEBUG, "%s: sending response: %s, authmethod %d", function, socks_packet2string(response, 0), response->auth->method); #else /* COVENANT */ slog(LOG_DEBUG, "%s: sending response:\n%s", function, responsemem); #endif /* * If sending response from a process that normally does not send * any response, and thus does not allocate a buffer for this fd. */ if (socks_getbuffer(s) == NULL) tmpiobuf = socks_allocbuffer(s, SOCK_STREAM); else tmpiobuf = NULL; bzero(&sendtoflags, sizeof(sendtoflags)); sendtoflags.side = INTERNALIF; sent = socks_sendton(s, responsemem, length, 1, 0, NULL, 0, &sendtoflags, response->auth); if (tmpiobuf != NULL) socks_freebuffer(s); if (sent != (ssize_t)length) { slog(LOG_DEBUG, "%s: socks_sendton(): %ld/%lu: %s", function, (long)sent, (long unsigned)length, strerror(errno)); return -1; } return 0; } int send_connectresponse(s, error, io) const int s; const int error; sockd_io_t *io; { response_t response; create_response( #if SOCKS_SERVER sockaddr2sockshost(&io->dst.laddr, NULL), #elif COVENANT &io->dst.host, #else /* !COVENANT */ #error "who are we?" #endif &io->src.auth, io->state.proxyprotocol, error == 0 ? SOCKS_SUCCESS : (int)errno2reply(error, io->state.proxyprotocol), &response); if (send_response(s, &response) != 0) return -1; return 0; } response_t * create_response(host, auth, version, responsecode, response) const sockshost_t *host; authmethod_t *auth; const int version; const int responsecode; response_t *response; { bzero(response, sizeof(*response)); response->auth = auth; switch (version) { #if SOCKS_SERVER case PROXY_SOCKS_V4: response->version = PROXY_SOCKS_V4REPLY_VERSION; break; case PROXY_SOCKS_V5: #elif COVENANT /* !SOCKS_SERVER */ case PROXY_HTTP_10: case PROXY_HTTP_11: #endif /* COVENANT */ response->version = version; break; default: SERRX(version); } if (host != NULL) response->host = *host; else response->host.atype = SOCKS_ADDR_IPV4; /* rest can be 0. */ socks_set_responsevalue(response, sockscode(version, responsecode)); return response; } #if SOCKS_SERVER negotiate_result_t recv_sockspacket(s, request, state) int s; request_t *request; negotiate_state_t *state; { return recv_ver(s, request, state); } static negotiate_result_t recv_v4req (s, request, state) int s; request_t *request; negotiate_state_t *state; { /* * v4 request: * VN CD DSTPORT DSTIP USERID NUL * 1 + 1 + 2 + 4 + ? + 1 * * so minimum length is 9. */ /* * No methods supported in v4. */ request->auth->method = AUTHMETHOD_NONE; /* CD */ state->rcurrent = recv_cmd; return state->rcurrent(s, request, state); } static negotiate_result_t recv_v5req (s, request, state) int s; request_t *request; negotiate_state_t *state; { /* * method negotiation; * client first sends method selection message: * * +----+----------+----------+ * |VER | NMETHODS | METHODS | * +----+----------+----------+ * | 1 | 1 | 1 to 255 | * +----+----------+----------+ */ /* * then the request: * * +----+-----+-------+------+----------+----------+ * |VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT | * +----+-----+-------+------+----------+----------+ * | 1 | 1 | X'00' | 1 | Variable | 2 | * +----+-----+-------+------+----------+----------+ * * 1 1 1 1 ? 2 * * Since the request can contain different address types * we do not know how long the request is before we have * read the address type (ATYP) field. * */ /* NMETHODS */ INIT(sizeof(char)); CHECK(&state->mem[start], request->auth, NULL); /* LINTED conversion from 'int' may lose accuracy */ OCTETIFY(state->mem[start]); state->rcurrent = recv_methods; return state->rcurrent(s, request, state); } static negotiate_result_t recv_methods(s, request, state) int s; request_t *request; negotiate_state_t *state; { const char *function = "recv_methods()"; sendto_info_t sendtoflags; const unsigned char methodc = state->mem[AUTH_NMETHODS]; unsigned char reply[ 1 /* VERSION */ + 1 /* METHOD */ ]; char buf[(AUTHMETHOD_MAX + 1) * (sizeof("0x00 (some methodname") + sizeof(", ")) + 1]; size_t bufused; int i; INIT(methodc); CHECK(&state->mem[start], request->auth, NULL); *buf = NUL; for (i = bufused = 0; i < methodc; ++i) bufused += snprintf(&buf[bufused], sizeof(buf) - bufused, "0x%x (%s), ", state->mem[start + i], method2string(state->mem[start + i])); if (bufused >= sizeof(buf) - 1) swarnx("%s: suspiciously many (%u) methods offered by client %s", function, methodc, sockshost2string(&state->src, NULL, 0)); if (bufused >= strlen(", ") && buf[bufused - strlen(", ")] == ',') buf[bufused - strlen(", ")] = NUL; slog(LOG_DEBUG, "%s: client %s offered %d authentication method%s: %s", function, sockshost2string(&state->src, NULL, 0), methodc, methodc == 1 ? "" : "s", buf); switch (request->auth->method) { case AUTHMETHOD_NOTSET: slog(LOG_DEBUG, "%s: socksmethod to use not set, selecting amongst the " "following %lu method%s: %s", function, (unsigned long)state->crule->state.smethodc, (unsigned long)state->crule->state.smethodc == 1 ? "" : "s", methods2string(state->crule->state.smethodc, state->crule->state.smethodv, NULL, 0)); request->auth->method = selectmethod(state->crule->state.smethodv, state->crule->state.smethodc, &state->mem[start], (size_t)methodc); break; default: { /* * Socks-methods that can be decided for use before we receive * the actual request. Normally only gssapi, but if the * rule has singleauth enabled and the client matches the * criteria for it, the socks-method will also have been * chosen already (should be NONE). */ size_t i; slog(LOG_DEBUG, "%s: method %d already chosen for this rule, not selecting again", function, request->auth->method); for (i = 0; i < methodc; ++i) if (state->mem[start + i] == request->auth->method) break; if (i >= methodc) request->auth->method = AUTHMETHOD_NOACCEPT; break; } } /* send reply: * * +----+--------+ * |VER | METHOD | * +----+--------+ * | 1 | 1 | * +----+--------+ */ slog(LOG_DEBUG, "%s: sending authentication reply: VER: %d METHOD: %d (%s)", function, request->version, request->auth->method, method2string(request->auth->method)); reply[AUTH_VERSION] = request->version; reply[AUTH_SELECTEDMETHOD] = (unsigned char)request->auth->method; bzero(&sendtoflags, sizeof(sendtoflags)); sendtoflags.side = EXTERNALIF; if (socks_sendton(s, reply, sizeof(reply), sizeof(reply), 0, NULL, 0, &sendtoflags, request->auth) != sizeof(reply)) return NEGOTIATE_ERROR; if (request->auth->method == AUTHMETHOD_NOACCEPT) { snprintf(state->emsg, sizeof(state->emsg), "client offered no acceptable authentication method"); return NEGOTIATE_ERROR; } state->rcurrent = methodnegotiate; return NEGOTIATE_CONTINUE; /* presumably client is awaiting our response. */ } static negotiate_result_t methodnegotiate(s, request, state) int s; request_t *request; negotiate_state_t *state; { /* authentication method dependent negotiation */ switch (request->auth->method) { case AUTHMETHOD_NONE: state->rcurrent = recv_sockspacket; break; #if HAVE_GSSAPI case AUTHMETHOD_GSSAPI: state->rcurrent = method_gssapi; break; #endif /* HAVE_GSSAPI */ case AUTHMETHOD_UNAME: state->rcurrent = method_uname; break; default: SERRX(request->auth->method); } return state->rcurrent(s, request, state); } static negotiate_result_t recv_ver(s, request, state) int s; request_t *request; negotiate_state_t *state; { /* VER */ { INIT(sizeof(request->version)); CHECK(&request->version, request->auth, NULL); switch (request->version) { case PROXY_SOCKS_V4: case PROXY_SOCKS_V5: break; default: slog(LOG_DEBUG, "unknown version %d in request", request->version); return NEGOTIATE_ERROR; } } state->rcurrent = recv_cmd; return state->rcurrent(s, request, state); } static negotiate_result_t recv_cmd(s, request, state) int s; request_t *request; negotiate_state_t *state; { const char *function = "recv_cmd()"; INIT(sizeof(request->command)); CHECK(&request->command, request->auth, NULL); switch (request->command) { case SOCKS_BIND: case SOCKS_CONNECT: request->protocol = SOCKS_TCP; break; case SOCKS_UDPASSOCIATE: request->protocol = SOCKS_UDP; break; default: snprintf(state->emsg, sizeof(state->emsg), "unknown %s command: %d", proxyprotocol2string(request->version), request->command); return NEGOTIATE_ERROR; } switch (request->version) { case PROXY_SOCKS_V4: state->rcurrent = recv_sockshost; break; case PROXY_SOCKS_V5: state->rcurrent = recv_flag; break; default: SERRX(request->version); } return state->rcurrent(s, request, state); } static negotiate_result_t recv_flag(s, request, state) int s; request_t *request; negotiate_state_t *state; { INIT(sizeof(request->flag)); CHECK(&request->flag, request->auth, recv_sockshost); SERRX(0); /* NOTREACHED */ } static negotiate_result_t recv_sockshost(s, request, state) int s; request_t *request; negotiate_state_t *state; { switch (request->version) { case PROXY_SOCKS_V4: state->rcurrent = recv_port; break; case PROXY_SOCKS_V5: state->rcurrent = recv_atyp; break; default: SERRX(request->version); } return state->rcurrent(s, request, state); } static negotiate_result_t recv_atyp(s, request, state) int s; request_t *request; negotiate_state_t *state; { INIT(sizeof(request->host.atype)); CHECK(&request->host.atype, request->auth, recv_address); SERRX(0); /* NOTREACHED */ } static negotiate_result_t recv_address(s, request, state) int s; request_t *request; negotiate_state_t *state; { switch (request->version) { case PROXY_SOCKS_V4: { INIT(sizeof(request->host.addr.ipv4)); /* only one supported in v4. */ request->host.atype = SOCKS_ADDR_IPV4; CHECK(&request->host.addr.ipv4, request->auth, recv_username); SERRX(0); /* NOTREACHED */ } case PROXY_SOCKS_V5: switch(request->host.atype) { case SOCKS_ADDR_IPV4: { INIT(sizeof(request->host.addr.ipv4)); CHECK(&request->host.addr.ipv4, request->auth, recv_port); SERRX(0); /* NOTREACHED */ } case SOCKS_ADDR_IPV6: { INIT(sizeof(request->host.addr.ipv6.ip)); CHECK(&request->host.addr.ipv6.ip, request->auth, recv_port); SERRX(0); /* NOTREACHED */ } case SOCKS_ADDR_DOMAIN: { INIT(sizeof(*request->host.addr.domain)); CHECK(request->host.addr.domain, request->auth, NULL); /* LINTED conversion from 'int' may lose accuracy */ OCTETIFY(*request->host.addr.domain); state->rcurrent = recv_domain; return state->rcurrent(s, request, state); } default: snprintf(state->emsg, sizeof(state->emsg), "unknown %s command: %d", proxyprotocol2string(request->version), request->command); return NEGOTIATE_ERROR; } default: SERRX(request->version); } SERRX(0); /* NOTREACHED */ } static negotiate_result_t recv_domain(s, request, state) int s; request_t *request; negotiate_state_t *state; { unsigned char alen; /* first byte gives length. */ INIT((unsigned char)*request->host.addr.domain); CHECK(request->host.addr.domain + 1, request->auth, NULL); alen = *request->host.addr.domain; /* convert to C string. */ memmove(request->host.addr.domain, request->host.addr.domain + 1, (size_t)alen); request->host.addr.domain[alen] = NUL; state->rcurrent = recv_port; return state->rcurrent(s, request, state); } static negotiate_result_t recv_port(s, request, state) int s; request_t *request; negotiate_state_t *state; { INIT(sizeof(request->host.port)); CHECK(&request->host.port, request->auth, NULL); switch (request->version) { case PROXY_SOCKS_V4: state->rcurrent = recv_address; /* in v4, address after port. */ return state->rcurrent(s, request, state); case PROXY_SOCKS_V5: return NEGOTIATE_FINISHED; /* all done. */ default: SERRX(request->version); } SERRX(0); /* NOTREACHED */ } static negotiate_result_t recv_username(s, request, state) int s; request_t *request; negotiate_state_t *state; { const char *function = "recv_username()"; char *username = (char *)&state->mem[sizeof(request->version) + sizeof(request->command) + sizeof(request->host.port) + sizeof(request->host.addr.ipv4)]; /* read until 0. */ do { INIT(MIN(1, MEMLEFT())); if (MEMLEFT() == 0) { char visstring[MAXNAMELEN * 4 + 1]; /* * Normally this would indicate an internal error and thus * be caught in CHECK(), but for the v4 case it could be * someone sending a really long username, which is strange * enough to log a warning about, but not an internal error. */ state->mem[state->reqread - 1] = NUL; snprintf(state->emsg, sizeof(state->emsg), "%s username received from client is too long. Max length " "s %lu, length of received name is longer than %lu: " "\"%s ...\"", proxyprotocol2string(request->version), (unsigned long)(MAXNAMELEN - 1), (unsigned long)strlen(username), str2vis(username, strlen(username), visstring, sizeof(visstring))); slog(LOG_NOTICE, "%s: strange data from client %s: %s", function, sockshost2string(&state->src, NULL, 0), state->emsg); return NEGOTIATE_ERROR; } CHECK(&state->mem[start], request->auth, NULL); /* * Since we don't know how long the username is, we can only read one * byte at a time. We don't want CHECK() to set state->rcurrent to * NULL after each successful read of that one byte, since * recv_clientrequest() will then think we are starting from the * beginning next time we call it. */ state->rcurrent = recv_username; } while (state->mem[state->reqread - 1] != 0); state->mem[state->reqread - 1] = NUL; /* style. */ slog(LOG_DEBUG, "%s: got socks v4 username: \"%s\"", function, username); state->rcurrent = NULL; return NEGOTIATE_FINISHED; /* end of request. */ } #endif /* SOCKS_SERVER */ #endif /* HAVE_NEGOTIATE_PHASE */