usr.bin/nc/socks.c

*01d44e2bSdjm/*	$OpenBSD: socks.c,v 1.31 2022/06/08 20:20:26 djm Exp $	*/
fbaf6de6Sjakob
fbaf6de6Sjakob/*
fbaf6de6Sjakob * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
6ec9605aSdjm * Copyright (c) 2004, 2005 Damien Miller.  All rights reserved.
fbaf6de6Sjakob *
fbaf6de6Sjakob * Redistribution and use in source and binary forms, with or without
fbaf6de6Sjakob * modification, are permitted provided that the following conditions
fbaf6de6Sjakob * are met:
fbaf6de6Sjakob * 1. Redistributions of source code must retain the above copyright
fbaf6de6Sjakob *    notice, this list of conditions and the following disclaimer.
fbaf6de6Sjakob * 2. Redistributions in binary form must reproduce the above copyright
fbaf6de6Sjakob *    notice, this list of conditions and the following disclaimer in the
fbaf6de6Sjakob *    documentation and/or other materials provided with the distribution.
fbaf6de6Sjakob *
fbaf6de6Sjakob * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
fbaf6de6Sjakob * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
fbaf6de6Sjakob * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
fbaf6de6Sjakob * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
fbaf6de6Sjakob * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
fbaf6de6Sjakob * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
fbaf6de6Sjakob * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
fbaf6de6Sjakob * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
fbaf6de6Sjakob * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
fbaf6de6Sjakob * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
fbaf6de6Sjakob */
fbaf6de6Sjakob
fbaf6de6Sjakob#include <sys/types.h>
fbaf6de6Sjakob#include <sys/socket.h>
fbaf6de6Sjakob#include <netinet/in.h>
fbaf6de6Sjakob#include <arpa/inet.h>
fbaf6de6Sjakob
fbaf6de6Sjakob#include <err.h>
85956792Sdjm#include <errno.h>
fbaf6de6Sjakob#include <netdb.h>
fbaf6de6Sjakob#include <stdio.h>
fbaf6de6Sjakob#include <stdlib.h>
fbaf6de6Sjakob#include <string.h>
fbaf6de6Sjakob#include <unistd.h>
8a2928d1Sdjm#include <resolv.h>
8a2928d1Sdjm#include <readpassphrase.h>
dcb0a6f6Savsm#include "atomicio.h"
fbaf6de6Sjakob
fbaf6de6Sjakob#define SOCKS_PORT	"1080"
85956792Sdjm#define HTTP_PROXY_PORT	"3128"
85956792Sdjm#define HTTP_MAXHDRS	64
4ae91adcSmarkus#define SOCKS_V5	5
4ae91adcSmarkus#define SOCKS_V4	4
fbaf6de6Sjakob#define SOCKS_NOAUTH	0
fbaf6de6Sjakob#define SOCKS_NOMETHOD	0xff
fbaf6de6Sjakob#define SOCKS_CONNECT	1
fbaf6de6Sjakob#define SOCKS_IPV4	1
6ec9605aSdjm#define SOCKS_DOMAIN	3
6ec9605aSdjm#define SOCKS_IPV6	4
85956792Sdjm
db8da9c7Smillertint	remote_connect(const char *, const char *, struct addrinfo, char *);
8a2928d1Sdjmint	socks_connect(const char *, const char *, struct addrinfo,
8a2928d1Sdjm	    const char *, const char *, struct addrinfo, int,
8a2928d1Sdjm	    const char *);
234a317aSericj
6ec9605aSdjmstatic int
6ec9605aSdjmdecode_addrport(const char *h, const char *p, struct sockaddr *addr,
6ec9605aSdjm    socklen_t addrlen, int v4only, int numeric)
fbaf6de6Sjakob{
6ec9605aSdjm	int r;
6ec9605aSdjm	struct addrinfo hints, *res;
fbaf6de6Sjakob
cfa2976eSmestre	memset(&hints, 0, sizeof(hints));
6ec9605aSdjm	hints.ai_family = v4only ? PF_INET : PF_UNSPEC;
6ec9605aSdjm	hints.ai_flags = numeric ? AI_NUMERICHOST : 0;
6ec9605aSdjm	hints.ai_socktype = SOCK_STREAM;
6ec9605aSdjm	r = getaddrinfo(h, p, &hints, &res);
6ec9605aSdjm	/* Don't fatal when attempting to convert a numeric address */
6ec9605aSdjm	if (r != 0) {
6ec9605aSdjm		if (!numeric) {
6ec9605aSdjm			errx(1, "getaddrinfo(\"%.64s\", \"%.64s\"): %s", h, p,
6ec9605aSdjm			    gai_strerror(r));
fbaf6de6Sjakob		}
6ec9605aSdjm		return (-1);
fbaf6de6Sjakob	}
6ec9605aSdjm	if (addrlen < res->ai_addrlen) {
6ec9605aSdjm		freeaddrinfo(res);
6ec9605aSdjm		errx(1, "internal error: addrlen < res->ai_addrlen");
6ec9605aSdjm	}
6ec9605aSdjm	memcpy(addr, res->ai_addr, res->ai_addrlen);
6ec9605aSdjm	freeaddrinfo(res);
6ec9605aSdjm	return (0);
fbaf6de6Sjakob}
fbaf6de6Sjakob
85956792Sdjmstatic int
dcb0a6f6Savsmproxy_read_line(int fd, char *buf, size_t bufsz)
85956792Sdjm{
dcb0a6f6Savsm	size_t off;
85956792Sdjm
85956792Sdjm	for(off = 0;;) {
85956792Sdjm		if (off >= bufsz)
85956792Sdjm			errx(1, "proxy read too long");
dcb0a6f6Savsm		if (atomicio(read, fd, buf + off, 1) != 1)
85956792Sdjm			err(1, "proxy read");
85956792Sdjm		/* Skip CR */
85956792Sdjm		if (buf[off] == '\r')
85956792Sdjm			continue;
85956792Sdjm		if (buf[off] == '\n') {
85956792Sdjm			buf[off] = '\0';
85956792Sdjm			break;
85956792Sdjm		}
85956792Sdjm		off++;
85956792Sdjm	}
85956792Sdjm	return (off);
85956792Sdjm}
85956792Sdjm
b4690bfbSderaadtstatic void
b4690bfbSderaadtgetproxypass(const char *proxyuser, const char *proxyhost,
b4690bfbSderaadt    char *pw, size_t pwlen)
8a2928d1Sdjm{
8a2928d1Sdjm	char prompt[512];
8a2928d1Sdjm
8a2928d1Sdjm	snprintf(prompt, sizeof(prompt), "Proxy password for %s@%s: ",
8a2928d1Sdjm	   proxyuser, proxyhost);
b4690bfbSderaadt	if (readpassphrase(prompt, pw, pwlen, RPP_REQUIRE_TTY) == NULL)
8a2928d1Sdjm		errx(1, "Unable to read proxy passphrase");
8a2928d1Sdjm}
8a2928d1Sdjm
7f7ce286Smmcc/*
7f7ce286Smmcc * Error strings adapted from the generally accepted SOCKSv4 spec:
7f7ce286Smmcc *
7f7ce286Smmcc * http://ftp.icm.edu.pl/packages/socks/socks4/SOCKS4.protocol
7f7ce286Smmcc */
7f7ce286Smmccstatic const char *
7f7ce286Smmccsocks4_strerror(int e)
7f7ce286Smmcc{
7f7ce286Smmcc	switch (e) {
7f7ce286Smmcc	case 90:
7f7ce286Smmcc		return "Succeeded";
7f7ce286Smmcc	case 91:
7f7ce286Smmcc		return "Request rejected or failed";
7f7ce286Smmcc	case 92:
7f7ce286Smmcc		return "SOCKS server cannot connect to identd on the client";
7f7ce286Smmcc	case 93:
7f7ce286Smmcc		return "Client program and identd report different user-ids";
7f7ce286Smmcc	default:
7f7ce286Smmcc		return "Unknown error";
7f7ce286Smmcc	}
7f7ce286Smmcc}
7f7ce286Smmcc
7f7ce286Smmcc/*
7f7ce286Smmcc * Error strings taken almost directly from RFC 1928.
7f7ce286Smmcc */
7f7ce286Smmccstatic const char *
7f7ce286Smmccsocks5_strerror(int e)
7f7ce286Smmcc{
7f7ce286Smmcc	switch (e) {
7f7ce286Smmcc	case 0:
7f7ce286Smmcc		return "Succeeded";
7f7ce286Smmcc	case 1:
7f7ce286Smmcc		return "General SOCKS server failure";
7f7ce286Smmcc	case 2:
7f7ce286Smmcc		return "Connection not allowed by ruleset";
7f7ce286Smmcc	case 3:
7f7ce286Smmcc		return "Network unreachable";
7f7ce286Smmcc	case 4:
7f7ce286Smmcc		return "Host unreachable";
7f7ce286Smmcc	case 5:
7f7ce286Smmcc		return "Connection refused";
7f7ce286Smmcc	case 6:
7f7ce286Smmcc		return "TTL expired";
7f7ce286Smmcc	case 7:
7f7ce286Smmcc		return "Command not supported";
7f7ce286Smmcc	case 8:
7f7ce286Smmcc		return "Address type not supported";
7f7ce286Smmcc	default:
7f7ce286Smmcc		return "Unknown error";
7f7ce286Smmcc	}
7f7ce286Smmcc}
7f7ce286Smmcc
fbaf6de6Sjakobint
c3ee19eaSottosocks_connect(const char *host, const char *port,
c3ee19eaSotto    struct addrinfo hints __attribute__ ((__unused__)),
c3ee19eaSotto    const char *proxyhost, const char *proxyport, struct addrinfo proxyhints,
8a2928d1Sdjm    int socksv, const char *proxyuser)
fbaf6de6Sjakob{
8a2928d1Sdjm	int proxyfd, r, authretry = 0;
6ec9605aSdjm	size_t hlen, wlen;
85956792Sdjm	unsigned char buf[1024];
dcb0a6f6Savsm	size_t cnt;
6ec9605aSdjm	struct sockaddr_storage addr;
6ec9605aSdjm	struct sockaddr_in *in4 = (struct sockaddr_in *)&addr;
6ec9605aSdjm	struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&addr;
fbaf6de6Sjakob	in_port_t serverport;
fbaf6de6Sjakob
85956792Sdjm	if (proxyport == NULL)
85956792Sdjm		proxyport = (socksv == -1) ? HTTP_PROXY_PORT : SOCKS_PORT;
85956792Sdjm
6ec9605aSdjm	/* Abuse API to lookup port */
6ec9605aSdjm	if (decode_addrport("0.0.0.0", port, (struct sockaddr *)&addr,
6ec9605aSdjm	    sizeof(addr), 1, 1) == -1)
6ec9605aSdjm		errx(1, "unknown port \"%.64s\"", port);
6ec9605aSdjm	serverport = in4->sin_port;
fbaf6de6Sjakob
8a2928d1Sdjm again:
8a2928d1Sdjm	if (authretry++ > 3)
8a2928d1Sdjm		errx(1, "Too many authentication failures");
8a2928d1Sdjm
db8da9c7Smillert	proxyfd = remote_connect(proxyhost, proxyport, proxyhints, NULL);
8a2928d1Sdjm
8a2928d1Sdjm	if (proxyfd < 0)
8a2928d1Sdjm		return (-1);
8a2928d1Sdjm
4ae91adcSmarkus	if (socksv == 5) {
6ec9605aSdjm		if (decode_addrport(host, port, (struct sockaddr *)&addr,
6ec9605aSdjm		    sizeof(addr), 0, 1) == -1)
6ec9605aSdjm			addr.ss_family = 0; /* used in switch below */
6ec9605aSdjm
fbaf6de6Sjakob		/* Version 5, one method: no authentication */
4ae91adcSmarkus		buf[0] = SOCKS_V5;
fbaf6de6Sjakob		buf[1] = 1;
fbaf6de6Sjakob		buf[2] = SOCKS_NOAUTH;
dcb0a6f6Savsm		cnt = atomicio(vwrite, proxyfd, buf, 3);
fbaf6de6Sjakob		if (cnt != 3)
9d5021f5Snicm			err(1, "write failed (%zu/3)", cnt);
fbaf6de6Sjakob
dcb0a6f6Savsm		cnt = atomicio(read, proxyfd, buf, 2);
dcb0a6f6Savsm		if (cnt != 2)
9d5021f5Snicm			err(1, "read failed (%zu/3)", cnt);
dcb0a6f6Savsm
fbaf6de6Sjakob		if (buf[1] == SOCKS_NOMETHOD)
fbaf6de6Sjakob			errx(1, "authentication method negotiation failed");
fbaf6de6Sjakob
6ec9605aSdjm		switch (addr.ss_family) {
6ec9605aSdjm		case 0:
6ec9605aSdjm			/* Version 5, connect: domain name */
6ec9605aSdjm
6ec9605aSdjm			/* Max domain name length is 255 bytes */
6ec9605aSdjm			hlen = strlen(host);
6ec9605aSdjm			if (hlen > 255)
6ec9605aSdjm				errx(1, "host name too long for SOCKS5");
6ec9605aSdjm			buf[0] = SOCKS_V5;
6ec9605aSdjm			buf[1] = SOCKS_CONNECT;
6ec9605aSdjm			buf[2] = 0;
6ec9605aSdjm			buf[3] = SOCKS_DOMAIN;
6ec9605aSdjm			buf[4] = hlen;
6ec9605aSdjm			memcpy(buf + 5, host, hlen);
6ec9605aSdjm			memcpy(buf + 5 + hlen, &serverport, sizeof serverport);
6ec9605aSdjm			wlen = 7 + hlen;
6ec9605aSdjm			break;
6ec9605aSdjm		case AF_INET:
fbaf6de6Sjakob			/* Version 5, connect: IPv4 address */
4ae91adcSmarkus			buf[0] = SOCKS_V5;
fbaf6de6Sjakob			buf[1] = SOCKS_CONNECT;
fbaf6de6Sjakob			buf[2] = 0;
fbaf6de6Sjakob			buf[3] = SOCKS_IPV4;
6ec9605aSdjm			memcpy(buf + 4, &in4->sin_addr, sizeof in4->sin_addr);
6ec9605aSdjm			memcpy(buf + 8, &in4->sin_port, sizeof in4->sin_port);
6ec9605aSdjm			wlen = 10;
6ec9605aSdjm			break;
6ec9605aSdjm		case AF_INET6:
6ec9605aSdjm			/* Version 5, connect: IPv6 address */
6ec9605aSdjm			buf[0] = SOCKS_V5;
6ec9605aSdjm			buf[1] = SOCKS_CONNECT;
6ec9605aSdjm			buf[2] = 0;
6ec9605aSdjm			buf[3] = SOCKS_IPV6;
6ec9605aSdjm			memcpy(buf + 4, &in6->sin6_addr, sizeof in6->sin6_addr);
6ec9605aSdjm			memcpy(buf + 20, &in6->sin6_port,
6ec9605aSdjm			    sizeof in6->sin6_port);
6ec9605aSdjm			wlen = 22;
6ec9605aSdjm			break;
6ec9605aSdjm		default:
6ec9605aSdjm			errx(1, "internal error: silly AF");
6ec9605aSdjm		}
fbaf6de6Sjakob
dcb0a6f6Savsm		cnt = atomicio(vwrite, proxyfd, buf, wlen);
6ec9605aSdjm		if (cnt != wlen)
9d5021f5Snicm			err(1, "write failed (%zu/%zu)", cnt, wlen);
fbaf6de6Sjakob
a1d68469Sokan		cnt = atomicio(read, proxyfd, buf, 4);
a1d68469Sokan		if (cnt != 4)
a1d68469Sokan			err(1, "read failed (%zu/4)", cnt);
7f7ce286Smmcc		if (buf[1] != 0) {
dac0c0beSmmcc			errx(1, "connection failed, SOCKSv5 error: %s",
7f7ce286Smmcc			    socks5_strerror(buf[1]));
7f7ce286Smmcc		}
a1d68469Sokan		switch (buf[3]) {
a1d68469Sokan		case SOCKS_IPV4:
a1d68469Sokan			cnt = atomicio(read, proxyfd, buf + 4, 6);
a1d68469Sokan			if (cnt != 6)
0e859d3eSespie				err(1, "read failed (%zu/6)", cnt);
a1d68469Sokan			break;
a1d68469Sokan		case SOCKS_IPV6:
a1d68469Sokan			cnt = atomicio(read, proxyfd, buf + 4, 18);
a1d68469Sokan			if (cnt != 18)
0e859d3eSespie				err(1, "read failed (%zu/18)", cnt);
a1d68469Sokan			break;
a1d68469Sokan		default:
a1d68469Sokan			errx(1, "connection failed, unsupported address type");
a1d68469Sokan		}
85956792Sdjm	} else if (socksv == 4) {
6ec9605aSdjm		/* This will exit on lookup failure */
6ec9605aSdjm		decode_addrport(host, port, (struct sockaddr *)&addr,
6ec9605aSdjm		    sizeof(addr), 1, 0);
6ec9605aSdjm
4ae91adcSmarkus		/* Version 4 */
4ae91adcSmarkus		buf[0] = SOCKS_V4;
4ae91adcSmarkus		buf[1] = SOCKS_CONNECT;	/* connect */
6ec9605aSdjm		memcpy(buf + 2, &in4->sin_port, sizeof in4->sin_port);
6ec9605aSdjm		memcpy(buf + 4, &in4->sin_addr, sizeof in4->sin_addr);
4ae91adcSmarkus		buf[8] = 0;	/* empty username */
6ec9605aSdjm		wlen = 9;
4ae91adcSmarkus
dcb0a6f6Savsm		cnt = atomicio(vwrite, proxyfd, buf, wlen);
6ec9605aSdjm		if (cnt != wlen)
9d5021f5Snicm			err(1, "write failed (%zu/%zu)", cnt, wlen);
4ae91adcSmarkus
6ec9605aSdjm		cnt = atomicio(read, proxyfd, buf, 8);
4ae91adcSmarkus		if (cnt != 8)
9d5021f5Snicm			err(1, "read failed (%zu/8)", cnt);
7f7ce286Smmcc		if (buf[1] != 90) {
dac0c0beSmmcc			errx(1, "connection failed, SOCKSv4 error: %s",
7f7ce286Smmcc			    socks4_strerror(buf[1]));
7f7ce286Smmcc		}
85956792Sdjm	} else if (socksv == -1) {
85956792Sdjm		/* HTTP proxy CONNECT */
85956792Sdjm
85956792Sdjm		/* Disallow bad chars in hostname */
*01d44e2bSdjm		if (strcspn(host, "\r\n\t []") != strlen(host))
85956792Sdjm			errx(1, "Invalid hostname");
85956792Sdjm
85956792Sdjm		/* Try to be sane about numeric IPv6 addresses */
85956792Sdjm		if (strchr(host, ':') != NULL) {
85956792Sdjm			r = snprintf(buf, sizeof(buf),
8a2928d1Sdjm			    "CONNECT [%s]:%d HTTP/1.0\r\n",
85956792Sdjm			    host, ntohs(serverport));
85956792Sdjm		} else {
85956792Sdjm			r = snprintf(buf, sizeof(buf),
8a2928d1Sdjm			    "CONNECT %s:%d HTTP/1.0\r\n",
85956792Sdjm			    host, ntohs(serverport));
4ae91adcSmarkus		}
515e489cSderaadt		if (r < 0 || (size_t)r >= sizeof(buf))
85956792Sdjm			errx(1, "hostname too long");
85956792Sdjm		r = strlen(buf);
85956792Sdjm
dcb0a6f6Savsm		cnt = atomicio(vwrite, proxyfd, buf, r);
85956792Sdjm		if (cnt != r)
9d5021f5Snicm			err(1, "write failed (%zu/%d)", cnt, r);
85956792Sdjm
8a2928d1Sdjm		if (authretry > 1) {
b4690bfbSderaadt			char proxypass[256];
8a2928d1Sdjm			char resp[1024];
8a2928d1Sdjm
b4690bfbSderaadt			getproxypass(proxyuser, proxyhost,
b4690bfbSderaadt			    proxypass, sizeof proxypass);
8a2928d1Sdjm			r = snprintf(buf, sizeof(buf), "%s:%s",
8a2928d1Sdjm			    proxyuser, proxypass);
b4690bfbSderaadt			explicit_bzero(proxypass, sizeof proxypass);
8a2928d1Sdjm			if (r == -1 || (size_t)r >= sizeof(buf) ||
8a2928d1Sdjm			    b64_ntop(buf, strlen(buf), resp,
8a2928d1Sdjm			    sizeof(resp)) == -1)
8a2928d1Sdjm				errx(1, "Proxy username/password too long");
8a2928d1Sdjm			r = snprintf(buf, sizeof(buf), "Proxy-Authorization: "
8a2928d1Sdjm			    "Basic %s\r\n", resp);
515e489cSderaadt			if (r < 0 || (size_t)r >= sizeof(buf))
8a2928d1Sdjm				errx(1, "Proxy auth response too long");
8a2928d1Sdjm			r = strlen(buf);
8a2928d1Sdjm			if ((cnt = atomicio(vwrite, proxyfd, buf, r)) != r)
9d5021f5Snicm				err(1, "write failed (%zu/%d)", cnt, r);
b4690bfbSderaadt			explicit_bzero(proxypass, sizeof proxypass);
b4690bfbSderaadt			explicit_bzero(buf, sizeof buf);
8a2928d1Sdjm		}
8a2928d1Sdjm
8a2928d1Sdjm		/* Terminate headers */
239b25b8Stobias		if ((cnt = atomicio(vwrite, proxyfd, "\r\n", 2)) != 2)
239b25b8Stobias			err(1, "write failed (%zu/2)", cnt);
8a2928d1Sdjm
8a2928d1Sdjm		/* Read status reply */
8a2928d1Sdjm		proxy_read_line(proxyfd, buf, sizeof(buf));
8a2928d1Sdjm		if (proxyuser != NULL &&
dd094f59Sbenno		    (strncmp(buf, "HTTP/1.0 407 ", 12) == 0 ||
dd094f59Sbenno		    strncmp(buf, "HTTP/1.1 407 ", 12) == 0)) {
8a2928d1Sdjm			if (authretry > 1) {
8a2928d1Sdjm				fprintf(stderr, "Proxy authentication "
8a2928d1Sdjm				    "failed\n");
8a2928d1Sdjm			}
8a2928d1Sdjm			close(proxyfd);
8a2928d1Sdjm			goto again;
95ab6b06Sray		} else if (strncmp(buf, "HTTP/1.0 200 ", 12) != 0 &&
95ab6b06Sray		    strncmp(buf, "HTTP/1.1 200 ", 12) != 0)
8a2928d1Sdjm			errx(1, "Proxy error: \"%s\"", buf);
8a2928d1Sdjm
8a2928d1Sdjm		/* Headers continue until we hit an empty line */
85956792Sdjm		for (r = 0; r < HTTP_MAXHDRS; r++) {
85956792Sdjm			proxy_read_line(proxyfd, buf, sizeof(buf));
85956792Sdjm			if (*buf == '\0')
85956792Sdjm				break;
85956792Sdjm		}
8a2928d1Sdjm		if (*buf != '\0')
8a2928d1Sdjm			errx(1, "Too many proxy headers received");
85956792Sdjm	} else
85956792Sdjm		errx(1, "Unknown proxy protocol %d", socksv);
fbaf6de6Sjakob
e3d30cfdSdjm	return (proxyfd);
fbaf6de6Sjakob}