/*************************************************************************** * proxy_socks4.c -- SOCKS4 proxying. * * * ***********************IMPORTANT NSOCK LICENSE TERMS*********************** * * * The nsock parallel socket event library is (C) 1999-2015 Insecure.Com * * LLC This library is free software; you may redistribute and/or * * modify it under the terms of the GNU General Public License as * * published by the Free Software Foundation; Version 2. This guarantees * * your right to use, modify, and redistribute this software under certain * * conditions. If this license is unacceptable to you, Insecure.Com LLC * * may be willing to sell alternative licenses (contact * * sales@insecure.com ). * * * * As a special exception to the GPL terms, Insecure.Com LLC grants * * permission to link the code of this program with any version of the * * OpenSSL library which is distributed under a license identical to that * * listed in the included docs/licenses/OpenSSL.txt file, and distribute * * linked combinations including the two. You must obey the GNU GPL in all * * respects for all of the code used other than OpenSSL. If you modify * * this file, you may extend this exception to your version of the file, * * but you are not obligated to do so. * * * * If you received these files with a written license agreement stating * * terms other than the (GPL) terms above, then that alternative license * * agreement takes precedence over this comment. * * * * Source is provided to this software because we believe users have a * * right to know exactly what a program is going to do before they run it. * * This also allows you to audit the software for security holes. * * * * Source code also allows you to port Nmap to new platforms, fix bugs, * * and add new features. You are highly encouraged to send your changes * * to the dev@nmap.org mailing list for possible incorporation into the * * main distribution. 
By sending these changes to Fyodor or one of the * * Insecure.Org development mailing lists, or checking them into the Nmap * * source code repository, it is understood (unless you specify otherwise) * * that you are offering the Nmap Project (Insecure.Com LLC) the * * unlimited, non-exclusive right to reuse, modify, and relicense the * * code. Nmap will always be available Open Source, but this is important * * because the inability to relicense code has caused devastating problems * * for other Free Software projects (such as KDE and NASM). We also * * occasionally relicense the code to third parties as discussed above. * * If you wish to specify special license conditions of your * * contributions, just say so when you send them. * * * * This program is distributed in the hope that it will be useful, but * * WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * * General Public License v2.0 for more details * * (http://www.gnu.org/licenses/gpl-2.0.html). 
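***************************************************************************/

/* $Id $ */

#define _GNU_SOURCE
/* NOTE(review): the two angle-bracket header names were lost in the page
 * extraction. <stdio.h> (asprintf, enabled by _GNU_SOURCE above) and
 * <string.h> (strlen/strcmp/strdup/memcpy/memset) are what this translation
 * unit's calls require; confirm against the upstream file. */
#include <stdio.h>

#include "nsock.h"
#include "nsock_internal.h"
#include "nsock_log.h"

#include <string.h>

#define DEFAULT_PROXY_PORT_SOCKS 1080

/* Protocol constants used below (SOCKS4 spec and rfc1928). */
enum {
  SOCKS4_VERSION       = 4,
  SOCKS4_CMD_CONNECT   = 1,
  SOCKS4_REPLY_LEN     = 8,   /* VN, CD, DSTPORT(2), DSTIP(4) */
  SOCKS4_REPLY_GRANTED = 90,  /* CD: request granted */
  SOCKS5_VERSION       = 5,
  SOCKS5_REP_SUCCEEDED = 0,
  SOCKS5_ATYP_IPV4     = 1,
  SOCKS5_ATYP_IPV6     = 4,
  SOCKS5_ADDR4_LEN     = 4,
  SOCKS5_ADDR6_LEN     = 16,
};

extern struct timeval nsock_tod;

extern const struct proxy_spec ProxySpecSocks4;
extern const struct proxy_spec ProxySpecSocks4a;
extern const struct proxy_spec ProxySpecSocks5;

/* Fixed-size head of a SOCKS4/SOCKS4a CONNECT request: VN, CD, DSTPORT,
 * DSTIP, then the NUL that terminates an empty USERID. When a user name is
 * sent it is copied over `null` together with its own terminator, so the head
 * is always followed by exactly one NUL on the wire. */
struct socks4_data {
  uint8_t version;
  uint8_t type;
  uint16_t port;      /* network byte order */
  uint32_t address;   /* network byte order; 0.0.0.255 for SOCKS4a */
  uint8_t null;
} __attribute__((packed));

/* Release a node built by proxy_socks_node_new(). NULL is a no-op. */
static void proxy_socks_node_delete(struct proxy_node *node) {
  if (!node)
    return;

  free(node->user);
  free(node->pass);
  free(node->nodestr);
  free(node);
}

/* Build a proxy node from a parsed socks4://, socks4a:// or socks5:// URI.
 *
 * @param node  Receives the new node on success, NULL on failure.
 * @param uri   Parsed proxy URI (host, port, optional user/pass, scheme).
 * @return 1 on success, negative on failure (host does not resolve, or the
 *         scheme is not one of the three handled here).
 *
 * The failure path goes through proxy_socks_node_delete() so that the
 * user/pass/nodestr strings allocated before the scheme check are released
 * too; the previous version freed only the node itself on an unsupported
 * scheme. Out-of-memory on strdup() is fatal, as elsewhere in nsock. */
static int proxy_socks_node_new(struct proxy_node **node, const struct uri *uri) {
  int rc;
  struct proxy_node *proxy;

  proxy = (struct proxy_node *)safe_zalloc(sizeof(struct proxy_node));

  rc = proxy_resolve(uri->host, (struct sockaddr *)&proxy->ss, &proxy->sslen);
  if (rc < 0)
    goto err_out;

  /* A port of -1 means the URI carried no explicit port. */
  proxy->port = (uri->port == -1) ? DEFAULT_PROXY_PORT_SOCKS : (unsigned short)uri->port;

  if (uri->user) {
    proxy->user = strdup(uri->user);
    if (!proxy->user)
      fatal("Out of memory");
  }

  if (uri->pass) {
    proxy->pass = strdup(uri->pass);
    if (!proxy->pass)
      fatal("Out of memory");
  }

  rc = asprintf(&proxy->nodestr, "%s://%s:%d", uri->scheme, uri->host, proxy->port);
  if (rc < 0) {
    /* asprintf() failed for some reason but this is not a disaster (yet).
     * Set nodestr to NULL and try to keep on going. */
    proxy->nodestr = NULL;
  }

  if (!strcmp(uri->scheme, "socks4")) {
    proxy->spec = &ProxySpecSocks4;
  } else if (!strcmp(uri->scheme, "socks4a")) {
    proxy->spec = &ProxySpecSocks4a;
  } else if (!strcmp(uri->scheme, "socks5")) {
    proxy->spec = &ProxySpecSocks5;
  } else {
    rc = -1;
    goto err_out;
  }

  rc = 1;

err_out:
  if (rc < 0) {
    proxy_socks_node_delete(proxy);
    proxy = NULL;
  }
  *node = proxy;
  return rc;
}

/* Fill in a SOCKS4 CONNECT request head for ss/port.
 *
 * @param socks4  Request head to initialise (fully zeroed first).
 * @param ss      IPv4 address of the next hop; must be AF_INET (SOCKS4 has no
 *                other address form). Pass NULL for a SOCKS4a request: DSTIP
 *                is then set to the invalid address 0.0.0.255, which tells the
 *                proxy that a host name follows the USERID on the wire.
 * @param port    Destination port in host byte order. */
static inline void socks4_data_init(struct socks4_data *socks4,
                                    const struct sockaddr_storage *ss,
                                    unsigned short port) {
  memset(socks4, 0x00, sizeof(*socks4));
  socks4->version = SOCKS4_VERSION;
  socks4->type = SOCKS4_CMD_CONNECT;
  socks4->port = htons(port);

  if (ss) {
    const struct sockaddr_in *sin = (const struct sockaddr_in *)ss;

    assert(ss->ss_family == AF_INET);
    socks4->address = sin->sin_addr.s_addr;
  } else {
    socks4->address = htonl(0xff);
  }
}

/* PROXY_STATE_INITIAL handler for socks4://: the TCP connection to the proxy
 * is up, so send the CONNECT request for the next hop (or the final target)
 * and arm a read for the 8-byte reply.
 *
 * @return 0 when the request was queued, -1 when the next hop is not an IPv4
 *         address. Previously that case only hit an assert() in
 *         socks4_data_init(); with NDEBUG it would have sent the first four
 *         bytes of an IPv6 address as DSTIP. It is now reported as a proxy
 *         error through proxy_socks_handler_common(). */
static int handle_state_initial_socks4(struct npool *nsp, struct nevent *nse, void *udata) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  const char *user = px_ctx->px_current->user;
  const struct sockaddr_storage *ss;
  unsigned short port;
  struct proxy_node *next;
  struct socks4_data socks4;
  int timeout;

  next = proxy_ctx_node_next(px_ctx);
  if (next) {
    ss = &next->ss;
    port = next->port;
  } else {
    ss = &px_ctx->target_ss;
    port = px_ctx->target_port;
  }

  if (ss->ss_family != AF_INET) {
    nsock_log_debug("SOCKS4 proxy %s cannot reach a non-IPv4 address",
                    px_ctx->px_current->nodestr);
    return -1;
  }

  px_ctx->px_state = PROXY_STATE_SOCKS_TCP_CONNECTED;

  socks4_data_init(&socks4, ss, port);
  timeout = TIMEVAL_MSEC_SUBTRACT(nse->timeout, nsock_tod);

  if (user != NULL) {
    /* USERID overwrites socks4.null and brings its own terminator, so the
     * request grows by exactly strlen(user) bytes. */
    size_t user_len = strlen(user);
    size_t outgoing_len = sizeof(socks4) + user_len;
    char *outgoing = safe_zalloc(outgoing_len);

    memcpy(outgoing, &socks4, sizeof(socks4));
    memcpy(outgoing + sizeof(socks4) - 1, user, user_len + 1);
    nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                outgoing, outgoing_len);
    free(outgoing);
  } else {
    /* nsock_write() copies the buffer (the original passed this stack object
     * too), so handing it a local is fine. */
    nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                (char *)&socks4, sizeof(socks4));
  }

  nsock_readbytes(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                  SOCKS4_REPLY_LEN);
  return 0;
}

/* PROXY_STATE_INITIAL handler for socks4a://: like socks4, but the proxy
 * resolves the target name itself, so the request carries DSTIP=0.0.0.255
 * followed by the NUL-terminated host name.
 *
 * Wire layout: socks4_data, optional USERID (overwriting socks4_data.null and
 * supplying its own NUL), then the NUL-terminated target name.
 *
 * @return 0 when the request was queued, -1 when the iod carries no host
 *         name. NOTE(review): whether nsock always sets iod->hostname on this
 *         path is not visible in this file; the guard turns a NULL
 *         dereference in strlen() into a proxy error. */
static int handle_state_initial_socks4a(struct npool *nsp, struct nevent *nse, void *udata) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  const char *target_name = nse->iod->hostname;
  const char *user = px_ctx->px_current->user;
  size_t target_name_len, user_len = 0, outgoing_len;
  unsigned short port;
  struct proxy_node *next;
  struct socks4_data socks4a;
  uint8_t *outgoing;
  int timeout;

  if (target_name == NULL) {
    nsock_log_debug("No target host name for SOCKS4a proxy %s",
                    px_ctx->px_current->nodestr);
    return -1;
  }
  target_name_len = strlen(target_name);

  px_ctx->px_state = PROXY_STATE_SOCKS_TCP_CONNECTED;

  next = proxy_ctx_node_next(px_ctx);
  port = next ? next->port : px_ctx->target_port;

  socks4_data_init(&socks4a, NULL, port);
  timeout = TIMEVAL_MSEC_SUBTRACT(nse->timeout, nsock_tod);

  if (user)
    user_len = strlen(user);

  outgoing_len = sizeof(socks4a) + user_len + target_name_len + 1;
  outgoing = safe_zalloc(outgoing_len);

  memcpy(outgoing, &socks4a, sizeof(socks4a));
  /* If user id is supplied, overwrite the last null byte of socks4_data and
   * include the last null byte in the user id string. */
  if (user_len)
    memcpy(outgoing + sizeof(socks4a) - 1, user, user_len + 1);
  memcpy(outgoing + sizeof(socks4a) + user_len, target_name, target_name_len + 1);

  nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
              (char *)outgoing, outgoing_len);
  free(outgoing);

  nsock_readbytes(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                  SOCKS4_REPLY_LEN);
  return 0;
}

/* PROXY_STATE_INITIAL handler for socks5://: send the method-selection
 * greeting and arm a read for the 2-byte answer (rfc1928 §3).
 *
 * The greeting offers a single method, 0x00 "no authentication required";
 * the node's user/pass fields are never sent, so username/password
 * authentication (method 0x02) is not supported by this implementation.
 * Always returns 0. */
static int handle_state_initial_socks5(struct npool *nsp, struct nevent *nse, void *udata) {
  int timeout;
  char *request = "\x05\x01\x00";   /* VER=5, NMETHODS=1, METHODS={0x00} */

  timeout = TIMEVAL_MSEC_SUBTRACT(nse->timeout, nsock_tod);
  nse->iod->px_ctx->px_state = PROXY_STATE_SOCKS5_TCP_CONNECTED;

  nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
              request, 3);
  nsock_readbytes(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata, 2);
  return 0;
}

/* PROXY_STATE_SOCKS5_TCP_CONNECTED handler: the method-selection reply is in.
 * Accept only VER=5 / METHOD=0 (no authentication), then send the CONNECT
 * request for the next hop and arm a read for the reply head.
 *
 * @return 0 when the request was queued; -EINVAL on an unexpected
 *         method-selection reply (including 0xFF "no acceptable methods");
 *         -1 when the next hop is neither IPv4 nor IPv6.
 *
 * The two address pointers of the previous version were left uninitialised
 * on the branch that did not set them and then tested with `if (dstaddr4)`,
 * which is undefined behaviour; a single pointer is now set on every
 * accepted branch. The request is at most 22 bytes, so it is assembled on
 * the stack instead of being heap-allocated per request. */
static int handle_state_socks5_respond(struct npool *nsp, struct nevent *nse, void *udata) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  struct sockaddr_storage *ss;
  unsigned short port;
  struct proxy_node *next;
  int timeout, reslen;
  char *res;
  /* VER, CMD, RSV, ATYP, DST.ADDR (4 or 16), DST.PORT (2). */
  uint8_t outgoing[4 + SOCKS5_ADDR6_LEN + 2];
  size_t outgoing_len, addr_len;
  const void *dstaddr;
  uint16_t dstport;
  char ver_cmd_rsv_atyp[4] = "\x05\x01\x00\x01";   /* CONNECT, ATYP=IPv4 */

  res = nse_readbuf(nse, &reslen);

  if (!(reslen == 2 && res[0] == SOCKS5_VERSION && res[1] == '\x00')) {
    struct proxy_node *node = px_ctx->px_current;

    nsock_log_debug("Ignoring invalid socks reply from proxy %s", node->nodestr);
    return -EINVAL;
  }

  px_ctx->px_state = PROXY_STATE_SOCKS_TCP_CONNECTED;

  next = proxy_ctx_node_next(px_ctx);
  if (next) {
    ss = &next->ss;
    port = next->port;
  } else {
    ss = &px_ctx->target_ss;
    port = px_ctx->target_port;
  }

  timeout = TIMEVAL_MSEC_SUBTRACT(nse->timeout, nsock_tod);

  /* Here we want to send a tunnel request packet to the proxy server.
   * This packet should have the following form (rfc1928):
   *   +----+-----+-------+------+----------+----------+
   *   |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
   *   +----+-----+-------+------+----------+----------+
   *   | 1  |  1  | X'00' |  1   | Variable |    2     |
   *   +----+-----+-------+------+----------+----------+
   */
  dstport = htons(port);

  if (ss->ss_family == AF_INET) {
    dstaddr = &((struct sockaddr_in *)ss)->sin_addr.s_addr;
    addr_len = SOCKS5_ADDR4_LEN;
  } else if (ss->ss_family == AF_INET6) {
    dstaddr = ((struct sockaddr_in6 *)ss)->sin6_addr.s6_addr;
    addr_len = SOCKS5_ADDR6_LEN;
    ver_cmd_rsv_atyp[3] = '\x04';   /* ATYP=IPv6 */
  } else {
    nsock_log_debug("Unknown socket family request to proxy %s",
                    px_ctx->px_current->nodestr);
    return -1;
  }

  outgoing_len = 4 + addr_len + 2;
  memcpy(outgoing, ver_cmd_rsv_atyp, 4);
  memcpy(outgoing + 4, dstaddr, addr_len);
  memcpy(outgoing + 4 + addr_len, &dstport, 2);

  nsock_write(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
              (char *)outgoing, outgoing_len);

  nsock_readbytes(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata, 4);
  return 0;
}

/* PROXY_STATE_SOCKS_TCP_CONNECTED handler shared by all three variants: the
 * CONNECT reply is in. SOCKS4/4a answer with exactly 8 bytes whose CD byte
 * must be 90 (granted); SOCKS5 answers VER=5, REP=0, RSV=0, ATYP, BND.ADDR,
 * BND.PORT. On success the event is handed to the caller when this was the
 * last hop, otherwise the state machine is restarted for the next node.
 *
 * @return 0 on success, -EINVAL when the reply is not a grant.
 *
 * NOTE(review): only the first 4 bytes of a SOCKS5 reply are requested by
 * handle_state_socks5_respond() and the BND.ADDR/BND.PORT tail (6, 18 or
 * 3+len bytes depending on ATYP) is never consumed here. If that tail is not
 * already in the buffer when the 4-byte read completes it will be delivered
 * to the caller as tunnel data; draining it needs an extra read state keyed
 * on res[3]. Behaviour is unchanged here. */
static int handle_state_tcp_connected(struct npool *nsp, struct nevent *nse, void *udata) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  char *res;
  int reslen;
  int socks4_granted, socks5_granted;

  res = nse_readbuf(nse, &reslen);

  socks4_granted = (reslen == SOCKS4_REPLY_LEN && res[1] == SOCKS4_REPLY_GRANTED);
  socks5_granted = (reslen >= 4 && res[0] == SOCKS5_VERSION &&
                    res[1] == SOCKS5_REP_SUCCEEDED && res[2] == 0x00);

  if (!socks4_granted && !socks5_granted) {
    struct proxy_node *node = px_ctx->px_current;

    nsock_log_debug("Ignoring invalid socks reply from proxy %s", node->nodestr);
    return -EINVAL;
  }

  px_ctx->px_state = PROXY_STATE_SOCKS_TUNNEL_ESTABLISHED;

  if (proxy_ctx_node_next(px_ctx) == NULL) {
    forward_event(nsp, nse, udata);
  } else {
    /* More hops: make the node we just tunnelled through the current one and
     * run its INITIAL state over the established connection. */
    px_ctx->px_current = proxy_ctx_node_next(px_ctx);
    px_ctx->px_state = PROXY_STATE_INITIAL;
    nsock_proxy_ev_dispatch(nsp, nse, udata);
  }

  return 0;
}

/* Dispatch an nsock event to the state handler for the current proxy state.
 * Any handler returning non-zero marks the event NSE_STATUS_PROXYERROR and
 * forwards it to the caller. The INITIAL handlers' return values are now
 * honoured as well, so their new failure paths surface the same way as an
 * invalid reply. */
static void proxy_socks_handler_common(nsock_pool nspool, nsock_event nsevent, void *udata,
                                       enum nsock_proxy_type proxy_type) {
  int rc = 0;
  struct npool *nsp = (struct npool *)nspool;
  struct nevent *nse = (struct nevent *)nsevent;

  switch (nse->iod->px_ctx->px_state) {
    case PROXY_STATE_INITIAL:
      if (proxy_type == PROXY_TYPE_SOCKS4)
        rc = handle_state_initial_socks4(nsp, nse, udata);
      else if (proxy_type == PROXY_TYPE_SOCKS4A)
        rc = handle_state_initial_socks4a(nsp, nse, udata);
      else if (proxy_type == PROXY_TYPE_SOCKS5)
        rc = handle_state_initial_socks5(nsp, nse, udata);
      break;

    case PROXY_STATE_SOCKS5_TCP_CONNECTED:
      if (nse->type == NSE_TYPE_READ)
        rc = handle_state_socks5_respond(nsp, nse, udata);
      break;

    case PROXY_STATE_SOCKS_TCP_CONNECTED:
      if (nse->type == NSE_TYPE_READ)
        rc = handle_state_tcp_connected(nsp, nse, udata);
      break;

    case PROXY_STATE_SOCKS_TUNNEL_ESTABLISHED:
      forward_event(nsp, nse, udata);
      break;

    default:
      fatal("Invalid proxy state!");
  }

  if (rc) {
    nse->status = NSE_STATUS_PROXYERROR;
    forward_event(nsp, nse, udata);
  }
}

/* Per-scheme entry points registered in the proxy_op tables below. */
static void proxy_socks4_handler(nsock_pool nspool, nsock_event nsevent, void *udata) {
  proxy_socks_handler_common(nspool, nsevent, udata, PROXY_TYPE_SOCKS4);
}

static void proxy_socks4a_handler(nsock_pool nspool, nsock_event nsevent, void *udata) {
  proxy_socks_handler_common(nspool, nsevent, udata, PROXY_TYPE_SOCKS4A);
}

static void proxy_socks5_handler(nsock_pool nspool, nsock_event nsevent, void *udata) {
  proxy_socks_handler_common(nspool, nsevent, udata, PROXY_TYPE_SOCKS5);
}

/* ---- PROXY DEFINITION ---- */

static const struct proxy_op ProxyOpsSocks4 = {
  proxy_socks_node_new,
  proxy_socks_node_delete,
  proxy_socks4_handler,
};

static const struct proxy_op ProxyOpsSocks4a = {
  proxy_socks_node_new,
  proxy_socks_node_delete,
  proxy_socks4a_handler,
};

static const struct proxy_op ProxyOpsSocks5 = {
  proxy_socks_node_new,
  proxy_socks_node_delete,
  proxy_socks5_handler,
};

const struct proxy_spec ProxySpecSocks4 = {
  "socks4://",
  PROXY_TYPE_SOCKS4,
  &ProxyOpsSocks4,
};

const struct proxy_spec ProxySpecSocks4a = {
  "socks4a://",
  PROXY_TYPE_SOCKS4A,
  &ProxyOpsSocks4a,
};

const struct proxy_spec ProxySpecSocks5 = {
  "socks5://",
  PROXY_TYPE_SOCKS5,
  &ProxyOpsSocks5,
};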