Implement SOCKS5 user/pass handling

2024-11-28 14:23:30 +01:00 · 2018-05-16 15:41:57 +02:00 · 2018-05-16 15:41:57 +02:00 · 9068ac3cac
commit 9068ac3cac
parent 75106a26b4
1 changed files with 127 additions and 8 deletions
--- a/src/or/proto_socks.c
+++ b/src/or/proto_socks.c
@ -293,7 +293,7 @@ parse_socks5_methods_request(const uint8_t *raw_data, socks_request_t *req,
      *have_no_auth = 1;
    }
  }
-  
+
  end:
  socks5_client_version_free(trunnel_req);

@ -338,10 +338,10 @@ process_socks5_methods_request(socks_request_t *req, int have_user_pass,
             errmsg);
    res = -1;
  } else {
-    ssize_t encoded = 
+    ssize_t encoded =
    socks5_server_method_encode(req->reply, sizeof(req->reply),
                                trunnel_resp);
-    
+
    if (encoded < 0) {
      log_warn(LD_APP, "socks5: method selection encoding failed");
      res = -1;
@ -354,6 +354,105 @@ process_socks5_methods_request(socks_request_t *req, int have_user_pass,
  return res;
 }

+static int
+parse_socks5_userpass_auth(const uint8_t *raw_data, socks_request_t *req,
+                           size_t datalen, size_t *drain_out)
+{
+  int res = 1;
+  socks5_client_userpass_auth_t *trunnel_req = NULL;
+  ssize_t parsed = socks5_client_userpass_auth_parse(&trunnel_req, raw_data,
+                                                     datalen);
+
+  tor_assert(drain_out);
+  *drain_out = 0;
+
+  if (parsed == -1) {
+    log_warn(LD_APP, "socks5: parsing failed - invalid user/pass "
+                     "authentication message.");
+    res = -1;
+    goto end;
+  } else if (parsed == -2) {
+    res = 0;
+    goto end;
+  }
+
+  tor_assert(parsed >= 0);
+  *drain_out = (size_t)parsed;
+
+  uint8_t usernamelen =
+   socks5_client_userpass_auth_get_username_len(trunnel_req);
+  uint8_t passwordlen =
+   socks5_client_userpass_auth_get_passwd_len(trunnel_req);
+  const char *username =
+   socks5_client_userpass_auth_getconstarray_username(trunnel_req);
+  const char *password =
+   socks5_client_userpass_auth_getconstarray_passwd(trunnel_req);
+
+  if (usernamelen && username) {
+    req->username = tor_memdup_nulterm(username, usernamelen);
+    req->usernamelen = usernamelen;
+
+    req->got_auth = 1;
+  }
+
+  if (passwordlen && password) {
+    req->password = tor_memdup_nulterm(password, passwordlen);
+    req->passwordlen = passwordlen;
+
+    req->got_auth = 1;
+  }
+
+  end:
+  socks5_client_userpass_auth_free(trunnel_req);
+  return res;
+}
+
+static int
+process_socks5_userpass_auth(socks_request_t *req)
+{
+  int res = 1;
+  socks5_server_userpass_auth_t *trunnel_resp =
+    socks5_server_userpass_auth_new();
+
+  if (req->socks_version != 5) {
+    res = -1;
+    goto end;
+  }
+
+  if (req->auth_type != SOCKS_USER_PASS &&
+      req->auth_type != SOCKS_NO_AUTH) {
+    res = -1;
+    goto end;
+  }
+
+  socks5_server_userpass_auth_set_version(trunnel_resp, 1);
+  socks5_server_userpass_auth_set_status(trunnel_resp, 0); // auth OK
+
+  const char *errmsg = socks5_server_userpass_auth_check(trunnel_resp);
+  if (errmsg) {
+    log_warn(LD_APP, "socks5: server userpass auth validation failed: %s",
+             errmsg);
+    res = -1;
+    goto end;
+  }
+
+  ssize_t encoded = socks5_server_userpass_auth_encode(req->reply,
+                                                       sizeof(req->reply),
+                                                       trunnel_resp);
+
+  if (encoded < 0) {
+    log_warn(LD_APP, "socks5: server userpass auth encoding failed");
+    res = -1;
+    goto end;
+  }
+
+  req->replylen = (size_t)encoded;
+
+  end:
+  socks5_server_userpass_auth_free(trunnel_resp);
+  return res;
+}
+
 static int
 handle_socks_message(const uint8_t *raw_data, size_t datalen, socks_request_t *req,
                     int log_sockstype, int safe_socks, size_t *drain_out)
@ -362,6 +461,9 @@ handle_socks_message(const uint8_t *raw_data, size_t datalen, socks_request_t *r

  uint8_t socks_version = raw_data[0];

+  if (socks_version == 1)
+    socks_version = 5; // SOCKS5 username/pass subnegotiation
+
  if (socks_version == 4) {
    if (datalen < SOCKS4_NETWORK_LEN) {
      res = 0;
@ -394,12 +496,26 @@ handle_socks_message(const uint8_t *raw_data, size_t datalen, socks_request_t *r
      res = 0;
      goto end;
    }
+    /* RFC1929 SOCKS5 username/password subnegotiation. */
+    if ((!req->got_auth && raw_data[0] == 1) ||
+        req->auth_type == SOCKS_USER_PASS) {
+      int parse_status = parse_socks5_userpass_auth(raw_data, req, datalen,
+                                                    drain_out);

-    if (!req->got_auth) {
+      if (parse_status != 1) {
+        res = parse_status;
+        goto end;
+      }

-    }
+      int process_status = process_socks5_userpass_auth(req);
+      if (process_status != 1) {
+        res = process_status;
+        goto end;
+      }

-    if (req->socks_version != 5) {
+      res = 0;
+      goto end;
+    } else if (req->socks_version != 5) {
      int have_user_pass, have_no_auth;
      int parse_status = parse_socks5_methods_request(raw_data,
                                                      req,
@ -425,6 +541,9 @@ handle_socks_message(const uint8_t *raw_data, size_t datalen, socks_request_t *r
      res = 0;
      goto end;
    }
+  } else {
+    *drain_out = datalen;
+    res = -1;
  }

  end:
@ -562,8 +681,8 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req,

  socksver = get_uint8(data);

-  if ((socksver == 5 && req->socks_version != 5) ||
-      socksver == 4) {
+  if (socksver == 5 || socksver == 4 ||
+      socksver == 1) { // XXX: RFC 1929
    *want_length_out = 128; // TODO remove this arg later
    return handle_socks_message((const uint8_t *)data, datalen, req,
                                log_sockstype, safe_socks, drain_out);