socks.c 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at http://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * $Id$
  22. ***************************************************************************/
  23. #include "setup.h"
  24. #include <string.h>
  25. #ifdef NEED_MALLOC_H
  26. #include <malloc.h>
  27. #endif
  28. #ifdef HAVE_STDLIB_H
  29. #include <stdlib.h>
  30. #endif
  31. #include "urldata.h"
  32. #include "sendf.h"
  33. #include "strequal.h"
  34. #include "select.h"
  35. #include "connect.h"
  36. #include "timeval.h"
  37. #include "socks.h"
  38. /* The last #include file should be: */
  39. #include "memdebug.h"
  40. /*
  41. * Helper read-from-socket functions. Does the same as Curl_read() but it
  42. * blocks until all bytes amount of buffersize will be read. No more, no less.
  43. *
  44. * This is STUPID BLOCKING behaviour which we frown upon, but right now this
  45. * is what we have...
  46. */
  47. static int blockread_all(struct connectdata *conn, /* connection data */
  48. curl_socket_t sockfd, /* read from this socket */
  49. char *buf, /* store read data here */
  50. ssize_t buffersize, /* max amount to read */
  51. ssize_t *n, /* amount bytes read */
  52. long conn_timeout) /* timeout for data wait
  53. relative to
  54. conn->created */
  55. {
  56. ssize_t nread;
  57. ssize_t allread = 0;
  58. int result;
  59. struct timeval tvnow;
  60. long conntime;
  61. *n = 0;
  62. do {
  63. tvnow = Curl_tvnow();
  64. /* calculating how long connection is establishing */
  65. conntime = Curl_tvdiff(tvnow, conn->created);
  66. if(conntime > conn_timeout) {
  67. /* we already got the timeout */
  68. result = ~CURLE_OK;
  69. break;
  70. }
  71. if(Curl_select(sockfd, CURL_SOCKET_BAD,
  72. (int)(conn_timeout - conntime)) <= 0) {
  73. result = ~CURLE_OK;
  74. break;
  75. }
  76. result = Curl_read(conn, sockfd, buf, buffersize, &nread);
  77. if(result)
  78. break;
  79. if(buffersize == nread) {
  80. allread += nread;
  81. *n = allread;
  82. result = CURLE_OK;
  83. break;
  84. }
  85. buffersize -= nread;
  86. buf += nread;
  87. allread += nread;
  88. } while(1);
  89. return result;
  90. }
  91. /*
  92. * This function logs in to a SOCKS4 proxy and sends the specifics to the final
  93. * destination server.
  94. *
  95. * Reference :
  96. * http://socks.permeo.com/protocol/socks4.protocol
  97. *
  98. * Note :
  99. * Nonsupport "SOCKS 4A (Simple Extension to SOCKS 4 Protocol)"
  100. * Nonsupport "Identification Protocol (RFC1413)"
  101. */
  102. CURLcode Curl_SOCKS4(const char *proxy_name,
  103. struct connectdata *conn)
  104. {
  105. unsigned char socksreq[262]; /* room for SOCKS4 request incl. user id */
  106. int result;
  107. CURLcode code;
  108. curl_socket_t sock = conn->sock[FIRSTSOCKET];
  109. long timeout;
  110. struct SessionHandle *data = conn->data;
  111. /* get timeout */
  112. if(data->set.timeout && data->set.connecttimeout) {
  113. if (data->set.timeout < data->set.connecttimeout)
  114. timeout = data->set.timeout*1000;
  115. else
  116. timeout = data->set.connecttimeout*1000;
  117. }
  118. else if(data->set.timeout)
  119. timeout = data->set.timeout*1000;
  120. else if(data->set.connecttimeout)
  121. timeout = data->set.connecttimeout*1000;
  122. else
  123. timeout = DEFAULT_CONNECT_TIMEOUT;
  124. Curl_nonblock(sock, FALSE);
  125. /*
  126. * Compose socks4 request
  127. *
  128. * Request format
  129. *
  130. * +----+----+----+----+----+----+----+----+----+----+....+----+
  131. * | VN | CD | DSTPORT | DSTIP | USERID |NULL|
  132. * +----+----+----+----+----+----+----+----+----+----+....+----+
  133. * # of bytes: 1 1 2 4 variable 1
  134. */
  135. socksreq[0] = 4; /* version (SOCKS4) */
  136. socksreq[1] = 1; /* connect */
  137. *((unsigned short*)&socksreq[2]) = htons(conn->remote_port);
  138. /* DNS resolve */
  139. {
  140. struct Curl_dns_entry *dns;
  141. Curl_addrinfo *hp=NULL;
  142. int rc;
  143. rc = Curl_resolv(conn, conn->host.name, (int)conn->remote_port, &dns);
  144. if(rc == CURLRESOLV_ERROR)
  145. return CURLE_COULDNT_RESOLVE_PROXY;
  146. if(rc == CURLRESOLV_PENDING)
  147. /* this requires that we're in "wait for resolve" state */
  148. rc = Curl_wait_for_resolv(conn, &dns);
  149. /*
  150. * We cannot use 'hostent' as a struct that Curl_resolv() returns. It
  151. * returns a Curl_addrinfo pointer that may not always look the same.
  152. */
  153. if(dns)
  154. hp=dns->addr;
  155. if (hp) {
  156. char buf[64];
  157. unsigned short ip[4];
  158. Curl_printable_address(hp, buf, sizeof(buf));
  159. if(4 == sscanf( buf, "%hu.%hu.%hu.%hu",
  160. &ip[0], &ip[1], &ip[2], &ip[3])) {
  161. /* Set DSTIP */
  162. socksreq[4] = (unsigned char)ip[0];
  163. socksreq[5] = (unsigned char)ip[1];
  164. socksreq[6] = (unsigned char)ip[2];
  165. socksreq[7] = (unsigned char)ip[3];
  166. }
  167. else
  168. hp = NULL; /* fail! */
  169. Curl_resolv_unlock(data, dns); /* not used anymore from now on */
  170. }
  171. if(!hp) {
  172. failf(data, "Failed to resolve \"%s\" for SOCKS4 connect.",
  173. conn->host.name);
  174. return CURLE_COULDNT_RESOLVE_HOST;
  175. }
  176. }
  177. /*
  178. * This is currently not supporting "Identification Protocol (RFC1413)".
  179. */
  180. socksreq[8] = 0; /* ensure empty userid is NUL-terminated */
  181. if (proxy_name)
  182. strlcat((char*)socksreq + 8, proxy_name, sizeof(socksreq) - 8);
  183. /*
  184. * Make connection
  185. */
  186. {
  187. ssize_t actualread;
  188. ssize_t written;
  189. int packetsize = 9 +
  190. (int)strlen((char*)socksreq + 8); /* size including NUL */
  191. /* Send request */
  192. code = Curl_write(conn, sock, (char *)socksreq, packetsize, &written);
  193. if ((code != CURLE_OK) || (written != packetsize)) {
  194. failf(data, "Failed to send SOCKS4 connect request.");
  195. return CURLE_COULDNT_CONNECT;
  196. }
  197. packetsize = 8; /* receive data size */
  198. /* Receive response */
  199. result = blockread_all(conn, sock, (char *)socksreq, packetsize,
  200. &actualread, timeout);
  201. if ((result != CURLE_OK) || (actualread != packetsize)) {
  202. failf(data, "Failed to receive SOCKS4 connect request ack.");
  203. return CURLE_COULDNT_CONNECT;
  204. }
  205. /*
  206. * Response format
  207. *
  208. * +----+----+----+----+----+----+----+----+
  209. * | VN | CD | DSTPORT | DSTIP |
  210. * +----+----+----+----+----+----+----+----+
  211. * # of bytes: 1 1 2 4
  212. *
  213. * VN is the version of the reply code and should be 0. CD is the result
  214. * code with one of the following values:
  215. *
  216. * 90: request granted
  217. * 91: request rejected or failed
  218. * 92: request rejected because SOCKS server cannot connect to
  219. * identd on the client
  220. * 93: request rejected because the client program and identd
  221. * report different user-ids
  222. */
  223. /* wrong version ? */
  224. if (socksreq[0] != 0) {
  225. failf(data,
  226. "SOCKS4 reply has wrong version, version should be 4.");
  227. return CURLE_COULDNT_CONNECT;
  228. }
  229. /* Result */
  230. switch(socksreq[1])
  231. {
  232. case 90:
  233. infof(data, "SOCKS4 request granted.\n");
  234. break;
  235. case 91:
  236. failf(data,
  237. "Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d)"
  238. ", request rejected or failed.",
  239. (unsigned char)socksreq[4], (unsigned char)socksreq[5],
  240. (unsigned char)socksreq[6], (unsigned char)socksreq[7],
  241. (unsigned int)ntohs(*(unsigned short*)(&socksreq[8])),
  242. socksreq[1]);
  243. return CURLE_COULDNT_CONNECT;
  244. case 92:
  245. failf(data,
  246. "Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d)"
  247. ", request rejected because SOCKS server cannot connect to "
  248. "identd on the client.",
  249. (unsigned char)socksreq[4], (unsigned char)socksreq[5],
  250. (unsigned char)socksreq[6], (unsigned char)socksreq[7],
  251. (unsigned int)ntohs(*(unsigned short*)(&socksreq[8])),
  252. socksreq[1]);
  253. return CURLE_COULDNT_CONNECT;
  254. case 93:
  255. failf(data,
  256. "Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d)"
  257. ", request rejected because the client program and identd "
  258. "report different user-ids.",
  259. (unsigned char)socksreq[4], (unsigned char)socksreq[5],
  260. (unsigned char)socksreq[6], (unsigned char)socksreq[7],
  261. (unsigned int)ntohs(*(unsigned short*)(&socksreq[8])),
  262. socksreq[1]);
  263. return CURLE_COULDNT_CONNECT;
  264. default:
  265. failf(data,
  266. "Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d)"
  267. ", Unknown.",
  268. (unsigned char)socksreq[4], (unsigned char)socksreq[5],
  269. (unsigned char)socksreq[6], (unsigned char)socksreq[7],
  270. (unsigned int)ntohs(*(unsigned short*)(&socksreq[8])),
  271. socksreq[1]);
  272. return CURLE_COULDNT_CONNECT;
  273. }
  274. }
  275. Curl_nonblock(sock, TRUE);
  276. return CURLE_OK; /* Proxy was successful! */
  277. }
  278. /*
  279. * This function logs in to a SOCKS5 proxy and sends the specifics to the final
  280. * destination server.
  281. */
  282. CURLcode Curl_SOCKS5(const char *proxy_name,
  283. const char *proxy_password,
  284. struct connectdata *conn)
  285. {
  286. /*
  287. According to the RFC1928, section "6. Replies". This is what a SOCK5
  288. replies:
  289. +----+-----+-------+------+----------+----------+
  290. |VER | REP | RSV | ATYP | BND.ADDR | BND.PORT |
  291. +----+-----+-------+------+----------+----------+
  292. | 1 | 1 | X'00' | 1 | Variable | 2 |
  293. +----+-----+-------+------+----------+----------+
  294. Where:
  295. o VER protocol version: X'05'
  296. o REP Reply field:
  297. o X'00' succeeded
  298. */
  299. unsigned char socksreq[600]; /* room for large user/pw (255 max each) */
  300. ssize_t actualread;
  301. ssize_t written;
  302. int result;
  303. CURLcode code;
  304. curl_socket_t sock = conn->sock[FIRSTSOCKET];
  305. struct SessionHandle *data = conn->data;
  306. long timeout;
  307. /* get timeout */
  308. if(data->set.timeout && data->set.connecttimeout) {
  309. if (data->set.timeout < data->set.connecttimeout)
  310. timeout = data->set.timeout*1000;
  311. else
  312. timeout = data->set.connecttimeout*1000;
  313. }
  314. else if(data->set.timeout)
  315. timeout = data->set.timeout*1000;
  316. else if(data->set.connecttimeout)
  317. timeout = data->set.connecttimeout*1000;
  318. else
  319. timeout = DEFAULT_CONNECT_TIMEOUT;
  320. Curl_nonblock(sock, TRUE);
  321. /* wait until socket gets connected */
  322. result = Curl_select(CURL_SOCKET_BAD, sock, (int)timeout);
  323. if(-1 == result) {
  324. failf(conn->data, "SOCKS5: no connection here");
  325. return CURLE_COULDNT_CONNECT;
  326. }
  327. else if(0 == result) {
  328. failf(conn->data, "SOCKS5: connection timeout");
  329. return CURLE_OPERATION_TIMEDOUT;
  330. }
  331. if(result & CSELECT_ERR) {
  332. failf(conn->data, "SOCKS5: error occured during connection");
  333. return CURLE_COULDNT_CONNECT;
  334. }
  335. socksreq[0] = 5; /* version */
  336. socksreq[1] = (char)(proxy_name ? 2 : 1); /* number of methods (below) */
  337. socksreq[2] = 0; /* no authentication */
  338. socksreq[3] = 2; /* username/password */
  339. Curl_nonblock(sock, FALSE);
  340. code = Curl_write(conn, sock, (char *)socksreq, (2 + (int)socksreq[1]),
  341. &written);
  342. if ((code != CURLE_OK) || (written != (2 + (int)socksreq[1]))) {
  343. failf(data, "Unable to send initial SOCKS5 request.");
  344. return CURLE_COULDNT_CONNECT;
  345. }
  346. Curl_nonblock(sock, TRUE);
  347. result = Curl_select(sock, CURL_SOCKET_BAD, (int)timeout);
  348. if(-1 == result) {
  349. failf(conn->data, "SOCKS5 nothing to read");
  350. return CURLE_COULDNT_CONNECT;
  351. }
  352. else if(0 == result) {
  353. failf(conn->data, "SOCKS5 read timeout");
  354. return CURLE_OPERATION_TIMEDOUT;
  355. }
  356. if(result & CSELECT_ERR) {
  357. failf(conn->data, "SOCKS5 read error occured");
  358. return CURLE_RECV_ERROR;
  359. }
  360. Curl_nonblock(sock, FALSE);
  361. result=blockread_all(conn, sock, (char *)socksreq, 2, &actualread, timeout);
  362. if ((result != CURLE_OK) || (actualread != 2)) {
  363. failf(data, "Unable to receive initial SOCKS5 response.");
  364. return CURLE_COULDNT_CONNECT;
  365. }
  366. if (socksreq[0] != 5) {
  367. failf(data, "Received invalid version in initial SOCKS5 response.");
  368. return CURLE_COULDNT_CONNECT;
  369. }
  370. if (socksreq[1] == 0) {
  371. /* Nothing to do, no authentication needed */
  372. ;
  373. }
  374. else if (socksreq[1] == 2) {
  375. /* Needs user name and password */
  376. size_t userlen, pwlen;
  377. int len;
  378. if(proxy_name && proxy_password) {
  379. userlen = strlen(proxy_name);
  380. pwlen = proxy_password?strlen(proxy_password):0;
  381. }
  382. else {
  383. userlen = 0;
  384. pwlen = 0;
  385. }
  386. /* username/password request looks like
  387. * +----+------+----------+------+----------+
  388. * |VER | ULEN | UNAME | PLEN | PASSWD |
  389. * +----+------+----------+------+----------+
  390. * | 1 | 1 | 1 to 255 | 1 | 1 to 255 |
  391. * +----+------+----------+------+----------+
  392. */
  393. len = 0;
  394. socksreq[len++] = 1; /* username/pw subnegotiation version */
  395. socksreq[len++] = (char) userlen;
  396. memcpy(socksreq + len, proxy_name, (int) userlen);
  397. len += userlen;
  398. socksreq[len++] = (char) pwlen;
  399. memcpy(socksreq + len, proxy_password, (int) pwlen);
  400. len += pwlen;
  401. code = Curl_write(conn, sock, (char *)socksreq, len, &written);
  402. if ((code != CURLE_OK) || (len != written)) {
  403. failf(data, "Failed to send SOCKS5 sub-negotiation request.");
  404. return CURLE_COULDNT_CONNECT;
  405. }
  406. result=blockread_all(conn, sock, (char *)socksreq, 2, &actualread,
  407. timeout);
  408. if ((result != CURLE_OK) || (actualread != 2)) {
  409. failf(data, "Unable to receive SOCKS5 sub-negotiation response.");
  410. return CURLE_COULDNT_CONNECT;
  411. }
  412. /* ignore the first (VER) byte */
  413. if (socksreq[1] != 0) { /* status */
  414. failf(data, "User was rejected by the SOCKS5 server (%d %d).",
  415. socksreq[0], socksreq[1]);
  416. return CURLE_COULDNT_CONNECT;
  417. }
  418. /* Everything is good so far, user was authenticated! */
  419. }
  420. else {
  421. /* error */
  422. if (socksreq[1] == 1) {
  423. failf(data,
  424. "SOCKS5 GSSAPI per-message authentication is not supported.");
  425. return CURLE_COULDNT_CONNECT;
  426. }
  427. else if (socksreq[1] == 255) {
  428. if (!proxy_name || !*proxy_name) {
  429. failf(data,
  430. "No authentication method was acceptable. (It is quite likely"
  431. " that the SOCKS5 server wanted a username/password, since none"
  432. " was supplied to the server on this connection.)");
  433. }
  434. else {
  435. failf(data, "No authentication method was acceptable.");
  436. }
  437. return CURLE_COULDNT_CONNECT;
  438. }
  439. else {
  440. failf(data,
  441. "Undocumented SOCKS5 mode attempted to be used by server.");
  442. return CURLE_COULDNT_CONNECT;
  443. }
  444. }
  445. /* Authentication is complete, now specify destination to the proxy */
  446. socksreq[0] = 5; /* version (SOCKS5) */
  447. socksreq[1] = 1; /* connect */
  448. socksreq[2] = 0; /* must be zero */
  449. socksreq[3] = 1; /* IPv4 = 1 */
  450. {
  451. struct Curl_dns_entry *dns;
  452. Curl_addrinfo *hp=NULL;
  453. int rc = Curl_resolv(conn, conn->host.name, (int)conn->remote_port, &dns);
  454. if(rc == CURLRESOLV_ERROR)
  455. return CURLE_COULDNT_RESOLVE_HOST;
  456. if(rc == CURLRESOLV_PENDING)
  457. /* this requires that we're in "wait for resolve" state */
  458. rc = Curl_wait_for_resolv(conn, &dns);
  459. /*
  460. * We cannot use 'hostent' as a struct that Curl_resolv() returns. It
  461. * returns a Curl_addrinfo pointer that may not always look the same.
  462. */
  463. if(dns)
  464. hp=dns->addr;
  465. if (hp) {
  466. char buf[64];
  467. unsigned short ip[4];
  468. Curl_printable_address(hp, buf, sizeof(buf));
  469. if(4 == sscanf( buf, "%hu.%hu.%hu.%hu",
  470. &ip[0], &ip[1], &ip[2], &ip[3])) {
  471. socksreq[4] = (unsigned char)ip[0];
  472. socksreq[5] = (unsigned char)ip[1];
  473. socksreq[6] = (unsigned char)ip[2];
  474. socksreq[7] = (unsigned char)ip[3];
  475. }
  476. else
  477. hp = NULL; /* fail! */
  478. Curl_resolv_unlock(data, dns); /* not used anymore from now on */
  479. }
  480. if(!hp) {
  481. failf(data, "Failed to resolve \"%s\" for SOCKS5 connect.",
  482. conn->host.name);
  483. return CURLE_COULDNT_RESOLVE_HOST;
  484. }
  485. }
  486. *((unsigned short*)&socksreq[8]) = htons(conn->remote_port);
  487. {
  488. const int packetsize = 10;
  489. code = Curl_write(conn, sock, (char *)socksreq, packetsize, &written);
  490. if ((code != CURLE_OK) || (written != packetsize)) {
  491. failf(data, "Failed to send SOCKS5 connect request.");
  492. return CURLE_COULDNT_CONNECT;
  493. }
  494. result = blockread_all(conn, sock, (char *)socksreq, packetsize,
  495. &actualread, timeout);
  496. if ((result != CURLE_OK) || (actualread != packetsize)) {
  497. failf(data, "Failed to receive SOCKS5 connect request ack.");
  498. return CURLE_COULDNT_CONNECT;
  499. }
  500. if (socksreq[0] != 5) { /* version */
  501. failf(data,
  502. "SOCKS5 reply has wrong version, version should be 5.");
  503. return CURLE_COULDNT_CONNECT;
  504. }
  505. if (socksreq[1] != 0) { /* Anything besides 0 is an error */
  506. failf(data,
  507. "Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)",
  508. (unsigned char)socksreq[4], (unsigned char)socksreq[5],
  509. (unsigned char)socksreq[6], (unsigned char)socksreq[7],
  510. (unsigned int)ntohs(*(unsigned short*)(&socksreq[8])),
  511. socksreq[1]);
  512. return CURLE_COULDNT_CONNECT;
  513. }
  514. }
  515. Curl_nonblock(sock, TRUE);
  516. return CURLE_OK; /* Proxy was successful! */
  517. }