From 4d8c03359614356244be9591abac4c5f6dc1e34b Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Wed, 30 May 2018 22:36:20 +0100 Subject: [PATCH] Rewrite SOCKS client code using BinarySource. I've also replaced the entire SOCKS state machine whose states were barely-documented literal integers with one that uses an actual enum. I think the result is a great deal clearer. In the course of this rewrite I noticed that PuTTY's dynamic port forwarding had never got round to supporting the SOCKS5 IPv6 address format - though there was a FIXME comment saying it ought to. So now it does: if a SOCKS5 client provides a binary IPv6 address (which PuTTY's _own_ SOCKS5 client, in proxy.c, is quite capable of doing!), then that will be translated into the usual IPv6 hex literal representation to put in the "direct-tcpip" channel open request. --- portfwd.c | 486 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 252 insertions(+), 234 deletions(-) diff --git a/portfwd.c b/portfwd.c index 1e4d2d1f..069bc3bf 100644 --- a/portfwd.c +++ b/portfwd.c @@ -2,12 +2,25 @@ * SSH port forwarding. */ +#include #include #include #include "putty.h" #include "ssh.h" +/* + * Enumeration of values that live in the 'socks_state' field of + * struct PortForwarding. + */ +typedef enum { + SOCKS_NONE, /* direct connection (no SOCKS, or SOCKS already done) */ + SOCKS_INITIAL, /* don't know if we're SOCKS 4 or 5 yet */ + SOCKS_4, /* expect a SOCKS 4 (or 4A) connection message */ + SOCKS_5_INITIAL, /* expect a SOCKS 5 preliminary message */ + SOCKS_5_CONNECT /* expect a SOCKS 5 connection message */ +} SocksState; + struct PortForwarding { struct ssh_channel *c; /* channel structure held by ssh.c */ void *backhandle; /* instance of SSH backend itself */ @@ -15,13 +28,7 @@ struct PortForwarding { Socket s; int throttled, throttle_override; int ready; - /* - * `dynamic' does double duty. It's set to 0 for an ordinary - * forwarded port, and nonzero for SOCKS-style dynamic port - * forwarding; but the nonzero values are also a state machine - * tracking where the SOCKS exchange has got to. - */ - int dynamic; + SocksState socks_state; /* * `hostname' and `port' are the real hostname and port, once * we know what we're connecting to. @@ -29,18 +36,12 @@ struct PortForwarding { char *hostname; int port; /* - * `socksbuf' is the buffer we use to accumulate a SOCKS request. + * `socksbuf' is the buffer we use to accumulate the initial SOCKS + * segment of the incoming data, plus anything after that that we + * receive before we're ready to send data to the SSH server. */ - char *socksbuf; - int sockslen, sockssize; - /* - * When doing dynamic port forwarding, we can receive - * connection data before we are actually able to send it; so - * we may have to temporarily hold some in a dynamically - * allocated buffer here. - */ - void *buffer; - int buflen; + strbuf *socksbuf; + size_t socksbuf_consumed; const Plug_vtable *plugvt; }; @@ -48,11 +49,7 @@ struct PortForwarding { struct PortListener { void *backhandle; /* instance of SSH backend itself */ Socket s; - /* - * `dynamic' is set to 0 for an ordinary forwarded port, and - * nonzero for SOCKS-style dynamic port forwarding. - */ - int dynamic; + int is_dynamic; /* * `hostname' and `port' are the real hostname and port, for * ordinary forwardings. @@ -68,8 +65,6 @@ static struct PortForwarding *new_portfwd_state(void) struct PortForwarding *pf = snew(struct PortForwarding); pf->hostname = NULL; pf->socksbuf = NULL; - pf->sockslen = pf->sockssize = 0; - pf->buffer = NULL; return pf; } @@ -78,8 +73,8 @@ static void free_portfwd_state(struct PortForwarding *pf) if (!pf) return; sfree(pf->hostname); - sfree(pf->socksbuf); - sfree(pf->buffer); + if (pf->socksbuf) + strbuf_free(pf->socksbuf); sfree(pf); } @@ -162,207 +157,238 @@ static void wrap_send_port_open(void *channel, const char *hostname, int port, sfree(description); } +static char *ipv4_to_string(unsigned ipv4) +{ + return dupprintf("%u.%u.%u.%u", + (ipv4 >> 24) & 0xFF, (ipv4 >> 16) & 0xFF, + (ipv4 >> 8) & 0xFF, (ipv4 ) & 0xFF); +} + +static char *ipv6_to_string(ptrlen ipv6) +{ + const unsigned char *addr = ipv6.ptr; + assert(ipv6.len == 16); + return dupprintf("%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x", + (unsigned)GET_16BIT_MSB_FIRST(addr + 0), + (unsigned)GET_16BIT_MSB_FIRST(addr + 2), + (unsigned)GET_16BIT_MSB_FIRST(addr + 4), + (unsigned)GET_16BIT_MSB_FIRST(addr + 6), + (unsigned)GET_16BIT_MSB_FIRST(addr + 8), + (unsigned)GET_16BIT_MSB_FIRST(addr + 10), + (unsigned)GET_16BIT_MSB_FIRST(addr + 12), + (unsigned)GET_16BIT_MSB_FIRST(addr + 14)); +} + static void pfd_receive(Plug plug, int urgent, char *data, int len) { struct PortForwarding *pf = FROMFIELD(plug, struct PortForwarding, plugvt); - if (pf->dynamic) { - while (len--) { - if (pf->sockslen >= pf->sockssize) { - pf->sockssize = pf->sockslen * 5 / 4 + 256; - pf->socksbuf = sresize(pf->socksbuf, pf->sockssize, char); - } - pf->socksbuf[pf->sockslen++] = *data++; - /* - * Now check what's in the buffer to see if it's a - * valid and complete message in the SOCKS exchange. - */ - if ((pf->dynamic == 1 || (pf->dynamic >> 12) == 4) && - pf->socksbuf[0] == 4) { - /* - * SOCKS 4. - */ - if (pf->dynamic == 1) - pf->dynamic = 0x4000; - if (pf->sockslen < 2) - continue; /* don't have command code yet */ - if (pf->socksbuf[1] != 1) { - /* Not CONNECT. */ - /* Send back a SOCKS 4 error before closing. */ - char data[8]; - memset(data, 0, sizeof(data)); - data[1] = 91; /* generic `request rejected' */ - sk_write(pf->s, data, 8); - pfd_close(pf); - return; - } - if (pf->sockslen <= 8) - continue; /* haven't started user/hostname */ - if (pf->socksbuf[pf->sockslen-1] != 0) - continue; /* haven't _finished_ user/hostname */ - /* - * Now we have a full SOCKS 4 request. Check it to - * see if it's a SOCKS 4A request. - */ - if (pf->socksbuf[4] == 0 && pf->socksbuf[5] == 0 && - pf->socksbuf[6] == 0 && pf->socksbuf[7] != 0) { - /* - * It's SOCKS 4A. So if we haven't yet - * collected the host name, we should continue - * waiting for data in order to do so; if we - * have, we can go ahead. - */ - int len; - if (pf->dynamic == 0x4000) { - pf->dynamic = 0x4001; - pf->sockslen = 8; /* reset buffer to overwrite name */ - continue; - } - pf->socksbuf[0] = 0; /* reply version code */ - pf->socksbuf[1] = 90; /* request granted */ - sk_write(pf->s, pf->socksbuf, 8); - len = pf->sockslen - 8; - pf->port = GET_16BIT_MSB_FIRST(pf->socksbuf+2); - pf->hostname = snewn(len+1, char); - pf->hostname[len] = '\0'; - memcpy(pf->hostname, pf->socksbuf + 8, len); - goto connect; - } else { - /* - * It's SOCKS 4, which means we should format - * the IP address into the hostname string and - * then just go. - */ - pf->socksbuf[0] = 0; /* reply version code */ - pf->socksbuf[1] = 90; /* request granted */ - sk_write(pf->s, pf->socksbuf, 8); - pf->port = GET_16BIT_MSB_FIRST(pf->socksbuf+2); - pf->hostname = dupprintf("%d.%d.%d.%d", - (unsigned char)pf->socksbuf[4], - (unsigned char)pf->socksbuf[5], - (unsigned char)pf->socksbuf[6], - (unsigned char)pf->socksbuf[7]); - goto connect; - } - } + if (len == 0) + return; - if ((pf->dynamic == 1 || (pf->dynamic >> 12) == 5) && - pf->socksbuf[0] == 5) { - /* - * SOCKS 5. - */ - if (pf->dynamic == 1) - pf->dynamic = 0x5000; + if (pf->socks_state != SOCKS_NONE) { + BinarySource src[1]; - if (pf->dynamic == 0x5000) { - int i, method; - char data[2]; - /* - * We're receiving a set of method identifiers. - */ - if (pf->sockslen < 2) - continue; /* no method count yet */ - if (pf->sockslen < 2 + (unsigned char)pf->socksbuf[1]) - continue; /* no methods yet */ - method = 0xFF; /* invalid */ - for (i = 0; i < (unsigned char)pf->socksbuf[1]; i++) - if (pf->socksbuf[2+i] == 0) { - method = 0;/* no auth */ - break; - } - data[0] = 5; - data[1] = method; - sk_write(pf->s, data, 2); - pf->dynamic = 0x5001; - pf->sockslen = 0; /* re-empty the buffer */ - continue; - } + /* + * Store all the data we've got in socksbuf. + */ + put_data(pf->socksbuf, data, len); - if (pf->dynamic == 0x5001) { - /* - * We're receiving a SOCKS request. - */ - unsigned char reply[10]; /* SOCKS5 atyp=1 reply */ - int atype, alen = 0; + /* + * Check the start of socksbuf to see if it's a valid and + * complete message in the SOCKS exchange. + */ - /* - * Pre-fill reply packet. - * In all cases, we set BND.{HOST,ADDR} to 0.0.0.0:0 - * (atyp=1) in the reply; if we succeed, we don't know - * the right answers, and if we fail, they should be - * ignored. - */ - memset(reply, 0, lenof(reply)); - reply[0] = 5; /* VER */ - reply[3] = 1; /* ATYP = 1 (IPv4, 0.0.0.0:0) */ + if (pf->socks_state == SOCKS_INITIAL) { + /* Preliminary: check the first byte of the data (which we + * _must_ have by now) to find out which SOCKS major + * version we're speaking. */ + switch (pf->socksbuf->u[0]) { + case 4: + pf->socks_state = SOCKS_4; + break; + case 5: + pf->socks_state = SOCKS_5_INITIAL; + break; + default: + pfd_close(pf); /* unrecognised version */ + return; + } + } - if (pf->sockslen < 6) continue; - atype = (unsigned char)pf->socksbuf[3]; - if (atype == 1) /* IPv4 address */ - alen = 4; - if (atype == 4) /* IPv6 address */ - alen = 16; - if (atype == 3) /* domain name has leading length */ - alen = 1 + (unsigned char)pf->socksbuf[4]; - if (pf->sockslen < 6 + alen) continue; - if (pf->socksbuf[1] != 1 || pf->socksbuf[2] != 0) { - /* Not CONNECT or reserved field nonzero - error */ - reply[1] = 1; /* generic failure */ - sk_write(pf->s, reply, lenof(reply)); - pfd_close(pf); - return; - } - /* - * Now we have a viable connect request. Switch - * on atype. - */ - pf->port = GET_16BIT_MSB_FIRST(pf->socksbuf+4+alen); - if (atype == 1) { - /* REP=0 (success) already */ - sk_write(pf->s, reply, lenof(reply)); - pf->hostname = dupprintf("%d.%d.%d.%d", - (unsigned char)pf->socksbuf[4], - (unsigned char)pf->socksbuf[5], - (unsigned char)pf->socksbuf[6], - (unsigned char)pf->socksbuf[7]); - goto connect; - } else if (atype == 3) { - /* REP=0 (success) already */ - sk_write(pf->s, reply, lenof(reply)); - pf->hostname = snewn(alen, char); - pf->hostname[alen-1] = '\0'; - memcpy(pf->hostname, pf->socksbuf + 5, alen-1); - goto connect; - } else { - /* - * Unknown address type. (FIXME: support IPv6!) - */ - reply[1] = 8; /* atype not supported */ - sk_write(pf->s, reply, lenof(reply)); - pfd_close(pf); - return; - } - } - } + BinarySource_BARE_INIT(src, pf->socksbuf->u, pf->socksbuf->len); + get_data(src, pf->socksbuf_consumed); - /* - * If we get here without either having done `continue' - * or `goto connect', it must be because there is no - * sensible interpretation of what's in our buffer. So - * close the connection rudely. - */ - pfd_close(pf); - break; - } - return; + while (pf->socks_state != SOCKS_NONE) { + unsigned socks_version, message_type, reserved_byte; + unsigned reply_code, port, ipv4, method; + ptrlen methods; + const char *socks4_hostname; + strbuf *output; + + switch (pf->socks_state) { + case SOCKS_INITIAL: + case SOCKS_NONE: + assert(0 && "These case values cannot appear"); + + case SOCKS_4: + /* SOCKS 4/4A connect message */ + socks_version = get_byte(src); + message_type = get_byte(src); + + if (get_err(src) == BSE_OUT_OF_DATA) + return; + if (socks_version == 4 && message_type == 1) { + /* CONNECT message */ + int name_based = FALSE; + + port = get_uint16(src); + ipv4 = get_uint32(src); + if (ipv4 > 0x00000000 && ipv4 < 0x00000100) { + /* + * Addresses in this range indicate the SOCKS 4A + * extension to specify a hostname, which comes + * after the username. + */ + name_based = TRUE; + } + get_asciz(src); /* skip username */ + socks4_hostname = name_based ? get_asciz(src) : NULL; + + if (get_err(src) == BSE_OUT_OF_DATA) + return; + if (get_err(src)) + goto socks4_reject; + + pf->port = port; + if (name_based) { + pf->hostname = dupstr(socks4_hostname); + } else { + pf->hostname = ipv4_to_string(ipv4); + } + + output = strbuf_new(); + put_byte(output, 0); /* reply version */ + put_byte(output, 90); /* SOCKS 4 'request granted' */ + put_uint16(output, 0); /* null port field */ + put_uint32(output, 0); /* null address field */ + sk_write(pf->s, output->u, output->len); + strbuf_free(output); + + pf->socks_state = SOCKS_NONE; + pf->socksbuf_consumed = src->pos; + break; + } + + socks4_reject: + output = strbuf_new(); + put_byte(output, 0); /* reply version */ + put_byte(output, 91); /* SOCKS 4 'request rejected' */ + put_uint16(output, 0); /* null port field */ + put_uint32(output, 0); /* null address field */ + sk_write(pf->s, output->u, output->len); + strbuf_free(output); + pfd_close(pf); + return; + + case SOCKS_5_INITIAL: + /* SOCKS 5 initial method list */ + socks_version = get_byte(src); + methods = get_pstring(src); + + method = 0xFF; /* means 'no usable method found' */ + { + int i; + for (i = 0; i < methods.len; i++) { + if (((const unsigned char *)methods.ptr)[i] == 0 ) { + method = 0; /* no auth */ + break; + } + } + } + + if (get_err(src) == BSE_OUT_OF_DATA) + return; + if (get_err(src)) + method = 0xFF; + + output = strbuf_new(); + put_byte(output, 5); /* SOCKS version */ + put_byte(output, method); /* selected auth method */ + sk_write(pf->s, output->u, output->len); + strbuf_free(output); + + if (method == 0xFF) { + pfd_close(pf); + return; + } + + pf->socks_state = SOCKS_5_CONNECT; + pf->socksbuf_consumed = src->pos; + break; + + case SOCKS_5_CONNECT: + /* SOCKS 5 connect message */ + socks_version = get_byte(src); + message_type = get_byte(src); + reserved_byte = get_byte(src); + + if (socks_version == 5 && message_type == 1 && + reserved_byte == 0) { + + reply_code = 0; /* success */ + + switch (get_byte(src)) { + case 1: /* IPv4 */ + pf->hostname = ipv4_to_string(get_uint32(src)); + break; + case 4: /* IPv6 */ + pf->hostname = ipv6_to_string(get_data(src, 16)); + break; + case 3: /* unresolved domain name */ + pf->hostname = mkstr(get_pstring(src)); + break; + default: + pf->hostname = NULL; + reply_code = 8; /* address type not supported */ + break; + } + + pf->port = get_uint16(src); + } else { + reply_code = 7; /* command not supported */ + } + + if (get_err(src) == BSE_OUT_OF_DATA) + return; + if (get_err(src)) + reply_code = 1; /* general server failure */ + + output = strbuf_new(); + put_byte(output, 5); /* SOCKS version */ + put_byte(output, reply_code); + put_byte(output, 0); /* reserved */ + put_byte(output, 1); /* IPv4 address follows */ + put_uint32(output, 0); /* bound IPv4 address (unused) */ + put_uint16(output, 0); /* bound port number (unused) */ + sk_write(pf->s, output->u, output->len); + strbuf_free(output); + + if (reply_code != 0) { + pfd_close(pf); + return; + } + + pf->socks_state = SOCKS_NONE; + pf->socksbuf_consumed = src->pos; + break; + } + } /* * We come here when we're ready to make an actual * connection. */ - connect: - sfree(pf->socksbuf); - pf->socksbuf = NULL; /* * Freeze the socket until the SSH server confirms the @@ -378,17 +404,6 @@ static void pfd_receive(Plug plug, int urgent, char *data, int len) /* asks to forward to the specified host/port for this */ wrap_send_port_open(pf->c, pf->hostname, pf->port, pf->s); } - pf->dynamic = 0; - - /* - * If there's any data remaining in our current buffer, - * save it to be sent on pfd_confirm(). - */ - if (len > 0) { - pf->buffer = snewn(len, char); - memcpy(pf->buffer, data, len); - pf->buflen = len; - } } if (pf->ready) { if (sshfwd_write(pf->c, data, len) > 0) { @@ -450,7 +465,7 @@ char *pfd_connect(struct PortForwarding **pf_ret, char *hostname,int port, pf->ready = 1; pf->c = c; pf->backhandle = NULL; /* we shouldn't need this */ - pf->dynamic = 0; + pf->socks_state = SOCKS_NONE; pf->s = new_connection(addr, dummy_realhost, port, 0, 1, 0, 0, &pf->plugvt, conf); @@ -493,12 +508,14 @@ static int pfl_accepting(Plug p, accept_fn_t constructor, accept_ctx_t ctx) pf->throttled = pf->throttle_override = 0; pf->ready = 0; - if (pl->dynamic) { - pf->dynamic = 1; + if (pl->is_dynamic) { + pf->socks_state = SOCKS_INITIAL; + pf->socksbuf = strbuf_new(); + pf->socksbuf_consumed = 0; pf->port = 0; /* "hostname" buffer is so far empty */ sk_set_frozen(s, 0); /* we want to receive SOCKS _now_! */ } else { - pf->dynamic = 0; + pf->socks_state = SOCKS_NONE; pf->hostname = dupstr(pl->hostname); pf->port = pl->port; pf->c = new_sock_channel(pl->backhandle, pf); @@ -544,9 +561,9 @@ char *pfl_listen(char *desthost, int destport, char *srcaddr, if (desthost) { pl->hostname = dupstr(desthost); pl->port = destport; - pl->dynamic = 0; + pl->is_dynamic = FALSE; } else - pl->dynamic = 1; + pl->is_dynamic = TRUE; pl->backhandle = backhandle; pl->s = new_listener(srcaddr, port, &pl->plugvt, @@ -625,9 +642,10 @@ void pfd_confirm(struct PortForwarding *pf) pf->ready = 1; sk_set_frozen(pf->s, 0); sk_write(pf->s, NULL, 0); - if (pf->buffer) { - sshfwd_write(pf->c, pf->buffer, pf->buflen); - sfree(pf->buffer); - pf->buffer = NULL; + if (pf->socksbuf) { + sshfwd_write(pf->c, pf->socksbuf->u + pf->socksbuf_consumed, + pf->socksbuf->len - pf->socksbuf_consumed); + strbuf_free(pf->socksbuf); + pf->socksbuf = NULL; } }