projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
DANE: smtp transport option dane_require_tls_ciphers
[exim.git] / src / src / transports / smtp_socks.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) Jeremy Harris 2015 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* SOCKS version 5 proxy, client-mode */
9
10 #include "../exim.h"
11 #include "smtp.h"
12
13 #ifdef SUPPORT_SOCKS /* entire file */
14
15 #ifndef nelem
16 # define nelem(arr) (sizeof(arr)/sizeof(*arr))
17 #endif
18
19
20 /* Defaults */
21 #define SOCKS_PORT 1080
22 #define SOCKS_TIMEOUT 5
23 #define SOCKS_WEIGHT 1
24 #define SOCKS_PRIORITY 1
25
26 #define AUTH_NONE 0
27 #define AUTH_NAME 2 /* user/password per RFC 1929 */
28 #define AUTH_NAME_VER 1
29
30 struct socks_err
31 {
32 uschar * reason;
33 int errcode;
34 } socks_errs[] =
35 {
36 {NULL, 0},
37 {US"general SOCKS server failure", EIO},
38 {US"connection not allowed by ruleset", EACCES},
39 {US"Network unreachable", ENETUNREACH},
40 {US"Host unreachable", EHOSTUNREACH},
41 {US"Connection refused", ECONNREFUSED},
42 {US"TTL expired", ECANCELED},
43 {US"Command not supported", EOPNOTSUPP},
44 {US"Address type not supported", EAFNOSUPPORT}
45 };
46
47 typedef struct
48 {
49 const uschar * proxy_host;
50 uschar auth_type; /* RFC 1928 encoding */
51 const uschar * auth_name;
52 const uschar * auth_pwd;
53 short port;
54 BOOL is_failed;
55 unsigned timeout;
56 unsigned weight;
57 unsigned priority;
58 } socks_opts;
59
60 static void
61 socks_option_defaults(socks_opts * sob)
62 {
63 sob->proxy_host = NULL;
64 sob->auth_type = AUTH_NONE;
65 sob->auth_name = US"";
66 sob->auth_pwd = US"";
67 sob->is_failed = FALSE;
68 sob->port = SOCKS_PORT;
69 sob->timeout = SOCKS_TIMEOUT;
70 sob->weight = SOCKS_WEIGHT;
71 sob->priority = SOCKS_PRIORITY;
72 }
73
74 static void
75 socks_option(socks_opts * sob, const uschar * opt)
76 {
77 if (Ustrncmp(opt, "auth=", 5) == 0)
78 {
79 opt += 5;
80 if (Ustrcmp(opt, "none") == 0) sob->auth_type = AUTH_NONE;
81 else if (Ustrcmp(opt, "name") == 0) sob->auth_type = AUTH_NAME;
82 }
83 else if (Ustrncmp(opt, "name=", 5) == 0)
84 sob->auth_name = opt + 5;
85 else if (Ustrncmp(opt, "pass=", 5) == 0)
86 sob->auth_pwd = opt + 5;
87 else if (Ustrncmp(opt, "port=", 5) == 0)
88 sob->port = atoi(opt + 5);
89 else if (Ustrncmp(opt, "tmo=", 4) == 0)
90 sob->timeout = atoi(CCS opt + 4);
91 else if (Ustrncmp(opt, "pri=", 4) == 0)
92 sob->priority = atoi(CCS opt + 4);
93 else if (Ustrncmp(opt, "weight=", 7) == 0)
94 sob->weight = atoi(CCS opt + 7);
95 return;
96 }
97
98 static int
99 socks_auth(int fd, int method, socks_opts * sob, time_t tmo)
100 {
101 uschar * s;
102 int len, i, j;
103
104 switch(method)
105 {
106 default:
107 log_write(0, LOG_MAIN|LOG_PANIC,
108 "Unrecognised socks auth method %d", method);
109 return FAIL;
110 case AUTH_NONE:
111 return OK;
112 case AUTH_NAME:
113 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" socks auth NAME '%s' '%s'\n",
114 sob->auth_name, sob->auth_pwd);
115 i = Ustrlen(sob->auth_name);
116 j = Ustrlen(sob->auth_pwd);
117 s = string_sprintf("%c%c%.255s%c%.255s", AUTH_NAME_VER,
118 i, sob->auth_name, j, sob->auth_pwd);
119 len = i + j + 3;
120 HDEBUG(D_transport|D_acl|D_v)
121 {
122 int i;
123 debug_printf_indent(" SOCKS>>");
124 for (i = 0; i<len; i++) debug_printf(" %02x", s[i]);
125 debug_printf("\n");
126 }
127 if (send(fd, s, len, 0) < 0)
128 return FAIL;
129 #ifdef TCP_QUICKACK
130 (void) setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
131 #endif
132 if (!fd_ready(fd, tmo-time(NULL)) || read(fd, s, 2) != 2)
133 return FAIL;
134 HDEBUG(D_transport|D_acl|D_v)
135 debug_printf_indent(" SOCKS<< %02x %02x\n", s[0], s[1]);
136 if (s[0] == AUTH_NAME_VER && s[1] == 0)
137 {
138 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" socks auth OK\n");
139 return OK;
140 }
141
142 log_write(0, LOG_MAIN|LOG_PANIC, "socks auth failed");
143 errno = EPROTO;
144 return FAIL;
145 }
146 }
147
148
149
150 /* Find a suitable proxy to use from the list.
151 Possible common code with spamd_get_server() ?
152
153 Return: index into proxy spec array, or -1
154 */
155
156 static int
157 socks_get_proxy(socks_opts * proxies, unsigned nproxies)
158 {
159 unsigned int i;
160 socks_opts * sd;
161 socks_opts * lim = &proxies[nproxies];
162 long rnd, weights;
163 unsigned pri;
164 static BOOL srandomed = FALSE;
165
166 if (nproxies == 1) /* shortcut, if we have only 1 server */
167 return (proxies[0].is_failed ? -1 : 0);
168
169 /* init random */
170 if (!srandomed)
171 {
172 struct timeval tv;
173 gettimeofday(&tv, NULL);
174 srandom((unsigned int)(tv.tv_usec/1000));
175 srandomed = TRUE;
176 }
177
178 /* scan for highest pri */
179 for (pri = 0, sd = proxies; sd < lim; sd++)
180 if (!sd->is_failed && sd->priority > pri)
181 pri = sd->priority;
182
183 /* get sum of weights at this pri */
184 for (weights = 0, sd = proxies; sd < lim; sd++)
185 if (!sd->is_failed && sd->priority == pri)
186 weights += sd->weight;
187 if (weights == 0) /* all servers failed */
188 return -1;
189
190 for (rnd = random() % weights, i = 0; i < nproxies; i++)
191 {
192 sd = &proxies[i];
193 if (!sd->is_failed && sd->priority == pri)
194 if ((rnd -= sd->weight) <= 0)
195 return i;
196 }
197
198 log_write(0, LOG_MAIN|LOG_PANIC,
199 "%s unknown error (memory/cpu corruption?)", __FUNCTION__);
200 return -1;
201 }
202
203
204
205 /* Make a connection via a socks proxy
206
207 Arguments:
208 host smtp target host
209 host_af address family
210 port remote tcp port number
211 interface local interface
212 tb transport
213 timeout connection timeout (zero for indefinite)
214
215 Return value:
216 0 on success; -1 on failure, with errno set
217 */
218
219 int
220 socks_sock_connect(host_item * host, int host_af, int port, uschar * interface,
221 transport_instance * tb, int timeout)
222 {
223 smtp_transport_options_block * ob =
224 (smtp_transport_options_block *)tb->options_block;
225 const uschar * proxy_list;
226 const uschar * proxy_spec;
227 int sep = 0;
228 int fd;
229 time_t tmo;
230 const uschar * state;
231 uschar buf[24];
232 socks_opts proxies[32]; /* max #proxies handled */
233 unsigned nproxies;
234 socks_opts * sob;
235 unsigned size;
236 blob early_data;
237
238 if (!timeout) timeout = 24*60*60; /* use 1 day for "indefinite" */
239 tmo = time(NULL) + timeout;
240
241 if (!(proxy_list = expand_string(ob->socks_proxy)))
242 {
243 log_write(0, LOG_MAIN|LOG_PANIC, "Bad expansion for socks_proxy in %s",
244 tb->name);
245 return -1;
246 }
247
248 /* Read proxy list */
249
250 for (nproxies = 0;
251 nproxies < nelem(proxies)
252 && (proxy_spec = string_nextinlist(&proxy_list, &sep, NULL, 0));
253 nproxies++)
254 {
255 int subsep = -' ';
256 const uschar * option;
257
258 socks_option_defaults(sob = &proxies[nproxies]);
259
260 if (!(sob->proxy_host = string_nextinlist(&proxy_spec, &subsep, NULL, 0)))
261 {
262 /* paniclog config error */
263 return -1;
264 }
265
266 /*XXX consider global options eg. "hide socks_password = wibble" on the tpt */
267 /* extract any further per-proxy options */
268 while ((option = string_nextinlist(&proxy_spec, &subsep, NULL, 0)))
269 socks_option(sob, option);
270 }
271
272 /* Set up the socks protocol method-selection message,
273 for sending on connection */
274
275 state = US"method select";
276 buf[0] = 5; buf[1] = 1; buf[2] = sob->auth_type;
277 early_data.data = buf;
278 early_data.len = 3;
279
280 /* Try proxies until a connection succeeds */
281
282 for(;;)
283 {
284 int idx;
285 host_item proxy;
286 int proxy_af;
287
288 if ((idx = socks_get_proxy(proxies, nproxies)) < 0)
289 {
290 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" no proxies left\n");
291 errno = EBUSY;
292 return -1;
293 }
294 sob = &proxies[idx];
295
296 /* bodge up a host struct for the proxy */
297 proxy.address = proxy.name = sob->proxy_host;
298 proxy_af = Ustrchr(sob->proxy_host, ':') ? AF_INET6 : AF_INET;
299
300 if ((fd = smtp_sock_connect(&proxy, proxy_af, sob->port,
301 interface, tb, sob->timeout, &early_data)) >= 0)
302 {
303 proxy_local_address = string_copy(proxy.address);
304 proxy_local_port = sob->port;
305 break;
306 }
307
308 log_write(0, LOG_MAIN, "%s: %s", __FUNCTION__, strerror(errno));
309 sob->is_failed = TRUE;
310 }
311
312 /* Do the socks protocol stuff */
313
314 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SOCKS>> 05 01 %02x\n", sob->auth_type);
315
316 /* expect method response */
317
318 #ifdef TCP_QUICKACK
319 (void) setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
320 #endif
321
322 if ( !fd_ready(fd, tmo-time(NULL))
323 || read(fd, buf, 2) != 2
324 )
325 goto rcv_err;
326 HDEBUG(D_transport|D_acl|D_v)
327 debug_printf_indent(" SOCKS<< %02x %02x\n", buf[0], buf[1]);
328 if ( buf[0] != 5
329 || socks_auth(fd, buf[1], sob, tmo) != OK
330 )
331 goto proxy_err;
332
333 {
334 union sockaddr_46 sin;
335 (void) ip_addr(&sin, host_af, host->address, port);
336
337 /* send connect (ipver, ipaddr, port) */
338
339 buf[0] = 5; buf[1] = 1; buf[2] = 0; buf[3] = host_af == AF_INET6 ? 4 : 1;
340 #if HAVE_IPV6
341 if (host_af == AF_INET6)
342 {
343 memcpy(buf+4, &sin.v6.sin6_addr, sizeof(sin.v6.sin6_addr));
344 memcpy(buf+4+sizeof(sin.v6.sin6_addr),
345 &sin.v6.sin6_port, sizeof(sin.v6.sin6_port));
346 size = 4+sizeof(sin.v6.sin6_addr)+sizeof(sin.v6.sin6_port);
347 }
348 else
349 #endif
350 {
351 memcpy(buf+4, &sin.v4.sin_addr.s_addr, sizeof(sin.v4.sin_addr.s_addr));
352 memcpy(buf+4+sizeof(sin.v4.sin_addr.s_addr),
353 &sin.v4.sin_port, sizeof(sin.v4.sin_port));
354 size = 4+sizeof(sin.v4.sin_addr.s_addr)+sizeof(sin.v4.sin_port);
355 }
356 }
357
358 state = US"connect";
359 HDEBUG(D_transport|D_acl|D_v)
360 {
361 int i;
362 debug_printf_indent(" SOCKS>>");
363 for (i = 0; i<size; i++) debug_printf(" %02x", buf[i]);
364 debug_printf("\n");
365 }
366 if (send(fd, buf, size, 0) < 0)
367 goto snd_err;
368
369 /* expect conn-reply (success, local(ipver, addr, port))
370 of same length as conn-request, or non-success fail code */
371
372 if ( !fd_ready(fd, tmo-time(NULL))
373 || (size = read(fd, buf, size)) < 2
374 )
375 goto rcv_err;
376 HDEBUG(D_transport|D_acl|D_v)
377 {
378 int i;
379 debug_printf_indent(" SOCKS>>");
380 for (i = 0; i<size; i++) debug_printf(" %02x", buf[i]);
381 debug_printf("\n");
382 }
383 if ( buf[0] != 5
384 || buf[1] != 0
385 )
386 goto proxy_err;
387
388 proxy_external_address = string_copy(
389 host_ntoa(buf[3] == 4 ? AF_INET6 : AF_INET, buf+4, NULL, NULL));
390 proxy_external_port = ntohs(*((uint16_t *)(buf + (buf[3] == 4 ? 20 : 8))));
391 proxy_session = TRUE;
392
393 HDEBUG(D_transport|D_acl|D_v)
394 debug_printf_indent(" proxy farside: [%s]:%d\n", proxy_external_address, proxy_external_port);
395
396 return fd;
397
398 snd_err:
399 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" proxy snd_err %s: %s\n", state, strerror(errno));
400 return -1;
401
402 proxy_err:
403 {
404 struct socks_err * se =
405 buf[1] > nelem(socks_errs) ? NULL : socks_errs + buf[1];
406 HDEBUG(D_transport|D_acl|D_v)
407 debug_printf_indent(" proxy %s: %s\n", state, se ? se->reason : US"unknown error code received");
408 errno = se ? se->errcode : EPROTO;
409 }
410
411 rcv_err:
412 HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" proxy rcv_err %s: %s\n", state, strerror(errno));
413 if (!errno) errno = EPROTO;
414 else if (errno == ENOENT) errno = ECONNABORTED;
415 return -1;
416 }
417
418 #endif /* entire file */
419 /* vi: aw ai sw=2
420 */
Unnamed repository; edit this file 'description' to name the repository.