commit c7890bbe0a836b61dd6052cd6d468080d850d58e
parent f724fcf66ad2f1cf9d9d51a379aae2346d9caf56
Author: Jan Pobrislo <ccx@te2000.cz>
Date: Tue, 27 Aug 2024 16:42:47 +0000
Exec argv in ucspi-socketserver
Diffstat:
3 files changed, 52 insertions(+), 26 deletions(-)
diff --git a/src/Makefile b/src/Makefile
@@ -2,7 +2,10 @@
tools_simple:=argv0exec nosuid pidns_run safelink spawn-pty fdsend fdrecv fdrecvto socketpair ptsname mtime_to_uuidv7 ucspi-socksserver ucspi-socksserver-connected
tools_libcap:=applyuidgid-caps
-tools=$(tools_simple) $(tools_libcap)
+
+tools_libs6:=ucspi-socksserver-access
+
+tools=$(tools_simple) $(tools_libcap) $(tools_libs6)
all: $(tools)
.PHONY: all
@@ -18,13 +21,17 @@ define link_simple =
$(1): $(1).o ../link
../link -o '$$@' '$(1).o'
endef
-
$(foreach var,$(tools_simple),$(eval $(call link_simple,$(var))))
define link_libcap =
$(1): $(1).o ../link
../link -o '$$@' '$(1).o' -lcap
endef
-
$(foreach var,$(tools_libcap),$(eval $(call link_libcap,$(var))))
+define link_libs6 =
+$(1): $(1).o ../link
+ ../link -o '$$@' '$(1).o' -ls6
+endef
+$(foreach var,$(tools_libs6),$(eval $(call link_libs6,$(var))))
+
diff --git a/src/ucspi-socksserver-access.c b/src/ucspi-socksserver-access.c
@@ -26,8 +26,11 @@ typedef struct app_options_s {
char const * port;
char const * addr_type;
char const * addr;
+ unsigned char socks_version;
} app_options;
+const app_options const * options = NULL;
+
typedef struct check_result_s {
s6_accessrules_result_t accepted;
s6_accessrules_params_t params;
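Review bot: `const app_options const * options = NULL;` repeats the `const` qualifier on the pointee while leaving the pointer itself mutable, which reads as if `app_options const *const` was meant; since main assigns `options = &opt;` later in this diff, the pointer cannot be const, so the line should simply be `static app_options const *options = NULL;` (`static` assuming nothing outside this translation unit references it). The new `socks_version` field would also benefit from a comment on what it holds, e.g. `unsigned char socks_version; /* 4 or 5, from SOCKS_VERSION; selects the failure-reply format */`.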
@@ -81,22 +84,29 @@ void socks4_reply_fail()
close(1);
}
+void socks_reply_fail_generic(socks5_reply_t status) {
+ if (options->socks_version == 5) {
+ socks5_reply_fail(status);
+ } else {
+ socks4_reply_fail();
+ }
+}
-void check_access_ip(app_options *opt, check_result *result) {
+void check_access_ip(check_result *result) {
ip46 ip;
- if (!ip46_scan(opt->addr_type, &ip)) {
+ if (!ip46_scan(options->addr, &ip)) {
strerr_dieinvalid(100, "SOCKS_ADDR") ;
}
- switch (opt->rulestype)
+ switch (options->rulestype)
{
case 1 :
- result->accepted = s6_accessrules_ip46_fs(&ip, (void *)opt->rules, &result->params);
+ result->accepted = s6_accessrules_ip46_fs(&ip, (void *)options->rules, &result->params);
break;
case 2 :
{
cdb c = CDB_ZERO ;
- if (!cdb_init(&c, opt->rules)) {
- strerr_diefu2sys(111, "cdb_init ", opt->rules);
+ if (!cdb_init(&c, options->rules)) {
+ strerr_diefu2sys(111, "cdb_init ", options->rules);
}
result->accepted = s6_accessrules_ip46_cdb(&ip, &c, &result->params);
if (result->accepted == S6_ACCESSRULES_ALLOW) {
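Review bot: In `check_access_ip`, the `strerr_dieinvalid(100, "SOCKS_ADDR")` exit on an unparsable address still drops the connection without any SOCKS reply, even though this hunk introduces `socks_reply_fail_generic` for that purpose and main now sends one on its ERROR path; calling `socks_reply_fail_generic(SOCKS5_REPLY_ERR_GENERAL);` before the die would give the client a consistent failure instead of a bare EOF. The same applies to the `cdb_init` failure a few lines further down. `socks_reply_fail_generic` itself would read better with a note that `status` only matters for version 5, e.g. `/* SOCKS4 has a single failure reply, so status is ignored there */`. check_access_ip continues past the end of this hunk.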
@@ -108,19 +118,19 @@ void check_access_ip(app_options *opt, check_result *result) {
}
}
-s6_accessrules_result_t check_access_dns(app_options *opt, check_result *result) {
- switch (opt->rulestype)
+s6_accessrules_result_t check_access_dns(check_result *result) {
+ switch (options->rulestype)
{
case 1 :
- result->accepted = s6_accessrules_reversedns_fs(opt->addr, (void *)opt->rules, &result->params);
+ result->accepted = s6_accessrules_reversedns_fs(options->addr, (void *)options->rules, &result->params);
break;
case 2 :
{
cdb c = CDB_ZERO ;
- if (!cdb_init(&c, opt->rules)) {
- strerr_diefu2sys(111, "cdb_init ", opt->rules);
+ if (!cdb_init(&c, options->rules)) {
+ strerr_diefu2sys(111, "cdb_init ", options->rules);
}
- result->accepted = s6_accessrules_reversedns_cdb(opt->addr, &c, &result->params);
+ result->accepted = s6_accessrules_reversedns_cdb(options->addr, &c, &result->params);
if (result->accepted == S6_ACCESSRULES_ALLOW) {
cdb_free(&c);
}
@@ -155,10 +165,21 @@ int main (int argc, char const *const *argv)
if (!argc) dieusage() ;
if (!*argv[0]) dieusage() ;
+ char const * env_socks_version = required_getenv("SOCKS_VERSION");
+ if(strcmp(env_socks_version, "4") == 0) {
+ opt.socks_version = 5;
+ } else if (strcmp(env_socks_version, "5") == 0) {
+ opt.socks_version = 5;
+ } else {
+ strerr_dieinvalid(100, "SOCKS_VERSION") ;
+ }
+
opt.port = required_getenv("SOCKS_PORT");
opt.addr_type = required_getenv("SOCKS_ADDR_TYPE");
opt.addr = required_getenv("SOCKS_ADDR");
+ options = &opt;
+
if(opt.rulestype == 0) {
xexec(argv);
}
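Review bot: The SOCKS_VERSION parsing assigns `opt.socks_version = 5` in both accepted branches, so a client that spoke SOCKS4 will receive a SOCKS5-format failure reply from `socks_reply_fail_generic`; the first branch should read `opt.socks_version = 4;`. Because only "4" and "5" are accepted, the value could also be derived once after validation, e.g. `opt.socks_version = env_socks_version[0] - '0';`, which removes the duplicated assignment that let this slip through. Style: `if(strcmp(` lacks the space that the sibling `} else if (` uses.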
@@ -166,22 +187,25 @@ int main (int argc, char const *const *argv)
check_result result = { S6_ACCESSRULES_ALLOW, S6_ACCESSRULES_PARAMS_ZERO };
if(strcmp(opt.addr_type, "dns") == 0) {
- check_access_dns(&opt, &result);
+ check_access_dns(&result);
} else if ( strcmp(opt.addr_type, "ip4") == 0 || strcmp(opt.addr_type, "ip6") == 0) {
- check_access_ip(&opt, &result);
+ check_access_ip(&result);
} else {
strerr_dieinvalid(100, "SOCKS_ADDR_TYPE") ;
}
switch (result.accepted) {
case S6_ACCESSRULES_ERROR:
+ socks_reply_fail_generic(SOCKS5_REPLY_ERR_GENERAL);
strerr_diefu6sys(111, "check ", rulestypestr[opt.rulestype], " ruleset for ", opt.addr_type, " in ", opt.rules);
case S6_ACCESSRULES_ALLOW:
break ;
case S6_ACCESSRULES_DENY:
+ socks_reply_fail_generic(SOCKS5_REPLY_ERR_FORBIDDEN);
// if (verbosity >= 2) log_deny(getpid(), &remoteip) ;
return 1;
case S6_ACCESSRULES_NOTFOUND:
+ socks_reply_fail_generic(SOCKS5_REPLY_ERR_FORBIDDEN);
// if (flagdnslookup) {
// break;
// }
diff --git a/src/ucspi-socksserver.c b/src/ucspi-socksserver.c
@@ -31,10 +31,13 @@ void socks5_command(socks5_request_header *rhdr);
void handle_socks4(void);
void do_connect(unsigned char socks_version, socks5_addr_type_t addr_type, char *buf, unsigned short int port);
+char const *const *new_argv = NULL;
+
int main (int argc, char const *const *argv)
{
fd_block(STDIN_FILENO);
fd_block(STDOUT_FILENO);
+ new_argv = argv+1;
interact();
}
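Review bot: `new_argv = argv+1;` is stored without checking that a program was actually given on the command line: with `argc < 2`, `new_argv` points at argv's terminating NULL, and the failure only surfaces in `do_connect` when `xmexec(new_argv)` runs, i.e. after the SOCKS request has already been parsed and logged; a startup check such as `if (argc < 2) { /* usage error, using whatever usage helper this file has */ }` before the assignment fails fast with a clear message. The new global would also be clearer as `static char const *const *new_argv = NULL;` with a comment, e.g. `/* program to exec once a SOCKS request is accepted (our argv[1..]) */`.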
@@ -333,14 +336,6 @@ void do_connect(unsigned char socks_version, socks5_addr_type_t addr_type, char
snprintf(port_string, sizeof(port_string), "%d", port);
xenv("SOCKS_PORT", port_string);
- const char *argv[] = {
- "importas", "-i", "SOCKS_ADDR", "SOCKS_ADDR",
- "importas", "-i", "SOCKS_PORT", "SOCKS_PORT",
- "s6-tcpclient", "-v", "$SOCKS_ADDR", "$SOCKS_PORT",
- "ucspi-socksserver-connected", "s6-ioconnect",
- 0
- };
-
switch (addr_type) {
case SOCKS5_ADDR_TYPE_IP4:
socks_env_ip4(buf);
@@ -356,7 +351,7 @@ void do_connect(unsigned char socks_version, socks5_addr_type_t addr_type, char
}
log_connect(socks_version, addr_type, buf, port);
- xmexec(argv);
+ xmexec(new_argv);
}
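Review bot: With the hard-coded importas/s6-tcpclient pipeline removed, nothing in `do_connect` documents what the program reached by `xmexec(new_argv)` is expected to receive; a comment before the call would help, e.g. `/* new_argv is the command given on our own command line (see main); the target is passed via the environment: SOCKS_PORT set above, and presumably SOCKS_ADDR from socks_env_ip4 and friends */`. `do_connect` begins before this hunk, so this is based on the `xenv("SOCKS_PORT", ...)` and `socks_env_ip4` calls visible in the previous hunk.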
/* vim: sw=4 sts=4 et