2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2010 Intel Corporation.
5 * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
7 * Author: David Woodhouse <dwmw2@infradead.org>
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * version 2.1, as published by the Free Software Foundation.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to:
21 * Free Software Foundation, Inc.
22 * 51 Franklin Street, Fifth Floor,
23 * Boston, MA 02110-1301 USA
35 #include <sys/types.h>
37 #include <openssl/ssl.h>
38 #include <openssl/err.h>
39 #include <openssl/engine.h>
41 #include "openconnect.h"
43 static int proxy_write(int fd, unsigned char *buf, size_t len);
45 #define MAX_BUF_LEN 131072
47 * We didn't really want to have to do this for ourselves -- one might have
48 * thought that it would be available in a library somewhere. But neither
49 * cURL nor Neon have reliable cross-platform ways of either using a cert
50 * from the TPM, or just reading from / writing to a transport which is
51 * provided by their caller.
54 static int http_add_cookie(struct openconnect_info *vpninfo,
55 const char *option, const char *value)
57 struct vpn_option *new, **this;
60 new = malloc(sizeof(*new));
62 vpninfo->progress(vpninfo, PRG_ERR, "No memory for allocating cookies\n");
66 new->option = strdup(option);
67 new->value = strdup(value);
68 if (!new->option || !new->value) {
75 /* Kill cookie; don't replace it */
78 for (this = &vpninfo->cookies; *this; this = &(*this)->next) {
79 if (!strcmp(option, (*this)->option)) {
80 /* Replace existing cookie */
82 new->next = (*this)->next;
86 free((*this)->option);
100 #define BODY_HTTP10 -1
101 #define BODY_CHUNKED -2
103 static int process_http_response(struct openconnect_info *vpninfo, int *result,
104 int (*header_cb)(struct openconnect_info *, char *, char *),
107 char buf[MAX_BUF_LEN];
109 int bodylen = BODY_HTTP10;
115 if (openconnect_SSL_gets(vpninfo->https_ssl, buf, sizeof(buf)) < 0) {
116 vpninfo->progress(vpninfo, PRG_ERR, "Error fetching HTTPS response\n");
120 if (!strncmp(buf, "HTTP/1.0 ", 9))
123 if ((!closeconn && strncmp(buf, "HTTP/1.1 ", 9)) || !(*result = atoi(buf+9))) {
124 vpninfo->progress(vpninfo, PRG_ERR, "Failed to parse HTTP response '%s'\n", buf);
128 vpninfo->progress(vpninfo, (*result==200)?PRG_TRACE:PRG_INFO,
129 "Got HTTP response: %s\n", buf);
132 while ((i = openconnect_SSL_gets(vpninfo->https_ssl, buf, sizeof(buf)))) {
136 vpninfo->progress(vpninfo, PRG_ERR, "Error processing HTTP response\n");
139 colon = strchr(buf, ':');
141 vpninfo->progress(vpninfo, PRG_ERR, "Ignoring unknown HTTP response line '%s'\n", buf);
148 /* Handle Set-Cookie first so that we can avoid printing the
149 webvpn cookie in the verbose debug output */
150 if (!strcasecmp(buf, "Set-Cookie")) {
151 char *semicolon = strchr(colon, ';');
152 char *print_equals, *equals = strchr(colon, '=');
159 vpninfo->progress(vpninfo, PRG_ERR, "Invalid cookie offered: %s\n", buf);
164 print_equals = equals;
165 /* Don't print the webvpn cookie; we don't want people posting it
166 in public with debugging output */
167 if (!strcmp(colon, "webvpn"))
168 print_equals = "<elided>";
169 vpninfo->progress(vpninfo, PRG_TRACE, "%s: %s=%s%s%s\n",
170 buf, colon, print_equals, semicolon?";":"",
171 semicolon?(semicolon+1):"");
173 ret = http_add_cookie(vpninfo, colon, equals);
177 vpninfo->progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
180 if (!strcasecmp(buf, "Connection")) {
181 if (!strcasecmp(colon, "Close"))
184 /* This might seem reasonable, but in fact it breaks
185 certificate authentication with some servers. If
186 they give an HTTP/1.0 response, even if they
187 explicitly give a Connection: Keep-Alive header,
188 just close the connection. */
189 else if (!strcasecmp(colon, "Keep-Alive"))
193 if (!strcasecmp(buf, "Location")) {
194 vpninfo->redirect_url = strdup(colon);
195 if (!vpninfo->redirect_url)
198 if (!strcasecmp(buf, "Content-Length")) {
199 bodylen = atoi(colon);
201 vpninfo->progress(vpninfo, PRG_ERR, "Response body has negative size (%d)\n",
206 if (!strcasecmp(buf, "Transfer-Encoding")) {
207 if (!strcasecmp(colon, "chunked"))
208 bodylen = BODY_CHUNKED;
210 vpninfo->progress(vpninfo, PRG_ERR, "Unknown Transfer-Encoding: %s\n", colon);
214 if (header_cb && !strncmp(buf, "X-", 2))
215 header_cb(vpninfo, buf, colon);
218 /* Handle 'HTTP/1.1 100 Continue'. Not that we should ever see it */
222 /* Now the body, if there is one */
223 vpninfo->progress(vpninfo, PRG_TRACE, "HTTP body %s (%d)\n",
224 bodylen==BODY_HTTP10?"http 1.0" :
225 bodylen==BODY_CHUNKED?"chunked" : "length: ",
228 /* If we were given Content-Length, it's nice and easy... */
230 body = malloc(bodylen + 1);
233 while (done < bodylen) {
234 i = SSL_read(vpninfo->https_ssl, body + done, bodylen - done);
236 vpninfo->progress(vpninfo, PRG_ERR, "Error reading HTTP response body\n");
242 } else if (bodylen == BODY_CHUNKED) {
243 /* ... else, chunked */
244 while ((i = openconnect_SSL_gets(vpninfo->https_ssl, buf, sizeof(buf)))) {
245 int chunklen, lastchunk = 0;
248 vpninfo->progress(vpninfo, PRG_ERR, "Error fetching chunk header\n");
251 chunklen = strtol(buf, NULL, 16);
256 body = realloc(body, done + chunklen + 1);
260 i = SSL_read(vpninfo->https_ssl, body + done, chunklen);
262 vpninfo->progress(vpninfo, PRG_ERR, "Error reading HTTP response body\n");
270 if ((i = openconnect_SSL_gets(vpninfo->https_ssl, buf, sizeof(buf)))) {
272 vpninfo->progress(vpninfo, PRG_ERR, "Error fetching HTTP response body\n");
274 vpninfo->progress(vpninfo, PRG_ERR, "Error in chunked decoding. Expected '', got: '%s'",
284 } else if (bodylen == BODY_HTTP10) {
286 vpninfo->progress(vpninfo, PRG_ERR, "Cannot receive HTTP 1.0 body without closing connection\n");
290 /* HTTP 1.0 response. Just eat all we can in 16KiB chunks */
292 body = realloc(body, done + 16384);
295 i = SSL_read(vpninfo->https_ssl, body + done, 16384);
297 body = realloc(body, done + 1);
306 if (closeconn || vpninfo->no_http_keepalive) {
307 SSL_free(vpninfo->https_ssl);
308 vpninfo->https_ssl = NULL;
309 close(vpninfo->ssl_fd);
310 vpninfo->ssl_fd = -1;
319 static int fetch_config(struct openconnect_info *vpninfo, char *fu, char *bu,
322 struct vpn_option *opt;
323 char buf[MAX_BUF_LEN];
324 char *config_buf = NULL;
326 unsigned char local_sha1_bin[SHA_DIGEST_LENGTH];
327 char local_sha1_ascii[(SHA_DIGEST_LENGTH * 2)+1];
331 sprintf(buf, "GET %s%s HTTP/1.1\r\n", fu, bu);
332 sprintf(buf + strlen(buf), "Host: %s\r\n", vpninfo->hostname);
333 sprintf(buf + strlen(buf), "User-Agent: %s\r\n", vpninfo->useragent);
334 sprintf(buf + strlen(buf), "Accept: */*\r\n");
335 sprintf(buf + strlen(buf), "Accept-Encoding: identity\r\n");
337 if (vpninfo->cookies) {
338 sprintf(buf + strlen(buf), "Cookie: ");
339 for (opt = vpninfo->cookies; opt; opt = opt->next)
340 sprintf(buf + strlen(buf), "%s=%s%s", opt->option,
341 opt->value, opt->next ? "; " : "\r\n");
343 sprintf(buf + strlen(buf), "X-Transcend-Version: 1\r\n\r\n");
345 SSL_write(vpninfo->https_ssl, buf, strlen(buf));
347 buflen = process_http_response(vpninfo, &result, NULL, &config_buf);
349 /* We'll already have complained about whatever offended us */
359 EVP_Digest(config_buf, buflen, local_sha1_bin, NULL, EVP_sha1(), NULL);
360 EVP_MD_CTX_cleanup(&c);
362 for (i = 0; i < SHA_DIGEST_LENGTH; i++)
363 sprintf(&local_sha1_ascii[i*2], "%02x", local_sha1_bin[i]);
365 if (strcasecmp(server_sha1, local_sha1_ascii)) {
366 vpninfo->progress(vpninfo, PRG_ERR, "Downloaded config file did not match intended SHA1\n");
371 result = vpninfo->write_new_config(vpninfo, config_buf, buflen);
376 static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int buflen)
381 if (!vpninfo->uid_csd_given && !vpninfo->csd_wrapper) {
382 vpninfo->progress(vpninfo, PRG_ERR,
383 "Error: Server asked us to download and run a 'Cisco Secure Desktop' trojan.\n"
384 "This facility is disabled by default for security reasons, so you may wish to enable it.");
389 vpninfo->progress(vpninfo, PRG_INFO,
390 "Trying to run Linux CSD trojan script.");
393 sprintf(fname, "/tmp/csdXXXXXX");
397 vpninfo->progress(vpninfo, PRG_ERR, "Failed to open temporary CSD script file: %s\n",
402 ret = proxy_write(fd, (void *)buf, buflen);
404 vpninfo->progress(vpninfo, PRG_ERR, "Failed to write temporary CSD script file: %s\n",
412 X509 *scert = SSL_get_peer_certificate(vpninfo->https_ssl);
413 X509 *ccert = SSL_get_certificate(vpninfo->https_ssl);
414 char scertbuf[EVP_MAX_MD_SIZE * 2 + 1];
415 char ccertbuf[EVP_MAX_MD_SIZE * 2 + 1];
419 if (vpninfo->uid_csd != getuid()) {
422 if (setuid(vpninfo->uid_csd)) {
423 fprintf(stderr, "Failed to set uid %d\n",
427 if (!(pw = getpwuid(vpninfo->uid_csd))) {
428 fprintf(stderr, "Invalid user uid=%d\n",
432 setenv("HOME", pw->pw_dir, 1);
433 if (chdir(pw->pw_dir)) {
434 fprintf(stderr, "Failed to change to CSD home directory '%s': %s\n",
435 pw->pw_dir, strerror(errno));
439 if (vpninfo->uid_csd == 0 && !vpninfo->csd_wrapper) {
440 fprintf(stderr, "Warning: you are running insecure "
441 "CSD code with root privileges\n"
442 "\t Use command line option \"--csd-user\"\n");
444 if (vpninfo->uid_csd_given == 2) {
445 /* The NM tool really needs not to get spurious output
446 on stdout, which the CSD trojan spews. */
449 if (vpninfo->csd_wrapper)
450 csd_argv[i++] = vpninfo->csd_wrapper;
451 csd_argv[i++] = fname;
452 csd_argv[i++] = "-ticket";
453 if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->csd_ticket) == -1)
455 csd_argv[i++] = "-stub";
456 csd_argv[i++] = "\"0\"";
457 csd_argv[i++] = "-group";
458 if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->authgroup?:"") == -1)
461 get_cert_md5_fingerprint(vpninfo, scert, scertbuf);
463 get_cert_md5_fingerprint(vpninfo, ccert, ccertbuf);
467 csd_argv[i++] = "-certhash";
468 if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
470 csd_argv[i++] = "-url";
471 if (asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl) == -1)
473 /* WTF would it want to know this for? */
474 csd_argv[i++] = "-vpnclient";
475 csd_argv[i++] = "\"/opt/cisco/vpn/bin/vpnui";
476 csd_argv[i++] = "-connect";
477 if (asprintf(&csd_argv[i++], "https://%s/%s", vpninfo->hostname, vpninfo->csd_preurl) == -1)
479 csd_argv[i++] = "-connectparam";
480 if (asprintf(&csd_argv[i++], "#csdtoken=%s\"", vpninfo->csd_token) == -1)
482 csd_argv[i++] = "-langselen";
483 csd_argv[i++] = NULL;
485 execv(csd_argv[0], csd_argv);
486 vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", csd_argv[0]);
490 free(vpninfo->csd_stuburl);
491 vpninfo->csd_stuburl = NULL;
492 vpninfo->urlpath = strdup(vpninfo->csd_waiturl +
493 (vpninfo->csd_waiturl[0] == '/' ? 1 : 0));
494 vpninfo->csd_waiturl = NULL;
495 vpninfo->csd_scriptname = strdup(fname);
497 http_add_cookie(vpninfo, "sdesktop", vpninfo->csd_token);
503 char *local_strcasestr(const char *haystack, const char *needle)
505 int hlen = strlen(haystack);
506 int nlen = strlen(needle);
509 for (i = 0; i < hlen - nlen + 1; i++) {
510 for (j = 0; j < nlen; j++) {
511 if (tolower(haystack[i + j]) !=
516 return (char *)haystack + i;
520 #define strcasestr local_strcasestr
523 int openconnect_parse_url(char *url, char **res_proto, char **res_host, int *res_port,
524 char **res_path, int default_port)
527 char *host, *path, *port_str;
530 host = strstr(url, "://");
535 if (!strcasecmp(proto, "https"))
537 else if (!strcasecmp(proto, "http"))
539 else if (!strcasecmp(proto, "socks") ||
540 !strcasecmp(proto, "socks4") ||
541 !strcasecmp(proto, "socks5"))
544 return -EPROTONOSUPPORT;
554 path = strchr(host, '/');
558 port_str = strrchr(host, ':');
561 int new_port = strtol(port_str + 1, &end, 10);
570 *res_proto = proto ? strdup(proto) : NULL;
572 *res_host = strdup(host);
576 *res_path = (path && *path) ? strdup(path) : NULL;
578 /* Undo the damage we did to the original string */
588 * = 0, no cookie (user cancel)
589 * = 1, obtained cookie
591 int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
593 struct vpn_option *opt, *next;
594 char buf[MAX_BUF_LEN];
595 char *form_buf = NULL;
597 char request_body[2048];
598 char *request_body_type = NULL;
599 char *method = "GET";
602 if (!vpninfo->https_ssl && openconnect_open_https(vpninfo)) {
603 vpninfo->progress(vpninfo, PRG_ERR, "Failed to open HTTPS connection to %s\n",
609 * It would be nice to use cURL for this, but we really need to guarantee
610 * that we'll be using OpenSSL (for the TPM stuff), and it doesn't seem
611 * to have any way to let us provide our own socket read/write functions.
612 * We can only provide a socket _open_ function. Which would require having
613 * a socketpair() and servicing the "other" end of it.
615 * So we process the HTTP for ourselves...
617 sprintf(buf, "%s /%s HTTP/1.1\r\n", method, vpninfo->urlpath ?: "");
618 sprintf(buf + strlen(buf), "Host: %s\r\n", vpninfo->hostname);
619 sprintf(buf + strlen(buf), "User-Agent: %s\r\n", vpninfo->useragent);
620 sprintf(buf + strlen(buf), "Accept: */*\r\n");
621 sprintf(buf + strlen(buf), "Accept-Encoding: identity\r\n");
623 if (vpninfo->cookies) {
624 sprintf(buf + strlen(buf), "Cookie: ");
625 for (opt = vpninfo->cookies; opt; opt = opt->next)
626 sprintf(buf + strlen(buf), "%s=%s%s", opt->option,
627 opt->value, opt->next ? "; " : "\r\n");
629 if (request_body_type) {
630 sprintf(buf + strlen(buf), "Content-Type: %s\r\n",
632 sprintf(buf + strlen(buf), "Content-Length: %zd\r\n",
633 strlen(request_body));
635 sprintf(buf + strlen(buf), "X-Transcend-Version: 1\r\n\r\n");
636 if (request_body_type)
637 sprintf(buf + strlen(buf), "%s", request_body);
639 if (vpninfo->port == 443)
640 vpninfo->progress(vpninfo, PRG_INFO, "%s https://%s/%s\n",
641 method, vpninfo->hostname,
642 vpninfo->urlpath ?: "");
644 vpninfo->progress(vpninfo, PRG_INFO, "%s https://%s:%d/%s\n",
645 method, vpninfo->hostname, vpninfo->port,
646 vpninfo->urlpath ?: "");
648 SSL_write(vpninfo->https_ssl, buf, strlen(buf));
650 buflen = process_http_response(vpninfo, &result, NULL, &form_buf);
652 /* We'll already have complained about whatever offended us */
656 if (result != 200 && vpninfo->redirect_url) {
658 if (!strncmp(vpninfo->redirect_url, "https://", 8)) {
659 /* New host. Tear down the existing connection and make a new one */
664 free(vpninfo->urlpath);
665 vpninfo->urlpath = NULL;
667 ret = openconnect_parse_url(vpninfo->redirect_url, NULL, &host, &port, &vpninfo->urlpath, 0);
669 vpninfo->progress(vpninfo, PRG_ERR, "Failed to parse redirected URL '%s': %s\n",
670 vpninfo->redirect_url, strerror(-ret));
671 free(vpninfo->redirect_url);
676 if (strcasecmp(vpninfo->hostname, host) || port != vpninfo->port) {
677 free(vpninfo->hostname);
678 vpninfo->hostname = host;
679 vpninfo->port = port;
681 /* Kill the existing connection, and a new one will happen */
682 free(vpninfo->peer_addr);
683 vpninfo->peer_addr = NULL;
684 if (vpninfo->https_ssl) {
685 SSL_free(vpninfo->https_ssl);
686 vpninfo->https_ssl = NULL;
687 close(vpninfo->ssl_fd);
688 vpninfo->ssl_fd = -1;
691 for (opt = vpninfo->cookies; opt; opt = next) {
698 vpninfo->cookies = NULL;
702 free(vpninfo->redirect_url);
703 vpninfo->redirect_url = NULL;
706 } else if (vpninfo->redirect_url[0] == '/') {
707 /* Absolute redirect within same host */
708 free(vpninfo->urlpath);
709 vpninfo->urlpath = strdup(vpninfo->redirect_url + 1);
710 free(vpninfo->redirect_url);
711 vpninfo->redirect_url = NULL;
714 char *lastslash = NULL;
715 if (vpninfo->urlpath)
716 lastslash = strrchr(vpninfo->urlpath, '/');
718 free(vpninfo->urlpath);
719 vpninfo->urlpath = vpninfo->redirect_url;
720 vpninfo->redirect_url = NULL;
722 char *oldurl = vpninfo->urlpath;
724 vpninfo->urlpath = NULL;
725 if (asprintf(&vpninfo->urlpath, "%s/%s",
726 oldurl, vpninfo->redirect_url) == -1) {
728 vpninfo->progress(vpninfo, PRG_ERR,
729 "Allocating new path for relative redirect failed: %s\n",
734 free(vpninfo->redirect_url);
735 vpninfo->redirect_url = NULL;
740 if (!form_buf || result != 200) {
741 vpninfo->progress(vpninfo, PRG_ERR,
742 "Unexpected %d result from server\n",
747 if (vpninfo->csd_stuburl) {
748 /* This is the CSD stub script, which we now need to run */
749 result = run_csd_script(vpninfo, form_buf, buflen);
755 /* Now we'll be redirected to the waiturl */
758 if (strncmp(form_buf, "<?xml", 5)) {
759 /* Not XML? Perhaps it's HTML with a refresh... */
760 if (strcasestr(form_buf, "http-equiv=\"refresh\"")) {
761 vpninfo->progress(vpninfo, PRG_INFO, "Refreshing %s after 1 second...\n",
766 vpninfo->progress(vpninfo, PRG_ERR, "Unknown response from server\n");
771 result = parse_xml_response(vpninfo, form_buf, request_body, sizeof(request_body),
772 &method, &request_body_type);
782 /* A return value of 2 means the XML form indicated
783 success. We _should_ have a cookie... */
785 for (opt = vpninfo->cookies; opt; opt = opt->next) {
787 if (!strcmp(opt->option, "webvpn"))
788 vpninfo->cookie = opt->value;
789 else if (vpninfo->write_new_config && !strcmp(opt->option, "webvpnc")) {
790 char *tok = opt->value;
791 char *bu = NULL, *fu = NULL, *sha = NULL;
794 if (tok != opt->value)
797 if (!strncmp(tok, "bu:", 3))
799 else if (!strncmp(tok, "fu:", 3))
801 else if (!strncmp(tok, "fh:", 3)) {
802 if (!strncasecmp(tok+3, vpninfo->xmlsha1,
803 SHA_DIGEST_LENGTH * 2))
807 } while ((tok = strchr(tok, '&')));
810 fetch_config(vpninfo, bu, fu, sha);
813 if (vpninfo->csd_scriptname) {
814 unlink(vpninfo->csd_scriptname);
815 free(vpninfo->csd_scriptname);
816 vpninfo->csd_scriptname = NULL;
821 char *openconnect_create_useragent(char *base)
825 if (asprintf(&uagent, "%s %s", base, openconnect_version) < 0)
831 static int proxy_gets(int fd, char *buf, size_t len)
839 while ( (ret = read(fd, buf + i, 1)) == 1) {
840 if (buf[i] == '\n') {
842 if (i && buf[i-1] == '\r') {
862 static int proxy_write(int fd, unsigned char *buf, size_t len)
866 for (count = 0; count < len; ) {
867 int i = write(fd, buf + count, len - count);
876 static int proxy_read(int fd, unsigned char *buf, size_t len)
880 for (count = 0; count < len; ) {
881 int i = read(fd, buf + count, len - count);
890 static const char *socks_errors[] = {
893 "connection not allowed by ruleset",
894 "network unreachable",
896 "connection refused by destination host",
898 "command not supported / protocol error",
899 "address type not supported"
902 static int process_socks_proxy(struct openconnect_info *vpninfo, int ssl_sock)
904 unsigned char buf[1024];
907 buf[0] = 5; /* SOCKS version */
908 buf[1] = 1; /* # auth methods */
909 buf[2] = 0; /* No auth supported */
911 if ((i = proxy_write(ssl_sock, buf, 3))) {
912 vpninfo->progress(vpninfo, PRG_ERR,
913 "Error writing auth request to SOCKS proxy: %s\n",
918 if ((i = proxy_read(ssl_sock, buf, 2))) {
919 vpninfo->progress(vpninfo, PRG_ERR,
920 "Error reading auth response from SOCKS proxy: %s\n",
925 vpninfo->progress(vpninfo, PRG_ERR,
926 "Unexpected auth response from SOCKS proxy: %02x %02x\n",
932 if (buf[1] < sizeof(socks_errors) / sizeof(socks_errors[0]))
933 vpninfo->progress(vpninfo, PRG_ERR,
934 "SOCKS proxy error %02x: %s\n",
935 buf[1], socks_errors[buf[1]]);
937 vpninfo->progress(vpninfo, PRG_ERR,
938 "SOCKS proxy error %02x\n",
943 vpninfo->progress(vpninfo, PRG_INFO, "Requesting SOCKS proxy connection to %s:%d\n",
944 vpninfo->hostname, vpninfo->port);
946 buf[0] = 5; /* SOCKS version */
947 buf[1] = 1; /* CONNECT */
948 buf[2] = 0; /* Reserved */
949 buf[3] = 3; /* Address type is domain name */
950 buf[4] = strlen(vpninfo->hostname);
951 strcpy((char *)buf + 5, vpninfo->hostname);
952 i = strlen(vpninfo->hostname) + 5;
953 buf[i++] = vpninfo->port >> 8;
954 buf[i++] = vpninfo->port & 0xff;
956 if ((i = proxy_write(ssl_sock, buf, i))) {
957 vpninfo->progress(vpninfo, PRG_ERR,
958 "Error writing connect request to SOCKS proxy: %s\n",
962 /* Read 5 bytes -- up to and including the first byte of the returned
963 address (which might be the length byte of a domain name) */
964 if ((i = proxy_read(ssl_sock, buf, 5))) {
965 vpninfo->progress(vpninfo, PRG_ERR,
966 "Error reading connect response from SOCKS proxy: %s\n",
971 vpninfo->progress(vpninfo, PRG_ERR,
972 "Unexpected connect response from SOCKS proxy: %02x %02x...\n",
979 /* Connect responses contain an address */
981 case 1: /* Legacy IP */
984 case 3: /* Domain name */
991 vpninfo->progress(vpninfo, PRG_ERR,
992 "Unexpected address type %02x in SOCKS connect response\n",
997 if ((i = proxy_read(ssl_sock, buf, i))) {
998 vpninfo->progress(vpninfo, PRG_ERR,
999 "Error reading connect response from SOCKS proxy: %s\n",
1006 static int process_http_proxy(struct openconnect_info *vpninfo, int ssl_sock)
1008 char buf[MAX_BUF_LEN];
1011 sprintf(buf, "CONNECT %s:%d HTTP/1.1\r\n", vpninfo->hostname, vpninfo->port);
1012 sprintf(buf + strlen(buf), "Host: %s\r\n", vpninfo->hostname);
1013 sprintf(buf + strlen(buf), "User-Agent: %s\r\n", vpninfo->useragent);
1014 sprintf(buf + strlen(buf), "Proxy-Connection: keep-alive\r\n");
1015 sprintf(buf + strlen(buf), "Connection: keep-alive\r\n");
1016 sprintf(buf + strlen(buf), "Accept-Encoding: identity\r\n");
1017 sprintf(buf + strlen(buf), "\r\n");
1019 vpninfo->progress(vpninfo, PRG_INFO, "Requesting HTTP proxy connection to %s:%d\n",
1020 vpninfo->hostname, vpninfo->port);
1022 if (proxy_write(ssl_sock, (unsigned char *)buf, strlen(buf))) {
1024 vpninfo->progress(vpninfo, PRG_ERR, "Sending proxy request failed: %s\n",
1029 if (proxy_gets(ssl_sock, buf, sizeof(buf)) < 0) {
1030 vpninfo->progress(vpninfo, PRG_ERR, "Error fetching proxy response\n");
1034 if (strncmp(buf, "HTTP/1.", 7) || (buf[7] != '0' && buf[7] != '1') ||
1035 buf[8] != ' ' || !(result = atoi(buf+9))) {
1036 vpninfo->progress(vpninfo, PRG_ERR, "Failed to parse proxy response '%s'\n",
1041 if (result != 200) {
1042 vpninfo->progress(vpninfo, PRG_ERR, "Proxy CONNECT request failed: %s\n",
1047 while ((buflen = proxy_gets(ssl_sock, buf, sizeof(buf)))) {
1049 vpninfo->progress(vpninfo, PRG_ERR, "Failed to read proxy response\n");
1052 vpninfo->progress(vpninfo, PRG_ERR,
1053 "Unexpected continuation line after CONNECT response: '%s'\n",
1060 int process_proxy(struct openconnect_info *vpninfo, int ssl_sock)
1062 if (!vpninfo->proxy_type || !strcmp(vpninfo->proxy_type, "http"))
1063 return process_http_proxy(vpninfo, ssl_sock);
1065 if (!strcmp(vpninfo->proxy_type, "socks") ||
1066 !strcmp(vpninfo->proxy_type, "socks5"))
1067 return process_socks_proxy(vpninfo, ssl_sock);
1069 vpninfo->progress(vpninfo, PRG_ERR, "Unknown proxy type '%s'\n",
1070 vpninfo->proxy_type);
1074 int openconnect_set_http_proxy(struct openconnect_info *vpninfo, char *proxy)
1076 char *url = strdup(proxy);
1082 free(vpninfo->proxy_type);
1083 vpninfo->proxy_type = NULL;
1084 free(vpninfo->proxy);
1085 vpninfo->proxy = NULL;
1087 ret = openconnect_parse_url(url, &vpninfo->proxy_type, &vpninfo->proxy,
1088 &vpninfo->proxy_port, NULL, 80);
1092 if (vpninfo->proxy_type &&
1093 strcmp(vpninfo->proxy_type, "http") &&
1094 strcmp(vpninfo->proxy_type, "socks") &&
1095 strcmp(vpninfo->proxy_type, "socks5")) {
1096 vpninfo->progress(vpninfo, PRG_ERR,
1097 "Only http or socks(5) proxies supported\n");
1098 free(vpninfo->proxy_type);
1099 vpninfo->proxy_type = NULL;
1100 free(vpninfo->proxy);
1101 vpninfo->proxy = NULL;
projects / platform / upstream / openconnect.git / blob