Disable libproxy by default
authorDavid Woodhouse <David.Woodhouse@intel.com>
Sat, 2 Jan 2010 14:26:52 +0000 (14:26 +0000)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Sat, 2 Jan 2010 14:26:56 +0000 (14:26 +0000)
Most people don't need to go through a proxy, but might have one
configured anyway for https because it's harmless. But it's _not_ actually
harmless for openconnect, because it'll prevent DTLS from working. So if
a user really needs proxy support, let them ask for it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
http.c
main.c
nm-auth-dialog.c
openconnect.8
openconnect.h

diff --git a/http.c b/http.c
index 788399a..8057281 100644 (file)
--- a/http.c
+++ b/http.c
@@ -955,3 +955,37 @@ int process_proxy(struct openconnect_info *vpninfo, int ssl_sock)
        return -EIO;
 }
 
+int set_http_proxy(struct openconnect_info *vpninfo, char *proxy)
+{
+       char *url = strdup(proxy);
+       int ret;
+
+       if (!url)
+               return -ENOMEM;
+
+       free(vpninfo->proxy_type);
+       vpninfo->proxy_type = NULL;
+       free(vpninfo->proxy);
+       vpninfo->proxy = NULL;
+
+       ret = parse_url(url, &vpninfo->proxy_type, &vpninfo->proxy,
+                       &vpninfo->proxy_port, NULL, 80);
+       if (ret)
+               goto out;
+
+       if (vpninfo->proxy_type &&
+           strcmp(vpninfo->proxy_type, "http") &&
+           strcmp(vpninfo->proxy_type, "socks") &&
+           strcmp(vpninfo->proxy_type, "socks5")) {
+               vpninfo->progress(vpninfo, PRG_ERR,
+                                 "Only http or socks(5) proxies supported\n");
+               free(vpninfo->proxy_type);
+               vpninfo->proxy_type = NULL;
+               free(vpninfo->proxy);
+               vpninfo->proxy = NULL;
+               return -EINVAL;
+       }
+ out:
+       free(url);
+       return ret;
+}
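Review bot: The unsupported-scheme branch of `set_http_proxy` ends with `return -EINVAL;`, which bypasses the `out:` label, so the `strdup()` copy held in `url` is never freed on that path. Replace the return with `ret = -EINVAL;` and let control fall through to `out:`, so every exit runs `free(url)`. The code this replaces in main.c called `exit(1)` at this point, so the leak did not matter there; as a helper declared in openconnect.h it can be called repeatedly by a long-running caller, which makes the leak recurring.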
diff --git a/main.c b/main.c
index 91d7cab..5b9537b 100644 (file)
--- a/main.c
+++ b/main.c
@@ -94,6 +94,7 @@ static struct option long_options[] = {
        {"csd-user", 1, 0, 0x04},
        {"disable-ipv6", 0, 0, 0x05},
        {"no-proxy", 0, 0, 0x06},
+       {"libproxy", 0, 0, 0x07},
        {NULL, 0, 0, 0},
 };
 
@@ -120,6 +121,10 @@ void usage(void)
        printf("      --key-password-from-fsid    Key passphrase is fsid of file system\n");
        printf("  -P, --proxy=URL                 Set proxy server\n");
        printf("      --no-proxy                  Disable proxy\n");
+       printf("      --libproxy                  Use libproxy to automatically configure proxy\n");
+#ifndef OPENCONNECT_LIBPROXY
+       printf("                                  (NOTE: libproxy disabled in this build)\n");
+#endif
        printf("  -q, --quiet                     Less output\n");
        printf("  -Q, --queue-len=LEN             Set packet queue limit to LEN pkts\n");
        printf("  -s, --script=SCRIPT             Use vpnc-compatible config script\n");
@@ -176,7 +181,8 @@ int main(int argc, char **argv)
        struct sigaction sa;
        int cookieonly = 0;
        int use_syslog = 0;
-       int autoproxy = 1;
+       char *proxy = NULL;
+       int autoproxy = 0;
        uid_t uid = getuid();
        int opt;
 
@@ -306,31 +312,21 @@ int main(int argc, char **argv)
                case 'p':
                        vpninfo->cert_password = optarg;
                        break;
-               case 'P': {
-                       char *url = strdup(optarg);
-
-                       free(vpninfo->proxy_type);
-                       vpninfo->proxy_type = NULL;
-                       free(vpninfo->proxy);
-                       vpninfo->proxy = NULL;
-
-                       parse_url(url, &vpninfo->proxy_type, &vpninfo->proxy,
-                                 &vpninfo->proxy_port, NULL, 80);
-                       if (vpninfo->proxy_type &&
-                           strcmp(vpninfo->proxy_type, "http") &&
-                           strcmp(vpninfo->proxy_type, "socks") &&
-                           strcmp(vpninfo->proxy_type, "socks5")) {
-                               fprintf(stderr, "Only http or socks[5] proxy scheme supported\n");
-                               exit(1);
-                       }
+               case 'P': 
+                       proxy = optarg;
                        autoproxy = 0;
-                       free(url);
                        break;
-               }
                case 0x06:
                        autoproxy = 0;
-                       free(vpninfo->proxy);
-                       vpninfo->proxy = NULL;
+                       proxy = NULL;
+               case 0x07:
+#ifndef OPENCONNECT_LIBPROXY
+                       fprintf(stderr, "This version of openconnect was built without libproxy support\n");
+                       exit(1);
+#endif
+                       autoproxy = 1;
+                       proxy = NULL;
+                       break;
                case 's':
                        vpninfo->vpnc_script = optarg;
                        break;
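Review bot: `case 0x06:` (`--no-proxy`) has no `break;` after `proxy = NULL;`, so it falls straight through into the new `case 0x07:` block. In a build with OPENCONNECT_LIBPROXY that sets `autoproxy = 1`, so `--no-proxy` silently turns on automatic proxy configuration, the opposite of what the user asked for. In a build without it, `--no-proxy` prints the "built without libproxy support" error and exits. Add `break;` on the line before `case 0x07:`. The switch sits inside main(), which begins and ends outside this hunk.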
@@ -403,10 +399,6 @@ int main(int argc, char **argv)
                        usage();
                }
        }
-#ifdef OPENCONNECT_LIBPROXY
-       if (autoproxy)
-               vpninfo->proxy_factory = px_proxy_factory_new();
-#endif
 
        if (optind != argc - 1) {
                fprintf(stderr, "No server specified\n");
@@ -416,12 +408,20 @@ int main(int argc, char **argv)
        if (!vpninfo->sslkey)
                vpninfo->sslkey = vpninfo->cert;
 
+       vpninfo->progress = write_progress;
+
+#ifdef OPENCONNECT_LIBPROXY
+       if (autoproxy)
+               vpninfo->proxy_factory = px_proxy_factory_new();
+#endif
+       if (proxy && set_http_proxy(vpninfo, proxy))
+               exit(1);
+
        if (use_syslog) {
                openlog("openconnect", LOG_PID, LOG_DAEMON);
                vpninfo->progress = syslog_progress;
-       } else {
-               vpninfo->progress = write_progress;
        }
+
        memset(&sa, 0, sizeof(sa));
        sa.sa_handler = handle_sigusr;
 
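Review bot: `if (proxy && set_http_proxy(vpninfo, proxy)) exit(1);` can end the program without telling the user why. In the http.c part of this commit only the unsupported-scheme branch reports through `vpninfo->progress`; a failed `strdup()` or a non-zero `parse_url()` result is returned silently, unless parse_url prints its own message, which is not visible here. Consider reporting the failure before exiting, e.g. `fprintf(stderr, "Failed to set proxy '%s'\n", proxy);`. A comment above `vpninfo->progress = write_progress;` such as `/* set_http_proxy() reports errors through vpninfo->progress, so install it first */` would also keep the assignment from being moved back below the call. main() begins and ends outside this hunk.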
index cc81171..f173212 100644 (file)
@@ -1394,7 +1394,7 @@ static auth_ui_data *init_ui_data (char *vpn_name)
        ui_data->vpninfo->validate_peer_cert = validate_peer_cert;
        ui_data->vpninfo->vpn_name = vpn_name;
        ui_data->vpninfo->process_auth_form = nm_process_auth_form;
-#ifdef OPENCONNECT_LIBPROXY
+#if 0
        ui_data->vpninfo->proxy_factory = px_proxy_factory_new();
 #endif
 
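Review bot: `#if 0` around `px_proxy_factory_new()` leaves dead code with no record of why it was switched off, and nothing in this hunk gives the auth dialog a way to opt back in as `--libproxy` does for the command-line client. Add a comment stating the reason, for example `/* libproxy is off by default: going through a proxy prevents DTLS from working */`, or delete the block until an opt-in setting exists. init_ui_data() continues outside the hunk.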
index 830f75d..2b2a8a4 100644 (file)
@@ -69,6 +69,9 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .B --no-proxy
 ]
 [
+.B --libproxy
+]
+[
 .B --key-password-from-fsid
 ]
 [
@@ -234,6 +237,9 @@ Use HTTP proxy for connection
 .B --no-proxy
 Disable use of HTTP proxy
 .TP
+.B --libproxy
+Use libproxy to configure proxy automatically (when built with libproxy support)
+.TP
 .B --key-password-from-fsid
 Passphrase for certificate file is automatically generated from the fsid of
 the file system on which it is stored
index 2558d44..3438e78 100644 (file)
@@ -335,6 +335,7 @@ char *openconnect_create_useragent(char *base);
 int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
 int parse_url(char *url, char **res_proto, char **res_host, int *res_port,
              char **res_path, int default_port);
+int set_http_proxy(struct openconnect_info *vpninfo, char *proxy);
 
 /* ssl_ui.c */
 int set_openssl_ui(void);