From c708667688180b44fe0d82cbfe3a8522b08ee0a7 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Sat, 2 Jan 2010 14:26:52 +0000
Subject: [PATCH] Disable libproxy by default

Most people don't need to go through a proxy, but might have one configured anyway for https because it's harmless. But it's _not_ actually harmless for openconnect, because it'll prevent DTLS from working. So if a user really needs proxy support, let them ask for it.

Signed-off-by: David Woodhouse
---
 http.c | 34 ++++++++++++++++++++++++++++++++++
 main.c | 56 ++++++++++++++++++++++++++++----------------------------
 nm-auth-dialog.c | 2 +-
 openconnect.8 | 6 ++++++
 openconnect.h | 1 +
 5 files changed, 70 insertions(+), 29 deletions(-)

diff --git a/http.c b/http.c
index 788399a..8057281 100644
--- a/http.c
+++ b/http.c
@@ -955,3 +955,37 @@ int process_proxy(struct openconnect_info *vpninfo, int ssl_sock)
 	return -EIO;
 }
 
+int set_http_proxy(struct openconnect_info *vpninfo, char *proxy)
+{
+	char *url = strdup(proxy);
+	int ret;
+
+	if (!url)
+		return -ENOMEM;
+
+	free(vpninfo->proxy_type);
+	vpninfo->proxy_type = NULL;
+	free(vpninfo->proxy);
+	vpninfo->proxy = NULL;
+
+	ret = parse_url(url, &vpninfo->proxy_type, &vpninfo->proxy,
+			&vpninfo->proxy_port, NULL, 80);
+	if (ret)
+		goto out;
+
+	if (vpninfo->proxy_type &&
+	    strcmp(vpninfo->proxy_type, "http") &&
+	    strcmp(vpninfo->proxy_type, "socks") &&
+	    strcmp(vpninfo->proxy_type, "socks5")) {
+		vpninfo->progress(vpninfo, PRG_ERR,
+				  "Only http or socks(5) proxies supported\n");
+		free(vpninfo->proxy_type);
+		vpninfo->proxy_type = NULL;
+		free(vpninfo->proxy);
+		vpninfo->proxy = NULL;
+		return -EINVAL;
+	}
+ out:
+	free(url);
+	return ret;
+}
diff --git a/main.c b/main.c
index 91d7cab..5b9537b 100644
--- a/main.c
+++ b/main.c
@@ -94,6 +94,7 @@ static struct option long_options[] = {
 	{"csd-user", 1, 0, 0x04},
 	{"disable-ipv6", 0, 0, 0x05},
 	{"no-proxy", 0, 0, 0x06},
+	{"libproxy", 0, 0, 0x07},
 	{NULL, 0, 0, 0},
 };
 
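Review bot: The unsupported-scheme branch of set_http_proxy returns -EINVAL directly and so bypasses the `out:` cleanup, leaking the `url` copy that strdup() made at the top of the function; replace `return -EINVAL;` with `ret = -EINVAL;` followed by `goto out;`. Because the function is exported through openconnect.h rather than only used right before exit() in main.c, the leak matters for long-lived callers. The parse_url() failure path returns without any diagnostic, so a caller that only sees the non-zero return (main.c just exit()s) gives the user no hint about what was rejected; if parse_url() does not report errors itself, which is not visible here, a `vpninfo->progress(vpninfo, PRG_ERR, ...)` call before `goto out` would help. Resetting `vpninfo->proxy_port` alongside proxy_type/proxy on both failure paths would also keep the three fields consistent, since parse_url() may or may not have written the port before failing.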
@@ -120,6 +121,10 @@ void usage(void)
 	printf(" --key-password-from-fsid Key passphrase is fsid of file system\n");
 	printf(" -P, --proxy=URL Set proxy server\n");
 	printf(" --no-proxy Disable proxy\n");
+	printf(" --libproxy Use libproxy to automatically configure proxy\n");
+#ifndef OPENCONNECT_LIBPROXY
+	printf(" (NOTE: libproxy disabled in this build)\n");
+#endif
 	printf(" -q, --quiet Less output\n");
 	printf(" -Q, --queue-len=LEN Set packet queue limit to LEN pkts\n");
 	printf(" -s, --script=SCRIPT Use vpnc-compatible config script\n");
@@ -176,7 +181,8 @@ int main(int argc, char **argv)
 	struct sigaction sa;
 	int cookieonly = 0;
 	int use_syslog = 0;
-	int autoproxy = 1;
+	char *proxy = NULL;
+	int autoproxy = 0;
 	uid_t uid = getuid();
 	int opt;
 
@@ -306,31 +312,21 @@ int main(int argc, char **argv)
 		case 'p':
 			vpninfo->cert_password = optarg;
 			break;
-		case 'P': {
-			char *url = strdup(optarg);
-
-			free(vpninfo->proxy_type);
-			vpninfo->proxy_type = NULL;
-			free(vpninfo->proxy);
-			vpninfo->proxy = NULL;
-
-			parse_url(url, &vpninfo->proxy_type, &vpninfo->proxy,
-				  &vpninfo->proxy_port, NULL, 80);
-			if (vpninfo->proxy_type &&
-			    strcmp(vpninfo->proxy_type, "http") &&
-			    strcmp(vpninfo->proxy_type, "socks") &&
-			    strcmp(vpninfo->proxy_type, "socks5")) {
-				fprintf(stderr, "Only http or socks[5] proxy scheme supported\n");
-				exit(1);
-			}
+		case 'P':
+			proxy = optarg;
 			autoproxy = 0;
-			free(url);
 			break;
-		}
 		case 0x06:
 			autoproxy = 0;
-			free(vpninfo->proxy);
-			vpninfo->proxy = NULL;
+			proxy = NULL;
+		case 0x07:
+#ifndef OPENCONNECT_LIBPROXY
+			fprintf(stderr, "This version of openconnect was built without libproxy support\n");
+			exit(1);
+#endif
+			autoproxy = 1;
+			proxy = NULL;
+			break;
 		case 's':
 			vpninfo->vpnc_script = optarg;
 			break;
@@ -403,10 +399,6 @@ int main(int argc, char **argv)
 			usage();
 		}
 	}
-#ifdef OPENCONNECT_LIBPROXY
-	if (autoproxy)
-		vpninfo->proxy_factory = px_proxy_factory_new();
-#endif
 
 	if (optind != argc - 1) {
 		fprintf(stderr, "No server specified\n");
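Review bot: In the `@@ -306,31 +312,21 @@` hunk, `case 0x06:` (--no-proxy) has no `break` after the new `proxy = NULL;` and falls straight into the new `case 0x07:`; on a build without OPENCONNECT_LIBPROXY that makes --no-proxy print the "built without libproxy support" message and exit(1), and on a libproxy build it sets `autoproxy = 1`, the opposite of what the option is for. The old code also lacked a `break` here (it fell into `case 's'`, where optarg is presumably NULL for a no-argument option), so the fallthrough is pre-existing, but the new target turns an odd side effect into an immediate failure. Add `break;` after `proxy = NULL;` in case 0x06. The enclosing switch and main() continue outside the hunk.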
@@ -416,12 +408,20 @@ int main(int argc, char **argv)
 	if (!vpninfo->sslkey)
 		vpninfo->sslkey = vpninfo->cert;
 
+	vpninfo->progress = write_progress;
+
+#ifdef OPENCONNECT_LIBPROXY
+	if (autoproxy)
+		vpninfo->proxy_factory = px_proxy_factory_new();
+#endif
+	if (proxy && set_http_proxy(vpninfo, proxy))
+		exit(1);
+
 	if (use_syslog) {
 		openlog("openconnect", LOG_PID, LOG_DAEMON);
 		vpninfo->progress = syslog_progress;
-	} else {
-		vpninfo->progress = write_progress;
 	}
+
 	memset(&sa, 0, sizeof(sa));
 	sa.sa_handler = handle_sigusr;
 
diff --git a/nm-auth-dialog.c b/nm-auth-dialog.c
index cc81171..f173212 100644
--- a/nm-auth-dialog.c
+++ b/nm-auth-dialog.c
@@ -1394,7 +1394,7 @@ static auth_ui_data *init_ui_data (char *vpn_name)
 	ui_data->vpninfo->validate_peer_cert = validate_peer_cert;
 	ui_data->vpninfo->vpn_name = vpn_name;
 	ui_data->vpninfo->process_auth_form = nm_process_auth_form;
-#ifdef OPENCONNECT_LIBPROXY
+#if 0
 	ui_data->vpninfo->proxy_factory = px_proxy_factory_new();
 #endif
 
diff --git a/openconnect.8 b/openconnect.8
index 830f75d..2b2a8a4 100644
--- a/openconnect.8
+++ b/openconnect.8
@@ -69,6 +69,9 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .B --no-proxy
 ]
 [
+.B --libproxy
+]
+[
 .B --key-password-from-fsid
 ]
 [
@@ -234,6 +237,9 @@ Use HTTP proxy for connection
 .B --no-proxy
 Disable use of HTTP proxy
 .TP
+.B --libproxy
+Use libproxy to configure proxy automatically (when built with libproxy support)
+.TP
 .B --key-password-from-fsid
 Passphrase for certificate file is automatically generated from the fsid of the file system on which it is stored
diff --git a/openconnect.h b/openconnect.h
index 2558d44..3438e78 100644
--- a/openconnect.h
+++ b/openconnect.h
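Review bot: `if (proxy && set_http_proxy(vpninfo, proxy)) exit(1);` exits without printing anything when set_http_proxy() fails inside parse_url(), because only the unsupported-scheme branch of set_http_proxy() reports through vpninfo->progress; unless parse_url() prints its own error (not visible here), a malformed -P URL makes openconnect die silently. A line such as `fprintf(stderr, "Failed to parse proxy URL '%s'\n", proxy);` before the exit would fix that. The new `vpninfo->progress = write_progress;` is placed before set_http_proxy() so the scheme error can be reported at all, which also means that error always goes to stderr even when use_syslog is set and syslog_progress is installed a few lines later; a comment such as `/* progress must be set before set_http_proxy() can report errors */` would record that the ordering is deliberate. main() continues outside the hunk.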
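Review bot: The `#if 0` around the px_proxy_factory_new() call in init_ui_data leaves dead code with no explanation of why libproxy is now off for the NetworkManager dialog; the reason (a proxy configured for https breaks DTLS) exists only in the commit message, so a later maintainer is likely to re-enable it. Either delete the two lines or precede `#if 0` with a comment such as `/* libproxy deliberately disabled: a system https proxy would silently break DTLS; see --libproxy in main.c */`. init_ui_data continues outside the hunk.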
@@ -335,6 +335,7 @@ char *openconnect_create_useragent(char *base);
 int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
 int parse_url(char *url, char **res_proto, char **res_host, int *res_port,
 	      char **res_path, int default_port);
+int set_http_proxy(struct openconnect_info *vpninfo, char *proxy);
 
 /* ssl_ui.c */
 int set_openssl_ui(void);
-- 
2.7.4
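Review bot: The new prototype `int set_http_proxy(struct openconnect_info *vpninfo, char *proxy);` takes a non-const `char *` although the http.c implementation in this patch only passes `proxy` to strdup(); declaring it `const char *proxy` (here and in http.c) documents that the argument is neither modified nor retained and still accepts the `optarg` that main.c passes. The declaration also carries no comment for what is now a public entry point; a one-line note such as `/* Parse a proxy URL into vpninfo->proxy_type/proxy/proxy_port; returns 0 or a negative error code */` next to it would match the terse style of the surrounding declarations.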