mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
984cf0036c
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@689 e7ae566f-a301-0410-adde-c780ea21d3b5
519 lines
13 KiB
C
519 lines
13 KiB
C
/*
|
|
* OpenVPN -- An application to securely tunnel IP networks
|
|
* over a single TCP/UDP port, with support for SSL/TLS-based
|
|
* session authentication and key exchange,
|
|
* packet encryption, packet authentication, and
|
|
* packet compression.
|
|
*
|
|
* Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2
|
|
* as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program (see the file COPYING included with this
|
|
* distribution); if not, write to the Free Software Foundation, Inc.,
|
|
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
|
|
#ifdef WIN32
|
|
#include "config-win32.h"
|
|
#else
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#ifdef ENABLE_HTTP_PROXY
|
|
|
|
#include "syshead.h"
|
|
|
|
#include "common.h"
|
|
#include "misc.h"
|
|
#include "win32.h"
|
|
#include "socket.h"
|
|
#include "fdmisc.h"
|
|
#include "proxy.h"
|
|
#include "ntlm.h"
|
|
|
|
#include "memdbg.h"
|
|
|
|
/* cached proxy username/password */
|
|
static struct user_pass static_proxy_user_pass;
|
|
|
|
static bool
|
|
recv_line (socket_descriptor_t sd,
|
|
char *buf,
|
|
int len,
|
|
const int timeout_sec,
|
|
const bool verbose,
|
|
struct buffer *lookahead,
|
|
volatile int *signal_received)
|
|
{
|
|
struct buffer la;
|
|
int lastc = 0;
|
|
|
|
CLEAR (la);
|
|
if (lookahead)
|
|
la = *lookahead;
|
|
|
|
while (true)
|
|
{
|
|
int status;
|
|
ssize_t size;
|
|
fd_set reads;
|
|
struct timeval tv;
|
|
uint8_t c;
|
|
|
|
if (buf_defined (&la))
|
|
{
|
|
ASSERT (buf_init (&la, 0));
|
|
}
|
|
|
|
FD_ZERO (&reads);
|
|
FD_SET (sd, &reads);
|
|
tv.tv_sec = timeout_sec;
|
|
tv.tv_usec = 0;
|
|
|
|
status = select (sd + 1, &reads, NULL, NULL, &tv);
|
|
|
|
get_signal (signal_received);
|
|
if (*signal_received)
|
|
goto error;
|
|
|
|
/* timeout? */
|
|
if (status == 0)
|
|
{
|
|
if (verbose)
|
|
msg (D_LINK_ERRORS | M_ERRNO_SOCK, "recv_line: TCP port read timeout expired");
|
|
goto error;
|
|
}
|
|
|
|
/* error */
|
|
if (status < 0)
|
|
{
|
|
if (verbose)
|
|
msg (D_LINK_ERRORS | M_ERRNO_SOCK, "recv_line: TCP port read failed on select()");
|
|
goto error;
|
|
}
|
|
|
|
/* read single char */
|
|
size = recv (sd, &c, 1, MSG_NOSIGNAL);
|
|
|
|
/* error? */
|
|
if (size != 1)
|
|
{
|
|
if (verbose)
|
|
msg (D_LINK_ERRORS | M_ERRNO_SOCK, "recv_line: TCP port read failed on recv()");
|
|
goto error;
|
|
}
|
|
|
|
#if 0
|
|
if (isprint(c))
|
|
msg (M_INFO, "PROXY: read '%c' (%d)", c, (int)c);
|
|
else
|
|
msg (M_INFO, "PROXY: read (%d)", (int)c);
|
|
#endif
|
|
|
|
/* store char in buffer */
|
|
if (len > 1)
|
|
{
|
|
*buf++ = c;
|
|
--len;
|
|
}
|
|
|
|
/* also store char in lookahead buffer */
|
|
if (buf_defined (&la))
|
|
{
|
|
buf_write_u8 (&la, c);
|
|
if (!isprint(c) && !isspace(c)) /* not ascii? */
|
|
{
|
|
if (verbose)
|
|
msg (D_LINK_ERRORS | M_ERRNO_SOCK, "recv_line: Non-ASCII character (%d) read on recv()", (int)c);
|
|
*lookahead = la;
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/* end of line? */
|
|
if (lastc == '\r' && c == '\n')
|
|
break;
|
|
|
|
lastc = c;
|
|
}
|
|
|
|
/* append trailing null */
|
|
if (len > 0)
|
|
*buf++ = '\0';
|
|
|
|
return true;
|
|
|
|
error:
|
|
return false;
|
|
}
|
|
|
|
static bool
|
|
send_line (socket_descriptor_t sd,
|
|
const char *buf)
|
|
{
|
|
const ssize_t size = send (sd, buf, strlen (buf), MSG_NOSIGNAL);
|
|
if (size != (ssize_t) strlen (buf))
|
|
{
|
|
msg (D_LINK_ERRORS | M_ERRNO_SOCK, "send_line: TCP port write failed on send()");
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
static bool
|
|
send_line_crlf (socket_descriptor_t sd,
|
|
const char *src)
|
|
{
|
|
bool ret;
|
|
|
|
struct buffer buf = alloc_buf (strlen (src) + 3);
|
|
ASSERT (buf_write (&buf, src, strlen (src)));
|
|
ASSERT (buf_write (&buf, "\r\n", 3));
|
|
ret = send_line (sd, BSTR (&buf));
|
|
free_buf (&buf);
|
|
return ret;
|
|
}
|
|
|
|
static bool
|
|
send_crlf (socket_descriptor_t sd)
|
|
{
|
|
return send_line_crlf (sd, "");
|
|
}
|
|
|
|
uint8_t *
|
|
make_base64_string2 (const uint8_t *str, int src_len, struct gc_arena *gc)
|
|
{
|
|
static const char base64_table[] =
|
|
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
|
|
|
|
uint8_t *buf;
|
|
const uint8_t *src;
|
|
uint8_t *dst;
|
|
int bits, data, dst_len;
|
|
|
|
/* make base64 string */
|
|
dst_len = (src_len + 2) / 3 * 4;
|
|
buf = gc_malloc (dst_len + 1, false, gc);
|
|
bits = data = 0;
|
|
src = str;
|
|
dst = buf;
|
|
while (dst_len--)
|
|
{
|
|
if (bits < 6)
|
|
{
|
|
data = (data << 8) | *src;
|
|
bits += 8;
|
|
src++;
|
|
}
|
|
*dst++ = base64_table[0x3F & (data >> (bits - 6))];
|
|
bits -= 6;
|
|
}
|
|
*dst = '\0';
|
|
|
|
/* fix-up tail padding */
|
|
switch (src_len % 3)
|
|
{
|
|
case 1:
|
|
*--dst = '=';
|
|
case 2:
|
|
*--dst = '=';
|
|
}
|
|
return buf;
|
|
}
|
|
|
|
uint8_t *
|
|
make_base64_string (const uint8_t *str, struct gc_arena *gc)
|
|
{
|
|
return make_base64_string2 (str, strlen ((const char *)str), gc);
|
|
}
|
|
|
|
static const char *
|
|
username_password_as_base64 (const struct http_proxy_info *p,
|
|
struct gc_arena *gc)
|
|
{
|
|
struct buffer out = alloc_buf_gc (strlen (p->up.username) + strlen (p->up.password) + 2, gc);
|
|
ASSERT (strlen (p->up.username) > 0);
|
|
buf_printf (&out, "%s:%s", p->up.username, p->up.password);
|
|
return (const char *)make_base64_string ((const uint8_t*)BSTR (&out), gc);
|
|
}
|
|
|
|
struct http_proxy_info *
|
|
new_http_proxy (const struct http_proxy_options *o,
|
|
struct gc_arena *gc)
|
|
{
|
|
struct http_proxy_info *p;
|
|
ALLOC_OBJ_CLEAR_GC (p, struct http_proxy_info, gc);
|
|
|
|
if (!o->server)
|
|
msg (M_FATAL, "HTTP_PROXY: server not specified");
|
|
|
|
ASSERT (legal_ipv4_port (o->port));
|
|
|
|
p->options = *o;
|
|
|
|
/* parse authentication method */
|
|
p->auth_method = HTTP_AUTH_NONE;
|
|
if (o->auth_method_string)
|
|
{
|
|
if (!strcmp (o->auth_method_string, "none"))
|
|
p->auth_method = HTTP_AUTH_NONE;
|
|
else if (!strcmp (o->auth_method_string, "basic"))
|
|
p->auth_method = HTTP_AUTH_BASIC;
|
|
else if (!strcmp (o->auth_method_string, "ntlm"))
|
|
p->auth_method = HTTP_AUTH_NTLM;
|
|
else
|
|
msg (M_FATAL, "ERROR: unknown HTTP authentication method: '%s' -- only the 'none', 'basic', or 'ntlm' methods are currently supported",
|
|
o->auth_method_string);
|
|
}
|
|
|
|
/* only basic and NTLM authentication supported so far */
|
|
if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM)
|
|
{
|
|
get_user_pass (&static_proxy_user_pass,
|
|
o->auth_file,
|
|
"HTTP Proxy",
|
|
GET_USER_PASS_MANAGEMENT);
|
|
p->up = static_proxy_user_pass;
|
|
}
|
|
|
|
#if !NTLM
|
|
if (p->auth_method == HTTP_AUTH_NTLM)
|
|
msg (M_FATAL, "Sorry, this version of " PACKAGE_NAME " was built without NTLM Proxy support.");
|
|
#endif
|
|
|
|
p->defined = true;
|
|
return p;
|
|
}
|
|
|
|
void
|
|
establish_http_proxy_passthru (struct http_proxy_info *p,
|
|
socket_descriptor_t sd, /* already open to proxy */
|
|
const char *host, /* openvpn server remote */
|
|
const int port, /* openvpn server port */
|
|
struct buffer *lookahead,
|
|
volatile int *signal_received)
|
|
{
|
|
struct gc_arena gc = gc_new ();
|
|
char buf[256];
|
|
char buf2[128];
|
|
char get[80];
|
|
int status;
|
|
int nparms;
|
|
|
|
/* format HTTP CONNECT message */
|
|
openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s",
|
|
host,
|
|
port,
|
|
p->options.http_version);
|
|
|
|
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
|
|
|
|
/* send HTTP CONNECT message to proxy */
|
|
if (!send_line_crlf (sd, buf))
|
|
goto error;
|
|
|
|
/* send User-Agent string if provided */
|
|
if (p->options.user_agent)
|
|
{
|
|
openvpn_snprintf (buf, sizeof(buf), "User-Agent: %s",
|
|
p->options.user_agent);
|
|
if (!send_line_crlf (sd, buf))
|
|
goto error;
|
|
}
|
|
|
|
/* auth specified? */
|
|
switch (p->auth_method)
|
|
{
|
|
case HTTP_AUTH_NONE:
|
|
break;
|
|
|
|
case HTTP_AUTH_BASIC:
|
|
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: Basic %s",
|
|
username_password_as_base64 (p, &gc));
|
|
msg (D_PROXY, "Attempting Basic Proxy-Authorization");
|
|
dmsg (D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf);
|
|
openvpn_sleep (1);
|
|
if (!send_line_crlf (sd, buf))
|
|
goto error;
|
|
break;
|
|
|
|
#if NTLM
|
|
case HTTP_AUTH_NTLM:
|
|
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s",
|
|
ntlm_phase_1 (p, &gc));
|
|
msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 1");
|
|
dmsg (D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf);
|
|
openvpn_sleep (1);
|
|
if (!send_line_crlf (sd, buf))
|
|
goto error;
|
|
break;
|
|
#endif
|
|
|
|
default:
|
|
ASSERT (0);
|
|
}
|
|
|
|
/* send empty CR, LF */
|
|
openvpn_sleep (1);
|
|
if (!send_crlf (sd))
|
|
goto error;
|
|
|
|
/* receive reply from proxy */
|
|
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
|
|
goto error;
|
|
|
|
/* remove trailing CR, LF */
|
|
chomp (buf);
|
|
|
|
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
|
|
|
|
/* parse return string */
|
|
nparms = sscanf (buf, "%*s %d", &status);
|
|
|
|
/* check for a "407 Proxy Authentication Required" response */
|
|
if (nparms >= 1 && status == 407)
|
|
{
|
|
msg (D_PROXY, "Proxy requires authentication");
|
|
|
|
/* check for NTLM */
|
|
if (p->auth_method == HTTP_AUTH_NTLM)
|
|
{
|
|
#if NTLM
|
|
/* look for the phase 2 response */
|
|
|
|
while (true)
|
|
{
|
|
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
|
|
goto error;
|
|
chomp (buf);
|
|
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
|
|
|
|
openvpn_snprintf (get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof (buf2) - 1);
|
|
nparms = sscanf (buf, get, buf2);
|
|
buf2[127] = 0; /* we only need the beginning - ensure it's null terminated. */
|
|
|
|
/* check for "Proxy-Authenticate: NTLM TlRM..." */
|
|
if (nparms == 1)
|
|
{
|
|
/* parse buf2 */
|
|
msg (D_PROXY, "auth string: '%s'", buf2);
|
|
break;
|
|
}
|
|
}
|
|
/* if we are here then auth string was got */
|
|
msg (D_PROXY, "Received NTLM Proxy-Authorization phase 2 response");
|
|
|
|
/* receive and discard everything else */
|
|
while (recv_line (sd, NULL, 0, p->options.timeout, true, NULL, signal_received))
|
|
;
|
|
|
|
/* now send the phase 3 reply */
|
|
|
|
/* format HTTP CONNECT message */
|
|
openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s",
|
|
host,
|
|
port,
|
|
p->options.http_version);
|
|
|
|
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
|
|
|
|
/* send HTTP CONNECT message to proxy */
|
|
if (!send_line_crlf (sd, buf))
|
|
goto error;
|
|
|
|
/* send HOST etc, */
|
|
openvpn_sleep (1);
|
|
openvpn_snprintf (buf, sizeof(buf), "Host: %s", host);
|
|
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
|
|
if (!send_line_crlf (sd, buf))
|
|
goto error;
|
|
|
|
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s",
|
|
ntlm_phase_3 (p, buf2, &gc));
|
|
msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 3");
|
|
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
|
|
openvpn_sleep (1);
|
|
if (!send_line_crlf (sd, buf))
|
|
goto error;
|
|
/* ok so far... */
|
|
/* send empty CR, LF */
|
|
openvpn_sleep (1);
|
|
if (!send_crlf (sd))
|
|
goto error;
|
|
|
|
/* receive reply from proxy */
|
|
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
|
|
goto error;
|
|
|
|
/* remove trailing CR, LF */
|
|
chomp (buf);
|
|
|
|
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
|
|
|
|
/* parse return string */
|
|
nparms = sscanf (buf, "%*s %d", &status);
|
|
#else
|
|
ASSERT (0); /* No NTLM support */
|
|
#endif
|
|
}
|
|
else goto error;
|
|
}
|
|
|
|
|
|
/* check return code, success = 200 */
|
|
if (nparms < 1 || status != 200)
|
|
{
|
|
msg (D_LINK_ERRORS, "HTTP proxy returned bad status");
|
|
#if 0
|
|
/* DEBUGGING -- show a multi-line HTTP error response */
|
|
while (true)
|
|
{
|
|
if (!recv_line (sd, buf, sizeof (buf), p->options.timeout, true, NULL, signal_received))
|
|
goto error;
|
|
chomp (buf);
|
|
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
|
|
}
|
|
#endif
|
|
goto error;
|
|
}
|
|
|
|
/* receive line from proxy and discard */
|
|
if (!recv_line (sd, NULL, 0, p->options.timeout, true, NULL, signal_received))
|
|
goto error;
|
|
|
|
/*
|
|
* Toss out any extraneous chars, but don't throw away the
|
|
* start of the OpenVPN data stream (put it in lookahead).
|
|
*/
|
|
while (recv_line (sd, NULL, 0, 2, false, lookahead, signal_received))
|
|
;
|
|
|
|
#if 0
|
|
if (lookahead && BLEN (lookahead))
|
|
msg (M_INFO, "HTTP PROXY: lookahead: %s", format_hex (BPTR (lookahead), BLEN (lookahead), 0));
|
|
#endif
|
|
|
|
gc_free (&gc);
|
|
return;
|
|
|
|
error:
|
|
/* on error, should we exit or restart? */
|
|
if (!*signal_received)
|
|
*signal_received = (p->options.retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- HTTP proxy error */
|
|
gc_free (&gc);
|
|
return;
|
|
}
|
|
|
|
#else
|
|
static void dummy(void) {}
|
|
#endif /* ENABLE_HTTP_PROXY */
|