bool
establish_http_proxy_passthru (struct http_proxy_info *p,
socket_descriptor_t sd, /* already open to proxy */
const char *host, /* openvpn server remote */
const int port, /* openvpn server port */
struct buffer *lookahead,
volatile int *signal_received)
{
struct gc_arena gc = gc_new ();
char buf[256];
char buf2[128];
char get[80];
int status;
int nparms;
bool ret = false;
/* get user/pass if not previously given or if --auto-proxy is being used */
if (p->auth_method == HTTP_AUTH_BASIC
|| p->auth_method == HTTP_AUTH_NTLM)
get_user_pass_http (p, false);
/* format HTTP CONNECT message */
openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s\r\nHOST: %s:%d",
host,
port,
p->options.http_version,
host,
port);
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
/* send HTTP CONNECT message to proxy */
if (!send_line_crlf (sd, buf))
goto error;
/* send User-Agent string if provided */
if (p->options.user_agent)
{
openvpn_snprintf (buf, sizeof(buf), "User-Agent: %s",
p->options.user_agent);
if (!send_line_crlf (sd, buf))
goto error;
}
/* auth specified? */
switch (p->auth_method)
{
case HTTP_AUTH_NONE:
break;
case HTTP_AUTH_BASIC:
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: Basic %s",
username_password_as_base64 (p, &gc));
msg (D_PROXY, "Attempting Basic Proxy-Authorization");
dmsg (D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf);
openvpn_sleep (1);
if (!send_line_crlf (sd, buf))
goto error;
break;
#if NTLM
case HTTP_AUTH_NTLM:
case HTTP_AUTH_NTLM2:
/* keep-alive connection */
openvpn_snprintf (buf, sizeof(buf), "Proxy-Connection: Keep-Alive");
if (!send_line_crlf (sd, buf))
goto error;
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s",
ntlm_phase_1 (p, &gc));
msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 1");
dmsg (D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf);
openvpn_sleep (1);
if (!send_line_crlf (sd, buf))
goto error;
break;
#endif
default:
ASSERT (0);
}
/* send empty CR, LF */
openvpn_sleep (1);
if (!send_crlf (sd))
goto error;
/* receive reply from proxy */
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
/* parse return string */
nparms = sscanf (buf, "%*s %d", &status);
/* check for a "407 Proxy Authentication Required" response */
if (nparms >= 1 && status == 407)
{
msg (D_PROXY, "Proxy requires authentication");
/* check for NTLM */
if (p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2)
{
#if NTLM
/* look for the phase 2 response */
while (true)
{
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
goto error;
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
openvpn_snprintf (get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof (buf2) - 1);
nparms = sscanf (buf, get, buf2);
buf2[127] = 0; /* we only need the beginning - ensure it's null terminated. */
/* check for "Proxy-Authenticate: NTLM TlRM..." */
if (nparms == 1)
{
/* parse buf2 */
msg (D_PROXY, "auth string: '%s'", buf2);
break;
}
}
/* if we are here then auth string was got */
msg (D_PROXY, "Received NTLM Proxy-Authorization phase 2 response");
/* receive and discard everything else */
while (recv_line (sd, NULL, 0, p->options.timeout, true, NULL, signal_received))
;
/* now send the phase 3 reply */
/* format HTTP CONNECT message */
openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s",
host,
port,
p->options.http_version);
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
/* send HTTP CONNECT message to proxy */
if (!send_line_crlf (sd, buf))
goto error;
/* keep-alive connection */
openvpn_snprintf (buf, sizeof(buf), "Proxy-Connection: Keep-Alive");
if (!send_line_crlf (sd, buf))
goto error;
/* send HOST etc, */
openvpn_sleep (1);
openvpn_snprintf (buf, sizeof(buf), "Host: %s", host);
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf (sd, buf))
goto error;
msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 3");
{
const char *np3 = ntlm_phase_3 (p, buf2, &gc);
if (!np3)
{
msg (D_PROXY, "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server");
goto error;
}
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s", np3);
}
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
openvpn_sleep (1);
if (!send_line_crlf (sd, buf))
goto error;
/* ok so far... */
/* send empty CR, LF */
openvpn_sleep (1);
if (!send_crlf (sd))
goto error;
/* receive reply from proxy */
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
/* parse return string */
nparms = sscanf (buf, "%*s %d", &status);
#else
ASSERT (0); /* No NTLM support */
#endif
}
else if (p->auth_method == HTTP_AUTH_NONE && p->options.auth_retry)
{
/*
* Proxy needs authentication, but we don't have a user/pass.
* Now we will change p->auth_method and return true so that
* our caller knows to call us again on a newly opened socket.
* JYFIXME: This code needs to check proxy error output and set
* JYFIXME: p->auth_method = HTTP_AUTH_NTLM if necessary.
*/
p->auth_method = HTTP_AUTH_BASIC;
ret = true;
goto done;
}
else
goto error;
}
/* check return code, success = 200 */
if (nparms < 1 || status != 200)
{
msg (D_LINK_ERRORS, "HTTP proxy returned bad status");
#if 0
/* DEBUGGING -- show a multi-line HTTP error response */
while (true)
{
if (!recv_line (sd, buf, sizeof (buf), p->options.timeout, true, NULL, signal_received))
goto error;
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
}
#endif
goto error;
}
/* receive line from proxy and discard */
if (!recv_line (sd, NULL, 0, p->options.timeout, true, NULL, signal_received))
goto error;
/*
* Toss out any extraneous chars, but don't throw away the
* start of the OpenVPN data stream (put it in lookahead).
*/
while (recv_line (sd, NULL, 0, 2, false, lookahead, signal_received))
;
#if 0
if (lookahead && BLEN (lookahead))
msg (M_INFO, "HTTP PROXY: lookahead: %s", format_hex (BPTR (lookahead), BLEN (lookahead), 0));
#endif
done:
gc_free (&gc);
return ret;
error:
/* on error, should we exit or restart? */
if (!*signal_received)
*signal_received = (p->options.retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- HTTP proxy error */
gc_free (&gc);
return ret;
}
bool
establish_http_proxy_passthru (struct http_proxy_info *p,
socket_descriptor_t sd, /* already open to proxy */
const char *host, /* openvpn server remote */
const int port, /* openvpn server port */
struct buffer *lookahead,
volatile int *signal_received)
{
struct gc_arena gc = gc_new ();
char buf[512];
char buf2[128];
char get[80];
int status;
int nparms;
bool ret = false;
bool processed = false;
/* get user/pass if not previously given */
if (p->auth_method == HTTP_AUTH_BASIC
|| p->auth_method == HTTP_AUTH_DIGEST
|| p->auth_method == HTTP_AUTH_NTLM)
get_user_pass_http (p, false);
/* are we being called again after getting the digest server nonce in the previous transaction? */
if (p->auth_method == HTTP_AUTH_DIGEST && p->proxy_authenticate)
{
nparms = 1;
status = 407;
}
else
{
/* format HTTP CONNECT message */
openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s",
host,
port,
p->options.http_version);
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
/* send HTTP CONNECT message to proxy */
if (!send_line_crlf (sd, buf))
goto error;
openvpn_snprintf(buf, sizeof(buf), "Host: %s", host);
if (!send_line_crlf(sd, buf))
goto error;
/* send User-Agent string if provided */
if (p->options.user_agent)
{
openvpn_snprintf (buf, sizeof(buf), "User-Agent: %s",
p->options.user_agent);
if (!send_line_crlf (sd, buf))
goto error;
}
/* auth specified? */
switch (p->auth_method)
{
case HTTP_AUTH_NONE:
break;
case HTTP_AUTH_BASIC:
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: Basic %s",
username_password_as_base64 (p, &gc));
msg (D_PROXY, "Attempting Basic Proxy-Authorization");
dmsg (D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf (sd, buf))
goto error;
break;
#if NTLM
case HTTP_AUTH_NTLM:
case HTTP_AUTH_NTLM2:
/* keep-alive connection */
openvpn_snprintf (buf, sizeof(buf), "Proxy-Connection: Keep-Alive");
if (!send_line_crlf (sd, buf))
goto error;
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s",
ntlm_phase_1 (p, &gc));
msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 1");
dmsg (D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf (sd, buf))
goto error;
break;
#endif
default:
ASSERT (0);
}
/* send empty CR, LF */
if (!send_crlf (sd))
goto error;
/* receive reply from proxy */
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
/* parse return string */
nparms = sscanf (buf, "%*s %d", &status);
}
/* check for a "407 Proxy Authentication Required" response */
while (nparms >= 1 && status == 407)
{
msg (D_PROXY, "Proxy requires authentication");
if (p->auth_method == HTTP_AUTH_BASIC && !processed)
{
processed = true;
}
else if ((p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check for NTLM */
{
#if NTLM
/* look for the phase 2 response */
while (true)
{
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
goto error;
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
openvpn_snprintf (get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof (buf2) - 1);
nparms = sscanf (buf, get, buf2);
buf2[127] = 0; /* we only need the beginning - ensure it's null terminated. */
/* check for "Proxy-Authenticate: NTLM TlRM..." */
if (nparms == 1)
{
/* parse buf2 */
msg (D_PROXY, "auth string: '%s'", buf2);
break;
}
}
/* if we are here then auth string was got */
msg (D_PROXY, "Received NTLM Proxy-Authorization phase 2 response");
/* receive and discard everything else */
while (recv_line (sd, NULL, 0, 2, true, NULL, signal_received))
;
/* now send the phase 3 reply */
/* format HTTP CONNECT message */
openvpn_snprintf (buf, sizeof(buf), "CONNECT %s:%d HTTP/%s",
host,
port,
p->options.http_version);
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
/* send HTTP CONNECT message to proxy */
if (!send_line_crlf (sd, buf))
goto error;
/* keep-alive connection */
openvpn_snprintf (buf, sizeof(buf), "Proxy-Connection: Keep-Alive");
if (!send_line_crlf (sd, buf))
goto error;
/* send HOST etc, */
openvpn_snprintf (buf, sizeof(buf), "Host: %s", host);
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf (sd, buf))
goto error;
msg (D_PROXY, "Attempting NTLM Proxy-Authorization phase 3");
{
const char *np3 = ntlm_phase_3 (p, buf2, &gc);
if (!np3)
{
msg (D_PROXY, "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server");
goto error;
}
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: NTLM %s", np3);
}
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf (sd, buf))
goto error;
/* ok so far... */
/* send empty CR, LF */
if (!send_crlf (sd))
goto error;
/* receive reply from proxy */
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
/* parse return string */
nparms = sscanf (buf, "%*s %d", &status);
processed = true;
#endif
}
#if PROXY_DIGEST_AUTH
else if (p->auth_method == HTTP_AUTH_DIGEST && !processed)
{
char *pa = p->proxy_authenticate;
const int method = p->auth_method;
ASSERT(pa);
if (method == HTTP_AUTH_DIGEST)
{
const char *http_method = "CONNECT";
const char *nonce_count = "00000001";
const char *qop = "auth";
const char *username = p->up.username;
const char *password = p->up.password;
char *opaque_kv = "";
char uri[128];
uint8_t cnonce_raw[8];
uint8_t *cnonce;
HASHHEX session_key;
HASHHEX response;
const char *realm = get_pa_var("realm", pa, &gc);
const char *nonce = get_pa_var("nonce", pa, &gc);
const char *algor = get_pa_var("algorithm", pa, &gc);
const char *opaque = get_pa_var("opaque", pa, &gc);
/* generate a client nonce */
ASSERT(rand_bytes(cnonce_raw, sizeof(cnonce_raw)));
cnonce = make_base64_string2(cnonce_raw, sizeof(cnonce_raw), &gc);
/* build the digest response */
openvpn_snprintf (uri, sizeof(uri), "%s:%d",
host,
port);
if (opaque)
{
const int len = strlen(opaque)+16;
opaque_kv = gc_malloc(len, false, &gc);
openvpn_snprintf (opaque_kv, len, ", opaque=\"%s\"", opaque);
}
DigestCalcHA1(algor,
username,
realm,
password,
nonce,
(char *)cnonce,
session_key);
DigestCalcResponse(session_key,
nonce,
nonce_count,
(char *)cnonce,
qop,
http_method,
uri,
NULL,
response);
/* format HTTP CONNECT message */
openvpn_snprintf (buf, sizeof(buf), "%s %s HTTP/%s",
http_method,
uri,
p->options.http_version);
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
/* send HTTP CONNECT message to proxy */
if (!send_line_crlf (sd, buf))
goto error;
/* send HOST etc, */
openvpn_snprintf (buf, sizeof(buf), "Host: %s", host);
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf (sd, buf))
goto error;
/* send digest response */
openvpn_snprintf (buf, sizeof(buf), "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
username,
realm,
nonce,
uri,
qop,
nonce_count,
cnonce,
response,
opaque_kv
);
msg (D_PROXY, "Send to HTTP proxy: '%s'", buf);
if (!send_line_crlf (sd, buf))
goto error;
if (!send_crlf (sd))
goto error;
/* receive reply from proxy */
if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
/* parse return string */
nparms = sscanf (buf, "%*s %d", &status);
processed = true;
}
else
{
msg (D_PROXY, "HTTP proxy: digest method not supported");
goto error;
}
}
#endif
else if (p->options.auth_retry)
{
/* figure out what kind of authentication the proxy needs */
char *pa = NULL;
const int method = get_proxy_authenticate(sd,
p->options.timeout,
&pa,
NULL,
signal_received);
if (method != HTTP_AUTH_NONE)
{
if (pa)
msg (D_PROXY, "HTTP proxy authenticate '%s'", pa);
if (p->options.auth_retry == PAR_NCT && method == HTTP_AUTH_BASIC)
{
msg (D_PROXY, "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled");
goto error;
}
p->auth_method = method;
store_proxy_authenticate(p, pa);
ret = true;
goto done;
}
else
{
msg (D_PROXY, "HTTP proxy: do not recognize the authentication method required by proxy");
free (pa);
goto error;
}
}
else
{
if (!processed)
msg (D_PROXY, "HTTP proxy: no support for proxy authentication method");
goto error;
}
/* clear state */
if (p->options.auth_retry)
clear_user_pass_http();
store_proxy_authenticate(p, NULL);
}
/* check return code, success = 200 */
if (nparms < 1 || status != 200)
{
msg (D_LINK_ERRORS, "HTTP proxy returned bad status");
#if 0
/* DEBUGGING -- show a multi-line HTTP error response */
dump_residual(sd, p->options.timeout, signal_received);
#endif
goto error;
}
/* SUCCESS */
/* receive line from proxy and discard */
if (!recv_line (sd, NULL, 0, p->options.timeout, true, NULL, signal_received))
goto error;
/*
* Toss out any extraneous chars, but don't throw away the
* start of the OpenVPN data stream (put it in lookahead).
*/
while (recv_line (sd, NULL, 0, 2, false, lookahead, signal_received))
;
/* reset queried_creds so that we don't think that the next creds request is due to an auth error */
p->queried_creds = false;
#if 0
if (lookahead && BLEN (lookahead))
msg (M_INFO, "HTTP PROXY: lookahead: %s", format_hex (BPTR (lookahead), BLEN (lookahead), 0));
#endif
done:
gc_free (&gc);
return ret;
error:
/* on error, should we exit or restart? */
if (!*signal_received)
*signal_received = (p->options.retry ? SIGUSR1 : SIGTERM); /* SOFT-SIGUSR1 -- HTTP proxy error */
gc_free (&gc);
return ret;
}