int connectViaHttpProxy( INOUT STREAM *stream,
INOUT ERROR_INFO *errorInfo )
{
NET_STREAM_INFO *netStream = ( NET_STREAM_INFO * ) stream->netStreamInfo;
HTTP_DATA_INFO httpDataInfo;
BYTE buffer[ 64 + 8 ];
int length, status;
assert( isWritePtr( stream, sizeof( STREAM ) ) );
assert( isWritePtr( errorInfo, sizeof( ERROR_INFO ) ) );
REQUIRES_S( netStream != NULL );
REQUIRES_S( stream->type == STREAM_TYPE_NETWORK );
/* Open the connection via the proxy. To do this we temporarily layer
HTTP I/O over the TCP I/O, then once the proxy messaging has been
completed we re-set the stream to pure TCP I/O and clear any stream
flags that were set during the proxying */
setStreamLayerHTTP( netStream );
initHttpDataInfo( &httpDataInfo, "", 0 );
status = netStream->writeFunction( stream, &httpDataInfo,
sizeof( HTTP_DATA_INFO ), &length );
if( cryptStatusOK( status ) )
{
initHttpDataInfo( &httpDataInfo, buffer, 64 );
status = netStream->readFunction( stream, &httpDataInfo,
sizeof( HTTP_DATA_INFO ), &length );
}
setStreamLayerDirect( netStream );
stream->flags = 0;
if( cryptStatusError( status ) )
{
/* The involvement of a proxy complicates matters somewhat because
we can usually connect to the proxy OK but may run into problems
going from the proxy to the remote server so if we get an error
at this stage (which will typically show up as a read error from
the proxy) we report it as an open error instead */
if( status == CRYPT_ERROR_READ || status == CRYPT_ERROR_COMPLETE )
status = CRYPT_ERROR_OPEN;
copyErrorInfo( errorInfo, NETSTREAM_ERRINFO );
netStream->transportDisconnectFunction( netStream, TRUE );
}
return( status );
}
int writeUint24( INOUT STREAM *stream, IN_LENGTH const int length )
{
assert( isWritePtr( stream, sizeof( STREAM ) ) );
REQUIRES_S( length >= 0 && \
length < MAX_PACKET_SIZE + EXTRA_PACKET_SIZE );
sputc( stream, 0 );
return( writeUint16( stream, length ) );
}
int connectViaSocksProxy( INOUT STREAM *stream )
{
MESSAGE_DATA msgData;
BYTE socksBuffer[ 64 + CRYPT_MAX_TEXTSIZE + 8 ], *bufPtr = socksBuffer;
char userName[ CRYPT_MAX_TEXTSIZE + 8 ];
int length, status;
assert( isWritePtr( stream, sizeof( STREAM ) ) );
REQUIRES_S( stream->type == STREAM_TYPE_NETWORK );
/* Get the SOCKS user name, defaulting to "cryptlib" if there's none
set */
setMessageData( &msgData, userName, CRYPT_MAX_TEXTSIZE );
status = krnlSendMessage( DEFAULTUSER_OBJECT_HANDLE,
IMESSAGE_GETATTRIBUTE_S, &msgData,
CRYPT_OPTION_NET_SOCKS_USERNAME );
if( cryptStatusOK( status ) )
userName[ msgData.length ] = '\0';
else
strlcpy_s( userName, CRYPT_MAX_TEXTSIZE, "cryptlib" );
/* Build up the SOCKSv4 request string:
BYTE: version = 4
BYTE: command = 1 (connect)
WORD: port
LONG: IP address
STRING: userName + '\0'
Note that this has a potential problem in that it requires a DNS
lookup by the client, which can lead to problems if the client
can't get DNS requests out because only SOCKSified access is allowed.
A related problem occurs when SOCKS is being used as a tunnelling
interface because the DNS lookup will communicate data about the
client to an observer outside the tunnel.
To work around this there's a so-called SOCKSv4a protocol that has
the SOCKS proxy perform the lookup:
BYTE: version = 4
BYTE: command = 1 (connect)
WORD: port
LONG: IP address = 0x00 0x00 0x00 0xFF
STRING: userName + '\0'
STRING: FQDN + '\0'
Unfortunately there's no way to tell whether a SOCKS server supports
4a or only 4, but in any case since SOCKS support is currently
disabled we leave the poke-and-hope 4a detection until such time as
someone actually requests it */
*bufPtr++ = 4; *bufPtr++ = 1;
mputWord( bufPtr, netStream->port );
status = getIPAddress( stream, bufPtr, netStream->host );
strlcpy_s( bufPtr + 4, CRYPT_MAX_TEXTSIZE, userName );
length = 1 + 1 + 2 + 4 + strlen( userName ) + 1;
if( cryptStatusError( status ) )
{
netStream->transportDisconnectFunction( stream, TRUE );
return( status );
}
/* Send the data to the server and read back the reply */
status = netStream->transportWriteFunction( stream, socksBuffer, length,
TRANSPORT_FLAG_FLUSH );
if( cryptStatusOK( status ) )
status = netStream->transportReadFunction( stream, socksBuffer, 8,
TRANSPORT_FLAG_BLOCKING );
if( cryptStatusError( status ) )
{
/* The involvement of a proxy complicates matters somewhat because
we can usually connect to the proxy OK but may run into problems
going from the proxy to the remote server, so if we get an error
at this stage (which will typically show up as a read error from
the proxy) we report it as an open error instead */
if( status == CRYPT_ERROR_READ || status == CRYPT_ERROR_COMPLETE )
status = CRYPT_ERROR_OPEN;
netStream->transportDisconnectFunction( stream, TRUE );
return( status );
}
/* Make sure that everything is OK:
BYTE: null = 0
BYTE: status = 90 (OK)
WORD: port
LONG: IP address */
if( socksBuffer[ 1 ] != 90 )
{
int i;
netStream->transportDisconnectFunction( stream, TRUE );
strlcpy_s( netStream->errorInfo->errorString, MAX_ERRMSG_SIZE,
"Socks proxy returned" );
for( i = 0; i < 8; i++ )
{
sprintf_s( netStream->errorInfo->errorString + 20 + ( i * 3 ),
MAX_ERRMSG_SIZE - ( 20 + ( i * 3 ) ), " %02X",
socksBuffer[ i ] );
}
strlcat_s( netStream->errorInfo->errorString, MAX_ERRMSG_SIZE, "." );
netStream->errorCode = socksBuffer[ 1 ];
return( CRYPT_ERROR_OPEN );
}
return( CRYPT_OK );
}
int writeDN( INOUT STREAM *stream,
IN_OPT const DN_PTR *dnComponentList,
IN_TAG const int tag )
{
DN_COMPONENT *dnComponentPtr;
int size, iterationCount, status;
assert( isWritePtr( stream, sizeof( STREAM ) ) );
assert( dnComponentList == NULL || \
isReadPtr( dnComponentList, sizeof( DN_COMPONENT ) ) );
REQUIRES_S( tag == DEFAULT_TAG || ( tag >= 0 && tag < MAX_TAG_VALUE ) );
/* Special case for empty DNs */
if( dnComponentList == NULL )
return( writeConstructed( stream, 0, tag ) );
status = preEncodeDN( ( DN_COMPONENT * ) dnComponentList, &size );
if( cryptStatusError( status ) )
return( status );
/* Write the DN */
writeConstructed( stream, size, tag );
for( dnComponentPtr = ( DN_COMPONENT * ) dnComponentList, \
iterationCount = 0;
dnComponentPtr != NULL && \
iterationCount < FAILSAFE_ITERATIONS_MED;
dnComponentPtr = dnComponentPtr->next, iterationCount++ )
{
const DN_COMPONENT_INFO *dnComponentInfo = dnComponentPtr->typeInfo;
BYTE dnString[ MAX_ATTRIBUTE_SIZE + 8 ];
int dnStringLength;
/* Write the RDN wrapper */
if( dnComponentPtr->encodedRDNdataSize > 0 )
{
/* If it's the start of an RDN, write the RDN header */
writeSet( stream, dnComponentPtr->encodedRDNdataSize );
}
writeSequence( stream, dnComponentPtr->encodedAVAdataSize );
status = swrite( stream, dnComponentInfo->oid,
sizeofOID( dnComponentInfo->oid ) );
if( cryptStatusError( status ) )
return( status );
/* Convert the string to an ASN.1-compatible format and write it
out */
status = copyToAsn1String( dnString, MAX_ATTRIBUTE_SIZE,
&dnStringLength, dnComponentPtr->value,
dnComponentPtr->valueLength,
dnComponentPtr->valueStringType );
if( cryptStatusError( status ) )
return( status );
if( dnComponentPtr->asn1EncodedStringType == BER_STRING_IA5 && \
!dnComponentInfo->ia5OK )
{
/* If an IA5String isn't allowed in this instance, use a
T61String instead */
dnComponentPtr->asn1EncodedStringType = BER_STRING_T61;
}
status = writeCharacterString( stream, dnString, dnStringLength,
dnComponentPtr->asn1EncodedStringType );
if( cryptStatusError( status ) )
return( status );
}
ENSURES( iterationCount < FAILSAFE_ITERATIONS_MED );
return( CRYPT_OK );
}
