OpenVPN
proxy.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "common.h"
33 #include "misc.h"
34 #include "crypto.h"
35 #include "win32.h"
36 #include "socket.h"
37 #include "fdmisc.h"
38 #include "proxy.h"
39 #include "base64.h"
40 #include "httpdigest.h"
41 #include "ntlm.h"
42 #include "memdbg.h"
43 #include "forward.h"
44 
45 #define UP_TYPE_PROXY "HTTP Proxy"
46 
47 struct http_proxy_options *
48 init_http_proxy_options_once(struct http_proxy_options **hpo,
49  struct gc_arena *gc)
50 {
51  if (!*hpo)
52  {
53  ALLOC_OBJ_CLEAR_GC(*hpo, struct http_proxy_options, gc);
54  /* http proxy defaults */
55  (*hpo)->http_version = "1.0";
56  }
57  return *hpo;
58 }
59 
60 
61 /* cached proxy username/password */
62 static struct user_pass static_proxy_user_pass;
63 
64 static bool
65 recv_line(socket_descriptor_t sd,
66  char *buf,
67  int len,
68  const int timeout_sec,
69  const bool verbose,
70  struct buffer *lookahead,
71  volatile int *signal_received)
72 {
73  struct buffer la;
74  int lastc = 0;
75 
76  CLEAR(la);
77  if (lookahead)
78  {
79  la = *lookahead;
80  }
81 
82  while (true)
83  {
84  int status;
85  ssize_t size;
86  fd_set reads;
87  struct timeval tv;
88  uint8_t c;
89 
90  if (buf_defined(&la))
91  {
92  ASSERT(buf_init(&la, 0));
93  }
94 
95  FD_ZERO(&reads);
96  openvpn_fd_set(sd, &reads);
97  tv.tv_sec = timeout_sec;
98  tv.tv_usec = 0;
99 
100  status = select(sd + 1, &reads, NULL, NULL, &tv);
101 
102  get_signal(signal_received);
103  if (*signal_received)
104  {
105  goto error;
106  }
107 
108  /* timeout? */
109  if (status == 0)
110  {
111  if (verbose)
112  {
113  msg(D_LINK_ERRORS | M_ERRNO, "recv_line: TCP port read timeout expired");
114  }
115  goto error;
116  }
117 
118  /* error */
119  if (status < 0)
120  {
121  if (verbose)
122  {
123  msg(D_LINK_ERRORS | M_ERRNO, "recv_line: TCP port read failed on select()");
124  }
125  goto error;
126  }
127 
128  /* read single char */
129  size = recv(sd, &c, 1, MSG_NOSIGNAL);
130 
131  /* error? */
132  if (size != 1)
133  {
134  if (verbose)
135  {
136  msg(D_LINK_ERRORS | M_ERRNO, "recv_line: TCP port read failed on recv()");
137  }
138  goto error;
139  }
140 
141 #if 0
142  if (isprint(c))
143  {
144  msg(M_INFO, "PROXY: read '%c' (%d)", c, (int)c);
145  }
146  else
147  {
148  msg(M_INFO, "PROXY: read (%d)", (int)c);
149  }
150 #endif
151 
152  /* store char in buffer */
153  if (len > 1)
154  {
155  *buf++ = c;
156  --len;
157  }
158 
159  /* also store char in lookahead buffer */
160  if (buf_defined(&la))
161  {
162  buf_write_u8(&la, c);
163  if (!isprint(c) && !isspace(c)) /* not ascii? */
164  {
165  if (verbose)
166  {
167  msg(D_LINK_ERRORS | M_ERRNO, "recv_line: Non-ASCII character (%d) read on recv()", (int)c);
168  }
169  *lookahead = la;
170  return false;
171  }
172  }
173 
174  /* end of line? */
175  if (lastc == '\r' && c == '\n')
176  {
177  break;
178  }
179 
180  lastc = c;
181  }
182 
183  /* append trailing null */
184  if (len > 0)
185  {
186  *buf++ = '\0';
187  }
188 
189  return true;
190 
191 error:
192  return false;
193 }
194 
195 static bool
196 send_line(socket_descriptor_t sd,
197  const char *buf)
198 {
199  const ssize_t size = send(sd, buf, strlen(buf), MSG_NOSIGNAL);
200  if (size != (ssize_t) strlen(buf))
201  {
202  msg(D_LINK_ERRORS | M_ERRNO, "send_line: TCP port write failed on send()");
203  return false;
204  }
205  return true;
206 }
207 
208 static bool
209 send_line_crlf(socket_descriptor_t sd,
210  const char *src)
211 {
212  bool ret;
213 
214  struct buffer buf = alloc_buf(strlen(src) + 3);
215  ASSERT(buf_write(&buf, src, strlen(src)));
216  ASSERT(buf_write(&buf, "\r\n", 3));
217  ret = send_line(sd, BSTR(&buf));
218  free_buf(&buf);
219  return ret;
220 }
221 
222 static bool
223 send_crlf(socket_descriptor_t sd)
224 {
225  return send_line_crlf(sd, "");
226 }
227 
228 uint8_t *
229 make_base64_string2(const uint8_t *str, int src_len, struct gc_arena *gc)
230 {
231  uint8_t *ret = NULL;
232  char *b64out = NULL;
233  ASSERT(openvpn_base64_encode((const void *)str, src_len, &b64out) >= 0);
234  ret = (uint8_t *) string_alloc(b64out, gc);
235  free(b64out);
236  return ret;
237 }
238 
239 uint8_t *
240 make_base64_string(const uint8_t *str, struct gc_arena *gc)
241 {
242  return make_base64_string2(str, strlen((const char *)str), gc);
243 }
244 
245 static const char *
246 username_password_as_base64(const struct http_proxy_info *p,
247  struct gc_arena *gc)
248 {
249  struct buffer out = alloc_buf_gc(strlen(p->up.username) + strlen(p->up.password) + 2, gc);
250  ASSERT(strlen(p->up.username) > 0);
251  buf_printf(&out, "%s:%s", p->up.username, p->up.password);
252  return (const char *)make_base64_string((const uint8_t *)BSTR(&out), gc);
253 }
254 
255 static void
256 clear_user_pass_http(void)
257 {
258  purge_user_pass(&static_proxy_user_pass, true);
259 }
260 
261 static void
262 get_user_pass_http(struct http_proxy_info *p, const bool force)
263 {
264  /*
265  * in case of forced (re)load, make sure the static storage is set as
266  * undefined, otherwise get_user_pass() won't try to load any credential
267  */
268  if (force)
269  {
270  clear_user_pass_http();
271  }
272 
273  if (!static_proxy_user_pass.defined)
274  {
275  unsigned int flags = GET_USER_PASS_MANAGEMENT;
276  if (p->queried_creds)
277  {
278  flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED;
279  }
280  if (p->options.inline_creds)
281  {
282  flags |= GET_USER_PASS_INLINE_CREDS;
283  }
284  get_user_pass(&static_proxy_user_pass,
285  p->options.auth_file,
286  UP_TYPE_PROXY,
287  flags);
288  p->queried_creds = true;
289  p->up = static_proxy_user_pass;
290  }
291 }
292 
293 #if 0
294 /* function only used in #if 0 debug statement */
295 static void
296 dump_residual(socket_descriptor_t sd,
297  int timeout,
298  volatile int *signal_received)
299 {
300  char buf[256];
301  while (true)
302  {
303  if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received))
304  {
305  return;
306  }
307  chomp(buf);
308  msg(D_PROXY, "PROXY HEADER: '%s'", buf);
309  }
310 }
311 #endif
312 
313 /*
314  * Extract the Proxy-Authenticate header from the stream.
315  * Consumes all headers.
316  */
317 static int
318 get_proxy_authenticate(socket_descriptor_t sd,
319  int timeout,
320  char **data,
321  volatile int *signal_received)
322 {
323  char buf[256];
324  int ret = HTTP_AUTH_NONE;
325  while (true)
326  {
327  if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received))
328  {
329  free(*data);
330  *data = NULL;
331  return HTTP_AUTH_NONE;
332  }
333  chomp(buf);
334  if (!strlen(buf))
335  {
336  return ret;
337  }
338  if (ret == HTTP_AUTH_NONE && !strncmp(buf, "Proxy-Authenticate: ", 20))
339  {
340  if (!strncmp(buf+20, "Basic ", 6))
341  {
342  msg(D_PROXY, "PROXY AUTH BASIC: '%s'", buf);
343  *data = string_alloc(buf+26, NULL);
344  ret = HTTP_AUTH_BASIC;
345  }
346 #if PROXY_DIGEST_AUTH
347  else if (!strncmp(buf+20, "Digest ", 7))
348  {
349  msg(D_PROXY, "PROXY AUTH DIGEST: '%s'", buf);
350  *data = string_alloc(buf+27, NULL);
351  ret = HTTP_AUTH_DIGEST;
352  }
353 #endif
354 #if NTLM
355  else if (!strncmp(buf+20, "NTLM", 4))
356  {
357  msg(D_PROXY, "PROXY AUTH NTLM: '%s'", buf);
358  *data = NULL;
359  ret = HTTP_AUTH_NTLM;
360  }
361 #endif
362  }
363  }
364 }
365 
366 static void
367 store_proxy_authenticate(struct http_proxy_info *p, char *data)
368 {
369  free(p->proxy_authenticate);
370  p->proxy_authenticate = data;
371 }
372 
373 /*
374  * Parse out key/value pairs from Proxy-Authenticate string.
375  * Return true on success, or false on parse failure.
376  */
377 static bool
378 get_key_value(const char *str, /* source string */
379  char *key, /* key stored here */
380  char *value, /* value stored here */
381  int max_key_len,
382  int max_value_len,
383  const char **endptr) /* next search position */
384 {
385  int c;
386  bool starts_with_quote = false;
387  bool escape = false;
388 
389  for (c = max_key_len-1; (*str && (*str != '=') && c--); )
390  {
391  *key++ = *str++;
392  }
393  *key = '\0';
394 
395  if ('=' != *str++)
396  {
397  /* no key/value found */
398  return false;
399  }
400 
401  if ('\"' == *str)
402  {
403  /* quoted string */
404  str++;
405  starts_with_quote = true;
406  }
407 
408  for (c = max_value_len-1; *str && c--; str++)
409  {
410  switch (*str)
411  {
412  case '\\':
413  if (!escape)
414  {
415  /* possibly the start of an escaped quote */
416  escape = true;
417  *value++ = '\\'; /* even though this is an escape character, we still
418  * store it as-is in the target buffer */
419  continue;
420  }
421  break;
422 
423  case ',':
424  if (!starts_with_quote)
425  {
426  /* this signals the end of the value if we didn't get a starting quote
427  * and then we do "sloppy" parsing */
428  c = 0; /* the end */
429  continue;
430  }
431  break;
432 
433  case '\r':
434  case '\n':
435  /* end of string */
436  c = 0;
437  continue;
438 
439  case '\"':
440  if (!escape && starts_with_quote)
441  {
442  /* end of string */
443  c = 0;
444  continue;
445  }
446  break;
447  }
448  escape = false;
449  *value++ = *str;
450  }
451  *value = '\0';
452 
453  *endptr = str;
454 
455  return true; /* success */
456 }
457 
458 static char *
459 get_pa_var(const char *key, const char *pa, struct gc_arena *gc)
460 {
461  char k[64];
462  char v[256];
463  const char *content = pa;
464 
465  while (true)
466  {
467  const int status = get_key_value(content, k, v, sizeof(k), sizeof(v), &content);
468  if (status)
469  {
470  if (!strcmp(key, k))
471  {
472  return string_alloc(v, gc);
473  }
474  }
475  else
476  {
477  return NULL;
478  }
479 
480  /* advance to start of next key */
481  if (*content == ',')
482  {
483  ++content;
484  }
485  while (*content && isspace(*content))
486  {
487  ++content;
488  }
489  }
490 }
491 
492 struct http_proxy_info *
493 http_proxy_new(const struct http_proxy_options *o)
494 {
495  struct http_proxy_info *p;
496 
497  if (!o || !o->server)
498  {
499  msg(M_FATAL, "HTTP_PROXY: server not specified");
500  }
501 
502  ASSERT( o->port);
503 
504  ALLOC_OBJ_CLEAR(p, struct http_proxy_info);
505  p->options = *o;
506 
507  /* parse authentication method */
508  p->auth_method = HTTP_AUTH_NONE;
509  if (o->auth_method_string)
510  {
511  if (!strcmp(o->auth_method_string, "none"))
512  {
513  p->auth_method = HTTP_AUTH_NONE;
514  }
515  else if (!strcmp(o->auth_method_string, "basic"))
516  {
517  p->auth_method = HTTP_AUTH_BASIC;
518  }
519 #if NTLM
520  else if (!strcmp(o->auth_method_string, "ntlm"))
521  {
522  p->auth_method = HTTP_AUTH_NTLM;
523  }
524  else if (!strcmp(o->auth_method_string, "ntlm2"))
525  {
526  p->auth_method = HTTP_AUTH_NTLM2;
527  }
528 #endif
529  else
530  {
531  msg(M_FATAL, "ERROR: unknown HTTP authentication method: '%s'",
532  o->auth_method_string);
533  }
534  }
535 
536  /* only basic and NTLM/NTLMv2 authentication supported so far */
537  if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2)
538  {
539  get_user_pass_http(p, true);
540  }
541 
542 #if !NTLM
543  if (p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2)
544  {
545  msg(M_FATAL, "Sorry, this version of " PACKAGE_NAME " was built without NTLM Proxy support.");
546  }
547 #endif
548 
549  p->defined = true;
550  return p;
551 }
552 
553 void
554 http_proxy_close(struct http_proxy_info *hp)
555 {
556  free(hp);
557 }
558 
559 static bool
560 add_proxy_headers(struct http_proxy_info *p,
561  socket_descriptor_t sd, /* already open to proxy */
562  const char *host, /* openvpn server remote */
563  const char *port /* openvpn server port */
564  )
565 {
566  char buf[512];
567  int i;
568  bool host_header_sent = false;
569 
570  /*
571  * Send custom headers if provided
572  * If content is NULL the whole header is in name
573  * Also remember if we already sent a Host: header
574  */
575  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && p->options.custom_headers[i].name; i++)
576  {
577  if (p->options.custom_headers[i].content)
578  {
579  openvpn_snprintf(buf, sizeof(buf), "%s: %s",
580  p->options.custom_headers[i].name,
581  p->options.custom_headers[i].content);
582  if (!strcasecmp(p->options.custom_headers[i].name, "Host"))
583  {
584  host_header_sent = true;
585  }
586  }
587  else
588  {
589  openvpn_snprintf(buf, sizeof(buf), "%s",
590  p->options.custom_headers[i].name);
591  if (!strncasecmp(p->options.custom_headers[i].name, "Host:", 5))
592  {
593  host_header_sent = true;
594  }
595  }
596 
597  msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
598  if (!send_line_crlf(sd, buf))
599  {
600  return false;
601  }
602  }
603 
604  if (!host_header_sent)
605  {
606  openvpn_snprintf(buf, sizeof(buf), "Host: %s", host);
607  msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
608  if (!send_line_crlf(sd, buf))
609  {
610  return false;
611  }
612  }
613 
614  /* send User-Agent string if provided */
615  if (p->options.user_agent)
616  {
617  openvpn_snprintf(buf, sizeof(buf), "User-Agent: %s",
618  p->options.user_agent);
619  msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
620  if (!send_line_crlf(sd, buf))
621  {
622  return false;
623  }
624  }
625 
626  return true;
627 }
628 
629 
630 bool
631 establish_http_proxy_passthru(struct http_proxy_info *p,
632  socket_descriptor_t sd, /* already open to proxy */
633  const char *host, /* openvpn server remote */
634  const char *port, /* openvpn server port */
635  struct event_timeout *server_poll_timeout,
636  struct buffer *lookahead,
637  volatile int *signal_received)
638 {
639  struct gc_arena gc = gc_new();
640  char buf[512];
641  char buf2[129];
642  char get[80];
643  int status;
644  int nparms;
645  bool ret = false;
646  bool processed = false;
647 
648  /* get user/pass if not previously given */
649  if (p->auth_method == HTTP_AUTH_BASIC
650  || p->auth_method == HTTP_AUTH_DIGEST
651  || p->auth_method == HTTP_AUTH_NTLM)
652  {
653  get_user_pass_http(p, false);
654  }
655 
656  /* are we being called again after getting the digest server nonce in the previous transaction? */
657  if (p->auth_method == HTTP_AUTH_DIGEST && p->proxy_authenticate)
658  {
659  nparms = 1;
660  status = 407;
661  }
662  else
663  {
664  /* format HTTP CONNECT message */
665  openvpn_snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s",
666  host,
667  port,
668  p->options.http_version);
669 
670  msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
671 
672  /* send HTTP CONNECT message to proxy */
673  if (!send_line_crlf(sd, buf))
674  {
675  goto error;
676  }
677 
678  if (!add_proxy_headers(p, sd, host, port))
679  {
680  goto error;
681  }
682 
683  /* auth specified? */
684  switch (p->auth_method)
685  {
686  case HTTP_AUTH_NONE:
687  break;
688 
689  case HTTP_AUTH_BASIC:
690  openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: Basic %s",
691  username_password_as_base64(p, &gc));
692  msg(D_PROXY, "Attempting Basic Proxy-Authorization");
693  dmsg(D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf);
694  if (!send_line_crlf(sd, buf))
695  {
696  goto error;
697  }
698  break;
699 
700 #if NTLM
701  case HTTP_AUTH_NTLM:
702  case HTTP_AUTH_NTLM2:
703  /* keep-alive connection */
704  openvpn_snprintf(buf, sizeof(buf), "Proxy-Connection: Keep-Alive");
705  if (!send_line_crlf(sd, buf))
706  {
707  goto error;
708  }
709 
710  openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s",
711  ntlm_phase_1(p, &gc));
712  msg(D_PROXY, "Attempting NTLM Proxy-Authorization phase 1");
713  dmsg(D_SHOW_KEYS, "Send to HTTP proxy: '%s'", buf);
714  if (!send_line_crlf(sd, buf))
715  {
716  goto error;
717  }
718  break;
719 #endif
720 
721  default:
722  ASSERT(0);
723  }
724 
725  /* send empty CR, LF */
726  if (!send_crlf(sd))
727  {
728  goto error;
729  }
730 
731  /* receive reply from proxy */
732  if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
733  {
734  goto error;
735  }
736 
737  /* remove trailing CR, LF */
738  chomp(buf);
739 
740  msg(D_PROXY, "HTTP proxy returned: '%s'", buf);
741 
742  /* parse return string */
743  nparms = sscanf(buf, "%*s %d", &status);
744 
745  }
746 
747  /* check for a "407 Proxy Authentication Required" response */
748  while (nparms >= 1 && status == 407)
749  {
750  msg(D_PROXY, "Proxy requires authentication");
751 
752  if (p->auth_method == HTTP_AUTH_BASIC && !processed)
753  {
754  processed = true;
755  }
756  else if ((p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2) && !processed) /* check for NTLM */
757  {
758 #if NTLM
759  /* look for the phase 2 response */
760 
761  while (true)
762  {
763  if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
764  {
765  goto error;
766  }
767  chomp(buf);
768  msg(D_PROXY, "HTTP proxy returned: '%s'", buf);
769 
770  openvpn_snprintf(get, sizeof get, "%%*s NTLM %%%ds", (int) sizeof(buf2) - 1);
771  nparms = sscanf(buf, get, buf2);
772  buf2[128] = 0; /* we only need the beginning - ensure it's null terminated. */
773 
774  /* check for "Proxy-Authenticate: NTLM TlRM..." */
775  if (nparms == 1)
776  {
777  /* parse buf2 */
778  msg(D_PROXY, "auth string: '%s'", buf2);
779  break;
780  }
781  }
782  /* if we are here then auth string was got */
783  msg(D_PROXY, "Received NTLM Proxy-Authorization phase 2 response");
784 
785  /* receive and discard everything else */
786  while (recv_line(sd, NULL, 0, 2, true, NULL, signal_received))
787  {
788  }
789 
790  /* now send the phase 3 reply */
791 
792  /* format HTTP CONNECT message */
793  openvpn_snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/%s",
794  host,
795  port,
796  p->options.http_version);
797 
798  msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
799 
800  /* send HTTP CONNECT message to proxy */
801  if (!send_line_crlf(sd, buf))
802  {
803  goto error;
804  }
805 
806  /* keep-alive connection */
807  openvpn_snprintf(buf, sizeof(buf), "Proxy-Connection: Keep-Alive");
808  if (!send_line_crlf(sd, buf))
809  {
810  goto error;
811  }
812 
813  /* send HOST etc, */
814  if (!add_proxy_headers(p, sd, host, port))
815  {
816  goto error;
817  }
818 
819  msg(D_PROXY, "Attempting NTLM Proxy-Authorization phase 3");
820  {
821  const char *np3 = ntlm_phase_3(p, buf2, &gc);
822  if (!np3)
823  {
824  msg(D_PROXY, "NTLM Proxy-Authorization phase 3 failed: received corrupted data from proxy server");
825  goto error;
826  }
827  openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: NTLM %s", np3);
828  }
829 
830  msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
831  if (!send_line_crlf(sd, buf))
832  {
833  goto error;
834  }
835  /* ok so far... */
836  /* send empty CR, LF */
837  if (!send_crlf(sd))
838  {
839  goto error;
840  }
841 
842  /* receive reply from proxy */
843  if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
844  {
845  goto error;
846  }
847 
848  /* remove trailing CR, LF */
849  chomp(buf);
850 
851  msg(D_PROXY, "HTTP proxy returned: '%s'", buf);
852 
853  /* parse return string */
854  nparms = sscanf(buf, "%*s %d", &status);
855  processed = true;
856 #endif /* if NTLM */
857  }
858 #if PROXY_DIGEST_AUTH
859  else if (p->auth_method == HTTP_AUTH_DIGEST && !processed)
860  {
861  char *pa = p->proxy_authenticate;
862  const int method = p->auth_method;
863  ASSERT(pa);
864 
865  if (method == HTTP_AUTH_DIGEST)
866  {
867  const char *http_method = "CONNECT";
868  const char *nonce_count = "00000001";
869  const char *qop = "auth";
870  const char *username = p->up.username;
871  const char *password = p->up.password;
872  char *opaque_kv = "";
873  char uri[128];
874  uint8_t cnonce_raw[8];
875  uint8_t *cnonce;
876  HASHHEX session_key;
877  HASHHEX response;
878 
879  const char *realm = get_pa_var("realm", pa, &gc);
880  const char *nonce = get_pa_var("nonce", pa, &gc);
881  const char *algor = get_pa_var("algorithm", pa, &gc);
882  const char *opaque = get_pa_var("opaque", pa, &gc);
883 
884  if (!realm || !nonce)
885  {
886  msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response "
887  "from server: realm= or nonce= missing" );
888  goto error;
889  }
890 
891  /* generate a client nonce */
892  ASSERT(rand_bytes(cnonce_raw, sizeof(cnonce_raw)));
893  cnonce = make_base64_string2(cnonce_raw, sizeof(cnonce_raw), &gc);
894 
895 
896  /* build the digest response */
897  openvpn_snprintf(uri, sizeof(uri), "%s:%s",
898  host,
899  port);
900 
901  if (opaque)
902  {
903  const int len = strlen(opaque)+16;
904  opaque_kv = gc_malloc(len, false, &gc);
905  openvpn_snprintf(opaque_kv, len, ", opaque=\"%s\"", opaque);
906  }
907 
908  DigestCalcHA1(algor,
909  username,
910  realm,
911  password,
912  nonce,
913  (char *)cnonce,
914  session_key);
915  DigestCalcResponse(session_key,
916  nonce,
917  nonce_count,
918  (char *)cnonce,
919  qop,
920  http_method,
921  uri,
922  NULL,
923  response);
924 
925  /* format HTTP CONNECT message */
926  openvpn_snprintf(buf, sizeof(buf), "%s %s HTTP/%s",
927  http_method,
928  uri,
929  p->options.http_version);
930 
931  msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
932 
933  /* send HTTP CONNECT message to proxy */
934  if (!send_line_crlf(sd, buf))
935  {
936  goto error;
937  }
938 
939  /* send HOST etc, */
940  if (!add_proxy_headers(p, sd, host, port))
941  {
942  goto error;
943  }
944 
945  /* send digest response */
946  openvpn_snprintf(buf, sizeof(buf), "Proxy-Authorization: Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", qop=%s, nc=%s, cnonce=\"%s\", response=\"%s\"%s",
947  username,
948  realm,
949  nonce,
950  uri,
951  qop,
952  nonce_count,
953  cnonce,
954  response,
955  opaque_kv
956  );
957  msg(D_PROXY, "Send to HTTP proxy: '%s'", buf);
958  if (!send_line_crlf(sd, buf))
959  {
960  goto error;
961  }
962  if (!send_crlf(sd))
963  {
964  goto error;
965  }
966 
967  /* receive reply from proxy */
968  if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
969  {
970  goto error;
971  }
972 
973  /* remove trailing CR, LF */
974  chomp(buf);
975 
976  msg(D_PROXY, "HTTP proxy returned: '%s'", buf);
977 
978  /* parse return string */
979  nparms = sscanf(buf, "%*s %d", &status);
980  processed = true;
981  }
982  else
983  {
984  msg(D_PROXY, "HTTP proxy: digest method not supported");
985  goto error;
986  }
987  }
988 #endif /* if PROXY_DIGEST_AUTH */
989  else if (p->options.auth_retry)
990  {
991  /* figure out what kind of authentication the proxy needs */
992  char *pa = NULL;
993  const int method = get_proxy_authenticate(sd,
994  get_server_poll_remaining_time(server_poll_timeout),
995  &pa,
996  signal_received);
997  if (method != HTTP_AUTH_NONE)
998  {
999  if (pa)
1000  {
1001  msg(D_PROXY, "HTTP proxy authenticate '%s'", pa);
1002  }
1003  if (p->options.auth_retry == PAR_NCT && method == HTTP_AUTH_BASIC)
1004  {
1005  msg(D_PROXY, "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled");
1006  free(pa);
1007  goto error;
1008  }
1009  p->auth_method = method;
1010  store_proxy_authenticate(p, pa);
1011  ret = true;
1012  goto done;
1013  }
1014  else
1015  {
1016  msg(D_PROXY, "HTTP proxy: do not recognize the authentication method required by proxy");
1017  free(pa);
1018  goto error;
1019  }
1020  }
1021  else
1022  {
1023  if (!processed)
1024  {
1025  msg(D_PROXY, "HTTP proxy: no support for proxy authentication method");
1026  }
1027  goto error;
1028  }
1029 
1030  /* clear state */
1031  if (p->options.auth_retry)
1032  {
1033  clear_user_pass_http();
1034  }
1035  store_proxy_authenticate(p, NULL);
1036  }
1037 
1038  /* check return code, success = 200 */
1039  if (nparms < 1 || status != 200)
1040  {
1041  msg(D_LINK_ERRORS, "HTTP proxy returned bad status");
1042 #if 0
1043  /* DEBUGGING -- show a multi-line HTTP error response */
1044  dump_residual(sd, get_server_poll_remaining_time(server_poll_timeout), signal_received);
1045 #endif
1046  goto error;
1047  }
1048 
1049  /* SUCCESS */
1050 
1051  /* receive line from proxy and discard */
1052  if (!recv_line(sd, NULL, 0, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
1053  {
1054  goto error;
1055  }
1056 
1057  /*
1058  * Toss out any extraneous chars, but don't throw away the
1059  * start of the OpenVPN data stream (put it in lookahead).
1060  */
1061  while (recv_line(sd, NULL, 0, 2, false, lookahead, signal_received))
1062  {
1063  }
1064 
1065  /* reset queried_creds so that we don't think that the next creds request is due to an auth error */
1066  p->queried_creds = false;
1067 
1068 #if 0
1069  if (lookahead && BLEN(lookahead))
1070  {
1071  msg(M_INFO, "HTTP PROXY: lookahead: %s", format_hex(BPTR(lookahead), BLEN(lookahead), 0));
1072  }
1073 #endif
1074 
1075 done:
1076  gc_free(&gc);
1077  return ret;
1078 
1079 error:
1080  if (!*signal_received)
1081  {
1082  *signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- HTTP proxy error */
1083  }
1084  gc_free(&gc);
1085  return ret;
1086 }
buf_write_u8
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
MSG_NOSIGNAL
#define MSG_NOSIGNAL
Definition: socket.h:252
http_proxy_options::http_version
const char * http_version
Definition: proxy.h:55
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
http_proxy_info::defined
bool defined
Definition: proxy.h:68
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
M_INFO
#define M_INFO
Definition: errlevel.h:55
get_key_value
static bool get_key_value(const char *str, char *key, char *value, int max_key_len, int max_value_len, const char **endptr)
Definition: proxy.c:378
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
ntlm_phase_3
const char * ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc)
Definition: ntlm.c:192
UP_TYPE_PROXY
#define UP_TYPE_PROXY
Definition: proxy.c:45
GET_USER_PASS_INLINE_CREDS
#define GET_USER_PASS_INLINE_CREDS
Definition: misc.h:120
get_pa_var
static char * get_pa_var(const char *key, const char *pa, struct gc_arena *gc)
Definition: proxy.c:459
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
HTTP_AUTH_BASIC
#define HTTP_AUTH_BASIC
Definition: proxy.h:32
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:115
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
http_proxy_options::custom_headers
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition: proxy.h:57
http_custom_header::content
const char * content
Definition: proxy.h:40
http_proxy_info::auth_method
int auth_method
Definition: proxy.h:69
HTTP_AUTH_NONE
#define HTTP_AUTH_NONE
Definition: proxy.h:31
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
user_pass::defined
bool defined
Definition: misc.h:58
dmsg
#define dmsg(flags,...)
Definition: error.h:157
http_proxy_options::port
const char * port
Definition: proxy.h:46
get_signal
static void get_signal(volatile int *sig)
Definition: sig.h:89
ntlm_phase_1
const char * ntlm_phase_1(const struct http_proxy_info *p, struct gc_arena *gc)
Definition: ntlm.c:175
ASSERT
#define ASSERT(x)
Definition: error.h:204
strcasecmp
#define strcasecmp
Definition: config-msvc.h:93
clear_user_pass_http
static void clear_user_pass_http(void)
Definition: proxy.c:256
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:70
http_proxy_options::auth_method_string
const char * auth_method_string
Definition: proxy.h:53
static_proxy_user_pass
static struct user_pass static_proxy_user_pass
Definition: proxy.c:62
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
flags
list flags
Definition: .ycm_extra_conf.py:4
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
GET_USER_PASS_PREVIOUS_CREDS_FAILED
#define GET_USER_PASS_PREVIOUS_CREDS_FAILED
Definition: misc.h:114
CLEAR
#define CLEAR(x)
Definition: basic.h:33
BPTR
#define BPTR(buf)
Definition: buffer.h:124
openvpn_snprintf
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:296
HTTP_AUTH_NTLM
#define HTTP_AUTH_NTLM
Definition: proxy.h:34
make_base64_string
uint8_t * make_base64_string(const uint8_t *str, struct gc_arena *gc)
Definition: proxy.c:240
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition: crypto_openssl.c:484
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
http_proxy_options::inline_creds
bool inline_creds
Definition: proxy.h:58
chomp
void chomp(char *str)
Definition: buffer.c:650
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:730
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
username_password_as_base64
static const char * username_password_as_base64(const struct http_proxy_info *p, struct gc_arena *gc)
Definition: proxy.c:246
get_server_poll_remaining_time
int get_server_poll_remaining_time(struct event_timeout *server_poll_timeout)
Definition: forward.c:418
get_user_pass_http
static void get_user_pass_http(struct http_proxy_info *p, const bool force)
Definition: proxy.c:262
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:405
make_base64_string2
uint8_t * make_base64_string2(const uint8_t *str, int src_len, struct gc_arena *gc)
Definition: proxy.c:229
openvpn_fd_set
static void openvpn_fd_set(socket_descriptor_t fd, fd_set *setp)
Definition: fdmisc.h:40
DigestCalcHA1
void DigestCalcHA1(IN char *pszAlg, IN char *pszUserName, IN char *pszRealm, IN char *pszPassword, IN char *pszNonce, IN char *pszCNonce, OUT HASHHEX SessionKey)
Definition: httpdigest.c:72
M_ERRNO
#define M_ERRNO
Definition: error.h:103
forward.h
Interface functions to the internal and external multiplexers.
openvpn_base64_encode
int openvpn_base64_encode(const void *data, int size, char **str)
Definition: base64.c:54
event_timeout
Definition: interval.h:136
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
http_proxy_options::server
const char * server
Definition: proxy.h:45
http_proxy_info::queried_creds
bool queried_creds
Definition: proxy.h:73
store_proxy_authenticate
static void store_proxy_authenticate(struct http_proxy_info *p, char *data)
Definition: proxy.c:367
BLEN
#define BLEN(buf)
Definition: buffer.h:127
MAX_CUSTOM_HTTP_HEADER
#define MAX_CUSTOM_HTTP_HEADER
Definition: proxy.h:43
http_proxy_options::user_agent
const char * user_agent
Definition: proxy.h:56
msg
#define msg(flags,...)
Definition: error.h:153
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Definition: misc.h:129
buf_defined
static bool buf_defined(const struct buffer *buf)
Definition: buffer.h:215
http_proxy_info::proxy_authenticate
char * proxy_authenticate
Definition: proxy.h:72
purge_user_pass
void purge_user_pass(struct user_pass *up, const bool force)
Definition: misc.c:469
strncasecmp
#define strncasecmp
Definition: config-msvc.h:92
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
http_custom_header::name
const char * name
Definition: proxy.h:39
D_PROXY
#define D_PROXY
Definition: errlevel.h:74
socket_descriptor_t
SOCKET socket_descriptor_t
Definition: syshead.h:445
user_pass
Definition: misc.h:56
add_proxy_headers
static bool add_proxy_headers(struct http_proxy_info *p, socket_descriptor_t sd, const char *host, const char *port)
Definition: proxy.c:560
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
M_FATAL
#define M_FATAL
Definition: error.h:98
buf_init
#define buf_init(buf, offset)
Definition: buffer.h:196
HTTP_AUTH_NTLM2
#define HTTP_AUTH_NTLM2
Definition: proxy.h:35
http_proxy_info
Definition: proxy.h:67
D_SHOW_KEYS
#define D_SHOW_KEYS
Definition: errlevel.h:117
recv_line
static bool recv_line(socket_descriptor_t sd, char *buf, int len, const int timeout_sec, const bool verbose, struct buffer *lookahead, volatile int *signal_received)
Definition: proxy.c:65
get_proxy_authenticate
static int get_proxy_authenticate(socket_descriptor_t sd, int timeout, char **data, volatile int *signal_received)
Definition: proxy.c:318
send_line
static bool send_line(socket_descriptor_t sd, const char *buf)
Definition: proxy.c:196
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
establish_http_proxy_passthru
bool establish_http_proxy_passthru(struct http_proxy_info *p, socket_descriptor_t sd, const char *host, const char *port, struct event_timeout *server_poll_timeout, struct buffer *lookahead, volatile int *signal_received)
Definition: proxy.c:631
free
#define free
Definition: cmocka.c:1850
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition: buffer.h:689
http_proxy_info::up
struct user_pass up
Definition: proxy.h:71
BSTR
#define BSTR(buf)
Definition: buffer.h:129
send_line_crlf
static bool send_line_crlf(socket_descriptor_t sd, const char *src)
Definition: proxy.c:209
http_proxy_options::auth_file
const char * auth_file
Definition: proxy.h:54
user_pass::password
char password[USER_PASS_LEN]
Definition: misc.h:71
HTTP_AUTH_DIGEST
#define HTTP_AUTH_DIGEST
Definition: proxy.h:33
DigestCalcResponse
void DigestCalcResponse(IN HASHHEX HA1, IN char *pszNonce, IN char *pszNonceCount, IN char *pszCNonce, IN char *pszQop, IN char *pszMethod, IN char *pszDigestUri, IN HASHHEX HEntity, OUT HASHHEX Response)
Definition: httpdigest.c:110
status
static SERVICE_STATUS status
Definition: interactive.c:56
ssize_t
#define ssize_t
Definition: config-msvc.h:104
http_proxy_options
Definition: proxy.h:44
http_proxy_info::options
struct http_proxy_options options
Definition: proxy.h:70
send_crlf
static bool send_crlf(socket_descriptor_t sd)
Definition: proxy.c:223
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition: errlevel.h:57
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:108
Generated by   doxygen 1.8.13