proxytunnel-svn/0000755000175000017500000000000012267562030012366 5ustar jdgjdgproxytunnel-svn/cmdline.h0000644000175000017500000000750512267561753014174 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */
/* Contact: josv@osp.nl / maniac@maniac.nl */
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* cmdline.h */
/* File autogenerated by gengetopt version 2.4 - Modified by Maniac */

#ifndef _cmdline_h
#define _cmdline_h

/* Capacity in bytes of gengetopt_args_info.header_arg (the -H/--header
 * text). It is the only fixed-size buffer in the struct; how cmdline.c
 * bounds what it copies into it is not visible from this header. */
#define MAX_HEADER_SIZE 1024

/*
 * Parsed command-line state. One instance (args_info) is shared by the
 * whole program; proxytunnel.c reads it directly (tunnel_connect(),
 * do_daemon(), closeall()).
 *
 * Naming convention from gengetopt: every *_arg / *_flag field holds the
 * option's value, and the matching *_given field records whether the
 * option appeared on the command line at all.
 */
struct gengetopt_args_info {
	char *user_arg;         /* Username to send to HTTPS proxy for auth. */
	char *pass_arg;         /* Password to send to HTTPS proxy for auth. */
	char *remuser_arg;      /* Username to send to remote HTTPS proxy for auth. */
	char *rempass_arg;      /* Password to send to remote HTTPS proxy for auth. */
	char *domain_arg;       /* NTLM Domain override */
	char *proxy_arg;        /* Local proxy exactly as given (-p host:port); proxytunnel.c prints it verbatim in status messages. */
	char *proxyauth_arg;    /* Local proxy auth. */
	char *proxyhost_arg;    /* Host part of the local proxy; resolved with gethostbyname() in tunnel_connect(). */
	int proxyport_arg;      /* Port part of the local proxy; passed to htons() in tunnel_connect(). */
	char *dest_arg;         /* Destination host to build the tunnel to. */
	char header_arg[MAX_HEADER_SIZE]; /* Extra headers to send to proxy (fixed buffer, see MAX_HEADER_SIZE) */
	char *remproxy_arg;     /* Remote proxy to tunnel to. */
	char *remproxyauth_arg; /* Remote proxy auth. */
	int verbose_flag;       /* Turn on verbosity (default=off). */
	int ntlm_flag;          /* Turn on ntlm (default=off). */
	int inetd_flag;         /* Turn on inetd (default=off). */
	int quiet_flag;         /* Turn on quiet mode (default=off). */
	int standalone_arg;     /* Port to listen on in standalone (-a) mode; do_daemon() binds it on INADDR_ANY. */
	int encrypt_flag;       /* Turn on SSL encryption (default=off). */
	int encryptproxy_flag;  /* Turn on client to proxy SSL encryption (def=off).*/
	int encryptremproxy_flag; /* Turn on local to remote proxy SSL encryption (def=off).*/
	char *proctitle_arg;    /* Override process title (default=off). */

	int help_given;         /* Whether help was given. */
	int version_given;      /* Whether version was given. */
	int user_given;         /* Whether user was given. */
	int pass_given;         /* Whether pass was given. */
	int remuser_given;      /* Whether remote user was given. */
	int rempass_given;      /* Whether remote pass was given. */
	int domain_given;       /* Whether domain was given. */
	int proxy_given;        /* Whether proxy (-p) was given. */
	int proxyauth_given;    /* Whether proxyauth (-P) was given. */
	int proxyhost_given;    /* Whether proxyhost was given. */
	int proxyport_given;    /* Whether proxyport was given. */
	int dest_given;         /* Whether dest was given. */
	int remproxy_given;     /* Whether remproxy (-r) was given. */
	int remproxyauth_given; /* Whether remproxyauth (-R) was given. */
	int verbose_given;      /* Whether verbose was given. */
	int ntlm_given;         /* Whether ntlm was given. */
	int inetd_given;        /* Whether inetd was given. */
	int quiet_given;        /* Whether quiet mode was given. */
	int header_given;       /* Whether extra headers are given */
	int encrypt_given;      /* Whether encrypt (-e) was given */
	int encryptproxy_given; /* Whether encrypt-proxy (-E) was given */
	int encryptremproxy_given; /* Whether encrypt-remproxy (-X) was given */
	int proctitle_given;    /* Whether to override process title */
};

/*
 * Fill *args_info from argc/argv. The return-value convention is defined
 * in cmdline.c, which is not part of this header -- check it there before
 * relying on a particular value.
 */
int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *args_info );

/* Print the usage text / the version banner to the program's output. */
void cmdline_parser_print_help( void );
void cmdline_parser_print_version( void );

#endif /* _cmdline_h */

// vim:noexpandtab:ts=4 proxytunnel-svn/INSTALL0000644000175000017500000000177212267561753013431 0ustar jdgjdgShort guide to installing proxytunnel On most modern unix systems, use the normal Makefile, possibly uncommenting the section related to your system (darwin/cygwin/solaris/openbsd) If you want to enable setproctitle functionality, add a CFLAGS define -DSETPROCTITLE (uncomment sample in Makefile) Run make and optionally 'make install'. If you manually want to install, copy proxytunnel to /usr/local/bin and optionally the manual-page from the debian-subdirectory to your manpath --------------------------------------------------------------------------------- Cygwin: Currently cygwin's openssl isn't in a compilable state, change md4.h and md5.h in /usr/include and replace 'size_t' with 'unsigned long' To link the final executable: gcc -o proxytunnel *.o /lib/libcrypto.dll.a /lib/libssl.dll.a To run, copy the required dll's from the cygwin-bin dir to the windows system dir, or the proxytunnel directory (cygcrypto-0.9.8.dll, cygssl-0.9.8.dll, cygwin1.dll ) Setproctitle doesn't work on cygwin (afaik) proxytunnel-svn/docs/0000755000175000017500000000000012267562030013316 5ustar jdgjdgproxytunnel-svn/docs/proxytunnel-paper.txt0000644000175000017500000001004312267561753017604 0ustar jdgjdg= Proxytunnel: punching holes through the corporate firewall Proxytunnel developers $Id: proxytunnel-paper.txt 233 2008-08-09 17:49:16Z dag- $ == Introduction ProxyTunnel is a program that connects stdin
and stdout to a server somewhere on the network, through a standard HTTPS proxy. We mostly use it to tunnel SSH sessions through HTTP(S) proxies, allowing us to do many things that wouldn't be possible without ProxyTunnel. Proxytunnel can currently do the following: * Create tunnels using HTTP and HTTPS proxies (That understand the HTTP CONNECT command). * Work as a back-end driver for an OpenSSH client, and create SSH connections through HTTP(S) proxies. * Work as a stand-alone application, listening on a port for connections, and then tunneling these connections to a specified destination. If you want to make effective use of ProxyTunnel, the proxy server you are going to be tunneling through must adhere to some requirements. * Must support HTTP CONNECT command * Must allow you to connect to destination machine and host, with or without HTTP proxy authentication Most proxies however only allow connections to a number of pre-defined ports. These ports usually include 80(http) and 443(https). Some other proxies also allow traffic on other ports or ranges. Try to find out what ports your proxy allows you to connect through. Your best guess is to test for the named 80 and 443, and then check for some other common ports like 8000, 8080, 8081, 8082 and the nntp ports 119(nntp) and 563(snntp). If you have figured out what ports your proxy allows you to connect through, the fun can start. If it allows you to connect to a port you want access to, like the pop3 or imap ports, you are in luck, since you can now set up a direct tunnel to these servers and read mail for example. Usually however you will be stuck with access to only port 80 and 443 (like we were, when we wrote ProxyTunnel). To be able to get access to more than just these ports you need access to a server on the internet where you are able to log-in via SSH on one of these ports.
In our case we set up the SSH daemons on our home and office systems to listen to port 443(https), since these weren't used (and 80 was), and the port was allowed by the firewall/proxy. After having set up an SSH daemon on an accessible port, we configured our local SSH clients to use ProxyTunnel as a back-end to make the connection. Doing this involves creating a ~/.ssh/config file, specifying a host-alias there, and telling SSH to use a proxy-command, using the ProxyCommand statement and our ProxyTunnel tool to do it. We now have access to SSH on our 'unrestricted' system on the internet. As you may know, SSH allows you to do port-forwarding and other nice tricks. Using this knowledge it is possible to forward any port anywhere. I myself usually set up some port-forwardings for my mail (2 imap tunnels) and usenet. But I'm sure you can think of many things you'd like to connect to. Now you can. == History == Requirements What is required to use proxytunnel ? What Operating Systems are supported ? == How does it work ?
=== Normal HTTP connection === SSL HTTP connection === Proxytunnel == Use cases === Connect without authentication === Connect with basic authentication === Connect with NTLM authentication === Connect using SSL client to proxy === Connect using SSL between proxy and destination === Connect with local and remote proxy === Connect using SSL between proxy and remote proxy == Configuration === Configuring SSH === Using Socks === Configuring Apache === Configuring Tinyproxy === Configuring Squid == Troubleshooting === Using verbose === Using Telnet to mimic behaviour == Alternative tools === cockscrew === connecttunnel === desproxy === htun === ntlmaps === prtunnel === SOHT == Links - http://proxytunnel.sourceforge.net/[Proxytunnel homepage] - https://proxytunnel.svn.sourceforge.net/svnroot/proxytunnel/[Proxytunnel subversion] - https://lists.sourceforge.net/lists/listinfo/proxytunnel-users[Proxytunnel mailinglist] // vim: set syntax=asciidoc: proxytunnel-svn/docs/Makefile0000644000175000017500000000074612267561753015000 0ustar jdgjdgprefix = /usr/local datadir = $(prefix)/share mandir = $(datadir)/man txttargets = $(shell echo *.txt) htmltargets = $(patsubst %.txt, %.html, $(txttargets)) docs: proxytunnel.1 $(htmltargets) install: proxytunnel.1 install -Dp -m0644 proxytunnel.1 $(DESTDIR)$(mandir)/man1/proxytunnel.1 clean: rm -f proxytunnel.1 *.html *.xml %.1.html: %.1.txt asciidoc -d manpage $< %.1: %.1.xml xmlto man $< %.html: %.txt asciidoc $< %.1.xml: %.1.txt asciidoc -b docbook -d manpage $< proxytunnel-svn/docs/proxytunnel.1.txt0000644000175000017500000001503012267561753016637 0ustar jdgjdg= proxytunnel(1) Proxytunnel developers v1.9.0, Augustus 2008 == NAME proxytunnel - program to tunnel a connection through a standard HTTPS proxy == SYNOPSIS *proxytunnel* _[OPTION]_... == DESCRIPTION *proxytunnel* is a program to tunnel any connection through a standard HTTPS proxy, circumventing standard HTTP filtering mechanisms. 
It's mostly used as a backend for OpenSSH's ProxyCommand, and as a proxy backend for Putty. It can also be used for other proxy-traversing purposes like proxy bouncing. == OPTIONS *-i*, *--inetd*:: Run from inetd (default: off) *-a*, *--standalone*=_port_:: Run as standalone daemon on specified _port_ *-p*, *--proxy*=_host_:_port_:: Use _host_ and _port_ as the local proxy to connect to, if not specified the *HTTP_PROXY* environment variable, if set, will be used instead *-r*, *--remproxy*=_host_:_port_:: Use _host_ and _port_ as the remote (secondary) proxy to connect to *-d*, *--dest*=_host_:_port_:: Use _host_ and _port_ as the destination for the tunnel, you can also specify them as the argument to the proxytunnel command *-e*, *--encrypt*:: SSL encrypt data between local proxy and destination *-E*, *--encrypt-proxy*:: SSL encrypt data between client and local proxy *-X*, *--encrypt-remproxy*:: SSL encrypt data between local and remote (secondary) proxy == ADDITIONAL OPTIONS *-F*, *--passfile*=_filename_:: Use _filename_ for reading username and password for HTTPS proxy authentication, the file uses the same format as .wgetrc and can be shared with wget. Use this option, or environment variables to hide the password from other users *-P*, *--proxyauth*=_username_:_password_:: Use _username_ and _password_ as credentials to authenticate against a local HTTPS proxy, the username and password can also be specified in the *PROXYUSER* and *PROXYPASS* environment variables to hide them from other users. If the _password_ is omitted and no *PROXYPASS* environment variable is set, proxytunnel will prompt for a password *-R*, *--remproxyauth*=_username_:_password_:: Use _username_ and _password_ as credentials to authenticate against a remote (secondary) HTTPS proxy, the username and password can also be specified in the *REMPROXYUSER* and *REMPROXYPASS* environment variables to hide them from other users.
If the _password_ is omitted and no *REMPROXYPASS* environment variable is set, proxytunnel will prompt for a password *-N*, *--ntlm*:: Use NTLM based authentication *-t*, *--domain*=_STRING_:: Specify NTLM domain (default: autodetect) *-H*, *--header*=_STRING_:: Add additional HTTP headers to send to proxy *-x*, *--proctitle*=_STRING_:: Use a different process title == MISCELLANEOUS OPTIONS *-v*, *--verbose*:: Turn on verbosity *-q*, *--quiet*:: Suppress messages *-h*, *--help*:: Print help and exit *-V*, *--version*:: Print version and exit == ARGUMENTS _host_:_port_ is the destination hostname and port number combination NOTE: Specifying the destination as arguments is exactly the same as specifying them using the *-d* or *--dest* option. == USAGE Depending on your situation you might want to do any of the following things: * *Connect through a local proxy to your home system on port 22* $ proxytunnel -v -p proxy.company.com:8080 -d system.home.nl:22 * *Connect through a local proxy (with authentication) to your home system* $ proxytunnel -v -p proxy.company.com:8080 -P username:password -d system.home.nl:22 * *Connect through a local proxy (with authentication) hiding your password* $ export PROXYPASS=password $ proxytunnel -v -p proxy.company.com:8080 -P username -d system.home.nl:22 * *Connect through a local proxy to a remote proxy and bounce to any system* $ proxytunnel -v -p proxy.company.com:8080 -r proxy.athome.nl:443 -d system.friend.nl:22 * *Connect using SSL through a local proxy to your home system* $ proxytunnel -v -E -p proxy.company.com:8080 -d system.home.nl:22 == OPENSSH CONFIGURATION To use this program with OpenSSH to connect to a host somewhere, create a _~/.ssh/config_ file with the following content: ---- Host system.athome.nl ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p ServerAliveInterval 30 ---- NOTE: The +ServerAliveInterval+ directive makes sure that idle connections are not being dropped by intermediate firewalls that
remove active sessions aggressively. If you see your connection dropping out, try to lower the value even more. To use the dynamic (SOCKS) portforwarding capability of the SSH client, you can specify the +DynamicForward+ directive in your ssh_config file like: ---- Host system.athome.nl DynamicForward 1080 ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p ServerAliveInterval 30 ---- == NOTES IMPORTANT: Most HTTPS proxies do not allow access to ports other than HTTPS (tcp/443) and SNEWS (tcp/563). In this case you need to make sure the SSH daemon or remote proxy on the destination system is listening on either tcp/443 or tcp/563 to get through. == ENVIRONMENT Proxytunnel can be influenced by setting one of the following environment variables: *HTTP_PROXY*:: If this environment variable is set, proxytunnel will use it as the _local proxy_ if *-p* or *--proxy* is not provided *PROXYUSER*:: If this environment variable is set, proxytunnel will use it as the _username_ for proxy authentication, unless specified using the *-P* or *--proxyauth* option *PROXYPASS*:: If this environment variable is set, proxytunnel will use it as the _password_ for proxy authentication, unless specified using the *-P* or *--proxyauth* option *REMPROXYUSER*:: If this environment variable is set, proxytunnel will use it as the _username_ for remote (secondary) proxy authentication, unless specified using the *-R* or *--remproxyauth* option *REMPROXYPASS*:: If this environment variable is set, proxytunnel will use it as the _password_ for remote (secondary) proxy authentication, unless specified using the *-R* or *--remproxyauth* option == SEE ALSO ssh(1), ssh_config(8) == BUGS This software is bug-free, at least we'd like to think so.
If you do not agree with us, please attach the proof to your friendly email :) == AUTHOR This manpage was initially written by Loïc Le Guyader for the Debian GNU/Linux system, revamped in asciidoc by Dag Wieërs and is now maintained by the Proxytunnel developers. Homepage at http://proxytunnel.sourceforge.net/ proxytunnel-svn/basicauth.h0000644000175000017500000000166312267561753014523 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* basicauth.h */ /* Functions */ char *basicauth(char *user, char *pass); // vim:noexpandtab:ts=4 proxytunnel-svn/README0000644000175000017500000001254012267561753013263 0ustar jdgjdg----------- proxytunnel ----------- Author: Jos Visser , Mark Janssen Date: Mon Mar 3 22:49:43 CET 2008 Version: 1.9.0 Hi all, This is proxytunnel, a program that connects stdin and stdout to an origin server somewhere in the Internet through an industry standard HTTPS proxy. I originally wrote this program to be used as an extension to SSH, to be able to SSH to my box at home. In this file, I will describe the use with SSH. If you want to use it with some other application, feel free, and let me know! 
Usage: Proxytunnel is very easy to use; when running proxytunnel with the help option it lists its command-line options. $ ./proxytunnel --help proxytunnel 1.9.0 (rev 224) Copyright 2001-2008 Proxytunnel Project Usage: proxytunnel [OPTIONS]... Build generic tunnels trough HTTPS proxy's, supports HTTP authorization Standard options: -i, --inetd Run from inetd (default=off) -a, --standalone=INT Run as standalone daemon on specified port -p, --proxy=STRING Local proxy host:port combination -r, --remproxy=STRING Remote proxy host:port combination (using 2 proxies) -d, --dest=STRING Destination host:port combination -e, --encrypt SSL encrypt data between local proxy and destination -E, --encrypt-proxy SSL encrypt data between client and local proxy -X, --encrypt-remproxy Encrypt between 1st and 2nd proxy using SSL Additional options for specific features: -F, --passfile=STRING File with credentials for proxy authentication -P, --proxyauth=STRING Proxy auth credentials user:pass combination -R, --remproxyauth=STRING Remote proxy auth credentials user:pass combination -N, --ntlm Use NTLM based authentication -t, --domain=STRING NTLM domain (default: autodetect) -H, --header=STRING Add additional HTTP headers to send to proxy -x, --proctitle=STRING Use a different process title Miscellaneous options: -v, --verbose Turn on verbosity -q, --quiet Suppress messages -h, --help Print help and exit -V, --version Print version and exit To use this program with OpenSSH to connect to a host somewhere, create a $HOME/.ssh/config file with the following content: Host foobar ProtocolKeepAlives 30 ProxyCommand /path/to/proxytunnel -p proxy:8080 -P username -d mybox.athome.nl:443 With: - foobar The symbolic name of the host you want to connect to - proxy The host name of the proxy you want to connect through - 8080 The port number where the proxy software listens to - username Your proxy userid (password will be prompted) - mybox.athome.nl The hostname of the box you want to connect
to (ultimately) - 443 The port number of the SSH daemon on mybox.athome.nl If your proxy doesn't require the username and password for using it, you can skip these options. If you don't provide the password on the command-line (which is recommended) you will be prompted for it by proxytunnel. If you are on a trusted system you can also put the password in an environment variable, and tell proxytunnel where to find it with '-S'. If you want to run proxytunnel from inetd add the '--inetd' option. Most HTTPS proxies do not allow access to ports other than 443 (HTTPS) and 563 (SNEWS), so some hacking is necessary to start the SSH daemon on the required port. (On the server side add an extra Port statement in the sshd_config file, or use a redirect rule in your firewall.) When your proxy uses NTLM authentication (like Microsoft IIS proxy) you need to specify -N to enable NTLM, and then specify your username and password (and optionally domain, if autodetection fails). The NT domain can be specified on the commandline if the auto-detection doesn't work for you (which usually doesn't). If you want to have the first proxy connect to another http proxy (like one you can control), specify -r proxy2:port. The first proxy will then connect to this remote proxy, which will be asked to connect to the requested destination. Note that authentication doesn't (yet) work on this remote proxy. For more information regarding this feature, check out http://dag.wieers.com/howto/ssh-http-tunneling/ If your proxy is more advanced, and does protocol inspection, it will detect that your connection is not a real HTTPS/SSL connection. You can enable SSL encryption (using -e), which will work around this problem, however, you need to set up stunnel4 on the other side, or connect to a process that understands SSL itself. When all this is in place, execute an "ssh foobar" and you're in business!
Environment Variables ===================== Proxytunnel can make use of the following environment variables: PROXYUSER Username for the proxy-authentication PROXYPASS Password for the proxy-authentication REMPROXYUSER Username for remote proxy-authentication REMPROXYPASS Password for remote proxy-authentication HTTP_PROXY Primary proxy host and port information Format: HTTP_PROXY=http://:/ Authentication File =================== Proxytunnel can read authentication data from a file (-F/--passfile) The format for this file is: = = etc One entry per line, 1 space before and after the equal sign. The accepted fields are: * proxy_user * proxy_passwd * remproxy_user * remproxy_passwd Share and Enjoy! Jos Visser Mark Janssen proxytunnel-svn/base64.c0000644000175000017500000001001312267561753013624 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include "config.h" #include "cmdline.h" #include "base64.h" #include /* Needed for base64 encoding... 
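*/
static const char base64digits[] =
	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

#define BAD -1

/*
 * Reverse lookup for the 128 ASCII code points: the 6-bit value of a
 * base64 digit, or BAD for anything else.
 *
 * Declared `signed char` on purpose. Plain `char` is unsigned on some
 * targets (ARM Linux among them); there BAD would be stored as 255 and
 * the `== BAD` comparisons in unbase64() would never match, so malformed
 * input would be decoded as if it were valid instead of being rejected.
 */
static const signed char base64val[] = {
	BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD,
	BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD,
	BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD, 62, BAD,BAD,BAD, 63,
	 52, 53, 54, 55,  56, 57, 58, 59,  60, 61,BAD,BAD, BAD,BAD,BAD,BAD,
	BAD,  0,  1,  2,   3,  4,  5,  6,   7,  8,  9, 10,  11, 12, 13, 14,
	 15, 16, 17, 18,  19, 20, 21, 22,  23, 24, 25,BAD, BAD,BAD,BAD,BAD,
	BAD, 26, 27, 28,  29, 30, 31, 32,  33, 34, 35, 36,  37, 38, 39, 40,
	 41, 42, 43, 44,  45, 46, 47, 48,  49, 50, 51,BAD, BAD,BAD,BAD,BAD
};

/*
 * Value of base64 digit c, or BAD. Bytes outside the table (>= 128) are
 * BAD; the explicit range check replaces the non-standard isascii() so
 * the file no longer depends on a POSIX/XSI extension, and the cast keeps
 * the index non-negative whatever the signedness of the argument.
 */
#define DECODE64(c) \
	(((unsigned char)(c)) < sizeof base64val ? base64val[(unsigned char)(c)] : BAD)

/* Small MAX macro */
#ifndef MAX
#define MAX( x, y ) ( ( (x)>(y) ) ? (x) : (y) )
#endif

/*
 * This base64 code is heavily modified from fetchmail (also GPL'd, of
 * course) by Brendan Cully.
 *
 * Original copyright notice:
 *
 * The code in the fetchmail distribution is Copyright 1997 by Eric
 * S. Raymond. Portions are also copyrighted by Carl Harris, 1993
 * and 1995. Copyright retained for the purpose of protecting free
 * redistribution of source.
 */

/*
 * Encode len raw bytes from in as a NUL-terminated base64 string in out.
 *
 * out must have room for 4 * ((len + 2) / 3) + 1 bytes; this function
 * cannot check that, the caller sizes the buffer. A len <= 0 yields the
 * empty string. The result uses '=' padding, so it is what an HTTP
 * Proxy-Authorization header expects.
 */
void base64(unsigned char *out, const unsigned char *in, int len)
{
	/* Every full 3-byte group becomes 4 digits. */
	while (len >= 3) {
		*out++ = base64digits[in[0] >> 2];
		*out++ = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)];
		*out++ = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
		*out++ = base64digits[in[2] & 0x3f];
		len -= 3;
		in += 3;
	}

	/* A trailing 1 or 2 bytes are padded with '=' to a 4-digit group. */
	if (len > 0) {
		unsigned char fragment;

		*out++ = base64digits[in[0] >> 2];
		fragment = (in[0] << 4) & 0x30;
		if (len > 1)
			fragment |= in[1] >> 4;
		*out++ = base64digits[fragment];
		*out++ = (len < 2) ? '=' : base64digits[(in[1] << 2) & 0x3c];
		*out++ = '=';
	}
	*out = '\0';
}

/*
 * Decode the base64 string in into raw bytes in out (quasi-big-endian
 * order, as fetchmail did it).
 *
 * Returns the number of bytes written, or -1 on a digit that is not in
 * the base64 alphabet or when more than maxlen bytes would be produced.
 * maxlen limits the output buffer size; pass zero to ignore it -- then
 * the caller must guarantee out is large enough (3/4 of the input).
 * The output is NOT NUL-terminated.
 *
 * Decoding stops at a NUL, at a '\r', or after a group that ends in
 * '='. A leading "+ " (IMAP continuation prefix, inherited from
 * fetchmail) is skipped, and a string starting with '\r' decodes to 0
 * bytes.
 */
int unbase64(unsigned char *out, const unsigned char *in, int maxlen)
{
	int len = 0;
	unsigned char digit1, digit2, digit3, digit4;

	if (in[0] == '+' && in[1] == ' ')
		in += 2;
	if (*in == '\r')
		return(0);

	do {
		/* Each digit is validated before the next one is read, so a
		 * string shorter than 4 characters is rejected at its NUL
		 * rather than read past the end. */
		digit1 = in[0];
		if (DECODE64(digit1) == BAD)
			return(-1);
		digit2 = in[1];
		if (DECODE64(digit2) == BAD)
			return(-1);
		digit3 = in[2];
		if (digit3 != '=' && DECODE64(digit3) == BAD)
			return(-1);
		digit4 = in[3];
		if (digit4 != '=' && DECODE64(digit4) == BAD)
			return(-1);
		in += 4;

		/* The maxlen check precedes every write so the caller's buffer
		 * is never overrun by even one byte. */
		++len;
		if (maxlen && len > maxlen)
			return(-1);
		*out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4);
		if (digit3 != '=') {
			++len;
			if (maxlen && len > maxlen)
				return(-1);
			*out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2);
			if (digit4 != '=') {
				++len;
				if (maxlen && len > maxlen)
					return(-1);
				*out++ = ((DECODE64(digit3) << 6) & 0xc0) | DECODE64(digit4);
			}
		}
	} while (*in && *in != '\r' && digit4 != '=');

	return (len);
}

// vim:noexpandtab:ts=4 proxytunnel-svn/Makefile0000644000175000017500000000473512267561753014052 0ustar jdgjdg# Makefile for proxytunnel # # Please uncomment the appropriate settings name = proxytunnel version = $(shell awk 'BEGIN { FS="\"" } /^\#define VERSION / { print $$2 }' config.h) ifneq ($(wildcard .svn),) revision = $(shell svnversion | awk 'BEGIN { RS=":" } { next } END { print $$1 }') else revision = $(shell echo '$$Revision: 242 $$' | sed -e 's/\$$Revision: \([0-9]\+\) \$$$$/\1/') endif CC ?= cc CFLAGS ?= -Wall -O2 -ggdb OPTFLAGS = -DREVISION=\"$(revision)\" # Comment on non-gnu systems OPTFLAGS += -DHAVE_GETOPT_LONG # Comment if you don't have/want ssl OPTFLAGS += -DUSE_SSL # Most systems OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2 # Comment if you don't have this flag OPTFLAGS += -DSO_REUSEPORT # System dependant blocks...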
if your system is listed below, uncomment # the relevant lines # OpenBSD #OPTFLAGS += -DHAVE_SYS_PSTAT_H # DARWIN #OPTFLAGS += -DDARWIN # CYGWIN #OPTFLAGS += -DCYGWIN # SOLARIS #LDFLAGS += -lsocket -lnsl #LDFLAGS += -L/usr/local/ssl/lib # Path to your SSL lib dir # END system dependant block SSL_LIBS := $(shell pkg-config --libs libssl 2>/dev/null) ifeq ($(SSL_LIBS),) SSL_LIBS := $(shell pkg-config --libs openssl 2>/dev/null) endif ifeq ($(SSL_LIBS),) SSL_LIBS := -lssl -lcrypto endif LDFLAGS += $(SSL_LIBS) prefix = /usr/local bindir = $(prefix)/bin datadir = $(prefix)/share mandir = $(datadir)/man # Remove strlcpy/strlcat on (open)bsd/darwin systems OBJ = proxytunnel.o \ base64.o \ strlcpy.o \ strlcat.o \ strzcat.o \ setproctitle.o \ io.o \ http.o \ basicauth.o \ readpassphrase.o \ messages.o \ cmdline.o \ ntlm.o \ ptstream.o .PHONY: all clean docs install all: proxytunnel docs docs: $(MAKE) -C docs proxytunnel: $(OBJ) $(CC) -o $(name) $(CFLAGS) $(OPTFLAGS) $(OBJ) $(LDFLAGS) clean: @rm -f $(name) $(OBJ) $(MAKE) -C docs clean install: install -Dp -m0755 $(name) $(DESTDIR)$(bindir)/$(name) $(MAKE) -C docs install .c.o: $(CC) $(CFLAGS) $(OPTFLAGS) -c -o $@ $< dist: clean docs sed -i -e 's/^Version:.*$$/Version: $(version)/' contrib/proxytunnel.spec find . ! 
-wholename '*/.svn*' | pax -d -w -x ustar -s ,^./,$(name)-$(version)/, | bzip2 >../$(name)-$(version).tar.bz2 rpm: dist rpmbuild -tb --clean --rmsource --rmspec --define "_rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" --define "_rpmdir ../" ../$(name)-$(version).tar.bz2 srpm: dist rpmbuild -ts --clean --rmsource --rmspec --define "_rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" --define "_srcrpmdir ../" ../$(name)-$(version).tar.bz2 proxytunnel-svn/config.h0000644000175000017500000000224712267561753014024 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
* * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #define VERSION "1.9.0" #define PACKAGE "proxytunnel" #define PURPOSE "Build generic tunnels through HTTPS proxies" #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) " #ifndef _PATH_TTY #define _PATH_TTY "/dev/tty" #endif #ifndef _PASSWORD_LEN #define _PASSWORD_LEN 80 #endif // vim:noexpandtab:ts=4 proxytunnel-svn/proxytunnel.c0000644000175000017500000002534112267561753015161 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "proxytunnel.h" #include "io.h" #include "config.h" #include "cmdline.h" #include "basicauth.h" #include "ntlm.h" /* Define DARWIN if compiling on MacOS-X (Darwin), to work around some * inconsistencies. 
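(Darwin doesn't know socklen_t) */
#ifdef DARWIN
#define socklen_t int
#endif /* DARWIN */

/* Globals */
int read_fd=0;		/* The file descriptor to read from */
int write_fd=1;		/* The file descriptor to write to */

/*
 * SIGHUP handler (installed by tunnel_connect()). It only logs the signal
 * when verbose is on and otherwise ignores it; the closeall() call is left
 * disabled by the authors. NOTE(review): message() is presumably not
 * async-signal-safe -- confirm before relying on this output.
 */
void signal_handler( int signal ) {
	if( args_info.verbose_flag )
		message( "Tunnel received signal %d. Ignoring signal.\n", signal );
	// closeall();
}

/*
 * Create and connect the socket that connects to the local proxy
 * (args_info.proxyhost_arg:args_info.proxyport_arg). Returns the
 * connected socket descriptor. Every failure is fatal: the error is
 * reported and the process exits with status 1.
 */
int tunnel_connect() {
	struct sockaddr_in sa;
	struct hostent *he;
	int sd;

	/* Create the socket */
	if( ( sd = socket( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) {
		my_perror("Can not create socket");
		exit(1);
	}

	/* Lookup the IP address of the proxy */
	if( ! ( he = gethostbyname( args_info.proxyhost_arg ) ) ) {
		// FIXME: my_perror("Local proxy %s could not be resolved", args_info.proxyhost_arg);
		my_perror("Local proxy could not be resolved." );
		exit(1);
	}

	/* The socket is AF_INET and only 4 bytes are copied into sa.sin_addr
	 * below, so refuse any other record type instead of connecting to a
	 * truncated address. */
	if( he->h_addrtype != AF_INET || he->h_length != 4 ) {
		message( "Local proxy %s did not resolve to an IPv4 address\n", args_info.proxyhost_arg );
		exit(1);
	}

	char ip[16];
	snprintf(ip, sizeof ip, "%d.%d.%d.%d",
		he->h_addr[0] & 255, he->h_addr[1] & 255,
		he->h_addr[2] & 255, he->h_addr[3] & 255);

	/* Only mention the resolution when the user gave a name, not an IP */
	if( args_info.verbose_flag && strcmp(args_info.proxyhost_arg, ip)) {
		message( "Local proxy %s resolves to %s\n", args_info.proxyhost_arg, ip );
	}

	/* Set up the structure to connect to the proxy port of the proxy host */
	memset( &sa, '\0', sizeof( sa ) );
	sa.sin_family = AF_INET;
	memcpy( &sa.sin_addr.s_addr, he->h_addr, 4);
	sa.sin_port = htons( args_info.proxyport_arg );

	/* Connect the socket */
	if( connect( sd, (struct sockaddr*) &sa, sizeof( sa ) ) < 0 ) {
		my_perror("connect() failed");
		exit(1);
	}

	/* Increase interactivity of tunnel, patch by Ingo Molnar.
	 * Best effort: failure only costs latency, so the result is not checked. */
	int flag = 1;
	setsockopt( sd, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));

	/* Make sure we get warned when someone hangs up on us */
	signal(SIGHUP,signal_handler);

	if( ! args_info.quiet_flag ) {
		if ( ! args_info.verbose_flag ) {
			if ( args_info.remproxy_given ) {
				message( "Via %s -> %s -> %s\n", args_info.proxy_arg, args_info.remproxy_arg, args_info.dest_arg );
			} else {
				message( "Via %s -> %s\n", args_info.proxy_arg, args_info.dest_arg );
			}
		} else {
			message( "Connected to %s (local proxy)\n", args_info.proxy_arg );
		}
	}

	/* Return the socket */
	return sd;
}

/*
 * Leave a goodbye message and release the streams. Registered with
 * atexit() in do_daemon(); safe to call more than once because each
 * stream pointer is NULLed after it is closed.
 */
void closeall() {
#ifndef CYGWIN
	closelog();
#endif /* CYGWIN */

	/* Close all streams */
	if (stunnel) {
		stream_close(stunnel);
		stunnel = NULL;
	}
	if (std) {
		stream_close(std);
		std = NULL;
	}

	if( args_info.verbose_flag ) {
		message( "Tunnel closed.\n" );
	}
}

/* Run as a standalone daemon */
void do_daemon() {
	int listen_sd;
	int one = 1;
	struct sockaddr_in sa_serv;
	struct sockaddr_in sa_cli;
	socklen_t client_len;
	int pid = 0;
	int sd_client;
	char buf[80];
	unsigned char addr[4];
	/* Socket descriptor */
	int sd;

	if ( ( listen_sd = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP ) ) < 0 ) {
		my_perror( "Server socket creation failed" );
		exit(1);
	}

#ifdef SO_REUSEPORT /* doesnt exist everywhere... */
	setsockopt(listen_sd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one));
#endif /* SO_REUSEPORT */
	setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

	/* NOTE(review): INADDR_ANY binds the standalone listener on every
	 * interface and no access control is visible in this function, so
	 * reachability of the -a port is left to the host firewall. */
	memset( &sa_serv, '\0', sizeof( sa_serv ) );
	sa_serv.sin_family = AF_INET;
	sa_serv.sin_addr.s_addr = htonl(INADDR_ANY);
	sa_serv.sin_port = htons( args_info.standalone_arg );

	if ( bind( listen_sd, (struct sockaddr * )&sa_serv, sizeof( struct sockaddr ) ) < 0) {
		my_perror("Server socket bind failed");
		exit(1);
	}

	signal(SIGHUP,SIG_IGN);
	signal(SIGCHLD,SIG_IGN);

#ifdef SETPROCTITLE
	if( ! args_info.proctitle_given )
		setproctitle( "[daemon]\0" );
	else
		setproctitle( "\0" );
#else
	if( args_info.proctitle_given )
		message( "Setting process-title is not supported in this build\n");
#endif /* SETPROCTITLE */

	/* For the moment, turn of forking into background on the cygwin platform
	 * so users can run it in a command window and ctrl-c it to cancel.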
* Also so we can put logging there, since there's no syslog on cygwin (AFAIK) * -- Maniac */ #ifndef CYGWIN /* if ( ( pid = fork( ) ) < 0 ) { my_perror( "Cannot fork into the background" ); exit(1); } else if ( pid > 0 ) { message( "Forked into the background with pid %d\n", pid ); exit(0); } */ openlog( program_name, LOG_CONS|LOG_PID,LOG_DAEMON ); i_am_daemon = 1; #endif /* CYGWIN */ atexit( closeall ); listen( listen_sd, 8 ); while (1==1) { /* 2002/04/21 * * Workaround a CYGWIN bug, see: * http://www.gnu.org/software/serveez/manual/BUGS * for bug #B0007 * * 2004/06/23: Apparently Solaris needs this too, so * we'll do it by default, can't hurt * * -- Maniac */ client_len = sizeof( sa_cli ); sd_client = accept( listen_sd, (struct sockaddr *)&sa_cli, &client_len ); if ( sd_client < 0 ) { my_perror( "accept() failed. Bailing out..." ); exit(1); } if ( ( pid = fork() ) < 0 ) { my_perror( "Cannot fork worker" ); } else if ( pid == 0 ) { read_fd = write_fd = sd_client; /* Create a stdin/out stream */ std = stream_open(read_fd, write_fd); /* Create a tunnel stream */ sd = tunnel_connect(); stunnel = stream_open(sd, sd); #ifdef USE_SSL /* If --encrypt-proxy is specified, connect to the proxy using SSL */ if ( args_info.encryptproxy_flag ) stream_enable_ssl(stunnel); #endif /* USE_SSL */ /* Open the tunnel */ proxy_protocol(stunnel); #ifdef USE_SSL /* If --encrypt is specified, wrap all traffic after the proxy handoff in SSL */ if( args_info.encrypt_flag ) stream_enable_ssl(stunnel); #endif /* USE_SSL */ #ifdef SETPROCTITLE if( ! 
args_info.proctitle_given ) setproctitle( "[cpio]\0" ); else setproctitle( "\0" ); #else if( args_info.proctitle_given ) message( "Setting process-title is not supported in this build\n"); #endif /* SETPROCTITLE */ /* Run the tunnel - we should stay here indefinitely */ cpio(std, stunnel); exit( 0 ); } memcpy( &addr, &sa_cli.sin_addr.s_addr, 4 ); snprintf( (char *) buf, 16, "%u.%u.%u.%u", addr[0], addr[1], addr[2], addr[3] ); message( "Started tunnel pid=%d for connection from %s", pid, buf ); close( sd_client ); } } /* We begin at the beginning */ int main( int argc, char *argv[] ) { /* Socket descriptor */ int sd; /* Clear all stream variables (so we know whether we need to clear up) */ stunnel = NULL; std = NULL; program_name = argv[0]; cmdline_parser( argc, argv, &args_info ); #ifdef SETPROCTITLE initsetproctitle( argc, argv ); #endif /* * This is what we do: * - Check if we need to run as a daemon. If so, a completely * different mainline is needed... * - Set a signal for the hangup (HUP) signal * - Optionally create the proxy basic authentication cookie * - Connect to the proxy * - Execute the proxy protocol to connect it to the origin server * - Enter copy in-out mode to channel data hence and forth */ signal( SIGHUP, signal_handler ); /* If the usename is given, but password is not, prompt for it */ if( args_info.user_given && !args_info.pass_given ) { char *cp; cp = getpass_x ("Enter local proxy password for user %s: ", args_info.user_arg); if (cp != NULL && strlen (cp) > 0) { args_info.pass_arg = strdup (cp); args_info.pass_given = 1; memset (cp, 0, strlen(cp)); } } if( args_info.remuser_given && !args_info.rempass_given ) { char *cp; cp = getpass_x ("Enter remote proxy password for user %s: ", args_info.remuser_arg); if (cp != NULL && strlen (cp) > 0) { args_info.rempass_arg = strdup (cp); args_info.rempass_given = 1; memset (cp, 0, strlen(cp)); } } if( args_info.user_given && args_info.pass_given ) { if (args_info.ntlm_flag) { build_type1(); if ( 
args_info.verbose_flag ) message("Build Type 1 NTLM Message : %s\n", ntlm_type1_buf); } } /* Only one of -E/-e/-R can be specified. */ if ((args_info.encrypt_flag ? 1 : 0) + (args_info.encryptproxy_flag ? 1 : 0) + (args_info.encryptremproxy_flag ? 1 : 0) > 1) { message("Error: only one of --encrypt-proxy, --encrypt-remproxy and --encrypt can be specified for a tunnel\n"); exit( 1 ); } /* Do we need to run as a standalone daemon? */ if ( args_info.standalone_arg > 0 ) { /* Do processing in the other mainline... */ do_daemon(); } else { /* Inetd trick */ if( args_info.inetd_flag ) { write_fd=0; } /* Create a stdin/out stream */ std = stream_open(read_fd, write_fd); /* Create a tunnel stream */ sd = tunnel_connect(); stunnel = stream_open(sd, sd); /* If --encrypt-proxy is specified, connect to the proxy using SSL */ #ifdef USE_SSL if ( args_info.encryptproxy_flag ) stream_enable_ssl(stunnel); #endif /* USE_SSL */ /* Open the tunnel */ proxy_protocol(stunnel); /* If --encrypt is specified, wrap all traffic after the proxy handoff in SSL */ #ifdef USE_SSL if( args_info.encrypt_flag ) stream_enable_ssl(stunnel); #endif /* USE_SSL */ #ifdef SETPROCTITLE if( ! args_info.proctitle_given ) setproctitle( "[cpio]\0" ); else setproctitle( "\0" ); #else if( args_info.proctitle_given ) message( "Setting process-title is not supported in this build\n"); #endif /* SETPROCTITLE */ /* Run the tunnel - we should stay here indefinitely */ cpio(std, stunnel); } exit( 0 ); } // vim:noexpandtab:ts=4 proxytunnel-svn/messages.c0000644000175000017500000000275312267561753014363 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. 
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* NOTE(review): the system header names below were lost in extraction. */
#include
#include
#include
#include
#include
#include "proxytunnel.h"

/*
 * Format a diagnostic and hand it to the user. Once the process runs in
 * daemon mode (i_am_daemon is set by do_daemon()) the text goes to
 * syslog(3) at LOG_NOTICE, otherwise it is written to stderr. The
 * formatted text is silently cut at 1023 bytes.
 *
 * The format is always a literal from this program; the "%s" below keeps
 * the expanded text from ever being re-interpreted by syslog().
 */
void message( char *s, ... ) {
	char line[1024];
	va_list ap;

	va_start( ap, s );
	vsnprintf( line, sizeof( line ), s, ap );
	va_end( ap );

	if ( ! i_am_daemon ) {
		fputs( line, stderr );
		return;
	}
	syslog( LOG_NOTICE, "%s", line );
}

/*
 * perror(3) replacement routed through message(). With errno zero only
 * the caller's text is printed, otherwise the number and strerror() text
 * are appended.
 */
void my_perror( char *msg ) {
	int err = errno;

	if ( err != 0 ) {
		message( "error: %s: [%d] %s\n", msg, err, strerror( err ) );
		return;
	}
	message( "error: %s.\n", msg );
}

// vim:noexpandtab:ts=4
proxytunnel-svn/global.h0000644000175000017500000000145112267561753014013 0ustar jdgjdg/* GLOBAL.H - RSAREF types and constants */

/* PROTOTYPES should be set to one if and only if the compiler supports
   function argument prototyping. The following makes PROTOTYPES default
   to 0 if it has not already been defined with C compiler flags. */
#ifndef PROTOTYPES
#define PROTOTYPES 0
#endif

/* POINTER defines a generic pointer type */
typedef unsigned char *POINTER;

/* UINT2 defines a two byte word */
typedef unsigned short int UINT2;

/* UINT4 defines a four byte word */
/* NOTE(review): "unsigned long" is eight bytes on LP64 platforms, so
 * UINT4 is only a four byte word on 32-bit targets. Nothing visible in
 * this tree uses it; check before relying on it for a wire format. */
typedef unsigned long int UINT4;

/* PROTO_LIST is defined depending on how PROTOTYPES is defined above.
   If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it
   returns an empty list.
*/ #if PROTOTYPES #define PROTO_LIST(list) list #else #define PROTO_LIST(list) () #endif // vim:noexpandtab:ts=4 proxytunnel-svn/strlcat.c0000644000175000017500000000406612267561753014227 0ustar jdgjdg/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */ /* $OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $ */ /* * Copyright (c) 1998 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include #include #include #include #include #include #ifndef HAVE_STRLCAT #if defined(LIBC_SCCS) && !defined(lint) static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $"; #endif /* LIBC_SCCS and not lint */ #include #include /* * Appends src to string dst of size siz (unlike strncat, siz is the * full size of dst, not space left). At most siz-1 characters * will be copied. Always NUL terminates (unless siz <= strlen(dst)). * Returns strlen(src) + MIN(siz, strlen(initial dst)). * If retval >= siz, truncation occurred. 
*/
size_t
strlcat(char *dst, const char *src, size_t siz)
{
	size_t dlen = 0;	/* length of dst, capped at siz */
	size_t slen = 0;	/* full length of src */

	/* Measure dst, but never look past siz bytes of it (it need not be
	 * terminated within the buffer). */
	while (dlen < siz && dst[dlen] != '\0')
		dlen++;

	/* No room at all: report the would-be length and leave dst alone. */
	if (dlen == siz)
		return dlen + strlen(src);

	/* Copy at most siz - dlen - 1 bytes; keep walking src afterwards so the
	 * return value is the untruncated length. */
	for (; src[slen] != '\0'; slen++) {
		if (dlen + slen + 1 < siz)
			dst[dlen + slen] = src[slen];
	}

	/* Terminate after the last byte actually stored. */
	dst[dlen + (slen < siz - dlen ? slen : siz - dlen - 1)] = '\0';

	return dlen + slen;	/* count does not include NUL */
}
#endif /* !HAVE_STRLCAT */

proxytunnel-svn/ptstream.h0000644000175000017500000000301612267561753014411 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */
/* Contact: josv@osp.nl / maniac@maniac.nl */

/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* ptstream.h */

/* NOTE(review): the OpenSSL header names below were lost in extraction. */
#ifdef USE_SSL
#include
#include
#include
#include
#endif

/*
 * One end of the tunnel. The callers in proxytunnel.c open it either on
 * a socket (the same fd passed twice) or on stdin/stdout (0 and 1). With
 * USE_SSL the two pointers are the OpenSSL objects; without it they stay
 * as untyped placeholders so the struct keeps the same shape.
 */
typedef struct ptstream {
	int incoming_fd;	/* descriptor read from */
	int outgoing_fd;	/* descriptor written to */
#ifdef USE_SSL
	SSL *ssl;		/* presumably set by stream_enable_ssl() -- verify in ptstream.c */
	SSL_CTX *ctx;
#else
	void *ssl;
	void *ctx;
#endif
} PTSTREAM;

/* Open/close a stream over a pair of descriptors. */
PTSTREAM *stream_open(int incoming_fd, int outgoing_fd);
int stream_close(PTSTREAM *pts);
/* Raw or SSL-wrapped I/O on a stream (return conventions defined in ptstream.c). */
int stream_read(PTSTREAM *pts, void *buf, size_t len);
int stream_write(PTSTREAM *pts, void *buf, size_t len);
int stream_copy(PTSTREAM *pts_from, PTSTREAM *pts_to);
/* Switch the stream to SSL; proxytunnel.c calls it either before or after proxy_protocol(). */
int stream_enable_ssl(PTSTREAM *pts);
int stream_get_incoming_fd(PTSTREAM *pts);
int stream_get_outgoing_fd(PTSTREAM *pts);

// vim:noexpandtab:ts=4
proxytunnel-svn/readpassphrase.c0000644000175000017500000001412312267561753015553 0ustar jdgjdg/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */

/*	$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $	*/

/*
 * Copyright (c) 2000-2002 Todd C. Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
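 *
 * Sponsored in part by the Defense Advanced Research Projects
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
 */

#if defined(LIBC_SCCS) && !defined(lint)
static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $";
#endif /* LIBC_SCCS and not lint */

/* NOTE(review): the system header names below were lost in extraction. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "proxytunnel.h"
#include "config.h"

#ifndef HAVE_READPASSPHRASE

#ifdef TCSASOFT
# define _T_FLUSH	(TCSAFLUSH|TCSASOFT)
#else
# define _T_FLUSH	(TCSAFLUSH)
#endif

/* SunOS 4.x which lacks _POSIX_VDISABLE, but has VDISABLE */
#if !defined(_POSIX_VDISABLE) && defined(VDISABLE)
#  define _POSIX_VDISABLE       VDISABLE
#endif

#define RPP_ECHO_OFF    0x00		/* Turn off echo (default). */
#define RPP_ECHO_ON     0x01		/* Leave echo on. */
#define RPP_REQUIRE_TTY 0x02		/* Fail if there is no tty. */
#define RPP_FORCELOWER  0x04		/* Force input to lower case. */
#define RPP_FORCEUPPER  0x08		/* Force input to upper case. */
#define RPP_SEVENBIT    0x10		/* Strip the high bit from input. */
#define RPP_STDIN       0x20		/* Read from stdin, not /dev/tty */

static volatile sig_atomic_t signo;	/* signal caught while reading, 0 if none */

static void handler(int);

/*
 * Read a line (up to bufsiz-1 bytes, NUL terminated) from /dev/tty with
 * echo disabled, after printing prompt there. Without a usable tty it
 * falls back to stdin/stderr unless RPP_REQUIRE_TTY is set (ENOTTY).
 * Returns buf, or NULL on error with errno set. Signals that would leave
 * the shell with echo turned off are caught, the terminal is restored
 * and the signal is re-sent to ourselves; for the job-control signals
 * the prompt is then repeated.
 *
 * Fix versus the copied OpenBSD 1.16 text: the SIGTTOU disposition was
 * saved but never restored, so the static handler() stayed installed
 * after returning.
 */
char *
readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
{
	ssize_t nr;
	int input, output, save_errno;
	char ch, *p, *end;
	struct termios term, oterm;
	struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
	struct sigaction savetstp, savettin, savettou, savepipe;

	/* I suppose we could alloc on demand in this case (XXX). */
	if (bufsiz == 0) {
		errno = EINVAL;
		return(NULL);
	}

restart:
	signo = 0;
	/*
	 * Read and write to /dev/tty if available.  If not, read from
	 * stdin and write to stderr unless a tty is required.
	 */
	if ((flags & RPP_STDIN) ||
	    (input = output = open(_PATH_TTY, O_RDWR)) == -1) {
		if (flags & RPP_REQUIRE_TTY) {
			errno = ENOTTY;
			return(NULL);
		}
		input = STDIN_FILENO;
		output = STDERR_FILENO;
	}

	/*
	 * Catch signals that would otherwise cause the user to end
	 * up with echo turned off in the shell.  Don't worry about
	 * things like SIGXCPU and SIGVTALRM for now.
	 */
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = 0;		/* don't restart system calls */
	sa.sa_handler = handler;
	(void)sigaction(SIGALRM, &sa, &savealrm);
	(void)sigaction(SIGHUP, &sa, &savehup);
	(void)sigaction(SIGINT, &sa, &saveint);
	(void)sigaction(SIGPIPE, &sa, &savepipe);
	(void)sigaction(SIGQUIT, &sa, &savequit);
	(void)sigaction(SIGTERM, &sa, &saveterm);
	(void)sigaction(SIGTSTP, &sa, &savetstp);
	(void)sigaction(SIGTTIN, &sa, &savettin);
	(void)sigaction(SIGTTOU, &sa, &savettou);

	/* Turn off echo if possible. */
	if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
		memcpy(&term, &oterm, sizeof(term));
		if (!(flags & RPP_ECHO_ON))
			term.c_lflag &= ~(ECHO | ECHONL);
#ifdef VSTATUS
		if (term.c_cc[VSTATUS] != _POSIX_VDISABLE)
			term.c_cc[VSTATUS] = _POSIX_VDISABLE;
#endif
		(void)tcsetattr(input, _T_FLUSH, &term);
	} else {
		/* No tty: pretend echo is on so no newline is forced below */
		memset(&term, 0, sizeof(term));
		term.c_lflag |= ECHO;
		memset(&oterm, 0, sizeof(oterm));
		oterm.c_lflag |= ECHO;
	}

	if (!(flags & RPP_STDIN))
		(void)write(output, prompt, strlen(prompt));
	end = buf + bufsiz - 1;
	for (p = buf; (nr = read(input, &ch, 1)) == 1 && ch != '\n' && ch != '\r';) {
		if (p < end) {
			if ((flags & RPP_SEVENBIT))
				ch &= 0x7f;
			/* <ctype.h> wants unsigned char values; a plain char
			 * with the high bit set is negative on most ABIs */
			if (isalpha((unsigned char)ch)) {
				if ((flags & RPP_FORCELOWER))
					ch = (char)tolower((unsigned char)ch);
				if ((flags & RPP_FORCEUPPER))
					ch = (char)toupper((unsigned char)ch);
			}
			*p++ = ch;
		}
	}
	*p = '\0';
	save_errno = errno;
	if (!(term.c_lflag & ECHO))
		(void)write(output, "\n", 1);

	/* Restore old terminal settings and signals. */
	if (memcmp(&term, &oterm, sizeof(term)) != 0) {
		while (tcsetattr(input, _T_FLUSH, &oterm) == -1 &&
		    errno == EINTR)
			continue;
	}
	(void)sigaction(SIGALRM, &savealrm, NULL);
	(void)sigaction(SIGHUP, &savehup, NULL);
	(void)sigaction(SIGINT, &saveint, NULL);
	(void)sigaction(SIGQUIT, &savequit, NULL);
	(void)sigaction(SIGPIPE, &savepipe, NULL);
	(void)sigaction(SIGTERM, &saveterm, NULL);
	(void)sigaction(SIGTSTP, &savetstp, NULL);
	(void)sigaction(SIGTTIN, &savettin, NULL);
	(void)sigaction(SIGTTOU, &savettou, NULL);
	if (input != STDIN_FILENO)
		(void)close(input);

	/*
	 * If we were interrupted by a signal, resend it to ourselves
	 * now that we have restored the signal handlers.
	 */
	if (signo) {
		kill(getpid(), signo);
		switch (signo) {
		case SIGTSTP:
		case SIGTTIN:
		case SIGTTOU:
			goto restart;
		}
	}

	errno = save_errno;
	return(nr == -1 ? NULL : buf);
}

/*
 * printf-style front end to readpassphrase(): formats the prompt into a
 * SIZE byte temporary and reads the password, echo off, into a static
 * buffer of _PASSWORD_LEN bytes. Returns that buffer (the caller is
 * expected to copy it and wipe it, as main() does) or NULL when the
 * prompt could not be allocated or the read failed.
 */
char *
getpass_x(const char *format, ...)
{
	static char buf[_PASSWORD_LEN + 1];
	char *prompt;
	char *result;
	va_list ap;

	/* The temporary was neither checked nor freed before */
	prompt = malloc(SIZE);
	if (prompt == NULL)
		return(NULL);

	va_start(ap, format);
	vsnprintf(prompt, SIZE, format, ap);
	va_end(ap);

	result = readpassphrase(prompt, buf, sizeof(buf), RPP_ECHO_OFF);
	free(prompt);
	return(result);
}

/* Remember which signal interrupted the read; handled after restore. */
static void handler(int s)
{
	signo = s;
}
#endif /* HAVE_READPASSPHRASE */

// vim:noexpandtab:ts=4
proxytunnel-svn/CREDITS0000644000175000017500000000237212267561753013425 0ustar jdgjdgProxytunnel was made possible due to help and support from the following people.
Jos Visser - Initial coder and developer a.k.a. The Muppet
Mark Janssen - Maintainer / Developer a.k.a.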
Maniac Ralph Loader - Broken DNS w/ DynDNS patch, rpm Spec file Martin Senft - Solaris patches Andrew Griffiths - String format fixes Dieter Heiliger - User-agent header idea Fred Donck - User/Pass Env Vars Leigh.Wedding @ telstra.com - User/Pass from file Paul Solomon - NTLM support Joerg Wunsch - Password prompt suggestion Roberto Veldhoven at atosorigin.com - Tandem compile fix Stephane Engel at macchiati.org - Fix for broken proxy Mike Frysinger - Makefile fix, 64bit fix Dag Wieers - Remote proxy support, various other Alex Peuchert proxytunnel@peuchert.de - SSL/Encrypt support Mark.Cave-Ayland @ ilande.co.uk - SSL to Proxy, Streams Ingo Molnar - Interactivity improvement Furthermore we would like to thank the wonderful people at SourceForge for hosting our development. Jos Visser && Mark Janssen proxytunnel-svn/RELNOTES0000644000175000017500000000346512267561753013557 0ustar jdgjdgProxytunnel 1.9.0 release notes Proxytunnel 1.9.0 summarizes the development in Proxytunnel over the last year. It includes many bugfixes and a few new features. This release wouldn't have been possible without the help from the Proxytunnel community, and I especially would like to thank Dag Wieers for his many patches and fixes. Proxytunnel 1.9.0 should work on all POSIX-compliant systems, including Linux, *BSD, Windows and OS X. It can work with 1 proxy (default, and most used) or with 2 proxies chained together (-r). For information regarding the use of 2 proxies, why you would want or need this, see Dag's page at: http://dag.wieers.com/howto/ssh-http-tunneling/ Proxytunnel now supports SSL encryption on 3 different phases in the connection chain: between proxytunnel and the primary proxy (-E), between the local primary and the destination (-e), and between the primary and secondary proxies (-X). Proxytunnel supports proxies with Basic (-P/-R) and NTLM (-N) authentication, and can read the username/password information from the commandline, the environment or a configfile. (Credentials given on the command line are visible to other local users in the process listing; prefer the environment or the config file where that matters.)
The old -u/--user and -s/--pass options have been deprecated, and replaced by a single -P/--proxyauth option. This accepts the authentication information in the format user:password, or will prompt for the password when only the username is given (omit the ':' sign in this case). The -U/--uservar and -S/--passvar options have been removed; use the environment variables named in the README file instead. Proxytunnel can now also read the proxy configuration from the environment by reading the HTTP_PROXY variable (format http://host:port/). If you require any assistance, have any comments or want to participate in proxytunnel development, you can send a message to the proxytunnel-users mailinglist: proxytunnel-users@sourceforge.net The Proxytunnel Team proxytunnel-svn/ntlm.c0000644000175000017500000002752712267561753013524 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details.
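 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* ntlm.c -- Code for handling NTLM authentication */
/* NTLM Code from Paul Solomon */

#include "ntlm.h"
#include "global.h"
#include "base64.h"
/* NOTE(review): the system header names below were lost in extraction. */
#include
#include
#include "proxytunnel.h"
#include
#include
#include
#include
#include <stdio.h>	/* fopen()/fread() of /dev/urandom for the client challenge */

#define TYPE1_DATA_SEG 8
#define TYPE2_BUF_SIZE 2048
#define DOMAIN_BUFLEN 256
#define LM2_DIGEST_LEN 24

int ntlm_challenge = 0;			/* set once a Type 2 message was parsed */

void message( char *s, ... );

int unicode = 0;			/* proxy negotiated NEG_UNICODE */
unsigned char challenge[8];		/* server challenge from the Type 2 message */
char domain[DOMAIN_BUFLEN];		/* target (domain) name, NUL terminated */
char workstation[] = "WORKSTATION";
unsigned char unipasswd[DOMAIN_BUFLEN * 2];	/* password, spread to UTF-16LE when unicode */
unsigned char t2_buf[TYPE2_BUF_SIZE];	/* decoded Type 2 message */
unsigned char *pblob = NULL;		/* NTLMv2 response: HMAC followed by the blob */
int bloblen;
unsigned char *t_info;			/* target_info block inside t2_buf */
int t_info_len;
unsigned long flags;			/* flags echoed from the Type 2 message */
unsigned char lm2digest[LM2_DIGEST_LEN];	/* LMv2 response: HMAC + client challenge */

/*
 * Build the NTLM Type 1 (negotiate) message and leave it base64 encoded
 * in ntlm_type1_buf. It carries no user data, only the flag set we
 * offer. Malloc failure is fatal.
 */
void build_type1() {
	ntlm_type1 *type1;
	int len = sizeof(ntlm_type1) + sizeof(unsigned char) * TYPE1_DATA_SEG;

	type1 = (ntlm_type1 *)malloc(len);
	if (!type1) {
		message("Fatal Error in build type1, Malloc failed\n");
		exit(-1);
	}
	memset(type1, 0, len);

	memcpy(type1->signature, "NTLMSSP", 8);	/* 8 bytes: includes the NUL */
	type1->message_type = NTLM_TYPE_1;
	type1->flags = NEG_UNICODE | NEG_OEM | REQ_TARGET | NEG_NTLM | NEG_ASIGN | NEG_NTLM2 | NEG_128 | NEG_56 | IE_SETSTHIS;

	base64((unsigned char *)ntlm_type1_buf, (unsigned char *)type1, len);
	free(type1);
	return;
}

/*
 * Decode the base64 Type 2 (challenge) message the proxy sent in buf and
 * keep what the Type 3 answer needs: server challenge, target (domain)
 * name, target_info block and the negotiated flags. An explicit --domain
 * overrides the proxy-supplied name. On success the NTLMv2 response is
 * computed right away (build_ntlm2_response()) and 0 is returned; any
 * malformed or unsupported message yields -1.
 *
 * Everything in t2_buf comes from the proxy, so each offset/length is
 * checked against the decoded length before it is dereferenced.
 */
int parse_type2(unsigned char *buf) {
	int len = unbase64(t2_buf, buf, TYPE2_BUF_SIZE);
	ntlm_type2 *t2 = (ntlm_type2 *)t2_buf;
	int i;

	if (len <= 0) {
		message("parse_type2: failed to decode the message\n");
		return -1;
	}

	/* Every header field read below lives inside sizeof(ntlm_type2) */
	if ((size_t)len < sizeof(ntlm_type2)) {
		message("parse_type2: message too short\n");
		return -1;
	}

	/* Bounded compare of the 8-byte "NTLMSSP\0" signature */
	if (memcmp(t2->signature, "NTLMSSP", 8) != 0) {
		message("parse_type2: Signature did not match\n");
		return -1;
	}
	if( args_info.verbose_flag )
		message("parse_type2: Signature matched\n");

	if (t2->message_type != NTLM_TYPE_2) {
		message("parse_type2: Incorrect message type sent\n");
		return -1;
	}

	/* Target name: one byte per character (every other byte when the
	 * proxy talks UNICODE), only when it fits and lies inside the message */
	if (t2->target_name.length > 0 && t2->target_name.length < DOMAIN_BUFLEN
			&& (t2->target_name.length + t2->target_name.offset < len)) {
		int sp = (t2->flags & NEG_UNICODE) ? 2 : 1;
		for (i = 0; i < t2->target_name.length / sp; i++)
			domain[i] = t2_buf[t2->target_name.offset + i * sp];
		domain[i] = 0;
	} else {
		domain[0] = 0;
	}

	memcpy(challenge, t2->challenge, 8);

	if( args_info.verbose_flag )
		message("NTLM Got Domain: %s\n", domain);

	if( args_info.domain_given ) {
		size_t dlen = strlen(args_info.domain_arg);
		if( ! args_info.quiet_flag )
			message( "NTLM Overriding domain: %s\n", args_info.domain_arg );
		/* domain[] is DOMAIN_BUFLEN bytes; the override used to be copied unbounded */
		if (dlen >= DOMAIN_BUFLEN) {
			message("parse_type2: domain override too long\n");
			return -1;
		}
		memcpy(domain, args_info.domain_arg, dlen);
		domain[dlen] = 0;
	}

	if( args_info.verbose_flag ) {
		message("NTLM Domain: %s\n", domain);
		message("NTLM Got Challenge: ");
		for (i = 0; i < 8; i++)
			message("%02X", challenge[i]);
		message("\n");
	}

	if (!(t2->flags & NEG_NTLM && t2->flags & NEG_NTLM2)) {
		message("parse_type2: Sorry, only NTLMv2 is supported at this time\n");
		return -1;
	}

	unicode = (t2->flags & NEG_UNICODE) ? 1 : 0;

	/* target_info is memcpy()ed into the NTLMv2 blob later; a proxy-chosen
	 * offset/length must not read past the decoded data */
	if ((unsigned long)t2->target_info.offset > (unsigned long)len ||
	    (unsigned long)t2->target_info.length > (unsigned long)len - (unsigned long)t2->target_info.offset) {
		message("parse_type2: target_info lies outside the message\n");
		return -1;
	}
	t_info = &t2_buf[t2->target_info.offset];
	t_info_len = t2->target_info.length;
	flags = t2->flags;
	ntlm_challenge = 1;

	build_ntlm2_response();
	return 0;
}

/*
 * Assemble the Type 3 (authenticate) message from the responses computed
 * by build_ntlm2_response() plus domain, user and workstation, and leave
 * it base64 encoded in ntlm_type3_buf. Strings are spread to two bytes
 * per character (low byte only, so ASCII is assumed) when unicode was
 * negotiated. Malloc failure is fatal.
 */
void build_type3_response() {
	unsigned char *t3;
	ntlm_type3 *type3;
	int len;
	int sp = 1;
	int i;

	if (unicode)
		sp = 2;

	len = sizeof(ntlm_type3) + sizeof(unsigned char) * (LM2_DIGEST_LEN + bloblen
		+ (strlen(domain) + strlen(args_info.user_arg) + strlen(workstation)) * sp);

	type3 = (ntlm_type3 *)malloc(len);
	if (!type3) {
		message("Fatal Error in build type3, Malloc failed\n");
		exit(-1);
	}
	t3 = (unsigned char *) type3;
	memset(type3, 0, len);

	memcpy(type3->signature, "NTLMSSP", 8);
	type3->message_type = NTLM_TYPE_3;
	/* Echo the proxy's flags minus the target-related ones */
	type3->flags = flags & ~TAR_DOMAIN & ~NEG_TARINFO;

	/* Payload is laid out back to back right after the header: LMv2
	 * response, NTLMv2 response, domain, user, workstation */
	type3->LM_response.length = LM2_DIGEST_LEN;
	type3->LM_response.space = LM2_DIGEST_LEN;
	type3->LM_response.offset = sizeof(ntlm_type3);
	memcpy(&t3[type3->LM_response.offset], lm2digest, LM2_DIGEST_LEN);

	type3->NTLM_response.length = bloblen;
	type3->NTLM_response.space = bloblen;
	type3->NTLM_response.offset = type3->LM_response.offset + type3->LM_response.space;
	memcpy(&t3[type3->NTLM_response.offset], pblob, bloblen);

	type3->domain.length = strlen(domain) * sp;
	type3->domain.space = strlen(domain) * sp;
	type3->domain.offset = type3->NTLM_response.offset + type3->NTLM_response.space;
	for (i = 0; i < strlen(domain); i++)
		t3[type3->domain.offset + i * sp] = domain[i];

	type3->user.length = strlen(args_info.user_arg) * sp;
	type3->user.space = strlen(args_info.user_arg) * sp;
	type3->user.offset = type3->domain.offset + type3->domain.space;
	for (i = 0; i < strlen(args_info.user_arg); i++)
		t3[type3->user.offset + i * sp] = args_info.user_arg[i];

	type3->workstation.length = strlen(workstation) * sp;
	type3->workstation.space = strlen(workstation) * sp;
	type3->workstation.offset = type3->user.offset + type3->user.space;
	for (i = 0; i < strlen(workstation); i++)
		t3[type3->workstation.offset + i * sp] = workstation[i];

	base64((unsigned char *)ntlm_type3_buf, (unsigned char *)type3, len);
	free(type3);
	return;
}

/*
 * HMAC-MD5 (RFC 2104): digest = MD5((K ^ opad) || MD5((K ^ ipad) || text)).
 * A key longer than 64 bytes is first replaced by MD5(key). digest must
 * have room for 16 bytes. Same contract as the old K&R definition, with
 * the deprecated bzero()/bcopy() swapped for memset()/memcpy().
 */
void hmac_md5(unsigned char *text, int text_len, unsigned char *key, int key_len, unsigned char digest[16]) {
	MD5_CTX context;
	unsigned char k_ipad[64];	/* inner padding - key XORd with ipad */
	unsigned char k_opad[64];	/* outer padding - key XORd with opad */
	unsigned char tk[16];
	int i;

	/* if key is longer than 64 bytes reset it to key=MD5(key) */
	if (key_len > 64) {
		MD5_CTX tctx;

		MD5_Init( &tctx );
		MD5_Update( &tctx, key, key_len );
		MD5_Final( tk, &tctx );

		key = tk;
		key_len = 16;
	}

	/* start out by storing key in pads, then XOR with ipad/opad values */
	memset( k_ipad, 0, sizeof k_ipad );
	memset( k_opad, 0, sizeof k_opad );
	memcpy( k_ipad, key, key_len );
	memcpy( k_opad, key, key_len );
	for (i = 0; i < 64; i++) {
		k_ipad[i] ^= 0x36;
		k_opad[i] ^= 0x5c;
	}

	/* inner MD5 */
	MD5_Init(&context);
	MD5_Update(&context, k_ipad, 64);
	MD5_Update(&context, text, text_len);
	MD5_Final(digest, &context);

	/* outer MD5 */
	MD5_Init(&context);
	MD5_Update(&context, k_opad, 64);
	MD5_Update(&context, digest, 16);
	MD5_Final(digest, &context);
}

/*
 * Fill out with n random bytes for the client challenge. The kernel
 * generator is used when available; only if /dev/urandom cannot be read
 * does it fall back to the rand() stream the code used before (no srand()
 * is visible in this tree, so that stream is the same on every run).
 */
static void client_random(unsigned char *out, size_t n) {
	size_t got = 0;
	FILE *f = fopen("/dev/urandom", "rb");

	if (f != NULL) {
		got = fread(out, 1, n, f);
		fclose(f);
	}
	for (; got < n; got++)
		out[got] = (unsigned char) ((256.0 * rand()) / (RAND_MAX + 1.0));
}

/*
 * Compute the NTLMv2 and LMv2 responses for the challenge collected by
 * parse_type2(): pblob/bloblen receive the NTLMv2 response (HMAC over a
 * blob holding timestamp, client challenge and the proxy's target_info),
 * lm2digest the LMv2 response. Input is args_info.user_arg/pass_arg and
 * the global domain. Failures are fatal (exit(-1)), as in the other
 * builders in this file.
 *
 * The NT hash and the NTLMv2 key derived from it are password
 * equivalents; the --verbose dumps of both were removed because they
 * went to stderr and, in daemon mode, to syslog.
 */
void build_ntlm2_response() {
	int i, j;
	int passlen = 0;
	size_t pwlen;
	MD4_CTX passcontext;
	unsigned char passdigest[16];
	unsigned char *userdom;
	int userdomlen;
	unsigned char userdomdigest[16];
	blob *b;
	struct timeval t;
	unsigned char responsedigest[16];
	unsigned char lm2data[16];

	if (pblob != NULL)
		free(pblob);

	/* unipasswd is DOMAIN_BUFLEN*2 bytes and the spread below writes at
	 * index i*2; a longer password used to run off the end of it */
	pwlen = strlen(args_info.pass_arg);
	if (pwlen > DOMAIN_BUFLEN) {
		message("Fatal Error in build_ntlm2_response, password too long\n");
		exit(-1);
	}
	memset(unipasswd, 0, sizeof(unipasswd));
	for (i = 0; i < (int)pwlen; i++) {
		if (unicode) {
			unipasswd[i * 2] = args_info.pass_arg[i];	/* low byte only: ASCII assumed */
			passlen += 2;
		} else {
			unipasswd[i] = args_info.pass_arg[i];
			passlen++;
		}
	}

	/* NT hash = MD4 of the (UTF-16LE) password */
	MD4_Init (&passcontext);
	MD4_Update (&passcontext, unipasswd, passlen);
	MD4_Final (passdigest, &passcontext);

	if( args_info.verbose_flag )
		message("DOMAIN: %s\nUSER: %s\n", domain, args_info.user_arg);

	/* NTLMv2 key = HMAC-MD5(NT hash, upper(user) || domain) */
	userdomlen = sizeof(unsigned char) * (strlen(args_info.user_arg) + strlen(domain)) * 2;
	userdom = (unsigned char *)malloc(userdomlen);
	if (!userdom) {	/* the memset() used to run before this check */
		message("Fatal Error in build_ntlm2_response, Malloc failed\n");
		exit(-1);
	}
	memset(userdom, 0, userdomlen);

	userdomlen = 0;
	for (i = 0; i < strlen(args_info.user_arg); i++) {
		if (unicode) {
			userdom[i * 2] = toupper((unsigned char)args_info.user_arg[i]);
			userdomlen += 2;
		} else {
			userdom[i] = toupper((unsigned char)args_info.user_arg[i]);
			userdomlen++;
		}
	}
	/* i == strlen(user) here; the domain follows it */
	for (j = 0; j < strlen(domain); j++) {
		if (unicode) {
			userdom[i * 2 + j * 2] = toupper((unsigned char)domain[j]);
			userdomlen += 2;
		} else {
			userdom[i + j] = toupper((unsigned char)domain[j]);
			userdomlen++;
		}
	}

	if( args_info.verbose_flag ) {
		message("userdom is: ");
		for( i = 0; i < userdomlen; i++)
			message("%02X", userdom[i]);
		message("\n");
	}

	hmac_md5(userdom, userdomlen, passdigest, 16, userdomdigest);
	free(userdom);

	/* The blob timestamp is a 64-bit FILETIME */
	if ((sizeof(long long) != 8)) {
		message("We are in trouble here.. long long support is not here!!\n");
		exit(-1);
	}

	bloblen = sizeof(blob) + sizeof(unsigned char) * t_info_len;
	pblob = (unsigned char *)malloc(bloblen);
	if (!pblob) {
		message("Fatal Error in build_ntlm2_response, Malloc failed\n");
		exit(-1);
	}
	memset(pblob, 0, bloblen);
	b = (blob *)pblob;

	/* The server challenge sits in the 8 bytes right in front of the
	 * blob so the HMAC below covers challenge || blob */
	for (i = 0; i < 8; i++)
		b->digest[8 + i] = challenge[i];

	b->signature = 0x00000101;

	/* This is nasty, also not sure all this 64bit arithmetic will
	 * work all the time.. basically the spec says you need the
	 * number of 10ths of microseconds since jan 1, 1601. */
	gettimeofday(&t, NULL);
	b->timestamp = (long long)t.tv_sec;
	b->timestamp += 11644473600LL;
	b->timestamp *= 1000000LL;
	b->timestamp += (long long)t.tv_usec;
	b->timestamp *= 10LL;

	/* The client challenge is the only entropy we contribute; it keeps the
	 * response from being replayable across sessions */
	client_random(b->client_challenge, 8);

	if( args_info.verbose_flag ) {
		message("client_challenge is: ");
		for( i = 0; i < 8; i++)
			message("%02X", b->client_challenge[i]);
		message("\n");
	}

	/* t_info/t_info_len were bounds-checked in parse_type2() */
	memcpy(&b->data_start, t_info, t_info_len);

	hmac_md5(&pblob[8], bloblen - 8, userdomdigest, 16, responsedigest);
	for(i = 0; i < 16; i++)
		b->digest[i] = responsedigest[i];

	if( args_info.verbose_flag ) {
		message("HMAC is: ");
		for( i = 0; i < 16; i++)
			message("%02X", responsedigest[i]);
		message("\n");
	}

	/* LMv2 response: HMAC(key, server challenge || client challenge)
	 * followed by the client challenge */
	for (i = 0; i < 8; i++)
		lm2data[i] = challenge[i];
	for (i = 0; i < 8; i++)
		lm2data[8 + i] = b->client_challenge[i];
	hmac_md5(lm2data, 16, userdomdigest, 16, lm2digest);
	for (i = 0; i < 8; i++)
		lm2digest[16 + i] = b->client_challenge[i];
}

// vim:noexpandtab:ts=4
proxytunnel-svn/io.h0000644000175000017500000000170012267561753013157 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */
/* Contact: josv@osp.nl / maniac@maniac.nl */

/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GN
U General Public License for more details.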
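*
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* io.h */

int readline(PTSTREAM *pts);
void cpio(PTSTREAM *stream1, PTSTREAM *stream2);

// vim:noexpandtab:ts=4
proxytunnel-svn/strzcat.c0000644000175000017500000000246712267561753014240 0ustar jdgjdg
/*
 * Copyright (c) 2008 Dag Wieers
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include
#include
#include
#include
#include
#include

#ifndef HAVE_STRZCAT

#define STRZCAT_SIZE 65535

/*
 * Append a variable number of strings together.
 *
 * dst must be a NUL-terminated buffer of at least STRZCAT_SIZE bytes: that
 * constant is the only bound this function has (see the FIXME below), so
 * callers with smaller buffers are not protected.  format and the following
 * arguments are expanded with vsnprintf and appended after the existing
 * contents of dst.
 *
 * Returns the length the combined string would have had (as snprintf does);
 * a result >= STRZCAT_SIZE means the output was truncated.  If dst is
 * already full, or vsnprintf reports an error, nothing is appended and the
 * current length of dst is returned.
 */
size_t strzcat(char *dst, char *format, ...)
{
	// FIXME: Implement similar boundary checks as strlcat
	size_t offset = strlen(dst);

	/* With a full buffer the remaining size would go negative and, once
	 * converted to size_t, become effectively unbounded; stop here. */
	if (offset >= STRZCAT_SIZE)
		return offset;

	va_list ap;
	va_start(ap, format);
	int rc = vsnprintf(&dst[offset], STRZCAT_SIZE - offset, format, ap);
	va_end(ap);

	/* A negative vsnprintf result is an error, not a length. */
	if (rc < 0)
		return offset;

	return ( (size_t)rc + offset );
}

#endif /* !HAVE_STRZCAT */
proxytunnel-svn/io.c0000644000175000017500000000741712267561753013155 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */
/* Contact: josv@osp.nl / maniac@maniac.nl */
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* io.c */

#include
#include
#include
#include
#include
#include
#include "proxytunnel.h"
#include "io.h"

/*
 * Read one line of data from the tunnel. Line is terminated by a
 * newline character. Result is stored in buf.
 *
 * Bytes are read one at a time into the file-level buffer buf until a
 * newline has been stored or SIZE - 1 bytes are present; buf is always
 * NUL-terminated on return.  A negative stream_read() result is fatal (the
 * process exits); a zero result is treated as end of stream and ends the
 * line early.  Returns the number of bytes stored in buf.
 */
int readline(PTSTREAM *pts) {
	char *p = buf;
	char c = 0;
	int i = 0;

	/* Read one character at a time into buf, until a newline is encountered. */
	while ( c != '\n' && ( i < SIZE - 1 ) ) {
		int n = stream_read( pts, &c ,1);
		if( n < 0) {
			my_perror( "Socket read error" );
			exit( 1 );
		}
		/* NOTE(review): a zero-length read is taken to mean the peer closed
		 * the stream; without this the loop would keep storing the previous
		 * byte until the buffer filled up.  Confirm against stream_read(). */
		if( n == 0 )
			break;
		*p = c;
		p++;
		i++;
	}
	*p = 0;

	if( args_info.verbose_flag ) {
		/* Log the line without its trailing CR/LF.  The copy is bounded by
		 * the actual line length and released again before returning. */
		size_t len = strlen(buf);
		while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
			len--;
		if (len > 0) {
			char *dstr = malloc(len + 1);
			if (dstr) {
				memcpy(dstr, buf, len);
				dstr[len] = 0;
				message( " <- %s\n", dstr );
				free(dstr);
			}
		}
	}

	return strlen( buf );
}

/*
 * Bond stream1 and stream2 together; any data received in stream1 is relayed
 * to stream2, and vice-versa.
 *
 * Loops on select() until one direction's stream_copy() reports that its
 * stream is finished or an exceptional condition is flagged, then closes
 * everything via closeall().  A select() failure is fatal.
 */
void cpio(PTSTREAM *stream1, PTSTREAM *stream2) {
	fd_set readfds;
	fd_set writefds;
	fd_set exceptfds;
	int in_max_fd, out_max_fd, max_fd;

	/* Find the biggest file descriptor for select() */
	in_max_fd = MAX(stream_get_incoming_fd(stream1), stream_get_incoming_fd(stream2));
	out_max_fd = MAX(stream_get_outgoing_fd(stream1), stream_get_outgoing_fd(stream2));
	max_fd = MAX(in_max_fd, out_max_fd);

	/* FD_SET() on a descriptor >= FD_SETSIZE writes outside the fd_set on
	 * the stack; refuse rather than corrupt memory. */
	if ( max_fd >= FD_SETSIZE ) {
		message( "File descriptor %d too large for select()\n", max_fd );
		exit( 1 );
	}

	/* We are never interested in sockets being available for write */
	FD_ZERO( &writefds );

	if( args_info.verbose_flag )
		message( "\nTunnel established.\n" );

	/* Only diamonds are forever :-) */
	for (;;) {
		/* Clear the interesting socket sets */
		FD_ZERO( &readfds );
		FD_ZERO( &exceptfds );

		/* We want to know whether stream1 or stream2 is ready for reading */
		FD_SET( stream_get_incoming_fd(stream1), &readfds );
		FD_SET( stream_get_incoming_fd(stream2), &readfds );

		/* And we want to know about exceptional conditions on either stream */
		FD_SET( stream_get_incoming_fd(stream1), &exceptfds );
		FD_SET( stream_get_outgoing_fd(stream1), &exceptfds );
		FD_SET( stream_get_incoming_fd(stream2), &exceptfds );
		FD_SET( stream_get_outgoing_fd(stream2), &exceptfds );

		/* Wait until something happens on the registered sockets/files */
		if ( select( max_fd + 1, &readfds, &writefds, &exceptfds, 0 ) < 0 ) {
			perror("select error");
			exit(1);
		}

		/*
		 * Is stream1 ready for read? If so, copy a block of data
		 * from stream1 to stream2. Or else if stream2
		 * is ready for read, copy a block of data from the
		 * stream2 to stream1. Otherwise an exceptional condition
		 * is flagged and the program is terminated.
		 */
		if ( FD_ISSET( stream_get_incoming_fd(stream1), &readfds ) ) {
			if ( stream_copy(stream1, stream2 ) )
				break;
		} else if( FD_ISSET( stream_get_incoming_fd(stream2), &readfds ) ) {
			if( stream_copy(stream2, stream1 ) )
				break;
		} else {
			my_perror( "Exceptional condition" );
			break;
		}
	}

	closeall();
}

// vim:noexpandtab:ts=4
proxytunnel-svn/setproctitle.c0000644000175000017500000001107012267561753015255 0ustar jdgjdg/* Based on conf.c from UCB sendmail 8.8.8 */

/*
 * Copyright 2003 Damien Miller
 * Copyright (c) 1983, 1995-1997 Eric P. Allman
 * Copyright (c) 1988, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.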
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include
#include
#include
#include
#include
#include
#include
#include "proxytunnel.h"

#ifndef HAVE_SETPROCTITLE

#define SPT_NONE	0	/* don't use it at all */
#define SPT_PSTAT	1	/* use pstat(PSTAT_SETCMD, ...) */
#define SPT_REUSEARGV	2	/* cover argv with title information */

#include

#ifdef HAVE_SYS_PSTAT_H
#include
#define SPT_TYPE	SPT_PSTAT
#endif

/* Nothing in this file selects SPT_REUSEARGV; unless the build defines
 * SPT_TYPE itself, the choice is pstat() where available, else none. */
#ifndef SPT_TYPE
# define SPT_TYPE	SPT_NONE
#endif

#ifndef SPT_PADCHAR
# define SPT_PADCHAR	'\0'
#endif

#if SPT_TYPE == SPT_REUSEARGV
/* Start and usable length of the contiguous argv/environ area that
 * setproctitle() overwrites; set up by initsetproctitle(). */
static char *argv_start = NULL;
static size_t argv_env_len = 0;
#endif

#endif /* HAVE_SETPROCTITLE */

/*
 * Prepare for setproctitle() on platforms where the title is written over
 * the original argv/environ memory (SPT_REUSEARGV).  Records the start and
 * length of that area, moves the environment to freshly allocated copies so
 * it survives being overwritten, and NULLs argv[1].  On other platforms the
 * function body compiles to nothing.
 *
 * Returns silently (leaving state untouched) when argv is empty or the new
 * environment array cannot be allocated.
 */
void initsetproctitle(int argc, char *argv[]) {
#if defined(SPT_TYPE) && SPT_TYPE == SPT_REUSEARGV
	extern char **environ;
	char *lastargv = NULL;
	char **envp = environ;
	int i;

	/*
	 * NB: This assumes that argv has already been copied out of the
	 * way. This is true for sshd, but may not be true for other
	 * programs. Beware.
	 */
	/* NOTE(review): argv[1] is set to NULL below, so command-line parsing
	 * must be complete before this is called — confirm at the call site. */

	if (argc == 0 || argv[0] == NULL)
		return;

	/* Fail if we can't allocate room for the new environment */
	for (i = 0; envp[i] != NULL; i++)
		;
	if ((environ = malloc(sizeof(*environ) * (i + 1))) == NULL) {
		environ = envp;	/* put it back */
		return;
	}

	/*
	 * Find the last argv string or environment variable within
	 * our process memory area.
	 */
	/* Only strings laid out back to back (each starting right after the
	 * previous terminator) extend the area, so it stays one contiguous
	 * region beginning at argv[0]. */
	for (i = 0; i < argc; i++) {
		if (lastargv == NULL || lastargv + 1 == argv[i])
			lastargv = argv[i] + strlen(argv[i]);
	}
	for (i = 0; envp[i] != NULL; i++) {
		if (lastargv + 1 == envp[i])
			lastargv = envp[i] + strlen(envp[i]);
	}

	argv[1] = NULL;
	argv_start = argv[0];
	argv_env_len = lastargv - argv[0] - 1;

	/*
	 * Copy environment
	 * XXX - will truncate env on strdup fail
	 */
	for (i = 0; envp[i] != NULL; i++)
		environ[i] = strdup(envp[i]);
	environ[i] = NULL;
#endif /* SPT_REUSEARGV */
}

#ifndef HAVE_SETPROCTITLE
/*
 * Set the process title as shown by ps.  The title is either the
 * user-supplied args_info.proctitle_arg or "<progname>: ", and in both cases
 * the text formatted from fmt (if not NULL) is appended.
 *
 * fmt is a printf-style format expanded with vsnprintf; callers must pass
 * variable text as an argument, never as fmt itself.  Output is bounded by
 * the 1024-byte local buffer and, in SPT_REUSEARGV mode, by argv_env_len.
 * Does nothing when SPT_TYPE is SPT_NONE or initsetproctitle() found no
 * usable argv area.
 */
void setproctitle(const char *fmt, ...) {
#if SPT_TYPE != SPT_NONE
	va_list ap;
	char buf[1024];
	size_t len;
	extern char *__progname;
#if SPT_TYPE == SPT_PSTAT
	union pstun pst;
#endif

#if SPT_TYPE == SPT_REUSEARGV
	/* argv_env_len is unsigned, so this is effectively a test for zero */
	if (argv_env_len <= 0)
		return;
#endif

	if( args_info.proctitle_given ) {
		strlcpy(buf, args_info.proctitle_arg, sizeof(buf));
	} else {
		strlcpy(buf, __progname, sizeof(buf));
		strlcat(buf, ": ", sizeof(buf));
	}

	va_start(ap, fmt);
	if (fmt != NULL) {
		len = strlen(buf);
		if (len < sizeof(buf))
			vsnprintf(buf + len, sizeof(buf) - len , fmt, ap);
	}
	va_end(ap);

#if SPT_TYPE == SPT_PSTAT
	pst.pst_command = buf;
	pstat(PSTAT_SETCMD, pst, strlen(buf), 0, 0);
#elif SPT_TYPE == SPT_REUSEARGV
	// message("setproctitle: copy \"%s\" into len %d", buf, argv_env_len);
	/* Overwrite the original argv area and pad the rest so that stale
	 * argument bytes do not show through. */
	len = strlcpy(argv_start, buf, argv_env_len);
	for(; len < argv_env_len; len++)
		argv_start[len] = SPT_PADCHAR;
#endif

#endif /* SPT_NONE */
}
#endif /* HAVE_SETPROCTITLE */

// vim:noexpandtab:ts=4
proxytunnel-svn/debian/0000755000175000017500000000000012267562030013610 5ustar jdgjdgproxytunnel-svn/debian/docs0000644000175000017500000000002712267561753014475 0ustar jdgjdgCREDITS
README
CHANGES
proxytunnel-svn/debian/changelog0000644000175000017500000000266512267561753015476 0ustar jdgjdgproxytunnel (1.7.0-1) unstable; urgency=high
  * New upstream version
 -- Mark Janssen Mon, 19 Mar 2007 13:50:32 +0100
proxytunnel (1.5.2-1) unstable; urgency=high
  * New version
  * NTLM Cleanups, removed md[45] code in favour of using libssl
 --
Mark Janssen Fri, 16 Dec 2005 10:00:00 +0200
proxytunnel (1.5.0-1) unstable; urgency=high
  * New version
  * NTLM support
 -- Mark Janssen Mon, 15 Aug 2005 12:24:00 +0200
proxytunnel (1.2.3-1) unstable; urgency=high
  * Added security-patch from gentoo security team, fix buffer overflow
 -- Mark Janssen Wed, 20 Nov 2002 15:12:10 +0200
proxytunnel (1.2.0-1) unstable; urgency=low
  * Added patch by Fred Donck to store proxy username and password in environment variables.
 -- Mark Janssen Thu Sep 30 11:22:03 CEST 2004
proxytunnel (1.1.2-1) unstable; urgency=low
  * More cleaning up, added manpage.
  * Added patches/suggestions by Loïc Le Guyader
 -- Mark Janssen Wed, 20 Nov 2002 15:12:10 +0200
proxytunnel (1.1-2) unstable; urgency=low
  * Some more cleaning up build-environment
  * Added Suggests: ssh
 -- Mark Janssen Wed, 4 Sep 2002 14:46:20 +0200
proxytunnel (1.1-1) unstable; urgency=low
  * Initial Release.
 -- Mark Janssen Wed, 4 Sep 2002 13:55:15 +0200
proxytunnel-svn/debian/control0000644000175000017500000000120112267561753015220 0ustar jdgjdgSource: proxytunnel
Section: net
Priority: optional
Maintainer: Mark Janssen
Build-Depends: debhelper (>> 3.0.0), libssl-dev
Standards-Version: 3.5.2

Package: proxytunnel
Architecture: any
Depends: ${shlibs:Depends}
Suggests: ssh
Description: Create TCP tunnels through HTTPS proxies, for use with SSH
 Proxytunnel is a program that connects stdin and stdout to an origin server
 somewhere in the Internet through an industry standard HTTPS proxy. It was
 originally written to be used as an extension to SSH, to be used to SSH to a
 box at home. It's possible to use proxytunnel along with other applications
 as well.
proxytunnel-svn/debian/rules0000755000175000017500000000342512267561753014677 0ustar jdgjdg#!/usr/bin/make -f
# Sample debian/rules that uses debhelper.
# GNU copyright 1997 to 1999 by Joey Hess.

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

# This is the debhelper compatibility version to use.
export DH_COMPAT=3 ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) CFLAGS += -g endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif configure: configure-stamp configure-stamp: dh_testdir # Add here commands to configure the package. touch configure-stamp build: build-stamp build-stamp: configure-stamp dh_testdir # Add here commands to compile the package. $(MAKE) #/usr/bin/docbook-to-man debian/proxytunnel.sgml > proxytunnel.1 touch build-stamp clean: dh_testdir dh_testroot rm -f build-stamp configure-stamp # Add here commands to clean up after the build process. -$(MAKE) clean dh_clean install: build dh_testdir dh_testroot dh_clean -k dh_installdirs # Add here commands to install the package into debian/proxytunnel. $(MAKE) install DESTDIR=$(CURDIR)/debian/proxytunnel # Build architecture-independent files here. binary-indep: build install # We have nothing to do by default. # Build architecture-dependent files here. binary-arch: build install dh_testdir dh_testroot # dh_installdebconf dh_installdocs # dh_installexamples # dh_installmenu # dh_installlogrotate # dh_installemacsen # dh_installpam # dh_installmime # dh_installinit # dh_installcron dh_installman debian/proxytunnel.1 # dh_installinfo # dh_undocumented dh_installchangelogs CHANGES dh_link dh_strip dh_compress dh_fixperms # dh_makeshlibs dh_installdeb # dh_perl dh_shlibdeps dh_gencontrol dh_md5sums dh_builddeb binary: binary-indep binary-arch .PHONY: build clean binary-indep binary-arch binary install configure proxytunnel-svn/debian/dirs0000644000175000017500000000004312267561753014504 0ustar jdgjdgusr/bin usr/share/man usr/man/man1 proxytunnel-svn/debian/copyright0000644000175000017500000000204612267561753015560 0ustar jdgjdgThis package was debianized by Mark Janssen on Mon Aug 15 12:20:26 CEST 2005 It was downloaded from http://proxytunnel.sourceforge.net Upstream Author(s): Mark Janssen and Jos Visser Copyright: Proxytunnel is (C) Copyright 2001, 2004 Mark Janssen 
and Jos Visser Proxytunnel is covered by the GNU GPL. It can be found in /usr/share/common-licenses/GPL. Most of the code was written by Jos Visser and Mark Janssen, the snippet of base64 code came from mutt, and was written by: Brendan Cully and came with the following copyright notice: /* * This code is heavily modified from fetchmail (also GPL'd, of * course) by Brendan Cully . * * Original copyright notice: * * The code in the fetchmail distribution is Copyright 1997 by Eric * S. Raymond. Portions are also copyrighted by Carl Harris, 1993 * and 1995. Copyright retained for the purpose of protecting free * redistribution of source. */ Other contributors can be found in the CREDITS file proxytunnel-svn/_copyright.inc0000644000175000017500000000154312267561753015246 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
*
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* filename.[ch] */
proxytunnel-svn/ntlm.h0000644000175000017500000000536412267561753013524 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */
/* Contact: josv@osp.nl / maniac@maniac.nl */
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* ntlm.h */

/* NTLM handshake steps, implemented elsewhere: build the type-1 request,
 * parse the server's type-2 challenge, and build the type-3 answer (the
 * NTLMv2/LMv2 variant via build_ntlm2_response()). */
void build_type1();
int parse_type2(unsigned char *buf);
void build_type3_response();
void build_ntlm2_response();

extern int ntlm_challenge;

/* NOTE(review): these two are definitions, not extern declarations, so each
 * translation unit that includes ntlm.h emits its own copy; that links only
 * under the common-symbol model (GCC before 10, or -fcommon).  Declaring
 * them extern here and defining them once in a .c file is the usual fix. */
char ntlm_type1_buf[160];
char ntlm_type3_buf[4096];

// Below are the flag definitions.
// (Negotiate flags carried in the 32-bit flags field of each message.)
#define NEG_UNICODE	0x00000001
#define NEG_OEM		0x00000002
#define REQ_TARGET	0x00000004
#define NEG_NTLM	0x00000200
#define NEG_DOMAIN	0x00001000
#define NEG_WORK	0x00002000
#define NEG_LOCAL	0x00004000
#define NEG_ASIGN	0x00008000
#define TAR_DOMAIN	0x00010000
#define TAR_SERVER	0x00020000
#define TAR_SHARE	0x00040000
#define NEG_NTLM2	0x00080000
#define NEG_TARINFO	0x00800000
#define IE_SETSTHIS	0x02000000
#define NEG_128		0x20000000
#define NEG_56		0x80000000

// Below are the NTLM Message Types
#define NTLM_TYPE_1	0x00000001
#define NTLM_TYPE_2	0x00000002
#define NTLM_TYPE_3	0x00000003

/*
 * NTLM "security buffer": a length/allocated-size pair plus the offset of
 * the data from the start of the message.
 *
 * NOTE(review): on the wire this is 2 + 2 + 4 bytes, but `unsigned long`
 * is 8 bytes on LP64 platforms, so sizeof(security_buf_t) and the offset
 * of every field that follows one in the structs below differ between
 * 32- and 64-bit builds — confirm the message builders do not rely on
 * sizeof() / direct memcpy of these structs on 64-bit.  The same applies
 * to every other `unsigned long` field in this header.
 */
typedef struct {
	unsigned short length;
	unsigned short space;
	unsigned long offset;
} security_buf_t;

/* Type-1 (negotiate) message header. */
typedef struct {
	unsigned char signature[8];
	unsigned long message_type;
	unsigned long flags;
	security_buf_t domain;
	security_buf_t workstation;
} ntlm_type1;

/* Type-2 (challenge) message header; data_start marks where the
 * variable-length payload begins. */
typedef struct {
	unsigned char signature[8];
	unsigned long message_type;
	security_buf_t target_name;
	unsigned long flags;
	unsigned char challenge[8];
	unsigned long context1;
	unsigned long context2;
	security_buf_t target_info;
	unsigned char data_start;
} ntlm_type2;

/* Type-3 (authenticate) message header. */
typedef struct {
	unsigned char signature[8];
	unsigned long message_type;
	security_buf_t LM_response;
	security_buf_t NTLM_response;
	security_buf_t domain;
	security_buf_t user;
	security_buf_t workstation;
	unsigned char session[8];
	unsigned long flags;
	unsigned char pad[8];
} ntlm_type3;

/*
 * NTLMv2 blob as laid out by build_ntlm2_response(): digest receives the
 * 16-byte NT response HMAC (bytes 8..15 briefly hold the server challenge
 * while the HMAC is computed), signature is set to 0x00000101, timestamp is
 * in 100 ns units since 1601-01-01, client_challenge is 8 random bytes, and
 * the server's target info is copied in starting at data_start, continuing
 * into the extra bytes allocated after the struct.
 */
typedef struct {
	unsigned char digest[16];
	unsigned long signature;
	unsigned long reserved;
	unsigned long long timestamp;
	unsigned char client_challenge[8];
	unsigned long unknown;
	unsigned long data_start;
} blob;

// vim:noexpandtab:ts=4
proxytunnel-svn/LICENSE.txt0000644000175000017500000005351612267561753014226 0ustar jdgjdgProxytunnel is covered by the GNU GPL, version 2, included below. Most of the code was written by Jos Visser and Mark Janssen.
Linking to OpenSSL In addition, as a special exception, Mark Janssen and Jos Visser give permission to link the code of proxytunnel with the OpenSSL project's "OpenSSL" library (or with modified versions of it that use the same license as the "OpenSSL" library), and distribute the linked executables. You must obey the GNU General Public License in all respects for all of the code used other than "OpenSSL". If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. Code Snippets Various bits of code came from other packages. The following copyright notices apply to those bits: The snippet of base64 code came from mutt, and was written by: Brendan Cully and came with the following copyright notice: /* * This code is heavily modified from fetchmail (also GPL'd, of * course) by Brendan Cully . * * Original copyright notice: * * The code in the fetchmail distribution is Copyright 1997 by Eric * S. Raymond. Portions are also copyrighted by Carl Harris, 1993 * and 1995. Copyright retained for the purpose of protecting free * redistribution of source. */ The setproctitle code and getpass replacement code, including strlcat/strlcpy came from openssh, and comes with the following 3-clause BSD license. /* Based on conf.c from UCB sendmail 8.8.8 */ /* * Copyright 2003 Damien Miller * Copyright (c) 1983, 1995-1997 Eric P. Allman * Copyright (c) 1988, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ Readpassphrase license text: /* * Copyright (c) 2000-2002 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
* * Sponsored in part by the Defense Advanced Research Projects * Agency (DARPA) and Air Force Research Laboratory, Air Force * Materiel Command, USAF, under agreement number F39502-99-1-0512. */ Other contributors can be found in the CREDITS file GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. 
And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. 
The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. proxytunnel-svn/TODO0000644000175000017500000000323112267561753013070 0ustar jdgjdg### Proxy bouncing support - Add multi-level proxy bouncing support with new syntax eg. proxytunnel -p local-proxy:port -r remote-proxy1:port -r remote-proxy2:port -d %h:%p - Add proxy bouncing authentication support with new syntax eg. 
proxytunnel -p user@local-proxy:port -r user@remote-proxy:port -d %h:%p or: proxytunnel -p username:password@local-proxy:port -r username:password@remote-proxy:port -d %h:%p ### SSL proxy support - Lobby for the Apache project to allow CONNECT over SSL (much like GET, PUT and HEAD is supported over SSL) see: http://issues.apache.org/bugzilla/show_bug.cgi?id=29744 ### Code cleanup - Fix permissions in subversion tree (some files are wrongly executable) - Find some hardcore C experts to help us improve the code quality - Improve the error output, make it consistent throughout the program - Add different verbosity-levels (with or without data exchange) - Get rid of the "ssh_exchange_identification: Connection closed by remote host" message when proxytunnel fails to set up tunnel. proxytunnel should give a sensible cause instead of the weird ssh error. (Users need to understand that proxytunnel fails, not ssh itself) ### Add default test-cases - Before releasing proxytunnel, we should validate the different error-cases + local proxy does not exist (unresolvable) + local proxy exists but does not answer (tcp timeout) + local proxy does not talk HTTP + local proxy is not a proxy (does not accept CONNECT) o remote proxy does not exist (unresolvable) o remote proxy exists but does not answer (tcp-timeout) + remote proxy does not talk HTTP + remote proxy is not a proxy (does not accept CONNECT) proxytunnel-svn/KNOWN_ISSUES0000644000175000017500000000053512267561753014316 0ustar jdgjdgKnown Issues with proxytunnel Apache might need: http://issues.apache.org/bugzilla/attachment.cgi?id=16105 for SSL proxying ;) (see http://issues.apache.org/bugzilla/show_bug.cgi?id=29744) Setproctitle mode 1 only works on openbsd Setproctitle mode 2 should work on linux and some other platforms Platforms confirmed without setproctitle: CYGWIN proxytunnel-svn/base64.h0000644000175000017500000000200112267561753013627 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* 
Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* base64.h */ void base64(unsigned char *out, const unsigned char *in, int len); int unbase64(unsigned char *out, const unsigned char *in, int maxlen); // vim:noexpandtab:ts=4 proxytunnel-svn/ptstream.c0000644000175000017500000001114612267561753014407 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
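 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* ptstream.c */

/*
 * NOTE(review): the original #include list was garbled in extraction (seven
 * bare "#include" lines); the headers below are the ones this file visibly
 * needs: malloc/free, read/write/close and, with USE_SSL, the OpenSSL API.
 */
#include <stdlib.h>
#include <unistd.h>
#ifdef USE_SSL
#include <openssl/ssl.h>
#endif /* USE_SSL */

#include "proxytunnel.h"

/*
 * Open a stream for incoming and outgoing data on the given descriptors.
 *
 * The stream starts out unencrypted (ssl and ctx are NULL); call
 * stream_enable_ssl() to wrap it. The descriptors are owned by the stream
 * from now on: stream_close() closes both of them.
 *
 * Returns the new stream, or NULL when memory allocation fails (the original
 * dereferenced the unchecked malloc() result).
 */
PTSTREAM *stream_open(int incoming_fd, int outgoing_fd) {
	PTSTREAM *pts = malloc(sizeof *pts);

	if (pts == NULL)
		return NULL;

	pts->incoming_fd = incoming_fd;
	pts->outgoing_fd = outgoing_fd;
	pts->ssl = NULL;
	pts->ctx = NULL;

	return pts;
}

/*
 * Close a stream: tear down the SSL session (if one was enabled), close both
 * descriptors and free the structure. The pointer is invalid afterwards.
 * Always returns 1, as the original did; a NULL stream is a no-op.
 */
int stream_close(PTSTREAM *pts) {
	if (pts == NULL)
		return 1;

#ifdef USE_SSL
	if (pts->ssl) {
		SSL_shutdown(pts->ssl);
		SSL_free(pts->ssl);
		SSL_CTX_free(pts->ctx);
	}
#endif /* USE_SSL */

	close(pts->incoming_fd);
	close(pts->outgoing_fd);
	free(pts);

	return 1;
}

/*
 * Read up to len bytes from the stream into buf.
 *
 * Returns the number of bytes read, 0 at EOF, or a negative value on error;
 * the read()/SSL_read() result is passed through unchanged (truncated to
 * int, as in the original, so len is expected to be well below INT_MAX).
 */
int stream_read(PTSTREAM *pts, void *buf, size_t len) {
#ifdef USE_SSL
	if (pts->ssl)
		return SSL_read(pts->ssl, buf, (int)len);
#endif /* USE_SSL */
	/* Plain stream (or a build without SSL support): read the descriptor */
	return (int)read(pts->incoming_fd, buf, len);
}

/*
 * Write len bytes from buf to the stream.
 *
 * Returns the number of bytes written or a negative value on error; a plain
 * write() may write fewer than len bytes, which callers must handle (see
 * stream_copy()).
 */
int stream_write(PTSTREAM *pts, void *buf, size_t len) {
#ifdef USE_SSL
	if (pts->ssl)
		return SSL_write(pts->ssl, buf, (int)len);
#endif /* USE_SSL */
	/* Plain stream (or a build without SSL support): write the descriptor */
	return (int)write(pts->outgoing_fd, buf, len);
}

/*
 * Copy one buffer of data from pts_from to pts_to.
 *
 * Returns 1 when the source is at EOF (0 bytes read), 0 otherwise. A read
 * error or a write failure is fatal: my_perror() is called and the process
 * exits with status 1.
 *
 * Unlike the original, a short write (which a plain write() on a socket may
 * return, e.g. when a signal interrupts it) is completed by looping rather
 * than reported as a write error.
 */
int stream_copy(PTSTREAM *pts_from, PTSTREAM *pts_to) {
	char buf[SIZE];
	int n = stream_read(pts_from, buf, sizeof buf);
	int done = 0;

	if (n < 0) {
		my_perror("Socket read error");
		exit(1);
	}

	/* Nothing read: EOF on the source */
	if (n == 0)
		return 1;

	while (done < n) {
		int w = stream_write(pts_to, buf + done, (size_t)(n - done));

		if (w <= 0) {
			my_perror("Socket write error");
			exit(1);
		}
		done += w;
	}

	return 0;
}

/*
 * Start a TLS handshake on the stream and encrypt all subsequent traffic.
 *
 * Changes from the original:
 *  - it used SSLv3_client_method(), i.e. SSLv3 only, which is obsolete
 *    (POODLE) and not built into modern OpenSSL; the version-flexible
 *    client method is used instead, with SSLv2 and SSLv3 disabled so the
 *    handshake negotiates TLS;
 *  - SSL_CTX_new(), SSL_new() and SSL_connect() failures were ignored,
 *    leaving a half-initialised session on the stream; they are now
 *    reported and the process exits, because continuing would mean
 *    unencrypted traffic on a stream the caller asked to encrypt;
 *  - the warning printed without SSL support named stream_open() instead
 *    of this function.
 *
 * NOTE(review): no peer certificate verification is configured (OpenSSL's
 * default is SSL_VERIFY_NONE), so the proxy is not authenticated. Enabling
 * it needs a CA store and would break setups with self-signed proxy
 * certificates, so it is left as it was.
 *
 * Returns 1. Without USE_SSL a warning is printed and the stream stays plain.
 */
int stream_enable_ssl(PTSTREAM *pts) {
#ifdef USE_SSL
	SSL_CTX *ctx;
	SSL *ssl;

	SSLeay_add_ssl_algorithms();
	SSL_load_error_strings();

#if OPENSSL_VERSION_NUMBER >= 0x10100000L
	ctx = SSL_CTX_new(TLS_client_method());
#else
	ctx = SSL_CTX_new(SSLv23_client_method());
#endif
	if (ctx == NULL) {
		message("stream_enable_ssl(): SSL_CTX_new() failed\n");
		exit(1);
	}
	/* Never negotiate the broken legacy protocol versions */
	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

	ssl = SSL_new(ctx);
	if (ssl == NULL) {
		message("stream_enable_ssl(): SSL_new() failed\n");
		SSL_CTX_free(ctx);
		exit(1);
	}
	/* pts->ssl is still NULL here, so these return the plain descriptors */
	SSL_set_rfd(ssl, stream_get_incoming_fd(pts));
	SSL_set_wfd(ssl, stream_get_outgoing_fd(pts));

	if (SSL_connect(ssl) != 1) {
		message("stream_enable_ssl(): SSL handshake failed\n");
		SSL_free(ssl);
		SSL_CTX_free(ctx);
		exit(1);
	}

	pts->ssl = ssl;
	pts->ctx = ctx;
#else
	message("Warning: stream_enable_ssl(): SSL stream requested but no SSL support available; using unencrypted connection");
#endif /* USE_SSL */

	return 1;
}

/*
 * Return the descriptor data is read from: the SSL object's read fd once
 * the stream is encrypted, the plain incoming fd otherwise.
 */
int stream_get_incoming_fd(PTSTREAM *pts) {
#ifdef USE_SSL
	if (pts->ssl)
		return SSL_get_rfd(pts->ssl);
#endif /* USE_SSL */
	return pts->incoming_fd;
}

/*
 * Return the descriptor data is written to: the SSL object's write fd once
 * the stream is encrypted, the plain outgoing fd otherwise.
 */
int stream_get_outgoing_fd(PTSTREAM *pts) {
#ifdef USE_SSL
	if (pts->ssl)
		return SSL_get_wfd(pts->ssl);
#endif /* USE_SSL */
	return pts->outgoing_fd;
}

// vim:noexpandtab:ts=4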
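proxytunnel-svn/http.c0000644000175000017500000001402712267561753013530 0ustar jdgjdg
/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */
/* Contact: josv@osp.nl / maniac@maniac.nl */
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* http.c */

/*
 * NOTE(review): the original #include list was garbled in extraction (eight
 * bare "#include" lines); the headers below are the ones this file visibly
 * needs: exit/free, snprintf, and the str* functions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "proxytunnel.h"
#include "io.h"
#include "basicauth.h"
#include "ntlm.h"

/*
 * Analyze the proxy's HTTP response, whose first line is already in buf.
 * Only "HTTP/1.0" and "HTTP/1.1" status lines are accepted, and only a
 * 200 result lets the caller proceed.
 *
 * Any other status is reported (unless --quiet), the remaining response
 * headers are consumed, and the process exits with status 1 -- except in
 * the NTLM case: when a Proxy-Authenticate header carried a type-2
 * challenge and ntlm_challenge is 1 afterwards (presumably set by
 * parse_type2(); not visible here), the CONNECT is repeated through
 * proxy_protocol() with the type-3 response.
 *
 * Exits with status 2 when the proxy closes the connection before sending
 * a status line or before the end of its headers.
 *
 * Changes from the original: every strtok() result is checked, so a status
 * line without a status code or reason phrase (data the proxy controls) no
 * longer dereferences NULL or reads past the token; the header-draining
 * loop checks readline() the way the first loop does instead of spinning
 * on a closed connection.
 */
void analyze_HTTP(PTSTREAM *pts) {
	char *version;
	char *status;
	char *reason;

	version = strtok(buf, " ");

	/* Strip html error pages for faulty proxies (Stephane Engel ) */
	while (version == NULL || strncmp(version, "HTTP/", 5) != 0) {
		if (!readline(pts)) {
			message("analyze_HTTP: readline failed: Connection closed by remote host\n");
			exit(2);
		}
		version = strtok(buf, " ");
	}

	if (strcmp(version, "HTTP/1.0") != 0 && strcmp(version, "HTTP/1.1") != 0) {
		message("Unsupported HTTP version number %s\n", version);
		exit(1);
	}

	status = strtok(NULL, " ");
	if (status == NULL) {
		message("analyze_HTTP: malformed status line from proxy\n");
		exit(1);
	}
	if (strcmp(status, "200") == 0)
		return;

	if (!args_info.quiet_flag)
		message("HTTP return code: %s ", status);

	/* The rest of the line is the reason phrase; it may be absent */
	reason = strtok(NULL, "");
	if (reason == NULL)
		reason = "";
	if (!args_info.quiet_flag)
		message("%s", reason);

	/*
	 * NOTE(review): this compares the reason phrase, not the status code,
	 * against "407", so it is always true and the headers are drained for
	 * every non-200 response. Kept as in the original so behaviour does not
	 * change; the intent should be confirmed with the NTLM flow.
	 */
	if (!ntlm_challenge && strcmp(reason, "407") != 0) {
		do {
			if (!readline(pts)) {
				message("analyze_HTTP: readline failed: Connection closed by remote host\n");
				exit(2);
			}
			/* Proxy-supplied challenge; parse_type2() must bounds-check it */
			if (strncmp(buf, "Proxy-Authenticate: NTLM ", 25) == 0) {
				if (parse_type2((unsigned char *)&buf[25]) < 0)
					exit(1);
			}
		} while (strcmp(buf, "\r\n") != 0);
	}

	if (ntlm_challenge == 1) {
		proxy_protocol(pts);
		return;
	}

	exit(1);
}

/*
 * Print each line of buf on a line of its own, prepended with prefix.
 * buf holds "\r\n"-separated lines and is not modified: a private copy is
 * tokenised.
 *
 * The original strdup()'d the text and never freed it, leaking one copy per
 * call; the copy is now freed, and a failed strdup() is reported instead of
 * being passed to strtok().
 */
void print_line_prefix(char *buf, char *prefix) {
	char *copy = strdup(buf);
	char *cur;

	if (copy == NULL) {
		my_perror("strdup");
		return;
	}

	for (cur = strtok(copy, "\r\n"); cur != NULL; cur = strtok(NULL, "\r\n"))
		message("%s%s\n", prefix, cur);

	free(copy);
}

/*
 * Put the request line and Host header of a CONNECT to target into buf,
 * replacing its previous contents. Exits when the target does not fit: the
 * original used sprintf() here, so an oversized -d/-r argument could
 * overrun buf.
 *
 * NOTE(review): assumes buf holds SIZE bytes -- confirm against proxytunnel.h.
 */
static void start_connect_request(const char *target) {
	int n = snprintf(buf, SIZE, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n", target, target);

	if (n < 0 || n >= SIZE) {
		message("proxy_protocol: destination name too long\n");
		exit(1);
	}
}

/*
 * Append a Basic Proxy-Authorization header for user/pass to the request
 * in buf. basicauth() returns a heap string that the original never freed;
 * it is freed here once copied.
 */
static void add_basic_auth(char *user, char *pass) {
	char *cookie = basicauth(user, pass);

	if (cookie == NULL) {
		message("proxy_protocol: out of memory building authorization header\n");
		exit(1);
	}
	strzcat(buf, "Proxy-Authorization: Basic %s\r\n", cookie);
	free(cookie);
}

/*
 * Append the headers shared by every CONNECT request (keep-alive, the extra
 * -H headers, and the blank line that ends the request) to buf.
 */
static void finish_connect_request(void) {
	strzcat(buf, "Proxy-Connection: Keep-Alive\r\n");

	/* Extra header(s); they are already \r\n terminated */
	if (args_info.header_given)
		strzcat(buf, "%s", args_info.header_arg);

	strzcat(buf, "\r\n");
}

/*
 * Show the request in buf when verbose (banner is the introductory line)
 * and send it down pts; a write error is fatal.
 */
static void send_connect_request(PTSTREAM *pts, const char *banner) {
	if (args_info.verbose_flag) {
		message("%s", banner);
		print_line_prefix(buf, " -> ");
	}

	if (stream_write(pts, buf, strlen(buf)) < 0) {
		my_perror("Socket write error");
		exit(1);
	}
}

/*
 * Read response lines into buf until the blank line that ends the headers;
 * a connection closed before that point is fatal (the original looped on
 * readline() without checking it).
 */
static void drain_response_headers(PTSTREAM *pts) {
	do {
		if (!readline(pts)) {
			message("proxy_protocol: readline failed: Connection closed by remote host\n");
			exit(2);
		}
	} while (strcmp(buf, "\r\n") != 0);
}

/*
 * Execute the basic proxy protocol: send a CONNECT for the destination
 * (or, with -r, for the remote proxy and then, through it, for the
 * destination) and read each response up to the blank line that ends it.
 * On return the tunnel is open.
 *
 * Authentication to the local proxy is NTLM when --ntlm is set (type-1
 * message first, type-3 once ntlm_challenge is 1) and HTTP Basic otherwise;
 * the remote proxy only gets Basic. Responses are judged by analyze_HTTP(),
 * which exits on anything but 200 or re-enters this function for the NTLM
 * type-3 round; in that inner round ntlm_challenge is set to 2 and the
 * headers are left for the outer invocation to drain.
 */
void proxy_protocol(PTSTREAM *pts) {
	/* Build the CONNECT for the first hop */
	if (args_info.remproxy_given) {
		if (args_info.verbose_flag)
			message("\nTunneling to %s (remote proxy)\n", args_info.remproxy_arg);
		start_connect_request(args_info.remproxy_arg);
	} else {
		if (args_info.verbose_flag)
			message("\nTunneling to %s (destination)\n", args_info.dest_arg);
		start_connect_request(args_info.dest_arg);
	}

	if (args_info.user_given && args_info.pass_given) {
		if (args_info.ntlm_flag) {
			if (ntlm_challenge == 1) {
				build_type3_response();
				strzcat(buf, "Proxy-Authorization: NTLM %s\r\n", ntlm_type3_buf);
			} else if (ntlm_challenge == 0) {
				strzcat(buf, "Proxy-Authorization: NTLM %s\r\n", ntlm_type1_buf);
			}
		} else {
			add_basic_auth(args_info.user_arg, args_info.pass_arg);
		}
	}
	finish_connect_request();

	send_connect_request(pts, "Communication with local proxy:\n");

	/* First line of the response */
	analyze_HTTP(pts);

	if (args_info.remproxy_given) {
		/* Consume the rest of the local proxy's response before the next hop */
		if (strcmp(buf, "\r\n") != 0)
			drain_response_headers(pts);

		/* With --encrypt-remproxy the hop to the remote proxy is wrapped in SSL */
		if (args_info.encryptremproxy_flag)
			stream_enable_ssl(stunnel);

		if (args_info.verbose_flag)
			message("\nTunneling to %s (destination)\n", args_info.dest_arg);
		start_connect_request(args_info.dest_arg);

		if (args_info.remuser_given && args_info.rempass_given)
			add_basic_auth(args_info.remuser_arg, args_info.rempass_arg);
		finish_connect_request();

		send_connect_request(pts, "Communication with remote proxy:\n");

		analyze_HTTP(pts);
	}

	/*
	 * Read the remaining header lines up to the blank line, unless this is
	 * the NTLM type-3 round entered from analyze_HTTP(): then only mark the
	 * round done and let the outer invocation drain the response.
	 */
	if (ntlm_challenge == 1)
		ntlm_challenge = 2;
	else
		drain_response_headers(pts);
}

// vim:noexpandtab:ts=4
proxytunnel-svn/strlcpy.c0000644000175000017500000000370512267561753014252 0ustar jdgjdg
/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */

/*	$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $	*/

/*
 * Copyright (c) 1998 Todd C. Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * NOTE(review): six bare "#include" lines preceded HAVE_STRLCPY here; their
 * header names were lost in extraction and cannot be reconstructed from
 * this page.
 */

#ifndef HAVE_STRLCPY

#if defined(LIBC_SCCS) && !defined(lint)
static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $";
#endif /* LIBC_SCCS and not lint */

#include <sys/types.h>
#include <string.h>

/*
 * Copy src to string dst of size siz.  At most siz-1 characters
 * will be copied.  Always NUL terminates (unless siz == 0).
 * Returns strlen(src); if retval >= siz, truncation occurred.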
 */
size_t strlcpy(char *dst, const char *src, size_t siz)
{
	const char *cursor = src;
	size_t room = siz;

	/* Copy while there is room for a byte plus the terminator */
	if (room != 0) {
		while (--room != 0) {
			if ((*dst++ = *cursor++) == '\0')
				break;
		}
	}

	/*
	 * Out of room: terminate dst (when it has any size at all) and walk
	 * the rest of src so the full source length can be reported.
	 */
	if (room == 0) {
		if (siz != 0)
			*dst = '\0';
		while (*cursor++)
			;
	}

	/* Length of src, excluding the NUL */
	return (size_t)(cursor - src - 1);
}

#endif /* !HAVE_STRLCPY */
proxytunnel-svn/basicauth.c0000644000175000017500000000322512267561753014512 0ustar jdgjdg
/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */
/* Contact: josv@osp.nl / maniac@maniac.nl */
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/*
 * NOTE(review): the original #include list was garbled in extraction (three
 * bare "#include" lines); the headers below are the ones this file visibly
 * needs: malloc/free, snprintf and strlen.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "base64.h"
#include "config.h"
#include "cmdline.h"
#include "proxytunnel.h"
#include "basicauth.h"

/*
 * Create the HTTP basic authentication cookie for use by the proxy. Result
 * is stored in basicauth.
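 */

/*
 * Overwrite n bytes of s with zeros through a volatile pointer so the
 * compiler cannot drop the store as dead (the buffer is freed right after).
 */
static void wipe_bytes(char *s, size_t n) {
	volatile char *v = s;

	while (n-- > 0)
		*v++ = 0;
}

/*
 * basicauth -- build the value of a "Proxy-Authorization: Basic" header,
 * i.e. base64("user:pass").
 *
 * Returns a freshly allocated, NUL-terminated string the caller owns and
 * must free(), or NULL when memory allocation fails.
 *
 * Changes from the original: the output buffer was a fixed 80 bytes while
 * the input length is unbounded, so a "user:pass" longer than 59 characters
 * overflowed the heap (base64 needs 4 output characters per 3 input bytes);
 * the buffer is now sized from the input. Both allocations are checked,
 * sprintf() is replaced by a bounded snprintf(), and the cleartext
 * credential copy is wiped before being freed.
 */
char *basicauth(char *user, char *pass) {
	size_t plain_len = strlen(user) + strlen(pass) + 1;	/* "user:pass" */
	size_t out_len = 4 * ((plain_len + 2) / 3) + 1;	/* base64 + NUL */
	char *plain = malloc(plain_len + 1);
	char *cookie;

	if (plain == NULL)
		return NULL;

	/* calloc so the result is NUL-terminated whatever base64() writes */
	cookie = calloc(out_len, 1);
	if (cookie == NULL) {
		free(plain);
		return NULL;
	}

	/* Set up the cookie in clear text */
	snprintf(plain, plain_len + 1, "%s:%s", user, pass);

	/*
	 * Base64 encode the clear text cookie to create the HTTP base64
	 * authentication cookie.
	 * NOTE(review): assumes base64() emits standard 4-per-3 encoding and at
	 * most one trailing NUL -- confirm in base64.c.
	 */
	base64((unsigned char *)cookie, (unsigned char *)plain, (int)plain_len);

	/* Credentials: scrub the cleartext copy before releasing it */
	wipe_bytes(plain, plain_len + 1);
	free(plain);

	return cookie;
}

// vim:noexpandtab:ts=4
proxytunnel-svn/contrib/0000755000175000017500000000000012267562030014026 5ustar jdgjdg
proxytunnel-svn/contrib/proxytunnel.spec0000644000175000017500000000423312267561753017326 0ustar jdgjdg
# $Id: proxytunnel.spec 239 2008-08-10 01:20:26Z dag- $
# Authority: dag
# Upstream:

Summary: Punching holes through HTTPS proxies
Name: proxytunnel
Version: 1.9.0
Release: 1
License: GPL
Group: Applications/Internet
URL: http://proxytunnel.sourceforge.net/

Source: http://dl.sf.net/proxytunnel/proxytunnel-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

BuildRequires: openssl-devel

%description
ProxyTunnel is a program that connects stdin and stdout to a server
somewhere on the network, through a standard HTTPS proxy. We mostly use
it to tunnel SSH sessions through HTTP(S) proxies, allowing us to do many
things that wouldn't be possible without ProxyTunnel.

Proxytunnel can create tunnels using HTTP and HTTPS proxies, can work as
a back-end driver for an OpenSSH client, and create SSH connections
through HTTP(S) proxies and can work as a stand-alone application,
listening on a port for connections, and then tunneling these connections
to a specified destination.

If you want to make effective use of ProxyTunnel, the proxy server you
are going to be tunneling through must support HTTP CONNECT command and
must allow you to connect to destination machine and host, with or
without HTTP proxy authentication.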
%prep %setup %build %{__make} %{?_smp_mflags} CFLAGS="%{optflags} -I/usr/kerberos/include" %install %{__rm} -rf %{buildroot} %{__make} install DESTDIR="%{buildroot}" prefix="%{_prefix}" %clean %{__rm} -rf %{buildroot} %files %defattr(-, root, root, 0755) %doc CHANGES CREDITS INSTALL KNOWN_ISSUES LICENSE.txt README RELNOTES TODO docs/*.txt docs/*.html %doc %{_mandir}/man1/proxytunnel.1* %{_bindir}/proxytunnel %changelog * Tue Mar 04 2008 Dag Wieers - 1.9.0-1 - Updated to release 1.9.0. * Fri Jan 18 2008 Dag Wieers - 1.8.0-1 - Updated to release 1.8.0. * Fri Mar 16 2007 Dag Wieers - 1.7.0-1 - Updated to release 1.7.0. * Sun Aug 06 2006 Dag Wieers - 1.6.3-1 - Updated to release 1.6.3. * Tue Nov 2 2004 Mark Janssen - Updated to v1.6.0 * Tue Nov 21 2001 Ralph Loader - Created. proxytunnel-svn/CHANGES0000755000175000017500000002537312267561753013411 0ustar jdgjdgChanges to proxytunnel after 1.9.1 -- Tue Mar 22 16:02:40 CET 2011 - Switch to HTTP/1.1 commands, so we can tunnel over JoikuSpot's which don't understand http/1.0 command (Mark Janssen) - NTLMv2 fixes by Giulio Galante Changes to proxytunnel version 1.9.0 -- Sat Feb 23 22:03:10 CET 2008 - Fixes for runtime error on RHEL5/CENTOS-5 (gcc4 and -D_FORTIFY_SOURCE=2) (Dag Wieers) - Small thinko in io.c wrt. 
malloc() (Dag Wieers) - Disable output by default on Windows build (Dag Wieers) - Updated SPEC file to RPMforge standards (Dag Wieers) - Improved verbose output, easier for the eyes (Dag Wieers) - Improved help output (Dag Wieers) - Added basic authentication support for remote proxy (Mark) - Removed custom environment variables, now use PROXYUSER, PROXYPASS (Dag Wieers) - Replaced -U/--user and -S/--pass by -P/--proxyauth (Dag Wieers) - Added remote proxy authentication (-R/--remproxyauth) (Dag Wieers) - Use REMPROXYUSER and REMPROXYPASS environment variables (Dag Wieers) - Pick up proxy settings from HTTP_PROXY env var (Mark) - Remote Proxy SSL (-X --encrypt-remproxy) (Mark) Changes to proxytunnel version 1.8.0 -- Mon Dec 31 16:46:52 CET 2007 - Added passfile options to read username/password from a file - Moved manual-page from debian/ to / in source-tree - Cleanup quiet mode, quiet/verbose mutually exclusive (fd0) - Performance patch from Ingo Molnar - This release was prepared at 24C3, Berlin (http://events.ccc.de/congress/2007/) - Have a nice year, or as they say here: "Einen guten Rutsch ins 1984" Changes to proxytunnel version 1.7.2 -- Mon Jul 30 10:18:26 CEST 2007 - Fixed buffer/malloc issue - Clean-up usage info/help text - Remove spurious syslog Changes to proxytunnel version 1.7.1 -- Thu Apr 12 13:40:27 CEST 2007 - Cygwin SO_REUSEPORT stuff by Marc Heuse - Fix some string-handling related core-dumps - NTLM/SSL fixes by Taco IJsselmuiden - NTLM fixes by Taco IJsselmuiden Changes to proxytunnel version 1.7.0 -- Sun Feb 25 17:45:38 CET 2007 - Allow multiple '-H' options (headers), total size of the headers should not exceed 1k. - Reworked setproctitle calls, giving an argument to -x should now really hide all traces of the original name, not only the arguments Also remove argument-info on normal (without -x) runs. 
- Suggested changes (From Dag Wieers) to install-target applied - Change debug-output line-endings - Change error message on 'connection closed' in analyze_HTTP - Reworked debug-output (Dag Wieers) - Signal handling (Dag Wieers) - Applied (reworked) changes from Mark Cave-Ayland to support -E option encrypting data to the proxy with SSL Changes to proxytunnel version 1.6.3 -- Mon Apr 10 12:48:02 CEST 2006 - Replaced call to getpass to getpass_x, which comes from openssh's readpassphrase.c. This should handle longer passwords on systems with broken (crappy) getpass calls (solaris/hpux) Changes to proxytunnel version 1.6.2 -- Wed Mar 8 10:08:53 CET 2006 - Fix NTLM in stand-alone mode Changes to proxytunnel version 1.6.1 -- Sat Feb 25 14:45:25 CET 2006 - FOSDEM build (www.fosdem.org) - Do setproctitle and ssl stuff on 'standalone' mode too - Changed scanning/malloc's for proxy-hostname, we could overflow there - Ripped out setproctitle and replaced it with openssh's code from openbsd-compat/setproctitle.c, also took in strlcat/strlcpy - Removed all non-default Makefiles (darwin/solaris/cygwin etc) uncomment the -D's in the regular Makefile for your system/config - Removed extra message in closeall() function - Removed Proctitle override message Changes to proxytunnel version 1.6.0 -- Mon Feb 6 17:00:00 CET 2006 - Replaced -g/-G (proxy host and port) with -p proxy:post shorthand - Replaced -d/-D (dest host and port) with -d host:post shorthand - Dropped -n option (dottedquad) - Small change to make compiler on tandem/hp-nonstop happy by Roberto Veldhoven - Small change to work around broken proxies by Stephane Engel - Changed client_len from size_t to socklen_t (64bit required) - Makefile vars now no longer override environment versions - Cleaned up the output, in quiet mode there are now no messages, in normal mode a lot less (unless verbose is on) - Added proxy-bouncing support, courtesy of Dag Wieers, authentication only works on the FIRST proxy, not on a second 
proxy !! - Added SSL encryption to the data-layer to fool proxies that do deep- packet inspection, by: Alex Peuchert proxytunnel@peuchert.de - Added -x/--proctitle option, to hide/obfuscate the proxytunnel command-line in process-listings. This code is disabled by default But can be enabled by uncommenting the define in the Makefile. Please test this code on systems available to you :) Changes to proxytunnel version 1.5.2 -- Fri Dec 16 09:27:11 CET 2005 - Moved some declarations around in ntlm.c to make gcc/openbsd happier Changes to proxytunnel version 1.5.1 -- Fri Sep 30 12:17:14 CEST 2005 - If you specify a username, but not a password, query the user for the password at runtime. - Removed md[45].[ch] and use functions from openssl Changes to proxytunnel version 1.5.0 -- Mon Aug 15 12:18:41 CEST 2005 - Allow overriding of NTLM 'DOMAIN', using -t Changes to proxytunnel version 1.4.0 -- Mon Aug 15 11:40:18 CEST 2005 - Included version-2 of the NTLM patch by Paul Solomon Changes to proxytunnel version 1.2.3 -- Tue Nov 2 17:03:00 CET 2004 - Patched a possible buffer overflow as reported by Dan Margolis of the Gentoo Security Team Changes to proxytunnel version 1.2.2 -- Tue Oct 12 16:43:16 CEST 2004 - Added patch from Fred Donck to fix his previous patch, after testing at a client with authenticating proxies he found a small problem. Changes to proxytunnel version 1.2.1 -- Fri Oct 1 08:50:03 CEST 2004 - Added patch by drwr that fixes some compiler warnings and introduces Makefile.cc for non-gnu compilers Changes to proxytunnel version 1.2.0 -- Thu Sep 30 11:22:03 CEST 2004 - Added patch by Fred Donck to store proxy username and password in environment variables. Security fix ------------ - Modified cmdline.c to allow passing of proxyuser and proxypass as environment variables to prevent other users on same machine from snooping sensitive info. 
-U for env var that contains the proxy user -S for env var that contains the proxy user's password Changes to proxytunnel version 1.1.4 -- Wed Jun 23 21:05:35 CEST 2004 - Small solaris fix Changes to proxytunnel version 1.1.3 -- Tue Dec 02 14:00:00 CET 2003 - Fix small compilation warning - Install proxytunnel manual page on 'make install' Changes to proxytunnel version 1.1.2 -- Wed Nov 20 14:45:00 CET 2002 - Cleaned up debian packaging, added manpage from Loïc Le Guyader Changes to proxytunnel version 1.1.1 -- Tue May 14 12:09:07 CEST 2002 - Added a reworked version of Dieter Heiliger's idea to add a switch to specify a User-Agent header to the CONNECT message. I made it into a generic 'Header' function, so you can add whatever you like to the connect string ( --header "MyCustomHeader: Value" ) Changes to proxytunnel version 1.1.0 -- Mon Apr 22 22:58:05 CEST 2002 - Ported new features (like stand-alone mode) to CYGWIN and fixed some bugs when running on CYGWIN. The cygwin version differs from the normal proxytunnel in these issues: - Syslog isn't used, messages in stand-alone mode are displayed in the window where the proxytunnel process runs. - Proxytunnel doesn't fork into the background on cygwin, so its logging messages can be seen here, and it can easily be killed using CTRL-C in the window. - Added Makefile.cygwin for use on CYGWIN platform. Changes to proxytunnel version 1.1.0 -- Sat Apr 20 16:00:00 CET 2002 - Added the -a (--standalone=INT) option. It is mutually exclusive with -i (--inetd), and it instructs proxytunnel to fork in the background as a standalone daemon, listening for connections on the specified port and forwarding these connections through the specified proxy/tunnel. - Forked base64 encoding code to base64.[ch] file, authentication to basicauth.[ch], messaging to messages.c and io handling to io.[ch] - Tested and ported on Linux(i386/ppc/alpha/sparc), Freebsd(i386), Solaris(Sparc) and Mac-OS-X(Darwin/ppc). 
Created some new makefiles for the non-complient systems (Solaris, Darwin) Changes to proxytunnel version 1.0.8 -- Fri Apr 19 10:25:00 CET 2002 - Fixed help-text when system doesn't support long-options - Cleaned up some code w.r.t short and/or long options, added includes for getopt on freebsd. Changes to proxytunnel version 1.0.7 -- Wed Nov 28 09:49:41 CET 2001 - Added rpm spec file by Ralph Loader -- Maniac - Updated textfiles Changes to proxytunnel version 1.0.7 -- Sat Nov 24 12:32:02 CET 2001 - Applied patch from "Andrew Griffiths" to fix possible string format attacks. -- Maniac - Some code cleanup and reformatting -- Maniac - Added '-q' / '--quiet' flag to suppress status messages, Proxytunnel can now be completely quiet and transparent. (Not when also providing the '-v' flag naturally) -- Maniac - Changed ipbuf size to 16, which should be enough. -- Maniac Changes to proxytunnel version 1.0.6 -- Thu Nov 22 10:38:10 CET 2001 - Added support for compiling on Solaris, uncomment some lines in the Makefile to enable this, patch from: Martin Senft - Included (modified) patch from Ralph Loader to work around broken DNS resolving in some proxies when using DynDNS hosts (the -n or --dottedquad option) -- Maniac Changes to proxytunnel version 1.0.5 -- Mon Nov 19 21:26:45 CET 2001 - Added support for running from inetd, using the --inetd option or the -i option. Also some cleanups in the tunneling code -- Muppet Changes to proxytunnel version 1.0.4 -- Sun Nov 11 00:44:39 CET 2001 - All the code by Jos and Mark now covered under GPL, the few lines of base64 code came from mutt (also GPL), so the entire program is now covered by the GPL -- Maniac Changes to proxytunnel version 1.0.3 -- Sat Nov 10 21:36:42 CET 2001 - Supporting GNU getopts, the entire command line processing has changed. 
If you were using an old version, please check up on the '--help' option, and update your .ssh/config files :) -- Maniac - Added a --verbose option, which occasionally can print some interesting details -- Maniac - Thanks to getopts, there is now some error handling when entering incorrect command line options -- Maniac - In addition to using HTTP auth, which we already had, we can now also connect to proxies that do NOT use HTTP auth, simply do not specify a username and password. If you specify these, they will be passed on to the proxy, otherwise we won't go into auth phase. -- Maniac - Added simple 'make install' to the makefile -- Maniac proxytunnel-svn/cmdline.c0000644000175000017500000004465012267561753014161 0ustar jdgjdg/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ /* Contact: josv@osp.nl / maniac@maniac.nl */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
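*
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* cmdline.c -- parse the command line, the PROXYUSER/PROXYPASS/REMPROXYUSER/
 * REMPROXYPASS/HTTP_PROXY environment variables and an optional password file
 * into struct gengetopt_args_info (declared in cmdline.h).
 * Originally generated by gengetopt 2.4 and modified by hand since. */

/* NOTE(review): the system header names were lost in the copy this file was
 * restored from; the set below is what the code in this file demonstrably
 * uses (printf, malloc/strtol/getenv, str*, errno, getopt, fstat/fileno). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#include "config.h"
#include "proxytunnel.h"

#ifndef HAVE_GETOPT_LONG
extern char *optarg;
#else
#include <getopt.h>
#endif

#include "cmdline.h"

static char *getCredentialsFromFile(const char *filename, char **user, char **pass,
                                    char **remuser, char **rempass);
static char *gengetopt_strdup(const char *s);
static void clear_args(struct gengetopt_args_info *args_info);
static int parse_port(const char *s);
static int parse_hostport(const char *spec, char **host, int *port);
static int split_userpass(const char *spec, char **user, char **pass);

/* One option string shared by the getopt() and getopt_long() builds so the
 * two cannot drift apart.  'n' (--dottedquad, dropped in 1.6.0) had no
 * handler and "-n" used to fall into the abort() default; it is no longer
 * accepted and getopt reports it as an invalid option instead. */
static const char short_options[] = "hVia:u:s:t:F:p:P:r:R:d:H:x:vNeEXq";

/* Print "<package> <version> (rev <revision>)" plus the copyright line. */
void cmdline_parser_print_version(void)
{
	printf("%s %s (rev %s) Copyright 2001-2008 Proxytunnel Project\n",
	       PACKAGE, VERSION, REVISION);
}

/* Print the version line followed by the usage text for every option that
 * this build understands (SSL and proctitle lines only when compiled in). */
void cmdline_parser_print_help(void)
{
	cmdline_parser_print_version();
	printf(
		"Usage: %s [OPTIONS]...\n"
		"Build generic tunnels trough HTTPS proxies using HTTP authentication\n"
		"\n"
		"Standard options:\n"
		// FIXME: " -c, --config=FILE          Read config options from file\n"
		" -i, --inetd                Run from inetd (default: off)\n"
		" -a, --standalone=INT       Run as standalone daemon on specified port\n"
		// FIXME: " -f, --nobackground         Don't fork to background in standalone mode\n"
		" -p, --proxy=STRING         Local proxy host:port combination\n"
		" -r, --remproxy=STRING      Remote proxy host:port combination (using 2 proxies)\n"
		" -d, --dest=STRING          Destination host:port combination\n"
#ifdef USE_SSL
		" -e, --encrypt              SSL encrypt data between local proxy and destination\n"
		" -E, --encrypt-proxy        SSL encrypt data between client and local proxy\n"
		" -X, --encrypt-remproxy     SSL encrypt data between local and remote proxy\n"
#endif
		"\n"
		"Additional options for specific features:\n"
		" -F, --passfile=STRING      File with credentials for proxy authentication\n"
		" -P, --proxyauth=STRING     Proxy auth credentials user:pass combination\n"
		" -R, --remproxyauth=STRING  Remote proxy auth credentials user:pass combination\n"
		// " -u, --user=STRING          Username for proxy authentication\n"
		// " -s, --pass=STRING          Password for proxy authentication\n"
		// " -U, --uservar=STRING       Environment variable that holds username\n"
		// " -S, --passvar=STRING       Environment variable that holds password\n"
		" -N, --ntlm                 Use NTLM based authentication\n"
		" -t, --domain=STRING        NTLM domain (default: autodetect)\n"
		" -H, --header=STRING        Add additional HTTP headers to send to proxy\n"
#ifdef SETPROCTITLE
		" -x, --proctitle=STRING     Use a different process title\n"
#endif
		"\n"
		"Miscellaneous options:\n"
		" -v, --verbose              Turn on verbosity\n"
		" -q, --quiet                Suppress messages\n"
		" -h, --help                 Print help and exit\n"
		" -V, --version              Print version and exit\n",
		PACKAGE);
#ifndef HAVE_GETOPT_LONG
	printf(
		"\n"
		"Notice: This version is compiled without support for long options.\n"
		"This means you can only use the short (1 letter) options on the commandline.\n");
#endif
}

/* Duplicate s on the heap (the generated code's portable strdup).
 * Returns NULL when the allocation fails; s must not be NULL. */
static char *gengetopt_strdup(const char *s)
{
	size_t len = strlen(s) + 1;
	char *n = malloc(len);
	if (n != NULL)
		memcpy(n, s, len);
	return n;
}

/* Reset every option value in *args_info to "nothing given".  Nothing is
 * freed on purpose: every caller exit()s right afterwards (help, version and
 * usage errors), as the original macro did. */
static void clear_args(struct gengetopt_args_info *args_info)
{
	args_info->user_arg = NULL;
	args_info->pass_arg = NULL;
	args_info->remuser_arg = NULL;
	args_info->rempass_arg = NULL;
	args_info->domain_arg = NULL;
	args_info->proxy_arg = NULL;
	args_info->proxyauth_arg = NULL;
	args_info->proxyhost_arg = NULL;
	args_info->proxyport_arg = 0;
	args_info->dest_arg = NULL;
	args_info->remproxy_arg = NULL;
	args_info->remproxyauth_arg = NULL;
	args_info->header_arg[0] = '\0';
	args_info->verbose_flag = 0;
	args_info->ntlm_flag = 0;
	args_info->inetd_flag = 0;
	args_info->quiet_flag = 0;
	args_info->standalone_arg = 0;
	args_info->encrypt_flag = 0;
	args_info->encryptproxy_flag = 0;
	args_info->encryptremproxy_flag = 0;
	args_info->proctitle_arg = NULL;
}

/* Parse a decimal TCP port.  Returns the port, or -1 unless s is a whole
 * number in 1..65535 (no trailing characters, no overflow).  Replaces the
 * unchecked atoi()/"%5u" conversions, which accepted 0, 99999 and "80abc". */
static int parse_port(const char *s)
{
	char *end;
	errno = 0;
	long v = strtol(s, &end, 10);
	if (end == s || *end != '\0' || errno == ERANGE || v < 1 || v > 65535)
		return -1;
	return (int)v;
}

/* Split "host:port" at the LAST ':' (so a bracketed IPv6 literal keeps its
 * colons) into a freshly allocated host and a validated port.
 * Returns 0 on success, -1 when there is no ':', the host is empty, the port
 * is invalid or malloc fails; *host and *port are untouched on failure. */
static int parse_hostport(const char *spec, char **host, int *port)
{
	const char *colon = strrchr(spec, ':');
	if (colon == NULL || colon == spec)
		return -1;
	int p = parse_port(colon + 1);
	if (p < 0)
		return -1;
	size_t hlen = (size_t)(colon - spec);
	char *h = malloc(hlen + 1);
	if (h == NULL)
		return -1;
	memcpy(h, spec, hlen);
	h[hlen] = '\0';
	*host = h;
	*port = p;
	return 0;
}

/* Split "user[:pass]" at the FIRST ':' (a password may itself contain colons,
 * a user name may not).  *user receives a copy of the part before the colon,
 * or of the whole string when there is none.  *pass receives a copy of what
 * follows the colon and is left untouched when there is no colon or nothing
 * follows it, so a password supplied elsewhere (file, environment) survives.
 * Returns 0 on success, -1 (nothing allocated) when the user part is empty
 * or malloc fails.  Unlike the old "%24[^:]:%24s" scan there is no silent
 * truncation of long user names or passwords. */
static int split_userpass(const char *spec, char **user, char **pass)
{
	const char *colon = strchr(spec, ':');
	size_t ulen = colon != NULL ? (size_t)(colon - spec) : strlen(spec);
	if (ulen == 0)
		return -1;
	char *u = malloc(ulen + 1);
	if (u == NULL)
		return -1;
	memcpy(u, spec, ulen);
	u[ulen] = '\0';
	char *p = NULL;
	if (colon != NULL && colon[1] != '\0') {
		p = gengetopt_strdup(colon + 1);
		if (p == NULL) {
			free(u);
			return -1;
		}
	}
	*user = u;
	if (p != NULL)
		*pass = p;
	return 0;
}

/* Fill *args_info from argv, then from the environment, then derive the
 * proxyhost/proxyport and user/pass fields from the combined -p/-P/-R values.
 * Returns 0 on success.  Usage errors, --help and --version do not return:
 * they print a message and exit() (status 1 for errors, 0 for help/version).
 * Strings stored in *args_info are heap copies owned by the struct. */
int cmdline_parser(int argc, char * const *argv, struct gengetopt_args_info *args_info)
{
	int c;                             /* option character from getopt */
	int missing_required_options = 0;

	args_info->help_given = 0;
	args_info->version_given = 0;
	args_info->user_given = 0;
	args_info->pass_given = 0;
	args_info->remuser_given = 0;
	args_info->rempass_given = 0;
	args_info->proxy_given = 0;
	args_info->proxyauth_given = 0;
	args_info->proxyhost_given = 0;
	args_info->proxyport_given = 0;
	args_info->dest_given = 0;
	args_info->remproxy_given = 0;
	args_info->remproxyauth_given = 0;
	args_info->verbose_given = 0;
	args_info->ntlm_given = 0;
	args_info->inetd_given = 0;
	args_info->quiet_given = 0;
	args_info->header_given = 0;
	args_info->domain_given = 0;
	args_info->encrypt_given = 0;
	args_info->encryptproxy_given = 0;
	args_info->encryptremproxy_given = 0;
	args_info->proctitle_given = 0;

	clear_args(args_info);

	optarg = 0;
#ifdef HAVE_GETOPT_LONG
	optind = 1;
	opterr = 1;
	optopt = '?';
#endif

	while (1) {
#ifdef HAVE_GETOPT_LONG
		int option_index = 0;
		/* struct option: name, has_arg, flag, val */
		static const struct option long_options[] = {
			{ "help",             0, NULL, 'h' },
			{ "version",          0, NULL, 'V' },
			{ "user",             1, NULL, 'u' },
			{ "pass",             1, NULL, 's' },
			{ "domain",           1, NULL, 't' },
			// { "uservar",       1, NULL, 'U' },
			// { "passvar",       1, NULL, 'S' },
			{ "passfile",         1, NULL, 'F' },
			{ "proxy",            1, NULL, 'p' },
			{ "proxyauth",        1, NULL, 'P' },
			{ "dest",             1, NULL, 'd' },
			{ "remproxy",         1, NULL, 'r' },
			{ "remproxyauth",     1, NULL, 'R' },
			{ "proctitle",        1, NULL, 'x' },
			{ "header",           1, NULL, 'H' },
			{ "verbose",          0, NULL, 'v' },
			{ "ntlm",             0, NULL, 'N' },
			{ "inetd",            0, NULL, 'i' },
			{ "standalone",       1, NULL, 'a' },
			{ "quiet",            0, NULL, 'q' },
			{ "encrypt",          0, NULL, 'e' },
			{ "encrypt-proxy",    0, NULL, 'E' },
			{ "encrypt-remproxy", 0, NULL, 'X' },
			{ NULL,               0, NULL,  0  }
		};
		c = getopt_long(argc, argv, short_options, long_options, &option_index);
#else
		c = getopt(argc, argv, short_options);
#endif
		if (c == -1)
			break; /* all options consumed */

		switch (c) {
		case 'h': /* Print help and exit. */
			clear_args(args_info);
			cmdline_parser_print_help();
			exit(0);

#ifdef USE_SSL
		case 'e': /* Turn on SSL encryption */
			args_info->encrypt_flag = !(args_info->encrypt_flag);
			if (args_info->verbose_flag)
				message("SSL enabled\n");
			break;

		case 'E': /* Turn on client to proxy SSL encryption */
			args_info->encryptproxy_flag = !(args_info->encryptproxy_flag);
			if (args_info->verbose_flag)
				message("SSL client to proxy enabled\n");
			break;

		case 'X': /* Turn on local to remote proxy SSL encryption */
			args_info->encryptremproxy_flag = !(args_info->encryptremproxy_flag);
			if (args_info->verbose_flag)
				message("SSL local to remote proxy enabled\n");
			break;
#else
		case 'e':
		case 'E':
		case 'X':
			/* A user asking for SSL in a build without it is a usage error,
			 * not a programming error, so report it instead of abort()ing. */
			fprintf(stderr, "%s: option -%c requires a build with SSL support\n", PACKAGE, c);
			clear_args(args_info);
			exit(1);
#endif

		case 'i': /* Run from inetd. */
			if (args_info->standalone_arg > 0) {
				fprintf(stderr, "%s: '--inetd' ('-i') conflicts with '--standalone' ('-a')\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->inetd_flag = !(args_info->inetd_flag);
			break;

		case 'a': { /* Run as standalone daemon on the given port */
			if (args_info->inetd_flag) {
				fprintf(stderr, "%s: `--standalone' (`-a') conflicts with `--inetd' (`-i')\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			int port = parse_port(optarg);
			if (port < 0) {
				fprintf(stderr, "%s: Illegal port value for `--standalone' (`-a')\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->standalone_arg = port;
			break;
		}

		case 'V': /* Print version and exit. */
			clear_args(args_info);
			cmdline_parser_print_version();
			exit(0);

		case 'x': /* Override the process title (hides the real command line) */
			args_info->proctitle_given = 1;
			message("Proctitle override enabled\n");
			args_info->proctitle_arg = gengetopt_strdup(optarg);
			break;

		case 'u': /* Username to send to HTTPS proxy for authentication. */
			if (args_info->user_given) {
				fprintf(stderr, "%s: `--user' (`-u'), `--proxyauth' (`-P') or `--passfile' (`-F') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->user_given = 1;
			args_info->user_arg = gengetopt_strdup(optarg);
			message("Option -u/--user is deprecated, please use -P/--proxyauth user:pass\n");
			break;

		case 's': /* Password to send to HTTPS proxy for authentication. */
			if (args_info->pass_given) {
				fprintf(stderr, "%s: `--pass' (`-s') or `--passfile' (`-F') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->pass_given = 1;
			args_info->pass_arg = gengetopt_strdup(optarg);
			message("Option -s/--pass is deprecated, please use -P/--proxyauth user:pass\n");
			break;

		case 't': /* NTLM domain override. */
			if (args_info->domain_given) {
				fprintf(stderr, "%s: `--domain' (`-t') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->domain_given = 1;
			args_info->domain_arg = gengetopt_strdup(optarg);
			break;

		case 'F': { /* File with username & password for proxy authentication. */
			if (args_info->user_given) {
				fprintf(stderr, "%s: `--user' (`-u') or `--passfile' (`-F') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			if (args_info->pass_given) {
				fprintf(stderr, "%s: `--pass' (`-s') or `--passfile' (`-F') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			/* The reader resets all four slots before filling them, so the
			 * _given flags simply mirror what came back non-NULL. */
			char *result = getCredentialsFromFile(optarg,
			                                      &args_info->user_arg, &args_info->pass_arg,
			                                      &args_info->remuser_arg, &args_info->rempass_arg);
			args_info->user_given = args_info->user_arg != NULL;
			args_info->pass_given = args_info->pass_arg != NULL;
			args_info->remuser_given = args_info->remuser_arg != NULL;
			args_info->rempass_given = args_info->rempass_arg != NULL;
			if (result != NULL) {
				fprintf(stderr, "%s: Bad password file for `--passfile' (`-F')\n%s\n", PACKAGE, result);
				clear_args(args_info);
				exit(1);
			}
			break;
		}

		case 'p': /* HTTPS Proxy host:port to connect to. */
			if (args_info->proxy_given) {
				fprintf(stderr, "%s: `--proxy' (`-p') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->proxy_given = 1;
			args_info->proxy_arg = gengetopt_strdup(optarg);
			break;

		case 'P': /* HTTPS Proxy auth user:pass for local proxy */
			/* Note: anything given here is visible to other local users in
			 * process listings; -F or PROXYUSER/PROXYPASS avoid that. */
			if (args_info->proxyauth_given) {
				fprintf(stderr, "%s: `--proxyauth' (`-P') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->proxyauth_given = 1;
			args_info->proxyauth_arg = gengetopt_strdup(optarg);
			break;

		case 'r': /* Use a remote proxy */
			if (args_info->remproxy_given) {
				fprintf(stderr, "%s: `--remproxy' (`-r') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->remproxy_given = 1;
			args_info->remproxy_arg = gengetopt_strdup(optarg);
			break;

		case 'R': /* HTTPS Proxy auth user:pass for remote proxy */
			if (args_info->remproxyauth_given) {
				/* was mislabelled `-P' */
				fprintf(stderr, "%s: `--remproxyauth' (`-R') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->remproxyauth_given = 1;
			args_info->remproxyauth_arg = gengetopt_strdup(optarg);
			break;

		case 'd': /* Destination host to build the tunnel to. */
			if (args_info->dest_given) {
				fprintf(stderr, "%s: `--dest' (`-d') option given more than once\n", PACKAGE);
				clear_args(args_info);
				exit(1);
			}
			args_info->dest_given = 1;
			args_info->dest_arg = gengetopt_strdup(optarg);
			break;

		case 'H': /* Extra headers to send to HTTPS proxy (may repeat). */
			/* header_arg is a fixed MAX_HEADER_SIZE buffer; strzcat is the
			 * project's own append (proxytunnel.h) -- presumably bounded to
			 * that size, verify against its implementation. */
			args_info->header_given++;
			strzcat(args_info->header_arg, "%s\r\n", optarg);
			break;

		case 'v': /* Turn on verbosity. */
			if (args_info->quiet_flag) { /* -q also on cmd line */
				fprintf(stderr, "-v and -q are mutually exclusive\n");
				clear_args(args_info);
				exit(1);
			}
			args_info->verbose_flag = !(args_info->verbose_flag);
			break;

		case 'N': /* Turn on NTLM. */
			args_info->ntlm_flag = !(args_info->ntlm_flag);
			break;

		case 'q': /* Suppress messages -- Quiet mode */
			if (args_info->verbose_flag) { /* same check as -v, in either order */
				fprintf(stderr, "-v and -q are mutually exclusive\n");
				clear_args(args_info);
				exit(1);
			}
			args_info->quiet_flag = !(args_info->quiet_flag);
			break;

		case 0:   /* Long option with no short option */
		case '?': /* Invalid option: getopt already printed an error message. */
			clear_args(args_info);
			exit(1);

		default: /* bug: option in short_options without a case */
			fprintf(stderr, "%s: option unknown: %c\n", PACKAGE, c);
			clear_args(args_info);
			abort();
		} /* switch */
	} /* while */

	/* For Windows quiet is the default output. -- Dag */
#ifdef CYGWIN
	if (!args_info->verbose_flag) {
		args_info->quiet_flag = 1;
	}
#endif

	/* Get credentials from environment (-- Dag); explicit options win.
	 * Each variable lands in its OWN slot: the remote ones used to be
	 * written into user_arg, which overwrote the local proxy user name
	 * with the remote password and left remuser_arg/rempass_arg empty. */
	const char *env;
	if (args_info->user_arg == NULL && (env = getenv("PROXYUSER")) != NULL) {
		args_info->user_given = 1;
		args_info->user_arg = gengetopt_strdup(env);
		if (args_info->verbose_flag)
			message("Found user '%s' in env variable PROXYUSER.\n", args_info->user_arg);
	}
	if (args_info->pass_arg == NULL && (env = getenv("PROXYPASS")) != NULL) {
		args_info->pass_given = 1;
		args_info->pass_arg = gengetopt_strdup(env);
		if (args_info->verbose_flag)
			message("Found password in env variable PROXYPASS.\n");
	}
	if (args_info->remuser_arg == NULL && (env = getenv("REMPROXYUSER")) != NULL) {
		args_info->remuser_given = 1;
		args_info->remuser_arg = gengetopt_strdup(env);
		if (args_info->verbose_flag)
			message("Found remote user '%s' in env variable REMPROXYUSER.\n", args_info->remuser_arg);
	}
	if (args_info->rempass_arg == NULL && (env = getenv("REMPROXYPASS")) != NULL) {
		args_info->rempass_given = 1;
		args_info->rempass_arg = gengetopt_strdup(env);
		if (args_info->verbose_flag)
			message("Found remote password in env variable REMPROXYPASS.\n");
	}

	/* Pick up the proxy from http_proxy/HTTP_PROXY when -p was not given.
	 * Only "http://host:port[/...]" is understood; anything else is ignored,
	 * whereas the old code copied an uninitialised buffer into proxy_arg
	 * when the scan failed.  The value is not echoed because it may carry
	 * user:pass@ credentials. */
	if (args_info->proxy_arg == NULL &&
	    ((env = getenv("http_proxy")) != NULL || (env = getenv("HTTP_PROXY")) != NULL)) {
		char hostport[56 + 1];
		if (sscanf(env, "http://%56[^/]", hostport) == 1) {
			args_info->proxy_given = 1;
			args_info->proxy_arg = gengetopt_strdup(hostport);
			if (args_info->verbose_flag)
				message("Proxy info found using env variable HTTP_PROXY (%s).\n", args_info->proxy_arg);
		} else if (args_info->verbose_flag) {
			message("Ignoring env variable HTTP_PROXY: expected http://host:port\n");
		}
	}

	if (!args_info->proxy_given || !args_info->dest_given) {
		clear_args(args_info);
		message("No proxy or destination given, exiting\nUse '--help' flag for usage info\n");
		exit(1);
	}

	/* Split -p host:port into proxyhost_arg / proxyport_arg. */
	if (parse_hostport(args_info->proxy_arg,
	                   &args_info->proxyhost_arg, &args_info->proxyport_arg) == 0) {
		args_info->proxyhost_given = 1;
		args_info->proxyport_given = 1;
	} else {
		message("parse_cmdline: could not find your proxy hostname/ip (%s)\n", args_info->proxy_arg);
		missing_required_options++;
	}

	/* Parse -P/--proxyauth information; it overrides file/environment values,
	 * whose heap copies are released instead of leaked. */
	if (args_info->proxyauth_given) {
		char *puser = NULL;
		char *ppass = NULL;
		if (split_userpass(args_info->proxyauth_arg, &puser, &ppass) == 0) {
			free(args_info->user_arg);
			args_info->user_arg = puser;
			args_info->user_given = 1;
			if (ppass != NULL) {
				free(args_info->pass_arg);
				args_info->pass_arg = ppass;
				args_info->pass_given = 1;
			}
		} else {
			message("parse_cmdline: could not find your proxy auth user/pass\n");
			missing_required_options++;
		}
	}

	/* Parse -R/--remproxyauth information, same rules as -P. */
	if (args_info->remproxyauth_given) {
		char *ruser = NULL;
		char *rpass = NULL;
		if (split_userpass(args_info->remproxyauth_arg, &ruser, &rpass) == 0) {
			free(args_info->remuser_arg);
			args_info->remuser_arg = ruser;
			args_info->remuser_given = 1;
			if (rpass != NULL) {
				free(args_info->rempass_arg);
				args_info->rempass_arg = rpass;
				args_info->rempass_given = 1;
			}
		} else {
			message("parse_cmdline: could not find your proxy auth user/pass\n");
			missing_required_options++;
		}
	}

	if (missing_required_options)
		exit(1);

	return 0;
}

/* Read "key = value" credentials from filename into the four output slots
 * (keys: proxy_user, proxy_passwd, remproxy_user, remproxy_passwd).  All four
 * slots are reset to NULL first; each value found is a strdup()ed copy owned
 * by the caller, and a repeated key replaces the earlier value.
 * The file must not be readable, writable or executable by group or other.
 * Returns NULL on success, otherwise a strdup()ed error message (the caller
 * prints it and exits). */
static char *getCredentialsFromFile(const char *filename, char **user, char **pass,
                                    char **remuser, char **rempass)
{
	*user = NULL;
	*pass = NULL;
	*remuser = NULL;
	*rempass = NULL;

	FILE *pwfile = fopen(filename, "r");
	if (pwfile == NULL)
		return strdup(strerror(errno));

	/* Check the permissions of the file actually opened rather than stat()ing
	 * the path separately, so the object examined is the one read. */
	struct stat statbuf;
	if (fstat(fileno(pwfile), &statbuf) != 0) {
		char *err = strdup(strerror(errno));
		fclose(pwfile);
		return err;
	}
	if (statbuf.st_mode & (S_IRWXG | S_IRWXO)) {
		fclose(pwfile);
		return strdup("Stricter permissions required for password file");
	}

	char line[80], buf[80];
	while (fgets(line, sizeof line, pwfile) != NULL) {
		/* A line longer than the buffer arrives in pieces; discard the rest
		 * so a later piece cannot be mistaken for a fresh "key = value". */
		if (strchr(line, '\n') == NULL && !feof(pwfile)) {
			int ch;
			while ((ch = fgetc(pwfile)) != EOF && ch != '\n') {
			}
		}
		char **slot = NULL;
		if (sscanf(line, "proxy_user = %79s", buf) == 1)
			slot = user;
		else if (sscanf(line, "proxy_passwd = %79s", buf) == 1)
			slot = pass;
		else if (sscanf(line, "remproxy_user = %79s", buf) == 1)
			slot = remuser;
		else if (sscanf(line, "remproxy_passwd = %79s", buf) == 1)
			slot = rempass;
		if (slot != NULL) {
			free(*slot);
			*slot = strdup(buf);
		}
	}
	fclose(pwfile);

	if (*user == NULL && *pass == NULL && *remuser == NULL && *rempass == NULL)
		return strdup("proxy_user & proxy_passwd not found in password file");
	return NULL;
}

// vim:noexpandtab:ts=4
proxytunnel-svn/proxytunnel.h0000644000175000017500000000413712267561753015166 0ustar jdgjdg
/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */
/* Contact: josv@osp.nl / maniac@maniac.nl */
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.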
See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/* proxytunnel.h -- prototypes shared between the proxytunnel sources plus the
 * process-wide state.  There is no include guard, so include it exactly once
 * per translation unit. */

#include "cmdline.h"
#include "ptstream.h"

/* printf-style status output; the definition lives elsewhere (messages.c per
 * the changelog), so what it does with the quiet/verbose flags is not visible
 * here.  Takes a non-const format, so callers pass literals or own buffers. */
void message( char *s, ... );
void my_perror( char *msg );
void signal_handler( int signal );
int tunnel_connect();
void analyze_HTTP();
void proxy_protocol();
void closeall();
void do_daemon();
void initsetproctitle(int argc, char *argv[]);
void setproctitle(const char *fmt, ...);
/* Bounded string helpers taken from OpenBSD/OpenSSH (see the 1.6.1 changelog
 * entry); strzcat is the project's own printf-style append. */
size_t strlcat(char *dst, const char *src, size_t siz);
size_t strlcpy(char *dst, const char *src, size_t siz);
size_t strzcat(char *dst, char *format, ...);
int main( int argc, char *argv[] );
char * readpassphrase(const char *, char *, size_t, int);
char * getpass_x(const char *format, ...);

/* Globals */
/* NOTE(review): the objects below are tentative definitions, not `extern`
 * declarations, so every .c file that includes this header defines them.
 * That links only while the toolchain merges common symbols (-fcommon);
 * GCC 10 and later default to -fno-common and report duplicate symbols.
 * The fix is `extern` here plus one definition in a single .c file. */
int read_fd;			/* The file descriptor to read from */
int write_fd;			/* The file descriptor to write to */
char *program_name;		/* Guess what? (presumably argv[0]; set elsewhere) */
int i_am_daemon;		/* Also... (non-zero once running as a daemon, presumably) */
PTSTREAM *stunnel;		/* stream representing the socket from us to proxy */
PTSTREAM *std;			/* stream representing stdin/stdout */

/*
 * All the command line options
 */
struct gengetopt_args_info args_info;

#define SIZE 65536
char buf[SIZE];			/* Data transfer buffer (64 KiB, shared by all I/O) */

/*
 * Small MAX macro -- evaluates each argument twice, so never pass an
 * expression with side effects.
 */
#ifndef MAX
#define MAX( x, y ) ( ( (x)>(y) ) ? (x) : (y) )
#endif

// vim:noexpandtab:ts=4