From ab33f01fbd21c7527da7e39d0d6b883bcbc82204 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 28 Jan 2021 22:14:02 +0100 Subject: [PATCH 01/90] Apply debian patches for Makefile --- Makefile | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index ecdaa5f..d2fc076 100644 --- a/Makefile +++ b/Makefile @@ -17,9 +17,6 @@ OPTFLAGS += -DUSE_SSL # Most systems OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2 -# Comment if you don't have this flag -OPTFLAGS += -DSO_REUSEPORT - # System dependant blocks... if your system is listed below, uncomment # the relevant lines @@ -81,7 +78,7 @@ docs: $(MAKE) -C docs proxytunnel: $(OBJ) - $(CC) -o $(name) $(CFLAGS) $(OPTFLAGS) $(OBJ) $(LDFLAGS) + $(CC) -o $(name) $(CPPFLAGS) $(CFLAGS) $(OPTFLAGS) $(OBJ) $(LDFLAGS) clean: @rm -f $(name) $(OBJ) @@ -93,7 +90,7 @@ install: $(MAKE) -C docs install .c.o: - $(CC) $(CFLAGS) $(OPTFLAGS) -c -o $@ $< + $(CC) $(CPPFLAGS) $(CFLAGS) $(OPTFLAGS) -c -o $@ $< dist: clean docs sed -i -e 's/^Version:.*$$/Version: $(version)/' contrib/proxytunnel.spec From 69c48599e4084f74cbb8fda572d1f519674e3594 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 28 Jan 2021 22:55:15 +0100 Subject: [PATCH 02/90] Error handling on SSL_new and SSL_connect --- CHANGES | 6 ++++++ ptstream.c | 9 ++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 38321b2..84ca425 100755 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +Changed to proxytunnel 1.10.20210128 -- Thu 28 Jan 2021 10:23:24 PM CET + +- Changed version to 1.10.20210128 +- Applied 2 more debian patches by Julian Gilbey +- Error handling on SSL_new / SSL_connect + Changes to proxytunnel 1.10.20200507 -- Thu 07 May 2020 05:13:01 PM CEST - Applied 3 patches from debian's package diff --git a/ptstream.c b/ptstream.c index 7f6a174..0ef5f57 100644 --- a/ptstream.c +++ b/ptstream.c 
@@ -309,6 +309,10 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { } ssl = SSL_new (ctx); + if ( ssl == NULL ) { + message("SSL_new failed\n"); + goto fail; + } SSL_set_rfd (ssl, stream_get_incoming_fd(pts)); SSL_set_wfd (ssl, stream_get_outgoing_fd(pts)); @@ -334,7 +338,10 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { exit( 1 ); } - SSL_connect (ssl); + if ( SSL_connect (ssl) <= 0) { + message( "SSL_connect failed\n"); + goto fail; + } if ( !args_info.no_check_cert_flag ) { /* Make sure peer presented a certificate */ From c38722e87ebb40c5edd923bc78784b2d17586b31 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 28 Jan 2021 22:55:39 +0100 Subject: [PATCH 03/90] Allow for longer usernames and passwords on proxy-auth --- basicauth.c | 2 +- cmdline.c | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/basicauth.c b/basicauth.c index ea2b925..ccb843c 100644 --- a/basicauth.c +++ b/basicauth.c @@ -32,7 +32,7 @@ * is stored in basicauth. */ char *basicauth(char *user, char *pass) { - char *b64str = malloc(80); + char *b64str = malloc(160); int len = strlen( user ) + strlen( pass ) + 2; char *p = (char *) malloc( len ); diff --git a/cmdline.c b/cmdline.c index 7ccadee..6296e36 100644 --- a/cmdline.c +++ b/cmdline.c @@ -591,10 +591,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar char *puser = NULL; char *ppass = NULL; - puser = malloc( 24+1 ); - ppass = malloc( 24+1 ); + puser = malloc( 80+1 ); + ppass = malloc( 80+1 ); - r = sscanf( args_info->proxyauth_arg, "%24[^:]:%24s", puser, ppass ); + r = sscanf( args_info->proxyauth_arg, "%80[^:]:%80s", puser, ppass ); if ( r == 2 ) { args_info->user_arg = puser; args_info->pass_arg = ppass; 
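Review bot: The new `SSL_connect` guard prints only "SSL_connect failed", so a protocol-version mismatch, a handshake-level certificate rejection and a plain TCP reset all look the same to the operator; keep the return value and report the error class, e.g. `int rc = SSL_connect(ssl); if (rc <= 0) { message("SSL_connect failed: SSL_get_error=%d\n", SSL_get_error(ssl, rc)); goto fail; }`, optionally followed by `ERR_print_errors_fp(stderr)` under the verbose flag for the full reason queue. The same one-line diagnostic would help the `SSL_new` check added in the hunk above. Whether the `fail` label frees `ssl` and `ctx` is not visible here; stream_enable_ssl begins and ends outside the hunk.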
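Review bot: `malloc(160)` for `b64str` is still a constant unrelated to the input it has to hold, and with the credential widths raised to 80 characters each in cmdline.c the worst case no longer fits: `user:pass` can be 161 bytes, whose base64 encoding is 216 characters plus the terminator, so writing it into a 160-byte heap buffer overflows. Size the buffer from `len`, which is computed two lines below: move the `int len = strlen( user ) + strlen( pass ) + 2;` line first and use `char *b64str = malloc( 4 * ((len + 2) / 3) + 1 );`, checking both allocations for NULL. That also covers credentials that arrive via the PROXYUSER/PROXYPASS environment variables or the `-F` passfile, which, as far as this series shows, are not bounded by the sscanf widths at all. The encoding call itself is outside the hunk, so whether it NUL-terminates into the same buffer is assumed rather than seen.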
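Review bot: `%80[^:]:%80s` silently truncates a username or password longer than 80 characters, and `%80s` also stops at the first whitespace, so an over-long or space-containing password is accepted with `r == 2` and the proxy later rejects the credentials with no local diagnostic (the old 24-wide format had the same shape; widening only moves the cliff). Detect leftover input instead of truncating: `int used = 0; r = sscanf( args_info->proxyauth_arg, "%80[^:]:%80s%n", puser, ppass, &used );` followed by `if ( r == 2 && args_info->proxyauth_arg[used] != '\0' ) { message( "proxyauth: user or password too long (max 80) or contains whitespace\n" ); missing_required_options++; }`. The identical pattern is added for `--remproxyauth` in the next hunk and deserves the same treatment. A comment here reminding readers that `-P` credentials are visible to other local users through `ps`, unlike `-F` or the environment, would also be worth keeping next to this code.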
@@ -614,10 +614,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar char *ruser = NULL; char *rpass = NULL; - ruser = malloc( 24+1 ); - rpass = malloc( 24+1 ); + ruser = malloc( 80+1 ); + rpass = malloc( 80+1 ); - r = sscanf( args_info->remproxyauth_arg, "%24[^:]:%24s", ruser, rpass ); + r = sscanf( args_info->remproxyauth_arg, "%80[^:]:%80s", ruser, rpass ); if ( r == 2 ) { args_info->remuser_arg = ruser; args_info->rempass_arg = rpass; From 1026053ed2acfb2b990f96ee9f1b76342e1b4bb1 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 28 Jan 2021 23:12:52 +0100 Subject: [PATCH 04/90] Update changelog --- .gitignore | 2 ++ CHANGES | 1 + 2 files changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index c15583a..292e8da 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ *.exec proxytunnel.exe proxytunnel +passfile +test.sh diff --git a/CHANGES b/CHANGES index 84ca425..3469b00 100755 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,7 @@ Changed to proxytunnel 1.10.20210128 -- Thu 28 Jan 2021 10:23:24 PM CET - Changed version to 1.10.20210128 - Applied 2 more debian patches by Julian Gilbey - Error handling on SSL_new / SSL_connect +- Allow for longer username/passwords fields (was 24 chars) Changes to proxytunnel 1.10.20200507 -- Thu 07 May 2020 05:13:01 PM CEST From 6014edcc61a89b2baa7ce0b9af5b68f1b591e716 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Wed, 9 Jun 2021 11:56:36 +0200 Subject: [PATCH 05/90] Migrated builds to travis-ci.com --- CHANGES | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 3469b00..204c848 100755 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,9 @@ -Changed to proxytunnel 1.10.20210128 -- Thu 28 Jan 2021 10:23:24 PM CET +Changes to proxytunnel 1.10.20210609 -- Wed Jun 9 11:55:54 CEST 2021 + +- No functional changes +- Builds have been migrated to travis-ci.com (from .org) + +Changes to proxytunnel 1.10.20210128 -- Thu 28 Jan 2021 10:23:24 PM CET - Changed version to 1.10.20210128 - Applied 2 more debian patches by Julian Gilbey From e448313d686bd4ef3b99778ea88f666a3c82e040 Mon Sep 17 00:00:00 2001 From: David <31015441+deFractal@users.noreply.github.com> Date: Wed, 4 Aug 2021 16:45:07 -0700 Subject: [PATCH 06/90] Add option for local default OpenSSL 1.1 CA file Provides non-empty default for Homebrew on macOS --- ptstream.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ptstream.c b/ptstream.c index 0ef5f57..46f7e4f 100644 --- a/ptstream.c +++ b/ptstream.c @@ -263,8 +263,13 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { X509* cert = NULL; int status; struct stat st_buf; +#ifndef LOCAL_OPENSSL11 const char *ca_file = NULL; const char *ca_dir = "/etc/ssl/certs/"; /* Default cert directory if none given */ +#else + const char *ca_file = "/usr/local/etc/openssl@1.1/cacert.pem"; + const char *ca_dir = NULL; +#endif /* !LOCAL_OPENSSL11 */ long vresult; char *peer_host = NULL; char proxy_arg_fmt[32]; From a269b94ad8f6411225f55c79e7f4207c1621f5d1 Mon Sep 17 00:00:00 2001 From: David <31015441+deFractal@users.noreply.github.com> Date: Wed, 4 Aug 2021 18:13:37 -0700 Subject: [PATCH 07/90] Accept alt ca_file and ca_dir as compiler options --- ptstream.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/ptstream.c b/ptstream.c index 46f7e4f..e11a958 100644 --- a/ptstream.c +++ b/ptstream.c 
@@ -263,13 +263,16 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { X509* cert = NULL; int status; struct stat st_buf; -#ifndef LOCAL_OPENSSL11 +#ifndef DEFAULT_CA_FILE const char *ca_file = NULL; +#else + const char *ca_file = DEFAULT_CA_FILE; /* Default cert file from in Makefile */ +#endif /* !DEFAULT_CA_FILE */ +#ifndef DEFAULT_CA_DIR const char *ca_dir = "/etc/ssl/certs/"; /* Default cert directory if none given */ #else - const char *ca_file = "/usr/local/etc/openssl@1.1/cacert.pem"; - const char *ca_dir = NULL; -#endif /* !LOCAL_OPENSSL11 */ + const char *ca_dir = DEFAULT_CA_DIR; /* Default cert directory from Makefile */ +#endif /* !DEFAULT_CA_DIR */ long vresult; char *peer_host = NULL; char proxy_arg_fmt[32]; From 8cfcd00045db0489ce23dbafacb7f6742fe094c6 Mon Sep 17 00:00:00 2001 From: David <31015441+deFractal@users.noreply.github.com> Date: Wed, 4 Aug 2021 19:03:12 -0700 Subject: [PATCH 08/90] Document CA file & dir compiler options and fix a trivia typo --- Makefile | 6 ++++++ docs/proxytunnel.1.adoc | 3 ++- ptstream.c | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index d2fc076..1da0ce7 100644 --- a/Makefile +++ b/Makefile @@ -26,6 +26,12 @@ OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2 # DARWIN #OPTFLAGS += -DDARWIN +# DARWIN, continued, if compiling for macOS with Homebrew +#CFLAGS += -I/usr/local/opt/openssl/include +#LDFLAGS += -L/usr/local/opt/openssl/lib +#OPTFLAGS += -DDEFAULT_CA_FILE='"/usr/local/etc/openssl@1.1/cacert.pem"' +#OPTFLAGS += -DDEFAULT_CA_DIR=NULL + # CYGWIN #OPTFLAGS += -DCYGWIN diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 7d136ee..0be08f8 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc 
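Review bot: With `DEFAULT_CA_DIR` defined as `NULL`, the configuration the Makefile lines in this series suggest for Homebrew, and `DEFAULT_CA_FILE` left undefined, both `ca_file` and `ca_dir` start out NULL, so unless `-C` is given the verification store has no trust anchors at all; the load call is outside the hunk, but `SSL_CTX_load_verify_locations(ctx, NULL, NULL)` returns 0, which would surface as an opaque load failure rather than a configuration message. Guard it where the defaults are applied: `if ( ca_file == NULL && ca_dir == NULL ) { message( "no CA file or directory configured; use -C or build with DEFAULT_CA_FILE/DEFAULT_CA_DIR\n" ); goto fail; }`. A friendlier fallback for that case is `SSL_CTX_set_default_verify_paths(ctx)`, which uses the OpenSSL library's own compiled-in certificate locations and removes the need for a hard-coded Homebrew path. stream_enable_ssl begins and ends outside the hunk.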
@@ -69,7 +69,8 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-C*, *--cacert*=_filename/directory_:: Specify a CA certificate file (or directory containing CA certificate(s)) to trust when verifying a server SSL certificate. If a directory is provided, - it must be prepared with OpenSSL's c_rehash tool. (default: /etc/ssl/certs) + it must be prepared with OpenSSL's c_rehash tool. (default, unless changed at + compile time using DEFAULT_CA_FILE or DEFAULT_CA_DIR options: /etc/ssl/certs) *-F*, *--passfile*=_filename_:: Use _filename_ for reading username and password for HTTPS proxy diff --git a/ptstream.c b/ptstream.c index e11a958..8d46c69 100644 --- a/ptstream.c +++ b/ptstream.c @@ -266,7 +266,7 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { #ifndef DEFAULT_CA_FILE const char *ca_file = NULL; #else - const char *ca_file = DEFAULT_CA_FILE; /* Default cert file from in Makefile */ + const char *ca_file = DEFAULT_CA_FILE; /* Default cert file from Makefile */ #endif /* !DEFAULT_CA_FILE */ #ifndef DEFAULT_CA_DIR const char *ca_dir = "/etc/ssl/certs/"; /* Default cert directory if none given */ From 4bac945fc78121277d3735ffb22ba83a64b91c16 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Sat, 28 May 2022 15:56:31 +0200 Subject: [PATCH 09/90] Apply patch to fix: #57 --- CHANGES | 4 ++++ ptstream.c | 6 ++++-- ptstream.h | 1 + 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 204c848..61f94e2 100755 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +Changes to proxytunnel 1.10.20220528 -- Sat 28 May 2022 03:54:20 PM CEST + +- Patch from https://github.com/ZjYwMj fixes https://github.com/proxytunnel/proxytunnel/issues/57 + Changes to proxytunnel 1.10.20210609 -- Wed Jun 9 11:55:54 CEST 2021 - No functional changes diff --git a/ptstream.c b/ptstream.c index 8d46c69..7146862 100644 --- a/ptstream.c +++ b/ptstream.c 
@@ -341,8 +341,10 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { message( "Set SNI hostname to %s\n", peer_host); } res = SSL_set_tlsext_host_name(ssl, peer_host); - if (res < 0) { - message( "TLS SNI error, giving up: SSL_set_tlsext_host_name returned error message:\n %u\n", res ); + if (res != SSL_TLSEXT_ERR_OK) { + unsigned long ssl_err = (res == SSL_TLSEXT_ERR_ALERT_WARNING ? SSL_TLSEXT_ERR_ALERT_WARNING : ERR_get_error()); + message( "SSL_set_tlsext_host_name returned: %lu (0x%lx). " + "TLS SNI error, giving up\n", ssl_err, ssl_err ); exit( 1 ); } diff --git a/ptstream.h b/ptstream.h index ee36af2..36610d9 100644 --- a/ptstream.h +++ b/ptstream.h @@ -21,6 +21,7 @@ #ifdef USE_SSL #include +#include #include #include #include From e7fa8259337609ecf5bb7c8c39c0f901ddcc28df Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Sat, 28 May 2022 21:24:55 +0200 Subject: [PATCH 10/90] Close #58 --- cmdline.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdline.c b/cmdline.c index 6296e36..d646747 100644 --- a/cmdline.c +++ b/cmdline.c @@ -581,7 +581,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->proxyhost_given = 1; args_info->proxyport_given = 1; } else { - message( "parse_cmdline: could not find your proxy hostname/ip (%s)\n", args_info->proxy_arg ); + message( "parse_cmdline: specified proxy hostname/ip:port (%s) does not fit expected pattern\n", args_info->proxy_arg ); missing_required_options++; } } From 09bf837c50543ef113b9db7f5360683f88c409da Mon Sep 17 00:00:00 2001 From: Mark Janssen Date: Wed, 21 Sep 2022 17:18:08 +0200 Subject: [PATCH 11/90] Update README.md Looking for maintainer --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index c11fe86..bd2f72d 100644 --- a/README.md +++ b/README.md 
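Review bot: The new condition `res != SSL_TLSEXT_ERR_OK` is inverted for this call: `SSL_set_tlsext_host_name()` returns 1 on success and 0 on failure, while `SSL_TLSEXT_ERR_OK` is 0 (it belongs to the server-side SNI callback return codes), so every connection that sets SNI now takes the error branch and `exit( 1 )`s; the test should be `if (res != 1)`. The `ssl_err` expression likewise mixes the callback constant `SSL_TLSEXT_ERR_ALERT_WARNING` with `ERR_get_error()` values, which are unrelated namespaces; after fixing the condition, printing `ERR_reason_error_string(ERR_get_error())` with a NULL guard is enough. Patch 15 later in this series corrects the condition to `res != 1`. stream_enable_ssl begins and ends outside the hunk.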
@@ -1,5 +1,7 @@ [![Build Status](https://travis-ci.org/proxytunnel/proxytunnel.svg?branch=master)](https://travis-ci.org/proxytunnel/proxytunnel) +[![Maintainers Wanted](https://img.shields.io/badge/maintainers-wanted-red.svg)](https://github.com/pickhardt/maintainers-wanted) + # Proxytunnel From 97d2f516ff75ba53272dc935ae4ecc0977a09ae6 Mon Sep 17 00:00:00 2001 From: "yuri@FreeBSD" Date: Fri, 5 May 2023 15:48:07 -0700 Subject: [PATCH 12/90] Add practically important option descriptions to the example in README 1. nginx with the http_proxy module doesn't by default (or ever) accept CONNECT through http, so https should be used. -E is added for this. 2. Many/most users would use self-signed certificates. -z is described for this. This README change would potentially simplify the setup process for users. --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bd2f72d..95dc5f7 100644 --- a/README.md +++ b/README.md @@ -71,14 +71,14 @@ a $HOME/.ssh/config file with the following content: ``` Host foobar ProtocolKeepAlives 30 - ProxyCommand /path/to/proxytunnel -p proxy:8080 -P username --d mybox.athome.nl:443 + ProxyCommand /path/to/proxytunnel -E -p proxy:8080 -P username -d mybox.athome.nl:443 ``` With: ``` - foobar The symbolic name of the host you want to connect to +- -E Option to use encryption to communicate to the proxy (use https) - proxy The host name of the proxy you want to connect through - 8080 The port number where the proxy software listens to - username Your proxy userid (password will be prompted) 
@@ -86,6 +86,11 @@ With: - 443 The port number of the SSH daemon on mybox.athome.nl ``` +Optional arguments: +``` +- -z Don't verify server SSL certificate (for example in case of self-signed certificate) +``` + If your proxy doesn't require the username and password for using it, you can skip these options. If you don't provide the password on the command-line (which is recommended) you will be prompted for it by From 20e1ea379a1d17c5cca4811ef077baebc5ebfeaa Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 2 Sep 2023 19:29:47 +0200 Subject: [PATCH 13/90] Add options to enforce IPv4 or IPv6 connections to the local proxy --- cmdline.c | 32 ++++++++++++++++++++++++++++++-- cmdline.h | 2 ++ docs/proxytunnel.1.adoc | 6 ++++++ proxytunnel.c | 4 ++++ 4 files changed, 42 insertions(+), 2 deletions(-) diff --git a/cmdline.c b/cmdline.c index d646747..bf6f102 100644 --- a/cmdline.c +++ b/cmdline.c @@ -73,6 +73,8 @@ void cmdline_parser_print_help (void) { " -z, --no-check-certificate Don't verify server SSL certificate\n" " -C, --cacert=STRING Path to trusted CA certificate or directory\n" #endif +" -4, --ipv4 Enforce IPv4 connection to local proxy\n" +" -6, --ipv6 Enforce IPv6 connection to local proxy\n" " -F, --passfile=STRING File with credentials for proxy authentication\n" " -P, --proxyauth=STRING Proxy auth credentials user:pass combination\n" " -R, --remproxyauth=STRING Remote proxy auth credentials user:pass combination\n" @@ -179,6 +181,8 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->host_arg = NULL; \ args_info->no_check_cert_flag = 0; \ args_info->cacert_arg = NULL; \ + args_info->enforceipv4_flag = 0; \ + args_info->enforceipv6_flag = 0; \ } clear_args(); 
@@ -227,12 +231,14 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar { "no-ssl3", 0, NULL, 'T' }, { "no-check-certificate",0,NULL,'z' }, { "cacert", 1, NULL, 'C' }, + { "ipv4", 0, NULL, '4' }, + { "ipv6", 0, NULL, '6' }, { NULL, 0, NULL, 0 } }; - c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:", long_options, &option_index); + c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:46", long_options, &option_index); #else - c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:" ); + c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:46" ); #endif if (c == -1) @@ -478,6 +484,28 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->cacert_arg = gengetopt_strdup (optarg); break; + case '4': /* Enforce IPv4 */ + if ( args_info->enforceipv6_flag ) { + fprintf( stderr, "%s: `--ipv4' (`-4') conflicts with `--ipv6' (`-6')\n", PACKAGE ); + clear_args(); + exit(1); + } + args_info->enforceipv4_flag = 1; + if( args_info->verbose_flag ) + message("IPv4 enforced\n"); + break; + + case '6': /* Enforce IPv6 */ + if ( args_info->enforceipv4_flag ) { + fprintf( stderr, "%s: `--ipv6' (`-6') conflicts with `--ipv4' (`-4')\n", PACKAGE ); + clear_args(); + exit(1); + } + args_info->enforceipv6_flag = 1; + if( args_info->verbose_flag ) + message("IPv6 enforced\n"); + break; + case 0: /* Long option with no short option */ case '?': /* Invalid option. */ diff --git a/cmdline.h b/cmdline.h index 6ce019a..d0fe282 100644 --- a/cmdline.h +++ b/cmdline.h 
@@ -53,6 +53,8 @@ struct gengetopt_args_info { int enforcetls1_flag; /* Override default and enforce TLSv1 */ char *host_arg; /* Optional Host Header */ int no_check_cert_flag; /* Turn off server SSL certificate verification (default=on) */ + int enforceipv4_flag; /* Enforce IPv4 (default=off). */ + int enforceipv6_flag; /* Enforce IPv6 (default=off). */ char *cacert_arg; /* Trusted CA certificate (or directory) for server SSL certificate verification */ int help_given; /* Whether help was given. */ int version_given; /* Whether version was given. */ diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 0be08f8..9649227 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc @@ -72,6 +72,12 @@ also be used for other proxy-traversing purposes like proxy bouncing. it must be prepared with OpenSSL's c_rehash tool. (default, unless changed at compile time using DEFAULT_CA_FILE or DEFAULT_CA_DIR options: /etc/ssl/certs) +*-4*, *--ipv4*:: + Enforce the use of IPv4 when connecting to the local proxy. + +*-6*, *--ipv6*:: + Enforce the use of IPv6 when connecting to the local proxy. + *-F*, *--passfile*=_filename_:: Use _filename_ for reading username and password for HTTPS proxy authentication, the file uses the same format as .wgetrc and can be shared diff --git a/proxytunnel.c b/proxytunnel.c index e5127d8..514fde5 100644 --- a/proxytunnel.c +++ b/proxytunnel.c @@ -77,6 +77,10 @@ int tunnel_connect() { char service[6]; int sd; + if ( args_info.enforceipv4_flag ) + hints.ai_family = AF_INET; + else if ( args_info.enforceipv6_flag ) + hints.ai_family = AF_INET6; rc = snprintf( service, sizeof(service), "%d", args_info.proxyport_arg ); if( ( rc < 0 ) || ( rc >= sizeof(service) ) ) { /* this should never happen */ From a04b20de16200e497a2bc0e1c17a53ae956a0e1d Mon Sep 17 00:00:00 2001 
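Review bot: The two assignments to `hints.ai_family` sit at the top of the visible block, but the initialization of `hints` is not in the hunk; if a `memset(&hints, 0, sizeof hints)` or an `AF_UNSPEC` assignment runs after this point, the family restriction is silently discarded, so please confirm the ordering in tunnel_connect(). A one-line comment would also spare the next reader a trip to the man page: `/* -4/-6 only constrain how the local proxy is reached; everything beyond it is tunnelled through that connection */`. Since cmdline.c already rejects `-4` together with `-6`, the `else if` is fine, but the implicit default (no flag, family left as initialized) deserves the same mention in that comment. tunnel_connect() begins and ends outside the hunk.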
From: Mark Janssen -- Sig-I/O Automatisering Date: Sun, 3 Sep 2023 00:05:19 +0200 Subject: [PATCH 14/90] Bump version and changelogs --- CHANGES | 4 ++++ config.h | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 61f94e2..1ca8c97 100755 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +Changes to proxytunnel 1.11-- Sun Sep 3 12:04:27 AM CEST 2023 + +- Patch from https://github.com/68420948 to add -4 and -6 options + Changes to proxytunnel 1.10.20220528 -- Sat 28 May 2022 03:54:20 PM CEST - Patch from https://github.com/ZjYwMj fixes https://github.com/proxytunnel/proxytunnel/issues/57 diff --git a/config.h b/config.h index 242236e..7f77b79 100644 --- a/config.h +++ b/config.h @@ -1,5 +1,5 @@ -/* Proxytunnel - (C) 2001-2008 Jos Visser / Mark Janssen */ -/* Contact: josv@osp.nl / maniac@maniac.nl */ +/* Proxytunnel - (C) 2001-2023 Jos Visser / Mark Janssen */ +/* Contact: josv@osp.nl / mark@sig-io.nl */ /* * This program is free software; you can redistribute it and/or modify @@ -17,7 +17,7 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#define VERSION "1.10.20210128" +#define VERSION "1.11" #define PACKAGE "proxytunnel" #define PURPOSE "Build generic tunnels through HTTPS proxies" #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) " From 08d0552ef433023c691c6e098a958a2f7482a28f Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Mon, 4 Sep 2023 12:43:45 +0200 Subject: [PATCH 15/90] Remediate faulty patch for #57 --- ptstream.c | 9 ++++----- ptstream.h | 1 - 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/ptstream.c b/ptstream.c index 7146862..0ba3bf4 100644 --- a/ptstream.c +++ b/ptstream.c 
@@ -341,11 +341,10 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { message( "Set SNI hostname to %s\n", peer_host); } res = SSL_set_tlsext_host_name(ssl, peer_host); - if (res != SSL_TLSEXT_ERR_OK) { - unsigned long ssl_err = (res == SSL_TLSEXT_ERR_ALERT_WARNING ? SSL_TLSEXT_ERR_ALERT_WARNING : ERR_get_error()); - message( "SSL_set_tlsext_host_name returned: %lu (0x%lx). " - "TLS SNI error, giving up\n", ssl_err, ssl_err ); - exit( 1 ); + if ( res != 1 ) { + message( "SSL_set_tlsext_host_name() failed for host name '%s'. " + "TLS SNI error, giving up\n", peer_host); + goto fail; } if ( SSL_connect (ssl) <= 0) { diff --git a/ptstream.h b/ptstream.h index 36610d9..ee36af2 100644 --- a/ptstream.h +++ b/ptstream.h @@ -21,7 +21,6 @@ #ifdef USE_SSL #include -#include #include #include #include From 620e08e5ce9bae4171d68bbe14d9fd2cf1ae40a2 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Wed, 13 Sep 2023 14:53:34 +0200 Subject: [PATCH 16/90] Fix NTLM based authentication on 64bit machines See #60 for details. --- ntlm.c | 2 +- ntlm.h | 53 ++++++++++++++++++++++++++++------------------------- 2 files changed, 29 insertions(+), 26 deletions(-) diff --git a/ntlm.c b/ntlm.c index 13928c4..598dbe7 100644 --- a/ntlm.c +++ b/ntlm.c @@ -54,7 +54,7 @@ int bloblen; unsigned char *t_info; int t_info_len; -unsigned long flags; +uint32_t flags; unsigned char lm2digest[LM2_DIGEST_LEN]; diff --git a/ntlm.h b/ntlm.h index 01a6434..3d91c8d 100644 --- a/ntlm.h +++ b/ntlm.h @@ -18,6 +18,9 @@ */ /* ntlm.h */ + +#include + void build_type1(); int parse_type2(unsigned char *buf); void build_type3_response(); 
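Review bot: The corrected `res != 1` check is right, but the failure message now carries no OpenSSL reason, and the same commit removes from ptstream.h the include the previous patch had added (apparently for error reporting), so a rejected SNI, for instance a `peer_host` longer than the 255-byte limit `SSL_ctrl` enforces, is indistinguishable from any other failure. Keep the include and append the reason: `message( "SSL_set_tlsext_host_name() failed for host name '%s': %s\n", peer_host, reason ? reason : "unknown" );` with `const char *reason = ERR_reason_error_string( ERR_get_error() );` computed just before. Note that `goto fail` replaces the old `exit( 1 )` here, so what the `fail` label cleans up, which is outside the hunk, now matters for this path too. stream_enable_ssl begins and ends outside the hunk.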
@@ -55,53 +58,53 @@ extern char ntlm_type3_buf[4096]; typedef struct { - unsigned short length; - unsigned short space; - unsigned long offset; + uint16_t length; + uint16_t space; + uint32_t offset; } security_buf_t; typedef struct { - unsigned char signature[8]; - unsigned long message_type; - unsigned long flags; + uint8_t signature[8]; + uint32_t message_type; + uint32_t flags; security_buf_t domain; security_buf_t workstation; } ntlm_type1; typedef struct { - unsigned char signature[8]; - unsigned long message_type; + uint8_t signature[8]; + uint32_t message_type; security_buf_t target_name; - unsigned long flags; - unsigned char challenge[8]; - unsigned long context1; - unsigned long context2; + uint32_t flags; + uint8_t challenge[8]; + uint32_t context1; + uint32_t context2; security_buf_t target_info; - unsigned char data_start; + uint8_t data_start; } ntlm_type2; typedef struct { - unsigned char signature[8]; - unsigned long message_type; + uint8_t signature[8]; + uint32_t message_type; security_buf_t LM_response; security_buf_t NTLM_response; security_buf_t domain; security_buf_t user; security_buf_t workstation; - unsigned char session[8]; - unsigned long flags; - unsigned char pad[8]; + uint8_t session[8]; + uint32_t flags; + uint8_t pad[8]; } ntlm_type3; typedef struct { - unsigned char digest[16]; - unsigned long signature; - unsigned long reserved; - unsigned long long timestamp; - unsigned char client_challenge[8]; - unsigned long unknown; - unsigned long data_start; + uint8_t digest[16]; + uint32_t signature; + uint32_t reserved; + uint64_t timestamp; + uint8_t client_challenge[8]; + uint32_t unknown; + uint32_t data_start; } blob; // vim:noexpandtab:ts=4 From 70935051eb9368e6ac79fd51770901f31fa0c6b9 Mon Sep 17 00:00:00 2001 
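Review bot: The fixed-width types fix the field sizes on 64-bit hosts, but these structs are evidently overlaid on the raw NTLM messages (`uint8_t data_start` marks where the variable part begins), and the multi-byte fields are still read in host byte order, so the fix holds on little-endian machines only; a comment such as `/* NTLM wire format is little-endian; fields are accessed in host order (LE hosts only) */` on `security_buf_t`, or `le32toh()`/`le16toh()` accessors, would make that explicit. More importantly, the `offset`/`length` pairs in `security_buf_t` are values supplied by the proxy's Type 2 message, yet the declared `parse_type2(unsigned char *buf)` takes no buffer length, so there is nowhere to bound-check them against the bytes actually received; please confirm how ntlm.c validates them before indexing, and consider adding a `size_t len` parameter. Layout-wise the new types leave no interior padding, except that `ntlm_type2` is 49 bytes padded to 52, which only matters if `sizeof(ntlm_type2)` rather than `&data_start` is ever used as an offset.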
From: Sven Geuer <68420948@users.noreply.github.com> Date: Wed, 27 Sep 2023 16:29:56 +0200 Subject: [PATCH 17/90] Remove the author and the revision line The author line results in a second garbled author paragraph in addition to the author paragraph already included in the document. The revision line provides only static data. The attributes revnumber and revdate will be set dynamically via command line instead. --- docs/proxytunnel.1.adoc | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 9649227..16d1809 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc @@ -1,6 +1,4 @@ = proxytunnel(1) -Proxytunnel developers -v1.9.0, Augustus 2008 == NAME From afbab76cf14acc37b12ec98ee129c873b329ee37 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Wed, 27 Sep 2023 16:55:56 +0200 Subject: [PATCH 18/90] Add macros VERSION_YEAR and VERSION_DATE --- config.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config.h b/config.h index 7f77b79..f75fec6 100644 --- a/config.h +++ b/config.h @@ -18,6 +18,8 @@ */ #define VERSION "1.11" +#define VERSION_YEAR "2023" +#define VERSION_DATE "2023-09-03" #define PACKAGE "proxytunnel" #define PURPOSE "Build generic tunnels through HTTPS proxies" #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) " From 2f733348ccc6d63d4014a80088cfa6c5077e8da7 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Wed, 27 Sep 2023 17:01:00 +0200 Subject: [PATCH 19/90] Use VERSION_YEAR to build an up-to-date copyright string --- cmdline.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdline.c b/cmdline.c index bf6f102..8b2a0f7 100644 --- a/cmdline.c +++ b/cmdline.c 
@@ -38,7 +38,7 @@ extern char * optarg; static char *getCredentialsFromFile( const char* filename, char **user, char **pass, char **rem_user, char **rem_pass); void cmdline_parser_print_version (void) { - printf ("%s %s Copyright 2001-2020 Proxytunnel Project\n", PACKAGE, VERSION); + printf ("%s %s Copyright 2001-%s Proxytunnel Project\n", PACKAGE, VERSION, VERSION_YEAR); } void cmdline_parser_print_help (void) { From 5888c89a3c2766017a869ae32a120e25d26e8230 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Wed, 27 Sep 2023 17:04:22 +0200 Subject: [PATCH 20/90] Submit VERSION and VERSION_DATE when generating the manual page --- docs/Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/Makefile b/docs/Makefile index f313c38..8e71490 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -5,6 +5,9 @@ mandir = $(datadir)/man adoctargets = $(shell echo *.adoc) htmltargets = $(patsubst %.adoc, %.html, $(adoctargets)) +version = $(shell grep ' VERSION ' ../config.h | cut -d'"' -f2) +version_date = $(shell grep ' VERSION_DATE ' ../config.h | cut -d'"' -f2) + docs: proxytunnel.1 $(htmltargets) install: proxytunnel.1 @@ -15,7 +18,7 @@ clean: rm -f proxytunnel.1 *.html *.xml %.1.html: %.1.adoc - asciidoc -d manpage $< + asciidoc -d manpage -arevnumber=$(version) -arevdate=$(version_date) $< %.1: %.1.xml xmlto man $< @@ -24,4 +27,4 @@ clean: asciidoc $< %.1.xml: %.1.adoc - asciidoc -b docbook -d manpage $< + asciidoc -b docbook -d manpage -arevnumber=$(version) -arevdate=$(version_date) $< From 62f57fd8658c7e36901fd3c79707d3e4e843da78 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Wed, 27 Sep 2023 17:36:36 +0200 Subject: [PATCH 21/90] Quote colons (:) in _host_:_port_ and similar strings This makes sure the substring after the colon is displayed with the intended text styles. --- docs/proxytunnel.1.adoc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 16d1809..9cea792 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc @@ -24,14 +24,14 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-a*, *--standalone*=_port_:: Run as standalone daemon on specified _port_ -*-p*, *--proxy*=_host_:_port_:: +*-p*, *--proxy*=_host_++:++_port_:: Use _host_ and _port_ as the local proxy to connect to, if not specified the *HTTP_PROXY* environment variable, if set, will be used instead -*-r*, *--remproxy*=_host_:_port_:: +*-r*, *--remproxy*=_host_++:++_port_:: Use _host_ and _port_ as the remote (secondary) proxy to connect to -*-d*, *--dest*=_host_:_port_:: +*-d*, *--dest*=_host_++:++_port_:: Use _host_ and _port_ as the destination for the tunnel, you can also specify them as the argument to the proxytunnel command @@ -82,7 +82,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. with wget. Use this option, or environment variables to hide the password from other users -*-P*, *--proxyauth*=_username_:_password_:: +*-P*, *--proxyauth*=_username_++:++_password_:: Use _username_ and _password_ as credentials to authenticate against a local HTTPS proxy, the username and password can also be specified in the *PROXYUSER* and *PROXYPASS* environment variables to hide them from @@ -90,7 +90,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. If the _password_ is omitted and no *PROXYPASS* environment variable is set, proxytunnel will prompt for a password -*-R*, *--remproxyauth*=_username_:_password_:: +*-R*, *--remproxyauth*=_username_++:++_password_:: Use _username_ and _password_ as credentials to authenticate against a remote (secondary) HTTPS proxy, the username and password can also be specified in the *REMPROXYUSER* and *REMPROXYPASS* environment variables 
@@ -127,7 +127,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. == ARGUMENTS -_host_:_port_ is the destination hostname and port number combination +_host_++:++_port_ is the destination hostname and port number combination NOTE: Specifying the destination as arguments is exactly the same as specifying them using the *-d* or *--dest* option. From 034963563587ad4802f4c6b11e0658f61a2bcb98 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sun, 1 Oct 2023 21:09:49 +0200 Subject: [PATCH 22/90] Harmonize output of --help and manual page Also fix some typos and missing newlines. --- cmdline.c | 16 ++++++++-------- docs/proxytunnel.1.adoc | 18 ++++++++++++------ 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/cmdline.c b/cmdline.c index 8b2a0f7..7dcba7a 100644 --- a/cmdline.c +++ b/cmdline.c @@ -51,7 +51,7 @@ void cmdline_parser_print_help (void) { // FIXME: " -c, --config=FILE Read config options from file\n" " -i, --inetd Run from inetd (default: off)\n" " -a, --standalone=INT Run as standalone daemon on specified port\n" -// FIXME: " -f, --nobackground Don't for tok background in standalone mode\n" +// FIXME: " -f, --nobackground Don't fork to background in standalone mode\n" " -p, --proxy=STRING Local proxy host:port combination\n" " -r, --remproxy=STRING Remote proxy host:port combination (using 2 proxies)\n" " -d, --dest=STRING Destination host:port combination\n" 
@@ -59,17 +59,17 @@ void cmdline_parser_print_help (void) { " -e, --encrypt SSL encrypt data between local proxy and destination\n" " -E, --encrypt-proxy SSL encrypt data between client and local proxy\n" " -X, --encrypt-remproxy SSL encrypt data between local and remote proxy\n" +#endif +"\n" +"Additional options for specific features:\n" +#ifdef USE_SSL " -W, --wa-bug-29744 Workaround ASF Bugzilla 29744: if SSL is active stop\n" " using it after CONNECT (might not work on all setups; see\n" " /usr/share/doc/proxytunnel/README.Debian.gz)\n" " -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards\n" " compatibility\n" -" -L (legacy) enforce TLSv1 connection\n" +" -L Enforce TLSv1 connection (legacy)\n" " -T, --no-ssl3 Do not connect using SSLv3\n" -#endif -"\n" -"Additional options for specific features:\n" -#ifdef USE_SSL " -z, --no-check-certificate Don't verify server SSL certificate\n" " -C, --cacert=STRING Path to trusted CA certificate or directory\n" #endif @@ -85,7 +85,7 @@ void cmdline_parser_print_help (void) { " -N, --ntlm Use NTLM based authentication\n" " -t, --domain=STRING NTLM domain (default: autodetect)\n" " -H, --header=STRING Add additional HTTP headers to send to proxy\n" -" -o STRING send custom Host Header\n" +" -o STRING Send custom Host Header\n" #ifdef SETPROCTITLE " -x, --proctitle=STRING Use a different process title\n" #endif @@ -312,7 +312,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar case 'L': args_info->enforcetls1_given = 1; - message("Enforcing TLSv1"); + message("Enforcing TLSv1\n"); args_info->enforcetls1_flag = 1; break; diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 9cea792..7015982 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc 
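Review bot: The fixed `message("Enforcing TLSv1\n")` in `case 'L'` is still printed unconditionally, whereas the other option handlers added in this series (`-4`/`-6`) only report under `args_info->verbose_flag`; gate it the same way: `if( args_info->verbose_flag ) message("Enforcing TLSv1\n");`. While the help text is being harmonized, "(legacy)" undersells the risk: if the flag selects the TLSv1 method as its name suggests, it pins a deprecated protocol (RFC 8996), so `" -L Enforce TLSv1 connection (legacy, deprecated: TLS 1.0 only)\n"` would be more honest. The matching man-page entry in this commit reads "Send a customer Host Header", a typo for "custom". The getopt switch in cmdline_parser() begins and ends outside the hunk.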
@@ -44,16 +44,19 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-X*, *--encrypt-remproxy*:: SSL encrypt data between local and remote (secondary) proxy +== ADDITIONAL OPTIONS + *-W*, *--wa-bug-29744*:: - If SSL is in use (by *-e*, *-E*, *-X* options), stop using it - immediately after the CONNECT exchange to workaround apache server - bugs. (This might not work on all setups; see + Workaround ASF Bugzilla 29744: If SSL is in use (by *-e*, *-E*, *-X* + options), stop using it immediately after the CONNECT exchange to + workaround apache server bugs. (This might not work on all setups; see /usr/share/doc/proxytunnel/README.Debian.gz for more details.) *-B*, *--buggy-encrypt-proxy*:: Equivalent to *-E -W*. (Provided for backwards compatibility.) -== ADDITIONAL OPTIONS +*-L*:: + Enforce TLSv1 connection (legacy) *-T*, *--no-ssl3*:: Prevent the use of SSLv3 in encrypted connections (default: enabled) @@ -99,7 +102,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. set, proxytunnel will prompt for a password *-N*, *--ntlm*:: - Use NTLM basd authentication + Use NTLM based authentication *-t*, *--domain*=_STRING_:: Specify NTLM domain (default: autodetect) @@ -107,6 +110,9 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-H*, *--header*=_STRING_:: Add additional HTTP headers to send to proxy +*-o* _STRING_:: + Send a customer Host Header + *-x*, *--proctitle*=_STRING_:: Use a different process title @@ -170,7 +176,7 @@ Host system.athome.nl NOTE: The +ServerAliveInterval+ directive makes sure that idle connections are not being dropped by intermediate firewalls that remove active sessions -aggresively. If you see your connection dropping out, try to lower the value +aggressively. If you see your connection dropping out, try to lower the value even more. To use the dynamic (SOCKS) portforwarding capability of the SSH client, you From c76499093b7348ba8686b3e2f3a02cee62004489 Mon Sep 17 00:00:00 2001 
From: Sven Geuer <68420948@users.noreply.github.com> Date: Mon, 16 Oct 2023 18:40:29 +0200 Subject: [PATCH 23/90] Drop obsolete Makefile flavor. --- Makefile.ssl10 | 106 ------------------------------------------------- 1 file changed, 106 deletions(-) delete mode 100644 Makefile.ssl10 diff --git a/Makefile.ssl10 b/Makefile.ssl10 deleted file mode 100644 index 9f931a2..0000000 --- a/Makefile.ssl10 +++ /dev/null 
@@ -1,106 +0,0 @@ -# Makefile for proxytunnel -# -# Please uncomment the appropriate settings - -name = proxytunnel -version = $(shell awk 'BEGIN { FS="\"" } /^\#define VERSION / { print $$2 }' config.h) - -CC ?= cc -CFLAGS ?= -Wall -O2 -ggdb -DOPENSSL10 - -# Comment on non-gnu systems -OPTFLAGS += -DHAVE_GETOPT_LONG - -# Comment if you don't have/want ssl -OPTFLAGS += -DUSE_SSL - -# Most systems -OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2 - -# Comment if you don't have this flag -OPTFLAGS += -DSO_REUSEPORT - -# System dependant blocks... if your system is listed below, uncomment -# the relevant lines - -# OpenBSD -#OPTFLAGS += -DHAVE_SYS_PSTAT_H - -# DARWIN -#OPTFLAGS += -DDARWIN - -# CYGWIN -#OPTFLAGS += -DCYGWIN - -# SOLARIS -#LDFLAGS += -lsocket -lnsl -#LDFLAGS += -L/usr/local/ssl/lib # Path to your SSL lib dir - -# END system dependant block - -SSL_LIBS := $(shell pkg-config --libs openssl 2>/dev/null) -ifeq ($(SSL_LIBS),) -SSL_LIBS := $(shell pkg-config --libs libssl 2>/dev/null) -endif -ifeq ($(SSL_LIBS),) -SSL_LIBS := -lssl -lcrypto -endif -LDFLAGS += $(SSL_LIBS) - -prefix = /usr/local -bindir = $(prefix)/bin -datadir = $(prefix)/share -mandir = $(datadir)/man - -# Remove strlcpy/strlcat on (open)bsd/darwin systems -OBJ = proxytunnel.o \ - base64.o \ - strzcat.o \ - setproctitle.o \ - io.o \ - http.o \ - basicauth.o \ - globals.o \ - readpassphrase.o \ - messages.o \ - cmdline.o \ - ntlm.o \ - ptstream.o - -UNAME = $(shell uname) -ifneq ($(UNAME),Darwin) -OBJ += strlcpy.o \ - strlcat.o -endif - -.PHONY: all clean docs install - -all: proxytunnel - -docs: - $(MAKE) -C docs - -proxytunnel: $(OBJ) - $(CC) -o $(name) $(CFLAGS) $(OPTFLAGS) $(OBJ) $(LDFLAGS) - -clean: - @rm -f $(name) $(OBJ) - $(MAKE) -C docs clean - -install: - install -d $(DESTDIR)$(bindir) - install -p -m555 $(name) $(DESTDIR)$(bindir) - $(MAKE) -C docs install - -.c.o: - $(CC) $(CFLAGS) $(OPTFLAGS) -c -o $@ $< - -dist: clean docs - sed -i -e 's/^Version:.*$$/Version: $(version)/' 
contrib/proxytunnel.spec - find . ! -wholename '*/.svn*' | pax -d -w -x ustar -s ,^./,$(name)-$(version)/, | bzip2 >../$(name)-$(version).tar.bz2 - -rpm: dist - rpmbuild -tb --clean --rmsource --rmspec --define "_rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" --define "_rpmdir ../" ../$(name)-$(version).tar.bz2 - -srpm: dist - rpmbuild -ts --clean --rmsource --rmspec --define "_rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" --define "_srcrpmdir ../" ../$(name)-$(version).tar.bz2 From 352c89cd5a7b61fd5875fbb16da1211d03b271f0 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Mon, 16 Oct 2023 21:01:01 +0200 Subject: [PATCH 24/90] Bump version and changelogs --- CHANGES | 17 +++++++++++++++-- config.h | 4 ++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 1ca8c97..4a88d3f 100755 --- a/CHANGES +++ b/CHANGES 
@@ -1,10 +1,23 @@ -Changes to proxytunnel 1.11-- Sun Sep 3 12:04:27 AM CEST 2023 +Changes to proxytunnel 1.11.1 -- Mon Oct 16 20:01:04 CEST 2023 + +- Remediate the faulty patch for issue #57, thanks to https://github.com/e9hack + and https://github.com/yurivict for raising issues #59 and #69 +- Fix NTLM based authentication on 64bit machines, thanks to + https://github.com/e9hack for raising issue #60 +- Harmonize output of option --help and content of the manual page +- Correct formatting errors and typos in the manual page +- Make config.c central for setting version related information in the manual + page and the application +- Return to version number format major.minor.patch + +Changes to proxytunnel 1.11 -- Sun Sep 3 12:04:27 AM CEST 2023 - Patch from https://github.com/68420948 to add -4 and -6 options Changes to proxytunnel 1.10.20220528 -- Sat 28 May 2022 03:54:20 PM CEST -- Patch from https://github.com/ZjYwMj fixes https://github.com/proxytunnel/proxytunnel/issues/57 +- Patch from https://github.com/ZjYwMj fixes + https://github.com/proxytunnel/proxytunnel/issues/57 Changes to proxytunnel 1.10.20210609 -- Wed Jun 9 11:55:54 CEST 2021 diff --git a/config.h b/config.h index f75fec6..0faa2d9 100644 --- a/config.h +++ b/config.h @@ -17,9 +17,9 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#define VERSION "1.11" +#define VERSION "1.11.1" #define VERSION_YEAR "2023" -#define VERSION_DATE "2023-09-03" +#define VERSION_DATE "2023-10-16" #define PACKAGE "proxytunnel" #define PURPOSE "Build generic tunnels through HTTPS proxies" #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) " From be12e0219a1ea73daaf10a41b7f8a8eb0f0c0dcb Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 2 Dec 2023 18:28:13 +0100 Subject: [PATCH 25/90] Add long options missing from --help and manual page --- cmdline.c | 4 ++-- docs/proxytunnel.1.adoc | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/cmdline.c b/cmdline.c index 7dcba7a..b32761f 100644 --- a/cmdline.c +++ b/cmdline.c @@ -68,7 +68,7 @@ void cmdline_parser_print_help (void) { " /usr/share/doc/proxytunnel/README.Debian.gz)\n" " -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards\n" " compatibility\n" -" -L Enforce TLSv1 connection (legacy)\n" +" -L, --tlsenforce Enforce TLSv1 connection (legacy)\n" " -T, --no-ssl3 Do not connect using SSLv3\n" " -z, --no-check-certificate Don't verify server SSL certificate\n" " -C, --cacert=STRING Path to trusted CA certificate or directory\n" @@ -85,7 +85,7 @@ void cmdline_parser_print_help (void) { " -N, --ntlm Use NTLM based authentication\n" " -t, --domain=STRING NTLM domain (default: autodetect)\n" " -H, --header=STRING Add additional HTTP headers to send to proxy\n" -" -o STRING Send custom Host Header\n" +" -o, --host=STRING Send custom Host Header\n" #ifdef SETPROCTITLE " -x, --proctitle=STRING Use a different process title\n" #endif diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 7015982..16e23f2 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc @@ -55,7 +55,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-B*, *--buggy-encrypt-proxy*:: Equivalent to *-E -W*. (Provided for backwards compatibility.) -*-L*:: +*-L*, *--tlsenforce*:: Enforce TLSv1 connection (legacy) *-T*, *--no-ssl3*:: @@ -110,7 +110,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-H*, *--header*=_STRING_:: Add additional HTTP headers to send to proxy -*-o* _STRING_:: +*-o*, *--host*=_STRING_:: Send a customer Host Header *-x*, *--proctitle*=_STRING_:: From b314a1c725a3e17da5024946b7cd2703fdfcae5a Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 2 Dec 2023 18:33:33 +0100 Subject: [PATCH 26/90] Fix configuration of option --tlsenforce --- cmdline.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cmdline.c b/cmdline.c index b32761f..529e3b7 100644 --- a/cmdline.c +++ b/cmdline.c @@ -216,7 +216,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar { "remproxyauth", 1, NULL, 'R' }, { "proctitle", 1, NULL, 'x' }, { "host", 1, NULL, 'o' }, - { "tlsenforce", 1, NULL, 'L' }, + { "tlsenforce", 0, NULL, 'L' }, { "header", 1, NULL, 'H' }, { "verbose", 0, NULL, 'v' }, { "ntlm", 0, NULL, 'N' }, From f2fdb5ee896d7116db224e0d667a89ca7e6b11f5 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 2 Dec 2023 18:44:53 +0100 Subject: [PATCH 27/90] Fix a typo --- docs/proxytunnel.1.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 16e23f2..cf2846e 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc @@ -111,7 +111,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. Add additional HTTP headers to send to proxy *-o*, *--host*=_STRING_:: - Send a customer Host Header + Send a custom Host Header *-x*, *--proctitle*=_STRING_:: Use a different process title From 8d6943585437701ebc055473d48ebdd31623b427 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 2 Dec 2023 19:02:24 +0100 Subject: [PATCH 28/90] Ignore generated documentation files --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 292e8da..094661f 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,5 @@ proxytunnel.exe proxytunnel passfile test.sh +docs/*.html +docs/*.1 From 470ac87f7367228dee6a94b921ac4eb082234dee Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 2 Dec 2023 19:37:56 +0100 Subject: [PATCH 29/90] Use alloca() instead of malloc() This make code more readable and spares us some explicit calls to free(). --- ptstream.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) 
diff --git a/ptstream.c b/ptstream.c index 0ba3bf4..6131fa4 100644 --- a/ptstream.c +++ b/ptstream.c @@ -327,10 +327,7 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { /* Determine the host name we are connecting to */ proxy_arg_len = strlen(proxy_arg); - if ((peer_host = malloc(proxy_arg_len + 1)) == NULL) { - message("Out of memory\n"); - goto fail; - } + peer_host = alloca(proxy_arg_len + 1); snprintf( proxy_arg_fmt, sizeof(proxy_arg_fmt), proxy_arg[0] == '[' ? "[%%%zu[^]]]" : "%%%zu[^:]", proxy_arg_len - 1 ); if ( sscanf( proxy_arg, proxy_arg_fmt, peer_host ) != 1 ) { goto fail; @@ -373,7 +370,6 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { goto fail; } - free(peer_host); X509_free(cert); } @@ -391,9 +387,6 @@ fail: if (cert != NULL) { X509_free(cert); } - if (peer_host != NULL) { - free(peer_host); - } #endif /* USE_SSL */ exit(1); } From 097a0a2453f0bf87bd47b3833a71493d0c4a5140 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 2 Dec 2023 19:49:20 +0100 Subject: [PATCH 30/90] Honor -o/--host on determining the SNI host name --- ptstream.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/ptstream.c b/ptstream.c index 6131fa4..1fae54c 100644 --- a/ptstream.c +++ b/ptstream.c 
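Review bot: The `alloca(proxy_arg_len + 1)` that replaces the checked malloc has no failure path: the removed `Out of memory` branch is not replaced by a bound, and a stack allocation larger than the remaining stack is undefined behaviour rather than a NULL return. proxy_arg comes from the command line here, so the size is limited by the OS argument limit in practice, but a guard such as `if (proxy_arg_len > 255) goto fail;` (DNS names are at most 253 characters) would keep the function robust and document the assumption; alloca() is also not ISO C. The `proxy_arg_len - 1` width in the retained snprintf underflows to SIZE_MAX when proxy_arg is an empty string, which is pre-existing but now sits next to the unchecked allocation. The two `free(peer_host)` removals in the other hunks are consistent with the change. stream_enable_ssl starts and ends outside the hunk.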
@@ -326,11 +326,15 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { SSL_set_wfd (ssl, stream_get_outgoing_fd(pts)); /* Determine the host name we are connecting to */ - proxy_arg_len = strlen(proxy_arg); - peer_host = alloca(proxy_arg_len + 1); - snprintf( proxy_arg_fmt, sizeof(proxy_arg_fmt), proxy_arg[0] == '[' ? "[%%%zu[^]]]" : "%%%zu[^:]", proxy_arg_len - 1 ); - if ( sscanf( proxy_arg, proxy_arg_fmt, peer_host ) != 1 ) { - goto fail; + if (args_info.host_given ) + peer_host = args_info.host_arg; + else { + proxy_arg_len = strlen(proxy_arg); + peer_host = alloca(proxy_arg_len + 1); + snprintf( proxy_arg_fmt, sizeof(proxy_arg_fmt), proxy_arg[0] == '[' ? "[%%%zu[^]]]" : "%%%zu[^:]", proxy_arg_len - 1 ); + if ( sscanf( proxy_arg, proxy_arg_fmt, peer_host ) != 1 ) { + goto fail; + } } /* SNI support */ From 5b0e803f25023ae4d752e34dd0fe2960767befd7 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 2 Dec 2023 21:15:23 +0100 Subject: [PATCH 31/90] Some more alloca() instead of malloc() --- basicauth.c | 4 +--- ntlm.c | 22 +++------------------- 2 files changed, 4 insertions(+), 22 deletions(-) diff --git a/basicauth.c b/basicauth.c index ccb843c..cc857e2 100644 --- a/basicauth.c +++ b/basicauth.c @@ -35,7 +35,7 @@ char *basicauth(char *user, char *pass) { char *b64str = malloc(160); int len = strlen( user ) + strlen( pass ) + 2; - char *p = (char *) malloc( len ); + char *p = (char *) alloca( len ); /* Set up the cookie in clear text */ sprintf( p, "%s:%s", user, pass ); @@ -50,8 +50,6 @@ char *basicauth(char *user, char *pass) { // message( "Proxy basic auth of %s is %s\n", p, basicauth ); // } - free( p ); - return b64str; } diff --git a/ntlm.c b/ntlm.c index 598dbe7..21c8b62 100644 --- a/ntlm.c +++ b/ntlm.c 
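Review bot: `args_info.host_arg` is assigned to peer_host verbatim, without the `%[^:]`/bracket parsing applied to proxy_arg, so a `-o host:port` value would be used as the SNI name including the port; the later patch in this series ("Correct derivation of peer_host") reworks exactly this, so the two should probably be squashed. As a point of style, the `if` branch is brace-less while the `else` branch is braced; bracing both, `if (args_info.host_given) {`, matches the rest of the function. stream_enable_ssl starts and ends outside the hunk.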
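Review bot: The alloca'd `p` is sized from `len`, but the `b64str` buffer kept as context two lines above is a fixed `malloc(160)` that does not scale with `len`: base64 expands its input by 4/3, so once the `user:pass` string approaches 120 bytes the encoded cookie plus terminator no longer fits in 160 bytes, and the `%80[^:]:%80s` parse of `-P` already allows 161. Whether that overflows depends on the base64 call outside this hunk bounding its output, which is not visible here; sizing it as `char *b64str = malloc(((len + 2) / 3) * 4 + 1);` removes the dependency. For the same reason `sprintf( p, ... )` could become `snprintf( p, len, "%s:%s", user, pass );`. basicauth's remaining lines are outside the hunk.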
@@ -62,11 +62,7 @@ void build_type1() { ntlm_type1 *type1; int len = sizeof(ntlm_type1) + sizeof(unsigned char) * TYPE1_DATA_SEG; - type1 = (ntlm_type1 *)malloc(len); - if (!type1) { - message("Fatal Error in build type1, Malloc failed\n"); - exit(-1); - } + type1 = (ntlm_type1 *)alloca(len); memset(type1, 0, len); type1->signature[0] = 'N'; @@ -83,7 +79,6 @@ void build_type1() { base64((unsigned char *)ntlm_type1_buf, (unsigned char *)type1, len); - free(type1); return; } @@ -181,11 +176,7 @@ void build_type3_response() { len = sizeof(ntlm_type3) + sizeof(unsigned char) * (LM2_DIGEST_LEN + bloblen + (strlen(domain) + strlen(args_info.user_arg) + strlen(workstation)) * sp); - type3 = (ntlm_type3 *)malloc(len); - if (!type3) { - message("Fatal Error in build type3, Malloc failed\n"); - exit(-1); - } + type3 = (ntlm_type3 *)alloca(len); t3 = (unsigned char *) type3; memset(type3, 0, len); @@ -231,7 +222,6 @@ void build_type3_response() { base64((unsigned char *)ntlm_type3_buf, (unsigned char *)type3, len); - free(type3); return; } @@ -339,12 +329,8 @@ void build_ntlm2_response() { } userdomlen = sizeof(unsigned char) * (strlen(args_info.user_arg) + strlen(domain)) * 2; - userdom = (unsigned char *)malloc(userdomlen); + userdom = (unsigned char *)alloca(userdomlen); memset(userdom, 0, userdomlen); - if (!userdom) { - message("Fatal Error in build_ntlm2_response, Malloc failed\n"); - exit(-1); - } userdomlen = 0; for (i = 0; i < strlen(args_info.user_arg); i++) { @@ -378,8 +364,6 @@ void build_ntlm2_response() { hmac_md5(userdom, userdomlen, passdigest, 16, userdomdigest); - free(userdom); - if( args_info.verbose_flag ) { message("HMAC_MD5 of userdom keyed with MD4 pass is: "); for( i = 0; i < 16; i++) From 51c3a0be035609265250f17745f8174402a6b9bf Mon Sep 17 00:00:00 2001 
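Review bot: In the `build_type3_response` hunk `len` includes `bloblen` plus the lengths of domain, user and workstation, and it now sizes an `alloca()` with no fallback where the malloc had an explicit failure exit; if bloblen is derived from the proxy's Type 2 message (not visible here), the stack allocation is sized by peer-supplied data, and alloca() exhaustion is a stack overflow rather than a NULL return. A guard before each alloca, `if (len > NTLM_MSG_MAX) { message("NTLM message too large\n"); exit(-1); }` with NTLM_MSG_MAX a project-chosen constant, would retain the old safety margin; the same applies to the `build_type1` and `build_ntlm2_response` hunks. The `(ntlm_type1 *)`, `(ntlm_type3 *)` and `(unsigned char *)` casts on the alloca result are unnecessary in C. The enclosing functions start and end outside the hunks.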
From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 2 Dec 2023 23:20:48 +0100 Subject: [PATCH 32/90] Flag it as a version under development --- config.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config.h b/config.h index 0faa2d9..7b1284c 100644 --- a/config.h +++ b/config.h @@ -17,9 +17,9 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#define VERSION "1.11.1" +#define VERSION "1.11.2-DEVEL" #define VERSION_YEAR "2023" -#define VERSION_DATE "2023-10-16" +#define VERSION_DATE "2023-12-02" #define PACKAGE "proxytunnel" #define PURPOSE "Build generic tunnels through HTTPS proxies" #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) " From a65239015dec49347b1d327b8cb6f780e415afcb Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sun, 10 Dec 2023 22:45:17 +0100 Subject: [PATCH 33/90] Correct derivation of peer_host Combine the derivations from proxy_arg and args_info.host_arg. --- ptstream.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/ptstream.c b/ptstream.c index 1fae54c..33010a1 100644 --- a/ptstream.c +++ b/ptstream.c @@ -274,9 +274,10 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { const char *ca_dir = DEFAULT_CA_DIR; /* Default cert directory from Makefile */ #endif /* !DEFAULT_CA_DIR */ long vresult; + const char *peer_arg = NULL; + size_t peer_arg_len; + char peer_arg_fmt[32]; char *peer_host = NULL; - char proxy_arg_fmt[32]; - size_t proxy_arg_len; /* Initialise the connection */ SSLeay_add_ssl_algorithms(); 
@@ -326,15 +327,12 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { SSL_set_wfd (ssl, stream_get_outgoing_fd(pts)); /* Determine the host name we are connecting to */ - if (args_info.host_given ) - peer_host = args_info.host_arg; - else { - proxy_arg_len = strlen(proxy_arg); - peer_host = alloca(proxy_arg_len + 1); - snprintf( proxy_arg_fmt, sizeof(proxy_arg_fmt), proxy_arg[0] == '[' ? "[%%%zu[^]]]" : "%%%zu[^:]", proxy_arg_len - 1 ); - if ( sscanf( proxy_arg, proxy_arg_fmt, peer_host ) != 1 ) { - goto fail; - } + peer_arg = args_info.host_given ? args_info.host_arg : proxy_arg; + peer_arg_len = strlen(peer_arg); + peer_host = alloca(peer_arg_len + 1); + snprintf( peer_arg_fmt, sizeof(peer_arg_fmt), peer_arg[0] == '[' ? "[%%%zu[^]]]" : "%%%zu[^:]", peer_arg_len); + if ( sscanf( peer_arg, peer_arg_fmt, peer_host ) != 1 ) { + goto fail; } /* SNI support */ From a425fa20d8b6ffdbe7889e476e3760c5fc5abf3a Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Mon, 11 Dec 2023 18:31:42 +0100 Subject: [PATCH 34/90] On SSL connections, introduce authentication by client certificate --- cmdline.c | 42 ++++++++++++++++++++++++++++++++++++++--- cmdline.h | 4 ++++ docs/proxytunnel.1.adoc | 22 +++++++++++++++++++-- ptstream.c | 12 ++++++++++++ 4 files changed, 75 insertions(+), 5 deletions(-) diff --git a/cmdline.c b/cmdline.c index 529e3b7..ab96d96 100644 --- a/cmdline.c +++ b/cmdline.c 
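Review bot: With peer_arg empty (`-o ''`, or an empty proxy_arg) `peer_arg_len` is 0 and the format produced by snprintf becomes `%0[^:]`; C11 7.21.6.2 requires a field width greater than zero, so sscanf's behaviour is undefined there instead of failing cleanly. A guard before the alloca, `if ( peer_arg_len == 0 ) { goto fail; }`, closes that case and is the natural place for an upper bound on the stack allocation as well. Changing the width from `len - 1` to `len` is correct for the `len + 1` buffer, since sscanf writes at most width characters plus the terminator. stream_enable_ssl starts and ends outside the hunk.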
@@ -78,6 +78,10 @@ void cmdline_parser_print_help (void) { " -F, --passfile=STRING File with credentials for proxy authentication\n" " -P, --proxyauth=STRING Proxy auth credentials user:pass combination\n" " -R, --remproxyauth=STRING Remote proxy auth credentials user:pass combination\n" +#ifdef USE_SSL +" -c, --cert=FILENAME client SSL certificate (chain)\n" +" -k, --key=FILENAME client SSL key\n" +#endif // " -u, --user=STRING Username for proxy authentication\n" // " -s, --pass=STRING Password for proxy authentication\n" // " -U, --uservar=STRING Environment variable that holds username\n" @@ -145,6 +149,8 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->encrypt_given = 0; args_info->encryptproxy_given = 0; args_info->encryptremproxy_given = 0; + args_info->clientcert_given = 0; + args_info->clientkey_given = 0; args_info->wa_bug_29744_given = 0; args_info->proctitle_given = 0; args_info->enforcetls1_given = 0; @@ -174,6 +180,8 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->encrypt_flag = 0; \ args_info->encryptproxy_flag = 0; \ args_info->encryptremproxy_flag = 0; \ + args_info->clientcert_arg = NULL; \ + args_info->clientkey_arg = NULL; \ args_info->wa_bug_29744_flag = 0; \ args_info->no_ssl3_flag = 0; \ args_info->proctitle_arg = NULL; \ @@ -226,6 +234,8 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar { "encrypt", 0, NULL, 'e' }, { "encrypt-proxy", 0, NULL, 'E' }, { "encrypt-remproxy",0,NULL, 'X' }, + { "cert", 1, NULL, 'c' }, + { "key", 1, NULL, 'k' }, { "wa-bug-29744", 0, NULL, 'W' }, { "buggy-encrypt-proxy", 0, NULL, 'B' }, { "no-ssl3", 0, NULL, 'T' }, 
@@ -236,9 +246,9 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar { NULL, 0, NULL, 0 } }; - c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:46", long_options, &option_index); + c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:c:k:vNeEXWBqLo:TzC:46", long_options, &option_index); #else - c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:46" ); + c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:c:k:vNeEXWBqLo:TzC:46" ); #endif if (c == -1) @@ -263,6 +273,26 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar message("SSL client to proxy enabled\n"); break; + case 'c': /* client SSL certificate (chain) */ + if (args_info->clientcert_given) { + fprintf (stderr, "%s: '--cert' ('-c') option given more than once\n", PACKAGE); + clear_args (); + exit(1); + } + args_info->clientcert_given = 1; + args_info->clientcert_arg = gengetopt_strdup (optarg); + break; + + case 'k': /* client SSL key */ + if (args_info->clientkey_given) { + fprintf (stderr, "%s: '--key' ('-k') option given more than once\n", PACKAGE); + clear_args (); + exit(1); + } + args_info->clientkey_given = 1; + args_info->clientkey_arg = gengetopt_strdup (optarg); + break; + case 'W': /* if SSL is active stop it after CONNECT */ args_info->wa_bug_29744_flag = !(args_info->wa_bug_29744_flag); if( args_info->verbose_flag ) @@ -318,7 +348,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar case 'o': args_info->host_given = 1; - message("Host-header override enabled\n"); + message("Host-header/SNI override enabled\n"); args_info->host_arg = gengetopt_strdup (optarg); break; 
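Review bot: Both short-option strings drop the `n` the old strings contained (`x:nvNeEXW` becomes `x:c:k:vNeEXW`), which the commit message does not mention; if a `case 'n':` still exists in cmdline_parser's switch (not visible here) it becomes unreachable, and if `-n` was documented anywhere this is a silent CLI break. If the removal is intended, say so in the message or in a comment at the option string. In the new `case 'c'`/`case 'k'` blocks the duplicate-option error goes through `fprintf (stderr, ...)` while neighbouring cases report through `message()`; using `message()` keeps error output on one channel. cmdline_parser starts and ends outside the hunks.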
@@ -585,6 +615,12 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar exit(1); } + if ( args_info->clientcert_given ^ args_info->clientkey_given ) { + clear_args (); + message( "Both of '--cert' ('-c') and '--key' ('-k') must be specified\n" ); + exit(1); + } + if (args_info->proxy_given ) { char proxy_arg_fmt[32]; size_t proxy_arg_len; diff --git a/cmdline.h b/cmdline.h index d0fe282..498a5e6 100644 --- a/cmdline.h +++ b/cmdline.h @@ -47,6 +47,8 @@ struct gengetopt_args_info { int encrypt_flag; /* Turn on SSL encryption (default=off). */ int encryptproxy_flag; /* Turn on client to proxy SSL encryption (def=off).*/ int encryptremproxy_flag; /* Turn on local to remote proxy SSL encryption (def=off).*/ + char *clientcert_arg; /* client SSL certificate */ + char *clientkey_arg; /* client SSL key */ int wa_bug_29744_flag; /* Use SSL encryption only until CONNECT, if at all (def=off).*/ int no_ssl3_flag; /* Turn off SSLv3 (default=on) */ char *proctitle_arg; /* Override process title (default=off). */ @@ -78,6 +80,8 @@ struct gengetopt_args_info { int encrypt_given; /* Whether encrypt was given */ int encryptproxy_given; /* Whether encrypt was given */ int encryptremproxy_given; /* Whether encrypt was given */ + int clientcert_given; /* Whether client SSL certificate was given */ + int clientkey_given; /* Whether client SSL key was given */ int wa_bug_29744_given; /* Whether work around was given */ int proctitle_given; /* Whether to override process title */ int enforcetls1_given; /* Wheter to enforce TLSv1 */ diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index cf2846e..e45b766 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc 
@@ -101,6 +101,24 @@ also be used for other proxy-traversing purposes like proxy bouncing. If the _password_ is omitted and no *REMPROXYPASS* environment variable is set, proxytunnel will prompt for a password +*-c*, *--cert*=_filename_:: + Provide the name of the file containing the client SSL certificate to + authenticate by client certificate against a local proxy, remote proxy or + the destination. The file must be in PEM format. + On top of this it may contain one or more intermediary certificates missing + at the servers's end, effectively forming a certificate chain. + Requires specification of *-k*, *--key* in addition. + Ignored if neither *-e*, *--encrypt** nor *-E*, *--encrypt-proxy* nor + *-X*, *--encrypt-remproxy* is given. + +*-k*, *--key*=_filename_:: + Provide the name of the file containing the client SSL key to authenticate + by client certificate against a local proxy, remote proxy or the + destination. The file must be in PEM format. + Requires specification of *-c*, *--cert* in addition. + Ignored if neither *-e*, *--encrypt** nor *-E*, *--encrypt-proxy* nor + *-X*, *--encrypt-remproxy* is given. + *-N*, *--ntlm*:: Use NTLM based authentication @@ -110,8 +128,8 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-H*, *--header*=_STRING_:: Add additional HTTP headers to send to proxy -*-o*, *--host*=_STRING_:: - Send a custom Host Header +*-o*, *--host*=_fully_qualified_domain_name_:: + Send a custom Host Header. Also used as SNI with SSL connections. *-x*, *--proctitle*=_STRING_:: Use a different process title diff --git a/ptstream.c b/ptstream.c index 33010a1..64a4782 100644 --- a/ptstream.c +++ b/ptstream.c 
@@ -317,6 +317,18 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { } } + /* If given, load client certificate (chain) and key */ + if ( args_info.clientcert_given && args_info.clientkey_given ) { + if ( 1 != SSL_CTX_use_certificate_chain_file(ctx, args_info.clientcert_arg) ) { + message("Error loading client certificate (chain) from %s\n", args_info.clientcert_arg); + goto fail; + } + if ( 1 != SSL_CTX_use_PrivateKey_file(ctx, args_info.clientkey_arg, SSL_FILETYPE_PEM) ) { + message("Error loading client key from %s, or key does not match certificate\n", args_info.clientkey_arg); + goto fail; + } + } + ssl = SSL_new (ctx); if ( ssl == NULL ) { message("SSL_new failed\n"); From b7aab076d2ca3cb69658f57672d24923ed683979 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Mon, 11 Dec 2023 19:10:32 +0100 Subject: [PATCH 35/90] Fix loading REMPROXYUSER/REMPROXYPASS from the environment --- cmdline.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmdline.c b/cmdline.c index ab96d96..ddca50f 100644 --- a/cmdline.c +++ b/cmdline.c @@ -578,7 +578,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar if ( args_info->remuser_arg == NULL ) { if ( (tmp = getenv("REMPROXYUSER")) != NULL ) { args_info->remuser_given = 1; - args_info->user_arg = gengetopt_strdup (tmp); + args_info->remuser_arg = gengetopt_strdup (tmp); if( args_info->verbose_flag ) message( "Found remote user '%s' in env variable REMPROXYPASS.\n", args_info->remuser_arg); } @@ -586,7 +586,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar if ( args_info->rempass_arg == NULL ) { if ( (tmp = getenv("REMPROXYPASS")) != NULL ) { args_info->rempass_given = 1; - args_info->user_arg = gengetopt_strdup (tmp); + args_info->rempass_arg = gengetopt_strdup (tmp); if( args_info->verbose_flag ) message( "Found remote password in env variable REMPROXYPASS.\n" ); } 
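Review bot: If the file given with `-k` is a passphrase-protected PEM key, `SSL_CTX_use_PrivateKey_file` falls back to OpenSSL's default passphrase callback, which reads from the controlling terminal; under `-i` (inetd) or `-a` (standalone daemon) there is none, so the call either blocks or fails with only the generic message added here. Either state in the manual page that the key must be unencrypted, or install a callback with `SSL_CTX_set_default_passwd_cb(ctx, ...)` that returns 0 when no tty is available. Both error messages would also be more useful with OpenSSL's own reason appended, e.g. `message("Error loading client key from %s: %s\n", args_info.clientkey_arg, ERR_reason_error_string(ERR_get_error()));`. Loading the certificate before the key is the right order, since the key call then checks the pair for consistency. stream_enable_ssl starts and ends outside the hunk.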
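Review bot: The verbose message in the first hunk still names the wrong variable: it reports the remote user as found `in env variable REMPROXYPASS` although the code reads `REMPROXYUSER`, so the line should be `message( "Found remote user '%s' in env variable REMPROXYUSER.\n", args_info->remuser_arg);`. The fix itself, assigning `remuser_arg`/`rempass_arg` instead of `user_arg`, is correct; the stale message is the only leftover. cmdline_parser starts and ends outside the hunks.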
From bd28fefd0241810bf081aa602b5b2f271a4a4eab Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Mon, 11 Dec 2023 20:59:32 +0100 Subject: [PATCH 36/90] Bump VERSION and VERSION_DATE --- config.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config.h b/config.h index 7b1284c..7dfd435 100644 --- a/config.h +++ b/config.h @@ -17,9 +17,9 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#define VERSION "1.11.2-DEVEL" +#define VERSION "1.12.0-DEVEL" #define VERSION_YEAR "2023" -#define VERSION_DATE "2023-12-02" +#define VERSION_DATE "2023-12-11" #define PACKAGE "proxytunnel" #define PURPOSE "Build generic tunnels through HTTPS proxies" #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) " From 8148cca5210a10305b5e10f52ea66a3298d90e9e Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Thu, 14 Dec 2023 00:08:09 +0100 Subject: [PATCH 37/90] Small fixes to the --help output --- cmdline.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cmdline.c b/cmdline.c index ddca50f..a10a704 100644 --- a/cmdline.c +++ b/cmdline.c @@ -69,7 +69,7 @@ void cmdline_parser_print_help (void) { " -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards\n" " compatibility\n" " -L, --tlsenforce Enforce TLSv1 connection (legacy)\n" -" -T, --no-ssl3 Do not connect using SSLv3\n" +" -T, --no-ssl3 Do not connect using SSLv3 (legacy)\n" " -z, --no-check-certificate Don't verify server SSL certificate\n" " -C, --cacert=STRING Path to trusted CA certificate or directory\n" #endif 
@@ -89,7 +89,11 @@ void cmdline_parser_print_help (void) { " -N, --ntlm Use NTLM based authentication\n" " -t, --domain=STRING NTLM domain (default: autodetect)\n" " -H, --header=STRING Add additional HTTP headers to send to proxy\n" +#ifdef USE_SSL +" -o, --host=STRING Send custom Host Header/SNI\n" +#else " -o, --host=STRING Send custom Host Header\n" +#endif #ifdef SETPROCTITLE " -x, --proctitle=STRING Use a different process title\n" #endif From 65795065e678b4031ea4d3a3f934f772722a4ff0 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Thu, 14 Dec 2023 00:09:11 +0100 Subject: [PATCH 38/90] Add a missing #include noticed when trying to build without USE_SSL --- ptstream.h | 1 + 1 file changed, 1 insertion(+) diff --git a/ptstream.h b/ptstream.h index ee36af2..e944c54 100644 --- a/ptstream.h +++ b/ptstream.h @@ -19,6 +19,7 @@ /* ptstream.h */ +#include #ifdef USE_SSL #include #include From a5b69f666c66cce470d1433423c347d49a924ce7 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Thu, 14 Dec 2023 01:07:08 +0100 Subject: [PATCH 39/90] Minor corrections to the manpage. --- docs/proxytunnel.1.adoc | 70 ++++++++++++++++++++--------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index e45b766..1967825 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc @@ -6,7 +6,7 @@ proxytunnel - program to tunnel a connection through a standard HTTPS proxy == SYNOPSIS -*proxytunnel* _[OPTION]_... +*proxytunnel* [_OPTION…_] [_host_++:++_port_] == DESCRIPTION 
@@ -19,47 +19,47 @@ also be used for other proxy-traversing purposes like proxy bouncing. == OPTIONS *-i*, *--inetd*:: - Run from inetd (default: off) + Run from inetd (default: off). *-a*, *--standalone*=_port_:: - Run as standalone daemon on specified _port_ + Run as standalone daemon on specified _port_. *-p*, *--proxy*=_host_++:++_port_:: Use _host_ and _port_ as the local proxy to connect to, if not specified - the *HTTP_PROXY* environment variable, if set, will be used instead + the *HTTP_PROXY* environment variable, if set, will be used instead. *-r*, *--remproxy*=_host_++:++_port_:: - Use _host_ and _port_ as the remote (secondary) proxy to connect to + Use _host_ and _port_ as the remote (secondary) proxy to connect to. *-d*, *--dest*=_host_++:++_port_:: Use _host_ and _port_ as the destination for the tunnel, you can also - specify them as the argument to the proxytunnel command + specify them as the argument to the proxytunnel command. *-e*, *--encrypt*:: - SSL encrypt data between local proxy and destination + SSL encrypt data between local proxy and destination. *-E*, *--encrypt-proxy*:: - SSL encrypt data between client and local proxy + SSL encrypt data between client and local proxy. *-X*, *--encrypt-remproxy*:: - SSL encrypt data between local and remote (secondary) proxy + SSL encrypt data between local and remote (secondary) proxy. == ADDITIONAL OPTIONS *-W*, *--wa-bug-29744*:: Workaround ASF Bugzilla 29744: If SSL is in use (by *-e*, *-E*, *-X* options), stop using it immediately after the CONNECT exchange to - workaround apache server bugs. (This might not work on all setups; see - /usr/share/doc/proxytunnel/README.Debian.gz for more details.) + workaround apache server bugs (This might not work on all setups; see + /usr/share/doc/proxytunnel/README.Debian.gz for more details). *-B*, *--buggy-encrypt-proxy*:: - Equivalent to *-E -W*. (Provided for backwards compatibility.) + Equivalent to *-E -W* (Provided for backwards compatibility). 
*-L*, *--tlsenforce*:: - Enforce TLSv1 connection (legacy) + Enforce TLSv1 connection (legacy). *-T*, *--no-ssl3*:: - Prevent the use of SSLv3 in encrypted connections (default: enabled) + Prevent the use of SSLv3 in encrypted connections (default: enabled). *-z*, *--no-check-certificate*:: Do not verify server SSL certificate when establishing an SSL connection. @@ -70,8 +70,8 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-C*, *--cacert*=_filename/directory_:: Specify a CA certificate file (or directory containing CA certificate(s)) to trust when verifying a server SSL certificate. If a directory is provided, - it must be prepared with OpenSSL's c_rehash tool. (default, unless changed at - compile time using DEFAULT_CA_FILE or DEFAULT_CA_DIR options: /etc/ssl/certs) + it must be prepared with OpenSSL's c_rehash tool (default, unless changed at + compile time using DEFAULT_CA_FILE or DEFAULT_CA_DIR options: /etc/ssl/certs). *-4*, *--ipv4*:: Enforce the use of IPv4 when connecting to the local proxy. @@ -83,7 +83,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. Use _filename_ for reading username and password for HTTPS proxy authentication, the file uses the same format as .wgetrc and can be shared with wget. Use this option, or environment variables to hide the password - from other users + from other users. *-P*, *--proxyauth*=_username_++:++_password_:: Use _username_ and _password_ as credentials to authenticate against a @@ -91,7 +91,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. the *PROXYUSER* and *PROXYPASS* environment variables to hide them from other users. If the _password_ is omitted and no *PROXYPASS* environment variable is - set, proxytunnel will prompt for a password + set, proxytunnel will prompt for a password. *-R*, *--remproxyauth*=_username_++:++_password_:: Use _username_ and _password_ as credentials to authenticate against a 
@@ -99,7 +99,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. specified in the *REMPROXYUSER* and *REMPROXYPASS* environment variables to hide them from other users. If the _password_ is omitted and no *REMPROXYPASS* environment variable is - set, proxytunnel will prompt for a password + set, proxytunnel will prompt for a password. *-c*, *--cert*=_filename_:: Provide the name of the file containing the client SSL certificate to @@ -120,38 +120,38 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-X*, *--encrypt-remproxy* is given. *-N*, *--ntlm*:: - Use NTLM based authentication + Use NTLM based authentication. *-t*, *--domain*=_STRING_:: - Specify NTLM domain (default: autodetect) + Specify NTLM domain (default: autodetect). *-H*, *--header*=_STRING_:: - Add additional HTTP headers to send to proxy + Add additional HTTP headers to send to proxy. -*-o*, *--host*=_fully_qualified_domain_name_:: - Send a custom Host Header. Also used as SNI with SSL connections. +*-o*, *--host*=_host_++[:++_port_]:: + Send a custom Host header. With SSL connections _host_ is also sent as SNI. *-x*, *--proctitle*=_STRING_:: - Use a different process title + Use a different process title. == MISCELLANEOUS OPTIONS *-v*, *--verbose*:: - Turn on verbosity + Turn on verbosity. *-q*, *--quiet*:: - Suppress messages + Suppress messages. *-h*, *--help*:: - Print help and exit + Print help and exit. *-V*, *--version*:: - Print version and exit + Print version and exit. == ARGUMENTS -_host_++:++_port_ is the destination hostname and port number combination +_host_++:++_port_ is the destination hostname and port number combination. NOTE: Specifying the destination as arguments is exactly the same as specifying them using the *-d* or *--dest* option. 
@@ -221,27 +221,27 @@ variables: *HTTP_PROXY*:: If this environment variable is set, proxytunnel will use it as the - _local proxy_ if *-p* or *--proxy* is not provided + _local proxy_ if *-p* or *--proxy* is not provided. *PROXYUSER*:: If this environment variable is set, proxytunnel will use it as the _username_ for proxy authentication, unless specified using the *-P* or - *--proxyauth* option + *--proxyauth* option. *PROXYPASS*:: If this environment variable is set, proxytunnel will use it as the _password_ for proxy authentication, unless specified using the *-P* or - *--proxyauth* option + *--proxyauth* option. *REMPROXYUSER*:: If this environment variable is set, proxytunnel will use it as the _username_ for remote (secondary) proxy authentication, unless specified - using the *-R* or *--remproxyauth* option + using the *-R* or *--remproxyauth* option. *REMPROXYPASS*:: If this environment variable is set, proxytunnel will use it as the _password_ for remote (secondary) proxy authentication, unless specified - using the *-R* or *--remproxyauth* option + using the *-R* or *--remproxyauth* option. == SEE ALSO
From 5f1674159bb775df0704742ae37443ab5a53ef24 Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Fri, 15 Dec 2023 15:32:12 +0100
Subject: [PATCH 40/90] In standalone mode, allow also for IPv6 connections
---
 proxytunnel.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/proxytunnel.c b/proxytunnel.c
index 514fde5..94dcb54 100644
--- a/proxytunnel.c
+++ b/proxytunnel.c
@@ -164,7 +164,7 @@ void do_daemon()
 {
 int listen_sd;
 int one = 1;
- struct sockaddr_in sa_serv;
+ struct sockaddr_in6 sa_serv;
 struct sockaddr_in sa_cli;
 socklen_t client_len;
 int pid = 0;
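Review bot: `sa_cli` stays `struct sockaddr_in` in the `-164` hunk while `sa_serv` and the socket move to AF_INET6, so if it is the buffer later handed to `accept()` (that call and the rest of do_daemon are outside the hunk) the kernel reports a `sockaddr_in6` peer, truncates it to `client_len`, and any read of `sa_cli.sin_addr` for the client address looks at the wrong bytes. Declare it as `struct sockaddr_in6 sa_cli;` (or `struct sockaddr_storage`) and derive `client_len` from it. Because an IPv6 listener sees IPv4 clients as mapped addresses, whatever prints the peer address also has to expect the `::ffff:a.b.c.d` form.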
@@ -175,7 +175,7 @@ void do_daemon()
 /* Socket descriptor */
 int sd;
- if ( ( listen_sd = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP ) ) < 0 ) {
+ if ( ( listen_sd = socket( AF_INET6, SOCK_STREAM, IPPROTO_TCP ) ) < 0 ) {
 my_perror( "Server socket creation failed" );
 exit(1);
 }
@@ -186,11 +186,11 @@ void do_daemon()
 setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
 
 memset( &sa_serv, '\0', sizeof( sa_serv ) );
- sa_serv.sin_family = AF_INET;
- sa_serv.sin_addr.s_addr = htonl(INADDR_ANY);
- sa_serv.sin_port = htons( args_info.standalone_arg );
+ sa_serv.sin6_family = AF_INET6;
+ sa_serv.sin6_addr = in6addr_any;
+ sa_serv.sin6_port = htons( args_info.standalone_arg );
 
- if ( bind( listen_sd, (struct sockaddr * )&sa_serv, sizeof( struct sockaddr ) ) < 0) {
+ if ( bind( listen_sd, (struct sockaddr *)&sa_serv, sizeof(sa_serv) ) < 0) {
 my_perror("Server socket bind failed");
 exit(1);
 }
From ae7fcc8a1ff9444c8c84bff5718bda88854280ec Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Fri, 15 Dec 2023 15:42:49 +0100
Subject: [PATCH 41/90] Make sure stdlib.c is only included once
---
 proxytunnel.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/proxytunnel.c b/proxytunnel.c
index 94dcb54..e96a717 100644
--- a/proxytunnel.c
+++ b/proxytunnel.c
@@ -33,7 +33,6 @@
 #include
 #include
 #include
-#include
 
 #include "proxytunnel.h"
 #include "io.h"
From 513c8a2fc9f53b2d82300d9376076e52edf6905e Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Fri, 15 Dec 2023 22:29:01 +0100
Subject: [PATCH 42/90] In standalone mode, allow for binding to a specified IP address
---
 cmdline.c | 61 ++++++++++++++++++++++++++++++++++-------
 cmdline.h | 10 +++++--
 docs/proxytunnel.1.adoc | 6 ++--
 proxytunnel.c | 15 +++++++++-
 4 files changed, 76 insertions(+), 16 deletions(-)
diff --git a/cmdline.c b/cmdline.c
index a10a704..fd38953 100644
--- a/cmdline.c
+++ b/cmdline.c
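Review bot: Whether the `in6addr_any` listener in the `-186` hunk still accepts IPv4 clients now depends on the host's IPV6_V6ONLY default (off on Linux unless `net.ipv6.bindv6only` is set, on by default on some BSDs), which the commit leaves implicit. Set it explicitly next to the SO_REUSEADDR call and at least log a failure so a loss of IPv4 reachability is visible: `int off = 0;` `if ( setsockopt(listen_sd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof(off)) < 0 ) my_perror("Disabling IPV6_V6ONLY failed, IPv4 clients may be rejected");`. The `sizeof(sa_serv)` in the new `bind()` is the right replacement for the old `sizeof( struct sockaddr )`, which was already too small for an IPv6 address. do_daemon continues outside both hunks.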
@@ -50,7 +50,8 @@ void cmdline_parser_print_help (void) {
 "Standard options:\n"
 // FIXME: " -c, --config=FILE Read config options from file\n"
 " -i, --inetd Run from inetd (default: off)\n"
-" -a, --standalone=INT Run as standalone daemon on specified port\n"
+" -a, --standalone=STRING Run as standalone daemon on specified port or\n"
+" address:port combination\n"
 // FIXME: " -f, --nobackground Don't fork to background in standalone mode\n"
 " -p, --proxy=STRING Local proxy host:port combination\n"
 " -r, --remproxy=STRING Remote proxy host:port combination (using 2 proxies)\n"
@@ -145,9 +146,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->remproxy_given = 0;
 args_info->remproxyauth_given = 0;
 args_info->verbose_given = 0;
+ args_info->quiet_given = 0;
 args_info->ntlm_given = 0;
 args_info->inetd_given = 0;
- args_info->quiet_given = 0;
+ args_info->standalone_given = 0;
 args_info->header_given = 0;
 args_info->domain_given = 0;
 args_info->encrypt_given = 0;
@@ -177,10 +179,12 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->remproxyauth_arg = NULL; \
 args_info->header_arg[0] = '\0'; \
 args_info->verbose_flag = 0; \
+ args_info->quiet_flag = 0; \
 args_info->ntlm_flag = 0; \
 args_info->inetd_flag = 0; \
- args_info->quiet_flag = 0; \
- args_info->standalone_arg = 0; \
+ args_info->standalone_arg = NULL; \
+ args_info->standalone_addr = NULL; \
+ args_info->standalone_port = 0; \
 args_info->encrypt_flag = 0; \
 args_info->encryptproxy_flag = 0; \
 args_info->encryptremproxy_flag = 0; \
@@ -321,16 +325,18 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 break;
 case 'a': /* Run as standalone daemon */
+ if (args_info->standalone_given) {
+ fprintf (stderr, "%s: '--standalone' ('-a') option given more than once\n", PACKAGE);
+ clear_args ();
+ exit(1);
+ }
 if ( args_info->inetd_flag ) {
 fprintf( stderr, "%s: `--standalone' (`-a') conflicts with `--inetd' (`-i')\n", PACKAGE );
 clear_args();
 exit(1);
 }
- if ( ( args_info->standalone_arg = atoi( optarg ) ) < 1 ) {
- fprintf( stderr, "%s: Illegal port value for `--standalone' (`-a')\n", PACKAGE);
- clear_args();
- exit(1);
- }
+ args_info->standalone_given = 1;
+ args_info->standalone_arg = gengetopt_strdup (optarg);
 break;
 case 'V': /* Print version and exit. */
@@ -625,6 +631,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 exit(1);
 }
 
+ /* Parse -p/--proxy information */
 if (args_info->proxy_given ) {
 char proxy_arg_fmt[32];
 size_t proxy_arg_len;
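Review bot: The duplicate-option message added in the `-321` hunk uses straight quotes (`'--standalone' ('-a')`) while the conflict message directly below it and the rest of this switch use the backtick-and-apostrophe form, and `fprintf (stderr` / `clear_args ()` put a space before the parenthesis that the neighbouring calls do not; one convention keeps the error output consistent and greppable. This hunk also drops the only range check on the port (`atoi( optarg ) < 1`) without reinstating one where the argument is now parsed (the `-649` hunk below), so 0 becomes an accepted value. The switch and `cmdline_parser` continue outside the hunk.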
@@ -649,7 +656,40 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->proxyhost_given = 1;
 args_info->proxyport_given = 1;
 } else {
- message( "parse_cmdline: specified proxy hostname/ip:port (%s) does not fit expected pattern\n", args_info->proxy_arg );
+ message( "parse_cmdline: specified proxy (%s) does not fit the expected pattern hostname/ip:port\n", args_info->proxy_arg );
+ missing_required_options++;
+ }
+ }
+
+ /* Parse -a/--standalone information */
+ if ( args_info->standalone_given ) {
+ char standalone_arg_fmt[32];
+ size_t standalone_arg_len;
+ char * aaddr;
+ int aport;
+
+ standalone_arg_len = strlen( args_info->standalone_arg );
+ if ( (aaddr = malloc( standalone_arg_len + 1 )) == NULL ) {
+ message( "Out of memory\n" );
+ exit(1);
+ }
+ /* try IPv4 literal and port */
+ snprintf( standalone_arg_fmt, sizeof(standalone_arg_fmt), "%%%zu[0-9.]:%%5u", standalone_arg_len - 1 );
+ r = sscanf( args_info->standalone_arg, standalone_arg_fmt, aaddr, &aport );
+ if ( r != 2 ) {
+ /* try bracket-enclosed IPv6 literal and port */
+ snprintf( standalone_arg_fmt, sizeof(standalone_arg_fmt), "[%%%zu[0-9A-Fa-f:]]:%%5u", standalone_arg_len - 1 );
+ r = sscanf( args_info->standalone_arg, standalone_arg_fmt, aaddr, &aport );
+ }
+ if ( r == 2 ) {
+ args_info->standalone_addr = aaddr;
+ args_info->standalone_port = aport;
+ args_info->standalone_addr_given = 1;
+ /* try port only */
+ } else if ( sscanf( args_info->standalone_arg, "%5u", &aport ) ) {
+ args_info->standalone_port = aport;
+ } else {
+ message( "parse_cmdline: specified standalone argument (%s) does not fit the expected pattern [ip:]port\n", args_info->standalone_arg );
 missing_required_options++;
 }
 }
@@ -699,6 +739,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 missing_required_options++;
 }
 }
+
 if ( missing_required_options )
 exit(1);
 
diff --git a/cmdline.h b/cmdline.h
index 498a5e6..a5a2e48 100644
--- a/cmdline.h
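Review bot: In the port-only branch of the `-649` hunk, `} else if ( sscanf( args_info->standalone_arg, "%5u", &aport ) )` treats any non-zero return as success, but `sscanf()` returns EOF (−1) when the argument is empty, so `-a ''` stores the never-assigned `aport`; the test has to be `== 1`. Independently, none of the accepted forms bounds the port: `%5u` admits 0 and values up to 99999, which `htons()` later truncates silently, whereas the `atoi( optarg ) < 1` check this patch removes from `case 'a'` at least rejected 0, and scanning `%5u` into an `int` is a type mismatch (use `%5d`, or make `aport` unsigned). Trailing characters are never rejected either, so an unbracketed IPv6 literal such as `2001:db8::1` falls through the IPv4 and bracket patterns and is silently taken as port 2001. The rewritten tail below keeps the existing patterns and messages, requires exactly one conversion, adds the range check, and frees `aaddr` on the port-only path where the original leaks it. `cmdline_parser` continues outside the hunk.
```c
	int aport = 0;
	int have_port = 0;
	/* … unchanged: allocation of aaddr and the IPv4 / [IPv6] pattern attempts (with %%5u changed to %%5d) … */
	if ( r == 2 ) {
		args_info->standalone_addr = aaddr;
		args_info->standalone_addr_given = 1;
		have_port = 1;
	/* try port only; require exactly one conversion, sscanf() returns EOF (non-zero) on an empty argument */
	} else if ( sscanf( args_info->standalone_arg, "%5d", &aport ) == 1 ) {
		free( aaddr );
		have_port = 1;
	} else {
		message( "parse_cmdline: specified standalone argument (%s) does not fit the expected pattern [ip:]port\n", args_info->standalone_arg );
		missing_required_options++;
	}
	/* %5d also admits 0, negatives and values up to 99999, which htons() would silently truncate */
	if ( have_port && ( aport < 1 || aport > 65535 ) ) {
		message( "parse_cmdline: illegal port value (%d) for `--standalone' (`-a')\n", aport );
		missing_required_options++;
	} else if ( have_port ) {
		args_info->standalone_port = aport;
	}
```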
+++ b/cmdline.h
@@ -40,10 +40,12 @@ struct gengetopt_args_info {
 char *remproxy_arg; /* Remote proxy to tunnel to. */
 char *remproxyauth_arg; /* Remote proxy auth. */
 int verbose_flag; /* Turn on verbosity (default=off). */
+ int quiet_flag; /* Turn on quiet mode (default=off). */
 int ntlm_flag; /* Turn on ntlm (default=off). */
 int inetd_flag; /* Turn on inetd (default=off). */
- int quiet_flag; /* Turn on quiet mode (default=off). */
- int standalone_arg; /* Turn on stdalone (-a) on port */
+ char *standalone_arg; /* Turn on standalone (-a) on [addr:]port */
+ char *standalone_addr;
+ int standalone_port;
 int encrypt_flag; /* Turn on SSL encryption (default=off). */
 int encryptproxy_flag; /* Turn on client to proxy SSL encryption (def=off).*/
 int encryptremproxy_flag; /* Turn on local to remote proxy SSL encryption (def=off).*/
@@ -73,9 +75,11 @@ struct gengetopt_args_info {
 int remproxy_given; /* Whether remproxy was given. */
 int remproxyauth_given; /* Whether remproxy was given. */
 int verbose_given; /* Whether verbose was given. */
+ int quiet_given; /* Whether quiet mode was given. */
 int ntlm_given; /* Whether ntlm was given. */
 int inetd_given; /* Whether inetd was given. */
- int quiet_given; /* Whether quiet mode was given. */
+ int standalone_given; /* Whether standalone was given */
+ int standalone_addr_given; /* Whether standalone address was given */
 int header_given; /* Whether extra headers are given */
 int encrypt_given; /* Whether encrypt was given */
 int encryptproxy_given; /* Whether encrypt was given */
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
index 1967825..317f881 100644
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
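Review bot: The new `standalone_addr` and `standalone_port` members in the `-40` hunk are the only fields of the struct without a trailing comment, and `standalone_addr_given` from the `-73` hunk is not zeroed in the `_given = 0` block that this patch's cmdline.c `-145` hunk extends, so unless the struct is cleared elsewhere it starts with whatever the caller's storage held (a later patch in this series adds the assignment). Suggested comments: `char *standalone_addr; /* Address to bind to in standalone mode (-a addr:port), NULL if not given */` and `int standalone_port; /* Port to bind to in standalone mode (-a [addr:]port) */`, plus `args_info->standalone_addr_given = 0;` next to `standalone_given`.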
@@ -21,8 +21,10 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 *-i*, *--inetd*::
 Run from inetd (default: off).
 
-*-a*, *--standalone*=_port_::
- Run as standalone daemon on specified _port_.
+*-a*, *--standalone*=++[++_address_++:]++_port_::
+ Run as standalone daemon on specified _address_ and _port_. _address_ may
+ be a IPv4 address or a bracket-enclosed IPv6 address. Listens on any
+ address if _address_ is not given.
 
 *-p*, *--proxy*=_host_++:++_port_::
 Use _host_ and _port_ as the local proxy to connect to, if not specified
diff --git a/proxytunnel.c b/proxytunnel.c
index e96a717..2e5e8ce 100644
--- a/proxytunnel.c
+++ b/proxytunnel.c
@@ -187,7 +187,20 @@ void do_daemon()
 memset( &sa_serv, '\0', sizeof( sa_serv ) );
 sa_serv.sin6_family = AF_INET6;
 sa_serv.sin6_addr = in6addr_any;
- sa_serv.sin6_port = htons( args_info.standalone_arg );
+ sa_serv.sin6_port = htons( args_info.standalone_port );
+
+ /* In case a standalone address was specified ... */
+ if ( args_info.standalone_addr_given ) {
+ /* ... try to set it as an IPv6 address ... */
+ if ( inet_pton(AF_INET6, args_info.standalone_addr, &sa_serv.sin6_addr) < 1 ) {
+ /* ... if this failed, try to set it as an IPv4-mapped address */
+ snprintf(buf, sizeof(buf), "::FFFF:%s", args_info.standalone_addr);
+ if ( inet_pton(AF_INET6, buf, &sa_serv.sin6_addr) < 1 ) {
+ my_perror("Setting server socket IP address failed, possibly malformed");
+ exit(1);
+ }
+ }
+ }
 
 if ( bind( listen_sd, (struct sockaddr *)&sa_serv, sizeof(sa_serv) ) < 0) {
 my_perror("Server socket bind failed");
From 002410f449a6247f0ce1ad2914a63b7218625169 Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Fri, 15 Dec 2023 22:51:48 +0100
Subject: [PATCH 43/90] Remove Debian-specific reference from --help output
---
 cmdline.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmdline.c b/cmdline.c
index fd38953..e1103a2 100644
--- a/cmdline.c
+++ b/cmdline.c
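Review bot: `my_perror()` after the second failed `inet_pton()` in the proxytunnel.c `-187` hunk prints a stale errno text, because `inet_pton()` returns 0 for a malformed literal without touching errno and only sets it (EAFNOSUPPORT) on the −1 path; `message("Setting server socket IP address failed, possibly malformed: %s\n", args_info.standalone_addr); exit(1);` tells the operator what was actually rejected. `buf` is declared outside the hunk, and `sizeof(buf)` is only a bound if it is an array, so confirm it is not a pointer at this point. The `::FFFF:` mapped form also relies on the socket being dual-stack, which a later patch in this series revisits for explicit IPv4 addresses. do_daemon continues outside the hunk.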
@@ -64,9 +64,9 @@ void cmdline_parser_print_help (void) {
 "\n"
 "Additional options for specific features:\n"
 #ifdef USE_SSL
-" -W, --wa-bug-29744 Workaround ASF Bugzilla 29744: if SSL is active stop\n"
-" using it after CONNECT (might not work on all setups; see\n"
-" /usr/share/doc/proxytunnel/README.Debian.gz)\n"
+" -W, --wa-bug-29744 Workaround ASF Bugzilla 29744: if SSL is active\n"
+" stop using it after CONNECT (might not work on all\n"
+" setups)\n"
 " -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards\n"
 " compatibility\n"
 " -L, --tlsenforce Enforce TLSv1 connection (legacy)\n"
From 4cc6aa11dbe038a9a47a1e0edb40089d61d17084 Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Fri, 15 Dec 2023 23:10:47 +0100
Subject: [PATCH 44/90] Corrections and updates to the manual page
---
 docs/proxytunnel.1.adoc | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
index 317f881..af9c791 100644
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
@@ -105,20 +105,20 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-c*, *--cert*=_filename_:: Provide the name of the file containing the client SSL certificate to - authenticate by client certificate against a local proxy, remote proxy or - the destination. The file must be in PEM format. + authenticate by client certificate against local proxy, remote proxy or + destination. The file must be in PEM format. On top of this it may contain one or more intermediary certificates missing at the servers's end, effectively forming a certificate chain. Requires specification of *-k*, *--key* in addition. - Ignored if neither *-e*, *--encrypt** nor *-E*, *--encrypt-proxy* nor + Ignored if neither *-e*, *--encrypt* nor *-E*, *--encrypt-proxy* nor *-X*, *--encrypt-remproxy* is given. *-k*, *--key*=_filename_:: Provide the name of the file containing the client SSL key to authenticate - by client certificate against a local proxy, remote proxy or the - destination. The file must be in PEM format. + by client certificate against local proxy, remote proxy or destination. The + file must be in PEM format. Requires specification of *-c*, *--cert* in addition. - Ignored if neither *-e*, *--encrypt** nor *-E*, *--encrypt-proxy* nor + Ignored if neither *-e*, *--encrypt* nor *-E*, *--encrypt-proxy* nor *-X*, *--encrypt-remproxy* is given. *-N*, *--ntlm*:: @@ -252,7 +252,8 @@ variables: == BUGS This software is bug-free, at least we'd like to think so. If you do not -agree with us, please attach the proof to your friendly email :) +agree with us, please provide the proof with your friendly report at +https://github.com/proxytunnel/proxytunnel/issues :) == AUTHOR @@ -261,4 +262,4 @@ This manpage was initially written by Loïc Le Guyader asciidoc by Dag Wieërs and is now maintained by the Proxytunnel developers. -Homepage at http://proxytunnel.sourceforge.net/ +Homepages at https://proxytunnel.sourceforge.io and https://github.com/proxytunnel/proxytunnel 
From 4100c006f7854cf124a196e0a401a0f5426865d2 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 16 Dec 2023 17:32:59 +0100 Subject: [PATCH 45/90] Replace reference to the already removed option -S --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 95dc5f7..d4ee24f 100644 --- a/README.md +++ b/README.md @@ -95,8 +95,7 @@ If your proxy doesn't require the username and password for using it, you can skip these options. If you don't provide the password on the command-line (which is recommended) you will be prompted for it by proxytunnel. If you are on a trusted system you can also put the -password in an environment variable, and tell proxytunnel where to -find it with '-S'. +password in the environment variable PROXYPASS. If you want to run proxytunnel from inetd add the '--inetd' option. From 6f665372954323c335e745700179d65bb8c38e69 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sat, 16 Dec 2023 17:34:55 +0100 Subject: [PATCH 46/90] Remove sentence about not working authentication on remote proxies --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index d4ee24f..2393810 100644 --- a/README.md +++ b/README.md @@ -113,8 +113,7 @@ auto-detection doesn't work for you (which is usually doesn't) If you want to have the first proxy connect to another http proxy (like one you can control, specify -r proxy2:port. The first proxy will then connect to this remote proxy, which will be asked to connect to the -requested destination. Note that authentication doesn't (yet) work on -this remote proxy. For more information regarding this feature, check +requested destination. For more information regarding this feature, check out http://dag.wieers.com/howto/ssh-http-tunneling/ If your proxy is more advanced, and does protocol inspection it will 
From 3c3b5b08586af58f40bd768e156435f23a8bebc1 Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Sat, 16 Dec 2023 19:31:06 +0100
Subject: [PATCH 47/90] Remove Debian-specific reference
---
 docs/proxytunnel.1.adoc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
index af9c791..093dfd2 100644
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
@@ -51,8 +51,7 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 *-W*, *--wa-bug-29744*::
 Workaround ASF Bugzilla 29744: If SSL is in use (by *-e*, *-E*, *-X* options), stop using it immediately after the CONNECT exchange to
- workaround apache server bugs (This might not work on all setups; see
- /usr/share/doc/proxytunnel/README.Debian.gz for more details).
+ workaround apache server bugs (This might not work on all setups).
 
 *-B*, *--buggy-encrypt-proxy*::
 Equivalent to *-E -W* (Provided for backwards compatibility).
From c9503273a7a0879dc8847c6a961904f7bb6d01e3 Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Sat, 16 Dec 2023 23:37:36 +0100
Subject: [PATCH 48/90] Allow for binding to a link-local IPv6 address
Requires to also give the interface like ipv6%interface
---
 cmdline.c | 23 +++++++++++++++++++++--
 cmdline.h | 2 ++
 proxytunnel.c | 10 ++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/cmdline.c b/cmdline.c
index e1103a2..a8a0adf 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -150,6 +150,8 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->ntlm_given = 0;
 args_info->inetd_given = 0;
 args_info->standalone_given = 0;
+ args_info->standalone_addr_given = 0;
+ args_info->standalone_iface_given = 0;
 args_info->header_given = 0;
 args_info->domain_given = 0;
 args_info->encrypt_given = 0;
@@ -184,6 +186,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 args_info->inetd_flag = 0; \
 args_info->standalone_arg = NULL; \
 args_info->standalone_addr = NULL; \
+ args_info->standalone_iface = NULL; \
 args_info->standalone_port = 0; \
 args_info->encrypt_flag = 0; \
 args_info->encryptproxy_flag = 0; \
@@ -665,7 +668,8 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 if ( args_info->standalone_given ) {
 char standalone_arg_fmt[32];
 size_t standalone_arg_len;
- char * aaddr;
+ char *aaddr;
+ char *aiface;
 int aport;
 
 standalone_arg_len = strlen( args_info->standalone_arg );
@@ -673,6 +677,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 message( "Out of memory\n" );
 exit(1);
 }
+ if ( (aiface = malloc( standalone_arg_len + 1 )) == NULL ) {
+ message( "Out of memory\n" );
+ exit(1);
+ }
 /* try IPv4 literal and port */
 snprintf( standalone_arg_fmt, sizeof(standalone_arg_fmt), "%%%zu[0-9.]:%%5u", standalone_arg_len - 1 );
 r = sscanf( args_info->standalone_arg, standalone_arg_fmt, aaddr, &aport );
@@ -681,6 +689,17 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 snprintf( standalone_arg_fmt, sizeof(standalone_arg_fmt), "[%%%zu[0-9A-Fa-f:]]:%%5u", standalone_arg_len - 1 );
 r = sscanf( args_info->standalone_arg, standalone_arg_fmt, aaddr, &aport );
 }
+ if ( r != 2 ) {
+ /* try bracket-enclosed IPv6 literal, interface and port */
+ snprintf( standalone_arg_fmt, sizeof(standalone_arg_fmt), "[%%%zu[0-9A-Fa-f:]%%%%%%%zu[^]]]:%%5u", standalone_arg_len - 1, standalone_arg_len - 1 );
+ if ( sscanf( args_info->standalone_arg, standalone_arg_fmt, aaddr, aiface, &aport ) == 3 )
+ r = 3;
+ }
+ if ( r == 3 ) {
+ args_info->standalone_iface = aiface;
+ args_info->standalone_iface_given = 1;
+ r--;
+ }
 if ( r == 2 ) {
 args_info->standalone_addr = aaddr;
 args_info->standalone_port = aport;
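Review bot: The third format built in the `-681` hunk expands to `[%N[0-9A-Fa-f:]%%%N[^]]]:%5u`, which is 26 characters plus twice the digits of N; once `standalone_arg_len - 1` has three digits (an argument of 101 characters or more) it needs 33 bytes, `snprintf()` silently truncates it inside `standalone_arg_fmt[32]` so that it ends in an incomplete `%5`, and handing that to `sscanf()` is undefined behaviour, with the `snprintf()` return value never checked. The buffer is also too small whenever the argument is empty, because `standalone_arg_len - 1` (taken in the `-665` hunk) then wraps to SIZE_MAX and prints as 20 digits. Reject `standalone_arg_len == 0` right after the `strlen()`, size the format buffer for the worst case (80 covers even a 20-digit width) or check `n < 0 || (size_t)n >= sizeof(standalone_arg_fmt)` after each `snprintf()`, and free `aiface` on the paths where `r != 3`. `cmdline_parser` continues outside the hunk.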
@@ -689,7 +708,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 } else if ( sscanf( args_info->standalone_arg, "%5u", &aport ) ) {
 args_info->standalone_port = aport;
 } else {
- message( "parse_cmdline: specified standalone argument (%s) does not fit the expected pattern [ip:]port\n", args_info->standalone_arg );
+ message( "parse_cmdline: specified standalone argument (%s) does not fit one of the expected patterns: port, ipv4:port, [ipv6]:port, [ipv6%%interface]:port\n", args_info->standalone_arg );
 missing_required_options++;
 }
 }
diff --git a/cmdline.h b/cmdline.h
index a5a2e48..b0cddd2 100644
--- a/cmdline.h
+++ b/cmdline.h
@@ -45,6 +45,7 @@ struct gengetopt_args_info {
 int inetd_flag; /* Turn on inetd (default=off). */
 char *standalone_arg; /* Turn on standalone (-a) on [addr:]port */
 char *standalone_addr;
+ char *standalone_iface;
 int standalone_port;
 int encrypt_flag; /* Turn on SSL encryption (default=off). */
 int encryptproxy_flag; /* Turn on client to proxy SSL encryption (def=off).*/
@@ -80,6 +81,7 @@ struct gengetopt_args_info {
 int inetd_given; /* Whether inetd was given. */
 int standalone_given; /* Whether standalone was given */
 int standalone_addr_given; /* Whether standalone address was given */
+ int standalone_iface_given; /* Whether standalone interface was given */
 int header_given; /* Whether extra headers are given */
 int encrypt_given; /* Whether encrypt was given */
 int encryptproxy_given; /* Whether encrypt was given */
diff --git a/proxytunnel.c b/proxytunnel.c
index 2e5e8ce..7d08b2a 100644
--- a/proxytunnel.c
+++ b/proxytunnel.c
@@ -29,6 +29,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -189,6 +190,15 @@ void do_daemon()
 sa_serv.sin6_addr = in6addr_any;
 sa_serv.sin6_port = htons( args_info.standalone_port );
 
+ /* In case a standalone interface was specified ... */
+ if ( args_info.standalone_iface_given ) {
+ /* ... try to get and set the interface's index */
+ if ( !(sa_serv.sin6_scope_id = if_nametoindex(args_info.standalone_iface)) ) {
+ my_perror("Setting server socket interface failed, possibly mis-spelled");
+ exit(1);
+ }
+ }
+
 /* In case a standalone address was specified ... */
 if ( args_info.standalone_addr_given ) {
 /* ... try to set it as an IPv6 address ... */
From 11f50d20c3f851de197a976c711879eefc0cfa1b Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Sun, 17 Dec 2023 01:25:40 +0100
Subject: [PATCH 49/90] Update manual page regarding -a/--standalone
---
 docs/proxytunnel.1.adoc | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
index 093dfd2..3587c40 100644
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
@@ -23,8 +23,13 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 
 *-a*, *--standalone*=++[++_address_++:]++_port_::
 Run as standalone daemon on specified _address_ and _port_. _address_ may
- be a IPv4 address or a bracket-enclosed IPv6 address. Listens on any
- address if _address_ is not given.
+ be a IPv4 address, a bracket-enclosed IPv6 address or a bracket-enclosed
+ combination of IPv6 address, \'%' and interface name. The latter format is
+ only required with link-local IPv6 addresses. The daemon listens on any
+ address if _address_ is not given.
+ *Examples*:::
+ 22, 123.45.67.89:22, [2001:db8::123:4567:89ab:cdef]:22,
+ [2001:db8::123:4567:89ab:cdef%eth0]:22
 
 *-p*, *--proxy*=_host_++:++_port_::
 Use _host_ and _port_ as the local proxy to connect to, if not specified
From a0b916a1778e95e1ccb8090f31a5cea118b8dfac Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com> Date: Sun, 17 Dec 2023 19:49:28 +0100 Subject: [PATCH 50/90] client SSL * -> SSL client * --- docs/proxytunnel.1.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 3587c40..1550011 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc @@ -108,7 +108,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. set, proxytunnel will prompt for a password. *-c*, *--cert*=_filename_:: - Provide the name of the file containing the client SSL certificate to + Provide the name of the file containing the SSL client certificate to authenticate by client certificate against local proxy, remote proxy or destination. The file must be in PEM format. On top of this it may contain one or more intermediary certificates missing @@ -118,7 +118,7 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-X*, *--encrypt-remproxy* is given. *-k*, *--key*=_filename_:: - Provide the name of the file containing the client SSL key to authenticate + Provide the name of the file containing the SSL client key to authenticate by client certificate against local proxy, remote proxy or destination. The file must be in PEM format. Requires specification of *-c*, *--cert* in addition. From 6adc78ec08372ae9bab93ceb8f5c432dfe2ce452 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sun, 17 Dec 2023 19:50:52 +0100 Subject: [PATCH 51/90] Prepare CHANGES and config.h for release --- CHANGES | 16 ++++++++++++++++ config.h | 4 ++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 4a88d3f..4b117eb 100755 --- a/CHANGES +++ b/CHANGES 
@@ -1,5 +1,21 @@ +Changes to proxytunnel 1.12.0 -- Sun Dec 17 19:51:57 CET 2023 + +[ Sven Geuer, https://github.com/68420948 ] +- New: Support authentication by SSL client certificate on SSL encrypted + tunnels, thanks to https://github.com/yayo for providing an initial patch + with issue #76, closes also issue #51. +- New: Listen also for IPv6 connections in standalone mode. +- New: Extend -a/--standalone option to allow for binding to a specified IPv4 + or IPv6 address, thanks to https://github.com/saper for providing an initial + implementation with PR #77. +- Honor -o/--host on determining the SNI host name. +- Fix loading REMPROXYUSER/REMPROXYPASS from the environment. +- Update manual page, correct errors, fix typos. +- Minor corrections to README.md + Changes to proxytunnel 1.11.1 -- Mon Oct 16 20:01:04 CEST 2023 +[ Sven Geuer, https://github.com/68420948 ] - Remediate the faulty patch for issue #57, thanks to https://github.com/e9hack and https://github.com/yurivict for raising issues #59 and #69 - Fix NTLM based authentication on 64bit machines, thanks to diff --git a/config.h b/config.h index 7dfd435..ff45073 100644 --- a/config.h +++ b/config.h @@ -17,9 +17,9 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#define VERSION "1.12.0-DEVEL" +#define VERSION "1.12.0" #define VERSION_YEAR "2023" -#define VERSION_DATE "2023-12-11" +#define VERSION_DATE "2023-12-17" #define PACKAGE "proxytunnel" #define PURPOSE "Build generic tunnels through HTTPS proxies" #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) " From 65562596b7bb0d8b630057650fa22c6aa443bf39 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sun, 21 Jan 2024 21:06:38 +0100 Subject: [PATCH 52/90] Use an AF_INET socket when binding to a specified IPv4 address. --- proxytunnel.c | 107 ++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 77 insertions(+), 30 deletions(-) 
diff --git a/proxytunnel.c b/proxytunnel.c
index 7d08b2a..e26a044 100644
--- a/proxytunnel.c
+++ b/proxytunnel.c
@@ -159,12 +159,84 @@ void closeall() { } } +/* Get the filled in sockaddr structure to the standalone daemon */ +void get_sa_serv(struct sockaddr **sa_serv_pp, socklen_t *sa_serv_len_p) +{ + static union { + struct sockaddr_in v4; + struct sockaddr_in6 v6; + } sa_serv; + int set_addr_result = 1; + + memset( &sa_serv, '\0', sizeof( sa_serv ) ); + + /* In case a standalone address has been specified ... */ + if ( args_info.standalone_addr_given ) { + /* ... and it looks like a IPv6 address ... */ + if ( strchr( args_info.standalone_addr, ':' ) ){ + /* ... set IPv6 address family and port, ... */ + sa_serv.v6.sin6_family = AF_INET6; + sa_serv.v6.sin6_port = htons( args_info.standalone_port ); + /* ... in case a standalone interface has been specified ... */ + if ( args_info.standalone_iface_given ) { + /* ... try to get and set the interface's index */ + if ( !(sa_serv.v6.sin6_scope_id = if_nametoindex(args_info.standalone_iface)) ) { + set_addr_result = -2; + } + } + /* If no error happened regarding the interface ... */ + if ( set_addr_result != -2 ) { + /* ... try to set the presumed IPv6 address. */ + set_addr_result = + inet_pton(AF_INET6, + args_info.standalone_addr, + &sa_serv.v6.sin6_addr); + } + /* ... otherwise (if it does not look like a IPv6 address) ... */ + } else { + /* ... set IPv4 address family and port, ... */ + sa_serv.v4.sin_family = AF_INET; + sa_serv.v4.sin_port = htons( args_info.standalone_port ); + /* ... try to set the presumed IPv4 address. */ + set_addr_result = + inet_pton(AF_INET, + args_info.standalone_addr, + &sa_serv.v4.sin_addr); + } + /* In case no standalone address has been specified ... */ + } else { + /* ... 
set IPv6 family, port and any address */ + sa_serv.v6.sin6_family = AF_INET6; + sa_serv.v6.sin6_port = htons( args_info.standalone_port ); + sa_serv.v6.sin6_addr = in6addr_any; + } + + /* Bail out on errors */ + switch (set_addr_result) { + case 0: + my_perror("Setting server socket IP address failed, possibly malformed"); + exit(1); + case -1: + my_perror("Setting server socket address family failed."); + exit(1); + case -2: + my_perror("Setting server socket interface failed, possibly mis-spelled"); + exit(1); + } + + /* Return pointer to sockaddr struct and its size */ + *sa_serv_pp = (struct sockaddr *)&sa_serv; + *sa_serv_len_p = sizeof( sa_serv ); + return; +} + /* Run as a standalone daemon */ void do_daemon() { int listen_sd; int one = 1; - struct sockaddr_in6 sa_serv; + struct sockaddr *sa_serv_p; + socklen_t sa_serv_len; struct sockaddr_in sa_cli; socklen_t client_len; int pid = 0; @@ -175,7 +247,9 @@ void do_daemon() /* Socket descriptor */ int sd; - if ( ( listen_sd = socket( AF_INET6, SOCK_STREAM, IPPROTO_TCP ) ) < 0 ) { + get_sa_serv(&sa_serv_p, &sa_serv_len); + + if ( ( listen_sd = socket( sa_serv_p->sa_family, SOCK_STREAM, IPPROTO_TCP ) ) < 0 ) { my_perror( "Server socket creation failed" ); exit(1); } 
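Review bot: `*sa_serv_len_p = sizeof( sa_serv );` hands bind() the size of the whole union (the sockaddr_in6 size) even when only the AF_INET member was filled in; Linux tolerates an over-long AF_INET address length, but BSD-derived stacks check for the exact sockaddr_in length and, as far as I can tell, reject it with EINVAL, so the `bind( listen_sd, sa_serv_p, sa_serv_len )` in the @@ -185 hunk of this file would fail for every IPv4 address there (Darwin appears among the Makefile's system blocks, so this is not hypothetical). Return the length per family instead: `*sa_serv_len_p = (sa_serv.v4.sin_family == AF_INET) ? sizeof( sa_serv.v4 ) : sizeof( sa_serv.v6 );`. Separately, the `case 0:` branch reports an inet_pton() parse failure through my_perror(), but inet_pton() does not set errno when it returns 0, so any strerror text appended there is stale — a plain message() is more accurate for that case. When `standalone_iface_given` is set together with an IPv4 address the interface is silently ignored; a diagnostic or at least a comment saying so would help users of the `[addr%iface]` syntax.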
@@ -185,34 +259,7 @@ void do_daemon() #endif /* SO_REUSEPORT */ setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); - memset( &sa_serv, '\0', sizeof( sa_serv ) ); - sa_serv.sin6_family = AF_INET6; - sa_serv.sin6_addr = in6addr_any; - sa_serv.sin6_port = htons( args_info.standalone_port ); - - /* In case a standalone interface was specified ... */ - if ( args_info.standalone_iface_given ) { - /* ... try to get and set the interface's index */ - if ( !(sa_serv.sin6_scope_id = if_nametoindex(args_info.standalone_iface)) ) { - my_perror("Setting server socket interface failed, possibly mis-spelled"); - exit(1); - } - } - - /* In case a standalone address was specified ... */ - if ( args_info.standalone_addr_given ) { - /* ... try to set it as an IPv6 address ... */ - if ( inet_pton(AF_INET6, args_info.standalone_addr, &sa_serv.sin6_addr) < 1 ) { - /* ... if this failed, try to set it as an IPv4-mapped address */ - snprintf(buf, sizeof(buf), "::FFFF:%s", args_info.standalone_addr); - if ( inet_pton(AF_INET6, buf, &sa_serv.sin6_addr) < 1 ) { - my_perror("Setting server socket IP address failed, possibly malformed"); - exit(1); - } - } - } - - if ( bind( listen_sd, (struct sockaddr *)&sa_serv, sizeof(sa_serv) ) < 0) { + if ( bind( listen_sd, sa_serv_p, sa_serv_len ) < 0) { my_perror("Server socket bind failed"); exit(1); } From 4690473fbabe3f542ccc68c38e729b1fbe7d843d Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sun, 21 Jan 2024 22:52:36 +0100 Subject: [PATCH 53/90] In standalone mode, fix logging of IPv6 clients. --- proxytunnel.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/proxytunnel.c b/proxytunnel.c index e26a044..210948b 100644 --- a/proxytunnel.c +++ b/proxytunnel.c 
@@ -230,6 +230,21 @@ void get_sa_serv(struct sockaddr **sa_serv_pp, socklen_t *sa_serv_len_p) return; } +/* Log pid and IP address of client */ +void log_client(int pid, struct sockaddr_storage *ss_client_p) +{ + char buf[40]; + + inet_ntop(ss_client_p->ss_family, + ss_client_p->ss_family == AF_INET ? + (void *)&(((struct sockaddr_in *)ss_client_p)->sin_addr) : + (void *)&(((struct sockaddr_in6 *)ss_client_p)->sin6_addr), + buf, + sizeof(buf)); + message( "Started tunnel pid=%d for connection from %s", pid, buf ); + return; +} + /* Run as a standalone daemon */ void do_daemon() { @@ -237,12 +252,10 @@ void do_daemon() int one = 1; struct sockaddr *sa_serv_p; socklen_t sa_serv_len; - struct sockaddr_in sa_cli; + struct sockaddr_storage sa_cli; socklen_t client_len; int pid = 0; int sd_client; - char buf[80]; - unsigned char addr[4]; /* Socket descriptor */ int sd; @@ -311,6 +324,10 @@ void do_daemon() * we'll do it by default, can't hurt * * -- Maniac + * + * 2024/01/21: Not sure what makes up the workaround + * + * -- Sven */ client_len = sizeof( sa_cli ); @@ -365,9 +382,7 @@ void do_daemon() exit( 0 ); } - memcpy( &addr, &sa_cli.sin_addr.s_addr, 4 ); - snprintf( (char *) buf, 16, "%u.%u.%u.%u", addr[0], addr[1], addr[2], addr[3] ); - message( "Started tunnel pid=%d for connection from %s", pid, buf ); + log_client(pid, &sa_cli); close( sd_client ); } } From cef27b8576a7967f87f58b091e8b622b4b134b1b Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Sun, 21 Jan 2024 23:04:33 +0100 Subject: [PATCH 54/90] As worker, close the unneeded listening socket. --- proxytunnel.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/proxytunnel.c b/proxytunnel.c index 210948b..e489a5a 100644 --- a/proxytunnel.c +++ b/proxytunnel.c 
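Review bot: In log_client() the return value of inet_ntop() is ignored and `buf` is never initialized, so on a failed conversion (unknown family, or a buffer too small — `char buf[40]` is below the INET6_ADDRSTRLEN the API documents as the required size) message() prints unterminated stack contents into the log. Size the buffer with the constant and fall back to a fixed string on failure: `char buf[INET6_ADDRSTRLEN];` and `if ( inet_ntop(...) == NULL ) snprintf( buf, sizeof( buf ), "<unknown>" );`. The @@ -365 hunk's `log_client(pid, &sa_cli);` call is fine as is once that is in place.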
@@ -343,6 +343,9 @@ void do_daemon() if ( ( pid = fork() ) < 0 ) { my_perror( "Cannot fork worker" ); } else if ( pid == 0 ) { + /* As worker, we do not need to listen for new connections */ + close(listen_sd); + read_fd = write_fd = sd_client; /* Create a stdin/out stream */ From 33399b33126efa56830ea378dd64140c85469150 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Fri, 26 Jan 2024 01:44:37 +0100 Subject: [PATCH 55/90] Remove deprecated options. Remove options -u and -s deprecated since 2008. Remove also commented remnants of options -U and -S. --- cmdline.c | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/cmdline.c b/cmdline.c index a8a0adf..30ab52d 100644 --- a/cmdline.c +++ b/cmdline.c @@ -222,11 +222,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar static struct option long_options[] = { { "help", 0, NULL, 'h' }, { "version", 0, NULL, 'V' }, - { "user", 1, NULL, 'u' }, - { "pass", 1, NULL, 's' }, { "domain", 1, NULL, 't' }, -// { "uservar", 1, NULL, 'U' }, -// { "passvar", 1, NULL, 'S' }, { "passfile", 1, NULL, 'F' }, { "proxy", 1, NULL, 'p' }, { "proxyauth", 1, NULL, 'P' }, 
@@ -365,29 +361,6 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->host_arg = gengetopt_strdup (optarg); break; - case 'u': /* Username to send to HTTPS proxy for authentication. */ - if (args_info->user_given) { - fprintf (stderr, "%s: `--user' (`-u'), `--proxyauth' (`-P') or `--passfile' (`-F') option given more than once\n", PACKAGE); - clear_args (); - exit(1); - } - args_info->user_given = 1; - args_info->user_arg = gengetopt_strdup (optarg); - message ("Option -u/--user is deprecated, please use -P/--proxyauth user:pass\n"); - break; - - - case 's': /* Password to send to HTTPS proxy for authentication. */ - if (args_info->pass_given) { - fprintf (stderr, "%s: `--pass' (`-s') or `--passfile' (`-F') option given more than once\n", PACKAGE); - clear_args (); - exit(1); - } - args_info->pass_given = 1; - args_info->pass_arg = gengetopt_strdup (optarg); - message ("Option -s/--pass is deprecated, please use -P/--proxyauth user:pass\n"); - break; - case 't': /* Env Var with NTLM DOMAIN (when overriding). */ if (args_info->domain_given) { fprintf (stderr, "%s: `--domain' (`-t') option given more than once\n", PACKAGE); From 945f205796430c367e49d6c15c1619b786ce1e2b Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:46:15 +0100 Subject: [PATCH 56/90] Deprecate -L/--tlsenforce and -T/--no-ssl3. --- cmdline.c | 20 +++++++++++--------- cmdline.h | 6 +++--- docs/proxytunnel.1.adoc | 6 ------ ptstream.c | 13 +++---------- 4 files changed, 17 insertions(+), 28 deletions(-) diff --git a/cmdline.c b/cmdline.c index 30ab52d..36aafae 100644 --- a/cmdline.c +++ b/cmdline.c 
@@ -69,8 +69,8 @@ void cmdline_parser_print_help (void) { " setups)\n" " -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards\n" " compatibility\n" -" -L, --tlsenforce Enforce TLSv1 connection (legacy)\n" -" -T, --no-ssl3 Do not connect using SSLv3 (legacy)\n" +/*" -L, --tlsenforce Enforce TLSv1 connection (legacy)\n" +" -T, --no-ssl3 Do not connect using SSLv3 (legacy)\n"*/ " -z, --no-check-certificate Don't verify server SSL certificate\n" " -C, --cacert=STRING Path to trusted CA certificate or directory\n" #endif @@ -161,7 +161,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->clientkey_given = 0; args_info->wa_bug_29744_given = 0; args_info->proctitle_given = 0; - args_info->enforcetls1_given = 0; + /* args_info->enforcetls1_given = 0; */ args_info->host_given = 0; args_info->cacert_given = 0; @@ -194,9 +194,9 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->clientcert_arg = NULL; \ args_info->clientkey_arg = NULL; \ args_info->wa_bug_29744_flag = 0; \ - args_info->no_ssl3_flag = 0; \ + /* args_info->no_ssl3_flag = 0; */\ args_info->proctitle_arg = NULL; \ - args_info->enforcetls1_flag = 0; \ + /* args_info->enforcetls1_flag = 0; */\ args_info->host_arg = NULL; \ args_info->no_check_cert_flag = 0; \ args_info->cacert_arg = NULL; \ @@ -350,9 +350,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar break; case 'L': - args_info->enforcetls1_given = 1; + /* args_info->enforcetls1_given = 1; message("Enforcing TLSv1\n"); - args_info->enforcetls1_flag = 1; + args_info->enforcetls1_flag = 1; */ + message ("Option -L/--tlsenforce is deprecated and without effect\n"); break; case 'o': 
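Review bot: The -L/-T handling is commented out in place (`/* args_info->enforcetls1_given = 1; ... */`) rather than deleted, here and in the @@ -161, @@ -194 and @@ -447 hunks of cmdline.c and both cmdline.h hunks; the previous commit in this series removed exactly such remnants for -U/-S, so adding new ones contradicts it, and git history already preserves the old code. Delete the commented lines and keep only the `message ("Option -L/--tlsenforce is deprecated and without effect\n");` in each case. In the @@ -194 hunk the commented-out lines sit inside a backslash-continued macro (`/* args_info->no_ssl3_flag = 0; */\`), which is valid C but easy to break on a later edit — one more reason to drop them.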
@@ -447,9 +448,10 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar break; case 'T': /* Turn off SSLv3 */ - args_info->no_ssl3_flag = !(args_info->no_ssl3_flag); + /* args_info->no_ssl3_flag = !(args_info->no_ssl3_flag); if( args_info->verbose_flag ) - message("SSLv3 disabled\n"); + message("SSLv3 disabled\n"); */ + message ("Option -T/--no-ssl3 is deprecated and without effect\n"); break; case 'd': /* Destination host to built the tunnel to. */ diff --git a/cmdline.h b/cmdline.h index b0cddd2..18b77e9 100644 --- a/cmdline.h +++ b/cmdline.h @@ -53,9 +53,9 @@ struct gengetopt_args_info { char *clientcert_arg; /* client SSL certificate */ char *clientkey_arg; /* client SSL key */ int wa_bug_29744_flag; /* Use SSL encryption only until CONNECT, if at all (def=off).*/ - int no_ssl3_flag; /* Turn off SSLv3 (default=on) */ + /* int no_ssl3_flag; Turn off SSLv3 (default=on) */ char *proctitle_arg; /* Override process title (default=off). */ - int enforcetls1_flag; /* Override default and enforce TLSv1 */ + /* int enforcetls1_flag; Override default and enforce TLSv1 */ char *host_arg; /* Optional Host Header */ int no_check_cert_flag; /* Turn off server SSL certificate verification (default=on) */ int enforceipv4_flag; /* Enforce IPv4 (default=off). */ @@ -90,7 +90,7 @@ struct gengetopt_args_info { int clientkey_given; /* Whether client SSL key was given */ int wa_bug_29744_given; /* Whether work around was given */ int proctitle_given; /* Whether to override process title */ - int enforcetls1_given; /* Wheter to enforce TLSv1 */ + /* int enforcetls1_given; Wheter to enforce TLSv1 */ int host_given; /* Wheter we override the Host Header */ int cacert_given; /* Whether cacert was given */ }; diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 1550011..e04b4ac 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc 
@@ -61,12 +61,6 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-B*, *--buggy-encrypt-proxy*:: Equivalent to *-E -W* (Provided for backwards compatibility). -*-L*, *--tlsenforce*:: - Enforce TLSv1 connection (legacy). - -*-T*, *--no-ssl3*:: - Prevent the use of SSLv3 in encrypted connections (default: enabled). - *-z*, *--no-check-certificate*:: Do not verify server SSL certificate when establishing an SSL connection. By default, the server SSL certificate is verified and the target host name diff --git a/ptstream.c b/ptstream.c index 64a4782..8080145 100644 --- a/ptstream.c +++ b/ptstream.c @@ -226,7 +226,6 @@ int check_cert_names(X509 *cert, char *peer_host) { if (check_cert_valid_host((char*)ASN1_STRING_get0_data(gn->d.ia5), peer_host)) { #else if (check_cert_valid_host((char*)ASN1_STRING_data(gn->d.ia5), peer_host)) { - #endif return 1; } @@ -281,21 +280,15 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { /* Initialise the connection */ SSLeay_add_ssl_algorithms(); - if (args_info.enforcetls1_flag) { #ifdef OPENSSL11 - meth = TLS_client_method(); + meth = TLS_client_method(); #else - meth = TLSv1_client_method(); + meth = SSLv23_client_method(); #endif - } else { - meth = SSLv23_client_method(); - } SSL_load_error_strings(); ctx = SSL_CTX_new (meth); - if (args_info.no_ssl3_flag) { - ssl_options |= SSL_OP_NO_SSLv3; - } + ssl_options |= SSL_OP_NO_SSLv3; SSL_CTX_set_options (ctx, ssl_options); if ( !args_info.no_check_cert_flag ) { From 351d2dffc333f8c813ac751b270e440f3989fa17 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Tue, 30 Jan 2024 19:47:34 +0100 Subject: [PATCH 57/90] Use OPENSSL_VERSION_NUMBER to compile code matching the applied libssl version. This renders Makefile.ssl11 redundant. --- Makefile.ssl11 | 106 ------------------------------------------------- ptstream.c | 4 +- ptstream.h | 1 + 3 files changed, 3 insertions(+), 108 deletions(-) delete mode 100644 Makefile.ssl11 
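Review bot: With -L gone, `ssl_options |= SSL_OP_NO_SSLv3;` is now the only protocol floor, so TLS 1.0 and 1.1 stay negotiable on both the `TLS_client_method()` and the `SSLv23_client_method()` path. In the `#ifdef OPENSSL11` branch the version-flexible method supports a minimum version; adding `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);` next to the existing `SSL_CTX_set_options (ctx, ssl_options);` (and checking its return) would keep the intent of the deprecated enforce-TLS option without reintroducing it. The enclosing stream_enable_ssl() starts and ends outside this hunk.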
diff --git a/Makefile.ssl11 b/Makefile.ssl11
deleted file mode 100644
index 709b05f..0000000
--- a/Makefile.ssl11
+++ /dev/null
@@ -1,106 +0,0 @@ -# Makefile for proxytunnel -# -# Please uncomment the appropriate settings - -name = proxytunnel -version = $(shell awk 'BEGIN { FS="\"" } /^\#define VERSION / { print $$2 }' config.h) - -CC ?= cc -CFLAGS ?= -Wall -O2 -ggdb -DOPENSSL11 - -# Comment on non-gnu systems -OPTFLAGS += -DHAVE_GETOPT_LONG - -# Comment if you don't have/want ssl -OPTFLAGS += -DUSE_SSL - -# Most systems -OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2 - -# Comment if you don't have this flag -OPTFLAGS += -DSO_REUSEPORT - -# System dependant blocks... if your system is listed below, uncomment -# the relevant lines - -# OpenBSD -#OPTFLAGS += -DHAVE_SYS_PSTAT_H - -# DARWIN -#OPTFLAGS += -DDARWIN - -# CYGWIN -#OPTFLAGS += -DCYGWIN - -# SOLARIS -#LDFLAGS += -lsocket -lnsl -#LDFLAGS += -L/usr/local/ssl/lib # Path to your SSL lib dir - -# END system dependant block - -SSL_LIBS := $(shell pkg-config --libs openssl 2>/dev/null) -ifeq ($(SSL_LIBS),) -SSL_LIBS := $(shell pkg-config --libs libssl 2>/dev/null) -endif -ifeq ($(SSL_LIBS),) -SSL_LIBS := -lssl -lcrypto -endif -LDFLAGS += $(SSL_LIBS) - -prefix = /usr/local -bindir = $(prefix)/bin -datadir = $(prefix)/share -mandir = $(datadir)/man - -# Remove strlcpy/strlcat on (open)bsd/darwin systems -OBJ = proxytunnel.o \ - base64.o \ - strzcat.o \ - setproctitle.o \ - io.o \ - http.o \ - basicauth.o \ - globals.o \ - readpassphrase.o \ - messages.o \ - cmdline.o \ - ntlm.o \ - ptstream.o - -UNAME = $(shell uname) -ifneq ($(UNAME),Darwin) -OBJ += strlcpy.o \ - strlcat.o -endif - -.PHONY: all clean docs install - -all: proxytunnel - -docs: - $(MAKE) -C docs - -proxytunnel: $(OBJ) - $(CC) -o $(name) $(CFLAGS) $(OPTFLAGS) $(OBJ) $(LDFLAGS) - -clean: - @rm -f $(name) $(OBJ) - $(MAKE) -C docs clean - -install: - install -d $(DESTDIR)$(bindir) - install -p -m555 $(name) $(DESTDIR)$(bindir) - $(MAKE) -C docs install - -.c.o: - $(CC) $(CFLAGS) $(OPTFLAGS) -c -o $@ $< - -dist: clean docs - sed -i -e 's/^Version:.*$$/Version: $(version)/' 
contrib/proxytunnel.spec - find . ! -wholename '*/.svn*' | pax -d -w -x ustar -s ,^./,$(name)-$(version)/, | bzip2 >../$(name)-$(version).tar.bz2 - -rpm: dist - rpmbuild -tb --clean --rmsource --rmspec --define "_rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" --define "_rpmdir ../" ../$(name)-$(version).tar.bz2 - -srpm: dist - rpmbuild -ts --clean --rmsource --rmspec --define "_rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm" --define "_srcrpmdir ../" ../$(name)-$(version).tar.bz2 diff --git a/ptstream.c b/ptstream.c index 8080145..d7c6424 100644 --- a/ptstream.c +++ b/ptstream.c @@ -222,7 +222,7 @@ int check_cert_names(X509 *cert, char *peer_host) { for (i = 0; i < san_count; i++) { gn = sk_GENERAL_NAME_value(gen_names, i); if (gn->type == GEN_DNS && !(peer_host_is_ipv4 || peer_host_is_ipv6)) { -#ifdef OPENSSL11 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L if (check_cert_valid_host((char*)ASN1_STRING_get0_data(gn->d.ia5), peer_host)) { #else if (check_cert_valid_host((char*)ASN1_STRING_data(gn->d.ia5), peer_host)) { @@ -280,7 +280,7 @@ int stream_enable_ssl(PTSTREAM *pts, const char *proxy_arg) { /* Initialise the connection */ SSLeay_add_ssl_algorithms(); -#ifdef OPENSSL11 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L meth = TLS_client_method(); #else meth = SSLv23_client_method(); diff --git a/ptstream.h b/ptstream.h index e944c54..ccfd717 100644 --- a/ptstream.h +++ b/ptstream.h @@ -21,6 +21,7 @@ #include #ifdef USE_SSL +#include #include #include #include From abb82a7807c4cca060b3ba7b5a44c158cf27766a Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Thu, 1 Feb 2024 16:08:09 +0100 Subject: [PATCH 58/90] Make sure no deprecated libssl functions are called. --- ntlm.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++----- ntlm.h | 1 + proxytunnel.c | 5 ++++ 3 files changed, 64 insertions(+), 6 deletions(-) diff --git a/ntlm.c b/ntlm.c index 21c8b62..60699ee 100644 --- a/ntlm.c +++ b/ntlm.c 
@@ -28,14 +28,25 @@ #include "proxytunnel.h" #include #include -#include -#include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include + #include +#else + #include + #include +#endif #define TYPE1_DATA_SEG 8 #define TYPE2_BUF_SIZE 2048 #define DOMAIN_BUFLEN 256 #define LM2_DIGEST_LEN 24 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +const EVP_MD *md4alg; +const EVP_MD *md5alg; +EVP_MD_CTX *mdctx; +#endif + int ntlm_challenge = 0; void message( char *s, ... ); int unicode = 0; @@ -58,6 +69,16 @@ uint32_t flags; unsigned char lm2digest[LM2_DIGEST_LEN]; +void init_ntlm() { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + OSSL_PROVIDER_load(NULL, "default"); + OSSL_PROVIDER_load(NULL, "legacy"); + md4alg = EVP_md4(); + md5alg = EVP_md5(); + mdctx = EVP_MD_CTX_new(); +#endif +} + void build_type1() { ntlm_type1 *type1; int len = sizeof(ntlm_type1) + sizeof(unsigned char) * TYPE1_DATA_SEG; @@ -237,7 +258,10 @@ unsigned char* key; /* pointer to authentication key */ int key_len; /* length of authentication key */ unsigned char digest[16]; /* caller digest to be filled in */ { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#else MD5_CTX context; +#endif unsigned char k_ipad[65]; /* inner padding - key XORd with ipad */ unsigned char k_opad[65]; /* outer padding - key XORd with opad */ unsigned char tk[16]; @@ -245,10 +269,15 @@ unsigned char digest[16]; /* caller digest to be filled in */ /* if key is longer than 64 bytes reset it to key=MD5(key) */ if (key_len > 64) { - MD5_CTX tctx; - MD5_Init( &tctx ); - MD5_Update( &tctx, key, key_len ); - MD5_Final( tk, &tctx ); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_DigestInit_ex(mdctx, md5alg, NULL); + EVP_DigestUpdate(mdctx, key, key_len); + EVP_DigestFinal_ex(mdctx, tk, NULL); +#else + MD5_Init(&context); + MD5_Update(&context, key, key_len); + MD5_Final(tk, &context); +#endif key = tk; key_len = 16; } 
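Review bot: init_ntlm() ignores every return value: OSSL_PROVIDER_load() and EVP_MD_CTX_new() can return NULL, and if MD4 is unavailable because the legacy provider did not load, EVP_md4() still yields a descriptor but the later EVP_DigestInit_ex() in the @@ -317 hunk fails and leaves `passdigest` uninitialized, so the NTLM response is built from garbage with no error reported. The EVP_Digest* calls in hmac_md5 (the @@ -245 hunk here and the @@ -277 hunk) have the same gap. Check results where they are produced — `mdctx = EVP_MD_CTX_new(); if ( mdctx == NULL ) { message("NTLM: EVP_MD_CTX_new failed\n"); exit(1); }` in init_ntlm, and treat a 0 return from EVP_DigestInit_ex/Update/Final as fatal at each use. A later patch in this series says it verifies the provider loading; the digest-call checks remain open.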
@@ -277,22 +306,39 @@ unsigned char digest[16]; /* caller digest to be filled in */ } /* perform inner MD5 */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_DigestInit_ex(mdctx, md5alg, NULL); /* init context for 1st pass */ + EVP_DigestUpdate(mdctx, k_ipad, 64); /* start with inner pad */ + EVP_DigestUpdate(mdctx, text, text_len); /* then text of datagram */ + EVP_DigestFinal_ex(mdctx, digest, NULL); /* finish up 1st pass */ +#else MD5_Init(&context); /* init context for 1st pass */ MD5_Update(&context, k_ipad, 64); /* start with inner pad */ MD5_Update(&context, text, text_len); /* then text of datagram */ MD5_Final(digest, &context); /* finish up 1st pass */ +#endif /* perform outer MD5 */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_DigestInit_ex(mdctx, md5alg, NULL); /* init context for 1st pass */ + EVP_DigestUpdate(mdctx, k_opad, 64); /* start with inner pad */ + EVP_DigestUpdate(mdctx, digest, 16); /* then text of datagram */ + EVP_DigestFinal_ex(mdctx, digest, NULL); /* finish up 1st pass */ +#else MD5_Init(&context); /* init context for 2nd pass */ MD5_Update(&context, k_opad, 64); /* start with outer pad */ MD5_Update(&context, digest, 16); /* then results of 1st hash */ MD5_Final(digest, &context); /* finish up 2nd pass */ +#endif } void build_ntlm2_response() { int i, j; int passlen = 0; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#else MD4_CTX passcontext; +#endif unsigned char passdigest[16]; unsigned char *userdom; int userdomlen; @@ -317,9 +363,15 @@ void build_ntlm2_response() { } } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_DigestInit_ex(mdctx, md4alg, NULL); + EVP_DigestUpdate(mdctx, unipasswd, passlen); + EVP_DigestFinal_ex(mdctx, passdigest, NULL); +#else MD4_Init (&passcontext); MD4_Update (&passcontext, unipasswd, passlen); MD4_Final (passdigest, &passcontext); +#endif if( args_info.verbose_flag ) { message("NTLM: MD4 of password is: "); diff --git a/ntlm.h b/ntlm.h index 3d91c8d..48a3384 100644 --- a/ntlm.h +++ b/ntlm.h 
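Review bot: The comments on the new outer-MD5 block were copied from the inner pass and no longer match the code: `EVP_DigestInit_ex(mdctx, md5alg, NULL); /* init context for 1st pass */`, `/* start with inner pad */` and `/* then text of datagram */` sit on lines that start the second pass, feed k_opad and hash the first-pass digest. Reuse the wording the `#else` branch already has: `/* init context for 2nd pass */`, `/* start with outer pad */`, `/* then results of 1st hash */`, `/* finish up 2nd pass */`. The empty `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` / `#else` pair around `MD4_CTX passcontext;` (and the one around `MD5_CTX context;` in the @@ -237 hunk) reads more plainly as `#if OPENSSL_VERSION_NUMBER < 0x30000000L`.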
@@ -21,6 +21,7 @@ #include +void init_ntlm(); void build_type1(); int parse_type2(unsigned char *buf); void build_type3_response(); diff --git a/proxytunnel.c b/proxytunnel.c index e489a5a..a847223 100644 --- a/proxytunnel.c +++ b/proxytunnel.c @@ -420,6 +420,11 @@ int main( int argc, char *argv[] ) { signal( SIGHUP, signal_handler ); + /* Initialize the NTLM module, if needed. */ + if (args_info.ntlm_flag) { + init_ntlm(); + } + /* If the usename is given, but password is not, prompt for it */ if( args_info.user_given && !args_info.pass_given ) { char *cp; From e999ab0acd0051aad19ad4d926ce13ad9f7ddcda Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Thu, 1 Feb 2024 16:14:56 +0100 Subject: [PATCH 59/90] Replace deprecated functions bzero/bcopy by memset/memcpy. --- ntlm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ntlm.c b/ntlm.c index 60699ee..54761f5 100644 --- a/ntlm.c +++ b/ntlm.c @@ -294,10 +294,10 @@ unsigned char digest[16]; /* caller digest to be filled in */ */ /* start out by storing key in pads */ - bzero( k_ipad, sizeof k_ipad); - bzero( k_opad, sizeof k_opad); - bcopy( key, k_ipad, key_len); - bcopy( key, k_opad, key_len); + memset(k_ipad, 0, sizeof(k_ipad)); + memset(k_opad, 0, sizeof(k_opad)); + memcpy(k_ipad, key, key_len); + memcpy(k_opad, key, key_len); /* XOR key with ipad and opad values */ for (i=0; i<64; i++) { From 08b84fe0548ffb389cb09cd6e67e4d5b9cfb7a60 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Thu, 1 Feb 2024 16:33:38 +0100 Subject: [PATCH 60/90] Update the --help output to the recent version. --- README.md | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 2393810..4023b95 100644 --- a/README.md +++ b/README.md 
@@ -25,37 +25,40 @@ option it specifies it's command-line options. ``` $ ./proxytunnel --help -proxytunnel 1.9.9 Copyright 2001-2018 Proxytunnel Project +proxytunnel 1.12.1 Copyright 2001-2024 Proxytunnel Project Usage: proxytunnel [OPTIONS]... Build generic tunnels through HTTPS proxies using HTTP authentication Standard options: -i, --inetd Run from inetd (default: off) - -a, --standalone=INT Run as standalone daemon on specified port + -a, --standalone=STRING Run as standalone daemon on specified port or + address:port combination -p, --proxy=STRING Local proxy host:port combination -r, --remproxy=STRING Remote proxy host:port combination (using 2 proxies) -d, --dest=STRING Destination host:port combination -e, --encrypt SSL encrypt data between local proxy and destination -E, --encrypt-proxy SSL encrypt data between client and local proxy -X, --encrypt-remproxy SSL encrypt data between local and remote proxy - -W, --wa-bug-29744 workaround ASF Bugzilla 29744, if SSL is active stop - using it after CONNECT (might not work on all setups; - see /usr/share/doc/proxytunnel/README.Debian.gz) - -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards - compatibility - -L (legacy) enforce TLSv1 connection - -T, --no-ssl3 Do not connect using SSLv3 Additional options for specific features: + -W, --wa-bug-29744 Workaround ASF Bugzilla 29744: if SSL is active + stop using it after CONNECT (might not work on all + setups) + -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards + compatibility -z, --no-check-certificate Don't verify server SSL certificate -C, --cacert=STRING Path to trusted CA certificate or directory + -4, --ipv4 Enforce IPv4 connection to local proxy + -6, --ipv6 Enforce IPv6 connection to local proxy -F, --passfile=STRING File with credentials for proxy authentication -P, --proxyauth=STRING Proxy auth credentials user:pass combination -R, --remproxyauth=STRING Remote proxy auth credentials user:pass combination + -c, 
--cert=FILENAME client SSL certificate (chain) + -k, --key=FILENAME client SSL key -N, --ntlm Use NTLM based authentication -t, --domain=STRING NTLM domain (default: autodetect) -H, --header=STRING Add additional HTTP headers to send to proxy - -o STRING send custom Host Header + -o, --host=STRING Send custom Host Header/SNI -x, --proctitle=STRING Use a different process title Miscellaneous options: From d2c636bef4c5fc7d830b80f249ee1f0398e8f9fe Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Tue, 6 Feb 2024 17:41:38 +0100 Subject: [PATCH 61/90] Prepare CHANGES and config.h for release. --- CHANGES | 18 ++++++++++++++++++ config.h | 6 +++--- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 4b117eb..35753b4 100755 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,21 @@ +Changes to proxytunnel 1.12.1 -- Tue Feb 6 17:36:38 CET 2024 + +[ Sven Geuer, https://github.com/68420948 ] +- -a/--standalone option: + - Use an AF_INET socket when binding to a specified IPv4 address. This makes + sure IPv4 works regardless of the IPV6_V6ONLY socket option being turned on + or off. Thanks to https://github.com/saper for noting the shortcoming. + - Fix logging of IPv6 clients. + - Close unneeded listening socket in worker. +- Deprecate -L/--tlsenforce and -T/--no-ssl3. SSLv3 has been disabled in likely + all distributions nowadays. +- Apply OPENSSL_VERSION_NUMBER to compile code matching the libssl version in + use. Consequently the file Makefile.ssl11 has been removed. +- Make sure no deprecated libssl functions are called, depending on the libssl + version in use. +- Replace calls to deprecated functions bzero()/bcopy() by memset()/memcpy(). +- Update README.md to show recent --help output. + Changes to proxytunnel 1.12.0 -- Sun Dec 17 19:51:57 CET 2023 [ Sven Geuer, https://github.com/68420948 ] diff --git a/config.h b/config.h index ff45073..80914fd 100644 --- a/config.h +++ b/config.h 
@@ -17,9 +17,9 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#define VERSION "1.12.0" -#define VERSION_YEAR "2023" -#define VERSION_DATE "2023-12-17" +#define VERSION "1.12.1" +#define VERSION_YEAR "2024" +#define VERSION_DATE "2024-02-06" #define PACKAGE "proxytunnel" #define PURPOSE "Build generic tunnels through HTTPS proxies" #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) " From af80b39f2de75036d3089454627d8f5b6edfba6a Mon Sep 17 00:00:00 2001 From: hoilc Date: Wed, 20 Mar 2024 13:18:20 +0800 Subject: [PATCH 62/90] enable github action --- .github/workflows/windows.yml | 56 +++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/windows.yml diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml new file mode 100644 index 0000000..a67bc67 --- /dev/null +++ b/.github/workflows/windows.yml 
@@ -0,0 +1,56 @@ +name: Build for Windows + +on: + push: + branches: + - '**' + paths-ignore: + - 'README.md' + - 'LICENSE.txt' + - 'RELNOTES' + - 'TODO' + pull_request: + release: + types: [published] + +jobs: + build: + runs-on: windows-latest + steps: + - uses: actions/checkout@v4 + - uses: msys2/setup-msys2@v2 + with: + msystem: msys + install: >- + mingw-w64-x86_64-toolchain + gcc + make + openssl + openssl-devel + zip + unzip + xmlto + asciidoc + curl + awk + bash + - name: Build + shell: msys2 {0} + run: | + make + make docs + ldd proxytunnel.exe | grep msys.*\.dll | awk '{print $3}' | xargs cp -t . + zip proxytunnel.zip proxytunnel.exe *.dll docs/proxytunnel.1 docs/*.html + - name: Upload CI Artifact + uses: actions/upload-artifact@v4 + with: + name: proxytunnel-${{ github.sha }}-x86_64-windows-msys + path: proxytunnel.zip + - name: Upload to GitHub Release + uses: svenstaro/upload-release-action@v2 + if: github.event_name == 'release' + with: + file: proxytunnel.zip + asset_name: proxytunnel-${{ github.ref.name }}-x86_64-windows-msys.zip + tag: ${{ github.ref }} + overwrite: true From 0d62ae5af3c1fb96c48273a729c23714848b19c4 Mon Sep 17 00:00:00 2001 From: hoilc Date: Mon, 25 Mar 2024 21:25:00 +0800 Subject: [PATCH 63/90] Fix typo in package name --- .github/workflows/windows.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index a67bc67..c7f078a 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -51,6 +51,6 @@ jobs: if: github.event_name == 'release' with: file: proxytunnel.zip - asset_name: proxytunnel-${{ github.ref.name }}-x86_64-windows-msys.zip + asset_name: proxytunnel-${{ github.ref_name }}-x86_64-windows-msys.zip tag: ${{ github.ref }} overwrite: true From 9df98a6e31bf3a2332759aa5770a414698d5e375 Mon Sep 17 00:00:00 2001 
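Review bot: The workflow declares no `permissions:` block and pulls the third-party `svenstaro/upload-release-action@v2` by a mutable major tag, so the release step runs with whatever default token scope the repository grants and with whatever code that tag points to on a given day. I would add `permissions:` / `  contents: write` at the top of the file (the only scope the release upload needs; everything else then defaults to none) and pin `uses: svenstaro/upload-release-action@<full commit SHA>` with the version noted in a trailing comment, as `actions/checkout@v4` and `actions/upload-artifact@v4` at least come from a trusted org. The `if: github.event_name == 'release'` guard already keeps fork pull requests away from the upload, which is good; the token scoping is the remaining gap.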
From: Matt Merhar Date: Fri, 13 Sep 2024 18:30:25 -0400 Subject: [PATCH 64/90] Avoid printing unterminated string in readline() When running with -v, readline() in io.c uses strncpy() to copy a string (*without* the terminating NULL) into an uninitialized buffer created by malloc(). When message() then prints this, it can lead to garbage data being emitted since it's potentially reading past the intended end of the string. In practice, this appears to only be an additional byte or 2 before a NULL is encountered. The issue was hit when readline() encountered "\r\n\r\n", not longer strings, but I imagine it's dependent on things like compiler / libc / the weather as to whether the end of the buffer returned by malloc() will be zeroed or not; I've seen similar issues pop up with "working" code running on newer distros. --- io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/io.c b/io.c index e8df31a..56d516e 100644 --- a/io.c +++ b/io.c @@ -57,7 +57,7 @@ int readline(PTSTREAM *pts) { if( args_info.verbose_flag ) { /* Copy line of data into dstr without trailing newline */ - char *dstr = malloc(strlen(buf) + 1); + char *dstr = calloc(1, strlen(buf) + 1); strncpy( dstr, buf, strlen(buf)); if (strcmp(dstr, "")) message( " <- %s\n", dstr ); From 8ff6d58f1bca6805ce4a30b6c7025af4485af8e4 Mon Sep 17 00:00:00 2001 From: e9hack Date: Fri, 29 Nov 2024 12:08:56 +0100 Subject: [PATCH 65/90] Fixed loading of default and legacy provider - Verify that the default and legacy provider was loaded successfully. If not bail out. - On Windows, try to load the legacy.dll from multiple locations before bailing out. - Added legacy.dll to the proxytunnel.zip archive. --- Makefile | 7 +++++++ buildwin.sh | 10 +++++----- ntlm.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 64 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 1da0ce7..0f97693 100644 --- a/Makefile +++ b/Makefile 
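Review bot: `dstr` is still never freed, so every verbose-mode line leaks its copy, and `calloc` is a workaround for `strncpy` being used with the exact length rather than a fix of the copy itself; the result is also unchecked for NULL before `strcmp`. Since the copy is `strlen(buf)` bytes, it is a plain duplicate and the block reduces to `char *dstr = strdup(buf);` followed by `if (dstr && *dstr) message( " <- %s\n", dstr );` and `free(dstr);` (the comment's "without trailing newline" presumably relies on readline having stripped it earlier — worth confirming, since nothing in the hunk strips it). readline's body starts and ends outside the hunk.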
@@ -20,6 +20,13 @@ OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2 # System dependant blocks... if your system is listed below, uncomment # the relevant lines +# MSYS +# The current version of gcc from MSYS defines __MSYS__ and __CYGWIN__. +# To avoid to change the code, simply define CYGWIN additionally. +ifneq ($(filter $(MSYSTEM),MSYS MINGW32 MINGW64 UCRT64),) +CFLAGS += -DCYGWIN +endif + # OpenBSD #OPTFLAGS += -DHAVE_SYS_PSTAT_H diff --git a/buildwin.sh b/buildwin.sh index 52d8b59..5e1165c 100644 --- a/buildwin.sh +++ b/buildwin.sh @@ -4,13 +4,13 @@ echo "Build docs..." make -C docs echo "Build proxytunnel..." -make -f Makefile.ssl11 - -echo "Copy msys/openssl dll to build dir..." -cp /usr/bin/msys-2.0.dll /usr/bin/msys-crypto-1.1.dll /usr/bin/msys-ssl-1.1.dll /usr/bin/msys-z.dll . +make -f Makefile +strip -s proxytunnel.exe echo "Generate proxytunnel.zip with docs, exe and msys/openssl dll..." -zip proxytunnel.zip proxytunnel.exe *.dll docs/proxytunnel.1 docs/proxytunnel.1.html docs/proxytunnel-paper.html +zip proxytunnel.zip proxytunnel.exe docs/proxytunnel.1 docs/proxytunnel.1.html docs/proxytunnel-paper.html +DLLS="$(ldd proxytunnel.exe | grep msys.*\.dll | awk '{print $3}' | xargs) /usr/lib/ossl-modules/legacy.dll" +zip proxytunnel.zip -j $DLLS if [ ! -z "${TRAVIS_TAG}" ]; then echo "Deploy proxytunnel.zip to github release tag:${TRAVIS_TAG}..." diff --git a/ntlm.c b/ntlm.c index 54761f5..5159202 100644 --- a/ntlm.c +++ b/ntlm.c @@ -29,6 +29,9 @@ #include #include #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #ifdef CYGWIN + #include + #endif #include #include #else 
@@ -71,8 +74,55 @@ unsigned char lm2digest[LM2_DIGEST_LEN]; void init_ntlm() { #if OPENSSL_VERSION_NUMBER >= 0x30000000L - OSSL_PROVIDER_load(NULL, "default"); - OSSL_PROVIDER_load(NULL, "legacy"); + OSSL_PROVIDER *provider; + provider = OSSL_PROVIDER_load(NULL, "default"); + if (!provider) { + my_perror("Loading default provider failed"); + exit(1); + } + provider = OSSL_PROVIDER_load(NULL, "legacy"); +#ifdef CYGWIN + if (!provider) { + // available at msys and git for windows + // the msys version has an additional dependency on libcrypto-3-x64.dll + provider = OSSL_PROVIDER_load(NULL, "/mingw64/lib/ossl-modules/legacy.dll"); + } + if (!provider) { + // available at msys (without dependency on libcrypto-3-x64.dll) + provider = OSSL_PROVIDER_load(NULL, "/usr/lib/ossl-modules/legacy.dll"); + } + if (!provider) { + // default installation path for additional tools + provider = OSSL_PROVIDER_load(NULL, "/usr/local/bin/legacy.dll"); + } + if (!provider) { + // directory of proxytunnel itself + const char *p = strrchr(program_name, '/'); + if (p) { + const int len = p - program_name; + char *tmp = (char*)alloca(len + sizeof("/legacy.dll")); + memcpy(tmp, program_name, len); + strcpy(tmp + len, "/legacy.dll"); + provider = OSSL_PROVIDER_load(NULL, tmp); + } + } + if (!provider) { + // current working directory + char *cwd = getcwd(NULL, 0); + if (cwd) { + const int len = strlen(cwd); + char *tmp = (char*)alloca(len + sizeof("/legacy.dll")); + memcpy(tmp, cwd, len); + free(cwd); + strcpy(tmp + len, "/legacy.dll"); + provider = OSSL_PROVIDER_load(NULL, tmp); + } + } +#endif + if (!provider) { + my_perror("Loading legacy provider failed"); + exit(1); + } md4alg = EVP_md4(); md5alg = EVP_md5(); mdctx = EVP_MD_CTX_new(); From b6daf27b8f6b72a089486623cf729be68ed3e6bb Mon Sep 17 00:00:00 2001 
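Review bot: The last two fallbacks load `legacy.dll` from the directory of the executable and from the current working directory, and a provider is executable code loaded into the process, so on a Windows/MSYS build a writable cwd (or a binary copied next to attacker-writable files) becomes a library-hijack vector for any user running proxytunnel there. I would drop the `getcwd()` branch entirely and keep the executable-directory lookup only if `program_name` is an absolute path, documenting that with `/* NOTE: never search the cwd for providers -- untrusted-search-path risk */`. Separately, `my_perror` after a failed `OSSL_PROVIDER_load` presumably prints `errno`, which OpenSSL does not set; `ERR_print_errors_fp(stderr)` gives the actual reason. init_ntlm's body continues past the hunk.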
From: e9hack Date: Fri, 29 Nov 2024 12:41:27 +0100 Subject: [PATCH 66/90] Fixed NTLM authentication - analyse_HTTP: Read first something from the connection before analyse it - analyse_HTTP: Accepte a TAB as a second delimiter during parsing an answer from a proxy. - proxy_protocol(): In case of NTLM authentication, this function is called twice recursively. Use variable ntlm_challenge as marker of the state of the authentication to avoid endless recursive calls in case of an error and avoid to try to connect to the remote proxy twice. --- http.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/http.c b/http.c index a4e020c..12e1956 100644 --- a/http.c +++ b/http.c @@ -37,17 +37,16 @@ * header */ void analyze_HTTP(PTSTREAM *pts) { - char *p = strtok( buf, " "); + char *p; /* Strip html error pages for faulty proxies (Stephane Engel ) */ - while (strncmp( p, "HTTP/", 5) != 0 ) { - if ( readline(pts) ) { - p = strtok( buf, " "); - } else { + do { + if (readline(pts) <= 0) { message( "analyze_HTTP: readline failed: Connection closed by remote host\n" ); exit(2); } - } + p = strtok( buf, " \t"); + } while (strncmp( p, "HTTP/", 5) != 0 ); if (strcmp( p, "HTTP/1.0" ) != 0 && strcmp( p, "HTTP/1.1" ) != 0) { message( "Unsupported HTTP version number %s\n", p ); @@ -117,6 +116,7 @@ void proxy_protocol(PTSTREAM *pts) { if (args_info.ntlm_flag) { if (ntlm_challenge == 1) { build_type3_response(); + ntlm_challenge = 2; strzcat( buf, "Proxy-Authorization: NTLM %s\r\n", ntlm_type3_buf ); } else if (ntlm_challenge == 0) { strzcat( buf, "Proxy-Authorization: NTLM %s\r\n", ntlm_type1_buf ); @@ -157,7 +157,7 @@ void proxy_protocol(PTSTREAM *pts) { /* Read the first line of the response and analyze it */ analyze_HTTP(pts); - if (args_info.remproxy_given ) { + if (ntlm_challenge < 3 && args_info.remproxy_given ) { /* Clean buffer for next analysis */ while ( strcmp( buf, "\r\n" ) != 0 ) readline(pts); 
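Review bot: In the rewritten analyze_HTTP loop `p = strtok( buf, " \t");` can return NULL when readline hands back an empty or all-delimiter line, and the `while` condition then dereferences it in `strncmp`; the old code had the same hole, but the new loop structure makes it a one-token fix: `} while (p == NULL || strncmp(p, "HTTP/", 5) != 0);`. Whether `readline(pts) <= 0` can coincide with an empty `buf` depends on readline's contract, which is outside the hunk, so the NULL guard is the safe choice either way. The later `if (ntlm_challenge < 3 && args_info.remproxy_given )` hunk depends on the state values assigned elsewhere in proxy_protocol, whose body starts and ends outside these hunks.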
@@ -209,8 +209,8 @@ void proxy_protocol(PTSTREAM *pts) { * Then, repeat reading lines of the responses until a blank line * (which signifies the end of the response) is encountered. */ - if (ntlm_challenge == 1) { - ntlm_challenge = 2; + if (ntlm_challenge == 2) { + ntlm_challenge = 3; } else { do { readline(pts); From fb9b85a40e1c7c0626bd1dbbd466b0c3427a07ff Mon Sep 17 00:00:00 2001 From: Nick Braun Date: Fri, 20 Dec 2024 04:56:18 -0800 Subject: [PATCH 67/90] Increase MAX_HEADER_SIZE Increases the MAX_HEADER_SIZE in cmdline to be 4K --- cmdline.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmdline.h b/cmdline.h index 18b77e9..93cf460 100644 --- a/cmdline.h +++ b/cmdline.h @@ -23,7 +23,7 @@ #ifndef _cmdline_h #define _cmdline_h -#define MAX_HEADER_SIZE 1024 +#define MAX_HEADER_SIZE 4096 struct gengetopt_args_info { char *user_arg; /* Username to send to HTTPS proxy for auth. */ From 0e202442e5dcf0391240c9f6409db0c0acf3528b Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Fri, 7 Mar 2025 22:23:12 +0100 Subject: [PATCH 68/90] CHANGES: chmode 755 to 644. --- CHANGES | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 CHANGES diff --git a/CHANGES b/CHANGES old mode 100755 new mode 100644 From 6b99bb78984e16c2e02611446edd06eb59297da8 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Fri, 7 Mar 2025 22:27:28 +0100 Subject: [PATCH 69/90] TODO: Drop note about SSL proxy support, it has been added meanwhile. --- TODO | 5 ----- 1 file changed, 5 deletions(-) diff --git a/TODO b/TODO index 45c19e4..8ac9281 100644 --- a/TODO +++ b/TODO 
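Review bot: `ntlm_challenge` now cycles through four bare integers (0 → type1 sent, 1 → challenge received, 2 → type3 sent, 3 → done) across three hunks of proxy_protocol plus ntlm.c, and nothing in the code names those states, which is how the previous off-by-one state bug slipped in. An `enum { NTLM_NONE = 0, NTLM_CHALLENGE_RECEIVED, NTLM_TYPE3_SENT, NTLM_DONE };` next to the `int ntlm_challenge` definition, with `ntlm_challenge = NTLM_DONE;` here, would make the recursion guard readable. proxy_protocol's body starts before this hunk.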
@@ -7,11 +7,6 @@ or: proxytunnel -p username:password@local-proxy:port -r username:password@remote-proxy:port -d %h:%p -### SSL proxy support -- Starting with Apache 2.4 using CONNECT over SSL is supported !! - See: http://issues.apache.org/bugzilla/show_bug.cgi?id=29744 - - ### Code cleanup - Find some hardcore C experts to help us improve the code quality From dc0945afb8383a196019cb8143f442d7f4011995 Mon Sep 17 00:00:00 2001 From: Sven Geuer <68420948@users.noreply.github.com> Date: Fri, 7 Mar 2025 23:04:56 +0100 Subject: [PATCH 70/90] Update CHANGES and config.h for release 1.12.3 --- CHANGES | 15 +++++++++++++++ config.h | 6 +++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 35753b4..24d5bfb 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,18 @@ +Changes to proxytunnel 1.12.3 -- Fri Mar 7 23:04:25 CET 2025 + +- PR #83 from https://github.com/tofurky to avoid printing unterminated string + in readline(). +- PR #86 from https://github.com/e9hack to fix and improve ntlm authentication. +- PR #89 from https://github.com/njbraun to increase MAX_HEADER_SIZE to 4k. +- From Sven Geuer, https://github.com/68420948 + - Chmode 755 to 644 for file CHANGES. + - Drop obsolete entry about SSL proxy support from file TODO. + +Changes to proxytunnel 1.12.2 -- Mon Mar 25 14:50:38 CET 2024 + +- PRs #79 and #80 from https://github.com/hoilc implementing github action to + build windows binary. + Changes to proxytunnel 1.12.1 -- Tue Feb 6 17:36:38 CET 2024 [ Sven Geuer, https://github.com/68420948 ] diff --git a/config.h b/config.h index 80914fd..f73e2ed 100644 --- a/config.h +++ b/config.h 
@@ -17,9 +17,9 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#define VERSION "1.12.1" -#define VERSION_YEAR "2024" -#define VERSION_DATE "2024-02-06" +#define VERSION "1.12.3" +#define VERSION_YEAR "2025" +#define VERSION_DATE "2025-03-07" #define PACKAGE "proxytunnel" #define PURPOSE "Build generic tunnels through HTTPS proxies" #define AUTHORS "Jos Visser (Muppet) , Mark Janssen (Maniac) " From c5ab4648776ab415dba7012fd39fe4e7a7c97e33 Mon Sep 17 00:00:00 2001 From: zsuper Date: Tue, 1 Apr 2025 19:27:26 -0700 Subject: [PATCH 71/90] Added basic flake support for x86_64-linux. --- flake.lock | 27 +++++++++++++++++++++++++++ flake.nix | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..e0fe2d9 --- /dev/null +++ b/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1743315132, + "narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "52faf482a3889b7619003c0daec593a1912fddc1", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..fa6fc9e --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,39 @@ +{ + description = "A flake that provides the proxytunnel command"; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + }; + + outputs = { + self, + nixpkgs, + ... + }: let + # TODO: Check functionality and add support for other architectures. + pkgs = nixpkgs.legacyPackages."x86_64-linux"; + in { + packages.x86_64-linux.default = pkgs.stdenv.mkDerivation { + pname = "proxytunnel"; + + version = "1.0.0"; + + src = ./.; + nativeBuildInputs = [pkgs.gnumake]; + buildInputs = [pkgs.openssl]; + + buildPhase = '' + make + ''; + + installPhase = '' + mkdir -p $out/bin + cp ./proxytunnel $out/bin + ''; + }; + + devShells.x86_64-linux.default = pkgs.mkShell { + packages = [self.packages.x86_64-linux.default]; + }; + }; +} From 20be023202745f67cba98c8f230836e28d1b9568 Mon Sep 17 00:00:00 2001 From: zsuper Date: Tue, 1 Apr 2025 19:58:45 -0700 Subject: [PATCH 72/90] Extended flake so support can easily be added for diff archs in the future --- flake.nix | 53 ++++++++++++++++++++++++++++++++--------------------- 1 file changed, 32 insertions(+), 21 deletions(-) diff --git a/flake.nix b/flake.nix index fa6fc9e..9068cbf 100644 --- a/flake.nix +++ b/flake.nix 
@@ -11,29 +11,40 @@ ... }: let # TODO: Check functionality and add support for other architectures. - pkgs = nixpkgs.legacyPackages."x86_64-linux"; + supportedSystems = ["x86_64-linux"]; + forAllSystems = nixpkgs.lib.genAttrs supportedSystems; + + mkProxyTunnel = system: let + pkgs = nixpkgs.legacyPackages.${system}; + in + pkgs.stdenv.mkDerivation { + pname = "proxytunnel"; + + version = "1.0.0"; + + src = ./.; + nativeBuildInputs = [pkgs.gnumake]; + buildInputs = [pkgs.openssl]; + + buildPhase = '' + make + ''; + + installPhase = '' + mkdir -p $out/bin + cp ./proxytunnel $out/bin + ''; + }; in { - packages.x86_64-linux.default = pkgs.stdenv.mkDerivation { - pname = "proxytunnel"; + packages = forAllSystems mkProxyTunnel; - version = "1.0.0"; + defaultPackage = forAllSystems (system: self.packages.${system}); - src = ./.; - nativeBuildInputs = [pkgs.gnumake]; - buildInputs = [pkgs.openssl]; - - buildPhase = '' - make - ''; - - installPhase = '' - mkdir -p $out/bin - cp ./proxytunnel $out/bin - ''; - }; - - devShells.x86_64-linux.default = pkgs.mkShell { - packages = [self.packages.x86_64-linux.default]; - }; + devShells = forAllSystems (system: let + pkgs = nixpkgs.legacyPackages.${system}; + in + pkgs.mkShell { + packages = [self.defaultPackage.${system}]; + }); }; } From 3ec1efe42ef895b2bda31b285a31d3f39c15a555 Mon Sep 17 00:00:00 2001 From: zsuper Date: Tue, 1 Apr 2025 23:09:45 -0700 Subject: [PATCH 73/90] Changed flake.nix to use flake-parts for modular arch support. Updated INSTALL.md --- INSTALL.md | 40 ++++++++++++++++++++++++++++++ flake.lock | 48 ++++++++++++++++++++++++++++++------ flake.nix | 71 +++++++++++++++++++++++++----------------------------- 3 files changed, 114 insertions(+), 45 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 9e2e7fa..c5b6905 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -10,6 +10,46 @@ to build simply run `make` and optionally `make install`. If you manually want to install, copy proxytunnel to /usr/local/bin and optionally the manual-page from the debian-subdirectory to your manpath +# Nix Flakes + +> NOTE: The Nix Flake installation currently only supports the default Makefile flags (i.e. GNU system assumed + SSL enabled). + +A simple Nix Flake is included to allow for use via flake inputs. To create a temporary Nix Shell with access to the `proxytunnel` binary, you can run the command: +```console +nix develop github:proxytunnel/proxytunnel +``` +If you instead want to include it as a flake input, the following `flake.nix` shows how to do so: +```nix +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + + # Add proxytunnel as an input + proxytunnel.url = "github:proxytunnel/proxytunnel"; + }; + + outputs = { + nixpkgs, + proxytunnel, + ... + }: let + system = "x86_64-linux"; + pkgs = import nixpkgs {system = "x86_64-linux";}; + in { + devShells.${system}.default = pkgs.mkShell { + buildInputs = [ + # Make the `proxytunnel` binary available in a Nix Shell + proxytunnel.packages.${system}.default + + # And include any other packages as desired... + pkgs.gcc + pkgs.glibc.dev + ]; + }; + }; +} +``` + # msys2 To install msys2 with [chocolatey](https://chocolatey.org/install): diff --git a/flake.lock b/flake.lock index e0fe2d9..d496322 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,23 +1,57 @@ { "nodes": { - "nixpkgs": { + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, "locked": { - "lastModified": 1743315132, - "narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "52faf482a3889b7619003c0daec593a1912fddc1", + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", "type": "github" }, "original": { - "owner": "nixos", + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1743448293, + "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "77b584d61ff80b4cef9245829a6f1dfad5afdfa3", + "type": "github" + }, + "original": { + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1743296961, + "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, "root": { "inputs": { + "flake-parts": "flake-parts", "nixpkgs": "nixpkgs" } } diff --git a/flake.nix b/flake.nix index 9068cbf..e83f8ff 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,50 +1,45 @@ { - description = "A flake that provides the proxytunnel command"; + description = "Basic flake that provides proxytunnel as a package or as a binary in a nix shell"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + flake-parts.url = "github:hercules-ci/flake-parts"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; }; - outputs = { - self, - nixpkgs, - ... - }: let - # TODO: Check functionality and add support for other architectures. - supportedSystems = ["x86_64-linux"]; - forAllSystems = nixpkgs.lib.genAttrs supportedSystems; + outputs = inputs @ {flake-parts, ...}: + flake-parts.lib.mkFlake {inherit inputs;} { + # TODO: Add support for more systems once checked. + # TODO: Maybe add configuration options for toggling Makefile {C/LD/OPT}FLAGS + systems = ["x86_64-linux"]; - mkProxyTunnel = system: let - pkgs = nixpkgs.legacyPackages.${system}; - in - pkgs.stdenv.mkDerivation { - pname = "proxytunnel"; + perSystem = { + config, + pkgs, + ... + }: { + packages.default = config.packages.proxytunnel; - version = "1.0.0"; + packages.proxytunnel = pkgs.stdenv.mkDerivation { + pname = "proxytunnel"; + version = "1.0.0"; + src = ./.; - src = ./.; - nativeBuildInputs = [pkgs.gnumake]; - buildInputs = [pkgs.openssl]; + nativeBuildInputs = [pkgs.gnumake]; + buildInputs = [pkgs.openssl]; - buildPhase = '' - make - ''; + buildPhase = '' + make + ''; - installPhase = '' - mkdir -p $out/bin - cp ./proxytunnel $out/bin - ''; + installPhase = '' + mkdir -p $out/bin + cp ./proxytunnel $out/bin + ''; + }; + + devShells.default = pkgs.mkShell { + packages = [config.packages.default]; + }; }; - in { - packages = forAllSystems mkProxyTunnel; - - defaultPackage = forAllSystems (system: self.packages.${system}); - - devShells = forAllSystems (system: let - pkgs = nixpkgs.legacyPackages.${system}; - in - pkgs.mkShell { - packages = [self.defaultPackage.${system}]; - }); - }; + }; } 
From 8ab065fca1d6e7b1513cf4251ae5e85864b1d747 Mon Sep 17 00:00:00 2001 From: Piyush Kumbhare <130249145+zSuperx@users.noreply.github.com> Date: Tue, 1 Apr 2025 23:39:13 -0700 Subject: [PATCH 74/90] Update flake.nix version to match github Release v1.12.3 version --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index e83f8ff..ced1f98 100644 --- a/flake.nix +++ b/flake.nix @@ -21,7 +21,7 @@ packages.proxytunnel = pkgs.stdenv.mkDerivation { pname = "proxytunnel"; - version = "1.0.0"; + version = "1.12.3"; src = ./.; nativeBuildInputs = [pkgs.gnumake]; From 49824201601bde8c9fec8a12f24a167369ab8a96 Mon Sep 17 00:00:00 2001 From: zsuper Date: Thu, 3 Apr 2025 09:46:52 -0700 Subject: [PATCH 75/90] flake overlay test --- flake.lock | 6 +++--- flake.nix | 15 +++++++++++++-- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index d496322..d28337e 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1743448293, - "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=", + "lastModified": 1743583204, + "narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "77b584d61ff80b4cef9245829a6f1dfad5afdfa3", + "rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index ced1f98..1d29a2f 100644 --- a/flake.nix +++ b/flake.nix @@ -12,12 +12,17 @@ # TODO: Maybe add configuration options for toggling Makefile {C/LD/OPT}FLAGS systems = ["x86_64-linux"]; + imports = [inputs.flake-parts.flakeModules.easyOverlay]; + perSystem = { config, pkgs, ... }: { - packages.default = config.packages.proxytunnel; + overlayAttrs = { + inherit (config.packages) proxytunnel; + enableSSL = true; + }; packages.proxytunnel = pkgs.stdenv.mkDerivation { pname = "proxytunnel"; 
@@ -33,10 +38,16 @@ installPhase = '' mkdir -p $out/bin - cp ./proxytunnel $out/bin + cp ./proxytunnel $out/bin/${ + if config.overlayAttrs.enableSSL + then "proxytunnel-yes-ssl" + else "proxytunnel-no-ssl" + } ''; }; + packages.default = config.packages.proxytunnel; + devShells.default = pkgs.mkShell { packages = [config.packages.default]; }; From c4c6caafbb358fcb8c500e967c73fe324216d867 Mon Sep 17 00:00:00 2001 From: zsuper Date: Thu, 3 Apr 2025 11:20:21 -0700 Subject: [PATCH 76/90] use callPackage --- flake.nix | 48 +++++++++++++++++++++++------------------------- 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/flake.nix b/flake.nix index 1d29a2f..2b8a3bc 100644 --- a/flake.nix +++ b/flake.nix @@ -12,40 +12,38 @@ # TODO: Maybe add configuration options for toggling Makefile {C/LD/OPT}FLAGS systems = ["x86_64-linux"]; - imports = [inputs.flake-parts.flakeModules.easyOverlay]; - perSystem = { config, pkgs, ... }: { - overlayAttrs = { - inherit (config.packages) proxytunnel; - enableSSL = true; - }; + packages.proxytunnel = pkgs.callPackage ( + { + enableSSL ? true, + stdenv, + }: + stdenv.mkDerivation { + pname = "proxytunnel"; + version = "1.12.3"; + src = ./.; - packages.proxytunnel = pkgs.stdenv.mkDerivation { - pname = "proxytunnel"; - version = "1.12.3"; - src = ./.; + nativeBuildInputs = [pkgs.gnumake]; + buildInputs = [pkgs.openssl]; - nativeBuildInputs = [pkgs.gnumake]; - buildInputs = [pkgs.openssl]; + buildPhase = '' + make + ''; - buildPhase = '' - make - ''; - - installPhase = '' - mkdir -p $out/bin - cp ./proxytunnel $out/bin/${ - if config.overlayAttrs.enableSSL - then "proxytunnel-yes-ssl" - else "proxytunnel-no-ssl" + installPhase = '' + mkdir -p $out/bin + cp ./proxytunnel $out/bin/${ + if enableSSL + then "proxytunnel-yes-ssl" + else "proxytunnel-no-ssl" + } + ''; } - ''; - }; - + ) {}; packages.default = config.packages.proxytunnel; devShells.default = pkgs.mkShell { 
From 5e9a22d035ce7d111a75cad5e0186891b1eb9e9c Mon Sep 17 00:00:00 2001 From: zsuper Date: Thu, 3 Apr 2025 15:17:29 -0700 Subject: [PATCH 77/90] moved package mkDerivation to ./nix/proxytunnel.nix --- flake.nix | 33 ++++++--------------------------- nix/proxytunnel.nix | 31 +++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 27 deletions(-) create mode 100644 nix/proxytunnel.nix diff --git a/flake.nix b/flake.nix index 2b8a3bc..eb73249 100644 --- a/flake.nix +++ b/flake.nix @@ -9,41 +9,20 @@ outputs = inputs @ {flake-parts, ...}: flake-parts.lib.mkFlake {inherit inputs;} { # TODO: Add support for more systems once checked. - # TODO: Maybe add configuration options for toggling Makefile {C/LD/OPT}FLAGS systems = ["x86_64-linux"]; + imports = [inputs.flake-parts.flakeModules.easyOverlay]; + perSystem = { config, pkgs, ... }: { - packages.proxytunnel = pkgs.callPackage ( - { - enableSSL ? true, - stdenv, - }: - stdenv.mkDerivation { - pname = "proxytunnel"; - version = "1.12.3"; - src = ./.; + overlayAttrs = { + inherit (config.packages) proxytunnel; + }; - nativeBuildInputs = [pkgs.gnumake]; - buildInputs = [pkgs.openssl]; - - buildPhase = '' - make - ''; - - installPhase = '' - mkdir -p $out/bin - cp ./proxytunnel $out/bin/${ - if enableSSL - then "proxytunnel-yes-ssl" - else "proxytunnel-no-ssl" - } - ''; - } - ) {}; + packages.proxytunnel = pkgs.callPackage ./nix/proxytunnel.nix {}; packages.default = config.packages.proxytunnel; devShells.default = pkgs.mkShell { diff --git a/nix/proxytunnel.nix b/nix/proxytunnel.nix new file mode 100644 index 0000000..b72c112 --- /dev/null +++ b/nix/proxytunnel.nix 
@@ -0,0 +1,31 @@ +{ + enableSSL ? true, + set-proc-title ? true, + pkgs, +}: let + optflags = "${ + if enableSSL + then "-DUSE_SSL" + else "" + } ${ + if set-proc-title + then "-DSETPROCTITLE -DSPT_TYPE=2" + else "" + }"; +in + pkgs.stdenv.mkDerivation { + pname = "proxytunnel"; + version = "1.12.3"; + src = ./..; + + buildInputs = [pkgs.openssl]; + + buildPhase = '' + make OPTFLAGS="${optflags}" + ''; + + installPhase = '' + mkdir -p $out/bin + cp ./proxytunnel $out/bin + ''; + } From ad8a6a1c7e93473bcc5a616567a2f4186670119d Mon Sep 17 00:00:00 2001 From: zsuper Date: Thu, 3 Apr 2025 19:43:15 -0700 Subject: [PATCH 78/90] Added options for gnu-systems & setproctitle to flake --- nix/proxytunnel.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/nix/proxytunnel.nix b/nix/proxytunnel.nix index b72c112..7272eec 100644 --- a/nix/proxytunnel.nix +++ b/nix/proxytunnel.nix @@ -1,11 +1,12 @@ { - enableSSL ? true, + gnu-system ? true, set-proc-title ? true, pkgs, }: let - optflags = "${ - if enableSSL - then "-DUSE_SSL" + # TODO: Due to the way the OPENSSL_VERSION_NUMBER macro is checked, the -DUSE_SSL flag is NECESSARY + optflags = "-DUSE_SSL ${ + if gnu-system + then "-DHAVE_GETOPT_LONG" else "" } ${ if set-proc-title From f320f2bf634a0a0e3e08e41f01d83019dad2d24e Mon Sep 17 00:00:00 2001 From: zsuper Date: Thu, 3 Apr 2025 19:50:31 -0700 Subject: [PATCH 79/90] Added preprocessor #ifdef USE_SSL around every instance of OPENSSL_VERSION_NUMBER --- nix/proxytunnel.nix | 9 +++++++-- ntlm.c | 14 ++++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/nix/proxytunnel.nix b/nix/proxytunnel.nix index 7272eec..7940719 100644 --- a/nix/proxytunnel.nix +++ b/nix/proxytunnel.nix 
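Review bot: Passing `OPTFLAGS="${optflags}"` on the `make` command line replaces every `OPTFLAGS +=` line in the Makefile (GNU make only lets `override` assignments win against a command-line variable), so any default the Makefile sets beyond `-DUSE_SSL` and `-DSETPROCTITLE -DSPT_TYPE=2`, including the system-specific blocks, silently disappears in the Nix build and must be replicated here. That deserves a comment above `optflags`, e.g. `# NOTE: OPTFLAGS on the make command line overrides the Makefile's own OPTFLAGS lines entirely; keep the defaults below in sync with the Makefile`. The hard-coded `version = "1.12.3"` will also drift from `config.h` unless someone remembers both.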
@@ -1,10 +1,15 @@ { + use-ssl ? true, gnu-system ? true, set-proc-title ? true, pkgs, }: let - # TODO: Due to the way the OPENSSL_VERSION_NUMBER macro is checked, the -DUSE_SSL flag is NECESSARY - optflags = "-DUSE_SSL ${ + optflags = "${ + if use-ssl + then "-DUSE_SSL" + else "" + } + ${ if gnu-system then "-DHAVE_GETOPT_LONG" else "" diff --git a/ntlm.c b/ntlm.c index 5159202..e33c437 100644 --- a/ntlm.c +++ b/ntlm.c @@ -28,6 +28,7 @@ #include "proxytunnel.h" #include #include +#ifdef USE_SSL #if OPENSSL_VERSION_NUMBER >= 0x30000000L #ifdef CYGWIN #include @@ -38,6 +39,7 @@ #include #include #endif +#endif /* USE_SSL */ #define TYPE1_DATA_SEG 8 #define TYPE2_BUF_SIZE 2048 @@ -73,6 +75,7 @@ uint32_t flags; unsigned char lm2digest[LM2_DIGEST_LEN]; void init_ntlm() { +#ifdef USE_SSL #if OPENSSL_VERSION_NUMBER >= 0x30000000L OSSL_PROVIDER *provider; provider = OSSL_PROVIDER_load(NULL, "default"); @@ -127,6 +130,7 @@ void init_ntlm() { md5alg = EVP_md5(); mdctx = EVP_MD_CTX_new(); #endif +#endif /* ifdef USE_SSL */ } void build_type1() { @@ -308,10 +312,12 @@ unsigned char* key; /* pointer to authentication key */ int key_len; /* length of authentication key */ unsigned char digest[16]; /* caller digest to be filled in */ { +#ifdef USE_SSL #if OPENSSL_VERSION_NUMBER >= 0x30000000L #else MD5_CTX context; #endif +#endif /* ifdef USE_SSL */ unsigned char k_ipad[65]; /* inner padding - key XORd with ipad */ unsigned char k_opad[65]; /* outer padding - key XORd with opad */ unsigned char tk[16]; @@ -319,6 +325,7 @@ unsigned char digest[16]; /* caller digest to be filled in */ /* if key is longer than 64 bytes reset it to key=MD5(key) */ if (key_len > 64) { +#ifdef USE_SSL #if OPENSSL_VERSION_NUMBER >= 0x30000000L EVP_DigestInit_ex(mdctx, md5alg, NULL); EVP_DigestUpdate(mdctx, key, key_len); 
@@ -328,6 +335,7 @@ unsigned char digest[16]; /* caller digest to be filled in */
 MD5_Update(&context, key, key_len);
 MD5_Final(tk, &context);
 #endif
+#endif /* ifdef USE_SSL */
 key = tk;
 key_len = 16;
 }
@@ -356,6 +364,7 @@ unsigned char digest[16]; /* caller digest to be filled in */
 }
 /* perform inner MD5 */
+#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 EVP_DigestInit_ex(mdctx, md5alg, NULL); /* init context for 1st pass */
 EVP_DigestUpdate(mdctx, k_ipad, 64); /* start with inner pad */
@@ -380,15 +389,18 @@ unsigned char digest[16]; /* caller digest to be filled in */
 MD5_Update(&context, digest, 16); /* then results of 1st hash */
 MD5_Final(digest, &context); /* finish up 2nd pass */
 #endif
+#endif /* ifdef USE_SSL */
 }
 void build_ntlm2_response() {
 int i, j;
 int passlen = 0;
+#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #else
 MD4_CTX passcontext;
 #endif
+#endif /* ifdef USE_SSL */
 unsigned char passdigest[16];
 unsigned char *userdom;
 int userdomlen;
@@ -413,6 +425,7 @@ void build_ntlm2_response() {
 }
 }
+#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 EVP_DigestInit_ex(mdctx, md4alg, NULL);
 EVP_DigestUpdate(mdctx, unipasswd, passlen);
@@ -422,6 +435,7 @@ void build_ntlm2_response() {
 MD4_Update (&passcontext, unipasswd, passlen);
 MD4_Final (passdigest, &passcontext);
 #endif
+#endif /* ifdef USE_SSL */
 if( args_info.verbose_flag ) {
 message("NTLM: MD4 of password is: ");
From 2ef739f7c2c52608fa47b7daa727f28cc7cd22fb Mon Sep 17 00:00:00 2001
From: zsuper
Date: Thu, 3 Apr 2025 19:51:48 -0700
Subject: [PATCH 80/90] Fixed formatting issue that caused an error with OPTFLAGS
---
 nix/proxytunnel.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/nix/proxytunnel.nix b/nix/proxytunnel.nix
index 7940719..454eac6 100644
--- a/nix/proxytunnel.nix
+++ b/nix/proxytunnel.nix
@@ -8,8 +8,7 @@
 if use-ssl
 then "-DUSE_SSL"
 else ""
- }
- ${
+ } ${
 if gnu-system
 then "-DHAVE_GETOPT_LONG"
 else ""
From 226c45c9698c3b7fa09a7032d1531584100aa5a9 Mon Sep 17 00:00:00 2001
From: zsuper
Date: Thu, 3 Apr 2025 20:00:14 -0700
Subject: [PATCH 81/90] Added one more #ifdef for consistency
---
 ntlm.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ntlm.c b/ntlm.c
index e33c437..945fb4c 100644
--- a/ntlm.c
+++ b/ntlm.c
@@ -46,11 +46,13 @@
 #define DOMAIN_BUFLEN 256
 #define LM2_DIGEST_LEN 24
+#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 const EVP_MD *md4alg;
 const EVP_MD *md5alg;
 EVP_MD_CTX *mdctx;
 #endif
+#endif /* ifdef USE_SSL */
 int ntlm_challenge = 0;
 void message( char *s, ... );
From 2e61c609bb4cd20701796856be679f08ea3bc687 Mon Sep 17 00:00:00 2001
From: zsuper
Date: Thu, 3 Apr 2025 21:13:45 -0700
Subject: [PATCH 82/90] Updated INSTALL.md
---
 INSTALL.md | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/INSTALL.md b/INSTALL.md
index c5b6905..2cb85f2 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -34,16 +34,30 @@ If you instead want to include it as a flake input, the following `flake.nix` sh
 ...
 }: let
 system = "x86_64-linux";
- pkgs = import nixpkgs {system = "x86_64-linux";};
+ pkgs = import nixpkgs {
+ system = "x86_64-linux";
+ overlays = [
+ (_: _: {
+ # Add an overlay with this line to add proxytunnel's default features to your nixpkgs
+ proxytunnel = proxytunnel.packages.${system}.default;
+
+ # Add an overlay with this line to override options (i.e. disable SSL support)
+ proxytunnel = proxytunnel.packages.${system}.default.override { use-ssl = false };
+
+ # For a full list of override options, see `nix/proxytunnel.nix`
+ })
+ ]
+ };
 in {
 devShells.${system}.default = pkgs.mkShell {
- buildInputs = [
+ packages = [
 # Make the `proxytunnel` binary available in a Nix Shell
 proxytunnel.packages.${system}.default
 # And include any other packages as desired...
 pkgs.gcc
 pkgs.glibc.dev
+ # ...
 ];
 };
 };
From 85eeaabe28fb75940314cb7658c25b8705155d8a Mon Sep 17 00:00:00 2001
From: zsuper
Date: Thu, 3 Apr 2025 21:29:38 -0700
Subject: [PATCH 83/90] Updated INSTALL.md again
---
 INSTALL.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/INSTALL.md b/INSTALL.md
index 2cb85f2..b3b4918 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -52,7 +52,8 @@ If you instead want to include it as a flake input, the following `flake.nix` sh
 devShells.${system}.default = pkgs.mkShell {
 packages = [
 # Make the `proxytunnel` binary available in a Nix Shell
- proxytunnel.packages.${system}.default
+ # The above overlay adds it to nixpkgs. Without the overlay, use proxytunnel.packages.${system}.default
+ pkgs.proxytunnel
 # And include any other packages as desired...
 pkgs.gcc
From b4ed20677c0986ac42e82c7e7e95c4b3b372bb47 Mon Sep 17 00:00:00 2001
From: zsuper
Date: Fri, 4 Apr 2025 09:52:26 -0700
Subject: [PATCH 84/90] Removed use-ssl option as it does not make sense to disable SSL. Also added default overlay updated INSTALL.md with flake overlay
---
 INSTALL.md | 14 ++++----------
 nix/proxytunnel.nix | 7 +------
 2 files changed, 5 insertions(+), 16 deletions(-)
diff --git a/INSTALL.md b/INSTALL.md
index b3b4918..a7db3fe 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -12,7 +12,7 @@ and optionally the manual-page from the debian-subdirectory to your manpath
 # Nix Flakes
-> NOTE: The Nix Flake installation currently only supports the default Makefile flags (i.e. GNU system assumed + SSL enabled).
+> NOTE: The Nix Flake installation currently only supports the `x86_64-linux` platform, and has not been tested on other architectures.
 A simple Nix Flake is included to allow for use via flake inputs. To create a temporary Nix Shell with access to the `proxytunnel` binary, you can run the command:
 ```console
@@ -37,16 +37,11 @@ If you instead want to include it as a flake input, the following `flake.nix` sh
 pkgs = import nixpkgs {
 system = "x86_64-linux";
 overlays = [
- (_: _: {
- # Add an overlay with this line to add proxytunnel's default features to your nixpkgs
- proxytunnel = proxytunnel.packages.${system}.default;
-
- # Add an overlay with this line to override options (i.e. disable SSL support)
- proxytunnel = proxytunnel.packages.${system}.default.override { use-ssl = false };
+ # Add proxytunnel's default features to your nixpkgs
+ proxytunnel = proxytunnel.overlays.default;
 # For a full list of override options, see `nix/proxytunnel.nix`
- })
- ]
+ ];
 };
 in {
 devShells.${system}.default = pkgs.mkShell {
@@ -57,7 +52,6 @@ If you instead want to include it as a flake input, the following `flake.nix` sh
 # And include any other packages as desired...
 pkgs.gcc
- pkgs.glibc.dev
 # ...
 ];
 };
diff --git a/nix/proxytunnel.nix b/nix/proxytunnel.nix
index 454eac6..ad3a010 100644
--- a/nix/proxytunnel.nix
+++ b/nix/proxytunnel.nix
@@ -1,14 +1,9 @@
 {
- use-ssl ? true,
 gnu-system ? true,
 set-proc-title ? true,
 pkgs,
 }: let
- optflags = "${
- if use-ssl
- then "-DUSE_SSL"
- else ""
- } ${
+ optflags = "-DUSE_SSL ${
 if gnu-system
 then "-DHAVE_GETOPT_LONG"
 else ""
From 77b9afda276f23e7f81776ece1772fa5ea9ab708 Mon Sep 17 00:00:00 2001
From: Mark Janssen -- Sig-I/O Automatisering
Date: Wed, 14 May 2025 22:24:24 +0200
Subject: [PATCH 85/90] Fix #96
---
 Makefile | 5 ++++-
 proxytunnel.h | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 0f97693..0aa9db2 100644
--- a/Makefile
+++ b/Makefile
@@ -66,7 +66,6 @@ mandir = $(datadir)/man
 OBJ = proxytunnel.o \
 base64.o \
 strzcat.o \
- setproctitle.o \
 io.o \
 http.o \
 basicauth.o \
@@ -77,6 +76,10 @@ OBJ = proxytunnel.o \
 ntlm.o \
 ptstream.o
+ifneq (,$(findstring -DSETPROCTITLE,$(OPTFLAGS)))
+OBJ += setproctitle.o
+endif
+
 UNAME = $(shell uname)
 ifneq ($(UNAME),Darwin)
 OBJ += strlcpy.o \
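Review bot: The `proxytunnel.overlays.default` output that the rewritten INSTALL.md snippet in this commit now points users at (alongside `pkgs.proxytunnel` from the previous commit) is not defined by any hunk here — the diffstat lists only INSTALL.md and nix/proxytunnel.nix — so unless flake.nix already exports a default overlay, the documented example cannot evaluate. That snippet also places `proxytunnel = proxytunnel.overlays.default;` inside the `overlays = [ ... ];` list, where an element must be an expression rather than a binding; the element should read `proxytunnel.overlays.default`. Hard-coding `-DUSE_SSL` again in the nix/proxytunnel.nix hunk matches the commit's rationale, but the earlier explanatory comment was dropped with the option; a one-liner such as `# -DUSE_SSL is always required: ntlm.c includes the OpenSSL headers unconditionally` would keep the next reader from reintroducing the switch.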
diff --git a/proxytunnel.h b/proxytunnel.h
index 74547f8..88a5471 100644
--- a/proxytunnel.h
+++ b/proxytunnel.h
@@ -30,8 +30,10 @@ void analyze_HTTP(PTSTREAM *pts);
 void proxy_protocol(PTSTREAM *pts);
 void closeall();
 void do_daemon();
+#ifdef SETPROCTITLE
 void initsetproctitle(int argc, char *argv[]);
 void setproctitle(const char *fmt, ...);
+#endif
 #if defined(__APPLE__) && defined(__MACH__)
 /* Don't include strlcat and strlcpy since they are provided as macros on OSX */
From 882a22d80d8b0e08468cce9ecf95fb027f938310 Mon Sep 17 00:00:00 2001
From: zsuper
Date: Wed, 14 May 2025 14:41:01 -0700
Subject: [PATCH 86/90] Reverted changes to ntlm.c
---
 ntlm.c | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/ntlm.c b/ntlm.c
index 945fb4c..5159202 100644
--- a/ntlm.c
+++ b/ntlm.c
@@ -28,7 +28,6 @@
 #include "proxytunnel.h"
 #include
 #include
-#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #ifdef CYGWIN
 #include
@@ -39,20 +38,17 @@
 #include
 #include
 #endif
-#endif /* USE_SSL */
 #define TYPE1_DATA_SEG 8
 #define TYPE2_BUF_SIZE 2048
 #define DOMAIN_BUFLEN 256
 #define LM2_DIGEST_LEN 24
-#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 const EVP_MD *md4alg;
 const EVP_MD *md5alg;
 EVP_MD_CTX *mdctx;
 #endif
-#endif /* ifdef USE_SSL */
 int ntlm_challenge = 0;
 void message( char *s, ... );
@@ -77,7 +73,6 @@ uint32_t flags;
 unsigned char lm2digest[LM2_DIGEST_LEN];
 void init_ntlm() {
-#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 OSSL_PROVIDER *provider;
 provider = OSSL_PROVIDER_load(NULL, "default");
@@ -132,7 +127,6 @@ void init_ntlm() {
 md5alg = EVP_md5();
 mdctx = EVP_MD_CTX_new();
 #endif
-#endif /* ifdef USE_SSL */
 }
 void build_type1() {
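Review bot: Guarding the two prototypes with `#ifdef SETPROCTITLE` leaves any call to initsetproctitle()/setproctitle() that is not under the same guard without a declaration, which is an implicit-declaration error on current compilers; the call sites are outside this hunk, so whether they are guarded cannot be confirmed here. No-op fallbacks keep the call sites unconditional and are three lines placed before the new `#endif`: `#else` / `#define initsetproctitle(argc, argv) ((void)0)` / `#define setproctitle(...) ((void)0)`. The Makefile hunk in this commit selects setproctitle.o by `findstring -DSETPROCTITLE` in OPTFLAGS, which agrees with this header guard only while the define is never supplied through CFLAGS or CPPFLAGS instead; a short comment next to that ifneq saying so would keep the two from drifting apart.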
@@ -314,12 +308,10 @@ unsigned char* key; /* pointer to authentication key */
 int key_len; /* length of authentication key */
 unsigned char digest[16]; /* caller digest to be filled in */
 {
-#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #else
 MD5_CTX context;
 #endif
-#endif /* ifdef USE_SSL */
 unsigned char k_ipad[65]; /* inner padding - key XORd with ipad */
 unsigned char k_opad[65]; /* outer padding - key XORd with opad */
 unsigned char tk[16];
@@ -327,7 +319,6 @@ unsigned char digest[16]; /* caller digest to be filled in */
 /* if key is longer than 64 bytes reset it to key=MD5(key) */
 if (key_len > 64) {
-#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 EVP_DigestInit_ex(mdctx, md5alg, NULL);
 EVP_DigestUpdate(mdctx, key, key_len);
@@ -337,7 +328,6 @@ unsigned char digest[16]; /* caller digest to be filled in */
 MD5_Update(&context, key, key_len);
 MD5_Final(tk, &context);
 #endif
-#endif /* ifdef USE_SSL */
 key = tk;
 key_len = 16;
 }
@@ -366,7 +356,6 @@ unsigned char digest[16]; /* caller digest to be filled in */
 }
 /* perform inner MD5 */
-#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 EVP_DigestInit_ex(mdctx, md5alg, NULL); /* init context for 1st pass */
 EVP_DigestUpdate(mdctx, k_ipad, 64); /* start with inner pad */
@@ -391,18 +380,15 @@ unsigned char digest[16]; /* caller digest to be filled in */
 MD5_Update(&context, digest, 16); /* then results of 1st hash */
 MD5_Final(digest, &context); /* finish up 2nd pass */
 #endif
-#endif /* ifdef USE_SSL */
 }
 void build_ntlm2_response() {
 int i, j;
 int passlen = 0;
-#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #else
 MD4_CTX passcontext;
 #endif
-#endif /* ifdef USE_SSL */
 unsigned char passdigest[16];
 unsigned char *userdom;
 int userdomlen;
@@ -427,7 +413,6 @@ void build_ntlm2_response() {
 }
 }
-#ifdef USE_SSL
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 EVP_DigestInit_ex(mdctx, md4alg, NULL);
 EVP_DigestUpdate(mdctx, unipasswd, passlen);
@@ -437,7 +422,6 @@ void build_ntlm2_response() {
 MD4_Update (&passcontext, unipasswd, passlen);
 MD4_Final (passdigest, &passcontext);
 #endif
-#endif /* ifdef USE_SSL */
 if( args_info.verbose_flag ) {
 message("NTLM: MD4 of password is: ");
From 9203bdfef7994c0089ffba5810c4a22fbf559cd3 Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Sat, 22 Nov 2025 15:49:53 +0100
Subject: [PATCH 87/90] cmdline.c: Fix check of proxy and destination being given.
---
 cmdline.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmdline.c b/cmdline.c
index 36aafae..7e5db30 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -596,7 +596,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 }
 }
- if (! args_info->proxy_given && ! args_info->dest_given ) {
+ if (! args_info->proxy_given || ! args_info->dest_given ) {
 clear_args ();
 // cmdline_parser_print_help ();
 message( "No proxy or destination given, exiting\nUse '--help' flag for usage info\n" );
From c43ba13e02465f357e2f2529aa914bb0d8d4e3b3 Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Sat, 22 Nov 2025 15:52:05 +0100
Subject: [PATCH 88/90] Corrections to the manual page
- Drop mentioning of non-existent positional parameter.
- Mark -p (or HTTP_PROXY) and -d as mandatory
---
 docs/proxytunnel.1.adoc | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
index e04b4ac..467643d 100644
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
@@ -6,7 +6,7 @@ proxytunnel - program to tunnel a connection through a standard HTTPS proxy
 == SYNOPSIS
-*proxytunnel* [_OPTION…_] [_host_++:++_port_]
+*proxytunnel* [_OPTION…_]
 == DESCRIPTION
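Review bot: The message two lines below the changed condition still reads `No proxy or destination given`, but with `||` this branch is now also taken when exactly one of the two is missing, so the user is not told which one; `message( "Both a proxy (-p or HTTP_PROXY) and a destination (-d) are required, exiting\nUse '--help' flag for usage info\n" );` would match the new check. The manual-page change later in this series states that HTTP_PROXY may stand in for -p; if the environment fallback runs after this check without setting proxy_given, invocations that rely on it are now rejected here, which is worth confirming against the code outside the hunk. cmdline_parser's body begins and ends outside the hunk.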
@@ -32,15 +32,16 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 [2001:db8::123:4567:89ab:cdef%eth0]:22
 *-p*, *--proxy*=_host_++:++_port_::
- Use _host_ and _port_ as the local proxy to connect to, if not specified
- the *HTTP_PROXY* environment variable, if set, will be used instead.
+ Use _host_ and _port_ as the local (primary) proxy to connect to, if not
+ specified the *HTTP_PROXY* environment variable, if set, will be used
+ instead. This option or the environment variable are mandatory.
 *-r*, *--remproxy*=_host_++:++_port_::
 Use _host_ and _port_ as the remote (secondary) proxy to connect to.
 *-d*, *--dest*=_host_++:++_port_::
- Use _host_ and _port_ as the destination for the tunnel, you can also
- specify them as the argument to the proxytunnel command.
+ Use _host_ and _port_ as the destination for the tunnel. This is a
+ mandatory option.
 *-e*, *--encrypt*::
 SSL encrypt data between local proxy and destination.
From 320ad4be83272cb5620df7d1ebdc000faed9e842 Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Sat, 22 Nov 2025 19:08:08 +0100
Subject: [PATCH 89/90] More corrections to the manual page
- Drop sections "Arguments", it describes the non-existent positional parameter in detail.
---
 docs/proxytunnel.1.adoc | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
index 467643d..0e8e6b5 100644
--- a/docs/proxytunnel.1.adoc
+++ b/docs/proxytunnel.1.adoc
@@ -151,13 +151,6 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 Print version and exit.
-== ARGUMENTS
-_host_++:++_port_ is the destination hostname and port number combination.
-
-NOTE: Specifying the destination as arguments is exactly the same as
-specifying them using the *-d* or *--dest* option.
-
-
 == USAGE
 Depending on your situation you might want to do any of the following things:
From 7f32a099f92cd6b3d980840a840d9750d0d2cf3a Mon Sep 17 00:00:00 2001
From: Sven Geuer <68420948@users.noreply.github.com>
Date: Tue, 9 Dec 2025 16:58:00 +0100
Subject: [PATCH 90/90] Makefile: Fix issue #101 by not emitting '-DSETPROCTITLE' with MSYS2.
---
 Makefile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index 0aa9db2..a925a89 100644
--- a/Makefile
+++ b/Makefile
@@ -14,19 +14,19 @@ OPTFLAGS += -DHAVE_GETOPT_LONG
 # Comment if you don't have/want ssl
 OPTFLAGS += -DUSE_SSL
-# Most systems
-OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2
-
-# System dependant blocks... if your system is listed below, uncomment
-# the relevant lines
-
 # MSYS
 # The current version of gcc from MSYS defines __MSYS__ and __CYGWIN__.
 # To avoid to change the code, simply define CYGWIN additionally.
 ifneq ($(filter $(MSYSTEM),MSYS MINGW32 MINGW64 UCRT64),)
 CFLAGS += -DCYGWIN
+else
+# Most systems, MSYS definitely not
+OPTFLAGS += -DSETPROCTITLE -DSPT_TYPE=2
 endif
+# System dependant blocks... if your system is listed below, uncomment
+# the relevant lines
+
 # OpenBSD
 #OPTFLAGS += -DHAVE_SYS_PSTAT_H