moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity
curl/lib/socks.c

793 lines
25 KiB
C
Raw Normal View History

standard curl source code headers
2006-09-23 15:09:39 -04:00
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
code style: use spaces around equals signs
2017-09-09 17:09:06 -04:00
* Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
standard curl source code headers
2006-09-23 15:09:39 -04:00
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
URLs: change all http:// URLs to https://
2016-02-02 18:19:02 -05:00
* are also available at https://curl.haxx.se/docs/copyright.html.
standard curl source code headers
2006-09-23 15:09:39 -04:00
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
***************************************************************************/
build: fix circular header inclusion with other packages This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
2013-01-06 13:06:49 -05:00
#include "curl_setup.h"
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
SOCKS: truly disable it if CURL_DISABLE_PROXY is defined Bug: http://curl.haxx.se/bug/view.cgi?id=3561305 Patch by: Marcel Raad
2012-09-06 14:51:30 -04:00
#if !defined(CURL_DISABLE_PROXY)
Compiler warning fix
2006-09-24 19:55:53 -04:00
Include some possible dependencies of arpa/inet.h
2007-02-21 13:05:38 -05:00
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
Include network byte order conversion macros on Minix.
2007-02-20 12:31:20 -05:00
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif
Compiler warning fix
2006-09-24 19:55:53 -04:00
Revert changes relative to lib/*.[ch] recent renaming This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2013-01-03 20:50:28 -05:00
#include "urldata.h"
#include "sendf.h"
#include "select.h"
#include "connect.h"
#include "timeval.h"
#include "socks.h"
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/* The last #include file should be: */
Revert changes relative to lib/*.[ch] recent renaming This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2013-01-03 20:50:28 -05:00
#include "memdebug.h"
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/*
* Helper read-from-socket functions. Does the same as Curl_read() but it
* blocks until all bytes amount of buffersize will be read. No more, no less.
*
* This is STUPID BLOCKING behaviour which we frown upon, but right now this
* is what we have...
*/
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
int Curl_blockread_all(struct connectdata *conn, /* connection data */
curl_socket_t sockfd, /* read from this socket */
char *buf, /* store read data here */
ssize_t buffersize, /* max amount to read */
SOCKS: fix the connect timeout The connect timeout logic when using SOCKS was done wrong Bug: http://curl.haxx.se/mail/lib-2011-07/0177.html Reported by: "Spoon Man"
2011-08-08 05:10:17 -04:00
ssize_t *n) /* amount bytes read */
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
{
ssize_t nread;
ssize_t allread = 0;
int result;
lib: fix compiler warnings after de4de4e3c7c Visual C++ now complains about implicitly casting time_t (64-bit) to long (32-bit). Fix this by changing some variables from long to time_t, or explicitly casting to long where the public interface would be affected. Closes #1131
2016-11-18 04:07:08 -05:00
time_t timeleft;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
*n = 0;
Fix compiler warning: conditional expression is constant
2010-02-02 11:25:07 -05:00
for(;;) {
SOCKS: fix the connect timeout The connect timeout logic when using SOCKS was done wrong Bug: http://curl.haxx.se/mail/lib-2011-07/0177.html Reported by: "Spoon Man"
2011-08-08 05:10:17 -04:00
timeleft = Curl_timeleft(conn->data, NULL, TRUE);
if(timeleft < 0) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/* we already got the timeout */
sendrecv: split the I/O handling into private handler Howard Chu brought the bulk work of this patch that properly moves out the sending and recving of data to the parts of the code that are properly responsible for the various ways of doing so. Daniel Stenberg assisted with polishing a few bits and fixed some minor flaws in the original patch. Another upside of this patch is that we now abuse CURLcodes less with the "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
2010-05-07 09:05:34 -04:00
result = CURLE_OPERATION_TIMEDOUT;
Compiler warning fix
2006-10-26 22:18:29 -04:00
break;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
select: switch to macros in uppercase Curl_select_ready() was the former API that was replaced with Curl_select_check() a while back and the former arg setup was provided with a define (in order to leave existing code unmodified). Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most common shortcuts where only one socket is checked. They're also more visibly macros.
2016-10-18 04:58:58 -04:00
if(SOCKET_READABLE(sockfd, timeleft) <= 0) {
Compiler warning fix
2006-10-26 22:18:29 -04:00
result = ~CURLE_OK;
break;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
- Made the SOCKS code use the new Curl_read_plain() function to fix the bug Markus Moeller reported: http://curl.haxx.se/mail/archive-2008-09/0016.html - recv() errors other than those equal to EAGAIN now cause proper CURLE_RECV_ERROR to get returned. This made test case 160 fail so I've now disabled it until we can figure out another way to exercise that logic.
2008-09-22 19:12:00 -04:00
result = Curl_read_plain(sockfd, buf, buffersize, &nread);
sendrecv: split the I/O handling into private handler Howard Chu brought the bulk work of this patch that properly moves out the sending and recving of data to the parts of the code that are properly responsible for the various ways of doing so. Daniel Stenberg assisted with polishing a few bits and fixed some minor flaws in the original patch. Another upside of this patch is that we now abuse CURLcodes less with the "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
2010-05-07 09:05:34 -04:00
if(CURLE_AGAIN == result)
continue;
Improve code readbility ... by removing the else branch after a return, break or continue. Closes #1310
2017-03-10 08:28:37 -05:00
if(result)
Compiler warning fix
2006-10-26 22:18:29 -04:00
break;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
if(buffersize == nread) {
allread += nread;
*n = allread;
Compiler warning fix
2006-10-26 22:18:29 -04:00
result = CURLE_OK;
break;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
if we read zero bytes from the proxy, the connection is broken and we need to bail out
2007-06-05 09:42:23 -04:00
if(!nread) {
result = ~CURLE_OK;
break;
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
buffersize -= nread;
buf += nread;
allread += nread;
Fix compiler warning: conditional expression is constant
2010-02-02 11:25:07 -05:00
}
Compiler warning fix
2006-10-26 22:18:29 -04:00
return result;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
/*
* This function logs in to a SOCKS4 proxy and sends the specifics to the final
* destination server.
*
* Reference :
* http://socks.permeo.com/protocol/socks4.protocol
*
* Note :
Richard Atterer brought a patch that added support for SOCKS4a proxies, which is an inofficial PROXY4 variant that sends the hostname to the proxy instead of the resolved address (which is already supported by SOCKS5). --socks4a is the curl command line option for it and CURLOPT_PROXYTYPE can now be set to CURLPROXY_SOCKS4A as well.
2008-01-02 16:40:11 -05:00
* Set protocol4a=true for "SOCKS 4A (Simple Extension to SOCKS 4 Protocol)"
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
* Nonsupport "Identification Protocol (RFC1413)"
*/
socks: use proxy_user instead of proxy_name ... to make it obvious what the data is used for
2017-03-08 06:21:09 -05:00
CURLcode Curl_SOCKS4(const char *proxy_user,
Fixed some minor type mismatches and missing consts mainly found by splint.
2007-08-27 02:31:28 -04:00
const char *hostname,
- Robson Braga Araujo made passive FTP transfers work with SOCKS (both 4 and 5).
2007-02-19 06:53:54 -05:00
int remote_port,
int sockindex,
proxy: Support HTTPS proxy and SOCKS+HTTP(s) * HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-16 12:49:15 -05:00
struct connectdata *conn)
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
{
proxy: Support HTTPS proxy and SOCKS+HTTP(s) * HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-16 12:49:15 -05:00
const bool protocol4a =
(conn->socks_proxy.proxytype == CURLPROXY_SOCKS4A) ? TRUE : FALSE;
Richard Atterer brought a patch that added support for SOCKS4a proxies, which is an inofficial PROXY4 variant that sends the hostname to the proxy instead of the resolved address (which is already supported by SOCKS5). --socks4a is the curl command line option for it and CURLOPT_PROXYTYPE can now be set to CURLPROXY_SOCKS4A as well.
2008-01-02 16:40:11 -05:00
#define SOCKS4REQLEN 262
unsigned char socksreq[SOCKS4REQLEN]; /* room for SOCKS4 request incl. user
id */
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
int result;
CURLcode code;
- Robson Braga Araujo made passive FTP transfers work with SOCKS (both 4 and 5).
2007-02-19 06:53:54 -05:00
curl_socket_t sock = conn->sock[sockindex];
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 09:47:12 -04:00
struct Curl_easy *data = conn->data;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
SOCKS: fix the connect timeout The connect timeout logic when using SOCKS was done wrong Bug: http://curl.haxx.se/mail/lib-2011-07/0177.html Reported by: "Spoon Man"
2011-08-08 05:10:17 -04:00
if(Curl_timeleft(data, NULL, TRUE) < 0) {
Yang Tse pointed out a few remaining quirks from my timeout refactoring from Feb 7 that didn't abort properly on timeouts. These are actually old problems but now they should be fixed.
2008-02-11 17:03:31 -05:00
/* time-out, bail out, go home */
failf(data, "Connection time-out");
return CURLE_OPERATION_TIMEDOUT;
}
proxy: Support HTTPS proxy and SOCKS+HTTP(s) * HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-16 12:49:15 -05:00
if(conn->bits.httpproxy)
infof(conn->data, "SOCKS4%s: connecting to HTTP proxy %s port %d\n",
protocol4a ? "a" : "", hostname, remote_port);
nonblock: call with (void) to show we ignore the return code Coverity pointed out several of these.
2014-10-04 09:14:27 -04:00
(void)curlx_nonblock(sock, FALSE);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
FTP: make the data connection work when going through proxy This is a regression since the switch to always-multi internally c43127414d89c. Test 1316 was modified since we now clearly call the Curl_client_write() function when doing the LIST transfer part and then the handler->protocol says FTP and ftpc.transfertype is 'A' which implies text converting even though that the response is initially a HTTP CONNECT response in this case.
2013-10-26 14:19:27 -04:00
infof(data, "SOCKS4 communication to %s:%d\n", hostname, remote_port);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/*
* Compose socks4 request
*
* Request format
*
* +----+----+----+----+----+----+----+----+----+----+....+----+
* | VN | CD | DSTPORT | DSTIP | USERID |NULL|
* +----+----+----+----+----+----+----+----+----+----+....+----+
* # of bytes: 1 1 2 4 variable 1
*/
socksreq[0] = 4; /* version (SOCKS4) */
socksreq[1] = 1; /* connect */
socks: fix unaligned memory access
2011-05-26 08:53:13 -04:00
socksreq[2] = (unsigned char)((remote_port >> 8) & 0xff); /* PORT MSB */
socksreq[3] = (unsigned char)(remote_port & 0xff); /* PORT LSB */
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
Richard Atterer brought a patch that added support for SOCKS4a proxies, which is an inofficial PROXY4 variant that sends the hostname to the proxy instead of the resolved address (which is already supported by SOCKS5). --socks4a is the curl command line option for it and CURLOPT_PROXYTYPE can now be set to CURLPROXY_SOCKS4A as well.
2008-01-02 16:40:11 -05:00
/* DNS resolve only for SOCKS4, not SOCKS4a */
source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20 09:17:42 -04:00
if(!protocol4a) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
struct Curl_dns_entry *dns;
code style: use spaces around equals signs
2017-09-09 17:09:06 -04:00
Curl_addrinfo *hp = NULL;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
int rc;
- Robson Braga Araujo made passive FTP transfers work with SOCKS (both 4 and 5).
2007-02-19 06:53:54 -05:00
rc = Curl_resolv(conn, hostname, remote_port, &dns);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
if(rc == CURLRESOLV_ERROR)
return CURLE_COULDNT_RESOLVE_PROXY;
if(rc == CURLRESOLV_PENDING)
SOCKS4: Value stored to 'rc' is never read
2010-04-16 17:03:55 -04:00
/* ignores the return code, but 'dns' remains NULL on failure */
async resolvers: further cleanups asyn-ares.c and asyn-thread.c are two separate backends that implement the same (internal) async resolver API for libcurl to use. Backend is specified at build time. The internal resolver API is defined in asyn.h for asynch resolvers.
2011-01-30 18:10:35 -05:00
(void)Curl_resolver_wait_resolv(conn, &dns);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/*
* We cannot use 'hostent' as a struct that Curl_resolv() returns. It
* returns a Curl_addrinfo pointer that may not always look the same.
*/
if(dns)
code style: use spaces around equals signs
2017-09-09 17:09:06 -04:00
hp = dns->addr;
removed space after if and while before the parenthesis for better source code consistency
2007-11-05 04:45:09 -05:00
if(hp) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
char buf[64];
Curl_printable_address(hp, buf, sizeof(buf));
socks.c: align SOCKS4 connection sequence with SOCKS5 Calling sscanf is not required since the raw IPv4 address is available and the protocol can be detected using ai_family.
2016-08-20 15:12:34 -04:00
if(hp->ai_family == AF_INET) {
struct sockaddr_in *saddr_in;
checksrc: white space edits to comply to stricter checksrc
2016-11-23 02:30:18 -05:00
saddr_in = (struct sockaddr_in *)(void *)hp->ai_addr;
socksreq[4] = ((unsigned char *)&saddr_in->sin_addr.s_addr)[0];
socksreq[5] = ((unsigned char *)&saddr_in->sin_addr.s_addr)[1];
socksreq[6] = ((unsigned char *)&saddr_in->sin_addr.s_addr)[2];
socksreq[7] = ((unsigned char *)&saddr_in->sin_addr.s_addr)[3];
socks.c: align SOCKS4 connection sequence with SOCKS5 Calling sscanf is not required since the raw IPv4 address is available and the protocol can be detected using ai_family.
2016-08-20 15:12:34 -04:00
infof(data, "SOCKS4 connect to IPv4 %s (locally resolved)\n", buf);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
socks.c: align SOCKS4 connection sequence with SOCKS5 Calling sscanf is not required since the raw IPv4 address is available and the protocol can be detected using ai_family.
2016-08-20 15:12:34 -04:00
else {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
hp = NULL; /* fail! */
socks.c: align SOCKS4 connection sequence with SOCKS5 Calling sscanf is not required since the raw IPv4 address is available and the protocol can be detected using ai_family.
2016-08-20 15:12:34 -04:00
failf(data, "SOCKS4 connection to %s not supported\n", buf);
}
FTP: make the data connection work when going through proxy This is a regression since the switch to always-multi internally c43127414d89c. Test 1316 was modified since we now clearly call the Curl_client_write() function when doing the LIST transfer part and then the handler->protocol says FTP and ftpc.transfertype is 'A' which implies text converting even though that the response is initially a HTTP CONNECT response in this case.
2013-10-26 14:19:27 -04:00
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
Curl_resolv_unlock(data, dns); /* not used anymore from now on */
}
if(!hp) {
failf(data, "Failed to resolve \"%s\" for SOCKS4 connect.",
- Robson Braga Araujo made passive FTP transfers work with SOCKS (both 4 and 5).
2007-02-19 06:53:54 -05:00
hostname);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_COULDNT_RESOLVE_HOST;
}
}
/*
* This is currently not supporting "Identification Protocol (RFC1413)".
*/
socksreq[8] = 0; /* ensure empty userid is NUL-terminated */
socks: use proxy_user instead of proxy_name ... to make it obvious what the data is used for
2017-03-08 06:21:09 -05:00
if(proxy_user) {
size_t plen = strlen(proxy_user);
strlcat: remove function This function was only used twice, both in places where performance isn't crucial (socks + if2ip). Removing the use of this function removes the need to have our private version for systems without it == reduced amount of code. Also, in the SOCKS case it is clearly better to fail gracefully rather than to truncate the results. This work was triggered by a bug report on the strcal prototype in strequal.h. strlcat was added in commit db70cd28 in February 2001! Bug: http://curl.haxx.se/bug/view.cgi?id=1192 Reported by: Jeremy Huddleston
2013-02-13 07:18:43 -05:00
if(plen >= sizeof(socksreq) - 8) {
failf(data, "Too long SOCKS proxy name, can't use!\n");
return CURLE_COULDNT_CONNECT;
}
/* copy the proxy name WITH trailing zero */
socks: use proxy_user instead of proxy_name ... to make it obvious what the data is used for
2017-03-08 06:21:09 -05:00
memcpy(socksreq + 8, proxy_user, plen+1);
strlcat: remove function This function was only used twice, both in places where performance isn't crucial (socks + if2ip). Removing the use of this function removes the need to have our private version for systems without it == reduced amount of code. Also, in the SOCKS case it is clearly better to fail gracefully rather than to truncate the results. This work was triggered by a bug report on the strcal prototype in strequal.h. strlcat was added in commit db70cd28 in February 2001! Bug: http://curl.haxx.se/bug/view.cgi?id=1192 Reported by: Jeremy Huddleston
2013-02-13 07:18:43 -05:00
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/*
* Make connection
*/
{
ssize_t actualread;
ssize_t written;
Richard Atterer brought a patch that added support for SOCKS4a proxies, which is an inofficial PROXY4 variant that sends the hostname to the proxy instead of the resolved address (which is already supported by SOCKS5). --socks4a is the curl command line option for it and CURLOPT_PROXYTYPE can now be set to CURLPROXY_SOCKS4A as well.
2008-01-02 16:40:11 -05:00
ssize_t hostnamelen = 0;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
int packetsize = 9 +
checksrc: white space edits to comply to stricter checksrc
2016-11-23 02:30:18 -05:00
(int)strlen((char *)socksreq + 8); /* size including NUL */
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
Richard Atterer brought a patch that added support for SOCKS4a proxies, which is an inofficial PROXY4 variant that sends the hostname to the proxy instead of the resolved address (which is already supported by SOCKS5). --socks4a is the curl command line option for it and CURLOPT_PROXYTYPE can now be set to CURLPROXY_SOCKS4A as well.
2008-01-02 16:40:11 -05:00
/* If SOCKS4a, set special invalid IP address 0.0.0.x */
source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20 09:17:42 -04:00
if(protocol4a) {
Richard Atterer brought a patch that added support for SOCKS4a proxies, which is an inofficial PROXY4 variant that sends the hostname to the proxy instead of the resolved address (which is already supported by SOCKS5). --socks4a is the curl command line option for it and CURLOPT_PROXYTYPE can now be set to CURLPROXY_SOCKS4A as well.
2008-01-02 16:40:11 -05:00
socksreq[4] = 0;
socksreq[5] = 0;
socksreq[6] = 0;
socksreq[7] = 1;
/* If still enough room in buffer, also append hostname */
fix compiler warning
2008-01-09 14:11:56 -05:00
hostnamelen = (ssize_t)strlen(hostname) + 1; /* length including NUL */
source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20 09:17:42 -04:00
if(packetsize + hostnamelen <= SOCKS4REQLEN)
checksrc: white space edits to comply to stricter checksrc
2016-11-23 02:30:18 -05:00
strcpy((char *)socksreq + packetsize, hostname);
Richard Atterer brought a patch that added support for SOCKS4a proxies, which is an inofficial PROXY4 variant that sends the hostname to the proxy instead of the resolved address (which is already supported by SOCKS5). --socks4a is the curl command line option for it and CURLOPT_PROXYTYPE can now be set to CURLPROXY_SOCKS4A as well.
2008-01-02 16:40:11 -05:00
else
hostnamelen = 0; /* Flag: hostname did not fit in buffer */
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/* Send request */
- Hans-Jurgen May pointed out that trying SCP or SFTP over a SOCKS proxy crashed libcurl. This is now addressed by making sure we use "plain send" internally when doing the socks handshake instead of the Curl_write() function which is designed to use the "target" protocol. That's then SCP or SFTP in this case. I also took the opportunity and cleaned up some ssh- related #ifdefs in the code for readability.
2008-06-20 06:43:32 -04:00
code = Curl_write_plain(conn, sock, (char *)socksreq,
packetsize + hostnamelen,
&written);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(code || (written != packetsize + hostnamelen)) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data, "Failed to send SOCKS4 connect request.");
return CURLE_COULDNT_CONNECT;
}
source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20 09:17:42 -04:00
if(protocol4a && hostnamelen == 0) {
Richard Atterer brought a patch that added support for SOCKS4a proxies, which is an inofficial PROXY4 variant that sends the hostname to the proxy instead of the resolved address (which is already supported by SOCKS5). --socks4a is the curl command line option for it and CURLOPT_PROXYTYPE can now be set to CURLPROXY_SOCKS4A as well.
2008-01-02 16:40:11 -05:00
/* SOCKS4a with very long hostname - send that name separately */
fix compiler warning
2008-01-09 14:11:56 -05:00
hostnamelen = (ssize_t)strlen(hostname) + 1;
- Hans-Jurgen May pointed out that trying SCP or SFTP over a SOCKS proxy crashed libcurl. This is now addressed by making sure we use "plain send" internally when doing the socks handshake instead of the Curl_write() function which is designed to use the "target" protocol. That's then SCP or SFTP in this case. I also took the opportunity and cleaned up some ssh- related #ifdefs in the code for readability.
2008-06-20 06:43:32 -04:00
code = Curl_write_plain(conn, sock, (char *)hostname, hostnamelen,
&written);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(code || (written != hostnamelen)) {
Richard Atterer brought a patch that added support for SOCKS4a proxies, which is an inofficial PROXY4 variant that sends the hostname to the proxy instead of the resolved address (which is already supported by SOCKS5). --socks4a is the curl command line option for it and CURLOPT_PROXYTYPE can now be set to CURLPROXY_SOCKS4A as well.
2008-01-02 16:40:11 -05:00
failf(data, "Failed to send SOCKS4 connect request.");
return CURLE_COULDNT_CONNECT;
}
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
packetsize = 8; /* receive data size */
/* Receive response */
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
result = Curl_blockread_all(conn, sock, (char *)socksreq, packetsize,
SOCKS: fix the connect timeout The connect timeout logic when using SOCKS was done wrong Bug: http://curl.haxx.se/mail/lib-2011-07/0177.html Reported by: "Spoon Man"
2011-08-08 05:10:17 -04:00
&actualread);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(result || (actualread != packetsize)) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data, "Failed to receive SOCKS4 connect request ack.");
return CURLE_COULDNT_CONNECT;
}
/*
* Response format
*
* +----+----+----+----+----+----+----+----+
* | VN | CD | DSTPORT | DSTIP |
* +----+----+----+----+----+----+----+----+
* # of bytes: 1 1 2 4
*
* VN is the version of the reply code and should be 0. CD is the result
* code with one of the following values:
*
* 90: request granted
* 91: request rejected or failed
* 92: request rejected because SOCKS server cannot connect to
* identd on the client
* 93: request rejected because the client program and identd
* report different user-ids
*/
/* wrong version ? */
removed space after if and while before the parenthesis for better source code consistency
2007-11-05 04:45:09 -05:00
if(socksreq[0] != 0) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data,
"SOCKS4 reply has wrong version, version should be 4.");
return CURLE_COULDNT_CONNECT;
}
/* Result */
source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20 09:17:42 -04:00
switch(socksreq[1]) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
case 90:
Curl_SOCKS4: minor code compression
2011-08-18 17:28:50 -04:00
infof(data, "SOCKS4%s request granted.\n", protocol4a?"a":"");
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
break;
case 91:
failf(data,
"Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d)"
", request rejected or failed.",
(unsigned char)socksreq[4], (unsigned char)socksreq[5],
(unsigned char)socksreq[6], (unsigned char)socksreq[7],
socks: Fix incorrect port numbers in failed connect messages
2015-10-27 02:39:00 -04:00
(((unsigned char)socksreq[8] << 8) | (unsigned char)socksreq[9]),
(unsigned char)socksreq[1]);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_COULDNT_CONNECT;
case 92:
failf(data,
"Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d)"
", request rejected because SOCKS server cannot connect to "
"identd on the client.",
(unsigned char)socksreq[4], (unsigned char)socksreq[5],
(unsigned char)socksreq[6], (unsigned char)socksreq[7],
socks: Fix incorrect port numbers in failed connect messages
2015-10-27 02:39:00 -04:00
(((unsigned char)socksreq[8] << 8) | (unsigned char)socksreq[9]),
(unsigned char)socksreq[1]);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_COULDNT_CONNECT;
case 93:
failf(data,
"Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d)"
", request rejected because the client program and identd "
"report different user-ids.",
(unsigned char)socksreq[4], (unsigned char)socksreq[5],
(unsigned char)socksreq[6], (unsigned char)socksreq[7],
socks: Fix incorrect port numbers in failed connect messages
2015-10-27 02:39:00 -04:00
(((unsigned char)socksreq[8] << 8) | (unsigned char)socksreq[9]),
(unsigned char)socksreq[1]);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_COULDNT_CONNECT;
default:
failf(data,
"Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d)"
", Unknown.",
(unsigned char)socksreq[4], (unsigned char)socksreq[5],
(unsigned char)socksreq[6], (unsigned char)socksreq[7],
socks: Fix incorrect port numbers in failed connect messages
2015-10-27 02:39:00 -04:00
(((unsigned char)socksreq[8] << 8) | (unsigned char)socksreq[9]),
(unsigned char)socksreq[1]);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_COULDNT_CONNECT;
}
}
nonblock: call with (void) to show we ignore the return code Coverity pointed out several of these.
2014-10-04 09:14:27 -04:00
(void)curlx_nonblock(sock, TRUE);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_OK; /* Proxy was successful! */
}
/*
* This function logs in to a SOCKS5 proxy and sends the specifics to the final
* destination server.
*/
socks: use proxy_user instead of proxy_name ... to make it obvious what the data is used for
2017-03-08 06:21:09 -05:00
CURLcode Curl_SOCKS5(const char *proxy_user,
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
const char *proxy_password,
Fixed some minor type mismatches and missing consts mainly found by splint.
2007-08-27 02:31:28 -04:00
const char *hostname,
- Robson Braga Araujo made passive FTP transfers work with SOCKS (both 4 and 5).
2007-02-19 06:53:54 -05:00
int remote_port,
int sockindex,
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
struct connectdata *conn)
{
/*
According to the RFC1928, section "6. Replies". This is what a SOCK5
replies:
+----+-----+-------+------+----------+----------+
|VER | REP | RSV | ATYP | BND.ADDR | BND.PORT |
+----+-----+-------+------+----------+----------+
| 1 | 1 | X'00' | 1 | Variable | 2 |
+----+-----+-------+------+----------+----------+
Where:
o VER protocol version: X'05'
o REP Reply field:
o X'00' succeeded
*/
unsigned char socksreq[600]; /* room for large user/pw (255 max each) */
socks: deduplicate the code for auth request
2017-03-08 06:16:01 -05:00
int idx;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
ssize_t actualread;
ssize_t written;
int result;
CURLcode code;
- Robson Braga Araujo made passive FTP transfers work with SOCKS (both 4 and 5).
2007-02-19 06:53:54 -05:00
curl_socket_t sock = conn->sock[sockindex];
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 09:47:12 -04:00
struct Curl_easy *data = conn->data;
lib: fix compiler warnings after de4de4e3c7c Visual C++ now complains about implicitly casting time_t (64-bit) to long (32-bit). Fix this by changing some variables from long to time_t, or explicitly casting to long where the public interface would be affected. Closes #1131
2016-11-18 04:07:08 -05:00
time_t timeout;
proxy: Support HTTPS proxy and SOCKS+HTTP(s) * HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-16 12:49:15 -05:00
bool socks5_resolve_local =
(conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
const size_t hostname_len = strlen(hostname);
lib/socks.c: Merged two size variables into one
2012-10-04 15:27:46 -04:00
ssize_t len = 0;
CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth If libcurl was built with GSS-API support, it unconditionally advertised GSS-API authentication while connecting to a SOCKS5 proxy. This caused problems in environments with improperly configured Kerberos: a stock libcurl failed to connect, despite libcurl built without GSS-API connected fine using username and password. This commit introduces the CURLOPT_SOCKS5_AUTH option to control the allowed methods for SOCKS5 authentication at run time. Note that a new option was preferred over reusing CURLOPT_PROXYAUTH for compatibility reasons because the set of authentication methods allowed by default was different for HTTP and SOCKS5 proxies. Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html Closes https://github.com/curl/curl/pull/1454
2017-04-27 09:18:49 -04:00
const unsigned long auth = data->set.socks5auth;
bool allow_gssapi = FALSE;
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
proxy: Support HTTPS proxy and SOCKS+HTTP(s) * HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-16 12:49:15 -05:00
if(conn->bits.httpproxy)
infof(conn->data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
hostname, remote_port);
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20 09:17:42 -04:00
if(!socks5_resolve_local && hostname_len > 255) {
checksrc: use space after comma
2015-03-17 08:41:49 -04:00
infof(conn->data, "SOCKS5: server resolving disabled for hostnames of "
fix printf-style format strings
2010-02-04 14:44:31 -05:00
"length > 255 [actual len=%zu]\n", hostname_len);
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
socks5_resolve_local = TRUE;
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/* get timeout */
Curl_timeleft: s/conn/data in first argument As the function doesn't really use the connectdata struct but only the SessionHanadle struct I modified what argument it wants.
2011-01-04 17:07:58 -05:00
timeout = Curl_timeleft(data, NULL, TRUE);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
Yang Tse pointed out a few remaining quirks from my timeout refactoring from Feb 7 that didn't abort properly on timeouts. These are actually old problems but now they should be fixed.
2008-02-11 17:03:31 -05:00
if(timeout < 0) {
/* time-out, bail out, go home */
failf(data, "Connection time-out");
return CURLE_OPERATION_TIMEDOUT;
}
nonblock: call with (void) to show we ignore the return code Coverity pointed out several of these.
2014-10-04 09:14:27 -04:00
(void)curlx_nonblock(sock, TRUE);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/* wait until socket gets connected */
select: switch to macros in uppercase Curl_select_ready() was the former API that was replaced with Curl_select_check() a while back and the former arg setup was provided with a define (in order to leave existing code unmodified). Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most common shortcuts where only one socket is checked. They're also more visibly macros.
2016-10-18 04:58:58 -04:00
result = SOCKET_WRITABLE(sock, timeout);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
if(-1 == result) {
failf(conn->data, "SOCKS5: no connection here");
return CURLE_COULDNT_CONNECT;
}
Improve code readbility ... by removing the else branch after a return, break or continue. Closes #1310
2017-03-10 08:28:37 -05:00
if(0 == result) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(conn->data, "SOCKS5: connection timeout");
return CURLE_OPERATION_TIMEDOUT;
}
- Robert Iakobashvil added curl_multi_socket_action() to libcurl, which is a function that deprecates the curl_multi_socket() function. Using the new function the application tell libcurl what action that was found in the socket that it passes in. This gives a significant performance boost as it allows libcurl to avoid a call to poll()/select() for every call to curl_multi_socket*().
2007-04-16 12:34:08 -04:00
if(result & CURL_CSELECT_ERR) {
Fix a couple of spelling errors in lib/ Found with codespell.
2011-04-19 09:54:13 -04:00
failf(conn->data, "SOCKS5: error occurred during connection");
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_COULDNT_CONNECT;
}
CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth If libcurl was built with GSS-API support, it unconditionally advertised GSS-API authentication while connecting to a SOCKS5 proxy. This caused problems in environments with improperly configured Kerberos: a stock libcurl failed to connect, despite libcurl built without GSS-API connected fine using username and password. This commit introduces the CURLOPT_SOCKS5_AUTH option to control the allowed methods for SOCKS5 authentication at run time. Note that a new option was preferred over reusing CURLOPT_PROXYAUTH for compatibility reasons because the set of authentication methods allowed by default was different for HTTP and SOCKS5 proxies. Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html Closes https://github.com/curl/curl/pull/1454
2017-04-27 09:18:49 -04:00
if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
infof(conn->data,
"warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n",
auth);
if(!(auth & CURLAUTH_BASIC))
/* disable username/password auth */
proxy_user = NULL;
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
if(auth & CURLAUTH_GSSAPI)
allow_gssapi = TRUE;
#endif
socks: deduplicate the code for auth request
2017-03-08 06:16:01 -05:00
idx = 0;
socksreq[idx++] = 5; /* version */
idx++; /* reserve for the number of authentication methods */
socksreq[idx++] = 0; /* no authentication */
CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth If libcurl was built with GSS-API support, it unconditionally advertised GSS-API authentication while connecting to a SOCKS5 proxy. This caused problems in environments with improperly configured Kerberos: a stock libcurl failed to connect, despite libcurl built without GSS-API connected fine using username and password. This commit introduces the CURLOPT_SOCKS5_AUTH option to control the allowed methods for SOCKS5 authentication at run time. Note that a new option was preferred over reusing CURLOPT_PROXYAUTH for compatibility reasons because the set of authentication methods allowed by default was different for HTTP and SOCKS5 proxies. Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html Closes https://github.com/curl/curl/pull/1454
2017-04-27 09:18:49 -04:00
if(allow_gssapi)
socksreq[idx++] = 1; /* GSS-API */
socks: deduplicate the code for auth request
2017-03-08 06:16:01 -05:00
if(proxy_user)
socksreq[idx++] = 2; /* username/password */
/* write the number of authentication methods */
socksreq[1] = (unsigned char) (idx - 2);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
nonblock: call with (void) to show we ignore the return code Coverity pointed out several of these.
2014-10-04 09:14:27 -04:00
(void)curlx_nonblock(sock, FALSE);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
socks.c: use Curl_printable_address in SOCKS5 connection sequence Replace custom string formatting with Curl_printable_address. Add additional debug and error output in case of failures.
2016-08-20 15:14:46 -04:00
infof(data, "SOCKS5 communication to %s:%d\n", hostname, remote_port);
- Hans-Jurgen May pointed out that trying SCP or SFTP over a SOCKS proxy crashed libcurl. This is now addressed by making sure we use "plain send" internally when doing the socks handshake instead of the Curl_write() function which is designed to use the "target" protocol. That's then SCP or SFTP in this case. I also took the opportunity and cleaned up some ssh- related #ifdefs in the code for readability.
2008-06-20 06:43:32 -04:00
code = Curl_write_plain(conn, sock, (char *)socksreq, (2 + (int)socksreq[1]),
&written);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(code || (written != (2 + (int)socksreq[1]))) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data, "Unable to send initial SOCKS5 request.");
return CURLE_COULDNT_CONNECT;
}
nonblock: call with (void) to show we ignore the return code Coverity pointed out several of these.
2014-10-04 09:14:27 -04:00
(void)curlx_nonblock(sock, TRUE);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
select: switch to macros in uppercase Curl_select_ready() was the former API that was replaced with Curl_select_check() a while back and the former arg setup was provided with a define (in order to leave existing code unmodified). Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most common shortcuts where only one socket is checked. They're also more visibly macros.
2016-10-18 04:58:58 -04:00
result = SOCKET_READABLE(sock, timeout);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
if(-1 == result) {
failf(conn->data, "SOCKS5 nothing to read");
return CURLE_COULDNT_CONNECT;
}
Improve code readbility ... by removing the else branch after a return, break or continue. Closes #1310
2017-03-10 08:28:37 -05:00
if(0 == result) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(conn->data, "SOCKS5 read timeout");
return CURLE_OPERATION_TIMEDOUT;
}
- Robert Iakobashvil added curl_multi_socket_action() to libcurl, which is a function that deprecates the curl_multi_socket() function. Using the new function the application tell libcurl what action that was found in the socket that it passes in. This gives a significant performance boost as it allows libcurl to avoid a call to poll()/select() for every call to curl_multi_socket*().
2007-04-16 12:34:08 -04:00
if(result & CURL_CSELECT_ERR) {
Fix a couple of spelling errors in lib/ Found with codespell.
2011-04-19 09:54:13 -04:00
failf(conn->data, "SOCKS5 read error occurred");
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_RECV_ERROR;
}
nonblock: call with (void) to show we ignore the return code Coverity pointed out several of these.
2014-10-04 09:14:27 -04:00
(void)curlx_nonblock(sock, FALSE);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
code style: use spaces around equals signs
2017-09-09 17:09:06 -04:00
result = Curl_blockread_all(conn, sock, (char *)socksreq, 2, &actualread);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(result || (actualread != 2)) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data, "Unable to receive initial SOCKS5 response.");
return CURLE_COULDNT_CONNECT;
}
removed space after if and while before the parenthesis for better source code consistency
2007-11-05 04:45:09 -05:00
if(socksreq[0] != 5) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data, "Received invalid version in initial SOCKS5 response.");
return CURLE_COULDNT_CONNECT;
}
removed space after if and while before the parenthesis for better source code consistency
2007-11-05 04:45:09 -05:00
if(socksreq[1] == 0) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/* Nothing to do, no authentication needed */
;
}
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth If libcurl was built with GSS-API support, it unconditionally advertised GSS-API authentication while connecting to a SOCKS5 proxy. This caused problems in environments with improperly configured Kerberos: a stock libcurl failed to connect, despite libcurl built without GSS-API connected fine using username and password. This commit introduces the CURLOPT_SOCKS5_AUTH option to control the allowed methods for SOCKS5 authentication at run time. Note that a new option was preferred over reusing CURLOPT_PROXYAUTH for compatibility reasons because the set of authentication methods allowed by default was different for HTTP and SOCKS5 proxies. Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html Closes https://github.com/curl/curl/pull/1454
2017-04-27 09:18:49 -04:00
else if(allow_gssapi && (socksreq[1] == 1)) {
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
code = Curl_SOCKS5_gssapi_negotiate(sockindex, conn);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(code) {
docs: Improve inline GSS-API naming in code documentation
2014-07-21 03:53:47 -04:00
failf(data, "Unable to negotiate SOCKS5 GSS-API context.");
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
return CURLE_COULDNT_CONNECT;
}
}
#endif
removed space after if and while before the parenthesis for better source code consistency
2007-11-05 04:45:09 -05:00
else if(socksreq[1] == 2) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/* Needs user name and password */
socks: use proxy_user instead of proxy_name ... to make it obvious what the data is used for
2017-03-08 06:21:09 -05:00
size_t proxy_user_len, proxy_password_len;
if(proxy_user && proxy_password) {
proxy_user_len = strlen(proxy_user);
lib/socks.c: Avoid type conversions where possible Streamlined variable names and types to avoid type conversions that may result in data being lost on non 32-bit systems.
2012-10-04 14:17:49 -04:00
proxy_password_len = strlen(proxy_password);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
else {
socks: use proxy_user instead of proxy_name ... to make it obvious what the data is used for
2017-03-08 06:21:09 -05:00
proxy_user_len = 0;
lib/socks.c: Avoid type conversions where possible Streamlined variable names and types to avoid type conversions that may result in data being lost on non 32-bit systems.
2012-10-04 14:17:49 -04:00
proxy_password_len = 0;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
/* username/password request looks like
* +----+------+----------+------+----------+
* |VER | ULEN | UNAME | PLEN | PASSWD |
* +----+------+----------+------+----------+
* | 1 | 1 | 1 to 255 | 1 | 1 to 255 |
* +----+------+----------+------+----------+
*/
len = 0;
socksreq[len++] = 1; /* username/pw subnegotiation version */
socks: use proxy_user instead of proxy_name ... to make it obvious what the data is used for
2017-03-08 06:21:09 -05:00
socksreq[len++] = (unsigned char) proxy_user_len;
if(proxy_user && proxy_user_len)
memcpy(socksreq + len, proxy_user, proxy_user_len);
len += proxy_user_len;
lib/socks.c: Avoid type conversions where possible Streamlined variable names and types to avoid type conversions that may result in data being lost on non 32-bit systems.
2012-10-04 14:17:49 -04:00
socksreq[len++] = (unsigned char) proxy_password_len;
if(proxy_password && proxy_password_len)
memcpy(socksreq + len, proxy_password, proxy_password_len);
len += proxy_password_len;
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
- Hans-Jurgen May pointed out that trying SCP or SFTP over a SOCKS proxy crashed libcurl. This is now addressed by making sure we use "plain send" internally when doing the socks handshake instead of the Curl_write() function which is designed to use the "target" protocol. That's then SCP or SFTP in this case. I also took the opportunity and cleaned up some ssh- related #ifdefs in the code for readability.
2008-06-20 06:43:32 -04:00
code = Curl_write_plain(conn, sock, (char *)socksreq, len, &written);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(code || (len != written)) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data, "Failed to send SOCKS5 sub-negotiation request.");
return CURLE_COULDNT_CONNECT;
}
code style: use spaces around equals signs
2017-09-09 17:09:06 -04:00
result = Curl_blockread_all(conn, sock, (char *)socksreq, 2, &actualread);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(result || (actualread != 2)) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data, "Unable to receive SOCKS5 sub-negotiation response.");
return CURLE_COULDNT_CONNECT;
}
/* ignore the first (VER) byte */
removed space after if and while before the parenthesis for better source code consistency
2007-11-05 04:45:09 -05:00
if(socksreq[1] != 0) { /* status */
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data, "User was rejected by the SOCKS5 server (%d %d).",
socksreq[0], socksreq[1]);
return CURLE_COULDNT_CONNECT;
}
/* Everything is good so far, user was authenticated! */
}
else {
/* error */
CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth If libcurl was built with GSS-API support, it unconditionally advertised GSS-API authentication while connecting to a SOCKS5 proxy. This caused problems in environments with improperly configured Kerberos: a stock libcurl failed to connect, despite libcurl built without GSS-API connected fine using username and password. This commit introduces the CURLOPT_SOCKS5_AUTH option to control the allowed methods for SOCKS5 authentication at run time. Note that a new option was preferred over reusing CURLOPT_PROXYAUTH for compatibility reasons because the set of authentication methods allowed by default was different for HTTP and SOCKS5 proxies. Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html Closes https://github.com/curl/curl/pull/1454
2017-04-27 09:18:49 -04:00
if(!allow_gssapi && (socksreq[1] == 1)) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data,
"SOCKS5 GSSAPI per-message authentication is not supported.");
return CURLE_COULDNT_CONNECT;
}
Improve code readbility ... by removing the else branch after a return, break or continue. Closes #1310
2017-03-10 08:28:37 -05:00
if(socksreq[1] == 255) {
socks: use proxy_user instead of proxy_name ... to make it obvious what the data is used for
2017-03-08 06:21:09 -05:00
if(!proxy_user || !*proxy_user) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
failf(data,
"No authentication method was acceptable. (It is quite likely"
" that the SOCKS5 server wanted a username/password, since none"
" was supplied to the server on this connection.)");
}
else {
failf(data, "No authentication method was acceptable.");
}
return CURLE_COULDNT_CONNECT;
}
else {
failf(data,
"Undocumented SOCKS5 mode attempted to be used by server.");
return CURLE_COULDNT_CONNECT;
}
}
/* Authentication is complete, now specify destination to the proxy */
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
len = 0;
socksreq[len++] = 5; /* version (SOCKS5) */
socksreq[len++] = 1; /* connect */
socksreq[len++] = 0; /* must be zero */
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
if(!socks5_resolve_local) {
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
socksreq[len++] = 3; /* ATYP: domain name = 3 */
socksreq[len++] = (char) hostname_len; /* address length */
checksrc: Fixed line length and comment indentation
2012-09-13 18:44:16 -04:00
memcpy(&socksreq[len], hostname, hostname_len); /* address str w/o NULL */
lib/socks.c: Avoid type conversions where possible Streamlined variable names and types to avoid type conversions that may result in data being lost on non 32-bit systems.
2012-10-04 14:17:49 -04:00
len += hostname_len;
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
}
else {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
struct Curl_dns_entry *dns;
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
Curl_addrinfo *hp = NULL;
- Robson Braga Araujo made passive FTP transfers work with SOCKS (both 4 and 5).
2007-02-19 06:53:54 -05:00
int rc = Curl_resolv(conn, hostname, remote_port, &dns);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
if(rc == CURLRESOLV_ERROR)
return CURLE_COULDNT_RESOLVE_HOST;
SOCKS5: when name resolves fail return immediately This makes the code flow more obvious and reacts on the return code properly, even if the code acted the same way before.
2010-04-16 16:58:04 -04:00
if(rc == CURLRESOLV_PENDING) {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/* this requires that we're in "wait for resolve" state */
async resolvers: further cleanups asyn-ares.c and asyn-thread.c are two separate backends that implement the same (internal) async resolver API for libcurl to use. Backend is specified at build time. The internal resolver API is defined in asyn.h for asynch resolvers.
2011-01-30 18:10:35 -05:00
code = Curl_resolver_wait_resolv(conn, &dns);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(code)
fix compiler warning: enumerated type mixed with another type
2010-05-31 10:36:05 -04:00
return code;
SOCKS5: when name resolves fail return immediately This makes the code flow more obvious and reacts on the return code properly, even if the code acted the same way before.
2010-04-16 16:58:04 -04:00
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
/*
* We cannot use 'hostent' as a struct that Curl_resolv() returns. It
* returns a Curl_addrinfo pointer that may not always look the same.
*/
if(dns)
code style: use spaces around equals signs
2017-09-09 17:09:06 -04:00
hp = dns->addr;
removed space after if and while before the parenthesis for better source code consistency
2007-11-05 04:45:09 -05:00
if(hp) {
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
int i;
socks.c: use Curl_printable_address in SOCKS5 connection sequence Replace custom string formatting with Curl_printable_address. Add additional debug and error output in case of failures.
2016-08-20 15:14:46 -04:00
char buf[64];
Curl_printable_address(hp, buf, sizeof(buf));
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
if(hp->ai_family == AF_INET) {
socks.c: use Curl_printable_address in SOCKS5 connection sequence Replace custom string formatting with Curl_printable_address. Add additional debug and error output in case of failures.
2016-08-20 15:14:46 -04:00
struct sockaddr_in *saddr_in;
checksrc: Fixed line length and comment indentation
2012-09-13 18:44:16 -04:00
socksreq[len++] = 1; /* ATYP: IPv4 = 1 */
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
checksrc: white space edits to comply to stricter checksrc
2016-11-23 02:30:18 -05:00
saddr_in = (struct sockaddr_in *)(void *)hp->ai_addr;
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
for(i = 0; i < 4; i++) {
checksrc: white space edits to comply to stricter checksrc
2016-11-23 02:30:18 -05:00
socksreq[len++] = ((unsigned char *)&saddr_in->sin_addr.s_addr)[i];
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
}
socks.c: use Curl_printable_address in SOCKS5 connection sequence Replace custom string formatting with Curl_printable_address. Add additional debug and error output in case of failures.
2016-08-20 15:14:46 -04:00
infof(data, "SOCKS5 connect to IPv4 %s (locally resolved)\n", buf);
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
}
socks.c: Check that IPv6 is enabled before using it's features
2012-09-14 02:12:07 -04:00
#ifdef ENABLE_IPV6
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
else if(hp->ai_family == AF_INET6) {
socks.c: use Curl_printable_address in SOCKS5 connection sequence Replace custom string formatting with Curl_printable_address. Add additional debug and error output in case of failures.
2016-08-20 15:14:46 -04:00
struct sockaddr_in6 *saddr_in6;
checksrc: Fixed line length and comment indentation
2012-09-13 18:44:16 -04:00
socksreq[len++] = 4; /* ATYP: IPv6 = 4 */
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
checksrc: white space edits to comply to stricter checksrc
2016-11-23 02:30:18 -05:00
saddr_in6 = (struct sockaddr_in6 *)(void *)hp->ai_addr;
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
for(i = 0; i < 16; i++) {
checksrc: white space edits to comply to stricter checksrc
2016-11-23 02:30:18 -05:00
socksreq[len++] =
((unsigned char *)&saddr_in6->sin6_addr.s6_addr)[i];
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
}
socks.c: use Curl_printable_address in SOCKS5 connection sequence Replace custom string formatting with Curl_printable_address. Add additional debug and error output in case of failures.
2016-08-20 15:14:46 -04:00
infof(data, "SOCKS5 connect to IPv6 %s (locally resolved)\n", buf);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
socks.c: Check that IPv6 is enabled before using it's features
2012-09-14 02:12:07 -04:00
#endif
socks.c: use Curl_printable_address in SOCKS5 connection sequence Replace custom string formatting with Curl_printable_address. Add additional debug and error output in case of failures.
2016-08-20 15:14:46 -04:00
else {
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
hp = NULL; /* fail! */
socks.c: use Curl_printable_address in SOCKS5 connection sequence Replace custom string formatting with Curl_printable_address. Add additional debug and error output in case of failures.
2016-08-20 15:14:46 -04:00
failf(data, "SOCKS5 connection to %s not supported\n", buf);
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
Curl_resolv_unlock(data, dns); /* not used anymore from now on */
}
if(!hp) {
failf(data, "Failed to resolve \"%s\" for SOCKS5 connect.",
- Robson Braga Araujo made passive FTP transfers work with SOCKS (both 4 and 5).
2007-02-19 06:53:54 -05:00
hostname);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_COULDNT_RESOLVE_HOST;
}
}
socks.c: Added support for IPv6 connections through SOCKSv5 proxy
2012-09-10 06:44:37 -04:00
socksreq[len++] = (unsigned char)((remote_port >> 8) & 0xff); /* PORT MSB */
socksreq[len++] = (unsigned char)(remote_port & 0xff); /* PORT LSB */
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
if(conn->socks5_gssapi_enctype) {
docs: Improve inline GSS-API naming in code documentation
2014-07-21 03:53:47 -04:00
failf(data, "SOCKS5 GSS-API protection not yet implemented.");
source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20 09:17:42 -04:00
}
else
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
#endif
lib/socks.c: Merged two size variables into one
2012-10-04 15:27:46 -04:00
code = Curl_write_plain(conn, sock, (char *)socksreq, len, &written);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(code || (len != written)) {
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
failf(data, "Failed to send SOCKS5 connect request.");
return CURLE_COULDNT_CONNECT;
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
lib/socks.c: Merged two size variables into one
2012-10-04 15:27:46 -04:00
len = 10; /* minimum packet size is 10 */
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
if(conn->socks5_gssapi_enctype) {
docs: Improve inline GSS-API naming in code documentation
2014-07-21 03:53:47 -04:00
failf(data, "SOCKS5 GSS-API protection not yet implemented.");
source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20 09:17:42 -04:00
}
else
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
#endif
lib/socks.c: Merged two size variables into one
2012-10-04 15:27:46 -04:00
result = Curl_blockread_all(conn, sock, (char *)socksreq,
len, &actualread);
code cleanup: we prefer 'CURLcode result' ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-23 16:56:35 -04:00
if(result || (len != actualread)) {
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
failf(data, "Failed to receive SOCKS5 connect request ack.");
return CURLE_COULDNT_CONNECT;
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
if(socksreq[0] != 5) { /* version */
failf(data,
"SOCKS5 reply has wrong version, version should be 5.");
return CURLE_COULDNT_CONNECT;
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
/* Fix: in general, returned BND.ADDR is variable length parameter by RFC
1928, so the reply packet should be read until the end to avoid errors at
subsequent protocol level.
+----+-----+-------+------+----------+----------+
|VER | REP | RSV | ATYP | BND.ADDR | BND.PORT |
+----+-----+-------+------+----------+----------+
| 1 | 1 | X'00' | 1 | Variable | 2 |
+----+-----+-------+------+----------+----------+
ATYP:
o IP v4 address: X'01', BND.ADDR = 4 byte
o domain name: X'03', BND.ADDR = [ 1 byte length, string ]
o IP v6 address: X'04', BND.ADDR = 16 byte
*/
/* Calculate real packet size */
if(socksreq[3] == 3) {
/* domain name */
int addrlen = (int) socksreq[4];
lib/socks.c: Merged two size variables into one
2012-10-04 15:27:46 -04:00
len = 5 + addrlen + 2;
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
}
else if(socksreq[3] == 4) {
/* IPv6 */
lib/socks.c: Merged two size variables into one
2012-10-04 15:27:46 -04:00
len = 4 + 16 + 2;
Based on Maxim Perenesenko's patch, we now do SOCKS5 operations and let the proxy do the host name resolving and only if --socks5ip (or CURLOPT_SOCKS5_RESOLVE_LOCAL) is used we resolve the host name locally and pass on the IP address only to the proxy.
2008-01-04 18:01:00 -05:00
}
/* At this point we already read first 10 bytes */
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
if(!conn->socks5_gssapi_enctype) {
/* decrypt_gssapi_blockread already read the whole packet */
#endif
lib/socks.c: Merged two size variables into one
2012-10-04 15:27:46 -04:00
if(len > 10) {
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
result = Curl_blockread_all(conn, sock, (char *)&socksreq[10],
socks.c: Do not modify and invalidate calculated response length Second commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:05:32 -04:00
len - 10, &actualread);
if(result || ((len - 10) != actualread)) {
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
failf(data, "Failed to receive SOCKS5 connect request ack.");
return CURLE_COULDNT_CONNECT;
}
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
}
- Markus Moeller introduced two new options to libcurl: CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28 16:33:58 -05:00
#endif
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
socks.c: Move error output after reading the whole response packet First commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:01:13 -04:00
if(socksreq[1] != 0) { /* Anything besides 0 is an error */
if(socksreq[3] == 1) {
failf(data,
"Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)",
(unsigned char)socksreq[4], (unsigned char)socksreq[5],
(unsigned char)socksreq[6], (unsigned char)socksreq[7],
socks.c: Correctly calculate position of port in response packet Third commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:07:11 -04:00
(((unsigned char)socksreq[8] << 8) |
(unsigned char)socksreq[9]),
socks.c: Move error output after reading the whole response packet First commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:01:13 -04:00
(unsigned char)socksreq[1]);
}
else if(socksreq[3] == 3) {
socks.c: display the hostname returned by the SOCKS5 proxy server Instead of displaying the requested hostname the one returned by the SOCKS5 proxy server is used in case of connection error. The requested hostname is displayed earlier in the connection sequence. The upper-value of the port is moved to a temporary variable and replaced with a 0-byte to make sure the hostname is 0-terminated.
2016-08-20 15:38:09 -04:00
unsigned char port_upper = (unsigned char)socksreq[len - 2];
socksreq[len - 2] = 0;
socks.c: Move error output after reading the whole response packet First commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:01:13 -04:00
failf(data,
"Can't complete SOCKS5 connection to %s:%d. (%d)",
socks.c: display the hostname returned by the SOCKS5 proxy server Instead of displaying the requested hostname the one returned by the SOCKS5 proxy server is used in case of connection error. The requested hostname is displayed earlier in the connection sequence. The upper-value of the port is moved to a temporary variable and replaced with a 0-byte to make sure the hostname is 0-terminated.
2016-08-20 15:38:09 -04:00
(char *)&socksreq[5],
((port_upper << 8) |
socks.c: Correctly calculate position of port in response packet Third commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:07:11 -04:00
(unsigned char)socksreq[len - 1]),
socks.c: Move error output after reading the whole response packet First commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:01:13 -04:00
(unsigned char)socksreq[1]);
socks.c: display the hostname returned by the SOCKS5 proxy server Instead of displaying the requested hostname the one returned by the SOCKS5 proxy server is used in case of connection error. The requested hostname is displayed earlier in the connection sequence. The upper-value of the port is moved to a temporary variable and replaced with a 0-byte to make sure the hostname is 0-terminated.
2016-08-20 15:38:09 -04:00
socksreq[len - 2] = port_upper;
socks.c: Move error output after reading the whole response packet First commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:01:13 -04:00
}
else if(socksreq[3] == 4) {
failf(data,
"Can't complete SOCKS5 connection to %02x%02x:%02x%02x:"
"%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%d. (%d)",
(unsigned char)socksreq[4], (unsigned char)socksreq[5],
(unsigned char)socksreq[6], (unsigned char)socksreq[7],
(unsigned char)socksreq[8], (unsigned char)socksreq[9],
(unsigned char)socksreq[10], (unsigned char)socksreq[11],
(unsigned char)socksreq[12], (unsigned char)socksreq[13],
(unsigned char)socksreq[14], (unsigned char)socksreq[15],
(unsigned char)socksreq[16], (unsigned char)socksreq[17],
(unsigned char)socksreq[18], (unsigned char)socksreq[19],
socks.c: Correctly calculate position of port in response packet Third commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:07:11 -04:00
(((unsigned char)socksreq[20] << 8) |
(unsigned char)socksreq[21]),
socks.c: Move error output after reading the whole response packet First commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:01:13 -04:00
(unsigned char)socksreq[1]);
}
return CURLE_COULDNT_CONNECT;
}
Improve code readbility ... by removing the else branch after a return, break or continue. Closes #1310
2017-03-10 08:28:37 -05:00
infof(data, "SOCKS5 request granted.\n");
socks.c: Move error output after reading the whole response packet First commit to fix issue #944 regarding SOCKS5 error handling. Reported-by: David Kalnischkies
2016-08-14 11:01:13 -04:00
nonblock: call with (void) to show we ignore the return code Coverity pointed out several of these.
2014-10-04 09:14:27 -04:00
(void)curlx_nonblock(sock, TRUE);
Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better as it now will read the full data sent from servers. The SOCKS-related code was also moved to the new lib/socks.c source file.
2006-09-23 15:07:20 -04:00
return CURLE_OK; /* Proxy was successful! */
}
- Daniel Egger provided a patch that allows you to disable proxy support in libcurl to somewhat reduce the size of the binary. Run configure --disable-proxy.
2008-09-29 17:46:04 -04:00
#endif /* CURL_DISABLE_PROXY */