/** * FreeRDP: A Remote Desktop Protocol Implementation * HTTP Proxy support * * Copyright 2016 Christian Plattner * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include #include #include "proxy.h" #include "freerdp/settings.h" #include "tcp.h" #include "winpr/environment.h" /* For GetEnvironmentVariableA */ #define CRLF "\r\n" #define TAG FREERDP_TAG("core.proxy") /* SOCKS Proxy auth methods by rfc1928 */ enum { AUTH_M_NO_AUTH = 0, AUTH_M_GSSAPI = 1, AUTH_M_USR_PASS = 2 }; enum { SOCKS_CMD_CONNECT = 1, SOCKS_CMD_BIND = 2, SOCKS_CMD_UDP_ASSOCIATE = 3 }; enum { SOCKS_ADDR_IPV4 = 1, SOCKS_ADDR_FQDN = 3, SOCKS_ADDR_IPV6 = 4, }; /* CONN REQ replies in enum. order */ static const char* rplstat[] = { "succeeded", "general SOCKS server failure", "connection not allowed by ruleset", "Network unreachable", "Host unreachable", "Connection refused", "TTL expired", "Command not supported", "Address type not supported" }; static BOOL http_proxy_connect(BIO* bufferedBio, const char* hostname, UINT16 port); static BOOL socks_proxy_connect(BIO* bufferedBio, const char* proxyUsername, const char* proxyPassword, const char* hostname, UINT16 port); void proxy_read_environment(rdpSettings* settings, char* envname); BOOL proxy_prepare(rdpSettings* settings, const char** lpPeerHostname, UINT16* lpPeerPort, const char** lpProxyUsername, const char** lpProxyPassword) { if (settings->ProxyType == PROXY_TYPE_IGNORE) return FALSE; /* For TSGateway, find the system HTTPS proxy automatically */ if (settings->ProxyType == PROXY_TYPE_NONE) proxy_read_environment(settings, "https_proxy"); if (settings->ProxyType == PROXY_TYPE_NONE) proxy_read_environment(settings, "HTTPS_PROXY"); if (settings->ProxyType != PROXY_TYPE_NONE) proxy_read_environment(settings, "no_proxy"); if (settings->ProxyType != PROXY_TYPE_NONE) proxy_read_environment(settings, "NO_PROXY"); if (settings->ProxyType != PROXY_TYPE_NONE) { *lpPeerHostname = settings->ProxyHostname; *lpPeerPort = settings->ProxyPort; *lpProxyUsername = settings->ProxyUsername; *lpProxyPassword = settings->ProxyPassword; return TRUE; } return FALSE; } static BOOL check_no_proxy(rdpSettings* settings, const char* no_proxy) { const char* delimiter = ","; BOOL result = FALSE; char* current; char* copy; size_t host_len; if (!no_proxy || !settings) return FALSE; host_len = strlen(settings->ServerHostname); copy = _strdup(no_proxy); if (!copy) return FALSE; current = strtok(copy, delimiter); while (current && !result) { const size_t currentlen = strlen(current); if (currentlen > 0) { WLog_DBG(TAG, "%s => %s (%"PRIdz")", settings->ServerHostname, current, currentlen); /* detect left and right "*" wildcard */ if (current[0] == '*') { if (host_len >= currentlen) { const size_t offset = host_len + 1 - currentlen; if (strncmp(current + 1, settings->ServerHostname + offset, currentlen - 1) == 0) result = TRUE; } } else if (current[currentlen - 1] == '*') { if (strncmp(current, settings->ServerHostname, currentlen - 1) == 0) result = TRUE; } else { if (strcmp(current, settings->ServerHostname) == 0) result = TRUE; /* exact match */ else { struct sockaddr_in sa4; struct sockaddr_in6 sa6; BOOL is_ip = FALSE; if (inet_pton(AF_INET, settings->ServerHostname, &sa4.sin_addr) == 1) is_ip = TRUE; else if (inet_pton(AF_INET6, settings->ServerHostname, &sa6.sin6_addr) == 1) is_ip = TRUE; if (is_ip) { if (!strncmp(current, settings->ServerHostname, currentlen)) result = TRUE; /* left-aligned match for IPs */ } else if (current[0] == '.') /* Only compare if the no_proxy variable contains a whole domain. */ { if (host_len >= currentlen) { const size_t offset = host_len - currentlen; if (!strncmp(current, settings->ServerHostname + offset, currentlen)) result = TRUE; /* right-aligned match for host names */ } } } } } current = strtok(NULL, delimiter); } free(copy); return result; } void proxy_read_environment(rdpSettings* settings, char* envname) { DWORD envlen; char* env; envlen = GetEnvironmentVariableA(envname, NULL, 0); if (!envlen) return; env = calloc(1, envlen); if (!env) { WLog_ERR(TAG, "Not enough memory"); return; } if (GetEnvironmentVariableA(envname, env, envlen) == envlen - 1) { if (_strnicmp("NO_PROXY", envname, 9) == 0) { if (check_no_proxy(settings, env)) { WLog_INFO(TAG, "deactivating proxy: %s [%s=%s]", settings->ServerHostname, envname, env); settings->ProxyType = PROXY_TYPE_NONE; } } else { proxy_parse_uri(settings, env); } } free(env); } BOOL proxy_parse_uri(rdpSettings* settings, const char* uri) { const char* hostname, *pport; const char* protocol; const char* p; UINT16 port; int hostnamelen; p = strstr(uri, "://"); if (p) { if (p == uri + 4 && !strncmp("http", uri, 4)) { settings->ProxyType = PROXY_TYPE_HTTP; protocol = "http"; } else { WLog_ERR(TAG, "Only HTTP proxys supported by now"); return FALSE; } uri = p + 3; } else { WLog_ERR(TAG, "No scheme in proxy URI"); return FALSE; } hostname = uri; pport = strchr(hostname, ':'); if (pport) { long val; errno = 0; val = strtol(pport + 1, NULL, 0); if ((errno != 0) || (val <= 0) || (val > UINT16_MAX)) return FALSE; port = val; } else { /* The default is 80. Also for Proxys. */ port = 80; pport = strchr(hostname, '/'); } if (pport) { hostnamelen = pport - hostname; } else { hostnamelen = strlen(hostname); } settings->ProxyHostname = calloc(hostnamelen + 1, 1); if (!settings->ProxyHostname) { WLog_ERR(TAG, "Not enough memory"); return FALSE; } memcpy(settings->ProxyHostname, hostname, hostnamelen); settings->ProxyPort = port; WLog_INFO(TAG, "Parsed proxy configuration: %s://%s:%d", protocol, settings->ProxyHostname, settings->ProxyPort); return TRUE; } BOOL proxy_connect(rdpSettings* settings, BIO* bufferedBio, const char* proxyUsername, const char* proxyPassword, const char* hostname, UINT16 port) { switch (settings->ProxyType) { case PROXY_TYPE_NONE: case PROXY_TYPE_IGNORE: return TRUE; case PROXY_TYPE_HTTP: return http_proxy_connect(bufferedBio, hostname, port); case PROXY_TYPE_SOCKS: return socks_proxy_connect(bufferedBio, proxyUsername, proxyPassword, hostname, port); default: WLog_ERR(TAG, "Invalid internal proxy configuration"); return FALSE; } } static BOOL http_proxy_connect(BIO* bufferedBio, const char* hostname, UINT16 port) { int status; wStream* s; char port_str[10], recv_buf[256], *eol; int resultsize; _itoa_s(port, port_str, sizeof(port_str), 10); s = Stream_New(NULL, 200); Stream_Write(s, "CONNECT ", 8); Stream_Write(s, hostname, strlen(hostname)); Stream_Write_UINT8(s, ':'); Stream_Write(s, port_str, strlen(port_str)); Stream_Write(s, " HTTP/1.1" CRLF "Host: ", 17); Stream_Write(s, hostname, strlen(hostname)); Stream_Write_UINT8(s, ':'); Stream_Write(s, port_str, strlen(port_str)); Stream_Write(s, CRLF CRLF, 4); status = BIO_write(bufferedBio, Stream_Buffer(s), Stream_GetPosition(s)); if (status != Stream_GetPosition(s)) { Stream_Free(s, TRUE); WLog_ERR(TAG, "HTTP proxy: failed to write CONNECT request"); return FALSE; } Stream_Free(s, TRUE); s = NULL; /* Read result until CR-LF-CR-LF. * Keep recv_buf a null-terminated string. */ memset(recv_buf, '\0', sizeof(recv_buf)); resultsize = 0; while (strstr(recv_buf, CRLF CRLF) == NULL) { if (resultsize >= sizeof(recv_buf) - 1) { WLog_ERR(TAG, "HTTP Reply headers too long."); return FALSE; } status = BIO_read(bufferedBio, (BYTE*)recv_buf + resultsize, sizeof(recv_buf) - resultsize - 1); if (status < 0) { /* Error? */ if (BIO_should_retry(bufferedBio)) { USleep(100); continue; } WLog_ERR(TAG, "Failed reading reply from HTTP proxy (Status %d)", status); return FALSE; } else if (status == 0) { /* Error? */ WLog_ERR(TAG, "Failed reading reply from HTTP proxy (BIO_read returned zero)"); return FALSE; } resultsize += status; } /* Extract HTTP status line */ eol = strchr(recv_buf, '\r'); if (!eol) { /* should never happen */ return FALSE; } *eol = '\0'; WLog_INFO(TAG, "HTTP Proxy: %s", recv_buf); if (strlen(recv_buf) < 12) { return FALSE; } recv_buf[7] = 'X'; if (strncmp(recv_buf, "HTTP/1.X 200", 12)) return FALSE; return TRUE; } static int recv_socks_reply(BIO* bufferedBio, BYTE* buf, int len, char* reason, BYTE checkVer) { int status; for (;;) { status = BIO_read(bufferedBio, buf, len); if (status > 0) break; if (status < 0) { /* Error? */ if (BIO_should_retry(bufferedBio)) { USleep(100); continue; } WLog_ERR(TAG, "Failed reading %s reply from SOCKS proxy (Status %d)", reason, status); return -1; } if (status == 0) { /* Error? */ WLog_ERR(TAG, "Failed reading %s reply from SOCKS proxy (BIO_read returned zero)", reason); return -1; } } if (status < 2) { WLog_ERR(TAG, "SOCKS Proxy reply packet too short (%s)", reason); return -1; } if (buf[0] != checkVer) { WLog_ERR(TAG, "SOCKS Proxy version is not 5 (%s)", reason); return -1; } return status; } static BOOL socks_proxy_connect(BIO* bufferedBio, const char* proxyUsername, const char* proxyPassword, const char* hostname, UINT16 port) { int status; int nauthMethods = 1, writeLen = 3; BYTE buf[3 + 255 + 255]; /* biggest packet is user/pass auth */ size_t hostnlen = strnlen(hostname, 255); if (proxyUsername && proxyPassword) { nauthMethods++; writeLen++; } /* select auth. method */ buf[0] = 5; /* SOCKS version */ buf[1] = nauthMethods; /* #of methods offered */ buf[2] = AUTH_M_NO_AUTH; if (nauthMethods > 1) buf[3] = AUTH_M_USR_PASS; status = BIO_write(bufferedBio, buf, writeLen); if (status != writeLen) { WLog_ERR(TAG, "SOCKS proxy: failed to write AUTH METHOD request"); return FALSE; } status = recv_socks_reply(bufferedBio, buf, 2, "AUTH REQ", 5); if (status <= 0) return FALSE; switch (buf[1]) { case AUTH_M_NO_AUTH: WLog_DBG(TAG, "SOCKS Proxy: (NO AUTH) method was selected"); break; case AUTH_M_USR_PASS: if (!proxyUsername || !proxyPassword) return FALSE; else { int usernameLen = strnlen(proxyUsername, 255); int userpassLen = strnlen(proxyPassword, 255); BYTE* ptr; if (nauthMethods < 2) { WLog_ERR(TAG, "SOCKS Proxy: USER/PASS method was not proposed to server"); return FALSE; } /* user/password v1 method */ ptr = buf + 2; buf[0] = 1; buf[1] = usernameLen; memcpy(ptr, proxyUsername, usernameLen); ptr += usernameLen; *ptr = userpassLen; ptr++; memcpy(ptr, proxyPassword, userpassLen); status = BIO_write(bufferedBio, buf, 3 + usernameLen + userpassLen); if (status != 3 + usernameLen + userpassLen) { WLog_ERR(TAG, "SOCKS Proxy: error writing user/password request"); return FALSE; } status = recv_socks_reply(bufferedBio, buf, 2, "AUTH REQ", 1); if (status < 2) return FALSE; if (buf[1] != 0x00) { WLog_ERR(TAG, "SOCKS Proxy: invalid user/password"); return FALSE; } } break; default: WLog_ERR(TAG, "SOCKS Proxy: unknown method 0x%x was selected by proxy", buf[1]); return FALSE; } /* CONN request */ buf[0] = 5; /* SOCKS version */ buf[1] = SOCKS_CMD_CONNECT; /* command */ buf[2] = 0; /* 3rd octet is reserved x00 */ buf[3] = SOCKS_ADDR_FQDN; /* addr.type */ buf[4] = hostnlen; /* DST.ADDR */ memcpy(buf + 5, hostname, hostnlen); /* follows DST.PORT in netw. format */ buf[hostnlen + 5] = (port >> 8) & 0xff; buf[hostnlen + 6] = port & 0xff; status = BIO_write(bufferedBio, buf, hostnlen + 7); if (status != (hostnlen + 7)) { WLog_ERR(TAG, "SOCKS proxy: failed to write CONN REQ"); return FALSE; } status = recv_socks_reply(bufferedBio, buf, sizeof(buf), "CONN REQ", 5); if (status < 4) return FALSE; if (buf[1] == 0) { WLog_INFO(TAG, "Successfully connected to %s:%d", hostname, port); return TRUE; } if (buf[1] > 0 && buf[1] < 9) WLog_INFO(TAG, "SOCKS Proxy replied: %s", rplstat[buf[1]]); else WLog_INFO(TAG, "SOCKS Proxy replied: %d status not listed in rfc1928", buf[1]); return FALSE; }