diff --git a/.cvsignore b/.cvsignore new file mode 100644 index 0000000..e69de29 diff --git a/.gitignore b/.gitignore deleted file mode 100644 index c0a15ec..0000000 --- a/.gitignore +++ /dev/null @@ -1 +0,0 @@ -/ssh-connect-1.105.tar.gz diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..91cf132 --- /dev/null +++ b/Makefile @@ -0,0 +1,21 @@ +# Makefile for source rpm: connect-proxy +# $Id$ +NAME := connect-proxy +SPECFILE = $(firstword $(wildcard *.spec)) + +define find-makefile-common +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +endef + +MAKEFILE_COMMON := $(shell $(find-makefile-common)) + +ifeq ($(MAKEFILE_COMMON),) +# attept a checkout +define checkout-makefile-common +test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 +endef + +MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) +endif + +include $(MAKEFILE_COMMON) diff --git a/connect-1.100.c b/connect-1.100.c new file mode 100644 index 0000000..b275b77 --- /dev/null +++ b/connect-1.100.c @@ -0,0 +1,2982 @@ +/*********************************************************************** + * connect.c -- Make socket connection using SOCKS4/5 and HTTP tunnel. + * + * Copyright (c) 2000-2006 Shun-ichi Goto + * Copyright (c) 2002, J. Grant (English Corrections) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + * --------------------------------------------------------- + * PROJECT: My Test Program + * AUTHOR: Shun-ichi GOTO + * CREATE: Wed Jun 21, 2000 + * REVISION: $Revision$ + * --------------------------------------------------------- + * + * Getting Source + * ============== + * + * Recent version of 'connect.c' is available from + * http://www.taiyo.co.jp/~gotoh/ssh/connect.c + * + * Related tool, ssh-askpass.exe (alternative ssh-askpass on UNIX) + * is available: + * http://www.taiyo.co.jp/~gotoh/ssh/ssh-askpass.exe.gz + * + * See more detail: + * http://www.taiyo.co.jp/~gotoh/ssh/connect.html + * + * How To Compile + * ============== + * + * On UNIX environment: + * $ gcc connect.c -o connect + * + * On SOLARIS: + * $ gcc -o connect -lresolv -lsocket -lnsl connect.c + * + * on Win32 environment: + * $ cl connect.c wsock32.lib advapi32.lib + * or + * $ bcc32 connect.c wsock32.lib advapi32.lib + * or + * $ gcc connect.c -o connect + * + * on Mac OS X environment: + * $ gcc connect.c -o connect -lresolv + * or + * $ gcc connect.c -o connect -DBIND_8_COMPAT=1 + * + * How To Use + * ========== + * + * You can specify proxy method in an environment variable or in a + * command line option. + * + * usage: connect [-dnhst45] [-R resolve] [-p local-port] [-w sec] + * [-H [user@]proxy-server[:port]] + * [-S [user@]socks-server[:port]] + * [-T proxy-server[:port]] + * [-c telnet proxy command] + * host port + * + * "host" and "port" is for the target hostname and port-number to + * connect to. + * + * The -H option specifys a hostname and port number of the http proxy + * server to relay. If port is omitted, 80 is used. You can specify this + * value in the environment variable HTTP_PROXY and pass the -h option + * to use it. + * + * The -S option specifys the hostname and port number of the SOCKS + * server to relay. Like -H, port number can be omitted and the default + * is 1080. You can also specify this value pair in the environment + * variable SOCKS5_SERVER and give the -s option to use it. + * + * The '-4' and the '-5' options are for specifying SOCKS relaying and + * indicates protocol version to use. It is valid only when used with + * '-s' or '-S'. Default is '-5' (protocol version 5) + * + * The '-R' option is for specifying method to resolve the + * hostname. Three keywords ("local", "remote", "both") or dot-notation + * IP address are acceptable. The keyword "both" means, "Try local + * first, then remote". If a dot-notation IP address is specified, use + * this host as nameserver. The default is "remote" for SOCKS5 or + * "local" for others. On SOCKS4 protocol, remote resolving method + * ("remote" and "both") requires protocol 4a supported server. + * + * The '-p' option will forward a local TCP port instead of using the + * standard input and output. + * + * The '-P' option is same to '-p' except keep remote session. The + * program repeats waiting the port with holding remote session without + * disconnecting. To disconnect the remote session, send EOF to stdin or + * kill the program. + * + * The '-w' option specifys timeout seconds for making connection with + * TARGET host. + * + * The '-d' option is used for debug. If you fail to connect, use this + * and check request to and response from server. + * + * You can omit the "port" argument when program name is special format + * containing port number itself. For example, + * $ ln -s connect connect-25 + * means this connect-25 command is spcifying port number 25 already + * so you need not 2nd argument (and ignored if specified). + * + * To use proxy, this example is for SOCKS5 connection to connect to + * 'host' at port 25 via SOCKS5 server on 'firewall' host. + * $ connect -S firewall host 25 + * or + * $ SOCKS5_SERVER=firewall; export SOCKS5_SERVER + * $ connect -s host 25 + * + * For a HTTP-PROXY connection: + * $ connect -H proxy-server:8080 host 25 + * or + * $ HTTP_PROXY=proxy-server:8080; export HTTP_PROXY + * $ connect -h host 25 + * To forward a local port, for example to use ssh: + * $ connect -p 5550 -H proxy-server:8080 host 22 + * ($ ssh -l user -p 5550 localhost ) + * + * TIPS + * ==== + * + * Connect.c doesn't have any configuration to specify the SOCKS server. + * If you are a mobile user, this limitation might bother you. However, + * You can compile connect.c and link with other standard SOCKS library + * like the NEC SOCKS5 library or Dante. This means connect.c is + * socksified and uses a configration file like to other SOCKSified + * network commands and you can switch configuration file any time + * (ex. when ppp startup) that brings you switching of SOCKS server for + * connect.c in same way with other commands. For this case, you can + * write ~/.ssh/config like this: + * + * ProxyCommand connect -n %h %p + * + * SOCKS5 authentication + * ===================== + * + * Only USER/PASS authentication is supported. + * + * Proxy authentication + * ==================== + * + * Only BASIC scheme is supported. + * + * Authentication informations + * =========================== + * + * User name for authentication is specifed by an environment variable + * or system login name. And password is specified from environment + * variable or external program (specified in $SSH_ASKPASS) or tty. + * + * Following environment variable is used for specifying user name. + * SOCKS: $SOCKS5_USER, $LOGNAME, $USER + * HTTP Proxy: $HTTP_PROXY_USER, $LOGNAME, $USER + * + * ssh-askpass support + * =================== + * + * You can use ssh-askpass (came from OpenSSH or else) to specify + * password on graphical environment (X-Window or MS Windows). To use + * this, set program name to environment variable SSH_ASKPASS. On UNIX, + * X-Window must be required, so $DISPLAY environment variable is also + * needed. On Win32 environment, $DISPLAY is not mentioned. + * + * Related Informations + * ==================== + * + * SOCKS5 -- RFC 1928, RFC 1929, RFC 1961 + * NEC SOCKS Reference Implementation is available from: + * http://www.socks.nec.com + * DeleGate version 5 or earlier can be SOCKS4 server, + * and version 6 can be SOCKS5 and SOCKS4 server. + * and version 7.7.0 or later can be SOCKS5 and SOCKS4a server. + * http://www.delegate.org/delegate/ + * + * HTTP-Proxy -- + * Many http proxy servers supports this, but https should + * be allowed as configuration on your host. + * For example on DeleGate, you should add "https" to the + * "REMITTABLE" parameter to allow HTTP-Proxy like this: + * delegated -Pxxxx ...... REMITTABLE="+,https" ... + * + * Hypertext Transfer Protocol -- HTTP/1.1 -- RFC 2616 + * HTTP Authentication: Basic and Digest Access Authentication -- RFC 2617 + * For proxy authentication, refer these documents. + * + ***********************************************************************/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef __CYGWIN32__ +#undef _WIN32 +#endif + +#ifdef _WIN32 +#include +#include +#include +#include +#include +#else /* !_WIN32 */ +#include +#include +#include +#include +#ifndef __hpux +#include +#endif /* __hpux */ +#include +#include +#include +#include +#if !defined(_WIN32) && !defined(__CYGWIN32__) +#define WITH_RESOLVER 1 +#include +#include +#else /* not ( not _WIN32 && not __CYGWIN32__) */ +#undef WITH_RESOLVER +#endif /* not ( not _WIN32 && not __CYGWIN32__) */ +#endif /* !_WIN32 */ + +#ifdef _WIN32 +#define ECONNRESET WSAECONNRESET +#endif /* _WI32 */ + + + +#ifndef LINT +static char *vcid = "$Id$"; +#endif + +/* Microsoft Visual C/C++ has _snprintf() and _vsnprintf() */ +#ifdef _MSC_VER +#define snprintf _snprintf +#define vsnprintf _vsnprintf +#endif + +/* consider Borland C */ +#ifdef __BORLANDC__ +#define _kbhit kbhit +#define _setmode setmode +#endif + +/* help message. + Win32 environment does not support -R option (vc and cygwin) + Win32 native compilers does not support -w option, yet (vc) +*/ +static char *usage = "usage: %s [-dnhst45] [-p local-port]" +#ifdef _WIN32 +#ifdef __CYGWIN32__ +"[-w timeout] \n" /* cygwin cannot -R */ +#else /* not __CYGWIN32__ */ +" \n" /* VC cannot -w nor -R */ +#endif /* not __CYGWIN32__ */ +#else /* not _WIN32 */ +/* help message for UNIX */ +"[-R resolve] [-w timeout] \n" +#endif /* not _WIN32 */ +" [-H proxy-server[:port]] [-S [user@]socks-server[:port]] \n" +" [-T proxy-server[:port]]\n" +" [-c telnet-proxy-command]\n" +" host port\n"; + +/* name of this program */ +char *progname = NULL; +char *progdesc = "connect --- simple relaying command via proxy."; +char *rcs_revstr = "$Revision$"; +char *revstr = NULL; +int major_version = 1; +int minor_version = 0; + +/* set of character for strspn() */ +const char *digits = "0123456789"; +const char *dotdigits = "0123456789."; + +/* options */ +int f_debug = 0; + +/* report flag to hide secure information */ +int f_report = 1; + +int connect_timeout = 0; + +/* local input type */ +#define LOCAL_STDIO 0 +#define LOCAL_SOCKET 1 +char *local_type_names[] = { "stdio", "socket" }; +int local_type = LOCAL_STDIO; +u_short local_port = 0; /* option 'p' */ +int f_hold_session = 0; /* option 'P' */ + +char *telnet_command = "telnet %h %p"; + +/* utiity types, pair holder of number and string */ +typedef struct { + int num; + const char *str; +} LOOKUP_ITEM; + +/* relay method, server and port */ +#define METHOD_UNDECIDED 0 +#define METHOD_DIRECT 1 +#define METHOD_SOCKS 2 +#define METHOD_HTTP 3 +#define METHOD_TELNET 4 +char *method_names[] = { "UNDECIDED", "DIRECT", "SOCKS", "HTTP", "TELNET" }; + +int relay_method = METHOD_UNDECIDED; /* relaying method */ +char *relay_host = NULL; /* hostname of relay server */ +u_short relay_port = 0; /* port of relay server */ +char *relay_user = NULL; /* user name for auth */ + +/* destination target host and port */ +char *dest_host = NULL; +struct sockaddr_in dest_addr; +u_short dest_port = 0; + +/* informations for SOCKS */ +#define SOCKS5_REP_SUCCEEDED 0x00 /* succeeded */ +#define SOCKS5_REP_FAIL 0x01 /* general SOCKS serer failure */ +#define SOCKS5_REP_NALLOWED 0x02 /* connection not allowed by ruleset */ +#define SOCKS5_REP_NUNREACH 0x03 /* Network unreachable */ +#define SOCKS5_REP_HUNREACH 0x04 /* Host unreachable */ +#define SOCKS5_REP_REFUSED 0x05 /* connection refused */ +#define SOCKS5_REP_EXPIRED 0x06 /* TTL expired */ +#define SOCKS5_REP_CNOTSUP 0x07 /* Command not supported */ +#define SOCKS5_REP_ANOTSUP 0x08 /* Address not supported */ +#define SOCKS5_REP_INVADDR 0x09 /* Inalid address */ + +LOOKUP_ITEM socks5_rep_names[] = { + { SOCKS5_REP_SUCCEEDED, "succeeded"}, + { SOCKS5_REP_FAIL, "general SOCKS server failure"}, + { SOCKS5_REP_NALLOWED, "connection not allowed by ruleset"}, + { SOCKS5_REP_NUNREACH, "Network unreachable"}, + { SOCKS5_REP_HUNREACH, "Host unreachable"}, + { SOCKS5_REP_REFUSED, "connection refused"}, + { SOCKS5_REP_EXPIRED, "TTL expired"}, + { SOCKS5_REP_CNOTSUP, "Command not supported"}, + { SOCKS5_REP_ANOTSUP, "Address not supported"}, + { SOCKS5_REP_INVADDR, "Invalid address"}, + { -1, NULL } +}; + +/* SOCKS5 authentication methods */ +#define SOCKS5_AUTH_REJECT 0xFF /* No acceptable auth method */ +#define SOCKS5_AUTH_NOAUTH 0x00 /* without authentication */ +#define SOCKS5_AUTH_GSSAPI 0x01 /* GSSAPI */ +#define SOCKS5_AUTH_USERPASS 0x02 /* User/Password */ +#define SOCKS5_AUTH_CHAP 0x03 /* Challenge-Handshake Auth Proto. */ +#define SOCKS5_AUTH_EAP 0x05 /* Extensible Authentication Proto. */ +#define SOCKS5_AUTH_MAF 0x08 /* Multi-Authentication Framework */ + +#define SOCKS4_REP_SUCCEEDED 90 /* rquest granted (succeeded) */ +#define SOCKS4_REP_REJECTED 91 /* request rejected or failed */ +#define SOCKS4_REP_IDENT_FAIL 92 /* cannot connect identd */ +#define SOCKS4_REP_USERID 93 /* user id not matched */ + +LOOKUP_ITEM socks4_rep_names[] = { + { SOCKS4_REP_SUCCEEDED, "request granted (succeeded)"}, + { SOCKS4_REP_REJECTED, "request rejected or failed"}, + { SOCKS4_REP_IDENT_FAIL, "cannot connect identd"}, + { SOCKS4_REP_USERID, "user id not matched"}, + { -1, NULL } +}; + +#define RESOLVE_UNKNOWN 0 +#define RESOLVE_LOCAL 1 +#define RESOLVE_REMOTE 2 +#define RESOLVE_BOTH 3 +char *resolve_names[] = { "UNKNOWN", "LOCAL", "REMOTE", "BOTH" }; + +int socks_version = 5; /* SOCKS protocol version */ +int socks_resolve = RESOLVE_UNKNOWN; +struct sockaddr_in socks_ns; +char *socks5_auth = NULL; + +/* Environment variable names */ +#define ENV_SOCKS_SERVER "SOCKS_SERVER" /* SOCKS server */ +#define ENV_SOCKS5_SERVER "SOCKS5_SERVER" +#define ENV_SOCKS4_SERVER "SOCKS4_SERVER" + +#define ENV_SOCKS_RESOLVE "SOCKS_RESOLVE" /* resolve method */ +#define ENV_SOCKS5_RESOLVE "SOCKS5_RESOLVE" +#define ENV_SOCKS4_RESOLVE "SOCKS4_RESOLVE" + +#define ENV_SOCKS5_USER "SOCKS5_USER" /* auth user for SOCKS5 */ +#define ENV_SOCKS4_USER "SOCKS4_USER" /* auth user for SOCKS4 */ +#define ENV_SOCKS_USER "SOCKS_USER" /* auth user for SOCKS */ +#define ENV_SOCKS5_PASSWD "SOCKS5_PASSWD" /* auth password for SOCKS5 */ +#define ENV_SOCKS5_PASSWORD "SOCKS5_PASSWORD" /* old style */ + +#define ENV_HTTP_PROXY "HTTP_PROXY" /* common env var */ +#define ENV_HTTP_PROXY_USER "HTTP_PROXY_USER" /* auth user */ +#define ENV_HTTP_PROXY_PASSWORD "HTTP_PROXY_PASSWORD" /* auth password */ + +#define ENV_TELNET_PROXY "TELNET_PROXY" /* common env var */ + +#define ENV_CONNECT_USER "CONNECT_USER" /* default auth user name */ +#define ENV_CONNECT_PASSWORD "CONNECT_PASSWORD" /* default auth password */ + +#define ENV_SOCKS_DIRECT "SOCKS_DIRECT" /* addr-list for non-proxy */ +#define ENV_SOCKS5_DIRECT "SOCKS5_DIRECT" +#define ENV_SOCKS4_DIRECT "SOCKS4_DIRECT" +#define ENV_HTTP_DIRECT "HTTP_DIRECT" +#define ENV_CONNECT_DIRECT "CONNECT_DIRECT" + +#define ENV_SOCKS5_AUTH "SOCKS5_AUTH" +#define ENV_SSH_ASKPASS "SSH_ASKPASS" /* askpass program */ + +/* Prefix string of HTTP_PROXY */ +#define HTTP_PROXY_PREFIX "http://" +#define PROXY_AUTH_NONE 0 +#define PROXY_AUTH_BASIC 1 +#define PROXY_AUTH_DIGEST 2 +int proxy_auth_type = PROXY_AUTH_NONE; + +/* reason of end repeating */ +#define REASON_UNK -2 +#define REASON_ERROR -1 +#define REASON_CLOSED_BY_LOCAL 0 +#define REASON_CLOSED_BY_REMOTE 1 + +/* return value of relay start function. */ +#define START_ERROR -1 +#define START_OK 0 +#define START_RETRY 1 + +/* socket related definitions */ +#ifndef _WIN32 +#define SOCKET int +#endif +#ifndef SOCKET_ERROR +#define SOCKET_ERROR -1 +#endif + +#ifdef _WIN32 +#define socket_errno() WSAGetLastError() +#else /* !_WIN32 */ +#define closesocket close +#define socket_errno() (errno) +#endif /* !_WIN32 */ + +#ifdef _WIN32 +#define popen _popen +#endif /* WIN32 */ + +/* packet operation macro */ +#define PUT_BYTE(ptr,data) (*(unsigned char*)ptr = data) + +/* debug message output */ +void +debug( const char *fmt, ... ) +{ + va_list args; + if ( f_debug ) { + va_start( args, fmt ); + fprintf(stderr, "DEBUG: "); + vfprintf( stderr, fmt, args ); + va_end( args ); + } +} + +void +debug_( const char *fmt, ... ) /* without prefix */ +{ + va_list args; + if ( f_debug ) { + va_start( args, fmt ); + vfprintf( stderr, fmt, args ); + va_end( args ); + } +} + +/* error message output */ +void +error( const char *fmt, ... ) +{ + va_list args; + va_start( args, fmt ); + fprintf(stderr, "ERROR: "); + vfprintf( stderr, fmt, args ); + va_end( args ); +} + +void +fatal( const char *fmt, ... ) +{ + va_list args; + va_start( args, fmt ); + fprintf(stderr, "FATAL: "); + vfprintf( stderr, fmt, args ); + va_end( args ); + exit (EXIT_FAILURE); +} + + +void * +xmalloc (size_t size) +{ + void *ret = malloc(size); + if (ret == NULL) + fatal("Cannot allocate memory: %d bytes.\n", size); + return ret; +} + +char * +downcase( char *str ) +{ + char *buf = str; + while ( *buf ) { + if ( isupper(*buf) ) + *buf += 'a'-'A'; + buf++; + } + return str; /* return converted arg */ +} + +char * +expand_host_and_port (const char *fmt, const char *host, int port) +{ + const char *src; + char *buf, *dst, *ptr; + size_t len = strlen(fmt) + strlen(host) + 20; + buf = xmalloc (len); + dst = buf; + src = fmt; + + while (*src) { + if (*src == '%') { + switch (src[1]) { + case 'h': + strcpy (dst, host); + src += 2; + break; + case 'p': + snprintf (dst, len, "%d", port); + src += 2; + break; + default: + src ++; + break; + } + dst = buf + strlen (buf); + } else if (*src == '\\') { + switch (src[1]) { + case 'r': /* CR */ + *dst++ = '\r'; + src += 2; + break; + case 'n': /* LF */ + *dst++ = '\n'; + src += 2; + break; + case 't': /* TAB */ + *dst++ = '\t'; + src += 2; + break; + default: + src ++; + break; + } + } else { + /* usual */ + *dst++ = *src++; + } + *dst = '\0'; + } + assert (strlen(buf) < len); + return buf; +} + + +int +lookup_resolve( const char *str ) +{ + char *buf = strdup( str ); + int ret; + + downcase( buf ); + if ( strcmp( buf, "both" ) == 0 ) + ret = RESOLVE_BOTH; + else if ( strcmp( buf, "remote" ) == 0 ) + ret = RESOLVE_REMOTE; + else if ( strcmp( buf, "local" ) == 0 ) + ret = RESOLVE_LOCAL; + else if ( strspn(buf, dotdigits) == strlen(buf) ) { +#ifndef WITH_RESOLVER + fatal("Sorry, you can't specify to resolve the hostname with the -R option on Win32 environment."); +#endif /* not WITH_RESOLVER */ + ret = RESOLVE_LOCAL; /* this case is also 'local' */ + socks_ns.sin_addr.s_addr = inet_addr(buf); + socks_ns.sin_family = AF_INET; + } + else + ret = RESOLVE_UNKNOWN; + free(buf); + return ret; +} + +char * +getusername(void) +{ +#ifdef _WIN32 + static char buf[1024]; + DWORD size = sizeof(buf); + buf[0] = '\0'; + GetUserName( buf, &size); + return buf; +#else /* not _WIN32 */ + struct passwd *pw = getpwuid(getuid()); + if ( pw == NULL ) + fatal("getpwuid() failed for uid: %d\n", getuid()); + return pw->pw_name; +#endif /* not _WIN32 */ +} + +/* expect + check STR is begin with substr with case-ignored comparison. + Return 1 if matched, otherwise 0. +*/ +int +expect( char *str, char *substr) +{ + int len = strlen(substr); + while ( 0 < len-- ) { + if ( toupper(*str) != toupper(*substr) ) + return 0; /* not matched */ + str++, substr++; + } + return 1; /* good, matched */ +} + + +/** PARAMETER operation **/ +#define PARAMETER_FILE "/etc/connectrc" +#define PARAMETER_DOTFILE ".connectrc" +typedef struct { + char* name; + char* value; +} PARAMETER_ITEM; +PARAMETER_ITEM parameter_table[] = { + { ENV_SOCKS_SERVER, NULL }, + { ENV_SOCKS5_SERVER, NULL }, + { ENV_SOCKS4_SERVER, NULL }, + { ENV_SOCKS_RESOLVE, NULL }, + { ENV_SOCKS5_RESOLVE, NULL }, + { ENV_SOCKS4_RESOLVE, NULL }, + { ENV_SOCKS5_USER, NULL }, + { ENV_SOCKS5_PASSWD, NULL }, + { ENV_SOCKS5_PASSWORD, NULL }, + { ENV_HTTP_PROXY, NULL }, + { ENV_HTTP_PROXY_USER, NULL }, + { ENV_HTTP_PROXY_PASSWORD, NULL }, + { ENV_CONNECT_USER, NULL }, + { ENV_CONNECT_PASSWORD, NULL }, + { ENV_SSH_ASKPASS, NULL }, + { ENV_SOCKS5_DIRECT, NULL }, + { ENV_SOCKS4_DIRECT, NULL }, + { ENV_SOCKS_DIRECT, NULL }, + { ENV_HTTP_DIRECT, NULL }, + { ENV_CONNECT_DIRECT, NULL }, + { ENV_SOCKS5_AUTH, NULL }, + { NULL, NULL } +}; + +PARAMETER_ITEM* +find_parameter_item(const char* name) +{ + int i; + for( i = 0; parameter_table[i].name != NULL; i++ ){ + if ( strcmp(name, parameter_table[i].name) == 0 ) + return ¶meter_table[i]; + } + return NULL; +} + +void +read_parameter_file_1(const char* name) +{ + FILE* f; + int line; + char lbuf[1025]; + f = fopen(name, "r"); + if( f ){ + debug("Reading parameter file(%s)\n", name); + for ( line = 1; fgets(lbuf, 1024, f); line++ ) { + char *p, *q, *param, *value; + p = strchr(lbuf, '\n'); + if ( p == NULL ) + fatal("%s:%d: buffer overflow\n", name, line); + *p = '\0'; + p = strchr(lbuf, '#'); + if ( p ) + *p = '\0'; + for ( p = lbuf; *p; p++ ) + if( *p != ' ' && *p != '\t' ) break; + if ( *p == '\0' ) continue; + param = p; + p = strchr(p, '='); + if ( p == NULL ) { + error("%s:%d: missing equal sign\n", name, line); + continue; + } + for ( q = p - 1; q >= lbuf; q-- ) + if ( *q != ' ' && *q != '\t' ) break; + *++q = '\0'; + for ( ++p; *p; p++ ) + if ( *p != ' ' && *p != '\t' ) break; + value = p; + for ( ; *p; p++ ); + for ( p--; p >= lbuf; p-- ) + if ( *p != ' ' && *p != '\t' ) break; + *++p = '\0'; + if ( param && value ) { + PARAMETER_ITEM *item; + item = find_parameter_item(param); + if ( item == NULL ) { + error("%s:%d: unknown parameter `%s'\n", name, line, param); + continue; + } + item->value = strdup(value); + debug("Parameter `%s' is set to `%s'\n", param, value); + } + } + } +} + +void +read_parameter_file(void) +{ +#if !defined(_WIN32) || defined(cygwin) + char *name; + struct passwd *pw; +#endif + + read_parameter_file_1(PARAMETER_FILE); +#if !defined(_WIN32) || defined(cygwin) + pw = getpwuid(getuid()); + if ( pw == NULL ) + fatal("getpwuid() failed for uid: %d\n", getuid()); + name = xmalloc(strlen(pw->pw_dir) + strlen(PARAMETER_DOTFILE) + 2); + strcpy(name, pw->pw_dir); + strcat(name, "/" PARAMETER_DOTFILE); + read_parameter_file_1(name); + free(name); +#endif /* _WIN32 */ +} + +char* +getparam(const char* name) +{ + char *value = getenv(name); + if ( value == NULL ){ + PARAMETER_ITEM *item = find_parameter_item(name); + if ( item != NULL ) + value = item->value; + } + return value; +} + + +/** DIRECT connection **/ +#define MAX_DIRECT_ADDR_LIST 256 + +struct ADDRPAIR { + struct in_addr addr; + struct in_addr mask; + char *name; + int negative; +}; + +struct ADDRPAIR direct_addr_list[MAX_DIRECT_ADDR_LIST]; +int n_direct_addr_list = 0; + +void +mask_addr (void *addr, void *mask, int addrlen) +{ + char *a, *m; + a = addr; + m = mask; + while ( 0 < addrlen-- ) + *a++ &= *m++; +} + +int +add_direct_addr (struct in_addr *addr, struct in_addr *mask, int negative) +{ + struct in_addr iaddr; + char *s; + if ( MAX_DIRECT_ADDR_LIST <= n_direct_addr_list ) { + error("direct address table is full!\n"); + return -1; + } + iaddr = *addr; + mask_addr(&iaddr, mask, sizeof(iaddr)); + s = strdup(inet_ntoa(iaddr)); + debug("adding direct addr entry: %s%s/%s\n", + negative? "!": "", s, inet_ntoa(*mask)); + free(s); + memcpy( &direct_addr_list[n_direct_addr_list].addr, + &iaddr, sizeof(iaddr)); + memcpy( &direct_addr_list[n_direct_addr_list].mask, + mask, sizeof(*mask)); + direct_addr_list[n_direct_addr_list].name = NULL; + direct_addr_list[n_direct_addr_list].negative = negative; + n_direct_addr_list++; + return 0; +} + + +/* add domain/host name entry to direct name table */ +int +add_direct_host( const char *name, int negative) +{ + if ( MAX_DIRECT_ADDR_LIST <= n_direct_addr_list ) { + error("direct address table is full!\n"); + return -1; + } + if (*name == '*') + name++; + if (*name == '.') + name++; + debug("adding direct name entry: %s%s\n", negative? "!": "", name); + direct_addr_list[n_direct_addr_list].name = downcase(strdup(name)); + direct_addr_list[n_direct_addr_list].negative = negative; + n_direct_addr_list++; + return 0; +} + + +int +parse_addr_pair (const char *str, struct in_addr *addr, struct in_addr *mask) +{ + /* NOTE: */ + /* Assume already be splitted by separator + and formatted as folowing: + 1) 12.34.56.789/255.255.255.0 + 2) 12.34.56.789/24 + 3) 12.34.56. + All above generates same addr/mask pair 12.34.56.0 and 255.255.255.0 + */ + const char *ptr; + u_char *dsta, *dstm; + int i, n; + + assert( str != NULL ); + addr->s_addr = 0; + mask->s_addr = 0; + ptr = str; + dsta = (u_char*)&addr->s_addr; + dstm = (u_char*)&mask->s_addr; + for (i=0; i<4; i++ ) { + if ( *ptr == '\0' ) + break; /* case of format #3 */ + if ( !isdigit(*ptr) ) + return -1; /* format error: */ + *dsta++ = atoi( ptr ); + *dstm++ = 255; /* automatic mask for format #3 */ + while ( isdigit(*ptr) ) /* skip digits */ + ptr++; + if ( *ptr == '.' ) + ptr++; + else + break; + } + /* At this point, *ptr points '/' or EOS ('\0') */ + if ( *ptr == '\0' ) + return 0; /* complete as format #3 */ + if ( *ptr != '/' ) + return -1; /* format error */ + /* Now parse mask for format #1 or #2 */ + ptr++; + mask->s_addr = 0; /* clear automatic mask */ + + if ( strchr( ptr, '.') ) { + /* case of format #1 */ + dstm = (u_char*)&mask->s_addr; + for (i=0; i<4; i++) { + if ( !isdigit(*ptr) ) + return -1; /* format error: */ + *dstm++ = atoi(ptr); + while ( isdigit(*ptr) ) /* skip digits */ + ptr++; + if ( *ptr == '.' ) + ptr++; + else + break; /* from for loop */ + } + /* complete as format #1 */ + } else { + /* case of format #2 */ + if ( !isdigit(*ptr) ) + return -1; /* format error: */ + n = atoi(ptr); + if ( n<0 || 32s_addr = (n==0)? 0: htonl(((u_long)0xFFFFFFFF)<<(32-n)); + /* complete as format #1 */ + } + return 0; +} + +void +initialize_direct_addr (void) +{ + int negative; + int n_entries; + char *env = NULL, *beg, *next, *envkey = NULL; + struct in_addr addr, mask; + + if ( relay_method == METHOD_SOCKS ){ + if ( socks_version == 5 ) + envkey = ENV_SOCKS5_DIRECT; + else + envkey = ENV_SOCKS4_DIRECT; + env = getparam(envkey); + if ( env == NULL ) + env = getparam(ENV_SOCKS_DIRECT); + } else if ( relay_method == METHOD_HTTP ){ + env = getparam(ENV_HTTP_DIRECT); + } + + if ( env == NULL ) + env = getparam(ENV_CONNECT_DIRECT); + + if ( env == NULL ) + return; /* no entry */ + debug("making direct addr list from: '%s'\n", env); + env = strdup( env ); /* reallocate to modify */ + beg = next = env; + n_entries = 0; + do { + if ( MAX_DIRECT_ADDR_LIST <= n_entries ) { + error("too many entries in %s", envkey); + break; /* from do loop */ + } + next = strchr( beg, ','); + if ( next != NULL ) + *next++ = '\0'; + addr.s_addr = 0; + mask.s_addr = 0; + if (*beg == '!') { + negative = 1; + beg++; + } else + negative = 0; + if ( !parse_addr_pair( beg, &addr, &mask ) ) { + add_direct_addr( &addr, &mask, negative ); + } else { + add_direct_host( beg, negative ); + } + if ( next != NULL ) + beg = next; + } while ( next != NULL ); + + free( env ); + return; +} + +int +cmp_addr (void *addr1, void *addr2, int addrlen) +{ + return memcmp( addr1, addr2, addrlen ); +} + +int +is_direct_address (const struct in_addr addr) +{ + int i, neg; + struct in_addr iaddr; + + /* Note: assume IPV4 address !! */ + for (i=0; i 1 (exact match) + ends_with("foo.bar.com", "bar.com") => 1 (domain match) + ends_with("foo.beebar.com", "bar.com") => 0 (partial match) + ends_with("bar", "bar.com") => 0 (shorter) + */ +domain_match(const char *s1, const char *s2) +{ + int len1, len2; + const char *tail1, *tail2; + len1 = strlen(s1); + len2 = strlen(s2); + if (len1 < len2 || len1 == 0 || len2 == 0) + return 0; /* not match */ + tail1 = s1 + len1; + tail2 = s2 + len2; + while (0 < len1 && 0 < len2) { + if (*--tail1 != *--tail2) + break; /* not match */ + len1--, len2--; + } + if (len2 != 0) + return 0; /* not match */ + /* Now exact match, domain match or partial match. + Return true if exact or domain match. + Or continue checking. */ + if (tail1 == s1 || tail1[-1] == '.') + return 1; /* match! */ + return 0; /* not match */ +} + +/* Check given NAME is ends with one of + registered direct name entry. + Return 1 if matched, or 0. +*/ +int +is_direct_name (const char *name) +{ + int len, i; + const char *tail; + debug("checking %s is for direct?\n", name); + name = downcase(strdup(name)); + len = strlen(name); + if (len < 1) + return 0; /* false */ + tail = &name[len]; + for (i=0; is_port); + debug("service: %s => %d\n", service, port); + } + } + return (u_short)port; +} + +void +make_revstr(void) +{ + char *ptr; + size_t len; + ptr = strstr(rcs_revstr, ": "); + if (!ptr) { + revstr = strdup("unknown"); + return; + } + ptr += 2; + /* assume subversion's keyword expansion like "Revision: 96". */ + minor_version = atoi(ptr); + revstr = xmalloc(20); + snprintf(revstr, 20, "%d.%d", major_version, minor_version); +} + +int +getarg( int argc, char **argv ) +{ + int err = 0; + char *ptr, *server = (char*)NULL; + int method = METHOD_DIRECT; + + progname = *argv; + argc--, argv++; + + /* check optinos */ + while ( (0 < argc) && (**argv == '-') ) { + ptr = *argv + 1; + while ( *ptr ) { + switch ( *ptr ) { + case 's': /* use SOCKS */ + method = METHOD_SOCKS; + break; + + case 'n': /* no proxy */ + method = METHOD_DIRECT; + break; + + case 'h': /* use http-proxy */ + method = METHOD_HTTP; + break; + case 't': + method = METHOD_TELNET; + break; + + case 'S': /* specify SOCKS server */ + if ( 1 < argc ) { + argv++, argc--; + method = METHOD_SOCKS; + server = *argv; + } else { + error("option '-%c' needs argument.\n", *ptr); + err++; + } + break; + + case 'H': /* specify http-proxy server */ + if ( 1 < argc ) { + argv++, argc--; + method = METHOD_HTTP; + server = *argv; + } else { + error("option '-%c' needs argument.\n", *ptr); + err++; + } + break; + case 'T': /* specify telnet proxy server */ + if ( 1 < argc ) { + argv++, argc--; + method = METHOD_TELNET; + server = *argv; + } else { + error("option '-%c' needs argument.\n", *ptr); + err++; + } + break; + + case 'c': + if (1 < argc) { + argv++, argc--; + telnet_command = *argv; + } else { + error("option '%c' needs argument.\n", *ptr); + err++; + } + break; + + case 'P': + f_hold_session = 1; + /* without break */ + case 'p': /* specify port to forward */ + if ( 1 < argc ) { + argv++, argc--; + local_type = LOCAL_SOCKET; + local_port = resolve_port(*argv); + } else { + error("option '-%c' needs argument.\n", *ptr); + err++; + } + break; + +#ifndef _WIN32 + case 'w': + if ( 1 < argc ) { + argv++, argc--; + connect_timeout = atoi(*argv); + } else { + error("option '-%c' needs argument.\n", *ptr); + err++; + } + break; +#endif /* not _WIN32 */ + + case '4': + socks_version = 4; + break; + + case '5': + socks_version = 5; + break; + + case 'a': + if ( 1 < argc ) { + argv++, argc--; + socks5_auth = *argv; + } else { + error("option '-%c' needs argument.\n", *ptr); + err++; + } + break; + + case 'R': /* specify resolve method */ + if ( 1 < argc ) { + argv++, argc--; + socks_resolve = lookup_resolve( *argv ); + } else { + error("option '-%c' needs argument.\n", *ptr); + err++; + } + break; + + case 'V': /* print version */ + fprintf(stderr, "%s\nVersion %s\n", progdesc, revstr); + exit(0); + + case 'd': /* debug mode */ + f_debug++; + break; + + default: + error("unknown option '-%c'\n", *ptr); + err++; + } + ptr++; + } + argc--, argv++; + } + + /* check error */ + if ( 0 < err ) + goto quit; + + set_relay( method, server ); + + /* check destination HOST (MUST) */ + if ( argc == 0 ) { + fprintf(stderr, "%s\nVersion %s\n", progdesc, revstr); + fprintf(stderr, usage, progname); + exit(0); + } + dest_host = argv[0]; + /* decide port or service name from programname or argument */ + if ( ((ptr=strrchr( progname, '/' )) != NULL) || + ((ptr=strchr( progname, '\\')) != NULL) ) + ptr++; + else + ptr = progname; + if ( dest_port == 0 ) { + /* accept only if -P is not specified. */ + if ( 1 < argc ) { + /* get port number from argument (prior to progname) */ + /* NOTE: This way is for cvs ext method. */ + dest_port = resolve_port(argv[1]); + } else if ( strncmp( ptr, "connect-", 8) == 0 ) { + /* decide port number from program name */ + char *str = strdup( ptr+8 ); + str[strcspn( str, "." )] = '\0'; + dest_port = resolve_port(str); + free(str); + } + } + /* check port number */ + if ( dest_port <= 0 ) { + error( "You must specify the destination port correctly.\n"); + err++; + goto quit; + } + if ( (relay_method != METHOD_DIRECT) && (relay_port <= 0) ) { + error("Invalid relay port: %d\n", dest_port); + err++; + goto quit; + } + +quit: + /* report for debugging */ + debug("relay_method = %s (%d)\n", + method_names[relay_method], relay_method); + if ( relay_method != METHOD_DIRECT ) { + debug("relay_host=%s\n", relay_host); + debug("relay_port=%d\n", relay_port); + debug("relay_user=%s\n", relay_user); + } + if ( relay_method == METHOD_SOCKS ) { + debug("socks_version=%d\n", socks_version); + debug("socks_resolve=%s (%d)\n", + resolve_names[socks_resolve], socks_resolve); + } + debug("local_type=%s\n", local_type_names[local_type]); + if ( local_type == LOCAL_SOCKET ) { + debug("local_port=%d\n", local_port); + if (f_hold_session) + debug (" with holding remote session.\n"); + } + debug("dest_host=%s\n", dest_host); + debug("dest_port=%d\n", dest_port); + if ( 0 < err ) { + fprintf(stderr, usage, progname); + exit(1); + } + return 0; +} + +#ifndef _WIN32 +/* Time-out feature is not allowed for Win32 native compilers. */ +/* MSVC and Borland C cannot but Cygwin and UNIXes can. */ + +/* timeout signal hander */ +void +sig_timeout(void) +{ + signal( SIGALRM, SIG_IGN ); + alarm( 0 ); + error( "timed out\n" ); + exit(1); +} + +/* set timeout param = seconds, 0 clears */ +void +set_timeout(int timeout) +{ + /* This feature is allowed for UNIX or cygwin environments, currently */ + if ( timeout == 0 ) { + debug( "clearing timeout\n" ); + signal( SIGALRM, SIG_IGN ); + alarm( 0 ); + } else { + debug( "setting timeout: %d seconds\n", timeout ); + signal(SIGALRM, (void *)sig_timeout); + alarm( timeout ); + } +} +#endif + +#if !defined(_WIN32) && !defined(__CYGWIN32__) +void +switch_ns (struct sockaddr_in *ns) +{ + res_init(); + memcpy (&_res.nsaddr_list[0], ns, sizeof(*ns)); + _res.nscount = 1; + debug("Using nameserver at %s\n", inet_ntoa(ns->sin_addr)); +} +#endif /* !_WIN32 && !__CYGWIN32__ */ + +/* TODO: IPv6 + TODO: fallback if askpass execution failed. + */ + +int +local_resolve (const char *host, struct sockaddr_in *addr) +{ + struct hostent *ent; + if ( strspn(host, dotdigits) == strlen(host) ) { + /* given by IPv4 address */ + addr->sin_family = AF_INET; + addr->sin_addr.s_addr = inet_addr(host); + } else { + debug("resolving host by name: %s\n", host); + ent = gethostbyname (host); + if ( ent ) { + memcpy (&addr->sin_addr, ent->h_addr, ent->h_length); + addr->sin_family = ent->h_addrtype; + debug("resolved: %s (%s)\n", + host, inet_ntoa(addr->sin_addr)); + } else { + debug("failed to resolve locally.\n"); + return -1; /* failed */ + } + } + return 0; /* good */ +} + +int +open_connection( const char *host, u_short port ) +{ + SOCKET s; + struct sockaddr_in saddr; + + /* resolve address of proxy or direct target */ + if (local_resolve (host, &saddr) < 0) { + error("can't resolve hostname: %s\n", host); + return SOCKET_ERROR; + } + saddr.sin_port = htons(port); + + debug("connecting to %s:%u\n", inet_ntoa(saddr.sin_addr), port); + s = socket( AF_INET, SOCK_STREAM, 0 ); + if ( connect( s, (struct sockaddr *)&saddr, sizeof(saddr)) + == SOCKET_ERROR) { + debug( "connect() failed.\n"); + return SOCKET_ERROR; + } + return s; +} + +void +report_text( char *prefix, char *buf ) +{ + static char work[1024]; + char *tmp; + + if ( !f_debug ) + return; + if ( !f_report ) + return; /* don't report */ + debug("%s \"", prefix); + while ( *buf ) { + memset( work, 0, sizeof(work)); + tmp = work; + while ( *buf && ((tmp-work) < (int)sizeof(work)-5) ) { + switch ( *buf ) { + case '\t': *tmp++ = '\\'; *tmp++ = 't'; break; + case '\r': *tmp++ = '\\'; *tmp++ = 'r'; break; + case '\n': *tmp++ = '\\'; *tmp++ = 'n'; break; + case '\\': *tmp++ = '\\'; *tmp++ = '\\'; break; + default: + if ( isprint(*buf) ) { + *tmp++ = *buf; + } else { + int consumed = tmp - work; + snprintf( tmp, sizeof(work)-consumed, + "\\x%02X", (unsigned char)*buf); + tmp += strlen(tmp); + } + } + buf++; + *tmp = '\0'; + } + debug_("%s", work); + } + + debug_("\"\n"); +} + + +void +report_bytes( char *prefix, char *buf, int len ) +{ + if ( ! f_debug ) + return; + debug( "%s", prefix ); + while ( 0 < len ) { + fprintf( stderr, " %02x", *(unsigned char *)buf); + buf++; + len--; + } + fprintf(stderr, "\n"); + return; +} + +int +atomic_out( SOCKET s, char *buf, int size ) +{ + int ret, len; + + assert( buf != NULL ); + assert( 0<=size ); + /* do atomic out */ + ret = 0; + while ( 0 < size ) { + len = send( s, buf+ret, size, 0 ); + if ( len == -1 ) + fatal("atomic_out() failed to send(), %d\n", socket_errno()); + ret += len; + size -= len; + } + if (!f_report) { + debug("atomic_out() [some bytes]\n"); + debug(">>> xx xx xx xx ...\n"); + } else { + debug("atomic_out() [%d bytes]\n", ret); + report_bytes(">>>", buf, ret); + } + return ret; +} + +int +atomic_in( SOCKET s, char *buf, int size ) +{ + int ret, len; + + assert( buf != NULL ); + assert( 0<=size ); + + /* do atomic in */ + ret = 0; + while ( 0 < size ) { + len = recv( s, buf+ret, size, 0 ); + if ( len == -1 ) { + fatal("atomic_in() failed to recv(), %d\n", socket_errno()); + } else if ( len == 0 ) { + fatal( "Connection closed by peer.\n"); + } + ret += len; + size -= len; + } + if (!f_report) { + debug("atomic_in() [some bytes]\n"); + debug("<<< xx xx xx xx ...\n"); + } else { + debug("atomic_in() [%d bytes]\n", ret); + report_bytes("<<<", buf, ret); + } + return ret; +} + +int +line_input( SOCKET s, char *buf, int size ) +{ + char *dst = buf; + if ( size == 0 ) + return 0; /* no error */ + size--; + while ( 0 < size ) { + switch ( recv( s, dst, 1, 0) ) { /* recv one-by-one */ + case SOCKET_ERROR: + error("recv() error\n"); + return -1; /* error */ + case 0: + size = 0; /* end of stream */ + break; + default: + /* continue reading until last 1 char is EOL? */ + if ( *dst == '\n' ) { + /* finished */ + size = 0; + } else { + /* more... */ + size--; + } + dst++; + } + } + *dst = '\0'; + report_text( "<<<", buf); + return 0; +} + +/* cut_token() + Span token in given string STR until char in DELIM is appeared. + Then replace contiguous DELIMS with '\0' for string termination + and returns next pointer. + If no next token, return NULL. +*/ +char * +cut_token( char *str, char *delim) +{ + char *ptr = str + strcspn(str, delim); + char *end = ptr + strspn(ptr, delim); + if ( ptr == str ) + return NULL; + while ( ptr < end ) + *ptr++ = '\0'; + return ptr; +} + +const char * +lookup(int num, LOOKUP_ITEM *items) +{ + int i = 0; + while (0 <= items[i].num) { + if (items[i].num == num) + return items[i].str; + i++; + } + return "(unknown)"; +} + +/* readpass() + password input routine + Use ssh-askpass (same mechanism to OpenSSH) +*/ +char * +readpass( const char* prompt, ...) +{ + static char buf[1000]; /* XXX, don't be fix length */ + va_list args; + va_start(args, prompt); + vsnprintf(buf, sizeof(buf), prompt, args); + va_end(args); + + if ( getparam(ENV_SSH_ASKPASS) +#if !defined(_WIN32) && !defined(__CYGWIN32__) + && getenv("DISPLAY") +#endif /* not _WIN32 && not __CYGWIN32__ */ + ) { + /* use ssh-askpass to get password */ + FILE *fp; + char *askpass = getparam(ENV_SSH_ASKPASS), *cmd; + int cmd_size = strlen(askpass) +1 +1 +strlen(buf) +1 +1; + cmd = xmalloc(cmd_size); + snprintf(cmd, cmd_size, "%s \"%s\"", askpass, buf); + fp = popen(cmd, "r"); + free(cmd); + if ( fp == NULL ) + return NULL; /* fail */ + buf[0] = '\0'; + if (fgets(buf, sizeof(buf), fp) == NULL) + return NULL; /* fail */ + fclose(fp); + } else { + tty_readpass( buf, buf, sizeof(buf)); + } + buf[strcspn(buf, "\r\n")] = '\0'; + return buf; +} + +static int +socks5_do_auth_userpass( int s ) +{ + unsigned char buf[1024], *ptr; + char *pass = NULL; + int len; + + /* do User/Password authentication. */ + /* This feature requires username and password from + command line argument or environment variable, + or terminal. */ + if (relay_user == NULL) + fatal("cannot determine user name.\n"); + + /* get password from environment variable if exists. */ + if ((pass=determine_relay_password()) == NULL && + (pass=readpass("Enter SOCKS5 password for %s@%s: ", + relay_user, relay_host)) == NULL) + fatal("Cannot get password for user: %s\n", relay_user); + + /* make authentication packet */ + ptr = buf; + PUT_BYTE( ptr++, 1 ); /* subnegotiation ver.: 1 */ + len = strlen( relay_user ); /* ULEN and UNAME */ + PUT_BYTE( ptr++, len ); + strcpy( ptr, relay_user ); + ptr += len; + len = strlen( pass ); /* PLEN and PASSWD */ + PUT_BYTE( ptr++, strlen(pass)); + strcpy( ptr, pass ); + ptr += len; + memset (pass, 0, strlen(pass)); /* erase password */ + + /* send it and get answer */ + f_report = 0; + atomic_out( s, buf, ptr-buf ); + f_report = 1; + atomic_in( s, buf, 2 ); + + /* check status */ + if ( buf[1] == 0 ) + return 0; /* success */ + else + return -1; /* fail */ +} + +static const char * +socks5_getauthname( int auth ) +{ + switch ( auth ) { + case SOCKS5_AUTH_REJECT: return "REJECTED"; + case SOCKS5_AUTH_NOAUTH: return "NO-AUTH"; + case SOCKS5_AUTH_GSSAPI: return "GSSAPI"; + case SOCKS5_AUTH_USERPASS: return "USERPASS"; + case SOCKS5_AUTH_CHAP: return "CHAP"; + case SOCKS5_AUTH_EAP: return "EAP"; + case SOCKS5_AUTH_MAF: return "MAF"; + default: return "(unknown)"; + } +} + +typedef struct { + char* name; + unsigned char auth; +} AUTH_METHOD_ITEM; + +AUTH_METHOD_ITEM socks5_auth_table[] = { + { "none", SOCKS5_AUTH_NOAUTH }, + { "gssapi", SOCKS5_AUTH_GSSAPI }, + { "userpass", SOCKS5_AUTH_USERPASS }, + { "chap", SOCKS5_AUTH_CHAP }, + { NULL, -1 }, +}; + +int +socks5_auth_parse_1(char *start, char *end){ + int i, len; + for ( ; *start; start++ ) + if ( *start != ' ' && *start != '\t') break; + for ( end--; end >= start; end-- ) { + if ( *end != ' ' && *end != '\t'){ + end++; + break; + } + } + len = end - start; + for ( i = 0; socks5_auth_table[i].name != NULL; i++ ){ + if ( strncmp(start, socks5_auth_table[i].name, len) == 0) { + return socks5_auth_table[i].auth; + } + } + fatal("Unknown auth method: %s\n", start); + return -1; +} + +int +socks5_auth_parse(char *start, unsigned char *auth_list, int max_auth){ + char *end; + int i = 0; + while ( i < max_auth ) { + end = strchr(start, ','); + if (*start && end) { + auth_list[i++] = socks5_auth_parse_1(start, end); + start = ++end; + } else { + break; + } + } + if ( *start && ( i < max_auth ) ){ + for( end = start; *end; end++ ); + auth_list[i++] = socks5_auth_parse_1(start, end); + } else { + fatal("Too much auth method.\n"); + } + return i; +} + +/* begin SOCKS5 relaying + And no authentication is supported. + */ +int +begin_socks5_relay( SOCKET s ) +{ + unsigned char buf[256], *ptr, *env = socks5_auth; + unsigned char n_auth = 0; unsigned char auth_list[10], auth_method; + int len, auth_result, i; + + debug( "begin_socks_relay()\n"); + + /* request authentication */ + ptr = buf; + PUT_BYTE( ptr++, 5); /* SOCKS version (5) */ + + if ( env == NULL ) + env = getparam(ENV_SOCKS5_AUTH); + if ( env == NULL ) { + /* add no-auth authentication */ + auth_list[n_auth++] = SOCKS5_AUTH_NOAUTH; + /* add user/pass authentication */ + auth_list[n_auth++] = SOCKS5_AUTH_USERPASS; + } else { + n_auth = socks5_auth_parse(env, auth_list, 10); + } + PUT_BYTE( ptr++, n_auth); /* num auth */ + for (i=0; i>8); /* DST.PORT */ + PUT_BYTE( ptr++, dest_port&0xFF); + atomic_out( s, buf, ptr-buf); /* send request */ + atomic_in( s, buf, 4 ); /* recv response */ + if ( (buf[1] != SOCKS5_REP_SUCCEEDED) ) { /* check reply code */ + error("Got error response from SOCKS server: %d (%s).\n", + buf[1], lookup(buf[1], socks5_rep_names)); + return -1; + } + ptr = buf + 4; + switch ( buf[3] ) { /* case by ATYP */ + case 1: /* IP v4 ADDR*/ + atomic_in( s, ptr, 4+2 ); /* recv IPv4 addr and port */ + break; + case 3: /* DOMAINNAME */ + atomic_in( s, ptr, 1 ); /* recv name and port */ + atomic_in( s, ptr+1, *(unsigned char*)ptr + 2); + break; + case 4: /* IP v6 ADDR */ + atomic_in( s, ptr, 16+2 ); /* recv IPv6 addr and port */ + break; + } + + /* Conguraturation, connected via SOCKS5 server! */ + return 0; +} + +/* begin SOCKS protocol 4 relaying + And no authentication is supported. + + There's SOCKS protocol version 4 and 4a. Protocol version + 4a has capability to resolve hostname by SOCKS server, so + we don't need resolving IP address of destination host on + local machine. + + Environment variable SOCKS_RESOLVE directs how to resolve + IP addess. There's 3 keywords allowed; "local", "remote" + and "both" (case insensitive). Keyword "local" means taht + target host name is resolved by localhost resolver + (usualy with gethostbyname()), "remote" means by remote + SOCKS server, "both" means to try resolving by localhost + then remote. + + SOCKS4 protocol and authentication of SOCKS5 protocol + requires user name on connect request. + User name is determined by following method. + + 1. If server spec has user@hostname:port format then + user part is used for this SOCKS server. + + 2. Get user name from environment variable LOGNAME, USER + (in this order). + +*/ +int +begin_socks4_relay( SOCKET s ) +{ + unsigned char buf[256], *ptr; + + debug( "begin_socks_relay()\n"); + + /* make connect request packet + protocol v4: + VN:1, CD:1, PORT:2, ADDR:4, USER:n, NULL:1 + protocol v4a: + VN:1, CD:1, PORT:2, DUMMY:4, USER:n, NULL:1, HOSTNAME:n, NULL:1 + */ + ptr = buf; + PUT_BYTE( ptr++, 4); /* protocol version (4) */ + PUT_BYTE( ptr++, 1); /* CONNECT command */ + PUT_BYTE( ptr++, dest_port>>8); /* destination Port */ + PUT_BYTE( ptr++, dest_port&0xFF); + /* destination IP */ + memcpy(ptr, &dest_addr.sin_addr, sizeof(dest_addr.sin_addr)); + ptr += sizeof(dest_addr.sin_addr); + if ( dest_addr.sin_addr.s_addr == 0 ) + *(ptr-1) = 1; /* fake, protocol 4a */ + /* username */ + if (relay_user == NULL) + fatal( "Cannot determine user name.\n"); + strcpy( ptr, relay_user ); + ptr += strlen( relay_user ) +1; + /* destination host name (for protocol 4a) */ + if ( (socks_version == 4) && (dest_addr.sin_addr.s_addr == 0)) { + strcpy( ptr, dest_host ); + ptr += strlen( dest_host ) +1; + } + /* send command and get response + response is: VN:1, CD:1, PORT:2, ADDR:4 */ + atomic_out( s, buf, ptr-buf); /* send request */ + atomic_in( s, buf, 8 ); /* recv response */ + if ( (buf[1] != SOCKS4_REP_SUCCEEDED) ) { /* check reply code */ + error("Got error response: %d: '%s'.\n", + buf[1], lookup(buf[1], socks4_rep_names)); + return -1; /* failed */ + } + + /* Conguraturation, connected via SOCKS4 server! */ + return 0; +} + +int +sendf(SOCKET s, const char *fmt,...) +{ + static char buf[10240]; /* xxx, enough? */ + + va_list args; + va_start( args, fmt ); + vsnprintf( buf, sizeof(buf), fmt, args ); + va_end( args ); + + report_text(">>>", buf); + if ( send(s, buf, strlen(buf), 0) == SOCKET_ERROR ) { + debug("failed to send http request. errno=%d\n", socket_errno()); + return -1; + } + return 0; +} + +const char *base64_table = +"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + +char * +make_base64_string(const char *str) +{ + static char *buf; + unsigned char *src; + char *dst; + int bits, data, src_len, dst_len; + /* make base64 string */ + src_len = strlen(str); + dst_len = (src_len+2)/3*4; + buf = xmalloc(dst_len+1); + bits = data = 0; + src = (unsigned char *)str; + dst = (unsigned char *)buf; + while ( dst_len-- ) { + if ( bits < 6 ) { + data = (data << 8) | *src; + bits += 8; + if ( *src != 0 ) + src++; + } + *dst++ = base64_table[0x3F & (data >> (bits-6))]; + bits -= 6; + } + *dst = '\0'; + /* fix-up tail padding */ + switch ( src_len%3 ) { + case 1: + *--dst = '='; + case 2: + *--dst = '='; + } + return buf; +} + + +int +basic_auth (SOCKET s) +{ + char *userpass; + char *cred; + const char *user = relay_user; + char *pass = NULL; + int len, ret; + + /* Get username/password for authentication */ + if (user == NULL) + fatal("Cannot decide username for proxy authentication."); + if ((pass = determine_relay_password ()) == NULL && + (pass = readpass("Enter proxy authentication password for %s@%s: ", + relay_user, relay_host)) == NULL) + fatal("Cannot decide password for proxy authentication."); + + len = strlen(user)+strlen(pass)+1; + userpass = xmalloc(len+1); + snprintf(userpass, len+1, "%s:%s", user, pass); + memset (pass, 0, strlen(pass)); + cred = make_base64_string(userpass); + memset (userpass, 0, len); + + f_report = 0; /* don't report for security */ + ret = sendf(s, "Proxy-Authorization: Basic %s\r\n", cred); + f_report = 1; + report_text(">>>", "Proxy-Authorization: Basic xxxxx\r\n"); + + memset(cred, 0, strlen(cred)); + free(cred); + + return ret; +} + +/* begin relaying via HTTP proxy + Directs CONNECT method to proxy server to connect to + destination host (and port). It may not be allowed on your + proxy server. + */ +int +begin_http_relay( SOCKET s ) +{ + char buf[1024]; + int result; + char *auth_what; + + debug("begin_http_relay()\n"); + + if (sendf(s,"CONNECT %s:%d HTTP/1.0\r\n", dest_host, dest_port) < 0) + return START_ERROR; + if (proxy_auth_type == PROXY_AUTH_BASIC && basic_auth (s) < 0) + return START_ERROR; + if (sendf(s,"\r\n") < 0) + return START_ERROR; + + /* get response */ + if ( line_input(s, buf, sizeof(buf)) < 0 ) { + debug("failed to read http response.\n"); + return START_ERROR; + } + + /* check status */ + if (!strchr(buf, ' ')) { + error ("Unexpected http response: '%s'.\n", buf); + return START_ERROR; + } + result = atoi(strchr(buf,' ')); + + switch ( result ) { + case 200: + /* Conguraturation, connected via http proxy server! */ + debug("connected, start user session.\n"); + break; + case 302: /* redirect */ + do { + if (line_input(s, buf, sizeof(buf))) + break; + downcase(buf); + if (expect(buf, "Location: ")) { + relay_host = cut_token(buf, "//"); + cut_token(buf, "/"); + relay_port = atoi(cut_token(buf, ":")); + } + } while (strcmp(buf,"\r\n") != 0); + return START_RETRY; + + /* We handle both 401 and 407 codes here: 401 is WWW-Authenticate, which + * not strictly the correct response, but some proxies do send this (e.g. + * Symantec's Raptor firewall) */ + case 401: /* WWW-Auth required */ + case 407: /* Proxy-Auth required */ + /** NOTE: As easy implementation, we support only BASIC scheme + and ignore realm. */ + /* If proxy_auth_type is PROXY_AUTH_BASIC and get + this result code, authentication was failed. */ + if (proxy_auth_type != PROXY_AUTH_NONE) { + error("Authentication failed.\n"); + return START_ERROR; + } + auth_what = (result == 401) ? "WWW-Authenticate:" : "Proxy-Authenticate:"; + do { + if ( line_input(s, buf, sizeof(buf)) ) { + break; + } + downcase(buf); + if (expect(buf, auth_what)) { + /* parse type and realm */ + char *scheme, *realm; + scheme = cut_token(buf, " "); + realm = cut_token(scheme, " "); + if ( scheme == NULL || realm == NULL ) { + debug("Invalid format of %s field.", auth_what); + return START_ERROR; /* fail */ + } + /* check supported auth type */ + if (expect(scheme, "basic")) { + proxy_auth_type = PROXY_AUTH_BASIC; + } else { + debug("Unsupported authentication type: %s", scheme); + } + } + } while (strcmp(buf,"\r\n") != 0); + if ( proxy_auth_type == PROXY_AUTH_NONE ) { + debug("Can't find %s in response header.", auth_what); + return START_ERROR; + } else { + return START_RETRY; + } + + default: + /* Not allowed */ + debug("http proxy is not allowed.\n"); + return START_ERROR; + } + /* skip to end of response header */ + do { + if ( line_input(s, buf, sizeof(buf) ) ) { + debug("Can't skip response headers\n"); + return START_ERROR; + } + } while ( strcmp(buf,"\r\n") != 0 ); + + return START_OK; +} + +/* begin relaying via TELNET proxy. + Sends string specified by telnet_command (-c option) with + replacing host name and port number to the socket. */ +int +begin_telnet_relay( SOCKET s ) +{ + char buf[1024]; + char *cmd; + char *good_phrase = "connected to"; + char *bad_phrase_list[] = { + " failed", " refused", " rejected", " closed" + }; + char sep = ' '; + int i; + + debug("begin_telnet_relay()\n"); + + /* report phrase */ + debug("good phrase: '%s'\n", good_phrase); + debug("bad phrases"); + sep = ':'; + for (i=0; i< (sizeof(bad_phrase_list) / sizeof(char*)); i++) { + debug_("%c '%s'", sep, bad_phrase_list[i]); + sep = ','; + } + debug_("\n"); + + /* make request string with replacing %h by destination hostname + and %p by port number, etc. */ + cmd = expand_host_and_port(telnet_command, dest_host, dest_port); + + /* Sorry, we send request string now without waiting a prompt. */ + if (sendf(s, "%s\r\n", cmd) < 0) { + free(cmd); + return START_ERROR; + } + free(cmd); + + /* Process answer from proxy until good or bad phrase is detected. We + assume that the good phrase should be appeared only in the final + line of proxy responses. Bad keywods in the line causes operation + fail. First checks a good phrase, then checks bad phrases. + If no match, continue reading line from proxy. */ + while (!line_input(s, buf, sizeof(buf)) && buf[0] != '\0') { + downcase(buf); + /* first, check good phrase */ + if (strstr(buf, good_phrase)) { + debug("good phrase is detected: '%s'\n", good_phrase); + return START_OK; + } + /* then, check bad phrase */ + for (i=0; i<(sizeof(bad_phrase_list)/sizeof(char*)); i++) { + if (strstr(buf, bad_phrase_list[i]) != NULL) { + debug("bad phrase is detected: '%s'\n", bad_phrase_list[i]); + return START_ERROR; + } + } + } + debug("error reading from telnet proxy\n"); + + return START_ERROR; +} + + +#ifdef _WIN32 +/* ddatalen() + Returns 1 if data is available, otherwise return 0 + */ +int +stdindatalen (void) +{ + DWORD len = 0; + struct stat st; + fstat( 0, &st ); + if ( st.st_mode & _S_IFIFO ) { + /* in case of PIPE */ + if ( !PeekNamedPipe( GetStdHandle(STD_INPUT_HANDLE), + NULL, 0, NULL, &len, NULL) ) { + if ( GetLastError() == ERROR_BROKEN_PIPE ) { + /* PIPE source is closed */ + /* read() will detects EOF */ + len = 1; + } else { + fatal("PeekNamedPipe() failed, errno=%d\n", + GetLastError()); + } + } + } else if ( st.st_mode & _S_IFREG ) { + /* in case of regular file (redirected) */ + len = 1; /* always data ready */ + } else if ( _kbhit() ) { + /* in case of console */ + len = 1; + } + return len; +} +#endif /* _WIN32 */ + +/* relay byte from stdin to socket and fro socket to stdout. + returns reason of termination */ +int +do_repeater( SOCKET local_in, SOCKET local_out, SOCKET remote ) +{ + /** vars for local input data **/ + char lbuf[1024]; /* local input buffer */ + int lbuf_len; /* available data in lbuf */ + int f_local; /* read local input more? */ + /** vars for remote input data **/ + char rbuf[1024]; /* remote input buffer */ + int rbuf_len; /* available data in rbuf */ + int f_remote; /* read remote input more? */ + int close_reason = REASON_UNK; /* reason of end repeating */ + /** other variables **/ + int nfds, len; + fd_set ifds, ofds; + struct timeval *tmo; +#ifdef _WIN32 + struct timeval win32_tmo; +#endif /* _WIN32 */ + + /* repeater between stdin/out and socket */ + nfds = ((local_in local */ + if ( FD_ISSET(remote, &ifds) && (rbuf_len < (int)sizeof(rbuf)) ) { + len = recv( remote, rbuf + rbuf_len, sizeof(rbuf)-rbuf_len, 0); + if ( len == 0 || (len == -1 && socket_errno() == ECONNRESET)) { + debug("connection %s by peer\n", + (len==0)? "closed": "reset"); + close_reason = REASON_CLOSED_BY_REMOTE; + f_remote = 0; /* no more read from socket */ + f_local = 0; + } else if ( len == -1 ) { + /* error */ + fatal("recv() failed, %d\n", socket_errno()); + } else { + debug("recv %d bytes\n", len); + if ( 1 < f_debug ) /* more verbose */ + report_bytes( "<<<", rbuf+rbuf_len, len); + rbuf_len += len; + } + } + + /* local => remote */ + if ( FD_ISSET(local_in, &ifds) && (lbuf_len < (int)sizeof(lbuf)) ) { + if (local_type == LOCAL_SOCKET) + len = recv(local_in, lbuf + lbuf_len, + sizeof(lbuf)-lbuf_len, 0); + else + len = read(local_in, lbuf + lbuf_len, sizeof(lbuf)-lbuf_len); + if ( len == 0 ) { + /* stdin is EOF */ + debug("local input is EOF\n"); + if (!f_hold_session) + shutdown(remote, 1); /* no-more writing */ + f_local = 0; + close_reason = REASON_CLOSED_BY_LOCAL; + } else if ( len == -1 ) { + /* error on reading from stdin */ + if (f_hold_session) { + debug ("failed to read from local\n"); + f_local = 0; + close_reason = REASON_CLOSED_BY_LOCAL; + } else + fatal("recv() failed, errno = %d\n", errno); + } else { + /* repeat */ + lbuf_len += len; + } + } + + /* flush data in buffer to socket */ + if ( 0 < lbuf_len ) { + len = send(remote, lbuf, lbuf_len, 0); + if ( len == -1 ) { + fatal("send() failed, %d\n", socket_errno()); + } else if ( 0 < len ) { + if ( 1 < f_debug ) /* more verbose */ + report_bytes( ">>>", lbuf, len); + /* move data on to top of buffer */ + debug("sent %d bytes\n", len); + lbuf_len -= len; + if ( 0 < lbuf_len ) + memcpy( lbuf, lbuf+len, lbuf_len ); + assert( 0 <= lbuf_len ); + } + } + + /* flush data in buffer to local output */ + if ( 0 < rbuf_len ) { + if (local_type == LOCAL_SOCKET) + len = send( local_out, rbuf, rbuf_len, 0); + else + len = write( local_out, rbuf, rbuf_len); + if ( len == -1 ) { + fatal("output (local) failed, errno=%d\n", errno); + } + rbuf_len -= len; + if ( len < rbuf_len ) + memcpy( rbuf, rbuf+len, rbuf_len ); + assert( 0 <= rbuf_len ); + } + if (f_local == 0 && f_hold_session) { + debug ("closing local port without disconnecting from remote\n"); + f_remote = 0; + shutdown (local_out, 2); + close (local_out); + break; + } + } + + return close_reason; +} + +int +accept_connection (u_short port) +{ + static int sock = -1; + int connection; + struct sockaddr_in name; + struct sockaddr client; + int socklen; + fd_set ifds; + int nfds; + int sockopt; + + /* Create the socket. */ + debug("Creating source port to forward.\n"); + sock = socket (PF_INET, SOCK_STREAM, 0); + if (sock < 0) + fatal("socket() failed, errno=%d\n", socket_errno()); + sockopt = 1; + setsockopt (sock, SOL_SOCKET, SO_REUSEADDR, + (void*)&sockopt, sizeof(sockopt)); + + /* Give the socket a name. */ + name.sin_family = AF_INET; + name.sin_port = htons (port); + name.sin_addr.s_addr = htonl (INADDR_ANY); + if (bind (sock, (struct sockaddr *) &name, sizeof (name)) < 0) + fatal ("bind() failed, errno=%d\n", socket_errno()); + + if (listen( sock, 1) < 0) + fatal ("listen() failed, errno=%d\n", socket_errno()); + + /* wait for new connection with watching EOF of stdin. */ + debug ("waiting new connection at port %d (socket=%d)\n", port, sock); + nfds = sock + 1; + do { + int n; + struct timeval *ptmo = NULL; +#ifdef _WIN32 + struct timeval tmo; + tmo.tv_sec = 0; + tmo.tv_usec = 100*1000; /* On Windows, 100ms timeout */ + ptmo = &tmo; +#endif /* _WIN32 */ + FD_ZERO (&ifds); + FD_SET ((SOCKET)sock, &ifds); +#ifndef _WIN32 + FD_SET (0, &ifds); /* watch stdin */ +#endif + n = select (nfds, &ifds, NULL, NULL, ptmo); + if (n == -1) { + fatal ("select() failed, %d\n", socket_errno()); + exit (1); + } +#ifdef _WIN32 + if (0 < stdindatalen()) { + FD_SET (0, &ifds); /* fake */ + n++; + } +#endif + if (0 < n) { + if (FD_ISSET(0, &ifds) && (getchar() <= 0)) { + /* EOF */ + debug ("Give-up waiting port because stdin is closed."); + exit(0); + } + if (FD_ISSET(sock, &ifds)) + break; /* socket is stimulated */ + } + } while (1); + socklen = sizeof(client); + connection = accept( sock, &client, &socklen); + if ( connection < 0 ) + fatal ("accept() failed, errno=%d\n", socket_errno()); + return connection; +} + + + +/** Main of program **/ +int +main( int argc, char **argv ) +{ + int ret; + int remote; /* socket */ + int local_in; /* Local input */ + int local_out; /* Local output */ + int reason; +#ifdef _WIN32 + WSADATA wsadata; + WSAStartup( 0x101, &wsadata); +#endif /* _WIN32 */ + + /* initialization */ + make_revstr(); + getarg( argc, argv ); + debug("Program is $Revision$\n"); + + /* Open local_in and local_out if forwarding a port */ + if ( local_type == LOCAL_SOCKET ) { + /* Relay between local port and destination */ + local_in = local_out = accept_connection( local_port ); + } else { + /* Relay between stdin/stdout and desteination */ + local_in = 0; + local_out = 1; +#ifdef _WIN32 + _setmode(local_in, O_BINARY); + _setmode(local_out, O_BINARY); +#endif + } + +retry: +#ifndef _WIN32 + if (0 < connect_timeout) + set_timeout (connect_timeout); +#endif /* not _WIN32 */ + + if (check_direct(dest_host)) + relay_method = METHOD_DIRECT; + /* make connection */ + if ( relay_method == METHOD_DIRECT ) { + remote = open_connection (dest_host, dest_port); + if ( remote == SOCKET_ERROR ) + fatal( "Unable to connect to destination host, errno=%d\n", + socket_errno()); + } else { + remote = open_connection (relay_host, relay_port); + if ( remote == SOCKET_ERROR ) + fatal( "Unable to connect to relay host, errno=%d\n", + socket_errno()); + } + + /** resolve destination host (SOCKS) **/ +#if !defined(_WIN32) && !defined(__CYGWIN32__) + if (socks_ns.sin_addr.s_addr != 0) + switch_ns (&socks_ns); +#endif /* not _WIN32 && not __CYGWIN32__ */ + if (relay_method == METHOD_SOCKS && + socks_resolve == RESOLVE_LOCAL && + local_resolve (dest_host, &dest_addr) < 0) { + fatal("Unknown host: %s", dest_host); + } + + /** relay negociation **/ + switch ( relay_method ) { + case METHOD_SOCKS: + if ( ((socks_version == 5) && (begin_socks5_relay(remote) < 0)) || + ((socks_version == 4) && (begin_socks4_relay(remote) < 0)) ) + fatal( "failed to begin relaying via SOCKS.\n"); + break; + + case METHOD_HTTP: + ret = begin_http_relay(remote); + switch (ret) { + case START_ERROR: + close (remote); + fatal("failed to begin relaying via HTTP.\n"); + case START_OK: + break; + case START_RETRY: + /* retry with authentication */ + close (remote); + goto retry; + } + break; + case METHOD_TELNET: + if (begin_telnet_relay(remote) < 0) + fatal("failed to begin relaying via telnet.\n"); + break; + } + debug("connected\n"); + +#ifndef _WIN32 + if (0 < connect_timeout) + set_timeout (0); +#endif /* not _WIN32 */ + + /* main loop */ + debug ("start relaying.\n"); +do_repeater: + reason = do_repeater(local_in, local_out, remote); + debug ("relaying done.\n"); + if (local_type == LOCAL_SOCKET && + reason == REASON_CLOSED_BY_LOCAL && + f_hold_session) { + /* re-wait at local port without closing remote session */ + debug ("re-waiting at local port %d\n", local_port); + local_in = local_out = accept_connection( local_port ); + debug ("re-start relaying\n"); + goto do_repeater; + } + closesocket(remote); + if ( local_type == LOCAL_SOCKET) + closesocket(local_in); +#ifdef _WIN32 + WSACleanup(); +#endif /* _WIN32 */ + debug ("that's all, bye.\n"); + + return 0; +} + +/* ------------------------------------------------------------ + Local Variables: + compile-command: "cc connect.c -o connect" + tab-width: 8 + fill-column: 74 + comment-column: 48 + End: + ------------------------------------------------------------ */ + +/*** end of connect.c ***/ diff --git a/connect-proxy-1.105-socklen.patch b/connect-proxy-1.105-socklen.patch deleted file mode 100644 index d2c1d87..0000000 --- a/connect-proxy-1.105-socklen.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/connect.c 2024-05-17 09:06:35.176046528 +0200 -+++ b/connect.c 2024-05-17 09:02:00.234749758 +0200 -@@ -2822,7 +2822,7 @@ - int connection; - struct sockaddr_in name; - struct sockaddr client; -- SOCKLEN_T socklen; -+ socklen_t socklen; - fd_set ifds; - int nfds; - int sockopt; diff --git a/connect-proxy.1 b/connect-proxy.1 deleted file mode 100644 index 058ccb7..0000000 --- a/connect-proxy.1 +++ /dev/null @@ -1,198 +0,0 @@ -.TH "CONNECT-PROXY" "1" -.SH "NAME" -connect-proxy \(em connect over SOCKS4/5, HTTP or HTTPS proxy -.SH "SYNOPSIS" -.PP -\fBconnect-proxy\fR [\fB-dnhsxt45\fP] [\fB-R \fIresolve\fR \fP] [\fB-p \fIlocal-port\fR \fP] [\fB-w \fIsecs\fR \fP] [\fB-H \fI[user@]proxy-server[:port]]\fR \fP] [\fB-S \fI[user@]socks-server[:port]]\fR \fP] [\fB-a \fIsocks-auth-method\fR \fP] [\fB-T \fIproxy-server[:port]\fR \fP] [\fB-c \fItelnet-proxy-command\fR \fP] [\fB-X \fI[user@]proxy-server:[port]]\fR \fP] [host] [port] -.SH "DESCRIPTION" -.PP -\fBconnect-proxy\fR opens a connection to a remote host over SOCKS4/5, HTTP or HTTPS proxies. -.PP -Please, note that any HTTP-Proxy tunnel won't work with content-inspection firewall (unless using SSL). -.SH "OPTIONS" -.TP -\fB\-\-help -Show options. -.\"********************************************************* -.TP -\fB\-H [user@]proxy-server[:port] \fRor\fB \-\-http-proxy-server [user@]proxy-server[:port] -specifies a hostname and port number of the HTTP proxy server to relay. -If the port is omitted, 80 is used. You can specify this value in the environment variable -HTTP_PROXY and pass the \-h option to use it. -If the user is omitted, the current userid is used. You can specify this value in the environment variable -HTTP_PROXY_USER. Simple HTTP Basic-Auth is supported. -.TP -.\"********************************************************* -\fB\-S [user@]proxy-server[:port] \fRor\fB \-\-socks-proxy-server [user@]proxy-server[:port] -specifies the hostname and port number of the SOCKS server to relay. -Like \-H, the port number can be omitted and the default is 1080. -You can also specify this value pair in the environment -variable SOCKS_SERVER or SOCKS5_SERVER and give the \-s option to use it. -If the user is omitted, the current userid is used. You can specify this value in the environment variable -SOCKS_USER or SOCKS5_USER. -.\"********************************************************* -.TP -\fB\-T proxy-server[:port] \fRor\fB \-\-telnet-server proxy-server[:port] -(EXPERIMENTAL) specifies a hostname and port number of the Telnet proxy server to relay. -If the port is omitted, 22 is used. You can specify this value in the environment variable -TELNET_PROXY and pass the \-t option to use it. -.\"********************************************************* -.TP -\fB\-X [user@]proxy-server[:port] \fRor\fB \-\-https-proxy-server [user@]proxy-server[:port] -specifies a hostname and port number of the HTTPS proxy server to relay. -If the port is omitted, 443 is used. You can specify this value in the environment variable -HTTPS_PROXY and pass the \-x option to use it. -If the user is omitted, the current userid is used. You can specify this value in the environment variable -HTTPS_PROXY_USER. Simple HTTPS Basic-Auth as well as client-side certificate authentication is supported. -If a password is required for remote authentiation, either a simple terminal prompt or the $SSH_ASKPASS -program will be used to query the user for the password. -.\"********************************************************* -.TP -\fB\-\-https-proxy-ca CA-cert-file.pem -specifies a PEM-formatted file containing the Certificate Authorities (CA\'s) to trust when connecting -to an HTTPS proxy server. -.\"********************************************************* -.TP -\fB\-\-https-proxy-ca-path CA-dir-path -specifies a directory containing hashed PEM-formatted public certificate files of the Certificate -Authorities (CA\'s) to trust when connecting to an HTTPS proxy server. -.\"********************************************************* -.TP -\fB \-\-https-proxy-certname name -specifies the name of the HTTPS proxy server certificate (/CN=...) if this name is different from -the remote hostname of the HTTPS proxy server itself. -.\"********************************************************* -.TP -\fB--no-check-certificate -disable the verification of the HTTPS proxy server certificate and hostname. -.\"********************************************************* -.TP -\fB\-\-https-user-cert certfile.pem -specifies a PEM-formatted file containing the user (client-side) certificate. Use this, together -with the \'--http-user-key\' option to perform client-side certificate authentication when -connecting to an HTTPS proxy server. -.\"********************************************************* -.TP -\fB\-\-https-user-key keyfile.pem -specifies a PEM-formatted file containing the user (client-side) private key. Use this, together -with the \'--http-user-cert\' option to perform client-side certificate authentication when -connecting to an HTTPS proxy server. -If the private key is protected using a passphrase, either a simple terminal prompt or the $SSH_ASKPASS -program will be used to query the user for the passphrase. -.\"********************************************************* -.TP -\fB-4 -specifies SOCKS relaying and indicates protocol version to use. -It is valid only when used with '\-s' or '\-S'. -Default is '\-5' (protocol version 5). -.\"********************************************************* -.TP -\fB-a socks5-auth-method -(EXPERIMENTAL) specifies the authentication method when connecting to a SOCKS5 server. -The keywords "none", "gssapi", "userpass" and "chap" are acceptable. -You can specify this value in the environment variable SOCKS5_AUTH. -.\"********************************************************* -.TP -\fB-c telnet-command -(EXPERIMENTAL) specifies the \'telnet\' command to use when connecting to a Telnet proxy server. -.\"********************************************************* -.TP -\fB-R -specifies the method to resolve the hostname when connecting to a SOCKS server. -Three keywords ("local", "remote", "both") or dot-notation IP address are acceptable. -The keyword "both" means, "Try local first, then remote". -If a dot-notation IP address is specified, use this host as nameserver. The default is "remote" for SOCKS5 or -"local" for SOCKS4. -On SOCKS4 protocol, remote resolving method ("remote" and "both") requires protocol 4a supported server. -You can specify this value in the environment variable SOCKS_RESOLVE or SOCKS5_RESOLVE. -.\"********************************************************* -.TP -\fB-p local-port -will forward a local TCP port instead of using the standard input and output. -.\"********************************************************* -.TP -\fB-P local-port -same to '\-p' except keep remote session. The program repeats waiting the port with holding -remote session without disconnecting. To connect the remote session, send EOF to stdin or -kill the program. -.\"********************************************************* -.TP -\fB-w secs -timeout in seconds for making connection with TARGET host. -.\"********************************************************* -.TP -\fB-d -used for debug. If you fail to connect, use this and check request to and response from server. - -.SH "USAGE" -.PP -To use proxy, this example is for SOCKS5 connection to connect to -\host\' at port 25 via SOCKS5 server on \'firewall\' host. - -\fBconnect-proxy \-S firewall host 25\fR - -\fBSOCKS5_SERVER=firewall; export SOCKS5_SERVER; -connect-proxy \-s host 25\fR -.PP -For a HTTP-PROXY connection: - -\fBconnect-proxy \-H proxy-server:8080 host 25\fR - -\fBHTTP_PROXY=proxy-server:8080; export HTTP_PROXY; -connect-proxy \-h host 25\fR -.PP -To forward a local port, for example to use ssh: - -\fBconnect-proxy \-H proxy-server:8080 host 22 \fR -\fBssh \-l user \-p 5550 localhost\fR -.PP -For an HTTPS PROXY connection: - -\fBconnect-proxy \-X proxy-server:443 host 25\fR - -\fBHTTPS_PROXY=proxy-server:443; export HTTPS_PROXY; -connect-proxy \-x host 25\fR -.PP -For an HTTPS PROXY connection with client-side certificate authentication: - -\fBconnect-proxy \-X proxy-server:8443 --https-user-cert ~/.config/usercert.pem ---https-user-key ~/.config/userkey.pem host 25\fR - -.PP -To use it along ssh transparently: -\fB # file://~/.ssh/config -Host * -ProxyCommand connect-proxy \-H proxy-server:8080 %h %p\fR -.SH "ENVIRONMENT" -.PP -LOGNAME, USER, SSH_ASKPASS, -.TP -SOCKS_PROXY, SOCKS_USER, SOCKS_RESOLVE, -.TP -SOCKS5_PROXY, SOCKS5_USER, SOCKS5_RESOLVE, SOCKS5_AUTH, -.TP -HTTP_PROXY, HTTP_PROXY_USER, HTTPS_PROXY, HTTPS_PROXY_USER, -.TP -HTTPS_PROXY_CERTNAME, HTTPS_PROXY_CA_FILE, HTTPS_PROXY_CA_PATH, -HTTPS_PROXY_USERCERT, HTTPS_PROXY_USERKEY - -.SH "SEE ALSO" -.PP -ssh (1). -.SH "WWW" -.PP -https://github.com/jjkeijser/connect-proxy -.PP -http://www.taiyo.co.jp/~gotoh/ssh/connect.html -.SH "COPYRIGHT" -.PP -Permission is granted to copy, distribute and/or modify this document under -the terms of the GNU General Public License, Version 2 any -later version published by the Free Software Foundation. -.SH "AUTHOR" -.PP -This manual page was adapted by Jan Just Keijser jan.just.keijser@gmail.com -from the \fBDebian\fP manual page, written by Philippe COVAL Philippe.COVAL@laposte.net. -.PP -HTTPS support and the \'long\' format options were added by Jan Just Keijser -jan.just.keijser@gmail.com. diff --git a/connect-proxy.spec b/connect-proxy.spec index 57ec0c3..92acfbb 100644 --- a/connect-proxy.spec +++ b/connect-proxy.spec @@ -1,22 +1,20 @@ Name: connect-proxy -Version: 1.105 -Release: 5%{?dist} +Version: 1.100 +Release: 4%{?dist} Summary: SSH Proxy command helper -# Automatically converted from old format: GPLv2+ - review is highly recommended. -License: GPL-2.0-or-later +Group: Applications/System +License: GPLv2+ URL: http://www.taiyo.co.jp/~gotoh/ssh/connect.html -Source0: ssh-connect-%{version}.tar.gz +Source0: connect-%{version}.c # Real source listed below, it was renamed for sanity's sake -#Source0: https://github.com/gotoh/ssh-connect/archive/refs/tags/1.105-tar.gz -Source1: connect-proxy.1 -Patch0: connect-proxy-1.105-socklen.patch +#Source0: http://www.taiyo.co.jp/~gotoh/ssh/connect.c +Source1: http://www.taiyo.co.jp/~gotoh/ssh/connect.html +Patch0: connect-proxy-make-man.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: openssh -BuildRequires: gcc -BuildRequires: make -BuildRequires: add-determinism %description connect-proxy is the simple relaying command to make network connection via SOCKS and https proxy. It is mainly intended to be used as proxy command @@ -32,121 +30,32 @@ Features of connect-proxy are: * You can also relay local socket stream instead of standard I/O. %prep -%setup -q -n ssh-connect-%{version} -%patch -P 0 -p1 +#setup -q -T -c -n %{name}-%{version} +%setup -q -T -c +cp %{SOURCE0} connect.c +cp %{SOURCE1} . +%patch0 -p1 %build make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags} %install rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT/%{_bindir} -cp connect $RPM_BUILD_ROOT/%{_bindir}/connect-proxy +mkdir -p $RPM_BUILD_ROOT +make DESTDIR=$RPM_BUILD_ROOT install mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 -cp -p %{SOURCE1} $RPM_BUILD_ROOT%{_mandir}/man1/ +cp -p %{name}.1 $RPM_BUILD_ROOT%{_mandir}/man1/ + +%clean +rm -rf $RPM_BUILD_ROOT %files -%doc doc/manual.html +%defattr(-,root,root,-) +%doc connect.html %{_mandir}/man1/* %{_bindir}/%{name} %changelog -* Wed Jul 23 2025 Fedora Release Engineering - 1.105-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Thu Jan 16 2025 Fedora Release Engineering - 1.105-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Thu Jul 25 2024 Miroslav Suchý - 1.105-3 -- convert license to SPDX - -* Wed Jul 17 2024 Fedora Release Engineering - 1.105-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Fri May 17 2024 Timotheus Pokorra - 1.105-1 -- Update to upstream 1.105 - -* Wed Jan 24 2024 Fedora Release Engineering - 1.100-31 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Jan 19 2024 Fedora Release Engineering - 1.100-30 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Wed Jul 19 2023 Fedora Release Engineering - 1.100-29 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jan 19 2023 Fedora Release Engineering - 1.100-28 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Tue Dec 6 2022 Florian Weimer - 1.100-27 -- Port to C99 (#2151093) - -* Wed Jul 20 2022 Fedora Release Engineering - 1.100-26 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Wed Jan 19 2022 Fedora Release Engineering - 1.100-25 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Wed Jul 21 2021 Fedora Release Engineering - 1.100-24 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Tue Jan 26 2021 Fedora Release Engineering - 1.100-23 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Mon Jul 27 2020 Fedora Release Engineering - 1.100-22 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jan 28 2020 Fedora Release Engineering - 1.100-21 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Wed Jul 24 2019 Fedora Release Engineering - 1.100-20 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Jan 31 2019 Fedora Release Engineering - 1.100-19 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Thu Jul 12 2018 Fedora Release Engineering - 1.100-18 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Wed Feb 07 2018 Fedora Release Engineering - 1.100-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Wed Aug 02 2017 Fedora Release Engineering - 1.100-16 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 1.100-15 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Fri Feb 10 2017 Fedora Release Engineering - 1.100-14 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Wed Feb 03 2016 Fedora Release Engineering - 1.100-13 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Wed Jun 17 2015 Fedora Release Engineering - 1.100-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Sat Aug 16 2014 Fedora Release Engineering - 1.100-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Sat Jun 07 2014 Fedora Release Engineering - 1.100-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Sat Aug 03 2013 Fedora Release Engineering - 1.100-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Wed Feb 13 2013 Fedora Release Engineering - 1.100-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Jul 18 2012 Fedora Release Engineering - 1.100-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Thu Jan 12 2012 Fedora Release Engineering - 1.100-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Tue Feb 08 2011 Fedora Release Engineering - 1.100-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - * Fri Jul 24 2009 Fedora Release Engineering - 1.100-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild diff --git a/connect.html b/connect.html new file mode 100644 index 0000000..53db26e --- /dev/null +++ b/connect.html @@ -0,0 +1,1142 @@ + + + + + SSH Proxy Command -- connect.c + + + + + + + + +

SSH Proxy Command -- connect.c

+ +

+connect.c is the simple relaying command to make network +connection via SOCKS and https proxy. It is mainly intended to +be used as proxy command of OpenSSH. You can make SSH session +beyond the firewall with this command, + +

+ +

+Features of connect.c are: + +

+ +
    +
  • Supports SOCKS (version 4/4a/5) and https CONNECT method. +
    • +
  • Supports NO-AUTH and USERPASS authentication of SOCKS +
    • +
  • Partially supports telnet proxy (experimental). +
    • +
  • You can input password from tty, ssh-askpass or + environment variable. +
    • +
  • Run on UNIX or Windows platform. +
    • +
  • You can compile with various C compiler (cc, gcc, Visual C, Borland C. etc.) +
    • +
  • Simple and general program independent from OpenSSH. +
    • +
  • You can also relay local socket stream instead of standard I/O. +
    • +
+ +

+Download source code from: +http://www.taiyo.co.jp/~gotoh/ssh/connect.c +
+For windows user, pre-compiled binary is also available: +http://www.taiyo.co.jp/~gotoh/ssh/connect.exe (compiled with MSVC) + +

+ +

Contents

+
+
+News +
+
+What is 'proxy command' +
+
+How to Use +
+
+
+
+Get Source +
+
+Compile and Install +
+
+Modify your ~/.ssh/config +
+
+Use SSH +
+
+Have trouble? +
+
+
+
+More Detail +
+
+Specifying user name via environment variables +
+
+Specifying password via environment variables +
+
+Limitations +
+
+
+
+SOCKS5 authentication +
+
+HTTP authentication +
+
+Switching proxy server +
+
+Telnet Proxy +
+
+
+
+Tips +
+
+
+
+Proxying socket connection +
+
+Use with ssh-askpass command +
+
+Use for Network Stream of Emacs +
+
+Remote resolver +
+
+Hopping Connection via SSH +
+
+
+
+Break The More Restricted Wall +
+
+F.Y.I. +
+
+
+
+Difference between SOCKS versions. +
+
+Configuration to use HTTPS +
+
+SOCKS5 Servers +
+
+Specifications +
+
+Related Links +
+
+Similars +
+
+
+
+hisotry +
+
+ + +

News

+
+
2005-07-08
+
+Rev. 1.95. Buf fix for previous change. The bug causes the fail of + basic authentication. And also fixed bug of parameter file handling. + Thanks reporting, Johannes Schindelin . +
+
2005-07-07
+
+Rev. 1.94. Changed to use snprintf()/vsnprintf() for security issue + that gcc complained them on OpenBSD 3.7/x86. The features are not + changed. +
+
2005-03-04
+
+Updated compile option for Mac OS X. +
+
2005-02-21
+
+Rev.1.92. Removed assertions which has no mean and worse for windows + suggested by OZAWA Takahiro. +
+
2005-01-12
+
+Rev.1.90. Fixed not to cause seg-fault on accessing to non HTTP + port. This problem is reported by Jason Armstrong . +
+
2004-10-30
+
+Rev.1.89. Partial support for telnet proxy. + Thanks to Gregory Shimansky <gshimansky at mail dot ru>. + (Note: This is ad-hoc implementation, so it is not enough for + various type of telnet proxies. + And password interaction is not supported.) +
+
+ +

What is 'proxy command'

+ +

+OpenSSH development team decides to stop supporting SOCKS and any +other tunneling mechanism. It was aimed to separate complexity to +support various mechanism of proxying from core code. And they +recommends more flexible mechanism: ProxyCommand option +instead. + +

+ +

+Proxy command mechanism is delegation of network stream +communication. If ProxyCommand options is specified, SSH +invoke specified external command and talk with standard I/O of thid +command. Invoked command undertakes network communication with +relaying to/from standard input/output including iniitial +communication or negotiation for proxying. Thus, ssh can split out +proxying code into external command. + +

+ +

+The connect.c program was made for this purpose. + +

+ +

How to Use

+ +

Get Source

+ +

+Download source code from here. +
+If you are MS Windows user, you can get pre-compiled binary from +here. + +

+ +

Compile and Install

+ +

+In most environment, you can compile connect.c simply. +On UNIX environment, you can use cc or gcc. +On Windows environment, you can use Microsoft Visual C, Borland C or Cygwin gcc. + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Compilercommand line to compile
UNIX cccc connect.c -o connect
UNIX gccgcc connect.c -o connect
Solarisgcc connect.c -o connect -lnsl -lsocket -lresolv
Microsoft Visual C/C++cl connect.c wsock32.lib advapi32.lib
Borland Cbcc32 connect.c wsock32.lib advapi32.lib
Cygwin gccgcc connect.c -o connect
Mac OS Xgcc connect.c -o connect -lresolv
or
gcc connect.c -o connect -DBIND_8_COMPAT=1
+ +

+To install connect command, simply copy compiled binary to directory +in your PATH (ex. /usr/local/bin). Like this: + +

+ +
+$ cp connect /usr/local/bin
+
+ +

Modify your ~/.ssh/config

+ +

+Modify your ~/.ssh/config file to use connect command as +proxy command. For the case of SOCKS server is running on +firewall host socks.local.net with port 1080, you can add +ProxyCommand option in ~/.ssh/config, like this: + +

+ +
+Host remote.outside.net
+  ProxyCommand connect -S socks.local.net %h %p
+
+ +

+%h and %p will be replaced on invoking proxy command with +target hostname and port specified to SSH command. + +

+ +

+If you hate writing many entries of remote hosts, following example +may help you. + +

+ +
+## Inside of the firewall, use connect command with direct connection.
+Host *.local.net
+  ProxyCommand connect %h %p
+
+## Outside of the firewall, use connect command with SOCKS conenction.
+Host *
+  ProxyCommand connect -S socks.local.net %h %p
+
+ +

+If you want to use http proxy, use -H option instead of -S +option in examle above, like this: + +

+ +
+## Inside of the firewall, direct
+Host *.local.net
+  ProxyCommand connect %h %p
+
+## Outside of the firewall, with HTTP proxy
+Host *
+  ProxyCommand connect -H proxy.local.net:8080 %h %p
+
+ +

Use SSH

+ +

+After editing your ~/.ssh/config file, you are ready to use ssh. +You can execute ssh without any special options as if remote host is +IP reachable host. Following is an example to execute hostname +command on host remote.outside.net. + +

+ +
+$ ssh remote.outside.net hostname
+remote.outside.net
+$
+
+ +

Have trouble?

+ +

+If you have trouble, execute connect command from command line +with -d option to see what is happened. Some debug message may +appear and reports progress. This information may tell you what is +wrong. In this example, error has occurred on authentication stage of +SOCKS5 protocol. + +

+ +
+$ connect -d -S socks.local.net unknown.remote.outside.net 110
+DEBUG: relay_method = SOCKS (2)
+DEBUG: relay_host=socks.local.net
+DEBUG: relay_port=1080
+DEBUG: relay_user=gotoh
+DEBUG: socks_version=5
+DEBUG: socks_resolve=REMOTE (2)
+DEBUG: local_type=stdio
+DEBUG: dest_host=unknown.remote.outside.net
+DEBUG: dest_port=110
+DEBUG: Program is $Revision: 1.1 $
+DEBUG: connecting to xxx.xxx.xxx.xxx:1080
+DEBUG: begin_socks_relay()
+DEBUG: atomic_out()  [4 bytes]
+DEBUG: >>> 05 02 00 02
+DEBUG: atomic_in() [2 bytes]
+DEBUG: <<< 05 02
+DEBUG: auth method: USERPASS
+DEBUG: atomic_out()  [some bytes]
+DEBUG: >>> xx xx xx xx ...
+DEBUG: atomic_in() [2 bytes]
+DEBUG: <<< 01 01
+ERROR: Authentication faield.
+FATAL: failed to begin relaying via SOCKS.
+
+ +

More Detail

+ +

+Command line usage is here: + +

+ +
+usage:  connect [-dnhst45] [-R resolve] [-p local-port] [-w sec]
+		[-H [user@]proxy-server[:port]]
+		[-S [user@]socks-server[:port]]
+		[-T socks-server:[port]]
+                [-c telnet-proxy-command]
+		host port
+
+ +

+host and port is target hostname and port-number to connect. + +

+ +

+-H option specify hostname and port number of http proxy server to +relay. If port is omitted, 80 is used. You can specify this value by +environment variable HTTP_PROXY and give -h option to use it. + +

+ +

+-S option specify hostname and port number of SOCKS server to +relay. Like -H option, port number can be omit and default is 1080. +You can also specify this value pair by environment variable +SOCKS5_SERVER and give -s option to use it. + +

+ +

+-T option specify hostname and port number of telnet proxy to +relay. The port number can be omit and default is 23. +You can also specify this value pair by environment variable +TELNET_PROXY and give -t option to use it. + +

+ +

+-4 and -5 is for specifying SOCKS protocol version. It is +valid only using with -s or -S. Default is -5 +(protocol version 5) + +

+ +

+-R is for specifying method to resolve hostname. 3 keywords +(local, remote, both) or dot-notation IP address is +allowed. Keyword both means; "Try local first, then +remote". If dot-notation IP address is specified, use this host as +nameserver (UNIX only). Default is remote for SOCKS5 or local +for others. On SOCKS4 protocol, remote resolving method (remote +and both) use protocol version 4a. + +

+ +

+The -p option specifys to wait a local TCP port and make relaying +with it instead of standard input and output. + +

+ +

+The -w option specifys timeout seconds on making connection with +target host. + +

+ +

+The -c option specifys request string against telnet +proxy server. The special word '%h' and '%p' in this string are replaced +as hostname and port number before sending. +For telnet proxy by DeleGate, both "telnet %h %p" and "%h:%p" +are acceptable. +Default is "telnet %h %p". + +

+ +

+The -a option specifiys user intended authentication methods +separated by comma. Currently userpass and none are +supported. Default is userpass. You can also specifying this +parameter by the environment variable SOCKS5_AUTH. + +

+ +

+The -d option is used for debug. If you fail to connect, use this +and check request to and response from server. + +

+ +

+You can omit port argument when program name is special format +containing port number itself. For example, + +

+ +
+$ ln -s connect connect-25
+$ ./connect-25 smtphost.outside.net
+220 smtphost.outside.net ESMTP Sendmail
+QUIT
+221 2.0.0 smtphost.remote.net closing connection
+$
+
+ +

+This example means that the command name "connect-25" contains port number +25 so you can omit 2nd argument (and used if specified explicitly). + +

+ +

Specifying user name via environment variables

+ +

+There are 5 environemnt variables to specify +user name without command line option. This mechanism is usefull +for the user who using another user name different from system account. + +

+ +
+
SOCKS5_USER
+
+Used for SOCKS v5 access. +
+
SOCKS4_USER
+
+Used for SOCKS v4 access. +
+
SOCKS_USER
+
+Used for SOCKS v5 or v4 access and varaibles above are not defined. +
+
HTTP_PROXY_USER
+
+Used for HTTP proxy access. +
+
CONNECT_USER
+
+Used for all type of access if all above are not defined. +
+
+ +

+Following table describes how user name is determined. +Left most number is order to check. If variable is not defined, +check next variable, and so on. + +

+ + + + + + + +
SOCKS v5SOCKS v4HTTP proxy
1SOCKS5_USERSOCKS4_USERHTTP_PROXY_USER
2SOCKS_USER
3CONNECT_USER
4(query user name to system)
+ +

Specifying password via environment variables

+ +

+There are 5 environemnt variables to specify +password. If you use this feature, please note that it is +not secure way. + +

+ +
+
SOCKS5_PASSWD
+
+Used for SOCKS v5 access. This variables is compatible + with NEC SOCKS implementation. +
+
SOCKS5_PASSWORD
+
+Used for SOCKS v5 access if SOCKS5_PASSWD is not defined. +
+
SOCKS_PASSWORD
+
+Used for SOCKS v5 (or v4) access all above is not defined. +
+
HTTP_PROXY_PASSWORD
+
+Used for HTTP proxy access. +
+
CONNECT_PASSWORD
+
+Used for all type of access if all above are not defined. +
+
+ +

+Following table describes how password is determined. +Left most number is order to check. If variable is not defined, +check next variable, and so on. Finally ask to user interactively +using external program or tty input. + +

+ + + + + + + +
SOCKS v5HTTP proxy
1SOCKS5_PASSWDHTTP_PROXY_PASSWORD
2SOCKS_PASSWORD
3CONNECT_PASSWORD
4(ask to user interactively)
+ +

Limitations

+ +

SOCKS5 authentication

+ +

+Only NO-AUTH and USER/PASSWORD authentications are supported. +GSSAPI authentication (RFC 1961) and other draft authentications (CHAP, +EAP, MAF, etc.) is not supported. + +

+ +

HTTP authentication

+ +

+BASIC authentication is supported but DIGEST authentication is not. + +

+ +

Switching proxy server

+ +

+There is no mechanism to switch proxy server regarding to PC environment. +This limitation might be bad news for mobile user. +Since I do not want to make this program complex, I do not want to +support although this feature is already requested. Please advice me +if there is good idea of detecting environment to swich and simple way +to specify conditioned directive of servers. + +

+ +

+One tricky workaround exists. It is replacing ~/.ssh/config file +by script on ppp up/down. + +

+ +

+There's another example of wrapper script (contributed by Darren Tucker). +This script costs executing ifconfig and grep to detect +current environment, but it works. (NOTE: you should modify addresses +if you use it.) + +

+ +
+#!/bin/sh
+## ~/bin/myconnect --- Proxy server switching wrapper
+
+if ifconfig eth0 |grep "inet addr:192\.168\.1" >/dev/null; then
+	opts="-S 192.168.1.1:1080"  
+elif ifconfig eth0 |grep "inet addr:10\." >/dev/null; then
+	opts="-H 10.1.1.1:80"
+else
+	opts="-s"
+fi
+exec /usr/local/bin/connect $opts $@
+
+ +

Telnet Proxy

+ +

+At first, note that the telnet proxy support is an partial feature. +In this implementation, connect single requestinting and proxy +returns some success/error detective in talked back lines including +greeting, prompt and connected messages. + +

+ +

+The connect simply send request after connection to proxy is +established before any response reading, then repeat reading response +strings from proxy to decide remote connection request is succeeded or +not by checking pre-defined phrase in each lines. There are +pre-defined phrases which are good-phrase and bad-phrases. First +good-phrase is checked and change state as relaying if exist. +connect treat this line as final response from proxy before +starting acutal communication with remote host. Or if good-phrase is +not matched, bad-phrases will be checked. If one of bad-phrase +matched, it cause connection error immediately. + +

+ +

+The pre-defined phrases are currently fixed string so you cannot +change without modifying and compiling. The good-phrase is: +"connected to". The bad-phrases are: " failed", " refused", " +rejected", " closed". + +

+ +

Tips

+ +

Proxying socket connection

+ +

+In usual, connect.c relays network connection to/from standard +input/output. By specifying -p option, however, connect.c +relays local network stream instead of standard input/output. +With this option, connect command waits connection +from other program, then start relaying between both network stream. + +

+ +

+This feature may be useful for the program which is hard to SOCKSify. + +

+ +

Use with ssh-askpass command

+ +

+connect.c ask you password when authentication is required. If +you are using on tty/pty terminal, connect can input from terminal +with prompt. But you can also use ssh-askpass program to input +password. If you are graphical environment like X Window or MS +Windows, and program does not have tty/pty, and environment variable +SSH_ASKPASS is specified, then connect.c invoke command +specified by environment variable SSH_ASKPASS to input password. +ssh-askpass program might be installed if you are using OpenSSH on +UNIX environment. On Windows environment, pre-compiled binary is +available from +here. + +

+ +

+This feature is limited on window system environment. + +

+ +

+And also useful on Emacs on MS Windows (NT Emacs or Meadow). It is +hard to send passphrase to connect command (and also ssh) +because external command is invoked on hidden terminal and do I/O with +this terminal. Using ssh-askpass avoids this problem. + +

+ +

Use for Network Stream of Emacs

+ +

+Although connect.c is made for OpenSSH, it is generic and +independent from OpenSSH. So we can use this for other purpose. For +example, you can use this command in Emacs to open network connection +with remote host over the firewall via SOCKS or HTTP proxy without +SOCKSifying Emacs itself. + +

+ +

+There is sample code: +http://www.taiyo.co.jp/~gotoh/lisp/relay.el + +

+ +

+With this code, you can use relay-open-network-stream function +instead of open-network-stream to make network connection. See top +comments of source for more detail. + +

+ +

Remote resolver

+ +

+If you are SOCKS4 user on UNIX environment, you might want specify +nameserver to resolve remote hostname. You can do it specifying +-R option followed by IP address of resolver. + +

+ +

Hopping Connection via SSH

+ +

+Conbination of ssh and connect command have more interesting usage. +Following command makes indirect connection to host2:port from your +current host via host1. + +

+ +
+ssh host1 connect host2 port
+
+ +

+This method is useful for the situations like: + +

+ +
    +
  • You are outside of organizasion now, but you want to access an + internal host barriered by firewall. +
    • +
  • You want to use some service which is allowed only from some + limited hosts. +
    • +
+ +

+For example, I want to use local NetNews service in my office +from home. I cannot make NNTP session directly because NNTP host is +barriered by firewall. Fortunately, I have ssh account on internal +host and allowed using SOCKS5 on firewall from outside. So I use +following command to connect to NNTP service. + +

+ +
+$ ssh host1 connect news 119
+200 news.my-office.com InterNetNews NNRP server INN 2.3.2 ready (posting ok).
+quit
+205 .
+$
+
+ +

+By combinating hopping connection and relay.el, I can read NetNews +using Wanderlust on Emacs at home. + +

+ +
+                        |
+    External (internet) | Internal (office)
+                        |
++------+           +----------+          +-------+           +-----------+
+| HOME |           | firewall |          | host1 |           | NNTP host |
++------+           +----------+          +-------+           +-----------+
+ emacs <-------------- ssh ---------------> sshd <-- connect --> nntpd
+       <-- connect --> socksd <-- SOCKS -->
+
+ +

+As an advanced example, you can use SSH hopping as fetchmail's plug-in +program to access via secure tunnel. This method requires that +connect program is insatalled on remote host. There's example +of .fetchmailrc bellow. When fetchmail access to mail-server, you will +login to remote host using SSH then execute connect program on +remote host to relay conversation with pop server. Thus fetchmail can +retrieve mails in secure. + +

+ +
+poll mail-server
+  protocol pop3
+  plugin "ssh %h connect localhost %p"
+  username "username"
+  password "password"
+</exmaple>
+
+* <a name="sec23" id="sec23"></a>Break The More Restricted Wall
+
+If firewall does not provide SOCKS nor HTTPS other than port 443, you
+cannot break the wall in usual way.  But if you have you own host
+which is accessible from internet, you can make ssh connection to your
+own host by configuring sshd as waiting at port 443 instead of
+standard 22. By this, you can login to your own host via port 443.
+Once you have logged-in to extenal home machine, you can execute
+**connect** as second hop to make connection from your own host to
+final target host, like this:
+
+<example>
+$ cat ~/.ssh/config
+Host home
+  ProxyCommand connect -H firewall:8080 %h 443
+
+Host server
+  ProxyCommand ssh home connect %h %p
+...
+internal$ ssh home
+You are logged in to home!
+home# exit
+internal$ ssh server
+You are logged in to server!
+server# exit
+internal$
+
+ +

+This way is similar to "Hopping connection via SSH" except configuring +outer sshd as waiting at port 443 (https). This means that you have a +capability to break the strongly restricted wall if you have own host +out side of the wall. + +

+ +
+                        |
+      Internal (office) | External (internet)
+                        |
++--------+         +----------+                 +------+          +--------+
+| office |         | firewall |                 | home |          | server |
++--------+         +----------+                 +------+          +--------+
+   <------------------ ssh --------------------->sshd:443
+    <-- connect --> http-proxy <-- https:443 -->                      any
+                                                 connect <-- tcp -->  port
+
+ +

+NOTE: If you wanna use this, you should give up hosting https service +at port 443 on you external host 'home'. + +

+ +

F.Y.I.

+ +

Difference between SOCKS versions.

+ +

+SOCKS version 4 is first popular implementation which is documented +here. Since +this protocol provide IP address based requesting, client program +should resolve name of outer host by itself. Version 4a (documented +here) is +enhanced to allow request by hostname instead of IP address. + +

+ +

+SOCKS version 5 is re-designed protocol stands on experience of +version 4 and 4a. There is no compativility with previous +versions. Instead, there's some improvement: IPv6 support, request by +hostname, UDP proxying, etc. + +

+ +

Configuration to use HTTPS

+ +

+Many http proxy servers implementation supports https CONNECT method +(SLL). You might add configuration to allow using https. For the +example of DeleGate ( +DeleGate is a multi-purpose application level gateway, or a proxy +server) , you should add https to REMITTABLE parameter to +allow HTTP-Proxy like this: + +

+ +
+delegated -Pxxxx ...... REMITTABLE='+,https' ...
+
+ +

+For the case of Squid, you should allow target ports via https by ACL, +and so on. + +

+ +

SOCKS5 Servers

+ +
+
NEC SOCKS Reference Implementation
+
+Reference implementation of SOKCS server and library. +
+
Dante
+
+Dante is free implementation of SOKCS server and library. + Many enhancements and modulalized. +
+
DeleGate
+
+DeleGate is multi function proxy service provider. + DeleGate 5.x.x or earlier can be SOCKS4 server, + and 6.x.x can be SOCKS5 and SOCKS4 server. + and 7.7.0 or later can be SOCKS5 and SOCKS4a server. +
+
+ +

Specifications

+ +
+
socks4.protocol.txt
+
+SOCKS: A protocol for TCP proxy across firewalls +
+
socks4a.protocol.txt
+
+SOCKS 4A: A Simple Extension to SOCKS 4 Protocol +
+
RFC 1928
+
+SOCKS Protocol Version 5 +
+
RFC 1929
+
+Username/Password Authentication for SOCKS V5 +
+
RFC 2616
+
+Hypertext Transfer Protocol -- HTTP/1.1 +
+
RFC 2617
+
+HTTP Authentication: Basic and Digest Access Authentication +
+
+ +

Related Links

+ + + +

Similars

+ +
    +
  • Proxy Tunnel -- Proxying command using https CONNECT. +
    • +
  • stunnel -- Proxy through an https tunnel (Perl script) +
    • +
+ +

hisotry

+ +
+
2004-07-21
+
+Rev.1.84. Fixed some typo. +
+
2004-05-18
+
+Rev.1.83. Fixed problem not work on Solaris. +
+
2004-04-27
+
+Rev.1.82. Bug fix of memory clear on http proxying. +
+
2004-04-22
+
+Rev. 1.81. Fixed memory violation and memory leak bug. New environment + variable SOCKS5_PASSWD for sharing value with NEC SOCKS implementation. + And document (this page) is updated. +
+
2004-03-30
+
+Rev. 1.76. Fixed to accept multiple 'Proxy-Authorization' response. +
+
2003-01-07
+
+Rev. 1.68. Fixed a trouble around timeout support. +
+
2002-11-21
+
+Rev. 1.64 supports reading parameters from file /etc/connectrc or + ~/.connectrc instead of specifying via environment variables. For + examle, you can use this feature to switch setting by replacing file + when network environment is changed. And added SOCKS_DIRECT, + SOCKS5_DIRECT, SOCKS4_DIRECT, HTTP_DIRECT, SOCKS5_AUTH, environment + parameters. (Thanks Masatoshi TSUCHIYA) +
+
2002-11-20
+
+Rev. 1.63 supports some old proxies which make response 401 with + WWW-Authenticate: header. And fixed to use username specified in + proxy host by -H option correctly. (contributed from Des Herriott, thanks) +
+
2002-10-14
+
+Rev. 1.61 with New option -w for specifying connection timeout. + Currently, it works on UNIX only. (contributed from Darren Tucker, thanks) +
+
2002-09-29
+
+Add sample script for switching proxy server + advised from Darren Tucker, thanks. +
+
2002-08-27
+
+connect.c is updataed to rev. 1.60. +
+
2002-04-08
+
+Updated "Using OpenSSH through a SOCKS compatible PROXY on your LAN" written by J. Grant. (version 0.8) +
+
2002-02-20
+
+Add link of new document "Using OpenSSH through a SOCKS compatible PROXY on your LAN" + written by J. Grant. +
+
2002-01-31
+
+Rev. 1.53 -- On Win32 and with MSVC, handle password + input from console correctly. +
+
2002-01-30
+
+Rev. 1.50 -- [Security Fix] Do not print secure info in debug mode. +
+
2002-01-09
+
+Web page was made. + connect.c is rev. 1.48. +
+
+
+ + +
+
+ + + + + +
+ Last Updated: 2005-07-18
+ 		+ This page is authored by Shun-ichi GOTO + using emacs-wiki.el
+
+
+ + diff --git a/sources b/sources index 1d448f2..e69de29 100644 --- a/sources +++ b/sources @@ -1 +0,0 @@ -SHA512 (ssh-connect-1.105.tar.gz) = f49001043a8ffbda3823d0ea3640cc85536ce3d23302fd4d704d8a520f99271a2ed66fda11a5402382edc1dcf874988339ebcaf1d6335249a8dd2a8b4ae965a3