From 69738dadcda1b242a0b5e41d5d2fe4be3f55a448 Mon Sep 17 00:00:00 2001 From: Marc <34656315+MarcT512@users.noreply.github.com> Date: Thu, 3 Jan 2019 00:32:00 +0000 Subject: [PATCH] s_client: Add basic proxy authentication support 1) Add two new flags (-proxy_user & -proxy_pass) to s_client to add support for basic (base64) proxy authentication. 2) Add a "Proxy-Connection: Keep-Alive" HTTP header which is a workaround for some broken proxies which otherwise close the connection when entering tunnel mode (eg Squid 2.6). Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7975) --- apps/s_client.c | 81 ++++++++++++++++++++++++++++++++++++++++--- doc/man1/s_client.pod | 17 +++++++++ 2 files changed, 93 insertions(+), 5 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index 51001d5766..d788b89dee 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -74,6 +74,7 @@ static void print_stuff(BIO *berr, SSL *con, int full); static int ocsp_resp_cb(SSL *s, void *arg); #endif static int ldap_ExtendedResponse_parse(const char *buf, long rem); +static char *base64encode (const void *buf, size_t len); static int saved_errno; @@ -590,7 +591,8 @@ typedef enum OPTION_choice { OPT_V_ENUM, OPT_X_ENUM, OPT_S_ENUM, - OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN, + OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_PROXY_USER, OPT_PROXY_PASS, + OPT_DANE_TLSA_DOMAIN, #ifndef OPENSSL_NO_CT OPT_CT, OPT_NOCT, OPT_CTLOG_FILE, #endif @@ -608,6 +610,8 @@ const OPTIONS s_client_options[] = { {"bind", OPT_BIND, 's', "bind local address for connection"}, {"proxy", OPT_PROXY, 's', "Connect to via specified proxy to the real server"}, + {"proxy_user", OPT_PROXY_USER, 's', "UserID for proxy authentication"}, + {"proxy_pass", OPT_PROXY_PASS, 's', "Proxy authentication password source"}, #ifdef AF_UNIX {"unix", OPT_UNIX, 's', "Connect over the specified Unix-domain socket"}, #endif @@ -894,8 +898,10 @@ int s_client_main(int argc, char **argv) STACK_OF(X509_CRL) *crls = NULL; const SSL_METHOD *meth = TLS_client_method(); const char *CApath = NULL, *CAfile = NULL; - char *cbuf = NULL, *sbuf = NULL; - char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL, *bindstr = NULL; + char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL; + char *proxystr = NULL, *proxyuser = NULL; + char *proxypassarg = NULL, *proxypass = NULL; + char *connectstr = NULL, *bindstr = NULL; char *cert_file = NULL, *key_file = NULL, *chain_file = NULL; char *chCApath = NULL, *chCAfile = NULL, *host = NULL; char *port = OPENSSL_strdup(PORT); @@ -1075,6 +1081,12 @@ int s_client_main(int argc, char **argv) proxystr = opt_arg(); starttls_proto = PROTO_CONNECT; break; + case OPT_PROXY_USER: + proxyuser = opt_arg(); + break; + case OPT_PROXY_PASS: + proxypassarg = opt_arg(); + break; #ifdef AF_UNIX case OPT_UNIX: connect_type = use_unix; @@ -1619,7 +1631,17 @@ int s_client_main(int argc, char **argv) #endif if (!app_passwd(passarg, NULL, &pass, NULL)) { - BIO_printf(bio_err, "Error getting password\n"); + BIO_printf(bio_err, "Error getting private key password\n"); + goto end; + } + + if (!app_passwd(proxypassarg, NULL, &proxypass, NULL)) { + BIO_printf(bio_err, "Error getting proxy password\n"); + goto end; + } + + if (proxypass != NULL && proxyuser == NULL) { + BIO_printf(bio_err, "Error: Must specify proxy_user with proxy_pass\n"); goto end; } @@ -2322,7 +2344,31 @@ int s_client_main(int argc, char **argv) BIO *fbio = BIO_new(BIO_f_buffer()); BIO_push(fbio, sbio); - BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n\r\n", connectstr); + BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n", connectstr); + /* + * Workaround for broken proxies which would otherwise close + * the connection when entering tunnel mode (eg Squid 2.6) + */ + BIO_printf(fbio, "Proxy-Connection: Keep-Alive\r\n"); + + /* Support for basic (base64) proxy authentication */ + if (proxyuser != NULL) { + size_t l; + char *proxyauth, *proxyauthenc; + + l = strlen(proxyuser); + if (proxypass != NULL) + l += strlen(proxypass); + proxyauth = app_malloc(l + 2, "Proxy auth string"); + snprintf(proxyauth, l + 2, "%s:%s", proxyuser, (proxypass != NULL) ? proxypass : ""); + proxyauthenc = base64encode(proxyauth, strlen(proxyauth)); + BIO_printf(fbio, "Proxy-Authorization: Basic %s\r\n", proxyauthenc); + OPENSSL_clear_free(proxyauth, strlen(proxyauth)); + OPENSSL_clear_free(proxyauthenc, strlen(proxyauthenc)); + } + + /* Terminate the HTTP CONNECT request */ + BIO_printf(fbio, "\r\n"); (void)BIO_flush(fbio); /* * The first line is the HTTP response. According to RFC 7230, @@ -3128,6 +3174,8 @@ int s_client_main(int argc, char **argv) OPENSSL_clear_free(cbuf, BUFSIZZ); OPENSSL_clear_free(sbuf, BUFSIZZ); OPENSSL_clear_free(mbuf, BUFSIZZ); + if (proxypass != NULL) + OPENSSL_clear_free(proxypass, strlen(proxypass)); release_engine(e); BIO_free(bio_c_out); bio_c_out = NULL; @@ -3467,4 +3515,27 @@ static int ldap_ExtendedResponse_parse(const char *buf, long rem) return ret; } +/* + * BASE64 encoder: used only for encoding basic proxy authentication credentials + */ +static char *base64encode (const void *buf, size_t len) +{ + int i; + size_t outl; + char *out; + + /* Calculate size of encoded data */ + outl = (len / 3); + if (len % 3 > 0) + outl++; + outl <<= 2; + out = app_malloc(outl + 1, "base64 encode buffer"); + + i = EVP_EncodeBlock((unsigned char *)out, buf, len); + assert(i <= (int)outl); + if (i < 0) + *out = '\0'; + return out; +} + #endif /* OPENSSL_NO_SOCK */ diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index 1a241e606f..70b97bf43d 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -12,6 +12,8 @@ B B [B<-connect host:port>] [B<-bind host:port>] [B<-proxy host:port>] +[B<-proxy_user userid>] +[B<-proxy_pass arg>] [B<-unix path>] [B<-4>] [B<-6>] @@ -175,6 +177,21 @@ When used with the B<-connect> flag, the program uses the host and port specified with this flag and issues an HTTP CONNECT command to connect to the desired server. +=item B<-proxy_user userid> + +When used with the B<-proxy> flag, the program will attempt to authenticate +with the specified proxy using basic (base64) authentication. +NB: Basic authentication is insecure; the credentials are sent to the proxy +in easily reversible base64 encoding before any TLS/SSL session is established. +Therefore these credentials are easily recovered by anyone able to sniff/trace +the network. Use with caution. + +=item B<-proxy_pass arg> + +The proxy password source, used with the B<-proxy_user> flag. +For more information about the format of B see the B +section in L. + =item B<-unix path> Connect over the specified Unix-domain socket. -- 2.25.1