/*************************************************************************** * proxy_http.c -- HTTP Connect proxying. * * * ***********************IMPORTANT NSOCK LICENSE TERMS*********************** * * * The nsock parallel socket event library is (C) 1999-2015 Insecure.Com * * LLC This library is free software; you may redistribute and/or * * modify it under the terms of the GNU General Public License as * * published by the Free Software Foundation; Version 2. This guarantees * * your right to use, modify, and redistribute this software under certain * * conditions. If this license is unacceptable to you, Insecure.Com LLC * * may be willing to sell alternative licenses (contact * * sales@insecure.com ). * * * * As a special exception to the GPL terms, Insecure.Com LLC grants * * permission to link the code of this program with any version of the * * OpenSSL library which is distributed under a license identical to that * * listed in the included docs/licenses/OpenSSL.txt file, and distribute * * linked combinations including the two. You must obey the GNU GPL in all * * respects for all of the code used other than OpenSSL. If you modify * * this file, you may extend this exception to your version of the file, * * but you are not obligated to do so. * * * * If you received these files with a written license agreement stating * * terms other than the (GPL) terms above, then that alternative license * * agreement takes precedence over this comment. * * * * Source is provided to this software because we believe users have a * * right to know exactly what a program is going to do before they run it. * * This also allows you to audit the software for security holes. * * * * Source code also allows you to port Nmap to new platforms, fix bugs, * * and add new features. You are highly encouraged to send your changes * * to the dev@nmap.org mailing list for possible incorporation into the * * main distribution. 
By sending these changes to Fyodor or one of the * * Insecure.Org development mailing lists, or checking them into the Nmap * * source code repository, it is understood (unless you specify otherwise) * * that you are offering the Nmap Project (Insecure.Com LLC) the * * unlimited, non-exclusive right to reuse, modify, and relicense the * * code. Nmap will always be available Open Source, but this is important * * because the inability to relicense code has caused devastating problems * * for other Free Software projects (such as KDE and NASM). We also * * occasionally relicense the code to third parties as discussed above. * * If you wish to specify special license conditions of your * * contributions, just say so when you send them. * * * * This program is distributed in the hope that it will be useful, but * * WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * * General Public License v2.0 for more details * * (http://www.gnu.org/licenses/gpl-2.0.html). 
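* * * ***************************************************************************/

/* $Id $ */

#define _GNU_SOURCE
/* NOTE(review): the header names inside the angle-bracket includes were
 * missing from the copy this was reviewed from. They are restored here from
 * what the file uses (asprintf, the str and mem functions, MD5_* and RAND_*).
 * Confirm them against the upstream file. */
#include <stdio.h>

#include "nsock.h"
#include "nbase.h"
#include "nsock_internal.h"
#include "nsock_log.h"

#include <string.h>

#ifdef HAVE_OPENSSL
#include <openssl/md5.h>
#include <openssl/rand.h>
#endif

#define DEFAULT_PROXY_PORT_HTTP 8080

extern struct timeval nsock_tod;
extern const struct proxy_spec ProxySpecHttp;


/* Return the number that follows the first space of an HTTP status line, or
 * -1 when there is no space or nothing numeric after it.
 *
 * `http` comes straight from the proxy and must be NUL-terminated; callers in
 * this file pass the buffer returned by nse_readbuf().
 * NOTE(review): that buffer is assumed to be NUL-terminated -- confirm. */
static long check_http_status_code(const char *http) {
  char *tail;
  char *code;
  long status;

  code = strchr(http, ' ');
  if (code == NULL)
    return -1;
  code++; /* Skip the space after "HTTP/x.y" */

  status = parse_long(code, &tail);
  if (tail == code)
    return -1;

  return status;
}

/* Write the lowercase hex form of src[0..n) into dest and return dest.
 * dest must have room for 2 * n + 1 bytes: every Snprintf() call writes two
 * digits plus a terminating NUL that the next call overwrites. */
static char *enhex(char *dest, const unsigned char *src, size_t n) {
  size_t i;

  for (i = 0; i < n; i++)
    Snprintf(dest + i * 2, 3, "%02x", src[i]);

  return dest;
}

/* Select the endpoint to name in the next CONNECT request: the following
 * proxy in the chain when there is one, otherwise the final target. */
static void proxy_http_next_hop(struct proxy_chain_context *px_ctx,
                                struct sockaddr_storage **ss, size_t *sslen,
                                unsigned short *port) {
  struct proxy_node *next = proxy_ctx_node_next(px_ctx);

  if (next) {
    *ss = &next->ss;
    *sslen = next->sslen;
    *port = next->port;
  } else {
    *ss = &px_ctx->target_ss;
    *sslen = px_ctx->target_sslen;
    *port = px_ctx->target_port;
  }
}

/* The current proxy answered 200: either hand the tunnel to the caller (last
 * hop) or restart the state machine against the next proxy in the chain. */
static void proxy_http_hop_established(struct npool *nsp, struct nevent *nse,
                                       void *udata) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  struct proxy_node *next = proxy_ctx_node_next(px_ctx);

  if (next == NULL) {
    px_ctx->px_state = PROXY_STATE_HTTP_TUNNEL_ESTABLISHED;
    forward_event(nsp, nse, udata);
  } else {
    px_ctx->px_current = next;
    px_ctx->px_state = PROXY_STATE_INITIAL;
    nsock_proxy_ev_dispatch(nsp, nse, udata);
  }
}

/* Build a proxy_node from a parsed http:// proxy URI.
 *
 * On success stores the new node in *node and returns 1. When the host cannot
 * be resolved, stores NULL in *node and returns -1. Running out of memory
 * while copying the credentials is fatal.
 *
 * NOTE(review): uri->port is narrowed to unsigned short without a range check
 * here; presumably the URI parser has already bounded it -- confirm. */
static int proxy_http_node_new(struct proxy_node **node, const struct uri *uri) {
  int rc;
  struct proxy_node *proxy;

  proxy = (struct proxy_node *)safe_zalloc(sizeof(struct proxy_node));
  proxy->spec = &ProxySpecHttp;

  rc = proxy_resolve(uri->host, (struct sockaddr *)&proxy->ss, &proxy->sslen);
  if (rc < 0) {
    free(proxy);
    *node = NULL;
    return -1;
  }

  proxy->port = (uri->port == -1) ? DEFAULT_PROXY_PORT_HTTP
                                  : (unsigned short)uri->port;

  if (uri->user) {
    proxy->user = strdup(uri->user);
    if (!proxy->user)
      fatal("Out of Memory!");
  }

  if (uri->pass) {
    proxy->pass = strdup(uri->pass);
    if (!proxy->pass)
      fatal("Out of Memory!");
  }

  rc = asprintf(&proxy->nodestr, "http://%s:%d", uri->host, proxy->port);
  if (rc < 0) {
    /* asprintf() failed for some reason but this is not a disaster (yet).
     * Set nodestr to NULL and try to keep on going. The debug messages below
     * pass nodestr to a "%s" conversion, so they will see NULL in that case. */
    proxy->nodestr = NULL;
  }

  *node = proxy;
  return 1;
}

/* Release a node created by proxy_http_node_new(); NULL is accepted.
 * The stored password is freed without being overwritten first. */
static void proxy_http_node_delete(struct proxy_node *node) {
  if (!node)
    return;

  free(node->user);
  free(node->pass);
  free(node->nodestr);
  free(node);
}

/* First step for a hop: send an unauthenticated CONNECT and wait for the
 * proxy's status line. Always returns 0. */
static int handle_state_initial(struct npool *nsp, struct nevent *nse, void *udata) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  struct sockaddr_storage *ss;
  size_t sslen;
  unsigned short port;
  int timeout;

  proxy_http_next_hop(px_ctx, &ss, &sslen, &port);

  timeout = TIMEVAL_MSEC_SUBTRACT(nse->timeout, nsock_tod);

  nsock_printf(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
               "CONNECT %s:%d HTTP/1.1\r\n\r\n",
               inet_ntop_ez(ss, sslen), (int)port);

  px_ctx->px_state = PROXY_STATE_HTTP_TCP_CONNECTED;
  nsock_readlines(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout,
                  udata, 1);

  return 0;
}

/* Retry the CONNECT with a Basic Proxy-Authorization header.
 *
 * Returns 0 once the request is queued, 1 when the credential string could
 * not be built.
 *
 * Basic credentials are only base64-encoded, so whoever can read this
 * connection to the proxy can recover the password. */
static int handle_state_unauthenticated_basic(struct npool *nsp, struct nevent *nse, void *udata) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  const struct proxy_node *cur = px_ctx->px_current;
  struct sockaddr_storage *ss;
  size_t sslen;
  unsigned short port;
  char *plain = NULL;   /* heap copy of the clear-text credentials, if any */
  char *encoded;
  int timeout;

  proxy_http_next_hop(px_ctx, &ss, &sslen, &port);

  timeout = TIMEVAL_MSEC_SUBTRACT(nse->timeout, nsock_tod);

  if (cur->user && cur->pass) {
    if (asprintf(&plain, "%s:%s", cur->user, cur->pass) < 0)
      return 1;
  } else if (cur->user) {
    /* NOTE(review): this sends the user name without the ':' separator that
     * the Basic scheme puts between user-id and password; kept as is. */
    plain = strdup(cur->user);
    if (!plain)
      return 1;
  }

  encoded = b64enc((unsigned char *)(plain ? plain : ""),
                   strlen(plain ? plain : ""));

  /* The clear-text copy used to be overwritten by the b64enc() result and
   * leaked; release it as soon as it has been encoded. */
  free(plain);

  if (!encoded)
    return 1;

  /* No whitespace is allowed between a header field name and its colon
   * (RFC 7230 section 3.2.4), so the header is written as
   * "Proxy-Authorization:". */
  nsock_printf(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
               "CONNECT %s:%d HTTP/1.1\r\nProxy-Authorization: Basic %s\r\n\r\n",
               inet_ntop_ez(ss, sslen), (int)port, encoded);

  /* NOTE(review): `encoded` is never released. If b64enc() returns heap
   * memory it should be freed here, as the digest handler does with its
   * strings after nsock_printf() -- confirm b64enc()'s ownership contract. */

  px_ctx->px_state = PROXY_STATE_AUTHENTICATION_ATTEMPTED;
  nsock_readlines(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout,
                  udata, 1);

  return 0;
}

#ifdef HAVE_OPENSSL

/* Copy the value of one directive (key is given with its '=', e.g. "realm=")
 * out of a Digest challenge.
 *
 * Returns a heap string the caller must free(), or NULL when the directive is
 * absent, its quoted value is not terminated, or the value contains CR or LF.
 *
 * The challenge is attacker-influenced input from the proxy. The previous
 * code assumed every value was quoted and terminated: a missing closing
 * quote made strchr() return NULL, and the length was then computed from a
 * NULL pointer. Values are echoed back into our own request header, hence
 * the CR/LF rejection.
 *
 * This is a substring search, not a full header parser: escaped quotes inside
 * a quoted value are not understood. */
static char *digest_challenge_value(const char *challenge, const char *key) {
  const char *start;
  const char *end;
  size_t len;
  char *value;

  start = strstr(challenge, key);
  if (start == NULL)
    return NULL;
  start += strlen(key);

  if (*start == '"') {
    start++;
    end = strchr(start, '"');
    if (end == NULL)
      return NULL;
    len = (size_t)(end - start);
  } else {
    /* Unquoted token form, e.g. qop=auth */
    len = strcspn(start, ", \t\r\n");
  }

  if (memchr(start, '\r', len) || memchr(start, '\n', len))
    return NULL;

  value = (char *)safe_zalloc(len + 1);
  memcpy(value, start, len);

  return value;
}

/* Answer a Digest challenge (MD5, as computed below) and retry the CONNECT.
 *
 * res is the proxy's 407 response, or NULL when the state machine is
 * re-entered without one. Returns 0 once the request is queued and -1 on any
 * failure; every string allocated here is released on all paths.
 *
 * NOTE(review): the challenge's qop value is echoed and hashed verbatim, so a
 * list such as "auth,auth-int" is not reduced to a single choice; the nonce
 * count is always 00000001. */
static int handle_state_unauthenticated_digest(struct npool *nsp, struct nevent *nse, void *udata, const char *res) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  const char *user = px_ctx->px_current->user ? px_ctx->px_current->user : "";
  const char *pass = px_ctx->px_current->pass ? px_ctx->px_current->pass : "";
  struct sockaddr_storage *ss;
  size_t sslen;
  unsigned short port;
  char *nonce = NULL;
  char *realm = NULL;
  char *uri = NULL;
  char *qop = NULL;
  char *opaque = NULL;
  unsigned char cnonce[8];
  char cnonce_buf[sizeof(cnonce) * 2 + 1];
  MD5_CTX md5;
  char HA1_hex[MD5_DIGEST_LENGTH * 2 + 1];
  char HA2_hex[MD5_DIGEST_LENGTH * 2 + 1];
  char response_hex[MD5_DIGEST_LENGTH * 2 + 1];
  unsigned char hashbuf[MD5_DIGEST_LENGTH];
  int timeout;
  int rc = -1;

  proxy_http_next_hop(px_ctx, &ss, &sslen, &port);

  timeout = TIMEVAL_MSEC_SUBTRACT(nse->timeout, nsock_tod);

  if (!res) {
    nsock_log_debug("Digest authentication attempted without challenge for proxy %s",
                    px_ctx->px_current->nodestr);
    return -1;
  }

  /* The caller only checks for "Digest" (no trailing space), so this search
   * can legitimately fail; it used to be dereferenced unchecked. */
  res = strstr(res, "Digest ");
  if (!res) {
    nsock_log_debug("Digest authentication attempted without challenge for proxy %s",
                    px_ctx->px_current->nodestr);
    return -1;
  }

  /* Parse out each value of the challenge needed to build the response. */

  /* realm (mandatory) */
  realm = digest_challenge_value(res, "realm=");
  if (!realm) {
    nsock_log_debug("Realm required for digest authentication for proxy %s",
                    px_ctx->px_current->nodestr);
    goto out;
  }

  /* nonce (mandatory) */
  nonce = digest_challenge_value(res, "nonce=");
  if (!nonce) {
    nsock_log_debug("Nonce required for digest authenticatoin for proxy %s",
                    px_ctx->px_current->nodestr);
    goto out;
  }

  /* opaque and qop are optional; a malformed one is treated as absent. */
  opaque = digest_challenge_value(res, "opaque=");
  qop = digest_challenge_value(res, "qop=");

  if (asprintf(&uri, "%s:%d", inet_ntop_ez(ss, sslen), (int)port) < 0) {
    nsock_log_debug("Asprintf failure, aborting proxy authentication");
    uri = NULL; /* contents are unspecified after a failed asprintf() */
    goto out;
  }

  /* Calculate H(A1) = MD5(user ":" realm ":" password). */
  MD5_Init(&md5);
  MD5_Update(&md5, user, strlen(user));
  MD5_Update(&md5, ":", 1);
  MD5_Update(&md5, realm, strlen(realm));
  MD5_Update(&md5, ":", 1);
  MD5_Update(&md5, pass, strlen(pass));
  MD5_Final(hashbuf, &md5);
  enhex(HA1_hex, hashbuf, sizeof(hashbuf));

  /* Calculate H(A2) = MD5("CONNECT" ":" uri). */
  MD5_Init(&md5);
  MD5_Update(&md5, "CONNECT", strlen("CONNECT"));
  MD5_Update(&md5, ":", 1);
  MD5_Update(&md5, uri, strlen(uri));
  MD5_Final(hashbuf, &md5);
  enhex(HA2_hex, hashbuf, sizeof(hashbuf));

  /* Calculate response */
  MD5_Init(&md5);
  MD5_Update(&md5, HA1_hex, strlen(HA1_hex));
  MD5_Update(&md5, ":", 1);
  MD5_Update(&md5, nonce, strlen(nonce));

  if (qop) {
    /* The client nonce must come from a seeded CSPRNG; give up otherwise.
     * These two exits used to leak every string allocated above. */
    if (!RAND_status())
      goto out;
    if (RAND_bytes(cnonce, sizeof(cnonce)) != 1)
      goto out;

    enhex(cnonce_buf, cnonce, sizeof(cnonce));
    MD5_Update(&md5, ":", 1);
    MD5_Update(&md5, "00000001", 8);
    MD5_Update(&md5, ":", 1);
    MD5_Update(&md5, cnonce_buf, strlen(cnonce_buf));
    MD5_Update(&md5, ":", 1);
    MD5_Update(&md5, qop, strlen(qop));
  }

  MD5_Update(&md5, ":", 1);
  MD5_Update(&md5, HA2_hex, strlen(HA2_hex));
  MD5_Final(hashbuf, &md5);
  enhex(response_hex, hashbuf, sizeof(hashbuf));

  if (qop && opaque) {
    /* "opaque=" previously carried a stray space before its value here,
     * unlike the opaque-only branch below. */
    nsock_printf(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                 "CONNECT %s HTTP/1.1\r\nProxy-Authorization: Digest "
                 "username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", "
                 "qop=%s, cnonce=\"%s\", nc=00000001, response=\"%s\", "
                 "opaque=\"%s\"\r\n\r\n",
                 uri, user, realm, nonce, uri, qop, cnonce_buf, response_hex,
                 opaque);
  } else if (qop) {
    nsock_printf(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                 "CONNECT %s HTTP/1.1\r\nProxy-Authorization: Digest "
                 "username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", "
                 "qop=%s, cnonce=\"%s\", nc=00000001, response=\"%s\"\r\n\r\n",
                 uri, user, realm, nonce, uri, qop, cnonce_buf, response_hex);
  } else if (opaque) {
    nsock_printf(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                 "CONNECT %s HTTP/1.1\r\nProxy-Authorization: Digest "
                 "username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", "
                 "response=\"%s\", opaque=\"%s\"\r\n\r\n",
                 uri, user, realm, nonce, uri, response_hex, opaque);
  } else {
    nsock_printf(nsp, (nsock_iod)nse->iod, nsock_proxy_ev_dispatch, timeout, udata,
                 "CONNECT %s HTTP/1.1\r\nProxy-Authorization: Digest "
                 "username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", "
                 "response=\"%s\"\r\n\r\n",
                 uri, user, realm, nonce, uri, response_hex);
  }

  rc = 0;

out:
  free(uri);
  free(nonce);
  free(realm);
  free(qop);
  free(opaque);

  return rc;
}

#else /* !HAVE_OPENSSL */

/* Digest needs MD5 and a CSPRNG from OpenSSL; without it this state can only
 * fail. Kept as a separate stub so the file does not reference MD5_* or
 * RAND_* in builds where the OpenSSL headers are not included. */
static int handle_state_unauthenticated_digest(struct npool *nsp, struct nevent *nse, void *udata, const char *res) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;

  (void)nsp;
  (void)udata;
  (void)res;

  nsock_log_debug("Digest authentication attempted without OpenSSL on proxy %s",
                  px_ctx->px_current->nodestr);
  return -1;
}

#endif /* HAVE_OPENSSL */

/* Handle the proxy's reply to an authenticated CONNECT.
 * Returns 0 when the hop is established, -EINVAL when the proxy answered 407
 * again (credentials rejected) or anything other than 200. */
static int handle_state_authentication_attempted(struct npool *nsp, struct nevent *nse, void *udata) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  char *res;
  int reslen;
  long status;

  res = nse_readbuf(nse, &reslen);

  /* Replies shorter than 15 bytes are not parsed at all. */
  status = (reslen >= 15) ? check_http_status_code(res) : -1;

  if (status == 407) {
    nsock_log_debug("Authentication failed for proxy %s", px_ctx->px_current->nodestr);
    return -EINVAL;
  }

  if (status != 200) {
    nsock_log_debug("Connection refused from proxy %s", px_ctx->px_current->nodestr);
    return -EINVAL;
  }

  proxy_http_hop_established(nsp, nse, udata);

  return 0;
}

/* Handle the proxy's reply to the first, unauthenticated CONNECT.
 *
 * On 407 the request is retried with credentials: Digest when the reply
 * mentions it and OpenSSL is available, Basic otherwise. Basic is therefore
 * sent to any proxy that answers 407 without "Digest" in its reply.
 *
 * Returns 0 on success, -EINVAL when the proxy refused, or the non-zero
 * result of the authentication handler. That result used to be discarded, so
 * a failed challenge parse left the connection waiting instead of reporting
 * a proxy error. */
static int handle_state_tcp_connected(struct npool *nsp, struct nevent *nse, void *udata) {
  struct proxy_chain_context *px_ctx = nse->iod->px_ctx;
  char *res;
  int reslen;
  long status;

  res = nse_readbuf(nse, &reslen);

  /* Replies shorter than 15 bytes are not parsed at all. */
  status = (reslen >= 15) ? check_http_status_code(res) : -1;

  if (status == 407) {
#ifdef HAVE_OPENSSL
    if (strstr(res, "Digest")) {
      px_ctx->px_state = PROXY_STATE_UNAUTHENTICATED_DIGEST;
      /* A failure here is reported as such; it does not fall through to
       * Basic, which would expose the password in reversible form. */
      return handle_state_unauthenticated_digest(nsp, nse, udata, res);
    }
#endif
    px_ctx->px_state = PROXY_STATE_UNAUTHENTICATED_BASIC;
    return handle_state_unauthenticated_basic(nsp, nse, udata);
  }

  if (status != 200) {
    nsock_log_debug("Connection refused from proxy %s", px_ctx->px_current->nodestr);
    return -EINVAL;
  }

  proxy_http_hop_established(nsp, nse, udata);

  return 0;
}

/* Event entry point for HTTP proxies: dispatch on the chain's current state.
 * Any non-zero handler result marks the event NSE_STATUS_PROXYERROR and
 * forwards it to the caller. An unknown state is fatal. */
static void proxy_http_handler(nsock_pool nspool, nsock_event nsevent, void *udata) {
  int rc = 0;
  struct npool *nsp = (struct npool *)nspool;
  struct nevent *nse = (struct nevent *)nsevent;

  switch (nse->iod->px_ctx->px_state) {
    case PROXY_STATE_INITIAL:
      rc = handle_state_initial(nsp, nse, udata);
      break;

    case PROXY_STATE_UNAUTHENTICATED_BASIC:
      rc = handle_state_unauthenticated_basic(nsp, nse, udata);
      break;

    case PROXY_STATE_UNAUTHENTICATED_DIGEST:
      /* No challenge text is available on this path, so this reports an
       * error (the handler returns -1 for a NULL challenge). */
      rc = handle_state_unauthenticated_digest(nsp, nse, udata, NULL);
      break;

    case PROXY_STATE_HTTP_TCP_CONNECTED:
      if (nse->type == NSE_TYPE_READ)
        rc = handle_state_tcp_connected(nsp, nse, udata);
      break;

    case PROXY_STATE_AUTHENTICATION_ATTEMPTED:
      if (nse->type == NSE_TYPE_READ)
        rc = handle_state_authentication_attempted(nsp, nse, udata);
      break;

    case PROXY_STATE_HTTP_TUNNEL_ESTABLISHED:
      forward_event(nsp, nse, udata);
      break;

    default:
      fatal("Invalid proxy state!");
  }

  if (rc) {
    nse->status = NSE_STATUS_PROXYERROR;
    forward_event(nsp, nse, udata);
  }
}

/* ---- PROXY DEFINITION ---- */
static const struct proxy_op ProxyOpsHttp = {
  proxy_http_node_new,
  proxy_http_node_delete,
  proxy_http_handler,
};

const struct proxy_spec ProxySpecHttp = {
  "http://",
  PROXY_TYPE_HTTP,
  &ProxyOpsHttp,
};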