Disable libproxy by default

Most people don't need to go through a proxy, but might have one
configured anyway for https because it's harmless. But it's _not_ actually
harmless for openconnect, because it'll prevent DTLS from working. So if
a user really needs proxy support, let them ask for it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

http.c

@@ -955,3 +955,37 @@ int process_proxy(struct openconnect_info *vpninfo, int ssl_sock)
 	return -EIO;
 }
 
+int set_http_proxy(struct openconnect_info *vpninfo, char *proxy)
+{
+	char *url = strdup(proxy);
+	int ret;
+
+	if (!url)
+		return -ENOMEM;
+
+	free(vpninfo->proxy_type);
+	vpninfo->proxy_type = NULL;
+	free(vpninfo->proxy);
+	vpninfo->proxy = NULL;
+
+	ret = parse_url(url, &vpninfo->proxy_type, &vpninfo->proxy,
+			&vpninfo->proxy_port, NULL, 80);
+	if (ret)
+		goto out;
+
+	if (vpninfo->proxy_type &&
+	    strcmp(vpninfo->proxy_type, "http") &&
+	    strcmp(vpninfo->proxy_type, "socks") &&
+	    strcmp(vpninfo->proxy_type, "socks5")) {
+		vpninfo->progress(vpninfo, PRG_ERR,
+				  "Only http or socks(5) proxies supported\n");
+		free(vpninfo->proxy_type);
+		vpninfo->proxy_type = NULL;
+		free(vpninfo->proxy);
+		vpninfo->proxy = NULL;
+		return -EINVAL;
+	}
+ out:
+	free(url);
+	return ret;
+}

main.c

@@ -94,6 +94,7 @@ static struct option long_options[] = {
 	{"csd-user", 1, 0, 0x04},
 	{"disable-ipv6", 0, 0, 0x05},
 	{"no-proxy", 0, 0, 0x06},
+	{"libproxy", 0, 0, 0x07},
 	{NULL, 0, 0, 0},
 };
 
@@ -120,6 +121,10 @@ void usage(void)
 	printf("      --key-password-from-fsid    Key passphrase is fsid of file system\n");
 	printf("  -P, --proxy=URL                 Set proxy server\n");
 	printf("      --no-proxy                  Disable proxy\n");
+	printf("      --libproxy                  Use libproxy to automatically configure proxy\n");
+#ifndef OPENCONNECT_LIBPROXY
+	printf("                                  (NOTE: libproxy disabled in this build)\n");
+#endif
 	printf("  -q, --quiet                     Less output\n");
 	printf("  -Q, --queue-len=LEN             Set packet queue limit to LEN pkts\n");
 	printf("  -s, --script=SCRIPT             Use vpnc-compatible config script\n");
@@ -176,7 +181,8 @@ int main(int argc, char **argv)
 	struct sigaction sa;
 	int cookieonly = 0;
 	int use_syslog = 0;
-	int autoproxy = 1;
+	char *proxy = NULL;
+	int autoproxy = 0;
 	uid_t uid = getuid();
 	int opt;
 
@@ -306,31 +312,21 @@ int main(int argc, char **argv)
 		case 'p':
 			vpninfo->cert_password = optarg;
 			break;
-		case 'P': {
-			char *url = strdup(optarg);
-
-			free(vpninfo->proxy_type);
-			vpninfo->proxy_type = NULL;
-			free(vpninfo->proxy);
-			vpninfo->proxy = NULL;
-
-			parse_url(url, &vpninfo->proxy_type, &vpninfo->proxy,
-				  &vpninfo->proxy_port, NULL, 80);
-			if (vpninfo->proxy_type &&
-			    strcmp(vpninfo->proxy_type, "http") &&
-			    strcmp(vpninfo->proxy_type, "socks") &&
-			    strcmp(vpninfo->proxy_type, "socks5")) {
-				fprintf(stderr, "Only http or socks[5] proxy scheme supported\n");
-				exit(1);
-			}
+		case 'P': 
+			proxy = optarg;
 			autoproxy = 0;
-			free(url);
 			break;
-		}
 		case 0x06:
 			autoproxy = 0;
-			free(vpninfo->proxy);
-			vpninfo->proxy = NULL;
+			proxy = NULL;
+		case 0x07:
+#ifndef OPENCONNECT_LIBPROXY
+			fprintf(stderr, "This version of openconnect was built without libproxy support\n");
+			exit(1);
+#endif
+			autoproxy = 1;
+			proxy = NULL;
+			break;
 		case 's':
 			vpninfo->vpnc_script = optarg;
 			break;
@@ -403,10 +399,6 @@ int main(int argc, char **argv)
 			usage();
 		}
 	}
-#ifdef OPENCONNECT_LIBPROXY
-	if (autoproxy)
-		vpninfo->proxy_factory = px_proxy_factory_new();
-#endif
 
 	if (optind != argc - 1) {
 		fprintf(stderr, "No server specified\n");
@@ -416,12 +408,20 @@ int main(int argc, char **argv)
 	if (!vpninfo->sslkey)
 		vpninfo->sslkey = vpninfo->cert;
 
+	vpninfo->progress = write_progress;
+
+#ifdef OPENCONNECT_LIBPROXY
+	if (autoproxy)
+		vpninfo->proxy_factory = px_proxy_factory_new();
+#endif
+	if (proxy && set_http_proxy(vpninfo, proxy))
+		exit(1);
+
 	if (use_syslog) {
 		openlog("openconnect", LOG_PID, LOG_DAEMON);
 		vpninfo->progress = syslog_progress;
-	} else {
-		vpninfo->progress = write_progress;
 	}
+
 	memset(&sa, 0, sizeof(sa));
 	sa.sa_handler = handle_sigusr;
 

nm-auth-dialog.c

@@ -1394,7 +1394,7 @@ static auth_ui_data *init_ui_data (char *vpn_name)
 	ui_data->vpninfo->validate_peer_cert = validate_peer_cert;
 	ui_data->vpninfo->vpn_name = vpn_name;
 	ui_data->vpninfo->process_auth_form = nm_process_auth_form;
-#ifdef OPENCONNECT_LIBPROXY
+#if 0
 	ui_data->vpninfo->proxy_factory = px_proxy_factory_new();
 #endif
 

openconnect.8

@@ -69,6 +69,9 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .B --no-proxy
 ]
 [
+.B --libproxy
+]
+[
 .B --key-password-from-fsid
 ]
 [
@@ -234,6 +237,9 @@ Use HTTP proxy for connection
 .B --no-proxy
 Disable use of HTTP proxy
 .TP
+.B --libproxy
+Use libproxy to configure proxy automatically (when built with libproxy support)
+.TP
 .B --key-password-from-fsid
 Passphrase for certificate file is automatically generated from the fsid of
 the file system on which it is stored

openconnect.h

@@ -335,6 +335,7 @@ char *openconnect_create_useragent(char *base);
 int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
 int parse_url(char *url, char **res_proto, char **res_host, int *res_port,
 	      char **res_path, int default_port);
+int set_http_proxy(struct openconnect_info *vpninfo, char *proxy);
 
 /* ssl_ui.c */
 int set_openssl_ui(void);