Add libproxy support, conditionally

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Makefile

@@ -59,6 +59,12 @@ ifneq ($(IF_TUN_HDR),)
 CFLAGS_tun.o += -DIF_TUN_HDR=\"$(patsubst $(SYSTEM_INCLUDES)/%,%,$(IF_TUN_HDR))\"
 endif
 
+LIBPROXY := $(firstword $(wildcard $(SYSTEM_INCLUDES)/libproxy/proxy.h))
+ifneq ($(LIBPROXY),)
+CFLAGS += -DOPENCONNECT_LIBPROXY
+LDFLAGS += -lproxy
+endif
+
 OPENCONNECT_OBJS := main.o $(SSL_UI) xml.o
 CONNECTION_OBJS := dtls.o cstp.o mainloop.o tun.o 
 AUTH_OBJECTS := ssl.o http.o version.o securid.o auth.o

dtls.c

@@ -118,7 +118,13 @@ int connect_dtls_socket(struct openconnect_info *vpninfo)
 		vpninfo->dtls_attempt_period = 0;
 		return -EINVAL;
 	}
-
+
+	if (vpninfo->proxy) {
+		vpninfo->progress(vpninfo, PRG_ERR, "No DTLS when connected via HTTP proxy\n");
+		vpninfo->dtls_attempt_period = 0;
+		return -EINVAL;
+	}
+
 	dtls_fd = socket(vpninfo->peer_addr->sa_family, SOCK_DGRAM, IPPROTO_UDP);
 	if (dtls_fd < 0) {
 		perror("Open UDP socket for DTLS:");

main.c

@@ -37,6 +37,7 @@
 #include <sys/utsname.h>
 #include <sys/types.h>
 #include <openssl/rand.h>
+#include <libproxy/proxy.h>
 
 #define _GNU_SOURCE
 #include <getopt.h>
@@ -173,6 +174,7 @@ int main(int argc, char **argv)
 	struct sigaction sa;
 	int cookieonly = 0;
 	int use_syslog = 0;
+	int autoproxy = 1;
 	uid_t uid = getuid();
 	int opt;
 
@@ -305,17 +307,19 @@ int main(int argc, char **argv)
 		case 'P': {
 			char *url = strdup(optarg);
 			char *scheme;
+
+			autoproxy = 0;
 			parse_url(url, &scheme, &vpninfo->proxy, &vpninfo->proxy_port, NULL, 80);
 			if (scheme && strcmp(scheme, "http")) {
 				fprintf(stderr, "Non-http proxy not supported\n");
 				exit(1);
 			}
 			free(scheme);
 			free(url);
-			vpninfo->dtls_attempt_period = 0;
 			break;
 		}
 		case 0x06:
+			autoproxy = 0;
 			free(vpninfo->proxy);
 			vpninfo->proxy = NULL;
 		case 's':
@@ -390,6 +394,11 @@ int main(int argc, char **argv)
 			usage();
 		}
 	}
+#ifdef OPENCONNECT_LIBPROXY
+	if (autoproxy)
+		vpninfo->proxy_factory = px_proxy_factory_new();
+#endif
+
 	if (optind != argc - 1) {
 		fprintf(stderr, "No server specified\n");
 		usage();

nm-auth-dialog.c

@@ -1386,6 +1386,9 @@ static auth_ui_data *init_ui_data (char *vpn_name)
 	ui_data->vpninfo->validate_peer_cert = validate_peer_cert;
 	ui_data->vpninfo->vpn_name = vpn_name;
 	ui_data->vpninfo->process_auth_form = nm_process_auth_form;
+#ifdef OPENCONNECT_LIBPROXY
+	ui_data->vpninfo->proxy_factory = px_proxy_factory_new();
+#endif
 
 	return ui_data;
 }

openconnect.h

@@ -34,6 +34,10 @@
 #include <sys/time.h>
 #include <sys/types.h>
 #include <unistd.h>
+#ifdef OPENCONNECT_LIBPROXY
+#include <libproxy/proxy.h>
+#endif
+
 
 /****************************************************************************/
 
@@ -143,6 +147,9 @@ struct openconnect_info {
 	char sid_tokencode[9];
 	char sid_nexttokencode[9];
 
+#ifdef OPENCONNECT_LIBPROXY
+	pxProxyFactory *proxy_factory;
+#endif
 	char *proxy;
 	int proxy_port;
 

openconnect.html

@@ -88,6 +88,7 @@ <H2>Supported Platforms</H2>
 
 <H2>Features</H2>
 <UL>
+  <LI>Connection through HTTP proxy, including <A HREF="http://code.google.com/p/libproxy/">libproxy</A> support for automatic proxy configuration.</LI>
   <LI>Automatic detection of IPv4 and IPv6 address, routes.</LI>
   <LI>Authentication via HTTP forms.</LI>
       <LI>Authentication using SSL certificates, from local file or <A HREF="http://en.wikipedia.org/wiki/Trusted_Platform_Module">Trusted Platform Module</A>.</LI>
@@ -143,6 +144,7 @@ <H2>Mailing list</H2>
 
 <H2>TODO</H2>
 <UL>
+  <LI>SOCKS proxy support.</LI>
   <LI>Testing IPv6 on more platforms (only Linux, FreeBSD, Solaris are tested so far).</LI>
   <LI>Better support for running or emulating the 'Cisco Secure Desktop' trojan.</LI>
   <LI>More platform support: Windows, Symbian, etc.</LI>
@@ -295,6 +297,7 @@ <H2>Requirements</H2>
   <LI><B>OpenSSL</B> &mdash; all versions from 0.9.7 onwards will work for basic connectivity, but see note on DTLS compatibility below.</LI>
   <LI><B>libxml2</B></LI>
   <LI><B>zlib</B></LI>
+  <LI><B><A HREF="http://code.google.com/p/libproxy/">libproxy</A></B></LI>
 </UL>
 Mac OS X users will also need to install the
 <A HREF="http://tuntaposx.sourceforge.net/">Mac OS X tun/tap driver</A>, and Solaris users will need the <A HREF="http://www.whiteboard.ne.jp/~admin2/tuntap/">Solaris one</A>. Note that for IPv6 support, the Solaris tun/tap driver from 16th Nov 2009 or newer is required.<P>

ssl.c

@@ -510,6 +510,38 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 		   this way than if we pass NULL to getaddrinfo() and
 		   then try to fill in the numeric value into
 		   different types of returned sockaddr_in{6,}. */
+#ifdef OPENCONNECT_LIBPROXY
+		if (vpninfo->proxy_factory) {
+			char *url;
+			char **proxies;
+			int i = 0;
+
+			free(vpninfo->proxy);
+			vpninfo->proxy = NULL;
+
+			if (vpninfo->port == 443)
+				asprintf(&url, "https://%s/%s", vpninfo->hostname,
+					 vpninfo->urlpath?:"");
+			else
+				asprintf(&url, "https://%s:%d/%s", vpninfo->hostname,
+					 vpninfo->port, vpninfo->urlpath?:"");
+
+			proxies = px_proxy_factory_get_proxies(vpninfo->proxy_factory,
+							       url);
+
+			while (proxies && proxies[i]) {
+				if (!vpninfo->proxy && !strncmp(proxies[i], "http://", 7))
+					parse_url(proxies[i], NULL, &vpninfo->proxy,
+						  &vpninfo->proxy_port, NULL, 0);
+				i++;
+			}
+			free(url);
+			free(proxies);
+			if (vpninfo->proxy)
+				vpninfo->progress(vpninfo, PRG_TRACE, "Proxy from libproxy: http://%s:%d/\n",
+						  vpninfo->proxy, vpninfo->port);
+		}
+#endif
 		if (vpninfo->proxy) {
 			hostname = vpninfo->proxy;
 			snprintf(port, 5, "%d", vpninfo->proxy_port);