Avoid sleep on service thread sync

Added:
-H option - expect HAProxy proxy v1 header, e.g. `proxy -H`

parent ha type - send HAProxy proxy v1 header (must be last in redirection), e.g.

allow *
parent 1000 ha
parent 1000 proxy 1.2.3.4 3128
socks

.github/workflows/c-cpp.yml

@@ -0,0 +1,50 @@
+name: C/C++ CI
+
+on:
+  push:
+    branches: [ "master" ]
+    paths: [ '**.c', '**.h', 'Makefile.**', '.github/configs', '.github/workflows/c-cpp.yml' ]
+  pull_request:
+    branches: [ "master" ]
+    paths: [ '**.c', '**.h', 'Makefile.**', '.github/configs', '.github/workflows/c-cpp.yml' ]
+
+jobs:
+  ci:
+    name: "${{ matrix.target }}"
+    strategy:
+      matrix:
+        target:
+          - ubuntu-latest
+          - ubuntu-24.04-arm
+          - macos-15
+          - windows-2022
+    runs-on: ${{ matrix.target }}
+    steps:
+    - uses: actions/checkout@v4
+#    - name: configure
+#      run: ./configure
+    - name: ln Linux
+      if: ${{ startsWith(matrix.target, 'ubuntu') }}
+      run: ln -s Makefile.Linux Makefile
+    - name: ln Mac
+      if: ${{ startsWith(matrix.target, 'macos') }}
+      run: ln -s Makefile.FreeBSD Makefile
+    - name: ln Windows
+      if: ${{ startsWith(matrix.target, 'windows') }}
+      run: copy Makefile.win Makefile
+    - name: dirs Windows
+      if: ${{ startsWith(matrix.target, 'windows') }}
+      run: cmd /C 'echo LIBS := -L "c:/program files/openssl/lib" $(LIBS) >>Makefile.win && echo CFLAGS := -I "c:/program files/openssl/include" $(CFLAGS) >>Makefile.win && type Makefile.win'
+    - name: SSLPlugin Linux
+      if: ${{ startsWith(matrix.target, 'ubuntu') }}
+      run: 'echo PLUGINS := $(PLUGINS) SSLPlugin >>Makefile & echo LIBS := $(LIBS) -lcrypto -lssl >>Makefile'
+    - name: make
+      run: make
+    - name: mkdir
+      if: ${{ startsWith(matrix.target, 'ubuntu') }}
+      run: mkdir ~/3proxy
+    - name: make install
+      if: ${{ startsWith(matrix.target, 'ubuntu') }}
+      run: make DESTDIR=~/3proxy install
+    - name: make clean
+      run: make clean

Makefile.llvm

@@ -10,13 +10,13 @@
 
 BUILDDIR = ../bin/
 CC = clang
-CFLAGS = -O2 -fno-strict-aliasing -c -pthread -static -DWITH_STD_MALLOC -DNOIPV6
+CFLAGS = -O2 -fno-strict-aliasing -c -pthread -DWITH_STD_MALLOC -DWITH_WSAPOLL
 COUT = -o 
 LN = $(CC)
-LDFLAGS = -O2 -fno-strict-aliasing -static -s
+LDFLAGS = -O2 -fno-strict-aliasing -s
 DLFLAGS = -shared
 DLSUFFICS = .dll
-LIBS = -lws2_32 -lodbc32 -ladvapi32
+LIBS = -lws2_32 -lodbc32 -ladvapi32 -luser32 -lcrypto -lssl
 LIBSPREFIX = -l
 LIBSSUFFIX = 
 LNOUT = -o 
@@ -28,10 +28,19 @@ REMOVECOMMAND = rm -f
 AFTERCLEAN = find src/ -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete
 TYPECOMMAND = cat
 COMPATLIBS =
-MAKEFILE = Makefile.win
+MAKEFILE = Makefile.llvm
-PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin
+PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin SSLPlugin
+VERFILE := 3proxy.res $(VERFILE)
+VERSION := $(VERSION)
+VERSIONDEP := 3proxy.res $(VERSIONDEP)
+BUILDDATE := $(BUILDDATE)
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find . -type f -name "*.res" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 
 include Makefile.inc
 
+3proxy.res:
+	llvm-rc 3proxy.rc
+
 allplugins:
-	for /D %%i in ($(PLUGINS)) do (copy Makefile plugins\%%i && copy Makefile.var plugins\%%i && cd plugins\%%i && nmake && del *.o &&cd ..\..)
+	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done
+

Makefile.win

@@ -10,13 +10,13 @@
 
 BUILDDIR = ../bin/
 CC = gcc
-CFLAGS = -O2 -s -c -mthreads -DWITH_STD_MALLOC -DNOIPV6 -DNORADIUS
+CFLAGS = -O2 -s -c -mthreads -DWITH_STD_MALLOC -DWITH_WSAPOLL 
 COUT = -o 
 LN = gcc
 LDFLAGS = -O2 -s -mthreads
 DLFLAGS = -shared
 DLSUFFICS = .dll
-LIBS = -lws2_32 -lodbc32 -ladvapi32
+LIBS = -lws2_32 -lodbc32 -ladvapi32 -luser32 -lcrypto -lssl
 LIBSPREFIX = -l
 LIBSSUFFIX = 
 LNOUT = -o 
@@ -28,9 +28,18 @@ REMOVECOMMAND = rm -f
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.win
-PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin
+PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin SSLPLugin
+VERFILE := 3proxyres.o $(VERFILE)
+VERSION := $(VERSION)
+VERSIONDEP := 3proxyres.o $(VERSIONDEP)
+BUILDDATE := $(BUILDDATE)
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find . -type f -name "*.res" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 
 include Makefile.inc
 
+3proxyres.o:
+	windres 3proxy.rc -o 3proxyres.o
+
 allplugins:
-	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;  rm *.o ; cd ../.. ; done
+	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done
+

README

@@ -4,20 +4,22 @@
 
 Branches:
 Master (stable) branch - 3proxy 0.9 
-Devel branch - 3proxy 10
+Devel branch - 3proxy 10 (don't use it)
 
 
-Download: 
+* Download
-	Binaries for released (master) versions (Windows, Linux):
+	Binaries and sources for released (master) versions (Windows, Linux):
 	https://github.com/z3APA3A/3proxy/releases
-	Binaries for devel version (Windows, Linux):
+
-	https://3proxy.org/download/devel/
 	Docker images:
 	https://hub.docker.com/repository/docker/3proxy/3proxy
-Archive of old versions: https://github.com/z3APA3A/3proxy-archive
+	Archive of old versions: https://github.com/z3APA3A/3proxy-archive
 
+* Documentation
+	Documentation (man pages and HTML) available with download, on https://3proxy.org/
+	and in github wiki https://github.com/3proxy/3proxy/wiki
 
-Windows installation:
+* Windows installation
 
 3proxy --install 
 	
@@ -29,7 +31,9 @@ Windows installation:
 	removes the service (should be stopped before via
 	'net stop 3proxy').
 
-To build in Linux install git and build-essential packages, use
+* To build in Linux
+
+install git and build-essential packages, use
 
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
@@ -54,7 +58,14 @@ usage: /etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidt
 
 or modify /etc/3proxy/conf/ files directly.
 
-Please read doc/html/index.html and man pages.
+* For MacOS X / FreeBSD / *BSD
+
+git clone https://github.com/z3apa3a/3proxy
+cd 3proxy
+ln -s Makefile.FreeBSD Makefile
+make
+
+(binaries are in bin/ directory)
 
  Features:
   1. General

src/3proxy.c

@@ -521,6 +521,14 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 #ifndef NORADIUS
   pthread_mutex_init(&rad_mutex, NULL);
 #endif
+#ifdef _WIN32
+  if(!CreatePipe(&conf.threadinit[0], &conf.threadinit[1], NULL, 1)){
+#else
+  if(pipe(conf.threadinit)) {
+#endif
+    fprintf(stderr, "CreatePipe failed\n");
+    return 1;
+  };
 
   freeconf(&conf);
   res = readconfig(fp);

src/Makefile.inc

@@ -144,18 +144,12 @@ $(BUILDDIR)mycrypt$(EXESUFFICS): md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycryptmain$(
 md4$(OBJSUFFICS):  libs/md4.h libs/md4.c
 	$(CC) $(COUT)md4$(OBJSUFFICS) $(CFLAGS) libs/md4.c
 
-smbdes$(OBJSUFFICS):  libs/smbdes.c
-	$(CC) $(COUT)smbdes$(OBJSUFFICS) $(CFLAGS) libs/smbdes.c
-
 md5$(OBJSUFFICS):  libs/md5.h libs/md5.c
 	$(CC) $(COUT)md5$(OBJSUFFICS) $(CFLAGS) libs/md5.c
 
-ntlm$(OBJSUFFICS):  ntlm.c
-	$(CC) $(COUT)ntlm$(OBJSUFFICS) $(CFLAGS) ntlm.c
-
 stringtable$(OBJSUFFICS):  stringtable.c
 	$(CC) $(COUT)stringtable$(OBJSUFFICS) $(CFLAGS) stringtable.c
 
-$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycrypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) smbdes$(OBJSUFFICS) ntlm$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
+$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycrypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
-	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) mycrypt$(OBJSUFFICS) md5$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) smbdes$(OBJSUFFICS) ntlm$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) mycrypt$(OBJSUFFICS) md5$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 

src/auth.c

@@ -222,6 +222,7 @@ int handleredirect(struct clientparam * param, struct ace * acentry){
 	int weight = 1000;
 	int res;
 	int done = 0;
+	int ha = 0;
 	struct chain * cur;
 	struct chain * redir = NULL;
 	int r2;
@@ -278,6 +279,7 @@ int handleredirect(struct clientparam * param, struct ace * acentry){
 				return 0;
 			}
 			else if(SAISNULL(&cur->addr) && !*SAPORT(&cur->addr)){
+				int i;
 				if(cur->extuser){
 					if(param->extusername)
 						myfree(param->extusername);
@@ -289,27 +291,18 @@ int handleredirect(struct clientparam * param, struct ace * acentry){
 					}
 					if(*cur->extuser == '*' && !param->username) return 4;
 				}
-				switch(cur->type){
+				
-					case R_POP3:
+				for(i=0; redirs[i].name; i++){
-						param->redirectfunc = pop3pchild;
+				    if(cur->type == redirs[i].redir) {
-						break;
+					param->redirectfunc = redirs[i].func;
-					case R_FTP:
+					break;
-						param->redirectfunc = ftpprchild;
+				    }
-						break;
+				}
-					case R_ADMIN:
+				if(cur->type == R_HA){
-						param->redirectfunc = adminchild;
+				    ha = 1;
-						break;
-					case R_SMTP:
-						param->redirectfunc = smtppchild;
-						break;
-					case R_TLS:
-						param->redirectfunc = tlsprchild;
-						break;
-					default:
-						param->redirectfunc = proxychild;
 				}
 				if(cur->next)continue;
-				return 0;
+				if(!ha) return 0;
 			}
 			else if(!*SAPORT(&cur->addr) && !SAISNULL(&cur->addr)) {
 				unsigned short port = *SAPORT(&param->sinsr);
@@ -324,6 +317,21 @@ int handleredirect(struct clientparam * param, struct ace * acentry){
 			if((res = alwaysauth(param))){
 				return (res >= 10)? res : 60+res;
 			}
+			if(ha) {
+			    char buf[128];
+			    int len; 
+			    len = sprintf(buf, "PROXY %s ",
+				*SAFAMILY(&param->sincr) == AF_INET6 ? "TCP6" : "TCP4");
+			    len += myinet_ntop(*SAFAMILY(&param->sincr), SAADDR(&param->sincr), buf+len, sizeof(param->sincr));
+			    buf[len++] = ' ';
+			    len += myinet_ntop(*SAFAMILY(&param->sincl), SAADDR(&param->sincl), buf+len, sizeof(param->sincl));
+			    len += sprintf(buf + len, " %hu %hu\r\n",
+				ntohs(*SAPORT(&param->sincr)),
+				ntohs(*SAPORT(&param->sincl))
+			    );
+			    if(socksend(param, param->remsock, (unsigned char *)buf, len, conf.timeouts[CHAIN_TO])!=len) return 39;
+			    return 0;
+			}
 		}
 		else {
 			res = (redir)?clientnegotiate(redir, param, (struct sockaddr *)&cur->addr, cur->exthost):0;
@@ -963,15 +971,6 @@ int strongauth(struct clientparam * param){
 				else if (!param->pwtype && param->password && !strcmp((char *)param->password, (char *)pwl->password)){
 					break;
 				}
-#ifndef NOCRYPT
-				else if (param->pwtype == 2 && param->password) {
-					ntpwdhash(buf, pwl->password, 0);
-					mschap(buf, param->password, buf + 16);
-					if(!memcmp(buf+16, param->password+8, 24)) {
-						break;
-					}
-				}
-#endif
 				pthread_mutex_unlock(&pwl_mutex);
 				return 6;
 #ifndef NOCRYPT
@@ -985,13 +984,6 @@ int strongauth(struct clientparam * param){
 				if(param->password && !param->pwtype && !memcmp(pwl->password, ntpwdhash(buf,param->password, 1), 32)) {
 					break;
 				}
-				else if (param->pwtype == 2){
-					fromhex(pwl->password, buf, 16);
-					mschap(buf, param->password, buf + 16);
-					if(!memcmp(buf + 16, param->password+8, 24)) {
-						break;
-					}
-				}
 				pthread_mutex_unlock(&pwl_mutex);
 				return 8;
 #endif				

src/auto.c

@@ -23,6 +23,7 @@ void * autochild(struct clientparam* param) {
 	dolog(param, (unsigned char *)"");
     }
     if(*param->clibuf == 4 || *param->clibuf == 5) return sockschild(param);
+    if(*param->clibuf == 22) return tlsprchild(param);
     return proxychild(param);
 }
 

src/common.c

@@ -93,6 +93,7 @@ char *rotations[] = {
 
 
 struct extparam conf = {
+	{0, 0},
 	{1, 5, 30, 60, 180, 1800, 15, 60, 15, 5, 0, 0},
 	NULL,
 	NULL,
@@ -101,7 +102,7 @@ struct extparam conf = {
 	NULL,
 	NULL,
 	0,
-	0, -1, 0, 0, 0, 0, 
+	-1, 0, 0, 0, 0, 
 	0, 500, 0, 0, 0, 0, 0, 0, 2,
 	0, 0, 0,
 	6, 600,

src/conf.c

@@ -150,8 +150,8 @@ int start_proxy_thread(struct child * chp){
 #ifdef _WIN32
   HANDLE h;
 #endif
+  char r[1];
 
-	conf.threadinit = 1;
 #ifdef _WIN32
 #ifndef _WINCE
 	h = (HANDLE)_beginthreadex((LPSECURITY_ATTRIBUTES )NULL, 16384+conf.stacksize, (void *)startsrv, (void *) chp, (DWORD)0, &thread);
@@ -166,7 +166,14 @@ int start_proxy_thread(struct child * chp){
 	pthread_create(&thread, &pa, startsrv, (void *)chp);
 	pthread_attr_destroy(&pa);
 #endif
-	while(conf.threadinit)usleep(SLEEPTIME);
+#ifdef _WIN32
+	ReadFile(conf.threadinit[0], r, 1, NULL, NULL);
+#else
+	while(read(conf.threadinit[0], r, 1) !=1) if(errno != EINTR) {
+	    fprintf(stderr, "pipe failed\n");
+	    return 40;
+	}
+#endif
 	if(haveerror)  {
 		fprintf(stderr, "Service not started on line: %d%s\n", linenum, haveerror == 2? ": insufficient memory":"");
 		return(40);
@@ -729,10 +736,34 @@ static int h_monitor(int argc, unsigned char **argv){
 	return 0;
 }
 
+
+struct redirdesc redirs[] = {
+    {R_TCP, "tcp", tcppmchild},
+    {R_CONNECT, "connect", proxychild},
+    {R_SOCKS4, "socks4", sockschild},
+    {R_SOCKS5, "socks5", sockschild},
+    {R_HTTP, "http", proxychild},
+    {R_POP3, "pop3", pop3pchild},
+    {R_SMTP, "smtp", smtppchild},
+    {R_FTP, "ftp", ftpprchild},
+    {R_CONNECTP, "connect+", proxychild},
+    {R_SOCKS4P, "socks4+", sockschild},
+    {R_SOCKS5P, "socks5+", sockschild},
+    {R_SOCKS4B, "socks4b", sockschild},
+    {R_SOCKS5B, "socks5b", sockschild},
+    {R_ADMIN, "admin", adminchild},
+    {R_EXTIP, "extip", NULL},
+    {R_TLS, "tls", tlsprchild},
+    {R_HA, "ha", NULL},
+    {R_DNS, "dns", dnsprchild},
+    {0, NULL, NULL}
+};
+
 static int h_parent(int argc, unsigned char **argv){
   struct ace *acl = NULL;
   struct chain *chains;
   char * cidr;
+  int i;
 
 	acl = conf.acl;
 	while(acl && acl->next) acl = acl->next;
@@ -752,23 +783,13 @@ static int h_parent(int argc, unsigned char **argv){
 		fprintf(stderr, "Chaining error: bad chain weight %u line %d\n", chains->weight, linenum);
 		return(3);
 	}
-	if(!strcmp((char *)argv[2], "tcp"))chains->type = R_TCP;
+	for(i = 0; redirs[i].name ; i++){
-	else if(!strcmp((char *)argv[2], "http"))chains->type = R_HTTP;
+	    if(!strcmp((char *)argv[2], redirs[i].name)) {
-	else if(!strcmp((char *)argv[2], "connect"))chains->type = R_CONNECT;
+		chains->type = redirs[i].redir;
-	else if(!strcmp((char *)argv[2], "socks4"))chains->type = R_SOCKS4;
+		break;
-	else if(!strcmp((char *)argv[2], "socks5"))chains->type = R_SOCKS5;
+	    }
-	else if(!strcmp((char *)argv[2], "connect+"))chains->type = R_CONNECTP;
+	}
-	else if(!strcmp((char *)argv[2], "socks4+"))chains->type = R_SOCKS4P;
+	if(!redirs[i].name) {
-	else if(!strcmp((char *)argv[2], "socks5+"))chains->type = R_SOCKS5P;
-	else if(!strcmp((char *)argv[2], "socks4b"))chains->type = R_SOCKS4B;
-	else if(!strcmp((char *)argv[2], "socks5b"))chains->type = R_SOCKS5B;
-	else if(!strcmp((char *)argv[2], "pop3"))chains->type = R_POP3;
-	else if(!strcmp((char *)argv[2], "tls"))chains->type = R_TLS;
-	else if(!strcmp((char *)argv[2], "ftp"))chains->type = R_FTP;
-	else if(!strcmp((char *)argv[2], "admin"))chains->type = R_ADMIN;
-	else if(!strcmp((char *)argv[2], "extip"))chains->type = R_EXTIP;
-	else if(!strcmp((char *)argv[2], "smtp"))chains->type = R_SMTP;
-	else {
 		fprintf(stderr, "Chaining error: bad chain type (%s)\n", argv[2]);
 		return(4);
 	}

src/datatypes.c

@@ -325,24 +325,12 @@ static void * ef_chain_next(struct node * node){
 }
 
 static void * ef_chain_type(struct node * node){
-	switch (((struct chain *)node->value) -> type) {
+	int i;
-		case R_TCP:
+	
-			return "tcp";
+	for(i=0; redirs[i].name; i++){
-		case R_CONNECT:
+	    if(((struct chain *)node->value) -> type == redirs[i].redir) return redirs[i].name;
-			return "connect";
-		case R_SOCKS4:
-			return "socks4";
-		case R_SOCKS5:
-			return "socks5";
-		case R_HTTP:
-			return "http";
-		case R_FTP:
-			return "ftp";
-		case R_POP3:
-			return "pop3";
-		default:
-			return "";
 	}
+	return "";
 }
 
 static void * ef_chain_addr(struct node * node){

src/libs/regex.h

@@ -1,74 +0,0 @@
-/*
-
-  Minimal version of Henry Spencer's regex library 
-  with minor modifications
-
-*/
-
-
-#ifndef _REGEX_H_
-#define	_REGEX_H_
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef off_t regoff_t;
-typedef struct {
-	int re_magic;
-	size_t re_nsub;		/* number of parenthesized subexpressions */
-	const char *re_endp;	/* end pointer for REG_PEND */
-	struct re_guts *re_g;	/* none of your business :-) */
-} regex_t;
-typedef struct {
-	regoff_t rm_so;		/* start of match */
-	regoff_t rm_eo;		/* end of match */
-} regmatch_t;
-
-
-extern int regcomp(regex_t *, const char *, int);
-#define	REG_BASIC	0000
-#define	REG_EXTENDED	0001
-#define	REG_ICASE	0002
-#define	REG_NOSUB	0004
-#define	REG_NEWLINE	0010
-#define	REG_NOSPEC	0020
-#define	REG_PEND	0040
-#define	REG_DUMP	0200
-
-
-#define	REG_OKAY	 0
-#define	REG_NOMATCH	 1
-#define	REG_BADPAT	 2
-#define	REG_ECOLLATE	 3
-#define	REG_ECTYPE	 4
-#define	REG_EESCAPE	 5
-#define	REG_ESUBREG	 6
-#define	REG_EBRACK	 7
-#define	REG_EPAREN	 8
-#define	REG_EBRACE	 9
-#define	REG_BADBR	10
-#define	REG_ERANGE	11
-#define	REG_ESPACE	12
-#define	REG_BADRPT	13
-#define	REG_EMPTY	14
-#define	REG_ASSERT	15
-#define	REG_INVARG	16
-#define	REG_ATOI	255	/* convert name to number (!) */
-#define	REG_ITOA	0400	/* convert number to name (!) */
-
-
-extern int regexec(const regex_t *, const char *, size_t, regmatch_t [], int);
-#define	REG_NOTBOL	00001
-#define	REG_NOTEOL	00002
-#define	REG_STARTEND	00004
-#define	REG_TRACE	00400	/* tracing of execution */
-#define	REG_LARGE	01000	/* force large representation */
-#define	REG_BACKR	02000	/* force use of backref code */
-
-
-extern void regfree(regex_t *);
-
-#ifdef __cplusplus
-}
-#endif
-#endif

src/libs/smbdes.c

@@ -1,321 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-
-   a partial implementation of DES designed for use in the 
-   SMB authentication protocol
-
-   Copyright (C) Andrew Tridgell 1998
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include <string.h>
-#include <ctype.h>
-
-
-#define uchar unsigned char
-
-static const uchar perm1[56] = {57, 49, 41, 33, 25, 17,  9,
-			 1, 58, 50, 42, 34, 26, 18,
-			10,  2, 59, 51, 43, 35, 27,
-			19, 11,  3, 60, 52, 44, 36,
-			63, 55, 47, 39, 31, 23, 15,
-			 7, 62, 54, 46, 38, 30, 22,
-			14,  6, 61, 53, 45, 37, 29,
-			21, 13,  5, 28, 20, 12,  4};
-
-static const uchar perm2[48] = {14, 17, 11, 24,  1,  5,
-                         3, 28, 15,  6, 21, 10,
-                        23, 19, 12,  4, 26,  8,
-                        16,  7, 27, 20, 13,  2,
-                        41, 52, 31, 37, 47, 55,
-                        30, 40, 51, 45, 33, 48,
-                        44, 49, 39, 56, 34, 53,
-                        46, 42, 50, 36, 29, 32};
-
-static const uchar perm3[64] = {58, 50, 42, 34, 26, 18, 10,  2,
-			60, 52, 44, 36, 28, 20, 12,  4,
-			62, 54, 46, 38, 30, 22, 14,  6,
-			64, 56, 48, 40, 32, 24, 16,  8,
-			57, 49, 41, 33, 25, 17,  9,  1,
-			59, 51, 43, 35, 27, 19, 11,  3,
-			61, 53, 45, 37, 29, 21, 13,  5,
-			63, 55, 47, 39, 31, 23, 15,  7};
-
-static const uchar perm4[48] = {   32,  1,  2,  3,  4,  5,
-                            4,  5,  6,  7,  8,  9,
-                            8,  9, 10, 11, 12, 13,
-                           12, 13, 14, 15, 16, 17,
-                           16, 17, 18, 19, 20, 21,
-                           20, 21, 22, 23, 24, 25,
-                           24, 25, 26, 27, 28, 29,
-                           28, 29, 30, 31, 32,  1};
-
-static const uchar perm5[32] = {      16,  7, 20, 21,
-                              29, 12, 28, 17,
-                               1, 15, 23, 26,
-                               5, 18, 31, 10,
-                               2,  8, 24, 14,
-                              32, 27,  3,  9,
-                              19, 13, 30,  6,
-                              22, 11,  4, 25};
-
-
-static const uchar perm6[64] ={ 40,  8, 48, 16, 56, 24, 64, 32,
-                        39,  7, 47, 15, 55, 23, 63, 31,
-                        38,  6, 46, 14, 54, 22, 62, 30,
-                        37,  5, 45, 13, 53, 21, 61, 29,
-                        36,  4, 44, 12, 52, 20, 60, 28,
-                        35,  3, 43, 11, 51, 19, 59, 27,
-                        34,  2, 42, 10, 50, 18, 58, 26,
-                        33,  1, 41,  9, 49, 17, 57, 25};
-
-
-static const uchar sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
-
-static const uchar sbox[8][4][16] = {
-	{{14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7},
-	 {0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8},
-	 {4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0},
-	 {15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13}},
-
-	{{15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10},
-	 {3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5},
-	 {0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15},
-	 {13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9}},
-
-	{{10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8},
-	 {13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1},
-	 {13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7},
-	 {1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12}},
-
-	{{7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15},
-	 {13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9},
-	 {10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4},
-	 {3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14}},
-
-	{{2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9},
-	 {14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6},
-	 {4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14},
-	 {11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3}},
-
-	{{12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11},
-	 {10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8},
-	 {9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6},
-	 {4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13}},
-
-	{{4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1},
-	 {13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6},
-	 {1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2},
-	 {6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12}},
-
-	{{13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7},
-	 {1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2},
-	 {7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8},
-	 {2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11}}};
-
-static void permute(char *out, const char *in, const uchar *p, int n)
-{
-	int i;
-	for (i=0;i<n;i++)
-		out[i] = in[p[i]-1];
-}
-
-static void lshift(char *d, int count, int n)
-{
-	char out[64];
-	int i;
-	for (i=0;i<n;i++)
-		out[i] = d[(i+count)%n];
-	for (i=0;i<n;i++)
-		d[i] = out[i];
-}
-
-static void concat(char *out, char *in1, char *in2, int l1, int l2)
-{
-	while (l1--)
-		*out++ = *in1++;
-	while (l2--)
-		*out++ = *in2++;
-}
-
-static void xor(char *out, char *in1, char *in2, int n)
-{
-	int i;
-	for (i=0;i<n;i++)
-		out[i] = in1[i] ^ in2[i];
-}
-
-static void dohash(char *out, char *in, char *key)
-{
-	int i, j, k;
-	char pk1[56];
-	char c[28];
-	char d[28];
-	char cd[56];
-	char ki[16][48];
-	char pd1[64];
-	char l[32], r[32];
-	char rl[64];
-
-	permute(pk1, key, perm1, 56);
-
-	for (i=0;i<28;i++)
-		c[i] = pk1[i];
-	for (i=0;i<28;i++)
-		d[i] = pk1[i+28];
-
-	for (i=0;i<16;i++) {
-		lshift(c, sc[i], 28);
-		lshift(d, sc[i], 28);
-
-		concat(cd, c, d, 28, 28); 
-		permute(ki[i], cd, perm2, 48); 
-	}
-
-	permute(pd1, in, perm3, 64);
-
-	for (j=0;j<32;j++) {
-		l[j] = pd1[j];
-		r[j] = pd1[j+32];
-	}
-
-	for (i=0;i<16;i++) {
-		char er[48];
-		char erk[48];
-		char b[8][6];
-		char cb[32];
-		char pcb[32];
-		char r2[32];
-
-		permute(er, r, perm4, 48);
-
-		xor(erk, er, ki[i], 48);
-
-		for (j=0;j<8;j++)
-			for (k=0;k<6;k++)
-				b[j][k] = erk[j*6 + k];
-
-		for (j=0;j<8;j++) {
-			int m, n;
-			m = (b[j][0]<<1) | b[j][5];
-
-			n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4]; 
-
-			for (k=0;k<4;k++) 
-				b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0; 
-		}
-
-		for (j=0;j<8;j++)
-			for (k=0;k<4;k++)
-				cb[j*4+k] = b[j][k];
-		permute(pcb, cb, perm5, 32);
-
-		xor(r2, l, pcb, 32);
-
-		for (j=0;j<32;j++)
-			l[j] = r[j];
-
-		for (j=0;j<32;j++)
-			r[j] = r2[j];
-	}
-
-	concat(rl, r, l, 32, 32);
-
-	permute(out, rl, perm6, 64);
-}
-
-static void str_to_key(unsigned char *str,unsigned char *key)
-{
-	int i;
-
-	key[0] = str[0]>>1;
-	key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
-	key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
-	key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
-	key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
-	key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
-	key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
-	key[7] = str[6]&0x7F;
-	for (i=0;i<8;i++) {
-		key[i] = (key[i]<<1);
-	}
-}
-
-
-static void smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
-{
-	int i;
-	char outb[64];
-	char inb[64];
-	char keyb[64];
-	unsigned char key2[8];
-
-	str_to_key(key, key2);
-
-	for (i=0;i<64;i++) {
-		inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
-		keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
-		outb[i] = 0;
-	}
-
-	dohash(outb, inb, keyb);
-
-	for (i=0;i<8;i++) {
-		out[i] = 0;
-	}
-
-	for (i=0;i<64;i++) {
-		if (outb[i])
-			out[i/8] |= (1<<(7-(i%8)));
-	}
-}
-
-/*
- *	Converts the password to uppercase, and creates the LM
- *	password hash.
- */
-void lmpwdhash(const unsigned char *password,unsigned char *lmhash)
-{
-	int i;
-	unsigned char p14[14];
-	static unsigned char sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
-
-	memset(p14, 0, sizeof(p14));
-	for (i = 0; i < 14 && password[i]; i++) {
-		p14[i] = toupper((int) password[i]);
-	}
-
-	smbhash(lmhash, sp8, p14);
-	smbhash(lmhash+8, sp8, p14+7);
-}
-
-/*
- *	Take the NT or LM password, and return the MSCHAP response
- *
- *	The win_password MUST be exactly 16 bytes long.
- */
-void mschap(const unsigned char *win_password,
-		 const unsigned char *challenge, unsigned char *response)
-{
-	unsigned char p21[21];
-
-	memset(p21, 0, sizeof(p21));
-	memcpy(p21, win_password, 16);
-
-	smbhash(response, challenge, p21);
-	smbhash(response+8, challenge, p21+7);
-	smbhash(response+16, challenge, p21+14);
-}

src/ntlm.c

@@ -1,88 +0,0 @@
-/*
-   3APA3A simpliest proxy server
-   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
-
-   please read License Agreement
-
-*/
-
-#include "proxy.h"
-struct ntlmchal {
-	unsigned char sig[8];
-	unsigned char messtype[4];
-	unsigned char dom_len[2];
-	unsigned char dom_max_len[2];
-	unsigned char dom_offset[4];
-	unsigned char flags[4];
-	unsigned char challenge[8];
-	unsigned char reserved[8];
-	unsigned char addr_len[2];
-	unsigned char addr_max_len[2];
-	unsigned char addr_offset[4];
-	unsigned char data[1];
-};
-
-struct ntlmreq {
-	unsigned char sig[8];
-	unsigned char messtype[4];
-	unsigned char flags[4];
-	unsigned char dom_len[2];
-	unsigned char dom_max_len[2];
-	unsigned char dom_offset[4];
-	unsigned char pad1[2];
-	unsigned char host_len[2];
-	unsigned char host_max_len[2];
-	unsigned char host_offset[4];
-	unsigned char pad2[2];
-	unsigned char data[1];
-};
-
-int text2unicode(const char * text, char * buf, int buflen){
-	int count = 0;
-	buflen = ((buflen>>1)<<1);
-	if(!text || !buflen) return 0;
-	do {
-		buf[count++] = toupper(*text++);
-		buf[count++] = '\0';
-	} while (*text && count < buflen);
-	return count;
-}
-
-void unicode2text(const char *unicode, char * buf, int len){
-	int i;
-	if(!unicode || !len) return;
-	for(i=0; i<len; i++){
-		buf[i] = unicode[(i<<1)];
-	}
-	buf[i] = 0;
-}
-
-void genchallenge(struct clientparam *param, char * challenge, char *buf){
-	struct ntlmchal *chal;
-	char tmpbuf[1024];
-	char hostname[128];
-	int len, i;
-	
-
-	chal = (struct ntlmchal *)tmpbuf;
-	memset(chal, 0, 1024);
-	memcpy(chal->sig, "NTLMSSP", 8);
-	chal->messtype[0] = 2;
-	gethostname(hostname, 128);
-	hostname[15] = 0;
-	len = (((int)strlen(hostname)) << 1);
-	chal->dom_len[0] = len;
-	chal->dom_max_len[0] = len;
-	chal->dom_offset[0] =  (unsigned char)((unsigned char *)chal->data - (unsigned char *)chal);
-	chal->flags[0] = 0x03;
-	chal->flags[1] = 0x82;
-	chal->flags[2] = 0x81;
-	chal->flags[3] = 0xA0;
-	text2unicode(hostname, (char *)chal->data, 64);
-	time((time_t *)challenge);
-	memcpy(challenge+4, SAADDR(&param->sincr), 4);
-	challenge[1]^=*SAPORT(&param->sincr);
-	for(i = 0; i < 8; i++) challenge[i] ^= myrand(challenge, 8);
-	memcpy(chal->challenge, challenge, 8);
-	en64((unsigned char *)tmpbuf, (unsigned char *)buf, (int)((unsigned char *)chal->data - (unsigned char *)chal) + len);	
-}

src/plugins/PCREPlugin/pcre_plugin.c

@@ -7,6 +7,7 @@
 
 #include "../../structures.h"
 #include <string.h>
+#define PCRE_STATIC
 #include "pcre.h"
 
 #ifdef  __cplusplus

src/plugins/SSLPlugin/my_ssl.c

@@ -45,6 +45,11 @@ static char hexMap[] = {
 static BIO *bio_err=NULL;
 
 
+
+char * getSSLErr(){
+    return ERR_error_string(ERR_get_error(), errbuf);
+}
+
 static size_t bin2hex (const unsigned char* bin, size_t bin_length, char* str, size_t str_length) 
 {
 	char *p;
@@ -186,11 +191,19 @@ SSL_CERT ssl_copy_cert(SSL_CERT cert, SSL_CONFIG *config)
 SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config, SSL_CERT *server_cert, char **errSSL)
 {
 	int err = 0;
-	X509 *cert;
 	ssl_conn *conn;
+	unsigned long ul;
 
 	*errSSL = NULL;
 
+/*FIXME: support SSL_ERROR_WANT_(READ|WRITE) */
+#ifdef _WIN32
+ ul = 0; 
+ ioctlsocket(s, FIONBIO, &ul);
+#else
+ fcntl(s,F_SETFL,0);
+#endif
+
 	conn = (ssl_conn *)malloc(sizeof(ssl_conn));
 	if ( conn == NULL ){
 		return NULL;
@@ -201,7 +214,7 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config,
 		free(conn);
 		return NULL;
 	}
-	if(config->client_verify){
+	if(hostname && *hostname && config->client_verify){
 	    X509_VERIFY_PARAM *param;
 	    
 	    param = SSL_get0_param(conn->ssl);
@@ -210,70 +223,53 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config,
 
 	if(!SSL_set_fd(conn->ssl, s)){
 		ssl_conn_free(conn);
-		*errSSL = ERR_error_string(ERR_get_error(), errbuf);
+		*errSSL = getSSLErr();
 		return NULL;
 	}
 	if(hostname && *hostname)SSL_set_tlsext_host_name(conn->ssl, hostname);
 	err = SSL_connect(conn->ssl);
 	if ( err == -1 ) {
-		*errSSL = ERR_error_string(ERR_get_error(), errbuf);
+		*errSSL = getSSLErr();
 		ssl_conn_free(conn);
 		return NULL;
 	}
 
-	cert = SSL_get_peer_certificate(conn->ssl);     
+	if(server_cert){
-	if(!cert) {
+	    X509 *cert;
+	    cert = SSL_get_peer_certificate(conn->ssl);     
+	    if(!cert) {
 		ssl_conn_free(conn);
 		return NULL;
+	    }
+
+	    *server_cert = cert;
 	}
 
-	/* TODO: Verify certificate */
+#ifdef _WIN32 
-
+ ul = 1;
-	*server_cert = cert;
+ ioctlsocket(s, FIONBIO, &ul);
-
+#else
+ fcntl(s,F_SETFL,O_NONBLOCK);
+#endif
 	return conn;
 }
 
 
-SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char** errSSL){
-    SSL_CTX *ctx;
-    int err = 0;
-
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    ctx = SSL_CTX_new(SSLv23_server_method());
-#else
-    ctx = SSL_CTX_new(TLS_server_method());
-#endif
-    if (!ctx) {
-	*errSSL = ERR_error_string(ERR_get_error(), errbuf);
-	return NULL;
-    }
-
-    err = SSL_CTX_use_certificate(ctx, (X509 *) server_cert);
-    if ( err <= 0 ) {
-	*errSSL = ERR_error_string(ERR_get_error(), errbuf);
-	SSL_CTX_free(ctx);
-	return NULL;
-    }
-
-    err = SSL_CTX_use_PrivateKey(ctx, server_key);
-    if ( err <= 0 ) {
-	*errSSL = ERR_error_string(ERR_get_error(), errbuf);
-	SSL_CTX_free(ctx);
-	return NULL;
-    }
-    if(config->server_min_proto_version)SSL_CTX_set_min_proto_version(ctx, config->server_min_proto_version);
-    if(config->server_max_proto_version)SSL_CTX_set_max_proto_version(ctx, config->server_max_proto_version);
-    if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
-    if(config->server_ciphersuites)SSL_CTX_set_ciphersuites(ctx, config->server_ciphersuites);
-    return ctx;
-}
-
 SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char** errSSL){
 	int err = 0;
 	X509 *cert;
 	ssl_conn *conn;
+	unsigned long ul;
+	
+/*FIXME: support SSL_ERROR_WANT_(READ|WRITE)*/
+
+#ifdef _WIN32
+ ul = 0;
+ ioctlsocket(s, FIONBIO, &ul);
+#else
+ fcntl(s,F_SETFL,0);
+#endif
+
 
 	*errSSL = NULL;
 
@@ -293,7 +289,7 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
 
 	conn->ssl = SSL_new(config->cli_ctx?config->cli_ctx : conn->ctx);
 	if ( conn->ssl == NULL ) {
-		*errSSL = ERR_error_string(ERR_get_error(), errbuf);
+		*errSSL = getSSLErr();
 		if(conn->ctx)SSL_CTX_free(conn->ctx);
 		free(conn);
 		return NULL;
@@ -302,7 +298,7 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
 	SSL_set_fd(conn->ssl, s);
 	err = SSL_accept(conn->ssl);
 	if ( err <= 0 ) {
-		*errSSL = ERR_error_string(ERR_get_error(), errbuf);
+		*errSSL = getSSLErr();
 		ssl_conn_free(conn);
 		return NULL;
 	}
@@ -316,6 +312,12 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
 	if ( cert != NULL )
 		X509_free(cert);
 
+#ifdef _WIN32 
+ ul = 1;
+ ioctlsocket(s, FIONBIO, &ul);
+#else
+ fcntl(s,F_SETFL,O_NONBLOCK);
+#endif
 	return conn;
 }
 

src/plugins/SSLPlugin/my_ssl.h

@@ -11,20 +11,15 @@ typedef void *SSL_CONN;
 typedef void *SSL_CERT;
 
 struct ssl_config {
-    int mitm;
-    int serv;
-    char *certcache;
     X509 *CA_cert;
     X509 *server_cert;
+    X509 *client_cert;
     EVP_PKEY *CA_key;
     EVP_PKEY *server_key;
+    EVP_PKEY *client_key;
     SSL_CTX *cli_ctx;
     SSL_CTX *srv_ctx;
-    int client_min_proto_version;
+    char *certcache;
-    int client_max_proto_version;
-    int server_min_proto_version;
-    int server_max_proto_version;
-    int client_verify;
     char * client_ciphersuites;
     char * server_ciphersuites;
     char * client_cipher_list;
@@ -32,6 +27,18 @@ struct ssl_config {
     char * client_ca_file;
     char * client_ca_dir;
     char * client_ca_store;
+    char * server_ca_file;
+    char * server_ca_dir;
+    char * server_ca_store;
+    int mitm;
+    int serv;
+    int cli;
+    int client_min_proto_version;
+    int client_max_proto_version;
+    int server_min_proto_version;
+    int server_max_proto_version;
+    int client_verify;
+    int server_verify;
 };
 
 typedef struct ssl_config SSL_CONFIG;
@@ -66,6 +73,7 @@ void _ssl_cert_free(SSL_CERT cert);
 // Global (de)initialization
 //
 void ssl_init(void);
+char * getSSLErr(void);
 
 
 #endif // __my_ssl_h__

src/plugins/SSLPlugin/ssl_plugin.c

@@ -6,7 +6,6 @@
 */
 
 #include "../../structures.h"
-#include <openssl/rsa.h>       /* SSLeay stuff */
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
@@ -36,19 +35,25 @@ static int ssl_connect_timeout = 0;
 char *certcache = NULL;
 char *srvcert = NULL;
 char *srvkey = NULL;
+char *clicert = NULL;
+char *clikey = NULL;
 char *server_ca_file = NULL;
+char *server_ca_dir = NULL;
+char *server_ca_store = NULL;
 char *server_ca_key = NULL;
 char *client_ca_file = NULL;
 char *client_ca_dir = NULL;
 char *client_ca_store = NULL;
 int mitm = 0;
 int serv = 0;
+int cli = 0;
 int ssl_inited = 0;
 int client_min_proto_version = 0;
 int client_max_proto_version = 0;
 int server_min_proto_version = 0;
 int server_max_proto_version = 0;
 int client_verify = 0;
+int server_verify = 0;
 char * client_ciphersuites = NULL;
 char * server_ciphersuites = NULL;
 char * client_cipher_list = NULL;
@@ -234,38 +239,42 @@ static int ssl_poll(void *state, struct pollfd *fds, nfds_t nfds, int timeout){
 
 #define PCONF (((struct SSLstate *)param->sostate)->config)
 
-int domitm(struct clientparam* param){
+SSL_CONN dosrvcon(struct clientparam* param, SSL_CERT* cert){
- SSL_CERT ServerCert=NULL, FakeCert=NULL;
+ SSL_CONN ServerConn;
- SSL_CONN ServerConn, ClientConn;
  char *errSSL=NULL;
  unsigned long ul;
 
-#ifdef _WIN32
- ul = 0; 
- ioctlsocket(param->remsock, FIONBIO, &ul);
- ul = 0;
- ioctlsocket(param->clisock, FIONBIO, &ul);
-#else
- fcntl(param->remsock,F_SETFL,0);
- fcntl(param->clisock,F_SETFL,0);
-#endif
-
  if(ssl_connect_timeout){
 	ul = ((unsigned long)ssl_connect_timeout)*1000;
 	setsockopt(param->remsock, SOL_SOCKET, SO_RCVTIMEO, (char *)&ul, 4);
 	ul = ((unsigned long)ssl_connect_timeout)*1000;
 	setsockopt(param->remsock, SOL_SOCKET, SO_SNDTIMEO, (char *)&ul, 4);
  }
- ServerConn = ssl_handshake_to_server(param->remsock, (char *)param->hostname, PCONF, &ServerCert, &errSSL);
+ ServerConn = ssl_handshake_to_server(param->remsock, (char *)param->hostname, PCONF, cert, &errSSL);
- if ( ServerConn == NULL || ServerCert == NULL ) {
+ if ( ServerConn == NULL) {
 	if(ServerConn) ssl_conn_free(ServerConn);
 	param->res = 8011;
 	param->srv->logfunc(param, (unsigned char *)"SSL handshake to server failed");
 	if(ServerConn == NULL) 	param->srv->logfunc(param, (unsigned char *)"ServerConn is NULL");
-	if(ServerCert == NULL) 	param->srv->logfunc(param, (unsigned char *)"ServerCert is NULL");
+	if(cert && *cert == NULL) 	param->srv->logfunc(param, (unsigned char *)"ServerCert is NULL");
 	if(errSSL)param->srv->logfunc(param, (unsigned char *)errSSL);
-	return 1;
+	return NULL;
  }
+
+ SSL_set_mode((SSL *)((ssl_conn *)ServerConn)->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_AUTO_RETRY);
+ SSL_set_read_ahead((SSL *)((ssl_conn *)ServerConn)->ssl, 0);
+
+
+ return ServerConn;
+}
+
+int domitm(struct clientparam* param){
+ SSL_CERT ServerCert=NULL, FakeCert=NULL;
+ SSL_CONN ServerConn, ClientConn;
+ char *errSSL=NULL;
+
+ ServerConn = dosrvcon(param, &ServerCert);
+ if(!ServerConn) return 1;
  FakeCert = ssl_copy_cert(ServerCert, PCONF);
  _ssl_cert_free(ServerCert);
  if ( FakeCert == NULL ) {
@@ -286,26 +295,28 @@ int domitm(struct clientparam* param){
 	return 3;
  }
 
-#ifdef _WIN32 
- ul = 1;
- ioctlsocket(param->remsock, FIONBIO, &ul);
- ul = 1;
- ioctlsocket(param->clisock, FIONBIO, &ul);
-#else
- fcntl(param->remsock,F_SETFL,O_NONBLOCK);
- fcntl(param->clisock,F_SETFL,O_NONBLOCK);
-#endif
-
-
- SSL_set_mode((SSL *)((ssl_conn *)ServerConn)->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_AUTO_RETRY);
  SSL_set_mode((SSL *)((ssl_conn *)ClientConn)->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_AUTO_RETRY);
- SSL_set_read_ahead((SSL *)((ssl_conn *)ServerConn)->ssl, 0);
  SSL_set_read_ahead((SSL *)((ssl_conn *)ClientConn)->ssl, 0);
+
  addSSL(param->clisock, ClientConn, param->remsock, ServerConn, param);
 
  return 0;
 }
 
+int docli(struct clientparam* param){
+
+ SSL_CONN ServerConn;
+ SSL_CERT ServerCert=NULL;
+ 
+ ServerConn = dosrvcon(param, &ServerCert);
+ _ssl_cert_free(ServerCert);
+
+ if(!ServerConn) return 1;
+
+ addSSL(INVALID_SOCKET, NULL, param->remsock, ServerConn, param);
+ return 0;
+}
+
 X509 * getCert (const char *fname){
     BIO *f;
     X509 *CA_cert;
@@ -333,10 +344,64 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx){
     return preverify_ok;
 }
 
+
+SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_key, char** errSSL){
+    SSL_CTX *ctx;
+    int err = 0;
+
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    ctx = SSL_CTX_new(SSLv23_server_method());
+#else
+    ctx = SSL_CTX_new(TLS_server_method());
+#endif
+
+    if (!ctx) {
+	*errSSL = getSSLErr();
+	return NULL;
+    }
+
+    err = SSL_CTX_use_certificate(ctx, (X509 *) server_cert);
+    if ( err <= 0 ) {
+	*errSSL = getSSLErr();
+	SSL_CTX_free(ctx);
+	return NULL;
+    }
+
+    err = SSL_CTX_use_PrivateKey(ctx, server_key);
+    if ( err <= 0 ) {
+	*errSSL = getSSLErr();
+	SSL_CTX_free(ctx);
+	return NULL;
+    }
+    if(config->server_min_proto_version)SSL_CTX_set_min_proto_version(ctx, config->server_min_proto_version);
+    if(config->server_max_proto_version)SSL_CTX_set_max_proto_version(ctx, config->server_max_proto_version);
+    if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
+    if(config->server_ciphersuites)SSL_CTX_set_ciphersuites(ctx, config->server_ciphersuites);
+    if(config->server_verify){
+fprintf(stderr, "server verify\n");
+fflush(stderr);
+                if(config->server_ca_file || config->server_ca_dir){
+                    SSL_CTX_load_verify_locations(ctx, config->server_ca_file, config->server_ca_dir);
+                }
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+                else if(config->server_ca_store){
+                    SSL_CTX_load_verify_store(ctx, config->server_ca_store);
+                }
+#endif          
+                else 
+                    SSL_CTX_set_default_verify_paths(ctx);
+                SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|SSL_VERIFY_CLIENT_ONCE, NULL);
+    }
+    return ctx;
+}
+
+
 static void* ssl_filter_open(void * idata, struct srvparam * srv){
 	char fname[256];
 	char *errSSL;
 	struct ssl_config *sc;
+	
 	sc = malloc(sizeof(struct ssl_config));
 	if(!sc) return NULL;
 	memset(sc, 0, sizeof(struct ssl_config));
@@ -346,6 +411,7 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 	sc->server_min_proto_version = server_min_proto_version;
 	sc->server_max_proto_version = server_max_proto_version;
 	sc->client_verify = client_verify;
+	sc->server_verify = server_verify;
 	if(client_ciphersuites) sc->client_ciphersuites = strdup(client_ciphersuites);
 	if(server_ciphersuites) sc->server_ciphersuites = strdup(server_ciphersuites);
 	if(client_cipher_list) sc->client_cipher_list = strdup(client_cipher_list);
@@ -357,9 +423,19 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 		return sc;
 	    }
 	}
+	if(clikey){
+	    sc->client_key = getKey(clikey);
+	    if(!sc->client_key){
+		fprintf(stderr, "failed to read: %s\n", clikey);
+		return sc;
+	    }
+	}
 	if(client_ca_file)sc->client_ca_file=client_ca_file;
 	if(client_ca_dir)sc->client_ca_dir=client_ca_dir;
-	if(client_ca_store)sc->client_ca_dir=client_ca_store;
+	if(client_ca_store)sc->client_ca_store=client_ca_store;
+	if(server_ca_file)sc->server_ca_file=server_ca_file;
+	if(server_ca_dir)sc->server_ca_dir=server_ca_dir;
+	if(server_ca_store)sc->server_ca_store=server_ca_store;
 
 
 	if(mitm){
@@ -390,15 +466,20 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 		sc->server_key = getKey(fname);
 	    }
 	    sc->mitm = 1;
-	    srv->so._send = ssl_send;
+	}
-	    srv->so._recv = ssl_recv;
+	if(cli){
-	    srv->so._sendto = ssl_sendto;
+	    if(clicert){
-	    srv->so._recvfrom = ssl_recvfrom;
+		sc->client_cert = getCert(clicert);
-	    srv->so._closesocket = ssl_closesocket;
+		if(!sc->client_cert){
-	    srv->so._poll = ssl_poll;
+		    fprintf(stderr, "failed to read client cert from: %s\n", clicert);
-#ifdef WIWHSPLICE
+		    return sc;
-	    srv->usesplice = 0;
+		}
-#endif
+		if(!sc->client_key){
+		    fprintf(stderr, "no client key\n");
+		    return sc;
+		}
+	    }
+	    sc->cli = 1;
 	}
 	if(serv){
 	    if(!srvcert || !srvkey) return sc;
@@ -415,47 +496,50 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 		return sc;
 	    }
 	    sc->serv = 1;
+	}
+	if(mitm || cli || serv){
 	    srv->so._send = ssl_send;
 	    srv->so._recv = ssl_recv;
 	    srv->so._sendto = ssl_sendto;
 	    srv->so._recvfrom = ssl_recvfrom;
 	    srv->so._closesocket = ssl_closesocket;
 	    srv->so._poll = ssl_poll;
-#ifdef WIWHSPLICE
-	    srv->usesplice = 0;
-#endif
 	}
-	if(sc && sc->mitm){
+	if(sc && (sc->mitm || sc->cli)){
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	    sc->srv_ctx = SSL_CTX_new(SSLv23_client_method());
 #else
 	    sc->srv_ctx = SSL_CTX_new(TLS_client_method());
 #endif
 	    if ( sc->srv_ctx == NULL ) {
-		sc->mitm = 0;
+		fprintf(stderr, "failed to set client context\n");
+		sc->mitm = sc->cli = 0;
+	    }
+	    if(sc->client_cert){
+		SSL_CTX_use_certificate(sc->srv_ctx, (X509 *) sc->client_cert);
+		SSL_CTX_use_PrivateKey(sc->srv_ctx, sc->client_key);
 	    }
 	    if(sc->client_min_proto_version)SSL_CTX_set_min_proto_version(sc->srv_ctx, sc->client_min_proto_version);
 	    if(sc->client_max_proto_version)SSL_CTX_set_max_proto_version(sc->srv_ctx, sc->client_max_proto_version);
 	    if(sc->client_cipher_list)SSL_CTX_set_cipher_list(sc->srv_ctx, sc->client_cipher_list);
 	    if(sc->client_ciphersuites)SSL_CTX_set_ciphersuites(sc->srv_ctx, sc->client_ciphersuites);
 	    if(sc->client_verify){
-		if(sc->client_ca_file && sc->client_ca_dir){
+		if(sc->client_ca_file || sc->client_ca_dir){
 		    SSL_CTX_load_verify_locations(sc->srv_ctx, sc->client_ca_file, sc->client_ca_dir);
 		}
-		else if(sc->client_ca_file){
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-		    SSL_CTX_load_verify_file(sc->srv_ctx, sc->client_ca_file);
-		}
-		else if(sc->client_ca_dir){
-		    SSL_CTX_load_verify_dir(sc->srv_ctx, sc->client_ca_dir);
-		}
 		else if(sc->client_ca_store){
 		    SSL_CTX_load_verify_store(sc->srv_ctx, sc->client_ca_store);
 		}
+#endif		
 		else 
 		    SSL_CTX_set_default_verify_paths(sc->srv_ctx);
-		SSL_CTX_set_verify(sc->srv_ctx, SSL_VERIFY_PEER, verify_callback);
+		SSL_CTX_set_verify(sc->srv_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
 	    }
 	}
+#ifdef WIWHSPLICE
+	srv->usesplice = 0;
+#endif
 	return sc;
 }
 
@@ -474,13 +558,6 @@ static FILTER_ACTION ssl_filter_client(void *fo, struct clientparam * param, voi
 	    SSL_CONN ClientConn;
 	    char *err;
 
-#ifdef _WIN32
- unsigned long ul = 0;
- ioctlsocket(param->clisock, FIONBIO, &ul);
-#else
- fcntl(param->clisock,F_SETFL,0);
-#endif
-
 	    ClientConn = ssl_handshake_to_client(param->clisock, ssls->config, NULL, NULL, &err);
 	    if ( ClientConn == NULL ) {
 		param->res = 8013;
@@ -488,16 +565,6 @@ static FILTER_ACTION ssl_filter_client(void *fo, struct clientparam * param, voi
 		if(err)param->srv->logfunc(param, (unsigned char *)err);
 		return REJECT;
 	    }
-#ifdef _WIN32 
-	     {
-		unsigned long ul = 1;
-	     	ioctlsocket(param->clisock, FIONBIO, &ul);
-	     }
-#else
-	     fcntl(param->clisock,F_SETFL,O_NONBLOCK);
-#endif
-
-
 	    SSL_set_mode((SSL *)((ssl_conn *)ClientConn)->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE|SSL_MODE_AUTO_RETRY);
 	    SSL_set_read_ahead((SSL *)((ssl_conn *)ClientConn)->ssl, 0);
 	    addSSL(param->clisock, ClientConn, INVALID_SOCKET, NULL, param);
@@ -506,13 +573,21 @@ static FILTER_ACTION ssl_filter_client(void *fo, struct clientparam * param, voi
 }
 
 static FILTER_ACTION ssl_filter_predata(void *fc, struct clientparam * param){
+
 	if(param->operation != HTTP_CONNECT && param->operation != CONNECT) return PASS;
-	if(!PCONF->mitm) return PASS;
+	if(PCONF->mitm){
-	if(domitm(param)) {
+	    if(domitm(param)) {
 		return REJECT;
+	    }
+	    if(!param->redirectfunc) param->redirectfunc = proxyfunc;
+	    return CONTINUE;
 	}
-	if(!param->redirectfunc) param->redirectfunc = proxyfunc;
+	else if(PCONF->cli) {
-	return CONTINUE;
+	    if(docli(param)) {
+		return REJECT;
+	    }
+	}
+	return PASS;
 }
 
 
@@ -530,12 +605,18 @@ static void ssl_filter_close(void *fo){
     if ( CONFIG->server_cert != NULL ) {
 	X509_free(CONFIG->server_cert);
     }
+    if ( CONFIG->client_cert != NULL ) {
+	X509_free(CONFIG->server_cert);
+    }
     if ( CONFIG->CA_key != NULL ) {
 	EVP_PKEY_free(CONFIG->CA_key);
     }
     if ( CONFIG->server_key != NULL ) {
 	EVP_PKEY_free(CONFIG->server_key);
     }
+    if ( CONFIG->client_key != NULL ) {
+	EVP_PKEY_free(CONFIG->server_key);
+    }
     if ( CONFIG->srv_ctx != NULL ) {
 	SSL_CTX_free(CONFIG->srv_ctx);
     }
@@ -612,7 +693,8 @@ static int h_serv(int argc, unsigned char **argv){
 
 static int h_noserv(int argc, unsigned char **argv){
 	struct filter * sf;
-	if(!mitm) return 1;
+	if(!serv) return 1;
+	serv = 0;
 	if(pl->conf->filters == &ssl_filter_serv) pl->conf->filters = ssl_filter_serv.next;
 	else for(sf = pl->conf->filters; sf && sf->next; sf=sf->next){
 		if(sf->next == &ssl_filter_serv) {
@@ -620,10 +702,46 @@ static int h_noserv(int argc, unsigned char **argv){
 			break;
 		}
 	}
-	serv = 0;
 	return 0;
 }
 
+static struct filter ssl_filter_cli = {
+	NULL,
+	"ssl filter",
+	"cli",
+	ssl_filter_open,
+	ssl_filter_client,
+	NULL, NULL, NULL, ssl_filter_predata, NULL, NULL,
+	ssl_filter_clear, 
+	ssl_filter_close
+};
+
+
+static int h_cli(int argc, unsigned char **argv){
+	if(mitm) return 1;
+	if(cli) return 2;
+	ssl_filter_cli.next = pl->conf->filters;
+	pl->conf->filters = &ssl_filter_cli;
+	sso = *pl->so;
+	cli = 1;
+	return 0;
+}
+
+static int h_nocli(int argc, unsigned char **argv){
+	struct filter * sf;
+	if(!cli) return 1;
+	cli = 0;
+	if(pl->conf->filters == &ssl_filter_cli) pl->conf->filters = ssl_filter_cli.next;
+	else for(sf = pl->conf->filters; sf && sf->next; sf=sf->next){
+		if(sf->next == &ssl_filter_cli) {
+			sf->next = ssl_filter_cli.next;
+			break;
+		}
+	}
+	return 0;
+}
+
+
 static int h_certcache(int argc, unsigned char **argv){
 	size_t len;
 	len = strlen((char *)argv[1]);
@@ -645,6 +763,19 @@ static int h_srvkey(int argc, unsigned char **argv){
 	return 0;
 }
 
+static int h_clicert(int argc, unsigned char **argv){
+	free(clicert);
+	clicert = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_clikey(int argc, unsigned char **argv){
+	free(clikey);
+	clikey = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+
 static int h_client_cipher_list(int argc, unsigned char **argv){
 	free(client_cipher_list);
 	client_cipher_list = argc > 1? strdup((char *)argv[1]) : NULL;
@@ -699,6 +830,18 @@ static int h_client_ca_store(int argc, unsigned char **argv){
 	return 0;
 }
 
+static int h_server_ca_dir(int argc, unsigned char **argv){
+	free(server_ca_dir);
+	server_ca_dir = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
+static int h_server_ca_store(int argc, unsigned char **argv){
+	free(server_ca_store);
+	server_ca_store = argc > 1? strdup((char *)argv[1]) : NULL;
+	return 0;
+}
+
 struct vermap{
     char *sver;
     int iver;
@@ -765,11 +908,20 @@ static int h_no_client_verify(int argc, unsigned char **argv){
 	return 0;
 }
 
+static int h_server_verify(int argc, unsigned char **argv){
+	server_verify = 1;
+	return 0;
+}
+static int h_no_server_verify(int argc, unsigned char **argv){
+	server_verify = 0;
+	return 0;
+}
+
 static struct commands ssl_commandhandlers[] = {
 	{ssl_commandhandlers+1, "ssl_mitm", h_mitm, 1, 1},
 	{ssl_commandhandlers+2, "ssl_nomitm", h_nomitm, 1, 1},
 	{ssl_commandhandlers+3, "ssl_serv", h_serv, 1, 1},
-	{ssl_commandhandlers+4, "ssl_noserv", h_serv, 1, 1},
+	{ssl_commandhandlers+4, "ssl_noserv", h_noserv, 1, 1},
 	{ssl_commandhandlers+5, "ssl_server_cert", h_srvcert, 1, 2},
 	{ssl_commandhandlers+6, "ssl_server_key", h_srvkey, 1, 2},
 	{ssl_commandhandlers+7, "ssl_server_ca_file", h_server_ca_file, 1, 2},
@@ -787,6 +939,18 @@ static struct commands ssl_commandhandlers[] = {
 	{ssl_commandhandlers+19, "ssl_server_max_proto_version", h_server_max_proto_version, 1, 2},
 	{ssl_commandhandlers+20, "ssl_client_verify", h_client_verify, 1, 1},
 	{ssl_commandhandlers+21, "ssl_client_no_verify", h_no_client_verify, 1, 1},
+	{ssl_commandhandlers+22, "ssl_cli", h_cli, 1, 1},
+	{ssl_commandhandlers+23, "ssl_nocli", h_nocli, 1, 1},
+	{ssl_commandhandlers+24, "ssl_client_cert", h_clicert, 1, 2},
+	{ssl_commandhandlers+25, "ssl_client_key", h_clikey, 1, 2},
+	{ssl_commandhandlers+26, "ssl_server", h_serv, 1, 1},
+	{ssl_commandhandlers+27, "ssl_noserver", h_noserv, 1, 1},
+	{ssl_commandhandlers+28, "ssl_client", h_cli, 1, 1},
+	{ssl_commandhandlers+29, "ssl_noclient", h_nocli, 1, 1},
+	{ssl_commandhandlers+30, "ssl_server_verify", h_server_verify, 1, 1},
+	{ssl_commandhandlers+31, "ssl_server_no_verify", h_no_server_verify, 1, 1},
+	{ssl_commandhandlers+32, "ssl_server_ca_dir", h_server_ca_dir, 1, 2},
+	{ssl_commandhandlers+33, "ssl_server_ca_store", h_server_ca_store, 1, 2},
 	{NULL, "ssl_certcache", h_certcache, 2, 2},
 };
 
@@ -800,22 +964,30 @@ static struct commands ssl_commandhandlers[] = {
 PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink, 
 					 int argc, char** argv){
 
+	mitm = 0;
+	serv = 0;
+	cli = 0;
+
 	pl = pluginlink;
 
 	ssl_connect_timeout = 0;
+
 	free(certcache);
 	certcache = NULL;
 	free(srvcert);
 	srvcert = NULL;
 	free(srvkey);
 	srvkey = NULL;
-	mitm = 0;
+	free(clicert);
-	serv = 0;
+	clicert = NULL;
+	free(clikey);
+	clikey = NULL;
 	client_min_proto_version = 0;
 	client_max_proto_version = 0;
 	server_min_proto_version = 0;
 	server_max_proto_version = 0;
 	client_verify = 0;
+	server_verify = 0;
 	free(client_ciphersuites);
 	client_ciphersuites = NULL;
 	free(server_ciphersuites);
@@ -834,6 +1006,10 @@ PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink,
 	client_ca_dir = NULL;
 	free(client_ca_store);
 	client_ca_store = NULL;
+	free(server_ca_dir);
+	server_ca_dir = NULL;
+	free(server_ca_store);
+	server_ca_store = NULL;
 
 
 	if(!ssl_loaded){

src/proxy.c

@@ -381,54 +381,6 @@ for(;;){
 			param->username = (unsigned char *)mystrdup((char *)username);
 			continue;
 		}
-#ifndef NOCRYPT
-		if(param->srv->usentlm && !strncasecmp((char *)sb, "ntlm", 4)){
-			sb+=4;
-			while(isspace(*sb))sb++;
-			i = de64(sb, username, 1023);
-			if(i<=16)continue;
-			username[i] = 0;
-			if(strncasecmp((char *)username, "NTLMSSP", 8)) continue;
-			if(username[8] == 1) {
-				while( (i = sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 1, '\n', conf.timeouts[STRING_S])) > 2){
-					if(i> 15 && (!strncasecmp((char *)(buf), "content-length", 14))){
-						buf[i]=0;
-						sscanf((char *)buf + 15, "%"PRINTF_INT64_MODIFIER"u", &contentlength64);
-					}
-				}
-				while( contentlength64 > 0 && (i = sockgetlinebuf(param, CLIENT, buf, (BUFSIZE < contentlength64)? BUFSIZE - 1:(int)contentlength64, '\n', conf.timeouts[STRING_S])) > 0){
-					if ((uint64_t)i > contentlength64) break;
-					contentlength64-=i;
-				}
-				contentlength64 = 0;
-				if(param->password)myfree(param->password);
-				param->password = myalloc(32);
-				param->pwtype = 2;
-				i = (int)strlen(proxy_stringtable[13]);
-				memcpy(buf, proxy_stringtable[13], i);
-				genchallenge(param, (char *)param->password, (char *)buf + i);
-				memcpy(buf + strlen((char *)buf), "\r\n\r\n", 5);
-				socksend(param, param->clisock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S]);
-				ckeepalive = keepalive = 1;
-				goto REQUESTEND;
-			}
-			if(username[8] == 3 && param->pwtype == 2 && i>=80) {
-				unsigned offset, len;
-
-				len = username[20] + (((unsigned)username[21]) << 8);
-				offset = username[24] + (((unsigned)username[25]) << 8);
-				if(len != 24 || len + offset > (unsigned)i) continue;
-				memcpy(param->password + 8, username + offset, 24);
-				len = username[36] + (((unsigned)username[37]) << 8);
-				offset = username[40] + (((unsigned)username[41]) << 8);
-				if(len> 255 || len + offset > (unsigned)i) continue;
-				if(param->username) myfree(param->username);
-				unicode2text((char *)username+offset, (char *)username+offset, (len>>1));
-				param->username = (unsigned char *)mystrdup((char *)username+offset);
-			}
-			continue;
-		}
-#endif
 	}
 #endif
 	if(!isconnect && (

src/proxymain.c

@@ -74,6 +74,37 @@ void * threadfunc (void *p) {
 #endif
 #endif
 
+	if(param->srv->haproxy){
+	    char buf[128];
+	    int i;
+	    i = sockgetlinebuf(param, CLIENT, (unsigned char *)buf, sizeof(buf)-1, '\n', conf.timeouts[STRING_S]);
+	    if(i > 12 && !strncasecmp(buf, "PROXY TCP", 9)){
+		char *token, *token2=NULL;
+		unsigned short u1=0, u2=0;
+		buf[i] = 0;
+		token = strchr(buf, ' ');
+		if(token) token = strchr(token+1, ' ');
+		if(token) token++;
+		if(token) token2 = strchr(token+1, ' ');
+		if(token2) {
+		    *token2 = 0;
+		    getip46(46, (unsigned char*) token, (struct sockaddr *)&param->sincr);
+		    token = token2+1;
+		    token2 = strchr(token, ' ');
+		}
+		if(token2) {
+		    *token2 = 0;
+		    getip46(46, (unsigned char *) token, (struct sockaddr *)&param->sincl);
+		    token = token2+1;
+		    token2 = strchr(token, ' ');
+		}
+		if(token){
+		    sscanf(token,"%hu%hu", &u1, &u2);
+		    if(u1) *SAPORT(&param->sincr) = htons(u1);
+		    if(u2) *SAPORT(&param->sincl) = htons(u1);
+		}
+	    }
+	}
 	((struct clientparam *) p)->srv->pf((struct clientparam *)p);
  }
 #ifdef _WIN32
@@ -84,6 +115,15 @@ void * threadfunc (void *p) {
 }
 #undef param
 
+int pushthreadinit(){
+    return 
+#ifdef _WIN32
+    WriteFile(conf.threadinit[1], "1", 1, NULL, NULL);
+#else
+    write(conf.threadinit[1], "1", 1);
+#endif
+}
+
 
 struct socketoptions sockopts[] = {
 #ifdef TCP_NODELAY
@@ -417,6 +457,9 @@ int MODULEMAINFUNC (int argc, char** argv){
 		 case 'h':
 			hostname = argv[i] + 2;
 			break;
+		 case 'H':
+			srv.haproxy=1;
+			break;
 		 case 'c':
 			srv.requirecert = 1;
 			if(isdigit(argv[i][2])) srv.requirecert = atoi(argv[i]+2);
@@ -492,7 +535,7 @@ int MODULEMAINFUNC (int argc, char** argv){
 	if (error || i!=argc) {
 #ifndef STDMAIN
 		haveerror = 1;
-		conf.threadinit = 0;
+		pushthreadinit();
 #endif
 		fprintf(stderr, "%s of %s\n"
 			"Usage: %s options\n"
@@ -524,7 +567,7 @@ int MODULEMAINFUNC (int argc, char** argv){
 	if (error || argc != i+3 || *argv[i]=='-'|| (*SAPORT(&srv.intsa) = htons((unsigned short)atoi(argv[i])))==0 || (srv.targetport = htons((unsigned short)atoi(argv[i+2])))==0) {
 #ifndef STDMAIN
 		haveerror = 1;
-		conf.threadinit = 0;
+		pushthreadinit();
 #endif
 		fprintf(stderr, "%s of %s\n"
 			"Usage: %s options"
@@ -590,7 +633,7 @@ int MODULEMAINFUNC (int argc, char** argv){
 #ifndef STDMAIN
 
  copyfilter(conf.filters, &srv);
- conf.threadinit = 0;
+ pushthreadinit();
 
 
 #endif
@@ -1380,6 +1423,8 @@ FILTER_ACTION handlepredatflt(struct clientparam *cparam){
 	FILTER_ACTION action;
 	int i;
 
+	if(cparam->predatdone) return PASS;
+	cparam->predatdone = 1;
 	for(i=0; i<cparam->npredatfilters ;i++){
 		action =  (*cparam->predatfilters[i]->filter->filter_predata)(cparam->predatfilters[i]->data, cparam);
 		if(action!=CONTINUE) return action;

src/socks.c

@@ -15,6 +15,11 @@ unsigned char * commands[] = {(unsigned char *)"UNKNOWN", (unsigned char *)"CONN
 #define BUFSIZE 1024
 #define LARGEBUFSIZE 67000
 
+#if SOCKSTRACE > 0
+char tracebuf[256];
+#endif
+
+
 static void printcommand(unsigned char * buf, int command, struct clientparam *param){
     sprintf((char *)buf, "%s ", commands[command]);
     if(param->hostname){
@@ -234,7 +239,7 @@ void * sockschild(struct clientparam* param) {
 		*SAPORT(&param->sinsl) = 0;
 		if(param->srv->so._bind(param->sostate, param->remsock,(struct sockaddr *)&param->sinsl,SASIZE(&param->sinsl)))RETURN (12);
 #if SOCKSTRACE > 0
-fprintf(stderr, "%hu bound to communicate with server\n", *SAPORT(&param->sins));
+fprintf(stderr, "%hu bound to communicate with server\n", *SAPORT(&param->sinsl));
 fflush(stderr);
 #endif
 	}
@@ -271,11 +276,12 @@ CLEANRET:
 	if(command != 3 && param->remsock != INVALID_SOCKET) param->srv->so._getsockname(param->sostate, param->remsock, (struct sockaddr *)&sin,  &sasize);
 	else param->srv->so._getsockname(param->sostate, param->clisock, (struct sockaddr *)&sin,  &sasize);
 #if SOCKSTRACE > 0
+myinet_ntop(*SAFAMILY(&sin), &sin, tracebuf, SASIZE(&sin));
 fprintf(stderr, "Sending confirmation to client with code %d for %s with %s:%hu\n",
 			param->res,
 			commands[command],
-			inet_ntoa(sin.sin_addr),
+			tracebuf,
-			ntohs(sin.sin_port)
+			ntohs(*SAPORT(&sin))
 	);
 fflush(stderr);
 #endif
@@ -362,7 +368,7 @@ fflush(stderr);
 fprintf(stderr, "Sending incoming connection to client with code %d for %s with %hu\n",
 			param->res,
 			commands[command],
-			*SAPORT(param->sins);
+			*SAPORT(&param->sinsr)
 	);
 fflush(stderr);
 #endif
@@ -445,15 +451,18 @@ fflush(stderr);
 							param->statscli64+=(len - i);
 							param->nwrites++;
 #if SOCKSTRACE > 1
+myinet_ntop(*SAFAMILY(&param->sinsr), &param->sinsr, tracebuf, SASIZE(&param->sinsr));
+
 fprintf(stderr, "UDP packet relayed from client to %s:%hu size %d, header %d\n",
-			inet_ntoa(param->sins.sin_addr),
+			tracebuf,
-			ntohs(param->sins.sin_port),
+			ntohs(*SAPORT(&param->sinsr)),
 			(len - i),
 			i
 	);
+myinet_ntop(*SAFAMILY(&sin), &sin, tracebuf, SASIZE(&sin));
 fprintf(stderr, "client address is assumed to be %s:%hu\n",
-			inet_ntoa(sin.sin_addr),
+			tracebuf,
-			ntohs(sin.sin_port)
+			ntohs(*SAPORT(&sin))
 	);
 fflush(stderr);
 #endif

src/structures.h

@@ -266,7 +266,7 @@ struct passwords {
 };
 
 typedef enum {
-	R_TCP,
+	R_TCP = 1,
 	R_CONNECT,
 	R_SOCKS4,
 	R_SOCKS5,
@@ -281,9 +281,20 @@ typedef enum {
 	R_SOCKS5B,
 	R_ADMIN,
 	R_EXTIP,
-	R_TLS
+	R_TLS,
+	R_HA,
+	R_DNS
 } REDIRTYPE;
 
+struct redirdesc {
+    REDIRTYPE redir;
+    char * name;
+    void * (*func)(struct clientparam *);
+};
+
+extern struct redirdesc redirs[];
+
+
 struct chain {
 	struct chain * next;
 	int type;
@@ -490,6 +501,7 @@ struct srvparam {
 	int clisockopts, srvsockopts, lissockopts, cbcsockopts, cbssockopts;
 	int gracetraf, gracenum, gracedelay;
 	int requirecert;
+	int haproxy;
 #ifdef WITHSPLICE
 	int usesplice;
 #endif
@@ -572,7 +584,8 @@ struct clientparam {
 		chunked,
 		paused,
 		version,
-		connlim;
+		connlim,
+		predatdone;
 
 	unsigned char 	*hostname,
 			*username,
@@ -619,6 +632,11 @@ struct filemon {
 
 
 struct extparam {
+#ifdef _WIN32
+	HANDLE threadinit[2];
+#else
+	int threadinit[2];
+#endif
 	int timeouts[12];
 	struct ace * acl;
 	char * conffile;
@@ -627,7 +645,7 @@ struct extparam {
 	struct trafcount * trafcounter;
 	struct srvparam *services;
 	int stacksize,
-		threadinit, counterd, haveerror, rotate, paused, archiverc,
+		counterd, haveerror, rotate, paused, archiverc,
 		demon, maxchild, backlog, needreload, timetoexit, version, noforce, bandlimver, parentretries;
 	int authcachetype, authcachetime;
 	int filtermaxsize;