@@ -417,6 +417,7 @@ init_proxy_dowork (struct context *c)

     {

       c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server,

 					   c->options.ce.socks_proxy_port,

+					   c->options.ce.socks_proxy_authfile,

 					   c->options.ce.socks_proxy_retry,

 					   c->options.auto_proxy_info);

       if (c->c1.socks_proxy)

@@ -128,8 +128,11 @@ static const char usage_message[] =

   "                  AGENT user-agent\n"

 #endif

 #ifdef ENABLE_SOCKS

-  "--socks-proxy s [p]: Connect to remote host through a Socks5 proxy at address\n"

-  "                  s and port p (default port = 1080).\n"

+  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"

+  "                  address s and port p (default port = 1080).\n"

+  "                  If proxy authentication is required,\n"

+  "                  up is a file containing username/password on 2 lines, or\n"

+  "                  'stdin' to prompt for console.\n"

   "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"

 #endif

   "--resolv-retry n: If hostname resolve fails for --remote, retry\n"

@@ -4505,6 +4508,7 @@ add_option (struct options *options,

 	  options->ce.socks_proxy_port = 1080;

 	}

       options->ce.socks_proxy_server = p[1];

+      options->ce.socks_proxy_authfile = p[3]; /* might be NULL */

     }

   else if (streq (p[0], "socks-proxy-retry"))

     {

@@ -95,6 +95,7 @@ struct connection_entry

 #ifdef ENABLE_SOCKS

   const char *socks_proxy_server;

   int socks_proxy_port;

+  const char *socks_proxy_authfile;

   bool socks_proxy_retry;

 #endif

@@ -952,16 +952,14 @@ add_route (struct route *r, const struct tuntap *tt, unsigned int flags, const s

   argv_printf (&argv, "%s add",

 		ROUTE_PATH);

-#if 0

-  if (r->metric_defined)

-    argv_printf_cat (&argv, "-rtt %d", r->metric);

-#endif

-

   argv_printf_cat (&argv, "%s -netmask %s %s",

 	      network,

 	      netmask,

 	      gateway);

+  if (r->metric_defined)

+    argv_printf_cat (&argv, "%d", r->metric);

+

   argv_msg (D_ROUTE, &argv);

   status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed");

@@ -23,10 +23,11 @@

  */

 /*

- * 2004-01-30: Added Socks5 proxy support

+ * 2004-01-30: Added Socks5 proxy support, see RFC 1928

  *   (Christof Meerwald, http://cmeerw.org)

  *

- * see RFC 1928, only supports "no authentication"

+ * 2010-10-10: Added Socks5 plain text authentication support (RFC 1929)

+ *   (Pierre Bourdon <delroth@gmail.com>)

  */

 #include "syshead.h"

@@ -38,10 +39,12 @@

 #include "win32.h"

 #include "socket.h"

 #include "fdmisc.h"

+#include "misc.h"

 #include "proxy.h"

 #include "memdbg.h"

+#define UP_TYPE_SOCKS		"SOCKS Proxy"

 void

 socks_adjust_frame_parameters (struct frame *frame, int proto)

@@ -53,6 +56,7 @@ socks_adjust_frame_parameters (struct frame *frame, int proto)

 struct socks_proxy_info *

 socks_proxy_new (const char *server,

 		 int port,

+		 const char *authfile,

 		 bool retry,

 		 struct auto_proxy_info *auto_proxy_info)

 {

@@ -77,6 +81,12 @@ socks_proxy_new (const char *server,

   strncpynt (p->server, server, sizeof (p->server));

   p->port = port;

+

+  if (authfile)

+    strncpynt (p->authfile, authfile, sizeof (p->authfile));

+  else

+    p->authfile[0] = 0;

+

   p->retry = retry;

   p->defined = true;

@@ -90,15 +100,99 @@ socks_proxy_close (struct socks_proxy_info *sp)

 }

 static bool

-socks_handshake (socket_descriptor_t sd, volatile int *signal_received)

+socks_username_password_auth (struct socks_proxy_info *p,

+                              socket_descriptor_t sd,

+                              volatile int *signal_received)

+{

+  char to_send[516];

+  char buf[2];

+  int len = 0;

+  const int timeout_sec = 5;

+  struct user_pass creds;

+  ssize_t size;

+

+  creds.defined = 0;

+

+  get_user_pass (&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT);

+  snprintf (to_send, sizeof (to_send), "\x01%c%s%c%s", strlen(creds.username),

+            creds.username, strlen(creds.password), creds.password);

+  size = send (sd, to_send, strlen(to_send), MSG_NOSIGNAL);

+

+  if (size != strlen (to_send))

+    {

+      msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port write failed on send()");

+      return false;

+    }

+

+  while (len < 2)

+    {

+      int status;

+      ssize_t size;

+      fd_set reads;

+      struct timeval tv;

+      char c;

+

+      FD_ZERO (&reads);

+      FD_SET (sd, &reads);

+      tv.tv_sec = timeout_sec;

+      tv.tv_usec = 0;

+

+      status = select (sd + 1, &reads, NULL, NULL, &tv);

+

+      get_signal (signal_received);

+      if (*signal_received)

+	return false;

+

+      /* timeout? */

+      if (status == 0)

+	{

+	  msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read timeout expired");

+	  return false;

+	}

+

+      /* error */

+      if (status < 0)

+	{

+	  msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read failed on select()");

+	  return false;

+	}

+

+      /* read single char */

+      size = recv(sd, &c, 1, MSG_NOSIGNAL);

+

+      /* error? */

+      if (size != 1)

+	{

+	  msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_username_password_auth: TCP port read failed on recv()");

+	  return false;

+	}

+

+      /* store char in buffer */

+      buf[len++] = c;

+    }

+

+  /* VER = 5, SUCCESS = 0 --> auth success */

+  if (buf[0] != 5 && buf[1] != 0)

+  {

+    msg (D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication");

+    return false;

+  }

+

+  return true;

+}

+

+static bool

+socks_handshake (struct socks_proxy_info *p,

+                 socket_descriptor_t sd,

+                 volatile int *signal_received)

 {

   char buf[2];

   int len = 0;

   const int timeout_sec = 5;

-  /* VER = 5, NMETHODS = 1, METHODS = [0] */

-  const ssize_t size = send (sd, "\x05\x01\x00", 3, MSG_NOSIGNAL);

-  if (size != 3)

+  /* VER = 5, NMETHODS = 2, METHODS = [0 (no auth), 2 (plain login)] */

+  const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL);

+  if (size != 4)

     {

       msg (D_LINK_ERRORS | M_ERRNO_SOCK, "socks_handshake: TCP port write failed on send()");

       return false;

@@ -151,13 +245,37 @@ socks_handshake (socket_descriptor_t sd, volatile int *signal_received)

       buf[len++] = c;

     }

-  /* VER == 5 && METHOD == 0 */

-  if (buf[0] != '\x05' || buf[1] != '\x00')

+  /* VER == 5 */

+  if (buf[0] != '\x05')

     {

       msg (D_LINK_ERRORS, "socks_handshake: Socks proxy returned bad status");

       return false;

     }

+  /* select the appropriate authentication method */

+  switch (buf[1])

+    {

+    case 0: /* no authentication */

+      break;

+

+    case 2: /* login/password */

+      if (!p->authfile[0])

+      {

+	msg(D_LINK_ERRORS, "socks_handshake: server asked for username/login auth but we were "

+	                   "not provided any credentials");

+	return false;

+      }

+

+      if (!socks_username_password_auth(p, sd, signal_received))

+	return false;

+

+      break;

+

+    default: /* unknown auth method */

+      msg(D_LINK_ERRORS, "socks_handshake: unknown SOCKS auth method");

+      return false;

+    }

+

   return true;

 }

@@ -281,7 +399,7 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p,

   char buf[128];

   size_t len;

-  if (!socks_handshake (sd, signal_received))

+  if (!socks_handshake (p, sd, signal_received))

     goto error;

   /* format Socks CONNECT message */

@@ -328,7 +446,7 @@ establish_socks_proxy_udpassoc (struct socks_proxy_info *p,

 				struct openvpn_sockaddr *relay_addr,

 			        volatile int *signal_received)

 {

-  if (!socks_handshake (ctrl_sd, signal_received))

+  if (!socks_handshake (p, ctrl_sd, signal_received))

     goto error;

   {

@@ -43,12 +43,14 @@ struct socks_proxy_info {

   char server[128];

   int port;

+  char authfile[256];

 };

 void socks_adjust_frame_parameters (struct frame *frame, int proto);

 struct socks_proxy_info *socks_proxy_new (const char *server,

 					  int port,

+					  const char *authfile,

 					  bool retry,

 					  struct auto_proxy_info *auto_proxy_info);

@@ -63,6 +63,7 @@ static const char *netsh_get_id (const char *dev_node, struct gc_arena *gc);

 #ifdef TARGET_SOLARIS

 static void solaris_error_close (struct tuntap *tt, const struct env_set *es, const char *actual);

+#include <stropts.h>

 #endif

 bool

@@ -701,12 +702,45 @@ do_ifconfig (struct tuntap *tt,

 			    );

 	}

       else

-	no_tap_ifconfig ();

+        if (tt->topology == TOP_SUBNET)

+	{

+          argv_printf (&argv,

+                              "%s %s %s %s netmask %s mtu %d up",

+                              IFCONFIG_PATH,

+                              actual,

+                              ifconfig_local,

+                              ifconfig_local,

+                              ifconfig_remote_netmask,

+                              tun_mtu

+                              );

+	}

+        else

+          argv_printf (&argv,

+                            " %s %s %s netmask %s broadcast + up",

+                            IFCONFIG_PATH,

+                            actual,

+                            ifconfig_local,

+                            ifconfig_remote_netmask

+                            );

       argv_msg (M_INFO, &argv);

       if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig phase-2 failed"))

 	solaris_error_close (tt, es, actual);

+      if (!tun && tt->topology == TOP_SUBNET)

+	{

+	  /* Add a network route for the local tun interface */

+	  struct route r;

+	  CLEAR (r);      

+	  r.defined = true;       

+	  r.network = tt->local & tt->remote_netmask;

+	  r.netmask = tt->remote_netmask;

+	  r.gateway = tt->local;  

+	  r.metric_defined = true;

+	  r.metric = 0;

+	  add_route (&r, tt, 0, es);

+	}

+

       tt->did_ifconfig = true;

 #elif defined(TARGET_OPENBSD)

@@ -1372,15 +1406,17 @@ read_tun (struct tuntap* tt, uint8_t *buf, int len)

 void

 open_tun (const char *dev, const char *dev_type, const char *dev_node, bool ipv6, struct tuntap *tt)

 {

-  int if_fd, muxid, ppa = -1;

-  struct ifreq ifr;

+  int if_fd, ip_muxid, arp_muxid, arp_fd, ppa = -1;

+  struct lifreq ifr;

   const char *ptr;

-  const char *ip_node;

+  const char *ip_node, *arp_node;

   const char *dev_tuntap_type;

   int link_type;

   bool is_tun;

+  struct strioctl  strioc_if, strioc_ppa;

-  ipv6_support (ipv6, false, tt);

+  ipv6_support (ipv6, true, tt);

+  memset(&ifr, 0x0, sizeof(ifr));

   if (tt->type == DEV_TYPE_NULL)

     {

@@ -1399,9 +1435,10 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, bool ipv6

     }

   else if (tt->type == DEV_TYPE_TAP)

     {

-      ip_node = "/dev/ip";

+      ip_node = "/dev/udp";

       if (!dev_node)

 	dev_node = "/dev/tap";

+      arp_node = dev_node;

       dev_tuntap_type = "tap";

       link_type = I_PLINK; /* was: I_LINK */

       is_tun = false;

@@ -1428,7 +1465,11 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, bool ipv6

     msg (M_ERR, "Can't open %s", dev_node);

   /* Assign a new PPA and get its unit number. */

-  if ((ppa = ioctl (tt->fd, TUNNEWPPA, ppa)) < 0)

+  strioc_ppa.ic_cmd = TUNNEWPPA;

+  strioc_ppa.ic_timout = 0;

+  strioc_ppa.ic_len = sizeof(ppa);

+  strioc_ppa.ic_dp = (char *)&ppa;

+  if ((ppa = ioctl (tt->fd, I_STR, &strioc_ppa)) < 0)

     msg (M_ERR, "Can't assign new interface");

   if ((if_fd = open (dev_node, O_RDWR, 0)) < 0)

@@ -1437,27 +1478,83 @@ open_tun (const char *dev, const char *dev_type, const char *dev_node, bool ipv6

   if (ioctl (if_fd, I_PUSH, "ip") < 0)

     msg (M_ERR, "Can't push IP module");

+  if (tt->type == DEV_TYPE_TUN)

+    {

   /* Assign ppa according to the unit number returned by tun device */

   if (ioctl (if_fd, IF_UNITSEL, (char *) &ppa) < 0)

     msg (M_ERR, "Can't set PPA %d", ppa);

-

-  if ((muxid = ioctl (tt->ip_fd, link_type, if_fd)) < 0)

-    msg (M_ERR, "Can't link %s device to IP", dev_tuntap_type);

-

-  close (if_fd);

+    }

   tt->actual_name = (char *) malloc (32);

   check_malloc_return (tt->actual_name);

   openvpn_snprintf (tt->actual_name, 32, "%s%d", dev_tuntap_type, ppa);

+  if (tt->type == DEV_TYPE_TAP)

+    {

+          if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0)

+            msg (M_ERR, "Can't get flags\n");

+          strncpynt (ifr.lifr_name, tt->actual_name, sizeof (ifr.lifr_name));

+          ifr.lifr_ppa = ppa;

+          /* Assign ppa according to the unit number returned by tun device */

+          if (ioctl (if_fd, SIOCSLIFNAME, &ifr) < 0)

+            msg (M_ERR, "Can't set PPA %d", ppa);

+          if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) <0)

+            msg (M_ERR, "Can't get flags\n");

+          /* Push arp module to if_fd */

+          if (ioctl (if_fd, I_PUSH, "arp") < 0)

+            msg (M_ERR, "Can't push ARP module");

+

+          /* Pop any modules on the stream */

+          while (true)

+            {

+                 if (ioctl (tt->ip_fd, I_POP, NULL) < 0)

+                     break;

+            }

+          /* Push arp module to ip_fd */

+          if (ioctl (tt->ip_fd, I_PUSH, "arp") < 0)

+            msg (M_ERR, "Can't push ARP module\n");

+

+          /* Open arp_fd */

+          if ((arp_fd = open (arp_node, O_RDWR, 0)) < 0)

+            msg (M_ERR, "Can't open %s\n", arp_node);

+          /* Push arp module to arp_fd */

+          if (ioctl (arp_fd, I_PUSH, "arp") < 0)

+            msg (M_ERR, "Can't push ARP module\n");

+

+          /* Set ifname to arp */

+          strioc_if.ic_cmd = SIOCSLIFNAME;

+          strioc_if.ic_timout = 0;

+          strioc_if.ic_len = sizeof(ifr);

+          strioc_if.ic_dp = (char *)𝔦

+          if (ioctl(arp_fd, I_STR, &strioc_if) < 0){

+              msg (M_ERR, "Can't set ifname to arp\n");

+          }

+   }

+

+  if ((ip_muxid = ioctl (tt->ip_fd, link_type, if_fd)) < 0)

+    msg (M_ERR, "Can't link %s device to IP", dev_tuntap_type);

+

+  if (tt->type == DEV_TYPE_TAP) {

+          if ((arp_muxid = ioctl (tt->ip_fd, link_type, arp_fd)) < 0)

+            msg (M_ERR, "Can't link %s device to ARP", dev_tuntap_type);

+          close (arp_fd);

+  }

+

   CLEAR (ifr);

-  strncpynt (ifr.ifr_name, tt->actual_name, sizeof (ifr.ifr_name));

-  ifr.ifr_ip_muxid = muxid;

+  strncpynt (ifr.lifr_name, tt->actual_name, sizeof (ifr.lifr_name));

+  ifr.lifr_ip_muxid  = ip_muxid;

+  if (tt->type == DEV_TYPE_TAP) {

+          ifr.lifr_arp_muxid = arp_muxid;

+  }

-  if (ioctl (tt->ip_fd, SIOCSIFMUXID, &ifr) < 0)

+  if (ioctl (tt->ip_fd, SIOCSLIFMUXID, &ifr) < 0)

     {

-      ioctl (tt->ip_fd, I_PUNLINK, muxid);

+      if (tt->type == DEV_TYPE_TAP)

+        {

+              ioctl (tt->ip_fd, I_PUNLINK , arp_muxid);

+        }

+      ioctl (tt->ip_fd, I_PUNLINK, ip_muxid);

       msg (M_ERR, "Can't set multiplexor id");

     }

@@ -1475,18 +1572,24 @@ solaris_close_tun (struct tuntap *tt)

     {

       if (tt->ip_fd >= 0)

 	{

-	  struct ifreq ifr;

+          struct lifreq ifr;

 	  CLEAR (ifr);

-	  strncpynt (ifr.ifr_name, tt->actual_name, sizeof (ifr.ifr_name));

+          strncpynt (ifr.lifr_name, tt->actual_name, sizeof (ifr.lifr_name));

-	  if (ioctl (tt->ip_fd, SIOCGIFFLAGS, &ifr) < 0)

+          if (ioctl (tt->ip_fd, SIOCGLIFFLAGS, &ifr) < 0)

 	    msg (M_WARN | M_ERRNO, "Can't get iface flags");

-	  if (ioctl (tt->ip_fd, SIOCGIFMUXID, &ifr) < 0)

+          if (ioctl (tt->ip_fd, SIOCGLIFMUXID, &ifr) < 0)

 	    msg (M_WARN | M_ERRNO, "Can't get multiplexor id");

-	  if (ioctl (tt->ip_fd, I_PUNLINK, ifr.ifr_ip_muxid) < 0)

-	    msg (M_WARN | M_ERRNO, "Can't unlink interface");

+          if (tt->type == DEV_TYPE_TAP)

+            {

+                  if (ioctl (tt->ip_fd, I_PUNLINK, ifr.lifr_arp_muxid) < 0)

+                    msg (M_WARN | M_ERRNO, "Can't unlink interface(arp)");

+            }

+

+          if (ioctl (tt->ip_fd, I_PUNLINK, ifr.lifr_ip_muxid) < 0)

+            msg (M_WARN | M_ERRNO, "Can't unlink interface(ip)");

 	  close (tt->ip_fd);

 	  tt->ip_fd = -1;