1 files changed, 15 insertions, 9 deletions

diff --git a/main/openvpn/src/openvpn/socks.c b/main/openvpn/src/openvpn/socks.c
index 1551da84..72bdf550 100644
--- a/main/openvpn/src/openvpn/socks.c
+++ b/main/openvpn/src/openvpn/socks.c
@@ -38,8 +38,6 @@
 
 #include "syshead.h"
 
-#ifdef ENABLE_SOCKS
-
 #include "common.h"
 #include "misc.h"
 #include "win32.h"
@@ -189,10 +187,15 @@ socks_handshake (struct socks_proxy_info *p,
   char buf[2];
   int len = 0;
   const int timeout_sec = 5;
+  ssize_t size;
 
-  /* VER = 5, NMETHODS = 2, METHODS = [0 (no auth), 2 (plain login)] */
-  const ssize_t size = send (sd, "\x05\x02\x00\x02", 4, MSG_NOSIGNAL);
-  if (size != 4)
+  /* VER = 5, NMETHODS = 1, METHODS = [0 (no auth)] */
+  char method_sel[3] = { 0x05, 0x01, 0x00 };
+  if (p->authfile[0])
+      method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
+
+  size = send (sd, method_sel, sizeof (method_sel), MSG_NOSIGNAL);
+  if (size != sizeof (method_sel))
     {
       msg (D_LINK_ERRORS | M_ERRNO, "socks_handshake: TCP port write failed on send()");
       return false;
@@ -252,6 +255,13 @@ socks_handshake (struct socks_proxy_info *p,
       return false;
     }
 
+  /* validate that the auth method returned is the one sent */
+  if (buf[1] != method_sel[2])
+    {
+      msg (D_LINK_ERRORS, "socks_handshake: Socks proxy returned unexpected auth");
+      return false;
+    }
+
   /* select the appropriate authentication method */
   switch (buf[1])
     {
@@ -562,7 +572,3 @@ socks_process_outgoing_udp (struct buffer *buf,
 
   return 10;
 }
-
-#else
-static void dummy(void) {}
-#endif /* ENABLE_SOCKS */