op public repos

Blob

Date:: Wed Oct 18 17:15:47 2023 UTC
Message:: copyright++
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2021, 2022, 2023 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #include <ctype.h>
20 #include <errno.h>
21 #include <string.h>
22 
23 #include "log.h"
24 
25 #define MIN(a, b)	((a) < (b) ? (a) : (b))
26 
27 static const struct timeval handshake_timeout = { 5, 0 };
28 
29 static void	proxy_tls_readcb(int, short, void *);
30 static void	proxy_tls_writecb(int, short, void *);
31 static void	proxy_read(struct bufferevent *, void *);
32 static void	proxy_write(struct bufferevent *, void *);
33 static void	proxy_error(struct bufferevent *, short, void *);
34 
35 static void
36 proxy_tls_readcb(int fd, short event, void *d)
37 {
38 	struct bufferevent	*bufev = d;
39 	struct client		*c = bufev->cbarg;
40 	char			 buf[IBUF_READ_SIZE];
41 	int			 what = EVBUFFER_READ;
42 	int			 howmuch = IBUF_READ_SIZE;
43 	int			 res;
44 	ssize_t			 ret;
45 	size_t			 len;
46 
47 	if (event == EV_TIMEOUT) {
48 		what |= EVBUFFER_TIMEOUT;
49 		goto err;
50 	}
51 
52 	if (bufev->wm_read.high != 0)
53 		howmuch = MIN(sizeof(buf), bufev->wm_read.high);
54 
55 	switch (ret = tls_read(c->proxyctx, buf, howmuch)) {
56 	case TLS_WANT_POLLIN:
57 	case TLS_WANT_POLLOUT:
58 		goto retry;
59 	case -1:
60 		what |= EVBUFFER_ERROR;
61 		goto err;
62 	}
63 	len = ret;
64 
65 	if (len == 0) {
66 		what |= EVBUFFER_EOF;
67 		goto err;
68 	}
69 
70 	res = evbuffer_add(bufev->input, buf, len);
71 	if (res == -1) {
72 		what |= EVBUFFER_ERROR;
73 		goto err;
74 	}
75 
76 	event_add(&bufev->ev_read, NULL);
77 
78 	len = EVBUFFER_LENGTH(bufev->input);
79 	if (bufev->wm_read.low != 0 && len < bufev->wm_read.low)
80 		return;
81 
82 	if (bufev->readcb != NULL)
83 		(*bufev->readcb)(bufev, bufev->cbarg);
84 	return;
85 
86 retry:
87 	event_add(&bufev->ev_read, NULL);
88 	return;
89 
90 err:
91 	(*bufev->errorcb)(bufev, what, bufev->cbarg);
92 }
93 
94 static void
95 proxy_tls_writecb(int fd, short event, void *d)
96 {
97 	struct bufferevent	*bufev = d;
98 	struct client		*c = bufev->cbarg;
99 	ssize_t			 ret;
100 	size_t			 len;
101 	short			 what = EVBUFFER_WRITE;
102 
103 	if (event & EV_TIMEOUT) {
104 		what |= EVBUFFER_TIMEOUT;
105 		goto err;
106 	}
107 
108 	if (EVBUFFER_LENGTH(bufev->output) != 0) {
109 		ret = tls_write(c->proxyctx, EVBUFFER_DATA(bufev->output),
110 		    EVBUFFER_LENGTH(bufev->output));
111 		switch (ret) {
112 		case TLS_WANT_POLLIN:
113 		case TLS_WANT_POLLOUT:
114 			goto retry;
115 		case -1:
116 			what |= EVBUFFER_ERROR;
117 			goto err;
118 		}
119 		len = ret;
120 
121 		evbuffer_drain(bufev->output, len);
122 	}
123 
124 	if (EVBUFFER_LENGTH(bufev->output) != 0)
125 		event_add(&bufev->ev_write, NULL);
126 
127 	if (bufev->writecb != NULL &&
128 	    EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low)
129 		(*bufev->writecb)(bufev, bufev->cbarg);
130 	return;
131 
132 retry:
133 	event_add(&bufev->ev_write, NULL);
134 	return;
135 
136 err:
137 	(*bufev->errorcb)(bufev, what, bufev->cbarg);
138 }
139 
140 static void
141 proxy_read(struct bufferevent *bev, void *d)
142 {
143 	struct client	*c = d;
144 	struct evbuffer	*src = EVBUFFER_INPUT(bev);
145 	char		*hdr;
146 	size_t		 len;
147 	int		 code;
148 
149 	/* intercept the header */
150 	if (c->code == 0) {
151 		hdr = evbuffer_readln(src, &len, EVBUFFER_EOL_CRLF_STRICT);
152 		if (hdr == NULL) {
153 			/* max reply + \r\n */
154 			if (EVBUFFER_LENGTH(src) > 1029) {
155 				log_warnx("upstream server is trying to "
156 				    "send a header that's too long.");
157 				proxy_error(bev, EVBUFFER_READ, c);
158 			}
159 
160 			/* wait a bit */
161 			return;
162 		}
163 
164 		if (len < 3 || len > 1029 ||
165 		    !isdigit((unsigned char)hdr[0]) ||
166 		    !isdigit((unsigned char)hdr[1]) ||
167 		    !isspace((unsigned char)hdr[2])) {
168 			free(hdr);
169 			log_warnx("upstream server is trying to send a "
170 			    "header that's too long.");
171 			proxy_error(bev, EVBUFFER_READ, c);
172 			return;
173 		}
174 
175 		c->header = hdr;
176 		code = (hdr[0] - '0') * 10 + (hdr[1] - '0');
177 
178 		if (code < 10 || code >= 70) {
179 			log_warnx("upstream server is trying to send an "
180 			    "invalid reply code: %d", code);
181 			proxy_error(bev, EVBUFFER_READ, c);
182 			return;
183 		}
184 
185 		if (start_reply(c, code, hdr + 3) == -1 ||
186 		    c->code < 20 || c->code > 29) {
187 			proxy_error(bev, EVBUFFER_EOF, c);
188 			return;
189 		}
190 	}
191 
192 	bufferevent_write_buffer(c->bev, src);
193 }
194 
195 static void
196 proxy_write(struct bufferevent *bev, void *d)
197 {
198 	struct evbuffer	*dst = EVBUFFER_OUTPUT(bev);
199 
200 	/* request successfully sent */
201 	if (EVBUFFER_LENGTH(dst) == 0)
202 		bufferevent_disable(bev, EV_WRITE);
203 }
204 
205 static void
206 proxy_error(struct bufferevent *bev, short error, void *d)
207 {
208 	struct client	*c = d;
209 
210 	/*
211 	 * If we're here it means that some kind of non-recoverable
212 	 * error happened.
213 	 */
214 
215 	bufferevent_free(bev);
216 	c->proxybev = NULL;
217 
218 	tls_free(c->proxyctx);
219 	c->proxyctx = NULL;
220 
221 	close(c->pfd);
222 	c->pfd = -1;
223 
224 	/* EOF and no header */
225 	if (c->code == 0) {
226 		start_reply(c, PROXY_ERROR, "protocol error");
227 		return;
228 	}
229 
230 	c->type = REQUEST_DONE;
231 	client_write(c->bev, c);
232 }
233 
234 static void
235 proxy_enqueue_req(struct client *c)
236 {
237 	struct proxy *p = c->proxy;
238 	struct evbuffer	*evb;
239 	char		 iribuf[GEMINI_URL_LEN];
240 
241 	c->proxybev = bufferevent_new(c->pfd, proxy_read, proxy_write,
242 	    proxy_error, c);
243 	if (c->proxybev == NULL)
244 		fatal("can't allocate bufferevent");
245 
246 	if (!p->notls) {
247 		event_set(&c->proxybev->ev_read, c->pfd, EV_READ,
248 		    proxy_tls_readcb, c->proxybev);
249 		event_set(&c->proxybev->ev_write, c->pfd, EV_WRITE,
250 		    proxy_tls_writecb, c->proxybev);
251 
252 #if HAVE_LIBEVENT2
253 		evbuffer_unfreeze(c->proxybev->input, 0);
254 		evbuffer_unfreeze(c->proxybev->output, 1);
255 #endif
256 	}
257 
258 	serialize_iri(&c->iri, iribuf, sizeof(iribuf));
259 
260 	evb = EVBUFFER_OUTPUT(c->proxybev);
261 	evbuffer_add_printf(evb, "%s\r\n", iribuf);
262 
263 	bufferevent_enable(c->proxybev, EV_READ|EV_WRITE);
264 }
265 
266 static void
267 proxy_handshake(int fd, short event, void *d)
268 {
269 	struct client	*c = d;
270 
271 	if (event == EV_TIMEOUT) {
272 		start_reply(c, PROXY_ERROR, "timeout");
273 		return;
274 	}
275 
276 	switch (tls_handshake(c->proxyctx)) {
277 	case TLS_WANT_POLLIN:
278 		event_set(&c->proxyev, fd, EV_READ, proxy_handshake, c);
279 		event_add(&c->proxyev, &handshake_timeout);
280 		return;
281 	case TLS_WANT_POLLOUT:
282 		event_set(&c->proxyev, fd, EV_WRITE, proxy_handshake, c);
283 		event_add(&c->proxyev, &handshake_timeout);
284 		return;
285 	case -1:
286 		log_warnx("handshake with proxy failed: %s",
287 		    tls_error(c->proxyctx));
288 		start_reply(c, PROXY_ERROR, "handshake failed");
289 		return;
290 	}
291 
292 	c->proxyevset = 0;
293 	proxy_enqueue_req(c);
294 }
295 
296 static int
297 proxy_setup_tls(struct client *c)
298 {
299 	struct proxy *p = c->proxy;
300 	struct tls_config *conf = NULL;
301 	const char *hn;
302 
303 	if ((conf = tls_config_new()) == NULL)
304 		return -1;
305 
306 	if (p->noverifyname)
307 		tls_config_insecure_noverifyname(conf);
308 
309 	tls_config_insecure_noverifycert(conf);
310 	tls_config_set_protocols(conf, p->protocols);
311 
312 	if (p->cert != NULL) {
313 		int r;
314 
315 		r = tls_config_set_cert_mem(conf, p->cert, p->certlen);
316 		if (r == -1)
317 			goto err;
318 
319 		r = tls_config_set_key_mem(conf, p->key, p->keylen);
320 		if (r == -1)
321 			goto err;
322 	}
323 
324 	if ((c->proxyctx = tls_client()) == NULL)
325 		goto err;
326 
327 	if (tls_configure(c->proxyctx, conf) == -1)
328 		goto err;
329 
330 	if (*(hn = p->sni) == '\0')
331 		hn = p->host;
332 	if (tls_connect_socket(c->proxyctx, c->pfd, hn) == -1)
333 		goto err;
334 
335 	c->proxyevset = 1;
336 	event_set(&c->proxyev, c->pfd, EV_READ|EV_WRITE, proxy_handshake, c);
337 	event_add(&c->proxyev, &handshake_timeout);
338 
339 	tls_config_free(conf);
340 	return 0;
341 
342 err:
343 	tls_config_free(conf);
344 	if (c->proxyctx != NULL) {
345 		tls_free(c->proxyctx);
346 		c->proxyctx = NULL;
347 	}
348 	return -1;
349 }
350 
351 int
352 proxy_init(struct client *c)
353 {
354 	struct proxy *p = c->proxy;
355 
356 	if (!p->notls && proxy_setup_tls(c) == -1)
357 		return -1;
358 	else if (p->notls)
359 		proxy_enqueue_req(c);
360 
361 	c->type = REQUEST_PROXY;
362 
363 	return 0;
364 }