2 * Copyright (c) 2021, 2022 Omar Polo <op@omarpolo.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
25 #define MIN(a, b) ((a) < (b) ? (a) : (b))
27 static const struct timeval handshake_timeout = { 5, 0 };
29 static void proxy_tls_readcb(int, short, void *);
30 static void proxy_tls_writecb(int, short, void *);
31 static void proxy_read(struct bufferevent *, void *);
32 static void proxy_write(struct bufferevent *, void *);
33 static void proxy_error(struct bufferevent *, short, void *);
36 proxy_tls_readcb(int fd, short event, void *d)
38 struct bufferevent *bufev = d;
39 struct client *c = bufev->cbarg;
40 char buf[IBUF_READ_SIZE];
41 int what = EVBUFFER_READ;
42 int howmuch = IBUF_READ_SIZE;
47 if (event == EV_TIMEOUT) {
48 what |= EVBUFFER_TIMEOUT;
52 if (bufev->wm_read.high != 0)
53 howmuch = MIN(sizeof(buf), bufev->wm_read.high);
55 switch (ret = tls_read(c->proxyctx, buf, howmuch)) {
57 case TLS_WANT_POLLOUT:
60 what |= EVBUFFER_ERROR;
70 res = evbuffer_add(bufev->input, buf, len);
72 what |= EVBUFFER_ERROR;
76 event_add(&bufev->ev_read, NULL);
78 len = EVBUFFER_LENGTH(bufev->input);
79 if (bufev->wm_read.low != 0 && len < bufev->wm_read.low)
82 if (bufev->readcb != NULL)
83 (*bufev->readcb)(bufev, bufev->cbarg);
87 event_add(&bufev->ev_read, NULL);
91 (*bufev->errorcb)(bufev, what, bufev->cbarg);
95 proxy_tls_writecb(int fd, short event, void *d)
97 struct bufferevent *bufev = d;
98 struct client *c = bufev->cbarg;
101 short what = EVBUFFER_WRITE;
103 if (event & EV_TIMEOUT) {
104 what |= EVBUFFER_TIMEOUT;
108 if (EVBUFFER_LENGTH(bufev->output) != 0) {
109 ret = tls_write(c->proxyctx, EVBUFFER_DATA(bufev->output),
110 EVBUFFER_LENGTH(bufev->output));
112 case TLS_WANT_POLLIN:
113 case TLS_WANT_POLLOUT:
116 what |= EVBUFFER_ERROR;
121 evbuffer_drain(bufev->output, len);
124 if (EVBUFFER_LENGTH(bufev->output) != 0)
125 event_add(&bufev->ev_write, NULL);
127 if (bufev->writecb != NULL &&
128 EVBUFFER_LENGTH(bufev->output) <= bufev->wm_write.low)
129 (*bufev->writecb)(bufev, bufev->cbarg);
133 event_add(&bufev->ev_write, NULL);
137 (*bufev->errorcb)(bufev, what, bufev->cbarg);
141 proxy_read(struct bufferevent *bev, void *d)
143 struct client *c = d;
144 struct evbuffer *src = EVBUFFER_INPUT(bev);
149 /* intercept the header */
151 hdr = evbuffer_readln(src, &len, EVBUFFER_EOL_CRLF_STRICT);
153 /* max reply + \r\n */
154 if (EVBUFFER_LENGTH(src) > 1029) {
155 log_warnx("upstream server is trying to "
156 "send a header that's too long.");
157 proxy_error(bev, EVBUFFER_READ, c);
164 if (len < 3 || len > 1029 ||
165 !isdigit((unsigned char)hdr[0]) ||
166 !isdigit((unsigned char)hdr[1]) ||
167 !isspace((unsigned char)hdr[2])) {
169 log_warnx("upstream server is trying to send a "
170 "header that's too long.");
171 proxy_error(bev, EVBUFFER_READ, c);
176 code = (hdr[0] - '0') * 10 + (hdr[1] - '0');
178 if (code < 10 || code >= 70) {
179 log_warnx("upstream server is trying to send an "
180 "invalid reply code: %d", code);
181 proxy_error(bev, EVBUFFER_READ, c);
185 start_reply(c, code, hdr + 3);
187 if (c->code < 20 || c->code > 29) {
188 proxy_error(bev, EVBUFFER_EOF, c);
193 bufferevent_write_buffer(c->bev, src);
197 proxy_write(struct bufferevent *bev, void *d)
199 struct evbuffer *dst = EVBUFFER_OUTPUT(bev);
201 /* request successfully sent */
202 if (EVBUFFER_LENGTH(dst) == 0)
203 bufferevent_disable(bev, EV_WRITE);
207 proxy_error(struct bufferevent *bev, short error, void *d)
209 struct client *c = d;
212 * If we're here it means that some kind of non-recoverable
216 bufferevent_free(bev);
219 tls_free(c->proxyctx);
225 /* EOF and no header */
227 start_reply(c, PROXY_ERROR, "protocol error");
231 c->type = REQUEST_DONE;
232 client_write(c->bev, c);
236 proxy_enqueue_req(struct client *c)
238 struct proxy *p = c->proxy;
239 struct evbuffer *evb;
240 char iribuf[GEMINI_URL_LEN];
242 c->proxybev = bufferevent_new(c->pfd, proxy_read, proxy_write,
244 if (c->proxybev == NULL)
245 fatal("can't allocate bufferevent");
248 event_set(&c->proxybev->ev_read, c->pfd, EV_READ,
249 proxy_tls_readcb, c->proxybev);
250 event_set(&c->proxybev->ev_write, c->pfd, EV_WRITE,
251 proxy_tls_writecb, c->proxybev);
254 evbuffer_unfreeze(c->proxybev->input, 0);
255 evbuffer_unfreeze(c->proxybev->output, 1);
259 serialize_iri(&c->iri, iribuf, sizeof(iribuf));
261 evb = EVBUFFER_OUTPUT(c->proxybev);
262 evbuffer_add_printf(evb, "%s\r\n", iribuf);
264 bufferevent_enable(c->proxybev, EV_READ|EV_WRITE);
268 proxy_handshake(int fd, short event, void *d)
270 struct client *c = d;
272 if (event == EV_TIMEOUT) {
273 start_reply(c, PROXY_ERROR, "timeout");
277 switch (tls_handshake(c->proxyctx)) {
278 case TLS_WANT_POLLIN:
279 event_set(&c->proxyev, fd, EV_READ, proxy_handshake, c);
280 event_add(&c->proxyev, &handshake_timeout);
282 case TLS_WANT_POLLOUT:
283 event_set(&c->proxyev, fd, EV_WRITE, proxy_handshake, c);
284 event_add(&c->proxyev, &handshake_timeout);
287 log_warnx("handshake with proxy failed: %s",
288 tls_error(c->proxyctx));
289 start_reply(c, PROXY_ERROR, "handshake failed");
294 proxy_enqueue_req(c);
298 proxy_setup_tls(struct client *c)
300 struct proxy *p = c->proxy;
301 struct tls_config *conf = NULL;
304 if ((conf = tls_config_new()) == NULL)
308 tls_config_insecure_noverifyname(conf);
310 tls_config_insecure_noverifycert(conf);
311 tls_config_set_protocols(conf, p->protocols);
313 if (p->cert != NULL) {
316 r = tls_config_set_cert_mem(conf, p->cert, p->certlen);
320 r = tls_config_set_key_mem(conf, p->key, p->keylen);
325 if ((c->proxyctx = tls_client()) == NULL)
328 if (tls_configure(c->proxyctx, conf) == -1)
331 if (*(hn = p->sni) == '\0')
333 if (tls_connect_socket(c->proxyctx, c->pfd, hn) == -1)
337 event_set(&c->proxyev, c->pfd, EV_READ|EV_WRITE, proxy_handshake, c);
338 event_add(&c->proxyev, &handshake_timeout);
340 tls_config_free(conf);
344 tls_config_free(conf);
345 if (c->proxyctx != NULL) {
346 tls_free(c->proxyctx);
353 proxy_init(struct client *c)
355 struct proxy *p = c->proxy;
357 if (!p->notls && proxy_setup_tls(c) == -1)
360 proxy_enqueue_req(c);
362 c->type = REQUEST_PROXY;