1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1998-2016 Dag-Erling Smørgrav 5 * Copyright (c) 2013 Michael Gmelin <freebsd@grem.de> 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer 13 * in this position and unchanged. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include <sys/param.h> 36 #include <sys/socket.h> 37 #include <sys/time.h> 38 #include <sys/uio.h> 39 40 #include <netinet/in.h> 41 42 #include <ctype.h> 43 #include <errno.h> 44 #include <fcntl.h> 45 #include <inttypes.h> 46 #include <netdb.h> 47 #include <poll.h> 48 #include <pwd.h> 49 #include <stdarg.h> 50 #include <stdlib.h> 51 #include <stdio.h> 52 #include <string.h> 53 #include <unistd.h> 54 55 #ifdef WITH_SSL 56 #include <openssl/x509v3.h> 57 #endif 58 59 #include "fetch.h" 60 #include "common.h" 61 62 63 /*** Local data **************************************************************/ 64 65 /* 66 * Error messages for resolver errors 67 */ 68 static struct fetcherr netdb_errlist[] = { 69 #ifdef EAI_NODATA 70 { EAI_NODATA, FETCH_RESOLV, "Host not found" }, 71 #endif 72 { EAI_AGAIN, FETCH_TEMP, "Transient resolver failure" }, 73 { EAI_FAIL, FETCH_RESOLV, "Non-recoverable resolver failure" }, 74 { EAI_NONAME, FETCH_RESOLV, "No address record" }, 75 { -1, FETCH_UNKNOWN, "Unknown resolver error" } 76 }; 77 78 /* 79 * SOCKS5 error enumerations 80 */ 81 enum SOCKS5_ERR { 82 /* Protocol errors */ 83 SOCKS5_ERR_SELECTION, 84 SOCKS5_ERR_READ_METHOD, 85 SOCKS5_ERR_VER5_ONLY, 86 SOCKS5_ERR_NOMETHODS, 87 SOCKS5_ERR_NOTIMPLEMENTED, 88 SOCKS5_ERR_HOSTNAME_SIZE, 89 SOCKS5_ERR_REQUEST, 90 SOCKS5_ERR_REPLY, 91 SOCKS5_ERR_NON_VER5_RESP, 92 SOCKS5_ERR_GENERAL, 93 SOCKS5_ERR_NOT_ALLOWED, 94 SOCKS5_ERR_NET_UNREACHABLE, 95 SOCKS5_ERR_HOST_UNREACHABLE, 96 SOCKS5_ERR_CONN_REFUSED, 97 SOCKS5_ERR_TTL_EXPIRED, 98 SOCKS5_ERR_COM_UNSUPPORTED, 99 SOCKS5_ERR_ADDR_UNSUPPORTED, 100 SOCKS5_ERR_UNSPECIFIED, 101 /* Configuration errors */ 102 SOCKS5_ERR_BAD_HOST, 103 SOCKS5_ERR_BAD_PROXY_FORMAT, 104 SOCKS5_ERR_BAD_PORT 105 }; 106 107 /* 108 * Error messages for SOCKS5 errors 109 */ 110 static struct fetcherr socks5_errlist[] = { 111 /* SOCKS5 protocol errors */ 112 { SOCKS5_ERR_SELECTION, FETCH_ABORT, "SOCKS5: Failed to send selection method" }, 113 { SOCKS5_ERR_READ_METHOD, FETCH_ABORT, "SOCKS5: Failed to read method" }, 114 { SOCKS5_ERR_VER5_ONLY, FETCH_PROTO, "SOCKS5: Only version 5 is implemented" }, 115 { SOCKS5_ERR_NOMETHODS, FETCH_PROTO, "SOCKS5: No acceptable methods" }, 116 { SOCKS5_ERR_NOTIMPLEMENTED, FETCH_PROTO, "SOCKS5: Method currently not implemented" }, 117 { SOCKS5_ERR_HOSTNAME_SIZE, FETCH_PROTO, "SOCKS5: Hostname size is above 256 bytes" }, 118 { SOCKS5_ERR_REQUEST, FETCH_PROTO, "SOCKS5: Failed to request" }, 119 { SOCKS5_ERR_REPLY, FETCH_PROTO, "SOCKS5: Failed to receive reply" }, 120 { SOCKS5_ERR_NON_VER5_RESP, FETCH_PROTO, "SOCKS5: Server responded with a non-version 5 response" }, 121 { SOCKS5_ERR_GENERAL, FETCH_ABORT, "SOCKS5: General server failure" }, 122 { SOCKS5_ERR_NOT_ALLOWED, FETCH_AUTH, "SOCKS5: Connection not allowed by ruleset" }, 123 { SOCKS5_ERR_NET_UNREACHABLE, FETCH_NETWORK, "SOCKS5: Network unreachable" }, 124 { SOCKS5_ERR_HOST_UNREACHABLE, FETCH_ABORT, "SOCKS5: Host unreachable" }, 125 { SOCKS5_ERR_CONN_REFUSED, FETCH_ABORT, "SOCKS5: Connection refused" }, 126 { SOCKS5_ERR_TTL_EXPIRED, FETCH_TIMEOUT, "SOCKS5: TTL expired" }, 127 { SOCKS5_ERR_COM_UNSUPPORTED, FETCH_PROTO, "SOCKS5: Command not supported" }, 128 { SOCKS5_ERR_ADDR_UNSUPPORTED, FETCH_ABORT, "SOCKS5: Address type not supported" }, 129 { SOCKS5_ERR_UNSPECIFIED, FETCH_UNKNOWN, "SOCKS5: Unspecified error" }, 130 /* Configuration error */ 131 { SOCKS5_ERR_BAD_HOST, FETCH_ABORT, "SOCKS5: Bad proxy host" }, 132 { SOCKS5_ERR_BAD_PROXY_FORMAT, FETCH_ABORT, "SOCKS5: Bad proxy format" }, 133 { SOCKS5_ERR_BAD_PORT, FETCH_ABORT, "SOCKS5: Bad port" } 134 }; 135 136 /* End-of-Line */ 137 static const char ENDL[2] = "\r\n"; 138 139 140 /*** Error-reporting functions ***********************************************/ 141 142 /* 143 * Map error code to string 144 */ 145 static struct fetcherr * 146 fetch_finderr(struct fetcherr *p, int e) 147 { 148 while (p->num != -1 && p->num != e) 149 p++; 150 return (p); 151 } 152 153 /* 154 * Set error code 155 */ 156 void 157 fetch_seterr(struct fetcherr *p, int e) 158 { 159 p = fetch_finderr(p, e); 160 fetchLastErrCode = p->cat; 161 snprintf(fetchLastErrString, MAXERRSTRING, "%s", p->string); 162 } 163 164 /* 165 * Set error code according to errno 166 */ 167 void 168 fetch_syserr(void) 169 { 170 switch (errno) { 171 case 0: 172 fetchLastErrCode = FETCH_OK; 173 break; 174 case EPERM: 175 case EACCES: 176 case EROFS: 177 case EAUTH: 178 case ENEEDAUTH: 179 fetchLastErrCode = FETCH_AUTH; 180 break; 181 case ENOENT: 182 case EISDIR: /* XXX */ 183 fetchLastErrCode = FETCH_UNAVAIL; 184 break; 185 case ENOMEM: 186 fetchLastErrCode = FETCH_MEMORY; 187 break; 188 case EBUSY: 189 case EAGAIN: 190 fetchLastErrCode = FETCH_TEMP; 191 break; 192 case EEXIST: 193 fetchLastErrCode = FETCH_EXISTS; 194 break; 195 case ENOSPC: 196 fetchLastErrCode = FETCH_FULL; 197 break; 198 case EADDRINUSE: 199 case EADDRNOTAVAIL: 200 case ENETDOWN: 201 case ENETUNREACH: 202 case ENETRESET: 203 case EHOSTUNREACH: 204 fetchLastErrCode = FETCH_NETWORK; 205 break; 206 case ECONNABORTED: 207 case ECONNRESET: 208 fetchLastErrCode = FETCH_ABORT; 209 break; 210 case ETIMEDOUT: 211 fetchLastErrCode = FETCH_TIMEOUT; 212 break; 213 case ECONNREFUSED: 214 case EHOSTDOWN: 215 fetchLastErrCode = FETCH_DOWN; 216 break; 217 default: 218 fetchLastErrCode = FETCH_UNKNOWN; 219 } 220 snprintf(fetchLastErrString, MAXERRSTRING, "%s", strerror(errno)); 221 } 222 223 224 /* 225 * Emit status message 226 */ 227 void 228 fetch_info(const char *fmt, ...) 229 { 230 va_list ap; 231 232 va_start(ap, fmt); 233 vfprintf(stderr, fmt, ap); 234 va_end(ap); 235 fputc('\n', stderr); 236 } 237 238 239 /*** Network-related utility functions ***************************************/ 240 241 /* 242 * Return the default port for a scheme 243 */ 244 int 245 fetch_default_port(const char *scheme) 246 { 247 struct servent *se; 248 249 if ((se = getservbyname(scheme, "tcp")) != NULL) 250 return (ntohs(se->s_port)); 251 if (strcmp(scheme, SCHEME_FTP) == 0) 252 return (FTP_DEFAULT_PORT); 253 if (strcmp(scheme, SCHEME_HTTP) == 0) 254 return (HTTP_DEFAULT_PORT); 255 return (0); 256 } 257 258 /* 259 * Return the default proxy port for a scheme 260 */ 261 int 262 fetch_default_proxy_port(const char *scheme) 263 { 264 if (strcmp(scheme, SCHEME_FTP) == 0) 265 return (FTP_DEFAULT_PROXY_PORT); 266 if (strcmp(scheme, SCHEME_HTTP) == 0) 267 return (HTTP_DEFAULT_PROXY_PORT); 268 return (0); 269 } 270 271 272 /* 273 * Create a connection for an existing descriptor. 274 */ 275 conn_t * 276 fetch_reopen(int sd) 277 { 278 conn_t *conn; 279 int opt = 1; 280 281 /* allocate and fill connection structure */ 282 if ((conn = calloc(1, sizeof(*conn))) == NULL) 283 return (NULL); 284 fcntl(sd, F_SETFD, FD_CLOEXEC); 285 setsockopt(sd, SOL_SOCKET, SO_NOSIGPIPE, &opt, sizeof opt); 286 conn->sd = sd; 287 ++conn->ref; 288 return (conn); 289 } 290 291 292 /* 293 * Bump a connection's reference count. 294 */ 295 conn_t * 296 fetch_ref(conn_t *conn) 297 { 298 299 ++conn->ref; 300 return (conn); 301 } 302 303 304 /* 305 * Resolve an address 306 */ 307 struct addrinfo * 308 fetch_resolve(const char *addr, int port, int af) 309 { 310 char hbuf[256], sbuf[8]; 311 struct addrinfo hints, *res; 312 const char *hb, *he, *sep; 313 const char *host, *service; 314 int err, len; 315 316 /* first, check for a bracketed IPv6 address */ 317 if (*addr == '[') { 318 hb = addr + 1; 319 if ((sep = strchr(hb, ']')) == NULL) { 320 errno = EINVAL; 321 goto syserr; 322 } 323 he = sep++; 324 } else { 325 hb = addr; 326 sep = strchrnul(hb, ':'); 327 he = sep; 328 } 329 330 /* see if we need to copy the host name */ 331 if (*he != '\0') { 332 len = snprintf(hbuf, sizeof(hbuf), 333 "%.*s", (int)(he - hb), hb); 334 if (len < 0) 335 goto syserr; 336 if (len >= (int)sizeof(hbuf)) { 337 errno = ENAMETOOLONG; 338 goto syserr; 339 } 340 host = hbuf; 341 } else { 342 host = hb; 343 } 344 345 /* was it followed by a service name? */ 346 if (*sep == '\0' && port != 0) { 347 if (port < 1 || port > 65535) { 348 errno = EINVAL; 349 goto syserr; 350 } 351 if (snprintf(sbuf, sizeof(sbuf), "%d", port) < 0) 352 goto syserr; 353 service = sbuf; 354 } else if (*sep != '\0') { 355 service = sep + 1; 356 } else { 357 service = NULL; 358 } 359 360 /* resolve */ 361 memset(&hints, 0, sizeof(hints)); 362 hints.ai_family = af; 363 hints.ai_socktype = SOCK_STREAM; 364 hints.ai_flags = AI_ADDRCONFIG; 365 if ((err = getaddrinfo(host, service, &hints, &res)) != 0) { 366 netdb_seterr(err); 367 return (NULL); 368 } 369 return (res); 370 syserr: 371 fetch_syserr(); 372 return (NULL); 373 } 374 375 376 /* 377 * Bind a socket to a specific local address 378 */ 379 int 380 fetch_bind(int sd, int af, const char *addr) 381 { 382 struct addrinfo *cliai, *ai; 383 int err; 384 385 if ((cliai = fetch_resolve(addr, 0, af)) == NULL) 386 return (-1); 387 for (ai = cliai; ai != NULL; ai = ai->ai_next) 388 if ((err = bind(sd, ai->ai_addr, ai->ai_addrlen)) == 0) 389 break; 390 if (err != 0) 391 fetch_syserr(); 392 freeaddrinfo(cliai); 393 return (err == 0 ? 0 : -1); 394 } 395 396 397 /* 398 * SOCKS5 connection initiation, based on RFC 1928 399 * Default DNS resolution over SOCKS5 400 */ 401 int 402 fetch_socks5_init(conn_t *conn, const char *host, int port, int verbose) 403 { 404 /* 405 * Size is based on largest packet prefix (4 bytes) + 406 * Largest FQDN (256) + one byte size (1) + 407 * Port (2) 408 */ 409 unsigned char buf[BUFF_SIZE]; 410 unsigned char *ptr; 411 int ret = 1; 412 413 if (verbose) 414 fetch_info("Initializing SOCKS5 connection: %s:%d", host, port); 415 416 /* Connection initialization */ 417 ptr = buf; 418 *ptr++ = SOCKS_VERSION_5; 419 *ptr++ = SOCKS_CONNECTION; 420 *ptr++ = SOCKS_RSV; 421 422 if (fetch_write(conn, buf, 3) != 3) { 423 ret = SOCKS5_ERR_SELECTION; 424 goto fail; 425 } 426 427 /* Verify response from SOCKS5 server */ 428 if (fetch_read(conn, buf, 2) != 2) { 429 ret = SOCKS5_ERR_READ_METHOD; 430 goto fail; 431 } 432 433 ptr = buf; 434 if (ptr[0] != SOCKS_VERSION_5) { 435 ret = SOCKS5_ERR_VER5_ONLY; 436 goto fail; 437 } 438 if (ptr[1] == SOCKS_NOMETHODS) { 439 ret = SOCKS5_ERR_NOMETHODS; 440 goto fail; 441 } 442 else if (ptr[1] != SOCKS5_NOTIMPLEMENTED) { 443 ret = SOCKS5_ERR_NOTIMPLEMENTED; 444 goto fail; 445 } 446 447 /* Send Request */ 448 *ptr++ = SOCKS_VERSION_5; 449 *ptr++ = SOCKS_CONNECTION; 450 *ptr++ = SOCKS_RSV; 451 /* Encode all targets as a hostname to avoid DNS leaks */ 452 *ptr++ = SOCKS_ATYP_DOMAINNAME; 453 if (strlen(host) > FQDN_SIZE) { 454 ret = SOCKS5_ERR_HOSTNAME_SIZE; 455 goto fail; 456 } 457 *ptr++ = strlen(host); 458 strncpy(ptr, host, strlen(host)); 459 ptr = ptr + strlen(host); 460 461 port = htons(port); 462 *ptr++ = port & 0x00ff; 463 *ptr++ = (port & 0xff00) >> 8; 464 465 if (fetch_write(conn, buf, ptr - buf) != ptr - buf) { 466 ret = SOCKS5_ERR_REQUEST; 467 goto fail; 468 } 469 470 /* BND.ADDR is variable length, read the largest on non-blocking socket */ 471 if (!fetch_read(conn, buf, BUFF_SIZE)) { 472 ret = SOCKS5_ERR_REPLY; 473 goto fail; 474 } 475 476 ptr = buf; 477 if (*ptr++ != SOCKS_VERSION_5) { 478 ret = SOCKS5_ERR_NON_VER5_RESP; 479 goto fail; 480 } 481 482 switch(*ptr++) { 483 case SOCKS_SUCCESS: 484 break; 485 case SOCKS_GENERAL_FAILURE: 486 ret = SOCKS5_ERR_GENERAL; 487 goto fail; 488 case SOCKS_CONNECTION_NOT_ALLOWED: 489 ret = SOCKS5_ERR_NOT_ALLOWED; 490 goto fail; 491 case SOCKS_NETWORK_UNREACHABLE: 492 ret = SOCKS5_ERR_NET_UNREACHABLE; 493 goto fail; 494 case SOCKS_HOST_UNREACHABLE: 495 ret = SOCKS5_ERR_HOST_UNREACHABLE; 496 goto fail; 497 case SOCKS_CONNECTION_REFUSED: 498 ret = SOCKS5_ERR_CONN_REFUSED; 499 goto fail; 500 case SOCKS_TTL_EXPIRED: 501 ret = SOCKS5_ERR_TTL_EXPIRED; 502 goto fail; 503 case SOCKS_COMMAND_NOT_SUPPORTED: 504 ret = SOCKS5_ERR_COM_UNSUPPORTED; 505 goto fail; 506 case SOCKS_ADDRESS_NOT_SUPPORTED: 507 ret = SOCKS5_ERR_ADDR_UNSUPPORTED; 508 goto fail; 509 default: 510 ret = SOCKS5_ERR_UNSPECIFIED; 511 goto fail; 512 } 513 514 return (ret); 515 516 fail: 517 socks5_seterr(ret); 518 return (0); 519 } 520 521 /* 522 * Perform SOCKS5 initialization 523 */ 524 int 525 fetch_socks5_getenv(char **host, int *port) 526 { 527 char *socks5env, *endptr, *ext; 528 const char *portDelim; 529 size_t slen; 530 531 portDelim = ":"; 532 if ((socks5env = getenv("SOCKS5_PROXY")) == NULL || *socks5env == '\0') { 533 *host = NULL; 534 *port = -1; 535 return (-1); 536 } 537 538 /* 539 * IPv6 addresses begin and end in brackets. Set the port delimiter 540 * accordingly and search for it so we can do appropriate validation. 541 */ 542 if (socks5env[0] == '[') 543 portDelim = "]:"; 544 545 slen = strlen(socks5env); 546 ext = strstr(socks5env, portDelim); 547 if (socks5env[0] == '[') { 548 if (socks5env[slen - 1] == ']') { 549 *host = strndup(socks5env, slen); 550 } else if (ext != NULL) { 551 *host = strndup(socks5env, ext - socks5env + 1); 552 } else { 553 socks5_seterr(SOCKS5_ERR_BAD_PROXY_FORMAT); 554 return (0); 555 } 556 } else { 557 *host = strndup(socks5env, ext - socks5env); 558 } 559 560 if (*host == NULL) { 561 fprintf(stderr, "Failure to allocate memory, exiting.\n"); 562 return (-1); 563 } 564 if (ext == NULL) { 565 *port = 1080; /* Default port as defined in RFC1928 */ 566 } else { 567 ext += strlen(portDelim); 568 errno = 0; 569 *port = strtoimax(ext, (char **)&endptr, 10); 570 if (*endptr != '\0' || errno != 0 || *port < 0 || 571 *port > 65535) { 572 free(*host); 573 *host = NULL; 574 socks5_seterr(SOCKS5_ERR_BAD_PORT); 575 return (0); 576 } 577 } 578 579 return (2); 580 } 581 582 583 /* 584 * Establish a TCP connection to the specified port on the specified host. 585 */ 586 conn_t * 587 fetch_connect(const char *host, int port, int af, int verbose) 588 { 589 struct addrinfo *cais = NULL, *sais = NULL, *cai, *sai; 590 const char *bindaddr; 591 conn_t *conn = NULL; 592 int err = 0, sd = -1; 593 char *sockshost; 594 int socksport; 595 596 DEBUGF("---> %s:%d\n", host, port); 597 598 /* 599 * Check if SOCKS5_PROXY env variable is set. fetch_socks5_getenv 600 * will either set sockshost = NULL or allocate memory in all cases. 601 */ 602 sockshost = NULL; 603 if (!fetch_socks5_getenv(&sockshost, &socksport)) 604 goto fail; 605 606 /* Not using SOCKS5 proxy */ 607 if (sockshost == NULL) { 608 /* resolve server address */ 609 if (verbose) 610 fetch_info("resolving server address: %s:%d", host, 611 port); 612 if ((sais = fetch_resolve(host, port, af)) == NULL) 613 goto fail; 614 615 /* resolve client address */ 616 bindaddr = getenv("FETCH_BIND_ADDRESS"); 617 if (bindaddr != NULL && *bindaddr != '\0') { 618 if (verbose) 619 fetch_info("resolving client address: %s", 620 bindaddr); 621 if ((cais = fetch_resolve(bindaddr, 0, af)) == NULL) 622 goto fail; 623 } 624 } else { 625 /* resolve socks5 proxy address */ 626 if (verbose) 627 fetch_info("resolving SOCKS5 server address: %s:%d", 628 sockshost, socksport); 629 if ((sais = fetch_resolve(sockshost, socksport, af)) == NULL) { 630 socks5_seterr(SOCKS5_ERR_BAD_HOST); 631 goto fail; 632 } 633 } 634 635 /* try each server address in turn */ 636 for (err = 0, sai = sais; sai != NULL; sai = sai->ai_next) { 637 /* open socket */ 638 if ((sd = socket(sai->ai_family, SOCK_STREAM, 0)) < 0) 639 goto syserr; 640 /* attempt to bind to client address */ 641 for (err = 0, cai = cais; cai != NULL; cai = cai->ai_next) { 642 if (cai->ai_family != sai->ai_family) 643 continue; 644 if ((err = bind(sd, cai->ai_addr, cai->ai_addrlen)) == 0) 645 break; 646 } 647 if (err != 0) { 648 if (verbose) 649 fetch_info("failed to bind to %s", bindaddr); 650 goto syserr; 651 } 652 /* attempt to connect to server address */ 653 if ((err = connect(sd, sai->ai_addr, sai->ai_addrlen)) == 0) 654 break; 655 /* clean up before next attempt */ 656 close(sd); 657 sd = -1; 658 } 659 if (err != 0) { 660 if (verbose && sockshost == NULL) { 661 fetch_info("failed to connect to %s:%d", host, port); 662 goto syserr; 663 } else if (sockshost != NULL) { 664 if (verbose) 665 fetch_info( 666 "failed to connect to SOCKS5 server %s:%d", 667 sockshost, socksport); 668 socks5_seterr(SOCKS5_ERR_CONN_REFUSED); 669 goto fail; 670 } 671 goto syserr; 672 } 673 674 if ((conn = fetch_reopen(sd)) == NULL) 675 goto syserr; 676 677 if (sockshost) 678 if (!fetch_socks5_init(conn, host, port, verbose)) 679 goto fail; 680 if (cais != NULL) 681 freeaddrinfo(cais); 682 if (sais != NULL) 683 freeaddrinfo(sais); 684 return (conn); 685 syserr: 686 fetch_syserr(); 687 fail: 688 free(sockshost); 689 if (sd >= 0) 690 close(sd); 691 if (cais != NULL) 692 freeaddrinfo(cais); 693 if (sais != NULL) 694 freeaddrinfo(sais); 695 return (NULL); 696 } 697 698 #ifdef WITH_SSL 699 /* 700 * Convert characters A-Z to lowercase (intentionally avoid any locale 701 * specific conversions). 702 */ 703 static char 704 fetch_ssl_tolower(char in) 705 { 706 if (in >= 'A' && in <= 'Z') 707 return (in + 32); 708 else 709 return (in); 710 } 711 712 /* 713 * isalpha implementation that intentionally avoids any locale specific 714 * conversions. 715 */ 716 static int 717 fetch_ssl_isalpha(char in) 718 { 719 return ((in >= 'A' && in <= 'Z') || (in >= 'a' && in <= 'z')); 720 } 721 722 /* 723 * Check if passed hostnames a and b are equal. 724 */ 725 static int 726 fetch_ssl_hname_equal(const char *a, size_t alen, const char *b, 727 size_t blen) 728 { 729 size_t i; 730 731 if (alen != blen) 732 return (0); 733 for (i = 0; i < alen; ++i) { 734 if (fetch_ssl_tolower(a[i]) != fetch_ssl_tolower(b[i])) 735 return (0); 736 } 737 return (1); 738 } 739 740 /* 741 * Check if domain label is traditional, meaning that only A-Z, a-z, 0-9 742 * and '-' (hyphen) are allowed. Hyphens have to be surrounded by alpha- 743 * numeric characters. Double hyphens (like they're found in IDN a-labels 744 * 'xn--') are not allowed. Empty labels are invalid. 745 */ 746 static int 747 fetch_ssl_is_trad_domain_label(const char *l, size_t len, int wcok) 748 { 749 size_t i; 750 751 if (!len || l[0] == '-' || l[len-1] == '-') 752 return (0); 753 for (i = 0; i < len; ++i) { 754 if (!isdigit(l[i]) && 755 !fetch_ssl_isalpha(l[i]) && 756 !(l[i] == '*' && wcok) && 757 !(l[i] == '-' && l[i - 1] != '-')) 758 return (0); 759 } 760 return (1); 761 } 762 763 /* 764 * Check if host name consists only of numbers. This might indicate an IP 765 * address, which is not a good idea for CN wildcard comparison. 766 */ 767 static int 768 fetch_ssl_hname_is_only_numbers(const char *hostname, size_t len) 769 { 770 size_t i; 771 772 for (i = 0; i < len; ++i) { 773 if (!((hostname[i] >= '0' && hostname[i] <= '9') || 774 hostname[i] == '.')) 775 return (0); 776 } 777 return (1); 778 } 779 780 /* 781 * Check if the host name h passed matches the pattern passed in m which 782 * is usually part of subjectAltName or CN of a certificate presented to 783 * the client. This includes wildcard matching. The algorithm is based on 784 * RFC6125, sections 6.4.3 and 7.2, which clarifies RFC2818 and RFC3280. 785 */ 786 static int 787 fetch_ssl_hname_match(const char *h, size_t hlen, const char *m, 788 size_t mlen) 789 { 790 int delta, hdotidx, mdot1idx, wcidx; 791 const char *hdot, *mdot1, *mdot2; 792 const char *wc; /* wildcard */ 793 794 if (!(h && *h && m && *m)) 795 return (0); 796 if ((wc = strnstr(m, "*", mlen)) == NULL) 797 return (fetch_ssl_hname_equal(h, hlen, m, mlen)); 798 wcidx = wc - m; 799 /* hostname should not be just dots and numbers */ 800 if (fetch_ssl_hname_is_only_numbers(h, hlen)) 801 return (0); 802 /* only one wildcard allowed in pattern */ 803 if (strnstr(wc + 1, "*", mlen - wcidx - 1) != NULL) 804 return (0); 805 /* 806 * there must be at least two more domain labels and 807 * wildcard has to be in the leftmost label (RFC6125) 808 */ 809 mdot1 = strnstr(m, ".", mlen); 810 if (mdot1 == NULL || mdot1 < wc || (mlen - (mdot1 - m)) < 4) 811 return (0); 812 mdot1idx = mdot1 - m; 813 mdot2 = strnstr(mdot1 + 1, ".", mlen - mdot1idx - 1); 814 if (mdot2 == NULL || (mlen - (mdot2 - m)) < 2) 815 return (0); 816 /* hostname must contain a dot and not be the 1st char */ 817 hdot = strnstr(h, ".", hlen); 818 if (hdot == NULL || hdot == h) 819 return (0); 820 hdotidx = hdot - h; 821 /* 822 * host part of hostname must be at least as long as 823 * pattern it's supposed to match 824 */ 825 if (hdotidx < mdot1idx) 826 return (0); 827 /* 828 * don't allow wildcards in non-traditional domain names 829 * (IDN, A-label, U-label...) 830 */ 831 if (!fetch_ssl_is_trad_domain_label(h, hdotidx, 0) || 832 !fetch_ssl_is_trad_domain_label(m, mdot1idx, 1)) 833 return (0); 834 /* match domain part (part after first dot) */ 835 if (!fetch_ssl_hname_equal(hdot, hlen - hdotidx, mdot1, 836 mlen - mdot1idx)) 837 return (0); 838 /* match part left of wildcard */ 839 if (!fetch_ssl_hname_equal(h, wcidx, m, wcidx)) 840 return (0); 841 /* match part right of wildcard */ 842 delta = mdot1idx - wcidx - 1; 843 if (!fetch_ssl_hname_equal(hdot - delta, delta, 844 mdot1 - delta, delta)) 845 return (0); 846 /* all tests succeeded, it's a match */ 847 return (1); 848 } 849 850 /* 851 * Get numeric host address info - returns NULL if host was not an IP 852 * address. The caller is responsible for deallocation using 853 * freeaddrinfo(3). 854 */ 855 static struct addrinfo * 856 fetch_ssl_get_numeric_addrinfo(const char *hostname, size_t len) 857 { 858 struct addrinfo hints, *res; 859 char *host; 860 861 host = (char *)malloc(len + 1); 862 memcpy(host, hostname, len); 863 host[len] = '\0'; 864 memset(&hints, 0, sizeof(hints)); 865 hints.ai_family = PF_UNSPEC; 866 hints.ai_socktype = SOCK_STREAM; 867 hints.ai_protocol = 0; 868 hints.ai_flags = AI_NUMERICHOST; 869 /* port is not relevant for this purpose */ 870 if (getaddrinfo(host, "443", &hints, &res) != 0) 871 res = NULL; 872 free(host); 873 return res; 874 } 875 876 /* 877 * Compare ip address in addrinfo with address passes. 878 */ 879 static int 880 fetch_ssl_ipaddr_match_bin(const struct addrinfo *lhost, const char *rhost, 881 size_t rhostlen) 882 { 883 const void *left; 884 885 if (lhost->ai_family == AF_INET && rhostlen == 4) { 886 left = (void *)&((struct sockaddr_in*)(void *) 887 lhost->ai_addr)->sin_addr.s_addr; 888 #ifdef INET6 889 } else if (lhost->ai_family == AF_INET6 && rhostlen == 16) { 890 left = (void *)&((struct sockaddr_in6 *)(void *) 891 lhost->ai_addr)->sin6_addr; 892 #endif 893 } else 894 return (0); 895 return (!memcmp(left, (const void *)rhost, rhostlen) ? 1 : 0); 896 } 897 898 /* 899 * Compare ip address in addrinfo with host passed. If host is not an IP 900 * address, comparison will fail. 901 */ 902 static int 903 fetch_ssl_ipaddr_match(const struct addrinfo *laddr, const char *r, 904 size_t rlen) 905 { 906 struct addrinfo *raddr; 907 int ret; 908 char *rip; 909 910 ret = 0; 911 if ((raddr = fetch_ssl_get_numeric_addrinfo(r, rlen)) == NULL) 912 return 0; /* not a numeric host */ 913 914 if (laddr->ai_family == raddr->ai_family) { 915 if (laddr->ai_family == AF_INET) { 916 rip = (char *)&((struct sockaddr_in *)(void *) 917 raddr->ai_addr)->sin_addr.s_addr; 918 ret = fetch_ssl_ipaddr_match_bin(laddr, rip, 4); 919 #ifdef INET6 920 } else if (laddr->ai_family == AF_INET6) { 921 rip = (char *)&((struct sockaddr_in6 *)(void *) 922 raddr->ai_addr)->sin6_addr; 923 ret = fetch_ssl_ipaddr_match_bin(laddr, rip, 16); 924 #endif 925 } 926 927 } 928 freeaddrinfo(raddr); 929 return (ret); 930 } 931 932 /* 933 * Verify server certificate by subjectAltName. 934 */ 935 static int 936 fetch_ssl_verify_altname(STACK_OF(GENERAL_NAME) *altnames, 937 const char *host, struct addrinfo *ip) 938 { 939 const GENERAL_NAME *name; 940 size_t nslen; 941 int i; 942 const char *ns; 943 944 for (i = 0; i < sk_GENERAL_NAME_num(altnames); ++i) { 945 #if OPENSSL_VERSION_NUMBER < 0x10000000L 946 /* 947 * This is a workaround, since the following line causes 948 * alignment issues in clang: 949 * name = sk_GENERAL_NAME_value(altnames, i); 950 * OpenSSL explicitly warns not to use those macros 951 * directly, but there isn't much choice (and there 952 * shouldn't be any ill side effects) 953 */ 954 name = (GENERAL_NAME *)SKM_sk_value(void, altnames, i); 955 #else 956 name = sk_GENERAL_NAME_value(altnames, i); 957 #endif 958 #if OPENSSL_VERSION_NUMBER < 0x10100000L 959 ns = (const char *)ASN1_STRING_data(name->d.ia5); 960 #else 961 ns = (const char *)ASN1_STRING_get0_data(name->d.ia5); 962 #endif 963 nslen = (size_t)ASN1_STRING_length(name->d.ia5); 964 965 if (name->type == GEN_DNS && ip == NULL && 966 fetch_ssl_hname_match(host, strlen(host), ns, nslen)) 967 return (1); 968 else if (name->type == GEN_IPADD && ip != NULL && 969 fetch_ssl_ipaddr_match_bin(ip, ns, nslen)) 970 return (1); 971 } 972 return (0); 973 } 974 975 /* 976 * Verify server certificate by CN. 977 */ 978 static int 979 fetch_ssl_verify_cn(X509_NAME *subject, const char *host, 980 struct addrinfo *ip) 981 { 982 ASN1_STRING *namedata; 983 X509_NAME_ENTRY *nameentry; 984 int cnlen, lastpos, loc, ret; 985 unsigned char *cn; 986 987 ret = 0; 988 lastpos = -1; 989 loc = -1; 990 cn = NULL; 991 /* get most specific CN (last entry in list) and compare */ 992 while ((lastpos = X509_NAME_get_index_by_NID(subject, 993 NID_commonName, lastpos)) != -1) 994 loc = lastpos; 995 996 if (loc > -1) { 997 nameentry = X509_NAME_get_entry(subject, loc); 998 namedata = X509_NAME_ENTRY_get_data(nameentry); 999 cnlen = ASN1_STRING_to_UTF8(&cn, namedata); 1000 if (ip == NULL && 1001 fetch_ssl_hname_match(host, strlen(host), cn, cnlen)) 1002 ret = 1; 1003 else if (ip != NULL && fetch_ssl_ipaddr_match(ip, cn, cnlen)) 1004 ret = 1; 1005 OPENSSL_free(cn); 1006 } 1007 return (ret); 1008 } 1009 1010 /* 1011 * Verify that server certificate subjectAltName/CN matches 1012 * hostname. First check, if there are alternative subject names. If yes, 1013 * those have to match. Only if those don't exist it falls back to 1014 * checking the subject's CN. 1015 */ 1016 static int 1017 fetch_ssl_verify_hname(X509 *cert, const char *host) 1018 { 1019 struct addrinfo *ip; 1020 STACK_OF(GENERAL_NAME) *altnames; 1021 X509_NAME *subject; 1022 int ret; 1023 1024 ret = 0; 1025 ip = fetch_ssl_get_numeric_addrinfo(host, strlen(host)); 1026 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, 1027 NULL, NULL); 1028 1029 if (altnames != NULL) { 1030 ret = fetch_ssl_verify_altname(altnames, host, ip); 1031 } else { 1032 subject = X509_get_subject_name(cert); 1033 if (subject != NULL) 1034 ret = fetch_ssl_verify_cn(subject, host, ip); 1035 } 1036 1037 if (ip != NULL) 1038 freeaddrinfo(ip); 1039 if (altnames != NULL) 1040 GENERAL_NAMES_free(altnames); 1041 return (ret); 1042 } 1043 1044 /* 1045 * Configure transport security layer based on environment. 1046 */ 1047 static void 1048 fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) 1049 { 1050 long ssl_ctx_options; 1051 1052 ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET; 1053 if (getenv("SSL_ALLOW_SSL3") == NULL) 1054 ssl_ctx_options |= SSL_OP_NO_SSLv3; 1055 if (getenv("SSL_NO_TLS1") != NULL) 1056 ssl_ctx_options |= SSL_OP_NO_TLSv1; 1057 if (getenv("SSL_NO_TLS1_1") != NULL) 1058 ssl_ctx_options |= SSL_OP_NO_TLSv1_1; 1059 if (getenv("SSL_NO_TLS1_2") != NULL) 1060 ssl_ctx_options |= SSL_OP_NO_TLSv1_2; 1061 if (verbose) 1062 fetch_info("SSL options: %lx", ssl_ctx_options); 1063 SSL_CTX_set_options(ctx, ssl_ctx_options); 1064 } 1065 1066 1067 /* 1068 * Configure peer verification based on environment. 1069 */ 1070 #define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem" 1071 #define BASE_CERT_FILE "/etc/ssl/cert.pem" 1072 static int 1073 fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) 1074 { 1075 X509_LOOKUP *crl_lookup; 1076 X509_STORE *crl_store; 1077 const char *ca_cert_file, *ca_cert_path, *crl_file; 1078 1079 if (getenv("SSL_NO_VERIFY_PEER") == NULL) { 1080 ca_cert_file = getenv("SSL_CA_CERT_FILE"); 1081 if (ca_cert_file == NULL && 1082 access(LOCAL_CERT_FILE, R_OK) == 0) 1083 ca_cert_file = LOCAL_CERT_FILE; 1084 if (ca_cert_file == NULL && 1085 access(BASE_CERT_FILE, R_OK) == 0) 1086 ca_cert_file = BASE_CERT_FILE; 1087 ca_cert_path = getenv("SSL_CA_CERT_PATH"); 1088 if (verbose) { 1089 fetch_info("Peer verification enabled"); 1090 if (ca_cert_file != NULL) 1091 fetch_info("Using CA cert file: %s", 1092 ca_cert_file); 1093 if (ca_cert_path != NULL) 1094 fetch_info("Using CA cert path: %s", 1095 ca_cert_path); 1096 if (ca_cert_file == NULL && ca_cert_path == NULL) 1097 fetch_info("Using OpenSSL default " 1098 "CA cert file and path"); 1099 } 1100 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 1101 fetch_ssl_cb_verify_crt); 1102 if (ca_cert_file != NULL || ca_cert_path != NULL) 1103 SSL_CTX_load_verify_locations(ctx, ca_cert_file, 1104 ca_cert_path); 1105 else 1106 SSL_CTX_set_default_verify_paths(ctx); 1107 if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) { 1108 if (verbose) 1109 fetch_info("Using CRL file: %s", crl_file); 1110 crl_store = SSL_CTX_get_cert_store(ctx); 1111 crl_lookup = X509_STORE_add_lookup(crl_store, 1112 X509_LOOKUP_file()); 1113 if (crl_lookup == NULL || 1114 !X509_load_crl_file(crl_lookup, crl_file, 1115 X509_FILETYPE_PEM)) { 1116 fprintf(stderr, 1117 "Could not load CRL file %s\n", 1118 crl_file); 1119 return (0); 1120 } 1121 X509_STORE_set_flags(crl_store, 1122 X509_V_FLAG_CRL_CHECK | 1123 X509_V_FLAG_CRL_CHECK_ALL); 1124 } 1125 } 1126 return (1); 1127 } 1128 1129 /* 1130 * Configure client certificate based on environment. 1131 */ 1132 static int 1133 fetch_ssl_setup_client_certificate(SSL_CTX *ctx, int verbose) 1134 { 1135 const char *client_cert_file, *client_key_file; 1136 1137 if ((client_cert_file = getenv("SSL_CLIENT_CERT_FILE")) != NULL) { 1138 client_key_file = getenv("SSL_CLIENT_KEY_FILE") != NULL ? 1139 getenv("SSL_CLIENT_KEY_FILE") : client_cert_file; 1140 if (verbose) { 1141 fetch_info("Using client cert file: %s", 1142 client_cert_file); 1143 fetch_info("Using client key file: %s", 1144 client_key_file); 1145 } 1146 if (SSL_CTX_use_certificate_chain_file(ctx, 1147 client_cert_file) != 1) { 1148 fprintf(stderr, 1149 "Could not load client certificate %s\n", 1150 client_cert_file); 1151 return (0); 1152 } 1153 if (SSL_CTX_use_PrivateKey_file(ctx, client_key_file, 1154 SSL_FILETYPE_PEM) != 1) { 1155 fprintf(stderr, 1156 "Could not load client key %s\n", 1157 client_key_file); 1158 return (0); 1159 } 1160 } 1161 return (1); 1162 } 1163 1164 /* 1165 * Callback for SSL certificate verification, this is called on server 1166 * cert verification. It takes no decision, but informs the user in case 1167 * verification failed. 1168 */ 1169 int 1170 fetch_ssl_cb_verify_crt(int verified, X509_STORE_CTX *ctx) 1171 { 1172 X509 *crt; 1173 X509_NAME *name; 1174 char *str; 1175 1176 str = NULL; 1177 if (!verified) { 1178 if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL && 1179 (name = X509_get_subject_name(crt)) != NULL) 1180 str = X509_NAME_oneline(name, 0, 0); 1181 fprintf(stderr, "Certificate verification failed for %s\n", 1182 str != NULL ? str : "no relevant certificate"); 1183 OPENSSL_free(str); 1184 } 1185 return (verified); 1186 } 1187 1188 #endif 1189 1190 /* 1191 * Enable SSL on a connection. 1192 */ 1193 int 1194 fetch_ssl(conn_t *conn, const struct url *URL, int verbose) 1195 { 1196 #ifdef WITH_SSL 1197 int ret, ssl_err; 1198 X509_NAME *name; 1199 char *str; 1200 1201 /* Init the SSL library and context */ 1202 if (!SSL_library_init()){ 1203 fprintf(stderr, "SSL library init failed\n"); 1204 return (-1); 1205 } 1206 1207 SSL_load_error_strings(); 1208 1209 conn->ssl_meth = SSLv23_client_method(); 1210 conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth); 1211 SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY); 1212 1213 fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose); 1214 if (!fetch_ssl_setup_peer_verification(conn->ssl_ctx, verbose)) 1215 return (-1); 1216 if (!fetch_ssl_setup_client_certificate(conn->ssl_ctx, verbose)) 1217 return (-1); 1218 1219 conn->ssl = SSL_new(conn->ssl_ctx); 1220 if (conn->ssl == NULL) { 1221 fprintf(stderr, "SSL context creation failed\n"); 1222 return (-1); 1223 } 1224 SSL_set_fd(conn->ssl, conn->sd); 1225 1226 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) 1227 if (!SSL_set_tlsext_host_name(conn->ssl, 1228 __DECONST(struct url *, URL)->host)) { 1229 fprintf(stderr, 1230 "TLS server name indication extension failed for host %s\n", 1231 URL->host); 1232 return (-1); 1233 } 1234 #endif 1235 while ((ret = SSL_connect(conn->ssl)) == -1) { 1236 ssl_err = SSL_get_error(conn->ssl, ret); 1237 if (ssl_err != SSL_ERROR_WANT_READ && 1238 ssl_err != SSL_ERROR_WANT_WRITE) { 1239 ERR_print_errors_fp(stderr); 1240 return (-1); 1241 } 1242 } 1243 conn->ssl_cert = SSL_get_peer_certificate(conn->ssl); 1244 1245 if (conn->ssl_cert == NULL) { 1246 fprintf(stderr, "No server SSL certificate\n"); 1247 return (-1); 1248 } 1249 1250 if (getenv("SSL_NO_VERIFY_HOSTNAME") == NULL) { 1251 if (verbose) 1252 fetch_info("Verify hostname"); 1253 if (!fetch_ssl_verify_hname(conn->ssl_cert, URL->host)) { 1254 fprintf(stderr, 1255 "SSL certificate subject doesn't match host %s\n", 1256 URL->host); 1257 return (-1); 1258 } 1259 } 1260 1261 if (verbose) { 1262 fetch_info("%s connection established using %s", 1263 SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl)); 1264 name = X509_get_subject_name(conn->ssl_cert); 1265 str = X509_NAME_oneline(name, 0, 0); 1266 fetch_info("Certificate subject: %s", str); 1267 OPENSSL_free(str); 1268 name = X509_get_issuer_name(conn->ssl_cert); 1269 str = X509_NAME_oneline(name, 0, 0); 1270 fetch_info("Certificate issuer: %s", str); 1271 OPENSSL_free(str); 1272 } 1273 1274 return (0); 1275 #else 1276 (void)conn; 1277 (void)verbose; 1278 (void)URL; 1279 fprintf(stderr, "SSL support disabled\n"); 1280 return (-1); 1281 #endif 1282 } 1283 1284 #define FETCH_READ_WAIT -2 1285 #define FETCH_READ_ERROR -1 1286 #define FETCH_READ_DONE 0 1287 1288 #ifdef WITH_SSL 1289 static ssize_t 1290 fetch_ssl_read(SSL *ssl, char *buf, size_t len) 1291 { 1292 ssize_t rlen; 1293 int ssl_err; 1294 1295 rlen = SSL_read(ssl, buf, len); 1296 if (rlen < 0) { 1297 ssl_err = SSL_get_error(ssl, rlen); 1298 if (ssl_err == SSL_ERROR_WANT_READ || 1299 ssl_err == SSL_ERROR_WANT_WRITE) { 1300 return (FETCH_READ_WAIT); 1301 } else { 1302 ERR_print_errors_fp(stderr); 1303 return (FETCH_READ_ERROR); 1304 } 1305 } 1306 return (rlen); 1307 } 1308 #endif 1309 1310 static ssize_t 1311 fetch_socket_read(int sd, char *buf, size_t len) 1312 { 1313 ssize_t rlen; 1314 1315 rlen = read(sd, buf, len); 1316 if (rlen < 0) { 1317 if (errno == EAGAIN || (errno == EINTR && fetchRestartCalls)) 1318 return (FETCH_READ_WAIT); 1319 else 1320 return (FETCH_READ_ERROR); 1321 } 1322 return (rlen); 1323 } 1324 1325 /* 1326 * Read a character from a connection w/ timeout 1327 */ 1328 ssize_t 1329 fetch_read(conn_t *conn, char *buf, size_t len) 1330 { 1331 struct timeval now, timeout, delta; 1332 struct pollfd pfd; 1333 ssize_t rlen; 1334 int deltams; 1335 1336 if (fetchTimeout > 0) { 1337 gettimeofday(&timeout, NULL); 1338 timeout.tv_sec += fetchTimeout; 1339 } 1340 1341 deltams = INFTIM; 1342 memset(&pfd, 0, sizeof pfd); 1343 pfd.fd = conn->sd; 1344 pfd.events = POLLIN | POLLERR; 1345 1346 for (;;) { 1347 /* 1348 * The socket is non-blocking. Instead of the canonical 1349 * poll() -> read(), we do the following: 1350 * 1351 * 1) call read() or SSL_read(). 1352 * 2) if we received some data, return it. 1353 * 3) if an error occurred, return -1. 1354 * 4) if read() or SSL_read() signaled EOF, return. 1355 * 5) if we did not receive any data but we're not at EOF, 1356 * call poll(). 1357 * 1358 * In the SSL case, this is necessary because if we 1359 * receive a close notification, we have to call 1360 * SSL_read() one additional time after we've read 1361 * everything we received. 1362 * 1363 * In the non-SSL case, it may improve performance (very 1364 * slightly) when reading small amounts of data. 1365 */ 1366 #ifdef WITH_SSL 1367 if (conn->ssl != NULL) 1368 rlen = fetch_ssl_read(conn->ssl, buf, len); 1369 else 1370 #endif 1371 rlen = fetch_socket_read(conn->sd, buf, len); 1372 if (rlen >= 0) { 1373 break; 1374 } else if (rlen == FETCH_READ_ERROR) { 1375 fetch_syserr(); 1376 return (-1); 1377 } 1378 // assert(rlen == FETCH_READ_WAIT); 1379 if (fetchTimeout > 0) { 1380 gettimeofday(&now, NULL); 1381 if (!timercmp(&timeout, &now, >)) { 1382 errno = ETIMEDOUT; 1383 fetch_syserr(); 1384 return (-1); 1385 } 1386 timersub(&timeout, &now, &delta); 1387 deltams = delta.tv_sec * 1000 + 1388 delta.tv_usec / 1000;; 1389 } 1390 errno = 0; 1391 pfd.revents = 0; 1392 if (poll(&pfd, 1, deltams) < 0) { 1393 if (errno == EINTR && fetchRestartCalls) 1394 continue; 1395 fetch_syserr(); 1396 return (-1); 1397 } 1398 } 1399 return (rlen); 1400 } 1401 1402 1403 /* 1404 * Read a line of text from a connection w/ timeout 1405 */ 1406 #define MIN_BUF_SIZE 1024 1407 1408 int 1409 fetch_getln(conn_t *conn) 1410 { 1411 char *tmp; 1412 size_t tmpsize; 1413 ssize_t len; 1414 char c; 1415 1416 if (conn->buf == NULL) { 1417 if ((conn->buf = malloc(MIN_BUF_SIZE)) == NULL) { 1418 errno = ENOMEM; 1419 return (-1); 1420 } 1421 conn->bufsize = MIN_BUF_SIZE; 1422 } 1423 1424 conn->buf[0] = '\0'; 1425 conn->buflen = 0; 1426 1427 do { 1428 len = fetch_read(conn, &c, 1); 1429 if (len == -1) 1430 return (-1); 1431 if (len == 0) 1432 break; 1433 conn->buf[conn->buflen++] = c; 1434 if (conn->buflen == conn->bufsize) { 1435 tmp = conn->buf; 1436 tmpsize = conn->bufsize * 2 + 1; 1437 if ((tmp = realloc(tmp, tmpsize)) == NULL) { 1438 errno = ENOMEM; 1439 return (-1); 1440 } 1441 conn->buf = tmp; 1442 conn->bufsize = tmpsize; 1443 } 1444 } while (c != '\n'); 1445 1446 conn->buf[conn->buflen] = '\0'; 1447 DEBUGF("<<< %s", conn->buf); 1448 return (0); 1449 } 1450 1451 1452 /* 1453 * Write to a connection w/ timeout 1454 */ 1455 ssize_t 1456 fetch_write(conn_t *conn, const char *buf, size_t len) 1457 { 1458 struct iovec iov; 1459 1460 iov.iov_base = __DECONST(char *, buf); 1461 iov.iov_len = len; 1462 return fetch_writev(conn, &iov, 1); 1463 } 1464 1465 /* 1466 * Write a vector to a connection w/ timeout 1467 * Note: can modify the iovec. 1468 */ 1469 ssize_t 1470 fetch_writev(conn_t *conn, struct iovec *iov, int iovcnt) 1471 { 1472 struct timeval now, timeout, delta; 1473 struct pollfd pfd; 1474 ssize_t wlen, total; 1475 int deltams; 1476 1477 memset(&pfd, 0, sizeof pfd); 1478 if (fetchTimeout) { 1479 pfd.fd = conn->sd; 1480 pfd.events = POLLOUT | POLLERR; 1481 gettimeofday(&timeout, NULL); 1482 timeout.tv_sec += fetchTimeout; 1483 } 1484 1485 total = 0; 1486 while (iovcnt > 0) { 1487 while (fetchTimeout && pfd.revents == 0) { 1488 gettimeofday(&now, NULL); 1489 if (!timercmp(&timeout, &now, >)) { 1490 errno = ETIMEDOUT; 1491 fetch_syserr(); 1492 return (-1); 1493 } 1494 timersub(&timeout, &now, &delta); 1495 deltams = delta.tv_sec * 1000 + 1496 delta.tv_usec / 1000; 1497 errno = 0; 1498 pfd.revents = 0; 1499 if (poll(&pfd, 1, deltams) < 0) { 1500 /* POSIX compliance */ 1501 if (errno == EAGAIN) 1502 continue; 1503 if (errno == EINTR && fetchRestartCalls) 1504 continue; 1505 return (-1); 1506 } 1507 } 1508 errno = 0; 1509 #ifdef WITH_SSL 1510 if (conn->ssl != NULL) 1511 wlen = SSL_write(conn->ssl, 1512 iov->iov_base, iov->iov_len); 1513 else 1514 #endif 1515 wlen = writev(conn->sd, iov, iovcnt); 1516 if (wlen == 0) { 1517 /* we consider a short write a failure */ 1518 /* XXX perhaps we shouldn't in the SSL case */ 1519 errno = EPIPE; 1520 fetch_syserr(); 1521 return (-1); 1522 } 1523 if (wlen < 0) { 1524 if (errno == EINTR && fetchRestartCalls) 1525 continue; 1526 return (-1); 1527 } 1528 total += wlen; 1529 while (iovcnt > 0 && wlen >= (ssize_t)iov->iov_len) { 1530 wlen -= iov->iov_len; 1531 iov++; 1532 iovcnt--; 1533 } 1534 if (iovcnt > 0) { 1535 iov->iov_len -= wlen; 1536 iov->iov_base = __DECONST(char *, iov->iov_base) + wlen; 1537 } 1538 } 1539 return (total); 1540 } 1541 1542 1543 /* 1544 * Write a line of text to a connection w/ timeout 1545 */ 1546 int 1547 fetch_putln(conn_t *conn, const char *str, size_t len) 1548 { 1549 struct iovec iov[2]; 1550 int ret; 1551 1552 DEBUGF(">>> %s\n", str); 1553 iov[0].iov_base = __DECONST(char *, str); 1554 iov[0].iov_len = len; 1555 iov[1].iov_base = __DECONST(char *, ENDL); 1556 iov[1].iov_len = sizeof(ENDL); 1557 if (len == 0) 1558 ret = fetch_writev(conn, &iov[1], 1); 1559 else 1560 ret = fetch_writev(conn, iov, 2); 1561 if (ret == -1) 1562 return (-1); 1563 return (0); 1564 } 1565 1566 1567 /* 1568 * Close connection 1569 */ 1570 int 1571 fetch_close(conn_t *conn) 1572 { 1573 int ret; 1574 1575 if (--conn->ref > 0) 1576 return (0); 1577 #ifdef WITH_SSL 1578 if (conn->ssl) { 1579 SSL_shutdown(conn->ssl); 1580 SSL_set_connect_state(conn->ssl); 1581 SSL_free(conn->ssl); 1582 conn->ssl = NULL; 1583 } 1584 if (conn->ssl_ctx) { 1585 SSL_CTX_free(conn->ssl_ctx); 1586 conn->ssl_ctx = NULL; 1587 } 1588 if (conn->ssl_cert) { 1589 X509_free(conn->ssl_cert); 1590 conn->ssl_cert = NULL; 1591 } 1592 #endif 1593 ret = close(conn->sd); 1594 free(conn->buf); 1595 free(conn); 1596 return (ret); 1597 } 1598 1599 1600 /*** Directory-related utility functions *************************************/ 1601 1602 int 1603 fetch_add_entry(struct url_ent **p, int *size, int *len, 1604 const char *name, struct url_stat *us) 1605 { 1606 struct url_ent *tmp; 1607 1608 if (*p == NULL) { 1609 *size = 0; 1610 *len = 0; 1611 } 1612 1613 if (*len >= *size - 1) { 1614 tmp = reallocarray(*p, *size * 2 + 1, sizeof(**p)); 1615 if (tmp == NULL) { 1616 errno = ENOMEM; 1617 fetch_syserr(); 1618 return (-1); 1619 } 1620 *size = (*size * 2 + 1); 1621 *p = tmp; 1622 } 1623 1624 tmp = *p + *len; 1625 snprintf(tmp->name, PATH_MAX, "%s", name); 1626 memcpy(&tmp->stat, us, sizeof(*us)); 1627 1628 (*len)++; 1629 (++tmp)->name[0] = 0; 1630 1631 return (0); 1632 } 1633 1634 1635 /*** Authentication-related utility functions ********************************/ 1636 1637 static const char * 1638 fetch_read_word(FILE *f) 1639 { 1640 static char word[1024]; 1641 1642 if (fscanf(f, " %1023s ", word) != 1) 1643 return (NULL); 1644 return (word); 1645 } 1646 1647 static int 1648 fetch_netrc_open(void) 1649 { 1650 struct passwd *pwd; 1651 char fn[PATH_MAX]; 1652 const char *p; 1653 int fd, serrno; 1654 1655 if ((p = getenv("NETRC")) != NULL) { 1656 DEBUGF("NETRC=%s\n", p); 1657 if (snprintf(fn, sizeof(fn), "%s", p) >= (int)sizeof(fn)) { 1658 fetch_info("$NETRC specifies a file name " 1659 "longer than PATH_MAX"); 1660 return (-1); 1661 } 1662 } else { 1663 if ((p = getenv("HOME")) == NULL) { 1664 if ((pwd = getpwuid(getuid())) == NULL || 1665 (p = pwd->pw_dir) == NULL) 1666 return (-1); 1667 } 1668 if (snprintf(fn, sizeof(fn), "%s/.netrc", p) >= (int)sizeof(fn)) 1669 return (-1); 1670 } 1671 1672 if ((fd = open(fn, O_RDONLY)) < 0) { 1673 serrno = errno; 1674 DEBUGF("%s: %s\n", fn, strerror(serrno)); 1675 errno = serrno; 1676 } 1677 return (fd); 1678 } 1679 1680 /* 1681 * Get authentication data for a URL from .netrc 1682 */ 1683 int 1684 fetch_netrc_auth(struct url *url) 1685 { 1686 const char *word; 1687 int serrno; 1688 FILE *f; 1689 1690 if (url->netrcfd < 0) 1691 url->netrcfd = fetch_netrc_open(); 1692 if (url->netrcfd < 0) 1693 return (-1); 1694 if ((f = fdopen(url->netrcfd, "r")) == NULL) { 1695 serrno = errno; 1696 DEBUGF("fdopen(netrcfd): %s", strerror(errno)); 1697 close(url->netrcfd); 1698 url->netrcfd = -1; 1699 errno = serrno; 1700 return (-1); 1701 } 1702 rewind(f); 1703 DEBUGF("searching netrc for %s\n", url->host); 1704 while ((word = fetch_read_word(f)) != NULL) { 1705 if (strcmp(word, "default") == 0) { 1706 DEBUGF("using default netrc settings\n"); 1707 break; 1708 } 1709 if (strcmp(word, "machine") == 0 && 1710 (word = fetch_read_word(f)) != NULL && 1711 strcasecmp(word, url->host) == 0) { 1712 DEBUGF("using netrc settings for %s\n", word); 1713 break; 1714 } 1715 } 1716 if (word == NULL) 1717 goto ferr; 1718 while ((word = fetch_read_word(f)) != NULL) { 1719 if (strcmp(word, "login") == 0) { 1720 if ((word = fetch_read_word(f)) == NULL) 1721 goto ferr; 1722 if (snprintf(url->user, sizeof(url->user), 1723 "%s", word) > (int)sizeof(url->user)) { 1724 fetch_info("login name in .netrc is too long"); 1725 url->user[0] = '\0'; 1726 } 1727 } else if (strcmp(word, "password") == 0) { 1728 if ((word = fetch_read_word(f)) == NULL) 1729 goto ferr; 1730 if (snprintf(url->pwd, sizeof(url->pwd), 1731 "%s", word) > (int)sizeof(url->pwd)) { 1732 fetch_info("password in .netrc is too long"); 1733 url->pwd[0] = '\0'; 1734 } 1735 } else if (strcmp(word, "account") == 0) { 1736 if ((word = fetch_read_word(f)) == NULL) 1737 goto ferr; 1738 /* XXX not supported! */ 1739 } else { 1740 break; 1741 } 1742 } 1743 fclose(f); 1744 url->netrcfd = -1; 1745 return (0); 1746 ferr: 1747 serrno = errno; 1748 fclose(f); 1749 url->netrcfd = -1; 1750 errno = serrno; 1751 return (-1); 1752 } 1753 1754 /* 1755 * The no_proxy environment variable specifies a set of domains for 1756 * which the proxy should not be consulted; the contents is a comma-, 1757 * or space-separated list of domain names. A single asterisk will 1758 * override all proxy variables and no transactions will be proxied 1759 * (for compatibility with lynx and curl, see the discussion at 1760 * <http://curl.haxx.se/mail/archive_pre_oct_99/0009.html>). 1761 */ 1762 int 1763 fetch_no_proxy_match(const char *host) 1764 { 1765 const char *no_proxy, *p, *q; 1766 size_t h_len, d_len; 1767 1768 if ((no_proxy = getenv("NO_PROXY")) == NULL && 1769 (no_proxy = getenv("no_proxy")) == NULL) 1770 return (0); 1771 1772 /* asterisk matches any hostname */ 1773 if (strcmp(no_proxy, "*") == 0) 1774 return (1); 1775 1776 h_len = strlen(host); 1777 p = no_proxy; 1778 do { 1779 /* position p at the beginning of a domain suffix */ 1780 while (*p == ',' || isspace((unsigned char)*p)) 1781 p++; 1782 1783 /* position q at the first separator character */ 1784 for (q = p; *q; ++q) 1785 if (*q == ',' || isspace((unsigned char)*q)) 1786 break; 1787 1788 d_len = q - p; 1789 if (d_len > 0 && h_len >= d_len && 1790 strncasecmp(host + h_len - d_len, 1791 p, d_len) == 0) { 1792 /* domain name matches */ 1793 return (1); 1794 } 1795 1796 p = q + 1; 1797 } while (*q); 1798 1799 return (0); 1800 } 1801