1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1998-2016 Dag-Erling Smørgrav 5 * Copyright (c) 2013 Michael Gmelin <freebsd@grem.de> 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer 13 * in this position and unchanged. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. The name of the author may not be used to endorse or promote products 18 * derived from this software without specific prior written permission 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include <sys/param.h> 36 #include <sys/socket.h> 37 #include <sys/time.h> 38 #include <sys/uio.h> 39 40 #include <netinet/in.h> 41 42 #include <ctype.h> 43 #include <errno.h> 44 #include <fcntl.h> 45 #include <inttypes.h> 46 #include <netdb.h> 47 #include <poll.h> 48 #include <pwd.h> 49 #include <stdarg.h> 50 #include <stdlib.h> 51 #include <stdio.h> 52 #include <string.h> 53 #include <unistd.h> 54 55 #ifdef WITH_SSL 56 #include <openssl/x509v3.h> 57 #endif 58 59 #include "fetch.h" 60 #include "common.h" 61 62 63 /*** Local data **************************************************************/ 64 65 /* 66 * Error messages for resolver errors 67 */ 68 static struct fetcherr netdb_errlist[] = { 69 #ifdef EAI_NODATA 70 { EAI_NODATA, FETCH_RESOLV, "Host not found" }, 71 #endif 72 { EAI_AGAIN, FETCH_TEMP, "Transient resolver failure" }, 73 { EAI_FAIL, FETCH_RESOLV, "Non-recoverable resolver failure" }, 74 { EAI_NONAME, FETCH_RESOLV, "No address record" }, 75 { -1, FETCH_UNKNOWN, "Unknown resolver error" } 76 }; 77 78 /* 79 * SOCKS5 error enumerations 80 */ 81 enum SOCKS5_ERR { 82 /* Protocol errors */ 83 SOCKS5_ERR_SELECTION, 84 SOCKS5_ERR_READ_METHOD, 85 SOCKS5_ERR_VER5_ONLY, 86 SOCKS5_ERR_NOMETHODS, 87 SOCKS5_ERR_NOTIMPLEMENTED, 88 SOCKS5_ERR_HOSTNAME_SIZE, 89 SOCKS5_ERR_REQUEST, 90 SOCKS5_ERR_REPLY, 91 SOCKS5_ERR_NON_VER5_RESP, 92 SOCKS5_ERR_GENERAL, 93 SOCKS5_ERR_NOT_ALLOWED, 94 SOCKS5_ERR_NET_UNREACHABLE, 95 SOCKS5_ERR_HOST_UNREACHABLE, 96 SOCKS5_ERR_CONN_REFUSED, 97 SOCKS5_ERR_TTL_EXPIRED, 98 SOCKS5_ERR_COM_UNSUPPORTED, 99 SOCKS5_ERR_ADDR_UNSUPPORTED, 100 SOCKS5_ERR_UNSPECIFIED, 101 /* Configuration errors */ 102 SOCKS5_ERR_BAD_HOST, 103 SOCKS5_ERR_BAD_PROXY_FORMAT, 104 SOCKS5_ERR_BAD_PORT 105 }; 106 107 /* 108 * Error messages for SOCKS5 errors 109 */ 110 static struct fetcherr socks5_errlist[] = { 111 /* SOCKS5 protocol errors */ 112 { SOCKS5_ERR_SELECTION, FETCH_ABORT, "SOCKS5: Failed to send selection method" }, 113 { SOCKS5_ERR_READ_METHOD, FETCH_ABORT, "SOCKS5: Failed to read method" }, 114 { SOCKS5_ERR_VER5_ONLY, FETCH_PROTO, "SOCKS5: Only version 5 is implemented" }, 115 { SOCKS5_ERR_NOMETHODS, FETCH_PROTO, "SOCKS5: No acceptable methods" }, 116 { SOCKS5_ERR_NOTIMPLEMENTED, FETCH_PROTO, "SOCKS5: Method currently not implemented" }, 117 { SOCKS5_ERR_HOSTNAME_SIZE, FETCH_PROTO, "SOCKS5: Hostname size is above 256 bytes" }, 118 { SOCKS5_ERR_REQUEST, FETCH_PROTO, "SOCKS5: Failed to request" }, 119 { SOCKS5_ERR_REPLY, FETCH_PROTO, "SOCKS5: Failed to receive reply" }, 120 { SOCKS5_ERR_NON_VER5_RESP, FETCH_PROTO, "SOCKS5: Server responded with a non-version 5 response" }, 121 { SOCKS5_ERR_GENERAL, FETCH_ABORT, "SOCKS5: General server failure" }, 122 { SOCKS5_ERR_NOT_ALLOWED, FETCH_AUTH, "SOCKS5: Connection not allowed by ruleset" }, 123 { SOCKS5_ERR_NET_UNREACHABLE, FETCH_NETWORK, "SOCKS5: Network unreachable" }, 124 { SOCKS5_ERR_HOST_UNREACHABLE, FETCH_ABORT, "SOCKS5: Host unreachable" }, 125 { SOCKS5_ERR_CONN_REFUSED, FETCH_ABORT, "SOCKS5: Connection refused" }, 126 { SOCKS5_ERR_TTL_EXPIRED, FETCH_TIMEOUT, "SOCKS5: TTL expired" }, 127 { SOCKS5_ERR_COM_UNSUPPORTED, FETCH_PROTO, "SOCKS5: Command not supported" }, 128 { SOCKS5_ERR_ADDR_UNSUPPORTED, FETCH_ABORT, "SOCKS5: Address type not supported" }, 129 { SOCKS5_ERR_UNSPECIFIED, FETCH_UNKNOWN, "SOCKS5: Unspecified error" }, 130 /* Configuration error */ 131 { SOCKS5_ERR_BAD_HOST, FETCH_ABORT, "SOCKS5: Bad proxy host" }, 132 { SOCKS5_ERR_BAD_PROXY_FORMAT, FETCH_ABORT, "SOCKS5: Bad proxy format" }, 133 { SOCKS5_ERR_BAD_PORT, FETCH_ABORT, "SOCKS5: Bad port" } 134 }; 135 136 /* End-of-Line */ 137 static const char ENDL[2] = "\r\n"; 138 139 140 /*** Error-reporting functions ***********************************************/ 141 142 /* 143 * Map error code to string 144 */ 145 static struct fetcherr * 146 fetch_finderr(struct fetcherr *p, int e) 147 { 148 while (p->num != -1 && p->num != e) 149 p++; 150 return (p); 151 } 152 153 /* 154 * Set error code 155 */ 156 void 157 fetch_seterr(struct fetcherr *p, int e) 158 { 159 p = fetch_finderr(p, e); 160 fetchLastErrCode = p->cat; 161 snprintf(fetchLastErrString, MAXERRSTRING, "%s", p->string); 162 } 163 164 /* 165 * Set error code according to errno 166 */ 167 void 168 fetch_syserr(void) 169 { 170 switch (errno) { 171 case 0: 172 fetchLastErrCode = FETCH_OK; 173 break; 174 case EPERM: 175 case EACCES: 176 case EROFS: 177 case EAUTH: 178 case ENEEDAUTH: 179 fetchLastErrCode = FETCH_AUTH; 180 break; 181 case ENOENT: 182 case EISDIR: /* XXX */ 183 fetchLastErrCode = FETCH_UNAVAIL; 184 break; 185 case ENOMEM: 186 fetchLastErrCode = FETCH_MEMORY; 187 break; 188 case EBUSY: 189 case EAGAIN: 190 fetchLastErrCode = FETCH_TEMP; 191 break; 192 case EEXIST: 193 fetchLastErrCode = FETCH_EXISTS; 194 break; 195 case ENOSPC: 196 fetchLastErrCode = FETCH_FULL; 197 break; 198 case EADDRINUSE: 199 case EADDRNOTAVAIL: 200 case ENETDOWN: 201 case ENETUNREACH: 202 case ENETRESET: 203 case EHOSTUNREACH: 204 fetchLastErrCode = FETCH_NETWORK; 205 break; 206 case ECONNABORTED: 207 case ECONNRESET: 208 fetchLastErrCode = FETCH_ABORT; 209 break; 210 case ETIMEDOUT: 211 fetchLastErrCode = FETCH_TIMEOUT; 212 break; 213 case ECONNREFUSED: 214 case EHOSTDOWN: 215 fetchLastErrCode = FETCH_DOWN; 216 break; 217 default: 218 fetchLastErrCode = FETCH_UNKNOWN; 219 } 220 snprintf(fetchLastErrString, MAXERRSTRING, "%s", strerror(errno)); 221 } 222 223 224 /* 225 * Emit status message 226 */ 227 void 228 fetch_info(const char *fmt, ...) 229 { 230 va_list ap; 231 232 va_start(ap, fmt); 233 vfprintf(stderr, fmt, ap); 234 va_end(ap); 235 fputc('\n', stderr); 236 } 237 238 239 /*** Network-related utility functions ***************************************/ 240 241 /* 242 * Return the default port for a scheme 243 */ 244 int 245 fetch_default_port(const char *scheme) 246 { 247 struct servent *se; 248 249 if ((se = getservbyname(scheme, "tcp")) != NULL) 250 return (ntohs(se->s_port)); 251 if (strcmp(scheme, SCHEME_FTP) == 0) 252 return (FTP_DEFAULT_PORT); 253 if (strcmp(scheme, SCHEME_HTTP) == 0) 254 return (HTTP_DEFAULT_PORT); 255 return (0); 256 } 257 258 /* 259 * Return the default proxy port for a scheme 260 */ 261 int 262 fetch_default_proxy_port(const char *scheme) 263 { 264 if (strcmp(scheme, SCHEME_FTP) == 0) 265 return (FTP_DEFAULT_PROXY_PORT); 266 if (strcmp(scheme, SCHEME_HTTP) == 0) 267 return (HTTP_DEFAULT_PROXY_PORT); 268 return (0); 269 } 270 271 272 /* 273 * Create a connection for an existing descriptor. 274 */ 275 conn_t * 276 fetch_reopen(int sd) 277 { 278 conn_t *conn; 279 int opt = 1; 280 281 /* allocate and fill connection structure */ 282 if ((conn = calloc(1, sizeof(*conn))) == NULL) 283 return (NULL); 284 fcntl(sd, F_SETFD, FD_CLOEXEC); 285 setsockopt(sd, SOL_SOCKET, SO_NOSIGPIPE, &opt, sizeof opt); 286 conn->sd = sd; 287 ++conn->ref; 288 return (conn); 289 } 290 291 292 /* 293 * Bump a connection's reference count. 294 */ 295 conn_t * 296 fetch_ref(conn_t *conn) 297 { 298 299 ++conn->ref; 300 return (conn); 301 } 302 303 304 /* 305 * Resolve an address 306 */ 307 struct addrinfo * 308 fetch_resolve(const char *addr, int port, int af) 309 { 310 char hbuf[256], sbuf[8]; 311 struct addrinfo hints, *res; 312 const char *hb, *he, *sep; 313 const char *host, *service; 314 int err, len; 315 316 /* first, check for a bracketed IPv6 address */ 317 if (*addr == '[') { 318 hb = addr + 1; 319 if ((sep = strchr(hb, ']')) == NULL) { 320 errno = EINVAL; 321 goto syserr; 322 } 323 he = sep++; 324 } else { 325 hb = addr; 326 sep = strchrnul(hb, ':'); 327 he = sep; 328 } 329 330 /* see if we need to copy the host name */ 331 if (*he != '\0') { 332 len = snprintf(hbuf, sizeof(hbuf), 333 "%.*s", (int)(he - hb), hb); 334 if (len < 0) 335 goto syserr; 336 if (len >= (int)sizeof(hbuf)) { 337 errno = ENAMETOOLONG; 338 goto syserr; 339 } 340 host = hbuf; 341 } else { 342 host = hb; 343 } 344 345 /* was it followed by a service name? */ 346 if (*sep == '\0' && port != 0) { 347 if (port < 1 || port > 65535) { 348 errno = EINVAL; 349 goto syserr; 350 } 351 if (snprintf(sbuf, sizeof(sbuf), "%d", port) < 0) 352 goto syserr; 353 service = sbuf; 354 } else if (*sep != '\0') { 355 service = sep + 1; 356 } else { 357 service = NULL; 358 } 359 360 /* resolve */ 361 memset(&hints, 0, sizeof(hints)); 362 hints.ai_family = af; 363 hints.ai_socktype = SOCK_STREAM; 364 hints.ai_flags = AI_ADDRCONFIG; 365 if ((err = getaddrinfo(host, service, &hints, &res)) != 0) { 366 netdb_seterr(err); 367 return (NULL); 368 } 369 return (res); 370 syserr: 371 fetch_syserr(); 372 return (NULL); 373 } 374 375 376 /* 377 * Bind a socket to a specific local address 378 */ 379 int 380 fetch_bind(int sd, int af, const char *addr) 381 { 382 struct addrinfo *cliai, *ai; 383 int err; 384 385 if ((cliai = fetch_resolve(addr, 0, af)) == NULL) 386 return (-1); 387 for (ai = cliai; ai != NULL; ai = ai->ai_next) 388 if ((err = bind(sd, ai->ai_addr, ai->ai_addrlen)) == 0) 389 break; 390 if (err != 0) 391 fetch_syserr(); 392 freeaddrinfo(cliai); 393 return (err == 0 ? 0 : -1); 394 } 395 396 397 /* 398 * SOCKS5 connection initiation, based on RFC 1928 399 * Default DNS resolution over SOCKS5 400 */ 401 int 402 fetch_socks5_init(conn_t *conn, const char *host, int port, int verbose) 403 { 404 /* 405 * Size is based on largest packet prefix (4 bytes) + 406 * Largest FQDN (256) + one byte size (1) + 407 * Port (2) 408 */ 409 unsigned char buf[BUFF_SIZE]; 410 unsigned char *ptr; 411 int ret = 1; 412 413 if (verbose) 414 fetch_info("Initializing SOCKS5 connection: %s:%d", host, port); 415 416 /* Connection initialization */ 417 ptr = buf; 418 *ptr++ = SOCKS_VERSION_5; 419 *ptr++ = SOCKS_CONNECTION; 420 *ptr++ = SOCKS_RSV; 421 422 if (fetch_write(conn, buf, 3) != 3) { 423 ret = SOCKS5_ERR_SELECTION; 424 goto fail; 425 } 426 427 /* Verify response from SOCKS5 server */ 428 if (fetch_read(conn, buf, 2) != 2) { 429 ret = SOCKS5_ERR_READ_METHOD; 430 goto fail; 431 } 432 433 ptr = buf; 434 if (ptr[0] != SOCKS_VERSION_5) { 435 ret = SOCKS5_ERR_VER5_ONLY; 436 goto fail; 437 } 438 if (ptr[1] == SOCKS_NOMETHODS) { 439 ret = SOCKS5_ERR_NOMETHODS; 440 goto fail; 441 } 442 else if (ptr[1] != SOCKS5_NOTIMPLEMENTED) { 443 ret = SOCKS5_ERR_NOTIMPLEMENTED; 444 goto fail; 445 } 446 447 /* Send Request */ 448 *ptr++ = SOCKS_VERSION_5; 449 *ptr++ = SOCKS_CONNECTION; 450 *ptr++ = SOCKS_RSV; 451 /* Encode all targets as a hostname to avoid DNS leaks */ 452 *ptr++ = SOCKS_ATYP_DOMAINNAME; 453 if (strlen(host) > FQDN_SIZE) { 454 ret = SOCKS5_ERR_HOSTNAME_SIZE; 455 goto fail; 456 } 457 *ptr++ = strlen(host); 458 strncpy(ptr, host, strlen(host)); 459 ptr = ptr + strlen(host); 460 461 port = htons(port); 462 *ptr++ = port & 0x00ff; 463 *ptr++ = (port & 0xff00) >> 8; 464 465 if (fetch_write(conn, buf, ptr - buf) != ptr - buf) { 466 ret = SOCKS5_ERR_REQUEST; 467 goto fail; 468 } 469 470 /* BND.ADDR is variable length, read the largest on non-blocking socket */ 471 if (!fetch_read(conn, buf, BUFF_SIZE)) { 472 ret = SOCKS5_ERR_REPLY; 473 goto fail; 474 } 475 476 ptr = buf; 477 if (*ptr++ != SOCKS_VERSION_5) { 478 ret = SOCKS5_ERR_NON_VER5_RESP; 479 goto fail; 480 } 481 482 switch(*ptr++) { 483 case SOCKS_SUCCESS: 484 break; 485 case SOCKS_GENERAL_FAILURE: 486 ret = SOCKS5_ERR_GENERAL; 487 goto fail; 488 case SOCKS_CONNECTION_NOT_ALLOWED: 489 ret = SOCKS5_ERR_NOT_ALLOWED; 490 goto fail; 491 case SOCKS_NETWORK_UNREACHABLE: 492 ret = SOCKS5_ERR_NET_UNREACHABLE; 493 goto fail; 494 case SOCKS_HOST_UNREACHABLE: 495 ret = SOCKS5_ERR_HOST_UNREACHABLE; 496 goto fail; 497 case SOCKS_CONNECTION_REFUSED: 498 ret = SOCKS5_ERR_CONN_REFUSED; 499 goto fail; 500 case SOCKS_TTL_EXPIRED: 501 ret = SOCKS5_ERR_TTL_EXPIRED; 502 goto fail; 503 case SOCKS_COMMAND_NOT_SUPPORTED: 504 ret = SOCKS5_ERR_COM_UNSUPPORTED; 505 goto fail; 506 case SOCKS_ADDRESS_NOT_SUPPORTED: 507 ret = SOCKS5_ERR_ADDR_UNSUPPORTED; 508 goto fail; 509 default: 510 ret = SOCKS5_ERR_UNSPECIFIED; 511 goto fail; 512 } 513 514 return (ret); 515 516 fail: 517 socks5_seterr(ret); 518 return (0); 519 } 520 521 /* 522 * Perform SOCKS5 initialization 523 */ 524 int 525 fetch_socks5_getenv(char **host, int *port) 526 { 527 char *socks5env, *endptr, *ext; 528 const char *portDelim; 529 size_t slen; 530 531 portDelim = ":"; 532 if ((socks5env = getenv("SOCKS5_PROXY")) == NULL || *socks5env == '\0') { 533 *host = NULL; 534 *port = -1; 535 return (-1); 536 } 537 538 /* 539 * IPv6 addresses begin and end in brackets. Set the port delimiter 540 * accordingly and search for it so we can do appropriate validation. 541 */ 542 if (socks5env[0] == '[') 543 portDelim = "]:"; 544 545 slen = strlen(socks5env); 546 ext = strstr(socks5env, portDelim); 547 if (socks5env[0] == '[') { 548 if (socks5env[slen - 1] == ']') { 549 *host = strndup(socks5env, slen); 550 } else if (ext != NULL) { 551 *host = strndup(socks5env, ext - socks5env + 1); 552 } else { 553 socks5_seterr(SOCKS5_ERR_BAD_PROXY_FORMAT); 554 return (0); 555 } 556 } else { 557 *host = strndup(socks5env, ext - socks5env); 558 } 559 560 if (*host == NULL) { 561 fprintf(stderr, "Failure to allocate memory, exiting.\n"); 562 return (-1); 563 } 564 if (ext == NULL) { 565 *port = 1080; /* Default port as defined in RFC1928 */ 566 } else { 567 ext += strlen(portDelim); 568 errno = 0; 569 *port = strtoimax(ext, (char **)&endptr, 10); 570 if (*endptr != '\0' || errno != 0 || *port < 0 || 571 *port > 65535) { 572 free(*host); 573 *host = NULL; 574 socks5_seterr(SOCKS5_ERR_BAD_PORT); 575 return (0); 576 } 577 } 578 579 return (2); 580 } 581 582 583 /* 584 * Establish a TCP connection to the specified port on the specified host. 585 */ 586 conn_t * 587 fetch_connect(const char *host, int port, int af, int verbose) 588 { 589 struct addrinfo *cais = NULL, *sais = NULL, *cai, *sai; 590 const char *bindaddr; 591 conn_t *conn = NULL; 592 int err = 0, sd = -1; 593 char *sockshost; 594 int socksport; 595 596 DEBUGF("---> %s:%d\n", host, port); 597 598 /* 599 * Check if SOCKS5_PROXY env variable is set. fetch_socks5_getenv 600 * will either set sockshost = NULL or allocate memory in all cases. 601 */ 602 sockshost = NULL; 603 if (!fetch_socks5_getenv(&sockshost, &socksport)) 604 goto fail; 605 606 /* Not using SOCKS5 proxy */ 607 if (sockshost == NULL) { 608 /* resolve server address */ 609 if (verbose) 610 fetch_info("resolving server address: %s:%d", host, 611 port); 612 if ((sais = fetch_resolve(host, port, af)) == NULL) 613 goto fail; 614 615 /* resolve client address */ 616 bindaddr = getenv("FETCH_BIND_ADDRESS"); 617 if (bindaddr != NULL && *bindaddr != '\0') { 618 if (verbose) 619 fetch_info("resolving client address: %s", 620 bindaddr); 621 if ((cais = fetch_resolve(bindaddr, 0, af)) == NULL) 622 goto fail; 623 } 624 } else { 625 /* resolve socks5 proxy address */ 626 if (verbose) 627 fetch_info("resolving SOCKS5 server address: %s:%d", 628 sockshost, socksport); 629 if ((sais = fetch_resolve(sockshost, socksport, af)) == NULL) { 630 socks5_seterr(SOCKS5_ERR_BAD_HOST); 631 goto fail; 632 } 633 } 634 635 /* try each server address in turn */ 636 for (err = 0, sai = sais; sai != NULL; sai = sai->ai_next) { 637 /* open socket */ 638 if ((sd = socket(sai->ai_family, SOCK_STREAM, 0)) < 0) 639 goto syserr; 640 /* attempt to bind to client address */ 641 for (err = 0, cai = cais; cai != NULL; cai = cai->ai_next) { 642 if (cai->ai_family != sai->ai_family) 643 continue; 644 if ((err = bind(sd, cai->ai_addr, cai->ai_addrlen)) == 0) 645 break; 646 } 647 if (err != 0) { 648 if (verbose) 649 fetch_info("failed to bind to %s", bindaddr); 650 goto syserr; 651 } 652 /* attempt to connect to server address */ 653 if ((err = connect(sd, sai->ai_addr, sai->ai_addrlen)) == 0) 654 break; 655 /* clean up before next attempt */ 656 close(sd); 657 sd = -1; 658 } 659 if (err != 0) { 660 if (verbose && sockshost == NULL) { 661 fetch_info("failed to connect to %s:%d", host, port); 662 goto syserr; 663 } else if (sockshost != NULL) { 664 if (verbose) 665 fetch_info( 666 "failed to connect to SOCKS5 server %s:%d", 667 sockshost, socksport); 668 socks5_seterr(SOCKS5_ERR_CONN_REFUSED); 669 goto fail; 670 } 671 goto syserr; 672 } 673 674 if ((conn = fetch_reopen(sd)) == NULL) 675 goto syserr; 676 677 if (sockshost) 678 if (!fetch_socks5_init(conn, host, port, verbose)) 679 goto fail; 680 free(sockshost); 681 if (cais != NULL) 682 freeaddrinfo(cais); 683 if (sais != NULL) 684 freeaddrinfo(sais); 685 return (conn); 686 syserr: 687 fetch_syserr(); 688 fail: 689 free(sockshost); 690 /* Fully close if it was opened; otherwise just don't leak the fd. */ 691 if (conn != NULL) 692 fetch_close(conn); 693 else if (sd >= 0) 694 close(sd); 695 if (cais != NULL) 696 freeaddrinfo(cais); 697 if (sais != NULL) 698 freeaddrinfo(sais); 699 return (NULL); 700 } 701 702 #ifdef WITH_SSL 703 /* 704 * Convert characters A-Z to lowercase (intentionally avoid any locale 705 * specific conversions). 706 */ 707 static char 708 fetch_ssl_tolower(char in) 709 { 710 if (in >= 'A' && in <= 'Z') 711 return (in + 32); 712 else 713 return (in); 714 } 715 716 /* 717 * isalpha implementation that intentionally avoids any locale specific 718 * conversions. 719 */ 720 static int 721 fetch_ssl_isalpha(char in) 722 { 723 return ((in >= 'A' && in <= 'Z') || (in >= 'a' && in <= 'z')); 724 } 725 726 /* 727 * Check if passed hostnames a and b are equal. 728 */ 729 static int 730 fetch_ssl_hname_equal(const char *a, size_t alen, const char *b, 731 size_t blen) 732 { 733 size_t i; 734 735 if (alen != blen) 736 return (0); 737 for (i = 0; i < alen; ++i) { 738 if (fetch_ssl_tolower(a[i]) != fetch_ssl_tolower(b[i])) 739 return (0); 740 } 741 return (1); 742 } 743 744 /* 745 * Check if domain label is traditional, meaning that only A-Z, a-z, 0-9 746 * and '-' (hyphen) are allowed. Hyphens have to be surrounded by alpha- 747 * numeric characters. Double hyphens (like they're found in IDN a-labels 748 * 'xn--') are not allowed. Empty labels are invalid. 749 */ 750 static int 751 fetch_ssl_is_trad_domain_label(const char *l, size_t len, int wcok) 752 { 753 size_t i; 754 755 if (!len || l[0] == '-' || l[len-1] == '-') 756 return (0); 757 for (i = 0; i < len; ++i) { 758 if (!isdigit(l[i]) && 759 !fetch_ssl_isalpha(l[i]) && 760 !(l[i] == '*' && wcok) && 761 !(l[i] == '-' && l[i - 1] != '-')) 762 return (0); 763 } 764 return (1); 765 } 766 767 /* 768 * Check if host name consists only of numbers. This might indicate an IP 769 * address, which is not a good idea for CN wildcard comparison. 770 */ 771 static int 772 fetch_ssl_hname_is_only_numbers(const char *hostname, size_t len) 773 { 774 size_t i; 775 776 for (i = 0; i < len; ++i) { 777 if (!((hostname[i] >= '0' && hostname[i] <= '9') || 778 hostname[i] == '.')) 779 return (0); 780 } 781 return (1); 782 } 783 784 /* 785 * Check if the host name h passed matches the pattern passed in m which 786 * is usually part of subjectAltName or CN of a certificate presented to 787 * the client. This includes wildcard matching. The algorithm is based on 788 * RFC6125, sections 6.4.3 and 7.2, which clarifies RFC2818 and RFC3280. 789 */ 790 static int 791 fetch_ssl_hname_match(const char *h, size_t hlen, const char *m, 792 size_t mlen) 793 { 794 int delta, hdotidx, mdot1idx, wcidx; 795 const char *hdot, *mdot1, *mdot2; 796 const char *wc; /* wildcard */ 797 798 if (!(h && *h && m && *m)) 799 return (0); 800 if ((wc = strnstr(m, "*", mlen)) == NULL) 801 return (fetch_ssl_hname_equal(h, hlen, m, mlen)); 802 wcidx = wc - m; 803 /* hostname should not be just dots and numbers */ 804 if (fetch_ssl_hname_is_only_numbers(h, hlen)) 805 return (0); 806 /* only one wildcard allowed in pattern */ 807 if (strnstr(wc + 1, "*", mlen - wcidx - 1) != NULL) 808 return (0); 809 /* 810 * there must be at least two more domain labels and 811 * wildcard has to be in the leftmost label (RFC6125) 812 */ 813 mdot1 = strnstr(m, ".", mlen); 814 if (mdot1 == NULL || mdot1 < wc || (mlen - (mdot1 - m)) < 4) 815 return (0); 816 mdot1idx = mdot1 - m; 817 mdot2 = strnstr(mdot1 + 1, ".", mlen - mdot1idx - 1); 818 if (mdot2 == NULL || (mlen - (mdot2 - m)) < 2) 819 return (0); 820 /* hostname must contain a dot and not be the 1st char */ 821 hdot = strnstr(h, ".", hlen); 822 if (hdot == NULL || hdot == h) 823 return (0); 824 hdotidx = hdot - h; 825 /* 826 * host part of hostname must be at least as long as 827 * pattern it's supposed to match 828 */ 829 if (hdotidx < mdot1idx) 830 return (0); 831 /* 832 * don't allow wildcards in non-traditional domain names 833 * (IDN, A-label, U-label...) 834 */ 835 if (!fetch_ssl_is_trad_domain_label(h, hdotidx, 0) || 836 !fetch_ssl_is_trad_domain_label(m, mdot1idx, 1)) 837 return (0); 838 /* match domain part (part after first dot) */ 839 if (!fetch_ssl_hname_equal(hdot, hlen - hdotidx, mdot1, 840 mlen - mdot1idx)) 841 return (0); 842 /* match part left of wildcard */ 843 if (!fetch_ssl_hname_equal(h, wcidx, m, wcidx)) 844 return (0); 845 /* match part right of wildcard */ 846 delta = mdot1idx - wcidx - 1; 847 if (!fetch_ssl_hname_equal(hdot - delta, delta, 848 mdot1 - delta, delta)) 849 return (0); 850 /* all tests succeeded, it's a match */ 851 return (1); 852 } 853 854 /* 855 * Get numeric host address info - returns NULL if host was not an IP 856 * address. The caller is responsible for deallocation using 857 * freeaddrinfo(3). 858 */ 859 static struct addrinfo * 860 fetch_ssl_get_numeric_addrinfo(const char *hostname, size_t len) 861 { 862 struct addrinfo hints, *res; 863 char *host; 864 865 host = (char *)malloc(len + 1); 866 memcpy(host, hostname, len); 867 host[len] = '\0'; 868 memset(&hints, 0, sizeof(hints)); 869 hints.ai_family = PF_UNSPEC; 870 hints.ai_socktype = SOCK_STREAM; 871 hints.ai_protocol = 0; 872 hints.ai_flags = AI_NUMERICHOST; 873 /* port is not relevant for this purpose */ 874 if (getaddrinfo(host, "443", &hints, &res) != 0) 875 res = NULL; 876 free(host); 877 return res; 878 } 879 880 /* 881 * Compare ip address in addrinfo with address passes. 882 */ 883 static int 884 fetch_ssl_ipaddr_match_bin(const struct addrinfo *lhost, const char *rhost, 885 size_t rhostlen) 886 { 887 const void *left; 888 889 if (lhost->ai_family == AF_INET && rhostlen == 4) { 890 left = (void *)&((struct sockaddr_in*)(void *) 891 lhost->ai_addr)->sin_addr.s_addr; 892 #ifdef INET6 893 } else if (lhost->ai_family == AF_INET6 && rhostlen == 16) { 894 left = (void *)&((struct sockaddr_in6 *)(void *) 895 lhost->ai_addr)->sin6_addr; 896 #endif 897 } else 898 return (0); 899 return (!memcmp(left, (const void *)rhost, rhostlen) ? 1 : 0); 900 } 901 902 /* 903 * Compare ip address in addrinfo with host passed. If host is not an IP 904 * address, comparison will fail. 905 */ 906 static int 907 fetch_ssl_ipaddr_match(const struct addrinfo *laddr, const char *r, 908 size_t rlen) 909 { 910 struct addrinfo *raddr; 911 int ret; 912 char *rip; 913 914 ret = 0; 915 if ((raddr = fetch_ssl_get_numeric_addrinfo(r, rlen)) == NULL) 916 return 0; /* not a numeric host */ 917 918 if (laddr->ai_family == raddr->ai_family) { 919 if (laddr->ai_family == AF_INET) { 920 rip = (char *)&((struct sockaddr_in *)(void *) 921 raddr->ai_addr)->sin_addr.s_addr; 922 ret = fetch_ssl_ipaddr_match_bin(laddr, rip, 4); 923 #ifdef INET6 924 } else if (laddr->ai_family == AF_INET6) { 925 rip = (char *)&((struct sockaddr_in6 *)(void *) 926 raddr->ai_addr)->sin6_addr; 927 ret = fetch_ssl_ipaddr_match_bin(laddr, rip, 16); 928 #endif 929 } 930 931 } 932 freeaddrinfo(raddr); 933 return (ret); 934 } 935 936 /* 937 * Verify server certificate by subjectAltName. 938 */ 939 static int 940 fetch_ssl_verify_altname(STACK_OF(GENERAL_NAME) *altnames, 941 const char *host, struct addrinfo *ip) 942 { 943 const GENERAL_NAME *name; 944 size_t nslen; 945 int i; 946 const char *ns; 947 948 for (i = 0; i < sk_GENERAL_NAME_num(altnames); ++i) { 949 #if OPENSSL_VERSION_NUMBER < 0x10000000L 950 /* 951 * This is a workaround, since the following line causes 952 * alignment issues in clang: 953 * name = sk_GENERAL_NAME_value(altnames, i); 954 * OpenSSL explicitly warns not to use those macros 955 * directly, but there isn't much choice (and there 956 * shouldn't be any ill side effects) 957 */ 958 name = (GENERAL_NAME *)SKM_sk_value(void, altnames, i); 959 #else 960 name = sk_GENERAL_NAME_value(altnames, i); 961 #endif 962 #if OPENSSL_VERSION_NUMBER < 0x10100000L 963 ns = (const char *)ASN1_STRING_data(name->d.ia5); 964 #else 965 ns = (const char *)ASN1_STRING_get0_data(name->d.ia5); 966 #endif 967 nslen = (size_t)ASN1_STRING_length(name->d.ia5); 968 969 if (name->type == GEN_DNS && ip == NULL && 970 fetch_ssl_hname_match(host, strlen(host), ns, nslen)) 971 return (1); 972 else if (name->type == GEN_IPADD && ip != NULL && 973 fetch_ssl_ipaddr_match_bin(ip, ns, nslen)) 974 return (1); 975 } 976 return (0); 977 } 978 979 /* 980 * Verify server certificate by CN. 981 */ 982 static int 983 fetch_ssl_verify_cn(X509_NAME *subject, const char *host, 984 struct addrinfo *ip) 985 { 986 ASN1_STRING *namedata; 987 X509_NAME_ENTRY *nameentry; 988 int cnlen, lastpos, loc, ret; 989 unsigned char *cn; 990 991 ret = 0; 992 lastpos = -1; 993 loc = -1; 994 cn = NULL; 995 /* get most specific CN (last entry in list) and compare */ 996 while ((lastpos = X509_NAME_get_index_by_NID(subject, 997 NID_commonName, lastpos)) != -1) 998 loc = lastpos; 999 1000 if (loc > -1) { 1001 nameentry = X509_NAME_get_entry(subject, loc); 1002 namedata = X509_NAME_ENTRY_get_data(nameentry); 1003 cnlen = ASN1_STRING_to_UTF8(&cn, namedata); 1004 if (ip == NULL && 1005 fetch_ssl_hname_match(host, strlen(host), cn, cnlen)) 1006 ret = 1; 1007 else if (ip != NULL && fetch_ssl_ipaddr_match(ip, cn, cnlen)) 1008 ret = 1; 1009 OPENSSL_free(cn); 1010 } 1011 return (ret); 1012 } 1013 1014 /* 1015 * Verify that server certificate subjectAltName/CN matches 1016 * hostname. First check, if there are alternative subject names. If yes, 1017 * those have to match. Only if those don't exist it falls back to 1018 * checking the subject's CN. 1019 */ 1020 static int 1021 fetch_ssl_verify_hname(X509 *cert, const char *host) 1022 { 1023 struct addrinfo *ip; 1024 STACK_OF(GENERAL_NAME) *altnames; 1025 X509_NAME *subject; 1026 int ret; 1027 1028 ret = 0; 1029 ip = fetch_ssl_get_numeric_addrinfo(host, strlen(host)); 1030 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, 1031 NULL, NULL); 1032 1033 if (altnames != NULL) { 1034 ret = fetch_ssl_verify_altname(altnames, host, ip); 1035 } else { 1036 subject = X509_get_subject_name(cert); 1037 if (subject != NULL) 1038 ret = fetch_ssl_verify_cn(subject, host, ip); 1039 } 1040 1041 if (ip != NULL) 1042 freeaddrinfo(ip); 1043 if (altnames != NULL) 1044 GENERAL_NAMES_free(altnames); 1045 return (ret); 1046 } 1047 1048 /* 1049 * Configure transport security layer based on environment. 1050 */ 1051 static void 1052 fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) 1053 { 1054 long ssl_ctx_options; 1055 1056 ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET; 1057 if (getenv("SSL_ALLOW_SSL3") == NULL) 1058 ssl_ctx_options |= SSL_OP_NO_SSLv3; 1059 if (getenv("SSL_NO_TLS1") != NULL) 1060 ssl_ctx_options |= SSL_OP_NO_TLSv1; 1061 if (getenv("SSL_NO_TLS1_1") != NULL) 1062 ssl_ctx_options |= SSL_OP_NO_TLSv1_1; 1063 if (getenv("SSL_NO_TLS1_2") != NULL) 1064 ssl_ctx_options |= SSL_OP_NO_TLSv1_2; 1065 if (verbose) 1066 fetch_info("SSL options: %lx", ssl_ctx_options); 1067 SSL_CTX_set_options(ctx, ssl_ctx_options); 1068 } 1069 1070 1071 /* 1072 * Configure peer verification based on environment. 1073 */ 1074 #define LOCAL_CERT_FILE "/usr/local/etc/ssl/cert.pem" 1075 #define BASE_CERT_FILE "/etc/ssl/cert.pem" 1076 static int 1077 fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) 1078 { 1079 X509_LOOKUP *crl_lookup; 1080 X509_STORE *crl_store; 1081 const char *ca_cert_file, *ca_cert_path, *crl_file; 1082 1083 if (getenv("SSL_NO_VERIFY_PEER") == NULL) { 1084 ca_cert_file = getenv("SSL_CA_CERT_FILE"); 1085 if (ca_cert_file == NULL && 1086 access(LOCAL_CERT_FILE, R_OK) == 0) 1087 ca_cert_file = LOCAL_CERT_FILE; 1088 if (ca_cert_file == NULL && 1089 access(BASE_CERT_FILE, R_OK) == 0) 1090 ca_cert_file = BASE_CERT_FILE; 1091 ca_cert_path = getenv("SSL_CA_CERT_PATH"); 1092 if (verbose) { 1093 fetch_info("Peer verification enabled"); 1094 if (ca_cert_file != NULL) 1095 fetch_info("Using CA cert file: %s", 1096 ca_cert_file); 1097 if (ca_cert_path != NULL) 1098 fetch_info("Using CA cert path: %s", 1099 ca_cert_path); 1100 if (ca_cert_file == NULL && ca_cert_path == NULL) 1101 fetch_info("Using OpenSSL default " 1102 "CA cert file and path"); 1103 } 1104 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 1105 fetch_ssl_cb_verify_crt); 1106 if (ca_cert_file != NULL || ca_cert_path != NULL) 1107 SSL_CTX_load_verify_locations(ctx, ca_cert_file, 1108 ca_cert_path); 1109 else 1110 SSL_CTX_set_default_verify_paths(ctx); 1111 if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) { 1112 if (verbose) 1113 fetch_info("Using CRL file: %s", crl_file); 1114 crl_store = SSL_CTX_get_cert_store(ctx); 1115 crl_lookup = X509_STORE_add_lookup(crl_store, 1116 X509_LOOKUP_file()); 1117 if (crl_lookup == NULL || 1118 !X509_load_crl_file(crl_lookup, crl_file, 1119 X509_FILETYPE_PEM)) { 1120 fprintf(stderr, 1121 "Could not load CRL file %s\n", 1122 crl_file); 1123 return (0); 1124 } 1125 X509_STORE_set_flags(crl_store, 1126 X509_V_FLAG_CRL_CHECK | 1127 X509_V_FLAG_CRL_CHECK_ALL); 1128 } 1129 } 1130 return (1); 1131 } 1132 1133 /* 1134 * Configure client certificate based on environment. 1135 */ 1136 static int 1137 fetch_ssl_setup_client_certificate(SSL_CTX *ctx, int verbose) 1138 { 1139 const char *client_cert_file, *client_key_file; 1140 1141 if ((client_cert_file = getenv("SSL_CLIENT_CERT_FILE")) != NULL) { 1142 client_key_file = getenv("SSL_CLIENT_KEY_FILE") != NULL ? 1143 getenv("SSL_CLIENT_KEY_FILE") : client_cert_file; 1144 if (verbose) { 1145 fetch_info("Using client cert file: %s", 1146 client_cert_file); 1147 fetch_info("Using client key file: %s", 1148 client_key_file); 1149 } 1150 if (SSL_CTX_use_certificate_chain_file(ctx, 1151 client_cert_file) != 1) { 1152 fprintf(stderr, 1153 "Could not load client certificate %s\n", 1154 client_cert_file); 1155 return (0); 1156 } 1157 if (SSL_CTX_use_PrivateKey_file(ctx, client_key_file, 1158 SSL_FILETYPE_PEM) != 1) { 1159 fprintf(stderr, 1160 "Could not load client key %s\n", 1161 client_key_file); 1162 return (0); 1163 } 1164 } 1165 return (1); 1166 } 1167 1168 /* 1169 * Callback for SSL certificate verification, this is called on server 1170 * cert verification. It takes no decision, but informs the user in case 1171 * verification failed. 1172 */ 1173 int 1174 fetch_ssl_cb_verify_crt(int verified, X509_STORE_CTX *ctx) 1175 { 1176 X509 *crt; 1177 X509_NAME *name; 1178 char *str; 1179 1180 str = NULL; 1181 if (!verified) { 1182 if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL && 1183 (name = X509_get_subject_name(crt)) != NULL) 1184 str = X509_NAME_oneline(name, 0, 0); 1185 fprintf(stderr, "Certificate verification failed for %s\n", 1186 str != NULL ? str : "no relevant certificate"); 1187 OPENSSL_free(str); 1188 } 1189 return (verified); 1190 } 1191 1192 #endif 1193 1194 /* 1195 * Enable SSL on a connection. 1196 */ 1197 int 1198 fetch_ssl(conn_t *conn, const struct url *URL, int verbose) 1199 { 1200 #ifdef WITH_SSL 1201 int ret, ssl_err; 1202 X509_NAME *name; 1203 char *str; 1204 1205 /* Init the SSL library and context */ 1206 if (!SSL_library_init()){ 1207 fprintf(stderr, "SSL library init failed\n"); 1208 return (-1); 1209 } 1210 1211 SSL_load_error_strings(); 1212 1213 conn->ssl_meth = SSLv23_client_method(); 1214 conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth); 1215 SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY); 1216 1217 fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose); 1218 if (!fetch_ssl_setup_peer_verification(conn->ssl_ctx, verbose)) 1219 return (-1); 1220 if (!fetch_ssl_setup_client_certificate(conn->ssl_ctx, verbose)) 1221 return (-1); 1222 1223 conn->ssl = SSL_new(conn->ssl_ctx); 1224 if (conn->ssl == NULL) { 1225 fprintf(stderr, "SSL context creation failed\n"); 1226 return (-1); 1227 } 1228 SSL_set_fd(conn->ssl, conn->sd); 1229 1230 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) 1231 if (!SSL_set_tlsext_host_name(conn->ssl, 1232 __DECONST(struct url *, URL)->host)) { 1233 fprintf(stderr, 1234 "TLS server name indication extension failed for host %s\n", 1235 URL->host); 1236 return (-1); 1237 } 1238 #endif 1239 while ((ret = SSL_connect(conn->ssl)) == -1) { 1240 ssl_err = SSL_get_error(conn->ssl, ret); 1241 if (ssl_err != SSL_ERROR_WANT_READ && 1242 ssl_err != SSL_ERROR_WANT_WRITE) { 1243 ERR_print_errors_fp(stderr); 1244 return (-1); 1245 } 1246 } 1247 conn->ssl_cert = SSL_get_peer_certificate(conn->ssl); 1248 1249 if (conn->ssl_cert == NULL) { 1250 fprintf(stderr, "No server SSL certificate\n"); 1251 return (-1); 1252 } 1253 1254 if (getenv("SSL_NO_VERIFY_HOSTNAME") == NULL) { 1255 if (verbose) 1256 fetch_info("Verify hostname"); 1257 if (!fetch_ssl_verify_hname(conn->ssl_cert, URL->host)) { 1258 fprintf(stderr, 1259 "SSL certificate subject doesn't match host %s\n", 1260 URL->host); 1261 return (-1); 1262 } 1263 } 1264 1265 if (verbose) { 1266 fetch_info("%s connection established using %s", 1267 SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl)); 1268 name = X509_get_subject_name(conn->ssl_cert); 1269 str = X509_NAME_oneline(name, 0, 0); 1270 fetch_info("Certificate subject: %s", str); 1271 OPENSSL_free(str); 1272 name = X509_get_issuer_name(conn->ssl_cert); 1273 str = X509_NAME_oneline(name, 0, 0); 1274 fetch_info("Certificate issuer: %s", str); 1275 OPENSSL_free(str); 1276 } 1277 1278 return (0); 1279 #else 1280 (void)conn; 1281 (void)verbose; 1282 (void)URL; 1283 fprintf(stderr, "SSL support disabled\n"); 1284 return (-1); 1285 #endif 1286 } 1287 1288 #define FETCH_READ_WAIT -2 1289 #define FETCH_READ_ERROR -1 1290 #define FETCH_READ_DONE 0 1291 1292 #ifdef WITH_SSL 1293 static ssize_t 1294 fetch_ssl_read(SSL *ssl, char *buf, size_t len) 1295 { 1296 ssize_t rlen; 1297 int ssl_err; 1298 1299 rlen = SSL_read(ssl, buf, len); 1300 if (rlen < 0) { 1301 ssl_err = SSL_get_error(ssl, rlen); 1302 if (ssl_err == SSL_ERROR_WANT_READ || 1303 ssl_err == SSL_ERROR_WANT_WRITE) { 1304 return (FETCH_READ_WAIT); 1305 } else { 1306 ERR_print_errors_fp(stderr); 1307 return (FETCH_READ_ERROR); 1308 } 1309 } 1310 return (rlen); 1311 } 1312 #endif 1313 1314 static ssize_t 1315 fetch_socket_read(int sd, char *buf, size_t len) 1316 { 1317 ssize_t rlen; 1318 1319 rlen = read(sd, buf, len); 1320 if (rlen < 0) { 1321 if (errno == EAGAIN || (errno == EINTR && fetchRestartCalls)) 1322 return (FETCH_READ_WAIT); 1323 else 1324 return (FETCH_READ_ERROR); 1325 } 1326 return (rlen); 1327 } 1328 1329 /* 1330 * Read a character from a connection w/ timeout 1331 */ 1332 ssize_t 1333 fetch_read(conn_t *conn, char *buf, size_t len) 1334 { 1335 struct timeval now, timeout, delta; 1336 struct pollfd pfd; 1337 ssize_t rlen; 1338 int deltams; 1339 1340 if (fetchTimeout > 0) { 1341 gettimeofday(&timeout, NULL); 1342 timeout.tv_sec += fetchTimeout; 1343 } 1344 1345 deltams = INFTIM; 1346 memset(&pfd, 0, sizeof pfd); 1347 pfd.fd = conn->sd; 1348 pfd.events = POLLIN | POLLERR; 1349 1350 for (;;) { 1351 /* 1352 * The socket is non-blocking. Instead of the canonical 1353 * poll() -> read(), we do the following: 1354 * 1355 * 1) call read() or SSL_read(). 1356 * 2) if we received some data, return it. 1357 * 3) if an error occurred, return -1. 1358 * 4) if read() or SSL_read() signaled EOF, return. 1359 * 5) if we did not receive any data but we're not at EOF, 1360 * call poll(). 1361 * 1362 * In the SSL case, this is necessary because if we 1363 * receive a close notification, we have to call 1364 * SSL_read() one additional time after we've read 1365 * everything we received. 1366 * 1367 * In the non-SSL case, it may improve performance (very 1368 * slightly) when reading small amounts of data. 1369 */ 1370 #ifdef WITH_SSL 1371 if (conn->ssl != NULL) 1372 rlen = fetch_ssl_read(conn->ssl, buf, len); 1373 else 1374 #endif 1375 rlen = fetch_socket_read(conn->sd, buf, len); 1376 if (rlen >= 0) { 1377 break; 1378 } else if (rlen == FETCH_READ_ERROR) { 1379 fetch_syserr(); 1380 return (-1); 1381 } 1382 // assert(rlen == FETCH_READ_WAIT); 1383 if (fetchTimeout > 0) { 1384 gettimeofday(&now, NULL); 1385 if (!timercmp(&timeout, &now, >)) { 1386 errno = ETIMEDOUT; 1387 fetch_syserr(); 1388 return (-1); 1389 } 1390 timersub(&timeout, &now, &delta); 1391 deltams = delta.tv_sec * 1000 + 1392 delta.tv_usec / 1000;; 1393 } 1394 errno = 0; 1395 pfd.revents = 0; 1396 if (poll(&pfd, 1, deltams) < 0) { 1397 if (errno == EINTR && fetchRestartCalls) 1398 continue; 1399 fetch_syserr(); 1400 return (-1); 1401 } 1402 } 1403 return (rlen); 1404 } 1405 1406 1407 /* 1408 * Read a line of text from a connection w/ timeout 1409 */ 1410 #define MIN_BUF_SIZE 1024 1411 1412 int 1413 fetch_getln(conn_t *conn) 1414 { 1415 char *tmp; 1416 size_t tmpsize; 1417 ssize_t len; 1418 char c; 1419 1420 if (conn->buf == NULL) { 1421 if ((conn->buf = malloc(MIN_BUF_SIZE)) == NULL) { 1422 errno = ENOMEM; 1423 return (-1); 1424 } 1425 conn->bufsize = MIN_BUF_SIZE; 1426 } 1427 1428 conn->buf[0] = '\0'; 1429 conn->buflen = 0; 1430 1431 do { 1432 len = fetch_read(conn, &c, 1); 1433 if (len == -1) 1434 return (-1); 1435 if (len == 0) 1436 break; 1437 conn->buf[conn->buflen++] = c; 1438 if (conn->buflen == conn->bufsize) { 1439 tmp = conn->buf; 1440 tmpsize = conn->bufsize * 2 + 1; 1441 if ((tmp = realloc(tmp, tmpsize)) == NULL) { 1442 errno = ENOMEM; 1443 return (-1); 1444 } 1445 conn->buf = tmp; 1446 conn->bufsize = tmpsize; 1447 } 1448 } while (c != '\n'); 1449 1450 conn->buf[conn->buflen] = '\0'; 1451 DEBUGF("<<< %s", conn->buf); 1452 return (0); 1453 } 1454 1455 1456 /* 1457 * Write to a connection w/ timeout 1458 */ 1459 ssize_t 1460 fetch_write(conn_t *conn, const char *buf, size_t len) 1461 { 1462 struct iovec iov; 1463 1464 iov.iov_base = __DECONST(char *, buf); 1465 iov.iov_len = len; 1466 return fetch_writev(conn, &iov, 1); 1467 } 1468 1469 /* 1470 * Write a vector to a connection w/ timeout 1471 * Note: can modify the iovec. 1472 */ 1473 ssize_t 1474 fetch_writev(conn_t *conn, struct iovec *iov, int iovcnt) 1475 { 1476 struct timeval now, timeout, delta; 1477 struct pollfd pfd; 1478 ssize_t wlen, total; 1479 int deltams; 1480 1481 memset(&pfd, 0, sizeof pfd); 1482 if (fetchTimeout) { 1483 pfd.fd = conn->sd; 1484 pfd.events = POLLOUT | POLLERR; 1485 gettimeofday(&timeout, NULL); 1486 timeout.tv_sec += fetchTimeout; 1487 } 1488 1489 total = 0; 1490 while (iovcnt > 0) { 1491 while (fetchTimeout && pfd.revents == 0) { 1492 gettimeofday(&now, NULL); 1493 if (!timercmp(&timeout, &now, >)) { 1494 errno = ETIMEDOUT; 1495 fetch_syserr(); 1496 return (-1); 1497 } 1498 timersub(&timeout, &now, &delta); 1499 deltams = delta.tv_sec * 1000 + 1500 delta.tv_usec / 1000; 1501 errno = 0; 1502 pfd.revents = 0; 1503 if (poll(&pfd, 1, deltams) < 0) { 1504 /* POSIX compliance */ 1505 if (errno == EAGAIN) 1506 continue; 1507 if (errno == EINTR && fetchRestartCalls) 1508 continue; 1509 return (-1); 1510 } 1511 } 1512 errno = 0; 1513 #ifdef WITH_SSL 1514 if (conn->ssl != NULL) 1515 wlen = SSL_write(conn->ssl, 1516 iov->iov_base, iov->iov_len); 1517 else 1518 #endif 1519 wlen = writev(conn->sd, iov, iovcnt); 1520 if (wlen == 0) { 1521 /* we consider a short write a failure */ 1522 /* XXX perhaps we shouldn't in the SSL case */ 1523 errno = EPIPE; 1524 fetch_syserr(); 1525 return (-1); 1526 } 1527 if (wlen < 0) { 1528 if (errno == EINTR && fetchRestartCalls) 1529 continue; 1530 return (-1); 1531 } 1532 total += wlen; 1533 while (iovcnt > 0 && wlen >= (ssize_t)iov->iov_len) { 1534 wlen -= iov->iov_len; 1535 iov++; 1536 iovcnt--; 1537 } 1538 if (iovcnt > 0) { 1539 iov->iov_len -= wlen; 1540 iov->iov_base = __DECONST(char *, iov->iov_base) + wlen; 1541 } 1542 } 1543 return (total); 1544 } 1545 1546 1547 /* 1548 * Write a line of text to a connection w/ timeout 1549 */ 1550 int 1551 fetch_putln(conn_t *conn, const char *str, size_t len) 1552 { 1553 struct iovec iov[2]; 1554 int ret; 1555 1556 DEBUGF(">>> %s\n", str); 1557 iov[0].iov_base = __DECONST(char *, str); 1558 iov[0].iov_len = len; 1559 iov[1].iov_base = __DECONST(char *, ENDL); 1560 iov[1].iov_len = sizeof(ENDL); 1561 if (len == 0) 1562 ret = fetch_writev(conn, &iov[1], 1); 1563 else 1564 ret = fetch_writev(conn, iov, 2); 1565 if (ret == -1) 1566 return (-1); 1567 return (0); 1568 } 1569 1570 1571 /* 1572 * Close connection 1573 */ 1574 int 1575 fetch_close(conn_t *conn) 1576 { 1577 int ret; 1578 1579 if (--conn->ref > 0) 1580 return (0); 1581 #ifdef WITH_SSL 1582 if (conn->ssl) { 1583 SSL_shutdown(conn->ssl); 1584 SSL_set_connect_state(conn->ssl); 1585 SSL_free(conn->ssl); 1586 conn->ssl = NULL; 1587 } 1588 if (conn->ssl_ctx) { 1589 SSL_CTX_free(conn->ssl_ctx); 1590 conn->ssl_ctx = NULL; 1591 } 1592 if (conn->ssl_cert) { 1593 X509_free(conn->ssl_cert); 1594 conn->ssl_cert = NULL; 1595 } 1596 #endif 1597 ret = close(conn->sd); 1598 free(conn->buf); 1599 free(conn); 1600 return (ret); 1601 } 1602 1603 1604 /*** Directory-related utility functions *************************************/ 1605 1606 int 1607 fetch_add_entry(struct url_ent **p, int *size, int *len, 1608 const char *name, struct url_stat *us) 1609 { 1610 struct url_ent *tmp; 1611 1612 if (*p == NULL) { 1613 *size = 0; 1614 *len = 0; 1615 } 1616 1617 if (*len >= *size - 1) { 1618 tmp = reallocarray(*p, *size * 2 + 1, sizeof(**p)); 1619 if (tmp == NULL) { 1620 errno = ENOMEM; 1621 fetch_syserr(); 1622 return (-1); 1623 } 1624 *size = (*size * 2 + 1); 1625 *p = tmp; 1626 } 1627 1628 tmp = *p + *len; 1629 snprintf(tmp->name, PATH_MAX, "%s", name); 1630 memcpy(&tmp->stat, us, sizeof(*us)); 1631 1632 (*len)++; 1633 (++tmp)->name[0] = 0; 1634 1635 return (0); 1636 } 1637 1638 1639 /*** Authentication-related utility functions ********************************/ 1640 1641 static const char * 1642 fetch_read_word(FILE *f) 1643 { 1644 static char word[1024]; 1645 1646 if (fscanf(f, " %1023s ", word) != 1) 1647 return (NULL); 1648 return (word); 1649 } 1650 1651 static int 1652 fetch_netrc_open(void) 1653 { 1654 struct passwd *pwd; 1655 char fn[PATH_MAX]; 1656 const char *p; 1657 int fd, serrno; 1658 1659 if ((p = getenv("NETRC")) != NULL) { 1660 DEBUGF("NETRC=%s\n", p); 1661 if (snprintf(fn, sizeof(fn), "%s", p) >= (int)sizeof(fn)) { 1662 fetch_info("$NETRC specifies a file name " 1663 "longer than PATH_MAX"); 1664 return (-1); 1665 } 1666 } else { 1667 if ((p = getenv("HOME")) == NULL) { 1668 if ((pwd = getpwuid(getuid())) == NULL || 1669 (p = pwd->pw_dir) == NULL) 1670 return (-1); 1671 } 1672 if (snprintf(fn, sizeof(fn), "%s/.netrc", p) >= (int)sizeof(fn)) 1673 return (-1); 1674 } 1675 1676 if ((fd = open(fn, O_RDONLY)) < 0) { 1677 serrno = errno; 1678 DEBUGF("%s: %s\n", fn, strerror(serrno)); 1679 errno = serrno; 1680 } 1681 return (fd); 1682 } 1683 1684 /* 1685 * Get authentication data for a URL from .netrc 1686 */ 1687 int 1688 fetch_netrc_auth(struct url *url) 1689 { 1690 const char *word; 1691 int serrno; 1692 FILE *f; 1693 1694 if (url->netrcfd < 0) 1695 url->netrcfd = fetch_netrc_open(); 1696 if (url->netrcfd < 0) 1697 return (-1); 1698 if ((f = fdopen(url->netrcfd, "r")) == NULL) { 1699 serrno = errno; 1700 DEBUGF("fdopen(netrcfd): %s", strerror(errno)); 1701 close(url->netrcfd); 1702 url->netrcfd = -1; 1703 errno = serrno; 1704 return (-1); 1705 } 1706 rewind(f); 1707 DEBUGF("searching netrc for %s\n", url->host); 1708 while ((word = fetch_read_word(f)) != NULL) { 1709 if (strcmp(word, "default") == 0) { 1710 DEBUGF("using default netrc settings\n"); 1711 break; 1712 } 1713 if (strcmp(word, "machine") == 0 && 1714 (word = fetch_read_word(f)) != NULL && 1715 strcasecmp(word, url->host) == 0) { 1716 DEBUGF("using netrc settings for %s\n", word); 1717 break; 1718 } 1719 } 1720 if (word == NULL) 1721 goto ferr; 1722 while ((word = fetch_read_word(f)) != NULL) { 1723 if (strcmp(word, "login") == 0) { 1724 if ((word = fetch_read_word(f)) == NULL) 1725 goto ferr; 1726 if (snprintf(url->user, sizeof(url->user), 1727 "%s", word) > (int)sizeof(url->user)) { 1728 fetch_info("login name in .netrc is too long"); 1729 url->user[0] = '\0'; 1730 } 1731 } else if (strcmp(word, "password") == 0) { 1732 if ((word = fetch_read_word(f)) == NULL) 1733 goto ferr; 1734 if (snprintf(url->pwd, sizeof(url->pwd), 1735 "%s", word) > (int)sizeof(url->pwd)) { 1736 fetch_info("password in .netrc is too long"); 1737 url->pwd[0] = '\0'; 1738 } 1739 } else if (strcmp(word, "account") == 0) { 1740 if ((word = fetch_read_word(f)) == NULL) 1741 goto ferr; 1742 /* XXX not supported! */ 1743 } else { 1744 break; 1745 } 1746 } 1747 fclose(f); 1748 url->netrcfd = -1; 1749 return (0); 1750 ferr: 1751 serrno = errno; 1752 fclose(f); 1753 url->netrcfd = -1; 1754 errno = serrno; 1755 return (-1); 1756 } 1757 1758 /* 1759 * The no_proxy environment variable specifies a set of domains for 1760 * which the proxy should not be consulted; the contents is a comma-, 1761 * or space-separated list of domain names. A single asterisk will 1762 * override all proxy variables and no transactions will be proxied 1763 * (for compatibility with lynx and curl, see the discussion at 1764 * <http://curl.haxx.se/mail/archive_pre_oct_99/0009.html>). 1765 */ 1766 int 1767 fetch_no_proxy_match(const char *host) 1768 { 1769 const char *no_proxy, *p, *q; 1770 size_t h_len, d_len; 1771 1772 if ((no_proxy = getenv("NO_PROXY")) == NULL && 1773 (no_proxy = getenv("no_proxy")) == NULL) 1774 return (0); 1775 1776 /* asterisk matches any hostname */ 1777 if (strcmp(no_proxy, "*") == 0) 1778 return (1); 1779 1780 h_len = strlen(host); 1781 p = no_proxy; 1782 do { 1783 /* position p at the beginning of a domain suffix */ 1784 while (*p == ',' || isspace((unsigned char)*p)) 1785 p++; 1786 1787 /* position q at the first separator character */ 1788 for (q = p; *q; ++q) 1789 if (*q == ',' || isspace((unsigned char)*q)) 1790 break; 1791 1792 d_len = q - p; 1793 if (d_len > 0 && h_len >= d_len && 1794 strncasecmp(host + h_len - d_len, 1795 p, d_len) == 0) { 1796 /* domain name matches */ 1797 return (1); 1798 } 1799 1800 p = q + 1; 1801 } while (*q); 1802 1803 return (0); 1804 } 1805