Style cosmetics for the IPv6 code.

[privoxy.git] / filters.c

diff --git a/filters.c b/filters.c
index ae7e96d..c5d8d6e 100644 (file)
--- a/filters.c
+++ b/filters.c
@@ -1,4 +1,4 @@
-const char filters_rcs[] = "$Id: filters.c,v 1.108 2008/05/21 15:35:08 fabiankeil Exp $";
+const char filters_rcs[] = "$Id: filters.c,v 1.115 2009/04/17 11:29:18 fabiankeil Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/filters.c,v $
@@ -40,6 +40,30 @@ const char filters_rcs[] = "$Id: filters.c,v 1.108 2008/05/21 15:35:08 fabiankei
  *
  * Revisions   :
  *    $Log: filters.c,v $
+ *    Revision 1.115  2009/04/17 11:29:18  fabiankeil
+ *    Compile fix for BSD libc.
+ *
+ *    Revision 1.114  2009/04/17 11:27:49  fabiankeil
+ *    Petr Pisar's privoxy-3.0.12-ipv6-3.diff.
+ *
+ *    Revision 1.113  2009/03/08 14:19:23  fabiankeil
+ *    Fix justified (but harmless) compiler warnings
+ *    on platforms where sizeof(int) < sizeof(long).
+ *
+ *    Revision 1.112  2009/03/01 18:28:23  fabiankeil
+ *    Help clang understand that we aren't dereferencing
+ *    NULL pointers here.
+ *
+ *    Revision 1.111  2008/12/04 18:13:46  fabiankeil
+ *    Fix a cparser warning.
+ *
+ *    Revision 1.110  2008/11/10 16:40:25  fabiankeil
+ *    Fix a gcc44 warning.
+ *
+ *    Revision 1.109  2008/11/08 15:48:41  fabiankeil
+ *    Mention actual values when complaining about
+ *    the chunk size exceeding the buffer size.
+ *
  *    Revision 1.108  2008/05/21 15:35:08  fabiankeil
  *    - Mark csp as immutable for block_acl().
  *    - Remove an obsolete complaint about filter_popups().
@@ -647,6 +671,11 @@ const char filters_rcs[] = "$Id: filters.c,v 1.108 2008/05/21 15:35:08 fabiankei
 #include <string.h>
 #include <assert.h>
 
+#ifdef HAVE_GETADDRINFO
+#include <netdb.h>
+#include <sys/socket.h>
+#endif /* def HAVE_GETADDRINFO */
+
 #ifndef _WIN32
 #ifndef __OS2__
 #include <unistd.h>
@@ -694,6 +723,151 @@ static jb_err remove_chunked_transfer_coding(char *buffer, size_t *size);
 static jb_err prepare_for_filtering(struct client_state *csp);
 
 #ifdef FEATURE_ACL
+#ifdef HAVE_GETADDRINFO
+/*********************************************************************
+ *
+ * Function    :  sockaddr_storage_to_ip
+ *
+ * Description :  Access internal structure of sockaddr_storage
+ *
+ * Parameters  :
+ *          1  :  addr = socket address
+ *          2  :  ip   = IP address as array of octets in network order
+ *                       (it points into addr)
+ *          3  :  len  = length of IP address in octets
+ *          4  :  port = port number in network order;
+ *
+ * Returns     :  0 = no errror; -1 otherwise.
+ *
+ *********************************************************************/
+int sockaddr_storage_to_ip(const struct sockaddr_storage *addr, uint8_t **ip,
+      unsigned int *len, in_port_t **port)
+{
+   if (NULL == addr)
+   {
+      return(-1);
+   }
+
+   switch (addr->ss_family)
+   {
+      case AF_INET:
+         if (NULL != len)
+         {
+            *len = 4;
+         }
+         if (NULL != ip)
+         {
+            *ip = (uint8_t *)
+               &(((struct sockaddr_in *)addr)->sin_addr.s_addr);
+         }
+         if (NULL != port)
+         {
+            *port = &((struct sockaddr_in *)addr)->sin_port;
+         }
+         break;
+
+      case AF_INET6:
+         if (NULL != len)
+         {
+            *len = 16;
+         }
+         if (NULL != ip)
+         {
+            *ip = ((struct sockaddr_in6 *)addr)->sin6_addr.s6_addr;
+         }
+         if (NULL != port)
+         {
+            *port = &((struct sockaddr_in6 *)addr)->sin6_port;
+         }
+         break;
+
+      default:
+         /* Unsupported address family */
+         return(-1);
+   }
+
+   return(0);
+}
+
+
+/*********************************************************************
+ *
+ * Function    :  match_sockaddr
+ *
+ * Description :  Check whether address matches network (IP address and port)
+ *
+ * Parameters  :
+ *          1  :  network = socket address of subnework
+ *          2  :  netmask = network mask as socket address
+ *          3  :  address = checked socket address against given network
+ *
+ * Returns     :  0 = doesn't match; 1 = does match
+ *
+ *********************************************************************/
+int match_sockaddr(const struct sockaddr_storage *network,
+      const struct sockaddr_storage *netmask,
+      const struct sockaddr_storage *address)
+{
+   uint8_t *network_addr, *netmask_addr, *address_addr;
+   unsigned int addr_len;
+   in_port_t *network_port, *netmask_port, *address_port;
+   int i;
+
+   if (network->ss_family != netmask->ss_family)
+   {
+      /* This should never happen */
+      log_error(LOG_LEVEL_ERROR,
+         "Internal error at %s:%llu: network and netmask differ in family",
+         __FILE__, __LINE__);
+      return 0;
+   }
+
+   sockaddr_storage_to_ip(network, &network_addr, &addr_len, &network_port);
+   sockaddr_storage_to_ip(netmask, &netmask_addr, NULL, &netmask_port);
+   sockaddr_storage_to_ip(address, &address_addr, NULL, &address_port);
+
+   /* Check for family */
+   if ((network->ss_family == AF_INET) && (address->ss_family == AF_INET6)
+      && IN6_IS_ADDR_V4MAPPED((struct in6_addr *)address_addr))
+   {
+      /* Map AF_INET6 V4MAPPED address into AF_INET */
+      address_addr += 12;
+      addr_len = 4;
+   }
+   else if ((network->ss_family == AF_INET6) && (address->ss_family == AF_INET)
+      && IN6_IS_ADDR_V4MAPPED((struct in6_addr *)network_addr))
+   {
+      /* Map AF_INET6 V4MAPPED network into AF_INET */
+      network_addr += 12;
+      netmask_addr += 12;
+      addr_len = 4;
+   }
+   else if (network->ss_family != address->ss_family)
+   {
+      return 0;
+   }
+
+   /* XXX: Port check is signaled in netmask */
+   if (*netmask_port && *network_port != *address_port)
+   {
+      return 0;
+   }
+
+   /* TODO: Optimize by checking by words insted of octets */
+   for (i = 0; (i < addr_len) && netmask_addr[i]; i++)
+   {
+      if ((network_addr[i] & netmask_addr[i]) !=
+          (address_addr[i] & netmask_addr[i]))
+      {
+         return 0;
+      }
+   }
+
+   return 1;
+}
+#endif /* def HAVE_GETADDRINFO */
+
+
 /*********************************************************************
  *
  * Function    :  block_acl
@@ -723,7 +897,13 @@ int block_acl(const struct access_control_addr *dst, const struct client_state *
    /* search the list */
    while (acl != NULL)
    {
-      if ((csp->ip_addr_long & acl->src->mask) == acl->src->addr)
+      if (
+#ifdef HAVE_GETADDRINFO
+            match_sockaddr(&acl->src->addr, &acl->src->mask, &csp->tcp_addr)
+#else
+            (csp->ip_addr_long & acl->src->mask) == acl->src->addr
+#endif
+            )
       {
          if (dst == NULL)
          {
@@ -733,8 +913,23 @@ int block_acl(const struct access_control_addr *dst, const struct client_state *
                return(0);
             }
          }
-         else if ( ((dst->addr & acl->dst->mask) == acl->dst->addr)
-           && ((dst->port == acl->dst->port) || (acl->dst->port == 0)))
+         else if (
+#ifdef HAVE_GETADDRINFO
+               /*
+                * XXX: An undefined acl->dst is full of zeros and should be
+                * considered a wildcard address. sockaddr_storage_to_ip()
+                * fails on such destinations because of unknown sa_familly
+                * (glibc only?). However this test is not portable.
+                *
+                * So, we signal the acl->dst is wildcard in wildcard_dst.
+                */
+               acl->wildcard_dst ||
+                  match_sockaddr(&acl->dst->addr, &acl->dst->mask, &dst->addr)
+#else
+               ((dst->addr & acl->dst->mask) == acl->dst->addr)
+           && ((dst->port == acl->dst->port) || (acl->dst->port == 0))
+#endif
+           )
          {
             if (acl->action == ACL_PERMIT)
             {
@@ -770,12 +965,24 @@ int block_acl(const struct access_control_addr *dst, const struct client_state *
 int acl_addr(const char *aspec, struct access_control_addr *aca)
 {
    int i, masklength;
+#ifdef HAVE_GETADDRINFO
+   struct addrinfo hints, *result;
+   uint8_t *mask_data;
+   in_port_t *mask_port;
+   unsigned int addr_len;
+#else
    long port;
+#endif /* def HAVE_GETADDRINFO */
    char *p;
    char *acl_spec = NULL;
 
+#ifdef HAVE_GETADDRINFO
+   /* XXX: Depend on ai_family */
+   masklength = 128;
+#else
    masklength = 32;
    port       =  0;
+#endif
 
    /*
     * Use a temporary acl spec copy so we can log
@@ -799,13 +1006,53 @@ int acl_addr(const char *aspec, struct access_control_addr *aca)
       masklength = atoi(p);
    }
 
-   if ((masklength < 0) || (masklength > 32))
+   if ((masklength < 0) ||
+#ifdef HAVE_GETADDRINFO
+         (masklength > 128)
+#else
+         (masklength > 32)
+#endif
+         )
    {
       freez(acl_spec);
       return(-1);
    }
 
-   if ((p = strchr(acl_spec, ':')) != NULL)
+   if ((*acl_spec == '[') && (NULL != (p = strchr(acl_spec, ']'))))
+   {
+      *p = '\0';
+      memmove(acl_spec, acl_spec + 1, (size_t)(p - acl_spec));
+
+      if (*++p != ':')
+      {
+         p = NULL;
+      }
+   }
+   else
+   {
+      p = strchr(acl_spec, ':');
+   }
+
+#ifdef HAVE_GETADDRINFO
+   memset(&hints, 0, sizeof(struct addrinfo));
+   hints.ai_family = AF_UNSPEC;
+   hints.ai_socktype = SOCK_STREAM;
+
+   i = getaddrinfo(acl_spec, ((p) ? ++p : NULL), &hints, &result);
+   freez(acl_spec);
+
+   if (i != 0)
+   {
+      log_error(LOG_LEVEL_ERROR, "Can not resolve [%s]:%s: %s",
+         acl_spec, p, gai_strerror(i));
+      return(-1);
+   }
+
+   /* TODO: Allow multihomed hostnames */
+   memcpy(&(aca->addr), result->ai_addr, result->ai_addrlen);
+   freeaddrinfo(result);
+#else
+   if (p != NULL)
    {
       char *endptr;
 
@@ -829,18 +1076,67 @@ int acl_addr(const char *aspec, struct access_control_addr *aca)
       /* XXX: This will be logged as parse error. */
       return(-1);
    }
+#endif /* def HAVE_GETADDRINFO */
 
    /* build the netmask */
+#ifdef HAVE_GETADDRINFO
+   /* Clip masklength according to current family. */
+   if ((aca->addr.ss_family == AF_INET) && (masklength > 32))
+   {
+      masklength = 32;
+   }
+
+   aca->mask.ss_family = aca->addr.ss_family;
+   if (sockaddr_storage_to_ip(&aca->mask, &mask_data, &addr_len, &mask_port))
+   {
+      return(-1);
+   }
+
+   if (p)
+   {
+      /* ACL contains a port number, check ports in the future. */
+      *mask_port = 1;
+   }
+
+   /*
+    * XXX: This could be optimized to operate on whole words instead
+    * of octets (128-bit CPU could do it in one iteration).
+    */
+   /*
+    * Octets after prefix can be ommitted because of
+    * previous initialization to zeros.
+    */
+   for (i = 0; (i < addr_len) && masklength; i++)
+   {
+      if (masklength >= 8)
+      {
+         mask_data[i] = 0xFF;
+         masklength -= 8;
+      }
+      else
+      {
+         /*
+          * XXX: This assumes MSB of octet is on the left side.
+          * This should be true for all architectures or solved
+          * by the link layer.
+          */
+         mask_data[i] = ~((1 << (8 - masklength)) - 1);
+         masklength = 0;
+      }
+   }
+
+#else
    aca->mask = 0;
    for (i=1; i <= masklength ; i++)
    {
-      aca->mask |= (1 << (32 - i));
+      aca->mask |= (1U << (32 - i));
    }
 
    /* now mask off the host portion of the ip address
     * (i.e. save on the network portion of the address).
     */
    aca->addr = aca->addr & aca->mask;
+#endif /* def HAVE_GETADDRINFO */
 
    return(0);
 
@@ -1781,7 +2077,7 @@ int is_untrusted_url(const struct client_state *csp)
                /* since this path points into a user's home space
                 * be sure to include this spec in the trustfile.
                 */
-               int path_len = path_end - path; /* save offset */
+               long path_len = path_end - path; /* save offset */
                path = strdup(path); /* Copy string */
                if (path != NULL)
                {
@@ -2178,7 +2474,7 @@ static jb_err remove_chunked_transfer_coding(char *buffer, size_t *size)
       return JB_ERR_PARSE;
    }
 
-   while (chunksize > 0)
+   while (chunksize > 0U)
    {
       if (NULL == (from_p = strstr(from_p, "\r\n")))
       {
@@ -2468,6 +2764,7 @@ const static struct forward_spec *get_forward_override_settings(struct client_st
       log_error(LOG_LEVEL_FATAL,
          "can't allocate memory for forward-override{%s}", forward_override_line);
       /* Never get here - LOG_LEVEL_FATAL causes program exit */
+      return NULL;
    }
 
    vec_count = ssplit(forward_settings, " \t", vec, SZ(vec), 1, 1);
@@ -2507,7 +2804,7 @@ const static struct forward_spec *get_forward_override_settings(struct client_st
          if (NULL != (socks_proxy = strchr(fwd->gateway_host, ':')))
          {
             *socks_proxy++ = '\0';
-            fwd->gateway_port = strtol(socks_proxy, NULL, 0);
+            fwd->gateway_port = (int)strtol(socks_proxy, NULL, 0);
          }
 
          if (fwd->gateway_port <= 0)
@@ -2534,7 +2831,7 @@ const static struct forward_spec *get_forward_override_settings(struct client_st
       if (NULL != (http_parent = strchr(fwd->forward_host, ':')))
       {
          *http_parent++ = '\0';
-         fwd->forward_port = strtol(http_parent, NULL, 0);
+         fwd->forward_port = (int)strtol(http_parent, NULL, 0);
       }
 
       if (fwd->forward_port <= 0)