#else /* ifndef _WIN32 */
-# if !defined (__OS2__)
# include <unistd.h>
# include <sys/wait.h>
-# endif /* ndef __OS2__ */
# include <sys/time.h>
# include <sys/stat.h>
# include <sys/ioctl.h>
# include <OS.h> /* declarations for threads and stuff. */
# endif
-# if defined(__EMX__) || defined(__OS2__)
-# include <sys/select.h> /* OS/2/EMX needs a little help with select */
-# endif
-# ifdef __OS2__
-#define INCL_DOS
-# include <os2.h>
-# endif
-
#ifdef HAVE_POLL
#ifdef __GLIBC__
#include <sys/poll.h>
int g_terminate = 0;
#endif
-#if !defined(_WIN32) && !defined(__OS2__)
+#if !defined(_WIN32)
static void sig_handler(int the_signal);
#endif
static int client_protocol_is_unsupported(struct client_state *csp, char *req);
static jb_err parse_client_request(struct client_state *csp);
static void build_request_line(struct client_state *csp, const struct forward_spec *fwd, char **request_line);
static jb_err change_request_destination(struct client_state *csp);
+static void handle_established_connection(struct client_state *csp);
static void chat(struct client_state *csp);
static void serve(struct client_state *csp);
#if !defined(_WIN32) || defined(_WIN_CONSOLE)
#define sleep(N) Sleep(((N) * 1000))
#endif
-#ifdef __OS2__
-#define sleep(N) DosSleep(((N) * 100))
-#endif
-
#ifdef FUZZ
int process_fuzzed_input(char *fuzz_input_type, char *fuzz_input_file);
void show_fuzz_usage(const char *name);
#ifdef FEATURE_HTTPS_INSPECTION
privoxy_mutex_t certificate_mutex;
-privoxy_mutex_t rng_mutex;
+privoxy_mutex_t ssl_init_mutex;
#endif
#ifdef FEATURE_EXTERNAL_FILTERS
*
* here?
*/
-#if !defined(_WIN32) && !defined(__OS2__)
+#if !defined(_WIN32)
/*********************************************************************
*
* Function : sig_handler
#ifdef FEATURE_HTTPS_INSPECTION
if (client_use_ssl(csp))
{
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)response, strlen(response),
get_write_delay(csp));
}
#ifdef FEATURE_HTTPS_INSPECTION
if (client_use_ssl(csp))
{
- if ((ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ if ((ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)rsp->head, rsp->head_length,
get_write_delay(csp)) < 0)
- || (ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ || (ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)rsp->body, rsp->content_length,
get_write_delay(csp)) < 0))
{
/* There is nothing we can do about it. */
log_error(LOG_LEVEL_CONNECT, "Couldn't deliver the error message "
- "for %s through client socket %d using TLS/SSL",
- http->url, csp->cfd);
+ "for https://%s%s through client socket %d using TLS/SSL",
+ http->hostport, http->url, csp->cfd);
}
}
else
}
server_connection->forward_port = fwd->forward_port;
}
+#endif /* FEATURE_CONNECTION_KEEP_ALIVE */
/*********************************************************************
log_error(LOG_LEVEL_CONNECT, "Complete client request received.");
}
}
-#endif /* FEATURE_CONNECTION_KEEP_ALIVE */
/*********************************************************************
/* Assume persistence until further notice */
csp->flags |= CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE;
}
+#endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
if (csp->http->ssl == 0)
{
}
verify_request_length(csp);
}
+#ifndef FEATURE_HTTPS_INSPECTION
else
{
csp->flags |= CSP_FLAG_SERVER_SOCKET_TAINTED;
}
-#endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
+#endif
err = sed(csp, FILTER_CLIENT_HEADERS);
if (JB_ERR_OK != err)
{
int content_length_known = csp->expected_client_content_length != 0;
- while (is_ssl_pending(&(csp->mbedtls_client_attr.ssl))
+ while (is_ssl_pending(&(csp->ssl_client_attr))
|| (content_length_known && csp->expected_client_content_length != 0))
{
unsigned char buf[BUFFER_SIZE];
log_error(LOG_LEVEL_CONNECT,
"Waiting for up to %d bytes of POST data from the client.",
max_bytes_to_read);
- len = ssl_recv_data(&(csp->mbedtls_client_attr.ssl), buf,
+ len = ssl_recv_data(&(csp->ssl_client_attr), buf,
(unsigned)max_bytes_to_read);
if (len == -1)
{
}
log_error(LOG_LEVEL_CONNECT, "Forwarding %d bytes of encrypted POST data",
len);
- len = ssl_send_data(&(csp->mbedtls_server_attr.ssl), buf, (size_t)len);
+ len = ssl_send_data(&(csp->ssl_server_attr), buf, (size_t)len);
if (len == -1)
{
return 1;
* Write the client's (modified) header to the server
* (along with anything else that may be in the buffer)
*/
- ret = ssl_send_data(&(csp->mbedtls_server_attr.ssl),
+ ret = ssl_send_data(&(csp->ssl_server_attr),
(const unsigned char *)hdr, strlen(hdr));
freez(hdr);
}
if (((csp->flags & CSP_FLAG_PIPELINED_REQUEST_WAITING) == 0)
- && ((flushed = ssl_flush_socket(&(csp->mbedtls_server_attr.ssl),
+ && ((flushed = ssl_flush_socket(&(csp->ssl_server_attr),
csp->client_iob)) < 0))
{
log_error(LOG_LEVEL_CONNECT, "Failed sending request body to: %s: %E",
do
{
log_error(LOG_LEVEL_HEADER, "Reading encrypted headers");
- if (!is_ssl_pending(&(csp->mbedtls_client_attr.ssl)) &&
+ if (!is_ssl_pending(&(csp->ssl_client_attr)) &&
!data_is_available(csp->cfd, csp->config->socket_timeout))
{
log_error(LOG_LEVEL_CONNECT,
"Socket %d timed out while waiting for client headers", csp->cfd);
return JB_ERR_PARSE;
}
- len = ssl_recv_data(&(csp->mbedtls_client_attr.ssl),
+ len = ssl_recv_data(&(csp->ssl_client_attr),
(unsigned char *)buf, sizeof(buf));
+ if (len == 0)
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Socket %d closed while waiting for client headers", csp->cfd);
+ return JB_ERR_PARSE;
+ }
if (len == -1)
{
return JB_ERR_PARSE;
struct list header_list;
struct list *headers = &header_list;
+ assert(csp->ssl_with_client_is_opened);
+
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+ if (csp->config->feature_flags & RUNTIME_FEATURE_CONNECTION_KEEP_ALIVE)
+ {
+ csp->flags |= CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE;
+ }
+#endif
err = receive_encrypted_request(csp);
if (err != JB_ERR_OK)
{
+ if (csp->client_iob->cur == NULL)
+ {
+ /*
+ * We did not receive any data, most likely because the
+ * client is done. Don't log this as a parse failure.
+ */
+ return JB_ERR_PARSE;
+ }
/* XXX: Also used for JB_ERR_MEMORY */
log_error(LOG_LEVEL_ERROR, "Failed to receive encrypted request: %s",
jb_err_to_string(err));
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp));
return err;
}
if (request_line == NULL)
{
log_error(LOG_LEVEL_ERROR, "Failed to get the encrypted request line");
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp));
return JB_ERR_PARSE;
}
freez(request_line);
if (JB_ERR_OK != err)
{
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp));
/* XXX: Use correct size */
log_error(LOG_LEVEL_CLF, "%s - - [%T] \"Invalid request\" 400 0", csp->ip_addr_str);
*/
log_error(LOG_LEVEL_ERROR,
"Failed to get the encrypted request destination");
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp));
return JB_ERR_PARSE;
}
/* Split the domain we just got for pattern matching */
init_domain_components(csp->http);
+#ifdef FEATURE_CLIENT_TAGS
+ /* XXX: If the headers were enlisted sooner, passing csp would do. */
+ if (csp->client_address == NULL)
+ {
+ set_client_address(csp, headers);
+ get_tag_list_for_client(csp->client_tags, csp->client_address);
+ }
+#endif
+
#ifdef FEATURE_TOGGLE
if ((csp->flags & CSP_FLAG_TOGGLED_ON) != 0)
#endif
{
- /* Determine the actions for this URL */
+ /*
+ * Determine the actions for this request after
+ * clearing the ones from the previous one.
+ */
+ free_current_action(csp->action);
get_url_actions(csp, csp->http);
}
err = sed_https(csp);
if (JB_ERR_OK != err)
{
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp));
log_error(LOG_LEVEL_ERROR, "Failed to parse client request from %s.",
csp->ip_addr_str);
}
+
+#ifdef FEATURE_CONNECTION_KEEP_ALIVE
+/*********************************************************************
+ *
+ * Function : continue_https_chat
+ *
+ * Description : Behaves similar to chat() but only deals with
+ * https-inspected requests that arrive on an already
+ * established connection. The first request is always
+ * served by chat() which is a lot more complex as it
+ * has to deal with forwarding settings and connection
+ * failures etc.
+ *
+ * If a connection to the server has already been
+ * opened it is reused unless the request is blocked
+ * or the forwarder changed.
+ *
+ * If a connection to the server has not yet been
+ * opened (because the previous request was crunched),
+ * or the forwarder changed, the connection is dropped
+ * so that the client retries on a fresh one.
+ *
+ * Parameters :
+ * 1 : csp = Current client state (buffers, headers, etc...)
+ *
+ * Returns : Nothing.
+ *
+ *********************************************************************/
+static void continue_https_chat(struct client_state *csp)
+{
+ const struct forward_spec *fwd;
+
+ if (JB_ERR_OK != process_encrypted_request(csp))
+ {
+ return;
+ }
+
+ csp->requests_received_total++;
+
+ /*
+ * We have an encrypted request. Check if one of the crunchers wants it.
+ */
+ if (crunch_response_triggered(csp, crunchers_all))
+ {
+ /*
+ * Yes. The client got the crunch response and we're done here.
+ */
+ return;
+ }
+ if (csp->ssl_with_server_is_opened == 0)
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Dropping the client connection on socket %d. "
+ "The server connection has not been established yet.",
+ csp->cfd);
+ csp->flags &= ~CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE;
+ return;
+ }
+ assert(csp->server_connection.sfd != JB_INVALID_SOCKET);
+
+ fwd = forward_url(csp, csp->http);
+ if (!connection_destination_matches(&csp->server_connection, csp->http, fwd))
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "Dropping the client connection on socket %d with "
+ "server socket %d connected to %s. The forwarder has changed.",
+ csp->cfd, csp->server_connection.sfd, csp->server_connection.host);
+ csp->flags &= ~CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE;
+ return;
+ }
+
+ log_error(LOG_LEVEL_CONNECT,
+ "Reusing server socket %d connected to %s. Requests already sent: %u.",
+ csp->server_connection.sfd, csp->server_connection.host,
+ csp->server_connection.requests_sent_total);
+
+ if (send_https_request(csp))
+ {
+ /*
+ * Most likely the server connection timed out. We can't easily
+ * create a new one so simply drop the client connection without a
+ * error response to let the client retry.
+ */
+ log_error(LOG_LEVEL_CONNECT,
+ "Dropping client connection on socket %d. "
+ "Forwarding the encrypted client request failed.",
+ csp->cfd);
+ return;
+ }
+ csp->server_connection.requests_sent_total++;
+ handle_established_connection(csp);
+ freez(csp->receive_buffer);
+}
+#endif /* def FEATURE_CONNECTION_KEEP_ALIVE */
#endif
for (;;)
{
#ifndef HAVE_POLL
-#ifdef __OS2__
- /*
- * FD_ZERO here seems to point to an errant macro which crashes.
- * So do this by hand for now...
- */
- memset(&rfds,0x00,sizeof(fd_set));
-#else
FD_ZERO(&rfds);
-#endif
#ifdef FEATURE_CONNECTION_KEEP_ALIVE
if (!watch_client_socket)
{
*/
if (server_use_ssl(csp))
{
- len = ssl_recv_data(&(csp->mbedtls_server_attr.ssl),
+ len = ssl_recv_data(&(csp->ssl_server_attr),
(unsigned char *)csp->receive_buffer, csp->receive_buffer_size);
}
else
*/
if (client_use_ssl(csp))
{
- if ((ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ if ((ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)hdr, strlen(hdr),
get_write_delay(csp)) < 0)
- || (ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ || (ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *) ((p != NULL) ? p : csp->iob->cur),
csp->content_length, get_write_delay(csp)) < 0))
{
*/
if (client_use_ssl(csp))
{
- if ((ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ if ((ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)hdr, hdrlen, get_write_delay(csp)) < 0)
- || ((flushed = ssl_flush_socket(&(csp->mbedtls_client_attr.ssl),
+ || ((flushed = ssl_flush_socket(&(csp->ssl_client_attr),
csp->iob)) < 0)
- || (ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ || (ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)csp->receive_buffer, (size_t)len,
get_write_delay(csp)) < 0))
{
*/
if (client_use_ssl(csp))
{
- ret = ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ret = ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)csp->receive_buffer, (size_t)len,
get_write_delay(csp));
if (ret < 0)
*/
if (client_use_ssl(csp))
{
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)INVALID_SERVER_HEADERS_RESPONSE,
strlen(INVALID_SERVER_HEADERS_RESPONSE), get_write_delay(csp));
}
*/
if (client_use_ssl(csp))
{
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)INVALID_SERVER_HEADERS_RESPONSE,
strlen(INVALID_SERVER_HEADERS_RESPONSE),
get_write_delay(csp));
*/
if (client_use_ssl(csp))
{
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)INVALID_SERVER_HEADERS_RESPONSE,
strlen(INVALID_SERVER_HEADERS_RESPONSE),
get_write_delay(csp));
#ifdef FEATURE_HTTPS_INSPECTION
if (client_use_ssl(csp))
{
- if ((ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ if ((ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)hdr, strlen(hdr),
get_write_delay(csp)) < 0)
- || (len = ssl_flush_socket(&(csp->mbedtls_client_attr.ssl),
+ || (len = ssl_flush_socket(&(csp->ssl_client_attr),
csp->iob) < 0))
{
log_error(LOG_LEVEL_CONNECT, "Write header to client failed");
*/
if (client_use_ssl(csp))
{
- ssl_send_data_delayed(&(csp->mbedtls_client_attr.ssl),
+ ssl_send_data_delayed(&(csp->ssl_client_attr),
(const unsigned char *)INVALID_SERVER_HEADERS_RESPONSE,
strlen(INVALID_SERVER_HEADERS_RESPONSE),
get_write_delay(csp));
#endif
return; /* huh? we should never get here */
}
-#ifdef FEATURE_HTTPS_INSPECTION
- close_client_and_server_ssl_connections(csp);
-#endif
+
if (csp->content_length == 0)
{
/*
if (csp->server_connection.sfd != JB_INVALID_SOCKET)
{
#ifdef FEATURE_CONNECTION_SHARING
- if (csp->config->feature_flags & RUNTIME_FEATURE_CONNECTION_SHARING)
+ if (csp->config->feature_flags & RUNTIME_FEATURE_CONNECTION_SHARING
+#ifdef FEATURE_HTTPS_INSPECTION
+ && !server_use_ssl(csp)
+#endif
+ )
{
remember_connection(&csp->server_connection);
}
}
if (JB_ERR_OK != process_encrypted_request(csp))
{
- log_error(LOG_LEVEL_ERROR, "Failed to parse encrypted request.");
close_client_ssl_connection(csp);
return;
}
/*
* Yes. The client got the crunch response and we're done here.
*/
- close_client_ssl_connection(csp);
return;
}
}
if (strcmp(fuzz_input_file, "-") == 0)
{
- /* XXX: Doesn'T work yet. */
+ /* XXX: Doesn't work yet. */
csp->server_connection.sfd = 0;
}
else
freez(csp->error_message);
free_http_request(csp->http);
destroy_list(csp->headers);
+#ifdef FEATURE_HTTPS_INSPECTION
+ destroy_list(csp->https_headers);
+#endif
destroy_list(csp->tags);
#ifdef FEATURE_CLIENT_TAGS
destroy_list(csp->client_tags);
{
unsigned int latency;
- chat(csp);
+#ifdef FEATURE_HTTPS_INSPECTION
+ if (continue_chatting && client_use_ssl(csp))
+ {
+ continue_https_chat(csp);
+ }
+ else
+#endif
+ {
+ chat(csp);
+ }
/*
* If the request has been crunched,
forget_connection(csp->server_connection.sfd);
}
#endif /* def FEATURE_CONNECTION_SHARING */
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_server_ssl_connection(csp);
+#endif
close_socket(csp->server_connection.sfd);
mark_connection_closed(&csp->server_connection);
}
continue_chatting = 0;
config_file_change_detected = 1;
}
+#ifdef FEATURE_HTTPS_INSPECTION
+ if (continue_chatting && client_use_ssl(csp) &&
+ csp->ssl_with_client_is_opened == 0)
+ {
+ continue_chatting = 0;
+ log_error(LOG_LEVEL_CONNECT, "Client socket %d is no longer usable. "
+ "The TLS session has been terminated.", csp->cfd);
+ }
+#endif
if (continue_chatting)
{
&& socket_is_still_alive(csp->cfd))
{
log_error(LOG_LEVEL_CONNECT,
- "Client request %u arrived in time on socket %d.",
- csp->requests_received_total+1, csp->cfd);
+ "Data arrived in time on client socket %d. Requests so far: %u",
+ csp->cfd, csp->requests_received_total);
prepare_csp_for_next_request(csp);
}
else
#ifdef FEATURE_CONNECTION_SHARING
if ((csp->config->feature_flags & RUNTIME_FEATURE_CONNECTION_SHARING)
&& (csp->server_connection.sfd != JB_INVALID_SOCKET)
- && (socket_is_still_alive(csp->server_connection.sfd)))
+ && (socket_is_still_alive(csp->server_connection.sfd))
+#ifdef FEATURE_HTTPS_INSPECTION
+ && !server_use_ssl(csp)
+#endif
+ )
{
time_t time_open = time(NULL) - csp->server_connection.timestamp;
forget_connection(csp->server_connection.sfd);
}
#endif /* def FEATURE_CONNECTION_SHARING */
+
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_server_ssl_connection(csp);
+#endif /* def FEATURE_HTTPS_INSPECTION */
+
close_socket(csp->server_connection.sfd);
}
csp->cfd, 0 != (csp->flags & CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE),
socket_is_still_alive(csp->cfd), data_is_available(csp->cfd, 0),
config_file_change_detected, csp->requests_received_total);
+#ifdef FEATURE_HTTPS_INSPECTION
+ close_client_ssl_connection(csp);
+#endif
drain_and_close_socket(csp->cfd);
}
#ifdef FEATURE_HTTPS_INSPECTION
privoxy_mutex_init(&certificate_mutex);
- privoxy_mutex_init(&rng_mutex);
+ privoxy_mutex_init(&ssl_init_mutex);
#endif
privoxy_mutex_init(&log_mutex);
* are handled when and where they occur without relying
* on a signal.
*/
-#if !defined(_WIN32) && !defined(__OS2__)
+#if !defined(_WIN32)
{
int idx;
const int catched_signals[] = { SIGTERM, SIGINT, SIGHUP };
for (;;)
#endif
{
-#if !defined(FEATURE_PTHREAD) && !defined(_WIN32) && !defined(__BEOS__) && !defined(__OS2__)
+#if !defined(FEATURE_PTHREAD) && !defined(_WIN32) && !defined(__BEOS__)
while (waitpid(-1, NULL, WNOHANG) > 0)
{
/* zombie children */
#define SELECTED_ONE_OPTION
{
pthread_t the_thread;
+ int ret;
- errno = pthread_create(&the_thread, &attrs,
+ ret = pthread_create(&the_thread, &attrs,
(void * (*)(void *))serve, csp);
- child_id = errno ? -1 : 0;
+ child_id = ret ? -1 : 0;
}
#endif
csp);
#endif
-#if defined(__OS2__) && !defined(SELECTED_ONE_OPTION)
-#define SELECTED_ONE_OPTION
- child_id = _beginthread(
- (void(* _Optlink)(void*))serve,
- NULL,
- 64 * 1024,
- csp);
-#endif
-
#if defined(__BEOS__) && !defined(SELECTED_ONE_OPTION)
#define SELECTED_ONE_OPTION
{
#ifdef FEATURE_HTTPS_INSPECTION
/* Clean up. Aim: free all memory (no leaks) */
- if (rng_seeded == 1)
- {
- mbedtls_ctr_drbg_free(&ctr_drbg);
- mbedtls_entropy_free(&entropy);
- }
+ ssl_release();
#endif
#ifdef FEATURE_GRACEFUL_TERMINATION
- log_error(LOG_LEVEL_ERROR, "Graceful termination requested");
+ log_error(LOG_LEVEL_INFO, "Graceful termination requested");
unload_current_config_file();
unload_current_actions_file();
projects / privoxy.git / blobdiff