X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=jcc.c;h=26fc6304631fac44c5f6d97f568e46f69983db7e;hp=1e8ad445066da86bde6853023569d109d82a7487;hb=59d3fb7457a63f1c1aca6fc6e5517b7d88c224b2;hpb=d6c9b0e695a20c79e3365b6c5eec71f78f50750f diff --git a/jcc.c b/jcc.c index 1e8ad445..26fc6304 100644 --- a/jcc.c +++ b/jcc.c @@ -5,7 +5,7 @@ * Purpose : Main file. Contains main() method, main loop, and * the main connection-handling function. * - * Copyright : Written by and Copyright (C) 2001-2021 the + * Copyright : Written by and Copyright (C) 2001-2022 the * Privoxy team. https://www.privoxy.org/ * * Based on the Internet Junkbuster originally written @@ -127,6 +127,10 @@ struct file_list files[1]; #ifdef FEATURE_STATISTICS int urls_read = 0; /* total nr of urls read inc rejected */ int urls_rejected = 0; /* total nr of urls rejected */ +#ifdef MUTEX_LOCKS_AVAILABLE +unsigned long long number_of_requests_received = 0; +unsigned long long number_of_requests_blocked = 0; +#endif #endif /* def FEATURE_STATISTICS */ #ifdef FEATURE_GRACEFUL_TERMINATION @@ -191,9 +195,12 @@ privoxy_mutex_t external_filter_mutex; #ifdef FEATURE_CLIENT_TAGS privoxy_mutex_t client_tags_mutex; #endif +#ifdef FEATURE_STATISTICS +privoxy_mutex_t block_statistics_mutex; +#endif #ifdef FEATURE_EXTENDED_STATISTICS privoxy_mutex_t filter_statistics_mutex; -privoxy_mutex_t block_statistics_mutex; +privoxy_mutex_t block_reason_statistics_mutex; #endif #if !defined(HAVE_GETHOSTBYADDR_R) || !defined(HAVE_GETHOSTBYNAME_R) @@ -945,6 +952,11 @@ static int crunch_response_triggered(struct client_state *csp, const struct crun #ifdef FEATURE_STATISTICS if (c->flags & CF_COUNT_AS_REJECT) { +#ifdef MUTEX_LOCKS_AVAILABLE + privoxy_mutex_lock(&block_statistics_mutex); + number_of_requests_blocked++; + privoxy_mutex_unlock(&block_statistics_mutex); +#endif csp->flags |= CSP_FLAG_REJECTED; } #endif /* def FEATURE_STATISTICS */ @@ -995,12 +1007,35 @@ static void build_request_line(struct client_state *csp, const struct forward_sp * Rebuild the request line. */ freez(*request_line); - *request_line = strdup(http->gpc); - string_append(request_line, " "); +#ifdef FEATURE_HTTPS_INSPECTION + if (fwd != NULL && fwd->forward_host && + fwd->type != FORWARD_WEBSERVER && client_use_ssl(csp)) + { + *request_line = strdup("CONNECT "); + } + else +#endif + { + *request_line = strdup(http->gpc); + string_append(request_line, " "); + } if (fwd != NULL && fwd->forward_host && fwd->type != FORWARD_WEBSERVER) { - string_append(request_line, http->url); +#ifdef FEATURE_HTTPS_INSPECTION + if (client_use_ssl(csp)) + { + char port_string[10]; + + string_append(request_line, http->host); + snprintf(port_string, sizeof(port_string), ":%d", http->port); + string_append(request_line, port_string); + } + else +#endif + { + string_append(request_line, http->url); + } } else { @@ -1153,10 +1188,10 @@ static void wait_for_alive_connections(void) * Returns : void * *********************************************************************/ -void save_connection_destination(jb_socket sfd, - const struct http_request *http, - const struct forward_spec *fwd, - struct reusable_connection *server_connection) +static void save_connection_destination(jb_socket sfd, + const struct http_request *http, + const struct forward_spec *fwd, + struct reusable_connection *server_connection) { assert(sfd != JB_INVALID_SOCKET); assert(NULL != http->host); @@ -1503,6 +1538,12 @@ static enum chunk_status chunked_body_is_complete(struct iob *iob, size_t *lengt /* Move beyond the chunkdata. */ p += 2 + chunksize; + /* Make sure we're still within the buffer and have two bytes left */ + if (p + 2 > iob->eod) + { + return CHUNK_STATUS_MISSING_DATA; + } + /* There should be another "\r\n" to skip */ if (memcmp(p, "\r\n", 2)) { @@ -1784,6 +1825,19 @@ static jb_err receive_client_request(struct client_state *csp) free_http_request(http); return JB_ERR_PARSE; } + if (http->ssl && strcmpic(http->gpc, "CONNECT")) + { + write_socket_delayed(csp->cfd, CHEADER, strlen(CHEADER), + get_write_delay(csp)); + /* XXX: Use correct size */ + log_error(LOG_LEVEL_CLF, "%s - - [%T] \"Invalid request\" 400 0", + csp->ip_addr_str); + log_error(LOG_LEVEL_ERROR, "Client %s tried to send a https " + "URL without sending a CONNECT request first", + csp->ip_addr_str); + free_http_request(http); + return JB_ERR_PARSE; + } /* grab the rest of the client's headers */ init_list(headers); @@ -1806,7 +1860,8 @@ static jb_err receive_client_request(struct client_state *csp) if (!data_is_available(csp->cfd, csp->config->socket_timeout)) { log_error(LOG_LEVEL_ERROR, - "Stopped grabbing the client headers."); + "Client headers did not arrive in time. Timeout: %d", + csp->config->socket_timeout); destroy_list(headers); return JB_ERR_PARSE; } @@ -2051,12 +2106,13 @@ static int read_http_request_body(struct client_state *csp) if (to_read != 0) { - log_error(LOG_LEVEL_CONNECT, "Not enough request body has been read: expected %llu more bytes", - csp->expected_client_content_length); + log_error(LOG_LEVEL_CONNECT, + "Not enough request body has been read: expected %lu more bytes", + to_read); return 1; } - log_error(LOG_LEVEL_CONNECT, "The last %llu bytes of the request body have been read", - csp->expected_client_content_length); + log_error(LOG_LEVEL_CONNECT, + "The last %d bytes of the request body have been read", len); return 0; } @@ -2129,7 +2185,7 @@ static int can_filter_request_body(const struct client_state *csp) { log_error(LOG_LEVEL_INFO, "Not filtering request body from %s: buffer limit %lu will be exceeded " - "(content length %lluu)", csp->ip_addr_str, csp->config->buffer_limit, + "(content length %llu)", csp->ip_addr_str, csp->config->buffer_limit, csp->expected_client_content_length); return FALSE; } @@ -2176,6 +2232,7 @@ static int send_http_request(struct client_state *csp) update_client_headers(csp, to_send_len)) { log_error(LOG_LEVEL_HEADER, "Error updating client headers"); + freez(to_send); return 1; } csp->expected_client_content_length = 0; @@ -2200,6 +2257,10 @@ static int send_http_request(struct client_state *csp) { log_error(LOG_LEVEL_CONNECT, "Failed sending request headers to: %s: %E", csp->http->hostport); + if (filter_client_body) + { + freez(to_send); + } return 1; } @@ -2261,13 +2322,15 @@ static int read_https_request_body(struct client_state *csp) size_t max_bytes_to_read = to_read < sizeof(buf) ? to_read : sizeof(buf); log_error(LOG_LEVEL_CONNECT, - "Waiting for up to %lu bytes of request body from the client.", + "Buffering encrypted client body. Prepared to read up to %lu bytes.", max_bytes_to_read); len = ssl_recv_data(&(csp->ssl_client_attr), buf, (unsigned)max_bytes_to_read); if (len <= 0) { - log_error(LOG_LEVEL_CONNECT, "Failed receiving request body from %s", csp->ip_addr_str); + log_error(LOG_LEVEL_CONNECT, + "Did not receive the whole encrypted request body from %s", + csp->ip_addr_str); return 1; } if (add_to_iob(csp->client_iob, csp->config->buffer_limit, (char *)buf, len)) @@ -2280,13 +2343,13 @@ static int read_https_request_body(struct client_state *csp) if (to_read != 0) { log_error(LOG_LEVEL_CONNECT, - "Not enough request body has been read: expected %lu more bytes", + "Not enough encrypted request body has been read: expected %lu more bytes", to_read); return 1; } log_error(LOG_LEVEL_CONNECT, - "The last %llu bytes of the request body have been read", + "The last %llu bytes of the encrypted request body have been read", csp->expected_client_content_length); return 0; } @@ -2309,8 +2372,9 @@ static int receive_and_send_encrypted_post_data(struct client_state *csp) { int content_length_known = csp->expected_client_content_length != 0; - while (is_ssl_pending(&(csp->ssl_client_attr)) - || (content_length_known && csp->expected_client_content_length != 0)) + while ((content_length_known && csp->expected_client_content_length != 0) || + (is_ssl_pending(&(csp->ssl_client_attr)) || + data_is_available(csp->cfd, csp->config->socket_timeout))) { unsigned char buf[BUFFER_SIZE]; int len; @@ -2491,9 +2555,10 @@ static int send_https_request(struct client_state *csp) /********************************************************************* * - * Function : receive_encrypted_request + * Function : receive_encrypted_request_headers * - * Description : Receives an encrypted request. + * Description : Receives the encrypted request headers when + * https-inspecting. * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) @@ -2502,7 +2567,7 @@ static int send_https_request(struct client_state *csp) * JB_ERR_PARSE or JB_ERR_MEMORY otherwise * *********************************************************************/ -static jb_err receive_encrypted_request(struct client_state *csp) +static jb_err receive_encrypted_request_headers(struct client_state *csp) { char buf[BUFFER_SIZE]; int len; @@ -2510,7 +2575,7 @@ static jb_err receive_encrypted_request(struct client_state *csp) do { - log_error(LOG_LEVEL_HEADER, "Reading encrypted headers"); + log_error(LOG_LEVEL_HEADER, "Waiting for encrypted client headers"); if (!is_ssl_pending(&(csp->ssl_client_attr)) && !data_is_available(csp->cfd, csp->config->socket_timeout)) { @@ -2646,9 +2711,10 @@ static jb_err change_encrypted_request_destination(struct client_state *csp) /********************************************************************* * - * Function : process_encrypted_request + * Function : process_encrypted_request_headers * - * Description : Receives and parses an encrypted request. + * Description : Receives and parses the encrypted headers send + * by the client when https-inspecting. * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) @@ -2657,7 +2723,7 @@ static jb_err change_encrypted_request_destination(struct client_state *csp) * JB_ERR_PARSE or JB_ERR_MEMORY otherwise * *********************************************************************/ -static jb_err process_encrypted_request(struct client_state *csp) +static jb_err process_encrypted_request_headers(struct client_state *csp) { char *p; char *request_line; @@ -2674,7 +2740,7 @@ static jb_err process_encrypted_request(struct client_state *csp) csp->flags |= CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE; } #endif - err = receive_encrypted_request(csp); + err = receive_encrypted_request_headers(csp); if (err != JB_ERR_OK) { if (csp->client_iob->cur == NULL || @@ -2769,6 +2835,8 @@ static jb_err process_encrypted_request(struct client_state *csp) "Failed to get the encrypted request destination"); ssl_send_data_delayed(&(csp->ssl_client_attr), (const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp)); + destroy_list(headers); + return JB_ERR_PARSE; } @@ -2841,8 +2909,7 @@ static jb_err process_encrypted_request(struct client_state *csp) return JB_ERR_PARSE; } - log_error(LOG_LEVEL_HEADER, "Encrypted request processed"); - log_applied_actions(csp->action); + log_error(LOG_LEVEL_HEADER, "Encrypted request headers processed"); log_error(LOG_LEVEL_REQUEST, "https://%s%s", csp->http->hostport, csp->http->path); @@ -2908,12 +2975,18 @@ static void continue_https_chat(struct client_state *csp) { const struct forward_spec *fwd; - if (JB_ERR_OK != process_encrypted_request(csp)) + if (JB_ERR_OK != process_encrypted_request_headers(csp)) { csp->flags &= ~CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE; return; } +#if defined(FEATURE_STATISTICS) && defined(MUTEX_LOCKS_AVAILABLE) + privoxy_mutex_lock(&block_statistics_mutex); + number_of_requests_received++; + privoxy_mutex_unlock(&block_statistics_mutex); +#endif + csp->requests_received_total++; /* @@ -2948,6 +3021,8 @@ static void continue_https_chat(struct client_state *csp) return; } + log_applied_actions(csp->action); + log_error(LOG_LEVEL_CONNECT, "Reusing server socket %d connected to %s. Requests already sent: %u.", csp->server_connection.sfd, csp->server_connection.host, @@ -2966,6 +3041,7 @@ static void continue_https_chat(struct client_state *csp) csp->cfd); return; } + csp->server_connection.request_sent = time(NULL); csp->server_connection.requests_sent_total++; handle_established_connection(csp); freez(csp->receive_buffer); @@ -2979,7 +3055,8 @@ static void continue_https_chat(struct client_state *csp) * Function : handle_established_connection * * Description : Shuffle data between client and server once the - * connection has been established. + * connection has been established and the request + * has been sent. * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) @@ -3055,6 +3132,28 @@ static void handle_established_connection(struct client_state *csp) for (;;) { +#ifdef FEATURE_HTTPS_INSPECTION + if (server_use_ssl(csp) && is_ssl_pending(&(csp->ssl_server_attr))) + { + /* + * It's possible that the TLS library already consumed all the + * data the server intends to send. If that happens poll() and + * select() will no longer see the data as available so we have + * to skip the calls. + */ + goto server_wants_to_talk; + } + if (watch_client_socket && client_use_ssl(csp) && + is_ssl_pending(&(csp->ssl_client_attr))) + { + /* + * The TLS libray may also consume all of the remaining data + * from the client when we're shuffling the data from an + * unbuffered request body to the server. + */ + goto client_wants_to_talk; + } +#endif #ifndef HAVE_POLL FD_ZERO(&rfds); #ifdef FEATURE_CONNECTION_KEEP_ALIVE @@ -3141,7 +3240,7 @@ static void handle_established_connection(struct client_state *csp) n = select((int)maxfd + 1, &rfds, NULL, NULL, &timeout); #endif /* def HAVE_POLL */ - /*server or client not responding in timeout */ + /* Server or client not responding in timeout */ if (n == 0) { log_error(LOG_LEVEL_CONNECT, "Socket timeout %d reached: %s", @@ -3195,7 +3294,13 @@ static void handle_established_connection(struct client_state *csp) if (FD_ISSET(csp->cfd, &rfds)) #endif /* def HAVE_POLL*/ { - int max_bytes_to_read = (int)csp->receive_buffer_size; + int max_bytes_to_read; + +#ifdef FEATURE_HTTPS_INSPECTION + client_wants_to_talk: +#endif + + max_bytes_to_read = (int)csp->receive_buffer_size; #ifdef FEATURE_CONNECTION_KEEP_ALIVE if ((csp->flags & CSP_FLAG_CLIENT_REQUEST_COMPLETELY_READ)) @@ -3328,6 +3433,9 @@ static void handle_established_connection(struct client_state *csp) if (FD_ISSET(csp->server_connection.sfd, &rfds)) #endif /* HAVE_POLL */ { +#ifdef FEATURE_HTTPS_INSPECTION + server_wants_to_talk: +#endif #ifdef FEATURE_CONNECTION_KEEP_ALIVE /* * If we are buffering content, we don't want to eat up to @@ -3532,8 +3640,8 @@ static void handle_established_connection(struct client_state *csp) (const unsigned char *) ((p != NULL) ? p : csp->iob->cur), csp->content_length, get_write_delay(csp)) < 0)) { - log_error(LOG_LEVEL_ERROR, "write modified content to " - "client over TLS/SSL failed"); + log_error(LOG_LEVEL_ERROR, + "Failed to send the modified content to the client over TLS"); freez(hdr); freez(p); mark_server_socket_tainted(csp); @@ -3564,8 +3672,8 @@ static void handle_established_connection(struct client_state *csp) } /* - * This is NOT the body, so - * Let's pretend the server just sent us a blank line. + * This is not the body, so let's pretend the server just sent + * us a blank line. */ snprintf(csp->receive_buffer, csp->receive_buffer_size, "\r\n"); len = (int)strlen(csp->receive_buffer); @@ -3858,6 +3966,18 @@ static void handle_established_connection(struct client_state *csp) return; } + /* + * Disable redirect checkers, so that they will be only run + * again if the user also enables them through tags. + * + * From a performance point of view it doesn't matter, + * but it prevents duplicated log messages. + */ +#ifdef FEATURE_FAST_REDIRECTS + csp->action->flags &= ~ACTION_FAST_REDIRECTS; +#endif + csp->action->flags &= ~ACTION_REDIRECT; + /* * We have now received the entire server header, * filter it and send the result to the client @@ -4108,14 +4228,18 @@ static void chat(struct client_state *csp) { return; } + +#if defined(FEATURE_STATISTICS) && defined(MUTEX_LOCKS_AVAILABLE) + privoxy_mutex_lock(&block_statistics_mutex); + number_of_requests_received++; + privoxy_mutex_unlock(&block_statistics_mutex); +#endif + if (parse_client_request(csp) != JB_ERR_OK) { return; } - /* decide how to route the HTTP request */ - fwd = forward_url(csp, http); - #ifdef FEATURE_HTTPS_INSPECTION /* * Setting flags to use old solution with SSL tunnel and to disable @@ -4218,10 +4342,6 @@ static void chat(struct client_state *csp) #endif } - - freez(csp->headers->first->str); - build_request_line(csp, fwd, &csp->headers->first->str); - /* * We have a request. Check if one of the crunchers wants it * unless the client wants to use TLS/SSL in which case we @@ -4240,7 +4360,60 @@ static void chat(struct client_state *csp) return; } +#ifdef FEATURE_HTTPS_INSPECTION + if (client_use_ssl(csp) && !use_ssl_tunnel) + { + int ret; + /* + * Creating a SSL proxy. + * + * By sending the CSUCCEED message we're lying to the client as + * the connection hasn't actually been established yet. We don't + * establish the connection until we have seen and parsed the + * encrypted client headers. + */ + if (write_socket_delayed(csp->cfd, CSUCCEED, + strlen(CSUCCEED), get_write_delay(csp)) != 0) + { + log_error(LOG_LEVEL_ERROR, "Sending SUCCEED to client failed"); + return; + } + + ret = create_client_ssl_connection(csp); + if (ret != 0) + { + log_error(LOG_LEVEL_ERROR, + "Failed to open a secure connection with the client"); + return; + } + if (JB_ERR_OK != process_encrypted_request_headers(csp)) + { + close_client_ssl_connection(csp); + return; + } + /* + * We have an encrypted request. Check if one of the crunchers now + * wants it (for example because the previously invisible path was + * required to match). + */ + if (crunch_response_triggered(csp, crunchers_all)) + { + /* + * Yes. The client got the crunch response and we're done here. + */ + return; + } + } +#endif + log_applied_actions(csp->action); + + /* decide how to route the HTTP request */ + fwd = forward_url(csp, http); + + freez(csp->headers->first->str); + build_request_line(csp, fwd, &csp->headers->first->str); + if (fwd->forward_host) { log_error(LOG_LEVEL_CONNECT, "via [%s]:%d to: %s", @@ -4288,51 +4461,7 @@ static void chat(struct client_state *csp) mark_connection_closed(&csp->server_connection); } #endif /* def FEATURE_CONNECTION_KEEP_ALIVE */ -#ifdef FEATURE_HTTPS_INSPECTION - if (client_use_ssl(csp) && !use_ssl_tunnel) - { - int ret; - /* - * Creating a SSL proxy. - * - * By sending the CSUCCEED message we're lying to the client as - * the connection hasn't actually been established yet. We don't - * establish the connection until we have seen and parsed the - * encrypted client headers. - */ - if (write_socket_delayed(csp->cfd, CSUCCEED, - strlen(CSUCCEED), get_write_delay(csp)) != 0) - { - log_error(LOG_LEVEL_ERROR, "Sending SUCCEED to client failed"); - return; - } - ret = create_client_ssl_connection(csp); - if (ret != 0) - { - log_error(LOG_LEVEL_ERROR, - "Failed to open a secure connection with the client"); - return; - } - if (JB_ERR_OK != process_encrypted_request(csp)) - { - close_client_ssl_connection(csp); - return; - } - /* - * We have an encrypted request. Check if one of the crunchers now - * wants it (for example because the previously invisible path was - * required to match). - */ - if (crunch_response_triggered(csp, crunchers_all)) - { - /* - * Yes. The client got the crunch response and we're done here. - */ - return; - } - } -#endif /* * Connecting to destination server */ @@ -4828,6 +4957,22 @@ static void serve(struct client_state *csp) #endif close_socket(csp->server_connection.sfd); mark_connection_closed(&csp->server_connection); +#ifdef FEATURE_HTTPS_INSPECTION + if (continue_chatting && client_use_ssl(csp)) + { + /* + * Close the client socket as well as Privoxy currently + * can't establish a new server connection when the client + * socket is reused and would drop the connection in + * continue_https_chat() anyway. + */ + continue_chatting = 0; + csp->flags &= ~CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE; + log_error(LOG_LEVEL_CONNECT, + "Client socket %d is no longer usable. " + "The server socket has been closed.", csp->cfd); + } +#endif } } @@ -5164,9 +5309,12 @@ static void initialize_mutexes(void) #ifdef FEATURE_CLIENT_TAGS privoxy_mutex_init(&client_tags_mutex); #endif +#ifdef FEATURE_STATISTICS + privoxy_mutex_init(&block_statistics_mutex); +#endif #ifdef FEATURE_EXTENDED_STATISTICS privoxy_mutex_init(&filter_statistics_mutex); - privoxy_mutex_init(&block_statistics_mutex); + privoxy_mutex_init(&block_reason_statistics_mutex); #endif /* @@ -5745,15 +5893,18 @@ static jb_socket bind_port_helper(const char *haddr, int hport, int backlog) "can't bind to %s:%d: There may be another Privoxy " "or some other proxy running on port %d", bind_address, hport, hport); + exit(-1); case -2: log_error(LOG_LEVEL_FATAL, "can't bind to %s:%d: The hostname is not resolvable", bind_address, hport); + exit(-1); default: log_error(LOG_LEVEL_FATAL, "can't bind to %s:%d: %E", bind_address, hport); + exit(-1); } /* shouldn't get here */ @@ -6023,7 +6174,7 @@ static void listen_loop(void) if ((0 != config->max_client_connections) && (active_threads >= config->max_client_connections)) { - log_error(LOG_LEVEL_CONNECT, + log_error(LOG_LEVEL_ERROR, "Rejecting connection from %s. Maximum number of connections reached.", csp->ip_addr_str); write_socket_delayed(csp->cfd, TOO_MANY_CONNECTIONS_RESPONSE, @@ -6059,7 +6210,7 @@ static void listen_loop(void) } #endif -#if defined(_WIN32) && !defined(_CYGWIN) && !defined(SELECTED_ONE_OPTION) +#if defined(_WIN32) && !defined(SELECTED_ONE_OPTION) #define SELECTED_ONE_OPTION child_id = _beginthread( (void (*)(void *))serve, @@ -6193,6 +6344,8 @@ static void listen_loop(void) log_error(LOG_LEVEL_INFO, "Graceful termination requested."); + close_ports_helper(bfds); + unload_current_config_file(); unload_current_actions_file(); unload_current_re_filterfile();