X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=jcc.c;h=a5e561f5e69bd9b9c166077014cd6a45642e3fd4;hp=bb57dedb5fc9acfc0785c214f3717ac183d07c76;hb=aa5ec3cea82a006dbc031c8fdde5a26fcefa2c18;hpb=ec6182134a54004b5d159eb58fafbea88ad4b5d7 diff --git a/jcc.c b/jcc.c index bb57dedb..a5e561f5 100644 --- a/jcc.c +++ b/jcc.c @@ -5,7 +5,7 @@ * Purpose : Main file. Contains main() method, main loop, and * the main connection-handling function. * - * Copyright : Written by and Copyright (C) 2001-2020 the + * Copyright : Written by and Copyright (C) 2001-2021 the * Privoxy team. https://www.privoxy.org/ * * Based on the Internet Junkbuster originally written @@ -559,8 +559,6 @@ static int client_has_unsupported_expectations(const struct client_state *csp) *********************************************************************/ static jb_err get_request_destination_elsewhere(struct client_state *csp, struct list *headers) { - char *req; - if (!(csp->config->feature_flags & RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS)) { log_error(LOG_LEVEL_ERROR, "%s's request: \'%s\' is invalid." @@ -587,15 +585,12 @@ static jb_err get_request_destination_elsewhere(struct client_state *csp, struct { /* We can't work without destination. Go spread the news.*/ - req = list_to_text(headers); - chomp(req); /* XXX: Use correct size */ log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 400 0", csp->ip_addr_str, csp->http->cmd); log_error(LOG_LEVEL_ERROR, - "Privoxy was unable to get the destination for %s's request:\n%s\n%s", - csp->ip_addr_str, csp->http->cmd, req); - freez(req); + "Privoxy was unable to get the destination for %s's request: %s", + csp->ip_addr_str, csp->http->cmd); write_socket_delayed(csp->cfd, MISSING_DESTINATION_RESPONSE, strlen(MISSING_DESTINATION_RESPONSE), get_write_delay(csp)); @@ -973,8 +968,8 @@ static int crunch_response_triggered(struct client_state *csp, const struct crun * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) - * 2 : fwd = The forwarding spec used for the request - * XXX: Should use http->fwd instead. + * 2 : fwd = The forwarding spec used for the request. + * Can be NULL. * 3 : request_line = The old request line which will be replaced. * * Returns : Nothing. Terminates in case of memory problems. @@ -1002,7 +997,7 @@ static void build_request_line(struct client_state *csp, const struct forward_sp *request_line = strdup(http->gpc); string_append(request_line, " "); - if (fwd->forward_host && fwd->type != FORWARD_WEBSERVER) + if (fwd != NULL && fwd->forward_host && fwd->type != FORWARD_WEBSERVER) { string_append(request_line, http->url); } @@ -1994,6 +1989,142 @@ static jb_err parse_client_request(struct client_state *csp) } +/********************************************************************* + * + * Function : read_http_request_body + * + * Description : Reads remaining request body from the client. + * + * Parameters : + * 1 : csp = Current client state (buffers, headers, etc...) + * + * Returns : 0 on success, anything else is an error. + * + *********************************************************************/ +static int read_http_request_body(struct client_state *csp) +{ + size_t to_read = csp->expected_client_content_length; + int len; + + assert(to_read != 0); + + /* check if all data has been already read */ + if (to_read <= (csp->client_iob->eod - csp->client_iob->cur)) + { + return 0; + } + + for (to_read -= (size_t)(csp->client_iob->eod - csp->client_iob->cur); + to_read > 0 && data_is_available(csp->cfd, csp->config->socket_timeout); + to_read -= (unsigned)len) + { + char buf[BUFFER_SIZE]; + size_t max_bytes_to_read = to_read < sizeof(buf) ? to_read : sizeof(buf); + + log_error(LOG_LEVEL_CONNECT, + "Waiting for up to %d bytes of request body from the client.", + max_bytes_to_read); + len = read_socket(csp->cfd, buf, (int)max_bytes_to_read); + if (len <= -1) + { + log_error(LOG_LEVEL_CONNECT, "Failed receiving request body from %s: %E", csp->ip_addr_str); + return 1; + } + if (add_to_iob(csp->client_iob, csp->config->buffer_limit, (char *)buf, len)) + { + return 1; + } + assert(to_read >= len); + } + + if (to_read != 0) + { + log_error(LOG_LEVEL_CONNECT, "Not enough request body has been read: expected %d more bytes", + csp->expected_client_content_length); + return 1; + } + log_error(LOG_LEVEL_CONNECT, "The last %d bytes of the request body have been read", + csp->expected_client_content_length); + return 0; +} + + +/********************************************************************* + * + * Function : update_client_headers + * + * Description : Updates the HTTP headers from the client request. + * + * Parameters : + * 1 : csp = Current client state (buffers, headers, etc...) + * 2 : new_content_length = new content length value to set + * + * Returns : 0 on success, anything else is an error. + * + *********************************************************************/ +static int update_client_headers(struct client_state *csp, size_t new_content_length) +{ + static const char content_length[] = "Content-Length:"; + int updated = 0; + struct list_entry *p; + +#ifndef FEATURE_HTTPS_INSPECTION + for (p = csp->headers->first; +#else + for (p = csp->http->client_ssl ? csp->https_headers->first : csp->headers->first; +#endif + !updated && (p != NULL); p = p->next) + { + /* Header crunch()ed in previous run? -> ignore */ + if (p->str == NULL) + { + continue; + } + + /* Does the current parser handle this header? */ + if (0 == strncmpic(p->str, content_length, sizeof(content_length) - 1)) + { + updated = (JB_ERR_OK == header_adjust_content_length((char **)&(p->str), new_content_length)); + if (!updated) + { + return 1; + } + } + } + + return !updated; +} + + +/********************************************************************* + * + * Function : can_filter_request_body + * + * Description : Checks if the current request body can be stored in + * the client_iob without hitting buffer limit. + * + * Parameters : + * 1 : csp = Current client state (buffers, headers, etc...) + * + * Returns : TRUE if the current request size do not exceed buffer limit + * FALSE otherwise. + * + *********************************************************************/ +static int can_filter_request_body(const struct client_state *csp) +{ + if (!can_add_to_iob(csp->client_iob, csp->config->buffer_limit, + csp->expected_client_content_length)) + { + log_error(LOG_LEVEL_INFO, + "Not filtering request body from %s: buffer limit %d will be exceeded " + "(content length %d)", csp->ip_addr_str, csp->config->buffer_limit, + csp->expected_client_content_length); + return FALSE; + } + return TRUE; +} + + /********************************************************************* * * Function : send_http_request @@ -2011,6 +2142,32 @@ static int send_http_request(struct client_state *csp) { char *hdr; int write_failure; + const char *to_send; + size_t to_send_len; + int filter_client_body = csp->expected_client_content_length != 0 && + client_body_filters_enabled(csp->action) && can_filter_request_body(csp); + + if (filter_client_body) + { + if (read_http_request_body(csp)) + { + return 1; + } + to_send_len = csp->expected_client_content_length; + to_send = execute_client_body_filters(csp, &to_send_len); + if (to_send == NULL) + { + /* just flush client_iob */ + filter_client_body = FALSE; + } + else if (to_send_len != csp->expected_client_content_length && + update_client_headers(csp, to_send_len)) + { + log_error(LOG_LEVEL_HEADER, "Error updating client headers"); + return 1; + } + csp->expected_client_content_length = 0; + } hdr = list_to_text(csp->headers); if (hdr == NULL) @@ -2031,26 +2188,100 @@ static int send_http_request(struct client_state *csp) { log_error(LOG_LEVEL_CONNECT, "Failed sending request headers to: %s: %E", csp->http->hostport); + return 1; } - else if (((csp->flags & CSP_FLAG_PIPELINED_REQUEST_WAITING) == 0) + + if (filter_client_body) + { + write_failure = 0 != write_socket(csp->server_connection.sfd, to_send, to_send_len); + freez(to_send); + if (write_failure) + { + log_error(LOG_LEVEL_CONNECT, "Failed sending filtered request body to: %s: %E", + csp->http->hostport); + return 1; + } + } + + if (((csp->flags & CSP_FLAG_PIPELINED_REQUEST_WAITING) == 0) && (flush_iob(csp->server_connection.sfd, csp->client_iob, 0) < 0)) { - write_failure = 1; log_error(LOG_LEVEL_CONNECT, "Failed sending request body to: %s: %E", csp->http->hostport); + return 1; + } + return 0; +} + + +#ifdef FEATURE_HTTPS_INSPECTION +/********************************************************************* + * + * Function : read_https_request_body + * + * Description : Reads remaining request body from the client. + * + * Parameters : + * 1 : csp = Current client state (buffers, headers, etc...) + * + * Returns : 0 on success, anything else is an error. + * + *********************************************************************/ +static int read_https_request_body(struct client_state *csp) +{ + size_t to_read = csp->expected_client_content_length; + int len; + + assert(to_read != 0); + + /* check if all data has been already read */ + if (to_read <= (csp->client_iob->eod - csp->client_iob->cur)) + { + return 0; + } + + for (to_read -= (size_t)(csp->client_iob->eod - csp->client_iob->cur); + to_read > 0 && (is_ssl_pending(&(csp->ssl_client_attr)) || + data_is_available(csp->cfd, csp->config->socket_timeout)); + to_read -= (unsigned)len) + { + unsigned char buf[BUFFER_SIZE]; + size_t max_bytes_to_read = to_read < sizeof(buf) ? to_read : sizeof(buf); + + log_error(LOG_LEVEL_CONNECT, + "Waiting for up to %d bytes of request body from the client.", + max_bytes_to_read); + len = ssl_recv_data(&(csp->ssl_client_attr), buf, + (unsigned)max_bytes_to_read); + if (len <= 0) + { + log_error(LOG_LEVEL_CONNECT, "Failed receiving request body from %s", csp->ip_addr_str); + return 1; + } + if (add_to_iob(csp->client_iob, csp->config->buffer_limit, (char *)buf, len)) + { + return 1; + } + assert(to_read >= len); } - return write_failure; + if (to_read != 0) + { + log_error(LOG_LEVEL_CONNECT, "Not enough request body has been read: expected %d more bytes", to_read); + return 1; + } + log_error(LOG_LEVEL_CONNECT, "The last %d bytes of the request body have been read", + csp->expected_client_content_length); + return 0; } -#ifdef FEATURE_HTTPS_INSPECTION /********************************************************************* * * Function : receive_and_send_encrypted_post_data * - * Description : Reads remaining POST data from the client and sends + * Description : Reads remaining request body from the client and sends * it to the server. * * Parameters : @@ -2075,7 +2306,7 @@ static int receive_and_send_encrypted_post_data(struct client_state *csp) max_bytes_to_read = (int)csp->expected_client_content_length; } log_error(LOG_LEVEL_CONNECT, - "Waiting for up to %d bytes of POST data from the client.", + "Waiting for up to %d bytes of request body from the client.", max_bytes_to_read); len = ssl_recv_data(&(csp->ssl_client_attr), buf, (unsigned)max_bytes_to_read); @@ -2088,7 +2319,7 @@ static int receive_and_send_encrypted_post_data(struct client_state *csp) /* XXX: Does this actually happen? */ break; } - log_error(LOG_LEVEL_CONNECT, "Forwarding %d bytes of encrypted POST data", + log_error(LOG_LEVEL_CONNECT, "Forwarding %d bytes of encrypted request body", len); len = ssl_send_data(&(csp->ssl_server_attr), buf, (size_t)len); if (len == -1) @@ -2109,7 +2340,7 @@ static int receive_and_send_encrypted_post_data(struct client_state *csp) } } - log_error(LOG_LEVEL_CONNECT, "Done forwarding encrypted POST data"); + log_error(LOG_LEVEL_CONNECT, "Done forwarding encrypted request body"); return 0; @@ -2134,6 +2365,32 @@ static int send_https_request(struct client_state *csp) char *hdr; int ret; long flushed = 0; + const char *to_send; + size_t to_send_len; + int filter_client_body = csp->expected_client_content_length != 0 && + client_body_filters_enabled(csp->action) && can_filter_request_body(csp); + + if (filter_client_body) + { + if (read_https_request_body(csp)) + { + return 1; + } + to_send_len = csp->expected_client_content_length; + to_send = execute_client_body_filters(csp, &to_send_len); + if (to_send == NULL) + { + /* just flush client_iob */ + filter_client_body = FALSE; + } + else if (to_send_len != csp->expected_client_content_length && + update_client_headers(csp, to_send_len)) + { + log_error(LOG_LEVEL_HEADER, "Error updating client headers"); + return 1; + } + csp->expected_client_content_length = 0; + } hdr = list_to_text(csp->https_headers); if (hdr == NULL) @@ -2160,6 +2417,18 @@ static int send_https_request(struct client_state *csp) return 1; } + if (filter_client_body) + { + ret = ssl_send_data(&(csp->ssl_server_attr), (const unsigned char *)to_send, to_send_len); + freez(to_send); + if (ret < 0) + { + log_error(LOG_LEVEL_CONNECT, "Failed sending filtered request body to: %s", + csp->http->hostport); + return 1; + } + } + if (((csp->flags & CSP_FLAG_PIPELINED_REQUEST_WAITING) == 0) && ((flushed = ssl_flush_socket(&(csp->ssl_server_attr), csp->client_iob)) < 0)) @@ -2259,6 +2528,95 @@ static jb_err receive_encrypted_request(struct client_state *csp) } +/********************************************************************* + * + * Function : change_encrypted_request_destination + * + * Description : Parse a (rewritten) request line from an encrypted + * request and regenerate the http request data. + * + * Parameters : + * 1 : csp = Current client state (buffers, headers, etc...) + * + * Returns : Forwards the parse_http_request() return code. + * Terminates in case of memory problems. + * + *********************************************************************/ +static jb_err change_encrypted_request_destination(struct client_state *csp) +{ + jb_err err; + char *original_host = csp->http->host; + + log_error(LOG_LEVEL_REDIRECTS, "Rewrite detected: %s", + csp->https_headers->first->str); + csp->http->host = NULL; + free_http_request(csp->http); + err = parse_http_request(csp->https_headers->first->str, csp->http); + if (JB_ERR_OK != err) + { + log_error(LOG_LEVEL_ERROR, "Couldn't parse rewritten request: %s.", + jb_err_to_string(err)); + return err; + } + + if (csp->http->host == NULL) + { + /* + * The rewritten request line did not specify a host + * which means we can use the original host specified + * by the client. + */ + csp->http->host = original_host; + log_error(LOG_LEVEL_REDIRECTS, "Keeping the original host: %s", + csp->http->host); + /* + * If the rewritten request line didn't contain a host + * it also didn't contain a port so we can reuse the host + * and set the port to 443. + */ + freez(csp->http->hostport); + csp->http->hostport = strdup_or_die(csp->http->host); + csp->http->port = 443; + /* + * While the request line didn't mention it, + * we're https-inspecting and want to speak TLS + * with the server. + */ + csp->http->server_ssl = 1; + csp->http->ssl = 1; + } + else + { + /* The rewrite filter added a host so we can ditch the original */ + freez(original_host); + csp->http->server_ssl = csp->http->ssl; + } + + csp->http->client_ssl = 1; + + freez(csp->https_headers->first->str); + build_request_line(csp, NULL, &csp->https_headers->first->str); + + if (!server_use_ssl(csp)) + { + log_error(LOG_LEVEL_REDIRECTS, + "Rewritten request line results in downgrade to http"); + /* + * Replace the unencryptd headers received with the + * CONNECT request with the ones we received securely. + */ + destroy_list(csp->headers); + csp->headers->first = csp->https_headers->first; + csp->headers->last = csp->https_headers->last; + csp->https_headers->first = NULL; + csp->https_headers->last = NULL; + } + + return JB_ERR_OK; + +} + + /********************************************************************* * * Function : process_encrypted_request @@ -2440,6 +2798,17 @@ static jb_err process_encrypted_request(struct client_state *csp) return JB_ERR_PARSE; } + if ((NULL == csp->https_headers->first->str) + || (strcmp(csp->http->cmd, csp->https_headers->first->str) && + (JB_ERR_OK != change_encrypted_request_destination(csp)))) + { + log_error(LOG_LEVEL_ERROR, + "Failed to get the request destination in the rewritten headers"); + ssl_send_data_delayed(&(csp->ssl_client_attr), + (const unsigned char *)CHEADER, strlen(CHEADER), get_write_delay(csp)); + return JB_ERR_PARSE; + } + log_error(LOG_LEVEL_HEADER, "Encrypted request processed"); log_applied_actions(csp->action); log_error(LOG_LEVEL_REQUEST, "https://%s%s", csp->http->hostport, @@ -2841,6 +3210,37 @@ static void handle_established_connection(struct client_state *csp) #ifdef FEATURE_HTTPS_INSPECTION if (client_use_ssl(csp)) { + if (csp->http->status == 101) + { + len = ssl_recv_data(&(csp->ssl_client_attr), + (unsigned char *)csp->receive_buffer, + (size_t)max_bytes_to_read); + if (len == -1) + { + log_error(LOG_LEVEL_ERROR, "Failed to receive data " + "on client socket %d for an upgraded connection", + csp->cfd); + break; + } + if (len == 0) + { + log_error(LOG_LEVEL_CONNECT, "Done receiving data " + "on client socket %d for an upgraded connection", + csp->cfd); + break; + } + byte_count += (unsigned long long)len; + len = ssl_send_data(&(csp->ssl_server_attr), + (unsigned char *)csp->receive_buffer, (size_t)len); + if (len == -1) + { + log_error(LOG_LEVEL_ERROR, "Failed to send data " + "on server socket %d for an upgraded connection", + csp->server_connection.sfd); + break; + } + continue; + } log_error(LOG_LEVEL_CONNECT, "Breaking with TLS/SSL."); break; } @@ -3694,7 +4094,7 @@ static void chat(struct client_state *csp) use_ssl_tunnel = 1; } - if (http->ssl && csp->action->flags & ACTION_IGNORE_CERTIFICATE_ERRORS) + if (http->ssl && (csp->action->flags & ACTION_IGNORE_CERTIFICATE_ERRORS)) { csp->dont_verify_certificate = 1; } @@ -3856,7 +4256,7 @@ static void chat(struct client_state *csp) } #endif /* def FEATURE_CONNECTION_KEEP_ALIVE */ #ifdef FEATURE_HTTPS_INSPECTION - if (http->ssl && !use_ssl_tunnel) + if (client_use_ssl(csp) && !use_ssl_tunnel) { int ret; /* @@ -5156,7 +5556,10 @@ int main(int argc, char **argv) } #endif - chdir("/"); + if (chdir("/") != 0) + { + log_error(LOG_LEVEL_FATAL, "Failed to cd into '/': %E"); + } } /* -END- if (daemon_mode) */