1: /***************************************************************************
2: * _ _ ____ _
3: * Project ___| | | | _ \| |
4: * / __| | | | |_) | |
5: * | (__| |_| | _ <| |___
6: * \___|\___/|_| \_\_____|
7: *
8: * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
9: *
10: * This software is licensed as described in the file COPYING, which
11: * you should have received as part of this distribution. The terms
12: * are also available at https://curl.haxx.se/docs/copyright.html.
13: *
14: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15: * copies of the Software, and permit persons to whom the Software is
16: * furnished to do so, under the terms of the COPYING file.
17: *
18: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19: * KIND, either express or implied.
20: *
21: ***************************************************************************/
22:
23: #include "curl_setup.h"
24:
25: #include "http_proxy.h"
26:
27: #if !defined(CURL_DISABLE_PROXY) && !defined(CURL_DISABLE_HTTP)
28:
29: #include <curl/curl.h>
30: #include "sendf.h"
31: #include "http.h"
32: #include "url.h"
33: #include "select.h"
34: #include "progress.h"
35: #include "non-ascii.h"
36: #include "connect.h"
37: #include "curlx.h"
38: #include "vtls/vtls.h"
39:
40: /* The last 3 #include files should be in this order */
41: #include "curl_printf.h"
42: #include "curl_memory.h"
43: #include "memdebug.h"
44:
45: /*
46: * Perform SSL initialization for HTTPS proxy. Sets
47: * proxy_ssl_connected connection bit when complete. Can be
48: * called multiple times.
49: */
50: static CURLcode https_proxy_connect(struct connectdata *conn, int sockindex)
51: {
52: #ifdef USE_SSL
53: CURLcode result = CURLE_OK;
54: DEBUGASSERT(conn->http_proxy.proxytype == CURLPROXY_HTTPS);
55: if(!conn->bits.proxy_ssl_connected[sockindex]) {
56: /* perform SSL initialization for this socket */
57: result =
58: Curl_ssl_connect_nonblocking(conn, sockindex,
59: &conn->bits.proxy_ssl_connected[sockindex]);
60: if(result)
61: /* a failed connection is marked for closure to prevent (bad) re-use or
62: similar */
63: connclose(conn, "TLS handshake failed");
64: }
65: return result;
66: #else
67: (void) conn;
68: (void) sockindex;
69: return CURLE_NOT_BUILT_IN;
70: #endif
71: }
72:
73: CURLcode Curl_proxy_connect(struct connectdata *conn, int sockindex)
74: {
75: if(conn->http_proxy.proxytype == CURLPROXY_HTTPS) {
76: const CURLcode result = https_proxy_connect(conn, sockindex);
77: if(result)
78: return result;
79: if(!conn->bits.proxy_ssl_connected[sockindex])
80: return result; /* wait for HTTPS proxy SSL initialization to complete */
81: }
82:
83: if(conn->bits.tunnel_proxy && conn->bits.httpproxy) {
84: #ifndef CURL_DISABLE_PROXY
85: /* for [protocol] tunneled through HTTP proxy */
86: struct HTTP http_proxy;
87: void *prot_save;
88: const char *hostname;
89: int remote_port;
90: CURLcode result;
91:
92: /* BLOCKING */
93: /* We want "seamless" operations through HTTP proxy tunnel */
94:
95: /* Curl_proxyCONNECT is based on a pointer to a struct HTTP at the
96: * member conn->proto.http; we want [protocol] through HTTP and we have
97: * to change the member temporarily for connecting to the HTTP
98: * proxy. After Curl_proxyCONNECT we have to set back the member to the
99: * original pointer
100: *
101: * This function might be called several times in the multi interface case
102: * if the proxy's CONNECT response is not instant.
103: */
104: prot_save = conn->data->req.protop;
105: memset(&http_proxy, 0, sizeof(http_proxy));
106: conn->data->req.protop = &http_proxy;
107: connkeep(conn, "HTTP proxy CONNECT");
108:
109: /* for the secondary socket (FTP), use the "connect to host"
110: * but ignore the "connect to port" (use the secondary port)
111: */
112:
113: if(conn->bits.conn_to_host)
114: hostname = conn->conn_to_host.name;
115: else if(sockindex == SECONDARYSOCKET)
116: hostname = conn->secondaryhostname;
117: else
118: hostname = conn->host.name;
119:
120: if(sockindex == SECONDARYSOCKET)
121: remote_port = conn->secondary_port;
122: else if(conn->bits.conn_to_port)
123: remote_port = conn->conn_to_port;
124: else
125: remote_port = conn->remote_port;
126: result = Curl_proxyCONNECT(conn, sockindex, hostname, remote_port);
127: conn->data->req.protop = prot_save;
128: if(CURLE_OK != result)
129: return result;
130: Curl_safefree(conn->allocptr.proxyuserpwd);
131: #else
132: return CURLE_NOT_BUILT_IN;
133: #endif
134: }
135: /* no HTTP tunnel proxy, just return */
136: return CURLE_OK;
137: }
138:
139: bool Curl_connect_complete(struct connectdata *conn)
140: {
141: return !conn->connect_state ||
142: (conn->connect_state->tunnel_state == TUNNEL_COMPLETE);
143: }
144:
145: bool Curl_connect_ongoing(struct connectdata *conn)
146: {
147: return conn->connect_state &&
148: (conn->connect_state->tunnel_state != TUNNEL_COMPLETE);
149: }
150:
151: static CURLcode connect_init(struct connectdata *conn, bool reinit)
152: {
153: struct http_connect_state *s;
154: if(!reinit) {
155: DEBUGASSERT(!conn->connect_state);
156: s = calloc(1, sizeof(struct http_connect_state));
157: if(!s)
158: return CURLE_OUT_OF_MEMORY;
159: infof(conn->data, "allocate connect buffer!\n");
160: conn->connect_state = s;
161: }
162: else {
163: DEBUGASSERT(conn->connect_state);
164: s = conn->connect_state;
165: }
166: s->tunnel_state = TUNNEL_INIT;
167: s->keepon = TRUE;
168: s->line_start = s->connect_buffer;
169: s->ptr = s->line_start;
170: s->cl = 0;
171: s->close_connection = FALSE;
172: return CURLE_OK;
173: }
174:
175: static void connect_done(struct connectdata *conn)
176: {
177: struct http_connect_state *s = conn->connect_state;
178: s->tunnel_state = TUNNEL_COMPLETE;
179: infof(conn->data, "CONNECT phase completed!\n");
180: }
181:
182: static CURLcode CONNECT(struct connectdata *conn,
183: int sockindex,
184: const char *hostname,
185: int remote_port)
186: {
187: int subversion = 0;
188: struct Curl_easy *data = conn->data;
189: struct SingleRequest *k = &data->req;
190: CURLcode result;
191: curl_socket_t tunnelsocket = conn->sock[sockindex];
192: struct http_connect_state *s = conn->connect_state;
193:
194: #define SELECT_OK 0
195: #define SELECT_ERROR 1
196:
197: if(Curl_connect_complete(conn))
198: return CURLE_OK; /* CONNECT is already completed */
199:
200: conn->bits.proxy_connect_closed = FALSE;
201:
202: do {
203: timediff_t check;
204: if(TUNNEL_INIT == s->tunnel_state) {
205: /* BEGIN CONNECT PHASE */
206: char *host_port;
207: Curl_send_buffer *req_buffer;
208:
209: infof(data, "Establish HTTP proxy tunnel to %s:%d\n",
210: hostname, remote_port);
211:
212: /* This only happens if we've looped here due to authentication
213: reasons, and we don't really use the newly cloned URL here
214: then. Just free() it. */
215: free(data->req.newurl);
216: data->req.newurl = NULL;
217:
218: /* initialize a dynamic send-buffer */
219: req_buffer = Curl_add_buffer_init();
220:
221: if(!req_buffer)
222: return CURLE_OUT_OF_MEMORY;
223:
224: host_port = aprintf("%s:%d", hostname, remote_port);
225: if(!host_port) {
226: Curl_add_buffer_free(&req_buffer);
227: return CURLE_OUT_OF_MEMORY;
228: }
229:
230: /* Setup the proxy-authorization header, if any */
231: result = Curl_http_output_auth(conn, "CONNECT", host_port, TRUE);
232:
233: free(host_port);
234:
235: if(!result) {
236: char *host = NULL;
237: const char *proxyconn = "";
238: const char *useragent = "";
239: const char *http = (conn->http_proxy.proxytype == CURLPROXY_HTTP_1_0) ?
240: "1.0" : "1.1";
241: bool ipv6_ip = conn->bits.ipv6_ip;
242: char *hostheader;
243:
244: /* the hostname may be different */
245: if(hostname != conn->host.name)
246: ipv6_ip = (strchr(hostname, ':') != NULL);
247: hostheader = /* host:port with IPv6 support */
248: aprintf("%s%s%s:%d", ipv6_ip?"[":"", hostname, ipv6_ip?"]":"",
249: remote_port);
250: if(!hostheader) {
251: Curl_add_buffer_free(&req_buffer);
252: return CURLE_OUT_OF_MEMORY;
253: }
254:
255: if(!Curl_checkProxyheaders(conn, "Host")) {
256: host = aprintf("Host: %s\r\n", hostheader);
257: if(!host) {
258: free(hostheader);
259: Curl_add_buffer_free(&req_buffer);
260: return CURLE_OUT_OF_MEMORY;
261: }
262: }
263: if(!Curl_checkProxyheaders(conn, "Proxy-Connection"))
264: proxyconn = "Proxy-Connection: Keep-Alive\r\n";
265:
266: if(!Curl_checkProxyheaders(conn, "User-Agent") &&
267: data->set.str[STRING_USERAGENT])
268: useragent = conn->allocptr.uagent;
269:
270: result =
271: Curl_add_bufferf(&req_buffer,
272: "CONNECT %s HTTP/%s\r\n"
273: "%s" /* Host: */
274: "%s" /* Proxy-Authorization */
275: "%s" /* User-Agent */
276: "%s", /* Proxy-Connection */
277: hostheader,
278: http,
279: host?host:"",
280: conn->allocptr.proxyuserpwd?
281: conn->allocptr.proxyuserpwd:"",
282: useragent,
283: proxyconn);
284:
285: if(host)
286: free(host);
287: free(hostheader);
288:
289: if(!result)
290: result = Curl_add_custom_headers(conn, TRUE, req_buffer);
291:
292: if(!result)
293: /* CRLF terminate the request */
294: result = Curl_add_bufferf(&req_buffer, "\r\n");
295:
296: if(!result) {
297: /* Send the connect request to the proxy */
298: /* BLOCKING */
299: result =
300: Curl_add_buffer_send(&req_buffer, conn,
301: &data->info.request_size, 0, sockindex);
302: }
303: req_buffer = NULL;
304: if(result)
305: failf(data, "Failed sending CONNECT to proxy");
306: }
307:
308: Curl_add_buffer_free(&req_buffer);
309: if(result)
310: return result;
311:
312: s->tunnel_state = TUNNEL_CONNECT;
313: s->perline = 0;
314: } /* END CONNECT PHASE */
315:
316: check = Curl_timeleft(data, NULL, TRUE);
317: if(check <= 0) {
318: failf(data, "Proxy CONNECT aborted due to timeout");
319: return CURLE_OPERATION_TIMEDOUT;
320: }
321:
322: if(!Curl_conn_data_pending(conn, sockindex))
323: /* return so we'll be called again polling-style */
324: return CURLE_OK;
325:
326: /* at this point, the tunnel_connecting phase is over. */
327:
328: { /* READING RESPONSE PHASE */
329: int error = SELECT_OK;
330:
331: while(s->keepon) {
332: ssize_t gotbytes;
333:
334: /* make sure we have space to read more data */
335: if(s->ptr >= &s->connect_buffer[CONNECT_BUFFER_SIZE]) {
336: failf(data, "CONNECT response too large!");
337: return CURLE_RECV_ERROR;
338: }
339:
340: /* Read one byte at a time to avoid a race condition. Wait at most one
341: second before looping to ensure continuous pgrsUpdates. */
342: result = Curl_read(conn, tunnelsocket, s->ptr, 1, &gotbytes);
343: if(result == CURLE_AGAIN)
344: /* socket buffer drained, return */
345: return CURLE_OK;
346:
347: if(Curl_pgrsUpdate(conn))
348: return CURLE_ABORTED_BY_CALLBACK;
349:
350: if(result) {
351: s->keepon = FALSE;
352: break;
353: }
354: else if(gotbytes <= 0) {
355: if(data->set.proxyauth && data->state.authproxy.avail) {
356: /* proxy auth was requested and there was proxy auth available,
357: then deem this as "mere" proxy disconnect */
358: conn->bits.proxy_connect_closed = TRUE;
359: infof(data, "Proxy CONNECT connection closed\n");
360: }
361: else {
362: error = SELECT_ERROR;
363: failf(data, "Proxy CONNECT aborted");
364: }
365: s->keepon = FALSE;
366: break;
367: }
368:
369:
370: if(s->keepon > TRUE) {
371: /* This means we are currently ignoring a response-body */
372:
373: s->ptr = s->connect_buffer;
374: if(s->cl) {
375: /* A Content-Length based body: simply count down the counter
376: and make sure to break out of the loop when we're done! */
377: s->cl--;
378: if(s->cl <= 0) {
379: s->keepon = FALSE;
380: s->tunnel_state = TUNNEL_COMPLETE;
381: break;
382: }
383: }
384: else {
385: /* chunked-encoded body, so we need to do the chunked dance
386: properly to know when the end of the body is reached */
387: CHUNKcode r;
388: CURLcode extra;
389: ssize_t tookcareof = 0;
390:
391: /* now parse the chunked piece of data so that we can
392: properly tell when the stream ends */
393: r = Curl_httpchunk_read(conn, s->ptr, 1, &tookcareof, &extra);
394: if(r == CHUNKE_STOP) {
395: /* we're done reading chunks! */
396: infof(data, "chunk reading DONE\n");
397: s->keepon = FALSE;
398: /* we did the full CONNECT treatment, go COMPLETE */
399: s->tunnel_state = TUNNEL_COMPLETE;
400: }
401: }
402: continue;
403: }
404:
405: s->perline++; /* amount of bytes in this line so far */
406:
407: /* if this is not the end of a header line then continue */
408: if(*s->ptr != 0x0a) {
409: s->ptr++;
410: continue;
411: }
412:
413: /* convert from the network encoding */
414: result = Curl_convert_from_network(data, s->line_start,
415: (size_t)s->perline);
416: /* Curl_convert_from_network calls failf if unsuccessful */
417: if(result)
418: return result;
419:
420: /* output debug if that is requested */
421: if(data->set.verbose)
422: Curl_debug(data, CURLINFO_HEADER_IN,
423: s->line_start, (size_t)s->perline);
424:
425: if(!data->set.suppress_connect_headers) {
426: /* send the header to the callback */
427: int writetype = CLIENTWRITE_HEADER;
428: if(data->set.include_header)
429: writetype |= CLIENTWRITE_BODY;
430:
431: result = Curl_client_write(conn, writetype,
432: s->line_start, s->perline);
433: if(result)
434: return result;
435: }
436:
437: data->info.header_size += (long)s->perline;
438: data->req.headerbytecount += (long)s->perline;
439:
440: /* Newlines are CRLF, so the CR is ignored as the line isn't
441: really terminated until the LF comes. Treat a following CR
442: as end-of-headers as well.*/
443:
444: if(('\r' == s->line_start[0]) ||
445: ('\n' == s->line_start[0])) {
446: /* end of response-headers from the proxy */
447: s->ptr = s->connect_buffer;
448: if((407 == k->httpcode) && !data->state.authproblem) {
449: /* If we get a 407 response code with content length
450: when we have no auth problem, we must ignore the
451: whole response-body */
452: s->keepon = 2;
453:
454: if(s->cl) {
455: infof(data, "Ignore %" CURL_FORMAT_CURL_OFF_T
456: " bytes of response-body\n", s->cl);
457: }
458: else if(s->chunked_encoding) {
459: CHUNKcode r;
460: CURLcode extra;
461:
462: infof(data, "Ignore chunked response-body\n");
463:
464: /* We set ignorebody true here since the chunked
465: decoder function will acknowledge that. Pay
466: attention so that this is cleared again when this
467: function returns! */
468: k->ignorebody = TRUE;
469:
470: if(s->line_start[1] == '\n') {
471: /* this can only be a LF if the letter at index 0
472: was a CR */
473: s->line_start++;
474: }
475:
476: /* now parse the chunked piece of data so that we can
477: properly tell when the stream ends */
478: r = Curl_httpchunk_read(conn, s->line_start + 1, 1, &gotbytes,
479: &extra);
480: if(r == CHUNKE_STOP) {
481: /* we're done reading chunks! */
482: infof(data, "chunk reading DONE\n");
483: s->keepon = FALSE;
484: /* we did the full CONNECT treatment, go to COMPLETE */
485: s->tunnel_state = TUNNEL_COMPLETE;
486: }
487: }
488: else {
489: /* without content-length or chunked encoding, we
490: can't keep the connection alive since the close is
491: the end signal so we bail out at once instead */
492: s->keepon = FALSE;
493: }
494: }
495: else
496: s->keepon = FALSE;
497: if(!s->cl)
498: /* we did the full CONNECT treatment, go to COMPLETE */
499: s->tunnel_state = TUNNEL_COMPLETE;
500: continue;
501: }
502:
503: s->line_start[s->perline] = 0; /* zero terminate the buffer */
504: if((checkprefix("WWW-Authenticate:", s->line_start) &&
505: (401 == k->httpcode)) ||
506: (checkprefix("Proxy-authenticate:", s->line_start) &&
507: (407 == k->httpcode))) {
508:
509: bool proxy = (k->httpcode == 407) ? TRUE : FALSE;
510: char *auth = Curl_copy_header_value(s->line_start);
511: if(!auth)
512: return CURLE_OUT_OF_MEMORY;
513:
514: result = Curl_http_input_auth(conn, proxy, auth);
515:
516: free(auth);
517:
518: if(result)
519: return result;
520: }
521: else if(checkprefix("Content-Length:", s->line_start)) {
522: if(k->httpcode/100 == 2) {
523: /* A client MUST ignore any Content-Length or Transfer-Encoding
524: header fields received in a successful response to CONNECT.
525: "Successful" described as: 2xx (Successful). RFC 7231 4.3.6 */
526: infof(data, "Ignoring Content-Length in CONNECT %03d response\n",
527: k->httpcode);
528: }
529: else {
530: (void)curlx_strtoofft(s->line_start +
531: strlen("Content-Length:"), NULL, 10, &s->cl);
532: }
533: }
534: else if(Curl_compareheader(s->line_start, "Connection:", "close"))
535: s->close_connection = TRUE;
536: else if(checkprefix("Transfer-Encoding:", s->line_start)) {
537: if(k->httpcode/100 == 2) {
538: /* A client MUST ignore any Content-Length or Transfer-Encoding
539: header fields received in a successful response to CONNECT.
540: "Successful" described as: 2xx (Successful). RFC 7231 4.3.6 */
541: infof(data, "Ignoring Transfer-Encoding in "
542: "CONNECT %03d response\n", k->httpcode);
543: }
544: else if(Curl_compareheader(s->line_start,
545: "Transfer-Encoding:", "chunked")) {
546: infof(data, "CONNECT responded chunked\n");
547: s->chunked_encoding = TRUE;
548: /* init our chunky engine */
549: Curl_httpchunk_init(conn);
550: }
551: }
552: else if(Curl_compareheader(s->line_start,
553: "Proxy-Connection:", "close"))
554: s->close_connection = TRUE;
555: else if(2 == sscanf(s->line_start, "HTTP/1.%d %d",
556: &subversion,
557: &k->httpcode)) {
558: /* store the HTTP code from the proxy */
559: data->info.httpproxycode = k->httpcode;
560: }
561:
562: s->perline = 0; /* line starts over here */
563: s->ptr = s->connect_buffer;
564: s->line_start = s->ptr;
565: } /* while there's buffer left and loop is requested */
566:
567: if(Curl_pgrsUpdate(conn))
568: return CURLE_ABORTED_BY_CALLBACK;
569:
570: if(error)
571: return CURLE_RECV_ERROR;
572:
573: if(data->info.httpproxycode/100 != 2) {
574: /* Deal with the possibly already received authenticate
575: headers. 'newurl' is set to a new URL if we must loop. */
576: result = Curl_http_auth_act(conn);
577: if(result)
578: return result;
579:
580: if(conn->bits.close)
581: /* the connection has been marked for closure, most likely in the
582: Curl_http_auth_act() function and thus we can kill it at once
583: below */
584: s->close_connection = TRUE;
585: }
586:
587: if(s->close_connection && data->req.newurl) {
588: /* Connection closed by server. Don't use it anymore */
589: Curl_closesocket(conn, conn->sock[sockindex]);
590: conn->sock[sockindex] = CURL_SOCKET_BAD;
591: break;
592: }
593: } /* END READING RESPONSE PHASE */
594:
595: /* If we are supposed to continue and request a new URL, which basically
596: * means the HTTP authentication is still going on so if the tunnel
597: * is complete we start over in INIT state */
598: if(data->req.newurl && (TUNNEL_COMPLETE == s->tunnel_state)) {
599: connect_init(conn, TRUE); /* reinit */
600: }
601:
602: } while(data->req.newurl);
603:
604: if(data->info.httpproxycode/100 != 2) {
605: if(s->close_connection && data->req.newurl) {
606: conn->bits.proxy_connect_closed = TRUE;
607: infof(data, "Connect me again please\n");
608: connect_done(conn);
609: }
610: else {
611: free(data->req.newurl);
612: data->req.newurl = NULL;
613: /* failure, close this connection to avoid re-use */
614: streamclose(conn, "proxy CONNECT failure");
615: Curl_closesocket(conn, conn->sock[sockindex]);
616: conn->sock[sockindex] = CURL_SOCKET_BAD;
617: }
618:
619: /* to back to init state */
620: s->tunnel_state = TUNNEL_INIT;
621:
622: if(conn->bits.proxy_connect_closed)
623: /* this is not an error, just part of the connection negotiation */
624: return CURLE_OK;
625: failf(data, "Received HTTP code %d from proxy after CONNECT",
626: data->req.httpcode);
627: return CURLE_RECV_ERROR;
628: }
629:
630: s->tunnel_state = TUNNEL_COMPLETE;
631:
632: /* If a proxy-authorization header was used for the proxy, then we should
633: make sure that it isn't accidentally used for the document request
634: after we've connected. So let's free and clear it here. */
635: Curl_safefree(conn->allocptr.proxyuserpwd);
636: conn->allocptr.proxyuserpwd = NULL;
637:
638: data->state.authproxy.done = TRUE;
639: data->state.authproxy.multipass = FALSE;
640:
641: infof(data, "Proxy replied %d to CONNECT request\n",
642: data->info.httpproxycode);
643: data->req.ignorebody = FALSE; /* put it (back) to non-ignore state */
644: conn->bits.rewindaftersend = FALSE; /* make sure this isn't set for the
645: document request */
646: return CURLE_OK;
647: }
648:
649: void Curl_connect_free(struct Curl_easy *data)
650: {
651: struct connectdata *conn = data->conn;
652: struct http_connect_state *s = conn->connect_state;
653: if(s) {
654: free(s);
655: conn->connect_state = NULL;
656: }
657: }
658:
659: /*
660: * Curl_proxyCONNECT() requires that we're connected to a HTTP proxy. This
661: * function will issue the necessary commands to get a seamless tunnel through
662: * this proxy. After that, the socket can be used just as a normal socket.
663: */
664:
665: CURLcode Curl_proxyCONNECT(struct connectdata *conn,
666: int sockindex,
667: const char *hostname,
668: int remote_port)
669: {
670: CURLcode result;
671: if(!conn->connect_state) {
672: result = connect_init(conn, FALSE);
673: if(result)
674: return result;
675: }
676: result = CONNECT(conn, sockindex, hostname, remote_port);
677:
678: if(result || Curl_connect_complete(conn))
679: connect_done(conn);
680:
681: return result;
682: }
683:
684: #else
685: void Curl_connect_free(struct Curl_easy *data)
686: {
687: (void)data;
688: }
689:
690: #endif /* CURL_DISABLE_PROXY */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to http_proxy.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib