2 This file is part of GNUnet.
3 Copyright (C) 2012-2014 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
16 * @author Martin Schanzenbach
17 * @author Christian Grothoff
18 * @file src/gns/gnunet-gns-proxy.c
19 * @brief HTTP(S) proxy that rewrites URIs and fakes certificats to make GNS work
20 * with legacy browsers
23 * - double-check queueing logic
26 #include <microhttpd.h>
28 #include <curl/curl.h>
29 #elif HAVE_GNURL_CURL_H
30 #include <gnurl/curl.h>
32 #include <gnutls/gnutls.h>
33 #include <gnutls/x509.h>
34 #include <gnutls/abstract.h>
35 #include <gnutls/crypto.h>
37 #include <gnutls/dane.h>
40 #include "gnunet_util_lib.h"
41 #include "gnunet_gns_service.h"
42 #include "gnunet_identity_service.h"
47 * FIXME: GnuTLS right now sometimes rejects valid certs, so as a
48 * VERY temporary workaround we just WARN the user instead of
49 * dropping the page. THIS SHOULD NOT BE USED IN PRODUCTION,
50 * set to 1 in production!!! FIXME!!!
52 #define FIXED_CERT_VALIDATION_BUG 0
56 * Default Socks5 listen port.
58 #define GNUNET_GNS_PROXY_PORT 7777
61 * Maximum supported length for a URI.
62 * Should die. @deprecated
64 #define MAX_HTTP_URI_LENGTH 2048
67 * Size of the buffer for the data upload / download. Must be
68 * enough for curl, thus CURL_MAX_WRITE_SIZE is needed here (16k).
70 #define IO_BUFFERSIZE CURL_MAX_WRITE_SIZE
73 * Size of the read/write buffers for Socks. Uses
74 * 256 bytes for the hostname (at most), plus a few
75 * bytes overhead for the messages.
77 #define SOCKS_BUFFERSIZE (256 + 32)
80 * Port for plaintext HTTP.
87 #define HTTPS_PORT 443
90 * Largest allowed size for a PEM certificate.
92 #define MAX_PEM_SIZE (10 * 1024)
95 * After how long do we clean up unused MHD TLS instances?
97 #define MHD_CACHE_TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MINUTES, 5)
100 * After how long do we clean up Socks5 handles that failed to show any activity
101 * with their respective MHD instance?
103 #define HTTP_HANDSHAKE_TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 15)
109 * @param level log level
110 * @param fun name of curl_easy-function that gave the error
111 * @param rc return code from curl
113 #define LOG_CURL_EASY(level,fun,rc) \
115 _("%s failed at %s:%d: `%s'\n"), \
119 curl_easy_strerror (rc))
122 /* *************** Socks protocol definitions (move to TUN?) ****************** */
125 * Which SOCKS version do we speak?
127 #define SOCKS_VERSION_5 0x05
130 * Flag to set for 'no authentication'.
132 #define SOCKS_AUTH_NONE 0
136 * Commands in Socks5.
141 * Establish TCP/IP stream.
143 SOCKS5_CMD_TCP_STREAM = 1,
146 * Establish TCP port binding.
148 SOCKS5_CMD_TCP_PORT = 2,
151 * Establish UDP port binding.
153 SOCKS5_CMD_UDP_PORT = 3
158 * Address types in Socks5.
160 enum Socks5AddressType
170 SOCKS5_AT_DOMAINNAME = 3,
181 * Status codes in Socks5 response.
183 enum Socks5StatusCode
185 SOCKS5_STATUS_REQUEST_GRANTED = 0,
186 SOCKS5_STATUS_GENERAL_FAILURE = 1,
187 SOCKS5_STATUS_CONNECTION_NOT_ALLOWED_BY_RULE = 2,
188 SOCKS5_STATUS_NETWORK_UNREACHABLE = 3,
189 SOCKS5_STATUS_HOST_UNREACHABLE = 4,
190 SOCKS5_STATUS_CONNECTION_REFUSED_BY_HOST = 5,
191 SOCKS5_STATUS_TTL_EXPIRED = 6,
192 SOCKS5_STATUS_COMMAND_NOT_SUPPORTED = 7,
193 SOCKS5_STATUS_ADDRESS_TYPE_NOT_SUPPORTED = 8
198 * Client hello in Socks5 protocol.
200 struct Socks5ClientHelloMessage
203 * Should be #SOCKS_VERSION_5.
208 * How many authentication methods does the client support.
210 uint8_t num_auth_methods;
212 /* followed by supported authentication methods, 1 byte per method */
218 * Server hello in Socks5 protocol.
220 struct Socks5ServerHelloMessage
223 * Should be #SOCKS_VERSION_5.
228 * Chosen authentication method, for us always #SOCKS_AUTH_NONE,
229 * which skips the authentication step.
236 * Client socks request in Socks5 protocol.
238 struct Socks5ClientRequestMessage
241 * Should be #SOCKS_VERSION_5.
246 * Command code, we only uspport #SOCKS5_CMD_TCP_STREAM.
251 * Reserved, always zero.
256 * Address type, an `enum Socks5AddressType`.
261 * Followed by either an ip4/ipv6 address or a domain name with a
262 * length field (uint8_t) in front (depending on @e addr_type).
263 * followed by port number in network byte order (uint16_t).
269 * Server response to client requests in Socks5 protocol.
271 struct Socks5ServerResponseMessage
274 * Should be #SOCKS_VERSION_5.
279 * Status code, an `enum Socks5StatusCode`
289 * Address type, an `enum Socks5AddressType`.
294 * Followed by either an ip4/ipv6 address or a domain name with a
295 * length field (uint8_t) in front (depending on @e addr_type).
296 * followed by port number in network byte order (uint16_t).
303 /* *********************** Datastructures for HTTP handling ****************** */
306 * A structure for CA cert/key
313 gnutls_x509_crt_t cert;
318 gnutls_x509_privkey_t key;
323 * Structure for GNS certificates
325 struct ProxyGNSCertificate
328 * The certificate as PEM
330 char cert[MAX_PEM_SIZE];
333 * The private key as PEM
335 char key[MAX_PEM_SIZE];
341 * A structure for all running Httpds
348 struct MhdHttpList *prev;
353 struct MhdHttpList *next;
356 * the domain name to server (only important for TLS)
363 struct MHD_Daemon *daemon;
366 * Optional proxy certificate used
368 struct ProxyGNSCertificate *proxy_cert;
373 struct GNUNET_SCHEDULER_Task *httpd_task;
376 * is this an ssl daemon?
383 /* ***************** Datastructures for Socks handling **************** */
392 * We're waiting to get the client hello.
397 * We're waiting to get the initial request.
402 * We are currently resolving the destination.
407 * We're in transfer mode.
409 SOCKS5_DATA_TRANSFER,
412 * Finish writing the write buffer, then clean up.
414 SOCKS5_WRITE_THEN_CLEANUP,
417 * Socket has been passed to MHD, do not close it anymore.
419 SOCKS5_SOCKET_WITH_MHD,
422 * We've started receiving upload data from MHD.
424 SOCKS5_SOCKET_UPLOAD_STARTED,
427 * We've finished receiving upload data from MHD.
429 SOCKS5_SOCKET_UPLOAD_DONE,
432 * We've finished uploading data via CURL and can now download.
434 SOCKS5_SOCKET_DOWNLOAD_STARTED,
437 * We've finished receiving download data from cURL.
439 SOCKS5_SOCKET_DOWNLOAD_DONE
446 struct HttpResponseHeader
451 struct HttpResponseHeader *next;
456 struct HttpResponseHeader *prev;
470 * A structure for socks requests
478 struct Socks5Request *next;
483 struct Socks5Request *prev;
488 struct GNUNET_NETWORK_Handle *sock;
491 * Handle to GNS lookup, during #SOCKS5_RESOLVING phase.
493 struct GNUNET_GNS_LookupWithTldRequest *gns_lookup;
496 * Client socket read task
498 struct GNUNET_SCHEDULER_Task *rtask;
501 * Client socket write task
503 struct GNUNET_SCHEDULER_Task *wtask;
508 struct GNUNET_SCHEDULER_Task *timeout_task;
513 char rbuf[SOCKS_BUFFERSIZE];
518 char wbuf[SOCKS_BUFFERSIZE];
521 * Buffer we use for moving data between MHD and curl (in both directions).
523 char io_buf[IO_BUFFERSIZE];
526 * MHD HTTP instance handling this request, NULL for none.
528 struct MhdHttpList *hd;
531 * MHD connection for this request.
533 struct MHD_Connection *con;
536 * MHD response object for this request.
538 struct MHD_Response *response;
541 * the domain name to server (only important for TLS)
546 * DNS Legacy Host Name as given by GNS, NULL if not given.
551 * Payload of the (last) DANE record encountered.
566 * HTTP request headers for the curl request.
568 struct curl_slist *headers;
571 * DNS->IP mappings resolved through GNS
573 struct curl_slist *hosts;
576 * HTTP response code to give to MHD for the response.
578 unsigned int response_code;
581 * Number of bytes in @e dane_data.
583 size_t dane_data_len;
586 * Number of bytes already in read buffer
591 * Number of bytes already in write buffer
596 * Number of bytes already in the IO buffer.
601 * Once known, what's the target address for the connection?
603 struct sockaddr_storage destination_address;
608 enum SocksPhase state;
611 * Desired destination port.
616 * Headers from response
618 struct HttpResponseHeader *header_head;
621 * Headers from response
623 struct HttpResponseHeader *header_tail;
626 * X.509 Certificate status
631 * Was the hostname resolved via GNS?
636 * Did we suspend MHD processing?
641 * Did we pause CURL processing?
648 /* *********************** Globals **************************** */
652 * The port the proxy is running on (default 7777)
654 static uint16_t port = GNUNET_GNS_PROXY_PORT;
657 * The CA file (pem) to use for the proxy CA
659 static char *cafile_opt;
662 * The listen socket of the proxy for IPv4
664 static struct GNUNET_NETWORK_Handle *lsock4;
667 * The listen socket of the proxy for IPv6
669 static struct GNUNET_NETWORK_Handle *lsock6;
672 * The listen task ID for IPv4
674 static struct GNUNET_SCHEDULER_Task * ltask4;
677 * The listen task ID for IPv6
679 static struct GNUNET_SCHEDULER_Task * ltask6;
682 * The cURL download task (curl multi API).
684 static struct GNUNET_SCHEDULER_Task * curl_download_task;
687 * The cURL multi handle
689 static CURLM *curl_multi;
692 * Handle to the GNS service
694 static struct GNUNET_GNS_Handle *gns_handle;
699 static int disable_v6;
702 * DLL for http/https daemons
704 static struct MhdHttpList *mhd_httpd_head;
707 * DLL for http/https daemons
709 static struct MhdHttpList *mhd_httpd_tail;
712 * Daemon for HTTP (we have one per X.509 certificate, and then one for
713 * all HTTP connections; this is the one for HTTP, not HTTPS).
715 static struct MhdHttpList *httpd;
718 * DLL of active socks requests.
720 static struct Socks5Request *s5r_head;
723 * DLL of active socks requests.
725 static struct Socks5Request *s5r_tail;
728 * The CA for X.509 certificate generation
730 static struct ProxyCA proxy_ca;
733 * Response we return on cURL failures.
735 static struct MHD_Response *curl_failure_response;
740 static const struct GNUNET_CONFIGURATION_Handle *cfg;
743 /* ************************* Global helpers ********************* */
747 * Run MHD now, we have extra data ready for the callback.
749 * @param hd the daemon to run now.
752 run_mhd_now (struct MhdHttpList *hd);
756 * Clean up s5r handles.
758 * @param s5r the handle to destroy
761 cleanup_s5r (struct Socks5Request *s5r)
763 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
764 "Cleaning up socks request\n");
765 if (NULL != s5r->curl)
767 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
768 "Cleaning up cURL handle\n");
769 curl_multi_remove_handle (curl_multi,
771 curl_easy_cleanup (s5r->curl);
776 s5r->suspended = GNUNET_NO;
777 MHD_resume_connection (s5r->con);
779 curl_slist_free_all (s5r->headers);
780 if (NULL != s5r->hosts)
782 curl_slist_free_all (s5r->hosts);
784 if ( (NULL != s5r->response) &&
785 (curl_failure_response != s5r->response) )
787 MHD_destroy_response (s5r->response);
788 s5r->response = NULL;
790 if (NULL != s5r->rtask)
792 GNUNET_SCHEDULER_cancel (s5r->rtask);
795 if (NULL != s5r->timeout_task)
797 GNUNET_SCHEDULER_cancel (s5r->timeout_task);
798 s5r->timeout_task = NULL;
800 if (NULL != s5r->wtask)
802 GNUNET_SCHEDULER_cancel (s5r->wtask);
805 if (NULL != s5r->gns_lookup)
807 GNUNET_GNS_lookup_with_tld_cancel (s5r->gns_lookup);
808 s5r->gns_lookup = NULL;
810 if (NULL != s5r->sock)
812 if (SOCKS5_SOCKET_WITH_MHD <= s5r->state)
813 GNUNET_NETWORK_socket_free_memory_only_ (s5r->sock);
815 GNUNET_NETWORK_socket_close (s5r->sock);
818 GNUNET_CONTAINER_DLL_remove (s5r_head,
821 GNUNET_free_non_null (s5r->domain);
822 GNUNET_free_non_null (s5r->leho);
823 GNUNET_free_non_null (s5r->url);
824 GNUNET_free_non_null (s5r->dane_data);
829 /* ************************* HTTP handling with cURL *********************** */
832 curl_download_prepare ();
836 * Callback for MHD response generation. This function is called from
837 * MHD whenever MHD expects to get data back. Copies data from the
838 * io_buf, if available.
840 * @param cls closure with our `struct Socks5Request`
841 * @param pos in buffer
842 * @param buf where to copy data
843 * @param max available space in @a buf
844 * @return number of bytes written to @a buf
847 mhd_content_cb (void *cls,
852 struct Socks5Request *s5r = cls;
853 size_t bytes_to_copy;
855 if ( (SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state) ||
856 (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state) )
858 /* we're still not done with the upload, do not yet
859 start the download, the IO buffer is still full
861 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
862 "Pausing MHD download %s%s, not yet ready for download\n",
865 return 0; /* not yet ready for data download */
867 bytes_to_copy = GNUNET_MIN (max,
869 if ( (0 == bytes_to_copy) &&
870 (SOCKS5_SOCKET_DOWNLOAD_DONE != s5r->state) )
872 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
873 "Pausing MHD download %s%s, no data available\n",
876 if (NULL != s5r->curl)
878 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
879 "Continuing CURL interaction for %s%s\n",
882 if (GNUNET_YES == s5r->curl_paused)
884 s5r->curl_paused = GNUNET_NO;
885 curl_easy_pause (s5r->curl,
888 curl_download_prepare ();
890 if (GNUNET_NO == s5r->suspended)
892 MHD_suspend_connection (s5r->con);
893 s5r->suspended = GNUNET_YES;
895 return 0; /* more data later */
897 if ( (0 == bytes_to_copy) &&
898 (SOCKS5_SOCKET_DOWNLOAD_DONE == s5r->state) )
900 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
901 "Completed MHD download %s%s\n",
904 return MHD_CONTENT_READER_END_OF_STREAM;
906 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
907 "Writing %llu/%llu bytes to %s%s\n",
908 (unsigned long long) bytes_to_copy,
909 (unsigned long long) s5r->io_len,
915 memmove (s5r->io_buf,
916 &s5r->io_buf[bytes_to_copy],
917 s5r->io_len - bytes_to_copy);
918 s5r->io_len -= bytes_to_copy;
919 if ( (NULL != s5r->curl) &&
920 (GNUNET_YES == s5r->curl_paused) )
922 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
923 "Continuing CURL interaction for %s%s\n",
926 s5r->curl_paused = GNUNET_NO;
927 curl_easy_pause (s5r->curl,
930 return bytes_to_copy;
935 * Check that the website has presented us with a valid X.509 certificate.
936 * The certificate must either match the domain name or the LEHO name
937 * (or, if available, the TLSA record).
939 * @param s5r request to check for.
940 * @return #GNUNET_OK if the certificate is valid
943 check_ssl_certificate (struct Socks5Request *s5r)
945 unsigned int cert_list_size;
946 const gnutls_datum_t *chainp;
947 const struct curl_tlssessioninfo *tlsinfo;
948 char certdn[GNUNET_DNSPARSER_MAX_NAME_LENGTH + 3];
950 gnutls_x509_crt_t x509_cert;
954 s5r->ssl_checked = GNUNET_YES;
955 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
956 "Checking X.509 certificate\n");
958 curl_easy_getinfo (s5r->curl,
959 CURLINFO_TLS_SESSION,
960 (struct curl_slist **) &tlsinfo))
961 return GNUNET_SYSERR;
962 if (CURLSSLBACKEND_GNUTLS != tlsinfo->backend)
964 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
965 _("Unsupported CURL TLS backend %d\n"),
967 return GNUNET_SYSERR;
969 chainp = gnutls_certificate_get_peers (tlsinfo->internals,
972 (0 == cert_list_size) )
973 return GNUNET_SYSERR;
975 size = sizeof (certdn);
976 /* initialize an X.509 certificate structure. */
977 gnutls_x509_crt_init (&x509_cert);
978 gnutls_x509_crt_import (x509_cert,
980 GNUTLS_X509_FMT_DER);
982 if (0 != (rc = gnutls_x509_crt_get_dn_by_oid (x509_cert,
983 GNUTLS_OID_X520_COMMON_NAME,
984 0, /* the first and only one */
985 0 /* no DER encoding */,
989 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
990 _("Failed to fetch CN from cert: %s\n"),
991 gnutls_strerror(rc));
992 gnutls_x509_crt_deinit (x509_cert);
993 return GNUNET_SYSERR;
995 /* check for TLSA/DANE records */
997 if (NULL != s5r->dane_data)
999 char *dd[] = { s5r->dane_data, NULL };
1000 int dlen[] = { s5r->dane_data_len, 0};
1001 dane_state_t dane_state;
1002 dane_query_t dane_query;
1003 unsigned int verify;
1005 /* FIXME: add flags to gnutls to NOT read UNBOUND_ROOT_KEY_FILE here! */
1006 if (0 != (rc = dane_state_init (&dane_state,
1007 #ifdef DANE_F_IGNORE_DNSSEC
1008 DANE_F_IGNORE_DNSSEC |
1010 DANE_F_IGNORE_LOCAL_RESOLVER)))
1012 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1013 _("Failed to initialize DANE: %s\n"),
1015 gnutls_x509_crt_deinit (x509_cert);
1016 return GNUNET_SYSERR;
1018 if (0 != (rc = dane_raw_tlsa (dane_state,
1025 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1026 _("Failed to parse DANE record: %s\n"),
1028 dane_state_deinit (dane_state);
1029 gnutls_x509_crt_deinit (x509_cert);
1030 return GNUNET_SYSERR;
1032 if (0 != (rc = dane_verify_crt_raw (dane_state,
1035 gnutls_certificate_type_get (tlsinfo->internals),
1040 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1041 _("Failed to verify TLS connection using DANE: %s\n"),
1043 dane_query_deinit (dane_query);
1044 dane_state_deinit (dane_state);
1045 gnutls_x509_crt_deinit (x509_cert);
1046 return GNUNET_SYSERR;
1050 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1051 _("Failed DANE verification failed with GnuTLS verify status code: %u\n"),
1053 dane_query_deinit (dane_query);
1054 dane_state_deinit (dane_state);
1055 gnutls_x509_crt_deinit (x509_cert);
1056 return GNUNET_SYSERR;
1058 dane_query_deinit (dane_query);
1059 dane_state_deinit (dane_state);
1065 /* try LEHO or ordinary domain name X509 verification */
1067 if (NULL != s5r->leho)
1071 if (0 == (rc = gnutls_x509_crt_check_hostname (x509_cert,
1074 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1075 _("TLS certificate subject name (%s) does not match `%s': %d\n"),
1079 #if FIXED_CERT_VALIDATION_BUG
1080 gnutls_x509_crt_deinit (x509_cert);
1081 return GNUNET_SYSERR;
1087 /* we did not even have the domain name!? */
1089 return GNUNET_SYSERR;
1092 gnutls_x509_crt_deinit (x509_cert);
1098 * We're getting an HTTP response header from cURL. Convert it to the
1099 * MHD response headers. Mostly copies the headers, but makes special
1100 * adjustments to "Set-Cookie" and "Location" headers as those may need
1101 * to be changed from the LEHO to the domain the browser expects.
1103 * @param buffer curl buffer with a single line of header data; not 0-terminated!
1104 * @param size curl blocksize
1105 * @param nmemb curl blocknumber
1106 * @param cls our `struct Socks5Request *`
1107 * @return size of processed bytes
1110 curl_check_hdr (void *buffer,
1115 struct Socks5Request *s5r = cls;
1116 struct HttpResponseHeader *header;
1117 size_t bytes = size * nmemb;
1119 const char *hdr_type;
1120 const char *cookie_domain;
1122 char *new_cookie_hdr;
1125 size_t delta_cdomain;
1129 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1130 "Receiving HTTP response header from CURL\n");
1131 /* first, check TLS certificate */
1132 if ( (GNUNET_YES != s5r->ssl_checked) &&
1133 (HTTPS_PORT == s5r->port))
1135 if (GNUNET_OK != check_ssl_certificate (s5r))
1138 ndup = GNUNET_strndup (buffer,
1140 hdr_type = strtok (ndup,
1142 if (NULL == hdr_type)
1147 hdr_val = strtok (NULL,
1149 if (NULL == hdr_val)
1154 if (' ' == *hdr_val)
1157 /* custom logic for certain header types */
1158 new_cookie_hdr = NULL;
1159 if ( (NULL != s5r->leho) &&
1160 (0 == strcasecmp (hdr_type,
1161 MHD_HTTP_HEADER_SET_COOKIE)) )
1164 new_cookie_hdr = GNUNET_malloc (strlen (hdr_val) +
1165 strlen (s5r->domain) + 1);
1167 domain_matched = GNUNET_NO; /* make sure we match domain at most once */
1168 for (tok = strtok (hdr_val, ";"); NULL != tok; tok = strtok (NULL, ";"))
1170 if ( (0 == strncasecmp (tok,
1172 strlen (" domain"))) &&
1173 (GNUNET_NO == domain_matched) )
1175 domain_matched = GNUNET_YES;
1176 cookie_domain = tok + strlen (" domain") + 1;
1177 if (strlen (cookie_domain) < strlen (s5r->leho))
1179 delta_cdomain = strlen (s5r->leho) - strlen (cookie_domain);
1180 if (0 == strcasecmp (cookie_domain,
1181 s5r->leho + delta_cdomain))
1183 offset += sprintf (new_cookie_hdr + offset,
1189 else if (0 == strcmp (cookie_domain,
1192 offset += sprintf (new_cookie_hdr + offset,
1197 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1198 _("Cookie domain `%s' supplied by server is invalid\n"),
1201 GNUNET_memcpy (new_cookie_hdr + offset,
1204 offset += strlen (tok);
1205 new_cookie_hdr[offset++] = ';';
1207 hdr_val = new_cookie_hdr;
1210 new_location = NULL;
1211 if (0 == strcasecmp (MHD_HTTP_HEADER_TRANSFER_ENCODING,
1214 /* Ignore transfer encoding, set automatically by MHD if required */
1217 if (0 == strcasecmp (MHD_HTTP_HEADER_LOCATION,
1222 GNUNET_asprintf (&leho_host,
1223 (HTTPS_PORT != s5r->port)
1227 if (0 == strncmp (leho_host,
1229 strlen (leho_host)))
1231 GNUNET_asprintf (&new_location,
1233 (HTTPS_PORT != s5r->port)
1237 hdr_val + strlen (leho_host));
1238 hdr_val = new_location;
1240 GNUNET_free (leho_host);
1242 /* MHD does not allow certain characters in values, remove those */
1243 if (NULL != (tok = strchr (hdr_val, '\n')))
1245 if (NULL != (tok = strchr (hdr_val, '\r')))
1247 if (NULL != (tok = strchr (hdr_val, '\t')))
1249 if (0 != strlen (hdr_val)) /* Rely in MHD to set those */
1251 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1252 "Adding header %s: %s to MHD response\n",
1255 header = GNUNET_new (struct HttpResponseHeader);
1256 header->type = GNUNET_strdup (hdr_type);
1257 header->value = GNUNET_strdup (hdr_val);
1258 GNUNET_CONTAINER_DLL_insert (s5r->header_head,
1264 GNUNET_free_non_null (new_cookie_hdr);
1265 GNUNET_free_non_null (new_location);
1271 * Create an MHD response object in @a s5r matching the
1272 * information we got from curl.
1274 * @param s5r the request for which we convert the response
1275 * @return #GNUNET_OK on success, #GNUNET_SYSERR if response was
1276 * already initialized before
1279 create_mhd_response_from_s5r (struct Socks5Request *s5r)
1282 double content_length;
1284 if (NULL != s5r->response)
1286 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1287 "Response already set!\n");
1288 return GNUNET_SYSERR;
1291 GNUNET_break (CURLE_OK ==
1292 curl_easy_getinfo (s5r->curl,
1293 CURLINFO_RESPONSE_CODE,
1295 GNUNET_break (CURLE_OK ==
1296 curl_easy_getinfo (s5r->curl,
1297 CURLINFO_CONTENT_LENGTH_DOWNLOAD,
1299 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1300 "Creating MHD response with code %d and size %d for %s%s\n",
1302 (int) content_length,
1305 s5r->response_code = resp_code;
1306 s5r->response = MHD_create_response_from_callback ((-1 == content_length)
1313 for (struct HttpResponseHeader *header = s5r->header_head;
1315 header = header->next)
1317 GNUNET_break (MHD_YES ==
1318 MHD_add_response_header (s5r->response,
1323 if (NULL != s5r->leho)
1327 GNUNET_asprintf (&cors_hdr,
1328 (HTTPS_PORT == s5r->port)
1333 GNUNET_break (MHD_YES ==
1334 MHD_add_response_header (s5r->response,
1335 MHD_HTTP_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
1337 GNUNET_free (cors_hdr);
1339 /* force connection to be closed after each request, as we
1340 do not support HTTP pipelining (yet, FIXME!) */
1341 /*GNUNET_break (MHD_YES ==
1342 MHD_add_response_header (s5r->response,
1343 MHD_HTTP_HEADER_CONNECTION,
1345 MHD_resume_connection (s5r->con);
1346 s5r->suspended = GNUNET_NO;
1352 * Handle response payload data from cURL. Copies it into our `io_buf` to make
1353 * it available to MHD.
1355 * @param ptr pointer to the data
1356 * @param size number of blocks of data
1357 * @param nmemb blocksize
1358 * @param ctx our `struct Socks5Request *`
1359 * @return number of bytes handled
1362 curl_download_cb (void *ptr,
1367 struct Socks5Request *s5r = ctx;
1368 size_t total = size * nmemb;
1370 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1371 "Receiving %ux%u bytes for `%s%s' from cURL\n",
1372 (unsigned int) size,
1373 (unsigned int) nmemb,
1376 if (NULL == s5r->response)
1377 GNUNET_assert (GNUNET_OK ==
1378 create_mhd_response_from_s5r (s5r));
1380 if ( (SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state) ||
1381 (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state) )
1383 /* we're still not done with the upload, do not yet
1384 start the download, the IO buffer is still full
1385 with upload data. */
1386 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1387 "Pausing CURL download `%s%s', waiting for UPLOAD to finish\n",
1390 s5r->curl_paused = GNUNET_YES;
1391 return CURL_WRITEFUNC_PAUSE; /* not yet ready for data download */
1393 if (sizeof (s5r->io_buf) - s5r->io_len < total)
1395 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1396 "Pausing CURL `%s%s' download, not enough space %llu %llu %llu\n",
1399 (unsigned long long) sizeof (s5r->io_buf),
1400 (unsigned long long) s5r->io_len,
1401 (unsigned long long) total);
1402 s5r->curl_paused = GNUNET_YES;
1403 return CURL_WRITEFUNC_PAUSE; /* not enough space */
1405 GNUNET_memcpy (&s5r->io_buf[s5r->io_len],
1408 s5r->io_len += total;
1409 if (GNUNET_YES == s5r->suspended)
1411 MHD_resume_connection (s5r->con);
1412 s5r->suspended = GNUNET_NO;
1414 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1415 "Received %llu bytes of payload via cURL from %s\n",
1416 (unsigned long long) total,
1418 if (s5r->io_len == total)
1419 run_mhd_now (s5r->hd);
1425 * cURL callback for uploaded (PUT/POST) data. Copies it into our `io_buf`
1426 * to make it available to MHD.
1428 * @param buf where to write the data
1429 * @param size number of bytes per member
1430 * @param nmemb number of members available in @a buf
1431 * @param cls our `struct Socks5Request` that generated the data
1432 * @return number of bytes copied to @a buf
1435 curl_upload_cb (void *buf,
1440 struct Socks5Request *s5r = cls;
1441 size_t len = size * nmemb;
1444 if ( (0 == s5r->io_len) &&
1445 (SOCKS5_SOCKET_UPLOAD_DONE != s5r->state) )
1447 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1448 "Pausing CURL UPLOAD %s%s, need more data\n",
1451 return CURL_READFUNC_PAUSE;
1453 if ( (0 == s5r->io_len) &&
1454 (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state) )
1456 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
1457 if (GNUNET_YES == s5r->curl_paused)
1459 s5r->curl_paused = GNUNET_NO;
1460 curl_easy_pause (s5r->curl,
1463 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1464 "Completed CURL UPLOAD %s%s\n",
1467 return 0; /* upload finished, can now download */
1469 if ( (SOCKS5_SOCKET_UPLOAD_STARTED != s5r->state) &&
1470 (SOCKS5_SOCKET_UPLOAD_DONE != s5r->state) )
1473 return CURL_READFUNC_ABORT;
1475 to_copy = GNUNET_MIN (s5r->io_len,
1480 memmove (s5r->io_buf,
1481 &s5r->io_buf[to_copy],
1482 s5r->io_len - to_copy);
1483 s5r->io_len -= to_copy;
1484 if (s5r->io_len + to_copy == sizeof (s5r->io_buf))
1485 run_mhd_now (s5r->hd); /* got more space for upload now */
1490 /* ************************** main loop of cURL interaction ****************** */
1494 * Task that is run when we are ready to receive more data
1497 * @param cls closure
1500 curl_task_download (void *cls);
1504 * Ask cURL for the select() sets and schedule cURL operations.
1507 curl_download_prepare ()
1514 struct GNUNET_NETWORK_FDSet *grs;
1515 struct GNUNET_NETWORK_FDSet *gws;
1517 struct GNUNET_TIME_Relative rtime;
1519 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1520 "Scheduling CURL interaction\n");
1521 if (NULL != curl_download_task)
1523 GNUNET_SCHEDULER_cancel (curl_download_task);
1524 curl_download_task = NULL;
1530 if (CURLM_OK != (mret = curl_multi_fdset (curl_multi,
1536 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1537 "%s failed at %s:%d: `%s'\n",
1538 "curl_multi_fdset", __FILE__, __LINE__,
1539 curl_multi_strerror (mret));
1543 GNUNET_break (CURLM_OK ==
1544 curl_multi_timeout (curl_multi,
1547 rtime = GNUNET_TIME_UNIT_FOREVER_REL;
1549 rtime = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS,
1553 grs = GNUNET_NETWORK_fdset_create ();
1554 gws = GNUNET_NETWORK_fdset_create ();
1555 GNUNET_NETWORK_fdset_copy_native (grs,
1558 GNUNET_NETWORK_fdset_copy_native (gws,
1561 curl_download_task = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
1565 &curl_task_download,
1567 GNUNET_NETWORK_fdset_destroy (gws);
1568 GNUNET_NETWORK_fdset_destroy (grs);
1572 curl_download_task = GNUNET_SCHEDULER_add_delayed (rtime,
1573 &curl_task_download,
1580 * Task that is run when we are ready to receive more data from curl.
1582 * @param cls closure, NULL
1585 curl_task_download (void *cls)
1589 struct CURLMsg *msg;
1591 struct Socks5Request *s5r;
1593 curl_download_task = NULL;
1594 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1595 "Running CURL interaction\n");
1599 mret = curl_multi_perform (curl_multi,
1601 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1602 "Checking CURL multi status: %d\n",
1604 while (NULL != (msg = curl_multi_info_read (curl_multi,
1607 GNUNET_break (CURLE_OK ==
1608 curl_easy_getinfo (msg->easy_handle,
1619 /* documentation says this is not used */
1623 switch (msg->data.result)
1626 case CURLE_GOT_NOTHING:
1627 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1628 "CURL download %s%s completed.\n",
1631 if (NULL == s5r->response)
1633 GNUNET_assert (GNUNET_OK ==
1634 create_mhd_response_from_s5r (s5r));
1636 s5r->state = SOCKS5_SOCKET_DOWNLOAD_DONE;
1637 if (GNUNET_YES == s5r->suspended)
1639 MHD_resume_connection (s5r->con);
1640 s5r->suspended = GNUNET_NO;
1642 run_mhd_now (s5r->hd);
1645 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1646 "Download curl %s%s failed: %s\n",
1649 curl_easy_strerror (msg->data.result));
1650 /* FIXME: indicate error somehow? close MHD connection badly as well? */
1651 s5r->state = SOCKS5_SOCKET_DOWNLOAD_DONE;
1652 if (GNUNET_YES == s5r->suspended)
1654 MHD_resume_connection (s5r->con);
1655 s5r->suspended = GNUNET_NO;
1657 run_mhd_now (s5r->hd);
1660 if (NULL == s5r->response)
1661 s5r->response = curl_failure_response;
1664 /* documentation says this is not used */
1668 /* unexpected status code */
1673 } while (mret == CURLM_CALL_MULTI_PERFORM);
1674 if (CURLM_OK != mret)
1675 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1676 "%s failed at %s:%d: `%s'\n",
1677 "curl_multi_perform", __FILE__, __LINE__,
1678 curl_multi_strerror (mret));
1681 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1682 "Suspending cURL multi loop, no more events pending\n");
1683 if (NULL != curl_download_task)
1685 GNUNET_SCHEDULER_cancel (curl_download_task);
1686 curl_download_task = NULL;
1688 return; /* nothing more in progress */
1690 curl_download_prepare ();
1694 /* ********************************* MHD response generation ******************* */
1698 * Read HTTP request header field from the request. Copies the fields
1699 * over to the 'headers' that will be given to curl. However, 'Host'
1700 * is substituted with the LEHO if present. We also change the
1701 * 'Connection' header value to "close" as the proxy does not support
1704 * @param cls our `struct Socks5Request`
1705 * @param kind value kind
1706 * @param key field key
1707 * @param value field value
1708 * @return #MHD_YES to continue to iterate
1711 con_val_iter (void *cls,
1712 enum MHD_ValueKind kind,
1716 struct Socks5Request *s5r = cls;
1719 if ( (0 == strcasecmp (MHD_HTTP_HEADER_HOST,
1721 (NULL != s5r->leho) )
1723 if (0 == strcasecmp (MHD_HTTP_HEADER_CONTENT_LENGTH,
1726 if (0 == strcasecmp (MHD_HTTP_HEADER_ACCEPT_ENCODING,
1729 GNUNET_asprintf (&hdr,
1733 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1734 "Adding HEADER `%s' to HTTP request\n",
1736 s5r->headers = curl_slist_append (s5r->headers,
1744 * Main MHD callback for handling requests.
1747 * @param con MHD connection handle
1748 * @param url the url in the request
1749 * @param meth the HTTP method used ("GET", "PUT", etc.)
1750 * @param ver the HTTP version string (i.e. "HTTP/1.1")
1751 * @param upload_data the data being uploaded (excluding HEADERS,
1752 * for a POST that fits into memory and that is encoded
1753 * with a supported encoding, the POST data will NOT be
1754 * given in upload_data and is instead available as
1755 * part of MHD_get_connection_values; very large POST
1756 * data *will* be made available incrementally in
1758 * @param upload_data_size set initially to the size of the
1759 * @a upload_data provided; the method must update this
1760 * value to the number of bytes NOT processed;
1761 * @param con_cls pointer to location where we store the `struct Request`
1762 * @return #MHD_YES if the connection was handled successfully,
1763 * #MHD_NO if the socket must be closed due to a serious
1764 * error while handling the request
1767 create_response (void *cls,
1768 struct MHD_Connection *con,
1772 const char *upload_data,
1773 size_t *upload_data_size,
1776 struct Socks5Request *s5r = *con_cls;
1778 char ipstring[INET6_ADDRSTRLEN];
1779 char ipaddr[INET6_ADDRSTRLEN + 2];
1780 const struct sockaddr *sa;
1781 const struct sockaddr_in *s4;
1782 const struct sockaddr_in6 *s6;
1792 /* Fresh connection. */
1793 if (SOCKS5_SOCKET_WITH_MHD == s5r->state)
1795 /* first time here, initialize curl handle */
1798 sa = (const struct sockaddr *) &s5r->destination_address;
1799 switch (sa->sa_family)
1802 s4 = (const struct sockaddr_in *) &s5r->destination_address;
1803 if (NULL == inet_ntop (AF_INET,
1811 GNUNET_snprintf (ipaddr,
1815 port = ntohs (s4->sin_port);
1818 s6 = (const struct sockaddr_in6 *) &s5r->destination_address;
1819 if (NULL == inet_ntop (AF_INET6,
1827 GNUNET_snprintf (ipaddr,
1831 port = ntohs (s6->sin6_port);
1842 if (NULL == s5r->curl)
1843 s5r->curl = curl_easy_init ();
1844 if (NULL == s5r->curl)
1845 return MHD_queue_response (con,
1846 MHD_HTTP_INTERNAL_SERVER_ERROR,
1847 curl_failure_response);
1848 curl_easy_setopt (s5r->curl,
1849 CURLOPT_HEADERFUNCTION,
1851 curl_easy_setopt (s5r->curl,
1854 curl_easy_setopt (s5r->curl,
1855 CURLOPT_FOLLOWLOCATION,
1858 curl_easy_setopt (s5r->curl,
1861 curl_easy_setopt (s5r->curl,
1862 CURLOPT_CONNECTTIMEOUT,
1864 curl_easy_setopt (s5r->curl,
1867 curl_easy_setopt (s5r->curl,
1870 curl_easy_setopt (s5r->curl,
1871 CURLOPT_HTTP_CONTENT_DECODING,
1873 curl_easy_setopt (s5r->curl,
1876 curl_easy_setopt (s5r->curl,
1879 curl_easy_setopt (s5r->curl,
1883 * Pre-populate cache to resolve Hostname.
1884 * This is necessary as the DNS name in the CURLOPT_URL is used
1885 * for SNI http://de.wikipedia.org/wiki/Server_Name_Indication
1887 if (NULL != s5r->leho)
1891 GNUNET_asprintf (&curl_hosts,
1896 s5r->hosts = curl_slist_append (NULL,
1898 curl_easy_setopt (s5r->curl,
1901 GNUNET_free (curl_hosts);
1905 GNUNET_asprintf (&curlurl,
1906 (HTTPS_PORT != s5r->port)
1908 : "https://%s:%d%s",
1917 GNUNET_asprintf (&curlurl,
1918 (HTTPS_PORT != s5r->port)
1920 : "https://%s:%d%s",
1925 curl_easy_setopt (s5r->curl,
1928 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1929 "Launching %s CURL interaction, fetching `%s'\n",
1930 (s5r->is_gns) ? "GNS" : "DNS",
1932 GNUNET_free (curlurl);
1933 if (0 == strcasecmp (meth,
1934 MHD_HTTP_METHOD_PUT))
1936 s5r->state = SOCKS5_SOCKET_UPLOAD_STARTED;
1937 curl_easy_setopt (s5r->curl,
1940 curl_easy_setopt (s5r->curl,
1941 CURLOPT_WRITEFUNCTION,
1943 curl_easy_setopt (s5r->curl,
1946 GNUNET_assert (CURLE_OK ==
1947 curl_easy_setopt (s5r->curl,
1948 CURLOPT_READFUNCTION,
1950 curl_easy_setopt (s5r->curl,
1957 us = MHD_lookup_connection_value (con,
1959 MHD_HTTP_HEADER_CONTENT_LENGTH);
1960 if ( (1 == sscanf (us,
1963 (upload_size >= 0) )
1965 curl_easy_setopt (s5r->curl,
1971 else if (0 == strcasecmp (meth, MHD_HTTP_METHOD_POST))
1973 s5r->state = SOCKS5_SOCKET_UPLOAD_STARTED;
1974 curl_easy_setopt (s5r->curl,
1977 curl_easy_setopt (s5r->curl,
1978 CURLOPT_WRITEFUNCTION,
1980 curl_easy_setopt (s5r->curl,
1983 curl_easy_setopt (s5r->curl,
1984 CURLOPT_READFUNCTION,
1986 curl_easy_setopt (s5r->curl,
1993 us = MHD_lookup_connection_value (con,
1995 MHD_HTTP_HEADER_CONTENT_LENGTH);
1996 if ( (NULL != us) && (1 == sscanf (us,
1999 (upload_size >= 0) )
2001 curl_easy_setopt (s5r->curl,
2005 curl_easy_setopt (s5r->curl,
2011 else if (0 == strcasecmp (meth,
2012 MHD_HTTP_METHOD_HEAD))
2014 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2015 curl_easy_setopt (s5r->curl,
2019 else if (0 == strcasecmp (meth,
2020 MHD_HTTP_METHOD_OPTIONS))
2022 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2023 curl_easy_setopt (s5r->curl,
2024 CURLOPT_CUSTOMREQUEST,
2027 else if (0 == strcasecmp (meth,
2028 MHD_HTTP_METHOD_GET))
2030 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2031 curl_easy_setopt (s5r->curl,
2034 curl_easy_setopt (s5r->curl,
2035 CURLOPT_WRITEFUNCTION,
2037 curl_easy_setopt (s5r->curl,
2043 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2044 _("Unsupported HTTP method `%s'\n"),
2046 curl_easy_cleanup (s5r->curl);
2051 if (0 == strcasecmp (ver, MHD_HTTP_VERSION_1_0))
2053 curl_easy_setopt (s5r->curl,
2054 CURLOPT_HTTP_VERSION,
2055 CURL_HTTP_VERSION_1_0);
2057 else if (0 == strcasecmp (ver, MHD_HTTP_VERSION_1_1))
2059 curl_easy_setopt (s5r->curl,
2060 CURLOPT_HTTP_VERSION,
2061 CURL_HTTP_VERSION_1_1);
2065 curl_easy_setopt (s5r->curl,
2066 CURLOPT_HTTP_VERSION,
2067 CURL_HTTP_VERSION_NONE);
2070 if (HTTPS_PORT == s5r->port)
2072 curl_easy_setopt (s5r->curl,
2075 if (NULL != s5r->dane_data)
2076 curl_easy_setopt (s5r->curl,
2077 CURLOPT_SSL_VERIFYPEER,
2080 curl_easy_setopt (s5r->curl,
2081 CURLOPT_SSL_VERIFYPEER,
2083 /* Disable cURL checking the hostname, as we will check ourselves
2084 as only we have the domain name or the LEHO or the DANE record */
2085 curl_easy_setopt (s5r->curl,
2086 CURLOPT_SSL_VERIFYHOST,
2091 curl_easy_setopt (s5r->curl,
2097 curl_multi_add_handle (curl_multi,
2101 curl_easy_cleanup (s5r->curl);
2105 MHD_get_connection_values (con,
2109 curl_easy_setopt (s5r->curl,
2112 curl_download_prepare ();
2116 /* continuing to process request */
2117 if (0 != *upload_data_size)
2119 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2120 "Processing %u bytes UPLOAD\n",
2121 (unsigned int) *upload_data_size);
2123 /* FIXME: This must be set or a header with Transfer-Encoding: chunked. Else
2124 * upload callback is not called!
2126 curl_easy_setopt (s5r->curl,
2127 CURLOPT_POSTFIELDSIZE,
2130 left = GNUNET_MIN (*upload_data_size,
2131 sizeof (s5r->io_buf) - s5r->io_len);
2132 GNUNET_memcpy (&s5r->io_buf[s5r->io_len],
2135 s5r->io_len += left;
2136 *upload_data_size -= left;
2137 GNUNET_assert (NULL != s5r->curl);
2138 if (GNUNET_YES == s5r->curl_paused)
2140 s5r->curl_paused = GNUNET_NO;
2141 curl_easy_pause (s5r->curl,
2146 if (SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state)
2148 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2149 "Finished processing UPLOAD\n");
2150 s5r->state = SOCKS5_SOCKET_UPLOAD_DONE;
2152 if (NULL == s5r->response)
2154 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2155 "Waiting for HTTP response for %s%s...\n",
2158 MHD_suspend_connection (con);
2159 s5r->suspended = GNUNET_YES;
2162 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2163 "Queueing response for %s%s with MHD\n",
2166 run_mhd_now (s5r->hd);
2167 return MHD_queue_response (con,
2173 /* ******************** MHD HTTP setup and event loop ******************** */
2177 * Function called when MHD decides that we are done with a request.
2180 * @param connection connection handle
2181 * @param con_cls value as set by the last call to
2182 * the MHD_AccessHandlerCallback, should be our `struct Socks5Request *`
2183 * @param toe reason for request termination (ignored)
2186 mhd_completed_cb (void *cls,
2187 struct MHD_Connection *connection,
2189 enum MHD_RequestTerminationCode toe)
2191 struct Socks5Request *s5r = *con_cls;
2195 if (MHD_REQUEST_TERMINATED_COMPLETED_OK != toe)
2196 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
2197 "MHD encountered error handling request: %d\n",
2199 if (NULL != s5r->curl)
2201 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2202 "Removing cURL handle (MHD interaction complete)\n");
2203 curl_multi_remove_handle (curl_multi,
2205 curl_slist_free_all (s5r->headers);
2206 s5r->headers = NULL;
2207 curl_easy_reset (s5r->curl);
2211 curl_download_prepare ();
2213 if ( (NULL != s5r->response) &&
2214 (curl_failure_response != s5r->response) )
2215 MHD_destroy_response (s5r->response);
2216 for (struct HttpResponseHeader *header = s5r->header_head;
2218 header = s5r->header_head)
2220 GNUNET_CONTAINER_DLL_remove (s5r->header_head,
2223 GNUNET_free (header->type);
2224 GNUNET_free (header->value);
2225 GNUNET_free (header);
2227 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2228 "Finished request for %s\n",
2230 GNUNET_free (s5r->url);
2231 s5r->state = SOCKS5_SOCKET_WITH_MHD;
2233 s5r->response = NULL;
2239 * Function called when MHD connection is opened or closed.
2242 * @param connection connection handle
2243 * @param con_cls value as set by the last call to
2244 * the MHD_AccessHandlerCallback, should be our `struct Socks5Request *`
2245 * @param toe connection notification type
2248 mhd_connection_cb (void *cls,
2249 struct MHD_Connection *connection,
2251 enum MHD_ConnectionNotificationCode cnc)
2253 struct Socks5Request *s5r;
2254 const union MHD_ConnectionInfo *ci;
2259 case MHD_CONNECTION_NOTIFY_STARTED:
2260 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Connection started...\n");
2261 ci = MHD_get_connection_info (connection,
2262 MHD_CONNECTION_INFO_CONNECTION_FD);
2268 sock = ci->connect_fd;
2269 for (s5r = s5r_head; NULL != s5r; s5r = s5r->next)
2271 if (GNUNET_NETWORK_get_fd (s5r->sock) == sock)
2273 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2274 "Context set...\n");
2275 s5r->ssl_checked = GNUNET_NO;
2281 case MHD_CONNECTION_NOTIFY_CLOSED:
2282 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2283 "Connection closed... cleaning up\n");
2287 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2288 "Connection stale!\n");
2292 curl_download_prepare ();
2301 * Function called when MHD first processes an incoming connection.
2302 * Gives us the respective URI information.
2304 * We use this to associate the `struct MHD_Connection` with our
2305 * internal `struct Socks5Request` data structure (by checking
2306 * for matching sockets).
2308 * @param cls the HTTP server handle (a `struct MhdHttpList`)
2309 * @param url the URL that is being requested
2310 * @param connection MHD connection object for the request
2311 * @return the `struct Socks5Request` that this @a connection is for
2314 mhd_log_callback (void *cls,
2316 struct MHD_Connection *connection)
2318 struct Socks5Request *s5r;
2319 const union MHD_ConnectionInfo *ci;
2321 ci = MHD_get_connection_info (connection,
2322 MHD_CONNECTION_INFO_SOCKET_CONTEXT);
2323 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Processing %s\n", url);
2329 s5r = ci->socket_context;
2330 if (NULL != s5r->url)
2335 s5r->url = GNUNET_strdup (url);
2336 if (NULL != s5r->timeout_task)
2338 GNUNET_SCHEDULER_cancel (s5r->timeout_task);
2339 s5r->timeout_task = NULL;
2341 GNUNET_assert (s5r->state == SOCKS5_SOCKET_WITH_MHD);
2347 * Kill the given MHD daemon.
2349 * @param hd daemon to stop
2352 kill_httpd (struct MhdHttpList *hd)
2354 GNUNET_CONTAINER_DLL_remove (mhd_httpd_head,
2357 GNUNET_free_non_null (hd->domain);
2358 MHD_stop_daemon (hd->daemon);
2359 if (NULL != hd->httpd_task)
2361 GNUNET_SCHEDULER_cancel (hd->httpd_task);
2362 hd->httpd_task = NULL;
2364 GNUNET_free_non_null (hd->proxy_cert);
2372 * Task run whenever HTTP server is idle for too long. Kill it.
2374 * @param cls the `struct MhdHttpList *`
2377 kill_httpd_task (void *cls)
2379 struct MhdHttpList *hd = cls;
2381 hd->httpd_task = NULL;
2387 * Task run whenever HTTP server operations are pending.
2389 * @param cls the `struct MhdHttpList *` of the daemon that is being run
2392 do_httpd (void *cls);
2396 * Schedule MHD. This function should be called initially when an
2397 * MHD is first getting its client socket, and will then automatically
2398 * always be called later whenever there is work to be done.
2400 * @param hd the daemon to schedule
2403 schedule_httpd (struct MhdHttpList *hd)
2408 struct GNUNET_NETWORK_FDSet *wrs;
2409 struct GNUNET_NETWORK_FDSet *wws;
2412 MHD_UNSIGNED_LONG_LONG timeout;
2413 struct GNUNET_TIME_Relative tv;
2420 MHD_get_fdset (hd->daemon,
2429 haveto = MHD_get_timeout (hd->daemon,
2431 if (MHD_YES == haveto)
2432 tv.rel_value_us = (uint64_t) timeout * 1000LL;
2434 tv = GNUNET_TIME_UNIT_FOREVER_REL;
2437 wrs = GNUNET_NETWORK_fdset_create ();
2438 wws = GNUNET_NETWORK_fdset_create ();
2439 GNUNET_NETWORK_fdset_copy_native (wrs, &rs, max + 1);
2440 GNUNET_NETWORK_fdset_copy_native (wws, &ws, max + 1);
2447 if (NULL != hd->httpd_task)
2449 GNUNET_SCHEDULER_cancel (hd->httpd_task);
2450 hd->httpd_task = NULL;
2452 if ( (MHD_YES != haveto) &&
2456 /* daemon is idle, kill after timeout */
2457 hd->httpd_task = GNUNET_SCHEDULER_add_delayed (MHD_CACHE_TIMEOUT,
2464 GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
2469 GNUNET_NETWORK_fdset_destroy (wrs);
2471 GNUNET_NETWORK_fdset_destroy (wws);
2476 * Task run whenever HTTP server operations are pending.
2478 * @param cls the `struct MhdHttpList` of the daemon that is being run
2481 do_httpd (void *cls)
2483 struct MhdHttpList *hd = cls;
2485 hd->httpd_task = NULL;
2486 MHD_run (hd->daemon);
2487 schedule_httpd (hd);
2492 * Run MHD now, we have extra data ready for the callback.
2494 * @param hd the daemon to run now.
2497 run_mhd_now (struct MhdHttpList *hd)
2499 if (NULL != hd->httpd_task)
2500 GNUNET_SCHEDULER_cancel (hd->httpd_task);
2501 hd->httpd_task = GNUNET_SCHEDULER_add_now (&do_httpd,
2507 * Read file in filename
2509 * @param filename file to read
2510 * @param size pointer where filesize is stored
2511 * @return NULL on error
2514 load_file (const char* filename,
2521 GNUNET_DISK_file_size (filename,
2526 if (fsize > MAX_PEM_SIZE)
2528 *size = (unsigned int) fsize;
2529 buffer = GNUNET_malloc (*size);
2531 GNUNET_DISK_fn_read (filename,
2535 GNUNET_free (buffer);
2543 * Load PEM key from file
2545 * @param key where to store the data
2546 * @param keyfile path to the PEM file
2547 * @return #GNUNET_OK on success
2550 load_key_from_file (gnutls_x509_privkey_t key,
2551 const char* keyfile)
2553 gnutls_datum_t key_data;
2556 key_data.data = load_file (keyfile,
2558 if (NULL == key_data.data)
2559 return GNUNET_SYSERR;
2560 ret = gnutls_x509_privkey_import (key, &key_data,
2561 GNUTLS_X509_FMT_PEM);
2562 if (GNUTLS_E_SUCCESS != ret)
2564 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2565 _("Unable to import private key from file `%s'\n"),
2568 GNUNET_free_non_null (key_data.data);
2569 return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
2574 * Load cert from file
2576 * @param crt struct to store data in
2577 * @param certfile path to pem file
2578 * @return #GNUNET_OK on success
2581 load_cert_from_file (gnutls_x509_crt_t crt,
2582 const char* certfile)
2584 gnutls_datum_t cert_data;
2587 cert_data.data = load_file (certfile,
2589 if (NULL == cert_data.data)
2590 return GNUNET_SYSERR;
2591 ret = gnutls_x509_crt_import (crt,
2593 GNUTLS_X509_FMT_PEM);
2594 if (GNUTLS_E_SUCCESS != ret)
2596 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2597 _("Unable to import certificate from `%s'\n"),
2600 GNUNET_free_non_null (cert_data.data);
2601 return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
2606 * Generate new certificate for specific name
2608 * @param name the subject name to generate a cert for
2609 * @return a struct holding the PEM data, NULL on error
2611 static struct ProxyGNSCertificate *
2612 generate_gns_certificate (const char *name)
2614 unsigned int serial;
2615 size_t key_buf_size;
2616 size_t cert_buf_size;
2617 gnutls_x509_crt_t request;
2620 struct ProxyGNSCertificate *pgc;
2622 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2623 "Generating x.509 certificate for `%s'\n",
2625 GNUNET_break (GNUTLS_E_SUCCESS == gnutls_x509_crt_init (&request));
2626 GNUNET_break (GNUTLS_E_SUCCESS == gnutls_x509_crt_set_key (request, proxy_ca.key));
2627 pgc = GNUNET_new (struct ProxyGNSCertificate);
2628 gnutls_x509_crt_set_dn_by_oid (request,
2629 GNUTLS_OID_X520_COUNTRY_NAME,
2633 gnutls_x509_crt_set_dn_by_oid (request,
2634 GNUTLS_OID_X520_ORGANIZATION_NAME,
2637 strlen ("GNU Name System"));
2638 gnutls_x509_crt_set_dn_by_oid (request,
2639 GNUTLS_OID_X520_COMMON_NAME,
2643 GNUNET_break (GNUTLS_E_SUCCESS ==
2644 gnutls_x509_crt_set_version (request,
2646 gnutls_rnd (GNUTLS_RND_NONCE,
2649 gnutls_x509_crt_set_serial (request,
2652 etime = time (NULL);
2653 tm_data = localtime (&etime);
2655 etime = mktime(tm_data);
2656 gnutls_x509_crt_set_activation_time (request,
2659 etime = mktime (tm_data);
2660 gnutls_x509_crt_set_expiration_time (request,
2662 gnutls_x509_crt_sign2 (request,
2667 key_buf_size = sizeof (pgc->key);
2668 cert_buf_size = sizeof (pgc->cert);
2669 gnutls_x509_crt_export (request,
2670 GNUTLS_X509_FMT_PEM,
2673 gnutls_x509_privkey_export (proxy_ca.key,
2674 GNUTLS_X509_FMT_PEM,
2677 gnutls_x509_crt_deinit (request);
2683 * Function called by MHD with errors, suppresses them all.
2685 * @param cls closure
2686 * @param fm format string (`printf()`-style)
2687 * @param ap arguments to @a fm
2690 mhd_error_log_callback (void *cls,
2699 * Lookup (or create) an TLS MHD instance for a particular domain.
2701 * @param domain the domain the TLS daemon has to serve
2702 * @return NULL on error
2704 static struct MhdHttpList *
2705 lookup_ssl_httpd (const char* domain)
2707 struct MhdHttpList *hd;
2708 struct ProxyGNSCertificate *pgc;
2715 for (hd = mhd_httpd_head; NULL != hd; hd = hd->next)
2716 if ( (NULL != hd->domain) &&
2717 (0 == strcmp (hd->domain, domain)) )
2719 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2720 "Starting fresh MHD HTTPS instance for domain `%s'\n",
2722 pgc = generate_gns_certificate (domain);
2723 hd = GNUNET_new (struct MhdHttpList);
2724 hd->is_ssl = GNUNET_YES;
2725 hd->domain = GNUNET_strdup (domain);
2726 hd->proxy_cert = pgc;
2727 hd->daemon = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_SSL | MHD_USE_NO_LISTEN_SOCKET | MHD_ALLOW_SUSPEND_RESUME,
2730 &create_response, hd,
2731 MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 16,
2732 MHD_OPTION_NOTIFY_COMPLETED, &mhd_completed_cb, NULL,
2733 MHD_OPTION_NOTIFY_CONNECTION, &mhd_connection_cb, NULL,
2734 MHD_OPTION_URI_LOG_CALLBACK, &mhd_log_callback, NULL,
2735 MHD_OPTION_EXTERNAL_LOGGER, &mhd_error_log_callback, NULL,
2736 MHD_OPTION_HTTPS_MEM_KEY, pgc->key,
2737 MHD_OPTION_HTTPS_MEM_CERT, pgc->cert,
2739 if (NULL == hd->daemon)
2745 GNUNET_CONTAINER_DLL_insert (mhd_httpd_head,
2753 * Task run when a Socks5Request somehow fails to be associated with
2754 * an MHD connection (i.e. because the client never speaks HTTP after
2755 * the SOCKS5 handshake). Clean up.
2757 * @param cls the `struct Socks5Request *`
2760 timeout_s5r_handshake (void *cls)
2762 struct Socks5Request *s5r = cls;
2764 s5r->timeout_task = NULL;
2770 * We're done with the Socks5 protocol, now we need to pass the
2771 * connection data through to the final destination, either
2772 * direct (if the protocol might not be HTTP), or via MHD
2773 * (if the port looks like it should be HTTP).
2775 * @param s5r socks request that has reached the final stage
2778 setup_data_transfer (struct Socks5Request *s5r)
2780 struct MhdHttpList *hd;
2782 const struct sockaddr *addr;
2789 GNUNET_asprintf (&domain,
2792 hd = lookup_ssl_httpd (domain);
2795 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2796 _("Failed to start HTTPS server for `%s'\n"),
2799 GNUNET_free (domain);
2806 GNUNET_assert (NULL != httpd);
2810 fd = GNUNET_NETWORK_get_fd (s5r->sock);
2811 addr = GNUNET_NETWORK_get_addr (s5r->sock);
2812 len = GNUNET_NETWORK_get_addrlen (s5r->sock);
2813 s5r->state = SOCKS5_SOCKET_WITH_MHD;
2815 MHD_add_connection (hd->daemon,
2820 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2821 _("Failed to pass client to MHD\n"));
2823 GNUNET_free_non_null (domain);
2827 schedule_httpd (hd);
2828 s5r->timeout_task = GNUNET_SCHEDULER_add_delayed (HTTP_HANDSHAKE_TIMEOUT,
2829 &timeout_s5r_handshake,
2831 GNUNET_free_non_null (domain);
2835 /* ********************* SOCKS handling ************************* */
2839 * Write data from buffer to socks5 client, then continue with state machine.
2841 * @param cls the closure with the `struct Socks5Request`
2844 do_write (void *cls)
2846 struct Socks5Request *s5r = cls;
2850 len = GNUNET_NETWORK_socket_send (s5r->sock,
2855 /* write error: connection closed, shutdown, etc.; just clean up */
2856 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2863 s5r->wbuf_len - len);
2864 s5r->wbuf_len -= len;
2865 if (s5r->wbuf_len > 0)
2867 /* not done writing */
2869 GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
2875 /* we're done writing, continue with state machine! */
2882 case SOCKS5_REQUEST:
2883 GNUNET_assert (NULL != s5r->rtask);
2885 case SOCKS5_DATA_TRANSFER:
2886 setup_data_transfer (s5r);
2888 case SOCKS5_WRITE_THEN_CLEANUP:
2899 * Return a server response message indicating a failure to the client.
2901 * @param s5r request to return failure code for
2902 * @param sc status code to return
2905 signal_socks_failure (struct Socks5Request *s5r,
2906 enum Socks5StatusCode sc)
2908 struct Socks5ServerResponseMessage *s_resp;
2910 s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];
2911 memset (s_resp, 0, sizeof (struct Socks5ServerResponseMessage));
2912 s_resp->version = SOCKS_VERSION_5;
2914 s5r->state = SOCKS5_WRITE_THEN_CLEANUP;
2915 if (NULL != s5r->wtask)
2917 GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
2924 * Return a server response message indicating success.
2926 * @param s5r request to return success status message for
2929 signal_socks_success (struct Socks5Request *s5r)
2931 struct Socks5ServerResponseMessage *s_resp;
2933 s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];
2934 s_resp->version = SOCKS_VERSION_5;
2935 s_resp->reply = SOCKS5_STATUS_REQUEST_GRANTED;
2936 s_resp->reserved = 0;
2937 s_resp->addr_type = SOCKS5_AT_IPV4;
2938 /* zero out IPv4 address and port */
2941 sizeof (struct in_addr) + sizeof (uint16_t));
2942 s5r->wbuf_len += sizeof (struct Socks5ServerResponseMessage) +
2943 sizeof (struct in_addr) + sizeof (uint16_t);
2944 if (NULL == s5r->wtask)
2946 GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
2953 * Process GNS results for target domain.
2955 * @param cls the `struct Socks5Request *`
2956 * @param tld #GNUNET_YES if this was a GNS TLD.
2957 * @param rd_count number of records returned
2958 * @param rd record data
2961 handle_gns_result (void *cls,
2964 const struct GNUNET_GNSRECORD_Data *rd)
2966 struct Socks5Request *s5r = cls;
2967 const struct GNUNET_GNSRECORD_Data *r;
2970 s5r->gns_lookup = NULL;
2973 for (uint32_t i=0;i<rd_count;i++)
2976 switch (r->record_type)
2978 case GNUNET_DNSPARSER_TYPE_A:
2980 struct sockaddr_in *in;
2982 if (sizeof (struct in_addr) != r->data_size)
2984 GNUNET_break_op (0);
2987 if (GNUNET_YES == got_ip)
2990 GNUNET_NETWORK_test_pf (PF_INET))
2992 got_ip = GNUNET_YES;
2993 in = (struct sockaddr_in *) &s5r->destination_address;
2994 in->sin_family = AF_INET;
2995 GNUNET_memcpy (&in->sin_addr,
2998 in->sin_port = htons (s5r->port);
2999 #if HAVE_SOCKADDR_IN_SIN_LEN
3000 in->sin_len = sizeof (*in);
3004 case GNUNET_DNSPARSER_TYPE_AAAA:
3006 struct sockaddr_in6 *in;
3008 if (sizeof (struct in6_addr) != r->data_size)
3010 GNUNET_break_op (0);
3013 if (GNUNET_YES == got_ip)
3015 if (GNUNET_YES == disable_v6)
3018 GNUNET_NETWORK_test_pf (PF_INET6))
3020 /* FIXME: allow user to disable IPv6 per configuration option... */
3021 got_ip = GNUNET_YES;
3022 in = (struct sockaddr_in6 *) &s5r->destination_address;
3023 in->sin6_family = AF_INET6;
3024 GNUNET_memcpy (&in->sin6_addr,
3027 in->sin6_port = htons (s5r->port);
3028 #if HAVE_SOCKADDR_IN_SIN_LEN
3029 in->sin6_len = sizeof (*in);
3033 case GNUNET_GNSRECORD_TYPE_VPN:
3034 GNUNET_break (0); /* should have been translated within GNS */
3036 case GNUNET_GNSRECORD_TYPE_LEHO:
3037 GNUNET_free_non_null (s5r->leho);
3038 s5r->leho = GNUNET_strndup (r->data,
3041 case GNUNET_GNSRECORD_TYPE_BOX:
3043 const struct GNUNET_GNSRECORD_BoxRecord *box;
3045 if (r->data_size < sizeof (struct GNUNET_GNSRECORD_BoxRecord))
3047 GNUNET_break_op (0);
3051 if ( (ntohl (box->record_type) != GNUNET_DNSPARSER_TYPE_TLSA) ||
3052 (ntohs (box->protocol) != IPPROTO_TCP) ||
3053 (ntohs (box->service) != s5r->port) )
3054 break; /* BOX record does not apply */
3055 GNUNET_free_non_null (s5r->dane_data);
3056 s5r->dane_data_len = r->data_size - sizeof (struct GNUNET_GNSRECORD_BoxRecord);
3057 s5r->dane_data = GNUNET_malloc (s5r->dane_data_len);
3058 GNUNET_memcpy (s5r->dane_data,
3060 s5r->dane_data_len);
3068 if ( (GNUNET_YES != got_ip) &&
3069 (GNUNET_YES == tld) )
3071 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3072 "Name resolution failed to yield useful IP address.\n");
3073 signal_socks_failure (s5r,
3074 SOCKS5_STATUS_GENERAL_FAILURE);
3077 s5r->state = SOCKS5_DATA_TRANSFER;
3078 signal_socks_success (s5r);
3083 * Remove the first @a len bytes from the beginning of the read buffer.
3085 * @param s5r the handle clear the read buffer for
3086 * @param len number of bytes in read buffer to advance
3089 clear_from_s5r_rbuf (struct Socks5Request *s5r,
3092 GNUNET_assert (len <= s5r->rbuf_len);
3095 s5r->rbuf_len - len);
3096 s5r->rbuf_len -= len;
3101 * Read data from incoming Socks5 connection
3103 * @param cls the closure with the `struct Socks5Request`
3106 do_s5r_read (void *cls)
3108 struct Socks5Request *s5r = cls;
3109 const struct Socks5ClientHelloMessage *c_hello;
3110 struct Socks5ServerHelloMessage *s_hello;
3111 const struct Socks5ClientRequestMessage *c_req;
3114 const struct GNUNET_SCHEDULER_TaskContext *tc;
3117 tc = GNUNET_SCHEDULER_get_task_context ();
3118 if ( (NULL != tc->read_ready) &&
3119 (GNUNET_NETWORK_fdset_isset (tc->read_ready,
3122 rlen = GNUNET_NETWORK_socket_recv (s5r->sock,
3123 &s5r->rbuf[s5r->rbuf_len],
3124 sizeof (s5r->rbuf) - s5r->rbuf_len);
3127 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3128 "socks5 client disconnected.\n");
3132 s5r->rbuf_len += rlen;
3134 s5r->rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3137 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3138 "Processing %zu bytes of socks data in state %d\n",
3144 c_hello = (const struct Socks5ClientHelloMessage*) &s5r->rbuf;
3145 if ( (s5r->rbuf_len < sizeof (struct Socks5ClientHelloMessage)) ||
3146 (s5r->rbuf_len < sizeof (struct Socks5ClientHelloMessage) + c_hello->num_auth_methods) )
3147 return; /* need more data */
3148 if (SOCKS_VERSION_5 != c_hello->version)
3150 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3151 _("Unsupported socks version %d\n"),
3152 (int) c_hello->version);
3156 clear_from_s5r_rbuf (s5r,
3157 sizeof (struct Socks5ClientHelloMessage) + c_hello->num_auth_methods);
3158 GNUNET_assert (0 == s5r->wbuf_len);
3159 s_hello = (struct Socks5ServerHelloMessage *) &s5r->wbuf;
3160 s5r->wbuf_len = sizeof (struct Socks5ServerHelloMessage);
3161 s_hello->version = SOCKS_VERSION_5;
3162 s_hello->auth_method = SOCKS_AUTH_NONE;
3163 GNUNET_assert (NULL == s5r->wtask);
3164 s5r->wtask = GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
3167 s5r->state = SOCKS5_REQUEST;
3169 case SOCKS5_REQUEST:
3170 c_req = (const struct Socks5ClientRequestMessage *) &s5r->rbuf;
3171 if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage))
3173 switch (c_req->command)
3175 case SOCKS5_CMD_TCP_STREAM:
3179 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3180 _("Unsupported socks command %d\n"),
3181 (int) c_req->command);
3182 signal_socks_failure (s5r,
3183 SOCKS5_STATUS_COMMAND_NOT_SUPPORTED);
3186 switch (c_req->addr_type)
3188 case SOCKS5_AT_IPV4:
3190 const struct in_addr *v4 = (const struct in_addr *) &c_req[1];
3191 const uint16_t *port = (const uint16_t *) &v4[1];
3192 struct sockaddr_in *in;
3194 s5r->port = ntohs (*port);
3195 alen = sizeof (struct in_addr);
3196 if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage) +
3197 alen + sizeof (uint16_t))
3198 return; /* need more data */
3199 in = (struct sockaddr_in *) &s5r->destination_address;
3200 in->sin_family = AF_INET;
3202 in->sin_port = *port;
3203 #if HAVE_SOCKADDR_IN_SIN_LEN
3204 in->sin_len = sizeof (*in);
3206 s5r->state = SOCKS5_DATA_TRANSFER;
3209 case SOCKS5_AT_IPV6:
3211 const struct in6_addr *v6 = (const struct in6_addr *) &c_req[1];
3212 const uint16_t *port = (const uint16_t *) &v6[1];
3213 struct sockaddr_in6 *in;
3215 s5r->port = ntohs (*port);
3216 alen = sizeof (struct in6_addr);
3217 if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage) +
3218 alen + sizeof (uint16_t))
3219 return; /* need more data */
3220 in = (struct sockaddr_in6 *) &s5r->destination_address;
3221 in->sin6_family = AF_INET6;
3222 in->sin6_addr = *v6;
3223 in->sin6_port = *port;
3224 #if HAVE_SOCKADDR_IN_SIN_LEN
3225 in->sin6_len = sizeof (*in);
3227 s5r->state = SOCKS5_DATA_TRANSFER;
3230 case SOCKS5_AT_DOMAINNAME:
3232 const uint8_t *dom_len;
3233 const char *dom_name;
3234 const uint16_t *port;
3236 dom_len = (const uint8_t *) &c_req[1];
3237 alen = *dom_len + 1;
3238 if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage) +
3239 alen + sizeof (uint16_t))
3240 return; /* need more data */
3241 dom_name = (const char *) &dom_len[1];
3242 port = (const uint16_t*) &dom_name[*dom_len];
3243 s5r->domain = GNUNET_strndup (dom_name,
3245 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3246 "Requested connection is to http%s://%s:%d\n",
3247 (HTTPS_PORT == s5r->port) ? "s" : "",
3250 s5r->state = SOCKS5_RESOLVING;
3251 s5r->port = ntohs (*port);
3252 s5r->gns_lookup = GNUNET_GNS_lookup_with_tld (gns_handle,
3254 GNUNET_DNSPARSER_TYPE_A,
3255 GNUNET_NO /* only cached */,
3261 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3262 _("Unsupported socks address type %d\n"),
3263 (int) c_req->addr_type);
3264 signal_socks_failure (s5r,
3265 SOCKS5_STATUS_ADDRESS_TYPE_NOT_SUPPORTED);
3268 clear_from_s5r_rbuf (s5r,
3269 sizeof (struct Socks5ClientRequestMessage) +
3270 alen + sizeof (uint16_t));
3271 if (0 != s5r->rbuf_len)
3273 /* read more bytes than healthy, why did the client send more!? */
3274 GNUNET_break_op (0);
3275 signal_socks_failure (s5r,
3276 SOCKS5_STATUS_GENERAL_FAILURE);
3279 if (SOCKS5_DATA_TRANSFER == s5r->state)
3281 /* if we are not waiting for GNS resolution, signal success */
3282 signal_socks_success (s5r);
3284 /* We are done reading right now */
3285 GNUNET_SCHEDULER_cancel (s5r->rtask);
3288 case SOCKS5_RESOLVING:
3291 case SOCKS5_DATA_TRANSFER:
3302 * Accept new incoming connections
3304 * @param cls the closure with the lsock4 or lsock6
3305 * @param tc the scheduler context
3308 do_accept (void *cls)
3310 struct GNUNET_NETWORK_Handle *lsock = cls;
3311 struct GNUNET_NETWORK_Handle *s;
3312 struct Socks5Request *s5r;
3314 GNUNET_assert (NULL != lsock);
3315 if (lsock == lsock4)
3316 ltask4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3320 else if (lsock == lsock6)
3321 ltask6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3327 s = GNUNET_NETWORK_socket_accept (lsock,
3332 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3336 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3337 "Got an inbound connection, waiting for data\n");
3338 s5r = GNUNET_new (struct Socks5Request);
3339 GNUNET_CONTAINER_DLL_insert (s5r_head,
3343 s5r->state = SOCKS5_INIT;
3344 s5r->rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3351 /* ******************* General / main code ********************* */
3355 * Task run on shutdown
3357 * @param cls closure
3360 do_shutdown (void *cls)
3362 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
3363 "Shutting down...\n");
3364 /* MHD requires resuming before destroying the daemons */
3365 for (struct Socks5Request *s5r = s5r_head;
3371 s5r->suspended = GNUNET_NO;
3372 MHD_resume_connection (s5r->con);
3375 while (NULL != mhd_httpd_head)
3376 kill_httpd (mhd_httpd_head);
3377 while (NULL != s5r_head)
3378 cleanup_s5r (s5r_head);
3381 GNUNET_NETWORK_socket_close (lsock4);
3386 GNUNET_NETWORK_socket_close (lsock6);
3389 if (NULL != curl_multi)
3391 curl_multi_cleanup (curl_multi);
3394 if (NULL != gns_handle)
3396 GNUNET_GNS_disconnect (gns_handle);
3399 if (NULL != curl_download_task)
3401 GNUNET_SCHEDULER_cancel (curl_download_task);
3402 curl_download_task = NULL;
3406 GNUNET_SCHEDULER_cancel (ltask4);
3411 GNUNET_SCHEDULER_cancel (ltask6);
3414 gnutls_x509_crt_deinit (proxy_ca.cert);
3415 gnutls_x509_privkey_deinit (proxy_ca.key);
3416 gnutls_global_deinit ();
3421 * Create an IPv4 listen socket bound to our port.
3423 * @return NULL on error
3425 static struct GNUNET_NETWORK_Handle *
3428 struct GNUNET_NETWORK_Handle *ls;
3429 struct sockaddr_in sa4;
3432 memset (&sa4, 0, sizeof (sa4));
3433 sa4.sin_family = AF_INET;
3434 sa4.sin_port = htons (port);
3435 #if HAVE_SOCKADDR_IN_SIN_LEN
3436 sa4.sin_len = sizeof (sa4);
3438 ls = GNUNET_NETWORK_socket_create (AF_INET,
3444 GNUNET_NETWORK_socket_bind (ls,
3445 (const struct sockaddr *) &sa4,
3449 GNUNET_NETWORK_socket_close (ls);
3458 * Create an IPv6 listen socket bound to our port.
3460 * @return NULL on error
3462 static struct GNUNET_NETWORK_Handle *
3465 struct GNUNET_NETWORK_Handle *ls;
3466 struct sockaddr_in6 sa6;
3469 memset (&sa6, 0, sizeof (sa6));
3470 sa6.sin6_family = AF_INET6;
3471 sa6.sin6_port = htons (port);
3472 #if HAVE_SOCKADDR_IN_SIN_LEN
3473 sa6.sin6_len = sizeof (sa6);
3475 ls = GNUNET_NETWORK_socket_create (AF_INET6,
3481 GNUNET_NETWORK_socket_bind (ls,
3482 (const struct sockaddr *) &sa6,
3486 GNUNET_NETWORK_socket_close (ls);
3495 * Main function that will be run
3497 * @param cls closure
3498 * @param args remaining command-line arguments
3499 * @param cfgfile name of the configuration file used (for saving, can be NULL!)
3500 * @param c configuration
3505 const char *cfgfile,
3506 const struct GNUNET_CONFIGURATION_Handle *c)
3508 char* cafile_cfg = NULL;
3510 struct MhdHttpList *hd;
3514 if (NULL == (curl_multi = curl_multi_init ()))
3516 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3517 "Failed to create cURL multi handle!\n");
3520 cafile = cafile_opt;
3524 GNUNET_CONFIGURATION_get_value_filename (cfg,
3529 GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
3534 cafile = cafile_cfg;
3536 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3537 "Using `%s' as CA\n",
3540 gnutls_global_init ();
3541 gnutls_x509_crt_init (&proxy_ca.cert);
3542 gnutls_x509_privkey_init (&proxy_ca.key);
3545 load_cert_from_file (proxy_ca.cert,
3548 load_key_from_file (proxy_ca.key,
3551 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3552 _("Failed to load X.509 key and certificate from `%s'\n"),
3554 gnutls_x509_crt_deinit (proxy_ca.cert);
3555 gnutls_x509_privkey_deinit (proxy_ca.key);
3556 gnutls_global_deinit ();
3557 GNUNET_free_non_null (cafile_cfg);
3560 GNUNET_free_non_null (cafile_cfg);
3561 if (NULL == (gns_handle = GNUNET_GNS_connect (cfg)))
3563 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3564 "Unable to connect to GNS!\n");
3565 gnutls_x509_crt_deinit (proxy_ca.cert);
3566 gnutls_x509_privkey_deinit (proxy_ca.key);
3567 gnutls_global_deinit ();
3570 GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
3573 /* Open listen socket for socks proxy */
3574 lsock6 = bind_v6 ();
3577 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3583 GNUNET_NETWORK_socket_listen (lsock6,
3586 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3588 GNUNET_NETWORK_socket_close (lsock6);
3593 ltask6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3599 lsock4 = bind_v4 ();
3602 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3608 GNUNET_NETWORK_socket_listen (lsock4,
3611 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3613 GNUNET_NETWORK_socket_close (lsock4);
3618 ltask4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3624 if ( (NULL == lsock4) &&
3627 GNUNET_SCHEDULER_shutdown ();
3630 if (0 != curl_global_init (CURL_GLOBAL_WIN32))
3632 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3633 "cURL global init failed!\n");
3634 GNUNET_SCHEDULER_shutdown ();
3637 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3638 "Proxy listens on port %u\n",
3639 (unsigned int) port);
3641 /* start MHD daemon for HTTP */
3642 hd = GNUNET_new (struct MhdHttpList);
3643 hd->daemon = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_NO_LISTEN_SOCKET | MHD_ALLOW_SUSPEND_RESUME,
3646 &create_response, hd,
3647 MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 16,
3648 MHD_OPTION_NOTIFY_COMPLETED, &mhd_completed_cb, NULL,
3649 MHD_OPTION_NOTIFY_CONNECTION, &mhd_connection_cb, NULL,
3650 MHD_OPTION_URI_LOG_CALLBACK, &mhd_log_callback, NULL,
3652 if (NULL == hd->daemon)
3655 GNUNET_SCHEDULER_shutdown ();
3659 GNUNET_CONTAINER_DLL_insert (mhd_httpd_head,
3666 * The main function for gnunet-gns-proxy.
3668 * @param argc number of arguments from the command line
3669 * @param argv command line arguments
3670 * @return 0 ok, 1 on error
3676 struct GNUNET_GETOPT_CommandLineOption options[] = {
3677 GNUNET_GETOPT_option_uint16 ('p',
3680 gettext_noop ("listen on specified port (default: 7777)"),
3682 GNUNET_GETOPT_option_string ('a',
3685 gettext_noop ("pem file to use as CA"),
3687 GNUNET_GETOPT_option_flag ('6',
3689 gettext_noop ("disable use of IPv6"),
3692 GNUNET_GETOPT_OPTION_END
3694 static const char* page =
3695 "<html><head><title>gnunet-gns-proxy</title>"
3696 "</head><body>cURL fail</body></html>";
3700 GNUNET_STRINGS_get_utf8_args (argc, argv,
3703 GNUNET_log_setup ("gnunet-gns-proxy",
3706 curl_failure_response
3707 = MHD_create_response_from_buffer (strlen (page),
3709 MHD_RESPMEM_PERSISTENT);
3713 GNUNET_PROGRAM_run (argc, argv,
3715 _("GNUnet GNS proxy"),
3717 &run, NULL)) ? 0 : 1;
3718 MHD_destroy_response (curl_failure_response);
3719 GNUNET_free_non_null ((char *) argv);
3723 /* end of gnunet-gns-proxy.c */