2 This file is part of GNUnet.
3 Copyright (C) 2012-2018 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
21 * @author Martin Schanzenbach
22 * @author Christian Grothoff
23 * @file src/gns/gnunet-gns-proxy.c
24 * @brief HTTP(S) proxy that rewrites URIs and fakes certificats to make GNS work
25 * with legacy browsers
28 * - double-check queueing logic
31 #include <microhttpd.h>
32 /* Just included for the right curl.h */
33 #include "gnunet_curl_lib.h"
34 #include <gnutls/gnutls.h>
35 #include <gnutls/x509.h>
36 #include <gnutls/abstract.h>
37 #include <gnutls/crypto.h>
39 #include <gnutls/dane.h>
42 #include "gnunet_util_lib.h"
43 #include "gnunet_gns_service.h"
44 #include "gnunet_identity_service.h"
50 * Default Socks5 listen port.
52 #define GNUNET_GNS_PROXY_PORT 7777
55 * Maximum supported length for a URI.
56 * Should die. @deprecated
58 #define MAX_HTTP_URI_LENGTH 2048
61 * Maximum number of DANE records we support
62 * per domain name (and port and protocol).
67 * Size of the buffer for the data upload / download. Must be
68 * enough for curl, thus CURL_MAX_WRITE_SIZE is needed here (16k).
70 #define IO_BUFFERSIZE CURL_MAX_WRITE_SIZE
73 * Size of the read/write buffers for Socks. Uses
74 * 256 bytes for the hostname (at most), plus a few
75 * bytes overhead for the messages.
77 #define SOCKS_BUFFERSIZE (256 + 32)
80 * Port for plaintext HTTP.
87 #define HTTPS_PORT 443
90 * Largest allowed size for a PEM certificate.
92 #define MAX_PEM_SIZE (10 * 1024)
95 * After how long do we clean up unused MHD TLS instances?
97 #define MHD_CACHE_TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MINUTES, 5)
100 * After how long do we clean up Socks5 handles that failed to show any activity
101 * with their respective MHD instance?
103 #define HTTP_HANDSHAKE_TIMEOUT GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_SECONDS, 15)
109 * @param level log level
110 * @param fun name of curl_easy-function that gave the error
111 * @param rc return code from curl
113 #define LOG_CURL_EASY(level,fun,rc) \
115 _("%s failed at %s:%d: `%s'\n"), \
119 curl_easy_strerror (rc))
122 /* *************** Socks protocol definitions (move to TUN?) ****************** */
125 * Which SOCKS version do we speak?
127 #define SOCKS_VERSION_5 0x05
130 * Flag to set for 'no authentication'.
132 #define SOCKS_AUTH_NONE 0
136 * Commands in Socks5.
141 * Establish TCP/IP stream.
143 SOCKS5_CMD_TCP_STREAM = 1,
146 * Establish TCP port binding.
148 SOCKS5_CMD_TCP_PORT = 2,
151 * Establish UDP port binding.
153 SOCKS5_CMD_UDP_PORT = 3
158 * Address types in Socks5.
160 enum Socks5AddressType
170 SOCKS5_AT_DOMAINNAME = 3,
181 * Status codes in Socks5 response.
183 enum Socks5StatusCode
185 SOCKS5_STATUS_REQUEST_GRANTED = 0,
186 SOCKS5_STATUS_GENERAL_FAILURE = 1,
187 SOCKS5_STATUS_CONNECTION_NOT_ALLOWED_BY_RULE = 2,
188 SOCKS5_STATUS_NETWORK_UNREACHABLE = 3,
189 SOCKS5_STATUS_HOST_UNREACHABLE = 4,
190 SOCKS5_STATUS_CONNECTION_REFUSED_BY_HOST = 5,
191 SOCKS5_STATUS_TTL_EXPIRED = 6,
192 SOCKS5_STATUS_COMMAND_NOT_SUPPORTED = 7,
193 SOCKS5_STATUS_ADDRESS_TYPE_NOT_SUPPORTED = 8
198 * Client hello in Socks5 protocol.
200 struct Socks5ClientHelloMessage
203 * Should be #SOCKS_VERSION_5.
208 * How many authentication methods does the client support.
210 uint8_t num_auth_methods;
212 /* followed by supported authentication methods, 1 byte per method */
218 * Server hello in Socks5 protocol.
220 struct Socks5ServerHelloMessage
223 * Should be #SOCKS_VERSION_5.
228 * Chosen authentication method, for us always #SOCKS_AUTH_NONE,
229 * which skips the authentication step.
236 * Client socks request in Socks5 protocol.
238 struct Socks5ClientRequestMessage
241 * Should be #SOCKS_VERSION_5.
246 * Command code, we only uspport #SOCKS5_CMD_TCP_STREAM.
251 * Reserved, always zero.
256 * Address type, an `enum Socks5AddressType`.
261 * Followed by either an ip4/ipv6 address or a domain name with a
262 * length field (uint8_t) in front (depending on @e addr_type).
263 * followed by port number in network byte order (uint16_t).
269 * Server response to client requests in Socks5 protocol.
271 struct Socks5ServerResponseMessage
274 * Should be #SOCKS_VERSION_5.
279 * Status code, an `enum Socks5StatusCode`
289 * Address type, an `enum Socks5AddressType`.
294 * Followed by either an ip4/ipv6 address or a domain name with a
295 * length field (uint8_t) in front (depending on @e addr_type).
296 * followed by port number in network byte order (uint16_t).
303 /* *********************** Datastructures for HTTP handling ****************** */
306 * A structure for CA cert/key
313 gnutls_x509_crt_t cert;
318 gnutls_x509_privkey_t key;
323 * Structure for GNS certificates
325 struct ProxyGNSCertificate
328 * The certificate as PEM
330 char cert[MAX_PEM_SIZE];
333 * The private key as PEM
335 char key[MAX_PEM_SIZE];
341 * A structure for all running Httpds
348 struct MhdHttpList *prev;
353 struct MhdHttpList *next;
356 * the domain name to server (only important for TLS)
363 struct MHD_Daemon *daemon;
366 * Optional proxy certificate used
368 struct ProxyGNSCertificate *proxy_cert;
373 struct GNUNET_SCHEDULER_Task *httpd_task;
376 * is this an ssl daemon?
383 /* ***************** Datastructures for Socks handling **************** */
392 * We're waiting to get the client hello.
397 * We're waiting to get the initial request.
402 * We are currently resolving the destination.
407 * We're in transfer mode.
409 SOCKS5_DATA_TRANSFER,
412 * Finish writing the write buffer, then clean up.
414 SOCKS5_WRITE_THEN_CLEANUP,
417 * Socket has been passed to MHD, do not close it anymore.
419 SOCKS5_SOCKET_WITH_MHD,
422 * We've started receiving upload data from MHD.
424 SOCKS5_SOCKET_UPLOAD_STARTED,
427 * We've finished receiving upload data from MHD.
429 SOCKS5_SOCKET_UPLOAD_DONE,
432 * We've finished uploading data via CURL and can now download.
434 SOCKS5_SOCKET_DOWNLOAD_STARTED,
437 * We've finished receiving download data from cURL.
439 SOCKS5_SOCKET_DOWNLOAD_DONE
446 struct HttpResponseHeader
451 struct HttpResponseHeader *next;
456 struct HttpResponseHeader *prev;
470 * A structure for socks requests
478 struct Socks5Request *next;
483 struct Socks5Request *prev;
488 struct GNUNET_NETWORK_Handle *sock;
491 * Handle to GNS lookup, during #SOCKS5_RESOLVING phase.
493 struct GNUNET_GNS_LookupWithTldRequest *gns_lookup;
496 * Client socket read task
498 struct GNUNET_SCHEDULER_Task *rtask;
501 * Client socket write task
503 struct GNUNET_SCHEDULER_Task *wtask;
508 struct GNUNET_SCHEDULER_Task *timeout_task;
513 char rbuf[SOCKS_BUFFERSIZE];
518 char wbuf[SOCKS_BUFFERSIZE];
521 * Buffer we use for moving data between MHD and curl (in both directions).
523 char io_buf[IO_BUFFERSIZE];
526 * MHD HTTP instance handling this request, NULL for none.
528 struct MhdHttpList *hd;
531 * MHD connection for this request.
533 struct MHD_Connection *con;
536 * MHD response object for this request.
538 struct MHD_Response *response;
541 * the domain name to server (only important for TLS)
546 * DNS Legacy Host Name as given by GNS, NULL if not given.
551 * Payload of the DANE records encountered.
553 char *dane_data[MAX_DANES + 1];
566 * HTTP request headers for the curl request.
568 struct curl_slist *headers;
571 * DNS->IP mappings resolved through GNS
573 struct curl_slist *hosts;
576 * HTTP response code to give to MHD for the response.
578 unsigned int response_code;
581 * Number of bytes in @e dane_data.
583 int dane_data_len[MAX_DANES + 1];
586 * Number of entries used in @e dane_data_len
589 unsigned int num_danes;
592 * Number of bytes already in read buffer
597 * Number of bytes already in write buffer
602 * Number of bytes already in the IO buffer.
607 * Once known, what's the target address for the connection?
609 struct sockaddr_storage destination_address;
614 enum SocksPhase state;
617 * Desired destination port.
622 * Headers from response
624 struct HttpResponseHeader *header_head;
627 * Headers from response
629 struct HttpResponseHeader *header_tail;
632 * X.509 Certificate status
637 * Was the hostname resolved via GNS?
642 * This is (probably) a TLS connection
647 * Did we suspend MHD processing?
652 * Did we pause CURL processing?
659 /* *********************** Globals **************************** */
662 * The address to bind to
664 static in_addr_t address;
667 * The IPv6 address to bind to
669 static struct in6_addr address6;
672 * The port the proxy is running on (default 7777)
674 static uint16_t port = GNUNET_GNS_PROXY_PORT;
677 * The CA file (pem) to use for the proxy CA
679 static char *cafile_opt;
682 * The listen socket of the proxy for IPv4
684 static struct GNUNET_NETWORK_Handle *lsock4;
687 * The listen socket of the proxy for IPv6
689 static struct GNUNET_NETWORK_Handle *lsock6;
692 * The listen task ID for IPv4
694 static struct GNUNET_SCHEDULER_Task * ltask4;
697 * The listen task ID for IPv6
699 static struct GNUNET_SCHEDULER_Task * ltask6;
702 * The cURL download task (curl multi API).
704 static struct GNUNET_SCHEDULER_Task * curl_download_task;
707 * The cURL multi handle
709 static CURLM *curl_multi;
712 * Handle to the GNS service
714 static struct GNUNET_GNS_Handle *gns_handle;
719 static int disable_v6;
722 * DLL for http/https daemons
724 static struct MhdHttpList *mhd_httpd_head;
727 * DLL for http/https daemons
729 static struct MhdHttpList *mhd_httpd_tail;
732 * Daemon for HTTP (we have one per X.509 certificate, and then one for
733 * all HTTP connections; this is the one for HTTP, not HTTPS).
735 static struct MhdHttpList *httpd;
738 * DLL of active socks requests.
740 static struct Socks5Request *s5r_head;
743 * DLL of active socks requests.
745 static struct Socks5Request *s5r_tail;
748 * The CA for X.509 certificate generation
750 static struct ProxyCA proxy_ca;
753 * Response we return on cURL failures.
755 static struct MHD_Response *curl_failure_response;
760 static const struct GNUNET_CONFIGURATION_Handle *cfg;
763 /* ************************* Global helpers ********************* */
767 * Run MHD now, we have extra data ready for the callback.
769 * @param hd the daemon to run now.
772 run_mhd_now (struct MhdHttpList *hd);
776 * Clean up s5r handles.
778 * @param s5r the handle to destroy
781 cleanup_s5r (struct Socks5Request *s5r)
783 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
784 "Cleaning up socks request\n");
785 if (NULL != s5r->curl)
787 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
788 "Cleaning up cURL handle\n");
789 curl_multi_remove_handle (curl_multi,
791 curl_easy_cleanup (s5r->curl);
796 s5r->suspended = GNUNET_NO;
797 MHD_resume_connection (s5r->con);
799 curl_slist_free_all (s5r->headers);
800 if (NULL != s5r->hosts)
802 curl_slist_free_all (s5r->hosts);
804 if ( (NULL != s5r->response) &&
805 (curl_failure_response != s5r->response) )
807 MHD_destroy_response (s5r->response);
808 s5r->response = NULL;
810 if (NULL != s5r->rtask)
812 GNUNET_SCHEDULER_cancel (s5r->rtask);
815 if (NULL != s5r->timeout_task)
817 GNUNET_SCHEDULER_cancel (s5r->timeout_task);
818 s5r->timeout_task = NULL;
820 if (NULL != s5r->wtask)
822 GNUNET_SCHEDULER_cancel (s5r->wtask);
825 if (NULL != s5r->gns_lookup)
827 GNUNET_GNS_lookup_with_tld_cancel (s5r->gns_lookup);
828 s5r->gns_lookup = NULL;
830 if (NULL != s5r->sock)
832 if (SOCKS5_SOCKET_WITH_MHD <= s5r->state)
833 GNUNET_NETWORK_socket_free_memory_only_ (s5r->sock);
835 GNUNET_NETWORK_socket_close (s5r->sock);
838 GNUNET_CONTAINER_DLL_remove (s5r_head,
841 GNUNET_free_non_null (s5r->domain);
842 GNUNET_free_non_null (s5r->leho);
843 GNUNET_free_non_null (s5r->url);
844 for (unsigned int i=0;i<s5r->num_danes;i++)
845 GNUNET_free (s5r->dane_data[i]);
850 /* ************************* HTTP handling with cURL *********************** */
853 curl_download_prepare ();
857 * Callback for MHD response generation. This function is called from
858 * MHD whenever MHD expects to get data back. Copies data from the
859 * io_buf, if available.
861 * @param cls closure with our `struct Socks5Request`
862 * @param pos in buffer
863 * @param buf where to copy data
864 * @param max available space in @a buf
865 * @return number of bytes written to @a buf
868 mhd_content_cb (void *cls,
873 struct Socks5Request *s5r = cls;
874 size_t bytes_to_copy;
876 if ( (SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state) ||
877 (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state) )
879 /* we're still not done with the upload, do not yet
880 start the download, the IO buffer is still full
882 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
883 "Pausing MHD download %s%s, not yet ready for download\n",
886 return 0; /* not yet ready for data download */
888 bytes_to_copy = GNUNET_MIN (max,
890 if ( (0 == bytes_to_copy) &&
891 (SOCKS5_SOCKET_DOWNLOAD_DONE != s5r->state) )
893 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
894 "Pausing MHD download %s%s, no data available\n",
897 if (NULL != s5r->curl)
899 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
900 "Continuing CURL interaction for %s%s\n",
903 if (GNUNET_YES == s5r->curl_paused)
905 s5r->curl_paused = GNUNET_NO;
906 curl_easy_pause (s5r->curl,
909 curl_download_prepare ();
911 if (GNUNET_NO == s5r->suspended)
913 MHD_suspend_connection (s5r->con);
914 s5r->suspended = GNUNET_YES;
916 return 0; /* more data later */
918 if ( (0 == bytes_to_copy) &&
919 (SOCKS5_SOCKET_DOWNLOAD_DONE == s5r->state) )
921 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
922 "Completed MHD download %s%s\n",
925 return MHD_CONTENT_READER_END_OF_STREAM;
927 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
928 "Writing %llu/%llu bytes to %s%s\n",
929 (unsigned long long) bytes_to_copy,
930 (unsigned long long) s5r->io_len,
936 memmove (s5r->io_buf,
937 &s5r->io_buf[bytes_to_copy],
938 s5r->io_len - bytes_to_copy);
939 s5r->io_len -= bytes_to_copy;
940 if ( (NULL != s5r->curl) &&
941 (GNUNET_YES == s5r->curl_paused) )
943 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
944 "Continuing CURL interaction for %s%s\n",
947 s5r->curl_paused = GNUNET_NO;
948 curl_easy_pause (s5r->curl,
951 return bytes_to_copy;
956 * Check that the website has presented us with a valid X.509 certificate.
957 * The certificate must either match the domain name or the LEHO name
958 * (or, if available, the TLSA record).
960 * @param s5r request to check for.
961 * @return #GNUNET_OK if the certificate is valid
964 check_ssl_certificate (struct Socks5Request *s5r)
966 unsigned int cert_list_size;
967 const gnutls_datum_t *chainp;
968 const struct curl_tlssessioninfo *tlsinfo;
969 char certdn[GNUNET_DNSPARSER_MAX_NAME_LENGTH + 3];
971 gnutls_x509_crt_t x509_cert;
975 s5r->ssl_checked = GNUNET_YES;
976 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
977 "Checking X.509 certificate\n");
979 curl_easy_getinfo (s5r->curl,
980 CURLINFO_TLS_SESSION,
982 return GNUNET_SYSERR;
983 if (CURLSSLBACKEND_GNUTLS != tlsinfo->backend)
985 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
986 _("Unsupported CURL TLS backend %d\n"),
988 return GNUNET_SYSERR;
990 chainp = gnutls_certificate_get_peers (tlsinfo->internals,
993 (0 == cert_list_size) )
994 return GNUNET_SYSERR;
996 size = sizeof (certdn);
997 /* initialize an X.509 certificate structure. */
998 gnutls_x509_crt_init (&x509_cert);
999 gnutls_x509_crt_import (x509_cert,
1001 GNUTLS_X509_FMT_DER);
1003 if (0 != (rc = gnutls_x509_crt_get_dn_by_oid (x509_cert,
1004 GNUTLS_OID_X520_COMMON_NAME,
1005 0, /* the first and only one */
1006 0 /* no DER encoding */,
1010 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1011 _("Failed to fetch CN from cert: %s\n"),
1012 gnutls_strerror(rc));
1013 gnutls_x509_crt_deinit (x509_cert);
1014 return GNUNET_SYSERR;
1016 /* check for TLSA/DANE records */
1017 #if HAVE_GNUTLS_DANE
1018 if (0 != s5r->num_danes)
1020 dane_state_t dane_state;
1021 dane_query_t dane_query;
1022 unsigned int verify;
1024 /* FIXME: add flags to gnutls to NOT read UNBOUND_ROOT_KEY_FILE here! */
1025 if (0 != (rc = dane_state_init (&dane_state,
1026 #ifdef DANE_F_IGNORE_DNSSEC
1027 DANE_F_IGNORE_DNSSEC |
1029 DANE_F_IGNORE_LOCAL_RESOLVER)))
1031 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1032 _("Failed to initialize DANE: %s\n"),
1034 gnutls_x509_crt_deinit (x509_cert);
1035 return GNUNET_SYSERR;
1037 s5r->dane_data[s5r->num_danes] = NULL;
1038 s5r->dane_data_len[s5r->num_danes] = 0;
1039 if (0 != (rc = dane_raw_tlsa (dane_state,
1046 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1047 _("Failed to parse DANE record: %s\n"),
1049 dane_state_deinit (dane_state);
1050 gnutls_x509_crt_deinit (x509_cert);
1051 return GNUNET_SYSERR;
1053 if (0 != (rc = dane_verify_crt_raw (dane_state,
1056 gnutls_certificate_type_get (tlsinfo->internals),
1061 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1062 _("Failed to verify TLS connection using DANE: %s\n"),
1064 dane_query_deinit (dane_query);
1065 dane_state_deinit (dane_state);
1066 gnutls_x509_crt_deinit (x509_cert);
1067 return GNUNET_SYSERR;
1071 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1072 _("Failed DANE verification failed with GnuTLS verify status code: %u\n"),
1074 dane_query_deinit (dane_query);
1075 dane_state_deinit (dane_state);
1076 gnutls_x509_crt_deinit (x509_cert);
1077 return GNUNET_SYSERR;
1079 dane_query_deinit (dane_query);
1080 dane_state_deinit (dane_state);
1086 /* try LEHO or ordinary domain name X509 verification */
1088 if (NULL != s5r->leho)
1092 if (0 == (rc = gnutls_x509_crt_check_hostname (x509_cert,
1095 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1096 _("TLS certificate subject name (%s) does not match `%s': %d\n"),
1100 gnutls_x509_crt_deinit (x509_cert);
1101 return GNUNET_SYSERR;
1106 /* we did not even have the domain name!? */
1108 return GNUNET_SYSERR;
1111 gnutls_x509_crt_deinit (x509_cert);
1117 * We're getting an HTTP response header from cURL. Convert it to the
1118 * MHD response headers. Mostly copies the headers, but makes special
1119 * adjustments to "Set-Cookie" and "Location" headers as those may need
1120 * to be changed from the LEHO to the domain the browser expects.
1122 * @param buffer curl buffer with a single line of header data; not 0-terminated!
1123 * @param size curl blocksize
1124 * @param nmemb curl blocknumber
1125 * @param cls our `struct Socks5Request *`
1126 * @return size of processed bytes
1129 curl_check_hdr (void *buffer,
1134 struct Socks5Request *s5r = cls;
1135 struct HttpResponseHeader *header;
1136 size_t bytes = size * nmemb;
1138 const char *hdr_type;
1139 const char *cookie_domain;
1141 char *new_cookie_hdr;
1144 size_t delta_cdomain;
1148 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1149 "Receiving HTTP response header from CURL\n");
1150 /* first, check TLS certificate */
1151 if ( (GNUNET_YES != s5r->ssl_checked) &&
1152 (GNUNET_YES == s5r->is_tls))
1153 //(HTTPS_PORT == s5r->port))
1155 if (GNUNET_OK != check_ssl_certificate (s5r))
1158 ndup = GNUNET_strndup (buffer,
1160 hdr_type = strtok (ndup,
1162 if (NULL == hdr_type)
1167 hdr_val = strtok (NULL,
1169 if (NULL == hdr_val)
1174 if (' ' == *hdr_val)
1177 /* custom logic for certain header types */
1178 new_cookie_hdr = NULL;
1179 if ( (NULL != s5r->leho) &&
1180 (0 == strcasecmp (hdr_type,
1181 MHD_HTTP_HEADER_SET_COOKIE)) )
1184 new_cookie_hdr = GNUNET_malloc (strlen (hdr_val) +
1185 strlen (s5r->domain) + 1);
1187 domain_matched = GNUNET_NO; /* make sure we match domain at most once */
1188 for (tok = strtok (hdr_val, ";"); NULL != tok; tok = strtok (NULL, ";"))
1190 if ( (0 == strncasecmp (tok,
1192 strlen (" domain"))) &&
1193 (GNUNET_NO == domain_matched) )
1195 domain_matched = GNUNET_YES;
1196 cookie_domain = tok + strlen (" domain") + 1;
1197 if (strlen (cookie_domain) < strlen (s5r->leho))
1199 delta_cdomain = strlen (s5r->leho) - strlen (cookie_domain);
1200 if (0 == strcasecmp (cookie_domain,
1201 s5r->leho + delta_cdomain))
1203 offset += sprintf (new_cookie_hdr + offset,
1209 else if (0 == strcmp (cookie_domain,
1212 offset += sprintf (new_cookie_hdr + offset,
1217 else if ( ('.' == cookie_domain[0]) &&
1218 (0 == strcmp (&cookie_domain[1],
1221 offset += sprintf (new_cookie_hdr + offset,
1226 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1227 _("Cookie domain `%s' supplied by server is invalid\n"),
1230 GNUNET_memcpy (new_cookie_hdr + offset,
1233 offset += strlen (tok);
1234 new_cookie_hdr[offset++] = ';';
1236 hdr_val = new_cookie_hdr;
1239 new_location = NULL;
1240 if (0 == strcasecmp (MHD_HTTP_HEADER_TRANSFER_ENCODING,
1243 /* Ignore transfer encoding, set automatically by MHD if required */
1246 if ((0 == strcasecmp (MHD_HTTP_HEADER_LOCATION,
1251 GNUNET_asprintf (&leho_host,
1252 (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
1256 if (0 == strncmp (leho_host,
1258 strlen (leho_host)))
1260 GNUNET_asprintf (&new_location,
1262 (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
1266 hdr_val + strlen (leho_host));
1267 hdr_val = new_location;
1269 GNUNET_free (leho_host);
1271 if (0 == strcasecmp (MHD_HTTP_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
1276 GNUNET_asprintf (&leho_host,
1277 (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
1281 if (0 == strncmp (leho_host,
1283 strlen (leho_host)))
1285 GNUNET_asprintf (&new_location,
1287 (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
1291 hdr_val = new_location;
1293 GNUNET_free (leho_host);
1296 /* MHD does not allow certain characters in values, remove those */
1297 if (NULL != (tok = strchr (hdr_val, '\n')))
1299 if (NULL != (tok = strchr (hdr_val, '\r')))
1301 if (NULL != (tok = strchr (hdr_val, '\t')))
1303 if (0 != strlen (hdr_val)) /* Rely in MHD to set those */
1305 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1306 "Adding header %s: %s to MHD response\n",
1309 header = GNUNET_new (struct HttpResponseHeader);
1310 header->type = GNUNET_strdup (hdr_type);
1311 header->value = GNUNET_strdup (hdr_val);
1312 GNUNET_CONTAINER_DLL_insert (s5r->header_head,
1318 GNUNET_free_non_null (new_cookie_hdr);
1319 GNUNET_free_non_null (new_location);
1325 * Create an MHD response object in @a s5r matching the
1326 * information we got from curl.
1328 * @param s5r the request for which we convert the response
1329 * @return #GNUNET_OK on success, #GNUNET_SYSERR if response was
1330 * already initialized before
1333 create_mhd_response_from_s5r (struct Socks5Request *s5r)
1336 double content_length;
1338 if (NULL != s5r->response)
1340 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1341 "Response already set!\n");
1342 return GNUNET_SYSERR;
1345 GNUNET_break (CURLE_OK ==
1346 curl_easy_getinfo (s5r->curl,
1347 CURLINFO_RESPONSE_CODE,
1349 GNUNET_break (CURLE_OK ==
1350 curl_easy_getinfo (s5r->curl,
1351 CURLINFO_CONTENT_LENGTH_DOWNLOAD,
1353 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1354 "Creating MHD response with code %d and size %d for %s%s\n",
1356 (int) content_length,
1359 s5r->response_code = resp_code;
1360 s5r->response = MHD_create_response_from_callback ((-1 == content_length)
1367 for (struct HttpResponseHeader *header = s5r->header_head;
1369 header = header->next)
1371 if (0 == strcasecmp (header->type,
1372 MHD_HTTP_HEADER_CONTENT_LENGTH))
1373 continue; /* MHD won't let us mess with those, for good reason */
1374 if ( (0 == strcasecmp (header->type,
1375 MHD_HTTP_HEADER_TRANSFER_ENCODING)) &&
1376 ( (0 == strcasecmp (header->value,
1378 (0 == strcasecmp (header->value,
1380 continue; /* MHD won't let us mess with those, for good reason */
1382 MHD_add_response_header (s5r->response,
1387 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1388 "Failed to add header `%s:%s'\n",
1393 /* force connection to be closed after each request, as we
1394 do not support HTTP pipelining (yet, FIXME!) */
1395 /*GNUNET_break (MHD_YES ==
1396 MHD_add_response_header (s5r->response,
1397 MHD_HTTP_HEADER_CONNECTION,
1399 MHD_resume_connection (s5r->con);
1400 s5r->suspended = GNUNET_NO;
1406 * Handle response payload data from cURL. Copies it into our `io_buf` to make
1407 * it available to MHD.
1409 * @param ptr pointer to the data
1410 * @param size number of blocks of data
1411 * @param nmemb blocksize
1412 * @param ctx our `struct Socks5Request *`
1413 * @return number of bytes handled
1416 curl_download_cb (void *ptr,
1421 struct Socks5Request *s5r = ctx;
1422 size_t total = size * nmemb;
1424 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1425 "Receiving %ux%u bytes for `%s%s' from cURL to download\n",
1426 (unsigned int) size,
1427 (unsigned int) nmemb,
1430 if (NULL == s5r->response)
1431 GNUNET_assert (GNUNET_OK ==
1432 create_mhd_response_from_s5r (s5r));
1433 if ( (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state) &&
1436 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1437 "Previous upload finished... starting DOWNLOAD.\n");
1438 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
1440 if ( (SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state) ||
1441 (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state) )
1443 /* we're still not done with the upload, do not yet
1444 start the download, the IO buffer is still full
1445 with upload data. */
1446 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1447 "Pausing CURL download `%s%s', waiting for UPLOAD to finish\n",
1450 s5r->curl_paused = GNUNET_YES;
1451 return CURL_WRITEFUNC_PAUSE; /* not yet ready for data download */
1453 if (sizeof (s5r->io_buf) - s5r->io_len < total)
1455 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1456 "Pausing CURL `%s%s' download, not enough space %llu %llu %llu\n",
1459 (unsigned long long) sizeof (s5r->io_buf),
1460 (unsigned long long) s5r->io_len,
1461 (unsigned long long) total);
1462 s5r->curl_paused = GNUNET_YES;
1463 return CURL_WRITEFUNC_PAUSE; /* not enough space */
1465 GNUNET_memcpy (&s5r->io_buf[s5r->io_len],
1468 s5r->io_len += total;
1469 if (GNUNET_YES == s5r->suspended)
1471 MHD_resume_connection (s5r->con);
1472 s5r->suspended = GNUNET_NO;
1474 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1475 "Received %llu bytes of payload via cURL from %s\n",
1476 (unsigned long long) total,
1478 if (s5r->io_len == total)
1479 run_mhd_now (s5r->hd);
1485 * cURL callback for uploaded (PUT/POST) data. Copies it into our `io_buf`
1486 * to make it available to MHD.
1488 * @param buf where to write the data
1489 * @param size number of bytes per member
1490 * @param nmemb number of members available in @a buf
1491 * @param cls our `struct Socks5Request` that generated the data
1492 * @return number of bytes copied to @a buf
1495 curl_upload_cb (void *buf,
1500 struct Socks5Request *s5r = cls;
1501 size_t len = size * nmemb;
1504 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1505 "Receiving %ux%u bytes for `%s%s' from cURL to upload\n",
1506 (unsigned int) size,
1507 (unsigned int) nmemb,
1511 if ( (0 == s5r->io_len) &&
1512 (SOCKS5_SOCKET_UPLOAD_DONE != s5r->state) )
1514 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1515 "Pausing CURL UPLOAD %s%s, need more data\n",
1518 return CURL_READFUNC_PAUSE;
1520 if ( (0 == s5r->io_len) &&
1521 (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state) )
1523 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
1524 if (GNUNET_YES == s5r->curl_paused)
1526 s5r->curl_paused = GNUNET_NO;
1527 curl_easy_pause (s5r->curl,
1530 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1531 "Completed CURL UPLOAD %s%s\n",
1534 return 0; /* upload finished, can now download */
1536 if ( (SOCKS5_SOCKET_UPLOAD_STARTED != s5r->state) &&
1537 (SOCKS5_SOCKET_UPLOAD_DONE != s5r->state) )
1540 return CURL_READFUNC_ABORT;
1542 to_copy = GNUNET_MIN (s5r->io_len,
1547 memmove (s5r->io_buf,
1548 &s5r->io_buf[to_copy],
1549 s5r->io_len - to_copy);
1550 s5r->io_len -= to_copy;
1551 if (s5r->io_len + to_copy == sizeof (s5r->io_buf))
1552 run_mhd_now (s5r->hd); /* got more space for upload now */
1557 /* ************************** main loop of cURL interaction ****************** */
1561 * Task that is run when we are ready to receive more data
1564 * @param cls closure
1567 curl_task_download (void *cls);
1571 * Ask cURL for the select() sets and schedule cURL operations.
1574 curl_download_prepare ()
1581 struct GNUNET_NETWORK_FDSet *grs;
1582 struct GNUNET_NETWORK_FDSet *gws;
1584 struct GNUNET_TIME_Relative rtime;
1586 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1587 "Scheduling CURL interaction\n");
1588 if (NULL != curl_download_task)
1590 GNUNET_SCHEDULER_cancel (curl_download_task);
1591 curl_download_task = NULL;
1597 if (CURLM_OK != (mret = curl_multi_fdset (curl_multi,
1603 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1604 "%s failed at %s:%d: `%s'\n",
1605 "curl_multi_fdset", __FILE__, __LINE__,
1606 curl_multi_strerror (mret));
1610 GNUNET_break (CURLM_OK ==
1611 curl_multi_timeout (curl_multi,
1614 rtime = GNUNET_TIME_UNIT_FOREVER_REL;
1616 rtime = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS,
1620 grs = GNUNET_NETWORK_fdset_create ();
1621 gws = GNUNET_NETWORK_fdset_create ();
1622 GNUNET_NETWORK_fdset_copy_native (grs,
1625 GNUNET_NETWORK_fdset_copy_native (gws,
1628 curl_download_task = GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
1632 &curl_task_download,
1634 GNUNET_NETWORK_fdset_destroy (gws);
1635 GNUNET_NETWORK_fdset_destroy (grs);
1639 curl_download_task = GNUNET_SCHEDULER_add_delayed (rtime,
1640 &curl_task_download,
1647 * Task that is run when we are ready to receive more data from curl.
1649 * @param cls closure, NULL
1652 curl_task_download (void *cls)
1656 struct CURLMsg *msg;
1658 struct Socks5Request *s5r;
1660 curl_download_task = NULL;
1661 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1662 "Running CURL interaction\n");
1666 mret = curl_multi_perform (curl_multi,
1668 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1669 "Checking CURL multi status: %d\n",
1671 while (NULL != (msg = curl_multi_info_read (curl_multi,
1674 GNUNET_break (CURLE_OK ==
1675 curl_easy_getinfo (msg->easy_handle,
1686 /* documentation says this is not used */
1690 switch (msg->data.result)
1693 case CURLE_GOT_NOTHING:
1694 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1695 "CURL download %s%s completed.\n",
1698 if (NULL == s5r->response)
1700 GNUNET_assert (GNUNET_OK ==
1701 create_mhd_response_from_s5r (s5r));
1703 s5r->state = SOCKS5_SOCKET_DOWNLOAD_DONE;
1704 if (GNUNET_YES == s5r->suspended)
1706 MHD_resume_connection (s5r->con);
1707 s5r->suspended = GNUNET_NO;
1709 run_mhd_now (s5r->hd);
1712 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1713 "Download curl %s%s failed: %s\n",
1716 curl_easy_strerror (msg->data.result));
1717 /* FIXME: indicate error somehow? close MHD connection badly as well? */
1718 s5r->state = SOCKS5_SOCKET_DOWNLOAD_DONE;
1719 if (GNUNET_YES == s5r->suspended)
1721 MHD_resume_connection (s5r->con);
1722 s5r->suspended = GNUNET_NO;
1724 run_mhd_now (s5r->hd);
1727 if (NULL == s5r->response)
1728 s5r->response = curl_failure_response;
1731 /* documentation says this is not used */
1735 /* unexpected status code */
1740 } while (mret == CURLM_CALL_MULTI_PERFORM);
1741 if (CURLM_OK != mret)
1742 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1743 "%s failed at %s:%d: `%s'\n",
1744 "curl_multi_perform", __FILE__, __LINE__,
1745 curl_multi_strerror (mret));
1748 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1749 "Suspending cURL multi loop, no more events pending\n");
1750 if (NULL != curl_download_task)
1752 GNUNET_SCHEDULER_cancel (curl_download_task);
1753 curl_download_task = NULL;
1755 return; /* nothing more in progress */
1757 curl_download_prepare ();
1761 /* ********************************* MHD response generation ******************* */
1765 * Read HTTP request header field from the request. Copies the fields
1766 * over to the 'headers' that will be given to curl. However, 'Host'
1767 * is substituted with the LEHO if present. We also change the
1768 * 'Connection' header value to "close" as the proxy does not support
1771 * @param cls our `struct Socks5Request`
1772 * @param kind value kind
1773 * @param key field key
1774 * @param value field value
1775 * @return #MHD_YES to continue to iterate
1778 con_val_iter (void *cls,
1779 enum MHD_ValueKind kind,
1783 struct Socks5Request *s5r = cls;
1786 if ( (0 == strcasecmp (MHD_HTTP_HEADER_HOST,
1788 (NULL != s5r->leho) )
1790 GNUNET_asprintf (&hdr,
1794 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1795 "Adding HEADER `%s' to HTTP request\n",
1797 s5r->headers = curl_slist_append (s5r->headers,
1805 * Main MHD callback for handling requests.
1808 * @param con MHD connection handle
1809 * @param url the url in the request
1810 * @param meth the HTTP method used ("GET", "PUT", etc.)
1811 * @param ver the HTTP version string (i.e. "HTTP/1.1")
1812 * @param upload_data the data being uploaded (excluding HEADERS,
1813 * for a POST that fits into memory and that is encoded
1814 * with a supported encoding, the POST data will NOT be
1815 * given in upload_data and is instead available as
1816 * part of MHD_get_connection_values; very large POST
1817 * data *will* be made available incrementally in
1819 * @param upload_data_size set initially to the size of the
1820 * @a upload_data provided; the method must update this
1821 * value to the number of bytes NOT processed;
1822 * @param con_cls pointer to location where we store the `struct Request`
1823 * @return #MHD_YES if the connection was handled successfully,
1824 * #MHD_NO if the socket must be closed due to a serious
1825 * error while handling the request
1828 create_response (void *cls,
1829 struct MHD_Connection *con,
1833 const char *upload_data,
1834 size_t *upload_data_size,
1837 struct Socks5Request *s5r = *con_cls;
1839 char ipstring[INET6_ADDRSTRLEN];
1840 char ipaddr[INET6_ADDRSTRLEN + 2];
1841 const struct sockaddr *sa;
1842 const struct sockaddr_in *s4;
1843 const struct sockaddr_in6 *s6;
1853 /* Fresh connection. */
1854 if (SOCKS5_SOCKET_WITH_MHD == s5r->state)
1856 /* first time here, initialize curl handle */
1859 sa = (const struct sockaddr *) &s5r->destination_address;
1860 switch (sa->sa_family)
1863 s4 = (const struct sockaddr_in *) &s5r->destination_address;
1864 if (NULL == inet_ntop (AF_INET,
1872 GNUNET_snprintf (ipaddr,
1876 port = ntohs (s4->sin_port);
1879 s6 = (const struct sockaddr_in6 *) &s5r->destination_address;
1880 if (NULL == inet_ntop (AF_INET6,
1888 GNUNET_snprintf (ipaddr,
1892 port = ntohs (s6->sin6_port);
1903 if (NULL == s5r->curl)
1904 s5r->curl = curl_easy_init ();
1905 if (NULL == s5r->curl)
1906 return MHD_queue_response (con,
1907 MHD_HTTP_INTERNAL_SERVER_ERROR,
1908 curl_failure_response);
1909 curl_easy_setopt (s5r->curl,
1910 CURLOPT_HEADERFUNCTION,
1912 curl_easy_setopt (s5r->curl,
1915 curl_easy_setopt (s5r->curl,
1916 CURLOPT_FOLLOWLOCATION,
1919 curl_easy_setopt (s5r->curl,
1922 curl_easy_setopt (s5r->curl,
1923 CURLOPT_CONNECTTIMEOUT,
1925 curl_easy_setopt (s5r->curl,
1928 curl_easy_setopt (s5r->curl,
1931 curl_easy_setopt (s5r->curl,
1932 CURLOPT_HTTP_CONTENT_DECODING,
1934 curl_easy_setopt (s5r->curl,
1937 curl_easy_setopt (s5r->curl,
1940 curl_easy_setopt (s5r->curl,
1944 * Pre-populate cache to resolve Hostname.
1945 * This is necessary as the DNS name in the CURLOPT_URL is used
1946 * for SNI http://de.wikipedia.org/wiki/Server_Name_Indication
1948 if (NULL != s5r->leho)
1952 GNUNET_asprintf (&curl_hosts,
1957 s5r->hosts = curl_slist_append (NULL,
1959 curl_easy_setopt (s5r->curl,
1962 GNUNET_free (curl_hosts);
1966 GNUNET_asprintf (&curlurl,
1967 (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
1969 : "https://%s:%d%s",
1978 GNUNET_asprintf (&curlurl,
1979 (GNUNET_YES != s5r->is_tls) //(HTTPS_PORT != s5r->port)
1981 : "https://%s:%d%s",
1986 curl_easy_setopt (s5r->curl,
1989 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1990 "Launching %s CURL interaction, fetching `%s'\n",
1991 (s5r->is_gns) ? "GNS" : "DNS",
1993 GNUNET_free (curlurl);
1994 if (0 == strcasecmp (meth,
1995 MHD_HTTP_METHOD_PUT))
1997 s5r->state = SOCKS5_SOCKET_UPLOAD_STARTED;
1998 curl_easy_setopt (s5r->curl,
2001 curl_easy_setopt (s5r->curl,
2002 CURLOPT_WRITEFUNCTION,
2004 curl_easy_setopt (s5r->curl,
2007 GNUNET_assert (CURLE_OK ==
2008 curl_easy_setopt (s5r->curl,
2009 CURLOPT_READFUNCTION,
2011 curl_easy_setopt (s5r->curl,
2016 long upload_size = 0;
2018 us = MHD_lookup_connection_value (con,
2020 MHD_HTTP_HEADER_CONTENT_LENGTH);
2021 if ( (1 == sscanf (us,
2024 (upload_size >= 0) )
2026 curl_easy_setopt (s5r->curl,
2032 else if (0 == strcasecmp (meth, MHD_HTTP_METHOD_POST))
2034 s5r->state = SOCKS5_SOCKET_UPLOAD_STARTED;
2035 curl_easy_setopt (s5r->curl,
2038 curl_easy_setopt (s5r->curl,
2039 CURLOPT_WRITEFUNCTION,
2041 curl_easy_setopt (s5r->curl,
2044 curl_easy_setopt (s5r->curl,
2045 CURLOPT_READFUNCTION,
2047 curl_easy_setopt (s5r->curl,
2055 us = MHD_lookup_connection_value (con,
2057 MHD_HTTP_HEADER_CONTENT_LENGTH);
2058 if ( (NULL != us) &&
2062 (upload_size >= 0) )
2064 curl_easy_setopt (s5r->curl,
2068 curl_easy_setopt (s5r->curl,
2074 else if (0 == strcasecmp (meth,
2075 MHD_HTTP_METHOD_HEAD))
2077 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2078 curl_easy_setopt (s5r->curl,
2082 else if (0 == strcasecmp (meth,
2083 MHD_HTTP_METHOD_OPTIONS))
2085 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2086 curl_easy_setopt (s5r->curl,
2087 CURLOPT_CUSTOMREQUEST,
2089 curl_easy_setopt (s5r->curl,
2090 CURLOPT_WRITEFUNCTION,
2092 curl_easy_setopt (s5r->curl,
2097 else if (0 == strcasecmp (meth,
2098 MHD_HTTP_METHOD_GET))
2100 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2101 curl_easy_setopt (s5r->curl,
2104 curl_easy_setopt (s5r->curl,
2105 CURLOPT_WRITEFUNCTION,
2107 curl_easy_setopt (s5r->curl,
2111 else if (0 == strcasecmp (meth,
2112 MHD_HTTP_METHOD_DELETE))
2114 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2115 curl_easy_setopt (s5r->curl,
2116 CURLOPT_CUSTOMREQUEST,
2118 curl_easy_setopt (s5r->curl,
2119 CURLOPT_WRITEFUNCTION,
2121 curl_easy_setopt (s5r->curl,
2127 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2128 _("Unsupported HTTP method `%s'\n"),
2130 curl_easy_cleanup (s5r->curl);
2135 if (0 == strcasecmp (ver, MHD_HTTP_VERSION_1_0))
2137 curl_easy_setopt (s5r->curl,
2138 CURLOPT_HTTP_VERSION,
2139 CURL_HTTP_VERSION_1_0);
2141 else if (0 == strcasecmp (ver, MHD_HTTP_VERSION_1_1))
2143 curl_easy_setopt (s5r->curl,
2144 CURLOPT_HTTP_VERSION,
2145 CURL_HTTP_VERSION_1_1);
2149 curl_easy_setopt (s5r->curl,
2150 CURLOPT_HTTP_VERSION,
2151 CURL_HTTP_VERSION_NONE);
2154 if (GNUNET_YES == s5r->is_tls) //(HTTPS_PORT == s5r->port)
2156 curl_easy_setopt (s5r->curl,
2159 if (0 < s5r->num_danes)
2160 curl_easy_setopt (s5r->curl,
2161 CURLOPT_SSL_VERIFYPEER,
2164 curl_easy_setopt (s5r->curl,
2165 CURLOPT_SSL_VERIFYPEER,
2167 /* Disable cURL checking the hostname, as we will check ourselves
2168 as only we have the domain name or the LEHO or the DANE record */
2169 curl_easy_setopt (s5r->curl,
2170 CURLOPT_SSL_VERIFYHOST,
2175 curl_easy_setopt (s5r->curl,
2181 curl_multi_add_handle (curl_multi,
2185 curl_easy_cleanup (s5r->curl);
2189 MHD_get_connection_values (con,
2191 (MHD_KeyValueIterator) &con_val_iter,
2193 curl_easy_setopt (s5r->curl,
2196 curl_download_prepare ();
2200 /* continuing to process request */
2201 if (0 != *upload_data_size)
2203 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2204 "Processing %u bytes UPLOAD\n",
2205 (unsigned int) *upload_data_size);
2207 /* FIXME: This must be set or a header with Transfer-Encoding: chunked. Else
2208 * upload callback is not called!
2210 curl_easy_setopt (s5r->curl,
2211 CURLOPT_POSTFIELDSIZE,
2214 left = GNUNET_MIN (*upload_data_size,
2215 sizeof (s5r->io_buf) - s5r->io_len);
2216 GNUNET_memcpy (&s5r->io_buf[s5r->io_len],
2219 s5r->io_len += left;
2220 *upload_data_size -= left;
2221 GNUNET_assert (NULL != s5r->curl);
2222 if (GNUNET_YES == s5r->curl_paused)
2224 s5r->curl_paused = GNUNET_NO;
2225 curl_easy_pause (s5r->curl,
2230 if (SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state)
2232 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2233 "Finished processing UPLOAD\n");
2234 s5r->state = SOCKS5_SOCKET_UPLOAD_DONE;
2236 if (NULL == s5r->response)
2238 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2239 "Waiting for HTTP response for %s%s...\n",
2242 MHD_suspend_connection (con);
2243 s5r->suspended = GNUNET_YES;
2246 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2247 "Queueing response for %s%s with MHD\n",
2250 run_mhd_now (s5r->hd);
2251 return MHD_queue_response (con,
2257 /* ******************** MHD HTTP setup and event loop ******************** */
2261 * Function called when MHD decides that we are done with a request.
2264 * @param connection connection handle
2265 * @param con_cls value as set by the last call to
2266 * the MHD_AccessHandlerCallback, should be our `struct Socks5Request *`
2267 * @param toe reason for request termination (ignored)
2270 mhd_completed_cb (void *cls,
2271 struct MHD_Connection *connection,
2273 enum MHD_RequestTerminationCode toe)
2275 struct Socks5Request *s5r = *con_cls;
2279 if (MHD_REQUEST_TERMINATED_COMPLETED_OK != toe)
2280 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
2281 "MHD encountered error handling request: %d\n",
2283 if (NULL != s5r->curl)
2285 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2286 "Removing cURL handle (MHD interaction complete)\n");
2287 curl_multi_remove_handle (curl_multi,
2289 curl_slist_free_all (s5r->headers);
2290 s5r->headers = NULL;
2291 curl_easy_reset (s5r->curl);
2295 curl_download_prepare ();
2297 if ( (NULL != s5r->response) &&
2298 (curl_failure_response != s5r->response) )
2299 MHD_destroy_response (s5r->response);
2300 for (struct HttpResponseHeader *header = s5r->header_head;
2302 header = s5r->header_head)
2304 GNUNET_CONTAINER_DLL_remove (s5r->header_head,
2307 GNUNET_free (header->type);
2308 GNUNET_free (header->value);
2309 GNUNET_free (header);
2311 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2312 "Finished request for %s\n",
2314 GNUNET_free (s5r->url);
2315 s5r->state = SOCKS5_SOCKET_WITH_MHD;
2317 s5r->response = NULL;
2323 * Function called when MHD connection is opened or closed.
2326 * @param connection connection handle
2327 * @param con_cls value as set by the last call to
2328 * the MHD_AccessHandlerCallback, should be our `struct Socks5Request *`
2329 * @param toe connection notification type
2332 mhd_connection_cb (void *cls,
2333 struct MHD_Connection *connection,
2335 enum MHD_ConnectionNotificationCode cnc)
2337 struct Socks5Request *s5r;
2338 const union MHD_ConnectionInfo *ci;
2343 case MHD_CONNECTION_NOTIFY_STARTED:
2344 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Connection started...\n");
2345 ci = MHD_get_connection_info (connection,
2346 MHD_CONNECTION_INFO_CONNECTION_FD);
2352 sock = ci->connect_fd;
2353 for (s5r = s5r_head; NULL != s5r; s5r = s5r->next)
2355 if (GNUNET_NETWORK_get_fd (s5r->sock) == sock)
2357 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2358 "Context set...\n");
2359 s5r->ssl_checked = GNUNET_NO;
2365 case MHD_CONNECTION_NOTIFY_CLOSED:
2366 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2367 "Connection closed... cleaning up\n");
2371 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2372 "Connection stale!\n");
2376 curl_download_prepare ();
2385 * Function called when MHD first processes an incoming connection.
2386 * Gives us the respective URI information.
2388 * We use this to associate the `struct MHD_Connection` with our
2389 * internal `struct Socks5Request` data structure (by checking
2390 * for matching sockets).
2392 * @param cls the HTTP server handle (a `struct MhdHttpList`)
2393 * @param url the URL that is being requested
2394 * @param connection MHD connection object for the request
2395 * @return the `struct Socks5Request` that this @a connection is for
2398 mhd_log_callback (void *cls,
2400 struct MHD_Connection *connection)
2402 struct Socks5Request *s5r;
2403 const union MHD_ConnectionInfo *ci;
2405 ci = MHD_get_connection_info (connection,
2406 MHD_CONNECTION_INFO_SOCKET_CONTEXT);
2407 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Processing %s\n", url);
2413 s5r = ci->socket_context;
2414 if (NULL != s5r->url)
2419 s5r->url = GNUNET_strdup (url);
2420 if (NULL != s5r->timeout_task)
2422 GNUNET_SCHEDULER_cancel (s5r->timeout_task);
2423 s5r->timeout_task = NULL;
2425 GNUNET_assert (s5r->state == SOCKS5_SOCKET_WITH_MHD);
2431 * Kill the given MHD daemon.
2433 * @param hd daemon to stop
2436 kill_httpd (struct MhdHttpList *hd)
2438 GNUNET_CONTAINER_DLL_remove (mhd_httpd_head,
2441 GNUNET_free_non_null (hd->domain);
2442 MHD_stop_daemon (hd->daemon);
2443 if (NULL != hd->httpd_task)
2445 GNUNET_SCHEDULER_cancel (hd->httpd_task);
2446 hd->httpd_task = NULL;
2448 GNUNET_free_non_null (hd->proxy_cert);
2456 * Task run whenever HTTP server is idle for too long. Kill it.
2458 * @param cls the `struct MhdHttpList *`
2461 kill_httpd_task (void *cls)
2463 struct MhdHttpList *hd = cls;
2465 hd->httpd_task = NULL;
2471 * Task run whenever HTTP server operations are pending.
2473 * @param cls the `struct MhdHttpList *` of the daemon that is being run
2476 do_httpd (void *cls);
2480 * Schedule MHD. This function should be called initially when an
2481 * MHD is first getting its client socket, and will then automatically
2482 * always be called later whenever there is work to be done.
2484 * @param hd the daemon to schedule
2487 schedule_httpd (struct MhdHttpList *hd)
2492 struct GNUNET_NETWORK_FDSet *wrs;
2493 struct GNUNET_NETWORK_FDSet *wws;
2496 MHD_UNSIGNED_LONG_LONG timeout;
2497 struct GNUNET_TIME_Relative tv;
2504 MHD_get_fdset (hd->daemon,
2513 haveto = MHD_get_timeout (hd->daemon,
2515 if (MHD_YES == haveto)
2516 tv.rel_value_us = (uint64_t) timeout * 1000LL;
2518 tv = GNUNET_TIME_UNIT_FOREVER_REL;
2521 wrs = GNUNET_NETWORK_fdset_create ();
2522 wws = GNUNET_NETWORK_fdset_create ();
2523 GNUNET_NETWORK_fdset_copy_native (wrs, &rs, max + 1);
2524 GNUNET_NETWORK_fdset_copy_native (wws, &ws, max + 1);
2531 if (NULL != hd->httpd_task)
2533 GNUNET_SCHEDULER_cancel (hd->httpd_task);
2534 hd->httpd_task = NULL;
2536 if ( (MHD_YES != haveto) &&
2540 /* daemon is idle, kill after timeout */
2541 hd->httpd_task = GNUNET_SCHEDULER_add_delayed (MHD_CACHE_TIMEOUT,
2548 GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
2553 GNUNET_NETWORK_fdset_destroy (wrs);
2555 GNUNET_NETWORK_fdset_destroy (wws);
2560 * Task run whenever HTTP server operations are pending.
2562 * @param cls the `struct MhdHttpList` of the daemon that is being run
2565 do_httpd (void *cls)
2567 struct MhdHttpList *hd = cls;
2569 hd->httpd_task = NULL;
2570 MHD_run (hd->daemon);
2571 schedule_httpd (hd);
2576 * Run MHD now, we have extra data ready for the callback.
2578 * @param hd the daemon to run now.
2581 run_mhd_now (struct MhdHttpList *hd)
2583 if (NULL != hd->httpd_task)
2584 GNUNET_SCHEDULER_cancel (hd->httpd_task);
2585 hd->httpd_task = GNUNET_SCHEDULER_add_now (&do_httpd,
2591 * Read file in filename
2593 * @param filename file to read
2594 * @param size pointer where filesize is stored
2595 * @return NULL on error
2598 load_file (const char* filename,
2605 GNUNET_DISK_file_size (filename,
2610 if (fsize > MAX_PEM_SIZE)
2612 *size = (unsigned int) fsize;
2613 buffer = GNUNET_malloc (*size);
2615 GNUNET_DISK_fn_read (filename,
2619 GNUNET_free (buffer);
2627 * Load PEM key from file
2629 * @param key where to store the data
2630 * @param keyfile path to the PEM file
2631 * @return #GNUNET_OK on success
2634 load_key_from_file (gnutls_x509_privkey_t key,
2635 const char* keyfile)
2637 gnutls_datum_t key_data;
2640 key_data.data = load_file (keyfile,
2642 if (NULL == key_data.data)
2643 return GNUNET_SYSERR;
2644 ret = gnutls_x509_privkey_import (key, &key_data,
2645 GNUTLS_X509_FMT_PEM);
2646 if (GNUTLS_E_SUCCESS != ret)
2648 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2649 _("Unable to import private key from file `%s'\n"),
2652 GNUNET_free_non_null (key_data.data);
2653 return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
2658 * Load cert from file
2660 * @param crt struct to store data in
2661 * @param certfile path to pem file
2662 * @return #GNUNET_OK on success
2665 load_cert_from_file (gnutls_x509_crt_t crt,
2666 const char* certfile)
2668 gnutls_datum_t cert_data;
2671 cert_data.data = load_file (certfile,
2673 if (NULL == cert_data.data)
2674 return GNUNET_SYSERR;
2675 ret = gnutls_x509_crt_import (crt,
2677 GNUTLS_X509_FMT_PEM);
2678 if (GNUTLS_E_SUCCESS != ret)
2680 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2681 _("Unable to import certificate from `%s'\n"),
2684 GNUNET_free_non_null (cert_data.data);
2685 return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
2690 * Generate new certificate for specific name
2692 * @param name the subject name to generate a cert for
2693 * @return a struct holding the PEM data, NULL on error
2695 static struct ProxyGNSCertificate *
2696 generate_gns_certificate (const char *name)
2698 unsigned int serial;
2699 size_t key_buf_size;
2700 size_t cert_buf_size;
2701 gnutls_x509_crt_t request;
2704 struct ProxyGNSCertificate *pgc;
2706 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2707 "Generating x.509 certificate for `%s'\n",
2709 GNUNET_break (GNUTLS_E_SUCCESS == gnutls_x509_crt_init (&request));
2710 GNUNET_break (GNUTLS_E_SUCCESS == gnutls_x509_crt_set_key (request, proxy_ca.key));
2711 pgc = GNUNET_new (struct ProxyGNSCertificate);
2712 gnutls_x509_crt_set_dn_by_oid (request,
2713 GNUTLS_OID_X520_COUNTRY_NAME,
2717 gnutls_x509_crt_set_dn_by_oid (request,
2718 GNUTLS_OID_X520_ORGANIZATION_NAME,
2721 strlen ("GNU Name System"));
2722 gnutls_x509_crt_set_dn_by_oid (request,
2723 GNUTLS_OID_X520_COMMON_NAME,
2727 gnutls_x509_crt_set_subject_alternative_name (request,
2730 GNUNET_break (GNUTLS_E_SUCCESS ==
2731 gnutls_x509_crt_set_version (request,
2733 gnutls_rnd (GNUTLS_RND_NONCE,
2736 gnutls_x509_crt_set_serial (request,
2739 etime = time (NULL);
2740 tm_data = localtime (&etime);
2742 etime = mktime(tm_data);
2743 gnutls_x509_crt_set_activation_time (request,
2746 etime = mktime (tm_data);
2747 gnutls_x509_crt_set_expiration_time (request,
2749 gnutls_x509_crt_sign2 (request,
2754 key_buf_size = sizeof (pgc->key);
2755 cert_buf_size = sizeof (pgc->cert);
2756 gnutls_x509_crt_export (request,
2757 GNUTLS_X509_FMT_PEM,
2760 gnutls_x509_privkey_export (proxy_ca.key,
2761 GNUTLS_X509_FMT_PEM,
2764 gnutls_x509_crt_deinit (request);
2770 * Function called by MHD with errors, suppresses them all.
2772 * @param cls closure
2773 * @param fm format string (`printf()`-style)
2774 * @param ap arguments to @a fm
2777 mhd_error_log_callback (void *cls,
2786 * Lookup (or create) an TLS MHD instance for a particular domain.
2788 * @param domain the domain the TLS daemon has to serve
2789 * @return NULL on error
2791 static struct MhdHttpList *
2792 lookup_ssl_httpd (const char* domain)
2794 struct MhdHttpList *hd;
2795 struct ProxyGNSCertificate *pgc;
2802 for (hd = mhd_httpd_head; NULL != hd; hd = hd->next)
2803 if ( (NULL != hd->domain) &&
2804 (0 == strcmp (hd->domain, domain)) )
2806 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2807 "Starting fresh MHD HTTPS instance for domain `%s'\n",
2809 pgc = generate_gns_certificate (domain);
2810 hd = GNUNET_new (struct MhdHttpList);
2811 hd->is_ssl = GNUNET_YES;
2812 hd->domain = GNUNET_strdup (domain);
2813 hd->proxy_cert = pgc;
2814 hd->daemon = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_SSL | MHD_USE_NO_LISTEN_SOCKET | MHD_ALLOW_SUSPEND_RESUME,
2817 &create_response, hd,
2818 MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 16,
2819 MHD_OPTION_NOTIFY_COMPLETED, &mhd_completed_cb, NULL,
2820 MHD_OPTION_NOTIFY_CONNECTION, &mhd_connection_cb, NULL,
2821 MHD_OPTION_URI_LOG_CALLBACK, &mhd_log_callback, NULL,
2822 MHD_OPTION_EXTERNAL_LOGGER, &mhd_error_log_callback, NULL,
2823 MHD_OPTION_HTTPS_MEM_KEY, pgc->key,
2824 MHD_OPTION_HTTPS_MEM_CERT, pgc->cert,
2826 if (NULL == hd->daemon)
2832 GNUNET_CONTAINER_DLL_insert (mhd_httpd_head,
2840 * Task run when a Socks5Request somehow fails to be associated with
2841 * an MHD connection (i.e. because the client never speaks HTTP after
2842 * the SOCKS5 handshake). Clean up.
2844 * @param cls the `struct Socks5Request *`
2847 timeout_s5r_handshake (void *cls)
2849 struct Socks5Request *s5r = cls;
2851 s5r->timeout_task = NULL;
2857 * We're done with the Socks5 protocol, now we need to pass the
2858 * connection data through to the final destination, either
2859 * direct (if the protocol might not be HTTP), or via MHD
2860 * (if the port looks like it should be HTTP).
2862 * @param s5r socks request that has reached the final stage
2865 setup_data_transfer (struct Socks5Request *s5r)
2867 struct MhdHttpList *hd;
2869 const struct sockaddr *addr;
2873 if (GNUNET_YES == s5r->is_tls)
2875 GNUNET_asprintf (&domain,
2878 hd = lookup_ssl_httpd (domain);
2881 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2882 _("Failed to start HTTPS server for `%s'\n"),
2885 GNUNET_free (domain);
2890 GNUNET_assert (NULL != httpd);
2893 fd = GNUNET_NETWORK_get_fd (s5r->sock);
2894 addr = GNUNET_NETWORK_get_addr (s5r->sock);
2895 len = GNUNET_NETWORK_get_addrlen (s5r->sock);
2896 s5r->state = SOCKS5_SOCKET_WITH_MHD;
2898 MHD_add_connection (hd->daemon,
2903 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2904 _("Failed to pass client to MHD\n"));
2906 GNUNET_free_non_null (domain);
2910 schedule_httpd (hd);
2911 s5r->timeout_task = GNUNET_SCHEDULER_add_delayed (HTTP_HANDSHAKE_TIMEOUT,
2912 &timeout_s5r_handshake,
2914 GNUNET_free_non_null (domain);
2918 /* ********************* SOCKS handling ************************* */
2922 * Write data from buffer to socks5 client, then continue with state machine.
2924 * @param cls the closure with the `struct Socks5Request`
2927 do_write (void *cls)
2929 struct Socks5Request *s5r = cls;
2933 len = GNUNET_NETWORK_socket_send (s5r->sock,
2938 /* write error: connection closed, shutdown, etc.; just clean up */
2939 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2946 s5r->wbuf_len - len);
2947 s5r->wbuf_len -= len;
2948 if (s5r->wbuf_len > 0)
2950 /* not done writing */
2952 GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
2958 /* we're done writing, continue with state machine! */
2965 case SOCKS5_REQUEST:
2966 GNUNET_assert (NULL != s5r->rtask);
2968 case SOCKS5_DATA_TRANSFER:
2969 setup_data_transfer (s5r);
2971 case SOCKS5_WRITE_THEN_CLEANUP:
2982 * Return a server response message indicating a failure to the client.
2984 * @param s5r request to return failure code for
2985 * @param sc status code to return
2988 signal_socks_failure (struct Socks5Request *s5r,
2989 enum Socks5StatusCode sc)
2991 struct Socks5ServerResponseMessage *s_resp;
2993 s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];
2994 memset (s_resp, 0, sizeof (struct Socks5ServerResponseMessage));
2995 s_resp->version = SOCKS_VERSION_5;
2997 s5r->state = SOCKS5_WRITE_THEN_CLEANUP;
2998 if (NULL != s5r->wtask)
3000 GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
3007 * Return a server response message indicating success.
3009 * @param s5r request to return success status message for
3012 signal_socks_success (struct Socks5Request *s5r)
3014 struct Socks5ServerResponseMessage *s_resp;
3016 s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];
3017 s_resp->version = SOCKS_VERSION_5;
3018 s_resp->reply = SOCKS5_STATUS_REQUEST_GRANTED;
3019 s_resp->reserved = 0;
3020 s_resp->addr_type = SOCKS5_AT_IPV4;
3021 /* zero out IPv4 address and port */
3024 sizeof (struct in_addr) + sizeof (uint16_t));
3025 s5r->wbuf_len += sizeof (struct Socks5ServerResponseMessage) +
3026 sizeof (struct in_addr) + sizeof (uint16_t);
3027 if (NULL == s5r->wtask)
3029 GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
3036 * Process GNS results for target domain.
3038 * @param cls the `struct Socks5Request *`
3039 * @param tld #GNUNET_YES if this was a GNS TLD.
3040 * @param rd_count number of records returned
3041 * @param rd record data
3044 handle_gns_result (void *cls,
3047 const struct GNUNET_GNSRECORD_Data *rd)
3049 struct Socks5Request *s5r = cls;
3050 const struct GNUNET_GNSRECORD_Data *r;
3053 s5r->gns_lookup = NULL;
3056 for (uint32_t i=0;i<rd_count;i++)
3059 switch (r->record_type)
3061 case GNUNET_DNSPARSER_TYPE_A:
3063 struct sockaddr_in *in;
3065 if (sizeof (struct in_addr) != r->data_size)
3067 GNUNET_break_op (0);
3070 if (GNUNET_YES == got_ip)
3073 GNUNET_NETWORK_test_pf (PF_INET))
3075 got_ip = GNUNET_YES;
3076 in = (struct sockaddr_in *) &s5r->destination_address;
3077 in->sin_family = AF_INET;
3078 GNUNET_memcpy (&in->sin_addr,
3081 in->sin_port = htons (s5r->port);
3082 #if HAVE_SOCKADDR_IN_SIN_LEN
3083 in->sin_len = sizeof (*in);
3087 case GNUNET_DNSPARSER_TYPE_AAAA:
3089 struct sockaddr_in6 *in;
3091 if (sizeof (struct in6_addr) != r->data_size)
3093 GNUNET_break_op (0);
3096 if (GNUNET_YES == got_ip)
3098 if (GNUNET_YES == disable_v6)
3101 GNUNET_NETWORK_test_pf (PF_INET6))
3103 /* FIXME: allow user to disable IPv6 per configuration option... */
3104 got_ip = GNUNET_YES;
3105 in = (struct sockaddr_in6 *) &s5r->destination_address;
3106 in->sin6_family = AF_INET6;
3107 GNUNET_memcpy (&in->sin6_addr,
3110 in->sin6_port = htons (s5r->port);
3111 #if HAVE_SOCKADDR_IN_SIN_LEN
3112 in->sin6_len = sizeof (*in);
3116 case GNUNET_GNSRECORD_TYPE_VPN:
3117 GNUNET_break (0); /* should have been translated within GNS */
3119 case GNUNET_GNSRECORD_TYPE_LEHO:
3120 GNUNET_free_non_null (s5r->leho);
3121 s5r->leho = GNUNET_strndup (r->data,
3124 case GNUNET_GNSRECORD_TYPE_BOX:
3126 const struct GNUNET_GNSRECORD_BoxRecord *box;
3128 if (r->data_size < sizeof (struct GNUNET_GNSRECORD_BoxRecord))
3130 GNUNET_break_op (0);
3134 if ( (ntohl (box->record_type) != GNUNET_DNSPARSER_TYPE_TLSA) ||
3135 (ntohs (box->protocol) != IPPROTO_TCP) ||
3136 (ntohs (box->service) != s5r->port) )
3137 break; /* BOX record does not apply */
3138 if (s5r->num_danes >= MAX_DANES)
3140 GNUNET_break (0); /* MAX_DANES too small */
3143 s5r->is_tls = GNUNET_YES; /* This should be TLS */
3144 s5r->dane_data_len[s5r->num_danes]
3145 = r->data_size - sizeof (struct GNUNET_GNSRECORD_BoxRecord);
3146 s5r->dane_data[s5r->num_danes]
3147 = GNUNET_memdup (&box[1],
3148 s5r->dane_data_len[s5r->num_danes]);
3157 if ( (GNUNET_YES != got_ip) &&
3158 (GNUNET_YES == tld) )
3160 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3161 "Name resolution failed to yield useful IP address.\n");
3162 signal_socks_failure (s5r,
3163 SOCKS5_STATUS_GENERAL_FAILURE);
3166 s5r->state = SOCKS5_DATA_TRANSFER;
3167 signal_socks_success (s5r);
3172 * Remove the first @a len bytes from the beginning of the read buffer.
3174 * @param s5r the handle clear the read buffer for
3175 * @param len number of bytes in read buffer to advance
3178 clear_from_s5r_rbuf (struct Socks5Request *s5r,
3181 GNUNET_assert (len <= s5r->rbuf_len);
3184 s5r->rbuf_len - len);
3185 s5r->rbuf_len -= len;
3190 * Read data from incoming Socks5 connection
3192 * @param cls the closure with the `struct Socks5Request`
3195 do_s5r_read (void *cls)
3197 struct Socks5Request *s5r = cls;
3198 const struct Socks5ClientHelloMessage *c_hello;
3199 struct Socks5ServerHelloMessage *s_hello;
3200 const struct Socks5ClientRequestMessage *c_req;
3203 const struct GNUNET_SCHEDULER_TaskContext *tc;
3206 tc = GNUNET_SCHEDULER_get_task_context ();
3207 if ( (NULL != tc->read_ready) &&
3208 (GNUNET_NETWORK_fdset_isset (tc->read_ready,
3211 rlen = GNUNET_NETWORK_socket_recv (s5r->sock,
3212 &s5r->rbuf[s5r->rbuf_len],
3213 sizeof (s5r->rbuf) - s5r->rbuf_len);
3216 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3217 "socks5 client disconnected.\n");
3221 s5r->rbuf_len += rlen;
3223 s5r->rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3226 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3227 "Processing %zu bytes of socks data in state %d\n",
3233 c_hello = (const struct Socks5ClientHelloMessage*) &s5r->rbuf;
3234 if ( (s5r->rbuf_len < sizeof (struct Socks5ClientHelloMessage)) ||
3235 (s5r->rbuf_len < sizeof (struct Socks5ClientHelloMessage) + c_hello->num_auth_methods) )
3236 return; /* need more data */
3237 if (SOCKS_VERSION_5 != c_hello->version)
3239 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3240 _("Unsupported socks version %d\n"),
3241 (int) c_hello->version);
3245 clear_from_s5r_rbuf (s5r,
3246 sizeof (struct Socks5ClientHelloMessage) + c_hello->num_auth_methods);
3247 GNUNET_assert (0 == s5r->wbuf_len);
3248 s_hello = (struct Socks5ServerHelloMessage *) &s5r->wbuf;
3249 s5r->wbuf_len = sizeof (struct Socks5ServerHelloMessage);
3250 s_hello->version = SOCKS_VERSION_5;
3251 s_hello->auth_method = SOCKS_AUTH_NONE;
3252 GNUNET_assert (NULL == s5r->wtask);
3253 s5r->wtask = GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
3256 s5r->state = SOCKS5_REQUEST;
3258 case SOCKS5_REQUEST:
3259 c_req = (const struct Socks5ClientRequestMessage *) &s5r->rbuf;
3260 if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage))
3262 switch (c_req->command)
3264 case SOCKS5_CMD_TCP_STREAM:
3268 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3269 _("Unsupported socks command %d\n"),
3270 (int) c_req->command);
3271 signal_socks_failure (s5r,
3272 SOCKS5_STATUS_COMMAND_NOT_SUPPORTED);
3275 switch (c_req->addr_type)
3277 case SOCKS5_AT_IPV4:
3279 const struct in_addr *v4 = (const struct in_addr *) &c_req[1];
3280 const uint16_t *port = (const uint16_t *) &v4[1];
3281 struct sockaddr_in *in;
3283 s5r->port = ntohs (*port);
3284 alen = sizeof (struct in_addr);
3285 if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage) +
3286 alen + sizeof (uint16_t))
3287 return; /* need more data */
3288 in = (struct sockaddr_in *) &s5r->destination_address;
3289 in->sin_family = AF_INET;
3291 in->sin_port = *port;
3292 #if HAVE_SOCKADDR_IN_SIN_LEN
3293 in->sin_len = sizeof (*in);
3295 s5r->state = SOCKS5_DATA_TRANSFER;
3298 case SOCKS5_AT_IPV6:
3300 const struct in6_addr *v6 = (const struct in6_addr *) &c_req[1];
3301 const uint16_t *port = (const uint16_t *) &v6[1];
3302 struct sockaddr_in6 *in;
3304 s5r->port = ntohs (*port);
3305 alen = sizeof (struct in6_addr);
3306 if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage) +
3307 alen + sizeof (uint16_t))
3308 return; /* need more data */
3309 in = (struct sockaddr_in6 *) &s5r->destination_address;
3310 in->sin6_family = AF_INET6;
3311 in->sin6_addr = *v6;
3312 in->sin6_port = *port;
3313 #if HAVE_SOCKADDR_IN_SIN_LEN
3314 in->sin6_len = sizeof (*in);
3316 s5r->state = SOCKS5_DATA_TRANSFER;
3319 case SOCKS5_AT_DOMAINNAME:
3321 const uint8_t *dom_len;
3322 const char *dom_name;
3323 const uint16_t *port;
3325 dom_len = (const uint8_t *) &c_req[1];
3326 alen = *dom_len + 1;
3327 if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage) +
3328 alen + sizeof (uint16_t))
3329 return; /* need more data */
3330 dom_name = (const char *) &dom_len[1];
3331 port = (const uint16_t*) &dom_name[*dom_len];
3332 s5r->domain = GNUNET_strndup (dom_name,
3334 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3335 "Requested connection is to %s:%d\n",
3336 //(HTTPS_PORT == s5r->port) ? "s" : "",
3339 s5r->state = SOCKS5_RESOLVING;
3340 s5r->port = ntohs (*port);
3341 s5r->is_tls = (HTTPS_PORT == s5r->port) ? GNUNET_YES : GNUNET_NO;
3342 s5r->gns_lookup = GNUNET_GNS_lookup_with_tld (gns_handle,
3344 GNUNET_DNSPARSER_TYPE_A,
3345 GNUNET_NO /* only cached */,
3351 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3352 _("Unsupported socks address type %d\n"),
3353 (int) c_req->addr_type);
3354 signal_socks_failure (s5r,
3355 SOCKS5_STATUS_ADDRESS_TYPE_NOT_SUPPORTED);
3358 clear_from_s5r_rbuf (s5r,
3359 sizeof (struct Socks5ClientRequestMessage) +
3360 alen + sizeof (uint16_t));
3361 if (0 != s5r->rbuf_len)
3363 /* read more bytes than healthy, why did the client send more!? */
3364 GNUNET_break_op (0);
3365 signal_socks_failure (s5r,
3366 SOCKS5_STATUS_GENERAL_FAILURE);
3369 if (SOCKS5_DATA_TRANSFER == s5r->state)
3371 /* if we are not waiting for GNS resolution, signal success */
3372 signal_socks_success (s5r);
3374 /* We are done reading right now */
3375 GNUNET_SCHEDULER_cancel (s5r->rtask);
3378 case SOCKS5_RESOLVING:
3381 case SOCKS5_DATA_TRANSFER:
3392 * Accept new incoming connections
3394 * @param cls the closure with the lsock4 or lsock6
3395 * @param tc the scheduler context
3398 do_accept (void *cls)
3400 struct GNUNET_NETWORK_Handle *lsock = cls;
3401 struct GNUNET_NETWORK_Handle *s;
3402 struct Socks5Request *s5r;
3404 GNUNET_assert (NULL != lsock);
3405 if (lsock == lsock4)
3406 ltask4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3410 else if (lsock == lsock6)
3411 ltask6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3417 s = GNUNET_NETWORK_socket_accept (lsock,
3422 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3426 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3427 "Got an inbound connection, waiting for data\n");
3428 s5r = GNUNET_new (struct Socks5Request);
3429 GNUNET_CONTAINER_DLL_insert (s5r_head,
3433 s5r->state = SOCKS5_INIT;
3434 s5r->rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3441 /* ******************* General / main code ********************* */
3445 * Task run on shutdown
3447 * @param cls closure
3450 do_shutdown (void *cls)
3452 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
3453 "Shutting down...\n");
3454 /* MHD requires resuming before destroying the daemons */
3455 for (struct Socks5Request *s5r = s5r_head;
3461 s5r->suspended = GNUNET_NO;
3462 MHD_resume_connection (s5r->con);
3465 while (NULL != mhd_httpd_head)
3466 kill_httpd (mhd_httpd_head);
3467 while (NULL != s5r_head)
3468 cleanup_s5r (s5r_head);
3471 GNUNET_NETWORK_socket_close (lsock4);
3476 GNUNET_NETWORK_socket_close (lsock6);
3479 if (NULL != curl_multi)
3481 curl_multi_cleanup (curl_multi);
3484 if (NULL != gns_handle)
3486 GNUNET_GNS_disconnect (gns_handle);
3489 if (NULL != curl_download_task)
3491 GNUNET_SCHEDULER_cancel (curl_download_task);
3492 curl_download_task = NULL;
3496 GNUNET_SCHEDULER_cancel (ltask4);
3501 GNUNET_SCHEDULER_cancel (ltask6);
3504 gnutls_x509_crt_deinit (proxy_ca.cert);
3505 gnutls_x509_privkey_deinit (proxy_ca.key);
3506 gnutls_global_deinit ();
3511 * Create an IPv4 listen socket bound to our port.
3513 * @return NULL on error
3515 static struct GNUNET_NETWORK_Handle *
3518 struct GNUNET_NETWORK_Handle *ls;
3519 struct sockaddr_in sa4;
3522 memset (&sa4, 0, sizeof (sa4));
3523 sa4.sin_family = AF_INET;
3524 sa4.sin_port = htons (port);
3525 sa4.sin_addr.s_addr = address;
3526 #if HAVE_SOCKADDR_IN_SIN_LEN
3527 sa4.sin_len = sizeof (sa4);
3529 ls = GNUNET_NETWORK_socket_create (AF_INET,
3535 GNUNET_NETWORK_socket_bind (ls,
3536 (const struct sockaddr *) &sa4,
3540 GNUNET_NETWORK_socket_close (ls);
3549 * Create an IPv6 listen socket bound to our port.
3551 * @return NULL on error
3553 static struct GNUNET_NETWORK_Handle *
3556 struct GNUNET_NETWORK_Handle *ls;
3557 struct sockaddr_in6 sa6;
3560 memset (&sa6, 0, sizeof (sa6));
3561 sa6.sin6_family = AF_INET6;
3562 sa6.sin6_port = htons (port);
3563 sa6.sin6_addr = address6;
3564 #if HAVE_SOCKADDR_IN_SIN_LEN
3565 sa6.sin6_len = sizeof (sa6);
3567 ls = GNUNET_NETWORK_socket_create (AF_INET6,
3573 GNUNET_NETWORK_socket_bind (ls,
3574 (const struct sockaddr *) &sa6,
3578 GNUNET_NETWORK_socket_close (ls);
3587 * Main function that will be run
3589 * @param cls closure
3590 * @param args remaining command-line arguments
3591 * @param cfgfile name of the configuration file used (for saving, can be NULL!)
3592 * @param c configuration
3597 const char *cfgfile,
3598 const struct GNUNET_CONFIGURATION_Handle *c)
3600 char* cafile_cfg = NULL;
3603 struct MhdHttpList *hd;
3607 /* Get address to bind to */
3608 if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, "gns-proxy",
3612 //No address specified
3613 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3614 "Don't know what to bind to...\n");
3615 GNUNET_free (addr_str);
3616 GNUNET_SCHEDULER_shutdown ();
3619 if (1 != inet_pton (AF_INET, addr_str, &address))
3621 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3622 "Unable to parse address %s\n",
3624 GNUNET_free (addr_str);
3625 GNUNET_SCHEDULER_shutdown ();
3628 GNUNET_free (addr_str);
3629 /* Get address to bind to */
3630 if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, "gns-proxy",
3634 //No address specified
3635 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3636 "Don't know what to bind6 to...\n");
3637 GNUNET_free (addr_str);
3638 GNUNET_SCHEDULER_shutdown ();
3641 if (1 != inet_pton (AF_INET6, addr_str, &address6))
3643 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3644 "Unable to parse IPv6 address %s\n",
3646 GNUNET_free (addr_str);
3647 GNUNET_SCHEDULER_shutdown ();
3650 GNUNET_free (addr_str);
3652 if (NULL == (curl_multi = curl_multi_init ()))
3654 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3655 "Failed to create cURL multi handle!\n");
3658 cafile = cafile_opt;
3662 GNUNET_CONFIGURATION_get_value_filename (cfg,
3667 GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
3672 cafile = cafile_cfg;
3674 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3675 "Using `%s' as CA\n",
3678 gnutls_global_init ();
3679 gnutls_x509_crt_init (&proxy_ca.cert);
3680 gnutls_x509_privkey_init (&proxy_ca.key);
3683 load_cert_from_file (proxy_ca.cert,
3686 load_key_from_file (proxy_ca.key,
3689 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3690 _("Failed to load X.509 key and certificate from `%s'\n"),
3692 gnutls_x509_crt_deinit (proxy_ca.cert);
3693 gnutls_x509_privkey_deinit (proxy_ca.key);
3694 gnutls_global_deinit ();
3695 GNUNET_free_non_null (cafile_cfg);
3698 GNUNET_free_non_null (cafile_cfg);
3699 if (NULL == (gns_handle = GNUNET_GNS_connect (cfg)))
3701 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3702 "Unable to connect to GNS!\n");
3703 gnutls_x509_crt_deinit (proxy_ca.cert);
3704 gnutls_x509_privkey_deinit (proxy_ca.key);
3705 gnutls_global_deinit ();
3708 GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
3711 /* Open listen socket for socks proxy */
3712 lsock6 = bind_v6 ();
3715 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3721 GNUNET_NETWORK_socket_listen (lsock6,
3724 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3726 GNUNET_NETWORK_socket_close (lsock6);
3731 ltask6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3737 lsock4 = bind_v4 ();
3740 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3746 GNUNET_NETWORK_socket_listen (lsock4,
3749 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3751 GNUNET_NETWORK_socket_close (lsock4);
3756 ltask4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3762 if ( (NULL == lsock4) &&
3765 GNUNET_SCHEDULER_shutdown ();
3768 if (0 != curl_global_init (CURL_GLOBAL_WIN32))
3770 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3771 "cURL global init failed!\n");
3772 GNUNET_SCHEDULER_shutdown ();
3775 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3776 "Proxy listens on port %u\n",
3777 (unsigned int) port);
3779 /* start MHD daemon for HTTP */
3780 hd = GNUNET_new (struct MhdHttpList);
3781 hd->daemon = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_NO_LISTEN_SOCKET | MHD_ALLOW_SUSPEND_RESUME,
3784 &create_response, hd,
3785 MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 16,
3786 MHD_OPTION_NOTIFY_COMPLETED, &mhd_completed_cb, NULL,
3787 MHD_OPTION_NOTIFY_CONNECTION, &mhd_connection_cb, NULL,
3788 MHD_OPTION_URI_LOG_CALLBACK, &mhd_log_callback, NULL,
3790 if (NULL == hd->daemon)
3793 GNUNET_SCHEDULER_shutdown ();
3797 GNUNET_CONTAINER_DLL_insert (mhd_httpd_head,
3804 * The main function for gnunet-gns-proxy.
3806 * @param argc number of arguments from the command line
3807 * @param argv command line arguments
3808 * @return 0 ok, 1 on error
3814 struct GNUNET_GETOPT_CommandLineOption options[] = {
3815 GNUNET_GETOPT_option_uint16 ('p',
3818 gettext_noop ("listen on specified port (default: 7777)"),
3820 GNUNET_GETOPT_option_string ('a',
3823 gettext_noop ("pem file to use as CA"),
3825 GNUNET_GETOPT_option_flag ('6',
3827 gettext_noop ("disable use of IPv6"),
3830 GNUNET_GETOPT_OPTION_END
3832 static const char* page =
3833 "<html><head><title>gnunet-gns-proxy</title>"
3834 "</head><body>cURL fail</body></html>";
3838 GNUNET_STRINGS_get_utf8_args (argc, argv,
3841 GNUNET_log_setup ("gnunet-gns-proxy",
3844 curl_failure_response
3845 = MHD_create_response_from_buffer (strlen (page),
3847 MHD_RESPMEM_PERSISTENT);
3851 GNUNET_PROGRAM_run (argc, argv,
3853 _("GNUnet GNS proxy"),
3855 &run, NULL)) ? 0 : 1;
3856 MHD_destroy_response (curl_failure_response);
3857 GNUNET_free_non_null ((char *) argv);
3861 /* end of gnunet-gns-proxy.c */
projects / oweals / gnunet.git / blob