2 This file is part of GNUnet.
3 Copyright (C) 2012-2018 GNUnet e.V.
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
21 * @author Martin Schanzenbach
22 * @author Christian Grothoff
23 * @file src/gns/gnunet-gns-proxy.c
24 * @brief HTTP(S) proxy that rewrites URIs and fakes certificats to make GNS work
25 * with legacy browsers
28 * - double-check queueing logic
31 #include <microhttpd.h>
32 /* Just included for the right curl.h */
33 #include "gnunet_curl_lib.h"
34 #include <gnutls/gnutls.h>
35 #include <gnutls/x509.h>
36 #include <gnutls/abstract.h>
37 #include <gnutls/crypto.h>
39 #include <gnutls/dane.h>
42 #include "gnunet_util_lib.h"
43 #include "gnunet_gns_service.h"
44 #include "gnunet_identity_service.h"
46 #include "gnunet_mhd_compat.h"
49 * Default Socks5 listen port.
51 #define GNUNET_GNS_PROXY_PORT 7777
54 * Maximum supported length for a URI.
55 * Should die. @deprecated
57 #define MAX_HTTP_URI_LENGTH 2048
60 * Maximum number of DANE records we support
61 * per domain name (and port and protocol).
66 * Size of the buffer for the data upload / download. Must be
67 * enough for curl, thus CURL_MAX_WRITE_SIZE is needed here (16k).
69 #define IO_BUFFERSIZE CURL_MAX_WRITE_SIZE
72 * Size of the read/write buffers for Socks. Uses
73 * 256 bytes for the hostname (at most), plus a few
74 * bytes overhead for the messages.
76 #define SOCKS_BUFFERSIZE (256 + 32)
79 * Port for plaintext HTTP.
86 #define HTTPS_PORT 443
89 * Largest allowed size for a PEM certificate.
91 #define MAX_PEM_SIZE (10 * 1024)
94 * After how long do we clean up unused MHD TLS instances?
96 #define MHD_CACHE_TIMEOUT GNUNET_TIME_relative_multiply ( \
97 GNUNET_TIME_UNIT_MINUTES, 5)
100 * After how long do we clean up Socks5 handles that failed to show any activity
101 * with their respective MHD instance?
103 #define HTTP_HANDSHAKE_TIMEOUT GNUNET_TIME_relative_multiply ( \
104 GNUNET_TIME_UNIT_SECONDS, 15)
110 * @param level log level
111 * @param fun name of curl_easy-function that gave the error
112 * @param rc return code from curl
114 #define LOG_CURL_EASY(level, fun, rc) \
116 _ ("%s failed at %s:%d: `%s'\n"), \
120 curl_easy_strerror (rc))
123 /* *************** Socks protocol definitions (move to TUN?) ****************** */
126 * Which SOCKS version do we speak?
128 #define SOCKS_VERSION_5 0x05
131 * Flag to set for 'no authentication'.
133 #define SOCKS_AUTH_NONE 0
137 * Commands in Socks5.
142 * Establish TCP/IP stream.
144 SOCKS5_CMD_TCP_STREAM = 1,
147 * Establish TCP port binding.
149 SOCKS5_CMD_TCP_PORT = 2,
152 * Establish UDP port binding.
154 SOCKS5_CMD_UDP_PORT = 3
159 * Address types in Socks5.
161 enum Socks5AddressType
171 SOCKS5_AT_DOMAINNAME = 3,
181 * Status codes in Socks5 response.
183 enum Socks5StatusCode
185 SOCKS5_STATUS_REQUEST_GRANTED = 0,
186 SOCKS5_STATUS_GENERAL_FAILURE = 1,
187 SOCKS5_STATUS_CONNECTION_NOT_ALLOWED_BY_RULE = 2,
188 SOCKS5_STATUS_NETWORK_UNREACHABLE = 3,
189 SOCKS5_STATUS_HOST_UNREACHABLE = 4,
190 SOCKS5_STATUS_CONNECTION_REFUSED_BY_HOST = 5,
191 SOCKS5_STATUS_TTL_EXPIRED = 6,
192 SOCKS5_STATUS_COMMAND_NOT_SUPPORTED = 7,
193 SOCKS5_STATUS_ADDRESS_TYPE_NOT_SUPPORTED = 8
198 * Client hello in Socks5 protocol.
200 struct Socks5ClientHelloMessage
203 * Should be #SOCKS_VERSION_5.
208 * How many authentication methods does the client support.
210 uint8_t num_auth_methods;
212 /* followed by supported authentication methods, 1 byte per method */
217 * Server hello in Socks5 protocol.
219 struct Socks5ServerHelloMessage
222 * Should be #SOCKS_VERSION_5.
227 * Chosen authentication method, for us always #SOCKS_AUTH_NONE,
228 * which skips the authentication step.
235 * Client socks request in Socks5 protocol.
237 struct Socks5ClientRequestMessage
240 * Should be #SOCKS_VERSION_5.
245 * Command code, we only uspport #SOCKS5_CMD_TCP_STREAM.
250 * Reserved, always zero.
255 * Address type, an `enum Socks5AddressType`.
260 * Followed by either an ip4/ipv6 address or a domain name with a
261 * length field (uint8_t) in front (depending on @e addr_type).
262 * followed by port number in network byte order (uint16_t).
268 * Server response to client requests in Socks5 protocol.
270 struct Socks5ServerResponseMessage
273 * Should be #SOCKS_VERSION_5.
278 * Status code, an `enum Socks5StatusCode`
288 * Address type, an `enum Socks5AddressType`.
293 * Followed by either an ip4/ipv6 address or a domain name with a
294 * length field (uint8_t) in front (depending on @e addr_type).
295 * followed by port number in network byte order (uint16_t).
300 /* *********************** Datastructures for HTTP handling ****************** */
303 * A structure for CA cert/key
310 gnutls_x509_crt_t cert;
315 gnutls_x509_privkey_t key;
320 * Structure for GNS certificates
322 struct ProxyGNSCertificate
325 * The certificate as PEM
327 char cert[MAX_PEM_SIZE];
330 * The private key as PEM
332 char key[MAX_PEM_SIZE];
337 * A structure for all running Httpds
344 struct MhdHttpList *prev;
349 struct MhdHttpList *next;
352 * the domain name to server (only important for TLS)
359 struct MHD_Daemon *daemon;
362 * Optional proxy certificate used
364 struct ProxyGNSCertificate *proxy_cert;
369 struct GNUNET_SCHEDULER_Task *httpd_task;
372 * is this an ssl daemon?
378 /* ***************** Datastructures for Socks handling **************** */
387 * We're waiting to get the client hello.
392 * We're waiting to get the initial request.
397 * We are currently resolving the destination.
402 * We're in transfer mode.
404 SOCKS5_DATA_TRANSFER,
407 * Finish writing the write buffer, then clean up.
409 SOCKS5_WRITE_THEN_CLEANUP,
412 * Socket has been passed to MHD, do not close it anymore.
414 SOCKS5_SOCKET_WITH_MHD,
417 * We've started receiving upload data from MHD.
419 SOCKS5_SOCKET_UPLOAD_STARTED,
422 * We've finished receiving upload data from MHD.
424 SOCKS5_SOCKET_UPLOAD_DONE,
427 * We've finished uploading data via CURL and can now download.
429 SOCKS5_SOCKET_DOWNLOAD_STARTED,
432 * We've finished receiving download data from cURL.
434 SOCKS5_SOCKET_DOWNLOAD_DONE
441 struct HttpResponseHeader
446 struct HttpResponseHeader *next;
451 struct HttpResponseHeader *prev;
465 * A structure for socks requests
472 struct Socks5Request *next;
477 struct Socks5Request *prev;
482 struct GNUNET_NETWORK_Handle *sock;
485 * Handle to GNS lookup, during #SOCKS5_RESOLVING phase.
487 struct GNUNET_GNS_LookupWithTldRequest *gns_lookup;
490 * Client socket read task
492 struct GNUNET_SCHEDULER_Task *rtask;
495 * Client socket write task
497 struct GNUNET_SCHEDULER_Task *wtask;
502 struct GNUNET_SCHEDULER_Task *timeout_task;
507 char rbuf[SOCKS_BUFFERSIZE];
512 char wbuf[SOCKS_BUFFERSIZE];
515 * Buffer we use for moving data between MHD and curl (in both directions).
517 char io_buf[IO_BUFFERSIZE];
520 * MHD HTTP instance handling this request, NULL for none.
522 struct MhdHttpList *hd;
525 * MHD connection for this request.
527 struct MHD_Connection *con;
530 * MHD response object for this request.
532 struct MHD_Response *response;
535 * the domain name to server (only important for TLS)
540 * DNS Legacy Host Name as given by GNS, NULL if not given.
545 * Payload of the DANE records encountered.
547 char *dane_data[MAX_DANES + 1];
560 * HTTP request headers for the curl request.
562 struct curl_slist *headers;
565 * DNS->IP mappings resolved through GNS
567 struct curl_slist *hosts;
570 * HTTP response code to give to MHD for the response.
572 unsigned int response_code;
575 * Number of bytes in @e dane_data.
577 int dane_data_len[MAX_DANES + 1];
580 * Number of entries used in @e dane_data_len
583 unsigned int num_danes;
586 * Number of bytes already in read buffer
591 * Number of bytes already in write buffer
596 * Number of bytes already in the IO buffer.
601 * Once known, what's the target address for the connection?
603 struct sockaddr_storage destination_address;
608 enum SocksPhase state;
611 * Desired destination port.
616 * Headers from response
618 struct HttpResponseHeader *header_head;
621 * Headers from response
623 struct HttpResponseHeader *header_tail;
626 * X.509 Certificate status
631 * Was the hostname resolved via GNS?
636 * This is (probably) a TLS connection
641 * Did we suspend MHD processing?
646 * Did we pause CURL processing?
652 /* *********************** Globals **************************** */
655 * The address to bind to
657 static in_addr_t address;
660 * The IPv6 address to bind to
662 static struct in6_addr address6;
665 * The port the proxy is running on (default 7777)
667 static uint16_t port = GNUNET_GNS_PROXY_PORT;
670 * The CA file (pem) to use for the proxy CA
672 static char *cafile_opt;
675 * The listen socket of the proxy for IPv4
677 static struct GNUNET_NETWORK_Handle *lsock4;
680 * The listen socket of the proxy for IPv6
682 static struct GNUNET_NETWORK_Handle *lsock6;
685 * The listen task ID for IPv4
687 static struct GNUNET_SCHEDULER_Task *ltask4;
690 * The listen task ID for IPv6
692 static struct GNUNET_SCHEDULER_Task *ltask6;
695 * The cURL download task (curl multi API).
697 static struct GNUNET_SCHEDULER_Task *curl_download_task;
700 * The cURL multi handle
702 static CURLM *curl_multi;
705 * Handle to the GNS service
707 static struct GNUNET_GNS_Handle *gns_handle;
712 static int disable_v6;
715 * DLL for http/https daemons
717 static struct MhdHttpList *mhd_httpd_head;
720 * DLL for http/https daemons
722 static struct MhdHttpList *mhd_httpd_tail;
725 * Daemon for HTTP (we have one per X.509 certificate, and then one for
726 * all HTTP connections; this is the one for HTTP, not HTTPS).
728 static struct MhdHttpList *httpd;
731 * DLL of active socks requests.
733 static struct Socks5Request *s5r_head;
736 * DLL of active socks requests.
738 static struct Socks5Request *s5r_tail;
741 * The CA for X.509 certificate generation
743 static struct ProxyCA proxy_ca;
746 * Response we return on cURL failures.
748 static struct MHD_Response *curl_failure_response;
753 static const struct GNUNET_CONFIGURATION_Handle *cfg;
756 /* ************************* Global helpers ********************* */
760 * Run MHD now, we have extra data ready for the callback.
762 * @param hd the daemon to run now.
765 run_mhd_now (struct MhdHttpList *hd);
769 * Clean up s5r handles.
771 * @param s5r the handle to destroy
774 cleanup_s5r (struct Socks5Request *s5r)
776 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
777 "Cleaning up socks request\n");
778 if (NULL != s5r->curl)
780 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
781 "Cleaning up cURL handle\n");
782 curl_multi_remove_handle (curl_multi,
784 curl_easy_cleanup (s5r->curl);
789 s5r->suspended = GNUNET_NO;
790 MHD_resume_connection (s5r->con);
792 curl_slist_free_all (s5r->headers);
793 if (NULL != s5r->hosts)
795 curl_slist_free_all (s5r->hosts);
797 if ((NULL != s5r->response) &&
798 (curl_failure_response != s5r->response))
800 MHD_destroy_response (s5r->response);
801 s5r->response = NULL;
803 if (NULL != s5r->rtask)
805 GNUNET_SCHEDULER_cancel (s5r->rtask);
808 if (NULL != s5r->timeout_task)
810 GNUNET_SCHEDULER_cancel (s5r->timeout_task);
811 s5r->timeout_task = NULL;
813 if (NULL != s5r->wtask)
815 GNUNET_SCHEDULER_cancel (s5r->wtask);
818 if (NULL != s5r->gns_lookup)
820 GNUNET_GNS_lookup_with_tld_cancel (s5r->gns_lookup);
821 s5r->gns_lookup = NULL;
823 if (NULL != s5r->sock)
825 if (SOCKS5_SOCKET_WITH_MHD <= s5r->state)
826 GNUNET_NETWORK_socket_free_memory_only_ (s5r->sock);
828 GNUNET_NETWORK_socket_close (s5r->sock);
831 GNUNET_CONTAINER_DLL_remove (s5r_head,
834 GNUNET_free_non_null (s5r->domain);
835 GNUNET_free_non_null (s5r->leho);
836 GNUNET_free_non_null (s5r->url);
837 for (unsigned int i = 0; i < s5r->num_danes; i++)
838 GNUNET_free (s5r->dane_data[i]);
843 /* ************************* HTTP handling with cURL *********************** */
846 curl_download_prepare ();
850 * Callback for MHD response generation. This function is called from
851 * MHD whenever MHD expects to get data back. Copies data from the
852 * io_buf, if available.
854 * @param cls closure with our `struct Socks5Request`
855 * @param pos in buffer
856 * @param buf where to copy data
857 * @param max available space in @a buf
858 * @return number of bytes written to @a buf
861 mhd_content_cb (void *cls,
866 struct Socks5Request *s5r = cls;
867 size_t bytes_to_copy;
869 if ((SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state) ||
870 (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state))
872 /* we're still not done with the upload, do not yet
873 start the download, the IO buffer is still full
875 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
876 "Pausing MHD download %s%s, not yet ready for download\n",
879 return 0; /* not yet ready for data download */
881 bytes_to_copy = GNUNET_MIN (max,
883 if ((0 == bytes_to_copy) &&
884 (SOCKS5_SOCKET_DOWNLOAD_DONE != s5r->state))
886 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
887 "Pausing MHD download %s%s, no data available\n",
890 if (NULL != s5r->curl)
892 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
893 "Continuing CURL interaction for %s%s\n",
896 if (GNUNET_YES == s5r->curl_paused)
898 s5r->curl_paused = GNUNET_NO;
899 curl_easy_pause (s5r->curl,
902 curl_download_prepare ();
904 if (GNUNET_NO == s5r->suspended)
906 MHD_suspend_connection (s5r->con);
907 s5r->suspended = GNUNET_YES;
909 return 0; /* more data later */
911 if ((0 == bytes_to_copy) &&
912 (SOCKS5_SOCKET_DOWNLOAD_DONE == s5r->state))
914 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
915 "Completed MHD download %s%s\n",
918 return MHD_CONTENT_READER_END_OF_STREAM;
920 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
921 "Writing %llu/%llu bytes to %s%s\n",
922 (unsigned long long) bytes_to_copy,
923 (unsigned long long) s5r->io_len,
929 memmove (s5r->io_buf,
930 &s5r->io_buf[bytes_to_copy],
931 s5r->io_len - bytes_to_copy);
932 s5r->io_len -= bytes_to_copy;
933 if ((NULL != s5r->curl) &&
934 (GNUNET_YES == s5r->curl_paused))
936 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
937 "Continuing CURL interaction for %s%s\n",
940 s5r->curl_paused = GNUNET_NO;
941 curl_easy_pause (s5r->curl,
944 return bytes_to_copy;
949 * Check that the website has presented us with a valid X.509 certificate.
950 * The certificate must either match the domain name or the LEHO name
951 * (or, if available, the TLSA record).
953 * @param s5r request to check for.
954 * @return #GNUNET_OK if the certificate is valid
957 check_ssl_certificate (struct Socks5Request *s5r)
959 unsigned int cert_list_size;
960 const gnutls_datum_t *chainp;
961 const struct curl_tlssessioninfo *tlsinfo;
962 char certdn[GNUNET_DNSPARSER_MAX_NAME_LENGTH + 3];
964 gnutls_x509_crt_t x509_cert;
968 s5r->ssl_checked = GNUNET_YES;
969 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
970 "Checking X.509 certificate\n");
972 curl_easy_getinfo (s5r->curl,
973 CURLINFO_TLS_SESSION,
975 return GNUNET_SYSERR;
976 if (CURLSSLBACKEND_GNUTLS != tlsinfo->backend)
978 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
979 _ ("Unsupported CURL TLS backend %d\n"),
981 return GNUNET_SYSERR;
983 chainp = gnutls_certificate_get_peers (tlsinfo->internals,
986 (0 == cert_list_size))
987 return GNUNET_SYSERR;
989 size = sizeof(certdn);
990 /* initialize an X.509 certificate structure. */
991 gnutls_x509_crt_init (&x509_cert);
992 gnutls_x509_crt_import (x509_cert,
994 GNUTLS_X509_FMT_DER);
996 if (0 != (rc = gnutls_x509_crt_get_dn_by_oid (x509_cert,
997 GNUTLS_OID_X520_COMMON_NAME,
998 0, /* the first and only one */
999 0 /* no DER encoding */,
1003 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1004 _ ("Failed to fetch CN from cert: %s\n"),
1005 gnutls_strerror (rc));
1006 gnutls_x509_crt_deinit (x509_cert);
1007 return GNUNET_SYSERR;
1009 /* check for TLSA/DANE records */
1010 #if HAVE_GNUTLS_DANE
1011 if (0 != s5r->num_danes)
1013 dane_state_t dane_state;
1014 dane_query_t dane_query;
1015 unsigned int verify;
1017 /* FIXME: add flags to gnutls to NOT read UNBOUND_ROOT_KEY_FILE here! */
1018 if (0 != (rc = dane_state_init (&dane_state,
1019 #ifdef DANE_F_IGNORE_DNSSEC
1020 DANE_F_IGNORE_DNSSEC |
1022 DANE_F_IGNORE_LOCAL_RESOLVER)))
1024 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1025 _ ("Failed to initialize DANE: %s\n"),
1026 dane_strerror (rc));
1027 gnutls_x509_crt_deinit (x509_cert);
1028 return GNUNET_SYSERR;
1030 s5r->dane_data[s5r->num_danes] = NULL;
1031 s5r->dane_data_len[s5r->num_danes] = 0;
1032 if (0 != (rc = dane_raw_tlsa (dane_state,
1039 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1040 _ ("Failed to parse DANE record: %s\n"),
1041 dane_strerror (rc));
1042 dane_state_deinit (dane_state);
1043 gnutls_x509_crt_deinit (x509_cert);
1044 return GNUNET_SYSERR;
1046 if (0 != (rc = dane_verify_crt_raw (dane_state,
1049 gnutls_certificate_type_get (
1050 tlsinfo->internals),
1055 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1056 _ ("Failed to verify TLS connection using DANE: %s\n"),
1057 dane_strerror (rc));
1058 dane_query_deinit (dane_query);
1059 dane_state_deinit (dane_state);
1060 gnutls_x509_crt_deinit (x509_cert);
1061 return GNUNET_SYSERR;
1065 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1067 "Failed DANE verification failed with GnuTLS verify status code: %u\n"),
1069 dane_query_deinit (dane_query);
1070 dane_state_deinit (dane_state);
1071 gnutls_x509_crt_deinit (x509_cert);
1072 return GNUNET_SYSERR;
1074 dane_query_deinit (dane_query);
1075 dane_state_deinit (dane_state);
1081 /* try LEHO or ordinary domain name X509 verification */
1083 if (NULL != s5r->leho)
1087 if (0 == (rc = gnutls_x509_crt_check_hostname (x509_cert,
1090 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1092 "TLS certificate subject name (%s) does not match `%s': %d\n"),
1096 gnutls_x509_crt_deinit (x509_cert);
1097 return GNUNET_SYSERR;
1102 /* we did not even have the domain name!? */
1104 return GNUNET_SYSERR;
1107 gnutls_x509_crt_deinit (x509_cert);
1113 * We're getting an HTTP response header from cURL. Convert it to the
1114 * MHD response headers. Mostly copies the headers, but makes special
1115 * adjustments to "Set-Cookie" and "Location" headers as those may need
1116 * to be changed from the LEHO to the domain the browser expects.
1118 * @param buffer curl buffer with a single line of header data; not 0-terminated!
1119 * @param size curl blocksize
1120 * @param nmemb curl blocknumber
1121 * @param cls our `struct Socks5Request *`
1122 * @return size of processed bytes
1125 curl_check_hdr (void *buffer,
1130 struct Socks5Request *s5r = cls;
1131 struct HttpResponseHeader *header;
1132 size_t bytes = size * nmemb;
1134 const char *hdr_type;
1135 const char *cookie_domain;
1137 char *new_cookie_hdr;
1140 size_t delta_cdomain;
1144 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1145 "Receiving HTTP response header from CURL\n");
1146 /* first, check TLS certificate */
1147 if ((GNUNET_YES != s5r->ssl_checked) &&
1148 (GNUNET_YES == s5r->is_tls))
1149 // (HTTPS_PORT == s5r->port))
1151 if (GNUNET_OK != check_ssl_certificate (s5r))
1154 ndup = GNUNET_strndup (buffer,
1156 hdr_type = strtok (ndup,
1158 if (NULL == hdr_type)
1163 hdr_val = strtok (NULL,
1165 if (NULL == hdr_val)
1170 if (' ' == *hdr_val)
1173 /* custom logic for certain header types */
1174 new_cookie_hdr = NULL;
1175 if ((NULL != s5r->leho) &&
1176 (0 == strcasecmp (hdr_type,
1177 MHD_HTTP_HEADER_SET_COOKIE)))
1180 new_cookie_hdr = GNUNET_malloc (strlen (hdr_val)
1181 + strlen (s5r->domain) + 1);
1183 domain_matched = GNUNET_NO; /* make sure we match domain at most once */
1184 for (tok = strtok (hdr_val, ";"); NULL != tok; tok = strtok (NULL, ";"))
1186 if ((0 == strncasecmp (tok,
1188 strlen (" domain"))) &&
1189 (GNUNET_NO == domain_matched))
1191 domain_matched = GNUNET_YES;
1192 cookie_domain = tok + strlen (" domain") + 1;
1193 if (strlen (cookie_domain) < strlen (s5r->leho))
1195 delta_cdomain = strlen (s5r->leho) - strlen (cookie_domain);
1196 if (0 == strcasecmp (cookie_domain,
1197 s5r->leho + delta_cdomain))
1199 offset += sprintf (new_cookie_hdr + offset,
1205 else if (0 == strcmp (cookie_domain,
1208 offset += sprintf (new_cookie_hdr + offset,
1213 else if (('.' == cookie_domain[0]) &&
1214 (0 == strcmp (&cookie_domain[1],
1217 offset += sprintf (new_cookie_hdr + offset,
1222 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1223 _ ("Cookie domain `%s' supplied by server is invalid\n"),
1226 GNUNET_memcpy (new_cookie_hdr + offset,
1229 offset += strlen (tok);
1230 new_cookie_hdr[offset++] = ';';
1232 hdr_val = new_cookie_hdr;
1235 new_location = NULL;
1236 if (0 == strcasecmp (MHD_HTTP_HEADER_TRANSFER_ENCODING,
1239 /* Ignore transfer encoding, set automatically by MHD if required */
1242 if ((0 == strcasecmp (MHD_HTTP_HEADER_LOCATION,
1247 GNUNET_asprintf (&leho_host,
1248 (GNUNET_YES != s5r->is_tls) // (HTTPS_PORT != s5r->port)
1252 if (0 == strncmp (leho_host,
1254 strlen (leho_host)))
1256 GNUNET_asprintf (&new_location,
1258 (GNUNET_YES != s5r->is_tls) // (HTTPS_PORT != s5r->port)
1262 hdr_val + strlen (leho_host));
1263 hdr_val = new_location;
1265 GNUNET_free (leho_host);
1267 if (0 == strcasecmp (MHD_HTTP_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
1272 GNUNET_asprintf (&leho_host,
1273 (GNUNET_YES != s5r->is_tls) // (HTTPS_PORT != s5r->port)
1277 if (0 == strncmp (leho_host,
1279 strlen (leho_host)))
1281 GNUNET_asprintf (&new_location,
1283 (GNUNET_YES != s5r->is_tls) // (HTTPS_PORT != s5r->port)
1287 hdr_val = new_location;
1289 GNUNET_free (leho_host);
1292 /* MHD does not allow certain characters in values, remove those */
1293 if (NULL != (tok = strchr (hdr_val, '\n')))
1295 if (NULL != (tok = strchr (hdr_val, '\r')))
1297 if (NULL != (tok = strchr (hdr_val, '\t')))
1299 if (0 != strlen (hdr_val)) /* Rely in MHD to set those */
1301 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1302 "Adding header %s: %s to MHD response\n",
1305 header = GNUNET_new (struct HttpResponseHeader);
1306 header->type = GNUNET_strdup (hdr_type);
1307 header->value = GNUNET_strdup (hdr_val);
1308 GNUNET_CONTAINER_DLL_insert (s5r->header_head,
1314 GNUNET_free_non_null (new_cookie_hdr);
1315 GNUNET_free_non_null (new_location);
1321 * Create an MHD response object in @a s5r matching the
1322 * information we got from curl.
1324 * @param s5r the request for which we convert the response
1325 * @return #GNUNET_OK on success, #GNUNET_SYSERR if response was
1326 * already initialized before
1329 create_mhd_response_from_s5r (struct Socks5Request *s5r)
1332 double content_length;
1334 if (NULL != s5r->response)
1336 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1337 "Response already set!\n");
1338 return GNUNET_SYSERR;
1341 GNUNET_break (CURLE_OK ==
1342 curl_easy_getinfo (s5r->curl,
1343 CURLINFO_RESPONSE_CODE,
1345 GNUNET_break (CURLE_OK ==
1346 curl_easy_getinfo (s5r->curl,
1347 CURLINFO_CONTENT_LENGTH_DOWNLOAD,
1349 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1350 "Creating MHD response with code %d and size %d for %s%s\n",
1352 (int) content_length,
1355 s5r->response_code = resp_code;
1356 s5r->response = MHD_create_response_from_callback ((-1 == content_length)
1363 for (struct HttpResponseHeader *header = s5r->header_head;
1365 header = header->next)
1367 if (0 == strcasecmp (header->type,
1368 MHD_HTTP_HEADER_CONTENT_LENGTH))
1369 continue; /* MHD won't let us mess with those, for good reason */
1370 if ((0 == strcasecmp (header->type,
1371 MHD_HTTP_HEADER_TRANSFER_ENCODING)) &&
1372 ((0 == strcasecmp (header->value,
1374 (0 == strcasecmp (header->value,
1376 continue; /* MHD won't let us mess with those, for good reason */
1378 MHD_add_response_header (s5r->response,
1383 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
1384 "Failed to add header `%s:%s'\n",
1389 /* force connection to be closed after each request, as we
1390 do not support HTTP pipelining (yet, FIXME!) */
1391 /*GNUNET_break (MHD_YES ==
1392 MHD_add_response_header (s5r->response,
1393 MHD_HTTP_HEADER_CONNECTION,
1395 MHD_resume_connection (s5r->con);
1396 s5r->suspended = GNUNET_NO;
1402 * Handle response payload data from cURL. Copies it into our `io_buf` to make
1403 * it available to MHD.
1405 * @param ptr pointer to the data
1406 * @param size number of blocks of data
1407 * @param nmemb blocksize
1408 * @param ctx our `struct Socks5Request *`
1409 * @return number of bytes handled
1412 curl_download_cb (void *ptr,
1417 struct Socks5Request *s5r = ctx;
1418 size_t total = size * nmemb;
1420 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1421 "Receiving %ux%u bytes for `%s%s' from cURL to download\n",
1422 (unsigned int) size,
1423 (unsigned int) nmemb,
1426 if (NULL == s5r->response)
1427 GNUNET_assert (GNUNET_OK ==
1428 create_mhd_response_from_s5r (s5r));
1429 if ((SOCKS5_SOCKET_UPLOAD_DONE == s5r->state) &&
1432 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1433 "Previous upload finished... starting DOWNLOAD.\n");
1434 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
1436 if ((SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state) ||
1437 (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state))
1439 /* we're still not done with the upload, do not yet
1440 start the download, the IO buffer is still full
1441 with upload data. */
1442 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1443 "Pausing CURL download `%s%s', waiting for UPLOAD to finish\n",
1446 s5r->curl_paused = GNUNET_YES;
1447 return CURL_WRITEFUNC_PAUSE; /* not yet ready for data download */
1449 if (sizeof(s5r->io_buf) - s5r->io_len < total)
1451 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1452 "Pausing CURL `%s%s' download, not enough space %llu %llu %llu\n",
1455 (unsigned long long) sizeof(s5r->io_buf),
1456 (unsigned long long) s5r->io_len,
1457 (unsigned long long) total);
1458 s5r->curl_paused = GNUNET_YES;
1459 return CURL_WRITEFUNC_PAUSE; /* not enough space */
1461 GNUNET_memcpy (&s5r->io_buf[s5r->io_len],
1464 s5r->io_len += total;
1465 if (GNUNET_YES == s5r->suspended)
1467 MHD_resume_connection (s5r->con);
1468 s5r->suspended = GNUNET_NO;
1470 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1471 "Received %llu bytes of payload via cURL from %s\n",
1472 (unsigned long long) total,
1474 if (s5r->io_len == total)
1475 run_mhd_now (s5r->hd);
1481 * cURL callback for uploaded (PUT/POST) data. Copies it into our `io_buf`
1482 * to make it available to MHD.
1484 * @param buf where to write the data
1485 * @param size number of bytes per member
1486 * @param nmemb number of members available in @a buf
1487 * @param cls our `struct Socks5Request` that generated the data
1488 * @return number of bytes copied to @a buf
1491 curl_upload_cb (void *buf,
1496 struct Socks5Request *s5r = cls;
1497 size_t len = size * nmemb;
1500 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1501 "Receiving %ux%u bytes for `%s%s' from cURL to upload\n",
1502 (unsigned int) size,
1503 (unsigned int) nmemb,
1507 if ((0 == s5r->io_len) &&
1508 (SOCKS5_SOCKET_UPLOAD_DONE != s5r->state))
1510 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1511 "Pausing CURL UPLOAD %s%s, need more data\n",
1514 return CURL_READFUNC_PAUSE;
1516 if ((0 == s5r->io_len) &&
1517 (SOCKS5_SOCKET_UPLOAD_DONE == s5r->state))
1519 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
1520 if (GNUNET_YES == s5r->curl_paused)
1522 s5r->curl_paused = GNUNET_NO;
1523 curl_easy_pause (s5r->curl,
1526 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1527 "Completed CURL UPLOAD %s%s\n",
1530 return 0; /* upload finished, can now download */
1532 if ((SOCKS5_SOCKET_UPLOAD_STARTED != s5r->state) &&
1533 (SOCKS5_SOCKET_UPLOAD_DONE != s5r->state))
1536 return CURL_READFUNC_ABORT;
1538 to_copy = GNUNET_MIN (s5r->io_len,
1543 memmove (s5r->io_buf,
1544 &s5r->io_buf[to_copy],
1545 s5r->io_len - to_copy);
1546 s5r->io_len -= to_copy;
1547 if (s5r->io_len + to_copy == sizeof(s5r->io_buf))
1548 run_mhd_now (s5r->hd); /* got more space for upload now */
1553 /* ************************** main loop of cURL interaction ****************** */
1557 * Task that is run when we are ready to receive more data
1560 * @param cls closure
1563 curl_task_download (void *cls);
1567 * Ask cURL for the select() sets and schedule cURL operations.
1570 curl_download_prepare ()
1577 struct GNUNET_NETWORK_FDSet *grs;
1578 struct GNUNET_NETWORK_FDSet *gws;
1580 struct GNUNET_TIME_Relative rtime;
1582 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1583 "Scheduling CURL interaction\n");
1584 if (NULL != curl_download_task)
1586 GNUNET_SCHEDULER_cancel (curl_download_task);
1587 curl_download_task = NULL;
1593 if (CURLM_OK != (mret = curl_multi_fdset (curl_multi,
1599 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1600 "%s failed at %s:%d: `%s'\n",
1601 "curl_multi_fdset", __FILE__, __LINE__,
1602 curl_multi_strerror (mret));
1606 GNUNET_break (CURLM_OK ==
1607 curl_multi_timeout (curl_multi,
1610 rtime = GNUNET_TIME_UNIT_FOREVER_REL;
1612 rtime = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS,
1616 grs = GNUNET_NETWORK_fdset_create ();
1617 gws = GNUNET_NETWORK_fdset_create ();
1618 GNUNET_NETWORK_fdset_copy_native (grs,
1621 GNUNET_NETWORK_fdset_copy_native (gws,
1624 curl_download_task = GNUNET_SCHEDULER_add_select (
1625 GNUNET_SCHEDULER_PRIORITY_DEFAULT,
1629 &curl_task_download,
1631 GNUNET_NETWORK_fdset_destroy (gws);
1632 GNUNET_NETWORK_fdset_destroy (grs);
1636 curl_download_task = GNUNET_SCHEDULER_add_delayed (rtime,
1637 &curl_task_download,
1644 * Task that is run when we are ready to receive more data from curl.
1646 * @param cls closure, NULL
1649 curl_task_download (void *cls)
1653 struct CURLMsg *msg;
1655 struct Socks5Request *s5r;
1657 curl_download_task = NULL;
1658 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1659 "Running CURL interaction\n");
1663 mret = curl_multi_perform (curl_multi,
1665 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1666 "Checking CURL multi status: %d\n",
1668 while (NULL != (msg = curl_multi_info_read (curl_multi,
1671 GNUNET_break (CURLE_OK ==
1672 curl_easy_getinfo (msg->easy_handle,
1683 /* documentation says this is not used */
1688 switch (msg->data.result)
1691 case CURLE_GOT_NOTHING:
1692 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1693 "CURL download %s%s completed.\n",
1696 if (NULL == s5r->response)
1698 GNUNET_assert (GNUNET_OK ==
1699 create_mhd_response_from_s5r (s5r));
1701 s5r->state = SOCKS5_SOCKET_DOWNLOAD_DONE;
1702 if (GNUNET_YES == s5r->suspended)
1704 MHD_resume_connection (s5r->con);
1705 s5r->suspended = GNUNET_NO;
1707 run_mhd_now (s5r->hd);
1711 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1712 "Download curl %s%s failed: %s\n",
1715 curl_easy_strerror (msg->data.result));
1716 /* FIXME: indicate error somehow? close MHD connection badly as well? */
1717 s5r->state = SOCKS5_SOCKET_DOWNLOAD_DONE;
1718 if (GNUNET_YES == s5r->suspended)
1720 MHD_resume_connection (s5r->con);
1721 s5r->suspended = GNUNET_NO;
1723 run_mhd_now (s5r->hd);
1726 if (NULL == s5r->response)
1727 s5r->response = curl_failure_response;
1731 /* documentation says this is not used */
1736 /* unexpected status code */
1743 while (mret == CURLM_CALL_MULTI_PERFORM);
1744 if (CURLM_OK != mret)
1745 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
1746 "%s failed at %s:%d: `%s'\n",
1747 "curl_multi_perform", __FILE__, __LINE__,
1748 curl_multi_strerror (mret));
1751 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1752 "Suspending cURL multi loop, no more events pending\n");
1753 if (NULL != curl_download_task)
1755 GNUNET_SCHEDULER_cancel (curl_download_task);
1756 curl_download_task = NULL;
1758 return; /* nothing more in progress */
1760 curl_download_prepare ();
1764 /* ********************************* MHD response generation ******************* */
1768 * Read HTTP request header field from the request. Copies the fields
1769 * over to the 'headers' that will be given to curl. However, 'Host'
1770 * is substituted with the LEHO if present. We also change the
1771 * 'Connection' header value to "close" as the proxy does not support
1774 * @param cls our `struct Socks5Request`
1775 * @param kind value kind
1776 * @param key field key
1777 * @param value field value
1778 * @return #MHD_YES to continue to iterate
1781 con_val_iter (void *cls,
1782 enum MHD_ValueKind kind,
1786 struct Socks5Request *s5r = cls;
1789 if ((0 == strcasecmp (MHD_HTTP_HEADER_HOST,
1791 (NULL != s5r->leho))
1793 GNUNET_asprintf (&hdr,
1797 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1798 "Adding HEADER `%s' to HTTP request\n",
1800 s5r->headers = curl_slist_append (s5r->headers,
1808 * Main MHD callback for handling requests.
1811 * @param con MHD connection handle
1812 * @param url the url in the request
1813 * @param meth the HTTP method used ("GET", "PUT", etc.)
1814 * @param ver the HTTP version string (i.e. "HTTP/1.1")
1815 * @param upload_data the data being uploaded (excluding HEADERS,
1816 * for a POST that fits into memory and that is encoded
1817 * with a supported encoding, the POST data will NOT be
1818 * given in upload_data and is instead available as
1819 * part of MHD_get_connection_values; very large POST
1820 * data *will* be made available incrementally in
1822 * @param upload_data_size set initially to the size of the
1823 * @a upload_data provided; the method must update this
1824 * value to the number of bytes NOT processed;
1825 * @param con_cls pointer to location where we store the `struct Request`
1826 * @return #MHD_YES if the connection was handled successfully,
1827 * #MHD_NO if the socket must be closed due to a serious
1828 * error while handling the request
1831 create_response (void *cls,
1832 struct MHD_Connection *con,
1836 const char *upload_data,
1837 size_t *upload_data_size,
1840 struct Socks5Request *s5r = *con_cls;
1842 char ipstring[INET6_ADDRSTRLEN];
1843 char ipaddr[INET6_ADDRSTRLEN + 2];
1844 const struct sockaddr *sa;
1845 const struct sockaddr_in *s4;
1846 const struct sockaddr_in6 *s6;
1856 /* Fresh connection. */
1857 if (SOCKS5_SOCKET_WITH_MHD == s5r->state)
1859 /* first time here, initialize curl handle */
1862 sa = (const struct sockaddr *) &s5r->destination_address;
1863 switch (sa->sa_family)
1866 s4 = (const struct sockaddr_in *) &s5r->destination_address;
1867 if (NULL == inet_ntop (AF_INET,
1875 GNUNET_snprintf (ipaddr,
1879 port = ntohs (s4->sin_port);
1883 s6 = (const struct sockaddr_in6 *) &s5r->destination_address;
1884 if (NULL == inet_ntop (AF_INET6,
1892 GNUNET_snprintf (ipaddr,
1896 port = ntohs (s6->sin6_port);
1908 if (NULL == s5r->curl)
1909 s5r->curl = curl_easy_init ();
1910 if (NULL == s5r->curl)
1911 return MHD_queue_response (con,
1912 MHD_HTTP_INTERNAL_SERVER_ERROR,
1913 curl_failure_response);
1914 curl_easy_setopt (s5r->curl,
1915 CURLOPT_HEADERFUNCTION,
1917 curl_easy_setopt (s5r->curl,
1920 curl_easy_setopt (s5r->curl,
1921 CURLOPT_FOLLOWLOCATION,
1924 curl_easy_setopt (s5r->curl,
1927 curl_easy_setopt (s5r->curl,
1928 CURLOPT_CONNECTTIMEOUT,
1930 curl_easy_setopt (s5r->curl,
1933 curl_easy_setopt (s5r->curl,
1936 curl_easy_setopt (s5r->curl,
1937 CURLOPT_HTTP_CONTENT_DECODING,
1939 curl_easy_setopt (s5r->curl,
1942 curl_easy_setopt (s5r->curl,
1945 curl_easy_setopt (s5r->curl,
1949 * Pre-populate cache to resolve Hostname.
1950 * This is necessary as the DNS name in the CURLOPT_URL is used
1951 * for SNI http://de.wikipedia.org/wiki/Server_Name_Indication
1952 */if (NULL != s5r->leho)
1956 GNUNET_asprintf (&curl_hosts,
1961 s5r->hosts = curl_slist_append (NULL,
1963 curl_easy_setopt (s5r->curl,
1966 GNUNET_free (curl_hosts);
1970 GNUNET_asprintf (&curlurl,
1971 (GNUNET_YES != s5r->is_tls) // (HTTPS_PORT != s5r->port)
1973 : "https://%s:%d%s",
1982 GNUNET_asprintf (&curlurl,
1983 (GNUNET_YES != s5r->is_tls) // (HTTPS_PORT != s5r->port)
1985 : "https://%s:%d%s",
1990 curl_easy_setopt (s5r->curl,
1993 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
1994 "Launching %s CURL interaction, fetching `%s'\n",
1995 (s5r->is_gns) ? "GNS" : "DNS",
1997 GNUNET_free (curlurl);
1998 if (0 == strcasecmp (meth,
1999 MHD_HTTP_METHOD_PUT))
2001 s5r->state = SOCKS5_SOCKET_UPLOAD_STARTED;
2002 curl_easy_setopt (s5r->curl,
2005 curl_easy_setopt (s5r->curl,
2006 CURLOPT_WRITEFUNCTION,
2008 curl_easy_setopt (s5r->curl,
2011 GNUNET_assert (CURLE_OK ==
2012 curl_easy_setopt (s5r->curl,
2013 CURLOPT_READFUNCTION,
2015 curl_easy_setopt (s5r->curl,
2020 long upload_size = 0;
2022 us = MHD_lookup_connection_value (con,
2024 MHD_HTTP_HEADER_CONTENT_LENGTH);
2025 if ((1 == sscanf (us,
2030 curl_easy_setopt (s5r->curl,
2036 else if (0 == strcasecmp (meth, MHD_HTTP_METHOD_POST))
2038 s5r->state = SOCKS5_SOCKET_UPLOAD_STARTED;
2039 curl_easy_setopt (s5r->curl,
2042 curl_easy_setopt (s5r->curl,
2043 CURLOPT_WRITEFUNCTION,
2045 curl_easy_setopt (s5r->curl,
2048 curl_easy_setopt (s5r->curl,
2049 CURLOPT_READFUNCTION,
2051 curl_easy_setopt (s5r->curl,
2059 us = MHD_lookup_connection_value (con,
2061 MHD_HTTP_HEADER_CONTENT_LENGTH);
2068 curl_easy_setopt (s5r->curl,
2074 curl_easy_setopt (s5r->curl,
2080 else if (0 == strcasecmp (meth,
2081 MHD_HTTP_METHOD_HEAD))
2083 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2084 curl_easy_setopt (s5r->curl,
2088 else if (0 == strcasecmp (meth,
2089 MHD_HTTP_METHOD_OPTIONS))
2091 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2092 curl_easy_setopt (s5r->curl,
2093 CURLOPT_CUSTOMREQUEST,
2095 curl_easy_setopt (s5r->curl,
2096 CURLOPT_WRITEFUNCTION,
2098 curl_easy_setopt (s5r->curl,
2102 else if (0 == strcasecmp (meth,
2103 MHD_HTTP_METHOD_GET))
2105 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2106 curl_easy_setopt (s5r->curl,
2109 curl_easy_setopt (s5r->curl,
2110 CURLOPT_WRITEFUNCTION,
2112 curl_easy_setopt (s5r->curl,
2116 else if (0 == strcasecmp (meth,
2117 MHD_HTTP_METHOD_DELETE))
2119 s5r->state = SOCKS5_SOCKET_DOWNLOAD_STARTED;
2120 curl_easy_setopt (s5r->curl,
2121 CURLOPT_CUSTOMREQUEST,
2123 curl_easy_setopt (s5r->curl,
2124 CURLOPT_WRITEFUNCTION,
2126 curl_easy_setopt (s5r->curl,
2132 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2133 _ ("Unsupported HTTP method `%s'\n"),
2135 curl_easy_cleanup (s5r->curl);
2140 if (0 == strcasecmp (ver, MHD_HTTP_VERSION_1_0))
2142 curl_easy_setopt (s5r->curl,
2143 CURLOPT_HTTP_VERSION,
2144 CURL_HTTP_VERSION_1_0);
2146 else if (0 == strcasecmp (ver, MHD_HTTP_VERSION_1_1))
2148 curl_easy_setopt (s5r->curl,
2149 CURLOPT_HTTP_VERSION,
2150 CURL_HTTP_VERSION_1_1);
2154 curl_easy_setopt (s5r->curl,
2155 CURLOPT_HTTP_VERSION,
2156 CURL_HTTP_VERSION_NONE);
2159 if (GNUNET_YES == s5r->is_tls) // (HTTPS_PORT == s5r->port)
2161 curl_easy_setopt (s5r->curl,
2164 if (0 < s5r->num_danes)
2165 curl_easy_setopt (s5r->curl,
2166 CURLOPT_SSL_VERIFYPEER,
2169 curl_easy_setopt (s5r->curl,
2170 CURLOPT_SSL_VERIFYPEER,
2172 /* Disable cURL checking the hostname, as we will check ourselves
2173 as only we have the domain name or the LEHO or the DANE record */
2174 curl_easy_setopt (s5r->curl,
2175 CURLOPT_SSL_VERIFYHOST,
2180 curl_easy_setopt (s5r->curl,
2186 curl_multi_add_handle (curl_multi,
2190 curl_easy_cleanup (s5r->curl);
2194 MHD_get_connection_values (con,
2196 (MHD_KeyValueIterator) & con_val_iter,
2198 curl_easy_setopt (s5r->curl,
2201 curl_download_prepare ();
2205 /* continuing to process request */
2206 if (0 != *upload_data_size)
2208 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2209 "Processing %u bytes UPLOAD\n",
2210 (unsigned int) *upload_data_size);
2212 /* FIXME: This must be set or a header with Transfer-Encoding: chunked. Else
2213 * upload callback is not called!
2215 curl_easy_setopt (s5r->curl,
2216 CURLOPT_POSTFIELDSIZE,
2219 left = GNUNET_MIN (*upload_data_size,
2220 sizeof(s5r->io_buf) - s5r->io_len);
2221 GNUNET_memcpy (&s5r->io_buf[s5r->io_len],
2224 s5r->io_len += left;
2225 *upload_data_size -= left;
2226 GNUNET_assert (NULL != s5r->curl);
2227 if (GNUNET_YES == s5r->curl_paused)
2229 s5r->curl_paused = GNUNET_NO;
2230 curl_easy_pause (s5r->curl,
2235 if (SOCKS5_SOCKET_UPLOAD_STARTED == s5r->state)
2237 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2238 "Finished processing UPLOAD\n");
2239 s5r->state = SOCKS5_SOCKET_UPLOAD_DONE;
2241 if (NULL == s5r->response)
2243 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2244 "Waiting for HTTP response for %s%s...\n",
2247 MHD_suspend_connection (con);
2248 s5r->suspended = GNUNET_YES;
2251 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2252 "Queueing response for %s%s with MHD\n",
2255 run_mhd_now (s5r->hd);
2256 return MHD_queue_response (con,
2262 /* ******************** MHD HTTP setup and event loop ******************** */
2266 * Function called when MHD decides that we are done with a request.
2269 * @param connection connection handle
2270 * @param con_cls value as set by the last call to
2271 * the MHD_AccessHandlerCallback, should be our `struct Socks5Request *`
2272 * @param toe reason for request termination (ignored)
2275 mhd_completed_cb (void *cls,
2276 struct MHD_Connection *connection,
2278 enum MHD_RequestTerminationCode toe)
2280 struct Socks5Request *s5r = *con_cls;
2284 if (MHD_REQUEST_TERMINATED_COMPLETED_OK != toe)
2285 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
2286 "MHD encountered error handling request: %d\n",
2288 if (NULL != s5r->curl)
2290 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2291 "Removing cURL handle (MHD interaction complete)\n");
2292 curl_multi_remove_handle (curl_multi,
2294 curl_slist_free_all (s5r->headers);
2295 s5r->headers = NULL;
2296 curl_easy_reset (s5r->curl);
2300 curl_download_prepare ();
2302 if ((NULL != s5r->response) &&
2303 (curl_failure_response != s5r->response))
2304 MHD_destroy_response (s5r->response);
2305 for (struct HttpResponseHeader *header = s5r->header_head;
2307 header = s5r->header_head)
2309 GNUNET_CONTAINER_DLL_remove (s5r->header_head,
2312 GNUNET_free (header->type);
2313 GNUNET_free (header->value);
2314 GNUNET_free (header);
2316 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2317 "Finished request for %s\n",
2319 GNUNET_free (s5r->url);
2320 s5r->state = SOCKS5_SOCKET_WITH_MHD;
2322 s5r->response = NULL;
2328 * Function called when MHD connection is opened or closed.
2331 * @param connection connection handle
2332 * @param con_cls value as set by the last call to
2333 * the MHD_AccessHandlerCallback, should be our `struct Socks5Request *`
2334 * @param toe connection notification type
2337 mhd_connection_cb (void *cls,
2338 struct MHD_Connection *connection,
2340 enum MHD_ConnectionNotificationCode cnc)
2342 struct Socks5Request *s5r;
2343 const union MHD_ConnectionInfo *ci;
2348 case MHD_CONNECTION_NOTIFY_STARTED:
2349 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Connection started...\n");
2350 ci = MHD_get_connection_info (connection,
2351 MHD_CONNECTION_INFO_CONNECTION_FD);
2357 sock = ci->connect_fd;
2358 for (s5r = s5r_head; NULL != s5r; s5r = s5r->next)
2360 if (GNUNET_NETWORK_get_fd (s5r->sock) == sock)
2362 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2363 "Context set...\n");
2364 s5r->ssl_checked = GNUNET_NO;
2371 case MHD_CONNECTION_NOTIFY_CLOSED:
2372 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2373 "Connection closed... cleaning up\n");
2377 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2378 "Connection stale!\n");
2382 curl_download_prepare ();
2393 * Function called when MHD first processes an incoming connection.
2394 * Gives us the respective URI information.
2396 * We use this to associate the `struct MHD_Connection` with our
2397 * internal `struct Socks5Request` data structure (by checking
2398 * for matching sockets).
2400 * @param cls the HTTP server handle (a `struct MhdHttpList`)
2401 * @param url the URL that is being requested
2402 * @param connection MHD connection object for the request
2403 * @return the `struct Socks5Request` that this @a connection is for
2406 mhd_log_callback (void *cls,
2408 struct MHD_Connection *connection)
2410 struct Socks5Request *s5r;
2411 const union MHD_ConnectionInfo *ci;
2413 ci = MHD_get_connection_info (connection,
2414 MHD_CONNECTION_INFO_SOCKET_CONTEXT);
2415 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Processing %s\n", url);
2421 s5r = ci->socket_context;
2422 if (NULL != s5r->url)
2427 s5r->url = GNUNET_strdup (url);
2428 if (NULL != s5r->timeout_task)
2430 GNUNET_SCHEDULER_cancel (s5r->timeout_task);
2431 s5r->timeout_task = NULL;
2433 GNUNET_assert (s5r->state == SOCKS5_SOCKET_WITH_MHD);
2439 * Kill the given MHD daemon.
2441 * @param hd daemon to stop
2444 kill_httpd (struct MhdHttpList *hd)
2446 GNUNET_CONTAINER_DLL_remove (mhd_httpd_head,
2449 GNUNET_free_non_null (hd->domain);
2450 MHD_stop_daemon (hd->daemon);
2451 if (NULL != hd->httpd_task)
2453 GNUNET_SCHEDULER_cancel (hd->httpd_task);
2454 hd->httpd_task = NULL;
2456 GNUNET_free_non_null (hd->proxy_cert);
2464 * Task run whenever HTTP server is idle for too long. Kill it.
2466 * @param cls the `struct MhdHttpList *`
2469 kill_httpd_task (void *cls)
2471 struct MhdHttpList *hd = cls;
2473 hd->httpd_task = NULL;
2479 * Task run whenever HTTP server operations are pending.
2481 * @param cls the `struct MhdHttpList *` of the daemon that is being run
2484 do_httpd (void *cls);
2488 * Schedule MHD. This function should be called initially when an
2489 * MHD is first getting its client socket, and will then automatically
2490 * always be called later whenever there is work to be done.
2492 * @param hd the daemon to schedule
2495 schedule_httpd (struct MhdHttpList *hd)
2500 struct GNUNET_NETWORK_FDSet *wrs;
2501 struct GNUNET_NETWORK_FDSet *wws;
2504 MHD_UNSIGNED_LONG_LONG timeout;
2505 struct GNUNET_TIME_Relative tv;
2512 MHD_get_fdset (hd->daemon,
2521 haveto = MHD_get_timeout (hd->daemon,
2523 if (MHD_YES == haveto)
2524 tv.rel_value_us = (uint64_t) timeout * 1000LL;
2526 tv = GNUNET_TIME_UNIT_FOREVER_REL;
2529 wrs = GNUNET_NETWORK_fdset_create ();
2530 wws = GNUNET_NETWORK_fdset_create ();
2531 GNUNET_NETWORK_fdset_copy_native (wrs, &rs, max + 1);
2532 GNUNET_NETWORK_fdset_copy_native (wws, &ws, max + 1);
2539 if (NULL != hd->httpd_task)
2541 GNUNET_SCHEDULER_cancel (hd->httpd_task);
2542 hd->httpd_task = NULL;
2544 if ((MHD_YES != haveto) &&
2548 /* daemon is idle, kill after timeout */
2549 hd->httpd_task = GNUNET_SCHEDULER_add_delayed (MHD_CACHE_TIMEOUT,
2556 GNUNET_SCHEDULER_add_select (GNUNET_SCHEDULER_PRIORITY_DEFAULT,
2561 GNUNET_NETWORK_fdset_destroy (wrs);
2563 GNUNET_NETWORK_fdset_destroy (wws);
2568 * Task run whenever HTTP server operations are pending.
2570 * @param cls the `struct MhdHttpList` of the daemon that is being run
2573 do_httpd (void *cls)
2575 struct MhdHttpList *hd = cls;
2577 hd->httpd_task = NULL;
2578 MHD_run (hd->daemon);
2579 schedule_httpd (hd);
2584 * Run MHD now, we have extra data ready for the callback.
2586 * @param hd the daemon to run now.
2589 run_mhd_now (struct MhdHttpList *hd)
2591 if (NULL != hd->httpd_task)
2592 GNUNET_SCHEDULER_cancel (hd->httpd_task);
2593 hd->httpd_task = GNUNET_SCHEDULER_add_now (&do_httpd,
2599 * Read file in filename
2601 * @param filename file to read
2602 * @param size pointer where filesize is stored
2603 * @return NULL on error
2606 load_file (const char*filename,
2613 GNUNET_DISK_file_size (filename,
2618 if (fsize > MAX_PEM_SIZE)
2620 *size = (unsigned int) fsize;
2621 buffer = GNUNET_malloc (*size);
2623 GNUNET_DISK_fn_read (filename,
2627 GNUNET_free (buffer);
2635 * Load PEM key from file
2637 * @param key where to store the data
2638 * @param keyfile path to the PEM file
2639 * @return #GNUNET_OK on success
2642 load_key_from_file (gnutls_x509_privkey_t key,
2645 gnutls_datum_t key_data;
2648 key_data.data = load_file (keyfile,
2650 if (NULL == key_data.data)
2651 return GNUNET_SYSERR;
2652 ret = gnutls_x509_privkey_import (key, &key_data,
2653 GNUTLS_X509_FMT_PEM);
2654 if (GNUTLS_E_SUCCESS != ret)
2656 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2657 _ ("Unable to import private key from file `%s'\n"),
2660 GNUNET_free_non_null (key_data.data);
2661 return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
2666 * Load cert from file
2668 * @param crt struct to store data in
2669 * @param certfile path to pem file
2670 * @return #GNUNET_OK on success
2673 load_cert_from_file (gnutls_x509_crt_t crt,
2674 const char*certfile)
2676 gnutls_datum_t cert_data;
2679 cert_data.data = load_file (certfile,
2681 if (NULL == cert_data.data)
2682 return GNUNET_SYSERR;
2683 ret = gnutls_x509_crt_import (crt,
2685 GNUTLS_X509_FMT_PEM);
2686 if (GNUTLS_E_SUCCESS != ret)
2688 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2689 _ ("Unable to import certificate from `%s'\n"),
2692 GNUNET_free_non_null (cert_data.data);
2693 return (GNUTLS_E_SUCCESS != ret) ? GNUNET_SYSERR : GNUNET_OK;
2698 * Generate new certificate for specific name
2700 * @param name the subject name to generate a cert for
2701 * @return a struct holding the PEM data, NULL on error
2703 static struct ProxyGNSCertificate *
2704 generate_gns_certificate (const char *name)
2706 unsigned int serial;
2707 size_t key_buf_size;
2708 size_t cert_buf_size;
2709 gnutls_x509_crt_t request;
2712 struct ProxyGNSCertificate *pgc;
2714 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2715 "Generating x.509 certificate for `%s'\n",
2717 GNUNET_break (GNUTLS_E_SUCCESS == gnutls_x509_crt_init (&request));
2718 GNUNET_break (GNUTLS_E_SUCCESS == gnutls_x509_crt_set_key (request,
2720 pgc = GNUNET_new (struct ProxyGNSCertificate);
2721 gnutls_x509_crt_set_dn_by_oid (request,
2722 GNUTLS_OID_X520_COUNTRY_NAME,
2726 gnutls_x509_crt_set_dn_by_oid (request,
2727 GNUTLS_OID_X520_ORGANIZATION_NAME,
2730 strlen ("GNU Name System"));
2731 gnutls_x509_crt_set_dn_by_oid (request,
2732 GNUTLS_OID_X520_COMMON_NAME,
2736 gnutls_x509_crt_set_subject_alternative_name (request,
2739 GNUNET_break (GNUTLS_E_SUCCESS ==
2740 gnutls_x509_crt_set_version (request,
2742 gnutls_rnd (GNUTLS_RND_NONCE,
2745 gnutls_x509_crt_set_serial (request,
2748 etime = time (NULL);
2749 tm_data = localtime (&etime);
2751 etime = mktime (tm_data);
2752 gnutls_x509_crt_set_activation_time (request,
2755 etime = mktime (tm_data);
2756 gnutls_x509_crt_set_expiration_time (request,
2758 gnutls_x509_crt_sign2 (request,
2763 key_buf_size = sizeof(pgc->key);
2764 cert_buf_size = sizeof(pgc->cert);
2765 gnutls_x509_crt_export (request,
2766 GNUTLS_X509_FMT_PEM,
2769 gnutls_x509_privkey_export (proxy_ca.key,
2770 GNUTLS_X509_FMT_PEM,
2773 gnutls_x509_crt_deinit (request);
2779 * Function called by MHD with errors, suppresses them all.
2781 * @param cls closure
2782 * @param fm format string (`printf()`-style)
2783 * @param ap arguments to @a fm
2786 mhd_error_log_callback (void *cls,
2795 * Lookup (or create) an TLS MHD instance for a particular domain.
2797 * @param domain the domain the TLS daemon has to serve
2798 * @return NULL on error
2800 static struct MhdHttpList *
2801 lookup_ssl_httpd (const char*domain)
2803 struct MhdHttpList *hd;
2804 struct ProxyGNSCertificate *pgc;
2811 for (hd = mhd_httpd_head; NULL != hd; hd = hd->next)
2812 if ((NULL != hd->domain) &&
2813 (0 == strcmp (hd->domain, domain)))
2815 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
2816 "Starting fresh MHD HTTPS instance for domain `%s'\n",
2818 pgc = generate_gns_certificate (domain);
2819 hd = GNUNET_new (struct MhdHttpList);
2820 hd->is_ssl = GNUNET_YES;
2821 hd->domain = GNUNET_strdup (domain);
2822 hd->proxy_cert = pgc;
2823 hd->daemon = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_SSL
2824 | MHD_USE_NO_LISTEN_SOCKET
2825 | MHD_ALLOW_SUSPEND_RESUME,
2828 &create_response, hd,
2829 MHD_OPTION_CONNECTION_TIMEOUT, (unsigned
2831 MHD_OPTION_NOTIFY_COMPLETED, &mhd_completed_cb,
2833 MHD_OPTION_NOTIFY_CONNECTION,
2834 &mhd_connection_cb, NULL,
2835 MHD_OPTION_URI_LOG_CALLBACK, &mhd_log_callback,
2837 MHD_OPTION_EXTERNAL_LOGGER,
2838 &mhd_error_log_callback, NULL,
2839 MHD_OPTION_HTTPS_MEM_KEY, pgc->key,
2840 MHD_OPTION_HTTPS_MEM_CERT, pgc->cert,
2842 if (NULL == hd->daemon)
2848 GNUNET_CONTAINER_DLL_insert (mhd_httpd_head,
2856 * Task run when a Socks5Request somehow fails to be associated with
2857 * an MHD connection (i.e. because the client never speaks HTTP after
2858 * the SOCKS5 handshake). Clean up.
2860 * @param cls the `struct Socks5Request *`
2863 timeout_s5r_handshake (void *cls)
2865 struct Socks5Request *s5r = cls;
2867 s5r->timeout_task = NULL;
2873 * We're done with the Socks5 protocol, now we need to pass the
2874 * connection data through to the final destination, either
2875 * direct (if the protocol might not be HTTP), or via MHD
2876 * (if the port looks like it should be HTTP).
2878 * @param s5r socks request that has reached the final stage
2881 setup_data_transfer (struct Socks5Request *s5r)
2883 struct MhdHttpList *hd;
2885 const struct sockaddr *addr;
2889 if (GNUNET_YES == s5r->is_tls)
2891 GNUNET_asprintf (&domain,
2894 hd = lookup_ssl_httpd (domain);
2897 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2898 _ ("Failed to start HTTPS server for `%s'\n"),
2901 GNUNET_free (domain);
2908 GNUNET_assert (NULL != httpd);
2911 fd = GNUNET_NETWORK_get_fd (s5r->sock);
2912 addr = GNUNET_NETWORK_get_addr (s5r->sock);
2913 len = GNUNET_NETWORK_get_addrlen (s5r->sock);
2914 s5r->state = SOCKS5_SOCKET_WITH_MHD;
2916 MHD_add_connection (hd->daemon,
2921 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
2922 _ ("Failed to pass client to MHD\n"));
2924 GNUNET_free_non_null (domain);
2928 schedule_httpd (hd);
2929 s5r->timeout_task = GNUNET_SCHEDULER_add_delayed (HTTP_HANDSHAKE_TIMEOUT,
2930 &timeout_s5r_handshake,
2932 GNUNET_free_non_null (domain);
2936 /* ********************* SOCKS handling ************************* */
2940 * Write data from buffer to socks5 client, then continue with state machine.
2942 * @param cls the closure with the `struct Socks5Request`
2945 do_write (void *cls)
2947 struct Socks5Request *s5r = cls;
2951 len = GNUNET_NETWORK_socket_send (s5r->sock,
2956 /* write error: connection closed, shutdown, etc.; just clean up */
2957 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
2964 s5r->wbuf_len - len);
2965 s5r->wbuf_len -= len;
2966 if (s5r->wbuf_len > 0)
2968 /* not done writing */
2970 GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
2976 /* we're done writing, continue with state machine! */
2984 case SOCKS5_REQUEST:
2985 GNUNET_assert (NULL != s5r->rtask);
2988 case SOCKS5_DATA_TRANSFER:
2989 setup_data_transfer (s5r);
2992 case SOCKS5_WRITE_THEN_CLEANUP:
3004 * Return a server response message indicating a failure to the client.
3006 * @param s5r request to return failure code for
3007 * @param sc status code to return
3010 signal_socks_failure (struct Socks5Request *s5r,
3011 enum Socks5StatusCode sc)
3013 struct Socks5ServerResponseMessage *s_resp;
3015 GNUNET_break (0 == s5r->wbuf_len); /* Should happen first in any transmission, right? */
3016 GNUNET_assert (SOCKS_BUFFERSIZE - s5r->wbuf_len >=
3017 sizeof(struct Socks5ServerResponseMessage));
3018 s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];
3019 memset (s_resp, 0, sizeof(struct Socks5ServerResponseMessage));
3020 s_resp->version = SOCKS_VERSION_5;
3022 s5r->state = SOCKS5_WRITE_THEN_CLEANUP;
3023 if (NULL != s5r->wtask)
3025 GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
3032 * Return a server response message indicating success.
3034 * @param s5r request to return success status message for
3037 signal_socks_success (struct Socks5Request *s5r)
3039 struct Socks5ServerResponseMessage *s_resp;
3041 s_resp = (struct Socks5ServerResponseMessage *) &s5r->wbuf[s5r->wbuf_len];
3042 s_resp->version = SOCKS_VERSION_5;
3043 s_resp->reply = SOCKS5_STATUS_REQUEST_GRANTED;
3044 s_resp->reserved = 0;
3045 s_resp->addr_type = SOCKS5_AT_IPV4;
3046 /* zero out IPv4 address and port */
3049 sizeof(struct in_addr) + sizeof(uint16_t));
3050 s5r->wbuf_len += sizeof(struct Socks5ServerResponseMessage)
3051 + sizeof(struct in_addr) + sizeof(uint16_t);
3052 if (NULL == s5r->wtask)
3054 GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
3061 * Process GNS results for target domain.
3063 * @param cls the `struct Socks5Request *`
3064 * @param tld #GNUNET_YES if this was a GNS TLD.
3065 * @param rd_count number of records returned
3066 * @param rd record data
3069 handle_gns_result (void *cls,
3072 const struct GNUNET_GNSRECORD_Data *rd)
3074 struct Socks5Request *s5r = cls;
3075 const struct GNUNET_GNSRECORD_Data *r;
3078 s5r->gns_lookup = NULL;
3081 for (uint32_t i = 0; i < rd_count; i++)
3084 switch (r->record_type)
3086 case GNUNET_DNSPARSER_TYPE_A:
3088 struct sockaddr_in *in;
3090 if (sizeof(struct in_addr) != r->data_size)
3092 GNUNET_break_op (0);
3095 if (GNUNET_YES == got_ip)
3098 GNUNET_NETWORK_test_pf (PF_INET))
3100 got_ip = GNUNET_YES;
3101 in = (struct sockaddr_in *) &s5r->destination_address;
3102 in->sin_family = AF_INET;
3103 GNUNET_memcpy (&in->sin_addr,
3106 in->sin_port = htons (s5r->port);
3107 #if HAVE_SOCKADDR_IN_SIN_LEN
3108 in->sin_len = sizeof(*in);
3113 case GNUNET_DNSPARSER_TYPE_AAAA:
3115 struct sockaddr_in6 *in;
3117 if (sizeof(struct in6_addr) != r->data_size)
3119 GNUNET_break_op (0);
3122 if (GNUNET_YES == got_ip)
3124 if (GNUNET_YES == disable_v6)
3127 GNUNET_NETWORK_test_pf (PF_INET6))
3129 /* FIXME: allow user to disable IPv6 per configuration option... */
3130 got_ip = GNUNET_YES;
3131 in = (struct sockaddr_in6 *) &s5r->destination_address;
3132 in->sin6_family = AF_INET6;
3133 GNUNET_memcpy (&in->sin6_addr,
3136 in->sin6_port = htons (s5r->port);
3137 #if HAVE_SOCKADDR_IN_SIN_LEN
3138 in->sin6_len = sizeof(*in);
3143 case GNUNET_GNSRECORD_TYPE_VPN:
3144 GNUNET_break (0); /* should have been translated within GNS */
3147 case GNUNET_GNSRECORD_TYPE_LEHO:
3148 GNUNET_free_non_null (s5r->leho);
3149 s5r->leho = GNUNET_strndup (r->data,
3153 case GNUNET_GNSRECORD_TYPE_BOX:
3155 const struct GNUNET_GNSRECORD_BoxRecord *box;
3157 if (r->data_size < sizeof(struct GNUNET_GNSRECORD_BoxRecord))
3159 GNUNET_break_op (0);
3163 if ((ntohl (box->record_type) != GNUNET_DNSPARSER_TYPE_TLSA) ||
3164 (ntohs (box->protocol) != IPPROTO_TCP) ||
3165 (ntohs (box->service) != s5r->port))
3166 break; /* BOX record does not apply */
3167 if (s5r->num_danes >= MAX_DANES)
3169 GNUNET_break (0); /* MAX_DANES too small */
3172 s5r->is_tls = GNUNET_YES; /* This should be TLS */
3173 s5r->dane_data_len[s5r->num_danes]
3174 = r->data_size - sizeof(struct GNUNET_GNSRECORD_BoxRecord);
3175 s5r->dane_data[s5r->num_danes]
3176 = GNUNET_memdup (&box[1],
3177 s5r->dane_data_len[s5r->num_danes]);
3187 if ((GNUNET_YES != got_ip) &&
3188 (GNUNET_YES == tld))
3190 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3191 "Name resolution failed to yield useful IP address.\n");
3192 signal_socks_failure (s5r,
3193 SOCKS5_STATUS_GENERAL_FAILURE);
3196 s5r->state = SOCKS5_DATA_TRANSFER;
3197 signal_socks_success (s5r);
3202 * Remove the first @a len bytes from the beginning of the read buffer.
3204 * @param s5r the handle clear the read buffer for
3205 * @param len number of bytes in read buffer to advance
3208 clear_from_s5r_rbuf (struct Socks5Request *s5r,
3211 GNUNET_assert (len <= s5r->rbuf_len);
3214 s5r->rbuf_len - len);
3215 s5r->rbuf_len -= len;
3220 * Read data from incoming Socks5 connection
3222 * @param cls the closure with the `struct Socks5Request`
3225 do_s5r_read (void *cls)
3227 struct Socks5Request *s5r = cls;
3228 const struct Socks5ClientHelloMessage *c_hello;
3229 struct Socks5ServerHelloMessage *s_hello;
3230 const struct Socks5ClientRequestMessage *c_req;
3233 const struct GNUNET_SCHEDULER_TaskContext *tc;
3236 tc = GNUNET_SCHEDULER_get_task_context ();
3237 if ((NULL != tc->read_ready) &&
3238 (GNUNET_NETWORK_fdset_isset (tc->read_ready,
3241 rlen = GNUNET_NETWORK_socket_recv (s5r->sock,
3242 &s5r->rbuf[s5r->rbuf_len],
3243 sizeof(s5r->rbuf) - s5r->rbuf_len);
3246 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3247 "socks5 client disconnected.\n");
3251 s5r->rbuf_len += rlen;
3253 s5r->rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3256 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3257 "Processing %zu bytes of socks data in state %d\n",
3263 c_hello = (const struct Socks5ClientHelloMessage*) &s5r->rbuf;
3264 if ((s5r->rbuf_len < sizeof(struct Socks5ClientHelloMessage)) ||
3265 (s5r->rbuf_len < sizeof(struct Socks5ClientHelloMessage)
3266 + c_hello->num_auth_methods))
3267 return; /* need more data */
3268 if (SOCKS_VERSION_5 != c_hello->version)
3270 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3271 _ ("Unsupported socks version %d\n"),
3272 (int) c_hello->version);
3276 clear_from_s5r_rbuf (s5r,
3277 sizeof(struct Socks5ClientHelloMessage)
3278 + c_hello->num_auth_methods);
3279 GNUNET_assert (0 == s5r->wbuf_len);
3280 s_hello = (struct Socks5ServerHelloMessage *) &s5r->wbuf;
3281 s5r->wbuf_len = sizeof(struct Socks5ServerHelloMessage);
3282 s_hello->version = SOCKS_VERSION_5;
3283 s_hello->auth_method = SOCKS_AUTH_NONE;
3284 GNUNET_assert (NULL == s5r->wtask);
3285 s5r->wtask = GNUNET_SCHEDULER_add_write_net (GNUNET_TIME_UNIT_FOREVER_REL,
3288 s5r->state = SOCKS5_REQUEST;
3291 case SOCKS5_REQUEST:
3292 c_req = (const struct Socks5ClientRequestMessage *) &s5r->rbuf;
3293 if (s5r->rbuf_len < sizeof(struct Socks5ClientRequestMessage))
3295 switch (c_req->command)
3297 case SOCKS5_CMD_TCP_STREAM:
3302 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3303 _ ("Unsupported socks command %d\n"),
3304 (int) c_req->command);
3305 signal_socks_failure (s5r,
3306 SOCKS5_STATUS_COMMAND_NOT_SUPPORTED);
3309 switch (c_req->addr_type)
3311 case SOCKS5_AT_IPV4:
3313 const struct in_addr *v4 = (const struct in_addr *) &c_req[1];
3314 const uint16_t *port = (const uint16_t *) &v4[1];
3315 struct sockaddr_in *in;
3317 s5r->port = ntohs (*port);
3318 alen = sizeof(struct in_addr);
3319 if (s5r->rbuf_len < sizeof(struct Socks5ClientRequestMessage)
3320 + alen + sizeof(uint16_t))
3321 return; /* need more data */
3322 in = (struct sockaddr_in *) &s5r->destination_address;
3323 in->sin_family = AF_INET;
3325 in->sin_port = *port;
3326 #if HAVE_SOCKADDR_IN_SIN_LEN
3327 in->sin_len = sizeof(*in);
3329 s5r->state = SOCKS5_DATA_TRANSFER;
3333 case SOCKS5_AT_IPV6:
3335 const struct in6_addr *v6 = (const struct in6_addr *) &c_req[1];
3336 const uint16_t *port = (const uint16_t *) &v6[1];
3337 struct sockaddr_in6 *in;
3339 s5r->port = ntohs (*port);
3340 alen = sizeof(struct in6_addr);
3341 if (s5r->rbuf_len < sizeof(struct Socks5ClientRequestMessage)
3342 + alen + sizeof(uint16_t))
3343 return; /* need more data */
3344 in = (struct sockaddr_in6 *) &s5r->destination_address;
3345 in->sin6_family = AF_INET6;
3346 in->sin6_addr = *v6;
3347 in->sin6_port = *port;
3348 #if HAVE_SOCKADDR_IN_SIN_LEN
3349 in->sin6_len = sizeof(*in);
3351 s5r->state = SOCKS5_DATA_TRANSFER;
3355 case SOCKS5_AT_DOMAINNAME:
3357 const uint8_t *dom_len;
3358 const char *dom_name;
3359 const uint16_t *port;
3361 dom_len = (const uint8_t *) &c_req[1];
3362 alen = *dom_len + 1;
3363 if (s5r->rbuf_len < sizeof(struct Socks5ClientRequestMessage)
3364 + alen + sizeof(uint16_t))
3365 return; /* need more data */
3366 dom_name = (const char *) &dom_len[1];
3367 port = (const uint16_t *) &dom_name[*dom_len];
3368 s5r->domain = GNUNET_strndup (dom_name,
3370 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3371 "Requested connection is to %s:%d\n",
3372 // (HTTPS_PORT == s5r->port) ? "s" : "",
3375 s5r->state = SOCKS5_RESOLVING;
3376 s5r->port = ntohs (*port);
3377 s5r->is_tls = (HTTPS_PORT == s5r->port) ? GNUNET_YES : GNUNET_NO;
3378 s5r->gns_lookup = GNUNET_GNS_lookup_with_tld (gns_handle,
3380 GNUNET_DNSPARSER_TYPE_A,
3381 GNUNET_GNS_LO_LOCAL_MASTER /* only cached */,
3388 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3389 _ ("Unsupported socks address type %d\n"),
3390 (int) c_req->addr_type);
3391 signal_socks_failure (s5r,
3392 SOCKS5_STATUS_ADDRESS_TYPE_NOT_SUPPORTED);
3395 clear_from_s5r_rbuf (s5r,
3396 sizeof(struct Socks5ClientRequestMessage)
3397 + alen + sizeof(uint16_t));
3398 if (0 != s5r->rbuf_len)
3400 /* read more bytes than healthy, why did the client send more!? */
3401 GNUNET_break_op (0);
3402 signal_socks_failure (s5r,
3403 SOCKS5_STATUS_GENERAL_FAILURE);
3406 if (SOCKS5_DATA_TRANSFER == s5r->state)
3408 /* if we are not waiting for GNS resolution, signal success */
3409 signal_socks_success (s5r);
3411 /* We are done reading right now */
3412 GNUNET_SCHEDULER_cancel (s5r->rtask);
3416 case SOCKS5_RESOLVING:
3420 case SOCKS5_DATA_TRANSFER:
3432 * Accept new incoming connections
3434 * @param cls the closure with the lsock4 or lsock6
3435 * @param tc the scheduler context
3438 do_accept (void *cls)
3440 struct GNUNET_NETWORK_Handle *lsock = cls;
3441 struct GNUNET_NETWORK_Handle *s;
3442 struct Socks5Request *s5r;
3444 GNUNET_assert (NULL != lsock);
3445 if (lsock == lsock4)
3446 ltask4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3450 else if (lsock == lsock6)
3451 ltask6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3457 s = GNUNET_NETWORK_socket_accept (lsock,
3462 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3466 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3467 "Got an inbound connection, waiting for data\n");
3468 s5r = GNUNET_new (struct Socks5Request);
3469 GNUNET_CONTAINER_DLL_insert (s5r_head,
3473 s5r->state = SOCKS5_INIT;
3474 s5r->rtask = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3481 /* ******************* General / main code ********************* */
3485 * Task run on shutdown
3487 * @param cls closure
3490 do_shutdown (void *cls)
3492 GNUNET_log (GNUNET_ERROR_TYPE_INFO,
3493 "Shutting down...\n");
3494 /* MHD requires resuming before destroying the daemons */
3495 for (struct Socks5Request *s5r = s5r_head;
3501 s5r->suspended = GNUNET_NO;
3502 MHD_resume_connection (s5r->con);
3505 while (NULL != mhd_httpd_head)
3506 kill_httpd (mhd_httpd_head);
3507 while (NULL != s5r_head)
3508 cleanup_s5r (s5r_head);
3511 GNUNET_NETWORK_socket_close (lsock4);
3516 GNUNET_NETWORK_socket_close (lsock6);
3519 if (NULL != curl_multi)
3521 curl_multi_cleanup (curl_multi);
3524 if (NULL != gns_handle)
3526 GNUNET_GNS_disconnect (gns_handle);
3529 if (NULL != curl_download_task)
3531 GNUNET_SCHEDULER_cancel (curl_download_task);
3532 curl_download_task = NULL;
3536 GNUNET_SCHEDULER_cancel (ltask4);
3541 GNUNET_SCHEDULER_cancel (ltask6);
3544 gnutls_x509_crt_deinit (proxy_ca.cert);
3545 gnutls_x509_privkey_deinit (proxy_ca.key);
3546 gnutls_global_deinit ();
3551 * Create an IPv4 listen socket bound to our port.
3553 * @return NULL on error
3555 static struct GNUNET_NETWORK_Handle *
3558 struct GNUNET_NETWORK_Handle *ls;
3559 struct sockaddr_in sa4;
3562 memset (&sa4, 0, sizeof(sa4));
3563 sa4.sin_family = AF_INET;
3564 sa4.sin_port = htons (port);
3565 sa4.sin_addr.s_addr = address;
3566 #if HAVE_SOCKADDR_IN_SIN_LEN
3567 sa4.sin_len = sizeof(sa4);
3569 ls = GNUNET_NETWORK_socket_create (AF_INET,
3575 GNUNET_NETWORK_socket_bind (ls,
3576 (const struct sockaddr *) &sa4,
3580 GNUNET_NETWORK_socket_close (ls);
3589 * Create an IPv6 listen socket bound to our port.
3591 * @return NULL on error
3593 static struct GNUNET_NETWORK_Handle *
3596 struct GNUNET_NETWORK_Handle *ls;
3597 struct sockaddr_in6 sa6;
3600 memset (&sa6, 0, sizeof(sa6));
3601 sa6.sin6_family = AF_INET6;
3602 sa6.sin6_port = htons (port);
3603 sa6.sin6_addr = address6;
3604 #if HAVE_SOCKADDR_IN_SIN_LEN
3605 sa6.sin6_len = sizeof(sa6);
3607 ls = GNUNET_NETWORK_socket_create (AF_INET6,
3613 GNUNET_NETWORK_socket_bind (ls,
3614 (const struct sockaddr *) &sa6,
3618 GNUNET_NETWORK_socket_close (ls);
3627 * Main function that will be run
3629 * @param cls closure
3630 * @param args remaining command-line arguments
3631 * @param cfgfile name of the configuration file used (for saving, can be NULL!)
3632 * @param c configuration
3637 const char *cfgfile,
3638 const struct GNUNET_CONFIGURATION_Handle *c)
3640 char*cafile_cfg = NULL;
3643 struct MhdHttpList *hd;
3647 /* Get address to bind to */
3648 if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, "gns-proxy",
3652 // No address specified
3653 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3654 "Don't know what to bind to...\n");
3655 GNUNET_free (addr_str);
3656 GNUNET_SCHEDULER_shutdown ();
3659 if (1 != inet_pton (AF_INET, addr_str, &address))
3661 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3662 "Unable to parse address %s\n",
3664 GNUNET_free (addr_str);
3665 GNUNET_SCHEDULER_shutdown ();
3668 GNUNET_free (addr_str);
3669 /* Get address to bind to */
3670 if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, "gns-proxy",
3674 // No address specified
3675 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3676 "Don't know what to bind6 to...\n");
3677 GNUNET_free (addr_str);
3678 GNUNET_SCHEDULER_shutdown ();
3681 if (1 != inet_pton (AF_INET6, addr_str, &address6))
3683 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3684 "Unable to parse IPv6 address %s\n",
3686 GNUNET_free (addr_str);
3687 GNUNET_SCHEDULER_shutdown ();
3690 GNUNET_free (addr_str);
3692 if (NULL == (curl_multi = curl_multi_init ()))
3694 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3695 "Failed to create cURL multi handle!\n");
3698 cafile = cafile_opt;
3702 GNUNET_CONFIGURATION_get_value_filename (cfg,
3707 GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
3712 cafile = cafile_cfg;
3714 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3715 "Using `%s' as CA\n",
3718 gnutls_global_init ();
3719 gnutls_x509_crt_init (&proxy_ca.cert);
3720 gnutls_x509_privkey_init (&proxy_ca.key);
3723 load_cert_from_file (proxy_ca.cert,
3726 load_key_from_file (proxy_ca.key,
3729 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3730 _ ("Failed to load X.509 key and certificate from `%s'\n"),
3732 gnutls_x509_crt_deinit (proxy_ca.cert);
3733 gnutls_x509_privkey_deinit (proxy_ca.key);
3734 gnutls_global_deinit ();
3735 GNUNET_free_non_null (cafile_cfg);
3738 GNUNET_free_non_null (cafile_cfg);
3739 if (NULL == (gns_handle = GNUNET_GNS_connect (cfg)))
3741 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3742 "Unable to connect to GNS!\n");
3743 gnutls_x509_crt_deinit (proxy_ca.cert);
3744 gnutls_x509_privkey_deinit (proxy_ca.key);
3745 gnutls_global_deinit ();
3748 GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
3751 /* Open listen socket for socks proxy */
3752 lsock6 = bind_v6 ();
3755 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3761 GNUNET_NETWORK_socket_listen (lsock6,
3764 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3766 GNUNET_NETWORK_socket_close (lsock6);
3771 ltask6 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3777 lsock4 = bind_v4 ();
3780 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3786 GNUNET_NETWORK_socket_listen (lsock4,
3789 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
3791 GNUNET_NETWORK_socket_close (lsock4);
3796 ltask4 = GNUNET_SCHEDULER_add_read_net (GNUNET_TIME_UNIT_FOREVER_REL,
3802 if ((NULL == lsock4) &&
3805 GNUNET_SCHEDULER_shutdown ();
3808 if (0 != curl_global_init (CURL_GLOBAL_WIN32))
3810 GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
3811 "cURL global init failed!\n");
3812 GNUNET_SCHEDULER_shutdown ();
3815 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3816 "Proxy listens on port %u\n",
3817 (unsigned int) port);
3819 /* start MHD daemon for HTTP */
3820 hd = GNUNET_new (struct MhdHttpList);
3821 hd->daemon = MHD_start_daemon (MHD_USE_DEBUG | MHD_USE_NO_LISTEN_SOCKET
3822 | MHD_ALLOW_SUSPEND_RESUME,
3825 &create_response, hd,
3826 MHD_OPTION_CONNECTION_TIMEOUT, (unsigned
3828 MHD_OPTION_NOTIFY_COMPLETED, &mhd_completed_cb,
3830 MHD_OPTION_NOTIFY_CONNECTION,
3831 &mhd_connection_cb, NULL,
3832 MHD_OPTION_URI_LOG_CALLBACK, &mhd_log_callback,
3835 if (NULL == hd->daemon)
3838 GNUNET_SCHEDULER_shutdown ();
3842 GNUNET_CONTAINER_DLL_insert (mhd_httpd_head,
3849 * The main function for gnunet-gns-proxy.
3851 * @param argc number of arguments from the command line
3852 * @param argv command line arguments
3853 * @return 0 ok, 1 on error
3859 struct GNUNET_GETOPT_CommandLineOption options[] = {
3860 GNUNET_GETOPT_option_uint16 ('p',
3864 "listen on specified port (default: 7777)"),
3866 GNUNET_GETOPT_option_string ('a',
3869 gettext_noop ("pem file to use as CA"),
3871 GNUNET_GETOPT_option_flag ('6',
3873 gettext_noop ("disable use of IPv6"),
3876 GNUNET_GETOPT_OPTION_END
3878 static const char*page =
3879 "<html><head><title>gnunet-gns-proxy</title>"
3880 "</head><body>cURL fail</body></html>";
3884 GNUNET_STRINGS_get_utf8_args (argc, argv,
3887 GNUNET_log_setup ("gnunet-gns-proxy",
3890 curl_failure_response
3891 = MHD_create_response_from_buffer (strlen (page),
3893 MHD_RESPMEM_PERSISTENT);
3897 GNUNET_PROGRAM_run (argc, argv,
3899 _ ("GNUnet GNS proxy"),
3901 &run, NULL)) ? 0 : 1;
3902 MHD_destroy_response (curl_failure_response);
3903 GNUNET_free_non_null ((char *) argv);
3908 /* end of gnunet-gns-proxy.c */
projects / oweals / gnunet.git / blob