From 2851ec6cf037d552118b885be0dd7796d74730c6 Mon Sep 17 00:00:00 2001
From: Julian Andres Klode <jak@debian.org>
Date: Wed, 28 Jun 2017 10:55:57 +0200
Subject: methods: Add HTTPS support to http method, using GnuTLS

The http method will eventually replace the curl-based
https method, but for now, this is an opt-in experiment
that can be enabled by setting Dir::Bin::Methods::https
to "http".

Known issues:
- We do not support HTTPS proxies yet
- We do not support proxying HTTPS connections yet (CONNECT)
- IssuerCert and SslForceVersion are unsupported

Gbp-Dch: Full
---
 methods/http.cc | 187 +++-----------------------------------------------------
 1 file changed, 10 insertions(+), 177 deletions(-)

(limited to 'methods/http.cc')

diff --git a/methods/http.cc b/methods/http.cc
index d62f97be3..4d8c0808b 100644
--- a/methods/http.cc
+++ b/methods/http.cc
@@ -298,24 +298,6 @@ HttpServerState::HttpServerState(URI Srv,HttpMethod *Owner) : ServerState(Srv, O
 // HttpServerState::Open - Open a connection to the server		/*{{{*/
 // ---------------------------------------------------------------------
 /* This opens a connection to the server. */
-static bool TalkToSocksProxy(int const ServerFd, std::string const &Proxy,
-      char const * const type, bool const ReadWrite, uint8_t * const ToFrom,
-      unsigned int const Size, unsigned int const Timeout)
-{
-   if (WaitFd(ServerFd, ReadWrite, Timeout) == false)
-      return _error->Error("Waiting for the SOCKS proxy %s to %s timed out", URI::SiteOnly(Proxy).c_str(), type);
-   if (ReadWrite == false)
-   {
-      if (FileFd::Read(ServerFd, ToFrom, Size) == false)
-	 return _error->Error("Reading the %s from SOCKS proxy %s failed", type, URI::SiteOnly(Proxy).c_str());
-   }
-   else
-   {
-      if (FileFd::Write(ServerFd, ToFrom, Size) == false)
-	 return _error->Error("Writing the %s to SOCKS proxy %s failed", type, URI::SiteOnly(Proxy).c_str());
-   }
-   return true;
-}
 bool HttpServerState::Open()
 {
    // Use the already open connection if possible.
@@ -361,169 +343,15 @@ bool HttpServerState::Open()
    if (Proxy.empty() == false)
       Owner->AddProxyAuth(Proxy, ServerName);
 
+   bool tls = ServerName.Access == "https";
    if (Proxy.Access == "socks5h")
    {
       if (Connect(Proxy.Host, Proxy.Port, "socks", 1080, ServerFd, TimeOut, Owner) == false)
 	 return false;
 
-      /* We implement a very basic SOCKS5 client here complying mostly to RFC1928 expect
-       * for not offering GSSAPI auth which is a must (we only do no or user/pass auth).
-       * We also expect the SOCKS5 server to do hostname lookup (aka socks5h) */
-      std::string const ProxyInfo = URI::SiteOnly(Proxy);
-      Owner->Status(_("Connecting to %s (%s)"),"SOCKS5h proxy",ProxyInfo.c_str());
-      auto const Timeout = Owner->ConfigFindI("TimeOut", 120);
-#define APT_WriteOrFail(TYPE, DATA, LENGTH)                                                     \
-   if (TalkToSocksProxy(ServerFd->Fd(), ProxyInfo, TYPE, true, DATA, LENGTH, Timeout) == false) \
-   return false
-#define APT_ReadOrFail(TYPE, DATA, LENGTH)                                                       \
-   if (TalkToSocksProxy(ServerFd->Fd(), ProxyInfo, TYPE, false, DATA, LENGTH, Timeout) == false) \
-   return false
-      if (ServerName.Host.length() > 255)
-	 return _error->Error("Can't use SOCKS5h as hostname %s is too long!", ServerName.Host.c_str());
-      if (Proxy.User.length() > 255 || Proxy.Password.length() > 255)
-	 return _error->Error("Can't use user&pass auth as they are too long (%lu and %lu) for the SOCKS5!", Proxy.User.length(), Proxy.Password.length());
-      if (Proxy.User.empty())
-      {
-	 uint8_t greeting[] = { 0x05, 0x01, 0x00 };
-	 APT_WriteOrFail("greet-1", greeting, sizeof(greeting));
-      }
-      else
-      {
-	 uint8_t greeting[] = { 0x05, 0x02, 0x00, 0x02 };
-	 APT_WriteOrFail("greet-2", greeting, sizeof(greeting));
-      }
-      uint8_t greeting[2];
-      APT_ReadOrFail("greet back", greeting, sizeof(greeting));
-      if (greeting[0] != 0x05)
-	 return _error->Error("SOCKS proxy %s greets back with wrong version: %d", ProxyInfo.c_str(), greeting[0]);
-      if (greeting[1] == 0x00)
-	 ; // no auth has no method-dependent sub-negotiations
-      else if (greeting[1] == 0x02)
-      {
-	 if (Proxy.User.empty())
-	    return _error->Error("SOCKS proxy %s negotiated user&pass auth, but we had not offered it!", ProxyInfo.c_str());
-	 // user&pass auth sub-negotiations are defined by RFC1929
-	 std::vector<uint8_t> auth = {{ 0x01, static_cast<uint8_t>(Proxy.User.length()) }};
-	 std::copy(Proxy.User.begin(), Proxy.User.end(), std::back_inserter(auth));
-	 auth.push_back(static_cast<uint8_t>(Proxy.Password.length()));
-	 std::copy(Proxy.Password.begin(), Proxy.Password.end(), std::back_inserter(auth));
-	 APT_WriteOrFail("user&pass auth", auth.data(), auth.size());
-	 uint8_t authstatus[2];
-	 APT_ReadOrFail("auth report", authstatus, sizeof(authstatus));
-	 if (authstatus[0] != 0x01)
-	    return _error->Error("SOCKS proxy %s auth status response with wrong version: %d", ProxyInfo.c_str(), authstatus[0]);
-	 if (authstatus[1] != 0x00)
-	    return _error->Error("SOCKS proxy %s reported authorization failure: username or password incorrect? (%d)", ProxyInfo.c_str(), authstatus[1]);
-      }
-      else
-	 return _error->Error("SOCKS proxy %s greets back having not found a common authorization method: %d", ProxyInfo.c_str(), greeting[1]);
-      union { uint16_t * i; uint8_t * b; } portu;
-      uint16_t port = htons(static_cast<uint16_t>(ServerName.Port == 0 ? 80 : ServerName.Port));
-      portu.i = &port;
-      std::vector<uint8_t> request = {{ 0x05, 0x01, 0x00, 0x03, static_cast<uint8_t>(ServerName.Host.length()) }};
-      std::copy(ServerName.Host.begin(), ServerName.Host.end(), std::back_inserter(request));
-      request.push_back(portu.b[0]);
-      request.push_back(portu.b[1]);
-      APT_WriteOrFail("request", request.data(), request.size());
-      uint8_t response[4];
-      APT_ReadOrFail("first part of response", response, sizeof(response));
-      if (response[0] != 0x05)
-	 return _error->Error("SOCKS proxy %s response with wrong version: %d", ProxyInfo.c_str(), response[0]);
-      if (response[2] != 0x00)
-	 return _error->Error("SOCKS proxy %s has unexpected non-zero reserved field value: %d", ProxyInfo.c_str(), response[2]);
-      std::string bindaddr;
-      if (response[3] == 0x01) // IPv4 address
-      {
-	 uint8_t ip4port[6];
-	 APT_ReadOrFail("IPv4+Port of response", ip4port, sizeof(ip4port));
-	 portu.b[0] = ip4port[4];
-	 portu.b[1] = ip4port[5];
-	 port = ntohs(*portu.i);
-	 strprintf(bindaddr, "%d.%d.%d.%d:%d", ip4port[0], ip4port[1], ip4port[2], ip4port[3], port);
-      }
-      else if (response[3] == 0x03) // hostname
-      {
-	 uint8_t namelength;
-	 APT_ReadOrFail("hostname length of response", &namelength, 1);
-	 uint8_t hostname[namelength + 2];
-	 APT_ReadOrFail("hostname of response", hostname, sizeof(hostname));
-	 portu.b[0] = hostname[namelength];
-	 portu.b[1] = hostname[namelength + 1];
-	 port = ntohs(*portu.i);
-	 hostname[namelength] = '\0';
-	 strprintf(bindaddr, "%s:%d", hostname, port);
-      }
-      else if (response[3] == 0x04) // IPv6 address
-      {
-	 uint8_t ip6port[18];
-	 APT_ReadOrFail("IPv6+port of response", ip6port, sizeof(ip6port));
-	 portu.b[0] = ip6port[16];
-	 portu.b[1] = ip6port[17];
-	 port = ntohs(*portu.i);
-	 strprintf(bindaddr, "[%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X:%02X%02X]:%d",
-	       ip6port[0], ip6port[1], ip6port[2], ip6port[3], ip6port[4], ip6port[5], ip6port[6], ip6port[7],
-	       ip6port[8], ip6port[9], ip6port[10], ip6port[11], ip6port[12], ip6port[13], ip6port[14], ip6port[15],
-	       port);
-      }
-      else
-	 return _error->Error("SOCKS proxy %s destination address is of unknown type: %d",
-	       ProxyInfo.c_str(), response[3]);
-      if (response[1] != 0x00)
-      {
-	 char const * errstr = nullptr;
-	 auto errcode = response[1];
-	 // Tor error reporting can be a bit arcane, lets try to detect & fix it up
-	 if (bindaddr == "0.0.0.0:0")
-	 {
-	    auto const lastdot = ServerName.Host.rfind('.');
-	    if (lastdot == std::string::npos || ServerName.Host.substr(lastdot) != ".onion")
-	       ;
-	    else if (errcode == 0x01)
-	    {
-	       auto const prevdot = ServerName.Host.rfind('.', lastdot - 1);
-	       if (lastdot == 16 && prevdot == std::string::npos)
-		  ; // valid .onion address
-	       else if (prevdot != std::string::npos && (lastdot - prevdot) == 17)
-		  ; // valid .onion address with subdomain(s)
-	       else
-	       {
-		  errstr = "Invalid hostname: onion service name must be 16 characters long";
-		  Owner->SetFailReason("SOCKS");
-	       }
-	    }
-	    // in all likelihood the service is either down or the address has
-	    // a typo and so "Host unreachable" is the better understood error
-	    // compared to the technically correct "TLL expired".
-	    else if (errcode == 0x06)
-	       errcode = 0x04;
-	 }
-	 if (errstr == nullptr)
-	 {
-	    switch (errcode)
-	    {
-	       case 0x01: errstr = "general SOCKS server failure"; Owner->SetFailReason("SOCKS"); break;
-	       case 0x02: errstr = "connection not allowed by ruleset"; Owner->SetFailReason("SOCKS"); break;
-	       case 0x03: errstr = "Network unreachable"; Owner->SetFailReason("ConnectionTimedOut"); break;
-	       case 0x04: errstr = "Host unreachable"; Owner->SetFailReason("ConnectionTimedOut"); break;
-	       case 0x05: errstr = "Connection refused"; Owner->SetFailReason("ConnectionRefused"); break;
-	       case 0x06: errstr = "TTL expired"; Owner->SetFailReason("Timeout"); break;
-	       case 0x07: errstr = "Command not supported"; Owner->SetFailReason("SOCKS"); break;
-	       case 0x08: errstr = "Address type not supported"; Owner->SetFailReason("SOCKS"); break;
-	       default: errstr = "Unknown error"; Owner->SetFailReason("SOCKS"); break;
-	    }
-	 }
-	 return _error->Error("SOCKS proxy %s could not connect to %s (%s) due to: %s (%d)",
-	       ProxyInfo.c_str(), ServerName.Host.c_str(), bindaddr.c_str(), errstr, response[1]);
-      }
-      else if (Owner->DebugEnabled())
-	 ioprintf(std::clog, "http: SOCKS proxy %s connection established to %s (%s)\n",
-	       ProxyInfo.c_str(), ServerName.Host.c_str(), bindaddr.c_str());
-
-      if (WaitFd(ServerFd->Fd(), true, Timeout) == false)
-	 return _error->Error("SOCKS proxy %s reported connection to %s (%s), but timed out",
-	       ProxyInfo.c_str(), ServerName.Host.c_str(), bindaddr.c_str());
-      #undef APT_ReadOrFail
-      #undef APT_WriteOrFail
+      if (UnwrapSocks(ServerName.Host, ServerName.Port == 0 ? 80 : ServerName.Port,
+		      Proxy, ServerFd, Owner->ConfigFindI("TimeOut", 120), Owner) == false)
+	 return false;
    }
    else
    {
@@ -544,8 +372,13 @@ bool HttpServerState::Open()
 	    Port = Proxy.Port;
 	 Host = Proxy.Host;
       }
-      return Connect(Host,Port,"http",80,ServerFd,TimeOut,Owner);
+      if (!Connect(Host, Port, tls ? "https" : "http", tls ? 443 : 80, ServerFd, TimeOut, Owner))
+	 return false;
    }
+
+   if (tls && UnwrapTLS(ServerName.Host, ServerFd, TimeOut, Owner) == false)
+      return false;
+
    return true;
 }
 									/*}}}*/
-- 
cgit v1.2.3