Commit Graph

15 Commits (d441cf523cea6ab2d2ee1c0f50fab0bb620f2ea1)

Author SHA1 Message Date
Timo Teräs b30e94c0ac libfetch: fix http chunked mode handling
Unbreak handling of base 16 in fetch_parseuint(). It is used
only in http chunked mode handling.

Fixes: "libfetch: fix range checking for http/ftp protocol parsing"
2021-08-03 21:33:49 +03:00
Timo Teräs ca1d975e5e libfetch: fix range checking for http/ftp protocol parsing
Various parsing of numeric strings were not having adequate range
checking causing information leak or potential crash.

CVE-2021-36159
fixes #10749

Co-authored-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Samanta Navarro <ferivoz@riseup.net>
2021-07-26 14:43:14 +03:00
Rosen Penev c4c8aa5ba0 fix compilation without deprecated OpenSSL APIs
(De)initialization is deprecated under OpenSSL 1.0 and above.

[TT: Some simplifications, and additional edits.]

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-27 09:13:07 +02:00
Timo Teräs acca5cbff0 libfetch: fix connection pooling for proxied http/https requests
The connection pooling was broken in two ways:

 1. The original URL was always used as the connection pool URL,
    resulting in duplicate connections to the proxy for http URLs
    (each http URL would get separate proxy connection)

 2. The cache_url stored was always the socket level connect URL.
    In case of HTTPS, the lookup was done done with the real URL,
    but the proxy URL was stored as the "cache URL". Thus HTTPS
    CONNECT connections were never re-used.

This fixes the code with following logic:

 1. The cache key url is the real URL when no-proxy, or when HTTPS
    with proxy (the socket is connected to proxy, but logically it
    is connected to the real URL due to HTTP CONNECT request).
    And for HTTP with proxy, it's the proxy URL so same proxy
    connection can be reused for all requests going through it.

 2. fetch_connect() now gets cache key URL separately, and it always
    gets the same value as the fetch_cache_get() calls.
2021-01-19 16:42:38 +02:00
Timo Teräs d430a98976 libfetch: fix use-after-free in connection cache management
fixes #10734
2021-01-19 16:10:08 +02:00
Timo Teräs 167fd86794 libfetch: support for CIDR subnets in no_proxy/NO_PROXY
This enables matching numeric hosts against CIDR style subnet
matches in no_proxy environment variable.

Based on work by Thermi.

Co-authored-by: Noel Kuntze <noel.kuntze@thermi.consulting>
2021-01-17 15:04:17 +02:00
Ariadne Conill ffcdd350d0 libfetch: implement default port for HTTPS.
If getservbyname() fails, libfetch will attempt to connect to port 0.
2020-05-29 08:00:22 +03:00
Timo Teräs d6c54f9320 libfetch: fix no_proxy domain name comparision
Fix comparing of the hostname portion that matches exactly.
The no_proxy matching is pretty rudimentary though and probably
could go through a bit of additional rework.

Fixes #10681
2020-04-01 11:08:43 +03:00
A. Wilcox 36f5cf8e4b libfetch: support OpenSSL
TLS_client_method is a LibreSSL extension.
SSLv23_client_method is generic, and doesn't mean SSL v2/v3 only.
2018-01-31 20:04:46 +00:00
Timo Teräs 0d814ba35b libfetch: fix certificate host name check
OpenSSL allows passing zero-length to indicate "use strlen".
LibreSSL requires using the real length always, so pass the length.
2017-10-06 18:09:37 +03:00
Timo Teräs 52fd85a8dc libfetch: improve ssl connections
loosely based on the freebsd implementation, implement https
connection settings to override CA, and use client certificate.

new files supported in /etc/apk/:
  ca.pem   - if exists, it contains CAs acceptable for https
	     (otherwise system wide CAs are used)
  crl.pem  - if ca.pem is used, this is the (optional) CRL for it
  cert.pem - used as client authentication certificate (+ key)
  cert.key - used as client key (can be also inside cert.pem)
2017-10-05 16:59:14 +03:00
Timo Teräs 531fea4c90 libfetch: remove unwanted code conditionals 2017-10-05 16:59:14 +03:00
Timo Teräs f6860e0e11 libfetch: fix ssl context leak
from freebsd
2017-10-05 16:59:14 +03:00
Timo Teräs 86436fce2f build and use bundled libfetch natively 2017-10-05 16:59:14 +03:00
Timo Teräs 9dc6278c7b import libfetch-2.38 from NetBSD
ftp://ftp.fu-berlin.de/unix/NetBSD/packages/current-src/pkgsrc/net/libfetch/files

libfetch comes (at least) in netbsd and freebsd flavors which
differing functionality. Alpine and Arch package netbsd one,
but it's not widely packaged across other distributions.

We need NetBSD version as it does not use funopen(3) which is not
supported in musl, and supports connection pooling.

FreeBSD seems to be the orignal and better maintained version
with support for SSL CAs, client certificate authentication,
proxy authentication, and improved http redirect handling.

So this imports NetBSD version, and future commits will pick up
the needed improvements from FreeBSD tree.

Incidentally, this also fixes #7857 and likes for good.
2017-10-05 16:58:09 +03:00