Commit Graph

34 Commits (f4f7796ccc9e398b047bc537e28a065dfa83c8a9)

Author SHA1 Message Date
Ariadne Conill 4846c498c7 libfetch: avoid use of strdupa GNU extension
ref #10794
2021-12-09 10:34:31 -06:00
Timo Teräs b30e94c0ac libfetch: fix http chunked mode handling
Unbreak handling of base 16 in fetch_parseuint(). It is used
only in http chunked mode handling.

Fixes: "libfetch: fix range checking for http/ftp protocol parsing"
2021-08-03 21:33:49 +03:00
Timo Teräs ca1d975e5e libfetch: fix range checking for http/ftp protocol parsing
Parsing of various numeric strings did not have adequate range
checking, causing information leak or potential crash.

CVE-2021-36159
fixes #10749

Co-authored-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Samanta Navarro <ferivoz@riseup.net>
2021-07-26 14:43:14 +03:00
Timo Teräs d909ebc25b libfetch: simplify code by merging protocol error handling branches
removes some code duplication
2021-07-16 10:25:14 +03:00
Timo Teräs bc0ed3774a libfetch: send Proxy-Authorization also for https connect
fixes #10738
2021-03-16 16:22:11 +02:00
Martin Vahlensieck 8e993fe969 Use correct port when redirected
If server redirects from http to https, libfetch detects this, but
wrongly uses the old url scheme to determine the port. This subsequently
leads to the following OpenSSL error:

139741541575496:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:

Using the new scheme fixes this.  This error message comes from trying
to connect to port 80 with TLS, it can also be observed by issuing
  $ openssl s_client -connect alpinelinux.org:80

This bug was introduced in commit:
7158474 libfetch: keep http auth only if redirect is for the same host
2021-03-13 12:53:20 +02:00
Rosen Penev c4c8aa5ba0 fix compilation without deprecated OpenSSL APIs
(De)initialization is deprecated under OpenSSL 1.0 and above.

[TT: Some simplifications, and additional edits.]

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-27 09:13:07 +02:00
Timo Teräs bcbcbfc1fc libfetch: harden URL parsing
Treat URLs with too long individual components as malformed instead
of silently truncating that field. There might be unexpected results
if hostname, username or password field gets truncated.
2021-01-19 17:51:13 +02:00
Timo Teräs acca5cbff0 libfetch: fix connection pooling for proxied http/https requests
The connection pooling was broken in two ways:

 1. The original URL was always used as the connection pool URL,
    resulting in duplicate connections to the proxy for http URLs
    (each http URL would get separate proxy connection)

 2. The cache_url stored was always the socket level connect URL.
    In case of HTTPS, the lookup was done with the real URL,
    but the proxy URL was stored as the "cache URL". Thus HTTPS
    CONNECT connections were never re-used.

This fixes the code with the following logic:

 1. The cache key url is the real URL when no-proxy, or when HTTPS
    with proxy (the socket is connected to proxy, but logically it
    is connected to the real URL due to HTTP CONNECT request).
    And for HTTP with proxy, it's the proxy URL so same proxy
    connection can be reused for all requests going through it.

 2. fetch_connect() now gets cache key URL separately, and it always
    gets the same value as the fetch_cache_get() calls.
2021-01-19 16:42:38 +02:00
Timo Teräs d430a98976 libfetch: fix use-after-free in connection cache management
fixes #10734
2021-01-19 16:10:08 +02:00
Conny Seifert 4087ab92c4 libfetch: fix parsing of proxy response to CONNECT requests
Instead of skipping just one line, properly parse the response headers.

[TT: reworded commit message]
2021-01-19 12:08:52 +02:00
Timo Teräs 167fd86794 libfetch: support for CIDR subnets in no_proxy/NO_PROXY
This enables matching numeric hosts against CIDR style subnet
matches in no_proxy environment variable.

Based on work by Thermi.

Co-authored-by: Noel Kuntze <noel.kuntze@thermi.consulting>
2021-01-17 15:04:17 +02:00
Mike Detwiler b58d79e78f libfetch: Increase URL password length
Signed-off-by: Mike Detwiler <det@shift5.io>
2021-01-08 10:55:37 +02:00
Rasmus Thomsen 0cfa6cfb83 build: make sure to use helper scripts from git tree and not system 2020-10-09 16:09:19 +03:00
Rasmus Thomsen fe1de720d0 build: add support for building with meson 2020-10-09 16:09:19 +03:00
Timo Teräs 7158474f1b libfetch: keep http auth only if redirect is for the same host
fixes #10688
2020-10-06 11:24:05 +03:00
Ariadne Conill ffcdd350d0 libfetch: implement default port for HTTPS.
If getservbyname() fails, libfetch will attempt to connect to port 0.
2020-05-29 08:00:22 +03:00
Timo Teräs 5258b484bf add script to autogenerate help from man pages
This creates main help like:
--
usage: apk [<OPTIONS>...] COMMAND [<ARGUMENTS>...]

Package installation and removal:
  add        Add packages to WORLD and commit changes
  del        Remove packages from WORLD and commit changes

System maintenance:
  fix        Check WORLD against the system and ensure consistency
  update     Update repository indexes
  upgrade    Install upgrades available from repositories
  cache      Commands related to the management of an offline package cache

Querying package information:
  info       Give detailed information about packages or repositories
  list       List packages matching a pattern or other criteria
  dot        Generate graphviz graphs
  policy     Show repository policy for packages

Repository maintenance:
  index      Create repository index file from packages
  fetch      Download packages from global repositories to a local directory
  manifest   Show checksums of package contents
  verify     Verify package integrity and signature

Miscellaneous:
  audit      Audit directories for changes
  stats      Show statistics about repositories and installations
  version    Compare package versions or perform tests on version strings

This apk has coffee making abilities.
--

And applet specific help like:
--
usage: apk add [<OPTIONS>...] PACKAGES...

Description:
  apk add adds the requested packages to WORLD and installs (or upgrades)
  them if not already present, ensuring all dependencies are met.

Options:
  --initdb         Initialize a new package database
  -l, --latest     Disables normal heuristics for choosing which repository to install a
  -u, --upgrade    When adding packages which are already installed, upgrade them rather
  -t, --virtual NAME
                   Instead of adding the specified packages to WORLD, create a new
  --no-chown       Do not change file owner or group
--
2020-05-06 13:05:19 +03:00
Timo Teräs d6c54f9320 libfetch: fix no_proxy domain name comparison
Fix comparing of the hostname portion that matches exactly.
The no_proxy matching is pretty rudimentary though and probably
could go through a bit of additional rework.

Fixes #10681
2020-04-01 11:08:43 +03:00
Timo Teräs eae92bbacf libfetch: fixups to packetization socket option setting
- split the code to a helper function
- do not set sockets to corked state when putting back to
  cache so socket state is always deterministic
- cork/uncork also when sending CONNECT to a proxy, this
  can reduce a little bit the latency how fast the packet
  gets sent out
- also pair corking with uncorking in http_request to make
  it more obvious pairing
2020-03-25 08:50:44 +02:00
Alexander Wauck 09dbe46a76 libfetch: minor HTTP handling improvement
The recent TCP_CORK change missed this bit of code.  This change
should improve performance a bit when making HTTP requests by calling
http_cmd only once instead of three times.
2020-03-25 08:33:37 +02:00
Timo Teräs 271047cc93 libfetch: support TCP_CORK
Unfortunately libfetch operates on raw sockets and is sending
each HTTP request line using separate syscall which causes the
HTTP request to be sent as multiple packets over the wire in most
configurations. This is not good for performance, but can also
cause subtle breakage if there's DPI firewall that does not get
the Host header.

Incidentally, it seems that on BSDs libfetch already sets
TCP_NOPUSH to optimize the packetization. This commit adds same
logic for using TCP_CORK if available. When using TCP_CORK
there is no requirement to set TCP_NODELAY as uncorking will
also cause immediate send. Keep TCP_NODELAY in the fallback
codepaths.

Long term, it might make sense to replace or rewrite libfetch
to use application level buffering.
2020-02-18 15:36:01 +02:00
Timo Teräs 44daf80873 fix strncpy bounds errors
error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]

Based on patch by Elan Ruusamäe <glen@delfi.ee>
2019-02-13 16:05:27 +02:00
Timo Teräs e4f54cfe66 libfetch: do not give out user/hostname as ftp anonymous password
This is unwanted information disclosure.

Reported-by: Max Justicz <max@justi.cz>
2018-09-05 10:32:00 +03:00
A. Wilcox 36f5cf8e4b libfetch: support OpenSSL
TLS_client_method is a LibreSSL extension.
SSLv23_client_method is generic, and doesn't mean SSL v2/v3 only.
2018-01-31 20:04:46 +00:00
Timo Teräs f90af35e9c libfetch: add option to set "Cache-Control: no-cache"
ref #8161
2018-01-03 14:25:07 +02:00
Timo Teräs 99e7bb93df libfetch: honor https_proxy variable for https
fixes #8160
2018-01-03 10:43:31 +02:00
Timo Teräs 0d814ba35b libfetch: fix certificate host name check
OpenSSL allows passing zero-length to indicate "use strlen".
LibreSSL requires using the real length always, so pass the length.
2017-10-06 18:09:37 +03:00
Timo Teräs eb8f44d629 libfetch: improve openssl/libressl compatibility
X509_check_host() is introduced in libressl-2.5.0 and openssl-1.0.2
which are not yet universally available. Add support for building
against the older versions.
2017-10-06 13:25:27 +03:00
Timo Teräs 52fd85a8dc libfetch: improve ssl connections
loosely based on the freebsd implementation, implement https
connection settings to override CA, and use client certificate.

new files supported in /etc/apk/:
  ca.pem   - if exists, it contains CAs acceptable for https
             (otherwise system wide CAs are used)
  crl.pem  - if ca.pem is used, this is the (optional) CRL for it
  cert.pem - used as client authentication certificate (+ key)
  cert.key - used as client key (can be also inside cert.pem)
2017-10-05 16:59:14 +03:00
Timo Teräs 531fea4c90 libfetch: remove unwanted code conditionals 2017-10-05 16:59:14 +03:00
Timo Teräs f6860e0e11 libfetch: fix ssl context leak
from freebsd
2017-10-05 16:59:14 +03:00
Timo Teräs 86436fce2f build and use bundled libfetch natively 2017-10-05 16:59:14 +03:00
Timo Teräs 9dc6278c7b import libfetch-2.38 from NetBSD
ftp://ftp.fu-berlin.de/unix/NetBSD/packages/current-src/pkgsrc/net/libfetch/files

libfetch comes (at least) in netbsd and freebsd flavors with
differing functionality. Alpine and Arch package netbsd one,
but it's not widely packaged across other distributions.

We need NetBSD version as it does not use funopen(3) which is not
supported in musl, and supports connection pooling.

FreeBSD seems to be the original and better maintained version
with support for SSL CAs, client certificate authentication,
proxy authentication, and improved http redirect handling.

So this imports NetBSD version, and future commits will pick up
the needed improvements from FreeBSD tree.

Incidentally, this also fixes #7857 and likes for good.
2017-10-05 16:58:09 +03:00