putty/proxy/http.c

/*
 * HTTP CONNECT proxy negotiation.
 */

#include "putty.h"
#include "network.h"
#include "proxy.h"
#include "sshcr.h"

static bool read_line(bufchain *input, strbuf *output, bool is_header)
{
    char c;

    while (bufchain_try_fetch(input, &c, 1)) {
        if (is_header && output->len > 0 &&
            output->s[output->len - 1] == '\n') {
            /*
             * A newline terminates the header, provided we're sure it
             * is _not_ followed by a space or a tab.
             */
            if (c != ' ' && c != '\t')
                goto done;  /* we have a complete header line */
        } else {
            put_byte(output, c);
            bufchain_consume(input, 1);

            if (!is_header && output->len > 0 &&
                output->s[output->len - 1] == '\n') {
                /* If we're looking for just a line, not an HTTP
                 * header, then any newline terminates it. */
                goto done;
            }
        }
    }

    return false;

  done:
    strbuf_chomp(output, '\n');
    strbuf_chomp(output, '\r');
    return true;
}

/* Types of HTTP authentication, in preference order. */
typedef enum HttpAuthType {
    AUTH_ERROR, /* if an HttpAuthDetails was never satisfactorily filled in */
    AUTH_NONE,  /* if no auth header is seen, assume no auth required */
    AUTH_BASIC, /* username + password sent in clear (only keyless base64) */
    AUTH_DIGEST, /* cryptographic hash, most preferred if available */
} HttpAuthType;

typedef struct HttpAuthDetails {
    HttpAuthType auth_type;
    bool digest_nonce_was_stale;
    HttpDigestHash digest_hash;
    strbuf *realm, *nonce, *opaque, *error;
    bool got_opaque;
    bool hash_username;
} HttpAuthDetails;

typedef struct HttpProxyNegotiator {
    int crLine;
    strbuf *response, *header, *token;
    int http_status_pos;
    size_t header_pos;
    strbuf *username, *password;
    int http_status;
    bool connection_close;
    HttpAuthDetails *next_auth;
    bool try_auth_from_conf;
    strbuf *uri;
    uint32_t nonce_count;
    prompts_t *prompts;
    int username_prompt_index, password_prompt_index;
    size_t content_length, chunk_length;
    bool chunked_transfer;
    ProxyNegotiator pn;
} HttpProxyNegotiator;

static inline HttpAuthDetails *auth_error(HttpAuthDetails *d,
                                          const char *fmt, ...)
{
    d->auth_type = AUTH_ERROR;
    put_fmt(d->error, "Unable to parse auth header from HTTP proxy");
    if (fmt) {
        va_list ap;
        va_start(ap, fmt);
        put_datalit(d->error, ": ");
        put_fmtv(d->error, fmt, ap);
        va_end(ap);
    }
    return d;
}

static HttpAuthDetails *http_auth_details_new(void)
{
    HttpAuthDetails *d = snew(HttpAuthDetails);
    memset(d, 0, sizeof(*d));
    d->realm = strbuf_new();
    d->nonce = strbuf_new();
    d->opaque = strbuf_new();
    d->error = strbuf_new();
    return d;
}

static void http_auth_details_free(HttpAuthDetails *d)
{
    strbuf_free(d->realm);
    strbuf_free(d->nonce);
    strbuf_free(d->opaque);
    strbuf_free(d->error);
    sfree(d);
}

static ProxyNegotiator *proxy_http_new(const ProxyNegotiatorVT *vt)
{
    HttpProxyNegotiator *s = snew(HttpProxyNegotiator);
    memset(s, 0, sizeof(*s));
    s->pn.vt = vt;
    s->response = strbuf_new();
    s->header = strbuf_new();
    s->token = strbuf_new();
    s->username = strbuf_new();
    s->password = strbuf_new_nm();
    s->uri = strbuf_new();
    s->nonce_count = 0;
    /*
     * Always start with a CONNECT request containing no auth. If the
     * proxy rejects that, it will tell us what kind of auth it would
     * prefer.
     */
    s->next_auth = http_auth_details_new();
    s->next_auth->auth_type = AUTH_NONE;
    return &s->pn;
}

static void proxy_http_free(ProxyNegotiator *pn)
{
    HttpProxyNegotiator *s = container_of(pn, HttpProxyNegotiator, pn);
    strbuf_free(s->response);
    strbuf_free(s->header);
    strbuf_free(s->token);
    strbuf_free(s->username);
    strbuf_free(s->password);
    strbuf_free(s->uri);
    http_auth_details_free(s->next_auth);
    if (s->prompts)
        free_prompts(s->prompts);
    sfree(s);
}

#define HTTP_HEADER_LIST(X) \
    X(HDR_CONNECTION, "Connection") \
    X(HDR_CONTENT_LENGTH, "Content-Length") \
    X(HDR_TRANSFER_ENCODING, "Transfer-Encoding") \
    X(HDR_PROXY_AUTHENTICATE, "Proxy-Authenticate") \
    X(HDR_PROXY_CONNECTION, "Proxy-Connection") \
    /* end of list */

typedef enum HttpHeader {
    #define ENUM_DEF(id, string) id,
    HTTP_HEADER_LIST(ENUM_DEF)
    #undef ENUM_DEF
    HDR_UNKNOWN
} HttpHeader;

static inline bool is_whitespace(char c)
{
    return (c == ' ' || c == '\t' || c == '\n');
}

static inline bool is_separator(char c)
{
    return (c == '(' || c == ')' || c == '<' || c == '>' || c == '@' ||
            c == ',' || c == ';' || c == ':' || c == '\\' || c == '"' ||
            c == '/' || c == '[' || c == ']' || c == '?' || c == '=' ||
            c == '{' || c == '}');
}

#define HTTP_SEPARATORS

static bool get_end_of_header(HttpProxyNegotiator *s)
{
    size_t pos = s->header_pos;

    while (pos < s->header->len && is_whitespace(s->header->s[pos]))
        pos++;

    if (pos == s->header->len) {
        s->header_pos = pos;
        return true;
    }

    return false;
}

static bool get_token(HttpProxyNegotiator *s)
{
    size_t pos = s->header_pos;

    while (pos < s->header->len && is_whitespace(s->header->s[pos]))
        pos++;

    if (pos == s->header->len)
        return false;                  /* end of string */

    if (is_separator(s->header->s[pos]))
        return false;

    strbuf_clear(s->token);
    while (pos < s->header->len &&
           !is_whitespace(s->header->s[pos]) &&
           !is_separator(s->header->s[pos]))
        put_byte(s->token, s->header->s[pos++]);

    s->header_pos = pos;
    return true;
}

static bool get_separator(HttpProxyNegotiator *s, char sep)
{
    size_t pos = s->header_pos;

    while (pos < s->header->len && is_whitespace(s->header->s[pos]))
        pos++;

    if (pos == s->header->len)
        return false;                  /* end of string */

    if (s->header->s[pos] != sep)
        return false;

    s->header_pos = ++pos;
    return true;
}

static bool get_quoted_string(HttpProxyNegotiator *s)
{
    size_t pos = s->header_pos;

    while (pos < s->header->len && is_whitespace(s->header->s[pos]))
        pos++;

    if (pos == s->header->len)
        return false;                  /* end of string */

    if (s->header->s[pos] != '"')
        return false;
    pos++;

    strbuf_clear(s->token);
    while (pos < s->header->len && s->header->s[pos] != '"') {
        if (s->header->s[pos] == '\\') {
            /* Backslash makes the next char literal, even if it's " or \ */
            pos++;
            if (pos == s->header->len)
                return false;          /* unexpected end of string */
        }
        put_byte(s->token, s->header->s[pos++]);
    }

    if (pos == s->header->len)
        return false;                  /* no closing quote */
    pos++;

    s->header_pos = pos;
    return true;
}

static HttpAuthDetails *parse_http_auth_header(HttpProxyNegotiator *s)
{
    HttpAuthDetails *d = http_auth_details_new();

    /* Default hash for HTTP Digest is MD5, if none specified explicitly */
    d->digest_hash = HTTP_DIGEST_MD5;

    if (!get_token(s))
        return auth_error(d, "parse error");

    if (!stricmp(s->token->s, "Basic")) {
        /* For Basic authentication, we don't need anything else. The
         * realm string is not required for the protocol. */
        d->auth_type = AUTH_BASIC;
        return d;
    }

    if (!stricmp(s->token->s, "Digest")) {
        /* Parse all the additional parts of the Digest header. */
        if (!http_digest_available)
            return auth_error(d, "Digest authentication not supported");

        /* Parse the rest of the Digest header */
        while (true) {
            if (!get_token(s))
                return auth_error(d, "parse error in Digest header");

            if (!stricmp(s->token->s, "realm")) {
                if (!get_separator(s, '=') ||
                    !get_quoted_string(s))
                    return auth_error(d, "parse error in Digest realm field");
                put_datapl(d->realm, ptrlen_from_strbuf(s->token));
            } else if (!stricmp(s->token->s, "nonce")) {
                if (!get_separator(s, '=') ||
                    !get_quoted_string(s))
                    return auth_error(d, "parse error in Digest nonce field");
                put_datapl(d->nonce, ptrlen_from_strbuf(s->token));
            } else if (!stricmp(s->token->s, "opaque")) {
                if (!get_separator(s, '=') ||
                    !get_quoted_string(s))
                    return auth_error(d, "parse error in Digest opaque field");
                put_datapl(d->opaque,
                           ptrlen_from_strbuf(s->token));
                d->got_opaque = true;
            } else if (!stricmp(s->token->s, "stale")) {
                if (!get_separator(s, '=') ||
                    !get_token(s))
                    return auth_error(d, "parse error in Digest stale field");
                d->digest_nonce_was_stale = !stricmp(
                    s->token->s, "true");
            } else if (!stricmp(s->token->s, "userhash")) {
                if (!get_separator(s, '=') ||
                    !get_token(s))
                    return auth_error(d, "parse error in Digest userhash "
                                      "field");
                d->hash_username = !stricmp(s->token->s, "true");
            } else if (!stricmp(s->token->s, "algorithm")) {
                if (!get_separator(s, '=') ||
                    (!get_token(s) && !get_quoted_string(s)))
                    return auth_error(d, "parse error in Digest algorithm "
                                      "field");
                bool found = false;
                size_t i;

                for (i = 0; i < N_HTTP_DIGEST_HASHES; i++) {
                    if (!stricmp(s->token->s, httphashnames[i])) {
                        found = true;
                        break;
                    }
                }

                if (!found) {
                    /* We don't even recognise the name */
                    return auth_error(d, "Digest hash algorithm '%s' not "
                                      "recognised", s->token->s);
                }

                if (!httphashaccepted[i]) {
                    /* We do recognise the name but we
                     * don't like it (see comment in cproxy.h) */
                    return auth_error(d, "Digest hash algorithm '%s' not "
                                      "supported", s->token->s);
                }

                d->digest_hash = i;
            } else if (!stricmp(s->token->s, "qop")) {
                if (!get_separator(s, '=') ||
                    !get_quoted_string(s))
                    return auth_error(d, "parse error in Digest qop field");
                if (stricmp(s->token->s, "auth"))
                    return auth_error(d, "quality-of-protection type '%s' not "
                                      "supported", s->token->s);
            } else {
                /* Ignore any other auth-param */
                if (!get_separator(s, '=') ||
                    (!get_quoted_string(s) && !get_token(s)))
                    return auth_error(d, "parse error in Digest header");
            }

            if (get_end_of_header(s))
                break;
            if (!get_separator(s, ','))
                return auth_error(d, "parse error in Digest header");
        }
        d->auth_type = AUTH_DIGEST;
        return d;
    }

    return auth_error(d, "authentication type '%s' not supported",
                      s->token->s);
}

static void proxy_http_process_queue(ProxyNegotiator *pn)
{
    HttpProxyNegotiator *s = container_of(pn, HttpProxyNegotiator, pn);

    crBegin(s->crLine);

    /*
     * Initialise our username and password strbufs from the Conf.
     */
    put_dataz(s->username, conf_get_str(pn->ps->conf, CONF_proxy_username));
    put_dataz(s->password, conf_get_str(pn->ps->conf, CONF_proxy_password));
    if (s->username->len || s->password->len)
        s->try_auth_from_conf = true;

    /*
     * Set up the host:port string we're trying to connect to, also
     * used as the URI string in HTTP Digest auth.
     */
    {
        char dest[512];
        sk_getaddr(pn->ps->remote_addr, dest, lenof(dest));
        put_fmt(s->uri, "%s:%d", dest, pn->ps->remote_port);
    }

    while (true) {
        /*
         * Standard prefix for the HTTP CONNECT request.
         */
        put_fmt(pn->output,
                "CONNECT %s HTTP/1.1\r\n"
                "Host: %s\r\n", s->uri->s, s->uri->s);

        /*
         * Add an auth header, if we're planning to this time round.
         */
        if (s->next_auth->auth_type == AUTH_BASIC) {
            put_datalit(pn->output, "Proxy-Authorization: Basic ");

            strbuf *base64_input = strbuf_new_nm();
            put_datapl(base64_input, ptrlen_from_strbuf(s->username));
            put_byte(base64_input, ':');
            put_datapl(base64_input, ptrlen_from_strbuf(s->password));

            char base64_output[4];
            for (size_t i = 0, e = base64_input->len; i < e; i += 3) {
                base64_encode_atom(base64_input->u + i,
                                   e-i > 3 ? 3 : e-i, base64_output);
                put_data(pn->output, base64_output, 4);
            }
            strbuf_free(base64_input);
            smemclr(base64_output, sizeof(base64_output));
            put_datalit(pn->output, "\r\n");
        } else if (s->next_auth->auth_type == AUTH_DIGEST) {
            put_datalit(pn->output, "Proxy-Authorization: Digest ");

            /* If we have a fresh nonce, reset the
             * nonce count. Otherwise, keep incrementing it. */
            if (!ptrlen_eq_ptrlen(ptrlen_from_strbuf(s->token),
                                  ptrlen_from_strbuf(s->next_auth->nonce)))
                s->nonce_count = 0;

            http_digest_response(BinarySink_UPCAST(pn->output),
                                 ptrlen_from_strbuf(s->username),
                                 ptrlen_from_strbuf(s->password),
                                 ptrlen_from_strbuf(s->next_auth->realm),
                                 PTRLEN_LITERAL("CONNECT"),
                                 ptrlen_from_strbuf(s->uri),
                                 PTRLEN_LITERAL("auth"),
                                 ptrlen_from_strbuf(s->next_auth->nonce),
                                 (s->next_auth->got_opaque ?
                                  ptrlen_from_strbuf(s->next_auth->opaque) :
                                  make_ptrlen(NULL, 0)),
                                 ++s->nonce_count, s->next_auth->digest_hash,
                                 s->next_auth->hash_username);
            put_datalit(pn->output, "\r\n");
        }

        /*
         * Blank line to terminate the HTTP request.
         */
        put_datalit(pn->output, "\r\n");
        crReturnV;

        s->content_length = 0;
        s->chunked_transfer = false;
        s->connection_close = false;

        /*
         * Read and parse the HTTP status line, and check if it's a 2xx
         * for success.
         */
        strbuf_clear(s->response);
        crMaybeWaitUntilV(read_line(pn->input, s->response, false));
        {
            int maj_ver, min_ver, n_scanned;
            n_scanned = sscanf(
                s->response->s, "HTTP/%d.%d %n%d",
                &maj_ver, &min_ver, &s->http_status_pos, &s->http_status);

            if (n_scanned < 3) {
                pn->error = dupstr("HTTP response was absent or malformed");
                crStopV;
            }

            if (maj_ver < 1 || (maj_ver == 1 && min_ver < 1)) {
                /* Before HTTP/1.1, connections close by default */
                s->connection_close = true;
            }
        }

        if (s->http_status == 407) {
            /*
             * If this is going to be an auth request, we expect to
             * see at least one Proxy-Authorization header offering us
             * auth options. Start by preloading s->next_auth with a
             * fallback error message, which will be used if nothing
             * better is available.
             */
            http_auth_details_free(s->next_auth);
            s->next_auth = http_auth_details_new();
            auth_error(s->next_auth, "no Proxy-Authorization header seen in "
                       "HTTP 407 Proxy Authentication Required response");
        }

        /*
         * Read the HTTP response header section.
         */
        do {
            strbuf_clear(s->header);
            crMaybeWaitUntilV(read_line(pn->input, s->header, true));
            s->header_pos = 0;

            if (!get_token(s)) {
                /* Possibly we ought to panic if we see an HTTP header
                 * we can't make any sense of at all? But whatever,
                 * ignore it and hope the next one makes more sense */
                continue;
            }

            /* Parse the header name */
            HttpHeader hdr = HDR_UNKNOWN;
            {
                #define CHECK_HEADER(id, string) \
                    if (!stricmp(s->token->s, string)) hdr = id;
                HTTP_HEADER_LIST(CHECK_HEADER);
                #undef CHECK_HEADER
            }

            if (!get_separator(s, ':'))
                continue;

            if (hdr == HDR_CONTENT_LENGTH) {
                if (!get_token(s))
                    continue;
                s->content_length = strtoumax(s->token->s, NULL, 10);
            } else if (hdr == HDR_TRANSFER_ENCODING) {
                /*
                 * The Transfer-Encoding header value should be a
                 * comma-separated list of keywords including
                 * "chunked", "deflate" and "gzip". We parse it in the
                 * most superficial way, by just looking for "chunked"
                 * and ignoring everything else.
                 *
                 * It's OK to do that because we're not actually
                 * _using_ the error document - we only have to skip
                 * over it to find the end of the HTTP response. So we
                 * don't care if it's gzipped or not.
                 */
                while (get_token(s)) {
                    if (!stricmp(s->token->s, "chunked"))
                        s->chunked_transfer = true;
                }
            } else if (hdr == HDR_CONNECTION ||
                       hdr == HDR_PROXY_CONNECTION) {
                if (!get_token(s))
                    continue;
                if (!stricmp(s->token->s, "close"))
                    s->connection_close = true;
                else if (!stricmp(s->token->s, "keep-alive"))
                    s->connection_close = false;
            } else if (hdr == HDR_PROXY_AUTHENTICATE) {
                HttpAuthDetails *auth = parse_http_auth_header(s);

                /*
                 * See if we prefer this set of auth details to the
                 * previous one we had (either from a previous auth
                 * header, or the fallback when no auth header is
                 * provided at all).
                 */
                bool change;

                if (auth->auth_type != s->next_auth->auth_type) {
                    /* Use the preference order implied by the enum */
                    change = auth->auth_type > s->next_auth->auth_type;
                } else if (auth->auth_type == AUTH_DIGEST &&
                           auth->digest_hash != s->next_auth->digest_hash) {
                    /* Choose based on the hash functions */
                    change = auth->digest_hash > s->next_auth->digest_hash;
                } else {
                    /*
                     * If in doubt, go with the later one of the
                     * headers.
                     *
                     * The main reason for this is so that an error in
                     * interpreting an auth header will supersede the
                     * default error we preload saying 'no header
                     * found', because that would be a particularly
                     * bad error to report if there _was_ one.
                     *
                     * But we're in a tie-breaking situation by now,
                     * so there's no other reason to choose - we might
                     * as well apply the same policy everywhere else
                     * too.
                     */
                    change = true;
                }

                if (change) {
                    http_auth_details_free(s->next_auth);
                    s->next_auth = auth;
                } else {
                    http_auth_details_free(auth);
                }
            }
        } while (s->header->len > 0);

        /* Read and ignore the entire response document */
        if (!s->chunked_transfer) {
            /* Simple approach: read exactly Content-Length bytes */
            crMaybeWaitUntilV(bufchain_try_consume(
                                  pn->input, s->content_length));
        } else {
            /* Chunked transfer: read a sequence of
             * <hex length>\r\n<data>\r\n chunks, terminating in one with
             * zero length */
            do {
                /*
                 * Expect a chunk length
                 */
                s->chunk_length = 0;
                while (true) {
                    char c;
                    crMaybeWaitUntilV(bufchain_try_fetch_consume(
                                          pn->input, &c, 1));
                    if (c == '\r') {
                        continue;
                    } else if (c == '\n') {
                        break;
                    } else if ('0' <= c && c <= '9') {
                        s->chunk_length = s->chunk_length*16 + (c-'0');
                    } else if ('A' <= c && c <= 'F') {
                        s->chunk_length = s->chunk_length*16 + (c-'A'+10);
                    } else if ('a' <= c && c <= 'f') {
                        s->chunk_length = s->chunk_length*16 + (c-'a'+10);
                    } else {
                        pn->error = dupprintf(
                            "Received bad character 0x%02X in chunk length "
                            "during HTTP chunked transfer encoding",
                            (unsigned)(unsigned char)c);
                        crStopV;
                    }
                }

                /*
                 * Expect that many bytes of chunked data
                 */
                crMaybeWaitUntilV(bufchain_try_consume(
                                      pn->input, s->chunk_length));

                /* Now expect \r\n */
                {
                    char buf[2];
                    crMaybeWaitUntilV(bufchain_try_fetch_consume(
                                          pn->input, buf, 2));
                    if (memcmp(buf, "\r\n", 2)) {
                        pn->error = dupprintf(
                            "Missing CRLF after chunk "
                            "during HTTP chunked transfer encoding");
                        crStopV;
                    }
                }
            } while (s->chunk_length);
        }

        if (200 <= s->http_status && s->http_status < 300) {
            /* Any 2xx HTTP response means we're done */
            goto authenticated;
        } else if (s->http_status == 407) {
            /* 407 is Proxy Authentication Required, which we may be
             * able to do something about. */
            if (s->connection_close) {
                /* If we got 407 + connection closed, reconnect before
                 * sending our next request. */
                pn->reconnect = true;
            }

            /* If the best we can do is report some kind of error from
             * a Proxy-Auth header (or an error saying there wasn't
             * one at all), and no successful parsing of an auth
             * header superseded that, then just throw that error and
             * die. */
            if (s->next_auth->auth_type == AUTH_ERROR) {
                pn->error = dupstr(s->next_auth->error->s);
                crStopV;
            }

            /* If we have auth details from the Conf and haven't tried
             * them yet, that's our first step. */
            if (s->try_auth_from_conf) {
                s->try_auth_from_conf = false;
                continue;
            }

            /* If the server sent us stale="true" in a Digest auth
             * header, that means we _don't_ need to request a new
             * password yet; just try again with the existing details
             * and the fresh nonce it sent us. */
            if (s->next_auth->digest_nonce_was_stale)
                continue;

            /* Either we never had a password in the first place, or
             * the one we already presented was rejected. We can only
             * proceed from here if we have a way to ask the user
             * questions. */
            if (!pn->itr) {
                pn->error = dupprintf("HTTP proxy requested authentication "
                                      "which we do not have");
                crStopV;
            }

            /*
             * Send some prompts to the user. We'll assume the
             * password is always required (since it's just been
             * rejected, even if we did send one before), and we'll
             * prompt for the username only if we don't have one from
             * the Conf.
             */
            s->prompts = proxy_new_prompts(pn->ps);
            s->prompts->to_server = true;
            s->prompts->from_server = false;
            s->prompts->name = dupstr("HTTP proxy authentication");
            if (!s->username->len) {
                s->username_prompt_index = s->prompts->n_prompts;
                add_prompt(s->prompts, dupstr("Proxy username: "), true);
            } else {
                s->username_prompt_index = -1;
            }

            s->password_prompt_index = s->prompts->n_prompts;
            add_prompt(s->prompts, dupstr("Proxy password: "), false);

            while (true) {
                SeatPromptResult spr = seat_get_userpass_input(
                    interactor_announce(pn->itr), s->prompts);
                if (spr.kind == SPRK_OK) {
                    break;
                } else if (spr_is_abort(spr)) {
                    proxy_spr_abort(pn, spr);
                    crStopV;
                }
                crReturnV;
            }

            if (s->username_prompt_index != -1) {
                strbuf_clear(s->username);
                put_dataz(s->username,
                          prompt_get_result_ref(
                              s->prompts->prompts[s->username_prompt_index]));
            }

            strbuf_clear(s->password);
            put_dataz(s->password,
                      prompt_get_result_ref(
                          s->prompts->prompts[s->password_prompt_index]));

            free_prompts(s->prompts);
            s->prompts = NULL;
        } else {
            /* Any other HTTP response is treated as permanent failure */
            pn->error = dupprintf("HTTP response %s",
                                  s->response->s + s->http_status_pos);
            crStopV;
        }
    }

  authenticated:
    /*
     * Success! Hand over to the main connection.
     */
    pn->done = true;

    crFinishV;
}

const struct ProxyNegotiatorVT http_proxy_negotiator_vt = {
    .new = proxy_http_new,
    .free = proxy_http_free,
    .process_queue = proxy_http_process_queue,
    .type = "HTTP",
};