net/stunnel/patches/106-stunnel-xforwardedfor.patch

   1 --- a/doc/stunnel.8
   2 +++ b/doc/stunnel.8
   3 @@ -504,7 +504,10 @@ time to keep an idle connection
   4  .IP "\fBtransparent\fR = yes | no (Unix only)" 4
   5  .IX Item "transparent = yes | no (Unix only)"
   6  transparent proxy mode
   7 -.Sp
   8 +.IP "\fBxforwardedfor\fR = yes | no" 4
   9 +.IX Item "xforwardedfor = yes | no"
  10 +append an 'X-Forwarded-For:' HTTP request header providing the
  11 +client's IP address to the server.
  12  Re-write address to appear as if wrapped daemon is connecting
  13  from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
  14  .Sp
  15 --- a/doc/stunnel.fr.8
  16 +++ b/doc/stunnel.fr.8
  17 @@ -445,6 +445,10 @@ Cette option permet de relier une adress
  18  Négocie avec \s-1SSL\s0 selon le protocole indiqué
  19  .Sp
  20  Actuellement gérés\ : cifs, nntp, pop3, smtp
  21 +.IP "\fBxforwardedfor\fR = yes | no" 4
  22 +.IX Item "xforwardedfor = yes | no"
  23 +Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant
  24 +au serveur l'adresse IP du client.
  25  .IP "\fBpty\fR = yes | no (Unix seulement)" 4
  26  .IX Item "pty = yes | no (Unix seulement)"
  27  Alloue un pseudo-terminal pour l'option «\ exec\ »
  28 --- a/src/client.c
  29 +++ b/src/client.c
  30 @@ -86,6 +86,12 @@ CLI *alloc_client_session(SERVICE_OPTION
  31          return NULL;
  32      }
  33      c->opt=opt;
  34 +    /* some options need space to add some information */
  35 +    if (c->opt->option.xforwardedfor)
  36 +        c->buffsize = BUFFSIZE - BUFF_RESERVED;
  37 +    else
  38 +        c->buffsize = BUFFSIZE;
  39 +    c->crlf_seen=0;
  40      c->local_rfd.fd=rfd;
  41      c->local_wfd.fd=wfd;
  42      return c;
  43 @@ -376,6 +382,29 @@ static void init_ssl(CLI *c) {
  44      }
  45  }
  46
  47 +/* Moves all data from the buffer <buffer> between positions <start> and <stop>
  48 + * to insert <string> of length <len>. <start> and <stop> are updated to their
  49 + * new respective values, and the number of characters inserted is returned.
  50 + * If <len> is too long, nothing is done and -1 is returned.
  51 + * Note that neither <string> nor <buffer> can be NULL.
  52 +*/
  53 +static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) {
  54 +    if (len > limit - *stop)
  55 +       return -1;
  56 +    if (*start > *stop)
  57 +       return -1;
  58 +    memmove(buffer + *start + len, buffer + *start, *stop - *start);
  59 +    memcpy(buffer + *start, string, len);
  60 +    *start += len;
  61 +    *stop += len;
  62 +    return len;
  63 +}
  64 +
  65 +static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) {
  66 +    return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string));
  67 +}
  68 +
  69 +
  70  /****************************** some defines for transfer() */
  71  /* is socket/SSL open for read/write? */
  72  #define sock_rd (c->sock_rfd->rd)
  73 @@ -410,13 +439,16 @@ static void transfer(CLI *c) {
  74          check_SSL_pending=0;
  75
  76          SSL_read_wants_read=
  77 -            ssl_rd && c->ssl_ptr<BUFFSIZE && !SSL_read_wants_write;
  78 +            //ssl_rd && c->ssl_ptr<BUFFSIZE && !SSL_read_wants_write;
  79 +            ssl_rd && c->ssl_ptr<c->buffsize && !SSL_read_wants_write;
  80 +
  81          SSL_write_wants_write=
  82              ssl_wr && c->sock_ptr && !SSL_write_wants_read;
  83
  84          /****************************** setup c->fds structure */
  85          s_poll_init(&c->fds); /* initialize the structure */
  86 -        if(sock_rd && c->sock_ptr<BUFFSIZE)
  87 +        //if(sock_rd && c->sock_ptr<BUFFSIZE)
  88 +        if(sock_rd && c->sock_ptr<c->buffsize)
  89              s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0);
  90          if(SSL_read_wants_read ||
  91                  SSL_write_wants_read ||
  92 @@ -515,7 +547,8 @@ static void transfer(CLI *c) {
  93                  break;
  94              default:
  95                  memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num);
  96 -                if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
  97 +                //if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
  98 +                if(c->ssl_ptr>=c->buffsize) /* buffer was previously full */
  99                      check_SSL_pending=1; /* check for data buffered by SSL */
 100                  c->ssl_ptr-=num;
 101                  c->sock_bytes+=num;
 102 @@ -577,7 +610,8 @@ static void transfer(CLI *c) {
 103          /****************************** read from socket */
 104          if(sock_rd && sock_can_rd) {
 105              num=readsocket(c->sock_rfd->fd,
 106 -                c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
 107 +                //c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
 108 +                c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr);
 109              switch(num) {
 110              case -1:
 111                  parse_socket_error(c, "readsocket");
 112 @@ -597,10 +631,73 @@ static void transfer(CLI *c) {
 113                  (SSL_read_wants_write && ssl_can_wr) ||
 114                  (check_SSL_pending && SSL_pending(c->ssl))) {
 115              SSL_read_wants_write=0;
 116 -            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
 117 +            //num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
 118 +            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr);
 119              switch(err=SSL_get_error(c->ssl, num)) {
 120              case SSL_ERROR_NONE:
 121 +                //c->ssl_ptr+=num;
 122 +                if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */
 123 +                    int last = c->ssl_ptr;
 124 +                    c->ssl_ptr += num;
 125 +
 126 +                    /* Look for end of HTTP headers between last and ssl_ptr.
 127 +                     * To achieve this reliably, we have to count the number of
 128 +                     * successive [CR]LF and to memorize it in case it's spread
 129 +                     * over multiple segments. --WT.
 130 +                     */
 131 +                    while (last < c->ssl_ptr) {
 132 +                  if (c->ssl_buff[last] == '\n') {
 133 +                      if (++c->crlf_seen == 2)
 134 +                    break;
 135 +                  } else if (last < c->ssl_ptr - 1 &&
 136 +                             c->ssl_buff[last] == '\r' &&
 137 +                       c->ssl_buff[last+1] == '\n') {
 138 +                      if (++c->crlf_seen == 2)
 139 +                    break;
 140 +                      last++;
 141 +                  } else if (c->ssl_buff[last] != '\r')
 142 +                      /* don't refuse '\r' because we may get a '\n' on next read */
 143 +                      c->crlf_seen = 0;
 144 +                  last++;
 145 +                    }
 146 +                    if (c->crlf_seen >= 2) {
 147 +                  /* We have all the HTTP headers now. We don't need to
 148 +                   * reserve any space anymore. <ssl_ptr> points to the
 149 +                   * first byte of unread data, and <last> points to the
 150 +                   * exact location where we want to insert our headers,
 151 +                   * which is right before the empty line.
 152 +                   */
 153 +                  c->buffsize = BUFFSIZE;
 154 +
 155 +                  if (c->opt->option.xforwardedfor) {
 156 +                      /* X-Forwarded-For: xxxx \r\n\0 */
 157 +                      char xforw[17 + IPLEN + 3];
 158 +
 159 +                      /* We will insert our X-Forwarded-For: header here.
 160 +                       * We need to write the IP address, but if we use
 161 +                       * sprintf, it will pad with the terminating 0.
 162 +                       * So we will pass via a temporary buffer allocated
 163 +                       * on the stack.
 164 +                       */
 165 +                      memcpy(xforw, "X-Forwarded-For: ", 17);
 166 +                      if (getnameinfo(&c->peer_addr.addr[0].sa,
 167 +                          addr_len(c->peer_addr.addr[0]),
 168 +                          xforw + 17, IPLEN, NULL, 0,
 169 +                          NI_NUMERICHOST) == 0) {
 170 +                    strcat(xforw + 17, "\r\n");
 171 +                    buffer_insert(c->ssl_buff, &last, &c->ssl_ptr,
 172 +                            c->buffsize, xforw);
 173 +                      }
 174 +                      /* last still points to the \r\n and ssl_ptr to the
 175 +                       * end of the buffer, so we may add as many headers
 176 +                       * as wee need to.
 177 +                       */
 178 +                  }
 179 +                    }
 180 +                }
 181 +                else
 182                  c->ssl_ptr+=num;
 183 +
 184                  watchdog=0; /* reset watchdog */
 185                  break;
 186              case SSL_ERROR_WANT_WRITE:
 187 --- a/src/common.h
 188 +++ b/src/common.h
 189 @@ -53,6 +53,9 @@
 190  /* I/O buffer size */
 191  #define BUFFSIZE 16384
 192
 193 +/* maximum space reserved for header insertion in BUFFSIZE */
 194 +#define BUFF_RESERVED  1024
 195 +
 196  /* length of strings (including the terminating '\0' character) */
 197  /* it can't be lower than 256 bytes or NTLM authentication will break */
 198  #define STRLEN 256
 199 --- a/src/options.c
 200 +++ b/src/options.c
 201 @@ -792,6 +792,28 @@ static char *parse_service_option(CMD cm
 202      }
 203  #endif
 204
 205 +    /* xforwardedfor */
 206 +    switch(cmd) {
 207 +    case CMD_INIT:
 208 +        section->option.xforwardedfor=0;
 209 +        break;
 210 +    case CMD_EXEC:
 211 +        if(strcasecmp(opt, "xforwardedfor"))
 212 +            break;
 213 +        if(!strcasecmp(arg, "yes"))
 214 +            section->option.xforwardedfor=1;
 215 +        else if(!strcasecmp(arg, "no"))
 216 +            section->option.xforwardedfor=0;
 217 +        else
 218 +            return "argument should be either 'yes' or 'no'";
 219 +        return NULL; /* OK */
 220 +    case CMD_DEFAULT:
 221 +        break;
 222 +    case CMD_HELP:
 223 +        s_log("%-15s = yes|no append an HTTP X-Forwarded-For header","xforwardedfor");
 224 +        break;
 225 +    }
 226 +
 227      /* exec */
 228      switch(cmd) {
 229      case CMD_INIT:
 230 --- a/src/prototypes.h
 231 +++ b/src/prototypes.h
 232 @@ -177,6 +177,7 @@ typedef struct service_options_struct {
 233          unsigned int remote:1;
 234          unsigned int retry:1; /* loop remote+program */
 235          unsigned int sessiond:1;
 236 +        unsigned int xforwardedfor:1;
 237          unsigned int program:1;
 238  #ifndef USE_WIN32
 239          unsigned int pty:1;
 240 @@ -351,6 +352,8 @@ typedef struct {
 241      FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
 242      int sock_bytes, ssl_bytes; /* bytes written to socket and ssl */
 243      s_poll_set fds; /* file descriptors */
 244 +    int buffsize;  /* current buffer size, may be lower than BUFFSIZE */
 245 +    int crlf_seen; /* the number of successive CRLF seen */
 246  } CLI;
 247
 248  extern int max_fds, max_clients;