]> git.saurik.com Git - apt.git/blob - methods/connect.cc
projects / apt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
block direct connections to .onion domains (RFC7687)
[apt.git] / methods / connect.cc
1 // -*- mode: cpp; mode: fold -*-
2 // Description /*{{{*/
3 // $Id: connect.cc,v 1.10.2.1 2004/01/16 18:58:50 mdz Exp $
4 /* ######################################################################
5
6 Connect - Replacement connect call
7
8 This was originally authored by Jason Gunthorpe <jgg@debian.org>
9 and is placed in the Public Domain, do with it what you will.
10
11 ##################################################################### */
12 /*}}}*/
13 // Include Files /*{{{*/
14 #include <config.h>
15
16 #include <apt-pkg/error.h>
17 #include <apt-pkg/fileutl.h>
18 #include <apt-pkg/strutl.h>
19 #include <apt-pkg/acquire-method.h>
20 #include <apt-pkg/configuration.h>
21 #include <apt-pkg/srvrec.h>
22
23 #include <stdio.h>
24 #include <errno.h>
25 #include <unistd.h>
26 #include <sstream>
27 #include <string.h>
28 #include<set>
29 #include<string>
30
31 // Internet stuff
32 #include <netinet/in.h>
33 #include <sys/socket.h>
34 #include <arpa/inet.h>
35 #include <netdb.h>
36
37 #include "connect.h"
38 #include "rfc2553emu.h"
39 #include <apti18n.h>
40 /*}}}*/
41
42 static std::string LastHost;
43 static int LastPort = 0;
44 static struct addrinfo *LastHostAddr = 0;
45 static struct addrinfo *LastUsed = 0;
46
47 static std::vector<SrvRec> SrvRecords;
48
49 // Set of IP/hostnames that we timed out before or couldn't resolve
50 static std::set<std::string> bad_addr;
51
52 // RotateDNS - Select a new server from a DNS rotation /*{{{*/
53 // ---------------------------------------------------------------------
54 /* This is called during certain errors in order to recover by selecting a
55 new server */
56 void RotateDNS()
57 {
58 if (LastUsed != 0 && LastUsed->ai_next != 0)
59 LastUsed = LastUsed->ai_next;
60 else
61 LastUsed = LastHostAddr;
62 }
63 /*}}}*/
64 static bool ConnectionAllowed(char const * const Service, std::string const &Host)/*{{{*/
65 {
66 if (APT::String::Endswith(Host, ".onion") && _config->FindB("Acquire::BlockDotOnion", true))
67 {
68 // TRANSLATOR: %s is e.g. Tor's ".onion" which would likely fail or leak info (RFC7686)
69 _error->Error(_("Direct connection to %s domains is blocked by default."), ".onion");
70 if (strcmp(Service, "http") == 0)
71 _error->Error(_("If you meant to use Tor remember to use %s instead of %s."), "tor+http", "http");
72 return false;
73 }
74 return true;
75 }
76 /*}}}*/
77 // DoConnect - Attempt a connect operation /*{{{*/
78 // ---------------------------------------------------------------------
79 /* This helper function attempts a connection to a single address. */
80 static bool DoConnect(struct addrinfo *Addr,std::string const &Host,
81 unsigned long TimeOut,int &Fd,pkgAcqMethod *Owner)
82 {
83 // Show a status indicator
84 char Name[NI_MAXHOST];
85 char Service[NI_MAXSERV];
86
87 Name[0] = 0;
88 Service[0] = 0;
89 getnameinfo(Addr->ai_addr,Addr->ai_addrlen,
90 Name,sizeof(Name),Service,sizeof(Service),
91 NI_NUMERICHOST|NI_NUMERICSERV);
92 Owner->Status(_("Connecting to %s (%s)"),Host.c_str(),Name);
93
94 // if that addr did timeout before, we do not try it again
95 if(bad_addr.find(std::string(Name)) != bad_addr.end())
96 return false;
97
98 /* If this is an IP rotation store the IP we are using.. If something goes
99 wrong this will get tacked onto the end of the error message */
100 if (LastHostAddr->ai_next != 0)
101 {
102 std::stringstream ss;
103 ioprintf(ss, _("[IP: %s %s]"),Name,Service);
104 Owner->SetIP(ss.str());
105 }
106
107 // Get a socket
108 if ((Fd = socket(Addr->ai_family,Addr->ai_socktype,
109 Addr->ai_protocol)) < 0)
110 return _error->Errno("socket",_("Could not create a socket for %s (f=%u t=%u p=%u)"),
111 Name,Addr->ai_family,Addr->ai_socktype,Addr->ai_protocol);
112
113 SetNonBlock(Fd,true);
114 if (connect(Fd,Addr->ai_addr,Addr->ai_addrlen) < 0 &&
115 errno != EINPROGRESS)
116 return _error->Errno("connect",_("Cannot initiate the connection "
117 "to %s:%s (%s)."),Host.c_str(),Service,Name);
118
119 /* This implements a timeout for connect by opening the connection
120 nonblocking */
121 if (WaitFd(Fd,true,TimeOut) == false) {
122 bad_addr.insert(bad_addr.begin(), std::string(Name));
123 Owner->SetFailReason("Timeout");
124 return _error->Error(_("Could not connect to %s:%s (%s), "
125 "connection timed out"),Host.c_str(),Service,Name);
126 }
127
128 // Check the socket for an error condition
129 unsigned int Err;
130 unsigned int Len = sizeof(Err);
131 if (getsockopt(Fd,SOL_SOCKET,SO_ERROR,&Err,&Len) != 0)
132 return _error->Errno("getsockopt",_("Failed"));
133
134 if (Err != 0)
135 {
136 errno = Err;
137 if(errno == ECONNREFUSED)
138 Owner->SetFailReason("ConnectionRefused");
139 else if (errno == ETIMEDOUT)
140 Owner->SetFailReason("ConnectionTimedOut");
141 bad_addr.insert(bad_addr.begin(), std::string(Name));
142 return _error->Errno("connect",_("Could not connect to %s:%s (%s)."),Host.c_str(),
143 Service,Name);
144 }
145
146 return true;
147 }
148 /*}}}*/
149 // Connect to a given Hostname /*{{{*/
150 static bool ConnectToHostname(std::string const &Host, int const Port,
151 const char * const Service, int DefPort, int &Fd,
152 unsigned long const TimeOut, pkgAcqMethod * const Owner)
153 {
154 if (ConnectionAllowed(Service, Host) == false)
155 return false;
156 // Convert the port name/number
157 char ServStr[300];
158 if (Port != 0)
159 snprintf(ServStr,sizeof(ServStr),"%i", Port);
160 else
161 snprintf(ServStr,sizeof(ServStr),"%s", Service);
162
163 /* We used a cached address record.. Yes this is against the spec but
164 the way we have setup our rotating dns suggests that this is more
165 sensible */
166 if (LastHost != Host || LastPort != Port)
167 {
168 Owner->Status(_("Connecting to %s"),Host.c_str());
169
170 // Free the old address structure
171 if (LastHostAddr != 0)
172 {
173 freeaddrinfo(LastHostAddr);
174 LastHostAddr = 0;
175 LastUsed = 0;
176 }
177
178 // We only understand SOCK_STREAM sockets.
179 struct addrinfo Hints;
180 memset(&Hints,0,sizeof(Hints));
181 Hints.ai_socktype = SOCK_STREAM;
182 Hints.ai_flags = 0;
183 if (_config->FindB("Acquire::Connect::IDN", true) == true)
184 Hints.ai_flags |= AI_IDN;
185 // see getaddrinfo(3): only return address if system has such a address configured
186 // useful if system is ipv4 only, to not get ipv6, but that fails if the system has
187 // no address configured: e.g. offline and trying to connect to localhost.
188 if (_config->FindB("Acquire::Connect::AddrConfig", true) == true)
189 Hints.ai_flags |= AI_ADDRCONFIG;
190 Hints.ai_protocol = 0;
191
192 if(_config->FindB("Acquire::ForceIPv4", false) == true)
193 Hints.ai_family = AF_INET;
194 else if(_config->FindB("Acquire::ForceIPv6", false) == true)
195 Hints.ai_family = AF_INET6;
196 else
197 Hints.ai_family = AF_UNSPEC;
198
199 // if we couldn't resolve the host before, we don't try now
200 if(bad_addr.find(Host) != bad_addr.end())
201 return _error->Error(_("Could not resolve '%s'"),Host.c_str());
202
203 // Resolve both the host and service simultaneously
204 while (1)
205 {
206 int Res;
207 if ((Res = getaddrinfo(Host.c_str(),ServStr,&Hints,&LastHostAddr)) != 0 ||
208 LastHostAddr == 0)
209 {
210 if (Res == EAI_NONAME || Res == EAI_SERVICE)
211 {
212 if (DefPort != 0)
213 {
214 snprintf(ServStr, sizeof(ServStr), "%i", DefPort);
215 DefPort = 0;
216 continue;
217 }
218 bad_addr.insert(bad_addr.begin(), Host);
219 Owner->SetFailReason("ResolveFailure");
220 return _error->Error(_("Could not resolve '%s'"),Host.c_str());
221 }
222
223 if (Res == EAI_AGAIN)
224 {
225 Owner->SetFailReason("TmpResolveFailure");
226 return _error->Error(_("Temporary failure resolving '%s'"),
227 Host.c_str());
228 }
229 if (Res == EAI_SYSTEM)
230 return _error->Errno("getaddrinfo", _("System error resolving '%s:%s'"),
231 Host.c_str(),ServStr);
232 return _error->Error(_("Something wicked happened resolving '%s:%s' (%i - %s)"),
233 Host.c_str(),ServStr,Res,gai_strerror(Res));
234 }
235 break;
236 }
237
238 LastHost = Host;
239 LastPort = Port;
240 }
241
242 // When we have an IP rotation stay with the last IP.
243 struct addrinfo *CurHost = LastHostAddr;
244 if (LastUsed != 0)
245 CurHost = LastUsed;
246
247 while (CurHost != 0)
248 {
249 if (DoConnect(CurHost,Host,TimeOut,Fd,Owner) == true)
250 {
251 LastUsed = CurHost;
252 return true;
253 }
254 close(Fd);
255 Fd = -1;
256
257 // Ignore UNIX domain sockets
258 do
259 {
260 CurHost = CurHost->ai_next;
261 }
262 while (CurHost != 0 && CurHost->ai_family == AF_UNIX);
263
264 /* If we reached the end of the search list then wrap around to the
265 start */
266 if (CurHost == 0 && LastUsed != 0)
267 CurHost = LastHostAddr;
268
269 // Reached the end of the search cycle
270 if (CurHost == LastUsed)
271 break;
272
273 if (CurHost != 0)
274 _error->Discard();
275 }
276
277 if (_error->PendingError() == true)
278 return false;
279 return _error->Error(_("Unable to connect to %s:%s:"),Host.c_str(),ServStr);
280 }
281 /*}}}*/
282 // Connect - Connect to a server /*{{{*/
283 // ---------------------------------------------------------------------
284 /* Performs a connection to the server (including SRV record lookup) */
285 bool Connect(std::string Host,int Port,const char *Service,
286 int DefPort,int &Fd,
287 unsigned long TimeOut,pkgAcqMethod *Owner)
288 {
289 if (_error->PendingError() == true)
290 return false;
291
292 if (ConnectionAllowed(Service, Host) == false)
293 return false;
294
295 if(LastHost != Host || LastPort != Port)
296 {
297 SrvRecords.clear();
298 if (_config->FindB("Acquire::EnableSrvRecords", true) == true)
299 GetSrvRecords(Host, DefPort, SrvRecords);
300 }
301
302 size_t stackSize = 0;
303 // try to connect in the priority order of the srv records
304 std::string initialHost{std::move(Host)};
305 while(SrvRecords.empty() == false)
306 {
307 _error->PushToStack();
308 ++stackSize;
309 // PopFromSrvRecs will also remove the server
310 Host = PopFromSrvRecs(SrvRecords).target;
311 auto const ret = ConnectToHostname(Host, Port, Service, DefPort, Fd, TimeOut, Owner);
312 if (ret)
313 {
314 while(stackSize--)
315 _error->RevertToStack();
316 return true;
317 }
318 }
319 Host = std::move(initialHost);
320
321 // we have no (good) SrvRecords for this host, connect right away
322 _error->PushToStack();
323 ++stackSize;
324 auto const ret = ConnectToHostname(Host, Port, Service, DefPort, Fd,
325 TimeOut, Owner);
326 while(stackSize--)
327 if (ret)
328 _error->RevertToStack();
329 else
330 _error->MergeWithStack();
331 return ret;
332 }
APT (for Cydia)