NetBSD Problem Report #58656

From www@netbsd.org  Thu Aug 29 22:18:16 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 298E41A923F
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 29 Aug 2024 22:18:16 +0000 (UTC)
Message-Id: <20240829221815.1FDDF1A9241@mollari.NetBSD.org>
Date: Thu, 29 Aug 2024 22:18:15 +0000 (UTC)
From: rvp@SDF.ORG
Reply-To: rvp@SDF.ORG
To: gnats-bugs@NetBSD.org
Subject: libfetch: multiple issues with SSL+CONNECT
X-Send-Pr-Version: www-1.0

>Number:         58656
>Category:       lib
>Synopsis:       libfetch: multiple issues with SSL+CONNECT
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    lib-bug-people
>State:          feedback
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 29 22:20:01 +0000 2024
>Closed-Date:    
>Last-Modified:  Tue Oct 08 22:06:25 +0000 2024
>Originator:     RVP
>Release:        NetBSD/amd64 10.99.12
>Organization:
>Environment:
NetBSD/amd64 10.99.12
>Description:
1. Fetching files via a proxy doesn't work for HTTPS when the proxy
   server (here, `polipo`) doesn't add any HTTP headers (as
   reqd. by the RFCs):

```
$ echo $http_proxy
http://localhost:8118/

$ time -p pkgin pc libfetch
00B88063247F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:/usr/src/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_s3.c:322:
pkg_info: can't find package `https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/x86_64/10.0/All/libfetch-2.40.tgz', skipped
real 61.60
user 0.05
sys 0.08

$ no_proxy=\* time -p pkgin pc libfetch
Information for https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/x86_64/10.0/All/libfetch-2.40.tgz:
Files:
/usr/pkg/include/fetch.h
/usr/pkg/lib/libfetch.a
/usr/pkg/man/man3/fetch.3
real         0.29
user         0.07
sys          0.08

$
```

This is caused by an extra read in the NetBSD version of libfetch for
headers which never arrive. The FreeBSD library removes trailing blanks,
then checks for a 0-length HTTP header before going to read a new line.

2. Even if you fix 1), Proxy-authentication isn't done for HTTPS URLs:

```
$ cat /tmp/fetchstat.c
#include <err.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <fetch.h>

/* Stat a URL through libfetch (flag "v" = verbose) and print its size. */
int main(int argc, char* argv[]) {
        struct url_stat us;
        if (argc != 2)
                exit(EXIT_FAILURE);
        if (fetchStatURL(argv[1], &us, "v") != 0)
                err(1, "fetchStat(%s) failed", argv[1]);
        /* us.size is an off_t; cast to intmax_t for a portable format. */
        printf("%jd bytes\n", (intmax_t)us.size);
        return 0;
}

$ cc -o /tmp/f /tmp/fetchstat.c -L/tmp/fetch/lib -lfetch -lssl

$ HTTP_PROXY_AUTH='basic:*:rvp:not_very_secret' /tmp/f https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/x86_64/10.0/All/libfetch-2.40.tgz
looking up localhost
connecting to localhost:8118
f: fetchStat(https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/x86_64/10.0/All/libfetch-2.40.tgz) failed: Undefined error: 0

$
```

Send Basic auth for proxy+SSL also.

3. Wrong test when reading HTTP headers in libfetch/http.c:http_connect():

```
			}
		} while (h < hdr_end);
	}
```

Surely that should be `while (h > hdr_end)` to discard headers (if any)
from the proxy server?
>How-To-Repeat:
As shown above.
>Fix:
Note this is for the libfetch in base.

---START patch---
diff -urN fetch.orig/dist/libfetch/http.c fetch/dist/libfetch/http.c
--- fetch.orig/dist/libfetch/http.c	2024-02-03 01:51:49.796872219 +0000
+++ fetch/dist/libfetch/http.c	2024-08-29 00:31:49.955206679 +0000
@@ -771,16 +771,20 @@
 				URL->host, URL->port);
 		http_cmd(conn, "Host: %s:%d\r\n",
 				URL->host, URL->port);
+		/* proxy authorization */
+		if (purl) {
+			if (*purl->user || *purl->pwd)
+				http_basic_auth(conn, "Proxy-Authorization",
+				    purl->user, purl->pwd);
+			else if ((p = getenv("HTTP_PROXY_AUTH")) != NULL && *p != '\0')
+				http_authorize(conn, "Proxy-Authorization", p);
+		}
 		http_cmd(conn, "\r\n");
 		if (http_get_reply(conn) != HTTP_OK) {
 			http_seterr(conn->err);
 			goto ouch;
 		}
-		/* Read and discard the rest of the proxy response */
-		if (fetch_getln(conn) < 0) {
-			fetch_syserr();
-			goto ouch;
-		}
+		/* Read and discard the rest of the proxy response (if any) */
 		do {
 			switch ((h = http_next_header(conn, &p))) {
 			case hdr_syserror:
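Review bot: the proxy-authorization block added before the final `http_cmd(conn, "\r\n")` is the same credential logic the non-HTTPS path already uses (the description's "also"); factoring the two copies into one helper would keep the precedence rule (URL-embedded `purl->user`/`purl->pwd` win over `HTTP_PROXY_AUTH`) from drifting between CONNECT and plain requests. The `p` assigned from `getenv()` here is the same variable later passed as `&p` to `http_next_header()`, which is fine only because nothing reads `p` in between; a short comment would make that reuse deliberate. Dropping the unconditional `fetch_getln()` is the right fix for item 1 of the description, since a proxy that sends no headers leaves nothing for that read to consume; the replacement comment should also say that the blank line is now consumed by the `hdr_end` return of the loop that follows.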
@@ -792,7 +796,7 @@
 			default:
 				/* ignore */ ;
 			}
-		} while (h < hdr_end);
+		} while (h > hdr_end);
 	}
 	if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 &&
 	    fetch_ssl(conn, URL, verbose) == -1) {
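Review bot: `while (h > hdr_end)` is correct only because of how `hdr_t` orders its values (error codes below `hdr_end`, real header kinds above it), and `h != hdr_end` would not be a safe alternative because it would spin on the error codes; a one-line comment on the loop stating that ordering would spare the next reader the puzzle the submitter ran into. Since an error return now also ends the loop, the `switch` above must bail out on both `hdr_syserror` and `hdr_error` (only the first case is visible in the previous hunk) rather than letting either reach `default: /* ignore */`, otherwise a failed header read would silently fall through to `fetch_ssl()` and the TLS handshake would start on a half-read proxy reply.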
---END patch---

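The header-draining loop behind items 1 and 3 of the description, as an added example that is not part of this report or of libfetch: it models the old and the patched logic against a constructed bare proxy reply (the kind polipo sends) and one carrying headers. The hdr_t values, next_header() and the fixed flag are assumptions modelled on the loop in http_connect().

```c
/* Added example, not libfetch code: drains the header lines a proxy sends
 * after CONNECT.  hdr_t, next_header() and `fixed` are assumptions. */
#include <string.h>

/* Errors sort below hdr_end, real headers above it, so looping
 * "while (h > hdr_end)" stops on the blank line and on either error. */
typedef enum { hdr_syserror = -2, hdr_error = -1, hdr_end = 0,
               hdr_unknown = 1 } hdr_t;
/* Constructed proxy replies: bare (as polipo sends) and with two headers. */
static const char kNoHdr[]  = "HTTP/1.0 200 Connection established\r\n\r\n";
static const char kTwoHdr[] = "HTTP/1.1 200 OK\r\nProxy-Agent: t\r\nVia: 1.1 p\r\n\r\n";

/* Stands in for the socket; reading past the end models a read() that blocks. */
struct stream { const char *data; size_t len, pos; };
/* Read one line, stripping CR and trailing blanks; -1 when exhausted. */
static int getln(struct stream *s, char *buf, size_t bufsz) {
    size_t n = 0;
    if (s->pos >= s->len) return -1;
    while (s->pos < s->len && n + 1 < bufsz) {
        char c = s->data[s->pos++];
        if (c == '\n') break;
        buf[n++] = c;
    }
    while (n > 0 && strchr("\r \t", buf[n - 1]) != NULL) n--;
    buf[n] = '\0';
    return 0;
}

static hdr_t next_header(struct stream *s) {
    char line[256];
    if (getln(s, line, sizeof line) < 0) return hdr_syserror;
    return line[0] == '\0' ? hdr_end : hdr_unknown;
}

/* Returns header lines discarded; -1 if the client would block on a line the
 * proxy never sends; -2 if it stopped early, leaving bytes the TLS handshake
 * would then read as garbage.  fixed=0 is the old logic, fixed=1 the patch. */
int discard_proxy_headers(const char *resp, int fixed) {
    struct stream s = { resp, strlen(resp), 0 };
    char line[256];
    hdr_t h; int n = 0;
    if (getln(&s, line, sizeof line) < 0) return -1;           /* status line */
    if (!fixed && getln(&s, line, sizeof line) < 0) return -1; /* old extra read */
    do {
        h = next_header(&s);
        if (h < hdr_end) return -1;  /* libfetch: goto ouch */
        if (h > hdr_end) n++;
    } while (fixed ? h > hdr_end : h < hdr_end);
    return s.pos == s.len ? n : -2;
}
```

With the bare reply the old logic blocks on a line that never comes (the 61 s timeout in the transcript), and with two headers it exits after one and leaves the rest in the stream.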
>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58656 CVS commit: src/external/bsd/fetch/dist/libfetch
Date: Sun, 1 Sep 2024 11:07:31 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Sun Sep  1 15:07:31 UTC 2024

 Modified Files:
 	src/external/bsd/fetch/dist/libfetch: http.c

 Log Message:
 PR/58656: RVP: Fix proxy authentication for https and when proxy does not
 add any extra headers.


 To generate a diff of this commit:
 cvs rdiff -u -r1.5 -r1.6 src/external/bsd/fetch/dist/libfetch/http.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Tue, 08 Oct 2024 22:06:25 +0000
State-Changed-Why:
Fixed in HEAD?  Does this need pullups?


>Unformatted:
