| /* |
| * HTTP/2 protocol processing |
| * |
| * Copyright 2017 Willy Tarreau <w@1wt.eu> |
| * Copyright (C) 2017 HAProxy Technologies |
| * |
| * Permission is hereby granted, free of charge, to any person obtaining |
| * a copy of this software and associated documentation files (the |
| * "Software"), to deal in the Software without restriction, including |
| * without limitation the rights to use, copy, modify, merge, publish, |
| * distribute, sublicense, and/or sell copies of the Software, and to |
| * permit persons to whom the Software is furnished to do so, subject to |
| * the following conditions: |
| * |
| * The above copyright notice and this permission notice shall be |
| * included in all copies or substantial portions of the Software. |
| * |
| * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
| * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
| * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
| * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
| * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
| * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
| * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
| * OTHER DEALINGS IN THE SOFTWARE. |
| */ |
| |
| #include <inttypes.h> |
| #include <haproxy/api.h> |
| #include <haproxy/global.h> |
| #include <haproxy/h2.h> |
| #include <haproxy/http-hdr-t.h> |
| #include <haproxy/http.h> |
| #include <haproxy/http_htx.h> |
| #include <haproxy/htx.h> |
| #include <import/ist.h> |
| |
| |
| struct h2_frame_definition h2_frame_definition[H2_FT_ENTRIES] = { |
| [H2_FT_DATA ] = { .dir = 3, .min_id = 1, .max_id = H2_MAX_STREAM_ID, .min_len = 0, .max_len = H2_MAX_FRAME_LEN, }, |
| [H2_FT_HEADERS ] = { .dir = 3, .min_id = 1, .max_id = H2_MAX_STREAM_ID, .min_len = 1, .max_len = H2_MAX_FRAME_LEN, }, |
| [H2_FT_PRIORITY ] = { .dir = 3, .min_id = 1, .max_id = H2_MAX_STREAM_ID, .min_len = 5, .max_len = 5, }, |
| [H2_FT_RST_STREAM ] = { .dir = 3, .min_id = 1, .max_id = H2_MAX_STREAM_ID, .min_len = 4, .max_len = 4, }, |
| [H2_FT_SETTINGS ] = { .dir = 3, .min_id = 0, .max_id = 0, .min_len = 0, .max_len = H2_MAX_FRAME_LEN, }, |
| [H2_FT_PUSH_PROMISE ] = { .dir = 0, .min_id = 1, .max_id = H2_MAX_STREAM_ID, .min_len = 4, .max_len = H2_MAX_FRAME_LEN, }, |
| [H2_FT_PING ] = { .dir = 3, .min_id = 0, .max_id = 0, .min_len = 8, .max_len = 8, }, |
| [H2_FT_GOAWAY ] = { .dir = 3, .min_id = 0, .max_id = 0, .min_len = 8, .max_len = H2_MAX_FRAME_LEN, }, |
| [H2_FT_WINDOW_UPDATE] = { .dir = 3, .min_id = 0, .max_id = H2_MAX_STREAM_ID, .min_len = 4, .max_len = 4, }, |
| [H2_FT_CONTINUATION ] = { .dir = 3, .min_id = 1, .max_id = H2_MAX_STREAM_ID, .min_len = 0, .max_len = H2_MAX_FRAME_LEN, }, |
| }; |
| |
| /* Looks into <ist> for forbidden characters for header values (0x00, 0x0A, |
| * 0x0D), starting at pointer <start> which must be within <ist>. Returns |
| * non-zero if such a character is found, 0 otherwise. When run on unlikely |
| * header match, it's recommended to first check for the presence of control |
| * chars using ist_find_ctl(). |
| */ |
| static int has_forbidden_char(const struct ist ist, const char *start) |
| { |
| do { |
| if ((uint8_t)*start <= 0x0d && |
| (1U << (uint8_t)*start) & ((1<<13) | (1<<10) | (1<<0))) |
| return 1; |
| start++; |
| } while (start < istend(ist)); |
| return 0; |
| } |
| |
| /* Parse the Content-Length header field of an HTTP/2 request. The function |
| * checks all possible occurrences of a comma-delimited value, and verifies |
| * if any of them doesn't match a previous value. It returns <0 if a value |
| * differs, 0 if the whole header can be dropped (i.e. already known), or >0 |
| * if the value can be indexed (first one). In the last case, the value might |
| * be adjusted and the caller must only add the updated value. |
| */ |
| int h2_parse_cont_len_header(unsigned int *msgf, struct ist *value, unsigned long long *body_len) |
| { |
| char *e, *n; |
| unsigned long long cl; |
| int not_first = !!(*msgf & H2_MSGF_BODY_CL); |
| struct ist word; |
| |
| word.ptr = value->ptr - 1; // -1 for next loop's pre-increment |
| e = value->ptr + value->len; |
| |
| while (++word.ptr < e) { |
| /* skip leading delimiter and blanks */ |
| if (unlikely(HTTP_IS_LWS(*word.ptr))) |
| continue; |
| |
| /* digits only now */ |
| for (cl = 0, n = word.ptr; n < e; n++) { |
| unsigned int c = *n - '0'; |
| if (unlikely(c > 9)) { |
| /* non-digit */ |
| if (unlikely(n == word.ptr)) // spaces only |
| goto fail; |
| break; |
| } |
| if (unlikely(cl > ULLONG_MAX / 10ULL)) |
| goto fail; /* multiply overflow */ |
| cl = cl * 10ULL; |
| if (unlikely(cl + c < cl)) |
| goto fail; /* addition overflow */ |
| cl = cl + c; |
| } |
| |
| /* keep a copy of the exact cleaned value */ |
| word.len = n - word.ptr; |
| |
| /* skip trailing LWS till next comma or EOL */ |
| for (; n < e; n++) { |
| if (!HTTP_IS_LWS(*n)) { |
| if (unlikely(*n != ',')) |
| goto fail; |
| break; |
| } |
| } |
| |
| /* if duplicate, must be equal */ |
| if (*msgf & H2_MSGF_BODY_CL && cl != *body_len) |
| goto fail; |
| |
| /* OK, store this result as the one to be indexed */ |
| *msgf |= H2_MSGF_BODY_CL; |
| *body_len = cl; |
| *value = word; |
| word.ptr = n; |
| } |
| /* here we've reached the end with a single value or a series of |
| * identical values, all matching previous series if any. The last |
| * parsed value was sent back into <value>. We just have to decide |
| * if this occurrence has to be indexed (it's the first one) or |
| * silently skipped (it's not the first one) |
| */ |
| return !not_first; |
| fail: |
| return -1; |
| } |
| |
| /* Prepare the request line into <htx> from pseudo headers stored in <phdr[]>. |
| * <fields> indicates what was found so far. This should be called once at the |
| * detection of the first general header field or at the end of the request if |
| * no general header field was found yet. Returns the created start line on |
| * success, or NULL on failure. Upon success, <msgf> is updated with a few |
| * H2_MSGF_* flags indicating what was found while parsing. |
| * |
| * The rules below deserve a bit of explanation. There tends to be some |
| * confusion regarding H2's authority vs the Host header. They are different |
| * though may sometimes be exchanged. In H2, the request line is broken into : |
| * - :method |
| * - :scheme |
| * - :authority |
| * - :path |
| * |
| * An equivalent HTTP/1.x absolute-form request would then look like : |
| * <:method> <:scheme>://<:authority><:path> HTTP/x.y |
| * |
| * Except for CONNECT which doesn't have scheme nor path and looks like : |
| * <:method> <:authority> HTTP/x.y |
| * |
| * It's worth noting that H2 still supports an encoding to map H1 origin-form |
| * and asterisk-form requests. These ones do not specify the authority. However |
| * in H2 they must still specify the scheme, which is not present in H1. Also, |
| * when encoding an absolute-form H1 request without a path, the path |
| * automatically becomes "/" except for the OPTIONS method where it |
| * becomes "*". |
| * |
| * As such it is explicitly permitted for an H2 client to send a request |
| * featuring a Host header and no :authority, though it's not the recommended |
| * way to use H2 for a client. It is however the only permitted way to encode |
| * an origin-form H1 request over H2. Thus we need to respect such differences |
| * as much as possible when re-encoding the H2 request into HTX. |
| */ |
| static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr, struct htx *htx, unsigned int *msgf) |
| { |
| struct ist uri, meth_sl; |
| unsigned int flags = HTX_SL_F_NONE; |
| struct htx_sl *sl; |
| size_t i; |
| |
| if ((fields & H2_PHDR_FND_METH) && isteq(phdr[H2_PHDR_IDX_METH], ist("CONNECT"))) { |
| if (fields & H2_PHDR_FND_PROT) { |
| /* rfc 8441 Extended Connect Protocol |
| * #4 :scheme and :path must be present, as well as |
| * :authority like all h2 requests |
| */ |
| if (!(fields & H2_PHDR_FND_SCHM)) { |
| /* missing scheme */ |
| goto fail; |
| } |
| else if (!(fields & H2_PHDR_FND_PATH)) { |
| /* missing path */ |
| goto fail; |
| } |
| else if (!(fields & H2_PHDR_FND_AUTH)) { |
| /* missing authority */ |
| goto fail; |
| } |
| |
| flags |= HTX_SL_F_HAS_SCHM; |
| if (isteqi(phdr[H2_PHDR_IDX_SCHM], ist("http"))) |
| flags |= HTX_SL_F_SCHM_HTTP; |
| else if (isteqi(phdr[H2_PHDR_IDX_SCHM], ist("https"))) |
| flags |= HTX_SL_F_SCHM_HTTPS; |
| else if (!http_validate_scheme(phdr[H2_PHDR_IDX_SCHM])) |
| htx->flags |= HTX_FL_PARSING_ERROR; |
| |
| meth_sl = ist("GET"); |
| |
| *msgf |= H2_MSGF_EXT_CONNECT; |
| /* no ES on the HEADERS frame but no body either for |
| * Extended CONNECT */ |
| *msgf &= ~H2_MSGF_BODY; |
| } |
| else { |
| /* RFC 7540 #8.2.6 regarding CONNECT: ":scheme" and ":path" |
| * MUST be omitted ; ":authority" contains the host and port |
| * to connect to. |
| */ |
| if (fields & H2_PHDR_FND_SCHM) { |
| /* scheme not allowed */ |
| goto fail; |
| } |
| else if (fields & H2_PHDR_FND_PATH) { |
| /* path not allowed */ |
| goto fail; |
| } |
| else if (!(fields & H2_PHDR_FND_AUTH)) { |
| /* missing authority */ |
| goto fail; |
| } |
| |
| meth_sl = phdr[H2_PHDR_IDX_METH]; |
| } |
| |
| *msgf |= H2_MSGF_BODY_TUNNEL; |
| } |
| else if ((fields & (H2_PHDR_FND_METH|H2_PHDR_FND_SCHM|H2_PHDR_FND_PATH)) != |
| (H2_PHDR_FND_METH|H2_PHDR_FND_SCHM|H2_PHDR_FND_PATH)) { |
| /* RFC 7540 #8.1.2.3 : all requests MUST include exactly one |
| * valid value for the ":method", ":scheme" and ":path" phdr |
| * unless it is a CONNECT request. |
| */ |
| if (!(fields & H2_PHDR_FND_METH)) { |
| /* missing method */ |
| goto fail; |
| } |
| else if (!(fields & H2_PHDR_FND_SCHM)) { |
| /* missing scheme */ |
| goto fail; |
| } |
| else { |
| /* missing path */ |
| goto fail; |
| } |
| } |
| else { /* regular methods */ |
| /* RFC3986#6.2.2.1: scheme is case-insensitive. We need to |
| * classify the scheme as "present/http", "present/https", |
| * "present/other", "absent" so as to decide whether or not |
| * we're facing a normalized URI that will have to be encoded |
| * in origin or absolute form. Indeed, 7540#8.1.2.3 says that |
| * clients should use the absolute form, thus we cannot infer |
| * whether or not the client wanted to use a proxy here. |
| */ |
| flags |= HTX_SL_F_HAS_SCHM; |
| if (isteqi(phdr[H2_PHDR_IDX_SCHM], ist("http"))) |
| flags |= HTX_SL_F_SCHM_HTTP; |
| else if (isteqi(phdr[H2_PHDR_IDX_SCHM], ist("https"))) |
| flags |= HTX_SL_F_SCHM_HTTPS; |
| else if (!http_validate_scheme(phdr[H2_PHDR_IDX_SCHM])) |
| htx->flags |= HTX_FL_PARSING_ERROR; |
| |
| meth_sl = phdr[H2_PHDR_IDX_METH]; |
| } |
| |
| if (fields & H2_PHDR_FND_PATH) { |
| /* 7540#8.1.2.3: :path must not be empty, and must be either |
| * '*' or an RFC3986 "path-absolute" starting with a "/" but |
| * not with "//". |
| * However, this "path-absolute" was a mistake which was |
| * later fixed in http2bis as "absolute-path" to match |
| * HTTP/1, thus also allowing "//". |
| */ |
| if (unlikely(!phdr[H2_PHDR_IDX_PATH].len)) |
| goto fail; |
| else if (unlikely(phdr[H2_PHDR_IDX_PATH].ptr[0] != '/')) { |
| if (!isteq(phdr[H2_PHDR_IDX_PATH], ist("*"))) |
| goto fail; |
| } |
| } |
| |
| if (!(flags & HTX_SL_F_HAS_SCHM)) { |
| /* no scheme, use authority only (CONNECT) */ |
| uri = phdr[H2_PHDR_IDX_AUTH]; |
| flags |= HTX_SL_F_HAS_AUTHORITY; |
| } |
| else if (fields & H2_PHDR_FND_AUTH) { |
| /* authority is present, let's use the absolute form. We simply |
| * use the trash to concatenate them since all of them MUST fit |
| * in a bufsize since it's where they come from. |
| */ |
| uri = ist2bin(trash.area, phdr[H2_PHDR_IDX_SCHM]); |
| istcat(&uri, ist("://"), trash.size); |
| istcat(&uri, phdr[H2_PHDR_IDX_AUTH], trash.size); |
| if (!isteq(phdr[H2_PHDR_IDX_PATH], ist("*"))) |
| istcat(&uri, phdr[H2_PHDR_IDX_PATH], trash.size); |
| flags |= HTX_SL_F_HAS_AUTHORITY; |
| |
| if (flags & (HTX_SL_F_SCHM_HTTP|HTX_SL_F_SCHM_HTTPS)) { |
| /* we don't know if it was originally an absolute or a |
| * relative request because newer versions of HTTP use |
| * the absolute URI format by default, which we call |
| * the normalized URI format internally. This is the |
| * strongly recommended way of sending a request for |
| * a regular client, so we cannot distinguish this |
| * from a request intended for a proxy. For other |
| * schemes however there is no doubt. |
| */ |
| flags |= HTX_SL_F_NORMALIZED_URI; |
| } |
| } |
| else { |
| /* usual schemes with or without authority, use origin form */ |
| uri = phdr[H2_PHDR_IDX_PATH]; |
| if (fields & H2_PHDR_FND_AUTH) |
| flags |= HTX_SL_F_HAS_AUTHORITY; |
| } |
| |
| /* The method is a non-empty token (RFC7231#4.1) */ |
| if (!meth_sl.len) |
| goto fail; |
| for (i = 0; i < meth_sl.len; i++) { |
| if (!HTTP_IS_TOKEN(meth_sl.ptr[i])) |
| htx->flags |= HTX_FL_PARSING_ERROR; |
| } |
| |
| /* make sure the final URI isn't empty. Note that 7540#8.1.2.3 states |
| * that :path must not be empty. |
| */ |
| if (!uri.len) |
| goto fail; |
| |
| /* The final URI must not contain LWS nor CTL characters */ |
| for (i = 0; i < uri.len; i++) { |
| unsigned char c = uri.ptr[i]; |
| if (HTTP_IS_LWS(c) || HTTP_IS_CTL(c)) |
| htx->flags |= HTX_FL_PARSING_ERROR; |
| } |
| |
| /* Set HTX start-line flags */ |
| flags |= HTX_SL_F_VER_11; // V2 in fact |
| flags |= HTX_SL_F_XFER_LEN; // xfer len always known with H2 |
| |
| sl = htx_add_stline(htx, HTX_BLK_REQ_SL, flags, meth_sl, uri, ist("HTTP/2.0")); |
| if (!sl) |
| goto fail; |
| |
| sl->info.req.meth = find_http_meth(meth_sl.ptr, meth_sl.len); |
| if (sl->info.req.meth == HTTP_METH_HEAD) |
| *msgf |= H2_MSGF_BODYLESS_RSP; |
| return sl; |
| fail: |
| return NULL; |
| } |
| |
| /* Takes an H2 request present in the headers list <list> terminated by a name |
| * being <NULL,0> and emits the equivalent HTX request according to the rules |
| * documented in RFC7540 #8.1.2. The output contents are emitted in <htx>, and |
| * non-zero is returned if some bytes were emitted. In case of error, a |
| * negative error code is returned. |
| * |
| * Upon success, <msgf> is filled with a few H2_MSGF_* flags indicating what |
| * was found while parsing. The caller must set it to zero in or H2_MSGF_BODY |
| * if a body is detected (!ES). |
| * |
| * The headers list <list> must be composed of : |
| * - n.name != NULL, n.len > 0 : literal header name |
| * - n.name == NULL, n.len > 0 : indexed pseudo header name number <n.len> |
| * among H2_PHDR_IDX_* |
| * - n.name ignored, n.len == 0 : end of list |
| * - in all cases except the end of list, v.name and v.len must designate a |
| * valid value. |
| * |
| * The Cookie header will be reassembled at the end, and for this, the <list> |
| * will be used to create a linked list, so its contents may be destroyed. |
| */ |
| int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len) |
| { |
| struct ist phdr_val[H2_PHDR_NUM_ENTRIES]; |
| uint32_t fields; /* bit mask of H2_PHDR_FND_* */ |
| uint32_t idx; |
| int ck, lck; /* cookie index and last cookie index */ |
| int phdr; |
| int ret; |
| int i; |
| struct htx_sl *sl = NULL; |
| unsigned int sl_flags = 0; |
| const char *ctl; |
| |
| lck = ck = -1; // no cookie for now |
| fields = 0; |
| for (idx = 0; list[idx].n.len != 0; idx++) { |
| if (!list[idx].n.ptr) { |
| /* this is an indexed pseudo-header */ |
| phdr = list[idx].n.len; |
| } |
| else { |
| /* this can be any type of header */ |
| /* RFC7540#8.1.2: upper case not allowed in header field names. |
| * #10.3: header names must be valid (i.e. match a token). |
| * For pseudo-headers we check from 2nd char and for other ones |
| * from the first char, because HTTP_IS_TOKEN() also excludes |
| * the colon. |
| */ |
| phdr = h2_str_to_phdr(list[idx].n); |
| |
| for (i = !!phdr; i < list[idx].n.len; i++) |
| if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i])) |
| goto fail; |
| } |
| |
| /* RFC7540#10.3: intermediaries forwarding to HTTP/1 must take care of |
| * rejecting NUL, CR and LF characters. |
| */ |
| ctl = ist_find_ctl(list[idx].v); |
| if (unlikely(ctl) && has_forbidden_char(list[idx].v, ctl)) |
| goto fail; |
| |
| if (phdr > 0 && phdr < H2_PHDR_NUM_ENTRIES) { |
| /* insert a pseudo header by its index (in phdr) and value (in value) */ |
| if (fields & ((1 << phdr) | H2_PHDR_FND_NONE)) { |
| if (fields & H2_PHDR_FND_NONE) { |
| /* pseudo header field after regular headers */ |
| goto fail; |
| } |
| else { |
| /* repeated pseudo header field */ |
| goto fail; |
| } |
| } |
| fields |= 1 << phdr; |
| phdr_val[phdr] = list[idx].v; |
| continue; |
| } |
| else if (phdr != 0) { |
| /* invalid pseudo header -- should never happen here */ |
| goto fail; |
| } |
| |
| /* regular header field in (name,value) */ |
| if (unlikely(!(fields & H2_PHDR_FND_NONE))) { |
| /* no more pseudo-headers, time to build the request line */ |
| sl = h2_prepare_htx_reqline(fields, phdr_val, htx, msgf); |
| if (!sl) |
| goto fail; |
| fields |= H2_PHDR_FND_NONE; |
| |
| /* http2bis draft recommends to drop Host in favor of :authority when |
| * the latter is present. This is required to make sure there is no |
| * discrepancy between the authority and the host header, especially |
| * since routing rules usually involve Host. Here we already know if |
| * :authority was found so we can emit it right now and mark the host |
| * as filled so that it's skipped later. |
| */ |
| if (fields & H2_PHDR_FND_AUTH) { |
| if (!htx_add_header(htx, ist("host"), phdr_val[H2_PHDR_IDX_AUTH])) |
| goto fail; |
| fields |= H2_PHDR_FND_HOST; |
| } |
| } |
| |
| if (isteq(list[idx].n, ist("host"))) { |
| if (fields & H2_PHDR_FND_HOST) |
| continue; |
| |
| fields |= H2_PHDR_FND_HOST; |
| } |
| |
| if (isteq(list[idx].n, ist("content-length"))) { |
| ret = h2_parse_cont_len_header(msgf, &list[idx].v, body_len); |
| if (ret < 0) |
| goto fail; |
| |
| sl_flags |= HTX_SL_F_CLEN; |
| if (ret == 0) |
| continue; // skip this duplicate |
| } |
| |
| /* these ones are forbidden in requests (RFC7540#8.1.2.2) */ |
| if (isteq(list[idx].n, ist("connection")) || |
| isteq(list[idx].n, ist("proxy-connection")) || |
| isteq(list[idx].n, ist("keep-alive")) || |
| isteq(list[idx].n, ist("upgrade")) || |
| isteq(list[idx].n, ist("transfer-encoding"))) |
| goto fail; |
| |
| if (isteq(list[idx].n, ist("te")) && !isteq(list[idx].v, ist("trailers"))) |
| goto fail; |
| |
| /* cookie requires special processing at the end */ |
| if (isteq(list[idx].n, ist("cookie"))) { |
| list[idx].n.len = -1; |
| |
| if (ck < 0) |
| ck = idx; |
| else |
| list[lck].n.len = idx; |
| |
| lck = idx; |
| continue; |
| } |
| |
| if (!htx_add_header(htx, list[idx].n, list[idx].v)) |
| goto fail; |
| } |
| |
| /* RFC7540#8.1.2.1 mandates to reject response pseudo-headers (:status) */ |
| if (fields & H2_PHDR_FND_STAT) |
| goto fail; |
| |
| /* Let's dump the request now if not yet emitted. */ |
| if (!(fields & H2_PHDR_FND_NONE)) { |
| sl = h2_prepare_htx_reqline(fields, phdr_val, htx, msgf); |
| if (!sl) |
| goto fail; |
| } |
| |
| if (*msgf & H2_MSGF_BODY_TUNNEL) |
| *msgf &= ~(H2_MSGF_BODY|H2_MSGF_BODY_CL); |
| |
| if (!(*msgf & H2_MSGF_BODY) || ((*msgf & H2_MSGF_BODY_CL) && *body_len == 0) || |
| (*msgf & H2_MSGF_BODY_TUNNEL)) { |
| /* Request without body or tunnel requested */ |
| sl_flags |= HTX_SL_F_BODYLESS; |
| htx->flags |= HTX_FL_EOM; |
| } |
| |
| if (*msgf & H2_MSGF_EXT_CONNECT) { |
| if (!htx_add_header(htx, ist("upgrade"), phdr_val[H2_PHDR_IDX_PROT])) |
| goto fail; |
| if (!htx_add_header(htx, ist("connection"), ist("upgrade"))) |
| goto fail; |
| sl_flags |= HTX_SL_F_CONN_UPG; |
| } |
| |
| /* update the start line with last detected header info */ |
| sl->flags |= sl_flags; |
| |
| /* complete with missing Host if needed (we may validate this test if |
| * no regular header was found). |
| */ |
| if ((fields & (H2_PHDR_FND_HOST|H2_PHDR_FND_AUTH)) == H2_PHDR_FND_AUTH) { |
| /* missing Host field, use :authority instead */ |
| if (!htx_add_header(htx, ist("host"), phdr_val[H2_PHDR_IDX_AUTH])) |
| goto fail; |
| } |
| |
| /* now we may have to build a cookie list. We'll dump the values of all |
| * visited headers. |
| */ |
| if (ck >= 0) { |
| uint32_t fs; // free space |
| uint32_t bs; // block size |
| uint32_t vl; // value len |
| uint32_t tl; // total length |
| struct htx_blk *blk; |
| |
| blk = htx_add_header(htx, ist("cookie"), list[ck].v); |
| if (!blk) |
| goto fail; |
| |
| tl = list[ck].v.len; |
| fs = htx_free_data_space(htx); |
| bs = htx_get_blksz(blk); |
| |
| /* for each extra cookie, we'll extend the cookie's value and |
| * insert "; " before the new value. |
| */ |
| fs += tl; // first one is already counted |
| while ((ck = list[ck].n.len) >= 0) { |
| vl = list[ck].v.len; |
| tl += vl + 2; |
| if (tl > fs) |
| goto fail; |
| |
| htx_change_blk_value_len(htx, blk, tl); |
| *(char *)(htx_get_blk_ptr(htx, blk) + bs + 0) = ';'; |
| *(char *)(htx_get_blk_ptr(htx, blk) + bs + 1) = ' '; |
| memcpy(htx_get_blk_ptr(htx, blk) + bs + 2, list[ck].v.ptr, vl); |
| bs += vl + 2; |
| } |
| |
| } |
| |
| /* now send the end of headers marker */ |
| if (!htx_add_endof(htx, HTX_BLK_EOH)) |
| goto fail; |
| |
| /* proceed to scheme-based normalization on target-URI */ |
| if (fields & H2_PHDR_FND_SCHM) |
| http_scheme_based_normalize(htx); |
| |
| ret = 1; |
| return ret; |
| |
| fail: |
| return -1; |
| } |
| |
| /* Prepare the status line into <htx> from pseudo headers stored in <phdr[]>. |
| * <fields> indicates what was found so far. This should be called once at the |
| * detection of the first general header field or at the end of the message if |
| * no general header field was found yet. Returns the created start line on |
| * success, or NULL on failure. Upon success, <msgf> is updated with a few |
| * H2_MSGF_* flags indicating what was found while parsing. |
| */ |
| static struct htx_sl *h2_prepare_htx_stsline(uint32_t fields, struct ist *phdr, struct htx *htx, unsigned int *msgf) |
| { |
| unsigned int status, flags = HTX_SL_F_NONE; |
| struct htx_sl *sl; |
| struct ist stat; |
| |
| /* only :status is allowed as a pseudo header */ |
| if (!(fields & H2_PHDR_FND_STAT)) |
| goto fail; |
| |
| if (phdr[H2_PHDR_IDX_STAT].len != 3) |
| goto fail; |
| |
| /* if Extended CONNECT is used, convert status code from 200 to htx 101 |
| * following rfc 8441 */ |
| if (unlikely(*msgf & H2_MSGF_EXT_CONNECT) && |
| isteq(phdr[H2_PHDR_IDX_STAT], ist("200"))) { |
| stat = ist("101"); |
| status = 101; |
| } |
| else { |
| unsigned char h, t, u; |
| |
| stat = phdr[H2_PHDR_IDX_STAT]; |
| |
| h = stat.ptr[0] - '0'; |
| t = stat.ptr[1] - '0'; |
| u = stat.ptr[2] - '0'; |
| if (h > 9 || t > 9 || u > 9) |
| goto fail; |
| status = h * 100 + t * 10 + u; |
| } |
| |
| /* 101 responses are not supported in H2, so return a error. |
| * On 1xx responses there is no ES on the HEADERS frame but there is no |
| * body. So remove the flag H2_MSGF_BODY and add H2_MSGF_RSP_1XX to |
| * notify the decoder another HEADERS frame is expected. |
| * 204/304 response have no body by definition. So remove the flag |
| * H2_MSGF_BODY and set H2_MSGF_BODYLESS_RSP. |
| * |
| * Note however that there is a special condition for Extended CONNECT. |
| * In this case, we explicitly convert it to HTX 101 to mimic |
| * Get+Upgrade HTTP/1.1 mechanism |
| */ |
| if (status == 101) { |
| if (!(*msgf & H2_MSGF_EXT_CONNECT)) |
| goto fail; |
| } |
| else if (status < 200) { |
| *msgf |= H2_MSGF_RSP_1XX; |
| *msgf &= ~H2_MSGF_BODY; |
| } |
| else if (status == 204 || status == 304) { |
| *msgf &= ~H2_MSGF_BODY; |
| *msgf |= H2_MSGF_BODYLESS_RSP; |
| } |
| |
| /* Set HTX start-line flags */ |
| flags |= HTX_SL_F_VER_11; // V2 in fact |
| flags |= HTX_SL_F_XFER_LEN; // xfer len always known with H2 |
| |
| sl = htx_add_stline(htx, HTX_BLK_RES_SL, flags, ist("HTTP/2.0"), stat, ist("")); |
| if (!sl) |
| goto fail; |
| sl->info.res.status = status; |
| return sl; |
| fail: |
| return NULL; |
| } |
| |
| /* Takes an H2 response present in the headers list <list> terminated by a name |
| * being <NULL,0> and emits the equivalent HTX response according to the rules |
| * documented in RFC7540 #8.1.2. The output contents are emitted in <htx>, and |
| * a positive value is returned if some bytes were emitted. In case of error, a |
| * negative error code is returned. |
| * |
| * Upon success, <msgf> is filled with a few H2_MSGF_* flags indicating what |
| * was found while parsing. The caller must set it to zero in or H2_MSGF_BODY |
| * if a body is detected (!ES). |
| * |
| * The headers list <list> must be composed of : |
| * - n.name != NULL, n.len > 0 : literal header name |
| * - n.name == NULL, n.len > 0 : indexed pseudo header name number <n.len> |
| * among H2_PHDR_IDX_* |
| * - n.name ignored, n.len == 0 : end of list |
| * - in all cases except the end of list, v.name and v.len must designate a |
| * valid value. |
| * |
| * <upgrade_protocol> is only used if the htx status code is 101 indicating a |
| * response to an upgrade or h2-equivalent request. |
| */ |
| int h2_make_htx_response(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len, char *upgrade_protocol) |
| { |
| struct ist phdr_val[H2_PHDR_NUM_ENTRIES]; |
| uint32_t fields; /* bit mask of H2_PHDR_FND_* */ |
| uint32_t idx; |
| int phdr; |
| int ret; |
| int i; |
| struct htx_sl *sl = NULL; |
| unsigned int sl_flags = 0; |
| const char *ctl; |
| |
| fields = 0; |
| for (idx = 0; list[idx].n.len != 0; idx++) { |
| if (!list[idx].n.ptr) { |
| /* this is an indexed pseudo-header */ |
| phdr = list[idx].n.len; |
| } |
| else { |
| /* this can be any type of header */ |
| /* RFC7540#8.1.2: upper case not allowed in header field names. |
| * #10.3: header names must be valid (i.e. match a token). |
| * For pseudo-headers we check from 2nd char and for other ones |
| * from the first char, because HTTP_IS_TOKEN() also excludes |
| * the colon. |
| */ |
| phdr = h2_str_to_phdr(list[idx].n); |
| |
| for (i = !!phdr; i < list[idx].n.len; i++) |
| if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i])) |
| goto fail; |
| } |
| |
| /* RFC7540#10.3: intermediaries forwarding to HTTP/1 must take care of |
| * rejecting NUL, CR and LF characters. |
| */ |
| ctl = ist_find_ctl(list[idx].v); |
| if (unlikely(ctl) && has_forbidden_char(list[idx].v, ctl)) |
| goto fail; |
| |
| if (phdr > 0 && phdr < H2_PHDR_NUM_ENTRIES) { |
| /* insert a pseudo header by its index (in phdr) and value (in value) */ |
| if (fields & ((1 << phdr) | H2_PHDR_FND_NONE)) { |
| if (fields & H2_PHDR_FND_NONE) { |
| /* pseudo header field after regular headers */ |
| goto fail; |
| } |
| else { |
| /* repeated pseudo header field */ |
| goto fail; |
| } |
| } |
| fields |= 1 << phdr; |
| phdr_val[phdr] = list[idx].v; |
| continue; |
| } |
| else if (phdr != 0) { |
| /* invalid pseudo header -- should never happen here */ |
| goto fail; |
| } |
| |
| /* regular header field in (name,value) */ |
| if (!(fields & H2_PHDR_FND_NONE)) { |
| /* no more pseudo-headers, time to build the status line */ |
| sl = h2_prepare_htx_stsline(fields, phdr_val, htx, msgf); |
| if (!sl) |
| goto fail; |
| fields |= H2_PHDR_FND_NONE; |
| } |
| |
| if (isteq(list[idx].n, ist("content-length"))) { |
| ret = h2_parse_cont_len_header(msgf, &list[idx].v, body_len); |
| if (ret < 0) |
| goto fail; |
| |
| sl_flags |= HTX_SL_F_CLEN; |
| if (ret == 0) |
| continue; // skip this duplicate |
| } |
| |
| /* these ones are forbidden in responses (RFC7540#8.1.2.2) */ |
| if (isteq(list[idx].n, ist("connection")) || |
| isteq(list[idx].n, ist("proxy-connection")) || |
| isteq(list[idx].n, ist("keep-alive")) || |
| isteq(list[idx].n, ist("upgrade")) || |
| isteq(list[idx].n, ist("transfer-encoding"))) |
| goto fail; |
| |
| if (!htx_add_header(htx, list[idx].n, list[idx].v)) |
| goto fail; |
| } |
| |
| /* RFC7540#8.1.2.1 mandates to reject request pseudo-headers */ |
| if (fields & (H2_PHDR_FND_AUTH|H2_PHDR_FND_METH|H2_PHDR_FND_PATH|H2_PHDR_FND_SCHM)) |
| goto fail; |
| |
| /* Let's dump the request now if not yet emitted. */ |
| if (!(fields & H2_PHDR_FND_NONE)) { |
| sl = h2_prepare_htx_stsline(fields, phdr_val, htx, msgf); |
| if (!sl) |
| goto fail; |
| } |
| |
| if (sl->info.res.status == 101 && upgrade_protocol) { |
| if (!htx_add_header(htx, ist("connection"), ist("upgrade"))) |
| goto fail; |
| if (!htx_add_header(htx, ist("upgrade"), ist(upgrade_protocol))) |
| goto fail; |
| sl_flags |= HTX_SL_F_CONN_UPG; |
| } |
| |
| if ((*msgf & H2_MSGF_BODY_TUNNEL) && |
| ((sl->info.res.status >= 200 && sl->info.res.status < 300) || sl->info.res.status == 101)) |
| *msgf &= ~(H2_MSGF_BODY|H2_MSGF_BODY_CL); |
| else |
| *msgf &= ~H2_MSGF_BODY_TUNNEL; |
| |
| if (!(*msgf & H2_MSGF_BODY) || ((*msgf & H2_MSGF_BODY_CL) && *body_len == 0) || |
| (*msgf & H2_MSGF_BODY_TUNNEL)) { |
| /* Response without body or tunnel successfully established */ |
| sl_flags |= HTX_SL_F_BODYLESS; |
| htx->flags |= HTX_FL_EOM; |
| } |
| |
| /* update the start line with last detected header info */ |
| sl->flags |= sl_flags; |
| |
| if ((*msgf & (H2_MSGF_BODY|H2_MSGF_BODY_TUNNEL|H2_MSGF_BODY_CL)) == H2_MSGF_BODY) { |
| /* FIXME: Do we need to signal anything when we have a body and |
| * no content-length, to have the equivalent of H1's chunked |
| * encoding? |
| */ |
| } |
| |
| /* now send the end of headers marker */ |
| if (!htx_add_endof(htx, HTX_BLK_EOH)) |
| goto fail; |
| |
| ret = 1; |
| return ret; |
| |
| fail: |
| return -1; |
| } |
| |
| /* Takes an H2 headers list <list> terminated by a name being <NULL,0> and emits |
| * the equivalent HTX trailers blocks. The output contents are emitted in <htx>, |
| * and a positive value is returned if some bytes were emitted. In case of |
| * error, a negative error code is returned. The caller must have verified that |
| * the message in the buffer is compatible with receipt of trailers. |
| * |
| * The headers list <list> must be composed of : |
| * - n.name != NULL, n.len > 0 : literal header name |
| * - n.name == NULL, n.len > 0 : indexed pseudo header name number <n.len> |
| * among H2_PHDR_IDX_* (illegal here) |
| * - n.name ignored, n.len == 0 : end of list |
| * - in all cases except the end of list, v.name and v.len must designate a |
| * valid value. |
| */ |
| int h2_make_htx_trailers(struct http_hdr *list, struct htx *htx) |
| { |
| const char *ctl; |
| uint32_t idx; |
| int i; |
| |
| for (idx = 0; list[idx].n.len != 0; idx++) { |
| if (!list[idx].n.ptr) { |
| /* This is an indexed pseudo-header (RFC7540#8.1.2.1) */ |
| goto fail; |
| } |
| |
| /* RFC7540#8.1.2: upper case not allowed in header field names. |
| * #10.3: header names must be valid (i.e. match a token). This |
| * also catches pseudo-headers which are forbidden in trailers. |
| */ |
| for (i = 0; i < list[idx].n.len; i++) |
| if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(list[idx].n.ptr[i])) |
| goto fail; |
| |
| /* these ones are forbidden in trailers (RFC7540#8.1.2.2) */ |
| if (isteq(list[idx].n, ist("host")) || |
| isteq(list[idx].n, ist("content-length")) || |
| isteq(list[idx].n, ist("connection")) || |
| isteq(list[idx].n, ist("proxy-connection")) || |
| isteq(list[idx].n, ist("keep-alive")) || |
| isteq(list[idx].n, ist("upgrade")) || |
| isteq(list[idx].n, ist("te")) || |
| isteq(list[idx].n, ist("transfer-encoding"))) |
| goto fail; |
| |
| /* RFC7540#10.3: intermediaries forwarding to HTTP/1 must take care of |
| * rejecting NUL, CR and LF characters. |
| */ |
| ctl = ist_find_ctl(list[idx].v); |
| if (unlikely(ctl) && has_forbidden_char(list[idx].v, ctl)) |
| goto fail; |
| |
| if (!htx_add_trailer(htx, list[idx].n, list[idx].v)) |
| goto fail; |
| } |
| |
| if (!htx_add_endof(htx, HTX_BLK_EOT)) |
| goto fail; |
| |
| return 1; |
| |
| fail: |
| return -1; |
| } |