Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / ef8d0dcefdf00b043697df971533daf01290811a / . / src / hpack-dec.c
blob: 6620570e0dadc8efc8547ae933718056788b7d8c [file] [log] [blame]
Willy Tarreau679790b2017-05-30 19:09:44 +0200[diff] [blame]1/*
2 * HPACK decompressor (RFC7541)
3 *
4 * Copyright (C) 2014-2017 Willy Tarreau <willy@haproxy.org>
5 * Copyright (C) 2017 HAProxy Technologies
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining
8 * a copy of this software and associated documentation files (the
9 * "Software"), to deal in the Software without restriction, including
10 * without limitation the rights to use, copy, modify, merge, publish,
11 * distribute, sublicense, and/or sell copies of the Software, and to
12 * permit persons to whom the Software is furnished to do so, subject to
13 * the following conditions:
14 *
15 * The above copyright notice and this permission notice shall be
16 * included in all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
19 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
20 * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
21 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
22 * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
23 * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
24 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
25 * OTHER DEALINGS IN THE SOFTWARE.
26 */
27
28#include <stdint.h>
29#include <stdio.h>
30#include <stdlib.h>
31#include <string.h>
32
33#include <common/hpack-dec.h>
34#include <common/hpack-huff.h>
35#include <common/hpack-tbl.h>
36#include <common/ist.h>
37
38#include <types/global.h>
39
40/* indexes of most important pseudo headers can be simplified to an almost
41 * linear array by dividing the index by 2 for all values from 1 to 9, and
42 * caping to 4 for values up to 14 ; thus it fits in a single 24-bit array
43 * shifted by 3 times the index value/2, or a 32-bit array shifted by 4x.
44 * Don't change these values, they are assumed by get_pseudo_hdr(). There
45 * is an entry for the Host header field which is not a pseudo-header but
46 * need to be tracked as we should only use :authority if it's absent.
47 */
48enum {
49 PHDR_IDX_NONE = 0,
50 PHDR_IDX_AUTH = 1, /* :authority = 1 */
51 PHDR_IDX_METH = 2, /* :method = 2..3 */
52 PHDR_IDX_PATH = 3, /* :path = 4..5 */
53 PHDR_IDX_SCHM = 4, /* :scheme = 6..7 */
54 PHDR_IDX_STAT = 5, /* :status = 8..14 */
55 PHDR_IDX_HOST = 6, /* Host, never returned, just a place-holder */
56 PHDR_NUM_ENTRIES /* must be last */
57};
58
59/* bit fields indicating the pseudo-headers found. It also covers the HOST
60 * header field ad well as any non-pseudo-header field (NONE).
61 */
62enum {
63 PHDR_FND_NONE = 1 << PHDR_IDX_NONE, /* found a regular header */
64 PHDR_FND_AUTH = 1 << PHDR_IDX_AUTH,
65 PHDR_FND_METH = 1 << PHDR_IDX_METH,
66 PHDR_FND_PATH = 1 << PHDR_IDX_PATH,
67 PHDR_FND_SCHM = 1 << PHDR_IDX_SCHM,
68 PHDR_FND_STAT = 1 << PHDR_IDX_STAT,
69 PHDR_FND_HOST = 1 << PHDR_IDX_HOST,
70};
71
72static const struct ist phdr_names[PHDR_NUM_ENTRIES] = {
73 { "", 0},
74 { ":authority", 10},
75 { ":method", 7},
76 { ":path", 5},
77 { ":scheme", 7},
78 { ":status", 7},
79 { "Host", 4},
80};
81
82
83#if defined(DEBUG_HPACK)
84#define hpack_debug_printf printf
85#else
86#define hpack_debug_printf(...) do { } while (0)
87#endif
88
89/* reads a varint from <raw>'s lowest <b> bits and <len> bytes max (raw included).
90 * returns the 32-bit value on success after updating raw_in and len_in. Forces
91 * len_in to (uint32_t)-1 on truncated input.
92 */
93static uint32_t get_var_int(const uint8_t **raw_in, uint32_t *len_in, int b)
94{
95 uint32_t ret = 0;
96 int len = *len_in;
97 const uint8_t *raw = *raw_in;
98 uint8_t shift = 0;
99
100 len--;
101 ret = *(raw++) & ((1 << b) - 1);
102 if (ret != (uint32_t)((1 << b) - 1))
103 goto end;
104
105 while (1) {
106 if (!len)
107 goto too_short;
108 if (!(*raw & 128))
109 break;
110 ret += ((uint32_t)(*raw++) & 127) << shift;
111 shift += 7;
112 len--;
113 }
114
115 /* last 7 bits */
116 if (!len)
117 goto too_short;
118 len--;
119 ret += ((uint32_t)(*raw++) & 127) << shift;
120
121 end:
122 *raw_in = raw;
123 *len_in = len;
124 return ret;
125
126 too_short:
127 *len_in = (uint32_t)-1;
128 return 0;
129}
130
131/* returns the pseudo-header <str> corresponds to among PHDR_IDX_*, 0 if not a
132 * pseudo-header, or -1 if not a valid pseudo-header.
133 */
134static inline int hpack_str_to_phdr(const struct ist str)
135{
136 if (*str.ptr == ':') {
137 if (isteq(str, ist(":path"))) return PHDR_IDX_PATH;
138 else if (isteq(str, ist(":method"))) return PHDR_IDX_METH;
139 else if (isteq(str, ist(":scheme"))) return PHDR_IDX_SCHM;
140 else if (isteq(str, ist(":status"))) return PHDR_IDX_STAT;
141 else if (isteq(str, ist(":authority"))) return PHDR_IDX_AUTH;
142
143 /* all other names starting with ':' */
144 return -1;
145 }
146
147 /* not a pseudo header */
148 return 0;
149}
150
151/* returns the pseudo-header <idx> corresponds to among PHDR_IDX_*, or 0 the
152 * header's string has to be parsed. The magic value at the end comes from
153 * PHDR_IDX_* values.
154 */
155static inline int hpack_idx_to_phdr(uint32_t idx)
156{
157 if (idx > 14)
158 return 0;
159
160 idx >>= 1;
161 idx <<= 2;
162 return (0x55554321U >> idx) & 0xF;
163}
164
165/* Prepare the request line into <*ptr> (stopping at <end>) from pseudo headers
166 * stored in <phdr[]>. <fields> indicates what was found so far. This should be
167 * called once at the detection of the first general header field or at the end
168 * of the request if no general header field was found yet. Returns 0 on success
169 * or a negative HPACK_ERR_* error code.
170 */
171static int hpack_prepare_reqline(uint32_t fields, struct ist *phdr, char **ptr, char *end)
172{
173 char *out = *ptr;
174 int uri_idx = PHDR_IDX_PATH;
175
176 if ((fields & PHDR_FND_METH) && isteq(phdr[PHDR_IDX_METH], ist("CONNECT"))) {
177 /* RFC 7540 #8.2.6 regarding CONNECT: ":scheme" and ":path"
178 * MUST be omitted ; ":authority" contains the host and port
179 * to connect to.
180 */
181 if (fields & PHDR_FND_SCHM) {
182 hpack_debug_printf("--:scheme not allowed with CONNECT--\n");
183 return -HPACK_ERR_SCHEME_NOT_ALLOWED;
184 }
185 else if (fields & PHDR_FND_PATH) {
186 hpack_debug_printf("--:path not allowed with CONNECT--\n");
187 return -HPACK_ERR_PATH_NOT_ALLOWED;
188 }
189 else if (!(fields & PHDR_FND_AUTH)) {
190 hpack_debug_printf("--CONNECT: missing :authority--\n");
191 return -HPACK_ERR_MISSING_AUTHORITY;
192 }
193 // otherwise OK ; let's use the authority instead of the URI
194 uri_idx = PHDR_IDX_AUTH;
195 }
196 else if ((fields & (PHDR_FND_METH|PHDR_FND_SCHM|PHDR_FND_PATH)) !=
197 (PHDR_FND_METH|PHDR_FND_SCHM|PHDR_FND_PATH)) {
198 /* RFC 7540 #8.1.2.3 : all requests MUST include exactly one
199 * valid value for the ":method", ":scheme" and ":path" phdr
200 * unless it is a CONNECT request.
201 */
202 if (!(fields & PHDR_FND_METH)) {
203 hpack_debug_printf("--missing :method--\n");
204 return -HPACK_ERR_MISSING_METHOD;
205 }
206 else if (!(fields & PHDR_FND_SCHM)) {
207 hpack_debug_printf("--missing :scheme--\n");
208 return -HPACK_ERR_MISSING_SCHEME;
209 }
210 else {
211 hpack_debug_printf("--missing :path--\n");
212 return -HPACK_ERR_MISSING_PATH;
213 }
214 }
215
216 hpack_debug_printf("%s ", istpad(trash.str, phdr[PHDR_IDX_METH]).ptr);
217 hpack_debug_printf("%s HTTP/1.1\r\n", istpad(trash.str, phdr[uri_idx]).ptr);
218
219 if (out + phdr[uri_idx].len + 1 + phdr[uri_idx].len + 11 > end) {
220 hpack_debug_printf("too large request\n");
221 return -HPACK_ERR_TOO_LARGE;
222 }
223
224 memcpy(out, phdr[PHDR_IDX_METH].ptr, phdr[PHDR_IDX_METH].len);
225 out += phdr[PHDR_IDX_METH].len;
226 *(out++) = ' ';
227
228 memcpy(out, phdr[uri_idx].ptr, phdr[uri_idx].len);
229 out += phdr[uri_idx].len;
230 memcpy(out, " HTTP/1.1\r\n", 11);
231 out += 11;
232
233 *ptr = out;
234 return 0;
235}
236
237/* only takes care of frames affecting the dynamic table for now and directly
238 * prints the output on stdout. Writes the output to <out> for at most <osize>
239 * bytes. Returns the number of bytes written, or < 0 on error, in which case
240 * the value is the negative of HPACK_ERR_*.
241 */
242int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len, char *out, int osize)
243{
244 uint32_t idx;
245 uint32_t nlen;
246 uint32_t vlen;
247 uint8_t huff;
248 uint32_t fields; /* bit mask of PHDR_FND_* */
249 struct ist name;
250 struct ist value;
251 struct ist phdr_str[PHDR_NUM_ENTRIES];
252 struct chunk *phdr_trash = get_trash_chunk();
253 struct chunk *tmp = get_trash_chunk();
254 char *phdr_next = phdr_trash->str;
255 int phdr;
256 int must_index;
257 int ret;
258 char *out_end = out + osize;
259
260 fields = 0;
261 while (len) {
262 int code __attribute__((unused)) = *raw; /* first byte, only for debugging */
263
264 must_index = 0;
265 if (*raw >= 0x80) {
266 /* indexed header field */
267 if (*raw == 0x80) {
268 hpack_debug_printf("unhandled code 0x%02x (raw=%p, len=%d)\n", *raw, raw, len);
269 ret = -HPACK_ERR_UNKNOWN_OPCODE;
270 goto leave;
271 }
272
273 hpack_debug_printf("%02x: p14: indexed header field : ", code);
274
275 idx = get_var_int(&raw, &len, 7);
276 if (len == (uint32_t)-1) { // truncated
277 ret = -HPACK_ERR_TRUNCATED;
278 goto leave;
279 }
280
281 value = hpack_idx_to_value(dht, idx);
282 phdr = hpack_idx_to_phdr(idx);
283 if (phdr > 0)
284 goto phdr_by_idx;
285
286 name = hpack_idx_to_name(dht, idx);
287 phdr = hpack_str_to_phdr(name);
288 if (phdr > 0)
289 goto phdr_by_idx;
290 if (phdr == 0)
291 goto regular_hdr;
292
293 /* invalid pseudo header -- should never happen here */
294 goto bad_phdr;
295 }
296 else if (*raw >= 0x20 && *raw <= 0x3f) {
297 /* max dyn table size change */
298 idx = get_var_int(&raw, &len, 5);
299 if (len == (uint32_t)-1) { // truncated
300 ret = -HPACK_ERR_TRUNCATED;
301 goto leave;
302 }
303 continue;
304 }
305 else if (!(*raw & (*raw - 0x10))) {
306 /* 0x00, 0x10, and 0x40 (0x20 and 0x80 were already handled above) */
307
308 /* literal header field without/never/with incremental indexing -- literal name */
309 if (*raw == 0x00)
310 hpack_debug_printf("%02x: p17: literal without indexing : ", code);
311 else if (*raw == 0x10)
312 hpack_debug_printf("%02x: p18: literal never indexed : ", code);
313 else if (*raw == 0x40)
314 hpack_debug_printf("%02x: p16: literal with indexing : ", code);
315
316 if (*raw == 0x40)
317 must_index = 1;
318
319 raw++; len--;
320
321 /* retrieve name */
322 if (!len) { // truncated
323 ret = -HPACK_ERR_TRUNCATED;
324 goto leave;
325 }
326
327 huff = *raw & 0x80;
328 nlen = get_var_int(&raw, &len, 7);
329 if (len == (uint32_t)-1 || len < nlen) { // truncated
330 ret = -HPACK_ERR_TRUNCATED;
331 goto leave;
332 }
333
334 name = ist2(raw, nlen);
335
336 raw += nlen;
337 len -= nlen;
338 chunk_reset(tmp);
339
340 if (huff) {
341 nlen = huff_dec((const uint8_t *)name.ptr, name.len, tmp->str, tmp->size);
342 if (nlen == (uint32_t)-1) {
343 hpack_debug_printf("2: can't decode huffman.\n");
344 ret = -HPACK_ERR_HUFFMAN;
345 goto leave;
346 }
347 tmp->len += nlen; // make room for the value
348 name = ist2(tmp->str, nlen);
349 }
350
351 /* retrieve value */
352 if (!len) { // truncated
353 ret = -HPACK_ERR_TRUNCATED;
354 goto leave;
355 }
356
357 huff = *raw & 0x80;
358 vlen = get_var_int(&raw, &len, 7);
359 if (len == (uint32_t)-1 || len < vlen) { // truncated
360 ret = -HPACK_ERR_TRUNCATED;
361 goto leave;
362 }
363
364 value = ist2(raw, vlen);
365 raw += vlen;
366 len -= vlen;
367
368 if (huff) {
369 char *vtrash = chunk_newstr(tmp);
370 if (!vtrash) {
371 ret = HPACK_ERR_TOO_LARGE;
372 goto leave;
373 }
374
375 vlen = huff_dec((const uint8_t *)value.ptr, value.len, vtrash, tmp->str + tmp->size - vtrash);
376 if (vlen == (uint32_t)-1) {
377 hpack_debug_printf("3: can't decode huffman.\n");
378 ret = -HPACK_ERR_HUFFMAN;
379 goto leave;
380 }
381 value = ist2(vtrash, vlen);
382 }
383
384 phdr = hpack_str_to_phdr(name);
385 if (phdr > 0)
386 goto phdr_by_idx;
387 if (phdr == 0)
388 goto regular_hdr;
389
390 /* invalid pseudo header -- should never happen here */
391 goto bad_phdr;
392 }
393 else {
394 /* 0x01..0x0f : literal header field without indexing -- indexed name */
395 /* 0x11..0x1f : literal header field never indexed -- indexed name */
396 /* 0x41..0x7f : literal header field with incremental indexing -- indexed name */
397
398 if (*raw <= 0x0f)
399 hpack_debug_printf("%02x: p16: literal without indexing -- indexed name : ", code);
400 else if (*raw >= 0x41)
401 hpack_debug_printf("%02x: p15: literal with indexing -- indexed name : ", code);
402 else
403 hpack_debug_printf("%02x: p16: literal never indexed -- indexed name : ", code);
404
405 /* retrieve name index */
406 if (*raw >= 0x41) {
407 must_index = 1;
408 idx = get_var_int(&raw, &len, 6);
409 }
410 else
411 idx = get_var_int(&raw, &len, 4);
412
413 if (len == (uint32_t)-1 || !len) { // truncated
414 ret = -HPACK_ERR_TRUNCATED;
415 goto leave;
416 }
417
418 /* retrieve value */
419 huff = *raw & 0x80;
420 vlen = get_var_int(&raw, &len, 7);
421 if (len == (uint32_t)-1 || len < vlen) { // truncated
422 ret = -HPACK_ERR_TRUNCATED;
423 goto leave;
424 }
425
426 value = ist2(raw, vlen);
427 raw += vlen;
428 len -= vlen;
429
430 if (huff) {
431 vlen = huff_dec((const uint8_t *)value.ptr, value.len, tmp->str, tmp->size);
432 if (vlen == (uint32_t)-1) {
433 hpack_debug_printf("1: can't decode huffman.\n");
434 ret = -HPACK_ERR_HUFFMAN;
435 goto leave;
436 }
437 value = ist2(tmp->str, vlen);
438 }
439
440 phdr = hpack_idx_to_phdr(idx);
441 if (phdr > 0)
442 goto phdr_by_idx;
443
444 name = hpack_idx_to_name(dht, idx);
445 phdr = hpack_str_to_phdr(name);
446 if (phdr > 0)
447 goto phdr_by_idx;
448 if (phdr == 0)
449 goto regular_hdr;
450
451 /* invalid pseudo header -- should never happen here */
452 goto bad_phdr;
453 }
454
455 phdr_by_idx:
456 /* insert a pseudo header by its index (in phdr) and value (in value) */
457 if (fields & ((1 << phdr) | PHDR_FND_NONE)) {
458 if (fields & PHDR_FND_NONE) {
459 hpack_debug_printf("%02x: pseudo header field after regular headers : %d\n", code, phdr);
460 ret = -HPACK_ERR_MISPLACED_PHDR;
461 goto leave;
462 }
463 else {
464 hpack_debug_printf("%02x: repeated pseudo header field %d\n", code, phdr);
465 ret = -HPACK_ERR_DUPLICATE_PHDR;
466 goto leave;
467 }
468 }
469 fields |= 1 << phdr;
470
471 if (phdr_next + value.len > phdr_trash->str + phdr_trash->size) {
472 hpack_debug_printf("too large request\n");
473 ret = -HPACK_ERR_TOO_LARGE;
474 goto leave;
475 }
476
477 memcpy(phdr_next, value.ptr, value.len);
478 phdr_str[phdr].ptr = phdr_next;
479 phdr_str[phdr].len = value.len;
480 phdr_next += value.len;
481
482 if (must_index && hpack_dht_insert(dht, phdr_names[phdr], value) < 0) {
483 hpack_debug_printf("failed to find some room in the dynamic table\n");
484 ret = -HPACK_ERR_DHT_INSERT_FAIL;
485 goto leave;
486 }
487
488 hpack_debug_printf("phdr=%d(\e[1;34m%s\e[0m) ptr=%d len=%d (\e[1;35m%s\e[0m) [idx=%d, used=%d]\n",
489 phdr, phdr_names[phdr].ptr,
490 (int)(phdr_str[phdr].ptr - phdr_trash->str), (int)phdr_str[phdr].len,
491 istpad(trash.str, phdr_str[phdr]).ptr, must_index, dht->used);
492 continue;
493
494 regular_hdr:
495 /* regular header field in (name,value) */
496
497 if (!(fields & PHDR_FND_NONE)) {
498 hpack_debug_printf("--end of pseudo-headers--\n");
499 ret = hpack_prepare_reqline(fields, phdr_str, &out, out_end);
500 if (ret)
501 goto leave;
502 fields |= PHDR_FND_NONE;
503 }
504
505 if (must_index && hpack_dht_insert(dht, name, value) < 0) {
506 hpack_debug_printf("failed to find some room in the dynamic table\n");
507 ret = -HPACK_ERR_DHT_INSERT_FAIL;
508 goto leave;
509 }
510
511 if (isteq(name, ist("host")))
512 fields |= PHDR_FND_HOST;
513
514 if (out + name.len + 2 + value.len + 2 > out_end) {
515 hpack_debug_printf("too large request\n");
516 ret = -HPACK_ERR_TOO_LARGE;
517 goto leave;
518 }
519
520 memcpy(out, name.ptr, name.len);
521 out += name.len;
522 *(out++) = ':';
523 *(out++) = ' ';
524
525 memcpy(out, value.ptr, value.len);
526 out += value.len;
527 *(out++) = '\r';
528 *(out++) = '\n';
529
530 hpack_debug_printf("\e[1;34m%s\e[0m: ",
531 istpad(trash.str, name).ptr);
532
533 hpack_debug_printf("\e[1;35m%s\e[0m [idx=%d, used=%d]\n",
534 istpad(trash.str, value).ptr,
535 must_index, dht->used);
536
537 continue;
538
539 bad_phdr:
540 hpack_debug_printf("%02x: invalid pseudo header field %d\n", code, phdr);
541 ret = -HPACK_ERR_INVALID_PHDR;
542 goto leave;
543 }
544
545 /* Let's dump the request now if not yet emitted. */
546 if (!(fields & PHDR_FND_NONE)) {
547 ret = hpack_prepare_reqline(fields, phdr_str, &out, out_end);
548 if (ret)
549 goto leave;
550 }
551
552 /* complete with missing Host if needed */
553 if ((fields & (PHDR_FND_HOST|PHDR_FND_AUTH)) == PHDR_FND_AUTH) {
554 /* missing Host field, use :authority instead */
555 hpack_debug_printf("\e[1;34m%s\e[0m: \e[1;35m%s\e[0m\n", "Host", istpad(trash.str, phdr_str[PHDR_IDX_AUTH]).ptr);
556
557 if (out + 6 + phdr_str[PHDR_IDX_AUTH].len + 2 > out_end) {
558 hpack_debug_printf("too large request\n");
559 ret = -HPACK_ERR_TOO_LARGE;
560 goto leave;
561 }
562
563 memcpy(out, "host: ", 6);
564 memcpy(out + 6, phdr_str[PHDR_IDX_AUTH].ptr, phdr_str[PHDR_IDX_AUTH].len);
565 out += 6 + phdr_str[PHDR_IDX_AUTH].len;
566 *(out++) = '\r';
567 *(out++) = '\n';
568 }
569
570 /* And finish */
571 if (out + 2 > out_end) {
572 hpack_debug_printf("too large request\n");
573 ret = -HPACK_ERR_TOO_LARGE;
574 goto leave;
575 }
576
577 *(out++) = '\r';
578 *(out++) = '\n';
579
580 hpack_debug_printf("done : %d bytes emitted\n", (int)(out + osize - out_end));
581
582 ret = out + osize - out_end;
583 leave:
584 return ret;
585}