1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25 #include "curl_setup.h"
26
27 #ifndef CURL_DISABLE_PROXY
28
29 #include "inet_pton.h"
30 #include "strcase.h"
31 #include "noproxy.h"
32
33 #ifdef HAVE_NETINET_IN_H
34 #include <netinet/in.h>
35 #endif
36
37 #ifdef HAVE_ARPA_INET_H
38 #include <arpa/inet.h>
39 #endif
40
41 /*
42 * Curl_cidr4_match() returns TRUE if the given IPv4 address is within the
43 * specified CIDR address range.
44 */
Curl_cidr4_match(const char * ipv4,const char * network,unsigned int bits)45 UNITTEST bool Curl_cidr4_match(const char *ipv4, /* 1.2.3.4 address */
46 const char *network, /* 1.2.3.4 address */
47 unsigned int bits)
48 {
49 unsigned int address = 0;
50 unsigned int check = 0;
51
52 if(bits > 32)
53 /* strange input */
54 return FALSE;
55
56 if(1 != Curl_inet_pton(AF_INET, ipv4, &address))
57 return FALSE;
58 if(1 != Curl_inet_pton(AF_INET, network, &check))
59 return FALSE;
60
61 if(bits && (bits != 32)) {
62 unsigned int mask = 0xffffffff << (32 - bits);
63 unsigned int haddr = htonl(address);
64 unsigned int hcheck = htonl(check);
65 #if 0
66 fprintf(stderr, "Host %s (%x) network %s (%x) bits %u mask %x => %x\n",
67 ipv4, haddr, network, hcheck, bits, mask,
68 (haddr ^ hcheck) & mask);
69 #endif
70 if((haddr ^ hcheck) & mask)
71 return FALSE;
72 return TRUE;
73 }
74 return (address == check);
75 }
76
Curl_cidr6_match(const char * ipv6,const char * network,unsigned int bits)77 UNITTEST bool Curl_cidr6_match(const char *ipv6,
78 const char *network,
79 unsigned int bits)
80 {
81 #ifdef USE_IPV6
82 unsigned int bytes;
83 unsigned int rest;
84 unsigned char address[16];
85 unsigned char check[16];
86
87 if(!bits)
88 bits = 128;
89
90 bytes = bits / 8;
91 rest = bits & 0x07;
92 if((bytes > 16) || ((bytes == 16) && rest))
93 return FALSE;
94 if(1 != Curl_inet_pton(AF_INET6, ipv6, address))
95 return FALSE;
96 if(1 != Curl_inet_pton(AF_INET6, network, check))
97 return FALSE;
98 if(bytes && memcmp(address, check, bytes))
99 return FALSE;
100 if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
101 return FALSE;
102
103 return TRUE;
104 #else
105 (void)ipv6;
106 (void)network;
107 (void)bits;
108 return FALSE;
109 #endif
110 }
111
112 enum nametype {
113 TYPE_HOST,
114 TYPE_IPV4,
115 TYPE_IPV6
116 };
117
118 /****************************************************************
119 * Checks if the host is in the noproxy list. returns TRUE if it matches and
120 * therefore the proxy should NOT be used.
121 ****************************************************************/
Curl_check_noproxy(const char * name,const char * no_proxy)122 bool Curl_check_noproxy(const char *name, const char *no_proxy)
123 {
124 char hostip[128];
125
126 /*
127 * If we don't have a hostname at all, like for example with a FILE
128 * transfer, we have nothing to interrogate the noproxy list with.
129 */
130 if(!name || name[0] == '\0')
131 return FALSE;
132
133 /* no_proxy=domain1.dom,host.domain2.dom
134 * (a comma-separated list of hosts which should
135 * not be proxied, or an asterisk to override
136 * all proxy variables)
137 */
138 if(no_proxy && no_proxy[0]) {
139 const char *p = no_proxy;
140 size_t namelen;
141 enum nametype type = TYPE_HOST;
142 if(!strcmp("*", no_proxy))
143 return TRUE;
144
145 /* NO_PROXY was specified and it wasn't just an asterisk */
146
147 if(name[0] == '[') {
148 char *endptr;
149 /* IPv6 numerical address */
150 endptr = strchr(name, ']');
151 if(!endptr)
152 return FALSE;
153 name++;
154 namelen = endptr - name;
155 if(namelen >= sizeof(hostip))
156 return FALSE;
157 memcpy(hostip, name, namelen);
158 hostip[namelen] = 0;
159 name = hostip;
160 type = TYPE_IPV6;
161 }
162 else {
163 unsigned int address;
164 namelen = strlen(name);
165 if(1 == Curl_inet_pton(AF_INET, name, &address))
166 type = TYPE_IPV4;
167 else {
168 /* ignore trailing dots in the host name */
169 if(name[namelen - 1] == '.')
170 namelen--;
171 }
172 }
173
174 while(*p) {
175 const char *token;
176 size_t tokenlen = 0;
177 bool match = FALSE;
178
179 /* pass blanks */
180 while(*p && ISBLANK(*p))
181 p++;
182
183 token = p;
184 /* pass over the pattern */
185 while(*p && !ISBLANK(*p) && (*p != ',')) {
186 p++;
187 tokenlen++;
188 }
189
190 if(tokenlen) {
191 switch(type) {
192 case TYPE_HOST:
193 /* ignore trailing dots in the token to check */
194 if(token[tokenlen - 1] == '.')
195 tokenlen--;
196
197 if(tokenlen && (*token == '.')) {
198 /* ignore leading token dot as well */
199 token++;
200 tokenlen--;
201 }
202 /* A: example.com matches 'example.com'
203 B: www.example.com matches 'example.com'
204 C: nonexample.com DOES NOT match 'example.com'
205 */
206 if(tokenlen == namelen)
207 /* case A, exact match */
208 match = strncasecompare(token, name, namelen);
209 else if(tokenlen < namelen) {
210 /* case B, tailmatch domain */
211 match = (name[namelen - tokenlen - 1] == '.') &&
212 strncasecompare(token, name + (namelen - tokenlen),
213 tokenlen);
214 }
215 /* case C passes through, not a match */
216 break;
217 case TYPE_IPV4:
218 case TYPE_IPV6: {
219 const char *check = token;
220 char *slash;
221 unsigned int bits = 0;
222 char checkip[128];
223 if(tokenlen >= sizeof(checkip))
224 /* this cannot match */
225 break;
226 /* copy the check name to a temp buffer */
227 memcpy(checkip, check, tokenlen);
228 checkip[tokenlen] = 0;
229 check = checkip;
230
231 slash = strchr(check, '/');
232 /* if the slash is part of this token, use it */
233 if(slash) {
234 /* if the bits variable gets a crazy value here, that is fine as
235 the value will then be rejected in the cidr function */
236 bits = (unsigned int)atoi(slash + 1);
237 *slash = 0; /* null terminate there */
238 }
239 if(type == TYPE_IPV6)
240 match = Curl_cidr6_match(name, check, bits);
241 else
242 match = Curl_cidr4_match(name, check, bits);
243 break;
244 }
245 }
246 if(match)
247 return TRUE;
248 } /* if(tokenlen) */
249 /* pass blanks after pattern */
250 while(ISBLANK(*p))
251 p++;
252 /* if not a comma, this ends the loop */
253 if(*p != ',')
254 break;
255 /* pass any number of commas */
256 while(*p == ',')
257 p++;
258 } /* while(*p) */
259 } /* NO_PROXY was specified and it wasn't just an asterisk */
260
261 return FALSE;
262 }
263
264 #endif /* CURL_DISABLE_PROXY */
265
