varnish-cache/bin/varnishd/http2/cache_http2_hpack.c
0
/*-
1
 * Copyright (c) 2016 Varnish Software AS
2
 * All rights reserved.
3
 *
4
 * Author: Martin Blix Grydeland <martin@varnish-software.com>
5
 *
6
 * SPDX-License-Identifier: BSD-2-Clause
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, this list of conditions and the following disclaimer.
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20
 * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
21
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27
 * SUCH DAMAGE.
28
 *
29
 */
30
31
#include "config.h"
32
33
#include "cache/cache_varnishd.h"
34
35
#include <ctype.h>
36
#include <stdio.h>
37
38
#include "http2/cache_http2.h"
39
#include "vct.h"
40
41
static void
42 24240
h2h_assert_ready(const struct h2h_decode *d)
43
{
44
45 24240
        CHECK_OBJ_NOTNULL(d, H2H_DECODE_MAGIC);
46 24240
        AN(d->out);
47 24240
        assert(d->namelen >= 2); /* 2 chars from the ": " that we added */
48 24240
        assert(d->namelen <= d->out_u);
49 24240
        assert(d->out[d->namelen - 2] == ':');
50 24240
        assert(d->out[d->namelen - 1] == ' ');
51 24240
}
52
53
// rfc9113,l,2493,2528
54
static h2_error
55 24240
h2h_checkhdr(struct vsl_log *vsl, txt nm, txt val)
56
{
57
        const char *p;
58
        int l;
59
        enum {
60
                FLD_NAME_FIRST,
61
                FLD_NAME,
62
                FLD_VALUE_FIRST,
63
                FLD_VALUE
64
        } state;
65
66 24240
        if (Tlen(nm) == 0) {
67 0
                VSLb(vsl, SLT_BogoHeader, "Empty name");
68 0
                return (H2SE_PROTOCOL_ERROR);
69
        }
70
71
        // VSLb(vsl, SLT_Debug, "CHDR [%.*s] [%.*s]",
72
        //     (int)Tlen(nm), nm.b, (int)Tlen(val), val.b);
73
74 24240
        l = vmin_t(int, Tlen(nm) + 2 + Tlen(val), 20);
75 24240
        state = FLD_NAME_FIRST;
76 183280
        Tforeach(p, nm) {
77 159200
                switch(state) {
78
                case FLD_NAME_FIRST:
79 24240
                        state = FLD_NAME;
80 24240
                        if (*p == ':')
81 19440
                                break;
82
                        /* FALLTHROUGH */
83
                case FLD_NAME:
84 139760
                        if (isupper(*p)) {
85 80
                                VSLb(vsl, SLT_BogoHeader,
86
                                    "Illegal field header name (upper-case): %.*s",
87 40
                                    l, nm.b);
88 40
                                return (H2SE_PROTOCOL_ERROR);
89
                        }
90 139720
                        if (!vct_istchar(*p) || *p == ':') {
91 240
                                VSLb(vsl, SLT_BogoHeader,
92
                                    "Illegal field header name (non-token): %.*s",
93 120
                                    l, nm.b);
94 120
                                return (H2SE_PROTOCOL_ERROR);
95
                        }
96 139600
                        break;
97
                default:
98 0
                        WRONG("http2 field name validation state");
99 0
                }
100 159040
        }
101
102 24080
        state = FLD_VALUE_FIRST;
103 1280640
        Tforeach(p, val) {
104 1256960
                switch(state) {
105
                case FLD_VALUE_FIRST:
106 23800
                        if (vct_issp(*p)) {
107 720
                                VSLb(vsl, SLT_BogoHeader,
108
                                    "Illegal field value 0x%02x start %.*s",
109 360
                                    *p, l, nm.b);
110 360
                                return (H2SE_PROTOCOL_ERROR);
111
                        }
112 23440
                        state = FLD_VALUE;
113
                        /* FALLTHROUGH */
114
                case FLD_VALUE:
115 1256600
                        if (!vct_ishdrval(*p)) {
116 80
                                VSLb(vsl, SLT_BogoHeader,
117
                                    "Illegal field value 0x%02x %.*s",
118 40
                                    *p, l, nm.b);
119 40
                                return (H2SE_PROTOCOL_ERROR);
120
                        }
121 1256560
                        break;
122
                default:
123 0
                        WRONG("http2 field value validation state");
124 0
                }
125 1256560
        }
126 23680
        if (state == FLD_VALUE && vct_issp(val.e[-1])) {
127 160
                VSLb(vsl, SLT_BogoHeader,
128
                    "Illegal field value 0x%02x (end) at %.*s",
129 80
                    val.e[-1], l, nm.b);
130 80
                return (H2SE_PROTOCOL_ERROR);
131
        }
132 23600
        return (0);
133 24240
}
134
135
static h2_error
136 24240
h2h_addhdr(struct http *hp, struct h2h_decode *d)
137
{
138
        /* XXX: This might belong in cache/cache_http.c */
139
        txt hdr, nm, val;
140
        int disallow_empty;
141
        const char *p;
142
        unsigned n, has_dup;
143
        h2_error err;
144
145 24240
        CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
146 24240
        h2h_assert_ready(d);
147
148
        /* Assume hdr is by default a regular header from what we decoded. */
149 24240
        hdr.b = d->out;
150 24240
        hdr.e = hdr.b + d->out_u;
151 24240
        n = hp->nhd;
152
153
        /* nm and val are separated by ": " */
154 24240
        nm.b = hdr.b;
155 24240
        nm.e = nm.b + d->namelen - 2;
156 24240
        val.b = nm.e + 2;
157 24240
        val.e = hdr.e;
158
159 24240
        err = h2h_checkhdr(hp->vsl, nm, val);
160 24240
        if (err != NULL)
161 640
                return (err);
162
163 23600
        disallow_empty = 0;
164 23600
        has_dup = 0;
165
166 23600
        if (Tlen(hdr) > cache_param->http_req_hdr_len) {
167 40
                VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", hdr.b);
168 40
                return (H2SE_ENHANCE_YOUR_CALM);
169
        }
170
171
        /* Match H/2 pseudo headers */
172
        /* XXX: Should probably have some include tbl for pseudo-headers */
173 23560
        if (!Tstrcmp(nm, ":method")) {
174 6040
                hdr.b = val.b;
175 6040
                n = HTTP_HDR_METHOD;
176 6040
                disallow_empty = 1;
177
178
                /* Check HTTP token */
179 25360
                Tforeach(p, hdr) {
180 19320
                        if (!vct_istchar(*p))
181 0
                                return (H2SE_PROTOCOL_ERROR);
182 19320
                }
183 23560
        } else if (!Tstrcmp(nm, ":path")) {
184 6280
                hdr.b = val.b;
185 6280
                n = HTTP_HDR_URL;
186 6280
                disallow_empty = 1;
187
188
                // rfc9113,l,2693,2705
189 6280
                if (Tlen(val) > 0 && val.b[0] != '/' && Tstrcmp(val, "*")) {
190 160
                        VSLb(hp->vsl, SLT_BogoHeader,
191
                            "Illegal :path pseudo-header %.*s",
192 80
                            (int)Tlen(val), val.b);
193 80
                        return (H2SE_PROTOCOL_ERROR);
194
                }
195
196
                /* Path cannot contain LWS or CTL */
197 19680
                Tforeach(p, hdr) {
198 13480
                        if (vct_islws(*p) || vct_isctl(*p))
199 0
                                return (H2SE_PROTOCOL_ERROR);
200 13480
                }
201 17440
        } else if (!Tstrcmp(nm, ":scheme")) {
202
                /* XXX: What to do about this one? (typically
203
                   "http" or "https"). For now set it as a normal
204
                   header, stripping the first ':'. */
205 6080
                hdr.b++;
206 6080
                has_dup = d->has_scheme;
207 6080
                d->has_scheme = 1;
208 6080
                disallow_empty = 1;
209
210
                /* Check HTTP token */
211 30120
                Tforeach(p, val) {
212 24040
                        if (!vct_istchar(*p))
213 0
                                return (H2SE_PROTOCOL_ERROR);
214 24040
                }
215 11240
        } else if (!Tstrcmp(nm, ":authority")) {
216
                /* NB: we inject "host" in place of "rity" for
217
                 * the ":authority" pseudo-header.
218
                 */
219 680
                memcpy(d->out + 6, "host", 4);
220 680
                hdr.b += 6;
221 680
                nm = Tstr(":authority"); /* preserve original */
222 680
                has_dup = d->has_authority;
223 680
                d->has_authority = 1;
224 5160
        } else if (nm.b[0] == ':') {
225 160
                VSLb(hp->vsl, SLT_BogoHeader,
226
                    "Unknown pseudo-header: %.*s",
227 80
                    vmin_t(int, Tlen(hdr), 20), hdr.b);
228 80
                return (H2SE_PROTOCOL_ERROR);   // rfc7540,l,2990,2992
229
        }
230
231 23400
        if (disallow_empty && Tlen(val) == 0) {
232 480
                VSLb(hp->vsl, SLT_BogoHeader,
233
                    "Empty pseudo-header %.*s",
234 240
                    (int)Tlen(nm), nm.b);
235 240
                return (H2SE_PROTOCOL_ERROR);
236
        }
237
238 23160
        if (n >= HTTP_HDR_FIRST) {
239
                /* Check for space in struct http */
240 11080
                if (n >= hp->shd) {
241 80
                        VSLb(hp->vsl, SLT_LostHeader,
242
                            "Too many headers: %.*s",
243 40
                            vmin_t(int, Tlen(hdr), 20), hdr.b);
244 40
                        return (H2SE_ENHANCE_YOUR_CALM);
245
                }
246 11040
                hp->nhd++;
247 11040
                AZ(hp->hd[n].b);
248 11040
        }
249
250 23120
        if (has_dup || hp->hd[n].b != NULL) {
251 200
                assert(nm.b[0] == ':');
252 400
                VSLb(hp->vsl, SLT_BogoHeader,
253
                    "Duplicate pseudo-header %.*s",
254 200
                    (int)Tlen(nm), nm.b);
255 200
                return (H2SE_PROTOCOL_ERROR);   // rfc7540,l,3158,3162
256
        }
257
258 22920
        hp->hd[n] = hdr;
259 22920
        return (0);
260 24240
}
261
262
static void
263 7440
h2h_decode_init(const struct h2_sess *h2, struct ws *ws)
264
{
265
        struct h2h_decode *d;
266
267 7440
        CHECK_OBJ_NOTNULL(h2, H2_SESS_MAGIC);
268 7440
        CHECK_OBJ_NOTNULL(ws, WS_MAGIC);
269
270 7440
        AN(h2->decode);
271 7440
        d = h2->decode;
272 7440
        INIT_OBJ(d, H2H_DECODE_MAGIC);
273 7440
        VHD_Init(d->vhd);
274 7440
        d->out_l = WS_ReserveSize(ws, cache_param->http_req_size);
275
        /*
276
         * Can't do any work without any buffer
277
         * space. Require non-zero size.
278
         */
279 7440
        XXXAN(d->out_l);
280 7440
        d->out = WS_Reservation(ws);
281
282 7440
        if (cache_param->h2_max_header_list_size == 0)
283 7440
                d->limit =
284 7440
                    (long)(h2->local_settings.max_header_list_size * 1.5);
285
        else
286 0
                d->limit = cache_param->h2_max_header_list_size;
287
288 7440
        if (d->limit < h2->local_settings.max_header_list_size)
289 0
                d->limit = INT64_MAX;
290
291 7440
        d->ws = ws;
292 7440
}
293
294
void
295 7440
h2h_decode_hdr_init(const struct h2_sess *h2)
296
{
297
298 7440
        CHECK_OBJ_NOTNULL(h2, H2_SESS_MAGIC);
299 7440
        CHECK_OBJ_NOTNULL(h2->new_req, REQ_MAGIC);
300 7440
        CHECK_OBJ_NOTNULL(h2->new_req->http, HTTP_MAGIC);
301 7440
        h2h_decode_init(h2, h2->new_req->ws);
302 7440
}
303
304
/* Possible error returns:
305
 *
306
 * H2E_COMPRESSION_ERROR: Lost compression state due to incomplete header
307
 * block. This is a connection level error.
308
 *
309
 * H2E_ENHANCE_YOUR_CALM: Ran out of workspace or http header space. This
310
 * is a stream level error.
311
 */
312
h2_error
313 7440
h2h_decode_hdr_fini(const struct h2_sess *h2)
314
{
315
        h2_error ret;
316
        struct h2h_decode *d;
317
318 7440
        CHECK_OBJ_NOTNULL(h2, H2_SESS_MAGIC);
319 7440
        d = h2->decode;
320 7440
        CHECK_OBJ_NOTNULL(h2->new_req, REQ_MAGIC);
321 7440
        CHECK_OBJ_NOTNULL(d, H2H_DECODE_MAGIC);
322 7440
        WS_ReleaseP(d->ws, d->out);
323 7440
        if (d->vhd_ret != VHD_OK) {
324
                /* HPACK header block didn't finish at an instruction
325
                   boundary */
326 2800
                VSLb(h2->new_req->http->vsl, SLT_BogoHeader,
327 1400
                    "HPACK compression error/fini (%s)", VHD_Error(d->vhd_ret));
328 1400
                ret = H2CE_COMPRESSION_ERROR;
329 7440
        } else if (d->error == NULL && !d->has_scheme) {
330 160
                H2S_Lock_VSLb(h2, SLT_Debug, "Missing :scheme");
331 160
                ret = H2SE_MISSING_SCHEME; //rfc7540,l,3087,3090
332 160
        } else
333 5880
                ret = d->error;
334 7440
        FINI_OBJ(d);
335 7440
        if (ret == H2SE_REQ_SIZE) {
336 40
                VSLb(h2->new_req->http->vsl, SLT_LostHeader,
337
                    "Header list too large");
338 40
        }
339 7440
        return (ret);
340
}
341
342
/* Possible error returns:
343
 *
344
 * H2E_COMPRESSION_ERROR: Lost compression state due to invalid header
345
 * block. This is a connection level error.
346
 *
347
 * H2E_PROTOCOL_ERROR: Malformed header or duplicate pseudo-header.
348
 *                     Violation of field name/value charsets
349
 */
350
h2_error
351 8000
h2h_decode_bytes(struct h2_sess *h2, const uint8_t *in, size_t in_l)
352
{
353
        struct http *hp;
354
        struct h2h_decode *d;
355 8000
        size_t in_u = 0;
356
        const char *r, *e;
357
358 8000
        CHECK_OBJ_NOTNULL(h2, H2_SESS_MAGIC);
359 8000
        CHECK_OBJ_NOTNULL(h2->new_req, REQ_MAGIC);
360 8000
        hp = h2->new_req->http;
361 8000
        CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
362 8000
        d = h2->decode;
363 8000
        CHECK_OBJ_NOTNULL(d, H2H_DECODE_MAGIC);
364 8000
        CHECK_OBJ_NOTNULL(d->ws, WS_MAGIC);
365 8000
        r = WS_Reservation(d->ws);
366 8000
        AN(r);
367 8000
        e = r + WS_ReservationSize(d->ws);
368
369
        /* Only H2E_ENHANCE_YOUR_CALM indicates that we should continue
370
           processing. Other errors should have been returned and handled
371
           by the caller. */
372 8000
        if (d->error != NULL)
373 160
                assert(H2_ERROR_MATCH(d->error, H2SE_ENHANCE_YOUR_CALM));
374
375 56440
        while (d->limit >= 0) {
376 56400
                AN(d->out);
377 56400
                assert(d->out_u <= d->out_l);
378 112800
                d->vhd_ret = VHD_Decode(d->vhd, h2->dectbl, in, in_l, &in_u,
379 56400
                    d->out, d->out_l, &d->out_u);
380
381 56400
                if (d->vhd_ret < 0) {
382 160
                        H2S_Lock_VSLb(h2, SLT_BogoHeader,
383
                            "HPACK compression error (%s)",
384 80
                            VHD_Error(d->vhd_ret));
385 80
                        d->error = H2CE_COMPRESSION_ERROR;
386 80
                        break;
387 56320
                } else if (d->vhd_ret == VHD_OK || d->vhd_ret == VHD_MORE) {
388 6640
                        assert(in_u == in_l);
389 6640
                        break;
390
                }
391
392 49680
                if (H2_ERROR_MATCH(d->error, H2SE_ENHANCE_YOUR_CALM)) {
393 1040
                        d->limit -= d->out_u;
394 1040
                        d->out_u = 0;
395 1040
                        assert(d->out_u < d->out_l);
396 1040
                        continue;
397
                }
398
399 48640
                switch (d->vhd_ret) {
400
                case VHD_NAME_SEC:
401
                        /* XXX: header flag for never-indexed header */
402
                case VHD_NAME:
403 24360
                        assert(d->namelen == 0);
404 24360
                        if (d->out_l - d->out_u < 2) {
405 40
                                d->error = H2SE_REQ_SIZE;
406 40
                                break;
407
                        }
408 24320
                        d->out[d->out_u++] = ':';
409 24320
                        d->out[d->out_u++] = ' ';
410 24320
                        d->namelen = d->out_u;
411 24320
                        break;
412
413
                case VHD_VALUE_SEC:
414
                        /* XXX: header flag for never-indexed header */
415
                case VHD_VALUE:
416 24240
                        assert(d->namelen > 0);
417 24240
                        if (d->out_l - d->out_u < 1) {
418 0
                                d->error = H2SE_REQ_SIZE;
419 0
                                break;
420
                        }
421 24240
                        d->error = h2h_addhdr(hp, d);
422 24240
                        if (d->error)
423 1320
                                break;
424 22920
                        d->out[d->out_u++] = '\0'; /* Zero guard */
425 22920
                        d->out += d->out_u;
426 22920
                        d->out_l -= d->out_u;
427 22920
                        d->limit -= d->out_u;
428 22920
                        d->out_u = 0;
429 22920
                        d->namelen = 0;
430 22920
                        break;
431
432
                case VHD_BUF:
433 40
                        d->error = H2SE_REQ_SIZE;
434 40
                        break;
435
436
                default:
437 0
                        WRONG("Unhandled return value");
438 0
                        break;
439
                }
440
441 48640
                if (H2_ERROR_MATCH(d->error, H2SE_ENHANCE_YOUR_CALM)) {
442 160
                        d->out = WS_Reservation(d->ws);
443 160
                        d->out_l = e - d->out;
444 160
                        d->limit -= d->out_u;
445 160
                        d->out_u = 0;
446 160
                        assert(d->out_l > 0);
447 48640
                } else if (d->error)
448 1240
                        break;
449
        }
450
451 8000
        if (d->limit < 0) {
452
                /* Fatal error, the client exceeded both http_req_size
453
                 * and h2_max_header_list_size. */
454 40
                H2S_Lock_VSLb(h2, SLT_SessError, "Header list too large");
455 40
                return (H2CE_ENHANCE_YOUR_CALM);
456
        }
457
458 7960
        if (H2_ERROR_MATCH(d->error, H2SE_ENHANCE_YOUR_CALM)) {
459
                /* Stream error, delay reporting until h2h_decode_hdr_fini so
460
                 * that we can process the complete header block. */
461 280
                return (NULL);
462
        }
463
464 7680
        return (d->error);
465 8000
}