static pr_response_t *send_recv(pool *p, conn_t *conn, cmd_rec *cmd,
unsigned int *resp_nlines) {
int res, xerrno;
pr_response_t *resp;
res = proxy_ftp_ctrl_send_cmd(p, conn, cmd);
if (res < 0) {
xerrno = errno;
pr_trace_msg(trace_channel, 4,
"error sending '%s %s' to backend: %s", (char *) cmd->argv[0], cmd->arg,
strerror(xerrno));
errno = xerrno;
return NULL;
}
resp = proxy_ftp_ctrl_recv_resp(p, conn, resp_nlines);
if (resp == NULL) {
xerrno = errno;
pr_trace_msg(trace_channel, 4,
"error receiving %s response from backend: %s", (char *) cmd->argv[0],
strerror(xerrno));
errno = xerrno;
return NULL;
}
return resp;
}
static int forward_handle_pass_passthru(cmd_rec *cmd,
struct proxy_session *proxy_sess, int *successful) {
int res, xerrno;
pr_response_t *resp;
unsigned int resp_nlines = 0;
res = proxy_ftp_ctrl_send_cmd(cmd->tmp_pool, proxy_sess->backend_ctrl_conn,
cmd);
if (res < 0) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error sending %s to backend: %s", (char *) cmd->argv[0],
strerror(xerrno));
errno = xerrno;
return -1;
}
resp = proxy_ftp_ctrl_recv_resp(cmd->tmp_pool, proxy_sess->backend_ctrl_conn,
&resp_nlines);
if (resp == NULL) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error receiving %s response from backend: %s", (char *) cmd->argv[0],
strerror(xerrno));
/* If we receive an EPERM here, it is probably because the backend
* closed its control connection, yielding an EOF. To better indicate
* this situation, propagate the error using EPIPE.
*/
if (xerrno == EPERM) {
xerrno = EPIPE;
}
errno = xerrno;
return -1;
}
/* XXX What about other response codes for PASS? */
if (resp->num[0] == '2') {
*successful = TRUE;
proxy_sess_state |= PROXY_SESS_STATE_BACKEND_AUTHENTICATED;
}
res = proxy_ftp_ctrl_send_resp(cmd->tmp_pool, proxy_sess->frontend_ctrl_conn,
resp, resp_nlines);
if (res < 0) {
xerrno = errno;
pr_response_block(TRUE);
errno = xerrno;
return -1;
}
return 1;
}
int proxy_ftp_sess_get_feat(pool *p, struct proxy_session *proxy_sess) {
pool *tmp_pool;
int res, xerrno = 0;
cmd_rec *cmd;
pr_response_t *resp;
unsigned int resp_nlines = 0;
char *feats, *token;
size_t token_len = 0;
tmp_pool = make_sub_pool(p);
cmd = pr_cmd_alloc(tmp_pool, 1, C_FEAT);
res = proxy_ftp_ctrl_send_cmd(tmp_pool, proxy_sess->backend_ctrl_conn, cmd);
if (res < 0) {
xerrno = errno;
pr_trace_msg(trace_channel, 4,
"error sending %s to backend: %s", (char *) cmd->argv[0],
strerror(xerrno));
destroy_pool(tmp_pool);
errno = xerrno;
return -1;
}
resp = proxy_ftp_ctrl_recv_resp(tmp_pool, proxy_sess->backend_ctrl_conn,
&resp_nlines);
if (resp == NULL) {
xerrno = errno;
pr_trace_msg(trace_channel, 4,
"error receiving %s response from backend: %s", (char *) cmd->argv[0],
strerror(xerrno));
destroy_pool(tmp_pool);
errno = xerrno;
return -1;
}
if (resp->num[0] != '2') {
pr_trace_msg(trace_channel, 4,
"received unexpected %s response code %s from backend",
(char *) cmd->argv[0], resp->num);
/* Note: If the UseProxyProtocol ProxyOption is enabled, AND if the
* response message mentions a "PROXY" command, we might read an
* error response here that is NOT actually for the FEAT command we just
* sent.
*
* A backend FTP server which does not understand the PROXY protocol
* will treat it as a normal FTP command, and respond. And that will
* put us, the client, out of lockstep with the server, for how do we know
* that we need to read that error response FIRST, then send another
* command?
*/
destroy_pool(tmp_pool);
errno = EPERM;
return -1;
}
proxy_sess->backend_features = pr_table_nalloc(p, 0, 4);
feats = resp->msg;
token = pr_str_get_token2(&feats, (char *) feat_crlf, &token_len);
while (token != NULL) {
pr_signals_handle();
if (token_len > 0) {
/* The FEAT response lines in which we are interested all start with
* a single space, per RFC spec. Ignore any other lines.
*/
if (token[0] == ' ') {
char *key, *val, *ptr;
/* Find the next space in the string, to delimit our key/value pairs. */
ptr = strchr(token + 1, ' ');
if (ptr != NULL) {
key = pstrndup(p, token + 1, ptr - token - 1);
val = pstrdup(p, ptr + 1);
} else {
key = pstrdup(p, token + 1);
val = pstrdup(p, "");
}
pr_table_add(proxy_sess->backend_features, key, val, 0);
}
}
feats = token + token_len + 1;
token = pr_str_get_token2(&feats, (char *) feat_crlf, &token_len);
}
destroy_pool(tmp_pool);
return 0;
}
int proxy_ftp_xfer_prepare_active(int policy_id, cmd_rec *cmd,
const char *error_code, struct proxy_session *proxy_sess, int flags) {
int backend_family, bind_family, res, xerrno = 0;
cmd_rec *actv_cmd;
const pr_netaddr_t *bind_addr = NULL;
pr_response_t *resp;
unsigned int resp_nlines = 0;
conn_t *data_conn = NULL;
char *active_cmd;
const char *resp_msg = NULL;
if (cmd == NULL ||
error_code == NULL ||
proxy_sess == NULL ||
proxy_sess->backend_ctrl_conn == NULL) {
errno = EINVAL;
return -1;
}
switch (policy_id) {
case PR_CMD_PORT_ID:
active_cmd = C_PORT;
break;
case PR_CMD_EPRT_ID:
/* If the remote host does not mention EPRT in its features, fall back
* to using PORT.
*/
active_cmd = C_EPRT;
if (pr_table_get(proxy_sess->backend_features, C_EPRT, NULL) == NULL) {
pr_trace_msg(trace_channel, 19,
"EPRT not supported by backend server (via FEAT), using PORT");
if (proxy_sess->dataxfer_policy == PR_CMD_EPRT_ID) {
proxy_sess->dataxfer_policy = PR_CMD_PORT_ID;
}
active_cmd = C_PORT;
policy_id = PR_CMD_PORT_ID;
}
break;
default:
/* In this case, the cmd we were given is the one we should send to
* the backend server -- but only if it is either EPRT or PORT.
*/
if (pr_cmd_cmp(cmd, PR_CMD_EPRT_ID) != 0 &&
pr_cmd_cmp(cmd, PR_CMD_PORT_ID) != 0) {
pr_trace_msg(trace_channel, 9,
"illegal FTP active transfer command '%s'", (char *) cmd->argv[0]);
errno = EINVAL;
return -1;
}
active_cmd = cmd->argv[0];
if (pr_cmd_cmp(cmd, PR_CMD_EPRT_ID) == 0) {
/* If the remote host does not mention EPRT in its features, fall back
* to using PORT.
*/
if (pr_table_get(proxy_sess->backend_features, C_EPRT, NULL) == NULL) {
pr_trace_msg(trace_channel, 19,
"EPRT not supported by backend server (via FEAT), using PORT");
if (proxy_sess->dataxfer_policy == PR_CMD_EPRT_ID) {
proxy_sess->dataxfer_policy = PR_CMD_PORT_ID;
}
active_cmd = C_PORT;
policy_id = PR_CMD_PORT_ID;
}
}
break;
}
bind_addr = proxy_sess->src_addr;
if (bind_addr == NULL) {
bind_addr = session.c->local_addr;
}
if (pr_netaddr_is_loopback(bind_addr) == TRUE &&
pr_netaddr_is_loopback(proxy_sess->backend_ctrl_conn->remote_addr) != TRUE) {
const char *local_name;
const pr_netaddr_t *local_addr;
local_name = pr_netaddr_get_localaddr_str(cmd->pool);
local_addr = pr_netaddr_get_addr(cmd->pool, local_name, NULL);
if (local_addr != NULL) {
pr_trace_msg(trace_channel, 14,
"%s is a loopback address, using %s instead",
pr_netaddr_get_ipstr(bind_addr), pr_netaddr_get_ipstr(local_addr));
bind_addr = local_addr;
}
}
/* Need to check the family of the bind addr against the family of the
* backend server.
*/
backend_family = pr_netaddr_get_family(proxy_sess->backend_ctrl_conn->remote_addr);
bind_family = pr_netaddr_get_family(bind_addr);
if (bind_family == backend_family) {
#ifdef PR_USE_IPV6
if (pr_netaddr_use_ipv6()) {
/* Make sure that the family is NOT IPv6, even though the local and
* remote families match. The PORT command cannot be used for IPv6
* addresses -- but EPRT CAN be used for IPv6 addresses.
*/
if (bind_family == AF_INET6 &&
policy_id == PR_CMD_PORT_ID) {
pr_netaddr_t *mapped_addr;
mapped_addr = pr_netaddr_v6tov4(cmd->pool, bind_addr);
if (mapped_addr != NULL) {
pr_trace_msg(trace_channel, 9,
"converting local IPv6 address '%s' to IPv4 address '%s' for "
"active transfer using PORT", pr_netaddr_get_ipstr(bind_addr),
pr_netaddr_get_ipstr(mapped_addr));
bind_addr = mapped_addr;
}
}
}
#endif /* PR_USE_IPV6 */
} else {
if (backend_family == AF_INET) {
pr_netaddr_t *mapped_addr;
/* In this scenario, the remote peer is an IPv4 (or IPv4-mapped IPv6)
* peer, so make sure we use an IPv4 local address.
*/
mapped_addr = pr_netaddr_v6tov4(cmd->pool, bind_addr);
if (mapped_addr != NULL) {
pr_trace_msg(trace_channel, 9,
"converting local IPv6 address '%s' to IPv4 address '%s' for "
"active transfer with IPv4 peer", pr_netaddr_get_ipstr(bind_addr),
pr_netaddr_get_ipstr(mapped_addr));
bind_addr = mapped_addr;
}
}
}
if (proxy_sess->backend_data_conn != NULL) {
/* Make sure that we only have one backend data connection. */
proxy_inet_close(session.pool, proxy_sess->backend_data_conn);
proxy_sess->backend_data_conn = NULL;
}
data_conn = proxy_ftp_conn_listen(cmd->tmp_pool, bind_addr, FALSE);
if (data_conn == NULL) {
xerrno = errno;
pr_response_add_err(error_code,
_("Unable to build data connection: Internal error"));
pr_response_flush(&resp_err_list);
errno = xerrno;
return -1;
}
proxy_sess->backend_data_conn = data_conn;
switch (pr_cmd_get_id(active_cmd)) {
case PR_CMD_PORT_ID:
resp_msg = proxy_ftp_msg_fmt_addr(cmd->tmp_pool, data_conn->local_addr,
data_conn->local_port, FALSE);
break;
case PR_CMD_EPRT_ID:
resp_msg = proxy_ftp_msg_fmt_ext_addr(cmd->tmp_pool,
data_conn->local_addr, data_conn->local_port, PR_CMD_EPRT_ID, FALSE);
break;
}
actv_cmd = pr_cmd_alloc(cmd->tmp_pool, 2, active_cmd, resp_msg);
actv_cmd->arg = (char *) resp_msg;
pr_cmd_clear_cache(actv_cmd);
res = proxy_ftp_ctrl_send_cmd(cmd->tmp_pool, proxy_sess->backend_ctrl_conn,
actv_cmd);
if (res < 0) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error sending %s to backend: %s", (char *) actv_cmd->argv[0],
strerror(xerrno));
proxy_inet_close(session.pool, proxy_sess->backend_data_conn);
proxy_sess->backend_data_conn = NULL;
pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
strerror(xerrno));
pr_response_flush(&resp_err_list);
errno = xerrno;
return -1;
}
resp = proxy_ftp_ctrl_recv_resp(cmd->tmp_pool, proxy_sess->backend_ctrl_conn,
&resp_nlines, flags);
if (resp == NULL) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error receiving %s response from backend: %s",
(char *) actv_cmd->argv[0], strerror(xerrno));
proxy_inet_close(session.pool, proxy_sess->backend_data_conn);
proxy_sess->backend_data_conn = NULL;
pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
strerror(xerrno));
pr_response_flush(&resp_err_list);
errno = xerrno;
return -1;
}
if (resp->num[0] != '2') {
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"received non-2xx response from backend for %s: %s %s",
(char *) actv_cmd->argv[0], resp->num, resp->msg);
proxy_inet_close(session.pool, proxy_sess->backend_data_conn);
proxy_sess->backend_data_conn = NULL;
if (policy_id == PR_CMD_EPRT_ID) {
/* If using EPRT failed, try again using PORT, and switch the
* DataTransferPolicy (if EPRT) to be PORT, for future attempts.
*/
if (proxy_sess->dataxfer_policy == PR_CMD_EPRT_ID) {
pr_trace_msg(trace_channel, 15,
"falling back from EPRT to PORT DataTransferPolicy");
proxy_sess->dataxfer_policy = PR_CMD_PORT_ID;
}
return proxy_ftp_xfer_prepare_active(PR_CMD_PORT_ID, cmd,
error_code, proxy_sess, flags);
}
pr_response_add_err(error_code, "%s", resp->msg);
pr_response_flush(&resp_err_list);
errno = EINVAL;
return -1;
}
return 0;
}
const pr_netaddr_t *proxy_ftp_xfer_prepare_passive(int policy_id, cmd_rec *cmd,
const char *error_code, struct proxy_session *proxy_sess, int flags) {
int res, xerrno = 0;
cmd_rec *pasv_cmd;
const pr_netaddr_t *remote_addr = NULL;
pr_response_t *resp;
unsigned int resp_nlines = 0;
unsigned short remote_port;
char *passive_cmd, *passive_respcode = NULL;
if (cmd == NULL ||
error_code == NULL ||
proxy_sess == NULL ||
proxy_sess->backend_ctrl_conn == NULL) {
errno = EINVAL;
return NULL;
}
/* Whether we send a PASV (and expect 227) or an EPSV (and expect 229)
* need to depend on the policy_id.
*/
switch (policy_id) {
case PR_CMD_PASV_ID:
passive_cmd = C_PASV;
break;
case PR_CMD_EPSV_ID:
/* If the remote host does not mention EPSV in its features, fall back
* to using PASV.
*/
passive_cmd = C_EPSV;
if (pr_table_get(proxy_sess->backend_features, C_EPSV, NULL) == NULL) {
pr_trace_msg(trace_channel, 19,
"EPSV not supported by backend server (via FEAT), using PASV");
if (proxy_sess->dataxfer_policy == PR_CMD_EPSV_ID) {
proxy_sess->dataxfer_policy = PR_CMD_PASV_ID;
}
passive_cmd = C_PASV;
policy_id = PR_CMD_PASV_ID;
}
break;
default:
/* In this case, the cmd we were given is the one we should send to
* the backend server -- but only if it is either EPSV or PASV.
*/
if (pr_cmd_cmp(cmd, PR_CMD_EPSV_ID) != 0 &&
pr_cmd_cmp(cmd, PR_CMD_PASV_ID) != 0) {
pr_trace_msg(trace_channel, 9,
"illegal FTP passive transfer command '%s'", (char *) cmd->argv[0]);
errno = EINVAL;
return NULL;
}
passive_cmd = cmd->argv[0];
if (pr_cmd_cmp(cmd, PR_CMD_EPSV_ID) == 0) {
/* If the remote host does not mention EPSV in its features, fall back
* to using PASV.
*/
if (pr_table_get(proxy_sess->backend_features, C_EPSV, NULL) == NULL) {
pr_trace_msg(trace_channel, 19,
"EPSV not supported by backend server (via FEAT), using PASV");
if (proxy_sess->dataxfer_policy == PR_CMD_EPSV_ID) {
proxy_sess->dataxfer_policy = PR_CMD_PASV_ID;
}
passive_cmd = C_PASV;
policy_id = PR_CMD_PASV_ID;
}
}
break;
}
pasv_cmd = pr_cmd_alloc(cmd->tmp_pool, 1, passive_cmd);
switch (pr_cmd_get_id(pasv_cmd->argv[0])) {
case PR_CMD_PASV_ID:
passive_respcode = R_227;
break;
case PR_CMD_EPSV_ID:
passive_respcode = R_229;
break;
}
res = proxy_ftp_ctrl_send_cmd(cmd->tmp_pool, proxy_sess->backend_ctrl_conn,
pasv_cmd);
if (res < 0) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error sending %s to backend: %s", (char *) pasv_cmd->argv[0],
strerror(xerrno));
pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
strerror(xerrno));
pr_response_flush(&resp_err_list);
errno = xerrno;
return NULL;
}
resp = proxy_ftp_ctrl_recv_resp(cmd->tmp_pool, proxy_sess->backend_ctrl_conn,
&resp_nlines, flags);
if (resp == NULL) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error receiving %s response from backend: %s",
(char *) pasv_cmd->argv[0], strerror(xerrno));
pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
strerror(xerrno));
pr_response_flush(&resp_err_list);
errno = xerrno;
return NULL;
}
/* We specifically expect a 227 or 229 response code here; anything else is
* an error. Right?
*/
if (strncmp(resp->num, passive_respcode, 4) != 0) {
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"received response code %s, but expected %s for %s command", resp->num,
passive_respcode, (char *) pasv_cmd->argv[0]);
if (policy_id == PR_CMD_EPSV_ID) {
/* If using EPSV failed, try again using PASV, and switch the
* DataTransferPolicy (if EPSV) to be PASV, for future attempts.
*/
if (proxy_sess->dataxfer_policy == PR_CMD_EPSV_ID) {
pr_trace_msg(trace_channel, 15,
"falling back from EPSV to PASV DataTransferPolicy");
proxy_sess->dataxfer_policy = PR_CMD_PASV_ID;
}
return proxy_ftp_xfer_prepare_passive(PR_CMD_PASV_ID, cmd,
error_code, proxy_sess, flags);
}
res = proxy_ftp_ctrl_send_resp(cmd->tmp_pool,
proxy_sess->frontend_ctrl_conn, resp, resp_nlines);
errno = EPERM;
return NULL;
}
switch (pr_cmd_get_id(pasv_cmd->argv[0])) {
case PR_CMD_PASV_ID:
remote_addr = proxy_ftp_msg_parse_addr(cmd->tmp_pool, resp->msg,
pr_netaddr_get_family(session.c->local_addr));
break;
case PR_CMD_EPSV_ID:
remote_addr = proxy_ftp_msg_parse_ext_addr(cmd->tmp_pool, resp->msg,
session.c->remote_addr, PR_CMD_EPSV_ID, NULL);
break;
}
if (remote_addr == NULL) {
xerrno = errno;
pr_trace_msg(trace_channel, 2, "error parsing %s response '%s': %s",
(char *) pasv_cmd->argv[0], resp->msg, strerror(xerrno));
xerrno = EPERM;
pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
strerror(xerrno));
pr_response_flush(&resp_err_list);
errno = xerrno;
return NULL;
}
remote_port = ntohs(pr_netaddr_get_port(remote_addr));
/* Make sure that the given address matches the address to which we
* originally connected.
*/
if (pr_netaddr_cmp(remote_addr,
proxy_sess->backend_ctrl_conn->remote_addr) != 0) {
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"Refused %s address %s (address mismatch with %s)",
(char *) pasv_cmd->argv[0], pr_netaddr_get_ipstr(remote_addr),
pr_netaddr_get_ipstr(proxy_sess->backend_ctrl_conn->remote_addr));
xerrno = EPERM;
pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
strerror(xerrno));
pr_response_flush(&resp_err_list);
errno = xerrno;
return NULL;
}
if (remote_port < 1024) {
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"Refused %s port %hu (below 1024)",
(char *) pasv_cmd->argv[0], remote_port);
xerrno = EPERM;
pr_response_add_err(error_code, "%s: %s", (char *) cmd->argv[0],
strerror(xerrno));
pr_response_flush(&resp_err_list);
errno = xerrno;
return NULL;
}
return remote_addr;
}
static int forward_handle_user_passthru(cmd_rec *cmd,
struct proxy_session *proxy_sess, int *successful, int flags) {
int res, xerrno;
char *user = NULL;
cmd_rec *user_cmd = NULL;
pr_response_t *resp = NULL;
unsigned int resp_nlines = 0;
if (flags & PROXY_FORWARD_USER_PASSTHRU_FL_PARSE_DSTADDR) {
struct proxy_conn *pconn = NULL;
pr_netaddr_t *remote_addr = NULL;
array_header *other_addrs = NULL;
res = forward_cmd_parse_dst(cmd->tmp_pool, cmd->arg, &user, &pconn);
if (res < 0) {
errno = EINVAL;
return -1;
}
remote_addr = proxy_conn_get_addr(pconn, &other_addrs);
/* Ensure that the requested remote address is NOT (blatantly) ourselves,
* i.e. the proxy itself. This prevents easy-to-detect proxy loops.
*/
if (pr_netaddr_cmp(remote_addr, session.c->local_addr) == 0 &&
pr_netaddr_get_port(remote_addr) == pr_netaddr_get_port(session.c->local_addr)) {
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"requested destination %s#%u is local address %s#%u, rejecting",
pr_netaddr_get_ipstr(remote_addr),
ntohs(pr_netaddr_get_port(remote_addr)),
pr_netaddr_get_ipstr(session.c->local_addr),
ntohs(pr_netaddr_get_port(session.c->local_addr)));
pr_response_send(R_530, _("Unable to connect to %s: %s"),
proxy_conn_get_hostport(pconn), strerror(EPERM));
return 1;
}
proxy_sess->dst_addr = remote_addr;
proxy_sess->other_addrs = other_addrs;
proxy_sess->dst_pconn = pconn;
/* Change the command so that it no longer includes the proxy info. */
user_cmd = pr_cmd_alloc(cmd->pool, 2, C_USER, user);
user_cmd->arg = user;
} else {
user_cmd = cmd;
}
if (flags & PROXY_FORWARD_USER_PASSTHRU_FL_CONNECT_DSTADDR) {
pr_response_t *banner = NULL;
unsigned int banner_nlines = 0;
res = forward_connect(proxy_pool, proxy_sess, &banner, &banner_nlines);
if (res < 0) {
xerrno = errno;
*successful = FALSE;
/* Send a failed USER response to our waiting frontend client, but do
* not necessarily close the frontend connection.
*/
resp = pcalloc(cmd->tmp_pool, sizeof(pr_response_t));
resp->num = R_530;
if (banner != NULL) {
resp->msg = banner->msg;
resp_nlines = banner_nlines;
} else {
resp->msg = pstrcat(cmd->tmp_pool, "Unable to connect to ",
proxy_conn_get_hostport(proxy_sess->dst_pconn), ": ",
strerror(xerrno), NULL);
resp_nlines = 1;
}
res = proxy_ftp_ctrl_send_resp(cmd->tmp_pool,
proxy_sess->frontend_ctrl_conn, resp, resp_nlines);
if (res < 0) {
xerrno = errno;
pr_response_block(TRUE);
errno = xerrno;
return -1;
}
return 1;
}
}
res = proxy_ftp_ctrl_send_cmd(cmd->tmp_pool, proxy_sess->backend_ctrl_conn,
user_cmd);
if (res < 0) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error sending %s to backend: %s", (char *) user_cmd->argv[0],
strerror(xerrno));
errno = xerrno;
return -1;
}
resp = proxy_ftp_ctrl_recv_resp(cmd->tmp_pool, proxy_sess->backend_ctrl_conn,
&resp_nlines);
if (resp == NULL) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error receiving %s response from backend: %s", (char *) cmd->argv[0],
strerror(xerrno));
errno = xerrno;
return -1;
}
if (resp->num[0] == '2' ||
resp->num[0] == '3') {
*successful = TRUE;
if (strcmp(resp->num, R_232) == 0) {
proxy_sess_state |= PROXY_SESS_STATE_BACKEND_AUTHENTICATED;
pr_timer_remove(PR_TIMER_LOGIN, ANY_MODULE);
}
}
/* XXX TODO: Concatenate the banner from the connect with the USER response
* message here, and send the entire kit to the frontend client, e.g.:
*
* Name (gatekeeper:you): [email protected]
* 331-(----GATEWAY CONNECTED TO ftp.uu.net----)
* 331-(220 ftp.uu.net FTP server (SunOS 4.1) ready.
* 331 Guest login ok, send ident as password.
* Password: ######
* 230 Guest login ok, access restrictions apply.
* ftp> dir
*/
res = proxy_ftp_ctrl_send_resp(cmd->tmp_pool, proxy_sess->frontend_ctrl_conn,
resp, resp_nlines);
if (res < 0) {
xerrno = errno;
pr_response_block(TRUE);
errno = xerrno;
return -1;
}
return 1;
}
static int forward_connect(pool *p, struct proxy_session *proxy_sess,
pr_response_t **resp, unsigned int *resp_nlines) {
conn_t *server_conn = NULL;
int banner_ok = TRUE, use_tls, xerrno = 0;
pr_netaddr_t *dst_addr;
array_header *other_addrs = NULL;
dst_addr = proxy_sess->dst_addr;
other_addrs = proxy_sess->other_addrs;
server_conn = proxy_conn_get_server_conn(p, proxy_sess, dst_addr);
if (server_conn == NULL) {
xerrno = errno;
if (other_addrs != NULL) {
register unsigned int i;
/* Try the other IP addresses for the requested name (if any) as well. */
for (i = 0; i < other_addrs->nelts; i++) {
dst_addr = ((pr_netaddr_t **) other_addrs->elts)[i];
pr_trace_msg(trace_channel, 8,
"attempting to connect to other address #%u (%s) for requested "
"URI '%.100s'", i+1, pr_netaddr_get_ipstr(dst_addr),
proxy_conn_get_uri(proxy_sess->dst_pconn));
server_conn = proxy_conn_get_server_conn(p, proxy_sess, dst_addr);
if (server_conn != NULL) {
proxy_sess->dst_addr = dst_addr;
break;
}
}
}
if (server_conn == NULL) {
xerrno = errno;
/* EINVALs lead to strange-looking error responses; change them to
* EPERM.
*/
if (xerrno == EINVAL) {
xerrno = EPERM;
}
}
errno = xerrno;
return -1;
}
/* XXX Support/send a CLNT command of our own? Configurable via e.g.
* "UserAgent" string?
*/
proxy_sess->frontend_ctrl_conn = session.c;
proxy_sess->backend_ctrl_conn = server_conn;
/* Read the response from the backend server. */
*resp = proxy_ftp_ctrl_recv_resp(p, proxy_sess->backend_ctrl_conn,
resp_nlines);
if (*resp == NULL) {
xerrno = errno;
pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"unable to read banner from server %s:%u: %s",
pr_netaddr_get_ipstr(proxy_sess->backend_ctrl_conn->remote_addr),
ntohs(pr_netaddr_get_port(proxy_sess->backend_ctrl_conn->remote_addr)),
strerror(xerrno));
errno = EPERM;
return -1;
}
if ((*resp)->num[0] != '2') {
banner_ok = FALSE;
}
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"received banner from backend %s:%u%s: %s %s",
pr_netaddr_get_ipstr(proxy_sess->backend_ctrl_conn->remote_addr),
ntohs(pr_netaddr_get_port(proxy_sess->backend_ctrl_conn->remote_addr)),
banner_ok ? "" : ", DISCONNECTING", (*resp)->num, (*resp)->msg);
if (banner_ok == FALSE) {
pr_inet_close(p, proxy_sess->backend_ctrl_conn);
proxy_sess->backend_ctrl_conn = NULL;
errno = EPERM;
return -1;
}
/* Get the features supported by the backend server */
if (proxy_ftp_sess_get_feat(p, proxy_sess) < 0) {
if (errno != EPERM) {
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"unable to determine features of backend server: %s", strerror(errno));
}
}
use_tls = proxy_tls_use_tls();
if (use_tls != PROXY_TLS_ENGINE_OFF) {
if (proxy_ftp_sess_send_auth_tls(p, proxy_sess) < 0) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error enabling TLS on control connection to backend server: %s",
strerror(xerrno));
pr_inet_close(p, proxy_sess->backend_ctrl_conn);
proxy_sess->backend_ctrl_conn = NULL;
*resp = NULL;
errno = xerrno;
return -1;
}
}
if (proxy_netio_postopen(server_conn->instrm) < 0) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"postopen error for backend control connection input stream: %s",
strerror(xerrno));
proxy_inet_close(session.pool, server_conn);
proxy_sess->backend_ctrl_conn = NULL;
*resp = NULL;
errno = xerrno;
return -1;
}
if (proxy_netio_postopen(server_conn->outstrm) < 0) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"postopen error for backend control connection output stream: %s",
strerror(xerrno));
proxy_inet_close(session.pool, server_conn);
proxy_sess->backend_ctrl_conn = NULL;
*resp = NULL;
errno = xerrno;
return -1;
}
if (use_tls != PROXY_TLS_ENGINE_OFF) {
if (proxy_sess_state & PROXY_SESS_STATE_BACKEND_HAS_CTRL_TLS) {
/* NOTE: should this be a fatal error? */
(void) proxy_ftp_sess_send_pbsz_prot(p, proxy_sess);
}
}
(void) proxy_ftp_sess_send_host(p, proxy_sess);
proxy_sess_state |= PROXY_SESS_STATE_CONNECTED;
return 0;
}
int proxy_ftp_ctrl_handle_async(pool *p, conn_t *backend_conn,
conn_t *frontend_conn) {
if (!(proxy_sess_state & PROXY_SESS_STATE_CONNECTED)) {
/* Nothing to do if we're not yet connected to the backend server. */
return 0;
}
while (TRUE) {
fd_set rfds;
struct timeval tv;
int ctrlfd, res, xerrno = 0;
/* By using a timeout of zero, we effect a poll on the fd. */
tv.tv_sec = 0;
tv.tv_usec = 0;
pr_signals_handle();
FD_ZERO(&rfds);
ctrlfd = PR_NETIO_FD(backend_conn->instrm);
FD_SET(ctrlfd, &rfds);
res = select(ctrlfd + 1, &rfds, NULL, NULL, &tv);
if (res < 0) {
xerrno = errno;
if (xerrno == EINTR) {
pr_signals_handle();
continue;
}
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error calling select(2) on backend control connection (fd %d): %s",
ctrlfd, strerror(xerrno));
return 0;
}
if (res == 0) {
/* Nothing there. */
break;
}
pr_trace_msg(trace_channel, 19,
"select(2) reported %d for backend %s (fd %d)", res,
backend_conn->remote_name, ctrlfd);
if (FD_ISSET(ctrlfd, &rfds)) {
unsigned int resp_nlines = 0;
pr_response_t *resp;
pr_timer_reset(PR_TIMER_IDLE, ANY_MODULE);
pr_trace_msg(trace_channel, 9, "reading async response from backend %s",
backend_conn->remote_name);
resp = proxy_ftp_ctrl_recv_resp(p, backend_conn, &resp_nlines);
if (resp == NULL) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error receiving response from backend control connection: %s",
strerror(xerrno));
errno = xerrno;
return -1;
}
res = proxy_ftp_ctrl_send_resp(p, frontend_conn, resp, resp_nlines);
if (res < 0) {
xerrno = errno;
(void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
"error sending response to frontend control connection: %s",
strerror(xerrno));
errno = xerrno;
return -1;
}
}
break;
}
return 0;
}