src/connection.c: Send HTML in error messages.

[tlsproxy/tlsproxy.git] / src / connection.c

diff --git a/src/connection.c b/src/connection.c
index 0f491e2011c0447adbcd2dbf6c7190c38c0ea674..af14477cb71592c9dd1dcc90d75ef71d37e75db2 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -36,6 +36,22 @@
  * should be a good limit to make processing simpler. */
 #define MAX_REQUEST_LINE 4096
 
+/* Format string used to send HTTP/1.0 error responses to the client.
+ *
+ * %s is used 4 times, first three are the error code (no %n$s!), the last is
+ * the message. */
+#define HTTP_RESPONSE_FORMAT "HTTP/1.0 %s\r\n\
+Content-Type: text/html; charset=US-ASCII\r\n\
+\r\n\
+<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n\
+<html>\n\
+<head><title>%s</title></head>\n\
+<body>\n\
+<h1>%s</h1>\n\
+<p>%s</p>\n\
+</body>\n\
+</html>\n"
+
 
 static int initialize_tls_session_client(int peer_socket,
         const char *hostname,
@@ -50,10 +66,8 @@ static void send_bad_request(FILE *client_fd);
 static void send_forwarding_failure(FILE *client_fd);
 static void tls_send_invalid_cert_message(gnutls_session_t session);
 
-#if 0
 static void transfer_data(int client, int server);
 static int read_from_write_to(int from, int to);
-#endif
 static void transfer_data_tls(int client, int server,
                               gnutls_session_t client_session,
                               gnutls_session_t server_session);
@@ -179,6 +193,35 @@ void handle_connection(int client_socket) {
 
     LOG(LOG_DEBUG, "connection to server established");
 
+    /* If the -u option is used and we don't know this hostname's server
+     * certificate then just pass through the connection and let the client
+     * verify the server certificate. */
+    if (global_passthrough_unknown) {
+        char path[1024];
+        FILE *file = NULL;
+
+        if (-2 == server_certificate_path(&file, host, path, sizeof(path))) {
+            /* We've established a connection, tell the client. */
+            fprintf(client_fd, "HTTP/1.0 200 Connection established\r\n");
+            fprintf(client_fd, "\r\n");
+            fflush(client_fd);
+
+            LOG(LOG_DEBUG, "transferring data");
+
+            /* Proxy data between client and server until one suite is done
+             * (EOF or error). */
+            transfer_data(client_socket, server_socket);
+
+            LOG(LOG_DEBUG, "finished transferring data");
+
+            goto out;
+        }
+        /* server_certificate_path() may open the file, close it. */
+        if (NULL != file) {
+            fclose(file);
+        }
+    }
+
     result = initialize_tls_session_server(server_socket, &server_session,
                                                           &server_x509_cred);
     /* Initialize TLS client credentials to talk to the server. */
@@ -253,14 +296,14 @@ void handle_connection(int client_socket) {
         goto out;
     }
 
-    LOG(LOG_DEBUG, "transferring data");
+    LOG(LOG_DEBUG, "transferring TLS data");
 
     /* Proxy data between client and server until one suite is done (EOF or
      * error). */
     transfer_data_tls(client_socket, server_socket,
                       client_session, server_session);
 
-    LOG(LOG_DEBUG, "finished transferring data");
+    LOG(LOG_DEBUG, "finished transferring TLS data");
 
 out:
     /* Close TLS sessions if necessary. Use GNUTLS_SHUT_RDWR so the data is
@@ -491,20 +534,44 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) {
 }
 
 static void send_bad_request(FILE *client_fd) {
-    fprintf(client_fd, "HTTP/1.0 400 Bad Request\r\n");
-    fprintf(client_fd, "\r\n");
+#define RESPONSE_ERROR "400 Bad Request"
+#define RESPONSE_MSG   "Your browser sent an invalid request."
+    fprintf(client_fd, HTTP_RESPONSE_FORMAT,
+                       RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR,
+                       RESPONSE_MSG);
+#undef RESPONSE_ERROR
+#undef RESPONSE_MSG
 }
 static void send_forwarding_failure(FILE *client_fd) {
-    fprintf(client_fd, "HTTP/1.0 503 Forwarding failure\r\n");
-    fprintf(client_fd, "\r\n");
+#define RESPONSE_ERROR "503 Forwarding failure"
+#define RESPONSE_MSG   "Failed to connect to server, check logs."
+    fprintf(client_fd, HTTP_RESPONSE_FORMAT,
+                       RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR,
+                       RESPONSE_MSG);
+#undef RESPONSE_ERROR
+#undef RESPONSE_MSG
 }
 static void tls_send_invalid_cert_message(gnutls_session_t session) {
-    gnutls_record_send(session, "HTTP/1.0 500 Internal Server Error\r\n", 36);
-    gnutls_record_send(session, "\r\n", 2);
+#define RESPONSE_ERROR "500 Internal Server Error"
+#define RESPONSE_MSG   "Server certificate validation failed, check logs."
+
+    char buffer[sizeof(HTTP_RESPONSE_FORMAT) - 1 /* '\0' */
+                                             - 4 * 2 /* four %s */
+                + (sizeof(RESPONSE_ERROR) - 1 /* '\0' */) * 3
+                + sizeof(RESPONSE_MSG)    - 1 /* '\0' */
+                + 1 /* '\0' */];
+
+    snprintf(buffer, sizeof(buffer),
+             HTTP_RESPONSE_FORMAT,
+             RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_MSG);
+
+    gnutls_record_send(session, buffer, sizeof(buffer) - 1);
+                                        /* don't send trailing '\0' */
+#undef RESPONSE_ERROR
+#undef RESPONSE_MSG
 }
 
 
-#if 0
 /* Transfer data between client and server sockets until one closes the
  * connection. */
 static void transfer_data(int client, int server) {
@@ -556,6 +623,8 @@ static int read_from_write_to(int from, int to) {
     ssize_t size_written;
     char buffer[4096];
 
+    LOG(LOG_DEBUG, "read_from_write_to(): %d -> %d", from, to);
+
     size_read = read(from, buffer, sizeof(buffer));
     if (0 > size_read) {
         LOG_PERROR(LOG_WARNING, "read_from_write_to(): read()");
@@ -579,7 +648,6 @@ static int read_from_write_to(int from, int to) {
 
     return 0;
 }
-#endif
 
 /* Transfer data between client and server TLS connection until one closes the
  * connection. */