X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=184ee5a4231a302ee520dfecb05b845cdde0e4bb;hb=7eba49d24d56288d83746f3f0ce383d7c0c36552;hp=54752aceae38a547dd80f5bcacd7e549ac459c6e;hpb=e4f2d047eeb0750c7126bd6e3300cd4eab996437;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/connection.c b/src/connection.c
index 54752ac..184ee5a 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1,7 +1,7 @@
 /*
  * Handle connections.
  *
- * Copyright (C) 2011-2013  Simon Ruderich
+ * Copyright (C) 2011-2014  Simon Ruderich
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -26,6 +26,7 @@
 #include <limits.h>
 #include <netdb.h>
 #include <poll.h>
+#include <sys/socket.h>
 #include <unistd.h>
 
 #include <gnutls/x509.h>
@@ -206,7 +207,7 @@ void handle_connection(int client_socket) {
     LOG(DEBUG1, "connection to server established");
 
     /* If the -u option is used and we don't know this hostname's server
-     * certificate then just pass through the connection and let the client
+     * certificate, then just pass through the connection and let the client
      * verify the server certificate. */
     if (global_passthrough_unknown) {
         char path[TLSPROXY_MAX_PATH_LENGTH];
@@ -617,6 +618,7 @@ static void tls_send_invalid_cert_message(gnutls_session_t session) {
     const char msg[]   = "Server certificate validation failed, check logs.";
 
     int result;
+    ssize_t size_written;
     char buffer[sizeof(HTTP_RESPONSE_FORMAT)
                 + 3 * sizeof(error) + sizeof(msg)];
 
@@ -624,7 +626,13 @@ static void tls_send_invalid_cert_message(gnutls_session_t session) {
                                               error, "", error, error, msg);
     assert(result > 0 && (size_t)result < sizeof(buffer));
 
-    gnutls_record_send(session, buffer, strlen(buffer));
+    size_written = gnutls_record_send(session, buffer, strlen(buffer));
+    if (size_written < 0) {
+        LOG(WARNING, "tls_send_invalid_cert_message(): "
+                     "gnutls_record_send(): %s",
+                     gnutls_strerror((int)size_written));
+    }
+    /* Just an error message, no need to check if everything was written. */
 }
 
 
@@ -696,8 +704,8 @@ static int read_from_write_to(int from, int to) {
         return -1;
     }
     if (size_read != size_written) {
-        LOG(ERROR, "read_from_write_to(): only written %ld of %ld bytes!",
-                   (long int)size_written, (long int)size_read);
+        LOG(ERROR, "read_from_write_to(): only written %zu of %zu bytes!",
+                   size_written, size_read);
         return -1;
     }
 
@@ -724,8 +732,8 @@ static void transfer_data_tls(int client, int server,
     if (gnutls_record_get_max_size(server_session) < buffer_size) {
         buffer_size = gnutls_record_get_max_size(server_session);
     }
-    LOG(DEBUG2, "transfer_data_tls(): suggested buffer size: %ld",
-                (long int)buffer_size);
+    LOG(DEBUG2, "transfer_data_tls(): suggested buffer size: %zu",
+                buffer_size);
 
     for (;;) {
         int result = poll(fds, 2 /* fd count */, -1 /* no timeout */);
@@ -771,13 +779,29 @@ static int read_from_write_to_tls(gnutls_session_t from,
     char buffer[16384]; /* GnuTLS default maximum */
 
     if (buffer_size > sizeof(buffer)) {
-        LOG(WARNING, "read_from_write_to_tls(): reduced buffer size to %ld",
-                     (long int)(sizeof(buffer)));
+        LOG(WARNING, "read_from_write_to_tls(): reduced buffer size to %zu",
+                     sizeof(buffer));
         buffer_size = sizeof(buffer);
     }
 
     size_read = gnutls_record_recv(from, buffer, buffer_size);
     if (size_read < 0) {
+        /* Allow rehandshakes. As handshakes might be insecure make sure that
+         * %SAFE_RENEGOTIATION is used in GnuTLS's priority string. */
+        if (size_read == GNUTLS_E_REHANDSHAKE) {
+            int result;
+
+            LOG(DEBUG1, "server requested TLS rehandshake");
+
+            result = gnutls_handshake(from);
+            if (result != GNUTLS_E_SUCCESS) {
+                LOG(WARNING, "server TLS rehandshake failed: %s",
+                             gnutls_strerror(result));
+                return -1;
+            }
+            return 0;
+        }
+
         LOG(WARNING, "read_from_write_to_tls(): gnutls_record_recv(): %s",
                      gnutls_strerror((int)size_read));
         return -1;
@@ -793,8 +817,8 @@ static int read_from_write_to_tls(gnutls_session_t from,
         return -1;
     }
     if (size_read != size_written) {
-        LOG(ERROR, "read_from_write_to_tls(): only written %ld of %ld bytes!",
-                   (long int)size_written, (long int)size_read);
+        LOG(ERROR, "read_from_write_to_tls(): only written %zu of %zu bytes!",
+                   size_written, size_read);
         return -1;
     }
 
@@ -820,8 +844,10 @@ static int connect_to_host(const char *hostname, const char *port) {
     gai_hints.ai_socktype = SOCK_STREAM;
     gai_hints.ai_protocol = 0;
     gai_hints.ai_flags    = AI_NUMERICSERV /* given port is numeric */
+#ifdef AI_ADDRCONFIG
                           | AI_ADDRCONFIG  /* supported by this computer */
-                          | AI_V4MAPPED;   /* support IPv4 through IPv6 */
+#endif
+                          ;
     gai_return = getaddrinfo(hostname, port, &gai_hints, &gai_result);
     if (gai_return != 0) {
         if (gai_return == EAI_SYSTEM) {