X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=4a9b40d4af51d5e2e3347fd3cdbbcf279b79c565;hb=d591fce15342d7998fcd77c2b282ee2cfc5dfa22;hp=a860a494c2b18e7d1bbe04b9f8902d7d77b83272;hpb=075cfe8260e8924bc62f08980e7034e439dddbcf;p=tlsproxy%2Ftlsproxy.git diff --git a/src/connection.c b/src/connection.c index a860a49..4a9b40d 100644 --- a/src/connection.c +++ b/src/connection.c @@ -59,7 +59,7 @@ static int initialize_tls_session_client(int peer_socket, static int initialize_tls_session_server(int peer_socket, gnutls_session_t *session, gnutls_certificate_credentials_t *x509_cred); -static int initialize_tls_session_both(int flags, +static int initialize_tls_session_both(unsigned int flags, int peer_socket, gnutls_session_t *session, gnutls_certificate_credentials_t *x509_cred); @@ -138,7 +138,7 @@ void handle_connection(int client_socket) { send_bad_request(client_fd_write); goto out; } else if (result == -3) { - LOG(DEBUG1, "read_http_request(): proxy authentication failed"); + LOG(WARNING, "read_http_request(): proxy authentication failed"); send_authentication_required(client_fd_write); goto out; } @@ -149,7 +149,7 @@ void handle_connection(int client_socket) { goto out; } - LOG(DEBUG1, "target: %s:%s (HTTP 1.%d)", host, port, version_minor); + LOG(DEBUG2, "target: %s:%s (HTTP 1.%d)", host, port, version_minor); /* Connect to proxy server or directly to server. */ if (global_proxy_host != NULL && global_proxy_port != NULL) { @@ -192,7 +192,7 @@ void handle_connection(int client_socket) { /* Check response of proxy server. */ if (strncmp(buffer, "HTTP/1.0 200", 12)) { - LOG(WARNING, "bad proxy response: %s", buffer); + LOG(WARNING, "bad proxy response: >%s<", buffer); send_forwarding_failure(client_fd_write); goto out; } @@ -406,6 +406,11 @@ static int initialize_tls_session_client(int peer_socket, PROXY_CA_PATH); gnutls_certificate_free_credentials(*x509_cred); return -1; + } else if (result != 1) { + /* Must contain only one CA, our proxy CA. */ + LOG(ERROR, "initialize_tls_session_client(): multiple CAs found"); + gnutls_certificate_free_credentials(*x509_cred); + return -1; } } /* If the invalid hostname was specified do nothing, we use a self-signed @@ -457,7 +462,7 @@ static int initialize_tls_session_server(int peer_socket, return initialize_tls_session_both(GNUTLS_CLIENT, peer_socket, session, x509_cred); } -static int initialize_tls_session_both(int flags, +static int initialize_tls_session_both(unsigned int flags, int peer_socket, gnutls_session_t *session, gnutls_certificate_credentials_t *x509_cred) { @@ -566,6 +571,8 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) { if (ferror(client_fd)) { LOG_PERROR(WARNING, "read_http_request(): fgets()"); return -1; + } else if (feof(client_fd)) { + return -2; } if (global_http_digest_authorization != NULL && !found_proxy_authorization) { @@ -621,7 +628,7 @@ static void transfer_data(int client, int server) { fds[1].events = POLLIN | POLLPRI | POLLHUP | POLLERR; fds[1].revents = 0; - LOG(DEBUG1, "transfer_data(): %d -> %d", client, server); + LOG(DEBUG2, "transfer_data(): %d -> %d", client, server); for (;;) { int result = poll(fds, 2 /* fd count */, -1 /* no timeout */); @@ -706,7 +713,7 @@ static void transfer_data_tls(int client, int server, if (gnutls_record_get_max_size(server_session) < buffer_size) { buffer_size = gnutls_record_get_max_size(server_session); } - LOG(DEBUG1, "transfer_data_tls(): suggested buffer size: %ld", + LOG(DEBUG2, "transfer_data_tls(): suggested buffer size: %ld", (long int)buffer_size); for (;;) {