X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=507a18d1c54ad000578f1f5c06344a5336b57b70;hb=9f104f23e70b190d3b45555b12e540d0788e14e5;hp=28f2e699f1d68ae2a41e7d3a36c4cf0f3adb03c1;hpb=28bc2ca1129818da944dcd5f2073cffdc497065c;p=tlsproxy%2Ftlsproxy.git diff --git a/src/connection.c b/src/connection.c index 28f2e69..507a18d 100644 --- a/src/connection.c +++ b/src/connection.c @@ -59,7 +59,7 @@ static int initialize_tls_session_client(int peer_socket, static int initialize_tls_session_server(int peer_socket, gnutls_session_t *session, gnutls_certificate_credentials_t *x509_cred); -static int initialize_tls_session_both(int flags, +static int initialize_tls_session_both(unsigned int flags, int peer_socket, gnutls_session_t *session, gnutls_certificate_credentials_t *x509_cred); @@ -138,18 +138,18 @@ void handle_connection(int client_socket) { send_bad_request(client_fd_write); goto out; } else if (result == -3) { - LOG(DEBUG1, "read_http_request(): proxy authentication failed"); + LOG(WARNING, "read_http_request(): proxy authentication failed"); send_authentication_required(client_fd_write); goto out; } if (parse_request(buffer, host, port, &version_minor) != 0) { - LOG(WARNING, "bad request: %s", buffer); + LOG(WARNING, "bad request: >%s<", buffer); send_bad_request(client_fd_write); goto out; } - LOG(DEBUG1, "target: %s:%s (HTTP 1.%d)", host, port, version_minor); + LOG(DEBUG2, "target: %s:%s (HTTP 1.%d)", host, port, version_minor); /* Connect to proxy server or directly to server. */ if (global_proxy_host != NULL && global_proxy_port != NULL) { @@ -406,6 +406,11 @@ static int initialize_tls_session_client(int peer_socket, PROXY_CA_PATH); gnutls_certificate_free_credentials(*x509_cred); return -1; + } else if (result != 1) { + /* Must contain only one CA, our proxy CA. */ + LOG(ERROR, "initialize_tls_session_client(): multiple CAs found"); + gnutls_certificate_free_credentials(*x509_cred); + return -1; } } /* If the invalid hostname was specified do nothing, we use a self-signed @@ -457,28 +462,27 @@ static int initialize_tls_session_server(int peer_socket, return initialize_tls_session_both(GNUTLS_CLIENT, peer_socket, session, x509_cred); } -static int initialize_tls_session_both(int flags, +static int initialize_tls_session_both(unsigned int flags, int peer_socket, gnutls_session_t *session, gnutls_certificate_credentials_t *x509_cred) { int result; + *session = NULL; + result = gnutls_init(session, flags); if (result != GNUTLS_E_SUCCESS) { LOG(ERROR, "initialize_tls_session_both(): gnutls_init(): %s", gnutls_strerror(result)); - gnutls_certificate_free_credentials(*x509_cred); - return -1; + goto err; } result = gnutls_priority_set(*session, global_tls_priority_cache); if (result != GNUTLS_E_SUCCESS) { LOG(ERROR, "initialize_tls_session_both(): gnutls_priority_set(): %s", gnutls_strerror(result)); - gnutls_deinit(*session); - gnutls_certificate_free_credentials(*x509_cred); - return -1; + goto err; } result = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, *x509_cred); @@ -486,14 +490,24 @@ static int initialize_tls_session_both(int flags, LOG(ERROR, "initialize_tls_session_both(): gnutls_credentials_set(): %s", gnutls_strerror(result)); - gnutls_deinit(*session); - gnutls_certificate_free_credentials(*x509_cred); - return -1; + goto err; } +#ifdef HAVE_GNUTLS_TRANSPORT_SET_INT2 + /* gnutls_transport_set_int() is a macro. */ + gnutls_transport_set_int(*session, peer_socket); +#else gnutls_transport_set_ptr(*session, (gnutls_transport_ptr_t)peer_socket); +#endif return 0; + +err: + if (*session) { + gnutls_deinit(*session); + } + gnutls_certificate_free_credentials(*x509_cred); + return -1; } @@ -537,14 +551,14 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) { while (fgets(buffer, sizeof(buffer), client_fd) != NULL) { const char *authentication = "Proxy-Authorization: Basic "; - if (http_digest_authorization != NULL + if (global_http_digest_authorization != NULL && !strncmp(buffer, authentication, strlen(authentication))) { found_proxy_authorization = 1; /* Check if the passphrase matches. */ strtok(buffer, "\r\n"); if (strcmp(buffer + strlen(authentication), - http_digest_authorization)) { + global_http_digest_authorization)) { return -3; } } @@ -557,9 +571,11 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) { if (ferror(client_fd)) { LOG_PERROR(WARNING, "read_http_request(): fgets()"); return -1; + } else if (feof(client_fd)) { + return -2; } - if (http_digest_authorization != NULL && !found_proxy_authorization) { + if (global_http_digest_authorization != NULL && !found_proxy_authorization) { return -3; } @@ -612,7 +628,7 @@ static void transfer_data(int client, int server) { fds[1].events = POLLIN | POLLPRI | POLLHUP | POLLERR; fds[1].revents = 0; - LOG(DEBUG1, "transfer_data(): %d -> %d", client, server); + LOG(DEBUG2, "transfer_data(): %d -> %d", client, server); for (;;) { int result = poll(fds, 2 /* fd count */, -1 /* no timeout */); @@ -697,7 +713,7 @@ static void transfer_data_tls(int client, int server, if (gnutls_record_get_max_size(server_session) < buffer_size) { buffer_size = gnutls_record_get_max_size(server_session); } - LOG(DEBUG1, "transfer_data_tls(): suggested buffer size: %ld", + LOG(DEBUG2, "transfer_data_tls(): suggested buffer size: %ld", (long int)buffer_size); for (;;) {