X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=b7b9d683d6e6840af314dc2d87a4a049f06aa050;hb=19b4321866194060cfc28419d52531a924f1b986;hp=7f2071a7975340737e68acdd06237ae759e4d5ca;hpb=8b2ed4a58229f9b377f3a4ae74af36c31c5db1c0;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/connection.c b/src/connection.c
index 7f2071a..b7b9d68 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -21,6 +21,7 @@
 #include "connection.h"
 #include "verify.h"
 
+#include <assert.h>
 #include <errno.h>
 #include <netdb.h>
 #include <poll.h>
@@ -35,11 +36,11 @@
 
 /* Format string used to send HTTP/1.0 error responses to the client.
  *
- * %s is used 4 times, first three are the error code (no %n$s!), the last is
- * the message. */
+ * %s is used 5 times, first is the error code, then additional headers, next
+ * two are the error code (no %n$s!), the last is the message. */
 #define HTTP_RESPONSE_FORMAT "HTTP/1.0 %s\r\n\
 Content-Type: text/html; charset=US-ASCII\r\n\
-\r\n\
+%s\r\n\
 <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n\
 <html>\n\
 <head><title>%s</title></head>\n\
@@ -61,6 +62,7 @@ static int initialize_tls_session_server(int peer_socket,
 static int fdopen_read_write(int socket, FILE **read_fd, FILE **write_fd);
 static int read_http_request(FILE *client_fd, char *request, size_t length);
 static void send_bad_request(FILE *client_fd);
+static void send_authentication_required(FILE *client_fd);
 static void send_forwarding_failure(FILE *client_fd);
 static void tls_send_invalid_cert_message(gnutls_session_t session);
 
@@ -130,6 +132,10 @@ void handle_connection(int client_socket) {
         LOG(WARNING, "read_http_request(): client EOF");
         send_bad_request(client_fd_write);
         goto out;
+    } else if (result == -3) {
+        LOG(DEBUG, "read_http_request(): proxy authentication failed");
+        send_authentication_required(client_fd_write);
+        goto out;
     }
 
     if (parse_request(buffer, host, port, &version_minor) != 0) {
@@ -150,7 +156,7 @@ void handle_connection(int client_socket) {
         server_socket = connect_to_host(host, port);
     }
 
-    if (server_socket == -1) {
+    if (server_socket < 0) {
         LOG(WARNING, "failed to connect to server");
         send_forwarding_failure(client_fd_write);
         goto out;
@@ -520,6 +526,7 @@ static int fdopen_read_write(int socket, FILE **read_fd, FILE **write_fd) {
  */
 static int read_http_request(FILE *client_fd, char *request, size_t length) {
     char buffer[MAX_REQUEST_LINE];
+    int found_proxy_authorization;
 
     if (fgets(request, (int)length, client_fd) == NULL) {
         if (ferror(client_fd)) {
@@ -530,7 +537,22 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) {
         return -2;
     }
 
+    found_proxy_authorization = 0;
     while (fgets(buffer, sizeof(buffer), client_fd) != NULL) {
+        const char *authentication = "Proxy-Authorization: Basic ";
+
+        if (http_digest_authorization != NULL
+                && !strncmp(buffer, authentication, strlen(authentication))) {
+            found_proxy_authorization = 1;
+
+            /* Check if the passphrase matches. */
+            strtok(buffer, "\r\n");
+            if (strcmp(buffer + strlen(authentication),
+                       http_digest_authorization)) {
+                return -3;
+            }
+        }
+
         /* End of header. */
         if (!strcmp(buffer, "\n") || !strcmp(buffer, "\r\n")) {
             break;
@@ -541,58 +563,45 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) {
         return -1;
     }
 
+    if (http_digest_authorization != NULL && !found_proxy_authorization) {
+        return -3;
+    }
+
     return 0;
 }
 
 static void send_bad_request(FILE *client_fd) {
-#define RESPONSE_ERROR "400 Bad Request"
-#define RESPONSE_MSG   "Your browser sent an invalid request."
-    fprintf(client_fd, HTTP_RESPONSE_FORMAT,
-                       RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR,
-                       RESPONSE_MSG);
+    const char error[] = "400 Bad Request";
+    const char msg[]   = "Your browser sent an invalid request.";
+    fprintf(client_fd, HTTP_RESPONSE_FORMAT, error, "", error, error, msg);
+    fflush(client_fd);
+}
+static void send_authentication_required(FILE *client_fd) {
+    const char error[] = "407 Proxy Authentication Required";
+    const char auth[]  = "Proxy-Authenticate: Basic realm=\"tlsproxy\"\r\n";
+    const char msg[]   = "TODO";
+    fprintf(client_fd, HTTP_RESPONSE_FORMAT, error, auth, error, error, msg);
     fflush(client_fd);
-#undef RESPONSE_ERROR
-#undef RESPONSE_MSG
 }
 static void send_forwarding_failure(FILE *client_fd) {
-#define RESPONSE_ERROR "503 Forwarding failure"
-#define RESPONSE_MSG   "Failed to connect to server, check logs."
-    fprintf(client_fd, HTTP_RESPONSE_FORMAT,
-                       RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR,
-                       RESPONSE_MSG);
+    const char error[] = "503 Forwarding failure";
+    const char msg[]   = "Failed to connect to server, check logs.";
+    fprintf(client_fd, HTTP_RESPONSE_FORMAT, error, "", error, error, msg);
     fflush(client_fd);
-#undef RESPONSE_ERROR
-#undef RESPONSE_MSG
 }
 static void tls_send_invalid_cert_message(gnutls_session_t session) {
-#define RESPONSE_ERROR "500 Internal Server Error"
-#define RESPONSE_MSG   "Server certificate validation failed, check logs."
+    const char error[] = "500 Internal Server Error";
+    const char msg[]   = "Server certificate validation failed, check logs.";
 
     int result;
-    char buffer[sizeof(HTTP_RESPONSE_FORMAT) - 1 /* '\0' */
-                                             - 4 * 2 /* four %s */
-                + (sizeof(RESPONSE_ERROR) - 1 /* '\0' */) * 3
-                + sizeof(RESPONSE_MSG)    - 1 /* '\0' */
-                + 1 /* '\0' */];
-
-    result = snprintf(buffer, sizeof(buffer),
-                      HTTP_RESPONSE_FORMAT,
-                      RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR,
-                      RESPONSE_MSG);
-    if (result < 0) {
-        LOG_PERROR(ERROR,
-                   "tls_send_invalid_cert_message(): snprintf failed");
-        return;
-    } else if ((size_t)result >= sizeof(buffer)) {
-        LOG(ERROR,
-            "tls_send_invalid_cert_message(): snprintf buffer too short");
-        return;
-    }
+    char buffer[sizeof(HTTP_RESPONSE_FORMAT)
+                + 3 * sizeof(error) + sizeof(msg)];
+
+    result = snprintf(buffer, sizeof(buffer), HTTP_RESPONSE_FORMAT,
+                                              error, "", error, error, msg);
+    assert(result > 0 && (size_t)result < sizeof(buffer));
 
-    gnutls_record_send(session, buffer, sizeof(buffer) - 1);
-                                        /* don't send trailing '\0' */
-#undef RESPONSE_ERROR
-#undef RESPONSE_MSG
+    gnutls_record_send(session, buffer, strlen(buffer));
 }
 
 
@@ -807,12 +816,12 @@ static int connect_to_host(const char *hostname, const char *port) {
         server_socket = socket(server->ai_family,
                                server->ai_socktype,
                                server->ai_protocol);
-        if (server_socket == -1) {
+        if (server_socket < 0) {
             LOG_PERROR(DEBUG, "connect_to_host(): socket(), trying next");
             continue;
         }
 
-        if (connect(server_socket, server->ai_addr, server->ai_addrlen) != -1) {
+        if (connect(server_socket, server->ai_addr, server->ai_addrlen) == 0) {
             break;
         }
         LOG_PERROR(DEBUG, "connect_to_host(): connect(), trying next");