X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=c91eae358e6a3b7cfa44376afba42c928e96ff6b;hb=f012f75b2ed64fe9955b1dc2013c06e054bafd7f;hp=aa42bfd2bffb60b9e8011b03a11c28bbbaf7013a;hpb=c51f4531e09a0fcf27aa9f3b5150fbadcf4f1a79;p=tlsproxy%2Ftlsproxy.git diff --git a/src/connection.c b/src/connection.c index aa42bfd..c91eae3 100644 --- a/src/connection.c +++ b/src/connection.c @@ -59,7 +59,7 @@ static int initialize_tls_session_client(int peer_socket, static int initialize_tls_session_server(int peer_socket, gnutls_session_t *session, gnutls_certificate_credentials_t *x509_cred); -static int initialize_tls_session_both(int flags, +static int initialize_tls_session_both(unsigned int flags, int peer_socket, gnutls_session_t *session, gnutls_certificate_credentials_t *x509_cred); @@ -144,7 +144,7 @@ void handle_connection(int client_socket) { } if (parse_request(buffer, host, port, &version_minor) != 0) { - LOG(WARNING, "bad request: %s", buffer); + LOG(WARNING, "bad request: >%s<", buffer); send_bad_request(client_fd_write); goto out; } @@ -406,6 +406,11 @@ static int initialize_tls_session_client(int peer_socket, PROXY_CA_PATH); gnutls_certificate_free_credentials(*x509_cred); return -1; + } else if (result != 1) { + /* Must contain only one CA, our proxy CA. */ + LOG(ERROR, "initialize_tls_session_client(): multiple CAs found"); + gnutls_certificate_free_credentials(*x509_cred); + return -1; } } /* If the invalid hostname was specified do nothing, we use a self-signed @@ -457,28 +462,27 @@ static int initialize_tls_session_server(int peer_socket, return initialize_tls_session_both(GNUTLS_CLIENT, peer_socket, session, x509_cred); } -static int initialize_tls_session_both(int flags, +static int initialize_tls_session_both(unsigned int flags, int peer_socket, gnutls_session_t *session, gnutls_certificate_credentials_t *x509_cred) { int result; + *session = NULL; + result = gnutls_init(session, flags); if (result != GNUTLS_E_SUCCESS) { LOG(ERROR, "initialize_tls_session_both(): gnutls_init(): %s", gnutls_strerror(result)); - gnutls_certificate_free_credentials(*x509_cred); - return -1; + goto err; } result = gnutls_priority_set(*session, global_tls_priority_cache); if (result != GNUTLS_E_SUCCESS) { LOG(ERROR, "initialize_tls_session_both(): gnutls_priority_set(): %s", gnutls_strerror(result)); - gnutls_deinit(*session); - gnutls_certificate_free_credentials(*x509_cred); - return -1; + goto err; } result = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE, *x509_cred); @@ -486,9 +490,7 @@ static int initialize_tls_session_both(int flags, LOG(ERROR, "initialize_tls_session_both(): gnutls_credentials_set(): %s", gnutls_strerror(result)); - gnutls_deinit(*session); - gnutls_certificate_free_credentials(*x509_cred); - return -1; + goto err; } #ifdef HAVE_GNUTLS_TRANSPORT_SET_INT2 @@ -499,6 +501,13 @@ static int initialize_tls_session_both(int flags, #endif return 0; + +err: + if (*session) { + gnutls_deinit(*session); + } + gnutls_certificate_free_credentials(*x509_cred); + return -1; } @@ -542,14 +551,14 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) { while (fgets(buffer, sizeof(buffer), client_fd) != NULL) { const char *authentication = "Proxy-Authorization: Basic "; - if (http_digest_authorization != NULL + if (global_http_digest_authorization != NULL && !strncmp(buffer, authentication, strlen(authentication))) { found_proxy_authorization = 1; /* Check if the passphrase matches. */ strtok(buffer, "\r\n"); if (strcmp(buffer + strlen(authentication), - http_digest_authorization)) { + global_http_digest_authorization)) { return -3; } } @@ -562,9 +571,11 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) { if (ferror(client_fd)) { LOG_PERROR(WARNING, "read_http_request(): fgets()"); return -1; + } else if (feof(client_fd)) { + return -2; } - if (http_digest_authorization != NULL && !found_proxy_authorization) { + if (global_http_digest_authorization != NULL && !found_proxy_authorization) { return -3; }