X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=c91eae358e6a3b7cfa44376afba42c928e96ff6b;hb=f012f75b2ed64fe9955b1dc2013c06e054bafd7f;hp=abd89758c463c5399ce1a51f0672442d269b201c;hpb=3eebfbd0b124c034d57e9ddba051e82fe99ba05f;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/connection.c b/src/connection.c
index abd8975..c91eae3 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -59,7 +59,7 @@ static int initialize_tls_session_client(int peer_socket,
 static int initialize_tls_session_server(int peer_socket,
         gnutls_session_t *session,
         gnutls_certificate_credentials_t *x509_cred);
-static int initialize_tls_session_both(int flags,
+static int initialize_tls_session_both(unsigned int flags,
         int peer_socket,
         gnutls_session_t *session,
         gnutls_certificate_credentials_t *x509_cred);
@@ -144,7 +144,7 @@ void handle_connection(int client_socket) {
     }
 
     if (parse_request(buffer, host, port, &version_minor) != 0) {
-        LOG(WARNING, "bad request: %s", buffer);
+        LOG(WARNING, "bad request: >%s<", buffer);
         send_bad_request(client_fd_write);
         goto out;
     }
@@ -406,6 +406,11 @@ static int initialize_tls_session_client(int peer_socket,
                 PROXY_CA_PATH);
             gnutls_certificate_free_credentials(*x509_cred);
             return -1;
+        } else if (result != 1) {
+            /* Must contain only one CA, our proxy CA. */
+            LOG(ERROR, "initialize_tls_session_client(): multiple CAs found");
+            gnutls_certificate_free_credentials(*x509_cred);
+            return -1;
         }
     }
     /* If the invalid hostname was specified do nothing, we use a self-signed
@@ -457,28 +462,27 @@ static int initialize_tls_session_server(int peer_socket,
     return initialize_tls_session_both(GNUTLS_CLIENT,
                                        peer_socket, session, x509_cred);
 }
-static int initialize_tls_session_both(int flags,
+static int initialize_tls_session_both(unsigned int flags,
         int peer_socket,
         gnutls_session_t *session,
         gnutls_certificate_credentials_t *x509_cred) {
     int result;
 
+    *session = NULL;
+
     result = gnutls_init(session, flags);
     if (result != GNUTLS_E_SUCCESS) {
         LOG(ERROR,
             "initialize_tls_session_both(): gnutls_init(): %s",
             gnutls_strerror(result));
-        gnutls_certificate_free_credentials(*x509_cred);
-        return -1;
+        goto err;
     }
     result = gnutls_priority_set(*session, global_tls_priority_cache);
     if (result != GNUTLS_E_SUCCESS) {
         LOG(ERROR,
             "initialize_tls_session_both(): gnutls_priority_set(): %s",
             gnutls_strerror(result));
-        gnutls_deinit(*session);
-        gnutls_certificate_free_credentials(*x509_cred);
-        return -1;
+        goto err;
     }
     result = gnutls_credentials_set(*session,
                                     GNUTLS_CRD_CERTIFICATE, *x509_cred);
@@ -486,9 +490,7 @@ static int initialize_tls_session_both(int flags,
         LOG(ERROR,
             "initialize_tls_session_both(): gnutls_credentials_set(): %s",
             gnutls_strerror(result));
-        gnutls_deinit(*session);
-        gnutls_certificate_free_credentials(*x509_cred);
-        return -1;
+        goto err;
     }
 
 #ifdef HAVE_GNUTLS_TRANSPORT_SET_INT2
@@ -499,6 +501,13 @@ static int initialize_tls_session_both(int flags,
 #endif
 
     return 0;
+
+err:
+    if (*session) {
+        gnutls_deinit(*session);
+    }
+    gnutls_certificate_free_credentials(*x509_cred);
+    return -1;
 }
 
 
@@ -562,6 +571,8 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) {
     if (ferror(client_fd)) {
         LOG_PERROR(WARNING, "read_http_request(): fgets()");
         return -1;
+    } else if (feof(client_fd)) {
+        return -2;
     }
 
     if (global_http_digest_authorization != NULL && !found_proxy_authorization) {