Update copyright year.

[tlsproxy/tlsproxy.git] / src / connection.c
diff --git a/src/connection.c b/src/connection.c

index 54752aceae38a547dd80f5bcacd7e549ac459c6e..184ee5a4231a302ee520dfecb05b845cdde0e4bb 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -1,7 +1,7 @@
  /*
   * Handle connections.
   *
- * Copyright (C) 2011-2013  Simon Ruderich
+ * Copyright (C) 2011-2014  Simon Ruderich
   *
   * This program is free software: you can redistribute it and/or modify
   * it under the terms of the GNU General Public License as published by
@@ -26,6 +26,7 @@
  #include <limits.h>
  #include <netdb.h>
  #include <poll.h>
+#include <sys/socket.h>
  #include <unistd.h>
  
  #include <gnutls/x509.h>
@@ -206,7 +207,7 @@ void handle_connection(int client_socket) {
      LOG(DEBUG1, "connection to server established");
  
      /* If the -u option is used and we don't know this hostname's server
-     * certificate then just pass through the connection and let the client
+     * certificate, then just pass through the connection and let the client
       * verify the server certificate. */
      if (global_passthrough_unknown) {
          char path[TLSPROXY_MAX_PATH_LENGTH];
@@ -617,6 +618,7 @@ static void tls_send_invalid_cert_message(gnutls_session_t session) {
      const char msg[]   = "Server certificate validation failed, check logs.";
  
      int result;
+    ssize_t size_written;
      char buffer[sizeof(HTTP_RESPONSE_FORMAT)
                  + 3 * sizeof(error) + sizeof(msg)];
  
@@ -624,7 +626,13 @@ static void tls_send_invalid_cert_message(gnutls_session_t session) {
                                                error, "", error, error, msg);
      assert(result > 0 && (size_t)result < sizeof(buffer));
  
-    gnutls_record_send(session, buffer, strlen(buffer));
+    size_written = gnutls_record_send(session, buffer, strlen(buffer));
+    if (size_written < 0) {
+        LOG(WARNING, "tls_send_invalid_cert_message(): "
+                     "gnutls_record_send(): %s",
+                     gnutls_strerror((int)size_written));
+    }
+    /* Just an error message, no need to check if everything was written. */
  }
  
  
@@ -696,8 +704,8 @@ static int read_from_write_to(int from, int to) {
          return -1;
      }
      if (size_read != size_written) {
-        LOG(ERROR, "read_from_write_to(): only written %ld of %ld bytes!",
-                   (long int)size_written, (long int)size_read);
+        LOG(ERROR, "read_from_write_to(): only written %zu of %zu bytes!",
+                   size_written, size_read);
          return -1;
      }
  
@@ -724,8 +732,8 @@ static void transfer_data_tls(int client, int server,
      if (gnutls_record_get_max_size(server_session) < buffer_size) {
          buffer_size = gnutls_record_get_max_size(server_session);
      }
-    LOG(DEBUG2, "transfer_data_tls(): suggested buffer size: %ld",
-                (long int)buffer_size);
+    LOG(DEBUG2, "transfer_data_tls(): suggested buffer size: %zu",
+                buffer_size);
  
      for (;;) {
          int result = poll(fds, 2 /* fd count */, -1 /* no timeout */);
@@ -771,13 +779,29 @@ static int read_from_write_to_tls(gnutls_session_t from,
      char buffer[16384]; /* GnuTLS default maximum */
  
      if (buffer_size > sizeof(buffer)) {
-        LOG(WARNING, "read_from_write_to_tls(): reduced buffer size to %ld",
-                     (long int)(sizeof(buffer)));
+        LOG(WARNING, "read_from_write_to_tls(): reduced buffer size to %zu",
+                     sizeof(buffer));
          buffer_size = sizeof(buffer);
      }
  
      size_read = gnutls_record_recv(from, buffer, buffer_size);
      if (size_read < 0) {
+        /* Allow rehandshakes. As handshakes might be insecure make sure that
+         * %SAFE_RENEGOTIATION is used in GnuTLS's priority string. */
+        if (size_read == GNUTLS_E_REHANDSHAKE) {
+            int result;
+
+            LOG(DEBUG1, "server requested TLS rehandshake");
+
+            result = gnutls_handshake(from);
+            if (result != GNUTLS_E_SUCCESS) {
+                LOG(WARNING, "server TLS rehandshake failed: %s",
+                             gnutls_strerror(result));
+                return -1;
+            }
+            return 0;
+        }
+
          LOG(WARNING, "read_from_write_to_tls(): gnutls_record_recv(): %s",
                       gnutls_strerror((int)size_read));
          return -1;
@@ -793,8 +817,8 @@ static int read_from_write_to_tls(gnutls_session_t from,
          return -1;
      }
      if (size_read != size_written) {
-        LOG(ERROR, "read_from_write_to_tls(): only written %ld of %ld bytes!",
-                   (long int)size_written, (long int)size_read);
+        LOG(ERROR, "read_from_write_to_tls(): only written %zu of %zu bytes!",
+                   size_written, size_read);
          return -1;
      }
  
@@ -820,8 +844,10 @@ static int connect_to_host(const char *hostname, const char *port) {
      gai_hints.ai_socktype = SOCK_STREAM;
      gai_hints.ai_protocol = 0;
      gai_hints.ai_flags    = AI_NUMERICSERV /* given port is numeric */
+#ifdef AI_ADDRCONFIG
                            | AI_ADDRCONFIG  /* supported by this computer */
-                          | AI_V4MAPPED;   /* support IPv4 through IPv6 */
+#endif
+                          ;
      gai_return = getaddrinfo(hostname, port, &gai_hints, &gai_result);
      if (gai_return != 0) {
          if (gai_return == EAI_SYSTEM) {