static int initialize_tls_session_server(int peer_socket,
gnutls_session_t *session,
gnutls_certificate_credentials_t *x509_cred);
-static int initialize_tls_session_both(int flags,
+static int initialize_tls_session_both(unsigned int flags,
int peer_socket,
gnutls_session_t *session,
gnutls_certificate_credentials_t *x509_cred);
send_bad_request(client_fd_write);
goto out;
} else if (result == -3) {
- LOG(DEBUG1, "read_http_request(): proxy authentication failed");
+ LOG(WARNING, "read_http_request(): proxy authentication failed");
send_authentication_required(client_fd_write);
goto out;
}
if (parse_request(buffer, host, port, &version_minor) != 0) {
- LOG(WARNING, "bad request: %s", buffer);
+ LOG(WARNING, "bad request: >%s<", buffer);
send_bad_request(client_fd_write);
goto out;
}
- LOG(DEBUG1, "target: %s:%s (HTTP 1.%d)", host, port, version_minor);
+ LOG(DEBUG2, "target: %s:%s (HTTP 1.%d)", host, port, version_minor);
/* Connect to proxy server or directly to server. */
if (global_proxy_host != NULL && global_proxy_port != NULL) {
PROXY_CA_PATH);
gnutls_certificate_free_credentials(*x509_cred);
return -1;
+ } else if (result != 1) {
+ /* Must contain only one CA, our proxy CA. */
+ LOG(ERROR, "initialize_tls_session_client(): multiple CAs found");
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
}
}
/* If the invalid hostname was specified do nothing, we use a self-signed
return initialize_tls_session_both(GNUTLS_CLIENT,
peer_socket, session, x509_cred);
}
-static int initialize_tls_session_both(int flags,
+static int initialize_tls_session_both(unsigned int flags,
int peer_socket,
gnutls_session_t *session,
gnutls_certificate_credentials_t *x509_cred) {
int result;
+ *session = NULL;
+
result = gnutls_init(session, flags);
if (result != GNUTLS_E_SUCCESS) {
LOG(ERROR,
"initialize_tls_session_both(): gnutls_init(): %s",
gnutls_strerror(result));
- gnutls_certificate_free_credentials(*x509_cred);
- return -1;
+ goto err;
}
result = gnutls_priority_set(*session, global_tls_priority_cache);
if (result != GNUTLS_E_SUCCESS) {
LOG(ERROR,
"initialize_tls_session_both(): gnutls_priority_set(): %s",
gnutls_strerror(result));
- gnutls_deinit(*session);
- gnutls_certificate_free_credentials(*x509_cred);
- return -1;
+ goto err;
}
result = gnutls_credentials_set(*session,
GNUTLS_CRD_CERTIFICATE, *x509_cred);
LOG(ERROR,
"initialize_tls_session_both(): gnutls_credentials_set(): %s",
gnutls_strerror(result));
- gnutls_deinit(*session);
- gnutls_certificate_free_credentials(*x509_cred);
- return -1;
+ goto err;
}
+#ifdef HAVE_GNUTLS_TRANSPORT_SET_INT2
+ /* gnutls_transport_set_int() is a macro. */
+ gnutls_transport_set_int(*session, peer_socket);
+#else
gnutls_transport_set_ptr(*session, (gnutls_transport_ptr_t)peer_socket);
+#endif
return 0;
+
+err:
+ if (*session) {
+ gnutls_deinit(*session);
+ }
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
}
while (fgets(buffer, sizeof(buffer), client_fd) != NULL) {
const char *authentication = "Proxy-Authorization: Basic ";
- if (http_digest_authorization != NULL
+ if (global_http_digest_authorization != NULL
&& !strncmp(buffer, authentication, strlen(authentication))) {
found_proxy_authorization = 1;
/* Check if the passphrase matches. */
strtok(buffer, "\r\n");
if (strcmp(buffer + strlen(authentication),
- http_digest_authorization)) {
+ global_http_digest_authorization)) {
return -3;
}
}
if (ferror(client_fd)) {
LOG_PERROR(WARNING, "read_http_request(): fgets()");
return -1;
+ } else if (feof(client_fd)) {
+ return -2;
}
- if (http_digest_authorization != NULL && !found_proxy_authorization) {
+ if (global_http_digest_authorization != NULL && !found_proxy_authorization) {
return -3;
}
fds[1].events = POLLIN | POLLPRI | POLLHUP | POLLERR;
fds[1].revents = 0;
- LOG(DEBUG1, "transfer_data(): %d -> %d", client, server);
+ LOG(DEBUG2, "transfer_data(): %d -> %d", client, server);
for (;;) {
int result = poll(fds, 2 /* fd count */, -1 /* no timeout */);
if (gnutls_record_get_max_size(server_session) < buffer_size) {
buffer_size = gnutls_record_get_max_size(server_session);
}
- LOG(DEBUG1, "transfer_data_tls(): suggested buffer size: %ld",
+ LOG(DEBUG2, "transfer_data_tls(): suggested buffer size: %ld",
(long int)buffer_size);
for (;;) {
ruderich.org/simon / tlsproxy / tlsproxy.git / blobdiff