Fix log level for proxy authentication failure.

[tlsproxy/tlsproxy.git] / src / connection.c

diff --git a/src/connection.c b/src/connection.c
index 3602842b596486daef1ef8cbb07c030b3f28575b..507a18d1c54ad000578f1f5c06344a5336b57b70 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -59,6 +59,10 @@ static int initialize_tls_session_client(int peer_socket,
 static int initialize_tls_session_server(int peer_socket,
         gnutls_session_t *session,
         gnutls_certificate_credentials_t *x509_cred);
+static int initialize_tls_session_both(unsigned int flags,
+        int peer_socket,
+        gnutls_session_t *session,
+        gnutls_certificate_credentials_t *x509_cred);
 
 static int fdopen_read_write(int socket, FILE **read_fd, FILE **write_fd);
 static int read_http_request(FILE *client_fd, char *request, size_t length);
@@ -134,18 +138,18 @@ void handle_connection(int client_socket) {
         send_bad_request(client_fd_write);
         goto out;
     } else if (result == -3) {
-        LOG(DEBUG1, "read_http_request(): proxy authentication failed");
+        LOG(WARNING, "read_http_request(): proxy authentication failed");
         send_authentication_required(client_fd_write);
         goto out;
     }
 
     if (parse_request(buffer, host, port, &version_minor) != 0) {
-        LOG(WARNING, "bad request: %s", buffer);
+        LOG(WARNING, "bad request: >%s<", buffer);
         send_bad_request(client_fd_write);
         goto out;
     }
 
-    LOG(DEBUG1, "target: %s:%s (HTTP 1.%d)", host, port, version_minor);
+    LOG(DEBUG2, "target: %s:%s (HTTP 1.%d)", host, port, version_minor);
 
     /* Connect to proxy server or directly to server. */
     if (global_proxy_host != NULL && global_proxy_port != NULL) {
@@ -394,12 +398,17 @@ static int initialize_tls_session_client(int peer_socket,
     /* Load proxy CA file, this CA "list" is send to the client. */
     if (!use_invalid_cert) {
         result = gnutls_certificate_set_x509_trust_file(*x509_cred,
-                                                        PROXY_CA_FILE,
+                                                        PROXY_CA_PATH,
                                                         GNUTLS_X509_FMT_PEM);
         if (result <= 0) {
             LOG(ERROR,
                 "initialize_tls_session_client(): can't read CA file: '%s'",
-                PROXY_CA_FILE);
+                PROXY_CA_PATH);
+            gnutls_certificate_free_credentials(*x509_cred);
+            return -1;
+        } else if (result != 1) {
+            /* Must contain only one CA, our proxy CA. */
+            LOG(ERROR, "initialize_tls_session_client(): multiple CAs found");
             gnutls_certificate_free_credentials(*x509_cred);
             return -1;
         }
@@ -410,21 +419,22 @@ static int initialize_tls_session_client(int peer_socket,
     /* And certificate for this website and proxy's private key. */
     if (!use_invalid_cert) {
         result = gnutls_certificate_set_x509_key_file(*x509_cred,
-                                                      path, PROXY_KEY_FILE,
+                                                      path,
+                                                      PROXY_KEY_PATH,
                                                       GNUTLS_X509_FMT_PEM);
     /* If the invalid hostname was specified load our special "invalid"
      * certificate. */
     } else {
         result = gnutls_certificate_set_x509_key_file(*x509_cred,
-                                                      PROXY_INVALID_CERT_FILE,
-                                                      PROXY_KEY_FILE,
+                                                      PROXY_INVALID_CERT_PATH,
+                                                      PROXY_KEY_PATH,
                                                       GNUTLS_X509_FMT_PEM);
     }
     if (result != GNUTLS_E_SUCCESS) {
         LOG(ERROR,
             "initialize_tls_session_client(): "
             "can't read server certificate ('%s') or key file ('%s'): %s",
-            path, PROXY_KEY_FILE, gnutls_strerror(result));
+            path, PROXY_KEY_PATH, gnutls_strerror(result));
         gnutls_certificate_free_credentials(*x509_cred);
         /* Could be a missing certificate. */
         return -2;
@@ -432,37 +442,8 @@ static int initialize_tls_session_client(int peer_socket,
 
     gnutls_certificate_set_dh_params(*x509_cred, global_tls_dh_params);
 
-    result = gnutls_init(session, GNUTLS_SERVER);
-    if (result != GNUTLS_E_SUCCESS) {
-        LOG(ERROR,
-            "initialize_tls_session_client(): gnutls_init(): %s",
-            gnutls_strerror(result));
-        gnutls_certificate_free_credentials(*x509_cred);
-        return -1;
-    }
-    result = gnutls_priority_set(*session, global_tls_priority_cache);
-    if (result != GNUTLS_E_SUCCESS) {
-        LOG(ERROR,
-            "initialize_tls_session_client(): gnutls_priority_set(): %s",
-            gnutls_strerror(result));
-        gnutls_deinit(*session);
-        gnutls_certificate_free_credentials(*x509_cred);
-        return -1;
-    }
-    result = gnutls_credentials_set(*session,
-                                    GNUTLS_CRD_CERTIFICATE, *x509_cred);
-    if (result != GNUTLS_E_SUCCESS) {
-        LOG(ERROR,
-            "initialize_tls_session_client(): gnutls_credentials_set(): %s",
-            gnutls_strerror(result));
-        gnutls_deinit(*session);
-        gnutls_certificate_free_credentials(*x509_cred);
-        return -1;
-    }
-
-    gnutls_transport_set_ptr(*session, (gnutls_transport_ptr_t)peer_socket);
-
-    return 0;
+    return initialize_tls_session_both(GNUTLS_SERVER,
+                                       peer_socket, session, x509_cred);
 }
 static int initialize_tls_session_server(int peer_socket,
         gnutls_session_t *session,
@@ -478,37 +459,55 @@ static int initialize_tls_session_server(int peer_socket,
         return -1;
     }
 
-    result = gnutls_init(session, GNUTLS_CLIENT);
+    return initialize_tls_session_both(GNUTLS_CLIENT,
+                                       peer_socket, session, x509_cred);
+}
+static int initialize_tls_session_both(unsigned int flags,
+        int peer_socket,
+        gnutls_session_t *session,
+        gnutls_certificate_credentials_t *x509_cred) {
+    int result;
+
+    *session = NULL;
+
+    result = gnutls_init(session, flags);
     if (result != GNUTLS_E_SUCCESS) {
         LOG(ERROR,
-            "initialize_tls_session_server(): gnutls_init(): %s",
+            "initialize_tls_session_both(): gnutls_init(): %s",
             gnutls_strerror(result));
-        gnutls_certificate_free_credentials(*x509_cred);
-        return -1;
+        goto err;
     }
     result = gnutls_priority_set(*session, global_tls_priority_cache);
     if (result != GNUTLS_E_SUCCESS) {
         LOG(ERROR,
-            "initialize_tls_session_server(): gnutls_priority_set(): %s",
+            "initialize_tls_session_both(): gnutls_priority_set(): %s",
             gnutls_strerror(result));
-        gnutls_deinit(*session);
-        gnutls_certificate_free_credentials(*x509_cred);
-        return -1;
+        goto err;
     }
     result = gnutls_credentials_set(*session,
                                     GNUTLS_CRD_CERTIFICATE, *x509_cred);
     if (result != GNUTLS_E_SUCCESS) {
         LOG(ERROR,
-            "initialize_tls_session_server(): gnutls_credentials_set(): %s",
+            "initialize_tls_session_both(): gnutls_credentials_set(): %s",
             gnutls_strerror(result));
-        gnutls_deinit(*session);
-        gnutls_certificate_free_credentials(*x509_cred);
-        return -1;
+        goto err;
     }
 
+#ifdef HAVE_GNUTLS_TRANSPORT_SET_INT2
+    /* gnutls_transport_set_int() is a macro. */
+    gnutls_transport_set_int(*session, peer_socket);
+#else
     gnutls_transport_set_ptr(*session, (gnutls_transport_ptr_t)peer_socket);
+#endif
 
     return 0;
+
+err:
+    if (*session) {
+        gnutls_deinit(*session);
+    }
+    gnutls_certificate_free_credentials(*x509_cred);
+    return -1;
 }
 
 
@@ -552,14 +551,14 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) {
     while (fgets(buffer, sizeof(buffer), client_fd) != NULL) {
         const char *authentication = "Proxy-Authorization: Basic ";
 
-        if (http_digest_authorization != NULL
+        if (global_http_digest_authorization != NULL
                 && !strncmp(buffer, authentication, strlen(authentication))) {
             found_proxy_authorization = 1;
 
             /* Check if the passphrase matches. */
             strtok(buffer, "\r\n");
             if (strcmp(buffer + strlen(authentication),
-                       http_digest_authorization)) {
+                       global_http_digest_authorization)) {
                 return -3;
             }
         }
@@ -572,9 +571,11 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) {
     if (ferror(client_fd)) {
         LOG_PERROR(WARNING, "read_http_request(): fgets()");
         return -1;
+    } else if (feof(client_fd)) {
+        return -2;
     }
 
-    if (http_digest_authorization != NULL && !found_proxy_authorization) {
+    if (global_http_digest_authorization != NULL && !found_proxy_authorization) {
         return -3;
     }
 
@@ -627,7 +628,7 @@ static void transfer_data(int client, int server) {
     fds[1].events  = POLLIN | POLLPRI | POLLHUP | POLLERR;
     fds[1].revents = 0;
 
-    LOG(DEBUG1, "transfer_data(): %d -> %d", client, server);
+    LOG(DEBUG2, "transfer_data(): %d -> %d", client, server);
 
     for (;;) {
         int result = poll(fds, 2 /* fd count */, -1 /* no timeout */);
@@ -712,7 +713,7 @@ static void transfer_data_tls(int client, int server,
     if (gnutls_record_get_max_size(server_session) < buffer_size) {
         buffer_size = gnutls_record_get_max_size(server_session);
     }
-    LOG(DEBUG1, "transfer_data_tls(): suggested buffer size: %ld",
+    LOG(DEBUG2, "transfer_data_tls(): suggested buffer size: %ld",
                 (long int)buffer_size);
 
     for (;;) {