static int initialize_tls_session_server(int peer_socket,
gnutls_session_t *session,
gnutls_certificate_credentials_t *x509_cred);
-static int initialize_tls_session_both(int flags,
+static int initialize_tls_session_both(unsigned int flags,
int peer_socket,
gnutls_session_t *session,
gnutls_certificate_credentials_t *x509_cred);
PROXY_CA_PATH);
gnutls_certificate_free_credentials(*x509_cred);
return -1;
+ } else if (result != 1) {
+ /* Must contain only one CA, our proxy CA. */
+ LOG(ERROR, "initialize_tls_session_client(): multiple CAs found");
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
}
}
/* If the invalid hostname was specified do nothing, we use a self-signed
return initialize_tls_session_both(GNUTLS_CLIENT,
peer_socket, session, x509_cred);
}
-static int initialize_tls_session_both(int flags,
+static int initialize_tls_session_both(unsigned int flags,
int peer_socket,
gnutls_session_t *session,
gnutls_certificate_credentials_t *x509_cred) {
int result;
+ *session = NULL;
+
result = gnutls_init(session, flags);
if (result != GNUTLS_E_SUCCESS) {
LOG(ERROR,
"initialize_tls_session_both(): gnutls_init(): %s",
gnutls_strerror(result));
- gnutls_certificate_free_credentials(*x509_cred);
- return -1;
+ goto err;
}
result = gnutls_priority_set(*session, global_tls_priority_cache);
if (result != GNUTLS_E_SUCCESS) {
LOG(ERROR,
"initialize_tls_session_both(): gnutls_priority_set(): %s",
gnutls_strerror(result));
- gnutls_deinit(*session);
- gnutls_certificate_free_credentials(*x509_cred);
- return -1;
+ goto err;
}
result = gnutls_credentials_set(*session,
GNUTLS_CRD_CERTIFICATE, *x509_cred);
LOG(ERROR,
"initialize_tls_session_both(): gnutls_credentials_set(): %s",
gnutls_strerror(result));
- gnutls_deinit(*session);
- gnutls_certificate_free_credentials(*x509_cred);
- return -1;
+ goto err;
}
#ifdef HAVE_GNUTLS_TRANSPORT_SET_INT2
#endif
return 0;
+
+err:
+ if (*session) {
+ gnutls_deinit(*session);
+ }
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
}
if (ferror(client_fd)) {
LOG_PERROR(WARNING, "read_http_request(): fgets()");
return -1;
+ } else if (feof(client_fd)) {
+ return -2;
}
if (global_http_digest_authorization != NULL && !found_proxy_authorization) {