Add basic digest authentication (-a option).

[tlsproxy/tlsproxy.git] / src / connection.c

diff --git a/src/connection.c b/src/connection.c
index 08a72809a2f30c308f6e9e3fc4b7acd3575e48ad..ed1bc63c6e030c5349f9d2aa46a179c8d60bf2f9 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -62,6 +62,7 @@ static int initialize_tls_session_server(int peer_socket,
 static int fdopen_read_write(int socket, FILE **read_fd, FILE **write_fd);
 static int read_http_request(FILE *client_fd, char *request, size_t length);
 static void send_bad_request(FILE *client_fd);
+static void send_authentication_required(FILE *client_fd);
 static void send_forwarding_failure(FILE *client_fd);
 static void tls_send_invalid_cert_message(gnutls_session_t session);
 
@@ -131,6 +132,10 @@ void handle_connection(int client_socket) {
         LOG(WARNING, "read_http_request(): client EOF");
         send_bad_request(client_fd_write);
         goto out;
+    } else if (result == -3) {
+        LOG(DEBUG, "read_http_request(): proxy authentication failed");
+        send_authentication_required(client_fd_write);
+        goto out;
     }
 
     if (parse_request(buffer, host, port, &version_minor) != 0) {
@@ -521,6 +526,7 @@ static int fdopen_read_write(int socket, FILE **read_fd, FILE **write_fd) {
  */
 static int read_http_request(FILE *client_fd, char *request, size_t length) {
     char buffer[MAX_REQUEST_LINE];
+    int found_proxy_authorization;
 
     if (fgets(request, (int)length, client_fd) == NULL) {
         if (ferror(client_fd)) {
@@ -531,7 +537,22 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) {
         return -2;
     }
 
+    found_proxy_authorization = 0;
     while (fgets(buffer, sizeof(buffer), client_fd) != NULL) {
+        const char *authentication = "Proxy-Authorization: Basic ";
+
+        if (http_digest_authorization != NULL
+                && !strncmp(buffer, authentication, strlen(authentication))) {
+            found_proxy_authorization = 1;
+
+            /* Check if the passphrase matches. */
+            strtok(buffer, "\r\n");
+            if (strcmp(buffer + strlen(authentication),
+                       http_digest_authorization)) {
+                return -3;
+            }
+        }
+
         /* End of header. */
         if (!strcmp(buffer, "\n") || !strcmp(buffer, "\r\n")) {
             break;
@@ -542,6 +563,10 @@ static int read_http_request(FILE *client_fd, char *request, size_t length) {
         return -1;
     }
 
+    if (http_digest_authorization != NULL && !found_proxy_authorization) {
+        return -3;
+    }
+
     return 0;
 }
 
@@ -551,6 +576,13 @@ static void send_bad_request(FILE *client_fd) {
     fprintf(client_fd, HTTP_RESPONSE_FORMAT, error, "", error, error, msg);
     fflush(client_fd);
 }
+static void send_authentication_required(FILE *client_fd) {
+    const char error[] = "407 Proxy Authentication Required";
+    const char auth[]  = "Proxy-Authenticate: Basic realm=\"tlsproxy\"\r\n";
+    const char msg[]   = "TODO";
+    fprintf(client_fd, HTTP_RESPONSE_FORMAT, error, auth, error, error, msg);
+    fflush(client_fd);
+}
 static void send_forwarding_failure(FILE *client_fd) {
     const char error[] = "503 Forwarding failure";
     const char msg[]   = "Failed to connect to server, check logs.";