/*
- * tlsproxy is a transparent TLS proxy for HTTPS connections.
+ * tlsproxy is a TLS proxy for HTTPS which intercepts the connections and
+ * ensures the server certificate doesn't change. Normally this isn't detected
+ * if a trusted CA for the new server certificate is installed.
*
- * Copyright (C) 2011 Simon Ruderich
+ * Copyright (C) 2011-2013 Simon Ruderich
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include <stdlib.h>
-#include <stdio.h>
-/* socket(), bind(), accept(), listen() */
-#include <sys/types.h>
-#include <sys/socket.h>
-/* close() */
-#include <unistd.h>
-/* htons() */
+#include "tlsproxy.h"
+#include "sem.h"
+#include "connection.h"
+
#include <arpa/inet.h>
-/* getaddrinfo() */
-#include <netdb.h>
-/* strncmp() */
-#include <string.h>
-/* sigaction() */
+#include <errno.h>
+#include <pthread.h>
#include <signal.h>
-/* poll() */
-#include <poll.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
-#include <config.h>
+#if GNUTLS_VERSION_NUMBER <= 0x020b00
+/* Necessary for GnuTLS when used with threads. */
+#include <gcrypt.h>
+GCRY_THREAD_OPTION_PTHREAD_IMPL;
+#endif
-/* Maximum line of the request line. Longer request lines are aborted with an
- * error. The standard doesn't specify a maximum line length but this should
- * be a good limit to make processing simpler. */
-#define MAX_REQUEST_LINE 4096
+/* Size of ringbuffer. */
+#define RINGBUFFER_SIZE 10
+
+/* Bit size of Diffie-Hellman key exchange parameters. */
+#define DH_SIZE 1024
+
+
+/* For gnutls_*() functions. */
+#define GNUTLS_ERROR_EXIT(error, message) \
+ if (error != GNUTLS_E_SUCCESS) { \
+ fprintf(stderr, "%s: %s\n", message, gnutls_strerror(error)); \
+ exit(EXIT_FAILURE); \
+ }
/* Server should shut down. Set by SIGINT handler. */
-static volatile int done;
+static volatile int done; /* = 0 */
+
+/* Number of threads. */
+static size_t thread_count;
-/* Proxy hostname and port if specified on the command line. */
-static char *use_proxy_host;
-static char *use_proxy_port;
+/* Synchronized ring buffer storing accept()ed client sockets. */
+static int ringbuffer[RINGBUFFER_SIZE];
+static int ringbuffer_read;
+static int ringbuffer_write;
+static SEM *ringbuffer_full; /* At least one element in the buffer? */
+static SEM *ringbuffer_free; /* Space for another element in the buffer? */
+static SEM *ringbuffer_lock; /* Read lock. */
+#ifdef DEBUG
static void sigint_handler(int signal);
+#endif
static void parse_arguments(int argc, char **argv);
static void print_usage(const char *argv);
+static char *slurp_file(const char *path);
-static void handle_connection(int socket);
-static int read_http_request(FILE *client_fd, char *request, size_t length);
-static void send_close_bad_request(FILE *client_fd);
-static void send_close_forwarding_failure(FILE *client_fd);
+static void initialize_gnutls(void);
+static void deinitialize_gnutls(void);
-static void transfer_data(int client, int server);
-static int read_from_write_to(int from, int to);
-
-static int connect_to_host(const char *hostname, const char *port);
-
-static int parse_request(const char *buffer, char *host, char *port,
- int *version_minor);
+static void *worker_thread(void *unused);
int main(int argc, char **argv) {
int port;
int client_socket, server_socket;
+#ifdef USE_IPV4_ONLY
+ struct sockaddr_in server_in;
+#else
struct sockaddr_in6 server_in;
+#endif
+
+ size_t i;
+ pthread_t *threads;
struct sigaction action;
+ /* Required in a few places. */
+ ct_assert(sizeof(size_t) >= sizeof(int));
+ ct_assert(sizeof(size_t) >= sizeof(ssize_t));
+
parse_arguments(argc, argv);
port = atoi(argv[argc - 1]);
- if (0 >= port || 0xffff < port) {
- print_usage(argv[0]);
- fprintf(stderr, "\ninvalid port");
+ if (port <= 0 || port > 0xffff ) {
+ fprintf(stderr, "invalid port: '%s'\n", argv[argc - 1]);
return EXIT_FAILURE;
}
- /* Setup our SIGINT signal handler which allows a "normal" termination of
- * the server. */
+ memset(&action, 0, sizeof(action));
sigemptyset(&action.sa_mask);
+#ifdef DEBUG
+ /* Setup our SIGINT signal handler which allows a "normal" termination of
+ * the server in DEBUG mode. */
action.sa_handler = sigint_handler;
- action.sa_flags = 0;
sigaction(SIGINT, &action, NULL);
+#endif
+ /* Ignore SIGPIPEs. */
+ action.sa_handler = SIG_IGN;
+ sigaction(SIGPIPE, &action, NULL);
+
+ /* Initialize ring buffer. */
+ ringbuffer_read = 0;
+ ringbuffer_write = 0;
+ ringbuffer_full = sem_init(0);
+ ringbuffer_free = sem_init(RINGBUFFER_SIZE);
+ ringbuffer_lock = sem_init(1);
+ if (NULL == ringbuffer_full
+ || NULL == ringbuffer_free
+ || NULL == ringbuffer_lock) {
+ perror("sem_init()");
+ return EXIT_FAILURE;
+ }
+
+ initialize_gnutls();
+ /* Spawn worker threads to handle requests. */
+ threads = malloc(thread_count * sizeof(*threads));
+ if (threads == NULL) {
+ perror("thread malloc failed");
+ return EXIT_FAILURE;
+ }
+ for (i = 0; i < thread_count; i++) {
+ errno = pthread_create(threads + i, NULL, &worker_thread, NULL);
+ if (errno != 0) {
+ perror("failed to create worker thread");
+ return EXIT_FAILURE;
+ }
+ }
+
+#ifdef USE_IPV4_ONLY
+ server_socket = socket(PF_INET, SOCK_STREAM, 0);
+#else
server_socket = socket(PF_INET6, SOCK_STREAM, 0);
- if (-1 == server_socket) {
+#endif
+ if (server_socket < 0) {
perror("socket()");
return EXIT_FAILURE;
}
-#ifdef DEBUG
/* Fast rebinding for debug mode, could cause invalid packets. */
- {
+ if (global_log_level >= LOG_DEBUG1_LEVEL) {
int socket_option = 1;
setsockopt(server_socket, SOL_SOCKET, SO_REUSEADDR,
&socket_option, sizeof(socket_option));
}
-#endif
/* Bind to the listen socket. */
memset(&server_in, 0, sizeof(server_in));
+#ifdef USE_IPV4_ONLY
+ server_in.sin_family = AF_INET; /* IPv4 only */
+ server_in.sin_addr.s_addr = htonl(INADDR_ANY); /* bind to any address */
+ server_in.sin_port = htons((uint16_t)port); /* port to bind to */
+#else
server_in.sin6_family = AF_INET6; /* IPv6 (and IPv4) */
server_in.sin6_addr = in6addr_any; /* bind to any address */
server_in.sin6_port = htons((uint16_t)port); /* port to bind to */
- if (-1 == bind(server_socket, (struct sockaddr *)&server_in,
- sizeof(server_in))) {
+#endif
+ if (bind(server_socket, (struct sockaddr *)&server_in,
+ sizeof(server_in)) != 0) {
perror("bind()");
return EXIT_FAILURE;
}
/* And accept connections. */
- if (-1 == listen(server_socket, 5)) {
+ if (listen(server_socket, 5) != 0) {
perror("listen()");
return EXIT_FAILURE;
}
-#ifdef DEBUG
- printf("Listening for connections on port %d.\n", port);
+ if (global_log_level >= LOG_DEBUG1_LEVEL) {
+ printf("tlsproxy %s\n", VERSION);
+ printf("Listening for connections on port %d.\n", port);
- if (NULL != use_proxy_host && NULL != use_proxy_port) {
- printf("Using proxy: %s:%s.\n", use_proxy_host, use_proxy_port);
+ if (global_proxy_host != NULL && global_proxy_port != NULL) {
+ printf("Using proxy: %s:%s.\n", global_proxy_host,
+ global_proxy_port);
+ }
}
-#endif
while (!done) {
/* Accept new connection. */
client_socket = accept(server_socket, NULL, NULL);
- if (-1 == client_socket) {
+ if (client_socket < 0) {
perror("accept()");
break;
}
- handle_connection(client_socket);
+ /* No lock necessary, we only have one producer! */
+ P(ringbuffer_free);
+ ringbuffer[ringbuffer_write] = client_socket;
+ ringbuffer_write = (ringbuffer_write + 1) % RINGBUFFER_SIZE;
+ V(ringbuffer_full);
}
close(server_socket);
- free(use_proxy_host);
- free(use_proxy_port);
+ /* Poison all threads and shut them down. */
+ for (i = 0; i < thread_count; i++) {
+ P(ringbuffer_free);
+ ringbuffer[ringbuffer_write] = -1; /* poison */
+ ringbuffer_write = (ringbuffer_write + 1) % RINGBUFFER_SIZE;
+ V(ringbuffer_full);
+ }
+ for (i = 0; i < thread_count; i++) {
+ errno = pthread_join(threads[i], NULL);
+ if (errno != 0) {
+ perror("pthread_join()");
+ }
+ }
+
+ sem_del(ringbuffer_full);
+ sem_del(ringbuffer_free);
+ sem_del(ringbuffer_lock);
+
+ free(threads);
+
+ deinitialize_gnutls();
+
+ free(global_proxy_host);
+ free(global_proxy_port);
return EXIT_FAILURE;
}
+#ifdef DEBUG
static void sigint_handler(int signal_number) {
(void)signal_number;
done = 1;
}
+#endif
static void parse_arguments(int argc, char **argv) {
int option;
- while (-1 != (option = getopt(argc, argv, "p:h?"))) {
+ /* Default values. */
+ thread_count = 10;
+#ifdef DEBUG
+ global_log_level = LOG_DEBUG_LEVEL;
+#else
+ global_log_level = LOG_WARNING_LEVEL;
+#endif
+ global_passthrough_unknown = 0;
+
+ while ((option = getopt(argc, argv, "a:d:p:t:uh?")) != -1) {
switch (option) {
+ case 'a': {
+ http_digest_authorization = slurp_file(optarg);
+ if (http_digest_authorization == NULL) {
+ fprintf(stderr, "failed to open authorization file '%s': ",
+ optarg);
+ perror("");
+ exit(EXIT_FAILURE);
+ } else if (strlen(http_digest_authorization) == 0) {
+ fprintf(stderr, "empty authorization file '%s'\n",
+ optarg);
+ exit(EXIT_FAILURE);
+ }
+
+ /* Just in case the file has a trailing newline. */
+ strtok(http_digest_authorization, "\r\n");
+
+ break;
+ }
+ case 'd': {
+ global_log_level = atoi(optarg);
+ if (global_log_level < 0) {
+ fprintf(stderr, "-d positive number required: '%s'\n",
+ optarg);
+ exit(EXIT_FAILURE);
+ }
+ break;
+ }
case 'p': {
char *position;
/* -p must have the format host:port. */
- if (NULL == (position = strchr(optarg, ':'))
- || position == optarg
- || 0 == strlen(position + 1)
- || 0 >= atoi(position + 1)
- || 0xffff < atoi(position + 1)) {
- fprintf(stderr, "-p host:port\n");
+ if ((position = strchr(optarg, ':')) == NULL
+ || optarg == position
+ || strlen(position + 1) == 0
+ || atoi(position + 1) <= 0
+ || atoi(position + 1) > 0xffff) {
+ fprintf(stderr, "invalid -p: '%s', format host:port\n",
+ optarg);
exit(EXIT_FAILURE);
}
- use_proxy_host = malloc((size_t)(position - optarg) + 1);
- if (NULL == use_proxy_host) {
+ global_proxy_host = malloc((size_t)(position - optarg) + 1);
+ if (global_proxy_host == NULL) {
perror("malloc()");
exit(EXIT_FAILURE);
}
- memcpy(use_proxy_host, optarg, (size_t)(position - optarg));
- use_proxy_host[position - optarg] = '\0';
+ memcpy(global_proxy_host, optarg, (size_t)(position - optarg));
+ global_proxy_host[position - optarg] = '\0';
- use_proxy_port = malloc(strlen(position + 1) + 1);
- if (NULL == use_proxy_port) {
+ global_proxy_port = malloc(strlen(position + 1) + 1);
+ if (global_proxy_port == NULL) {
perror("malloc()");
exit(EXIT_FAILURE);
}
- strcpy(use_proxy_port, position + 1);
+ strcpy(global_proxy_port, position + 1);
break;
}
+ case 't': {
+ if (atoi(optarg) <= 0) {
+ fprintf(stderr, "-t positive number required: '%s'\n",
+ optarg);
+ exit(EXIT_FAILURE);
+ }
+ thread_count = (size_t)atoi(optarg);
+ break;
+ }
+ case 'u': {
+ global_passthrough_unknown = 1;
+ break;
+ }
case 'h':
default: /* '?' */
print_usage(argv[0]);
}
if (optind >= argc) {
- print_usage(argv[0]);
+ fprintf(stderr, "port missing\n");
exit(EXIT_FAILURE);
}
}
static void print_usage(const char *argv) {
- fprintf(stderr, "Usage: %s [-p host:port] port\n", argv);
+ fprintf(stderr, "tlsproxy %s, a certificate checking TLS proxy\n",
+ VERSION);
+ fprintf(stderr, "Usage: %s [-a file] [-d level] [-p host:port] [-t count] [-u] port\n",
+ argv);
fprintf(stderr, "\n");
+ fprintf(stderr, "-a digest authentication file [default: none]\n");
+ fprintf(stderr, "-d debug level: 0=errors only, 2=debug [default: 1]\n");
fprintf(stderr, "-p proxy hostname and port\n");
+ fprintf(stderr, "-t number of threads [default: 10]\n");
+ fprintf(stderr, "-u passthrough connection if no certificate is stored \
+[default: error]\n");
+ fprintf(stderr, " WARNING: might be a security problem!\n");
}
-static void handle_connection(int client_socket) {
- int server_socket;
- FILE *client_fd, *server_fd;
-
- char buffer[MAX_REQUEST_LINE];
- char host[MAX_REQUEST_LINE];
- char port[5 + 1];
-
- int version_minor;
+static void initialize_gnutls(void) {
int result;
-
- client_fd = fdopen(client_socket, "a+");
- if (NULL == client_fd) {
- perror("fdopen()");
- close(client_socket);
- return;
- }
-
-#ifdef DEBUG
- printf("New connection:\n");
-#endif
-
- /* Read request line (CONNECT ..) and headers (they are discarded). */
- result = read_http_request(client_fd, buffer, sizeof(buffer));
- if (result == -1) {
- /* Read error. */
- return;
- } else if (result == -2) {
- /* EOF */
- send_close_bad_request(client_fd);
- return;
- }
-
-#ifdef DEBUG
- printf(" request: %s", buffer);
-#endif
-
- if (0 != parse_request(buffer, host, port, &version_minor)) {
- send_close_bad_request(client_fd);
-#ifdef DEBUG
- printf(" bad request\n");
-#endif
- return;
- }
-
-#ifdef DEBUG
- printf(" %s:%s (HTTP 1.%d)\n", host, port, version_minor);
-#endif
-
- /* Connect to proxy server or directly to server. */
- if (NULL != use_proxy_host && NULL != use_proxy_port) {
- server_socket = connect_to_host(use_proxy_host, use_proxy_port);
- } else {
- server_socket = connect_to_host(host, port);
- }
-
- if (-1 == server_socket) {
- send_close_forwarding_failure(client_fd);
- return;
- }
- server_fd = fdopen(server_socket, "a+");
- if (NULL == server_fd) {
- send_close_forwarding_failure(client_fd);
- return;
+/* Recent versions of GnuTLS automatically initialize the cryptography layer
+ * in gnutls_global_init(). */
+#if GNUTLS_VERSION_NUMBER <= 0x020b00
+ gcry_error_t error;
+
+ /* Thread safe setup. Must be called before gnutls_global_init(). */
+ error = gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+ if (error != 0) {
+ fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error),
+ gcry_strerror(error));
+ exit(EXIT_FAILURE);
}
-
- /* Connect to proxy if requested (command line option). */
- if (NULL != use_proxy_host && NULL != use_proxy_port) {
- fprintf(server_fd, "CONNECT %s:%s HTTP/1.0\r\n", host, port);
- fprintf(server_fd, "\r\n");
-
- /* Read response line from proxy server. */
- result = read_http_request(server_fd, buffer, sizeof(buffer));
- if (result == -1) {
- /* Read error. */
- send_close_forwarding_failure(client_fd);
- return;
- } else if (result == -2) {
- /* EOF */
- fclose(server_fd);
- send_close_forwarding_failure(client_fd);
- return;
- }
-
- /* Check response of proxy server. */
- if (0 != strncmp(buffer, "HTTP/1.0 200", 12)) {
-#ifdef DEBUG
- printf(" bad proxy response\n");
-#endif
- fclose(server_fd);
- send_close_forwarding_failure(client_fd);
- return;
- }
+ /* Prevent usage of blocking /dev/random. */
+ error = gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+ if (error != 0) {
+ fprintf(stderr, "gcry_control(): %s/%s\n", gcry_strsource(error),
+ gcry_strerror(error));
+ exit(EXIT_FAILURE);
}
-
-#ifdef DEBUG
- printf(" connection to server established\n");
#endif
- /* We've established a connection, tell the client. */
- fprintf(client_fd, "HTTP/1.0 200 Connection established\r\n");
- fprintf(client_fd, "\r\n");
- fflush(client_fd);
+ /* Initialize GnuTLS. */
+ result = gnutls_global_init();
+ GNUTLS_ERROR_EXIT(result, "gnutls_global_init()");
- /* And transfer all data between client and server transparently. */
- transfer_data(client_socket, server_socket);
+ /* Setup GnuTLS cipher suites. */
+ result = gnutls_priority_init(&global_tls_priority_cache, "NORMAL", NULL);
+ GNUTLS_ERROR_EXIT(result, "gnutls_priority_init()");
- fclose(client_fd);
- fclose(server_fd);
+ /* Generate Diffie-Hellman parameters. */
+ result = gnutls_dh_params_init(&global_tls_dh_params);
+ GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_init()");
+ result = gnutls_dh_params_generate2(global_tls_dh_params, DH_SIZE);
+ GNUTLS_ERROR_EXIT(result, "gnutls_dh_params_generate2()");
}
+static void deinitialize_gnutls(void) {
+ gnutls_dh_params_deinit(global_tls_dh_params);
+ gnutls_priority_deinit(global_tls_priority_cache);
-/* Read HTTP request line and headers (ignored).
- *
- * On success 0 is returned, -1 on client error (we close client descriptor in
- * this case), -2 on unexpected EOF.
- */
-static int read_http_request(FILE *client_fd, char *request, size_t length) {
- char buffer[MAX_REQUEST_LINE];
-
- if (NULL == fgets(request, (int)length, client_fd)) {
- if (ferror(client_fd)) {
- perror("fgets(), request");
- fclose(client_fd);
- return -1;
- }
-
- return -2;
- }
-
- while (NULL != fgets(buffer, MAX_REQUEST_LINE, client_fd)) {
- /* End of header. */
- if (0 == strcmp(buffer, "\n") || 0 == strcmp(buffer, "\r\n")) {
- break;
- }
- }
- if (ferror(client_fd)) {
- perror("fgets(), header");
- fclose(client_fd);
- return -1;
- }
-
- return 0;
-}
-
-static void send_close_bad_request(FILE *client_fd) {
- fprintf(client_fd, "HTTP/1.0 400 Bad Request\r\n");
- fprintf(client_fd, "\r\n");
- fclose(client_fd);
-}
-static void send_close_forwarding_failure(FILE *client_fd) {
- fprintf(client_fd, "HTTP/1.0 503 Forwarding failure\r\n");
- fprintf(client_fd, "\r\n");
- fclose(client_fd);
+ gnutls_global_deinit();
}
+static void *worker_thread(void *unused) {
+ int client_socket;
-/* Transfer data between client and server sockets until one closes the
- * connection. */
-static void transfer_data(int client, int server) {
- struct pollfd fds[2];
- fds[0].fd = client;
- fds[0].events = POLLIN | POLLPRI | POLLHUP | POLLERR;
- fds[0].revents = 0;
- fds[1].fd = server;
- fds[1].events = POLLIN | POLLPRI | POLLHUP | POLLERR;
- fds[1].revents = 0;
+ (void)unused;
for (;;) {
- int result = poll(fds, 2, -1 /* no timeout */);
- if (result < 0) {
- perror("poll()");
- return;
- }
-
- /* Data available from client. */
- if (fds[0].revents & POLLIN || fds[0].revents & POLLPRI) {
- if (0 != read_from_write_to(client, server)) {
- /* EOF (or other error) */
- break;
- }
- }
- /* Data available from server. */
- if (fds[1].revents & POLLIN || fds[1].revents & POLLPRI) {
- if (0 != read_from_write_to(server, client)) {
- /* EOF (or other error) */
- break;
- }
- }
-
- /* Client closed connection. */
- if (fds[0].revents & POLLERR || fds[0].revents & POLLHUP) {
- break;
- }
- /* Server closed connection. */
- if (fds[1].revents & POLLERR || fds[1].revents & POLLHUP) {
+ /* Get next element from ring buffer. */
+ P(ringbuffer_full);
+ P(ringbuffer_lock);
+ client_socket = ringbuffer[ringbuffer_read];
+ ringbuffer_read = (ringbuffer_read + 1) % RINGBUFFER_SIZE;
+ V(ringbuffer_lock);
+ V(ringbuffer_free);
+
+ /* Negative value indicates we should shut down our thread. */
+ if (client_socket < 0) {
break;
}
- }
-}
-/* Read available data from socket from and write it to socket to. At maximum
- * 4096 bytes are read/written. */
-static int read_from_write_to(int from, int to) {
- ssize_t size_read;
- ssize_t size_written;
- char buffer[4096];
-
- size_read = read(from, buffer, sizeof(buffer));
- if (0 > size_read) {
- perror("read()");
- return -1;
- }
- /* EOF */
- if (0 == size_read) {
- return -1;
- }
-
- size_written = write(to, buffer, (size_t)size_read);
- if (0 > size_written) {
- perror("write()");
- return -1;
- }
- if (size_read != size_written) {
- printf("only written %ld of %ld bytes!\n", (long int)size_read,
- (long int)size_written);
- return -1;
+ handle_connection(client_socket);
}
- return 0;
+ return NULL;
}
+static char *slurp_file(const char *path) {
+ struct stat stat;
+ size_t size_read;
+ char *content = NULL;
-static int connect_to_host(const char *hostname, const char *port) {
- struct addrinfo gai_hints;
- struct addrinfo *gai_result;
- int gai_return;
+ FILE *file = fopen(path, "r");
+ if (file == NULL) {
+ return NULL;
+ }
- int server_socket;
- struct addrinfo *server;
+ ct_assert(sizeof(stat.st_size) <= sizeof(size_t));
- if (NULL == hostname || NULL == port) {
- return -1;
+ if (fstat(fileno(file), &stat) != 0) {
+ goto out;
}
-
- /* Get IP of hostname server. */
- memset(&gai_hints, 0, sizeof(gai_hints));
- gai_hints.ai_family = AF_UNSPEC;
- gai_hints.ai_socktype = SOCK_STREAM;
- gai_hints.ai_protocol = 0;
- gai_hints.ai_flags = AI_NUMERICSERV /* given port is numeric */
- | AI_ADDRCONFIG /* supported by this computer */
- | AI_V4MAPPED; /* support IPv4 through IPv6 */
- gai_return = getaddrinfo(hostname, port, &gai_hints, &gai_result);
- if (0 != gai_return) {
- perror("getaddrinfo()");
- return -1;
+ if (stat.st_size < 0) { /* just in case ... */
+ abort();
+ } else if ((size_t)stat.st_size >= SIZE_MAX - 1) {
+ errno = 0;
+ goto out;
}
- /* Now try to connect to each server returned by getaddrinfo(), use the
- * first successful connect. */
- for (server = gai_result; NULL != server; server = server->ai_next) {
- server_socket = socket(server->ai_family,
- server->ai_socktype,
- server->ai_protocol);
- if (-1 == server_socket) {
- perror("socket(), trying next");
- continue;
- }
-
- if (-1 != connect(server_socket, server->ai_addr,
- server->ai_addrlen)) {
- break;
- }
- perror("connect(), trying next");
-
- close(server_socket);
+ content = malloc((size_t)stat.st_size + 1);
+ if (content == NULL) {
+ goto out;
}
- /* Make sure we free the result from getaddrinfo(). */
- freeaddrinfo(gai_result);
- if (NULL == server) {
- fprintf(stderr, "no server found, aborting\n");
- return -1;
+ errno = 0;
+ size_read = fread(content, 1, (size_t)stat.st_size, file);
+ if (size_read != (size_t)stat.st_size) {
+ free(content);
+ content = NULL;
+ goto out;
}
+ content[size_read] = '\0';
- return server_socket;
-}
-
-
-/* Parse HTTP CONNECT request string and save its parameters.
- *
- * The following format is expected: "CONNECT host:port HTTP/1.y".
- *
- * request and host must have the same size! port must be at least 6 bytes
- * long (5 + '\0').
- */
-static int parse_request(const char *request, char *host, char *port,
- int *version_minor) {
- int port_unused; /* just used to verify the port is numeric */
- char *position;
-
- /* scanf() doesn't check spaces. */
- if (0 != strncmp(request, "CONNECT ", 8)) {
- return -1;
- }
- /* Check request and extract data, "host:port" is not yet separated. */
- if (2 != sscanf(request, "CONNECT %s HTTP/1.%d",
- host, version_minor)) {
- return -1;
- }
- /* Make sure ":port" is there. */
- if (NULL == (position = strchr(host, ':'))) {
- return -1;
- }
- /* Make sure port is numeric. */
- if (1 != sscanf(position + 1, "%d", &port_unused)) {
- return -1;
- }
- /* Store it in *port. */
- strncpy(port, position + 1, 5);
- port[5] = '\0';
- /* And remove port from host. */
- *position = '\0';
+out:
+ fclose(file);
- return 0;
+ return content;
}
ruderich.org/simon / tlsproxy / tlsproxy.git / blobdiff