]> ruderich.org/simon Gitweb - tlsproxy/tlsproxy.git/blobdiff - src/verify.c
ruderich.org/simon / tlsproxy / tlsproxy.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Update copyright year.
[tlsproxy/tlsproxy.git] / src / verify.c
diff --git a/src/verify.c b/src/verify.c
index dfc6bfb2930c4f1f31dc2775bfb8cd600e50075d..0208af21b526a0bb028d71793fd7b3c0c68fc295 100644 (file)
--- a/src/verify.c
+++ b/src/verify.c
@@ -1,7 +1,7 @@
 /*
  * Verify established TLS connections.
  *
- * Copyright (C) 2011-2013  Simon Ruderich
+ * Copyright (C) 2011-2014  Simon Ruderich
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -20,11 +20,37 @@
 #include "tlsproxy.h"
 #include "verify.h"
 
+#include <assert.h>
 #include <errno.h>
 
 #include <gnutls/x509.h>
 
 
+/* Compatibility for older GnuTLS versions. Define the constants in a way
+ * which doesn't affect the status check below. */
+#ifndef GNUTLS_CERT_SIGNER_NOT_CA
+# define GNUTLS_CERT_SIGNER_NOT_CA 0
+#endif
+#ifndef GNUTLS_CERT_SIGNATURE_FAILURE
+# define GNUTLS_CERT_SIGNATURE_FAILURE 0
+#endif
+#ifndef GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED
+# define GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED 0
+#endif
+#ifndef GNUTLS_CERT_UNEXPECTED_OWNER
+# define GNUTLS_CERT_UNEXPECTED_OWNER 0
+#endif
+#ifndef GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE
+# define GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE 0
+#endif
+#ifndef GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
+# define GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE 0
+#endif
+#ifndef GNUTLS_CERT_MISMATCH
+# define GNUTLS_CERT_MISMATCH 0
+#endif
+
+
 static int get_certificate_path(const char *format,
         const char *hostname, char *buffer, size_t size);
 
@@ -47,18 +73,26 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
     /* Verification failed (!= invalid certificate but worse), no need for any
      * more checks. */
     if (result < 0) {
-        LOG(LOG_WARNING,
-            "verify_tls_connection(): gnutls_certificate_verify_peers2() failed: %s",
+        LOG(WARNING,
+            "verify_tls_connection(): "
+            "gnutls_certificate_verify_peers2() failed: %s",
             gnutls_strerror(result));
         return -1;
     }
-    /* Definitely an invalid certificate, abort. */
-    if (status & GNUTLS_CERT_EXPIRED
-            || status & GNUTLS_CERT_REVOKED
+    /* Definitely an invalid certificate, abort. We don't perform any CA
+     * verification so don't check for GNUTLS_CERT_INVALID. */
+    if (status & GNUTLS_CERT_REVOKED
+            || status & GNUTLS_CERT_SIGNER_NOT_CA
+            || status & GNUTLS_CERT_INSECURE_ALGORITHM
             || status & GNUTLS_CERT_NOT_ACTIVATED
-            || status & GNUTLS_CERT_INSECURE_ALGORITHM) {
-        LOG(LOG_WARNING,
-            "verify_tls_connection(): invalid server certificate");
+            || status & GNUTLS_CERT_EXPIRED
+            || status & GNUTLS_CERT_SIGNATURE_FAILURE
+            || status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED
+            || status & GNUTLS_CERT_UNEXPECTED_OWNER
+            || status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE
+            || status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
+            || status & GNUTLS_CERT_MISMATCH) {
+        LOG(WARNING, "verify_tls_connection(): invalid server certificate");
         return -1;
     }
 
@@ -66,8 +100,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
      * prevent an attacker from changing the certificate type to prevent
      * detection. */
     if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) {
-        LOG(LOG_WARNING,
-            "verify_tls_connection(): no X509 server certificate");
+        LOG(WARNING, "verify_tls_connection(): no X509 server certificate");
         return -1;
     }
 
@@ -75,7 +108,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
 
     result = gnutls_x509_crt_init(&cert);
     if (result < 0) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
             "verify_tls_connection(): gnutls_x509_crt_init() failed: %s",
             gnutls_strerror(result));
         return -1;
@@ -83,7 +116,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
 
     cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
     if (cert_list == NULL) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
             "verify_tls_connection(): gnutls_certificate_get_peers() failed");
         gnutls_x509_crt_deinit(cert);
         return -1;
@@ -91,7 +124,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
 
     result = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
     if (result < 0) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
             "verify_tls_connection(): gnutls_x509_crt_import() failed: %s",
             gnutls_strerror(result));
         gnutls_x509_crt_deinit(cert);
@@ -104,7 +137,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
     result = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM,
                                     server_cert, &size);
     if (result != GNUTLS_E_SUCCESS) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
             "verify_tls_connection(): gnutls_x509_crt_export() failed: %s",
             gnutls_strerror(result));
         gnutls_x509_crt_deinit(cert);
@@ -115,7 +148,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
 
     /* Open stored server certificate file. */
     if (server_certificate_file(&file, hostname, path, sizeof(path)) != 0) {
-        LOG(LOG_DEBUG, "server certificate:\n%s", server_cert);
+        LOG(DEBUG1, "server certificate:\n%s", server_cert);
         return -1;
     }
 
@@ -126,45 +159,48 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
         size += strlen(buffer);
         /* Make sure the buffer is big enough. */
         if (size >= sizeof(stored_cert)) {
-            LOG(LOG_WARNING, "verify_tls_connection(): '%s' too big", path);
+            LOG(WARNING, "verify_tls_connection(): '%s' too big", path);
             fclose(file);
 
-            LOG(LOG_DEBUG, "server certificate:\n%s", server_cert);
+            LOG(DEBUG1, "server certificate:\n%s", server_cert);
             return -1;
         }
 
         strcat(stored_cert, buffer);
     }
     if (ferror(file)) {
+        LOG(WARNING, "verify_tls_connection(): failed to read from '%s': %s",
+                     path, strerror(errno));
         fclose(file);
-        LOG(LOG_WARNING,
-            "verify_tls_connection(): failed to read from '%s': %s",
-            path, strerror(errno));
 
-        LOG(LOG_DEBUG, "server certificate:\n%s", server_cert);
+        LOG(DEBUG1, "server certificate:\n%s", server_cert);
         return -1;
     }
     fclose(file);
 
     /* Check if the server certificate matches our stored certificate. */
     if (strcmp(stored_cert, server_cert)) {
-        LOG(LOG_ERROR,
-            "verify_tls_connection(): server certificate changed!",
-            path, strerror(errno));
+        LOG(ERROR, "verify_tls_connection(): server certificate changed!",
+                   path, strerror(errno));
 
-        LOG(LOG_WARNING, "server certificate:\n%s", server_cert);
+        LOG(WARNING, "server certificate:\n%s", server_cert);
         return -2;
     }
 
-    /* Check that the proxy certificate file exists and is readable for this
-     * domain. This ensures we send an "invalid" certificate even if the proxy
-     * certificate doesn't exist. */
+    /* Check that the proxy certificate file for this domain exists and is
+     * readable. This ensures we send an "invalid" certificate if the proxy
+     * certificate doesn't exist.
+     *
+     * If the file gets removed or becomes unreadable after the check we won't
+     * be able to establish a connection to the real server so this
+     * race-condition has no security issues and is only a convenience for the
+     * user. */
     if (proxy_certificate_path(hostname, path, sizeof(path)) != 0) {
         return -1;
     }
     file = fopen(path, "r");
     if (file == NULL) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
             "verify_tls_connection(): proxy certificate doesn't exist: '%s'",
             path);
         return -1;
@@ -180,26 +216,25 @@ static int get_certificate_path(const char *format,
     int result;
 
     /* Hostname too long. */
+    assert(size > strlen(format));
     if (size - strlen(format) <= strlen(hostname)) {
-        LOG(LOG_WARNING,
-            "get_certificate_path(): hostname too long: '%s'",
-            hostname);
+        LOG(WARNING, "get_certificate_path(): hostname too long: '%s'",
+                     hostname);
         return -1;
     }
     /* Try to prevent path traversals in hostnames. */
     if (strstr(hostname, "..") != NULL) {
-        LOG(LOG_WARNING,
-            "get_certificate_path(): possible path traversal: '%s'",
-            hostname);
+        LOG(WARNING, "get_certificate_path(): possible path traversal: '%s'",
+                     hostname);
         return -1;
     }
     /* Safe as format is no user input. */
     result = snprintf(buffer, size, format, hostname);
     if (result < 0) {
-        LOG_PERROR(LOG_ERROR, "get_certificate_path(): snprintf failed");
+        LOG_PERROR(ERROR, "get_certificate_path(): snprintf failed");
         return -1;
     } else if ((size_t)result >= size) {
-        LOG(LOG_ERROR, "get_certificate_path(): snprintf buffer too short");
+        LOG(ERROR, "get_certificate_path(): snprintf buffer too short");
         return -1;
     }
 
@@ -207,16 +242,15 @@ static int get_certificate_path(const char *format,
 }
 
 int proxy_certificate_path(const char *hostname, char *path, size_t size) {
-    return get_certificate_path(PROXY_SERVER_CERT_FORMAT,
+    return get_certificate_path(PROXY_SERVER_CERT_FILE_FORMAT,
                                 hostname, path, size);
 }
 
 int server_certificate_file(FILE **file, const char *hostname,
                             char *path, size_t size) {
-    if (get_certificate_path(STORED_SERVER_CERT_FORMAT,
+    if (get_certificate_path(STORED_SERVER_CERT_FILE_FORMAT,
                              hostname, path, size) != 0) {
-        LOG_PERROR(LOG_ERROR,
-                   "server_certificate_file(): failed to get path");
+        LOG_PERROR(ERROR, "server_certificate_file(): failed to get path");
         return -1;
     }
 
@@ -224,13 +258,11 @@ int server_certificate_file(FILE **file, const char *hostname,
     *file = fopen(path, "rb");
     if (*file == NULL) {
         if (global_passthrough_unknown) {
-            LOG(LOG_DEBUG,
-                "server_certificate_file(): failed to open '%s': %s",
-                path, strerror(errno));
+            LOG(DEBUG1, "server_certificate_file(): failed to open '%s': %s",
+                        path, strerror(errno));
         } else {
-            LOG(LOG_WARNING,
-                "server_certificate_file(): failed to open '%s': %s",
-                path, strerror(errno));
+            LOG(WARNING, "server_certificate_file(): failed to open '%s': %s",
+                         path, strerror(errno));
         }
         /* Couldn't open the file, special case. */
         return -2;
Certificate verifying tlsproxy, prevents MITMs by (manipulated) CAs by verifying the server certificate.