Fix indentation of LOG() calls.

[tlsproxy/tlsproxy.git] / src / verify.c
diff --git a/src/verify.c b/src/verify.c

index 487ad2ede213e1fc266d4e890fc5ce5ee50f1980..34a081493e81b1a41ef044ff69dffb77d2c8ef99 100644 (file)
--- a/src/verify.c
+++ b/src/verify.c
@@ -20,6 +20,7 @@
  #include "tlsproxy.h"
  #include "verify.h"
  
+#include <assert.h>
  #include <errno.h>
  
  #include <gnutls/x509.h>
@@ -40,15 +41,16 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
      unsigned int cert_list_size;
      FILE *file;
      char buffer[66]; /* one line in a PEM file is 64 bytes + '\n' + '\0' */
-    char server_cert[8192];
-    char stored_cert[8192];
+    char server_cert[16384];
+    char stored_cert[16384];
  
      result = gnutls_certificate_verify_peers2(session, &status);
      /* Verification failed (!= invalid certificate but worse), no need for any
       * more checks. */
      if (result < 0) {
-        LOG(LOG_WARNING,
-            "verify_tls_connection(): gnutls_certificate_verify_peers2() failed: %s",
+        LOG(WARNING,
+            "verify_tls_connection(): "
+            "gnutls_certificate_verify_peers2() failed: %s",
              gnutls_strerror(result));
          return -1;
      }
@@ -57,8 +59,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
              || status & GNUTLS_CERT_REVOKED
              || status & GNUTLS_CERT_NOT_ACTIVATED
              || status & GNUTLS_CERT_INSECURE_ALGORITHM) {
-        LOG(LOG_WARNING,
-            "verify_tls_connection(): invalid server certificate");
+        LOG(WARNING, "verify_tls_connection(): invalid server certificate");
          return -1;
      }
  
@@ -66,8 +67,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
       * prevent an attacker from changing the certificate type to prevent
       * detection. */
      if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) {
-        LOG(LOG_WARNING,
-            "verify_tls_connection(): no X509 server certificate");
+        LOG(WARNING, "verify_tls_connection(): no X509 server certificate");
          return -1;
      }
  
@@ -75,7 +75,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
  
      result = gnutls_x509_crt_init(&cert);
      if (result < 0) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
              "verify_tls_connection(): gnutls_x509_crt_init() failed: %s",
              gnutls_strerror(result));
          return -1;
@@ -83,7 +83,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
  
      cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
      if (cert_list == NULL) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
              "verify_tls_connection(): gnutls_certificate_get_peers() failed");
          gnutls_x509_crt_deinit(cert);
          return -1;
@@ -91,7 +91,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
  
      result = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER);
      if (result < 0) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
              "verify_tls_connection(): gnutls_x509_crt_import() failed: %s",
              gnutls_strerror(result));
          gnutls_x509_crt_deinit(cert);
@@ -104,7 +104,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
      result = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM,
                                      server_cert, &size);
      if (result != GNUTLS_E_SUCCESS) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
              "verify_tls_connection(): gnutls_x509_crt_export() failed: %s",
              gnutls_strerror(result));
          gnutls_x509_crt_deinit(cert);
@@ -115,7 +115,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
  
      /* Open stored server certificate file. */
      if (server_certificate_file(&file, hostname, path, sizeof(path)) != 0) {
-        LOG(LOG_DEBUG, "server certificate:\n%s", server_cert);
+        LOG(DEBUG, "server certificate:\n%s", server_cert);
          return -1;
      }
  
@@ -126,33 +126,31 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
          size += strlen(buffer);
          /* Make sure the buffer is big enough. */
          if (size >= sizeof(stored_cert)) {
-            LOG(LOG_WARNING, "verify_tls_connection(): '%s' too big", path);
+            LOG(WARNING, "verify_tls_connection(): '%s' too big", path);
              fclose(file);
  
-            LOG(LOG_DEBUG, "server certificate:\n%s", server_cert);
+            LOG(DEBUG, "server certificate:\n%s", server_cert);
              return -1;
          }
  
          strcat(stored_cert, buffer);
      }
      if (ferror(file)) {
+        LOG(WARNING, "verify_tls_connection(): failed to read from '%s': %s",
+                     path, strerror(errno));
          fclose(file);
-        LOG(LOG_WARNING,
-            "verify_tls_connection(): failed to read from '%s': %s",
-            path, strerror(errno));
  
-        LOG(LOG_DEBUG, "server certificate:\n%s", server_cert);
+        LOG(DEBUG, "server certificate:\n%s", server_cert);
          return -1;
      }
      fclose(file);
  
      /* Check if the server certificate matches our stored certificate. */
      if (strcmp(stored_cert, server_cert)) {
-        LOG(LOG_ERROR,
-            "verify_tls_connection(): server certificate changed!",
-            path, strerror(errno));
+        LOG(ERROR, "verify_tls_connection(): server certificate changed!",
+                   path, strerror(errno));
  
-        LOG(LOG_WARNING, "server certificate:\n%s", server_cert);
+        LOG(WARNING, "server certificate:\n%s", server_cert);
          return -2;
      }
  
@@ -164,7 +162,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
      }
      file = fopen(path, "r");
      if (file == NULL) {
-        LOG(LOG_WARNING,
+        LOG(WARNING,
              "verify_tls_connection(): proxy certificate doesn't exist: '%s'",
              path);
          return -1;
@@ -180,26 +178,25 @@ static int get_certificate_path(const char *format,
      int result;
  
      /* Hostname too long. */
+    assert(size > strlen(format));
      if (size - strlen(format) <= strlen(hostname)) {
-        LOG(LOG_WARNING,
-            "get_certificate_path(): hostname too long: '%s'",
-            hostname);
+        LOG(WARNING, "get_certificate_path(): hostname too long: '%s'",
+                     hostname);
          return -1;
      }
      /* Try to prevent path traversals in hostnames. */
      if (strstr(hostname, "..") != NULL) {
-        LOG(LOG_WARNING,
-            "get_certificate_path(): possible path traversal: '%s'",
-            hostname);
+        LOG(WARNING, "get_certificate_path(): possible path traversal: '%s'",
+                     hostname);
          return -1;
      }
      /* Safe as format is no user input. */
      result = snprintf(buffer, size, format, hostname);
      if (result < 0) {
-        LOG_PERROR(LOG_ERROR, "get_certificate_path(): snprintf failed");
+        LOG_PERROR(ERROR, "get_certificate_path(): snprintf failed");
          return -1;
      } else if ((size_t)result >= size) {
-        LOG(LOG_ERROR, "get_certificate_path(): snprintf buffer too short");
+        LOG(ERROR, "get_certificate_path(): snprintf buffer too short");
          return -1;
      }
  
@@ -215,8 +212,7 @@ int server_certificate_file(FILE **file, const char *hostname,
                              char *path, size_t size) {
      if (get_certificate_path(STORED_SERVER_CERT_FORMAT,
                               hostname, path, size) != 0) {
-        LOG_PERROR(LOG_ERROR,
-                   "server_certificate_file(): failed to get path");
+        LOG_PERROR(ERROR, "server_certificate_file(): failed to get path");
          return -1;
      }
  
@@ -224,13 +220,11 @@ int server_certificate_file(FILE **file, const char *hostname,
      *file = fopen(path, "rb");
      if (*file == NULL) {
          if (global_passthrough_unknown) {
-            LOG(LOG_DEBUG,
-                "server_certificate_file(): failed to open '%s': %s",
-                path, strerror(errno));
+            LOG(DEBUG, "server_certificate_file(): failed to open '%s': %s",
+                       path, strerror(errno));
          } else {
-            LOG(LOG_WARNING,
-                "server_certificate_file(): failed to open '%s': %s",
-                path, strerror(errno));
+            LOG(WARNING, "server_certificate_file(): failed to open '%s': %s",
+                         path, strerror(errno));
          }
          /* Couldn't open the file, special case. */
          return -2;