+ fprintf(client_fd_write, "HTTP/1.0 200 Connection established\r\n");
+ fprintf(client_fd_write, "\r\n");
+ fflush(client_fd_write);
+
+ LOG(DEBUG, "starting client TLS handshake");
+
+ /* Try to establish TLS handshake between client and us. */
+ result = gnutls_handshake(client_session);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(WARNING, "client TLS handshake failed: %s",
+ gnutls_strerror(result));
+ send_forwarding_failure(client_fd_write);
+ goto out;
+ }
+ client_session_started = 1;
+
+ LOG(DEBUG, "client TLS handshake finished");
+
+ /* Tell the client that the verification failed. Shouldn't be necessary as
+ * the client should terminate the connection because he received the
+ * invalid certificate but better be sure. */
+ if (validation_failed) {
+ tls_send_invalid_cert_message(client_session);
+ goto out;
+ }
+
+ LOG(DEBUG, "transferring TLS data");
+
+ /* Proxy data between client and server until one side is done (EOF or
+ * error). */
+ transfer_data_tls(client_socket, server_socket,
+ client_session, server_session);
+
+ LOG(DEBUG, "finished transferring TLS data");
+
+out:
+ /* Close TLS sessions if necessary. Use GNUTLS_SHUT_RDWR so the data is
+ * reliable transmitted. */
+ if (server_session_started) {
+ gnutls_bye(server_session, GNUTLS_SHUT_RDWR);
+ }
+ if (client_session_started) {
+ gnutls_bye(client_session, GNUTLS_SHUT_RDWR);
+ }
+ if (server_session_init) {
+ gnutls_deinit(server_session);
+ gnutls_certificate_free_credentials(server_x509_cred);
+ }
+ if (client_session_init) {
+ gnutls_deinit(client_session);
+ gnutls_certificate_free_cas(client_x509_cred);
+ gnutls_certificate_free_keys(client_x509_cred);
+ gnutls_certificate_free_credentials(client_x509_cred);
+ }
+
+ /* Close connection to server/proxy. */
+ if (server_fd_read != NULL) {
+ if (server_fd_write != NULL) {
+ fclose(server_fd_write);
+ }
+ fclose(server_fd_read);
+ } else if (server_socket != -1) {
+ close(server_socket);
+ }
+ LOG(DEBUG, "connection to server closed");
+ /* Close connection to client. */
+ if (client_fd_read != NULL) {
+ if (client_fd_write != NULL) {
+ fclose(client_fd_write);
+ }
+ fclose(client_fd_read);
+ } else {
+ close(client_socket);
+ }
+ LOG(DEBUG, "connection to client closed");
+
+ LOG(DEBUG, "connection finished");
+}
+
+
+static int initialize_tls_session_client(int peer_socket,
+ const char *hostname,
+ gnutls_session_t *session,
+ gnutls_certificate_credentials_t *x509_cred) {
+ int result;
+ int use_invalid_cert;
+ char path[TLSPROXY_MAX_PATH_LENGTH];
+
+ /* The "invalid" hostname is special. If it's used we send an invalid
+ * certificate to let the client know something is wrong. */
+ use_invalid_cert = (!strcmp(hostname, "invalid"));
+
+ if (proxy_certificate_path(hostname, path, sizeof(path)) != 0) {
+ LOG(ERROR,
+ "initialize_tls_session_client(): \
+failed to get proxy certificate path");
+ return -1;
+ }
+
+ result = gnutls_certificate_allocate_credentials(x509_cred);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(ERROR,
+ "initialize_tls_session_client(): \
+gnutls_certificate_allocate_credentials(): %s",
+ gnutls_strerror(result));
+ return -1;
+ }
+
+ /* Load proxy CA file, this CA "list" is send to the client. */
+ if (!use_invalid_cert) {
+ result = gnutls_certificate_set_x509_trust_file(*x509_cred,
+ PROXY_CA_FILE,
+ GNUTLS_X509_FMT_PEM);
+ if (result <= 0) {
+ LOG(ERROR,
+ "initialize_tls_session_client(): can't read CA file: '%s'",
+ PROXY_CA_FILE);
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
+ }
+ }
+ /* If the invalid hostname was specified do nothing, we use a self-signed
+ * certificate in this case. */
+
+ /* And certificate for this website and proxy's private key. */
+ if (!use_invalid_cert) {
+ result = gnutls_certificate_set_x509_key_file(*x509_cred,
+ path, PROXY_KEY_FILE,
+ GNUTLS_X509_FMT_PEM);
+ /* If the invalid hostname was specified load our special "invalid"
+ * certificate. */
+ } else {
+ result = gnutls_certificate_set_x509_key_file(*x509_cred,
+ PROXY_INVALID_CERT_FILE,
+ PROXY_KEY_FILE,
+ GNUTLS_X509_FMT_PEM);
+ }
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(ERROR,
+ "initialize_tls_session_client(): \
+can't read server certificate ('%s') or key file ('%s'): %s",
+ path, PROXY_KEY_FILE, gnutls_strerror(result));
+ gnutls_certificate_free_credentials(*x509_cred);
+ /* Could be a missing certificate. */
+ return -2;
+ }
+
+ gnutls_certificate_set_dh_params(*x509_cred, global_tls_dh_params);
+
+ result = gnutls_init(session, GNUTLS_SERVER);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(ERROR,
+ "initialize_tls_session_client(): gnutls_init(): %s",
+ gnutls_strerror(result));
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
+ }
+ result = gnutls_priority_set(*session, global_tls_priority_cache);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(ERROR,
+ "initialize_tls_session_client(): gnutls_priority_set(): %s",
+ gnutls_strerror(result));
+ gnutls_deinit(*session);
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
+ }
+ result = gnutls_credentials_set(*session,
+ GNUTLS_CRD_CERTIFICATE, *x509_cred);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(ERROR,
+ "initialize_tls_session_client(): gnutls_credentials_set(): %s",
+ gnutls_strerror(result));
+ gnutls_deinit(*session);
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
+ }
+
+ gnutls_transport_set_ptr(*session, (gnutls_transport_ptr_t)peer_socket);
+
+ return 0;
+}
+static int initialize_tls_session_server(int peer_socket,
+ gnutls_session_t *session,
+ gnutls_certificate_credentials_t *x509_cred) {
+ int result;
+
+ result = gnutls_certificate_allocate_credentials(x509_cred);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(ERROR,
+ "initialize_tls_session_server(): \
+gnutls_certificate_allocate_credentials(): %s",
+ gnutls_strerror(result));
+ return -1;
+ }
+
+ result = gnutls_init(session, GNUTLS_CLIENT);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(ERROR,
+ "initialize_tls_session_server(): gnutls_init(): %s",
+ gnutls_strerror(result));
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
+ }
+ result = gnutls_priority_set(*session, global_tls_priority_cache);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(ERROR,
+ "initialize_tls_session_server(): gnutls_priority_set(): %s",
+ gnutls_strerror(result));
+ gnutls_deinit(*session);
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
+ }
+ result = gnutls_credentials_set(*session,
+ GNUTLS_CRD_CERTIFICATE, *x509_cred);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(ERROR,
+ "initialize_tls_session_server(): gnutls_credentials_set(): %s",
+ gnutls_strerror(result));
+ gnutls_deinit(*session);
+ gnutls_certificate_free_credentials(*x509_cred);
+ return -1;
+ }