+ /* Initialize TLS server credentials to talk to the client. */
+ result = initialize_tls_session_client(client_socket, host,
+ &client_session,
+ &client_x509_cred);
+ if (0 != result) {
+ LOG(LOG_WARNING, "initialize_tls_session_client() failed");
+ send_forwarding_failure(client_fd);
+ goto out;
+ }
+ client_session_init = 1;
+
+ LOG(LOG_DEBUG, "starting client TLS handshake");
+
+ /* Try to establish TLS handshake between client and us. */
+ result = gnutls_handshake(client_session);
+ if (GNUTLS_E_SUCCESS != result) {
+ LOG(LOG_WARNING, "client TLS handshake failed: %s",
+ gnutls_strerror(result));
+ send_forwarding_failure(client_fd);
+ goto out;
+ }
+ client_session_started = 1;
+
+ LOG(LOG_DEBUG, "client TLS handshake finished");
+
+ result = initialize_tls_session_server(server_socket, &server_session,
+ &server_x509_cred);
+ /* Initialize TLS client credentials to talk to the server. */
+ if (0 != result) {
+ LOG(LOG_WARNING, "initialize_tls_session_server() failed");
+ send_forwarding_failure(client_fd);
+ goto out;
+ }
+ server_session_init = 1;
+
+ LOG(LOG_DEBUG, "starting server TLS handshake");
+
+ /* Try to establish TLS handshake between us and server. */
+ result = gnutls_handshake(server_session);
+ if (GNUTLS_E_SUCCESS != result) {
+ LOG(LOG_WARNING, "server TLS handshake failed: %s",
+ gnutls_strerror(result));
+ send_forwarding_failure(client_fd);
+ goto out;
+ }
+ server_session_started = 1;
+
+ LOG(LOG_DEBUG, "server TLS handshake finished, transferring data");
+
+ /* FIXME: verify server's fingerprint */
+
+ /* Proxy data between client and server until one suite is done (EOF or
+ * error). */
+ transfer_data_tls(client_socket, server_socket,
+ client_session, server_session);
+
+ LOG(LOG_DEBUG, "finished transferring data");
+
+out:
+ /* Close TLS sessions if necessary. */
+ if (0 != server_session_started) {
+ gnutls_bye(server_session, GNUTLS_SHUT_WR);
+ }
+ if (0 != client_session_started) {
+ gnutls_bye(client_session, GNUTLS_SHUT_WR);
+ }
+ if (0 != server_session_init) {
+ gnutls_deinit(server_session);
+ gnutls_certificate_free_credentials(server_x509_cred);
+ }
+ if (0 != client_session_init) {
+ gnutls_deinit(client_session);
+ gnutls_certificate_free_cas(client_x509_cred);
+ gnutls_certificate_free_keys(client_x509_cred);
+ gnutls_certificate_free_credentials(client_x509_cred);
+ }
+
+ /* Close connection to server/proxy. */
+ if (NULL != server_fd) {
+ fclose(server_fd);
+ } else if (-1 != server_socket) {
+ close(server_socket);
+ }
+ LOG(LOG_DEBUG, "connection to server closed");
+ /* Close connection to client. */
+ if (NULL != client_fd) {
+ fclose(client_fd);
+ } else {
+ close(client_socket);
+ }
+ LOG(LOG_DEBUG, "connection to client closed");
+
+ LOG(LOG_DEBUG, "connection finished");
+}
+
+
+static int initialize_tls_session_client(int peer_socket,
+ const char *hostname,
+ gnutls_session_t *session,
+ gnutls_certificate_credentials_t *x509_cred) {
+ int result;
+ char path[1024];
+ /* The server certificate for the given hostname is stored in
+ * "./certificate-hostname-proxy.pem". */
+#define PATH_FORMAT "./certificate-%s-proxy.pem"
+
+ /* Hostname too long. */
+ if (sizeof(path) - strlen(PATH_FORMAT) <= strlen(hostname)) {
+ LOG(LOG_WARNING,
+ "initialize_tls_session_client(): hostname too long: '%s'",
+ hostname);
+ return -1;
+ }
+ /* Try to prevent path traversals in hostnames. */
+ if (NULL != strstr(hostname, "..")) {
+ LOG(LOG_WARNING,
+ "initialize_tls_session_client(): possible path traversal: '%s'",
+ hostname);
+ return -1;
+ }
+ snprintf(path, sizeof(path), PATH_FORMAT, hostname);
+#undef PATH_FORMAT
+
+ result = gnutls_certificate_allocate_credentials(x509_cred);
+ if (GNUTLS_E_SUCCESS != result) {
+ LOG(LOG_ERROR,
+ "initialize_tls_session_client(): \
+gnutls_certificate_allocate_credentials(): %s",
+ gnutls_strerror(result));
+ return -1;
+ }
+
+ /* Load proxy CA file, this CA "list" is send to the client. */
+ result = gnutls_certificate_set_x509_trust_file(*x509_cred,
+ PROXY_CA_FILE,
+ GNUTLS_X509_FMT_PEM);
+ if (0 >= result) {
+ LOG(LOG_ERROR,
+ "initialize_tls_session_client(): can't read CA file: '%s'",
+ PROXY_CA_FILE);
+ return -1;
+ }
+ /* And certificate for this website and proxy's private key. */
+ result = gnutls_certificate_set_x509_key_file(*x509_cred,
+ path, PROXY_KEY_FILE,
+ GNUTLS_X509_FMT_PEM);
+ if (GNUTLS_E_SUCCESS != result) {
+ LOG(LOG_ERROR,
+ "initialize_tls_session_client(): \
+can't read server certificate ('%s') or key file ('%s'): %s",
+ path, PROXY_KEY_FILE, gnutls_strerror(result));
+ /* Could be a missing certificate. */
+ return -2;
+ }
+
+ gnutls_certificate_set_dh_params(*x509_cred, tls_dh_params);