Verify the server certificate against a stored copy.

[tlsproxy/tlsproxy.git] / src / connection.c

diff --git a/src/connection.c b/src/connection.c
index 7ea6eb24a7573dd14d5d21facf89a06dc2546c9d..1421afa0c384073e51776b5bda129f031d1fcf29 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -19,6 +19,7 @@
 
 #include "tlsproxy.h"
 #include "connection.h"
+#include "verify.h"
 
 /* close() */
 #include <unistd.h>
@@ -35,10 +36,6 @@
  * should be a good limit to make processing simpler. */
 #define MAX_REQUEST_LINE 4096
 
-/* Paths to necessary TLS files: the CA and the server key. */
-#define PROXY_CA_FILE  "proxy-ca.pem"
-#define PROXY_KEY_FILE "proxy-key.pem"
-
 
 static int initialize_tls_session_client(int peer_socket,
         const char *hostname,
@@ -51,6 +48,7 @@ static int initialize_tls_session_server(int peer_socket,
 static int read_http_request(FILE *client_fd, char *request, size_t length);
 static void send_bad_request(FILE *client_fd);
 static void send_forwarding_failure(FILE *client_fd);
+static void tls_send_server_error(gnutls_session_t session);
 
 #if 0
 static void transfer_data(int client, int server);
@@ -231,7 +229,12 @@ void handle_connection(int client_socket) {
 
     LOG(LOG_DEBUG, "server TLS handshake finished, transferring data");
 
-    /* FIXME: verify server's fingerprint */
+    /* Make sure the server certificate is valid and known. */
+    if (0 != verify_tls_connection(server_session, host)) {
+        LOG(LOG_ERROR, "server certificate validation failed!");
+        tls_send_server_error(client_session);
+        goto out;
+    }
 
     /* Proxy data between client and server until one suite is done (EOF or
      * error). */
@@ -241,12 +244,13 @@ void handle_connection(int client_socket) {
     LOG(LOG_DEBUG, "finished transferring data");
 
 out:
-    /* Close TLS sessions if necessary. */
+    /* Close TLS sessions if necessary. Use GNUTLS_SHUT_RDWR so the data is
+     * reliable transmitted. */
     if (0 != server_session_started) {
-        gnutls_bye(server_session, GNUTLS_SHUT_WR);
+        gnutls_bye(server_session, GNUTLS_SHUT_RDWR);
     }
     if (0 != client_session_started) {
-        gnutls_bye(client_session, GNUTLS_SHUT_WR);
+        gnutls_bye(client_session, GNUTLS_SHUT_RDWR);
     }
     if (0 != server_session_init) {
         gnutls_deinit(server_session);
@@ -284,12 +288,9 @@ static int initialize_tls_session_client(int peer_socket,
         gnutls_certificate_credentials_t *x509_cred) {
     int result;
     char path[1024];
-    /* The server certificate for the given hostname is stored in
-     * "./certificate-hostname-proxy.pem". */
-#define PATH_FORMAT "./certificate-%s-proxy.pem"
 
     /* Hostname too long. */
-    if (sizeof(path) - strlen(PATH_FORMAT) <= strlen(hostname)) {
+    if (sizeof(path) - strlen(PROXY_SERVER_CERT_FORMAT) <= strlen(hostname)) {
         LOG(LOG_WARNING,
             "initialize_tls_session_client(): hostname too long: '%s'",
             hostname);
@@ -302,8 +303,7 @@ static int initialize_tls_session_client(int peer_socket,
             hostname);
         return -1;
     }
-    snprintf(path, sizeof(path), PATH_FORMAT, hostname);
-#undef PATH_FORMAT
+    snprintf(path, sizeof(path), PROXY_SERVER_CERT_FORMAT, hostname);
 
     result = gnutls_certificate_allocate_credentials(x509_cred);
     if (GNUTLS_E_SUCCESS != result) {
@@ -447,6 +447,10 @@ static void send_forwarding_failure(FILE *client_fd) {
     fprintf(client_fd, "HTTP/1.0 503 Forwarding failure\r\n");
     fprintf(client_fd, "\r\n");
 }
+static void tls_send_server_error(gnutls_session_t session) {
+    gnutls_record_send(session, "HTTP/1.0 500 Internal Server Error\r\n", 36);
+    gnutls_record_send(session, "\r\n", 2);
+}
 
 
 #if 0