X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=1421afa0c384073e51776b5bda129f031d1fcf29;hb=946885b04de70f8481f58160de12f3ee3b0b380a;hp=8e023fe551718c75359a5d9f70d48fa82c00e782;hpb=14106ea40a55acbba0d14a6f66350221ade044ab;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/connection.c b/src/connection.c
index 8e023fe..1421afa 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -19,6 +19,7 @@
 
 #include "tlsproxy.h"
 #include "connection.h"
+#include "verify.h"
 
 /* close() */
 #include <unistd.h>
@@ -28,10 +29,6 @@
 #include <poll.h>
 /* errno */
 #include <errno.h>
-/* va_*() */
-#include <stdarg.h>
-/* pthread_*() */
-#include <pthread.h>
 
 
 /* Maximum line of a HTTP request line. Longer request lines are aborted with
@@ -39,26 +36,6 @@
  * should be a good limit to make processing simpler. */
 #define MAX_REQUEST_LINE 4096
 
-/* Paths to necessary TLS files: the CA and the server key. */
-#define PROXY_CA_FILE  "proxy-ca.pem"
-#define PROXY_KEY_FILE "proxy-key.pem"
-
-/* Helper macro for LOG/LOG_PERROR. Print file/line number if compiled with
- * debug output. */
-#ifdef DEBUG
-#define LOG_PRINT_LOCATION fprintf(stdout, "%s:%-3d ", __FILE__, __LINE__);
-#else
-#define LOG_PRINT_LOCATION
-#endif
-/* Call log_message() and print current file and line number. */
-#define LOG \
-    LOG_PRINT_LOCATION \
-    log_message
-/* perror() replacement with debug level support. */
-#define LOG_PERROR(level, message) \
-    LOG_PRINT_LOCATION \
-    log_message(level, "%s: %s", message, strerror(errno))
-
 
 static int initialize_tls_session_client(int peer_socket,
         const char *hostname,
@@ -71,6 +48,7 @@ static int initialize_tls_session_server(int peer_socket,
 static int read_http_request(FILE *client_fd, char *request, size_t length);
 static void send_bad_request(FILE *client_fd);
 static void send_forwarding_failure(FILE *client_fd);
+static void tls_send_server_error(gnutls_session_t session);
 
 #if 0
 static void transfer_data(int client, int server);
@@ -86,8 +64,6 @@ static int connect_to_host(const char *hostname, const char *port);
 static int parse_request(const char *buffer, char *host, char *port,
                                              int *version_minor);
 
-static void log_message(int level, const char *format, ...);
-
 
 void handle_connection(int client_socket) {
     int server_socket;
@@ -253,7 +229,12 @@ void handle_connection(int client_socket) {
 
     LOG(LOG_DEBUG, "server TLS handshake finished, transferring data");
 
-    /* FIXME: verify server's fingerprint */
+    /* Make sure the server certificate is valid and known. */
+    if (0 != verify_tls_connection(server_session, host)) {
+        LOG(LOG_ERROR, "server certificate validation failed!");
+        tls_send_server_error(client_session);
+        goto out;
+    }
 
     /* Proxy data between client and server until one suite is done (EOF or
      * error). */
@@ -263,12 +244,13 @@ void handle_connection(int client_socket) {
     LOG(LOG_DEBUG, "finished transferring data");
 
 out:
-    /* Close TLS sessions if necessary. */
+    /* Close TLS sessions if necessary. Use GNUTLS_SHUT_RDWR so the data is
+     * reliable transmitted. */
     if (0 != server_session_started) {
-        gnutls_bye(server_session, GNUTLS_SHUT_WR);
+        gnutls_bye(server_session, GNUTLS_SHUT_RDWR);
     }
     if (0 != client_session_started) {
-        gnutls_bye(client_session, GNUTLS_SHUT_WR);
+        gnutls_bye(client_session, GNUTLS_SHUT_RDWR);
     }
     if (0 != server_session_init) {
         gnutls_deinit(server_session);
@@ -306,12 +288,9 @@ static int initialize_tls_session_client(int peer_socket,
         gnutls_certificate_credentials_t *x509_cred) {
     int result;
     char path[1024];
-    /* The server certificate for the given hostname is stored in
-     * "./certificate-hostname-proxy.pem". */
-#define PATH_FORMAT "./certificate-%s-proxy.pem"
 
     /* Hostname too long. */
-    if (sizeof(path) - strlen(PATH_FORMAT) <= strlen(hostname)) {
+    if (sizeof(path) - strlen(PROXY_SERVER_CERT_FORMAT) <= strlen(hostname)) {
         LOG(LOG_WARNING,
             "initialize_tls_session_client(): hostname too long: '%s'",
             hostname);
@@ -324,8 +303,7 @@ static int initialize_tls_session_client(int peer_socket,
             hostname);
         return -1;
     }
-    snprintf(path, sizeof(path), PATH_FORMAT, hostname);
-#undef PATH_FORMAT
+    snprintf(path, sizeof(path), PROXY_SERVER_CERT_FORMAT, hostname);
 
     result = gnutls_certificate_allocate_credentials(x509_cred);
     if (GNUTLS_E_SUCCESS != result) {
@@ -469,6 +447,10 @@ static void send_forwarding_failure(FILE *client_fd) {
     fprintf(client_fd, "HTTP/1.0 503 Forwarding failure\r\n");
     fprintf(client_fd, "\r\n");
 }
+static void tls_send_server_error(gnutls_session_t session) {
+    gnutls_record_send(session, "HTTP/1.0 500 Internal Server Error\r\n", 36);
+    gnutls_record_send(session, "\r\n", 2);
+}
 
 
 #if 0
@@ -736,26 +718,3 @@ static int parse_request(const char *request, char *host, char *port,
 
     return 0;
 }
-
-
-static void log_message(int level, const char *format, ...) {
-    va_list ap;
-    const char *level_string;
-
-    if (global_log_level < level) {
-        return;
-    }
-
-    switch (level) {
-        case LOG_ERROR:   level_string = "ERROR"; break;
-        case LOG_WARNING: level_string = "WARN "; break;
-        case LOG_DEBUG:   level_string = "DEBUG"; break;
-        default:          level_string = "UNKNOWN";
-    }
-
-    va_start(ap, format);
-    fprintf(stdout, "[%s] [%d] ", level_string, (int)pthread_self());
-    vfprintf(stdout, format, ap);
-    fprintf(stdout, "\n");
-    va_end(ap);
-}