X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=1421afa0c384073e51776b5bda129f031d1fcf29;hb=946885b04de70f8481f58160de12f3ee3b0b380a;hp=9a47ee1829389428c29691dec7c8e4a630f6e2cb;hpb=8901c257215d60e07dd12ad2dad8d2c9569892aa;p=tlsproxy%2Ftlsproxy.git diff --git a/src/connection.c b/src/connection.c index 9a47ee1..1421afa 100644 --- a/src/connection.c +++ b/src/connection.c @@ -19,6 +19,7 @@ #include "tlsproxy.h" #include "connection.h" +#include "verify.h" /* close() */ #include @@ -28,10 +29,6 @@ #include /* errno */ #include -/* va_*() */ -#include -/* pthread_*() */ -#include /* Maximum line of a HTTP request line. Longer request lines are aborted with @@ -39,37 +36,34 @@ * should be a good limit to make processing simpler. */ #define MAX_REQUEST_LINE 4096 -/* Helper macro for LOG/LOG_PERROR. Print file/line number if compiled with - * debug output. */ -#ifdef DEBUG -#define LOG_PRINT_LOCATION fprintf(stdout, "%s:%-3d ", __FILE__, __LINE__); -#else -#define LOG_PRINT_LOCATION -#endif -/* Call log_message() and print current file and line number. */ -#define LOG \ - LOG_PRINT_LOCATION \ - log_message -/* perror() replacement with debug level support. */ -#define LOG_PERROR(level, message) \ - LOG_PRINT_LOCATION \ - log_message(level, "%s: %s", message, strerror(errno)) +static int initialize_tls_session_client(int peer_socket, + const char *hostname, + gnutls_session_t *session, + gnutls_certificate_credentials_t *x509_cred); +static int initialize_tls_session_server(int peer_socket, + gnutls_session_t *session, + gnutls_certificate_credentials_t *x509_cred); static int read_http_request(FILE *client_fd, char *request, size_t length); static void send_bad_request(FILE *client_fd); static void send_forwarding_failure(FILE *client_fd); +static void tls_send_server_error(gnutls_session_t session); +#if 0 static void transfer_data(int client, int server); static int read_from_write_to(int from, int to); +#endif +static void transfer_data_tls(int client, int server, + gnutls_session_t client_session, + gnutls_session_t server_session); +static int read_from_write_to_tls(gnutls_session_t from, gnutls_session_t to); static int connect_to_host(const char *hostname, const char *port); static int parse_request(const char *buffer, char *host, char *port, int *version_minor); -static void log_message(int level, const char *format, ...); - void handle_connection(int client_socket) { int server_socket; @@ -82,11 +76,26 @@ void handle_connection(int client_socket) { int version_minor; int result; + /* client_x509_cred is used when talking to the client (acting as a TSL + * server), server_x509_cred is used when talking to the server (acting as + * a TSL client). */ + gnutls_certificate_credentials_t client_x509_cred, server_x509_cred; + + gnutls_session_t client_session, server_session; + /* initialize_tls_session_*() called? - used for goto out */ + int client_session_init, server_session_init; + /* gnutls_handshake() called? - used for goto out */ + int client_session_started, server_session_started; + LOG(LOG_DEBUG, "new connection"); server_socket = -1; client_fd = NULL; server_fd = NULL; + client_session_init = 0; + server_session_init = 0; + client_session_started = 0; + server_session_started = 0; client_fd = fdopen(client_socket, "a+"); if (NULL == client_fd) { @@ -171,10 +180,89 @@ void handle_connection(int client_socket) { fprintf(client_fd, "\r\n"); fflush(client_fd); - /* And transfer all data between client and server transparently. */ - transfer_data(client_socket, server_socket); + /* Initialize TLS server credentials to talk to the client. */ + result = initialize_tls_session_client(client_socket, host, + &client_session, + &client_x509_cred); + if (0 != result) { + LOG(LOG_WARNING, "initialize_tls_session_client() failed"); + send_forwarding_failure(client_fd); + goto out; + } + client_session_init = 1; + + LOG(LOG_DEBUG, "starting client TLS handshake"); + + /* Try to establish TLS handshake between client and us. */ + result = gnutls_handshake(client_session); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_WARNING, "client TLS handshake failed: %s", + gnutls_strerror(result)); + send_forwarding_failure(client_fd); + goto out; + } + client_session_started = 1; + + LOG(LOG_DEBUG, "client TLS handshake finished"); + + result = initialize_tls_session_server(server_socket, &server_session, + &server_x509_cred); + /* Initialize TLS client credentials to talk to the server. */ + if (0 != result) { + LOG(LOG_WARNING, "initialize_tls_session_server() failed"); + send_forwarding_failure(client_fd); + goto out; + } + server_session_init = 1; + + LOG(LOG_DEBUG, "starting server TLS handshake"); + + /* Try to establish TLS handshake between us and server. */ + result = gnutls_handshake(server_session); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_WARNING, "server TLS handshake failed: %s", + gnutls_strerror(result)); + send_forwarding_failure(client_fd); + goto out; + } + server_session_started = 1; + + LOG(LOG_DEBUG, "server TLS handshake finished, transferring data"); + + /* Make sure the server certificate is valid and known. */ + if (0 != verify_tls_connection(server_session, host)) { + LOG(LOG_ERROR, "server certificate validation failed!"); + tls_send_server_error(client_session); + goto out; + } + + /* Proxy data between client and server until one suite is done (EOF or + * error). */ + transfer_data_tls(client_socket, server_socket, + client_session, server_session); + + LOG(LOG_DEBUG, "finished transferring data"); out: + /* Close TLS sessions if necessary. Use GNUTLS_SHUT_RDWR so the data is + * reliable transmitted. */ + if (0 != server_session_started) { + gnutls_bye(server_session, GNUTLS_SHUT_RDWR); + } + if (0 != client_session_started) { + gnutls_bye(client_session, GNUTLS_SHUT_RDWR); + } + if (0 != server_session_init) { + gnutls_deinit(server_session); + gnutls_certificate_free_credentials(server_x509_cred); + } + if (0 != client_session_init) { + gnutls_deinit(client_session); + gnutls_certificate_free_cas(client_x509_cred); + gnutls_certificate_free_keys(client_x509_cred); + gnutls_certificate_free_credentials(client_x509_cred); + } + /* Close connection to server/proxy. */ if (NULL != server_fd) { fclose(server_fd); @@ -193,6 +281,134 @@ out: LOG(LOG_DEBUG, "connection finished"); } + +static int initialize_tls_session_client(int peer_socket, + const char *hostname, + gnutls_session_t *session, + gnutls_certificate_credentials_t *x509_cred) { + int result; + char path[1024]; + + /* Hostname too long. */ + if (sizeof(path) - strlen(PROXY_SERVER_CERT_FORMAT) <= strlen(hostname)) { + LOG(LOG_WARNING, + "initialize_tls_session_client(): hostname too long: '%s'", + hostname); + return -1; + } + /* Try to prevent path traversals in hostnames. */ + if (NULL != strstr(hostname, "..")) { + LOG(LOG_WARNING, + "initialize_tls_session_client(): possible path traversal: '%s'", + hostname); + return -1; + } + snprintf(path, sizeof(path), PROXY_SERVER_CERT_FORMAT, hostname); + + result = gnutls_certificate_allocate_credentials(x509_cred); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_ERROR, + "initialize_tls_session_client(): \ +gnutls_certificate_allocate_credentials(): %s", + gnutls_strerror(result)); + return -1; + } + + /* Load proxy CA file, this CA "list" is send to the client. */ + result = gnutls_certificate_set_x509_trust_file(*x509_cred, + PROXY_CA_FILE, + GNUTLS_X509_FMT_PEM); + if (0 >= result) { + LOG(LOG_ERROR, + "initialize_tls_session_client(): can't read CA file: '%s'", + PROXY_CA_FILE); + return -1; + } + /* And certificate for this website and proxy's private key. */ + result = gnutls_certificate_set_x509_key_file(*x509_cred, + path, PROXY_KEY_FILE, + GNUTLS_X509_FMT_PEM); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_ERROR, + "initialize_tls_session_client(): \ +can't read server certificate ('%s') or key file ('%s'): %s", + path, PROXY_KEY_FILE, gnutls_strerror(result)); + /* Could be a missing certificate. */ + return -2; + } + + gnutls_certificate_set_dh_params(*x509_cred, tls_dh_params); + + result = gnutls_init(session, GNUTLS_SERVER); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_ERROR, + "initialize_tls_session_client(): gnutls_init(): %s", + gnutls_strerror(result)); + return -1; + } + result = gnutls_priority_set(*session, tls_priority_cache); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_ERROR, + "initialize_tls_session_client(): gnutls_priority_set(): %s", + gnutls_strerror(result)); + return -1; + } + result = gnutls_credentials_set(*session, + GNUTLS_CRD_CERTIFICATE, *x509_cred); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_ERROR, + "initialize_tls_session_client(): gnutls_credentials_set(): %s", + gnutls_strerror(result)); + return -1; + } + + gnutls_transport_set_ptr(*session, (gnutls_transport_ptr_t)peer_socket); + + return 0; +} +static int initialize_tls_session_server(int peer_socket, + gnutls_session_t *session, + gnutls_certificate_credentials_t *x509_cred) { + int result; + + result = gnutls_certificate_allocate_credentials(x509_cred); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_ERROR, + "initialize_tls_session_server(): \ +gnutls_certificate_allocate_credentials(): %s", + gnutls_strerror(result)); + return -1; + } + + result = gnutls_init(session, GNUTLS_CLIENT); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_ERROR, + "initialize_tls_session_server(): gnutls_init(): %s", + gnutls_strerror(result)); + return -1; + } + gnutls_priority_set(*session, tls_priority_cache); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_ERROR, + "initialize_tls_session_server(): gnutls_priority_set(): %s", + gnutls_strerror(result)); + return -1; + } + result = gnutls_credentials_set(*session, + GNUTLS_CRD_CERTIFICATE, *x509_cred); + if (GNUTLS_E_SUCCESS != result) { + LOG(LOG_ERROR, + "initialize_tls_session_server(): gnutls_credentials_set(): %s", + gnutls_strerror(result)); + return -1; + } + + gnutls_transport_set_ptr(*session, (gnutls_transport_ptr_t)peer_socket); + + return 0; +} + + /* Read HTTP request line and headers (ignored). * * On success 0 is returned, -1 on client error, -2 on unexpected EOF. @@ -231,8 +447,13 @@ static void send_forwarding_failure(FILE *client_fd) { fprintf(client_fd, "HTTP/1.0 503 Forwarding failure\r\n"); fprintf(client_fd, "\r\n"); } +static void tls_send_server_error(gnutls_session_t session) { + gnutls_record_send(session, "HTTP/1.0 500 Internal Server Error\r\n", 36); + gnutls_record_send(session, "\r\n", 2); +} +#if 0 /* Transfer data between client and server sockets until one closes the * connection. */ static void transfer_data(int client, int server) { @@ -307,6 +528,100 @@ static int read_from_write_to(int from, int to) { return 0; } +#endif + +/* Transfer data between client and server TLS connection until one closes the + * connection. */ +static void transfer_data_tls(int client, int server, + gnutls_session_t client_session, + gnutls_session_t server_session) { + struct pollfd fds[2]; + fds[0].fd = client; + fds[0].events = POLLIN | POLLPRI | POLLHUP | POLLERR; + fds[0].revents = 0; + fds[1].fd = server; + fds[1].events = POLLIN | POLLPRI | POLLHUP | POLLERR; + fds[1].revents = 0; + + for (;;) { + int result = poll(fds, 2, -1 /* no timeout */); + if (result < 0) { + LOG_PERROR(LOG_ERROR, "transfer_data(): poll()"); + return; + } + + /* Data available from client. */ + if (fds[0].revents & POLLIN || fds[0].revents & POLLPRI) { + if (0 != read_from_write_to_tls(client_session, server_session)) { + /* EOF (or other error) */ + break; + } + } + /* Data available from server. */ + if (fds[1].revents & POLLIN || fds[1].revents & POLLPRI) { + if (0 != read_from_write_to_tls(server_session, client_session)) { + /* EOF (or other error) */ + break; + } + } + + /* Client closed connection. */ + if (fds[0].revents & POLLERR || fds[0].revents & POLLHUP) { + break; + } + /* Server closed connection. */ + if (fds[1].revents & POLLERR || fds[1].revents & POLLHUP) { + break; + } + } +} + +/* Read available data from session from and write to session to. */ +static int read_from_write_to_tls(gnutls_session_t from, + gnutls_session_t to) { + size_t size; + ssize_t size_read; + ssize_t size_written; + char buffer[16384]; + + /* Get maximum possible buffer size. */ + size = gnutls_record_get_max_size(from); + LOG(LOG_DEBUG, "read_from_write_to_tls(): suggested buffer size: %ld", + (long int)size); + if (size > gnutls_record_get_max_size(to)) { + size = gnutls_record_get_max_size(to); + } + if (size > sizeof(buffer)) { + size = sizeof(buffer); + } + LOG(LOG_DEBUG, "read_from_write_to_tls(): used buffer size: %ld", + (long int)size); + + size_read = gnutls_record_recv(from, buffer, size); + if (0 > size_read) { + LOG(LOG_WARNING, "read_from_write_to_tls(): gnutls_record_recv(): %s", + gnutls_strerror((int)size_read)); + return -1; + } + /* EOF */ + if (0 == size_read) { + return -1; + } + + size_written = gnutls_record_send(to, buffer, (size_t)size_read); + if (0 > size_written) { + LOG(LOG_WARNING, "read_from_write_to_tls(): gnutls_record_send(): %s", + gnutls_strerror((int)size_written)); + return -1; + } + if (size_read != size_written) { + LOG(LOG_ERROR, "read_from_write_to_tls(): only written %ld of %ld bytes!", + (long int)size_written, (long int)size_read); + return -1; + } + + return 0; +} static int connect_to_host(const char *hostname, const char *port) { @@ -403,26 +718,3 @@ static int parse_request(const char *request, char *host, char *port, return 0; } - - -static void log_message(int level, const char *format, ...) { - va_list ap; - const char *level_string; - - if (global_log_level < level) { - return; - } - - switch (level) { - case LOG_ERROR: level_string = "ERROR"; break; - case LOG_WARNING: level_string = "WARNING"; break; - case LOG_DEBUG: level_string = "DEBUG"; break; - default: level_string = "UNKNOWN"; - } - - va_start(ap, format); - fprintf(stdout, "[%s] [%d] ", level_string, (int)pthread_self()); - vfprintf(stdout, format, ap); - fprintf(stdout, "\n"); - va_end(ap); -}