X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=bfdac1c6db59df105ae2ac9fdc659be004da9e3a;hb=f1a626728ee8be94ebb023c6cfb2f68684671450;hp=09bfd0aa2739b982ff28acaba99735a96f8e8bdd;hpb=cb291e5cd62b9bd9a740e86b85bd4ae84595b3d3;p=tlsproxy%2Ftlsproxy.git diff --git a/src/connection.c b/src/connection.c index 09bfd0a..bfdac1c 100644 --- a/src/connection.c +++ b/src/connection.c @@ -31,9 +31,10 @@ #include -/* Maximum line of a HTTP request line. Longer request lines are aborted with - * an error. The standard doesn't specify a maximum line length but this - * should be a good limit to make processing simpler. */ +/* Maximum length of a HTTP request line. Longer request lines are aborted + * with an error. The standard doesn't specify a maximum line length but this + * should be a good limit to make processing simpler. As HTTPS is used this + * doesn't limit long GET requests. */ #define MAX_REQUEST_LINE 4096 /* Format string used to send HTTP/1.0 error responses to the client. @@ -216,7 +217,7 @@ void handle_connection(int client_socket) { goto out; } - /* server_certificate_path() may open the file, close it. */ + /* server_certificate_path() may have opened the file, close it. */ if (NULL != file) { fclose(file); } @@ -257,7 +258,7 @@ void handle_connection(int client_socket) { /* Initialize TLS server credentials to talk to the client. */ result = initialize_tls_session_client(client_socket, - /* use special host if the server + /* use a special host if the server * certificate was invalid */ (validation_failed) ? "invalid" : host, @@ -371,7 +372,16 @@ static int initialize_tls_session_client(int peer_socket, hostname); return -1; } - snprintf(path, sizeof(path), PROXY_SERVER_CERT_FORMAT, hostname); + result = snprintf(path, sizeof(path), PROXY_SERVER_CERT_FORMAT, hostname); + if (result < 0) { + LOG_PERROR(LOG_ERROR, + "initialize_tls_session_client(): snprintf failed"); + return -1; + } else if ((size_t)result >= sizeof(path)) { + LOG(LOG_ERROR, + "initialize_tls_session_client(): snprintf buffer too short"); + return -1; + } result = gnutls_certificate_allocate_credentials(x509_cred); if (GNUTLS_E_SUCCESS != result) { @@ -387,18 +397,17 @@ gnutls_certificate_allocate_credentials(): %s", result = gnutls_certificate_set_x509_trust_file(*x509_cred, PROXY_CA_FILE, GNUTLS_X509_FMT_PEM); + if (0 >= result) { + LOG(LOG_ERROR, + "initialize_tls_session_client(): can't read CA file: '%s'", + PROXY_CA_FILE); + gnutls_certificate_free_credentials(*x509_cred); + return -1; + } + } /* If the invalid hostname was specified do nothing, we use a self-signed * certificate in this case. */ - } else { - result = 1; - } - if (0 >= result) { - LOG(LOG_ERROR, - "initialize_tls_session_client(): can't read CA file: '%s'", - PROXY_CA_FILE); - gnutls_certificate_free_credentials(*x509_cred); - return -1; - } + /* And certificate for this website and proxy's private key. */ if (!use_invalid_cert) { result = gnutls_certificate_set_x509_key_file(*x509_cred, @@ -556,15 +565,26 @@ static void tls_send_invalid_cert_message(gnutls_session_t session) { #define RESPONSE_ERROR "500 Internal Server Error" #define RESPONSE_MSG "Server certificate validation failed, check logs." + int result; char buffer[sizeof(HTTP_RESPONSE_FORMAT) - 1 /* '\0' */ - 4 * 2 /* four %s */ + (sizeof(RESPONSE_ERROR) - 1 /* '\0' */) * 3 + sizeof(RESPONSE_MSG) - 1 /* '\0' */ + 1 /* '\0' */]; - snprintf(buffer, sizeof(buffer), - HTTP_RESPONSE_FORMAT, - RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_MSG); + result = snprintf(buffer, sizeof(buffer), + HTTP_RESPONSE_FORMAT, + RESPONSE_ERROR, RESPONSE_ERROR, RESPONSE_ERROR, + RESPONSE_MSG); + if (result < 0) { + LOG_PERROR(LOG_ERROR, + "tls_send_invalid_cert_message(): snprintf failed"); + return; + } else if ((size_t)result >= sizeof(buffer)) { + LOG(LOG_ERROR, + "tls_send_invalid_cert_message(): snprintf buffer too short"); + return; + } gnutls_record_send(session, buffer, sizeof(buffer) - 1); /* don't send trailing '\0' */