X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fverify.c;h=e3a86294755c4283bc3c899a03b72501659b61f3;hb=e279b81dba5901ad6ed7fa73901acab10f1d4a63;hp=14c7127b7c39cd01ad0b9aa0082cb1396b35f6ca;hpb=2cc876ebafc566267a6de49fe722257977967091;p=tlsproxy%2Ftlsproxy.git diff --git a/src/verify.c b/src/verify.c index 14c7127..e3a8629 100644 --- a/src/verify.c +++ b/src/verify.c @@ -111,6 +111,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) { /* Open stored server certificate file. */ if (0 != server_certificate_path(&file, hostname, path, sizeof(path))) { + LOG(LOG_DEBUG, "server certificate:\n%s", server_cert); return -1; } @@ -123,6 +124,8 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) { if (sizeof(stored_cert) <= size) { LOG(LOG_WARNING, "verify_tls_connection(): '%s' too big", path); fclose(file); + + LOG(LOG_DEBUG, "server certificate:\n%s", server_cert); return -1; } @@ -133,6 +136,8 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) { LOG(LOG_WARNING, "verify_tls_connection(): failed to read from '%s': %s", path, strerror(errno)); + + LOG(LOG_DEBUG, "server certificate:\n%s", server_cert); return -1; } fclose(file); @@ -142,14 +147,50 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) { LOG(LOG_ERROR, "verify_tls_connection(): server certificate changed!", path, strerror(errno)); + + LOG(LOG_WARNING, "server certificate:\n%s", server_cert); return -2; } return 0; } + +int proxy_certificate_path(const char *hostname, char *path, size_t size) { + int result; + + /* Hostname too long. */ + if (size - strlen(PROXY_SERVER_CERT_FORMAT) <= strlen(hostname)) { + LOG(LOG_WARNING, + "proxy_certificate_path(): hostname too long: '%s'", + hostname); + return -1; + } + /* Try to prevent path traversals in hostnames. */ + if (NULL != strstr(hostname, "..")) { + LOG(LOG_WARNING, + "proxy_certificate_path(): possible path traversal: '%s'", + hostname); + return -1; + } + result = snprintf(path, size, PROXY_SERVER_CERT_FORMAT, hostname); + if (result < 0) { + LOG_PERROR(LOG_ERROR, + "proxy_certificate_path(): snprintf failed"); + return -1; + } else if ((size_t)result >= size) { + LOG(LOG_ERROR, + "proxy_certificate_path(): snprintf buffer too short"); + return -1; + } + + return 0; +} + int server_certificate_path(FILE **file, const char *hostname, char *path, size_t size) { + int result; + /* Hostname too long. */ if (size - strlen(STORED_SERVER_CERT_FORMAT) <= strlen(hostname)) { LOG(LOG_WARNING, @@ -164,14 +205,29 @@ int server_certificate_path(FILE **file, const char *hostname, hostname); return -1; } - snprintf(path, size, STORED_SERVER_CERT_FORMAT, hostname); + result = snprintf(path, size, STORED_SERVER_CERT_FORMAT, hostname); + if (result < 0) { + LOG_PERROR(LOG_ERROR, + "server_certificate_path(): snprintf failed"); + return -1; + } else if ((size_t)result >= size) { + LOG(LOG_ERROR, + "server_certificate_path(): snprintf buffer too short"); + return -1; + } /* Open the stored certificate file. */ *file = fopen(path, "rb"); if (NULL == *file) { - LOG(global_passthrough_unknown ? LOG_DEBUG : LOG_WARNING, - "server_certificate_path(): failed to open '%s': %s", - path, strerror(errno)); + if (global_passthrough_unknown) { + LOG(LOG_DEBUG, + "server_certificate_path(): failed to open '%s': %s", + path, strerror(errno)); + } else { + LOG(LOG_WARNING, + "server_certificate_path(): failed to open '%s': %s", + path, strerror(errno)); + } /* Couldn't open the file, special case. */ return -2; }