*
* TODO:
* - double-check queueing logic
- * - actually check SSL certificates (#3038)
*/
#include "platform.h"
#include <microhttpd.h>
static int
check_ssl_certificate (struct Socks5Request *s5r)
{
- struct curl_tlsinfo tlsinfo;
unsigned int cert_list_size;
const gnutls_datum_t *chainp;
- union {
- struct curl_tlsinfo *tlsinfo;
- struct curl_slist *to_slist;
- } gptr;
+ const struct curl_tlssessioninfo *tlsinfo;
char certdn[GNUNET_DNSPARSER_MAX_NAME_LENGTH + 3];
size_t size;
gnutls_x509_crt_t x509_cert;
int rc;
const char *name;
- memset (&tlsinfo, 0, sizeof (tlsinfo));
- gptr.tlsinfo = &tlsinfo;
if (CURLE_OK !=
curl_easy_getinfo (s5r->curl,
CURLINFO_TLS_SESSION,
- &gptr))
+ (struct curl_slist **) &tlsinfo))
return GNUNET_SYSERR;
- if (CURLSSLBACKEND_GNUTLS != tlsinfo.ssl_backend)
+ if (CURLSSLBACKEND_GNUTLS != tlsinfo->backend)
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
_("Unsupported CURL SSL backend %d\n"),
- tlsinfo.ssl_backend);
+ tlsinfo->backend);
return GNUNET_SYSERR;
}
- chainp = gnutls_certificate_get_peers (tlsinfo.internals, &cert_list_size);
+ chainp = gnutls_certificate_get_peers (tlsinfo->internals, &cert_list_size);
if ( (! chainp) || (0 == cert_list_size) )
return GNUNET_SYSERR;
/* FIXME: add flags to gnutls to NOT read UNBOUND_ROOT_KEY_FILE here! */
if (0 != (rc = dane_state_init (&dane_state,
+#ifdef DANE_F_IGNORE_DNSSEC
+ DANE_F_IGNORE_DNSSEC |
+#endif
DANE_F_IGNORE_LOCAL_RESOLVER)))
{
GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
if (0 != (rc = dane_verify_crt_raw (dane_state,
chainp,
cert_list_size,
- gnutls_certificate_type_get (tlsinfo.internals),
+ gnutls_certificate_type_get (tlsinfo->internals),
dane_query,
0, 0,
&verify)))
}
}
gnutls_x509_crt_deinit (x509_cert);
-#if 0
- {
- unsigned int i;
-
- for(i=0;i<cert_list_size;i++)
- {
- gnutls_x509_crt_t cert;
- gnutls_datum_t dn;
-
- if (GNUTLS_E_SUCCESS == gnutls_x509_crt_init (&cert))
- {
- if (GNUTLS_E_SUCCESS ==
- gnutls_x509_crt_import (cert, &chainp[i],
- GNUTLS_X509_FMT_DER))
- {
- if (GNUTLS_E_SUCCESS ==
- gnutls_x509_crt_print (cert,
- GNUTLS_CRT_PRINT_FULL,
- &dn))
- {
- GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
- "Certificate #%d: %.*s", i, dn.size, dn.data);
- gnutls_free (dn.data);
- }
- }
- gnutls_x509_crt_deinit (cert);
- }
- }
- }
-#endif
return GNUNET_OK;
}
GNUNET_break (CURLE_OK ==
curl_easy_getinfo (msg->easy_handle,
CURLINFO_PRIVATE,
- &s5r));
+ (char **) &s5r ));
if (NULL == s5r)
{
GNUNET_break (0);
size_t *upload_data_size,
void **con_cls)
{
- /* struct MhdHttpList* hd = cls; */
struct Socks5Request *s5r = *con_cls;
char *curlurl;
char ipstring[INET6_ADDRSTRLEN];
return s5r;
}
}
+ GNUNET_break (0);
return NULL;
}
GNUNET_break (GNUTLS_E_SUCCESS == gnutls_x509_crt_set_key (request, proxy_ca.key));
pgc = GNUNET_new (struct ProxyGNSCertificate);
gnutls_x509_crt_set_dn_by_oid (request, GNUTLS_OID_X520_COUNTRY_NAME,
- 0, "TNR", 2);
+ 0, "ZZ", 2);
gnutls_x509_crt_set_dn_by_oid (request, GNUTLS_OID_X520_ORGANIZATION_NAME,
0, "GNU Name System", 4);
gnutls_x509_crt_set_dn_by_oid (request, GNUTLS_OID_X520_COMMON_NAME,
* Lookup (or create) an SSL MHD instance for a particular domain.
*
* @param domain the domain the SSL daemon has to serve
- * @return NULL on errro
+ * @return NULL on error
*/
static struct MhdHttpList *
lookup_ssl_httpd (const char* domain)
struct MhdHttpList *hd;
struct ProxyGNSCertificate *pgc;
+ if (NULL == domain)
+ {
+ GNUNET_break (0);
+ return NULL;
+ }
for (hd = mhd_httpd_head; NULL != hd; hd = hd->next)
if ( (NULL != hd->domain) &&
(0 == strcmp (hd->domain, domain)) )
struct sockaddr_in *in;
s5r->port = ntohs (*port);
+ if (HTTPS_PORT == s5r->port)
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ _("SSL connection to plain IPv4 address requested\n"));
+ signal_socks_failure (s5r,
+ SOCKS5_STATUS_CONNECTION_NOT_ALLOWED_BY_RULE);
+ return;
+ }
alen = sizeof (struct in_addr);
if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage) +
alen + sizeof (uint16_t))
struct sockaddr_in6 *in;
s5r->port = ntohs (*port);
+ if (HTTPS_PORT == s5r->port)
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ _("SSL connection to plain IPv4 address requested\n"));
+ signal_socks_failure (s5r,
+ SOCKS5_STATUS_CONNECTION_NOT_ALLOWED_BY_RULE);
+ return;
+ }
alen = sizeof (struct in6_addr);
if (s5r->rbuf_len < sizeof (struct Socks5ClientRequestMessage) +
alen + sizeof (uint16_t))
projects / oweals / gnunet.git / blobdiff