aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2018-06-07 15:36:53 +0200
committerChristian Grothoff <christian@grothoff.org>2018-06-07 16:17:14 +0200
commit50e9c61954ebe7ec3bfde169249d49ac6d849687 (patch)
tree0f78b1b6c847427de6182e910dc3bc5a2a7a56a1
parentedc238be68955758e99da87337b984abaa656e93 (diff)
downloadgnunet-50e9c61954ebe7ec3bfde169249d49ac6d849687.tar.gz
gnunet-50e9c61954ebe7ec3bfde169249d49ac6d849687.zip
add option to disable v6, do not pass chunked encoding along, enable bypass of cert validation
-rw-r--r--src/gns/gnunet-gns-proxy.c59
1 files changed, 47 insertions, 12 deletions
diff --git a/src/gns/gnunet-gns-proxy.c b/src/gns/gnunet-gns-proxy.c
index cf1901de1..486911ec8 100644
--- a/src/gns/gnunet-gns-proxy.c
+++ b/src/gns/gnunet-gns-proxy.c
@@ -44,6 +44,15 @@
44 44
45 45
46/** 46/**
47 * FIXME: GnuTLS right now sometimes rejects valid certs, so as a
48 * VERY temporary workaround we just WARN the user instead of
49 * dropping the page. THIS SHOULD NOT BE USED IN PRODUCTION,
50 * set to 1 in production!!! FIXME!!!
51 */
52#define FIXED_CERT_VALIDATION_BUG 0
53
54
55/**
47 * Default Socks5 listen port. 56 * Default Socks5 listen port.
48 */ 57 */
49#define GNUNET_GNS_PROXY_PORT 7777 58#define GNUNET_GNS_PROXY_PORT 7777
@@ -685,6 +694,11 @@ static CURLM *curl_multi;
685static struct GNUNET_GNS_Handle *gns_handle; 694static struct GNUNET_GNS_Handle *gns_handle;
686 695
687/** 696/**
697 * Disable IPv6.
698 */
699static int disable_v6;
700
701/**
688 * DLL for http/https daemons 702 * DLL for http/https daemons
689 */ 703 */
690static struct MhdHttpList *mhd_httpd_head; 704static struct MhdHttpList *mhd_httpd_head;
@@ -890,7 +904,7 @@ mhd_content_cb (void *cls,
890 return MHD_CONTENT_READER_END_OF_STREAM; 904 return MHD_CONTENT_READER_END_OF_STREAM;
891 } 905 }
892 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, 906 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
893 "Writing %llu/%llu bytes for %s%s\n", 907 "Writing %llu/%llu bytes to %s%s\n",
894 (unsigned long long) bytes_to_copy, 908 (unsigned long long) bytes_to_copy,
895 (unsigned long long) s5r->io_len, 909 (unsigned long long) s5r->io_len,
896 s5r->domain, 910 s5r->domain,
@@ -952,8 +966,10 @@ check_ssl_certificate (struct Socks5Request *s5r)
952 tlsinfo->backend); 966 tlsinfo->backend);
953 return GNUNET_SYSERR; 967 return GNUNET_SYSERR;
954 } 968 }
955 chainp = gnutls_certificate_get_peers (tlsinfo->internals, &cert_list_size); 969 chainp = gnutls_certificate_get_peers (tlsinfo->internals,
956 if ( (! chainp) || (0 == cert_list_size) ) 970 &cert_list_size);
971 if ( (! chainp) ||
972 (0 == cert_list_size) )
957 return GNUNET_SYSERR; 973 return GNUNET_SYSERR;
958 974
959 size = sizeof (certdn); 975 size = sizeof (certdn);
@@ -1056,11 +1072,14 @@ check_ssl_certificate (struct Socks5Request *s5r)
1056 name))) 1072 name)))
1057 { 1073 {
1058 GNUNET_log (GNUNET_ERROR_TYPE_WARNING, 1074 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
1059 _("TLS certificate subject name (%s) does not match `%s'\n"), 1075 _("TLS certificate subject name (%s) does not match `%s': %d\n"),
1060 certdn, 1076 certdn,
1061 name); 1077 name,
1078 rc);
1079#if FIXED_CERT_VALIDATION_BUG
1062 gnutls_x509_crt_deinit (x509_cert); 1080 gnutls_x509_crt_deinit (x509_cert);
1063 return GNUNET_SYSERR; 1081 return GNUNET_SYSERR;
1082#endif
1064 } 1083 }
1065 } 1084 }
1066 else 1085 else
@@ -1116,15 +1135,17 @@ curl_check_hdr (void *buffer,
1116 if (GNUNET_OK != check_ssl_certificate (s5r)) 1135 if (GNUNET_OK != check_ssl_certificate (s5r))
1117 return 0; 1136 return 0;
1118 } 1137 }
1119 1138 ndup = GNUNET_strndup (buffer,
1120 ndup = GNUNET_strndup (buffer, bytes); 1139 bytes);
1121 hdr_type = strtok (ndup, ":"); 1140 hdr_type = strtok (ndup,
1141 ":");
1122 if (NULL == hdr_type) 1142 if (NULL == hdr_type)
1123 { 1143 {
1124 GNUNET_free (ndup); 1144 GNUNET_free (ndup);
1125 return bytes; 1145 return bytes;
1126 } 1146 }
1127 hdr_val = strtok (NULL, ""); 1147 hdr_val = strtok (NULL,
1148 "");
1128 if (NULL == hdr_val) 1149 if (NULL == hdr_val)
1129 { 1150 {
1130 GNUNET_free (ndup); 1151 GNUNET_free (ndup);
@@ -1187,6 +1208,12 @@ curl_check_hdr (void *buffer,
1187 } 1208 }
1188 1209
1189 new_location = NULL; 1210 new_location = NULL;
1211 if (0 == strcasecmp (MHD_HTTP_HEADER_TRANSFER_ENCODING,
1212 hdr_type))
1213 {
1214 /* Ignore transfer encoding, set automatically by MHD if required */
1215 goto cleanup;
1216 }
1190 if (0 == strcasecmp (MHD_HTTP_HEADER_LOCATION, 1217 if (0 == strcasecmp (MHD_HTTP_HEADER_LOCATION,
1191 hdr_type)) 1218 hdr_type))
1192 { 1219 {
@@ -1232,6 +1259,7 @@ curl_check_hdr (void *buffer,
1232 s5r->header_tail, 1259 s5r->header_tail,
1233 header); 1260 header);
1234 } 1261 }
1262 cleanup:
1235 GNUNET_free (ndup); 1263 GNUNET_free (ndup);
1236 GNUNET_free_non_null (new_cookie_hdr); 1264 GNUNET_free_non_null (new_cookie_hdr);
1237 GNUNET_free_non_null (new_location); 1265 GNUNET_free_non_null (new_location);
@@ -1761,7 +1789,7 @@ create_response (void *cls,
1761 return MHD_NO; 1789 return MHD_NO;
1762 } 1790 }
1763 s5r->con = con; 1791 s5r->con = con;
1764 //Fresh connection. 1792 /* Fresh connection. */
1765 if (SOCKS5_SOCKET_WITH_MHD == s5r->state) 1793 if (SOCKS5_SOCKET_WITH_MHD == s5r->state)
1766 { 1794 {
1767 /* first time here, initialize curl handle */ 1795 /* first time here, initialize curl handle */
@@ -2984,8 +3012,10 @@ handle_gns_result (void *cls,
2984 } 3012 }
2985 if (GNUNET_YES == got_ip) 3013 if (GNUNET_YES == got_ip)
2986 break; 3014 break;
3015 if (GNUNET_YES == disable_v6)
3016 break;
2987 if (GNUNET_OK != 3017 if (GNUNET_OK !=
2988 GNUNET_NETWORK_test_pf (PF_INET)) 3018 GNUNET_NETWORK_test_pf (PF_INET6))
2989 break; 3019 break;
2990 /* FIXME: allow user to disable IPv6 per configuration option... */ 3020 /* FIXME: allow user to disable IPv6 per configuration option... */
2991 got_ip = GNUNET_YES; 3021 got_ip = GNUNET_YES;
@@ -3213,7 +3243,8 @@ do_s5r_read (void *cls)
3213 s5r->domain = GNUNET_strndup (dom_name, 3243 s5r->domain = GNUNET_strndup (dom_name,
3214 *dom_len); 3244 *dom_len);
3215 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, 3245 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
3216 "Requested connection is to %s:%d\n", 3246 "Requested connection is to http%s://%s:%d\n",
3247 (HTTPS_PORT == s5r->port) ? "s" : "",
3217 s5r->domain, 3248 s5r->domain,
3218 ntohs (*port)); 3249 ntohs (*port));
3219 s5r->state = SOCKS5_RESOLVING; 3250 s5r->state = SOCKS5_RESOLVING;
@@ -3653,6 +3684,10 @@ main (int argc,
3653 NULL, 3684 NULL,
3654 gettext_noop ("pem file to use as CA"), 3685 gettext_noop ("pem file to use as CA"),
3655 &cafile_opt), 3686 &cafile_opt),
3687 GNUNET_GETOPT_option_flag ('6',
3688 "disable-ivp6",
3689 gettext_noop ("disable use of IPv6"),
3690 &disable_v6),
3656 3691
3657 GNUNET_GETOPT_OPTION_END 3692 GNUNET_GETOPT_OPTION_END
3658 }; 3693 };