author | Christian Grothoff <christian@grothoff.org> | 2018-06-07 15:36:53 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2018-06-07 16:17:14 +0200 |
commit | 50e9c61954ebe7ec3bfde169249d49ac6d849687 (patch) | |
tree | 0f78b1b6c847427de6182e910dc3bc5a2a7a56a1 | |
parent | edc238be68955758e99da87337b984abaa656e93 (diff) | |
download | gnunet-50e9c61954ebe7ec3bfde169249d49ac6d849687.tar.gz gnunet-50e9c61954ebe7ec3bfde169249d49ac6d849687.zip |
add option to disable v6, do not pass chunked encoding along, enable bypass of cert validation
-rw-r--r-- | src/gns/gnunet-gns-proxy.c | 59 |
1 files changed, 47 insertions, 12 deletions
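--- a/src/gns/gnunet-gns-proxy.c
+++ b/src/gns/gnunet-gns-proxy.c
@@ -44,6 +44,15 @@
 
 
 /**
+* FIXME: GnuTLS right now sometimes rejects valid certs, so as a
+* VERY temporary workaround we just WARN the user instead of
+* dropping the page. THIS SHOULD NOT BE USED IN PRODUCTION,
+* set to 1 in production!!! FIXME!!!
+*/
+#define FIXED_CERT_VALIDATION_BUG 0
+
+
+/**
 * Default Socks5 listen port.
 */
 #define GNUNET_GNS_PROXY_PORT 7777
@@ -685,6 +694,11 @@ static CURLM *curl_multi;
 static struct GNUNET_GNS_Handle *gns_handle;
 
 /**
+* Disable IPv6.
+*/
+static int disable_v6;
+
+/**
 * DLL for http/https daemons
 */
 static struct MhdHttpList *mhd_httpd_head;
@@ -890,7 +904,7 @@ mhd_content_cb (void *cls,
 return MHD_CONTENT_READER_END_OF_STREAM;
 }
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-"Writing %llu/%llu bytes for %s%s\n",
+"Writing %llu/%llu bytes to %s%s\n",
 (unsigned long long) bytes_to_copy,
 (unsigned long long) s5r->io_len,
 s5r->domain,
@@ -952,8 +966,10 @@ check_ssl_certificate (struct Socks5Request *s5r)
 tlsinfo->backend);
 return GNUNET_SYSERR;
 }
-chainp = gnutls_certificate_get_peers (tlsinfo->internals, &cert_list_size);
-if ( (! chainp) || (0 == cert_list_size) )
+chainp = gnutls_certificate_get_peers (tlsinfo->internals,
+&cert_list_size);
+if ( (! chainp) ||
+(0 == cert_list_size) )
 return GNUNET_SYSERR;
 
 size = sizeof (certdn);
@@ -1056,11 +1072,14 @@ check_ssl_certificate (struct Socks5Request *s5r)
 name)))
 {
 GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
-_("TLS certificate subject name (%s) does not match `%s'\n"),
+_("TLS certificate subject name (%s) does not match `%s': %d\n"),
 certdn,
-name);
+name,
+rc);
+#if FIXED_CERT_VALIDATION_BUG
 gnutls_x509_crt_deinit (x509_cert);
 return GNUNET_SYSERR;
+#endif
 }
 }
 else
@@ -1116,15 +1135,17 @@ curl_check_hdr (void *buffer,
 if (GNUNET_OK != check_ssl_certificate (s5r))
 return 0;
 }
-
-ndup = GNUNET_strndup (buffer, bytes);
-hdr_type = strtok (ndup, ":");
+ndup = GNUNET_strndup (buffer,
+bytes);
+hdr_type = strtok (ndup,
+":");
 if (NULL == hdr_type)
 {
 GNUNET_free (ndup);
 return bytes;
 }
-hdr_val = strtok (NULL, "");
+hdr_val = strtok (NULL,
+"");
 if (NULL == hdr_val)
 {
 GNUNET_free (ndup);
@@ -1187,6 +1208,12 @@ curl_check_hdr (void *buffer,
 }
 
 new_location = NULL;
+if (0 == strcasecmp (MHD_HTTP_HEADER_TRANSFER_ENCODING,
+hdr_type))
+{
+/* Ignore transfer encoding, set automatically by MHD if required */
+goto cleanup;
+}
 if (0 == strcasecmp (MHD_HTTP_HEADER_LOCATION,
 hdr_type))
 {
@@ -1232,6 +1259,7 @@ curl_check_hdr (void *buffer,
 s5r->header_tail,
 header);
 }
+cleanup:
 GNUNET_free (ndup);
 GNUNET_free_non_null (new_cookie_hdr);
 GNUNET_free_non_null (new_location);
@@ -1761,7 +1789,7 @@ create_response (void *cls,
 return MHD_NO;
 }
 s5r->con = con;
-//Fresh connection.
+/* Fresh connection. */
 if (SOCKS5_SOCKET_WITH_MHD == s5r->state)
 {
 /* first time here, initialize curl handle */
@@ -2984,8 +3012,10 @@ handle_gns_result (void *cls,
 }
 if (GNUNET_YES == got_ip)
 break;
+if (GNUNET_YES == disable_v6)
+break;
 if (GNUNET_OK !=
-GNUNET_NETWORK_test_pf (PF_INET))
+GNUNET_NETWORK_test_pf (PF_INET6))
 break;
 /* FIXME: allow user to disable IPv6 per configuration option... */
 got_ip = GNUNET_YES;
@@ -3213,7 +3243,8 @@ do_s5r_read (void *cls)
 s5r->domain = GNUNET_strndup (dom_name,
 *dom_len);
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-"Requested connection is to %s:%d\n",
+"Requested connection is to http%s://%s:%d\n",
+(HTTPS_PORT == s5r->port) ? "s" : "",
 s5r->domain,
 ntohs (*port));
 s5r->state = SOCKS5_RESOLVING;
@@ -3653,6 +3684,10 @@ main (int argc,
 NULL,
 gettext_noop ("pem file to use as CA"),
 &cafile_opt),
+GNUNET_GETOPT_option_flag ('6',
+"disable-ivp6",
+gettext_noop ("disable use of IPv6"),
+&disable_v6),
 
 GNUNET_GETOPT_OPTION_END
 };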
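Review bot: With `FIXED_CERT_VALIDATION_BUG` defined as 0, the subject-name mismatch branch in check_ssl_certificate (the `@@ -1056,11 +1072,14 @@` hunk) now only logs a warning and falls through, so every default build accepts a certificate issued for a different name; the header comment says this must not ship, but nothing enforces that. I would keep the strict default (`#define FIXED_CERT_VALIDATION_BUG 1`) and expose the workaround as an explicit runtime flag wired the same way as `disable_v6` in the last hunk, so the bypass is opt-in, visible on the command line, and logged at GNUNET_ERROR_TYPE_ERROR rather than WARNING when it fires. The `#if` also skips `gnutls_x509_crt_deinit (x509_cert);` on that path; whether the handle is released later in the function is outside the hunk and should be confirmed. Separately, the new long option name in the last hunk is misspelled: `"disable-ivp6"` should read `"disable-ipv6"`, and the FIXME comment about a configuration option in the handle_gns_result hunk is now stale.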