Commit 58dc1947 authored by Joel Martin's avatar Joel Martin

wsproxy: warn when no cert. C sock close cleanup.

Warn early about no SSL cert and add clearer warning when a connection
comes in as SSL but no cert file exists.

For the C version, cleanup closing of the connection socket. Use
shutdown for a cleaner cleanup with the client.
parent 58da507b
...@@ -187,6 +187,7 @@ int ws_socket_free(ws_ctx_t *ctx) { ...@@ -187,6 +187,7 @@ int ws_socket_free(ws_ctx_t *ctx) {
ctx->ssl_ctx = NULL; ctx->ssl_ctx = NULL;
} }
if (ctx->sockfd) { if (ctx->sockfd) {
shutdown(ctx->sockfd, SHUT_RDWR);
close(ctx->sockfd); close(ctx->sockfd);
ctx->sockfd = 0; ctx->sockfd = 0;
} }
...@@ -350,26 +351,30 @@ ws_ctx_t *do_handshake(int sock) { ...@@ -350,26 +351,30 @@ ws_ctx_t *do_handshake(int sock) {
handshake[len] = 0; handshake[len] = 0;
if (len == 0) { if (len == 0) {
handler_msg("ignoring empty handshake\n"); handler_msg("ignoring empty handshake\n");
close(sock);
return NULL; return NULL;
} else if (bcmp(handshake, "<policy-file-request/>", 22) == 0) { } else if (bcmp(handshake, "<policy-file-request/>", 22) == 0) {
len = recv(sock, handshake, 1024, 0); len = recv(sock, handshake, 1024, 0);
handshake[len] = 0; handshake[len] = 0;
handler_msg("sending flash policy response\n"); handler_msg("sending flash policy response\n");
send(sock, policy_response, sizeof(policy_response), 0); send(sock, policy_response, sizeof(policy_response), 0);
close(sock);
return NULL; return NULL;
} else if ((bcmp(handshake, "\x16", 1) == 0) || } else if ((bcmp(handshake, "\x16", 1) == 0) ||
(bcmp(handshake, "\x80", 1) == 0)) { (bcmp(handshake, "\x80", 1) == 0)) {
// SSL // SSL
if (! settings.cert) { return NULL; } if (!settings.cert) {
handler_msg("SSL connection but no cert specified\n");
return NULL;
} else if (access(settings.cert, R_OK) != 0) {
handler_msg("SSL connection but '%s' not found\n",
settings.cert);
return NULL;
}
ws_ctx = ws_socket_ssl(sock, settings.cert, settings.key); ws_ctx = ws_socket_ssl(sock, settings.cert, settings.key);
if (! ws_ctx) { return NULL; } if (! ws_ctx) { return NULL; }
scheme = "wss"; scheme = "wss";
handler_msg("using SSL socket\n"); handler_msg("using SSL socket\n");
} else if (settings.ssl_only) { } else if (settings.ssl_only) {
handler_msg("non-SSL connection disallowed\n"); handler_msg("non-SSL connection disallowed\n");
close(sock);
return NULL; return NULL;
} else { } else {
ws_ctx = ws_socket(sock); ws_ctx = ws_socket(sock);
...@@ -380,14 +385,12 @@ ws_ctx_t *do_handshake(int sock) { ...@@ -380,14 +385,12 @@ ws_ctx_t *do_handshake(int sock) {
len = ws_recv(ws_ctx, handshake, 4096); len = ws_recv(ws_ctx, handshake, 4096);
if (len == 0) { if (len == 0) {
handler_emsg("Client closed during handshake\n"); handler_emsg("Client closed during handshake\n");
close(sock);
return NULL; return NULL;
} }
handshake[len] = 0; handshake[len] = 0;
if (!parse_handshake(handshake, &headers)) { if (!parse_handshake(handshake, &headers)) {
handler_emsg("Invalid WS request\n"); handler_emsg("Invalid WS request\n");
close(sock);
return NULL; return NULL;
} }
...@@ -524,8 +527,7 @@ void start_server() { ...@@ -524,8 +527,7 @@ void start_server() {
if (pid == 0) { // handler process if (pid == 0) { // handler process
ws_ctx = do_handshake(csock); ws_ctx = do_handshake(csock);
if (ws_ctx == NULL) { if (ws_ctx == NULL) {
close(csock); handler_msg("No connection after handshake\n");
handler_msg("No connection after handshake");
break; // Child process exits break; // Child process exits
} }
...@@ -533,13 +535,22 @@ void start_server() { ...@@ -533,13 +535,22 @@ void start_server() {
if (pipe_error) { if (pipe_error) {
handler_emsg("Closing due to SIGPIPE\n"); handler_emsg("Closing due to SIGPIPE\n");
} }
close(csock);
handler_msg("handler exit\n");
break; // Child process exits break; // Child process exits
} else { // parent process } else { // parent process
settings.handler_id += 1; settings.handler_id += 1;
} }
} }
if (pid == 0) {
if (ws_ctx) {
ws_socket_free(ws_ctx);
} else {
shutdown(csock, SHUT_RDWR);
close(csock);
}
handler_msg("handler exit\n");
} else {
handler_msg("wsproxy exit\n");
}
} }
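Review bot: In ws_socket_free the new `shutdown(ctx->sockfd, SHUT_RDWR)` runs after the SSL context has already been torn down (the context line just above it sets `ctx->ssl_ctx = NULL`), so unless SSL_shutdown() is called earlier in the function — its start is outside the hunk — a TLS client receives a bare TCP FIN with no close_notify alert and cannot tell a clean close from truncation. The new child-exit cleanup in start_server reaches the same path through ws_socket_free(ws_ctx), so it inherits whatever this function does. shutdown()'s return value is discarded both here and in the start_server fallback branch; that is acceptable (ENOTCONN when the peer already reset the connection) but deserves a comment such as `/* best-effort: ENOTCONN if the peer already closed */`. If SSL_shutdown() is not already called on the session, it should be invoked before the SSL context is freed, ahead of the new shutdown()/close() pair.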
...@@ -112,6 +112,11 @@ def do_handshake(sock): ...@@ -112,6 +112,11 @@ def do_handshake(sock):
sock.close() sock.close()
return False return False
elif handshake[0] in ("\x16", "\x80"): elif handshake[0] in ("\x16", "\x80"):
if not os.path.exists(settings['cert']):
handler_msg("SSL connection but '%s' not found"
% settings['cert'])
sock.close()
return False
retsock = ssl.wrap_socket( retsock = ssl.wrap_socket(
sock, sock,
server_side=True, server_side=True,
......
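Review bot: The new cert check in do_handshake uses os.path.exists, which is weaker than the R_OK test the C do_handshake gains in this same commit: a cert file that exists but is unreadable passes the check, ssl.wrap_socket then raises, and nothing in the hunk catches that, so the handler dies with a traceback instead of the new friendly message. `if not os.access(settings['cert'], os.R_OK):` would match the C side and os is already in use on this line. do_handshake continues outside the hunk.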
...@@ -257,6 +257,10 @@ int main(int argc, char *argv[]) ...@@ -257,6 +257,10 @@ int main(int argc, char *argv[])
}; };
settings.cert = realpath("self.pem", NULL); settings.cert = realpath("self.pem", NULL);
if (!settings.cert) {
/* Make sure it's always set to something */
settings.cert = "self.pem";
}
settings.key = ""; settings.key = "";
while (1) { while (1) {
...@@ -326,9 +330,11 @@ int main(int argc, char *argv[]) ...@@ -326,9 +330,11 @@ int main(int argc, char *argv[])
} }
if (ssl_only) { if (ssl_only) {
if (!settings.cert || !access(settings.cert, R_OK)) { if (!access(settings.cert, R_OK)) {
usage("SSL only and cert file not found\n"); usage("SSL only and cert file '%s' not found\n", settings.cert);
} }
} else if (access(settings.cert, R_OK) != 0) {
fprintf(stderr, "Warning: '%s' not found\n", settings.cert);
} }
//printf(" verbose: %d\n", settings.verbose); //printf(" verbose: %d\n", settings.verbose);
......
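Review bot: The rewritten ssl_only check `if (!access(settings.cert, R_OK))` is inverted: access() returns 0 on success, so usage("... not found") fires exactly when the cert is readable, while a missing cert under ssl_only passes silently into the server loop. The warning branch added immediately after it uses the correct polarity (`access(...) != 0`), so the two branches contradict each other; change the first to `if (access(settings.cert, R_OK) != 0) {`. The previous line had the same inversion and this commit rewrote it without fixing it. Separately, when realpath() fails the fallback stores the string literal "self.pem" in settings.cert, so any later free(settings.cert) would be undefined — I cannot see whether one exists, as main continues outside the hunk.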
...@@ -162,6 +162,8 @@ if __name__ == '__main__': ...@@ -162,6 +162,8 @@ if __name__ == '__main__':
if options.ssl_only and not os.path.exists(options.cert): if options.ssl_only and not os.path.exists(options.cert):
parser.error("SSL only and %s not found" % options.cert) parser.error("SSL only and %s not found" % options.cert)
elif not os.path.exists(options.cert):
print "Warning: %s not found" % options.cert
settings['verbose'] = options.verbose settings['verbose'] = options.verbose
settings['listen_host'] = host settings['listen_host'] = host
......
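Review bot: The new warning `print "Warning: %s not found" % options.cert` goes to stdout, whereas the matching warning added to the C version in this commit goes to stderr and parser.error() on the line above also reports on stderr, so a caller that pipes or silences stdout will never see it. If sys is imported in this file (not visible in the hunk), `print >>sys.stderr, "Warning: %s not found" % options.cert` keeps the two implementations consistent. The enclosing __main__ block continues outside the hunk.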