Fabian Keil [Sun, 11 Oct 2020 09:41:57 +0000 (11:41 +0200)]
 
Bump copyright
Fabian Keil [Sun, 11 Oct 2020 09:41:41 +0000 (11:41 +0200)]
 
Add ChangeLog entries for 3.0.29 stable
Fabian Keil [Tue, 24 Nov 2020 16:46:01 +0000 (17:46 +0100)]
 
Rebuild user manual with typo fix
Fabian Keil [Tue, 24 Nov 2020 16:45:05 +0000 (17:45 +0100)]
 
Rebuild config file
Fabian Keil [Tue, 24 Nov 2020 16:45:42 +0000 (17:45 +0100)]
 
Fix comment typo
Fabian Keil [Tue, 24 Nov 2020 16:43:49 +0000 (17:43 +0100)]
 
Fix typo
Fabian Keil [Tue, 24 Nov 2020 16:25:49 +0000 (17:25 +0100)]
 
Fix comment typos
Fabian Keil [Tue, 24 Nov 2020 16:24:45 +0000 (17:24 +0100)]
 
Fix comment typo
Fabian Keil [Mon, 23 Nov 2020 11:22:12 +0000 (12:22 +0100)]
 
Rebuild config file
Fabian Keil [Mon, 23 Nov 2020 11:20:26 +0000 (12:20 +0100)]
 
Rebuild docs for 3.0.29 stable
Fabian Keil [Mon, 23 Nov 2020 11:16:13 +0000 (12:16 +0100)]
 
Bump SGML entities for 3.0.29 stable
Fabian Keil [Mon, 23 Nov 2020 11:11:57 +0000 (12:11 +0100)]
 
Mention that FEATURE_HTTPS_INSPECTION is required for https inspection to work
Fabian Keil [Mon, 23 Nov 2020 11:06:46 +0000 (12:06 +0100)]
 
Rename section 7 to 'HTTPS Inspection'
Fabian Keil [Fri, 20 Nov 2020 15:22:15 +0000 (16:22 +0100)]
 
Mention https inspection as new feature
Fabian Keil [Thu, 19 Nov 2020 13:52:10 +0000 (14:52 +0100)]
 
Add #165: Add a max-connections-per-client directive
Fabian Keil [Thu, 19 Nov 2020 03:49:44 +0000 (04:49 +0100)]
 
Bump version to 3.0.29 stable
Fabian Keil [Thu, 19 Nov 2020 03:45:45 +0000 (04:45 +0100)]
 
Note that sponsor levels 'Gold' and 'Silver' don't require a logo link
Fabian Keil [Thu, 19 Nov 2020 03:42:51 +0000 (04:42 +0100)]
 
Don't claim that the logo will be shown randomly for sponsor level 'Silver'
The website is static and is unlikely to become dynamic in the
near future.
Fabian Keil [Wed, 18 Nov 2020 19:05:22 +0000 (20:05 +0100)]
 
After detecting OpenSSL/LibreSSL explicitly mention the "special exception" from section 3 of the GPLv2
Fabian Keil [Wed, 18 Nov 2020 10:33:24 +0000 (11:33 +0100)]
 
Bump SOURCE_DATE_EPOCH
Fabian Keil [Wed, 18 Nov 2020 10:56:04 +0000 (11:56 +0100)]
 
Rebuild FAQ without Zwiebelfreunde e.V. information
Fabian Keil [Wed, 18 Nov 2020 09:37:24 +0000 (10:37 +0100)]
 
Remove Zwiebelfreunde e.V. from the list of fiduciary sponsors
As of 2021 they no longer handle donations for foreign organisations
due to lack of resources.
Fabian Keil [Thu, 12 Nov 2020 09:54:14 +0000 (10:54 +0100)]
 
Only set SOURCE_DATE_EPOCH if it's not already set
... so distributions can overwrite it through the environment.
Fabian Keil [Tue, 10 Nov 2020 12:58:48 +0000 (13:58 +0100)]
 
Remove list_to_text() from the list of supposedly declared functions
Fabian Keil [Tue, 10 Nov 2020 12:50:59 +0000 (13:50 +0100)]
 
get_request_destination_elsewhere(): Prevent unlikely dereference of a NULL-pointer
... if getting the destination fails and list_to_text() fails
as well.
CID 267165
Fabian Keil [Tue, 10 Nov 2020 11:33:53 +0000 (12:33 +0100)]
 
cgi_show_client_tags(): Plug memory leaks
CID 267168
Fabian Keil [Tue, 10 Nov 2020 11:22:04 +0000 (12:22 +0100)]
 
Plug another memory leak in cgi_show_status()
CID 305233
Fabian Keil [Tue, 10 Nov 2020 10:54:55 +0000 (11:54 +0100)]
 
ssl_send_certificate_error(): Cast ssl_send_data() return code to void
... to silence CID 305232.
Fabian Keil [Tue, 10 Nov 2020 10:47:18 +0000 (11:47 +0100)]
 
Plug memory leak in cgi_show_status()
CID 305233
Fabian Keil [Tue, 10 Nov 2020 10:37:21 +0000 (11:37 +0100)]
 
Fix memory leak in cgi_show_status() with extended statistics enabled
CID 305235
Fabian Keil [Thu, 5 Nov 2020 11:25:03 +0000 (12:25 +0100)]
 
Regenerate docs with updated license explanation
Fabian Keil [Thu, 5 Nov 2020 11:19:06 +0000 (12:19 +0100)]
 
Complicate the license explanation even further
The GPLv3 only has to be used if the MbedTLS version
is licensed under the Apache 2.0 license which will
be the case for future releases.
At the moment the 2.16 releases are still dual licensed.
Fabian Keil [Fri, 30 Oct 2020 08:08:20 +0000 (09:08 +0100)]
 
Unblock .tagesschau.de/
Fabian Keil [Sun, 18 Oct 2020 09:06:02 +0000 (11:06 +0200)]
 
Block requests to pixel.wp.com/
Fabian Keil [Sat, 10 Oct 2020 06:20:25 +0000 (08:20 +0200)]
 
Remove the reference to a non-existent 'hash' program in a comment
Fabian Keil [Wed, 16 Sep 2020 12:20:45 +0000 (14:20 +0200)]
 
Block requests to /(.*/)?piwik\.php
Fabian Keil [Wed, 7 Oct 2020 17:59:34 +0000 (19:59 +0200)]
 
Disable fast-redirects for .librarything.com/
Fabian Keil [Wed, 7 Oct 2020 09:29:22 +0000 (11:29 +0200)]
 
Block requests to .connectaserver.de/
Fabian Keil [Tue, 6 Oct 2020 14:07:38 +0000 (16:07 +0200)]
 
Rebuild config file
Fabian Keil [Tue, 6 Oct 2020 14:04:58 +0000 (16:04 +0200)]
 
Rebuild docs
Fabian Keil [Tue, 6 Oct 2020 14:04:08 +0000 (16:04 +0200)]
 
Add documentation for the cipher-list directive
Fabian Keil [Tue, 6 Oct 2020 11:28:14 +0000 (13:28 +0200)]
 
Add a cipher-list directive to specify the ciphers used
... in the TLS handshake.
The get_ciphersuites_from_string() function in the
MbedTLS code is based on code contributed by Václav Švec.
Fabian Keil [Tue, 6 Oct 2020 13:54:44 +0000 (15:54 +0200)]
 
Use 'Example' (singular) in sections that only contain one example
Fabian Keil [Tue, 6 Oct 2020 11:35:09 +0000 (13:35 +0200)]
 
Fix white-space
Fabian Keil [Sun, 4 Oct 2020 10:22:16 +0000 (12:22 +0200)]
 
Disable fast-redirects for issue.freebsdfoundation.org/
Fabian Keil [Sat, 3 Oct 2020 18:17:48 +0000 (20:17 +0200)]
 
Lowercase the host name in functions that set it
In case of get_destination_from_https_headers() it's important
to get stable hashes for certificates.
In case of get_destination_from_headers() and parse_http_url()
it's mainly cosmetic.
Fabian Keil [Sun, 4 Oct 2020 01:45:29 +0000 (03:45 +0200)]
 
Add string_tolower()
Fabian Keil [Sat, 3 Oct 2020 11:53:17 +0000 (13:53 +0200)]
 
Add support for Websockets with https inspection enabled
Set the CT_TABOO flag in case of status code 101 and
continue shuffling data around until one of the sockets
gets closed.
Fabian Keil [Sat, 3 Oct 2020 15:35:03 +0000 (17:35 +0200)]
 
MbedTLS ssl_send_data(): Include the socket in the log messages
Fabian Keil [Sat, 3 Oct 2020 15:33:26 +0000 (17:33 +0200)]
 
MbedTLS ssl_recv_data(): Include the socket in the log messages
Fabian Keil [Sat, 3 Oct 2020 11:37:29 +0000 (13:37 +0200)]
 
OpenSSL ssl_send_data(): Include the file descriptor in the log messages
Fabian Keil [Sat, 3 Oct 2020 11:35:56 +0000 (13:35 +0200)]
 
OpenSSL ssl_recv_data(): Include the file descriptor in the log messages
Fabian Keil [Mon, 28 Sep 2020 10:52:57 +0000 (12:52 +0200)]
 
Disable fast-redirects for .twitter.com/.*origin=http
Fabian Keil [Mon, 28 Sep 2020 10:38:34 +0000 (12:38 +0200)]
 
Remove #119 "Evaluate using pcre's jit mode"
Support has been added.
Fabian Keil [Fri, 25 Sep 2020 20:35:29 +0000 (22:35 +0200)]
 
pcrs: Use the D flag to disable JIT-compilation
... and use it in pcrs_compile_dynamic_command().
Fabian Keil [Fri, 25 Sep 2020 15:22:03 +0000 (17:22 +0200)]
 
pcrs: Request JIT compilation if it's supported
Fabian Keil [Mon, 5 Oct 2020 08:58:39 +0000 (10:58 +0200)]
 
Unblock belco24.de/
Fabian Keil [Sun, 4 Oct 2020 15:21:35 +0000 (17:21 +0200)]
 
Mark FEATURE_HTTPS_INSPECTION as experimental in the show-status template
Fabian Keil [Sun, 4 Oct 2020 10:30:20 +0000 (12:30 +0200)]
 
Add #164: Evaluate switching from pcreposix(3) to pcre's native api for URL matching
Fabian Keil [Sun, 4 Oct 2020 06:56:24 +0000 (08:56 +0200)]
 
Add #163: Use subdirectories in the certificate-directory
Fabian Keil [Sun, 4 Oct 2020 02:26:07 +0000 (04:26 +0200)]
 
Add #162: Delete generated keys and certificates in case of connection failures
Fabian Keil [Sun, 4 Oct 2020 01:52:40 +0000 (03:52 +0200)]
 
Add #161: Properly support requests with chunked transfer-encoding with https inspection
Fabian Keil [Sun, 4 Oct 2020 04:44:10 +0000 (06:44 +0200)]
 
Rebuild config file
Fabian Keil [Sun, 4 Oct 2020 04:42:32 +0000 (06:42 +0200)]
 
Regenerate docs
Fabian Keil [Sun, 4 Oct 2020 01:38:51 +0000 (03:38 +0200)]
 
Add a warning that Privoxy currently does not garbage-collect obsolete keys and certificates
Fabian Keil [Sun, 4 Oct 2020 01:32:31 +0000 (03:32 +0200)]
 
Remove stray space
Fabian Keil [Tue, 29 Sep 2020 10:52:35 +0000 (12:52 +0200)]
 
Declare https-inspection experimental
Fabian Keil [Tue, 29 Sep 2020 10:37:27 +0000 (12:37 +0200)]
 
process_encrypted_request(): If we received no data after a CONNECT request, don't report it as a parse error
Fabian Keil [Mon, 28 Sep 2020 11:56:43 +0000 (13:56 +0200)]
 
send_https_request(): Call receive_and_send_encrypted_post_data() if
... nothing was flushed but we're expecting a request body.
Previously we would only call receive_and_send_encrypted_post_data()
if we flushed part of the request body which does not work if the
client headers are read without a single byte of request body.
Fabian Keil [Sun, 27 Sep 2020 13:09:36 +0000 (15:09 +0200)]
 
privoxy-log-parser.pl: Add a --keep-date option to keep the date in highlighted messages
Fabian Keil [Mon, 28 Sep 2020 11:09:03 +0000 (13:09 +0200)]
 
Block requests to pixel.inforsea.com/
Fabian Keil [Mon, 28 Sep 2020 11:02:29 +0000 (13:02 +0200)]
 
Block requests to t.vi-serve.com/
Fabian Keil [Sun, 27 Sep 2020 12:38:13 +0000 (14:38 +0200)]
 
Block requests to .ioam.de/
Fabian Keil [Sun, 27 Sep 2020 12:33:37 +0000 (14:33 +0200)]
 
Relocate the block of t.9gag.com/img\.gif to the 'web-bug that is an image' section
Fabian Keil [Fri, 25 Sep 2020 19:52:02 +0000 (21:52 +0200)]
 
Relocate a variable declaration to the function where it is used
Fabian Keil [Fri, 25 Sep 2020 19:46:29 +0000 (21:46 +0200)]
 
Remove stray space
Fabian Keil [Fri, 25 Sep 2020 11:09:49 +0000 (13:09 +0200)]
 
Make it more obvious that the OpenSSL code is also expected to work with LibreSSL
Fabian Keil [Thu, 24 Sep 2020 08:44:00 +0000 (10:44 +0200)]
 
pcrs_filter_response(): Free the old data if there are no hits
... and it's different from the data in iob and the new data.
Fixes a memory leak if multiple filters are executed
and the last one is skipped due to a pcre error.
Fabian Keil [Thu, 24 Sep 2020 09:14:36 +0000 (11:14 +0200)]
 
chat(): Don't send the certificate error response if the certificate hasn't been verified
Fabian Keil [Thu, 24 Sep 2020 07:50:45 +0000 (09:50 +0200)]
 
Rebuild docs
Fabian Keil [Thu, 24 Sep 2020 07:29:25 +0000 (09:29 +0200)]
 
Add Hớ Hờ Hợ as contributor
Use Vietnamese Quoted-Readable for the vowels as the numeric
character sets are rejected by openjade.
Fabian Keil [Thu, 24 Sep 2020 06:27:58 +0000 (08:27 +0200)]
 
Add withoutname as contributor
Fabian Keil [Wed, 23 Sep 2020 17:08:14 +0000 (19:08 +0200)]
 
cgi_edit_actions_submit(): Check the toggle state of filters until no filters are left
Previously we would stop looking after the first filter
index wasn't found in the request URL.
This worked in case of "split-large-forms 0" but resulted in
filter state being ignored in case of "split-large-forms 1"
which leads to request URLs that only contain a subset of
the filters.
Reported by withoutname in #921.
Fabian Keil [Wed, 23 Sep 2020 12:26:56 +0000 (14:26 +0200)]
 
OpenSSL: Use %y instead of %Y in VALID_DATETIME_FMT
Otherwise OpenSSL uses the GENERALIZEDTIME ASN.1 encoding
which results in LibreSSL-based clients rejecting
the certificate because they want the UTCTIME encoding
if the year is before 2050.
Example:
    fk@openbsd ~ $curl https://www.electrobsd.org/
    curl: (60) SSL certificate problem: format error in certificate's notBefore field
    [...]
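The encoding rule behind the %y/%Y fix above, as an added example that is not part of Privoxy or the commit: RFC 5280 requires validity dates through 2049 to be encoded as UTCTime (YYMMDDHHMMSSZ) and dates from 2050 on as GeneralizedTime (YYYYMMDDHHMMSSZ); a four-digit year in the format string forces GeneralizedTime for every date, which strict clients reject. The sample timestamps are constructed; the function names are this example's own.

```python
# Added example (not Privoxy code): encode a DER X.509 Time the way RFC 5280
# requires, show what an always-four-digit-year format produces instead, and
# check an encoded Time element for conformance.
from datetime import datetime, timezone
from typing import Tuple

UTCTIME = 0x17          # ASN.1 tag for UTCTime
GENERALIZEDTIME = 0x18  # ASN.1 tag for GeneralizedTime

# Constructed sample timestamps (not taken from a real certificate).
NOT_BEFORE = datetime(2020, 9, 23, 9, 19, 32, tzinfo=timezone.utc)
FAR_FUTURE = datetime(2051, 1, 1, 0, 0, 0, tzinfo=timezone.utc)


def encode_x509_time(when: datetime) -> bytes:
    """DER Time with the tag RFC 5280 section 4.1.2.5 mandates for the year."""
    if when.year < 2050:
        body = when.strftime("%y%m%d%H%M%SZ").encode("ascii")  # %y: two-digit year
        tag = UTCTIME
    else:
        body = when.strftime("%Y%m%d%H%M%SZ").encode("ascii")
        tag = GENERALIZEDTIME
    return bytes([tag, len(body)]) + body


def encode_time_with_four_digit_year(when: datetime) -> bytes:
    """What a %Y format string yields: GeneralizedTime regardless of the year."""
    body = when.strftime("%Y%m%d%H%M%SZ").encode("ascii")
    return bytes([GENERALIZEDTIME, len(body)]) + body


def check_x509_time(der: bytes) -> Tuple[bool, str]:
    """Return (conformant, reason) for a single DER-encoded Time element."""
    if len(der) < 2 or len(der) != 2 + der[1]:
        return False, "malformed Time element"
    tag, body = der[0], der[2:].decode("ascii", "replace")
    if tag == UTCTIME:
        if len(body) != 13 or not body.endswith("Z"):
            return False, "UTCTime must be YYMMDDHHMMSSZ"
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 4.1.2.5.1 pivot
        return True, "UTCTime, year %d" % year
    if tag == GENERALIZEDTIME:
        if len(body) != 15 or not body.endswith("Z"):
            return False, "GeneralizedTime must be YYYYMMDDHHMMSSZ"
        year = int(body[:4])
        if year < 2050:
            return False, "GeneralizedTime for year %d; RFC 5280 requires UTCTime" % year
        return True, "GeneralizedTime, year %d" % year
    return False, "unexpected tag 0x%02x" % tag
```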
Fabian Keil [Wed, 23 Sep 2020 09:19:32 +0000 (11:19 +0200)]
 
ssl_certificate_is_invalid(): If the validity check fails, consider the certificate invalid
Fabian Keil [Wed, 23 Sep 2020 08:10:43 +0000 (10:10 +0200)]
 
ssl_release(): Fix build with LibreSSL
... by only calling SSL_COMP_free_compression_methods()
and COMP_zlib_cleanup() if OPENSSL_NO_COMP is undefined.
Briefly tested with LibreSSL 3.1.1 on OpenBSD 6.7.
Fabian Keil [Wed, 23 Sep 2020 07:54:29 +0000 (09:54 +0200)]
 
Downgrade a 'Blocked URL' to  so the test works without FEATURE_HTTPS_INSPECTION
Fabian Keil [Wed, 16 Sep 2020 12:55:34 +0000 (14:55 +0200)]
 
Block requests to t.9gag.com/img.gif
Fabian Keil [Tue, 22 Sep 2020 11:13:03 +0000 (13:13 +0200)]
 
close_server_ssl_connection(): Set SSL_RECEIVED_SHUTDOWN
... so the BIO_free_all() call later on does not result
in OpenSSL waiting for a shutdown alert.
Prevents temporary hangs like:
   #0  0x0000000801d1f8da in _read () from /lib/libc.so.7
   #1  0x00000008019aebe6 in __thr_read (fd=59, buf=0x8084ecc43, nbytes=5) at /usr/src/lib/libthr/thread/thr_syscalls.c:418
   #2  0x0000000800cafb62 in sock_read (b=0x80459d470, out=0x8084ecc43 "\027\003\003\062m\234o*\370\005\371\v\242\nxX\364\n\r\020\344H=\261?Y\377Y\177\302\034Y!\004\064&H", outl=5) at /usr/src/crypto/openssl/crypto/bio/bss_sock.c:140
   #3  0x0000000800db9f34 in BIO_read (b=0x80459d470, out=0x8084ecc43, outl=5) at /usr/src/crypto/openssl/crypto/bio/bio_lib.c:210
   #4  0x000000080176a80d in ssl3_read_n (s=0x808515500, n=5, max=5, extend=<optimized out>) at /usr/src/crypto/openssl/ssl/s3_pkt.c:258
   #5  0x000000080176b87c in ssl3_get_record (s=0x808515500) at /usr/src/crypto/openssl/ssl/s3_pkt.c:342
   #6  ssl3_read_bytes (s=<optimized out>, type=<optimized out>, buf=<optimized out>, len=<optimized out>, peek=0) at /usr/src/crypto/openssl/ssl/s3_pkt.c:1233
   #7  0x000000080176e7bb in ssl3_shutdown (s=0x808515500) at /usr/src/crypto/openssl/ssl/s3_lib.c:4396
   #8  0x00000008017505b0 in ssl_free (a=0x8085b73f0) at /usr/src/crypto/openssl/ssl/bio_ssl.c:126
   #9  0x0000000800dbab7e in BIO_free (a=0x8085b73f0) at /usr/src/crypto/openssl/crypto/bio/bio_lib.c:133
   #10 BIO_free_all (bio=0x0) at /usr/src/crypto/openssl/crypto/bio/bio_lib.c:509
   #11 0x000000000045b481 in free_server_ssl_structures (csp=0x807720948) at openssl.c:1147
   #12 0x000000000045b411 in close_server_ssl_connection (csp=0x807720948) at openssl.c:942
   #13 0x0000000000438654 in serve (csp=0x807720948) at jcc.c:4531
   #14 0x00000008019ac08c in thread_start (curthread=0x8051fd200) at /usr/src/lib/libthr/thread/thr_create.c:290
   #15 0x0000000000000000 in ?? ()
Fabian Keil [Tue, 22 Sep 2020 11:09:41 +0000 (13:09 +0200)]
 
close_client_ssl_connection(): Set SSL_RECEIVED_SHUTDOWN
... so the BIO_free_all() call later on does not result
in OpenSSL waiting for a shutdown alert.
Prevents temporary hangs like this:
   (gdb) where
   #0  0x0000000801d1f8da in _read () from /lib/libc.so.7
   #1  0x00000008019aebe6 in __thr_read (fd=26, buf=0x804a2e8c3, nbytes=5) at /usr/src/lib/libthr/thread/thr_syscalls.c:418
   #2  0x0000000800cafb62 in sock_read (b=0x80895ffb0, out=0x804a2e8c3 "\027\003\003\004\a", outl=5) at /usr/src/crypto/openssl/crypto/bio/bss_sock.c:140
   #3  0x0000000800db9f34 in BIO_read (b=0x80895ffb0, out=0x804a2e8c3, outl=5) at /usr/src/crypto/openssl/crypto/bio/bio_lib.c:210
   #4  0x000000080176a80d in ssl3_read_n (s=0x806371a80, n=5, max=5, extend=<optimized out>) at /usr/src/crypto/openssl/ssl/s3_pkt.c:258
   #5  0x000000080176b87c in ssl3_get_record (s=0x806371a80) at /usr/src/crypto/openssl/ssl/s3_pkt.c:342
   #6  ssl3_read_bytes (s=<optimized out>, type=<optimized out>, buf=<optimized out>, len=<optimized out>, peek=0) at /usr/src/crypto/openssl/ssl/s3_pkt.c:1233
   #7  0x000000080176e7bb in ssl3_shutdown (s=0x806371a80) at /usr/src/crypto/openssl/ssl/s3_lib.c:4396
   #8  0x00000008017505b0 in ssl_free (a=0x80895fed0) at /usr/src/crypto/openssl/ssl/bio_ssl.c:126
   #9  0x0000000800dbab7e in BIO_free (a=0x80895fed0) at /usr/src/crypto/openssl/crypto/bio/bio_lib.c:133
   #10 BIO_free_all (bio=0x0) at /usr/src/crypto/openssl/crypto/bio/bio_lib.c:509
   #11 0x000000000045b301 in free_client_ssl_structures (csp=0x807678a88) at openssl.c:907
   #12 0x000000000045b391 in close_client_ssl_connection (csp=0x807678a88) at openssl.c:883
   #13 0x0000000000438603 in serve (csp=0x807678a88) at jcc.c:4516
   #14 0x00000008019ac08c in thread_start (curthread=0x807744200) at /usr/src/lib/libthr/thread/thr_create.c:290
   #15 0x0000000000000000 in ?? ()
Fabian Keil [Tue, 22 Sep 2020 11:04:51 +0000 (13:04 +0200)]
 
create_client_ssl_connection(): Fix whitespace
Fabian Keil [Tue, 22 Sep 2020 08:31:20 +0000 (10:31 +0200)]
 
serve(): Close the client socket before closing the server socket
When using OpenSSL, closing the server socket sometimes
takes a long time so make sure this does not delay the
closing of the client socket.
While this is a workaround, it doesn't hurt and
can be kept once the OpenSSL issue is fixed in
follow-up commits.
Fabian Keil [Tue, 22 Sep 2020 11:33:51 +0000 (13:33 +0200)]
 
privoxy-log-parser: Highlight 'The client socket 16 has become unusable while the server socket 24 is still open.'
Fabian Keil [Tue, 22 Sep 2020 07:57:24 +0000 (09:57 +0200)]
 
privoxy-log-parser: Highlight 'Dropping the client connection on socket 71. The server connection has not been established yet.'
Fabian Keil [Fri, 11 Sep 2020 18:51:14 +0000 (20:51 +0200)]
 
privoxy-log-parser: Completely highlight 'Reusing server socket 35 connected to nl.wikipedia.org. Requests already sent: 5.'
Fabian Keil [Mon, 21 Sep 2020 13:42:04 +0000 (15:42 +0200)]
 
Include wincrypt.h when compiling with OpenSSL on Windows
... but undefine X509_NAME and X509_EXTENSIONS.
Fixes:
    x86_64-w64-mingw32-gcc -c -pipe -O2 -Wshadow -DWINVER=0x501   -mwindows
    -Wall -Ipcre  openssl.c -o openssl.o
    In file included from
    P:/msys64/mingw64/x86_64-w64-mingw32/include/windows.h:95,
                     from project.h:62,
                     from openssl.c:42:
    P:/msys64/mingw64/include/openssl/ssl.h:1611:5: error: expected
    specifier-qualifier-list before '(' token
     1611 |     X509_EXTENSIONS *tlsext_ocsp_exts;
          |     ^~~~~~~~~~~~~~~
when using OpenSSL 1.0.2.
Reported and partially submitted by: Hớ Hờ Hợ
Fabian Keil [Sun, 13 Sep 2020 12:13:41 +0000 (14:13 +0200)]
 
Rebuild docs
Fabian Keil [Sun, 13 Sep 2020 12:11:09 +0000 (14:11 +0200)]
 
Add a missing apostrophe in the 'More Privoxy' menu
Fabian Keil [Sun, 13 Sep 2020 12:11:02 +0000 (14:11 +0200)]
 
Add a missing apostrophe in the 'More Privoxy' menu
Fabian Keil [Fri, 11 Sep 2020 17:56:20 +0000 (19:56 +0200)]
 
Register dependencies of the ssl_common object file so it is rebuilt when needed