* creating, using and closing TLS/SSL connections.
*
* Copyright : Written by and Copyright (c) 2017 Vaclav Svec. FIT CVUT.
- * Copyright (C) 2018-2019 by Fabian Keil <fk@fabiankeil.de>
+ * Copyright (C) 2018-2020 by Fabian Keil <fk@fabiankeil.de>
*
* This program is free software; you can redistribute it
* and/or modify it under the terms of the GNU General
#include "mbedtls/base64.h"
#include "mbedtls/error.h"
+#include "config.h"
#include "project.h"
#include "miscutil.h"
#include "errlog.h"
#include "jcc.h"
-#include "config.h"
#include "ssl.h"
char *key_file_path; /* filename of the key file */
} key_options;
-extern int generate_webpage_certificate(struct client_state *csp);
+static int generate_webpage_certificate(struct client_state *csp);
static char *make_certs_path(const char *conf_dir, const char *file_name, const char *suffix);
static int file_exists(const char *path);
static int host_to_hash(struct client_state *csp);
{
char err_buf[ERROR_BUF_SIZE];
- memset(err_buf, 0, sizeof(err_buf));
mbedtls_strerror(ret, err_buf, sizeof(err_buf));
log_error(LOG_LEVEL_ERROR,
"Sending data over TLS/SSL failed: %s", err_buf);
* 2 : buf = Pointer to buffer where data will be written
* 3 : max_length = Maximum number of bytes to read
*
- * Returns : Number of bytes read, 0 for EOF, or negative
- * value on error.
+ * Returns : Number of bytes read, 0 for EOF, or -1
+ * on error.
*
*********************************************************************/
extern int ssl_recv_data(mbedtls_ssl_context *ssl, unsigned char *buf, size_t max_length)
{
char err_buf[ERROR_BUF_SIZE];
- memset(err_buf, 0, sizeof(err_buf));
+ if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
+ {
+ log_error(LOG_LEVEL_CONNECT,
+ "The peer notified us that the connection is going to be closed");
+ return 0;
+ }
mbedtls_strerror(ret, err_buf, sizeof(err_buf));
log_error(LOG_LEVEL_ERROR,
"Receiving data over TLS/SSL failed: %s", err_buf);
+
+ return -1;
}
return ret;
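Review bot: After this change a return value of 0 from ssl_recv_data covers two cases: a close_notify from the peer, and whatever mbedtls_ssl_read itself reports as 0 through the final `return ret;`. As far as I know, mbedtls uses that 0 for a transport closed without a close_notify, so callers can no longer tell a clean TLS shutdown from a possibly truncated stream. That difference matters for response bodies delimited by connection close. If dropping it is intentional, the header comment should say so, e.g. `0 for EOF (with or without a close_notify from the peer)`, and the un-notified case could be logged at LOG_LEVEL_CONNECT too. The condition guarding this block is outside the hunk, so I am assuming it is entered only for negative values of ret.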
int ret = 0;
char err_buf[ERROR_BUF_SIZE];
- memset(err_buf, 0, sizeof(err_buf));
-
/*
* Initializing mbedtls structures for TLS/SSL connection
*/
char *trusted_cas_file = NULL;
int auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED;
- memset(err_buf, 0, sizeof(err_buf));
-
csp->server_cert_verification_result = SSL_CERT_NOT_VERIFIED;
csp->server_certs_chain.next = NULL;
mbedtls_net_init(&(csp->mbedtls_server_attr.socket_fd));
mbedtls_ssl_init(&(csp->mbedtls_server_attr.ssl));
mbedtls_ssl_config_init(&(csp->mbedtls_server_attr.conf));
- mbedtls_x509_crt_init( &(csp->mbedtls_server_attr.ca_cert));
+ mbedtls_x509_crt_init(&(csp->mbedtls_server_attr.ca_cert));
/*
* Setting socket fd in mbedtls_net_context structure. This structure
int ret = 0;
char err_buf[ERROR_BUF_SIZE];
- memset(err_buf, 0, sizeof(err_buf));
memset(cert_buf, 0, sizeof(cert_buf));
/*
int ret = 0;
char err_buf[ERROR_BUF_SIZE];
- memset(err_buf, 0, sizeof(err_buf));
-
/* Initializing buffer for key file content */
*ret_buf = zalloc_or_die(PRIVATE_KEY_BUF_SIZE + 1);
* contain NULL and no private key is generated.
*
* Parameters :
- * 1 : key_buf = buffer to save new generated key
- * 2 : csp = Current client state (buffers, headers, etc...)
+ * 1 : csp = Current client state (buffers, headers, etc...)
+ * 2 : key_buf = buffer to save new generated key
*
* Returns : -1 => Error while generating private key
* 0 => Key already exists
* >0 => Length of generated private key
*
*********************************************************************/
-static int generate_key(unsigned char **key_buf, struct client_state *csp)
+static int generate_key(struct client_state *csp, unsigned char **key_buf)
{
mbedtls_pk_context key;
key_options key_opt;
char err_buf[ERROR_BUF_SIZE];
key_opt.key_file_path = NULL;
- memset(err_buf, 0, sizeof(err_buf));
/*
* Initializing structures for key generating
* 1 : csp = Current client state (buffers, headers, etc...)
*
* Returns : -1 => Error while creating certificate.
- * 0 => Certificate alreaday exist.
+ * 0 => Certificate already exists.
* >0 => Length of created certificate.
*
*********************************************************************/
-extern int generate_webpage_certificate(struct client_state *csp)
+static int generate_webpage_certificate(struct client_state *csp)
{
mbedtls_x509_crt issuer_cert;
mbedtls_pk_context loaded_issuer_key, loaded_subject_key;
char err_buf[ERROR_BUF_SIZE];
cert_options cert_opt;
- memset(err_buf, 0, sizeof(err_buf));
-
/* Paths to keys and certificates needed to create certificate */
cert_opt.issuer_key = NULL;
cert_opt.subject_key = NULL;
/*
* Create key for requested host
*/
- int subject_key_len = generate_key(&key_buf, csp);
+ int subject_key_len = generate_key(csp, &key_buf);
if (subject_key_len < 0)
{
log_error(LOG_LEVEL_ERROR, "Key generating failed");
* Initializing structures for certificate generating
*/
mbedtls_x509write_crt_init(&cert);
- mbedtls_x509write_crt_set_md_alg( &cert, CERT_SIGNATURE_ALGORITHM);
+ mbedtls_x509write_crt_set_md_alg(&cert, CERT_SIGNATURE_ALGORITHM);
mbedtls_pk_init(&loaded_issuer_key);
mbedtls_pk_init(&loaded_subject_key);
mbedtls_mpi_init(&serial);
if (!mbedtls_pk_can_do(&issuer_cert.pk, MBEDTLS_PK_RSA) ||
mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->N,
&mbedtls_pk_rsa(*issuer_key)->N) != 0 ||
- mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa(issuer_cert.pk)->E,
- &mbedtls_pk_rsa(*issuer_key )->E) != 0)
+ mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->E,
+ &mbedtls_pk_rsa(*issuer_key)->E) != 0)
{
log_error(LOG_LEVEL_ERROR,
"Issuer key doesn't match issuer certificate");
* absolute path to cwd.
*/
path_size += strlen(basedir) + 2;
- path = (char *)malloc(path_size);
- if (path == NULL)
- {
- log_error(LOG_LEVEL_ERROR, "make_certs_path failed: malloc fail");
- return NULL;
- }
- memset(path, 0, path_size);
+ path = zalloc_or_die(path_size);
strlcpy(path, basedir, path_size);
strlcat(path, delim, path_size);
else
#endif /* defined unix */
{
- path = (char *)malloc(path_size);
- if (path == NULL)
- {
- log_error(LOG_LEVEL_ERROR, "make_certs_path failed: malloc fail");
- return NULL;
- }
- memset(path, 0, path_size);
+ path = zalloc_or_die(path_size);
strlcpy(path, conf_dir, path_size);
strlcat(path, delim, path_size);
/*
* Preparing next item in linked list for next certificate
- * If malloc fails, we are continuing without this certificate
*/
- last->next = (struct certs_chain *)malloc(sizeof(struct certs_chain));
- if (last->next != NULL)
- {
- last->next->next = NULL;
- memset(last->next->text_buf, 0, sizeof(last->next->text_buf));
- memset(last->next->file_buf, 0, sizeof(last->next->file_buf));
-
- /*
- * Saving certificate file into buffer
- */
- if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_CRT, PEM_END_CRT,
- crt->raw.p, crt->raw.len, (unsigned char *)last->file_buf,
- sizeof(last->file_buf)-1, &olen)) != 0)
- {
- return(ret);
- }
+ last->next = malloc_or_die(sizeof(struct certs_chain));
+ last->next->next = NULL;
+ memset(last->next->text_buf, 0, sizeof(last->next->text_buf));
+ memset(last->next->file_buf, 0, sizeof(last->next->file_buf));
- /*
- * Saving certificate information into buffer
- */
- mbedtls_x509_crt_info(last->text_buf, sizeof(last->text_buf) - 1,
- CERT_INFO_PREFIX, crt);
- }
- else
+ /*
+ * Saving certificate file into buffer
+ */
+ if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_CRT, PEM_END_CRT,
+ crt->raw.p, crt->raw.len, (unsigned char *)last->file_buf,
+ sizeof(last->file_buf)-1, &olen)) != 0)
{
- log_error(LOG_LEVEL_ERROR,
- "Malloc memory for server certificate informations failed");
- return -1;
+ return(ret);
}
+ /*
+ * Saving certificate information into buffer
+ */
+ mbedtls_x509_crt_info(last->text_buf, sizeof(last->text_buf) - 1,
+ CERT_INFO_PREFIX, crt);
+
return 0;
}
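Review bot: The new node is allocated with `malloc_or_die` and then cleared field by field, while make_certs_path in this same commit uses the zero-filling helper. `last->next = zalloc_or_die(sizeof(struct certs_chain));` would make both memsets unnecessary and keep the two allocation sites consistent. Separately, the return value of `mbedtls_x509_crt_info` is still discarded, so a failure or an output that does not fit leaves text_buf empty or partial with no log line. Checking for a negative result and logging it at LOG_LEVEL_ERROR would make that visible. The function begins outside the hunk.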
/* Cleaning buffers */
memset(csp->server_certs_chain.text_buf, 0,
sizeof(csp->server_certs_chain.text_buf));
- memset(csp->server_certs_chain.text_buf, 0,
+ memset(csp->server_certs_chain.file_buf, 0,
sizeof(csp->server_certs_chain.file_buf));
csp->server_certs_chain.next = NULL;
int ret = 0;
char err_buf[ERROR_BUF_SIZE];
- memset(err_buf, 0, sizeof(err_buf));
-
if (rng_seeded == 0)
{
privoxy_mutex_lock(&rng_mutex);