X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=ssl.c;h=4862609574983d7ab87b0c3029a6ad2f279f160d;hb=62b77bfd9b83e2ead4aa580200282c6ffeae42fd;hp=13203de96e7440c441b6a049868214b210ef1228;hpb=734909ce59b2c906eeaf92489ecc686781374ece;p=privoxy.git diff --git a/ssl.c b/ssl.c index 13203de9..48626095 100644 --- a/ssl.c +++ b/ssl.c @@ -88,7 +88,7 @@ static mbedtls_ctr_drbg_context ctr_drbg; static mbedtls_entropy_context entropy; static int rng_seeded; -static int generate_webpage_certificate(struct client_state *csp); +static int generate_host_certificate(struct client_state *csp); static int host_to_hash(struct client_state *csp); static int ssl_verify_callback(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags); static void free_client_ssl_structures(struct client_state *csp); @@ -325,11 +325,11 @@ extern int create_client_ssl_connection(struct client_state *csp) */ privoxy_mutex_lock(&certificate_mutex); - ret = generate_webpage_certificate(csp); + ret = generate_host_certificate(csp); if (ret < 0) { log_error(LOG_LEVEL_ERROR, - "Generate_webpage_certificate failed: %d", ret); + "generate_host_certificate failed: %d", ret); privoxy_mutex_unlock(&certificate_mutex); ret = -1; goto exit; @@ -479,7 +479,10 @@ extern int create_client_ssl_connection(struct client_state *csp) } } - log_error(LOG_LEVEL_CONNECT, "Client successfully connected over TLS/SSL"); + log_error(LOG_LEVEL_CONNECT, "Client successfully connected over %s (%s).", + mbedtls_ssl_get_version(&(ssl_attr->mbedtls_attr.ssl)), + mbedtls_ssl_get_ciphersuite(&(ssl_attr->mbedtls_attr.ssl))); + csp->ssl_with_client_is_opened = 1; exit: @@ -754,7 +757,9 @@ extern int create_server_ssl_connection(struct client_state *csp) } } - log_error(LOG_LEVEL_CONNECT, "Server successfully connected over TLS/SSL"); + log_error(LOG_LEVEL_CONNECT, "Server successfully connected over %s (%s).", + mbedtls_ssl_get_version(&(ssl_attr->mbedtls_attr.ssl)), + mbedtls_ssl_get_ciphersuite(&(ssl_attr->mbedtls_attr.ssl))); /* * Server certificate chain is valid, so we can clean @@ -1257,7 +1262,7 @@ exit: /********************************************************************* * - * Function : generate_webpage_certificate + * Function : generate_host_certificate * * Description : Creates certificate file in presetted directory. * If certificate already exists, no other certificate @@ -1273,7 +1278,7 @@ exit: * >0 => Length of created certificate. * *********************************************************************/ -static int generate_webpage_certificate(struct client_state *csp) +static int generate_host_certificate(struct client_state *csp) { mbedtls_x509_crt issuer_cert; mbedtls_pk_context loaded_issuer_key, loaded_subject_key; @@ -1310,6 +1315,15 @@ static int generate_webpage_certificate(struct client_state *csp) return -1; } + if (enforce_sane_certificate_state(cert_opt.output_file, + cert_opt.subject_key)) + { + freez(cert_opt.output_file); + freez(cert_opt.subject_key); + + return -1; + } + if (file_exists(cert_opt.output_file) == 1) { /* The file exists, but is it valid? */ @@ -1348,25 +1362,6 @@ static int generate_webpage_certificate(struct client_state *csp) } } - if (file_exists(cert_opt.output_file) == 0 && - file_exists(cert_opt.subject_key) == 1) - { - log_error(LOG_LEVEL_ERROR, - "A website key already exists but there's no matching certificate. " - "Removing %s before creating a new key and certificate.", - cert_opt.subject_key); - if (unlink(cert_opt.subject_key)) - { - log_error(LOG_LEVEL_ERROR, "Failed to unlink %s: %E", - cert_opt.subject_key); - - freez(cert_opt.output_file); - freez(cert_opt.subject_key); - - return -1; - } - } - /* * Create key for requested host */ @@ -1750,6 +1745,7 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt, { char buf[CERT_INFO_BUF_SIZE]; char *encoded_text; +#define CERT_INFO_PREFIX "" mbedtls_x509_crt_info(buf, sizeof(buf), CERT_INFO_PREFIX, crt); encoded_text = html_encode(buf); @@ -1777,7 +1773,7 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt, * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) * - * Returns : 1 => Error while creating hash + * Returns : -1 => Error while creating hash * 0 => Hash created successfully * *********************************************************************/ @@ -1789,8 +1785,15 @@ static int host_to_hash(struct client_state *csp) #error mbedTLS needs to be compiled with md5 support #else memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host)); - mbedtls_md5((unsigned char *)csp->http->host, strlen(csp->http->host), - csp->http->hash_of_host); + ret = mbedtls_md5_ret((unsigned char *)csp->http->host, + strlen(csp->http->host), csp->http->hash_of_host); + if (ret != 0) + { + log_error(LOG_LEVEL_ERROR, + "Failed to generate md5 hash of host %s: %d", + csp->http->host, ret); + return -1; + } /* Converting hash into string with hex */ size_t i = 0; @@ -1891,10 +1894,20 @@ extern int ssl_base64_encode(unsigned char *dst, size_t dlen, size_t *olen, *********************************************************************/ extern void ssl_crt_verify_info(char *buf, size_t size, struct client_state *csp) { - mbedtls_x509_crt_verify_info(buf, size, " ", csp->server_cert_verification_result); + char *last_byte; + + mbedtls_x509_crt_verify_info(buf, size, "", + csp->server_cert_verification_result); + last_byte = buf + strlen(buf)-1; + if (*last_byte == '\n') + { + /* Overwrite trailing new line character */ + *last_byte = '\0'; + } } +#ifdef FEATURE_GRACEFUL_TERMINATION /********************************************************************* * * Function : ssl_release @@ -1914,6 +1927,7 @@ extern void ssl_release(void) mbedtls_entropy_free(&entropy); } } +#endif /* def FEATURE_GRACEFUL_TERMINATION */ /*********************************************************************