change_request_destination(): Reject rewrites from http to https

[privoxy.git] / openssl.c

diff --git a/openssl.c b/openssl.c
index 37b8069..e3717af 100644 (file)
--- a/openssl.c
+++ b/openssl.c
@@ -396,6 +396,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
    }
    else
    {
+      int i;
       if (bs->type == V_ASN1_NEG_INTEGER)
       {
          if (BIO_puts(bio, " (Negative)") < 0)
@@ -405,7 +406,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
             goto exit;
          }
       }
-      for (int i = 0; i < bs->length; i++)
+      for (i = 0; i < bs->length; i++)
       {
          if (BIO_printf(bio, "%02x%c", bs->data[i],
                ((i + 1 == bs->length) ? '\n' : ':')) <= 0)
@@ -653,6 +654,13 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
    BIO_write(bio, &zero, 1);
 
    len = BIO_get_mem_data(bio, &bio_mem_data);
+   if (len <= 0)
+   {
+      log_error(LOG_LEVEL_ERROR, "BIO_get_mem_data() returned %d "
+         "while gathering certificate information", len);
+      ret = -1;
+      goto exit;
+   }
    encoded_text = html_encode(bio_mem_data);
    if (encoded_text == NULL)
    {
@@ -735,7 +743,6 @@ extern int create_client_ssl_connection(struct client_state *csp)
    struct ssl_attr *ssl_attr = &csp->ssl_client_attr;
    /* Paths to certificates file and key file */
    char *key_file  = NULL;
-   char *ca_file   = NULL;
    char *cert_file = NULL;
    int ret = 0;
    SSL *ssl;
@@ -759,7 +766,6 @@ extern int create_client_ssl_connection(struct client_state *csp)
    /*
     * Preparing paths to certificates files and key file
     */
-   ca_file   = csp->config->ca_cert_file;
    cert_file = make_certs_path(csp->config->certificate_directory,
       (const char *)csp->http->hash_of_host_hex, CERT_FILE_TYPE);
    key_file  = make_certs_path(csp->config->certificate_directory,
@@ -837,6 +843,18 @@ extern int create_client_ssl_connection(struct client_state *csp)
       goto exit;
    }
 
+   if (csp->config->cipher_list != NULL)
+   {
+      if (!SSL_set_cipher_list(ssl, csp->config->cipher_list))
+      {
+         log_ssl_errors(LOG_LEVEL_ERROR,
+            "Setting the cipher list '%s' for the client connection failed",
+            csp->config->cipher_list);
+         ret = -1;
+         goto exit;
+      }
+   }
+
    /*
     *  Handshake with client
     */
@@ -1061,6 +1079,18 @@ extern int create_server_ssl_connection(struct client_state *csp)
       goto exit;
    }
 
+   if (csp->config->cipher_list != NULL)
+   {
+      if (!SSL_set_cipher_list(ssl, csp->config->cipher_list))
+      {
+         log_ssl_errors(LOG_LEVEL_ERROR,
+            "Setting the cipher list '%s' for the server connection failed",
+            csp->config->cipher_list);
+         ret = -1;
+         goto exit;
+      }
+   }
+
    /*
     * Set the hostname to check against the received server certificate
     */
@@ -1118,7 +1148,8 @@ extern int create_server_ssl_connection(struct client_state *csp)
    chain = SSL_get_peer_cert_chain(ssl);
    if (chain)
    {
-      for (int i = 0; i < sk_X509_num(chain); i++)
+      int i;
+      for (i = 0; i < sk_X509_num(chain); i++)
       {
          if (ssl_store_cert(csp, sk_X509_value(chain, i)) != 0)
          {
@@ -1771,6 +1802,25 @@ static int generate_webpage_certificate(struct client_state *csp)
       }
    }
 
+   if (file_exists(cert_opt.output_file) == 0 &&
+       file_exists(cert_opt.subject_key) == 1)
+   {
+      log_error(LOG_LEVEL_ERROR,
+         "A website key already exists but there's no matching certificate. "
+         "Removing %s before creating a new key and certificate.",
+         cert_opt.subject_key);
+      if (unlink(cert_opt.subject_key))
+      {
+         log_error(LOG_LEVEL_ERROR, "Failed to unlink %s: %E",
+            cert_opt.subject_key);
+
+         freez(cert_opt.output_file);
+         freez(cert_opt.subject_key);
+
+         return -1;
+      }
+   }
+
    /*
     * Create key for requested host
     */