static int host_to_hash(struct client_state *csp);
static int ssl_verify_callback(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags);
static void free_certificate_chain(struct client_state *csp);
-static unsigned int get_certificate_mutex_id(struct client_state *csp);
static unsigned long get_certificate_serial(struct client_state *csp);
static void free_client_ssl_structures(struct client_state *csp);
static void free_server_ssl_structures(struct client_state *csp);
* Generating certificate for requested host. Mutex to prevent
* certificate and key inconsistence must be locked.
*/
- unsigned int cert_mutex_id = get_certificate_mutex_id(csp);
- privoxy_mutex_lock(&(certificates_mutexes[cert_mutex_id]));
+ privoxy_mutex_lock(&certificate_mutex);
ret = generate_webpage_certificate(csp);
if (ret < 0)
{
log_error(LOG_LEVEL_ERROR,
"Generate_webpage_certificate failed: %d", ret);
- privoxy_mutex_unlock(&(certificates_mutexes[cert_mutex_id]));
+ privoxy_mutex_unlock(&certificate_mutex);
ret = -1;
goto exit;
}
- privoxy_mutex_unlock(&(certificates_mutexes[cert_mutex_id]));
+ privoxy_mutex_unlock(&certificate_mutex);
/*
* Seed the RNG
if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
{
- log_error(LOG_LEVEL_ERROR,
- "Server certificate verification failed: %s", err_buf);
+ char reason[INVALID_CERT_INFO_BUF_SIZE];
+
csp->server_cert_verification_result =
mbedtls_ssl_get_verify_result(&(csp->mbedtls_server_attr.ssl));
+ mbedtls_x509_crt_verify_info(reason, sizeof(reason), "",
+ csp->server_cert_verification_result);
+ /* Log the reason without the trailing new line */
+ log_error(LOG_LEVEL_ERROR,
+ "The X509 certificate verification failed: %N",
+ strlen(reason)-1, reason);
ret = -1;
}
else
}
-/*********************************************************************
- *
- * Function : get_certificate_mutex_id
- *
- * Description : Computes mutex id from host name hash. This hash must
- * be already saved in csp structure
- *
- * Parameters :
- * 1 : csp = Current client state (buffers, headers, etc...)
- *
- * Returns : Mutex id for given host name
- *
- *********************************************************************/
-static unsigned int get_certificate_mutex_id(struct client_state *csp) {
-#ifdef LIMIT_MUTEX_NUMBER
- return (unsigned int)(csp->http->hash_of_host[0] % 32);
-#else
- return (unsigned int)(csp->http->hash_of_host[1]
- + 256 * (int)csp->http->hash_of_host[0]);
-#endif /* LIMIT_MUTEX_NUMBER */
-}
-
-
/*********************************************************************
*
* Function : get_certificate_serial
* Returns : Serial number for new certificate
*
*********************************************************************/
-static unsigned long get_certificate_serial(struct client_state *csp) {
+static unsigned long get_certificate_serial(struct client_state *csp)
+{
unsigned long exp = 1;
unsigned long serial = 0;
int ret = 0;
#if !defined(MBEDTLS_MD5_C)
- log_error(LOG_LEVEL_ERROR, "MBEDTLS_MD5_C is not defined. Can't create"
- "MD5 hash for certificate and key name.");
- return -1;
+#error mbedTLS needs to be compiled with md5 support
#else
memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host));
mbedtls_md5((unsigned char *)csp->http->host, strlen(csp->http->host),