static int host_to_hash(struct client_state *csp);
static int ssl_verify_callback(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags);
static void free_certificate_chain(struct client_state *csp);
-static unsigned int get_certificate_mutex_id(struct client_state *csp);
static unsigned long get_certificate_serial(struct client_state *csp);
static void free_client_ssl_structures(struct client_state *csp);
static void free_server_ssl_structures(struct client_state *csp);
send_len = (int)max_fragment_size;
}
+ log_error(LOG_LEVEL_WRITING, "TLS: %N", send_len, buf+pos);
+
/*
* Sending one part of the buffer
*/
return -1;
}
+ log_error(LOG_LEVEL_RECEIVED, "TLS: %N", ret, buf);
+
return ret;
}
* Generating certificate for requested host. Mutex to prevent
* certificate and key inconsistence must be locked.
*/
- unsigned int cert_mutex_id = get_certificate_mutex_id(csp);
- privoxy_mutex_lock(&(certificates_mutexes[cert_mutex_id]));
+ privoxy_mutex_lock(&certificate_mutex);
ret = generate_webpage_certificate(csp);
if (ret < 0)
{
log_error(LOG_LEVEL_ERROR,
"Generate_webpage_certificate failed: %d", ret);
- privoxy_mutex_unlock(&(certificates_mutexes[cert_mutex_id]));
+ privoxy_mutex_unlock(&certificate_mutex);
ret = -1;
goto exit;
}
- privoxy_mutex_unlock(&(certificates_mutexes[cert_mutex_id]));
+ privoxy_mutex_unlock(&certificate_mutex);
/*
* Seed the RNG
* Handshake with server
*/
log_error(LOG_LEVEL_CONNECT,
- "Performing the TLS/SSL handshake with server");
+ "Performing the TLS/SSL handshake with the server");
while ((ret = mbedtls_ssl_handshake(&(csp->mbedtls_server_attr.ssl))) != 0)
{
if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
{
- log_error(LOG_LEVEL_ERROR,
- "Server certificate verification failed: %s", err_buf);
+ char reason[INVALID_CERT_INFO_BUF_SIZE];
+
csp->server_cert_verification_result =
mbedtls_ssl_get_verify_result(&(csp->mbedtls_server_attr.ssl));
+ mbedtls_x509_crt_verify_info(reason, sizeof(reason), "",
+ csp->server_cert_verification_result);
+ /* Log the reason without the trailing new line */
+ log_error(LOG_LEVEL_ERROR,
+ "The X509 certificate verification failed: %N",
+ strlen(reason)-1, reason);
ret = -1;
}
else
* function, we change fd to -1, which is the same what does
* rest of mbedtls_net_free function.
*/
- csp->mbedtls_client_attr.socket_fd.fd = -1;
+ csp->mbedtls_server_attr.socket_fd.fd = -1;
mbedtls_x509_crt_free(&(csp->mbedtls_server_attr.ca_cert));
mbedtls_ssl_free(&(csp->mbedtls_server_attr.ssl));
}
-/*********************************************************************
- *
- * Function : get_certificate_mutex_id
- *
- * Description : Computes mutex id from host name hash. This hash must
- * be already saved in csp structure
- *
- * Parameters :
- * 1 : csp = Current client state (buffers, headers, etc...)
- *
- * Returns : Mutex id for given host name
- *
- *********************************************************************/
-static unsigned int get_certificate_mutex_id(struct client_state *csp) {
-#ifdef LIMIT_MUTEX_NUMBER
- return (unsigned int)(csp->http->hash_of_host[0] % 32);
-#else
- return (unsigned int)(csp->http->hash_of_host[1]
- + 256 * (int)csp->http->hash_of_host[0]);
-#endif /* LIMIT_MUTEX_NUMBER */
-}
-
-
/*********************************************************************
*
* Function : get_certificate_serial
* Returns : Serial number for new certificate
*
*********************************************************************/
-static unsigned long get_certificate_serial(struct client_state *csp) {
+static unsigned long get_certificate_serial(struct client_state *csp)
+{
unsigned long exp = 1;
unsigned long serial = 0;
int ret = 0;
#if !defined(MBEDTLS_MD5_C)
- log_error(LOG_LEVEL_ERROR, "MBEDTLS_MD5_C is not defined. Can't create"
- "MD5 hash for certificate and key name.");
- return -1;
+#error mbedTLS needs to be compiled with md5 support
#else
memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host));
mbedtls_md5((unsigned char *)csp->http->host, strlen(csp->http->host),