X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=openssl.c;h=685995f763b1cfd71b1054ed76aa421d428d0db1;hp=8239e3362e8e04c4b30d17f9d075aa1bcad2db33;hb=df3009593f549a975ecb66a475a34be3e3014834;hpb=292734022187241c1a0348050df15ea806a8e363

diff --git a/openssl.c b/openssl.c
index 8239e336..685995f7 100644
--- a/openssl.c
+++ b/openssl.c
@@ -3,7 +3,8 @@
  * File        :  $Source: /cvsroot/ijbswa/current/openssl.c,v $
  *
  * Purpose     :  File with TLS/SSL extension. Contains methods for
- *                creating, using and closing TLS/SSL connections.
+ *                creating, using and closing TLS/SSL connections
+ *                using OpenSSL (or LibreSSL).
  *
  * Copyright   :  Written by and Copyright (c) 2020 Maxim Antonov <mantonov@gmail.com>
  *                Copyright (C) 2017 Vaclav Svec. FIT CVUT.
@@ -61,7 +62,7 @@
 static int generate_host_certificate(struct client_state *csp);
 static void free_client_ssl_structures(struct client_state *csp);
 static void free_server_ssl_structures(struct client_state *csp);
-static int ssl_store_cert(struct client_state *csp, X509* crt);
+static int ssl_store_cert(struct client_state *csp, X509 *crt);
 static void log_ssl_errors(int debuglevel, const char* fmt, ...) __attribute__((format(printf, 2, 3)));
 
 static int ssl_inited = 0;
@@ -265,14 +266,14 @@ extern int ssl_recv_data(struct ssl_attr *ssl_attr, unsigned char *buf, size_t m
  * Returns     :  0 on success and negative value on error
  *
  *********************************************************************/
-static int ssl_store_cert(struct client_state *csp, X509* crt)
+static int ssl_store_cert(struct client_state *csp, X509 *crt)
 {
-   long len = 0;
+   long len;
    struct certs_chain  *last = &(csp->server_certs_chain);
    int ret = 0;
    BIO *bio = BIO_new(BIO_s_mem());
    EVP_PKEY *pkey = NULL;
-   char *bio_mem_data = 0;
+   char *bio_mem_data = NULL;
    char *encoded_text;
    long l;
    const ASN1_INTEGER *bs;
@@ -283,7 +284,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
 
    if (!bio)
    {
-      log_ssl_errors(LOG_LEVEL_ERROR, "BIO_new_mem_buf() failed");
+      log_ssl_errors(LOG_LEVEL_ERROR, "BIO_new() failed");
       return -1;
    }
 
@@ -301,7 +302,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
    last->next = malloc_or_die(sizeof(struct certs_chain));
    last->next->next = NULL;
    memset(last->next->info_buf, 0, sizeof(last->next->info_buf));
-   memset(last->next->file_buf, 0, sizeof(last->next->file_buf));
+   last->next->file_buf = NULL;
 
    /*
     * Saving certificate file into buffer
@@ -315,20 +316,23 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
 
    len = BIO_get_mem_data(bio, &bio_mem_data);
 
-   if (len > (sizeof(last->file_buf) - 1))
+   last->file_buf = malloc((size_t)len + 1);
+   if (last->file_buf == NULL)
    {
       log_error(LOG_LEVEL_ERROR,
-         "X509 PEM cert len %ld is larger than buffer len %lu",
-         len, sizeof(last->file_buf) - 1);
-      len = sizeof(last->file_buf) - 1;
+         "Failed to allocate %lu bytes to store the X509 PEM certificate",
+         len + 1);
+      ret = -1;
+      goto exit;
    }
 
    strncpy(last->file_buf, bio_mem_data, (size_t)len);
+   last->file_buf[len] = '\0';
    BIO_free(bio);
    bio = BIO_new(BIO_s_mem());
    if (!bio)
    {
-      log_ssl_errors(LOG_LEVEL_ERROR, "BIO_new_mem_buf() failed");
+      log_ssl_errors(LOG_LEVEL_ERROR, "BIO_new() failed");
       ret = -1;
       goto exit;
    }
@@ -387,7 +391,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
          ul = (unsigned long)l;
          neg = "";
       }
-      if (BIO_printf(bio, " %s%lu (%s0x%lx)\n", neg, ul, neg, ul) <= 0)
+      if (BIO_printf(bio, "%s%lu (%s0x%lx)\n", neg, ul, neg, ul) <= 0)
       {
          log_ssl_errors(LOG_LEVEL_ERROR, "BIO_printf() for serial failed");
          ret = -1;
@@ -500,8 +504,12 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
       case EVP_PKEY_DSA:
          ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "DSA key size", EVP_PKEY_bits(pkey));
          break;
+      case EVP_PKEY_EC:
+         ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "EC key size", EVP_PKEY_bits(pkey));
+         break;
       default:
-         ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "non-RSA/DSA key size", EVP_PKEY_bits(pkey));
+         ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "non-RSA/DSA/EC key size",
+            EVP_PKEY_bits(pkey));
          break;
    }
    if (ret <= 0)
@@ -656,7 +664,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
    len = BIO_get_mem_data(bio, &bio_mem_data);
    if (len <= 0)
    {
-      log_error(LOG_LEVEL_ERROR, "BIO_get_mem_data() returned %d "
+      log_error(LOG_LEVEL_ERROR, "BIO_get_mem_data() returned %ld "
          "while gathering certificate information", len);
       ret = -1;
       goto exit;
@@ -869,7 +877,9 @@ extern int create_client_ssl_connection(struct client_state *csp)
        goto exit;
    }
 
-   log_error(LOG_LEVEL_CONNECT, "Client successfully connected over TLS/SSL");
+   log_error(LOG_LEVEL_CONNECT, "Client successfully connected over %s (%s).",
+      SSL_get_version(ssl), SSL_get_cipher_name(ssl));
+
    csp->ssl_with_client_is_opened = 1;
    ret = 0;
 
@@ -1145,6 +1155,11 @@ extern int create_server_ssl_connection(struct client_state *csp)
       goto exit;
    }
 
+   /*
+    * XXX: Do we really have to do this always?
+    *      Probably it's sufficient to do if the verification fails
+    *      in which case we're sending the certificates to the client.
+    */
    chain = SSL_get_peer_cert_chain(ssl);
    if (chain)
    {
@@ -1179,7 +1194,8 @@ extern int create_server_ssl_connection(struct client_state *csp)
       }
    }
 
-   log_error(LOG_LEVEL_CONNECT, "Server successfully connected over TLS/SSL");
+   log_error(LOG_LEVEL_CONNECT, "Server successfully connected over %s (%s).",
+     SSL_get_version(ssl), SSL_get_cipher_name(ssl));
 
    /*
     * Server certificate chain is valid, so we can clean
@@ -1286,7 +1302,7 @@ static void log_ssl_errors(int debuglevel, const char* fmt, ...)
 extern int ssl_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
                              const unsigned char *src, size_t slen)
 {
-   *olen = 4 * ((slen/3)  + ((slen%3) ? 1 : 0)) + 1;
+   *olen = 4 * ((slen/3) + ((slen%3) ? 1 : 0)) + 1;
    if (*olen > dlen)
    {
       return ENOBUFS;
@@ -1572,7 +1588,7 @@ exit:
  *                   pointer to certificate instance otherwise
  *
  *********************************************************************/
-static X509* ssl_certificate_load(const char *cert_path)
+static X509 *ssl_certificate_load(const char *cert_path)
 {
    X509 *cert = NULL;
    FILE *cert_f = NULL;
@@ -1743,6 +1759,8 @@ static int generate_host_certificate(struct client_state *csp)
    cert_options cert_opt;
    char cert_valid_from[VALID_DATETIME_BUFLEN];
    char cert_valid_to[VALID_DATETIME_BUFLEN];
+   const char *common_name;
+   enum { CERT_PARAM_COMMON_NAME_MAX = 64 };
 
    /* Paths to keys and certificates needed to create certificate */
    cert_opt.issuer_key  = NULL;
@@ -1853,13 +1871,20 @@ static int generate_host_certificate(struct client_state *csp)
    subject_name = X509_NAME_new();
    if (!subject_name)
    {
-      log_ssl_errors(LOG_LEVEL_ERROR, "RSA key memory allocation failure");
+      log_ssl_errors(LOG_LEVEL_ERROR, "X509 memory allocation failure");
       ret = -1;
       goto exit;
    }
 
+   /*
+    * Make sure OpenSSL doesn't reject the common name due to its length.
+    * The clients should only care about the Subject Alternative Name anyway
+    * and we always use the real host name for that.
+    */
+   common_name = (strlen(csp->http->host) > CERT_PARAM_COMMON_NAME_MAX) ?
+      CGI_SITE_2_HOST : csp->http->host;
    if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_COMMON_NAME_FCODE,
-         MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+         MBSTRING_ASC, (void *)common_name, -1, -1, 0))
    {
       log_ssl_errors(LOG_LEVEL_ERROR,
          "X509 subject name (code: %s, val: %s) error",
@@ -1868,7 +1893,7 @@ static int generate_host_certificate(struct client_state *csp)
       goto exit;
    }
    if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORGANIZATION_FCODE,
-         MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+         MBSTRING_ASC, (void *)common_name, -1, -1, 0))
    {
       log_ssl_errors(LOG_LEVEL_ERROR,
          "X509 subject name (code: %s, val: %s) error",
@@ -1877,7 +1902,7 @@ static int generate_host_certificate(struct client_state *csp)
       goto exit;
    }
    if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORG_UNIT_FCODE,
-         MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+         MBSTRING_ASC, (void *)common_name, -1, -1, 0))
    {
       log_ssl_errors(LOG_LEVEL_ERROR,
          "X509 subject name (code: %s, val: %s) error",
@@ -1890,7 +1915,7 @@ static int generate_host_certificate(struct client_state *csp)
    {
       log_ssl_errors(LOG_LEVEL_ERROR,
          "X509 subject name (code: %s, val: %s) error",
-         CERT_PARAM_COUNTRY_FCODE, csp->http->host);
+         CERT_PARAM_COUNTRY_FCODE, CERT_PARAM_COUNTRY_CODE);
       ret = -1;
       goto exit;
    }