X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=ssl.c;h=85701ce03a47fe6b1b88b8d0700fa18b4365e230;hp=0bb549bff7652bf5fc47753b9d3aa1488a644740;hb=4a7bcb1cedd46a7adf0fe09e99ae7b15300d6c78;hpb=9c5023572da8d77913f62358f46fc6e053085909
diff --git a/ssl.c b/ssl.c
index 0bb549bf..85701ce0 100644
--- a/ssl.c
+++ b/ssl.c
@@ -28,6 +28,7 @@ *
 *********************************************************************/
+#include
 #include
 #include
@@ -260,6 +261,69 @@ extern int ssl_send_data(mbedtls_ssl_context *ssl, const unsigned char *buf, siz
 }
+/*********************************************************************
+ *
+ * Function : ssl_send_data_delayed
+ *
+ * Description : Sends the contents of buf (for n bytes) to given SSL
+ * connection, optionally delaying the operation.
+ *
+ * Parameters :
+ * 1 : ssl = SSL context to send data to
+ * 2 : buf = Pointer to data to be sent
+ * 3 : len = Length of data to be sent to the SSL context
+ * 4 : delay = Delay in milliseconds.
+ *
+ * Returns : 0 on success (entire buffer sent).
+ * nonzero on error.
+ *
+ *********************************************************************/
+extern int ssl_send_data_delayed(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len,
+ unsigned int delay)
+{
+ size_t i = 0;
+
+ if (delay == 0)
+ {
+ if (ssl_send_data(ssl, buf, len) < 0)
+ {
+ return -1;
+ }
+ else
+ {
+ return 0;
+ }
+ }
+
+ while (i < len)
+ {
+ size_t write_length;
+ enum { MAX_WRITE_LENGTH = 10 };
+
+ if ((i + MAX_WRITE_LENGTH) > len)
+ {
+ write_length = len - i;
+ }
+ else
+ {
+ write_length = MAX_WRITE_LENGTH;
+ }
+
+ privoxy_millisleep(delay);
+
+ if (ssl_send_data(ssl, buf + i, write_length) < 0)
+ {
+ return -1;
+ }
+ i += write_length;
+ }
+
+ return 0;
+
+}
+
+
 /*********************************************************************
 *
 * Function : ssl_recv_data
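Review bot: The header comment of ssl_send_data_delayed does not say that a non-zero delay splits the buffer into chunks of MAX_WRITE_LENGTH (10) bytes and calls privoxy_millisleep(delay) before every chunk, including the first, so a caller cannot see that sending len bytes takes roughly ((len + 9) / 10) * delay milliseconds and that each chunk is a separate ssl_send_data() call. Add that to the Description, e.g. `* With a non-zero delay the data is sent in chunks of MAX_WRITE_LENGTH bytes, sleeping delay ms before each chunk.`, and change "for n bytes" to "for len bytes" so it matches the parameter name. The delay == 0 branch can be a single line, `return (ssl_send_data(ssl, buf, len) < 0) ? -1 : 0;`. The MAX_WRITE_LENGTH enum would also be easier to find at file scope than inside the loop body.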
@@ -1274,17 +1338,16 @@ static int generate_certificate_valid_date(time_t time_spec, char *buffer, size_t buffer_size)
 {
 struct tm valid_date;
+ struct tm *timeptr;
 size_t ret;
-#ifndef HAVE_GMTIME_R
-#error HTTP inspection currently requires gmtime_r() which seems to be missing
-#endif
- if (NULL == gmtime_r(&time_spec, &valid_date))
+ timeptr = privoxy_gmtime_r(&time_spec, &valid_date);
+ if (NULL == timeptr)
 {
 return 1;
 }
- ret = strftime(buffer, buffer_size, "%Y%m%d%H%M%S", &valid_date);
+ ret = strftime(buffer, buffer_size, "%Y%m%d%H%M%S", timeptr);
 if (ret != 14)
 {
 return 1;
@@ -1457,6 +1520,50 @@ exit:
 }
+
+/*********************************************************************
+ *
+ * Function : host_is_ip_address
+ *
+ * Description : Checks whether or not a host is specified by
+ * IP address. Does not actually validate the
+ * address.
+ *
+ * Parameters :
+ * 1 : host = The host name to check
+ *
+ * Returns : 1 => Yes
+ * 0 => No
+ *
+ *********************************************************************/
+static int host_is_ip_address(const char *host)
+{
+ const char *p;
+
+ if (NULL != strstr(host, ":"))
+ {
+ /* Assume an IPv6 address. */
+ return 1;
+ }
+
+ for (p = host; *p; p++)
+ {
+ if ((*p != '.') && !privoxy_isdigit(*p))
+ {
+ /* Not a dot or digit so it can't be an IPv4 address. */
+ return 0;
+ }
+ }
+
+ /*
+ * Host only consists of dots and digits so
+ * assume that is an IPv4 address.
+ */
+ return 1;
+
+}
+
+
 /*********************************************************************
 *
 * Function : generate_webpage_certificate
@@ -1832,7 +1939,8 @@ static int generate_webpage_certificate(struct client_state *csp)
 }
 #endif /* MBEDTLS_SHA1_C */
- if (set_subject_alternative_name(&cert, csp->http->host))
+ if (!host_is_ip_address(csp->http->host) &&
+ set_subject_alternative_name(&cert, csp->http->host))
 {
 /* Errors are already logged by set_subject_alternative_name() */
 ret = -1;
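Review bot: Replacing the `#ifndef HAVE_GMTIME_R`/`#error` guard with privoxy_gmtime_r() removes the only statement of the reentrancy requirement, and handing timeptr rather than &valid_date to strftime() suggests the wrapper may return something other than &valid_date on platforms without gmtime_r(); whether that is a static buffer shared between threads cannot be seen from this hunk. A comment at the call should say what the wrapper guarantees, e.g. `/* privoxy_gmtime_r() fills valid_date, or returns gmtime()'s buffer where gmtime_r() is missing */`, adjusted to the actual implementation. The `ret != 14` test is unchanged, but 14 is simply the length strftime() produces for "%Y%m%d%H%M%S" and a named constant would make that visible. The function's signature is in the hunk header and its body continues past the hunk.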
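Review bot: host_is_ip_address() returns 1 for an empty string, because the for loop never executes and control falls through to the dots-and-digits case; if the caller can ever pass an empty host, set_subject_alternative_name() is then skipped for a name that is not an address. A guard before the loop, `if (*host == '\0') return 0;`, closes that. `strstr(host, ":")` searches for a single character and reads more naturally as `strchr(host, ':')`. Whether privoxy_isdigit() casts to unsigned char before calling isdigit() is not visible here; if it does not, a byte with the high bit set in *p is undefined behaviour, which would be worth a note in the comment.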
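Review bot: With the new condition an IP-literal host gets a certificate with no subjectAltName at all, presumably because set_subject_alternative_name() only writes a dNSName entry, which would be the wrong type for an address; clients that insist on an iPAddress SAN instead of falling back to the CN will reject such a certificate. That limitation should be recorded next to the condition, e.g. `/* IP literals get no SAN: the helper only emits dNSName entries */`, adjusted if the helper can emit other SAN types. The rest of generate_webpage_certificate() lies outside the hunk.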
@@ -2002,7 +2110,12 @@ extern void ssl_send_certificate_error(struct client_state *csp) "HTTP/1.1 200 OK\r\n" "Content-Type: text/html\r\n" "Connection: close\r\n\r\n" - "

Server certificate verification failed

Reason: "; + "\n" + "Server certificate verification failed\n" + "

Server certificate verification failed

\n" + "

Privoxy was unable " + "to securely connnect to the destination server.

" + "

Reason: "; const char message_end[] = "\r\n\r\n"; char reason[INVALID_CERT_INFO_BUF_SIZE]; memset(reason, 0, sizeof(reason));
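Review bot: The added page text `"to securely connnect to the destination server."` misspells "connect" with three n's; it is a user-facing string, so the literal itself should be corrected to `"to securely connect to the destination server."`. The HTML tags of the added lines did not survive extraction here, so the markup around them could not be reviewed. Whatever is written after the "Reason: " literal lands inside an HTML body; if any of it is taken from the peer certificate, it needs HTML escaping before it is sent, and this hunk does not show how reason is filled. The function continues past the hunk.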