X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=ssl.c;h=a7f92ebd73d117510529cb74b81a39cff2493277;hp=194092b2ae40a227878d38a62362b37e2120dfbc;hb=c2f9616484d244750f40356a62b456ed50450da5;hpb=d6f2d069a7d978d9f27f9f2d82a64cd48a4d96d8
diff --git a/ssl.c b/ssl.c
index 194092b2..a7f92ebd 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1,32 +1,32 @@ /********************************************************************* -* -* File : $Source: /cvsroot/ijbswa/current/ssl.c,v $ -* -* Purpose : File with TLS/SSL extension. Contains methods for -* creating, using and closing TLS/SSL connections. -* -* Copyright : Written by and Copyright (c) 2017 Vaclav Svec. FIT CVUT. -* Copyright (C) 2018-2019 by Fabian Keil -* -* This program is free software; you can redistribute it -* and/or modify it under the terms of the GNU General -* Public License as published by the Free Software -* Foundation; either version 2 of the License, or (at -* your option) any later version. -* -* This program is distributed in the hope that it will -* be useful, but WITHOUT ANY WARRANTY; without even the -* implied warranty of MERCHANTABILITY or FITNESS FOR A -* PARTICULAR PURPOSE. See the GNU General Public -* License for more details. -* -* The GNU General Public License should be included with -* this file. If not, you can view it at -* http://www.gnu.org/copyleft/gpl.html -* or write to the Free Software Foundation, Inc., 59 -* Temple Place - Suite 330, Boston, MA 02111-1307, USA. -* -*********************************************************************/ + * + * File : $Source: /cvsroot/ijbswa/current/ssl.c,v $ + * + * Purpose : File with TLS/SSL extension. Contains methods for + * creating, using and closing TLS/SSL connections. + * + * Copyright : Written by and Copyright (c) 2017 Vaclav Svec. FIT CVUT. + * Copyright (C) 2018-2019 by Fabian Keil + * + * This program is free software; you can redistribute it + * and/or modify it under the terms of the GNU General + * Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will + * be useful, but WITHOUT ANY WARRANTY; without even the + * implied warranty of MERCHANTABILITY or FITNESS FOR A + * PARTICULAR PURPOSE. 
See the GNU General Public + * License for more details. + * + * The GNU General Public License should be included with + * this file. If not, you can view it at + * http://www.gnu.org/copyleft/gpl.html + * or write to the Free Software Foundation, Inc., 59 + * Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * + *********************************************************************/ #include #include @@ -42,11 +42,11 @@ #include "mbedtls/base64.h" #include "mbedtls/error.h" +#include "config.h" #include "project.h" #include "miscutil.h" #include "errlog.h" #include "jcc.h" -#include "config.h" #include "ssl.h" @@ -66,10 +66,9 @@ #define RSA_KEY_PUBLIC_EXPONENT 65537 /* Public exponent for RSA private key generating */ #define RSA_KEYSIZE 2048 /* Size of generated RSA keys */ #define GENERATED_CERT_VALID_FROM "20100101000000" /* Date and time, which will be set in generated certificates as parameter valid from */ -#define GENERATED_CERT_VALID_TO "20401231235959" /* Date and time, which will be setted in generated certificates as parameter valid to */ +#define GENERATED_CERT_VALID_TO "20401231235959" /* Date and time, which will be set in generated certificates as parameter valid to */ #define CERT_SIGNATURE_ALGORITHM MBEDTLS_MD_SHA256 /* The MD algorithm to use for the signature */ #define CERT_SERIAL_NUM_LENGTH 4 /* Bytes of hash to be used for creating serial number of certificate. Min=2 and max=16 */ -#define LIMIT_MUTEX_NUMBER /* If this macro is defined, mutexes count for generating private keys is changed from 65536 to 32 */ #define INVALID_CERT_INFO_BUF_SIZE 2048 /* Size of buffer for message with information about reason of certificate invalidity. Data after the end of buffer will not be saved */ #define CERT_PARAM_COMMON_NAME "CN=" #define CERT_PARAM_ORGANIZATION ",O=" 
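Review bot: Removing `#define LIMIT_MUTEX_NUMBER` in the `@@ -66,10 +66,9 @@` hunk flips every `#ifdef LIMIT_MUTEX_NUMBER` in this file to its other branch unless the macro is now defined in a header that ssl.c includes. The removed comment says the macro lowers the key-generation mutex count from 65536 to 32, and the code that uses it lies outside this hunk. Please confirm the definition moved rather than vanished (the include reorder that puts `config.h` first may be related), and that the code sizing the mutex array and the code indexing it see the same setting. If it did move, a pointer at the old location would help, for example `/* LIMIT_MUTEX_NUMBER is defined in <HEADER-PLACEHOLDER> */`.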
@@ -108,9 +107,9 @@ typedef struct { char *key_file_path; /* filename of the key file */ } key_options; -extern int generate_webpage_certificate(struct client_state * csp); -static char * make_certs_path(const char * conf_dir, const char * file_name, const char * suffix); -static int file_exists(const char * path); +static int generate_webpage_certificate(struct client_state *csp); +static char *make_certs_path(const char *conf_dir, const char *file_name, const char *suffix); +static int file_exists(const char *path); static int host_to_hash(struct client_state *csp); static int ssl_verify_callback(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags); static void free_certificate_chain(struct client_state *csp); @@ -161,18 +160,18 @@ extern int server_use_ssl(const struct client_state *csp) /********************************************************************* -* -* Function : is_ssl_pending -* -* Description : Tests if there are some waitting data on ssl connection -* -* Parameters : -* 1 : ssl = SSL context to test -* -* Returns : 0 => No data are pending -* >0 => Pending data length -* -*********************************************************************/ + * + * Function : is_ssl_pending + * + * Description : Tests if there are some waiting data on ssl connection + * + * Parameters : + * 1 : ssl = SSL context to test + * + * Returns : 0 => No data are pending + * >0 => Pending data length + * + *********************************************************************/ extern size_t is_ssl_pending(mbedtls_ssl_context *ssl) { if (ssl == NULL) @@ -242,7 +241,6 @@ extern int ssl_send_data(mbedtls_ssl_context *ssl, const unsigned char *buf, siz { char err_buf[ERROR_BUF_SIZE]; - memset(err_buf, 0, sizeof(err_buf)); mbedtls_strerror(ret, err_buf, sizeof(err_buf)); log_error(LOG_LEVEL_ERROR, "Sending data over TLS/SSL failed: %s", err_buf); 
@@ -291,7 +289,6 @@ extern int ssl_recv_data(mbedtls_ssl_context *ssl, unsigned char *buf, size_t ma { char err_buf[ERROR_BUF_SIZE]; - memset(err_buf, 0, sizeof(err_buf)); mbedtls_strerror(ret, err_buf, sizeof(err_buf)); log_error(LOG_LEVEL_ERROR, "Receiving data over TLS/SSL failed: %s", err_buf); @@ -386,8 +383,6 @@ extern int create_client_ssl_connection(struct client_state *csp) int ret = 0; char err_buf[ERROR_BUF_SIZE]; - memset(err_buf, 0, sizeof(err_buf)); - /* * Initializing mbedtls structures for TLS/SSL connection */ @@ -680,8 +675,6 @@ extern int create_server_ssl_connection(struct client_state *csp) char *trusted_cas_file = NULL; int auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED; - memset(err_buf, 0, sizeof(err_buf)); - csp->server_cert_verification_result = SSL_CERT_NOT_VERIFIED; csp->server_certs_chain.next = NULL; @@ -694,7 +687,7 @@ extern int create_server_ssl_connection(struct client_state *csp) mbedtls_net_init(&(csp->mbedtls_server_attr.socket_fd)); mbedtls_ssl_init(&(csp->mbedtls_server_attr.ssl)); mbedtls_ssl_config_init(&(csp->mbedtls_server_attr.conf)); - mbedtls_x509_crt_init( &(csp->mbedtls_server_attr.ca_cert)); + mbedtls_x509_crt_init(&(csp->mbedtls_server_attr.ca_cert)); /* * Setting socket fd in mbedtls_net_context structure. This structure @@ -962,11 +955,10 @@ static int write_certificate(mbedtls_x509write_cert *crt, const char *output_fil int ret = 0; char err_buf[ERROR_BUF_SIZE]; - memset(err_buf, 0, sizeof(err_buf)); memset(cert_buf, 0, sizeof(cert_buf)); /* - * Writing certificate into PEM string. If buffer is too small, fuction + * Writing certificate into PEM string. If buffer is too small, function * returns specific error and no buffer overflow can happen. */ if ((ret = mbedtls_x509write_crt_pem(crt, cert_buf, 
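Review bot: With `memset(err_buf, 0, sizeof(err_buf));` removed in create_client_ssl_connection, `err_buf` is indeterminate until `mbedtls_strerror()` fills it, and the places where it is logged lie outside the hunk. In ssl_send_data and ssl_recv_data the `mbedtls_strerror()` call is visible directly before `log_error`. The same removal in create_server_ssl_connection, write_certificate, write_private_key, generate_key, generate_webpage_certificate and seed_rng needs a check that every error path calls `mbedtls_strerror()` before `err_buf` reaches a `%s`, otherwise uninitialized stack bytes end up in the log. A short comment at each declaration would record the invariant: `/* err_buf is only valid after mbedtls_strerror() has filled it */`.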
@@ -1030,18 +1022,8 @@ static int write_private_key(mbedtls_pk_context *key, unsigned char **ret_buf, int ret = 0; char err_buf[ERROR_BUF_SIZE]; - memset(err_buf, 0, sizeof(err_buf)); - /* Initializing buffer for key file content */ - *ret_buf = (unsigned char *)malloc(PRIVATE_KEY_BUF_SIZE + 1); - if (*ret_buf == NULL) - { - log_error(LOG_LEVEL_ERROR, - "Creating buffer for private key failed: malloc fail"); - ret = -1; - goto exit; - } - memset(*ret_buf, 0, PRIVATE_KEY_BUF_SIZE + 1); + *ret_buf = zalloc_or_die(PRIVATE_KEY_BUF_SIZE + 1); /* * Writing private key into PEM string @@ -1119,7 +1101,6 @@ static int generate_key(unsigned char **key_buf, struct client_state *csp) char err_buf[ERROR_BUF_SIZE]; key_opt.key_file_path = NULL; - memset(err_buf, 0, sizeof(err_buf)); /* * Initializing structures for key generating @@ -1218,11 +1199,11 @@ exit: * 1 : csp = Current client state (buffers, headers, etc...) * * Returns : -1 => Error while creating certificate. - * 0 => Certificate alreaday exist. + * 0 => Certificate already exists. * >0 => Length of created certificate. * *********************************************************************/ -extern int generate_webpage_certificate(struct client_state * csp) +static int generate_webpage_certificate(struct client_state *csp) { mbedtls_x509_crt issuer_cert; mbedtls_pk_context loaded_issuer_key, loaded_subject_key; @@ -1237,8 +1218,6 @@ extern int generate_webpage_certificate(struct client_state * csp) char err_buf[ERROR_BUF_SIZE]; cert_options cert_opt; - memset(err_buf, 0, sizeof(err_buf)); - /* Paths to keys and certificates needed to create certificate */ cert_opt.issuer_key = NULL; cert_opt.subject_key = NULL; 
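Review bot: The buffer allocated with `zalloc_or_die(PRIVATE_KEY_BUF_SIZE + 1)` in write_private_key is handed to the caller through `ret_buf` and, per the comment that follows, receives the private key as a PEM string, yet nothing in the hunk says who frees it or that it should be cleared first. I would document that at the allocation: `/* Caller owns *ret_buf; it holds the private key in PEM form and should be wiped before free() */`. With the malloc failure branch gone, the function header (outside this hunk) may still list an allocation error among the -1 cases and would then need the same update.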
@@ -1259,7 +1238,7 @@ extern int generate_webpage_certificate(struct client_state * csp) * Initializing structures for certificate generating */ mbedtls_x509write_crt_init(&cert); - mbedtls_x509write_crt_set_md_alg( &cert, CERT_SIGNATURE_ALGORITHM); + mbedtls_x509write_crt_set_md_alg(&cert, CERT_SIGNATURE_ALGORITHM); mbedtls_pk_init(&loaded_issuer_key); mbedtls_pk_init(&loaded_subject_key); mbedtls_mpi_init(&serial); @@ -1428,8 +1407,8 @@ extern int generate_webpage_certificate(struct client_state * csp) if (!mbedtls_pk_can_do(&issuer_cert.pk, MBEDTLS_PK_RSA) || mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->N, &mbedtls_pk_rsa(*issuer_key)->N) != 0 || - mbedtls_mpi_cmp_mpi( &mbedtls_pk_rsa(issuer_cert.pk)->E, - &mbedtls_pk_rsa(*issuer_key )->E) != 0) + mbedtls_mpi_cmp_mpi(&mbedtls_pk_rsa(issuer_cert.pk)->E, + &mbedtls_pk_rsa(*issuer_key)->E) != 0) { log_error(LOG_LEVEL_ERROR, "Issuer key doesn't match issuer certificate"); @@ -1606,13 +1585,7 @@ static char *make_certs_path(const char *conf_dir, const char *file_name, * absolute path to cwd. */ path_size += strlen(basedir) + 2; - path = (char *)malloc(path_size); - if (path == NULL) - { - log_error(LOG_LEVEL_ERROR, "make_certs_path failed: malloc fail"); - return NULL; - } - memset(path, 0, path_size); + path = zalloc_or_die(path_size); strlcpy(path, basedir, path_size); strlcat(path, delim, path_size); @@ -1624,13 +1597,7 @@ static char *make_certs_path(const char *conf_dir, const char *file_name, else #endif /* defined unix */ { - path = (char *)malloc(path_size); - if (path == NULL) - { - log_error(LOG_LEVEL_ERROR, "make_certs_path failed: malloc fail"); - return NULL; - } - memset(path, 0, path_size); + path = zalloc_or_die(path_size); strlcpy(path, conf_dir, path_size); strlcat(path, delim, path_size); 
@@ -1804,7 +1771,7 @@ extern void ssl_send_certificate_error(struct client_state *csp) ssl_send_data(&(csp->mbedtls_client_attr.ssl), (const unsigned char *)message, strlen(message)); /* - * Waiting before closing connection. Some browsers doesn't show received + * Waiting before closing connection. Some browsers don't show received * message if there isn't this delay. */ sleep(1); @@ -1850,38 +1817,28 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt, /* * Preparing next item in linked list for next certificate - * If malloc fails, we are continuing without this certificate */ - last->next = (struct certs_chain *)malloc(sizeof(struct certs_chain)); - if (last->next != NULL) - { - last->next->next = NULL; - memset(last->next->text_buf, 0, sizeof(last->next->text_buf)); - memset(last->next->file_buf, 0, sizeof(last->next->file_buf)); - - /* - * Saving certificate file into buffer - */ - if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_CRT, PEM_END_CRT, - crt->raw.p, crt->raw.len, (unsigned char *)last->file_buf, - sizeof(last->file_buf)-1, &olen)) != 0) - { - return(ret); - } + last->next = malloc_or_die(sizeof(struct certs_chain)); + last->next->next = NULL; + memset(last->next->text_buf, 0, sizeof(last->next->text_buf)); + memset(last->next->file_buf, 0, sizeof(last->next->file_buf)); - /* - * Saving certificate information into buffer - */ - mbedtls_x509_crt_info(last->text_buf, sizeof(last->text_buf) - 1, - CERT_INFO_PREFIX, crt); - } - else + /* + * Saving certificate file into buffer + */ + if ((ret = mbedtls_pem_write_buffer(PEM_BEGIN_CRT, PEM_END_CRT, + crt->raw.p, crt->raw.len, (unsigned char *)last->file_buf, + sizeof(last->file_buf)-1, &olen)) != 0) { - log_error(LOG_LEVEL_ERROR, - "Malloc memory for server certificate informations failed"); - return -1; + return(ret); } + /* + * Saving certificate information into buffer + */ + mbedtls_x509_crt_info(last->text_buf, sizeof(last->text_buf) - 1, + CERT_INFO_PREFIX, crt); + return 0; } 
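Review bot: Switching ssl_verify_callback to `malloc_or_die(sizeof(struct certs_chain))` means an allocation failure while recording the server's chain now ends the whole process instead of failing this one handshake with `return -1`, assuming malloc_or_die terminates as its name suggests. The callback appears to run once per certificate the remote server presents, and each node carries both `text_buf` and `file_buf`, so the memory pressure is partly under the peer's control. If process exit is the intended policy, say so where the old "continuing without this certificate" comment was removed, for example `/* Allocation failure is fatal here (malloc_or_die); the handshake is not failed gracefully */`. Separately, the return value of `mbedtls_x509_crt_info()` is still ignored, so a truncated or failed description is stored without a log line. The start of the function is outside the hunk.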
@@ -1907,7 +1864,7 @@ static void free_certificate_chain(struct client_state *csp) /* Cleaning buffers */ memset(csp->server_certs_chain.text_buf, 0, sizeof(csp->server_certs_chain.text_buf)); - memset(csp->server_certs_chain.text_buf, 0, + memset(csp->server_certs_chain.file_buf, 0, sizeof(csp->server_certs_chain.file_buf)); csp->server_certs_chain.next = NULL; @@ -1925,18 +1882,18 @@ static void free_certificate_chain(struct client_state *csp) /********************************************************************* -* -* Function : file_exists -* -* Description : Tests if file exists and is readable. -* -* Parameters : -* 1 : path = Path to tested file. -* -* Returns : 1 => File exists and is readable. -* 0 => File doesn't exist or is not readable. -* -*********************************************************************/ + * + * Function : file_exists + * + * Description : Tests if file exists and is readable. + * + * Parameters : + * 1 : path = Path to tested file. + * + * Returns : 1 => File exists and is readable. + * 0 => File doesn't exist or is not readable. + * + *********************************************************************/ static int file_exists(const char *path) { FILE *f; @@ -1964,7 +1921,7 @@ static int file_exists(const char *path) * 0 => Hash created successfully * *********************************************************************/ -static int host_to_hash(struct client_state * csp) +static int host_to_hash(struct client_state *csp) { int ret = 0; @@ -2073,8 +2030,6 @@ static int seed_rng(struct client_state *csp) int ret = 0; char err_buf[ERROR_BUF_SIZE]; - memset(err_buf, 0, sizeof(err_buf)); - if (rng_seeded == 0) { privoxy_mutex_lock(&rng_mutex);