X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=ssl.c;h=e2389f0800ff057285f183f116f0f30246d21de6;hp=649b301d0e890d1d24dd79ed15c6b0a486315b43;hb=416fb84eaeaeaef12a88f4cc5885cf0ec7f74dd7;hpb=5740519e561441eb4addaf571ffbf2e3da74c997 diff --git a/ssl.c b/ssl.c index 649b301d..e2389f08 100644 --- a/ssl.c +++ b/ssl.c @@ -28,6 +28,7 @@ * *********************************************************************/ +#include #include #include @@ -41,6 +42,8 @@ #include "mbedtls/pem.h" #include "mbedtls/base64.h" #include "mbedtls/error.h" +#include "mbedtls/oid.h" +#include "mbedtls/asn1write.h" #include "config.h" #include "project.h" @@ -48,6 +51,7 @@ #include "errlog.h" #include "jcc.h" #include "ssl.h" +#include "encode.h" /* @@ -160,7 +164,10 @@ extern int server_use_ssl(const struct client_state *csp) * * Function : is_ssl_pending * - * Description : Tests if there are some waiting data on ssl connection + * Description : Tests if there are some waiting data on ssl connection. + * Only considers data that has actually been received + * locally and ignores data that is still on the fly + * or has not yet been sent by the remote end. * * Parameters : * 1 : ssl = SSL context to test @@ -254,6 +261,69 @@ extern int ssl_send_data(mbedtls_ssl_context *ssl, const unsigned char *buf, siz } +/********************************************************************* + * + * Function : ssl_send_data_delayed + * + * Description : Sends the contents of buf (for n bytes) to given SSL + * connection, optionally delaying the operation. + * + * Parameters : + * 1 : ssl = SSL context to send data to + * 2 : buf = Pointer to data to be sent + * 3 : len = Length of data to be sent to the SSL context + * 4 : delay = Delay in milliseconds. + * + * Returns : 0 on success (entire buffer sent). + * nonzero on error. + * + *********************************************************************/ +extern int ssl_send_data_delayed(mbedtls_ssl_context *ssl, + const unsigned char *buf, size_t len, + unsigned int delay) +{ + size_t i = 0; + + if (delay == 0) + { + if (ssl_send_data(ssl, buf, len) < 0) + { + return -1; + } + else + { + return 0; + } + } + + while (i < len) + { + size_t write_length; + enum { MAX_WRITE_LENGTH = 10 }; + + if ((i + MAX_WRITE_LENGTH) > len) + { + write_length = len - i; + } + else + { + write_length = MAX_WRITE_LENGTH; + } + + privoxy_millisleep(delay); + + if (ssl_send_data(ssl, buf + i, write_length) < 0) + { + return -1; + } + i += write_length; + } + + return 0; + +} + + /********************************************************************* * * Function : ssl_recv_data @@ -646,7 +716,7 @@ static void free_client_ssl_structures(struct client_state *csp) { /* * We can't use function mbedtls_net_free, because this function - * inter alia close TCP connection on setted fd. Instead of this + * inter alia close TCP connection on set fd. Instead of this * function, we change fd to -1, which is the same what does * rest of mbedtls_net_free function. */ @@ -826,6 +896,7 @@ extern int create_server_ssl_connection(struct client_state *csp) { log_error(LOG_LEVEL_ERROR, "mbedtls_ssl_handshake with server failed: %s", err_buf); + free_certificate_chain(csp); ret = -1; } goto exit; @@ -905,7 +976,7 @@ static void free_server_ssl_structures(struct client_state *csp) { /* * We can't use function mbedtls_net_free, because this function - * inter alia close TCP connection on setted fd. Instead of this + * inter alia close TCP connection on set fd. Instead of this * function, we change fd to -1, which is the same what does * rest of mbedtls_net_free function. */ @@ -1267,17 +1338,16 @@ static int generate_certificate_valid_date(time_t time_spec, char *buffer, size_t buffer_size) { struct tm valid_date; + struct tm *timeptr; size_t ret; -#ifndef HAVE_GMTIME_R -#error HTTP inspection currently requires gmtime_r() which seems to be missing -#endif - if (NULL == gmtime_r(&time_spec, &valid_date)) + timeptr = privoxy_gmtime_r(&time_spec, &valid_date); + if (NULL == timeptr) { return 1; } - ret = strftime(buffer, buffer_size, "%Y%m%d%H%M%S", &valid_date); + ret = strftime(buffer, buffer_size, "%Y%m%d%H%M%S", timeptr); if (ret != 14) { return 1; @@ -1344,6 +1414,159 @@ static int get_certificate_valid_to_date(char *buffer, size_t buffer_size) } +/********************************************************************* + * + * Function : set_subject_alternative_name + * + * Description : Sets the Subject Alternative Name extension to a cert + * + * Parameters : + * 1 : cert = The certificate to modify + * 2 : hostname = The hostname to add + * + * Returns : <0 => Error while creating certificate. + * 0 => It worked + * + *********************************************************************/ +static int set_subject_alternative_name(mbedtls_x509write_cert *cert, const char *hostname) +{ + char err_buf[ERROR_BUF_SIZE]; + int ret; + char *subject_alternative_name; + size_t subject_alternative_name_len; +#define MBEDTLS_SUBJECT_ALTERNATIVE_NAME_MAX_LEN 255 + unsigned char san_buf[MBEDTLS_SUBJECT_ALTERNATIVE_NAME_MAX_LEN + 1]; + unsigned char *c; + int len; + + subject_alternative_name_len = strlen(hostname) + 1; + subject_alternative_name = zalloc_or_die(subject_alternative_name_len); + + strlcpy(subject_alternative_name, hostname, subject_alternative_name_len); + + memset(san_buf, 0, sizeof(san_buf)); + + c = san_buf + sizeof(san_buf); + len = 0; + + ret = mbedtls_asn1_write_raw_buffer(&c, san_buf, + (const unsigned char *)subject_alternative_name, + strlen(subject_alternative_name)); + if (ret < 0) + { + mbedtls_strerror(ret, err_buf, sizeof(err_buf)); + log_error(LOG_LEVEL_ERROR, + "mbedtls_asn1_write_raw_buffer() failed: %s", err_buf); + goto exit; + } + len += ret; + + ret = mbedtls_asn1_write_len(&c, san_buf, strlen(subject_alternative_name)); + if (ret < 0) + { + mbedtls_strerror(ret, err_buf, sizeof(err_buf)); + log_error(LOG_LEVEL_ERROR, + "mbedtls_asn1_write_len() failed: %s", err_buf); + goto exit; + } + len += ret; + + ret = mbedtls_asn1_write_tag(&c, san_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2); + if (ret < 0) + { + mbedtls_strerror(ret, err_buf, sizeof(err_buf)); + log_error(LOG_LEVEL_ERROR, + "mbedtls_asn1_write_tag() failed: %s", err_buf); + goto exit; + } + len += ret; + + ret = mbedtls_asn1_write_len(&c, san_buf, (size_t)len); + if (ret < 0) + { + mbedtls_strerror(ret, err_buf, sizeof(err_buf)); + log_error(LOG_LEVEL_ERROR, + "mbedtls_asn1_write_len() failed: %s", err_buf); + goto exit; + } + len += ret; + + ret = mbedtls_asn1_write_tag(&c, san_buf, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + if (ret < 0) + { + mbedtls_strerror(ret, err_buf, sizeof(err_buf)); + log_error(LOG_LEVEL_ERROR, + "mbedtls_asn1_write_tag() failed: %s", err_buf); + goto exit; + } + len += ret; + + ret = mbedtls_x509write_crt_set_extension(cert, + MBEDTLS_OID_SUBJECT_ALT_NAME, + MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME), + 0, san_buf + sizeof(san_buf) - len, (size_t)len); + if (ret < 0) + { + mbedtls_strerror(ret, err_buf, sizeof(err_buf)); + log_error(LOG_LEVEL_ERROR, + "mbedtls_x509write_crt_set_extension() failed: %s", err_buf); + } + +exit: + freez(subject_alternative_name); + + return ret; + +} + + +/********************************************************************* + * + * Function : host_is_ip_address + * + * Description : Checks whether or not a host is specified by + * IP address. Does not actually validate the + * address. + * + * Parameters : + * 1 : host = The host name to check + * + * Returns : 1 => Yes + * 0 => No + * + *********************************************************************/ +static int host_is_ip_address(const char *host) +{ + const char *p; + + if (NULL != strstr(host, ":")) + { + /* Assume an IPv6 address. */ + return 1; + } + + for (p = host; *p; p++) + { + if (*p != '.') + { + if (!privoxy_isdigit(*p)) + { + /* Not a dot or digit so it can't be an IPv4 address. */ + return 0; + } + } + } + + /* + * Host only consists of dots and digits so + * assume that is an IPv4 address. + */ + return 1; + +} + + /********************************************************************* * * Function : generate_webpage_certificate @@ -1719,6 +1942,14 @@ static int generate_webpage_certificate(struct client_state *csp) } #endif /* MBEDTLS_SHA1_C */ + if (!host_is_ip_address(csp->http->host) && + set_subject_alternative_name(&cert, csp->http->host)) + { + /* Errors are already logged by set_subject_alternative_name() */ + ret = -1; + goto exit; + } + /* * Writing certificate into file */ @@ -1877,12 +2108,17 @@ extern void ssl_send_certificate_error(struct client_state *csp) int ret = 0; struct certs_chain *cert = NULL; - /* Header of message with certificate informations */ + /* Header of message with certificate information */ const char message_begin[] = "HTTP/1.1 200 OK\r\n" "Content-Type: text/html\r\n" "Connection: close\r\n\r\n" - "

Server certificate verification failed

Reason: "; + "\n" + "Server certificate verification failed\n" + "

Server certificate verification failed

\n" + "

Privoxy was unable " + "to securely connnect to the destination server.

" + "

Reason: "; const char message_end[] = "\r\n\r\n"; char reason[INVALID_CERT_INFO_BUF_SIZE]; memset(reason, 0, sizeof(reason)); @@ -1902,7 +2138,7 @@ extern void ssl_send_certificate_error(struct client_state *csp) { size_t base64_len = 4 * ((strlen(cert->file_buf) + 2) / 3) + 1; - message_len += strlen(cert->text_buf) + strlen("

\n")
+      message_len += strlen(cert->info_buf) + strlen("
\n")
                      +  base64_len + strlen("Download certificate");
       cert = cert->next;
@@ -1937,7 +2173,7 @@ extern void ssl_send_certificate_error(struct client_state *csp)
       }
 
       strlcat(message, "
",        message_len);
-      strlcat(message, cert->text_buf, message_len);
+      strlcat(message, cert->info_buf, message_len);
       strlcat(message, "
\n",     message_len);
 
       if (ret == 0)
@@ -1967,10 +2203,10 @@ extern void ssl_send_certificate_error(struct client_state *csp)
  * Function    :  ssl_verify_callback
  *
  * Description :  This is a callback function for certificate verification.
- *                It's called for all certificates in server certificate
- *                trusted chain and it's preparing information about this
- *                certificates. Prepared informations can be used to inform
- *                user about invalid certificates.
+ *                It's called once for each certificate in the server's
+ *                certificate trusted chain and prepares information about
+ *                the certificate. The information can be used to inform
+ *                the user about invalid certificates.
  *
  * Parameters  :
  *          1  :  csp_void = Current client state (buffers, headers, etc...)
@@ -2002,7 +2238,7 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt,
     */
    last->next = malloc_or_die(sizeof(struct certs_chain));
    last->next->next = NULL;
-   memset(last->next->text_buf, 0, sizeof(last->next->text_buf));
+   memset(last->next->info_buf, 0, sizeof(last->next->info_buf));
    memset(last->next->file_buf, 0, sizeof(last->next->file_buf));
 
    /*
@@ -2012,14 +2248,27 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt,
       crt->raw.p, crt->raw.len, (unsigned char *)last->file_buf,
       sizeof(last->file_buf)-1, &olen)) != 0)
    {
+      char err_buf[ERROR_BUF_SIZE];
+
+      mbedtls_strerror(ret, err_buf, sizeof(err_buf));
+      log_error(LOG_LEVEL_ERROR, "mbedtls_pem_write_buffer() failed: %s",
+         err_buf);
+
       return(ret);
    }
 
    /*
     * Saving certificate information into buffer
     */
-   mbedtls_x509_crt_info(last->text_buf, sizeof(last->text_buf) - 1,
-      CERT_INFO_PREFIX, crt);
+   {
+      char buf[CERT_INFO_BUF_SIZE];
+      char *encoded_text;
+
+      mbedtls_x509_crt_info(buf, sizeof(buf), CERT_INFO_PREFIX, crt);
+      encoded_text = html_encode(buf);
+      strlcpy(last->info_buf, encoded_text, sizeof(last->info_buf));
+      freez(encoded_text);
+   }
 
    return 0;
 }
@@ -2030,7 +2279,7 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt,
  * Function    :  free_certificate_chain
  *
  * Description :  Frees certificates linked list. This linked list is
- *                used to save informations about certificates in
+ *                used to save information about certificates in
  *                trusted chain.
  *
  * Parameters  :
@@ -2044,21 +2293,18 @@ static void free_certificate_chain(struct client_state *csp)
    struct certs_chain *cert = csp->server_certs_chain.next;
 
    /* Cleaning buffers */
-   memset(csp->server_certs_chain.text_buf, 0,
-      sizeof(csp->server_certs_chain.text_buf));
+   memset(csp->server_certs_chain.info_buf, 0,
+      sizeof(csp->server_certs_chain.info_buf));
    memset(csp->server_certs_chain.file_buf, 0,
       sizeof(csp->server_certs_chain.file_buf));
    csp->server_certs_chain.next = NULL;
 
    /* Freeing memory in whole linked list */
-   if (cert != NULL)
+   while (cert != NULL)
    {
-      do
-      {
-         struct certs_chain *cert_for_free = cert;
-         cert = cert->next;
-         freez(cert_for_free);
-      } while (cert != NULL);
+      struct certs_chain *cert_for_free = cert;
+      cert = cert->next;
+      freez(cert_for_free);
    }
 }
 
@@ -2136,7 +2382,7 @@ static int host_to_hash(struct client_state *csp)
  * Function    :  tunnel_established_successfully
  *
  * Description :  Check if parent proxy server response contains
- *                informations about successfully created connection with
+ *                information about successfully created connection with
  *                destination server. (HTTP/... 2xx ...)
  *
  * Parameters  :