From 5415008eafe007b95daa7801ff53bcf13ae52a6a Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Fri, 10 Jun 2022 17:56:44 +0200
Subject: [PATCH 01/16] Add test scenario acl-destination-permitted
Sponsored by: Privoxy project funds collected at SPI
---
 .../cts/acl-destination-permitted/data/test1 | 32 +++++++++++++++++++
 .../acl-destination-permitted/privoxy.conf | 19 +++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 tests/cts/acl-destination-permitted/data/test1
 create mode 100644 tests/cts/acl-destination-permitted/privoxy.conf
diff --git a/tests/cts/acl-destination-permitted/data/test1 b/tests/cts/acl-destination-permitted/data/test1
new file mode 100644
index 00000000..fb726451
--- /dev/null
+++ b/tests/cts/acl-destination-permitted/data/test1
@@ -0,0 +1,32 @@
+
+
+
+HTTP
+HTTP GET
+
+
+
+
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 14
+
+Blafaseldieda
+
+
+
+
+
+http
+
+
+Request from permitted IP address to permitted destination address
+
+
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+
+
+
+
diff --git a/tests/cts/acl-destination-permitted/privoxy.conf b/tests/cts/acl-destination-permitted/privoxy.conf
new file mode 100644
index 00000000..d738cd88
--- /dev/null
+++ b/tests/cts/acl-destination-permitted/privoxy.conf
@@ -0,0 +1,19 @@
+listen-address 127.0.0.1:9119
+
+debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
+debug 2 # show each connection status
+debug 4 # show tagging-related messages
+debug 8 # show header parsing
+debug 32 # debug force feature
+debug 64 # debug regular expression filters
+debug 128 # debug redirects
+debug 256 # debug GIF de-animation
+debug 512 # Common Log Format
+debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
+debug 4096 # Startup banner and warnings.
+debug 8192 # Non-fatal errors
+
+deny-access 127.0.0.1 127.0.0.2
+deny-access 127.0.0.2 127.0.0.1
+permit-access 127.0.0.1 127.0.0.1
+
-- 
2.39.2
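Review bot: The ACL block at the end of privoxy.conf gives no hint why two `deny-access` lines precede the single `permit-access 127.0.0.1 127.0.0.1` line, so a reader cannot tell whether the scenario is meant to exercise ACL evaluation order or merely the permit line. As far as the config documentation describes it, the last matching ACL line wins, which is what makes the later permit line decisive; that assumption deserves to be written down next to the rules, e.g. `# ACL lines are evaluated with the last match winning; the permit-access line below is the one that applies to a 127.0.0.1 -> 127.0.0.1 request, the deny-access lines must not affect it.` With that comment the expected outcome named in data/test1 ("Request from permitted IP address to permitted destination address") can be verified against the config without knowing the ACL semantics by heart.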
From c2f3e69c41b88bd018a618c8de2e6fe01799edfb Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 17 Mar 2024 18:59:35 +0100
Subject: [PATCH 02/16] handle_established_connection(): Add a period to a log message
---
 jcc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jcc.c b/jcc.c
index b7f50fa8..0e110a3c 100644
--- a/jcc.c
+++ b/jcc.c
@@ -4174,7 +4174,7 @@ static void handle_established_connection(struct client_state *csp)
 else
 {
 log_error(LOG_LEVEL_CONNECT,
- "Keeping chunk offset at %lu despite flushing %ld bytes",
+ "Keeping chunk offset at %lu despite flushing %ld bytes.",
 chunk_offset, len);
 /*
 * If we can't parse the chunk-encoded data we should
-- 
2.39.2
From de207b7461b11dce70902251c5a1cdc111f773e9 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 17 Mar 2024 19:00:05 +0100
Subject: [PATCH 03/16] privoxy-log-parser: Highlight 'Keeping chunk offset at 0 despite flushing 31 bytes.'
---
 tools/privoxy-log-parser.pl | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tools/privoxy-log-parser.pl b/tools/privoxy-log-parser.pl
index 29b8e1e8..b499237e 100755
--- a/tools/privoxy-log-parser.pl
+++ b/tools/privoxy-log-parser.pl
@@ -1970,6 +1970,12 @@ sub handle_loglevel_connect($) {
 $c = highlight_matched_url($c, "(?<=error message for )[^ ]*");
 $c =~ s@(?<=client socket )(\d+)@$h{'Number'}$1$h{'Standard'}@;

+ } elsif ($c =~ m/^Keeping chunk offset at/) {
+
+ # Keeping chunk offset at 0 despite flushing 31 bytes.
+ $c =~ s@(?<=offset at )(\d+)@$h{'Number'}$1$h{'Standard'}@;
+ $c =~ s@(?<=flushing )(\d+)@$h{'Number'}$1$h{'Standard'}@;
+
 } elsif ($c =~ m/^Looks like we / or
 $c =~ m/^Unsetting keep-alive flag/ or
 $c =~ m/^No connections to wait/ or
-- 
2.39.2
From 35e52506aa63610bb3c6979d78bbd91bc006a169 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 17 Mar 2024 19:00:25 +0100
Subject: [PATCH 04/16] privoxy-log-parser: Bump copyright
---
 tools/privoxy-log-parser.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/privoxy-log-parser.pl b/tools/privoxy-log-parser.pl
index b499237e..6dc5450a 100755
--- a/tools/privoxy-log-parser.pl
+++ b/tools/privoxy-log-parser.pl
@@ -23,7 +23,7 @@
 # hash key as input.
 # - Add --compress and --decompress options.
 #
-# Copyright (c) 2007-2023 Fabian Keil
+# Copyright (c) 2007-2024 Fabian Keil
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
-- 
2.39.2
From d34fee8964a03d51d573ef494270c0f2ce33e818 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 31 Mar 2024 12:54:25 +0200
Subject: [PATCH 05/16] wolfSSL: Use WOLFSSL_X509_V_OK instead of X509_V_OK
They have the same value but X509_V_OK may need an additional header.
Reported by withoutname in #1765.
---
 wolfssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfssl.c b/wolfssl.c
index bdbf8e9b..04108e83 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -1200,7 +1200,7 @@ extern int create_server_ssl_connection(struct client_state *csp)
 {
 long verify_result = wolfSSL_get_error(ssl, connect_ret);

- if (verify_result == X509_V_OK)
+ if (verify_result == WOLFSSL_X509_V_OK)
 {
 ret = 0;
 csp->server_cert_verification_result = SSL_CERT_VALID;
-- 
2.39.2
From 01d592a196a854c295773bbd959b52a572adb6d3 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 31 Mar 2024 13:11:59 +0200
Subject: [PATCH 06/16] wolfSSL: Include wolfssl/openssl/pem.h
Apparently this is needed on some systems including Linux Mint 21.2.
Reported by by Juliusz Sosinowicz.
---
 wolfssl.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/wolfssl.c b/wolfssl.c
index 04108e83..1b1a5e06 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -37,6 +37,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
-- 
2.39.2
From d811a9ebccf077f3938c92f7a1b050ad2573ca78 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 31 Mar 2024 13:15:33 +0200
Subject: [PATCH 07/16] Add Juliusz Sosinowicz as contributor
---
 doc/source/p-authors.sgml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/doc/source/p-authors.sgml b/doc/source/p-authors.sgml
index 69078f85..c82129dd 100644
--- a/doc/source/p-authors.sgml
+++ b/doc/source/p-authors.sgml
@@ -217,6 +217,7 @@ Current Privoxy Team:
 Gagan Sidhu
 Johan Sintorn
 Benjamin C. Wiley Sittler
+ Juliusz Sosinowicz
 DRS David Soft
 Simon South
 Dan Stahlke
-- 
2.39.2
From 34dbb5e07a859c5d1f14de8dfbf688ce7bf0e6f0 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 31 Mar 2024 13:50:02 +0200
Subject: [PATCH 08/16] wolfSSL: Make it more obvious that Subject Alternative Name support is mandatory
---
 wolfssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfssl.c b/wolfssl.c
index 1b1a5e06..08f3d715 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -1736,7 +1736,7 @@ static int load_rsa_key(const char *rsa_key_path, const char *password, RsaKey *
 }
 #ifndef WOLFSSL_ALT_NAMES
-#error wolfSSL lacks Subject Alternative Name support
+#error wolfSSL lacks Subject Alternative Name support (WOLFSSL_ALT_NAMES) which is mandatory
 #endif
 /*********************************************************************
 *
-- 
2.39.2
From e3785036766088f2eaafbede89eff8502cc9a720 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 31 Mar 2024 17:01:36 +0200
Subject: [PATCH 09/16] wolfSSL: Use variable type WC_RNG instead of RNG
As Roland reported [0] the latter may not be available.
[0]
---
 wolfssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfssl.c b/wolfssl.c
index 08f3d715..0ca0605f 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -66,7 +66,7 @@ static int wolfssl_initialized = 0;
 * doesn't matter because we only use it with
 * the certificate_mutex locked.
 */
-static RNG wolfssl_rng;
+static WC_RNG wolfssl_rng;
 #ifndef WOLFSSL_ALT_CERT_CHAINS
 /*
-- 
2.39.2
From 6c44c20c21ee03820b9d526af0b74818e7ffbda6 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 31 Mar 2024 17:04:43 +0200
Subject: [PATCH 10/16] wolfSSL: Use variable type wc_Md5 instead of md5
As Roland reported [0] the latter may not be available.
[0]
---
 wolfssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfssl.c b/wolfssl.c
index 0ca0605f..0357efa1 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -736,7 +736,7 @@ exit:
 *********************************************************************/
 static int host_to_hash(struct client_state *csp)
 {
- Md5 md5;
+ wc_Md5 md5;
 int ret;
 size_t i;
-- 
2.39.2
From 838bc3c0ebadef1b068ea223e0a2df28cd5a66b7 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 31 Mar 2024 17:16:46 +0200
Subject: [PATCH 11/16] wolfSSL: Use X509_V_OK if it's available
Older wolfSSL releases don't have WOLFSSL_X509_V_OK yet.
Reported by Roland [0].
[0]:
---
 wolfssl.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/wolfssl.c b/wolfssl.c
index 0357efa1..a13fbb1c 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -1201,7 +1201,11 @@ extern int create_server_ssl_connection(struct client_state *csp)
 {
 long verify_result = wolfSSL_get_error(ssl, connect_ret);

+#ifdef X509_V_OK
+ if (verify_result == X509_V_OK)
+#else
 if (verify_result == WOLFSSL_X509_V_OK)
+#endif
 {
 ret = 0;
 csp->server_cert_verification_result = SSL_CERT_VALID;
-- 
2.39.2
From e230f893812e3e09b5afb287fb85ef189174244e Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 31 Mar 2024 17:50:18 +0200
Subject: [PATCH 12/16] Bump copyright
---
 wolfssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfssl.c b/wolfssl.c
index a13fbb1c..ede20478 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -6,7 +6,7 @@
 * creating, using and closing TLS/SSL connections
 * using wolfSSL.
 *
- * Copyright : Copyright (C) 2018-2021 by Fabian Keil
+ * Copyright : Copyright (C) 2018-2024 by Fabian Keil
 * Copyright (C) 2020 Maxim Antonov
 * Copyright (C) 2017 Vaclav Svec. FIT CVUT.
 *
-- 
2.39.2
From 30cb9a4ab4e11889f7416f4b15b3f74950b96f07 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Mon, 1 Apr 2024 13:31:20 +0200
Subject: [PATCH 13/16] privoxy-log-parser: Highlight 'Not shutting down client connection on socket 8. The socket is no longer alive.'
---
 tools/privoxy-log-parser.pl | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/tools/privoxy-log-parser.pl b/tools/privoxy-log-parser.pl
index 6dc5450a..ae18c57e 100755
--- a/tools/privoxy-log-parser.pl
+++ b/tools/privoxy-log-parser.pl
@@ -1976,6 +1976,11 @@ sub handle_loglevel_connect($) {
 $c =~ s@(?<=offset at )(\d+)@$h{'Number'}$1$h{'Standard'}@;
 $c =~ s@(?<=flushing )(\d+)@$h{'Number'}$1$h{'Standard'}@;

+ } elsif ($c =~ m/^Not shutting down client connection on/) {
+
+ # Not shutting down client connection on socket 8. The socket is no longer alive.
+ $c =~ s@(?<=socket )(\d+)@$h{'Number'}$1$h{'Standard'}@;
+
 } elsif ($c =~ m/^Looks like we / or
 $c =~ m/^Unsetting keep-alive flag/ or
 $c =~ m/^No connections to wait/ or
-- 
2.39.2
From 81f919346d325b86b6e2efaafdeb4fa4c2bf4bac Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Mon, 1 Apr 2024 13:46:39 +0200
Subject: [PATCH 14/16] wolfSSL: Bump MAX_SHUTDOWN_ATTEMPTS to 5 as an experiment
---
 wolfssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfssl.c b/wolfssl.c
index ede20478..f011491b 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -960,7 +960,7 @@ static void shutdown_connection(WOLFSSL *ssl, const char *type)
 int shutdown_attempts = 0;
 int ret;
 int fd;
- enum { MAX_SHUTDOWN_ATTEMPTS = 2 };
+ enum { MAX_SHUTDOWN_ATTEMPTS = 5 };
 fd = wolfSSL_get_fd(ssl);
-- 
2.39.2
From 23dcf9be0e91645fe420fdf0c699f99d457d3fc9 Mon Sep 17 00:00:00 2001
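Review bot: The new bound `enum { MAX_SHUTDOWN_ATTEMPTS = 5 };` in shutdown_connection carries no explanation, and the commit message only calls it an experiment, so the next reader cannot tell whether 5 is a tuned value or a placeholder to be revisited; a comment on that line such as `/* Experimental value, raised from 2; wolfSSL_shutdown() presumably needs more than one call to finish a bidirectional close. Revisit once log data is available. */` would record the intent. Patch 15 in this series then makes `shutdown_attempts++` unconditional, so the counter now includes the succeeding call as well; whichever loop condition compares the counter with this bound lies outside both hunks, but if it is a plain `<` comparison the effective number of tolerated failures changed at the same time as the constant, and the two patches should be read together when judging the new value. shutdown_connection's body continues outside the hunk.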
From: Fabian Keil
Date: Mon, 1 Apr 2024 16:41:27 +0200
Subject: [PATCH 15/16] wolfSSL: Unconditionally increment shutdown_attempts
Previously the succeeding attempt wasn't counted.
---
 wolfssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfssl.c b/wolfssl.c
index f011491b..10ecd6b0 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -973,9 +973,9 @@ static void shutdown_connection(WOLFSSL *ssl, const char *type)
 return;
 }
 ret = wolfSSL_shutdown(ssl);
+ shutdown_attempts++;
 if (WOLFSSL_SUCCESS != ret)
 {
- shutdown_attempts++;
 log_error(LOG_LEVEL_CONNECT, "Failed to shutdown %s connection " "on socket %d. Attempts so far: %d, ret: %d", type, fd, shutdown_attempts, ret);
-- 
2.39.2
From b0a88373c964ed31e953edc68b75d657b85c3e69 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Mon, 1 Apr 2024 17:19:06 +0200
Subject: [PATCH 16/16] wolfSSL: Use LIBWOLFSSL_VERSION_HEX to decide whether or not to use WOLFSSL_X509_V_OK
As Roland pointed out, in older wolfSSL releases X509_V_OK is an enum so the previous commit 838bc3c0e did not work as expected there.
---
 wolfssl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/wolfssl.c b/wolfssl.c
index 10ecd6b0..7f6c9646 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -1201,10 +1201,10 @@ extern int create_server_ssl_connection(struct client_state *csp)
 {
 long verify_result = wolfSSL_get_error(ssl, connect_ret);

-#ifdef X509_V_OK
- if (verify_result == X509_V_OK)
-#else
+#if LIBWOLFSSL_VERSION_HEX > 0x05005004
 if (verify_result == WOLFSSL_X509_V_OK)
+#else
+ if (verify_result == X509_V_OK)
 #endif
 {
 ret = 0;
-- 
2.39.2
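Review bot: `#if LIBWOLFSSL_VERSION_HEX > 0x05005004` silently selects the `#else` branch when LIBWOLFSSL_VERSION_HEX is not defined at this point, because an undefined identifier in `#if` evaluates to 0; the macro comes from wolfSSL's version header, which is presumably reached through the wolfSSL headers included earlier in the file, but nothing in the hunk guarantees it and a build without it would compile against `X509_V_OK` unnoticed. Adding `#ifndef LIBWOLFSSL_VERSION_HEX` / `#error "LIBWOLFSSL_VERSION_HEX is not defined, wolfSSL version header missing"` / `#endif` before the check (or building with -Wundef) turns that into a compile-time error. The threshold is also a bare number; if I decode wolfSSL's version scheme correctly it means "newer than 5.5.4", and a comment like `/* WOLFSSL_X509_V_OK is only available in wolfSSL releases newer than 5.5.4 */` would spare readers working that out from the hex. create_server_ssl_connection's body continues on both sides of the hunk.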