X-Git-Url: http://www.privoxy.org/gitweb/misc.html?a=blobdiff_plain;f=openssl.c;h=39f465310a07ba4e0cfadf167cccdc22bcdcb0d8;hb=8fbaec9db37a4b73ae23727e60ddac591d2fc911;hp=723820bf0d0c6579933fa3ae4eb91d8c1197c2df;hpb=b987797ccc0276de1f36b8175ce105950d5e97eb;p=privoxy.git
diff --git a/openssl.c b/openssl.c
index 723820bf..39f46531 100644
--- a/openssl.c
+++ b/openssl.c
@@ -3,11 +3,12 @@
* File : $Source: /cvsroot/ijbswa/current/openssl.c,v $
*
* Purpose : File with TLS/SSL extension. Contains methods for
- * creating, using and closing TLS/SSL connections.
+ * creating, using and closing TLS/SSL connections
+ * using OpenSSL (or LibreSSL).
*
* Copyright : Written by and Copyright (c) 2020 Maxim Antonov
* Copyright (C) 2017 Vaclav Svec. FIT CVUT.
- * Copyright (C) 2018-2020 by Fabian Keil
+ * Copyright (C) 2018-2022 by Fabian Keil
*
* This program is free software; you can redistribute it
* and/or modify it under the terms of the GNU General
@@ -37,6 +38,13 @@
#include
#include
#include
+#ifdef _WIN32
+/* https://www.openssl.org/docs/faq.html
+ Iâve compiled a program under Windows and it crashes: Why?
+ tl,dr: because it needs this include:
+*/
+#include
+#endif /* _WIN32 */
#include "config.h"
#include "project.h"
@@ -55,13 +63,13 @@
#define CERTIFICATE_AUTHORITY_KEY "keyid:always"
#define CERTIFICATE_ALT_NAME_PREFIX "DNS:"
#define CERTIFICATE_VERSION 2
-#define VALID_DATETIME_FMT "%Y%m%d%H%M%SZ"
+#define VALID_DATETIME_FMT "%y%m%d%H%M%SZ"
#define VALID_DATETIME_BUFLEN 16
-static int generate_webpage_certificate(struct client_state *csp);
+static int generate_host_certificate(struct client_state *csp);
static void free_client_ssl_structures(struct client_state *csp);
static void free_server_ssl_structures(struct client_state *csp);
-static int ssl_store_cert(struct client_state *csp, X509* crt);
+static int ssl_store_cert(struct client_state *csp, X509 *crt);
static void log_ssl_errors(int debuglevel, const char* fmt, ...) __attribute__((format(printf, 2, 3)));
static int ssl_inited = 0;
@@ -152,19 +160,27 @@ extern size_t is_ssl_pending(struct ssl_attr *ssl_attr)
extern int ssl_send_data(struct ssl_attr *ssl_attr, const unsigned char *buf, size_t len)
{
BIO *bio = ssl_attr->openssl_attr.bio;
+ SSL *ssl;
int ret = 0;
int pos = 0; /* Position of unsent part in buffer */
+ int fd = -1;
if (len == 0)
{
return 0;
}
+ if (BIO_get_ssl(bio, &ssl) == 1)
+ {
+ fd = SSL_get_fd(ssl);
+ }
+
while (pos < len)
{
int send_len = (int)len - pos;
- log_error(LOG_LEVEL_WRITING, "TLS: %N", send_len, buf+pos);
+ log_error(LOG_LEVEL_WRITING, "TLS on socket %d: %N",
+ fd, send_len, buf+pos);
/*
* Sending one part of the buffer
@@ -176,7 +192,7 @@ extern int ssl_send_data(struct ssl_attr *ssl_attr, const unsigned char *buf, si
if (!BIO_should_retry(bio))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Sending data over TLS/SSL failed");
+ "Sending data on socket %d over TLS/SSL failed", fd);
return -1;
}
}
@@ -207,7 +223,10 @@ extern int ssl_send_data(struct ssl_attr *ssl_attr, const unsigned char *buf, si
extern int ssl_recv_data(struct ssl_attr *ssl_attr, unsigned char *buf, size_t max_length)
{
BIO *bio = ssl_attr->openssl_attr.bio;
+ SSL *ssl;
int ret = 0;
+ int fd = -1;
+
memset(buf, 0, max_length);
/*
@@ -218,15 +237,21 @@ extern int ssl_recv_data(struct ssl_attr *ssl_attr, unsigned char *buf, size_t m
ret = BIO_read(bio, buf, (int)max_length);
} while (ret <= 0 && BIO_should_retry(bio));
+ if (BIO_get_ssl(bio, &ssl) == 1)
+ {
+ fd = SSL_get_fd(ssl);
+ }
+
if (ret < 0)
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Receiving data over TLS/SSL failed");
+ "Receiving data on socket %d over TLS/SSL failed", fd);
return -1;
}
- log_error(LOG_LEVEL_RECEIVED, "TLS: %N", ret, buf);
+ log_error(LOG_LEVEL_RECEIVED, "TLS from socket %d: %N",
+ fd, ret, buf);
return ret;
}
@@ -236,27 +261,26 @@ extern int ssl_recv_data(struct ssl_attr *ssl_attr, unsigned char *buf, size_t m
*
* Function : ssl_store_cert
*
- * Description : This is a callback function for certificate verification.
- * It's called once for each certificate in the server's
- * certificate trusted chain and prepares information about
- * the certificate. The information can be used to inform
- * the user about invalid certificates.
+ * Description : This function is called once for each certificate in the
+ * server's certificate trusted chain and prepares
+ * information about the certificate. The information can
+ * be used to inform the user about invalid certificates.
*
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
- * 2 : crt = certificate from trusted chain
+ * 2 : crt = certificate from trusted chain
*
* Returns : 0 on success and negative value on error
*
*********************************************************************/
-static int ssl_store_cert(struct client_state *csp, X509* crt)
+static int ssl_store_cert(struct client_state *csp, X509 *crt)
{
- long len = 0;
+ long len;
struct certs_chain *last = &(csp->server_certs_chain);
int ret = 0;
BIO *bio = BIO_new(BIO_s_mem());
EVP_PKEY *pkey = NULL;
- char *bio_mem_data = 0;
+ char *bio_mem_data = NULL;
char *encoded_text;
long l;
const ASN1_INTEGER *bs;
@@ -267,7 +291,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
if (!bio)
{
- log_ssl_errors(LOG_LEVEL_ERROR, "BIO_new_mem_buf() failed");
+ log_ssl_errors(LOG_LEVEL_ERROR, "BIO_new() failed");
return -1;
}
@@ -285,34 +309,37 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
last->next = malloc_or_die(sizeof(struct certs_chain));
last->next->next = NULL;
memset(last->next->info_buf, 0, sizeof(last->next->info_buf));
- memset(last->next->file_buf, 0, sizeof(last->next->file_buf));
+ last->next->file_buf = NULL;
/*
* Saving certificate file into buffer
*/
if (!PEM_write_bio_X509(bio, crt))
{
- log_ssl_errors(LOG_LEVEL_ERROR, "PEM_write_X509() failed");
+ log_ssl_errors(LOG_LEVEL_ERROR, "PEM_write_bio_X509() failed");
ret = -1;
goto exit;
}
len = BIO_get_mem_data(bio, &bio_mem_data);
- if (len > (sizeof(last->file_buf) - 1))
+ last->file_buf = malloc((size_t)len + 1);
+ if (last->file_buf == NULL)
{
log_error(LOG_LEVEL_ERROR,
- "X509 PEM cert len %d is larger then buffer len %s",
- len, sizeof(last->file_buf) - 1);
- len = sizeof(last->file_buf) - 1;
+ "Failed to allocate %lu bytes to store the X509 PEM certificate",
+ len + 1);
+ ret = -1;
+ goto exit;
}
strncpy(last->file_buf, bio_mem_data, (size_t)len);
+ last->file_buf[len] = '\0';
BIO_free(bio);
bio = BIO_new(BIO_s_mem());
if (!bio)
{
- log_ssl_errors(LOG_LEVEL_ERROR, "BIO_new_mem_buf() failed");
+ log_ssl_errors(LOG_LEVEL_ERROR, "BIO_new() failed");
ret = -1;
goto exit;
}
@@ -342,7 +369,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
if (BIO_puts(bio, "serial number : ") <= 0)
{
- log_ssl_errors(LOG_LEVEL_ERROR, "BIO_write() for serial failed");
+ log_ssl_errors(LOG_LEVEL_ERROR, "BIO_puts() for serial failed");
ret = -1;
goto exit;
}
@@ -371,7 +398,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
ul = (unsigned long)l;
neg = "";
}
- if (BIO_printf(bio, " %s%lu (%s0x%lx)\n", neg, ul, neg, ul) <= 0)
+ if (BIO_printf(bio, "%s%lu (%s0x%lx)\n", neg, ul, neg, ul) <= 0)
{
log_ssl_errors(LOG_LEVEL_ERROR, "BIO_printf() for serial failed");
ret = -1;
@@ -380,6 +407,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
}
else
{
+ int i;
if (bs->type == V_ASN1_NEG_INTEGER)
{
if (BIO_puts(bio, " (Negative)") < 0)
@@ -389,7 +417,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
goto exit;
}
}
- for (int i = 0; i < bs->length; i++)
+ for (i = 0; i < bs->length; i++)
{
if (BIO_printf(bio, "%02x%c", bs->data[i],
((i + 1 == bs->length) ? '\n' : ':')) <= 0)
@@ -462,7 +490,7 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
tsig_alg = X509_get0_tbs_sigalg(crt);
if (!i2a_ASN1_OBJECT(bio, tsig_alg->algorithm))
{
- log_ssl_errors(LOG_LEVEL_ERROR, "i2a_ASN1_OBJECT() for signed using on failed");
+ log_ssl_errors(LOG_LEVEL_ERROR, "i2a_ASN1_OBJECT() for signed using failed");
ret = -1;
goto exit;
}
@@ -483,8 +511,12 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
case EVP_PKEY_DSA:
ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "DSA key size", EVP_PKEY_bits(pkey));
break;
+ case EVP_PKEY_EC:
+ ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "EC key size", EVP_PKEY_bits(pkey));
+ break;
default:
- ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "non-RSA/DSA key size", EVP_PKEY_bits(pkey));
+ ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "non-RSA/DSA/EC key size",
+ EVP_PKEY_bits(pkey));
break;
}
if (ret <= 0)
@@ -637,6 +669,13 @@ static int ssl_store_cert(struct client_state *csp, X509* crt)
BIO_write(bio, &zero, 1);
len = BIO_get_mem_data(bio, &bio_mem_data);
+ if (len <= 0)
+ {
+ log_error(LOG_LEVEL_ERROR, "BIO_get_mem_data() returned %ld "
+ "while gathering certificate information", len);
+ ret = -1;
+ goto exit;
+ }
encoded_text = html_encode(bio_mem_data);
if (encoded_text == NULL)
{
@@ -673,7 +712,7 @@ exit:
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
*
- * Returns : 1 => Error while creating hash
+ * Returns : -1 => Error while creating hash
* 0 => Hash created successfully
*
*********************************************************************/
@@ -719,10 +758,9 @@ extern int create_client_ssl_connection(struct client_state *csp)
struct ssl_attr *ssl_attr = &csp->ssl_client_attr;
/* Paths to certificates file and key file */
char *key_file = NULL;
- char *ca_file = NULL;
char *cert_file = NULL;
int ret = 0;
- SSL* ssl;
+ SSL *ssl;
/*
* Initializing OpenSSL structures for TLS/SSL connection
@@ -743,7 +781,6 @@ extern int create_client_ssl_connection(struct client_state *csp)
/*
* Preparing paths to certificates files and key file
*/
- ca_file = csp->config->ca_cert_file;
cert_file = make_certs_path(csp->config->certificate_directory,
(const char *)csp->http->hash_of_host_hex, CERT_FILE_TYPE);
key_file = make_certs_path(csp->config->certificate_directory,
@@ -760,17 +797,16 @@ extern int create_client_ssl_connection(struct client_state *csp)
* certificate and key inconsistence must be locked.
*/
privoxy_mutex_lock(&certificate_mutex);
+ ret = generate_host_certificate(csp);
+ privoxy_mutex_unlock(&certificate_mutex);
- ret = generate_webpage_certificate(csp);
if (ret < 0)
{
log_error(LOG_LEVEL_ERROR,
- "Generate_webpage_certificate failed: %d", ret);
- privoxy_mutex_unlock(&certificate_mutex);
+ "generate_host_certificate() failed: %d", ret);
ret = -1;
goto exit;
}
- privoxy_mutex_unlock(&certificate_mutex);
if (!(ssl_attr->openssl_attr.ctx = SSL_CTX_new(SSLv23_server_method())))
{
@@ -821,6 +857,18 @@ extern int create_client_ssl_connection(struct client_state *csp)
goto exit;
}
+ if (csp->config->cipher_list != NULL)
+ {
+ if (!SSL_set_cipher_list(ssl, csp->config->cipher_list))
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "Setting the cipher list '%s' for the client connection failed",
+ csp->config->cipher_list);
+ ret = -1;
+ goto exit;
+ }
+ }
+
/*
* Handshake with client
*/
@@ -835,7 +883,9 @@ extern int create_client_ssl_connection(struct client_state *csp)
goto exit;
}
- log_error(LOG_LEVEL_CONNECT, "Client successfully connected over TLS/SSL");
+ log_error(LOG_LEVEL_CONNECT, "Client successfully connected over %s (%s).",
+ SSL_get_version(ssl), SSL_get_cipher_name(ssl));
+
csp->ssl_with_client_is_opened = 1;
ret = 0;
@@ -871,6 +921,7 @@ exit:
extern void close_client_ssl_connection(struct client_state *csp)
{
struct ssl_attr *ssl_attr = &csp->ssl_client_attr;
+ SSL *ssl;
if (csp->ssl_with_client_is_opened == 0)
{
@@ -881,6 +932,20 @@ extern void close_client_ssl_connection(struct client_state *csp)
* Notifying the peer that the connection is being closed.
*/
BIO_ssl_shutdown(ssl_attr->openssl_attr.bio);
+ if (BIO_get_ssl(ssl_attr->openssl_attr.bio, &ssl) != 1)
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "BIO_get_ssl() failed in close_client_ssl_connection()");
+ }
+ else
+ {
+ /*
+ * Pretend we received a shutdown alert so
+ * the BIO_free_all() call later on returns
+ * quickly.
+ */
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ }
free_client_ssl_structures(csp);
csp->ssl_with_client_is_opened = 0;
}
@@ -930,6 +995,7 @@ static void free_client_ssl_structures(struct client_state *csp)
extern void close_server_ssl_connection(struct client_state *csp)
{
struct ssl_attr *ssl_attr = &csp->ssl_server_attr;
+ SSL *ssl;
if (csp->ssl_with_server_is_opened == 0)
{
@@ -940,6 +1006,20 @@ extern void close_server_ssl_connection(struct client_state *csp)
* Notifying the peer that the connection is being closed.
*/
BIO_ssl_shutdown(ssl_attr->openssl_attr.bio);
+ if (BIO_get_ssl(ssl_attr->openssl_attr.bio, &ssl) != 1)
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "BIO_get_ssl() failed in close_server_ssl_connection()");
+ }
+ else
+ {
+ /*
+ * Pretend we received a shutdown alert so
+ * the BIO_free_all() call later on returns
+ * quickly.
+ */
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ }
free_server_ssl_structures(csp);
csp->ssl_with_server_is_opened = 0;
}
@@ -1015,6 +1095,18 @@ extern int create_server_ssl_connection(struct client_state *csp)
goto exit;
}
+ if (csp->config->cipher_list != NULL)
+ {
+ if (!SSL_set_cipher_list(ssl, csp->config->cipher_list))
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "Setting the cipher list '%s' for the server connection failed",
+ csp->config->cipher_list);
+ ret = -1;
+ goto exit;
+ }
+ }
+
/*
* Set the hostname to check against the received server certificate
*/
@@ -1069,10 +1161,16 @@ extern int create_server_ssl_connection(struct client_state *csp)
goto exit;
}
+ /*
+ * XXX: Do we really have to do this always?
+ * Probably it's sufficient to do if the verification fails
+ * in which case we're sending the certificates to the client.
+ */
chain = SSL_get_peer_cert_chain(ssl);
if (chain)
{
- for (int i = 0; i < sk_X509_num(chain); i++)
+ int i;
+ for (i = 0; i < sk_X509_num(chain); i++)
{
if (ssl_store_cert(csp, sk_X509_value(chain, i)) != 0)
{
@@ -1094,14 +1192,16 @@ extern int create_server_ssl_connection(struct client_state *csp)
else
{
csp->server_cert_verification_result = verify_result;
- log_error(LOG_LEVEL_ERROR, "SSL_get_verify_result failed: %s",
- X509_verify_cert_error_string(verify_result));
+ log_error(LOG_LEVEL_ERROR,
+ "X509 certificate verification for %s failed: %s",
+ csp->http->hostport, X509_verify_cert_error_string(verify_result));
ret = -1;
goto exit;
}
}
- log_error(LOG_LEVEL_CONNECT, "Server successfully connected over TLS/SSL");
+ log_error(LOG_LEVEL_CONNECT, "Server successfully connected over %s (%s).",
+ SSL_get_version(ssl), SSL_get_cipher_name(ssl));
/*
* Server certificate chain is valid, so we can clean
@@ -1208,8 +1308,8 @@ static void log_ssl_errors(int debuglevel, const char* fmt, ...)
extern int ssl_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
const unsigned char *src, size_t slen)
{
- *olen = 4 * ((slen/3) + ((slen%3) ? 1 : 0)) + 1;
- if (*olen < dlen)
+ *olen = 4 * ((slen/3) + ((slen%3) ? 1 : 0)) + 1;
+ if (*olen > dlen)
{
return ENOBUFS;
}
@@ -1394,26 +1494,16 @@ exit:
static int generate_key(struct client_state *csp, char **key_buf)
{
int ret = 0;
- char* key_file_path = NULL;
- BIGNUM *exp = BN_new();
- RSA *rsa = RSA_new();
- EVP_PKEY *key = EVP_PKEY_new();
-
- if (exp == NULL || rsa == NULL || key == NULL)
- {
- log_ssl_errors(LOG_LEVEL_ERROR, "RSA key memory allocation failure");
- ret = -1;
- goto exit;
- }
-
- BN_set_word(exp, RSA_KEY_PUBLIC_EXPONENT);
+ char* key_file_path;
+ BIGNUM *exp;
+ RSA *rsa;
+ EVP_PKEY *key;
key_file_path = make_certs_path(csp->config->certificate_directory,
(char *)csp->http->hash_of_host_hex, KEY_FILE_TYPE);
if (key_file_path == NULL)
{
- ret = -1;
- goto exit;
+ return -1;
}
/*
@@ -1421,7 +1511,24 @@ static int generate_key(struct client_state *csp, char **key_buf)
*/
if (file_exists(key_file_path) == 1)
{
- ret = 0;
+ freez(key_file_path);
+ return 0;
+ }
+
+ exp = BN_new();
+ rsa = RSA_new();
+ key = EVP_PKEY_new();
+ if (exp == NULL || rsa == NULL || key == NULL)
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR, "RSA key memory allocation failure");
+ ret = -1;
+ goto exit;
+ }
+
+ if (BN_set_word(exp, RSA_KEY_PUBLIC_EXPONENT) != 1)
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR, "Setting RSA key exponent failed");
+ ret = -1;
goto exit;
}
@@ -1487,7 +1594,7 @@ exit:
* pointer to certificate instance otherwise
*
*********************************************************************/
-static X509* ssl_certificate_load(const char *cert_path)
+static X509 *ssl_certificate_load(const char *cert_path)
{
X509 *cert = NULL;
FILE *cert_f = NULL;
@@ -1533,8 +1640,6 @@ static int ssl_certificate_is_invalid(const char *cert_file)
if (!(cert = ssl_certificate_load(cert_file)))
{
- log_ssl_errors(LOG_LEVEL_ERROR,
- "Error reading certificate file %s", cert_file);
return 1;
}
@@ -1543,6 +1648,7 @@ static int ssl_certificate_is_invalid(const char *cert_file)
{
log_ssl_errors(LOG_LEVEL_ERROR,
"Error checking certificate %s validity", cert_file);
+ ret = -1;
}
X509_free(cert);
@@ -1563,7 +1669,7 @@ static int ssl_certificate_is_invalid(const char *cert_file)
* 3 : nid = OpenSSL NID
* 4 : value = extension value
*
- * Returns : 0 => Error while setting extensuon data
+ * Returns : 0 => Error while setting extension data
* 1 => It worked
*
*********************************************************************/
@@ -1625,7 +1731,7 @@ static int set_subject_alternative_name(X509 *cert, X509 *issuer, const char *ho
/*********************************************************************
*
- * Function : generate_webpage_certificate
+ * Function : generate_host_certificate
*
* Description : Creates certificate file in presetted directory.
* If certificate already exists, no other certificate
@@ -1641,7 +1747,7 @@ static int set_subject_alternative_name(X509 *cert, X509 *issuer, const char *ho
* 1 => Certificate created
*
*********************************************************************/
-static int generate_webpage_certificate(struct client_state *csp)
+static int generate_host_certificate(struct client_state *csp)
{
char *key_buf = NULL; /* Buffer for created key */
X509 *issuer_cert = NULL;
@@ -1659,6 +1765,8 @@ static int generate_webpage_certificate(struct client_state *csp)
cert_options cert_opt;
char cert_valid_from[VALID_DATETIME_BUFLEN];
char cert_valid_to[VALID_DATETIME_BUFLEN];
+ const char *common_name;
+ enum { CERT_PARAM_COMMON_NAME_MAX = 64 };
/* Paths to keys and certificates needed to create certificate */
cert_opt.issuer_key = NULL;
@@ -1680,6 +1788,15 @@ static int generate_webpage_certificate(struct client_state *csp)
return -1;
}
+ if (enforce_sane_certificate_state(cert_opt.output_file,
+ cert_opt.subject_key))
+ {
+ freez(cert_opt.output_file);
+ freez(cert_opt.subject_key);
+
+ return -1;
+ }
+
if (file_exists(cert_opt.output_file) == 1)
{
/* The file exists, but is it valid? */
@@ -1760,13 +1877,20 @@ static int generate_webpage_certificate(struct client_state *csp)
subject_name = X509_NAME_new();
if (!subject_name)
{
- log_ssl_errors(LOG_LEVEL_ERROR, "RSA key memory allocation failure");
+ log_ssl_errors(LOG_LEVEL_ERROR, "X509 memory allocation failure");
ret = -1;
goto exit;
}
+ /*
+ * Make sure OpenSSL doesn't reject the common name due to its length.
+ * The clients should only care about the Subject Alternative Name anyway
+ * and we always use the real host name for that.
+ */
+ common_name = (strlen(csp->http->host) > CERT_PARAM_COMMON_NAME_MAX) ?
+ CGI_SITE_2_HOST : csp->http->host;
if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_COMMON_NAME_FCODE,
- MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+ MBSTRING_ASC, (void *)common_name, -1, -1, 0))
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
@@ -1775,20 +1899,20 @@ static int generate_webpage_certificate(struct client_state *csp)
goto exit;
}
if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORGANIZATION_FCODE,
- MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+ MBSTRING_ASC, (void *)common_name, -1, -1, 0))
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
- CERT_PARAM_COMMON_NAME_FCODE, csp->http->host);
+ CERT_PARAM_ORGANIZATION_FCODE, csp->http->host);
ret = -1;
goto exit;
}
if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORG_UNIT_FCODE,
- MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+ MBSTRING_ASC, (void *)common_name, -1, -1, 0))
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
- CERT_PARAM_COMMON_NAME_FCODE, csp->http->host);
+ CERT_PARAM_ORG_UNIT_FCODE, csp->http->host);
ret = -1;
goto exit;
}
@@ -1797,7 +1921,7 @@ static int generate_webpage_certificate(struct client_state *csp)
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
- CERT_PARAM_COMMON_NAME_FCODE, csp->http->host);
+ CERT_PARAM_COUNTRY_FCODE, CERT_PARAM_COUNTRY_CODE);
ret = -1;
goto exit;
}
@@ -1839,7 +1963,7 @@ static int generate_webpage_certificate(struct client_state *csp)
serial_num = BN_new();
if (!serial_num)
{
- log_error(LOG_LEVEL_ERROR, "generate_webpage_certificate: memory error");
+ log_error(LOG_LEVEL_ERROR, "generate_host_certificate: memory error");
ret = -1;
goto exit;
}
@@ -1868,7 +1992,7 @@ static int generate_webpage_certificate(struct client_state *csp)
goto exit;
}
- issuer_name = X509_get_issuer_name(issuer_cert);
+ issuer_name = X509_get_subject_name(issuer_cert);
/*
* Loading keys from file or from buffer
@@ -1939,7 +2063,7 @@ static int generate_webpage_certificate(struct client_state *csp)
if (!X509_set_pubkey(cert, loaded_subject_key))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Setting issuer name in signed certificate failed");
+ "Setting public key in signed certificate failed");
ret = -1;
goto exit;
}
@@ -1947,7 +2071,7 @@ static int generate_webpage_certificate(struct client_state *csp)
if (!X509_set_subject_name(cert, subject_name))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Setting issuer name in signed certificate failed");
+ "Setting subject name in signed certificate failed");
ret = -1;
goto exit;
}
@@ -2001,7 +2125,7 @@ static int generate_webpage_certificate(struct client_state *csp)
if (!X509_set1_notBefore(cert, asn_time))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Setting valid not befre in signed certificate failed");
+ "Setting valid not before in signed certificate failed");
ret = -1;
goto exit;
}
@@ -2017,7 +2141,7 @@ static int generate_webpage_certificate(struct client_state *csp)
if (!set_x509_ext(cert, issuer_cert, NID_subject_key_identifier, CERTIFICATE_SUBJECT_KEY))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Setting the Subject Key Identifie extension failed");
+ "Setting the Subject Key Identifier extension failed");
ret = -1;
goto exit;
}
@@ -2033,7 +2157,8 @@ static int generate_webpage_certificate(struct client_state *csp)
if (!host_is_ip_address(csp->http->host) &&
!set_subject_alternative_name(cert, issuer_cert, csp->http->host))
{
- log_ssl_errors(LOG_LEVEL_ERROR, "Setting the Subject Alt Nameextension failed");
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "Setting the Subject Alt Name extension failed");
ret = -1;
goto exit;
}
@@ -2127,6 +2252,7 @@ extern void ssl_crt_verify_info(char *buf, size_t size, struct client_state *csp
}
+#ifdef FEATURE_GRACEFUL_TERMINATION
/*********************************************************************
*
* Function : ssl_release
@@ -2142,12 +2268,18 @@ extern void ssl_release(void)
{
if (ssl_inited == 1)
{
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+#ifndef LIBRESSL_VERSION_NUMBER
+#ifndef OPENSSL_NO_COMP
SSL_COMP_free_compression_methods();
-
+#endif
+#endif
+#endif
CONF_modules_free();
CONF_modules_unload(1);
-
+#ifndef OPENSSL_NO_COMP
COMP_zlib_cleanup();
+#endif
ERR_free_strings();
EVP_cleanup();
@@ -2155,4 +2287,4 @@ extern void ssl_release(void)
CRYPTO_cleanup_all_ex_data();
}
}
-
+#endif /* def FEATURE_GRACEFUL_TERMINATION */