* not depend on particular TLS/SSL library.
*
* Copyright : Written by and Copyright (c) 2017 Vaclav Svec. FIT CVUT.
- * Copyright (C) 2018-2020 by Fabian Keil <fk@fabiankeil.de>
+ * Copyright (C) 2018-2021 by Fabian Keil <fk@fabiankeil.de>
*
* This program is free software; you can redistribute it
* and/or modify it under the terms of the GNU General
/* Cleaning buffers */
memset(csp->server_certs_chain.info_buf, 0,
sizeof(csp->server_certs_chain.info_buf));
- memset(csp->server_certs_chain.file_buf, 0,
- sizeof(csp->server_certs_chain.file_buf));
+ freez(csp->server_certs_chain.file_buf);
+
csp->server_certs_chain.next = NULL;
/* Freeing memory in whole linked list */
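Review bot: The buffer cleanup at L10-L14 is repeated verbatim for every list node at L23-L24, and the two buffers now have different ownership: `info_buf` stays an inline array that is wiped with memset, while `file_buf` has become a heap pointer released with `freez`. Keeping both sites in one small static helper avoids them drifting apart, and the struct definition (outside this hunk) should carry a comment such as `/* file_buf is heap-allocated; released by the chain cleanup */`. Note also that the old memset left callers a zeroed, still-usable `file_buf`, whereas freez (Privoxy's macro frees and NULLs the pointer) leaves it NULL, so any caller that writes into `csp->server_certs_chain.file_buf` after this cleanup without reallocating would now dereference NULL — worth confirming at the call sites. The enclosing function starts outside the hunk.
```c
/* Wipe the inline info buffer and release the heap-owned file buffer. */
static void free_certs_chain_buffers(struct certs_chain *c)
{
   memset(c->info_buf, 0, sizeof(c->info_buf));
   freez(c->file_buf);
}

/* … unchanged: start of the chain cleanup … */
   free_certs_chain_buffers(&csp->server_certs_chain);
/* … unchanged: csp->server_certs_chain.next = NULL; loop over nodes … */
      free_certs_chain_buffers(cert_for_free);
      freez(cert_for_free);
```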
{
struct certs_chain *cert_for_free = cert;
cert = cert->next;
+
+ /* Cleaning buffers */
+ memset(cert_for_free->info_buf, 0, sizeof(cert_for_free->info_buf));
+ freez(cert_for_free->file_buf);
+
freez(cert_for_free);
}
}
/* Header of message with certificate information */
const char message_begin[] =
- "HTTP/1.1 200 OK\r\n"
+ "HTTP/1.1 403 Certificate validation failed\r\n"
"Content-Type: text/html\r\n"
"Connection: close\r\n\r\n"
"<!DOCTYPE html>\n"
"<p><a href=\"https://" CGI_SITE_2_HOST "/\">Privoxy</a> was unable "
"to securely connect to the destination server.</p>"
"<p>Reason: ";
- const char message_end[] = "</body></html>\r\n\r\n";
+ const char message_end[] = "</body></html>\n";
char reason[INVALID_CERT_INFO_BUF_SIZE];
memset(reason, 0, sizeof(reason));
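Review bot: `reason` on L41, and whatever certificate details the rest of this function appends after `<p>Reason: `, are emitted inside a `text/html` body, and nothing in this hunk shows them being HTML-escaped; that text derives from the remote server's certificate, so if it is copied in verbatim a server could inject markup into this Privoxy-origin error page. Pass the inserted strings through `html_encode()` before they are concatenated into `message`, unless that already happens in the part of the function not shown here — please confirm. The changed status line and `message_end` are consistent with the 403 now logged further down. The body of the function continues outside the hunk.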
}
strlcat(message, message_end, message_len);
+ if (0 == strcmpic(csp->http->gpc, "HEAD"))
+ {
+ /* Cut off body */
+ char *header_end = strstr(message, "\r\n\r\n");
+ if (header_end != NULL)
+ {
+ header_end[3] = '\0';
+ }
+ }
+
/*
* Sending final message to client
*/
log_error(LOG_LEVEL_CRUNCH, "Certificate error: %s: https://%s%s",
reason, csp->http->hostport, csp->http->path);
- log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s https://%s%s %s\" 200 %lu",
+ log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s https://%s%s %s\" 403 %lu",
csp->ip_addr_str, csp->http->gpc, csp->http->hostport, csp->http->path,
csp->http->version, message_len-head_length);
}
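Review bot: `header_end[3] = '\0'` on L51 cuts the HEAD response one byte short: `header_end` points at the first `\r` of `\r\n\r\n`, so index 3 is the final `\n`, and overwriting it leaves the header block terminated by `\r\n\r` rather than an empty line. It should read `header_end[4] = '\0';` so the full CRLFCRLF survives. Whether the truncation takes effect at all depends on the send call below (outside the hunk) using `strlen(message)` rather than `message_len`; in either case the CLF entry on L61-L63 still logs `message_len-head_length` for HEAD requests, and since `message_len` appears to be the buffer size handed to strlcat on L44, the logged size does not reflect the empty body — derive it from the final `strlen(message) - head_length` after the HEAD branch.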
-/*********************************************************************
- *
- * Function : host_is_ip_address
- *
- * Description : Checks whether or not a host is specified by
- * IP address. Does not actually validate the
- * address.
- *
- * Parameters :
- * 1 : host = The host name to check
- *
- * Returns : 1 => Yes
- * 0 => No
- *
- *********************************************************************/
-extern int host_is_ip_address(const char *host)
-{
- const char *p;
-
- if (NULL != strstr(host, ":"))
- {
- /* Assume an IPv6 address. */
- return 1;
- }
-
- for (p = host; *p; p++)
- {
- if ((*p != '.') && !privoxy_isdigit(*p))
- {
- /* Not a dot or digit so it can't be an IPv4 address. */
- return 0;
- }
- }
-
- /*
- * Host only consists of dots and digits so
- * assume that is an IPv4 address.
- */
- return 1;
-
-}
-
-
/*********************************************************************
*
* Function : enforce_sane_certificate_state