Fabian Keil [Wed, 27 May 2020 10:13:32 +0000 (12:13 +0200)]
Rename struct certs_chain member from text_buf to info_buf
Fabian Keil [Wed, 27 May 2020 08:15:24 +0000 (10:15 +0200)]
HTML-encode the certificate info shown in case of verification failures
We don't want to allow code injection through crafted certificates.
Sponsored by: Robert Klemme
Fabian Keil [Wed, 27 May 2020 10:00:31 +0000 (12:00 +0200)]
Bump copyright
Fabian Keil [Mon, 25 May 2020 16:42:54 +0000 (18:42 +0200)]
receive_and_send_encrypted_post_data(): Change two more log messages
... from LOG_LEVEL_HEADER to LOG_LEVEL_CONNECT.
Sponsored by: Robert Klemme
Fabian Keil [Thu, 28 May 2020 10:18:36 +0000 (12:18 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:22:00 +0000 (11:22 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:20:13 +0000 (11:20 +0200)]
Fix comment typo
Fabian Keil [Thu, 28 May 2020 09:19:57 +0000 (11:19 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:19:30 +0000 (11:19 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:19:08 +0000 (11:19 +0200)]
Fix typo
Fabian Keil [Thu, 28 May 2020 09:15:57 +0000 (11:15 +0200)]
Fix typo
Fabian Keil [Thu, 28 May 2020 09:15:47 +0000 (11:15 +0200)]
Fix typo
Fabian Keil [Thu, 28 May 2020 09:15:33 +0000 (11:15 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:14:25 +0000 (11:14 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:14:06 +0000 (11:14 +0200)]
Fix typo
Fabian Keil [Thu, 28 May 2020 09:13:53 +0000 (11:13 +0200)]
Fix typo
Fabian Keil [Thu, 28 May 2020 09:13:21 +0000 (11:13 +0200)]
Fix typo
Fabian Keil [Thu, 28 May 2020 09:13:10 +0000 (11:13 +0200)]
Fix typo
Fabian Keil [Thu, 28 May 2020 09:12:58 +0000 (11:12 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:12:34 +0000 (11:12 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:12:20 +0000 (11:12 +0200)]
Fix typo
Fabian Keil [Thu, 28 May 2020 09:12:05 +0000 (11:12 +0200)]
Fix typo
Fabian Keil [Thu, 28 May 2020 09:11:55 +0000 (11:11 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:11:40 +0000 (11:11 +0200)]
Fix typos
Fabian Keil [Thu, 28 May 2020 09:11:16 +0000 (11:11 +0200)]
Fix comment typos
Fabian Keil [Thu, 28 May 2020 09:11:01 +0000 (11:11 +0200)]
Fix comment typo
Fabian Keil [Thu, 28 May 2020 09:10:29 +0000 (11:10 +0200)]
Fix comment typo
Fabian Keil [Thu, 28 May 2020 09:02:27 +0000 (11:02 +0200)]
Fix comment typos
Fabian Keil [Thu, 28 May 2020 09:00:43 +0000 (11:00 +0200)]
Fix comment typos
Fabian Keil [Thu, 28 May 2020 08:59:21 +0000 (10:59 +0200)]
Fix typos
Fabian Keil [Mon, 25 May 2020 10:15:52 +0000 (12:15 +0200)]
Extend is_ssl_pending()'s description
... to note that it only considers data that has
already been received locally.
Sponsored by: Robert Klemme
Fabian Keil [Mon, 25 May 2020 10:07:56 +0000 (12:07 +0200)]
receive_and_send_encrypted_post_data(): Change return code to int to match reality
Sponsored by: Robert Klemme
Fabian Keil [Mon, 25 May 2020 10:05:28 +0000 (12:05 +0200)]
receive_and_send_encrypted_post_data(): Change a log message from LOG_LEVEL_HEADER to LOG_LEVEL_CONNECT
Sponsored by: Robert Klemme
Fabian Keil [Mon, 25 May 2020 10:01:57 +0000 (12:01 +0200)]
receive_and_send_encrypted_post_data(): Loop until no data is left
... if the content length is known.
Previously data that wasn't received yet was ignored
which could result in incomplete uploads.
Sponsored by: Robert Klemme
Fabian Keil [Sat, 16 May 2020 09:07:07 +0000 (11:07 +0200)]
Add www.vpncompare.co.uk as Bronze sponsor
Fabian Keil [Fri, 15 May 2020 18:56:44 +0000 (20:56 +0200)]
Spell out 'version' in the http_request struct
Fabian Keil [Fri, 15 May 2020 18:08:19 +0000 (20:08 +0200)]
When https inspecting, log the request later on
... once we have gathered the path.
Include the protocol to differentiate the log messages from those
for plain http (which currently don't include the protocol).
Sponsored by: Robert Klemme
Fabian Keil [Fri, 15 May 2020 12:08:58 +0000 (14:08 +0200)]
create_server_ssl_connection(): Free certificate chain when the handshake fails
Fixes a memory leak.
Sponsored by: Robert Klemme
Fabian Keil [Fri, 15 May 2020 10:52:30 +0000 (12:52 +0200)]
send_crunch_response(): Log the whole URL for inspected https requests
Sponsored by: Robert Klemme
Fabian Keil [Wed, 13 May 2020 09:53:12 +0000 (11:53 +0200)]
Log complete https request lines with LOG_LEVEL_CLF
... at the end of handle_established_connection().
Sponsored by: Robert Klemme
Fabian Keil [Fri, 15 May 2020 11:05:51 +0000 (13:05 +0200)]
Improve ssl_send_certificate_error()'s description
Sponsored by: Robert Klemme
Fabian Keil [Thu, 14 May 2020 11:51:52 +0000 (13:51 +0200)]
Simplify free_certificate_chain()
Sponsored by: Robert Klemme
Fabian Keil [Sat, 29 Feb 2020 20:13:58 +0000 (21:13 +0100)]
Simplify code in handle_established_connection()
Sponsored by: Robert Klemme
Fabian Keil [Wed, 4 Mar 2020 15:01:23 +0000 (16:01 +0100)]
ssl_verify_callback(): Log when mbedtls_pem_write_buffer() fails
Sponsored by: Robert Klemme
Fabian Keil [Tue, 12 May 2020 22:31:38 +0000 (00:31 +0200)]
Remove #16 'Filter SSL encrypted content as well' which is mostly implemented
Fabian Keil [Tue, 12 May 2020 11:45:59 +0000 (13:45 +0200)]
Add donor John Palkovic as contributor
Fabian Keil [Tue, 12 May 2020 10:57:26 +0000 (12:57 +0200)]
Bump copyright
Fabian Keil [Mon, 2 Mar 2020 11:15:05 +0000 (12:15 +0100)]
Allow to configure https-inspection and ignore-certificate-errors with the CGI editor
Sponsored by: Robert Klemme
Fabian Keil [Tue, 14 Apr 2020 12:15:56 +0000 (14:15 +0200)]
sed_https(): Update the last https header after running sed()
This is necessary because addtional header may have been added.
Fixes a crash triggered by an assertion.
Reported by: Nedžad Hrnjica
Sponsored by: Robert Klemme
Fabian Keil [Tue, 14 Apr 2020 12:09:31 +0000 (14:09 +0200)]
Fix a comment typo in sed_https()
Roland Rosenfeld [Sat, 4 Apr 2020 12:49:35 +0000 (14:49 +0200)]
Update to upstream git ec5b42 and to Debian version 3.0.28-3.
Fabian Keil [Thu, 12 Mar 2020 09:39:18 +0000 (10:39 +0100)]
Rebuild docs
Fabian Keil [Thu, 12 Mar 2020 09:36:02 +0000 (10:36 +0100)]
Remove www.vpnranks.com/ from the sponsor list
Fabian Keil [Fri, 6 Mar 2020 13:01:49 +0000 (14:01 +0100)]
Don't claim that contributors need ssh
It's only neede for committers.
Fabian Keil [Fri, 6 Mar 2020 12:37:11 +0000 (13:37 +0100)]
Replace obsolete CVS instructions with Git instructions
Fabian Keil [Fri, 6 Mar 2020 12:30:36 +0000 (13:30 +0100)]
Remove a reference to CVS, we use Git now
Fabian Keil [Fri, 6 Mar 2020 12:27:46 +0000 (13:27 +0100)]
Remove an obsolete comment
Fabian Keil [Fri, 6 Mar 2020 12:27:34 +0000 (13:27 +0100)]
Remove a reference to CVS, we use Git now
Fabian Keil [Tue, 10 Mar 2020 14:06:38 +0000 (15:06 +0100)]
Add a missing call to close_client_ssl_connection()
... to fix a memory leak.
Sponsored by: Robert Klemme
Fabian Keil [Tue, 3 Mar 2020 11:26:33 +0000 (12:26 +0100)]
process_encrypted_request(): Don't send an error response in case of unsupported protocols
client_protocol_is_unsupported() already takes care of that.
Sponsored by: Robert Klemme
Fabian Keil [Tue, 3 Mar 2020 11:21:32 +0000 (12:21 +0100)]
client_protocol_is_unsupported(): Send encrypted error message when necessary
Sponsored by: Robert Klemme
Fabian Keil [Tue, 3 Mar 2020 11:17:45 +0000 (12:17 +0100)]
process_encrypted_request(): Add more log messages in case of errors
Sponsored by: Robert Klemme
Fabian Keil [Tue, 3 Mar 2020 10:27:07 +0000 (11:27 +0100)]
handle_established_connection(): Remove superfluous calls to close_client_and_server_ssl_connections()
... in the !client_use_ssl(csp) paths.
Sponsored by: Robert Klemme
Fabian Keil [Tue, 3 Mar 2020 10:14:56 +0000 (11:14 +0100)]
handle_established_connection(): Adjust indentation after
054d756c1ca
No functional change.
Sponsored by: Robert Klemme
Fabian Keil [Tue, 3 Mar 2020 10:04:34 +0000 (11:04 +0100)]
send_https_request(): Don't call close_client_and_server_ssl_connections()
... inconsistenly. The caller already does it.
Sponsored by: Robert Klemme
Fabian Keil [Mon, 2 Mar 2020 15:45:22 +0000 (16:45 +0100)]
Add a missing call to close_client_and_server_ssl_connections()
Not calling it caused memory leaks.
Sponsored by: Robert Klemme
Fabian Keil [Mon, 2 Mar 2020 17:14:29 +0000 (18:14 +0100)]
decompress_iob(): Free the temporary buffer when the buffer limit is reached
... instead of leaking it.
Sponsored by: Robert Klemme
Fabian Keil [Mon, 2 Mar 2020 12:05:13 +0000 (13:05 +0100)]
free_csp_resources(): Destroy csp->client_tags
Fixes a memory leak when client tags are active.
Sponsored by: Robert Klemme
Fabian Keil [Mon, 2 Mar 2020 11:36:40 +0000 (12:36 +0100)]
unload_configfile(): Use unload_forward_spec() instead of doing the work itself
... poorly. Previously the socks user name and password were leaked.
Sponsored by: Robert Klemme
Fabian Keil [Mon, 2 Mar 2020 11:27:47 +0000 (12:27 +0100)]
unload_configfile(): free config->cors_allowed_origin
Fixes a small memory leak when reloading the config.
Sponsored by: Robert Klemme
Fabian Keil [Sun, 1 Mar 2020 15:40:01 +0000 (16:40 +0100)]
free_csp_resources(): Destroy csp->https_headers
Fixes a memory leak.
Sponsored by: Robert Klemme
Fabian Keil [Sun, 1 Mar 2020 14:31:24 +0000 (15:31 +0100)]
handle_established_connection(): Don't mess with csp->ssl_with_(server|client)_is_opened
This was a mismerge in
2111876638. The original code did
it in chat() were it doesn't hurt. Actually we don't need
to do it at all, as the variables are initialized to 0.
Zeroing the variables in handle_established_connection()
caused memory leaks as close_server_ssl_connection() and
close_client_ssl_connection() returned early,
Sponsored by: Robert Klemme
Fabian Keil [Sat, 29 Feb 2020 20:05:37 +0000 (21:05 +0100)]
handle_established_connection(): Remove pointless code
Sponsored by: Robert Klemme
Fabian Keil [Sun, 1 Mar 2020 08:53:34 +0000 (09:53 +0100)]
load_config(): Plug memory leaks
Sponsored by: Robert Klemme
root [Fri, 28 Feb 2020 08:16:49 +0000 (08:16 +0000)]
Set the "Subject Alt Name" extension to when generating certificates
This is apparently required for the certificates to
be accepted by Chromium-based browsers.
Based on a patch by Nedžad Hrnjica.
Sponsored by: Robert Klemme
Fabian Keil [Sat, 29 Feb 2020 08:49:39 +0000 (09:49 +0100)]
finish_http_response(): Plug memory leak with CORS enabled
Introduced in
9fd58c0d, not in any release.
Fixes CID 267166 "Resource leaks".
Fabian Keil [Fri, 28 Feb 2020 12:39:58 +0000 (13:39 +0100)]
get_certificate_serial(): Remove dead code
Fixes CID 267164 "Logically dead code".
Sponsored by: Robert Klemme
Fabian Keil [Fri, 28 Feb 2020 12:12:38 +0000 (13:12 +0100)]
handle_established_connection(): Remove pointless increments of n
Fixes CID267170 "Uninitialized scalar variable".
Sponsored by: Robert Klemme
Fabian Keil [Fri, 28 Feb 2020 07:42:05 +0000 (08:42 +0100)]
Only execute the dumb CONNECT method test when FEATURE_HTTPS_INSPECTION is unavailable
With FEATURE_HTTPS_INSPECTION the test is aborted with
a timeout because Privoxy is waiting for an encrypted
request which doesn't come.
Sponsored by: Robert Klemme
Fabian Keil [Fri, 28 Feb 2020 07:32:49 +0000 (08:32 +0100)]
Unblock 'ada*.'
Fabian Keil [Wed, 26 Feb 2020 07:50:27 +0000 (08:50 +0100)]
If the amount of encrypted POST data left is known, don't read more than this
Sponsored by: Robert Klemme
Fabian Keil [Thu, 27 Feb 2020 10:43:35 +0000 (11:43 +0100)]
generate_webpage_certificate(): Include the time in the serial number
... to make sure the serial number changes when the certificate
is regenerated.
Sponsored by: Robert Klemme
Fabian Keil [Thu, 27 Feb 2020 10:29:18 +0000 (11:29 +0100)]
generate_webpage_certificate(): Return earlier if a valid certificate already exists
If the certificate is no longer valid, clear the key file, too.
Sponsored by: Robert Klemme
Fabian Keil [Thu, 27 Feb 2020 09:55:07 +0000 (10:55 +0100)]
Generate the "valid from" and "valid to" date of certificates based on the current time
Previously certificates were always valid until 2040 which
seems a tad long.
Now the certificates are valid for 90 days.
Sponsored by: Robert Klemme
Fabian Keil [Thu, 27 Feb 2020 08:56:01 +0000 (09:56 +0100)]
Detect invalid certificates and create new ones
Currently certificates are considered valid if they can
be parsed and have a "valid to" date in the future.
Sponsored by: Robert Klemme
Fabian Keil [Wed, 26 Feb 2020 16:52:39 +0000 (17:52 +0100)]
Bump copyright
Fabian Keil [Wed, 26 Feb 2020 14:42:48 +0000 (15:42 +0100)]
sed_https(): Clear the existing tags before calling sed()
This makes sure tagging based on the encrypted client
headers works even if a tag has already been set based
on the unencrypted ones.
Sponsored by: Robert Klemme
Fabian Keil [Wed, 26 Feb 2020 14:35:28 +0000 (15:35 +0100)]
sed_https(): Unset CSP_FLAG_CLIENT_HEADER_PARSING_DONE
... to make sure we're applying client header taggers and filters.
Sponsored by: Robert Klemme
Fabian Keil [Wed, 26 Feb 2020 13:57:38 +0000 (14:57 +0100)]
ssl_send_certificate_error(): Don't sleep
Supposedly some clients once apon a time needed
the delay but it's unclear which. Let's see if
any show up.
Sponsored by: Robert Klemme
Fabian Keil [Wed, 26 Feb 2020 13:28:18 +0000 (14:28 +0100)]
ssl_send_certificate_error(): Be more precise
An invalid certificate is only one of the reasons
why the certificate verification may fail.
Sponsored by: Robert Klemme
Fabian Keil [Wed, 26 Feb 2020 13:02:48 +0000 (14:02 +0100)]
When logging that the certificate verifcation failed, mention the host
Sponsored by: Robert Klemme
Fabian Keil [Wed, 26 Feb 2020 09:07:05 +0000 (10:07 +0100)]
Only use certificate_mutex and rng_mutex when needed
Previously they were defined and initialized unconditionally.
Sponsored by: Robert Klemme
Fabian Keil [Wed, 26 Feb 2020 09:02:11 +0000 (10:02 +0100)]
Use a single mutex for the certificate generation
It is fast enough so there is no need to complicate
things with up to 65536 different mutexes.
Sponsored by: Robert Klemme
Fabian Keil [Wed, 26 Feb 2020 08:49:03 +0000 (09:49 +0100)]
Turn lack of md5 support in mbedTLS into a compile error
Previously the TLS code simply wouldn't work properly.
Sponsored by: Robert Klemme
Fabian Keil [Wed, 26 Feb 2020 08:07:57 +0000 (09:07 +0100)]
Remove #95 which is obsolete now that we support proper https inspection
Fabian Keil [Tue, 25 Feb 2020 21:18:37 +0000 (22:18 +0100)]
Rebuild config file
Sponsored by: Robert Klemme
Fabian Keil [Tue, 25 Feb 2020 21:13:48 +0000 (22:13 +0100)]
Rebuild docs
Sponsored by: Robert Klemme
Fabian Keil [Tue, 25 Feb 2020 21:07:41 +0000 (22:07 +0100)]
Rename +enable-https-filtering to +https-inspection
... which is more precise.
Sponsored by: Robert Klemme
Fabian Keil [Tue, 25 Feb 2020 20:51:59 +0000 (21:51 +0100)]
Rename FEATURE_HTTPS_FILTERING to FEATURE_HTTPS_INSPECTION
... which is more precise.
Sponsored by: Robert Klemme
Fabian Keil [Tue, 25 Feb 2020 19:45:19 +0000 (20:45 +0100)]
Note that enable-https-filtering{} has to be enabled based on the CONNECT request
Sponsored by: Robert Klemme