Gitweb links:
...log
http://git.netsurf-browser.org/netsurf.git/shortlog/0c34d06494afe217ace7460c66df800d457dd2e8
...commit
http://git.netsurf-browser.org/netsurf.git/commit/0c34d06494afe217ace7460c66df800d457dd2e8
...tree
http://git.netsurf-browser.org/netsurf.git/tree/0c34d06494afe217ace7460c66df800d457dd2e8
The branch, master has been updated
via 0c34d06494afe217ace7460c66df800d457dd2e8 (commit)
via 214478fc15a2b9ee67e19e08cf27657c0157037a (commit)
from a653e1e86eb5af1621de97603c33222315d2d2c3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commitdiff
http://git.netsurf-browser.org/netsurf.git/commit/?id=0c34d06494afe217ace7460c66df800d457dd2e8
commit 0c34d06494afe217ace7460c66df800d457dd2e8
Author: Vincent Sanders <[email protected]>
Commit: Vincent Sanders <[email protected]>
Keep the complete certificate chain from a fetch
Instead of extracting information from the X509 certificate chain in
the fetcher the entire chain is propagated in Distinguished Encoding
Rules (DER) format.
This allows all the information contained in a certificate chain to be
retained which can subsequently be presented to the user
diff --git a/content/content.h b/content/content.h
index 144a698..f8f8d32 100644
--- a/content/content.h
+++ b/content/content.h
@@ -44,7 +44,7 @@ struct object_params;
struct rect;
struct redraw_context;
struct llcache_query_msg;
-struct ssl_cert_info;
+struct cert_chain;
/** Status of a content */
typedef enum {
@@ -118,10 +118,7 @@ union content_msg_data {
* CONTENT_MSG_SSL_CERTS - The certificate chain from the
* underlying fetch
*/
- struct {
- const struct ssl_cert_info *certs; /**< The chain */
- size_t num; /**< The number of certs in the chain */
- } certs;
+ const struct cert_chain *chain;
/**
* CONTENT_MSG_ERROR - Error from content or underlying fetch
diff --git a/content/fetch.h b/content/fetch.h
index 9a81ece..9e80b26 100644
--- a/content/fetch.h
+++ b/content/fetch.h
@@ -75,10 +75,7 @@ typedef struct fetch_msg {
const char *realm;
} auth;
- struct {
- const struct ssl_cert_info *certs;
- size_t num_certs;
- } certs;
+ const struct cert_chain *chain;
} data;
} fetch_msg;
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index 0be33ae..83e92d8 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -149,7 +149,7 @@ struct curl_fetch_info {
struct curl_httppost *post_multipart; /**< Multipart post data, or 0.
*/
uint64_t last_progress_update; /**< Time of last progress update */
int cert_depth; /**< deepest certificate in use */
- struct cert_info cert_data[MAX_SSL_CERTS]; /**< HTTPS certificate data
*/
+ struct cert_info cert_data[MAX_CERT_DEPTH]; /**< HTTPS certificate data
*/
};
/** curl handle cache entry */
@@ -471,128 +471,37 @@ failed:
static void
fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
{
- int depth;
+ size_t depth;
BIO *mem;
- BUF_MEM *buf;
- const ASN1_INTEGER *asn1_num;
- BIGNUM *bignum;
- struct ssl_cert_info ssl_certs[MAX_SSL_CERTS];
+ BUF_MEM *buf[MAX_CERT_DEPTH];
+ struct cert_chain chain;
fetch_msg msg;
- struct cert_info *certs = f->cert_data;
- memset(ssl_certs, 0, sizeof(ssl_certs));
+ struct cert_info *certs;
+
+ memset(&chain, 0, sizeof(chain));
+
+ certs = f->cert_data;
+ chain.depth = f->cert_depth + 1; /* 0 indexed certificate depth */
- for (depth = 0; depth <= f->cert_depth; depth++) {
+ for (depth = 0; depth < chain.depth; depth++) {
if (certs[depth].cert == NULL) {
/* This certificate is missing, skip it */
- ssl_certs[depth].err = SSL_CERT_ERR_CERT_MISSING;
+ chain.certs[depth].err = SSL_CERT_ERR_CERT_MISSING;
continue;
}
- /* get certificate version */
- ssl_certs[depth].version = X509_get_version(certs[depth].cert);
-
- /* not before date */
- mem = BIO_new(BIO_s_mem());
- ASN1_TIME_print(mem, X509_get_notBefore(certs[depth].cert));
- BIO_get_mem_ptr(mem, &buf);
- (void) BIO_set_close(mem, BIO_NOCLOSE);
- BIO_free(mem);
- memcpy(ssl_certs[depth].not_before,
- buf->data,
- min(sizeof(ssl_certs[depth].not_before) - 1,
- (unsigned)buf->length));
-
ssl_certs[depth].not_before[min(sizeof(ssl_certs[depth].not_before) - 1,
- (unsigned)buf->length)] = 0;
- BUF_MEM_free(buf);
-
- /* not after date */
- mem = BIO_new(BIO_s_mem());
- ASN1_TIME_print(mem,
- X509_get_notAfter(certs[depth].cert));
- BIO_get_mem_ptr(mem, &buf);
- (void) BIO_set_close(mem, BIO_NOCLOSE);
- BIO_free(mem);
- memcpy(ssl_certs[depth].not_after,
- buf->data,
- min(sizeof(ssl_certs[depth].not_after) - 1,
- (unsigned)buf->length));
-
ssl_certs[depth].not_after[min(sizeof(ssl_certs[depth].not_after) - 1,
- (unsigned)buf->length)] = 0;
- BUF_MEM_free(buf);
-
- /* signature type */
- ssl_certs[depth].sig_type =
- X509_get_signature_type(certs[depth].cert);
-
- /* serial number */
- asn1_num = X509_get_serialNumber(certs[depth].cert);
- if (asn1_num != NULL) {
- bignum = ASN1_INTEGER_to_BN(asn1_num, NULL);
- if (bignum != NULL) {
- char *tmp = BN_bn2hex(bignum);
- if (tmp != NULL) {
- strncpy(ssl_certs[depth].serialnum,
- tmp,
-
sizeof(ssl_certs[depth].serialnum));
-
ssl_certs[depth].serialnum[sizeof(ssl_certs[depth].serialnum)-1] = '\0';
- OPENSSL_free(tmp);
- }
- BN_free(bignum);
- bignum = NULL;
- }
- }
-
- /* issuer name */
- mem = BIO_new(BIO_s_mem());
- X509_NAME_print_ex(mem,
- X509_get_issuer_name(certs[depth].cert),
- 0, XN_FLAG_SEP_CPLUS_SPC |
- XN_FLAG_DN_REV | XN_FLAG_FN_NONE);
- BIO_get_mem_ptr(mem, &buf);
- (void) BIO_set_close(mem, BIO_NOCLOSE);
- BIO_free(mem);
- memcpy(ssl_certs[depth].issuer,
- buf->data,
- min(sizeof(ssl_certs[depth].issuer) - 1,
- (unsigned) buf->length));
- ssl_certs[depth].issuer[min(sizeof(ssl_certs[depth].issuer) - 1,
- (unsigned) buf->length)] = 0;
- BUF_MEM_free(buf);
-
- /* subject */
- mem = BIO_new(BIO_s_mem());
- X509_NAME_print_ex(mem,
- X509_get_subject_name(certs[depth].cert),
- 0,
- XN_FLAG_SEP_CPLUS_SPC |
- XN_FLAG_DN_REV |
- XN_FLAG_FN_NONE);
- BIO_get_mem_ptr(mem, &buf);
- (void) BIO_set_close(mem, BIO_NOCLOSE);
- BIO_free(mem);
- memcpy(ssl_certs[depth].subject,
- buf->data,
- min(sizeof(ssl_certs[depth].subject) - 1,
- (unsigned)buf->length));
- ssl_certs[depth].subject[min(sizeof(ssl_certs[depth].subject) -
1,
- (unsigned) buf->length)] = 0;
- BUF_MEM_free(buf);
-
- /* type of certificate */
- ssl_certs[depth].cert_type =
- X509_certificate_type(certs[depth].cert,
-
X509_get_pubkey(certs[depth].cert));
-
/* error code (if any) */
switch (certs[depth].err) {
case X509_V_OK:
- ssl_certs[depth].err = SSL_CERT_ERR_OK;
+ chain.certs[depth].err = SSL_CERT_ERR_OK;
break;
+
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
/* fallthrough */
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
- ssl_certs[depth].err = SSL_CERT_ERR_BAD_ISSUER;
+ chain.certs[depth].err = SSL_CERT_ERR_BAD_ISSUER;
break;
+
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
/* fallthrough */
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
@@ -600,41 +509,66 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info
*f)
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
/* fallthrough */
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
- ssl_certs[depth].err = SSL_CERT_ERR_BAD_SIG;
+ chain.certs[depth].err = SSL_CERT_ERR_BAD_SIG;
break;
+
case X509_V_ERR_CERT_NOT_YET_VALID:
/* fallthrough */
case X509_V_ERR_CRL_NOT_YET_VALID:
- ssl_certs[depth].err = SSL_CERT_ERR_TOO_YOUNG;
+ chain.certs[depth].err = SSL_CERT_ERR_TOO_YOUNG;
break;
+
case X509_V_ERR_CERT_HAS_EXPIRED:
/* fallthrough */
case X509_V_ERR_CRL_HAS_EXPIRED:
- ssl_certs[depth].err = SSL_CERT_ERR_TOO_OLD;
+ chain.certs[depth].err = SSL_CERT_ERR_TOO_OLD;
break;
+
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- ssl_certs[depth].err = SSL_CERT_ERR_SELF_SIGNED;
+ chain.certs[depth].err = SSL_CERT_ERR_SELF_SIGNED;
break;
+
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- ssl_certs[depth].err = SSL_CERT_ERR_CHAIN_SELF_SIGNED;
+ chain.certs[depth].err = SSL_CERT_ERR_CHAIN_SELF_SIGNED;
break;
+
case X509_V_ERR_CERT_REVOKED:
- ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
+ chain.certs[depth].err = SSL_CERT_ERR_REVOKED;
break;
+
case X509_V_ERR_HOSTNAME_MISMATCH:
- ssl_certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
+ chain.certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
break;
+
default:
- ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
+ chain.certs[depth].err = SSL_CERT_ERR_UNKNOWN;
break;
}
+
+ /*
+ * get certificate in Distinguished Encoding Rules (DER) format.
+ */
+ mem = BIO_new(BIO_s_mem());
+ i2d_X509_bio(mem, certs[depth].cert);
+ BIO_get_mem_ptr(mem, &buf[depth]);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+
+ chain.certs[depth].der = (uint8_t *)buf[depth]->data;
+ chain.certs[depth].der_length = buf[depth]->length;
}
msg.type = FETCH_CERTS;
- msg.data.certs.certs = ssl_certs;
- msg.data.certs.num_certs = depth;
+ msg.data.chain = &chain;
fetch_send_callback(&msg, f->fetch_handle);
+
+ /* release the openssl memory buffer */
+ for (depth = 0; depth < chain.depth; depth++) {
+ if (buf[depth] != NULL) {
+ BUF_MEM_free(buf[depth]);
+ }
+ }
}
@@ -667,7 +601,7 @@ fetch_curl_verify_callback(int verify_ok, X509_STORE_CTX
*x509_ctx)
fetch = X509_STORE_CTX_get_app_data(x509_ctx);
/* certificate chain is excessively deep so fail verification */
- if (depth >= MAX_SSL_CERTS) {
+ if (depth >= MAX_CERT_DEPTH) {
X509_STORE_CTX_set_error(x509_ctx,
X509_V_ERR_CERT_CHAIN_TOO_LONG);
return 0;
@@ -1098,8 +1032,11 @@ static void fetch_curl_free(void *vf)
curl_formfree(f->post_multipart);
}
- for (i = 0; i < MAX_SSL_CERTS && f->cert_data[i].cert; i++) {
- ns_X509_free(f->cert_data[i].cert);
+ /* free certificate data */
+ for (i = 0; i < MAX_CERT_DEPTH; i++) {
+ if (f->cert_data[i].cert != NULL) {
+ ns_X509_free(f->cert_data[i].cert);
+ }
}
free(f);
diff --git a/content/hlcache.c b/content/hlcache.c
index ec011ec..23dbc57 100644
--- a/content/hlcache.c
+++ b/content/hlcache.c
@@ -423,8 +423,10 @@ static nserror hlcache_migrate_ctx(hlcache_retrieval_ctx
*ctx,
* \param pw Pointer to client-specific data
* \return NSERROR_OK on success, appropriate error otherwise
*/
-static nserror hlcache_llcache_callback(llcache_handle *handle,
- const llcache_event *event, void *pw)
+static nserror
+hlcache_llcache_callback(llcache_handle *handle,
+ const llcache_event *event,
+ void *pw)
{
hlcache_retrieval_ctx *ctx = pw;
lwc_string *effective_type = NULL;
@@ -439,8 +441,7 @@ static nserror hlcache_llcache_callback(llcache_handle
*handle,
hlcache_event hlevent;
hlevent.type = CONTENT_MSG_SSL_CERTS;
- hlevent.data.certs.certs = event->data.certs.certs;
- hlevent.data.certs.num = event->data.certs.num;
+ hlevent.data.chain = event->data.chain;
ctx->handle->cb(ctx->handle, &hlevent, ctx->handle->pw);
}
diff --git a/content/llcache.c b/content/llcache.c
index 8a71f18..3a75bf9 100644
--- a/content/llcache.c
+++ b/content/llcache.c
@@ -36,6 +36,7 @@
#include <string.h>
#include <strings.h>
#include <nsutils/time.h>
+#include <nsutils/base64.h>
#include "netsurf/inttypes.h"
#include "utils/config.h"
@@ -175,8 +176,7 @@ struct llcache_object {
size_t source_len; /**< Byte length of source data */
size_t source_alloc; /**< Allocated size of source buffer */
- size_t ssl_cert_count; /**< The number of SSL certificates stored
*/
- struct ssl_cert_info *ssl_certs; /**< SSL certificate information if
count is non-zero */
+ struct cert_chain *chain; /**< Certificate chain from the fetch */
llcache_store_state store_state; /**< where the data for the object is
stored */
@@ -969,11 +969,7 @@ static nserror llcache_object_destroy(llcache_object
*object)
NSLOG(llcache, DEBUG, "Destroying object %p, %s", object,
nsurl_access(object->url));
- if (object->ssl_cert_count != 0) {
- free(object->ssl_certs);
- object->ssl_certs = NULL;
- object->ssl_cert_count = 0;
- }
+ cert_chain_free(object->chain);
if (object->source_data != NULL) {
if (object->store_state == LLCACHE_STATE_DISC) {
@@ -1240,6 +1236,13 @@ llcache_serialise_metadata(llcache_object *object,
char *op;
unsigned int hloop;
int use;
+ size_t cert_chain_depth;
+
+ if (object->chain != NULL) {
+ cert_chain_depth = object->chain->depth;
+ } else {
+ cert_chain_depth = 0;
+ }
allocsize = 10 + 1; /* object length */
@@ -1251,22 +1254,19 @@ llcache_serialise_metadata(llcache_object *object,
allocsize += 10 + 1; /* space for number of header entries */
- allocsize += 10 + 1; /* space for number of SSL certificates */
-
- allocsize += nsurl_length(object->url) + 1;
-
for (hloop = 0 ; hloop < object->num_headers ; hloop++) {
allocsize += strlen(object->headers[hloop].name) + 1;
allocsize += strlen(object->headers[hloop].value) + 1;
}
- for (hloop = 0; hloop < object->ssl_cert_count; hloop++) {
- allocsize += (10 + 1) * 4; /* version, sig_type, cert_type, err
*/
- allocsize += strlen(object->ssl_certs[hloop].not_before) + 1;
- allocsize += strlen(object->ssl_certs[hloop].not_after) + 1;
- allocsize += strlen(object->ssl_certs[hloop].serialnum) + 1;
- allocsize += strlen(object->ssl_certs[hloop].issuer) + 1;
- allocsize += strlen(object->ssl_certs[hloop].subject) + 1;
+ allocsize += nsurl_length(object->url) + 1;
+
+ /* space for number of DER formatted certificates */
+ allocsize += 10 + 1;
+
+ for (hloop = 0; hloop < cert_chain_depth; hloop++) {
+ allocsize += 10 + 1; /* error status */
+ allocsize += 4 * ((object->chain->certs[hloop].der_length + 2)
/ 3);
}
data = malloc(allocsize);
@@ -1351,8 +1351,8 @@ llcache_serialise_metadata(llcache_object *object,
datasize -= use;
}
- /* number of ssl certificates */
- use = snprintf(op, datasize, "%" PRIsizet, object->ssl_cert_count);
+ /* number of DER formatted ssl certificates */
+ use = snprintf(op, datasize, "%" PRIsizet, cert_chain_depth);
if (use < 0) {
goto operror;
}
@@ -1363,80 +1363,13 @@ llcache_serialise_metadata(llcache_object *object,
datasize -= use;
/* SSL certificates */
- for (hloop = 0; hloop < object->ssl_cert_count; hloop++) {
- struct ssl_cert_info *cert = &(object->ssl_certs[hloop]);
- /* Certificate version */
- use = snprintf(op, datasize, "%ld", cert->version);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* not_before */
- use = snprintf(op, datasize, "%s", cert->not_before);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* not_after */
- use = snprintf(op, datasize, "%s", cert->not_after);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* Signature type */
- use = snprintf(op, datasize, "%d", cert->sig_type);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* serialnum */
- use = snprintf(op, datasize, "%s", cert->serialnum);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* issuer */
- use = snprintf(op, datasize, "%s", cert->issuer);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* subject */
- use = snprintf(op, datasize, "%s", cert->subject);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* Certificate type */
- use = snprintf(op, datasize, "%d", cert->cert_type);
+ for (hloop = 0; hloop < cert_chain_depth; hloop++) {
+ size_t output_length;
+ nsuerror res;
+
+ /* Certificate error code */
+ use = snprintf(op, datasize, "%d",
+ (int)(object->chain->certs[hloop].err));
if (use < 0) {
goto operror;
}
@@ -1445,14 +1378,26 @@ llcache_serialise_metadata(llcache_object *object,
goto overflow;
op += use;
datasize -= use;
- /* Certificate error code */
- use = snprintf(op, datasize, "%d", (int)(cert->err));
- if (use < 0) {
- goto operror;
+
+ /* DER certificate data in base64 encoding */
+ if (object->chain->certs[hloop].der != NULL) {
+ output_length = datasize;
+ res = nsu_base64_encode(
+ object->chain->certs[hloop].der,
+ object->chain->certs[hloop].der_length,
+ (uint8_t *)op,
+ &output_length);
+ if (res != NSUERROR_OK) {
+ goto operror;
+ }
+ use = output_length;
+ } else {
+ use = 0;
}
- use++; /* does not count the null */
+ use++; /* allow for null */
if (use > datasize)
goto overflow;
+ *(op + output_length) = 0;
op += use;
datasize -= use;
}
@@ -1510,7 +1455,7 @@ llcache_process_metadata(llcache_object *object)
size_t num_headers;
size_t hloop;
size_t ssl_cert_count = 0;
- struct ssl_cert_info *ssl_certs = NULL;
+ struct cert_chain *chain = NULL;
NSLOG(llcache, INFO, "Retrieving metadata");
@@ -1642,7 +1587,7 @@ llcache_process_metadata(llcache_object *object)
goto skip_ssl_certificates;
}
- /* Next line is the number of SSL certificates*/
+ /* Next line is the number of DER base64 encoded certificates */
line++;
ln += lnsize + 1;
lnsize = strlen(ln);
@@ -1657,72 +1602,20 @@ llcache_process_metadata(llcache_object *object)
goto skip_ssl_certificates;
}
- ssl_certs = calloc(sizeof(struct ssl_cert_info), ssl_cert_count);
- if (ssl_certs == NULL) {
- res = NSERROR_NOMEM;
+ if (ssl_cert_count > MAX_CERT_DEPTH) {
+ res = NSERROR_INVALID;
+ goto format_error;
+ }
+
+ res = cert_chain_alloc(ssl_cert_count, &chain);
+ if (res != NSERROR_OK) {
goto format_error;
}
for (hloop = 0; hloop < ssl_cert_count; hloop++) {
- struct ssl_cert_info *cert = &ssl_certs[hloop];
int errcode;
- /* Certificate version */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- if ((lnsize < 1) || (sscanf(ln, "%ld", &cert->version) != 1)) {
- res = NSERROR_INVALID;
- goto format_error;
- }
- /* Not before */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->not_before, ln, lnsize);
- /* Not after */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->not_after, ln, lnsize);
- /* Signature type */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- if ((lnsize < 1) || (sscanf(ln, "%d", &cert->sig_type) != 1)) {
- res = NSERROR_INVALID;
- goto format_error;
- }
- /* Serial Number */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->serialnum, ln, lnsize);
- /* issuer */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->issuer, ln, lnsize);
- /* subject */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->subject, ln, lnsize);
- /* Certificate type */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- if ((lnsize < 1) || (sscanf(ln, "%d", &cert->cert_type) != 1)) {
- res = NSERROR_INVALID;
- goto format_error;
- }
+ nsuerror nsures;
+
/* Certificate error code */
line++;
ln += lnsize + 1;
@@ -1735,9 +1628,25 @@ llcache_process_metadata(llcache_object *object)
if (errcode < SSL_CERT_ERR_OK ||
errcode > SSL_CERT_ERR_MAX_KNOWN) {
/* Error with the cert code, assume UNKNOWN */
- cert->err = SSL_CERT_ERR_UNKNOWN;
+ chain->certs[hloop].err = SSL_CERT_ERR_UNKNOWN;
} else {
- cert->err = (ssl_cert_err)errcode;
+ chain->certs[hloop].err = (ssl_cert_err)errcode;
+ }
+
+ /* base64 encoded DER certificate data */
+ line++;
+ ln += lnsize + 1;
+ lnsize = strlen(ln);
+ remaining -= lnsize + 1;
+ if (lnsize > 0) {
+ nsures = nsu_base64_decode_alloc((const uint8_t *)ln,
+ lnsize,
+ &chain->certs[hloop].der,
+ &chain->certs[hloop].der_length);
+ if (nsures != NSUERROR_OK) {
+ res = NSERROR_NOMEM;
+ goto format_error;
+ }
}
}
@@ -1754,8 +1663,7 @@ skip_ssl_certificates:
object->cache.res_time = response_time;
object->cache.fin_time = completion_time;
- object->ssl_cert_count = ssl_cert_count;
- object->ssl_certs = ssl_certs;
+ object->chain = chain;
/* object stored in backing store */
object->store_state = LLCACHE_STATE_DISC;
@@ -1768,9 +1676,7 @@ format_error:
line, res);
guit->llcache->release(object->url, BACKING_STORE_META);
- if (ssl_certs != NULL) {
- free(ssl_certs);
- }
+ cert_chain_free(chain);
return res;
}
@@ -3173,21 +3079,15 @@ static void llcache_fetch_callback(const fetch_msg
*msg, void *p)
case FETCH_CERTS:
/* Certificate information from the fetch */
- /* Persist the data onto our object */
- object->ssl_certs = calloc(sizeof(struct ssl_cert_info),
- msg->data.certs.num_certs);
- if (object->ssl_certs != NULL) {
- object->ssl_cert_count = msg->data.certs.num_certs;
- memcpy(object->ssl_certs, msg->data.certs.certs,
- sizeof(struct ssl_cert_info) *
object->ssl_cert_count);
- }
-
- /* Now pass on the event */
- event.type = LLCACHE_EVENT_GOT_CERTS;
- event.data.certs.certs = msg->data.certs.certs;
- event.data.certs.num = msg->data.certs.num_certs;
+ /* Persist the chain onto our object */
+ error = cert_chain_dup(msg->data.chain, &object->chain);
+ if (error != NSERROR_OK) {
+ /* Now pass on the event */
+ event.type = LLCACHE_EVENT_GOT_CERTS;
+ event.data.chain = msg->data.chain;
- error = llcache_send_event_to_users(object, &event);
+ error = llcache_send_event_to_users(object, &event);
+ }
break;
/* Events requiring action */
@@ -3388,10 +3288,9 @@ static nserror
llcache_object_notify_users(llcache_object *object)
handle->state = LLCACHE_FETCH_HEADERS;
/* Emit any certificate data we hold */
- if (object->ssl_cert_count > 0) {
+ if (object->chain != NULL) {
event.type = LLCACHE_EVENT_GOT_CERTS;
- event.data.certs.certs = object->ssl_certs;
- event.data.certs.num = object->ssl_cert_count;
+ event.data.chain = object->chain;
error = handle->cb(handle, &event, handle->pw);
} else {
error = NSERROR_OK;
@@ -3613,16 +3512,12 @@ llcache_object_snapshot(llcache_object *object,
llcache_object **snapshot)
}
}
- if (object->ssl_cert_count != 0) {
- newobj->ssl_certs = calloc(sizeof(struct ssl_cert_info),
- object->ssl_cert_count);
- if (newobj->ssl_certs == NULL) {
+ if (object->chain != NULL) {
+ error = cert_chain_dup(object->chain, &newobj->chain);
+ if (error != NSERROR_OK) {
llcache_object_destroy(newobj);
- return NSERROR_NOMEM;
+ return error;
}
- memcpy(newobj->ssl_certs, object->ssl_certs,
- sizeof(struct ssl_cert_info) * object->ssl_cert_count);
- newobj->ssl_cert_count = object->ssl_cert_count;
}
newobj->fetch.state = LLCACHE_FETCH_COMPLETE;
@@ -3662,7 +3557,7 @@ total_object_size(llcache_object *object)
}
}
- tot += object->ssl_cert_count * sizeof(struct ssl_cert_info);
+ tot += cert_chain_size(object->chain);
return tot;
}
diff --git a/content/llcache.h b/content/llcache.h
index 8d2411e..514272f 100644
--- a/content/llcache.h
+++ b/content/llcache.h
@@ -30,7 +30,7 @@
#include "utils/errors.h"
#include "utils/nsurl.h"
-struct ssl_cert_info;
+struct cert_chain;
struct fetch_multipart_data;
/** Handle for low-level cache object */
@@ -83,26 +83,23 @@ typedef enum {
* and must be copied if it is desirable to retain.
*/
typedef struct {
- llcache_event_type type; /**< Type of event */
+ llcache_event_type type; /**< Type of event */
union {
struct {
- const uint8_t *buf; /**< Buffer of data */
- size_t len; /**< Length of buffer, in bytes */
- } data; /**< Received data */
+ const uint8_t *buf; /**< Buffer of data */
+ size_t len; /**< Byte length of buffer */
+ } data; /**< Received data */
struct {
- nserror code; /**< The error code */
- const char *msg; /**< Error message */
+ nserror code; /**< The error code */
+ const char *msg; /**< Error message */
} error;
- const char *progress_msg; /**< Progress message */
+ const char *progress_msg; /**< Progress message */
struct {
- nsurl *from; /**< Redirect origin */
- nsurl *to; /**< Redirect target */
- } redirect; /**< Fetch URL redirect occured */
- struct {
- const struct ssl_cert_info *certs; /**< The chain */
- size_t num; /**< Number of certs in chain */
- } certs;
- } data; /**< Event data */
+ nsurl *from; /**< Redirect origin */
+ nsurl *to; /**< Redirect target */
+ } redirect; /**< Fetch URL redirect occured */
+ const struct cert_chain *chain; /**< Certificate chain */
+ } data; /**< Event data */
} llcache_event;
/**
@@ -171,17 +168,17 @@ struct llcache_parameters {
size_t hysteresis; /**< The hysteresis around the target size */
/** The minimum lifetime to consider sending objects to backing store.*/
- int minimum_lifetime;
+ int minimum_lifetime;
/** The minimum bandwidth to allow the backing store to
* use in bytes/second
*/
- size_t minimum_bandwidth;
+ size_t minimum_bandwidth;
/** The maximum bandwidth to allow the backing store to use in
* bytes/second
*/
- size_t maximum_bandwidth;
+ size_t maximum_bandwidth;
/** The time quantum over which to calculate the bandwidth values
*/
diff --git a/desktop/browser_private.h b/desktop/browser_private.h
index 6e45052..41b8fef 100644
--- a/desktop/browser_private.h
+++ b/desktop/browser_private.h
@@ -89,13 +89,6 @@ struct browser_fetch_parameters {
bool parent_quirks; /**< Optional parent
quirks */
};
-/**
- * The SSL context for a fetch, as provided by the fetchers
- */
-struct browser_ssl_info {
- struct ssl_cert_info certs[MAX_SSL_CERTS]; /**< The certificate chain
*/
- size_t num; /**< The number of certificates in the chain */
-};
/**
* Browser window data.
@@ -113,9 +106,9 @@ struct browser_window {
struct browser_fetch_parameters current_parameters;
/**
- * The SSL information for the current content
+ * The certificate chain for the current content
*/
- struct browser_ssl_info current_ssl_info;
+ struct cert_chain *current_cert_chain;
/**
* Content handle of page in process of being loaded or NULL
@@ -129,9 +122,9 @@ struct browser_window {
struct browser_fetch_parameters loading_parameters;
/**
- * The SSL information for the loading content
+ * The certificate chain for the loading content
*/
- struct browser_ssl_info loading_ssl_info;
+ struct cert_chain *loading_cert_chain;
/**
* Favicon
diff --git a/desktop/browser_window.c b/desktop/browser_window.c
index 06f41dd..6defe01 100644
--- a/desktop/browser_window.c
+++ b/desktop/browser_window.c
@@ -743,9 +743,10 @@ static nserror browser_window_content_ready(struct
browser_window *bw)
browser_window__free_fetch_parameters(&bw->current_parameters);
bw->current_parameters = bw->loading_parameters;
memset(&bw->loading_parameters, 0,
sizeof(bw->loading_parameters));
- /* Transfer the SSL info */
- bw->current_ssl_info = bw->loading_ssl_info;
- bw->loading_ssl_info.num = 0;
+ /* Transfer the certificate chain */
+ cert_chain_free(bw->current_cert_chain);
+ bw->current_cert_chain = bw->loading_cert_chain;
+ bw->loading_cert_chain = NULL;
}
/* Format the new content to the correct dimensions */
@@ -1136,7 +1137,7 @@ browser_window__handle_bad_certs(struct browser_window
*bw,
nserror err;
/* Initially we don't know WHY the SSL cert was bad */
const char *reason = messages_get_sslcode(SSL_CERT_ERR_UNKNOWN);
- size_t n;
+ size_t depth;
memset(¶ms, 0, sizeof(params));
@@ -1151,12 +1152,14 @@ browser_window__handle_bad_certs(struct browser_window
*bw,
goto out;
}
- for (n = 0; n < bw->loading_ssl_info.num; ++n) {
- size_t idx = bw->loading_ssl_info.num - (n + 1);
- ssl_cert_err err = bw->loading_ssl_info.certs[idx].err;
- if (err != SSL_CERT_ERR_OK) {
- reason = messages_get_sslcode(err);
- break;
+ if (bw->loading_cert_chain != NULL) {
+ for (depth = 0; depth < bw->loading_cert_chain->depth; ++depth)
{
+ size_t idx = bw->loading_cert_chain->depth - (depth +
1);
+ ssl_cert_err err =
bw->loading_cert_chain->certs[idx].err;
+ if (err != SSL_CERT_ERR_OK) {
+ reason = messages_get_sslcode(err);
+ break;
+ }
}
}
@@ -1175,8 +1178,7 @@ browser_window__handle_bad_certs(struct browser_window
*bw,
}
err = guit->misc->cert_verify(url,
- bw->loading_ssl_info.certs,
- bw->loading_ssl_info.num,
+ bw->loading_cert_chain,
browser_window__handle_ssl_query_response,
bw);
@@ -1352,11 +1354,8 @@ browser_window_callback(hlcache_handle *c, const
hlcache_event *event, void *pw)
switch (event->type) {
case CONTENT_MSG_SSL_CERTS:
/* SSL certificate information has arrived, store it */
- assert(event->data.certs.num < MAX_SSL_CERTS);
- memcpy(&bw->loading_ssl_info.certs[0],
- event->data.certs.certs,
- sizeof(struct ssl_cert_info) * event->data.certs.num);
- bw->loading_ssl_info.num = event->data.certs.num;
+ cert_chain_free(bw->loading_cert_chain);
+ cert_chain_dup(event->data.chain, &bw->loading_cert_chain);
break;
case CONTENT_MSG_LOG:
@@ -3431,7 +3430,8 @@ navigate_internal_real(struct browser_window *bw,
fetch_is_post = (params->post_urlenc != NULL || params->post_multipart
!= NULL);
/* Clear SSL info for load */
- bw->loading_ssl_info.num = 0;
+ cert_chain_free(bw->loading_cert_chain);
+ bw->loading_cert_chain = NULL;
/* Set up retrieval parameters */
if (!(params->flags & BW_NAVIGATE_UNVERIFIABLE)) {
@@ -4707,17 +4707,17 @@ browser_window_page_info_state
browser_window_get_page_info_state(
}
/* Exported interface, documented in browser_window.h */
-nserror browser_window_get_ssl_chain(struct browser_window *bw, size_t *num,
- struct ssl_cert_info **chain)
+nserror
+browser_window_get_ssl_chain(struct browser_window *bw,
+ struct cert_chain **chain)
{
assert(bw != NULL);
- if (bw->current_ssl_info.num == 0) {
+ if (bw->current_cert_chain == NULL) {
return NSERROR_NOT_FOUND;
}
- *num = bw->current_ssl_info.num;
- *chain = &(bw->current_ssl_info.certs[0]);
+ *chain = bw->current_cert_chain;
return NSERROR_OK;
}
diff --git a/desktop/gui_factory.c b/desktop/gui_factory.c
index 8b52e54..7ef457a 100644
--- a/desktop/gui_factory.c
+++ b/desktop/gui_factory.c
@@ -639,8 +639,7 @@ static nserror gui_default_launch_url(struct nsurl *url)
static nserror gui_default_cert_verify(nsurl *url,
- const struct ssl_cert_info *certs,
- unsigned long num,
+ const struct cert_chain *chain,
nserror (*cb)(bool proceed, void *pw),
void *cbpw)
{
diff --git a/desktop/sslcert_viewer.c b/desktop/sslcert_viewer.c
index 4d87257..ec0fd34 100644
--- a/desktop/sslcert_viewer.c
+++ b/desktop/sslcert_viewer.c
@@ -52,6 +52,21 @@ enum sslcert_viewer_field {
typedef nserror (*response_cb)(bool proceed, void *pw);
/**
+ * ssl certificate information for certificate error message
+ */
+struct ssl_cert_info {
+ long version; /**< Certificate version */
+ char not_before[32]; /**< Valid from date */
+ char not_after[32]; /**< Valid to date */
+ int sig_type; /**< Signature type */
+ char serialnum[64]; /**< Serial number */
+ char issuer[256]; /**< Issuer details */
+ char subject[256]; /**< Subject details */
+ int cert_type; /**< Certificate type */
+ ssl_cert_err err; /**< Whatever is wrong with this certificate */
+};
+
+/**
* ssl certificate verification context.
*/
struct sslcert_session_data {
@@ -473,38 +488,183 @@ nserror sslcert_viewer_fini(struct sslcert_session_data
*ssl_d)
return err;
}
+#ifdef WITH_OPENSSL
+
+#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
+
+static nserror
+der_to_certinfo(const uint8_t *der,
+ size_t der_length,
+ struct ssl_cert_info *info)
+{
+ BIO *mem;
+ BUF_MEM *buf;
+ const ASN1_INTEGER *asn1_num;
+ BIGNUM *bignum;
+ X509 *cert; /**< Pointer to certificate */
+
+ if (der == NULL) {
+ return NSERROR_OK;
+ }
+
+ cert = d2i_X509(NULL, &der, der_length);
+ if (cert == NULL) {
+ return NSERROR_INVALID;
+ }
+
+ /* get certificate version */
+ info->version = X509_get_version(cert);
+
+ /* not before date */
+ mem = BIO_new(BIO_s_mem());
+ ASN1_TIME_print(mem, X509_get_notBefore(cert));
+ BIO_get_mem_ptr(mem, &buf);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+ memcpy(info->not_before,
+ buf->data,
+ min(sizeof(info->not_before) - 1, (unsigned)buf->length));
+ info->not_before[min(sizeof(info->not_before) - 1,
(unsigned)buf->length)] = 0;
+ BUF_MEM_free(buf);
+
+ /* not after date */
+ mem = BIO_new(BIO_s_mem());
+ ASN1_TIME_print(mem,
+ X509_get_notAfter(cert));
+ BIO_get_mem_ptr(mem, &buf);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+ memcpy(info->not_after,
+ buf->data,
+ min(sizeof(info->not_after) - 1, (unsigned)buf->length));
+ info->not_after[min(sizeof(info->not_after) - 1,
(unsigned)buf->length)] = 0;
+ BUF_MEM_free(buf);
+
+ /* signature type */
+ info->sig_type = X509_get_signature_type(cert);
+
+ /* serial number */
+ asn1_num = X509_get_serialNumber(cert);
+ if (asn1_num != NULL) {
+ bignum = ASN1_INTEGER_to_BN(asn1_num, NULL);
+ if (bignum != NULL) {
+ char *tmp = BN_bn2hex(bignum);
+ if (tmp != NULL) {
+ strncpy(info->serialnum,
+ tmp,
+ sizeof(info->serialnum));
+ info->serialnum[sizeof(info->serialnum)-1] =
'\0';
+ OPENSSL_free(tmp);
+ }
+ BN_free(bignum);
+ bignum = NULL;
+ }
+ }
+
+ /* issuer name */
+ mem = BIO_new(BIO_s_mem());
+ X509_NAME_print_ex(mem,
+ X509_get_issuer_name(cert),
+ 0, XN_FLAG_SEP_CPLUS_SPC |
+ XN_FLAG_DN_REV | XN_FLAG_FN_NONE);
+ BIO_get_mem_ptr(mem, &buf);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+ memcpy(info->issuer,
+ buf->data,
+ min(sizeof(info->issuer) - 1, (unsigned) buf->length));
+ info->issuer[min(sizeof(info->issuer) - 1, (unsigned) buf->length)] = 0;
+ BUF_MEM_free(buf);
+
+ /* subject */
+ mem = BIO_new(BIO_s_mem());
+ X509_NAME_print_ex(mem,
+ X509_get_subject_name(cert),
+ 0,
+ XN_FLAG_SEP_CPLUS_SPC |
+ XN_FLAG_DN_REV |
+ XN_FLAG_FN_NONE);
+ BIO_get_mem_ptr(mem, &buf);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+ memcpy(info->subject,
+ buf->data,
+ min(sizeof(info->subject) - 1, (unsigned)buf->length));
+ info->subject[min(sizeof(info->subject) - 1, (unsigned) buf->length)] =
0;
+ BUF_MEM_free(buf);
+
+ /* type of certificate */
+ info->cert_type = X509_certificate_type(cert, X509_get_pubkey(cert));
+
+ X509_free(cert);
+
+ return NSERROR_OK;
+}
+#else
+static nserror
+der_to_certinfo(uint8_t *der, size_t der_length, struct ssl_cert_info *info)
+{
+ return NSERROR_NOT_IMPLEMENTED;
+}
+#endif
+
+/* copy certificate data */
+static nserror
+convert_chain_to_cert_info(const struct cert_chain *chain,
+ struct ssl_cert_info **cert_info_out)
+{
+ struct ssl_cert_info *certs;
+ size_t depth;
+ nserror res;
+
+ certs = calloc(chain->depth, sizeof(struct ssl_cert_info));
+ if (certs == NULL) {
+ return NSERROR_NOMEM;
+ }
+
+ for (depth = 0; depth < chain->depth;depth++) {
+ res = der_to_certinfo(chain->certs[depth].der,
+ chain->certs[depth].der_length,
+ certs + depth);
+ if (res != NSERROR_OK) {
+ free(certs);
+ return res;
+ }
+ certs[depth].err = chain->certs[depth].err;
+ }
+
+ *cert_info_out = certs;
+ return NSERROR_OK;
+}
/* Exported interface, documented in sslcert_viewer.h */
nserror
-sslcert_viewer_create_session_data(unsigned long num,
- struct nsurl *url,
+sslcert_viewer_create_session_data(struct nsurl *url,
nserror (*cb)(bool proceed, void *pw),
void *cbpw,
- const struct ssl_cert_info *certs,
+ const struct cert_chain *chain,
struct sslcert_session_data **ssl_d)
{
struct sslcert_session_data *data;
-
+ nserror res;
assert(url != NULL);
- assert(certs != NULL);
+ assert(chain != NULL);
data = malloc(sizeof(struct sslcert_session_data));
if (data == NULL) {
*ssl_d = NULL;
return NSERROR_NOMEM;
}
-
- /* copy certificate data */
- data->certs = malloc(num * sizeof(struct ssl_cert_info));
- if (data->certs == NULL) {
+ res = convert_chain_to_cert_info(chain, &data->certs);
+ if (res != NSERROR_OK) {
free(data);
*ssl_d = NULL;
- return NSERROR_NOMEM;
+ return res;
}
- memcpy(data->certs, certs, num * sizeof(struct ssl_cert_info));
data->url = nsurl_ref(url);
- data->num = num;
+ data->num = chain->depth;
data->cb = cb;
data->cbpw = cbpw;
diff --git a/desktop/sslcert_viewer.h b/desktop/sslcert_viewer.h
index 6955e01..8542840 100644
--- a/desktop/sslcert_viewer.h
+++ b/desktop/sslcert_viewer.h
@@ -32,16 +32,15 @@ struct redraw_context;
struct core_window_callback_table;
struct rect;
struct nsurl;
-struct ssl_cert_info;
+struct cert_chain;
/**
* Create ssl certificate viewer session data.
*
- * \param num The number of certificates in the chain
* \param url Address of the page we're inspecting certificates of
* \param cb Low level cache callback
* \param cbpw Low level cache private data
- * \param certs The SSL certificates
+ * \param chain The SSL certificate chain
* \param ssl_d Updated to SSL certificate session data
* \return NSERROR_OK on success, appropriate error otherwise
*
@@ -49,8 +48,10 @@ struct ssl_cert_info;
* sslcert_viewer_fini destroys the session data.
*/
nserror sslcert_viewer_create_session_data(
- unsigned long num, struct nsurl *url, nserror (*cb)(bool
proceed, void *pw),
- void *cbpw, const struct ssl_cert_info *certs,
+ struct nsurl *url,
+ nserror (*cb)(bool proceed, void *pw),
+ void *cbpw,
+ const struct cert_chain *chain,
struct sslcert_session_data **ssl_d);
@@ -65,7 +66,8 @@ nserror sslcert_viewer_create_session_data(
* \return NSERROR_OK on success, appropriate error otherwise
*/
nserror sslcert_viewer_init(struct core_window_callback_table *cw_t,
- void *core_window_handle, struct sslcert_session_data *ssl_d);
+ void *core_window_handle,
+ struct sslcert_session_data *ssl_d);
/**
diff --git a/frontends/gtk/page_info.c b/frontends/gtk/page_info.c
index adc2dfa..1401fdc 100644
--- a/frontends/gtk/page_info.c
+++ b/frontends/gtk/page_info.c
@@ -52,6 +52,7 @@ struct nsgtk_crtvrfy_window {
struct sslcert_session_data *ssl_data;
};
+
/**
* destroy a previously created certificate view
*/
@@ -178,11 +179,14 @@ nserror nsgtk_page_info(struct browser_window *bw)
struct nsgtk_crtvrfy_window *ncwin;
nserror res;
- size_t num;
- struct ssl_cert_info *chain;
+ struct cert_chain *chain;
struct nsurl *url;
- browser_window_get_ssl_chain(bw, &num, &chain);
+ res = browser_window_get_ssl_chain(bw, &chain);
+ if (res != NSERROR_OK) {
+ NSLOG(netsurf, WARNING, "Unable to get certificate chain");
+ return NSERROR_INVALID;
+ }
url = browser_window_access_url(bw);
ncwin = malloc(sizeof(struct nsgtk_crtvrfy_window));
@@ -245,8 +249,8 @@ nserror nsgtk_page_info(struct browser_window *bw)
}
/* initialise certificate viewing interface */
- res = sslcert_viewer_create_session_data(num, url, dummy_cb, NULL,
chain,
- &ncwin->ssl_data);
+ res = sslcert_viewer_create_session_data(
+ url, dummy_cb, NULL, chain, &ncwin->ssl_data);
if (res != NSERROR_OK) {
g_object_unref(G_OBJECT(ncwin->dlg));
free(ncwin);
diff --git a/include/netsurf/browser_window.h b/include/netsurf/browser_window.h
index 7b2f652..e8faa18 100644
--- a/include/netsurf/browser_window.h
+++ b/include/netsurf/browser_window.h
@@ -42,7 +42,7 @@ struct form_control;
struct nsurl;
struct rect;
struct redraw_context;
-struct ssl_cert_info;
+struct cert_chain;
enum content_debug;
/**
@@ -784,11 +784,9 @@ browser_window_page_info_state
browser_window_get_page_info_state(
* If there is no chain available, this will return NSERROR_NOT_FOUND
*
* \param bw The browser window
- * \param num Pointer to be filled out with chain length
- * \param chain Pointer to be filled out with chain base
+ * \param chain Pointer to be filled out with certificate chain
* \return Whether or not the chain is available
*/
-nserror browser_window_get_ssl_chain(struct browser_window *bw, size_t *num,
- struct ssl_cert_info **chain);
+nserror browser_window_get_ssl_chain(struct browser_window *bw, struct
cert_chain **chain);
#endif
diff --git a/include/netsurf/misc.h b/include/netsurf/misc.h
index 8a79531..cc0b78d 100644
--- a/include/netsurf/misc.h
+++ b/include/netsurf/misc.h
@@ -27,7 +27,7 @@
struct form_control;
struct gui_window;
-struct ssl_cert_info;
+struct cert_chain;
struct nsurl;
/**
@@ -81,8 +81,7 @@ struct gui_misc_table {
* \return NSERROR_OK on sucess else error and cb never called
*/
nserror (*cert_verify)(struct nsurl *url,
- const struct ssl_cert_info *certs,
- unsigned long num,
+ const struct cert_chain *chain,
nserror (*cb)(bool proceed, void *pw),
void *cbpw);
diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h
index 0444678..1aaf485 100644
--- a/include/netsurf/ssl_certs.h
+++ b/include/netsurf/ssl_certs.h
@@ -48,22 +48,67 @@ typedef enum {
/** Always the max known ssl certificate error type */
#define SSL_CERT_ERR_MAX_KNOWN SSL_CERT_ERR_HOSTNAME_MISMATCH
+/** maximum number of X509 certificates in chain for TLS connection */
+#define MAX_CERT_DEPTH 10
+
/**
- * ssl certificate information for certificate error message
+ * X509 certificate chain
*/
-struct ssl_cert_info {
- long version; /**< Certificate version */
- char not_before[32]; /**< Valid from date */
- char not_after[32]; /**< Valid to date */
- int sig_type; /**< Signature type */
- char serialnum[64]; /**< Serial number */
- char issuer[256]; /**< Issuer details */
- char subject[256]; /**< Subject details */
- int cert_type; /**< Certificate type */
- ssl_cert_err err; /**< Whatever is wrong with this certificate */
+struct cert_chain {
+ /**
+ * the number of certificates in the chain
+ * */
+ size_t depth;
+ struct {
+ /**
+ * Whatever is wrong with this certificate
+ */
+ ssl_cert_err err;
+
+ /**
+ * data in Distinguished Encoding Rules (DER) format
+ */
+ uint8_t *der;
+
+ /**
+ * DER length
+ */
+ size_t der_length;
+ } certs[MAX_CERT_DEPTH];
};
-/** maximum number of X509 certificates in chain for TLS connection */
-#define MAX_SSL_CERTS 10
+/**
+ * create new certificate chain
+ *
+ * \param dpth the depth to set in the new chain.
+ * \param chain_out A pointer to recive the new chain.
+ * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
+ */
+nserror cert_chain_alloc(size_t depth, struct cert_chain **chain_out);
+
+/**
+ * duplicate a certificate chain
+ *
+ * \param src The certificate chain to copy from
+ * \param dst_out A pointer to recive the duplicated chain
+ * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
+ */
+nserror cert_chain_dup(const struct cert_chain *src, struct cert_chain
**dst_out);
+
+/**
+ * free a certificate chain
+ *
+ * \param chain The certificate chain to free
+ * \return NSERROR_OK on success
+ */
+nserror cert_chain_free(struct cert_chain *chain);
+
+/**
+ * total number of data bytes in a chain
+ *
+ * \param chain The chain to size
+ * \return the number of bytes used by the chain
+ */
+size_t cert_chain_size(const struct cert_chain *chain);
#endif /* NETSURF_SSL_CERTS_H_ */
diff --git a/utils/Makefile b/utils/Makefile
index 2f59501..e0fbd8e 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -13,6 +13,7 @@ S_UTILS := \
messages.c \
nsoption.c \
punycode.c \
+ ssl_certs.c \
talloc.c \
time.c \
url.c \
diff --git a/utils/ssl_certs.c b/utils/ssl_certs.c
new file mode 100644
index 0000000..7154561
--- /dev/null
+++ b/utils/ssl_certs.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright 2020 Vincent Sanders <[email protected]>
+ *
+ * This file is part of NetSurf, http://www.netsurf-browser.org/
+ *
+ * NetSurf is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * NetSurf is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * \file
+ * helpers for X509 certificate chains
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "utils/errors.h"
+#include "utils/log.h"
+
+#include "netsurf/ssl_certs.h"
+
+/*
+ * create new certificate chain
+ *
+ * exported interface documented in netsurf/ssl_certs.h
+ */
+nserror
+cert_chain_alloc(size_t depth, struct cert_chain **chain_out)
+{
+ struct cert_chain* chain;
+
+ chain = calloc(1, sizeof(struct cert_chain));
+ if (chain == NULL) {
+ return NSERROR_NOMEM;
+ }
+
+ chain->depth = depth;
+
+ *chain_out = chain;
+
+ return NSERROR_OK;
+}
+
+
+/*
+ * duplicate certificate chain
+ *
+ * exported interface documented in netsurf/ssl_certs.h
+ */
+nserror
+cert_chain_dup(const struct cert_chain *src, struct cert_chain **dst_out)
+{
+ struct cert_chain* dst;
+ size_t depth;
+ nserror res;
+
+ res = cert_chain_alloc(src->depth, &dst);
+ if (res != NSERROR_OK) {
+ return res;
+ }
+
+ for (depth = 0; depth < src->depth; depth++) {
+ dst->certs[depth].err = src->certs[depth].err;
+ dst->certs[depth].der_length = src->certs[depth].der_length;
+ if (src->certs[depth].der != NULL) {
+ dst->certs[depth].der =
malloc(src->certs[depth].der_length);
+ if (dst->certs[depth].der == NULL) {
+ cert_chain_free(dst);
+ return NSERROR_NOMEM;
+ }
+ memcpy(dst->certs[depth].der,
+ src->certs[depth].der,
+ src->certs[depth].der_length);
+ }
+
+ }
+
+ *dst_out = dst;
+ return NSERROR_OK;
+}
+
+
+/*
+ * free certificate chain
+ *
+ * exported interface documented in netsurf/ssl_certs.h
+ */
+nserror cert_chain_free(struct cert_chain* chain)
+{
+ size_t depth;
+
+ if (chain != NULL) {
+ for (depth = 0; depth < chain->depth; depth++) {
+ if (chain->certs[depth].der != NULL) {
+ free(chain->certs[depth].der);
+ }
+ }
+
+ free(chain);
+ }
+
+ return NSERROR_OK;
+}
+
+
+/*
+ * calculate storage used of certificate chain
+ *
+ * exported interface documented in netsurf/ssl_certs.h
+ */
+size_t cert_chain_size(const struct cert_chain *chain)
+{
+ size_t size = 0;
+ size_t depth;
+
+ if (chain != NULL) {
+ size += sizeof(struct cert_chain);
+
+ for (depth = 0; depth < chain->depth; depth++) {
+ if (chain->certs[depth].der != NULL) {
+ size += chain->certs[depth].der_length;
+ }
+ }
+ }
+
+ return size;
+}
commitdiff
http://git.netsurf-browser.org/netsurf.git/commit/?id=214478fc15a2b9ee67e19e08cf27657c0157037a
commit 214478fc15a2b9ee67e19e08cf27657c0157037a
Author: Vincent Sanders <[email protected]>
Commit: Vincent Sanders <[email protected]>
Improve some content documentation comments
diff --git a/content/content.h b/content/content.h
index 0dbd58d..144a698 100644
--- a/content/content.h
+++ b/content/content.h
@@ -100,67 +100,118 @@ struct content_rfc5988_link {
/** Extra data for some content_msg messages. */
union content_msg_data {
- /** CONTENT_MSG_LOG - Information for logging */
+ /**
+ * CONTENT_MSG_LOG - Information for logging
+ */
struct {
- browser_window_console_source src; /**< The source of the
logging */
- const char *msg; /**< The message to log */
- size_t msglen; /**< The length of that message */
- browser_window_console_flags flags; /**< The flags of the
logging */
+ /** The source of the logging */
+ browser_window_console_source src;
+ /** The message to log */
+ const char *msg;
+ /** The length of that message */
+ size_t msglen;
+ /** The flags of the logging */
+ browser_window_console_flags flags;
} log;
- /** CONTENT_MSG_SSL_CERTS - The certificate chain from the underlying
fetch */
+
+ /**
+ * CONTENT_MSG_SSL_CERTS - The certificate chain from the
+ * underlying fetch
+ */
struct {
const struct ssl_cert_info *certs; /**< The chain */
size_t num; /**< The number of certs in the chain */
} certs;
- /** CONTENT_MSG_ERROR - Error from content or underlying fetch */
+
+ /**
+ * CONTENT_MSG_ERROR - Error from content or underlying fetch
+ */
struct {
- nserror errorcode; /**< The error code to convey meaning */
- const char *errormsg; /**< The message.
- * if NSERROR_UNKNOWN then this is the
- * direct message, otherwise is some
- * kind of metadata (e.g. a message name
- * or somesuch) but always a nul
- * terminated string.
- */
+ /**
+ * The error code to convey meaning
+ */
+ nserror errorcode;
+ /**
+ * The message. if NSERROR_UNKNOWN then this is the direct
+ * message, otherwise is some kind of metadata (e.g. a
+ * message name or somesuch) but always a null terminated
+ * string.
+ */
+ const char *errormsg;
} errordata;
- /** CONTENT_MSG_REDIRECT - Redirect info */
+
+ /**
+ * CONTENT_MSG_REDIRECT - Redirect info
+ */
struct {
struct nsurl *from; /**< Redirect origin */
struct nsurl *to; /**< Redirect target */
} redirect; /**< Fetch URL redirect occured */
- /** CONTENT_MSG_REDRAW - Area of content which needs redrawing */
+
+ /**
+ * CONTENT_MSG_REDRAW - Area of content which needs redrawing
+ */
struct {
int x, y, width, height;
} redraw;
- /** CONTENT_MSG_REFRESH - Minimum delay */
+
+ /**
+ * CONTENT_MSG_REFRESH - Minimum delay
+ */
int delay;
- /** CONTENT_MSG_REFORMAT - Reformat should not cause a redraw */
+
+ /**
+ * CONTENT_MSG_REFORMAT - Reformat should not cause a redraw
+ */
bool background;
- /** CONTENT_MSG_STATUS - Status message update. If NULL, the content's
- * internal status text has been updated, and listener should use
- * content_get_status_message() */
+
+ /**
+ * CONTENT_MSG_STATUS - Status message update. If NULL, the
+ * content's internal status text has been updated, and
+ * listener should use content_get_status_message()
+ */
const char *explicit_status_text;
- /** CONTENT_MSG_DOWNLOAD - Low-level cache handle */
+
+ /**
+ * CONTENT_MSG_DOWNLOAD - Low-level cache handle
+ */
struct llcache_handle *download;
- /** CONTENT_MSG_RFC5988_LINK - rfc5988 link data */
+
+ /**
+ * CONTENT_MSG_RFC5988_LINK - rfc5988 link data
+ */
struct content_rfc5988_link *rfc5988_link;
- /** CONTENT_MSG_GETCTX - Javascript context */
+
+ /**
+ * CONTENT_MSG_GETCTX - Javascript context
+ */
struct jscontext **jscontext;
- /** CONTENT_MSG_GETDIMS - Get the viewport dimensions */
+
+ /**
+ * CONTENT_MSG_GETDIMS - Get the viewport dimensions
+ */
struct {
- /* TODO: Consider getting screen_width, screen_height too. */
+ /** \todo Consider getting screen_width, screen_height too. */
unsigned *viewport_width;
unsigned *viewport_height;
} getdims;
- /** CONTENT_MSG_SCROLL - Part of content to scroll to show */
+
+ /**
+ * CONTENT_MSG_SCROLL - Part of content to scroll to show
+ */
struct {
- /** if true, scroll to show area given by (x0, y0) and (x1,y1).
- * if false, scroll point (x0, y0) to top left of viewport */
+ /*
+ * if true, scroll to show area given by (x0, y0) and (x1,y1).
+ * if false, scroll point (x0, y0) to top left of viewport
+ */
bool area;
int x0, y0;
int x1, y1;
} scroll;
- /** CONTENT_MSG_DRAGSAVE - Drag save a content */
+
+ /**
+ * CONTENT_MSG_DRAGSAVE - Drag save a content
+ */
struct {
enum {
CONTENT_SAVE_ORIG,
@@ -171,19 +222,31 @@ union content_msg_data {
/** if NULL, save the content generating the message */
struct hlcache_handle *content;
} dragsave;
- /** CONTENT_MSG_SAVELINK - Save a URL */
+
+ /**
+ * CONTENT_MSG_SAVELINK - Save a URL
+ */
struct {
struct nsurl *url;
const char *title;
} savelink;
- /** CONTENT_MSG_POINTER - Mouse pointer to set */
+
+ /**
+ * CONTENT_MSG_POINTER - Mouse pointer to set
+ */
browser_pointer_shape pointer;
- /** CONTENT_MSG_SELECTION - Selection made or cleared */
+
+ /**
+ * CONTENT_MSG_SELECTION - Selection made or cleared
+ */
struct {
bool selection; /**< false for selection cleared */
bool read_only;
} selection;
- /** CONTENT_MSG_CARET - set caret position or, hide caret */
+
+ /**
+ * CONTENT_MSG_CARET - set caret position or, hide caret
+ */
struct {
enum {
CONTENT_CARET_SET_POS,
@@ -197,7 +260,10 @@ union content_msg_data {
const struct rect *clip; /**< Carret clip rect */
} pos; /**< With CONTENT_CARET_SET_POS */
} caret;
- /** CONTENT_MSG_DRAG - Drag start or end */
+
+ /**
+ * CONTENT_MSG_DRAG - Drag start or end
+ */
struct {
enum {
CONTENT_DRAG_NONE,
@@ -206,11 +272,17 @@ union content_msg_data {
} type;
const struct rect *rect;
} drag;
- /** CONTENT_MSG_SELECTMENU - Create select menu at pointer */
+
+ /**
+ * CONTENT_MSG_SELECTMENU - Create select menu at pointer
+ */
struct {
struct form_control *gadget;
} select_menu;
- /** CONTENT_MSG_GADGETCLICK - User clicked on a form gadget */
+
+ /**
+ * CONTENT_MSG_GADGETCLICK - User clicked on a form gadget
+ */
struct {
struct form_control *gadget;
} gadget_click;
diff --git a/content/fetch.h b/content/fetch.h
index 66be857..9a81ece 100644
--- a/content/fetch.h
+++ b/content/fetch.h
@@ -34,6 +34,9 @@ struct content;
struct fetch;
struct ssl_cert_info;
+/**
+ * Fetcher message types
+ */
typedef enum {
FETCH_PROGRESS,
FETCH_HEADER,
@@ -49,6 +52,9 @@ typedef enum {
FETCH_SSL_ERR
} fetch_msg_type;
+/**
+ * Fetcher message data
+ */
typedef struct fetch_msg {
fetch_msg_type type;
-----------------------------------------------------------------------
Summary of changes:
content/content.h | 155 +++++++++++++++------
content/fetch.h | 11 +-
content/fetchers/curl.c | 177 ++++++++---------------
content/hlcache.c | 9 +-
content/llcache.c | 285 ++++++++++++--------------------------
content/llcache.h | 35 +++--
desktop/browser_private.h | 15 +-
desktop/browser_window.c | 46 +++---
desktop/gui_factory.c | 3 +-
desktop/sslcert_viewer.c | 184 ++++++++++++++++++++++--
desktop/sslcert_viewer.h | 14 +-
frontends/gtk/page_info.c | 14 +-
include/netsurf/browser_window.h | 8 +-
include/netsurf/misc.h | 5 +-
include/netsurf/ssl_certs.h | 71 ++++++++--
utils/Makefile | 1 +
utils/ssl_certs.c | 138 ++++++++++++++++++
17 files changed, 706 insertions(+), 465 deletions(-)
create mode 100644 utils/ssl_certs.c
diff --git a/content/content.h b/content/content.h
index 0dbd58d..f8f8d32 100644
--- a/content/content.h
+++ b/content/content.h
@@ -44,7 +44,7 @@ struct object_params;
struct rect;
struct redraw_context;
struct llcache_query_msg;
-struct ssl_cert_info;
+struct cert_chain;
/** Status of a content */
typedef enum {
@@ -100,67 +100,115 @@ struct content_rfc5988_link {
/** Extra data for some content_msg messages. */
union content_msg_data {
- /** CONTENT_MSG_LOG - Information for logging */
+ /**
+ * CONTENT_MSG_LOG - Information for logging
+ */
struct {
- browser_window_console_source src; /**< The source of the
logging */
- const char *msg; /**< The message to log */
- size_t msglen; /**< The length of that message */
- browser_window_console_flags flags; /**< The flags of the
logging */
+ /** The source of the logging */
+ browser_window_console_source src;
+ /** The message to log */
+ const char *msg;
+ /** The length of that message */
+ size_t msglen;
+ /** The flags of the logging */
+ browser_window_console_flags flags;
} log;
- /** CONTENT_MSG_SSL_CERTS - The certificate chain from the underlying
fetch */
- struct {
- const struct ssl_cert_info *certs; /**< The chain */
- size_t num; /**< The number of certs in the chain */
- } certs;
- /** CONTENT_MSG_ERROR - Error from content or underlying fetch */
+
+ /**
+ * CONTENT_MSG_SSL_CERTS - The certificate chain from the
+ * underlying fetch
+ */
+ const struct cert_chain *chain;
+
+ /**
+ * CONTENT_MSG_ERROR - Error from content or underlying fetch
+ */
struct {
- nserror errorcode; /**< The error code to convey meaning */
- const char *errormsg; /**< The message.
- * if NSERROR_UNKNOWN then this is the
- * direct message, otherwise is some
- * kind of metadata (e.g. a message name
- * or somesuch) but always a nul
- * terminated string.
- */
+ /**
+ * The error code to convey meaning
+ */
+ nserror errorcode;
+ /**
+ * The message. if NSERROR_UNKNOWN then this is the direct
+ * message, otherwise is some kind of metadata (e.g. a
+ * message name or somesuch) but always a null terminated
+ * string.
+ */
+ const char *errormsg;
} errordata;
- /** CONTENT_MSG_REDIRECT - Redirect info */
+
+ /**
+ * CONTENT_MSG_REDIRECT - Redirect info
+ */
struct {
struct nsurl *from; /**< Redirect origin */
struct nsurl *to; /**< Redirect target */
} redirect; /**< Fetch URL redirect occured */
- /** CONTENT_MSG_REDRAW - Area of content which needs redrawing */
+
+ /**
+ * CONTENT_MSG_REDRAW - Area of content which needs redrawing
+ */
struct {
int x, y, width, height;
} redraw;
- /** CONTENT_MSG_REFRESH - Minimum delay */
+
+ /**
+ * CONTENT_MSG_REFRESH - Minimum delay
+ */
int delay;
- /** CONTENT_MSG_REFORMAT - Reformat should not cause a redraw */
+
+ /**
+ * CONTENT_MSG_REFORMAT - Reformat should not cause a redraw
+ */
bool background;
- /** CONTENT_MSG_STATUS - Status message update. If NULL, the content's
- * internal status text has been updated, and listener should use
- * content_get_status_message() */
+
+ /**
+ * CONTENT_MSG_STATUS - Status message update. If NULL, the
+ * content's internal status text has been updated, and
+ * listener should use content_get_status_message()
+ */
const char *explicit_status_text;
- /** CONTENT_MSG_DOWNLOAD - Low-level cache handle */
+
+ /**
+ * CONTENT_MSG_DOWNLOAD - Low-level cache handle
+ */
struct llcache_handle *download;
- /** CONTENT_MSG_RFC5988_LINK - rfc5988 link data */
+
+ /**
+ * CONTENT_MSG_RFC5988_LINK - rfc5988 link data
+ */
struct content_rfc5988_link *rfc5988_link;
- /** CONTENT_MSG_GETCTX - Javascript context */
+
+ /**
+ * CONTENT_MSG_GETCTX - Javascript context
+ */
struct jscontext **jscontext;
- /** CONTENT_MSG_GETDIMS - Get the viewport dimensions */
+
+ /**
+ * CONTENT_MSG_GETDIMS - Get the viewport dimensions
+ */
struct {
- /* TODO: Consider getting screen_width, screen_height too. */
+ /** \todo Consider getting screen_width, screen_height too. */
unsigned *viewport_width;
unsigned *viewport_height;
} getdims;
- /** CONTENT_MSG_SCROLL - Part of content to scroll to show */
+
+ /**
+ * CONTENT_MSG_SCROLL - Part of content to scroll to show
+ */
struct {
- /** if true, scroll to show area given by (x0, y0) and (x1,y1).
- * if false, scroll point (x0, y0) to top left of viewport */
+ /*
+ * if true, scroll to show area given by (x0, y0) and (x1,y1).
+ * if false, scroll point (x0, y0) to top left of viewport
+ */
bool area;
int x0, y0;
int x1, y1;
} scroll;
- /** CONTENT_MSG_DRAGSAVE - Drag save a content */
+
+ /**
+ * CONTENT_MSG_DRAGSAVE - Drag save a content
+ */
struct {
enum {
CONTENT_SAVE_ORIG,
@@ -171,19 +219,31 @@ union content_msg_data {
/** if NULL, save the content generating the message */
struct hlcache_handle *content;
} dragsave;
- /** CONTENT_MSG_SAVELINK - Save a URL */
+
+ /**
+ * CONTENT_MSG_SAVELINK - Save a URL
+ */
struct {
struct nsurl *url;
const char *title;
} savelink;
- /** CONTENT_MSG_POINTER - Mouse pointer to set */
+
+ /**
+ * CONTENT_MSG_POINTER - Mouse pointer to set
+ */
browser_pointer_shape pointer;
- /** CONTENT_MSG_SELECTION - Selection made or cleared */
+
+ /**
+ * CONTENT_MSG_SELECTION - Selection made or cleared
+ */
struct {
bool selection; /**< false for selection cleared */
bool read_only;
} selection;
- /** CONTENT_MSG_CARET - set caret position or, hide caret */
+
+ /**
+ * CONTENT_MSG_CARET - set caret position or, hide caret
+ */
struct {
enum {
CONTENT_CARET_SET_POS,
@@ -197,7 +257,10 @@ union content_msg_data {
const struct rect *clip; /**< Carret clip rect */
} pos; /**< With CONTENT_CARET_SET_POS */
} caret;
- /** CONTENT_MSG_DRAG - Drag start or end */
+
+ /**
+ * CONTENT_MSG_DRAG - Drag start or end
+ */
struct {
enum {
CONTENT_DRAG_NONE,
@@ -206,11 +269,17 @@ union content_msg_data {
} type;
const struct rect *rect;
} drag;
- /** CONTENT_MSG_SELECTMENU - Create select menu at pointer */
+
+ /**
+ * CONTENT_MSG_SELECTMENU - Create select menu at pointer
+ */
struct {
struct form_control *gadget;
} select_menu;
- /** CONTENT_MSG_GADGETCLICK - User clicked on a form gadget */
+
+ /**
+ * CONTENT_MSG_GADGETCLICK - User clicked on a form gadget
+ */
struct {
struct form_control *gadget;
} gadget_click;
diff --git a/content/fetch.h b/content/fetch.h
index 66be857..9e80b26 100644
--- a/content/fetch.h
+++ b/content/fetch.h
@@ -34,6 +34,9 @@ struct content;
struct fetch;
struct ssl_cert_info;
+/**
+ * Fetcher message types
+ */
typedef enum {
FETCH_PROGRESS,
FETCH_HEADER,
@@ -49,6 +52,9 @@ typedef enum {
FETCH_SSL_ERR
} fetch_msg_type;
+/**
+ * Fetcher message data
+ */
typedef struct fetch_msg {
fetch_msg_type type;
@@ -69,10 +75,7 @@ typedef struct fetch_msg {
const char *realm;
} auth;
- struct {
- const struct ssl_cert_info *certs;
- size_t num_certs;
- } certs;
+ const struct cert_chain *chain;
} data;
} fetch_msg;
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index 0be33ae..83e92d8 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -149,7 +149,7 @@ struct curl_fetch_info {
struct curl_httppost *post_multipart; /**< Multipart post data, or 0.
*/
uint64_t last_progress_update; /**< Time of last progress update */
int cert_depth; /**< deepest certificate in use */
- struct cert_info cert_data[MAX_SSL_CERTS]; /**< HTTPS certificate data
*/
+ struct cert_info cert_data[MAX_CERT_DEPTH]; /**< HTTPS certificate data
*/
};
/** curl handle cache entry */
@@ -471,128 +471,37 @@ failed:
static void
fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
{
- int depth;
+ size_t depth;
BIO *mem;
- BUF_MEM *buf;
- const ASN1_INTEGER *asn1_num;
- BIGNUM *bignum;
- struct ssl_cert_info ssl_certs[MAX_SSL_CERTS];
+ BUF_MEM *buf[MAX_CERT_DEPTH];
+ struct cert_chain chain;
fetch_msg msg;
- struct cert_info *certs = f->cert_data;
- memset(ssl_certs, 0, sizeof(ssl_certs));
+ struct cert_info *certs;
+
+ memset(&chain, 0, sizeof(chain));
+
+ certs = f->cert_data;
+ chain.depth = f->cert_depth + 1; /* 0 indexed certificate depth */
- for (depth = 0; depth <= f->cert_depth; depth++) {
+ for (depth = 0; depth < chain.depth; depth++) {
if (certs[depth].cert == NULL) {
/* This certificate is missing, skip it */
- ssl_certs[depth].err = SSL_CERT_ERR_CERT_MISSING;
+ chain.certs[depth].err = SSL_CERT_ERR_CERT_MISSING;
continue;
}
- /* get certificate version */
- ssl_certs[depth].version = X509_get_version(certs[depth].cert);
-
- /* not before date */
- mem = BIO_new(BIO_s_mem());
- ASN1_TIME_print(mem, X509_get_notBefore(certs[depth].cert));
- BIO_get_mem_ptr(mem, &buf);
- (void) BIO_set_close(mem, BIO_NOCLOSE);
- BIO_free(mem);
- memcpy(ssl_certs[depth].not_before,
- buf->data,
- min(sizeof(ssl_certs[depth].not_before) - 1,
- (unsigned)buf->length));
-
ssl_certs[depth].not_before[min(sizeof(ssl_certs[depth].not_before) - 1,
- (unsigned)buf->length)] = 0;
- BUF_MEM_free(buf);
-
- /* not after date */
- mem = BIO_new(BIO_s_mem());
- ASN1_TIME_print(mem,
- X509_get_notAfter(certs[depth].cert));
- BIO_get_mem_ptr(mem, &buf);
- (void) BIO_set_close(mem, BIO_NOCLOSE);
- BIO_free(mem);
- memcpy(ssl_certs[depth].not_after,
- buf->data,
- min(sizeof(ssl_certs[depth].not_after) - 1,
- (unsigned)buf->length));
-
ssl_certs[depth].not_after[min(sizeof(ssl_certs[depth].not_after) - 1,
- (unsigned)buf->length)] = 0;
- BUF_MEM_free(buf);
-
- /* signature type */
- ssl_certs[depth].sig_type =
- X509_get_signature_type(certs[depth].cert);
-
- /* serial number */
- asn1_num = X509_get_serialNumber(certs[depth].cert);
- if (asn1_num != NULL) {
- bignum = ASN1_INTEGER_to_BN(asn1_num, NULL);
- if (bignum != NULL) {
- char *tmp = BN_bn2hex(bignum);
- if (tmp != NULL) {
- strncpy(ssl_certs[depth].serialnum,
- tmp,
-
sizeof(ssl_certs[depth].serialnum));
-
ssl_certs[depth].serialnum[sizeof(ssl_certs[depth].serialnum)-1] = '\0';
- OPENSSL_free(tmp);
- }
- BN_free(bignum);
- bignum = NULL;
- }
- }
-
- /* issuer name */
- mem = BIO_new(BIO_s_mem());
- X509_NAME_print_ex(mem,
- X509_get_issuer_name(certs[depth].cert),
- 0, XN_FLAG_SEP_CPLUS_SPC |
- XN_FLAG_DN_REV | XN_FLAG_FN_NONE);
- BIO_get_mem_ptr(mem, &buf);
- (void) BIO_set_close(mem, BIO_NOCLOSE);
- BIO_free(mem);
- memcpy(ssl_certs[depth].issuer,
- buf->data,
- min(sizeof(ssl_certs[depth].issuer) - 1,
- (unsigned) buf->length));
- ssl_certs[depth].issuer[min(sizeof(ssl_certs[depth].issuer) - 1,
- (unsigned) buf->length)] = 0;
- BUF_MEM_free(buf);
-
- /* subject */
- mem = BIO_new(BIO_s_mem());
- X509_NAME_print_ex(mem,
- X509_get_subject_name(certs[depth].cert),
- 0,
- XN_FLAG_SEP_CPLUS_SPC |
- XN_FLAG_DN_REV |
- XN_FLAG_FN_NONE);
- BIO_get_mem_ptr(mem, &buf);
- (void) BIO_set_close(mem, BIO_NOCLOSE);
- BIO_free(mem);
- memcpy(ssl_certs[depth].subject,
- buf->data,
- min(sizeof(ssl_certs[depth].subject) - 1,
- (unsigned)buf->length));
- ssl_certs[depth].subject[min(sizeof(ssl_certs[depth].subject) -
1,
- (unsigned) buf->length)] = 0;
- BUF_MEM_free(buf);
-
- /* type of certificate */
- ssl_certs[depth].cert_type =
- X509_certificate_type(certs[depth].cert,
-
X509_get_pubkey(certs[depth].cert));
-
/* error code (if any) */
switch (certs[depth].err) {
case X509_V_OK:
- ssl_certs[depth].err = SSL_CERT_ERR_OK;
+ chain.certs[depth].err = SSL_CERT_ERR_OK;
break;
+
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
/* fallthrough */
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
- ssl_certs[depth].err = SSL_CERT_ERR_BAD_ISSUER;
+ chain.certs[depth].err = SSL_CERT_ERR_BAD_ISSUER;
break;
+
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
/* fallthrough */
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
@@ -600,41 +509,66 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info
*f)
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
/* fallthrough */
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
- ssl_certs[depth].err = SSL_CERT_ERR_BAD_SIG;
+ chain.certs[depth].err = SSL_CERT_ERR_BAD_SIG;
break;
+
case X509_V_ERR_CERT_NOT_YET_VALID:
/* fallthrough */
case X509_V_ERR_CRL_NOT_YET_VALID:
- ssl_certs[depth].err = SSL_CERT_ERR_TOO_YOUNG;
+ chain.certs[depth].err = SSL_CERT_ERR_TOO_YOUNG;
break;
+
case X509_V_ERR_CERT_HAS_EXPIRED:
/* fallthrough */
case X509_V_ERR_CRL_HAS_EXPIRED:
- ssl_certs[depth].err = SSL_CERT_ERR_TOO_OLD;
+ chain.certs[depth].err = SSL_CERT_ERR_TOO_OLD;
break;
+
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- ssl_certs[depth].err = SSL_CERT_ERR_SELF_SIGNED;
+ chain.certs[depth].err = SSL_CERT_ERR_SELF_SIGNED;
break;
+
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- ssl_certs[depth].err = SSL_CERT_ERR_CHAIN_SELF_SIGNED;
+ chain.certs[depth].err = SSL_CERT_ERR_CHAIN_SELF_SIGNED;
break;
+
case X509_V_ERR_CERT_REVOKED:
- ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
+ chain.certs[depth].err = SSL_CERT_ERR_REVOKED;
break;
+
case X509_V_ERR_HOSTNAME_MISMATCH:
- ssl_certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
+ chain.certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
break;
+
default:
- ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
+ chain.certs[depth].err = SSL_CERT_ERR_UNKNOWN;
break;
}
+
+ /*
+ * get certificate in Distinguished Encoding Rules (DER) format.
+ */
+ mem = BIO_new(BIO_s_mem());
+ i2d_X509_bio(mem, certs[depth].cert);
+ BIO_get_mem_ptr(mem, &buf[depth]);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+
+ chain.certs[depth].der = (uint8_t *)buf[depth]->data;
+ chain.certs[depth].der_length = buf[depth]->length;
}
msg.type = FETCH_CERTS;
- msg.data.certs.certs = ssl_certs;
- msg.data.certs.num_certs = depth;
+ msg.data.chain = &chain;
fetch_send_callback(&msg, f->fetch_handle);
+
+ /* release the openssl memory buffer */
+ for (depth = 0; depth < chain.depth; depth++) {
+ if (buf[depth] != NULL) {
+ BUF_MEM_free(buf[depth]);
+ }
+ }
}
@@ -667,7 +601,7 @@ fetch_curl_verify_callback(int verify_ok, X509_STORE_CTX
*x509_ctx)
fetch = X509_STORE_CTX_get_app_data(x509_ctx);
/* certificate chain is excessively deep so fail verification */
- if (depth >= MAX_SSL_CERTS) {
+ if (depth >= MAX_CERT_DEPTH) {
X509_STORE_CTX_set_error(x509_ctx,
X509_V_ERR_CERT_CHAIN_TOO_LONG);
return 0;
@@ -1098,8 +1032,11 @@ static void fetch_curl_free(void *vf)
curl_formfree(f->post_multipart);
}
- for (i = 0; i < MAX_SSL_CERTS && f->cert_data[i].cert; i++) {
- ns_X509_free(f->cert_data[i].cert);
+ /* free certificate data */
+ for (i = 0; i < MAX_CERT_DEPTH; i++) {
+ if (f->cert_data[i].cert != NULL) {
+ ns_X509_free(f->cert_data[i].cert);
+ }
}
free(f);
diff --git a/content/hlcache.c b/content/hlcache.c
index ec011ec..23dbc57 100644
--- a/content/hlcache.c
+++ b/content/hlcache.c
@@ -423,8 +423,10 @@ static nserror hlcache_migrate_ctx(hlcache_retrieval_ctx
*ctx,
* \param pw Pointer to client-specific data
* \return NSERROR_OK on success, appropriate error otherwise
*/
-static nserror hlcache_llcache_callback(llcache_handle *handle,
- const llcache_event *event, void *pw)
+static nserror
+hlcache_llcache_callback(llcache_handle *handle,
+ const llcache_event *event,
+ void *pw)
{
hlcache_retrieval_ctx *ctx = pw;
lwc_string *effective_type = NULL;
@@ -439,8 +441,7 @@ static nserror hlcache_llcache_callback(llcache_handle
*handle,
hlcache_event hlevent;
hlevent.type = CONTENT_MSG_SSL_CERTS;
- hlevent.data.certs.certs = event->data.certs.certs;
- hlevent.data.certs.num = event->data.certs.num;
+ hlevent.data.chain = event->data.chain;
ctx->handle->cb(ctx->handle, &hlevent, ctx->handle->pw);
}
diff --git a/content/llcache.c b/content/llcache.c
index 8a71f18..3a75bf9 100644
--- a/content/llcache.c
+++ b/content/llcache.c
@@ -36,6 +36,7 @@
#include <string.h>
#include <strings.h>
#include <nsutils/time.h>
+#include <nsutils/base64.h>
#include "netsurf/inttypes.h"
#include "utils/config.h"
@@ -175,8 +176,7 @@ struct llcache_object {
size_t source_len; /**< Byte length of source data */
size_t source_alloc; /**< Allocated size of source buffer */
- size_t ssl_cert_count; /**< The number of SSL certificates stored
*/
- struct ssl_cert_info *ssl_certs; /**< SSL certificate information if
count is non-zero */
+ struct cert_chain *chain; /**< Certificate chain from the fetch */
llcache_store_state store_state; /**< where the data for the object is
stored */
@@ -969,11 +969,7 @@ static nserror llcache_object_destroy(llcache_object
*object)
NSLOG(llcache, DEBUG, "Destroying object %p, %s", object,
nsurl_access(object->url));
- if (object->ssl_cert_count != 0) {
- free(object->ssl_certs);
- object->ssl_certs = NULL;
- object->ssl_cert_count = 0;
- }
+ cert_chain_free(object->chain);
if (object->source_data != NULL) {
if (object->store_state == LLCACHE_STATE_DISC) {
@@ -1240,6 +1236,13 @@ llcache_serialise_metadata(llcache_object *object,
char *op;
unsigned int hloop;
int use;
+ size_t cert_chain_depth;
+
+ if (object->chain != NULL) {
+ cert_chain_depth = object->chain->depth;
+ } else {
+ cert_chain_depth = 0;
+ }
allocsize = 10 + 1; /* object length */
@@ -1251,22 +1254,19 @@ llcache_serialise_metadata(llcache_object *object,
allocsize += 10 + 1; /* space for number of header entries */
- allocsize += 10 + 1; /* space for number of SSL certificates */
-
- allocsize += nsurl_length(object->url) + 1;
-
for (hloop = 0 ; hloop < object->num_headers ; hloop++) {
allocsize += strlen(object->headers[hloop].name) + 1;
allocsize += strlen(object->headers[hloop].value) + 1;
}
- for (hloop = 0; hloop < object->ssl_cert_count; hloop++) {
- allocsize += (10 + 1) * 4; /* version, sig_type, cert_type, err
*/
- allocsize += strlen(object->ssl_certs[hloop].not_before) + 1;
- allocsize += strlen(object->ssl_certs[hloop].not_after) + 1;
- allocsize += strlen(object->ssl_certs[hloop].serialnum) + 1;
- allocsize += strlen(object->ssl_certs[hloop].issuer) + 1;
- allocsize += strlen(object->ssl_certs[hloop].subject) + 1;
+ allocsize += nsurl_length(object->url) + 1;
+
+ /* space for number of DER formatted certificates */
+ allocsize += 10 + 1;
+
+ for (hloop = 0; hloop < cert_chain_depth; hloop++) {
+ allocsize += 10 + 1; /* error status */
+ allocsize += 4 * ((object->chain->certs[hloop].der_length + 2)
/ 3);
}
data = malloc(allocsize);
@@ -1351,8 +1351,8 @@ llcache_serialise_metadata(llcache_object *object,
datasize -= use;
}
- /* number of ssl certificates */
- use = snprintf(op, datasize, "%" PRIsizet, object->ssl_cert_count);
+ /* number of DER formatted ssl certificates */
+ use = snprintf(op, datasize, "%" PRIsizet, cert_chain_depth);
if (use < 0) {
goto operror;
}
@@ -1363,80 +1363,13 @@ llcache_serialise_metadata(llcache_object *object,
datasize -= use;
/* SSL certificates */
- for (hloop = 0; hloop < object->ssl_cert_count; hloop++) {
- struct ssl_cert_info *cert = &(object->ssl_certs[hloop]);
- /* Certificate version */
- use = snprintf(op, datasize, "%ld", cert->version);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* not_before */
- use = snprintf(op, datasize, "%s", cert->not_before);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* not_after */
- use = snprintf(op, datasize, "%s", cert->not_after);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* Signature type */
- use = snprintf(op, datasize, "%d", cert->sig_type);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* serialnum */
- use = snprintf(op, datasize, "%s", cert->serialnum);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* issuer */
- use = snprintf(op, datasize, "%s", cert->issuer);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* subject */
- use = snprintf(op, datasize, "%s", cert->subject);
- if (use < 0) {
- goto operror;
- }
- use++; /* does not count the null */
- if (use > datasize)
- goto overflow;
- op += use;
- datasize -= use;
- /* Certificate type */
- use = snprintf(op, datasize, "%d", cert->cert_type);
+ for (hloop = 0; hloop < cert_chain_depth; hloop++) {
+ size_t output_length;
+ nsuerror res;
+
+ /* Certificate error code */
+ use = snprintf(op, datasize, "%d",
+ (int)(object->chain->certs[hloop].err));
if (use < 0) {
goto operror;
}
@@ -1445,14 +1378,26 @@ llcache_serialise_metadata(llcache_object *object,
goto overflow;
op += use;
datasize -= use;
- /* Certificate error code */
- use = snprintf(op, datasize, "%d", (int)(cert->err));
- if (use < 0) {
- goto operror;
+
+ /* DER certificate data in base64 encoding */
+ if (object->chain->certs[hloop].der != NULL) {
+ output_length = datasize;
+ res = nsu_base64_encode(
+ object->chain->certs[hloop].der,
+ object->chain->certs[hloop].der_length,
+ (uint8_t *)op,
+ &output_length);
+ if (res != NSUERROR_OK) {
+ goto operror;
+ }
+ use = output_length;
+ } else {
+ use = 0;
}
- use++; /* does not count the null */
+ use++; /* allow for null */
if (use > datasize)
goto overflow;
+ *(op + output_length) = 0;
op += use;
datasize -= use;
}
@@ -1510,7 +1455,7 @@ llcache_process_metadata(llcache_object *object)
size_t num_headers;
size_t hloop;
size_t ssl_cert_count = 0;
- struct ssl_cert_info *ssl_certs = NULL;
+ struct cert_chain *chain = NULL;
NSLOG(llcache, INFO, "Retrieving metadata");
@@ -1642,7 +1587,7 @@ llcache_process_metadata(llcache_object *object)
goto skip_ssl_certificates;
}
- /* Next line is the number of SSL certificates*/
+ /* Next line is the number of DER base64 encoded certificates */
line++;
ln += lnsize + 1;
lnsize = strlen(ln);
@@ -1657,72 +1602,20 @@ llcache_process_metadata(llcache_object *object)
goto skip_ssl_certificates;
}
- ssl_certs = calloc(sizeof(struct ssl_cert_info), ssl_cert_count);
- if (ssl_certs == NULL) {
- res = NSERROR_NOMEM;
+ if (ssl_cert_count > MAX_CERT_DEPTH) {
+ res = NSERROR_INVALID;
+ goto format_error;
+ }
+
+ res = cert_chain_alloc(ssl_cert_count, &chain);
+ if (res != NSERROR_OK) {
goto format_error;
}
for (hloop = 0; hloop < ssl_cert_count; hloop++) {
- struct ssl_cert_info *cert = &ssl_certs[hloop];
int errcode;
- /* Certificate version */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- if ((lnsize < 1) || (sscanf(ln, "%ld", &cert->version) != 1)) {
- res = NSERROR_INVALID;
- goto format_error;
- }
- /* Not before */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->not_before, ln, lnsize);
- /* Not after */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->not_after, ln, lnsize);
- /* Signature type */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- if ((lnsize < 1) || (sscanf(ln, "%d", &cert->sig_type) != 1)) {
- res = NSERROR_INVALID;
- goto format_error;
- }
- /* Serial Number */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->serialnum, ln, lnsize);
- /* issuer */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->issuer, ln, lnsize);
- /* subject */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- memcpy(&cert->subject, ln, lnsize);
- /* Certificate type */
- line++;
- ln += lnsize + 1;
- lnsize = strlen(ln);
- remaining -= lnsize + 1;
- if ((lnsize < 1) || (sscanf(ln, "%d", &cert->cert_type) != 1)) {
- res = NSERROR_INVALID;
- goto format_error;
- }
+ nsuerror nsures;
+
/* Certificate error code */
line++;
ln += lnsize + 1;
@@ -1735,9 +1628,25 @@ llcache_process_metadata(llcache_object *object)
if (errcode < SSL_CERT_ERR_OK ||
errcode > SSL_CERT_ERR_MAX_KNOWN) {
/* Error with the cert code, assume UNKNOWN */
- cert->err = SSL_CERT_ERR_UNKNOWN;
+ chain->certs[hloop].err = SSL_CERT_ERR_UNKNOWN;
} else {
- cert->err = (ssl_cert_err)errcode;
+ chain->certs[hloop].err = (ssl_cert_err)errcode;
+ }
+
+ /* base64 encoded DER certificate data */
+ line++;
+ ln += lnsize + 1;
+ lnsize = strlen(ln);
+ remaining -= lnsize + 1;
+ if (lnsize > 0) {
+ nsures = nsu_base64_decode_alloc((const uint8_t *)ln,
+ lnsize,
+ &chain->certs[hloop].der,
+ &chain->certs[hloop].der_length);
+ if (nsures != NSUERROR_OK) {
+ res = NSERROR_NOMEM;
+ goto format_error;
+ }
}
}
@@ -1754,8 +1663,7 @@ skip_ssl_certificates:
object->cache.res_time = response_time;
object->cache.fin_time = completion_time;
- object->ssl_cert_count = ssl_cert_count;
- object->ssl_certs = ssl_certs;
+ object->chain = chain;
/* object stored in backing store */
object->store_state = LLCACHE_STATE_DISC;
@@ -1768,9 +1676,7 @@ format_error:
line, res);
guit->llcache->release(object->url, BACKING_STORE_META);
- if (ssl_certs != NULL) {
- free(ssl_certs);
- }
+ cert_chain_free(chain);
return res;
}
@@ -3173,21 +3079,15 @@ static void llcache_fetch_callback(const fetch_msg
*msg, void *p)
case FETCH_CERTS:
/* Certificate information from the fetch */
- /* Persist the data onto our object */
- object->ssl_certs = calloc(sizeof(struct ssl_cert_info),
- msg->data.certs.num_certs);
- if (object->ssl_certs != NULL) {
- object->ssl_cert_count = msg->data.certs.num_certs;
- memcpy(object->ssl_certs, msg->data.certs.certs,
- sizeof(struct ssl_cert_info) *
object->ssl_cert_count);
- }
-
- /* Now pass on the event */
- event.type = LLCACHE_EVENT_GOT_CERTS;
- event.data.certs.certs = msg->data.certs.certs;
- event.data.certs.num = msg->data.certs.num_certs;
+ /* Persist the chain onto our object */
+ error = cert_chain_dup(msg->data.chain, &object->chain);
+ if (error != NSERROR_OK) {
+ /* Now pass on the event */
+ event.type = LLCACHE_EVENT_GOT_CERTS;
+ event.data.chain = msg->data.chain;
- error = llcache_send_event_to_users(object, &event);
+ error = llcache_send_event_to_users(object, &event);
+ }
break;
/* Events requiring action */
@@ -3388,10 +3288,9 @@ static nserror
llcache_object_notify_users(llcache_object *object)
handle->state = LLCACHE_FETCH_HEADERS;
/* Emit any certificate data we hold */
- if (object->ssl_cert_count > 0) {
+ if (object->chain != NULL) {
event.type = LLCACHE_EVENT_GOT_CERTS;
- event.data.certs.certs = object->ssl_certs;
- event.data.certs.num = object->ssl_cert_count;
+ event.data.chain = object->chain;
error = handle->cb(handle, &event, handle->pw);
} else {
error = NSERROR_OK;
@@ -3613,16 +3512,12 @@ llcache_object_snapshot(llcache_object *object,
llcache_object **snapshot)
}
}
- if (object->ssl_cert_count != 0) {
- newobj->ssl_certs = calloc(sizeof(struct ssl_cert_info),
- object->ssl_cert_count);
- if (newobj->ssl_certs == NULL) {
+ if (object->chain != NULL) {
+ error = cert_chain_dup(object->chain, &newobj->chain);
+ if (error != NSERROR_OK) {
llcache_object_destroy(newobj);
- return NSERROR_NOMEM;
+ return error;
}
- memcpy(newobj->ssl_certs, object->ssl_certs,
- sizeof(struct ssl_cert_info) * object->ssl_cert_count);
- newobj->ssl_cert_count = object->ssl_cert_count;
}
newobj->fetch.state = LLCACHE_FETCH_COMPLETE;
@@ -3662,7 +3557,7 @@ total_object_size(llcache_object *object)
}
}
- tot += object->ssl_cert_count * sizeof(struct ssl_cert_info);
+ tot += cert_chain_size(object->chain);
return tot;
}
diff --git a/content/llcache.h b/content/llcache.h
index 8d2411e..514272f 100644
--- a/content/llcache.h
+++ b/content/llcache.h
@@ -30,7 +30,7 @@
#include "utils/errors.h"
#include "utils/nsurl.h"
-struct ssl_cert_info;
+struct cert_chain;
struct fetch_multipart_data;
/** Handle for low-level cache object */
@@ -83,26 +83,23 @@ typedef enum {
* and must be copied if it is desirable to retain.
*/
typedef struct {
- llcache_event_type type; /**< Type of event */
+ llcache_event_type type; /**< Type of event */
union {
struct {
- const uint8_t *buf; /**< Buffer of data */
- size_t len; /**< Length of buffer, in bytes */
- } data; /**< Received data */
+ const uint8_t *buf; /**< Buffer of data */
+ size_t len; /**< Byte length of buffer */
+ } data; /**< Received data */
struct {
- nserror code; /**< The error code */
- const char *msg; /**< Error message */
+ nserror code; /**< The error code */
+ const char *msg; /**< Error message */
} error;
- const char *progress_msg; /**< Progress message */
+ const char *progress_msg; /**< Progress message */
struct {
- nsurl *from; /**< Redirect origin */
- nsurl *to; /**< Redirect target */
- } redirect; /**< Fetch URL redirect occured */
- struct {
- const struct ssl_cert_info *certs; /**< The chain */
- size_t num; /**< Number of certs in chain */
- } certs;
- } data; /**< Event data */
+ nsurl *from; /**< Redirect origin */
+ nsurl *to; /**< Redirect target */
+ } redirect; /**< Fetch URL redirect occured */
+ const struct cert_chain *chain; /**< Certificate chain */
+ } data; /**< Event data */
} llcache_event;
/**
@@ -171,17 +168,17 @@ struct llcache_parameters {
size_t hysteresis; /**< The hysteresis around the target size */
/** The minimum lifetime to consider sending objects to backing store.*/
- int minimum_lifetime;
+ int minimum_lifetime;
/** The minimum bandwidth to allow the backing store to
* use in bytes/second
*/
- size_t minimum_bandwidth;
+ size_t minimum_bandwidth;
/** The maximum bandwidth to allow the backing store to use in
* bytes/second
*/
- size_t maximum_bandwidth;
+ size_t maximum_bandwidth;
/** The time quantum over which to calculate the bandwidth values
*/
diff --git a/desktop/browser_private.h b/desktop/browser_private.h
index 6e45052..41b8fef 100644
--- a/desktop/browser_private.h
+++ b/desktop/browser_private.h
@@ -89,13 +89,6 @@ struct browser_fetch_parameters {
bool parent_quirks; /**< Optional parent
quirks */
};
-/**
- * The SSL context for a fetch, as provided by the fetchers
- */
-struct browser_ssl_info {
- struct ssl_cert_info certs[MAX_SSL_CERTS]; /**< The certificate chain
*/
- size_t num; /**< The number of certificates in the chain */
-};
/**
* Browser window data.
@@ -113,9 +106,9 @@ struct browser_window {
struct browser_fetch_parameters current_parameters;
/**
- * The SSL information for the current content
+ * The certificate chain for the current content
*/
- struct browser_ssl_info current_ssl_info;
+ struct cert_chain *current_cert_chain;
/**
* Content handle of page in process of being loaded or NULL
@@ -129,9 +122,9 @@ struct browser_window {
struct browser_fetch_parameters loading_parameters;
/**
- * The SSL information for the loading content
+ * The certificate chain for the loading content
*/
- struct browser_ssl_info loading_ssl_info;
+ struct cert_chain *loading_cert_chain;
/**
* Favicon
diff --git a/desktop/browser_window.c b/desktop/browser_window.c
index 06f41dd..6defe01 100644
--- a/desktop/browser_window.c
+++ b/desktop/browser_window.c
@@ -743,9 +743,10 @@ static nserror browser_window_content_ready(struct
browser_window *bw)
browser_window__free_fetch_parameters(&bw->current_parameters);
bw->current_parameters = bw->loading_parameters;
memset(&bw->loading_parameters, 0,
sizeof(bw->loading_parameters));
- /* Transfer the SSL info */
- bw->current_ssl_info = bw->loading_ssl_info;
- bw->loading_ssl_info.num = 0;
+ /* Transfer the certificate chain */
+ cert_chain_free(bw->current_cert_chain);
+ bw->current_cert_chain = bw->loading_cert_chain;
+ bw->loading_cert_chain = NULL;
}
/* Format the new content to the correct dimensions */
@@ -1136,7 +1137,7 @@ browser_window__handle_bad_certs(struct browser_window
*bw,
nserror err;
/* Initially we don't know WHY the SSL cert was bad */
const char *reason = messages_get_sslcode(SSL_CERT_ERR_UNKNOWN);
- size_t n;
+ size_t depth;
memset(¶ms, 0, sizeof(params));
@@ -1151,12 +1152,14 @@ browser_window__handle_bad_certs(struct browser_window
*bw,
goto out;
}
- for (n = 0; n < bw->loading_ssl_info.num; ++n) {
- size_t idx = bw->loading_ssl_info.num - (n + 1);
- ssl_cert_err err = bw->loading_ssl_info.certs[idx].err;
- if (err != SSL_CERT_ERR_OK) {
- reason = messages_get_sslcode(err);
- break;
+ if (bw->loading_cert_chain != NULL) {
+ for (depth = 0; depth < bw->loading_cert_chain->depth; ++depth)
{
+ size_t idx = bw->loading_cert_chain->depth - (depth +
1);
+ ssl_cert_err err =
bw->loading_cert_chain->certs[idx].err;
+ if (err != SSL_CERT_ERR_OK) {
+ reason = messages_get_sslcode(err);
+ break;
+ }
}
}
@@ -1175,8 +1178,7 @@ browser_window__handle_bad_certs(struct browser_window
*bw,
}
err = guit->misc->cert_verify(url,
- bw->loading_ssl_info.certs,
- bw->loading_ssl_info.num,
+ bw->loading_cert_chain,
browser_window__handle_ssl_query_response,
bw);
@@ -1352,11 +1354,8 @@ browser_window_callback(hlcache_handle *c, const
hlcache_event *event, void *pw)
switch (event->type) {
case CONTENT_MSG_SSL_CERTS:
/* SSL certificate information has arrived, store it */
- assert(event->data.certs.num < MAX_SSL_CERTS);
- memcpy(&bw->loading_ssl_info.certs[0],
- event->data.certs.certs,
- sizeof(struct ssl_cert_info) * event->data.certs.num);
- bw->loading_ssl_info.num = event->data.certs.num;
+ cert_chain_free(bw->loading_cert_chain);
+ cert_chain_dup(event->data.chain, &bw->loading_cert_chain);
break;
case CONTENT_MSG_LOG:
@@ -3431,7 +3430,8 @@ navigate_internal_real(struct browser_window *bw,
fetch_is_post = (params->post_urlenc != NULL || params->post_multipart
!= NULL);
/* Clear SSL info for load */
- bw->loading_ssl_info.num = 0;
+ cert_chain_free(bw->loading_cert_chain);
+ bw->loading_cert_chain = NULL;
/* Set up retrieval parameters */
if (!(params->flags & BW_NAVIGATE_UNVERIFIABLE)) {
@@ -4707,17 +4707,17 @@ browser_window_page_info_state
browser_window_get_page_info_state(
}
/* Exported interface, documented in browser_window.h */
-nserror browser_window_get_ssl_chain(struct browser_window *bw, size_t *num,
- struct ssl_cert_info **chain)
+nserror
+browser_window_get_ssl_chain(struct browser_window *bw,
+ struct cert_chain **chain)
{
assert(bw != NULL);
- if (bw->current_ssl_info.num == 0) {
+ if (bw->current_cert_chain == NULL) {
return NSERROR_NOT_FOUND;
}
- *num = bw->current_ssl_info.num;
- *chain = &(bw->current_ssl_info.certs[0]);
+ *chain = bw->current_cert_chain;
return NSERROR_OK;
}
diff --git a/desktop/gui_factory.c b/desktop/gui_factory.c
index 8b52e54..7ef457a 100644
--- a/desktop/gui_factory.c
+++ b/desktop/gui_factory.c
@@ -639,8 +639,7 @@ static nserror gui_default_launch_url(struct nsurl *url)
static nserror gui_default_cert_verify(nsurl *url,
- const struct ssl_cert_info *certs,
- unsigned long num,
+ const struct cert_chain *chain,
nserror (*cb)(bool proceed, void *pw),
void *cbpw)
{
diff --git a/desktop/sslcert_viewer.c b/desktop/sslcert_viewer.c
index 4d87257..ec0fd34 100644
--- a/desktop/sslcert_viewer.c
+++ b/desktop/sslcert_viewer.c
@@ -52,6 +52,21 @@ enum sslcert_viewer_field {
typedef nserror (*response_cb)(bool proceed, void *pw);
/**
+ * ssl certificate information for certificate error message
+ */
+struct ssl_cert_info {
+ long version; /**< Certificate version */
+ char not_before[32]; /**< Valid from date */
+ char not_after[32]; /**< Valid to date */
+ int sig_type; /**< Signature type */
+ char serialnum[64]; /**< Serial number */
+ char issuer[256]; /**< Issuer details */
+ char subject[256]; /**< Subject details */
+ int cert_type; /**< Certificate type */
+ ssl_cert_err err; /**< Whatever is wrong with this certificate */
+};
+
+/**
* ssl certificate verification context.
*/
struct sslcert_session_data {
@@ -473,38 +488,183 @@ nserror sslcert_viewer_fini(struct sslcert_session_data
*ssl_d)
return err;
}
+#ifdef WITH_OPENSSL
+
+#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
+
+static nserror
+der_to_certinfo(const uint8_t *der,
+ size_t der_length,
+ struct ssl_cert_info *info)
+{
+ BIO *mem;
+ BUF_MEM *buf;
+ const ASN1_INTEGER *asn1_num;
+ BIGNUM *bignum;
+ X509 *cert; /**< Pointer to certificate */
+
+ if (der == NULL) {
+ return NSERROR_OK;
+ }
+
+ cert = d2i_X509(NULL, &der, der_length);
+ if (cert == NULL) {
+ return NSERROR_INVALID;
+ }
+
+ /* get certificate version */
+ info->version = X509_get_version(cert);
+
+ /* not before date */
+ mem = BIO_new(BIO_s_mem());
+ ASN1_TIME_print(mem, X509_get_notBefore(cert));
+ BIO_get_mem_ptr(mem, &buf);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+ memcpy(info->not_before,
+ buf->data,
+ min(sizeof(info->not_before) - 1, (unsigned)buf->length));
+ info->not_before[min(sizeof(info->not_before) - 1,
(unsigned)buf->length)] = 0;
+ BUF_MEM_free(buf);
+
+ /* not after date */
+ mem = BIO_new(BIO_s_mem());
+ ASN1_TIME_print(mem,
+ X509_get_notAfter(cert));
+ BIO_get_mem_ptr(mem, &buf);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+ memcpy(info->not_after,
+ buf->data,
+ min(sizeof(info->not_after) - 1, (unsigned)buf->length));
+ info->not_after[min(sizeof(info->not_after) - 1,
(unsigned)buf->length)] = 0;
+ BUF_MEM_free(buf);
+
+ /* signature type */
+ info->sig_type = X509_get_signature_type(cert);
+
+ /* serial number */
+ asn1_num = X509_get_serialNumber(cert);
+ if (asn1_num != NULL) {
+ bignum = ASN1_INTEGER_to_BN(asn1_num, NULL);
+ if (bignum != NULL) {
+ char *tmp = BN_bn2hex(bignum);
+ if (tmp != NULL) {
+ strncpy(info->serialnum,
+ tmp,
+ sizeof(info->serialnum));
+ info->serialnum[sizeof(info->serialnum)-1] =
'\0';
+ OPENSSL_free(tmp);
+ }
+ BN_free(bignum);
+ bignum = NULL;
+ }
+ }
+
+ /* issuer name */
+ mem = BIO_new(BIO_s_mem());
+ X509_NAME_print_ex(mem,
+ X509_get_issuer_name(cert),
+ 0, XN_FLAG_SEP_CPLUS_SPC |
+ XN_FLAG_DN_REV | XN_FLAG_FN_NONE);
+ BIO_get_mem_ptr(mem, &buf);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+ memcpy(info->issuer,
+ buf->data,
+ min(sizeof(info->issuer) - 1, (unsigned) buf->length));
+ info->issuer[min(sizeof(info->issuer) - 1, (unsigned) buf->length)] = 0;
+ BUF_MEM_free(buf);
+
+ /* subject */
+ mem = BIO_new(BIO_s_mem());
+ X509_NAME_print_ex(mem,
+ X509_get_subject_name(cert),
+ 0,
+ XN_FLAG_SEP_CPLUS_SPC |
+ XN_FLAG_DN_REV |
+ XN_FLAG_FN_NONE);
+ BIO_get_mem_ptr(mem, &buf);
+ (void) BIO_set_close(mem, BIO_NOCLOSE);
+ BIO_free(mem);
+ memcpy(info->subject,
+ buf->data,
+ min(sizeof(info->subject) - 1, (unsigned)buf->length));
+ info->subject[min(sizeof(info->subject) - 1, (unsigned) buf->length)] =
0;
+ BUF_MEM_free(buf);
+
+ /* type of certificate */
+ info->cert_type = X509_certificate_type(cert, X509_get_pubkey(cert));
+
+ X509_free(cert);
+
+ return NSERROR_OK;
+}
+#else
+static nserror
+der_to_certinfo(uint8_t *der, size_t der_length, struct ssl_cert_info *info)
+{
+ return NSERROR_NOT_IMPLEMENTED;
+}
+#endif
+
+/* copy certificate data */
+static nserror
+convert_chain_to_cert_info(const struct cert_chain *chain,
+ struct ssl_cert_info **cert_info_out)
+{
+ struct ssl_cert_info *certs;
+ size_t depth;
+ nserror res;
+
+ certs = calloc(chain->depth, sizeof(struct ssl_cert_info));
+ if (certs == NULL) {
+ return NSERROR_NOMEM;
+ }
+
+ for (depth = 0; depth < chain->depth;depth++) {
+ res = der_to_certinfo(chain->certs[depth].der,
+ chain->certs[depth].der_length,
+ certs + depth);
+ if (res != NSERROR_OK) {
+ free(certs);
+ return res;
+ }
+ certs[depth].err = chain->certs[depth].err;
+ }
+
+ *cert_info_out = certs;
+ return NSERROR_OK;
+}
/* Exported interface, documented in sslcert_viewer.h */
nserror
-sslcert_viewer_create_session_data(unsigned long num,
- struct nsurl *url,
+sslcert_viewer_create_session_data(struct nsurl *url,
nserror (*cb)(bool proceed, void *pw),
void *cbpw,
- const struct ssl_cert_info *certs,
+ const struct cert_chain *chain,
struct sslcert_session_data **ssl_d)
{
struct sslcert_session_data *data;
-
+ nserror res;
assert(url != NULL);
- assert(certs != NULL);
+ assert(chain != NULL);
data = malloc(sizeof(struct sslcert_session_data));
if (data == NULL) {
*ssl_d = NULL;
return NSERROR_NOMEM;
}
-
- /* copy certificate data */
- data->certs = malloc(num * sizeof(struct ssl_cert_info));
- if (data->certs == NULL) {
+ res = convert_chain_to_cert_info(chain, &data->certs);
+ if (res != NSERROR_OK) {
free(data);
*ssl_d = NULL;
- return NSERROR_NOMEM;
+ return res;
}
- memcpy(data->certs, certs, num * sizeof(struct ssl_cert_info));
data->url = nsurl_ref(url);
- data->num = num;
+ data->num = chain->depth;
data->cb = cb;
data->cbpw = cbpw;
diff --git a/desktop/sslcert_viewer.h b/desktop/sslcert_viewer.h
index 6955e01..8542840 100644
--- a/desktop/sslcert_viewer.h
+++ b/desktop/sslcert_viewer.h
@@ -32,16 +32,15 @@ struct redraw_context;
struct core_window_callback_table;
struct rect;
struct nsurl;
-struct ssl_cert_info;
+struct cert_chain;
/**
* Create ssl certificate viewer session data.
*
- * \param num The number of certificates in the chain
* \param url Address of the page we're inspecting certificates of
* \param cb Low level cache callback
* \param cbpw Low level cache private data
- * \param certs The SSL certificates
+ * \param chain The SSL certificate chain
* \param ssl_d Updated to SSL certificate session data
* \return NSERROR_OK on success, appropriate error otherwise
*
@@ -49,8 +48,10 @@ struct ssl_cert_info;
* sslcert_viewer_fini destroys the session data.
*/
nserror sslcert_viewer_create_session_data(
- unsigned long num, struct nsurl *url, nserror (*cb)(bool
proceed, void *pw),
- void *cbpw, const struct ssl_cert_info *certs,
+ struct nsurl *url,
+ nserror (*cb)(bool proceed, void *pw),
+ void *cbpw,
+ const struct cert_chain *chain,
struct sslcert_session_data **ssl_d);
@@ -65,7 +66,8 @@ nserror sslcert_viewer_create_session_data(
* \return NSERROR_OK on success, appropriate error otherwise
*/
nserror sslcert_viewer_init(struct core_window_callback_table *cw_t,
- void *core_window_handle, struct sslcert_session_data *ssl_d);
+ void *core_window_handle,
+ struct sslcert_session_data *ssl_d);
/**
diff --git a/frontends/gtk/page_info.c b/frontends/gtk/page_info.c
index adc2dfa..1401fdc 100644
--- a/frontends/gtk/page_info.c
+++ b/frontends/gtk/page_info.c
@@ -52,6 +52,7 @@ struct nsgtk_crtvrfy_window {
struct sslcert_session_data *ssl_data;
};
+
/**
* destroy a previously created certificate view
*/
@@ -178,11 +179,14 @@ nserror nsgtk_page_info(struct browser_window *bw)
struct nsgtk_crtvrfy_window *ncwin;
nserror res;
- size_t num;
- struct ssl_cert_info *chain;
+ struct cert_chain *chain;
struct nsurl *url;
- browser_window_get_ssl_chain(bw, &num, &chain);
+ res = browser_window_get_ssl_chain(bw, &chain);
+ if (res != NSERROR_OK) {
+ NSLOG(netsurf, WARNING, "Unable to get certificate chain");
+ return NSERROR_INVALID;
+ }
url = browser_window_access_url(bw);
ncwin = malloc(sizeof(struct nsgtk_crtvrfy_window));
@@ -245,8 +249,8 @@ nserror nsgtk_page_info(struct browser_window *bw)
}
/* initialise certificate viewing interface */
- res = sslcert_viewer_create_session_data(num, url, dummy_cb, NULL,
chain,
- &ncwin->ssl_data);
+ res = sslcert_viewer_create_session_data(
+ url, dummy_cb, NULL, chain, &ncwin->ssl_data);
if (res != NSERROR_OK) {
g_object_unref(G_OBJECT(ncwin->dlg));
free(ncwin);
diff --git a/include/netsurf/browser_window.h b/include/netsurf/browser_window.h
index 7b2f652..e8faa18 100644
--- a/include/netsurf/browser_window.h
+++ b/include/netsurf/browser_window.h
@@ -42,7 +42,7 @@ struct form_control;
struct nsurl;
struct rect;
struct redraw_context;
-struct ssl_cert_info;
+struct cert_chain;
enum content_debug;
/**
@@ -784,11 +784,9 @@ browser_window_page_info_state
browser_window_get_page_info_state(
* If there is no chain available, this will return NSERROR_NOT_FOUND
*
* \param bw The browser window
- * \param num Pointer to be filled out with chain length
- * \param chain Pointer to be filled out with chain base
+ * \param chain Pointer to be filled out with certificate chain
* \return Whether or not the chain is available
*/
-nserror browser_window_get_ssl_chain(struct browser_window *bw, size_t *num,
- struct ssl_cert_info **chain);
+nserror browser_window_get_ssl_chain(struct browser_window *bw, struct
cert_chain **chain);
#endif
diff --git a/include/netsurf/misc.h b/include/netsurf/misc.h
index 8a79531..cc0b78d 100644
--- a/include/netsurf/misc.h
+++ b/include/netsurf/misc.h
@@ -27,7 +27,7 @@
struct form_control;
struct gui_window;
-struct ssl_cert_info;
+struct cert_chain;
struct nsurl;
/**
@@ -81,8 +81,7 @@ struct gui_misc_table {
* \return NSERROR_OK on sucess else error and cb never called
*/
nserror (*cert_verify)(struct nsurl *url,
- const struct ssl_cert_info *certs,
- unsigned long num,
+ const struct cert_chain *chain,
nserror (*cb)(bool proceed, void *pw),
void *cbpw);
diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h
index 0444678..1aaf485 100644
--- a/include/netsurf/ssl_certs.h
+++ b/include/netsurf/ssl_certs.h
@@ -48,22 +48,67 @@ typedef enum {
/** Always the max known ssl certificate error type */
#define SSL_CERT_ERR_MAX_KNOWN SSL_CERT_ERR_HOSTNAME_MISMATCH
+/** maximum number of X509 certificates in chain for TLS connection */
+#define MAX_CERT_DEPTH 10
+
/**
- * ssl certificate information for certificate error message
+ * X509 certificate chain
*/
-struct ssl_cert_info {
- long version; /**< Certificate version */
- char not_before[32]; /**< Valid from date */
- char not_after[32]; /**< Valid to date */
- int sig_type; /**< Signature type */
- char serialnum[64]; /**< Serial number */
- char issuer[256]; /**< Issuer details */
- char subject[256]; /**< Subject details */
- int cert_type; /**< Certificate type */
- ssl_cert_err err; /**< Whatever is wrong with this certificate */
+struct cert_chain {
+ /**
+ * the number of certificates in the chain
+ * */
+ size_t depth;
+ struct {
+ /**
+ * Whatever is wrong with this certificate
+ */
+ ssl_cert_err err;
+
+ /**
+ * data in Distinguished Encoding Rules (DER) format
+ */
+ uint8_t *der;
+
+ /**
+ * DER length
+ */
+ size_t der_length;
+ } certs[MAX_CERT_DEPTH];
};
-/** maximum number of X509 certificates in chain for TLS connection */
-#define MAX_SSL_CERTS 10
+/**
+ * create new certificate chain
+ *
+ * \param dpth the depth to set in the new chain.
+ * \param chain_out A pointer to recive the new chain.
+ * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
+ */
+nserror cert_chain_alloc(size_t depth, struct cert_chain **chain_out);
+
+/**
+ * duplicate a certificate chain
+ *
+ * \param src The certificate chain to copy from
+ * \param dst_out A pointer to recive the duplicated chain
+ * \return NSERROR_OK on success or NSERROR_NOMEM on memory exhaustion
+ */
+nserror cert_chain_dup(const struct cert_chain *src, struct cert_chain
**dst_out);
+
+/**
+ * free a certificate chain
+ *
+ * \param chain The certificate chain to free
+ * \return NSERROR_OK on success
+ */
+nserror cert_chain_free(struct cert_chain *chain);
+
+/**
+ * total number of data bytes in a chain
+ *
+ * \param chain The chain to size
+ * \return the number of bytes used by the chain
+ */
+size_t cert_chain_size(const struct cert_chain *chain);
#endif /* NETSURF_SSL_CERTS_H_ */
diff --git a/utils/Makefile b/utils/Makefile
index 2f59501..e0fbd8e 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -13,6 +13,7 @@ S_UTILS := \
messages.c \
nsoption.c \
punycode.c \
+ ssl_certs.c \
talloc.c \
time.c \
url.c \
diff --git a/utils/ssl_certs.c b/utils/ssl_certs.c
new file mode 100644
index 0000000..7154561
--- /dev/null
+++ b/utils/ssl_certs.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright 2020 Vincent Sanders <[email protected]>
+ *
+ * This file is part of NetSurf, http://www.netsurf-browser.org/
+ *
+ * NetSurf is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * NetSurf is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * \file
+ * helpers for X509 certificate chains
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "utils/errors.h"
+#include "utils/log.h"
+
+#include "netsurf/ssl_certs.h"
+
+/*
+ * create new certificate chain
+ *
+ * exported interface documented in netsurf/ssl_certs.h
+ */
+nserror
+cert_chain_alloc(size_t depth, struct cert_chain **chain_out)
+{
+ struct cert_chain* chain;
+
+ chain = calloc(1, sizeof(struct cert_chain));
+ if (chain == NULL) {
+ return NSERROR_NOMEM;
+ }
+
+ chain->depth = depth;
+
+ *chain_out = chain;
+
+ return NSERROR_OK;
+}
+
+
+/*
+ * duplicate certificate chain
+ *
+ * exported interface documented in netsurf/ssl_certs.h
+ */
+nserror
+cert_chain_dup(const struct cert_chain *src, struct cert_chain **dst_out)
+{
+ struct cert_chain* dst;
+ size_t depth;
+ nserror res;
+
+ res = cert_chain_alloc(src->depth, &dst);
+ if (res != NSERROR_OK) {
+ return res;
+ }
+
+ for (depth = 0; depth < src->depth; depth++) {
+ dst->certs[depth].err = src->certs[depth].err;
+ dst->certs[depth].der_length = src->certs[depth].der_length;
+ if (src->certs[depth].der != NULL) {
+ dst->certs[depth].der =
malloc(src->certs[depth].der_length);
+ if (dst->certs[depth].der == NULL) {
+ cert_chain_free(dst);
+ return NSERROR_NOMEM;
+ }
+ memcpy(dst->certs[depth].der,
+ src->certs[depth].der,
+ src->certs[depth].der_length);
+ }
+
+ }
+
+ *dst_out = dst;
+ return NSERROR_OK;
+}
+
+
+/*
+ * free certificate chain
+ *
+ * exported interface documented in netsurf/ssl_certs.h
+ */
+nserror cert_chain_free(struct cert_chain* chain)
+{
+ size_t depth;
+
+ if (chain != NULL) {
+ for (depth = 0; depth < chain->depth; depth++) {
+ if (chain->certs[depth].der != NULL) {
+ free(chain->certs[depth].der);
+ }
+ }
+
+ free(chain);
+ }
+
+ return NSERROR_OK;
+}
+
+
+/*
+ * calculate storage used of certificate chain
+ *
+ * exported interface documented in netsurf/ssl_certs.h
+ */
+size_t cert_chain_size(const struct cert_chain *chain)
+{
+ size_t size = 0;
+ size_t depth;
+
+ if (chain != NULL) {
+ size += sizeof(struct cert_chain);
+
+ for (depth = 0; depth < chain->depth; depth++) {
+ if (chain->certs[depth].der != NULL) {
+ size += chain->certs[depth].der_length;
+ }
+ }
+ }
+
+ return size;
+}
--
NetSurf Browser
_______________________________________________
netsurf-commits mailing list
[email protected]
http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/netsurf-commits-netsurf-browser.org
