Gitweb links: ...log http://git.netsurf-browser.org/netsurf.git/shortlog/3a8317fddb979f95ff7ae3a6c2f44f95fe1723c1 ...commit http://git.netsurf-browser.org/netsurf.git/commit/3a8317fddb979f95ff7ae3a6c2f44f95fe1723c1 ...tree http://git.netsurf-browser.org/netsurf.git/tree/3a8317fddb979f95ff7ae3a6c2f44f95fe1723c1
The branch, master has been updated via 3a8317fddb979f95ff7ae3a6c2f44f95fe1723c1 (commit) via 6f105c41c202c570a37cc0cca2ab15172b2dbbaf (commit) via 24dd16ddff6a284a98c1abb30dacbf23d8895f4f (commit) from f1e6690b25eacac268686b5ebf02a5f31ca918af (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commitdiff http://git.netsurf-browser.org/netsurf.git/commit/?id=3a8317fddb979f95ff7ae3a6c2f44f95fe1723c1 commit 3a8317fddb979f95ff7ae3a6c2f44f95fe1723c1 Author: Daniel Silverstone <dsilv...@digital-scurf.org> Commit: Daniel Silverstone <dsilv...@digital-scurf.org> fetch_curl_report_certs_upstream: Use new SSL_CERT_ERR_CERT_MISSING Signed-off-by: Daniel Silverstone <dsilv...@digital-scurf.org>
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index cb09ece..0be33ae 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -482,7 +482,11 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
 memset(ssl_certs, 0, sizeof(ssl_certs));
 for (depth = 0; depth <= f->cert_depth; depth++) {
- assert(certs[depth].cert != NULL);
+ if (certs[depth].cert == NULL) {
+ /* This certificate is missing, skip it */
+ ssl_certs[depth].err = SSL_CERT_ERR_CERT_MISSING;
+ continue;
+ }
 /* get certificate version */
 ssl_certs[depth].version = X509_get_version(certs[depth].cert);
commitdiff http://git.netsurf-browser.org/netsurf.git/commit/?id=6f105c41c202c570a37cc0cca2ab15172b2dbbaf commit 6f105c41c202c570a37cc0cca2ab15172b2dbbaf Author: Daniel Silverstone <dsilv...@digital-scurf.org> Commit: Daniel Silverstone <dsilv...@digital-scurf.org> Add certificate-missing error code Signed-off-by: Daniel Silverstone <dsilv...@digital-scurf.org>
diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h
index dcd644e..0444678 100644
--- a/include/netsurf/ssl_certs.h
+++ b/include/netsurf/ssl_certs.h
@@ -42,6 +42,7 @@ typedef enum {
 SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */
 SSL_CERT_ERR_REVOKED, /**< This certificate has been revoked */
 SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not match the server */
+ SSL_CERT_ERR_CERT_MISSING, /**< This certificate was missing from the chain, its data is useless */
 } ssl_cert_err;
 /** Always the max known ssl certificate error type */
diff --git a/resources/FatMessages b/resources/FatMessages
index f1cb870..c5cfd3e 100644
--- a/resources/FatMessages
+++ b/resources/FatMessages
@@ -1085,6 +1085,7 @@ en.all.SSLCertErrSelfSigned:The certificate is self signed.
 en.all.SSLCertErrChainSelfSigned:The certificate chain is self signed.
 en.all.SSLCertErrRevoked:The certificate has been revoked by the issuer.
 en.all.SSLCertErrHostnameMismatch:The certificate is for a different host than the server
+en.all.SSLCertErrCertMissing:The certificate was missing from the chain.
 # Timeout error interface
diff --git a/utils/messages.c b/utils/messages.c
index 5525e18..418276e 100644
--- a/utils/messages.c
+++ b/utils/messages.c
@@ -445,6 +445,10 @@ const char *messages_get_sslcode(ssl_cert_err code)
 /* Common name is invalid */
 return messages_get_ctx("SSLCertErrHostnameMismatch", messages_hash);
+ case SSL_CERT_ERR_CERT_MISSING:
+ /* Common name is invalid */
+ return messages_get_ctx("SSLCertErrCertMissing", messages_hash);
+
 }
 /* The switch has no default, so the compiler should tell us when we
commitdiff http://git.netsurf-browser.org/netsurf.git/commit/?id=24dd16ddff6a284a98c1abb30dacbf23d8895f4f commit 24dd16ddff6a284a98c1abb30dacbf23d8895f4f Author: Daniel Silverstone <dsilv...@digital-scurf.org> Commit: Daniel Silverstone <dsilv...@digital-scurf.org> fetch_curl_verify_callback: Do depth update after check Signed-off-by: Daniel Silverstone <dsilv...@digital-scurf.org>
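Review bot: The definition that follows the trailing context comment `/** Always the max known ssl certificate error type */` is not touched by this change, although `SSL_CERT_ERR_CERT_MISSING` is now the last enumerator. That definition lies outside the hunk, and the diffstat records a single added line for this header, so if it names the last enumerator explicitly it still resolves to `SSL_CERT_ERR_HOSTNAME_MISMATCH`. Any bounds check or lookup table derived from it would then treat the new code as out of range, so it should be moved to `SSL_CERT_ERR_CERT_MISSING` in the same commit. The identical hunk is repeated in the combined diff at the end of the message.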
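Review bot: The comment inside the new `case SSL_CERT_ERR_CERT_MISSING:` arm was carried over from the hostname-mismatch arm above it and still reads `/* Common name is invalid */`; it should read `/* Certificate is missing from the chain */`. The lookup key `SSLCertErrCertMissing` is added to resources/FatMessages only as an `en.all` entry in this change, so it is worth confirming how other locales resolve it. The switch in messages_get_sslcode starts and ends outside the hunk, and the same hunk is repeated in the combined diff at the end of the message.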
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index a1d7ee1..cb09ece 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -662,11 +662,6 @@ fetch_curl_verify_callback(int verify_ok, X509_STORE_CTX *x509_ctx)
 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
 fetch = X509_STORE_CTX_get_app_data(x509_ctx);
- /* record the max depth */
- if (depth > fetch->cert_depth) {
- fetch->cert_depth = depth;
- }
-
 /* certificate chain is excessively deep so fail verification */
 if (depth >= MAX_SSL_CERTS) {
 X509_STORE_CTX_set_error(x509_ctx,
@@ -674,6 +669,11 @@ fetch_curl_verify_callback(int verify_ok, X509_STORE_CTX *x509_ctx)
 return 0;
 }
+ /* record the max depth */
+ if (depth > fetch->cert_depth) {
+ fetch->cert_depth = depth;
+ }
+
 /* save the certificate by incrementing the reference count and
 * keeping a pointer.
 */
----------------------------------------------------------------------- Summary of changes: content/fetchers/curl.c | 16 ++++++++++------ include/netsurf/ssl_certs.h | 1 + resources/FatMessages | 1 + utils/messages.c | 4 ++++ 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index a1d7ee1..0be33ae 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -482,7 +482,11 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
 memset(ssl_certs, 0, sizeof(ssl_certs));
 for (depth = 0; depth <= f->cert_depth; depth++) {
- assert(certs[depth].cert != NULL);
+ if (certs[depth].cert == NULL) {
+ /* This certificate is missing, skip it */
+ ssl_certs[depth].err = SSL_CERT_ERR_CERT_MISSING;
+ continue;
+ }
 /* get certificate version */
 ssl_certs[depth].version = X509_get_version(certs[depth].cert);
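Review bot: Nothing in the moved block of fetch_curl_verify_callback says that its position after the `depth >= MAX_SSL_CERTS` check is what keeps `fetch->cert_depth` within bounds. `cert_depth` is the inclusive upper bound of `for (depth = 0; depth <= f->cert_depth; depth++)` in fetch_curl_report_certs_upstream, which indexes `certs[]` and `ssl_certs[]` (presumably sized by `MAX_SSL_CERTS`; their declarations are not visible here), and with the old ordering an over-deep chain raised it past the limit even though verification was failed. I would make the comment `/* record the max depth; must stay after the MAX_SSL_CERTS check because cert_depth bounds array indexing when the chain is reported */`. The callback body continues outside both hunks, and the same pair of hunks is repeated in the combined diff that follows.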
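Review bot: Entries skipped by the new `continue` in fetch_curl_report_certs_upstream carry nothing but `err = SSL_CERT_ERR_CERT_MISSING`; every other field keeps the zero written by the `memset` above the loop. Whatever consumes `ssl_certs` after the loop is outside the hunk, so it should be confirmed that it checks `err` before reading `version` or any other field, and that a gap in the chain is handled as a verification failure rather than as an informational state. I would have the comment say so: `/* No certificate captured at this depth: flag it and leave the zeroed entry; consumers must check err first */`. This hunk also appears in the first commit's diff near the top of the message.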
@@ -662,11 +666,6 @@ fetch_curl_verify_callback(int verify_ok, X509_STORE_CTX *x509_ctx)
 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
 fetch = X509_STORE_CTX_get_app_data(x509_ctx);
- /* record the max depth */
- if (depth > fetch->cert_depth) {
- fetch->cert_depth = depth;
- }
-
 /* certificate chain is excessively deep so fail verification */
 if (depth >= MAX_SSL_CERTS) {
 X509_STORE_CTX_set_error(x509_ctx,
@@ -674,6 +673,11 @@ fetch_curl_verify_callback(int verify_ok, X509_STORE_CTX *x509_ctx)
 return 0;
 }
+ /* record the max depth */
+ if (depth > fetch->cert_depth) {
+ fetch->cert_depth = depth;
+ }
+
 /* save the certificate by incrementing the reference count and
 * keeping a pointer.
 */
diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h
index dcd644e..0444678 100644
--- a/include/netsurf/ssl_certs.h
+++ b/include/netsurf/ssl_certs.h
@@ -42,6 +42,7 @@ typedef enum {
 SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */
 SSL_CERT_ERR_REVOKED, /**< This certificate has been revoked */
 SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not match the server */
+ SSL_CERT_ERR_CERT_MISSING, /**< This certificate was missing from the chain, its data is useless */
 } ssl_cert_err;
 /** Always the max known ssl certificate error type */
diff --git a/resources/FatMessages b/resources/FatMessages
index f1cb870..c5cfd3e 100644
--- a/resources/FatMessages
+++ b/resources/FatMessages
@@ -1085,6 +1085,7 @@ en.all.SSLCertErrSelfSigned:The certificate is self signed.
 en.all.SSLCertErrChainSelfSigned:The certificate chain is self signed.
 en.all.SSLCertErrRevoked:The certificate has been revoked by the issuer.
 en.all.SSLCertErrHostnameMismatch:The certificate is for a different host than the server
+en.all.SSLCertErrCertMissing:The certificate was missing from the chain.
 # Timeout error interface
diff --git a/utils/messages.c b/utils/messages.c
index 5525e18..418276e 100644
--- a/utils/messages.c
+++ b/utils/messages.c
@@ -445,6 +445,10 @@ const char *messages_get_sslcode(ssl_cert_err code)
 /* Common name is invalid */
 return messages_get_ctx("SSLCertErrHostnameMismatch", messages_hash);
+ case SSL_CERT_ERR_CERT_MISSING:
+ /* Common name is invalid */
+ return messages_get_ctx("SSLCertErrCertMissing", messages_hash);
+
 }
 /* The switch has no default, so the compiler should tell us when we
-- NetSurf Browser _______________________________________________ netsurf-commits mailing list netsurf-commits@netsurf-browser.org http://listmaster.pepperfish.net/cgi-bin/mailman/listinfo/netsurf-commits-netsurf-browser.org