Commit Graph

105 Commits

Author SHA1 Message Date
Daniel Silverstone
754e3f4f8c
curl: Pass cert chain on even if we get no headers
Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2020-05-04 18:29:46 +01:00
Michael Drake
0140d1e5b1 Curl fetcher: Guard against read of uninitialised value.
Fixes Coverity issue:

CID 1419830:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "buf[depth]".
2020-02-24 14:58:16 +00:00
Michael Drake
b8dc537bf8 Curl fetcher: Squash coverity warning.
CID 1419832:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "goto out;".
2020-02-24 14:31:02 +00:00
Daniel Silverstone
e6a5c090c9
curl: Implement SSL chain cache in cURL fetcher
Because cURL can do connection caching behind the scenes, we
need to have a cache for the SSL certificate chains which we
send onward on first header back from cURL.

This uses the new hashmap implementation to mean that we cache
chains on a hostname:port basis.

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2020-02-23 22:31:58 +00:00
Vincent Sanders
0c34d06494 Keep the complete certificate chain from a fetch
Instead of extracting information from the X509 certificate chain in
the fetcher the entire chain is propagated in Distinguished Encoding
Rules (DER) format.

This allows all the information contained in a certificate chain to be
retained which can subsequently be presented to the user
2020-02-23 16:23:50 +00:00
Daniel Silverstone
3a8317fddb
fetch_curl_report_certs_upstream: Use new SSL_CERT_ERR_CERT_MISSING
Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-12-03 09:42:14 +00:00
Daniel Silverstone
24dd16ddff
fetch_curl_verify_callback: Do depth update after check
Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-12-03 09:35:51 +00:00
Vincent Sanders
78aa34e5d7 remove user warnings from hotlist load and curl poll 2019-11-05 00:07:06 +00:00
Daniel Silverstone
a5766db2b9 fetchers/curl: Restrict AUTH to BASIC
cURL will prevent channel reuse if NTLM auth is enabled because
NTLM authenticates a channel not a request.  As such we were
unable to reuse curl handles since we handed off connection
reuse to curl instead of our own handle cache.  This mitigates
the effect, though curl authors are looking at fixing it upstream
too.

Fixes: #2707

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-10-21 10:03:46 +01:00
Vincent Sanders
c9296f79a8 Use curl API (versions after 7.56.0) to determine if openssl is in use 2019-10-01 21:23:35 +01:00
Vincent Sanders
0a3786fed2 Allow the curl fetcher to be built without openssl.
The curl fetcher can operate without openssl library being
 available, additionaly curl itself may be compiled with a
 different TLS library.

In either case this will simply cause the "unknown" error to be
 reported for all TLS failiures and page information to lack any
 certificate information.
2019-09-30 23:57:49 +01:00
Daniel Silverstone
44f3846727 SSL Error: Enable OpenSSL hostname verification
Since OpenSSL 1.0.2 there has been hostname verification support
which cURL doesn't turn on for some reason.  Turn it on so that
we get better hostname verification handling.

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-08-14 20:11:11 +01:00
Vincent Sanders
98f4525073 add common name ssl certificate error
This adds an ssl faliure code and explanation why curl fetcher
 does not currently set it.
2019-08-10 12:50:23 +01:00
Daniel Silverstone
1cf1ec55bc Support SSL verification through new about: handler
In doing this, also propagate why the certificates were bad
so that the page can display a reason.  We will need FatMessages
for all these.

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-08-06 13:15:23 +01:00
Daniel Silverstone
ddfa76b1fc curl.c: Don't use OpenSSL 1.1 only serialNumber fetcher
Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-08-05 22:03:42 +01:00
Daniel Silverstone
bfb1bb1192 Migrate SSL certificate storage to the browser window
* Fetchers now provide the certificates before headers
* This is propagated all the way to the browser window
* When a query occurs, we retrieve it from there and fire
  the query with those stored certificates.
* The serial number is a bignum, store it as hex.

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-08-05 18:12:47 +01:00
Daniel Silverstone
1f24336d6c curl: Change where we lodge inside_curl
Because we need to be slightly more careful now, lodge ourselves
`inside_curl` whenever we might be processing via the cURL messages
or similar.

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-08-02 15:02:45 +01:00
Daniel Silverstone
c9384d65f6 curl: Immediately abort fetchers when we can
Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-08-02 14:38:54 +01:00
Daniel Silverstone
3d80e825e1 content/fetchers/curl.c: Defer fetch start if inside cURL
In order to cope better with modern cURL which prevents making
cURL calls when inside a callback from within cURL, defer fetch
start when we are processing in `fetch_curl_data()`.

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
2019-06-05 19:51:47 +01:00
Vincent Sanders
13a5b8f74a make curl fetcher log debug using NSLOG
stop curl fetcher logging being special case to standard error and
 use the fetch catagory at DEBUG level instead.

The special suppress_curl_debug option is currently still obeyed
2019-05-28 11:16:49 +01:00
Michael Drake
65b16f4c54 Curl fetcher: Force HTTP1.1 to fix HTTP2 crash.
On ubuntu 19.4, curl is built with HTTP2 support, and we
segfault.

==18174== Invalid read of size 1
==18174==    at 0x4ACCE7D: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x4B054B1: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x4AD398A: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x4AD7A0B: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x4AE93EE: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x4AEA8A8: curl_multi_perform (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x1F2EF7: fetch_curl_poll (curl.c:1209)
==18174==    by 0x1EEC5C: fetcher_poll (fetch.c:271)
==18174==    by 0x2A1ED4: schedule_run (schedule.c:160)
==18174==    by 0x15F941: framebuffer_run (gui.c:596)
==18174==    by 0x15F941: main (gui.c:2206)
==18174==  Address 0x9de95a8 is 3,224 bytes inside a block of size 6,304 free'd
==18174==    at 0x483997B: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==18174==    by 0x4AD497B: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x4AE158C: curl_easy_cleanup (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x1F30DE: fetch_curl_cache_handle (curl.c:761)
==18174==    by 0x1F30DE: fetch_curl_stop (curl.c:840)
==18174==    by 0x1F30DE: fetch_curl_done (curl.c:1122)
==18174==    by 0x1F30DE: fetch_curl_poll (curl.c:1223)
==18174==    by 0x1EEC5C: fetcher_poll (fetch.c:271)
==18174==    by 0x2A1ED4: schedule_run (schedule.c:160)
==18174==    by 0x15F941: framebuffer_run (gui.c:596)
==18174==    by 0x15F941: main (gui.c:2206)
==18174==  Block was alloc'd at
==18174==    at 0x483AB35: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==18174==    by 0x4AE165F: curl_easy_duphandle (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x1F15EB: fetch_curl_get_handle (curl.c:738)
==18174==    by 0x1F15EB: fetch_curl_start (curl.c:750)
==18174==    by 0x1EEB22: fetch_dispatch_job (fetch.c:156)
==18174==    by 0x1EEB22: fetch_choose_and_dispatch (fetch.c:187)
==18174==    by 0x1EEB22: fetch_dispatch_jobs (fetch.c:247)
==18174==    by 0x1EF1BB: fetch_start (fetch.c:573)
==18174==    by 0x26C779: llcache_object_refetch (llcache.c:916)
==18174==    by 0x26D5E4: llcache_object_fetch (llcache.c:979)
==18174==    by 0x26D5E4: llcache_object_retrieve_from_cache (llcache.c:1767)
==18174==    by 0x26D5E4: llcache_object_retrieve (llcache.c:1865)
==18174==    by 0x26E42C: llcache_fetch_redirect (llcache.c:2110)
==18174==    by 0x26E42C: llcache_fetch_callback (llcache.c:2810)
==18174==    by 0x1F1295: fetch_curl_process_headers (curl.c:922)
==18174==    by 0x1F13A0: fetch_curl_data (curl.c:1324)
==18174==    by 0x4ACD4C3: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
==18174==    by 0x4AE00DA: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.5.0)
2019-05-06 17:12:14 +01:00
Michael Drake
97f9e2d9f5 Curl fetcher: Jiggle logging levels. 2018-08-09 16:43:37 +01:00
Michael Drake
ca0514ea92 Curl fetcher: Move poll logging from INFO to DEEPDEBUG. 2018-08-09 14:58:49 +01:00
John-Mark Bell
a8bf9b05aa HTTPS: restrict ciphersuites 2018-04-22 12:54:23 +00:00
John-Mark Bell
7d4349035d Explicitly re-enable TLS session tickets.
Libcurl disables this by default.
2018-04-22 12:24:56 +00:00
Daniel Silverstone
70b6ca4376 Force SSL session caching on, Ubuntu seems to have it off by default 2018-04-22 13:04:21 +01:00
Daniel Silverstone
5efc6407d3 Revert "Disable SSL session ID caching."
This reverts commit debe0e345b.
2018-04-22 12:58:39 +01:00
Vincent Sanders
75018632a9 Use coccinelle to change logging macro calls in c files
for F in $(git ls-files '*.c');do spatch --sp-file foo.cocci --in-place ${F};done

@@ expression E; @@
-LOG(E);
+NSLOG(netsurf, INFO, E);
@@ expression E, E1; @@
-LOG(E, E1);
+NSLOG(netsurf, INFO, E, E1);
@@ expression E, E1, E2; @@
-LOG(E, E1, E2);
+NSLOG(netsurf, INFO, E, E1, E2);
@@ expression E, E1, E2, E3; @@
-LOG(E, E1, E2, E3);
+NSLOG(netsurf, INFO, E, E1, E2, E3);
@@ expression E, E1, E2, E3, E4; @@
-LOG(E, E1, E2, E3, E4);
+NSLOG(netsurf, INFO, E, E1, E2, E3, E4);
@@ expression E, E1, E2, E3, E4, E5; @@
-LOG(E, E1, E2, E3, E4, E5);
+NSLOG(netsurf, INFO, E, E1, E2, E3, E4, E5);
@@ expression E, E1, E2, E3, E4, E5, E6; @@
-LOG(E, E1, E2, E3, E4, E5, E6);
+NSLOG(netsurf, INFO, E, E1, E2, E3, E4, E5, E6);
@@ expression E, E1, E2, E3, E4, E5, E6, E7; @@
-LOG(E, E1, E2, E3, E4, E5, E6, E7);
+NSLOG(netsurf, INFO, E, E1, E2, E3, E4, E5, E6, E7);
2017-09-06 18:45:27 +01:00
Vincent Sanders
3f88c12315 Fix OpenSSL X509 cert API detection
LibreSSL defines a OPENSSL_VERSION_NUMBER of 2.1 but only provides the
old OpenSSL 1.0.x API.
2016-11-21 18:29:23 +00:00
Vincent Sanders
e8a9e37445 fix openSSL 1.1.0 X509 certificate handling 2016-11-20 12:15:31 +00:00
Daniel Silverstone
a468b40990 Refactor the fdset acquisition into the fetchers to stop fetch.c including curl.h 2016-06-27 21:00:58 +01:00
Vincent Sanders
ab6c03f311 Fix handling of certificate chains
When processing a x509 certificate chain from openssl it is necessary
to allow teh entire chain to be processed rather than halting
processing at the first certificate with an error. This allows errors
with a certificate authority to be examined.
2016-06-27 13:39:07 +01:00
Vincent Sanders
527756cca0 move fetch header into public API 2016-05-30 11:29:39 +01:00
Vincent Sanders
fe7eb85614 move misc header into public API 2016-05-30 11:23:32 +01:00
Vincent Sanders
6a36d4ec2b remove all core usage of warn_user API 2016-04-26 12:50:16 +01:00
Vincent Sanders
7d9c9dba36 Split utils header into string functions and everything else
split out the string handling API from the rest of the utils header
and fix up all the fallout.
2016-04-21 22:36:21 +01:00
Vincent Sanders
798654f910 remove curl fetchers use of the wallclock API
The wallclock() API uses gettimeofday which can be affected by the the
systems clock being changed etc. The curl fetcher usage of this API is
to generate a timing delta and does not cope with the gettimeofday
issues.

This changes the fetcher to use the nsutils library monotonic time
function which does not suffer from the issues with gettimeofday.
2016-04-19 14:18:09 +01:00
Vincent Sanders
ade0cd8bb9 Reduce unecessary use of networking headers
The utility configuration header dragged in a number of bsd sockets
and related API as a side effect of setting up the configuration. By
splitting the header and API setup into a separate header only the
small number of places that need the functionality explitly include
it.
2016-04-17 13:42:28 +01:00
Michael Drake
4055ecf796 Tiny simplification of curl debug logging. 2016-01-21 09:27:27 +00:00
Michael Drake
401cc36924 Add extra logging to curl poll fn when not suppressing curl debug. 2015-11-11 10:39:12 +00:00
Daniel Silverstone
4d1ef3bac4 Add support for retrying timed-out cURL fetches.
This is an attempt to amelioriate the situation found in #2384 where
we see the cURL connect() failing to complete.  Based on the pcap
from the bug log, we believe that RISC OS is likely failing to signal
the completion of the connection to cURL.  As such, cURL times out.

This change permits retries of timed out connections in the hope that
a fresh socket FD might subsequently function correctly.  The defaults
chosen mean that the previous behaviour of 30 seconds before timeout
is reported will remain the same, but in that time we will make 3 separate
attempts to connect the socket.
2015-11-10 21:51:54 +00:00
Vincent Sanders
c105738fa3 Change LOG() macro to be varadic
This changes the LOG macro to be varadic removing the need for all
callsites to have double bracketing and allows for future improvement
on how we use the logging macros.

The callsites were changed with coccinelle and the changes checked by
hand. Compile tested for several frontends but not all.

A formatting annotation has also been added which allows the compiler
to check the parameters and types passed to the logging.
2015-05-28 16:08:46 +01:00
Vincent Sanders
a487f7e611 Move win32 window operations into their own module
This splits up a great deal of the win32 window code out from other
gui code. It also remove large quantities of unused and junk
variables and functions.
2015-03-12 23:48:53 +00:00
Vincent Sanders
669df172ec Fix my spelling of teh everywhere 2014-11-18 17:16:26 +00:00
Vincent Sanders
71d016aba5 Remove unecessary form debug
Additionaly we make the curl fetcher report errors instead of
uninitialised buffer.
2014-11-15 18:23:44 +00:00
Vincent Sanders
56bb1b03c5 Doxygen cleanups 2014-11-09 12:50:30 +00:00
Vincent Sanders
53f0f432dd update fetcher registration API to return an error code.
By using an error code return we can gracefully handle fetcher
registration faliures instead of just immediately aborting.

The curl handler was also cleaned up and documentation improved
as a side effect.
2014-10-25 17:15:23 +01:00
Vincent Sanders
d06df231bc Update the core to use the split operations table headers
Second in the series to decouple the core API usage from the frontends.
2014-10-16 22:33:43 +01:00
John-Mark Bell
b2242c57e1 HTTPS: disable all SSL versions; emit fallback SCSV on downgrade.
This removes all support for SSL and (with help from servers that
support the fallback SCSV) protects against inappropriate protocol
downgrade.
2014-10-15 12:02:25 +01:00
Vincent Sanders
02bbaa3e88 split version info into its own header and remove unnecessary nesurf.h includes
The netsurf.h header should *only* contain the registration, core
initialisation and finalisation methods. Version information is best
placed in its own header.

Also remove any unneeded inclusion of this header limiting it to
solely the places the relevant API is required.
2014-10-13 15:08:16 +01:00