authorSebastian Geerken <devnull@localhost>2015-05-24 10:45:22 +0200
committerSebastian Geerken <devnull@localhost>2015-05-24 10:45:22 +0200
commitf0fba0cb8e0fb64b960e6af8537661b565cc2121 (patch)
tree418ef2a1295f8ce119a6ec626c31ed037ba097e3
parent6a9fcedc2df7b2dc81aa16b11f64758acbccc83f (diff)
parent02a3ee925afe16af350979f679df869164dd39c2 (diff)
Merge with main repo.
-rw-r--r--AUTHORS2
-rw-r--r--ChangeLog7
-rw-r--r--dillorc4
-rw-r--r--src/IO/http.c6
-rw-r--r--src/IO/ssl.c67
-rw-r--r--src/dialog.cc13
-rw-r--r--src/tipwin.cc2
-rw-r--r--src/uicmd.cc2
8 files changed, 54 insertions, 49 deletions
diff --git a/AUTHORS b/AUTHORS
index e8f0b466..b22eb755 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -87,3 +87,5 @@ Non-Dillo code:
* src/md5.[ch] contain code by L. Peter Deutsch whose copyright is held by
Aladdin Enterprises.
* src/tipwin.cc contains code by Greg Ercolano.
+* src/IO/ssl.c contains code from wget whose copyright is held by the
+ Free Software Foundation.
diff --git a/ChangeLog b/ChangeLog
index 90dd3170..3ff1851a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -54,6 +54,13 @@ dillo-3.1 [not released yet]
Patches: Johannes Hofmann
+- Doxygen fixes.
Patch: Jeremy Henty
++- Move HTTPS from dpi into the browser, enable SNI, add certificate hostname
+ checking from wget, check more locations for CA bundles and add
+ --with-ca-certs-file and --with-ca-certs-dir to configure, some improvement
+ to security warning popups, change cipher list from "ALL" to
+ "ALL:!aNULL:!eNULL:!LOW:!EXPORT40:!RC4", disable SSL3, disable TLS
+ compression, etc.
+ Patch: corvid, Benjamin Johnson
-----------------------------------------------------------------------------
diff --git a/dillorc b/dillorc
index a2286613..9c783a03 100644
--- a/dillorc
+++ b/dillorc
@@ -166,10 +166,10 @@
# You can enable multiple search_url strings at once and select from among
# them at runtime, with the first being the default.
# (the prefix serves to search from the Location Bar. e.g. "dd dillo image")
-search_url="dd DuckDuckGo http://duckduckgo.com/lite/?kp=-1&q=%s"
+search_url="dd DuckDuckGo (https) https://duckduckgo.com/lite/?kp=-1&q=%s"
search_url="Wikipedia http://www.wikipedia.org/w/index.php?search=%s&go=Go"
search_url="Free Dictionary http://www.thefreedictionary.com/%s"
-search_url="Startpage http://www.startpage.com/do/search?query=%s"
+search_url="Startpage (https) https://www.startpage.com/do/search?query=%s"
search_url="Google http://www.google.com/search?ie=UTF-8&oe=UTF-8&q=%s"
# If set, dillo will ask web servers to send pages in this language.
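Review bot: The Wikipedia and Google entries in this list still use `http://`, so queries typed for those engines leave the browser in cleartext even though this change moves DuckDuckGo and Startpage to HTTPS. Both sites serve the same paths over TLS, so they could be switched the same way, e.g. `search_url="Wikipedia https://www.wikipedia.org/w/index.php?search=%s&go=Go"`. Whether thefreedictionary.com offers HTTPS would need checking before that entry is changed.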
diff --git a/src/IO/http.c b/src/IO/http.c
index 5f97c0fd..e5c459ee 100644
--- a/src/IO/http.c
+++ b/src/IO/http.c
@@ -679,9 +679,11 @@ static void Http_dns_cb(int Status, Dlist *addr_list, void *data)
}
}
if (clean_up) {
+ ChainLink *info = S->Info;
+
Http_socket_free(SKey);
- a_Chain_bfcb(OpAbort, S->Info, NULL, "Both");
- dFree(S->Info);
+ a_Chain_bfcb(OpAbort, info, NULL, "Both");
+ dFree(info);
}
}
}
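Review bot: The new local `info` has no comment saying why `S->Info` is copied before `Http_socket_free(SKey)`, and without one a later cleanup could fold it back into `S->Info` and reintroduce a read of freed memory. Presumably `Http_socket_free()` releases the socket data that `S` points to; if so, a line such as `/* Http_socket_free() frees S; keep S->Info for the abort below. */` above the declaration would document the ordering. The rest of `Http_dns_cb` is outside the hunk, so it is worth confirming that nothing after this block touches `S` once `clean_up` is set.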
diff --git a/src/IO/ssl.c b/src/IO/ssl.c
index 3c21960c..856d94b5 100644
--- a/src/IO/ssl.c
+++ b/src/IO/ssl.c
@@ -15,10 +15,10 @@
* (at your option) any later version.
*
* As a special exception, permission is granted to link Dillo with the OpenSSL
- * project's "OpenSSL" library, and distribute the linked executables, without
- * including the source code for OpenSSL in the source distribution. You must
- * obey the GNU General Public License, version 3, in all respects for all of
- * the code used other than "OpenSSL".
+ * or LibreSSL library, and distribute the linked executables without
+ * including the source code for OpenSSL or LibreSSL in the source
+ * distribution. You must obey the GNU General Public License, version 3, in
+ * all respects for all of the code used other than OpenSSL or LibreSSL.
*/
/* https://www.ssllabs.com/ssltest/viewMyClient.html */
@@ -466,7 +466,8 @@ static bool_t pattern_match (const char *pattern, const char *string)
return *n == '\0';
}
-static bool_t Ssl_check_cert_hostname(X509 *cert, const DilloUrl *url, int *choice)
+static bool_t Ssl_check_cert_hostname(X509 *cert, const DilloUrl *url,
+ int *choice)
{
dReturn_val_if_fail(cert && url, -1);
@@ -548,9 +549,9 @@ static bool_t Ssl_check_cert_hostname(X509 *cert, const DilloUrl *url, int *choi
if (alt_name_checked == TRUE && i >= numaltnames)
{
success = FALSE;
- msg = dStrconcat("no certificate subject alternative name matches"
+ msg = dStrconcat("No certificate subject alternative name matches"
" requested host name \n", host, NULL);
- *choice = a_Dialog_choice("Dillo SSL",
+ *choice = a_Dialog_choice("Dillo SSL security warning",
msg, "Continue", "Cancel", NULL);
dFree(msg);
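Review bot: `*choice = a_Dialog_choice(...)` writes through `choice` without a NULL check, while the guard at the top of the function (visible in the previous hunk) tests only `cert && url`. That guard also returns `-1` from a function declared `bool_t`; if callers test the result as a boolean, a non-zero `-1` reads as a successful hostname match, so the argument-failure path would fail open. Suggest `dReturn_val_if_fail(cert && url && choice, FALSE);`, after confirming how the caller interprets the return value. The body of `Ssl_check_cert_hostname` extends beyond both hunks.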
@@ -577,8 +578,9 @@ static bool_t Ssl_check_cert_hostname(X509 *cert, const DilloUrl *url, int *choi
if (!pattern_match (common_name, host))
{
success = FALSE;
- msg = dStrconcat("certificate common name ", common_name, " doesn't match requested host name ", host, NULL);
- *choice = a_Dialog_choice("Dillo SSL",
+ msg = dStrconcat("Certificate common name ", common_name,
+ " doesn't match requested host name ", host, NULL);
+ *choice = a_Dialog_choice("Dillo SSL security warning",
msg, "Continue", "Cancel", NULL);
dFree(msg);
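Review bot: `common_name` is taken from the peer's certificate and concatenated unmodified into the warning text, so the remote side controls part of what the security dialog says. A very long or sentence-like name could push the real warning out of view or read as part of Dillo's own message. Quoting the value and capping its length before `dStrconcat` keeps the two apart, e.g. `msg = dStrconcat("Certificate common name \"", shown_cn, "\" doesn't match requested host name ", host, NULL);` where `shown_cn` is a bounded copy. The same consideration appears to apply to `buf` in the self-signed message of `Ssl_examine_certificate`, though where `buf` is filled is outside the visible hunks.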
@@ -620,8 +622,11 @@ static bool_t Ssl_check_cert_hostname(X509 *cert, const DilloUrl *url, int *choi
if (strlen (common_name) != (size_t)ASN1_STRING_length (sdata))
{
success = FALSE;
- msg = dStrconcat("certificate common name is invalid (contains a NUL character). This may be an indication that the host is not who it claims to be -- that is, not the real ", host, NULL);
- *choice = a_Dialog_choice("Dillo SSL",
+ msg = dStrconcat("Certificate common name is invalid (contains a NUL "
+ "character). This may be an indication that the "
+ "host is not who it claims to be -- that is, not "
+ "the real ", host, NULL);
+ *choice = a_Dialog_choice("Dillo SSL security warning",
msg, "Continue", "Cancel", NULL);
dFree(msg);
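Review bot: A common name with an embedded NUL is offered the same `"Continue"` override as an ordinary mismatch, although the message itself says the host may not be who it claims to be. It is hard to think of a legitimate certificate that would trip this check, so this branch could refuse the connection instead of asking: show the text with only `"Cancel"`, or skip the dialog and leave `success = FALSE`. How `*choice` is consumed is outside the hunk, so the exact change depends on the caller.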
@@ -653,14 +658,14 @@ static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
long st;
char buf[4096], *cn, *msg;
int choice = -1, ret = -1;
- char *title = dStrconcat("Dillo SSL: ", URL_HOST(url), NULL);
+ char *title = dStrconcat("Dillo SSL security warning: ",URL_HOST(url),NULL);
Server_t *srv = dList_find_custom(servers, url, Ssl_servers_cmp);
remote_cert = SSL_get_peer_certificate(ssl);
if (remote_cert == NULL){
/* Inform user that remote system cannot be trusted */
choice = a_Dialog_choice(title,
- "The remote system is not presenting a certificate.\n"
+ "The remote system is not presenting a certificate. "
"This site cannot be trusted. Sending data is not safe.",
"Continue", "Cancel", NULL);
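Review bot: The `title` line drops the spaces after the commas (`",URL_HOST(url),NULL`) to fit the line width, unlike the other calls this commit rewraps. Breaking the call keeps the file's spacing: `char *title = dStrconcat("Dillo SSL security warning: ",` with `URL_HOST(url), NULL);` on a continuation line. `title` is heap-allocated here and its release is outside the hunk, so a short comment naming where it is freed would also help.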
@@ -693,7 +698,7 @@ static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
buf[cn_end - cn] = '\0';
}
msg = dStrconcat("The remote certificate is self-signed and "
- "untrusted.\nFor address: ", buf, NULL);
+ "untrusted. For address: ", buf, NULL);
choice = a_Dialog_choice(title,
msg, "Continue", "Cancel", "Save Certificate", NULL);
dFree(msg);
@@ -718,8 +723,8 @@ static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
choice = a_Dialog_choice(title,
- "The issuer for the remote certificate cannot be found\n"
- "The authenticity of the remote certificate cannot be trusted",
+ "The issuer for the remote certificate cannot be found. "
+ "The authenticity of the remote certificate cannot be trusted.",
"Continue", "Cancel", NULL);
if (choice == 1) {
@@ -732,7 +737,7 @@ static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
choice = a_Dialog_choice(title,
- "The remote certificate signature could not be read\n"
+ "The remote certificate signature could not be read "
"or is invalid and should not be trusted",
"Continue", "Cancel", NULL);
@@ -743,10 +748,10 @@ static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CRL_NOT_YET_VALID:
choice = a_Dialog_choice(title,
- "Part of the remote certificate is not yet valid\n"
- "Certificates usually have a range of dates over which\n"
- "they are to be considered valid, and the certificate\n"
- "presented has a starting validity after today's date\n"
+ "Part of the remote certificate is not yet valid. "
+ "Certificates usually have a range of dates over which "
+ "they are to be considered valid, and the certificate "
+ "presented has a starting validity after today's date "
"You should be cautious about using this site",
"Continue", "Cancel", NULL);
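Review bot: Replacing the `\n` with a space leaves this text reading "...after today's date You should be cautious..." because the preceding sentence never had a full stop; `"presented has a starting validity after today's date. "` fixes it. The hunk for `X509_V_ERR_CERT_REJECTED` has a similar leftover: the parenthesis opened at "(possibly due to configuration problems" is never closed, and that message ends without a period. These strings are the whole explanation a user gets before choosing Continue, so they are worth getting exact.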
@@ -757,8 +762,8 @@ static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_CRL_HAS_EXPIRED:
choice = a_Dialog_choice(title,
- "The remote certificate has expired. The certificate\n"
- "wasn't designed to last this long. You should avoid \n"
+ "The remote certificate has expired. The certificate "
+ "wasn't designed to last this long. You should avoid "
"this site.",
"Continue", "Cancel", NULL);
if (choice == 1) {
@@ -770,9 +775,9 @@ static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
choice = a_Dialog_choice(title,
- "There was an error in the certificate presented.\n"
- "Some of the certificate data was improperly formatted\n"
- "making it impossible to determine if the certificate\n"
+ "There was an error in the certificate presented. "
+ "Some of the certificate data was improperly formatted "
+ "making it impossible to determine if the certificate "
"is valid. You should not trust this certificate.",
"Continue", "Cancel", NULL);
if (choice == 1) {
@@ -785,9 +790,9 @@ static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
case X509_V_ERR_CERT_REJECTED:
case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
choice = a_Dialog_choice(title,
- "One of the certificates in the chain is being used\n"
- "incorrectly (possibly due to configuration problems\n"
- "with the remote system. The connection should not\n"
+ "One of the certificates in the chain is being used "
+ "incorrectly (possibly due to configuration problems "
+ "with the remote system. The connection should not "
"be trusted",
"Continue", "Cancel", NULL);
if (choice == 1) {
@@ -798,8 +803,8 @@ static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
case X509_V_ERR_AKID_SKID_MISMATCH:
case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
choice = a_Dialog_choice(title,
- "Some of the information presented by the remote system\n"
- "does not match other information presented\n"
+ "Some of the information presented by the remote system "
+ "does not match other information presented. "
"This may be an attempt to eavesdrop on communications",
"Continue", "Cancel", NULL);
if (choice == 1) {
diff --git a/src/dialog.cc b/src/dialog.cc
index 2c2781b1..10988c98 100644
--- a/src/dialog.cc
+++ b/src/dialog.cc
@@ -354,7 +354,6 @@ int a_Dialog_choice(const char *title, const char *msg, ...)
int gap = 8;
int ww = 140 + n * 60, wh = 120;
int bw = (ww - gap) / n - gap, bh = 45;
- int ih = 50;
Fl_Window *window = new Fl_Window(ww, wh, title);
window->set_modal();
@@ -363,18 +362,8 @@ int a_Dialog_choice(const char *title, const char *msg, ...)
ib->begin();
window->resizable(ib);
- /* '?' Icon */
- Fl_Box *o = new Fl_Box(10, (wh - bh - ih) / 2, ih, ih);
- o->box(FL_THIN_UP_BOX);
- o->labelfont(FL_TIMES_BOLD);
- o->labelsize(34);
- o->color(FL_WHITE);
- o->labelcolor(FL_BLUE);
- o->label("?");
- o->show();
-
if (msg != NULL){
- Fl_Box *box = new Fl_Box(60, 0, ww - 60, wh - bh, msg);
+ Fl_Box *box = new Fl_Box(0, 0, ww, wh - bh, msg);
box->labelfont(FL_HELVETICA);
box->labelsize(14);
box->align(FL_ALIGN_WRAP);
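Review bot: The message box is now the only thing that lays out the text, but the window is still created at a fixed `wh = 120`, which with `bh = 45` leaves 75 pixels for a 14-point wrapped label. The same commit removes the manual line breaks from the SSL warnings and appends host and certificate names to some of them, so the longer messages may be clipped unless the window is resized in code outside this hunk. For a security prompt the full text should be visible above the buttons; consider sizing from the measured label, e.g. `fl_font(FL_HELVETICA, 14); fl_measure(msg, w, h);` with `w` preset to the wrap width, and deriving the window height from `h`.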
diff --git a/src/tipwin.cc b/src/tipwin.cc
index 01d9a2f4..7cfa0844 100644
--- a/src/tipwin.cc
+++ b/src/tipwin.cc
@@ -41,7 +41,7 @@ TipWin::TipWin() : Fl_Menu_Window(1, 1) // will autosize
{
bgcolor = fl_color_cube(FL_NUM_RED - 1, FL_NUM_GREEN - 1, FL_NUM_BLUE - 2);
recent = 0;
- strcpy(tip, "");
+ tip[0] = '\0';
cur_widget = NULL;
set_override(); // no border
end();
diff --git a/src/uicmd.cc b/src/uicmd.cc
index 5225be75..9541a7df 100644
--- a/src/uicmd.cc
+++ b/src/uicmd.cc
@@ -933,7 +933,7 @@ static int UIcmd_save_file_check(const char *name)
int ch;
ds = dStr_sized_new(128);
dStr_sprintf(ds,
- "The file:\n %s (%d Bytes)\nalready exists. What do we do?",
+ "The file: %s (%d Bytes) already exists. What do we do?",
name, (int)ss.st_size);
ch = a_Dialog_choice("Dillo Save: File exists!", ds->str,
"Abort", "Continue", "Rename", NULL);
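Review bot: `(int)ss.st_size` paired with `%d` truncates the size for files of 2 GiB and larger, so the overwrite prompt can show a wrong or negative byte count. Assuming `dStr_sprintf` accepts the usual printf length modifiers, `"The file: %s (%lld Bytes) already exists. What do we do?"` with `(long long)ss.st_size` reports the real size. With the line breaks gone, a long `name` now shares one wrapped paragraph with the question, so very long paths may make the prompt harder to read.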