aboutsummaryrefslogtreecommitdiff
path: root/src/IO
diff options
context:
space:
mode:
Diffstat (limited to 'src/IO')
-rw-r--r--src/IO/IO.c21
-rw-r--r--src/IO/Makefile.am7
-rw-r--r--src/IO/Url.h5
-rw-r--r--src/IO/about.c4
-rw-r--r--src/IO/http.c439
-rw-r--r--src/IO/ssl.c1105
-rw-r--r--src/IO/ssl.h47
7 files changed, 1457 insertions, 171 deletions
diff --git a/src/IO/IO.c b/src/IO/IO.c
index 0addf486..e5c5fc79 100644
--- a/src/IO/IO.c
+++ b/src/IO/IO.c
@@ -21,6 +21,7 @@
#include "../klist.h"
#include "IO.h"
#include "iowatch.hh"
+#include "ssl.h"
/*
* Symbolic defines for shutdown() function
@@ -162,6 +163,7 @@ static bool_t IO_read(IOData_t *io)
ssize_t St;
bool_t ret = FALSE;
int io_key = io->Key;
+ void *conn = a_Ssl_connection(io->FD);
_MSG(" IO_read\n");
@@ -170,7 +172,8 @@ static bool_t IO_read(IOData_t *io)
io->Status = 0;
while (1) {
- St = read(io->FD, Buf, IOBufLen);
+ St = conn ? a_Ssl_read(conn, Buf, IOBufLen)
+ : read(io->FD, Buf, IOBufLen);
if (St > 0) {
dStr_append_l(io->Buf, Buf, St);
continue;
@@ -214,12 +217,14 @@ static bool_t IO_write(IOData_t *io)
{
ssize_t St;
bool_t ret = FALSE;
+ void *conn = a_Ssl_connection(io->FD);
_MSG(" IO_write\n");
io->Status = 0;
while (1) {
- St = write(io->FD, io->Buf->str, io->Buf->len);
+ St = conn ? a_Ssl_write(conn, io->Buf->str, io->Buf->len)
+ : write(io->FD, io->Buf->str, io->Buf->len);
if (St < 0) {
/* Error */
if (errno == EINTR) {
@@ -372,8 +377,8 @@ void a_IO_ccc(int Op, int Branch, int Dir, ChainLink *Info,
char *newline = memchr(io->Buf->str, '\n', io->Buf->len);
int msglen = newline ? newline - io->Buf->str : 2048;
- MSG_WARN("IO_write, closing with pending data not sent: "
- "\"%s\"\n", dStr_printable(io->Buf, msglen));
+ MSG("IO_write, closing with pending data not sent: \"%s\"\n",
+ dStr_printable(io->Buf, msglen));
}
/* close FD, remove from ValidIOs and remove its watch */
IO_close_fd(io, Op == OpEnd ? IO_StopWr : IO_StopRdWr);
@@ -381,7 +386,7 @@ void a_IO_ccc(int Op, int Branch, int Dir, ChainLink *Info,
dFree(Info);
break;
default:
- MSG_WARN("Unused CCC\n");
+ MSG_WARN("Unused CCC IO 1B\n");
break;
}
} else { /* 1 FWD */
@@ -395,7 +400,7 @@ void a_IO_ccc(int Op, int Branch, int Dir, ChainLink *Info,
dFree(Info);
break;
default:
- MSG_WARN("Unused CCC\n");
+ MSG_WARN("Unused CCC IO 1F\n");
break;
}
}
@@ -424,7 +429,7 @@ void a_IO_ccc(int Op, int Branch, int Dir, ChainLink *Info,
dFree(Info);
break;
default:
- MSG_WARN("Unused CCC\n");
+ MSG_WARN("Unused CCC IO 2B\n");
break;
}
} else { /* 2 FWD */
@@ -443,7 +448,7 @@ void a_IO_ccc(int Op, int Branch, int Dir, ChainLink *Info,
dFree(Info);
break;
default:
- MSG_WARN("Unused CCC\n");
+ MSG_WARN("Unused CCC IO 2F\n");
break;
}
}
diff --git a/src/IO/Makefile.am b/src/IO/Makefile.am
index c889dae8..ff600521 100644
--- a/src/IO/Makefile.am
+++ b/src/IO/Makefile.am
@@ -1,6 +1,9 @@
AM_CPPFLAGS = \
-I$(top_srcdir) \
- -DDILLO_BINDIR='"$(bindir)/"'
+ -DDILLO_BINDIR='"$(bindir)/"' \
+ -DCA_CERTS_FILE='"@CA_CERTS_FILE@"' \
+ -DCA_CERTS_DIR='"@CA_CERTS_DIR@"'
+
AM_CFLAGS = @LIBFLTK_CFLAGS@
AM_CXXFLAGS = @LIBFLTK_CXXFLAGS@
@@ -12,6 +15,8 @@ libDiof_a_SOURCES = \
about.c \
Url.h \
http.c \
+ ssl.h \
+ ssl.c \
dpi.c \
IO.c \
iowatch.cc \
diff --git a/src/IO/Url.h b/src/IO/Url.h
index d9333d67..3f5a559b 100644
--- a/src/IO/Url.h
+++ b/src/IO/Url.h
@@ -16,10 +16,7 @@ extern void a_Http_freeall(void);
int a_Http_init(void);
int a_Http_proxy_auth(void);
void a_Http_set_proxy_passwd(const char *str);
-char *a_Http_make_connect_str(const DilloUrl *url);
-const char *a_Http_get_proxy_urlstr();
-Dstr *a_Http_make_query_str(const DilloUrl *url, const DilloUrl *requester,
- int web_flags, bool_t use_proxy);
+void a_Http_connect_done(int fd, bool_t success);
void a_Http_ccc (int Op, int Branch, int Dir, ChainLink *Info,
void *Data1, void *Data2);
diff --git a/src/IO/about.c b/src/IO/about.c
index 0cc3b427..1fe6485b 100644
--- a/src/IO/about.c
+++ b/src/IO/about.c
@@ -236,6 +236,8 @@ const char *const AboutSplash=
" <tr>\n"
" <td>\n"
"<ul>\n"
+" <li> Read the <a href='http://www.dillo.org/dillo3-help.html'>help</a>,\n"
+" it's short.\n"
" <li> There's a\n"
" <a href='http://www.dillo.org/dillorc'>dillorc</a>\n"
" (readable config) file inside the tarball. It is well-commented\n"
@@ -248,6 +250,8 @@ const char *const AboutSplash=
" <li> Cookies are disabled by default for privacy. To log into certain\n"
" sites, you may need to <a href='http://www.dillo.org/Cookies.txt'>enable\n"
" cookies selectively</a>.\n"
+" <li> To stop third-party ads and tracking, you can use a\n"
+" ~/.dillo/<a href='http://www.dillo.org/domainrc'>domainrc</a>/ file.\n"
" <li> Frames, Java and Javascript are not supported.\n"
" <li> This release is mainly intended for <strong>developers</strong>\n"
" and <strong>advanced users</strong>.\n"
diff --git a/src/IO/http.c b/src/IO/http.c
index 49b3a3ac..5f97c0fd 100644
--- a/src/IO/http.c
+++ b/src/IO/http.c
@@ -27,6 +27,7 @@
#include <arpa/inet.h> /* for inet_ntop */
#include "IO.h"
+#include "ssl.h"
#include "Url.h"
#include "../msg.h"
#include "../klist.h"
@@ -48,22 +49,22 @@ D_STMT_START { \
#define _MSG_BW(web, root, ...)
-static const int HTTP_PORT = 80;
-
static const int HTTP_SOCKET_USE_PROXY = 0x1;
-static const int HTTP_SOCKET_QUEUED = 0x4;
-static const int HTTP_SOCKET_TO_BE_FREED = 0x8;
+static const int HTTP_SOCKET_QUEUED = 0x2;
+static const int HTTP_SOCKET_TO_BE_FREED = 0x4;
+static const int HTTP_SOCKET_SSL = 0x8;
-/* 'Url' and 'web' are just references (no need to deallocate them here). */
+/* 'web' is just a reference (no need to deallocate it here). */
typedef struct {
int SockFD;
- uint_t port; /* need a separate port in order to support PROXY */
+ uint_t connect_port;
uint_t flags;
DilloWeb *web; /* reference to client's web structure */
+ DilloUrl *url;
Dlist *addr_list; /* Holds the DNS answer */
- int Err; /* Holds the errno of the connect() call */
ChainLink *Info; /* Used for CCC asynchronous operations */
char *connected_to; /* Used for per-host connection limit */
+ Dstr *https_proxy_reply;
} SocketData_t;
/* Data structures and functions to queue sockets that need to be
@@ -81,11 +82,11 @@ typedef struct {
} FdMapEntry_t;
static void Http_socket_enqueue(HostConnection_t *hc, SocketData_t* sock);
-static SocketData_t* Http_socket_dequeue(HostConnection_t *hc);
static HostConnection_t *Http_host_connection_get(const char *host);
static void Http_host_connection_remove(HostConnection_t *hc);
-static int Http_connect_socket(ChainLink *Info);
-static void Http_send_query(ChainLink *Info, SocketData_t *S);
+static void Http_connect_socket(ChainLink *Info, HostConnection_t *hc);
+static char *Http_get_connect_str(const DilloUrl *url);
+static void Http_send_query(SocketData_t *S);
static void Http_socket_free(int SKey);
/*
@@ -170,7 +171,21 @@ static int Http_fd_map_cmp(const void *v1, const void *v2)
int fd = VOIDP2INT(v2);
const FdMapEntry_t *e = v1;
- return (fd == e->fd) ? 0 : 1;
+ return (fd != e->fd);
+}
+
+static void Http_fd_map_add_entry(SocketData_t *sd)
+{
+ FdMapEntry_t *e = dNew0(FdMapEntry_t, 1);
+ e->fd = sd->SockFD;
+ e->skey = VOIDP2INT(sd->Info->LocalKey);
+
+ if (dList_find_custom(fd_map, INT2VOIDP(e->fd), Http_fd_map_cmp)) {
+ MSG_ERR("FD ENTRY ALREADY FOUND FOR %d\n", e->fd);
+ assert(0);
+ }
+
+ dList_append(fd_map, e);
}
/*
@@ -183,42 +198,78 @@ static void Http_fd_map_remove_entry(int fd)
if (data) {
dList_remove_fast(fd_map, data);
dFree(data);
+ } else {
+ MSG("FD ENTRY NOT FOUND FOR %d\n", fd);
}
}
+void a_Http_connect_done(int fd, bool_t success)
+{
+ SocketData_t *sd;
+ FdMapEntry_t *fme = dList_find_custom(fd_map, INT2VOIDP(fd),
+ Http_fd_map_cmp);
+
+ if (fme && (sd = a_Klist_get_data(ValidSocks, fme->skey))) {
+ ChainLink *info = sd->Info;
+
+ if (success) {
+ a_Chain_bfcb(OpSend, info, &sd->SockFD, "FD");
+ Http_send_query(sd);
+ } else {
+ MSG_BW(sd->web, 1, "Could not establish connection.");
+ MSG("fd %d is done and failed\n", sd->SockFD);
+ dClose(fd);
+ Http_socket_free(VOIDP2INT(info->LocalKey)); /* free sd */
+ a_Chain_bfcb(OpAbort, info, NULL, "Both");
+ dFree(info);
+ }
+ } else {
+ MSG("**** but no luck with fme %p or sd\n", fme);
+ }
+}
+
+static void Http_socket_activate(HostConnection_t *hc, SocketData_t *sd)
+{
+ dList_remove(hc->queue, sd);
+ sd->flags &= ~HTTP_SOCKET_QUEUED;
+ hc->active_conns++;
+ sd->connected_to = hc->host;
+}
+
static void Http_connect_queued_sockets(HostConnection_t *hc)
{
SocketData_t *sd;
- while (hc->active_conns < prefs.http_max_conns &&
- (sd = Http_socket_dequeue(hc))) {
+ int i;
- sd->flags &= ~HTTP_SOCKET_QUEUED;
+ for (i = 0;
+ i < dList_length(hc->queue) && hc->active_conns < prefs.http_max_conns;
+ i++) {
+ sd = dList_nth_data(hc->queue, i);
- if (sd->flags & HTTP_SOCKET_TO_BE_FREED) {
- dFree(sd);
- } else if (a_Web_valid(sd->web)) {
- /* start connecting the socket */
- if (Http_connect_socket(sd->Info) < 0) {
- ChainLink *Info = sd->Info;
- MSG_BW(sd->web, 1, "ERROR: %s", dStrerror(sd->Err));
- a_Chain_bfcb(OpAbort, Info, NULL, "Both");
- Http_socket_free(VOIDP2INT(Info->LocalKey)); /* free sd */
- dFree(Info);
- } else {
- FdMapEntry_t *e = dNew0(FdMapEntry_t, 1);
+ if (!(sd->flags & HTTP_SOCKET_TO_BE_FREED)) {
+ int connect_ready = SSL_CONNECT_READY;
+
+ if (sd->flags & HTTP_SOCKET_SSL)
+ connect_ready = a_Ssl_connect_ready(sd->url);
- e->fd = sd->SockFD;
- e->skey = VOIDP2INT(sd->Info->LocalKey);
- dList_append(fd_map, e);
+ if (connect_ready == SSL_CONNECT_NEVER || !a_Web_valid(sd->web)) {
+ int SKey = VOIDP2INT(sd->Info->LocalKey);
- hc->active_conns++;
- a_Chain_bcb(OpSend, sd->Info, &sd->SockFD, "FD");
- a_Chain_fcb(OpSend, sd->Info, &sd->SockFD, "FD");
- Http_send_query(sd->Info, sd);
- sd->connected_to = hc->host;
+ Http_socket_free(SKey);
+ } else if (connect_ready == SSL_CONNECT_READY) {
+ i--;
+ Http_socket_activate(hc, sd);
+ Http_connect_socket(sd->Info, hc);
}
}
+ if (sd->flags & HTTP_SOCKET_TO_BE_FREED) {
+ dList_remove(hc->queue, sd);
+ dFree(sd);
+ i--;
+ }
}
+
+ _MSG("Queue %s len %d\n", hc->host, dList_length(hc->queue));
}
/*
@@ -231,18 +282,25 @@ static void Http_socket_free(int SKey)
if ((S = a_Klist_get_data(ValidSocks, SKey))) {
a_Klist_remove(ValidSocks, SKey);
+ dStr_free(S->https_proxy_reply, 1);
+
if (S->flags & HTTP_SOCKET_QUEUED) {
S->flags |= HTTP_SOCKET_TO_BE_FREED;
+ a_Url_free(S->url);
} else {
if (S->SockFD != -1)
Http_fd_map_remove_entry(S->SockFD);
+ a_Ssl_reset_server_state(S->url);
if (S->connected_to) {
+ a_Ssl_close_by_fd(S->SockFD);
+
HostConnection_t *hc = Http_host_connection_get(S->connected_to);
hc->active_conns--;
Http_connect_queued_sockets(hc);
if (hc->active_conns == 0)
Http_host_connection_remove(hc);
}
+ a_Url_free(S->url);
dFree(S);
}
}
@@ -300,23 +358,22 @@ static Dstr *Http_make_content_type(const DilloUrl *url)
/*
* Make the http query string
*/
-Dstr *a_Http_make_query_str(const DilloUrl *url, const DilloUrl *requester,
- int web_flags, bool_t use_proxy)
+static Dstr *Http_make_query_str(DilloWeb *web, bool_t use_proxy)
{
char *ptr, *cookies, *referer, *auth;
+ const DilloUrl *url = web->url;
Dstr *query = dStr_new(""),
*request_uri = dStr_new(""),
*proxy_auth = dStr_new("");
/* BUG: dillo doesn't actually understand application/xml yet */
const char *accept_hdr_value =
- web_flags & WEB_Image ? "image/png,image/*;q=0.8,*/*;q=0.5" :
- web_flags & WEB_Stylesheet ? "text/css,*/*;q=0.1" :
+ web->flags & WEB_Image ? "image/png,image/*;q=0.8,*/*;q=0.5" :
+ web->flags & WEB_Stylesheet ? "text/css,*/*;q=0.1" :
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
const char *connection_hdr_val =
- (prefs.http_persistent_conns == TRUE &&
- !dStrAsciiCasecmp(URL_SCHEME(url), "http")) ? "keep-alive" : "close";
+ (prefs.http_persistent_conns == TRUE) ? "keep-alive" : "close";
if (use_proxy) {
dStr_sprintfa(request_uri, "%s%s",
@@ -335,7 +392,7 @@ Dstr *a_Http_make_query_str(const DilloUrl *url, const DilloUrl *requester,
(URL_PATH_(url) || URL_QUERY_(url)) ? "" : "/");
}
- cookies = a_Cookies_get_query(url, requester);
+ cookies = a_Cookies_get_query(url, web->requester);
auth = a_Auth_get_auth_str(url, request_uri->str);
referer = Http_get_referer(url);
if (URL_FLAGS(url) & URL_Post) {
@@ -400,14 +457,13 @@ Dstr *a_Http_make_query_str(const DilloUrl *url, const DilloUrl *requester,
/*
* Create and submit the HTTP query to the IO engine
*/
-static void Http_send_query(ChainLink *Info, SocketData_t *S)
+static void Http_send_query(SocketData_t *S)
{
Dstr *query;
DataBuf *dbuf;
/* Create the query */
- query = a_Http_make_query_str(S->web->url, S->web->requester, S->web->flags,
- S->flags & HTTP_SOCKET_USE_PROXY);
+ query = Http_make_query_str(S->web, S->flags & HTTP_SOCKET_USE_PROXY);
dbuf = a_Chain_dbuf_new(query->str, query->len, 0);
/* actually this message is sent too early.
@@ -415,26 +471,49 @@ static void Http_send_query(ChainLink *Info, SocketData_t *S)
_MSG_BW(S->web, 1, "Sending query to %s...", URL_HOST_(S->web->url));
/* send query */
- a_Chain_bcb(OpSend, Info, dbuf, NULL);
+ a_Chain_bcb(OpSend, S->Info, dbuf, NULL);
dFree(dbuf);
dStr_free(query, 1);
}
/*
- * This function gets called after the DNS succeeds solving a hostname.
+ * Prepare an HTTPS connection. If necessary, tunnel it through a proxy.
+ * Then perform the SSL handshake.
+ */
+static void Http_connect_ssl(ChainLink *info)
+{
+ int SKey = VOIDP2INT(info->LocalKey);
+ SocketData_t *S = a_Klist_get_data(ValidSocks, SKey);
+
+ if (S->flags & HTTP_SOCKET_USE_PROXY) {
+ char *connect_str = Http_get_connect_str(S->url);
+ DataBuf *dbuf = a_Chain_dbuf_new(connect_str, strlen(connect_str), 0);
+
+ a_Chain_bfcb(OpSend, info, &S->SockFD, "FD");
+ S->https_proxy_reply = dStr_new(NULL);
+ a_Chain_bcb(OpSend, info, dbuf, NULL);
+
+ dFree(dbuf);
+ dFree(connect_str);
+ } else {
+ a_Ssl_handshake(S->SockFD, S->url);
+ }
+}
+
+/*
+ * This function is called after the DNS succeeds in solving a hostname.
* Task: Finish socket setup and start connecting the socket.
- * Return value: 0 on success; -1 on error.
*/
-static int Http_connect_socket(ChainLink *Info)
+static void Http_connect_socket(ChainLink *Info, HostConnection_t *hc)
{
int i, status;
+ SocketData_t *S;
+ DilloHost *dh;
#ifdef ENABLE_IPV6
struct sockaddr_in6 name;
#else
struct sockaddr_in name;
#endif
- SocketData_t *S;
- DilloHost *dh;
socklen_t socket_len = 0;
S = a_Klist_get_data(ValidSocks, VOIDP2INT(Info->LocalKey));
@@ -442,10 +521,11 @@ static int Http_connect_socket(ChainLink *Info)
/* TODO: iterate this address list until success, or end-of-list */
for (i = 0; (dh = dList_nth_data(S->addr_list, i)); ++i) {
if ((S->SockFD = socket(dh->af, SOCK_STREAM, IPPROTO_TCP)) < 0) {
- S->Err = errno;
MSG("Http_connect_socket ERROR: %s\n", dStrerror(errno));
continue;
}
+ Http_fd_map_add_entry(S);
+
/* set NONBLOCKING and close on exec. */
fcntl(S->SockFD, F_SETFL, O_NONBLOCK | fcntl(S->SockFD, F_GETFL));
fcntl(S->SockFD, F_SETFD, FD_CLOEXEC | fcntl(S->SockFD, F_GETFD));
@@ -459,10 +539,11 @@ static int Http_connect_socket(ChainLink *Info)
struct sockaddr_in *sin = (struct sockaddr_in *)&name;
socket_len = sizeof(struct sockaddr_in);
sin->sin_family = dh->af;
- sin->sin_port = S->port ? htons(S->port) : htons(HTTP_PORT);
+ sin->sin_port = htons(S->connect_port);
memcpy(&sin->sin_addr, dh->data, (size_t)dh->alen);
if (a_Web_valid(S->web) && (S->web->flags & WEB_RootUrl))
- MSG("Connecting to %s\n", inet_ntoa(sin->sin_addr));
+ MSG("Connecting to %s:%d\n", inet_ntoa(sin->sin_addr),
+ S->connect_port);
break;
}
#ifdef ENABLE_IPV6
@@ -472,36 +553,34 @@ static int Http_connect_socket(ChainLink *Info)
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&name;
socket_len = sizeof(struct sockaddr_in6);
sin6->sin6_family = dh->af;
- sin6->sin6_port =
- S->port ? htons(S->port) : htons(HTTP_PORT);
+ sin6->sin6_port = htons(S->connect_port);
memcpy(&sin6->sin6_addr, dh->data, dh->alen);
inet_ntop(dh->af, dh->data, buf, sizeof(buf));
if (a_Web_valid(S->web) && (S->web->flags & WEB_RootUrl))
- MSG("Connecting to %s\n", buf);
+ MSG("Connecting to %s:%d\n", buf, S->connect_port);
break;
}
#endif
}/*switch*/
-
MSG_BW(S->web, 1, "Contacting host...");
status = connect(S->SockFD, (struct sockaddr *)&name, socket_len);
if (status == -1 && errno != EINPROGRESS) {
- S->Err = errno;
- dClose(S->SockFD);
- MSG("Http_connect_socket ERROR: %s\n", dStrerror(S->Err));
+ MSG("Http_connect_socket ERROR: %s\n", dStrerror(errno));
+ a_Http_connect_done(S->SockFD, FALSE);
+ } else if (S->flags & HTTP_SOCKET_SSL) {
+ Http_connect_ssl(Info);
} else {
- return 0; /* Success */
+ a_Http_connect_done(S->SockFD, TRUE);
}
+ return;
}
-
- return -1;
}
/*
* Test proxy settings and check the no_proxy domains list
* Return value: whether to use proxy or not.
*/
-static int Http_must_use_proxy(const DilloUrl *url)
+static int Http_must_use_proxy(const char *hostname)
{
char *np, *p, *tok;
int ret = 0;
@@ -509,14 +588,13 @@ static int Http_must_use_proxy(const DilloUrl *url)
if (HTTP_Proxy) {
ret = 1;
if (prefs.no_proxy) {
- const char *host = URL_HOST(url);
- size_t host_len = strlen(host);
+ size_t host_len = strlen(hostname);
np = dStrdup(prefs.no_proxy);
for (p = np; (tok = dStrsep(&p, " ")); ) {
int start = host_len - strlen(tok);
- if (start >= 0 && dStrAsciiCasecmp(host + start, tok) == 0) {
+ if (start >= 0 && dStrAsciiCasecmp(hostname + start, tok) == 0) {
/* no_proxy token is suffix of host string */
ret = 0;
break;
@@ -525,21 +603,21 @@ static int Http_must_use_proxy(const DilloUrl *url)
dFree(np);
}
}
- _MSG("Http_must_use_proxy: %s\n %s\n", URL_STR(url), ret ? "YES":"NO");
+ _MSG("Http_must_use_proxy: %s\n %s\n", hostname, ret ? "YES":"NO");
return ret;
}
/*
* Return a new string for the request used to tunnel HTTPS through a proxy.
*/
-char *a_Http_make_connect_str(const DilloUrl *url)
+static char *Http_get_connect_str(const DilloUrl *url)
{
Dstr *dstr;
const char *auth1;
int auth_len;
char *auth2, *proxy_auth, *retstr;
- dReturn_val_if_fail(Http_must_use_proxy(url), NULL);
+ dReturn_val_if_fail(Http_must_use_proxy(URL_HOST(url)), NULL);
dstr = dStr_new("");
auth1 = URL_AUTHORITY(url);
@@ -571,14 +649,6 @@ char *a_Http_make_connect_str(const DilloUrl *url)
}
/*
- * Return URL string of HTTP proxy, if any
- */
-const char *a_Http_get_proxy_urlstr()
-{
- return HTTP_Proxy ? URL_STR(HTTP_Proxy) : NULL;
-}
-
-/*
* Callback function for the DNS resolver.
* Continue connecting the socket, or abort upon error condition.
* S->web is checked to assert the operation wasn't aborted while waiting.
@@ -586,34 +656,32 @@ const char *a_Http_get_proxy_urlstr()
static void Http_dns_cb(int Status, Dlist *addr_list, void *data)
{
int SKey = VOIDP2INT(data);
+ bool_t clean_up = TRUE;
SocketData_t *S;
HostConnection_t *hc;
S = a_Klist_get_data(ValidSocks, SKey);
if (S) {
- if (!a_Web_valid(S->web)) {
- a_Chain_bfcb(OpAbort, S->Info, NULL, "Both");
- dFree(S->Info);
+ const char *host = URL_HOST((S->flags & HTTP_SOCKET_USE_PROXY) ?
+ HTTP_Proxy : S->url);
+ if (a_Web_valid(S->web)) {
+ if (Status == 0 && addr_list) {
+
+ /* Successful DNS answer; save the IP */
+ S->addr_list = addr_list;
+ clean_up = FALSE;
+ hc = Http_host_connection_get(host);
+ Http_socket_enqueue(hc, S);
+ Http_connect_queued_sockets(hc);
+ } else {
+ /* DNS wasn't able to resolve the hostname */
+ MSG_BW(S->web, 0, "ERROR: DNS can't resolve %s", host);
+ }
+ }
+ if (clean_up) {
Http_socket_free(SKey);
-
- } else if (Status == 0 && addr_list) {
- /* Successful DNS answer; save the IP */
- S->addr_list = addr_list;
- S->flags |= HTTP_SOCKET_QUEUED;
- if (S->flags & HTTP_SOCKET_USE_PROXY)
- hc = Http_host_connection_get(URL_HOST(HTTP_Proxy));
- else
- hc = Http_host_connection_get(URL_HOST(S->web->url));
- Http_socket_enqueue(hc, S);
- Http_connect_queued_sockets(hc);
- } else {
- /* DNS wasn't able to resolve the hostname */
- MSG_BW(S->web, 0, "ERROR: DNS can't resolve %s",
- (S->flags & HTTP_SOCKET_USE_PROXY) ? URL_HOST_(HTTP_Proxy) :
- URL_HOST_(S->web->url));
a_Chain_bfcb(OpAbort, S->Info, NULL, "Both");
dFree(S->Info);
- Http_socket_free(SKey);
}
}
}
@@ -629,6 +697,7 @@ static int Http_get(ChainLink *Info, void *Data1)
{
SocketData_t *S;
char *hostname;
+ const DilloUrl *url;
S = a_Klist_get_data(ValidSocks, VOIDP2INT(Info->LocalKey));
/* Reference Web data */
@@ -637,18 +706,20 @@ static int Http_get(ChainLink *Info, void *Data1)
S->Info = Info;
/* Proxy support */
- if (Http_must_use_proxy(S->web->url)) {
- hostname = dStrdup(URL_HOST(HTTP_Proxy));
- S->port = URL_PORT(HTTP_Proxy);
+ if (Http_must_use_proxy(URL_HOST(S->web->url))) {
+ url = HTTP_Proxy;
S->flags |= HTTP_SOCKET_USE_PROXY;
} else {
- hostname = dStrdup(URL_HOST(S->web->url));
- S->port = URL_PORT(S->web->url);
- S->flags &= ~HTTP_SOCKET_USE_PROXY;
+ url = S->web->url;
}
+ hostname = dStrdup(URL_HOST(url));
+ S->connect_port = URL_PORT(url);
+ S->url = a_Url_dup(S->web->url);
+ if (!dStrAsciiCasecmp(URL_SCHEME(S->url), "https"))
+ S->flags |= HTTP_SOCKET_SSL;
/* Let the user know what we'll do */
- MSG_BW(S->web, 1, "DNS resolving %s", URL_HOST_(S->web->url));
+ MSG_BW(S->web, 1, "DNS resolving %s", hostname);
/* Let the DNS engine resolve the hostname, and when done,
* we'll try to connect the socket from the callback function */
@@ -659,43 +730,60 @@ static int Http_get(ChainLink *Info, void *Data1)
}
/*
+ * Can the old socket's fd be reused for the new socket?
+ *
+ * NOTE: old and new must come from the same HostConnection_t.
+ * This is not built to accept arbitrary sockets.
+ */
+static bool_t Http_socket_reuse_compatible(SocketData_t *old,
+ SocketData_t *new)
+{
+ if (a_Web_valid(new->web) &&
+ old->connect_port == new->connect_port &&
+ ((old->flags & HTTP_SOCKET_SSL) == (new->flags & HTTP_SOCKET_SSL)) &&
+ ((old->flags & HTTP_SOCKET_SSL) == 0 ||
+ (old->flags & HTTP_SOCKET_USE_PROXY) == 0 ||
+ ((URL_PORT(old->url) == URL_PORT(new->url)) &&
+ !dStrAsciiCasecmp(URL_HOST(old->url), URL_HOST(new->url)))))
+ return TRUE;
+ return FALSE;
+}
+
+/*
* If any entry in the socket data queue can reuse our connection, set it up
* and send off a new query.
*/
static void Http_socket_reuse(int SKey)
{
SocketData_t *new_sd, *old_sd = a_Klist_get_data(ValidSocks, SKey);
- HostConnection_t *hc = Http_host_connection_get(old_sd->connected_to);
- int i, n = dList_length(hc->queue);
- for (i = 0; i < n; i++) {
- new_sd = dList_nth_data(hc->queue, i);
-
- if (a_Web_valid(new_sd->web) && old_sd->port == new_sd->port) {
- new_sd->SockFD = old_sd->SockFD;
- Http_fd_map_remove_entry(old_sd->SockFD);
- a_Klist_remove(ValidSocks, SKey);
- dFree(old_sd);
-
- dList_remove(hc->queue, new_sd);
- new_sd->flags &= ~HTTP_SOCKET_QUEUED;
- FdMapEntry_t *e = dNew0(FdMapEntry_t, 1);
- e->fd = new_sd->SockFD;
- e->skey = VOIDP2INT(new_sd->Info->LocalKey);
- dList_append(fd_map, e);
-
- a_Chain_bcb(OpSend, new_sd->Info, &new_sd->SockFD, "FD");
- a_Chain_fcb(OpSend, new_sd->Info, &new_sd->SockFD, "FD");
- Http_send_query(new_sd->Info, new_sd);
- new_sd->connected_to = hc->host;
- return;
+ if (old_sd) {
+ HostConnection_t *hc = Http_host_connection_get(old_sd->connected_to);
+ int i, n = dList_length(hc->queue);
+
+ for (i = 0; i < n; i++) {
+ new_sd = dList_nth_data(hc->queue, i);
+
+ if (!(new_sd->flags & HTTP_SOCKET_TO_BE_FREED) &&
+ Http_socket_reuse_compatible(old_sd, new_sd)) {
+ const bool_t success = TRUE;
+
+ new_sd->SockFD = old_sd->SockFD;
+
+ old_sd->connected_to = NULL;
+ hc->active_conns--;
+ Http_socket_free(SKey);
+
+ MSG("Reusing fd %d for %s\n", new_sd->SockFD,URL_STR(new_sd->url));
+ Http_socket_activate(hc, new_sd);
+ Http_fd_map_add_entry(new_sd);
+ a_Http_connect_done(new_sd->SockFD, success);
+ return;
+ }
}
+ dClose(old_sd->SockFD);
+ Http_socket_free(SKey);
}
- dClose(old_sd->SockFD);
- Http_fd_map_remove_entry(old_sd->SockFD);
- a_Klist_remove(ValidSocks, SKey);
- hc->active_conns--;
- dFree(old_sd);
}
/*
@@ -705,8 +793,8 @@ void a_Http_ccc(int Op, int Branch, int Dir, ChainLink *Info,
void *Data1, void *Data2)
{
int SKey = VOIDP2INT(Info->LocalKey);
-
- (void)Data2; /* suppress unused parameter warning */
+ SocketData_t *sd;
+ DataBuf *dbuf;
dReturn_if_fail( a_Chain_check("a_Http_ccc", Op, Branch, Dir, Info) );
@@ -730,43 +818,81 @@ void a_Http_ccc(int Op, int Branch, int Dir, ChainLink *Info,
dFree(Info);
break;
case OpAbort:
- /* something bad happened... */
- a_Chain_bcb(OpAbort, Info, NULL, NULL);
+ MSG("ABORT 1B\n");
Http_socket_free(SKey);
+ a_Chain_bcb(OpAbort, Info, NULL, NULL);
dFree(Info);
break;
+ default:
+ MSG_WARN("Unused CCC 1B Op %d\n", Op);
+ break;
}
} else { /* 1 FWD */
- SocketData_t *sd;
/* HTTP send-query status branch */
switch (Op) {
case OpAbort:
+ MSG("ABORT 1F\n");
if ((sd = a_Klist_get_data(ValidSocks, SKey)))
- MSG_BW(sd->web, 1, "Can't get %s", URL_STR(sd->web->url));
- a_Chain_fcb(OpAbort, Info, NULL, "Both");
+ MSG_BW(sd->web, 1, "Can't get %s", URL_STR(sd->url));
Http_socket_free(SKey);
+ a_Chain_fcb(OpAbort, Info, NULL, "Both");
dFree(Info);
break;
default:
- MSG_WARN("Unused CCC\n");
+ MSG_WARN("Unused CCC 1F Op %d\n", Op);
break;
}
}
} else if (Branch == 2) {
if (Dir == FWD) {
+ sd = a_Klist_get_data(ValidSocks, SKey);
+ assert(sd);
/* Receiving from server */
switch (Op) {
case OpSend:
- /* Data1 = dbuf */
- a_Chain_fcb(OpSend, Info, Data1, "send_page_2eof");
+ if (sd->https_proxy_reply) {
+ dbuf = Data1;
+ dStr_append(sd->https_proxy_reply, dbuf->Buf);
+ if (strstr(sd->https_proxy_reply->str, "\r\n\r\n")) {
+ if (sd->https_proxy_reply->len >= 12 &&
+ sd->https_proxy_reply->str[9] == '2') {
+ /* e.g. "HTTP/1.1 200 Connection established[...]" */
+ MSG("CONNECT through proxy succeeded. Reply:\n%s\n",
+ sd->https_proxy_reply->str);
+ dStr_free(sd->https_proxy_reply, 1);
+ sd->https_proxy_reply = NULL;
+ a_Ssl_handshake(sd->SockFD, sd->url);
+ } else {
+ MSG_BW(sd->web, 1, "Can't connect through proxy to %s",
+ URL_HOST(sd->url));
+ MSG("CONNECT through proxy failed. Server sent:\n%s\n",
+ sd->https_proxy_reply->str);
+ Http_socket_free(SKey);
+ a_Chain_bfcb(OpAbort, Info, NULL, "Both");
+ dFree(Info);
+ }
+ }
+ } else {
+ /* Data1 = dbuf */
+ a_Chain_fcb(OpSend, Info, Data1, "send_page_2eof");
+ }
break;
case OpEnd:
- a_Chain_fcb(OpEnd, Info, NULL, NULL);
- Http_socket_free(SKey);
+ if (sd->https_proxy_reply) {
+ MSG("CONNECT through proxy failed. "
+ "Full reply not received:\n%s\n",
+ sd->https_proxy_reply->len ? sd->https_proxy_reply->str :
+ "(nothing)");
+ Http_socket_free(SKey);
+ a_Chain_bfcb(OpAbort, Info, NULL, "Both");
+ } else {
+ Http_socket_free(SKey);
+ a_Chain_fcb(OpEnd, Info, NULL, NULL);
+ }
dFree(Info);
break;
default:
- MSG_WARN("Unused CCC\n");
+ MSG_WARN("Unused CCC 2F Op %d\n", Op);
break;
}
} else { /* 2 BCK */
@@ -791,12 +917,13 @@ void a_Http_ccc(int Op, int Branch, int Dir, ChainLink *Info,
}
break;
case OpAbort:
+ Http_socket_free(SKey);
a_Chain_bcb(OpAbort, Info, NULL, NULL);
dFree(Info);
break;
- default:
- MSG_WARN("Unused CCC\n");
- break;
+ default:
+ MSG_WARN("Unused CCC 2B Op %d\n", Op);
+ break;
}
}
}
@@ -808,6 +935,8 @@ void a_Http_ccc(int Op, int Branch, int Dir, ChainLink *Info,
*/
static void Http_socket_enqueue(HostConnection_t *hc, SocketData_t* sock)
{
+ sock->flags |= HTTP_SOCKET_QUEUED;
+
if ((sock->web->flags & WEB_Image) == 0) {
int i, n = dList_length(hc->queue);
@@ -823,14 +952,6 @@ static void Http_socket_enqueue(HostConnection_t *hc, SocketData_t* sock)
dList_append(hc->queue, sock);
}
-static SocketData_t* Http_socket_dequeue(HostConnection_t *hc)
-{
- SocketData_t *sd = dList_nth_data(hc->queue, 0);
-
- dList_remove(hc->queue, sd);
- return sd;
-}
-
static HostConnection_t *Http_host_connection_get(const char *host)
{
int i;
@@ -867,8 +988,10 @@ static void Http_host_connection_remove_all()
while (dList_length(host_connections) > 0) {
hc = (HostConnection_t*) dList_nth_data(host_connections, 0);
- while ((sd = Http_socket_dequeue(hc)))
+ while ((sd = dList_nth_data(hc->queue, 0))) {
+ dList_remove(hc->queue, sd);
dFree(sd);
+ }
Http_host_connection_remove(hc);
}
dList_free(host_connections);
diff --git a/src/IO/ssl.c b/src/IO/ssl.c
new file mode 100644
index 00000000..3c21960c
--- /dev/null
+++ b/src/IO/ssl.c
@@ -0,0 +1,1105 @@
+/*
+ * File: ssl.c
+ *
+ * Copyright 2004 Garrett Kajmowicz <gkajmowi@tbaytel.net>
+ * (for some bits derived from the https dpi, e.g., certificate handling)
+ * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
+ * 2009, 2010, 2011, 2012 Free Software Foundation, Inc.
+ * (for the certificate hostname checking from wget)
+ * Copyright (C) 2011 Benjamin Johnson <obeythepenguin@users.sourceforge.net>
+ * (for the https code offered from dplus browser that formed the basis...)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * As a special exception, permission is granted to link Dillo with the OpenSSL
+ * project's "OpenSSL" library, and distribute the linked executables, without
+ * including the source code for OpenSSL in the source distribution. You must
+ * obey the GNU General Public License, version 3, in all respects for all of
+ * the code used other than "OpenSSL".
+ */
+
+/* https://www.ssllabs.com/ssltest/viewMyClient.html */
+
+/*
+ * Using TLS in Applications: http://datatracker.ietf.org/wg/uta/documents/
+ * TLS: http://datatracker.ietf.org/wg/tls/documents/
+ */
+
+#include "config.h"
+#include "../msg.h"
+
+#ifndef ENABLE_SSL
+
+void a_Ssl_init()
+{
+ MSG("SSL: Disabled at compilation time.\n");
+}
+
+#else
+
+#include <assert.h>
+
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <ctype.h> /* tolower for wget stuff */
+#include <stdio.h>
+#include <errno.h>
+#include "../../dlib/dlib.h"
+#include "../dialog.hh"
+#include "../klist.h"
+#include "iowatch.hh"
+#include "ssl.h"
+#include "Url.h"
+
+#include <openssl/ssl.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h> /* for hostname checking */
+
+#define CERT_STATUS_NONE 0
+#define CERT_STATUS_RECEIVING 1
+#define CERT_STATUS_GOOD 2
+#define CERT_STATUS_BAD 3
+#define CERT_STATUS_USER_ACCEPTED 4
+
+typedef struct {
+ char *hostname;
+ int port;
+ int cert_status;
+} Server_t;
+
+typedef struct {
+ int fd;
+ int connkey;
+} FdMapEntry_t;
+
+/*
+ * Data type for SSL connection information
+ */
+typedef struct {
+ int fd;
+ DilloUrl *url;
+ SSL *ssl;
+ bool_t connecting;
+} Conn_t;
+
+/* List of active SSL connections */
+static Klist_t *conn_list = NULL;
+
+/*
+ * If ssl_context is still NULL, this corresponds to SSL being disabled.
+ */
+static SSL_CTX *ssl_context;
+static Dlist *servers;
+static Dlist *fd_map;
+
+static void Ssl_connect_cb(int fd, void *vssl);
+
+/*
+ * Compare by FD.
+ */
+static int Ssl_fd_map_cmp(const void *v1, const void *v2)
+{
+ int fd = VOIDP2INT(v2);
+ const FdMapEntry_t *e = v1;
+
+ return (fd != e->fd);
+}
+
+static void Ssl_fd_map_add_entry(int fd, int connkey)
+{
+ FdMapEntry_t *e = dNew0(FdMapEntry_t, 1);
+ e->fd = fd;
+ e->connkey = connkey;
+
+ if (dList_find_custom(fd_map, INT2VOIDP(e->fd), Ssl_fd_map_cmp)) {
+ MSG_ERR("SSL FD ENTRY ALREADY FOUND FOR %d\n", e->fd);
+ assert(0);
+ }
+
+ dList_append(fd_map, e);
+//MSG("ADD ENTRY %d %s\n", e->fd, URL_STR(sd->url));
+}
+
+/*
+ * Remove and free entry from fd_map.
+ */
+static void Ssl_fd_map_remove_entry(int fd)
+{
+ void *data = dList_find_custom(fd_map, INT2VOIDP(fd), Ssl_fd_map_cmp);
+
+//MSG("REMOVE ENTRY %d\n", fd);
+ if (data) {
+ dList_remove_fast(fd_map, data);
+ dFree(data);
+ } else {
+ MSG("SSL FD ENTRY NOT FOUND FOR %d\n", fd);
+ }
+}
+
+/*
+ * Return SSL connection information for a given file
+ * descriptor, or NULL if no SSL connection was found.
+ */
+void *a_Ssl_connection(int fd)
+{
+ Conn_t *conn;
+
+ if (fd_map) {
+ FdMapEntry_t *fme = dList_find_custom(fd_map, INT2VOIDP(fd),
+ Ssl_fd_map_cmp);
+
+ if (fme && (conn = a_Klist_get_data(conn_list, fme->connkey)))
+ return conn;
+ }
+ return NULL;
+}
+
+/*
+ * Add a new SSL connection information node.
+ */
+static int Ssl_conn_new(int fd, const DilloUrl *url, SSL *ssl)
+{
+ int key;
+
+ Conn_t *conn = dNew0(Conn_t, 1);
+ conn->fd = fd;
+ conn->url = a_Url_dup(url);
+ conn->ssl = ssl;
+ conn->connecting = TRUE;
+
+ key = a_Klist_insert(&conn_list, conn);
+
+ Ssl_fd_map_add_entry(fd, key);
+
+ return key;
+}
+
+/*
+ * Let's monitor for ssl alerts.
+ */
+static void Ssl_info_cb(const SSL *ssl, int where, int ret)
+{
+ if (where & SSL_CB_ALERT) {
+ MSG("SSL ALERT on %s: %s\n", (where & SSL_CB_READ) ? "read" : "write",
+ SSL_alert_desc_string_long(ret));
+ }
+}
+
+/*
+ * Load trusted certificates.
+ * This is like using SSL_CTX_load_verify_locations() but permitting more
+ * than one bundle and more than one directory. Due to the notoriously
+ * abysmal openssl documentation, this was worked out from reading discussion
+ * on the web and then reading openssl source to see what it normally does.
+ */
+static void Ssl_load_certificates()
+{
+ /* curl-7.37.1 says that the following bundle locations are used on "Debian
+ * systems", "Redhat and Mandriva", "old(er) Redhat", "FreeBSD", and
+ * "OpenBSD", respectively -- and that the /etc/ssl/certs/ path is needed on
+ * "SUSE". No doubt it's all changed some over time, but this gives us
+ * something to work with.
+ */
+ uint_t u;
+ char *userpath;
+ static const char *ca_files[] = {
+ "/etc/ssl/certs/ca-certificates.crt",
+ "/etc/pki/tls/certs/ca-bundle.crt",
+ "/usr/share/ssl/certs/ca-bundle.crt",
+ "/usr/local/share/certs/ca-root.crt",
+ "/etc/ssl/cert.pem",
+ CA_CERTS_FILE
+ };
+
+ static const char *ca_paths[] = {
+ "/etc/ssl/certs/",
+ CA_CERTS_DIR
+ };
+
+ X509_STORE *store = SSL_CTX_get_cert_store(ssl_context);
+ X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+
+ for (u = 0; u < sizeof(ca_files) / sizeof(ca_files[0]); u++) {
+ if (*ca_files[u])
+ X509_LOOKUP_load_file(lookup, ca_files[u], X509_FILETYPE_PEM);
+ }
+
+ lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
+ for (u = 0; u < sizeof(ca_paths)/sizeof(ca_paths[0]); u++) {
+ if (*ca_paths[u])
+ X509_LOOKUP_add_dir(lookup, ca_paths[u], X509_FILETYPE_PEM);
+ }
+
+ userpath = dStrconcat(dGethomedir(), "/.dillo/certs/", NULL);
+ X509_LOOKUP_add_dir(lookup, userpath, X509_FILETYPE_PEM);
+ dFree(userpath);
+
+ /* Clear out errors in the queue (file not found, etc.) */
+ while(ERR_get_error())
+ ;
+}
+
+/*
+ * Initialize the OpenSSL library.
+ */
+void a_Ssl_init(void)
+{
+ SSL_library_init();
+ SSL_load_error_strings();
+ if (RAND_status() != 1) {
+ /* The standard solution is to provide it with more entropy, but this
+ * involves knowing very well that you are doing exactly the right thing.
+ */
+ MSG_ERR("Disabling HTTPS: Insufficient entropy for openssl.\n");
+ return;
+ }
+
+ /* Create SSL context */
+ ssl_context = SSL_CTX_new(SSLv23_client_method());
+ if (ssl_context == NULL) {
+ MSG_ERR("Disabling HTTPS: Error creating SSL context.\n");
+ return;
+ }
+
+ SSL_CTX_set_info_callback(ssl_context, Ssl_info_cb);
+
+ /* Don't want: eNULL, which has no encryption; aNULL, which has no
+ * authentication; LOW, which as of 2014 use 64 or 56-bit encryption;
+ * EXPORT40, which uses 40-bit encryption; RC4, for which methods were
+ * found in 2013 to defeat it somewhat too easily.
+ */
+ SSL_CTX_set_cipher_list(ssl_context,
+ "ALL:!aNULL:!eNULL:!LOW:!EXPORT40:!RC4");
+
+ /* SSL2 has been known to be insecure forever, disabling SSL3 is in response
+ * to POODLE, and disabling compression is in response to CRIME.
+ */
+ SSL_CTX_set_options(ssl_context,
+ SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
+
+ /* This lets us deal with self-signed certificates */
+ SSL_CTX_set_verify(ssl_context, SSL_VERIFY_NONE, NULL);
+
+ Ssl_load_certificates();
+
+ fd_map = dList_new(20);
+ servers = dList_new(8);
+}
+
+/*
+ * Save certificate with a hashed filename.
+ * Return: 0 on success, 1 on failure.
+ */
+static int Ssl_save_certificate_home(X509 * cert)
+{
+ char buf[4096];
+
+ FILE * fp = NULL;
+ uint_t i = 0;
+ int ret = 1;
+
+ /* Attempt to create .dillo/certs blindly - check later */
+ snprintf(buf, 4096, "%s/.dillo/", dGethomedir());
+ mkdir(buf, 01777);
+ snprintf(buf, 4096, "%s/.dillo/certs/", dGethomedir());
+ mkdir(buf, 01777);
+
+ do {
+ snprintf(buf, 4096, "%s/.dillo/certs/%lx.%u",
+ dGethomedir(), X509_subject_name_hash(cert), i);
+
+ fp=fopen(buf, "r");
+ if (fp == NULL){
+ /* File name doesn't exist so we can use it safely */
+ fp=fopen(buf, "w");
+ if (fp == NULL){
+ MSG("Unable to open cert save file in home dir\n");
+ break;
+ } else {
+ PEM_write_X509(fp, cert);
+ fclose(fp);
+ MSG("Wrote certificate\n");
+ ret = 0;
+ break;
+ }
+ } else {
+ fclose(fp);
+ }
+ i++;
+ /* Don't loop too many times - just give up */
+ } while (i < 1024);
+
+ return ret;
+}
+
+/*
+ * Test whether a URL corresponds to a server.
+ */
+static int Ssl_servers_cmp(const void *v1, const void *v2)
+{
+ Server_t *s = (Server_t *)v1;
+ const DilloUrl *url = (const DilloUrl *)v2;
+ const char *host = URL_HOST(url);
+ int port = URL_PORT(url);
+
+ return (dStrAsciiCasecmp(s->hostname, host) || (port != s->port));
+}
+
+/*
+ * The purpose here is to permit a single initial connection to a server.
+ * Once we have the certificate, know whether we like it -- and whether the
+ * user accepts it -- HTTP can run through queued sockets as normal.
+ *
+ * Return: 1 means yes, 0 means not yet, -1 means never.
+ * TODO: Something clearer or different.
+ */
+int a_Ssl_connect_ready(const DilloUrl *url)
+{
+ Server_t *s;
+ int i, len;
+ const char *host = URL_HOST(url);
+ const int port = URL_PORT(url);
+ int ret = SSL_CONNECT_READY;
+
+ dReturn_val_if_fail(ssl_context, SSL_CONNECT_NEVER);
+
+ len = dList_length(servers);
+
+ for (i = 0; i < len; i++) {
+ s = dList_nth_data(servers, i);
+
+ if (!dStrAsciiCasecmp(s->hostname, host) && (port == s->port)) {
+ if (s->cert_status == CERT_STATUS_RECEIVING)
+ ret = SSL_CONNECT_NOT_YET;
+ else if (s->cert_status == CERT_STATUS_BAD)
+ ret = SSL_CONNECT_NEVER;
+
+ if (s->cert_status == CERT_STATUS_NONE)
+ s->cert_status = CERT_STATUS_RECEIVING;
+ return ret;
+ }
+ }
+ s = dNew(Server_t, 1);
+
+ s->port = port;
+ s->hostname = dStrdup(host);
+ s->cert_status = CERT_STATUS_RECEIVING;
+ dList_append(servers, s);
+ return ret;
+}
+
+/*
+ * Did we find problems with the certificate, and did the user proceed to
+ * reject the connection?
+ */
+static int Ssl_user_said_no(const DilloUrl *url)
+{
+ Server_t *s = dList_find_custom(servers, url, Ssl_servers_cmp);
+
+ if (!s)
+ return FALSE;
+
+ return s->cert_status == CERT_STATUS_BAD;
+}
+
+/*
+ * Did we find problems with the certificate, and did the user proceed to
+ * accept the connection anyway?
+ */
+static int Ssl_user_said_yes(const DilloUrl *url)
+{
+ Server_t *s = dList_find_custom(servers, url, Ssl_servers_cmp);
+
+ if (!s)
+ return FALSE;
+
+ return s->cert_status == CERT_STATUS_USER_ACCEPTED;
+}
+
+/******************** BEGINNING OF STUFF DERIVED FROM wget-1.16.3 */
+
+#define ASTERISK_EXCLUDES_DOT /* mandated by rfc2818 */
+
+/* Return true is STRING (case-insensitively) matches PATTERN, false
+ otherwise. The recognized wildcard character is "*", which matches
+ any character in STRING except ".". Any number of the "*" wildcard
+ may be present in the pattern.
+
+ This is used to match of hosts as indicated in rfc2818: "Names may
+ contain the wildcard character * which is considered to match any
+ single domain name component or component fragment. E.g., *.a.com
+ matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but
+ not bar.com [or foo.bar.com]."
+
+ If the pattern contain no wildcards, pattern_match(a, b) is
+ equivalent to !strcasecmp(a, b). */
+
+static bool_t pattern_match (const char *pattern, const char *string)
+{
+
+ const char *p = pattern, *n = string;
+ char c;
+ for (; (c = tolower (*p++)) != '\0'; n++)
+ if (c == '*')
+ {
+ for (c = tolower (*p); c == '*'; c = tolower (*++p))
+ ;
+ for (; *n != '\0'; n++)
+ if (tolower (*n) == c && pattern_match (p, n))
+ return TRUE;
+#ifdef ASTERISK_EXCLUDES_DOT
+ else if (*n == '.')
+ return FALSE;
+#endif
+ return c == '\0';
+ }
+ else
+ {
+ if (c != tolower (*n))
+ return FALSE;
+ }
+ return *n == '\0';
+}
+
+static bool_t Ssl_check_cert_hostname(X509 *cert, const DilloUrl *url, int *choice)
+{
+ dReturn_val_if_fail(cert && url, -1);
+
+ char *msg;
+ const char *host = URL_HOST(url);
+ GENERAL_NAMES *subjectAltNames;
+ bool_t success = TRUE, alt_name_checked = FALSE;;
+ char common_name[256];
+
+ /* Check that HOST matches the common name in the certificate.
+ #### The following remains to be done:
+
+ - When matching against common names, it should loop over all
+ common names and choose the most specific one, i.e. the last
+ one, not the first one, which the current code picks.
+
+ - Ensure that ASN1 strings from the certificate are encoded as
+ UTF-8 which can be meaningfully compared to HOST. */
+
+ subjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL);
+
+ if (subjectAltNames)
+ {
+ /* Test subject alternative names */
+
+ /* Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)?
+ * Signal it by host_in_octet_string. */
+ ASN1_OCTET_STRING *host_in_octet_string = a2i_IPADDRESS (host);
+
+ int numaltnames = sk_GENERAL_NAME_num (subjectAltNames);
+ int i;
+ for (i=0; i < numaltnames; i++)
+ {
+ const GENERAL_NAME *name =
+ sk_GENERAL_NAME_value (subjectAltNames, i);
+ if (name)
+ {
+ if (host_in_octet_string)
+ {
+ if (name->type == GEN_IPADD)
+ {
+ /* Check for ipAddress */
+ /* TODO: Should we convert between IPv4-mapped IPv6
+ * addresses and IPv4 addresses? */
+ alt_name_checked = TRUE;
+ if (!ASN1_STRING_cmp (host_in_octet_string,
+ name->d.iPAddress))
+ break;
+ }
+ }
+ else if (name->type == GEN_DNS)
+ {
+ /* dNSName should be IA5String (i.e. ASCII), however who
+ * does trust CA? Convert it into UTF-8 for sure. */
+ unsigned char *name_in_utf8 = NULL;
+
+ /* Check for dNSName */
+ alt_name_checked = TRUE;
+
+ if (0 <= ASN1_STRING_to_UTF8 (&name_in_utf8, name->d.dNSName))
+ {
+ /* Compare and check for NULL attack in ASN1_STRING */
+ if (pattern_match ((char *)name_in_utf8, host) &&
+ (strlen ((char *)name_in_utf8) ==
+ (size_t)ASN1_STRING_length (name->d.dNSName)))
+ {
+ OPENSSL_free (name_in_utf8);
+ break;
+ }
+ OPENSSL_free (name_in_utf8);
+ }
+ }
+ }
+ }
+ sk_GENERAL_NAME_pop_free(subjectAltNames, GENERAL_NAME_free);
+ if (host_in_octet_string)
+ ASN1_OCTET_STRING_free(host_in_octet_string);
+
+ if (alt_name_checked == TRUE && i >= numaltnames)
+ {
+ success = FALSE;
+ msg = dStrconcat("no certificate subject alternative name matches"
+ " requested host name \n", host, NULL);
+ *choice = a_Dialog_choice("Dillo SSL",
+ msg, "Continue", "Cancel", NULL);
+ dFree(msg);
+
+ switch (*choice){
+ case 1:
+ success = TRUE;
+ break;
+ case 2:
+ break;
+ default:
+ break;
+ }
+ }
+ }
+
+ if (alt_name_checked == FALSE)
+ {
+ /* Test commomName */
+ X509_NAME *xname = X509_get_subject_name(cert);
+ common_name[0] = '\0';
+ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
+ sizeof (common_name));
+
+ if (!pattern_match (common_name, host))
+ {
+ success = FALSE;
+ msg = dStrconcat("certificate common name ", common_name, " doesn't match requested host name ", host, NULL);
+ *choice = a_Dialog_choice("Dillo SSL",
+ msg, "Continue", "Cancel", NULL);
+ dFree(msg);
+
+ switch (*choice){
+ case 1:
+ success = TRUE;
+ break;
+ case 2:
+ break;
+ default:
+ break;
+ }
+ }
+ else
+ {
+ /* We now determine the length of the ASN1 string. If it
+ * differs from common_name's length, then there is a \0
+ * before the string terminates. This can be an instance of a
+ * null-prefix attack.
+ *
+ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
+ * */
+
+ int i = -1, j;
+ X509_NAME_ENTRY *xentry;
+ ASN1_STRING *sdata;
+
+ if (xname) {
+ for (;;)
+ {
+ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
+ if (j == -1) break;
+ i = j;
+ }
+ }
+
+ xentry = X509_NAME_get_entry(xname,i);
+ sdata = X509_NAME_ENTRY_get_data(xentry);
+ if (strlen (common_name) != (size_t)ASN1_STRING_length (sdata))
+ {
+ success = FALSE;
+ msg = dStrconcat("certificate common name is invalid (contains a NUL character). This may be an indication that the host is not who it claims to be -- that is, not the real ", host, NULL);
+ *choice = a_Dialog_choice("Dillo SSL",
+ msg, "Continue", "Cancel", NULL);
+ dFree(msg);
+
+ switch (*choice){
+ case 1:
+ success = TRUE;
+ break;
+ case 2:
+ break;
+ default:
+ break;
+ }
+ }
+ }
+ }
+ return success;
+}
+
+/******************** END OF STUFF DERIVED FROM wget-1.16.3 */
+
+/*
+ * Examine the certificate, and, if problems are detected, ask the user what
+ * to do.
+ * Return: -1 if connection should be canceled, or 0 if it should continue.
+ */
+static int Ssl_examine_certificate(SSL *ssl, const DilloUrl *url)
+{
+ X509 *remote_cert;
+ long st;
+ char buf[4096], *cn, *msg;
+ int choice = -1, ret = -1;
+ char *title = dStrconcat("Dillo SSL: ", URL_HOST(url), NULL);
+ Server_t *srv = dList_find_custom(servers, url, Ssl_servers_cmp);
+
+ remote_cert = SSL_get_peer_certificate(ssl);
+ if (remote_cert == NULL){
+ /* Inform user that remote system cannot be trusted */
+ choice = a_Dialog_choice(title,
+ "The remote system is not presenting a certificate.\n"
+ "This site cannot be trusted. Sending data is not safe.",
+ "Continue", "Cancel", NULL);
+
+ /* Abort on anything but "Continue" */
+ if (choice == 1){
+ ret = 0;
+ }
+
+ } else if (Ssl_check_cert_hostname(remote_cert, url, &choice)) {
+ /* Figure out if (and why) the remote system can't be trusted */
+ st = SSL_get_verify_result(ssl);
+ switch (st) {
+ case X509_V_OK:
+ ret = 0;
+ break;
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ /* Either self signed and untrusted */
+ /* Extract CN from certificate name information */
+ if ((cn = strstr(remote_cert->name, "/CN=")) == NULL) {
+ strcpy(buf, "(no CN given)");
+ } else {
+ char *cn_end;
+
+ cn += 4;
+
+ if ((cn_end = strstr(cn, "/")) == NULL )
+ cn_end = cn + strlen(cn);
+
+ strncpy(buf, cn, (size_t) (cn_end - cn));
+ buf[cn_end - cn] = '\0';
+ }
+ msg = dStrconcat("The remote certificate is self-signed and "
+ "untrusted.\nFor address: ", buf, NULL);
+ choice = a_Dialog_choice(title,
+ msg, "Continue", "Cancel", "Save Certificate", NULL);
+ dFree(msg);
+
+ switch (choice){
+ case 1:
+ ret = 0;
+ break;
+ case 2:
+ break;
+ case 3:
+ /* Save certificate to a file here and recheck the chain */
+ /* Potential security problems because we are writing
+ * to the filesystem */
+ Ssl_save_certificate_home(remote_cert);
+ ret = 1;
+ break;
+ default:
+ break;
+ }
+ break;
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+ choice = a_Dialog_choice(title,
+ "The issuer for the remote certificate cannot be found\n"
+ "The authenticity of the remote certificate cannot be trusted",
+ "Continue", "Cancel", NULL);
+
+ if (choice == 1) {
+ ret = 0;
+ }
+ break;
+
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+ case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+ case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+ choice = a_Dialog_choice(title,
+ "The remote certificate signature could not be read\n"
+ "or is invalid and should not be trusted",
+ "Continue", "Cancel", NULL);
+
+ if (choice == 1) {
+ ret = 0;
+ }
+ break;
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ choice = a_Dialog_choice(title,
+ "Part of the remote certificate is not yet valid\n"
+ "Certificates usually have a range of dates over which\n"
+ "they are to be considered valid, and the certificate\n"
+ "presented has a starting validity after today's date\n"
+ "You should be cautious about using this site",
+ "Continue", "Cancel", NULL);
+
+ if (choice == 1) {
+ ret = 0;
+ }
+ break;
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ choice = a_Dialog_choice(title,
+ "The remote certificate has expired. The certificate\n"
+ "wasn't designed to last this long. You should avoid \n"
+ "this site.",
+ "Continue", "Cancel", NULL);
+ if (choice == 1) {
+ ret = 0;
+ }
+ break;
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+ choice = a_Dialog_choice(title,
+ "There was an error in the certificate presented.\n"
+ "Some of the certificate data was improperly formatted\n"
+ "making it impossible to determine if the certificate\n"
+ "is valid. You should not trust this certificate.",
+ "Continue", "Cancel", NULL);
+ if (choice == 1) {
+ ret = 0;
+ }
+ break;
+ case X509_V_ERR_INVALID_CA:
+ case X509_V_ERR_INVALID_PURPOSE:
+ case X509_V_ERR_CERT_UNTRUSTED:
+ case X509_V_ERR_CERT_REJECTED:
+ case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+ choice = a_Dialog_choice(title,
+ "One of the certificates in the chain is being used\n"
+ "incorrectly (possibly due to configuration problems\n"
+ "with the remote system. The connection should not\n"
+ "be trusted",
+ "Continue", "Cancel", NULL);
+ if (choice == 1) {
+ ret = 0;
+ }
+ break;
+ case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+ case X509_V_ERR_AKID_SKID_MISMATCH:
+ case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+ choice = a_Dialog_choice(title,
+ "Some of the information presented by the remote system\n"
+ "does not match other information presented\n"
+ "This may be an attempt to eavesdrop on communications",
+ "Continue", "Cancel", NULL);
+ if (choice == 1) {
+ ret = 0;
+ }
+ break;
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ choice = a_Dialog_choice(title,
+ "Self signed certificate in certificate chain. The certificate "
+ "chain could be built up using the untrusted certificates but the "
+ "root could not be found locally.",
+ "Continue", "Cancel", NULL);
+ if (choice == 1) {
+ ret = 0;
+ }
+ break;
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ choice = a_Dialog_choice(title,
+ "Unable to get local issuer certificate. The issuer certificate "
+ "of an untrusted certificate cannot be found.",
+ "Continue", "Cancel", NULL);
+ if (choice == 1) {
+ ret = 0;
+ }
+ break;
+ default: /* Need to add more options later */
+ snprintf(buf, 80,
+ "The remote certificate cannot be verified (code %ld)", st);
+ choice = a_Dialog_choice(title,
+ buf, "Continue", "Cancel", NULL);
+ /* abort on anything but "Continue" */
+ if (choice == 1){
+ ret = 0;
+ }
+ }
+ X509_free(remote_cert);
+ remote_cert = 0;
+ }
+ dFree(title);
+
+ if (choice == 2)
+ srv->cert_status = CERT_STATUS_BAD;
+ else if (choice == -1)
+ srv->cert_status = CERT_STATUS_GOOD;
+ else
+ srv->cert_status = CERT_STATUS_USER_ACCEPTED;
+
+ return ret;
+}
+
+/*
+ * If the connection was closed before we got the certificate, we need to
+ * reset state so that we'll try again.
+ */
+void a_Ssl_reset_server_state(const DilloUrl *url)
+{
+ if (servers) {
+ Server_t *s = dList_find_custom(servers, url, Ssl_servers_cmp);
+
+ if (s && s->cert_status == CERT_STATUS_RECEIVING)
+ s->cert_status = CERT_STATUS_NONE;
+ }
+}
+
+/*
+ * Close an open SSL connection.
+ */
+static void Ssl_close_by_key(int connkey)
+{
+ Conn_t *c;
+
+ if ((c = a_Klist_get_data(conn_list, connkey))) {
+ a_Ssl_reset_server_state(c->url);
+ if (c->connecting) {
+ a_IOwatch_remove_fd(c->fd, -1);
+ dClose(c->fd);
+ }
+ SSL_shutdown(c->ssl);
+ SSL_free(c->ssl);
+
+ a_Url_free(c->url);
+ Ssl_fd_map_remove_entry(c->fd);
+ a_Klist_remove(conn_list, connkey);
+ dFree(c);
+ }
+}
+
+/*
+ * Connect, set a callback if it's still not completed. If completed, check
+ * the certificate and report back to http.
+ */
+static void Ssl_connect(int fd, int connkey)
+{
+ int ret;
+ bool_t ongoing = FALSE, failed = TRUE;
+ Conn_t *conn;
+
+ if (!(conn = a_Klist_get_data(conn_list, connkey))) {
+ MSG("Ssl_connect: conn for fd %d not valid\n", fd);
+ return;
+ }
+
+ assert(!ERR_get_error());
+
+ ret = SSL_connect(conn->ssl);
+
+ if (ret <= 0) {
+ int err1_ret = SSL_get_error(conn->ssl, ret);
+ if (err1_ret == SSL_ERROR_WANT_READ ||
+ err1_ret == SSL_ERROR_WANT_WRITE) {
+ int want = err1_ret == SSL_ERROR_WANT_READ ? DIO_READ : DIO_WRITE;
+
+ _MSG("iowatching fd %d for ssl -- want %s\n", fd,
+ err1_ret == SSL_ERROR_WANT_READ ? "read" : "write");
+ a_IOwatch_remove_fd(fd, -1);
+ a_IOwatch_add_fd(fd, want, Ssl_connect_cb, INT2VOIDP(connkey));
+ ongoing = TRUE;
+ failed = FALSE;
+ } else if (err1_ret == SSL_ERROR_SYSCALL || err1_ret == SSL_ERROR_SSL) {
+ unsigned long err2_ret = ERR_get_error();
+
+ if (err2_ret) {
+ do {
+ MSG("SSL_connect() failed: %s\n",
+ ERR_error_string(err2_ret, NULL));
+ } while ((err2_ret = ERR_get_error()));
+ } else {
+ /* nothing in the error queue */
+ if (ret == 0) {
+ MSG("SSL connect error: \"an EOF was observed that violates "
+ "the protocol\"\n");
+ /*
+ * I presume we took too long on our side and the server grew
+ * impatient.
+ */
+ } else if (ret == -1) {
+ MSG("SSL connect error: %s\n", dStrerror(errno));
+
+ /* If the following can happen, I'll add code to handle it, but
+ * I don't want to add code blindly if it isn't getting used
+ */
+ assert(errno != EAGAIN && errno != EINTR);
+ } else {
+ MSG_ERR("According to the man page for SSL_get_error(), this "
+ "was not a possibility (ret %d).\n", ret);
+ }
+ }
+ } else {
+ MSG("SSL_get_error() returned %d on a connect.\n", err1_ret);
+ }
+ } else {
+ if (Ssl_user_said_yes(conn->url) ||
+ (Ssl_examine_certificate(conn->ssl, conn->url) != -1))
+ failed = FALSE;
+ }
+
+ /*
+ * If there were problems with the certificate, the connection may have
+ * been closed by the server if the user responded too slowly to a popup.
+ */
+
+ if (!ongoing) {
+ if (a_Klist_get_data(conn_list, connkey)) {
+ conn->connecting = FALSE;
+ if (failed) {
+ Ssl_close_by_key(connkey);
+ }
+ a_IOwatch_remove_fd(fd, DIO_READ|DIO_WRITE);
+ a_Http_connect_done(fd, failed ? FALSE : TRUE);
+ } else {
+ MSG("Connection disappeared. Too long with a popup popped up?\n");
+ }
+ }
+}
+
+static void Ssl_connect_cb(int fd, void *vconnkey)
+{
+ Ssl_connect(fd, VOIDP2INT(vconnkey));
+}
+
+/*
+ * Perform the SSL handshake on an open socket.
+ */
+void a_Ssl_handshake(int fd, const DilloUrl *url)
+{
+ SSL *ssl;
+ bool_t success = TRUE;
+ int connkey = -1;
+
+ if (!ssl_context)
+ success = FALSE;
+
+ if (success && Ssl_user_said_no(url)) {
+ success = FALSE;
+ }
+
+ assert(!ERR_get_error());
+
+ if (success && !(ssl = SSL_new(ssl_context))) {
+ unsigned long err_ret = ERR_get_error();
+ do {
+ MSG("SSL_new() failed: %s\n", ERR_error_string(err_ret, NULL));
+ } while ((err_ret = ERR_get_error()));
+ success = FALSE;
+ }
+
+ /* assign SSL connection to this file descriptor */
+ if (success && !SSL_set_fd(ssl, fd)) {
+ unsigned long err_ret = ERR_get_error();
+ do {
+ MSG("SSL_set_fd() failed: %s\n", ERR_error_string(err_ret, NULL));
+ } while ((err_ret = ERR_get_error()));
+ success = FALSE;
+ }
+
+ if (success)
+ connkey = Ssl_conn_new(fd, url, ssl);
+
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ /* Server Name Indication. From the openssl changelog, it looks like this
+ * came along in 2010.
+ */
+ if (success && !a_Url_host_is_ip(URL_HOST(url)))
+ SSL_set_tlsext_host_name(ssl, URL_HOST(url));
+#endif
+
+ if (!success) {
+ a_Ssl_reset_server_state(url);
+ a_Http_connect_done(fd, success);
+ } else {
+ Ssl_connect(fd, connkey);
+ }
+}
+
+/*
+ * Read data from an open SSL connection.
+ */
+int a_Ssl_read(void *conn, void *buf, size_t len)
+{
+ Conn_t *c = (Conn_t*)conn;
+ return SSL_read(c->ssl, buf, len);
+}
+
+/*
+ * Write data to an open SSL connection.
+ */
+int a_Ssl_write(void *conn, void *buf, size_t len)
+{
+ Conn_t *c = (Conn_t*)conn;
+ return SSL_write(c->ssl, buf, len);
+}
+
+void a_Ssl_close_by_fd(int fd)
+{
+ FdMapEntry_t *fme = dList_find_custom(fd_map, INT2VOIDP(fd),
+ Ssl_fd_map_cmp);
+
+ if (fme) {
+ Ssl_close_by_key(fme->connkey);
+ }
+}
+
+static void Ssl_servers_freeall()
+{
+ if (servers) {
+ Server_t *s;
+ int i, n = dList_length(servers);
+
+ for (i = 0; i < n; i++) {
+ s = (Server_t *) dList_nth_data(servers, i);
+ dFree(s->hostname);
+ dFree(s);
+ }
+ dList_free(servers);
+ }
+}
+
+static void Ssl_fd_map_remove_all()
+{
+ if (fd_map) {
+ FdMapEntry_t *fme;
+ int i, n = dList_length(fd_map);
+
+ for (i = 0; i < n; i++) {
+ fme = (FdMapEntry_t *) dList_nth_data(fd_map, i);
+ dFree(fme);
+ }
+ dList_free(fd_map);
+ }
+}
+
+/*
+ * Clean up the OpenSSL library
+ */
+void a_Ssl_freeall(void)
+{
+ if (ssl_context)
+ SSL_CTX_free(ssl_context);
+ Ssl_fd_map_remove_all();
+ Ssl_servers_freeall();
+}
+
+#endif /* ENABLE_SSL */
diff --git a/src/IO/ssl.h b/src/IO/ssl.h
new file mode 100644
index 00000000..f55479b2
--- /dev/null
+++ b/src/IO/ssl.h
@@ -0,0 +1,47 @@
+#ifndef __SSL_H__
+#define __SSL_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "../url.h"
+
+#define SSL_CONNECT_NEVER -1
+#define SSL_CONNECT_NOT_YET 0
+#define SSL_CONNECT_READY 1
+
+void a_Ssl_init();
+
+
+#ifdef ENABLE_SSL
+int a_Ssl_connect_ready(const DilloUrl *url);
+void a_Ssl_reset_server_state(const DilloUrl *url);
+
+/* Use to initiate a SSL connection. */
+void a_Ssl_handshake(int fd, const DilloUrl *url);
+
+void *a_Ssl_connection(int fd);
+
+void a_Ssl_freeall();
+
+void a_Ssl_close_by_fd(int fd);
+int a_Ssl_read(void *conn, void *buf, size_t len);
+int a_Ssl_write(void *conn, void *buf, size_t len);
+#else
+
+#define a_Ssl_connect_ready(url) SSL_CONNECT_NEVER
+#define a_Ssl_reset_server_state(url) ;
+#define a_Ssl_handshake(fd, url) ;
+#define a_Ssl_connection(fd) NULL
+#define a_Ssl_freeall() ;
+#define a_Ssl_close_by_fd(fd) ;
+#define a_Ssl_read(conn, buf, len) 0
+#define a_Ssl_write(conn, buf, len) 0
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __SSL_H__ */
+