path: root/src/IO/tls_openssl.c
Age  Commit message  (Author)
2024-11-24  Add support to query version in TLS backends  (Rodrigo Arias Mallo)
2024-09-11  Fix heap use after free in TLS conn on errors  (Rodrigo Arias Mallo)
When an error causes the TLS connection to fail and stop, the conn struct is freed in Tls_close_by_key(), so writing to conn->in_connect is not correct after that point. The solution is to only set the flag when it is still valid. Reported-by: Alex <a1ex@dismail.de> Link: https://lists.mailman3.com/hyperkitty/list/dillo-dev@mailman3.com/thread/TY2JYCIPC7IQ32U6VC7ZOV3FVFFOE5K3/
2024-08-07  Make Dillo C99 standard compliant  (Rodrigo Arias Mallo)
Reviewed-by: dogma
2024-06-01  Don't call SSL_get_error() with pending data  (Rodrigo Arias Mallo)
When a positive non-zero value is returned from SSL_read or SSL_write, there is data read or written, so there is no need to check for errors; that is only needed in the case the return value is 0 or negative.
2024-06-01  Handle SSL_ERROR_ZERO_RETURN in OpenSSL  (Rodrigo Arias Mallo)
It may be returned when the server closes the connection, see: https://www.openssl.org/docs/manmaster/man3/SSL_get_error.html We simply handle it as if there was no error and return zero bytes read. Fixes: https://github.com/dillo-browser/dillo/issues/175
2024-05-18  Avoid reaching into X509_ALGOR  (Theo Buehler)
It would be nice if X509_ALGOR could be made opaque at some point. There is a somewhat clumsy accessor X509_ALGOR_get0() that allows obtaining the ASN1_OBJECT sitting inside an X509_ALGOR. Use this instead.
2024-04-05  Use SSL_get1_peer_certificate() in OpenSSL 3  (Rodrigo Arias Mallo)
The function SSL_get_peer_certificate() is deprecated in 3.0.0, but still defined as a compatibility macro. Fixes: https://github.com/dillo-browser/dillo/issues/118
2024-02-18  Don't call SSL_shutdown on fatal SSL errors  (Rodrigo Arias Mallo)
2024-02-18  Handle errors in SSL_read() and SSL_write()  (Rodrigo Arias Mallo)
We cannot rely on the return value and the errno; the function SSL_get_error() must be used to determine what happened and whether we need to retry again. A wrapper function translates the SSL error into a proper errno value. In the case a premature EOF is sent by the server, the error queue is emptied before the error is returned. Fixes: https://github.com/dillo-browser/dillo/issues/79
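The three commits above (only consult SSL_get_error() when the return value is 0 or negative, treat SSL_ERROR_ZERO_RETURN as a clean zero-byte read, and translate everything else into an errno the caller can act on) describe one decision procedure. The following is an added example of that procedure, written for this page and not taken from Dillo's src/IO/tls_openssl.c. The function and type names (tls_classify, tls_read, tls_outcome) are hypothetical, and the errno values chosen for the fatal cases (ECONNRESET for a premature EOF, EPROTO for an SSL-level failure) are this example's choices, not Dillo's. tls_classify() is pure, so it can be exercised without a TLS session; tls_read() shows it applied to a real SSL_read() and is compiled only when OpenSSL is available and linked.

```c
/*
 * Added example (not Dillo's code): classify the result of SSL_read()/
 * SSL_write() into data / clean EOF / retry / fatal, following the rules in
 * the commit messages above. tls_read() is compiled only with
 *   cc -DTLS_EXAMPLE_WITH_OPENSSL example.c -lssl -lcrypto
 */
#include <errno.h>
#include <stdio.h>

#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#    include <openssl/err.h>
#  endif
#endif

#ifndef SSL_ERROR_NONE
/* Fallback so the pure part compiles without OpenSSL headers. These are the
 * numeric values OpenSSL's ssl.h assigns (1.x and 3.x); copied, not invented. */
#define SSL_ERROR_NONE        0
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6
#endif

enum tls_action {
    TLS_DATA,   /* nbytes were read or written */
    TLS_EOF,    /* peer sent close_notify: clean end of stream */
    TLS_RETRY,  /* socket not ready: wait for the fd and call again */
    TLS_FAIL    /* fatal: report, tear the connection down, no SSL_shutdown() */
};

struct tls_outcome {
    enum tls_action action;
    int nbytes;  /* meaningful for TLS_DATA */
    int err;     /* errno to hand back for TLS_RETRY / TLS_FAIL */
};

/* ret: raw SSL_read()/SSL_write() return value.
 * ssl_err: SSL_get_error(ssl, ret); only consulted when ret <= 0.
 * saved_errno: errno captured immediately after the SSL call. */
struct tls_outcome tls_classify(int ret, int ssl_err, int saved_errno)
{
    struct tls_outcome o = { TLS_FAIL, 0, EIO };

    /* Data moved: do not call SSL_get_error() for a positive return. */
    if (ret > 0) {
        o.action = TLS_DATA;
        o.nbytes = ret;
        o.err = 0;
        return o;
    }
    switch (ssl_err) {
    case SSL_ERROR_ZERO_RETURN:      /* server closed cleanly: zero bytes, no error */
        o.action = TLS_EOF;
        o.err = 0;
        break;
    case SSL_ERROR_WANT_READ:        /* both can occur on either call, e.g. during */
    case SSL_ERROR_WANT_WRITE:       /* a handshake that runs inside SSL_read() */
        o.action = TLS_RETRY;
        o.err = EAGAIN;
        break;
    case SSL_ERROR_SYSCALL:
        /* ret == 0 with errno == 0 is the premature EOF (TCP closed without
         * close_notify) on OpenSSL 1.1; OpenSSL 3 reports it as SSL_ERROR_SSL
         * unless SSL_OP_IGNORE_UNEXPECTED_EOF is set. ECONNRESET is this
         * example's errno choice for it. */
        o.err = saved_errno ? saved_errno : ECONNRESET;
        break;
    case SSL_ERROR_SSL:              /* library/protocol failure; queue has details */
        o.err = EPROTO;              /* this example's errno choice */
        break;
    default:
        o.err = EIO;
        break;
    }
    return o;
}

#ifdef TLS_EXAMPLE_WITH_OPENSSL
/* read()-like wrapper: bytes read, 0 on clean EOF, or -1 with errno set.
 * Hypothetical name; not Dillo's a_Tls_openssl_* API. */
int tls_read(SSL *ssl, void *buf, int len)
{
    errno = 0;
    int ret = SSL_read(ssl, buf, len);
    int saved_errno = errno;                       /* capture before anything else */
    int ssl_err = ret > 0 ? SSL_ERROR_NONE : SSL_get_error(ssl, ret);
    struct tls_outcome o = tls_classify(ret, ssl_err, saved_errno);

    switch (o.action) {
    case TLS_DATA:  return o.nbytes;
    case TLS_EOF:   return 0;
    case TLS_RETRY: errno = o.err; return -1;
    case TLS_FAIL:
    default:
        ERR_print_errors_fp(stderr);   /* show the cause before draining the queue */
        ERR_clear_error();             /* so stale entries don't poison the next call */
        errno = o.err;
        return -1;
    }
}
#endif
```

A caller treating TLS_FAIL must free the connection without calling SSL_shutdown(), since after a fatal error the session state is unusable; the TLS_RETRY path is where the fd watch gets re-armed.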
2024-01-15  Prevent nested calls to Tls_connect()  (Rodrigo Arias Mallo)
They may accidentally happen if an fd callback is still attached to the connection socket while we wait in an FLTK dialog, causing another call to Tls_connect() which will end up in an infinite loop.
2024-01-15  Remove fd watch while performing TLS check  (Rodrigo Arias Mallo)
Avoids calling the callback while the TLS dialog is opened, which was causing an infinite loop of recursive calls to Tls_connect(). Fixes: https://github.com/dillo-browser/dillo/issues/49
2024-01-14  Report TLS errors if any before aborting  (Rodrigo Arias Mallo)
Instead of just asserting that there are no previous TLS errors, print the error queue and then abort. It prevents the error queue from being emptied before having a chance to see what error was stored.
2024-01-11  Replace dReturn_val_if_fail() by a simple if()  (Rodrigo Arias Mallo)
The macro hides a return path and makes it more difficult to read the condition as it is negated.
2024-01-11  Report OpenSSL and mbedTLS versions  (Rodrigo Arias Mallo)
2023-12-30  Fix declaration after case statement  (Rodrigo Arias Mallo)
2023-12-30  Fix EVP_PKEY_get_id() for OpenSSL 1.1  (Rodrigo Arias Mallo)
Before OpenSSL 3.0, the EVP_PKEY_get_id() was named EVP_PKEY_id().
2023-12-30  Use TLS_client_method() for SSL_CTX_new()  (Rodrigo Arias Mallo)
The SSLv23_client_method() function is deprecated: https://www.openssl.org/docs/man3.2/man3/SSLv23_client_method.html
2023-12-30  Add support for OpenSSL, mbedTLS 2 and mbedTLS 3  (Rodrigo Arias Mallo)
Brings the previous OpenSSL implementation into src/IO/tls_openssl.c. Now, the TLS functions have the implementation name as prefix, like a_Tls_openssl_connect(). The generic interface at IO/tls.h hides the implementation which is selected at configure time. The appropriate functions of that implementation are called from IO/tls.c to IO/tls_<impl>.c. In this way, support for more TLS libraries can easily be added. In the case of mbedTLS, there are some incompatible changes from version 2 to 3, so we use some ifdefs to fix the differences.