https.c

基于minigui的浏览器. 这是最新版本.

         "cmd=%s msg=%s alt1=%s alt2=%s",
         "dialog",
         "The remote system is NOT presenting a certificate.\n"
         "This site CAN NOT be trusted. Sending data is NOT SAFE.\n"
         "What do I do?",
         "Continue", "Cancel");
      sock_handler_write_str(sh, d_cmd, 1);
      g_free(d_cmd);

      /*Read the user's response*/
      response_number = dialog_get_answer_number();

      /*Abort on anything but "Continue"*/
      if (response_number == 1){
         retval = 0;
      }

   } else {
      /*Figure out if (and why) the remote system can't be trusted*/
      st = SSL_get_verify_result(ssl_connection);
      switch (st) {
      case X509_V_OK:      /*Everything is Kosher*/
         retval = 0;
         break;
      case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
         /*Either self signed and untrusted*/
         /*Extract CN from certificate name information*/
         cn = strstr(remote_cert->name, "/CN=") + 4;
         if (cn == NULL)
            break;

         if ((cn_end = strstr(cn, "/")) == NULL )
            cn_end = cn + strlen(cn);

         strncpy(buf, cn, (size_t) (cn_end - cn));

         /*Add terminating NULL*/
         buf[cn_end - cn] = 0;

         msg = g_strdup_printf("The remote certificate is self-signed and "
                               "untrusted.\nFor address: %s", buf);
         d_cmd = a_Dpip_build_cmd(
            "cmd=%s msg=%s alt1=%s alt2=%s alt3=%s",
            "dialog", msg, "Continue", "Cancel", "Trust Certificate");
         sock_handler_write_str(sh, d_cmd, 1);
         g_free(d_cmd);
         g_free(msg);

         response_number = dialog_get_answer_number();
         switch (response_number){
            case 1:
               retval = 0;
               break;
            case 2:
               break;
            case 3:
               /*Save certificate to a file here and recheck the chain*/
               /*Potential security problems because we are writing
                *to the filesystem*/
               save_certificate_home(remote_cert);
               retval = 1;
               break;
            default:
               break;
         }
         break;
      case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
      case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
         d_cmd = a_Dpip_build_cmd(
            "cmd=%s msg=%s alt1=%s alt2=%s",
            "dialog",
            "The issuer for the remote certificate cannot be found\n"
            "The authenticity of the remote certificate cannot be trusted",
            "Continue", "Cancel");
         sock_handler_write_str(sh, d_cmd, 1);
         g_free(d_cmd);

         response_number = dialog_get_answer_number();
         if (response_number == 1) {
            retval = 0;
         }
         break;

      case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
      case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
      case X509_V_ERR_CERT_SIGNATURE_FAILURE:
      case X509_V_ERR_CRL_SIGNATURE_FAILURE:
         d_cmd = a_Dpip_build_cmd(
            "cmd=%s msg=%s alt1=%s alt2=%s",
            "dialog",
            "The remote certificate signature could not be read\n"
            "or is invalid and should not be trusted",
            "Continue", "Cancel");
         sock_handler_write_str(sh, d_cmd, 1);
         g_free(d_cmd);

         response_number = dialog_get_answer_number();
         if (response_number == 1) {
            retval = 0;
         }
         break;
      case X509_V_ERR_CERT_NOT_YET_VALID:
      case X509_V_ERR_CRL_NOT_YET_VALID:
         d_cmd = a_Dpip_build_cmd(
            "cmd=%s msg=%s alt1=%s alt2=%s",
            "dialog",
            "Part of the remote certificate is not yet valid\n"
            "Certificates usually have a range of dates over which\n"
            "they are to be considered valid, and the certificate\n"
            "presented has a starting validity after today's date\n"
            "You should be cautious about using this site",
            "Continue", "Cancel");
         sock_handler_write_str(sh, d_cmd, 1);
         g_free(d_cmd);

         response_number = dialog_get_answer_number();
         if (response_number == 1) {
            retval = 0;
         }
         break;
      case X509_V_ERR_CERT_HAS_EXPIRED:
      case X509_V_ERR_CRL_HAS_EXPIRED:
         d_cmd = a_Dpip_build_cmd(
            "cmd=%s msg=%s alt1=%s alt2=%s",
            "dialog",
            "The remote certificate has expired.  The certificate\n"
            "wasn't designed to last this long. You should avoid \n"
            "this site.",
            "Continue", "Cancel");
         sock_handler_write_str(sh, d_cmd, 1);
         g_free(d_cmd);
         response_number = dialog_get_answer_number();
         if (response_number == 1) {
            retval = 0;
         }
         break;
      case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
      case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
      case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
      case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
         d_cmd = a_Dpip_build_cmd(
            "cmd=%s msg=%s alt1=%s alt2=%s",
            "dialog",
            "There was an error in the certificate presented.\n"
            "Some of the certificate data was improperly formatted\n"
            "making it impossible to determine if the certificate\n"
            "is valid.  You should not trust this certificate.",
            "Continue", "Cancel");
         sock_handler_write_str(sh, d_cmd, 1);
         g_free(d_cmd);
         response_number = dialog_get_answer_number();
         if (response_number == 1) {
            retval = 0;
         }
         break;
      case X509_V_ERR_INVALID_CA:
      case X509_V_ERR_INVALID_PURPOSE:
      case X509_V_ERR_CERT_UNTRUSTED:
      case X509_V_ERR_CERT_REJECTED:
      case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
         d_cmd = a_Dpip_build_cmd(
            "cmd=%s msg=%s alt1=%s alt2=%s",
            "dialog",
            "One of the certificates in the chain is being used\n"
            "incorrectly (possibly due to configuration problems\n"
            "with the remote system.  The connection should not\n"
            "be trusted",
            "Continue", "Cancel");
         sock_handler_write_str(sh, d_cmd, 1);
         g_free(d_cmd);
         response_number = dialog_get_answer_number();
         if (response_number == 1) {
            retval = 0;
         }
         break;
      case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
      case X509_V_ERR_AKID_SKID_MISMATCH:
      case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
         d_cmd = a_Dpip_build_cmd(
            "cmd=%s msg=%s alt1=%s alt2=%s",
            "dialog",
            "Some of the information presented by the remote system\n"
            "does not match other information presented\n"
            "This may be an attempt to evesdrop on communications",
            "Continue", "Cancel");
         sock_handler_write_str(sh, d_cmd, 1);
         g_free(d_cmd);
      default:             /*Need to add more options later*/
         msg = g_strdup_printf(
            "The remote certificate cannot be verified (code %ld)", st);
         d_cmd = a_Dpip_build_cmd(
            "cmd=%s msg=%s alt1=%s alt2=%s",
            "dialog", msg, "Continue", "Cancel");
         sock_handler_write_str(sh, d_cmd, 1);
         g_free(d_cmd);
         g_free(msg);
         response_number = dialog_get_answer_number();
         /*abort on anything but "Continue"*/
         if (response_number == 1){
            retval = 0;
         }
      }
      X509_free(remote_cert);
      remote_cert = 0;
   }

   return retval;
}

/*
 * Save certificate with a hashed filename.
 * Return: 0 on success, 1 on failure.
 */
static int save_certificate_home(X509 * cert)
{
   char buf[4096];

   FILE * fp = NULL;
   unsigned int i = 0;
   int retval = 1;

   /*Attempt to create .dillo/certs blindly - check later*/
   g_snprintf(buf,4096,"%s/.dillo/", g_get_home_dir());
   mkdir(buf, 01777);
   g_snprintf(buf,4096,"%s/.dillo/certs/", g_get_home_dir());
   mkdir(buf, 01777);

   do{
      g_snprintf(buf,4096,"%s/.dillo/certs/%lx.%u",
         g_get_home_dir(), X509_subject_name_hash(cert), i);

      fp=fopen(buf, "r");
      if (fp == NULL){
         /*File name doesn't exist so we can use it safely*/
         fp=fopen(buf, "w");
         if (fp == NULL){
            g_printerr("Unable to open cert save file in home dir\n");
            break;
         } else {
            PEM_write_X509(fp, cert);
            fclose(fp);
            g_printerr("Wrote certificate\n");
            retval = 0;
            break;
         }
      } else {
         fclose(fp);
      }
      i++;
      /*Don't loop too many times - just give up*/
   } while( i < 1024 );

   return retval;
}



#else


/*
 * Call this function to display an error message if SSL support
 * isn't available for some reason
 */
static void no_ssl_support(void)
{
   gchar *dpip_tag = NULL, *cmd = NULL, *url = NULL, *http_query = NULL;
   char *d_cmd;

   /* Read the dpi command from STDIN */
   dpip_tag = sock_handler_read(sh);

   g_printerr("{In https.filter.dpi}\n");
   g_printerr("no_ssl_support version\n");

   cmd = a_Dpip_get_attr(dpip_tag, strlen(dpip_tag), "cmd");
   url = a_Dpip_get_attr(dpip_tag, strlen(dpip_tag), "url");
   http_query = a_Dpip_get_attr(dpip_tag, strlen(dpip_tag), "query");

   g_printerr("{ cmd: %s}\n", cmd);
   g_printerr("{ url: %s}\n", url);
   g_printerr("{ http_query:\n%s}\n", http_query);

   g_printerr("{ sending dpip cmd...}\n");

   d_cmd = a_Dpip_build_cmd("cmd=%s url=%s", "start_send_page", url);
   sock_handler_write_str(sh, d_cmd, 1);
   g_free(d_cmd);

   g_printerr("{ dpip cmd sent.}\n");

   g_printerr("{ sending HTML...}\n");

   sock_handler_printf(sh, 1,
      "Content-type: text/html\n\n"
      "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>\n"
      "<html><body><pre>\n"
      "<b>Hi!\n\n"
      "  This is the https dpi that just got a request to send\n"
      "  the following HTTP query:\n{</b>\n"
      "<code>%s</code>\n"
      "<b>}</b>\n\n"
      "  <b>*** Dillo's prototype plugin for https support"
      " is disabled now ***</b>\n\n"
      "  If you want to test this <b>alpha</b> support code, just remove\n"
      "  line 65 from https.c, recompile and reinstall.\n\n"
      "  (beware that this https support is very limited now)\n\n"
      "  To use https and SSL, you must have \n"
      "  the OpenSSL development libraries installed.  Check your\n"
      "  O/S distribution provider, or check out\n"
      "  <a href=\"http://www.openssl.org\">www.openssl.org</a>\n\n"
      "  --\n"
      "</pre></body></html>\n",
      http_query
   );
   g_printerr("{ HTML content sent.}\n");

   g_free(cmd);
   g_free(url);
   g_free(http_query);
   g_free(dpip_tag);

   g_printerr("{ exiting https.dpi}\n");

}

#endif


/*---------------------------------------------------------------------------*/
int main(void)
{
   /* Initialize the SockHandler for this filter dpi */
   sh = sock_handler_new(STDIN_FILENO, STDOUT_FILENO, 8*1024);

#ifdef ENABLE_SSL
   yes_ssl_support();
#else
   no_ssl_support();
#endif

   /* Finish the SockHandler */
   sock_handler_close(sh);
   sock_handler_free(sh);

   g_free(root_url);

   g_printerr("{ exiting https.dpi}\n");

   return 0;
}