The wildcard specified in a certificates subject can only match a single
level of subdomains. Originally, this function could match multiple
levels of subdomains with a single "*.".
As an example, https://wrong.host.badssl.com/ should fail to load, as
the certificate provided by the server only specifies "*.badssl.com".
However this was correctly matching anyway. With this change this page
now correctly fails to load.
The `build_rsa_pre_master_secret` function originally called
`verify_chain_and_get_matching_certificate`, which verified the chain
and returned a certificate matching the specified hostname.
Since the first certificate in the chain should always be the one
matching with the hostname, we can simply use that one instead. This
means we can completely remove this method and just use `verify_chain`.
To make sure the hostname is still verified, `verify_chain` now also
checks that the first certificate in the chain matches the specified
hostname. If the hostname is empty, we currently fail the verification,
however this basically never happen, as the server name indication
extension is always used.
In this format the year is specified using two digits. In the case that
these digits are 50 or more, we should assume that the year is in
1950-1999. If it is 49 or less, the year is 2000-2049.
This is specified in RFC5280 section 4.1.2.5.1.
With this change the certificate chain sent by the server will actually
be verified, instead of just checking the names of the certificates.
To determine if a certificate is signed by a root certificate, the list
of root certificates is now a HashMap mapping from the unique identifier
string to the certificate. This allows us to take the issuer of a
certificate and easily check if it is a root certificate. If a
certificate is not signed by a root certificate, we will check that it
is signed by the next certificate in the chain.
This also removes the ad-hoc checking of certificate validity from
multiple places, and moves all checking to the verify_chain.
The CA certificates list now contains the actual certificate data for
approximatly a hundred certificate authorities. These certificates were
generated from https://mkcert.org, which uses the Mozilla CA certificate
list.
This also updates the code for reading the CA certificates.
The RSA key exchange was the only one actually verifying the validity of
the certificate chain supplied by the server. Now the DHE and ECDHE key
exchanges also check the certificate chain.
Each LibGL test can now be tested against a reference QOI image.
Initially, these images can be generated by setting `SAVE_OUTPUT` to
`true`, which will save a bunch of QOI images to `/home/anon`.
It's a bit cleaner to just rely on AK/IPv4Address' ability to determine
the validity of the given input. If a valid IP address is not returned,
then input will be processed as a hostname.
Taotao Gu has been fuzzing serenity libs with their own custom fuzzer.
They reported some issues it found privately, this overflow was found
in the JPGLoader using that fuzzer.
Reported-by: Taotao Gu <gutaotao1995@qq.com>
Similar reasoning to making Core::Stream::read() return Bytes, except
that every user of read_line() creates a StringView from the result, so
let's just return one right away.
A mistake I've repeatedly made is along these lines:
```c++
auto nread = TRY(source_file->read(buffer));
TRY(destination_file->write(buffer));
```
It's a little clunky to have to create a Bytes or StringView from the
buffer's data pointer and the nread, and easy to forget and just use
the buffer. So, this patch changes the read() function to return a
Bytes of the data that were just read.
The other read_foo() methods will be modified in the same way in
subsequent commits.
Fixes#13687
This is a normative change in the ECMA-262 spec. See:
e7979fd
Note that this implements a FIXME in InitializeTypedArrayFromTypedArray,
now that shared array buffers are no longer a concern there. We already
have test coverage for the now-handled case.
This is an editorial change in the ECMA-262 spec. See:
a90670d5
This also adds missing spec comments to the following prototypes which
were affected by this change:
Atomics.load
Atomics.store
%TypedArray%.prototype.slice
%TypedArray%.prototype.subarray
For example, when typing `cd <tab>`, the shell will show a list of
files in the current directory. This behavior is similar to typing `cd
./<tab>`.
It makes it easier to `cd` into directories without having to list them
first.
The paddle's movement is determined by the currently held keys. A key
is no longer considered held when a matching keyup_event() fires.
However, the event does not fire when the timer has stopped (e.g. due to
a game over condition), which can result in the paddle keeping its
former direction and moving on its own -- even after the player started
a new game. Therefore, any held keys will be cleared explicitly.
When the player runs into a game over condition, Game's timer is
stopped. In order for reset() to work properly, the timer has to be
started again. The condition is tracked via a new member variable,
`m_game_over`. To prevent confusion, game_over() has been renamed to
show_game_over_message().
The spec grammar for `text-decoration-line` is:
`none | [ underline || overline || line-through || blink ]`
Which means that it's either `none`, or any combination of the other
values. This patch makes that parse for `text-decoration-line` and
`text-decoration`, stores the results as a Vector, and adjusts
`paint_text_decoration()` to run as a loop over all the values that are
provided.
As noted, storing a Vector of values is a bit wasteful, as they could be
stored as flags in a single `u8`. But I was getting too confused trying
to do that in a nice way.
This fixes issues with carriage return sequences.
Before, using <CR><NUL> as the return sequence wouldn't work at all,
and when using <CR><LF> there was an extra newline after every newline.
After this patch, the behaviour should be closer to the Telnet RFC.
By the time that property() gets called, we've already given every
single property a value, so we can just return it. This simplifies a
lot of places that were manually handling a lack of value
unnecessarily.
