1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00

new urldata ssl layout and T. Bharath brought the new SSL cert verify function

This commit is contained in:
Daniel Stenberg 2000-10-30 11:53:40 +00:00
parent 09ba856e39
commit 0cff279063
7 changed files with 101 additions and 66 deletions

View File

@ -273,8 +273,8 @@ int GetLastResponse(int sockfd, char *buf,
break; break;
default: default:
#ifdef USE_SSLEAY #ifdef USE_SSLEAY
if (data->use_ssl) { if (data->ssl.use) {
keepon = SSL_read(data->ssl, ptr, 1); keepon = SSL_read(data->ssl.handle, ptr, 1);
} }
else { else {
#endif #endif

View File

@ -117,6 +117,9 @@ CURLcode curl_getinfo(CURL *curl, CURLINFO info, ...)
case CURLINFO_SPEED_UPLOAD: case CURLINFO_SPEED_UPLOAD:
*param_doublep = data->progress.ulspeed; *param_doublep = data->progress.ulspeed;
break; break;
case CURLINFO_SSL_VERIFYRESULT:
*param_longp = data->ssl.certverifyresult;
break;
default: default:
return CURLE_BAD_FUNCTION_ARGUMENT; return CURLE_BAD_FUNCTION_ARGUMENT;
} }

View File

@ -111,8 +111,8 @@ size_t sendf(int fd, struct UrlData *data, char *fmt, ...)
#ifndef USE_SSLEAY #ifndef USE_SSLEAY
bytes_written = swrite(fd, s, strlen(s)); bytes_written = swrite(fd, s, strlen(s));
#else /* USE_SSLEAY */ #else /* USE_SSLEAY */
if (data->use_ssl) { if (data->ssl.use) {
bytes_written = SSL_write(data->ssl, s, strlen(s)); bytes_written = SSL_write(data->ssl.handle, s, strlen(s));
} else { } else {
bytes_written = swrite(fd, s, strlen(s)); bytes_written = swrite(fd, s, strlen(s));
} }
@ -161,8 +161,8 @@ size_t ssend(int fd, struct connectdata *conn, void *mem, size_t len)
struct UrlData *data=conn->data; /* conn knows data, not vice versa */ struct UrlData *data=conn->data; /* conn knows data, not vice versa */
#ifdef USE_SSLEAY #ifdef USE_SSLEAY
if (data->use_ssl) { if (data->ssl.use) {
bytes_written = SSL_write(data->ssl, mem, len); bytes_written = SSL_write(data->ssl.handle, mem, len);
} }
else { else {
#endif #endif

View File

@ -94,10 +94,10 @@ int SSL_cert_stuff(struct UrlData *data,
*/ */
strcpy(global_passwd, data->cert_passwd); strcpy(global_passwd, data->cert_passwd);
/* Set passwd callback: */ /* Set passwd callback: */
SSL_CTX_set_default_passwd_cb(data->ctx, passwd_callback); SSL_CTX_set_default_passwd_cb(data->ssl.ctx, passwd_callback);
} }
if (SSL_CTX_use_certificate_file(data->ctx, if (SSL_CTX_use_certificate_file(data->ssl.ctx,
cert_file, cert_file,
SSL_FILETYPE_PEM) <= 0) { SSL_FILETYPE_PEM) <= 0) {
failf(data, "unable to set certificate file (wrong password?)\n"); failf(data, "unable to set certificate file (wrong password?)\n");
@ -106,14 +106,14 @@ int SSL_cert_stuff(struct UrlData *data,
if (key_file == NULL) if (key_file == NULL)
key_file=cert_file; key_file=cert_file;
if (SSL_CTX_use_PrivateKey_file(data->ctx, if (SSL_CTX_use_PrivateKey_file(data->ssl.ctx,
key_file, key_file,
SSL_FILETYPE_PEM) <= 0) { SSL_FILETYPE_PEM) <= 0) {
failf(data, "unable to set public key file\n"); failf(data, "unable to set public key file\n");
return(0); return(0);
} }
ssl=SSL_new(data->ctx); ssl=SSL_new(data->ssl.ctx);
x509=SSL_get_certificate(ssl); x509=SSL_get_certificate(ssl);
if (x509 != NULL) if (x509 != NULL)
@ -127,7 +127,7 @@ int SSL_cert_stuff(struct UrlData *data,
/* Now we know that a key and cert have been set against /* Now we know that a key and cert have been set against
* the SSL context */ * the SSL context */
if (!SSL_CTX_check_private_key(data->ctx)) { if (!SSL_CTX_check_private_key(data->ssl.ctx)) {
failf(data, "Private key does not match the certificate public key\n"); failf(data, "Private key does not match the certificate public key\n");
return(0); return(0);
} }
@ -140,7 +140,7 @@ int SSL_cert_stuff(struct UrlData *data,
#endif #endif
#if SSL_VERIFY_CERT #ifdef USE_SSLEAY
int cert_verify_callback(int ok, X509_STORE_CTX *ctx) int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
{ {
X509 *err_cert; X509 *err_cert;
@ -164,7 +164,7 @@ UrgSSLConnect (struct UrlData *data)
SSL_METHOD *req_method; SSL_METHOD *req_method;
/* mark this is being ssl enabled from here on out. */ /* mark this is being ssl enabled from here on out. */
data->use_ssl = 1; data->ssl.use = TRUE;
/* Lets get nice error messages */ /* Lets get nice error messages */
SSL_load_error_strings(); SSL_load_error_strings();
@ -195,7 +195,7 @@ UrgSSLConnect (struct UrlData *data)
/* Setup all the global SSL stuff */ /* Setup all the global SSL stuff */
SSLeay_add_ssl_algorithms(); SSLeay_add_ssl_algorithms();
switch(data->ssl_version) { switch(data->ssl.version) {
default: default:
req_method = SSLv23_client_method(); req_method = SSLv23_client_method();
break; break;
@ -207,9 +207,9 @@ UrgSSLConnect (struct UrlData *data)
break; break;
} }
data->ctx = SSL_CTX_new(req_method); data->ssl.ctx = SSL_CTX_new(req_method);
if(!data->ctx) { if(!data->ssl.ctx) {
failf(data, "SSL: couldn't create a context!"); failf(data, "SSL: couldn't create a context!");
return 1; return 1;
} }
@ -221,22 +221,31 @@ UrgSSLConnect (struct UrlData *data)
} }
} }
#if SSL_VERIFY_CERT if(data->ssl.verifypeer){
SSL_CTX_set_verify(data->ctx, SSL_CTX_set_verify(data->ssl.ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT| SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
SSL_VERIFY_CLIENT_ONCE, SSL_VERIFY_CLIENT_ONCE,
cert_verify_callback); cert_verify_callback);
#endif if (!SSL_CTX_load_verify_locations(data->ssl.ctx,
data->ssl.CAfile,
data->ssl.CApath)) {
failf(data,"error setting cerficate verify locations\n");
return 2;
}
}
else
SSL_CTX_set_verify(data->ssl.ctx, SSL_VERIFY_NONE, cert_verify_callback);
/* Lets make an SSL structure */ /* Lets make an SSL structure */
data->ssl = SSL_new (data->ctx); data->ssl.handle = SSL_new (data->ssl.ctx);
SSL_set_connect_state (data->ssl); SSL_set_connect_state (data->ssl.handle);
data->server_cert = 0x0; data->ssl.server_cert = 0x0;
/* pass the raw socket into the SSL layers */ /* pass the raw socket into the SSL layers */
SSL_set_fd (data->ssl, data->firstsocket); SSL_set_fd (data->ssl.handle, data->firstsocket);
err = SSL_connect (data->ssl); err = SSL_connect (data->ssl.handle);
if (-1 == err) { if (-1 == err) {
err = ERR_get_error(); err = ERR_get_error();
@ -244,8 +253,9 @@ UrgSSLConnect (struct UrlData *data)
return 10; return 10;
} }
/* Informational message */
infof (data, "SSL connection using %s\n", SSL_get_cipher (data->ssl)); infof (data, "SSL connection using %s\n",
SSL_get_cipher(data->ssl.handle));
/* Get server's certificate (note: beware of dynamic allocation) - opt */ /* Get server's certificate (note: beware of dynamic allocation) - opt */
/* major serious hack alert -- we should check certificates /* major serious hack alert -- we should check certificates
@ -253,14 +263,15 @@ UrgSSLConnect (struct UrlData *data)
* attack * attack
*/ */
data->server_cert = SSL_get_peer_certificate (data->ssl); data->ssl.server_cert = SSL_get_peer_certificate (data->ssl.handle);
if(!data->server_cert) { if(!data->ssl.server_cert) {
failf(data, "SSL: couldn't get peer certificate!"); failf(data, "SSL: couldn't get peer certificate!");
return 3; return 3;
} }
infof (data, "Server certificate:\n"); infof (data, "Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (data->server_cert), NULL, 0); str = X509_NAME_oneline (X509_get_subject_name (data->ssl.server_cert),
NULL, 0);
if(!str) { if(!str) {
failf(data, "SSL: couldn't get X509-subject!"); failf(data, "SSL: couldn't get X509-subject!");
return 4; return 4;
@ -268,7 +279,8 @@ UrgSSLConnect (struct UrlData *data)
infof(data, "\t subject: %s\n", str); infof(data, "\t subject: %s\n", str);
CRYPTO_free(str); CRYPTO_free(str);
str = X509_NAME_oneline (X509_get_issuer_name (data->server_cert), NULL, 0); str = X509_NAME_oneline (X509_get_issuer_name (data->ssl.server_cert),
NULL, 0);
if(!str) { if(!str) {
failf(data, "SSL: couldn't get X509-issuer name!"); failf(data, "SSL: couldn't get X509-issuer name!");
return 5; return 5;
@ -279,11 +291,14 @@ UrgSSLConnect (struct UrlData *data)
/* We could do all sorts of certificate verification stuff here before /* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */ deallocating the certificate. */
#if SSL_VERIFY_CERT if(data->ssl.verifypeer) {
infof(data, "Verify result: %d\n", SSL_get_verify_result(data->ssl)); data->ssl.certverifyresult=SSL_get_verify_result(data->ssl.handle);
#endif infof(data, "Verify result: %d\n", data->ssl.certverifyresult);
}
else
data->ssl.certverifyresult=0;
X509_free(data->server_cert); X509_free(data->ssl.server_cert);
#else /* USE_SSLEAY */ #else /* USE_SSLEAY */
/* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */ /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
(void) data; (void) data;

View File

@ -861,8 +861,9 @@ void telwrite(struct UrlData *data,
#ifndef USE_SSLEAY #ifndef USE_SSLEAY
bytes_written = swrite(data->firstsocket, outbuf, out_count); bytes_written = swrite(data->firstsocket, outbuf, out_count);
#else #else
if (data->use_ssl) { if (data->ssl.use) {
bytes_written = SSL_write(data->ssl, (char *)outbuf, out_count); bytes_written = SSL_write(data->ssl.handle, (char *)outbuf,
out_count);
} }
else { else {
bytes_written = swrite(data->firstsocket, outbuf, out_count); bytes_written = swrite(data->firstsocket, outbuf, out_count);
@ -918,8 +919,8 @@ CURLcode telnet(struct connectdata *conn)
#ifndef USE_SSLEAY #ifndef USE_SSLEAY
nread = sread (sockfd, buf, BUFSIZE - 1); nread = sread (sockfd, buf, BUFSIZE - 1);
#else #else
if (data->use_ssl) { if (data->ssl.use) {
nread = SSL_read (data->ssl, buf, BUFSIZE - 1); nread = SSL_read (data->ssl.handle, buf, BUFSIZE - 1);
} }
else { else {
nread = sread (sockfd, buf, BUFSIZE - 1); nread = sread (sockfd, buf, BUFSIZE - 1);

View File

@ -150,19 +150,19 @@ void curl_free(void)
void static urlfree(struct UrlData *data, bool totally) void static urlfree(struct UrlData *data, bool totally)
{ {
#ifdef USE_SSLEAY #ifdef USE_SSLEAY
if (data->use_ssl) { if (data->ssl.use) {
if(data->ssl) { if(data->ssl.handle) {
(void)SSL_shutdown(data->ssl); (void)SSL_shutdown(data->ssl.handle);
SSL_set_connect_state(data->ssl); SSL_set_connect_state(data->ssl.handle);
SSL_free (data->ssl); SSL_free (data->ssl.handle);
data->ssl = NULL; data->ssl.handle = NULL;
} }
if(data->ctx) { if(data->ssl.ctx) {
SSL_CTX_free (data->ctx); SSL_CTX_free (data->ssl.ctx);
data->ctx = NULL; data->ssl.ctx = NULL;
} }
data->use_ssl = FALSE; /* get back to ordinary socket usage */ data->ssl.use = FALSE; /* get back to ordinary socket usage */
} }
#endif /* USE_SSLEAY */ #endif /* USE_SSLEAY */
@ -380,7 +380,7 @@ CURLcode curl_setopt(CURL *curl, CURLoption option, ...)
break; break;
case CURLOPT_SSLVERSION: case CURLOPT_SSLVERSION:
data->ssl_version = va_arg(param, long); data->ssl.version = va_arg(param, long);
break; break;
case CURLOPT_COOKIEFILE: case CURLOPT_COOKIEFILE:
@ -522,6 +522,13 @@ CURLcode curl_setopt(CURL *curl, CURLoption option, ...)
data->krb4_level = va_arg(param, char *); data->krb4_level = va_arg(param, char *);
data->bits.krb4=data->krb4_level?TRUE:FALSE; data->bits.krb4=data->krb4_level?TRUE:FALSE;
break; break;
case CURLOPT_SSL_VERIFYPEER:
data->ssl.verifypeer = va_arg(param, long);
break;
case CURLOPT_CAINFO:
data->ssl.CAfile = va_arg(param, char *);
data->ssl.CApath = NULL; /*This does not work on windows.*/
break;
default: default:
/* unknown tag and its companion, just ignore: */ /* unknown tag and its companion, just ignore: */
return CURLE_READ_ERROR; /* correct this */ return CURLE_READ_ERROR; /* correct this */
@ -546,8 +553,8 @@ int GetLine(int sockfd, char *buf, struct UrlData *data)
(nread<BUFSIZE) && read_rc; (nread<BUFSIZE) && read_rc;
nread++, ptr++) { nread++, ptr++) {
#ifdef USE_SSLEAY #ifdef USE_SSLEAY
if (data->use_ssl) { if (data->ssl.use) {
read_rc = SSL_read(data->ssl, ptr, 1); read_rc = SSL_read(data->ssl.handle, ptr, 1);
} }
else { else {
#endif #endif
@ -593,8 +600,8 @@ CURLcode curl_write(CURLconnect *c_conn, char *buf, size_t amount,
data = conn->data; data = conn->data;
#ifdef USE_SSLEAY #ifdef USE_SSLEAY
if (data->use_ssl) { if (data->ssl.use) {
bytes_written = SSL_write(data->ssl, buf, amount); bytes_written = SSL_write(data->ssl.handle, buf, amount);
} }
else { else {
#endif #endif
@ -624,8 +631,8 @@ CURLcode curl_read(CURLconnect *c_conn, char *buf, size_t buffersize,
data = conn->data; data = conn->data;
#ifdef USE_SSLEAY #ifdef USE_SSLEAY
if (data->use_ssl) { if (data->ssl.use) {
nread = SSL_read (data->ssl, buf, buffersize); nread = SSL_read (data->ssl.handle, buf, buffersize);
} }
else { else {
#endif #endif

View File

@ -326,6 +326,21 @@ typedef enum {
CURLI_LAST CURLI_LAST
} CurlInterface; } CurlInterface;
struct ssldata {
bool use; /* use ssl encrypted communications TRUE/FALSE */
long version; /* what version the client wants to use */
long certverifyresult; /* result from the certificate verification */
bool verifypeer; /* set TRUE if this is desired */
char *CApath; /* DOES NOT WORK ON WINDOWS */
char *CAfile; /* cerficate to verify peer against */
#ifdef USE_SSLEAY
/* these ones requires specific SSL-types */
SSL_CTX* ctx;
SSL* handle;
X509* server_cert;
#endif /* USE_SSLEAY */
};
/* /*
* As of April 11, 2000 we're now trying to split up the urldata struct in * As of April 11, 2000 we're now trying to split up the urldata struct in
* three different parts: * three different parts:
@ -438,8 +453,6 @@ struct UrlData {
char *cookie; /* HTTP cookie string to send */ char *cookie; /* HTTP cookie string to send */
short use_ssl; /* use ssl encrypted communications */
char *newurl; /* This can only be set if a Location: was in the char *newurl; /* This can only be set if a Location: was in the
document headers */ document headers */
@ -451,12 +464,8 @@ struct UrlData {
struct CookieInfo *cookies; struct CookieInfo *cookies;
long ssl_version; /* what version the client wants to use */ struct ssldata ssl; /* this is for ssl-stuff */
#ifdef USE_SSLEAY
SSL_CTX* ctx;
SSL* ssl;
X509* server_cert;
#endif /* USE_SSLEAY */
long crlf; long crlf;
struct curl_slist *quote; /* before the transfer */ struct curl_slist *quote; /* before the transfer */
struct curl_slist *postquote; /* after the transfer */ struct curl_slist *postquote; /* after the transfer */