SSL_INSECURE support and usage added
parent
7172fa058a
commit
27a2e590cd
@ -197,6 +197,8 @@ typedef enum {
|
|||||||
CURLE_SEND_ERROR, /* 55 - failed sending network data */
|
CURLE_SEND_ERROR, /* 55 - failed sending network data */
|
||||||
CURLE_RECV_ERROR, /* 56 - failure in receiving network data */
|
CURLE_RECV_ERROR, /* 56 - failure in receiving network data */
|
||||||
CURLE_SHARE_IN_USE, /* 57 - share is in use */
|
CURLE_SHARE_IN_USE, /* 57 - share is in use */
|
||||||
|
CURLE_SSL_INSECURE, /* 58 - connect attempt without certificate
|
||||||
|
but SSL_INSECURE not explicitly allowed */
|
||||||
CURL_LAST /* never use! */
|
CURL_LAST /* never use! */
|
||||||
} CURLcode;
|
} CURLcode;
|
||||||
|
|
||||||
@ -571,6 +573,9 @@ typedef enum {
|
|||||||
/* Provide a CURLShare for mutexing non-ts data */
|
/* Provide a CURLShare for mutexing non-ts data */
|
||||||
CINIT(SHARE, OBJECTPOINT, 100),
|
CINIT(SHARE, OBJECTPOINT, 100),
|
||||||
|
|
||||||
|
/* Explicitly allow insecure SSL connects */
|
||||||
|
CINIT(SSL_INSECURE, LONG, 101),
|
||||||
|
|
||||||
CURLOPT_LASTENTRY /* the last unused */
|
CURLOPT_LASTENTRY /* the last unused */
|
||||||
} CURLoption;
|
} CURLoption;
|
||||||
|
|
||||||
|
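Review bot: The new option `CINIT(SSL_INSECURE, LONG, 101)` is declared with the LONG type but its comment does not say how the value is interpreted; it should state the contract, e.g. `/* Explicitly allow insecure SSL connects: nonzero permits a connect with neither CAfile nor CApath set */`. The matching error code in the first hunk, `CURLE_SSL_INSECURE, /* 58 - connect attempt without certificate but SSL_INSECURE not explicitly allowed */`, would be clearer if it named the option the caller has to set, e.g. `/* 58 - SSL requested with no CA file/path and CURLOPT_SSL_INSECURE not set */`. Both values are appended directly before the CURL_LAST / CURLOPT_LASTENTRY terminators, so existing numeric values are unchanged; the enums themselves begin outside the hunks.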
@ -711,8 +711,7 @@ CURLcode ftp_cwd(struct connectdata *conn, char *path)
|
|||||||
CURLcode result;
|
CURLcode result;
|
||||||
|
|
||||||
FTPSENDF(conn, "CWD %s", path);
|
FTPSENDF(conn, "CWD %s", path);
|
||||||
nread = Curl_GetFTPResponse(
|
nread = Curl_GetFTPResponse(conn->data->state.buffer, conn, &ftpcode);
|
||||||
conn->data->state.buffer, conn, &ftpcode);
|
|
||||||
if (nread < 0)
|
if (nread < 0)
|
||||||
return CURLE_OPERATION_TIMEOUTED;
|
return CURLE_OPERATION_TIMEOUTED;
|
||||||
|
|
||||||
|
22
lib/url.c
22
lib/url.c
@ -1004,10 +1004,11 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
|
|||||||
break;
|
break;
|
||||||
case CURLOPT_CAPATH:
|
case CURLOPT_CAPATH:
|
||||||
/*
|
/*
|
||||||
* Set CA path info for SSL connection. Specify directory name of the CA certificates
|
* Set CA path info for SSL connection. Specify directory name of the CA
|
||||||
* which have been prepared using openssl c_rehash utility.
|
* certificates which have been prepared using openssl c_rehash utility.
|
||||||
*/
|
*/
|
||||||
data->set.ssl.CApath = va_arg(param, char *); /*This does not work on windows.*/
|
/* This does not work on windows. */
|
||||||
|
data->set.ssl.CApath = va_arg(param, char *);
|
||||||
break;
|
break;
|
||||||
case CURLOPT_TELNETOPTIONS:
|
case CURLOPT_TELNETOPTIONS:
|
||||||
/*
|
/*
|
||||||
@ -1048,6 +1049,10 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case CURLOPT_SSL_INSECURE:
|
||||||
|
data->set.ssl.allow_insecure = va_arg(param, long)?TRUE:FALSE;
|
||||||
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
/* unknown tag and its companion, just ignore: */
|
/* unknown tag and its companion, just ignore: */
|
||||||
return CURLE_FAILED_INIT; /* correct this */
|
return CURLE_FAILED_INIT; /* correct this */
|
||||||
@ -2035,6 +2040,17 @@ static CURLcode CreateConnection(struct SessionHandle *data,
|
|||||||
return CURLE_UNSUPPORTED_PROTOCOL;
|
return CURLE_UNSUPPORTED_PROTOCOL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(conn->protocol & PROT_SSL) {
|
||||||
|
/* If SSL is requested, require security level info */
|
||||||
|
|
||||||
|
if(!data->set.ssl.allow_insecure &&
|
||||||
|
!(data->set.ssl.CAfile || data->set.ssl.CApath)) {
|
||||||
|
failf(data, "Insecure SSL connect attempted without explicit permission granted");
|
||||||
|
return CURLE_SSL_INSECURE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/*************************************************************
|
/*************************************************************
|
||||||
* Figure out the remote port number
|
* Figure out the remote port number
|
||||||
*
|
*
|
||||||
|
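Review bot: The gate added to CreateConnection treats the presence of CAfile or CApath as sufficient for a verified connection, but the same config struct carries `long verifypeer; /* set TRUE if this is desired */`, and those paths are presumably only consulted when verifypeer is on, so a handle with a CA file set and peer verification disabled still passes the check while the connection is effectively unverified. If the intent is to require explicit opt-in whenever verification is off, the condition should be `if(!data->set.ssl.allow_insecure && (!data->set.ssl.verifypeer || !(data->set.ssl.CAfile || data->set.ssl.CApath))) {`. The failf text could also name the option the caller must set, e.g. `failf(data, "Insecure SSL connect attempted without CURLOPT_SSL_INSECURE set");`. CreateConnection starts and ends outside the hunk.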
@ -136,12 +136,15 @@ struct ssl_config_data {
|
|||||||
long version; /* what version the client wants to use */
|
long version; /* what version the client wants to use */
|
||||||
long certverifyresult; /* result from the certificate verification */
|
long certverifyresult; /* result from the certificate verification */
|
||||||
long verifypeer; /* set TRUE if this is desired */
|
long verifypeer; /* set TRUE if this is desired */
|
||||||
long verifyhost; /* 0: no verif, 1: check that CN exists, 2: CN must match hostname */
|
long verifyhost; /* 0: no verify
|
||||||
|
1: check that CN exists
|
||||||
|
2: CN must match hostname */
|
||||||
char *CApath; /* DOES NOT WORK ON WINDOWS */
|
char *CApath; /* DOES NOT WORK ON WINDOWS */
|
||||||
char *CAfile; /* cerficate to verify peer against */
|
char *CAfile; /* cerficate to verify peer against */
|
||||||
char *random_file; /* path to file containing "random" data */
|
char *random_file; /* path to file containing "random" data */
|
||||||
char *egdsocket; /* path to file containing the EGD daemon socket */
|
char *egdsocket; /* path to file containing the EGD daemon socket */
|
||||||
char *cipher_list; /* list of ciphers to use */
|
char *cipher_list; /* list of ciphers to use */
|
||||||
|
bool allow_insecure; /* allow connects without any CA certificate */
|
||||||
|
|
||||||
long numsessions; /* SSL session id cache size */
|
long numsessions; /* SSL session id cache size */
|
||||||
};
|
};
|
||||||
|
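Review bot: The new `bool allow_insecure;` sits among flags the struct keeps as `long` with a TRUE/FALSE comment (`long verifypeer;`, `long verifyhost;`), and Curl_setopt assigns it from `va_arg(param, long)?TRUE:FALSE`; one boolean represented differently from its neighbours is a style inconsistency worth settling either way, for instance `long allow_insecure;` to match the rest of the struct. The comment should also say what "insecure" means for this field so it stays in sync with the check in CreateConnection, e.g. `/* TRUE permits SSL connects with neither CAfile nor CApath set (CURLOPT_SSL_INSECURE) */`. struct ssl_config_data begins outside the hunk.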
33
src/main.c
33
src/main.c
@ -365,6 +365,7 @@ static void help(void)
|
|||||||
puts(" -j/--junk-session-cookies Ignore session cookies read from file (H)\n"
|
puts(" -j/--junk-session-cookies Ignore session cookies read from file (H)\n"
|
||||||
" --interface <interface> Specify the interface to be used\n"
|
" --interface <interface> Specify the interface to be used\n"
|
||||||
" --krb4 <level> Enable krb4 with specified security level (F)\n"
|
" --krb4 <level> Enable krb4 with specified security level (F)\n"
|
||||||
|
" -k/--insecure Allow curl to connect to SSL sites without certs (H)\n"
|
||||||
" -K/--config Specify which config file to read\n"
|
" -K/--config Specify which config file to read\n"
|
||||||
" -l/--list-only List only names of an FTP directory (F)\n"
|
" -l/--list-only List only names of an FTP directory (F)\n"
|
||||||
" --limit-rate <rate> Limit how fast transfers to allow");
|
" --limit-rate <rate> Limit how fast transfers to allow");
|
||||||
@ -480,6 +481,7 @@ struct Configurable {
|
|||||||
bool nobuffer;
|
bool nobuffer;
|
||||||
bool globoff;
|
bool globoff;
|
||||||
bool use_httpget;
|
bool use_httpget;
|
||||||
|
bool insecure_ok; /* set TRUE to allow insecure SSL connects */
|
||||||
|
|
||||||
char *writeout; /* %-styled format string to output */
|
char *writeout; /* %-styled format string to output */
|
||||||
bool writeenv; /* write results to environment, if available */
|
bool writeenv; /* write results to environment, if available */
|
||||||
@ -1030,6 +1032,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
|
|||||||
{"i", "include", FALSE},
|
{"i", "include", FALSE},
|
||||||
{"I", "head", FALSE},
|
{"I", "head", FALSE},
|
||||||
{"j", "junk-session-cookies", FALSE},
|
{"j", "junk-session-cookies", FALSE},
|
||||||
|
{"k", "insecure", FALSE},
|
||||||
{"K", "config", TRUE},
|
{"K", "config", TRUE},
|
||||||
{"l", "list-only", FALSE},
|
{"l", "list-only", FALSE},
|
||||||
{"L", "location", FALSE},
|
{"L", "location", FALSE},
|
||||||
@ -1468,7 +1471,10 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
|
|||||||
return PARAM_BAD_USE;
|
return PARAM_BAD_USE;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case 'K':
|
case 'k': /* allow insecure SSL connects */
|
||||||
|
config->insecure_ok ^= TRUE;
|
||||||
|
break;
|
||||||
|
case 'K': /* parse config file */
|
||||||
res = parseconfig(nextarg, config);
|
res = parseconfig(nextarg, config);
|
||||||
config->configread = TRUE;
|
config->configread = TRUE;
|
||||||
if(res)
|
if(res)
|
||||||
@ -2792,6 +2798,9 @@ operate(struct Configurable *config, int argc, char *argv[])
|
|||||||
}
|
}
|
||||||
curl_easy_setopt(curl, CURLOPT_VERBOSE, config->conf&CONF_VERBOSE);
|
curl_easy_setopt(curl, CURLOPT_VERBOSE, config->conf&CONF_VERBOSE);
|
||||||
|
|
||||||
|
/* new in curl 7.10 */
|
||||||
|
curl_easy_setopt(curl, CURLOPT_SSL_INSECURE, config->insecure_ok);
|
||||||
|
|
||||||
res = curl_easy_perform(curl);
|
res = curl_easy_perform(curl);
|
||||||
|
|
||||||
if((config->progressmode == CURL_PROGRESS_BAR) &&
|
if((config->progressmode == CURL_PROGRESS_BAR) &&
|
||||||
@ -2814,8 +2823,28 @@ operate(struct Configurable *config, int argc, char *argv[])
|
|||||||
vms_show = VMSSTS_HIDE;
|
vms_show = VMSSTS_HIDE;
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
if((res!=CURLE_OK) && config->showerror)
|
if((res!=CURLE_OK) && config->showerror) {
|
||||||
|
switch(res) {
|
||||||
|
case CURLE_SSL_INSECURE:
|
||||||
|
/* Since this breaks how curl used to work, we need a slightly more
|
||||||
|
verbose and descriptive error here to educate people what is
|
||||||
|
happening and what to do to make it work. At least for a
|
||||||
|
while. */
|
||||||
|
fprintf(config->errors, "curl: (%d) %s\n%s", res,
|
||||||
|
errorbuffer,
|
||||||
|
" Since SSL doesn't offer any true security if you don't use a CA\n"
|
||||||
|
" certificate to verify the peer certificate with, you must either\n"
|
||||||
|
" provide one to make sure that the server really is the server you\n"
|
||||||
|
" think it is, or you must explicitly tell curl that insecure SSL\n"
|
||||||
|
" connects are fine.\n"
|
||||||
|
" Allow insecure SSL operations with -k/--insecure\n"
|
||||||
|
);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
|
fprintf(config->errors, "curl: (%d) %s\n", res, errorbuffer);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (outfile && !strequal(outfile, "-") && outs.stream)
|
if (outfile && !strequal(outfile, "-") && outs.stream)
|
||||||
|
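Review bot: In the operate() hunk at @ -2792 the new `curl_easy_setopt(curl, CURLOPT_SSL_INSECURE, config->insecure_ok);` passes a `bool` through the variadic call, but the option is declared `CINIT(SSL_INSECURE, LONG, 101)` and Curl_setopt reads it with `va_arg(param, long)`; a bool promotes to int, so on targets where long is wider than int the read is undefined and the flag can be misread. The argument should be cast to the declared type: `curl_easy_setopt(curl, CURLOPT_SSL_INSECURE, (long)config->insecure_ok);`. In the getparameter hunk, `config->insecure_ok ^= TRUE;` means a second `-k` (for example one from a config file plus one on the command line) silently turns the permission off again; if that toggle behaviour is deliberate it deserves a comment, otherwise `config->insecure_ok = TRUE;` is the safer reading. operate() and getparameter() both begin and end outside the hunks.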