moparisthebest/wget
1
0
Fork 0
mirror of https://github.com/moparisthebest/wget synced 2024-07-03 16:38:41 -04:00
Code Issues Releases Wiki Activity

[svn] Simplify cert. verification. Allow SSL_write to perform partial writes.

Browse Source
This commit is contained in:
hniksic 2005-05-09 10:21:10 -07:00
parent ee18acce0a
commit 764e695fe1
2 changed files with 27 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/ChangeLog
View File

@ -1,3 +1,10 @@
2005-05-09 Hrvoje Niksic <hniksic@xemacs.org>
* openssl.c (verify_cert_callback): Renamed from verify_callback.
Always return the received "ok" value. Print the X509 name in
debug mode.
(ssl_init): Enable partial writes in SSL context.
2005-05-08 Hrvoje Niksic <hniksic@xemacs.org> 2005-05-08 Hrvoje Niksic <hniksic@xemacs.org>
* http.c (http_loop): Check for wildcards in the URL path * http.c (http_loop): Check for wildcards in the URL path

41
src/openssl.c
View File

@ -132,30 +132,22 @@ init_prng (void)
#endif #endif
} }
/* #### Someone should audit and document this. */ /* This function is called for additional (app-specific) verification
of the server certificate. We basically confirm the validity as
determined by OpenSSL.
#### Someone should audit this for correctness and document it
better. */
static int static int
verify_callback (int ok, X509_STORE_CTX *ctx) verify_cert_callback (int ok, X509_STORE_CTX *ctx)
{ {
char buf[256]; char buf[256];
/* #### Why are we not using the result of this call? */ X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
X509_NAME_oneline (X509_get_subject_name (ctx->current_cert), X509_NAME_oneline (X509_get_subject_name (cert), buf, sizeof (buf));
buf, sizeof (buf)); /* #### Why are we not using the result of the above call? Are we
if (ok == 0) supposed to print it? */
{ DEBUGP (("verify_cert_callback: %s\n", buf));
switch (ctx->error)
{
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
/* This mean the CERT is not valid !!! */
ok = 0;
break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
/* Unsure if we should handle that this way */
ok = 1;
break;
}
}
return ok; return ok;
} }
@ -241,9 +233,12 @@ ssl_init ()
SSL_CTX_set_default_verify_paths (ssl_ctx); SSL_CTX_set_default_verify_paths (ssl_ctx);
SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory); SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
/* Specify whether the connect should fail if the verification of
the peer fails or if it should go ahead. */
SSL_CTX_set_verify (ssl_ctx, SSL_CTX_set_verify (ssl_ctx,
opt.check_cert ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, opt.check_cert ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
verify_callback); verify_cert_callback);
if (opt.cert_file) if (opt.cert_file)
if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file, if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file,
@ -256,6 +251,10 @@ ssl_init ()
!= 1) != 1)
goto error; goto error;
/* Since fd_write unconditionally assumes partial writes (and
handles them correctly), allow them in OpenSSL. */
SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
return 1; return 1;
error: error: