1
0
mirror of https://github.com/moparisthebest/wget synced 2024-07-03 16:38:41 -04:00

[svn] Cosmetic cleanup of SSL stuff.

This commit is contained in:
hniksic 2000-12-05 15:35:56 -08:00
parent ac5d0a9e4d
commit e754c99b46
4 changed files with 136 additions and 155 deletions

View File

@ -1,3 +1,14 @@
2000-12-06 Hrvoje Niksic <hniksic@arsdigita.com>
* gen_sslfunc.h: Use ansi2knr style function declarations.
* gen_sslfunc.c: Reformat according to the GNU coding standards.
More should be done.
* http.c (persistent_available_p): Place the cheap SSL test nearer
the top of the function.
(CLOSE_FINISH, CLOSE_INVALIDATE): Define only one version of each.
2000-12-03 Christian Fraenkel <christian.fraenkel@gmx.net> 2000-12-03 Christian Fraenkel <christian.fraenkel@gmx.net>
* Makefile.in: added gen_sslfunc object * Makefile.in: added gen_sslfunc object

View File

@ -30,61 +30,71 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
#include <sys/time.h> #include <sys/time.h>
#include "wget.h" #include "wget.h"
#include "connect.h" #include "connect.h"
int verify_callback(int ok, X509_STORE_CTX *ctx);
/* #### Shouldn't this be static? --hniksic */
int verify_callback PARAMS ((int, X509_STORE_CTX *));
/* Creates a SSL Context and sets some defaults for it */ /* Creates a SSL Context and sets some defaults for it */
int init_ssl(SSL_CTX **ctx) int
init_ssl (SSL_CTX **ctx)
{ {
SSL_METHOD *meth=NULL; SSL_METHOD *meth = NULL;
int verify=SSL_VERIFY_NONE; int verify = SSL_VERIFY_NONE;
SSL_library_init(); SSL_library_init ();
SSL_load_error_strings(); SSL_load_error_strings ();
SSLeay_add_all_algorithms(); SSLeay_add_all_algorithms ();
SSLeay_add_ssl_algorithms(); SSLeay_add_ssl_algorithms ();
meth = SSLv23_client_method(); meth = SSLv23_client_method ();
*ctx = SSL_CTX_new(meth); *ctx = SSL_CTX_new (meth);
SSL_CTX_set_verify(*ctx,verify,verify_callback); SSL_CTX_set_verify (*ctx, verify, verify_callback);
if (*ctx==NULL) return SSL_ERR_CTX_CREATION; if (*ctx == NULL) return SSL_ERR_CTX_CREATION;
return 0; /* Succeded */ return 0; /* Succeded */
} }
/* Sets up a SSL structure and performs the handshake on fd /* Sets up a SSL structure and performs the handshake on fd
Returns 0 if everything went right Returns 0 if everything went right
Returns 1 if something went wrong ----- TODO: More exit codes Returns 1 if something went wrong ----- TODO: More exit codes
*/ */
int connect_ssl (SSL **con, SSL_CTX *ctx, int fd) int
connect_ssl (SSL **con, SSL_CTX *ctx, int fd)
{ {
*con=(SSL *)SSL_new(ctx); *con = (SSL *)SSL_new (ctx);
SSL_set_fd(*con,fd); SSL_set_fd (*con, fd);
SSL_set_connect_state(*con); SSL_set_connect_state (*con);
SSL_connect(*con); SSL_connect (*con);
if ((*con)->state !=SSL_ST_OK) if ((*con)->state != SSL_ST_OK)
return 1; return 1;
return 0; return 0;
} }
void shutdown_ssl (SSL* con) void
shutdown_ssl (SSL* con)
{ {
SSL_shutdown(con); SSL_shutdown (con);
if (con != NULL) SSL_free(con); if (con != NULL)
SSL_free (con);
} }
void free_ssl_ctx (SSL_CTX * ctx) { void
SSL_CTX_free(ctx); free_ssl_ctx (SSL_CTX * ctx)
{
SSL_CTX_free (ctx);
} }
int verify_callback(int ok, X509_STORE_CTX *ctx){ int
char *s,buf[256]; verify_callback (int ok, X509_STORE_CTX *ctx)
s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,256); {
char *s, buf[256];
s = X509_NAME_oneline (X509_get_subject_name (ctx->current_cert), buf, 256);
if (ok == 0) { if (ok == 0) {
switch (ctx->error) { switch (ctx->error) {
case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
ok=1; ok = 1;
} }
} }
return(ok); return ok;
} }
/* SSL version of iread. Only exchanged read for SSL_read /* SSL version of iread. Only exchanged read for SSL_read
@ -98,7 +108,7 @@ ssl_iread (SSL *con, char *buf, int len)
{ {
int res; int res;
int fd; int fd;
BIO_get_fd(con->rbio,&fd); BIO_get_fd (con->rbio, &fd);
do do
{ {
#ifdef HAVE_SELECT #ifdef HAVE_SELECT
@ -138,7 +148,7 @@ ssl_iwrite (SSL *con, char *buf, int len)
{ {
int res = 0; int res = 0;
int fd; int fd;
BIO_get_fd(con->rbio,&fd); BIO_get_fd (con->rbio, &fd);
/* `write' may write less than LEN bytes, thus the outward loop /* `write' may write less than LEN bytes, thus the outward loop
keeps trying it until all was written, or an error occurred. The keeps trying it until all was written, or an error occurred. The
inner loop is reserved for the usual EINTR f*kage, and the inner loop is reserved for the usual EINTR f*kage, and the

View File

@ -21,11 +21,11 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
# include <openssl/ssl.h> # include <openssl/ssl.h>
#endif #endif
int init_ssl(SSL_CTX **ctx); int init_ssl PARAMS ((SSL_CTX **));
int connect_ssl (SSL **con, SSL_CTX *ctx, int fd); int connect_ssl PARAMS ((SSL **, SSL_CTX *, int));
void shutdown_ssl (SSL* con); void shutdown_ssl PARAMS ((SSL*));
void free_ssl_ctx (SSL_CTX * ctx); void free_ssl_ctx PARAMS ((SSL_CTX *));
int verify_callback(int ok, X509_STORE_CTX *ctx); int verify_callback PARAMS ((int, X509_STORE_CTX *));
int ssl_iread (SSL *con, char *buf, int len); int ssl_iread PARAMS ((SSL *, char *, int));
int ssl_iwrite (SSL *con, char *buf, int len); int ssl_iwrite PARAMS ((SSL *, char *, int));

View File

@ -311,11 +311,11 @@ invalidate_persistent (void)
If a previous connection was persistent, it is closed. */ If a previous connection was persistent, it is closed. */
static void static void
#ifndef HAVE_SSL register_persistent (const char *host, unsigned short port, int fd
register_persistent (const char *host, unsigned short port, int fd) #ifdef HAVE_SSL
#else , SSL *ssl
register_persistent (const char *host, unsigned short port, int fd, SSL* ssl) #endif
#endif /* HAVE_SSL */ )
{ {
int success; int success;
@ -335,9 +335,11 @@ register_persistent (const char *host, unsigned short port, int fd, SSL* ssl)
different host, and try to register a persistent different host, and try to register a persistent
connection to that one. */ connection to that one. */
#ifdef HAVE_SSL #ifdef HAVE_SSL
/* the ssl disconnect has to take place before the closing of pc_last_fd */ /* The ssl disconnect has to take place before the closing
if (pc_last_ssl) shutdown_ssl(pc_last_ssl); of pc_last_fd. */
#endif /* HAVE_SSL */ if (pc_last_ssl)
shutdown_ssl(pc_last_ssl);
#endif
CLOSE (pc_last_fd); CLOSE (pc_last_fd);
invalidate_persistent (); invalidate_persistent ();
} }
@ -351,9 +353,9 @@ register_persistent (const char *host, unsigned short port, int fd, SSL* ssl)
pc_last_fd = fd; pc_last_fd = fd;
pc_active_p = 1; pc_active_p = 1;
#ifdef HAVE_SSL #ifdef HAVE_SSL
pc_last_ssl=ssl; pc_last_ssl = ssl;
pc_active_ssl= ssl ? 1 : 0; pc_active_ssl = ssl ? 1 : 0;
#endif /* HAVE_SSL */ #endif
DEBUGP (("Registered fd %d for persistent reuse.\n", fd)); DEBUGP (("Registered fd %d for persistent reuse.\n", fd));
} }
@ -361,11 +363,11 @@ register_persistent (const char *host, unsigned short port, int fd, SSL* ssl)
connecting to HOST:PORT. */ connecting to HOST:PORT. */
static int static int
#ifndef HAVE_SSL persistent_available_p (const char *host, unsigned short port
persistent_available_p (const char *host, unsigned short port) #ifdef HAVE_SSL
#else int ssl
persistent_available_p (const char *host, unsigned short port,int ssl) #endif
#endif /* HAVE_SSL */ )
{ {
unsigned char this_host[4]; unsigned char this_host[4];
/* First, check whether a persistent connection is active at all. */ /* First, check whether a persistent connection is active at all. */
@ -375,6 +377,15 @@ persistent_available_p (const char *host, unsigned short port,int ssl)
(HOST, PORT) ordered pair. */ (HOST, PORT) ordered pair. */
if (port != pc_last_port) if (port != pc_last_port)
return 0; return 0;
#ifdef HAVE_SSL
/* Second, a): check if current connection is (not) ssl, too. This
test is unlikely to fail because HTTP and HTTPS typicaly use
different ports. Yet it is possible, or so I [Christian
Fraenkel] have been told, to run HTTPS and HTTP simultaneus on
the same port. */
if (ssl != pc_active_ssl)
return 0;
#endif /* HAVE_SSL */
if (!store_hostaddress (this_host, host)) if (!store_hostaddress (this_host, host))
return 0; return 0;
if (memcmp (pc_last_host, this_host, 4)) if (memcmp (pc_last_host, this_host, 4))
@ -394,18 +405,18 @@ persistent_available_p (const char *host, unsigned short port,int ssl)
invalidate_persistent (); invalidate_persistent ();
return 0; return 0;
} }
#ifdef HAVE_SSL
/* Fourth: check if current connection is (not) ssl, too.
This test is unlikely to fail because HTTP and HTTPS
typicaly use different ports. Yet it is possible (or so
I have been told) to run HTTPS and HTTP simultaneus on
the same port. */
if (ssl!=pc_active_ssl)
return 0;
#endif /* HAVE_SSL */
return 1; return 1;
} }
#ifdef HAVE_SSL
# define SHUTDOWN_SSL(ssl) do { \
if (ssl) \
shutdown_ssl (ssl); \
} while (0)
#else
# define SHUTDOWN_SSL(ssl)
#endif
/* The idea behind these two CLOSE macros is to distinguish between /* The idea behind these two CLOSE macros is to distinguish between
two cases: one when the job we've been doing is finished, and we two cases: one when the job we've been doing is finished, and we
want to close the connection and leave, and two when something is want to close the connection and leave, and two when something is
@ -421,10 +432,10 @@ persistent_available_p (const char *host, unsigned short port,int ssl)
`pc_active_p && (fd) == pc_last_fd' is "we're *now* using an `pc_active_p && (fd) == pc_last_fd' is "we're *now* using an
active, registered connection". */ active, registered connection". */
#ifndef HAVE_SSL
#define CLOSE_FINISH(fd) do { \ #define CLOSE_FINISH(fd) do { \
if (!keep_alive) \ if (!keep_alive) \
{ \ { \
SHUTDOWN_SSL (ssl); \
CLOSE (fd); \ CLOSE (fd); \
if (pc_active_p && (fd) == pc_last_fd) \ if (pc_active_p && (fd) == pc_last_fd) \
invalidate_persistent (); \ invalidate_persistent (); \
@ -432,30 +443,11 @@ persistent_available_p (const char *host, unsigned short port,int ssl)
} while (0) } while (0)
#define CLOSE_INVALIDATE(fd) do { \ #define CLOSE_INVALIDATE(fd) do { \
SHUTDOWN_SSL (ssl); \
CLOSE (fd); \ CLOSE (fd); \
if (pc_active_p && (fd) == pc_last_fd) \ if (pc_active_p && (fd) == pc_last_fd) \
invalidate_persistent (); \ invalidate_persistent (); \
} while (0) } while (0)
#else
#define CLOSE_FINISH(fd,ssl) do { \
if (!keep_alive) \
{ \
if (ssl) shutdown_ssl(ssl); \
CLOSE (fd); \
if (pc_active_p && (fd) == pc_last_fd) \
invalidate_persistent (); \
} \
} while (0)
#define CLOSE_INVALIDATE(fd,ssl) do { \
if (ssl) shutdown_ssl(ssl); \
CLOSE (fd); \
if (pc_active_p && (fd) == pc_last_fd) \
invalidate_persistent (); \
} while (0)
#endif /* HAVE_SSL */
struct http_stat struct http_stat
{ {
@ -525,8 +517,8 @@ gethttp (struct urlinfo *u, struct http_stat *hs, int *dt)
int auth_tried_already; int auth_tried_already;
struct rbuf rbuf; struct rbuf rbuf;
#ifdef HAVE_SSL #ifdef HAVE_SSL
static SSL_CTX *ssl_ctx=NULL; static SSL_CTX *ssl_ctx = NULL;
SSL *ssl=NULL; SSL *ssl = NULL;
#endif /* HAVE_SSL */ #endif /* HAVE_SSL */
/* Whether this connection will be kept alive after the HTTP request /* Whether this connection will be kept alive after the HTTP request
@ -542,7 +534,8 @@ gethttp (struct urlinfo *u, struct http_stat *hs, int *dt)
#ifdef HAVE_SSL #ifdef HAVE_SSL
/* initialize ssl_ctx on first run */ /* initialize ssl_ctx on first run */
if (!ssl_ctx) init_ssl(&ssl_ctx); if (!ssl_ctx)
init_ssl (&ssl_ctx);
#endif /* HAVE_SSL */ #endif /* HAVE_SSL */
if (!(*dt & HEAD_ONLY)) if (!(*dt & HEAD_ONLY))
@ -579,11 +572,13 @@ gethttp (struct urlinfo *u, struct http_stat *hs, int *dt)
/* First: establish the connection. */ /* First: establish the connection. */
if (inhibit_keep_alive if (inhibit_keep_alive
||
#ifndef HAVE_SSL #ifndef HAVE_SSL
|| !persistent_available_p (u->host, u->port)) !persistent_available_p (u->host, u->port)
#else #else
|| !persistent_available_p (u->host, u->port, (u->proto==URLHTTPS ? 1 : 0))) !persistent_available_p (u->host, u->port, (u->proto==URLHTTPS ? 1 : 0))
#endif /* HAVE_SSL */ #endif /* HAVE_SSL */
)
{ {
logprintf (LOG_VERBOSE, _("Connecting to %s:%hu... "), u->host, u->port); logprintf (LOG_VERBOSE, _("Connecting to %s:%hu... "), u->host, u->port);
err = make_connection (&sock, u->host, u->port); err = make_connection (&sock, u->host, u->port);
@ -620,7 +615,9 @@ gethttp (struct urlinfo *u, struct http_stat *hs, int *dt)
break; break;
} }
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (u->proto==URLHTTPS) if (connect_ssl(&ssl,ssl_ctx,sock)!=0) { if (u->proto == URLHTTPS)
if (connect_ssl (&ssl, ssl_ctx,sock) != 0)
{
logputs (LOG_VERBOSE, "\n"); logputs (LOG_VERBOSE, "\n");
logprintf (LOG_NOTQUIET, _("Unable to establish SSL connection.\n")); logprintf (LOG_NOTQUIET, _("Unable to establish SSL connection.\n"));
CLOSE (sock); CLOSE (sock);
@ -798,23 +795,17 @@ Accept: %s\r\n\
/* Send the request to server. */ /* Send the request to server. */
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (u->proto==URLHTTPS) { if (u->proto == URLHTTPS)
num_written = ssl_iwrite (ssl, request, strlen (request)); num_written = ssl_iwrite (ssl, request, strlen (request));
} else { else
#endif /* HAVE_SSL */ #endif /* HAVE_SSL */
num_written = iwrite (sock, request, strlen (request)); num_written = iwrite (sock, request, strlen (request));
#ifdef HAVE_SSL
}
#endif /* HAVE_SSL */
if (num_written < 0) if (num_written < 0)
{ {
logprintf (LOG_VERBOSE, _("Failed writing HTTP request: %s.\n"), logprintf (LOG_VERBOSE, _("Failed writing HTTP request: %s.\n"),
strerror (errno)); strerror (errno));
#ifndef HAVE_SSL
CLOSE_INVALIDATE (sock); CLOSE_INVALIDATE (sock);
#else
CLOSE_INVALIDATE (sock,ssl);
#endif /* HAVE_SSL */
return WRITEFAILED; return WRITEFAILED;
} }
logprintf (LOG_VERBOSE, _("%s request sent, awaiting response... "), logprintf (LOG_VERBOSE, _("%s request sent, awaiting response... "),
@ -827,9 +818,10 @@ Accept: %s\r\n\
/* Before reading anything, initialize the rbuf. */ /* Before reading anything, initialize the rbuf. */
rbuf_initialize (&rbuf, sock); rbuf_initialize (&rbuf, sock);
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (u->proto == URLHTTPS) { if (u->proto == URLHTTPS)
rbuf.ssl=ssl; rbuf.ssl = ssl;
} else { rbuf.ssl=NULL; } else
rbuf.ssl = NULL;
#endif /* HAVE_SSL */ #endif /* HAVE_SSL */
all_headers = NULL; all_headers = NULL;
all_length = 0; all_length = 0;
@ -865,11 +857,7 @@ Accept: %s\r\n\
FREE_MAYBE (type); FREE_MAYBE (type);
FREE_MAYBE (hs->newloc); FREE_MAYBE (hs->newloc);
FREE_MAYBE (all_headers); FREE_MAYBE (all_headers);
#ifndef HAVE_SSL
CLOSE_INVALIDATE (sock); CLOSE_INVALIDATE (sock);
#else
CLOSE_INVALIDATE (sock,ssl);
#endif /* HAVE_SSL */
return HEOF; return HEOF;
} }
else if (status == HG_ERROR) else if (status == HG_ERROR)
@ -881,11 +869,7 @@ Accept: %s\r\n\
FREE_MAYBE (type); FREE_MAYBE (type);
FREE_MAYBE (hs->newloc); FREE_MAYBE (hs->newloc);
FREE_MAYBE (all_headers); FREE_MAYBE (all_headers);
#ifndef HAVE_SSL
CLOSE_INVALIDATE (sock); CLOSE_INVALIDATE (sock);
#else
CLOSE_INVALIDATE (sock,ssl);
#endif /* HAVE_SSL */
return HERR; return HERR;
} }
@ -1038,11 +1022,7 @@ Accept: %s\r\n\
FREE_MAYBE (type); FREE_MAYBE (type);
type = NULL; type = NULL;
FREEHSTAT (*hs); FREEHSTAT (*hs);
#ifndef HAVE_SSL
CLOSE_FINISH (sock); CLOSE_FINISH (sock);
#else
CLOSE_FINISH (sock,ssl);
#endif /* HAVE_SSL */
if (auth_tried_already) if (auth_tried_already)
{ {
/* If we have tried it already, then there is not point /* If we have tried it already, then there is not point
@ -1118,11 +1098,7 @@ Accept: %s\r\n\
FREE_MAYBE (type); FREE_MAYBE (type);
FREE_MAYBE (hs->newloc); FREE_MAYBE (hs->newloc);
FREE_MAYBE (all_headers); FREE_MAYBE (all_headers);
#ifndef HAVE_SSL
CLOSE_INVALIDATE (sock); CLOSE_INVALIDATE (sock);
#else
CLOSE_INVALIDATE (sock,ssl);
#endif /* HAVE_SSL */
return RANGEERR; return RANGEERR;
} }
@ -1152,11 +1128,7 @@ Accept: %s\r\n\
_("Location: %s%s\n"), _("Location: %s%s\n"),
hs->newloc ? hs->newloc : _("unspecified"), hs->newloc ? hs->newloc : _("unspecified"),
hs->newloc ? _(" [following]") : ""); hs->newloc ? _(" [following]") : "");
#ifndef HAVE_SSL
CLOSE_FINISH (sock); CLOSE_FINISH (sock);
#else
CLOSE_FINISH (sock,ssl);
#endif /* HAVE_SSL */
FREE_MAYBE (type); FREE_MAYBE (type);
FREE_MAYBE (all_headers); FREE_MAYBE (all_headers);
return NEWLOCATION; return NEWLOCATION;
@ -1197,11 +1169,7 @@ Accept: %s\r\n\
hs->res = 0; hs->res = 0;
FREE_MAYBE (type); FREE_MAYBE (type);
FREE_MAYBE (all_headers); FREE_MAYBE (all_headers);
#ifndef HAVE_SSL
CLOSE_FINISH (sock); CLOSE_FINISH (sock);
#else
CLOSE_FINISH (sock,ssl);
#endif /* HAVE_SSL */
return RETRFINISHED; return RETRFINISHED;
} }
@ -1215,11 +1183,7 @@ Accept: %s\r\n\
if (!fp) if (!fp)
{ {
logprintf (LOG_NOTQUIET, "%s: %s\n", u->local, strerror (errno)); logprintf (LOG_NOTQUIET, "%s: %s\n", u->local, strerror (errno));
#ifndef HAVE_SSL
CLOSE_FINISH (sock); CLOSE_FINISH (sock);
#else
CLOSE_FINISH (sock,ssl);
#endif /* HAVE_SSL */
FREE_MAYBE (all_headers); FREE_MAYBE (all_headers);
return FOPENERR; return FOPENERR;
} }
@ -1259,11 +1223,7 @@ Accept: %s\r\n\
hs->res = -2; hs->res = -2;
} }
FREE_MAYBE (all_headers); FREE_MAYBE (all_headers);
#ifndef HAVE_SSL
CLOSE_FINISH (sock); CLOSE_FINISH (sock);
#else
CLOSE_FINISH (sock,ssl);
#endif /* HAVE_SSL */
if (hs->res == -2) if (hs->res == -2)
return FWRITEERR; return FWRITEERR;
return RETRFINISHED; return RETRFINISHED;