aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/ftp.c4
-rw-r--r--lib/getinfo.c3
-rw-r--r--lib/sendf.c8
-rw-r--r--lib/ssluse.c77
-rw-r--r--lib/telnet.c9
-rw-r--r--lib/url.c41
-rw-r--r--lib/urldata.h25
7 files changed, 101 insertions, 66 deletions
diff --git a/lib/ftp.c b/lib/ftp.c
index ea984a6c7..3469c33b1 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -273,8 +273,8 @@ int GetLastResponse(int sockfd, char *buf,
break;
default:
#ifdef USE_SSLEAY
- if (data->use_ssl) {
- keepon = SSL_read(data->ssl, ptr, 1);
+ if (data->ssl.use) {
+ keepon = SSL_read(data->ssl.handle, ptr, 1);
}
else {
#endif
diff --git a/lib/getinfo.c b/lib/getinfo.c
index 177af976e..dbcaa1b07 100644
--- a/lib/getinfo.c
+++ b/lib/getinfo.c
@@ -117,6 +117,9 @@ CURLcode curl_getinfo(CURL *curl, CURLINFO info, ...)
case CURLINFO_SPEED_UPLOAD:
*param_doublep = data->progress.ulspeed;
break;
+ case CURLINFO_SSL_VERIFYRESULT:
+ *param_longp = data->ssl.certverifyresult;
+ break;
default:
return CURLE_BAD_FUNCTION_ARGUMENT;
}
diff --git a/lib/sendf.c b/lib/sendf.c
index 4984bd7f5..447a47390 100644
--- a/lib/sendf.c
+++ b/lib/sendf.c
@@ -111,8 +111,8 @@ size_t sendf(int fd, struct UrlData *data, char *fmt, ...)
#ifndef USE_SSLEAY
bytes_written = swrite(fd, s, strlen(s));
#else /* USE_SSLEAY */
- if (data->use_ssl) {
- bytes_written = SSL_write(data->ssl, s, strlen(s));
+ if (data->ssl.use) {
+ bytes_written = SSL_write(data->ssl.handle, s, strlen(s));
} else {
bytes_written = swrite(fd, s, strlen(s));
}
@@ -161,8 +161,8 @@ size_t ssend(int fd, struct connectdata *conn, void *mem, size_t len)
struct UrlData *data=conn->data; /* conn knows data, not vice versa */
#ifdef USE_SSLEAY
- if (data->use_ssl) {
- bytes_written = SSL_write(data->ssl, mem, len);
+ if (data->ssl.use) {
+ bytes_written = SSL_write(data->ssl.handle, mem, len);
}
else {
#endif
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 7933fc29e..c9adc270f 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -94,10 +94,10 @@ int SSL_cert_stuff(struct UrlData *data,
*/
strcpy(global_passwd, data->cert_passwd);
/* Set passwd callback: */
- SSL_CTX_set_default_passwd_cb(data->ctx, passwd_callback);
+ SSL_CTX_set_default_passwd_cb(data->ssl.ctx, passwd_callback);
}
- if (SSL_CTX_use_certificate_file(data->ctx,
+ if (SSL_CTX_use_certificate_file(data->ssl.ctx,
cert_file,
SSL_FILETYPE_PEM) <= 0) {
failf(data, "unable to set certificate file (wrong password?)\n");
@@ -106,14 +106,14 @@ int SSL_cert_stuff(struct UrlData *data,
if (key_file == NULL)
key_file=cert_file;
- if (SSL_CTX_use_PrivateKey_file(data->ctx,
+ if (SSL_CTX_use_PrivateKey_file(data->ssl.ctx,
key_file,
SSL_FILETYPE_PEM) <= 0) {
failf(data, "unable to set public key file\n");
return(0);
}
- ssl=SSL_new(data->ctx);
+ ssl=SSL_new(data->ssl.ctx);
x509=SSL_get_certificate(ssl);
if (x509 != NULL)
@@ -127,7 +127,7 @@ int SSL_cert_stuff(struct UrlData *data,
/* Now we know that a key and cert have been set against
* the SSL context */
- if (!SSL_CTX_check_private_key(data->ctx)) {
+ if (!SSL_CTX_check_private_key(data->ssl.ctx)) {
failf(data, "Private key does not match the certificate public key\n");
return(0);
}
@@ -140,7 +140,7 @@ int SSL_cert_stuff(struct UrlData *data,
#endif
-#if SSL_VERIFY_CERT
+#ifdef USE_SSLEAY
int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
{
X509 *err_cert;
@@ -164,7 +164,7 @@ UrgSSLConnect (struct UrlData *data)
SSL_METHOD *req_method;
/* mark this is being ssl enabled from here on out. */
- data->use_ssl = 1;
+ data->ssl.use = TRUE;
/* Lets get nice error messages */
SSL_load_error_strings();
@@ -195,7 +195,7 @@ UrgSSLConnect (struct UrlData *data)
/* Setup all the global SSL stuff */
SSLeay_add_ssl_algorithms();
- switch(data->ssl_version) {
+ switch(data->ssl.version) {
default:
req_method = SSLv23_client_method();
break;
@@ -207,9 +207,9 @@ UrgSSLConnect (struct UrlData *data)
break;
}
- data->ctx = SSL_CTX_new(req_method);
+ data->ssl.ctx = SSL_CTX_new(req_method);
- if(!data->ctx) {
+ if(!data->ssl.ctx) {
failf(data, "SSL: couldn't create a context!");
return 1;
}
@@ -221,22 +221,31 @@ UrgSSLConnect (struct UrlData *data)
}
}
-#if SSL_VERIFY_CERT
- SSL_CTX_set_verify(data->ctx,
- SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
- SSL_VERIFY_CLIENT_ONCE,
- cert_verify_callback);
-#endif
+ if(data->ssl.verifypeer){
+ SSL_CTX_set_verify(data->ssl.ctx,
+ SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
+ SSL_VERIFY_CLIENT_ONCE,
+ cert_verify_callback);
+ if (!SSL_CTX_load_verify_locations(data->ssl.ctx,
+ data->ssl.CAfile,
+ data->ssl.CApath)) {
+ failf(data,"error setting cerficate verify locations\n");
+ return 2;
+ }
+ }
+ else
+ SSL_CTX_set_verify(data->ssl.ctx, SSL_VERIFY_NONE, cert_verify_callback);
+
/* Lets make an SSL structure */
- data->ssl = SSL_new (data->ctx);
- SSL_set_connect_state (data->ssl);
+ data->ssl.handle = SSL_new (data->ssl.ctx);
+ SSL_set_connect_state (data->ssl.handle);
- data->server_cert = 0x0;
+ data->ssl.server_cert = 0x0;
/* pass the raw socket into the SSL layers */
- SSL_set_fd (data->ssl, data->firstsocket);
- err = SSL_connect (data->ssl);
+ SSL_set_fd (data->ssl.handle, data->firstsocket);
+ err = SSL_connect (data->ssl.handle);
if (-1 == err) {
err = ERR_get_error();
@@ -244,8 +253,9 @@ UrgSSLConnect (struct UrlData *data)
return 10;
}
-
- infof (data, "SSL connection using %s\n", SSL_get_cipher (data->ssl));
+ /* Informational message */
+ infof (data, "SSL connection using %s\n",
+ SSL_get_cipher(data->ssl.handle));
/* Get server's certificate (note: beware of dynamic allocation) - opt */
/* major serious hack alert -- we should check certificates
@@ -253,14 +263,15 @@ UrgSSLConnect (struct UrlData *data)
* attack
*/
- data->server_cert = SSL_get_peer_certificate (data->ssl);
- if(!data->server_cert) {
+ data->ssl.server_cert = SSL_get_peer_certificate (data->ssl.handle);
+ if(!data->ssl.server_cert) {
failf(data, "SSL: couldn't get peer certificate!");
return 3;
}
infof (data, "Server certificate:\n");
- str = X509_NAME_oneline (X509_get_subject_name (data->server_cert), NULL, 0);
+ str = X509_NAME_oneline (X509_get_subject_name (data->ssl.server_cert),
+ NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-subject!");
return 4;
@@ -268,7 +279,8 @@ UrgSSLConnect (struct UrlData *data)
infof(data, "\t subject: %s\n", str);
CRYPTO_free(str);
- str = X509_NAME_oneline (X509_get_issuer_name (data->server_cert), NULL, 0);
+ str = X509_NAME_oneline (X509_get_issuer_name (data->ssl.server_cert),
+ NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-issuer name!");
return 5;
@@ -279,11 +291,14 @@ UrgSSLConnect (struct UrlData *data)
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
-#if SSL_VERIFY_CERT
- infof(data, "Verify result: %d\n", SSL_get_verify_result(data->ssl));
-#endif
+ if(data->ssl.verifypeer) {
+ data->ssl.certverifyresult=SSL_get_verify_result(data->ssl.handle);
+ infof(data, "Verify result: %d\n", data->ssl.certverifyresult);
+ }
+ else
+ data->ssl.certverifyresult=0;
- X509_free(data->server_cert);
+ X509_free(data->ssl.server_cert);
#else /* USE_SSLEAY */
/* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
(void) data;
diff --git a/lib/telnet.c b/lib/telnet.c
index 486d69ded..e8fa874ac 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -861,8 +861,9 @@ void telwrite(struct UrlData *data,
#ifndef USE_SSLEAY
bytes_written = swrite(data->firstsocket, outbuf, out_count);
#else
- if (data->use_ssl) {
- bytes_written = SSL_write(data->ssl, (char *)outbuf, out_count);
+ if (data->ssl.use) {
+ bytes_written = SSL_write(data->ssl.handle, (char *)outbuf,
+ out_count);
}
else {
bytes_written = swrite(data->firstsocket, outbuf, out_count);
@@ -918,8 +919,8 @@ CURLcode telnet(struct connectdata *conn)
#ifndef USE_SSLEAY
nread = sread (sockfd, buf, BUFSIZE - 1);
#else
- if (data->use_ssl) {
- nread = SSL_read (data->ssl, buf, BUFSIZE - 1);
+ if (data->ssl.use) {
+ nread = SSL_read (data->ssl.handle, buf, BUFSIZE - 1);
}
else {
nread = sread (sockfd, buf, BUFSIZE - 1);
diff --git a/lib/url.c b/lib/url.c
index c941e99e3..76b8f4e8d 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -150,19 +150,19 @@ void curl_free(void)
void static urlfree(struct UrlData *data, bool totally)
{
#ifdef USE_SSLEAY
- if (data->use_ssl) {
- if(data->ssl) {
- (void)SSL_shutdown(data->ssl);
- SSL_set_connect_state(data->ssl);
+ if (data->ssl.use) {
+ if(data->ssl.handle) {
+ (void)SSL_shutdown(data->ssl.handle);
+ SSL_set_connect_state(data->ssl.handle);
- SSL_free (data->ssl);
- data->ssl = NULL;
+ SSL_free (data->ssl.handle);
+ data->ssl.handle = NULL;
}
- if(data->ctx) {
- SSL_CTX_free (data->ctx);
- data->ctx = NULL;
+ if(data->ssl.ctx) {
+ SSL_CTX_free (data->ssl.ctx);
+ data->ssl.ctx = NULL;
}
- data->use_ssl = FALSE; /* get back to ordinary socket usage */
+ data->ssl.use = FALSE; /* get back to ordinary socket usage */
}
#endif /* USE_SSLEAY */
@@ -380,7 +380,7 @@ CURLcode curl_setopt(CURL *curl, CURLoption option, ...)
break;
case CURLOPT_SSLVERSION:
- data->ssl_version = va_arg(param, long);
+ data->ssl.version = va_arg(param, long);
break;
case CURLOPT_COOKIEFILE:
@@ -522,6 +522,13 @@ CURLcode curl_setopt(CURL *curl, CURLoption option, ...)
data->krb4_level = va_arg(param, char *);
data->bits.krb4=data->krb4_level?TRUE:FALSE;
break;
+ case CURLOPT_SSL_VERIFYPEER:
+ data->ssl.verifypeer = va_arg(param, long);
+ break;
+ case CURLOPT_CAINFO:
+ data->ssl.CAfile = va_arg(param, char *);
+ data->ssl.CApath = NULL; /*This does not work on windows.*/
+ break;
default:
/* unknown tag and its companion, just ignore: */
return CURLE_READ_ERROR; /* correct this */
@@ -546,8 +553,8 @@ int GetLine(int sockfd, char *buf, struct UrlData *data)
(nread<BUFSIZE) && read_rc;
nread++, ptr++) {
#ifdef USE_SSLEAY
- if (data->use_ssl) {
- read_rc = SSL_read(data->ssl, ptr, 1);
+ if (data->ssl.use) {
+ read_rc = SSL_read(data->ssl.handle, ptr, 1);
}
else {
#endif
@@ -593,8 +600,8 @@ CURLcode curl_write(CURLconnect *c_conn, char *buf, size_t amount,
data = conn->data;
#ifdef USE_SSLEAY
- if (data->use_ssl) {
- bytes_written = SSL_write(data->ssl, buf, amount);
+ if (data->ssl.use) {
+ bytes_written = SSL_write(data->ssl.handle, buf, amount);
}
else {
#endif
@@ -624,8 +631,8 @@ CURLcode curl_read(CURLconnect *c_conn, char *buf, size_t buffersize,
data = conn->data;
#ifdef USE_SSLEAY
- if (data->use_ssl) {
- nread = SSL_read (data->ssl, buf, buffersize);
+ if (data->ssl.use) {
+ nread = SSL_read (data->ssl.handle, buf, buffersize);
}
else {
#endif
diff --git a/lib/urldata.h b/lib/urldata.h
index 5b5da4d1f..12046bfda 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -326,6 +326,21 @@ typedef enum {
CURLI_LAST
} CurlInterface;
+struct ssldata {
+ bool use; /* use ssl encrypted communications TRUE/FALSE */
+ long version; /* what version the client wants to use */
+ long certverifyresult; /* result from the certificate verification */
+ bool verifypeer; /* set TRUE if this is desired */
+ char *CApath; /* DOES NOT WORK ON WINDOWS */
+ char *CAfile; /* cerficate to verify peer against */
+#ifdef USE_SSLEAY
+ /* these ones requires specific SSL-types */
+ SSL_CTX* ctx;
+ SSL* handle;
+ X509* server_cert;
+#endif /* USE_SSLEAY */
+};
+
/*
* As of April 11, 2000 we're now trying to split up the urldata struct in
* three different parts:
@@ -438,8 +453,6 @@ struct UrlData {
char *cookie; /* HTTP cookie string to send */
- short use_ssl; /* use ssl encrypted communications */
-
char *newurl; /* This can only be set if a Location: was in the
document headers */
@@ -451,12 +464,8 @@ struct UrlData {
struct CookieInfo *cookies;
- long ssl_version; /* what version the client wants to use */
-#ifdef USE_SSLEAY
- SSL_CTX* ctx;
- SSL* ssl;
- X509* server_cert;
-#endif /* USE_SSLEAY */
+ struct ssldata ssl; /* this is for ssl-stuff */
+
long crlf;
struct curl_slist *quote; /* before the transfer */
struct curl_slist *postquote; /* after the transfer */