diff options
Diffstat (limited to 'lib/ssluse.c')
-rw-r--r-- | lib/ssluse.c | 218 |
1 files changed, 110 insertions, 108 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index 9def3e805..789175735 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -64,6 +64,7 @@ static int passwd_callback(char *buf, int num, int verify static int cert_stuff(struct UrlData *data, + struct connectdata *conn, char *cert_file, char *key_file) { @@ -78,10 +79,10 @@ int cert_stuff(struct UrlData *data, */ strcpy(global_passwd, data->cert_passwd); /* Set passwd callback: */ - SSL_CTX_set_default_passwd_cb(data->ssl.ctx, passwd_callback); + SSL_CTX_set_default_passwd_cb(conn->ssl.ctx, passwd_callback); } - if (SSL_CTX_use_certificate_file(data->ssl.ctx, + if (SSL_CTX_use_certificate_file(conn->ssl.ctx, cert_file, SSL_FILETYPE_PEM) <= 0) { failf(data, "unable to set certificate file (wrong password?)\n"); @@ -90,14 +91,14 @@ int cert_stuff(struct UrlData *data, if (key_file == NULL) key_file=cert_file; - if (SSL_CTX_use_PrivateKey_file(data->ssl.ctx, + if (SSL_CTX_use_PrivateKey_file(conn->ssl.ctx, key_file, SSL_FILETYPE_PEM) <= 0) { failf(data, "unable to set public key file\n"); return(0); } - ssl=SSL_new(data->ssl.ctx); + ssl=SSL_new(conn->ssl.ctx); x509=SSL_get_certificate(ssl); if (x509 != NULL) @@ -111,7 +112,7 @@ int cert_stuff(struct UrlData *data, /* Now we know that a key and cert have been set against * the SSL context */ - if (!SSL_CTX_check_private_key(data->ssl.ctx)) { + if (!SSL_CTX_check_private_key(conn->ssl.ctx)) { failf(data, "Private key does not match the certificate public key\n"); return(0); } @@ -141,22 +142,23 @@ int cert_verify_callback(int ok, X509_STORE_CTX *ctx) /* ====================================================== */ int -Curl_SSLConnect (struct UrlData *data) +Curl_SSLConnect(struct connectdata *conn) { #ifdef USE_SSLEAY - int err; - char * str; - SSL_METHOD *req_method; + struct UrlData *data = conn->data; + int err; + char * str; + SSL_METHOD *req_method; - /* mark this is being ssl enabled from here on out. */ - data->ssl.use = TRUE; + /* mark this is being ssl enabled from here on out. */ + conn->ssl.use = TRUE; - /* Lets get nice error messages */ - SSL_load_error_strings(); + /* Lets get nice error messages */ + SSL_load_error_strings(); #ifdef HAVE_RAND_STATUS - /* RAND_status() was introduced in OpenSSL 0.9.5 */ - if(0 == RAND_status()) + /* RAND_status() was introduced in OpenSSL 0.9.5 */ + if(0 == RAND_status()) #endif { /* We need to seed the PRNG properly! */ @@ -177,116 +179,116 @@ Curl_SSLConnect (struct UrlData *data) #endif } - /* Setup all the global SSL stuff */ - SSLeay_add_ssl_algorithms(); - - switch(data->ssl.version) { - default: - req_method = SSLv23_client_method(); - break; - case 2: - req_method = SSLv2_client_method(); - break; - case 3: - req_method = SSLv3_client_method(); - break; - } + /* Setup all the global SSL stuff */ + SSLeay_add_ssl_algorithms(); + + switch(data->ssl.version) { + default: + req_method = SSLv23_client_method(); + break; + case 2: + req_method = SSLv2_client_method(); + break; + case 3: + req_method = SSLv3_client_method(); + break; + } - data->ssl.ctx = SSL_CTX_new(req_method); + conn->ssl.ctx = SSL_CTX_new(req_method); - if(!data->ssl.ctx) { - failf(data, "SSL: couldn't create a context!"); - return 1; - } + if(!conn->ssl.ctx) { + failf(data, "SSL: couldn't create a context!"); + return 1; + } - if(data->cert) { - if (!cert_stuff(data, data->cert, data->cert)) { - failf(data, "couldn't use certificate!\n"); - return 2; - } + if(data->cert) { + if (!cert_stuff(data, conn, data->cert, data->cert)) { + failf(data, "couldn't use certificate!\n"); + return 2; } + } - if(data->ssl.verifypeer){ - SSL_CTX_set_verify(data->ssl.ctx, - SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT| - SSL_VERIFY_CLIENT_ONCE, - cert_verify_callback); - if (!SSL_CTX_load_verify_locations(data->ssl.ctx, - data->ssl.CAfile, - data->ssl.CApath)) { - failf(data,"error setting cerficate verify locations\n"); - return 2; - } + if(data->ssl.verifypeer){ + SSL_CTX_set_verify(conn->ssl.ctx, + SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT| + SSL_VERIFY_CLIENT_ONCE, + cert_verify_callback); + if (!SSL_CTX_load_verify_locations(conn->ssl.ctx, + data->ssl.CAfile, + data->ssl.CApath)) { + failf(data,"error setting cerficate verify locations\n"); + return 2; } - else - SSL_CTX_set_verify(data->ssl.ctx, SSL_VERIFY_NONE, cert_verify_callback); + } + else + SSL_CTX_set_verify(conn->ssl.ctx, SSL_VERIFY_NONE, cert_verify_callback); - /* Lets make an SSL structure */ - data->ssl.handle = SSL_new (data->ssl.ctx); - SSL_set_connect_state (data->ssl.handle); + /* Lets make an SSL structure */ + conn->ssl.handle = SSL_new (conn->ssl.ctx); + SSL_set_connect_state (conn->ssl.handle); - data->ssl.server_cert = 0x0; + conn->ssl.server_cert = 0x0; - /* pass the raw socket into the SSL layers */ - SSL_set_fd (data->ssl.handle, data->firstsocket); - err = SSL_connect (data->ssl.handle); + /* pass the raw socket into the SSL layers */ + SSL_set_fd (conn->ssl.handle, conn->firstsocket); + err = SSL_connect (conn->ssl.handle); - if (-1 == err) { - err = ERR_get_error(); - failf(data, "SSL: %s", ERR_error_string(err, NULL)); - return 10; - } + if (-1 == err) { + err = ERR_get_error(); + failf(data, "SSL: %s", ERR_error_string(err, NULL)); + return 10; + } - /* Informational message */ - infof (data, "SSL connection using %s\n", - SSL_get_cipher(data->ssl.handle)); + /* Informational message */ + infof (data, "SSL connection using %s\n", + SSL_get_cipher(conn->ssl.handle)); - /* Get server's certificate (note: beware of dynamic allocation) - opt */ - /* major serious hack alert -- we should check certificates - * to authenticate the server; otherwise we risk man-in-the-middle - * attack - */ - - data->ssl.server_cert = SSL_get_peer_certificate (data->ssl.handle); - if(!data->ssl.server_cert) { - failf(data, "SSL: couldn't get peer certificate!"); - return 3; - } - infof (data, "Server certificate:\n"); + /* Get server's certificate (note: beware of dynamic allocation) - opt */ + /* major serious hack alert -- we should check certificates + * to authenticate the server; otherwise we risk man-in-the-middle + * attack + */ + + conn->ssl.server_cert = SSL_get_peer_certificate (conn->ssl.handle); + if(!conn->ssl.server_cert) { + failf(data, "SSL: couldn't get peer certificate!"); + return 3; + } + infof (data, "Server certificate:\n"); - str = X509_NAME_oneline (X509_get_subject_name (data->ssl.server_cert), - NULL, 0); - if(!str) { - failf(data, "SSL: couldn't get X509-subject!"); - return 4; - } - infof(data, "\t subject: %s\n", str); - CRYPTO_free(str); - - str = X509_NAME_oneline (X509_get_issuer_name (data->ssl.server_cert), - NULL, 0); - if(!str) { - failf(data, "SSL: couldn't get X509-issuer name!"); - return 5; - } - infof(data, "\t issuer: %s\n", str); - CRYPTO_free(str); + str = X509_NAME_oneline (X509_get_subject_name (conn->ssl.server_cert), + NULL, 0); + if(!str) { + failf(data, "SSL: couldn't get X509-subject!"); + return 4; + } + infof(data, "\t subject: %s\n", str); + CRYPTO_free(str); + + str = X509_NAME_oneline (X509_get_issuer_name (conn->ssl.server_cert), + NULL, 0); + if(!str) { + failf(data, "SSL: couldn't get X509-issuer name!"); + return 5; + } + infof(data, "\t issuer: %s\n", str); + CRYPTO_free(str); - /* We could do all sorts of certificate verification stuff here before - deallocating the certificate. */ + /* We could do all sorts of certificate verification stuff here before + deallocating the certificate. */ - if(data->ssl.verifypeer) { - data->ssl.certverifyresult=SSL_get_verify_result(data->ssl.handle); - infof(data, "Verify result: %d\n", data->ssl.certverifyresult); - } - else - data->ssl.certverifyresult=0; + if(data->ssl.verifypeer) { + data->ssl.certverifyresult=SSL_get_verify_result(conn->ssl.handle); + infof(data, "Verify result: %d\n", data->ssl.certverifyresult); + } + else + data->ssl.certverifyresult=0; - X509_free(data->ssl.server_cert); + X509_free(conn->ssl.server_cert); #else /* USE_SSLEAY */ - /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */ - (void) data; + /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */ + (void) data; #endif - return 0; + return 0; } |