Copyright (C) 2000 Free Software Foundation, Inc.
Contributed by Christian Fraenkel.
This file is part of GNU Wget.
GNU Wget is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
GNU Wget is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Wget; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
In addition, as a special exception, the Free Software Foundation
gives permission to link the code of its release of Wget with the
OpenSSL project's "OpenSSL" library (or with modified versions of it
that use the same license as the "OpenSSL" library), and distribute
the linked executables. You must obey the GNU General Public License
in all respects for all of the code used other than "OpenSSL". If you
modify this file, you may extend this exception to your version of the
file, but you are not obligated to do so. If you do not wish to do
so, delete this exception statement from your version. */
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
/* It is likely that older versions of OpenSSL will fail on
non-Linux machines because this code is unable to seed the PRNG
on older versions of the library. */
#if SSLEAY_VERSION_NUMBER >= 0x00905100
/* First, seed from a file specified by the user. This will be
$RANDFILE, if set, or ~/.rnd. */
RAND_file_name (rand_file, sizeof (rand_file));
/* Seed at most 16k (value borrowed from curl) from random file. */
RAND_load_file (rand_file, 16384);
/* Get random data from EGD if opt.sslegdsock was set. */
if (opt.sslegdsock && *opt.sslegdsock)
RAND_egd (opt.sslegdsock);
/* Under Windows, we can try to seed the PRNG using screen content.
This may or may not work, depending on whether we're calling Wget
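/* Still not enough randomness, presumably because neither the random
file nor EGD has been available. Use the stupidest possible
method -- seed OpenSSL's PRNG with the system's PRNG, one byte per
loop iteration. Nothing shown here warns the user when this
fallback is what satisfies RAND_status (); SSL then proceeds on
seed material that is not cryptographically strong. This is
insecure in the cryptographic sense, but people who care about
security will use /dev/random or their own source of randomness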
while (RAND_status () == 0 && maxrand-- > 0)
unsigned char rnd = random_number (256);
RAND_seed (&rnd, sizeof (rnd));
if (RAND_status () == 0)
logprintf (LOG_NOTQUIET,
_("Could not seed OpenSSL PRNG; disabling SSL.\n"));
scheme_disable (SCHEME_HTTPS);
#endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */
verify_callback (int ok, X509_STORE_CTX *ctx)
s = X509_NAME_oneline (X509_get_subject_name (ctx->current_cert), buf, 256);
switch (ctx->error) {
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
/* This means the certificate is not valid !!! */
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
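/* Unsure if we should handle that this way.
NOTE(review): the statement that handles a depth-zero self-signed
certificate is not shown here; if it accepts the certificate, a
server presenting its own self-signed certificate passes this
callback without any trusted CA vouching for it -- confirm. */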
/* Pass all queued OpenSSL errors to DEBUGP.
Returns the number of printed errors. */
ssl_printerrors (void)
unsigned long curerr = 0;
memset(errbuff, 0, sizeof(errbuff));
while ( 0 != (curerr = ERR_get_error ()))
DEBUGP (("OpenSSL: %s\n", ERR_error_string (curerr, errbuff)));
/* Creates an SSL context and sets some defaults for it.
Returns 0 on success, otherwise SSLERRCTXCREATE, SSLERRCERTFILE
or SSLERRCERTKEY. */
init_ssl (SSL_CTX **ctx)
SSL_METHOD *meth = NULL;
SSL_load_error_strings ();
SSLeay_add_all_algorithms ();
SSLeay_add_ssl_algorithms ();
switch (opt.sslprotocol)
meth = SSLv23_client_method ();
meth = SSLv2_client_method ();
meth = SSLv3_client_method ();
meth = TLSv1_client_method ();
return SSLERRCTXCREATE;
*ctx = SSL_CTX_new (meth);
return SSLERRCTXCREATE;
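/* Can we validate the server cert?  The result of
SSL_CTX_load_verify_locations () is not checked on the call below,
so a CA file or directory that fails to load is not reported at
this point. */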
if (opt.sslcadir != NULL || opt.sslcafile != NULL)
SSL_CTX_load_verify_locations (*ctx, opt.sslcafile, opt.sslcadir);
if (!opt.sslcheckcert)
/* opt.sslcheckcert is off: check cert but ignore error, do not
break handshake on error.  With SSL_VERIFY_NONE the server is not
authenticated. */
verify = SSL_VERIFY_NONE;
logprintf (LOG_NOTQUIET, "Warrining validation of Server Cert not possible!\n");
verify = SSL_VERIFY_NONE;
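/* Break handshake if server cert is not valid, but allow NO-Cert mode.
NOTE(review): SSL_VERIFY_PEER validates the certificate chain; no
line shown in this file compares the certificate's name with the
host being contacted -- confirm that check exists elsewhere. */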
verify = SSL_VERIFY_PEER;
SSL_CTX_set_verify (*ctx, verify, verify_callback);
if (opt.sslcertfile != NULL || opt.sslcertkey != NULL)
if (!opt.sslcerttype)
ssl_cert_type = SSL_FILETYPE_PEM;
ssl_cert_type = SSL_FILETYPE_ASN1;
if (opt.sslcertkey == NULL)
opt.sslcertkey = opt.sslcertfile;
if (opt.sslcertfile == NULL)
opt.sslcertfile = opt.sslcertkey;
if (SSL_CTX_use_certificate_file (*ctx, opt.sslcertfile, ssl_cert_type) <= 0)
return SSLERRCERTFILE;
if (SSL_CTX_use_PrivateKey_file (*ctx, opt.sslcertkey , ssl_cert_type) <= 0)
return SSLERRCERTKEY;
return 0; /* Succeded */
shutdown_ssl (SSL* con)
if (0==SSL_shutdown (con))
/* Sets up a SSL structure and performs the handshake on fd
Returns 0 if everything went right
Returns 1 if something went wrong ----- TODO: More exit codes
connect_ssl (SSL **con, SSL_CTX *ctx, int fd)
if (NULL == (*con = SSL_new (ctx)))
if (!SSL_set_fd (*con, fd))
SSL_set_connect_state (*con);
switch (SSL_connect (*con))
return (*con)->state != SSL_ST_OK;
free_ssl_ctx (SSL_CTX * ctx)
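/* SSL version of iread.  Only exchanged read for SSL_read.  Read at
most LEN bytes from FD, storing them to BUF.
NOTE(review): the retry loop below tests errno after SSL_read ()
returns -1; OpenSSL reports the failure reason through
SSL_get_error (), so errno is only meaningful when that is
SSL_ERROR_SYSCALL -- confirm the EINTR retry behaves as intended. */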
ssl_iread (SSL *con, char *buf, int len)
BIO_get_fd (con->rbio, &fd);
if (opt.read_timeout && !SSL_pending (con))
if (select_fd (fd, opt.read_timeout, 0) <= 0)
res = SSL_read (con, buf, len);
while (res == -1 && errno == EINTR);
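/* SSL version of iwrite.  Only exchanged write for SSL_write.  Write
LEN bytes from BUF to FD.
NOTE(review): the wait before SSL_write () is governed by
opt.read_timeout, and the retry tests errno although SSL_write ()
reports its failure reason through SSL_get_error () -- confirm both
are intended. */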
ssl_iwrite (SSL *con, char *buf, int len)
BIO_get_fd (con->rbio, &fd);
/* `write' may write less than LEN bytes, thus the outward loop
keeps trying it until all was written, or an error occurred. The
inner loop is reserved for the usual EINTR f*kage, and the
innermost loop deals with the same during select(). */
if (opt.read_timeout)
if (select_fd (fd, opt.read_timeout, 1) <= 0)
res = SSL_write (con, buf, len);
while (res == -1 && errno == EINTR);
#endif /* HAVE_SSL */