#include "setup.h"
#include <string.h>
#include <stdlib.h>
#include "urldata.h"
#include "sendf.h"
#include "formdata.h"
#ifdef USE_SSLEAY
#include <openssl/rand.h>
static char global_passwd[64];
static int passwd_callback(char *buf, int num, int verify
#if OPENSSL_VERSION_NUMBER >= 0x00904100L
, void *userdata
#endif
)
{
if(verify)
fprintf(stderr, "%s\n", buf);
else {
if(num > strlen(global_passwd)) {
strcpy(buf, global_passwd);
return strlen(buf);
}
}
return 0;
}
static
bool seed_enough(struct connectdata *conn,
int nread)
{
#ifdef HAVE_RAND_STATUS
if(RAND_status())
return TRUE;
#else
if(nread > 500)
return TRUE;
#endif
return FALSE;
}
static
int random_the_seed(struct connectdata *conn)
{
char *buf = conn->data->buffer;
int nread=0;
struct UrlData *data=conn->data;
#ifndef RANDOM_FILE
if(data->ssl.random_file)
#define RANDOM_FILE ""
#endif
{
nread += RAND_load_file((data->ssl.random_file?
data->ssl.random_file:RANDOM_FILE),
16384);
if(seed_enough(conn, nread))
return nread;
}
#if defined(HAVE_RAND_EGD)
#ifndef EGD_SOCKET
if(data->ssl.egdsocket)
#define EGD_SOCKET ""
#endif
{
int ret = RAND_egd(data->ssl.egdsocket?data->ssl.egdsocket:EGD_SOCKET);
if(-1 != ret) {
nread += ret;
if(seed_enough(conn, nread))
return nread;
}
}
#endif
#ifdef HAVE_RAND_SCREEN
RAND_screen();
nread = 100;
#else
{
int len;
char *area = Curl_FormBoundary();
if(!area)
return 3;
len = strlen(area);
RAND_seed(area, len);
free(area);
}
#endif
buf[0]=0;
RAND_file_name(buf, BUFSIZE);
if ( buf[0] ) {
nread += RAND_load_file(buf, 16384);
if(seed_enough(conn, nread))
return nread;
}
infof(conn->data, "Your connection is using a weak random seed!\n");
return nread;
}
static
int cert_stuff(struct connectdata *conn,
char *cert_file,
char *key_file)
{
struct UrlData *data = conn->data;
if (cert_file != NULL) {
SSL *ssl;
X509 *x509;
if(data->cert_passwd) {
strcpy(global_passwd, data->cert_passwd);
SSL_CTX_set_default_passwd_cb(conn->ssl.ctx, passwd_callback);
}
if (SSL_CTX_use_certificate_file(conn->ssl.ctx,
cert_file,
SSL_FILETYPE_PEM) <= 0) {
failf(data, "unable to set certificate file (wrong password?)\n");
return(0);
}
if (key_file == NULL)
key_file=cert_file;
if (SSL_CTX_use_PrivateKey_file(conn->ssl.ctx,
key_file,
SSL_FILETYPE_PEM) <= 0) {
failf(data, "unable to set public key file\n");
return(0);
}
ssl=SSL_new(conn->ssl.ctx);
x509=SSL_get_certificate(ssl);
if (x509 != NULL)
EVP_PKEY_copy_parameters(X509_get_pubkey(x509),
SSL_get_privatekey(ssl));
SSL_free(ssl);
if (!SSL_CTX_check_private_key(conn->ssl.ctx)) {
failf(data, "Private key does not match the certificate public key\n");
return(0);
}
memset(global_passwd, 0, sizeof(global_passwd));
}
return(1);
}
static
int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
{
X509 *err_cert;
char buf[256];
err_cert=X509_STORE_CTX_get_current_cert(ctx);
X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
return 1;
}
#endif
int
Curl_SSLConnect(struct connectdata *conn)
{
#ifdef USE_SSLEAY
struct UrlData *data = conn->data;
int err;
char * str;
SSL_METHOD *req_method;
conn->ssl.use = TRUE;
SSL_load_error_strings();
random_the_seed(conn);
SSLeay_add_ssl_algorithms();
switch(data->ssl.version) {
default:
req_method = SSLv23_client_method();
break;
case 2:
req_method = SSLv2_client_method();
break;
case 3:
req_method = SSLv3_client_method();
break;
}
conn->ssl.ctx = SSL_CTX_new(req_method);
if(!conn->ssl.ctx) {
failf(data, "SSL: couldn't create a context!");
return 1;
}
if(data->cert) {
if (!cert_stuff(conn, data->cert, data->cert)) {
failf(data, "couldn't use certificate!\n");
return 2;
}
}
if(data->ssl.verifypeer){
SSL_CTX_set_verify(conn->ssl.ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
SSL_VERIFY_CLIENT_ONCE,
cert_verify_callback);
if (!SSL_CTX_load_verify_locations(conn->ssl.ctx,
data->ssl.CAfile,
data->ssl.CApath)) {
failf(data,"error setting cerficate verify locations\n");
return 2;
}
}
else
SSL_CTX_set_verify(conn->ssl.ctx, SSL_VERIFY_NONE, cert_verify_callback);
conn->ssl.handle = SSL_new (conn->ssl.ctx);
SSL_set_connect_state (conn->ssl.handle);
conn->ssl.server_cert = 0x0;
SSL_set_fd (conn->ssl.handle, conn->firstsocket);
err = SSL_connect (conn->ssl.handle);
if (-1 == err) {
err = ERR_get_error();
failf(data, "SSL: %s", ERR_error_string(err, NULL));
return 10;
}
infof (data, "SSL connection using %s\n",
SSL_get_cipher(conn->ssl.handle));
conn->ssl.server_cert = SSL_get_peer_certificate (conn->ssl.handle);
if(!conn->ssl.server_cert) {
failf(data, "SSL: couldn't get peer certificate!");
return 3;
}
infof (data, "Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (conn->ssl.server_cert),
NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-subject!");
return 4;
}
infof(data, "\t subject: %s\n", str);
CRYPTO_free(str);
str = X509_NAME_oneline (X509_get_issuer_name (conn->ssl.server_cert),
NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-issuer name!");
return 5;
}
infof(data, "\t issuer: %s\n", str);
CRYPTO_free(str);
if(data->ssl.verifypeer) {
data->ssl.certverifyresult=SSL_get_verify_result(conn->ssl.handle);
infof(data, "Verify result: %d\n", data->ssl.certverifyresult);
}
else
data->ssl.certverifyresult=0;
X509_free(conn->ssl.server_cert);
#else
(void) conn;
#endif
return 0;
}