

[src/trunk]: src/usr.bin/ftp Add cert verification, together with an environm...



details:   https://anonhg.NetBSD.org/src/rev/d019c7371595
branches:  trunk
changeset: 369743:d019c7371595
user:      christos <christos%NetBSD.org@localhost>
date:      Tue Aug 30 08:51:28 2022 +0000

description:
Add cert verification, together with an environment variable "NO_CERT_VERIFY",
to turn it off.

diffstat:

 usr.bin/ftp/ftp.1 |   6 ++++--
 usr.bin/ftp/ssl.c |  23 +++++++++++++++++++++--
 2 files changed, 25 insertions(+), 4 deletions(-)

diffs (86 lines):

diff -r e61bebe348f0 -r d019c7371595 usr.bin/ftp/ftp.1
--- a/usr.bin/ftp/ftp.1 Tue Aug 30 08:48:41 2022 +0000
+++ b/usr.bin/ftp/ftp.1 Tue Aug 30 08:51:28 2022 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: ftp.1,v 1.146 2021/04/25 09:09:55 lukem Exp $
+.\"    $NetBSD: ftp.1,v 1.147 2022/08/30 08:51:28 christos Exp $
 .\"
 .\" Copyright (c) 1996-2021 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -57,7 +57,7 @@
 .\"
 .\"    @(#)ftp.1       8.3 (Berkeley) 10/9/94
 .\"
-.Dd April 25, 2021
+.Dd August 29, 2022
 .Dt FTP 1
 .Os
 .Sh NAME
@@ -2320,6 +2320,8 @@
 An alternate location of the
 .Pa .netrc
 file.
+.It Ev NO_CERT_VERIFY
+Don't verify SSL certificates.
 .It Ev PAGER
 Used by various commands to display files.
 Defaults to
diff -r e61bebe348f0 -r d019c7371595 usr.bin/ftp/ssl.c
--- a/usr.bin/ftp/ssl.c Tue Aug 30 08:48:41 2022 +0000
+++ b/usr.bin/ftp/ssl.c Tue Aug 30 08:51:28 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ssl.c,v 1.10 2021/06/03 10:23:33 lukem Exp $   */
+/*     $NetBSD: ssl.c,v 1.11 2022/08/30 08:51:28 christos Exp $        */
 
 /*-
  * Copyright (c) 1998-2004 Dag-Erling Coïdan Smørgrav
@@ -34,7 +34,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: ssl.c,v 1.10 2021/06/03 10:23:33 lukem Exp $");
+__RCSID("$NetBSD: ssl.c,v 1.11 2022/08/30 08:51:28 christos Exp $");
 #endif
 
 #include <errno.h>
@@ -587,7 +587,9 @@
 {
        SSL *ssl;
        SSL_CTX *ctx;
+       X509_VERIFY_PARAM *param;
        int ret, ssl_err;
+       int verify = getenv("NO_CERT_VERIFY") == NULL;
 
        /* Init the SSL library and context */
        if (!SSL_library_init()){
@@ -599,6 +601,10 @@
 
        ctx = SSL_CTX_new(SSLv23_client_method());
        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+       if (verify) {
+               SSL_CTX_set_default_verify_paths(ctx);
+               SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+       }
 
        ssl = SSL_new(ctx);
        if (ssl == NULL){
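Review bot: The return value of `SSL_CTX_set_default_verify_paths(ctx)` on the new line is discarded, so if the default CA store cannot be loaded every later handshake fails in SSL_VERIFY_PEER mode with a verify error that looks unrelated to the real cause. It fails closed, which is the right direction, but it should at least be reported at setup time, e.g. `if (!SSL_CTX_set_default_verify_paths(ctx)) { fprintf(ttyout, "SSL CA path setup failed\n"); SSL_CTX_free(ctx); return NULL; }`, matching the existing ctx-free-then-return pattern just below. Note also that SSL_new() copies the verify mode from the context, so the later `SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL)` added in this same change repeats what this hunk already configures; one of the two is enough. The enclosing function starts before this hunk and continues past it.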
@@ -606,6 +612,19 @@
                SSL_CTX_free(ctx);
                return NULL;
        }
+
+       if (verify) {
+               param = SSL_get0_param(ssl);
+               if (!X509_VERIFY_PARAM_set1_host(param, servername,
+                   strlen(servername))) {
+                       fprintf(ttyout, "SSL verification setup failed\n");
+                       return NULL;
+               }
+
+               /* Enable peer verification, (using the default callback) */
+               SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+       }
+
        SSL_set_fd(ssl, sock);
        if (!SSL_set_tlsext_host_name(ssl, __UNCONST(servername))) {
                fprintf(ttyout, "SSL hostname setting failed\n");
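Review bot: The new error path taken when `X509_VERIFY_PARAM_set1_host` fails returns NULL without releasing `ssl` or `ctx`, whereas the `ssl == NULL` branch directly above frees the context before returning; the new branch should read `SSL_free(ssl); SSL_CTX_free(ctx); return NULL;`. Separately, `X509_VERIFY_PARAM_set1_host` matches only DNS-name identities, so if `servername` can be an IP literal here (not visible in the hunk), a certificate carrying the matching iPAddress SAN would be rejected; OpenSSL's `X509_VERIFY_PARAM_set1_ip_asc` is the call for that case. The enclosing function starts before this hunk and continues past it.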


