Source-Changes-HG archive
[src/trunk]: src/usr.bin/ftp Add cert verification, together with an environm...
details: https://anonhg.NetBSD.org/src/rev/d019c7371595
branches: trunk
changeset: 369743:d019c7371595
user: christos <christos%NetBSD.org@localhost>
date: Tue Aug 30 08:51:28 2022 +0000
description:
Add cert verification, together with an environment variable "NO_CERT_VERIFY",
to turn it off.
diffstat:
usr.bin/ftp/ftp.1 | 6 ++++--
usr.bin/ftp/ssl.c | 23 +++++++++++++++++++++--
2 files changed, 25 insertions(+), 4 deletions(-)
diffs (86 lines):
diff -r e61bebe348f0 -r d019c7371595 usr.bin/ftp/ftp.1
--- a/usr.bin/ftp/ftp.1 Tue Aug 30 08:48:41 2022 +0000
+++ b/usr.bin/ftp/ftp.1 Tue Aug 30 08:51:28 2022 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: ftp.1,v 1.146 2021/04/25 09:09:55 lukem Exp $
+.\" $NetBSD: ftp.1,v 1.147 2022/08/30 08:51:28 christos Exp $
.\"
.\" Copyright (c) 1996-2021 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -57,7 +57,7 @@
.\"
.\" @(#)ftp.1 8.3 (Berkeley) 10/9/94
.\"
-.Dd April 25, 2021
+.Dd August 29, 2022
.Dt FTP 1
.Os
.Sh NAME
@@ -2320,6 +2320,8 @@
An alternate location of the
.Pa .netrc
file.
+.It Ev NO_CERT_VERIFY
+Don't verify SSL certificates.
.It Ev PAGER
Used by various commands to display files.
Defaults to
diff -r e61bebe348f0 -r d019c7371595 usr.bin/ftp/ssl.c
--- a/usr.bin/ftp/ssl.c Tue Aug 30 08:48:41 2022 +0000
+++ b/usr.bin/ftp/ssl.c Tue Aug 30 08:51:28 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ssl.c,v 1.10 2021/06/03 10:23:33 lukem Exp $ */
+/* $NetBSD: ssl.c,v 1.11 2022/08/30 08:51:28 christos Exp $ */
/*-
* Copyright (c) 1998-2004 Dag-Erling Coïdan Smørgrav
@@ -34,7 +34,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: ssl.c,v 1.10 2021/06/03 10:23:33 lukem Exp $");
+__RCSID("$NetBSD: ssl.c,v 1.11 2022/08/30 08:51:28 christos Exp $");
#endif
#include <errno.h>
@@ -587,7 +587,9 @@
{
SSL *ssl;
SSL_CTX *ctx;
+ X509_VERIFY_PARAM *param;
int ret, ssl_err;
+ int verify = getenv("NO_CERT_VERIFY") == NULL;
/* Init the SSL library and context */
if (!SSL_library_init()){
@@ -599,6 +601,10 @@
ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+ if (verify) {
+ SSL_CTX_set_default_verify_paths(ctx);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ }
ssl = SSL_new(ctx);
if (ssl == NULL){
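Review bot: The return value of `SSL_CTX_set_default_verify_paths(ctx)` is discarded, so a missing or unreadable system CA store is never reported; the connection then fails later with a verification error that gives the user no hint that the trust store, not the server, is the problem. Since the new verify branch is exactly where the defaults are loaded, a check such as `if (verify && !SSL_CTX_set_default_verify_paths(ctx)) fprintf(ttyout, "SSL CA store setup failed\n");` would make the failure visible at setup time (whether to abort there or fall through to the later verification failure is a policy choice). The enclosing function starts and ends outside this hunk.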
@@ -606,6 +612,19 @@
SSL_CTX_free(ctx);
return NULL;
}
+
+ if (verify) {
+ param = SSL_get0_param(ssl);
+ if (!X509_VERIFY_PARAM_set1_host(param, servername,
+ strlen(servername))) {
+ fprintf(ttyout, "SSL verification setup failed\n");
+ return NULL;
+ }
+
+ /* Enable peer verification, (using the default callback) */
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+ }
+
SSL_set_fd(ssl, sock);
if (!SSL_set_tlsext_host_name(ssl, __UNCONST(servername))) {
fprintf(ttyout, "SSL hostname setting failed\n");
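Review bot: The new early return after the failed `X509_VERIFY_PARAM_set1_host` call leaks both `ssl` and `ctx`; the existing `ssl == NULL` path just above frees the context before returning, and this path should do the same for both objects, e.g. `SSL_free(ssl); SSL_CTX_free(ctx); return NULL;`. It would also help to say in the existing comment that the `SSL_set_verify` call is deliberately repeated at the SSL level even though the context was already configured, or drop one of the two so a later reader does not wonder which is authoritative. The enclosing function continues past the end of this hunk, so any further error returns there may need the same cleanup.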