[src/trunk]: src/usr.bin/ftp Add option sslnoverify to control validation of ...
details: https://anonhg.NetBSD.org/src/rev/0f79777d26d5
branches: trunk
changeset: 373742:0f79777d26d5
user: mlelstv <mlelstv%NetBSD.org@localhost>
date: Sat Feb 25 12:07:25 2023 +0000
description:
Add option sslnoverify to control validation of SSL certificates.
Add netrc processing to fetch-mode (URL on command line) to enable options and autologin
via netrc.
Fix SSL cleanup in some error paths.
Certificate validation is now enabled by default. Set FTPSSLNOVERIFY=1 in the environment,
or configure a corresponding init macro via netrc, to not validate certs (required if
you haven't installed the CA certificate that OpenSSL needs).
Discussed with lukem@ on icb.
diffstat:
usr.bin/ftp/cmdtab.c | 25 +++++++++++++------------
usr.bin/ftp/extern.h | 5 +++--
usr.bin/ftp/fetch.c | 45 +++++++++++++++++++++++++++++++++++++++++----
usr.bin/ftp/ftp.1 | 15 +++++++++------
usr.bin/ftp/main.c | 7 ++++---
usr.bin/ftp/ssl.c | 16 +++++++++++++---
usr.bin/ftp/util.c | 26 +++++++++++++++++++++++---
usr.bin/ftp/version.h | 6 +++---
8 files changed, 109 insertions(+), 36 deletions(-)
diffs (truncated from 394 to 300 lines):
diff -r 4d1eba60c4df -r 0f79777d26d5 usr.bin/ftp/cmdtab.c
--- a/usr.bin/ftp/cmdtab.c Sat Feb 25 11:59:12 2023 +0000
+++ b/usr.bin/ftp/cmdtab.c Sat Feb 25 12:07:25 2023 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: cmdtab.c,v 1.52 2012/12/22 16:57:09 christos Exp $ */
+/* $NetBSD: cmdtab.c,v 1.53 2023/02/25 12:07:25 mlelstv Exp $ */
/*-
- * Copyright (c) 1996-2009 The NetBSD Foundation, Inc.
+ * Copyright (c) 1996-2023 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
@@ -63,7 +63,7 @@
#if 0
static char sccsid[] = "@(#)cmdtab.c 8.4 (Berkeley) 10/9/94";
#else
-__RCSID("$NetBSD: cmdtab.c,v 1.52 2012/12/22 16:57:09 christos Exp $");
+__RCSID("$NetBSD: cmdtab.c,v 1.53 2023/02/25 12:07:25 mlelstv Exp $");
#endif
#endif /* not lint */
@@ -295,13 +295,14 @@
};
struct option optiontab[] = {
- { "anonpass", NULL },
- { "ftp_proxy", NULL },
- { "http_proxy", NULL },
- { "https_proxy",NULL },
- { "no_proxy", NULL },
- { "pager", NULL },
- { "prompt", NULL },
- { "rprompt", NULL },
- { NULL, NULL },
+ { "anonpass", NULL },
+ { "ftp_proxy", NULL },
+ { "http_proxy", NULL },
+ { "https_proxy", NULL },
+ { "no_proxy", NULL },
+ { "pager", NULL },
+ { "prompt", NULL },
+ { "rprompt", NULL },
+ { "sslnoverify" ,NULL },
+ { NULL, NULL },
};
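Review bot: The new entry `{ "sslnoverify" ,NULL },` puts the comma after a space, unlike every other row of optiontab, which the commit has just re-aligned. Write it as `{ "sslnoverify", NULL },` so the table stays uniform and a later diff does not touch the line again for whitespace only.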
diff -r 4d1eba60c4df -r 0f79777d26d5 usr.bin/ftp/extern.h
--- a/usr.bin/ftp/extern.h Sat Feb 25 11:59:12 2023 +0000
+++ b/usr.bin/ftp/extern.h Sat Feb 25 12:07:25 2023 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: extern.h,v 1.82 2019/06/22 23:40:53 christos Exp $ */
+/* $NetBSD: extern.h,v 1.83 2023/02/25 12:07:25 mlelstv Exp $ */
/*-
- * Copyright (c) 1996-2009 The NetBSD Foundation, Inc.
+ * Copyright (c) 1996-2023 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
@@ -243,6 +243,7 @@
int ftp_connect(int, const struct sockaddr *, socklen_t, int);
int ftp_listen(int, int);
int ftp_poll(struct pollfd *, int, int);
+int ftp_truthy(const char *, const char *, int);
#ifndef SMALL
void *ftp_malloc(size_t);
StringList *ftp_sl_init(void);
diff -r 4d1eba60c4df -r 0f79777d26d5 usr.bin/ftp/fetch.c
--- a/usr.bin/ftp/fetch.c Sat Feb 25 11:59:12 2023 +0000
+++ b/usr.bin/ftp/fetch.c Sat Feb 25 12:07:25 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: fetch.c,v 1.235 2022/09/11 20:49:27 christos Exp $ */
+/* $NetBSD: fetch.c,v 1.236 2023/02/25 12:07:25 mlelstv Exp $ */
/*-
* Copyright (c) 1997-2015 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: fetch.c,v 1.235 2022/09/11 20:49:27 christos Exp $");
+__RCSID("$NetBSD: fetch.c,v 1.236 2023/02/25 12:07:25 mlelstv Exp $");
#endif /* not lint */
/*
@@ -617,13 +617,15 @@
sigjmp_buf httpabort;
static int
-ftp_socket(const struct urlinfo *ui, void **ssl)
+ftp_socket(const struct urlinfo *ui, void **ssl, struct authinfo *auth)
{
struct addrinfo hints, *res, *res0 = NULL;
int error;
int s;
const char *host = ui->host;
const char *port = ui->port;
+ char *fuser = NULL, *pass = NULL, *facct = NULL;
+ int n;
if (ui->utype != HTTPS_URL_T)
ssl = NULL;
@@ -688,6 +690,28 @@
continue;
}
+ if (ruserpass("", &fuser, &pass, &facct) < 0) {
+ close(s);
+ s = -1;
+ continue;
+ }
+
+ if (autologin) {
+ if (fuser != NULL && auth->user == NULL)
+ auth->user = ftp_strdup(fuser);
+ if (pass != NULL && auth->pass == NULL)
+ auth->pass = ftp_strdup(pass);
+ }
+
+ for (n = 0; n < macnum; ++n) {
+ if (!strcmp("init", macros[n].mac_name)) {
+ (void)strlcpy(line, "$init", sizeof(line));
+ makeargv();
+ domacro(margc, margv);
+ break;
+ }
+ }
+
#ifdef WITH_SSL
if (ssl) {
if ((*ssl = fetch_start_ssl(s, host)) == NULL) {
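Review bot: The strings that `ruserpass("", &fuser, &pass, &facct)` fills are only released after the loop (next hunk), but this block runs once per address result: when ruserpass fails and `continue` is taken, or when `fetch_start_ssl` fails and the loop presumably moves on to the next result, ruserpass is called again and the previous `fuser`/`pass`/`facct` pointers are overwritten, so the earlier copy of the password is neither zeroed nor freed. I would clear the three strings at the top of each pass before calling ruserpass, as below, which also covers the `close(s); s = -1; continue;` path. The loop itself starts before this hunk and its `break` is in the next one, so confirm against the full ftp_socket which earlier `continue` paths can reach this point. Running the `$init` macro via `domacro` on every attempt rather than once per call is also worth a one-line comment if it is intended.
```c
		/* Drop strings from an earlier pass before ruserpass() reassigns them;
		 * zero the secrets first so a failed attempt does not leave them behind. */
		FREEPTR(fuser);
		if (pass != NULL)
			memset(pass, 0, strlen(pass));
		FREEPTR(pass);
		if (facct != NULL)
			memset(facct, 0, strlen(facct));
		FREEPTR(facct);
		if (ruserpass("", &fuser, &pass, &facct) < 0) {
		/* … unchanged: close/continue, autologin copy, $init macro, SSL start … */
```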
@@ -699,6 +723,15 @@
#endif
break;
}
+
+ FREEPTR(fuser);
+ if (pass != NULL)
+ memset(pass, 0, strlen(pass));
+ FREEPTR(pass);
+ if (facct != NULL)
+ memset(facct, 0, strlen(facct));
+ FREEPTR(facct);
+
if (res0)
freeaddrinfo(res0);
return s;
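Review bot: `memset(pass, 0, strlen(pass));` immediately followed by `FREEPTR(pass)` is a dead store from the compiler's point of view and may be optimized away, so the password can survive in freed heap memory; the same applies to `facct`. On NetBSD use `explicit_memset(pass, 0, strlen(pass));` (and likewise for facct), which the optimizer must keep; a portable build of this file would need an equivalent or a volatile-pointer fallback, so hedge that with an `#ifdef` if the file is shared with tnftp. ftp_socket's body begins before this hunk, so any early return inside the loop would also bypass this cleanup and should be checked.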
@@ -1484,6 +1517,10 @@
}
} else { /* ftp:// or http:// URLs */
int hasleading;
+ static char hostnamebuf[MAXHOSTNAMELEN];
+
+ (void)strlcpy(hostnamebuf, ui.host, sizeof(hostnamebuf));
+ hostname = hostnamebuf;
if (penv == NULL) {
#ifdef WITH_SSL
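Review bot: `(void)strlcpy(hostnamebuf, ui.host, sizeof(hostnamebuf));` silently truncates a host longer than MAXHOSTNAMELEN, and `hostname` then points at the truncated name; if netrc matching keys on `hostname` (as the new ruserpass call in ftp_socket suggests), a truncated name could select a different netrc entry than the URL named. Check the return value instead: `if (strlcpy(hostnamebuf, ui.host, sizeof(hostnamebuf)) >= sizeof(hostnamebuf)) { warnx("Hostname too long: `%s'", ui.host); goto cleanup_fetch_url; }`. A short comment stating why the buffer is `static` (presumably so `hostname` stays valid after this function returns) would also help the next reader, since nothing in the hunk explains it.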
@@ -1517,7 +1554,7 @@
}
} /* ! EMPTYSTRING(penv) */
- s = ftp_socket(&ui, &ssl);
+ s = ftp_socket(&ui, &ssl, &wauth);
if (s < 0) {
warnx("Can't connect to `%s:%s'", ui.host, ui.port);
goto cleanup_fetch_url;
diff -r 4d1eba60c4df -r 0f79777d26d5 usr.bin/ftp/ftp.1
--- a/usr.bin/ftp/ftp.1 Sat Feb 25 11:59:12 2023 +0000
+++ b/usr.bin/ftp/ftp.1 Sat Feb 25 12:07:25 2023 +0000
@@ -1,6 +1,6 @@
-.\" $NetBSD: ftp.1,v 1.147 2022/08/30 08:51:28 christos Exp $
+.\" $NetBSD: ftp.1,v 1.148 2023/02/25 12:07:25 mlelstv Exp $
.\"
-.\" Copyright (c) 1996-2021 The NetBSD Foundation, Inc.
+.\" Copyright (c) 1996-2023 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
@@ -57,7 +57,7 @@
.\"
.\" @(#)ftp.1 8.3 (Berkeley) 10/9/94
.\"
-.Dd August 29, 2022
+.Dd February 25, 2023
.Dt FTP 1
.Os
.Sh NAME
@@ -1382,7 +1382,7 @@
.Ar value
are not given, display all of the options and their values.
The currently supported options are:
-.Bl -tag -width "https_proxy" -offset indent
+.Bl -tag -width "sslnoverify" -offset indent
.It Cm anonpass
Defaults to
.Ev $FTPANONPASS
@@ -1407,6 +1407,9 @@
.It Cm rprompt
Defaults to
.Ev $FTPRPROMPT .
+.It Cm sslnoverify
+Defaults to
+.Ev $FTPSSLNOVERIFY .
.El
.It Ic site Op Ar arg ...
The arguments specified are sent, verbatim, to the remote
@@ -2312,6 +2315,8 @@
.Tn HTTP
User-Agent
header.
+.It Ev FTPSSLNOVERIFY
+Set to 1 to not verify SSL certificates.
.It Ev HOME
For default location of a
.Pa .netrc
@@ -2320,8 +2325,6 @@
An alternate location of the
.Pa .netrc
file.
-.It Ev NO_CERT_VERIFY
-Don't verify SSL certificates.
.It Ev PAGER
Used by various commands to display files.
Defaults to
diff -r 4d1eba60c4df -r 0f79777d26d5 usr.bin/ftp/main.c
--- a/usr.bin/ftp/main.c Sat Feb 25 11:59:12 2023 +0000
+++ b/usr.bin/ftp/main.c Sat Feb 25 12:07:25 2023 +0000
@@ -1,7 +1,7 @@
-/* $NetBSD: main.c,v 1.128 2021/10/09 09:07:20 lukem Exp $ */
+/* $NetBSD: main.c,v 1.129 2023/02/25 12:07:25 mlelstv Exp $ */
/*-
- * Copyright (c) 1996-2015 The NetBSD Foundation, Inc.
+ * Copyright (c) 1996-2023 The NetBSD Foundation, Inc.
* All rights reserved.
*
* This code is derived from software contributed to The NetBSD Foundation
@@ -98,7 +98,7 @@
#if 0
static char sccsid[] = "@(#)main.c 8.6 (Berkeley) 10/9/94";
#else
-__RCSID("$NetBSD: main.c,v 1.128 2021/10/09 09:07:20 lukem Exp $");
+__RCSID("$NetBSD: main.c,v 1.129 2023/02/25 12:07:25 mlelstv Exp $");
#endif
#endif /* not lint */
@@ -512,6 +512,7 @@
setupoption("pager", getenv("PAGER"), DEFAULTPAGER);
setupoption("prompt", getenv("FTPPROMPT"), DEFAULTPROMPT);
setupoption("rprompt", getenv("FTPRPROMPT"), DEFAULTRPROMPT);
+ setupoption("sslnoverify", getenv("FTPSSLNOVERIFY"), "");
free(anonpass);
diff -r 4d1eba60c4df -r 0f79777d26d5 usr.bin/ftp/ssl.c
--- a/usr.bin/ftp/ssl.c Sat Feb 25 11:59:12 2023 +0000
+++ b/usr.bin/ftp/ssl.c Sat Feb 25 12:07:25 2023 +0000
@@ -1,9 +1,10 @@
-/* $NetBSD: ssl.c,v 1.12 2022/09/12 15:10:31 christos Exp $ */
+/* $NetBSD: ssl.c,v 1.13 2023/02/25 12:07:25 mlelstv Exp $ */
/*-
* Copyright (c) 1998-2004 Dag-Erling Coïdan Smørgrav
* Copyright (c) 2008, 2010 Joerg Sonnenberger <joerg%NetBSD.org@localhost>
* Copyright (c) 2015 Thomas Klausner <wiz%NetBSD.org@localhost>
+ * Copyright (c) 2023 Michael van Elst <mlelstv%NetBSD.org@localhost>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -34,7 +35,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: ssl.c,v 1.12 2022/09/12 15:10:31 christos Exp $");
+__RCSID("$NetBSD: ssl.c,v 1.13 2023/02/25 12:07:25 mlelstv Exp $");
#endif
#include <errno.h>
@@ -63,6 +64,11 @@
#include "ssl.h"
+#include <stringlist.h>
+#include <histedit.h>
+#include <sys/poll.h>
+#include "extern.h"
+
extern int quit_time, verbose, ftp_debug;
extern FILE *ttyout;
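Review bot: The three new system includes are placed after the local `"ssl.h"` and with no explanation, which breaks the system-before-local grouping the file otherwise keeps; they appear to exist only so that `extern.h` can be included for the `ftp_truthy` prototype. Move them up with the other `<...>` includes, prefer `<poll.h>` over `<sys/poll.h>` where the platform allows, and mark the purpose: `/* extern.h needs StringList, EditLine and struct pollfd */`.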
@@ -589,7 +595,7 @@
SSL_CTX *ctx;
X509_VERIFY_PARAM *param;
int ret, ssl_err;
- int verify = 0; // getenv("NO_CERT_VERIFY") == NULL;
+ int verify = !ftp_truthy("sslnoverify", getoptionvalue("sslnoverify"), 0);
/* Init the SSL library and context */
if (!SSL_library_init()){
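Review bot: `int verify = !ftp_truthy("sslnoverify", getoptionvalue("sslnoverify"), 0);` depends on ftp_truthy's handling of the empty string that main.c installs as the option default, and of a NULL return from getoptionvalue, but ftp_truthy's definition is in the util.c hunk that this listing truncates; confirm that both cases yield 0 so verification is really on by default. Since the behaviour flips from the old `verify = 0`, a comment at this line is worth adding: `/* verification is on by default; the sslnoverify option (FTPSSLNOVERIFY) opts out */`. The enclosing function starts and ends outside this hunk.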