1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
/* https.c
* HTTPS protocol client implementation
* (c) 2002 Mikulas Patocka
* This file is a part of the Links program, released under GPL.
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
#include "links.h"
#ifndef PATH_MAX
#define PATH_MAX 255
#endif
#ifdef HAVE_SSL
#define VERIFY_DEPTH 10
SSL_CTX *context = NULL;
static int verify_cert(int code, X509_STORE_CTX *context)
{
int error, depth;
error = X509_STORE_CTX_get_error(context);
depth = X509_STORE_CTX_get_error_depth(context);
if (depth > VERIFY_DEPTH) {
error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
code = 0;
}
if (!code) {
/* Judge self signed certificates as acceptable. */
if (error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
code = 1;
} else {
fprintf(stderr, "Verification failure: %s\n",
X509_verify_cert_error_string(error));
if (depth > VERIFY_DEPTH) {
fprintf(stderr, "Excessive depth %d, set depth %d.\n",
depth, VERIFY_DEPTH);
}
}
}
return code;
} /* verify_cert */
SSL *getSSL(void)
{
if (!context) {
SSL_METHOD *m;
char f_randfile[PATH_MAX];
const char *f = RAND_file_name(f_randfile, sizeof(f_randfile));
if (f && RAND_egd(f)<0) {
/* Not an EGD, so read and write to it */
if (RAND_load_file(f_randfile, -1))
RAND_write_file(f_randfile);
}
SSLeay_add_ssl_algorithms();
m = SSLv23_client_method();
if (!m) return NULL;
context = SSL_CTX_new(m);
if (!context) return NULL;
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_ALL);
SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_default_verify_paths(context);
SSL_CTX_set_verify(context, SSL_VERIFY_PEER, verify_cert);
/* needed for systems without /dev/random, but obviously kills security. */
/*{
char pool[32768];
int i;
struct timeval tv;
gettimeofday(&tv, NULL);
for (i = 0; i < sizeof pool; i++) pool[i] = random() ^ tv.tv_sec ^ tv.tv_usec;
RAND_add(pool, sizeof pool, sizeof pool);
}*/
}
return (SSL_new(context));
}
void ssl_finish(void)
{
if (context) SSL_CTX_free(context);
}
void https_func(struct connection *c)
{
c->ssl = (void *)-1;
http_func(c);
}
#else
void https_func(struct connection *c)
{
setcstate(c, S_NO_SSL);
abort_connection(c);
}
#endif
|
