generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

multiple connection support initial commit

Browse Source
This commit is contained in:
Daniel Stenberg
2001-02-20 17:35:51 +00:00
parent 5f3d63ed5b
commit a1d6ad2610
20 changed files with 1601 additions and 1133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

212
lib/ssluse.c
View File

@@ -64,6 +64,7 @@ static int passwd_callback(char *buf, int num, int verify
static
int cert_stuff(struct UrlData *data,
struct connectdata *conn,
char *cert_file,
char *key_file)
{
@@ -78,10 +79,10 @@ int cert_stuff(struct UrlData *data,
*/
strcpy(global_passwd, data->cert_passwd);
/* Set passwd callback: */
SSL_CTX_set_default_passwd_cb(data->ssl.ctx, passwd_callback);
SSL_CTX_set_default_passwd_cb(conn->ssl.ctx, passwd_callback);
}
if (SSL_CTX_use_certificate_file(data->ssl.ctx,
if (SSL_CTX_use_certificate_file(conn->ssl.ctx,
cert_file,
SSL_FILETYPE_PEM) <= 0) {
failf(data, "unable to set certificate file (wrong password?)\n");
@@ -90,14 +91,14 @@ int cert_stuff(struct UrlData *data,
if (key_file == NULL)
key_file=cert_file;
if (SSL_CTX_use_PrivateKey_file(data->ssl.ctx,
if (SSL_CTX_use_PrivateKey_file(conn->ssl.ctx,
key_file,
SSL_FILETYPE_PEM) <= 0) {
failf(data, "unable to set public key file\n");
return(0);
}
ssl=SSL_new(data->ssl.ctx);
ssl=SSL_new(conn->ssl.ctx);
x509=SSL_get_certificate(ssl);
if (x509 != NULL)
@@ -111,7 +112,7 @@ int cert_stuff(struct UrlData *data,
/* Now we know that a key and cert have been set against
* the SSL context */
if (!SSL_CTX_check_private_key(data->ssl.ctx)) {
if (!SSL_CTX_check_private_key(conn->ssl.ctx)) {
failf(data, "Private key does not match the certificate public key\n");
return(0);
}
@@ -141,22 +142,23 @@ int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
/* ====================================================== */
int
Curl_SSLConnect (struct UrlData *data)
Curl_SSLConnect(struct connectdata *conn)
{
#ifdef USE_SSLEAY
int err;
char * str;
SSL_METHOD *req_method;
struct UrlData *data = conn->data;
int err;
char * str;
SSL_METHOD *req_method;
/* mark this is being ssl enabled from here on out. */
data->ssl.use = TRUE;
/* mark this is being ssl enabled from here on out. */
conn->ssl.use = TRUE;
/* Lets get nice error messages */
SSL_load_error_strings();
/* Lets get nice error messages */
SSL_load_error_strings();
#ifdef HAVE_RAND_STATUS
/* RAND_status() was introduced in OpenSSL 0.9.5 */
if(0 == RAND_status())
/* RAND_status() was introduced in OpenSSL 0.9.5 */
if(0 == RAND_status())
#endif
{
/* We need to seed the PRNG properly! */
@@ -177,116 +179,116 @@ Curl_SSLConnect (struct UrlData *data)
#endif
}
/* Setup all the global SSL stuff */
SSLeay_add_ssl_algorithms();
/* Setup all the global SSL stuff */
SSLeay_add_ssl_algorithms();
switch(data->ssl.version) {
default:
req_method = SSLv23_client_method();
break;
case 2:
req_method = SSLv2_client_method();
break;
case 3:
req_method = SSLv3_client_method();
break;
}
switch(data->ssl.version) {
default:
req_method = SSLv23_client_method();
break;
case 2:
req_method = SSLv2_client_method();
break;
case 3:
req_method = SSLv3_client_method();
break;
}
data->ssl.ctx = SSL_CTX_new(req_method);
conn->ssl.ctx = SSL_CTX_new(req_method);
if(!data->ssl.ctx) {
failf(data, "SSL: couldn't create a context!");
return 1;
}
if(!conn->ssl.ctx) {
failf(data, "SSL: couldn't create a context!");
return 1;
}
if(data->cert) {
if (!cert_stuff(data, data->cert, data->cert)) {
failf(data, "couldn't use certificate!\n");
return 2;
}
if(data->cert) {
if (!cert_stuff(data, conn, data->cert, data->cert)) {
failf(data, "couldn't use certificate!\n");
return 2;
}
}
if(data->ssl.verifypeer){
SSL_CTX_set_verify(data->ssl.ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
SSL_VERIFY_CLIENT_ONCE,
cert_verify_callback);
if (!SSL_CTX_load_verify_locations(data->ssl.ctx,
data->ssl.CAfile,
data->ssl.CApath)) {
failf(data,"error setting cerficate verify locations\n");
return 2;
}
if(data->ssl.verifypeer){
SSL_CTX_set_verify(conn->ssl.ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
SSL_VERIFY_CLIENT_ONCE,
cert_verify_callback);
if (!SSL_CTX_load_verify_locations(conn->ssl.ctx,
data->ssl.CAfile,
data->ssl.CApath)) {
failf(data,"error setting cerficate verify locations\n");
return 2;
}
else
SSL_CTX_set_verify(data->ssl.ctx, SSL_VERIFY_NONE, cert_verify_callback);
}
else
SSL_CTX_set_verify(conn->ssl.ctx, SSL_VERIFY_NONE, cert_verify_callback);
/* Lets make an SSL structure */
data->ssl.handle = SSL_new (data->ssl.ctx);
SSL_set_connect_state (data->ssl.handle);
/* Lets make an SSL structure */
conn->ssl.handle = SSL_new (conn->ssl.ctx);
SSL_set_connect_state (conn->ssl.handle);
data->ssl.server_cert = 0x0;
conn->ssl.server_cert = 0x0;
/* pass the raw socket into the SSL layers */
SSL_set_fd (data->ssl.handle, data->firstsocket);
err = SSL_connect (data->ssl.handle);
/* pass the raw socket into the SSL layers */
SSL_set_fd (conn->ssl.handle, conn->firstsocket);
err = SSL_connect (conn->ssl.handle);
if (-1 == err) {
err = ERR_get_error();
failf(data, "SSL: %s", ERR_error_string(err, NULL));
return 10;
}
if (-1 == err) {
err = ERR_get_error();
failf(data, "SSL: %s", ERR_error_string(err, NULL));
return 10;
}
/* Informational message */
infof (data, "SSL connection using %s\n",
SSL_get_cipher(data->ssl.handle));
/* Informational message */
infof (data, "SSL connection using %s\n",
SSL_get_cipher(conn->ssl.handle));
/* Get server's certificate (note: beware of dynamic allocation) - opt */
/* major serious hack alert -- we should check certificates
* to authenticate the server; otherwise we risk man-in-the-middle
* attack
*/
/* Get server's certificate (note: beware of dynamic allocation) - opt */
/* major serious hack alert -- we should check certificates
* to authenticate the server; otherwise we risk man-in-the-middle
* attack
*/
data->ssl.server_cert = SSL_get_peer_certificate (data->ssl.handle);
if(!data->ssl.server_cert) {
failf(data, "SSL: couldn't get peer certificate!");
return 3;
}
infof (data, "Server certificate:\n");
conn->ssl.server_cert = SSL_get_peer_certificate (conn->ssl.handle);
if(!conn->ssl.server_cert) {
failf(data, "SSL: couldn't get peer certificate!");
return 3;
}
infof (data, "Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (data->ssl.server_cert),
NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-subject!");
return 4;
}
infof(data, "\t subject: %s\n", str);
CRYPTO_free(str);
str = X509_NAME_oneline (X509_get_subject_name (conn->ssl.server_cert),
NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-subject!");
return 4;
}
infof(data, "\t subject: %s\n", str);
CRYPTO_free(str);
str = X509_NAME_oneline (X509_get_issuer_name (data->ssl.server_cert),
NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-issuer name!");
return 5;
}
infof(data, "\t issuer: %s\n", str);
CRYPTO_free(str);
str = X509_NAME_oneline (X509_get_issuer_name (conn->ssl.server_cert),
NULL, 0);
if(!str) {
failf(data, "SSL: couldn't get X509-issuer name!");
return 5;
}
infof(data, "\t issuer: %s\n", str);
CRYPTO_free(str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
if(data->ssl.verifypeer) {
data->ssl.certverifyresult=SSL_get_verify_result(data->ssl.handle);
infof(data, "Verify result: %d\n", data->ssl.certverifyresult);
}
else
data->ssl.certverifyresult=0;
if(data->ssl.verifypeer) {
data->ssl.certverifyresult=SSL_get_verify_result(conn->ssl.handle);
infof(data, "Verify result: %d\n", data->ssl.certverifyresult);
}
else
data->ssl.certverifyresult=0;
X509_free(data->ssl.server_cert);
X509_free(conn->ssl.server_cert);
#else /* USE_SSLEAY */
/* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
(void) data;
/* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */
(void) data;
#endif
return 0;
return 0;
}