2 Copyright (C) 2000 Free Software Foundation, Inc.
3 Contributed by Christian Fraenkel.
5 This file is part of GNU Wget.
7 GNU Wget is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 GNU Wget is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with Wget; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
31 #include <openssl/bio.h>
32 #include <openssl/crypto.h>
33 #include <openssl/x509.h>
34 #include <openssl/ssl.h>
35 #include <openssl/err.h>
36 #include <openssl/pem.h>
37 #include <openssl/rand.h>
46 static int verify_callback PARAMS ((int, X509_STORE_CTX *));
51 #if SSLEAY_VERSION_NUMBER >= 0x00905100
52 if (RAND_status () == 0)
59 /* gets random data from egd if opt.sslegdsock was set */
60 if (opt.sslegdsock != NULL)
61 RAND_egd(opt.sslegdsock);
62 /* gets the file ~/.rnd or $RANDFILE if set */
63 RAND_file_name(rand_file, 256);
64 if (rand_file != NULL)
66 /* Seed as much as 1024 bytes from RAND_file_name */
67 RAND_load_file(rand_file, 1024);
69 /* Seed in time (mod_ssl does this) */
70 RAND_seed((unsigned char *)&t, sizeof(time_t));
71 /* Initialize system's random number generator */
72 RAND_bytes((unsigned char *)&seed, sizeof(long));
74 while (RAND_status () == 0)
76 /* Repeatedly seed the PRNG using the system's random number
77 generator until it has been seeded with enough data. */
79 RAND_seed((unsigned char *)&l, sizeof(long));
81 if (rand_file != NULL)
83 /* Write a rand_file */
84 RAND_write_file(rand_file);
87 #endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */
92 /* Creates a SSL Context and sets some defaults for it */
94 init_ssl (SSL_CTX **ctx)
96 SSL_METHOD *meth = NULL;
97 int verify = SSL_VERIFY_NONE;
99 SSL_load_error_strings ();
100 SSLeay_add_all_algorithms ();
101 SSLeay_add_ssl_algorithms ();
102 meth = SSLv23_client_method ();
103 *ctx = SSL_CTX_new (meth);
104 SSL_CTX_set_verify (*ctx, verify, verify_callback);
105 if (*ctx == NULL) return SSLERRCTXCREATE;
108 if (SSL_CTX_use_certificate_file (*ctx, opt.sslcertfile,
109 SSL_FILETYPE_PEM) <= 0)
110 return SSLERRCERTFILE;
111 if (opt.sslcertkey == NULL)
112 opt.sslcertkey=opt.sslcertfile;
113 if (SSL_CTX_use_PrivateKey_file (*ctx, opt.sslcertkey,
114 SSL_FILETYPE_PEM) <= 0)
115 return SSLERRCERTKEY;
118 return 0; /* Succeded */
121 /* Sets up a SSL structure and performs the handshake on fd
122 Returns 0 if everything went right
123 Returns 1 if something went wrong ----- TODO: More exit codes
126 connect_ssl (SSL **con, SSL_CTX *ctx, int fd)
128 *con = (SSL *)SSL_new (ctx);
129 SSL_set_fd (*con, fd);
130 SSL_set_connect_state (*con);
132 if ((*con)->state != SSL_ST_OK)
134 /*while((SSLerror=ERR_get_error())!=0)
135 printf("%s\n", ERR_error_string(SSLerror,NULL));*/
141 shutdown_ssl (SSL* con)
149 free_ssl_ctx (SSL_CTX * ctx)
155 verify_callback (int ok, X509_STORE_CTX *ctx)
158 s = X509_NAME_oneline (X509_get_subject_name (ctx->current_cert), buf, 256);
160 switch (ctx->error) {
161 case X509_V_ERR_CERT_NOT_YET_VALID:
162 case X509_V_ERR_CERT_HAS_EXPIRED:
163 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
170 /* pass all ssl errors to DEBUGP
171 returns the number of printed errors */
173 ssl_printerrors (void)
176 unsigned long curerr = 0;
178 memset(errbuff, 0, sizeof(errbuff));
179 for (curerr = ERR_get_error (); curerr; curerr = ERR_get_error ())
181 DEBUGP (("OpenSSL: %s\n", ERR_error_string (curerr, errbuff)));
187 /* SSL version of iread. Only exchanged read for SSL_read
188 Read at most LEN bytes from FD, storing them to BUF. This is
189 virtually the same as read(), but takes care of EINTR braindamage
190 and uses select() to timeout the stale connections (a connection is
191 stale if more than OPT.TIMEOUT time is spent in select() or
194 ssl_iread (SSL *con, char *buf, int len)
198 BIO_get_fd (con->rbio, &fd);
207 res = select_fd (fd, opt.timeout, 0);
209 while (res == -1 && errno == EINTR);
212 /* Set errno to ETIMEDOUT on timeout. */
214 /* #### Potentially evil! */
220 res = SSL_read (con, buf, len);
222 while (res == -1 && errno == EINTR);
227 /* SSL version of iwrite. Only exchanged write for SSL_write
228 Write LEN bytes from BUF to FD. This is similar to iread(), but
229 doesn't bother with select(). Unlike iread(), it makes sure that
230 all of BUF is actually written to FD, so callers needn't bother
231 with checking that the return value equals to LEN. Instead, you
232 should simply check for -1. */
234 ssl_iwrite (SSL *con, char *buf, int len)
238 BIO_get_fd (con->rbio, &fd);
239 /* `write' may write less than LEN bytes, thus the outward loop
240 keeps trying it until all was written, or an error occurred. The
241 inner loop is reserved for the usual EINTR f*kage, and the
242 innermost loop deals with the same during select(). */
252 res = select_fd (fd, opt.timeout, 1);
254 while (res == -1 && errno == EINTR);
257 /* Set errno to ETIMEDOUT on timeout. */
259 /* #### Potentially evil! */
265 res = SSL_write (con, buf, len);
267 while (res == -1 && errno == EINTR);
275 #endif /* HAVE_SSL */