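/* $NetBSD: ssl.c,v 1.20 2024/09/25 16:53:58 christos Exp $ */

/*-
 * Copyright (c) 1998-2004 Dag-Erling Codan Smrgrav
 * Copyright (c) 2008, 2010 Joerg Sonnenberger <joerg (at) NetBSD.org>
 * Copyright (c) 2015 Thomas Klausner <wiz (at) NetBSD.org>
 * Copyright (c) 2023 Michael van Elst <mlelstv (at) NetBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $FreeBSD: common.c,v 1.53 2007/12/19 00:26:36 des Exp $
 */

#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: ssl.c,v 1.20 2024/09/25 16:53:58 christos Exp $");
#endif

#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include <sys/param.h>
#include <sys/time.h>
#include <sys/uio.h>

#include <netinet/tcp.h>
#include <netinet/in.h>

#ifdef WITH_SSL
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#endif

#include "ssl.h"
#include "ftp_var.h"

extern int quit_time, verbose, ftp_debug;
extern FILE *ttyout;

/*
 * A connection as seen by the fetch code: either a plain file descriptor
 * (fetch_open) or a socket (fetch_fdopen), optionally wrapped in an SSL
 * session (fetch_set_ssl).  Error and EOF state is sticky; see fetch_error()
 * and fetch_clearerr().
 */
struct fetch_connect {
	int sd;			/* file/socket descriptor */
	char *buf;		/* line buffer owned by fetch_getln() */
	size_t bufsize;		/* allocated size of buf */
	size_t bufpos;		/* next unread byte in buf */
	size_t buflen;		/* bytes of valid data in buf */
	struct {		/* data cached after an
				   interrupted read */
		char *buf;
		size_t size;
		size_t pos;
		size_t len;
	} cache;
	int issock;		/* sd is a socket (TCP options apply) */
	int iserr;		/* sticky error flag: an errno value, or 1 */
	int iseof;		/* sticky EOF flag */
#ifdef WITH_SSL
	SSL *ssl;		/* SSL handle, NULL for a cleartext connection */
#endif
};

/*
 * Write a vector to a connection w/ timeout (quit_time, i.e. -q).
 * Loops until every byte has been written or an error occurs.
 * Note: can modify the iovec (entries are consumed in place).
 * Returns the total number of bytes written, or -1 with errno set:
 * ETIMEDOUT if the descriptor did not become writable in time, EPIPE if
 * a write transferred nothing.
 */
static ssize_t
fetch_writev(struct fetch_connect *conn, struct iovec *iov, int iovcnt)
{
	struct timeval timeout, now, delta;
	ssize_t len, total;
	int fd = conn->sd;
	int rv, timeout_ms;
	struct pollfd pfd[1];

	pfd[0].fd = fd;
	pfd[0].events = POLLOUT;
	(void)gettimeofday(&timeout, NULL);
	timeout.tv_sec += quit_time;		/* absolute deadline */

	total = 0;
	while (iovcnt > 0) {
		if (quit_time > 0) {		/* enforce timeout */
			do {
				(void)gettimeofday(&now, NULL);
				timersub(&timeout, &now, &delta);
				/* poll() takes the remaining time in ms */
				timeout_ms = (int)(delta.tv_sec * 1000
				    + delta.tv_usec / 1000);
				if (timeout_ms < 0)
					timeout_ms = 0;
				rv = ftp_poll(pfd, 1, timeout_ms);
				/* loop until poll !EINTR && !EAGAIN */
			} while (rv == -1 && (errno == EINTR || errno == EAGAIN));
			if (rv == -1)
				return -1;
			if (rv == 0) {
				errno = ETIMEDOUT;
				return -1;
			}
		}
		errno = 0;
#ifdef WITH_SSL
		/*
		 * SSL_write() takes a single buffer and an int length, so
		 * only the head of the vector is written per iteration and
		 * an oversized entry is clamped rather than truncated by
		 * the cast; the loop below picks up the remainder.
		 */
		if (conn->ssl != NULL)
			len = SSL_write(conn->ssl, iov->iov_base,
			    (int)MIN(iov->iov_len, (size_t)INT_MAX));
		else
#endif
			len = writev(fd, iov, iovcnt);
		if (len == 0) {
			/* a write that transfers nothing is treated as a */
			/* broken connection */
			/* XXX perhaps we shouldn't in the SSL case */
			errno = EPIPE;
			return -1;
		}
		if (len < 0) {
			if (errno == EINTR || errno == EAGAIN)
				continue;
			return -1;
		}
		total += len;
		/* drop the entries that were written completely ... */
		while (iovcnt > 0 && len >= (ssize_t)iov->iov_len) {
			len -= iov->iov_len;
			iov++;
			iovcnt--;
		}
		/* ... and trim the partially written head entry */
		if (iovcnt > 0) {
			iov->iov_len -= len;
			iov->iov_base = (char *)iov->iov_base + len;
		}
	}
	return total;
}

/*
 * Write len bytes starting at str to the connection.
 * Returns the number of bytes written, or -1 with errno set.
 */
static ssize_t
fetch_write(const void *str, size_t len, struct fetch_connect *conn)
{
	struct iovec iov[1];

	iov[0].iov_base = (char *)__UNCONST(str);
	iov[0].iov_len = len;
	return fetch_writev(conn, iov, 1);
}

/*
 * Send a formatted line to the connection.
 * Returns the number of bytes written, or -1 with errno set (ENOMEM if
 * the message could not be formatted).
 */
int
fetch_printf(struct fetch_connect *conn, const char *fmt, ...)
{
	va_list ap;
	int len;
	char *msg;
	ssize_t r;

	va_start(ap, fmt);
	len = vasprintf(&msg, fmt, ap);
	va_end(ap);

	/*
	 * vasprintf() reports failure through its return value; the
	 * pointer is not guaranteed to be NULL on every implementation,
	 * so check both before using msg.
	 */
	if (len < 0 || msg == NULL) {
		errno = ENOMEM;
		return -1;
	}

	r = fetch_write(msg, (size_t)len, conn);
	free(msg);
	return (int)r;
}

/*
 * Return the underlying file/socket descriptor.
 */
int
fetch_fileno(struct fetch_connect *conn)
{

	return conn->sd;
}

/*
 * Return the sticky error indicator (non-zero after a failed read).
 */
int
fetch_error(struct fetch_connect *conn)
{

	return conn->iserr;
}

/*
 * Reset the sticky error indicator.
 */
static void
fetch_clearerr(struct fetch_connect *conn)
{

	conn->iserr = 0;
}

/*
 * Push out any data held back by TCP_NOPUSH (set in fetch_fdopen) and
 * disable Nagle for the rest of the session.  No-op for non-sockets.
 * The setsockopt() calls are best effort.  Always returns 0.
 */
int
fetch_flush(struct fetch_connect *conn)
{

	if (conn->issock) {
		int fd = conn->sd;
		int v;
#ifdef TCP_NOPUSH
		v = 0;
		(void)setsockopt(fd, IPPROTO_TCP, TCP_NOPUSH, &v, sizeof(v));
#endif
		v = 1;
		(void)setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &v, sizeof(v));
	}
	return 0;
}

/*
 * Open a local file as a connection.  fmode is currently ignored; the
 * file is always opened read-only.
 * Returns a new connection, or NULL with errno set by open()/calloc().
 */
/*ARGSUSED*/
struct fetch_connect *
fetch_open(const char *fname, const char *fmode)
{
	struct fetch_connect *conn;
	int fd;

	fd = open(fname, O_RDONLY);	/* XXX: fmode */
	if (fd < 0)
		return NULL;

	if ((conn = calloc(1, sizeof(*conn))) == NULL) {
		close(fd);
		return NULL;
	}

	conn->sd = fd;
	conn->issock = 0;
	return conn;
}

/*
 * Wrap an already connected socket sd in a connection.  fmode is ignored.
 * The descriptor is marked close-on-exec; SIGPIPE is suppressed and
 * TCP_NOPUSH enabled where the platform supports them.
 * Returns a new connection, or NULL if memory could not be allocated.
 */
/*ARGSUSED*/
struct fetch_connect *
fetch_fdopen(int sd, const char *fmode)
{
	struct fetch_connect *conn;
#if defined(SO_NOSIGPIPE) || defined(TCP_NOPUSH)
	int opt = 1;
#endif

	if ((conn = calloc(1, sizeof(*conn))) == NULL)
		return NULL;

	conn->sd = sd;
	conn->issock = 1;
	(void)fcntl(sd, F_SETFD, FD_CLOEXEC);
#ifdef SO_NOSIGPIPE
	(void)setsockopt(sd, SOL_SOCKET, SO_NOSIGPIPE, &opt, sizeof(opt));
#endif
#ifdef TCP_NOPUSH
	(void)setsockopt(sd, IPPROTO_TCP, TCP_NOPUSH, &opt, sizeof(opt));
#endif
	return conn;
}

/*
 * Flush, tear down the SSL session (if any), close the descriptor and
 * free all buffers.  NULL is accepted.  Always returns 0.
 */
int
fetch_close(struct fetch_connect *conn)
{
	if (conn == NULL)
		return 0;

	(void)fetch_flush(conn);
#ifdef WITH_SSL
	SSL_free(conn->ssl);		/* SSL_free(NULL) is a no-op */
#endif
	close(conn->sd);
	free(conn->cache.buf);
	free(conn->buf);
	free(conn);
	return 0;
}

/*
 * Negative results of the low-level read helpers; any value >= 0 is a
 * byte count (0 meaning EOF).
 */
#define FETCH_WRITE_WAIT	-3	/* retry after the socket is writable */
#define FETCH_READ_WAIT		-2	/* retry after the socket is readable */
#define FETCH_READ_ERROR	-1	/* hard error, see errno */

#ifdef WITH_SSL
/*
 * Read up to len bytes from the SSL session into buf.
 * Returns the byte count, 0 at EOF, or one of the FETCH_*_WAIT /
 * FETCH_READ_ERROR codes; other SSL errors are printed to ttyout.
 */
static ssize_t
fetch_ssl_read(SSL *ssl, void *buf, size_t len)
{
	int rlen;

	/* SSL_read() takes an int; clamp instead of truncating */
	rlen = SSL_read(ssl, buf, (int)MIN(len, (size_t)INT_MAX));
	if (rlen >= 0)
		return rlen;

	switch (SSL_get_error(ssl, rlen)) {
	case SSL_ERROR_WANT_READ:
		return FETCH_READ_WAIT;
	case SSL_ERROR_WANT_WRITE:
		return FETCH_WRITE_WAIT;
	default:
		ERR_print_errors_fp(ttyout);
		return FETCH_READ_ERROR;
	}
}
#endif /* WITH_SSL */

/*
 * Read up to len bytes from descriptor sd into buf.
 * Returns the byte count, 0 at EOF, FETCH_READ_WAIT for EINTR/EAGAIN
 * (the caller polls and retries), or FETCH_READ_ERROR with errno set.
 */
static ssize_t
fetch_nonssl_read(int sd, void *buf, size_t len)
{
	ssize_t rlen;

	rlen = read(sd, buf, len);
	if (rlen == -1) {
		if (errno == EINTR || errno == EAGAIN)
			return FETCH_READ_WAIT;
		return FETCH_READ_ERROR;
	}
	return rlen;
}

/*
 * Cache some data that was read from a socket but cannot be immediately
 * returned because of an interrupted system call.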
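*/
/* Returns 0 on success, or -1 if the cache buffer could not be grown. */
static int
fetch_cache_data(struct fetch_connect *conn, char *src, size_t nbytes)
{

	if (conn->cache.size < nbytes) {
		/* grow the cache; on failure the old buffer stays valid */
		char *tmp = realloc(conn->cache.buf, nbytes);
		if (tmp == NULL)
			return -1;

		conn->cache.buf = tmp;
		conn->cache.size = nbytes;
	}

	memcpy(conn->cache.buf, src, nbytes);
	conn->cache.len = nbytes;
	conn->cache.pos = 0;
	return 0;
}

/*
 * Wait until conn's descriptor is readable (rlen == FETCH_READ_WAIT) or
 * writable (rlen == FETCH_WRITE_WAIT), honouring the -q timeout.
 * timeout is the absolute deadline computed by the caller and is only
 * consulted when quit_time > 0; otherwise the wait is unbounded.
 * Returns 0 when the descriptor is ready, or -1 with errno and
 * conn->iserr set (ETIMEDOUT when the transfer stalled).
 */
static int
fetch_wait(struct fetch_connect *conn, ssize_t rlen, struct timeval *timeout)
{
	struct timeval now, delta;
	int fd = conn->sd;
	int rv, timeout_ms;
	struct pollfd pfd[1];

	pfd[0].fd = fd;
	if (rlen == FETCH_READ_WAIT) {
		pfd[0].events = POLLIN;
	} else if (rlen == FETCH_WRITE_WAIT) {
		pfd[0].events = POLLOUT;
	} else {
		pfd[0].events = 0;	/* only error/hangup will wake us */
	}

	do {
		if (quit_time > 0) {
			(void)gettimeofday(&now, NULL);
			timersub(timeout, &now, &delta);
			/* poll() takes the remaining time in ms */
			timeout_ms = (int)(delta.tv_sec * 1000
			    + delta.tv_usec / 1000);
			if (timeout_ms < 0)
				timeout_ms = 0;
		} else {
			timeout_ms = INFTIM;
		}
		errno = 0;
		rv = ftp_poll(pfd, 1, timeout_ms);
		/* loop until poll !EINTR && !EAGAIN */
	} while (rv == -1 && (errno == EINTR || errno == EAGAIN));
	if (rv == 0) {				/* poll timeout */
		fprintf(ttyout, "\r\n%s: transfer aborted"
		    " because stalled for %lu sec.\r\n",
		    getprogname(), (unsigned long)quit_time);
		errno = ETIMEDOUT;
		conn->iserr = ETIMEDOUT;
		return -1;
	}
	if (rv == -1) {				/* poll error */
		conn->iserr = errno;
		return -1;
	}
	return 0;
}

/*
 * fread(3)-style read of size * nmemb bytes into ptr, w/ timeout.
 * Returns the number of BYTES stored (not items).  A short count means
 * EOF (conn->iseof set) or an error (conn->iserr set to the errno; on
 * EINTR/EAGAIN the bytes already read are cached and replayed by the
 * next call).
 */
size_t
fetch_read(void *ptr, size_t size, size_t nmemb, struct fetch_connect *conn)
{
	ssize_t rlen, total;
	size_t len;
	char *start, *buf;
	struct timeval timeout = { 0, 0 };	/* only read when quit_time > 0 */

	if (quit_time > 0) {
		(void)gettimeofday(&timeout, NULL);
		timeout.tv_sec += quit_time;
	}

	total = 0;
	start = buf = ptr;
	len = size * nmemb;

	if (conn->cache.len > 0) {
		/*
		 * The last invocation of fetch_read was interrupted by a
		 * signal after some data had been read from the socket. Copy
		 * the cached data into the supplied buffer before trying to
		 * read from the socket again.  Copy from cache.pos: a
		 * previous call may already have drained part of the cache.
		 */
		total = (conn->cache.len < len) ? conn->cache.len : len;
		memcpy(buf, conn->cache.buf + conn->cache.pos, total);

		conn->cache.len -= total;
		conn->cache.pos += total;
		len -= total;
		buf += total;
	}

	while (len > 0) {
		/*
		 * The socket is non-blocking. Instead of the canonical
		 * poll() -> read(), we do the following:
		 *
		 * 1) call read() or SSL_read().
		 * 2) if an error occurred, return -1.
		 * 3) if we received data but we still expect more,
		 *    update our counters and loop.
		 * 4) if read() or SSL_read() signaled EOF, return.
		 * 5) if we did not receive any data but we're not at EOF,
		 *    call poll().
		 *
		 * In the SSL case, this is necessary because if we
		 * receive a close notification, we have to call
		 * SSL_read() one additional time after we've read
		 * everything we received.
		 *
		 * In the non-SSL case, it may improve performance (very
		 * slightly) when reading small amounts of data.
		 */
#ifdef WITH_SSL
		if (conn->ssl != NULL)
			rlen = fetch_ssl_read(conn->ssl, buf, len);
		else
#endif
			rlen = fetch_nonssl_read(conn->sd, buf, len);
		switch (rlen) {
		case 0:
			conn->iseof = 1;
			return total;
		case FETCH_READ_ERROR:
			conn->iserr = errno;
			/*
			 * Best effort: if the cache cannot be grown the
			 * partial data is lost, but iserr is set either way.
			 */
			if (errno == EINTR || errno == EAGAIN)
				(void)fetch_cache_data(conn, start, total);
			return 0;
		case FETCH_READ_WAIT:
		case FETCH_WRITE_WAIT:
			if (fetch_wait(conn, rlen, &timeout) == -1)
				return 0;
			break;
		default:
			len -= rlen;
			buf += rlen;
			total += rlen;
			break;
		}
	}
	return total;
}

#define MIN_BUF_SIZE	1024

/*
 * Read a line of text from a connection w/ timeout.
 * Like fgets(3): copies at most size - 1 bytes, including the '\n' if
 * one was read, into str, NUL-terminates it and returns str.  A line
 * longer than size - 1 is handed out in pieces over successive calls.
 * Returns NULL at EOF with nothing buffered, on error (conn->iserr set,
 * errno ENOMEM for allocation failures) or if size < 1 (errno EINVAL).
 */
char *
fetch_getln(char *str, int size, struct fetch_connect *conn)
{
	size_t tmpsize;
	size_t len;
	char *tmp;
	char c;

	/*
	 * size - 1 is used as an unsigned count below; a non-positive
	 * size would become a huge length and overrun str.
	 */
	if (size <= 0) {
		errno = EINVAL;
		return NULL;
	}

	if (conn->buf == NULL) {
		if ((conn->buf = malloc(MIN_BUF_SIZE)) == NULL) {
			errno = ENOMEM;
			conn->iserr = 1;
			return NULL;
		}
		conn->bufsize = MIN_BUF_SIZE;
	}

	if (conn->iserr || conn->iseof)
		return NULL;

	/* hand out the unread remainder of a previous, too long line */
	if (conn->buflen - conn->bufpos > 0)
		goto done;

	conn->buf[0] = '\0';
	conn->bufpos = 0;
	conn->buflen = 0;
	do {
		len = fetch_read(&c, sizeof(c), 1, conn);
		if (len == 0) {
			if (conn->iserr)
				return NULL;
			if (conn->iseof)
				break;
			abort();	/* fetch_read() must set one of them */
		}
		conn->buf[conn->buflen++] = c;
		if (conn->buflen == conn->bufsize) {
			/* grow the line buffer; on failure it stays valid */
			tmpsize = conn->bufsize * 2 + 1;
			if ((tmp = realloc(conn->buf, tmpsize)) == NULL) {
				errno = ENOMEM;
				conn->iserr = 1;
				return NULL;
			}
			conn->buf = tmp;
			conn->bufsize = tmpsize;
		}
	} while (c != '\n');

	if (conn->buflen == 0)
		return NULL;
done:
	tmpsize = MIN((size_t)(size - 1), conn->buflen - conn->bufpos);
	memcpy(str, conn->buf + conn->bufpos, tmpsize);
	str[tmpsize] = '\0';
	conn->bufpos += tmpsize;
	return str;
}
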
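int
/*
 * Read one line into buf (at most buflen - 1 bytes) and strip the
 * trailing newline.
 * Returns the line length, -1 on error, -2 at EOF, or -3 if the line did
 * not fit (the rest of it is discarded).  If errormsg is non-NULL it is
 * set to a static description of the failure, or NULL on success.
 */
fetch_getline(struct fetch_connect *conn, char *buf, size_t buflen,
    const char **errormsg)
{
	size_t len;
	int rv;

	if (fetch_getln(buf, (int)buflen, conn) == NULL) {
		if (conn->iseof) {		/* EOF */
			rv = -2;
			if (errormsg)
				*errormsg = "\nEOF received";
		} else {			/* error */
			rv = -1;
			if (errormsg)
				*errormsg = "Error encountered";
		}
		fetch_clearerr(conn);
		return rv;
	}
	len = strlen(buf);
	/*
	 * A NUL byte received from the peer leaves buf empty; without the
	 * length check the newline test would read buf[-1].
	 */
	if (len > 0 && buf[len - 1] == '\n') {	/* clear any trailing newline */
		buf[--len] = '\0';
	} else if (len == buflen - 1) {		/* line too long */
		/* drain the rest of the line so the next read is aligned */
		for (;;) {
			char c;
			size_t rlen = fetch_read(&c, sizeof(c), 1, conn);
			if (rlen == 0 || c == '\n')
				break;
		}
		if (errormsg)
			*errormsg = "Input line is too long (specify -b > 16384)";
		fetch_clearerr(conn);
		return -3;
	}
	if (errormsg)
		*errormsg = NULL;
	return (int)len;
}

#ifdef WITH_SSL
/*
 * Start the SSL/TLS negotiation.
 * Socket fcntl flags are temporarily updated to include O_NONBLOCK;
 * these will not be reverted on connection failure.
 * Peer certificate and hostname (servername) verification are enabled
 * unless the "sslnoverify" option is truthy.  The handshake is bounded
 * by quit_time, or 60 seconds without -q.
 * Returns pointer to allocated SSL structure on success,
 * or NULL upon failure.
 */
void *
fetch_start_ssl(int sock, const char *servername)
{
	SSL *ssl = NULL;
	SSL_CTX *ctx = NULL;
	X509_VERIFY_PARAM *param;
	int ret, ssl_err, flags, rv, timeout_ms;
	int verify = !ftp_truthy("sslnoverify", getoptionvalue("sslnoverify"), 0);
	struct timeval timeout, now, delta;
	struct pollfd pfd[1];

	/* Init the SSL library and context */
	if (!SSL_library_init()){
		warnx("SSL library init failed");
		goto cleanup_start_ssl;
	}

	SSL_load_error_strings();

	ctx = SSL_CTX_new(SSLv23_client_method());
	if (ctx == NULL) {
		/* SSL_CTX_new() can fail; previously this dereferenced NULL */
		warnx("SSL_CTX_new failed");
		goto cleanup_start_ssl;
	}
	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
	if (verify) {
		SSL_CTX_set_default_verify_paths(ctx);
		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
	}

	ssl = SSL_new(ctx);
	if (ssl == NULL){
		warnx("SSL context creation failed");
		goto cleanup_start_ssl;
	}

	if (verify) {
		param = SSL_get0_param(ssl);
		if (!X509_VERIFY_PARAM_set1_host(param, servername,
		    strlen(servername))) {
			warnx("SSL verification setup failed");
			goto cleanup_start_ssl;
		}

		/* Enable peer verification, (using the default callback) */
		SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
	}
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
	SSL_set_options(ssl, SSL_OP_IGNORE_UNEXPECTED_EOF);
#endif

	/* save current socket flags */
	if ((flags = fcntl(sock, F_GETFL, 0)) == -1) {
		warn("Can't %s socket flags for SSL connect to `%s'",
		    "save", servername);
		goto cleanup_start_ssl;
	}
	/* set non-blocking connect */
	if (fcntl(sock, F_SETFL, flags | O_NONBLOCK) == -1) {
		warn("Can't set socket non-blocking for SSL connect to `%s'",
		    servername);
		goto cleanup_start_ssl;
	}

	/* NOTE: we now must restore socket flags on successful connection */

	(void)gettimeofday(&timeout, NULL);	/* setup SSL_connect() timeout */
	timeout.tv_sec += (quit_time > 0) ? quit_time: 60;
						/* without -q, default to 60s */

	SSL_set_fd(ssl, sock);
	if (!SSL_set_tlsext_host_name(ssl, __UNCONST(servername))) {
		warnx("SSL hostname setting failed");
		goto cleanup_start_ssl;
	}
	pfd[0].fd = sock;
	pfd[0].events = 0;
	while ((ret = SSL_connect(ssl)) <= 0) {
		ssl_err = SSL_get_error(ssl, ret);
		DPRINTF("%s: SSL_connect() ret=%d ssl_err=%d\n",
		    __func__, ret, ssl_err);
		if (ret == 0) {			/* unsuccessful handshake */
			ERR_print_errors_fp(ttyout);
			goto cleanup_start_ssl;
		}
		/* wait for whichever direction the handshake is blocked on */
		if (ssl_err == SSL_ERROR_WANT_READ) {
			pfd[0].events = POLLIN;
		} else if (ssl_err == SSL_ERROR_WANT_WRITE) {
			pfd[0].events = POLLOUT;
		} else {
			ERR_print_errors_fp(ttyout);
			goto cleanup_start_ssl;
		}
		(void)gettimeofday(&now, NULL);
		timersub(&timeout, &now, &delta);
		/* poll() takes the remaining time in ms */
		timeout_ms = (int)(delta.tv_sec * 1000
		    + delta.tv_usec / 1000);
		if (timeout_ms < 0)
			timeout_ms = 0;
		rv = ftp_poll(pfd, 1, timeout_ms);
		if (rv == 0) {		/* poll for SSL_connect() timed out */
			fprintf(ttyout, "Timeout establishing SSL connection to `%s'\n",
			    servername);
			goto cleanup_start_ssl;
		} else if (rv == -1 && errno != EINTR && errno != EAGAIN) {
			warn("Error polling for SSL connect to `%s'", servername);
			goto cleanup_start_ssl;
		}
	}

	if (fcntl(sock, F_SETFL, flags) == -1) {
						/* restore socket flags */
		warn("Can't %s socket flags for SSL connect to `%s'",
		    "restore", servername);
		goto cleanup_start_ssl;
	}

	if (ftp_debug && verbose) {
		X509 *cert;
		X509_NAME *name;
		char *str;

		fprintf(ttyout, "SSL connection established using %s\n",
		    SSL_get_cipher(ssl));
		/*
		 * SSL_get_peer_certificate() hands back a new reference
		 * that must be released, and may return NULL when the peer
		 * presented no certificate (possible with sslnoverify).
		 */
		cert = SSL_get_peer_certificate(ssl);
		if (cert == NULL) {
			fprintf(ttyout, "No peer certificate presented\n");
		} else {
			name = X509_get_subject_name(cert);
			str = X509_NAME_oneline(name, 0, 0);
			fprintf(ttyout, "Certificate subject: %s\n",
			    str != NULL ? str : "(unknown)");
			free(str);
			name = X509_get_issuer_name(cert);
			str = X509_NAME_oneline(name, 0, 0);
			fprintf(ttyout, "Certificate issuer: %s\n",
			    str != NULL ? str : "(unknown)");
			free(str);
			X509_free(cert);
		}
	}

	/*
	 * ssl holds its own reference to ctx (taken by SSL_new()), so the
	 * local reference is dropped here; previously the context leaked
	 * on every successful connection.
	 */
	SSL_CTX_free(ctx);
	return ssl;

cleanup_start_ssl:
	if (ssl)
		SSL_free(ssl);
	if (ctx)
		SSL_CTX_free(ctx);
	return NULL;
}
#endif /* WITH_SSL */


/*
 * Attach an SSL session (from fetch_start_ssl) to the connection; from now
 * on reads and writes go through it.  No-op when built without WITH_SSL.
 */
void
fetch_set_ssl(struct fetch_connect *conn, void *ssl)
{
#ifdef WITH_SSL
	conn->ssl = ssl;
#endif
}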