Module Name: src
Committed By: christos
Date: Tue Aug 30 08:51:28 UTC 2022
Modified Files:
src/usr.bin/ftp: ftp.1 ssl.c
Log Message:
Add cert verification, together with an environment variable "NO_CERT_VERIFY",
to turn it off.
To generate a diff of this commit:
cvs rdiff -u -r1.146 -r1.147 src/usr.bin/ftp/ftp.1
cvs rdiff -u -r1.10 -r1.11 src/usr.bin/ftp/ssl.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/usr.bin/ftp/ftp.1
diff -u src/usr.bin/ftp/ftp.1:1.146 src/usr.bin/ftp/ftp.1:1.147
--- src/usr.bin/ftp/ftp.1:1.146 Sun Apr 25 05:09:55 2021
+++ src/usr.bin/ftp/ftp.1 Tue Aug 30 04:51:28 2022
@@ -1,4 +1,4 @@
-.\" $NetBSD: ftp.1,v 1.146 2021/04/25 09:09:55 lukem Exp $
+.\" $NetBSD: ftp.1,v 1.147 2022/08/30 08:51:28 christos Exp $
.\"
.\" Copyright (c) 1996-2021 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -57,7 +57,7 @@
.\"
.\" @(#)ftp.1 8.3 (Berkeley) 10/9/94
.\"
-.Dd April 25, 2021
+.Dd August 29, 2022
.Dt FTP 1
.Os
.Sh NAME
@@ -2320,6 +2320,8 @@ file, if one exists.
An alternate location of the
.Pa .netrc
file.
+.It Ev NO_CERT_VERIFY
+Don't verify SSL certificates.
.It Ev PAGER
Used by various commands to display files.
Defaults to
Index: src/usr.bin/ftp/ssl.c
diff -u src/usr.bin/ftp/ssl.c:1.10 src/usr.bin/ftp/ssl.c:1.11
--- src/usr.bin/ftp/ssl.c:1.10 Thu Jun 3 06:23:33 2021
+++ src/usr.bin/ftp/ssl.c Tue Aug 30 04:51:28 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: ssl.c,v 1.10 2021/06/03 10:23:33 lukem Exp $ */
+/* $NetBSD: ssl.c,v 1.11 2022/08/30 08:51:28 christos Exp $ */
/*-
* Copyright (c) 1998-2004 Dag-Erling Coïdan Smørgrav
@@ -34,7 +34,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: ssl.c,v 1.10 2021/06/03 10:23:33 lukem Exp $");
+__RCSID("$NetBSD: ssl.c,v 1.11 2022/08/30 08:51:28 christos Exp $");
#endif
#include <errno.h>
@@ -587,7 +587,9 @@ fetch_start_ssl(int sock, const char *se
{
SSL *ssl;
SSL_CTX *ctx;
+ X509_VERIFY_PARAM *param;
int ret, ssl_err;
+ int verify = getenv("NO_CERT_VERIFY") == NULL;
/* Init the SSL library and context */
if (!SSL_library_init()){
@@ -599,6 +601,10 @@ fetch_start_ssl(int sock, const char *se
ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+ if (verify) {
+ SSL_CTX_set_default_verify_paths(ctx);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ }
ssl = SSL_new(ctx);
if (ssl == NULL){
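Review bot: The return value of `SSL_CTX_set_default_verify_paths(ctx)` is ignored in the new `if (verify)` block, so when no system CA store can be located the context is left with an empty trust store and every verified connection later fails at the handshake with no hint about the cause. Since the commit's stated purpose is to turn verification on, the setup failure should be reported and the context released the same way the `ssl == NULL` path below does with `SSL_CTX_free(ctx)`. It is not visible in the hunk whether `ctx` itself is NULL-checked after `SSL_CTX_new`; if it is not, that check belongs before this block as well. fetch_start_ssl continues outside this hunk.
```c
	if (verify) {
		if (!SSL_CTX_set_default_verify_paths(ctx)) {
			fprintf(ttyout, "SSL CA path setup failed\n");
			SSL_CTX_free(ctx);
			return NULL;
		}
		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
	}
	/* … unchanged: SSL_new(ctx) and its NULL check … */
```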
@@ -606,6 +612,19 @@ fetch_start_ssl(int sock, const char *se
SSL_CTX_free(ctx);
return NULL;
}
+
+ if (verify) {
+ param = SSL_get0_param(ssl);
+ if (!X509_VERIFY_PARAM_set1_host(param, servername,
+ strlen(servername))) {
+ fprintf(ttyout, "SSL verification setup failed\n");
+ return NULL;
+ }
+
+ /* Enable peer verification, (using the default callback) */
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+ }
+
SSL_set_fd(ssl, sock);
if (!SSL_set_tlsext_host_name(ssl, __UNCONST(servername))) {
fprintf(ttyout, "SSL hostname setting failed\n");
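Review bot: The new failure path after `X509_VERIFY_PARAM_set1_host` returns NULL without releasing `ssl` or `ctx`, whereas the preceding error path in this hunk frees the context before returning; the new branch should do `SSL_free(ssl); SSL_CTX_free(ctx); return NULL;` so a verification-setup failure does not leak both objects. The `SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL)` call appears redundant with the `SSL_CTX_set_verify` already applied to `ctx` before `SSL_new`, since a new SSL object inherits the context's verify mode; keeping one of the two would make the intent clearer. If `servername` can be an IP literal, `X509_VERIFY_PARAM_set1_host` will not match an IP-address SAN and `X509_VERIFY_PARAM_set1_ip_asc` is the corresponding OpenSSL call for that case — worth confirming against the callers. fetch_start_ssl continues past the end of this hunk, so whether the later `SSL_set_tlsext_host_name` failure path frees `ssl` and `ctx` is not visible here.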