Module Name: src Committed By: christos Date: Tue Aug 30 08:51:28 UTC 2022
Modified Files: src/usr.bin/ftp: ftp.1 ssl.c Log Message: Add cert verification, together with an environment variable "NO_CERT_VERIFY", to turn it off. To generate a diff of this commit: cvs rdiff -u -r1.146 -r1.147 src/usr.bin/ftp/ftp.1 cvs rdiff -u -r1.10 -r1.11 src/usr.bin/ftp/ssl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/usr.bin/ftp/ftp.1 diff -u src/usr.bin/ftp/ftp.1:1.146 src/usr.bin/ftp/ftp.1:1.147 --- src/usr.bin/ftp/ftp.1:1.146 Sun Apr 25 05:09:55 2021 +++ src/usr.bin/ftp/ftp.1 Tue Aug 30 04:51:28 2022 @@ -1,4 +1,4 @@ -.\" $NetBSD: ftp.1,v 1.146 2021/04/25 09:09:55 lukem Exp $ +.\" $NetBSD: ftp.1,v 1.147 2022/08/30 08:51:28 christos Exp $ .\" .\" Copyright (c) 1996-2021 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -57,7 +57,7 @@ .\" .\" @(#)ftp.1 8.3 (Berkeley) 10/9/94 .\" -.Dd April 25, 2021 +.Dd August 29, 2022 .Dt FTP 1 .Os .Sh NAME @@ -2320,6 +2320,8 @@ file, if one exists. An alternate location of the .Pa .netrc file. +.It Ev NO_CERT_VERIFY +Don't verify SSL certificates. .It Ev PAGER Used by various commands to display files. Defaults to Index: src/usr.bin/ftp/ssl.c diff -u src/usr.bin/ftp/ssl.c:1.10 src/usr.bin/ftp/ssl.c:1.11 --- src/usr.bin/ftp/ssl.c:1.10 Thu Jun 3 06:23:33 2021 +++ src/usr.bin/ftp/ssl.c Tue Aug 30 04:51:28 2022 @@ -1,4 +1,4 @@ -/* $NetBSD: ssl.c,v 1.10 2021/06/03 10:23:33 lukem Exp $ */ +/* $NetBSD: ssl.c,v 1.11 2022/08/30 08:51:28 christos Exp $ */ /*- * Copyright (c) 1998-2004 Dag-Erling Coïdan Smørgrav @@ -34,7 +34,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: ssl.c,v 1.10 2021/06/03 10:23:33 lukem Exp $"); +__RCSID("$NetBSD: ssl.c,v 1.11 2022/08/30 08:51:28 christos Exp $"); #endif #include <errno.h> @@ -587,7 +587,9 @@ fetch_start_ssl(int sock, const char *se { SSL *ssl; SSL_CTX *ctx; + X509_VERIFY_PARAM *param; int ret, ssl_err; + int verify = getenv("NO_CERT_VERIFY") == NULL; /* Init the SSL library and context */ if (!SSL_library_init()){ @@ -599,6 +601,10 @@ fetch_start_ssl(int sock, const char *se ctx = SSL_CTX_new(SSLv23_client_method()); SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); + if (verify) { + SSL_CTX_set_default_verify_paths(ctx); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + } ssl = SSL_new(ctx); if (ssl == NULL){ 
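Review bot: `int verify = getenv("NO_CERT_VERIFY") == NULL;` turns certificate verification off whenever the variable is present at all, including `NO_CERT_VERIFY=` with an empty value, and nothing in the new code tells the user that the override is in effect, so a stray variable in the environment silently removes peer authentication. A comment on that line such as `/* Any NO_CERT_VERIFY value, even empty, disables certificate verification */` plus a one-line notice on ttyout when `verify` is zero would make the downgrade visible; the ftp.1 text added in this commit could state the empty-value behaviour as well. fetch_start_ssl continues past the end of this hunk.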
@@ -606,6 +612,19 @@ fetch_start_ssl(int sock, const char *se
 SSL_CTX_free(ctx);
 return NULL;
 }
+
+ if (verify) {
+ param = SSL_get0_param(ssl);
+ if (!X509_VERIFY_PARAM_set1_host(param, servername,
+ strlen(servername))) {
+ fprintf(ttyout, "SSL verification setup failed\n");
+ return NULL;
+ }
+
+ /* Enable peer verification, (using the default callback) */
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+ }
+
 SSL_set_fd(ssl, sock);
 if (!SSL_set_tlsext_host_name(ssl, __UNCONST(servername))) {
 fprintf(ttyout, "SSL hostname setting failed\n");
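Review bot: The new failure branch after `X509_VERIFY_PARAM_set1_host` returns NULL without releasing `ssl` or `ctx`, whereas the `ssl == NULL` branch three lines above frees `ctx` before returning; the branch should read `SSL_free(ssl); SSL_CTX_free(ctx); return NULL;` so neither object leaks on the setup-failure path. The `SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL)` call at the end of the block repeats the `SSL_CTX_set_verify` already applied to `ctx` in the previous hunk, which `SSL_new` inherits, so one of the two is redundant and the comment above it should be kept with whichever survives. If `servername` can be an IP literal, `X509_VERIFY_PARAM_set1_host` will not match it against an iPAddress SAN and the handshake will fail verification; that case needs `X509_VERIFY_PARAM_set1_ip_asc`, which is worth confirming against the callers of fetch_start_ssl. fetch_start_ssl continues past the end of this hunk.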