summaryrefslogtreecommitdiffstats
path: root/src/openssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/openssl.c')
-rw-r--r--src/openssl.c1260
1 files changed, 1260 insertions, 0 deletions
diff --git a/src/openssl.c b/src/openssl.c
new file mode 100644
index 0000000..d6099ba
--- /dev/null
+++ b/src/openssl.c
@@ -0,0 +1,1260 @@
+/* SSL support via OpenSSL library.
+ Copyright (C) 2000-2012, 2015, 2018-2020 Free Software Foundation,
+ Inc.
+ Originally contributed by Christian Fraenkel.
+
+This file is part of GNU Wget.
+
+GNU Wget is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+GNU Wget is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with Wget. If not, see <http://www.gnu.org/licenses/>.
+
+Additional permission under GNU GPL version 3 section 7
+
+If you modify this program, or any covered work, by linking or
+combining it with the OpenSSL project's OpenSSL library (or a
+modified version of that library), containing parts covered by the
+terms of the OpenSSL or SSLeay licenses, the Free Software Foundation
+grants you additional permission to convey the resulting work.
+Corresponding Source for a non-source form of such a combination
+shall include the source code for the parts of OpenSSL used as well
+as that of the covered work. */
+
+#include "wget.h"
+
+#include <assert.h>
+#include <errno.h>
+#include <unistd.h>
+#include <string.h>
+#include <xalloc.h>
+
+#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/bio.h>
+#if OPENSSL_VERSION_NUMBER >= 0x00907000
+#include <openssl/conf.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
+#endif
+
+#include <sys/ioctl.h>
+
+#include "utils.h"
+#include "connect.h"
+#include "ptimer.h"
+#include "url.h"
+#include "ssl.h"
+
+#include <fcntl.h>
+
+#ifdef WINDOWS
+# include <w32sock.h>
+#endif
+
+/* Application-wide SSL context. This is common to all SSL
+ connections. */
+static SSL_CTX *ssl_ctx;
+
+/* Initialize the SSL's PRNG using various methods. */
+
+static void
+init_prng (void)
+{
+ char namebuf[256];
+ const char *random_file;
+
+ /* Seed from a file specified by the user. This will be the file
+ specified with --random-file, $RANDFILE, if set, or ~/.rnd, if it
+ exists. */
+ if (opt.random_file)
+ random_file = opt.random_file;
+ else
+ {
+ /* Get the random file name using RAND_file_name. */
+ namebuf[0] = '\0';
+ random_file = RAND_file_name (namebuf, sizeof (namebuf));
+ if (!file_exists_p (random_file, NULL))
+ random_file = NULL;
+ }
+
+ if (random_file && *random_file)
+ /* Seed at most 16k (apparently arbitrary value borrowed from
+ curl) from random file. */
+ {
+ int _err = RAND_load_file (random_file, 16384);
+ if(_err == -1)
+ /* later the thread error queue will be cleared */
+ if ( (_err = ERR_peek_last_error ()) )
+ logprintf (LOG_VERBOSE, "WARNING: Could not load random file: %s, %s\n", opt.random_file, ERR_reason_error_string(_err));
+ }
+
+#ifdef HAVE_RAND_EGD
+ /* Get random data from EGD if opt.egd_file was used. */
+ if (opt.egd_file && *opt.egd_file)
+ RAND_egd (opt.egd_file);
+#endif
+
+#ifdef WINDOWS
+ /* Under Windows, we can try to seed the PRNG using screen content.
+ This may or may not work, depending on whether we'll calling Wget
+ interactively. */
+
+ RAND_screen ();
+ if (RAND_status ())
+ return;
+#endif
+
+#if 0 /* don't do this by default */
+ {
+ int maxrand = 500;
+
+ /* Still not random enough, presumably because neither /dev/random
+ nor EGD were available. Try to seed OpenSSL's PRNG with libc
+ PRNG. This is cryptographically weak and defeats the purpose
+ of using OpenSSL, which is why it is highly discouraged. */
+
+ logprintf (LOG_NOTQUIET, _("WARNING: using a weak random seed.\n"));
+
+ while (RAND_status () == 0 && maxrand-- > 0)
+ {
+ unsigned char rnd = random_number (256);
+ RAND_seed (&rnd, sizeof (rnd));
+ }
+ }
+#endif
+}
+
+/* Print errors in the OpenSSL error stack. */
+
+static void
+print_errors (void)
+{
+ unsigned long err;
+ while ((err = ERR_get_error ()) != 0)
+ logprintf (LOG_NOTQUIET, "OpenSSL: %s\n", ERR_error_string (err, NULL));
+}
+
+/* Convert keyfile type as used by options.h to a type as accepted by
+ SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file.
+
+ (options.h intentionally doesn't use values from openssl/ssl.h so
+ it doesn't depend specifically on OpenSSL for SSL functionality.) */
+
+static int
+key_type_to_ssl_type (enum keyfile_type type)
+{
+ switch (type)
+ {
+ case keyfile_pem:
+ return SSL_FILETYPE_PEM;
+ case keyfile_asn1:
+ return SSL_FILETYPE_ASN1;
+ default:
+ abort ();
+ }
+}
+
+/* SSL has been initialized */
+static int ssl_true_initialized = 0;
+
+/* Create an SSL Context and set default paths etc. Called the first
+ time an HTTP download is attempted.
+
+ Returns true on success, false otherwise. */
+
+bool
+ssl_init (void)
+{
+ SSL_METHOD const *meth;
+ long ssl_options = 0;
+ char *ciphers_string = NULL;
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ int ssl_proto_version = 0;
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x00907000
+ if (ssl_true_initialized == 0)
+ {
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ OPENSSL_init_ssl (OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
+#else
+ OPENSSL_config (NULL);
+#endif
+ ssl_true_initialized = 1;
+ }
+#endif
+
+ if (ssl_ctx)
+ /* The SSL has already been initialized. */
+ return true;
+
+ /* Init the PRNG. If that fails, bail out. */
+ init_prng ();
+ if (RAND_status () != 1)
+ {
+ logprintf (LOG_NOTQUIET,
+ _("Could not seed PRNG; consider using --random-file.\n"));
+ goto error;
+ }
+
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ SSL_library_init ();
+ SSL_load_error_strings ();
+ SSLeay_add_all_algorithms ();
+ SSLeay_add_ssl_algorithms ();
+#endif
+
+ switch (opt.secure_protocol)
+ {
+#if !defined OPENSSL_NO_SSL2 && OPENSSL_VERSION_NUMBER < 0x10100000L
+ case secure_protocol_sslv2:
+ meth = SSLv2_client_method ();
+ break;
+#endif
+
+#ifndef OPENSSL_NO_SSL3_METHOD
+ case secure_protocol_sslv3:
+ meth = SSLv3_client_method ();
+ break;
+#endif
+
+ case secure_protocol_auto:
+ case secure_protocol_pfs:
+ meth = SSLv23_client_method ();
+ ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ break;
+ case secure_protocol_tlsv1:
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ meth = TLS_client_method();
+ ssl_proto_version = TLS1_VERSION;
+#else
+ meth = TLSv1_client_method ();
+#endif
+ break;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10001000
+ case secure_protocol_tlsv1_1:
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ meth = TLS_client_method();
+ ssl_proto_version = TLS1_1_VERSION;
+#else
+ meth = TLSv1_1_client_method ();
+#endif
+ break;
+
+ case secure_protocol_tlsv1_2:
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ meth = TLS_client_method();
+ ssl_proto_version = TLS1_2_VERSION;
+#else
+ meth = TLSv1_2_client_method ();
+#endif
+ break;
+
+ case secure_protocol_tlsv1_3:
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) && defined TLS1_3_VERSION
+ meth = TLS_client_method();
+ ssl_proto_version = TLS1_3_VERSION;
+#else
+ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLS 1.3\n"));
+ goto error;
+#endif
+ break;
+#else
+ case secure_protocol_tlsv1_1:
+ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
+ goto error;
+
+ case secure_protocol_tlsv1_2:
+ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
+ goto error;
+
+#endif
+
+ default:
+ logprintf (LOG_NOTQUIET, _("OpenSSL: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
+ logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
+ abort ();
+ }
+
+ /* The type cast below accommodates older OpenSSL versions (0.9.8)
+ where SSL_CTX_new() is declared without a "const" argument. */
+ ssl_ctx = SSL_CTX_new ((SSL_METHOD *)meth);
+ if (!ssl_ctx)
+ goto error;
+
+ if (ssl_options)
+ SSL_CTX_set_options (ssl_ctx, ssl_options);
+
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
+ !defined(LIBRESSL_VERSION_NUMBER) && \
+ !defined(OPENSSL_IS_BORINGSSL))
+ SSL_CTX_set_post_handshake_auth (ssl_ctx, 1);
+#endif
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ if (ssl_proto_version)
+ SSL_CTX_set_min_proto_version(ssl_ctx, ssl_proto_version);
+#endif
+
+ /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
+ *
+ * Rules:
+ * 1. --ciphers overrides everything
+ * 2. We allow RSA key exchange by default (secure_protocol_auto)
+ * 3. We disallow RSA key exchange if PFS was requested (secure_protocol_pfs)
+ */
+ if (!opt.tls_ciphers_string)
+ {
+ if (opt.secure_protocol == secure_protocol_auto)
+ ciphers_string = "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK";
+ else if (opt.secure_protocol == secure_protocol_pfs)
+ ciphers_string = "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK:!kRSA";
+ }
+ else
+ {
+ ciphers_string = opt.tls_ciphers_string;
+ }
+
+ if (ciphers_string && !SSL_CTX_set_cipher_list(ssl_ctx, ciphers_string))
+ {
+ logprintf(LOG_NOTQUIET, _("OpenSSL: Invalid cipher list: %s\n"), ciphers_string);
+ goto error;
+ }
+
+ SSL_CTX_set_default_verify_paths (ssl_ctx);
+ SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
+
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
+ /* Set X509_V_FLAG_PARTIAL_CHAIN to allow the client to anchor trust in
+ * a non-self-signed certificate. This defies RFC 4158 (Path Building)
+ * which defines a trust anchor in terms of a self-signed certificate.
+ * However, it substantially reduces attack surface by pruning the tree
+ * of unneeded trust points. For example, the cross-certified
+ * Let's Encrypt X3 CA, which protects gnu.org and appears as an
+ * intermediate CA to clients, can be used as a trust anchor without
+ * the entire IdentTrust PKI.
+ */
+ X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+ if (param)
+ {
+ /* We only want X509_V_FLAG_PARTIAL_CHAIN, but the OpenSSL docs
+ * say to use X509_V_FLAG_TRUSTED_FIRST also. It looks like
+ * X509_V_FLAG_TRUSTED_FIRST applies to a collection of trust
+ * anchors and not a single trust anchor.
+ */
+ (void) X509_VERIFY_PARAM_set_flags (param, X509_V_FLAG_TRUSTED_FIRST | X509_V_FLAG_PARTIAL_CHAIN);
+ if (SSL_CTX_set1_param (ssl_ctx, param) == 0)
+ logprintf(LOG_NOTQUIET, _("OpenSSL: Failed set trust to partial chain\n"));
+ /* We continue on error */
+ X509_VERIFY_PARAM_free (param);
+ }
+ else
+ {
+ logprintf(LOG_NOTQUIET, _("OpenSSL: Failed to allocate verification param\n"));
+ /* We continue on error */
+ }
+#endif
+
+ if (opt.crl_file)
+ {
+ X509_STORE *store = SSL_CTX_get_cert_store (ssl_ctx);
+ X509_LOOKUP *lookup;
+
+ if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ()))
+ || (!X509_load_crl_file (lookup, opt.crl_file, X509_FILETYPE_PEM)))
+ goto error;
+
+ X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+ }
+
+ /* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the
+ certificate is invalid. We verify the certificate separately in
+ ssl_check_certificate, which provides much better diagnostics
+ than examining the error stack after a failed SSL_connect. */
+ SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
+
+ /* Use the private key from the cert file unless otherwise specified. */
+ if (opt.cert_file && !opt.private_key)
+ {
+ opt.private_key = xstrdup (opt.cert_file);
+ opt.private_key_type = opt.cert_type;
+ }
+
+ /* Use cert from private key file unless otherwise specified. */
+ if (opt.private_key && !opt.cert_file)
+ {
+ opt.cert_file = xstrdup (opt.private_key);
+ opt.cert_type = opt.private_key_type;
+ }
+
+ if (opt.cert_file)
+ if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file,
+ key_type_to_ssl_type (opt.cert_type))
+ != 1)
+ goto error;
+ if (opt.private_key)
+ if (SSL_CTX_use_PrivateKey_file (ssl_ctx, opt.private_key,
+ key_type_to_ssl_type (opt.private_key_type))
+ != 1)
+ goto error;
+
+ /* Since fd_write unconditionally assumes partial writes (and
+ handles them correctly), allow them in OpenSSL. */
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+
+ /* The OpenSSL library can handle renegotiations automatically, so
+ tell it to do so. */
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY);
+
+ return true;
+
+ error:
+ if (ssl_ctx)
+ SSL_CTX_free (ssl_ctx);
+ print_errors ();
+ return false;
+}
+
+void
+ssl_cleanup (void)
+{
+}
+
+struct openssl_transport_context
+{
+ SSL *conn; /* SSL connection handle */
+ SSL_SESSION *sess; /* SSL session info */
+ char *last_error; /* last error printed with openssl_errstr */
+};
+
+typedef int (*ssl_fn_t)(SSL *, void *, int);
+
+#ifdef OPENSSL_RUN_WITHTIMEOUT
+
+struct scwt_context
+{
+ SSL *ssl;
+ int result;
+};
+
+static void
+ssl_connect_with_timeout_callback(void *arg)
+{
+ struct scwt_context *ctx = (struct scwt_context *)arg;
+ ctx->result = SSL_connect(ctx->ssl);
+}
+
+static int
+ssl_connect_with_timeout(int fd _GL_UNUSED, SSL *conn, double timeout)
+{
+ struct scwt_context scwt_ctx;
+ scwt_ctx.ssl = conn;
+ errno = 0;
+ if (run_with_timeout(timeout, ssl_connect_with_timeout_callback,
+ &scwt_ctx))
+ {
+ errno = ETIMEDOUT;
+ return -1;
+ }
+ return scwt_ctx.result;
+}
+
+struct openssl_read_args
+{
+ int fd;
+ struct openssl_transport_context *ctx;
+ ssl_fn_t fn;
+ char *buf;
+ int bufsize;
+ int retval;
+};
+
+static void
+openssl_read_peek_callback(void *arg)
+{
+ struct openssl_read_args *args = (struct openssl_read_args *) arg;
+ struct openssl_transport_context *ctx = args->ctx;
+ ssl_fn_t fn = args->fn;
+ SSL *conn = ctx->conn;
+ char *buf = args->buf;
+ int bufsize = args->bufsize;
+ int ret;
+
+ do
+ {
+ ret = fn (conn, buf, bufsize);
+ }
+ while (ret == -1 && SSL_get_error (conn, ret) == SSL_ERROR_SYSCALL && errno == EINTR);
+ args->retval = ret;
+}
+
+static int
+openssl_read_peek (int fd, char *buf, int bufsize, void *arg, double timeout, ssl_fn_t fn)
+{
+ struct openssl_transport_context *ctx = arg;
+ int ret = SSL_pending (ctx->conn);
+
+ if (ret)
+ ret = fn (ctx->conn, buf, MIN (bufsize, ret));
+ else
+ {
+ struct openssl_read_args args;
+ args.fd = fd;
+ args.buf = buf;
+ args.bufsize = bufsize;
+ args.fn = fn;
+ args.ctx = ctx;
+
+ if (timeout == -1)
+ timeout = opt.read_timeout;
+
+ if (run_with_timeout(timeout, openssl_read_peek_callback, &args))
+ {
+ errno = ETIMEDOUT;
+ ret = -1;
+ }
+ else
+ ret = args.retval;
+ }
+ return ret;
+}
+
+#else /* OPENSSL_RUN_WITHTIMEOUT */
+
+#ifdef F_GETFL
+#define NONBLOCK_DECL int flags = 0;
+#define FD_SET_NONBLOCKED(_fd) \
+ flags = fcntl (_fd, F_GETFL, 0); \
+ if (flags < 0) \
+ return flags; \
+ if (fcntl (_fd, F_SETFL, flags | O_NONBLOCK)) \
+ return -1;
+#define FD_SET_BLOCKED(_fd) \
+ if (fcntl (_fd, F_SETFL, flags) < 0) \
+ return -1;
+#else
+#define NONBLOCK_DECL
+#define FD_SET_NONBLOCKED(_fd) \
+ {\
+ const int one = 1;\
+ if (ioctl (_fd, FIONBIO, &one) < 0)\
+ return -1;\
+ }
+#define FD_SET_BLOCKED(_fd) \
+ {\
+ const int zero = 0;\
+ if (ioctl (_fd, FIONBIO, &zero) < 0)\
+ return -1;\
+ }
+#endif /* F_GETFL */
+
+#define TIMER_INIT(_fd, _ret, _timeout) \
+ { \
+ NONBLOCK_DECL \
+ int timed_out = 0; \
+ FD_SET_NONBLOCKED(_fd) \
+ struct ptimer *timer = ptimer_new (); \
+ if (timer == NULL) \
+ _ret = -1; \
+ else \
+ { \
+ double next_timeout = _timeout;
+
+#define TIMER_FREE(_fd) \
+ ptimer_destroy (timer); \
+ } \
+ FD_SET_BLOCKED(_fd) \
+ if (timed_out) \
+ { \
+ errno = ETIMEDOUT; \
+ } \
+ }
+
+#define TIMER_WAIT(_fd, _conn, _ret, _timeout) \
+ { \
+ int wait_for; \
+ int err = SSL_get_error(_conn, _ret); \
+ if (err == SSL_ERROR_WANT_READ) \
+ wait_for = WAIT_FOR_READ; \
+ else if (err == SSL_ERROR_WANT_WRITE) \
+ wait_for = WAIT_FOR_WRITE; \
+ else \
+ break; \
+ err = select_fd_nb (_fd, next_timeout, wait_for); \
+ if (err <= 0) \
+ { \
+ if (err == 0) \
+timedout: \
+ timed_out = 1; \
+ _ret = -1; \
+ break; \
+ } \
+ next_timeout = _timeout - ptimer_measure (timer); \
+ if (next_timeout <= 0) \
+ goto timedout; \
+ }
+
+static int
+ssl_connect_with_timeout(int fd, SSL *conn, double timeout)
+{
+ int ret;
+
+ errno = 0;
+ if (timeout == 0)
+ ret = SSL_connect(conn);
+ else
+ {
+ TIMER_INIT(fd, ret, timeout)
+ ERR_clear_error();
+ while( (ret = SSL_connect(conn)) < 0 )
+ TIMER_WAIT(fd, conn, ret, timeout)
+ TIMER_FREE(fd)
+ }
+
+ return ret;
+}
+
+static int
+openssl_read_peek (int fd, char *buf, int bufsize, void *arg, double timeout, ssl_fn_t fn)
+{
+ struct openssl_transport_context *ctx = arg;
+ int ret = SSL_pending (ctx->conn);
+
+ if (timeout == -1)
+ timeout = opt.read_timeout;
+ /* If we have data available for immediate read, simply return that,
+ or do blocked read when timeout == 0 */
+ if (ret || timeout == 0)
+ do
+ {
+ ret = fn (ctx->conn, buf, (ret ? MIN (bufsize, ret) : bufsize));
+ }
+ while (ret == -1 && SSL_get_error (ctx->conn, ret) == SSL_ERROR_SYSCALL && errno == EINTR);
+ else
+ {
+ TIMER_INIT(fd, ret, timeout)
+ while( (ret = fn (ctx->conn, buf, bufsize)) <= 0 )
+ TIMER_WAIT(fd, ctx->conn, ret, timeout)
+ TIMER_FREE(fd)
+ }
+
+ return ret;
+}
+
+#endif /* OPENSSL_RUN_WITHTIMEOUT */
+
+static int
+openssl_read (int fd, char *buf, int bufsize, void *arg, double timeout)
+{
+ return openssl_read_peek (fd, buf, bufsize, arg, timeout, SSL_read);
+}
+
+static int
+openssl_write (int fd _GL_UNUSED, char *buf, int bufsize, void *arg)
+{
+ int ret = 0;
+ struct openssl_transport_context *ctx = arg;
+ SSL *conn = ctx->conn;
+ do
+ ret = SSL_write (conn, buf, bufsize);
+ while (ret == -1 && SSL_get_error (conn, ret) == SSL_ERROR_SYSCALL && errno == EINTR);
+ return ret;
+}
+
+static int
+openssl_poll (int fd, double timeout, int wait_for, void *arg)
+{
+ struct openssl_transport_context *ctx = arg;
+ SSL *conn = ctx->conn;
+ if ((wait_for & WAIT_FOR_READ) && SSL_pending (conn))
+ return 1;
+ /* if (timeout == 0)
+ return 1; */
+ if (timeout == -1)
+ timeout = opt.read_timeout;
+ return select_fd (fd, timeout, wait_for);
+}
+
+static int
+openssl_peek (int fd, char *buf, int bufsize, void *arg, double timeout)
+{
+ return openssl_read_peek (fd, buf, bufsize, arg, timeout, SSL_peek);
+}
+
+static const char *
+openssl_errstr (int fd _GL_UNUSED, void *arg)
+{
+ struct openssl_transport_context *ctx = arg;
+ unsigned long errcode;
+ char *errmsg = NULL;
+ int msglen = 0;
+
+ /* If there are no SSL-specific errors, just return NULL. */
+ if ((errcode = ERR_get_error ()) == 0)
+ return NULL;
+
+ /* Get rid of previous contents of ctx->last_error, if any. */
+ xfree (ctx->last_error);
+
+ /* Iterate over OpenSSL's error stack and accumulate errors in the
+ last_error buffer, separated by "; ". This is better than using
+ a static buffer, which *always* takes up space (and has to be
+ large, to fit more than one error message), whereas these
+ allocations are only performed when there is an actual error. */
+
+ for (;;)
+ {
+ const char *str = ERR_error_string (errcode, NULL);
+ int len = strlen (str);
+
+ /* Allocate space for the existing message, plus two more chars
+ for the "; " separator and one for the terminating \0. */
+ errmsg = xrealloc (errmsg, msglen + len + 2 + 1);
+ memcpy (errmsg + msglen, str, len);
+ msglen += len;
+
+ /* Get next error and bail out if there are no more. */
+ errcode = ERR_get_error ();
+ if (errcode == 0)
+ break;
+
+ errmsg[msglen++] = ';';
+ errmsg[msglen++] = ' ';
+ }
+ errmsg[msglen] = '\0';
+
+ /* Store the error in ctx->last_error where openssl_close will
+ eventually find it and free it. */
+ ctx->last_error = errmsg;
+
+ return errmsg;
+}
+
+static void
+openssl_close (int fd, void *arg)
+{
+ struct openssl_transport_context *ctx = arg;
+ SSL *conn = ctx->conn;
+
+ SSL_shutdown (conn);
+ SSL_free (conn);
+ xfree (ctx->last_error);
+ xfree (ctx);
+
+ close (fd);
+
+ DEBUGP (("Closed %d/SSL 0x%0*lx\n", fd, PTR_FORMAT (conn)));
+}
+
+/* openssl_transport is the singleton that describes the SSL transport
+ methods provided by this file. */
+
+static struct transport_implementation openssl_transport = {
+ openssl_read, openssl_write, openssl_poll,
+ openssl_peek, openssl_errstr, openssl_close
+};
+
+static const char *
+_sni_hostname(const char *hostname)
+{
+ size_t len = strlen(hostname);
+
+ char *sni_hostname = xmemdup(hostname, len + 1);
+
+ /* Remove trailing dot(s) to fix #47408.
+ * Regarding RFC 6066 (SNI): The hostname is represented as a byte
+ * string using ASCII encoding without a trailing dot. */
+ while (len && sni_hostname[--len] == '.')
+ sni_hostname[len] = 0;
+
+ return sni_hostname;
+}
+
+/* Perform the SSL handshake on file descriptor FD, which is assumed
+ to be connected to an SSL server. The SSL handle provided by
+ OpenSSL is registered with the file descriptor FD using
+ fd_register_transport, so that subsequent calls to fd_read,
+ fd_write, etc., will use the corresponding SSL functions.
+
+ Returns true on success, false on failure. */
+
+bool
+ssl_connect_wget (int fd, const char *hostname, int *continue_session)
+{
+ SSL *conn;
+ struct openssl_transport_context *ctx;
+
+ DEBUGP (("Initiating SSL handshake.\n"));
+
+ assert (ssl_ctx != NULL);
+ conn = SSL_new (ssl_ctx);
+ if (!conn)
+ goto error;
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ /* If the SSL library was built with support for ServerNameIndication
+ then use it whenever we have a hostname. If not, don't, ever. */
+ if (! is_valid_ip_address (hostname))
+ {
+ const char *sni_hostname = _sni_hostname(hostname);
+
+ long rc = SSL_set_tlsext_host_name (conn, sni_hostname);
+ xfree(sni_hostname);
+
+ if (rc == 0)
+ {
+ DEBUGP (("Failed to set TLS server-name indication."));
+ goto error;
+ }
+ }
+#endif
+
+ if (continue_session)
+ {
+ /* attempt to resume a previous SSL session */
+ ctx = (struct openssl_transport_context *) fd_transport_context (*continue_session);
+ if (!ctx || !ctx->sess || !SSL_set_session (conn, ctx->sess))
+ goto error;
+ }
+
+#ifndef FD_TO_SOCKET
+# define FD_TO_SOCKET(X) (X)
+#endif
+ if (!SSL_set_fd (conn, FD_TO_SOCKET (fd)))
+ goto error;
+ SSL_set_connect_state (conn);
+
+ /* Re-seed the PRNG before the SSL handshake */
+ init_prng ();
+ if (RAND_status () != 1)
+ {
+ logprintf(LOG_NOTQUIET,
+ _("WARNING: Could not seed PRNG. Consider using --random-file.\n"));
+ goto error;
+ }
+
+ if (ssl_connect_with_timeout(fd, conn, opt.read_timeout) <= 0
+ || !SSL_is_init_finished(conn))
+ goto timedout;
+
+ ctx = xnew0 (struct openssl_transport_context);
+ ctx->conn = conn;
+ ctx->sess = SSL_get0_session (conn);
+ if (!ctx->sess)
+ logprintf (LOG_NOTQUIET, "WARNING: Could not save SSL session data for socket %d\n", fd);
+
+ /* Register FD with Wget's transport layer, i.e. arrange that our
+ functions are used for reading, writing, and polling. */
+ fd_register_transport (fd, &openssl_transport, ctx);
+ DEBUGP (("Handshake successful; connected socket %d to SSL handle 0x%0*lx\n",
+ fd, PTR_FORMAT (conn)));
+
+ ERR_clear_error ();
+ return true;
+
+ timedout:
+ if (errno == ETIMEDOUT)
+ DEBUGP (("SSL handshake timed out.\n"));
+ else
+ error:
+ DEBUGP (("SSL handshake failed.\n"));
+ print_errors ();
+ if (conn)
+ SSL_free (conn);
+ return false;
+}
+
+#define ASTERISK_EXCLUDES_DOT /* mandated by rfc2818 */
+
+/* Return true is STRING (case-insensitively) matches PATTERN, false
+ otherwise. The recognized wildcard character is "*", which matches
+ any character in STRING except ".". Any number of the "*" wildcard
+ may be present in the pattern.
+
+ This is used to match of hosts as indicated in rfc2818: "Names may
+ contain the wildcard character * which is considered to match any
+ single domain name component or component fragment. E.g., *.a.com
+ matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but
+ not bar.com [or foo.bar.com]."
+
+ If the pattern contain no wildcards, pattern_match(a, b) is
+ equivalent to !strcasecmp(a, b). */
+
+static bool
+pattern_match (const char *pattern, const char *string)
+{
+ const char *p = pattern, *n = string;
+ char c;
+ for (; (c = c_tolower (*p++)) != '\0'; n++)
+ if (c == '*')
+ {
+ for (c = c_tolower (*p); c == '*'; c = c_tolower (*++p))
+ ;
+ for (; *n != '\0'; n++)
+ if (c_tolower (*n) == c && pattern_match (p, n))
+ return true;
+#ifdef ASTERISK_EXCLUDES_DOT
+ else if (*n == '.')
+ return false;
+#endif
+ return c == '\0';
+ }
+ else
+ {
+ if (c != c_tolower (*n))
+ return false;
+ }
+ return *n == '\0';
+}
+
+static char *_get_rfc2253_formatted (X509_NAME *name)
+{
+ int len;
+ char *out = NULL;
+ BIO* b;
+
+ if ((b = BIO_new (BIO_s_mem ())))
+ {
+ if (X509_NAME_print_ex (b, name, 0, XN_FLAG_RFC2253) >= 0
+ && (len = BIO_number_written (b)) > 0)
+ {
+ out = xmalloc (len + 1);
+ BIO_read (b, out, len);
+ out[len] = 0;
+ }
+ BIO_free (b);
+ }
+
+ return out ? out : xstrdup("");
+}
+
+/*
+ * Heavily modified from:
+ * https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
+ */
+static bool
+pkp_pin_peer_pubkey (X509* cert, const char *pinnedpubkey)
+{
+ /* Scratch */
+ int len1 = 0, len2 = 0;
+ char *buff1 = NULL, *temp = NULL;
+
+ /* Result is returned to caller */
+ bool result = false;
+
+ /* if a path wasn't specified, don't pin */
+ if (!pinnedpubkey)
+ return true;
+
+ if (!cert)
+ return result;
+
+ /* Begin Gyrations to get the subjectPublicKeyInfo */
+ /* Thanks to Viktor Dukhovni on the OpenSSL mailing list */
+
+ /* https://groups.google.com/group/mailing.openssl.users/browse_thread
+ /thread/d61858dae102c6c7 */
+ len1 = i2d_X509_PUBKEY (X509_get_X509_PUBKEY (cert), NULL);
+ if (len1 < 1)
+ goto cleanup; /* failed */
+
+ /* https://www.openssl.org/docs/crypto/buffer.html */
+ buff1 = temp = OPENSSL_malloc (len1);
+ if (!buff1)
+ goto cleanup; /* failed */
+
+ /* https://www.openssl.org/docs/crypto/d2i_X509.html */
+ len2 = i2d_X509_PUBKEY (X509_get_X509_PUBKEY (cert), (unsigned char **) &temp);
+
+ /*
+ * These checks are verifying we got back the same values as when we
+ * sized the buffer. It's pretty weak since they should always be the
+ * same. But it gives us something to test.
+ */
+ if ((len1 != len2) || !temp || ((temp - buff1) != len1))
+ goto cleanup; /* failed */
+
+ /* End Gyrations */
+
+ /* The one good exit point */
+ result = wg_pin_peer_pubkey (pinnedpubkey, buff1, len1);
+
+ cleanup:
+ /* https://www.openssl.org/docs/crypto/buffer.html */
+ if (NULL != buff1)
+ OPENSSL_free (buff1);
+
+ return result;
+}
+
+/* Verify the validity of the certificate presented by the server.
+ Also check that the "common name" of the server, as presented by
+ its certificate, corresponds to HOST. (HOST typically comes from
+ the URL and is what the user thinks he's connecting to.)
+
+ This assumes that ssl_connect_wget has successfully finished, i.e. that
+ the SSL handshake has been performed and that FD is connected to an
+ SSL handle.
+
+ If opt.check_cert is true (the default), this returns 1 if the
+ certificate is valid, 0 otherwise. If opt.check_cert is 0, the
+ function always returns 1, but should still be called because it
+ warns the user about any problems with the certificate. */
+
+bool
+ssl_check_certificate (int fd, const char *host)
+{
+ X509 *cert;
+ GENERAL_NAMES *subjectAltNames;
+ char common_name[256];
+ long vresult;
+ bool success = true;
+ bool alt_name_checked = false;
+ bool pinsuccess = opt.pinnedpubkey == NULL;
+
+ /* If the user has specified --no-check-cert, we still want to warn
+ him about problems with the server's certificate. */
+ const char *severity = opt.check_cert ? _("ERROR") : _("WARNING");
+
+ struct openssl_transport_context *ctx = fd_transport_context (fd);
+ SSL *conn = ctx->conn;
+ assert (conn != NULL);
+
+ /* The user explicitly said to not check for the certificate. */
+ if (opt.check_cert == CHECK_CERT_QUIET && pinsuccess)
+ return success;
+
+ cert = SSL_get_peer_certificate (conn);
+ if (!cert)
+ {
+ logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"),
+ severity, quotearg_style (escape_quoting_style, host));
+ success = false;
+ goto no_cert; /* must bail out since CERT is NULL */
+ }
+
+ IF_DEBUG
+ {
+ char *subject = _get_rfc2253_formatted (X509_get_subject_name (cert));
+ char *issuer = _get_rfc2253_formatted (X509_get_issuer_name (cert));
+ DEBUGP (("certificate:\n subject: %s\n issuer: %s\n",
+ quotearg_n_style (0, escape_quoting_style, subject),
+ quotearg_n_style (1, escape_quoting_style, issuer)));
+ xfree (subject);
+ xfree (issuer);
+ }
+
+ vresult = SSL_get_verify_result (conn);
+ if (vresult != X509_V_OK)
+ {
+ char *issuer = _get_rfc2253_formatted (X509_get_issuer_name (cert));
+ logprintf (LOG_NOTQUIET,
+ _("%s: cannot verify %s's certificate, issued by %s:\n"),
+ severity, quotearg_n_style (0, escape_quoting_style, host),
+ quote_n (1, issuer));
+ xfree(issuer);
+
+ /* Try to print more user-friendly (and translated) messages for
+ the frequent verification errors. */
+ switch (vresult)
+ {
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ logprintf (LOG_NOTQUIET,
+ _(" Unable to locally verify the issuer's authority.\n"));
+ break;
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ logprintf (LOG_NOTQUIET,
+ _(" Self-signed certificate encountered.\n"));
+ break;
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n"));
+ break;
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ logprintf (LOG_NOTQUIET, _(" Issued certificate has expired.\n"));
+ break;
+ default:
+ /* For the less frequent error strings, simply provide the
+ OpenSSL error message. */
+ logprintf (LOG_NOTQUIET, " %s\n",
+ X509_verify_cert_error_string (vresult));
+ }
+ success = false;
+ /* Fall through, so that the user is warned about *all* issues
+ with the cert (important with --no-check-certificate.) */
+ }
+
+ /* Check that HOST matches the common name in the certificate.
+ #### The following remains to be done:
+
+ - When matching against common names, it should loop over all
+ common names and choose the most specific one, i.e. the last
+ one, not the first one, which the current code picks.
+
+ - Ensure that ASN1 strings from the certificate are encoded as
+ UTF-8 which can be meaningfully compared to HOST. */
+
+ subjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL);
+
+ if (subjectAltNames)
+ {
+ /* Test subject alternative names */
+
+ /* SNI hostname must not have a trailing dot */
+ const char *sni_hostname = _sni_hostname(host);
+
+ /* Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)?
+ * Signal it by host_in_octet_string. */
+ ASN1_OCTET_STRING *host_in_octet_string = a2i_IPADDRESS (sni_hostname);
+
+ int numaltnames = sk_GENERAL_NAME_num (subjectAltNames);
+ int i;
+ for (i=0; i < numaltnames; i++)
+ {
+ const GENERAL_NAME *name =
+ sk_GENERAL_NAME_value (subjectAltNames, i);
+ if (name)
+ {
+ if (host_in_octet_string)
+ {
+ if (name->type == GEN_IPADD)
+ {
+ /* Check for ipAddress */
+ /* TODO: Should we convert between IPv4-mapped IPv6
+ * addresses and IPv4 addresses? */
+ alt_name_checked = true;
+ if (!ASN1_STRING_cmp (host_in_octet_string,
+ name->d.iPAddress))
+ break;
+ }
+ }
+ else if (name->type == GEN_DNS)
+ {
+ /* dNSName should be IA5String (i.e. ASCII), however who
+ * does trust CA? Convert it into UTF-8 for sure. */
+ unsigned char *name_in_utf8 = NULL;
+
+ /* Check for dNSName */
+ alt_name_checked = true;
+
+ if (0 <= ASN1_STRING_to_UTF8 (&name_in_utf8, name->d.dNSName))
+ {
+ /* Compare and check for NULL attack in ASN1_STRING */
+ if (pattern_match ((char *)name_in_utf8, sni_hostname) &&
+ (strlen ((char *)name_in_utf8) ==
+ (size_t) ASN1_STRING_length (name->d.dNSName)))
+ {
+ OPENSSL_free (name_in_utf8);
+ break;
+ }
+ OPENSSL_free (name_in_utf8);
+ }
+ }
+ }
+ }
+ sk_GENERAL_NAME_pop_free(subjectAltNames, GENERAL_NAME_free);
+ if (host_in_octet_string)
+ ASN1_OCTET_STRING_free(host_in_octet_string);
+
+ if (alt_name_checked == true && i >= numaltnames)
+ {
+ logprintf (LOG_NOTQUIET,
+ _("%s: no certificate subject alternative name matches\n"
+ "\trequested host name %s.\n"),
+ severity, quote_n (1, sni_hostname));
+ success = false;
+ }
+
+ xfree(sni_hostname);
+ }
+
+ if (alt_name_checked == false)
+ {
+ /* Test commomName */
+ X509_NAME *xname = X509_get_subject_name(cert);
+ common_name[0] = '\0';
+ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
+ sizeof (common_name));
+
+ if (!pattern_match (common_name, host))
+ {
+ logprintf (LOG_NOTQUIET, _("\
+ %s: certificate common name %s doesn't match requested host name %s.\n"),
+ severity, quote_n (0, common_name), quote_n (1, host));
+ success = false;
+ }
+ else
+ {
+ /* We now determine the length of the ASN1 string. If it
+ * differs from common_name's length, then there is a \0
+ * before the string terminates. This can be an instance of a
+ * null-prefix attack.
+ *
+ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
+ * */
+
+ int i = -1, j;
+ X509_NAME_ENTRY *xentry;
+ ASN1_STRING *sdata;
+
+ if (xname) {
+ for (;;)
+ {
+ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
+ if (j == -1) break;
+ i = j;
+ }
+ }
+
+ xentry = X509_NAME_get_entry(xname,i);
+ sdata = X509_NAME_ENTRY_get_data(xentry);
+ if (strlen (common_name) != (size_t) ASN1_STRING_length (sdata))
+ {
+ logprintf (LOG_NOTQUIET, _("\
+ %s: certificate common name is invalid (contains a NUL character).\n\
+ This may be an indication that the host is not who it claims to be\n\
+ (that is, it is not the real %s).\n"),
+ severity, quote (host));
+ success = false;
+ }
+ }
+ }
+
+ pinsuccess = pkp_pin_peer_pubkey (cert, opt.pinnedpubkey);
+ if (!pinsuccess)
+ {
+ logprintf (LOG_ALWAYS, _("The public key does not match pinned public key!\n"));
+ success = false;
+ }
+
+
+ if (success)
+ DEBUGP (("X509 certificate successfully verified and matches host %s\n",
+ quotearg_style (escape_quoting_style, host)));
+ X509_free (cert);
+
+ no_cert:
+ if (opt.check_cert == CHECK_CERT_ON && !success)
+ logprintf (LOG_NOTQUIET, _("\
+To connect to %s insecurely, use `--no-check-certificate'.\n"),
+ quotearg_style (escape_quoting_style, host));
+
+ /* never return true if pinsuccess fails */
+ return !pinsuccess ? false : (opt.check_cert == CHECK_CERT_ON ? success : true);
+}
+
+/*
+ * vim: tabstop=2 shiftwidth=2 softtabstop=2
+ */