? libfetch-ssl-verification.diff
? ssl.diff
Index: ftp.1
===================================================================
RCS file: /cvsroot/src/usr.bin/ftp/ftp.1,v
retrieving revision 1.146
diff -u -p -u -r1.146 ftp.1
--- ftp.1	25 Apr 2021 09:09:55 -0000	1.146
+++ ftp.1	29 Aug 2022 14:55:35 -0000
@@ -57,7 +57,7 @@
 .\"
 .\"	@(#)ftp.1	8.3 (Berkeley) 10/9/94
 .\"
-.Dd April 25, 2021
+.Dd August 29, 2022
 .Dt FTP 1
 .Os
 .Sh NAME
@@ -2320,6 +2320,8 @@ file, if one exists.
 An alternate location of the
 .Pa .netrc
 file.
+.It Ev NO_CERT_VERIFY
+Don't verify SSL certificates.
 .It Ev PAGER
 Used by various commands to display files.
 Defaults to
Index: ssl.c
===================================================================
RCS file: /cvsroot/src/usr.bin/ftp/ssl.c,v
retrieving revision 1.10
diff -u -p -u -r1.10 ssl.c
--- ssl.c	3 Jun 2021 10:23:33 -0000	1.10
+++ ssl.c	29 Aug 2022 14:55:35 -0000
@@ -587,7 +587,9 @@ fetch_start_ssl(int sock, const char *se
 {
 	SSL *ssl;
 	SSL_CTX *ctx;
+	X509_VERIFY_PARAM *param;
 	int ret, ssl_err;
+	int verify = getenv("NO_CERT_VERIFY") == NULL;
 
 	/* Init the SSL library and context */
 	if (!SSL_library_init()){
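Review bot: The `verify` initializer treats the mere presence of NO_CERT_VERIFY as the opt-out, so `NO_CERT_VERIFY=` (empty) also disables certificate verification; a reader of the ftp.1 entry in this patch would not guess that. If presence-only is the intended contract, say so next to the test: `/* Any value of NO_CERT_VERIFY, even an empty one, disables peer verification */`; otherwise test the value rather than just getenv's result. The rest of fetch_start_ssl starts before this hunk.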
@@ -599,6 +601,10 @@ fetch_start_ssl(int sock, const char *se
 
 	ctx = SSL_CTX_new(SSLv23_client_method());
 	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+	if (verify) {
+		SSL_CTX_set_default_verify_paths(ctx);
+		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+	}
 
 	ssl = SSL_new(ctx);
 	if (ssl == NULL){
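Review bot: The return value of `SSL_CTX_set_default_verify_paths(ctx)` is ignored, so when the default CA store cannot be loaded, verification is still switched on and every connection later fails with a generic verify error instead of a message naming the real cause. Since this path is the one that decides whether verification can work at all, check it the way the hunk below checks X509_VERIFY_PARAM_set1_host: `if (!SSL_CTX_set_default_verify_paths(ctx)) { fprintf(ttyout, "SSL CA path setup failed\n"); SSL_CTX_free(ctx); return NULL; }`. The `SSL_CTX_set_verify` call here and the `SSL_set_verify` in the next hunk do the same thing twice; one of them can go. fetch_start_ssl's body continues outside this hunk.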
@@ -606,6 +612,19 @@ fetch_start_ssl(int sock, const char *se
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
+
+	if (verify) {
+		param = SSL_get0_param(ssl);
+		if (!X509_VERIFY_PARAM_set1_host(param, servername,
+		    strlen(servername))) {
+			fprintf(ttyout, "SSL verification setup failed\n");
+			return NULL;
+		}
+
+		/* Enable peer verification, (using the default callback) */
+		SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+	}
+
 	SSL_set_fd(ssl, sock);
 	if (!SSL_set_tlsext_host_name(ssl, __UNCONST(servername))) {
 		fprintf(ttyout, "SSL hostname setting failed\n");
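Review bot: The new `return NULL` after "SSL verification setup failed" leaks both `ssl` and `ctx`: at that point SSL_new has succeeded, yet neither object is released, unlike the SSL_new failure path a few lines above which frees the context before returning. Release both before bailing out: `SSL_free(ssl);` and `SSL_CTX_free(ctx);` ahead of the `return NULL;`. Whether the existing "SSL hostname setting failed" path below frees them cannot be seen here, since fetch_start_ssl continues past the end of the hunk; if it does, the new branch should mirror it exactly.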