int
connect_to_ip (const ip_address *ip, int port, const char *print)
{
struct sockaddr_storage ss;
struct sockaddr *sa = (struct sockaddr *)&ss;
int sock;
/* If PRINT is non-NULL, print the "Connecting to..." line, with
PRINT being the host name we're connecting to. */
if (print)
{
const char *txt_addr = print_address (ip);
if (print && 0 != strcmp (print, txt_addr))
logprintf (LOG_VERBOSE, _("Connecting to %s|%s|:%d... "),
escnonprint (print), txt_addr, port);
else
logprintf (LOG_VERBOSE, _("Connecting to %s:%d... "), txt_addr, port);
}
/* Store the sockaddr info to SA. */
sockaddr_set_data (sa, ip, port);
/* Create the socket of the family appropriate for the address. */
sock = socket (sa->sa_family, SOCK_STREAM, 0);
if (sock < 0)
goto err;
#if defined(ENABLE_IPV6) && defined(IPV6_V6ONLY)
if (opt.ipv6_only) {
int on = 1;
/* In case of error, we will go on anyway... */
int err = setsockopt (sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof (on));
IF_DEBUG
if (err < 0)
DEBUGP (("Failed setting IPV6_V6ONLY: %s", strerror (errno)));
}
struct address_list *
lookup_host (const char *host, int flags)
{
struct address_list *al;
int silent = flags & LH_SILENT;
int use_cache;
int numeric_address = 0;
double timeout = opt.dns_timeout;
#ifndef ENABLE_IPV6
/* If we're not using getaddrinfo, first check if HOST specifies a
numeric IPv4 address. Some implementations of gethostbyname
(e.g. the Ultrix one and possibly Winsock) don't accept
dotted-decimal IPv4 addresses. */
{
uint32_t addr_ipv4 = (uint32_t)inet_addr (host);
if (addr_ipv4 != (uint32_t) -1)
{
/* No need to cache host->addr relation, just return the
address. */
char *vec[2];
vec[0] = (char *)&addr_ipv4;
vec[1] = NULL;
return address_list_from_ipv4_addresses (vec);
}
}
#else /* ENABLE_IPV6 */
/* If we're using getaddrinfo, at least check whether the address is
already numeric, in which case there is no need to print the
"Resolving..." output. (This comes at no additional cost since
the is_valid_ipv*_address are already required for
url_parse.) */
{
const char *end = host + strlen (host);
if (is_valid_ipv4_address (host, end) || is_valid_ipv6_address (host, end))
numeric_address = 1;
}
#endif
/* Cache is normally on, but can be turned off with --no-dns-cache.
Don't cache passive lookups under IPv6. */
use_cache = opt.dns_cache;
#ifdef ENABLE_IPV6
if ((flags & LH_BIND) || numeric_address)
use_cache = 0;
#endif
/* Try to find the host in the cache so we don't need to talk to the
resolver. If LH_REFRESH is requested, remove HOST from the cache
instead. */
if (use_cache)
{
if (!(flags & LH_REFRESH))
{
al = cache_query (host);
if (al)
return al;
}
else
cache_remove (host);
}
/* No luck with the cache; resolve HOST. */
if (!silent && !numeric_address)
logprintf (LOG_VERBOSE, _("Resolving %s... "), escnonprint (host));
#ifdef ENABLE_IPV6
{
int err;
struct addrinfo hints, *res;
xzero (hints);
hints.ai_socktype = SOCK_STREAM;
if (opt.ipv4_only)
hints.ai_family = AF_INET;
else if (opt.ipv6_only)
hints.ai_family = AF_INET6;
else
/* We tried using AI_ADDRCONFIG, but removed it because: it
misinterprets IPv6 loopbacks, it is broken on AIX 5.1, and
it's unneeded since we sort the addresses anyway. */
hints.ai_family = AF_UNSPEC;
if (flags & LH_BIND)
hints.ai_flags |= AI_PASSIVE;
#ifdef AI_NUMERICHOST
if (numeric_address)
{
/* Where available, the AI_NUMERICHOST hint can prevent costly
access to DNS servers. */
hints.ai_flags |= AI_NUMERICHOST;
timeout = 0; /* no timeout needed when "resolving"
numeric hosts -- avoid setting up
signal handlers and such. */
}
#endif
err = getaddrinfo_with_timeout (host, NULL, &hints, &res, timeout);
if (err != 0 || res == NULL)
{
if (!silent)
logprintf (LOG_VERBOSE, _("failed: %s.\n"),
err != EAI_SYSTEM ? gai_strerror (err) : strerror (errno));
return NULL;
}
al = address_list_from_addrinfo (res);
freeaddrinfo (res);
if (!al)
{
logprintf (LOG_VERBOSE,
_("failed: No IPv4/IPv6 addresses for host.\n"));
return NULL;
}
/* Reorder addresses so that IPv4 ones (or IPv6 ones, as per
--prefer-family) come first. Sorting is stable so the order of
the addresses with the same family is undisturbed. */
if (al->count > 1 && opt.prefer_family != prefer_none)
stable_sort (al->addresses, al->count, sizeof (ip_address),
opt.prefer_family == prefer_ipv4
? cmp_prefer_ipv4 : cmp_prefer_ipv6);
}
#else /* not ENABLE_IPV6 */
{
struct hostent *hptr = gethostbyname_with_timeout (host, timeout);
if (!hptr)
{
if (!silent)
{
if (errno != ETIMEDOUT)
logprintf (LOG_VERBOSE, _("failed: %s.\n"),
host_errstr (h_errno));
else
logputs (LOG_VERBOSE, _("failed: timed out.\n"));
}
return NULL;
}
/* Do older systems have h_addr_list? */
al = address_list_from_ipv4_addresses (hptr->h_addr_list);
}
#endif /* not ENABLE_IPV6 */
/* Print the addresses determined by DNS lookup, but no more than
three. */
if (!silent && !numeric_address)
{
int i;
int printmax = al->count <= 3 ? al->count : 3;
for (i = 0; i < printmax; i++)
{
logprintf (LOG_VERBOSE, "%s",
pretty_print_address (al->addresses + i));
if (i < printmax - 1)
logputs (LOG_VERBOSE, ", ");
}
if (printmax != al->count)
logputs (LOG_VERBOSE, ", ...");
logputs (LOG_VERBOSE, "\n");
}
/* Cache the lookup information. */
if (use_cache)
cache_store (host, al);
return al;
}
bool
ssl_check_certificate (int fd, const char *host)
{
X509 *cert;
char common_name[256];
long vresult;
bool success = true;
/* If the user has specified --no-check-cert, we still want to warn
him about problems with the server's certificate. */
const char *severity = opt.check_cert ? _("ERROR") : _("WARNING");
struct openssl_transport_context *ctx = fd_transport_context (fd);
SSL *conn = ctx->conn;
assert (conn != NULL);
cert = SSL_get_peer_certificate (conn);
if (!cert)
{
logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"),
severity, escnonprint (host));
success = false;
goto no_cert; /* must bail out since CERT is NULL */
}
IF_DEBUG
{
char *subject = X509_NAME_oneline (X509_get_subject_name (cert), 0, 0);
char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
DEBUGP (("certificate:\n subject: %s\n issuer: %s\n",
escnonprint (subject), escnonprint (issuer)));
OPENSSL_free (subject);
OPENSSL_free (issuer);
}
vresult = SSL_get_verify_result (conn);
if (vresult != X509_V_OK)
{
char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
logprintf (LOG_NOTQUIET,
_("%s: cannot verify %s's certificate, issued by `%s':\n"),
severity, escnonprint (host), escnonprint (issuer));
/* Try to print more user-friendly (and translated) messages for
the frequent verification errors. */
switch (vresult)
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
logprintf (LOG_NOTQUIET,
_(" Unable to locally verify the issuer's authority.\n"));
break;
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n"));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n"));
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
logprintf (LOG_NOTQUIET, _(" Issued certificate has expired.\n"));
break;
default:
/* For the less frequent error strings, simply provide the
OpenSSL error message. */
logprintf (LOG_NOTQUIET, " %s\n",
X509_verify_cert_error_string (vresult));
}
success = false;
/* Fall through, so that the user is warned about *all* issues
with the cert (important with --no-check-certificate.) */
}
/* Check that HOST matches the common name in the certificate.
#### The following remains to be done:
- It should use dNSName/ipAddress subjectAltName extensions if
available; according to rfc2818: "If a subjectAltName extension
of type dNSName is present, that MUST be used as the identity."
- When matching against common names, it should loop over all
common names and choose the most specific one, i.e. the last
one, not the first one, which the current code picks.
- Ensure that ASN1 strings from the certificate are encoded as
UTF-8 which can be meaningfully compared to HOST. */
common_name[0] = '\0';
X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
NID_commonName, common_name, sizeof (common_name));
if (!pattern_match (common_name, host))
{
logprintf (LOG_NOTQUIET, _("\
%s: certificate common name `%s' doesn't match requested host name `%s'.\n"),
severity, escnonprint (common_name), escnonprint (host));
success = false;
}
