/* * socket.c -- socket library functions * * Copyright 1998 by Eric S. Raymond. * For license terms, see the file COPYING in this directory. */ #include "config.h" #include #include #include #include /* isspace() */ #ifdef HAVE_MEMORY_H #include #endif /* HAVE_MEMORY_H */ #include #include #ifndef HAVE_NET_SOCKET_H #include #else #include #endif #include #include #ifdef HAVE_ARPA_INET_H #include #endif #include #if defined(STDC_HEADERS) #include #endif #if defined(HAVE_UNISTD_H) #include #endif #if defined(HAVE_STDARG_H) #include #else #include #endif #if TIME_WITH_SYS_TIME # include # include #else # if HAVE_SYS_TIME_H # include # else # include # endif #endif #include "socket.h" #include "fetchmail.h" #include "getaddrinfo.h" #include "i18n.h" #include "sdump.h" /* Defines to allow BeOS and Cygwin to play nice... */ #ifdef __BEOS__ static char peeked; #define fm_close(a) closesocket(a) #define fm_write(a,b,c) send(a,b,c,0) #define fm_peek(a,b,c) recv(a,b,c,0) #define fm_read(a,b,c) recv(a,b,c,0) #else #define fm_close(a) close(a) #define fm_write(a,b,c) write(a,b,c) #define fm_peek(a,b,c) recv(a,b,c, MSG_PEEK) #ifdef __CYGWIN__ #define fm_read(a,b,c) cygwin_read(a,b,c) static ssize_t cygwin_read(int sock, void *buf, size_t count); #else /* ! __CYGWIN__ */ #define fm_read(a,b,c) read(a,b,c) #endif /* __CYGWIN__ */ #endif /* We need to define h_errno only if it is not already */ #ifndef h_errno # if !HAVE_DECL_H_ERRNO extern int h_errno; # endif #endif /* ndef h_errno */ #ifdef HAVE_SOCKETPAIR static char *const *parse_plugin(const char *plugin, const char *host, const char *service) { char **argvec; const char *c, *p; char *cp, *plugin_copy; unsigned int plugin_copy_len; unsigned int plugin_offset = 0, plugin_copy_offset = 0; unsigned int i, s = 2 * sizeof(char*), host_count = 0, service_count = 0; unsigned int plugin_len = strlen(plugin); unsigned int host_len = strlen(host); unsigned int service_len = strlen(service); for (c = p = plugin; *c; c++) { if (isspace((unsigned char)*c) && !isspace((unsigned char)*p)) s += sizeof(char*); if (*p == '%' && *c == 'h') host_count++; if (*p == '%' && *c == 'p') service_count++; p = c; } plugin_copy_len = plugin_len + host_len * host_count + service_len * service_count; plugin_copy = (char *)malloc(plugin_copy_len + 1); if (!plugin_copy) { report(stderr, GT_("fetchmail: malloc failed\n")); return NULL; } while (plugin_copy_offset < plugin_copy_len) { if ((plugin[plugin_offset] == '%') && (plugin[plugin_offset + 1] == 'h')) { strcpy(plugin_copy + plugin_copy_offset, host); plugin_offset += 2; plugin_copy_offset += host_len; } else if ((plugin[plugin_offset] == '%') && (plugin[plugin_offset + 1] == 'p')) { strcpy(plugin_copy + plugin_copy_offset, service); plugin_offset += 2; plugin_copy_offset += service_len; } else { plugin_copy[plugin_copy_offset] = plugin[plugin_offset]; plugin_offset++; plugin_copy_offset++; } } plugin_copy[plugin_copy_len] = 0; argvec = (char **)malloc(s); if (!argvec) { free(plugin_copy); report(stderr, GT_("fetchmail: malloc failed\n")); return NULL; } memset(argvec, 0, s); for (p = cp = plugin_copy, i = 0; *cp; cp++) { if ((!isspace((unsigned char)*cp)) && (cp == p ? 1 : isspace((unsigned char)*p))) { argvec[i] = cp; i++; } p = cp; } for (cp = plugin_copy; *cp; cp++) { if (isspace((unsigned char)*cp)) *cp = 0; } return argvec; } static int handle_plugin(const char *host, const char *service, const char *plugin) /* get a socket mediated through a given external command */ { int fds[2]; char *const *argvec; /* * The author of this code, Felix von Leitner , says: * he chose socketpair() instead of pipe() because socketpair creates * bidirectional sockets while allegedly some pipe() implementations don't. */ if (socketpair(AF_UNIX,SOCK_STREAM,0,fds)) { report(stderr, GT_("fetchmail: socketpair failed\n")); return -1; } switch (fork()) { case -1: /* error */ report(stderr, GT_("fetchmail: fork failed\n")); return -1; case 0: /* child */ /* fds[1] is the parent's end; close it for proper EOF ** detection */ (void) close(fds[1]); if ( (dup2(fds[0],0) == -1) || (dup2(fds[0],1) == -1) ) { report(stderr, GT_("dup2 failed\n")); _exit(EXIT_FAILURE); } /* fds[0] is now connected to 0 and 1; close it */ (void) close(fds[0]); if (outlevel >= O_VERBOSE) report(stderr, GT_("running %s (host %s service %s)\n"), plugin, host, service); argvec = parse_plugin(plugin,host,service); if (argvec == NULL) _exit(EXIT_FAILURE); execvp(*argvec, argvec); report(stderr, GT_("execvp(%s) failed\n"), *argvec); _exit(EXIT_FAILURE); break; default: /* parent */ /* NOP */ break; } /* fds[0] is the child's end; close it for proper EOF detection */ (void) close(fds[0]); return fds[1]; } #endif /* HAVE_SOCKETPAIR */ /** Set socket to SO_KEEPALIVE. \return 0 for 
From James.Stevens@jrcs.co.uk  Mon Aug 25 18:11:36 1997
Return-Path: <James.Stevens@jrcs.co.uk>
Received: from locke.ccil.org (snark [10.0.2.15])
	by snark.thyrsus.com (8.8.5/8.8.5) with ESMTP id SAA10394
	for <esr@snark.thyrsus.com>; Mon, 25 Aug 1997 18:11:34 -0400
Received: (from slist@localhost)
	by locke.ccil.org (8.8.5/8.8.5) id GAA17071
	for esr; Mon, 18 Aug 1997 06:17:07 -0500 (EST)
Resent-Date: Mon, 18 Aug 1997 06:17:07 -0500 (EST)
X-Authentication-Warning: locke.ccil.org: slist set sender to fetchmail-friends-request@ccil.org using -f
X-NiNLog: [James.Stevens@jrcs.co.uk] [<fetchmail-friends@locke.ccil.org>] [199708180955.KAA04988]
Message-ID: <33F81C2D.AB822BBB@jrcs.co.uk>
Date: Mon, 18 Aug 1997 10:55:57 +0100
From: James Stevens <James.Stevens@jrcs.co.uk>
Reply-To: James.Stevens@jrcs.co.uk
Organization: JRCS Ltd
X-Mailer: Mozilla 4.01 [en] (Win95; I)
MIME-Version: 1.0
To: "fetchmail-friends@locke.ccil.org" <fetchmail-friends@locke.ccil.org>
Subject: A Little Tip...
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Resent-Message-ID: <"lhVgRB.A.FFE.bxC-z"@locke.ccil.org>
Resent-From: fetchmail-friends@ccil.org
X-Mailing-List: <fetchmail-friends@ccil.org> archive/latest/725
X-Loop: fetchmail-friends@ccil.org
Precedence: list
Resent-Sender: fetchmail-friends-request@ccil.org
Status: RO

Seeing Eric tip us that we could run a "fetchmail -quit" in the
"ip-down" script, I thougt it would be neat to run a fetchmail
collection in the "ip-up" script. That way mail is collected
automatically every time I am connecting to Internet for whatever reason
(I use "diald" to automatically manage my connection).

However, it did not work. It hung right after the POP3 login. I tracked
this down to the fact that the "pppd" masks a wide range of signals and
this means a time-out does not kick in. As I run the "ip-up" script in
"bash" this masking is inheritied by "fetchmail".

So, I wrote a silly little "C" program that unmasks all signals and then
runs a command of you choice (in this case fetchmail). This is the code
for that program :-

#include <stdio.h>
#include <signal.h>

main(int argc,char * argv[])
{
sigset_t set;

    if (argc>1)
        {
        sigfillset(&set);
        sigprocmask(SIG_UNBLOCK,&set,NULL);
        system(argv[1]);
        }
}

I call it "allsigs". So, now in my "ip-up" I have the line :-

allsigs "fetchmail -f /etc/fetahmail"

Note the quotes as "allsigs" only looks at argv[1]. I guess this
unmasking of all signals could be added into "fetchmail" ?

James
generated by cgit v1.2.3 (git 2.46.0) at 2026-06-10 10:48:20 +0000
ithout actually reading it */ { int n; char ch; #ifdef SSL_ENABLE SSL *ssl; #endif #ifdef SSL_ENABLE if( NULL != ( ssl = SSLGetContext( sock ) ) ) { n = SSL_peek(ssl, &ch, 1); if (n < 0) { (void)SSL_get_error(ssl, n); return -1; } if( 0 == n ) { /* This code really needs to implement a "hold back" * to simulate a functioning SSL_peek()... sigh... * Has to be coordinated with the read code above. * Next on the list todo... */ /* SSL_peek says 0... Does that mean no data or did the connection blow up? If we got an error then bail! */ if(0 != SSL_get_error(ssl, n)) { return -1; } /* Haven't seen this case actually occur, but... if the problem in SockRead can occur, this should be possible... Just not sure what to do here. This should be a safe "punt" the "peek" but don't "punt" the "session"... */ return 0; /* Give him a '\0' character */ } } else #endif /* SSL_ENABLE */ n = fm_peek(sock, &ch, 1); if (n == -1) return -1; #ifdef __BEOS__ peeked = ch; #endif return(ch); } #ifdef SSL_ENABLE static char *_ssl_server_cname = NULL; static int _check_fp; static char *_check_digest; static char *_server_label; static int _depth0ck; static int _firstrun; static int _prev_err; static int _verify_ok; SSL *SSLGetContext( int sock ) { if( sock < 0 || (unsigned)sock > FD_SETSIZE ) return NULL; if( _ctx[sock] == NULL ) return NULL; return _ssl_context[sock]; } /* ok_return (preverify_ok) is 1 if this stage of certificate verification passed, or 0 if it failed. This callback lets us display informative errors, and perform additional validation (e.g. CN matches) */ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict ) { #define SSLverbose (((outlevel) >= O_DEBUG) || ((outlevel) >= O_VERBOSE && (depth) == 0)) char buf[257]; X509 *x509_cert; int err, depth, i; unsigned char digest[EVP_MAX_MD_SIZE]; char text[EVP_MAX_MD_SIZE * 3 + 1], *tp, *te; const EVP_MD *digest_tp; unsigned int dsz, esz; X509_NAME *subj, *issuer; char *tt; x509_cert = X509_STORE_CTX_get_current_cert(ctx); err = X509_STORE_CTX_get_error(ctx); depth = X509_STORE_CTX_get_error_depth(ctx); subj = X509_get_subject_name(x509_cert); issuer = X509_get_issuer_name(x509_cert); if (outlevel >= O_VERBOSE) { if (depth == 0 && SSLverbose) report(stdout, GT_("Server certificate:\n")); else { if (_firstrun) { _firstrun = 0; if (SSLverbose) report(stdout, GT_("Certificate chain, from root to peer, starting at depth %d:\n"), depth); } else { if (SSLverbose) report(stdout, GT_("Certificate at depth %d:\n"), depth); } } if (SSLverbose) { if ((i = X509_NAME_get_text_by_NID(issuer, NID_organizationName, buf, sizeof(buf))) != -1) { report(stdout, GT_("Issuer Organization: %s\n"), (tt = sdump(buf, i))); xfree(tt); if ((size_t)i >= sizeof(buf) - 1) report(stdout, GT_("Warning: Issuer Organization Name too long (possibly truncated).\n")); } else report(stdout, GT_("Unknown Organization\n")); if ((i = X509_NAME_get_text_by_NID(issuer, NID_commonName, buf, sizeof(buf))) != -1) { report(stdout, GT_("Issuer CommonName: %s\n"), (tt = sdump(buf, i))); xfree(tt); if ((size_t)i >= sizeof(buf) - 1) report(stdout, GT_("Warning: Issuer CommonName too long (possibly truncated).\n")); } else report(stdout, GT_("Unknown Issuer CommonName\n")); } } if ((i = X509_NAME_get_text_by_NID(subj, NID_commonName, buf, sizeof(buf))) != -1) { if (SSLverbose) { report(stdout, GT_("Subject CommonName: %s\n"), (tt = sdump(buf, i))); xfree(tt); } if ((size_t)i >= sizeof(buf) - 1) { /* Possible truncation. In this case, this is a DNS name, so this * is really bad. We do not tolerate this even in the non-strict case. */ report(stderr, GT_("Bad certificate: Subject CommonName too long!\n")); return (0); } if ((size_t)i > strlen(buf)) { /* Name contains embedded NUL characters, so we complain. This is likely * a certificate spoofing attack. */ report(stderr, GT_("Bad certificate: Subject CommonName contains NUL, aborting!\n")); return 0; } } if (depth == 0) { /* peer certificate */ if (!_depth0ck) { _depth0ck = 1; } if ((i = X509_NAME_get_text_by_NID(subj, NID_commonName, buf, sizeof(buf))) != -1) { if (_ssl_server_cname != NULL) { char *p1 = buf; char *p2 = _ssl_server_cname; int matched = 0; STACK_OF(GENERAL_NAME) *gens; /* RFC 2595 section 2.4: find a matching name * first find a match among alternative names */ gens = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL); if (gens) { int j, r; for (j = 0, r = sk_GENERAL_NAME_num(gens); j < r; ++j) { const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, j); if (gn->type == GEN_DNS) { char *pp1 = (char *)gn->d.ia5->data; char *pp2 = _ssl_server_cname; if (outlevel >= O_VERBOSE) { report(stdout, GT_("Subject Alternative Name: %s\n"), (tt = sdump(pp1, (size_t)gn->d.ia5->length))); xfree(tt); } /* Name contains embedded NUL characters, so we complain. This * is likely a certificate spoofing attack. */ if ((size_t)gn->d.ia5->length != strlen(pp1)) { report(stderr, GT_("Bad certificate: Subject Alternative Name contains NUL, aborting!\n")); sk_GENERAL_NAME_free(gens); return 0; } if (name_match(pp1, pp2)) { matched = 1; } } } GENERAL_NAMES_free(gens); } if (name_match(p1, p2)) { matched = 1; } if (!matched) { if (strict || SSLverbose) { report(stderr, GT_("Server CommonName mismatch: %s != %s\n"), (tt = sdump(buf, i)), _ssl_server_cname ); xfree(tt); } ok_return = 0; } } else if (ok_return) { report(stderr, GT_("Server name not set, could not verify certificate!\n")); if (strict) return (0); } } else { if (outlevel >= O_VERBOSE) report(stdout, GT_("Unknown Server CommonName\n")); if (ok_return && strict) { report(stderr, GT_("Server name not specified in certificate!\n")); return (0); } } /* Print the finger print. Note that on errors, we might print it more than once * normally; we kluge around that by using a global variable. */ if (_check_fp == 1) { unsigned dp; _check_fp = -1; digest_tp = EVP_md5(); if (digest_tp == NULL) { report(stderr, GT_("EVP_md5() failed!\n")); return (0); } if (!X509_digest(x509_cert, digest_tp, digest, &dsz)) { report(stderr, GT_("Out of memory!\n")); return (0); } tp = text; te = text + sizeof(text); for (dp = 0; dp < dsz; dp++) { esz = snprintf(tp, te - tp, dp > 0 ? ":%02X" : "%02X", digest[dp]); if (esz >= (size_t)(te - tp)) { report(stderr, GT_("Digest text buffer too small!\n")); return (0); } tp += esz; } if (outlevel > O_NORMAL) report(stdout, GT_("%s key fingerprint: %s\n"), _server_label, text); if (_check_digest != NULL) { if (strcasecmp(text, _check_digest) == 0) { if (outlevel > O_NORMAL) report(stdout, GT_("%s fingerprints match.\n"), _server_label); } else { report(stderr, GT_("%s fingerprints do not match!\n"), _server_label); return (0); } } /* if (_check_digest != NULL) */ } /* if (_check_fp) */ } /* if (depth == 0 && !_depth0ck) */ if (err != X509_V_OK && err != _prev_err && !(_check_fp != 0 && _check_digest && !strict)) { char *tmp; int did_rep_err = 0; _prev_err = err; report(stderr, GT_("Server certificate verification error: %s\n"), X509_verify_cert_error_string(err)); /* We gave the error code, but maybe we can add some more details for debugging */ switch (err) { /* actually we do not want to lump these together, but * since OpenSSL flipped the meaning of these error * codes in the past, and they do hardly make a * practical difference because servers need not provide * the root signing certificate, we don't bother telling * users the difference: */ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: X509_NAME_oneline(issuer, buf, sizeof(buf)); buf[sizeof(buf) - 1] = '\0'; report(stderr, GT_("Broken certification chain at: %s\n"), (tmp = sdump(buf, strlen(buf)))); xfree(tmp); report(stderr, GT_( "This could mean that the server did not provide the intermediate CA's certificate(s), " "which is nothing fetchmail could do anything about. For details, " "please see the README.SSL-SERVER document that ships with fetchmail.\n")); did_rep_err = 1; /* FALLTHROUGH */ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: if (!did_rep_err) { X509_NAME_oneline(issuer, buf, sizeof(buf)); buf[sizeof(buf) - 1] = '\0'; report(stderr, GT_("Missing trust anchor certificate: %s\n"), (tmp = sdump(buf, strlen(buf)))); xfree(tmp); } report(stderr, GT_( "This could mean that the root CA's signing certificate is not in the " "trusted CA certificate location, or that c_rehash needs to be run " "on the certificate directory. For details, please " "see the documentation of --sslcertpath and --sslcertfile in the manual page.\n")); break; default: break; } } /* * If not in strict checking mode (--sslcertck), override this * and pretend that verification had succeeded. */ _verify_ok &= ok_return; if (!strict) ok_return = 1; return (ok_return); } static int SSL_nock_verify_callback( int ok_return, X509_STORE_CTX *ctx ) { return SSL_verify_callback(ok_return, ctx, 0); } static int SSL_ck_verify_callback( int ok_return, X509_STORE_CTX *ctx ) { return SSL_verify_callback(ok_return, ctx, 1); } /* get commonName from certificate set in file. * commonName is stored in buffer namebuffer, limited with namebufferlen */ static const char *SSLCertGetCN(const char *mycert, char *namebuffer, size_t namebufferlen) { const char *ret = NULL; BIO *certBio = NULL; X509 *x509_cert = NULL; X509_NAME *certname = NULL; if (namebuffer && namebufferlen > 0) { namebuffer[0] = 0x00; certBio = BIO_new_file(mycert,"r"); if (certBio) { x509_cert = PEM_read_bio_X509(certBio,NULL,NULL,NULL); BIO_free(certBio); } if (x509_cert) { certname = X509_get_subject_name(x509_cert); if (certname && X509_NAME_get_text_by_NID(certname, NID_commonName, namebuffer, namebufferlen) > 0) ret = namebuffer; X509_free(x509_cert); } } return ret; } /* performs initial SSL handshake over the connected socket * uses SSL *ssl global variable, which is currently defined * in this file */ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck, char *cacertfile, char *certpath, char *fingerprint, char *servercname, char *label, char **remotename) { struct stat randstat; int i; long sslopts = SSL_OP_ALL; SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_algorithms(); /* see Debian Bug#576430 and manpage */ if (stat("/dev/random", &randstat) && stat("/dev/urandom", &randstat)) { /* Neither /dev/random nor /dev/urandom are present, so add entropy to the SSL PRNG a hard way. */ for (i = 0; i < 10000 && ! RAND_status (); ++i) { char buf[4]; struct timeval tv; gettimeofday (&tv, 0); buf[0] = tv.tv_usec & 0xF; buf[2] = (tv.tv_usec & 0xF0) >> 4; buf[3] = (tv.tv_usec & 0xF00) >> 8; buf[1] = (tv.tv_usec & 0xF000) >> 12; RAND_add (buf, sizeof buf, 0.1); } } if( sock < 0 || (unsigned)sock > FD_SETSIZE ) { report(stderr, GT_("File descriptor out of range for SSL") ); return( -1 ); } /* Make sure a connection referring to an older context is not left */ _ssl_context[sock] = NULL; if(myproto) { if(!strcasecmp("ssl2",myproto)) { #if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); #else report(stderr, GT_("Your operating system does not support SSLv2.\n")); return -1; #endif } else if(!strcasecmp("ssl3",myproto)) { _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); } else if(!strcasecmp("tls1",myproto)) { _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); } else if (!strcasecmp("ssl23",myproto)) { myproto = NULL; } else { report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); myproto = NULL; } } if(!myproto) { _ctx[sock] = SSL_CTX_new(SSLv23_client_method()); } if(_ctx[sock] == NULL) { ERR_print_errors_fp(stderr); return(-1); } { char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE"); if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp)) sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; } SSL_CTX_set_options(_ctx[sock], sslopts); if (certck) { SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); } else { /* In this case, we do not fail if verification fails. However, * we provide the callback for output and possible fingerprint * checks. */ SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_nock_verify_callback); } /* Check which trusted X.509 CA certificate store(s) to load */ { char *tmp; int want_default_cacerts = 0; /* Load user locations if any is given */ if (certpath || cacertfile) SSL_CTX_load_verify_locations(_ctx[sock], cacertfile, certpath); else want_default_cacerts = 1; tmp = getenv("FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS"); if (want_default_cacerts || (tmp && tmp[0])) { SSL_CTX_set_default_verify_paths(_ctx[sock]); } } _ssl_context[sock] = SSL_new(_ctx[sock]); if(_ssl_context[sock] == NULL) { ERR_print_errors_fp(stderr); SSL_CTX_free(_ctx[sock]); _ctx[sock] = NULL; return(-1); } /* This static is for the verify callback */ _ssl_server_cname = servercname; _server_label = label; _check_fp = 1; _check_digest = fingerprint; _depth0ck = 0; _firstrun = 1; _verify_ok = 1; _prev_err = -1; if( mycert || mykey ) { /* Ok... He has a certificate file defined, so lets declare it. If * he does NOT have a separate certificate and private key file then * assume that it's a combined key and certificate file. */ char buffer[256]; if( !mykey ) mykey = mycert; if( !mycert ) mycert = mykey; if ((!*remotename || !**remotename) && SSLCertGetCN(mycert, buffer, sizeof(buffer))) { free(*remotename); *remotename = xstrdup(buffer); } SSL_use_certificate_file(_ssl_context[sock], mycert, SSL_FILETYPE_PEM); SSL_use_RSAPrivateKey_file(_ssl_context[sock], mykey, SSL_FILETYPE_PEM); } if (SSL_set_fd(_ssl_context[sock], sock) == 0 || SSL_connect(_ssl_context[sock]) < 1) { ERR_print_errors_fp(stderr); SSL_free( _ssl_context[sock] ); _ssl_context[sock] = NULL; SSL_CTX_free(_ctx[sock]); _ctx[sock] = NULL; return(-1); } /* Paranoia: was the callback not called as we expected? */ if (!_depth0ck) { report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n")); if (fingerprint != NULL || certck) { if( NULL != SSLGetContext( sock ) ) { /* Clean up the SSL stack */ SSL_shutdown( _ssl_context[sock] ); SSL_free( _ssl_context[sock] ); _ssl_context[sock] = NULL; SSL_CTX_free(_ctx[sock]); _ctx[sock] = NULL; } return(-1); } } if (!certck && !fingerprint && (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK || !_verify_ok)) { report(stderr, GT_("Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)\n")); } return(0); } #endif int SockClose(int sock) /* close a socket gracefully */ { #ifdef SSL_ENABLE if( NULL != SSLGetContext( sock ) ) { /* Clean up the SSL stack */ SSL_shutdown( _ssl_context[sock] ); SSL_free( _ssl_context[sock] ); _ssl_context[sock] = NULL; SSL_CTX_free(_ctx[sock]); _ctx[sock] = NULL; } #endif /* if there's an error closing at this point, not much we can do */ return(fm_close(sock)); /* this is guarded */ } #ifdef __CYGWIN__ /* * Workaround Microsoft Winsock recv/WSARecv(..., MSG_PEEK) bug. * See http://sources.redhat.com/ml/cygwin/2001-08/msg00628.html * for more details. */ static ssize_t cygwin_read(int sock, void *buf, size_t count) { char *bp = (char *)buf; size_t n = 0; if ((n = read(sock, bp, count)) == (size_t)-1) return(-1); if (n != count) { size_t n2 = 0; if (outlevel >= O_VERBOSE) report(stdout, GT_("Cygwin socket read retry\n")); n2 = read(sock, bp + n, count - n); if (n2 == (size_t)-1 || n + n2 != count) { report(stderr, GT_("Cygwin socket read retry failed!\n")); return(-1); } } return count; } #endif /* __CYGWIN__ */