authorVsevolod Stakhov <vsevolod@highsecure.ru>2017-02-03 14:59:45 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2017-02-03 14:59:45 +0000
commit78e0800beb28669360e37d78de06abf31df9dcac (patch)
treeb603504c5a0bca50225f98353f6c11a158789732
parentc0e76d49b5133638cee11846a1fc79d8929c865a (diff)
downloadrspamd-78e0800beb28669360e37d78de06abf31df9dcac.tar.gz
rspamd-78e0800beb28669360e37d78de06abf31df9dcac.zip
[Minor] Allow to disable ssl verification if needed
-rw-r--r--src/libutil/http.c3
-rw-r--r--src/libutil/http.h13
-rw-r--r--src/libutil/ssl_util.c7
-rw-r--r--src/libutil/ssl_util.h2
-rw-r--r--src/lua/lua_http.c14
5 files changed, 30 insertions, 9 deletions
diff --git a/src/libutil/http.c b/src/libutil/http.c
index 1a8a4b953..47c1836d3 100644
--- a/src/libutil/http.c
+++ b/src/libutil/http.c
@@ -2183,7 +2183,8 @@ rspamd_http_connection_write_message_common (struct rspamd_http_connection *conn
rspamd_ssl_connection_free (priv->ssl);
}
- priv->ssl = rspamd_ssl_connection_new (priv->ssl_ctx, base);
+ priv->ssl = rspamd_ssl_connection_new (priv->ssl_ctx, base,
+ !(msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY));
g_assert (priv->ssl != NULL);
if (!rspamd_ssl_connect_fd (priv->ssl, fd, host, &priv->ev,
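Review bot: Disabling certificate verification leaves no trace in the logs: the new flag test just passes FALSE into rspamd_ssl_connection_new, so an operator cannot later tell which outbound TLS connections were made without certificate checks. Before the call, a guard such as `if (msg->flags & RSPAMD_HTTP_FLAG_SSL_NOVERIFY) { msg_warn ("TLS certificate verification disabled for %s", host); }` (using whatever warning-level logging macro this file already uses) would make the insecure mode auditable. The enclosing rspamd_http_connection_write_message_common begins and ends outside the hunk, so I cannot confirm that `host` is always non-NULL at this point; if it is not, the log line needs a fallback.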
diff --git a/src/libutil/http.h b/src/libutil/http.h
index 9f3861865..a28a6b389 100644
--- a/src/libutil/http.h
+++ b/src/libutil/http.h
@@ -67,15 +67,18 @@ struct rspamd_storage_shmem {
* Body has been set for a message
*/
#define RSPAMD_HTTP_FLAG_HAS_BODY (1 << 5)
-
+/**
+ * Do not verify server's certificate
+ */
+#define RSPAMD_HTTP_FLAG_SSL_NOVERIFY (1 << 6)
/**
* Options for HTTP connection
*/
enum rspamd_http_options {
- RSPAMD_HTTP_BODY_PARTIAL = 0x1, /**< Call body handler on all body data portions */
- RSPAMD_HTTP_CLIENT_SIMPLE = 0x2, /**< Read HTTP client reply automatically */
- RSPAMD_HTTP_CLIENT_ENCRYPTED = 0x4, /**< Encrypt data for client */
- RSPAMD_HTTP_CLIENT_SHARED = 0x8, /**< Store reply in shared memory */
+ RSPAMD_HTTP_BODY_PARTIAL = 0x1, /**< Call body handler on all body data portions *///!< RSPAMD_HTTP_BODY_PARTIAL
+ RSPAMD_HTTP_CLIENT_SIMPLE = 0x2, /**< Read HTTP client reply automatically */ //!< RSPAMD_HTTP_CLIENT_SIMPLE
+ RSPAMD_HTTP_CLIENT_ENCRYPTED = 0x4, /**< Encrypt data for client */ //!< RSPAMD_HTTP_CLIENT_ENCRYPTED
+ RSPAMD_HTTP_CLIENT_SHARED = 0x8, /**< Store reply in shared memory */ //!< RSPAMD_HTTP_CLIENT_SHARED
};
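Review bot: The `//!< RSPAMD_HTTP_BODY_PARTIAL` style trailers appended to the four enum members look like editor-generated Doxygen stubs: each one merely repeats the identifier and duplicates the existing `/**< ... */` description, so they should be dropped and the enum lines left as they were. The comment on the new flag should also state the consequence rather than just the mechanism, e.g. `/** Do not verify server's certificate: anyone able to present any certificate can then intercept the connection; use only for testing */`, so that a caller setting bit 6 understands what they are giving up.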
typedef int (*rspamd_http_body_handler_t) (struct rspamd_http_connection *conn,
diff --git a/src/libutil/ssl_util.c b/src/libutil/ssl_util.c
index 3dc34e66a..a2106ff2b 100644
--- a/src/libutil/ssl_util.c
+++ b/src/libutil/ssl_util.c
@@ -34,6 +34,7 @@ struct rspamd_ssl_connection {
ssl_next_read,
ssl_next_write
} state;
+ gboolean verify_peer;
SSL *ssl;
gchar *hostname;
struct event *ev;
@@ -373,7 +374,7 @@ rspamd_ssl_event_handler (gint fd, short what, gpointer ud)
if (ret == 1) {
event_del (c->ev);
/* Verify certificate */
- if (rspamd_ssl_peer_verify (c)) {
+ if ((!c->verify_peer) || rspamd_ssl_peer_verify (c)) {
c->state = ssl_conn_connected;
c->handler (fd, EV_WRITE, c->handler_data);
}
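Review bot: The `/* Verify certificate */` comment above the changed condition is no longer accurate, since the branch is now also taken when `c->verify_peer` is FALSE and the certificate is never looked at; it should read something like `/* Verify certificate unless verification was disabled for this connection */`. If rspamd_ssl_peer_verify is also where `c->hostname` is matched against the certificate (its body is not visible here), the skip disables hostname checking as well, and the comment should say so explicitly. The enclosing rspamd_ssl_event_handler starts and ends outside the hunk.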
@@ -435,7 +436,8 @@ rspamd_ssl_event_handler (gint fd, short what, gpointer ud)
}
struct rspamd_ssl_connection *
-rspamd_ssl_connection_new (gpointer ssl_ctx, struct event_base *ev_base)
+rspamd_ssl_connection_new (gpointer ssl_ctx, struct event_base *ev_base,
+ gboolean verify_peer)
{
struct rspamd_ssl_connection *c;
@@ -443,6 +445,7 @@ rspamd_ssl_connection_new (gpointer ssl_ctx, struct event_base *ev_base)
c = g_slice_alloc0 (sizeof (*c));
c->ssl = SSL_new (ssl_ctx);
c->ev_base = ev_base;
+ c->verify_peer = verify_peer;
return c;
}
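Review bot: Storing `verify_peer` only affects the post-handshake check in rspamd_ssl_event_handler; nothing here changes the verify mode of the SSL object created by `SSL_new (ssl_ctx)`. If the shared context was configured with SSL_VERIFY_PEER (its setup is not in this diff), OpenSSL aborts the handshake on an untrusted certificate before the new shortcut is ever reached and the flag has no effect; if it uses SSL_VERIFY_NONE with verification done manually afterwards, the flag works as intended. Adding `if (!verify_peer) { SSL_set_verify (c->ssl, SSL_VERIFY_NONE, NULL); }` right after `c->ssl = SSL_new (ssl_ctx);` makes the behaviour independent of the context's configuration, and the assignment deserves a comment stating which of the two models this code relies on.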
diff --git a/src/libutil/ssl_util.h b/src/libutil/ssl_util.h
index 64e6a413e..73a940e00 100644
--- a/src/libutil/ssl_util.h
+++ b/src/libutil/ssl_util.h
@@ -30,7 +30,7 @@ typedef void (*rspamd_ssl_error_handler_t)(gpointer d, GError *err);
* @return opaque connection data
*/
struct rspamd_ssl_connection * rspamd_ssl_connection_new (gpointer ssl_ctx,
- struct event_base *ev_base);
+ struct event_base *ev_base, gboolean verify_peer);
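Review bot: The Doxygen block above this prototype documents `@return opaque connection data` but gains no entry for the new parameter. Add `@param verify_peer if FALSE, the server's certificate is accepted without verification after the handshake` so that callers see the security implication at the declaration rather than having to read ssl_util.c.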
/**
* Connects SSL session using the specified (connected) FD
diff --git a/src/lua/lua_http.c b/src/lua/lua_http.c
index 2213d8aae..4952f3404 100644
--- a/src/lua/lua_http.c
+++ b/src/lua/lua_http.c
@@ -56,6 +56,7 @@ static const struct luaL_reg httplib_m[] = {
};
#define RSPAMD_LUA_HTTP_FLAG_TEXT (1 << 0)
+#define RSPAMD_LUA_HTTP_FLAG_NOVERIFY (1 << 0)
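Review bot: The new flag reuses bit 0, which the line above already assigns to `RSPAMD_LUA_HTTP_FLAG_TEXT`, so the two options become indistinguishable in `cbd->flags`: any request that asks for a text body will also have certificate verification disabled, and any `no_ssl_verify` request will be treated as a text request. It should be `#define RSPAMD_LUA_HTTP_FLAG_NOVERIFY (1 << 1)`. Because this silently weakens TLS for unrelated callers, it is worth a regression test that issues a text request against a host with an untrusted certificate and expects it to fail.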
struct lua_http_cbdata {
lua_State *L;
@@ -260,6 +261,10 @@ lua_http_make_connection (struct lua_http_cbdata *cbd)
rspamd_http_message_set_peer_key (cbd->msg, cbd->peer_pk);
}
+ if (cbd->flags & RSPAMD_LUA_HTTP_FLAG_NOVERIFY) {
+ cbd->msg->flags |= RSPAMD_HTTP_FLAG_SSL_NOVERIFY;
+ }
+
rspamd_http_connection_write_message (cbd->conn, cbd->msg,
cbd->host, cbd->mime_type, cbd, fd,
&cbd->tv, cbd->ev_base);
@@ -548,6 +553,15 @@ lua_http_request (lua_State *L)
}
lua_pop (L, 1);
+
+ lua_pushstring (L, "no_ssl_verify");
+ lua_gettable (L, 1);
+
+ if (!!lua_toboolean (L, -1)) {
+ flags |= RSPAMD_LUA_HTTP_FLAG_NOVERIFY;
+ }
+
+ lua_pop (L, 1);
}
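Review bot: The `!!` in `if (!!lua_toboolean (L, -1))` is redundant, since lua_toboolean already returns 0 or 1 and the value is only used as a condition; `if (lua_toboolean (L, -1))` reads cleaner. The push/gettable pair can likewise be collapsed into the idiomatic `lua_getfield (L, 1, "no_ssl_verify");`, matching how a single table key is normally fetched. The enclosing lua_http_request starts and ends outside the hunk.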
else {
msg_err ("http request has bad params");