xref: /freebsd/lib/libfetch/common.c (revision 792bbaba989533a1fc93823df1720c8c4aaf0442)
1 /*-
2  * Copyright (c) 1998-2016 Dag-Erling Smørgrav
3  * Copyright (c) 2013 Michael Gmelin <freebsd@grem.de>
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer
11  *    in this position and unchanged.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. The name of the author may not be used to endorse or promote products
16  *    derived from this software without specific prior written permission
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 __FBSDID("$FreeBSD$");
32 
33 #include <sys/param.h>
34 #include <sys/socket.h>
35 #include <sys/time.h>
36 #include <sys/uio.h>
37 
38 #include <netinet/in.h>
39 
40 #include <ctype.h>
41 #include <errno.h>
42 #include <fcntl.h>
43 #include <netdb.h>
44 #include <poll.h>
45 #include <pwd.h>
46 #include <stdarg.h>
47 #include <stdlib.h>
48 #include <stdio.h>
49 #include <string.h>
50 #include <unistd.h>
51 
52 #ifdef WITH_SSL
53 #include <openssl/x509v3.h>
54 #endif
55 
56 #include "fetch.h"
57 #include "common.h"
58 
59 
60 /*** Local data **************************************************************/
61 
62 /*
63  * Error messages for resolver errors
64  */
65 static struct fetcherr netdb_errlist[] = {
66 #ifdef EAI_NODATA
67 	{ EAI_NODATA,	FETCH_RESOLV,	"Host not found" },
68 #endif
69 	{ EAI_AGAIN,	FETCH_TEMP,	"Transient resolver failure" },
70 	{ EAI_FAIL,	FETCH_RESOLV,	"Non-recoverable resolver failure" },
71 	{ EAI_NONAME,	FETCH_RESOLV,	"No address record" },
72 	{ -1,		FETCH_UNKNOWN,	"Unknown resolver error" }
73 };
74 
75 /* End-of-Line */
76 static const char ENDL[2] = "\r\n";
77 
78 
79 /*** Error-reporting functions ***********************************************/
80 
81 /*
82  * Map error code to string
83  */
84 static struct fetcherr *
85 fetch_finderr(struct fetcherr *p, int e)
86 {
87 	while (p->num != -1 && p->num != e)
88 		p++;
89 	return (p);
90 }
91 
92 /*
93  * Set error code
94  */
95 void
96 fetch_seterr(struct fetcherr *p, int e)
97 {
98 	p = fetch_finderr(p, e);
99 	fetchLastErrCode = p->cat;
100 	snprintf(fetchLastErrString, MAXERRSTRING, "%s", p->string);
101 }
102 
103 /*
104  * Set error code according to errno
105  */
106 void
107 fetch_syserr(void)
108 {
109 	switch (errno) {
110 	case 0:
111 		fetchLastErrCode = FETCH_OK;
112 		break;
113 	case EPERM:
114 	case EACCES:
115 	case EROFS:
116 	case EAUTH:
117 	case ENEEDAUTH:
118 		fetchLastErrCode = FETCH_AUTH;
119 		break;
120 	case ENOENT:
121 	case EISDIR: /* XXX */
122 		fetchLastErrCode = FETCH_UNAVAIL;
123 		break;
124 	case ENOMEM:
125 		fetchLastErrCode = FETCH_MEMORY;
126 		break;
127 	case EBUSY:
128 	case EAGAIN:
129 		fetchLastErrCode = FETCH_TEMP;
130 		break;
131 	case EEXIST:
132 		fetchLastErrCode = FETCH_EXISTS;
133 		break;
134 	case ENOSPC:
135 		fetchLastErrCode = FETCH_FULL;
136 		break;
137 	case EADDRINUSE:
138 	case EADDRNOTAVAIL:
139 	case ENETDOWN:
140 	case ENETUNREACH:
141 	case ENETRESET:
142 	case EHOSTUNREACH:
143 		fetchLastErrCode = FETCH_NETWORK;
144 		break;
145 	case ECONNABORTED:
146 	case ECONNRESET:
147 		fetchLastErrCode = FETCH_ABORT;
148 		break;
149 	case ETIMEDOUT:
150 		fetchLastErrCode = FETCH_TIMEOUT;
151 		break;
152 	case ECONNREFUSED:
153 	case EHOSTDOWN:
154 		fetchLastErrCode = FETCH_DOWN;
155 		break;
156 default:
157 		fetchLastErrCode = FETCH_UNKNOWN;
158 	}
159 	snprintf(fetchLastErrString, MAXERRSTRING, "%s", strerror(errno));
160 }
161 
162 
163 /*
164  * Emit status message
165  */
166 void
167 fetch_info(const char *fmt, ...)
168 {
169 	va_list ap;
170 
171 	va_start(ap, fmt);
172 	vfprintf(stderr, fmt, ap);
173 	va_end(ap);
174 	fputc('\n', stderr);
175 }
176 
177 
178 /*** Network-related utility functions ***************************************/
179 
180 /*
181  * Return the default port for a scheme
182  */
183 int
184 fetch_default_port(const char *scheme)
185 {
186 	struct servent *se;
187 
188 	if ((se = getservbyname(scheme, "tcp")) != NULL)
189 		return (ntohs(se->s_port));
190 	if (strcasecmp(scheme, SCHEME_FTP) == 0)
191 		return (FTP_DEFAULT_PORT);
192 	if (strcasecmp(scheme, SCHEME_HTTP) == 0)
193 		return (HTTP_DEFAULT_PORT);
194 	return (0);
195 }
196 
197 /*
198  * Return the default proxy port for a scheme
199  */
200 int
201 fetch_default_proxy_port(const char *scheme)
202 {
203 	if (strcasecmp(scheme, SCHEME_FTP) == 0)
204 		return (FTP_DEFAULT_PROXY_PORT);
205 	if (strcasecmp(scheme, SCHEME_HTTP) == 0)
206 		return (HTTP_DEFAULT_PROXY_PORT);
207 	return (0);
208 }
209 
210 
211 /*
212  * Create a connection for an existing descriptor.
213  */
214 conn_t *
215 fetch_reopen(int sd)
216 {
217 	conn_t *conn;
218 	int opt = 1;
219 
220 	/* allocate and fill connection structure */
221 	if ((conn = calloc(1, sizeof(*conn))) == NULL)
222 		return (NULL);
223 	fcntl(sd, F_SETFD, FD_CLOEXEC);
224 	setsockopt(sd, SOL_SOCKET, SO_NOSIGPIPE, &opt, sizeof opt);
225 	conn->sd = sd;
226 	++conn->ref;
227 	return (conn);
228 }
229 
230 
231 /*
232  * Bump a connection's reference count.
233  */
234 conn_t *
235 fetch_ref(conn_t *conn)
236 {
237 
238 	++conn->ref;
239 	return (conn);
240 }
241 
242 
243 /*
244  * Resolve an address
245  */
246 struct addrinfo *
247 fetch_resolve(const char *addr, int port, int af)
248 {
249 	char hbuf[256], sbuf[8];
250 	struct addrinfo hints, *res;
251 	const char *sep, *host, *service;
252 	int err, len;
253 
254 	/* split address if necessary */
255 	err = EAI_SYSTEM;
256 	if ((sep = strchr(addr, ':')) != NULL) {
257 		len = snprintf(hbuf, sizeof(hbuf),
258 		    "%.*s", (int)(sep - addr), addr);
259 		if (len < 0)
260 			return (NULL);
261 		if (len >= (int)sizeof(hbuf)) {
262 			errno = ENAMETOOLONG;
263 			fetch_syserr();
264 			return (NULL);
265 		}
266 		host = hbuf;
267 		service = sep + 1;
268 	} else if (port != 0) {
269 		if (port < 1 || port > 65535) {
270 			errno = EINVAL;
271 			fetch_syserr();
272 			return (NULL);
273 		}
274 		if (snprintf(sbuf, sizeof(sbuf), "%d", port) < 0) {
275 			fetch_syserr();
276 			return (NULL);
277 		}
278 		host = addr;
279 		service = sbuf;
280 	} else {
281 		host = addr;
282 		service = NULL;
283 	}
284 
285 	/* resolve */
286 	memset(&hints, 0, sizeof(hints));
287 	hints.ai_family = af;
288 	hints.ai_socktype = SOCK_STREAM;
289 	hints.ai_flags = AI_ADDRCONFIG;
290 	if ((err = getaddrinfo(host, service, &hints, &res)) != 0) {
291 		netdb_seterr(err);
292 		return (NULL);
293 	}
294 	return (res);
295 }
296 
297 
298 
299 /*
300  * Bind a socket to a specific local address
301  */
302 int
303 fetch_bind(int sd, int af, const char *addr)
304 {
305 	struct addrinfo *cliai, *ai;
306 	int err;
307 
308 	if ((cliai = fetch_resolve(addr, 0, af)) == NULL)
309 		return (-1);
310 	for (ai = cliai; ai != NULL; ai = ai->ai_next)
311 		if ((err = bind(sd, ai->ai_addr, ai->ai_addrlen)) == 0)
312 			break;
313 	if (err != 0)
314 		fetch_syserr();
315 	freeaddrinfo(cliai);
316 	return (err == 0 ? 0 : -1);
317 }
318 
319 
320 /*
321  * Establish a TCP connection to the specified port on the specified host.
322  */
323 conn_t *
324 fetch_connect(const char *host, int port, int af, int verbose)
325 {
326 	struct addrinfo *cais = NULL, *sais = NULL, *cai, *sai;
327 	const char *bindaddr;
328 	conn_t *conn = NULL;
329 	int err = 0, sd = -1;
330 
331 	DEBUG(fprintf(stderr, "---> %s:%d\n", host, port));
332 
333 	/* resolve server address */
334 	if (verbose)
335 		fetch_info("resolving server address: %s:%d", host, port);
336 	if ((sais = fetch_resolve(host, port, af)) == NULL)
337 		goto fail;
338 
339 	/* resolve client address */
340 	bindaddr = getenv("FETCH_BIND_ADDRESS");
341 	if (bindaddr != NULL && *bindaddr != '\0') {
342 		if (verbose)
343 			fetch_info("resolving client address: %s", bindaddr);
344 		if ((cais = fetch_resolve(bindaddr, 0, af)) == NULL)
345 			goto fail;
346 	}
347 
348 	/* try each server address in turn */
349 	for (err = 0, sai = sais; sai != NULL; sai = sai->ai_next) {
350 		/* open socket */
351 		if ((sd = socket(sai->ai_family, SOCK_STREAM, 0)) < 0)
352 			goto syserr;
353 		/* attempt to bind to client address */
354 		for (err = 0, cai = cais; cai != NULL; cai = cai->ai_next) {
355 			if (cai->ai_family != sai->ai_family)
356 				continue;
357 			if ((err = bind(sd, cai->ai_addr, cai->ai_addrlen)) == 0)
358 				break;
359 		}
360 		if (err != 0) {
361 			if (verbose)
362 				fetch_info("failed to bind to %s", bindaddr);
363 			goto syserr;
364 		}
365 		/* attempt to connect to server address */
366 		if ((err = connect(sd, sai->ai_addr, sai->ai_addrlen)) == 0)
367 			break;
368 		/* clean up before next attempt */
369 		close(sd);
370 		sd = -1;
371 	}
372 	if (err != 0) {
373 		if (verbose)
374 			fetch_info("failed to connect to %s:%s", host, port);
375 		goto syserr;
376 	}
377 
378 	if ((conn = fetch_reopen(sd)) == NULL)
379 		goto syserr;
380 	if (cais != NULL)
381 		freeaddrinfo(cais);
382 	if (sais != NULL)
383 		freeaddrinfo(sais);
384 	return (conn);
385 syserr:
386 	fetch_syserr();
387 	goto fail;
388 fail:
389 	if (sd >= 0)
390 		close(sd);
391 	if (cais != NULL)
392 		freeaddrinfo(cais);
393 	if (sais != NULL)
394 		freeaddrinfo(sais);
395 	return (NULL);
396 }
397 
398 #ifdef WITH_SSL
399 /*
400  * Convert characters A-Z to lowercase (intentionally avoid any locale
401  * specific conversions).
402  */
403 static char
404 fetch_ssl_tolower(char in)
405 {
406 	if (in >= 'A' && in <= 'Z')
407 		return (in + 32);
408 	else
409 		return (in);
410 }
411 
412 /*
413  * isalpha implementation that intentionally avoids any locale specific
414  * conversions.
415  */
416 static int
417 fetch_ssl_isalpha(char in)
418 {
419 	return ((in >= 'A' && in <= 'Z') || (in >= 'a' && in <= 'z'));
420 }
421 
422 /*
423  * Check if passed hostnames a and b are equal.
424  */
425 static int
426 fetch_ssl_hname_equal(const char *a, size_t alen, const char *b,
427     size_t blen)
428 {
429 	size_t i;
430 
431 	if (alen != blen)
432 		return (0);
433 	for (i = 0; i < alen; ++i) {
434 		if (fetch_ssl_tolower(a[i]) != fetch_ssl_tolower(b[i]))
435 			return (0);
436 	}
437 	return (1);
438 }
439 
440 /*
441  * Check if domain label is traditional, meaning that only A-Z, a-z, 0-9
442  * and '-' (hyphen) are allowed. Hyphens have to be surrounded by alpha-
443  * numeric characters. Double hyphens (like they're found in IDN a-labels
444  * 'xn--') are not allowed. Empty labels are invalid.
445  */
446 static int
447 fetch_ssl_is_trad_domain_label(const char *l, size_t len, int wcok)
448 {
449 	size_t i;
450 
451 	if (!len || l[0] == '-' || l[len-1] == '-')
452 		return (0);
453 	for (i = 0; i < len; ++i) {
454 		if (!isdigit(l[i]) &&
455 		    !fetch_ssl_isalpha(l[i]) &&
456 		    !(l[i] == '*' && wcok) &&
457 		    !(l[i] == '-' && l[i - 1] != '-'))
458 			return (0);
459 	}
460 	return (1);
461 }
462 
463 /*
464  * Check if host name consists only of numbers. This might indicate an IP
465  * address, which is not a good idea for CN wildcard comparison.
466  */
467 static int
468 fetch_ssl_hname_is_only_numbers(const char *hostname, size_t len)
469 {
470 	size_t i;
471 
472 	for (i = 0; i < len; ++i) {
473 		if (!((hostname[i] >= '0' && hostname[i] <= '9') ||
474 		    hostname[i] == '.'))
475 			return (0);
476 	}
477 	return (1);
478 }
479 
480 /*
481  * Check if the host name h passed matches the pattern passed in m which
482  * is usually part of subjectAltName or CN of a certificate presented to
483  * the client. This includes wildcard matching. The algorithm is based on
484  * RFC6125, sections 6.4.3 and 7.2, which clarifies RFC2818 and RFC3280.
485  */
486 static int
487 fetch_ssl_hname_match(const char *h, size_t hlen, const char *m,
488     size_t mlen)
489 {
490 	int delta, hdotidx, mdot1idx, wcidx;
491 	const char *hdot, *mdot1, *mdot2;
492 	const char *wc; /* wildcard */
493 
494 	if (!(h && *h && m && *m))
495 		return (0);
496 	if ((wc = strnstr(m, "*", mlen)) == NULL)
497 		return (fetch_ssl_hname_equal(h, hlen, m, mlen));
498 	wcidx = wc - m;
499 	/* hostname should not be just dots and numbers */
500 	if (fetch_ssl_hname_is_only_numbers(h, hlen))
501 		return (0);
502 	/* only one wildcard allowed in pattern */
503 	if (strnstr(wc + 1, "*", mlen - wcidx - 1) != NULL)
504 		return (0);
505 	/*
506 	 * there must be at least two more domain labels and
507 	 * wildcard has to be in the leftmost label (RFC6125)
508 	 */
509 	mdot1 = strnstr(m, ".", mlen);
510 	if (mdot1 == NULL || mdot1 < wc || (mlen - (mdot1 - m)) < 4)
511 		return (0);
512 	mdot1idx = mdot1 - m;
513 	mdot2 = strnstr(mdot1 + 1, ".", mlen - mdot1idx - 1);
514 	if (mdot2 == NULL || (mlen - (mdot2 - m)) < 2)
515 		return (0);
516 	/* hostname must contain a dot and not be the 1st char */
517 	hdot = strnstr(h, ".", hlen);
518 	if (hdot == NULL || hdot == h)
519 		return (0);
520 	hdotidx = hdot - h;
521 	/*
522 	 * host part of hostname must be at least as long as
523 	 * pattern it's supposed to match
524 	 */
525 	if (hdotidx < mdot1idx)
526 		return (0);
527 	/*
528 	 * don't allow wildcards in non-traditional domain names
529 	 * (IDN, A-label, U-label...)
530 	 */
531 	if (!fetch_ssl_is_trad_domain_label(h, hdotidx, 0) ||
532 	    !fetch_ssl_is_trad_domain_label(m, mdot1idx, 1))
533 		return (0);
534 	/* match domain part (part after first dot) */
535 	if (!fetch_ssl_hname_equal(hdot, hlen - hdotidx, mdot1,
536 	    mlen - mdot1idx))
537 		return (0);
538 	/* match part left of wildcard */
539 	if (!fetch_ssl_hname_equal(h, wcidx, m, wcidx))
540 		return (0);
541 	/* match part right of wildcard */
542 	delta = mdot1idx - wcidx - 1;
543 	if (!fetch_ssl_hname_equal(hdot - delta, delta,
544 	    mdot1 - delta, delta))
545 		return (0);
546 	/* all tests succeeded, it's a match */
547 	return (1);
548 }
549 
550 /*
551  * Get numeric host address info - returns NULL if host was not an IP
552  * address. The caller is responsible for deallocation using
553  * freeaddrinfo(3).
554  */
555 static struct addrinfo *
556 fetch_ssl_get_numeric_addrinfo(const char *hostname, size_t len)
557 {
558 	struct addrinfo hints, *res;
559 	char *host;
560 
561 	host = (char *)malloc(len + 1);
562 	memcpy(host, hostname, len);
563 	host[len] = '\0';
564 	memset(&hints, 0, sizeof(hints));
565 	hints.ai_family = PF_UNSPEC;
566 	hints.ai_socktype = SOCK_STREAM;
567 	hints.ai_protocol = 0;
568 	hints.ai_flags = AI_NUMERICHOST;
569 	/* port is not relevant for this purpose */
570 	if (getaddrinfo(host, "443", &hints, &res) != 0)
571 		res = NULL;
572 	free(host);
573 	return res;
574 }
575 
576 /*
577  * Compare ip address in addrinfo with address passes.
578  */
579 static int
580 fetch_ssl_ipaddr_match_bin(const struct addrinfo *lhost, const char *rhost,
581     size_t rhostlen)
582 {
583 	const void *left;
584 
585 	if (lhost->ai_family == AF_INET && rhostlen == 4) {
586 		left = (void *)&((struct sockaddr_in*)(void *)
587 		    lhost->ai_addr)->sin_addr.s_addr;
588 #ifdef INET6
589 	} else if (lhost->ai_family == AF_INET6 && rhostlen == 16) {
590 		left = (void *)&((struct sockaddr_in6 *)(void *)
591 		    lhost->ai_addr)->sin6_addr;
592 #endif
593 	} else
594 		return (0);
595 	return (!memcmp(left, (const void *)rhost, rhostlen) ? 1 : 0);
596 }
597 
598 /*
599  * Compare ip address in addrinfo with host passed. If host is not an IP
600  * address, comparison will fail.
601  */
602 static int
603 fetch_ssl_ipaddr_match(const struct addrinfo *laddr, const char *r,
604     size_t rlen)
605 {
606 	struct addrinfo *raddr;
607 	int ret;
608 	char *rip;
609 
610 	ret = 0;
611 	if ((raddr = fetch_ssl_get_numeric_addrinfo(r, rlen)) == NULL)
612 		return 0; /* not a numeric host */
613 
614 	if (laddr->ai_family == raddr->ai_family) {
615 		if (laddr->ai_family == AF_INET) {
616 			rip = (char *)&((struct sockaddr_in *)(void *)
617 			    raddr->ai_addr)->sin_addr.s_addr;
618 			ret = fetch_ssl_ipaddr_match_bin(laddr, rip, 4);
619 #ifdef INET6
620 		} else if (laddr->ai_family == AF_INET6) {
621 			rip = (char *)&((struct sockaddr_in6 *)(void *)
622 			    raddr->ai_addr)->sin6_addr;
623 			ret = fetch_ssl_ipaddr_match_bin(laddr, rip, 16);
624 #endif
625 		}
626 
627 	}
628 	freeaddrinfo(raddr);
629 	return (ret);
630 }
631 
632 /*
633  * Verify server certificate by subjectAltName.
634  */
635 static int
636 fetch_ssl_verify_altname(STACK_OF(GENERAL_NAME) *altnames,
637     const char *host, struct addrinfo *ip)
638 {
639 	const GENERAL_NAME *name;
640 	size_t nslen;
641 	int i;
642 	const char *ns;
643 
644 	for (i = 0; i < sk_GENERAL_NAME_num(altnames); ++i) {
645 #if OPENSSL_VERSION_NUMBER < 0x10000000L
646 		/*
647 		 * This is a workaround, since the following line causes
648 		 * alignment issues in clang:
649 		 * name = sk_GENERAL_NAME_value(altnames, i);
650 		 * OpenSSL explicitly warns not to use those macros
651 		 * directly, but there isn't much choice (and there
652 		 * shouldn't be any ill side effects)
653 		 */
654 		name = (GENERAL_NAME *)SKM_sk_value(void, altnames, i);
655 #else
656 		name = sk_GENERAL_NAME_value(altnames, i);
657 #endif
658 		ns = (const char *)ASN1_STRING_data(name->d.ia5);
659 		nslen = (size_t)ASN1_STRING_length(name->d.ia5);
660 
661 		if (name->type == GEN_DNS && ip == NULL &&
662 		    fetch_ssl_hname_match(host, strlen(host), ns, nslen))
663 			return (1);
664 		else if (name->type == GEN_IPADD && ip != NULL &&
665 		    fetch_ssl_ipaddr_match_bin(ip, ns, nslen))
666 			return (1);
667 	}
668 	return (0);
669 }
670 
671 /*
672  * Verify server certificate by CN.
673  */
674 static int
675 fetch_ssl_verify_cn(X509_NAME *subject, const char *host,
676     struct addrinfo *ip)
677 {
678 	ASN1_STRING *namedata;
679 	X509_NAME_ENTRY *nameentry;
680 	int cnlen, lastpos, loc, ret;
681 	unsigned char *cn;
682 
683 	ret = 0;
684 	lastpos = -1;
685 	loc = -1;
686 	cn = NULL;
687 	/* get most specific CN (last entry in list) and compare */
688 	while ((lastpos = X509_NAME_get_index_by_NID(subject,
689 	    NID_commonName, lastpos)) != -1)
690 		loc = lastpos;
691 
692 	if (loc > -1) {
693 		nameentry = X509_NAME_get_entry(subject, loc);
694 		namedata = X509_NAME_ENTRY_get_data(nameentry);
695 		cnlen = ASN1_STRING_to_UTF8(&cn, namedata);
696 		if (ip == NULL &&
697 		    fetch_ssl_hname_match(host, strlen(host), cn, cnlen))
698 			ret = 1;
699 		else if (ip != NULL && fetch_ssl_ipaddr_match(ip, cn, cnlen))
700 			ret = 1;
701 		OPENSSL_free(cn);
702 	}
703 	return (ret);
704 }
705 
706 /*
707  * Verify that server certificate subjectAltName/CN matches
708  * hostname. First check, if there are alternative subject names. If yes,
709  * those have to match. Only if those don't exist it falls back to
710  * checking the subject's CN.
711  */
712 static int
713 fetch_ssl_verify_hname(X509 *cert, const char *host)
714 {
715 	struct addrinfo *ip;
716 	STACK_OF(GENERAL_NAME) *altnames;
717 	X509_NAME *subject;
718 	int ret;
719 
720 	ret = 0;
721 	ip = fetch_ssl_get_numeric_addrinfo(host, strlen(host));
722 	altnames = X509_get_ext_d2i(cert, NID_subject_alt_name,
723 	    NULL, NULL);
724 
725 	if (altnames != NULL) {
726 		ret = fetch_ssl_verify_altname(altnames, host, ip);
727 	} else {
728 		subject = X509_get_subject_name(cert);
729 		if (subject != NULL)
730 			ret = fetch_ssl_verify_cn(subject, host, ip);
731 	}
732 
733 	if (ip != NULL)
734 		freeaddrinfo(ip);
735 	if (altnames != NULL)
736 		GENERAL_NAMES_free(altnames);
737 	return (ret);
738 }
739 
740 /*
741  * Configure transport security layer based on environment.
742  */
743 static void
744 fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
745 {
746 	long ssl_ctx_options;
747 
748 	ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET;
749 	if (getenv("SSL_ALLOW_SSL3") == NULL)
750 		ssl_ctx_options |= SSL_OP_NO_SSLv3;
751 	if (getenv("SSL_NO_TLS1") != NULL)
752 		ssl_ctx_options |= SSL_OP_NO_TLSv1;
753 	if (getenv("SSL_NO_TLS1_1") != NULL)
754 		ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
755 	if (getenv("SSL_NO_TLS1_2") != NULL)
756 		ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
757 	if (verbose)
758 		fetch_info("SSL options: %lx", ssl_ctx_options);
759 	SSL_CTX_set_options(ctx, ssl_ctx_options);
760 }
761 
762 
763 /*
764  * Configure peer verification based on environment.
765  */
766 #define LOCAL_CERT_FILE	"/usr/local/etc/ssl/cert.pem"
767 #define BASE_CERT_FILE	"/etc/ssl/cert.pem"
768 static int
769 fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
770 {
771 	X509_LOOKUP *crl_lookup;
772 	X509_STORE *crl_store;
773 	const char *ca_cert_file, *ca_cert_path, *crl_file;
774 
775 	if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
776 		ca_cert_file = getenv("SSL_CA_CERT_FILE");
777 		if (ca_cert_file == NULL &&
778 		    access(LOCAL_CERT_FILE, R_OK) == 0)
779 			ca_cert_file = LOCAL_CERT_FILE;
780 		if (ca_cert_file == NULL &&
781 		    access(BASE_CERT_FILE, R_OK) == 0)
782 			ca_cert_file = BASE_CERT_FILE;
783 		ca_cert_path = getenv("SSL_CA_CERT_PATH");
784 		if (verbose) {
785 			fetch_info("Peer verification enabled");
786 			if (ca_cert_file != NULL)
787 				fetch_info("Using CA cert file: %s",
788 				    ca_cert_file);
789 			if (ca_cert_path != NULL)
790 				fetch_info("Using CA cert path: %s",
791 				    ca_cert_path);
792 			if (ca_cert_file == NULL && ca_cert_path == NULL)
793 				fetch_info("Using OpenSSL default "
794 				    "CA cert file and path");
795 		}
796 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,
797 		    fetch_ssl_cb_verify_crt);
798 		if (ca_cert_file != NULL || ca_cert_path != NULL)
799 			SSL_CTX_load_verify_locations(ctx, ca_cert_file,
800 			    ca_cert_path);
801 		else
802 			SSL_CTX_set_default_verify_paths(ctx);
803 		if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) {
804 			if (verbose)
805 				fetch_info("Using CRL file: %s", crl_file);
806 			crl_store = SSL_CTX_get_cert_store(ctx);
807 			crl_lookup = X509_STORE_add_lookup(crl_store,
808 			    X509_LOOKUP_file());
809 			if (crl_lookup == NULL ||
810 			    !X509_load_crl_file(crl_lookup, crl_file,
811 				X509_FILETYPE_PEM)) {
812 				fprintf(stderr,
813 				    "Could not load CRL file %s\n",
814 				    crl_file);
815 				return (0);
816 			}
817 			X509_STORE_set_flags(crl_store,
818 			    X509_V_FLAG_CRL_CHECK |
819 			    X509_V_FLAG_CRL_CHECK_ALL);
820 		}
821 	}
822 	return (1);
823 }
824 
825 /*
826  * Configure client certificate based on environment.
827  */
828 static int
829 fetch_ssl_setup_client_certificate(SSL_CTX *ctx, int verbose)
830 {
831 	const char *client_cert_file, *client_key_file;
832 
833 	if ((client_cert_file = getenv("SSL_CLIENT_CERT_FILE")) != NULL) {
834 		client_key_file = getenv("SSL_CLIENT_KEY_FILE") != NULL ?
835 		    getenv("SSL_CLIENT_KEY_FILE") : client_cert_file;
836 		if (verbose) {
837 			fetch_info("Using client cert file: %s",
838 			    client_cert_file);
839 			fetch_info("Using client key file: %s",
840 			    client_key_file);
841 		}
842 		if (SSL_CTX_use_certificate_chain_file(ctx,
843 			client_cert_file) != 1) {
844 			fprintf(stderr,
845 			    "Could not load client certificate %s\n",
846 			    client_cert_file);
847 			return (0);
848 		}
849 		if (SSL_CTX_use_PrivateKey_file(ctx, client_key_file,
850 			SSL_FILETYPE_PEM) != 1) {
851 			fprintf(stderr,
852 			    "Could not load client key %s\n",
853 			    client_key_file);
854 			return (0);
855 		}
856 	}
857 	return (1);
858 }
859 
860 /*
861  * Callback for SSL certificate verification, this is called on server
862  * cert verification. It takes no decision, but informs the user in case
863  * verification failed.
864  */
865 int
866 fetch_ssl_cb_verify_crt(int verified, X509_STORE_CTX *ctx)
867 {
868 	X509 *crt;
869 	X509_NAME *name;
870 	char *str;
871 
872 	str = NULL;
873 	if (!verified) {
874 		if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL &&
875 		    (name = X509_get_subject_name(crt)) != NULL)
876 			str = X509_NAME_oneline(name, 0, 0);
877 		fprintf(stderr, "Certificate verification failed for %s\n",
878 		    str != NULL ? str : "no relevant certificate");
879 		OPENSSL_free(str);
880 	}
881 	return (verified);
882 }
883 
884 #endif
885 
886 /*
887  * Enable SSL on a connection.
888  */
889 int
890 fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
891 {
892 #ifdef WITH_SSL
893 	int ret, ssl_err;
894 	X509_NAME *name;
895 	char *str;
896 
897 	/* Init the SSL library and context */
898 	if (!SSL_library_init()){
899 		fprintf(stderr, "SSL library init failed\n");
900 		return (-1);
901 	}
902 
903 	SSL_load_error_strings();
904 
905 	conn->ssl_meth = SSLv23_client_method();
906 	conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
907 	SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
908 
909 	fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose);
910 	if (!fetch_ssl_setup_peer_verification(conn->ssl_ctx, verbose))
911 		return (-1);
912 	if (!fetch_ssl_setup_client_certificate(conn->ssl_ctx, verbose))
913 		return (-1);
914 
915 	conn->ssl = SSL_new(conn->ssl_ctx);
916 	if (conn->ssl == NULL) {
917 		fprintf(stderr, "SSL context creation failed\n");
918 		return (-1);
919 	}
920 	SSL_set_fd(conn->ssl, conn->sd);
921 
922 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
923 	if (!SSL_set_tlsext_host_name(conn->ssl,
924 	    __DECONST(struct url *, URL)->host)) {
925 		fprintf(stderr,
926 		    "TLS server name indication extension failed for host %s\n",
927 		    URL->host);
928 		return (-1);
929 	}
930 #endif
931 	while ((ret = SSL_connect(conn->ssl)) == -1) {
932 		ssl_err = SSL_get_error(conn->ssl, ret);
933 		if (ssl_err != SSL_ERROR_WANT_READ &&
934 		    ssl_err != SSL_ERROR_WANT_WRITE) {
935 			ERR_print_errors_fp(stderr);
936 			return (-1);
937 		}
938 	}
939 	conn->ssl_cert = SSL_get_peer_certificate(conn->ssl);
940 
941 	if (conn->ssl_cert == NULL) {
942 		fprintf(stderr, "No server SSL certificate\n");
943 		return (-1);
944 	}
945 
946 	if (getenv("SSL_NO_VERIFY_HOSTNAME") == NULL) {
947 		if (verbose)
948 			fetch_info("Verify hostname");
949 		if (!fetch_ssl_verify_hname(conn->ssl_cert, URL->host)) {
950 			fprintf(stderr,
951 			    "SSL certificate subject doesn't match host %s\n",
952 			    URL->host);
953 			return (-1);
954 		}
955 	}
956 
957 	if (verbose) {
958 		fetch_info("%s connection established using %s",
959 		    SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl));
960 		name = X509_get_subject_name(conn->ssl_cert);
961 		str = X509_NAME_oneline(name, 0, 0);
962 		fetch_info("Certificate subject: %s", str);
963 		OPENSSL_free(str);
964 		name = X509_get_issuer_name(conn->ssl_cert);
965 		str = X509_NAME_oneline(name, 0, 0);
966 		fetch_info("Certificate issuer: %s", str);
967 		OPENSSL_free(str);
968 	}
969 
970 	return (0);
971 #else
972 	(void)conn;
973 	(void)verbose;
974 	fprintf(stderr, "SSL support disabled\n");
975 	return (-1);
976 #endif
977 }
978 
979 #define FETCH_READ_WAIT		-2
980 #define FETCH_READ_ERROR	-1
981 #define FETCH_READ_DONE		 0
982 
983 #ifdef WITH_SSL
984 static ssize_t
985 fetch_ssl_read(SSL *ssl, char *buf, size_t len)
986 {
987 	ssize_t rlen;
988 	int ssl_err;
989 
990 	rlen = SSL_read(ssl, buf, len);
991 	if (rlen < 0) {
992 		ssl_err = SSL_get_error(ssl, rlen);
993 		if (ssl_err == SSL_ERROR_WANT_READ ||
994 		    ssl_err == SSL_ERROR_WANT_WRITE) {
995 			return (FETCH_READ_WAIT);
996 		} else {
997 			ERR_print_errors_fp(stderr);
998 			return (FETCH_READ_ERROR);
999 		}
1000 	}
1001 	return (rlen);
1002 }
1003 #endif
1004 
1005 static ssize_t
1006 fetch_socket_read(int sd, char *buf, size_t len)
1007 {
1008 	ssize_t rlen;
1009 
1010 	rlen = read(sd, buf, len);
1011 	if (rlen < 0) {
1012 		if (errno == EAGAIN || (errno == EINTR && fetchRestartCalls))
1013 			return (FETCH_READ_WAIT);
1014 		else
1015 			return (FETCH_READ_ERROR);
1016 	}
1017 	return (rlen);
1018 }
1019 
1020 /*
1021  * Read a character from a connection w/ timeout
1022  */
1023 ssize_t
1024 fetch_read(conn_t *conn, char *buf, size_t len)
1025 {
1026 	struct timeval now, timeout, delta;
1027 	struct pollfd pfd;
1028 	ssize_t rlen;
1029 	int deltams;
1030 
1031 	if (fetchTimeout > 0) {
1032 		gettimeofday(&timeout, NULL);
1033 		timeout.tv_sec += fetchTimeout;
1034 	}
1035 
1036 	deltams = INFTIM;
1037 	memset(&pfd, 0, sizeof pfd);
1038 	pfd.fd = conn->sd;
1039 	pfd.events = POLLIN | POLLERR;
1040 
1041 	for (;;) {
1042 		/*
1043 		 * The socket is non-blocking.  Instead of the canonical
1044 		 * poll() -> read(), we do the following:
1045 		 *
1046 		 * 1) call read() or SSL_read().
1047 		 * 2) if we received some data, return it.
1048 		 * 3) if an error occurred, return -1.
1049 		 * 4) if read() or SSL_read() signaled EOF, return.
1050 		 * 5) if we did not receive any data but we're not at EOF,
1051 		 *    call poll().
1052 		 *
1053 		 * In the SSL case, this is necessary because if we
1054 		 * receive a close notification, we have to call
1055 		 * SSL_read() one additional time after we've read
1056 		 * everything we received.
1057 		 *
1058 		 * In the non-SSL case, it may improve performance (very
1059 		 * slightly) when reading small amounts of data.
1060 		 */
1061 #ifdef WITH_SSL
1062 		if (conn->ssl != NULL)
1063 			rlen = fetch_ssl_read(conn->ssl, buf, len);
1064 		else
1065 #endif
1066 			rlen = fetch_socket_read(conn->sd, buf, len);
1067 		if (rlen >= 0) {
1068 			break;
1069 		} else if (rlen == FETCH_READ_ERROR) {
1070 			fetch_syserr();
1071 			return (-1);
1072 		}
1073 		// assert(rlen == FETCH_READ_WAIT);
1074 		if (fetchTimeout > 0) {
1075 			gettimeofday(&now, NULL);
1076 			if (!timercmp(&timeout, &now, >)) {
1077 				errno = ETIMEDOUT;
1078 				fetch_syserr();
1079 				return (-1);
1080 			}
1081 			timersub(&timeout, &now, &delta);
1082 			deltams = delta.tv_sec * 1000 +
1083 			    delta.tv_usec / 1000;;
1084 		}
1085 		errno = 0;
1086 		pfd.revents = 0;
1087 		if (poll(&pfd, 1, deltams) < 0) {
1088 			if (errno == EINTR && fetchRestartCalls)
1089 				continue;
1090 			fetch_syserr();
1091 			return (-1);
1092 		}
1093 	}
1094 	return (rlen);
1095 }
1096 
1097 
1098 /*
1099  * Read a line of text from a connection w/ timeout
1100  */
1101 #define MIN_BUF_SIZE 1024
1102 
1103 int
1104 fetch_getln(conn_t *conn)
1105 {
1106 	char *tmp;
1107 	size_t tmpsize;
1108 	ssize_t len;
1109 	char c;
1110 
1111 	if (conn->buf == NULL) {
1112 		if ((conn->buf = malloc(MIN_BUF_SIZE)) == NULL) {
1113 			errno = ENOMEM;
1114 			return (-1);
1115 		}
1116 		conn->bufsize = MIN_BUF_SIZE;
1117 	}
1118 
1119 	conn->buf[0] = '\0';
1120 	conn->buflen = 0;
1121 
1122 	do {
1123 		len = fetch_read(conn, &c, 1);
1124 		if (len == -1)
1125 			return (-1);
1126 		if (len == 0)
1127 			break;
1128 		conn->buf[conn->buflen++] = c;
1129 		if (conn->buflen == conn->bufsize) {
1130 			tmp = conn->buf;
1131 			tmpsize = conn->bufsize * 2 + 1;
1132 			if ((tmp = realloc(tmp, tmpsize)) == NULL) {
1133 				errno = ENOMEM;
1134 				return (-1);
1135 			}
1136 			conn->buf = tmp;
1137 			conn->bufsize = tmpsize;
1138 		}
1139 	} while (c != '\n');
1140 
1141 	conn->buf[conn->buflen] = '\0';
1142 	DEBUG(fprintf(stderr, "<<< %s", conn->buf));
1143 	return (0);
1144 }
1145 
1146 
1147 /*
1148  * Write to a connection w/ timeout
1149  */
1150 ssize_t
1151 fetch_write(conn_t *conn, const char *buf, size_t len)
1152 {
1153 	struct iovec iov;
1154 
1155 	iov.iov_base = __DECONST(char *, buf);
1156 	iov.iov_len = len;
1157 	return fetch_writev(conn, &iov, 1);
1158 }
1159 
1160 /*
1161  * Write a vector to a connection w/ timeout
1162  * Note: can modify the iovec.
1163  */
1164 ssize_t
1165 fetch_writev(conn_t *conn, struct iovec *iov, int iovcnt)
1166 {
1167 	struct timeval now, timeout, delta;
1168 	struct pollfd pfd;
1169 	ssize_t wlen, total;
1170 	int deltams;
1171 
1172 	memset(&pfd, 0, sizeof pfd);
1173 	if (fetchTimeout) {
1174 		pfd.fd = conn->sd;
1175 		pfd.events = POLLOUT | POLLERR;
1176 		gettimeofday(&timeout, NULL);
1177 		timeout.tv_sec += fetchTimeout;
1178 	}
1179 
1180 	total = 0;
1181 	while (iovcnt > 0) {
1182 		while (fetchTimeout && pfd.revents == 0) {
1183 			gettimeofday(&now, NULL);
1184 			if (!timercmp(&timeout, &now, >)) {
1185 				errno = ETIMEDOUT;
1186 				fetch_syserr();
1187 				return (-1);
1188 			}
1189 			timersub(&timeout, &now, &delta);
1190 			deltams = delta.tv_sec * 1000 +
1191 			    delta.tv_usec / 1000;
1192 			errno = 0;
1193 			pfd.revents = 0;
1194 			if (poll(&pfd, 1, deltams) < 0) {
1195 				/* POSIX compliance */
1196 				if (errno == EAGAIN)
1197 					continue;
1198 				if (errno == EINTR && fetchRestartCalls)
1199 					continue;
1200 				return (-1);
1201 			}
1202 		}
1203 		errno = 0;
1204 #ifdef WITH_SSL
1205 		if (conn->ssl != NULL)
1206 			wlen = SSL_write(conn->ssl,
1207 			    iov->iov_base, iov->iov_len);
1208 		else
1209 #endif
1210 			wlen = writev(conn->sd, iov, iovcnt);
1211 		if (wlen == 0) {
1212 			/* we consider a short write a failure */
1213 			/* XXX perhaps we shouldn't in the SSL case */
1214 			errno = EPIPE;
1215 			fetch_syserr();
1216 			return (-1);
1217 		}
1218 		if (wlen < 0) {
1219 			if (errno == EINTR && fetchRestartCalls)
1220 				continue;
1221 			return (-1);
1222 		}
1223 		total += wlen;
1224 		while (iovcnt > 0 && wlen >= (ssize_t)iov->iov_len) {
1225 			wlen -= iov->iov_len;
1226 			iov++;
1227 			iovcnt--;
1228 		}
1229 		if (iovcnt > 0) {
1230 			iov->iov_len -= wlen;
1231 			iov->iov_base = __DECONST(char *, iov->iov_base) + wlen;
1232 		}
1233 	}
1234 	return (total);
1235 }
1236 
1237 
1238 /*
1239  * Write a line of text to a connection w/ timeout
1240  */
1241 int
1242 fetch_putln(conn_t *conn, const char *str, size_t len)
1243 {
1244 	struct iovec iov[2];
1245 	int ret;
1246 
1247 	DEBUG(fprintf(stderr, ">>> %s\n", str));
1248 	iov[0].iov_base = __DECONST(char *, str);
1249 	iov[0].iov_len = len;
1250 	iov[1].iov_base = __DECONST(char *, ENDL);
1251 	iov[1].iov_len = sizeof(ENDL);
1252 	if (len == 0)
1253 		ret = fetch_writev(conn, &iov[1], 1);
1254 	else
1255 		ret = fetch_writev(conn, iov, 2);
1256 	if (ret == -1)
1257 		return (-1);
1258 	return (0);
1259 }
1260 
1261 
1262 /*
1263  * Close connection
1264  */
1265 int
1266 fetch_close(conn_t *conn)
1267 {
1268 	int ret;
1269 
1270 	if (--conn->ref > 0)
1271 		return (0);
1272 #ifdef WITH_SSL
1273 	if (conn->ssl) {
1274 		SSL_shutdown(conn->ssl);
1275 		SSL_set_connect_state(conn->ssl);
1276 		SSL_free(conn->ssl);
1277 		conn->ssl = NULL;
1278 	}
1279 	if (conn->ssl_ctx) {
1280 		SSL_CTX_free(conn->ssl_ctx);
1281 		conn->ssl_ctx = NULL;
1282 	}
1283 	if (conn->ssl_cert) {
1284 		X509_free(conn->ssl_cert);
1285 		conn->ssl_cert = NULL;
1286 	}
1287 #endif
1288 	ret = close(conn->sd);
1289 	free(conn->buf);
1290 	free(conn);
1291 	return (ret);
1292 }
1293 
1294 
1295 /*** Directory-related utility functions *************************************/
1296 
1297 int
1298 fetch_add_entry(struct url_ent **p, int *size, int *len,
1299     const char *name, struct url_stat *us)
1300 {
1301 	struct url_ent *tmp;
1302 
1303 	if (*p == NULL) {
1304 		*size = 0;
1305 		*len = 0;
1306 	}
1307 
1308 	if (*len >= *size - 1) {
1309 		tmp = realloc(*p, (*size * 2 + 1) * sizeof(**p));
1310 		if (tmp == NULL) {
1311 			errno = ENOMEM;
1312 			fetch_syserr();
1313 			return (-1);
1314 		}
1315 		*size = (*size * 2 + 1);
1316 		*p = tmp;
1317 	}
1318 
1319 	tmp = *p + *len;
1320 	snprintf(tmp->name, PATH_MAX, "%s", name);
1321 	memcpy(&tmp->stat, us, sizeof(*us));
1322 
1323 	(*len)++;
1324 	(++tmp)->name[0] = 0;
1325 
1326 	return (0);
1327 }
1328 
1329 
1330 /*** Authentication-related utility functions ********************************/
1331 
1332 static const char *
1333 fetch_read_word(FILE *f)
1334 {
1335 	static char word[1024];
1336 
1337 	if (fscanf(f, " %1023s ", word) != 1)
1338 		return (NULL);
1339 	return (word);
1340 }
1341 
1342 /*
1343  * Get authentication data for a URL from .netrc
1344  */
1345 int
1346 fetch_netrc_auth(struct url *url)
1347 {
1348 	char fn[PATH_MAX];
1349 	const char *word;
1350 	char *p;
1351 	FILE *f;
1352 
1353 	if ((p = getenv("NETRC")) != NULL) {
1354 		if (snprintf(fn, sizeof(fn), "%s", p) >= (int)sizeof(fn)) {
1355 			fetch_info("$NETRC specifies a file name "
1356 			    "longer than PATH_MAX");
1357 			return (-1);
1358 		}
1359 	} else {
1360 		if ((p = getenv("HOME")) != NULL) {
1361 			struct passwd *pwd;
1362 
1363 			if ((pwd = getpwuid(getuid())) == NULL ||
1364 			    (p = pwd->pw_dir) == NULL)
1365 				return (-1);
1366 		}
1367 		if (snprintf(fn, sizeof(fn), "%s/.netrc", p) >= (int)sizeof(fn))
1368 			return (-1);
1369 	}
1370 
1371 	if ((f = fopen(fn, "r")) == NULL)
1372 		return (-1);
1373 	while ((word = fetch_read_word(f)) != NULL) {
1374 		if (strcmp(word, "default") == 0) {
1375 			DEBUG(fetch_info("Using default .netrc settings"));
1376 			break;
1377 		}
1378 		if (strcmp(word, "machine") == 0 &&
1379 		    (word = fetch_read_word(f)) != NULL &&
1380 		    strcasecmp(word, url->host) == 0) {
1381 			DEBUG(fetch_info("Using .netrc settings for %s", word));
1382 			break;
1383 		}
1384 	}
1385 	if (word == NULL)
1386 		goto ferr;
1387 	while ((word = fetch_read_word(f)) != NULL) {
1388 		if (strcmp(word, "login") == 0) {
1389 			if ((word = fetch_read_word(f)) == NULL)
1390 				goto ferr;
1391 			if (snprintf(url->user, sizeof(url->user),
1392 				"%s", word) > (int)sizeof(url->user)) {
1393 				fetch_info("login name in .netrc is too long");
1394 				url->user[0] = '\0';
1395 			}
1396 		} else if (strcmp(word, "password") == 0) {
1397 			if ((word = fetch_read_word(f)) == NULL)
1398 				goto ferr;
1399 			if (snprintf(url->pwd, sizeof(url->pwd),
1400 				"%s", word) > (int)sizeof(url->pwd)) {
1401 				fetch_info("password in .netrc is too long");
1402 				url->pwd[0] = '\0';
1403 			}
1404 		} else if (strcmp(word, "account") == 0) {
1405 			if ((word = fetch_read_word(f)) == NULL)
1406 				goto ferr;
1407 			/* XXX not supported! */
1408 		} else {
1409 			break;
1410 		}
1411 	}
1412 	fclose(f);
1413 	return (0);
1414  ferr:
1415 	fclose(f);
1416 	return (-1);
1417 }
1418 
1419 /*
1420  * The no_proxy environment variable specifies a set of domains for
1421  * which the proxy should not be consulted; the contents is a comma-,
1422  * or space-separated list of domain names.  A single asterisk will
1423  * override all proxy variables and no transactions will be proxied
1424  * (for compatibility with lynx and curl, see the discussion at
1425  * <http://curl.haxx.se/mail/archive_pre_oct_99/0009.html>).
1426  */
1427 int
1428 fetch_no_proxy_match(const char *host)
1429 {
1430 	const char *no_proxy, *p, *q;
1431 	size_t h_len, d_len;
1432 
1433 	if ((no_proxy = getenv("NO_PROXY")) == NULL &&
1434 	    (no_proxy = getenv("no_proxy")) == NULL)
1435 		return (0);
1436 
1437 	/* asterisk matches any hostname */
1438 	if (strcmp(no_proxy, "*") == 0)
1439 		return (1);
1440 
1441 	h_len = strlen(host);
1442 	p = no_proxy;
1443 	do {
1444 		/* position p at the beginning of a domain suffix */
1445 		while (*p == ',' || isspace((unsigned char)*p))
1446 			p++;
1447 
1448 		/* position q at the first separator character */
1449 		for (q = p; *q; ++q)
1450 			if (*q == ',' || isspace((unsigned char)*q))
1451 				break;
1452 
1453 		d_len = q - p;
1454 		if (d_len > 0 && h_len >= d_len &&
1455 		    strncasecmp(host + h_len - d_len,
1456 			p, d_len) == 0) {
1457 			/* domain name matches */
1458 			return (1);
1459 		}
1460 
1461 		p = q + 1;
1462 	} while (*q);
1463 
1464 	return (0);
1465 }
1466