xref: /titanic_50/usr/src/lib/libpkg/common/pkgweb.c (revision 4656d4747c8743290bfbe910c64cd75eb4e4af8d)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
/* All Rights Reserved */


#include <stdio.h>
#include <limits.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <pkglocs.h>
#include <locale.h>
#include <libintl.h>
#include <libgen.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <fcntl.h>
#include <dirent.h>
#include <boot_http.h>
#include <errno.h>
#include <ctype.h>
#include <openssl/pkcs7.h>
#include <openssl/ocsp.h>
#include <openssl/pkcs12.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
#include "pkglib.h"
#include "pkglibmsgs.h"
#include "pkglocale.h"
#include "keystore.h"
#include "pkgweb.h"
#include "pkgerr.h"
#include "p12lib.h"

/* fixed format when making an OCSP request */
#define	OCSP_REQUEST_FORMAT \
	"POST %s HTTP/1.0\r\n" \
	"Content-Type: application/ocsp-request\r\n" \
	"Content-Length: %d\r\n\r\n"

/*
 * no security is afforded by using this phrase to "encrypt" CA certificates,
 * but it might aid in debugging and has to be non-null
 */
#define	WEB_CA_PHRASE		"schizophrenic"

/* This one needs the ': ' at the end */
#define	CONTENT_TYPE_HDR	"Content-Type"
#define	CONTENT_DISPOSITION_HDR	"Content-Disposition"
#define	CONTENT_OCSP_RESP	"application/ocsp-response"
#define	CONTENT_LENGTH_HDR	"Content-Length"
#define	LAST_MODIFIED_HDR	"Last-Modified"
#define	OCSP_BUFSIZ	1024

/*
 * default amount of time that is allowed for error when checking
 * OCSP response validity.
 * For example, if this is set to 5 minutes, then if a response
 * is issued that is valid from 12:00 to 1:00, then we will
 * accept it if the local time is between 11:55 and 1:05.
 * This takes care of not-quite-synchronized server and client clocks.
 */
#define	OCSP_VALIDITY_PERIOD	(5 * 60)

/* this value is defined by getpassphrase(3c) manpage */
#define	MAX_PHRASELEN		257

/* Max length of "enter password again" prompt message */
#define	MAX_VERIFY_MSGLEN	1024

/* local prototypes */
static boolean_t remove_dwnld_file(char *);
static boolean_t get_ENV_proxyport(PKG_ERR *, ushort_t *);
static boolean_t make_link(char *, char *);
static WebStatus web_send_request(PKG_ERR *, int, int, int);
static boolean_t web_eval_headers(PKG_ERR *);
static WebStatus web_get_file(PKG_ERR *, char *, int, char **);
static boolean_t ck_dwnld_dir_space(PKG_ERR *, char *, ulong_t);
static WebStatus web_connect(PKG_ERR *);
static boolean_t web_setup(PKG_ERR *);
static boolean_t check_dwnld_dir(PKG_ERR *, char *);
static boolean_t parse_url_proxy(PKG_ERR *, char *, char *, ushort_t);
static boolean_t web_disconnect(void);
static char *get_unique_filename(char *, char *);
static boolean_t get_ENV_proxy(PKG_ERR *, char **);
static char *condense_lastmodified(char *);
static int web_verify(int, X509_STORE_CTX *);
static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
static boolean_t get_ocsp_uri(X509 *, char **);
static OCSPStatus ocsp_verify(PKG_ERR *, X509 *, X509 *, char *, url_hport_t *,
    STACK_OF(X509) *);
static char	*get_time_string(ASN1_GENERALIZEDTIME *);
static char	*write_ca_file(PKG_ERR *, char *, STACK_OF(X509) *, char *);
static boolean_t _get_random_info(void *, int);
static boolean_t	init_session(void);
static void	progress_setup(int, ulong_t);
static void	progress_report(int, ulong_t);
static void	progress_finish(int);
static char	*replace_token(char *, char, char);
static void	dequote(char *);
static void	trim(char *);


/*
 * structure used to hold data passed back to the
 * X509 verify callback routine in validate_signature()
 */
typedef struct {
	url_hport_t	*proxy;
	PKG_ERR		*err;
	STACK_OF(X509)	*cas;
} verify_cb_data_t;

/* Progress bar variables */
static ulong_t const_increment, const_divider, completed, const_completed;

/* current network backoff wait period */
static int cur_backoff = 0;

/* download session context handle */
static WEB_SESSION *ps;

static int	webpkg_install = 0;
static char	*prompt = NULL;
static char	*passarg = NULL;


/* ~~~~~~~~~~~~~~ Public Functions ~~~~~~~~~~~~~~~~~~~ */

/*
 * Name:		set_prompt
 * Description:	Specifies the prompt to use with the pkglib
 *		passphrase callback routine.
 *
 * Arguments:	newprompt - The prompt to display
 *
 * Returns :	NONE
 */
void
set_passphrase_prompt(char *newprompt)
{
	prompt = newprompt;
}

/*
 * Name:		set_passarg
 * Description:	Specifies the passphrase retrieval method
 *		 to use with the pkglib
 *		passphrase callback routine.
 *
 * Arguments:	newpassarg - The new password retrieval arg
 *
 * Returns :	NONE
 */
void
set_passphrase_passarg(char *newpassarg)
{
	passarg = newpassarg;
}

/*
 * Name:		get_proxy_port
 * Description:	Resolves proxy specification
 *
 * Arguments:	err - where to record any errors.
 *     		proxy - Location to store result - if *proxy is not
 *		null, then it will be validated, but not changed
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 *		on success, *proxy and *port are set to either
 *		the user-supplied proxy and port, or the
 *		ones found in the environment variables
 *		HTTPPROXY and/or HTTPROXYPORT
 */
boolean_t
get_proxy_port(PKG_ERR *err, char **proxy, ushort_t *port)
{
	if (*proxy != NULL) {
		if (!path_valid(*proxy)) {
			/* bad proxy supplied */
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_BAD_PROXY), *proxy);
			return (B_FALSE);
		}
		if (!get_ENV_proxyport(err, port)) {
			/* env set, but bad */
			return (B_FALSE);
		}
	} else {
		if (!get_ENV_proxy(err, proxy)) {
			/* environment variable set, but bad */
			return (B_FALSE);
		}
		if ((*proxy != NULL) && !path_valid(*proxy)) {
			/* env variable set, but bad */
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_BAD_PROXY), *proxy);
			return (B_FALSE);
		}
		if (!get_ENV_proxyport(err, port)) {
			/* env variable set, but bad */
			return (B_FALSE);
		}
	}
	return (B_TRUE);
}

/*
 * Name:		path_valid
 * Description:	Checks a string for being a valid path
 *
 * Arguments:	path - path to validate
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise.
 *		B_FALSE means path was null, too long (>PATH_MAX),
 *		or too short (<1)
 */
boolean_t
path_valid(char *path)
{
	if (path == NULL) {
		return (B_FALSE);
	} else if (strlen(path) > PATH_MAX) {
		return (B_FALSE);
	} else if (strlen(path) >= 1) {
		return (B_TRUE);
	} else {
		/* path < 1 */
		return (B_FALSE);
	}
}

/*
 * Name:		web_cleanup
 * Description:	Deletes temp files, closes, frees memory taken
 *		by 'ps' static structure
 *
 * Arguments:	none
 *
 * Returns :	none
 */
void
web_cleanup(void)
{
	PKG_ERR *err;

	if (ps == NULL)
		return;

	err = pkgerr_new();

	if (ps->keystore) {
		(void) close_keystore(err, ps->keystore, NULL);
	}

	ps->keystore = NULL;

	pkgerr_free(err);

	if (ps->uniqfile) {
		(void) remove_dwnld_file(ps->uniqfile);
		free(ps->uniqfile);
		ps->uniqfile = NULL;
	}
	if (ps->link) {
		(void) remove_dwnld_file(ps->link);
		free(ps->link);
		ps->link = NULL;
	}
	if (ps->dwnld_dir) {
	    (void) rmdir(ps->dwnld_dir);
	    ps->dwnld_dir = NULL;
	}
	if (ps->errstr) {
	    free(ps->errstr);
	    ps->errstr = NULL;
	}

	if (ps->content) {
	    free(ps->content);
	    ps->content = NULL;
	}

	if (ps->resp) {
		http_free_respinfo(ps->resp);
		ps->resp = NULL;
	}

	if (ps) {
	    free(ps);
	    ps = NULL;
	}
}

/*
 * Name:		web_session_control
 * Description:	Downloads an arbitrary URL and saves to disk.
 *
 * Arguments:	err - where to record any errors.
 *     		url - URL pointing to content to download - can be
 *			http:// or https://
 *		dwnld_dir - Directory to download into
 *		keystore - keystore to use for accessing trusted
 *			certs when downloading using SSL
 *		proxy - HTTP proxy to use, or NULL for no proxy
 *		proxy_port - HTTP proxy port to use, ignored
 *			if proxy is NULL
 *		passarg - method to retrieve password
 *		retries - # of times to retry download before
 *			giving up
 *		timeout - how long to wait before retrying,
 *			when download is interrupted
 *		nointeract - if non-zero, do not output
 *			download progress to screen
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 */
boolean_t
web_session_control(PKG_ERR *err, char *url, char *dwnld_dir,
    keystore_handle_t keystore, char *proxy, ushort_t proxy_port,
    int retries, int timeout, int nointeract, char **fname)
{
	int i;
	boolean_t ret = B_TRUE;
	boolean_t retrieved = B_FALSE;

	if (!init_session()) {
	    ret = B_FALSE;
	    goto cleanup;
	}

	if (!parse_url_proxy(err, url, proxy, proxy_port)) {
		ret = B_FALSE;
		goto cleanup;
	}

	ps->timeout = timeout;

	if (keystore != NULL)
		ps->keystore = keystore;

	if (dwnld_dir != NULL)
		ps->dwnld_dir = xstrdup(dwnld_dir);
	else {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_NO_DWNLD_DIR));
		ret = B_FALSE;
		goto cleanup;
	}

	if (!check_dwnld_dir(err, dwnld_dir)) {
		ret = B_FALSE;
		goto cleanup;
	}

	for (i = 0; i < retries && !retrieved; i++) {
		if (!web_setup(err)) {
			ret = B_FALSE;
			goto cleanup;
		}

		switch (web_connect(err)) {
		    /* time out and wait a little bit for these failures */
		case WEB_OK:
		    /* were able to connect */
			reset_backoff();
			break;
		case WEB_TIMEOUT:
			echo_out(nointeract, gettext(MSG_DWNLD_TIMEOUT));
			(void) web_disconnect();
			backoff();
			continue;

		case WEB_CONNREFUSED:
			echo_out(nointeract, gettext(MSG_DWNLD_CONNREF),
			    ps->url.hport.hostname);
			(void) web_disconnect();
			backoff();
			continue;
		case WEB_HOSTDOWN:
			echo_out(nointeract, gettext(MSG_DWNLD_HOSTDWN),
			    ps->url.hport.hostname);
			(void) web_disconnect();
			backoff();
			continue;

		default:
			/* every other failure is a hard failure, so bail */
			ret = B_FALSE;
			goto cleanup;
		}

		switch (web_send_request(err, HTTP_REQ_TYPE_HEAD,
				ps->data.cur_pos, ps->data.content_length)) {
		case WEB_OK:
		    /* were able to connect */
			reset_backoff();
			break;
		case WEB_TIMEOUT:
			echo_out(nointeract, gettext(MSG_DWNLD_TIMEOUT));
			(void) web_disconnect();
			backoff();
			continue;

		case WEB_CONNREFUSED:
			echo_out(nointeract, gettext(MSG_DWNLD_CONNREF),
			    ps->url.hport.hostname);
			(void) web_disconnect();
			backoff();
			continue;
		case WEB_HOSTDOWN:
			echo_out(nointeract, gettext(MSG_DWNLD_HOSTDWN),
			    ps->url.hport.hostname);
			(void) web_disconnect();
			backoff();
			continue;
		default:
			/* every other case is failure, so bail */
			ret = B_FALSE;
			goto cleanup;
		}

		if (!web_eval_headers(err)) {
			ret = B_FALSE;
			goto cleanup;
		}

		switch (web_get_file(err, dwnld_dir, nointeract, fname)) {
		case WEB_OK:
			/* were able to retrieve file */
			retrieved = B_TRUE;
			reset_backoff();
			break;

		case WEB_TIMEOUT:
			echo_out(nointeract, gettext(MSG_DWNLD_TIMEOUT));
			(void) web_disconnect();
			backoff();
			continue;

		case WEB_CONNREFUSED:
			echo_out(nointeract, gettext(MSG_DWNLD_CONNREF),
			    ps->url.hport.hostname);
			(void) web_disconnect();
			backoff();
			continue;
		case WEB_HOSTDOWN:
			echo_out(nointeract, gettext(MSG_DWNLD_HOSTDWN),
			    ps->url.hport.hostname);
			(void) web_disconnect();
			backoff();
			continue;
		default:
			/* every other failure is a hard failure, so bail */
			ret = B_FALSE;
			goto cleanup;
		}
	}

	if (!retrieved) {
		/* max retries attempted */
		pkgerr_add(err, PKGERR_WEB,
		    gettext(ERR_DWNLD_FAILED), retries);
		ret = B_FALSE;
	}
cleanup:
	(void) web_disconnect();
	if (!ret) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_DWNLD), url);
	}
	return (ret);
}

/*
 * Name:		get_signature
 * Description:	retrieves signature from signed package.
 *
 * Arguments:	err - where to record any errors.
 *		ids_name - name of package stream, for error reporting
 *     		devp - Device on which package resides that we
 *		result - where to store resulting PKCS7 signature
 *
 * Returns :	B_TRUE - package is signed and signature returned OR
 *		package is not signed, in which case result is NULL
 *
 *		B_FALSE - there were problems accessing signature,
 *		and it is unknown whether it is signed or not.  Errors
 *		recorded in 'err'.
 */
boolean_t
get_signature(PKG_ERR *err, char *ids_name, struct pkgdev *devp, PKCS7 **result)
{
	char path[PATH_MAX];
	int len, fd = -1;
	struct stat buf;
	FILE *fp = NULL;
	boolean_t	ret = B_TRUE;
	BIO	*sig_in = NULL;
	PKCS7	*p7 = NULL;

	/*
	 * look for signature.  If one was in the stream,
	 * it is now extracted
	 */
	if (((len = snprintf(path, PATH_MAX, "%s/%s", devp->dirname,
	    SIGNATURE_FILENAME)) >= PATH_MAX) || (len < 0)) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_LEN), ids_name);
		ret = B_FALSE;
		goto cleanup;
	}

	if ((fd = open(path, O_RDONLY|O_NONBLOCK)) == -1) {
		/*
		 * only if the signature is non-existant
		 * do we "pass"
		 */
		if (errno != ENOENT) {
			pkgerr_add(err, PKGERR_WEB, gettext(ERR_OPENSIG),
			    strerror(errno));
			ret = B_FALSE;
			goto cleanup;
		}
	} else {
		/* found sig file.  parse it. */
		if (fstat(fd, &buf) == -1) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_OPENSIG), strerror(errno));
			ret = B_FALSE;
			goto cleanup;
		}

		if (!S_ISREG(buf.st_mode)) {
			pkgerr_add(err, PKGERR_WEB, gettext(ERR_OPENSIG),
			    (gettext(ERR_NOT_REG)));
			ret = B_FALSE;
			goto cleanup;
		}

		if ((fp = fdopen(fd, "r")) == NULL) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_OPENSIG), strerror(errno));
			ret = B_FALSE;
			goto cleanup;
		}

		/*
		 * read in signature.  If it's invalid, we
		 * punt, unless we're ignoring it
		 */
		if ((sig_in = BIO_new_fp(fp, BIO_NOCLOSE)) == NULL) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_OPENSIG), strerror(errno));
			goto cleanup;
		}

		if ((p7 = PEM_read_bio_PKCS7(sig_in,
		    NULL, NULL, NULL)) == NULL) {
			pkgerr_add(err, PKGERR_WEB, gettext(ERR_CORRUPTSIG),
			    ids_name);
			ret = B_FALSE;
			goto cleanup;
		}
		*result = p7;
		p7 = NULL;
	}

cleanup:
	if (sig_in)
		(void) BIO_free(sig_in);
	if (fp)
		(void) fclose(fp);
	if (fd != -1)
		(void) close(fd);
	if (p7)
		(void) PKCS7_free(p7);

	return (ret);
}

/*
 * Name:		echo_out
 * Description:	Conditionally output a message to stdout
 *
 * Arguments:	nointeract - if non-zero, do not output anything
 *		fmt - print format
 *		... - print arguments
 *
 * Returns :	none
 */
/*PRINTFLIKE2*/
void
echo_out(int nointeract, char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);

	if (nointeract)
		return;

	(void) vfprintf(stdout, fmt, ap);

	va_end(ap);

	(void) putc('\n', stdout);
}

/*
 * Name:		strip_port
 * Description:	Returns "port" portion of a "hostname:port" string
 *
 * Arguments:	proxy - full "hostname:port" string pointer
 *
 * Returns :	the "port" portion of a "hostname:port" string,
 *		converted to a decimal integer, or (int)0
 *		if string contains no :port suffix.
 */
ushort_t
strip_port(char *proxy)
{
	char *tmp_port;

	if ((tmp_port = strpbrk(proxy, ":")) != NULL)
		return (atoi(tmp_port));
	else
		return (0);
}

/*
 * Name:		set_web_install
 * Description:	Sets flag indicating we are doing a web-based install
 *
 * Arguments:	none
 *
 * Returns :	none
 */
void
set_web_install(void)
{
	webpkg_install++;
}

/*
 * Name:		is_web_install
 * Description:	Determines whether we are doing a web-based install
 *
 * Arguments:	none
 *
 * Returns :	non-zero if we are doing a web-based install, 0 otherwise
 */
int
is_web_install(void)
{
	return (webpkg_install);
}

/* ~~~~~~~~~~~~~~ Private Functions ~~~~~~~~~~~~~~~~~~~ */

/*
 * Name:		web_disconnect
 * Description:	Disconnects connection to web server
 *
 * Arguments:	none
 *
 * Returns :	B_TRUE - successful disconnect, B_FALSE otherwise
 *		Temp certificiate files are deleted,
 *		if one was used to initiate the connection
 *		(such as when using SSL)
 */
static boolean_t
web_disconnect(void)
{
	if (ps->certfile) {
		(void) unlink(ps->certfile);
	}
	if (http_srv_disconnect(ps->hps) == 0)
		if (http_srv_close(ps->hps) == 0)
			return (B_TRUE);

	return (B_FALSE);
}

/*
 * Name:		check_dwnld_dir
 * Description:	Creates temp download directory
 *
 * Arguments:	err - where to record any errors.
 *     		dwnld_dir - name of directory to create
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 *		on success, directory is created with
 *		safe permissions
 */
static boolean_t
check_dwnld_dir(PKG_ERR *err, char *dwnld_dir)
{
	DIR *dirp;

	/*
	 * Check the directory passed in. If it doesn't exist, create it
	 * with strict permissions
	 */
	if ((dirp = opendir(dwnld_dir)) == NULL) {
		if (mkdir(dwnld_dir, 0744) == -1) {
			pkgerr_add(err, PKGERR_WEB, gettext(MSG_NOTEMP),
			    dwnld_dir);
			return (B_FALSE);
		}
	}
	if (dirp) {
		(void) closedir(dirp);
	}
	return (B_TRUE);
}

/*
 * Name:		ds_validate_signature
 * Description:	Validates signature found in a package datastream
 *
 * Arguments:	err - where to record any errors.
 *		pkgdev - Package context handle of package to verify
 *		pkgs - Null-terminated List of package name to verify
 *		ids_name - Pathname to stream to validate
 *		p7 - PKCS7 signature decoded from stream header
 *		cas - List of trusted CA certificates
 *		proxy - Proxy to use when doing online validation (OCSP)
 *		nointeract - if non-zero, do not output to screen
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 *		success means signature was completely validated,
 *		and contents of stream checked against signature.
 */
boolean_t
ds_validate_signature(PKG_ERR *err, struct pkgdev *pkgdev, char **pkgs,
    char *ids_name, PKCS7 *p7, STACK_OF(X509) *cas,
    url_hport_t *proxy, int nointeract)
{
	BIO			 *p7_bio;
	boolean_t		ret = B_TRUE;

	/* make sure it's a Signed PKCS7 message */
	if (!PKCS7_type_is_signed(p7)) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_CORRUPTSIG_TYPE),
		    ids_name);
		ret = B_FALSE;
		goto cleanup;
	}

	/* initialize PKCS7 object to be filled in */
	if (!PKCS7_get_detached(p7)) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_CORRUPTSIG_DT),
		    ids_name);
		ret = B_FALSE;
		goto cleanup;
	}

	/* dump header and packages into BIO to calculate the message digest */
	if ((p7_bio = PKCS7_dataInit(p7, NULL)) == NULL) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_CORRUPTSIG),
		    ids_name);
		ret = B_FALSE;
		goto cleanup;
	}

	if ((BIO_ds_dump_header(err, p7_bio) != 0) ||
	    (BIO_ds_dump(err, ids_name, p7_bio) != 0)) {
		ret = B_FALSE;
		goto cleanup;
	}
	(void) BIO_flush(p7_bio);

	/* validate the stream and its signature */
	if (!validate_signature(err, ids_name, p7_bio, p7, cas,
	    proxy, nointeract)) {
		ret = B_FALSE;
		goto cleanup;
	}

	/* reset device stream (really bad performance for tapes) */
	(void) ds_close(1);
	(void) ds_init(ids_name, pkgs, pkgdev->norewind);

cleanup:
	return (ret);
}


/*
 * Name:		validate_signature
 * Description:	Validates signature of an arbitrary stream of bits
 *
 * Arguments:	err - where to record any errors.
 *		name - Descriptive name of object being validated,
 *			for good error reporting messages
 *		indata - BIO object to read stream bits from
 *		p7 - PKCS7 signature of stream
 *		cas - List of trusted CA certificates
 *		proxy - Proxy to use when doing online validation (OCSP)
 *		nointeract - if non-zero, do not output to screen
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 *		success means signature was completely validated,
 *		and contents of stream checked against signature.
 */
boolean_t
validate_signature(PKG_ERR *err, char *name, BIO *indata, PKCS7 *p7,
    STACK_OF(X509) *cas, url_hport_t *proxy, int nointeract)
{
	STACK_OF(PKCS7_SIGNER_INFO) *sec_sinfos = NULL;

	PKCS7_SIGNER_INFO	*signer = NULL;
	X509_STORE		*sec_truststore = NULL;
	X509_STORE_CTX		*ctx = NULL;
	X509			*signer_cert = NULL, *issuer = NULL;
	STACK_OF(X509)		*chaincerts = NULL;
	int			i, k;
	unsigned long		errcode;
	const char		*err_data = NULL;
	const char		*err_reason = NULL;
	char			*err_string;
	int			err_flags;
	verify_cb_data_t	verify_data;
	char			*signer_sname;
	char			*signer_iname;
	PKCS7_ISSUER_AND_SERIAL	*ias;
	boolean_t		ret = B_TRUE;

	/* only support signed PKCS7 signatures */
	if (!PKCS7_type_is_signed(p7)) {
	    PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_WRONG_PKCS7_TYPE);
	    ret = B_FALSE;
	    goto cleanup;
	}

	/* initialize temporary internal trust store used for verification */
	sec_truststore = X509_STORE_new();

	for (i = 0; i < sk_X509_num(cas); i++) {
		if (X509_STORE_add_cert(sec_truststore,
		    sk_X509_value(cas, i)) == 0) {
			pkgerr_add(err, PKGERR_VERIFY, gettext(ERR_MEM));
			ret = B_FALSE;
			goto cleanup;
		}
	}

	/* get signers from the signature */
	if ((sec_sinfos = PKCS7_get_signer_info(p7)) == NULL) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_CORRUPTSIG), name);
		ret = B_FALSE;
		goto cleanup;
	}

	/* verify each signer found in the PKCS7 signature */
	for (k = 0; k < sk_PKCS7_SIGNER_INFO_num(sec_sinfos); k++) {
		signer = sk_PKCS7_SIGNER_INFO_value(sec_sinfos, k);
		signer_cert = PKCS7_cert_from_signer_info(p7, signer);
		signer_sname = get_subject_display_name(signer_cert);
		signer_iname = get_issuer_display_name(signer_cert);

		echo_out(nointeract, gettext(MSG_VERIFY), signer_sname);

		/* find the issuer of the current cert */
		chaincerts = p7->d.sign->cert;
		ias = signer->issuer_and_serial;
		issuer = X509_find_by_issuer_and_serial(chaincerts,
		    ias->issuer, ias->serial);

		/* were we not able to find the issuer cert */
		if (issuer == NULL) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_VERIFY_ISSUER),
			    signer_iname, signer_sname);
			ret = B_FALSE;
			goto cleanup;
		}

		/* Lets verify */
		if ((ctx = X509_STORE_CTX_new()) == NULL) {
			pkgerr_add(err, PKGERR_VERIFY, gettext(ERR_MEM));
			ret = B_FALSE;
			goto cleanup;
		}
		(void) X509_STORE_CTX_init(ctx, sec_truststore,
		    issuer, chaincerts);
		(void) X509_STORE_CTX_set_purpose(ctx,
		    X509_PURPOSE_ANY);

		/* callback will perform OCSP on certificates with OCSP data */
		X509_STORE_CTX_set_verify_cb(ctx, web_verify);

		/* pass needed data into callback through the app_data handle */
		verify_data.proxy = proxy;
		verify_data.cas = cas;
		verify_data.err = err;
		(void) X509_STORE_CTX_set_app_data(ctx, &verify_data);

		/* first verify the certificate chain */
		i = X509_verify_cert(ctx);
		if (i <= 0 && ctx->error != X509_V_ERR_CERT_HAS_EXPIRED) {
			signer_sname =
			    get_subject_display_name(ctx->current_cert);
			signer_iname =
			    get_issuer_display_name(ctx->current_cert);
			/* if the verify context holds an error, print it */
			if (ctx->error != X509_V_OK) {
				pkgerr_add(err, PKGERR_VERIFY,
				    gettext(ERR_VERIFY_SIG), signer_sname,
				    signer_iname,
			    (char *)X509_verify_cert_error_string(ctx->error));
			} else {
				/* some other error.  print them all. */
				while ((errcode = ERR_get_error_line_data(NULL,
				    NULL, &err_data, &err_flags)) != 0) {
					size_t errsz;
					err_reason =
					    ERR_reason_error_string(errcode);
					if (err_reason == NULL) {
						err_reason =
						    gettext(ERR_SIG_INT);
					}

					if (!(err_flags & ERR_TXT_STRING)) {
						err_data =
						    gettext(ERR_SIG_INT);
					}
					errsz = strlen(err_reason) +
					    strlen(err_data) + 3;
					err_string = xmalloc(errsz);
					(void) snprintf(err_string, errsz,
					    "%s: %s", err_reason, err_data);
					pkgerr_add(err, PKGERR_VERIFY,
					    gettext(ERR_VERIFY_SIG),
					    signer_sname, signer_iname,
					    err_string);
					free(err_string);
				}
			}
			ret = B_FALSE;
			goto cleanup;
		}

		/* now verify the signature */
		i = PKCS7_signatureVerify(indata, p7, signer, issuer);

		if (i <= 0) {
			/* print out any OpenSSL-specific errors */
			signer_sname =
			    get_subject_display_name(ctx->current_cert);
			signer_iname =
			    get_subject_display_name(ctx->current_cert);
			while ((errcode = ERR_get_error_line_data(NULL,
			    NULL, &err_data, &err_flags)) != 0) {
				err_reason =
				    ERR_reason_error_string(errcode);
				if (err_reason == NULL) {
					err_reason =
					    gettext(ERR_SIG_INT);
				}

				if (!(err_flags & ERR_TXT_STRING)) {
					err_data =
					    gettext(ERR_SIG_INT);
				}
				pkgerr_add(err, PKGERR_VERIFY,
				    gettext(ERR_VERIFY_SIG), signer_sname,
				    signer_iname, err_reason);
				pkgerr_add(err, PKGERR_VERIFY,
				    gettext(ERR_VERIFY_SIG), signer_sname,
				    signer_iname, err_data);
			}
			ret = B_FALSE;
			goto cleanup;
		}

		echo_out(nointeract, gettext(MSG_VERIFY_OK), signer_sname);
	}

	/* signature(s) verified successfully */
cleanup:
	if (ctx)
		X509_STORE_CTX_cleanup(ctx);
	return (ret);
}

/*
 * Name:		web_verify
 * Description:	Callback used by PKCS7_dataVerify when
 *		verifying a certificate chain.
 *
 * Arguments:	err - where to record any errors.
 *     		ctx - The context handle of the current verification operation
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 *		if it's '0' (not OK) we simply return it, since the
 *		verification operation has already determined that the
 *		cert is invalid.  if 'ok' is non-zero, then we do our
 *		checks, and return 0 or 1 based on if the cert is
 *		invalid or valid.
 */
static int
web_verify(int ok, X509_STORE_CTX *ctx)
{
	X509	*curr_cert;
	X509	*curr_issuer;
	char	*uri;
	url_hport_t	*proxy;
	PKG_ERR	*err = NULL;
	STACK_OF(X509) *cas;
	if (!ok) {
		/* don't override a verify failure */
		return (ok);
	}


	/* get app data supplied through callback context */
	err = ((verify_cb_data_t *)X509_STORE_CTX_get_app_data(ctx))->err;
	proxy = ((verify_cb_data_t *)X509_STORE_CTX_get_app_data(ctx))->proxy;
	cas = ((verify_cb_data_t *)X509_STORE_CTX_get_app_data(ctx))->cas;

	/* Check revocation status */
	curr_cert = X509_STORE_CTX_get_current_cert(ctx);

	/* this shouldn't happen */
	if (curr_cert == NULL) {
		pkgerr_add(err, PKGERR_INTERNAL, gettext(ERR_PKG_INTERNAL),
		    __FILE__, __LINE__);
		return (0);
	}

	/* don't perform OCSP unless cert has required OCSP extensions */
	if (get_ocsp_uri(curr_cert, &uri)) {
		if (get_issuer(&curr_issuer, ctx, curr_cert) <= 0) {
			/* no issuer! */
			pkgerr_add(err, PKGERR_INTERNAL,
			    gettext(ERR_PKG_INTERNAL),
			    __FILE__, __LINE__);
			return (0);
		}

		/*
		 * ok we have the current cert
		 * and its issuer.  Do the OCSP check
		 */

		/*
		 * OCSP extensions are, by, RFC 2459, never critical
		 * extensions, therefore, we only fail if we were able
		 * to explicitly contact an OCSP responder, and that
		 * responder did not indicate the cert was valid.  We
		 * also fail if user-supplied data could not be parsed
		 * or we run out of memory.  We succeeed for "soft"
		 * failures, such as not being able to connect to the
		 * OCSP responder, or trying to use if the OCSP URI
		 * indicates SSL must be used (which we do not
		 * support)
		 */
		switch (ocsp_verify(err, curr_cert, curr_issuer,
		    uri, proxy, cas)) {
		case OCSPMem:		/* Ran out of memory */
		case OCSPInternal:	/* Some internal error */
		case OCSPVerify:	/* OCSP responder indicated fail */
			return (0);
		}
		/* all other cases are success, or soft failures */
		pkgerr_clear(err);
	}

	return (ok);
}

/*
 * Name:		get_time_string
 * Description:	Generates a human-readable string from an ASN1_GENERALIZED_TIME
 *
 * Arguments:	intime - The time to convert
 *
 * Returns :	A pointer to a static string representing the passed-in time.
 */
static char
*get_time_string(ASN1_GENERALIZEDTIME *intime)
{

	static char	time[ATTR_MAX];
	BIO		*mem;
	char	*p;

	if (intime == NULL) {
		return (NULL);
	}
	if ((mem = BIO_new(BIO_s_mem())) == NULL) {
		return (NULL);
	}

	if (ASN1_GENERALIZEDTIME_print(mem, intime) == 0) {
		(void) BIO_free(mem);
		return (NULL);
	}

	if (BIO_gets(mem, time, ATTR_MAX) <= 0) {
		(void) BIO_free(mem);
		return (NULL);
	}

	(void) BIO_free(mem);

	/* trim the end of the string */
	for (p = time + strlen(time) - 1; isspace(*p); p--) {
		*p = '\0';
	}

	return (time);
}

/*
 * Name:		get_ocsp_uri
 * Description:	Examines an X509 certificate and retrieves the embedded
 *		OCSP Responder URI if one exists.
 *
 * Arguments:	cert - The cert to inspect
 *     		uri - pointer where the newly-allocated URI is placed, if found
 *
 * Returns :	Success if the URI was found.  Appropriate status otherwise.
 */
static boolean_t
get_ocsp_uri(X509 *cert, char **uri)
{
	AUTHORITY_INFO_ACCESS		*aia;
	ACCESS_DESCRIPTION		*ad;
	int				i;

	if (getenv("PKGWEB_TEST_OCSP")) {
		*uri = xstrdup(getenv("PKGWEB_TEST_OCSP"));
		return (B_TRUE);
	}

	/* get the X509v3 extension holding the OCSP URI */
	if ((aia = X509_get_ext_d2i(cert, NID_info_access,
	    NULL, NULL)) != NULL) {
		for (i = 0; i < sk_ACCESS_DESCRIPTION_num(aia); i++) {
			ad = sk_ACCESS_DESCRIPTION_value(aia, i);
			if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
				if (ad->location->type == GEN_URI) {
					*uri =
		    xstrdup((char *)ASN1_STRING_data(ad->location->d.ia5));
					return (B_TRUE);
				}
			}
		}
	}

	/* no URI was found */
	return (B_FALSE);
}

/*
 * Name:		ocsp_verify
 * Description:	Attempts to contact an OCSP Responder and ascertain the validity
 *		of an X509 certificate.
 *
 * Arguments:	err - Error object to add error messages to
 *		cert - The cert to validate
 *		issuer - The certificate of the issuer of 'cert'
 *     		uri - The OCSP Responder URI
 *		cas - The trusted CA certificates used to verify the
 *		signed OCSP response
 * Returns :	Success - The OCSP Responder reported a 'good'
 *		status for the cert otherwise, appropriate
 *		error is returned.
 */
static OCSPStatus
ocsp_verify(PKG_ERR *err, X509 *cert, X509 *issuer,
    char *uri, url_hport_t *proxy, STACK_OF(X509) *cas)
{
	OCSP_CERTID		*id;
	OCSP_REQUEST		*req;
	OCSP_RESPONSE		*resp;
	OCSP_BASICRESP		*bs;
	BIO			*cbio, *mem;
	char			ocspbuf[OCSP_BUFSIZ];
	char *host = NULL, *portstr = NULL, *path = "/", *p, *q, *r;
	int		port, status, reason;
	int	len, retval, respcode, use_ssl = 0;
	ASN1_GENERALIZEDTIME	*rev, *thisupd, *nextupd;
	char	*subjname;
	time_t			currtime;
	char			currtimestr[ATTR_MAX];
	unsigned long		errcode;
	const char		*err_reason;

	subjname = get_subject_display_name(cert);

	/* parse the URI into its constituent parts */
	if (OCSP_parse_url(uri, &host, &portstr, &path, &use_ssl) == NULL) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_OCSP_PARSE), uri);
		return (OCSPParse);
	}

	/* we don't currently support SSL-based OCSP Responders */
	if (use_ssl) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_OCSP_UNSUP), uri);
		return (OCSPUnsupported);
	}

	/* default port if none specified */
	if (portstr == NULL) {
		port = (int)URL_DFLT_SRVR_PORT;
	} else {
		port = (int)strtoul(portstr, &r, 10);
		if (*r != '\0') {
			pkgerr_add(err, PKGERR_PARSE,
			    gettext(ERR_OCSP_PARSE), uri);
			return (OCSPParse);
		}
	}

	/* allocate new request structure */
	if ((req = OCSP_REQUEST_new()) == NULL) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_MEM));
		return (OCSPMem);
	}

	/* convert cert and issuer fields into OCSP request data */
	if ((id = OCSP_cert_to_id(NULL, cert, issuer)) == NULL) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_PKG_INTERNAL),
		    __FILE__, __LINE__);
		return (OCSPInternal);
	}

	/* fill out request structure with request data */
	if ((OCSP_request_add0_id(req, id)) == NULL) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_PKG_INTERNAL),
		    __FILE__, __LINE__);
		return (OCSPInternal);
	}

	/* add nonce */
	(void) OCSP_request_add1_nonce(req, NULL, -1);

	/* connect to host, or proxy */
	if (proxy != NULL) {
		if ((cbio = BIO_new_connect(proxy->hostname)) == NULL) {
			pkgerr_add(err, PKGERR_PARSE, gettext(ERR_MEM));
			return (OCSPMem);
		}

		/*
		 * BIO_set_conn_int_port takes an int *, so let's give it one
		 * rather than an ushort_t *
		 */
		port = proxy->port;
		(void) BIO_set_conn_int_port(cbio, &port);
		if (BIO_do_connect(cbio) <= 0) {
			pkgerr_add(err, PKGERR_PARSE,
			    gettext(ERR_OCSP_CONNECT),
			    proxy->hostname, port);
			return (OCSPConnect);
		}
	} else {
		if ((cbio = BIO_new_connect(host)) == NULL) {
			pkgerr_add(err, PKGERR_PARSE, gettext(ERR_MEM));
			return (OCSPMem);
		}

		(void) BIO_set_conn_int_port(cbio, &port);
		if (BIO_do_connect(cbio) <= 0) {
			pkgerr_add(err, PKGERR_PARSE,
			    gettext(ERR_OCSP_CONNECT),
			    host, port);
			return (OCSPConnect);
		}
	}

	/* calculate length of binary request data */
	len = i2d_OCSP_REQUEST(req, NULL);

	/* send the request headers */
	if (proxy != NULL) {
		retval = BIO_printf(cbio, OCSP_REQUEST_FORMAT, uri, len);
	} else {
		retval = BIO_printf(cbio, OCSP_REQUEST_FORMAT, path, len);
	}

	if (retval <= 0) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_OCSP_SEND), host);
		return (OCSPRequest);
	}

	/* send the request binary data */
	if (i2d_OCSP_REQUEST_bio(cbio, req) <= 0) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_OCSP_SEND), host);
		return (OCSPRequest);
	}

	/*
	 * read the response into a memory BIO, so we can 'gets'
	 * (socket bio's don't support BIO_gets)
	 */
	if ((mem = BIO_new(BIO_s_mem())) == NULL) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_MEM));
		return (OCSPMem);
	}

	while ((len = BIO_read(cbio, ocspbuf, OCSP_BUFSIZ))) {
		if (len < 0) {
			pkgerr_add(err, PKGERR_PARSE,
			    gettext(ERR_OCSP_READ), host);
			return (OCSPRequest);
		}
		if (BIO_write(mem, ocspbuf, len) != len) {
			pkgerr_add(err, PKGERR_PARSE, gettext(ERR_MEM));
			return (OCSPMem);
		}
	}

	/* now get the first line of the response */
	if (BIO_gets(mem, ocspbuf, OCSP_BUFSIZ) <= 0) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_OCSP_RESP_PARSE));
		return (OCSPRequest);
	}

	/* parse the header response */
	/* it should look like "HTTP/x.x 200 OK" */

	/* skip past the protocol info */
	for (p = ocspbuf; (*p != '\0') && !isspace(*p); p++)
		continue;

	/* skip past whitespace betwen protocol and start of response code */
	while ((*p != '\0') && isspace(*p)) {
		p++;
	}

	if (*p == '\0') {
		/* premature end */
		pkgerr_add(err, PKGERR_PARSE,
		    gettext(ERR_OCSP_RESP_PARSE), ocspbuf);
		return (OCSPRequest);
	}

	/* find end of response code */
	for (q = p; (*q != NULL) && !isspace(*q); q++)
		continue;

	/* mark end of response code */
	*q++ = '\0';

	/* parse response code */
	respcode = strtoul(p, &r, 10);
	if (*r != '\0') {
		pkgerr_add(err, PKGERR_PARSE,
		    gettext(ERR_OCSP_RESP_PARSE), ocspbuf);
		return (OCSPRequest);
	}

	/* now find beginning of the response string */
	while ((*q != NULL) && isspace(*q)) {
		q++;
	}

	/* trim whitespace from end of message */
	for (r = (q + strlen(q) - 1); isspace(*r); r--) {
		*r = '\0';
	}

	/* response must be OK */
	if (respcode != 200) {
		pkgerr_add(err, PKGERR_PARSE,
		    gettext(ERR_OCSP_RESP_NOTOK), 200,
		    respcode, q);
		return (OCSPRequest);
	}

	/* read headers, looking for content-type or a blank line */
	while (BIO_gets(mem, ocspbuf, OCSP_BUFSIZ) > 0) {

		/* if we get a content type, make sure it's the right type */
		if (ci_strneq(ocspbuf, CONTENT_TYPE_HDR,
		    strlen(CONTENT_TYPE_HDR))) {

			/* look for the delimiting : */
			p = strchr(ocspbuf + strlen(CONTENT_TYPE_HDR), ':');

			if (p == NULL) {
				pkgerr_add(err, PKGERR_PARSE,
				    gettext(ERR_OCSP_RESP_PARSE), ocspbuf);
				return (OCSPResponder);
			}

			/* skip over ':' */
			p++;

			/* find beginning of the content type */
			while ((*p != NULL) && isspace(*p)) {
				p++;
			}

			if (!ci_strneq(p, CONTENT_OCSP_RESP,
			    strlen(CONTENT_OCSP_RESP))) {
				/* response is not right type */
				pkgerr_add(err, PKGERR_PARSE,
				    gettext(ERR_OCSP_RESP_TYPE),
				    p, CONTENT_OCSP_RESP);
				return (OCSPResponder);
			}

			/* continue with next header line */
			continue;
		}

		/* scan looking for a character */
		for (p = ocspbuf; (*p != '\0') && isspace(*p); p++) {
			continue;
		}
		/*
		 * if we got to the end of the line with
		 *  no chars, then this is a blank line
		 */
		if (*p == '\0') {
			break;
		}
	}


	if (*p != '\0') {
		/* last line was not blank */
		pkgerr_add(err, PKGERR_PARSE,
		    gettext(ERR_OCSP_RESP_PARSE), ocspbuf);
		return (OCSPResponder);
	}

	/* now read in the binary response */
	if ((resp = d2i_OCSP_RESPONSE_bio(mem, NULL)) == NULL) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_OCSP_READ), host);
		return (OCSPResponder);
	}

	/* free temp BIOs */
	(void) BIO_free(mem);
	(void) BIO_free_all(cbio);
	cbio = NULL;

	/* make sure request was successful */
	if (OCSP_response_status(resp) != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_OCSP_RESP_NOTOK),
		    OCSP_RESPONSE_STATUS_SUCCESSFUL,
		    OCSP_response_status(resp),
		    OCSP_response_status_str(OCSP_response_status(resp)));
		return (OCSPResponder);
	}

	/* parse binary response into internal structure */
	if ((bs = OCSP_response_get1_basic(resp)) == NULL) {
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_OCSP_READ), host);
		return (OCSPParse);
	}

	/*
	 * From here to the end of the code, the return values
	 * should be hard failures
	 */

	/* verify the response, warn if no nonce */
	if (OCSP_check_nonce(req, bs) <= 0) {
		logerr(pkg_gt(WRN_OCSP_RESP_NONCE));
	}

	if (OCSP_basic_verify(bs, cas, NULL, OCSP_TRUSTOTHER) <= 0) {
		while ((errcode = ERR_get_error()) != NULL) {
			err_reason = ERR_reason_error_string(errcode);
			if (err_reason == NULL) {
				err_reason =
				    gettext(ERR_SIG_INT);
			}
			pkgerr_add(err, PKGERR_PARSE, (char *)err_reason);
		}
		pkgerr_add(err, PKGERR_PARSE, gettext(ERR_OCSP_VERIFY_FAIL),
		    uri);
		return (OCSPVerify);
	}

	/* check the validity of our certificate */
	if (OCSP_resp_find_status(bs, id, &status, &reason,
	    &rev, &thisupd, &nextupd) == NULL) {
		pkgerr_add(err, PKGERR_PARSE,
		    gettext(ERR_OCSP_VERIFY_NO_STATUS), subjname);
		return (OCSPVerify);
	}

	if ((currtime = time(NULL)) == (time_t)-1) {
		pkgerr_add(err, PKGERR_PARSE,
		    gettext(ERR_OCSP_VERIFY_NOTIME));
		return (OCSPVerify);
	}

	(void) strlcpy(currtimestr, ctime(&currtime), ATTR_MAX);

	/* trim end */
	for (r = currtimestr + strlen(currtimestr) - 1;
		isspace(*r); r--) {
		*r = '\0';
	}

	if (!OCSP_check_validity(thisupd, nextupd,
	    OCSP_VALIDITY_PERIOD, -1)) {
		if (nextupd != NULL) {
			pkgerr_add(err, PKGERR_PARSE,
			    gettext(ERR_OCSP_VERIFY_VALIDITY),
			    get_time_string(thisupd), get_time_string(nextupd),
			    currtimestr);
		} else {
			pkgerr_add(err, PKGERR_PARSE,
			    gettext(ERR_OCSP_VERIFY_VALIDITY),
			    get_time_string(thisupd),
			    currtimestr);
		}
		return (OCSPVerify);
	}

	if (status != V_OCSP_CERTSTATUS_GOOD) {
		pkgerr_add(err, PKGERR_PARSE,
		    gettext(ERR_OCSP_VERIFY_STATUS), subjname,
		    OCSP_cert_status_str(status));
		return (OCSPVerify);
	}

	/* everythign checks out */
	return (OCSPSuccess);
}

/*
 * Name:		get_issuer
 * Description:	Attempts to find the issuing certificate for a given certificate
 *		This will look in both the list of trusted certificates found in
 *		the X509_STORE_CTX structure, as well as the list of untrusted
 *		chain certificates found in the X509_STORE_CTX structure.
 * Arguments:
 *		issuer - The resulting issuer cert is placed here, if found
 *		ctx - The current verification context
 *		x - The certificate whose issuer we are looking for
 * Returns :	Success - The issuer cert was found and placed in *issuer.
 *		otherwise, appropriate error is returned.
 */
static int
get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
	int		i, ok;

	/*
	 * first look in the list of trusted
	 * certs, using the context's method to do so
	 */
	if ((ok = ctx->get_issuer(issuer, ctx, x)) > 0) {
		return (ok);
	}

	if (ctx->untrusted != NULL) {
		/* didn't find it in trusted certs, look through untrusted */
		for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
			if (X509_check_issued(sk_X509_value(ctx->untrusted, i),
			    x) == X509_V_OK) {
				*issuer = sk_X509_value(ctx->untrusted, i);
				return (1);
			}
		}
	}
	*issuer = NULL;
	return (0);
}

/*
 * Name:		parse_url_proxy
 * Description:	Parses URL and optional proxy specification, populates static
 *		'ps' structure
 *
 * Arguments:	err - where to record any errors.
 *		url - URL to parse
 *		proxy - proxy to parse, or NULL for no proxy
 *		proxy_port - Default proxy port to use if no proxy
 *		port specified in 'proxy'
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 *		on success, 'ps->url' and 'ps->proxy' are populated
 *		with parsed data.
 */
static boolean_t
parse_url_proxy(PKG_ERR *err, char *url, char *proxy, ushort_t proxy_port)
{
	boolean_t ret = B_TRUE;
	if (!path_valid(url)) {
		ret = B_FALSE;
		goto cleanup;
	}

	if (url_parse(url, &ps->url) != URL_PARSE_SUCCESS) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_PARSE_URL), url);
		ret = B_FALSE;
		goto cleanup;
	}

	if (proxy != NULL) {
		if (url_parse_hostport(proxy, &ps->proxy, proxy_port)
				!= URL_PARSE_SUCCESS) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_BAD_PROXY), proxy);
			ret = B_FALSE;
			goto cleanup;
		}
	}

cleanup:
	return (ret);
}

/*
 * Name:		web_setup
 * Description:	Initializes http library settings
 *
 * Arguments:	err - where to record any errors.
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 */
static boolean_t
web_setup(PKG_ERR *err)
{
	boolean_t ret = B_TRUE;
	static boolean_t keepalive = B_TRUE;

	if ((ps->hps = http_srv_init(&ps->url)) == NULL) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_INIT_SESS), ps->url);
		ret = B_FALSE;
		goto cleanup;
	}

	if (getenv("WEBPKG_DEBUG") != NULL) {
		http_set_verbose(B_TRUE);
	}

	if (ps->proxy.hostname[0] != '\0' &&
			http_set_proxy(ps->hps, &ps->proxy) != 0) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_INIT_SESS), ps->url);
		ret = B_FALSE;
		goto cleanup;
	}
	if (http_set_keepalive(ps->hps, keepalive) != 0) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_INIT_SESS), ps->url);
		ret = B_FALSE;
		goto cleanup;
	}
	if (http_set_socket_read_timeout(ps->hps, ps->timeout) != 0) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_INIT_SESS), ps->url);
		ret = B_FALSE;
		goto cleanup;
	}
	if (http_set_random_file(ps->hps, RANDOM) != 0) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_INIT_SESS), ps->url);
		ret = B_FALSE;
		goto cleanup;
	}

	(void) http_set_p12_format(B_TRUE);

cleanup:
	return (ret);
}

/*
 * Name:		web_connect
 * Description:	Makes connection with URL stored in static 'ps' structure.
 *
 * Arguments:	err - where to record any errors.
 *
 * Returns :   	WEB_OK - connection successful
 *		WEB_VERIFY_SETUP - Unable to complete necessary
 *			SSL setup
 *		WEB_CONNREFUSED - Connection was refused to web site
 *		WEB_HOSTDOWN - Host was not responding to request
 *		WEB_NOCONNECT - Some other connection failure
 */
static WebStatus
web_connect(PKG_ERR *err)
{
	STACK_OF(X509)  *sec_cas = NULL;
	char *path;
	WebStatus ret = WEB_OK;
	ulong_t		errcode;
	uint_t		errsrc;
	int		my_errno = 0;
	const char		*libhttperr = NULL;

	if (ps->url.https == B_TRUE) {
		/* get CA certificates */
		if (find_ca_certs(err, ps->keystore, &sec_cas) != 0) {
			ret = WEB_VERIFY_SETUP;
			goto cleanup;
		}

		if (sk_X509_num(sec_cas) < 1) {
			/* no trusted websites */
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_KEYSTORE_NOTRUST));
			ret = WEB_VERIFY_SETUP;
			goto cleanup;
		}

		/*
		 * write out all CA certs to temp file.  libwanboot should
		 * have an interface for giving it a list of trusted certs
		 * through an in-memory structure, but currently that does
		 * not exist
		 */
		if ((path = write_ca_file(err, ps->dwnld_dir, sec_cas,
		    WEB_CA_PHRASE)) == NULL) {
			ret = WEB_VERIFY_SETUP;
			goto cleanup;
		}

		ps->certfile = path;
		if (http_set_password(ps->hps, WEB_CA_PHRASE) != 0) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_HTTPS_PASSWD));
			ret = WEB_VERIFY_SETUP;
			goto cleanup;
		}

		if (http_set_certificate_authority_file(path) != 0) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_HTTPS_CA));
			ret = WEB_VERIFY_SETUP;
			goto cleanup;
		}
	}

	if (http_srv_connect(ps->hps) != 0) {
		while ((errcode = http_get_lasterr(ps->hps, &errsrc)) != 0) {
			/* Have an error - is it EINTR? */
			if (errsrc == ERRSRC_SYSTEM) {
				my_errno = errcode;
				break;
			} else if (libhttperr == NULL) {
				/* save the first non-system error message */
				libhttperr = http_errorstr(errsrc, errcode);
			}
		}
		switch (my_errno) {
		case EINTR:
		case ETIMEDOUT:
				/* Timed out.  Try, try again */
			ret = WEB_TIMEOUT;
			break;
		case ECONNREFUSED:
			ret = WEB_CONNREFUSED;
			break;
		case EHOSTDOWN:
			ret = WEB_HOSTDOWN;
			break;
		default:
				/* some other fatal error */
			ret = WEB_NOCONNECT;
			if (libhttperr == NULL) {
				pkgerr_add(err, PKGERR_WEB,
				    gettext(ERR_INIT_CONN),
				    ps->url.hport.hostname);
			} else {
				pkgerr_add(err, PKGERR_WEB,
				    gettext(ERR_HTTP), libhttperr);
			}
			break;
		}
	}
cleanup:
	return (ret);
}

/*
 * Name:		write_ca_file
 * Description:	Writes out a PKCS12 file containing all trusted certs
 *		found in keystore recorded in static 'ps' structure
 *
 *		This routine is used because the libwanboot library's
 *		HTTPS routines cannot accept trusted certificates
 *		through an in-memory structure, when initiating an
 *		SSL connection.  They must be in a PKCS12, which is
 *		admittedly a poor interface.
 *
 * Arguments:	err - where to record any errors.
 *     		tmpdir - Directory to write certificate file in
 *		cacerts - Certs to write out
 *		passwd - password used to encrypt certs
 *
 * Returns :	path to resulting file, if successfullly written,
 *		otherwise NULL.
 */
static char
*write_ca_file(PKG_ERR *err, char *tmpdir, STACK_OF(X509) *cacerts,
    char *passwd)
{
	int fd, len;
	FILE *fp;
	PKCS12	*p12 = NULL;
	char *ret = NULL;
	static char tmp_file[PATH_MAX] = "";
	struct stat buf;

	if (!path_valid(tmpdir)) {
		pkgerr_add(err, PKGERR_WEB, gettext(MSG_NOTEMP), tmpdir);
		goto cleanup;
	}

	/* mkstemp replaces XXXXXX with a unique string */
	if (((len = snprintf(tmp_file, PATH_MAX, "%s/%sXXXXXX", tmpdir,
	    "cert")) < 0) ||
	    (len >= PATH_MAX)) {
		pkgerr_add(err, PKGERR_WEB, gettext(MSG_NOTEMP), tmpdir);
		goto cleanup;
	}

	if ((fd = mkstemp(tmp_file)) == -1) {
		pkgerr_add(err, PKGERR_WEB, gettext(MSG_NOTMPFIL), tmp_file);
		goto cleanup;
	}

	if (fstat(fd, &buf) == -1) {
		pkgerr_add(err, PKGERR_WEB, gettext(MSG_NOTMPFIL), tmp_file);
		goto cleanup;
	}

	if (!S_ISREG(buf.st_mode)) {
		pkgerr_add(err, PKGERR_WEB, gettext(MSG_NOTMPFIL), tmp_file);
		goto cleanup;
	}

	if ((fp = fdopen(fd, "w")) == NULL) {
		pkgerr_add(err, PKGERR_WEB, gettext(MSG_NOTMPFIL), tmp_file);
		goto cleanup;
	}

	if ((p12 = sunw_PKCS12_create(passwd, NULL, NULL, cacerts)) == NULL) {
		pkgerr_add(err, PKGERR_WEB,
		    gettext(ERR_KEYSTORE_FORM), tmp_file);
		goto cleanup;
	}

	if (i2d_PKCS12_fp(fp, p12) == 0) {
		pkgerr_add(err, PKGERR_WEB,
		    gettext(ERR_KEYSTORE_FORM), tmp_file);
		goto cleanup;
	}

	(void) fflush(fp);
	(void) fclose(fp);
	(void) close(fd);
	fp = NULL;
	fd = -1;
	ret = tmp_file;

cleanup:
	if (p12 != NULL)
		PKCS12_free(p12);
	if (fp != NULL)
		(void) fclose(fp);
	if (fd != -1) {
		(void) close(fd);
		(void) unlink(tmp_file);
	}

	return (ret);
}

/*
 * Name:		web_send_request
 * Description:	Sends an HTTP request for a file to the
 *		web server being communicated with in the static
 *		'ps' structure
 *
 * Arguments:	err - where to record any errors.
 *		request_type - HTTP_REQ_TYPE_HEAD to send an HTTP HEAD request,
 *		or HTTP_REQ_TYPE_GET to send an HTTP GET request
 *		cp -
 * Returns :   	WEB_OK - request sent successfully
 *		WEB_CONNREFUSED - Connection was refused to web site
 *		WEB_HOSTDOWN - Host was not responding to request
 *		WEB_NOCONNECT - Some other connection failure
 */
static WebStatus
web_send_request(PKG_ERR *err, int request_type, int cp, int ep)
{
	WebStatus ret = WEB_OK;
	ulong_t		errcode;
	uint_t		errsrc;
	int		my_errno = 0;
	const char		*libhttperr = NULL;
	switch (request_type) {
	case HTTP_REQ_TYPE_HEAD:
		if ((http_head_request(ps->hps, ps->url.abspath)) != 0) {
			while ((errcode = http_get_lasterr(ps->hps,
			    &errsrc)) != 0) {
				/* Have an error - is it EINTR? */
			    if (errsrc == ERRSRC_SYSTEM) {
				    my_errno = errcode;
				    break;
			    } else if (libhttperr == NULL) {
				    /* save first non-system error message */
				    libhttperr =
					http_errorstr(errsrc, errcode);
			    }
			}
			switch (my_errno) {
			    case EINTR:
			case ETIMEDOUT:
				/* Timed out.  Try, try again */
				ret = WEB_TIMEOUT;
				break;
			case ECONNREFUSED:
				ret = WEB_CONNREFUSED;
				break;
			case EHOSTDOWN:
				ret = WEB_HOSTDOWN;
				break;
			default:
				/* some other fatal error */
				ret = WEB_NOCONNECT;
				if (libhttperr == NULL) {
					pkgerr_add(err, PKGERR_WEB,
					    gettext(ERR_INIT_CONN),
					    ps->url.hport.hostname);
				} else {
					pkgerr_add(err, PKGERR_WEB,
					    gettext(ERR_HTTP), libhttperr);
				}
				break;
			}
			goto cleanup;
			}
		break;

	case HTTP_REQ_TYPE_GET:
		if (cp && ep) {
			if (http_get_range_request(ps->hps, ps->url.abspath,
			    cp, ep - cp) != 0) {
				while ((errcode = http_get_lasterr(ps->hps,
				    &errsrc)) != 0) {
					/* Have an error - is it EINTR? */
					if (errsrc == ERRSRC_SYSTEM) {
						my_errno = errcode;
						break;
					} else {
						/*
						 * save first non-system
						 * error message
						 */
						libhttperr =
						    http_errorstr(errsrc,
							errcode);
					}
				}
				switch (my_errno) {
				case EINTR:
				case ETIMEDOUT:
					/* Timed out.  Try, try again */
					ret = WEB_TIMEOUT;
					break;
				case ECONNREFUSED:
					ret = WEB_CONNREFUSED;
					break;
				case EHOSTDOWN:
					ret = WEB_HOSTDOWN;
					break;
				default:
					/* some other fatal error */
					ret = WEB_NOCONNECT;
					if (libhttperr == NULL) {
						pkgerr_add(err, PKGERR_WEB,
						    gettext(ERR_INIT_CONN),
						    ps->url.hport.hostname);
					} else {
						pkgerr_add(err, PKGERR_WEB,
						    gettext(ERR_HTTP),
						    libhttperr);
					}
					break;
				}
				goto cleanup;
			}

			if (!web_eval_headers(err)) {
				ret = WEB_NOCONNECT;
				goto cleanup;
			}
		} else {
			if ((http_get_request(ps->hps, ps->url.abspath))
					!= 0) {
				while ((errcode = http_get_lasterr(ps->hps,
				    &errsrc)) != 0) {
					/* Have an error - is it EINTR? */
					if (errsrc == ERRSRC_SYSTEM) {
						my_errno = errcode;
						break;
					} else {
						/*
						 * save the first non-system
						 * error message
						 */
						libhttperr =
						    http_errorstr(errsrc,
							errcode);
					}
				}
				switch (my_errno) {
				case EINTR:
				case ETIMEDOUT:
					/* Timed out.  Try, try again */
					ret = WEB_TIMEOUT;
					break;
				case ECONNREFUSED:
					ret = WEB_CONNREFUSED;
					break;
				case EHOSTDOWN:
					ret = WEB_HOSTDOWN;
					break;
				default:
					/* some other fatal error */
					ret = WEB_NOCONNECT;
					if (libhttperr == NULL) {
						pkgerr_add(err, PKGERR_WEB,
						    gettext(ERR_INIT_CONN),
						    ps->url.hport.hostname);
					} else {
						pkgerr_add(err, PKGERR_WEB,
						    gettext(ERR_HTTP),
						    libhttperr);
					}
					break;
				}
				goto cleanup;
			}

			if (!web_eval_headers(err)) {
				ret = WEB_NOCONNECT;
				goto cleanup;
			}
		}
		break;
	default:
		pkgerr_add(err, PKGERR_INTERNAL, gettext(ERR_PKG_INTERNAL),
		    __FILE__, __LINE__);
	}

cleanup:
	return (ret);
}

/*
 * Name:		web_eval_headers
 * Description:	Evaluates HTTP headers returned during an HTTP request.
 *		This must be called before calling
 *		http_get_header_value().
 *
 * Arguments:	err - where to record any errors.
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 */
static boolean_t
web_eval_headers(PKG_ERR *err)
{
	const char *http_err;
	ulong_t herr;
	uint_t errsrc;

	if (http_process_headers(ps->hps, &ps->resp) != 0) {
		if ((ps->resp != NULL) && (ps->resp->statusmsg != NULL)) {
			pkgerr_add(err, PKGERR_WEB, gettext(ERR_HTTP),
			    ps->resp->statusmsg);
		}

		herr = http_get_lasterr(ps->hps, &errsrc);
		http_err = http_errorstr(errsrc, herr);
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_HTTP),
		    http_err);
		return (B_FALSE);
	}
	return (B_TRUE);
}

/*
 * Name:		web_get_file
 * Description:	Downloads the file URL from the website, all of
 *		which are recorded in the static 'ps' struct
 *
 * Arguments:	err - where to record any errors.
 *		dwnld_dir - Directory to download file into
 *		device - Where to store path to resulting
 *			file
 *		nointeract - if non-zero, do not output
 *		progress
 *		fname - name of downloaded file link in the dwnld_dir
 *
 * Returns :   	WEB_OK - download successful
 *		WEB_CONNREFUSED - Connection was refused to web site
 *		WEB_HOSTDOWN - Host was not responding to request
 *		WEB_GET_FAIL - Unable to initialize download
 *		state (temp file creation, header parsing, etc)
 *		WEB_NOCONNECT - Some other connection failure
 */
static WebStatus
web_get_file(PKG_ERR *err, char *dwnld_dir, int nointeract, char **fname)
{
	int		i, fd;
	int		n = 0;
	ulong_t		abs_pos = 0;
	char		*head_val = NULL;
	char		*lastmod_val = NULL;
	char		*bname = NULL;
	struct stat	status;
	WebStatus	ret = WEB_OK;
	WebStatus	req_ret;
	ulong_t		errcode;
	uint_t		errsrc;
	int		my_errno = 0;
	const char	*libhttperr = NULL;
	char		*disp;
	char		tmp_file[PATH_MAX];
	int		len;

	ps->data.prev_cont_length =
	ps->data.content_length =
	ps->data.cur_pos = 0;

	if ((head_val = http_get_header_value(ps->hps,
	    CONTENT_LENGTH_HDR)) != NULL) {
		ps->data.content_length = atol(head_val);
	} else {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_NO_HEAD_VAL),
		    CONTENT_LENGTH_HDR);
		ret = WEB_GET_FAIL;
		goto cleanup;
	}

	free(head_val);
	head_val = NULL;

	if ((head_val = http_get_header_value(ps->hps,
	    CONTENT_DISPOSITION_HDR)) != NULL) {
		/* "inline; parm=val; parm=val */
		if ((disp = strtok(head_val, "; \t\n\f\r")) != NULL) {
			/* disp = "inline" */
			while ((disp = strtok(NULL, "; \t\n\f\r")) != NULL) {
				/* disp = "parm=val" */
				if (ci_strneq(disp, "filename=", 9)) {
					bname = xstrdup(basename(disp + 9));
					trim(bname);
					dequote(bname);
				}
			}
		}
		free(head_val);
		head_val = NULL;
	}

	if (bname == NULL) {
		/*
		 * couldn't determine filename from header value,
		 * so take basename of URL
		 */
		if ((bname = get_endof_string(ps->url.abspath, '/')) == NULL) {
			/* URL is bad */
			pkgerr_add(err, PKGERR_PARSE,
			    gettext(ERR_PARSE_URL), ps->url.abspath);
			ret = WEB_GET_FAIL;
			goto cleanup;
		}
	}

	*fname = bname;

	if ((head_val = http_get_header_value(ps->hps, LAST_MODIFIED_HDR))
			!= NULL) {

		if ((lastmod_val = condense_lastmodified(head_val)) == NULL) {
			pkgerr_add(err, PKGERR_WEB, gettext(ERR_BAD_HEAD_VAL),
			    LAST_MODIFIED_HDR, head_val);
			ret = WEB_GET_FAIL;
			goto cleanup;
		}
		free(head_val);
		head_val = NULL;

		if ((ps->uniqfile = get_unique_filename(dwnld_dir,
		    lastmod_val)) == NULL) {
			pkgerr_add(err, PKGERR_WEB, gettext(ERR_OPEN_TMP));
			ret = WEB_GET_FAIL;
			goto cleanup;
		}

		free(lastmod_val);
		lastmod_val = NULL;

		if ((fd = open(ps->uniqfile,
		    O_NONBLOCK|O_RDWR|O_APPEND|O_CREAT|O_EXCL,
		    640)) == -1) {

			/*
			 * A partial downloaded file
			 * already exists, so open it.
			 */
			if ((fd = open(ps->uniqfile,
			    O_NONBLOCK|O_RDWR|O_APPEND)) != -1) {
				if (fstat(fd, &status) == -1 ||
				    !S_ISREG(status.st_mode)) {
					pkgerr_add(err, PKGERR_WEB,
					    gettext(ERR_DWNLD_NO_CONT),
					    ps->uniqfile);
					ret = WEB_GET_FAIL;
					goto cleanup;
				} else {
					echo_out(nointeract,
					    gettext(MSG_DWNLD_PART),
					    ps->uniqfile,
					    status.st_size);
					ps->data.prev_cont_length =
					    status.st_size;
				}
			} else {
				/* unable to open partial file */
				pkgerr_add(err, PKGERR_WEB,
				    gettext(ERR_DWNLD_NO_CONT),
				    ps->uniqfile);
				ret = WEB_GET_FAIL;
				goto cleanup;
			}
		}
	} else {
		/*
		 * no "Last-Modified" header, so this file is not eligible for
		 * spooling and "resuming last download" operations
		 */
		ps->spool = B_FALSE;

		/* mkstemp replaces XXXXXX with a unique string */
		if (((len = snprintf(tmp_file, PATH_MAX,
		    "%s/%sXXXXXX", dwnld_dir, "stream")) < 0) ||
		    (len >= PATH_MAX)) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(MSG_NOTEMP), dwnld_dir);
			ret = WEB_GET_FAIL;
			goto cleanup;
		}

		if ((fd = mkstemp(tmp_file)) == -1) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(MSG_NOTMPFIL), tmp_file);
			ret = WEB_GET_FAIL;
			goto cleanup;
		}

		if (fstat(fd, &status) == -1 ||
		    !S_ISREG(status.st_mode)) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_DWNLD_NO_CONT),
			    ps->uniqfile);
			ret = WEB_GET_FAIL;
			goto cleanup;
		}

		ps->data.prev_cont_length = 0;
		ps->uniqfile = xstrdup(tmp_file);
	}

	/* File has already been completely downloaded */
	if (ps->data.prev_cont_length == ps->data.content_length) {
		echo_out(nointeract, gettext(MSG_DWNLD_PREV), ps->uniqfile);
		ps->data.cur_pos = ps->data.prev_cont_length;
		if (!make_link(dwnld_dir, bname)) {
			pkgerr_add(err, PKGERR_WEB, gettext(MSG_NOTEMP),
			    dwnld_dir);
			ret = WEB_GET_FAIL;
			goto cleanup;
		}
		/* we're done, so cleanup and return success */
		goto cleanup;
	} else if (ps->data.prev_cont_length != 0) {
		ps->data.cur_pos = ps->data.prev_cont_length;
	}

	if (!ck_dwnld_dir_space(err, dwnld_dir,
	    (ps->data.prev_cont_length != 0) ?
	    (ps->data.content_length - ps->data.cur_pos) :
	    ps->data.content_length)) {
		ret = WEB_GET_FAIL;
		goto cleanup;
	}

	if ((req_ret = web_send_request(err, HTTP_REQ_TYPE_GET,
	    ps->data.cur_pos, ps->data.content_length)) != WEB_OK) {
		ret = req_ret;
		goto cleanup;
	}

	if (ps->data.prev_cont_length != 0)
		echo_out(nointeract, gettext(MSG_DWNLD_CONT));
	else
		echo_out(nointeract, gettext(MSG_DWNLD));

	progress_setup(nointeract, ps->data.content_length);

	/* Download the file a BLOCK at a time */
	while (ps->data.cur_pos < ps->data.content_length) {
		progress_report(nointeract, abs_pos);
		i = ((ps->data.content_length - ps->data.cur_pos) < BLOCK) ?
		    (ps->data.content_length - ps->data.cur_pos)
				: BLOCK;
		if ((n = http_read_body(ps->hps, ps->content, i)) <= 0) {
			while ((errcode = http_get_lasterr(ps->hps,
			    &errsrc)) != 0) {
				/* Have an error - is it EINTR? */
				if (errsrc == ERRSRC_SYSTEM) {
					my_errno = errcode;
					break;
				} else {
					/*
					 * save first non-system
					 * error message
					 */
					libhttperr =
					    http_errorstr(errsrc, errcode);
				}
			}
			switch (my_errno) {
			case EINTR:
			case ETIMEDOUT:
				/* Timed out.  Try, try again */
				ret = WEB_TIMEOUT;
				break;
			case ECONNREFUSED:
				ret = WEB_CONNREFUSED;
				break;
			case EHOSTDOWN:
				ret = WEB_HOSTDOWN;
				break;
			default:
				/* some other fatal error */
				ret = WEB_NOCONNECT;
				if (libhttperr == NULL) {
					pkgerr_add(err, PKGERR_WEB,
					    gettext(ERR_INIT_CONN),
					    ps->url.hport.hostname);
				} else {
					pkgerr_add(err, PKGERR_WEB,
					    gettext(ERR_HTTP), libhttperr);
				}
				break;
			}
			goto cleanup;
		}
		if ((n = write(fd, ps->content, n)) == 0) {
			pkgerr_add(err, PKGERR_WEB, gettext(ERR_WRITE),
			    ps->uniqfile, strerror(errno));
			ret = WEB_GET_FAIL;
			goto cleanup;
		}
		ps->data.cur_pos += n;
		abs_pos += n;
	}

	progress_finish(nointeract);
	echo_out(nointeract, gettext(MSG_DWNLD_COMPLETE));

	if (!make_link(dwnld_dir, bname)) {
		pkgerr_add(err, PKGERR_WEB, gettext(MSG_NOTEMP),
		    dwnld_dir);
		ret = WEB_GET_FAIL;
		goto cleanup;
	}

cleanup:
	sync();
	if (fd != -1) {
		(void) close(fd);
	}

	if (head_val != NULL)
		free(head_val);

	if (lastmod_val != NULL)
		free(lastmod_val);

	return (ret);
}

/*
 * Name:		make_link
 * Description:	Create new link to file being downloaded
 *
 * Arguments:	dwnld_dir - directory in which downloaded file exists
 *		bname - name of link
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 */
static boolean_t
make_link(char *dwnld_dir, char *bname)
{
	int len;

	if ((ps->link = (char *)xmalloc(PATH_MAX)) == NULL)
		return (B_FALSE);
	if (((len = snprintf(ps->link, PATH_MAX, "%s/%s",
	    dwnld_dir, bname)) < 0) ||
	    len >= PATH_MAX)
		return (B_FALSE);

	(void) link(ps->uniqfile, ps->link);

	return (B_TRUE);
}

/*
 * Name:		get_startof_string
 * Description:	searches string for token, returns a newly-allocated
 *		substring of the given string up to, but not
 *		including, token.  for example
 *		get_startof_string("abcd", 'c') will return "ab"
 *
 * Arguments:	path - path to split
 *     		token - character to split on
 *
 * Returns :	substring of 'path', up to, but not including,
 *		token, if token appears in path.  Otherwise,
 *		returns NULL.
 */
char *
get_startof_string(char *path, char token)
{
	char *p, *p2;

	if (path == NULL)
		return (NULL);

	p = xstrdup(path);

	p2 = strchr(p, token);
	if (p2 == NULL) {
		free(p);
		return (NULL);
	} else {
		*p2 = '\0';
		return (p);
	}
}

/*
 * Name:		get_endof_string
 * Description:	searches string for token, returns a
 *		newly-allocated substring of the given string,
 *		starting at character following token, to end of
 *		string.
 *
 *		for example get_end_string("abcd", 'c')
 *		will return "d"
 *
 * Arguments:	path - path to split
 *     		token - character to split on
 *
 * Returns :	substring of 'path', beginning at character
 *		following token, to end of string, if
 *		token appears in path.  Otherwise,
 * returns NULL.
 */
char *
get_endof_string(char *path, char token)
{
	char *p, *p2;

	if (path == NULL)
		return (NULL);

	p = xstrdup(path);

	if ((p2 = strrchr(p, token)) == NULL) {
		return (NULL);
	}

	return (p2 + 1);
}

/*
 * Name:		progress_setup
 * Description:	Initialize session for reporting progress
 *
 * Arguments:	nointeract - if non-zero, do not do anything
 *		ulong_t - size of job to report progress for
 *
 * Returns :	none
 */
static void
progress_setup(int nointeract, ulong_t size_of_load)
{
	ulong_t divisor;
	ulong_t term_width = TERM_WIDTH;

	if (nointeract)
		return;

	if (size_of_load > MED_DWNLD && size_of_load < LARGE_DWNLD)
		divisor = MED_DIVISOR;
	else if (size_of_load > LARGE_DWNLD) {
		term_width = TERM_WIDTH - 8;
		divisor = LARGE_DIVISOR;
	} else
		divisor = SMALL_DIVISOR;

	const_increment = size_of_load / term_width;
	const_divider = size_of_load / divisor;
	const_completed = 100 / divisor;
}

/*
 * Name:		progress_report
 * Description:	Report progress for current progress context,
 *		to stderr
 *
 * Arguments:	nointeract - if non-zero, do not do anything
 *		position - how far along in the job to report.
 *		This should be <= size used during progress_setup
 *
 * Returns :	none
 */
static void
progress_report(int nointeract, ulong_t position)
{
	static ulong_t increment;
	static ulong_t divider;

	if (nointeract)
		return;

	if (position == 0) {
		increment = const_increment;
		divider = const_divider;
	}
	if (position > increment && position < divider) {
		(void) putc('.', stderr);
		increment += const_increment;
	} else if (position > divider) {
		completed += const_completed;
		(void) fprintf(stderr, "%ld%c", completed, '%');
		increment += const_increment;
		divider += const_divider;
	}
}

/*
 * Name:		progress_finish
 * Description:	Finalize session for reporting progress.
 *		"100%" is reported to screen
 *
 * Arguments:	nointeract - if non-zero, do not do anything
 *
 * Returns :	none
 */
static void
progress_finish(int nointeract)
{
	if (nointeract)
		return;

	(void) fprintf(stderr, "%d%c\n", 100, '%');
}

/*
 * Name:		init_session
 * Description:	Initializes static 'ps' structure with default
 *		values
 *
 * Arguments:	none
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 */
static boolean_t
init_session(void)
{
	if ((ps = (WEB_SESSION *)
		xmalloc(sizeof (WEB_SESSION))) == NULL) {
		return (B_FALSE);
	}
	(void) memset(ps, 0, sizeof (*ps));

	if ((ps->content = (char *)xmalloc(BLOCK)) == NULL) {
		return (B_FALSE);
	}

	(void) memset(ps->content, 0, BLOCK);

	ps->data.cur_pos = 0UL;
	ps->data.content_length = 0UL;
	ps->url.https = B_FALSE;
	ps->uniqfile = NULL;
	ps->link = NULL;
	ps->dwnld_dir = NULL;
	ps->spool = B_TRUE;
	ps->errstr = NULL;
	ps->keystore = NULL;

	return (B_TRUE);
}

/*
 * Name:		ck_downld_dir_space
 * Description:	Verify enough space exists in directory to hold file
 *
 * Arguments:	err - where to record any errors.
 *     		dwnld_dir - Directory to check available space in
 *		bytes_needed - How many bytes are need
 *
 * Returns :	B_TRUE - enough space exists in dwnld_dir to hold
 *		bytes_needed bytes, otherwise B_FALSE
 */
static boolean_t
ck_dwnld_dir_space(PKG_ERR *err, char *dwnld_dir, ulong_t bytes_needed)
{
	u_longlong_t bytes_avail;
	u_longlong_t block_pad;
	struct statvfs64 status;

	if (statvfs64(dwnld_dir, &status)) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_TMPDIR), dwnld_dir);
		return (B_FALSE);
	}

	block_pad = (status.f_frsize ? status.f_frsize : status.f_bsize);
	bytes_avail = status.f_bavail * block_pad;

	if ((((u_longlong_t)bytes_needed) + block_pad) > bytes_avail) {
		pkgerr_add(err, PKGERR_WEB, gettext(ERR_DISK_SPACE),
		    dwnld_dir,
		    (((u_longlong_t)bytes_needed) + block_pad) / 1024ULL,
		    bytes_avail / 1024ULL);
		return (B_FALSE);
	}

	return (B_TRUE);
}

/*
 * Description:
 *    This function returns a unique file name based on the parts of the
 *    URI. This is done to enable partially downloaded files to be resumed.
 * Arguments:
 *    dir - The directory that should contain the filename.
 *    last_modified - A string representing the date of last modification,
 *	used as part of generating unique name
 * Returns:
 *    A valid filename or NULL.
 */

static char *
get_unique_filename(char *dir, char *last_modified)
{
	char *buf, *buf2, *beg_str;
	int len;

	if ((buf = (char *)xmalloc(PATH_MAX)) == NULL) {
		return (NULL);
	}
	if ((buf2 = (char *)xmalloc(PATH_MAX)) == NULL) {
		return (NULL);
	}

	/* prepare strings for being cat'ed onto */
	buf[0] = buf2[0] = '\0';
	/*
	 * No validation of the path is done here. We just construct the path
	 * and it must be validated later
	 */

	if (dir) {
		if (((len = snprintf(buf2, PATH_MAX, "%s/", dir)) < 0) ||
		    (len >= PATH_MAX))
			return (NULL);
	} else {
		return (NULL);
	}

	if (ps->url.abspath)
		if (strlcat(buf, ps->url.abspath, PATH_MAX) >= PATH_MAX)
			return (NULL);
	if (ps->url.hport.hostname)
		if (isdigit((int)ps->url.hport.hostname[0])) {
			if (strlcat(buf, ps->url.hport.hostname, PATH_MAX)
					>= PATH_MAX)
				return (NULL);
		} else {
			if ((beg_str =
				get_startof_string(ps->url.hport.hostname, '.'))
					!= NULL)
				if (strlcat(buf, beg_str, PATH_MAX) >= PATH_MAX)
					return (NULL);
		}
	if (last_modified != NULL)
		if (strlcat(buf, last_modified, PATH_MAX) >= PATH_MAX)
			return (NULL);

	if ((buf = replace_token(buf, '/', '_')) != NULL) {
		if (strlcat(buf2, buf, PATH_MAX) >= PATH_MAX) {
			return (NULL);
		} else {
			if (buf) free(buf);
			return (buf2);
		}
	} else {
		if (buf) free(buf);
		if (buf2) free(buf2);
		return (NULL);
	}
}

/*
 * Description:
 *    Removes token(s) consisting of one character from any path.
 * Arguments:
 *    path  - The path to search for the token in.
 *    token - The token to search for
 * Returns:
 *    The path with all tokens removed or NULL.
 */
static char *
replace_token(char *path, char oldtoken, char newtoken)
{
	char *newpath, *p;

	if ((path == NULL) || (oldtoken == '\0') || (newtoken == '\0')) {
		return (NULL);
	}

	newpath = xstrdup(path);

	for (p = newpath; *p != '\0'; p++) {
		if (*p == oldtoken) {
			*p = newtoken;
		}
	}

	return (newpath);
}

/*
 * Name:        trim
 * Description: Trims whitespace from a string
 *              has been registered)
 * Scope:       private
 * Arguments:   string  - string to trim.  It is assumed
 *              this string is writable up to it's entire
 *              length.
 * Returns:     none
 */
static void
trim(char *str)
{
	int len, i;
	if (str == NULL) {
		return;
	}

	len = strlen(str);
	/* strip from front */
	while (isspace(*str)) {
		for (i = 0; i < len; i++) {
			str[i] = str[i+1];
		}
	}

	/* strip from back */
	len = strlen(str);
	while (isspace(str[len-1])) {
		len--;
	}
	str[len] = '\0';
}

/*
 * Description:
 *    Resolves double quotes
 * Arguments:
 *    str  - The string to resolve
 * Returns:
 *    None
 */
static void
dequote(char *str)
{
	char *cp;

	if ((str == NULL) || (str[0] != '"')) {
		/* no quotes */
		return;
	}

	/* remove first quote */
	(void) memmove(str, str + 1, strlen(str) - 1);

	/*
	 * scan string looking for ending quote.
	 * escaped quotes like \" don't count
	 */
	cp = str;

	while (*cp != '\0') {
		switch (*cp) {
		case '\\':
			/* found an escaped character */
			/* make sure end of string is not '\' */
			if (*++cp != '\0') {
				cp++;
			}
			break;

		case '"':
			*cp = '\0';
			break;
		default:
			cp++;
		}
	}
}

/*
 * Name:		get_ENV_proxy
 * Description:	Retrieves setting of proxy env variable
 *
 * Arguments:	err - where to record any errors.
 *		proxy - where to store proxy
 *
 * Returns :	B_TRUE - http proxy was found and valid, stored in proxy
 *		B_FALSE - error, errors recorded in err
 */
static boolean_t
get_ENV_proxy(PKG_ERR *err, char **proxy)
{
	char *buf;

	if ((buf = getenv("HTTPPROXY")) != NULL) {
		if (!path_valid(buf)) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_ILL_ENV), "HTTPPROXY", buf);
			return (B_FALSE);
		} else {
			*proxy = buf;
			return (B_TRUE);
		}
	} else {
		/* try the other env variable */
		if ((buf = getenv("http_proxy")) != NULL) {
			if (!path_valid(buf)) {
				pkgerr_add(err, PKGERR_WEB,
				    gettext(ERR_ILL_ENV), "http_proxy", buf);
				return (B_FALSE);
			}
			if (!strneq(buf, "http://", 7)) {
				pkgerr_add(err, PKGERR_WEB,
				    gettext(ERR_ILL_ENV), "http_proxy", buf);
				return (B_FALSE);
			}

			/* skip over the http:// part of the proxy "url" */
			    *proxy = buf + 7;
			    return (B_TRUE);
		}
	}

	/* either the env variable(s) were set and valid, or not set */
	return (B_TRUE);
}

/*
 * Name:		get_ENV_proxyport
 * Description:	Retrieves setting of PROXYPORT env variable
 *
 * Arguments:	err - where to record any errors.
 *		port - where to store resulting port
 *
 * Returns :	B_TRUE - string found in PROXYPORT variable, converted
 *		to decimal integer, if it exists
 *		and is valid.  Or, PROXYPORT not set, port set to 1.
 *		B_FALSE - env variable set, but invalid
 *			(not a number for example)
 */
static boolean_t
get_ENV_proxyport(PKG_ERR *err, ushort_t *port)
{
	char *buf;
	ushort_t	newport;
	buf = getenv("HTTPPROXYPORT");
	if (buf != NULL) {
		if (!path_valid(buf)) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_ILL_ENV), "HTTPPROXYPORT", buf);
			return (B_FALSE);
		}
		if ((newport = atoi(buf)) == 0) {
			pkgerr_add(err, PKGERR_WEB,
			    gettext(ERR_ILL_ENV), "HTTPPROXYPORT", buf);
			return (B_FALSE);
		}
		*port = newport;
		return (B_TRUE);
	} else {
		*port = 1;
		return (B_TRUE);
	}
}

/*
 * Name:		remove_dwnld_file
 * Description:	Removes newly-downloaded file if completely downloaded.
 *
 * Arguments:	path - path to file to remove
 *
 * Returns :	B_TRUE - success, B_FALSE otherwise
 *		if it's '0' (not OK) we simply return it, since the
 *		verification operation has already determined that the
 *		cert is invalid.  if 'ok' is non-zero, then we do our
 *		checks, and return 0 or 1 based on if the cert is
 *		invalid or valid.
 */
static boolean_t
remove_dwnld_file(char *path)
{
	if (path && path != NULL) {
		/*
		 * Only remove the downloaded file if it has been completely
		 * downloaded, or is not eligible for spooling
		 */
		if ((!ps->spool) ||
		    (ps->data.cur_pos  >= ps->data.content_length)) {
			(void) unlink(path);
		}
	} else {
		return (B_FALSE);
	}
	return (B_TRUE);
}

/*
 * Name:		condense_lastmodifided
 * Description:	generates a substring of a last-modified string,
 *		and removes colons.
 *
 * Arguments:	last_modified - string of the form
 *		"Wed, 23 Oct 2002 21:59:45 GMT"
 *
 * Returns :
 *		new string, consisting of hours/minutes/seconds only,
 *		sans any colons.
 */
char *
condense_lastmodified(char *last_modified)
{
	char *p, *p2;

	/*
	 * Last-Modified: Wed, 23 Oct 2002 21:59:45 GMT
	 * Strip the hours, minutes and seconds, without the ':'s, from
	 * the above string, void of the ':".
	 */

	if (last_modified == NULL)
		return (NULL);

	if ((p = xstrdup(last_modified)) == NULL)
		return (NULL);
	p2 = (strstr(p, ":") - 2);
	p2[8] = '\0';
	return (replace_token(p2, ':', '_'));
}

/*
 * Name:		backoff
 * Description:	sleeps for a certain # of seconds after a network
 *		failure.
 * Scope:	public
 * Arguments:	none
 * Returns:	none
 */
void
backoff()
{
	static boolean_t initted = B_FALSE;
	int backoff;
	long seed;

	if (!initted) {
		/* seed the rng */
		(void) _get_random_info(&seed, sizeof (seed));
		srand48(seed);
		initted = B_TRUE;
	}

	backoff = (int)(drand48() * (double)cur_backoff);
	(void) sleep(backoff);
	if (cur_backoff < MAX_BACKOFF) {
		/*
		 * increase maximum time we might wait
		 * next time so as to fall off over
		 * time.
		 */
		cur_backoff *= BACKOFF_FACTOR;
	}
}

/*
 * Name:		reset_backoff
 * Description:	notifies the backoff service that whatever was
 *		being backoff succeeded.
 * Scope:	public
 * Arguments:	none
 * Returns:	none
 */
void
reset_backoff()
{
	cur_backoff = MIN_BACKOFF;
}

/*
 * Name:	_get_random_info
 * Description:	generate an amount of random bits.  Currently
 *		only a small amount (a long long) can be
 *		generated at one time.
 * Scope:	private
 * Arguments:	buf	- [RO, *RW] (char *)
 *			  Buffer to copy bits into
 *		size	- amount to copy
 * Returns:	B_TRUE on success, B_FALSE otherwise.  The buffer is filled
 *		with the amount of bytes of random data specified.
 */
static boolean_t
_get_random_info(void *buf, int size)
{
	struct timeval tv;
	typedef struct {
		long low_time;
		long hostid;
	} randomness;
	randomness r;

	/* if the RANDOM file exists, use it */
	if (access(RANDOM, R_OK) == 0) {
		if ((RAND_load_file(RANDOM, 1024 * 1024)) > 0) {
			if (RAND_bytes((uchar_t *)buf, size) == 1) {
				/* success */
				return (B_TRUE);
			}
		}
	}

	/* couldn't use RANDOM file, so fallback to time of day and hostid */
	(void) gettimeofday(&tv, (struct timezone *)0);

	/* Wouldn't it be nice if we could hash these */
	r.low_time = tv.tv_usec;
	r.hostid = gethostid();

	if (sizeof (r) < size) {
		/*
		 * Can't copy correctly
		 */
		return (B_FALSE);
	}
	(void) memcpy(buf, &r, size);
	return (B_TRUE);
}

/*
 * Name:		pkg_passphrase_cb
 * Description:	Default callback that applications can use when
 *		a passphrase is needed.  This routine collects
 *		a passphrase from the user using the given
 *		passphrase retrieval method set with
 *		set_passphrase_passarg().  If the method
 *		indicates an interactive prompt, then the
 *		prompt set with set_passphrase_prompt()
 *		is displayed.
 *
 * Arguments:	buf	- Buffer to copy passphrase into
 *		size	- Max amount to copy to buf
 *		rw	- Whether this passphrase is needed
 *			to read something off disk, or
 *			write something to disk.  Applications
 *			typically want to ask twice when getting
 *			a passphrase for writing something.
 *		data	- application-specific data.  In this
 *			callback, data is a pointer to
 *			a keystore_passphrase_data structure.
 *
 * Returns:	Length of passphrase collected, or -1 on error.
 *		Errors recorded in 'err' object in the *data.
 */
int
pkg_passphrase_cb(char *buf, int size, int rw, void *data)
{
	BIO		*pwdbio = NULL;
	char		passphrase_copy[MAX_PHRASELEN + 1];
	PKG_ERR		*err;
	int		passlen;
	char		*ws;
	char		prompt_copy[MAX_VERIFY_MSGLEN];
	char		*passphrase;
	char		*arg;

	err = ((keystore_passphrase_data *)data)->err;

	if (passarg == NULL) {
		arg = "console";
	} else {
		arg = passarg;
	}

	/* default method of collecting password is by prompting */
	if (ci_streq(arg, "console")) {
		if ((passphrase = getpassphrase(prompt)) == NULL) {
			pkgerr_add(err, PKGERR_BADPASS,
			    gettext(MSG_NOPASS), arg);
			return (-1);
		}

		if (rw) {
			/*
			 * if the password is being supplied for
			 * writing something to disk, verify it first
			 */

			/* make a copy (getpassphrase overwrites) */
			(void) strlcpy(passphrase_copy, passphrase,
			    MAX_PHRASELEN + 1);

			if (((passlen = snprintf(prompt_copy,
					MAX_VERIFY_MSGLEN, "%s: %s",
					gettext(MSG_PASSWD_AGAIN),
					prompt)) < 0) ||
			    (passlen >= (MAX_PHRASELEN + 1))) {
				pkgerr_add(err, PKGERR_BADPASS,
				    gettext(MSG_NOPASS), arg);
				return (-1);
			}

			if ((passphrase =
			    getpassphrase(prompt_copy)) == NULL) {
				pkgerr_add(err, PKGERR_BADPASS,
				    gettext(MSG_NOPASS), arg);
				return (-1);
			}

			if (!streq(passphrase_copy, passphrase)) {
				pkgerr_add(err, PKGERR_READ,
				    gettext(MSG_PASSWD_NOMATCH));
				return (-1);
			}
		}
	} else if (ci_strneq(arg, "pass:", 5)) {
		passphrase = arg + 5;
	} else if (ci_strneq(arg, "env:", 4)) {
		passphrase = getenv(arg + 4);
	} else if (ci_strneq(arg, "file:", 5)) {

		/* open file for reading */
		if ((pwdbio = BIO_new_file(arg + 5, "r")) == NULL) {
			pkgerr_add(err, PKGERR_EXIST,
			    gettext(MSG_PASSWD_FILE), arg + 5);
			return (-1);
		}

		/* read first line */
		if (((passlen = BIO_gets(pwdbio, buf, size)) < 1) ||
		    (passlen > size)) {
			pkgerr_add(err, PKGERR_READ, gettext(MSG_PASSWD_FILE),
			    arg + 5);
			return (-1);
		}
		BIO_free_all(pwdbio);
		pwdbio = NULL;

		if (passlen == size) {
			/*
			 * password was maximum length, so there is
			 * no null terminator. null-terminate it
			 */
			buf[size - 1] = '\0';
		}

		/* first newline found is end of passwd, so nuke it */
		if ((ws = strchr(buf, '\n')) != NULL) {
			*ws = '\0';
		}
		return (strlen(buf));
	} else {
		/* unrecognized passphrase */
		pkgerr_add(err, PKGERR_BADPASS,
		    gettext(MSG_BADPASSARG), arg);
		return (-1);
	}

	if (passphrase == NULL) {
		/* unable to collect passwd from given source */
		pkgerr_add(err, PKGERR_BADPASS,
		    gettext(MSG_NOPASS), arg);
		return (-1);
	}

	(void) strlcpy(buf, passphrase, size);
	return (strlen(buf));
}