+2005-04-26 Hrvoje Niksic <hniksic@xemacs.org>
+
+ * gen_sslfunc.c (ssl_init): Use default locations for loading the
+ certificate bundles.
+ (ssl_init_prng): Disable the cryptographically weak PRNG
+ initialization fallback.
+
+ * init.c: Renamed SSL command-line arguments and wgetrc commands.
+ (defaults): Check the server certificate by default.
+
2005-04-26 Hrvoje Niksic <hniksic@xemacs.org>
* cookies.c (cookie_handle_set_cookie): Delete the part of the
-/* SSL support.
- Copyright (C) 2000 Free Software Foundation, Inc.
- Contributed by Christian Fraenkel.
+/* SSL support via OpenSSL library.
+ Copyright (C) 2000-2005 Free Software Foundation, Inc.
+ Originally contributed by Christian Fraenkel.
This file is part of GNU Wget.
#if SSLEAY_VERSION_NUMBER >= 0x00905100
char rand_file[256];
- int maxrand = 500;
/* First, seed from a file specified by the user. This will be
$RANDFILE, if set, or ~/.rnd. */
if (RAND_status ())
return;
- /* Get random data from EGD if opt.sslegdsock was set. */
- if (opt.sslegdsock && *opt.sslegdsock)
- RAND_egd (opt.sslegdsock);
+ /* Get random data from EGD if opt.egd_file was set. */
+ if (opt.egd_file && *opt.egd_file)
+ RAND_egd (opt.egd_file);
if (RAND_status ())
return;
return;
#endif
- /* Still not enough randomness, most likely because neither
- /dev/random nor EGD were available. Resort to a simple and
- stupid method -- seed OpenSSL's PRNG with libc PRNG. This is
- cryptographically weak, but people who care about strong
- cryptography should install /dev/random (default on Linux) or
- specify their own source of randomness anyway. */
+#if 0 /* don't do this by default */
+ {
+ int maxrand = 500;
- logprintf (LOG_VERBOSE, _("Warning: using a weak random seed.\n"));
+ /* Still not random enough, presumably because neither /dev/random
+ nor EGD were available. Try to seed OpenSSL's PRNG with libc
+ PRNG. This is cryptographically weak and defeats the purpose
+ of using OpenSSL, which is why it is highly discouraged. */
+
+ logprintf (LOG_VERBOSE, _("WARNING: using a weak random seed.\n"));
+
+ while (RAND_status () == 0 && maxrand-- > 0)
+ {
+ unsigned char rnd = random_number (256);
+ RAND_seed (&rnd, sizeof (rnd));
+ }
+ }
+#endif
- while (RAND_status () == 0 && maxrand-- > 0)
- {
- unsigned char rnd = random_number (256);
- RAND_seed (&rnd, sizeof (rnd));
- }
#endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */
}
verify_callback (int ok, X509_STORE_CTX *ctx)
{
char *s, buf[256];
- s = X509_NAME_oneline (X509_get_subject_name (ctx->current_cert), buf, 256);
- if (ok == 0) {
- switch (ctx->error) {
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_CERT_HAS_EXPIRED:
- /* This mean the CERT is not valid !!! */
- ok = 0;
- break;
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- /* Unsure if we should handle that this way */
- ok = 1;
- break;
+ s = X509_NAME_oneline (X509_get_subject_name (ctx->current_cert),
+ buf, sizeof (buf));
+ if (ok == 0)
+ {
+ switch (ctx->error)
+ {
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ /* This mean the CERT is not valid !!! */
+ ok = 0;
+ break;
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ /* Unsure if we should handle that this way */
+ ok = 1;
+ break;
+ }
}
- }
return ok;
}
ssl_init ()
{
SSL_METHOD *meth = NULL;
- int verify;
- int can_validate;
if (ssl_ctx)
return 0;
SSL_load_error_strings ();
SSLeay_add_all_algorithms ();
SSLeay_add_ssl_algorithms ();
- switch (opt.sslprotocol)
+ switch (opt.secure_protocol)
{
- default:
- meth = SSLv23_client_method ();
- break;
- case 1 :
- meth = SSLv2_client_method ();
- break;
- case 2 :
- meth = SSLv3_client_method ();
- break;
- case 3 :
- meth = TLSv1_client_method ();
- break;
+ case secure_protocol_auto:
+ meth = SSLv23_client_method ();
+ break;
+ case secure_protocol_sslv2:
+ meth = SSLv2_client_method ();
+ break;
+ case secure_protocol_sslv3:
+ meth = SSLv3_client_method ();
+ break;
+ case secure_protocol_tlsv1:
+ meth = TLSv1_client_method ();
+ break;
}
if (meth == NULL)
{
ssl_print_errors ();
return SSLERRCTXCREATE;
}
- /* Can we validate the server Cert ? */
- if (opt.sslcadir != NULL || opt.sslcafile != NULL)
- {
- SSL_CTX_load_verify_locations (ssl_ctx, opt.sslcafile, opt.sslcadir);
- can_validate = 1;
- }
- else
- {
- can_validate = 0;
- }
- if (!opt.sslcheckcert)
- {
- /* check cert but ignore error, do not break handshake on error */
- verify = SSL_VERIFY_NONE;
- }
- else
+ SSL_CTX_set_default_verify_paths (ssl_ctx);
+ SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
+ SSL_CTX_set_verify (ssl_ctx,
+ opt.check_cert ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
+ verify_callback);
+
+ if (opt.cert_file != NULL || opt.cert_key != NULL)
{
- if (!can_validate)
- {
- logputs (LOG_NOTQUIET,
- _("Warning: validation of server certificate not possible!\n"));
- verify = SSL_VERIFY_NONE;
- }
- else
+ int ssl_cert_type;
+ switch (opt.cert_type)
{
- /* break handshake if server cert is not valid but allow
- NO-Cert mode */
- verify = SSL_VERIFY_PEER;
+ case cert_type_pem:
+ ssl_cert_type = SSL_FILETYPE_PEM;
+ break;
+ case cert_type_asn1:
+ ssl_cert_type = SSL_FILETYPE_ASN1;
+ break;
}
- }
- SSL_CTX_set_verify (ssl_ctx, verify, verify_callback);
+#if 0 /* what was this supposed to achieve? */
+ if (opt.cert_key == NULL)
+ opt.cert_key = opt.cert_file;
+ if (opt.cert_file == NULL)
+ opt.cert_file = opt.cert_key;
+#endif
- if (opt.sslcertfile != NULL || opt.sslcertkey != NULL)
- {
- int ssl_cert_type;
- if (!opt.sslcerttype)
- ssl_cert_type = SSL_FILETYPE_PEM;
- else
- ssl_cert_type = SSL_FILETYPE_ASN1;
-
- if (opt.sslcertkey == NULL)
- opt.sslcertkey = opt.sslcertfile;
- if (opt.sslcertfile == NULL)
- opt.sslcertfile = opt.sslcertkey;
-
- if (SSL_CTX_use_certificate_file (ssl_ctx, opt.sslcertfile,
- ssl_cert_type) <= 0)
+ if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file,
+ ssl_cert_type) != 1)
{
ssl_print_errors ();
return SSLERRCERTFILE;
}
- if (SSL_CTX_use_PrivateKey_file (ssl_ctx, opt.sslcertkey,
- ssl_cert_type) <= 0)
+ if (SSL_CTX_use_PrivateKey_file (ssl_ctx, opt.cert_key,
+ ssl_cert_type) != 1)
{
ssl_print_errors ();
return SSLERRCERTKEY;
/* try without certfile */
logprintf (LOG_NOTQUIET,
_("Failed to load certificates from %s\n"),
- opt.sslcertfile);
+ opt.cert_file);
logprintf (LOG_NOTQUIET,
_("Trying without the specified certificate\n"));
break;
case SSLERRCERTKEY:
logprintf (LOG_NOTQUIET,
_("Failed to get certificate key from %s\n"),
- opt.sslcertkey);
+ opt.cert_key);
logprintf (LOG_NOTQUIET,
_("Trying without the specified certificate\n"));
break;
CMD_DECLARE (cmd_time);
CMD_DECLARE (cmd_vector);
+#ifdef HAVE_SSL
+CMD_DECLARE (cmd_spec_cert_type);
+#endif
CMD_DECLARE (cmd_spec_dirstruct);
CMD_DECLARE (cmd_spec_header);
CMD_DECLARE (cmd_spec_htmlify);
CMD_DECLARE (cmd_spec_progress);
CMD_DECLARE (cmd_spec_recursive);
CMD_DECLARE (cmd_spec_restrict_file_names);
+#ifdef HAVE_SSL
+CMD_DECLARE (cmd_spec_secure_protocol);
+#endif
CMD_DECLARE (cmd_spec_timeout);
CMD_DECLARE (cmd_spec_useragent);
{ "backups", &opt.backups, cmd_number },
{ "base", &opt.base_href, cmd_string },
{ "bindaddress", &opt.bind_address, cmd_string },
+#ifdef HAVE_SSL
+ { "cacertificate", &opt.ca_cert, cmd_file },
+#endif
{ "cache", &opt.allow_cache, cmd_boolean },
+#ifdef HAVE_SSL
+ { "cadirectory", &opt.ca_directory, cmd_directory },
+ { "certificate", &opt.cert_file, cmd_file },
+ { "certificatekey", &opt.cert_key, cmd_file },
+ { "certificatetype", &opt.cert_type, cmd_spec_cert_type },
+ { "checkcertificate", &opt.check_cert, cmd_boolean },
+#endif
{ "connecttimeout", &opt.connect_timeout, cmd_time },
{ "continue", &opt.always_rest, cmd_boolean },
{ "convertlinks", &opt.convert_links, cmd_boolean },
{ "dotspacing", &opt.dot_spacing, cmd_number },
{ "dotstyle", &opt.dot_style, cmd_string },
#ifdef HAVE_SSL
- { "egdfile", &opt.sslegdsock, cmd_file },
+ { "egdfile", &opt.egd_file, cmd_file },
#endif
{ "excludedirectories", &opt.excludes, cmd_directory_vector },
{ "excludedomains", &opt.exclude_domains, cmd_vector },
{ "robots", &opt.use_robots, cmd_boolean },
{ "savecookies", &opt.cookies_output, cmd_file },
{ "saveheaders", &opt.save_headers, cmd_boolean },
+#ifdef HAVE_SSL
+ { "secureprotocol", &opt.secure_protocol, cmd_spec_secure_protocol },
+#endif
{ "serverresponse", &opt.server_response, cmd_boolean },
{ "spanhosts", &opt.spanhost, cmd_boolean },
{ "spider", &opt.spider, cmd_boolean },
-#ifdef HAVE_SSL
- { "sslcadir", &opt.sslcadir, cmd_directory },
- { "sslcafile", &opt.sslcafile, cmd_file },
- { "sslcertfile", &opt.sslcertfile, cmd_file },
- { "sslcertkey", &opt.sslcertkey, cmd_file },
- { "sslcerttype", &opt.sslcerttype, cmd_number },
- { "sslcheckcert", &opt.sslcheckcert, cmd_number },
- { "sslprotocol", &opt.sslprotocol, cmd_number },
-#endif /* HAVE_SSL */
{ "strictcomments", &opt.strict_comments, cmd_boolean },
{ "timeout", NULL, cmd_spec_timeout },
{ "timestamping", &opt.timestamping, cmd_boolean },
opt.dns_cache = 1;
opt.ftp_pasv = 1;
+#ifdef HAVE_SSL
+ opt.check_cert = 1;
+#endif
+
/* The default for file name restriction defaults to the OS type. */
#if !defined(WINDOWS) && !defined(__CYGWIN__)
opt.restrict_files_os = restrict_unix;
options specially. */
static int check_user_specified_header PARAMS ((const char *));
+/* Forward decl */
+struct decode_item {
+ const char *name;
+ int code;
+};
+static int decode_string PARAMS ((const char *, const struct decode_item *,
+ int, int *));
+
+#ifdef HAVE_SSL
+static int
+cmd_spec_cert_type (const char *com, const char *val, void *closure)
+{
+ static const struct decode_item choices[] = {
+ { "pem", cert_type_pem },
+ { "asn1", cert_type_asn1 },
+ };
+ int ok = decode_string (val, choices, countof (choices), closure);
+ if (!ok)
+ fprintf (stderr, _("%s: %s: Invalid value `%s'.\n"), exec_name, com, val);
+ return ok;
+}
+#endif
static int
cmd_spec_dirstruct (const char *com, const char *val, void *closure)
static int
cmd_spec_prefer_family (const char *com, const char *val, void *closure)
{
- if (0 == strcasecmp (val, "ipv4"))
- {
- opt.prefer_family = prefer_ipv4;
- return 1;
- }
- else if (0 == strcasecmp (val, "ipv6"))
- {
- opt.prefer_family = prefer_ipv6;
- return 1;
- }
- else if (0 == strcasecmp (val, "none"))
- {
- opt.prefer_family = prefer_none;
- return 1;
- }
- fprintf (stderr, _("%s: %s: Invalid preferred family `%s'.\n"),
- exec_name, com, val);
- return 0;
+ static const struct decode_item choices[] = {
+ { "IPv4", prefer_ipv4 },
+ { "IPv6", prefer_ipv6 },
+ { "none", prefer_none },
+ };
+ int ok = decode_string (val, choices, countof (choices),
+ (int *) &opt.prefer_family);
+ if (!ok)
+ fprintf (stderr, _("%s: %s: Invalid value `%s'.\n"), exec_name, com, val);
+ return ok;
}
/* Set progress.type to VAL, but verify that it's a valid progress
return 1;
}
+#ifdef HAVE_SSL
+static int
+cmd_spec_secure_protocol (const char *com, const char *val, void *closure)
+{
+ static const struct decode_item choices[] = {
+ { "auto", secure_protocol_auto },
+ { "sslv2", secure_protocol_sslv2 },
+ { "sslv3", secure_protocol_sslv3 },
+ { "tlsv1", secure_protocol_tlsv1 },
+ };
+ int ok = decode_string (val, choices, countof (choices), closure);
+ if (!ok)
+ fprintf (stderr, _("%s: %s: Invalid value `%s'.\n"), exec_name, com, val);
+ return ok;
+}
+#endif
+
/* Set all three timeout values. */
static int
return 1;
}
+/* Verify that the user-specified header in S is valid. It must
+ contain a colon preceded by non-white-space characters and must not
+ contain newlines. */
+
static int
check_user_specified_header (const char *s)
{
return 0;
return 1;
}
+
+/* Decode VAL into a number, according to ITEMS. */
+
+static int
+decode_string (const char *val, const struct decode_item *items, int itemcount,
+ int *place)
+{
+ int i;
+ for (i = 0; i < itemcount; i++)
+ if (0 == strcasecmp (val, items[i].name))
+ {
+ *place = items[i].code;
+ return 1;
+ }
+ return 0;
+}
+
\f
void cleanup_html_url PARAMS ((void));
void http_cleanup PARAMS ((void));
{ "backups", 0, OPT_BOOLEAN, "backups", -1 },
{ "base", 'B', OPT_VALUE, "base", -1 },
{ "bind-address", 0, OPT_VALUE, "bindaddress", -1 },
+ { IF_SSL ("ca-certificate"), 0, OPT_VALUE, "cacertificate", -1 },
+ { IF_SSL ("ca-directory"), 0, OPT_VALUE, "cadirectory", -1 },
{ "cache", 0, OPT_BOOLEAN, "cache", -1 },
+ { IF_SSL ("certificate"), 0, OPT_VALUE, "certificate", -1 },
+ { IF_SSL ("certificate-key"), 0, OPT_VALUE, "certificatekey", -1 },
+ { IF_SSL ("certificate-type"), 0, OPT_VALUE, "certificatetype", -1 },
+ { IF_SSL ("check-certificate"), 0, OPT_BOOLEAN, "checkcertificate", -1 },
{ "clobber", 0, OPT__CLOBBER, NULL, optional_argument },
{ "connect-timeout", 0, OPT_VALUE, "connecttimeout", -1 },
{ "continue", 'c', OPT_BOOLEAN, "continue", -1 },
{ "progress", 0, OPT_VALUE, "progress", -1 },
{ "protocol-directories", 0, OPT_BOOLEAN, "protocoldirectories", -1 },
{ "proxy", 0, OPT_BOOLEAN, "useproxy", -1 },
- { "_proxy-compat", 'Y', OPT_VALUE, "useproxy", -1 }, /* back-compatible */
+ { "proxy__compat", 'Y', OPT_VALUE, "useproxy", -1 }, /* back-compatible */
{ "proxy-passwd", 0, OPT_VALUE, "proxypasswd", -1 },
{ "proxy-user", 0, OPT_VALUE, "proxyuser", -1 },
{ "quiet", 'q', OPT_BOOLEAN, "quiet", -1 },
{ "retry-connrefused", 0, OPT_BOOLEAN, "retryconnrefused", -1 },
{ "save-cookies", 0, OPT_VALUE, "savecookies", -1 },
{ "save-headers", 0, OPT_BOOLEAN, "saveheaders", -1 },
+ { IF_SSL ("secure-protocol"), 0, OPT_VALUE, "secureprotocol", -1 },
{ "server-response", 'S', OPT_BOOLEAN, "serverresponse", -1 },
{ "span-hosts", 'H', OPT_BOOLEAN, "spanhosts", -1 },
{ "spider", 0, OPT_BOOLEAN, "spider", -1 },
- { IF_SSL ("sslcadir"), 0, OPT_VALUE, "sslcadir", -1 },
- { IF_SSL ("sslcafile"), 0, OPT_VALUE, "sslcafile", -1 },
- { IF_SSL ("sslcertfile"), 0, OPT_VALUE, "sslcertfile", -1 },
- { IF_SSL ("sslcertkey"), 0, OPT_VALUE, "sslcertkey", -1 },
- { IF_SSL ("sslcerttype"), 0, OPT_VALUE, "sslcerttype", -1 },
- { IF_SSL ("sslcheckcert"), 0, OPT_VALUE, "sslcheckcert", -1 },
- { IF_SSL ("sslprotocol"), 0, OPT_VALUE, "sslprotocol", -1 },
{ "strict-comments", 0, OPT_BOOLEAN, "strictcomments", -1 },
{ "timeout", 'T', OPT_VALUE, "timeout", -1 },
{ "timestamping", 'N', OPT_BOOLEAN, "timestamping", -1 },
#ifdef HAVE_SSL
N_("\
-HTTPS (SSL) options:\n"),
+HTTPS (SSL/TLS) options:\n"),
N_("\
- --sslcertfile=FILE optional client certificate.\n"),
+ --secure-protocol=PR choose SSL protocol, one of auto, SSLv2, SSLv3,\n\
+ and TLSv1.\n"),
N_("\
- --sslcertkey=KEYFILE optional keyfile for this certificate.\n"),
+ --no-check-certificate don't validate the server's certificate.\n"),
N_("\
- --sslcadir=DIR dir where hash list of CA's are stored.\n"),
+ --certificate=FILE client certificate file.\n"),
N_("\
- --sslcafile=FILE file with bundle of CA's.\n"),
+ --certificate-key=FILE optional key file for this certificate.\n"),
N_("\
- --sslcerttype=0/1 Client-Cert type 0=PEM (default) / 1=ASN1 (DER).\n"),
+ --certificate-type=TYPE client certificate type, PEM or ASN1.\n"),
N_("\
- --sslcheckcert=0/1 Check the server cert against given CA.\n"),
+ --sslcadir=DIR dir where hash list of CA's are stored.\n"),
N_("\
- --sslprotocol=0-3 choose SSL protocol; 0=automatic,\n\
- 1=SSLv2 2=SSLv3 3=TLSv1.\n"),
+ --sslcafile=FILE file with bundle of CA's.\n"),
N_("\
- --egd-file=FILE file name of the EGD socket.\n"),
+ --egd-file=FILE file name of the EGD socket.\n"),
"\n",
#endif /* HAVE_SSL */
int page_requisites; /* Whether we need to download all files
necessary to display a page properly. */
char *bind_address; /* What local IP address to bind to. */
+
#ifdef HAVE_SSL
- char *sslcadir; /* CA directory (hash files) */
- char *sslcafile; /* CA File to use */
- char *sslcertfile; /* external client cert to use. */
- char *sslcertkey; /* the keyfile for this certificate
+ enum {
+ secure_protocol_auto,
+ secure_protocol_sslv2,
+ secure_protocol_sslv3,
+ secure_protocol_tlsv1
+ } secure_protocol; /* type of secure protocol to use. */
+ int check_cert; /* whether to validate the server's cert */
+ char *cert_file; /* external client certificate to use. */
+ char *cert_key; /* the keyfile for this certificate
(if not internal) included in the
certfile. */
- int sslcerttype; /* 0 = PEM / 1=ASN1 (DER) */
- int sslcheckcert; /* 0 do not check / 1 check server cert */
- char *sslegdsock; /* optional socket of the egd daemon */
- int sslprotocol; /* 0 = auto / 1 = v2 / 2 = v3 / 3 = TLSv1 */
+ enum {
+ cert_type_pem,
+ cert_type_asn1
+ } cert_type; /* type of client certificate */
+
+ char *ca_directory; /* CA directory (hash files) */
+ char *ca_cert; /* CA certificate file to use */
+
+
+ char *egd_file; /* file name of the egd daemon socket */
#endif /* HAVE_SSL */
int cookies; /* whether cookies are used. */