[svn] Commit IPv6 support by Thomas Lussnig.

[wget] / src / gen_sslfunc.c

diff --git a/src/gen_sslfunc.c b/src/gen_sslfunc.c
index be5e31e20801e2c41fe7f5b0ad3c60673aebd273..da84492d5fdb968bac917375af55dd1d52f6181c 100644 (file)
--- a/src/gen_sslfunc.c
+++ b/src/gen_sslfunc.c
@@ -24,6 +24,14 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.  */
 
 #include <assert.h>
 #include <errno.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+#ifdef HAVE_STRING_H
+# include <string.h>
+#else
+# include <strings.h>
+#endif
 
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
@@ -31,9 +39,12 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.  */
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
+#include <openssl/rand.h>
 
 #include "wget.h"
+#include "utils.h"
 #include "connect.h"
+#include "url.h"
 
 #ifndef errno
 extern int errno;
@@ -41,6 +52,66 @@ extern int errno;
 
 static int verify_callback PARAMS ((int, X509_STORE_CTX *));
 
+void
+ssl_init_prng (void)
+{
+  /* It is likely that older versions of OpenSSL will fail on
+     non-Linux machines because this code is unable to seed the PRNG
+     on older versions of the library.  */
+
+#if SSLEAY_VERSION_NUMBER >= 0x00905100
+  char rand_file[256];
+  int maxrand = 500;
+
+  /* First, seed from a file specified by the user.  This will be
+     $RANDFILE, if set, or ~/.rnd.  */
+  RAND_file_name (rand_file, sizeof (rand_file));
+  if (rand_file)
+    /* Seed at most 16k (value borrowed from curl) from random file. */
+    RAND_load_file (rand_file, 16384);
+
+  if (RAND_status ())
+    return;
+
+  /* Get random data from EGD if opt.sslegdsock was set.  */
+  if (opt.sslegdsock && *opt.sslegdsock)
+    RAND_egd (opt.sslegdsock);
+
+  if (RAND_status ())
+    return;
+
+#ifdef WINDOWS
+  /* Under Windows, we can try to seed the PRNG using screen content.
+     This may or may not work, depending on whether we'll calling Wget
+     interactively.  */
+
+  RAND_screen ();
+  if (RAND_status ())
+    return;
+#endif
+
+  /* Still not enough randomness, presumably because neither random
+     file nor EGD have been available.  Use the stupidest possible
+     method -- seed OpenSSL's PRNG with the system's PRNG.  This is
+     insecure in the cryptographic sense, but people who care about
+     security will use /dev/random or their own source of randomness
+     anyway.  */
+
+  while (RAND_status () == 0 && maxrand-- > 0)
+    {
+      unsigned char rnd = random_number (256);
+      RAND_seed (&rnd, sizeof (rnd));
+    }
+
+  if (RAND_status () == 0)
+    {
+      logprintf (LOG_NOTQUIET,
+                _("Could not seed OpenSSL PRNG; disabling SSL.\n"));
+      scheme_disable (SCHEME_HTTPS);
+    }
+#endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */
+}
+
 /* Creates a SSL Context and sets some defaults for it */
 uerr_t
 init_ssl (SSL_CTX **ctx)
@@ -54,7 +125,8 @@ init_ssl (SSL_CTX **ctx)
   meth = SSLv23_client_method ();
   *ctx = SSL_CTX_new (meth);
   SSL_CTX_set_verify (*ctx, verify, verify_callback);
-  if (*ctx == NULL) return SSLERRCTXCREATE;
+  if (*ctx == NULL) 
+    return SSLERRCTXCREATE;
   if (opt.sslcertfile)
     {
       if (SSL_CTX_use_certificate_file (*ctx, opt.sslcertfile,
@@ -82,6 +154,9 @@ connect_ssl (SSL **con, SSL_CTX *ctx, int fd)
   SSL_connect (*con);  
   if ((*con)->state != SSL_ST_OK)
     return 1;
+  /*while((SSLerror=ERR_get_error())!=0)
+    printf("%s\n", ERR_error_string(SSLerror,NULL));*/
+
   return 0;
 }
 
@@ -147,9 +222,8 @@ ssl_iread (SSL *con, char *buf, int len)
   do
     {
 #ifdef HAVE_SELECT
-      if (opt.timeout)
+      if (opt.timeout && !SSL_pending (con))
        {
-         
          do
            {
              res = select_fd (fd, opt.timeout, 0);