The GNU TLS backend loads default root certificates.

[wget] / src / gnutls.c

diff --git a/src/gnutls.c b/src/gnutls.c
index 30ed5e17f7d81cabae04e6075f23935fa0eb4468..adba856044e4f0eaa9bf9fc8906671c849d6e8c2 100644 (file)
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -37,6 +37,7 @@ as that of the covered work.  */
 #endif
 #include <string.h>
 #include <stdio.h>
+#include <dirent.h>
 #include <stdlib.h>
 
 #include <gnutls/gnutls.h>
@@ -47,6 +48,10 @@ as that of the covered work.  */
 #include "url.h"
 #include "ssl.h"
 
+#ifdef WIN32
+# include "w32sock.h"
+#endif
+
 /* Note: some of the functions private to this file have names that
    begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be
    confused with actual gnutls functions -- such as the gnutls_read
@@ -57,8 +62,42 @@ static gnutls_certificate_credentials credentials;
 bool
 ssl_init ()
 {
+  const char *ca_directory;
+  DIR *dir;
+
   gnutls_global_init ();
   gnutls_certificate_allocate_credentials (&credentials);
+
+  ca_directory = opt.ca_directory ? opt.ca_directory : "/etc/ssl/certs";
+
+  dir = opendir (ca_directory);
+  if (dir == NULL)
+    {
+      if (opt.ca_directory)
+        logprintf (LOG_NOTQUIET, _("ERROR: Cannot open directory %s.\n"),
+                   opt.ca_directory);
+    }
+  else
+    {
+      struct dirent *dent;
+      while ((dent = readdir (dir)) != NULL)
+        {
+          struct stat st;
+          char *ca_file;
+          asprintf (&ca_file, "%s/%s", ca_directory, dent->d_name);
+
+          stat (ca_file, &st);
+
+          if (S_ISREG (st.st_mode))
+            gnutls_certificate_set_x509_trust_file (credentials, ca_file,
+                                                    GNUTLS_X509_FMT_PEM);
+
+          free (ca_file);
+        }
+
+      closedir (dir);
+    }
+
   if (opt.ca_cert)
     gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert,
                                             GNUTLS_X509_FMT_PEM);
@@ -192,11 +231,42 @@ ssl_connect_wget (int fd)
   struct wgnutls_transport_context *ctx;
   gnutls_session session;
   int err;
+  int allowed_protocols[4] = {0, 0, 0, 0};
   gnutls_init (&session, GNUTLS_CLIENT);
   gnutls_set_default_priority (session);
   gnutls_certificate_type_set_priority (session, cert_type_priority);
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials);
-  gnutls_transport_set_ptr (session, (gnutls_transport_ptr) fd);
+#ifndef FD_TO_SOCKET
+# define FD_TO_SOCKET(X) (X)
+#endif
+  gnutls_transport_set_ptr (session, (gnutls_transport_ptr) FD_TO_SOCKET (fd));
+
+  err = 0;
+  switch (opt.secure_protocol)
+    {
+    case secure_protocol_auto:
+      break;
+    case secure_protocol_sslv2:
+    case secure_protocol_sslv3:
+      allowed_protocols[0] = GNUTLS_SSL3;
+      err = gnutls_protocol_set_priority (session, allowed_protocols);
+      break;
+    case secure_protocol_tlsv1:
+      allowed_protocols[0] = GNUTLS_TLS1_0;
+      allowed_protocols[1] = GNUTLS_TLS1_1;
+      allowed_protocols[2] = GNUTLS_TLS1_2;
+      err = gnutls_protocol_set_priority (session, allowed_protocols);
+      break;
+    default:
+      abort ();
+    }
+  if (err < 0)
+    {
+      logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
+      gnutls_deinit (session);
+      return false;
+    }
+
   err = gnutls_handshake (session);
   if (err < 0)
     {
@@ -204,6 +274,7 @@ ssl_connect_wget (int fd)
       gnutls_deinit (session);
       return false;
     }
+
   ctx = xnew0 (struct wgnutls_transport_context);
   ctx->session = session;
   fd_register_transport (fd, &wgnutls_transport, ctx);