X-Git-Url: http://sjero.net/git/?p=wget;a=blobdiff_plain;f=src%2Fgnutls.c;h=2b13875fb87c75966efaf41e92ca9eb6e42133a1;hp=e4b0fc2ea026bf731486169009f1ed38d883e790;hb=0b4c04b5836badc480b4bfb90a5bbf0ec897afc5;hpb=127036d3ec956c1d5f7e9c206a1a74d65c0f9be8 diff --git a/src/gnutls.c b/src/gnutls.c index e4b0fc2e..2b13875f 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -1,5 +1,5 @@ /* SSL support via GnuTLS library. - Copyright (C) 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software + Copyright (C) 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Free Software Foundation, Inc. This file is part of GNU Wget. @@ -54,14 +54,30 @@ as that of the covered work. */ # include "w32sock.h" #endif +#include "host.h" + +static int +key_type_to_gnutls_type (enum keyfile_type type) +{ + switch (type) + { + case keyfile_pem: + return GNUTLS_X509_FMT_PEM; + case keyfile_asn1: + return GNUTLS_X509_FMT_DER; + default: + abort (); + } +} + /* Note: some of the functions private to this file have names that begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be confused with actual gnutls functions -- such as the gnutls_read preprocessor macro. */ -static gnutls_certificate_credentials credentials; +static gnutls_certificate_credentials_t credentials; bool -ssl_init () +ssl_init (void) { /* Becomes true if GnuTLS is initialized. */ static bool ssl_initialized = false; @@ -108,6 +124,36 @@ ssl_init () closedir (dir); } + /* Use the private key from the cert file unless otherwise specified. */ + if (opt.cert_file && !opt.private_key) + { + opt.private_key = opt.cert_file; + opt.private_key_type = opt.cert_type; + } + /* Use the cert from the private key file unless otherwise specified. */ + if (!opt.cert_file && opt.private_key) + { + opt.cert_file = opt.private_key; + opt.cert_type = opt.private_key_type; + } + + if (opt.cert_file && opt.private_key) + { + int type; + if (opt.private_key_type != opt.cert_type) + { + /* GnuTLS can't handle this */ + logprintf (LOG_NOTQUIET, _("ERROR: GnuTLS requires the key and the \ +cert to be of the same type.\n")); + } + + type = key_type_to_gnutls_type (opt.private_key_type); + + gnutls_certificate_set_x509_key_file (credentials, opt.cert_file, + opt.private_key, + type); + } + if (opt.ca_cert) gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert, GNUTLS_X509_FMT_PEM); @@ -119,7 +165,7 @@ ssl_init () struct wgnutls_transport_context { - gnutls_session session; /* GnuTLS session handle */ + gnutls_session_t session; /* GnuTLS session handle */ int last_error; /* last error returned by read/write/... */ /* Since GnuTLS doesn't support the equivalent to recv(..., @@ -160,9 +206,13 @@ wgnutls_read_timeout (int fd, char *buf, int bufsize, void *arg, double timeout) do { - double next_timeout = timeout - ptimer_measure (timer); - if (timeout && next_timeout < 0) - break; + double next_timeout; + if (timeout > 0.0) + { + next_timeout = timeout - ptimer_measure (timer); + if (next_timeout < 0.0) + break; + } ret = GNUTLS_E_AGAIN; if (timeout == 0 || gnutls_record_check_pending (ctx->session) @@ -171,15 +221,13 @@ wgnutls_read_timeout (int fd, char *buf, int bufsize, void *arg, double timeout) if (timeout) { #ifdef F_GETFL - ret = fcntl (fd, F_SETFL, flags | O_NONBLOCK); - if (ret < 0) - return ret; + if (fcntl (fd, F_SETFL, flags | O_NONBLOCK)) + break; #else /* XXX: Assume it was blocking before. */ const int one = 1; - ret = ioctl (fd, FIONBIO, &one); - if (ret < 0) - return ret; + if (ioctl (fd, FIONBIO, &one) < 0) + break; #endif } @@ -187,16 +235,13 @@ wgnutls_read_timeout (int fd, char *buf, int bufsize, void *arg, double timeout) if (timeout) { - int status; #ifdef F_GETFL - status = fcntl (fd, F_SETFL, flags); - if (status < 0) - return status; + if (fcntl (fd, F_SETFL, flags) < 0) + break; #else const int zero = 0; - status = ioctl (fd, FIONBIO, &zero); - if (status < 0) - return status; + if (ioctl (fd, FIONBIO, &zero) < 0) + break; #endif } } @@ -217,11 +262,7 @@ wgnutls_read_timeout (int fd, char *buf, int bufsize, void *arg, double timeout) static int wgnutls_read (int fd, char *buf, int bufsize, void *arg) { -#ifdef F_GETFL - int flags = 0; -#endif int ret = 0; - struct ptimer *timer; struct wgnutls_transport_context *ctx = arg; if (ctx->peeklen) @@ -330,18 +371,26 @@ static struct transport_implementation wgnutls_transport = }; bool -ssl_connect_wget (int fd) +ssl_connect_wget (int fd, const char *hostname) { struct wgnutls_transport_context *ctx; - gnutls_session session; + gnutls_session_t session; int err; gnutls_init (&session, GNUTLS_CLIENT); + + /* We set the server name but only if it's not an IP address. */ + if (! is_valid_ip_address (hostname)) + { + gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname, + strlen (hostname)); + } + gnutls_set_default_priority (session); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials); #ifndef FD_TO_SOCKET # define FD_TO_SOCKET(X) (X) #endif - gnutls_transport_set_ptr (session, (gnutls_transport_ptr) FD_TO_SOCKET (fd)); + gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) FD_TO_SOCKET (fd)); err = 0; #if HAVE_GNUTLS_PRIORITY_SET_DIRECT @@ -448,8 +497,8 @@ ssl_check_certificate (int fd, const char *host) if (gnutls_certificate_type_get (ctx->session) == GNUTLS_CRT_X509) { time_t now = time (NULL); - gnutls_x509_crt cert; - const gnutls_datum *cert_list; + gnutls_x509_crt_t cert; + const gnutls_datum_t *cert_list; unsigned int cert_list_size; if ((err = gnutls_x509_crt_init (&cert)) < 0)