X-Git-Url: http://sjero.net/git/?p=wget;a=blobdiff_plain;f=src%2Fgnutls.c;h=9e5c733b4c90c536ac46e4b6e3dfe0d5180220f0;hp=05cd0df169bfd468e4d1e23219c43f50b2298585;hb=2f6aa1d7417df1dfc58597777686fbd77179b9fd;hpb=1c7493b83ed8cecbbf1f70ef6bf834f94c5fcd43
diff --git a/src/gnutls.c b/src/gnutls.c
index 05cd0df1..9e5c733b 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -1,11 +1,12 @@
/* SSL support via GnuTLS library.
- Copyright (C) 2005-2006 Free Software Foundation, Inc.
+ Copyright (C) 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+ Foundation, Inc.
This file is part of GNU Wget.
GNU Wget is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
-the Free Software Foundation; either version 2 of the License, or
+the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
GNU Wget is distributed in the hope that it will be useful,
@@ -14,38 +15,41 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
-along with Wget; if not, write to the Free Software Foundation, Inc.,
-51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+along with Wget. If not, see .
-In addition, as a special exception, the Free Software Foundation
-gives permission to link the code of its release of Wget with the
-OpenSSL project's "OpenSSL" library (or with modified versions of it
-that use the same license as the "OpenSSL" library), and distribute
-the linked executables. You must obey the GNU General Public License
-in all respects for all of the code used other than "OpenSSL". If you
-modify this file, you may extend this exception to your version of the
-file, but you are not obligated to do so. If you do not wish to do
-so, delete this exception statement from your version. */
+Additional permission under GNU GPL version 3 section 7
-#include
+If you modify this program, or any covered work, by linking or
+combining it with the OpenSSL project's OpenSSL library (or a
+modified version of that library), containing parts covered by the
+terms of the OpenSSL or SSLeay licenses, the Free Software Foundation
+grants you additional permission to convey the resulting work.
+Corresponding Source for a non-source form of such a combination
+shall include the source code for the parts of OpenSSL used as well
+as that of the covered work. */
+
+#include "wget.h"
#include
#include
-#ifdef HAVE_UNISTD_H
-# include
-#endif
+#include
#include
#include
+#include
+#include
#include
#include
-#include "wget.h"
#include "utils.h"
#include "connect.h"
#include "url.h"
#include "ssl.h"
+#ifdef WIN32
+# include "w32sock.h"
+#endif
+
/* Note: some of the functions private to this file have names that
begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be
confused with actual gnutls functions -- such as the gnutls_read
@@ -56,24 +60,59 @@ static gnutls_certificate_credentials credentials;
bool
ssl_init ()
{
+ const char *ca_directory;
+ DIR *dir;
+
gnutls_global_init ();
gnutls_certificate_allocate_credentials (&credentials);
+
+ ca_directory = opt.ca_directory ? opt.ca_directory : "/etc/ssl/certs";
+
+ dir = opendir (ca_directory);
+ if (dir == NULL)
+ {
+ if (opt.ca_directory)
+ logprintf (LOG_NOTQUIET, _("ERROR: Cannot open directory %s.\n"),
+ opt.ca_directory);
+ }
+ else
+ {
+ struct dirent *dent;
+ while ((dent = readdir (dir)) != NULL)
+ {
+ struct stat st;
+ char *ca_file;
+ asprintf (&ca_file, "%s/%s", ca_directory, dent->d_name);
+
+ stat (ca_file, &st);
+
+ if (S_ISREG (st.st_mode))
+ gnutls_certificate_set_x509_trust_file (credentials, ca_file,
+ GNUTLS_X509_FMT_PEM);
+
+ free (ca_file);
+ }
+
+ closedir (dir);
+ }
+
if (opt.ca_cert)
gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert,
- GNUTLS_X509_FMT_PEM);
+ GNUTLS_X509_FMT_PEM);
return true;
}
-struct wgnutls_transport_context {
- gnutls_session session; /* GnuTLS session handle */
- int last_error; /* last error returned by read/write/... */
+struct wgnutls_transport_context
+{
+ gnutls_session session; /* GnuTLS session handle */
+ int last_error; /* last error returned by read/write/... */
/* Since GnuTLS doesn't support the equivalent to recv(...,
MSG_PEEK) or SSL_peek(), we have to do it ourselves. Peeked data
is stored to PEEKBUF, and wgnutls_read checks that buffer before
actually reading. */
char peekbuf[512];
- int peekstart, peeklen;
+ int peeklen;
};
#ifndef MIN
@@ -83,19 +122,18 @@ struct wgnutls_transport_context {
static int
wgnutls_read (int fd, char *buf, int bufsize, void *arg)
{
- int ret;
+ int ret = 0;
struct wgnutls_transport_context *ctx = arg;
if (ctx->peeklen)
{
/* If we have any peek data, simply return that. */
int copysize = MIN (bufsize, ctx->peeklen);
- memcpy (buf, ctx->peekbuf + ctx->peekstart, copysize);
+ memcpy (buf, ctx->peekbuf, copysize);
ctx->peeklen -= copysize;
if (ctx->peeklen != 0)
- ctx->peekstart += copysize;
- else
- ctx->peekstart = 0;
+ memmove (ctx->peekbuf, ctx->peekbuf + copysize, ctx->peeklen);
+
return copysize;
}
@@ -105,6 +143,7 @@ wgnutls_read (int fd, char *buf, int bufsize, void *arg)
if (ret < 0)
ctx->last_error = ret;
+
return ret;
}
@@ -124,31 +163,49 @@ wgnutls_write (int fd, char *buf, int bufsize, void *arg)
static int
wgnutls_poll (int fd, double timeout, int wait_for, void *arg)
{
- return 1;
+ struct wgnutls_transport_context *ctx = arg;
+ return ctx->peeklen || gnutls_record_check_pending (ctx->session)
+ || select_fd (fd, timeout, wait_for);
}
static int
wgnutls_peek (int fd, char *buf, int bufsize, void *arg)
{
- int ret;
+ int ret = 0;
struct wgnutls_transport_context *ctx = arg;
-
- /* We don't support peeks following peeks: the reader must drain all
- peeked data before the next peek. */
- assert (ctx->peeklen == 0);
+ int offset = MIN (bufsize, ctx->peeklen);
if (bufsize > sizeof ctx->peekbuf)
bufsize = sizeof ctx->peekbuf;
- do
- ret = gnutls_record_recv (ctx->session, buf, bufsize);
- while (ret == GNUTLS_E_INTERRUPTED);
+ if (ctx->peeklen)
+ memcpy (buf, ctx->peekbuf, offset);
- if (ret >= 0)
+ if (bufsize > offset)
{
- memcpy (ctx->peekbuf, buf, ret);
- ctx->peeklen = ret;
+ do
+ {
+ ret = gnutls_record_recv (ctx->session, buf + offset,
+ bufsize - offset);
+ }
+ while (ret == GNUTLS_E_INTERRUPTED);
+
+ if (ret < 0)
+ {
+ if (offset)
+ ret = 0;
+ else
+ return ret;
+ }
+
+ if (ret > 0)
+ {
+ memcpy (ctx->peekbuf + offset, buf + offset,
+ ret);
+ ctx->peeklen += ret;
+ }
}
- return ret;
+
+ return offset + ret;
}
static const char *
@@ -165,23 +222,20 @@ wgnutls_close (int fd, void *arg)
/*gnutls_bye (ctx->session, GNUTLS_SHUT_RDWR);*/
gnutls_deinit (ctx->session);
xfree (ctx);
-#ifndef WINDOWS
close (fd);
-#else
- closesocket (fd);
-#endif
}
/* gnutls_transport is the singleton that describes the SSL transport
methods provided by this file. */
-static struct transport_implementation wgnutls_transport = {
+static struct transport_implementation wgnutls_transport =
+{
wgnutls_read, wgnutls_write, wgnutls_poll,
wgnutls_peek, wgnutls_errstr, wgnutls_close
};
bool
-ssl_connect (int fd)
+ssl_connect_wget (int fd)
{
static const int cert_type_priority[] = {
GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0
@@ -189,11 +243,42 @@ ssl_connect (int fd)
struct wgnutls_transport_context *ctx;
gnutls_session session;
int err;
+ int allowed_protocols[4] = {0, 0, 0, 0};
gnutls_init (&session, GNUTLS_CLIENT);
gnutls_set_default_priority (session);
gnutls_certificate_type_set_priority (session, cert_type_priority);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials);
- gnutls_transport_set_ptr (session, (gnutls_transport_ptr) fd);
+#ifndef FD_TO_SOCKET
+# define FD_TO_SOCKET(X) (X)
+#endif
+ gnutls_transport_set_ptr (session, (gnutls_transport_ptr) FD_TO_SOCKET (fd));
+
+ err = 0;
+ switch (opt.secure_protocol)
+ {
+ case secure_protocol_auto:
+ break;
+ case secure_protocol_sslv2:
+ case secure_protocol_sslv3:
+ allowed_protocols[0] = GNUTLS_SSL3;
+ err = gnutls_protocol_set_priority (session, allowed_protocols);
+ break;
+ case secure_protocol_tlsv1:
+ allowed_protocols[0] = GNUTLS_TLS1_0;
+ allowed_protocols[1] = GNUTLS_TLS1_1;
+ allowed_protocols[2] = GNUTLS_TLS1_2;
+ err = gnutls_protocol_set_priority (session, allowed_protocols);
+ break;
+ default:
+ abort ();
+ }
+ if (err < 0)
+ {
+ logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
+ gnutls_deinit (session);
+ return false;
+ }
+
err = gnutls_handshake (session);
if (err < 0)
{
@@ -201,6 +286,7 @@ ssl_connect (int fd)
gnutls_deinit (session);
return false;
}
+
ctx = xnew0 (struct wgnutls_transport_context);
ctx->session = session;
fd_register_transport (fd, &wgnutls_transport, ctx);
@@ -224,27 +310,27 @@ ssl_check_certificate (int fd, const char *host)
if (err < 0)
{
logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"),
- severity, escnonprint (host));
+ severity, quotearg_style (escape_quoting_style, host));
success = false;
goto out;
}
if (status & GNUTLS_CERT_INVALID)
{
- logprintf (LOG_NOTQUIET, _("%s: The certificate of `%s' is not trusted.\n"),
- severity, escnonprint (host));
+ logprintf (LOG_NOTQUIET, _("%s: The certificate of %s is not trusted.\n"),
+ severity, quote (host));
success = false;
}
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
{
- logprintf (LOG_NOTQUIET, _("%s: The certificate of `%s' hasn't got a known issuer.\n"),
- severity, escnonprint (host));
+ logprintf (LOG_NOTQUIET, _("%s: The certificate of %s hasn't got a known issuer.\n"),
+ severity, quote (host));
success = false;
}
if (status & GNUTLS_CERT_REVOKED)
{
- logprintf (LOG_NOTQUIET, _("%s: The certificate of `%s' has been revoked.\n"),
- severity, escnonprint (host));
+ logprintf (LOG_NOTQUIET, _("%s: The certificate of %s has been revoked.\n"),
+ severity, quote (host));
success = false;
}
@@ -256,45 +342,45 @@ ssl_check_certificate (int fd, const char *host)
unsigned int cert_list_size;
if ((err = gnutls_x509_crt_init (&cert)) < 0)
- {
- logprintf (LOG_NOTQUIET, _("Error initializing X509 certificate: %s\n"),
- gnutls_strerror (err));
- success = false;
- goto out;
- }
+ {
+ logprintf (LOG_NOTQUIET, _("Error initializing X509 certificate: %s\n"),
+ gnutls_strerror (err));
+ success = false;
+ goto out;
+ }
cert_list = gnutls_certificate_get_peers (ctx->session, &cert_list_size);
if (!cert_list)
- {
- logprintf (LOG_NOTQUIET, _("No certificate found\n"));
- success = false;
- goto out;
- }
+ {
+ logprintf (LOG_NOTQUIET, _("No certificate found\n"));
+ success = false;
+ goto out;
+ }
err = gnutls_x509_crt_import (cert, cert_list, GNUTLS_X509_FMT_DER);
if (err < 0)
- {
- logprintf (LOG_NOTQUIET, _("Error parsing certificate: %s\n"),
- gnutls_strerror (err));
- success = false;
- goto out;
- }
+ {
+ logprintf (LOG_NOTQUIET, _("Error parsing certificate: %s\n"),
+ gnutls_strerror (err));
+ success = false;
+ goto out;
+ }
if (now < gnutls_x509_crt_get_activation_time (cert))
- {
- logprintf (LOG_NOTQUIET, _("The certificate has not yet been activated\n"));
- success = false;
- }
+ {
+ logprintf (LOG_NOTQUIET, _("The certificate has not yet been activated\n"));
+ success = false;
+ }
if (now >= gnutls_x509_crt_get_expiration_time (cert))
- {
- logprintf (LOG_NOTQUIET, _("The certificate has expired\n"));
- success = false;
- }
+ {
+ logprintf (LOG_NOTQUIET, _("The certificate has expired\n"));
+ success = false;
+ }
if (!gnutls_x509_crt_check_hostname (cert, host))
- {
- logprintf (LOG_NOTQUIET,
- _("The certificate's owner does not match hostname '%s'\n"),
- host);
- success = false;
- }
+ {
+ logprintf (LOG_NOTQUIET,
+ _("The certificate's owner does not match hostname %s\n"),
+ quote (host));
+ success = false;
+ }
gnutls_x509_crt_deinit (cert);
}