X-Git-Url: http://sjero.net/git/?p=wget;a=blobdiff_plain;f=src%2Fgnutls.c;h=9e5c733b4c90c536ac46e4b6e3dfe0d5180220f0;hp=57d4ad5c5dca739673df569f3adbc3ccf63fd68e;hb=2f6aa1d7417df1dfc58597777686fbd77179b9fd;hpb=2c772204111e678b7715937052c3e7217a42e1ad diff --git a/src/gnutls.c b/src/gnutls.c index 57d4ad5c..9e5c733b 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -1,5 +1,6 @@ /* SSL support via GnuTLS library. - Copyright (C) 2005, 2006, 2007, 2008 Free Software Foundation, Inc. + Copyright (C) 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software + Foundation, Inc. This file is part of GNU Wget. @@ -31,11 +32,11 @@ as that of the covered work. */ #include #include -#ifdef HAVE_UNISTD_H -# include -#endif +#include #include #include +#include +#include #include #include @@ -45,6 +46,10 @@ as that of the covered work. */ #include "url.h" #include "ssl.h" +#ifdef WIN32 +# include "w32sock.h" +#endif + /* Note: some of the functions private to this file have names that begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be confused with actual gnutls functions -- such as the gnutls_read @@ -55,15 +60,50 @@ static gnutls_certificate_credentials credentials; bool ssl_init () { + const char *ca_directory; + DIR *dir; + gnutls_global_init (); gnutls_certificate_allocate_credentials (&credentials); + + ca_directory = opt.ca_directory ? opt.ca_directory : "/etc/ssl/certs"; + + dir = opendir (ca_directory); + if (dir == NULL) + { + if (opt.ca_directory) + logprintf (LOG_NOTQUIET, _("ERROR: Cannot open directory %s.\n"), + opt.ca_directory); + } + else + { + struct dirent *dent; + while ((dent = readdir (dir)) != NULL) + { + struct stat st; + char *ca_file; + asprintf (&ca_file, "%s/%s", ca_directory, dent->d_name); + + stat (ca_file, &st); + + if (S_ISREG (st.st_mode)) + gnutls_certificate_set_x509_trust_file (credentials, ca_file, + GNUTLS_X509_FMT_PEM); + + free (ca_file); + } + + closedir (dir); + } + if (opt.ca_cert) gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert, GNUTLS_X509_FMT_PEM); return true; } -struct wgnutls_transport_context { +struct wgnutls_transport_context +{ gnutls_session session; /* GnuTLS session handle */ int last_error; /* last error returned by read/write/... */ @@ -72,7 +112,7 @@ struct wgnutls_transport_context { is stored to PEEKBUF, and wgnutls_read checks that buffer before actually reading. */ char peekbuf[512]; - int peekstart, peeklen; + int peeklen; }; #ifndef MIN @@ -82,19 +122,18 @@ struct wgnutls_transport_context { static int wgnutls_read (int fd, char *buf, int bufsize, void *arg) { - int ret; + int ret = 0; struct wgnutls_transport_context *ctx = arg; if (ctx->peeklen) { /* If we have any peek data, simply return that. */ int copysize = MIN (bufsize, ctx->peeklen); - memcpy (buf, ctx->peekbuf + ctx->peekstart, copysize); + memcpy (buf, ctx->peekbuf, copysize); ctx->peeklen -= copysize; if (ctx->peeklen != 0) - ctx->peekstart += copysize; - else - ctx->peekstart = 0; + memmove (ctx->peekbuf, ctx->peekbuf + copysize, ctx->peeklen); + return copysize; } @@ -104,6 +143,7 @@ wgnutls_read (int fd, char *buf, int bufsize, void *arg) if (ret < 0) ctx->last_error = ret; + return ret; } @@ -123,31 +163,49 @@ wgnutls_write (int fd, char *buf, int bufsize, void *arg) static int wgnutls_poll (int fd, double timeout, int wait_for, void *arg) { - return 1; + struct wgnutls_transport_context *ctx = arg; + return ctx->peeklen || gnutls_record_check_pending (ctx->session) + || select_fd (fd, timeout, wait_for); } static int wgnutls_peek (int fd, char *buf, int bufsize, void *arg) { - int ret; + int ret = 0; struct wgnutls_transport_context *ctx = arg; - - /* We don't support peeks following peeks: the reader must drain all - peeked data before the next peek. */ - assert (ctx->peeklen == 0); + int offset = MIN (bufsize, ctx->peeklen); if (bufsize > sizeof ctx->peekbuf) bufsize = sizeof ctx->peekbuf; - do - ret = gnutls_record_recv (ctx->session, buf, bufsize); - while (ret == GNUTLS_E_INTERRUPTED); + if (ctx->peeklen) + memcpy (buf, ctx->peekbuf, offset); - if (ret >= 0) + if (bufsize > offset) { - memcpy (ctx->peekbuf, buf, ret); - ctx->peeklen = ret; + do + { + ret = gnutls_record_recv (ctx->session, buf + offset, + bufsize - offset); + } + while (ret == GNUTLS_E_INTERRUPTED); + + if (ret < 0) + { + if (offset) + ret = 0; + else + return ret; + } + + if (ret > 0) + { + memcpy (ctx->peekbuf + offset, buf + offset, + ret); + ctx->peeklen += ret; + } } - return ret; + + return offset + ret; } static const char * @@ -164,23 +222,20 @@ wgnutls_close (int fd, void *arg) /*gnutls_bye (ctx->session, GNUTLS_SHUT_RDWR);*/ gnutls_deinit (ctx->session); xfree (ctx); -#ifndef WINDOWS close (fd); -#else - closesocket (fd); -#endif } /* gnutls_transport is the singleton that describes the SSL transport methods provided by this file. */ -static struct transport_implementation wgnutls_transport = { +static struct transport_implementation wgnutls_transport = +{ wgnutls_read, wgnutls_write, wgnutls_poll, wgnutls_peek, wgnutls_errstr, wgnutls_close }; bool -ssl_connect (int fd) +ssl_connect_wget (int fd) { static const int cert_type_priority[] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 @@ -188,11 +243,42 @@ ssl_connect (int fd) struct wgnutls_transport_context *ctx; gnutls_session session; int err; + int allowed_protocols[4] = {0, 0, 0, 0}; gnutls_init (&session, GNUTLS_CLIENT); gnutls_set_default_priority (session); gnutls_certificate_type_set_priority (session, cert_type_priority); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials); - gnutls_transport_set_ptr (session, (gnutls_transport_ptr) fd); +#ifndef FD_TO_SOCKET +# define FD_TO_SOCKET(X) (X) +#endif + gnutls_transport_set_ptr (session, (gnutls_transport_ptr) FD_TO_SOCKET (fd)); + + err = 0; + switch (opt.secure_protocol) + { + case secure_protocol_auto: + break; + case secure_protocol_sslv2: + case secure_protocol_sslv3: + allowed_protocols[0] = GNUTLS_SSL3; + err = gnutls_protocol_set_priority (session, allowed_protocols); + break; + case secure_protocol_tlsv1: + allowed_protocols[0] = GNUTLS_TLS1_0; + allowed_protocols[1] = GNUTLS_TLS1_1; + allowed_protocols[2] = GNUTLS_TLS1_2; + err = gnutls_protocol_set_priority (session, allowed_protocols); + break; + default: + abort (); + } + if (err < 0) + { + logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err)); + gnutls_deinit (session); + return false; + } + err = gnutls_handshake (session); if (err < 0) { @@ -200,6 +286,7 @@ ssl_connect (int fd) gnutls_deinit (session); return false; } + ctx = xnew0 (struct wgnutls_transport_context); ctx->session = session; fd_register_transport (fd, &wgnutls_transport, ctx); @@ -223,7 +310,7 @@ ssl_check_certificate (int fd, const char *host) if (err < 0) { logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"), - severity, escnonprint (host)); + severity, quotearg_style (escape_quoting_style, host)); success = false; goto out; } @@ -231,19 +318,19 @@ ssl_check_certificate (int fd, const char *host) if (status & GNUTLS_CERT_INVALID) { logprintf (LOG_NOTQUIET, _("%s: The certificate of %s is not trusted.\n"), - severity, quote (escnonprint (host))); + severity, quote (host)); success = false; } if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { logprintf (LOG_NOTQUIET, _("%s: The certificate of %s hasn't got a known issuer.\n"), - severity, quote (escnonprint (host))); + severity, quote (host)); success = false; } if (status & GNUTLS_CERT_REVOKED) { logprintf (LOG_NOTQUIET, _("%s: The certificate of %s has been revoked.\n"), - severity, quote (escnonprint (host))); + severity, quote (host)); success = false; } @@ -290,8 +377,8 @@ ssl_check_certificate (int fd, const char *host) if (!gnutls_x509_crt_check_hostname (cert, host)) { logprintf (LOG_NOTQUIET, - _("The certificate's owner does not match hostname '%s'\n"), - host); + _("The certificate's owner does not match hostname %s\n"), + quote (host)); success = false; } gnutls_x509_crt_deinit (cert);