X-Git-Url: http://sjero.net/git/?p=wget;a=blobdiff_plain;f=src%2Fgnutls.c;h=dfff00cf5bf6e0ffc950fc55f885ddc466b9b726;hp=3c4c5b4cf6f8383e9be5a13fa30b988343c4217c;hb=d23ce97885e46d191eec452d1786d97a781dcdbf;hpb=eb483c9f259028f9d40ef5c693b85ab82fe9ade0 diff --git a/src/gnutls.c b/src/gnutls.c index 3c4c5b4c..dfff00cf 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -1,5 +1,5 @@ /* SSL support via GnuTLS library. - Copyright (C) 2005, 2006, 2007, 2008, 2009, 2010 Free Software + Copyright (C) 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. This file is part of GNU Wget. @@ -32,19 +32,20 @@ as that of the covered work. */ #include #include -#ifdef HAVE_UNISTD_H -# include -#endif +#include #include #include +#include #include #include #include +#include #include "utils.h" #include "connect.h" #include "url.h" +#include "ptimer.h" #include "ssl.h" #ifdef WIN32 @@ -57,19 +58,55 @@ as that of the covered work. */ preprocessor macro. */ static gnutls_certificate_credentials credentials; - bool ssl_init () { + const char *ca_directory; + DIR *dir; + gnutls_global_init (); gnutls_certificate_allocate_credentials (&credentials); + gnutls_certificate_set_verify_flags(credentials, + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); + + ca_directory = opt.ca_directory ? opt.ca_directory : "/etc/ssl/certs"; + + dir = opendir (ca_directory); + if (dir == NULL) + { + if (opt.ca_directory) + logprintf (LOG_NOTQUIET, _("ERROR: Cannot open directory %s.\n"), + opt.ca_directory); + } + else + { + struct dirent *dent; + while ((dent = readdir (dir)) != NULL) + { + struct stat st; + char *ca_file; + asprintf (&ca_file, "%s/%s", ca_directory, dent->d_name); + + stat (ca_file, &st); + + if (S_ISREG (st.st_mode)) + gnutls_certificate_set_x509_trust_file (credentials, ca_file, + GNUTLS_X509_FMT_PEM); + + free (ca_file); + } + + closedir (dir); + } + if (opt.ca_cert) gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert, GNUTLS_X509_FMT_PEM); return true; } -struct wgnutls_transport_context { +struct wgnutls_transport_context +{ gnutls_session session; /* GnuTLS session handle */ int last_error; /* last error returned by read/write/... */ @@ -85,10 +122,94 @@ struct wgnutls_transport_context { # define MIN(i, j) ((i) <= (j) ? (i) : (j)) #endif + +static int +wgnutls_read_timeout (int fd, char *buf, int bufsize, void *arg, double timeout) +{ +#ifdef F_GETFL + int flags = 0; +#endif + int ret = 0; + struct ptimer *timer; + struct wgnutls_transport_context *ctx = arg; + int timed_out = 0; + + if (timeout) + { +#ifdef F_GETFL + flags = fcntl (fd, F_GETFL, 0); + if (flags < 0) + return flags; +#endif + timer = ptimer_new (); + if (timer == 0) + return -1; + } + + do + { + double next_timeout = timeout - ptimer_measure (timer); + if (timeout && next_timeout < 0) + break; + + ret = GNUTLS_E_AGAIN; + if (timeout == 0 || gnutls_record_check_pending (ctx->session) + || select_fd (fd, next_timeout, WAIT_FOR_READ)) + { + if (timeout) + { +#ifdef F_GETFL + ret = fcntl (fd, F_SETFL, flags | O_NONBLOCK); + if (ret < 0) + return ret; +#else + /* XXX: Assume it was blocking before. */ + const int one = 1; + ret = ioctl (fd, FIONBIO, &one); + if (ret < 0) + return ret; +#endif + } + + ret = gnutls_record_recv (ctx->session, buf, bufsize); + + if (timeout) + { + int status; +#ifdef F_GETFL + status = fcntl (fd, F_SETFL, flags); + if (status < 0) + return status; +#else + const int zero = 0; + status = ioctl (fd, FIONBIO, &zero); + if (status < 0) + return status; +#endif + } + } + + timed_out = timeout && ptimer_measure (timer) >= timeout; + } + while (ret == GNUTLS_E_INTERRUPTED || (ret == GNUTLS_E_AGAIN && !timed_out)); + + if (timeout) + ptimer_destroy (timer); + + if (timeout && timed_out && ret == GNUTLS_E_AGAIN) + errno = ETIMEDOUT; + + return ret; +} + static int wgnutls_read (int fd, char *buf, int bufsize, void *arg) { +#ifdef F_GETFL + int flags = 0; +#endif int ret = 0; + struct ptimer *timer; struct wgnutls_transport_context *ctx = arg; if (ctx->peeklen) @@ -103,12 +224,10 @@ wgnutls_read (int fd, char *buf, int bufsize, void *arg) return copysize; } - do - ret = gnutls_record_recv (ctx->session, buf, bufsize); - while (ret == GNUTLS_E_INTERRUPTED); - + ret = wgnutls_read_timeout (fd, buf, bufsize, arg, opt.read_timeout); if (ret < 0) ctx->last_error = ret; + return ret; } @@ -119,7 +238,7 @@ wgnutls_write (int fd, char *buf, int bufsize, void *arg) struct wgnutls_transport_context *ctx = arg; do ret = gnutls_record_send (ctx->session, buf, bufsize); - while (ret == GNUTLS_E_INTERRUPTED); + while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); if (ret < 0) ctx->last_error = ret; return ret; @@ -136,30 +255,40 @@ wgnutls_poll (int fd, double timeout, int wait_for, void *arg) static int wgnutls_peek (int fd, char *buf, int bufsize, void *arg) { - int ret = 0; + int read = 0; struct wgnutls_transport_context *ctx = arg; - int offset = ctx->peeklen; - + int offset = MIN (bufsize, ctx->peeklen); if (bufsize > sizeof ctx->peekbuf) bufsize = sizeof ctx->peekbuf; - if (offset) + if (ctx->peeklen) memcpy (buf, ctx->peekbuf, offset); - do + if (bufsize > offset) { - if (gnutls_record_check_pending (ctx->session) - || select_fd (fd, 0, WAIT_FOR_READ)) - ret = gnutls_record_recv (ctx->session, buf + offset, bufsize - offset); - } - while (ret == GNUTLS_E_INTERRUPTED); + if (gnutls_record_check_pending (ctx->session) <= 0 + && select_fd (fd, 0.0, WAIT_FOR_READ) <= 0) + read = 0; + else + read = wgnutls_read_timeout (fd, buf + offset, bufsize - offset, + ctx, opt.read_timeout); + if (read < 0) + { + if (offset) + read = 0; + else + return read; + } - if (ret > 0) - { - memcpy (ctx->peekbuf + offset, buf + offset, ret); - ctx->peeklen += ret; + if (read > 0) + { + memcpy (ctx->peekbuf + offset, buf + offset, + read); + ctx->peeklen += read; + } } - return ctx->peeklen; + + return offset + read; } static const char * @@ -182,7 +311,8 @@ wgnutls_close (int fd, void *arg) /* gnutls_transport is the singleton that describes the SSL transport methods provided by this file. */ -static struct transport_implementation wgnutls_transport = { +static struct transport_implementation wgnutls_transport = +{ wgnutls_read, wgnutls_write, wgnutls_poll, wgnutls_peek, wgnutls_errstr, wgnutls_close }; @@ -190,16 +320,11 @@ static struct transport_implementation wgnutls_transport = { bool ssl_connect_wget (int fd) { - static const int cert_type_priority[] = { - GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 - }; struct wgnutls_transport_context *ctx; gnutls_session session; int err; - int allowed_protocols[4] = {0, 0, 0, 0}; gnutls_init (&session, GNUTLS_CLIENT); gnutls_set_default_priority (session); - gnutls_certificate_type_set_priority (session, cert_type_priority); gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials); #ifndef FD_TO_SOCKET # define FD_TO_SOCKET(X) (X) @@ -207,6 +332,23 @@ ssl_connect_wget (int fd) gnutls_transport_set_ptr (session, (gnutls_transport_ptr) FD_TO_SOCKET (fd)); err = 0; +#if HAVE_GNUTLS_PRIORITY_SET_DIRECT + switch (opt.secure_protocol) + { + case secure_protocol_auto: + break; + case secure_protocol_sslv2: + case secure_protocol_sslv3: + err = gnutls_priority_set_direct (session, "NORMAL:-VERS-TLS-ALL", NULL); + break; + case secure_protocol_tlsv1: + err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL); + break; + default: + abort (); + } +#else + int allowed_protocols[4] = {0, 0, 0, 0}; switch (opt.secure_protocol) { case secure_protocol_auto: @@ -216,15 +358,19 @@ ssl_connect_wget (int fd) allowed_protocols[0] = GNUTLS_SSL3; err = gnutls_protocol_set_priority (session, allowed_protocols); break; + case secure_protocol_tlsv1: allowed_protocols[0] = GNUTLS_TLS1_0; allowed_protocols[1] = GNUTLS_TLS1_1; allowed_protocols[2] = GNUTLS_TLS1_2; err = gnutls_protocol_set_priority (session, allowed_protocols); break; + default: abort (); } +#endif + if (err < 0) { logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));