+2001-02-08 Christian Fraenkel <christian.fraenkel@gmx.net>
+
+ * gen_sslfunc.c: verify_callback is now static
+
+ * gen_sslfunc.c (init_ssl): load certificate if specified
+
+ * gen_sslfunc.c (ssl_printerr): new function
+
+ * init.c: added new --sslcertfile and --sslcertkey switches
+
+ * main.c: ditto
+
+ * options.h: ditto
+
+ * http.c (gethttp): abort when init_ssl fails
+
2001-01-23 Herold Heiko <Heiko.Herold@previnet.it>
* mswindows.h: Include <malloc.h>; it's needed for alloca().
#include <openssl/err.h>
#include <openssl/pem.h>
-#define SSL_ERR_CTX_CREATION -2
-
#include "wget.h"
#include "connect.h"
extern int errno;
#endif
-/* #### Shouldn't this be static? --hniksic */
-int verify_callback PARAMS ((int, X509_STORE_CTX *));
+static int verify_callback PARAMS ((int, X509_STORE_CTX *));
/* Creates a SSL Context and sets some defaults for it */
-int
+uerr_t
init_ssl (SSL_CTX **ctx)
{
SSL_METHOD *meth = NULL;
meth = SSLv23_client_method ();
*ctx = SSL_CTX_new (meth);
SSL_CTX_set_verify (*ctx, verify, verify_callback);
- if (*ctx == NULL) return SSL_ERR_CTX_CREATION;
+ if (*ctx == NULL) return SSLERRCTXCREATE;
+ if (opt.sslcertfile)
+ {
+ if (SSL_CTX_use_certificate_file (*ctx, opt.sslcertfile,
+ SSL_FILETYPE_PEM) <= 0)
+ return SSLERRCERTFILE;
+ if (opt.sslcertkey == NULL)
+ opt.sslcertkey=opt.sslcertfile;
+ if (SSL_CTX_use_PrivateKey_file (*ctx, opt.sslcertkey,
+ SSL_FILETYPE_PEM) <= 0)
+ return SSLERRCERTKEY;
+ }
return 0; /* Succeded */
}
return ok;
}
+/* pass all ssl errors to DEBUGP
+ returns the number of printed errors */
+int
+ssl_printerrors (void)
+{
+ int ocerr = 0;
+ unsigned long curerr = 0;
+ char errbuff[1024];
+ memset(errbuff, 0, sizeof(errbuff));
+ for (curerr = ERR_get_error (); curerr; curerr = ERR_get_error ())
+ {
+ DEBUGP (("OpenSSL: %s\n", ERR_error_string (curerr, errbuff)));
+ ++ocerr;
+ }
+ return ocerr;
+}
+
/* SSL version of iread. Only exchanged read for SSL_read
Read at most LEN bytes from FD, storing them to BUF. This is
virtually the same as read(), but takes care of EINTR braindamage
int verify_callback PARAMS ((int, X509_STORE_CTX *));
int ssl_iread PARAMS ((SSL *, char *, int));
int ssl_iwrite PARAMS ((SSL *, char *, int));
+int ssl_printerrors PARAMS ((void));
int inhibit_keep_alive;
#ifdef HAVE_SSL
-/* initialize ssl_ctx on first run */
+ /* initialize ssl_ctx on first run */
if (!ssl_ctx)
- init_ssl (&ssl_ctx);
+ {
+ err=init_ssl (&ssl_ctx);
+ if (err != 0)
+ {
+ switch (err)
+ {
+ case SSLERRCTXCREATE:
+ /* this is fatal */
+ logprintf (LOG_NOTQUIET, _("Failed to set up an SSL context\n"));
+ ssl_printerrors ();
+ return err;
+ case SSLERRCERTFILE:
+ /* try without certfile */
+ logprintf (LOG_NOTQUIET,
+ _("Failed to load certificates from %s\n"),
+ opt.sslcertfile);
+ ssl_printerrors ();
+ logprintf (LOG_NOTQUIET,
+ _("Trying without the specified certificate\n"));
+ break;
+ case SSLERRCERTKEY:
+ logprintf (LOG_NOTQUIET,
+ _("Failed to get certificate key from %s\n"),
+ opt.sslcertkey);
+ ssl_printerrors ();
+ logprintf (LOG_NOTQUIET,
+ _("Trying without the specified certificate\n"));
+ break;
+ default:
+ break;
+ }
+ }
+ }
#endif /* HAVE_SSL */
if (!(*dt & HEAD_ONLY))
printwhat (count, opt.ntry);
continue;
break;
- case HOSTERR: case CONREFUSED: case PROXERR: case AUTHFAILED:
+ case HOSTERR: case CONREFUSED: case PROXERR: case AUTHFAILED:
+ case SSLERRCTXCREATE:
/* Fatal errors just return from the function. */
FREEHSTAT (hstat);
xfree (filename_plus_orig_suffix); /* must precede every return! */
{ "simplehostcheck", &opt.simple_check, cmd_boolean },
{ "spanhosts", &opt.spanhost, cmd_boolean },
{ "spider", &opt.spider, cmd_boolean },
+#ifdef HAVE_SSL
+ { "sslcertfile", &opt.sslcertfile, cmd_string },
+ { "sslcertkey", &opt.sslcertkey, cmd_string },
+#endif /* HAVE_SSL */
{ "timeout", &opt.timeout, cmd_time },
{ "timestamping", &opt.timestamping, cmd_boolean },
{ "tries", &opt.ntry, cmd_number_inf },
FREE_MAYBE (opt.http_user);
FREE_MAYBE (opt.http_passwd);
FREE_MAYBE (opt.user_header);
+#ifdef HAVE_SSL
+ FREE_MAYBE (opt.sslcertkey);
+ FREE_MAYBE (opt.sslcertfile);
+#endif /* HAVE_SSL */
}
-i, --input-file=FILE download URLs found in FILE.\n\
-F, --force-html treat input file as HTML.\n\
-B, --base=URL prepends URL to relative links in -F -i file.\n\
+ --sslcertfile=FILE optional client certificate.\n\
+ --sslcertkey=KEYFILE optional keyfile for this certificate.\n\
\n"), _("\
Download:\n\
--bind-address=ADDRESS bind to ADDRESS (hostname or IP) on local host.\n\
{ "user-agent", required_argument, NULL, 'U' },
{ "referer", required_argument, NULL, 129 },
{ "use-proxy", required_argument, NULL, 'Y' },
+#ifdef HAVE_SSL
+ { "sslcertfile", required_argument, NULL, 132},
+ { "sslcertkey", required_argument, NULL, 133},
+#endif /* HAVE_SSL */
{ "wait", required_argument, NULL, 'w' },
{ "waitretry", required_argument, NULL, 24 },
{ 0, 0, 0, 0 }
case 129:
setval ("referer", optarg);
break;
+#ifdef HAVE_SSL
+ case 132:
+ setval ("sslcertfile", optarg);
+ break;
+ case 133:
+ setval ("sslcertkey", optarg);
+ break;
+#endif /* HAVE_SSL */
case 'A':
setval ("accept", optarg);
break;
necessary to display a page properly. */
struct sockaddr_in *bind_address; /* What local IP address to bind to. */
+
+#ifdef HAVE_SSL
+ char *sslcertfile; /* external client cert to use. */
+ char *sslcertkey; /* the keyfile for this certificate
+ (if not internal) included in the
+ certfile. */
+#endif /* HAVE_SSL */
};
#ifndef OPTIONS_DEFINED_HERE
FTPINVPASV, FTPNOPASV,
RETRFINISHED, READERR, TRYLIMEXC, URLBADPATTERN,
FILEBADFILE, RANGEERR, RETRBADPATTERN, RETNOTSUP,
- ROBOTSOK, NOROBOTS, PROXERR, AUTHFAILED, QUOTEXC, WRITEFAILED
+ ROBOTSOK, NOROBOTS, PROXERR, AUTHFAILED, QUOTEXC, WRITEFAILED,
+ SSLERRCERTFILE,SSLERRCERTKEY,SSLERRCTXCREATE
} uerr_t;
typedef unsigned char boolean;