Add support for TLS SNI

diff --git a/NEWS b/NEWS
index 5b8d8a635ff2e35c22b9f2456128574f12656dca..8404090992fb9d96bf7449cb2916d5d564026a5e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,8 @@ Please send GNU Wget bug reports to <bug-wget@gnu.org>.
 ** Accept the --bit option.
 
 ** Enable client certificates when GNU TLS is used.
+
+** Add support for TLS Server Name Indication.
 \f
 * Changes in Wget 1.13.4
 

diff --git a/src/ChangeLog b/src/ChangeLog
index 65e881e78599bf2b5b2deee2f955850e92f3e4de..86d0dd13735afb1316358f02f2fb87db9452f577 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,11 @@
+2009-06-14  Phil Pennock  <mutt-dev@spodhuis.org> (tiny change)
+       * host.h: Declare `is_valid_ip_address'.
+       * host.c (is_valid_ip_address): New function.
+       * http.c (gethttp): Specify the hostname to ssl_connect_wget.
+       * gnutls.c (ssl_connect_wget): Specify the server name.
+       * openssl.c (ssl_connect_wget): Likewise.
+       * ssl.h: Change method signature for ssl_connect_wget.
+
 2012-04-13  Tim Ruehsen  <tim.ruehsen@gmx.de> (tiny change)
 
        * warc.c (warc_load_cdx_dedup_file): Fix a memory leak by freeing

diff --git a/src/gnutls.c b/src/gnutls.c
index 291da895d1de58dd7f5b9d34e1f2931a328e6bc3..cbd5e1da38f7b1dc43ab59c0c6d91c709aaa6db7 100644 (file)
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -54,6 +54,8 @@ as that of the covered work.  */
 # include "w32sock.h"
 #endif
 
+#include "host.h"
+
 static int
 key_type_to_gnutls_type (enum keyfile_type type)
 {
@@ -369,12 +371,20 @@ static struct transport_implementation wgnutls_transport =
 };
 
 bool
-ssl_connect_wget (int fd)
+ssl_connect_wget (int fd, const char *hostname)
 {
   struct wgnutls_transport_context *ctx;
   gnutls_session session;
   int err;
   gnutls_init (&session, GNUTLS_CLIENT);
+
+  /* We set the server name but only if it's not an IP address. */
+  if (! is_valid_ip_address (hostname))
+    {
+      gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
+                             strlen (hostname));
+    }
+
   gnutls_set_default_priority (session);
   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials);
 #ifndef FD_TO_SOCKET

diff --git a/src/host.c b/src/host.c
index 86f107a302bc57ae0f2767a806f09d3978424e9a..86bf83b3dfe04ccb6abcfeaa7ea5656248691ae0 100644 (file)
--- a/src/host.c
+++ b/src/host.c
@@ -1,6 +1,6 @@
 /* Host name resolution and matching.
    Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-   2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
+   2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Free Software Foundation,
    Inc.
 
 This file is part of GNU Wget.
@@ -914,3 +914,18 @@ host_cleanup (void)
       host_name_addresses_map = NULL;
     }
 }
+
+bool
+is_valid_ip_address (const char *name)
+{
+  const char *endp;
+
+  endp = name + strlen(name);
+  if (is_valid_ipv4_address (name, endp))
+    return true;
+#ifdef ENABLE_IPV6
+  if (is_valid_ipv6_address (name, endp))
+    return true;
+#endif
+  return false;
+}

diff --git a/src/host.h b/src/host.h
index 3f4a02a2f6d6511dea50c14c165418c8fcac54ef..3f27ea0f64e10b6de6c575fecee0640e5a488509 100644 (file)
--- a/src/host.h
+++ b/src/host.h
@@ -1,6 +1,6 @@
 /* Declarations for host.c
    Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-   2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
+   2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Free Software Foundation,
    Inc.
 
 This file is part of GNU Wget.
@@ -98,6 +98,8 @@ const char *print_address (const ip_address *);
 bool is_valid_ipv6_address (const char *, const char *);
 #endif
 
+bool is_valid_ip_address (const char *name);
+
 bool accept_domain (struct url *);
 bool sufmatch (const char **, const char *);
 

diff --git a/src/http.c b/src/http.c
index 61001f3b0c6142eb40d2eb07ac36946ed72f984e..87d3748c8fc5c9e6a608ceba526403736fd8a3db 100644 (file)
--- a/src/http.c
+++ b/src/http.c
@@ -1,6 +1,6 @@
 /* HTTP support.
    Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
-   2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
+   2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Free Software Foundation,
    Inc.
 
 This file is part of GNU Wget.
@@ -2082,7 +2082,7 @@ gethttp (struct url *u, struct http_stat *hs, int *dt, struct url *proxy,
 
       if (conn->scheme == SCHEME_HTTPS)
         {
-          if (!ssl_connect_wget (sock))
+          if (!ssl_connect_wget (sock, u->host))
             {
               fd_close (sock);
               return CONSSLERR;

diff --git a/src/openssl.c b/src/openssl.c
index bc37491561228a750040b9e2361cbc75bacec1e1..f976455fa553d10feb009f280326550585edcbfd 100644 (file)
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -1,6 +1,6 @@
 /* SSL support via OpenSSL library.
    Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
-   2009, 2010, 2011 Free Software Foundation, Inc.
+   2009, 2010, 2011, 2012 Free Software Foundation, Inc.
    Originally contributed by Christian Fraenkel.
 
 This file is part of GNU Wget.
@@ -395,7 +395,7 @@ static struct transport_implementation openssl_transport = {
    Returns true on success, false on failure.  */
 
 bool
-ssl_connect_wget (int fd)
+ssl_connect_wget (int fd, const char *hostname)
 {
   SSL *conn;
   struct openssl_transport_context *ctx;
@@ -406,6 +406,19 @@ ssl_connect_wget (int fd)
   conn = SSL_new (ssl_ctx);
   if (!conn)
     goto error;
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+  /* If the SSL library was build with support for ServerNameIndication
+     then use it whenever we have a hostname.  If not, don't, ever. */
+  if (! is_valid_ip_address (hostname))
+    {
+      if (! SSL_set_tlsext_host_name (conn, hostname))
+       {
+       DEBUGP (("Failed to set TLS server-name indication."));
+       goto error;
+       }
+    }
+#endif
+
 #ifndef FD_TO_SOCKET
 # define FD_TO_SOCKET(X) (X)
 #endif

diff --git a/src/ssl.h b/src/ssl.h
index 0532c4021588939df64dc4dcf0ee4feb5c1e29ba..e365c4f48bb98547f97ffe55226a9e8fc4063f84 100644 (file)
--- a/src/ssl.h
+++ b/src/ssl.h
@@ -1,6 +1,6 @@
 /* SSL support.
    Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
-   2009, 2010, 2011 Free Software Foundation, Inc.
+   2009, 2010, 2011, 2012 Free Software Foundation, Inc.
    Originally contributed by Christian Fraenkel.
 
 This file is part of GNU Wget.
@@ -33,7 +33,7 @@ as that of the covered work.  */
 #define GEN_SSLFUNC_H
 
 bool ssl_init (void);
-bool ssl_connect_wget (int);
+bool ssl_connect_wget (int, const char *);
 bool ssl_check_certificate (int, const char *);
 
 #endif /* GEN_SSLFUNC_H */