Diffstat (limited to 'src/gnutls.c')
-rw-r--r--src/gnutls.c89
1 files changed, 69 insertions, 20 deletions
diff --git a/src/gnutls.c b/src/gnutls.c
index 4f0fa96..604a46e 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -30,7 +30,6 @@ as that of the covered work. */
#include "wget.h"
-#include <assert.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
@@ -123,9 +122,10 @@ ssl_init (void)
while ((dent = readdir (dir)) != NULL)
{
struct stat st;
- char ca_file[dirlen + strlen(dent->d_name) + 2];
+ size_t ca_file_length = dirlen + strlen(dent->d_name) + 2;
+ char *ca_file = alloca(ca_file_length);
- snprintf (ca_file, sizeof(ca_file), "%s/%s", ca_directory, dent->d_name);
+ snprintf (ca_file, ca_file_length, "%s/%s", ca_directory, dent->d_name);
if (stat (ca_file, &st) != 0)
continue;
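Review bot: The `alloca (ca_file_length)` on the new side is taken inside the `while ((dent = readdir (dir)) != NULL)` loop, and alloca'd memory is only released when ssl_init returns, so every directory entry enlarges the stack frame for the rest of the function; a CA directory with many or long-named entries can exhaust the stack, which the VLA it replaces did not do (a VLA is released at the end of each iteration). A heap buffer is the safer replacement: `char *ca_file = xmalloc (ca_file_length);` with a matching `free (ca_file);` before the `continue` and at the end of the loop body, which lies outside this hunk. The hunk also adds no declaration for alloca, and the include block changed in the first hunk does not add `<alloca.h>`; whether wget.h already provides one cannot be confirmed from here.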
@@ -139,8 +139,7 @@ ssl_init (void)
hash_table_put (inode_map, (void *)(intptr_t) st.st_ino, NULL);
if ((rc = gnutls_certificate_set_x509_trust_file (credentials, ca_file,
GNUTLS_X509_FMT_PEM)) <= 0)
- logprintf (LOG_NOTQUIET, _("ERROR: Failed to open cert %s: (%d).\n"),
- ca_file, rc);
+ DEBUGP (("WARNING: Failed to open cert %s: (%d).\n", ca_file, rc));
else
ncerts += rc;
}
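Review bot: Demoting the per-file load failure from `logprintf (LOG_NOTQUIET, ...)` to `DEBUGP` means a CA directory whose files cannot be parsed contributes nothing to the trust store without any message at the default log level, and the only remaining signal is the debug-only `Certificates loaded: %d` line; later peer-verification failures are then hard to trace back to their cause. If the intent is to tolerate non-certificate files in the directory (readdir returns every entry), `logprintf (LOG_VERBOSE, ...)` keeps the message out of default output while still making it reachable with -v. The enclosing loop and ssl_init continue outside this hunk.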
@@ -150,6 +149,36 @@ ssl_init (void)
}
}
+ if (opt.ca_cert)
+ {
+ int rc;
+
+ ncerts = 0;
+
+ if ((rc = gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert,
+ GNUTLS_X509_FMT_PEM)) <= 0)
+ logprintf (LOG_NOTQUIET, _ ("ERROR: Failed to open cert %s: (%d).\n"),
+ opt.ca_cert, rc);
+ else
+ {
+ ncerts += rc;
+ logprintf (LOG_NOTQUIET, _ ("Loaded CA certificate '%s'\n"), opt.ca_cert);
+ }
+ }
+
+ if (opt.crl_file)
+ {
+ int rc;
+
+ if ((rc = gnutls_certificate_set_x509_crl_file (credentials, opt.crl_file, GNUTLS_X509_FMT_PEM)) <= 0)
+ {
+ logprintf (LOG_NOTQUIET, _("ERROR: Failed to load CRL file '%s': (%d)\n"), opt.crl_file, rc);
+ return false;
+ }
+
+ logprintf (LOG_NOTQUIET, _ ("Loaded CRL file '%s'\n"), opt.crl_file);
+ }
+
DEBUGP (("Certificates loaded: %d\n", ncerts));
/* Use the private key from the cert file unless otherwise specified. */
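Review bot: `ncerts = 0;` in the new `if (opt.ca_cert)` block discards the count accumulated by the CA directory loop above, so the `Certificates loaded: %d` line after it reports only the `--ca-certificate` file even though the directory certificates remain in `credentials`; dropping that line keeps the count honest. The two new blocks also disagree on failure: a `--crl-file` that does not load returns false, while a `--ca-certificate` that does not load only logs and continues, so the connection proceeds with whatever trust store the directory produced and the user's explicit choice of CA is silently lost — if that leniency is intended the error text should say so, otherwise `return false;` belongs here as well. Whether the `credentials` allocated earlier in ssl_init are released on the CRL `return false;` path cannot be seen from this hunk.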
@@ -182,10 +211,6 @@ cert to be of the same type.\n"));
type);
}
- if (opt.ca_cert)
- gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert,
- GNUTLS_X509_FMT_PEM);
-
ssl_initialized = true;
return true;
@@ -204,11 +229,6 @@ struct wgnutls_transport_context
int peeklen;
};
-#ifndef MIN
-# define MIN(i, j) ((i) <= (j) ? (i) : (j))
-#endif
-
-
static int
wgnutls_read_timeout (int fd, char *buf, int bufsize, void *arg, double timeout)
{
@@ -407,10 +427,11 @@ ssl_connect_wget (int fd, const char *hostname)
#endif
struct wgnutls_transport_context *ctx;
gnutls_session_t session;
- int err,alert;
- gnutls_init (&session, GNUTLS_CLIENT);
+ int err;
const char *str;
+ gnutls_init (&session, GNUTLS_CLIENT);
+
/* We set the server name but only if it's not an IP address. */
if (! is_valid_ip_address (hostname))
{
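Review bot: The moved `gnutls_init (&session, GNUTLS_CLIENT);` still discards its return value, and every later call in ssl_connect_wget dereferences `session`; since `err` is now declared right above it, the result can be checked there: `err = gnutls_init (&session, GNUTLS_CLIENT);` followed by `if (err != GNUTLS_E_SUCCESS) { logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err)); return false; }` (assuming the bool return that `return true` in ssl_init above suggests for this file). ssl_connect_wget continues outside this hunk.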
@@ -429,26 +450,40 @@ ssl_connect_wget (int fd, const char *hostname)
gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) FD_TO_SOCKET (fd));
#endif
- err = 0;
#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
switch (opt.secure_protocol)
{
case secure_protocol_auto:
+ err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
break;
+
case secure_protocol_sslv2:
case secure_protocol_sslv3:
err = gnutls_priority_set_direct (session, "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", NULL);
break;
+
case secure_protocol_tlsv1:
err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
break;
+
+ case secure_protocol_tlsv1_1:
+ err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0", NULL);
+ break;
+
+ case secure_protocol_tlsv1_2:
+ err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1", NULL);
+ break;
+
case secure_protocol_pfs:
- err = gnutls_priority_set_direct (session, "PFS", NULL);
+ err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL);
if (err != GNUTLS_E_SUCCESS)
/* fallback if PFS is not available */
- err = gnutls_priority_set_direct (session, "NORMAL:-RSA", NULL);
+ err = gnutls_priority_set_direct (session, "NORMAL:-RSA:-VERS-SSL3.0", NULL);
break;
+
default:
+ logprintf (LOG_NOTQUIET, _("GnuTLS: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
+ logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
abort ();
}
#else
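Review bot: Removing `err = 0;` leaves `err` uninitialised on the `#else` path of the next hunk, where `case secure_protocol_auto:` at L154-155 just breaks without assigning it, so any check of `err` after the switch reads an indeterminate value there (undefined behaviour, and the connection may be rejected or accepted at random); the `#if HAVE_GNUTLS_PRIORITY_SET_DIRECT` branch is fine because its auto case now sets it. Restoring the initialiser at the declaration, `int err = 0;`, covers both branches. The `abort ()` in the default case is pre-existing, but now that the message asks the user to report a bug, logging and returning false would be friendlier than dumping core.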
@@ -457,6 +492,7 @@ ssl_connect_wget (int fd, const char *hostname)
{
case secure_protocol_auto:
break;
+
case secure_protocol_sslv2:
case secure_protocol_sslv3:
allowed_protocols[0] = GNUTLS_SSL3;
@@ -470,7 +506,20 @@ ssl_connect_wget (int fd, const char *hostname)
err = gnutls_protocol_set_priority (session, allowed_protocols);
break;
+ case secure_protocol_tlsv1_1:
+ allowed_protocols[0] = GNUTLS_TLS1_1;
+ allowed_protocols[1] = GNUTLS_TLS1_2;
+ err = gnutls_protocol_set_priority (session, allowed_protocols);
+ break;
+
+ case secure_protocol_tlsv1_2:
+ allowed_protocols[0] = GNUTLS_TLS1_2;
+ err = gnutls_protocol_set_priority (session, allowed_protocols);
+ break;
+
default:
+ logprintf (LOG_NOTQUIET, _("GnuTLS: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
+ logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
abort ();
}
#endif
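Review bot: The new `secure_protocol_tlsv1_1` and `secure_protocol_tlsv1_2` cases rely on `allowed_protocols` being 0-terminated after the elements they set, because gnutls_protocol_set_priority reads the list up to a zero entry; the array's declaration and any initialiser are outside this hunk, so this is correct only if it is zero-initialised there — worth confirming, or making explicit with `allowed_protocols[2] = 0;` and `allowed_protocols[1] = 0;` respectively. The two logprintf lines in the default case duplicate those added in the `#if` branch above; hoisting them into a small static helper would keep the message in one place.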
@@ -534,7 +583,7 @@ ssl_connect_wget (int fd, const char *hostname)
if (err == GNUTLS_E_WARNING_ALERT_RECEIVED ||
err == GNUTLS_E_FATAL_ALERT_RECEIVED)
{
- alert = gnutls_alert_get (session);
+ gnutls_alert_description_t alert = gnutls_alert_get (session);
str = gnutls_alert_get_name (alert);
if (str == NULL)
str = "(unknown)";