From 007bee88d8edf999f4d477274cdcd4ae65a484c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Mon, 24 Nov 2014 12:05:26 +0100
Subject: [PATCH] GnuTLS support for --secure-protocol=TLSv1_1|TLSv1_2

The code seemed to be forgotten.
Also added a message before aborting Wget in such a case.
---
 src/ChangeLog |  8 ++++++++
 src/gnutls.c  | 32 ++++++++++++++++++++++++++++++--
 src/openssl.c | 16 ++++++++++++----
 3 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 47d568b4..f412fcad 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,11 @@
+2014-11-26  Tim Ruehsen <tim.ruehsen@gmx.de>
+
+	* gnutls.c (ssl_connect_wget): Implement missing code for
+	--secure-protocol=TLSv1_1|TLSv1_2, print message before abort()
+	for missing protocol implementations.
+	* openssl.c (ssl_init): Print message before abort() for
+	missing protocol implementations.
+
 2014-11-26  Tim Ruehsen <tim.ruehsen@gmx.de>
 
 	* recur.c: Add space after function names
diff --git a/src/gnutls.c b/src/gnutls.c
index 080b5a04..0757cfc8 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -432,7 +432,7 @@ ssl_connect_wget (int fd, const char *hostname)
 #endif
   struct wgnutls_transport_context *ctx;
   gnutls_session_t session;
-  int err,alert;
+  int err;
   const char *str;
 
   gnutls_init (&session, GNUTLS_CLIENT);
@@ -461,20 +461,34 @@ ssl_connect_wget (int fd, const char *hostname)
     case secure_protocol_auto:
       err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
       break;
+
     case secure_protocol_sslv2:
     case secure_protocol_sslv3:
       err = gnutls_priority_set_direct (session, "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", NULL);
       break;
+
     case secure_protocol_tlsv1:
       err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
       break;
+
+    case secure_protocol_tlsv1_1:
+      err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0", NULL);
+      break;
+
+    case secure_protocol_tlsv1_2:
+      err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1", NULL);
+      break;
+
     case secure_protocol_pfs:
       err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL);
       if (err != GNUTLS_E_SUCCESS)
         /* fallback if PFS is not available */
         err = gnutls_priority_set_direct (session, "NORMAL:-RSA:-VERS-SSL3.0", NULL);
       break;
+
     default:
+      logprintf (LOG_NOTQUIET, _("GnuTLS: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
+      logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
       abort ();
     }
 #else
@@ -483,6 +497,7 @@ ssl_connect_wget (int fd, const char *hostname)
     {
     case secure_protocol_auto:
       break;
+
     case secure_protocol_sslv2:
     case secure_protocol_sslv3:
       allowed_protocols[0] = GNUTLS_SSL3;
@@ -496,7 +511,20 @@ ssl_connect_wget (int fd, const char *hostname)
       err = gnutls_protocol_set_priority (session, allowed_protocols);
       break;
 
+    case secure_protocol_tlsv1_1:
+      allowed_protocols[0] = GNUTLS_TLS1_1;
+      allowed_protocols[1] = GNUTLS_TLS1_2;
+      err = gnutls_protocol_set_priority (session, allowed_protocols);
+      break;
+
+    case secure_protocol_tlsv1_2:
+      allowed_protocols[0] = GNUTLS_TLS1_2;
+      err = gnutls_protocol_set_priority (session, allowed_protocols);
+      break;
+
     default:
+      logprintf (LOG_NOTQUIET, _("GnuTLS: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
+      logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
       abort ();
     }
 #endif
@@ -560,7 +588,7 @@ ssl_connect_wget (int fd, const char *hostname)
           if (err == GNUTLS_E_WARNING_ALERT_RECEIVED ||
               err == GNUTLS_E_FATAL_ALERT_RECEIVED)
             {
-              alert = gnutls_alert_get (session);
+              gnutls_alert_description_t alert = gnutls_alert_get (session);
               str = gnutls_alert_get_name (alert);
               if (str == NULL)
                 str = "(unknown)";
diff --git a/src/openssl.c b/src/openssl.c
index 3a2ee5fb..1ad6bccd 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -210,32 +210,40 @@ ssl_init (void)
       meth = SSLv2_client_method ();
       break;
 #endif
+
 #ifndef OPENSSL_NO_SSL3
     case secure_protocol_sslv3:
       meth = SSLv3_client_method ();
       break;
 #endif
+
     case secure_protocol_auto:
     case secure_protocol_pfs:
     case secure_protocol_tlsv1:
       meth = TLSv1_client_method ();
       break;
+
 #if OPENSSL_VERSION_NUMBER >= 0x10001000
     case secure_protocol_tlsv1_1:
       meth = TLSv1_1_client_method ();
       break;
+
     case secure_protocol_tlsv1_2:
       meth = TLSv1_2_client_method ();
       break;
 #else
     case secure_protocol_tlsv1_1:
-		logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
-		goto error;
+      logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
+      goto error;
+
     case secure_protocol_tlsv1_2:
-		logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
-		goto error;
+      logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
+      goto error;
 #endif
+
     default:
+      logprintf (LOG_NOTQUIET, _("OpenSSL: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
+      logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
       abort ();
     }