moparisthebest/wget
1
0
Fork 0
mirror of https://github.com/moparisthebest/wget synced 2024-07-03 16:38:41 -04:00
Code Issues Releases Wiki Activity

GnuTLS support for --secure-protocol=TLSv1_1|TLSv1_2

Browse Source 
The code seemed to be forgotten.
Also added a message before aborting Wget in such a case.
This commit is contained in:
Tim Rühsen 2014-11-24 12:05:26 +01:00
parent d87fdecd55
commit 007bee88d8
3 changed files with 50 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/ChangeLog
View File

@ -1,3 +1,11 @@
2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de>
* gnutls.c (ssl_connect_wget): Implement missing code for
--secure-protocol=TLSv1_1|TLSv1_2, print message before abort()
for missing protocol implementations.
* openssl.c (ssl_init): Print message before abort() for
missing protocol implementations.
2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de> 2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de>
* recur.c: Add space after function names * recur.c: Add space after function names

32
src/gnutls.c
View File

@ -432,7 +432,7 @@ ssl_connect_wget (int fd, const char *hostname)
#endif #endif
struct wgnutls_transport_context *ctx; struct wgnutls_transport_context *ctx;
gnutls_session_t session; gnutls_session_t session;
int err,alert; int err;
const char *str; const char *str;
gnutls_init (&session, GNUTLS_CLIENT); gnutls_init (&session, GNUTLS_CLIENT);
@ -461,20 +461,34 @@ ssl_connect_wget (int fd, const char *hostname)
case secure_protocol_auto: case secure_protocol_auto:
err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL); err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0", NULL);
break; break;
case secure_protocol_sslv2: case secure_protocol_sslv2:
case secure_protocol_sslv3: case secure_protocol_sslv3:
err = gnutls_priority_set_direct (session, "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", NULL); err = gnutls_priority_set_direct (session, "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0", NULL);
break; break;
case secure_protocol_tlsv1: case secure_protocol_tlsv1:
err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL); err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0", NULL);
break; break;
case secure_protocol_tlsv1_1:
err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0", NULL);
break;
case secure_protocol_tlsv1_2:
err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1", NULL);
break;
case secure_protocol_pfs: case secure_protocol_pfs:
err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL); err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL);
if (err != GNUTLS_E_SUCCESS) if (err != GNUTLS_E_SUCCESS)
/* fallback if PFS is not available */ /* fallback if PFS is not available */
err = gnutls_priority_set_direct (session, "NORMAL:-RSA:-VERS-SSL3.0", NULL); err = gnutls_priority_set_direct (session, "NORMAL:-RSA:-VERS-SSL3.0", NULL);
break; break;
default: default:
logprintf (LOG_NOTQUIET, _("GnuTLS: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
abort (); abort ();
} }
#else #else
@ -483,6 +497,7 @@ ssl_connect_wget (int fd, const char *hostname)
{ {
case secure_protocol_auto: case secure_protocol_auto:
break; break;
case secure_protocol_sslv2: case secure_protocol_sslv2:
case secure_protocol_sslv3: case secure_protocol_sslv3:
allowed_protocols[0] = GNUTLS_SSL3; allowed_protocols[0] = GNUTLS_SSL3;
@ -496,7 +511,20 @@ ssl_connect_wget (int fd, const char *hostname)
err = gnutls_protocol_set_priority (session, allowed_protocols); err = gnutls_protocol_set_priority (session, allowed_protocols);
break; break;
case secure_protocol_tlsv1_1:
allowed_protocols[0] = GNUTLS_TLS1_1;
allowed_protocols[1] = GNUTLS_TLS1_2;
err = gnutls_protocol_set_priority (session, allowed_protocols);
break;
case secure_protocol_tlsv1_2:
allowed_protocols[0] = GNUTLS_TLS1_2;
err = gnutls_protocol_set_priority (session, allowed_protocols);
break;
default: default:
logprintf (LOG_NOTQUIET, _("GnuTLS: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
abort (); abort ();
} }
#endif #endif
@ -560,7 +588,7 @@ ssl_connect_wget (int fd, const char *hostname)
if (err == GNUTLS_E_WARNING_ALERT_RECEIVED || if (err == GNUTLS_E_WARNING_ALERT_RECEIVED ||
err == GNUTLS_E_FATAL_ALERT_RECEIVED) err == GNUTLS_E_FATAL_ALERT_RECEIVED)
{ {
alert = gnutls_alert_get (session); gnutls_alert_description_t alert = gnutls_alert_get (session);
str = gnutls_alert_get_name (alert); str = gnutls_alert_get_name (alert);
if (str == NULL) if (str == NULL)
str = "(unknown)"; str = "(unknown)";

16
src/openssl.c
View File

@ -210,32 +210,40 @@ ssl_init (void)
meth = SSLv2_client_method (); meth = SSLv2_client_method ();
break; break;
#endif #endif
#ifndef OPENSSL_NO_SSL3 #ifndef OPENSSL_NO_SSL3
case secure_protocol_sslv3: case secure_protocol_sslv3:
meth = SSLv3_client_method (); meth = SSLv3_client_method ();
break; break;
#endif #endif
case secure_protocol_auto: case secure_protocol_auto:
case secure_protocol_pfs: case secure_protocol_pfs:
case secure_protocol_tlsv1: case secure_protocol_tlsv1:
meth = TLSv1_client_method (); meth = TLSv1_client_method ();
break; break;
#if OPENSSL_VERSION_NUMBER >= 0x10001000 #if OPENSSL_VERSION_NUMBER >= 0x10001000
case secure_protocol_tlsv1_1: case secure_protocol_tlsv1_1:
meth = TLSv1_1_client_method (); meth = TLSv1_1_client_method ();
break; break;
case secure_protocol_tlsv1_2: case secure_protocol_tlsv1_2:
meth = TLSv1_2_client_method (); meth = TLSv1_2_client_method ();
break; break;
#else #else
case secure_protocol_tlsv1_1: case secure_protocol_tlsv1_1:
logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n")); logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
goto error; goto error;
case secure_protocol_tlsv1_2: case secure_protocol_tlsv1_2:
logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n")); logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
goto error; goto error;
#endif #endif
default: default:
logprintf (LOG_NOTQUIET, _("OpenSSL: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
abort (); abort ();
} }