Added --crl-file to load a Certificate Revocation List (CRL) file

Reported-by: Noël Köthe <noel@debian.org>

doc/ChangeLog

@@ -1,3 +1,7 @@
+2014-11-06  Tim Ruehsen  <tim.ruehsen@gmx.de>
+
+	* wget.texi: added description for --crl-file
+
 2014-10-28  Giuseppe Scrivano  <gscrivan@redhat.com>
 
 	* Makefile.am: Replace $FOO with @VAR@.

doc/wget.texi

@@ -1725,6 +1725,11 @@ it allows Wget to fetch certificates on demand.
 Without this option Wget looks for CA certificates at the
 system-specified locations, chosen at OpenSSL installation time.
 
+@cindex SSL CRL, certificate revocation list
+@item --crl-file=@var{file}
+Specifies a CRL file in @var{file}.  This is needed for certificates
+that have been revocated by the CAs.
+
 @cindex entropy, specifying source of
 @cindex randomness, specifying source of
 @item --random-file=@var{file}

src/ChangeLog

@@ -1,3 +1,11 @@
+2014-11-06  Tim Ruehsen  <tim.ruehsen@gmx.de>
+
+	* init.c, main.c, options.h: added new option --crl-file
+	 for specifying a CRL (Certificate Revocation List) file.
+	* gnutls.c: load CRL file given by --crl-file
+
+	Reported-by: Noël Köthe <noel@debian.org>
+
 2014-11-09  Darshit Shah  <darnir@gmail.com>
 
 	* http.c (gethttps): Honour keep-alive when server responds with a 416 Range

src/gnutls.c

@@ -149,6 +149,36 @@ ssl_init (void)
         }
     }
 
+  if (opt.ca_cert)
+    {
+      int rc;
+
+      ncerts = 0;
+
+      if ((rc = gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert,
+                                                        GNUTLS_X509_FMT_PEM)) <= 0)
+        logprintf (LOG_NOTQUIET, _ ("ERROR: Failed to open cert %s: (%d).\n"),
+                   opt.ca_cert, rc);
+      else
+        {
+          ncerts += rc;
+          logprintf (LOG_NOTQUIET, _ ("Loaded CA certificate '%s'\n"), opt.ca_cert);
+        }
+    }
+
+  if (opt.crl_file)
+    {
+      int rc;
+
+      if ((rc = gnutls_certificate_set_x509_crl_file (credentials, opt.crl_file, GNUTLS_X509_FMT_PEM)) <= 0)
+        {
+          logprintf (LOG_NOTQUIET, _("ERROR: Failed to load CRL file '%s': (%d)\n"), opt.crl_file, rc);
+          return false;
+        }
+
+      logprintf (LOG_NOTQUIET, _ ("Loaded CRL file '%s'\n"), opt.crl_file);
+    }
+
   DEBUGP (("Certificates loaded: %d\n", ncerts));
 
   /* Use the private key from the cert file unless otherwise specified. */
@@ -181,10 +211,6 @@ cert to be of the same type.\n"));
                                             type);
     }
 
-  if (opt.ca_cert)
-    gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert,
-                                            GNUTLS_X509_FMT_PEM);
-
   ssl_initialized = true;
 
   return true;

src/init.c

@@ -91,6 +91,7 @@ CMD_DECLARE (cmd_number_inf);
 CMD_DECLARE (cmd_string);
 CMD_DECLARE (cmd_string_uppercase);
 CMD_DECLARE (cmd_file);
+CMD_DECLARE (cmd_file_once);
 CMD_DECLARE (cmd_directory);
 CMD_DECLARE (cmd_time);
 CMD_DECLARE (cmd_vector);
@@ -158,6 +159,9 @@ static const struct {
   { "continue",         &opt.always_rest,       cmd_boolean },
   { "convertlinks",     &opt.convert_links,     cmd_boolean },
   { "cookies",          &opt.cookies,           cmd_boolean },
+#ifdef HAVE_SSL
+  { "crlfile",      &opt.crl_file,          cmd_file_once },
+#endif
   { "cutdirs",          &opt.cut_dirs,          cmd_number },
   { "debug",            &opt.debug,             cmd_boolean },
   { "defaultpage",      &opt.default_page,      cmd_string },
@@ -1026,6 +1030,20 @@ cmd_file (const char *com _GL_UNUSED, const char *val, void *place)
   return true;
 }
 
+/* like cmd_file, but insist on just a single option usage */
+static bool
+cmd_file_once (const char *com _GL_UNUSED, const char *val, void *place)
+{
+  if (*(char **)place)
+    {
+      fprintf (stderr, _("%s: %s must only be used once\n"),
+               exec_name, com);
+      return false;
+    }
+
+  return cmd_file(com, val, place);
+}
+
 /* Like cmd_file, but strips trailing '/' characters.  */
 static bool
 cmd_directory (const char *com, const char *val, void *place)
@@ -1780,6 +1798,7 @@ cleanup (void)
   xfree_null (opt.private_key);
   xfree_null (opt.ca_directory);
   xfree_null (opt.ca_cert);
+  xfree_null (opt.crl_file);
   xfree_null (opt.random_file);
   xfree_null (opt.egd_file);
 # endif

src/main.c

@@ -175,6 +175,7 @@ static struct cmdline_option option_data[] =
     { "content-disposition", 0, OPT_BOOLEAN, "contentdisposition", -1 },
     { "content-on-error", 0, OPT_BOOLEAN, "contentonerror", -1 },
     { "cookies", 0, OPT_BOOLEAN, "cookies", -1 },
+    { IF_SSL ("crl-file"), 0, OPT_VALUE, "crlfile", -1 },
     { "cut-dirs", 0, OPT_VALUE, "cutdirs", -1 },
     { "debug", 'd', OPT_BOOLEAN, "debug", -1 },
     { "default-page", 0, OPT_VALUE, "defaultpage", -1 },
@@ -652,6 +653,8 @@ HTTPS (SSL/TLS) options:\n"),
        --ca-certificate=FILE       file with the bundle of CA's.\n"),
     N_("\
        --ca-directory=DIR          directory where hash list of CA's is stored.\n"),
+    N_("\
+       --crl-file=FILE             file with bundle of CRL's.\n"),
     N_("\
        --random-file=FILE          file with random data for seeding the SSL PRNG.\n"),
     N_("\

src/options.h

@@ -218,6 +218,7 @@ struct options
 
   char *ca_directory;           /* CA directory (hash files) */
   char *ca_cert;                /* CA certificate file to use */
+  char *crl_file;               /* file with CRLs */
 
   char *random_file;            /* file with random data to seed the PRNG */
   char *egd_file;               /* file name of the egd daemon socket */