From e4a8fe84e2b813b65d91aec29298eecabe4850a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= Date: Thu, 6 Nov 2014 17:53:44 +0100 Subject: [PATCH] Added --crl-file to load a Certificate Revocation List (CRL) file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Noël Köthe --- doc/ChangeLog | 4 ++++ doc/wget.texi | 5 +++++ src/ChangeLog | 8 ++++++++ src/gnutls.c | 34 ++++++++++++++++++++++++++++++---- src/init.c | 19 +++++++++++++++++++ src/main.c | 3 +++ src/options.h | 1 + 7 files changed, 70 insertions(+), 4 deletions(-) diff --git a/doc/ChangeLog b/doc/ChangeLog index d071efd1..4cd67ef3 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,7 @@ +2014-11-06 Tim Ruehsen + + * wget.texi: added description for --crl-file + 2014-10-28 Giuseppe Scrivano * Makefile.am: Replace $FOO with @VAR@. diff --git a/doc/wget.texi b/doc/wget.texi index d7a4c949..a5fd285a 100644 --- a/doc/wget.texi +++ b/doc/wget.texi @@ -1725,6 +1725,11 @@ it allows Wget to fetch certificates on demand. Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time. +@cindex SSL CRL, certificate revocation list +@item --crl-file=@var{file} +Specifies a CRL file in @var{file}. This is needed for certificates +that have been revocated by the CAs. + @cindex entropy, specifying source of @cindex randomness, specifying source of @item --random-file=@var{file} diff --git a/src/ChangeLog b/src/ChangeLog index 0c41b1ed..8c58aeeb 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,11 @@ +2014-11-06 Tim Ruehsen + + * init.c, main.c, options.h: added new option --crl-file + for specifying a CRL (Certificate Revocation List) file. + * gnutls.c: load CRL file given by --crl-file + + Reported-by: Noël Köthe + 2014-11-09 Darshit Shah * http.c (gethttps): Honour keep-alive when server responds with a 416 Range diff --git a/src/gnutls.c b/src/gnutls.c index 230ae9aa..1744245b 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -149,6 +149,36 @@ ssl_init (void) } } + if (opt.ca_cert) + { + int rc; + + ncerts = 0; + + if ((rc = gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert, + GNUTLS_X509_FMT_PEM)) <= 0) + logprintf (LOG_NOTQUIET, _ ("ERROR: Failed to open cert %s: (%d).\n"), + opt.ca_cert, rc); + else + { + ncerts += rc; + logprintf (LOG_NOTQUIET, _ ("Loaded CA certificate '%s'\n"), opt.ca_cert); + } + } + + if (opt.crl_file) + { + int rc; + + if ((rc = gnutls_certificate_set_x509_crl_file (credentials, opt.crl_file, GNUTLS_X509_FMT_PEM)) <= 0) + { + logprintf (LOG_NOTQUIET, _("ERROR: Failed to load CRL file '%s': (%d)\n"), opt.crl_file, rc); + return false; + } + + logprintf (LOG_NOTQUIET, _ ("Loaded CRL file '%s'\n"), opt.crl_file); + } + DEBUGP (("Certificates loaded: %d\n", ncerts)); /* Use the private key from the cert file unless otherwise specified. */ @@ -181,10 +211,6 @@ cert to be of the same type.\n")); type); } - if (opt.ca_cert) - gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert, - GNUTLS_X509_FMT_PEM); - ssl_initialized = true; return true; diff --git a/src/init.c b/src/init.c index ef1dc8d7..6c09744f 100644 --- a/src/init.c +++ b/src/init.c @@ -91,6 +91,7 @@ CMD_DECLARE (cmd_number_inf); CMD_DECLARE (cmd_string); CMD_DECLARE (cmd_string_uppercase); CMD_DECLARE (cmd_file); +CMD_DECLARE (cmd_file_once); CMD_DECLARE (cmd_directory); CMD_DECLARE (cmd_time); CMD_DECLARE (cmd_vector); @@ -158,6 +159,9 @@ static const struct { { "continue", &opt.always_rest, cmd_boolean }, { "convertlinks", &opt.convert_links, cmd_boolean }, { "cookies", &opt.cookies, cmd_boolean }, +#ifdef HAVE_SSL + { "crlfile", &opt.crl_file, cmd_file_once }, +#endif { "cutdirs", &opt.cut_dirs, cmd_number }, { "debug", &opt.debug, cmd_boolean }, { "defaultpage", &opt.default_page, cmd_string }, @@ -1026,6 +1030,20 @@ cmd_file (const char *com _GL_UNUSED, const char *val, void *place) return true; } +/* like cmd_file, but insist on just a single option usage */ +static bool +cmd_file_once (const char *com _GL_UNUSED, const char *val, void *place) +{ + if (*(char **)place) + { + fprintf (stderr, _("%s: %s must only be used once\n"), + exec_name, com); + return false; + } + + return cmd_file(com, val, place); +} + /* Like cmd_file, but strips trailing '/' characters. */ static bool cmd_directory (const char *com, const char *val, void *place) @@ -1780,6 +1798,7 @@ cleanup (void) xfree_null (opt.private_key); xfree_null (opt.ca_directory); xfree_null (opt.ca_cert); + xfree_null (opt.crl_file); xfree_null (opt.random_file); xfree_null (opt.egd_file); # endif diff --git a/src/main.c b/src/main.c index 4fefe049..29788473 100644 --- a/src/main.c +++ b/src/main.c @@ -175,6 +175,7 @@ static struct cmdline_option option_data[] = { "content-disposition", 0, OPT_BOOLEAN, "contentdisposition", -1 }, { "content-on-error", 0, OPT_BOOLEAN, "contentonerror", -1 }, { "cookies", 0, OPT_BOOLEAN, "cookies", -1 }, + { IF_SSL ("crl-file"), 0, OPT_VALUE, "crlfile", -1 }, { "cut-dirs", 0, OPT_VALUE, "cutdirs", -1 }, { "debug", 'd', OPT_BOOLEAN, "debug", -1 }, { "default-page", 0, OPT_VALUE, "defaultpage", -1 }, @@ -652,6 +653,8 @@ HTTPS (SSL/TLS) options:\n"), --ca-certificate=FILE file with the bundle of CA's.\n"), N_("\ --ca-directory=DIR directory where hash list of CA's is stored.\n"), + N_("\ + --crl-file=FILE file with bundle of CRL's.\n"), N_("\ --random-file=FILE file with random data for seeding the SSL PRNG.\n"), N_("\ diff --git a/src/options.h b/src/options.h index 3346c91a..b9951265 100644 --- a/src/options.h +++ b/src/options.h @@ -218,6 +218,7 @@ struct options char *ca_directory; /* CA directory (hash files) */ char *ca_cert; /* CA certificate file to use */ + char *crl_file; /* file with CRLs */ char *random_file; /* file with random data to seed the PRNG */ char *egd_file; /* file name of the egd daemon socket */