[packages/wget.git] / wget-ssl-timeout.patch

From ae80fd2ec75fafdbec9895b9d973f2966209d588 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Sun, 05 May 2013 05:16:58 +0000
Subject: gnutls: do not abort on non-fatal alerts during handshake

Signed-off-by: mancha <mancha1@hush.com>
---
(limited to 'src/gnutls.c')

diff --git a/src/gnutls.c b/src/gnutls.c
index 769b005..54422fc 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -376,8 +376,9 @@ ssl_connect_wget (int fd, const char *hostname)
 {
   struct wgnutls_transport_context *ctx;
   gnutls_session_t session;
-  int err;
+  int err,alert;
   gnutls_init (&session, GNUTLS_CLIENT);
+  const char *str;
 
   /* We set the server name but only if it's not an IP address. */
   if (! is_valid_ip_address (hostname))
@@ -440,10 +441,28 @@ ssl_connect_wget (int fd, const char *hostname)
       return false;
     }
 
-  err = gnutls_handshake (session);
+  /* We don't stop the handshake process for non-fatal errors */
+  do
+    {
+      err = gnutls_handshake (session);
+      if (err < 0)
+        {
+          logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
+          if (err == GNUTLS_E_WARNING_ALERT_RECEIVED ||
+              err == GNUTLS_E_FATAL_ALERT_RECEIVED)
+            {
+              alert = gnutls_alert_get (session);
+              str = gnutls_alert_get_name (alert);
+              if (str == NULL)
+                str = "(unknown)";
+              logprintf (LOG_NOTQUIET, "GnuTLS: received alert [%d]: %s\n", alert, str);
+            }
+        }
+    }
+  while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0);
+
   if (err < 0)
     {
-      logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
       gnutls_deinit (session);
       return false;
     }
--
cgit v0.9.0.2
From 91f0f99e9a607cc72cd5dc8aa1f57a299f30948e Mon Sep 17 00:00:00 2001
From: Tim Ruehsen <tim.ruehsen@gmx.de>
Date: Thu, 11 Jul 2013 12:29:20 +0000
Subject: gnutls: honor connect timeout

---
diff --git a/src/gnutls.c b/src/gnutls.c
index 54422fc..06f9020 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -374,6 +374,9 @@ static struct transport_implementation wgnutls_transport =
 bool
 ssl_connect_wget (int fd, const char *hostname)
 {
+#ifdef F_GETFL
+  int flags = 0;
+#endif
   struct wgnutls_transport_context *ctx;
   gnutls_session_t session;
   int err,alert;
@@ -441,11 +444,54 @@ ssl_connect_wget (int fd, const char *hostname)
       return false;
     }
 
+  if (opt.connect_timeout)
+    {
+#ifdef F_GETFL
+      flags = fcntl (fd, F_GETFL, 0);
+      if (flags < 0)
+        return flags;
+      if (fcntl (fd, F_SETFL, flags | O_NONBLOCK))
+        return -1;
+#else
+      /* XXX: Assume it was blocking before.  */
+      const int one = 1;
+      if (ioctl (fd, FIONBIO, &one) < 0)
+        return -1;
+#endif
+    }
+
   /* We don't stop the handshake process for non-fatal errors */
   do
     {
       err = gnutls_handshake (session);
-      if (err < 0)
+
+      if (opt.connect_timeout && err == GNUTLS_E_AGAIN)
+        {
+          if (gnutls_record_get_direction (session))
+            {
+              /* wait for writeability */
+              err = select_fd (fd, opt.connect_timeout, WAIT_FOR_WRITE);
+            }
+          else
+            {
+              /* wait for readability */
+              err = select_fd (fd, opt.connect_timeout, WAIT_FOR_READ);
+            }
+
+          if (err <= 0)
+            {
+              if (err == 0)
+                {
+                  errno = ETIMEDOUT;
+                  err = -1;
+                }
+              break;
+            }
+
+          if (err <= 0)
+            break;
+        }
+      else if (err < 0)
         {
           logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
           if (err == GNUTLS_E_WARNING_ALERT_RECEIVED ||
@@ -461,6 +507,18 @@ ssl_connect_wget (int fd, const char *hostname)
     }
   while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0);
 
+  if (opt.connect_timeout)
+    {
+#ifdef F_GETFL
+      if (fcntl (fd, F_SETFL, flags) < 0)
+        return -1;
+#else
+      const int zero = 0;
+      if (ioctl (fd, FIONBIO, &zero) < 0)
+        return -1;
+#endif
+    }
+
   if (err < 0)
     {
       gnutls_deinit (session);
--
cgit v0.9.0.2
From b8f036d16c508efde5bacfab9a96d8b6c6aeeeb2 Mon Sep 17 00:00:00 2001
From: Karsten Hopp <karsten@redhat.com>
Date: Thu, 11 Jul 2013 09:27:35 +0000
Subject: Fix timeout option when used with SSL

Previously wget didn't honor the --timeout option if the remote host did
not answer SSL handshake

Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
diff --git a/src/openssl.c b/src/openssl.c
index 3924e41..e2eec4f 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -251,24 +251,50 @@ ssl_init (void)
   return false;
 }
 
-struct openssl_transport_context {
+struct openssl_transport_context
+{
   SSL *conn;                    /* SSL connection handle */
   char *last_error;             /* last error printed with openssl_errstr */
 };
 
-static int
-openssl_read (int fd, char *buf, int bufsize, void *arg)
+struct openssl_read_args
 {
-  int ret;
-  struct openssl_transport_context *ctx = arg;
+  int fd;
+  struct openssl_transport_context *ctx;
+  char *buf;
+  int bufsize;
+  int retval;
+};
+
+static void openssl_read_callback(void *arg)
+{
+  struct openssl_read_args *args = (struct openssl_read_args *) arg;
+  struct openssl_transport_context *ctx = args->ctx;
   SSL *conn = ctx->conn;
+  char *buf = args->buf;
+  int bufsize = args->bufsize;
+  int ret;
+
   do
     ret = SSL_read (conn, buf, bufsize);
-  while (ret == -1
-         && SSL_get_error (conn, ret) == SSL_ERROR_SYSCALL
+  while (ret == -1 && SSL_get_error (conn, ret) == SSL_ERROR_SYSCALL
          && errno == EINTR);
+  args->retval = ret;
+}
 
-  return ret;
+static int
+openssl_read (int fd, char *buf, int bufsize, void *arg)
+{
+  struct openssl_read_args args;
+  args.fd = fd;
+  args.buf = buf;
+  args.bufsize = bufsize;
+  args.ctx = (struct openssl_transport_context*) arg;
+
+  if (run_with_timeout(opt.read_timeout, openssl_read_callback, &args)) {
+    return -1;
+  }
+  return args.retval;
 }
 
 static int
@@ -386,6 +412,19 @@ static struct transport_implementation openssl_transport = {
   openssl_peek, openssl_errstr, openssl_close
 };
 
+struct scwt_context
+{
+  SSL *ssl;
+  int result;
+};
+
+static void
+ssl_connect_with_timeout_callback(void *arg)
+{
+  struct scwt_context *ctx = (struct scwt_context *)arg;
+  ctx->result = SSL_connect(ctx->ssl);
+}
+
 /* Perform the SSL handshake on file descriptor FD, which is assumed
    to be connected to an SSL server.  The SSL handle provided by
    OpenSSL is registered with the file descriptor FD using
@@ -398,6 +437,7 @@ bool
 ssl_connect_wget (int fd, const char *hostname)
 {
   SSL *conn;
+  struct scwt_context scwt_ctx;
   struct openssl_transport_context *ctx;
 
   DEBUGP (("Initiating SSL handshake.\n"));
@@ -425,7 +465,14 @@ ssl_connect_wget (int fd, const char *hostname)
   if (!SSL_set_fd (conn, FD_TO_SOCKET (fd)))
     goto error;
   SSL_set_connect_state (conn);
-  if (SSL_connect (conn) <= 0 || conn->state != SSL_ST_OK)
+
+  scwt_ctx.ssl = conn;
+  if (run_with_timeout(opt.read_timeout, ssl_connect_with_timeout_callback,
+                       &scwt_ctx)) {
+    DEBUGP (("SSL handshake timed out.\n"));
+    goto timeout;
+  }
+  if (scwt_ctx.result <= 0 || conn->state != SSL_ST_OK)
     goto error;
 
   ctx = xnew0 (struct openssl_transport_context);
@@ -441,6 +488,7 @@ ssl_connect_wget (int fd, const char *hostname)
  error:
   DEBUGP (("SSL handshake failed.\n"));
   print_errors ();
+ timeout:
   if (conn)
     SSL_free (conn);
   return false;
--
cgit v0.9.0.2
From 3b6a3e84a013b53b03a8965e91aa0e9478c77841 Mon Sep 17 00:00:00 2001
From: Tim Ruehsen <tim.ruehsen@gmx.de>
Date: Thu, 26 Dec 2013 20:17:07 +0000
Subject: fix GnuTLS connect timeout

---
diff --git a/src/gnutls.c b/src/gnutls.c
index 9b4b1ec..4f0fa96 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -526,8 +526,7 @@ ssl_connect_wget (int fd, const char *hostname)
               break;
             }
 
-          if (err <= 0)
-            break;
+           err = GNUTLS_E_AGAIN;
         }
       else if (err < 0)
         {
@@ -543,7 +542,7 @@ ssl_connect_wget (int fd, const char *hostname)
             }
         }
     }
-  while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0);
+  while (err && gnutls_error_is_fatal (err) == 0);
 
   if (opt.connect_timeout)
     {
--
cgit v0.9.0.2
Commit	Line	Data
7ed1e997 AM	1	From ae80fd2ec75fafdbec9895b9d973f2966209d588 Mon Sep 17 00:00:00 2001
	2	From: mancha <mancha1@hush.com>
	3	Date: Sun, 05 May 2013 05:16:58 +0000
	4	Subject: gnutls: do not abort on non-fatal alerts during handshake
	5
	6	Signed-off-by: mancha <mancha1@hush.com>
	7	---
	8	(limited to 'src/gnutls.c')
	9
	10	diff --git a/src/gnutls.c b/src/gnutls.c
	11	index 769b005..54422fc 100644
	12	--- a/src/gnutls.c
	13	+++ b/src/gnutls.c
	14	@@ -376,8 +376,9 @@ ssl_connect_wget (int fd, const char *hostname)
	15	{
	16	struct wgnutls_transport_context *ctx;
	17	gnutls_session_t session;
	18	- int err;
	19	+ int err,alert;
	20	gnutls_init (&session, GNUTLS_CLIENT);
	21	+ const char *str;
	22
	23	/* We set the server name but only if it's not an IP address. */
	24	if (! is_valid_ip_address (hostname))
	25	@@ -440,10 +441,28 @@ ssl_connect_wget (int fd, const char *hostname)
	26	return false;
	27	}
	28
	29	- err = gnutls_handshake (session);
	30	+ /* We don't stop the handshake process for non-fatal errors */
	31	+ do
	32	+ {
	33	+ err = gnutls_handshake (session);
	34	+ if (err < 0)
	35	+ {
	36	+ logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
	37	+ if (err == GNUTLS_E_WARNING_ALERT_RECEIVED \|\|
	38	+ err == GNUTLS_E_FATAL_ALERT_RECEIVED)
	39	+ {
	40	+ alert = gnutls_alert_get (session);
	41	+ str = gnutls_alert_get_name (alert);
	42	+ if (str == NULL)
	43	+ str = "(unknown)";
	44	+ logprintf (LOG_NOTQUIET, "GnuTLS: received alert [%d]: %s\n", alert, str);
	45	+ }
	46	+ }
	47	+ }
	48	+ while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0);
	49	+
	50	if (err < 0)
	51	{
	52	- logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
	53	gnutls_deinit (session);
	54	return false;
	55	}
	56	--
	57	cgit v0.9.0.2
	58	From 91f0f99e9a607cc72cd5dc8aa1f57a299f30948e Mon Sep 17 00:00:00 2001
	59	From: Tim Ruehsen <tim.ruehsen@gmx.de>
	60	Date: Thu, 11 Jul 2013 12:29:20 +0000
	61	Subject: gnutls: honor connect timeout
	62
	63	---
	64	diff --git a/src/gnutls.c b/src/gnutls.c
65	index 54422fc..06f9020 100644
66	--- a/src/gnutls.c
67	+++ b/src/gnutls.c
68	@@ -374,6 +374,9 @@ static struct transport_implementation wgnutls_transport =
69	bool
70	ssl_connect_wget (int fd, const char *hostname)
71	{
72	+#ifdef F_GETFL
73	+ int flags = 0;
74	+#endif
75	struct wgnutls_transport_context *ctx;
76	gnutls_session_t session;
77	int err,alert;
78	@@ -441,11 +444,54 @@ ssl_connect_wget (int fd, const char *hostname)
79	return false;
80	}
81
82	+ if (opt.connect_timeout)
83	+ {
84	+#ifdef F_GETFL
85	+ flags = fcntl (fd, F_GETFL, 0);
86	+ if (flags < 0)
87	+ return flags;
88	+ if (fcntl (fd, F_SETFL, flags \| O_NONBLOCK))
89	+ return -1;
90	+#else
91	+ /* XXX: Assume it was blocking before. */
92	+ const int one = 1;
93	+ if (ioctl (fd, FIONBIO, &one) < 0)
94	+ return -1;
95	+#endif
96	+ }
97	+
98	/* We don't stop the handshake process for non-fatal errors */
99	do
100	{
101	err = gnutls_handshake (session);
102	- if (err < 0)
103	+
104	+ if (opt.connect_timeout && err == GNUTLS_E_AGAIN)
105	+ {
106	+ if (gnutls_record_get_direction (session))
107	+ {
108	+ /* wait for writeability */
109	+ err = select_fd (fd, opt.connect_timeout, WAIT_FOR_WRITE);
110	+ }
111	+ else
112	+ {
113	+ /* wait for readability */
114	+ err = select_fd (fd, opt.connect_timeout, WAIT_FOR_READ);
115	+ }
116	+
117	+ if (err <= 0)
118	+ {
119	+ if (err == 0)
120	+ {
121	+ errno = ETIMEDOUT;
122	+ err = -1;
123	+ }
124	+ break;
125	+ }
126	+
127	+ if (err <= 0)
128	+ break;
129	+ }
130	+ else if (err < 0)
131	{
132	logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
133	if (err == GNUTLS_E_WARNING_ALERT_RECEIVED \|\|
134	@@ -461,6 +507,18 @@ ssl_connect_wget (int fd, const char *hostname)
135	}
136	while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0);
137
138	+ if (opt.connect_timeout)
139	+ {
140	+#ifdef F_GETFL
141	+ if (fcntl (fd, F_SETFL, flags) < 0)
142	+ return -1;
143	+#else
144	+ const int zero = 0;
145	+ if (ioctl (fd, FIONBIO, &zero) < 0)
146	+ return -1;
147	+#endif
148	+ }
149	+
150	if (err < 0)
151	{
152	gnutls_deinit (session);
153	--
154	cgit v0.9.0.2
155	From b8f036d16c508efde5bacfab9a96d8b6c6aeeeb2 Mon Sep 17 00:00:00 2001
156	From: Karsten Hopp <karsten@redhat.com>
157	Date: Thu, 11 Jul 2013 09:27:35 +0000
158	Subject: Fix timeout option when used with SSL
159
160	Previously wget didn't honor the --timeout option if the remote host did
161	not answer SSL handshake
162
163	Signed-off-by: Tomas Hozza <thozza@redhat.com>
164	---
165	diff --git a/src/openssl.c b/src/openssl.c
166	index 3924e41..e2eec4f 100644
167	--- a/src/openssl.c
168	+++ b/src/openssl.c
169	@@ -251,24 +251,50 @@ ssl_init (void)
170	return false;
171	}
172
173	-struct openssl_transport_context {
174	+struct openssl_transport_context
175	+{
176	SSL conn; / SSL connection handle */
177	char last_error; / last error printed with openssl_errstr */
178	};
179
180	-static int
181	-openssl_read (int fd, char buf, int bufsize, void arg)
182	+struct openssl_read_args
183	{
184	- int ret;
185	- struct openssl_transport_context *ctx = arg;
186	+ int fd;
187	+ struct openssl_transport_context *ctx;
188	+ char *buf;
189	+ int bufsize;
190	+ int retval;
191	+};
192	+
193	+static void openssl_read_callback(void *arg)
194	+{
195	+ struct openssl_read_args args = (struct openssl_read_args ) arg;
196	+ struct openssl_transport_context *ctx = args->ctx;
197	SSL *conn = ctx->conn;
198	+ char *buf = args->buf;
199	+ int bufsize = args->bufsize;
200	+ int ret;
201	+
202	do
203	ret = SSL_read (conn, buf, bufsize);
204	- while (ret == -1
205	- && SSL_get_error (conn, ret) == SSL_ERROR_SYSCALL
206	+ while (ret == -1 && SSL_get_error (conn, ret) == SSL_ERROR_SYSCALL
207	&& errno == EINTR);
208	+ args->retval = ret;
209	+}
210
211	- return ret;
212	+static int
213	+openssl_read (int fd, char buf, int bufsize, void arg)
214	+{
215	+ struct openssl_read_args args;
216	+ args.fd = fd;
217	+ args.buf = buf;
218	+ args.bufsize = bufsize;
219	+ args.ctx = (struct openssl_transport_context*) arg;
220	+
221	+ if (run_with_timeout(opt.read_timeout, openssl_read_callback, &args)) {
222	+ return -1;
223	+ }
224	+ return args.retval;
225	}
226
227	static int
228	@@ -386,6 +412,19 @@ static struct transport_implementation openssl_transport = {
229	openssl_peek, openssl_errstr, openssl_close
230	};
231
232	+struct scwt_context
233	+{
234	+ SSL *ssl;
235	+ int result;
236	+};
237	+
238	+static void
239	+ssl_connect_with_timeout_callback(void *arg)
240	+{
241	+ struct scwt_context ctx = (struct scwt_context )arg;
242	+ ctx->result = SSL_connect(ctx->ssl);
243	+}
244	+
245	/* Perform the SSL handshake on file descriptor FD, which is assumed
246	to be connected to an SSL server. The SSL handle provided by
247	OpenSSL is registered with the file descriptor FD using
248	@@ -398,6 +437,7 @@ bool
249	ssl_connect_wget (int fd, const char *hostname)
250	{
251	SSL *conn;
252	+ struct scwt_context scwt_ctx;
253	struct openssl_transport_context *ctx;
254
255	DEBUGP (("Initiating SSL handshake.\n"));
256	@@ -425,7 +465,14 @@ ssl_connect_wget (int fd, const char *hostname)
257	if (!SSL_set_fd (conn, FD_TO_SOCKET (fd)))
258	goto error;
259	SSL_set_connect_state (conn);
260	- if (SSL_connect (conn) <= 0 \|\| conn->state != SSL_ST_OK)
261	+
262	+ scwt_ctx.ssl = conn;
263	+ if (run_with_timeout(opt.read_timeout, ssl_connect_with_timeout_callback,
264	+ &scwt_ctx)) {
265	+ DEBUGP (("SSL handshake timed out.\n"));
266	+ goto timeout;
267	+ }
268	+ if (scwt_ctx.result <= 0 \|\| conn->state != SSL_ST_OK)
269	goto error;
270
271	ctx = xnew0 (struct openssl_transport_context);
272	@@ -441,6 +488,7 @@ ssl_connect_wget (int fd, const char *hostname)
273	error:
274	DEBUGP (("SSL handshake failed.\n"));
275	print_errors ();
276	+ timeout:
277	if (conn)
278	SSL_free (conn);
279	return false;
280	--
281	cgit v0.9.0.2
5423feff AM	282	From 3b6a3e84a013b53b03a8965e91aa0e9478c77841 Mon Sep 17 00:00:00 2001
	283	From: Tim Ruehsen <tim.ruehsen@gmx.de>
	284	Date: Thu, 26 Dec 2013 20:17:07 +0000
	285	Subject: fix GnuTLS connect timeout
	286
	287	---
	288	diff --git a/src/gnutls.c b/src/gnutls.c
	289	index 9b4b1ec..4f0fa96 100644
	290	--- a/src/gnutls.c
	291	+++ b/src/gnutls.c
	292	@@ -526,8 +526,7 @@ ssl_connect_wget (int fd, const char *hostname)
	293	break;
	294	}
	295
	296	- if (err <= 0)
	297	- break;
	298	+ err = GNUTLS_E_AGAIN;
	299	}
	300	else if (err < 0)
	301	{
	302	@@ -543,7 +542,7 @@ ssl_connect_wget (int fd, const char *hostname)
	303	}
	304	}
	305	}
	306	- while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0);
	307	+ while (err && gnutls_error_is_fatal (err) == 0);
	308
	309	if (opt.connect_timeout)
	310	{
	311	--
	312	cgit v0.9.0.2