1 | From ae80fd2ec75fafdbec9895b9d973f2966209d588 Mon Sep 17 00:00:00 2001 |
2 | From: mancha <mancha1@hush.com> | |
3 | Date: Sun, 05 May 2013 05:16:58 +0000 | |
4 | Subject: gnutls: do not abort on non-fatal alerts during handshake | |
5 | ||
6 | Signed-off-by: mancha <mancha1@hush.com> | |
7 | --- | |
8 | (limited to 'src/gnutls.c') | |
9 | ||
10 | diff --git a/src/gnutls.c b/src/gnutls.c | |
11 | index 769b005..54422fc 100644 | |
12 | --- a/src/gnutls.c | |
13 | +++ b/src/gnutls.c | |
14 | @@ -376,8 +376,9 @@ ssl_connect_wget (int fd, const char *hostname) | |
15 | { | |
16 | struct wgnutls_transport_context *ctx; | |
17 | gnutls_session_t session; | |
18 | - int err; | |
19 | + int err,alert; | |
20 | gnutls_init (&session, GNUTLS_CLIENT); | |
21 | + const char *str; | |
22 | ||
23 | /* We set the server name but only if it's not an IP address. */ | |
24 | if (! is_valid_ip_address (hostname)) | |
25 | @@ -440,10 +441,28 @@ ssl_connect_wget (int fd, const char *hostname) | |
26 | return false; | |
27 | } | |
28 | ||
29 | - err = gnutls_handshake (session); | |
30 | + /* We don't stop the handshake process for non-fatal errors */ | |
31 | + do | |
32 | + { | |
33 | + err = gnutls_handshake (session); | |
34 | + if (err < 0) | |
35 | + { | |
36 | + logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err)); | |
37 | + if (err == GNUTLS_E_WARNING_ALERT_RECEIVED || | |
38 | + err == GNUTLS_E_FATAL_ALERT_RECEIVED) | |
39 | + { | |
40 | + alert = gnutls_alert_get (session); | |
41 | + str = gnutls_alert_get_name (alert); | |
42 | + if (str == NULL) | |
43 | + str = "(unknown)"; | |
44 | + logprintf (LOG_NOTQUIET, "GnuTLS: received alert [%d]: %s\n", alert, str); | |
45 | + } | |
46 | + } | |
47 | + } | |
48 | + while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0); | |
49 | + | |
50 | if (err < 0) | |
51 | { | |
52 | - logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err)); | |
53 | gnutls_deinit (session); | |
54 | return false; | |
55 | } | |
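Review bot: The do/while around gnutls_handshake has no upper bound, so a peer that keeps answering the handshake with warning alerts can hold ssl_connect_wget in this loop indefinitely, with one `GnuTLS: ...` line logged per pass; a small cap keeps the intent while guaranteeing termination, e.g. `int warnings = 0;` next to `int err,alert;` and `while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && ++warnings < 16);` (the `gnutls_error_is_fatal (err) == 0` test appears redundant for that code, since GnuTLS classifies warning alerts as non-fatal). Separately, `const char *str;` is declared after the `gnutls_init (&session, GNUTLS_CLIENT);` call, which breaks the function's declarations-first layout and draws a mixed-declaration warning under C89 modes; moving it up beside `int err,alert;` fixes both. The loop only retries on GNUTLS_E_WARNING_ALERT_RECEIVED, so a handshake interrupted by a signal (GNUTLS_E_INTERRUPTED) still fails here, presumably by design. ssl_connect_wget begins and ends outside these hunks.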
56 | -- | |
57 | cgit v0.9.0.2 | |
58 | From 91f0f99e9a607cc72cd5dc8aa1f57a299f30948e Mon Sep 17 00:00:00 2001 | |
59 | From: Tim Ruehsen <tim.ruehsen@gmx.de> | |
60 | Date: Thu, 11 Jul 2013 12:29:20 +0000 | |
61 | Subject: gnutls: honor connect timeout | |
62 | ||
63 | --- | |
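diff --git a/src/gnutls.c b/src/gnutls.c
index 54422fc..06f9020 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -374,6 +374,9 @@ static struct transport_implementation wgnutls_transport =
 bool
 ssl_connect_wget (int fd, const char *hostname)
 {
+#ifdef F_GETFL
+ int flags = 0;
+#endif
 struct wgnutls_transport_context *ctx;
 gnutls_session_t session;
 int err,alert;
@@ -441,11 +444,54 @@ ssl_connect_wget (int fd, const char *hostname)
 return false;
 }
 
+ if (opt.connect_timeout)
+ {
+#ifdef F_GETFL
+ flags = fcntl (fd, F_GETFL, 0);
+ if (flags < 0)
+ return flags;
+ if (fcntl (fd, F_SETFL, flags | O_NONBLOCK))
+ return -1;
+#else
+ /* XXX: Assume it was blocking before. */
+ const int one = 1;
+ if (ioctl (fd, FIONBIO, &one) < 0)
+ return -1;
+#endif
+ }
+
 /* We don't stop the handshake process for non-fatal errors */
 do
 {
 err = gnutls_handshake (session);
- if (err < 0)
+
+ if (opt.connect_timeout && err == GNUTLS_E_AGAIN)
+ {
+ if (gnutls_record_get_direction (session))
+ {
+ /* wait for writeability */
+ err = select_fd (fd, opt.connect_timeout, WAIT_FOR_WRITE);
+ }
+ else
+ {
+ /* wait for readability */
+ err = select_fd (fd, opt.connect_timeout, WAIT_FOR_READ);
+ }
+
+ if (err <= 0)
+ {
+ if (err == 0)
+ {
+ errno = ETIMEDOUT;
+ err = -1;
+ }
+ break;
+ }
+
+ if (err <= 0)
+ break;
+ }
+ else if (err < 0)
 {
 logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err));
 if (err == GNUTLS_E_WARNING_ALERT_RECEIVED ||
@@ -461,6 +507,18 @@ ssl_connect_wget (int fd, const char *hostname)
 }
 while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0);
 
+ if (opt.connect_timeout)
+ {
+#ifdef F_GETFL
+ if (fcntl (fd, F_SETFL, flags) < 0)
+ return -1;
+#else
+ const int zero = 0;
+ if (ioctl (fd, FIONBIO, &zero) < 0)
+ return -1;
+#endif
+ }
+
 if (err < 0)
 {
 gnutls_deinit (session);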
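Review bot: The error paths `if (flags < 0) return flags;`, the `return -1;` after each fcntl()/ioctl() call, and the two `return -1;` in the flag-restore block all return a negative int from ssl_connect_wget, which the first hunk shows is declared `bool`, so a failed fcntl()/ioctl() reaches the caller as `true` — a completed TLS connection — while the gnutls_session_t created earlier is leaked and, in the restore block, the finished session is never registered as the fd's transport, so the caller (not shown here) would presumably go on to use the socket as if the handshake had succeeded. Each of those returns should be `gnutls_deinit (session); return false;`, or a jump to one shared cleanup label, so the caller never sees success from a failure path. After a successful select_fd() err is positive, so `while (err == GNUTLS_E_WARNING_ALERT_RECEIVED ...)` ends the loop and execution falls past `if (err < 0)` although gnutls_handshake never completed; the later "fix GnuTLS connect timeout" commit on this page addresses that. The second `if (err <= 0) break;` in the GNUTLS_E_AGAIN branch is unreachable because the block just above already breaks on the same condition, and each select_fd() call is allowed the full opt.connect_timeout, so the option bounds one wait rather than the whole handshake. ssl_connect_wget starts before the first hunk and ends after the last.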
153 | -- | |
154 | cgit v0.9.0.2 | |
155 | From b8f036d16c508efde5bacfab9a96d8b6c6aeeeb2 Mon Sep 17 00:00:00 2001 | |
156 | From: Karsten Hopp <karsten@redhat.com> | |
157 | Date: Thu, 11 Jul 2013 09:27:35 +0000 | |
158 | Subject: Fix timeout option when used with SSL | |
159 | ||
160 | Previously wget didn't honor the --timeout option if the remote host did | |
161 | not answer the SSL handshake. | |
162 | ||
163 | Signed-off-by: Tomas Hozza <thozza@redhat.com> | |
164 | --- | |
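diff --git a/src/openssl.c b/src/openssl.c
index 3924e41..e2eec4f 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -251,24 +251,50 @@ ssl_init (void)
 return false;
 }
 
-struct openssl_transport_context {
+struct openssl_transport_context
+{
 SSL *conn; /* SSL connection handle */
 char *last_error; /* last error printed with openssl_errstr */
 };
 
-static int
-openssl_read (int fd, char *buf, int bufsize, void *arg)
+struct openssl_read_args
 {
- int ret;
- struct openssl_transport_context *ctx = arg;
+ int fd;
+ struct openssl_transport_context *ctx;
+ char *buf;
+ int bufsize;
+ int retval;
+};
+
+static void openssl_read_callback(void *arg)
+{
+ struct openssl_read_args *args = (struct openssl_read_args *) arg;
+ struct openssl_transport_context *ctx = args->ctx;
 SSL *conn = ctx->conn;
+ char *buf = args->buf;
+ int bufsize = args->bufsize;
+ int ret;
+
 do
 ret = SSL_read (conn, buf, bufsize);
- while (ret == -1
- && SSL_get_error (conn, ret) == SSL_ERROR_SYSCALL
+ while (ret == -1 && SSL_get_error (conn, ret) == SSL_ERROR_SYSCALL
 && errno == EINTR);
+ args->retval = ret;
+}
 
- return ret;
+static int
+openssl_read (int fd, char *buf, int bufsize, void *arg)
+{
+ struct openssl_read_args args;
+ args.fd = fd;
+ args.buf = buf;
+ args.bufsize = bufsize;
+ args.ctx = (struct openssl_transport_context*) arg;
+
+ if (run_with_timeout(opt.read_timeout, openssl_read_callback, &args)) {
+ return -1;
+ }
+ return args.retval;
 }
 
 static int
@@ -386,6 +412,19 @@ static struct transport_implementation openssl_transport = {
 openssl_peek, openssl_errstr, openssl_close
 };
 
+struct scwt_context
+{
+ SSL *ssl;
+ int result;
+};
+
+static void
+ssl_connect_with_timeout_callback(void *arg)
+{
+ struct scwt_context *ctx = (struct scwt_context *)arg;
+ ctx->result = SSL_connect(ctx->ssl);
+}
+
 /* Perform the SSL handshake on file descriptor FD, which is assumed
 to be connected to an SSL server. The SSL handle provided by
 OpenSSL is registered with the file descriptor FD using
@@ -398,6 +437,7 @@ bool
 ssl_connect_wget (int fd, const char *hostname)
 {
 SSL *conn;
+ struct scwt_context scwt_ctx;
 struct openssl_transport_context *ctx;
 
 DEBUGP (("Initiating SSL handshake.\n"));
@@ -425,7 +465,14 @@ ssl_connect_wget (int fd, const char *hostname)
 if (!SSL_set_fd (conn, FD_TO_SOCKET (fd)))
 goto error;
 SSL_set_connect_state (conn);
- if (SSL_connect (conn) <= 0 || conn->state != SSL_ST_OK)
+
+ scwt_ctx.ssl = conn;
+ if (run_with_timeout(opt.read_timeout, ssl_connect_with_timeout_callback,
+ &scwt_ctx)) {
+ DEBUGP (("SSL handshake timed out.\n"));
+ goto timeout;
+ }
+ if (scwt_ctx.result <= 0 || conn->state != SSL_ST_OK)
 goto error;
 
 ctx = xnew0 (struct openssl_transport_context);
@@ -441,6 +488,7 @@ ssl_connect_wget (int fd, const char *hostname)
 error:
 DEBUGP (("SSL handshake failed.\n"));
 print_errors ();
+ timeout:
 if (conn)
 SSL_free (conn);
 return false;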
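Review bot: The timeout path in openssl_read, `if (run_with_timeout(...)) { return -1; }`, returns -1 without setting errno, so a caller that inspects errno after a failed read sees whatever the last syscall left behind, whereas the GnuTLS commit on this page reports `errno = ETIMEDOUT` for the same situation; set it here too, `errno = ETIMEDOUT; return -1;`. The handshake is bounded by opt.read_timeout rather than opt.connect_timeout, which differs from the GnuTLS commit above using opt.connect_timeout for the same step — a one-line comment at the SSL_connect call saying which option is intended, e.g. `/* The handshake is bounded by the read timeout, not the connect timeout.  */`, would stop the next reader from "fixing" it either way. run_with_timeout is not shown; if it is the setitimer/longjmp implementation wget uses elsewhere, SSL_connect and SSL_read are abandoned mid-call and the SSL object that `goto timeout;` then hands to SSL_free may hold inconsistent internal state, which a select()-based wait on the socket, as the GnuTLS side does, would avoid. Also `args.fd` is stored but never read by openssl_read_callback, and the cast in `args.ctx = (struct openssl_transport_context*) arg;` is unnecessary for a void pointer in C. openssl_read's callers and the rest of ssl_connect_wget lie outside these hunks.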
280 | -- | |
281 | cgit v0.9.0.2 | |
282 | From 3b6a3e84a013b53b03a8965e91aa0e9478c77841 Mon Sep 17 00:00:00 2001 |
283 | From: Tim Ruehsen <tim.ruehsen@gmx.de> | |
284 | Date: Thu, 26 Dec 2013 20:17:07 +0000 | |
285 | Subject: fix GnuTLS connect timeout | |
286 | ||
287 | --- | |
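diff --git a/src/gnutls.c b/src/gnutls.c
index 9b4b1ec..4f0fa96 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -526,8 +526,7 @@ ssl_connect_wget (int fd, const char *hostname)
 break;
 }
 
- if (err <= 0)
- break;
+ err = GNUTLS_E_AGAIN;
 }
 else if (err < 0)
 {
@@ -543,7 +542,7 @@ ssl_connect_wget (int fd, const char *hostname)
 }
 }
 }
- while (err == GNUTLS_E_WARNING_ALERT_RECEIVED && gnutls_error_is_fatal (err) == 0);
+ while (err && gnutls_error_is_fatal (err) == 0);
 
 if (opt.connect_timeout)
 {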
311 | -- | |
312 | cgit v0.9.0.2 |