[wget/f17] Fixed TLS SNI Support in wget (#836822)
Tomas Hozza
thozza at fedoraproject.org
Tue Oct 9 08:51:13 UTC 2012
commit b6cacbd2ab7accbf594895c7ba64a0f731bf0289
Author: Tomas Hozza <thozza at redhat.com>
Date: Tue Oct 9 09:47:32 2012 +0200
Fixed TLS SNI Support in wget (#836822)
wget-1.13.4-tls_sni_support.patch | 134 +++++++++++++++++++++++++++++++++++++
wget.spec | 8 ++-
2 files changed, 141 insertions(+), 1 deletions(-)
---
diff --git a/wget-1.13.4-tls_sni_support.patch b/wget-1.13.4-tls_sni_support.patch
new file mode 100644
index 0000000..c4f8a4b
--- /dev/null
+++ b/wget-1.13.4-tls_sni_support.patch
@@ -0,0 +1,134 @@
+diff -up wget-1.13.4/src/gnutls.c.tls_sni_support wget-1.13.4/src/gnutls.c
+--- wget-1.13.4/src/gnutls.c.tls_sni_support 2011-09-04 14:06:22.000000000 +0200
++++ wget-1.13.4/src/gnutls.c 2012-10-09 09:35:04.476172748 +0200
+@@ -54,6 +54,8 @@ as that of the covered work. */
+ # include "w32sock.h"
+ #endif
+
++#include "host.h"
++
+ /* Note: some of the functions private to this file have names that
+ begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be
+ confused with actual gnutls functions -- such as the gnutls_read
+@@ -320,13 +322,21 @@ static struct transport_implementation w
+ };
+
+ bool
+-ssl_connect_wget (int fd)
++ssl_connect_wget (int fd, const char *hostname)
+ {
+ struct wgnutls_transport_context *ctx;
+ gnutls_session session;
+ int err;
+ gnutls_init (&session, GNUTLS_CLIENT);
+ gnutls_set_default_priority (session);
++
++ /* We set the server name but only if it's not an IP address. */
++ if (! is_ip_address (hostname))
++ {
++ gnutls_server_name_set (session, GNUTLS_NAME_DNS,
++ hostname, strlen(hostname));
++ }
++
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials);
+ #ifndef FD_TO_SOCKET
+ # define FD_TO_SOCKET(X) (X)
+diff -up wget-1.13.4/src/host.c.tls_sni_support wget-1.13.4/src/host.c
+--- wget-1.13.4/src/host.c.tls_sni_support 2011-08-06 23:22:39.000000000 +0200
++++ wget-1.13.4/src/host.c 2012-10-09 09:32:48.245355889 +0200
+@@ -914,3 +914,19 @@ host_cleanup (void)
+ host_name_addresses_map = NULL;
+ }
+ }
++
++/* Determine whether or not a hostname is an IP address that we recognise. */
++bool
++is_ip_address (const char *name)
++{
++ const char *endp;
++
++ endp = name + strlen(name);
++ if (is_valid_ipv4_address (name, endp))
++ return true;
++#ifdef ENABLE_IPV6
++ if (is_valid_ipv6_address (name, endp))
++ return true;
++#endif
++ return false;
++}
+diff -up wget-1.13.4/src/host.h.tls_sni_support wget-1.13.4/src/host.h
+--- wget-1.13.4/src/host.h.tls_sni_support 2011-01-01 13:12:35.000000000 +0100
++++ wget-1.13.4/src/host.h 2012-10-09 09:32:48.246355887 +0200
+@@ -103,4 +103,6 @@ bool sufmatch (const char **, const char
+
+ void host_cleanup (void);
+
++bool is_ip_address (const char *);
++
+ #endif /* HOST_H */
+diff -up wget-1.13.4/src/http.c.tls_sni_support wget-1.13.4/src/http.c
+--- wget-1.13.4/src/http.c.tls_sni_support 2011-09-07 12:58:01.000000000 +0200
++++ wget-1.13.4/src/http.c 2012-10-09 09:37:07.532007301 +0200
+@@ -1909,7 +1909,7 @@ gethttp (struct url *u, struct http_stat
+
+ if (conn->scheme == SCHEME_HTTPS)
+ {
+- if (!ssl_connect_wget (sock))
++ if (!ssl_connect_wget (sock, u->host))
+ {
+ fd_close (sock);
+ return CONSSLERR;
+diff -up wget-1.13.4/src/openssl.c.tls_sni_support wget-1.13.4/src/openssl.c
+--- wget-1.13.4/src/openssl.c.tls_sni_support 2012-10-09 09:32:48.000000000 +0200
++++ wget-1.13.4/src/openssl.c 2012-10-09 09:39:05.382848841 +0200
+@@ -50,6 +50,8 @@ as that of the covered work. */
+ # include <w32sock.h>
+ #endif
+
++#include "host.h"
++
+ /* Application-wide SSL context. This is common to all SSL
+ connections. */
+ static SSL_CTX *ssl_ctx;
+@@ -433,7 +435,7 @@ ssl_connect_with_timeout_callback(void *
+ Returns true on success, false on failure. */
+
+ bool
+-ssl_connect_wget (int fd)
++ssl_connect_wget (int fd, const char *hostname)
+ {
+ SSL *conn;
+ struct scwt_context scwt_ctx;
+@@ -445,6 +447,20 @@ ssl_connect_wget (int fd)
+ conn = SSL_new (ssl_ctx);
+ if (!conn)
+ goto error;
++
++#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
++ /* If the SSL library was build with support for ServerNameIndication
++ then use it whenever we have a hostname. If not, don't, ever. */
++ if (! is_ip_address (hostname))
++ {
++ if (! SSL_set_tlsext_host_name (conn, hostname))
++ {
++ DEBUGP (("Failed to set TLS server-name indication."));
++ goto error;
++ }
++ }
++#endif
++
+ #ifndef FD_TO_SOCKET
+ # define FD_TO_SOCKET(X) (X)
+ #endif
+diff -up wget-1.13.4/src/ssl.h.tls_sni_support wget-1.13.4/src/ssl.h
+--- wget-1.13.4/src/ssl.h.tls_sni_support 2011-01-01 13:12:35.000000000 +0100
++++ wget-1.13.4/src/ssl.h 2012-10-09 09:39:38.848803841 +0200
+@@ -33,7 +33,7 @@ as that of the covered work. */
+ #define GEN_SSLFUNC_H
+
+ bool ssl_init (void);
+-bool ssl_connect_wget (int);
++bool ssl_connect_wget (int, const char *);
+ bool ssl_check_certificate (int, const char *);
+
+ #endif /* GEN_SSLFUNC_H */
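Review bot: In the gnutls.c part of this hunk the return value of `gnutls_server_name_set` is discarded, while the openssl.c part checks `SSL_set_tlsext_host_name` and jumps to `error` when it fails; the two backends should agree, e.g. `err = gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname, strlen (hostname));` followed by `if (err < 0) { DEBUGP (("Failed to set TLS server-name indication.")); ... return false; }` with the same session cleanup the function's later failure path performs (not visible in the hunk). Both backends also call `strlen (hostname)` (directly and inside `is_ip_address`) with no NULL guard; `u->host` is presumably always set for an HTTPS URL, but the new `ssl_connect_wget (int, const char *)` prototype in ssl.h now admits NULL, so either document that the caller must pass a non-NULL host or reject NULL up front. The new `is_ip_address` in host.c only recognises IPv6 literals when ENABLE_IPV6 is defined, so a build without it would send a v6 literal as the SNI name; its header comment could state that limitation, e.g. `/* IPv6 literals are recognised only when ENABLE_IPV6 is defined. */`. Both `ssl_connect_wget` bodies continue past the hunk.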
diff --git a/wget.spec b/wget.spec
index 2b5785f..1b690b9 100644
--- a/wget.spec
+++ b/wget.spec
@@ -1,7 +1,7 @@
Summary: A utility for retrieving files using the HTTP or FTP protocols
Name: wget
Version: 1.13.4
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv3+
Group: Applications/Internet
Url: http://www.gnu.org/software/wget/
@@ -10,6 +10,8 @@ Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.bz2
Patch1: wget-rh-modified.patch
Patch2: wget-1.12-path.patch
Patch3: openssl-1.13.4-sslreadtimeout.patch
+# Upstream Bug: http://savannah.gnu.org/bugs/?26786
+Patch4: wget-1.13.4-tls_sni_support.patch
Provides: webclient
Provides: bundled(gnulib)
@@ -32,6 +34,7 @@ support for Proxy servers, and configurability.
%patch1 -p0
%patch2 -p1
%patch3 -p1 -b .sslreadtimeout
+%patch4 -p1 -b .tls_sni_support
%build
if pkg-config openssl ; then
@@ -68,6 +71,9 @@ rm -rf $RPM_BUILD_ROOT
%{_infodir}/*
%changelog
+* Tue Oct 09 2012 Tomas Hozza <thozza at redhat.com> 1.13.4-6
+- Fixed TLS SNI Support in wget (#836822)
+
* Thu Sep 27 2012 Tomas Hozza <thozza at redhat.com> 1.13.4-5
- Rebuild in Koji