[wget/f16] Fixed TLS SNI Support in wget (#836822)

Tomas Hozza thozza at fedoraproject.org
Tue Oct 9 08:51:08 UTC 2012


commit 57a9ac07b8dcf8924c82f2a1141d2a11c61d5e25
Author: Tomas Hozza <thozza at redhat.com>
Date:   Tue Oct 9 10:48:16 2012 +0200

    Fixed TLS SNI Support in wget (#836822)

 wget-1.12-tls_sni_support.patch |  129 +++++++++++++++++++++++++++++++++++++++
 wget.spec                       |   13 +++-
 2 files changed, 139 insertions(+), 3 deletions(-)
---
diff --git a/wget-1.12-tls_sni_support.patch b/wget-1.12-tls_sni_support.patch
new file mode 100644
index 0000000..96ef9a5
--- /dev/null
+++ b/wget-1.12-tls_sni_support.patch
@@ -0,0 +1,129 @@
+diff -up wget-1.12/src/gnutls.c.tls_sni_support wget-1.12/src/gnutls.c
+--- wget-1.12/src/gnutls.c.tls_sni_support	2009-09-22 04:59:33.000000000 +0200
++++ wget-1.12/src/gnutls.c	2012-10-09 10:25:56.250371562 +0200
+@@ -45,6 +45,7 @@ as that of the covered work.  */
+ #include "connect.h"
+ #include "url.h"
+ #include "ssl.h"
++#include "host.h"
+ 
+ /* Note: some of the functions private to this file have names that
+    begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be
+@@ -181,7 +182,7 @@ static struct transport_implementation w
+ };
+ 
+ bool
+-ssl_connect (int fd)
++ssl_connect (int fd, const char *hostname)
+ {
+   static const int cert_type_priority[] = {
+     GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0
+@@ -191,6 +192,12 @@ ssl_connect (int fd)
+   int err;
+   gnutls_init (&session, GNUTLS_CLIENT);
+   gnutls_set_default_priority (session);
++  /* We set the server name but only if it's not an IP address. */
++  if (! is_ip_address (hostname))
++    {
++      gnutls_server_name_set (session, GNUTLS_NAME_DNS,
++         hostname, strlen(hostname));
++    }
+   gnutls_certificate_type_set_priority (session, cert_type_priority);
+   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials);
+   gnutls_transport_set_ptr (session, (gnutls_transport_ptr) fd);
+diff -up wget-1.12/src/host.c.tls_sni_support wget-1.12/src/host.c
+--- wget-1.12/src/host.c.tls_sni_support	2009-09-22 05:00:05.000000000 +0200
++++ wget-1.12/src/host.c	2012-10-09 10:21:19.617514313 +0200
+@@ -904,3 +904,19 @@ host_cleanup (void)
+       host_name_addresses_map = NULL;
+     }
+ }
++
++/* Determine whether or not a hostname is an IP address that we recognise. */
++bool
++is_ip_address (const char *name)
++{
++  const char *endp;
++
++  endp = name + strlen(name);
++  if (is_valid_ipv4_address (name, endp))
++    return true;
++#ifdef ENABLE_IPV6
++  if (is_valid_ipv6_address (name, endp))
++    return true;
++#endif
++  return false;
++}
+diff -up wget-1.12/src/host.h.tls_sni_support wget-1.12/src/host.h
+--- wget-1.12/src/host.h.tls_sni_support	2009-09-04 18:31:54.000000000 +0200
++++ wget-1.12/src/host.h	2012-10-09 10:21:19.617514313 +0200
+@@ -102,4 +102,6 @@ bool sufmatch (const char **, const char
+ 
+ void host_cleanup (void);
+ 
++bool is_ip_address (const char *);
++
+ #endif /* HOST_H */
+diff -up wget-1.12/src/http.c.tls_sni_support wget-1.12/src/http.c
+--- wget-1.12/src/http.c.tls_sni_support	2009-09-22 05:02:18.000000000 +0200
++++ wget-1.12/src/http.c	2012-10-09 10:21:19.618514313 +0200
+@@ -1762,7 +1762,7 @@ gethttp (struct url *u, struct http_stat
+ 
+       if (conn->scheme == SCHEME_HTTPS)
+         {
+-          if (!ssl_connect_wget (sock))
++          if (!ssl_connect_wget (sock, u->host))
+             {
+               fd_close (sock);
+               return CONSSLERR;
+diff -up wget-1.12/src/openssl.c.tls_sni_support wget-1.12/src/openssl.c
+--- wget-1.12/src/openssl.c.tls_sni_support	2012-10-09 10:21:19.000000000 +0200
++++ wget-1.12/src/openssl.c	2012-10-09 10:28:49.889226106 +0200
+@@ -47,6 +47,7 @@ as that of the covered work.  */
+ #include "connect.h"
+ #include "url.h"
+ #include "ssl.h"
++#include "host.h"
+ 
+ /* Application-wide SSL context.  This is common to all SSL
+    connections.  */
+@@ -390,7 +391,7 @@ static struct transport_implementation o
+    Returns true on success, false on failure.  */
+ 
+ bool
+-ssl_connect_wget (int fd)
++ssl_connect_wget (int fd, const char *hostname)
+ {
+   SSL *conn;
+   struct openssl_transport_context *ctx;
+@@ -401,6 +402,18 @@ ssl_connect_wget (int fd)
+   conn = SSL_new (ssl_ctx);
+   if (!conn)
+     goto error;
++  #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
++  /* If the SSL library was build with support for ServerNameIndication
++     then use it whenever we have a hostname.  If not, don't, ever. */
++  if (! is_ip_address (hostname))
++    {
++      if (! SSL_set_tlsext_host_name (conn, hostname))
++  {
++  DEBUGP (("Failed to set TLS server-name indication."));
++  goto error;
++  }
++    }
++#endif
+   if (!SSL_set_fd (conn, fd))
+     goto error;
+   SSL_set_connect_state (conn);
+diff -up wget-1.12/src/ssl.h.tls_sni_support wget-1.12/src/ssl.h
+--- wget-1.12/src/ssl.h.tls_sni_support	2009-09-04 18:31:54.000000000 +0200
++++ wget-1.12/src/ssl.h	2012-10-09 10:21:19.620514313 +0200
+@@ -33,7 +33,7 @@ as that of the covered work.  */
+ #define GEN_SSLFUNC_H
+ 
+ bool ssl_init (void);
+-bool ssl_connect_wget (int);
++bool ssl_connect_wget (int, const char *);
+ bool ssl_check_certificate (int, const char *);
+ 
+ #endif /* GEN_SSLFUNC_H */
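Review bot: The return value of the new `gnutls_server_name_set (session, GNUTLS_NAME_DNS, ...)` call in the gnutls.c part of the patch is discarded, whereas the openssl.c part of the same patch treats a failed `SSL_set_tlsext_host_name` as fatal via `goto error`, so the two backends disagree on what an SNI setup failure means. At minimum the gnutls path can reuse the `err` local already declared in `ssl_connect`: `err = gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname, strlen (hostname));` followed by `if (err < 0) DEBUGP (("Failed to set TLS server-name indication: %s\n", gnutls_strerror (err)));`, and if it is to be fatal like the OpenSSL side the session created by `gnutls_init` two lines above must be released before returning false — how other pre-handshake failures clean up there is outside this hunk. Separately, the indentation of the new OpenSSL block is inconsistent: the `#if OPENSSL_VERSION_NUMBER ...` line is indented while its `#endif` is at column 0, and the braces around `DEBUGP`/`goto error` are indented less than the `if` they belong to, which is worth normalising to GNU style before this is carried as a downstream patch. Both `ssl_connect` and `ssl_connect_wget` continue outside their hunks.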
diff --git a/wget.spec b/wget.spec
index 530207b..fd0600a 100644
--- a/wget.spec
+++ b/wget.spec
@@ -1,16 +1,19 @@
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Name: wget
 Version: 1.12
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv3+
 Group: Applications/Internet
 Url: http://www.gnu.org/software/wget/
 Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.bz2
+
 Patch1: wget-rh-modified.patch
 Patch2: wget-1.12-path.patch
-
 # http://bzr.savannah.gnu.org/lh/wget/trunk/revision/2317
 Patch3: wget-1.12-certificate-subjectAltName.patch
+# Upstream Bug: http://savannah.gnu.org/bugs/?26786
+Patch4: wget-1.12-tls_sni_support.patch
+
 Provides: webclient
 Requires(post): /sbin/install-info
 Requires(preun): /sbin/install-info
@@ -30,7 +33,8 @@ support for Proxy servers, and configurability.
 %setup -q
 %patch1 -p1
 %patch2 -p1
-%patch3 -p0
+%patch3 -p0 -b .cert_altNames
+%patch4 -p1 -b .tls_sni_support
 
 %build
 if pkg-config openssl ; then
@@ -67,6 +71,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_infodir}/*
 
 %changelog
+* Tue Oct 09 2012 Tomas Hozza <thozza at redhat.com> - 1.12-5
+- Fixed TLS SNI Support in wget (#836822)
+
 * Thu Jun 23 2011 Volker Fröhlich <volker27 at gmx.at> - 1.12-4
 - Applied patch to accept subjectAltNames in X509 certificates (#674186)
 - New URL (#658969)

