GnuTLS

2007-12-10 Thread Hrvoje Niksic
If GnuTLS support will not be ready for the 1.11 release, may I
suggest that we not advertise it in NEWS?  After all, it's badly
broken in that it doesn't support certificate validation, which is one
of the most important features of an SSL client.  It also doesn't
support many of our SSL command-line options, which makes Wget almost
broken, https-wise, under GnuTLS.  IMO announcing such unfinished work
brings more harm than good in a stable release.


GnuTLS support in Wget

2006-04-03 Thread Hrvoje Niksic
Is there any interest in finishing the GnuTLS support in Wget?  The
support currently available in the repository can be tested using
`./configure --with-ssl=gnutls'.  It should enable you to download
from SSL servers using --no-check-certificate, but it is not yet
finished.  Specifically, and in decreasing order of importance:

* Certificate validation appears to be broken.  At least I don't know
  how to make GnuTLS use the certificates installed on my system.  As
  a workaround, you can use --no-check-certificate, but this would
  have to be fixed in order to advocate GnuTLS support.

* Wget's SSL/TLS-related options have not been implemented, except for
  --no-check-certificate.  Those options were designed for OpenSSL, so
  they don't map to GnuTLS functionality as cleanly, but they should be
  manageable -- Wget is not the only program ported from OpenSSL to
  GnuTLS.

* http-ntlm.c uses OpenSSL functions for DES and MD4.  Both should be
  available in libgcrypt, which GnuTLS itself uses.

In other words, the hard part, hooking GnuTLS into Wget, has already
been done.  What remains is one afternoon of work for someone who
understands the GnuTLS API.


GnuTLS support

2005-07-05 Thread Hrvoje Niksic
I invite you to try out the GnuTLS support in the Wget repository.  It
is still very rudimentary (no fancy SSL options), but the basics seem
to work.

Patches that enhance this would be very welcome, as my experience with
SSL in general and GnuTLS in particular is very limited.


FIX GNUTLS patch

2002-05-27 Thread Thomas Lussnig

Hi,
there was a small mistake in the error handling in the first patch.

This is now working correctly :-)

cu thomas


/* SSL support.
   Copyright (C) 2000 Free Software Foundation, Inc.
   Contributed by Christian Fraenkel.

This file is part of GNU Wget.

GNU Wget is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

GNU Wget is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with Wget; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

In addition, as a special exception, the Free Software Foundation
gives permission to link the code of its release of Wget with the
OpenSSL project's OpenSSL library (or with modified versions of it
that use the same license as the OpenSSL library), and distribute
the linked executables.  You must obey the GNU General Public License
in all respects for all of the code used other than OpenSSL.  If you
modify this file, you may extend this exception to your version of the
file, but you are not obligated to do so.  If you do not wish to do
so, delete this exception statement from your version.  */

#include <config.h>

#ifdef HAVE_SSL

#include <assert.h>
#include <errno.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif
#ifdef HAVE_STRING_H
# include <string.h>
#else
# include <strings.h>
#endif

#include <gnutls.h>

#include "wget.h"
#include "utils.h"
#include "connect.h"
#include "url.h"

#ifndef errno
extern int errno;
#endif



void
ssl_init_prng (void)
{
return;
}

/* pass all ssl errors to DEBUGP
   returns the number of printed errors 

TODO:
- save in static int last error
 */
int
ssl_printerrors (void) 
{
  return 0;
}

/* GNUTLS_CERTIFICATE_CLIENT_CREDENTIALS is already a pointer */
typedef void SSL_CTX;
typedef void SSL;


/* Creates a SSL Context and sets some defaults for it */
uerr_t
init_ssl (SSL_CTX **ctx)
{
  GNUTLS_CERTIFICATE_CREDENTIALS *xcred = (GNUTLS_CERTIFICATE_CREDENTIALS*)ctx;
  int x509ctype;
  if (!opt.sslcerttype)
    x509ctype = GNUTLS_X509_FMT_PEM;
  else
    x509ctype = GNUTLS_X509_FMT_DER;

  if (gnutls_global_init() < 0)
    {
      /* Leave the caller's context NULL on failure.  */
      *xcred = NULL;
      return -1;
    }
  if (gnutls_certificate_allocate_sc(xcred) < 0)
    {
      *xcred = NULL;
      return -1;
    }

  if (opt.sslcafile)
    {
      if (0 > gnutls_certificate_set_x509_trust_file(*xcred, opt.sslcafile,
                                                     x509ctype))
        return -1;
    }
  if (opt.sslcertfile != NULL && opt.sslcertkey != NULL)
    {
      if (0 > gnutls_certificate_set_x509_key_file(*xcred, opt.sslcertfile,
                                                   opt.sslcertkey, x509ctype))
        {
          /* Fall back to anonymous client credentials in the same slot.  */
          if (0 > gnutls_anon_allocate_client_sc(xcred))
            return -1;
        }
    }
  /* TODO: switch (opt.sslprotocol) */
  /* TODO: if (!opt.sslcheckcert) */
  return 0; /* Succeeded */
}

void
shutdown_ssl (SSL* con)
{
  int ret;
  GNUTLS_STATE state = (GNUTLS_STATE)con;
  if (con == NULL)
    return;
  do
    ret = gnutls_bye(state, GNUTLS_SHUT_RDWR);
  while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
  gnutls_deinit(state);
}

static int cipher_priority[16] = { GNUTLS_CIPHER_RIJNDAEL_128_CBC,
   GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR,
   GNUTLS_CIPHER_TWOFISH_128_CBC, 0 };
int kx_priority[16] = { GNUTLS_KX_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_DHE_RSA,
   GNUTLS_KX_SRP, GNUTLS_KX_ANON_DH, 0 };
int comp_priority[16]  = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL  , 0 };
int protocol_priority[16]  = { GNUTLS_TLS1 , GNUTLS_SSL3   , 0 };
int mac_priority[16]   = { GNUTLS_MAC_SHA  , GNUTLS_MAC_MD5, 0 };
/* GNUTLS_CRT_OPENPGP unused in wget currently */
int cert_type_priority[16] = { GNUTLS_CRT_X509 , GNUTLS_CRT_OPENPGP, 0 };


/* Sets up a SSL structure and performs the handshake on fd 
   Returns 0 if everything went right
   Returns 1 if something went wrong - TODO: More exit codes
*/
int
connect_ssl (SSL **con, SSL_CTX *ctx, int fd)
{
  int ret;
  int alert;
  GNUTLS_CERTIFICATE_CREDENTIALS xcred = (GNUTLS_CERTIFICATE_CREDENTIALS)ctx;
  GNUTLS_CERTIFICATE_CREDENTIALS anon_cred;
  GNUTLS_STATE *state = (GNUTLS_STATE*)con;
  gnutls_init (state, GNUTLS_CLIENT);
  gnutls_cipher_set_priority (*state, cipher_priority);
  gnutls_compression_set_priority (*state, comp_priority);
  gnutls_kx_set_priority (*state, kx_priority);
  gnutls_protocol_set_priority (*state, protocol_priority);
  gnutls_mac_set_priority (*state, mac_priority);
  gnutls_cert_type_set_priority (*state,