summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander M Pickering <alex@cogarr.net>2024-11-15 15:25:07 -0600
committerAlexander M Pickering <alex@cogarr.net>2024-11-15 15:25:07 -0600
commitbc6461083054d76abde9c33702c068ee0bf6a0d7 (patch)
tree22240226deefb1cd5b1d253a0f8aadf96f4ecccf
parenteb78f40c0fd152da107d558e5234a80cf62e066d (diff)
downloadbusybox-w32-packaging-bug/ssl_work.tar.gz
busybox-w32-packaging-bug/ssl_work.tar.bz2
busybox-w32-packaging-bug/ssl_work.zip
rename and reorganizebug/ssl_work
-rwxr-xr-xinit2
-rw-r--r--libressl.patch678
-rw-r--r--libressl2.patch405
3 files changed, 162 insertions, 923 deletions
diff --git a/init b/init
index b7ba829..348c86b 100755
--- a/init
+++ b/init
@@ -13,7 +13,7 @@ mv libcrypto.a /usr/x86_64-w64-mingw32/lib
13 13
14cd busybox-w32 14cd busybox-w32
15cp /root/busybox-w32-packaging/config .config 15cp /root/busybox-w32-packaging/config .config
16git apply /root/busybox-w32-packaging/libressl2.patch 16git apply /root/busybox-w32-packaging/libressl.patch
17# For some reason this code only causes errors on -O0 17# For some reason this code only causes errors on -O0
18if [ -n "$ZERO_PATCH" ]; then 18if [ -n "$ZERO_PATCH" ]; then
19 git apply /root/busybox-w32-packaging/zero.patch 19 git apply /root/busybox-w32-packaging/zero.patch
diff --git a/libressl.patch b/libressl.patch
index 564d620..00d5d4b 100644
--- a/libressl.patch
+++ b/libressl.patch
@@ -12,18 +12,10 @@ index bc1453e12..69f76cbb3 100644
12 void tls_run_copy_loop(tls_state_t *tls, unsigned flags) FAST_FUNC; 12 void tls_run_copy_loop(tls_state_t *tls, unsigned flags) FAST_FUNC;
13 13
14diff --git a/networking/ssl_client.c b/networking/ssl_client.c 14diff --git a/networking/ssl_client.c b/networking/ssl_client.c
15index 757745896..653b6f48e 100644 15index 757745896..38163440f 100644
16--- a/networking/ssl_client.c 16--- a/networking/ssl_client.c
17+++ b/networking/ssl_client.c 17+++ b/networking/ssl_client.c
18@@ -24,6 +24,7 @@ 18@@ -69,7 +69,7 @@ int ssl_client_main(int argc UNUSED_PARAM, char **argv)
19 //usage:#define ssl_client_full_usage ""
20
21 #include "libbb.h"
22+#include <tls.h>
23
24 int ssl_client_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
25 int ssl_client_main(int argc UNUSED_PARAM, char **argv)
26@@ -69,7 +70,7 @@ int ssl_client_main(int argc UNUSED_PARAM, char **argv)
27 } 19 }
28 #endif 20 #endif
29 21
@@ -32,34 +24,8 @@ index 757745896..653b6f48e 100644
32 24
33 BUILD_BUG_ON(TLSLOOP_EXIT_ON_LOCAL_EOF != 1); 25 BUILD_BUG_ON(TLSLOOP_EXIT_ON_LOCAL_EOF != 1);
34 tls_run_copy_loop(tls, /*flags*/ opt & 1); 26 tls_run_copy_loop(tls, /*flags*/ opt & 1);
35diff --git a/networking/ssl_helper-wolfssl/ssl_helper.c b/networking/ssl_helper-wolfssl/ssl_helper.c
36index 38b7b56c6..834912a68 100644
37--- a/networking/ssl_helper-wolfssl/ssl_helper.c
38+++ b/networking/ssl_helper-wolfssl/ssl_helper.c
39@@ -160,10 +160,10 @@ WOLFSSL *prepare(int sockfd)
40
41 method = wolfTLSv1_1_client_method();
42 if (method == NULL)
43- err_sys("out of memory");
44+ err_sys("out of memory 3");
45 ctx = wolfSSL_CTX_new(method);
46 if (ctx == NULL)
47- err_sys("out of memory");
48+ err_sys("out of memory 2");
49 // if (cipherList)
50 // if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
51 // err_sys("client can't set cipher list 1");
52@@ -279,7 +279,7 @@ WOLFSSL *prepare(int sockfd)
53
54 ssl = wolfSSL_new(ctx);
55 if (ssl == NULL)
56- err_sys("out of memory");
57+ err_sys("out of memory 1");
58
59 //#ifdef HAVE_SESSION_TICKET
60 // wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
61diff --git a/networking/tls.c b/networking/tls.c 27diff --git a/networking/tls.c b/networking/tls.c
62index 9f1dd67ec..7e8da6df2 100644 28index 9f1dd67ec..60e1afe99 100644
63--- a/networking/tls.c 29--- a/networking/tls.c
64+++ b/networking/tls.c 30+++ b/networking/tls.c
65@@ -2221,6 +2221,7 @@ static void send_client_finished(tls_state_t *tls) 31@@ -2221,6 +2221,7 @@ static void send_client_finished(tls_state_t *tls)
@@ -76,8 +42,8 @@ index 9f1dd67ec..7e8da6df2 100644
76 42
77- /*send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) */ 43- /*send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) */
78- /* need to hash _all_ server replies first, up to ServerHelloDone */ 44- /* need to hash _all_ server replies first, up to ServerHelloDone */
79+ //send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) 45+ //send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) /
80+ //need to hash _all_ server replies first, up to ServerHelloDone 46+ // need to hash _all_ server replies first, up to ServerHelloDone /
81 len = tls_xread_handshake_block(tls, 4); 47 len = tls_xread_handshake_block(tls, 4);
82 } 48 }
83 49
@@ -87,18 +53,18 @@ index 9f1dd67ec..7e8da6df2 100644
87 send_change_cipher_spec(tls); 53 send_change_cipher_spec(tls);
88- /* from now on we should send encrypted */ 54- /* from now on we should send encrypted */
89- /* tls->write_seq64_be = 0; - already is */ 55- /* tls->write_seq64_be = 0; - already is */
90+ // from now on we should send encrypted 56+ // from now on we should send encrypted /
91+ // tls->write_seq64_be = 0; - already is 57+ // tls->write_seq64_be = 0; - already is /
92 tls->flags |= ENCRYPT_ON_WRITE; 58 tls->flags |= ENCRYPT_ON_WRITE;
93 59
94 send_client_finished(tls); 60 send_client_finished(tls);
95 61
96- /* Get CHANGE_CIPHER_SPEC */ 62- /* Get CHANGE_CIPHER_SPEC */
97+ // Get CHANGE_CIPHER_SPEC 63+ // Get CHANGE_CIPHER_SPEC /
98 len = tls_xread_record(tls, "switch to encrypted traffic"); 64 len = tls_xread_record(tls, "switch to encrypted traffic");
99 if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0) 65 if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0)
100 bad_record_die(tls, "switch to encrypted traffic", len); 66 bad_record_die(tls, "switch to encrypted traffic", len);
101@@ -2327,29 +2328,29 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni) 67@@ -2327,29 +2328,30 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
102 } else 68 } else
103 if (!(tls->flags & ENCRYPTION_AESGCM)) { 69 if (!(tls->flags & ENCRYPTION_AESGCM)) {
104 unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE; 70 unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE;
@@ -107,6 +73,7 @@ index 9f1dd67ec..7e8da6df2 100644
107- */ 73- */
108+ // all incoming packets now should be encrypted and have 74+ // all incoming packets now should be encrypted and have
109+ // at least IV + (MAC padded to blocksize): 75+ // at least IV + (MAC padded to blocksize):
76+ //
110 tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE); 77 tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE);
111 } else { 78 } else {
112 tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE; 79 tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE;
@@ -114,16 +81,16 @@ index 9f1dd67ec..7e8da6df2 100644
114 dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read); 81 dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read);
115 82
116- /* Get (encrypted) FINISHED from the server */ 83- /* Get (encrypted) FINISHED from the server */
117+ // Get (encrypted) FINISHED from the server 84+ // Get (encrypted) FINISHED from the server /
118 len = tls_xread_record(tls, "'server finished'"); 85 len = tls_xread_record(tls, "'server finished'");
119 if (len < 4 || tls->inbuf[RECHDR_LEN] != HANDSHAKE_FINISHED) 86 if (len < 4 || tls->inbuf[RECHDR_LEN] != HANDSHAKE_FINISHED)
120 bad_record_die(tls, "'server finished'", len); 87 bad_record_die(tls, "'server finished'", len);
121 dbg("<< FINISHED\n"); 88 dbg("<< FINISHED\n");
122- /* application data can be sent/received */ 89- /* application data can be sent/received */
123+ // application data can be sent/received 90+ // application data can be sent/received /
124 91
125- /* free handshake data */ 92- /* free handshake data */
126+ // free handshake data 93+ // free handshake data /
127 psRsaKey_clear(&tls->hsd->server_rsa_pub_key); 94 psRsaKey_clear(&tls->hsd->server_rsa_pub_key);
128 // if (PARANOIA) 95 // if (PARANOIA)
129 // memset(tls->hsd, 0, tls->hsd->hsd_size); 96 // memset(tls->hsd, 0, tls->hsd->hsd_size);
@@ -135,41 +102,34 @@ index 9f1dd67ec..7e8da6df2 100644
135 static void tls_xwrite(tls_state_t *tls, int len) 102 static void tls_xwrite(tls_state_t *tls, int len)
136 { 103 {
137diff --git a/networking/wget.c b/networking/wget.c 104diff --git a/networking/wget.c b/networking/wget.c
138index 6a64836fb..918ad6812 100644 105index 6a64836fb..4a5b4c9f0 100644
139--- a/networking/wget.c 106--- a/networking/wget.c
140+++ b/networking/wget.c 107+++ b/networking/wget.c
141@@ -169,7 +169,11 @@ 108@@ -1,4 +1,3 @@
142 //usage: "\n -Y on/off Use proxy" 109-/* vi: set sw=4 ts=4: */
143 110 /*
144 #include "libbb.h" 111 * wget - retrieve a file using HTTP or FTP
145- 112 *
146+#include <string.h> 113@@ -460,6 +459,49 @@ static FILE *open_socket(len_and_sockaddr *lsa)
147+#include <errno.h> 114 return fp;
148+#include <tls.h> 115 }
149+#include <stdarg.h>
150+#include <stdio.h>
151 #if 0
152 # define log_io(...) bb_error_msg(__VA_ARGS__)
153 # define SENDFMT(fp, fmt, ...) \
154@@ -354,6 +358,39 @@ static ALWAYS_INLINE void progress_meter(int flag UNUSED_PARAM) {}
155 #endif
156
157 116
158+#if ENABLE_PLATFORM_MINGW32 117+#if ENABLE_PLATFORM_MINGW32
159+/* Use windows installed certificates for wget */ 118+/* Use windows installed certificates for wget */
160+#include <openssl/ssl.h> 119+#include <openssl/ssl.h>
161+#include <openssl/x509.h> 120+#include <openssl/x509.h>
162+#include <wincrypt.h> 121+#include <wincrypt.h>
163+void gather_certificates(struct tls_config *cfg) 122+char* gather_certificates(struct tls_config *cfg)
164+{ 123+{
165+ printf("Gathering certificates\n"); 124+ FILE *pemfile;
125+ pemfile = tmpfile();
166+ HCERTSTORE dstore; 126+ HCERTSTORE dstore;
167+ dstore = CertOpenSystemStore(0,"CA"); 127+ dstore = CertOpenSystemStore(0,"ROOT");
168+ size_t numcerts; 128+ size_t numcerts;
169+ if(!dstore) 129+ if(!dstore)
170+ bb_error_msg_and_die("Error opening 'CA' cert store"); 130+ bb_error_msg_and_die("Error opening 'CA' cert store");
171+ X509_STORE *store = X509_STORE_new();
172+ PCCERT_CONTEXT ctx = NULL; 131+ PCCERT_CONTEXT ctx = NULL;
132+ size_t certs_len;
173+ for(;;) 133+ for(;;)
174+ { 134+ {
175+ ctx = CertEnumCertificatesInStore(dstore,ctx); 135+ ctx = CertEnumCertificatesInStore(dstore,ctx);
@@ -178,223 +138,121 @@ index 6a64836fb..918ad6812 100644
178+ char *dcert = ctx->pbCertEncoded; 138+ char *dcert = ctx->pbCertEncoded;
179+ size_t dcert_len = ctx->cbCertEncoded; 139+ size_t dcert_len = ctx->cbCertEncoded;
180+ X509 *x509cert; 140+ X509 *x509cert;
181+ x509cert = d2i_X509(NULL,dcert,dcert_len); 141+ x509cert = d2i_X509(NULL,&dcert,dcert_len);
182+ if(x509cert == NULL) 142+ if(x509cert == NULL)
183+ bb_error_msg_and_die("Failed to convert cert"); 143+ bb_error_msg_and_die("Failed to convert cert");
184+ X509_STORE_add_cert(store,x509cert); 144+ if(!PEM_write_X509(pemfile, x509cert))
145+ bb_error_msg_and_die("Failed to write cert");
185+ X509_free(x509cert); 146+ X509_free(x509cert);
186+ } 147+ }
187+ CertCloseStore(store, CERT_CLOSE_STORE_CHECK_FLAG); 148+ CertCloseStore(dstore, CERT_CLOSE_STORE_CHECK_FLAG);
149+ size_t pemsize = ftell(pemfile);
150+ char *pemmem = (char*)malloc(pemsize);
151+ if(pemmem == NULL)
152+ bb_error_msg_and_die("out of memory");
153+ rewind(pemfile);
154+ if(fread(pemmem, sizeof(char), pemsize, pemfile) != pemsize)
155+ bb_error_msg_and_die("Failed to read temp ca pem file");
156+ tls_config_set_ca_mem(cfg, pemmem, pemsize);
188+} 157+}
189+
190+#endif 158+#endif
191 /* IPv6 knows scoped address types i.e. link and site local addresses. Link
192 * local addresses can have a scope identifier to specify the
193 * interface/link an address is valid on (e.g. fe80::1%eth0). This scope
194@@ -482,18 +519,45 @@ static char* sanitize_string(char *s)
195 return s;
196 }
197
198+static char tlsgets_trim_sanitize(struct tls *ctx, const char *fmt)
199+{
200+ printf("wget tlsgets_trim_sanitize 1\n");
201+ char c;
202+ char *buf_ptr;
203+ ssize_t len = TLS_WANT_POLLIN;
204+ while(len == TLS_WANT_POLLIN)
205+ len = tls_read(ctx,G.wget_buf, sizeof(G.wget_buf));
206+ if(len == -1)
207+ bb_error_msg_and_die("tls read error: %s", tls_error(ctx));
208+ printf("Read %zd bytes\n", len);
209+ printf("Data Read: %s\n",G.wget_buf);
210+ buf_ptr = strchrnul(G.wget_buf, '\n');
211+ c = *buf_ptr;
212+ sanitize_string(G.wget_buf);
213+ log_io("< %s", G.wget_buf);
214+ if (fmt && (option_mask32 & WGET_OPT_SERVER_RESPONSE))
215+ fprintf(stderr, fmt, G.wget_buf);
216+ return c;
217+}
218+ 159+
219 /* Returns '\n' if it was seen, else '\0'. Trims at first '\r' or '\n' */ 160 /* We balk at any control chars in other side's messages.
220 static char fgets_trim_sanitize(FILE *fp, const char *fmt) 161 * This prevents nasty surprises (e.g. ESC sequences) in "Location:" URLs
221 { 162 * and error messages.
222 char c; 163@@ -689,6 +731,9 @@ static void reset_beg_range_to_zero(void)
223 char *buf_ptr;
224
225+ printf("wget fgets_trim_sanitize 1\n");
226 set_alarm();
227- if (fgets(G.wget_buf, sizeof(G.wget_buf), fp) == NULL)
228- bb_simple_perror_msg_and_die("error getting response");
229+ printf("wget fgets_trim_sanitize 2\n");
230+ printf("wget_buf: %d\n",sizeof(G.wget_buf));
231+ if (fgets(G.wget_buf, sizeof(G.wget_buf), fp) == NULL){
232+ bb_error_msg_and_die("error getting response: %d %s",errno, strerror(errno));
233+ }
234 clear_alarm();
235
236+ printf("wget fgets_trim_sanitize 3\n");
237 buf_ptr = strchrnul(G.wget_buf, '\n');
238+ printf("wget fgets_trim_sanitize 4\n");
239 c = *buf_ptr;
240 #if 1
241 /* Disallow any control chars: trim at first char < 0x20 */
242@@ -504,10 +568,12 @@ static char fgets_trim_sanitize(FILE *fp, const char *fmt)
243 *buf_ptr = '\0';
244 #endif
245
246+ printf("wget fgets_trim_sanitize 7\n");
247 log_io("< %s", G.wget_buf);
248
249 if (fmt && (option_mask32 & WGET_OPT_SERVER_RESPONSE))
250 fprintf(stderr, fmt, G.wget_buf);
251+ printf("wget fgets_trim_sanitize 8\n");
252
253 return c;
254 }
255@@ -636,6 +702,46 @@ static void parse_url(const char *src_url, struct host_info *h)
256 */
257 }
258
259+static int tls_sanitized_hdr(struct tls *ctx, char* start, char **header, char **value)
260+{
261+ printf("wget tls_sanitized_hdr 1\n");
262+ printf("wget_buf was: %s\n",G.wget_buf);
263+ char c;
264+ char *s;
265+ //c = tlsgets_trim_sanitize(ctx, " %s\n");
266+ if(*start =='\n'){
267+ printf("Found end of headers\n");
268+ return 0;
269+ }
270+ if(G.wget_buf[0] == '\0')
271+ return -1;
272+ printf("While getting header, buf was: %s\n", G.wget_buf);
273+ *header = G.wget_buf;
274+ /* Convert to lowercase */
275+ for(s = G.wget_buf; isalnum(*s) || *s == '-' || *s == '.' || *s == '_'; ++s)
276+ *s |= 0x20;
277+ /* Find seperator */
278+ if(*s != ':')
279+ bb_error_msg_and_die("Bad header line: %s", G.wget_buf);
280+ *s++ = '\0';
281+ s = skip_whitespace(s);
282+ *value = s;
283+ s = strchr(s,'\n');
284+ if(*s == NULL) {
285+ printf("Buffer too small!\n");
286+ while (tls_read(ctx, &c, sizeof(char)) == 1 && c != '\n')
287+ /*Consume the rest of the header */;
288+ }
289+ if (c != '\n'){
290+ printf("buffer too small!\n");
291+ while (tls_read(ctx,&c,sizeof(char)) == 1 && c != EOF && c != '\n')
292+ /* Rats! The buffer isn't big enough to hold the entire header value */
293+ printf(".");
294+ }
295+ printf("wget tls_sanitized_hdr 2\n");
296+ return hdrval;
297+}
298+
299 static char *get_sanitized_hdr(FILE *fp)
300 {
301 char *s, *hdrval;
302@@ -689,6 +795,7 @@ static void reset_beg_range_to_zero(void)
303 } 164 }
304 165
305 #if ENABLE_FEATURE_WGET_OPENSSL 166 #if ENABLE_FEATURE_WGET_OPENSSL
306+# if !ENABLE_PLATFORM_MINGW32 167+#include <tls.h>
168+#include <winsock2.h>
169+/*
307 static int spawn_https_helper_openssl(const char *host, unsigned port) 170 static int spawn_https_helper_openssl(const char *host, unsigned port)
308 { 171 {
309 char *allocated = NULL; 172 char *allocated = NULL;
310@@ -777,6 +884,38 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) 173@@ -698,7 +743,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
174 IF_FEATURE_WGET_HTTPS(volatile int child_failed = 0;)
175
176 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0)
177- /* Kernel can have AF_UNIX support disabled */
178+ // Kernel can have AF_UNIX support disabled /
179 bb_simple_perror_msg_and_die("socketpair");
180
181 if (!strchr(host, ':'))
182@@ -709,18 +754,18 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
183 fflush_all();
184 pid = xvfork();
185 if (pid == 0) {
186- /* Child */
187+ // Child /
188 char *argv[13];
189 char **argp;
190
191 close(sp[0]);
192 xmove_fd(sp[1], 0);
193 xdup2(0, 1);
194- /*
195- * openssl s_client -quiet -connect www.kernel.org:443 2>/dev/null
196- * It prints some debug stuff on stderr, don't know how to suppress it.
197- * Work around by dev-nulling stderr. We lose all error messages :(
198- */
199+ //
200+ // openssl s_client -quiet -connect www.kernel.org:443 2>/dev/null
201+ // It prints some debug stuff on stderr, don't know how to suppress it.
202+ // Work around by dev-nulling stderr. We lose all error messages :(
203+ //
204 xmove_fd(2, 3);
205 xopen("/dev/null", O_RDWR);
206 memset(&argv, 0, sizeof(argv));
207@@ -729,18 +774,18 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
208 argv[2] = (char*)"-quiet";
209 argv[3] = (char*)"-connect";
210 argv[4] = (char*)host;
211- /*
212- * Per RFC 6066 Section 3, the only permitted values in the
213- * TLS server_name (SNI) field are FQDNs (DNS hostnames).
214- * IPv4 and IPv6 addresses, port numbers are not allowed.
215- */
216+ //
217+ // Per RFC 6066 Section 3, the only permitted values in the
218+ // TLS server_name (SNI) field are FQDNs (DNS hostnames).
219+ // IPv4 and IPv6 addresses, port numbers are not allowed.
220+ //
221 argp = &argv[5];
222 if (!is_ip_address(servername)) {
223 *argp++ = (char*)"-servername"; //[5]
224 *argp++ = (char*)servername; //[6]
225 }
226 if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
227- /* Abort on bad server certificate */
228+ // Abort on bad server certificate /
229 *argp++ = (char*)"-verify"; //[7]
230 *argp++ = (char*)"100"; //[8]
231 *argp++ = (char*)"-verify_return_error"; //[9]
232@@ -762,10 +807,10 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
233 # else
234 bb_perror_msg_and_die("can't execute '%s'", argv[0]);
235 # endif
236- /* notreached */
237+ // notreached /
238 }
239
240- /* Parent */
241+ // Parent /
242 free(servername);
243 free(allocated);
244 close(sp[1]);
245@@ -777,6 +822,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
311 # endif 246 # endif
312 return sp[0]; 247 return sp[0];
313 } 248 }
314+# else 249+*/
315+#include <tls.h>
316+#include <winsock2.h>
317+static int spawn_https_helper_openssl(const char *host, unsigned port)
318+{
319+ char* allocated = NULL;
320+ char *servername, *cmd;
321+ int sp[2];
322+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0)
323+ bb_simple_perror_msg_and_die("socketpair");
324+
325+ if(!strchr(host,":"))
326+ host = allocated = xasprintf("%s:%u",host,port);
327+ servername = xstrdup(host);
328+ fflush_all();
329+
330+ struct tls *ctx = tls_client();
331+ if(ctx == NULL)
332+ bb_error_msg_and_die("Out of memory 1");
333+ struct tls_config *config = tls_config_new();
334+ if(config == NULL)
335+ bb_error_msg_and_die("Out of memory 2");
336+ if(tls_configure(ctx,config) != 0)
337+ bb_error_msg_and_die("Failed to configure client");
338+ tls_connect_fds(ctx, sp[0], sp[1], servername);
339+ tls_config_free(config);
340+ free(allocated);
341+ free(servername);
342+ printf("Connected sp %s\n");
343+ return sp[0];
344+}
345+# endif
346 #endif 250 #endif
347 251
348 #if ENABLE_FEATURE_WGET_HTTPS 252 #if ENABLE_FEATURE_WGET_HTTPS
349@@ -1151,6 +1290,7 @@ static void download_one_url(const char *url) 253@@ -1230,26 +1276,51 @@ static void download_one_url(const char *url)
350 server.user = NULL;
351 target.user = NULL;
352
353+ printf("wget download_one_url 1\n");
354 parse_url(url, &target);
355
356 /* Use the proxy if necessary */
357@@ -1172,6 +1312,7 @@ static void download_one_url(const char *url)
358 server.host = target.host;
359 }
360 }
361+ printf("wget download_one_url 2\n");
362
363 if (ENABLE_FEATURE_IPV6)
364 strip_ipv6_scope_id(target.host);
365@@ -1191,6 +1332,7 @@ static void download_one_url(const char *url)
366 G.fname_out = fname_out_alloc = xstrdup(G.fname_out);
367 }
368 }
369+ printf("wget download_one_url 3\n");
370 #if ENABLE_FEATURE_WGET_STATUSBAR
371 G.curfile = bb_get_last_path_component_nostrip(G.fname_out);
372 #endif
373@@ -1206,15 +1348,19 @@ static void download_one_url(const char *url)
374 * We are not sure it exists on remote side */
375 }
376
377+ printf("wget download_one_url 4\n");
378 redir_limit = 16;
379 resolve_lsa:
380+ printf("wget download_one_url 5\n");
381 lsa = xhost2sockaddr(server.host, server.port);
382 if (!(option_mask32 & WGET_OPT_QUIET)) {
383 char *s = xmalloc_sockaddr2dotted(&lsa->u.sa);
384 fprintf(stderr, "Connecting to %s (%s)\n", server.host, s);
385 free(s);
386 }
387+ printf("wget download_one_url 6\n");
388 establish_session:
389+ printf("wget download_one_url 7\n");
390 /*G.content_len = 0; - redundant, got_clen = 0 is enough */
391 G.got_clen = 0;
392 G.chunked = 0;
393@@ -1229,37 +1375,64 @@ static void download_one_url(const char *url)
394
395 /* Open socket to http(s) server */ 254 /* Open socket to http(s) server */
396 #if ENABLE_FEATURE_WGET_OPENSSL 255 #if ENABLE_FEATURE_WGET_OPENSSL
397+ printf("wget download_one_url 8\n");
398 /* openssl (and maybe internal TLS) support is configured */ 256 /* openssl (and maybe internal TLS) support is configured */
399+ struct tls *ctx; 257+ struct tls *ctx;
400 if (server.protocol == P_HTTPS) { 258 if (server.protocol == P_HTTPS) {
@@ -402,21 +260,21 @@ index 6a64836fb..918ad6812 100644
402 * Inconvenient API since we can't give it an open fd 260 * Inconvenient API since we can't give it an open fd
403 */ 261 */
404- int fd = spawn_https_helper_openssl(server.host, server.port); 262- int fd = spawn_https_helper_openssl(server.host, server.port);
405-# if ENABLE_FEATURE_WGET_HTTPS 263+ //int fd = spawn_https_helper_openssl(server.host, server.port);
264 # if ENABLE_FEATURE_WGET_HTTPS
406- if (fd < 0) { /* no openssl? try internal */ 265- if (fd < 0) { /* no openssl? try internal */
407- sfp = open_socket(lsa); 266- sfp = open_socket(lsa);
408- spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0); 267- spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0);
409- goto socket_opened; 268- goto socket_opened;
410+ printf("wget download_one_url 9\n"); 269- }
411+ //int fd = spawn_https_helper_openssl(server.host, server.port); 270+ char *allocated, *servername, *host, *pemmem;
412+ char *allocated, *servername, *p, *host; 271+ struct tls_config *config;
413+ if(!strchr(server.host, ":")) 272+ if(!strchr(server.host, ':'))
414+ host = allocated = xasprintf("%s:%u", server.host, server.port); 273+ host = allocated = xasprintf("%s:%u", server.host, server.port);
415+ servername = xstrdup(host); 274+ servername = xstrdup(host);
416+ ctx = tls_client(); 275+ ctx = tls_client();
417+ if(ctx == NULL) 276+ if(ctx == NULL)
418+ bb_error_msg_and_die("Out of memory 1"); 277+ bb_error_msg_and_die("Out of memory 1");
419+ struct tls_config *config;
420+ config = tls_config_new(); 278+ config = tls_config_new();
421+ if(config == NULL) 279+ if(config == NULL)
422+ bb_error_msg_and_die("Out of memory 2"); 280+ bb_error_msg_and_die("Out of memory 2");
@@ -424,287 +282,73 @@ index 6a64836fb..918ad6812 100644
424+ bb_error_msg_and_die("Failed to set ca path"); 282+ bb_error_msg_and_die("Failed to set ca path");
425+ if(tls_config_set_ca_file(config, "cert.pem") != 0) 283+ if(tls_config_set_ca_file(config, "cert.pem") != 0)
426+ bb_error_msg_and_die("Failed to set ca file"); 284+ bb_error_msg_and_die("Failed to set ca file");
285+ gather_certificates(config);
427+ if(tls_configure(ctx,config) != 0) 286+ if(tls_configure(ctx,config) != 0)
428+ bb_error_msg_and_die("Failed to configure client"); 287+ bb_error_msg_and_die("Failed to configure client");
429+ sfp = tmpfile(); 288+ sfp = tmpfile();
430+ dfp = tmpfile(); 289+ dfp = tmpfile();
431+ printf("TLS connection to %s\n", server.host);
432+ if(tls_connect(ctx, servername, NULL) != 0) 290+ if(tls_connect(ctx, servername, NULL) != 0)
433+ bb_error_msg_and_die("Failed to connect: %s", tls_error(ctx)); 291+ bb_error_msg_and_die("Failed to connect: %s", tls_error(ctx));
292+ free(pemmem);
434+ tls_config_free(config); 293+ tls_config_free(config);
435+ free(allocated); 294+ free(allocated);
436+ free(servername); 295+ free(servername);
437+ printf("wget download_one_url 10\n");
438+ printf("wget download_one_url 13\n");
439+ //sfp = fdopen(fd, "r+"); 296+ //sfp = fdopen(fd, "r+");
440+ if (!sfp){ 297+ if (!sfp)
441+ bb_error_msg_and_die("Error opening fd: %s",strerror(errno)); 298+ bb_error_msg_and_die("Error opening fd: %s",strerror(errno));
442 } 299 # else
443-# else 300 /* We don't check for exec("openssl") failure in this case */
444- /* We don't check for exec("openssl") failure in this case */ 301 # endif
445-# endif
446- sfp = fdopen(fd, "r+"); 302- sfp = fdopen(fd, "r+");
447- if (!sfp) 303- if (!sfp)
448- bb_die_memory_exhausted(); 304- bb_die_memory_exhausted();
449+ printf("wget download_one_url 14\n"); 305+ //sfp = fdopen(fd, "r+");
306+ //if (!sfp)
307+ // bb_die_memory_exhausted();
450 goto socket_opened; 308 goto socket_opened;
451 } 309 }
452- sfp = open_socket(lsa); 310- sfp = open_socket(lsa);
453+ printf("wget download_one_url 15\n");
454+ //sfp = open_socket(lsa); 311+ //sfp = open_socket(lsa);
455 socket_opened: 312 socket_opened:
456 #elif ENABLE_FEATURE_WGET_HTTPS 313 #elif ENABLE_FEATURE_WGET_HTTPS
457 /* Only internal TLS support is configured */ 314 /* Only internal TLS support is configured */
458+ printf("wget download_one_url 16\n"); 315@@ -1353,7 +1424,35 @@ static void download_one_url(const char *url)
459 sfp = open_socket(lsa);
460 if (server.protocol == P_HTTPS)
461 spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0);
462 #else
463+ printf("wget download_one_url 17\n");
464 /* ssl (https) support is not configured */
465 sfp = open_socket(lsa);
466 #endif
467+ printf("wget download_one_url 18\n");
468 /* Send HTTP request */
469 if (use_proxy) {
470 SENDFMT(sfp, "GET %s://%s/%s HTTP/1.1\r\n",
471@@ -1270,6 +1443,7 @@ static void download_one_url(const char *url)
472 (option_mask32 & WGET_OPT_POST) ? "POST" : "GET",
473 target.path);
474 }
475+ printf("wget download_one_url 19\n");
476 if (!USR_HEADER_HOST)
477 SENDFMT(sfp, "Host: %s\r\n", target.host);
478 if (!USR_HEADER_USER_AGENT)
479@@ -1280,6 +1454,7 @@ static void download_one_url(const char *url)
480 */
481 SENDFMT(sfp, "Connection: close\r\n");
482
483+ printf("wget download_one_url 20\n");
484 #if ENABLE_FEATURE_WGET_AUTHENTICATION
485 if (target.user && !USR_HEADER_AUTH) {
486 SENDFMT(sfp, "Proxy-Authorization: Basic %s\r\n"+6,
487@@ -1291,6 +1466,7 @@ static void download_one_url(const char *url)
488 }
489 #endif
490
491+ printf("wget download_one_url 21\n");
492 if (G.beg_range != 0 && !USR_HEADER_RANGE)
493 SENDFMT(sfp, "Range: bytes=%"OFF_FMT"u-\r\n", G.beg_range);
494
495@@ -1300,6 +1476,7 @@ static void download_one_url(const char *url)
496 fputs(G.extra_headers, sfp);
497 }
498
499+ printf("wget download_one_url 22\n");
500 if (option_mask32 & WGET_OPT_POST_FILE) {
501 int fd = xopen_stdin(G.post_file);
502 G.post_data = xmalloc_read(fd, NULL);
503@@ -1314,15 +1491,18 @@ static void download_one_url(const char *url)
504 );
505 }
506 # if ENABLE_PLATFORM_MINGW32
507+ printf("wget download_one_url 23\n");
508 if (!USR_HEADER_CONTENT_LENGTH)
509 SENDFMT(sfp, "Content-Length: %u\r\n",
510 (int)strlen(G.post_data)
511 );
512+ printf("wget download_one_url 24\n");
513 SENDFMT(sfp,
514 "\r\n"
515 "%s",
516 G.post_data
517 );
518+ printf("wget download_one_url 25\n");
519 } else
520 # else
521 SENDFMT(sfp,
522@@ -1338,6 +1518,7 @@ static void download_one_url(const char *url)
523 SENDFMT(sfp, "\r\n");
524 }
525
526+ printf("wget download_one_url 26\n");
527 fflush(sfp);
528
529 /* Tried doing this unconditionally.
530@@ -1345,31 +1526,55 @@ static void download_one_url(const char *url)
531 */
532 #if SSL_SUPPORTED
533 if (target.protocol == P_HTTPS) {
534+ printf("wget download_one_url 26-2\n");
535 /* If we use SSL helper, keeping our end of the socket open for writing
536 * makes our end (i.e. the same fd!) readable (EAGAIN instead of EOF)
537 * even after child closes its copy of the fd.
538 * This helps:
539 */
540 shutdown(fileno(sfp), SHUT_WR); 316 shutdown(fileno(sfp), SHUT_WR);
541+ printf("wget download_one_url 26-3\n");
542 } 317 }
543 #endif 318 #endif
544- 319-
545+
546+ //How much data did we actually get? 320+ //How much data did we actually get?
547+ size_t wlen = ftell(sfp); 321+ size_t wlen, bufsize;
548+ char *outbuf = (char*)malloc(sizeof(char) * wlen); 322+ wlen = ftell(sfp);
323+ bufsize = 4096;
324+ char buf[bufsize];
325+ char *outbuf;
326+ outbuf = (char*)malloc(sizeof(char) * wlen);
549+ rewind(sfp); 327+ rewind(sfp);
550+ if(fread(outbuf, sizeof(char), wlen, sfp) < wlen) 328+ rewind(dfp);
551+ bb_error_msg_and_die("Failed to read tmpfile: %s\n", strerror(errno)); 329+ if(fread(outbuf, sizeof(char), wlen, sfp) < wlen)
330+ bb_error_msg_and_die("Failed to read tmpfile: %s", strerror(errno));
552+ if(tls_write(ctx, outbuf, wlen) < wlen) 331+ if(tls_write(ctx, outbuf, wlen) < wlen)
553+ bb_error_msg_and_die("Failed to write:%s\n",tls_error(ctx)); 332+ bb_error_msg_and_die("Failed to write:%s",tls_error(ctx));
554+ 333+ ssize_t len;
555+ printf("About to seek\n"); 334+ len = TLS_WANT_POLLIN;
556+ fseek(dfp,0,SEEK_END); 335+ while(len == TLS_WANT_POLLIN || len > 0){
557+ printf("Done seeking...\n"); 336+ len = tls_read(ctx, buf, bufsize);
558+ long dflen = ftell(dfp); 337+ if(len == -1)
559+ printf("wget download_one_url dflen: %ld\n", dflen); 338+ bb_error_msg_and_die("Failed tls read: %s", tls_error(ctx));
560+ long sflen = ftell(sfp); 339+ if (len != TLS_WANT_POLLIN){
561+ printf("wget download_one_url sflen: %ld\n", sflen); 340+ wlen = fwrite(buf, sizeof(char), len, dfp);
341+ if(wlen != len)
342+ bb_error_msg_and_die("Failed to write to tempfile: (%zu) (%zd) %s", wlen, len, strerror(errno));
343+ }
344+ }
345+ if(len == -1)
346+ bb_error_msg_and_die("tls read error: %s", tls_error(ctx));
562+ rewind(dfp); 347+ rewind(dfp);
563+ sfp = dfp; 348+ sfp = dfp;
564 /* 349 /*
565 * Retrieve HTTP response line and check for "200" status code. 350 * Retrieve HTTP response line and check for "200" status code.
566 */ 351 */
567 read_response:
568- fgets_trim_sanitize(sfp, " %s\n");
569+ printf("wget download_one_url 27\n");
570+ tlsgets_trim_sanitize(ctx, " %s\n");
571+ printf("wget download_one_url 27-1\n");
572
573 str = G.wget_buf;
574+ printf("wget_buf was: %s\n",G.wget_buf);
575 str = skip_non_whitespace(str);
576 str = skip_whitespace(str);
577 // FIXME: no error check
578 // xatou wouldn't work: "200 OK"
579 status = atoi(str);
580+ printf("Status was: %d\n",status);
581 switch (status) {
582 case 0:
583 case 100:
584- while (get_sanitized_hdr(sfp) != NULL)
585+ while (tls_sanitized_hdr(ctx) != NULL)
586 /* eat all remaining headers */;
587 goto read_response;
588
589@@ -1441,7 +1646,13 @@ However, in real world it was observed that some web servers
590 /*
591 * Retrieve HTTP headers.
592 */
593- while ((str = get_sanitized_hdr(sfp)) != NULL) {
594+ printf("wget download_one_url 28\n");
595+ printf("At this point wget_buf is: %s\n",G.wget_buf);
596+ str = strchr(str,'\n');
597+ char *header, *value;
598+ while (tls_sanitized_hdr(ctx, str, &header, &value) > 0) {
599+ printf("wget Retreiving the next part of the headers\n");
600+ printf("wget str was: %s\n", str);
601 static const char keywords[] ALIGN1 =
602 "content-length\0""transfer-encoding\0""location\0";
603 enum {
604@@ -1453,6 +1664,7 @@ However, in real world it was observed that some web servers
605
606 /* strip trailing whitespace */
607 char *s = strchrnul(str, '\0') - 1;
608+ printf("Stripping whitespace at %s\n", s);
609 while (s >= str && (*s == ' ' || *s == '\t')) {
610 *s = '\0';
611 s--;
612@@ -1460,6 +1672,7 @@ However, in real world it was observed that some web servers
613 key = index_in_strings(keywords, G.wget_buf) + 1;
614 if (key == KEY_content_length) {
615 G.content_len = BB_STRTOOFF(str, NULL, 10);
616+ printf("Got content length: %jd\n", G.content_len);
617 if (G.content_len < 0 || errno) {
618 bb_error_msg_and_die("content-length %s is garbage", str);
619 }
620@@ -1469,6 +1682,7 @@ However, in real world it was observed that some web servers
621 if (key == KEY_transfer_encoding) {
622 if (strcmp(str_tolower(str), "chunked") != 0)
623 bb_error_msg_and_die("transfer encoding '%s' is not supported", str);
624+ printf("Got transfer encodeing: chunked\n");
625 G.chunked = 1;
626 }
627 if (key == KEY_location && status >= 300) {
628@@ -1494,9 +1708,11 @@ However, in real world it was observed that some web servers
629 goto resolve_lsa;
630 } /* else: lsa stays the same: we use proxy */
631 }
632+ printf("Got location header: %s\n",target.path);
633 goto establish_session;
634 }
635 }
636+ printf("wget download_one_url 29\n");
637 // if (status >= 300)
638 // bb_error_msg_and_die("bad redirection (no Location: header from server)");
639
640@@ -1514,6 +1730,7 @@ However, in real world it was observed that some web servers
641
642 free(lsa);
643
644+ printf("wget download_one_url 30\n");
645 if (!(option_mask32 & WGET_OPT_SPIDER)) {
646 if (G.output_fd < 0)
647 G.output_fd = xopen(G.fname_out, G.o_flags);
648@@ -1536,6 +1753,7 @@ However, in real world it was observed that some web servers
649 /* ftpcmd("QUIT", NULL, sfp); - why bother? */
650 }
651 #endif
652+ printf("wget download_one_url 31\n");
653 fclose(sfp);
654
655 free(server.allocated);
656@@ -1544,11 +1762,13 @@ However, in real world it was observed that some web servers
657 free(target.user);
658 free(fname_out_alloc);
659 free(redirected_path);
660+ printf("wget download_one_url 32\n");
661 }
662
663 int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
664 int wget_main(int argc UNUSED_PARAM, char **argv)
665 {
666+ printf("wget main 1\n");
667 #if ENABLE_FEATURE_WGET_LONG_OPTIONS
668 static const char wget_longopts[] ALIGN1 =
669 /* name, has_arg, val */
670@@ -1590,6 +1810,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0")
671 #endif
672
673 INIT_G();
674+ printf("wget main 2\n");
675
676 #if ENABLE_FEATURE_WGET_TIMEOUT
677 G.timeout_seconds = 900;
678@@ -1626,6 +1847,8 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0")
679 IF_FEATURE_WGET_LONG_OPTIONS(, &G.post_data)
680 IF_FEATURE_WGET_LONG_OPTIONS(, &G.post_file)
681 );
682+
683+ printf("wget main 3\n");
684 #if 0 /* option bits debug */
685 if (option_mask32 & WGET_OPT_RETRIES) bb_error_msg("-t NUM");
686 if (option_mask32 & WGET_OPT_nsomething) bb_error_msg("-nsomething");
687@@ -1670,6 +1893,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0")
688 }
689 #endif
690
691+ printf("wget main 4\n");
692 G.output_fd = -1;
693 G.o_flags = O_WRONLY | O_CREAT | O_TRUNC | O_EXCL;
694 if (G.fname_out) { /* -O FILE ? */
695@@ -1691,8 +1915,11 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0")
696 }
697 }
698
699- while (*argv)
700+ printf("wget main 5\n");
701+ while (*argv) {
702+ printf("wget main 5-%s\n",argv);
703 download_one_url(*argv++);
704+ }
705
706 if (G.output_fd >= 0)
707 xclose(G.output_fd);
708diff --git a/scripts/trylink b/scripts/trylink 352diff --git a/scripts/trylink b/scripts/trylink
709index 2456252a3..6186284f1 100755 353index 2456252a3..6186284f1 100755
710--- a/scripts/trylink 354--- a/scripts/trylink
diff --git a/libressl2.patch b/libressl2.patch
deleted file mode 100644
index be030ab..0000000
--- a/libressl2.patch
+++ /dev/null
@@ -1,405 +0,0 @@
1diff --git a/include/libbb.h b/include/libbb.h
2index bc1453e12..69f76cbb3 100644
3--- a/include/libbb.h
4+++ b/include/libbb.h
5@@ -962,7 +962,7 @@ static inline tls_state_t *new_tls_state(void)
6 tls_state_t *tls = xzalloc(sizeof(*tls));
7 return tls;
8 }
9-void tls_handshake(tls_state_t *tls, const char *sni) FAST_FUNC;
10+//void tls_handshake(tls_state_t *tls, const char *sni) FAST_FUNC;
11 #define TLSLOOP_EXIT_ON_LOCAL_EOF (1 << 0)
12 void tls_run_copy_loop(tls_state_t *tls, unsigned flags) FAST_FUNC;
13
14diff --git a/networking/ssl_client.c b/networking/ssl_client.c
15index 757745896..38163440f 100644
16--- a/networking/ssl_client.c
17+++ b/networking/ssl_client.c
18@@ -69,7 +69,7 @@ int ssl_client_main(int argc UNUSED_PARAM, char **argv)
19 }
20 #endif
21
22- tls_handshake(tls, sni);
23+ //tls_handshake(tls, sni);
24
25 BUILD_BUG_ON(TLSLOOP_EXIT_ON_LOCAL_EOF != 1);
26 tls_run_copy_loop(tls, /*flags*/ opt & 1);
27diff --git a/networking/tls.c b/networking/tls.c
28index 9f1dd67ec..60e1afe99 100644
29--- a/networking/tls.c
30+++ b/networking/tls.c
31@@ -2221,6 +2221,7 @@ static void send_client_finished(tls_state_t *tls)
32 xwrite_encrypted(tls, sizeof(*record), RECORD_TYPE_HANDSHAKE);
33 }
34
35+/*
36 void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
37 {
38 // Client RFC 5246 Server
39@@ -2291,8 +2292,8 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
40 // defined in Section 7.4.2."
41 // (i.e. the same format as server certs)
42
43- /*send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) */
44- /* need to hash _all_ server replies first, up to ServerHelloDone */
45+ //send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) /
46+ // need to hash _all_ server replies first, up to ServerHelloDone /
47 len = tls_xread_handshake_block(tls, 4);
48 }
49
50@@ -2308,13 +2309,13 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
51 send_client_key_exchange(tls);
52
53 send_change_cipher_spec(tls);
54- /* from now on we should send encrypted */
55- /* tls->write_seq64_be = 0; - already is */
56+ // from now on we should send encrypted /
57+ // tls->write_seq64_be = 0; - already is /
58 tls->flags |= ENCRYPT_ON_WRITE;
59
60 send_client_finished(tls);
61
62- /* Get CHANGE_CIPHER_SPEC */
63+ // Get CHANGE_CIPHER_SPEC /
64 len = tls_xread_record(tls, "switch to encrypted traffic");
65 if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0)
66 bad_record_die(tls, "switch to encrypted traffic", len);
67@@ -2327,29 +2328,30 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
68 } else
69 if (!(tls->flags & ENCRYPTION_AESGCM)) {
70 unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE;
71- /* all incoming packets now should be encrypted and have
72- * at least IV + (MAC padded to blocksize):
73- */
74+ // all incoming packets now should be encrypted and have
75+ // at least IV + (MAC padded to blocksize):
76+ //
77 tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE);
78 } else {
79 tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE;
80 }
81 dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read);
82
83- /* Get (encrypted) FINISHED from the server */
84+ // Get (encrypted) FINISHED from the server /
85 len = tls_xread_record(tls, "'server finished'");
86 if (len < 4 || tls->inbuf[RECHDR_LEN] != HANDSHAKE_FINISHED)
87 bad_record_die(tls, "'server finished'", len);
88 dbg("<< FINISHED\n");
89- /* application data can be sent/received */
90+ // application data can be sent/received /
91
92- /* free handshake data */
93+ // free handshake data /
94 psRsaKey_clear(&tls->hsd->server_rsa_pub_key);
95 // if (PARANOIA)
96 // memset(tls->hsd, 0, tls->hsd->hsd_size);
97 free(tls->hsd);
98 tls->hsd = NULL;
99 }
100+*/
101
102 static void tls_xwrite(tls_state_t *tls, int len)
103 {
104diff --git a/networking/wget.c b/networking/wget.c
105index 6a64836fb..03de9336c 100644
106--- a/networking/wget.c
107+++ b/networking/wget.c
108@@ -1,4 +1,3 @@
109-/* vi: set sw=4 ts=4: */
110 /*
111 * wget - retrieve a file using HTTP or FTP
112 *
113@@ -460,6 +459,56 @@ static FILE *open_socket(len_and_sockaddr *lsa)
114 return fp;
115 }
116
117+#if ENABLE_PLATFORM_MINGW32
118+/* Use windows installed certificates for wget */
119+#include <openssl/ssl.h>
120+#include <openssl/x509.h>
121+#include <wincrypt.h>
122+void gather_certificates(struct tls_config *cfg)
123+{
124+ printf("Gathering certificates\n");
125+ FILE *pemfile;
126+ pemfile = tmpfile();
127+ HCERTSTORE dstore;
128+ dstore = CertOpenSystemStore(0,"ROOT");
129+ size_t numcerts;
130+ if(!dstore)
131+ bb_error_msg_and_die("Error opening 'CA' cert store");
132+ PCCERT_CONTEXT ctx = NULL;
133+ size_t certs_len;
134+ printf("About to start looping\n");
135+ for(;;)
136+ {
137+ printf("About to start top of the loop\n");
138+ ctx = CertEnumCertificatesInStore(dstore,ctx);
139+ if(!ctx)
140+ break;
141+ char *dcert = ctx->pbCertEncoded;
142+ size_t dcert_len = ctx->cbCertEncoded;
143+ X509 *x509cert;
144+ x509cert = d2i_X509(NULL,&dcert,dcert_len);
145+ if(x509cert == NULL)
146+ bb_error_msg_and_die("Failed to convert cert");
147+ if(!PEM_write_X509(pemfile, x509cert))
148+ bb_error_msg_and_die("Failed to write cert");
149+ X509_free(x509cert);
150+ printf("Bottom of the loop\n");
151+ }
152+ printf("Out of the loop\n");
153+ CertCloseStore(dstore, CERT_CLOSE_STORE_CHECK_FLAG);
154+ size_t pemsize = ftell(pemfile);
155+ char *pemmem = (char*)malloc(pemsize);
156+ if(pemmem == NULL)
157+ bb_error_msg_and_die("out of memory");
158+ rewind(pemfile);
159+ if(fread(pemmem, sizeof(char), pemsize, pemfile) != pemsize)
160+ bb_error_msg_and_die("Failed to read temp ca pem file");
161+ printf("About to set ca, it is: %s\n",pemmem);
162+ tls_config_set_ca_mem(cfg, pemmem, pemsize);
163+ printf("Done configuring ca\n");
164+}
165+#endif
166+
167 /* We balk at any control chars in other side's messages.
168 * This prevents nasty surprises (e.g. ESC sequences) in "Location:" URLs
169 * and error messages.
170@@ -689,6 +738,9 @@ static void reset_beg_range_to_zero(void)
171 }
172
173 #if ENABLE_FEATURE_WGET_OPENSSL
174+#include <tls.h>
175+#include <winsock2.h>
176+/*
177 static int spawn_https_helper_openssl(const char *host, unsigned port)
178 {
179 char *allocated = NULL;
180@@ -698,7 +750,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
181 IF_FEATURE_WGET_HTTPS(volatile int child_failed = 0;)
182
183 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0)
184- /* Kernel can have AF_UNIX support disabled */
185+ // Kernel can have AF_UNIX support disabled /
186 bb_simple_perror_msg_and_die("socketpair");
187
188 if (!strchr(host, ':'))
189@@ -709,18 +761,18 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
190 fflush_all();
191 pid = xvfork();
192 if (pid == 0) {
193- /* Child */
194+ // Child /
195 char *argv[13];
196 char **argp;
197
198 close(sp[0]);
199 xmove_fd(sp[1], 0);
200 xdup2(0, 1);
201- /*
202- * openssl s_client -quiet -connect www.kernel.org:443 2>/dev/null
203- * It prints some debug stuff on stderr, don't know how to suppress it.
204- * Work around by dev-nulling stderr. We lose all error messages :(
205- */
206+ //
207+ // openssl s_client -quiet -connect www.kernel.org:443 2>/dev/null
208+ // It prints some debug stuff on stderr, don't know how to suppress it.
209+ // Work around by dev-nulling stderr. We lose all error messages :(
210+ //
211 xmove_fd(2, 3);
212 xopen("/dev/null", O_RDWR);
213 memset(&argv, 0, sizeof(argv));
214@@ -729,18 +781,18 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
215 argv[2] = (char*)"-quiet";
216 argv[3] = (char*)"-connect";
217 argv[4] = (char*)host;
218- /*
219- * Per RFC 6066 Section 3, the only permitted values in the
220- * TLS server_name (SNI) field are FQDNs (DNS hostnames).
221- * IPv4 and IPv6 addresses, port numbers are not allowed.
222- */
223+ //
224+ // Per RFC 6066 Section 3, the only permitted values in the
225+ // TLS server_name (SNI) field are FQDNs (DNS hostnames).
226+ // IPv4 and IPv6 addresses, port numbers are not allowed.
227+ //
228 argp = &argv[5];
229 if (!is_ip_address(servername)) {
230 *argp++ = (char*)"-servername"; //[5]
231 *argp++ = (char*)servername; //[6]
232 }
233 if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
234- /* Abort on bad server certificate */
235+ // Abort on bad server certificate /
236 *argp++ = (char*)"-verify"; //[7]
237 *argp++ = (char*)"100"; //[8]
238 *argp++ = (char*)"-verify_return_error"; //[9]
239@@ -762,10 +814,10 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
240 # else
241 bb_perror_msg_and_die("can't execute '%s'", argv[0]);
242 # endif
243- /* notreached */
244+ // notreached /
245 }
246
247- /* Parent */
248+ // Parent /
249 free(servername);
250 free(allocated);
251 close(sp[1]);
252@@ -777,6 +829,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
253 # endif
254 return sp[0];
255 }
256+*/
257 #endif
258
259 #if ENABLE_FEATURE_WGET_HTTPS
260@@ -1230,26 +1283,52 @@ static void download_one_url(const char *url)
261 /* Open socket to http(s) server */
262 #if ENABLE_FEATURE_WGET_OPENSSL
263 /* openssl (and maybe internal TLS) support is configured */
264+ struct tls *ctx;
265 if (server.protocol == P_HTTPS) {
266 /* openssl-based helper
267 * Inconvenient API since we can't give it an open fd
268 */
269- int fd = spawn_https_helper_openssl(server.host, server.port);
270+ //int fd = spawn_https_helper_openssl(server.host, server.port);
271 # if ENABLE_FEATURE_WGET_HTTPS
272- if (fd < 0) { /* no openssl? try internal */
273- sfp = open_socket(lsa);
274- spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0);
275- goto socket_opened;
276- }
277+ char *allocated, *servername, *host;
278+ struct tls_config *config;
279+ if(!strchr(server.host, ':'))
280+ host = allocated = xasprintf("%s:%u", server.host, server.port);
281+ servername = xstrdup(host);
282+ ctx = tls_client();
283+ if(ctx == NULL)
284+ bb_error_msg_and_die("Out of memory 1");
285+ config = tls_config_new();
286+ if(config == NULL)
287+ bb_error_msg_and_die("Out of memory 2");
288+ if(tls_config_set_ca_path(config, "certs") != 0)
289+ bb_error_msg_and_die("Failed to set ca path");
290+ if(tls_config_set_ca_file(config, "cert.pem") != 0)
291+ bb_error_msg_and_die("Failed to set ca file");
292+ gather_certificates(config);
293+ if(tls_configure(ctx,config) != 0)
294+ bb_error_msg_and_die("Failed to configure client");
295+ sfp = tmpfile();
296+ dfp = tmpfile();
297+ printf("TLS connection to %s\n", server.host);
298+ if(tls_connect(ctx, servername, NULL) != 0)
299+ bb_error_msg_and_die("Failed to connect: %s", tls_error(ctx));
300+ tls_config_free(config);
301+ free(allocated);
302+ free(servername);
303+ printf("wget download_one_url 13\n");
304+ //sfp = fdopen(fd, "r+");
305+ if (!sfp)
306+ bb_error_msg_and_die("Error opening fd: %s",strerror(errno));
307 # else
308 /* We don't check for exec("openssl") failure in this case */
309 # endif
310- sfp = fdopen(fd, "r+");
311- if (!sfp)
312- bb_die_memory_exhausted();
313+ //sfp = fdopen(fd, "r+");
314+ //if (!sfp)
315+ // bb_die_memory_exhausted();
316 goto socket_opened;
317 }
318- sfp = open_socket(lsa);
319+ //sfp = open_socket(lsa);
320 socket_opened:
321 #elif ENABLE_FEATURE_WGET_HTTPS
322 /* Only internal TLS support is configured */
323@@ -1353,7 +1432,41 @@ static void download_one_url(const char *url)
324 shutdown(fileno(sfp), SHUT_WR);
325 }
326 #endif
327-
328+ printf("wget download_one_url 14\n");
329+ //How much data did we actually get?
330+ size_t wlen, bufsize;
331+ wlen = ftell(sfp);
332+ bufsize = 4096;
333+ char buf[bufsize];
334+ char *outbuf;
335+ outbuf = (char*)malloc(sizeof(char) * wlen);
336+ rewind(sfp);
337+ rewind(dfp);
338+ if(fread(outbuf, sizeof(char), wlen, sfp) < wlen)
339+ bb_error_msg_and_die("Failed to read tmpfile: %s", strerror(errno));
340+ if(tls_write(ctx, outbuf, wlen) < wlen)
341+ bb_error_msg_and_die("Failed to write:%s",tls_error(ctx));
342+ ssize_t len;
343+ printf("wget download_one_url about to read\n");
344+ len = TLS_WANT_POLLIN;
345+ while(len == TLS_WANT_POLLIN || len > 0){
346+ printf("This loop through the read, len is %zd\n", len);
347+ len = tls_read(ctx, buf, bufsize);
348+ printf("After tls read\n");
349+ if(len == -1)
350+ bb_error_msg_and_die("Failed tls read: %s", tls_error(ctx));
351+ if (len != TLS_WANT_POLLIN){
352+ printf("Read from %zd bytes from tls: %s\n", len, buf);
353+ wlen = fwrite(buf, sizeof(char), len, dfp);
354+ if(wlen != len)
355+ bb_error_msg_and_die("Failed to write to tempfile: (%zu) (%zd) %s", wlen, len, strerror(errno));
356+ }
357+ }
358+ if(len == -1)
359+ bb_error_msg_and_die("tls read error: %s", tls_error(ctx));
360+ rewind(dfp);
361+ sfp = dfp;
362+ printf("wget download_one_url 15\n");
363 /*
364 * Retrieve HTTP response line and check for "200" status code.
365 */
366@@ -1514,6 +1627,7 @@ However, in real world it was observed that some web servers
367
368 free(lsa);
369
370+ printf("wget download_one_url 16\n");
371 if (!(option_mask32 & WGET_OPT_SPIDER)) {
372 if (G.output_fd < 0)
373 G.output_fd = xopen(G.fname_out, G.o_flags);
374diff --git a/scripts/trylink b/scripts/trylink
375index 2456252a3..6186284f1 100755
376--- a/scripts/trylink
377+++ b/scripts/trylink
378@@ -84,7 +84,8 @@ A_FILES="$6"
379 # a real utmp library in LDLIBS, dropping it "works" but resulting binary
380 # does not work properly).
381 LDLIBS="$7"
382-CONFIG_EXTRA_LDLIBS="$8"
383+shift 7
384+CONFIG_EXTRA_LDLIBS="$@"
385
386 # The --sort-section option is not supported by older versions of ld
387 SORT_SECTION="-Wl,--sort-section,alignment"
388diff --git a/win32/mingw.c b/win32/mingw.c
389index 87e7ca602..7bad3e4fa 100644
390--- a/win32/mingw.c
391+++ b/win32/mingw.c
392@@ -1214,11 +1214,13 @@ elevation_state(void)
393 return elevated | (enabled << 1);
394 }
395
396+/*
397 int getuid(void)
398 {
399 return elevation_state() == (ELEVATED_PRIVILEGE | ADMIN_ENABLED) ?
400 0 : DEFAULT_UID;
401 }
402+*/
403
404 struct passwd *getpwnam(const char *name)
405 {