summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander M Pickering <alex@cogarr.net>2024-11-15 15:26:21 -0600
committerAlexander M Pickering <alex@cogarr.net>2024-11-15 15:26:21 -0600
commitf8cdb9c7ce4a40db8763b3cd7f629bc0bd51d605 (patch)
tree22240226deefb1cd5b1d253a0f8aadf96f4ecccf
parentacd7ce751ab071d2fd2a4897e198b5ba86ef069f (diff)
downloadbusybox-w32-packaging-f8cdb9c7ce4a40db8763b3cd7f629bc0bd51d605.tar.gz
busybox-w32-packaging-f8cdb9c7ce4a40db8763b3cd7f629bc0bd51d605.tar.bz2
busybox-w32-packaging-f8cdb9c7ce4a40db8763b3cd7f629bc0bd51d605.zip
Fix the libressl patch.
Add SSL authentication to wget; use certificates from the Windows Certificate Store.
-rw-r--r--libressl.patch566
1 files changed, 169 insertions, 397 deletions
diff --git a/libressl.patch b/libressl.patch
index 9778341..00d5d4b 100644
--- a/libressl.patch
+++ b/libressl.patch
@@ -12,18 +12,10 @@ index bc1453e12..69f76cbb3 100644
12 void tls_run_copy_loop(tls_state_t *tls, unsigned flags) FAST_FUNC; 12 void tls_run_copy_loop(tls_state_t *tls, unsigned flags) FAST_FUNC;
13 13
14diff --git a/networking/ssl_client.c b/networking/ssl_client.c 14diff --git a/networking/ssl_client.c b/networking/ssl_client.c
15index 757745896..653b6f48e 100644 15index 757745896..38163440f 100644
16--- a/networking/ssl_client.c 16--- a/networking/ssl_client.c
17+++ b/networking/ssl_client.c 17+++ b/networking/ssl_client.c
18@@ -24,6 +24,7 @@ 18@@ -69,7 +69,7 @@ int ssl_client_main(int argc UNUSED_PARAM, char **argv)
19 //usage:#define ssl_client_full_usage ""
20
21 #include "libbb.h"
22+#include <tls.h>
23
24 int ssl_client_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
25 int ssl_client_main(int argc UNUSED_PARAM, char **argv)
26@@ -69,7 +70,7 @@ int ssl_client_main(int argc UNUSED_PARAM, char **argv)
27 } 19 }
28 #endif 20 #endif
29 21
@@ -32,34 +24,8 @@ index 757745896..653b6f48e 100644
32 24
33 BUILD_BUG_ON(TLSLOOP_EXIT_ON_LOCAL_EOF != 1); 25 BUILD_BUG_ON(TLSLOOP_EXIT_ON_LOCAL_EOF != 1);
34 tls_run_copy_loop(tls, /*flags*/ opt & 1); 26 tls_run_copy_loop(tls, /*flags*/ opt & 1);
35diff --git a/networking/ssl_helper-wolfssl/ssl_helper.c b/networking/ssl_helper-wolfssl/ssl_helper.c
36index 38b7b56c6..834912a68 100644
37--- a/networking/ssl_helper-wolfssl/ssl_helper.c
38+++ b/networking/ssl_helper-wolfssl/ssl_helper.c
39@@ -160,10 +160,10 @@ WOLFSSL *prepare(int sockfd)
40
41 method = wolfTLSv1_1_client_method();
42 if (method == NULL)
43- err_sys("out of memory");
44+ err_sys("out of memory 3");
45 ctx = wolfSSL_CTX_new(method);
46 if (ctx == NULL)
47- err_sys("out of memory");
48+ err_sys("out of memory 2");
49 // if (cipherList)
50 // if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
51 // err_sys("client can't set cipher list 1");
52@@ -279,7 +279,7 @@ WOLFSSL *prepare(int sockfd)
53
54 ssl = wolfSSL_new(ctx);
55 if (ssl == NULL)
56- err_sys("out of memory");
57+ err_sys("out of memory 1");
58
59 //#ifdef HAVE_SESSION_TICKET
60 // wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session");
61diff --git a/networking/tls.c b/networking/tls.c 27diff --git a/networking/tls.c b/networking/tls.c
62index 9f1dd67ec..7e8da6df2 100644 28index 9f1dd67ec..60e1afe99 100644
63--- a/networking/tls.c 29--- a/networking/tls.c
64+++ b/networking/tls.c 30+++ b/networking/tls.c
65@@ -2221,6 +2221,7 @@ static void send_client_finished(tls_state_t *tls) 31@@ -2221,6 +2221,7 @@ static void send_client_finished(tls_state_t *tls)
@@ -76,8 +42,8 @@ index 9f1dd67ec..7e8da6df2 100644
76 42
77- /*send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) */ 43- /*send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) */
78- /* need to hash _all_ server replies first, up to ServerHelloDone */ 44- /* need to hash _all_ server replies first, up to ServerHelloDone */
79+ //send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) 45+ //send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) /
80+ //need to hash _all_ server replies first, up to ServerHelloDone 46+ // need to hash _all_ server replies first, up to ServerHelloDone /
81 len = tls_xread_handshake_block(tls, 4); 47 len = tls_xread_handshake_block(tls, 4);
82 } 48 }
83 49
@@ -87,18 +53,18 @@ index 9f1dd67ec..7e8da6df2 100644
87 send_change_cipher_spec(tls); 53 send_change_cipher_spec(tls);
88- /* from now on we should send encrypted */ 54- /* from now on we should send encrypted */
89- /* tls->write_seq64_be = 0; - already is */ 55- /* tls->write_seq64_be = 0; - already is */
90+ // from now on we should send encrypted 56+ // from now on we should send encrypted /
91+ // tls->write_seq64_be = 0; - already is 57+ // tls->write_seq64_be = 0; - already is /
92 tls->flags |= ENCRYPT_ON_WRITE; 58 tls->flags |= ENCRYPT_ON_WRITE;
93 59
94 send_client_finished(tls); 60 send_client_finished(tls);
95 61
96- /* Get CHANGE_CIPHER_SPEC */ 62- /* Get CHANGE_CIPHER_SPEC */
97+ // Get CHANGE_CIPHER_SPEC 63+ // Get CHANGE_CIPHER_SPEC /
98 len = tls_xread_record(tls, "switch to encrypted traffic"); 64 len = tls_xread_record(tls, "switch to encrypted traffic");
99 if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0) 65 if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0)
100 bad_record_die(tls, "switch to encrypted traffic", len); 66 bad_record_die(tls, "switch to encrypted traffic", len);
101@@ -2327,29 +2328,29 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni) 67@@ -2327,29 +2328,30 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni)
102 } else 68 } else
103 if (!(tls->flags & ENCRYPTION_AESGCM)) { 69 if (!(tls->flags & ENCRYPTION_AESGCM)) {
104 unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE; 70 unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE;
@@ -107,6 +73,7 @@ index 9f1dd67ec..7e8da6df2 100644
107- */ 73- */
108+ // all incoming packets now should be encrypted and have 74+ // all incoming packets now should be encrypted and have
109+ // at least IV + (MAC padded to blocksize): 75+ // at least IV + (MAC padded to blocksize):
76+ //
110 tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE); 77 tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE);
111 } else { 78 } else {
112 tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE; 79 tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE;
@@ -114,16 +81,16 @@ index 9f1dd67ec..7e8da6df2 100644
114 dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read); 81 dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read);
115 82
116- /* Get (encrypted) FINISHED from the server */ 83- /* Get (encrypted) FINISHED from the server */
117+ // Get (encrypted) FINISHED from the server 84+ // Get (encrypted) FINISHED from the server /
118 len = tls_xread_record(tls, "'server finished'"); 85 len = tls_xread_record(tls, "'server finished'");
119 if (len < 4 || tls->inbuf[RECHDR_LEN] != HANDSHAKE_FINISHED) 86 if (len < 4 || tls->inbuf[RECHDR_LEN] != HANDSHAKE_FINISHED)
120 bad_record_die(tls, "'server finished'", len); 87 bad_record_die(tls, "'server finished'", len);
121 dbg("<< FINISHED\n"); 88 dbg("<< FINISHED\n");
122- /* application data can be sent/received */ 89- /* application data can be sent/received */
123+ // application data can be sent/received 90+ // application data can be sent/received /
124 91
125- /* free handshake data */ 92- /* free handshake data */
126+ // free handshake data 93+ // free handshake data /
127 psRsaKey_clear(&tls->hsd->server_rsa_pub_key); 94 psRsaKey_clear(&tls->hsd->server_rsa_pub_key);
128 // if (PARANOIA) 95 // if (PARANOIA)
129 // memset(tls->hsd, 0, tls->hsd->hsd_size); 96 // memset(tls->hsd, 0, tls->hsd->hsd_size);
@@ -135,41 +102,34 @@ index 9f1dd67ec..7e8da6df2 100644
135 static void tls_xwrite(tls_state_t *tls, int len) 102 static void tls_xwrite(tls_state_t *tls, int len)
136 { 103 {
137diff --git a/networking/wget.c b/networking/wget.c 104diff --git a/networking/wget.c b/networking/wget.c
138index 6a64836fb..13474abe4 100644 105index 6a64836fb..4a5b4c9f0 100644
139--- a/networking/wget.c 106--- a/networking/wget.c
140+++ b/networking/wget.c 107+++ b/networking/wget.c
141@@ -169,7 +169,11 @@ 108@@ -1,4 +1,3 @@
142 //usage: "\n -Y on/off Use proxy" 109-/* vi: set sw=4 ts=4: */
143 110 /*
144 #include "libbb.h" 111 * wget - retrieve a file using HTTP or FTP
145- 112 *
146+#include <string.h> 113@@ -460,6 +459,49 @@ static FILE *open_socket(len_and_sockaddr *lsa)
147+#include <errno.h> 114 return fp;
148+#include <tls.h> 115 }
149+#include <stdarg.h>
150+#include <stdio.h>
151 #if 0
152 # define log_io(...) bb_error_msg(__VA_ARGS__)
153 # define SENDFMT(fp, fmt, ...) \
154@@ -354,6 +358,39 @@ static ALWAYS_INLINE void progress_meter(int flag UNUSED_PARAM) {}
155 #endif
156
157 116
158+#if ENABLE_PLATFORM_MINGW32 117+#if ENABLE_PLATFORM_MINGW32
159+/* Use windows installed certificates for wget */ 118+/* Use windows installed certificates for wget */
160+#include <openssl/ssl.h> 119+#include <openssl/ssl.h>
161+#include <openssl/x509.h> 120+#include <openssl/x509.h>
162+#include <wincrypt.h> 121+#include <wincrypt.h>
163+void gather_certificates(struct tls_config *cfg) 122+char* gather_certificates(struct tls_config *cfg)
164+{ 123+{
165+ printf("Gathering certificates\n"); 124+ FILE *pemfile;
125+ pemfile = tmpfile();
166+ HCERTSTORE dstore; 126+ HCERTSTORE dstore;
167+ dstore = CertOpenSystemStore(0,"CA"); 127+ dstore = CertOpenSystemStore(0,"ROOT");
168+ size_t numcerts; 128+ size_t numcerts;
169+ if(!dstore) 129+ if(!dstore)
170+ bb_error_msg_and_die("Error opening 'CA' cert store"); 130+ bb_error_msg_and_die("Error opening 'CA' cert store");
171+ X509_STORE *store = X509_STORE_new();
172+ PCCERT_CONTEXT ctx = NULL; 131+ PCCERT_CONTEXT ctx = NULL;
132+ size_t certs_len;
173+ for(;;) 133+ for(;;)
174+ { 134+ {
175+ ctx = CertEnumCertificatesInStore(dstore,ctx); 135+ ctx = CertEnumCertificatesInStore(dstore,ctx);
@@ -178,153 +138,121 @@ index 6a64836fb..13474abe4 100644
178+ char *dcert = ctx->pbCertEncoded; 138+ char *dcert = ctx->pbCertEncoded;
179+ size_t dcert_len = ctx->cbCertEncoded; 139+ size_t dcert_len = ctx->cbCertEncoded;
180+ X509 *x509cert; 140+ X509 *x509cert;
181+ x509cert = d2i_X509(NULL,dcert,dcert_len); 141+ x509cert = d2i_X509(NULL,&dcert,dcert_len);
182+ if(x509cert == NULL) 142+ if(x509cert == NULL)
183+ bb_error_msg_and_die("Failed to convert cert"); 143+ bb_error_msg_and_die("Failed to convert cert");
184+ X509_STORE_add_cert(store,x509cert); 144+ if(!PEM_write_X509(pemfile, x509cert))
145+ bb_error_msg_and_die("Failed to write cert");
185+ X509_free(x509cert); 146+ X509_free(x509cert);
186+ } 147+ }
187+ CertCloseStore(store, CERT_CLOSE_STORE_CHECK_FLAG); 148+ CertCloseStore(dstore, CERT_CLOSE_STORE_CHECK_FLAG);
149+ size_t pemsize = ftell(pemfile);
150+ char *pemmem = (char*)malloc(pemsize);
151+ if(pemmem == NULL)
152+ bb_error_msg_and_die("out of memory");
153+ rewind(pemfile);
154+ if(fread(pemmem, sizeof(char), pemsize, pemfile) != pemsize)
155+ bb_error_msg_and_die("Failed to read temp ca pem file");
156+ tls_config_set_ca_mem(cfg, pemmem, pemsize);
188+} 157+}
189+
190+#endif 158+#endif
191 /* IPv6 knows scoped address types i.e. link and site local addresses. Link 159+
192 * local addresses can have a scope identifier to specify the 160 /* We balk at any control chars in other side's messages.
193 * interface/link an address is valid on (e.g. fe80::1%eth0). This scope 161 * This prevents nasty surprises (e.g. ESC sequences) in "Location:" URLs
194@@ -488,26 +525,35 @@ static char fgets_trim_sanitize(FILE *fp, const char *fmt) 162 * and error messages.
195 char c; 163@@ -689,6 +731,9 @@ static void reset_beg_range_to_zero(void)
196 char *buf_ptr;
197
198+ printf("wget fgets_trim_sanitize 1\n");
199 set_alarm();
200- if (fgets(G.wget_buf, sizeof(G.wget_buf), fp) == NULL)
201- bb_simple_perror_msg_and_die("error getting response");
202+ printf("wget fgets_trim_sanitize 2\n");
203+ if (fgets(G.wget_buf, sizeof(G.wget_buf), fp) == NULL){
204+ bb_error_msg_and_die("error getting response: %s",strerror(errno));
205+ }
206 clear_alarm();
207
208+ printf("wget fgets_trim_sanitize 3\n");
209 buf_ptr = strchrnul(G.wget_buf, '\n');
210+ printf("wget fgets_trim_sanitize 4\n");
211 c = *buf_ptr;
212 #if 1
213 /* Disallow any control chars: trim at first char < 0x20 */
214+ printf("wget fgets_trim_sanitize 5\n");
215 sanitize_string(G.wget_buf);
216+ printf("wget fgets_trim_sanitize 6\n");
217 #else
218 *buf_ptr = '\0';
219 buf_ptr = strchrnul(G.wget_buf, '\r');
220 *buf_ptr = '\0';
221 #endif
222
223+ printf("wget fgets_trim_sanitize 7\n");
224 log_io("< %s", G.wget_buf);
225
226 if (fmt && (option_mask32 & WGET_OPT_SERVER_RESPONSE))
227 fprintf(stderr, fmt, G.wget_buf);
228+ printf("wget fgets_trim_sanitize 8\n");
229
230 return c;
231 }
232@@ -689,6 +735,7 @@ static void reset_beg_range_to_zero(void)
233 } 164 }
234 165
235 #if ENABLE_FEATURE_WGET_OPENSSL 166 #if ENABLE_FEATURE_WGET_OPENSSL
236+# if !ENABLE_PLATFORM_MINGW32 167+#include <tls.h>
168+#include <winsock2.h>
169+/*
237 static int spawn_https_helper_openssl(const char *host, unsigned port) 170 static int spawn_https_helper_openssl(const char *host, unsigned port)
238 { 171 {
239 char *allocated = NULL; 172 char *allocated = NULL;
240@@ -777,6 +824,38 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) 173@@ -698,7 +743,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
174 IF_FEATURE_WGET_HTTPS(volatile int child_failed = 0;)
175
176 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0)
177- /* Kernel can have AF_UNIX support disabled */
178+ // Kernel can have AF_UNIX support disabled /
179 bb_simple_perror_msg_and_die("socketpair");
180
181 if (!strchr(host, ':'))
182@@ -709,18 +754,18 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
183 fflush_all();
184 pid = xvfork();
185 if (pid == 0) {
186- /* Child */
187+ // Child /
188 char *argv[13];
189 char **argp;
190
191 close(sp[0]);
192 xmove_fd(sp[1], 0);
193 xdup2(0, 1);
194- /*
195- * openssl s_client -quiet -connect www.kernel.org:443 2>/dev/null
196- * It prints some debug stuff on stderr, don't know how to suppress it.
197- * Work around by dev-nulling stderr. We lose all error messages :(
198- */
199+ //
200+ // openssl s_client -quiet -connect www.kernel.org:443 2>/dev/null
201+ // It prints some debug stuff on stderr, don't know how to suppress it.
202+ // Work around by dev-nulling stderr. We lose all error messages :(
203+ //
204 xmove_fd(2, 3);
205 xopen("/dev/null", O_RDWR);
206 memset(&argv, 0, sizeof(argv));
207@@ -729,18 +774,18 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
208 argv[2] = (char*)"-quiet";
209 argv[3] = (char*)"-connect";
210 argv[4] = (char*)host;
211- /*
212- * Per RFC 6066 Section 3, the only permitted values in the
213- * TLS server_name (SNI) field are FQDNs (DNS hostnames).
214- * IPv4 and IPv6 addresses, port numbers are not allowed.
215- */
216+ //
217+ // Per RFC 6066 Section 3, the only permitted values in the
218+ // TLS server_name (SNI) field are FQDNs (DNS hostnames).
219+ // IPv4 and IPv6 addresses, port numbers are not allowed.
220+ //
221 argp = &argv[5];
222 if (!is_ip_address(servername)) {
223 *argp++ = (char*)"-servername"; //[5]
224 *argp++ = (char*)servername; //[6]
225 }
226 if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) {
227- /* Abort on bad server certificate */
228+ // Abort on bad server certificate /
229 *argp++ = (char*)"-verify"; //[7]
230 *argp++ = (char*)"100"; //[8]
231 *argp++ = (char*)"-verify_return_error"; //[9]
232@@ -762,10 +807,10 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
233 # else
234 bb_perror_msg_and_die("can't execute '%s'", argv[0]);
235 # endif
236- /* notreached */
237+ // notreached /
238 }
239
240- /* Parent */
241+ // Parent /
242 free(servername);
243 free(allocated);
244 close(sp[1]);
245@@ -777,6 +822,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port)
241 # endif 246 # endif
242 return sp[0]; 247 return sp[0];
243 } 248 }
244+# else 249+*/
245+#include <tls.h>
246+#include <winsock2.h>
247+static int spawn_https_helper_openssl(const char *host, unsigned port)
248+{
249+ char* allocated = NULL;
250+ char *servername, *cmd;
251+ int sp[2];
252+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0)
253+ bb_simple_perror_msg_and_die("socketpair");
254+
255+ if(!strchr(host,":"))
256+ host = allocated = xasprintf("%s:%u",host,port);
257+ servername = xstrdup(host);
258+ fflush_all();
259+
260+ struct tls *ctx = tls_client();
261+ if(ctx == NULL)
262+ bb_error_msg_and_die("Out of memory 1");
263+ struct tls_config *config = tls_config_new();
264+ if(config == NULL)
265+ bb_error_msg_and_die("Out of memory 2");
266+ if(tls_configure(ctx,config) != 0)
267+ bb_error_msg_and_die("Failed to configure client");
268+ tls_connect_fds(ctx, sp[0], sp[1], servername);
269+ tls_config_free(config);
270+ free(allocated);
271+ free(servername);
272+ printf("Connected sp %s\n");
273+ return sp[0];
274+}
275+# endif
276 #endif 250 #endif
277 251
278 #if ENABLE_FEATURE_WGET_HTTPS 252 #if ENABLE_FEATURE_WGET_HTTPS
279@@ -1151,6 +1230,7 @@ static void download_one_url(const char *url) 253@@ -1230,26 +1276,51 @@ static void download_one_url(const char *url)
280 server.user = NULL;
281 target.user = NULL;
282
283+ printf("wget download_one_url 1\n");
284 parse_url(url, &target);
285
286 /* Use the proxy if necessary */
287@@ -1172,6 +1252,7 @@ static void download_one_url(const char *url)
288 server.host = target.host;
289 }
290 }
291+ printf("wget download_one_url 2\n");
292
293 if (ENABLE_FEATURE_IPV6)
294 strip_ipv6_scope_id(target.host);
295@@ -1191,6 +1272,7 @@ static void download_one_url(const char *url)
296 G.fname_out = fname_out_alloc = xstrdup(G.fname_out);
297 }
298 }
299+ printf("wget download_one_url 3\n");
300 #if ENABLE_FEATURE_WGET_STATUSBAR
301 G.curfile = bb_get_last_path_component_nostrip(G.fname_out);
302 #endif
303@@ -1206,15 +1288,19 @@ static void download_one_url(const char *url)
304 * We are not sure it exists on remote side */
305 }
306
307+ printf("wget download_one_url 4\n");
308 redir_limit = 16;
309 resolve_lsa:
310+ printf("wget download_one_url 5\n");
311 lsa = xhost2sockaddr(server.host, server.port);
312 if (!(option_mask32 & WGET_OPT_QUIET)) {
313 char *s = xmalloc_sockaddr2dotted(&lsa->u.sa);
314 fprintf(stderr, "Connecting to %s (%s)\n", server.host, s);
315 free(s);
316 }
317+ printf("wget download_one_url 6\n");
318 establish_session:
319+ printf("wget download_one_url 7\n");
320 /*G.content_len = 0; - redundant, got_clen = 0 is enough */
321 G.got_clen = 0;
322 G.chunked = 0;
323@@ -1229,37 +1315,61 @@ static void download_one_url(const char *url)
324
325 /* Open socket to http(s) server */ 254 /* Open socket to http(s) server */
326 #if ENABLE_FEATURE_WGET_OPENSSL 255 #if ENABLE_FEATURE_WGET_OPENSSL
327+ printf("wget download_one_url 8\n");
328 /* openssl (and maybe internal TLS) support is configured */ 256 /* openssl (and maybe internal TLS) support is configured */
329+ struct tls *ctx; 257+ struct tls *ctx;
330 if (server.protocol == P_HTTPS) { 258 if (server.protocol == P_HTTPS) {
@@ -332,251 +260,95 @@ index 6a64836fb..13474abe4 100644
332 * Inconvenient API since we can't give it an open fd 260 * Inconvenient API since we can't give it an open fd
333 */ 261 */
334- int fd = spawn_https_helper_openssl(server.host, server.port); 262- int fd = spawn_https_helper_openssl(server.host, server.port);
335-# if ENABLE_FEATURE_WGET_HTTPS 263+ //int fd = spawn_https_helper_openssl(server.host, server.port);
264 # if ENABLE_FEATURE_WGET_HTTPS
336- if (fd < 0) { /* no openssl? try internal */ 265- if (fd < 0) { /* no openssl? try internal */
337- sfp = open_socket(lsa); 266- sfp = open_socket(lsa);
338- spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0); 267- spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0);
339- goto socket_opened; 268- goto socket_opened;
340+ printf("wget download_one_url 9\n"); 269- }
341+ //int fd = spawn_https_helper_openssl(server.host, server.port); 270+ char *allocated, *servername, *host, *pemmem;
342+ char *allocated, *servername, *p, *host; 271+ struct tls_config *config;
343+ if(!strchr(server.host, ":")) 272+ if(!strchr(server.host, ':'))
344+ host = allocated = xasprintf("%s:%u", server.host, server.port); 273+ host = allocated = xasprintf("%s:%u", server.host, server.port);
345+ servername = xstrdup(host); 274+ servername = xstrdup(host);
346+ ctx = tls_client(); 275+ ctx = tls_client();
347+ if(ctx == NULL) 276+ if(ctx == NULL)
348+ bb_error_msg_and_die("Out of memory 1"); 277+ bb_error_msg_and_die("Out of memory 1");
349+ struct tls_config *config;
350+ config = tls_config_new(); 278+ config = tls_config_new();
351+ if(config == NULL) 279+ if(config == NULL)
352+ bb_error_msg_and_die("Out of memory 2"); 280+ bb_error_msg_and_die("Out of memory 2");
353+ if(tls_config_set_ca_path(config, "certs") != 0) 281+ if(tls_config_set_ca_path(config, "certs") != 0)
282+ bb_error_msg_and_die("Failed to set ca path");
283+ if(tls_config_set_ca_file(config, "cert.pem") != 0)
354+ bb_error_msg_and_die("Failed to set ca file"); 284+ bb_error_msg_and_die("Failed to set ca file");
285+ gather_certificates(config);
355+ if(tls_configure(ctx,config) != 0) 286+ if(tls_configure(ctx,config) != 0)
356+ bb_error_msg_and_die("Failed to configure client"); 287+ bb_error_msg_and_die("Failed to configure client");
357+ sfp = tmpfile(); 288+ sfp = tmpfile();
358+ dfp = tmpfile(); 289+ dfp = tmpfile();
359+ if(tls_connect_fds(ctx, dfp, sfp, servername) != 0) 290+ if(tls_connect(ctx, servername, NULL) != 0)
360+ bb_error_msg_and_die("Failed to connect: %s", tls_error(ctx)); 291+ bb_error_msg_and_die("Failed to connect: %s", tls_error(ctx));
292+ free(pemmem);
361+ tls_config_free(config); 293+ tls_config_free(config);
362+ free(allocated); 294+ free(allocated);
363+ free(servername); 295+ free(servername);
364+ printf("wget download_one_url 10\n");
365+ printf("wget download_one_url 13\n");
366+ //sfp = fdopen(fd, "r+"); 296+ //sfp = fdopen(fd, "r+");
367+ if (!sfp){ 297+ if (!sfp)
368+ bb_error_msg_and_die("Error opening fd: %s",strerror(errno)); 298+ bb_error_msg_and_die("Error opening fd: %s",strerror(errno));
369 } 299 # else
370-# else 300 /* We don't check for exec("openssl") failure in this case */
371- /* We don't check for exec("openssl") failure in this case */ 301 # endif
372-# endif
373- sfp = fdopen(fd, "r+"); 302- sfp = fdopen(fd, "r+");
374- if (!sfp) 303- if (!sfp)
375- bb_die_memory_exhausted(); 304- bb_die_memory_exhausted();
376+ printf("wget download_one_url 14\n"); 305+ //sfp = fdopen(fd, "r+");
306+ //if (!sfp)
307+ // bb_die_memory_exhausted();
377 goto socket_opened; 308 goto socket_opened;
378 } 309 }
379- sfp = open_socket(lsa); 310- sfp = open_socket(lsa);
380+ printf("wget download_one_url 15\n");
381+ //sfp = open_socket(lsa); 311+ //sfp = open_socket(lsa);
382 socket_opened: 312 socket_opened:
383 #elif ENABLE_FEATURE_WGET_HTTPS 313 #elif ENABLE_FEATURE_WGET_HTTPS
384 /* Only internal TLS support is configured */ 314 /* Only internal TLS support is configured */
385+ printf("wget download_one_url 16\n"); 315@@ -1353,7 +1424,35 @@ static void download_one_url(const char *url)
386 sfp = open_socket(lsa);
387 if (server.protocol == P_HTTPS)
388 spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0);
389 #else
390+ printf("wget download_one_url 17\n");
391 /* ssl (https) support is not configured */
392 sfp = open_socket(lsa);
393 #endif
394+ printf("wget download_one_url 18\n");
395 /* Send HTTP request */
396 if (use_proxy) {
397 SENDFMT(sfp, "GET %s://%s/%s HTTP/1.1\r\n",
398@@ -1270,6 +1380,7 @@ static void download_one_url(const char *url)
399 (option_mask32 & WGET_OPT_POST) ? "POST" : "GET",
400 target.path);
401 }
402+ printf("wget download_one_url 19\n");
403 if (!USR_HEADER_HOST)
404 SENDFMT(sfp, "Host: %s\r\n", target.host);
405 if (!USR_HEADER_USER_AGENT)
406@@ -1280,6 +1391,7 @@ static void download_one_url(const char *url)
407 */
408 SENDFMT(sfp, "Connection: close\r\n");
409
410+ printf("wget download_one_url 20\n");
411 #if ENABLE_FEATURE_WGET_AUTHENTICATION
412 if (target.user && !USR_HEADER_AUTH) {
413 SENDFMT(sfp, "Proxy-Authorization: Basic %s\r\n"+6,
414@@ -1291,6 +1403,7 @@ static void download_one_url(const char *url)
415 }
416 #endif
417
418+ printf("wget download_one_url 21\n");
419 if (G.beg_range != 0 && !USR_HEADER_RANGE)
420 SENDFMT(sfp, "Range: bytes=%"OFF_FMT"u-\r\n", G.beg_range);
421
422@@ -1300,6 +1413,7 @@ static void download_one_url(const char *url)
423 fputs(G.extra_headers, sfp);
424 }
425
426+ printf("wget download_one_url 22\n");
427 if (option_mask32 & WGET_OPT_POST_FILE) {
428 int fd = xopen_stdin(G.post_file);
429 G.post_data = xmalloc_read(fd, NULL);
430@@ -1314,15 +1428,18 @@ static void download_one_url(const char *url)
431 );
432 }
433 # if ENABLE_PLATFORM_MINGW32
434+ printf("wget download_one_url 23\n");
435 if (!USR_HEADER_CONTENT_LENGTH)
436 SENDFMT(sfp, "Content-Length: %u\r\n",
437 (int)strlen(G.post_data)
438 );
439+ printf("wget download_one_url 24\n");
440 SENDFMT(sfp,
441 "\r\n"
442 "%s",
443 G.post_data
444 );
445+ printf("wget download_one_url 25\n");
446 } else
447 # else
448 SENDFMT(sfp,
449@@ -1338,6 +1455,7 @@ static void download_one_url(const char *url)
450 SENDFMT(sfp, "\r\n");
451 }
452
453+ printf("wget download_one_url 26\n");
454 fflush(sfp);
455
456 /* Tried doing this unconditionally.
457@@ -1345,27 +1463,38 @@ static void download_one_url(const char *url)
458 */
459 #if SSL_SUPPORTED
460 if (target.protocol == P_HTTPS) {
461+ printf("wget download_one_url 26-2\n");
462 /* If we use SSL helper, keeping our end of the socket open for writing
463 * makes our end (i.e. the same fd!) readable (EAGAIN instead of EOF)
464 * even after child closes its copy of the fd.
465 * This helps:
466 */
467 shutdown(fileno(sfp), SHUT_WR); 316 shutdown(fileno(sfp), SHUT_WR);
468+ printf("wget download_one_url 26-3\n");
469 } 317 }
470 #endif 318 #endif
471 319-
320+ //How much data did we actually get?
321+ size_t wlen, bufsize;
322+ wlen = ftell(sfp);
323+ bufsize = 4096;
324+ char buf[bufsize];
325+ char *outbuf;
326+ outbuf = (char*)malloc(sizeof(char) * wlen);
327+ rewind(sfp);
328+ rewind(dfp);
329+ if(fread(outbuf, sizeof(char), wlen, sfp) < wlen)
330+ bb_error_msg_and_die("Failed to read tmpfile: %s", strerror(errno));
331+ if(tls_write(ctx, outbuf, wlen) < wlen)
332+ bb_error_msg_and_die("Failed to write:%s",tls_error(ctx));
333+ ssize_t len;
334+ len = TLS_WANT_POLLIN;
335+ while(len == TLS_WANT_POLLIN || len > 0){
336+ len = tls_read(ctx, buf, bufsize);
337+ if(len == -1)
338+ bb_error_msg_and_die("Failed tls read: %s", tls_error(ctx));
339+ if (len != TLS_WANT_POLLIN){
340+ wlen = fwrite(buf, sizeof(char), len, dfp);
341+ if(wlen != len)
342+ bb_error_msg_and_die("Failed to write to tempfile: (%zu) (%zd) %s", wlen, len, strerror(errno));
343+ }
344+ }
345+ if(len == -1)
346+ bb_error_msg_and_die("tls read error: %s", tls_error(ctx));
472+ rewind(dfp); 347+ rewind(dfp);
473+ sfp = dfp; 348+ sfp = dfp;
474 /* 349 /*
475 * Retrieve HTTP response line and check for "200" status code. 350 * Retrieve HTTP response line and check for "200" status code.
476 */ 351 */
477 read_response:
478+ printf("wget download_one_url 27\n");
479 fgets_trim_sanitize(sfp, " %s\n");
480+ printf("wget download_one_url 27-1\n");
481
482 str = G.wget_buf;
483+ printf("wget download_one_url 27-2\n");
484 str = skip_non_whitespace(str);
485+ printf("wget download_one_url 27-3\n");
486 str = skip_whitespace(str);
487+ printf("wget download_one_url 27-4\n");
488 // FIXME: no error check
489 // xatou wouldn't work: "200 OK"
490+ printf("wget download_one_url 27-5\n");
491 status = atoi(str);
492+ printf("wget download_one_url 27-6\n");
493 switch (status) {
494 case 0:
495 case 100:
496@@ -1441,6 +1570,7 @@ However, in real world it was observed that some web servers
497 /*
498 * Retrieve HTTP headers.
499 */
500+ printf("wget download_one_url 28\n");
501 while ((str = get_sanitized_hdr(sfp)) != NULL) {
502 static const char keywords[] ALIGN1 =
503 "content-length\0""transfer-encoding\0""location\0";
504@@ -1497,6 +1627,7 @@ However, in real world it was observed that some web servers
505 goto establish_session;
506 }
507 }
508+ printf("wget download_one_url 29\n");
509 // if (status >= 300)
510 // bb_error_msg_and_die("bad redirection (no Location: header from server)");
511
512@@ -1514,6 +1645,7 @@ However, in real world it was observed that some web servers
513
514 free(lsa);
515
516+ printf("wget download_one_url 30\n");
517 if (!(option_mask32 & WGET_OPT_SPIDER)) {
518 if (G.output_fd < 0)
519 G.output_fd = xopen(G.fname_out, G.o_flags);
520@@ -1536,6 +1668,7 @@ However, in real world it was observed that some web servers
521 /* ftpcmd("QUIT", NULL, sfp); - why bother? */
522 }
523 #endif
524+ printf("wget download_one_url 31\n");
525 fclose(sfp);
526
527 free(server.allocated);
528@@ -1544,11 +1677,13 @@ However, in real world it was observed that some web servers
529 free(target.user);
530 free(fname_out_alloc);
531 free(redirected_path);
532+ printf("wget download_one_url 32\n");
533 }
534
535 int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
536 int wget_main(int argc UNUSED_PARAM, char **argv)
537 {
538+ printf("wget main 1\n");
539 #if ENABLE_FEATURE_WGET_LONG_OPTIONS
540 static const char wget_longopts[] ALIGN1 =
541 /* name, has_arg, val */
542@@ -1590,6 +1725,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0")
543 #endif
544
545 INIT_G();
546+ printf("wget main 2\n");
547
548 #if ENABLE_FEATURE_WGET_TIMEOUT
549 G.timeout_seconds = 900;
550@@ -1626,6 +1762,8 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0")
551 IF_FEATURE_WGET_LONG_OPTIONS(, &G.post_data)
552 IF_FEATURE_WGET_LONG_OPTIONS(, &G.post_file)
553 );
554+
555+ printf("wget main 3\n");
556 #if 0 /* option bits debug */
557 if (option_mask32 & WGET_OPT_RETRIES) bb_error_msg("-t NUM");
558 if (option_mask32 & WGET_OPT_nsomething) bb_error_msg("-nsomething");
559@@ -1670,6 +1808,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0")
560 }
561 #endif
562
563+ printf("wget main 4\n");
564 G.output_fd = -1;
565 G.o_flags = O_WRONLY | O_CREAT | O_TRUNC | O_EXCL;
566 if (G.fname_out) { /* -O FILE ? */
567@@ -1691,8 +1830,11 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0")
568 }
569 }
570
571- while (*argv)
572+ printf("wget main 5\n");
573+ while (*argv) {
574+ printf("wget main 5-%s\n",argv);
575 download_one_url(*argv++);
576+ }
577
578 if (G.output_fd >= 0)
579 xclose(G.output_fd);
580diff --git a/scripts/trylink b/scripts/trylink 352diff --git a/scripts/trylink b/scripts/trylink
581index 2456252a3..6186284f1 100755 353index 2456252a3..6186284f1 100755
582--- a/scripts/trylink 354--- a/scripts/trylink