diff options
author | Alexander M Pickering <alex@cogarr.net> | 2024-11-15 15:26:21 -0600 |
---|---|---|
committer | Alexander M Pickering <alex@cogarr.net> | 2024-11-15 15:26:21 -0600 |
commit | f8cdb9c7ce4a40db8763b3cd7f629bc0bd51d605 (patch) | |
tree | 22240226deefb1cd5b1d253a0f8aadf96f4ecccf | |
parent | acd7ce751ab071d2fd2a4897e198b5ba86ef069f (diff) | |
download | busybox-w32-packaging-f8cdb9c7ce4a40db8763b3cd7f629bc0bd51d605.tar.gz busybox-w32-packaging-f8cdb9c7ce4a40db8763b3cd7f629bc0bd51d605.tar.bz2 busybox-w32-packaging-f8cdb9c7ce4a40db8763b3cd7f629bc0bd51d605.zip |
Fix the libressl patch.
Add SSL authentication to wget; use certificates
from the Windows Certificate Store.
-rw-r--r-- | libressl.patch | 566 |
1 files changed, 169 insertions, 397 deletions
diff --git a/libressl.patch b/libressl.patch index 9778341..00d5d4b 100644 --- a/libressl.patch +++ b/libressl.patch | |||
@@ -12,18 +12,10 @@ index bc1453e12..69f76cbb3 100644 | |||
12 | void tls_run_copy_loop(tls_state_t *tls, unsigned flags) FAST_FUNC; | 12 | void tls_run_copy_loop(tls_state_t *tls, unsigned flags) FAST_FUNC; |
13 | 13 | ||
14 | diff --git a/networking/ssl_client.c b/networking/ssl_client.c | 14 | diff --git a/networking/ssl_client.c b/networking/ssl_client.c |
15 | index 757745896..653b6f48e 100644 | 15 | index 757745896..38163440f 100644 |
16 | --- a/networking/ssl_client.c | 16 | --- a/networking/ssl_client.c |
17 | +++ b/networking/ssl_client.c | 17 | +++ b/networking/ssl_client.c |
18 | @@ -24,6 +24,7 @@ | 18 | @@ -69,7 +69,7 @@ int ssl_client_main(int argc UNUSED_PARAM, char **argv) |
19 | //usage:#define ssl_client_full_usage "" | ||
20 | |||
21 | #include "libbb.h" | ||
22 | +#include <tls.h> | ||
23 | |||
24 | int ssl_client_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; | ||
25 | int ssl_client_main(int argc UNUSED_PARAM, char **argv) | ||
26 | @@ -69,7 +70,7 @@ int ssl_client_main(int argc UNUSED_PARAM, char **argv) | ||
27 | } | 19 | } |
28 | #endif | 20 | #endif |
29 | 21 | ||
@@ -32,34 +24,8 @@ index 757745896..653b6f48e 100644 | |||
32 | 24 | ||
33 | BUILD_BUG_ON(TLSLOOP_EXIT_ON_LOCAL_EOF != 1); | 25 | BUILD_BUG_ON(TLSLOOP_EXIT_ON_LOCAL_EOF != 1); |
34 | tls_run_copy_loop(tls, /*flags*/ opt & 1); | 26 | tls_run_copy_loop(tls, /*flags*/ opt & 1); |
35 | diff --git a/networking/ssl_helper-wolfssl/ssl_helper.c b/networking/ssl_helper-wolfssl/ssl_helper.c | ||
36 | index 38b7b56c6..834912a68 100644 | ||
37 | --- a/networking/ssl_helper-wolfssl/ssl_helper.c | ||
38 | +++ b/networking/ssl_helper-wolfssl/ssl_helper.c | ||
39 | @@ -160,10 +160,10 @@ WOLFSSL *prepare(int sockfd) | ||
40 | |||
41 | method = wolfTLSv1_1_client_method(); | ||
42 | if (method == NULL) | ||
43 | - err_sys("out of memory"); | ||
44 | + err_sys("out of memory 3"); | ||
45 | ctx = wolfSSL_CTX_new(method); | ||
46 | if (ctx == NULL) | ||
47 | - err_sys("out of memory"); | ||
48 | + err_sys("out of memory 2"); | ||
49 | // if (cipherList) | ||
50 | // if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS) | ||
51 | // err_sys("client can't set cipher list 1"); | ||
52 | @@ -279,7 +279,7 @@ WOLFSSL *prepare(int sockfd) | ||
53 | |||
54 | ssl = wolfSSL_new(ctx); | ||
55 | if (ssl == NULL) | ||
56 | - err_sys("out of memory"); | ||
57 | + err_sys("out of memory 1"); | ||
58 | |||
59 | //#ifdef HAVE_SESSION_TICKET | ||
60 | // wolfSSL_set_SessionTicket_cb(ssl, sessionTicketCB, (void*)"initial session"); | ||
61 | diff --git a/networking/tls.c b/networking/tls.c | 27 | diff --git a/networking/tls.c b/networking/tls.c |
62 | index 9f1dd67ec..7e8da6df2 100644 | 28 | index 9f1dd67ec..60e1afe99 100644 |
63 | --- a/networking/tls.c | 29 | --- a/networking/tls.c |
64 | +++ b/networking/tls.c | 30 | +++ b/networking/tls.c |
65 | @@ -2221,6 +2221,7 @@ static void send_client_finished(tls_state_t *tls) | 31 | @@ -2221,6 +2221,7 @@ static void send_client_finished(tls_state_t *tls) |
@@ -76,8 +42,8 @@ index 9f1dd67ec..7e8da6df2 100644 | |||
76 | 42 | ||
77 | - /*send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) */ | 43 | - /*send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) */ |
78 | - /* need to hash _all_ server replies first, up to ServerHelloDone */ | 44 | - /* need to hash _all_ server replies first, up to ServerHelloDone */ |
79 | + //send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) | 45 | + //send_empty_client_cert(tls); - WRONG (breaks handshake hash calc) / |
80 | + //need to hash _all_ server replies first, up to ServerHelloDone | 46 | + // need to hash _all_ server replies first, up to ServerHelloDone / |
81 | len = tls_xread_handshake_block(tls, 4); | 47 | len = tls_xread_handshake_block(tls, 4); |
82 | } | 48 | } |
83 | 49 | ||
@@ -87,18 +53,18 @@ index 9f1dd67ec..7e8da6df2 100644 | |||
87 | send_change_cipher_spec(tls); | 53 | send_change_cipher_spec(tls); |
88 | - /* from now on we should send encrypted */ | 54 | - /* from now on we should send encrypted */ |
89 | - /* tls->write_seq64_be = 0; - already is */ | 55 | - /* tls->write_seq64_be = 0; - already is */ |
90 | + // from now on we should send encrypted | 56 | + // from now on we should send encrypted / |
91 | + // tls->write_seq64_be = 0; - already is | 57 | + // tls->write_seq64_be = 0; - already is / |
92 | tls->flags |= ENCRYPT_ON_WRITE; | 58 | tls->flags |= ENCRYPT_ON_WRITE; |
93 | 59 | ||
94 | send_client_finished(tls); | 60 | send_client_finished(tls); |
95 | 61 | ||
96 | - /* Get CHANGE_CIPHER_SPEC */ | 62 | - /* Get CHANGE_CIPHER_SPEC */ |
97 | + // Get CHANGE_CIPHER_SPEC | 63 | + // Get CHANGE_CIPHER_SPEC / |
98 | len = tls_xread_record(tls, "switch to encrypted traffic"); | 64 | len = tls_xread_record(tls, "switch to encrypted traffic"); |
99 | if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0) | 65 | if (len != 1 || memcmp(tls->inbuf, rec_CHANGE_CIPHER_SPEC, 6) != 0) |
100 | bad_record_die(tls, "switch to encrypted traffic", len); | 66 | bad_record_die(tls, "switch to encrypted traffic", len); |
101 | @@ -2327,29 +2328,29 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni) | 67 | @@ -2327,29 +2328,30 @@ void FAST_FUNC tls_handshake(tls_state_t *tls, const char *sni) |
102 | } else | 68 | } else |
103 | if (!(tls->flags & ENCRYPTION_AESGCM)) { | 69 | if (!(tls->flags & ENCRYPTION_AESGCM)) { |
104 | unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE; | 70 | unsigned mac_blocks = (unsigned)(TLS_MAC_SIZE(tls) + AES_BLOCK_SIZE-1) / AES_BLOCK_SIZE; |
@@ -107,6 +73,7 @@ index 9f1dd67ec..7e8da6df2 100644 | |||
107 | - */ | 73 | - */ |
108 | + // all incoming packets now should be encrypted and have | 74 | + // all incoming packets now should be encrypted and have |
109 | + // at least IV + (MAC padded to blocksize): | 75 | + // at least IV + (MAC padded to blocksize): |
76 | + // | ||
110 | tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE); | 77 | tls->min_encrypted_len_on_read = AES_BLOCK_SIZE + (mac_blocks * AES_BLOCK_SIZE); |
111 | } else { | 78 | } else { |
112 | tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE; | 79 | tls->min_encrypted_len_on_read = 8 + AES_BLOCK_SIZE; |
@@ -114,16 +81,16 @@ index 9f1dd67ec..7e8da6df2 100644 | |||
114 | dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read); | 81 | dbg("min_encrypted_len_on_read: %u\n", tls->min_encrypted_len_on_read); |
115 | 82 | ||
116 | - /* Get (encrypted) FINISHED from the server */ | 83 | - /* Get (encrypted) FINISHED from the server */ |
117 | + // Get (encrypted) FINISHED from the server | 84 | + // Get (encrypted) FINISHED from the server / |
118 | len = tls_xread_record(tls, "'server finished'"); | 85 | len = tls_xread_record(tls, "'server finished'"); |
119 | if (len < 4 || tls->inbuf[RECHDR_LEN] != HANDSHAKE_FINISHED) | 86 | if (len < 4 || tls->inbuf[RECHDR_LEN] != HANDSHAKE_FINISHED) |
120 | bad_record_die(tls, "'server finished'", len); | 87 | bad_record_die(tls, "'server finished'", len); |
121 | dbg("<< FINISHED\n"); | 88 | dbg("<< FINISHED\n"); |
122 | - /* application data can be sent/received */ | 89 | - /* application data can be sent/received */ |
123 | + // application data can be sent/received | 90 | + // application data can be sent/received / |
124 | 91 | ||
125 | - /* free handshake data */ | 92 | - /* free handshake data */ |
126 | + // free handshake data | 93 | + // free handshake data / |
127 | psRsaKey_clear(&tls->hsd->server_rsa_pub_key); | 94 | psRsaKey_clear(&tls->hsd->server_rsa_pub_key); |
128 | // if (PARANOIA) | 95 | // if (PARANOIA) |
129 | // memset(tls->hsd, 0, tls->hsd->hsd_size); | 96 | // memset(tls->hsd, 0, tls->hsd->hsd_size); |
@@ -135,41 +102,34 @@ index 9f1dd67ec..7e8da6df2 100644 | |||
135 | static void tls_xwrite(tls_state_t *tls, int len) | 102 | static void tls_xwrite(tls_state_t *tls, int len) |
136 | { | 103 | { |
137 | diff --git a/networking/wget.c b/networking/wget.c | 104 | diff --git a/networking/wget.c b/networking/wget.c |
138 | index 6a64836fb..13474abe4 100644 | 105 | index 6a64836fb..4a5b4c9f0 100644 |
139 | --- a/networking/wget.c | 106 | --- a/networking/wget.c |
140 | +++ b/networking/wget.c | 107 | +++ b/networking/wget.c |
141 | @@ -169,7 +169,11 @@ | 108 | @@ -1,4 +1,3 @@ |
142 | //usage: "\n -Y on/off Use proxy" | 109 | -/* vi: set sw=4 ts=4: */ |
143 | 110 | /* | |
144 | #include "libbb.h" | 111 | * wget - retrieve a file using HTTP or FTP |
145 | - | 112 | * |
146 | +#include <string.h> | 113 | @@ -460,6 +459,49 @@ static FILE *open_socket(len_and_sockaddr *lsa) |
147 | +#include <errno.h> | 114 | return fp; |
148 | +#include <tls.h> | 115 | } |
149 | +#include <stdarg.h> | ||
150 | +#include <stdio.h> | ||
151 | #if 0 | ||
152 | # define log_io(...) bb_error_msg(__VA_ARGS__) | ||
153 | # define SENDFMT(fp, fmt, ...) \ | ||
154 | @@ -354,6 +358,39 @@ static ALWAYS_INLINE void progress_meter(int flag UNUSED_PARAM) {} | ||
155 | #endif | ||
156 | |||
157 | 116 | ||
158 | +#if ENABLE_PLATFORM_MINGW32 | 117 | +#if ENABLE_PLATFORM_MINGW32 |
159 | +/* Use windows installed certificates for wget */ | 118 | +/* Use windows installed certificates for wget */ |
160 | +#include <openssl/ssl.h> | 119 | +#include <openssl/ssl.h> |
161 | +#include <openssl/x509.h> | 120 | +#include <openssl/x509.h> |
162 | +#include <wincrypt.h> | 121 | +#include <wincrypt.h> |
163 | +void gather_certificates(struct tls_config *cfg) | 122 | +char* gather_certificates(struct tls_config *cfg) |
164 | +{ | 123 | +{ |
165 | + printf("Gathering certificates\n"); | 124 | + FILE *pemfile; |
125 | + pemfile = tmpfile(); | ||
166 | + HCERTSTORE dstore; | 126 | + HCERTSTORE dstore; |
167 | + dstore = CertOpenSystemStore(0,"CA"); | 127 | + dstore = CertOpenSystemStore(0,"ROOT"); |
168 | + size_t numcerts; | 128 | + size_t numcerts; |
169 | + if(!dstore) | 129 | + if(!dstore) |
170 | + bb_error_msg_and_die("Error opening 'CA' cert store"); | 130 | + bb_error_msg_and_die("Error opening 'CA' cert store"); |
171 | + X509_STORE *store = X509_STORE_new(); | ||
172 | + PCCERT_CONTEXT ctx = NULL; | 131 | + PCCERT_CONTEXT ctx = NULL; |
132 | + size_t certs_len; | ||
173 | + for(;;) | 133 | + for(;;) |
174 | + { | 134 | + { |
175 | + ctx = CertEnumCertificatesInStore(dstore,ctx); | 135 | + ctx = CertEnumCertificatesInStore(dstore,ctx); |
@@ -178,153 +138,121 @@ index 6a64836fb..13474abe4 100644 | |||
178 | + char *dcert = ctx->pbCertEncoded; | 138 | + char *dcert = ctx->pbCertEncoded; |
179 | + size_t dcert_len = ctx->cbCertEncoded; | 139 | + size_t dcert_len = ctx->cbCertEncoded; |
180 | + X509 *x509cert; | 140 | + X509 *x509cert; |
181 | + x509cert = d2i_X509(NULL,dcert,dcert_len); | 141 | + x509cert = d2i_X509(NULL,&dcert,dcert_len); |
182 | + if(x509cert == NULL) | 142 | + if(x509cert == NULL) |
183 | + bb_error_msg_and_die("Failed to convert cert"); | 143 | + bb_error_msg_and_die("Failed to convert cert"); |
184 | + X509_STORE_add_cert(store,x509cert); | 144 | + if(!PEM_write_X509(pemfile, x509cert)) |
145 | + bb_error_msg_and_die("Failed to write cert"); | ||
185 | + X509_free(x509cert); | 146 | + X509_free(x509cert); |
186 | + } | 147 | + } |
187 | + CertCloseStore(store, CERT_CLOSE_STORE_CHECK_FLAG); | 148 | + CertCloseStore(dstore, CERT_CLOSE_STORE_CHECK_FLAG); |
149 | + size_t pemsize = ftell(pemfile); | ||
150 | + char *pemmem = (char*)malloc(pemsize); | ||
151 | + if(pemmem == NULL) | ||
152 | + bb_error_msg_and_die("out of memory"); | ||
153 | + rewind(pemfile); | ||
154 | + if(fread(pemmem, sizeof(char), pemsize, pemfile) != pemsize) | ||
155 | + bb_error_msg_and_die("Failed to read temp ca pem file"); | ||
156 | + tls_config_set_ca_mem(cfg, pemmem, pemsize); | ||
188 | +} | 157 | +} |
189 | + | ||
190 | +#endif | 158 | +#endif |
191 | /* IPv6 knows scoped address types i.e. link and site local addresses. Link | 159 | + |
192 | * local addresses can have a scope identifier to specify the | 160 | /* We balk at any control chars in other side's messages. |
193 | * interface/link an address is valid on (e.g. fe80::1%eth0). This scope | 161 | * This prevents nasty surprises (e.g. ESC sequences) in "Location:" URLs |
194 | @@ -488,26 +525,35 @@ static char fgets_trim_sanitize(FILE *fp, const char *fmt) | 162 | * and error messages. |
195 | char c; | 163 | @@ -689,6 +731,9 @@ static void reset_beg_range_to_zero(void) |
196 | char *buf_ptr; | ||
197 | |||
198 | + printf("wget fgets_trim_sanitize 1\n"); | ||
199 | set_alarm(); | ||
200 | - if (fgets(G.wget_buf, sizeof(G.wget_buf), fp) == NULL) | ||
201 | - bb_simple_perror_msg_and_die("error getting response"); | ||
202 | + printf("wget fgets_trim_sanitize 2\n"); | ||
203 | + if (fgets(G.wget_buf, sizeof(G.wget_buf), fp) == NULL){ | ||
204 | + bb_error_msg_and_die("error getting response: %s",strerror(errno)); | ||
205 | + } | ||
206 | clear_alarm(); | ||
207 | |||
208 | + printf("wget fgets_trim_sanitize 3\n"); | ||
209 | buf_ptr = strchrnul(G.wget_buf, '\n'); | ||
210 | + printf("wget fgets_trim_sanitize 4\n"); | ||
211 | c = *buf_ptr; | ||
212 | #if 1 | ||
213 | /* Disallow any control chars: trim at first char < 0x20 */ | ||
214 | + printf("wget fgets_trim_sanitize 5\n"); | ||
215 | sanitize_string(G.wget_buf); | ||
216 | + printf("wget fgets_trim_sanitize 6\n"); | ||
217 | #else | ||
218 | *buf_ptr = '\0'; | ||
219 | buf_ptr = strchrnul(G.wget_buf, '\r'); | ||
220 | *buf_ptr = '\0'; | ||
221 | #endif | ||
222 | |||
223 | + printf("wget fgets_trim_sanitize 7\n"); | ||
224 | log_io("< %s", G.wget_buf); | ||
225 | |||
226 | if (fmt && (option_mask32 & WGET_OPT_SERVER_RESPONSE)) | ||
227 | fprintf(stderr, fmt, G.wget_buf); | ||
228 | + printf("wget fgets_trim_sanitize 8\n"); | ||
229 | |||
230 | return c; | ||
231 | } | ||
232 | @@ -689,6 +735,7 @@ static void reset_beg_range_to_zero(void) | ||
233 | } | 164 | } |
234 | 165 | ||
235 | #if ENABLE_FEATURE_WGET_OPENSSL | 166 | #if ENABLE_FEATURE_WGET_OPENSSL |
236 | +# if !ENABLE_PLATFORM_MINGW32 | 167 | +#include <tls.h> |
168 | +#include <winsock2.h> | ||
169 | +/* | ||
237 | static int spawn_https_helper_openssl(const char *host, unsigned port) | 170 | static int spawn_https_helper_openssl(const char *host, unsigned port) |
238 | { | 171 | { |
239 | char *allocated = NULL; | 172 | char *allocated = NULL; |
240 | @@ -777,6 +824,38 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) | 173 | @@ -698,7 +743,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) |
174 | IF_FEATURE_WGET_HTTPS(volatile int child_failed = 0;) | ||
175 | |||
176 | if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0) | ||
177 | - /* Kernel can have AF_UNIX support disabled */ | ||
178 | + // Kernel can have AF_UNIX support disabled / | ||
179 | bb_simple_perror_msg_and_die("socketpair"); | ||
180 | |||
181 | if (!strchr(host, ':')) | ||
182 | @@ -709,18 +754,18 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) | ||
183 | fflush_all(); | ||
184 | pid = xvfork(); | ||
185 | if (pid == 0) { | ||
186 | - /* Child */ | ||
187 | + // Child / | ||
188 | char *argv[13]; | ||
189 | char **argp; | ||
190 | |||
191 | close(sp[0]); | ||
192 | xmove_fd(sp[1], 0); | ||
193 | xdup2(0, 1); | ||
194 | - /* | ||
195 | - * openssl s_client -quiet -connect www.kernel.org:443 2>/dev/null | ||
196 | - * It prints some debug stuff on stderr, don't know how to suppress it. | ||
197 | - * Work around by dev-nulling stderr. We lose all error messages :( | ||
198 | - */ | ||
199 | + // | ||
200 | + // openssl s_client -quiet -connect www.kernel.org:443 2>/dev/null | ||
201 | + // It prints some debug stuff on stderr, don't know how to suppress it. | ||
202 | + // Work around by dev-nulling stderr. We lose all error messages :( | ||
203 | + // | ||
204 | xmove_fd(2, 3); | ||
205 | xopen("/dev/null", O_RDWR); | ||
206 | memset(&argv, 0, sizeof(argv)); | ||
207 | @@ -729,18 +774,18 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) | ||
208 | argv[2] = (char*)"-quiet"; | ||
209 | argv[3] = (char*)"-connect"; | ||
210 | argv[4] = (char*)host; | ||
211 | - /* | ||
212 | - * Per RFC 6066 Section 3, the only permitted values in the | ||
213 | - * TLS server_name (SNI) field are FQDNs (DNS hostnames). | ||
214 | - * IPv4 and IPv6 addresses, port numbers are not allowed. | ||
215 | - */ | ||
216 | + // | ||
217 | + // Per RFC 6066 Section 3, the only permitted values in the | ||
218 | + // TLS server_name (SNI) field are FQDNs (DNS hostnames). | ||
219 | + // IPv4 and IPv6 addresses, port numbers are not allowed. | ||
220 | + // | ||
221 | argp = &argv[5]; | ||
222 | if (!is_ip_address(servername)) { | ||
223 | *argp++ = (char*)"-servername"; //[5] | ||
224 | *argp++ = (char*)servername; //[6] | ||
225 | } | ||
226 | if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) { | ||
227 | - /* Abort on bad server certificate */ | ||
228 | + // Abort on bad server certificate / | ||
229 | *argp++ = (char*)"-verify"; //[7] | ||
230 | *argp++ = (char*)"100"; //[8] | ||
231 | *argp++ = (char*)"-verify_return_error"; //[9] | ||
232 | @@ -762,10 +807,10 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) | ||
233 | # else | ||
234 | bb_perror_msg_and_die("can't execute '%s'", argv[0]); | ||
235 | # endif | ||
236 | - /* notreached */ | ||
237 | + // notreached / | ||
238 | } | ||
239 | |||
240 | - /* Parent */ | ||
241 | + // Parent / | ||
242 | free(servername); | ||
243 | free(allocated); | ||
244 | close(sp[1]); | ||
245 | @@ -777,6 +822,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) | ||
241 | # endif | 246 | # endif |
242 | return sp[0]; | 247 | return sp[0]; |
243 | } | 248 | } |
244 | +# else | 249 | +*/ |
245 | +#include <tls.h> | ||
246 | +#include <winsock2.h> | ||
247 | +static int spawn_https_helper_openssl(const char *host, unsigned port) | ||
248 | +{ | ||
249 | + char* allocated = NULL; | ||
250 | + char *servername, *cmd; | ||
251 | + int sp[2]; | ||
252 | + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0) | ||
253 | + bb_simple_perror_msg_and_die("socketpair"); | ||
254 | + | ||
255 | + if(!strchr(host,":")) | ||
256 | + host = allocated = xasprintf("%s:%u",host,port); | ||
257 | + servername = xstrdup(host); | ||
258 | + fflush_all(); | ||
259 | + | ||
260 | + struct tls *ctx = tls_client(); | ||
261 | + if(ctx == NULL) | ||
262 | + bb_error_msg_and_die("Out of memory 1"); | ||
263 | + struct tls_config *config = tls_config_new(); | ||
264 | + if(config == NULL) | ||
265 | + bb_error_msg_and_die("Out of memory 2"); | ||
266 | + if(tls_configure(ctx,config) != 0) | ||
267 | + bb_error_msg_and_die("Failed to configure client"); | ||
268 | + tls_connect_fds(ctx, sp[0], sp[1], servername); | ||
269 | + tls_config_free(config); | ||
270 | + free(allocated); | ||
271 | + free(servername); | ||
272 | + printf("Connected sp %s\n"); | ||
273 | + return sp[0]; | ||
274 | +} | ||
275 | +# endif | ||
276 | #endif | 250 | #endif |
277 | 251 | ||
278 | #if ENABLE_FEATURE_WGET_HTTPS | 252 | #if ENABLE_FEATURE_WGET_HTTPS |
279 | @@ -1151,6 +1230,7 @@ static void download_one_url(const char *url) | 253 | @@ -1230,26 +1276,51 @@ static void download_one_url(const char *url) |
280 | server.user = NULL; | ||
281 | target.user = NULL; | ||
282 | |||
283 | + printf("wget download_one_url 1\n"); | ||
284 | parse_url(url, &target); | ||
285 | |||
286 | /* Use the proxy if necessary */ | ||
287 | @@ -1172,6 +1252,7 @@ static void download_one_url(const char *url) | ||
288 | server.host = target.host; | ||
289 | } | ||
290 | } | ||
291 | + printf("wget download_one_url 2\n"); | ||
292 | |||
293 | if (ENABLE_FEATURE_IPV6) | ||
294 | strip_ipv6_scope_id(target.host); | ||
295 | @@ -1191,6 +1272,7 @@ static void download_one_url(const char *url) | ||
296 | G.fname_out = fname_out_alloc = xstrdup(G.fname_out); | ||
297 | } | ||
298 | } | ||
299 | + printf("wget download_one_url 3\n"); | ||
300 | #if ENABLE_FEATURE_WGET_STATUSBAR | ||
301 | G.curfile = bb_get_last_path_component_nostrip(G.fname_out); | ||
302 | #endif | ||
303 | @@ -1206,15 +1288,19 @@ static void download_one_url(const char *url) | ||
304 | * We are not sure it exists on remote side */ | ||
305 | } | ||
306 | |||
307 | + printf("wget download_one_url 4\n"); | ||
308 | redir_limit = 16; | ||
309 | resolve_lsa: | ||
310 | + printf("wget download_one_url 5\n"); | ||
311 | lsa = xhost2sockaddr(server.host, server.port); | ||
312 | if (!(option_mask32 & WGET_OPT_QUIET)) { | ||
313 | char *s = xmalloc_sockaddr2dotted(&lsa->u.sa); | ||
314 | fprintf(stderr, "Connecting to %s (%s)\n", server.host, s); | ||
315 | free(s); | ||
316 | } | ||
317 | + printf("wget download_one_url 6\n"); | ||
318 | establish_session: | ||
319 | + printf("wget download_one_url 7\n"); | ||
320 | /*G.content_len = 0; - redundant, got_clen = 0 is enough */ | ||
321 | G.got_clen = 0; | ||
322 | G.chunked = 0; | ||
323 | @@ -1229,37 +1315,61 @@ static void download_one_url(const char *url) | ||
324 | |||
325 | /* Open socket to http(s) server */ | 254 | /* Open socket to http(s) server */ |
326 | #if ENABLE_FEATURE_WGET_OPENSSL | 255 | #if ENABLE_FEATURE_WGET_OPENSSL |
327 | + printf("wget download_one_url 8\n"); | ||
328 | /* openssl (and maybe internal TLS) support is configured */ | 256 | /* openssl (and maybe internal TLS) support is configured */ |
329 | + struct tls *ctx; | 257 | + struct tls *ctx; |
330 | if (server.protocol == P_HTTPS) { | 258 | if (server.protocol == P_HTTPS) { |
@@ -332,251 +260,95 @@ index 6a64836fb..13474abe4 100644 | |||
332 | * Inconvenient API since we can't give it an open fd | 260 | * Inconvenient API since we can't give it an open fd |
333 | */ | 261 | */ |
334 | - int fd = spawn_https_helper_openssl(server.host, server.port); | 262 | - int fd = spawn_https_helper_openssl(server.host, server.port); |
335 | -# if ENABLE_FEATURE_WGET_HTTPS | 263 | + //int fd = spawn_https_helper_openssl(server.host, server.port); |
264 | # if ENABLE_FEATURE_WGET_HTTPS | ||
336 | - if (fd < 0) { /* no openssl? try internal */ | 265 | - if (fd < 0) { /* no openssl? try internal */ |
337 | - sfp = open_socket(lsa); | 266 | - sfp = open_socket(lsa); |
338 | - spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0); | 267 | - spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0); |
339 | - goto socket_opened; | 268 | - goto socket_opened; |
340 | + printf("wget download_one_url 9\n"); | 269 | - } |
341 | + //int fd = spawn_https_helper_openssl(server.host, server.port); | 270 | + char *allocated, *servername, *host, *pemmem; |
342 | + char *allocated, *servername, *p, *host; | 271 | + struct tls_config *config; |
343 | + if(!strchr(server.host, ":")) | 272 | + if(!strchr(server.host, ':')) |
344 | + host = allocated = xasprintf("%s:%u", server.host, server.port); | 273 | + host = allocated = xasprintf("%s:%u", server.host, server.port); |
345 | + servername = xstrdup(host); | 274 | + servername = xstrdup(host); |
346 | + ctx = tls_client(); | 275 | + ctx = tls_client(); |
347 | + if(ctx == NULL) | 276 | + if(ctx == NULL) |
348 | + bb_error_msg_and_die("Out of memory 1"); | 277 | + bb_error_msg_and_die("Out of memory 1"); |
349 | + struct tls_config *config; | ||
350 | + config = tls_config_new(); | 278 | + config = tls_config_new(); |
351 | + if(config == NULL) | 279 | + if(config == NULL) |
352 | + bb_error_msg_and_die("Out of memory 2"); | 280 | + bb_error_msg_and_die("Out of memory 2"); |
353 | + if(tls_config_set_ca_path(config, "certs") != 0) | 281 | + if(tls_config_set_ca_path(config, "certs") != 0) |
282 | + bb_error_msg_and_die("Failed to set ca path"); | ||
283 | + if(tls_config_set_ca_file(config, "cert.pem") != 0) | ||
354 | + bb_error_msg_and_die("Failed to set ca file"); | 284 | + bb_error_msg_and_die("Failed to set ca file"); |
285 | + gather_certificates(config); | ||
355 | + if(tls_configure(ctx,config) != 0) | 286 | + if(tls_configure(ctx,config) != 0) |
356 | + bb_error_msg_and_die("Failed to configure client"); | 287 | + bb_error_msg_and_die("Failed to configure client"); |
357 | + sfp = tmpfile(); | 288 | + sfp = tmpfile(); |
358 | + dfp = tmpfile(); | 289 | + dfp = tmpfile(); |
359 | + if(tls_connect_fds(ctx, dfp, sfp, servername) != 0) | 290 | + if(tls_connect(ctx, servername, NULL) != 0) |
360 | + bb_error_msg_and_die("Failed to connect: %s", tls_error(ctx)); | 291 | + bb_error_msg_and_die("Failed to connect: %s", tls_error(ctx)); |
292 | + free(pemmem); | ||
361 | + tls_config_free(config); | 293 | + tls_config_free(config); |
362 | + free(allocated); | 294 | + free(allocated); |
363 | + free(servername); | 295 | + free(servername); |
364 | + printf("wget download_one_url 10\n"); | ||
365 | + printf("wget download_one_url 13\n"); | ||
366 | + //sfp = fdopen(fd, "r+"); | 296 | + //sfp = fdopen(fd, "r+"); |
367 | + if (!sfp){ | 297 | + if (!sfp) |
368 | + bb_error_msg_and_die("Error opening fd: %s",strerror(errno)); | 298 | + bb_error_msg_and_die("Error opening fd: %s",strerror(errno)); |
369 | } | 299 | # else |
370 | -# else | 300 | /* We don't check for exec("openssl") failure in this case */ |
371 | - /* We don't check for exec("openssl") failure in this case */ | 301 | # endif |
372 | -# endif | ||
373 | - sfp = fdopen(fd, "r+"); | 302 | - sfp = fdopen(fd, "r+"); |
374 | - if (!sfp) | 303 | - if (!sfp) |
375 | - bb_die_memory_exhausted(); | 304 | - bb_die_memory_exhausted(); |
376 | + printf("wget download_one_url 14\n"); | 305 | + //sfp = fdopen(fd, "r+"); |
306 | + //if (!sfp) | ||
307 | + // bb_die_memory_exhausted(); | ||
377 | goto socket_opened; | 308 | goto socket_opened; |
378 | } | 309 | } |
379 | - sfp = open_socket(lsa); | 310 | - sfp = open_socket(lsa); |
380 | + printf("wget download_one_url 15\n"); | ||
381 | + //sfp = open_socket(lsa); | 311 | + //sfp = open_socket(lsa); |
382 | socket_opened: | 312 | socket_opened: |
383 | #elif ENABLE_FEATURE_WGET_HTTPS | 313 | #elif ENABLE_FEATURE_WGET_HTTPS |
384 | /* Only internal TLS support is configured */ | 314 | /* Only internal TLS support is configured */ |
385 | + printf("wget download_one_url 16\n"); | 315 | @@ -1353,7 +1424,35 @@ static void download_one_url(const char *url) |
386 | sfp = open_socket(lsa); | ||
387 | if (server.protocol == P_HTTPS) | ||
388 | spawn_ssl_client(server.host, fileno(sfp), /*flags*/ 0); | ||
389 | #else | ||
390 | + printf("wget download_one_url 17\n"); | ||
391 | /* ssl (https) support is not configured */ | ||
392 | sfp = open_socket(lsa); | ||
393 | #endif | ||
394 | + printf("wget download_one_url 18\n"); | ||
395 | /* Send HTTP request */ | ||
396 | if (use_proxy) { | ||
397 | SENDFMT(sfp, "GET %s://%s/%s HTTP/1.1\r\n", | ||
398 | @@ -1270,6 +1380,7 @@ static void download_one_url(const char *url) | ||
399 | (option_mask32 & WGET_OPT_POST) ? "POST" : "GET", | ||
400 | target.path); | ||
401 | } | ||
402 | + printf("wget download_one_url 19\n"); | ||
403 | if (!USR_HEADER_HOST) | ||
404 | SENDFMT(sfp, "Host: %s\r\n", target.host); | ||
405 | if (!USR_HEADER_USER_AGENT) | ||
406 | @@ -1280,6 +1391,7 @@ static void download_one_url(const char *url) | ||
407 | */ | ||
408 | SENDFMT(sfp, "Connection: close\r\n"); | ||
409 | |||
410 | + printf("wget download_one_url 20\n"); | ||
411 | #if ENABLE_FEATURE_WGET_AUTHENTICATION | ||
412 | if (target.user && !USR_HEADER_AUTH) { | ||
413 | SENDFMT(sfp, "Proxy-Authorization: Basic %s\r\n"+6, | ||
414 | @@ -1291,6 +1403,7 @@ static void download_one_url(const char *url) | ||
415 | } | ||
416 | #endif | ||
417 | |||
418 | + printf("wget download_one_url 21\n"); | ||
419 | if (G.beg_range != 0 && !USR_HEADER_RANGE) | ||
420 | SENDFMT(sfp, "Range: bytes=%"OFF_FMT"u-\r\n", G.beg_range); | ||
421 | |||
422 | @@ -1300,6 +1413,7 @@ static void download_one_url(const char *url) | ||
423 | fputs(G.extra_headers, sfp); | ||
424 | } | ||
425 | |||
426 | + printf("wget download_one_url 22\n"); | ||
427 | if (option_mask32 & WGET_OPT_POST_FILE) { | ||
428 | int fd = xopen_stdin(G.post_file); | ||
429 | G.post_data = xmalloc_read(fd, NULL); | ||
430 | @@ -1314,15 +1428,18 @@ static void download_one_url(const char *url) | ||
431 | ); | ||
432 | } | ||
433 | # if ENABLE_PLATFORM_MINGW32 | ||
434 | + printf("wget download_one_url 23\n"); | ||
435 | if (!USR_HEADER_CONTENT_LENGTH) | ||
436 | SENDFMT(sfp, "Content-Length: %u\r\n", | ||
437 | (int)strlen(G.post_data) | ||
438 | ); | ||
439 | + printf("wget download_one_url 24\n"); | ||
440 | SENDFMT(sfp, | ||
441 | "\r\n" | ||
442 | "%s", | ||
443 | G.post_data | ||
444 | ); | ||
445 | + printf("wget download_one_url 25\n"); | ||
446 | } else | ||
447 | # else | ||
448 | SENDFMT(sfp, | ||
449 | @@ -1338,6 +1455,7 @@ static void download_one_url(const char *url) | ||
450 | SENDFMT(sfp, "\r\n"); | ||
451 | } | ||
452 | |||
453 | + printf("wget download_one_url 26\n"); | ||
454 | fflush(sfp); | ||
455 | |||
456 | /* Tried doing this unconditionally. | ||
457 | @@ -1345,27 +1463,38 @@ static void download_one_url(const char *url) | ||
458 | */ | ||
459 | #if SSL_SUPPORTED | ||
460 | if (target.protocol == P_HTTPS) { | ||
461 | + printf("wget download_one_url 26-2\n"); | ||
462 | /* If we use SSL helper, keeping our end of the socket open for writing | ||
463 | * makes our end (i.e. the same fd!) readable (EAGAIN instead of EOF) | ||
464 | * even after child closes its copy of the fd. | ||
465 | * This helps: | ||
466 | */ | ||
467 | shutdown(fileno(sfp), SHUT_WR); | 316 | shutdown(fileno(sfp), SHUT_WR); |
468 | + printf("wget download_one_url 26-3\n"); | ||
469 | } | 317 | } |
470 | #endif | 318 | #endif |
471 | 319 | - | |
320 | + //How much data did we actually get? | ||
321 | + size_t wlen, bufsize; | ||
322 | + wlen = ftell(sfp); | ||
323 | + bufsize = 4096; | ||
324 | + char buf[bufsize]; | ||
325 | + char *outbuf; | ||
326 | + outbuf = (char*)malloc(sizeof(char) * wlen); | ||
327 | + rewind(sfp); | ||
328 | + rewind(dfp); | ||
329 | + if(fread(outbuf, sizeof(char), wlen, sfp) < wlen) | ||
330 | + bb_error_msg_and_die("Failed to read tmpfile: %s", strerror(errno)); | ||
331 | + if(tls_write(ctx, outbuf, wlen) < wlen) | ||
332 | + bb_error_msg_and_die("Failed to write:%s",tls_error(ctx)); | ||
333 | + ssize_t len; | ||
334 | + len = TLS_WANT_POLLIN; | ||
335 | + while(len == TLS_WANT_POLLIN || len > 0){ | ||
336 | + len = tls_read(ctx, buf, bufsize); | ||
337 | + if(len == -1) | ||
338 | + bb_error_msg_and_die("Failed tls read: %s", tls_error(ctx)); | ||
339 | + if (len != TLS_WANT_POLLIN){ | ||
340 | + wlen = fwrite(buf, sizeof(char), len, dfp); | ||
341 | + if(wlen != len) | ||
342 | + bb_error_msg_and_die("Failed to write to tempfile: (%zu) (%zd) %s", wlen, len, strerror(errno)); | ||
343 | + } | ||
344 | + } | ||
345 | + if(len == -1) | ||
346 | + bb_error_msg_and_die("tls read error: %s", tls_error(ctx)); | ||
472 | + rewind(dfp); | 347 | + rewind(dfp); |
473 | + sfp = dfp; | 348 | + sfp = dfp; |
474 | /* | 349 | /* |
475 | * Retrieve HTTP response line and check for "200" status code. | 350 | * Retrieve HTTP response line and check for "200" status code. |
476 | */ | 351 | */ |
477 | read_response: | ||
478 | + printf("wget download_one_url 27\n"); | ||
479 | fgets_trim_sanitize(sfp, " %s\n"); | ||
480 | + printf("wget download_one_url 27-1\n"); | ||
481 | |||
482 | str = G.wget_buf; | ||
483 | + printf("wget download_one_url 27-2\n"); | ||
484 | str = skip_non_whitespace(str); | ||
485 | + printf("wget download_one_url 27-3\n"); | ||
486 | str = skip_whitespace(str); | ||
487 | + printf("wget download_one_url 27-4\n"); | ||
488 | // FIXME: no error check | ||
489 | // xatou wouldn't work: "200 OK" | ||
490 | + printf("wget download_one_url 27-5\n"); | ||
491 | status = atoi(str); | ||
492 | + printf("wget download_one_url 27-6\n"); | ||
493 | switch (status) { | ||
494 | case 0: | ||
495 | case 100: | ||
496 | @@ -1441,6 +1570,7 @@ However, in real world it was observed that some web servers | ||
497 | /* | ||
498 | * Retrieve HTTP headers. | ||
499 | */ | ||
500 | + printf("wget download_one_url 28\n"); | ||
501 | while ((str = get_sanitized_hdr(sfp)) != NULL) { | ||
502 | static const char keywords[] ALIGN1 = | ||
503 | "content-length\0""transfer-encoding\0""location\0"; | ||
504 | @@ -1497,6 +1627,7 @@ However, in real world it was observed that some web servers | ||
505 | goto establish_session; | ||
506 | } | ||
507 | } | ||
508 | + printf("wget download_one_url 29\n"); | ||
509 | // if (status >= 300) | ||
510 | // bb_error_msg_and_die("bad redirection (no Location: header from server)"); | ||
511 | |||
512 | @@ -1514,6 +1645,7 @@ However, in real world it was observed that some web servers | ||
513 | |||
514 | free(lsa); | ||
515 | |||
516 | + printf("wget download_one_url 30\n"); | ||
517 | if (!(option_mask32 & WGET_OPT_SPIDER)) { | ||
518 | if (G.output_fd < 0) | ||
519 | G.output_fd = xopen(G.fname_out, G.o_flags); | ||
520 | @@ -1536,6 +1668,7 @@ However, in real world it was observed that some web servers | ||
521 | /* ftpcmd("QUIT", NULL, sfp); - why bother? */ | ||
522 | } | ||
523 | #endif | ||
524 | + printf("wget download_one_url 31\n"); | ||
525 | fclose(sfp); | ||
526 | |||
527 | free(server.allocated); | ||
528 | @@ -1544,11 +1677,13 @@ However, in real world it was observed that some web servers | ||
529 | free(target.user); | ||
530 | free(fname_out_alloc); | ||
531 | free(redirected_path); | ||
532 | + printf("wget download_one_url 32\n"); | ||
533 | } | ||
534 | |||
535 | int wget_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; | ||
536 | int wget_main(int argc UNUSED_PARAM, char **argv) | ||
537 | { | ||
538 | + printf("wget main 1\n"); | ||
539 | #if ENABLE_FEATURE_WGET_LONG_OPTIONS | ||
540 | static const char wget_longopts[] ALIGN1 = | ||
541 | /* name, has_arg, val */ | ||
542 | @@ -1590,6 +1725,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") | ||
543 | #endif | ||
544 | |||
545 | INIT_G(); | ||
546 | + printf("wget main 2\n"); | ||
547 | |||
548 | #if ENABLE_FEATURE_WGET_TIMEOUT | ||
549 | G.timeout_seconds = 900; | ||
550 | @@ -1626,6 +1762,8 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") | ||
551 | IF_FEATURE_WGET_LONG_OPTIONS(, &G.post_data) | ||
552 | IF_FEATURE_WGET_LONG_OPTIONS(, &G.post_file) | ||
553 | ); | ||
554 | + | ||
555 | + printf("wget main 3\n"); | ||
556 | #if 0 /* option bits debug */ | ||
557 | if (option_mask32 & WGET_OPT_RETRIES) bb_error_msg("-t NUM"); | ||
558 | if (option_mask32 & WGET_OPT_nsomething) bb_error_msg("-nsomething"); | ||
559 | @@ -1670,6 +1808,7 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") | ||
560 | } | ||
561 | #endif | ||
562 | |||
563 | + printf("wget main 4\n"); | ||
564 | G.output_fd = -1; | ||
565 | G.o_flags = O_WRONLY | O_CREAT | O_TRUNC | O_EXCL; | ||
566 | if (G.fname_out) { /* -O FILE ? */ | ||
567 | @@ -1691,8 +1830,11 @@ IF_DESKTOP( "no-parent\0" No_argument "\xf0") | ||
568 | } | ||
569 | } | ||
570 | |||
571 | - while (*argv) | ||
572 | + printf("wget main 5\n"); | ||
573 | + while (*argv) { | ||
574 | + printf("wget main 5-%s\n",argv); | ||
575 | download_one_url(*argv++); | ||
576 | + } | ||
577 | |||
578 | if (G.output_fd >= 0) | ||
579 | xclose(G.output_fd); | ||
580 | diff --git a/scripts/trylink b/scripts/trylink | 352 | diff --git a/scripts/trylink b/scripts/trylink |
581 | index 2456252a3..6186284f1 100755 | 353 | index 2456252a3..6186284f1 100755 |
582 | --- a/scripts/trylink | 354 | --- a/scripts/trylink |