From d1c0fce6820b91accbf37d4a3056c007293d4049 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim Rühsen?= <address@hidden>
Date: Thu, 6 Nov 2014 17:53:44 +0100
Subject: [PATCH] Added --crl-file to load a Certificate Revocation List (CRL)
 file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported-by: Noël Köthe <address@hidden>
---
 doc/ChangeLog |  4 ++++
 doc/wget.texi |  5 +++++
 src/ChangeLog |  8 ++++++++
 src/gnutls.c  | 11 +++++++++++
 src/init.c    | 19 +++++++++++++++++++
 src/main.c    |  3 +++
 src/options.h |  1 +
 7 files changed, 51 insertions(+)

diff --git a/doc/ChangeLog b/doc/ChangeLog
index d071efd..4cd67ef 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,7 @@
+2014-11-06  Tim Ruehsen  <address@hidden>
+
+	* wget.texi: added description for --crl-file
+
 2014-10-28  Giuseppe Scrivano  <address@hidden>

 	* Makefile.am: Replace $FOO with @address@hidden
diff --git a/doc/wget.texi b/doc/wget.texi
index d7a4c94..a5fd285 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1725,6 +1725,11 @@ it allows Wget to fetch certificates on demand.
 Without this option Wget looks for CA certificates at the
 system-specified locations, chosen at OpenSSL installation time.

address@hidden SSL CRL, certificate revocation list
address@hidden address@hidden
+Specifies a CRL file in @var{file}.  This is needed for certificates
+that have been revocated by the CAs.
+
 @cindex entropy, specifying source of
 @cindex randomness, specifying source of
 @item address@hidden
diff --git a/src/ChangeLog b/src/ChangeLog
index 6193075..1e68d91 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,11 @@
+2014-11-06  Tim Ruehsen  <address@hidden>
+
+	* init.c, main.c, options.h: added new option --crl-file
+	  for specifying a CRL (Certificate Revocation List) file.
+	* gnutls.c: load CRL file given by --crl-file
+
+	Reported-by: Noël Köthe <address@hidden>
+
 2014-11-04  Tim Ruehsen  <address@hidden>

 	* iri.c (do_conversion): fix quote() misuse
diff --git a/src/gnutls.c b/src/gnutls.c
index 230ae9a..4f9bda0 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -149,6 +149,17 @@ ssl_init (void)
         }
     }

+  if (opt.crl_file)
+    {
+      int rc;
+
+      if ((rc = gnutls_certificate_set_x509_crl_file (credentials, opt.crl_file, GNUTLS_X509_FMT_PEM)) <= 0)
+        {
+          logprintf (LOG_NOTQUIET, _("ERROR: Failed to load CRL file '%s': (%d)\n"), opt.crl_file, rc);
+          return false;
+        }
+    }
+
   DEBUGP (("Certificates loaded: %d\n", ncerts));

   /* Use the private key from the cert file unless otherwise specified. */
diff --git a/src/init.c b/src/init.c
index ef1dc8d..6c09744 100644
--- a/src/init.c
+++ b/src/init.c
@@ -91,6 +91,7 @@ CMD_DECLARE (cmd_number_inf);
 CMD_DECLARE (cmd_string);
 CMD_DECLARE (cmd_string_uppercase);
 CMD_DECLARE (cmd_file);
+CMD_DECLARE (cmd_file_once);
 CMD_DECLARE (cmd_directory);
 CMD_DECLARE (cmd_time);
 CMD_DECLARE (cmd_vector);
@@ -158,6 +159,9 @@ static const struct {
   { "continue",         &opt.always_rest,       cmd_boolean },
   { "convertlinks",     &opt.convert_links,     cmd_boolean },
   { "cookies",          &opt.cookies,           cmd_boolean },
+#ifdef HAVE_SSL
+  { "crlfile",      &opt.crl_file,          cmd_file_once },
+#endif
   { "cutdirs",          &opt.cut_dirs,          cmd_number },
   { "debug",            &opt.debug,             cmd_boolean },
   { "defaultpage",      &opt.default_page,      cmd_string },
@@ -1026,6 +1030,20 @@ cmd_file (const char *com _GL_UNUSED, const char *val, void *place)
   return true;
 }

+/* like cmd_file, but insist on just a single option usage */
+static bool
+cmd_file_once (const char *com _GL_UNUSED, const char *val, void *place)
+{
+  if (*(char **)place)
+    {
+      fprintf (stderr, _("%s: %s must only be used once\n"),
+               exec_name, com);
+      return false;
+    }
+
+  return cmd_file(com, val, place);
+}
+
 /* Like cmd_file, but strips trailing '/' characters.  */
 static bool
 cmd_directory (const char *com, const char *val, void *place)
@@ -1780,6 +1798,7 @@ cleanup (void)
   xfree_null (opt.private_key);
   xfree_null (opt.ca_directory);
   xfree_null (opt.ca_cert);
+  xfree_null (opt.crl_file);
   xfree_null (opt.random_file);
   xfree_null (opt.egd_file);
 # endif
diff --git a/src/main.c b/src/main.c
index 4fefe04..2978847 100644
--- a/src/main.c
+++ b/src/main.c
@@ -175,6 +175,7 @@ static struct cmdline_option option_data[]      { "content-disposition", 0, OPT_BOOLEAN, "contentdisposition", -1 },
     { "content-on-error", 0, OPT_BOOLEAN, "contentonerror", -1 },
     { "cookies", 0, OPT_BOOLEAN, "cookies", -1 },
+    { IF_SSL ("crl-file"), 0, OPT_VALUE, "crlfile", -1 },
     { "cut-dirs", 0, OPT_VALUE, "cutdirs", -1 },
     { "debug", 'd', OPT_BOOLEAN, "debug", -1 },
     { "default-page", 0, OPT_VALUE, "defaultpage", -1 },
@@ -653,6 +654,8 @@ HTTPS (SSL/TLS) options:\n"),
     N_("\
        --ca-directory=DIR          directory where hash list of CA's is stored.\n"),
     N_("\
+       --crl-file=FILE             file with bundle of CRL's.\n"),
+    N_("\
        --random-file=FILE          file with random data for seeding the SSL PRNG.\n"),
     N_("\
        --egd-file=FILE             file naming the EGD socket with random data.\n"),
diff --git a/src/options.h b/src/options.h
index 3346c91..b995126 100644
--- a/src/options.h
+++ b/src/options.h
@@ -218,6 +218,7 @@ struct options

   char *ca_directory;           /* CA directory (hash files) */
   char *ca_cert;                /* CA certificate file to use */
+  char *crl_file;               /* file with CRLs */

   char *random_file;            /* file with random data to seed the PRNG */
   char *egd_file;               /* file name of the egd daemon socket */
--
2.1.3