From cad9490216b71e3776550bf8da14e01d3d2edc56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim Rühsen?=
Date: Thu, 6 Nov 2014 17:53:44 +0100
Subject: [PATCH] Added --crl-file to load a Certificate Revocation List (CRL) file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported-by: Noël Köthe
---
 doc/ChangeLog | 4 ++++
 doc/wget.texi | 5 +++++
 src/ChangeLog | 8 ++++++++
 src/gnutls.c | 8 ++++++++
 src/init.c | 4 ++++
 src/main.c | 3 +++
 src/options.h | 1 +
 7 files changed, 33 insertions(+)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index d071efd..4cd67ef 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,7 @@
+2014-11-06 Tim Ruehsen
+
+ * wget.texi: added description for --crl-file
+
 2014-10-28 Giuseppe Scrivano
 * Makefile.am: Replace $FOO with @address@hidden
diff --git a/doc/wget.texi b/doc/wget.texi
index d7a4c94..a5fd285 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1725,6 +1725,11 @@ it allows Wget to fetch certificates on demand.
 Without this option Wget looks for CA certificates at the system-specified
 locations, chosen at OpenSSL installation time.
address@hidden SSL CRL, certificate revocation list
address@hidden address@hidden
+Specifies a CRL file in @var{file}. This is needed for certificates
+that have been revocated by the CAs.
+
 @cindex entropy, specifying source of
 @cindex randomness, specifying source of
 @item address@hidden
diff --git a/src/ChangeLog b/src/ChangeLog
index 6193075..6822fbb 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,11 @@
+2014-11-06 Tim Ruehsen
+
+ * init.c, main.c, options.h: added new option --crl-file
+ for specifying a CRL (Certificate Revocation List) file.
+ * gnutls.c: load CRL file given by --crl-file
+
+ Reported-by: Noël Köthe
+
 2014-11-04 Tim Ruehsen
 * iri.c (do_conversion): fix quote() misuse
diff --git a/src/gnutls.c b/src/gnutls.c
index 230ae9a..78da567 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -149,6 +149,14 @@ ssl_init (void)
 }
 }
+ if (opt.crl_file)
+ {
+ int rc;
+
+ if ((rc = gnutls_certificate_set_x509_crl_file (credentials, opt.crl_file, GNUTLS_X509_FMT_PEM)) <= 0)
+ logprintf (LOG_NOTQUIET, _("ERROR: Failed to load CRL file '%s': (%d)\n"), opt.crl_file, rc);
+ }
+
 DEBUGP (("Certificates loaded: %d\n", ncerts));
 /* Use the private key from the cert file unless otherwise specified. */
diff --git a/src/init.c b/src/init.c
index ef1dc8d..ef8c18f 100644
--- a/src/init.c
+++ b/src/init.c
@@ -158,6 +158,9 @@ static const struct {
 { "continue", &opt.always_rest, cmd_boolean },
 { "convertlinks", &opt.convert_links, cmd_boolean },
 { "cookies", &opt.cookies, cmd_boolean },
+#ifdef HAVE_SSL
+ { "crlfile", &opt.crl_file, cmd_file },
+#endif
 { "cutdirs", &opt.cut_dirs, cmd_number },
 { "debug", &opt.debug, cmd_boolean },
 { "defaultpage", &opt.default_page, cmd_string },
@@ -1780,6 +1783,7 @@ cleanup (void)
 xfree_null (opt.private_key);
 xfree_null (opt.ca_directory);
 xfree_null (opt.ca_cert);
+ xfree_null (opt.crl_file);
 xfree_null (opt.random_file);
 xfree_null (opt.egd_file);
 # endif
diff --git a/src/main.c b/src/main.c
index 4fefe04..2978847 100644
--- a/src/main.c
+++ b/src/main.c
@@ -175,6 +175,7 @@ static struct cmdline_option option_data[]
 { "content-disposition", 0, OPT_BOOLEAN, "contentdisposition", -1 },
 { "content-on-error", 0, OPT_BOOLEAN, "contentonerror", -1 },
 { "cookies", 0, OPT_BOOLEAN, "cookies", -1 },
+ { IF_SSL ("crl-file"), 0, OPT_VALUE, "crlfile", -1 },
 { "cut-dirs", 0, OPT_VALUE, "cutdirs", -1 },
 { "debug", 'd', OPT_BOOLEAN, "debug", -1 },
 { "default-page", 0, OPT_VALUE, "defaultpage", -1 },
@@ -653,6 +654,8 @@ HTTPS (SSL/TLS) options:\n"),
 N_("\
 --ca-directory=DIR directory where hash list of CA's is stored.\n"),
 N_("\
+ --crl-file=FILE file with bundle of CRL's.\n"),
+ N_("\
 --random-file=FILE file with random data for seeding the SSL PRNG.\n"),
 N_("\
 --egd-file=FILE file naming the EGD socket with random data.\n"),
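Review bot: A CRL file the user explicitly named with --crl-file that fails to load (the `<= 0` branch after `gnutls_certificate_set_x509_crl_file`) is only logged at LOG_NOTQUIET and ssl_init carries on to the DEBUGP line, so the connection proceeds with no revocation data at all while the user believes revocation is being enforced; since the option was given deliberately, a load failure should make ssl_init report failure the way its other fatal setup errors appear to (confirm against the rest of the function), not degrade silently. The diagnostic also prints only the bare numeric rc; `logprintf (LOG_NOTQUIET, _("ERROR: Failed to load CRL file '%s': %s\n"), opt.crl_file, gnutls_strerror (rc));` would tell the user why (unreadable file, wrong encoding, zero CRLs found). The encoding is hard-wired to GNUTLS_X509_FMT_PEM, so a DER-encoded CRL of the kind CAs commonly publish is rejected with the same message; either state in the help and texi text that the file must be a PEM bundle, or retry with GNUTLS_X509_FMT_DER when the PEM load returns 0. ssl_init's body continues outside the hunk.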
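Review bot: The new `{ IF_SSL ("crl-file"), 0, OPT_VALUE, "crlfile", -1 }` entry exposes --crl-file on every SSL build, but only the gnutls.c hunk consumes opt.crl_file and the diffstat touches nothing in the OpenSSL backend, so a Wget linked against OpenSSL accepts the option and then performs no revocation check against the named file. Until that backend honours the option it should either be registered only for GnuTLS builds or rejected at startup with a clear message when the backend cannot use it, so a user never gets a false sense that revoked certificates are being refused. The help line in the second main.c hunk would also be more useful if it named the accepted encoding, e.g. `--crl-file=FILE file with bundle of CRLs (PEM).\n`, since the loader currently accepts only PEM.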
diff --git a/src/options.h b/src/options.h
index 3346c91..b995126 100644
--- a/src/options.h
+++ b/src/options.h
@@ -218,6 +218,7 @@ struct options
 char *ca_directory; /* CA directory (hash files) */
 char *ca_cert; /* CA certificate file to use */
+ char *crl_file; /* file with CRLs */
 char *random_file; /* file with random data to seed the PRNG */
 char *egd_file; /* file name of the egd daemon socket */
-- 
2.1.3