diff --git a/SOURCES/wget-1.14-add-openssl-tlsv11-tlsv12-support.patch b/SOURCES/wget-1.14-add-openssl-tlsv11-tlsv12-support.patch
new file mode 100644
index 0000000..634cb97
--- /dev/null
+++ b/SOURCES/wget-1.14-add-openssl-tlsv11-tlsv12-support.patch
@@ -0,0 +1,122 @@
+diff --git a/doc/wget.texi b/doc/wget.texi
+index 118fce9..3bd8dd7 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -1555,16 +1555,17 @@ without SSL support, none of these options are available.
+ @cindex SSL protocol, choose
+ @item --secure-protocol=@var{protocol}
+ Choose the secure protocol to be used. Legal values are @samp{auto},
+-@samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}. If @samp{auto} is used,
+-the SSL library is given the liberty of choosing the appropriate
+-protocol automatically, which is achieved by sending an SSLv2 greeting
+-and announcing support for SSLv3 and TLSv1. This is the default.
+-
+-Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
+-of the corresponding protocol. This is useful when talking to old and
+-buggy SSL server implementations that make it hard for OpenSSL to
+-choose the correct protocol version. Fortunately, such servers are
+-quite rare.
++@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1} and
++@samp{TLSv1_2}. If @samp{auto} is used, the SSL library is given the
++liberty of choosing the appropriate protocol automatically, which is
++achieved by sending a SSLv2 greeting and announcing support for SSLv3
++and TLSv1. This is the default.
++
++Specifying @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1} or
++@samp{TLSv1_2} forces the use of the corresponding protocol. This is
++useful when talking to old and buggy SSL server implementations that
++make it hard for the underlying SSL library to choose the correct
++protocol version. Fortunately, such servers are quite rare.
+ 
+ @cindex SSL certificate, check
+ @item --no-check-certificate
+diff --git a/src/init.c b/src/init.c
+index 4cee677..f160bec 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -1488,6 +1488,8 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place)
+ { "sslv2", secure_protocol_sslv2 },
+ { "sslv3", secure_protocol_sslv3 },
+ { "tlsv1", secure_protocol_tlsv1 },
++ { "tlsv1_1", secure_protocol_tlsv1_1 },
++ { "tlsv1_2", secure_protocol_tlsv1_2 },
+ };
+ int ok = decode_string (val, choices, countof (choices), place);
+ if (!ok)
+diff --git a/src/main.c b/src/main.c
+index 9cbad9f..3d50dad 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -625,7 +625,7 @@ HTTP options:\n"),
+ HTTPS (SSL/TLS) options:\n"),
+ N_("\
+ --secure-protocol=PR choose secure protocol, one of auto, SSLv2,\n\
+- SSLv3, and TLSv1.\n"),
++ SSLv3, TLSv1, TLSv1_1 and TLSv1_2.\n"),
+ N_("\
+ --no-check-certificate don't validate the server's certificate.\n"),
+ N_("\
+diff --git a/src/openssl.c b/src/openssl.c
+index b3c31ce..141a8a3 100644
+--- a/src/openssl.c
++++ b/src/openssl.c
+@@ -40,6 +40,9 @@ as that of the covered work.
 */
+ #include
+ #include
+ #include
++#if OPENSSL_VERSION_NUMBER >= 0x00907000
++#include
++#endif
+ 
+ #include "utils.h"
+ #include "connect.h"
+@@ -176,6 +179,12 @@ ssl_init (void)
+ goto error;
+ }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x00907000
++ OPENSSL_load_builtin_modules();
++ ENGINE_load_builtin_engines();
++ CONF_modules_load_file(NULL, NULL,
++ CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE);
++#endif
+ SSL_library_init ();
+ SSL_load_error_strings ();
+ SSLeay_add_all_algorithms ();
+@@ -197,6 +206,21 @@ ssl_init (void)
+ case secure_protocol_tlsv1:
+ meth = TLSv1_client_method ();
+ break;
++#if OPENSSL_VERSION_NUMBER >= 0x10001000
++ case secure_protocol_tlsv1_1:
++ meth = TLSv1_1_client_method ();
++ break;
++ case secure_protocol_tlsv1_2:
++ meth = TLSv1_2_client_method ();
++ break;
++#else
++ case secure_protocol_tlsv1_1:
++ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
++ goto error;
++ case secure_protocol_tlsv1_2:
++ logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
++ goto error;
++#endif
+ default:
+ abort ();
+ }
+diff --git a/src/options.h b/src/options.h
+index 326123a..575e647 100644
+--- a/src/options.h
++++ b/src/options.h
+@@ -200,7 +200,9 @@ struct options
+ secure_protocol_auto,
+ secure_protocol_sslv2,
+ secure_protocol_sslv3,
+- secure_protocol_tlsv1
++ secure_protocol_tlsv1,
++ secure_protocol_tlsv1_1,
++ secure_protocol_tlsv1_2
+ } secure_protocol; /* type of secure protocol to use. */
+ bool check_cert; /* whether to validate the server's cert */
+ char *cert_file; /* external client certificate to use. */
diff --git a/SOURCES/wget-1.14-fix-synchronization-in-Test-proxied-https-auth.patch b/SOURCES/wget-1.14-fix-synchronization-in-Test-proxied-https-auth.patch
new file mode 100644
index 0000000..b0a3f87
--- /dev/null
+++ b/SOURCES/wget-1.14-fix-synchronization-in-Test-proxied-https-auth.patch
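Review bot: The `CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE)` call added to ssl_init in the src/openssl.c hunk discards its return value, so a present-but-malformed or unreadable openssl.cnf (the one case `CONF_MFLAGS_IGNORE_MISSING_FILE` does not cover) is skipped silently and wget continues with library defaults instead of the system-wide settings an administrator expected to apply. Check the result and at least report it, e.g. `if (CONF_modules_load_file (NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) logprintf (LOG_NOTQUIET, _("Failed to load OpenSSL configuration\n"));` — whether it should also `goto error` is a policy call for the maintainer. The engine/config loading is unrelated to the TLSv1.1/TLSv1.2 option the patch is named for and the patch file carries no header explaining why it is bundled; a short description at the top of the patch, or a comment above the `#if OPENSSL_VERSION_NUMBER >= 0x00907000` block saying it exists to honour the system openssl.cnf, would help the next maintainer. The body of ssl_init and the `error:` label the new cases jump to lie outside the hunk.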
@@ -0,0 +1,164 @@
+From 082e7194605e99f0e50f8909fcaf10adee747cc8 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza
+Date: Fri, 5 May 2017 13:46:11 +0200
+Subject: [PATCH] Fix client/server synchronization in
+ Test-proxied-https-auth.px test
+
+Combination of upstream commits vithout adding support for Valgrind:
+3eff3ad69a46364475e1f4abdf9412cfa87e3d6c
+2303793a626158627bdb2ac255e0f58697682b24
+
+Signed-off-by: Tomas Hozza
+---
+ tests/Test-proxied-https-auth.px | 82 +++++++++++++++++++++++-----------------
+ 1 file changed, 48 insertions(+), 34 deletions(-)
+
+diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
+index 1de5357..e1a6c44 100755
+--- a/tests/Test-proxied-https-auth.px
++++ b/tests/Test-proxied-https-auth.px
+@@ -1,4 +1,6 @@
+ #!/usr/bin/env perl
++# Simulate a tunneling proxy to a HTTPS URL that needs authentication.
++# Use two connections (Connection: close)
+ 
+ use strict;
+ use warnings;
+@@ -39,31 +41,33 @@ sub get_request {
+ }
+ 
+ sub do_server {
+- my $alrm = alarm 10;
+-
++ my ($synch_callback) = @_;
+ my $s = $SOCKET;
+ my $conn;
+ my $rqst;
+ my $rspn;
++
++ my %options = (
++ SSL_server => 1,
++ SSL_passwd_cb => sub { return "Hello"; });
++ $options{SSL_cert_file} = $cert_path if ($cert_path);
++ $options{SSL_key_file} = $key_path if ($key_path);
++ my @options = %options;
++
++ # sync with the parent
++ $synch_callback->();
++
++ # Simulate a HTTPS proxy server with tunneling.
++
+ for my $expect_inner_auth (0, 1) {
+ $conn = $s->accept;
+ $rqst = $conn->get_request;
+-
+- # TODO: expect no auth the first time, request it, expect it the second
+- # time.
+-
+ die "Method not CONNECT\n" if ($rqst->method ne 'CONNECT');
+ $rspn = HTTP::Response->new(200, 'OK');
+ $conn->send_response($rspn);
+ 
+- my %options = (
+- SSL_server => 1,
+- SSL_passwd_cb => sub { return "Hello"; });
+-
+- $options{SSL_cert_file} = $cert_path if ($cert_path);
+- $options{SSL_key_file} = $key_path if ($key_path);
+-
+- my @options = %options;
++ # Now switch from plain to SSL (for simulating a transparent tunnel
++ # to an HTTPS server).
+ 
+ $conn = IO::Socket::SSL->new_from_fd($conn->fileno, @options)
+ or die "Couldn't initiate SSL";
+@@ -74,14 +78,10 @@ sub do_server {
+ unless ($expect_inner_auth) {
+ die "Early proxied auth\n" if $rqst->header('Authorization');
+ 
+- # TODO: handle non-persistent connection here.
+ $rspn = HTTP::Response->new(401, 'Unauthorized', [
+ 'WWW-Authenticate' => 'Basic realm="gondor"',
+ Connection => 'close'
+ ]);
+- $rspn->protocol('HTTP/1.0');
+- print $rspn->as_string;
+- print $conn $rspn->as_string;
+ } else {
+ die "No proxied auth\n" unless $rqst->header('Authorization');
+ 
+@@ -89,41 +89,55 @@ sub do_server {
+ 'Content-Type' => 'text/plain',
+ 'Connection' => 'close',
+ ], "foobarbaz\n");
+- $rspn->protocol('HTTP/1.0');
+- print "=====\n";
+- print $rspn->as_string;
+- print "\n=====\n";
+- print $conn $rspn->as_string;
+ }
++
++ $rspn->protocol('HTTP/1.0');
++ print STDERR "=====\n";
++ print STDERR $rspn->as_string;
++ print STDERR "\n=====\n";
++ print $conn $rspn->as_string;
++
+ $conn->close;
+ }
++
+ undef $conn;
+ undef $s;
+- alarm $alrm;
+ }
+ 
+ sub fork_server {
+- my $pid = fork;
+- die "Couldn't fork" if ($pid < 0);
+- return $pid if $pid;
++ pipe(FROM_CHILD, TO_PARENT) or die "Cannot create pipe!";
++ select((select(TO_PARENT), $| = 1)[0]);
++
++ my $pid = fork();
++ if ($pid < 0) {
++ die "Cannot fork";
++ } elsif ($pid == 0) {
++ # child
++ close FROM_CHILD;
++ do_server(sub { print TO_PARENT "SYNC\n"; close TO_PARENT });
++ exit 0;
++ } else {
++ # parent
++ close TO_PARENT;
++ 
 chomp(my $line = );
++ close FROM_CHILD;
++ }
+ 
+- &do_server;
+- exit;
++ return $pid;
+ }
+ 
+-system ('rm -f needs-auth.txt');
++unlink "needs-auth.txt";
+ my $pid = &fork_server;
+ 
+-sleep 1;
+ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
+ . " --password=Dodgson -e https_proxy=localhost:{{port}}"
+ . " --no-check-certificate"
+ . " https://no.such.domain/needs-auth.txt";
+ $cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
+ 
+-my $code = system($cmdline);
+-system ('rm -f needs-auth.txt');
++my $code = system($cmdline . " 2>&1") >> 8;
++unlink "needs-auth.txt";
+ 
+ warn "Got code: $code\n" if $code;
+ kill ('TERM', $pid);
+-exit ($code >> 8);
++exit ($code != 0);
+-- 
+2.7.4
+
diff --git a/SPECS/wget.spec b/SPECS/wget.spec
index 49393b6..1cd541a 100644
--- a/SPECS/wget.spec
+++ b/SPECS/wget.spec
@@ -1,7 +1,7 @@
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Name: wget
 Version: 1.14
-Release: 13%{?dist}
+Release: 15%{?dist}
 License: GPLv3+
 Group: Applications/Internet
 Url: http://www.gnu.org/software/wget/
@@ -28,6 +28,12 @@ Patch16: wget-1.14-CVE-2016-4971.patch
 # Test-ftp-iri-fallback test to fail. This additional change makes
 # Test-ftp-iri-fallback test pass again.
 Patch17: wget-1.14-support-non-ASCII-characters.patch
+Patch18: wget-1.14-add-openssl-tlsv11-tlsv12-support.patch
+# Fix for randomly failing unit test
+# combination of upstream commits without the support for Valgrind
+# commit 3eff3ad69a46364475e1f4abdf9412cfa87e3d6c
+# commit 2303793a626158627bdb2ac255e0f58697682b24
+Patch19: wget-1.14-fix-synchronization-in-Test-proxied-https-auth.patch
 
 Provides: webclient
 Provides: bundled(gnulib)
@@ -66,6 +72,8 @@ support for Proxy servers, and configurability.
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1 -b tls11_tls12
+%patch19 -p1 -b test_synch_fix
 
 %build
 if pkg-config openssl ; then
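Review bot: In the new parent branch of `fork_server`, the line read from the child (`chomp(my $line = ...)`, whose read handle appears to have been lost in rendering) is never compared with the "SYNC" token the child writes, so if the child dies before `do_server` reaches `$synch_callback->()` the read returns end-of-file, `$line` is empty, and the parent still launches wget against a server that is not listening — the same race this patch sets out to remove, now reported as a confusing wget failure rather than a test-harness error. After the read, add `die "server child did not signal readiness\n" unless defined $line && $line eq 'SYNC';`. The parent also sends `kill ('TERM', $pid)` at the end without a `waitpid`, which is harmless here since the script exits immediately but would leave a zombie if more work were added after it. `sub fork_server` begins in the `@@ -89,41 +89,55 @@` hunk shown above and the test's top-level code that calls it ends in this hunk.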
@@ -105,6 +113,13 @@ make check
 %{_infodir}/*
 
 %changelog
+* Fri May 05 2017 Tomas Hozza - 1.14-15
+- Added TLSv1_1 and TLSv1_2 as secure-protocol values to help (#1439811)
+- Fixed synchronization in randomly failing unit test Test-proxied-https-auth (#1448440)
+
+* Wed Apr 12 2017 Tomas Hozza - 1.14-14
+- TLS v1.1 and v1.2 can now be specified with --secure-protocol option (#1439811)
+
 * Mon Jun 20 2016 Tomas Hozza - 1.14-13
 - Fix CVE-2016-4971 (#1345778)
 - Added support for non-ASCII URLs (Related: CVE-2016-4971)