
Bug#737328: wheezy-pu: package wget/1.13.4-3



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: wheezy
Severity: normal

Hello,

the wget version 1.13.4-3 in wheezy lacks support for TLS
Server Name Indication (SNI,
https://en.wikipedia.org/wiki/Server_Name_Indication ), so it cannot
fetch from HTTPS hosts that serve several certificates on one address.
The feature was added upstream in wget 1.14.
I was asked by DSA and some other users to backport SNI to the wget in wheezy.

A testing URL is https://sni.velox.ch/

The debdiff is attached below.

Is it OK to upload this wget_1.13.4-3+deb7u1 package to
stable-proposed-updates?

Thanks.

Regards

	Noël
diff -Nru wget-1.13.4/debian/changelog wget-1.13.4/debian/changelog
--- wget-1.13.4/debian/changelog	2012-04-09 19:48:37.000000000 +0200
+++ wget-1.13.4/debian/changelog	2014-02-01 19:34:19.000000000 +0100
@@ -1,3 +1,12 @@
+wget (1.13.4-3+deb7u1) stable-proposed-updates; urgency=low
+
+  * backported TLS Server Name Indication (SNI) to stable 
+    (patches/wget-tls-sni) from wget 1.14
+    http://git.savannah.gnu.org/cgit/wget.git/commit/?id=fd582e454378db9a1e218acf79f24fbe042bed98
+    closes: #653267
+
+ -- Noël Köthe <noel@debian.org>  Sat,  1 Feb 2014 20:29:14 +0100
+
 wget (1.13.4-3) unstable; urgency=low
 
   [ Daniel Kahn Gillmor ]
diff -Nru wget-1.13.4/debian/patches/series wget-1.13.4/debian/patches/series
--- wget-1.13.4/debian/patches/series	2012-04-09 19:38:06.000000000 +0200
+++ wget-1.13.4/debian/patches/series	2014-01-27 21:28:04.000000000 +0100
@@ -4,3 +4,4 @@
 wget-passive_ftp-default
 debian-changes-1.13-1
 gnutls-client-cert
+wget-tls-sni
diff -Nru wget-1.13.4/debian/patches/wget-tls-sni wget-1.13.4/debian/patches/wget-tls-sni
--- wget-1.13.4/debian/patches/wget-tls-sni	1970-01-01 01:00:00.000000000 +0100
+++ wget-1.13.4/debian/patches/wget-tls-sni	2014-01-27 21:33:46.000000000 +0100
@@ -0,0 +1,178 @@
+From fd582e454378db9a1e218acf79f24fbe042bed98 Mon Sep 17 00:00:00 2001
+From: Phil Pennock <mutt-dev@spodhuis.org>
+Date: Fri, 13 Apr 2012 23:58:46 +0200
+Subject: [PATCH] Add support for TLS SNI
+
+diff --git a/src/gnutls.c b/src/gnutls.c
+index 291da89..cbd5e1d 100644
+--- a/src/gnutls.c
++++ b/src/gnutls.c
+@@ -54,6 +54,8 @@ as that of the covered work.  */
+ # include "w32sock.h"
+ #endif
+ 
++#include "host.h"
++
+ static int
+ key_type_to_gnutls_type (enum keyfile_type type)
+ {
+@@ -369,12 +371,20 @@ static struct transport_implementation wgnutls_transport =
+ };
+ 
+ bool
+-ssl_connect_wget (int fd)
++ssl_connect_wget (int fd, const char *hostname)
+ {
+   struct wgnutls_transport_context *ctx;
+   gnutls_session session;
+   int err;
+   gnutls_init (&session, GNUTLS_CLIENT);
++
++  /* We set the server name but only if it's not an IP address. */
++  if (! is_valid_ip_address (hostname))
++    {
++      gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
++			      strlen (hostname));
++    }
++
+   gnutls_set_default_priority (session);
+   gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, credentials);
+ #ifndef FD_TO_SOCKET
+diff --git a/src/host.c b/src/host.c
+index 86f107a..86bf83b 100644
+--- a/src/host.c
++++ b/src/host.c
+@@ -1,6 +1,6 @@
+ /* Host name resolution and matching.
+    Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+-   2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
++   2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Free Software Foundation,
+    Inc.
+ 
+ This file is part of GNU Wget.
+@@ -914,3 +914,18 @@ host_cleanup (void)
+       host_name_addresses_map = NULL;
+     }
+ }
++
++bool
++is_valid_ip_address (const char *name)
++{
++  const char *endp;
++
++  endp = name + strlen(name);
++  if (is_valid_ipv4_address (name, endp))
++    return true;
++#ifdef ENABLE_IPV6
++  if (is_valid_ipv6_address (name, endp))
++    return true;
++#endif
++  return false;
++}
+diff --git a/src/host.h b/src/host.h
+index 3f4a02a..3f27ea0 100644
+--- a/src/host.h
++++ b/src/host.h
+@@ -1,6 +1,6 @@
+ /* Declarations for host.c
+    Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+-   2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
++   2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Free Software Foundation,
+    Inc.
+ 
+ This file is part of GNU Wget.
+@@ -98,6 +98,8 @@ const char *print_address (const ip_address *);
+ bool is_valid_ipv6_address (const char *, const char *);
+ #endif
+ 
++bool is_valid_ip_address (const char *name);
++
+ bool accept_domain (struct url *);
+ bool sufmatch (const char **, const char *);
+ 
+diff --git a/src/http.c b/src/http.c
+index 61001f3..87d3748 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -1,6 +1,6 @@
+ /* HTTP support.
+    Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+-   2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation,
++   2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 Free Software Foundation,
+    Inc.
+ 
+ This file is part of GNU Wget.
+@@ -2082,7 +2082,7 @@ gethttp (struct url *u, struct http_stat *hs, int *dt, struct url *proxy,
+ 
+       if (conn->scheme == SCHEME_HTTPS)
+         {
+-          if (!ssl_connect_wget (sock))
++          if (!ssl_connect_wget (sock, u->host))
+             {
+               fd_close (sock);
+               return CONSSLERR;
+diff --git a/src/openssl.c b/src/openssl.c
+index bc37491..f976455 100644
+--- a/src/openssl.c
++++ b/src/openssl.c
+@@ -1,6 +1,6 @@
+ /* SSL support via OpenSSL library.
+    Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
+-   2009, 2010, 2011 Free Software Foundation, Inc.
++   2009, 2010, 2011, 2012 Free Software Foundation, Inc.
+    Originally contributed by Christian Fraenkel.
+ 
+ This file is part of GNU Wget.
+@@ -395,7 +395,7 @@ static struct transport_implementation openssl_transport = {
+    Returns true on success, false on failure.  */
+ 
+ bool
+-ssl_connect_wget (int fd)
++ssl_connect_wget (int fd, const char *hostname)
+ {
+   SSL *conn;
+   struct openssl_transport_context *ctx;
+@@ -406,6 +406,19 @@ ssl_connect_wget (int fd)
+   conn = SSL_new (ssl_ctx);
+   if (!conn)
+     goto error;
++#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
++  /* If the SSL library was build with support for ServerNameIndication
++     then use it whenever we have a hostname.  If not, don't, ever. */
++  if (! is_valid_ip_address (hostname))
++    {
++      if (! SSL_set_tlsext_host_name (conn, hostname))
++	{
++	DEBUGP (("Failed to set TLS server-name indication."));
++	goto error;
++	}
++    }
++#endif
++
+ #ifndef FD_TO_SOCKET
+ # define FD_TO_SOCKET(X) (X)
+ #endif
+diff --git a/src/ssl.h b/src/ssl.h
+index 0532c40..e365c4f 100644
+--- a/src/ssl.h
++++ b/src/ssl.h
+@@ -1,6 +1,6 @@
+ /* SSL support.
+    Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
+-   2009, 2010, 2011 Free Software Foundation, Inc.
++   2009, 2010, 2011, 2012 Free Software Foundation, Inc.
+    Originally contributed by Christian Fraenkel.
+ 
+ This file is part of GNU Wget.
+@@ -33,7 +33,7 @@ as that of the covered work.  */
+ #define GEN_SSLFUNC_H
+ 
+ bool ssl_init (void);
+-bool ssl_connect_wget (int);
++bool ssl_connect_wget (int, const char *);
+ bool ssl_check_certificate (int, const char *);
+ 
+ #endif /* GEN_SSLFUNC_H */
+-- 
+1.8.5.3
+
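Review bot: In the src/gnutls.c hunk the return value of `gnutls_server_name_set` is discarded, whereas the parallel OpenSSL hunk treats a failed `SSL_set_tlsext_host_name` as fatal (`goto error`); a GnuTLS failure would silently proceed with no SNI, and the server's default certificate would then fail the later name check in ssl_check_certificate with a misleading error (or be accepted outright under --no-check-certificate). The `err` local is already declared, so the call can be checked and the session torn down the same way the OpenSSL side does; `gnutls_deinit` is presumably what the rest of ssl_connect_wget uses on failure, but that body continues outside the hunk, so confirm against the existing error path. As a minor style point, the debug string in the openssl.c hunk lacks a trailing `\n` (`DEBUGP (("Failed to set TLS server-name indication.\n"));`). The copyright-year and series/changelog hunks are trivial and need nothing.
```c
  /* We set the server name but only if it's not an IP address. */
  if (! is_valid_ip_address (hostname))
    {
      err = gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
                                    strlen (hostname));
      if (err < 0)
        {
          DEBUGP (("Failed to set TLS server-name indication.\n"));
          gnutls_deinit (session);
          return false;
        }
    }
  /* … unchanged: gnutls_set_default_priority / credentials / handshake … */
```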
