From a7fd8ce385907c2edca62e88967051b9c6968640 Mon Sep 17 00:00:00 2001
From: Karsten Hopp
Date: May 29 2012 10:35:45 +0000
Subject: fix timeout if http server doesn't answer to SSL handshake
---
diff --git a/openssl-1.13.4-sslreadtimeout.patch b/openssl-1.13.4-sslreadtimeout.patch
new file mode 100644
index 0000000..3ab0a8c
--- /dev/null
+++ b/openssl-1.13.4-sslreadtimeout.patch
@@ -0,0 +1,107 @@
+diff -up wget-1.13.4/src/openssl.c.sslreadtimeout wget-1.13.4/src/openssl.c
+--- wget-1.13.4/src/openssl.c.sslreadtimeout 2011-08-29 10:01:24.000000000 +0200
++++ wget-1.13.4/src/openssl.c 2012-05-29 12:30:42.000000000 +0200
+@@ -254,19 +254,47 @@ struct openssl_transport_context {
+ char *last_error; /* last error printed with openssl_errstr */
+ };
+
+-static int
+-openssl_read (int fd, char *buf, int bufsize, void *arg)
++struct openssl_read_args {
++ int fd;
++ struct openssl_transport_context *ctx;
++ char *buf;
++ int bufsize;
++ int retval;
++};
++
++static void openssl_read_callback(void *arg)
+ {
+- int ret;
+- struct openssl_transport_context *ctx = arg;
++ struct openssl_read_args *args = (struct openssl_read_args *) arg;
++ struct openssl_transport_context *ctx = args->ctx;
+ SSL *conn = ctx->conn;
++ char *buf = args->buf;
++ int bufsize = args->bufsize;
++
++ int ret;
++
+ do
+ ret = SSL_read (conn, buf, bufsize);
+ while (ret == -1
+ && SSL_get_error (conn, ret) == SSL_ERROR_SYSCALL
+ && errno == EINTR);
+
+- return ret;
++ args->retval = ret;
++}
++
++static int
++openssl_read (int fd, char *buf, int bufsize, void *arg)
++{
++ struct openssl_read_args args;
++ args.fd = fd;
++ args.buf = buf;
++ args.bufsize = bufsize;
++ args.ctx = (struct openssl_transport_context*) arg;
++
++ if (run_with_timeout(opt.read_timeout, openssl_read_callback, &args)) {
++ return -1;
++ }
++
++ return args.retval;
+ }
+
+ static int
+@@ -384,6 +412,18 @@ static struct transport_implementation o
+ openssl_peek, openssl_errstr, openssl_close
+ };
+
++struct scwt_context {
++ SSL *ssl;
++ int result;
++};
++
++static void
++ssl_connect_with_timeout_callback(void *arg)
++{
++ struct scwt_context *ctx = (struct scwt_context *)arg;
++ ctx->result = SSL_connect(ctx->ssl);
++}
++
+ /* Perform the SSL handshake on file descriptor FD, which is assumed
+ to be connected to an SSL server. The SSL handle provided by
+ OpenSSL is registered with the file descriptor FD using
+@@ -396,6 +436,7 @@ bool
+ ssl_connect_wget (int fd)
+ {
+ SSL *conn;
++ struct scwt_context scwt_ctx;
+ struct openssl_transport_context *ctx;
+
+ DEBUGP (("Initiating SSL handshake.\n"));
+@@ -410,7 +451,14 @@ ssl_connect_wget (int fd)
+ if (!SSL_set_fd (conn, FD_TO_SOCKET (fd)))
+ goto error;
+ SSL_set_connect_state (conn);
+- if (SSL_connect (conn) <= 0 || conn->state != SSL_ST_OK)
++
++ scwt_ctx.ssl = conn;
++ if (run_with_timeout(opt.read_timeout, ssl_connect_with_timeout_callback,
++ &scwt_ctx)) {
++ DEBUGP (("SSL handshake timed out.\n"));
++ goto timeout;
++ }
++ if (scwt_ctx.result <= 0 || conn->state != SSL_ST_OK)
+ goto error;
+
+ ctx = xnew0 (struct openssl_transport_context);
+@@ -426,6 +474,7 @@ ssl_connect_wget (int fd)
+ error:
+ DEBUGP (("SSL handshake failed.\n"));
+ print_errors ();
++ timeout:
+ if (conn)
+ SSL_free (conn);
+ return false;
diff --git a/wget.spec b/wget.spec
index 1f89a09..da8f004 100644
--- a/wget.spec
+++ b/wget.spec
@@ -1,13 +1,14 @@
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Name: wget
 Version: 1.13.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 Group: Applications/Internet
 Url: http://www.gnu.org/software/wget/
 Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.bz2
 Patch1: wget-rh-modified.patch
 Patch2: wget-1.12-path.patch
+Patch3: openssl-1.13.4-sslreadtimeout.patch
 # http://bzr.savannah.gnu.org/lh/wget/trunk/revision/2317
 #Patch3: wget-1.12-certificate-subjectAltName.patch
@@ -31,7 +32,7 @@ support for Proxy servers, and configurability.
 %setup -q
 %patch1 -p0
 %patch2 -p1
-#%patch3 -p0
+%patch3 -p1 -b .sslreadtimeout
 %build
 if pkg-config openssl ; then
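Review bot: The timeout branch added to `openssl_read` returns -1 without setting errno, so the caller cannot tell a timeout from any other failure; the plain-socket transport reports this condition as ETIMEDOUT, and wget's read-error reporting (outside this hunk) falls back on errno when the OpenSSL error queue is empty, so a stale or zero errno here produces a misleading message. Add `errno = ETIMEDOUT;` before the `return -1;` in `openssl_read` so the SSL path matches the non-SSL one. Separately, `run_with_timeout` (not shown) is presumably the alarm/longjmp-based helper in utils.c; interrupting `SSL_read` or `SSL_connect` that way leaves the SSL object in an undefined state, which is only acceptable because the handshake path discards it via `goto timeout` and a read timeout is followed by closing the connection, so that assumption deserves a comment at both call sites, e.g. `/* Timed out inside OpenSSL: the SSL object is unusable; caller must close it, never retry on it. */`. It is also worth confirming that `run_with_timeout` treats `opt.read_timeout == 0` as "no timeout", since both new call sites pass it unconditionally.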
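Review bot: The new `Patch3:` tag in the spec header sits directly above the still-commented `#Patch3: wget-1.12-certificate-subjectAltName.patch`, so two different patches now share the same number in the file, which is confusing to read and will collide if the subjectAltName patch is ever re-enabled as-is. Either renumber the new entry (`Patch4: openssl-1.13.4-sslreadtimeout.patch` with `%patch4 -p1 -b .sslreadtimeout`) or delete the stale commented lines. The file name also departs from the `wget-<version>-<topic>.patch` convention used by `Patch1`/`Patch2`; `wget-1.13.4-sslreadtimeout.patch` would match and makes clear the patch targets wget, not OpenSSL.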
@@ -68,6 +69,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_infodir}/*
 %changelog
+* Tue May 29 2012 Karsten Hopp 1.13.4-4
+- fix timeout if http server doesn't answer to SSL handshake
+
 * Tue May 15 2012 Karsten Hopp 1.13.4-3
 - add virtual provides per https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries