2008-11-08 Tatsuhiro Tsujikawa <t-tujikawa@users.sourceforge.net>

Introduced TLSContext that holds TLS related data that can be
	shared with multiple SSL connections.
	* src/DownloadEngineFactory.cc
	* src/LibgnutlsTLSContext.cc
	* src/LibgnutlsTLSContext.h
	* src/LibsslTLSContext.cc
	* src/LibsslTLSContext.h
	* src/Makefile.am
	* src/SocketCore.cc
	* src/SocketCore.h
	* src/TLSContext.h
	* src/message.h

ChangeLog

@@ -1,3 +1,18 @@
+2008-11-08  Tatsuhiro Tsujikawa  <t-tujikawa@users.sourceforge.net>
+
+	Introduced TLSContext that holds TLS related data that can be shared
+	with multiple SSL connections.
+	* src/DownloadEngineFactory.cc
+	* src/LibgnutlsTLSContext.cc
+	* src/LibgnutlsTLSContext.h
+	* src/LibsslTLSContext.cc
+	* src/LibsslTLSContext.h
+	* src/Makefile.am
+	* src/SocketCore.cc
+	* src/SocketCore.h
+	* src/TLSContext.h
+	* src/message.h	
+
 2008-11-08  Tatsuhiro Tsujikawa  <t-tujikawa@users.sourceforge.net>
 
 	Fixed the bug that the DiskWriter of the first FileEntry whose

src/DownloadEngineFactory.cc

@@ -54,6 +54,10 @@
 #include "TimedHaltCommand.h"
 #include "DownloadResult.h"
 #include "ServerStatMan.h"
+#ifdef ENABLE_SSL
+# include "SocketCore.h"
+# include "TLSContext.h"
+#endif // ENABLE_SSL
 
 namespace aria2 {
 
@@ -81,6 +85,12 @@ DownloadEngineFactory::newDownloadEngine(Option* op,
 
   DownloadEngineHandle e(new DownloadEngine());
   e->option = op;
+
+#ifdef ENABLE_SSL
+  SharedHandle<TLSContext> tlsContext(new TLSContext());
+  SocketCore::setTLSContext(tlsContext);
+#endif
+
   RequestGroupManHandle
     requestGroupMan(new RequestGroupMan(workingSet, MAX_CONCURRENT_DOWNLOADS,
 					op));

src/LibgnutlsTLSContext.cc

@@ -0,0 +1,109 @@
+/* <!-- copyright */
+/*
+ * aria2 - The high speed download utility
+ *
+ * Copyright (C) 2006 Tatsuhiro Tsujikawa
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ */
+/* copyright --> */
+#include "LibgnutlsTLSContext.h"
+#include "LogFactory.h"
+#include "Logger.h"
+#include "StringFormat.h"
+#include "message.h"
+
+namespace aria2 {
+
+TLSContext::TLSContext():_certCred(0), _logger(LogFactory::getInstance())
+{
+  int r = gnutls_certificate_allocate_credentials(&_certCred);
+  if(r == GNUTLS_E_SUCCESS) {
+    _good = true;
+  } else {
+    _good =false;
+    _logger->error("gnutls_certificate_allocate_credentials() failed."
+		   " Cause: %s", gnutls_strerror(r));
+  }
+}
+
+TLSContext::~TLSContext()
+{
+  if(_certCred) {
+    gnutls_certificate_free_credentials(_certCred);
+  }
+}
+
+bool TLSContext::good() const
+{
+  return _good;
+}
+
+bool TLSContext::bad() const
+{
+  return !_good;
+}
+
+void TLSContext::addClientKeyFile(const std::string& certfile,
+				  const std::string& keyfile)
+  throw(DlAbortEx)
+{
+  int ret = gnutls_certificate_set_x509_key_file(_certCred,
+						 certfile.c_str(),
+						 keyfile.c_str(),
+						 GNUTLS_X509_FMT_PEM);
+  if(ret != GNUTLS_E_SUCCESS) {
+    throw DlAbortEx
+      (StringFormat("Failed to load client certificate from %s and"
+		    " private key from %s. Cause: %s",
+		    certfile.c_str(), keyfile.c_str(),
+		    gnutls_strerror(ret)).str());
+  }
+}
+
+void TLSContext::addTrustedCACertFile(const std::string& certfile)
+  throw(DlAbortEx)
+{
+  int ret = gnutls_certificate_set_x509_trust_file(_certCred,
+						   certfile.c_str(),
+						   GNUTLS_X509_FMT_PEM);
+  if(ret < 0) {
+    throw DlAbortEx
+      (StringFormat
+       (MSG_LOADING_TRUSTED_CA_CERT_FAILED,
+	certfile.c_str(), gnutls_strerror(ret)).str());
+  }
+  _logger->info("%d certificate(s) were imported.", ret);
+}
+
+gnutls_certificate_credentials_t TLSContext::getCertCred() const
+{
+  return _certCred;
+}
+
+} // namespace aria2

src/LibgnutlsTLSContext.h

@@ -0,0 +1,78 @@
+/* <!-- copyright */
+/*
+ * aria2 - The high speed download utility
+ *
+ * Copyright (C) 2006 Tatsuhiro Tsujikawa
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ */
+/* copyright --> */
+#ifndef _D_LIBGNUTLS_TLS_CONTEXT_H_
+#define _D_LIBGNUTLS_TLS_CONTEXT_H_
+
+#include "common.h"
+
+#include <string>
+
+#include <gnutls/gnutls.h>
+
+#include "DlAbortEx.h"
+
+namespace aria2 {
+
+class Logger;
+
+class TLSContext {
+private:
+  gnutls_certificate_credentials_t _certCred;
+
+  bool _good;
+
+  Logger* _logger;
+public:
+  TLSContext();
+
+  ~TLSContext();
+
+  // private key `keyfile' must be decrypted.
+  void addClientKeyFile(const std::string& certfile,
+			const std::string& keyfile) throw(DlAbortEx);
+
+  // certfile can contain multiple certificates.
+  void addTrustedCACertFile(const std::string& certfile) throw(DlAbortEx);
+
+  bool good() const;
+
+  bool bad() const;
+
+  gnutls_certificate_credentials_t getCertCred() const;
+};
+
+} // namespace aria2
+
+#endif // _D_LIBGNUTLS_TLS_CONTEXT_H_

src/LibsslTLSContext.cc

@@ -0,0 +1,109 @@
+/* <!-- copyright */
+/*
+ * aria2 - The high speed download utility
+ *
+ * Copyright (C) 2006 Tatsuhiro Tsujikawa
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ */
+/* copyright --> */
+#include "LibsslTLSContext.h"
+
+#include <openssl/err.h>
+
+#include "LogFactory.h"
+#include "Logger.h"
+#include "StringFormat.h"
+#include "message.h"
+
+namespace aria2 {
+
+TLSContext::TLSContext():_sslCtx(0), _logger(LogFactory::getInstance())
+{
+  _sslCtx = SSL_CTX_new(SSLv23_client_method());
+  if(_sslCtx) {
+    _good = true;
+  } else {
+    _good = false;
+    _logger->error("SSL_CTX_new() failed. Cause: %s",
+		   ERR_error_string(ERR_get_error(), 0));
+  }
+  SSL_CTX_set_mode(_sslCtx, SSL_MODE_AUTO_RETRY);
+}
+
+TLSContext::~TLSContext()
+{
+  SSL_CTX_free(_sslCtx);
+}
+
+bool TLSContext::good() const
+{
+  return _good;
+}
+
+bool TLSContext::bad() const
+{
+  return !_good;
+}
+
+void TLSContext::addClientKeyFile(const std::string& certfile,
+				  const std::string& keyfile)
+  throw(DlAbortEx)
+{
+  if(SSL_CTX_use_PrivateKey_file(_sslCtx, keyfile.c_str(),
+				 SSL_FILETYPE_PEM) != 1) {
+    throw DlAbortEx
+      (StringFormat
+       ("Failed to load client private key from %s. Cause: %s",
+	keyfile.c_str(), ERR_error_string(ERR_get_error(), 0)).str());
+  }
+  if(SSL_CTX_use_certificate_chain_file(_sslCtx, certfile.c_str()) != 1) {
+    throw DlAbortEx
+      (StringFormat
+       ("Failed to load client certificate from %s. Cause: %s",
+	certfile.c_str(), ERR_error_string(ERR_get_error(), 0)).str());
+  }
+}
+
+void TLSContext::addTrustedCACertFile(const std::string& certfile)
+  throw(DlAbortEx)
+{
+  if(SSL_CTX_load_verify_locations(_sslCtx, certfile.c_str(), 0) != 1) {
+    throw DlAbortEx
+      (StringFormat
+       (MSG_LOADING_TRUSTED_CA_CERT_FAILED,
+	certfile.c_str(), ERR_error_string(ERR_get_error(), 0)).str());
+  }
+}
+
+SSL_CTX* TLSContext::getSSLCtx() const
+{
+  return _sslCtx;
+}
+
+} // namespace aria2

src/LibsslTLSContext.h

@@ -0,0 +1,78 @@
+/* <!-- copyright */
+/*
+ * aria2 - The high speed download utility
+ *
+ * Copyright (C) 2006 Tatsuhiro Tsujikawa
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ */
+/* copyright --> */
+#ifndef _D_LIBSSL_TLS_CONTEXT_H_
+#define _D_LIBSSL_TLS_CONTEXT_H_
+
+#include "common.h"
+
+#include <string>
+
+# include <openssl/ssl.h>
+
+#include "DlAbortEx.h"
+
+namespace aria2 {
+
+class Logger;
+
+class TLSContext {
+private:
+  SSL_CTX* _sslCtx;
+
+  bool _good;
+
+  Logger* _logger;
+public:
+  TLSContext();
+
+  ~TLSContext();
+
+  // private key `keyfile' must be decrypted.
+  void addClientKeyFile(const std::string& certfile,
+			const std::string& keyfile) throw(DlAbortEx);
+
+  // certfile can contain multiple certificates.
+  void addTrustedCACertFile(const std::string& certfile) throw(DlAbortEx);
+
+  bool good() const;
+
+  bool bad() const;
+
+  SSL_CTX* getSSLCtx() const;
+};
+
+} // namespace aria2
+
+#endif // _D_LIBSSL_TLS_CONTEXT_H_

src/Makefile.am

@@ -194,6 +194,18 @@ SRCS =  Socket.h\
 	SocketBuffer.cc SocketBuffer.h\
 	OptionHandlerException.cc OptionHandlerException.h
 
+if ENABLE_SSL
+SRCS += TLSContext.h
+endif # ENABLE_SSL
+
+if HAVE_LIBGNUTLS
+SRCS += LibgnutlsTLSContext.cc LibgnutlsTLSContext.h
+endif # HAVE_LIBGNUTLS
+
+if HAVE_LIBSSL
+SRCS += LibsslTLSContext.cc LibsslTLSContext.h
+endif # HAVE_LIBSSL
+
 if HAVE_LIBZ
 SRCS += GZipDecoder.cc GZipDecoder.h
 endif # HAVE_LIBZ

src/Makefile.in

@@ -35,10 +35,13 @@ build_triplet = @build@
 host_triplet = @host@
 target_triplet = @target@
 bin_PROGRAMS = aria2c$(EXEEXT)
-@HAVE_LIBZ_TRUE@am__append_1 = GZipDecoder.cc GZipDecoder.h
-@HAVE_SQLITE3_TRUE@am__append_2 = Sqlite3MozCookieParser.cc Sqlite3MozCookieParser.h
-@ENABLE_ASYNC_DNS_TRUE@am__append_3 = AsyncNameResolver.cc AsyncNameResolver.h
-@ENABLE_MESSAGE_DIGEST_TRUE@am__append_4 = IteratableChunkChecksumValidator.cc IteratableChunkChecksumValidator.h\
+@ENABLE_SSL_TRUE@am__append_1 = TLSContext.h
+@HAVE_LIBGNUTLS_TRUE@am__append_2 = LibgnutlsTLSContext.cc LibgnutlsTLSContext.h
+@HAVE_LIBSSL_TRUE@am__append_3 = LibsslTLSContext.cc LibsslTLSContext.h
+@HAVE_LIBZ_TRUE@am__append_4 = GZipDecoder.cc GZipDecoder.h
+@HAVE_SQLITE3_TRUE@am__append_5 = Sqlite3MozCookieParser.cc Sqlite3MozCookieParser.h
+@ENABLE_ASYNC_DNS_TRUE@am__append_6 = AsyncNameResolver.cc AsyncNameResolver.h
+@ENABLE_MESSAGE_DIGEST_TRUE@am__append_7 = IteratableChunkChecksumValidator.cc IteratableChunkChecksumValidator.h\
 @ENABLE_MESSAGE_DIGEST_TRUE@	IteratableChecksumValidator.cc IteratableChecksumValidator.h\
 @ENABLE_MESSAGE_DIGEST_TRUE@	CheckIntegrityCommand.cc CheckIntegrityCommand.h\
 @ENABLE_MESSAGE_DIGEST_TRUE@	ChecksumCheckIntegrityEntry.cc ChecksumCheckIntegrityEntry.h\
@@ -47,7 +50,7 @@ bin_PROGRAMS = aria2c$(EXEEXT)
 @ENABLE_MESSAGE_DIGEST_TRUE@	Checksum.h\
 @ENABLE_MESSAGE_DIGEST_TRUE@	ChunkChecksum.h
 
-@ENABLE_BITTORRENT_TRUE@am__append_5 = MetaEntry.h\
+@ENABLE_BITTORRENT_TRUE@am__append_8 = MetaEntry.h\
 @ENABLE_BITTORRENT_TRUE@	Data.cc Data.h\
 @ENABLE_BITTORRENT_TRUE@	Dictionary.cc Dictionary.h\
 @ENABLE_BITTORRENT_TRUE@	List.cc List.h\
@@ -223,7 +226,7 @@ bin_PROGRAMS = aria2c$(EXEEXT)
 @ENABLE_BITTORRENT_TRUE@	BtLeecherStateChoke.cc BtLeecherStateChoke.h\
 @ENABLE_BITTORRENT_TRUE@	BtSeederStateChoke.cc BtSeederStateChoke.h
 
-@ENABLE_METALINK_TRUE@am__append_6 = Metalinker.cc Metalinker.h\
+@ENABLE_METALINK_TRUE@am__append_9 = Metalinker.cc Metalinker.h\
 @ENABLE_METALINK_TRUE@	MetalinkEntry.cc MetalinkEntry.h\
 @ENABLE_METALINK_TRUE@	MetalinkResource.cc MetalinkResource.h\
 @ENABLE_METALINK_TRUE@	MetalinkProcessor.h\
@@ -252,17 +255,17 @@ bin_PROGRAMS = aria2c$(EXEEXT)
 @ENABLE_METALINK_TRUE@	MetalinkPostDownloadHandler.cc MetalinkPostDownloadHandler.h\
 @ENABLE_METALINK_TRUE@	MetalinkHelper.cc MetalinkHelper.h
 
-@ENABLE_LIBXML2_TRUE@am__append_7 = XML2SAXMetalinkProcessor.cc XML2SAXMetalinkProcessor.h
-@ENABLE_LIBEXPAT_TRUE@am__append_8 = ExpatMetalinkProcessor.cc ExpatMetalinkProcessor.h
-@HAVE_ASCTIME_R_FALSE@am__append_9 = asctime_r.c asctime_r.h
-@HAVE_BASENAME_FALSE@am__append_10 = libgen.c libgen.h
-@HAVE_GETADDRINFO_FALSE@am__append_11 = getaddrinfo.c getaddrinfo.h
-@HAVE_GAI_STRERROR_FALSE@am__append_12 = gai_strerror.c gai_strerror.h
-@HAVE_GETTIMEOFDAY_FALSE@am__append_13 = gettimeofday.c gettimeofday.h
-@HAVE_INET_ATON_FALSE@am__append_14 = inet_aton.c inet_aton.h
-@HAVE_LOCALTIME_R_FALSE@am__append_15 = localtime_r.c localtime_r.h
-@HAVE_STRPTIME_FALSE@am__append_16 = strptime.c strptime.h
-@HAVE_TIMEGM_FALSE@am__append_17 = timegm.c timegm.h
+@ENABLE_LIBXML2_TRUE@am__append_10 = XML2SAXMetalinkProcessor.cc XML2SAXMetalinkProcessor.h
+@ENABLE_LIBEXPAT_TRUE@am__append_11 = ExpatMetalinkProcessor.cc ExpatMetalinkProcessor.h
+@HAVE_ASCTIME_R_FALSE@am__append_12 = asctime_r.c asctime_r.h
+@HAVE_BASENAME_FALSE@am__append_13 = libgen.c libgen.h
+@HAVE_GETADDRINFO_FALSE@am__append_14 = getaddrinfo.c getaddrinfo.h
+@HAVE_GAI_STRERROR_FALSE@am__append_15 = gai_strerror.c gai_strerror.h
+@HAVE_GETTIMEOFDAY_FALSE@am__append_16 = gettimeofday.c gettimeofday.h
+@HAVE_INET_ATON_FALSE@am__append_17 = inet_aton.c inet_aton.h
+@HAVE_LOCALTIME_R_FALSE@am__append_18 = localtime_r.c localtime_r.h
+@HAVE_STRPTIME_FALSE@am__append_19 = strptime.c strptime.h
+@HAVE_TIMEGM_FALSE@am__append_20 = timegm.c timegm.h
 subdir = src
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in alloca.c
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -415,10 +418,11 @@ am__libaria2c_a_SOURCES_DIST = Socket.h SocketCore.cc SocketCore.h \
 	ServerStatURISelector.h NsCookieParser.cc NsCookieParser.h \
 	CookieStorage.cc CookieStorage.h SocketBuffer.cc \
 	SocketBuffer.h OptionHandlerException.cc \
-	OptionHandlerException.h GZipDecoder.cc GZipDecoder.h \
-	Sqlite3MozCookieParser.cc Sqlite3MozCookieParser.h \
-	AsyncNameResolver.cc AsyncNameResolver.h \
-	IteratableChunkChecksumValidator.cc \
+	OptionHandlerException.h TLSContext.h LibgnutlsTLSContext.cc \
+	LibgnutlsTLSContext.h LibsslTLSContext.cc LibsslTLSContext.h \
+	GZipDecoder.cc GZipDecoder.h Sqlite3MozCookieParser.cc \
+	Sqlite3MozCookieParser.h AsyncNameResolver.cc \
+	AsyncNameResolver.h IteratableChunkChecksumValidator.cc \
 	IteratableChunkChecksumValidator.h \
 	IteratableChecksumValidator.cc IteratableChecksumValidator.h \
 	CheckIntegrityCommand.cc CheckIntegrityCommand.h \
@@ -574,16 +578,19 @@ am__libaria2c_a_SOURCES_DIST = Socket.h SocketCore.cc SocketCore.h \
 	gai_strerror.h gettimeofday.c gettimeofday.h inet_aton.c \
 	inet_aton.h localtime_r.c localtime_r.h strptime.c strptime.h \
 	timegm.c timegm.h
-@HAVE_LIBZ_TRUE@am__objects_1 = GZipDecoder.$(OBJEXT)
-@HAVE_SQLITE3_TRUE@am__objects_2 = Sqlite3MozCookieParser.$(OBJEXT)
-@ENABLE_ASYNC_DNS_TRUE@am__objects_3 = AsyncNameResolver.$(OBJEXT)
-@ENABLE_MESSAGE_DIGEST_TRUE@am__objects_4 = IteratableChunkChecksumValidator.$(OBJEXT) \
+am__objects_1 =
+@HAVE_LIBGNUTLS_TRUE@am__objects_2 = LibgnutlsTLSContext.$(OBJEXT)
+@HAVE_LIBSSL_TRUE@am__objects_3 = LibsslTLSContext.$(OBJEXT)
+@HAVE_LIBZ_TRUE@am__objects_4 = GZipDecoder.$(OBJEXT)
+@HAVE_SQLITE3_TRUE@am__objects_5 = Sqlite3MozCookieParser.$(OBJEXT)
+@ENABLE_ASYNC_DNS_TRUE@am__objects_6 = AsyncNameResolver.$(OBJEXT)
+@ENABLE_MESSAGE_DIGEST_TRUE@am__objects_7 = IteratableChunkChecksumValidator.$(OBJEXT) \
 @ENABLE_MESSAGE_DIGEST_TRUE@	IteratableChecksumValidator.$(OBJEXT) \
 @ENABLE_MESSAGE_DIGEST_TRUE@	CheckIntegrityCommand.$(OBJEXT) \
 @ENABLE_MESSAGE_DIGEST_TRUE@	ChecksumCheckIntegrityEntry.$(OBJEXT) \
 @ENABLE_MESSAGE_DIGEST_TRUE@	messageDigest.$(OBJEXT) \
 @ENABLE_MESSAGE_DIGEST_TRUE@	MessageDigestHelper.$(OBJEXT)
-@ENABLE_BITTORRENT_TRUE@am__objects_5 = Data.$(OBJEXT) \
+@ENABLE_BITTORRENT_TRUE@am__objects_8 = Data.$(OBJEXT) \
 @ENABLE_BITTORRENT_TRUE@	Dictionary.$(OBJEXT) List.$(OBJEXT) \
 @ENABLE_BITTORRENT_TRUE@	MetaFileUtil.$(OBJEXT) \
 @ENABLE_BITTORRENT_TRUE@	BencodeVisitor.$(OBJEXT) \
@@ -695,7 +702,7 @@ am__libaria2c_a_SOURCES_DIST = Socket.h SocketCore.cc SocketCore.h \
 @ENABLE_BITTORRENT_TRUE@	MSEHandshake.$(OBJEXT) \
 @ENABLE_BITTORRENT_TRUE@	BtLeecherStateChoke.$(OBJEXT) \
 @ENABLE_BITTORRENT_TRUE@	BtSeederStateChoke.$(OBJEXT)
-@ENABLE_METALINK_TRUE@am__objects_6 = Metalinker.$(OBJEXT) \
+@ENABLE_METALINK_TRUE@am__objects_9 = Metalinker.$(OBJEXT) \
 @ENABLE_METALINK_TRUE@	MetalinkEntry.$(OBJEXT) \
 @ENABLE_METALINK_TRUE@	MetalinkResource.$(OBJEXT) \
 @ENABLE_METALINK_TRUE@	MetalinkProcessorFactory.$(OBJEXT) \
@@ -721,20 +728,20 @@ am__libaria2c_a_SOURCES_DIST = Socket.h SocketCore.cc SocketCore.h \
 @ENABLE_METALINK_TRUE@	Metalink2RequestGroup.$(OBJEXT) \
 @ENABLE_METALINK_TRUE@	MetalinkPostDownloadHandler.$(OBJEXT) \
 @ENABLE_METALINK_TRUE@	MetalinkHelper.$(OBJEXT)
-@ENABLE_LIBXML2_TRUE@am__objects_7 =  \
+@ENABLE_LIBXML2_TRUE@am__objects_10 =  \
 @ENABLE_LIBXML2_TRUE@	XML2SAXMetalinkProcessor.$(OBJEXT)
-@ENABLE_LIBEXPAT_TRUE@am__objects_8 =  \
+@ENABLE_LIBEXPAT_TRUE@am__objects_11 =  \
 @ENABLE_LIBEXPAT_TRUE@	ExpatMetalinkProcessor.$(OBJEXT)
-@HAVE_ASCTIME_R_FALSE@am__objects_9 = asctime_r.$(OBJEXT)
-@HAVE_BASENAME_FALSE@am__objects_10 = libgen.$(OBJEXT)
-@HAVE_GETADDRINFO_FALSE@am__objects_11 = getaddrinfo.$(OBJEXT)
-@HAVE_GAI_STRERROR_FALSE@am__objects_12 = gai_strerror.$(OBJEXT)
-@HAVE_GETTIMEOFDAY_FALSE@am__objects_13 = gettimeofday.$(OBJEXT)
-@HAVE_INET_ATON_FALSE@am__objects_14 = inet_aton.$(OBJEXT)
-@HAVE_LOCALTIME_R_FALSE@am__objects_15 = localtime_r.$(OBJEXT)
-@HAVE_STRPTIME_FALSE@am__objects_16 = strptime.$(OBJEXT)
-@HAVE_TIMEGM_FALSE@am__objects_17 = timegm.$(OBJEXT)
-am__objects_18 = SocketCore.$(OBJEXT) Command.$(OBJEXT) \
+@HAVE_ASCTIME_R_FALSE@am__objects_12 = asctime_r.$(OBJEXT)
+@HAVE_BASENAME_FALSE@am__objects_13 = libgen.$(OBJEXT)
+@HAVE_GETADDRINFO_FALSE@am__objects_14 = getaddrinfo.$(OBJEXT)
+@HAVE_GAI_STRERROR_FALSE@am__objects_15 = gai_strerror.$(OBJEXT)
+@HAVE_GETTIMEOFDAY_FALSE@am__objects_16 = gettimeofday.$(OBJEXT)
+@HAVE_INET_ATON_FALSE@am__objects_17 = inet_aton.$(OBJEXT)
+@HAVE_LOCALTIME_R_FALSE@am__objects_18 = localtime_r.$(OBJEXT)
+@HAVE_STRPTIME_FALSE@am__objects_19 = strptime.$(OBJEXT)
+@HAVE_TIMEGM_FALSE@am__objects_20 = timegm.$(OBJEXT)
+am__objects_21 = SocketCore.$(OBJEXT) Command.$(OBJEXT) \
 	AbstractCommand.$(OBJEXT) \
 	InitiateConnectionCommandFactory.$(OBJEXT) \
 	DownloadCommand.$(OBJEXT) \
@@ -813,8 +820,9 @@ am__objects_18 = SocketCore.$(OBJEXT) Command.$(OBJEXT) \
 	$(am__objects_8) $(am__objects_9) $(am__objects_10) \
 	$(am__objects_11) $(am__objects_12) $(am__objects_13) \
 	$(am__objects_14) $(am__objects_15) $(am__objects_16) \
-	$(am__objects_17)
-am_libaria2c_a_OBJECTS = $(am__objects_18)
+	$(am__objects_17) $(am__objects_18) $(am__objects_19) \
+	$(am__objects_20)
+am_libaria2c_a_OBJECTS = $(am__objects_21)
 libaria2c_a_OBJECTS = $(am_libaria2c_a_OBJECTS)
 am__installdirs = "$(DESTDIR)$(bindir)"
 binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
@@ -1142,7 +1150,8 @@ SRCS = Socket.h SocketCore.cc SocketCore.h BinaryStream.h Command.cc \
 	$(am__append_6) $(am__append_7) $(am__append_8) \
 	$(am__append_9) $(am__append_10) $(am__append_11) \
 	$(am__append_12) $(am__append_13) $(am__append_14) \
-	$(am__append_15) $(am__append_16) $(am__append_17)
+	$(am__append_15) $(am__append_16) $(am__append_17) \
+	$(am__append_18) $(am__append_19) $(am__append_20)
 noinst_LIBRARIES = libaria2c.a
 libaria2c_a_SOURCES = $(SRCS)
 aria2c_LDADD = libaria2c.a @LIBINTL@ @ALLOCA@ @LIBGNUTLS_LIBS@\
@@ -1416,6 +1425,8 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/IteratableChecksumValidator.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/IteratableChunkChecksumValidator.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/LanguageMetalinkParserState.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/LibgnutlsTLSContext.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/LibsslTLSContext.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/List.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/LogFactory.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/MSEHandshake.Po@am__quote@

src/SocketCore.cc

@@ -46,6 +46,9 @@
 #include "StringFormat.h"
 #include "Util.h"
 #include "LogFactory.h"
+#ifdef ENABLE_SSL
+# include "TLSContext.h"
+#endif // ENABLE_SSL
 
 #ifndef __MINGW32__
 # define SOCKET_ERRNO (errno)
@@ -67,6 +70,8 @@
 
 namespace aria2 {
 
+SharedHandle<TLSContext> SocketCore::_tlsContext;
+
 SocketCore::SocketCore(int sockType):_sockType(sockType), sockfd(-1)  {
   init();
 }
@@ -92,12 +97,10 @@ void SocketCore::init()
 
 #ifdef HAVE_LIBSSL
   // for SSL
-  sslCtx = NULL;
   ssl = NULL;
 #endif // HAVE_LIBSSL
 #ifdef HAVE_LIBGNUTLS
   sslSession = NULL;
-  sslXcred = NULL;
   peekBufMax = 4096;
   peekBuf = 0;
   peekBufLength = 0;
@@ -318,13 +321,11 @@ void SocketCore::closeConnection()
   // for SSL
   if(secure) {
     SSL_free(ssl);
-    SSL_CTX_free(sslCtx);
   }
 #endif // HAVE_LIBSSL
 #ifdef HAVE_LIBGNUTLS
   if(secure) {
     gnutls_deinit(sslSession);
-    gnutls_certificate_free_credentials(sslXcred);
   }
 #endif // HAVE_LIBGNUTLS
 }
@@ -710,16 +711,9 @@ void SocketCore::prepareSecureConnection()
 {
   if(!secure) {
 #ifdef HAVE_LIBSSL
-  // for SSL
-    sslCtx = SSL_CTX_new(SSLv23_client_method());
-    if(sslCtx == NULL) {
-      throw DlAbortEx
-	(StringFormat(EX_SSL_INIT_FAILURE,
-		      ERR_error_string(ERR_get_error(), 0)).str());
-    }
-    SSL_CTX_set_mode(sslCtx, SSL_MODE_AUTO_RETRY);
-    ssl = SSL_new(sslCtx);
-    if(ssl == NULL) {
+    // for SSL
+    ssl = SSL_new(_tlsContext->getSSLCtx());
+    if(!ssl) {
       throw DlAbortEx
 	(StringFormat(EX_SSL_INIT_FAILURE,
 		      ERR_error_string(ERR_get_error(), 0)).str());
@@ -736,12 +730,12 @@ void SocketCore::prepareSecureConnection()
     };
     // while we do not support X509 certificate, most web servers require
     // X509 stuff.
-    gnutls_certificate_allocate_credentials (&sslXcred);
     gnutls_init(&sslSession, GNUTLS_CLIENT);
     gnutls_set_default_priority(sslSession);
     gnutls_kx_set_priority(sslSession, cert_type_priority);
     // put the x509 credentials to the current session
-    gnutls_credentials_set(sslSession, GNUTLS_CRD_CERTIFICATE, sslXcred);
+    gnutls_credentials_set(sslSession, GNUTLS_CRD_CERTIFICATE,
+			   _tlsContext->getCertCred());
     gnutls_transport_set_ptr(sslSession, (gnutls_transport_ptr_t)sockfd);
 #endif // HAVE_LIBGNUTLS
     secure = 1;
@@ -928,4 +922,9 @@ bool SocketCore::wantWrite() const
   return _wantWrite;
 }
 
+void SocketCore::setTLSContext(const SharedHandle<TLSContext>& tlsContext)
+{
+  _tlsContext = tlsContext;
+}
+
 } // namespace aria2

src/SocketCore.h

@@ -54,12 +54,15 @@
 # include <gnutls/gnutls.h>
 #endif // HAVE_LIBGNUTLS
 
+#include "SharedHandle.h"
 #include "a2io.h"
 #include "a2netcompat.h"
 #include "a2time.h"
 
 namespace aria2 {
 
+class TLSContext;
+
 class SocketCore {
   friend bool operator==(const SocketCore& s1, const SocketCore& s2);
   friend bool operator!=(const SocketCore& s1, const SocketCore& s2);
@@ -85,16 +88,18 @@ private:
   bool _wantRead;
   bool _wantWrite;
 
+#if ENABLE_SSL
+  static SharedHandle<TLSContext> _tlsContext;
+#endif
+
 #ifdef HAVE_LIBSSL
   // for SSL
-  SSL_CTX* sslCtx;
   SSL* ssl;
 
   int sslHandleEAGAIN(int ret);
 #endif // HAVE_LIBSSL
 #ifdef HAVE_LIBGNUTLS
   gnutls_session_t sslSession;
-  gnutls_certificate_credentials_t sslXcred;
   char* peekBuf;
   size_t peekBufLength;
   size_t peekBufMax;
@@ -317,6 +322,8 @@ public:
    * readData() or writeData() and the socket needs to write more data.
    */
   bool wantWrite() const;
+
+  static void setTLSContext(const SharedHandle<TLSContext>& tlsContext);
 };
 
 } // namespace aria2

src/TLSContext.h

@@ -0,0 +1,46 @@
+/* <!-- copyright */
+/*
+ * aria2 - The high speed download utility
+ *
+ * Copyright (C) 2006 Tatsuhiro Tsujikawa
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * In addition, as a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL.  If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so.  If you
+ * do not wish to do so, delete this exception statement from your
+ * version.  If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+ */
+/* copyright --> */
+#ifndef _D_TLS_CONTEXT_H_
+#define _D_TLS_CONTEXT_H_
+
+#include "common.h"
+
+#ifdef HAVE_LIBSSL
+# include "LibsslTLSContext.h"
+#elif HAVE_LIBGNUTLS
+# include "LibgnutlsTLSContext.h"
+#endif // HAVE_LIBGNUTLS
+
+#endif // _D_TLS_CONTEXT_H_

src/message.h

@@ -157,6 +157,8 @@
 #define MSG_ESTABLISHING_CONNECTION_FAILED \
   _("Failed to establish connection, cause: %s")
 #define MSG_NETWORK_PROBLEM _("Network problem has occurred. cause:%s")
+#define MSG_LOADING_TRUSTED_CA_CERT_FAILED \
+  _("Failed to load trusted CA certificates from %s. Cause: %s")
 
 #define EX_TIME_OUT _("Timeout.")
 #define EX_INVALID_CHUNK_SIZE _("Invalid chunk size.")