File csync2-1.34-gnutls.patch of Package csync2
Fixes build with >=net-libs/gnutls-2.7.1 http://bugs.gentoo.org/show_bug.cgi?id=274213
--- conn.c
+++ conn.c
@@ -32,7 +32,7 @@
 #ifdef HAVE_LIBGNUTLS_OPENSSL
 # include <gnutls/gnutls.h>
-# include <gnutls/openssl.h>
+# include <gnutls/x509.h>
 #endif
 int conn_fd_in = -1;
@@ -42,9 +42,8 @@
 #ifdef HAVE_LIBGNUTLS_OPENSSL
 int csync_conn_usessl = 0;
-SSL_METHOD *conn_ssl_meth;
-SSL_CTX *conn_ssl_ctx;
-SSL *conn_ssl;
+static gnutls_session_t conn_tls_session;
+static gnutls_certificate_credentials_t conn_x509_cred;
 #endif
 int conn_open(const char *peername)
@@ -112,41 +111,104 @@
 #ifdef HAVE_LIBGNUTLS_OPENSSL
-char *ssl_keyfile = ETCDIR "/csync2_ssl_key.pem";
-char *ssl_certfile = ETCDIR "/csync2_ssl_cert.pem";
+static void ssl_log(int level, const char* msg)
+{ csync_debug(level, "%s", msg); }
+
+static const char *ssl_keyfile = ETCDIR "/csync2_ssl_key.pem";
+static const char *ssl_certfile = ETCDIR "/csync2_ssl_cert.pem";
 int conn_activate_ssl(int server_role)
 {
- static int sslinit = 0;
+ gnutls_alert_description_t alrt;
+ int err;
 if (csync_conn_usessl)
 return 0;
- if (!sslinit) {
- SSL_load_error_strings();
- SSL_library_init();
- sslinit=1;
+ gnutls_global_init();
+ gnutls_global_set_log_function(ssl_log);
+ gnutls_global_set_log_level(10);
+
+ gnutls_certificate_allocate_credentials(&conn_x509_cred);
+
+ err = gnutls_certificate_set_x509_key_file(conn_x509_cred, ssl_certfile, ssl_keyfile, GNUTLS_X509_FMT_PEM);
+ if(err != GNUTLS_E_SUCCESS) {
+ gnutls_certificate_free_credentials(conn_x509_cred);
+ gnutls_global_deinit();
+
+ csync_fatal(
+ "SSL: failed to use key file %s and/or certificate file %s: %s (%s)\n",
+ ssl_keyfile,
+ ssl_certfile,
+ gnutls_strerror(err),
+ gnutls_strerror_name(err)
+ );
 }
- conn_ssl_meth = (server_role ? SSLv23_server_method : SSLv23_client_method)();
- conn_ssl_ctx = SSL_CTX_new(conn_ssl_meth);
-
- if (SSL_CTX_use_PrivateKey_file(conn_ssl_ctx, ssl_keyfile, SSL_FILETYPE_PEM) <= 0)
- csync_fatal("SSL: failed to use key file %s.\n", ssl_keyfile);
-
- if (SSL_CTX_use_certificate_file(conn_ssl_ctx, ssl_certfile, SSL_FILETYPE_PEM) <= 0)
- csync_fatal("SSL: failed to use certificate file %s.\n", ssl_certfile);
+ if(server_role) {
+ gnutls_certificate_free_cas(conn_x509_cred);
- if (! (conn_ssl = SSL_new(conn_ssl_ctx)) )
- csync_fatal("Creating a new SSL handle failed.\n");
-
- gnutls_certificate_server_set_request(conn_ssl->gnutls_state, GNUTLS_CERT_REQUIRE);
+ if(gnutls_certificate_set_x509_trust_file(conn_x509_cred, ssl_certfile, GNUTLS_X509_FMT_PEM) < 1) {
+ gnutls_certificate_free_credentials(conn_x509_cred);
+ gnutls_global_deinit();
+
+ csync_fatal(
+ "SSL: failed to use certificate file %s as CA.\n",
+ ssl_certfile
+ );
+ }
+ } else
+ gnutls_certificate_free_ca_names(conn_x509_cred);
- SSL_set_rfd(conn_ssl, conn_fd_in);
- SSL_set_wfd(conn_ssl, conn_fd_out);
+ gnutls_init(&conn_tls_session, (server_role ? GNUTLS_SERVER : GNUTLS_CLIENT));
+ gnutls_priority_set_direct(conn_tls_session, "PERFORMANCE", NULL);
+ gnutls_credentials_set(conn_tls_session, GNUTLS_CRD_CERTIFICATE, conn_x509_cred);
+
+ if(server_role) {
+ gnutls_certificate_send_x509_rdn_sequence(conn_tls_session, 0);
+ gnutls_certificate_server_set_request(conn_tls_session, GNUTLS_CERT_REQUIRE);
+ }
- if ( (server_role ? SSL_accept : SSL_connect)(conn_ssl) < 1 )
- csync_fatal("Establishing SSL connection failed.\n");
+ gnutls_transport_set_ptr2(
+ conn_tls_session,
+ (gnutls_transport_ptr_t)conn_fd_in,
+ (gnutls_transport_ptr_t)conn_fd_out
+ );
+
+ err = gnutls_handshake(conn_tls_session);
+ switch(err) {
+ case GNUTLS_E_SUCCESS:
+ break;
+
+ case GNUTLS_E_WARNING_ALERT_RECEIVED:
+ alrt = gnutls_alert_get(conn_tls_session);
+ fprintf(
+ csync_debug_out,
+ "SSL: warning alert received from peer: %d (%s).\n",
+ alrt, gnutls_alert_get_name(alrt)
+ );
+ break;
+
+ case GNUTLS_E_FATAL_ALERT_RECEIVED:
+ alrt = gnutls_alert_get(conn_tls_session);
+ fprintf(
+ csync_debug_out,
+ "SSL: fatal alert received from peer: %d (%s).\n",
+ alrt, gnutls_alert_get_name(alrt)
+ );
+
+ default:
+ gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
+ gnutls_deinit(conn_tls_session);
+ gnutls_certificate_free_credentials(conn_x509_cred);
+ gnutls_global_deinit();
+
+ csync_fatal(
+ "SSL: handshake failed: %s (%s)\n",
+ gnutls_strerror(err),
+ gnutls_strerror_name(err)
+ );
+ }
 csync_conn_usessl = 1;
@@ -155,15 +217,15 @@
 int conn_check_peer_cert(const char *peername, int callfatal)
 {
- const X509 *peercert;
+ const gnutls_datum_t *peercerts;
+ unsigned npeercerts;
 int i, cert_is_ok = -1;
 if (!csync_conn_usessl)
 return 1;
- peercert = SSL_get_peer_certificate(conn_ssl);
-
- if (!peercert || peercert->size <= 0) {
+ peercerts = gnutls_certificate_get_peers(conn_tls_session, &npeercerts);
+ if(peercerts == NULL || npeercerts == 0) {
 if (callfatal)
 csync_fatal("Peer did not provide an SSL X509 cetrificate.\n");
 csync_debug(1, "Peer did not provide an SSL X509 cetrificate.\n");
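Review bot: The `switch(err)` after `gnutls_handshake()` treats `GNUTLS_E_WARNING_ALERT_RECEIVED` as success: that case logs the alert, `break`s out of the switch and reaches `csync_conn_usessl = 1;`, but GnuTLS returns this code (like `GNUTLS_E_AGAIN` and `GNUTLS_E_INTERRUPTED`) while the handshake is still incomplete and expects the caller to invoke `gnutls_handshake()` again as long as `gnutls_error_is_fatal(err) == 0`, so records could be sent on a session whose handshake never finished. The `GNUTLS_E_FATAL_ALERT_RECEIVED` case also falls through into `default` on purpose without a `/* fallthrough */` marker. The retry loop below replaces the switch and keeps the existing teardown and `csync_fatal()` path. The return values of `gnutls_init()`, `gnutls_priority_set_direct()` and `gnutls_credentials_set()` in the same hunk are discarded; checking them the way the key-file call is checked would stop a misconfigured session before it reaches the handshake.
```c
	/* … unchanged: credentials, gnutls_init, priority, transport setup … */
	do {
		err = gnutls_handshake(conn_tls_session);
		if (err == GNUTLS_E_WARNING_ALERT_RECEIVED) {
			alrt = gnutls_alert_get(conn_tls_session);
			fprintf(csync_debug_out,
				"SSL: warning alert received from peer: %d (%s).\n",
				alrt, gnutls_alert_get_name(alrt));
		}
	} while (err < 0 && gnutls_error_is_fatal(err) == 0);

	if (err != GNUTLS_E_SUCCESS) {
		if (err == GNUTLS_E_FATAL_ALERT_RECEIVED) {
			alrt = gnutls_alert_get(conn_tls_session);
			fprintf(csync_debug_out,
				"SSL: fatal alert received from peer: %d (%s).\n",
				alrt, gnutls_alert_get_name(alrt));
		}
		/* … unchanged: gnutls_bye/gnutls_deinit/free credentials/global_deinit and csync_fatal() … */
	}

	csync_conn_usessl = 1;
```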
@@ -171,11 +233,11 @@
 }
 {
- char certdata[peercert->size*2 + 1];
+ char certdata[2*peercerts[0].size + 1];
- for (i=0; i<peercert->size; i++)
- sprintf(certdata+i*2, "%02X", peercert->data[i]);
- certdata[peercert->size*2] = 0;
+ for (i=0; i<peercerts[0].size; i++)
+ sprintf(&certdata[2*i], "%02X", peercerts[0].data[i]);
+ certdata[2*i] = 0;
 SQL_BEGIN("Checking peer x509 certificate.", "SELECT certdata FROM x509_cert WHERE peername = '%s'",
@@ -222,7 +284,12 @@
 if ( !conn_clisok ) return -1;
 #ifdef HAVE_LIBGNUTLS_OPENSSL
- if ( csync_conn_usessl ) SSL_free(conn_ssl);
+ if ( csync_conn_usessl ) {
+ gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
+ gnutls_deinit(conn_tls_session);
+ gnutls_certificate_free_credentials(conn_x509_cred);
+ gnutls_global_deinit();
+ }
 #endif
 if ( conn_fd_in != conn_fd_out) close(conn_fd_in);
@@ -239,7 +306,7 @@
 {
 #ifdef HAVE_LIBGNUTLS_OPENSSL
 if (csync_conn_usessl)
- return SSL_read(conn_ssl, buf, count);
+ return gnutls_record_recv(conn_tls_session, buf, count);
 else
 #endif
 return read(conn_fd_in, buf, count);
@@ -251,7 +318,7 @@
 #ifdef HAVE_LIBGNUTLS_OPENSSL
 if (csync_conn_usessl)
- return SSL_write(conn_ssl, buf, count);
+ return gnutls_record_send(conn_tls_session, buf, count);
 else
 #endif
 {
--- configure.ac
+++ configure.ac
@@ -17,11 +17,10 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 # Process this file with autoconf to produce a configure script.
-AC_INIT(csync2, 1.34, clifford@clifford.at)
+AC_INIT([csync2], [1.34], clifford@clifford.at)
 AM_INIT_AUTOMAKE
 AC_CONFIG_SRCDIR(csync2.c)
-AM_CONFIG_HEADER(config.h)
 # Use /etc and /var instead of $prefix/...
 test "$localstatedir" = '${prefix}/var' && localstatedir=/var
@@ -32,6 +31,7 @@
 AC_PROG_INSTALL
 AC_PROG_YACC
 AM_PROG_LEX
+PKG_PROG_PKG_CONFIG
 # Check for librsync.
 AC_ARG_WITH([librsync-source],
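Review bot: In the `conn_close` hunk at -222, after `gnutls_deinit(conn_tls_session)` and `gnutls_certificate_free_credentials(conn_x509_cred)` the block leaves `csync_conn_usessl` set and both static handles dangling; unless the rest of `conn_close()` (outside the hunk) clears the flag, a later `conn_read()`/`conn_write()` or a second `conn_activate_ssl()`, which returns early on `csync_conn_usessl`, would operate on freed GnuTLS state. Adding `csync_conn_usessl = 0;` and `conn_tls_session = NULL;` inside the block after `gnutls_deinit()` makes the teardown self-contained. The result of `gnutls_bye()` is ignored, which is acceptable on teardown but deserves a comment, `/* best-effort close_notify; failures are ignored while tearing down */`, since it can return non-fatal codes on a non-blocking descriptor.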
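Review bot: In the `conn_read` hunk at -239 (and likewise `conn_write` at -251), `gnutls_record_recv()`/`gnutls_record_send()` do not follow `read(2)` semantics: on failure they return a negative GnuTLS error code rather than -1 with `errno`, and `GNUTLS_E_AGAIN`, `GNUTLS_E_INTERRUPTED` and `GNUTLS_E_REHANDSHAKE` are non-fatal conditions the caller is expected to retry or handle. Callers that test for `-1` or consult `errno` (outside the hunk) would misreport these as I/O failures. A comment on each call, `/* negative result is a GnuTLS error code, not errno; non-fatal codes should be retried */`, or a small loop around the call while `gnutls_error_is_fatal(ret) == 0`, would make the changed contract visible. Both enclosing functions begin before their hunks.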
@@ -58,19 +58,10 @@
 if test "$enable_gnutls" != no
 then
-
- # Check for gnuTLS.
- AM_PATH_LIBGNUTLS(1.0.0, , [ AC_MSG_ERROR([[gnutls not found; install gnutls, gnutls-openssl and libtasn1 packages for your system or run configure with --disable-gnutls]]) ])
-
- # This is a bloody hack for fedora core
- CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
- LIBS="$LIBS $LIBGNUTLS_LIBS -ltasn1"
-
- # Check gnuTLS SSL compatibility lib.
- AC_CHECK_LIB([gnutls-openssl], [SSL_new], , [AC_MSG_ERROR([[gnutls-openssl not found; install gnutls, gnutls-openssl and libtasn1 packages for your system or run configure with --disable-gnutls]])])
-
+ PKG_CHECK_MODULES([LIBGNUTLS], [gnutls] , [AC_DEFINE(HAVE_LIBGNUTLS_OPENSSL, 1, [Define to 1 if GnuTLS is available])])
 fi
+AM_CONFIG_HEADER([config.h])
 AC_CONFIG_FILES([Makefile])
 AC_OUTPUT
--- Makefile.am
+++ Makefile.am
@@ -24,6 +24,8 @@
 csync2_SOURCES = action.c cfgfile_parser.y cfgfile_scanner.l check.c \
 checktxt.c csync2.c daemon.c db.c error.c getrealfn.c \
 groups.c rsync.c update.c urlencode.c conn.c prefixsubst.c
+csync2_LDADD = @LIBGNUTLS_LIBS@
+csync2_CFLAGS = @LIBGNUTLS_CFLAGS@
 AM_YFLAGS = -d
 BUILT_SOURCES = cfgfile_parser.h
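Review bot: `PKG_CHECK_MODULES([LIBGNUTLS], [gnutls] , …)` carries no minimum version, although the new conn.c code relies on APIs such as `gnutls_priority_set_direct()` that the 1.x releases the removed `AM_PATH_LIBGNUTLS(1.0.0, …)` check still accepted do not provide; spelling the module as `[gnutls >= MIN_GNUTLS_VERSION]` (placeholder for the version the used calls first appeared in) turns a late compile failure into a configure-time message. The define kept as `HAVE_LIBGNUTLS_OPENSSL` no longer means the gnutls-openssl compatibility library is present, only that plain GnuTLS was found, which is worth a comment above the macro, `# HAVE_LIBGNUTLS_OPENSSL is kept for conn.c; it now means plain GnuTLS, the OpenSSL shim is no longer used`, until the symbol is renamed.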