Search
j0ke.net Open Build Service
>
Projects
>
ha
>
csync2
> csync2-1.34-no-gnutls.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File csync2-1.34-no-gnutls.patch of Package csync2 (Revision 37)
Currently displaying revision
37
,
show latest
--- conn.c.orig 2010-07-27 18:38:31.000000000 +0200 +++ conn.c 2010-07-29 00:05:56.005317177 +0200 @@ -30,20 +30,21 @@ #include <netdb.h> #include <errno.h> -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL # include <gnutls/gnutls.h> -# include <gnutls/x509.h> +# include <gnutls/openssl.h> #endif int conn_fd_in = -1; int conn_fd_out = -1; int conn_clisok = 0; -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL int csync_conn_usessl = 0; -static gnutls_session_t conn_tls_session; -static gnutls_certificate_credentials_t conn_x509_cred; +SSL_METHOD *conn_ssl_meth; +SSL_CTX *conn_ssl_ctx; +SSL *conn_ssl; #endif @@ -108,7 +109,7 @@ conn_fd_out = conn_fd_in; conn_clisok = 1; -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL csync_conn_usessl = 0; #endif return 0; @@ -121,7 +122,7 @@ conn_fd_in = infd; conn_fd_out = outfd; conn_clisok = 1; -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL csync_conn_usessl = 0; #endif @@ -135,106 +136,43 @@ } -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL -static void ssl_log(int level, const char* msg) -{ csync_debug(level, "%s", msg); } - -static const char *ssl_keyfile = ETCDIR "/csync2_ssl_key.pem"; -static const char *ssl_certfile = ETCDIR "/csync2_ssl_cert.pem"; +char *ssl_keyfile = ETCDIR "/csync2_ssl_key.pem"; +char *ssl_certfile = ETCDIR "/csync2_ssl_cert.pem"; int conn_activate_ssl(int server_role) { - gnutls_alert_description_t alrt; - int err; + static int sslinit = 0; if (csync_conn_usessl) return 0; - gnutls_global_init(); - gnutls_global_set_log_function(ssl_log); - gnutls_global_set_log_level(10); - - gnutls_certificate_allocate_credentials(&conn_x509_cred); - - err = gnutls_certificate_set_x509_key_file(conn_x509_cred, ssl_certfile, ssl_keyfile, GNUTLS_X509_FMT_PEM); - if(err != GNUTLS_E_SUCCESS) { - gnutls_certificate_free_credentials(conn_x509_cred); - gnutls_global_deinit(); - - csync_fatal( - "SSL: failed to use key file %s and/or certificate file %s: %s (%s)\n", - ssl_keyfile, - ssl_certfile, - gnutls_strerror(err), - gnutls_strerror_name(err) - ); + if (!sslinit) { + SSL_load_error_strings(); + SSL_library_init(); + sslinit=1; } - if(server_role) { - gnutls_certificate_free_cas(conn_x509_cred); + conn_ssl_meth = (server_role ? SSLv23_server_method : SSLv23_client_method)(); + conn_ssl_ctx = SSL_CTX_new(conn_ssl_meth); - if(gnutls_certificate_set_x509_trust_file(conn_x509_cred, ssl_certfile, GNUTLS_X509_FMT_PEM) < 1) { - gnutls_certificate_free_credentials(conn_x509_cred); - gnutls_global_deinit(); - - csync_fatal( - "SSL: failed to use certificate file %s as CA.\n", - ssl_certfile - ); - } - } else - gnutls_certificate_free_ca_names(conn_x509_cred); + if (SSL_CTX_use_PrivateKey_file(conn_ssl_ctx, ssl_keyfile, SSL_FILETYPE_PEM) <= 0) + csync_fatal("SSL: failed to use key file %s.\n", ssl_keyfile); - gnutls_init(&conn_tls_session, (server_role ? GNUTLS_SERVER : GNUTLS_CLIENT)); - gnutls_priority_set_direct(conn_tls_session, "PERFORMANCE", NULL); - gnutls_credentials_set(conn_tls_session, GNUTLS_CRD_CERTIFICATE, conn_x509_cred); - - if(server_role) { - gnutls_certificate_send_x509_rdn_sequence(conn_tls_session, 0); - gnutls_certificate_server_set_request(conn_tls_session, GNUTLS_CERT_REQUIRE); - } + if (SSL_CTX_use_certificate_file(conn_ssl_ctx, ssl_certfile, SSL_FILETYPE_PEM) <= 0) + csync_fatal("SSL: failed to use certificate file %s.\n", ssl_certfile); - gnutls_transport_set_ptr2( - conn_tls_session, - (gnutls_transport_ptr_t)conn_fd_in, - (gnutls_transport_ptr_t)conn_fd_out - ); - - err = gnutls_handshake(conn_tls_session); - switch(err) { - case GNUTLS_E_SUCCESS: - break; - - case GNUTLS_E_WARNING_ALERT_RECEIVED: - alrt = gnutls_alert_get(conn_tls_session); - fprintf( - csync_debug_out, - "SSL: warning alert received from peer: %d (%s).\n", - alrt, gnutls_alert_get_name(alrt) - ); - break; - - case GNUTLS_E_FATAL_ALERT_RECEIVED: - alrt = gnutls_alert_get(conn_tls_session); - fprintf( - csync_debug_out, - "SSL: fatal alert received from peer: %d (%s).\n", - alrt, gnutls_alert_get_name(alrt) - ); - - default: - gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR); - gnutls_deinit(conn_tls_session); - gnutls_certificate_free_credentials(conn_x509_cred); - gnutls_global_deinit(); - - csync_fatal( - "SSL: handshake failed: %s (%s)\n", - gnutls_strerror(err), - gnutls_strerror_name(err) - ); - } + if (! (conn_ssl = SSL_new(conn_ssl_ctx)) ) + csync_fatal("Creating a new SSL handle failed.\n"); + + gnutls_certificate_server_set_request(conn_ssl->gnutls_state, GNUTLS_CERT_REQUIRE); + + SSL_set_rfd(conn_ssl, conn_fd_in); + SSL_set_wfd(conn_ssl, conn_fd_out); + + if ( (server_role ? SSL_accept : SSL_connect)(conn_ssl) < 1 ) + csync_fatal("Establishing SSL connection failed.\n"); csync_conn_usessl = 1; @@ -243,15 +181,15 @@ int conn_check_peer_cert(const char *peername, int callfatal) { - const gnutls_datum_t *peercerts; - unsigned npeercerts; + const X509 *peercert; int i, cert_is_ok = -1; if (!csync_conn_usessl) return 1; - peercerts = gnutls_certificate_get_peers(conn_tls_session, &npeercerts); - if(peercerts == NULL || npeercerts == 0) { + peercert = SSL_get_peer_certificate(conn_ssl); + + if (!peercert || peercert->size <= 0) { if (callfatal) csync_fatal("Peer did not provide an SSL X509 cetrificate.\n"); csync_debug(1, "Peer did not provide an SSL X509 cetrificate.\n"); @@ -259,11 +197,11 @@ } { - char certdata[2*peercerts[0].size + 1]; + char certdata[peercert->size*2 + 1]; - for (i=0; i<peercerts[0].size; i++) - sprintf(&certdata[2*i], "%02X", peercerts[0].data[i]); - certdata[2*i] = 0; + for (i=0; i<peercert->size; i++) + sprintf(certdata+i*2, "%02X", peercert->data[i]); + certdata[peercert->size*2] = 0; SQL_BEGIN("Checking peer x509 certificate.", "SELECT certdata FROM x509_cert WHERE peername = '%s'", @@ -309,13 +247,8 @@ { if ( !conn_clisok ) return -1; -#ifdef HAVE_LIBGNUTLS - if ( csync_conn_usessl ) { - gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR); - gnutls_deinit(conn_tls_session); - gnutls_certificate_free_credentials(conn_x509_cred); - gnutls_global_deinit(); - } +#ifdef HAVE_LIBGNUTLS_OPENSSL + if ( csync_conn_usessl ) SSL_free(conn_ssl); #endif if ( conn_fd_in != conn_fd_out) close(conn_fd_in); @@ -330,9 +263,9 @@ static inline int READ(void *buf, size_t count) { -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL if (csync_conn_usessl) - return gnutls_record_recv(conn_tls_session, buf, count); + return SSL_read(conn_ssl, buf, count); else #endif return read(conn_fd_in, buf, count); @@ -342,9 +275,9 @@ { static int n, total; -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL if (csync_conn_usessl) - return gnutls_record_send(conn_tls_session, buf, count); + return SSL_write(conn_ssl, buf, count); else #endif { --- configure.ac.orig 2010-07-28 23:18:32.781227600 +0200 +++ configure.ac 2010-07-28 23:20:13.573091044 +0200 @@ -80,9 +80,12 @@ # Check for gnuTLS. AM_PATH_LIBGNUTLS(1.0.0, , [ AC_MSG_ERROR([[gnutls not found; install gnutls, gnutls-openssl and libtasn1 packages for your system or run configure with --disable-gnutls]]) ]) - ## This is a bloody hack for fedora core + # This is a bloody hack for fedora core CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS" LIBS="$LIBS $LIBGNUTLS_LIBS -ltasn1" + + # Check gnuTLS SSL compatibility lib. + AC_CHECK_LIB([gnutls-openssl], [SSL_new], , [AC_MSG_ERROR([[gnutls-openssl not found; install gnutls, gnutls-openssl and libtasn1 packages for your system or run configure with --disable-gnutls]])]) fi AM_CONDITIONAL([HAVE_LIBGNUTLS], [test "$enable_gnutls" != no ]) --- csync2.c.orig 2010-07-29 00:47:50.621986517 +0200 +++ csync2.c 2010-07-29 00:49:01.145848649 +0200 @@ -539,7 +539,7 @@ para = cmd ? strtok(0, "\t \r\n") : 0; if (cmd && !strcasecmp(cmd, "ssl")) { -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL conn_printf("OK (activating_ssl).\n"); conn_activate_ssl(1); --- csync2.h.orig 2010-07-29 00:47:58.418811787 +0200 +++ csync2.h 2010-07-29 00:48:42.729878322 +0200 @@ -359,7 +359,7 @@ extern int csync_compare_mode; -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL extern int csync_conn_usessl; #endif --- daemon.c.orig 2010-07-29 00:48:03.918017929 +0200 +++ daemon.c 2010-07-29 00:48:29.129850262 +0200 @@ -597,7 +597,7 @@ cmd_error = "Identification failed!"; break; } -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGNUTLS_OPENSSL if (!csync_conn_usessl) { struct csync_nossl *t; for (t = csync_nossl; t; t=t->next) { --- update.c.orig 2010-07-29 00:48:08.826859601 +0200 +++ update.c 2010-07-29 00:48:17.422015333 +0200 @@ -70,7 +70,7 @@ if ( conn_open(peername) ) return -1; if ( use_ssl ) { -#if HAVE_LIBGNUTLS +#if HAVE_LIBGNUTLS_OPENSSL conn_printf("SSL\n"); if ( read_conn_status(0, peername) ) { csync_debug(1, "SSL command failed.\n");