From e8687e3d59ba411ee1ed143c8726ab9449bbbe57 Mon Sep 17 00:00:00 2001 From: Adam Dickmeiss Date: Wed, 4 Jun 2008 15:46:07 +0200 Subject: [PATCH] Started work on using GNU TLS as an alterantive to OpenSSL. --- configure.ac | 37 +++++++++++++++++++++++++++++++++++- src/comstack.c | 12 ++++++++++-- src/tcpip.c | 57 ++++++++++++++++++++++++++++++++++++++------------------ 3 files changed, 85 insertions(+), 21 deletions(-) diff --git a/configure.ac b/configure.ac index 6d2b5b7..84c1bf3 100644 --- a/configure.ac +++ b/configure.ac @@ -56,15 +56,16 @@ if test "$checkBoth" = "1"; then fi AC_CHECK_FUNC([gethostbyname], ,[AC_CHECK_LIB(nsl, main, [LIBS="$LIBS -lnsl"])]) dnl + dnl ------ OpenSSL AC_SUBST([SSL_CFLAGS]) AC_SUBST([SSL_LIBS]) openssl=default +sslver=no AC_ARG_WITH([openssl], [ --with-openssl[=PREFIX] OpenSSL library in PREFIX], [openssl=$withval]) SSL_CFLAGS="" SSL_LIBPATH="" if test "$openssl" != "no"; then - sslver=no if test "$openssl" != "yes" -a "$openssl" != "default"; then if test -x $openssl/bin/pkg-config; then if $openssl/bin/pkg-config --exists openssl; then @@ -121,6 +122,40 @@ if test "$openssl" != "no"; then fi fi fi +dnl ------ GNU TLS +gnutls=no +AC_ARG_WITH([gnutls], [ --with-gnutls[=PREFIX] GNU TLS library in PREFIX], [gnutls=$withval]) +if test "$gnutls" != "no" -a "$sslver" = "no"; then + gnutlsver=no + if test "$gnutls" != "yes" -a "$gnutls" != "default"; then + if test -x $gnutls/bin/pkg-config; then + if $gnutls/bin/pkg-config --exists gnutls; then + SSL_CFLAGS=`$gnutls/bin/pkg-config --cflags gnutls` + SSL_LIBS="`$gnutls/bin/pkg-config --libs gnutls` -lgnutls-openssl" + gnutlsver=`$gnutls/bin/pkg-config --modversion gnutls` + fi + fi + else + if test "$pkgconfigpath" != "NONE"; then + if $pkgconfigpath --exists gnutls; then + SSL_CFLAGS=`$pkgconfigpath --cflags gnutls` + SSL_LIBS="`$pkgconfigpath --libs gnutls` -lgnutls-openssl" + gnutlsver=`$pkgconfigpath --modversion gnutls` + fi + fi + fi + AC_MSG_CHECKING([for GNU TLS]) + if test "$gnutlsver" != "no"; then + SSL_CFLAGS="-DHAVE_GNUTLS_H=1 $SSL_CFLAGS" + AC_MSG_RESULT([$gnutlsver]) + else + SSL_CFLAGS="" + AC_MSG_RESULT([None]) + if test "$gnutls" != "default"; then + AC_MSG_ERROR([GNU TLS development libraries missing]) + fi + fi +fi dnl dnl ------ GNU Readline READLINE_SHARED_LIBADD="" diff --git a/src/comstack.c b/src/comstack.c index 0623457..0020c97 100644 --- a/src/comstack.c +++ b/src/comstack.c @@ -22,6 +22,14 @@ #define strncasecmp _strnicmp #endif +#if HAVE_GNUTLS_H +#define ENABLE_SSL 1 +#endif + +#if HAVE_OPENSSL_SSL_H +#define ENABLE_SSL 1 +#endif + static const char *cs_errlist[] = { "No error or unspecified error", @@ -98,7 +106,7 @@ static int cs_parse_host(const char *uri, const char **host, } else if (strncmp (uri, "ssl:", 4) == 0) { -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL *t = ssl_type; *host = uri + 4; *proto = PROTO_Z3950; @@ -126,7 +134,7 @@ static int cs_parse_host(const char *uri, const char **host, } else if (strncmp(uri, "https:", 6) == 0) { -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL *t = ssl_type; *host = uri + 6; while (**host == '/') diff --git a/src/tcpip.c b/src/tcpip.c index b992319..24e205a 100644 --- a/src/tcpip.c +++ b/src/tcpip.c @@ -48,9 +48,15 @@ #include #endif +#if HAVE_GNUTLS_H +#include +#define ENABLE_SSL 1 +#endif + #if HAVE_OPENSSL_SSL_H #include #include +#define ENABLE_SSL 1 #endif #include @@ -71,7 +77,7 @@ static int tcpip_listen(COMSTACK h, char *raddr, int *addrlen, void *cd); static int tcpip_set_blocking(COMSTACK p, int blocking); -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL static int ssl_get(COMSTACK h, char **buf, int *bufsize); static int ssl_put(COMSTACK h, char *buf, int size); #endif @@ -106,7 +112,7 @@ typedef struct tcpip_state struct sockaddr_in addr; /* returned by cs_straddr */ #endif char buf[128]; /* returned by cs_addrstr */ -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL SSL_CTX *ctx; /* current CTX. */ SSL_CTX *ctx_alloc; /* If =ctx it is owned by CS. If 0 it is not owned */ SSL *ssl; @@ -185,7 +191,7 @@ COMSTACK tcpip_type(int s, int flags, int protocol, void *vp) p->stackerr = 0; p->user = 0; -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL sp->ctx = sp->ctx_alloc = 0; sp->ssl = 0; strcpy(sp->cert_fname, "yaz.pem"); @@ -234,7 +240,7 @@ COMSTACK yaz_tcpip_create(int s, int flags, int protocol, } -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL COMSTACK ssl_type(int s, int flags, int protocol, void *vp) { @@ -505,7 +511,7 @@ int tcpip_connect(COMSTACK h, void *address) */ int tcpip_rcvconnect(COMSTACK h) { -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL tcpip_state *sp = (tcpip_state *)h->cprivate; #endif TRC(fprintf(stderr, "tcpip_rcvconnect\n")); @@ -517,13 +523,13 @@ int tcpip_rcvconnect(COMSTACK h) h->cerrno = CSOUTSTATE; return -1; } -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL if (h->type == ssl_type && !sp->ctx) { SSL_library_init(); SSL_load_error_strings(); - sp->ctx = sp->ctx_alloc = SSL_CTX_new (SSLv23_method()); + sp->ctx = sp->ctx_alloc = SSL_CTX_new (SSLv23_client_method()); if (!sp->ctx) { h->cerrno = CSERRORSSL; @@ -609,13 +615,13 @@ static int tcpip_bind(COMSTACK h, void *address, int mode) } #endif -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL if (h->type == ssl_type && !sp->ctx) { SSL_library_init(); SSL_load_error_strings(); - sp->ctx = sp->ctx_alloc = SSL_CTX_new (SSLv23_method()); + sp->ctx = sp->ctx_alloc = SSL_CTX_new (SSLv23_server_method()); if (!sp->ctx) { h->cerrno = CSERRORSSL; @@ -627,25 +633,38 @@ static int tcpip_bind(COMSTACK h, void *address, int mode) if (sp->ctx_alloc) { int res; - res = SSL_CTX_use_certificate_chain_file(sp->ctx, sp->cert_fname); + res = SSL_CTX_use_certificate_file(sp->ctx, sp->cert_fname, + SSL_FILETYPE_PEM); if (res <= 0) { +#if HAVE_OPENSSL_SSL_H ERR_print_errors_fp(stderr); +#else + fprintf(stderr, " SSL_CTX_use_certificate_file %s failed\n", + sp->cert_fname); +#endif exit (2); } res = SSL_CTX_use_PrivateKey_file (sp->ctx, sp->cert_fname, SSL_FILETYPE_PEM); if (res <= 0) { +#if HAVE_OPENSSL_SSL_H ERR_print_errors_fp(stderr); +#else + fprintf(stderr, " SSL_CTX_use_certificate_file %s failed\n", + sp->cert_fname); +#endif exit (3); } +#if HAVE_OPENSSL_SSL_H res = SSL_CTX_check_private_key (sp->ctx); if (res <= 0) { ERR_print_errors_fp(stderr); exit(5); } +#endif } TRC (fprintf (stderr, "ssl_bind\n")); } @@ -817,7 +836,7 @@ COMSTACK tcpip_accept(COMSTACK h) cnew->state = CS_ST_ACCEPT; h->state = CS_ST_IDLE; -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL state->ctx = st->ctx; state->ctx_alloc = 0; state->ssl = st->ssl; @@ -833,7 +852,7 @@ COMSTACK tcpip_accept(COMSTACK h) } if (h->state == CS_ST_ACCEPT) { -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL tcpip_state *state = (tcpip_state *)h->cprivate; if (state->ctx) { @@ -1001,7 +1020,7 @@ int tcpip_get(COMSTACK h, char **buf, int *bufsize) } -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL /* * Return: -1 error, >1 good, len of buffer, ==1 incomplete buffer, * 0=connection closed. @@ -1155,7 +1174,7 @@ int tcpip_put(COMSTACK h, char *buf, int size) } -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL /* * Returns 1, 0 or -1 * In nonblocking mode, you must call again with same buffer while @@ -1216,7 +1235,7 @@ int tcpip_close(COMSTACK h) TRC(fprintf(stderr, "tcpip_close\n")); if (h->iofile != -1) { -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL if (sp->ssl) { SSL_shutdown (sp->ssl); @@ -1230,7 +1249,7 @@ int tcpip_close(COMSTACK h) } if (sp->altbuf) xfree(sp->altbuf); -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL if (sp->ssl) { TRC (fprintf(stderr, "SSL_free\n")); @@ -1301,7 +1320,7 @@ char *tcpip_addrstr(COMSTACK h) sprintf(buf, "http:%s", r); else sprintf(buf, "tcp:%s", r); -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL if (sp->ctx) { if (h->protocol == PROTO_HTTP) @@ -1337,7 +1356,7 @@ int static tcpip_set_blocking(COMSTACK p, int flags) return 1; } -#if HAVE_OPENSSL_SSL_H +#if ENABLE_SSL int cs_set_ssl_ctx(COMSTACK cs, void *ctx) { struct tcpip_state *sp; @@ -1376,6 +1395,7 @@ int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len) if (ssl) { X509 *server_cert = SSL_get_peer_certificate (ssl); +#if HAVE_OPENSSL_SSL_H if (server_cert) { BIO *bio = BIO_new(BIO_s_mem()); @@ -1388,6 +1408,7 @@ int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len) BIO_free(bio); return 1; } +#endif } return 0; } -- 1.7.10.4