File csync2-1.34-no-gnutls.patch of Package csync2

--- conn.c.orig	2010-07-27 18:38:31.000000000 +0200
+++ conn.c	2010-07-29 00:05:56.005317177 +0200
@@ -30,20 +30,21 @@
 #include <netdb.h>
 #include <errno.h>
 
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 #  include <gnutls/gnutls.h>
-#  include <gnutls/x509.h>
+#  include <gnutls/openssl.h>
 #endif
 
 int conn_fd_in  = -1;
 int conn_fd_out = -1;
 int conn_clisok = 0;
 
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 int csync_conn_usessl = 0;
 
-static gnutls_session_t conn_tls_session;
-static gnutls_certificate_credentials_t conn_x509_cred;
+SSL_METHOD *conn_ssl_meth;
+SSL_CTX *conn_ssl_ctx;
+SSL *conn_ssl;
 #endif
 
 
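Review bot: The three new handles `conn_ssl_meth`, `conn_ssl_ctx` and `conn_ssl` are defined with external linkage, whereas the `conn_tls_session`/`conn_x509_cred` they replace were `static`; nothing in the csync2.h hunk declares them `extern`, so they are file-private state leaking into the global namespace, `static SSL_METHOD *conn_ssl_meth; static SSL_CTX *conn_ssl_ctx; static SSL *conn_ssl;`. The same applies to `ssl_keyfile` and `ssl_certfile` in the conn_activate_ssl hunk, which drop both `static` and `const` although they still point at string literals. `conn_ssl_meth` is only read once, to feed `SSL_CTX_new`, so it could be a local in conn_activate_ssl rather than a global at all.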
@@ -108,7 +109,7 @@
 
 	conn_fd_out = conn_fd_in;
 	conn_clisok = 1;
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 	csync_conn_usessl = 0;
 #endif
 	return 0;
@@ -121,7 +122,7 @@
 	conn_fd_in  = infd;
 	conn_fd_out = outfd;
 	conn_clisok = 1;
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 	csync_conn_usessl = 0;
 #endif
 
@@ -135,106 +136,43 @@
 }
 
 
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 
-static void ssl_log(int level, const char* msg)
-{ csync_debug(level, "%s", msg); }
-
-static const char *ssl_keyfile = ETCDIR "/csync2_ssl_key.pem";
-static const char *ssl_certfile = ETCDIR "/csync2_ssl_cert.pem";
+char *ssl_keyfile = ETCDIR "/csync2_ssl_key.pem";
+char *ssl_certfile = ETCDIR "/csync2_ssl_cert.pem";
 
 int conn_activate_ssl(int server_role)
 {
-	gnutls_alert_description_t alrt;
-	int err;
+	static int sslinit = 0;
 
 	if (csync_conn_usessl)
 		return 0;
 
-	gnutls_global_init();
-	gnutls_global_set_log_function(ssl_log);
-	gnutls_global_set_log_level(10);
-
-	gnutls_certificate_allocate_credentials(&conn_x509_cred);
-
-	err = gnutls_certificate_set_x509_key_file(conn_x509_cred, ssl_certfile, ssl_keyfile, GNUTLS_X509_FMT_PEM);
-	if(err != GNUTLS_E_SUCCESS) {
-		gnutls_certificate_free_credentials(conn_x509_cred);
-		gnutls_global_deinit();
-
-		csync_fatal(
-			"SSL: failed to use key file %s and/or certificate file %s: %s (%s)\n",
-			ssl_keyfile,
-			ssl_certfile,
-			gnutls_strerror(err),
-			gnutls_strerror_name(err)
-		);
+	if (!sslinit) {
+		SSL_load_error_strings();
+		SSL_library_init();
+		sslinit=1;
 	}
 
-	if(server_role) {
-		gnutls_certificate_free_cas(conn_x509_cred);
+	conn_ssl_meth = (server_role ? SSLv23_server_method : SSLv23_client_method)();
+	conn_ssl_ctx = SSL_CTX_new(conn_ssl_meth);
 
-		if(gnutls_certificate_set_x509_trust_file(conn_x509_cred, ssl_certfile, GNUTLS_X509_FMT_PEM) < 1) {
-			gnutls_certificate_free_credentials(conn_x509_cred);
-			gnutls_global_deinit();
-
-			csync_fatal(
-				"SSL: failed to use certificate file %s as CA.\n",
-				ssl_certfile
-			);
-		}
-	} else
-		gnutls_certificate_free_ca_names(conn_x509_cred);
+	if (SSL_CTX_use_PrivateKey_file(conn_ssl_ctx, ssl_keyfile, SSL_FILETYPE_PEM) <= 0)
+		csync_fatal("SSL: failed to use key file %s.\n", ssl_keyfile);
 
-	gnutls_init(&conn_tls_session, (server_role ? GNUTLS_SERVER : GNUTLS_CLIENT));
-	gnutls_priority_set_direct(conn_tls_session, "PERFORMANCE", NULL);
-	gnutls_credentials_set(conn_tls_session, GNUTLS_CRD_CERTIFICATE, conn_x509_cred);
-
-	if(server_role) {
-		gnutls_certificate_send_x509_rdn_sequence(conn_tls_session, 0);
-		gnutls_certificate_server_set_request(conn_tls_session, GNUTLS_CERT_REQUIRE);
-	}
+	if (SSL_CTX_use_certificate_file(conn_ssl_ctx, ssl_certfile, SSL_FILETYPE_PEM) <= 0)
+		csync_fatal("SSL: failed to use certificate file %s.\n", ssl_certfile);
 
-	gnutls_transport_set_ptr2(
-		conn_tls_session,
-		(gnutls_transport_ptr_t)conn_fd_in,
-		(gnutls_transport_ptr_t)conn_fd_out
-	);
-
-	err = gnutls_handshake(conn_tls_session);
-	switch(err) {
-	case GNUTLS_E_SUCCESS:
-		break;
-
-	case GNUTLS_E_WARNING_ALERT_RECEIVED:
-		alrt = gnutls_alert_get(conn_tls_session);
-		fprintf(
-			csync_debug_out,
-			"SSL: warning alert received from peer: %d (%s).\n",
-			alrt, gnutls_alert_get_name(alrt)
-		);
-		break;
-
-	case GNUTLS_E_FATAL_ALERT_RECEIVED:
-		alrt = gnutls_alert_get(conn_tls_session);
-		fprintf(
-			csync_debug_out,
-			"SSL: fatal alert received from peer: %d (%s).\n",
-			alrt, gnutls_alert_get_name(alrt)
-		);
-
-	default:
-		gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
-		gnutls_deinit(conn_tls_session);
-		gnutls_certificate_free_credentials(conn_x509_cred);
-		gnutls_global_deinit();
-
-		csync_fatal(
-			"SSL: handshake failed: %s (%s)\n",
-			gnutls_strerror(err),
-			gnutls_strerror_name(err)
-		);
-	}
+	if (! (conn_ssl = SSL_new(conn_ssl_ctx)) )
+		csync_fatal("Creating a new SSL handle failed.\n");
+
+	gnutls_certificate_server_set_request(conn_ssl->gnutls_state, GNUTLS_CERT_REQUIRE);
+
+	SSL_set_rfd(conn_ssl, conn_fd_in);
+	SSL_set_wfd(conn_ssl, conn_fd_out);
+
+	if ( (server_role ? SSL_accept : SSL_connect)(conn_ssl) < 1 )
+		csync_fatal("Establishing SSL connection failed.\n");
 
 	csync_conn_usessl = 1;
 
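Review bot: `conn_ssl_ctx = SSL_CTX_new(conn_ssl_meth);` is never checked for NULL, so a failed context creation is handed straight to `SSL_CTX_use_PrivateKey_file`; write it the way the `SSL_new` result is checked a few lines below, `if (!(conn_ssl_ctx = SSL_CTX_new(conn_ssl_meth))) csync_fatal("SSL: failed to create SSL context.\n");`. The requirement for a peer certificate is now applied by reaching into the compat handle's private member `conn_ssl->gnutls_state`, and unconditionally rather than only under `server_role` as the removed code did; this ties the build to the gnutls-openssl internal struct layout and deserves a comment saying why no public call is used here. The removed `gnutls_certificate_set_x509_trust_file` has no counterpart on the new side, so as far as this hunk shows acceptance of the peer certificate rests entirely on the fingerprint comparison in conn_check_peer_cert; a one-line comment stating that would stop the next maintainer from assuming the TLS layer verifies a chain. Each call also allocates a fresh `SSL_CTX` into the same global without releasing the previous one, and the function's closing lines are outside the hunk.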
@@ -243,15 +181,15 @@
 
 int conn_check_peer_cert(const char *peername, int callfatal)
 {
-	const gnutls_datum_t *peercerts;
-	unsigned npeercerts;
+	const X509 *peercert;
 	int i, cert_is_ok = -1;
 
 	if (!csync_conn_usessl)
 		return 1;
 
-	peercerts = gnutls_certificate_get_peers(conn_tls_session, &npeercerts);
-	if(peercerts == NULL || npeercerts == 0) {
+	peercert = SSL_get_peer_certificate(conn_ssl);
+
+	if (!peercert || peercert->size <= 0) {
 		if (callfatal)
 			csync_fatal("Peer did not provide an SSL X509 cetrificate.\n");
 		csync_debug(1, "Peer did not provide an SSL X509 cetrificate.\n");
@@ -259,11 +197,11 @@
 	}
 
 	{
-		char certdata[2*peercerts[0].size + 1];
+		char certdata[peercert->size*2 + 1];
 
-		for (i=0; i<peercerts[0].size; i++)
-			sprintf(&certdata[2*i], "%02X", peercerts[0].data[i]);
-		certdata[2*i] = 0;
+		for (i=0; i<peercert->size; i++)
+			sprintf(certdata+i*2, "%02X", peercert->data[i]);
+		certdata[peercert->size*2] = 0;
 
 		SQL_BEGIN("Checking peer x509 certificate.",
 			"SELECT certdata FROM x509_cert WHERE peername = '%s'",
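Review bot: `char certdata[peercert->size*2 + 1]` is a VLA whose length is taken directly from the peer-supplied certificate, so the stack footprint of this function is chosen by the remote side; since the line is being rewritten anyway, cap it before the array is declared with a named limit (placeholder: `MAX_CERT_BYTES`) and take the existing "did not provide a certificate" exit path when it is exceeded, or switch to a heap buffer with a bounded size. The loop `for (i=0; i<peercert->size; i++)` compares the `int i` declared in the previous hunk against an unsigned size, which the ordering in `peercert->size <= 0` also hints at; declaring `i` as `unsigned` removes the sign-compare warning. The enclosing conn_check_peer_cert starts and ends outside this hunk.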
@@ -309,13 +247,8 @@
 {
 	if ( !conn_clisok ) return -1;
 
-#ifdef HAVE_LIBGNUTLS
-	if ( csync_conn_usessl ) {
-		gnutls_bye(conn_tls_session, GNUTLS_SHUT_RDWR);
-		gnutls_deinit(conn_tls_session);
-		gnutls_certificate_free_credentials(conn_x509_cred);
-		gnutls_global_deinit();
-	}
+#ifdef HAVE_LIBGNUTLS_OPENSSL
+	if ( csync_conn_usessl ) SSL_free(conn_ssl);
 #endif
 
 	if ( conn_fd_in != conn_fd_out) close(conn_fd_in);
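Review bot: `if ( csync_conn_usessl ) SSL_free(conn_ssl);` frees the handle without first sending close_notify, whereas the removed code called `gnutls_bye(..., GNUTLS_SHUT_RDWR)` before tearing down; the compat layer's `SSL_shutdown` is the equivalent, and the context created in conn_activate_ssl is never released either, `SSL_shutdown(conn_ssl); SSL_free(conn_ssl); SSL_CTX_free(conn_ssl_ctx);` inside that branch. Without the shutdown the peer sees the transport close as a truncation rather than an orderly end of the TLS session. The function's signature line is above the hunk.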
@@ -330,9 +263,9 @@
 
 static inline int READ(void *buf, size_t count)
 {
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 	if (csync_conn_usessl)
-		return gnutls_record_recv(conn_tls_session, buf, count);
+		return SSL_read(conn_ssl, buf, count);
 	else
 #endif
 		return read(conn_fd_in, buf, count);
@@ -342,9 +275,9 @@
 {
 	static int n, total;
 
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 	if (csync_conn_usessl)
-		return gnutls_record_send(conn_tls_session, buf, count);
+		return SSL_write(conn_ssl, buf, count);
 	else
 #endif
 	{
--- configure.ac.orig	2010-07-28 23:18:32.781227600 +0200
+++ configure.ac	2010-07-28 23:20:13.573091044 +0200
@@ -80,9 +80,12 @@
 	# Check for gnuTLS.
 	AM_PATH_LIBGNUTLS(1.0.0, , [ AC_MSG_ERROR([[gnutls not found; install gnutls, gnutls-openssl and libtasn1 packages for your system or run configure with --disable-gnutls]]) ])
 
-	## This is a bloody hack for fedora core
+	# This is a bloody hack for fedora core
 	CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
 	LIBS="$LIBS $LIBGNUTLS_LIBS -ltasn1"
+
+	# Check gnuTLS SSL compatibility lib.
+	AC_CHECK_LIB([gnutls-openssl], [SSL_new], , [AC_MSG_ERROR([[gnutls-openssl not found; install gnutls, gnutls-openssl and libtasn1 packages for your system or run configure with --disable-gnutls]])])
 fi
 AM_CONDITIONAL([HAVE_LIBGNUTLS], [test "$enable_gnutls" != no ])
 
--- csync2.c.orig	2010-07-29 00:47:50.621986517 +0200
+++ csync2.c	2010-07-29 00:49:01.145848649 +0200
@@ -539,7 +539,7 @@
 		para = cmd ? strtok(0, "\t \r\n") : 0;
 
 		if (cmd && !strcasecmp(cmd, "ssl")) {
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 			conn_printf("OK (activating_ssl).\n");
 			conn_activate_ssl(1);
 
--- csync2.h.orig	2010-07-29 00:47:58.418811787 +0200
+++ csync2.h	2010-07-29 00:48:42.729878322 +0200
@@ -359,7 +359,7 @@
 
 extern int csync_compare_mode;
 
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 extern int csync_conn_usessl;
 #endif
 
--- daemon.c.orig	2010-07-29 00:48:03.918017929 +0200
+++ daemon.c	2010-07-29 00:48:29.129850262 +0200
@@ -597,7 +597,7 @@
 				cmd_error = "Identification failed!";
 				break;
 			}
-#ifdef HAVE_LIBGNUTLS
+#ifdef HAVE_LIBGNUTLS_OPENSSL
 			if (!csync_conn_usessl) {
 				struct csync_nossl *t;
 				for (t = csync_nossl; t; t=t->next) {
--- update.c.orig	2010-07-29 00:48:08.826859601 +0200
+++ update.c	2010-07-29 00:48:17.422015333 +0200
@@ -70,7 +70,7 @@
 	if ( conn_open(peername) ) return -1;
 
 	if ( use_ssl ) {
-#if HAVE_LIBGNUTLS
+#if HAVE_LIBGNUTLS_OPENSSL
 		conn_printf("SSL\n");
 		if ( read_conn_status(0, peername) ) {
 			csync_debug(1, "SSL command failed.\n");