
PATCH: optionally use gnutls instead of openssl in base


From: Derek Zhou
Subject: PATCH: optionally use gnutls instead of openssl in base
Date: Thu, 14 Jun 2007 23:31:55 -0700
User-agent: Mutt/1.5.13 (2006-08-11)

Looks like the corporate email server ate my email, so I am sending it again.
This patch adds gnutls support to GSSSLHandle. One can use "./configure
--enable-gnutls" to enable it; the default is still openssl.
Caveats:
* Server side is untested; I lack a good test case. Client side should
work.
* The handshake may block. Again, I don't have a good test case.

Derek Zhou

Index: SSL/config.h.in
===================================================================
--- SSL/config.h.in     (revision 25255)
+++ SSL/config.h.in     (working copy)
@@ -53,3 +53,6 @@
 
 /* Define if you have the <utime.h> header file.  */
 #undef HAVE_UTIME_H
+
+/* Define if using the openssl library for ssl/tls socket operations */
+#undef USE_OPENSSL
Index: SSL/GSSSLHandle.m
===================================================================
--- SSL/GSSSLHandle.m   (revision 25255)
+++ SSL/GSSSLHandle.m   (working copy)
@@ -42,6 +42,7 @@
 #define GNUSTEP_BASE_SOCKET_MESSAGE (WM_USER + 1)
 #endif
 
+#ifdef USE_OPENSSL
   /* Because openssl uses `id' as variable name sometime,
      while it is an Objective-C reserved keyword. */
   #define id id_x_
@@ -49,6 +50,9 @@
   #include <openssl/rand.h>
   #include <openssl/err.h>
   #undef id
+#else /* use gnutls */
+#include <gnutls/gnutls.h>
+#endif
 
 #include <Foundation/Foundation.h>
 
@@ -80,6 +84,7 @@
 #include <unistd.h>
 #endif
 
+#ifdef USE_OPENSSL
 static NSString*
 sslError(int err)
 {
@@ -121,12 +126,18 @@
     }
   return str;
 }
+#endif
 
-
 @interface     GSSSLHandle : GSFileHandle <GCFinalization>
 {
+#ifdef USE_OPENSSL
   SSL_CTX      *ctx;
   SSL          *ssl;
+#else  /* use gnutls */
+  gnutls_session_t session;
+  gnutls_certificate_credentials_t xcred;
+  BOOL xcredAllocated;
+#endif
   BOOL         connected;
 }
 
@@ -143,6 +154,7 @@
 {
   if (self == [GSSSLHandle class])
     {
+#ifdef USE_OPENSSL
       SSL_library_init();
 
       /*
@@ -156,6 +168,9 @@
          inf = [[[NSProcessInfo processInfo] globallyUniqueString] UTF8String];
          RAND_seed(inf, strlen(inf));
        }
+#else  /* use gnutls */
+      gnutls_global_init ();
+#endif
     }
 }
 
@@ -175,7 +190,11 @@
 {
   if (connected)
     {
+#ifdef USE_OPENSSL
       return SSL_read(ssl, buf, len);
+#else  /* use gnutls */
+      return gnutls_record_recv(session, buf, len);
+#endif
     }
   return [super read: buf length: len];
 }
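Review bot: The new `#else` branch returns the raw result of `gnutls_record_recv`, which is a negative GnuTLS error code on failure (including the non-fatal `GNUTLS_E_AGAIN` / `GNUTLS_E_INTERRUPTED`) rather than the -1 a caller of `read:length:` presumably checks for, and the `ssize_t` result is narrowed to `int` without a cast. The `gnutls_record_send` call in the `write:length:` hunk further down has the same issue. A small mapping keeps the OpenSSL-branch contract: `ssize_t got = gnutls_record_recv(session, buf, len);` / `if (got < 0 && gnutls_error_is_fatal(got)) NSLog(@"TLS read failed - %s", gnutls_strerror(got));` / `return (got < 0) ? -1 : (int)got;`.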
@@ -196,6 +215,7 @@
       return NO;
     }
 
+#ifdef USE_OPENSSL
   /*
    * Ensure we have a context and handle to connect with.
    */
@@ -207,6 +227,18 @@
     {
       ssl = SSL_new(ctx);
     }
+#else  /* use gnutls */
+  if (!xcredAllocated)
+    {
+      gnutls_certificate_allocate_credentials (&xcred);
+      xcredAllocated = YES;
+    }
+  gnutls_init (&session, GNUTLS_SERVER);
+  gnutls_set_default_priority (session);
+  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
+#endif
+#ifdef USE_OPENSSL
   /*
    * Set non-blocking so accept won't hang if remote end goes wrong.
    */
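Review bot: The return values of `gnutls_init` and `gnutls_credentials_set` on the new `#else` branch are discarded, so if either fails `session` is left uninitialised and the later `gnutls_handshake` runs on it; at minimum `if (gnutls_init (&session, GNUTLS_SERVER) != 0) return NO;` is needed, and the same guard applies to the client-side setup in `sslConnect`. Separately, `GNUTLS_CERT_REQUEST` only asks the client for a certificate; nothing in this patch calls `gnutls_certificate_verify_peers2` afterwards, so a presented client certificate is never checked. If client authentication is not intended, a comment such as `/* client cert is requested but not verified */` would make that explicit. `sslAccept` begins before this hunk.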
@@ -279,8 +311,21 @@
          return NO;
        }
     }
+  RELEASE(self);
+#else  /* use gnutls */
+  /*
+   * Don't know how to do non-blocking handshake, I'll do the blocking for now
+   */
+  gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) descriptor);
+  ret = gnutls_handshake (session);
+  if (ret != 0)
+    {
+      NSLog(@"Failed to do TLS handshake  - %s", gnutls_strerror(ret));
+      gnutls_deinit(session);
+      return NO;
+    }
+#endif
   connected = YES;
-  RELEASE(self);
   return YES;
 }
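Review bot: `if (ret != 0)` treats every non-zero result of `gnutls_handshake` as fatal, but GnuTLS reports `GNUTLS_E_AGAIN` and `GNUTLS_E_INTERRUPTED` as negative codes that mean "call again", so an interrupted handshake on an otherwise healthy socket is torn down with `gnutls_deinit`. The client-side handshake in the next `sslConnect` hunk has the same check. Retrying the non-fatal codes is the usual idiom: `do { ret = gnutls_handshake (session); }` / `while (ret < 0 && gnutls_error_is_fatal (ret) == 0);` / `if (ret < 0) { ... existing NSLog/deinit/return NO ... }`. The declaration of `ret` and the start of `sslAccept` lie outside this hunk, so I am assuming `ret` is an `int` already declared above.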
 
@@ -300,6 +345,7 @@
       return NO;
     }
 
+#ifdef USE_OPENSSL
   /*
    * Ensure we have a context and handle to connect with.
    */
@@ -311,6 +357,17 @@
     {
       ssl = SSL_new(ctx);
     }
+#else  /* use gnutls */
+  if (!xcredAllocated)
+    {
+      gnutls_certificate_allocate_credentials (&xcred);
+      xcredAllocated = YES;
+    }
+  gnutls_init (&session, GNUTLS_CLIENT);
+  gnutls_set_default_priority (session);
+  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+#endif
+#ifdef USE_OPENSSL
   RETAIN(self);                // Don't get destroyed during runloop
   /*
    * Set non-blocking so accept won't hang if remote end goes wrong.
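Review bot: The client credentials allocated on the new `#else` branch carry no trust anchors (no `gnutls_certificate_set_x509_trust_file` or equivalent is called) and the handshake hunk below never calls `gnutls_certificate_verify_peers2`, so the gnutls client completes the handshake with whatever certificate the server presents. Whether the OpenSSL path verifies the peer is not visible in this patch; either way the limitation should be stated where the credentials are set up, e.g. `/* No trust store is configured and the server certificate is not verified; this provides encryption only. */`, so that callers do not mistake this for authenticated TLS. `sslConnect` begins before this hunk.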
@@ -383,13 +440,27 @@
          return NO;
        }
     }
+  RELEASE(self);
+#else  /* use gnutls */
+  /*
+   * Don't know how to do non-blocking handshake, I'll do the blocking for now
+   */
+  gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) descriptor);
+  ret = gnutls_handshake (session);
+  if (ret != 0)
+    {
+      NSLog(@"Failed to do TLS handshake  - %s", gnutls_strerror(ret));
+      gnutls_deinit(session);
+      return NO;
+    }
+#endif
   connected = YES;
-  RELEASE(self);
   return YES;
 }
 
 - (void) sslDisconnect
 {
+#ifdef USE_OPENSSL
   if (ssl != 0)
     {
       if (connected == YES)
@@ -405,6 +476,18 @@
       SSL_CTX_free(ctx);
       ctx = 0;
     }
+#else  /* use gnutls */
+  if (connected == YES)
+    {
+      gnutls_bye(session, GNUTLS_SHUT_RDWR);
+      gnutls_deinit(session);
+    }
+  if (xcredAllocated)
+    {
+      gnutls_certificate_free_credentials(xcred);
+      xcredAllocated = NO;
+    }
+#endif
   connected = NO;
 }
 
@@ -419,6 +502,7 @@
       NSLog(@"Attempt to set ssl certificate for a standard file");
       return;
     }
+#ifdef USE_OPENSSL
   /*
    * Ensure we have a context to set the certificate for.
    */
@@ -426,11 +510,23 @@
     {
       ctx = SSL_CTX_new(SSLv23_method());
     }
+#else  /* use gnutls */
+  if (!xcredAllocated)
+    {
+      gnutls_certificate_allocate_credentials (&xcred);
+      xcredAllocated = YES;
+    }
+#endif
   if ([PEMpasswd length] > 0)
     {
+#ifdef USE_OPENSSL
       SSL_CTX_set_default_passwd_cb_userdata(ctx,
        (char*)[PEMpasswd UTF8String]);
+#else  /* use gnutls */
+      /* don't know what to do here */
+#endif
     }
+#ifdef USE_OPENSSL
   if ([certFile length] > 0)
     {
       ret = SSL_CTX_use_certificate_file(ctx, [certFile UTF8String],
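Review bot: On the gnutls branch a non-empty `PEMpasswd` is silently dropped (`/* don't know what to do here */`), so an operator who supplies a password for an encrypted key only sees the generic key-file failure logged further down, with no hint that the password was never used. A one-line warning at that point makes the gap visible: `NSLog(@"PEM password is not supported with gnutls; private key must be unencrypted");`. The limitation is also worth a line in the method's documentation, which lies outside this hunk.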
@@ -451,13 +547,28 @@
            privateKey, sslError(ERR_get_error()));
        }
     }
+#else  /* use gnutls */
+  ret = gnutls_certificate_set_x509_key_file (xcred, 
+                                              [certFile UTF8String], 
+                                              [privateKey UTF8String],
+                                              GNUTLS_X509_FMT_PEM);
+  if (ret!=0)
+    {
+      NSLog(@"Failed to set certificqte/private key file to %@/%@ - %s",
+           certFile, privateKey, gnutls_strerror(ret));
+    }
+#endif
 }
 
 - (int) write: (const void*)buf length: (int)len
 {
   if (connected)
     {
+#ifdef USE_OPENSSL
       return SSL_write(ssl, buf, len);
+#else  /* use gnutls */
+      return gnutls_record_send(session, buf, len);
+#endif
     }
   return [super write: buf length: len];
 }
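Review bot: The gnutls branch calls `gnutls_certificate_set_x509_key_file` unconditionally, whereas the OpenSSL branch above guards with `if ([certFile length] > 0)`; with a nil or empty `certFile`/`privateKey` the `UTF8String` messages yield NULL and GnuTLS fails, producing a spurious "Failed to set ..." log for a caller that only wanted to set a password. Wrap the call in `if ([certFile length] > 0 && [privateKey length] > 0)` to match the other branch, and fix the typo in the message: `NSLog(@"Failed to set certificate/private key file to %@/%@ - %s",`. The `write:length:` return-value mapping is covered in the note on the `read:length:` hunk.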
Index: SSL/configure.ac
===================================================================
--- SSL/configure.ac    (revision 25255)
+++ SSL/configure.ac    (working copy)
@@ -123,21 +123,27 @@
     SSLLIBS="${library_flags}"
 fi
 
+AC_ARG_ENABLE(openssl,
+  [  --enable-openssl          Enable use of openssl library],,
+  enable_openssl=yes)
+
+AC_ARG_ENABLE(gnutls,
+  [  --enable-gnutls   Enable use of gnutls library],,
+  enable_gnutls=no)
+
+AC_ARG_ENABLE(openssl,
+  [  --disable-openssl Disable support for openssl in URL classes],,
+  enable_openssl=yes)
 #--------------------------------------------------------------------
 # Check OpenSSL for HTTPS support.
 #--------------------------------------------------------------------
-AC_ARG_ENABLE(openssl,
-  [  --disable-openssl         Disable support for openssl in URL classes],,
-  enable_openssl=yes)
 AC_ARG_WITH(openssl-include,
-  [  --with-openssl-include=PATH  include path for openssl headers],
+  [  --with-openssl-include=PATH  include path for openssl/gnutls headers],
   openssl_incdir="$withval", openssl_incdir="no")
 AC_ARG_WITH(openssl-library,
-  [  --with-openssl-library=PATH  library path for openssl libraries],
+  [  --with-openssl-library=PATH  library path for openssl/gnutls libraries],
   openssl_libdir="$withval", openssl_libdir="no")
 
-cppflags_temp="$CPPFLAGS"
-
 if test "$openssl_incdir" != "no"; then
   CPPFLAGS="$CPPFLAGS -I$openssl_incdir"
   SSLFLAGS="-I$openssl_incdir"
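Review bot: `AC_ARG_ENABLE(openssl, ...)` is now declared twice in this hunk, once with an `--enable-openssl` help string and again with the old `--disable-openssl` one, so `./configure --help` lists the same option twice and the default assignment runs twice; the top-level `configure.ac` hunk at the end of the patch has the identical duplication. Keep a single declaration, e.g. the first one, and drop the re-added block starting `AC_ARG_ENABLE(openssl,` / `[  --disable-openssl Disable support for openssl in URL classes],,`. The `--enable-gnutls` help text is also indented differently from its neighbours and will not line up in the help output.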
@@ -152,10 +158,26 @@
   SSLLIBS=
 fi
 
-if test $enable_openssl = yes; then
-  ssl_ok=no
-  AC_CHECK_HEADERS(openssl/ssl.h)
-  if test $ac_cv_header_openssl_ssl_h = yes; then
+AC_CHECK_HEADER(openssl/ssl.h, have_openssl=yes, have_openssl=no)
+AC_CHECK_HEADER(gnutls/gnutls.h, have_gnutls=yes, have_gnutls=no)
+if test $have_openssl = no; then
+  enable_openssl=no
+  # If we don't have openssl but do have gnutls, use gnutls
+  if test $have_gnutls = yes; then
+    enable_gnutls=yes
+  fi
+fi
+if test $have_gnutls = no; then
+  enable_gnutls=no
+fi
+
+ssl_ok=no
+if test $enable_gnutls = yes; then
+   AC_CHECK_LIB(gnutls, gnutls_init)
+   if test $ac_cv_lib_gnutls_gnutls_init = yes; then
+     ssl_ok=yes
+   fi
+elif test $enable_openssl = yes; then
     AC_CHECK_LIB(crypto, CRYPTO_malloc)
     if test $ac_cv_lib_crypto_CRYPTO_malloc = yes; then
       # ssl needs socket on Solaris
@@ -164,23 +186,20 @@
       AC_CHECK_LIB(cipher,des_setkey)
       if test $ac_cv_lib_ssl_ssl2_clear = yes; then
         ssl_ok=yes
+        AC_DEFINE(USE_OPENSSL,1,
+          [Define if using the openssl library for ssl/tls socket operations])
       fi
     fi
-  fi
-  if test $ssl_ok = no; then
-    AC_MSG_WARN(SSL bundle will not be built: Could not find openssl libraries)
-  fi
-else
-  AC_MSG_WARN(SSL bundle will not be built: Openssl disabled by user)
 fi
+if test $ssl_ok = no; then
+    AC_MSG_WARN(SSL bundle will not be built)
+fi
 HAVE_OPENSSL=$ssl_ok
 SSLLIBS="$SSLLIBS $LIBS"
 AC_SUBST(HAVE_OPENSSL)
 AC_SUBST(SSLFLAGS)
 AC_SUBST(SSLLIBS)
 
-CPPFLAGS="$cppflags_temp";
-
 #--------------------------------------------------------------------
 # Write the Makefiles
 #--------------------------------------------------------------------
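Review bot: The replacement warning `AC_MSG_WARN(SSL bundle will not be built)` drops the reason that the two removed messages gave (libraries not found vs. disabled by the user), which is exactly what someone reading a configure log needs; consider `AC_MSG_WARN(SSL bundle will not be built: no usable openssl or gnutls library found or both disabled)`. This hunk also removes the `CPPFLAGS="$cppflags_temp"` restore whose matching save was deleted in the first hunk of this file, so any `-I$openssl_incdir` added above now stays in `CPPFLAGS` for the rest of this configure run; I cannot tell from the patch whether that is intended, so it deserves a comment if it is.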
Index: configure.ac
===================================================================
--- configure.ac        (revision 25255)
+++ configure.ac        (working copy)
@@ -2147,13 +2147,19 @@
 # help file.
 #--------------------------------------------------------------------
 AC_ARG_ENABLE(openssl,
+  [  --enable-openssl           Enable use of openssl library],,
+  enable_openssl=yes)
+AC_ARG_ENABLE(gnutls,
+  [  --enable-gnutls            Enable use of gnutls library],,
+  enable_gnutls=no)
+AC_ARG_ENABLE(openssl,
   [  --disable-openssl         Disable support for openssl in URL classes],,
   enable_openssl=yes)
 AC_ARG_WITH(openssl-include,
-  [  --with-openssl-include=PATH  include path for openssl headers],
+  [  --with-openssl-include=PATH  include path for openssl/gnutls headers],
   openssl_incdir="$withval", openssl_incdir="no")
 AC_ARG_WITH(openssl-library,
-  [  --with-openssl-library=PATH  library path for openssl libraries],
+  [  --with-openssl-library=PATH  library path for openssl/gnutls libraries],
   openssl_libdir="$withval", openssl_libdir="no")
 
 AC_CONFIG_SUBDIRS(Source/mframe SSL)



