X-Git-Url: https://mattmccutchen.net/rsync/rsync-patches.git/blobdiff_plain/a6587818c397ffbdfc336e77d5021efb103debf9..cb0d2e2b200e6610054021db977334088f9bd04f:/openssl-support.diff diff --git a/openssl-support.diff b/openssl-support.diff index 4e265b1..d703d35 100644 --- a/openssl-support.diff +++ b/openssl-support.diff @@ -20,7 +20,7 @@ this implementation are: #starttls - And, if the server allows SSL, it replies with + And, if the daemon allows SSL, it replies with @RSYNCD: starttls @@ -37,61 +37,61 @@ All warnings apply; I don't do C programming all that often, so I can't say if I've left any cleanup/compatibility errors in the code. ---- orig/Makefile.in 2004-08-13 07:18:58 -+++ Makefile.in 2004-07-03 20:22:28 -@@ -39,7 +39,7 @@ OBJS3=progress.o pipe.o +--- orig/Makefile.in 2005-11-07 04:29:00 ++++ Makefile.in 2004-10-08 20:17:06 +@@ -38,7 +38,7 @@ OBJS3=progress.o pipe.o DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o authenticate.o popt_OBJS=popt/findme.o popt/popt.o popt/poptconfig.o \ popt/popthelp.o popt/poptparse.o -OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@ +OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@ @SSL_OBJS@ - TLS_OBJ = tls.o syscall.o lib/permstring.o + TLS_OBJ = tls.o syscall.o lib/compat.o lib/snprintf.o lib/permstring.o + +--- orig/cleanup.c 2005-11-10 16:58:36 ++++ cleanup.c 2005-01-10 10:43:22 +@@ -22,6 +22,9 @@ + #include "rsync.h" ---- orig/cleanup.c 2004-07-29 16:08:03 -+++ cleanup.c 2004-07-03 20:22:28 -@@ -24,6 +24,9 @@ extern int io_error; - extern int keep_partial; - extern int log_got_error; -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL +extern int use_ssl; +#endif - - /** - * Close all open sockets and files, allowing a (somewhat) graceful + extern int keep_partial; + extern int log_got_error; + extern char *partial_dir; @@ -97,6 +100,11 @@ void _exit_cleanup(int code, const char signal(SIGUSR1, SIG_IGN); signal(SIGUSR2, SIG_IGN); -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL + if (use_ssl) + end_tls(); +#endif + if (verbose > 3) { rprintf(FINFO,"_exit_cleanup(code=%d, file=%s, line=%d): entered\n", - code, file, line); ---- orig/clientserver.c 2004-08-02 02:29:16 -+++ clientserver.c 2004-07-03 20:22:28 -@@ -46,6 +46,9 @@ extern int io_timeout; + code, safe_fname(file), line); +--- orig/clientserver.c 2005-10-24 21:04:44 ++++ clientserver.c 2005-04-09 17:39:57 +@@ -44,6 +44,9 @@ extern int io_timeout; extern int orig_umask; extern int no_detach; extern int default_af_hint; -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL +extern int use_ssl; +#endif extern char *bind_address; - extern struct exclude_list_struct server_exclude_list; - extern char *exclude_path_prefix; -@@ -94,8 +97,18 @@ int start_socket_client(char *host, char + extern struct filter_list_struct server_filter_list; + extern char *config_file; +@@ -101,8 +104,18 @@ int start_socket_client(char *host, char exit_cleanup(RERR_SOCKETIO); ret = start_inband_exchange(user, path, fd, fd, argc); -+ if (ret < 0) ++ if (ret) + return ret; + -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL + if (use_ssl) { + int f_in = get_tls_rfd(); + int f_out = get_tls_wfd(); @@ -99,16 +99,16 @@ can't say if I've left any cleanup/compatibility errors in the code. + } +#endif -- return ret < 0? ret : client_run(fd, fd, -1, argc, argv); +- return ret ? ret : client_run(fd, fd, -1, argc, argv); + return client_run(fd, fd, -1, argc, argv); } int start_inband_exchange(char *user, char *path, int f_in, int f_out, -@@ -150,6 +163,33 @@ int start_inband_exchange(char *user, ch - if (protocol_version > remote_protocol) - protocol_version = remote_protocol; +@@ -163,6 +176,33 @@ int start_inband_exchange(char *user, ch + if (verbose > 1) + print_child_argv(sargs); -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL + if (use_ssl) { + io_printf(f_out, "#starttls\n"); + while (1) { @@ -117,7 +117,7 @@ can't say if I've left any cleanup/compatibility errors in the code. + return -1; + } + if (strncmp(line, "@ERROR", 6) == 0) { -+ rprintf(FERROR, "rsync: ssl connection denied\n"); ++ rprintf(FERROR, "%s\n", line); + return -1; + } + if (strcmp(line, "@RSYNCD: starttls") == 0) { @@ -138,29 +138,29 @@ can't say if I've left any cleanup/compatibility errors in the code. p = strchr(path,'/'); if (p) *p = 0; io_printf(f_out, "%s\n", path); -@@ -178,6 +218,10 @@ int start_inband_exchange(char *user, ch +@@ -191,6 +231,10 @@ int start_inband_exchange(char *user, ch * server to terminate the listing of modules. * We don't want to go on and transfer * anything; just exit. */ -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL + if (use_ssl) + end_tls(); +#endif exit(0); } -@@ -185,6 +229,10 @@ int start_inband_exchange(char *user, ch +@@ -198,6 +242,10 @@ int start_inband_exchange(char *user, ch rprintf(FERROR, "%s\n", line); /* This is always fatal; the server will now * close the socket. */ -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL + if (use_ssl) + end_tls(); +#endif - return RERR_STARTCLIENT; - } else { - rprintf(FINFO,"%s\n", line); -@@ -497,6 +545,7 @@ static void send_listing(int fd) + return -1; + } + +@@ -668,6 +716,7 @@ static void send_listing(int fd) io_printf(fd,"@RSYNCD: EXIT\n"); } @@ -168,7 +168,17 @@ can't say if I've left any cleanup/compatibility errors in the code. /* this is called when a connection is established to a client and we want to start talking. The setup of the system is done from here */ -@@ -555,6 +604,20 @@ int start_daemon(int f_in, int f_out) +@@ -717,6 +766,9 @@ int start_daemon(int f_in, int f_out) + if (protocol_version > remote_protocol) + protocol_version = remote_protocol; + ++#if HAVE_OPENSSL ++retry: ++#endif + line[0] = 0; + if (!read_line(f_in, line, sizeof line - 1)) + return -1; +@@ -726,6 +778,20 @@ int start_daemon(int f_in, int f_out) return -1; } @@ -182,16 +192,16 @@ can't say if I've left any cleanup/compatibility errors in the code. + } + f_in = get_tls_rfd(); + f_out = get_tls_wfd(); -+ continue; ++ goto retry; + } +#endif + if (*line == '#') { /* it's some sort of command that I don't understand */ io_printf(f_out, "@ERROR: Unknown command '%s'\n", line); ---- orig/configure.in 2004-08-13 07:18:59 +--- orig/configure.in 2005-09-24 17:40:30 +++ configure.in 2004-07-03 20:22:28 -@@ -271,6 +271,21 @@ yes +@@ -293,6 +293,21 @@ yes AC_SEARCH_LIBS(getaddrinfo, inet6) fi @@ -213,91 +223,13 @@ can't say if I've left any cleanup/compatibility errors in the code. AC_MSG_CHECKING([whether to call shutdown on all sockets]) case $host_os in *cygwin* ) AC_MSG_RESULT(yes) ---- orig/main.c 2004-09-18 01:49:33 -+++ main.c 2004-07-15 02:40:51 -@@ -56,6 +56,9 @@ extern int write_batch; - extern int batch_fd; - extern int batch_gen_fd; - extern int filesfrom_fd; -+#ifdef HAVE_OPENSSL -+extern int use_ssl; -+#endif - extern pid_t cleanup_child_pid; - extern char *files_from; - extern char *remote_filesfrom_file; -@@ -761,18 +764,32 @@ static int start_client(int argc, char * - pid_t pid; - int f_in,f_out; - int rc; -+ int url_prefix = strlen(URL_PREFIX); - - /* Don't clobber argv[] so that ps(1) can still show the right - * command line. */ - if ((rc = copy_argv(argv))) - return rc; - -+ if (strncasecmp(URL_PREFIX, argv[0], url_prefix) != 0 && !read_batch) { -+#ifdef HAVE_OPENSSL -+ url_prefix = strlen(SSL_URL_PREFIX); -+ if (strncasecmp(SSL_URL_PREFIX, argv[0], url_prefix) != 0) -+ url_prefix = 0; -+ else { -+ if (!use_ssl) -+ init_tls(); -+ use_ssl = 1; -+ } -+#else -+ url_prefix = 0; -+#endif -+ } - /* rsync:// always uses rsync server over direct socket connection */ -- if (strncasecmp(URL_PREFIX, argv[0], strlen(URL_PREFIX)) == 0 -- && !read_batch) { -+ if (url_prefix) { - char *host, *path; - -- host = argv[0] + strlen(URL_PREFIX); -+ host = argv[0] + url_prefix; - p = strchr(host,'/'); - if (p) { - *p = '\0'; -@@ -825,12 +842,27 @@ static int start_client(int argc, char * - argv++; - } else { /* source is local */ - am_sender = 1; -+ url_prefix = strlen(URL_PREFIX); -+ if (strncasecmp(URL_PREFIX, argv[0], url_prefix) != 0) { -+#ifdef HAVE_OPENSSL -+ url_prefix = strlen(SSL_URL_PREFIX); -+ if (strncasecmp(SSL_URL_PREFIX, argv[0], url_prefix) != 0) -+ url_prefix = 0; -+ else { -+ if (!use_ssl) -+ init_tls(); -+ use_ssl = 1; -+ } -+#else -+ url_prefix = 0; -+#endif -+ } - - /* rsync:// destination uses rsync server over direct socket */ -- if (strncasecmp(URL_PREFIX, argv[argc-1], strlen(URL_PREFIX)) == 0) { -+ if (url_prefix) { - char *host, *path; - -- host = argv[argc-1] + strlen(URL_PREFIX); -+ host = argv[argc-1] + url_prefix; - p = strchr(host,'/'); - if (p) { - *p = '\0'; ---- orig/options.c 2004-09-20 05:10:48 -+++ options.c 2004-07-16 20:19:50 -@@ -135,6 +135,14 @@ int quiet = 0; +--- orig/options.c 2005-11-15 07:01:03 ++++ options.c 2005-11-15 07:10:33 +@@ -162,6 +162,14 @@ int log_format_has_o_or_i = 0; int always_checksum = 0; int list_only = 0; -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL +int use_ssl = 0; +char *ssl_cert_path = NULL; +char *ssl_key_path = NULL; @@ -308,7 +240,7 @@ can't say if I've left any cleanup/compatibility errors in the code. #define MAX_BATCH_NAME_LEN 256 /* Must be less than MAXPATHLEN-13 */ char *batch_name = NULL; -@@ -154,6 +162,7 @@ static void print_rsync_version(enum log +@@ -190,6 +198,7 @@ static void print_rsync_version(enum log char const *hardlinks = "no "; char const *links = "no "; char const *ipv6 = "no "; @@ -316,18 +248,18 @@ can't say if I've left any cleanup/compatibility errors in the code. STRUCT_STAT *dumstat; #ifdef HAVE_SOCKETPAIR -@@ -176,6 +185,10 @@ static void print_rsync_version(enum log +@@ -212,6 +221,10 @@ static void print_rsync_version(enum log ipv6 = ""; #endif -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL + ssl = ""; +#endif + rprintf(f, "%s version %s protocol version %d\n", RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION); rprintf(f, -@@ -189,10 +202,10 @@ static void print_rsync_version(enum log +@@ -225,10 +238,10 @@ static void print_rsync_version(enum log /* Note that this field may not have type ino_t. It depends * on the complicated interaction between largefile feature * macros. */ @@ -335,66 +267,65 @@ can't say if I've left any cleanup/compatibility errors in the code. + rprintf(f, " %sinplace, %sIPv6, %d-bit system inums, %d-bit internal inums, %sssl\n", have_inplace, ipv6, (int) (sizeof dumstat->st_ino * 8), -- (int) (sizeof (uint64) * 8)); -+ (int) (sizeof (uint64) * 8), ssl); +- (int) (sizeof (int64) * 8)); ++ (int) (sizeof (int64) * 8), ssl); #ifdef MAINTAINER_MODE rprintf(f, " panic action: \"%s\"\n", get_panic_action()); -@@ -308,6 +321,13 @@ void usage(enum logcode F) +@@ -363,6 +376,13 @@ void usage(enum logcode F) rprintf(F," -4, --ipv4 prefer IPv4\n"); rprintf(F," -6, --ipv6 prefer IPv6\n"); #endif -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL + rprintf(F," --ssl allow socket connections to use SSL\n"); -+ rprintf(F," --ssl-cert=FILE path to server's SSL certificate\n"); -+ rprintf(F," --ssl-key=FILE path to server's SSL private key\n"); ++ rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n"); ++ rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n"); + rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n"); + rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n"); +#endif - rprintf(F," -h, --help show this help screen\n"); + rprintf(F," --version print version number\n"); + rprintf(F," --help show this help screen\n"); - rprintf(F,"\n"); -@@ -319,7 +339,7 @@ void usage(enum logcode F) - enum {OPT_VERSION = 1000, OPT_SENDER, OPT_EXCLUDE, OPT_EXCLUDE_FROM, - OPT_DELETE_AFTER, OPT_DELETE_EXCLUDED, OPT_LINK_DEST, - OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, -- OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_TIMEOUT, -+ OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_TIMEOUT, OPT_USE_SSL, +@@ -375,6 +395,7 @@ enum {OPT_VERSION = 1000, OPT_DAEMON, OP + OPT_FILTER, OPT_COMPARE_DEST, OPT_COPY_DEST, OPT_LINK_DEST, OPT_HELP, + OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, OPT_MIN_SIZE, + OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_ONLY_WRITE_BATCH, OPT_MAX_SIZE, ++ OPT_USE_SSL, OPT_REFUSED_BASE = 9000}; static struct poptOption long_options[] = { -@@ -408,6 +428,13 @@ static struct poptOption long_options[] - {"ipv4", '4', POPT_ARG_VAL, &default_af_hint, AF_INET, 0, 0 }, - {"ipv6", '6', POPT_ARG_VAL, &default_af_hint, AF_INET6, 0, 0 }, - #endif -+#ifdef HAVE_OPENSSL -+ {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0}, -+ {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0}, -+ {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0}, +@@ -503,6 +524,13 @@ static struct poptOption long_options[] + {"checksum-seed", 0, POPT_ARG_INT, &checksum_seed, 0, 0, 0 }, + {"server", 0, POPT_ARG_NONE, &am_server, 0, 0, 0 }, + {"sender", 0, POPT_ARG_NONE, 0, OPT_SENDER, 0, 0 }, ++#if HAVE_OPENSSL ++ {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0}, ++ {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0}, ++ {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0}, + {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0}, -+ {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0}, ++ {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0}, +#endif - {0,0,0,0, 0, 0, 0} - }; - -@@ -616,6 +643,12 @@ int parse_arguments(int *argc, const cha - return 0; - #endif + /* All the following options switch us into daemon-mode option-parsing. */ + {"config", 0, POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 }, + {"daemon", 0, POPT_ARG_NONE, 0, OPT_DAEMON, 0, 0 }, +@@ -997,6 +1025,12 @@ int parse_arguments(int *argc, const cha + basis_dir[basis_dir_cnt++] = (char *)arg; + break; + case OPT_USE_SSL: -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL + use_ssl = 1; +#endif + break; + default: /* A large opt value means that set_refuse_options() - * turned this option off (opt-BASE is its index). */ -@@ -807,6 +840,17 @@ int parse_arguments(int *argc, const cha - if (do_progress && !verbose) - verbose = 1; + * turned this option off. */ +@@ -1274,6 +1308,17 @@ int parse_arguments(int *argc, const cha + if (delay_updates && !partial_dir) + partial_dir = partialdir_for_delayupdate; -+#ifdef HAVE_OPENSSL ++#if HAVE_OPENSSL + if (use_ssl) { + if (init_tls()) { + snprintf(err_buf, sizeof(err_buf), @@ -405,11 +336,42 @@ can't say if I've left any cleanup/compatibility errors in the code. + } +#endif + - if (bwlimit) { - bwlimit_writemax = (size_t)bwlimit * 128; - if (bwlimit_writemax < 512) ---- orig/rsync.h 2004-08-03 15:41:32 -+++ rsync.h 2004-07-03 20:22:28 + if (inplace) { + #ifdef HAVE_FTRUNCATE + if (partial_dir) { +@@ -1664,11 +1709,28 @@ char *check_for_hostspec(char *s, char * + { + char *p; + int not_host; ++ int url_prefix_len = sizeof URL_PREFIX - 1; + +- if (port_ptr && strncasecmp(URL_PREFIX, s, strlen(URL_PREFIX)) == 0) { ++ if (!port_ptr) ++ url_prefix_len = 0; ++ else if (strncasecmp(URL_PREFIX, s, url_prefix_len) != 0) { ++#if HAVE_OPENSSL ++ url_prefix_len = sizeof SSL_URL_PREFIX - 1; ++ if (strncasecmp(SSL_URL_PREFIX, s, url_prefix_len) != 0) ++ url_prefix_len = 0; ++ else { ++ if (!use_ssl) ++ init_tls(); ++ use_ssl = 1; ++ } ++#else ++ url_prefix_len = 0; ++#endif ++ } ++ if (url_prefix_len) { + char *path; + int hostlen; +- s += strlen(URL_PREFIX); ++ s += url_prefix_len; + if ((p = strchr(s, '/')) != NULL) { + hostlen = p - s; + path = p + 1; +--- orig/rsync.h 2005-11-12 20:31:04 ++++ rsync.h 2004-10-08 21:01:33 @@ -32,6 +32,7 @@ #define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock" @@ -418,8 +380,8 @@ can't say if I've left any cleanup/compatibility errors in the code. #define BACKUP_SUFFIX "~" -@@ -329,6 +330,11 @@ enum msgcode { - #define uint64 unsigned off_t +@@ -410,6 +411,11 @@ enum msgcode { + # define SIZEOF_INT64 SIZEOF_OFF_T #endif +#if HAVE_OPENSSL @@ -430,8 +392,8 @@ can't say if I've left any cleanup/compatibility errors in the code. /* Starting from protocol version 26, we always use 64-bit * ino_t and dev_t internally, even if this platform does not * allow files to have 64-bit inums. That's because the ---- orig/ssl.c 2004-07-02 21:44:19 -+++ ssl.c 2004-07-02 21:44:19 +--- orig/ssl.c 2004-10-08 19:37:22 ++++ ssl.c 2004-10-08 19:37:22 @@ -0,0 +1,366 @@ +/* -*- c-file-style: "linux" -*- + * ssl.c: operations for negotiating SSL rsync connections. @@ -455,7 +417,7 @@ can't say if I've left any cleanup/compatibility errors in the code. + +#include "rsync.h" + -+#ifdef HAVE_SYS_SELECT_H ++#if HAVE_SYS_SELECT_H +#include +#else +#include @@ -489,7 +451,7 @@ can't say if I've left any cleanup/compatibility errors in the code. + */ +static int default_password_cb(char *buf, int n, UNUSED(int f), UNUSED(void *u)) +{ -+ if (ssl_key_passwd == NULL || n < strlen(ssl_key_passwd)) ++ if (ssl_key_passwd == NULL || n < (int)strlen(ssl_key_passwd)) + return 0; + strncpy(buf, ssl_key_passwd, n-1); + return strlen(ssl_key_passwd); @@ -498,7 +460,7 @@ can't say if I've left any cleanup/compatibility errors in the code. +/** + * If verbose, this method traces the status of the SSL handshake. + */ -+static void info_callback(SSL *ssl, int cb, int val) ++static void info_callback(const SSL *ssl, int cb, int val) +{ + char buf[128]; + char *cbs; @@ -551,7 +513,7 @@ can't say if I've left any cleanup/compatibility errors in the code. + if (verbose > 2) { + rprintf(FLOG, "SSL: info_callback(%p,%s,%d)\n", ssl, cbs, val); + if (cb == SSL_CB_HANDSHAKE_DONE) { -+ SSL_CIPHER_description(SSL_get_current_cipher(ssl), ++ SSL_CIPHER_description(SSL_get_current_cipher((SSL*)ssl), + buf, sizeof buf); + rprintf(FLOG, "SSL: cipher: %s", buf); + }