X-Git-Url: https://mattmccutchen.net/rsync/rsync-patches.git/blobdiff_plain/ce06af288fe81757e5ce516551f3362a8aeec488..refs/heads/master:/openssl-support.diff diff --git a/openssl-support.diff b/openssl-support.diff index 9ec481c..daa419b 100644 --- a/openssl-support.diff +++ b/openssl-support.diff @@ -1,7 +1,4 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -Hi. +Casey Marshall wrote: I've been hacking together a way to use rsync with OpenSSL, and have attached my current patch against a recent CVS tree. The details of @@ -15,7 +12,7 @@ this implementation are: #starttls - And, if the server allows SSL, it replies with + And, if the daemon allows SSL, it replies with @RSYNCD: starttls @@ -31,74 +28,72 @@ this implementation are: All warnings apply; I don't do C programming all that often, so I can't say if I've left any cleanup/compatibility errors in the code. -Also: refers to the (now gone) -smart-questions document on tuxedo.org, which should now be catb.org. - -Cheers, +To use this patch, run these commands for a successful build: -- -- -Casey Marshall || rsdio@metastatic.org ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.2.1 (GNU/Linux) -Comment: Processed by Mailcrypt 3.5.7 + patch -p1 10) { -@@ -97,6 +100,11 @@ void _exit_cleanup(int code, const char + extern int keep_partial; + extern int got_xfer_error; + extern int protocol_version; +@@ -137,6 +140,14 @@ NORETURN void _exit_cleanup(int code, const char *file, int line) + who_am_i(), code, file, line); + } - signal(SIGUSR1, SIG_IGN); - signal(SIGUSR2, SIG_IGN); -+ +#ifdef HAVE_OPENSSL -+ if (use_ssl) -+ end_tls(); ++ /* FALLTHROUGH */ ++#include "case_N.h" ++ ++ if (use_ssl) ++ end_tls(); +#endif ++ + /* FALLTHROUGH */ + #include "case_N.h" - if (verbose > 3) - rprintf(FINFO,"_exit_cleanup(code=%d, file=%s, line=%d): entered\n", ---- clientserver.c 14 Apr 2004 23:33:34 -0000 1.121 -+++ clientserver.c 25 Apr 2004 18:37:23 -0000 -@@ -46,6 +46,9 @@ extern int io_timeout; - extern int orig_umask; - extern int no_detach; - extern int default_af_hint; +diff --git a/clientserver.c b/clientserver.c +--- a/clientserver.c ++++ b/clientserver.c +@@ -30,6 +30,9 @@ extern int am_sender; + extern int am_server; + extern int am_daemon; + extern int am_root; +#ifdef HAVE_OPENSSL +extern int use_ssl; +#endif - extern char *bind_address; - extern struct exclude_list_struct server_exclude_list; - extern char *exclude_path_prefix; -@@ -93,8 +96,18 @@ int start_socket_client(char *host, char - exit_cleanup(RERR_SOCKETIO); + extern int rsync_port; + extern int protect_args; + extern int ignore_errors; +@@ -133,8 +136,18 @@ int start_socket_client(char *host, int remote_argc, char *remote_argv[], + #endif - ret = start_inband_exchange(user, path, fd, fd, argc); -+ if (ret < 0) + ret = start_inband_exchange(fd, fd, user, remote_argc, remote_argv); ++ if (ret) + return ret; + +#ifdef HAVE_OPENSSL @@ -109,30 +104,29 @@ LEvhhkUglOm3xMyrdJT4u9Q= + } +#endif -- return ret < 0? ret : client_run(fd, fd, -1, argc, argv); +- return ret ? ret : client_run(fd, fd, -1, argc, argv); + return client_run(fd, fd, -1, argc, argv); } - int start_inband_exchange(char *user, char *path, int f_in, int f_out, int argc) -@@ -145,6 +158,33 @@ int start_inband_exchange(char *user, ch - if (protocol_version > remote_protocol) - protocol_version = remote_protocol; + static int exchange_protocols(int f_in, int f_out, char *buf, size_t bufsiz, int am_client) +@@ -277,6 +290,32 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char + if (DEBUG_GTE(CMD, 1)) + print_child_argv("sending daemon args:", sargs); +#ifdef HAVE_OPENSSL + if (use_ssl) { + io_printf(f_out, "#starttls\n"); + while (1) { -+ if (!read_line(f_in, line, sizeof(line)-1)) { ++ if (!read_line_old(f_in, line, sizeof line)) { + rprintf(FERROR, "rsync: did not receive reply to #starttls\n"); + return -1; + } + if (strncmp(line, "@ERROR", 6) == 0) { -+ rprintf(FERROR, "rsync: ssl connection denied\n"); ++ rprintf(FERROR, "%s\n", line); + return -1; + } -+ if (strcmp(line, "@RSYNCD: starttls") == 0) { ++ if (strcmp(line, "@RSYNCD: starttls") == 0) + break; -+ } + rprintf(FINFO, "%s\n", line); + } + if (start_tls(f_in, f_out)) { @@ -145,10 +139,10 @@ LEvhhkUglOm3xMyrdJT4u9Q= + } +#endif + - p = strchr(path,'/'); - if (p) *p = 0; - io_printf(f_out, "%s\n", path); -@@ -172,6 +212,10 @@ int start_inband_exchange(char *user, ch + io_printf(f_out, "%.*s\n", modlen, modname); + + /* Old servers may just drop the connection here, +@@ -302,6 +341,10 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char * server to terminate the listing of modules. * We don't want to go on and transfer * anything; just exit. */ @@ -159,62 +153,53 @@ LEvhhkUglOm3xMyrdJT4u9Q= exit(0); } -@@ -179,6 +223,10 @@ int start_inband_exchange(char *user, ch - rprintf(FERROR,"%s\n", line); +@@ -309,6 +352,10 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char + rprintf(FERROR, "%s\n", line); /* This is always fatal; the server will now * close the socket. */ +#ifdef HAVE_OPENSSL + if (use_ssl) + end_tls(); +#endif - return RERR_STARTCLIENT; - } else { - rprintf(FINFO,"%s\n", line); -@@ -485,6 +533,7 @@ static void send_listing(int fd) - io_printf(fd,"@RSYNCD: EXIT\n"); - } - -+ - /* this is called when a connection is established to a client - and we want to start talking. The setup of the system is done from - here */ -@@ -543,6 +592,20 @@ int start_daemon(int f_in, int f_out) - send_listing(f_out); return -1; } -+ -+#if HAVE_OPENSSL -+ if (use_ssl && strcmp(line, "#starttls") == 0) { -+ io_printf(f_out, "@RSYNCD: starttls\n"); -+ if (start_tls(f_in, f_out)) { -+ rprintf(FLOG, "SSL connection failed: %s\n", -+ get_ssl_error()); -+ return -1; -+ } -+ f_in = get_tls_rfd(); -+ f_out = get_tls_wfd(); -+ continue; -+ } -+#endif - if (*line == '#') { - /* it's some sort of command that I don't understand */ ---- config.h.in 9 Apr 2004 18:09:30 -0000 1.89 -+++ config.h.in 25 Apr 2004 18:37:23 -0000 -@@ -167,6 +167,9 @@ - /* */ - #undef HAVE_OFF64_T +@@ -1028,6 +1075,9 @@ int start_daemon(int f_in, int f_out) + if (exchange_protocols(f_in, f_out, line, sizeof line, 0) < 0) + return -1; -+/* true if you want to use SSL. */ -+#undef HAVE_OPENSSL -+ - /* Define to 1 if you have the `readlink' function. */ - #undef HAVE_READLINK ++#ifdef HAVE_OPENSSL ++retry: ++#endif + line[0] = 0; + if (!read_line_old(f_in, line, sizeof line)) + return -1; +@@ -1039,6 +1089,20 @@ int start_daemon(int f_in, int f_out) + return -1; + } ---- configure.in 17 Apr 2004 18:40:16 -0000 1.191 -+++ configure.in 25 Apr 2004 18:37:23 -0000 -@@ -266,6 +266,21 @@ yes - AC_SEARCH_LIBS(getaddrinfo, inet6) ++#ifdef HAVE_OPENSSL ++ if (use_ssl && strcmp(line, "#starttls") == 0) { ++ io_printf(f_out, "@RSYNCD: starttls\n"); ++ if (start_tls(f_in, f_out)) { ++ rprintf(FLOG, "SSL connection failed: %s\n", ++ get_ssl_error()); ++ return -1; ++ } ++ f_in = get_tls_rfd(); ++ f_out = get_tls_wfd(); ++ goto retry; ++ } ++#endif ++ + if (*line == '#') { + /* it's some sort of command that I don't understand */ + io_printf(f_out, "@ERROR: Unknown command '%s'\n", line); +diff --git a/configure.in b/configure.in +--- a/configure.in ++++ b/configure.in +@@ -318,6 +318,21 @@ if test x"$enable_locale" != x"no"; then + AC_DEFINE(CONFIG_LOCALE) fi +AC_ARG_ENABLE(openssl, @@ -235,86 +220,10 @@ LEvhhkUglOm3xMyrdJT4u9Q= AC_MSG_CHECKING([whether to call shutdown on all sockets]) case $host_os in *cygwin* ) AC_MSG_RESULT(yes) ---- main.c 10 Feb 2004 03:54:47 -0000 1.192 -+++ main.c 25 Apr 2004 18:37:23 -0000 -@@ -51,6 +51,9 @@ extern int rsync_port; - extern int read_batch; - extern int write_batch; - extern int filesfrom_fd; -+#ifdef HAVE_OPENSSL -+extern int use_ssl; -+#endif - extern pid_t cleanup_child_pid; - extern char *files_from; - extern char *remote_filesfrom_file; -@@ -701,17 +704,32 @@ static int start_client(int argc, char * - pid_t pid; - int f_in,f_out; - int rc; -+ int url_prefix = strlen(URL_PREFIX); - - /* Don't clobber argv[] so that ps(1) can still show the right - * command line. */ - if ((rc = copy_argv(argv))) - return rc; - -+ if (strncasecmp(URL_PREFIX, argv[0], url_prefix) != 0) { -+#ifdef HAVE_OPENSSL -+ url_prefix = strlen(SSL_URL_PREFIX); -+ if (strncasecmp(SSL_URL_PREFIX, argv[0], url_prefix) != 0) -+ url_prefix = 0; -+ else { -+ if (!use_ssl) -+ init_tls(); -+ use_ssl = 1; -+ } -+#else -+ url_prefix = 0; -+#endif -+ } - /* rsync:// always uses rsync server over direct socket connection */ -- if (strncasecmp(URL_PREFIX, argv[0], strlen(URL_PREFIX)) == 0) { -+ if (url_prefix) { - char *host, *path; - -- host = argv[0] + strlen(URL_PREFIX); -+ host = argv[0] + url_prefix; - p = strchr(host,'/'); - if (p) { - *p = 0; -@@ -760,12 +778,27 @@ static int start_client(int argc, char * - argv++; - } else { - am_sender = 1; -+ url_prefix = strlen(URL_PREFIX); -+ if (strncasecmp(URL_PREFIX, argv[0], url_prefix) != 0) { -+#ifdef HAVE_OPENSSL -+ url_prefix = strlen(SSL_URL_PREFIX); -+ if (strncasecmp(SSL_URL_PREFIX, argv[0], url_prefix) != 0) -+ url_prefix = 0; -+ else { -+ if (!use_ssl) -+ init_tls(); -+ use_ssl = 1; -+ } -+#else -+ url_prefix = 0; -+#endif -+ } - - /* rsync:// destination uses rsync server over direct socket */ -- if (strncasecmp(URL_PREFIX, argv[argc-1], strlen(URL_PREFIX)) == 0) { -+ if (url_prefix) { - char *host, *path; - -- host = argv[argc-1] + strlen(URL_PREFIX); -+ host = argv[argc-1] + url_prefix; - p = strchr(host,'/'); - if (p) { - *p = 0; ---- options.c 17 Apr 2004 17:07:23 -0000 1.147 -+++ options.c 25 Apr 2004 18:37:24 -0000 -@@ -130,6 +130,14 @@ int quiet = 0; +diff --git a/options.c b/options.c +--- a/options.c ++++ b/options.c +@@ -191,6 +191,14 @@ int logfile_format_has_o_or_i = 0; int always_checksum = 0; int list_only = 0; @@ -326,103 +235,151 @@ LEvhhkUglOm3xMyrdJT4u9Q= +char *ssl_ca_path = NULL; +#endif + - #define FIXED_CHECKSUM_SEED 32761 - #define MAX_BATCH_PREFIX_LEN 256 /* Must be less than MAXPATHLEN-13 */ - char *batch_prefix = NULL; -@@ -142,13 +150,13 @@ static int modify_window_set; - * address, or a hostname. **/ - char *bind_address; + #define MAX_BATCH_NAME_LEN 256 /* Must be less than MAXPATHLEN-13 */ + char *batch_name = NULL; -- - static void print_rsync_version(enum logcode f) - { - char const *got_socketpair = "no "; - char const *hardlinks = "no "; +@@ -567,6 +575,7 @@ static void print_rsync_version(enum logcode f) char const *links = "no "; + char const *iconv = "no "; char const *ipv6 = "no "; + char const *ssl = "no "; STRUCT_STAT *dumstat; - #ifdef HAVE_SOCKETPAIR -@@ -167,6 +175,10 @@ static void print_rsync_version(enum log - ipv6 = ""; + #if SUBPROTOCOL_VERSION != 0 +@@ -600,6 +609,9 @@ static void print_rsync_version(enum logcode f) + #ifdef CAN_SET_SYMLINK_TIMES + symtimes = ""; #endif - +#ifdef HAVE_OPENSSL + ssl = ""; +#endif -+ - rprintf(f, "%s version %s protocol version %d\n", - RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION); - rprintf(f, -@@ -180,10 +192,10 @@ static void print_rsync_version(enum log - /* Note that this field may not have type ino_t. It depends - * on the complicated interaction between largefile feature - * macros. */ -- rprintf(f, " %sIPv6, %d-bit system inums, %d-bit internal inums\n", -+ rprintf(f, " %sIPv6, %d-bit system inums, %d-bit internal inums, %sssl\n", - ipv6, - (int) (sizeof dumstat->st_ino * 8), -- (int) (sizeof (uint64) * 8)); -+ (int) (sizeof (uint64) * 8), ssl); + + rprintf(f, "%s version %s protocol version %d%s\n", + RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION, subprotocol); +@@ -613,8 +625,8 @@ static void print_rsync_version(enum logcode f) + (int)(sizeof (int64) * 8)); + rprintf(f, " %ssocketpairs, %shardlinks, %ssymlinks, %sIPv6, batchfiles, %sinplace,\n", + got_socketpair, hardlinks, links, ipv6, have_inplace); +- rprintf(f, " %sappend, %sACLs, %sxattrs, %siconv, %ssymtimes\n", +- have_inplace, acls, xattrs, iconv, symtimes); ++ rprintf(f, " %sappend, %sACLs, %sxattrs, %siconv, %ssymtimes, %sSSL\n", ++ have_inplace, acls, xattrs, iconv, symtimes, ssl); + #ifdef MAINTAINER_MODE - rprintf(f, " panic action: \"%s\"\n", - get_panic_action()); -@@ -295,6 +307,13 @@ void usage(enum logcode F) - rprintf(F," -4 prefer IPv4\n"); - rprintf(F," -6 prefer IPv6\n"); + rprintf(f, "Panic Action: \"%s\"\n", get_panic_action()); +@@ -785,6 +797,13 @@ void usage(enum logcode F) #endif + rprintf(F," -4, --ipv4 prefer IPv4\n"); + rprintf(F," -6, --ipv6 prefer IPv6\n"); +#ifdef HAVE_OPENSSL + rprintf(F," --ssl allow socket connections to use SSL\n"); -+ rprintf(F," --ssl-cert=FILE path to server's SSL certificate\n"); -+ rprintf(F," --ssl-key=FILE path to server's SSL private key\n"); ++ rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n"); ++ rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n"); + rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n"); + rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n"); +#endif + rprintf(F," --version print version number\n"); + rprintf(F,"(-h) --help show this help (-h works with no other options)\n"); + +@@ -798,7 +817,7 @@ enum {OPT_VERSION = 1000, OPT_DAEMON, OPT_SENDER, OPT_EXCLUDE, OPT_EXCLUDE_FROM, + OPT_FILTER, OPT_COMPARE_DEST, OPT_COPY_DEST, OPT_LINK_DEST, OPT_HELP, + OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, OPT_MIN_SIZE, OPT_CHMOD, + OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_ONLY_WRITE_BATCH, OPT_MAX_SIZE, +- OPT_NO_D, OPT_APPEND, OPT_NO_ICONV, OPT_INFO, OPT_DEBUG, ++ OPT_NO_D, OPT_APPEND, OPT_NO_ICONV, OPT_INFO, OPT_DEBUG, OPT_USE_SSL, + OPT_USERMAP, OPT_GROUPMAP, OPT_CHOWN, OPT_BWLIMIT, + OPT_SERVER, OPT_REFUSED_BASE = 9000}; + +@@ -1013,6 +1032,13 @@ static struct poptOption long_options[] = { + {"checksum-seed", 0, POPT_ARG_INT, &checksum_seed, 0, 0, 0 }, + {"server", 0, POPT_ARG_NONE, 0, OPT_SERVER, 0, 0 }, + {"sender", 0, POPT_ARG_NONE, 0, OPT_SENDER, 0, 0 }, ++#ifdef HAVE_OPENSSL ++ {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0}, ++ {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0}, ++ {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0}, ++ {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0}, ++ {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0}, ++#endif + /* All the following options switch us into daemon-mode option-parsing. */ + {"config", 0, POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 }, + {"daemon", 0, POPT_ARG_NONE, 0, OPT_DAEMON, 0, 0 }, +@@ -1040,6 +1066,13 @@ static void daemon_usage(enum logcode F) + rprintf(F," -v, --verbose increase verbosity\n"); + rprintf(F," -4, --ipv4 prefer IPv4\n"); + rprintf(F," -6, --ipv6 prefer IPv6\n"); ++#ifdef HAVE_OPENSSL ++ rprintf(F," --ssl allow socket connections to use SSL\n"); ++ rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n"); ++ rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n"); ++ rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n"); ++ rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n"); ++#endif + rprintf(F," --help show this help screen\n"); rprintf(F,"\n"); - -@@ -305,7 +324,7 @@ void usage(enum logcode F) - enum {OPT_VERSION = 1000, OPT_SENDER, OPT_EXCLUDE, OPT_EXCLUDE_FROM, - OPT_DELETE_AFTER, OPT_DELETE_EXCLUDED, OPT_LINK_DEST, - OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, -- OPT_READ_BATCH, OPT_WRITE_BATCH, -+ OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_USE_SSL, - OPT_REFUSED_BASE = 9000}; - - static struct poptOption long_options[] = { -@@ -390,6 +409,13 @@ static struct poptOption long_options[] - {0, '4', POPT_ARG_VAL, &default_af_hint, AF_INET, 0, 0 }, - {0, '6', POPT_ARG_VAL, &default_af_hint, AF_INET6, 0, 0 }, - #endif +@@ -1065,6 +1098,13 @@ static struct poptOption long_daemon_options[] = { + {"protocol", 0, POPT_ARG_INT, &protocol_version, 0, 0, 0 }, + {"server", 0, POPT_ARG_NONE, &am_server, 0, 0, 0 }, + {"temp-dir", 'T', POPT_ARG_STRING, &tmpdir, 0, 0, 0 }, +#ifdef HAVE_OPENSSL -+ {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0}, -+ {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0}, -+ {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0}, ++ {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0}, ++ {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0}, ++ {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0}, + {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0}, -+ {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0}, ++ {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0}, +#endif - {0,0,0,0, 0, 0, 0} - }; + {"verbose", 'v', POPT_ARG_NONE, 0, 'v', 0, 0 }, + {"no-verbose", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 }, + {"no-v", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 }, +@@ -1360,6 +1400,12 @@ int parse_arguments(int *argc_p, const char ***argv_p) + verbose++; + break; -@@ -584,6 +610,12 @@ int parse_arguments(int *argc, const cha ++#ifdef HAVE_OPENSSL ++ case OPT_USE_SSL: ++ use_ssl = 1; ++ break; ++#endif ++ + default: + rprintf(FERROR, + "rsync: %s: %s (in daemon mode)\n", +@@ -1386,6 +1432,17 @@ int parse_arguments(int *argc_p, const char ***argv_p) + exit_cleanup(RERR_SYNTAX); + } + ++#ifdef HAVE_OPENSSL ++ if (use_ssl) { ++ if (init_tls()) { ++ snprintf(err_buf, sizeof(err_buf), ++ "Openssl error: %s\n", ++ get_ssl_error()); ++ return 0; ++ } ++ } ++#endif ++ + *argv_p = argv = poptGetArgs(pc); + *argc_p = argc = count_args(argv); + am_starting_up = 0; +@@ -1764,6 +1821,12 @@ int parse_arguments(int *argc_p, const char ***argv_p) return 0; #endif -+ case OPT_USE_SSL: +#ifdef HAVE_OPENSSL ++ case OPT_USE_SSL: + use_ssl = 1; -+#endif + break; ++#endif + default: /* A large opt value means that set_refuse_options() - * turned this option off (opt-BASE is its index). */ -@@ -722,6 +754,17 @@ int parse_arguments(int *argc, const cha + * turned this option off. */ +@@ -2160,6 +2223,17 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (delay_updates && !partial_dir) + partial_dir = tmp_partialdir; - if (do_progress && !verbose) - verbose = 1; -+ +#ifdef HAVE_OPENSSL + if (use_ssl) { + if (init_tls()) { @@ -433,51 +390,62 @@ LEvhhkUglOm3xMyrdJT4u9Q= + } + } +#endif - - if (files_from) { - char *colon; ---- proto.h 22 Apr 2004 09:58:09 -0000 1.189 -+++ proto.h 25 Apr 2004 18:37:24 -0000 -@@ -209,6 +209,12 @@ void start_accept_loop(int port, int (*f - void set_socket_options(int fd, char *options); - void become_daemon(void); - int sock_exec(const char *prog); -+int init_tls(void); -+char *get_ssl_error(void); -+int get_tls_rfd(void); -+int get_tls_wfd(void); -+int start_tls(int f_in, int f_out); -+void end_tls(void); - int do_unlink(char *fname); - int do_symlink(char *fname1, char *fname2); - int do_link(char *fname1, char *fname2); ---- rsync.h 22 Apr 2004 09:58:24 -0000 1.198 -+++ rsync.h 25 Apr 2004 18:37:24 -0000 -@@ -32,6 +32,7 @@ ++ + if (inplace) { + #ifdef HAVE_FTRUNCATE + if (partial_dir) { +@@ -2750,9 +2824,18 @@ char *check_for_hostspec(char *s, char **host_ptr, int *port_ptr) + { + char *path; + +- if (port_ptr && strncasecmp(URL_PREFIX, s, strlen(URL_PREFIX)) == 0) { +- *host_ptr = parse_hostspec(s + strlen(URL_PREFIX), &path, port_ptr); +- if (*host_ptr) { ++ if (port_ptr) { ++ int url_prefix_len; ++ if (strncasecmp(URL_PREFIX, s, sizeof URL_PREFIX - 1) == 0) ++ url_prefix_len = sizeof URL_PREFIX - 1; ++ else if (strncasecmp(SSL_URL_PREFIX, s, sizeof SSL_URL_PREFIX - 1) == 0) { ++ if (!use_ssl) ++ init_tls(); ++ use_ssl = 1; ++ url_prefix_len = sizeof SSL_URL_PREFIX - 1; ++ } else ++ url_prefix_len = 0; ++ if (url_prefix_len && (*host_ptr = parse_hostspec(s + url_prefix_len, &path, port_ptr))) { + if (!*port_ptr) + *port_ptr = RSYNC_PORT; + return path; +diff --git a/rsync.h b/rsync.h +--- a/rsync.h ++++ b/rsync.h +@@ -31,6 +31,7 @@ #define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock" #define URL_PREFIX "rsync://" +#define SSL_URL_PREFIX "rsyncs://" - #define BACKUP_SUFFIX "~" + #define SYMLINK_PREFIX "/rsyncd-munged/" /* This MUST have a trailing slash! */ + #define SYMLINK_PREFIX_LEN ((int)sizeof SYMLINK_PREFIX - 1) +@@ -581,6 +582,11 @@ typedef unsigned int size_t; + # define SIZEOF_INT64 SIZEOF_OFF_T + #endif -@@ -321,6 +322,11 @@ enum msgcode { - #else - /* As long as it gets... */ - #define uint64 unsigned off_t -+#endif -+ -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL +#include +#include - #endif - - /* Starting from protocol version 26, we always use 64-bit ---- /dev/null 1 Jan 1970 00:00:00 -0000 -+++ ssl.c 25 Apr 2004 18:37:24 -0000 -@@ -0,0 +1,366 @@ ++#endif ++ + struct hashtable { + void *nodes; + int32 size, entries; +diff --git a/ssl.c b/ssl.c +new file mode 100644 +--- /dev/null ++++ b/ssl.c +@@ -0,0 +1,369 @@ +/* -*- c-file-style: "linux" -*- -+ * ssl.c: operations for negotiating SSL rsync connections. ++ * ssl.c: operations for negotiating SSL rsync connections. + * + * Copyright (C) 2003 Casey Marshall + * @@ -485,12 +453,12 @@ LEvhhkUglOm3xMyrdJT4u9Q= + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. -+ * ++ * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. -+ * ++ * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. @@ -509,7 +477,6 @@ LEvhhkUglOm3xMyrdJT4u9Q= + +#define BUF_SIZE 1024 + -+extern int verbose; +extern int am_daemon; +extern int am_server; + @@ -525,6 +492,10 @@ LEvhhkUglOm3xMyrdJT4u9Q= +static int ssl_running; +static int ssl_pid = -1; + ++#ifdef HAVE_SIGACTION ++static struct sigaction sigact; ++#endif ++ +/** + * A non-interactive callback to be passed to SSL_CTX_set_default_password_cb, + * which merely copies the value of ssl_key_passwd into buf. This is @@ -532,7 +503,7 @@ LEvhhkUglOm3xMyrdJT4u9Q= + */ +static int default_password_cb(char *buf, int n, UNUSED(int f), UNUSED(void *u)) +{ -+ if (ssl_key_passwd == NULL || n < strlen(ssl_key_passwd)) ++ if (ssl_key_passwd == NULL || n < (int)strlen(ssl_key_passwd)) + return 0; + strncpy(buf, ssl_key_passwd, n-1); + return strlen(ssl_key_passwd); @@ -541,7 +512,7 @@ LEvhhkUglOm3xMyrdJT4u9Q= +/** + * If verbose, this method traces the status of the SSL handshake. + */ -+static void info_callback(SSL *ssl, int cb, int val) ++static void info_callback(const SSL *ssl, int cb, int val) +{ + char buf[128]; + char *cbs; @@ -591,10 +562,10 @@ LEvhhkUglOm3xMyrdJT4u9Q= + cbs = buf; + break; + } -+ if (verbose > 2) { ++ if (DEBUG_GTE(CONNECT, 1)) { + rprintf(FLOG, "SSL: info_callback(%p,%s,%d)\n", ssl, cbs, val); + if (cb == SSL_CB_HANDSHAKE_DONE) { -+ SSL_CIPHER_description(SSL_get_current_cipher(ssl), ++ SSL_CIPHER_description(SSL_get_current_cipher((SSL*)ssl), + buf, sizeof buf); + rprintf(FLOG, "SSL: cipher: %s", buf); + } @@ -713,7 +684,7 @@ LEvhhkUglOm3xMyrdJT4u9Q= + return 0; + } + -+ signal(SIGUSR1, tls_sigusr1); ++ SIGACTION(SIGUSR1, tls_sigusr1); + ssl = SSL_new(ssl_ctx); + if (!ssl) + goto closed;