X-Git-Url: https://mattmccutchen.net/rsync/rsync-patches.git/blobdiff_plain/e621c04178420f97bdfed06deda8ac5276dad594..6240d1e484dd4e3cc4d0dad8d47d58193354784e:/openssl-support.diff diff --git a/openssl-support.diff b/openssl-support.diff index 526e4f0..101cdae 100644 --- a/openssl-support.diff +++ b/openssl-support.diff @@ -1,12 +1,4 @@ -After applying this patch, run these commands for a successful build: - - autoconf - autoheader - ./configure - make proto - make - -Casey Marshall writes: +Casey Marshall wrote: I've been hacking together a way to use rsync with OpenSSL, and have attached my current patch against a recent CVS tree. The details of @@ -20,7 +12,7 @@ this implementation are: #starttls - And, if the server allows SSL, it replies with + And, if the daemon allows SSL, it replies with @RSYNCD: starttls @@ -36,9 +28,15 @@ this implementation are: All warnings apply; I don't do C programming all that often, so I can't say if I've left any cleanup/compatibility errors in the code. +To use this patch, run these commands for a successful build: + + patch -p1 3) { - rprintf(FINFO,"_exit_cleanup(code=%d, file=%s, line=%d): entered\n", - code, safe_fname(file), line); ---- orig/clientserver.c 2005-03-01 03:39:32 -+++ clientserver.c 2004-10-08 20:44:59 -@@ -45,6 +45,9 @@ extern int select_timeout; - extern int orig_umask; - extern int no_detach; - extern int default_af_hint; -+#if HAVE_OPENSSL + /* FALLTHROUGH */ + #include "case_N.h" + +--- old/clientserver.c ++++ new/clientserver.c +@@ -29,6 +29,9 @@ extern int am_sender; + extern int am_server; + extern int am_daemon; + extern int am_root; ++#ifdef HAVE_OPENSSL +extern int use_ssl; +#endif - extern char *bind_address; - extern struct filter_list_struct server_filter_list; - extern char *config_file; -@@ -99,8 +102,18 @@ int start_socket_client(char *host, char - exit_cleanup(RERR_SOCKETIO); + extern int rsync_port; + extern int ignore_errors; + extern int kluge_around_eof; +@@ -112,8 +115,18 @@ int start_socket_client(char *host, int + set_socket_options(fd, sockopts); - ret = start_inband_exchange(user, path, fd, fd, argc); -+ if (ret < 0) + ret = start_inband_exchange(fd, fd, user, remote_argc, remote_argv); ++ if (ret) + return ret; -+ -+#if HAVE_OPENSSL + +- return ret ? ret : client_run(fd, fd, -1, argc, argv); ++#ifdef HAVE_OPENSSL + if (use_ssl) { + int f_in = get_tls_rfd(); + int f_out = get_tls_wfd(); + return client_run(f_in, f_out, -1, argc, argv); + } +#endif - -- return ret < 0? ret : client_run(fd, fd, -1, argc, argv); ++ + return client_run(fd, fd, -1, argc, argv); } - int start_inband_exchange(char *user, char *path, int f_in, int f_out, -@@ -161,6 +174,33 @@ int start_inband_exchange(char *user, ch + static int exchange_protocols(int f_in, int f_out, char *buf, size_t bufsiz, int am_client) +@@ -244,6 +257,32 @@ int start_inband_exchange(int f_in, int if (verbose > 1) - print_child_argv(sargs); + print_child_argv("sending daemon args:", sargs); -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL + if (use_ssl) { + io_printf(f_out, "#starttls\n"); + while (1) { -+ if (!read_line(f_in, line, sizeof(line)-1)) { ++ if (!read_line_old(f_in, line, sizeof line)) { + rprintf(FERROR, "rsync: did not receive reply to #starttls\n"); + return -1; + } @@ -120,9 +121,8 @@ can't say if I've left any cleanup/compatibility errors in the code. + rprintf(FERROR, "%s\n", line); + return -1; + } -+ if (strcmp(line, "@RSYNCD: starttls") == 0) { ++ if (strcmp(line, "@RSYNCD: starttls") == 0) + break; -+ } + rprintf(FINFO, "%s\n", line); + } + if (start_tls(f_in, f_out)) { @@ -135,54 +135,46 @@ can't say if I've left any cleanup/compatibility errors in the code. + } +#endif + - p = strchr(path,'/'); - if (p) *p = 0; + p = strchr(path, '/'); + if (p) *p = '\0'; io_printf(f_out, "%s\n", path); -@@ -189,6 +229,10 @@ int start_inband_exchange(char *user, ch +@@ -272,6 +311,10 @@ int start_inband_exchange(int f_in, int * server to terminate the listing of modules. * We don't want to go on and transfer * anything; just exit. */ -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL + if (use_ssl) + end_tls(); +#endif exit(0); } -@@ -196,6 +240,10 @@ int start_inband_exchange(char *user, ch +@@ -279,6 +322,10 @@ int start_inband_exchange(int f_in, int rprintf(FERROR, "%s\n", line); /* This is always fatal; the server will now * close the socket. */ -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL + if (use_ssl) + end_tls(); +#endif - return RERR_STARTCLIENT; - } else { - rprintf(FINFO,"%s\n", line); -@@ -549,6 +597,7 @@ static void send_listing(int fd) - io_printf(fd,"@RSYNCD: EXIT\n"); - } + return -1; + } -+ - /* this is called when a connection is established to a client - and we want to start talking. The setup of the system is done from - here */ -@@ -598,6 +647,9 @@ int start_daemon(int f_in, int f_out) - if (protocol_version > remote_protocol) - protocol_version = remote_protocol; +@@ -807,6 +854,9 @@ int start_daemon(int f_in, int f_out) + if (exchange_protocols(f_in, f_out, line, sizeof line, 0) < 0) + return -1; -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL +retry: +#endif line[0] = 0; - if (!read_line(f_in, line, sizeof line - 1)) + if (!read_line_old(f_in, line, sizeof line)) return -1; -@@ -607,6 +659,20 @@ int start_daemon(int f_in, int f_out) +@@ -818,6 +868,20 @@ int start_daemon(int f_in, int f_out) return -1; } -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL + if (use_ssl && strcmp(line, "#starttls") == 0) { + io_printf(f_out, "@RSYNCD: starttls\n"); + if (start_tls(f_in, f_out)) { @@ -199,10 +191,10 @@ can't say if I've left any cleanup/compatibility errors in the code. if (*line == '#') { /* it's some sort of command that I don't understand */ io_printf(f_out, "@ERROR: Unknown command '%s'\n", line); ---- orig/configure.in 2005-03-16 02:19:29 -+++ configure.in 2004-07-03 20:22:28 -@@ -271,6 +271,21 @@ yes - AC_SEARCH_LIBS(getaddrinfo, inet6) +--- old/configure.in ++++ new/configure.in +@@ -290,6 +290,21 @@ if test x"$enable_locale" != x"no"; then + AC_DEFINE(CONFIG_LOCALE) fi +AC_ARG_ENABLE(openssl, @@ -223,13 +215,13 @@ can't say if I've left any cleanup/compatibility errors in the code. AC_MSG_CHECKING([whether to call shutdown on all sockets]) case $host_os in *cygwin* ) AC_MSG_RESULT(yes) ---- orig/options.c 2005-03-28 20:56:55 -+++ options.c 2005-03-01 01:34:42 -@@ -157,6 +157,14 @@ int log_format_has_o_or_i = 0; +--- old/options.c ++++ new/options.c +@@ -182,6 +182,14 @@ int logfile_format_has_o_or_i = 0; int always_checksum = 0; int list_only = 0; -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL +int use_ssl = 0; +char *ssl_cert_path = NULL; +char *ssl_key_path = NULL; @@ -240,93 +232,149 @@ can't say if I've left any cleanup/compatibility errors in the code. #define MAX_BATCH_NAME_LEN 256 /* Must be less than MAXPATHLEN-13 */ char *batch_name = NULL; -@@ -181,6 +189,7 @@ static void print_rsync_version(enum log - char const *hardlinks = "no "; +@@ -221,6 +229,7 @@ static void print_rsync_version(enum log char const *links = "no "; + char const *iconv = "no "; char const *ipv6 = "no "; + char const *ssl = "no "; STRUCT_STAT *dumstat; - #ifdef HAVE_SOCKETPAIR -@@ -203,6 +212,10 @@ static void print_rsync_version(enum log - ipv6 = ""; + #if SUBPROTOCOL_VERSION != 0 +@@ -250,6 +259,9 @@ static void print_rsync_version(enum log + #ifdef ICONV_OPTION + iconv = ""; #endif - -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL + ssl = ""; +#endif -+ - rprintf(f, "%s version %s protocol version %d\n", - RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION); - rprintf(f, -@@ -216,10 +229,10 @@ static void print_rsync_version(enum log - /* Note that this field may not have type ino_t. It depends - * on the complicated interaction between largefile feature - * macros. */ -- rprintf(f, " %sinplace, %sIPv6, %d-bit system inums, %d-bit internal inums\n", -+ rprintf(f, " %sinplace, %sIPv6, %d-bit system inums, %d-bit internal inums, %sssl\n", - have_inplace, ipv6, - (int) (sizeof dumstat->st_ino * 8), -- (int) (sizeof (int64) * 8)); -+ (int) (sizeof (int64) * 8), ssl); + + rprintf(f, "%s version %s protocol version %d%s\n", + RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION, subprotocol); +@@ -263,8 +275,8 @@ static void print_rsync_version(enum log + (int)(sizeof (int64) * 8)); + rprintf(f, " %ssocketpairs, %shardlinks, %ssymlinks, %sIPv6, batchfiles, %sinplace,\n", + got_socketpair, hardlinks, links, ipv6, have_inplace); +- rprintf(f, " %sappend, %sACLs, %sxattrs, %siconv\n", +- have_inplace, acls, xattrs, iconv); ++ rprintf(f, " %sappend, %sACLs, %sxattrs, %siconv, %sSSL\n", ++ have_inplace, acls, xattrs, iconv, ssl); + #ifdef MAINTAINER_MODE - rprintf(f, " panic action: \"%s\"\n", - get_panic_action()); -@@ -350,6 +363,13 @@ void usage(enum logcode F) + rprintf(f, "Panic Action: \"%s\"\n", get_panic_action()); +@@ -425,6 +437,13 @@ void usage(enum logcode F) + #endif rprintf(F," -4, --ipv4 prefer IPv4\n"); rprintf(F," -6, --ipv6 prefer IPv6\n"); - #endif -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL + rprintf(F," --ssl allow socket connections to use SSL\n"); -+ rprintf(F," --ssl-cert=FILE path to server's SSL certificate\n"); -+ rprintf(F," --ssl-key=FILE path to server's SSL private key\n"); ++ rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n"); ++ rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n"); + rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n"); + rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n"); +#endif - rprintf(F," -h, --help show this help screen\n"); + rprintf(F," --version print version number\n"); + rprintf(F,"(-h) --help show this help (-h works with no other options)\n"); - rprintf(F,"\nUse \"rsync --daemon --help\" to see the daemon-mode command-line options.\n"); -@@ -360,7 +380,7 @@ void usage(enum logcode F) - enum {OPT_VERSION = 1000, OPT_DAEMON, OPT_SENDER, OPT_EXCLUDE, OPT_EXCLUDE_FROM, - OPT_FILTER, OPT_COMPARE_DEST, OPT_COPY_DEST, OPT_LINK_DEST, - OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, -- OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_TIMEOUT, OPT_MAX_SIZE, -+ OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_TIMEOUT, OPT_MAX_SIZE, OPT_USE_SSL, - OPT_REFUSED_BASE = 9000}; +@@ -438,7 +457,7 @@ enum {OPT_VERSION = 1000, OPT_DAEMON, OP + OPT_FILTER, OPT_COMPARE_DEST, OPT_COPY_DEST, OPT_LINK_DEST, OPT_HELP, + OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, OPT_MIN_SIZE, OPT_CHMOD, + OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_ONLY_WRITE_BATCH, OPT_MAX_SIZE, +- OPT_NO_D, OPT_APPEND, ++ OPT_NO_D, OPT_APPEND, OPT_USE_SSL, + OPT_SERVER, OPT_REFUSED_BASE = 9000}; static struct poptOption long_options[] = { -@@ -459,6 +479,13 @@ static struct poptOption long_options[] - {"ipv4", '4', POPT_ARG_VAL, &default_af_hint, AF_INET, 0, 0 }, - {"ipv6", '6', POPT_ARG_VAL, &default_af_hint, AF_INET6, 0, 0 }, - #endif -+#if HAVE_OPENSSL +@@ -623,6 +642,13 @@ static struct poptOption long_options[] + {"checksum-seed", 0, POPT_ARG_INT, &checksum_seed, 0, 0, 0 }, + {"server", 0, POPT_ARG_NONE, 0, OPT_SERVER, 0, 0 }, + {"sender", 0, POPT_ARG_NONE, 0, OPT_SENDER, 0, 0 }, ++#ifdef HAVE_OPENSSL + {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0}, + {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0}, + {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0}, + {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0}, + {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0}, +#endif - /* All these options switch us into daemon-mode option-parsing. */ - {"address", 0, POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 }, + /* All the following options switch us into daemon-mode option-parsing. */ {"config", 0, POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 }, -@@ -863,6 +890,12 @@ int parse_arguments(int *argc, const cha - basis_dir[basis_dir_cnt++] = (char *)arg; - break; + {"daemon", 0, POPT_ARG_NONE, 0, OPT_DAEMON, 0, 0 }, +@@ -648,6 +674,13 @@ static void daemon_usage(enum logcode F) + rprintf(F," -v, --verbose increase verbosity\n"); + rprintf(F," -4, --ipv4 prefer IPv4\n"); + rprintf(F," -6, --ipv6 prefer IPv6\n"); ++#ifdef HAVE_OPENSSL ++ rprintf(F," --ssl allow socket connections to use SSL\n"); ++ rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n"); ++ rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n"); ++ rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n"); ++ rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n"); ++#endif + rprintf(F," --help show this help screen\n"); + + rprintf(F,"\n"); +@@ -672,6 +705,13 @@ static struct poptOption long_daemon_opt + {"protocol", 0, POPT_ARG_INT, &protocol_version, 0, 0, 0 }, + {"server", 0, POPT_ARG_NONE, &am_server, 0, 0, 0 }, + {"temp-dir", 'T', POPT_ARG_STRING, &tmpdir, 0, 0, 0 }, ++#ifdef HAVE_OPENSSL ++ {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0}, ++ {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0}, ++ {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0}, ++ {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0}, ++ {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0}, ++#endif + {"verbose", 'v', POPT_ARG_NONE, 0, 'v', 0, 0 }, + {"no-verbose", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 }, + {"no-v", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 }, +@@ -946,6 +986,12 @@ int parse_arguments(int *argc_p, const c + verbose++; + break; ++#ifdef HAVE_OPENSSL ++ case OPT_USE_SSL: ++ use_ssl = 1; ++ break; ++#endif ++ + default: + rprintf(FERROR, + "rsync: %s: %s (in daemon mode)\n", +@@ -969,6 +1015,17 @@ int parse_arguments(int *argc_p, const c + exit_cleanup(RERR_SYNTAX); + } + ++#ifdef HAVE_OPENSSL ++ if (use_ssl) { ++ if (init_tls()) { ++ snprintf(err_buf, sizeof(err_buf), ++ "Openssl error: %s\n", ++ get_ssl_error()); ++ return 0; ++ } ++ } ++#endif ++ + *argv_p = argv = poptGetArgs(pc); + *argc_p = argc = count_args(argv); + am_starting_up = 0; +@@ -1221,6 +1278,12 @@ int parse_arguments(int *argc_p, const c + return 0; + #endif + ++#ifdef HAVE_OPENSSL + case OPT_USE_SSL: -+#if HAVE_OPENSSL + use_ssl = 1; -+#endif + break; ++#endif + default: /* A large opt value means that set_refuse_options() * turned this option off. */ -@@ -1112,6 +1145,17 @@ int parse_arguments(int *argc, const cha +@@ -1536,6 +1599,17 @@ int parse_arguments(int *argc_p, const c if (delay_updates && !partial_dir) - partial_dir = partialdir_for_delayupdate; + partial_dir = tmp_partialdir; -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL + if (use_ssl) { + if (init_tls()) { + snprintf(err_buf, sizeof(err_buf), @@ -340,17 +388,17 @@ can't say if I've left any cleanup/compatibility errors in the code. if (inplace) { #ifdef HAVE_FTRUNCATE if (partial_dir) { -@@ -1479,11 +1523,28 @@ char *check_for_hostspec(char *s, char * - { +@@ -2011,10 +2085,27 @@ char *check_for_hostspec(char *s, char * char *p; int not_host; + int hostlen; + int url_prefix_len = sizeof URL_PREFIX - 1; - if (port_ptr && strncasecmp(URL_PREFIX, s, strlen(URL_PREFIX)) == 0) { + if (!port_ptr) + url_prefix_len = 0; + else if (strncasecmp(URL_PREFIX, s, url_prefix_len) != 0) { -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL + url_prefix_len = sizeof SSL_URL_PREFIX - 1; + if (strncasecmp(SSL_URL_PREFIX, s, url_prefix_len) != 0) + url_prefix_len = 0; @@ -365,15 +413,14 @@ can't say if I've left any cleanup/compatibility errors in the code. + } + if (url_prefix_len) { char *path; - int hostlen; - s += strlen(URL_PREFIX); + s += url_prefix_len; if ((p = strchr(s, '/')) != NULL) { hostlen = p - s; path = p + 1; ---- orig/rsync.h 2005-03-28 20:56:55 -+++ rsync.h 2004-10-08 21:01:33 -@@ -32,6 +32,7 @@ +--- old/rsync.h ++++ new/rsync.h +@@ -31,6 +31,7 @@ #define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock" #define URL_PREFIX "rsync://" @@ -381,21 +428,21 @@ can't say if I've left any cleanup/compatibility errors in the code. #define BACKUP_SUFFIX "~" -@@ -411,6 +412,11 @@ enum msgcode { +@@ -500,6 +501,11 @@ enum msgcode { # define SIZEOF_INT64 SIZEOF_OFF_T #endif -+#if HAVE_OPENSSL ++#ifdef HAVE_OPENSSL +#include +#include +#endif + - /* Starting from protocol version 26, we always use 64-bit - * ino_t and dev_t internally, even if this platform does not - * allow files to have 64-bit inums. That's because the ---- orig/ssl.c 2004-10-08 19:37:22 -+++ ssl.c 2004-10-08 19:37:22 -@@ -0,0 +1,366 @@ + struct hashtable { + void *nodes; + int32 size, entries; +--- old/ssl.c ++++ new/ssl.c +@@ -0,0 +1,370 @@ +/* -*- c-file-style: "linux" -*- + * ssl.c: operations for negotiating SSL rsync connections. + * @@ -418,7 +465,7 @@ can't say if I've left any cleanup/compatibility errors in the code. + +#include "rsync.h" + -+#if HAVE_SYS_SELECT_H ++#ifdef HAVE_SYS_SELECT_H +#include +#else +#include @@ -445,6 +492,10 @@ can't say if I've left any cleanup/compatibility errors in the code. +static int ssl_running; +static int ssl_pid = -1; + ++#ifdef HAVE_SIGACTION ++static struct sigaction sigact; ++#endif ++ +/** + * A non-interactive callback to be passed to SSL_CTX_set_default_password_cb, + * which merely copies the value of ssl_key_passwd into buf. This is @@ -633,7 +684,7 @@ can't say if I've left any cleanup/compatibility errors in the code. + return 0; + } + -+ signal(SIGUSR1, tls_sigusr1); ++ SIGACTION(SIGUSR1, tls_sigusr1); + ssl = SSL_new(ssl_ctx); + if (!ssl) + goto closed;