PATCH: optional use gnutls instead of openssl
From: |
Derek Zhou |
Subject: |
PATCH: optional use gnutls instead of openssl |
Date: |
Thu, 14 Jun 2007 11:21:58 -0700 |
Use --enable-gnutls to use gnutls instead of openssl. The default is
still openssl.
Caveats:
* Server side is not tested; I lack a good test case. Client side should be
fine.
* handshake may block. Again I don't have a good test case so I would
rather not write code that may not work.
Derek
Index: SSL/config.h.in
===================================================================
--- SSL/config.h.in (revision 25255)
+++ SSL/config.h.in (working copy)
@@ -53,3 +53,6 @@
/* Define if you have the <utime.h> header file. */
#undef HAVE_UTIME_H
+
+/* Define if using the openssl library for ssl/tls socket operations */
+#undef USE_OPENSSL
Index: SSL/GSSSLHandle.m
===================================================================
--- SSL/GSSSLHandle.m (revision 25255)
+++ SSL/GSSSLHandle.m (working copy)
@@ -42,6 +42,7 @@
#define GNUSTEP_BASE_SOCKET_MESSAGE (WM_USER + 1)
#endif
+#ifdef USE_OPENSSL
/* Because openssl uses `id' as variable name sometime,
while it is an Objective-C reserved keyword. */
#define id id_x_
@@ -49,6 +50,9 @@
#include <openssl/rand.h>
#include <openssl/err.h>
#undef id
+#else /* use gnutls */
+#include <gnutls/gnutls.h>
+#endif
#include <Foundation/Foundation.h>
@@ -80,6 +84,7 @@
#include <unistd.h>
#endif
+#ifdef USE_OPENSSL
static NSString*
sslError(int err)
{
@@ -121,12 +126,18 @@
}
return str;
}
+#endif
-
@interface GSSSLHandle : GSFileHandle <GCFinalization>
{
+#ifdef USE_OPENSSL
SSL_CTX *ctx;
SSL *ssl;
+#else /* use gnutls */
+ gnutls_session_t session;
+ gnutls_certificate_credentials_t xcred;
+ BOOL xcredAllocated;
+#endif
BOOL connected;
}
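Review bot: The three GnuTLS ivars added here carry no comment, and `session` is only meaningful while `connected` is YES, since the disconnect and handshake-failure paths deinitialise it without clearing the pointer. I would add `/* GnuTLS session; valid only while connected == YES */` above `session`, `/* Certificate credentials shared by successive sessions */` above `xcred`, and `/* YES once xcred has been allocated and must be freed */` above `xcredAllocated`. The rest of the @interface's declarations lie outside this hunk.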
@@ -143,6 +154,7 @@
{
if (self == [GSSSLHandle class])
{
+#ifdef USE_OPENSSL
SSL_library_init();
/*
@@ -156,6 +168,9 @@
inf = [[[NSProcessInfo processInfo] globallyUniqueString] UTF8String];
RAND_seed(inf, strlen(inf));
}
+#else /* use gnutls */
+ gnutls_global_init ();
+#endif
}
}
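Review bot: `gnutls_global_init ()` returns an int error code that is discarded here, so a failed library initialisation is silent and only shows up as a confusing error from the first later GnuTLS call. Check it: `if (gnutls_global_init () != 0) NSLog(@"Failed to initialise GnuTLS");`. The OpenSSL branch needs no equivalent because `SSL_library_init` cannot fail. The enclosing `+initialize` begins before this hunk.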
@@ -175,7 +190,11 @@
{
if (connected)
{
+#ifdef USE_OPENSSL
return SSL_read(ssl, buf, len);
+#else /* use gnutls */
+ return gnutls_record_recv(session, buf, len);
+#endif
}
return [super read: buf length: len];
}
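Review bot: `gnutls_record_recv` reports errors as negative GnuTLS codes rather than -1 with `errno`, so a transient `GNUTLS_E_AGAIN`/`GNUTLS_E_INTERRUPTED` (or a `GNUTLS_E_REHANDSHAKE` request) is handed to the caller as though it were a fatal read error, and callers of `read:length:` presumably interpret the result like `read(2)` does. I would retry while the error is non-fatal and normalise the rest: `do { ret = gnutls_record_recv(session, buf, len); } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);` followed by `return ret < 0 ? -1 : ret;` with the GnuTLS message logged. Note also that the `int` `len` is passed to a `size_t` parameter, so if a caller can ever pass a negative length it should be rejected before the call rather than becoming a huge buffer size. The method's signature is outside this hunk.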
@@ -196,6 +215,7 @@
return NO;
}
+#ifdef USE_OPENSSL
/*
* Ensure we have a context and handle to connect with.
*/
@@ -207,6 +227,18 @@
{
ssl = SSL_new(ctx);
}
+#else /* use gnutls */
+ if (!xcredAllocated)
+ {
+ gnutls_certificate_allocate_credentials (&xcred);
+ xcredAllocated = YES;
+ }
+ gnutls_init (&session, GNUTLS_SERVER);
+ gnutls_set_default_priority (session);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+ gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);
+#endif
+#ifdef USE_OPENSSL
/*
* Set non-blocking so accept won't hang if remote end goes wrong.
*/
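Review bot: `gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST)` asks the client for a certificate, but nothing in this patch loads trust anchors into `xcred` or calls `gnutls_certificate_verify_peers2` after the handshake, so the client certificate is requested and then ignored; either drop the request or verify the chain once `gnutls_handshake` succeeds. The return values of `gnutls_certificate_allocate_credentials` and `gnutls_init` are also discarded, and on failure a NULL `session` flows into the following calls; check them, e.g. `if (gnutls_init (&session, GNUTLS_SERVER) != 0) { NSLog(@"Failed to create TLS session"); return NO; }`. As a point of style, the `#endif` immediately followed by `#ifdef USE_OPENSSL` can be collapsed into one conditional block. `sslAccept` continues outside this hunk.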
@@ -279,8 +311,21 @@
return NO;
}
}
+ RELEASE(self);
+#else /* use gnutls */
+ /*
+ * Don't know how to do non-blocking handshake, I'll do the blocking for now
+ */
+ gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) descriptor);
+ ret = gnutls_handshake (session);
+ if (ret != 0)
+ {
+ NSLog(@"Failed to do TLS handshake - %s", gnutls_strerror(ret));
+ gnutls_deinit(session);
+ return NO;
+ }
+#endif
connected = YES;
- RELEASE(self);
return YES;
}
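Review bot: `gnutls_handshake` can return the non-fatal codes `GNUTLS_E_AGAIN` and `GNUTLS_E_INTERRUPTED` (a signal, or a descriptor that is already in non-blocking mode), and the `ret != 0` test treats those as a failed handshake and tears the session down. The documented idiom is to retry until the error is fatal: `do { ret = gnutls_handshake (session); } while (ret < 0 && gnutls_error_is_fatal (ret) == 0);`. The blocking handshake is acknowledged in the cover letter, but the comment should say that a peer which stalls mid-handshake holds this thread indefinitely, unlike the OpenSSL branch above which puts the descriptor in non-blocking mode. `sslAccept` begins before this hunk.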
@@ -300,6 +345,7 @@
return NO;
}
+#ifdef USE_OPENSSL
/*
* Ensure we have a context and handle to connect with.
*/
@@ -311,6 +357,17 @@
{
ssl = SSL_new(ctx);
}
+#else /* use gnutls */
+ if (!xcredAllocated)
+ {
+ gnutls_certificate_allocate_credentials (&xcred);
+ xcredAllocated = YES;
+ }
+ gnutls_init (&session, GNUTLS_CLIENT);
+ gnutls_set_default_priority (session);
+ gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+#endif
+#ifdef USE_OPENSSL
RETAIN(self); // Don't get destroyed during runloop
/*
* Set non-blocking so accept won't hang if remote end goes wrong.
@@ -383,13 +440,27 @@
return NO;
}
}
+ RELEASE(self);
+#else /* use gnutls */
+ /*
+ * Don't know how to do non-blocking handshake, I'll do the blocking for now
+ */
+ gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) descriptor);
+ ret = gnutls_handshake (session);
+ if (ret != 0)
+ {
+ NSLog(@"Failed to do TLS handshake - %s", gnutls_strerror(ret));
+ gnutls_deinit(session);
+ return NO;
+ }
+#endif
connected = YES;
- RELEASE(self);
return YES;
}
- (void) sslDisconnect
{
+#ifdef USE_OPENSSL
if (ssl != 0)
{
if (connected == YES)
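Review bot: After a successful `gnutls_handshake` the client marks itself connected without ever verifying the server's certificate: `xcred` has no trust anchors loaded and `gnutls_certificate_verify_peers2` is never called, so any certificate, self-signed or issued for another host, is accepted, which leaves the connection open to an active man-in-the-middle. The OpenSSL branch's verify mode is outside this hunk and may be equally lax, but the GnuTLS side should verify the chain once there is a way to supply a CA file (`gnutls_certificate_set_x509_trust_file` on `xcred`; `sslSetCertificate:` currently has no CA argument) and bind the leaf to the host name with `gnutls_x509_crt_check_hostname`, or at least document that no verification is performed. The same `GNUTLS_E_AGAIN`/`GNUTLS_E_INTERRUPTED` retry loop as in the server path applies to this handshake too. `sslConnect` begins before this hunk, and `sslDisconnect` continues after it.
```objc
    /* … unchanged: gnutls_handshake and its failure path … */
    /*
     * Verify the server's chain against the trust anchors loaded into
     * xcred; without this step any certificate is accepted.
     */
    {
      unsigned int status = 0;

      ret = gnutls_certificate_verify_peers2 (session, &status);
      if (ret < 0 || status != 0)
        {
          NSLog(@"TLS peer certificate not trusted - %s (status 0x%x)",
            ret < 0 ? gnutls_strerror(ret) : "verification failed", status);
          gnutls_bye(session, GNUTLS_SHUT_WR);
          gnutls_deinit(session);
          return NO;
        }
    }
    /* … unchanged: connected = YES; return YES; … */
```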
@@ -405,6 +476,18 @@
SSL_CTX_free(ctx);
ctx = 0;
}
+#else /* use gnutls */
+ if (connected == YES)
+ {
+ gnutls_bye(session, GNUTLS_SHUT_RDWR);
+ gnutls_deinit(session);
+ }
+ if (xcredAllocated)
+ {
+ gnutls_certificate_free_credentials(xcred);
+ xcredAllocated = NO;
+ }
+#endif
connected = NO;
}
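Review bot: `gnutls_bye (session, GNUTLS_SHUT_RDWR)` sends our close_notify and then blocks reading until the peer's close_notify arrives, so on a blocking descriptor a peer that has gone away without closing keeps `sslDisconnect` from returning; `GNUTLS_SHUT_WR` sends the alert and returns without waiting, which is what a disconnect should do, and its non-fatal return codes can be ignored here. The `session` pointer is also left dangling after `gnutls_deinit`; adding `session = NULL;` makes a double disconnect or a later accidental use fail loudly instead of touching freed memory. The method's first lines are outside this hunk.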
@@ -419,6 +502,7 @@
NSLog(@"Attempt to set ssl certificate for a standard file");
return;
}
+#ifdef USE_OPENSSL
/*
* Ensure we have a context to set the certificate for.
*/
@@ -426,11 +510,23 @@
{
ctx = SSL_CTX_new(SSLv23_method());
}
+#else /* use gnutls */
+ if (!xcredAllocated)
+ {
+ gnutls_certificate_allocate_credentials (&xcred);
+ xcredAllocated = YES;
+ }
+#endif
if ([PEMpasswd length] > 0)
{
+#ifdef USE_OPENSSL
SSL_CTX_set_default_passwd_cb_userdata(ctx,
(char*)[PEMpasswd UTF8String]);
+#else /* use gnutls */
+ /* don't know what to do here */
+#endif
}
+#ifdef USE_OPENSSL
if ([certFile length] > 0)
{
ret = SSL_CTX_use_certificate_file(ctx, [certFile UTF8String],
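Review bot: The `/* don't know what to do here */` branch silently drops `PEMpasswd`, so a caller that supplies a passphrase for an encrypted private key gets no indication that GnuTLS cannot use it and only sees a later, unrelated-looking failure when the key file is loaded. Until passphrase support exists, log it: `NSLog(@"PEM passphrase ignored: encrypted private keys are not supported with GnuTLS");`, and state the limitation in the method's documentation. The method's signature lies outside this hunk.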
@@ -451,13 +547,28 @@
privateKey, sslError(ERR_get_error()));
}
}
+#else /* use gnutls */
+ ret = gnutls_certificate_set_x509_key_file (xcred,
+ [certFile UTF8String],
+ [privateKey UTF8String],
+ GNUTLS_X509_FMT_PEM);
+ if (ret!=0)
+ {
+ NSLog(@"Failed to set certificqte/private key file to %@/%@ - %s",
+ certFile, privateKey, gnutls_strerror(ret));
+ }
+#endif
}
- (int) write: (const void*)buf length: (int)len
{
if (connected)
{
+#ifdef USE_OPENSSL
return SSL_write(ssl, buf, len);
+#else /* use gnutls */
+ return gnutls_record_send(session, buf, len);
+#endif
}
return [super write: buf length: len];
}
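Review bot: The GnuTLS branch calls `gnutls_certificate_set_x509_key_file` unconditionally, whereas the OpenSSL branch above only loads files when `[certFile length] > 0`, so `sslSetCertificate:` called with empty paths now logs a spurious failure under GnuTLS; guard it the same way. The success test `ret != 0` is also fragile: GnuTLS error codes are negative, and later releases of this function return the non-negative index of the loaded key pair, so `if (ret < 0)` is the safe form; the message also has a typo, `certificqte`. In `write:length:`, `gnutls_record_send` returns negative GnuTLS codes rather than -1/`errno`, so the same non-fatal retry and error normalisation as on the receive path is needed there. `sslSetCertificate:` begins before this hunk.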
Index: SSL/configure.ac
===================================================================
--- SSL/configure.ac (revision 25255)
+++ SSL/configure.ac (working copy)
@@ -123,21 +123,27 @@
SSLLIBS="${library_flags}"
fi
+AC_ARG_ENABLE(openssl,
+ [ --enable-openssl Enable use of openssl library],,
+ enable_openssl=yes)
+
+AC_ARG_ENABLE(gnutls,
+ [ --enable-gnutls Enable use of gnutls library],,
+ enable_gnutls=no)
+
+AC_ARG_ENABLE(openssl,
+ [ --disable-openssl Disable support for openssl in URL classes],,
+ enable_openssl=yes)
#--------------------------------------------------------------------
# Check OpenSSL for HTTPS support.
#--------------------------------------------------------------------
-AC_ARG_ENABLE(openssl,
- [ --disable-openssl Disable support for openssl in URL classes],,
- enable_openssl=yes)
AC_ARG_WITH(openssl-include,
- [ --with-openssl-include=PATH include path for openssl headers],
+ [ --with-openssl-include=PATH include path for openssl/gnutls headers],
openssl_incdir="$withval", openssl_incdir="no")
AC_ARG_WITH(openssl-library,
- [ --with-openssl-library=PATH library path for openssl libraries],
+ [ --with-openssl-library=PATH library path for openssl/gnutls libraries],
openssl_libdir="$withval", openssl_libdir="no")
-cppflags_temp="$CPPFLAGS"
-
if test "$openssl_incdir" != "no"; then
CPPFLAGS="$CPPFLAGS -I$openssl_incdir"
SSLFLAGS="-I$openssl_incdir"
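Review bot: `AC_ARG_ENABLE(openssl, ...)` is declared twice in this hunk with different help strings, so the option appears twice in `./configure --help` and it is unclear whether `--enable-openssl` or `--disable-openssl` is the documented form. Keep a single declaration, e.g. `AC_ARG_ENABLE(openssl, [ --disable-openssl Disable use of the openssl library],, enable_openssl=yes)`, and leave the help text for the include/library paths as updated.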
@@ -152,10 +158,26 @@
SSLLIBS=
fi
-if test $enable_openssl = yes; then
- ssl_ok=no
- AC_CHECK_HEADERS(openssl/ssl.h)
- if test $ac_cv_header_openssl_ssl_h = yes; then
+AC_CHECK_HEADER(openssl/ssl.h, have_openssl=yes, have_openssl=no)
+AC_CHECK_HEADER(gnutls/gnutls.h, have_gnutls=yes, have_gnutls=no)
+if test $have_openssl = no; then
+ enable_openssl=no
+ # If we don't have openssl but do have gnutls, use gnutls
+ if test $have_gnutls = yes; then
+ enable_gnutls=yes
+ fi
+fi
+if test $have_gnutls = no; then
+ enable_gnutls=no
+fi
+
+ssl_ok=no
+if test $enable_gnutls = yes; then
+ AC_CHECK_LIB(gnutls, gnutls_init)
+ if test $ac_cv_lib_gnutls_gnutls_init = yes; then
+ ssl_ok=yes
+ fi
+elif test $enable_openssl = yes; then
AC_CHECK_LIB(crypto, CRYPTO_malloc)
if test $ac_cv_lib_crypto_CRYPTO_malloc = yes; then
# ssl needs socket on Solaris
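Review bot: When the user passes `--enable-gnutls` but `gnutls/gnutls.h` is not found, `enable_gnutls` is quietly reset to no and the build silently falls back to OpenSSL, the opposite of what was asked for; and `--disable-openssl` with both libraries installed ends with no SSL bundle at all, because the gnutls fallback only fires when the OpenSSL header is absent. I would warn in the first case, `if test $enable_gnutls = yes -a $have_gnutls = no; then AC_MSG_WARN(gnutls requested but gnutls/gnutls.h not found); fi`, and widen the fallback condition to `if test $enable_openssl = no -o $have_openssl = no; then`. The surrounding `if`/`elif` chain continues past this hunk.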
@@ -164,23 +186,20 @@
AC_CHECK_LIB(cipher,des_setkey)
if test $ac_cv_lib_ssl_ssl2_clear = yes; then
ssl_ok=yes
+ AC_DEFINE(USE_OPENSSL,1,
+ [Define if using the openssl library for ssl/tls socket operations])
fi
fi
- fi
- if test $ssl_ok = no; then
- AC_MSG_WARN(SSL bundle will not be built: Could not find openssl libraries)
- fi
-else
- AC_MSG_WARN(SSL bundle will not be built: Openssl disabled by user)
fi
+if test $ssl_ok = no; then
+ AC_MSG_WARN(SSL bundle will not be built)
+fi
HAVE_OPENSSL=$ssl_ok
SSLLIBS="$SSLLIBS $LIBS"
AC_SUBST(HAVE_OPENSSL)
AC_SUBST(SSLFLAGS)
AC_SUBST(SSLLIBS)
-CPPFLAGS="$cppflags_temp";
-
#--------------------------------------------------------------------
# Write the Makefiles
#--------------------------------------------------------------------
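Review bot: The single `AC_MSG_WARN(SSL bundle will not be built)` replaces two messages that said why (libraries not found versus disabled by the user), so a user now has to read config.log to find out which; keep the reason, e.g. `AC_MSG_WARN(SSL bundle will not be built: no usable openssl or gnutls found)` in the `ssl_ok = no` branch and a separate warning when both libraries were disabled. The `CPPFLAGS="$cppflags_temp"` restore is also deleted here (its save is removed in an earlier hunk), so `-I$openssl_incdir` now stays in CPPFLAGS past this point; that is probably harmless at the end of the script, but it is a behaviour change the cover letter does not mention and should be deliberate.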
Index: configure.ac
===================================================================
--- configure.ac (revision 25255)
+++ configure.ac (working copy)
@@ -2147,13 +2147,19 @@
# help file.
#--------------------------------------------------------------------
AC_ARG_ENABLE(openssl,
+ [ --enable-openssl Enable use of openssl library],,
+ enable_openssl=yes)
+AC_ARG_ENABLE(gnutls,
+ [ --enable-gnutls Enable use of gnutls library],,
+ enable_gnutls=no)
+AC_ARG_ENABLE(openssl,
[ --disable-openssl Disable support for openssl in URL classes],,
enable_openssl=yes)
AC_ARG_WITH(openssl-include,
- [ --with-openssl-include=PATH include path for openssl headers],
+ [ --with-openssl-include=PATH include path for openssl/gnutls headers],
openssl_incdir="$withval", openssl_incdir="no")
AC_ARG_WITH(openssl-library,
- [ --with-openssl-library=PATH library path for openssl libraries],
+ [ --with-openssl-library=PATH library path for openssl/gnutls libraries],
openssl_libdir="$withval", openssl_libdir="no")
AC_CONFIG_SUBDIRS(Source/mframe SSL)
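Review bot: This hunk registers `AC_ARG_ENABLE(openssl, ...)` twice with conflicting help text (`--enable-openssl` and `--disable-openssl`), so the option is listed twice in `./configure --help`; keep only one declaration. As far as this hunk shows, nothing at top level consumes the new `enable_gnutls` variable; `AC_CONFIG_SUBDIRS(Source/mframe SSL)` forwards the command-line options to the SSL subconfigure anyway, so if the declaration exists only for the help output a one-line comment saying so would save the next reader the search.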