Commit b4a49975bc0a53555face96f5e0a970e6ac34943 - librelp

Merge tag 'upstream/1.2.5' Upstream version 1.2.5 Michael Biebl 10 years ago

6 changed file(s) with 127 addition(s) and 29 deletion(s). Raw diff Collapse all Expand all

-0

ChangeLog less more

	0	----------------------------------------------------------------------
	1	Version 1.2.5 - 2014-03-20
	2	- permit to use anonymous TLS on platforms where GnuTLS misses
	3	certificate verification function. This permits to use at least
	4	anon TLS on platforms like RHEL and CENTOS 6.
0	5	----------------------------------------------------------------------
1	6	Version 1.2.4 - 2014-03-17
2	7	- correct API/ABI change in 1.2.3

-0

config.h.in less more

17	17
18	18	/* Define to 1 if you have the `epoll_create1' function. */
19	19	#undef HAVE_EPOLL_CREATE1
	20
	21	/* do we have gnutls_certificate_set_verify_function */
	22	#undef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION
20	23
21	24	/* Define to 1 if you have the <inttypes.h> header file. */
22	25	#undef HAVE_INTTYPES_H

+70

-24

configure less more

0	0	#! /bin/sh
1	1	# Guess values for system-dependent variables and create Makefiles.
2		# Generated by GNU Autoconf 2.69 for librelp 1.2.4.
	2	# Generated by GNU Autoconf 2.69 for librelp 1.2.5.
3	3	#
4	4	# Report bugs to <rgerhards@adiscon.com>.
5	5	#

589	589	# Identity of this package.
590	590	PACKAGE_NAME='librelp'
591	591	PACKAGE_TARNAME='librelp'
592		PACKAGE_VERSION='1.2.4'
593		PACKAGE_STRING='librelp 1.2.4'
	592	PACKAGE_VERSION='1.2.5'
	593	PACKAGE_STRING='librelp 1.2.5'
594	594	PACKAGE_BUGREPORT='rgerhards@adiscon.com'
595	595	PACKAGE_URL=''
596	596

1322	1322	# Omit some internal or obsolete options to make the list less imposing.
1323	1323	# This message is too long to be a string in the A/UX 3.1 sh.
1324	1324	cat <<_ACEOF
1325		\`configure' configures librelp 1.2.4 to adapt to many kinds of systems.
	1325	\`configure' configures librelp 1.2.5 to adapt to many kinds of systems.
1326	1326
1327	1327	Usage: $0 [OPTION]... [VAR=VALUE]...
1328	1328

1392	1392
1393	1393	if test -n "$ac_init_help"; then
1394	1394	case $ac_init_help in
1395		short \| recursive ) echo "Configuration of librelp 1.2.4:";;
	1395	short \| recursive ) echo "Configuration of librelp 1.2.5:";;
1396	1396	esac
1397	1397	cat <<\_ACEOF
1398	1398

1507	1507	test -n "$ac_init_help" && exit $ac_status
1508	1508	if $ac_init_version; then
1509	1509	cat <<\_ACEOF
1510		librelp configure 1.2.4
	1510	librelp configure 1.2.5
1511	1511	generated by GNU Autoconf 2.69
1512	1512
1513	1513	Copyright (C) 2012 Free Software Foundation, Inc.

2033	2033	This file contains any messages produced by compilers while
2034	2034	running configure, to aid debugging if configure makes a mistake.
2035	2035
2036		It was created by librelp $as_me 1.2.4, which was
	2036	It was created by librelp $as_me 1.2.5, which was
2037	2037	generated by GNU Autoconf 2.69. Invocation command line was
2038	2038
2039	2039	$ $0 $@

2896	2896
2897	2897	# Define the identity of the package.
2898	2898	PACKAGE='librelp'
2899		VERSION='1.2.4'
	2899	VERSION='1.2.5'
2900	2900
2901	2901
2902	2902	cat >>confdefs.h <<_ACEOF

2969	2969
2970	2970	# Define the identity of the package.
2971	2971	PACKAGE='librelp'
2972		VERSION='1.2.4'
	2972	VERSION='1.2.5'
2973	2973
2974	2974
2975	2975	cat >>confdefs.h <<_ACEOF

12618	12618	pkg_cv_GNUTLS_CFLAGS="$GNUTLS_CFLAGS"
12619	12619	elif test -n "$PKG_CONFIG"; then
12620	12620	if test -n "$PKG_CONFIG" && \
12621		{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gnutls >= 2.9.10\""; } >&5
12622		($PKG_CONFIG --exists --print-errors "gnutls >= 2.9.10") 2>&5
	12621	{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gnutls >= 2.0.0\""; } >&5
	12622	($PKG_CONFIG --exists --print-errors "gnutls >= 2.0.0") 2>&5
12623	12623	ac_status=$?
12624	12624	$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
12625	12625	test $ac_status = 0; }; then
12626		pkg_cv_GNUTLS_CFLAGS=`$PKG_CONFIG --cflags "gnutls >= 2.9.10" 2>/dev/null`
	12626	pkg_cv_GNUTLS_CFLAGS=`$PKG_CONFIG --cflags "gnutls >= 2.0.0" 2>/dev/null`
12627	12627	test "x$?" != "x0" && pkg_failed=yes
12628	12628	else
12629	12629	pkg_failed=yes

12635	12635	pkg_cv_GNUTLS_LIBS="$GNUTLS_LIBS"
12636	12636	elif test -n "$PKG_CONFIG"; then
12637	12637	if test -n "$PKG_CONFIG" && \
12638		{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gnutls >= 2.9.10\""; } >&5
12639		($PKG_CONFIG --exists --print-errors "gnutls >= 2.9.10") 2>&5
	12638	{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gnutls >= 2.0.0\""; } >&5
	12639	($PKG_CONFIG --exists --print-errors "gnutls >= 2.0.0") 2>&5
12640	12640	ac_status=$?
12641	12641	$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
12642	12642	test $ac_status = 0; }; then
12643		pkg_cv_GNUTLS_LIBS=`$PKG_CONFIG --libs "gnutls >= 2.9.10" 2>/dev/null`
	12643	pkg_cv_GNUTLS_LIBS=`$PKG_CONFIG --libs "gnutls >= 2.0.0" 2>/dev/null`
12644	12644	test "x$?" != "x0" && pkg_failed=yes
12645	12645	else
12646	12646	pkg_failed=yes

12661	12661	_pkg_short_errors_supported=no
12662	12662	fi
12663	12663	if test $_pkg_short_errors_supported = yes; then
12664		GNUTLS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gnutls >= 2.9.10" 2>&1`
	12664	GNUTLS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gnutls >= 2.0.0" 2>&1`
12665	12665	else
12666		GNUTLS_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gnutls >= 2.9.10" 2>&1`
	12666	GNUTLS_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gnutls >= 2.0.0" 2>&1`
12667	12667	fi
12668	12668	# Put the nasty error message in config.log where it belongs
12669	12669	echo "$GNUTLS_PKG_ERRORS" >&5
12670	12670
12671		as_fn_error $? "Package requirements (gnutls >= 2.9.10) were not met:
	12671	as_fn_error $? "Package requirements (gnutls >= 2.0.0) were not met:
12672	12672
12673	12673	$GNUTLS_PKG_ERRORS
12674	12674

12703	12703
12704	12704	$as_echo "#define ENABLE_TLS 1" >>confdefs.h
12705	12705
12706		fi
	12706	# Check if we have support for proper cert validation
	12707	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have gnutls_certificate_set_verify_function" >&5
	12708	$as_echo_n "checking if we have gnutls_certificate_set_verify_function... " >&6; }
	12709	save_CFLAGS="$CFLAGS"
	12710	CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
	12711	save_LIBS="$LIBS"
	12712	LIBS="$LIBS $GNUTLS_LIBS"
	12713	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
	12714	/* end confdefs.h. */
	12715
	12716	#include <gnutls/gnutls.h>
	12717	#include <gnutls/x509.h>
	12718
	12719	int
	12720	main ()
	12721	{
	12722
	12723	gnutls_certificate_set_verify_function(NULL, NULL);
	12724
	12725	;
	12726	return 0;
	12727	}
	12728	_ACEOF
	12729	if ac_fn_c_try_link "$LINENO"; then :
	12730
	12731	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
	12732	$as_echo "yes" >&6; }
	12733
	12734	$as_echo "#define HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION 1" >>confdefs.h
	12735
	12736	have_gnutls_certificate_set_verify_function=yes
	12737
	12738	else
	12739
	12740	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no; authentication disabled" >&5
	12741	$as_echo "no; authentication disabled" >&6; }
	12742	have_gnutls_certificate_set_verify_function=no
	12743
	12744
	12745	fi
	12746	rm -f core conftest.err conftest.$ac_objext \
	12747	conftest$ac_exeext conftest.$ac_ext
	12748	CFLAGS="$save_CFLAGS"
	12749	LIBS="$save_LIBS"
	12750	fi
	12751
12707	12752
12708	12753	# debug mode settings
12709	12754	# Check whether --enable-debug was given.

13275	13320	# report actual input values of CONFIG_FILES etc. instead of their
13276	13321	# values after options handling.
13277	13322	ac_log="
13278		This file was extended by librelp $as_me 1.2.4, which was
	13323	This file was extended by librelp $as_me 1.2.5, which was
13279	13324	generated by GNU Autoconf 2.69. Invocation command line was
13280	13325
13281	13326	CONFIG_FILES = $CONFIG_FILES

13341	13386	cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1
13342	13387	ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
13343	13388	ac_cs_version="\\
13344		librelp config.status 1.2.4
	13389	librelp config.status 1.2.5
13345	13390	configured by $0, generated by GNU Autoconf 2.69,
13346	13391	with options \\"\$ac_cs_config\\"
13347	13392

15115	15160	echo "*****************************************************"
15116	15161	echo "librelp will be compiled with the following settings:"
15117	15162	echo
15118		echo "Debug mode enabled: $enable_debug"
15119		echo "TLS enabled: $enable_tls"
15120
	15163	echo "Debug mode enabled: $enable_debug"
	15164	echo "TLS enabled: $enable_tls"
	15165	echo "TLS authentication supported: $have_gnutls_certificate_set_verify_function"
	15166

+29

-4

configure.ac less more

1	1	# Process this file with autoconf to produce a configure script.
2	2
3	3	AC_PREREQ(2.61)
4		AC_INIT([librelp], [1.2.4], [rgerhards@adiscon.com])
	4	AC_INIT([librelp], [1.2.5], [rgerhards@adiscon.com])
5	5	AM_INIT_AUTOMAKE
6	6	AM_INIT_AUTOMAKE
7	7	m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])

57	57	[enable_tls="yes"]
58	58	)
59	59	if test "$enable_tls" = "yes"; then
60		PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.9.10)
	60	PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0)
61	61	AC_DEFINE(ENABLE_TLS, 1, [Defined if TLS support is enabled])
	62	# Check if we have support for proper cert validation
	63	AC_MSG_CHECKING(if we have gnutls_certificate_set_verify_function)
	64	save_CFLAGS="$CFLAGS"
	65	CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
	66	save_LIBS="$LIBS"
	67	LIBS="$LIBS $GNUTLS_LIBS"
	68	AC_TRY_LINK(
	69	[
	70	#include <gnutls/gnutls.h>
	71	#include <gnutls/x509.h>
	72	], [
	73	gnutls_certificate_set_verify_function(NULL, NULL);
	74	],[
	75	AC_MSG_RESULT(yes)
	76	AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION, 1, [do we have gnutls_certificate_set_verify_function])
	77	have_gnutls_certificate_set_verify_function=yes
	78	],[
	79	AC_MSG_RESULT(no; authentication disabled)
	80	have_gnutls_certificate_set_verify_function=no
	81	]
	82	)
	83	CFLAGS="$save_CFLAGS"
	84	LIBS="$save_LIBS"
62	85	fi
	86
63	87
64	88	# debug mode settings
65	89	AC_ARG_ENABLE(debug,

90	114	echo "*****************************************************"
91	115	echo "librelp will be compiled with the following settings:"
92	116	echo
93		echo "Debug mode enabled: $enable_debug"
94		echo "TLS enabled: $enable_tls"
	117	echo "Debug mode enabled: $enable_debug"
	118	echo "TLS enabled: $enable_tls"
	119	echo "TLS authentication supported: $have_gnutls_certificate_set_verify_function"
95	120

-1

src/librelp.h less more

150	150	#define RELP_RET_ERR_INVAL RELPERR_BASE + 41 /*< some parameter is invalid (like EINVAL) /
151	151	#define RELP_RET_ERR_EPOLL_CTL RELPERR_BASE + 42 /*< epoll_ctl() failed /
152	152	#define RELP_RET_ERR_INTERNAL RELPERR_BASE + 43 /*< internal error in librelp (bug) /
153		#define RELP_RET_WRN_NO_KEEPALIVE RELPERR_BASE + 44/*< KEEPALIVE cannot be enabled /
	153	#define RELP_RET_WRN_NO_KEEPALIVE RELPERR_BASE + 44 /*< KEEPALIVE cannot be enabled /
154	154	#define RELP_RET_ERR_NO_TLS RELPERR_BASE + 45 /*< librelp compiled without TLS support /
	155	#define RELP_RET_ERR_NO_TLS_AUTH RELPERR_BASE + 46 /*< platform does not provide TLS auth support /
155	156
156	157	/* some macros to work with librelp error codes */
157	158	#define CHKRet(code) if((iRet = code) != RELP_RET_OK) goto finalize_it

+18

-0

src/tcp.c less more

2	2	* Copyright 2008-2014 by Rainer Gerhards and Adiscon GmbH.
3	3	*
4	4	* This file is part of librelp.
	5	*
	6	* Note: gnutls_certificate_set_verify_function is problematic, as it
	7	* is not available in old GnuTLS versions, but rather important
	8	* for verifying certificates correctly.
5	9	*
6	10	* Librelp is free software: you can redistribute it and/or modify
7	11	* it under the terms of the GNU General Public License as published by

61	65
62	66	#ifdef ENABLE_TLS
63	67	/* forward definitions */
	68	#ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION
64	69	static int relpTcpVerifyCertificateCallback(gnutls_session_t session);
	70	#endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */
65	71	static relpRetVal relpTcpPermittedPeerWildcardCompile(tcpPermittedPeerEntry_t *pEtry);
66	72
67	73	/* helper to free permittedPeer structure */

750	756	}
751	757
752	758	#ifdef ENABLE_TLS
	759	#ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION
753	760	/* Convert a fingerprint to printable data. The function must be provided a
754	761	* sufficiently large buffer. 512 bytes shall always do.
755	762	*/

804	811	}
805	812	return r;
806	813	}
	814	#endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */
807	815
808	816	/* add a wildcard entry to this permitted peer. Entries are always
809	817	* added at the tail of the list. pszStr and lenStr identify the wildcard

931	939	LEAVE_RELPFUNC;
932	940	}
933	941
	942	#ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION
934	943	/* check a peer against a wildcard entry. This is a more lengthy
935	944	* operation.
936	945	*/

1232	1241	gnutls_x509_crt_deinit(cert);
1233	1242	return r;
1234	1243	}
	1244	#endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */
1235	1245
1236	1246	#if 0 /* enable if needed for debugging */
1237	1247	static void logFunction(int level, const char *msg)

1270	1280	}
1271	1281	gnutls_anon_set_server_dh_params(pThis->anoncredSrv, pThis->dh_params);
1272	1282	} else {
	1283	# ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION
1273	1284	r = gnutls_certificate_allocate_credentials(&pThis->xcred);
1274	1285	if(chkGnutlsCode(pThis, "Failed to allocate certificate credentials", RELP_RET_ERR_TLS_SETUP, r)) {
1275	1286	ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP);

1291	1302	if(pThis->authmode == eRelpAuthMode_None)
1292	1303	pThis->authmode = eRelpAuthMode_Fingerprint;
1293	1304	gnutls_certificate_set_verify_function(pThis->xcred, relpTcpVerifyCertificateCallback);
	1305	# else /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */
	1306	ABORT_FINALIZE(RELP_RET_ERR_NO_TLS_AUTH);
	1307	# endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */
1294	1308	}
1295	1309	finalize_it:
1296	1310	LEAVE_RELPFUNC;

1605	1619	ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP);
1606	1620	}
1607	1621	} else {
	1622	# ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION
1608	1623	r = gnutls_certificate_allocate_credentials(&pThis->xcred);
1609	1624	if(chkGnutlsCode(pThis, "Failed to allocate certificate credentials", RELP_RET_ERR_TLS_SETUP, r)) {
1610	1625	ABORT_FINALIZE(RELP_RET_ERR_TLS_SETUP);

1632	1647	if(pThis->authmode == eRelpAuthMode_None)
1633	1648	pThis->authmode = eRelpAuthMode_Fingerprint;
1634	1649	gnutls_certificate_set_verify_function(pThis->xcred, relpTcpVerifyCertificateCallback);
	1650	# else /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */
	1651	ABORT_FINALIZE(RELP_RET_ERR_NO_TLS_AUTH);
	1652	# endif /* #ifdef HAVE_GNUTLS_CERTIFICATE_SET_VERIFY_FUNCTION */
1635	1653	}
1636	1654
1637	1655	gnutls_transport_set_ptr(pThis->session, (gnutls_transport_ptr_t) pThis->sock);