From: ueno Date: Thu, 11 Jan 2001 18:43:04 +0000 (+0000) Subject: hoge. X-Git-Url: http://git.chise.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a6862eeb343c629c488af17d8250c084a019cb3;p=elisp%2Fstarttls.git hoge. --- diff --git a/Makefile.am b/Makefile.am index 3a4c44a..ecf39e1 100644 --- a/Makefile.am +++ b/Makefile.am @@ -5,5 +5,5 @@ EXTRA_DIST = starttls.el addrinfo.h basename.c getaddrinfo.c bin_PROGRAMS= starttls lisp_LISP = starttls.el -starttls_SOURCES = starttls.c getopt.c getopt.h getopt1.c +starttls_SOURCES = starttls.c diff --git a/acinclude.m4 b/acinclude.m4 new file mode 100644 index 0000000..90ef457 --- /dev/null +++ b/acinclude.m4 @@ -0,0 +1,163 @@ +dnl Autoconf macros for libgcrypt +dnl $id$ + +# Configure paths for GCRYPT +# Shamelessly stolen from the one of XDELTA by Owen Taylor +# Werner Koch 99-12-09 + +dnl AM_PATH_GCRYPT([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]]) +dnl Test for gcrypt, and define GCRYPT_CFLAGS and GCRYPT_LIBS +dnl +AC_DEFUN(AM_PATH_GCRYPT, +[dnl +dnl Get the cflags and libraries from the libgcrypt-config script +dnl +AC_ARG_WITH(gcrypt-prefix, + [ --with-gcrypt-prefix=PFX Prefix where gcrypt is installed (optional)], + gcrypt_config_prefix="$withval", gcrypt_config_prefix="") +AC_ARG_ENABLE(gcrypttest, + [ --disable-gcrypttest Do not try to compile and run a test gcrypt program], + , enable_gcrypttest=yes) + + if test x$gcrypt_config_prefix != x ; then + gcrypt_config_args="$gcrypt_config_args --prefix=$gcrypt_config_prefix" + if test x${GCRYPT_CONFIG+set} != xset ; then + GCRYPT_CONFIG=$gcrypt_config_prefix/bin/libgcrypt-config + fi + fi + + AC_PATH_PROG(GCRYPT_CONFIG, libgcrypt-config, no) + min_gcrypt_version=ifelse([$1], ,1.1.0,$1) + AC_MSG_CHECKING(for gcrypt - version >= $min_gcrypt_version) + no_gcrypt="" + if test "$GCRYPT_CONFIG" = "no" ; then + no_gcrypt=yes + else + GCRYPT_CFLAGS=`$GCRYPT_CONFIG $gcrypt_config_args --cflags` + GCRYPT_LIBS=`$GCRYPT_CONFIG $gcrypt_config_args --libs` + gcrypt_config_version=`$GCRYPT_CONFIG $gcrypt_config_args --version` + if test "x$enable_gcrypttest" = "xyes" ; then + ac_save_CFLAGS="$CFLAGS" + ac_save_LIBS="$LIBS" + CFLAGS="$CFLAGS $GCRYPT_CFLAGS" + LIBS="$LIBS $GCRYPT_LIBS" +dnl +dnl Now check if the installed gcrypt is sufficiently new. Also sanity +dnl checks the results of libgcrypt-config to some extent +dnl + rm -f conf.gcrypttest + AC_TRY_RUN([ +#include +#include +#include +#include + +int +main () +{ + system ("touch conf.gcrypttest"); + + if( strcmp( gcry_check_version(NULL), "$gcrypt_config_version" ) ) + { + printf("\n*** 'libgcrypt-config --version' returned %s, but GCRYPT (%s)\n", + "$gcrypt_config_version", gcry_check_version(NULL) ); + printf("*** was found! If libgcrypt-config was correct, then it is best\n"); + printf("*** to remove the old version of GCRYPT. You may also be able to fix the error\n"); + printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n"); + printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n"); + printf("*** required on your system.\n"); + printf("*** If libgcrypt-config was wrong, set the environment variable GCRYPT_CONFIG\n"); + printf("*** to point to the correct copy of libgcrypt-config, and remove the file config.cache\n"); + printf("*** before re-running configure\n"); + } + else if ( strcmp(gcry_check_version(NULL), GCRYPT_VERSION ) ) + { + printf("\n*** GCRYPT header file (version %s) does not match\n", GCRYPT_VERSION); + printf("*** library (version %s)\n", gcry_check_version(NULL) ); + } + else + { + if ( gcry_check_version( "$min_gcrypt_version" ) ) + { + return 0; + } + else + { + printf("no\n*** An old version of GCRYPT (%s) was found.\n", + gcry_check_version(NULL) ); + printf("*** You need a version of GCRYPT newer than %s. The latest version of\n", + "$min_gcrypt_version" ); + printf("*** GCRYPT is always available from ftp://ftp.gnupg.org/pub/gcrypt/gnupg.\n"); + printf("*** (It is distributed along with GnuPG).\n"); + printf("*** \n"); + printf("*** If you have already installed a sufficiently new version, this error\n"); + printf("*** probably means that the wrong copy of the libgcrypt-config shell script is\n"); + printf("*** being found. The easiest way to fix this is to remove the old version\n"); + printf("*** of GCRYPT, but you can also set the GCRYPT_CONFIG environment to point to the\n"); + printf("*** correct copy of libgcrypt-config. (In this case, you will have to\n"); + printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n"); + printf("*** so that the correct libraries are found at run-time))\n"); + } + } + return 1; +} +],, no_gcrypt=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"]) + CFLAGS="$ac_save_CFLAGS" + LIBS="$ac_save_LIBS" + fi + fi + if test "x$no_gcrypt" = x ; then + AC_MSG_RESULT(yes) + ifelse([$2], , :, [$2]) + else + if test -f conf.gcrypttest ; then + : + else + AC_MSG_RESULT(no) + fi + if test "$GCRYPT_CONFIG" = "no" ; then + echo "*** The libgcrypt-config script installed by GCRYPT could not be found" + echo "*** If GCRYPT was installed in PREFIX, make sure PREFIX/bin is in" + echo "*** your path, or set the GCRYPT_CONFIG environment variable to the" + echo "*** full path to libgcrypt-config." + else + if test -f conf.gcrypttest ; then + : + else + echo "*** Could not run gcrypt test program, checking why..." + CFLAGS="$CFLAGS $GCRYPT_CFLAGS" + LIBS="$LIBS $GCRYPT_LIBS" + AC_TRY_LINK([ +#include +#include +#include +#include +], [ return !!gcry_check_version(NULL); ], + [ echo "*** The test program compiled, but did not run. This usually means" + echo "*** that the run-time linker is not finding GCRYPT or finding the wrong" + echo "*** version of GCRYPT. If it is not finding GCRYPT, you'll need to set your" + echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point" + echo "*** to the installed location Also, make sure you have run ldconfig if that" + echo "*** is required on your system" + echo "***" + echo "*** If you have an old version installed, it is best to remove it, although" + echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" + echo "***" ], + [ echo "*** The test program failed to compile or link. See the file config.log for the" + echo "*** exact error that occured. This usually means GCRYPT was incorrectly installed" + echo "*** or that you have moved GCRYPT since it was installed. In the latter case, you" + echo "*** may want to edit the libgcrypt-config script: $GCRYPT_CONFIG" ]) + CFLAGS="$ac_save_CFLAGS" + LIBS="$ac_save_LIBS" + fi + fi + GCRYPT_CFLAGS="" + GCRYPT_LIBS="" + ifelse([$3], , :, [$3]) + fi + AC_SUBST(GCRYPT_CFLAGS) + AC_SUBST(GCRYPT_LIBS) + rm -f conf.gcrypttest +]) + +dnl *-*wedit:notab*-* Please keep this as the last line. diff --git a/configure.in b/configure.in index 83c9ed4..2be539a 100644 --- a/configure.in +++ b/configure.in @@ -11,6 +11,18 @@ AC_PROG_RANLIB AC_CHECK_HEADERS(libgen.h sys/select.h socks.h) +AM_PATH_GCRYPT(1.1.1a,, + AC_MSG_ERROR([[ +*** +*** libgcrypt was not found. You may want to get it from +*** ftp://ftp.gnupg.org/pub/gcrypt/alpha/gnupg/ +*** +]])) + +LIBS="$LIBS $GCRYPT_LIBS" +AC_CHECK_HEADERS(gnutls.h) +AC_CHECK_LIB(gnutls, gnutls_init) + AC_CHECK_LIB(nsl, gethostbyname) AC_CHECK_LIB(socket, socket) AC_CHECK_TYPE(fd_set, int) @@ -42,16 +54,4 @@ yes ], ac_cv_ni_nofqdn=yes, ac_cv_ni_nofqdn=no)]) test "$ac_cv_ni_nofqdn" = "yes" || AC_DEFINE(NEED_ADDRINFO_H) -AC_ARG_WITH(openssl,[ --with-openssl=PATH use OpenSSL from PATH]) - -if test -n "$with_openssl"; then - CPPFLAGS="${CPPFLAGS} -I${with_openssl}/include" - LDFLAGS="${LDFLAGS} -L${with_openssl}/lib" -fi - -AC_CHECK_HEADER(openssl/ssl.h, [ - AC_CHECK_LIB(crypto, BIO_accept, LIBS="-lcrypto ${LIBS}") - AC_CHECK_LIB(ssl, SSL_CTX_new, LIBS="-lssl ${LIBS}")], - AC_MSG_ERROR([OpenSSL not installed - please install first])) - AC_OUTPUT(Makefile) diff --git a/starttls.c b/starttls.c index 27ef839..ea60698 100644 --- a/starttls.c +++ b/starttls.c @@ -29,15 +29,9 @@ #include #include #include - #include - -#include -#include -#include -#include -#include -#include +#include +#include #ifdef HAVE_SOCKS_H #include @@ -57,82 +51,45 @@ #include #include #include -#define _GNU_SOURCE -#include - -static SSL_CTX *tls_ctx = NULL; -static SSL *tls_conn = NULL; -static int tls_fd; - -static char *opt_cert_file = NULL, *opt_key_file = NULL; -static int opt_verify = 0; - -static int -tls_ssl_ctx_new (cert_file, key_file) - const char *cert_file, *key_file; -{ - SSL_load_error_strings (); - SSLeay_add_ssl_algorithms (); - - tls_ctx = SSL_CTX_new (TLSv1_client_method()); - if (!tls_ctx) - return -1; - - SSL_CTX_set_options (tls_ctx, SSL_OP_ALL /* Work around all known bugs */); - - if (cert_file) - { - if (SSL_CTX_use_certificate_file (tls_ctx, cert_file, - SSL_FILETYPE_PEM) <= 0) - return -1; - if (!key_file) - key_file = cert_file; - if (SSL_CTX_use_PrivateKey_file (tls_ctx, key_file, - SSL_FILETYPE_PEM) <= 0) - return -1; - if (!SSL_CTX_check_private_key (tls_ctx)) - return -1; - } - - SSL_CTX_set_verify (tls_ctx, SSL_VERIFY_NONE, NULL); - return 0; -} +static int starttls_connect (const char *, const char *); +static void tls_negotiate (int); +static ssize_t tls_write (int, const void *, size_t); +static ssize_t tls_read (int, void *, size_t); +static int tls_close (int); +static int raw_is_fatal_error (int); +static void usage (char *); -static int -tls_ssl_new(ctx, s) - SSL_CTX *ctx; - int s; +static GNUTLS_STATE tls_state; +typedef struct { - SSL_SESSION *session; - SSL_CIPHER *cipher; - X509 *peer; - - tls_conn = (SSL *) SSL_new (ctx); - if (!tls_conn) - return -1; - SSL_clear(tls_conn); - - if (!SSL_set_fd (tls_conn, s)) - return -1; - - SSL_set_connect_state (tls_conn); - - if (SSL_connect (tls_conn) <= 0) - { - session = SSL_get_session (tls_conn); - if (session) - SSL_CTX_remove_session (ctx, session); - if (tls_conn!=NULL) - SSL_free (tls_conn); - return -1; - } - - return 0; -} + ssize_t (*write) (int, const void *, size_t); + ssize_t (*read) (int, void *, size_t); + int (*close) (int); + int (*is_fatal_error) (int); +} starttls_functions_t; + +static starttls_functions_t tls_functions = + { + tls_write, + tls_read, + tls_close, + gnutls_is_fatal_error + }; + +static starttls_functions_t raw_functions = + { + write, + read, + close, + raw_is_fatal_error + }; + +static starttls_functions_t *starttls_functions; +static int starttls_fd; static int -tls_connect (hostname, service) +starttls_connect (hostname, service) const char *hostname, *service; { struct protoent *proto; @@ -168,30 +125,75 @@ tls_connect (hostname, service) return server; } +static ssize_t +tls_write (fd, buf, count) + int fd; + const void *buf; + size_t count; +{ + return gnutls_write (fd, tls_state, (char *)buf, count); +} + +static ssize_t +tls_read (fd, buf, count) + int fd; + void *buf; + size_t count; +{ + return gnutls_read (fd, tls_state, buf, count); +} + +static int +tls_close(fd) + int fd; +{ + gnutls_close(fd, tls_state); + gnutls_deinit(&tls_state); +} + +static int +raw_is_fatal_error (error) + int error; +{ + return (error < 0 ? 1 : 0); +} + static void tls_negotiate (sig) int sig; { - if (tls_ssl_ctx_new (opt_cert_file, opt_key_file) == -1) - return; - - (void) tls_ssl_new (tls_ctx, tls_fd); /* Negotiation has done. */ + int error; + + gnutls_init (&tls_state, GNUTLS_CLIENT); + gnutls_set_current_version (tls_state, GNUTLS_TLS1); + gnutls_set_cipher_priority (tls_state, 4, GNUTLS_3DES, GNUTLS_TWOFISH, + GNUTLS_RIJNDAEL, GNUTLS_ARCFOUR); + gnutls_set_compression_priority (tls_state, 2, GNUTLS_ZLIB, GNUTLS_NULL_COMPRESSION); + gnutls_set_kx_priority (tls_state, 3, GNUTLS_KX_ANON_DH, GNUTLS_KX_DHE_DSS, + GNUTLS_KX_DHE_RSA); + gnutls_set_mac_priority (tls_state, 2, GNUTLS_MAC_SHA, GNUTLS_MAC_MD5); + error = gnutls_handshake(starttls_fd, tls_state); + + if (error < 0) + { + starttls_functions->close (starttls_fd); + gnutls_perror (error); + exit (-1); + } + else + starttls_functions = &tls_functions; } static void usage (progname) - const char *progname; + char *progname; { printf ("%s (%s) %s\n" - "Copyright (C) 1999 Free Software Foundation, Inc.\n" + "Copyright (C) 2001 Free Software Foundation, Inc.\n" "This program comes with ABSOLUTELY NO WARRANTY.\n" "This is free software, and you are welcome to redistribute it\n" "under certain conditions. See the file COPYING for details.\n\n" - "Usage: %s [options] host port\n\n" - "Options:\n\n" - " --cert-file [file] specify certificate file\n" - " --key-file [file] specify private key file\n" - " --verify [level] set verification level\n", + "Usage: %s host port\n\n", progname, PACKAGE, VERSION, progname); } @@ -206,49 +208,17 @@ main (argc, argv) char buffer[BUFSIZ], *retry; struct sigaction act; - int this_option_optind = optind ? optind : 1; - int option_index = 0, c; - static struct option long_options[] = - { - {"cert-file", 1, 0, 'c'}, - {"key-file", 1, 0, 'k'}, - {"verify", 1, 0, 'v'}, - {0, 0, 0, 0} - }; - - while (1) - { - c = getopt_long (argc, argv, "c:k:v:f", long_options, &option_index); - if (c == -1) - break; - - switch (c) - { - case 'c': - opt_cert_file = optarg; - break; - case 'k': - opt_key_file = optarg; - break; - case 'v': - opt_verify = atoi (optarg); - break; - default: - usage (basename (argv[0])); - return 1; - } - } - - if (optind+2 != argc) + if (argc != 3) { - usage (basename (argv[0])); + usage ((char *)basename (argv[0])); return 1; } - tls_fd = tls_connect (argv[optind], argv[optind+1]); - if (tls_fd < 0) + starttls_functions = &raw_functions; + starttls_fd = starttls_connect (argv[1], argv[2]); + if (starttls_fd < 0) { - perror ("tls_connect"); + perror ("starttls_connect"); return 1; } @@ -260,9 +230,9 @@ main (argc, argv) while (1) { - FD_SET (tls_fd, &readfds); + FD_SET (starttls_fd, &readfds); FD_SET (in, &readfds); - if (select (tls_fd+1, &readfds, NULL, NULL, NULL) == -1 + if (select (starttls_fd+1, &readfds, NULL, NULL, NULL) == -1 && errno != EINTR ) { perror ("select"); @@ -276,26 +246,21 @@ main (argc, argv) goto finish; for (retry = buffer; nbuffer > 0; nbuffer -= wrote, retry += wrote) { - FD_SET (tls_fd, &writefds); - if (select (tls_fd+1, NULL, &writefds, NULL, NULL) == -1) + FD_SET (starttls_fd, &writefds); + if (select (starttls_fd+1, NULL, &writefds, NULL, NULL) == -1) { perror ("select"); return 1; } - if (tls_conn) - wrote = SSL_write (tls_conn, retry, nbuffer); - else - wrote = write (tls_fd, retry, nbuffer); - if (wrote < 0) goto finish; + wrote = starttls_functions->write (starttls_fd, retry, nbuffer); + if (starttls_functions->is_fatal_error (wrote)) + goto finish; } } - if (FD_ISSET (tls_fd, &readfds)) + if (FD_ISSET (starttls_fd, &readfds)) { - if (tls_conn) - nbuffer = SSL_read (tls_conn, buffer, sizeof buffer -1); - else - nbuffer = read (tls_fd, buffer, sizeof buffer -1); - if (nbuffer == 0) + nbuffer = starttls_functions->read (starttls_fd, buffer, sizeof buffer -1); + if (starttls_functions->is_fatal_error (nbuffer)) goto finish; for (retry = buffer; nbuffer > 0; nbuffer -= wrote, retry += wrote) { @@ -312,8 +277,8 @@ main (argc, argv) } finish: - close (in); - close (out); + shutdown(starttls_fd, SHUT_RDWR); + starttls_functions->close (starttls_fd); return 0; }