Merge branch 'master' into yaz-728
authorAdam Dickmeiss <adam@indexdata.dk>
Thu, 23 Jan 2014 13:00:51 +0000 (14:00 +0100)
committerAdam Dickmeiss <adam@indexdata.dk>
Thu, 23 Jan 2014 13:00:51 +0000 (14:00 +0100)
Conflicts:
configure.ac

configure.ac
doc/comstack.xml
doc/installation.xml
doc/introduction.xml
include/yaz/comstack.h
src/comstack.c
src/tcpip.c

index f4a79c6..c85286f 100644 (file)
@@ -59,6 +59,26 @@ if test "$checkBoth" = "1"; then
     AC_CHECK_FUNC([accept], , [LIBS=$oldLibs])
 fi
 AC_CHECK_FUNC([gethostbyname], ,[AC_CHECK_LIB(nsl, main, [LIBS="$LIBS -lnsl"])])
+dnl ------ libgcrypt
+libgcryptpath=NONE
+AC_ARG_WITH(libgcrypt, [ --with-libgcrypt=DIR  use libgcrypt-config in DIR],[libgcryptpath=$withval])
+if test "$libgcryptpath" != "no"; then
+    if test "$libgcryptpath" = "NONE"; then
+       AC_PATH_PROG([libgcrypt],[libgcrypt-config],[NONE])
+    else
+       libgcrypt=$libgcryptpath/libgcrypt-config
+    fi
+    AC_MSG_CHECKING([for libgcrypt])
+    if "$libgcrypt" --version >/dev/null 2>&1; then
+       LIBS="$LIBS `$libgcrypt --libs`"
+       CFLAGS="$CFLAGS `$libgcrypt --cflags`"
+       libgcryptversion=`$libgcrypt --version`
+       AC_MSG_RESULT([$libgcryptversion])
+       AC_DEFINE([HAVE_GCRYPT_H],[1],[Define to 1 if libgcrypt is present])
+    else
+       AC_MSG_RESULT([no])
+    fi
+fi
 dnl ------ memcached
 memcached=default
 AC_ARG_WITH([memcached], [  --with-memcached        Memcached library], [memcached=$withval])
@@ -68,75 +88,12 @@ if test "$memcached" != "no"; then
        AC_CHECK_HEADERS([libmemcached/memcached.h])
     fi
 fi
-dnl ------ OpenSSL
+dnl ------ GNU TLS
 AC_SUBST([SSL_CFLAGS])
 AC_SUBST([SSL_LIBS])
-openssl=no
-sslver=no
-AC_ARG_WITH([openssl], [  --with-openssl[=PREFIX]   OpenSSL library in PREFIX], [openssl=$withval])
-SSL_CFLAGS=""
-SSL_LIBPATH=""
-if test "$openssl" != "no"; then
-    if test "$openssl" != "yes" -a "$openssl" != "default"; then
-       if test -x $openssl/bin/pkg-config; then
-           if $openssl/bin/pkg-config --exists openssl; then
-               SSL_CFLAGS=`$openssl/bin/pkg-config --cflags openssl`
-               SSL_LIBS="`$openssl/bin/pkg-config --libs openssl`"
-               sslver=`$openssl/bin/pkg-config --modversion openssl`
-           fi
-       fi
-       if test "$sslver" = "no"; then
-           SSL_CFLAGS="-I$openssl/include -I$openssl/include/openssl"
-           SSL_LIBPATH="-L$openssl/lib"
-       fi
-    else
-       if test "$pkgconfigpath" != "NONE"; then
-           if $pkgconfigpath --exists openssl; then
-               SSL_CFLAGS=`$pkgconfigpath --cflags openssl`
-               SSL_LIBS="`$pkgconfigpath --libs openssl`"
-               sslver=`$pkgconfigpath --modversion openssl`
-           fi
-       fi
-       if test "$sslver" = "no"; then
-           SSL_CFLAGS="-I/usr/include/openssl"
-       fi
-    fi
-    if test "$sslver" = "no"; then
-       xLIBS="$LIBS";
-       xCPPFLAGS="$CPPFLAGS";
-       CPPFLAGS="$CPPFLAGS ${SSL_CFLAGS} ${SSL_LIBPATH}"
-       SSL_LIBS="${SSL_LIBPATH}"
-       AC_CHECK_LIB([crypto],[main])
-       if test "$ac_cv_lib_crypto_main" = "yes"; then
-           SSL_LIBS="${SSL_LIBS} -lcrypto"
-       fi
-       AC_CHECK_LIB([ssl],[SSL_new])
-       if test "$ac_cv_lib_ssl_SSL_new" = "yes"; then
-           AC_CHECK_HEADER([openssl/ssl.h],[sslver=yes])
-           SSL_LIBS="${SSL_LIBS} -lssl"
-       fi
-       if test "$sslver" != "yes"; then
-           SSL_LIBS=""
-       fi
-        LIBS="$xLIBS"
-       CPPFLAGS="$xCPPFLAGS"
-    fi
-    AC_MSG_CHECKING([for SSL])
-    if test "$sslver" != "no"; then
-       AC_DEFINE([HAVE_OPENSSL_SSL_H],[1],[Define to 1 if OpenSSL is present])
-       AC_MSG_RESULT([$sslver])
-    else
-       SSL_CFLAGS=""
-       AC_MSG_RESULT([None])
-       if test "$openssl" != "default"; then
-           AC_MSG_ERROR([OpenSSL development libraries missing])
-       fi
-    fi
-fi
-dnl ------ GNU TLS
 gnutls=default
 AC_ARG_WITH([gnutls], [  --with-gnutls[=PREFIX]    GNU TLS library in PREFIX], [gnutls=$withval])
-if test "$gnutls" != "no" -a "$sslver" = "no"; then
+if test "$gnutls" != "no"; then
     gnutlsver=no
     if test "$gnutls" != "yes" -a "$gnutls" != "default"; then
        if test -x $gnutls/bin/pkg-config; then
index 632cb9c..436d84a 100644 (file)
     function <function>cs_create</function>. The third parameter
     <parameter>vp</parameter> is a pointer to &comstack; stack type
     specific values.
-    For SSL (ssl_type) <parameter>vp</parameter> is an already create
-    OpenSSL CTX. For TCP/IP and UNIX <parameter>vp</parameter>
-    is unused (can be set to <literal>NULL</literal>.
+    Parameter <parameter>vp</parameter> is reserved for future use.
+    Set it to <literal>NULL</literal>.
    </para>
 
   </sect1>
index 32ae63f..c9f216e 100644 (file)
       </varlistentry>
 
       <varlistentry><term>
-        <literal>--with-openssl</literal>[=<replaceable>prefix</replaceable>]
-       </term>
-       <listitem><para>&yaz; will be linked with the OpenSSL libraries and
-         an SSL COMSTACK will be provided. If OpenSSL is enabled, GNU TLS
-         is automatically disabled.
-        </para></listitem>
-      </varlistentry>
-
-      <varlistentry><term>
         <literal>--with-icu</literal>[=<replaceable>prefix</replaceable>]
        </term>
        <listitem><para>&yaz; will be linked the
index dd93b10..5ba265f 100644 (file)
@@ -36,8 +36,7 @@
      </para></listitem>
     <listitem><para>
       Secure Socket Layer support using
-      <ulink url="&url.gnutls;">GNU TLS</ulink> or
-      <ulink url="&url.openssl;">OpenSSL</ulink>.
+      <ulink url="&url.gnutls;">GNU TLS</ulink>.
       If enabled, &yaz; uses HTTPS transport (for SOAP) or
       "Secure BER" (for Z39.50).
      </para></listitem>
index b516c96..d5a2c8e 100644 (file)
@@ -126,10 +126,22 @@ YAZ_EXPORT COMSTACK cs_create_host_proxy(const char *vhost,
 YAZ_EXPORT void cs_get_host_args(const char *type_and_host, const char **args);
 YAZ_EXPORT int cs_complete_auto_head(const char *buf, int len);
 YAZ_EXPORT int cs_complete_auto(const char *buf, int len);
-YAZ_EXPORT void *cs_get_ssl(COMSTACK cs);
-YAZ_EXPORT int cs_set_ssl_ctx(COMSTACK cs, void *ctx);
+YAZ_EXPORT void *cs_get_ssl(COMSTACK cs)
+#ifdef __GNUC__
+    __attribute__ ((deprecated))
+#endif
+    ;
+YAZ_EXPORT int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
+#ifdef __GNUC__
+    __attribute__ ((deprecated))
+#endif
+    ;
 YAZ_EXPORT int cs_set_ssl_certificate_file(COMSTACK cs, const char *fname);
-YAZ_EXPORT int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len);
+YAZ_EXPORT int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len)
+#ifdef __GNUC__
+    __attribute__ ((deprecated))
+#endif
+    ;
 YAZ_EXPORT void cs_set_max_recv_bytes(COMSTACK cs, int max_recv_bytes);
 YAZ_EXPORT void cs_print_session_info(COMSTACK cs);
 
index f3f35c2..dfab102 100644 (file)
 #define ENABLE_SSL 1
 #endif
 
-#if HAVE_OPENSSL_SSL_H
-#define ENABLE_SSL 1
-#endif
-
 static const char *cs_errlist[] =
 {
     "No error or unspecified error",
index 95cd26a..610e6ce 100644 (file)
 #define ENABLE_SSL 1
 #endif
 
-#if HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#define ENABLE_SSL 1
-#endif
-
 #include <yaz/comstack.h>
 #include <yaz/tcpip.h>
 #include <yaz/errno.h>
@@ -133,11 +127,6 @@ typedef struct tcpip_state
     struct tcpip_cred_ptr *cred_ptr;
     gnutls_session_t session;
     char cert_fname[256];
-#elif HAVE_OPENSSL_SSL_H
-    SSL_CTX *ctx;       /* current CTX. */
-    SSL_CTX *ctx_alloc; /* If =ctx it is owned by CS. If 0 it is not owned */
-    SSL *ssl;
-    char cert_fname[256];
 #endif
     char *connect_request_buf;
     int connect_request_len;
@@ -215,10 +204,6 @@ COMSTACK tcpip_type(int s, int flags, int protocol, void *vp)
     sp->cred_ptr = 0;
     sp->session = 0;
     strcpy(sp->cert_fname, "yaz.pem");
-#elif HAVE_OPENSSL_SSL_H
-    sp->ctx = sp->ctx_alloc = 0;
-    sp->ssl = 0;
-    strcpy(sp->cert_fname, "yaz.pem");
 #endif
 
 #if HAVE_GETADDRINFO
@@ -288,8 +273,6 @@ COMSTACK ssl_type(int s, int flags, int protocol, void *vp)
 
 #if HAVE_GNUTLS_H
     sp->session = (gnutls_session_t) vp;
-#elif HAVE_OPENSSL_SSL_H
-    sp->ctx = (SSL_CTX *) vp;  /* may be NULL */
 #endif
     /* note: we don't handle already opened socket in SSL mode - yet */
     return p;
@@ -299,22 +282,7 @@ COMSTACK ssl_type(int s, int flags, int protocol, void *vp)
 #if ENABLE_SSL
 static int ssl_check_error(COMSTACK h, tcpip_state *sp, int res)
 {
-#if HAVE_OPENSSL_SSL_H
-    int err = SSL_get_error(sp->ssl, res);
-    TRC(fprintf(stderr, "got err=%d\n", err));
-    if (err == SSL_ERROR_WANT_READ)
-    {
-        TRC(fprintf(stderr, " -> SSL_ERROR_WANT_READ\n"));
-        h->io_pending = CS_WANT_READ;
-        return 1;
-    }
-    if (err == SSL_ERROR_WANT_WRITE)
-    {
-        TRC(fprintf(stderr, " -> SSL_ERROR_WANT_WRITE\n"));
-        h->io_pending = CS_WANT_WRITE;
-        return 1;
-    }
-#elif HAVE_GNUTLS_H
+#if HAVE_GNUTLS_H
     TRC(fprintf(stderr, "ssl_check_error error=%d fatal=%d msg=%s\n",
                 res,
                 gnutls_error_is_fatal(res),
@@ -625,36 +593,6 @@ int tcpip_rcvconnect(COMSTACK h)
             return -1;
         }
     }
-#elif HAVE_OPENSSL_SSL_H
-    if (h->type == ssl_type && !sp->ctx)
-    {
-        SSL_library_init();
-        SSL_load_error_strings();
-
-        sp->ctx = sp->ctx_alloc = SSL_CTX_new(SSLv23_client_method());
-        if (!sp->ctx)
-        {
-            h->cerrno = CSERRORSSL;
-            return -1;
-        }
-    }
-    if (sp->ctx)
-    {
-        int res;
-
-        if (!sp->ssl)
-        {
-            sp->ssl = SSL_new(sp->ctx);
-            SSL_set_fd(sp->ssl, h->iofile);
-        }
-        res = SSL_connect(sp->ssl);
-        if (res <= 0)
-        {
-            if (ssl_check_error(h, sp, res))
-                return 1;
-            return -1;
-        }
-    }
 #endif
     h->event = CS_DATA;
     h->state = CS_ST_DATAXFER;
@@ -697,51 +635,6 @@ static int tcpip_bind(COMSTACK h, void *address, int mode)
             return -1;
         }
     }
-#elif HAVE_OPENSSL_SSL_H
-    if (h->type == ssl_type && !sp->ctx)
-    {
-        SSL_library_init();
-        SSL_load_error_strings();
-
-        sp->ctx = sp->ctx_alloc = SSL_CTX_new(SSLv23_server_method());
-        if (!sp->ctx)
-        {
-            h->cerrno = CSERRORSSL;
-            return -1;
-        }
-    }
-    if (sp->ctx)
-    {
-        if (sp->ctx_alloc)
-        {
-            int res;
-            res = SSL_CTX_use_certificate_file(sp->ctx, sp->cert_fname,
-                                               SSL_FILETYPE_PEM);
-            if (res <= 0)
-            {
-                ERR_print_errors_fp(stderr);
-                exit(2);
-            }
-            res = SSL_CTX_use_PrivateKey_file(sp->ctx, sp->cert_fname,
-                                               SSL_FILETYPE_PEM);
-            if (res <= 0)
-            {
-                ERR_print_errors_fp(stderr);
-                exit(3);
-            }
-            res = SSL_CTX_check_private_key(sp->ctx);
-            if (res <= 0)
-            {
-                ERR_print_errors_fp(stderr);
-                exit(5);
-            }
-        }
-        TRC(fprintf(stderr, "ssl_bind\n"));
-    }
-    else
-    {
-        TRC(fprintf(stderr, "tcpip_bind\n"));
-    }
 #else
     TRC(fprintf(stderr, "tcpip_bind\n"));
 #endif
@@ -954,15 +847,6 @@ COMSTACK tcpip_accept(COMSTACK h)
                                      (gnutls_transport_ptr_t)
                                      (size_t) cnew->iofile);
         }
-#elif HAVE_OPENSSL_SSL_H
-        state->ctx = st->ctx;
-        state->ctx_alloc = 0;
-        state->ssl = st->ssl;
-        if (state->ctx)
-        {
-            state->ssl = SSL_new(state->ctx);
-            SSL_set_fd(state->ssl, cnew->iofile);
-        }
 #endif
         state->connect_request_buf = 0;
         state->connect_response_buf = 0;
@@ -988,25 +872,6 @@ COMSTACK tcpip_accept(COMSTACK h)
             }
             TRC(fprintf(stderr, "SSL_accept complete. gnutls\n"));
         }
-#elif HAVE_OPENSSL_SSL_H
-        tcpip_state *state = (tcpip_state *)h->cprivate;
-        if (state->ctx)
-        {
-            int res;
-            errno = 0;
-            res = SSL_accept(state->ssl);
-            TRC(fprintf(stderr, "SSL_accept res=%d\n", res));
-            if (res <= 0)
-            {
-                if (ssl_check_error(h, state, res))
-                {
-                    return h;
-                }
-                cs_close(h);
-                return 0;
-            }
-            TRC(fprintf(stderr, "SSL_accept complete\n"));
-        }
 #endif
     }
     else
@@ -1375,11 +1240,6 @@ void tcpip_close(COMSTACK h)
 #if HAVE_GNUTLS_H
         if (sp->session)
             gnutls_bye(sp->session, GNUTLS_SHUT_WR);
-#elif HAVE_OPENSSL_SSL_H
-        if (sp->ssl)
-        {
-            SSL_shutdown(sp->ssl);
-        }
 #endif
 #ifdef WIN32
         closesocket(h->iofile);
@@ -1407,15 +1267,6 @@ void tcpip_close(COMSTACK h)
         }
         sp->cred_ptr = 0;
     }
-#elif HAVE_OPENSSL_SSL_H
-    if (sp->ssl)
-    {
-        TRC(fprintf(stderr, "SSL_free\n"));
-        SSL_free(sp->ssl);
-    }
-    sp->ssl = 0;
-    if (sp->ctx_alloc)
-        SSL_CTX_free(sp->ctx_alloc);
 #endif
 #if HAVE_GETADDRINFO
     if (sp->ai)
@@ -1485,14 +1336,6 @@ const char *tcpip_addrstr(COMSTACK h)
         else
             sprintf(buf, "ssl:%s", r);
     }
-#elif HAVE_OPENSSL_SSL_H
-    if (sp->ctx)
-    {
-        if (h->protocol == PROTO_HTTP)
-            sprintf(buf, "https:%s", r);
-        else
-            sprintf(buf, "ssl:%s", r);
-    }
 #endif
     return buf;
 }
@@ -1630,45 +1473,12 @@ void cs_print_session_info(COMSTACK cs)
 
         }
     }
-#elif HAVE_OPENSSL_SSL_H
-    if (cs->type == ssl_type)
-    {
-        struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate;
-        SSL *ssl = (SSL *) sp->ssl;
-        if (ssl)
-        {
-            X509 *server_cert = SSL_get_peer_certificate(ssl);
-            if (server_cert)
-            {
-                char *pem_buf;
-                int pem_len;
-                BIO *bio = BIO_new(BIO_s_mem());
-
-                /* get PEM buffer in memory */
-                PEM_write_bio_X509(bio, server_cert);
-                pem_len = BIO_get_mem_data(bio, &pem_buf);
-                fwrite(pem_buf, pem_len, 1, stdout);
-
-                /* print all info on screen .. */
-                X509_print_fp(stdout, server_cert);
-                BIO_free(bio);
-
-                X509_free(server_cert);
-            }
-        }
-    }
 #endif
 }
 
 void *cs_get_ssl(COMSTACK cs)
 {
-#if HAVE_OPENSSL_SSL_H
-    if (cs && cs->type == ssl_type)
-    {
-        struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate;
-        return sp->ssl;
-    }
-#endif
+    /* doesn't do anything for GNUTLS */
     return 0;
 }
 
@@ -1677,12 +1487,7 @@ int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
 #if ENABLE_SSL
     if (cs && cs->type == ssl_type)
     {
-#if HAVE_OPENSSL_SSL_H
-        struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate;
-        if (sp->ctx_alloc)
-            return 0;
-        sp->ctx = (SSL_CTX *) ctx;
-#endif
+        /* doesn't do anything for GNUTLS */
         return 1;
     }
 #endif
@@ -1705,25 +1510,7 @@ int cs_set_ssl_certificate_file(COMSTACK cs, const char *fname)
 
 int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len)
 {
-#if HAVE_OPENSSL_SSL_H
-    SSL *ssl = (SSL *) cs_get_ssl(cs);
-    if (ssl)
-    {
-        X509 *server_cert = SSL_get_peer_certificate(ssl);
-        if (server_cert)
-        {
-            BIO *bio = BIO_new(BIO_s_mem());
-            char *pem_buf;
-            /* get PEM buffer in memory */
-            PEM_write_bio_X509(bio, server_cert);
-            *len = BIO_get_mem_data(bio, &pem_buf);
-            *buf = (char *) xmalloc(*len);
-            memcpy(*buf, pem_buf, *len);
-            BIO_free(bio);
-            return 1;
-        }
-    }
-#endif
+    /* doesn't do anything for GNUTLS */
     return 0;
 }