From c1f23597ea64485e2362d658f3653211202cc6a8 Mon Sep 17 00:00:00 2001
From: Adam Dickmeiss
Date: Thu, 23 Jan 2014 13:10:49 +0100
Subject: [PATCH] Remove SSL via OpenSSL support YAZ-732 Also deprecate three functions from comstack that aren't working with GnuTLS: cs_get_ssl, cs_set_ssl_ctx, cs_get_peer_certificate_x509.
---
 configure.ac | 68 +-------------
 doc/comstack.xml | 5 +-
 doc/installation.xml | 9 -
 doc/introduction.xml | 3 +-
 include/yaz/comstack.h | 18 +++-
 src/comstack.c | 4 -
 src/tcpip.c | 221 +----------------------------------------------
 7 files changed, 24 insertions(+), 304 deletions(-)

diff --git a/configure.ac b/configure.ac
index 1be1a8b..8eb9e8c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -60,76 +60,12 @@ if test "$checkBoth" = "1"; then
 fi
 AC_CHECK_FUNC([gethostbyname], ,[AC_CHECK_LIB(nsl, main, [LIBS="$LIBS -lnsl"])])
 dnl
-
-dnl ------ OpenSSL
+dnl ------ GNU TLS
 AC_SUBST([SSL_CFLAGS])
 AC_SUBST([SSL_LIBS])
-openssl=no
-sslver=no
-AC_ARG_WITH([openssl], [ --with-openssl[=PREFIX] OpenSSL library in PREFIX], [openssl=$withval])
-SSL_CFLAGS=""
-SSL_LIBPATH=""
-if test "$openssl" != "no"; then
- if test "$openssl" != "yes" -a "$openssl" != "default"; then
- if test -x $openssl/bin/pkg-config; then
- if $openssl/bin/pkg-config --exists openssl; then
- SSL_CFLAGS=`$openssl/bin/pkg-config --cflags openssl`
- SSL_LIBS="`$openssl/bin/pkg-config --libs openssl`"
- sslver=`$openssl/bin/pkg-config --modversion openssl`
- fi
- fi
- if test "$sslver" = "no"; then
- SSL_CFLAGS="-I$openssl/include -I$openssl/include/openssl"
- SSL_LIBPATH="-L$openssl/lib"
- fi
- else
- if test "$pkgconfigpath" != "NONE"; then
- if $pkgconfigpath --exists openssl; then
- SSL_CFLAGS=`$pkgconfigpath --cflags openssl`
- SSL_LIBS="`$pkgconfigpath --libs openssl`"
- sslver=`$pkgconfigpath --modversion openssl`
- fi
- fi
- if test "$sslver" = "no"; then
- SSL_CFLAGS="-I/usr/include/openssl"
- fi
- fi
- if test "$sslver" = "no"; then
- xLIBS="$LIBS";
- xCPPFLAGS="$CPPFLAGS";
- CPPFLAGS="$CPPFLAGS ${SSL_CFLAGS} ${SSL_LIBPATH}"
- SSL_LIBS="${SSL_LIBPATH}"
- AC_CHECK_LIB([crypto],[main])
- if test "$ac_cv_lib_crypto_main" = "yes"; then
- SSL_LIBS="${SSL_LIBS} -lcrypto"
- fi
- AC_CHECK_LIB([ssl],[SSL_new])
- if test "$ac_cv_lib_ssl_SSL_new" = "yes"; then
- AC_CHECK_HEADER([openssl/ssl.h],[sslver=yes])
- SSL_LIBS="${SSL_LIBS} -lssl"
- fi
- if test "$sslver" != "yes"; then
- SSL_LIBS=""
- fi
- LIBS="$xLIBS"
- CPPFLAGS="$xCPPFLAGS"
- fi
- AC_MSG_CHECKING([for SSL])
- if test "$sslver" != "no"; then
- AC_DEFINE([HAVE_OPENSSL_SSL_H],[1],[Define to 1 if OpenSSL is present])
- AC_MSG_RESULT([$sslver])
- else
- SSL_CFLAGS=""
- AC_MSG_RESULT([None])
- if test "$openssl" != "default"; then
- AC_MSG_ERROR([OpenSSL development libraries missing])
- fi
- fi
-fi
-dnl ------ GNU TLS
 gnutls=default
 AC_ARG_WITH([gnutls], [ --with-gnutls[=PREFIX] GNU TLS library in PREFIX], [gnutls=$withval])
-if test "$gnutls" != "no" -a "$sslver" = "no"; then
+if test "$gnutls" != "no"; then
 gnutlsver=no
 if test "$gnutls" != "yes" -a "$gnutls" != "default"; then
 if test -x $gnutls/bin/pkg-config; then
diff --git a/doc/comstack.xml b/doc/comstack.xml
index 632cb9c..436d84a 100644
--- a/doc/comstack.xml
+++ b/doc/comstack.xml
@@ -491,9 +491,8 @@ function cs_create. The third parameter vp is a pointer to &comstack; stack type specific values.
- For SSL (ssl_type) vp is an already create
- OpenSSL CTX. For TCP/IP and UNIX vp
- is unused (can be set to NULL.
+ Parameter vp is reserved for future use.
+ Set it to NULL.
diff --git a/doc/installation.xml b/doc/installation.xml
index 32ae63f..c9f216e 100644
--- a/doc/installation.xml
+++ b/doc/installation.xml
@@ -299,15 +299,6 @@
- --with-openssl[=prefix]
-
- &yaz; will be linked with the OpenSSL libraries and
- an SSL COMSTACK will be provided. If OpenSSL is enabled, GNU TLS
- is automatically disabled.
-
-
-
-
 --with-icu[=prefix] &yaz; will be linked the
diff --git a/doc/introduction.xml b/doc/introduction.xml
index dd93b10..5ba265f 100644
--- a/doc/introduction.xml
+++ b/doc/introduction.xml
@@ -36,8 +36,7 @@ Secure Socket Layer support using
- GNU TLS or
- OpenSSL.
+ GNU TLS.
 If enabled, &yaz; uses HTTPS transport (for SOAP) or "Secure BER" (for Z39.50).
diff --git a/include/yaz/comstack.h b/include/yaz/comstack.h
index b516c96..d5a2c8e 100644
--- a/include/yaz/comstack.h
+++ b/include/yaz/comstack.h
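Review bot: Removing `--with-openssl` without leaving a stub means a build script that still passes it gets only autoconf's "unrecognized options" warning and carries on, so an operator can end up with a YAZ that was silently configured differently from what they asked for; if GnuTLS is also absent and the `gnutls=default` path merely warns (that logic is outside this hunk), the result may have no TLS at all. A one-line stub makes legacy invocations fail loudly: `AC_ARG_WITH([openssl], [  --with-openssl   (removed; use --with-gnutls)], [AC_MSG_ERROR([OpenSSL support was removed (YAZ-732); use --with-gnutls])])`. The `AC_SUBST([SSL_CFLAGS])`/`AC_SUBST([SSL_LIBS])` lines keep their OpenSSL-era names, which is fine, but a comment noting they are now populated only by the GNU TLS block would save the next reader a search.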
@@ -126,10 +126,22 @@ YAZ_EXPORT COMSTACK cs_create_host_proxy(const char *vhost,
 YAZ_EXPORT void cs_get_host_args(const char *type_and_host, const char **args);
 YAZ_EXPORT int cs_complete_auto_head(const char *buf, int len);
 YAZ_EXPORT int cs_complete_auto(const char *buf, int len);
-YAZ_EXPORT void *cs_get_ssl(COMSTACK cs);
-YAZ_EXPORT int cs_set_ssl_ctx(COMSTACK cs, void *ctx);
+YAZ_EXPORT void *cs_get_ssl(COMSTACK cs)
+#ifdef __GNUC__
+ __attribute__ ((deprecated))
+#endif
+ ;
+YAZ_EXPORT int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
+#ifdef __GNUC__
+ __attribute__ ((deprecated))
+#endif
+ ;
 YAZ_EXPORT int cs_set_ssl_certificate_file(COMSTACK cs, const char *fname);
-YAZ_EXPORT int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len);
+YAZ_EXPORT int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len)
+#ifdef __GNUC__
+ __attribute__ ((deprecated))
+#endif
+ ;
 YAZ_EXPORT void cs_set_max_recv_bytes(COMSTACK cs, int max_recv_bytes);
 YAZ_EXPORT void cs_print_session_info(COMSTACK cs);
diff --git a/src/comstack.c b/src/comstack.c
index f3f35c2..dfab102 100644
--- a/src/comstack.c
+++ b/src/comstack.c
@@ -25,10 +25,6 @@
 #define ENABLE_SSL 1
 #endif
-#if HAVE_OPENSSL_SSL_H
-#define ENABLE_SSL 1
-#endif
-
 static const char *cs_errlist[] = {
 "No error or unspecified error",
diff --git a/src/tcpip.c b/src/tcpip.c
index 95cd26a..610e6ce 100644
--- a/src/tcpip.c
+++ b/src/tcpip.c
@@ -63,12 +63,6 @@
 #define ENABLE_SSL 1
 #endif
-#if HAVE_OPENSSL_SSL_H
-#include
-#include
-#define ENABLE_SSL 1
-#endif
-
 #include
 #include
 #include
@@ -133,11 +127,6 @@ typedef struct tcpip_state
 struct tcpip_cred_ptr *cred_ptr;
 gnutls_session_t session;
 char cert_fname[256];
-#elif HAVE_OPENSSL_SSL_H
- SSL_CTX *ctx; /* current CTX. */
- SSL_CTX *ctx_alloc; /* If =ctx it is owned by CS. If 0 it is not owned */
- SSL *ssl;
- char cert_fname[256];
 #endif
 char *connect_request_buf;
 int connect_request_len;
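Review bot: The three deprecated prototypes in comstack.h say nothing about what the functions now do, and the attribute is emitted only under `__GNUC__`, so a caller on MSVC gets no warning and a caller on GCC gets a warning with no guidance. Add a one-line comment above each declaration stating the new contract, e.g. `/* Deprecated (YAZ-732): no-op with GNU TLS. cs_get_ssl returns NULL, cs_set_ssl_ctx ignores ctx, cs_get_peer_certificate_x509 returns 0 and leaves *buf/*len untouched. */`, and consider an `#elif defined(_MSC_VER)` branch using `__declspec(deprecated)` so the warning reaches both toolchains. `cs_set_ssl_certificate_file` sits between them and is intentionally kept alive; saying so in a comment stops readers from assuming the whole SSL API is dead.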
@@ -215,10 +204,6 @@ COMSTACK tcpip_type(int s, int flags, int protocol, void *vp)
 sp->cred_ptr = 0;
 sp->session = 0;
 strcpy(sp->cert_fname, "yaz.pem");
-#elif HAVE_OPENSSL_SSL_H
- sp->ctx = sp->ctx_alloc = 0;
- sp->ssl = 0;
- strcpy(sp->cert_fname, "yaz.pem");
 #endif
 #if HAVE_GETADDRINFO
@@ -288,8 +273,6 @@ COMSTACK ssl_type(int s, int flags, int protocol, void *vp)
 #if HAVE_GNUTLS_H
 sp->session = (gnutls_session_t) vp;
-#elif HAVE_OPENSSL_SSL_H
- sp->ctx = (SSL_CTX *) vp; /* may be NULL */
 #endif
 /* note: we don't handle already opened socket in SSL mode - yet */
 return p;
@@ -299,22 +282,7 @@ COMSTACK ssl_type(int s, int flags, int protocol, void *vp)
 #if ENABLE_SSL
 static int ssl_check_error(COMSTACK h, tcpip_state *sp, int res)
 {
-#if HAVE_OPENSSL_SSL_H
- int err = SSL_get_error(sp->ssl, res);
- TRC(fprintf(stderr, "got err=%d\n", err));
- if (err == SSL_ERROR_WANT_READ)
- {
- TRC(fprintf(stderr, " -> SSL_ERROR_WANT_READ\n"));
- h->io_pending = CS_WANT_READ;
- return 1;
- }
- if (err == SSL_ERROR_WANT_WRITE)
- {
- TRC(fprintf(stderr, " -> SSL_ERROR_WANT_WRITE\n"));
- h->io_pending = CS_WANT_WRITE;
- return 1;
- }
-#elif HAVE_GNUTLS_H
+#if HAVE_GNUTLS_H
 TRC(fprintf(stderr, "ssl_check_error error=%d fatal=%d msg=%s\n",
 res,
 gnutls_error_is_fatal(res),
@@ -625,36 +593,6 @@ int tcpip_rcvconnect(COMSTACK h)
 return -1;
 }
 }
-#elif HAVE_OPENSSL_SSL_H
- if (h->type == ssl_type && !sp->ctx)
- {
- SSL_library_init();
- SSL_load_error_strings();
-
- sp->ctx = sp->ctx_alloc = SSL_CTX_new(SSLv23_client_method());
- if (!sp->ctx)
- {
- h->cerrno = CSERRORSSL;
- return -1;
- }
- }
- if (sp->ctx)
- {
- int res;
-
- if (!sp->ssl)
- {
- sp->ssl = SSL_new(sp->ctx);
- SSL_set_fd(sp->ssl, h->iofile);
- }
- res = SSL_connect(sp->ssl);
- if (res <= 0)
- {
- if (ssl_check_error(h, sp, res))
- return 1;
- return -1;
- }
- }
 #endif
 h->event = CS_DATA;
 h->state = CS_ST_DATAXFER;
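Review bot: `ssl_type` still stores the caller's `vp` as the GnuTLS session (`sp->session = (gnutls_session_t) vp;`), while the doc/comstack.xml hunk in this same commit now documents vp as "reserved for future use" and tells callers to pass NULL; the code and the documentation disagree. An application written against the old contract, which passed an OpenSSL `SSL_CTX *` here, would now have that pointer treated as a `gnutls_session_t` with no check, so either ignore vp in the code (`sp->session = 0;`) or keep the documentation describing vp as an optional pre-created gnutls_session_t. Whichever is chosen, a comment on this line stating what vp is expected to be would prevent the next mismatch. The enclosing `ssl_type` starts before the hunk, and the `tcpip_rcvconnect` hunk below it is a clean deletion with nothing further to raise.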
@@ -697,51 +635,6 @@ static int tcpip_bind(COMSTACK h, void *address, int mode)
 return -1;
 }
 }
-#elif HAVE_OPENSSL_SSL_H
- if (h->type == ssl_type && !sp->ctx)
- {
- SSL_library_init();
- SSL_load_error_strings();
-
- sp->ctx = sp->ctx_alloc = SSL_CTX_new(SSLv23_server_method());
- if (!sp->ctx)
- {
- h->cerrno = CSERRORSSL;
- return -1;
- }
- }
- if (sp->ctx)
- {
- if (sp->ctx_alloc)
- {
- int res;
- res = SSL_CTX_use_certificate_file(sp->ctx, sp->cert_fname,
- SSL_FILETYPE_PEM);
- if (res <= 0)
- {
- ERR_print_errors_fp(stderr);
- exit(2);
- }
- res = SSL_CTX_use_PrivateKey_file(sp->ctx, sp->cert_fname,
- SSL_FILETYPE_PEM);
- if (res <= 0)
- {
- ERR_print_errors_fp(stderr);
- exit(3);
- }
- res = SSL_CTX_check_private_key(sp->ctx);
- if (res <= 0)
- {
- ERR_print_errors_fp(stderr);
- exit(5);
- }
- }
- TRC(fprintf(stderr, "ssl_bind\n"));
- }
- else
- {
- TRC(fprintf(stderr, "tcpip_bind\n"));
- }
 #else
 TRC(fprintf(stderr, "tcpip_bind\n"));
 #endif
@@ -954,15 +847,6 @@ COMSTACK tcpip_accept(COMSTACK h)
 (gnutls_transport_ptr_t) (size_t) cnew->iofile);
 }
-#elif HAVE_OPENSSL_SSL_H
- state->ctx = st->ctx;
- state->ctx_alloc = 0;
- state->ssl = st->ssl;
- if (state->ctx)
- {
- state->ssl = SSL_new(state->ctx);
- SSL_set_fd(state->ssl, cnew->iofile);
- }
 #endif
 state->connect_request_buf = 0;
 state->connect_response_buf = 0;
@@ -988,25 +872,6 @@ COMSTACK tcpip_accept(COMSTACK h)
 }
 TRC(fprintf(stderr, "SSL_accept complete. gnutls\n"));
 }
-#elif HAVE_OPENSSL_SSL_H
- tcpip_state *state = (tcpip_state *)h->cprivate;
- if (state->ctx)
- {
- int res;
- errno = 0;
- res = SSL_accept(state->ssl);
- TRC(fprintf(stderr, "SSL_accept res=%d\n", res));
- if (res <= 0)
- {
- if (ssl_check_error(h, state, res))
- {
- return h;
- }
- cs_close(h);
- return 0;
- }
- TRC(fprintf(stderr, "SSL_accept complete\n"));
- }
 #endif
 }
 else
@@ -1375,11 +1240,6 @@ void tcpip_close(COMSTACK h)
 #if HAVE_GNUTLS_H
 if (sp->session)
 gnutls_bye(sp->session, GNUTLS_SHUT_WR);
-#elif HAVE_OPENSSL_SSL_H
- if (sp->ssl)
- {
- SSL_shutdown(sp->ssl);
- }
 #endif
 #ifdef WIN32
 closesocket(h->iofile);
@@ -1407,15 +1267,6 @@ void tcpip_close(COMSTACK h)
 }
 sp->cred_ptr = 0;
 }
-#elif HAVE_OPENSSL_SSL_H
- if (sp->ssl)
- {
- TRC(fprintf(stderr, "SSL_free\n"));
- SSL_free(sp->ssl);
- }
- sp->ssl = 0;
- if (sp->ctx_alloc)
- SSL_CTX_free(sp->ctx_alloc);
 #endif
 #if HAVE_GETADDRINFO
 if (sp->ai)
@@ -1485,14 +1336,6 @@ const char *tcpip_addrstr(COMSTACK h)
 else
 sprintf(buf, "ssl:%s", r);
 }
-#elif HAVE_OPENSSL_SSL_H
- if (sp->ctx)
- {
- if (h->protocol == PROTO_HTTP)
- sprintf(buf, "https:%s", r);
- else
- sprintf(buf, "ssl:%s", r);
- }
 #endif
 return buf;
 }
@@ -1630,45 +1473,12 @@ void cs_print_session_info(COMSTACK cs)
 }
 }
-#elif HAVE_OPENSSL_SSL_H
- if (cs->type == ssl_type)
- {
- struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate;
- SSL *ssl = (SSL *) sp->ssl;
- if (ssl)
- {
- X509 *server_cert = SSL_get_peer_certificate(ssl);
- if (server_cert)
- {
- char *pem_buf;
- int pem_len;
- BIO *bio = BIO_new(BIO_s_mem());
-
- /* get PEM buffer in memory */
- PEM_write_bio_X509(bio, server_cert);
- pem_len = BIO_get_mem_data(bio, &pem_buf);
- fwrite(pem_buf, pem_len, 1, stdout);
-
- /* print all info on screen .. */
- X509_print_fp(stdout, server_cert);
- BIO_free(bio);
-
- X509_free(server_cert);
- }
- }
- }
 #endif
 }
 void *cs_get_ssl(COMSTACK cs)
 {
-#if HAVE_OPENSSL_SSL_H
- if (cs && cs->type == ssl_type)
- {
- struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate;
- return sp->ssl;
- }
-#endif
+ /* doesn't do anything for GNUTLS */
 return 0;
 }
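Review bot: The new comment in `cs_get_ssl`, `/* doesn't do anything for GNUTLS */`, no longer tells a caller what the return value means; the function is deprecated and now unconditionally returns NULL regardless of `cs`, so state that: `/* Deprecated (YAZ-732): the OpenSSL object is gone and no GnuTLS handle is exposed through this API, so this always returns NULL. */`. Callers that used the returned `SSL *` to inspect the peer certificate before trusting a connection now silently get nothing, which is worth a sentence in the header as well. The same wording applies to the two `/* doesn't do anything for GNUTLS */` comments in the next hunks. The `tcpip_close`, `tcpip_addrstr` and `cs_print_session_info` hunks above are clean deletions of the OpenSSL branches with nothing further to raise on the new side.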
@@ -1677,12 +1487,7 @@ int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
 #if ENABLE_SSL
 if (cs && cs->type == ssl_type)
 {
-#if HAVE_OPENSSL_SSL_H
- struct tcpip_state *sp = (struct tcpip_state *) cs->cprivate;
- if (sp->ctx_alloc)
- return 0;
- sp->ctx = (SSL_CTX *) ctx;
-#endif
+ /* doesn't do anything for GNUTLS */
 return 1;
 }
 #endif
@@ -1705,25 +1510,7 @@ int cs_set_ssl_certificate_file(COMSTACK cs, const char *fname)
 int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len)
 {
-#if HAVE_OPENSSL_SSL_H
- SSL *ssl = (SSL *) cs_get_ssl(cs);
- if (ssl)
- {
- X509 *server_cert = SSL_get_peer_certificate(ssl);
- if (server_cert)
- {
- BIO *bio = BIO_new(BIO_s_mem());
- char *pem_buf;
- /* get PEM buffer in memory */
- PEM_write_bio_X509(bio, server_cert);
- *len = BIO_get_mem_data(bio, &pem_buf);
- *buf = (char *) xmalloc(*len);
- memcpy(*buf, pem_buf, *len);
- BIO_free(bio);
- return 1;
- }
- }
-#endif
+ /* doesn't do anything for GNUTLS */
 return 0;
 }
--
1.7.10.4
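Review bot: `cs_set_ssl_ctx` now discards the caller's `ctx` on an ssl_type stack but still returns 1, so an application that configured verification policy or certificates in its own context is told the call succeeded while none of that configuration is applied. For a deprecated no-op, failure is the safer contract: change `return 1;` to `return 0;` and make the comment say why, `/* Deprecated (YAZ-732): ctx cannot be applied to a GnuTLS session; report failure so callers notice. */`. If 1 must be kept for compatibility, the comment should at least state that ctx is ignored. The function's opening and its fallthrough `return 0` lie outside the hunk.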
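Review bot: The `cs_get_peer_certificate_x509` stub returns 0 without writing `*buf` or `*len`, which is the right behaviour, but the comment should state that contract so callers do not read uninitialised output: `/* Deprecated (YAZ-732): not implemented for GnuTLS; returns 0 and leaves *buf and *len unchanged. */`. If peer-certificate export is still wanted, GnuTLS exposes the peer chain via `gnutls_certificate_get_peers()` on `sp->session` and that could back this function later, but that is a separate change from this removal.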