Hidetaka Iwai
tyuyu****@sings*****
2005年 9月 18日 (日) 16:07:03 JST
岩井@札幌 です。 Hidetaka Iwai <tyuyu****@sings*****> wrote: Message-ID: <20050****@sings*****> > 私も gnutls を使用することに賛成します。今週末はなんとか時間が取れると > 思いますので、ちょっとコードを見てみます。 パッチを書いてみました。とりあえず動作はしますが、以下の問題点がありま す... 一人で抱えていても仕方ないので ML に投げます 1. kz_http_read_chars で gnutls_record_recv が最後に必ず GNUTLS_E_UNEXPECTED_PACKET_LENGTH を返す 2. 証明書を検証するコードを書いていない # 神降臨希望... regards, -- Hidetaka Iwai tyuyu****@sings***** -------------- next part -------------- Index: configure.in =================================================================== RCS file: /cvsroot/kazehakase/kazehakase/configure.in,v retrieving revision 1.130 diff -u -r1.130 configure.in --- configure.in 6 Sep 2005 01:07:10 -0000 1.130 +++ configure.in 18 Sep 2005 06:59:43 -0000 
@@ -307,16 +307,28 @@ AM_CONDITIONAL(ENABLE_GTK_WEBCORE, test x"$enable_gtk_webcore" = "xyes") dnl ************************************************************** -dnl Check for openssl +dnl Check for openssl +dnl ************************************************************** +dnl AC_ARG_ENABLE(ssl, [ --disable-ssl +dnl Disable OpenSSL suport],, +dnl disable_ssl=no) +dnl if test x"$disable_ssl" = "xno"; then +dnl PKG_CHECK_MODULES(SSL, openssl) +dnl AC_SUBST(SSL_CFLAGS) +dnl AC_SUBST(SSL_LIBS) +dnl AC_DEFINE(USE_SSL, 1, [Define using openssl]) +dnl fi +dnl AM_CONDITIONAL(ENABLE_SSL, test x"$disable_ssl" = "xno") + +dnl ************************************************************** +dnl Check for GNU TLS dnl ************************************************************** AC_ARG_ENABLE(ssl, [ --disable-ssl - Disable OpenSSL suport],, + Disable GNU TLS suport],, disable_ssl=no) if test x"$disable_ssl" = "xno"; then - PKG_CHECK_MODULES(SSL, openssl) - AC_SUBST(SSL_CFLAGS) - AC_SUBST(SSL_LIBS) - AC_DEFINE(USE_SSL, 1, [Define using openssl]) + AM_PATH_LIBGNUTLS(1.0.0,,AC_MSG_WARN([[libgnutls was not found.]])) + AC_DEFINE(USE_SSL, 1, [Define using GNU TLS]) fi AM_CONDITIONAL(ENABLE_SSL, test x"$disable_ssl" = "xno") Index: src/net/Makefile.am =================================================================== RCS file: /cvsroot/kazehakase/kazehakase/src/net/Makefile.am,v retrieving revision 1.18 diff -u -r1.18 Makefile.am --- src/net/Makefile.am 12 Jul 2005 07:57:11 -0000 1.18 +++ src/net/Makefile.am 18 Sep 2005 07:00:51 -0000 @@ -4,7 +4,7 @@ INCLUDES = \ $(GTK_CFLAGS) \ - $(SSL_CFLAGS) \ + $(LIBGNUTLS_CFLAGS) \ -I$(top_builddir)/src \ -I$(top_srcdir)/src \ -I$(top_srcdir)/src/bookmarks \ 
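Review bot: The not-found action of `AM_PATH_LIBGNUTLS(1.0.0,,AC_MSG_WARN([[libgnutls was not found.]]))` only warns, yet the lines that follow still `AC_DEFINE(USE_SSL, 1, ...)` and `AM_CONDITIONAL(ENABLE_SSL, ...)` stays true, so a host without gnutls configures successfully and then fails when kz-http.c includes `<gnutls/gnutls.h>` (or links without `LIBGNUTLS_LIBS`). Either make the failure hard, `AM_PATH_LIBGNUTLS(1.0.0,,AC_MSG_ERROR([[libgnutls >= 1.0.0 was not found.]]))`, or set `disable_ssl=yes` in the not-found branch and move the `AC_DEFINE` after it so `ENABLE_SSL` and `USE_SSL` cannot disagree with what was actually found. The commented-out `dnl` copy of the old OpenSSL check is dead configuration and can go in the same change, and the help string still reads "suport".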
@@ -28,7 +28,7 @@ ipv6.c ipv6.h \ gnet-private.h gnet-private.c \ gnet.h - + libkznet_la_LIBADD = \ - $(SSL_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(ZLIB_LIBS) Index: src/net/kz-http.c =================================================================== RCS file: /cvsroot/kazehakase/kazehakase/src/net/kz-http.c,v retrieving revision 1.76 diff -u -r1.76 kz-http.c --- src/net/kz-http.c 4 Aug 2005 10:13:15 -0000 1.76 +++ src/net/kz-http.c 18 Sep 2005 07:00:53 -0000 @@ -3,7 +3,7 @@ /* * Copyright (C) 2003 Hiroyuki Ikezoe * Copyright (C) 2003 Takuro Ashie - * Copyright (C) 2004 Hidetaka Iwai + * Copyright (C) 2004-2005 Hidetaka Iwai * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -32,7 +32,7 @@ #include <unistd.h> #ifdef USE_SSL -#include <openssl/ssl.h> +#include <gnutls/gnutls.h> #endif #include "gobject-utils.h" @@ -71,10 +71,12 @@ #ifdef USE_SSL typedef struct _KzSSL { - SSL *ssl; - SSL_CTX *ctx; + gnutls_session session; } KzSSL; +static gnutls_certificate_credentials xcred; +static const int cert_type_priority[] = { GNUTLS_CRT_X509, + 0 }; #endif typedef struct _AuthParam @@ -257,6 +259,13 @@ _("The Path of the URI"), NULL, G_PARAM_READWRITE)); + +#ifdef USE_SSL + /* initialize gnutls. this function should be called once. */ + gnutls_global_init (); + gnutls_certificate_allocate_credentials (&xcred); +#endif + g_type_class_add_private (object_class, sizeof(KzHTTPPrivate)); } 
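Review bot: `gnutls_certificate_allocate_credentials (&xcred)` in class_init creates an empty credential object and nothing in this patch ever loads trust anchors into it, so even once verification is added there is nothing to verify against; the return values of `gnutls_global_init ()` and the allocation are also discarded. Load the system CA bundle right after allocation, e.g. `gnutls_certificate_set_x509_trust_file (xcred, CA_BUNDLE_PATH, GNUTLS_X509_FMT_PEM);` (the path is distribution-specific, so it belongs in configure or a preference rather than a literal), and treat a negative return from either setup call as "TLS unavailable" instead of continuing with a half-initialised `xcred`. A short comment on the `static gnutls_certificate_credentials xcred;` declaration noting that it is process-wide, created once in class_init and never freed, would help the next reader.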
@@ -654,20 +663,28 @@ while (len > 0 && f) { int ret; - ret = SSL_read(priv->kz_ssl->ssl, pos, len); + ret = gnutls_record_recv (priv->kz_ssl->session, pos, len); - switch (SSL_get_error(priv->kz_ssl->ssl, ret)) + if (ret > 0) { - case SSL_ERROR_NONE: pos += ret; len -= ret; - break; - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: - break; - default: + } + else if (ret == 0) + { + /* EOF */ + f = FALSE; + + } + else if ((ret == GNUTLS_E_INTERRUPTED) || + (ret == GNUTLS_E_AGAIN)) + { + /* read again */ + continue; + } + else { + gnutls_perror (ret); f = FALSE; - break; } } *bytes_read = count - len; @@ -715,8 +732,7 @@ tmp = g_string_new(NULL); while (TRUE) { - l = SSL_read(priv->kz_ssl->ssl, &c, 1); - + l = gnutls_record_recv (priv->kz_ssl->session, &c, 1); if (l > 0) { tmp = g_string_append_c(tmp, c); @@ -730,16 +746,14 @@ { break; } + else if ((l == GNUTLS_E_INTERRUPTED) || + (l == GNUTLS_E_AGAIN)) + { + continue; + } else { - int e; - e = SSL_get_error(priv->kz_ssl->ssl, l); - - if (e == SSL_ERROR_WANT_READ || - e == SSL_ERROR_NONE) - { - continue; - } + gnutls_perror (l); iostatus = G_IO_STATUS_ERROR; break; } @@ -1158,18 +1172,22 @@ while (len > 0) { int ret; - ret = SSL_write(priv->kz_ssl->ssl, pos, len); + ret = gnutls_record_send (priv->kz_ssl->session, pos, len); - switch (SSL_get_error(priv->kz_ssl->ssl, ret)) + if(ret > 0) { - case SSL_ERROR_NONE: - pos += ret; + pos += ret; len -= ret; - break; - case SSL_ERROR_WANT_WRITE: - case SSL_ERROR_WANT_READ: - break; - default: + } + else if ((ret == GNUTLS_E_INTERRUPTED) || + (ret == GNUTLS_E_AGAIN)) + { + /* write again */ + continue; + } + else + { + gnutls_perror (ret); break; } } 
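Review bot: The trailing `GNUTLS_E_UNEXPECTED_PACKET_LENGTH` described in the mail is GnuTLS reporting that the server closed the TCP connection without sending a TLS close_notify, which is indistinguishable on the wire from a truncation attack, so it should not be folded into the `ret == 0` "EOF" branch in kz_http_read_chars even though that would make the symptom go away. For HTTP the response itself says when the body is complete (Content-Length or chunked encoding), so the caller should stop reading once it has that many bytes and only a read that ends early should be reported as an error; I would document that on the loop with `/* ret < 0 after the body is complete means the peer dropped the connection without close_notify; before that it means truncated data */`. If the underlying channel is non-blocking, `continue` on `GNUTLS_E_AGAIN` busy-spins the loop; the same applies to the `gnutls_record_send` loop in the last hunk, where a fatal error also just breaks out with `len > 0` and nothing visible here reports the short write. The enclosing functions start and end outside these hunks.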
@@ -1483,47 +1501,32 @@ ssl_init (KzSSL *kz_ssl, GIOChannel *channel) { gint fd; - int ret; - gboolean f = TRUE; - char *str; - BIO *bio; - X509 *server_cert; - - SSL_library_init(); - OpenSSL_add_all_algorithms(); - SSL_load_error_strings(); + gint ret; - kz_ssl->ctx = SSL_CTX_new(SSLv23_client_method()); + /* initialize TLS session */ + gnutls_init (&kz_ssl->session, GNUTLS_CLIENT); - /* - SSL_CTX_load_verify_locations(kz_ssl->ctx, NULL, "/home/zoe/.kazehakase"); - */ - kz_ssl->ssl = SSL_new(kz_ssl->ctx); - if (!kz_ssl->ssl) - return; + gnutls_set_default_priority (kz_ssl->session); + gnutls_certificate_type_set_priority (kz_ssl->session, cert_type_priority); - SSL_CTX_set_mode(kz_ssl->ctx, SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + gnutls_credentials_set (kz_ssl->session, GNUTLS_CRD_CERTIFICATE, xcred); fd = g_io_channel_unix_get_fd(channel); - bio = BIO_new_socket(fd, BIO_NOCLOSE); - SSL_set_fd(kz_ssl->ssl, fd); - SSL_set_bio(kz_ssl->ssl, bio, bio); - BIO_set_nbio(bio, 1); + gnutls_transport_set_ptr (kz_ssl->session, (gnutls_transport_ptr) fd); - while (f) + do { - ret = SSL_connect(kz_ssl->ssl); - switch (SSL_get_error(kz_ssl->ssl, ret)) - { - case SSL_ERROR_WANT_READ: - continue; - break; - default: - f = FALSE; - break; - } + ret = gnutls_handshake (kz_ssl->session); + } + while ((ret == GNUTLS_E_AGAIN) || (ret == GNUTLS_E_INTERRUPTED)); + + if (ret < 0) + { + gnutls_perror(ret); + return; } - + +#if 0 server_cert = SSL_get_peer_certificate(kz_ssl->ssl); if (!server_cert) @@ -1544,6 +1547,7 @@ { } */ +#endif } static void @@ -1552,9 +1556,8 @@ if (!kz_ssl) return; - SSL_shutdown(kz_ssl->ssl); - SSL_free(kz_ssl->ssl); - SSL_CTX_free(kz_ssl->ctx); + gnutls_bye (kz_ssl->session, GNUTLS_SHUT_RDWR); + gnutls_deinit (kz_ssl->session); } #endif -------------- next part -------------- テキスト形式以外の添付ファイルを保管しました... ファイル名: 無し 型: application/pgp-signature サイズ: 189 バイト 説明: 無し 下載
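Review bot: After `gnutls_handshake` succeeds, ssl_init returns without verifying the server certificate or checking that it matches the requested host, and the old OpenSSL peer-certificate block is now under `#if 0`, so every https: connection accepts any certificate; the author already flags this in the mail, but it is the one thing that makes the TLS migration a security change rather than a refactor. In the 1.x API this is `gnutls_certificate_verify_peers` for the chain (against the trust anchors loaded into `xcred`) plus `gnutls_certificate_get_peers` / `gnutls_x509_crt_import` / `gnutls_x509_crt_check_hostname` for the host binding, and a failed check must close the session rather than fall through to the request. ssl_init returns void and does not receive the host name, so both the failure signal and the host have to be threaded in from the caller, which is outside this hunk (the function's end is in the following hunk); the `gnutls_x509_*` calls also need `<gnutls/x509.h>`. A sketch of the post-handshake check:

```c
	/* … unchanged: session setup and handshake loop … */
	if (ret < 0)
	{
		gnutls_perror (ret);
		return;
	}

	/* The handshake only proves the peer holds some key pair; bind it to a
	 * trusted chain and to the host we asked for before sending anything. */
	{
		int status;
		const gnutls_datum *peers;
		unsigned int npeers = 0;
		gnutls_x509_crt cert;

		status = gnutls_certificate_verify_peers (kz_ssl->session);
		if (status < 0 || (status & GNUTLS_CERT_INVALID))
			goto verify_failed;

		peers = gnutls_certificate_get_peers (kz_ssl->session, &npeers);
		if (!peers || npeers == 0 ||
		    gnutls_x509_crt_init (&cert) < 0)
			goto verify_failed;

		/* hostname must come from the request URI; ssl_init does not have it yet */
		if (gnutls_x509_crt_import (cert, &peers[0], GNUTLS_X509_FMT_DER) < 0 ||
		    !gnutls_x509_crt_check_hostname (cert, hostname))
		{
			gnutls_x509_crt_deinit (cert);
			goto verify_failed;
		}
		gnutls_x509_crt_deinit (cert);
	}
	/* … unchanged: remainder of ssl_init … */

verify_failed:
	gnutls_bye (kz_ssl->session, GNUTLS_SHUT_RDWR);
	gnutls_deinit (kz_ssl->session);
	/* signal failure to the caller here once ssl_init has a return value */
```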