[Kazehakase-devel 2378] Re: Please allow the redistribution of binary linking with OpenSSL

Back to archive index

Hidetaka Iwai tyuyu****@sings*****
2005年 9月 18日 (日) 16:07:03 JST


岩井@札幌 です。

Hidetaka Iwai <tyuyu****@sings*****> wrote:
Message-ID: <20050****@sings*****>

> 私も gnutls を使用することに賛成します。今週末はなんとか時間が取れると
> 思いますので、ちょっとコードを見てみます。

パッチを書いてみました。とりあえず動作はしますが、以下の問題点がありま
す... 一人で抱えていても仕方ないので ML に投げます

1. kz_http_read_chars で gnutls_record_recv が最後に必ず
   GNUTLS_E_UNEXPECTED_PACKET_LENGTH を返す
2. 証明書を検証するコードを書いていない

# 神降臨希望...

regards,
--
 Hidetaka Iwai
 tyuyu****@sings*****
-------------- next part --------------
Index: configure.in
===================================================================
RCS file: /cvsroot/kazehakase/kazehakase/configure.in,v
retrieving revision 1.130
diff -u -r1.130 configure.in
--- configure.in	6 Sep 2005 01:07:10 -0000	1.130
+++ configure.in	18 Sep 2005 06:59:43 -0000
@@ -307,16 +307,28 @@
 AM_CONDITIONAL(ENABLE_GTK_WEBCORE, test x"$enable_gtk_webcore" = "xyes")
 
 dnl **************************************************************
-dnl Check for openssl
+dnl Check for openssl 
+dnl **************************************************************
+dnl AC_ARG_ENABLE(ssl, [  --disable-ssl
+dnl 			  Disable OpenSSL suport],,
+dnl			  disable_ssl=no)
+dnl if test x"$disable_ssl" = "xno"; then
+dnl   PKG_CHECK_MODULES(SSL, openssl)
+dnl   AC_SUBST(SSL_CFLAGS)
+dnl   AC_SUBST(SSL_LIBS)
+dnl   AC_DEFINE(USE_SSL, 1, [Define using openssl])
+dnl fi
+dnl AM_CONDITIONAL(ENABLE_SSL, test x"$disable_ssl" = "xno")
+
+dnl **************************************************************
+dnl Check for GNU TLS
 dnl **************************************************************
 AC_ARG_ENABLE(ssl, [  --disable-ssl
-			  Disable OpenSSL suport],,
+ 			  Disable GNU TLS suport],,
 			  disable_ssl=no)
 if test x"$disable_ssl" = "xno"; then
-  PKG_CHECK_MODULES(SSL, openssl)
-  AC_SUBST(SSL_CFLAGS)
-  AC_SUBST(SSL_LIBS)
-  AC_DEFINE(USE_SSL, 1, [Define using openssl])
+   AM_PATH_LIBGNUTLS(1.0.0,,AC_MSG_WARN([[libgnutls was not found.]]))
+   AC_DEFINE(USE_SSL, 1, [Define using GNU TLS])
 fi
 AM_CONDITIONAL(ENABLE_SSL, test x"$disable_ssl" = "xno")
 
Index: src/net/Makefile.am
===================================================================
RCS file: /cvsroot/kazehakase/kazehakase/src/net/Makefile.am,v
retrieving revision 1.18
diff -u -r1.18 Makefile.am
--- src/net/Makefile.am	12 Jul 2005 07:57:11 -0000	1.18
+++ src/net/Makefile.am	18 Sep 2005 07:00:51 -0000
@@ -4,7 +4,7 @@
 
 INCLUDES = \
 	$(GTK_CFLAGS) \
-	$(SSL_CFLAGS) \
+	$(LIBGNUTLS_CFLAGS) \
 	-I$(top_builddir)/src \
 	-I$(top_srcdir)/src \
 	-I$(top_srcdir)/src/bookmarks \
@@ -28,7 +28,7 @@
 	ipv6.c ipv6.h \
 	gnet-private.h gnet-private.c \
 	gnet.h
-	
+
 libkznet_la_LIBADD = \
-	$(SSL_LIBS) \
+	$(LIBGNUTLS_LIBS) \
 	$(ZLIB_LIBS)
Index: src/net/kz-http.c
===================================================================
RCS file: /cvsroot/kazehakase/kazehakase/src/net/kz-http.c,v
retrieving revision 1.76
diff -u -r1.76 kz-http.c
--- src/net/kz-http.c	4 Aug 2005 10:13:15 -0000	1.76
+++ src/net/kz-http.c	18 Sep 2005 07:00:53 -0000
@@ -3,7 +3,7 @@
 /*
  *  Copyright (C) 2003 Hiroyuki Ikezoe
  *  Copyright (C) 2003 Takuro Ashie
- *  Copyright (C) 2004 Hidetaka Iwai
+ *  Copyright (C) 2004-2005 Hidetaka Iwai
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -32,7 +32,7 @@
 #include <unistd.h>
 
 #ifdef USE_SSL
-#include <openssl/ssl.h>
+#include <gnutls/gnutls.h>
 #endif
 
 #include "gobject-utils.h"
@@ -71,10 +71,12 @@
 #ifdef USE_SSL
 typedef struct _KzSSL
 {
-	SSL      *ssl;
-	SSL_CTX  *ctx;
+	gnutls_session session;
 } KzSSL;
 
+static gnutls_certificate_credentials xcred;
+static const int cert_type_priority[] = { GNUTLS_CRT_X509,
+					  0 };
 #endif
 
 typedef struct _AuthParam
@@ -257,6 +259,13 @@
 			_("The Path of the URI"),
 			NULL,
 			G_PARAM_READWRITE));
+
+#ifdef USE_SSL
+        /* initialize gnutls. this function should be called once. */
+	gnutls_global_init ();
+	gnutls_certificate_allocate_credentials (&xcred);
+#endif
+
 	g_type_class_add_private (object_class, sizeof(KzHTTPPrivate));
 }
 
@@ -654,20 +663,28 @@
 		while (len > 0 && f)
 		{
 			int ret;
-			ret = SSL_read(priv->kz_ssl->ssl, pos, len);
+			ret = gnutls_record_recv (priv->kz_ssl->session, pos, len);
 
-			switch (SSL_get_error(priv->kz_ssl->ssl, ret))
+			if (ret > 0)
 			{
-			case SSL_ERROR_NONE:
 				pos += ret;
 				len -= ret;
-				break;
-			case SSL_ERROR_WANT_READ:
-			case SSL_ERROR_WANT_WRITE:
-				break;
-			default:
+			}
+			else if (ret == 0)
+			{
+                        /* EOF */
+				f = FALSE;
+
+			}
+			else if ((ret == GNUTLS_E_INTERRUPTED) ||
+				 (ret == GNUTLS_E_AGAIN))
+			{
+                        /* read again */
+				continue;
+			}
+			else {
+				gnutls_perror (ret);
 				f = FALSE;
-				break;
 			}
 		}
 		*bytes_read = count - len;
@@ -715,8 +732,7 @@
 		tmp = g_string_new(NULL);
 		while (TRUE)
 		{
-			l = SSL_read(priv->kz_ssl->ssl, &c, 1);	
-
+			l = gnutls_record_recv (priv->kz_ssl->session, &c, 1);
 			if (l > 0)
 			{
 				tmp = g_string_append_c(tmp, c);
@@ -730,16 +746,14 @@
 			{
 				break;
 			}
+			else if ((l == GNUTLS_E_INTERRUPTED) ||
+				 (l == GNUTLS_E_AGAIN))
+			{
+				continue;
+			}
 			else
 			{
-				int e;
-				e = SSL_get_error(priv->kz_ssl->ssl, l);
-				
-				if (e == SSL_ERROR_WANT_READ ||
-				    e == SSL_ERROR_NONE)
-				{
-					continue;
-				}
+				gnutls_perror (l);
 				iostatus = G_IO_STATUS_ERROR;
 				break;
 			}
@@ -1158,18 +1172,22 @@
 		while (len > 0)
 		{
 			int ret;
-			ret = SSL_write(priv->kz_ssl->ssl, pos, len);
+			ret = gnutls_record_send (priv->kz_ssl->session, pos, len);
 
-			switch (SSL_get_error(priv->kz_ssl->ssl, ret))
+			if(ret > 0)
 			{
-			case SSL_ERROR_NONE:
-				pos += ret;	
+				pos += ret;
 				len -= ret;
-				break;
-			case SSL_ERROR_WANT_WRITE:
-			case SSL_ERROR_WANT_READ:
-				break;
-			default:
+			}
+			else if ((ret == GNUTLS_E_INTERRUPTED) ||
+				 (ret == GNUTLS_E_AGAIN))
+			{
+                                /* write again */
+				continue;
+			}
+			else
+			{
+				gnutls_perror (ret);
 				break;
 			}
 		}
@@ -1483,47 +1501,32 @@
 ssl_init (KzSSL *kz_ssl, GIOChannel *channel)
 {
 	gint fd;
-	int ret;
-	gboolean f = TRUE;
-	char *str;
-	BIO *bio;
-	X509 *server_cert;
-
-	SSL_library_init();
-	OpenSSL_add_all_algorithms();
-	SSL_load_error_strings();
+	gint ret;
 
-	kz_ssl->ctx = SSL_CTX_new(SSLv23_client_method());
+        /* initialize TLS session */
+	gnutls_init (&kz_ssl->session, GNUTLS_CLIENT);
 
-	/*
-	SSL_CTX_load_verify_locations(kz_ssl->ctx, NULL, "/home/zoe/.kazehakase");
-	*/
-	kz_ssl->ssl = SSL_new(kz_ssl->ctx);
-	if (!kz_ssl->ssl)
-		return;
+	gnutls_set_default_priority (kz_ssl->session);
+	gnutls_certificate_type_set_priority (kz_ssl->session, cert_type_priority);
 
-	SSL_CTX_set_mode(kz_ssl->ctx, SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+	gnutls_credentials_set (kz_ssl->session, GNUTLS_CRD_CERTIFICATE, xcred);
 
 	fd = g_io_channel_unix_get_fd(channel);
-	bio = BIO_new_socket(fd, BIO_NOCLOSE);
-	SSL_set_fd(kz_ssl->ssl, fd);
-	SSL_set_bio(kz_ssl->ssl, bio, bio);
-	BIO_set_nbio(bio, 1);
+	gnutls_transport_set_ptr (kz_ssl->session, (gnutls_transport_ptr) fd);
 
-	while (f)
+	do
 	{
-		ret = SSL_connect(kz_ssl->ssl);
-		switch (SSL_get_error(kz_ssl->ssl, ret))
-		{
-		case SSL_ERROR_WANT_READ:
-			continue;
-			break;
-		default:
-			f = FALSE;
-			break;
-		}
+		ret = gnutls_handshake (kz_ssl->session);
+	}
+	while ((ret == GNUTLS_E_AGAIN) || (ret == GNUTLS_E_INTERRUPTED));
+
+	if (ret < 0)
+	{
+		gnutls_perror(ret);
+		return;
 	}
-				
+
+#if 0
 	server_cert = SSL_get_peer_certificate(kz_ssl->ssl);
 
 	if (!server_cert)
@@ -1544,6 +1547,7 @@
 	{
 	}
 	*/
+#endif
 }
 
 static void
@@ -1552,9 +1556,8 @@
 	if (!kz_ssl)
 		return;
 
-	SSL_shutdown(kz_ssl->ssl);
-	SSL_free(kz_ssl->ssl);
-	SSL_CTX_free(kz_ssl->ctx);
+	gnutls_bye (kz_ssl->session, GNUTLS_SHUT_RDWR);
+	gnutls_deinit (kz_ssl->session);
 }
 
 #endif
-------------- next part --------------
テキスト形式以外の添付ファイルを保管しました...
ファイル名: 無し
型:         application/pgp-signature
サイズ:     189 バイト
説明:       無し
下載 


Kazehakase-devel メーリングリストの案内
Back to archive index