From 8f17d299778f01052a1fe9acf2cd759e75cd407c Mon Sep 17 00:00:00 2001
From: Alan Antonuk
Date: Tue, 13 Oct 2015 22:18:47 -0700
Subject: Lib: remove unmaintained SSL backends gnutls, polarssl, and cyassl SSL backends are not maintained, and likely quite broken, remove them.
---
 CMakeLists.txt | 19 +--
 Makefile.am | 13 --
 configure.ac | 27 +---
 librabbitmq/CMakeLists.txt | 43 ++----
 librabbitmq/amqp_cyassl.c | 270 ---------------------------------
 librabbitmq/amqp_gnutls.c | 362 --------------------------------------------
 librabbitmq/amqp_polarssl.c | 362 --------------------------------------------
 m4/polarssl.m4 | 75 ---------
 8 files changed, 20 insertions(+), 1151 deletions(-)
 delete mode 100644 librabbitmq/amqp_cyassl.c
 delete mode 100644 librabbitmq/amqp_gnutls.c
 delete mode 100644 librabbitmq/amqp_polarssl.c
 delete mode 100644 m4/polarssl.m4

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 51be981..f0e8c87 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -263,25 +263,8 @@ option(BUILD_API_DOCS "Build Doxygen API docs" ${DOXYGEN_FOUND})
 option(ENABLE_SSL_SUPPORT "Enable SSL support" ON)
 option(ENABLE_THREAD_SAFETY "Enable thread safety when using OpenSSL" ${Threads_FOUND})
 
-set(SSL_ENGINE "OpenSSL" CACHE STRING "SSL Backend to use, valid options: OpenSSL, cyaSSL, GnuTLS, PolarSSL")
-mark_as_advanced(SSL_ENGINE)
-
 if (ENABLE_SSL_SUPPORT)
-  if (SSL_ENGINE STREQUAL "OpenSSL")
-    find_package(OpenSSL 0.9.8 REQUIRED)
-
-  elseif (SSL_ENGINE STREQUAL "cyaSSL")
-    find_package(cyaSSL REQUIRED)
-
-  elseif (SSL_ENGINE STREQUAL "GnuTLS")
-    find_package(GnuTLS REQUIRED)
-
-  elseif (SSL_ENGINE STREQUAL "PolarSSL")
-    find_package(PolarSSL REQUIRED)
-
-  else()
-    message(FATAL_ERROR "Unsupported SSL_ENGINE ${SSL_ENGINE}, valid engines: OpenSSL, cyaSSL, GnuTLS, or PolarSSL")
-  endif()
+  find_package(OpenSSL 0.9.8 REQUIRED)
 endif()
 
 if (NOT BUILD_SHARED_LIBS AND NOT BUILD_STATIC_LIBS)
diff --git a/Makefile.am b/Makefile.am
index ee8b4a5..bd86733 100644
--- a/Makefile.am
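Review bot: With OpenSSL now the only backend, the version floor kept in the added `find_package(OpenSSL 0.9.8 REQUIRED)` line deserves a second look: the 0.9.8 and 1.0.0 series negotiate at most TLS 1.0 and were at end of support around this commit's date, so a `find_package(OpenSSL 1.0.1 REQUIRED)` floor here, mirrored by the `[openssl >= 0.9.8]` check in the configure.ac hunk, would keep builds off a TLS-1.0-only library unless amqp_openssl.c, which is outside this diff, pins protocol versions itself. Separately, dropping the `SSL_ENGINE` cache entry means a stale build cache or a `-DSSL_ENGINE=GnuTLS` on the command line now silently configures OpenSSL; a guard such as `if(DEFINED SSL_ENGINE AND NOT SSL_ENGINE STREQUAL "OpenSSL") message(FATAL_ERROR "SSL_ENGINE is no longer supported; only OpenSSL is available") endif()` placed inside the `if (ENABLE_SSL_SUPPORT)` block would tell users their selection was removed rather than ignored.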
+++ b/Makefile.am @@ -40,15 +40,6 @@ librabbitmq_librabbitmq_la_SOURCES = \ librabbitmq/amqp_time.h \ librabbitmq/amqp_url.c - -if SSL_CYASSL -librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp_cyassl.c -endif - -if SSL_GNUTLS -librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp_gnutls.c -endif - if SSL_OPENSSL librabbitmq_librabbitmq_la_SOURCES += \ librabbitmq/amqp_hostcheck.c \ @@ -59,10 +50,6 @@ librabbitmq_librabbitmq_la_CFLAGS += -Wno-deprecated-declarations endif endif -if SSL_POLARSSL -librabbitmq_librabbitmq_la_SOURCES += librabbitmq/amqp_polarssl.c -endif - if OS_UNIX librabbitmq_librabbitmq_la_SOURCES += librabbitmq/unix/threads.h librabbitmq_librabbitmq_la_CFLAGS += -I$(top_srcdir)/librabbitmq/unix diff --git a/configure.ac b/configure.ac index 49163b7..c439dbb 100644 --- a/configure.ac +++ b/configure.ac 
@@ -130,30 +130,19 @@ AX_HAVE_POLL([AC_DEFINE([HAVE_POLL], [], ["Have poll()"])], # Configure SSL/TLS AC_ARG_WITH([ssl], - [AS_HELP_STRING([--with-ssl=@<:@cyassl/gnutls/no/openssl/polarssl/yes@:>@], - [enable SSL/TLS support @<:@default=openssl@:>@])], - [AS_CASE([$withval], - [yes], [with_ssl=openssl], - [*], [with_ssl=$withval])], - [with_ssl=openssl]) - -AS_IF([test "x$with_ssl" = "xcyassl"], - [PKG_CHECK_MODULES([SSL], [libcyassl],, [with_ssl=no])], - [test "x$with_ssl" = "xgnutls"], - [PKG_CHECK_MODULES([SSL], [gnutls],, [with_ssl=no])], - [test "x$with_ssl" = "xopenssl"], + [AS_HELP_STRING([--with-ssl=@<:@no/openssl/yes@:>@], + [enable SSL/TLS support @<:@default=openssl@:>@])], + [AS_CASE([$withval], + [yes], [with_ssl=openssl], + [*], [with_ssl=$withval])], + [with_ssl=openssl]) + +AS_IF([test "x$with_ssl" = "xopenssl"], [PKG_CHECK_MODULES([SSL], [openssl >= 0.9.8], [ssl_pkg_required=openssl], [with_ssl=no])], - [test "x$with_ssl" = "xpolarssl"], - [AX_LIB_POLARSSL([SSL_CFLAGS=$POLARSSL_CFLAGS - SSL_LIBS=$POLARSSL_LIBS], - [with_ssl=no])], [test "x$with_ssl" = "xno"],, [AC_MSG_ERROR([unknown SSL/TLS implementation: $with_ssl])]) -AM_CONDITIONAL([SSL_CYASSL], [test "x$with_ssl" = "xcyassl"]) -AM_CONDITIONAL([SSL_GNUTLS], [test "x$with_ssl" = "xgnutls"]) AM_CONDITIONAL([SSL_OPENSSL], [test "x$with_ssl" = "xopenssl"]) -AM_CONDITIONAL([SSL_POLARSSL], [test "x$with_ssl" = "xpolarssl"]) AM_CONDITIONAL([SSL], [test "x$with_ssl" != "xno"]) AS_IF([test "x$with_ssl" != "xno"], [AC_DEFINE([WITH_SSL], [1], [Define to 1 if SSL/TLS is enabled.])]) diff --git a/librabbitmq/CMakeLists.txt b/librabbitmq/CMakeLists.txt index 3c86094..103742a 100644 --- a/librabbitmq/CMakeLists.txt +++ b/librabbitmq/CMakeLists.txt 
@@ -80,38 +80,17 @@ if (ENABLE_SSL_SUPPORT)
   add_definitions(-DWITH_SSL=1)
   set(AMQP_SSL_SOCKET_H_PATH amqp_ssl_socket.h)
 
-  if (SSL_ENGINE STREQUAL "OpenSSL")
-    set(AMQP_SSL_SRCS ${AMQP_SSL_SOCKET_H_PATH}
-      amqp_openssl.c
-      amqp_hostcheck.c
-      amqp_hostcheck.h
-      )
-    include_directories(${OPENSSL_INCLUDE_DIR})
-    set(AMQP_SSL_LIBS ${OPENSSL_LIBRARIES})
-    if (APPLE)
-      # Apple has deprecated OpenSSL in 10.7+. This disables that warning.
-      set_source_files_properties(${AMQP_SSL_SRCS}
-        PROPERTIES COMPILE_FLAGS -Wno-deprecated-declarations)
-    endif()
-
-  elseif (SSL_ENGINE STREQUAL "cyaSSL")
-    set(AMQP_SSL_SRCS ${AMQP_SSL_SOCKET_H_PATH} amqp_cyassl.c)
-    include_directories(${CYASSL_INCLUDE_DIR})
-    set(AMQP_SSL_LIBS ${CYASSL_LIBRARIES})
-
-  elseif (SSL_ENGINE STREQUAL "GnuTLS")
-    set(AMQP_SSL_SRCS ${AMQP_SSL_SOCKET_H_PATH} amqp_gnutls.c)
-    include_directories(${GNUTLS_INCLUDE_DIR})
-    add_definitions(${GNUTLS_DEFINITIONS})
-    set(AMQP_SSL_LIBS ${GNUTLS_LIBRARIES})
-
-  elseif (SSL_ENGINE STREQUAL "PolarSSL")
-    set(AMQP_SSL_SRCS ${AMQP_SSL_SOCKET_H_PATH} amqp_polarssl.c)
-    include_directories(${POLARSSL_INCLUDE_DIR})
-    set(AMQP_SSL_LIBS ${POLARSSL_LIBRARIES})
-
-  else()
-    message(FATAL_ERROR "Unknown SSL_ENGINE ${SSL_ENGINE}")
+  set(AMQP_SSL_SRCS ${AMQP_SSL_SOCKET_H_PATH}
+    amqp_openssl.c
+    amqp_hostcheck.c
+    amqp_hostcheck.h
+    )
+  include_directories(${OPENSSL_INCLUDE_DIR})
+  set(AMQP_SSL_LIBS ${OPENSSL_LIBRARIES})
+  if (APPLE)
+    # Apple has deprecated OpenSSL in 10.7+. This disables that warning.
+    set_source_files_properties(${AMQP_SSL_SRCS}
+      PROPERTIES COMPILE_FLAGS -Wno-deprecated-declarations)
   endif()
 
   if (ENABLE_THREAD_SAFETY)
diff --git a/librabbitmq/amqp_cyassl.c b/librabbitmq/amqp_cyassl.c
deleted file mode 100644
index 05ce12e..0000000
--- a/librabbitmq/amqp_cyassl.c
+++ /dev/null
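Review bot: The retained `include_directories(${OPENSSL_INCLUDE_DIR})` is directory-scoped, so every target configured in this directory, not just the SSL sources, picks up OpenSSL's headers; since link inputs are already funnelled through `AMQP_SSL_LIBS`, the include path could go the same way, e.g. `set(AMQP_SSL_INCLUDE_DIRS ${OPENSSL_INCLUDE_DIR})` here and `target_include_directories(<librabbitmq target> PRIVATE ${AMQP_SSL_INCLUDE_DIRS})` where the library target is created, presumably later in this file outside the hunk. The APPLE-only `set_source_files_properties(${AMQP_SSL_SRCS} PROPERTIES COMPILE_FLAGS -Wno-deprecated-declarations)` is also applied to the two `.h` entries in `AMQP_SSL_SRCS`, which is harmless but could be limited to the `.c` files it is meant for. The enclosing `if (ENABLE_SSL_SUPPORT)` block starts before the hunk and continues past it.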
@@ -1,270 +0,0 @@ -/* vim:set ft=c ts=2 sw=2 sts=2 et cindent: */ -/* - * Copyright 2012-2013 Michael Steinert - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include "amqp_ssl_socket.h" -#include "amqp_private.h" -#include -#include -#include - -#ifndef AMQP_USE_UNTESTED_SSL_BACKEND -# error This SSL backend is alpha quality and likely contains errors.\ - -DAMQP_USE_UNTESTED_SSL_BACKEND to use this backend -#endif - -struct amqp_ssl_socket_t { - const struct amqp_socket_class_t *klass; - CYASSL_CTX *ctx; - CYASSL *ssl; - int sockfd; - char *buffer; - size_t length; - int last_error; -}; - -static ssize_t -amqp_ssl_socket_send(void *base, - const void *buf, - size_t len, - AMQP_UNUSED int flags) -{ - int status; - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - - self->last_error = 0; - status = CyaSSL_write(self->ssl, buf, len); - if (status <= 0) { - self->last_error = AMQP_STATUS_SSL_ERROR; - } - - return status; -} - -static ssize_t -amqp_ssl_socket_writev(void *base, - const struct iovec *iov, - int iovcnt) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - ssize_t written = -1; - char *bufferp; - size_t bytes; - int i; - self->last_error = 0; - bytes = 0; - for (i = 0; i < iovcnt; ++i) { - bytes += iov[i].iov_len; - } - if (self->length < bytes) { - free(self->buffer); - self->buffer = malloc(bytes); - if (!self->buffer) { - self->length = 0; - self->last_error = AMQP_STATUS_NO_MEMORY; - goto exit; - } - self->length = bytes; - } - bufferp = self->buffer; - for (i = 0; i < iovcnt; ++i) { - memcpy(bufferp, iov[i].iov_base, iov[i].iov_len); - bufferp += iov[i].iov_len; - } - written = amqp_ssl_socket_send(self, self->buffer, bytes, 0); -exit: - return written; -} - -static ssize_t -amqp_ssl_socket_recv(void *base, - void *buf, - size_t len, - AMQP_UNUSED int flags) -{ - int status; - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - - self->last_error = 0; - status = CyaSSL_read(self->ssl, buf, len); - if (status <= 0) { - self->last_error = AMQP_STATUS_SSL_ERROR; - } - - return status; -} - 
-static int -amqp_ssl_socket_get_sockfd(void *base) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - return self->sockfd; -} - -static int -amqp_ssl_socket_close(void *base) -{ - int status = -1; - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - if (self->sockfd >= 0) { - status = amqp_os_socket_close(self->sockfd); - } - if (self) { - CyaSSL_free(self->ssl); - CyaSSL_CTX_free(self->ctx); - free(self->buffer); - free(self); - } - return status; -} - -static int -amqp_ssl_socket_error(void *base) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - return self->last_error; -} - -char * -amqp_ssl_error_string(AMQP_UNUSED int err) -{ - return strdup("A ssl socket error occurred."); -} - -static int -amqp_ssl_socket_open(void *base, const char *host, int port, struct timeval *timeout) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - int status; - self->last_error = 0; - - self->ssl = CyaSSL_new(self->ctx); - if (NULL == self->ssl) { - self->last_error = AMQP_STATUS_SSL_ERROR; - return -1; - } - - self->sockfd = amqp_open_socket_noblock(host, port, timeout); - if (0 > self->sockfd) { - self->last_error = - self->sockfd; - return -1; - } - CyaSSL_set_fd(self->ssl, self->sockfd); - status = CyaSSL_connect(self->ssl); - if (SSL_SUCCESS != status) { - self->last_error = AMQP_STATUS_SSL_ERROR; - return -1; - } - return 0; -} - -static const struct amqp_socket_class_t amqp_ssl_socket_class = { - amqp_ssl_socket_writev, /* writev */ - amqp_ssl_socket_send, /* send */ - amqp_ssl_socket_recv, /* recv */ - amqp_ssl_socket_open, /* open */ - amqp_ssl_socket_close, /* close */ - amqp_ssl_socket_error, /* error */ - amqp_ssl_socket_get_sockfd /* get_sockfd */ -}; - -amqp_socket_t * -amqp_ssl_socket_new(void) -{ - struct amqp_ssl_socket_t *self = calloc(1, sizeof(*self)); - if (!self) { - goto error; - } - CyaSSL_Init(); - self->ctx = CyaSSL_CTX_new(CyaSSLv23_client_method()); - if 
(!self->ctx) { - goto error; - } - self->klass = &amqp_ssl_socket_class; - return (amqp_socket_t *)self; -error: - amqp_socket_close((amqp_socket_t *)self); - return NULL; -} - -int -amqp_ssl_socket_set_cacert(amqp_socket_t *base, - const char *cacert) -{ - int status; - struct amqp_ssl_socket_t *self; - if (base->klass != &amqp_ssl_socket_class) { - amqp_abort("<%p> is not of type amqp_ssl_socket_t", base); - } - self = (struct amqp_ssl_socket_t *)base; - status = CyaSSL_CTX_load_verify_locations(self->ctx, cacert, NULL); - if (SSL_SUCCESS != status) { - return -1; - } - return 0; -} - -int -amqp_ssl_socket_set_key(amqp_socket_t *base, - const char *cert, - const char *key) -{ - int status; - struct amqp_ssl_socket_t *self; - if (base->klass != &amqp_ssl_socket_class) { - amqp_abort("<%p> is not of type amqp_ssl_socket_t", base); - } - self = (struct amqp_ssl_socket_t *)base; - status = CyaSSL_CTX_use_PrivateKey_file(self->ctx, key, - SSL_FILETYPE_PEM); - if (SSL_SUCCESS != status) { - return -1; - } - status = CyaSSL_CTX_use_certificate_chain_file(self->ctx, cert); - return 0; -} - -int -amqp_ssl_socket_set_key_buffer(AMQP_UNUSED amqp_socket_t *base, - AMQP_UNUSED const char *cert, - AMQP_UNUSED const void *key, - AMQP_UNUSED size_t n) -{ - amqp_abort("%s is not implemented for CyaSSL", __func__); - return -1; -} - -void -amqp_ssl_socket_set_verify(AMQP_UNUSED amqp_socket_t *base, - AMQP_UNUSED amqp_boolean_t verify) -{ - /* noop for CyaSSL */ -} - -void -amqp_set_initialize_ssl_library(AMQP_UNUSED amqp_boolean_t do_initialize) -{ -} diff --git a/librabbitmq/amqp_gnutls.c b/librabbitmq/amqp_gnutls.c deleted file mode 100644 index f18d427..0000000 --- a/librabbitmq/amqp_gnutls.c +++ /dev/null 
@@ -1,362 +0,0 @@ -/* vim:set ft=c ts=2 sw=2 sts=2 et cindent: */ -/* - * Copyright 2012-2013 Michael Steinert - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include "amqp_ssl_socket.h" -#include "amqp_private.h" -#include -#include -#include -#include - -#ifndef AMQP_USE_UNTESTED_SSL_BACKEND -# error This SSL backend is alpha quality and likely contains errors.\ - -DAMQP_USE_UNTESTED_SSL_BACKEND to use this backend -#endif - -struct amqp_ssl_socket_t { - const struct amqp_socket_class_t *klass; - gnutls_session_t session; - gnutls_certificate_credentials_t credentials; - int sockfd; - char *host; - char *buffer; - size_t length; - int last_error; -}; - -static ssize_t -amqp_ssl_socket_send(void *base, - const void *buf, - size_t len, - AMQP_UNUSED int flags) -{ - ssize_t status; - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - - self->last_error = 0; - status = gnutls_record_send(self->session, buf, len); - if (status < 0) { - self->last_error = AMQP_STATUS_SSL_ERROR; - } - return status; -} - -static ssize_t -amqp_ssl_socket_writev(void *base, - const struct iovec *iov, - int iovcnt) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - ssize_t written = -1; - char *bufferp; - size_t bytes; - int i; - self->last_error = 0; - bytes = 0; - for (i = 0; i < iovcnt; ++i) { - bytes += iov[i].iov_len; - } - if (self->length < bytes) { - free(self->buffer); - self->buffer = malloc(bytes); - if (!self->buffer) { - self->length = 0; - self->last_error = AMQP_STATUS_NO_MEMORY; - goto exit; - } - self->length = 0; - } - bufferp = self->buffer; - for (i = 0; i < iovcnt; ++i) { - memcpy(bufferp, iov[i].iov_base, iov[i].iov_len); - bufferp += iov[i].iov_len; - } - written = amqp_ssl_socket_send(self, self->buffer, bytes, 0); -exit: - return written; -} - -static ssize_t -amqp_ssl_socket_recv(void *base, - void *buf, - size_t len, - AMQP_UNUSED int flags) -{ - ssize_t status; - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - - self->last_error = 0; - status = gnutls_record_recv(self->session, buf, len); - if 
(status < 0) { - self->last_error = AMQP_STATUS_SSL_ERROR; - } - - return status; -} - -static int -amqp_ssl_socket_open(void *base, const char *host, int port, struct timeval *timeout) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - int status; - self->last_error = 0; - - free(self->host); - self->host = strdup(host); - if (NULL == self->host) { - self->last_error = AMQP_STATUS_NO_MEMORY; - return -1; - } - - self->sockfd = amqp_open_socket_noblock(host, port, timeout); - if (0 > self->sockfd) { - self->last_error = -self->sockfd; - return -1; - } - gnutls_transport_set_ptr(self->session, - (gnutls_transport_ptr_t)self->sockfd); - do { - status = gnutls_handshake(self->session); - } while (status < 0 && !gnutls_error_is_fatal(status)); - - if (gnutls_error_is_fatal(status)) { - self->last_error = AMQP_STATUS_SSL_ERROR; - } - - return status; -} - -static int -amqp_ssl_socket_close(void *base) -{ - int status = -1; - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - if (self->sockfd >= 0) { - status = amqp_os_socket_close(self->sockfd); - } - if (self) { - gnutls_deinit(self->session); - gnutls_certificate_free_credentials(self->credentials); - free(self->host); - free(self->buffer); - free(self); - } - return status; -} - -static int -amqp_ssl_socket_error(void *base) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - return self->last_error; -} - -char * -amqp_ssl_error_string(AMQP_UNUSED int err) -{ - return strdup("A SSL error occurred"); -} - -static int -amqp_ssl_socket_get_sockfd(void *base) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - return self->sockfd; -} - -static int -amqp_ssl_verify(gnutls_session_t session) -{ - int ret; - unsigned int status, size; - const gnutls_datum_t *list; - gnutls_x509_crt_t cert = NULL; - struct amqp_ssl_socket_t *self = gnutls_session_get_ptr(session); - ret = gnutls_certificate_verify_peers2(session, &status); - if (0 > ret) { - 
goto error; - } - if (status & GNUTLS_CERT_INVALID) { - goto error; - } - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) { - goto error; - } - if (status & GNUTLS_CERT_REVOKED) { - goto error; - } - if (status & GNUTLS_CERT_EXPIRED) { - goto error; - } - if (status & GNUTLS_CERT_NOT_ACTIVATED) { - goto error; - } - if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) { - goto error; - } - if (gnutls_x509_crt_init(&cert) < 0) { - goto error; - } - list = gnutls_certificate_get_peers(session, &size); - if (!list) { - goto error; - } - ret = gnutls_x509_crt_import(cert, &list[0], GNUTLS_X509_FMT_DER); - if (0 > ret) { - goto error; - } - if (!gnutls_x509_crt_check_hostname(cert, self->host)) { - goto error; - } - gnutls_x509_crt_deinit(cert); - return 0; -error: - if (cert) { - gnutls_x509_crt_deinit (cert); - } - return GNUTLS_E_CERTIFICATE_ERROR; -} - -static const struct amqp_socket_class_t amqp_ssl_socket_class = { - amqp_ssl_socket_writev, /* writev */ - amqp_ssl_socket_send, /* send */ - amqp_ssl_socket_recv, /* recv */ - amqp_ssl_socket_open, /* open */ - amqp_ssl_socket_close, /* close */ - amqp_ssl_socket_error, /* error */ - amqp_ssl_socket_get_sockfd /* get_sockfd */ -}; - -amqp_socket_t * -amqp_ssl_socket_new(void) -{ - struct amqp_ssl_socket_t *self = calloc(1, sizeof(*self)); - const char *error; - int status; - if (!self) { - goto error; - } - gnutls_global_init(); - status = gnutls_init(&self->session, GNUTLS_CLIENT); - if (GNUTLS_E_SUCCESS != status) { - goto error; - } - status = gnutls_certificate_allocate_credentials(&self->credentials); - if (GNUTLS_E_SUCCESS != status) { - goto error; - } - gnutls_certificate_set_verify_function(self->credentials, - amqp_ssl_verify); - status = gnutls_credentials_set(self->session, GNUTLS_CRD_CERTIFICATE, - self->credentials); - if (GNUTLS_E_SUCCESS != status) { - goto error; - } - gnutls_session_set_ptr(self->session, self); - status = gnutls_priority_set_direct(self->session, "NORMAL", &error); - if 
(GNUTLS_E_SUCCESS != status) { - goto error; - } - self->klass = &amqp_ssl_socket_class; - return (amqp_socket_t *)self; -error: - amqp_socket_close((amqp_socket_t *)self); - return NULL; -} - -int -amqp_ssl_socket_set_cacert(amqp_socket_t *base, - const char *cacert) -{ - int status; - struct amqp_ssl_socket_t *self; - if (base->klass != &amqp_ssl_socket_class) { - amqp_abort("<%p> is not of type amqp_ssl_socket_t", base); - } - self = (struct amqp_ssl_socket_t *)base; - status = gnutls_certificate_set_x509_trust_file(self->credentials, - cacert, - GNUTLS_X509_FMT_PEM); - if (0 > status) { - return -1; - } - return 0; -} - -int -amqp_ssl_socket_set_key(amqp_socket_t *base, - const char *cert, - const char *key) -{ - int status; - struct amqp_ssl_socket_t *self; - if (base->klass != &amqp_ssl_socket_class) { - amqp_abort("<%p> is not of type amqp_ssl_socket_t", base); - } - self = (struct amqp_ssl_socket_t *)base; - status = gnutls_certificate_set_x509_key_file(self->credentials, - cert, - key, - GNUTLS_X509_FMT_PEM); - if (0 > status) { - return -1; - } - return 0; -} - -int -amqp_ssl_socket_set_key_buffer(AMQP_UNUSED amqp_socket_t *base, - AMQP_UNUSED const char *cert, - AMQP_UNUSED const void *key, - AMQP_UNUSED size_t n) -{ - amqp_abort("%s is not implemented for GnuTLS", __func__); - return -1; -} - -void -amqp_ssl_socket_set_verify(amqp_socket_t *base, - amqp_boolean_t verify) -{ - struct amqp_ssl_socket_t *self; - if (base->klass != &amqp_ssl_socket_class) { - amqp_abort("<%p> is not of type amqp_ssl_socket_t", base); - } - self = (struct amqp_ssl_socket_t *)base; - if (verify) { - gnutls_certificate_set_verify_function(self->credentials, - amqp_ssl_verify); - } else { - gnutls_certificate_set_verify_function(self->credentials, - NULL); - } -} - -void -amqp_set_initialize_ssl_library(AMQP_UNUSED amqp_boolean_t do_initialize) -{ -} diff --git a/librabbitmq/amqp_polarssl.c b/librabbitmq/amqp_polarssl.c deleted file mode 100644 index bae3141..0000000 
--- a/librabbitmq/amqp_polarssl.c +++ /dev/null 
@@ -1,362 +0,0 @@ -/* vim:set ft=c ts=2 sw=2 sts=2 et cindent: */ -/* - * Copyright 2012-2013 Michael Steinert - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER - * DEALINGS IN THE SOFTWARE. 
- */ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include "amqp_ssl_socket.h" -#include "amqp_private.h" -#include -#include -#include -#include -#include -#include -#include - -#ifndef AMQP_USE_UNTESTED_SSL_BACKEND -# error This SSL backend is alpha quality and likely contains errors.\ - -DAMQP_USE_UNTESTED_SSL_BACKEND to use this backend -#endif - -struct amqp_ssl_socket_t { - const struct amqp_socket_class_t *klass; - int sockfd; - entropy_context *entropy; - ctr_drbg_context *ctr_drbg; - x509_cert *cacert; - rsa_context *key; - x509_cert *cert; - ssl_context *ssl; - ssl_session *session; - char *buffer; - size_t length; - int last_error; -}; - -static ssize_t -amqp_ssl_socket_send(void *base, - const void *buf, - size_t len, - AMQP_UNUSED int flags) -{ - ssize_t status; - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - - self->last_error = 0; - status = ssl_write(self->ssl, buf, len); - if (status < 0) { - self->last_error = AMQP_STATUS_SSL_ERROR; - } - - return status; -} - -static ssize_t -amqp_ssl_socket_writev(void *base, - const struct iovec *iov, - int iovcnt) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - ssize_t written = -1; - char *bufferp; - size_t bytes; - int i; - self->last_error = 0; - bytes = 0; - for (i = 0; i < iovcnt; ++i) { - bytes += iov[i].iov_len; - } - if (self->length < bytes) { - free(self->buffer); - self->buffer = malloc(bytes); - if (!self->buffer) { - self->length = 0; - self->last_error = AMQP_STATUS_NO_MEMORY; - goto exit; - } - self->length = bytes; - } - bufferp = self->buffer; - for (i = 0; i < iovcnt; ++i) { - memcpy(bufferp, iov[i].iov_base, iov[i].iov_len); - bufferp += iov[i].iov_len; - } - written = amqp_ssl_socket_send(self, (const unsigned char *)self->buffer, - bytes, 0); -exit: - return written; -} - -static ssize_t -amqp_ssl_socket_recv(void *base, - void *buf, - size_t len, - AMQP_UNUSED int flags) -{ - ssize_t status; - struct amqp_ssl_socket_t *self = 
(struct amqp_ssl_socket_t *)base; - - self->last_error = 0; - status = ssl_read(self->ssl, buf, len); - if (status < 0) { - self->last_error = AMQP_STATUS_SSL_ERROR; - } - - return status; -} - -static int -amqp_ssl_socket_open(void *base, const char *host, int port, struct timeval *timeout) -{ - int status; - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - self->last_error = 0; - - if (timeout && (timeout->tv_sec != 0 || timeout->tv_usec != 0)) { - /* We don't support PolarSSL for now because it uses its own connect() wrapper - * It is not too hard to implement net_connect() with noblock support, - * but then we will have to maintain that piece of code and keep it synced with main PolarSSL code base - */ - return AMQP_STATUS_INVALID_PARAMETER; - } - - status = net_connect(&self->sockfd, host, port); - if (status) { - /* This isn't quite right. We should probably translate between - * POLARSSL_ERR_* to our internal error codes - */ - self->last_error = AMQP_STATUS_SSL_ERROR; - return -1; - } - if (self->cacert) { - ssl_set_ca_chain(self->ssl, self->cacert, NULL, host); - } - ssl_set_bio(self->ssl, net_recv, &self->sockfd, - net_send, &self->sockfd); - if (self->key && self->cert) { - ssl_set_own_cert(self->ssl, self->cert, self->key); - } - while (0 != (status = ssl_handshake(self->ssl))) { - switch (status) { - case POLARSSL_ERR_NET_WANT_READ: - case POLARSSL_ERR_NET_WANT_WRITE: - continue; - default: - self->last_error = AMQP_STATUS_SSL_ERROR; - break; - } - } - return status; -} - -static int -amqp_ssl_socket_close(void *base) -{ - int status = -1; - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - if (self) { - free(self->entropy); - free(self->ctr_drbg); - x509_free(self->cacert); - free(self->cacert); - rsa_free(self->key); - free(self->key); - x509_free(self->cert); - free(self->cert); - ssl_free(self->ssl); - free(self->ssl); - free(self->session); - free(self->buffer); - if (self->sockfd >= 0) { - 
net_close(self->sockfd); - status = 0; - } - free(self); - } - return status; -} - -static int -amqp_ssl_socket_error(AMQP_UNUSED void *user_data) -{ - return AMQP_STATUS_SSL_ERROR; -} - -char * -amqp_ssl_error_string(AMQP_UNUSED int err) -{ - return strdup("A SSL socket error occurred"); -} - -static int -amqp_ssl_socket_get_sockfd(void *base) -{ - struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; - return self->sockfd; -} - -static const struct amqp_socket_class_t amqp_ssl_socket_class = { - amqp_ssl_socket_writev, /* writev */ - amqp_ssl_socket_send, /* send */ - amqp_ssl_socket_recv, /* recv */ - amqp_ssl_socket_open, /* open */ - amqp_ssl_socket_close, /* close */ - amqp_ssl_socket_error, /* error */ - amqp_ssl_socket_get_sockfd /* get_sockfd */ -}; - -amqp_socket_t * -amqp_ssl_socket_new(void) -{ - struct amqp_ssl_socket_t *self = calloc(1, sizeof(*self)); - int status; - if (!self) { - goto error; - } - self->entropy = calloc(1, sizeof(*self->entropy)); - if (!self->entropy) { - goto error; - } - self->sockfd = -1; - entropy_init(self->entropy); - self->ctr_drbg = calloc(1, sizeof(*self->ctr_drbg)); - if (!self->ctr_drbg) { - goto error; - } - status = ctr_drbg_init(self->ctr_drbg, entropy_func, self->entropy, - NULL, 0); - if (status) { - goto error; - } - self->ssl = calloc(1, sizeof(*self->ssl)); - if (!self->ssl) { - goto error; - } - status = ssl_init(self->ssl); - if (status) { - goto error; - } - ssl_set_endpoint(self->ssl, SSL_IS_CLIENT); - ssl_set_rng(self->ssl, ctr_drbg_random, self->ctr_drbg); - ssl_set_ciphersuites(self->ssl, ssl_default_ciphersuites); - ssl_set_authmode(self->ssl, SSL_VERIFY_REQUIRED); - self->session = calloc(1, sizeof(*self->session)); - if (!self->session) { - goto error; - } -#if POLARSSL_VERSION_NUMBER >= 0x01020000 - ssl_set_session(self->ssl, self->session); -#else - ssl_set_session(self->ssl, 0, 0, self->session); -#endif - - self->klass = &amqp_ssl_socket_class; - return (amqp_socket_t *)self; -error: - 
amqp_socket_close((amqp_socket_t *)self); - return NULL; -} - -int -amqp_ssl_socket_set_cacert(amqp_socket_t *base, - const char *cacert) -{ - int status; - struct amqp_ssl_socket_t *self; - if (base->klass != &amqp_ssl_socket_class) { - amqp_abort("<%p> is not of type amqp_ssl_socket_t", base); - } - self = (struct amqp_ssl_socket_t *)base; - self->cacert = calloc(1, sizeof(*self->cacert)); - if (!self->cacert) { - return -1; - } - status = x509parse_crtfile(self->cacert, cacert); - if (status) { - return -1; - } - return 0; -} - -int -amqp_ssl_socket_set_key(amqp_socket_t *base, - const char *cert, - const char *key) -{ - int status; - struct amqp_ssl_socket_t *self; - if (base->klass != &amqp_ssl_socket_class) { - amqp_abort("<%p> is not of type amqp_ssl_socket_t", base); - } - self = (struct amqp_ssl_socket_t *)base; - self->key = calloc(1, sizeof(*self->key)); - if (!self->key) { - return -1; - } - status = x509parse_keyfile(self->key, key, NULL); - if (status) { - return -1; - } - self->cert = calloc(1, sizeof(*self->cert)); - if (!self->cert) { - return -1; - } - status = x509parse_crtfile(self->cert, cert); - if (status) { - return -1; - } - return 0; -} - -int -amqp_ssl_socket_set_key_buffer(AMQP_UNUSED amqp_socket_t *base, - AMQP_UNUSED const char *cert, - AMQP_UNUSED const void *key, - AMQP_UNUSED size_t n) -{ - amqp_abort("%s is not implemented for PolarSSL", __func__); - return -1; -} - -void -amqp_ssl_socket_set_verify(amqp_socket_t *base, - amqp_boolean_t verify) -{ - struct amqp_ssl_socket_t *self; - if (base->klass != &amqp_ssl_socket_class) { - amqp_abort("<%p> is not of type amqp_ssl_socket_t", base); - } - self = (struct amqp_ssl_socket_t *)base; - if (verify) { - ssl_set_authmode(self->ssl, SSL_VERIFY_REQUIRED); - } else { - ssl_set_authmode(self->ssl, SSL_VERIFY_NONE); - } -} - -void -amqp_set_initialize_ssl_library(AMQP_UNUSED amqp_boolean_t do_initialize) -{ -} 
diff --git a/m4/polarssl.m4 b/m4/polarssl.m4 deleted file mode 100644 index 2c87bbd..0000000 --- a/m4/polarssl.m4 +++ /dev/null 
@@ -1,75 +0,0 @@ -# polarssl.m4 - Check for PolarSSL -# -# Copyright 2012 Michael Steinert -# -# Permission is hereby granted, free of charge, to any person obtaining -# a copy of this software and associated documentation files (the -# "Software"), to deal in the Software without restriction, including -# without limitation the rights to use, copy, modify, merge, publish, -# distribute, sublicense, and/or sell copies of the Software, and to -# permit persons to whom the Software is furnished to do so, subject to -# the following conditions: -# -# The above copyright notice and this permission notice shall be -# included in all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT -# SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, -# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR -# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR -# THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -#serial 1 - -# _AX_LIB_POLARSSL -# ---------------- -# Check for the PolarSSL library and header file. If found the cache variable -# ax_cv_have_polarssl will be set to yes. 
-AC_DEFUN([_AX_LIB_POLARSSL], -[dnl -ax_cv_have_polarssl=no -_ax_polarssl_h=no -_ax_polarssl_lib=no -AC_ARG_VAR([POLARSSL_CFLAGS], - [C compiler flags for PolarSSL, overriding defaults]) -AC_ARG_VAR([POLARSSL_LIBS], [linker flags for PolarSSL, overriding defaults]) -AC_CHECK_HEADERS([polarssl/ssl.h], - [_ax_polarssl_h=yes],, - [$POLARSSL_CFLAGS]) -AS_IF([test "x$POLARSSL_LIBS" = "x"], - [AC_CHECK_LIB([polarssl], [entropy_init], - [POLARSSL_LIBS=-lpolarssl - _ax_polarssl_lib=yes])], - [_ax_polarssl_cflags=$CFLAGS - CFLAGS="$POLARSSL_CFLAGS $CFLAGS" - _ax_polarssl_ldflags=$LDFLAGS - LDFLAGS="$POLARSSL_LIBS $LDFLAGS" - AC_MSG_CHECKING([for libpolarssl]) - AC_TRY_LINK([#include ], - [entropy_init(NULL)], - [AC_MSG_RESULT([$POLARSSL_LIBS]) - _ax_polarssl_lib=yes], - [AC_MSG_RESULT([no])]) - CFLAGS=$_ax_polarssl_cflags - LDFLAGS=$_ax_polarssl_ldflags]) -AS_IF([test "x$_ax_polarssl_h" = "xyes" && \ - test "x$_ax_polarssl_lib" = "xyes"], - [ax_cv_have_polarssl=yes]) -])dnl - -# AX_LIB_POLARSSL([ACTION-IF-TRUE], [ACTION-IF-FALSE]) -# ------------------------------------------------ -# Check if PolarSSL is installed. If found the variable ax_have_polarssl will -# be set to yes. -# ACTION-IF-TRUE: commands to execute if PolarSSL is installed -# ACTION-IF-FALSE: commands to execute if PoloarSSL is not installed -AC_DEFUN([AX_LIB_POLARSSL], -[dnl -AC_CACHE_VAL([ax_cv_have_polarssl], [_AX_LIB_POLARSSL]) -ax_have_polarssl=$ax_cv_have_polarssl -AS_IF([test "x$ax_have_polarssl" = "xyes"], - [AC_DEFINE([HAVE_POLARSSL], [1], [Define to 1 if PolarSSL is available.]) - $1], [$2]) -])dnl -- cgit v1.2.1