1
0
mirror of https://github.com/irssi/irssi.git synced 2024-11-03 04:27:19 -05:00
irssi/debian/patches/06gnutls-support.dpatch

594 lines
16 KiB
Plaintext
Raw Normal View History

#! /bin/sh /usr/share/dpatch/dpatch-run
## 06gnutls-support.dpatch by David Pashley <david@davidpashley.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad --exclude=CVS --exclude=.svn ./configure.in /tmp/dpep-work.Xa2n5L/irssi/configure.in
--- ./configure.in 2005-07-17 16:00:49.000000000 +0300
+++ /tmp/dpep-work.Xa2n5L/irssi/configure.in 2005-07-17 16:46:18.000000000 +0300
@@ -222,7 +222,11 @@
AC_ARG_ENABLE(ssl,
[ --disable-ssl Disable Secure Sockets Layer support],,
enable_ssl=yes)
-
+if test "$enable_ssl" = "yes"; then
+ AM_PATH_LIBGNUTLS(1.0.16, have_gnutls="true", have_gnutls="false")
+ AC_DEFINE(HAVE_GNUTLS,, Build with GNUTLS support)
+fi
+AM_CONDITIONAL(HAVE_GNUTLS, test "x$have_gnutls" = "xtrue")
dnl **
dnl ** just some generic stuff...
dnl **
diff -urNad --exclude=CVS --exclude=.svn ./src/core/Makefile.am /tmp/dpep-work.Xa2n5L/irssi/src/core/Makefile.am
--- ./src/core/Makefile.am 2005-07-17 16:00:43.000000000 +0300
+++ /tmp/dpep-work.Xa2n5L/irssi/src/core/Makefile.am 2005-07-17 16:46:18.000000000 +0300
@@ -7,6 +7,12 @@
-DSYSCONFDIR=\""$(sysconfdir)"\" \
-DMODULEDIR=\""$(libdir)/irssi/modules"\"
+#if HAVE_OPENSSL
+#SSL = network-openssl.c
+#else
+SSL = network-gnutls.c
+#endif
+
libcore_a_SOURCES = \
args.c \
channels.c \
@@ -30,7 +36,7 @@
net-nonblock.c \
net-sendbuffer.c \
network.c \
- network-openssl.c \
+ $(SSL) \
nicklist.c \
nickmatch-cache.c \
pidwait.c \
diff -urNad --exclude=CVS --exclude=.svn ./src/core/network-gnutls.c /tmp/dpep-work.Xa2n5L/irssi/src/core/network-gnutls.c
--- ./src/core/network-gnutls.c 1970-01-01 02:00:00.000000000 +0200
+++ /tmp/dpep-work.Xa2n5L/irssi/src/core/network-gnutls.c 2005-07-17 16:46:18.000000000 +0300
@@ -0,0 +1,514 @@
+/*
+ network-ssl.c : SSL support
+
+ Copyright (C) 2002 vjt
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+
+#include "module.h"
+#include "network.h"
+#include "misc.h"
+
+#define HAVE_GNUTLS
+
+#ifdef HAVE_GNUTLS
+
+#include <gnutls/gnutls.h>
+#include <gnutls/extra.h>
+#include <gnutls/x509.h>
+
+/* ssl i/o channel object */
+typedef struct
+{
+ GIOChannel pad;
+ gint fd;
+ GIOChannel *giochan;
+ gnutls_session session;
+ unsigned int got_cert:1;
+ unsigned int verify:1;
+ unsigned int have_handshaked:1;
+ gnutls_anon_client_credentials anon_cred;
+ gnutls_certificate_credentials xcred;
+} GIOSSLChannel;
+
+static void irssi_ssl_free(GIOChannel *handle)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ g_io_channel_unref(chan->giochan);
+ gnutls_bye(chan->session, GNUTLS_SHUT_RDWR);
+ gnutls_deinit(chan->session);
+ g_free(chan);
+}
+
+/*static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, X509 *cert)
+{
+ if (SSL_get_verify_result(ssl) != X509_V_OK) {
+ unsigned char md[EVP_MAX_MD_SIZE];
+ unsigned int n;
+ char *str;
+
+ g_warning("Could not verify SSL servers certificate:");
+ if ((str = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0)) == NULL)
+ g_warning(" Could not get subject-name from peer certificate");
+ else {
+ g_warning(" Subject : %s", str);
+ free(str);
+ }
+ if ((str = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0)) == NULL)
+ g_warning(" Could not get issuer-name from peer certificate");
+ else {
+ g_warning(" Issuer : %s", str);
+ free(str);
+ }
+ if (! X509_digest(cert, EVP_md5(), md, &n))
+ g_warning(" Could not get fingerprint from peer certificate");
+ else {
+ char hex[] = "0123456789ABCDEF";
+ char fp[EVP_MAX_MD_SIZE*3];
+ if (n < sizeof(fp)) {
+ unsigned int i;
+ for (i = 0; i < n; i++) {
+ fp[i*3+0] = hex[(md[i] >> 4) & 0xF];
+ fp[i*3+1] = hex[(md[i] >> 0) & 0xF];
+ fp[i*3+2] = i == n - 1 ? '\0' : ':';
+ }
+ g_warning(" MD5 Fingerprint : %s", fp);
+ }
+ }
+ return FALSE;
+ }
+ return TRUE;
+}
+*/
+
+int irssi_ssl_handshake(GIOChannel *handle) {
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ int ret;
+ while(1) {
+ fd_set fds_read;
+ fd_set fds_write;
+ struct timeval timeout={1,0};
+
+ ret = gnutls_handshake(chan->session);
+
+ if((ret != GNUTLS_E_AGAIN) &&
+ (ret != GNUTLS_E_INTERRUPTED))
+ break;
+
+ FD_ZERO(&fds_read);
+ FD_ZERO(&fds_write);
+
+ FD_SET(chan->fd, &fds_read);
+ FD_SET(chan->fd, &fds_write);
+ select(chan->fd+1, &fds_read, &fds_write, NULL, &timeout);
+ }
+ if (ret < 0) {
+ g_warning( "*** Handshake failed: %s", gnutls_strerror(ret));
+ if (ret == GNUTLS_E_FATAL_ALERT_RECEIVED) {
+ g_warning( "*** alert: %s", gnutls_alert_get_name (gnutls_alert_get (chan->session)));
+ }
+
+
+ } else {
+ chan->have_handshaked = 1;
+ g_warning("- Handshake was completed");
+ }
+
+ return ret;
+
+}
+#if GLIB_MAJOR_VERSION < 2
+
+#ifdef G_CAN_INLINE
+G_INLINE_FUNC
+#else
+static
+#endif
+GIOError ssl_errno(gint e)
+{
+ switch(e)
+ {
+ case EINVAL:
+ return G_IO_ERROR_INVAL;
+ case EINTR:
+ case EAGAIN:
+ return G_IO_ERROR_AGAIN;
+ default:
+ return G_IO_ERROR_INVAL;
+ }
+ /*UNREACH*/
+ return G_IO_ERROR_INVAL;
+}
+
+static GIOError irssi_ssl_cert_step(GIOSSLChannel *chan)
+{
+ g_warning("irssi_ssl_cert_step");
+ /*UNREACH*/
+ return G_IO_ERROR_INVAL;
+}
+
+static GIOError irssi_ssl_read(GIOChannel *handle, gchar *buf, guint len, guint *ret)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ gint err;
+
+ err = gnutls_record_recv(chan->session, buf, len);
+ if(err < 0) {
+ *ret = 0;
+ return ssl_errno(errno);
+ } else {
+ *ret = err;
+ return G_IO_ERROR_NONE;
+ }
+ /*UNREACH*/
+ return -1;
+}
+
+static GIOError irssi_ssl_write(GIOChannel *handle, gchar *buf, guint len, guint *ret)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ gint err;
+
+
+ err = gnutls_record_send(chan->session, buf, len);
+ if(err < 0)
+ {
+ *ret = 0;
+ return ssl_errno(errno);
+ }
+ else
+ {
+ *ret = err;
+ return G_IO_ERROR_NONE;
+ }
+ /*UNREACH*/
+ return G_IO_ERROR_INVAL;
+}
+
+static GIOError irssi_ssl_seek(GIOChannel *handle, gint offset, GSeekType type)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ GIOError e;
+ e = g_io_channel_seek(chan->giochan, offset, type);
+ return (e == G_IO_ERROR_NONE) ? G_IO_ERROR_NONE : G_IO_ERROR_INVAL;
+}
+
+static void irssi_ssl_close(GIOChannel *handle)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ g_io_channel_close(chan->giochan);
+}
+
+static guint irssi_ssl_create_watch(GIOChannel *handle, gint priority, GIOCondition cond,
+ GIOFunc func, gpointer data, GDestroyNotify notify)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+
+ return chan->giochan->funcs->io_add_watch(handle, priority, cond, func, data, notify);
+}
+
+/* ssl function pointers */
+static GIOFuncs irssi_ssl_channel_funcs =
+{
+ irssi_ssl_read,
+ irssi_ssl_write,
+ irssi_ssl_seek,
+ irssi_ssl_close,
+ irssi_ssl_create_watch,
+ irssi_ssl_free
+};
+
+#else /* GLIB_MAJOR_VERSION < 2 */
+
+#ifdef G_CAN_INLINE
+G_INLINE_FUNC
+#else
+static
+#endif
+GIOStatus ssl_errno(gint e)
+{
+ switch(e)
+ {
+ case EINVAL:
+ return G_IO_STATUS_ERROR;
+ case EINTR:
+ case EAGAIN:
+ return G_IO_STATUS_AGAIN;
+ default:
+ return G_IO_STATUS_ERROR;
+ }
+ /*UNREACH*/
+ return G_IO_STATUS_ERROR;
+}
+
+static GIOStatus irssi_ssl_cert_step(GIOSSLChannel *chan)
+{
+ g_warning("irssi_ssl_cert_step");
+ /*UNREACH*/
+ return G_IO_STATUS_ERROR;
+}
+
+static GIOStatus irssi_ssl_read(GIOChannel *handle, gchar *buf, guint len, guint *ret, GError **gerr)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ gint err;
+ if (!chan->have_handshaked) {
+ irssi_ssl_handshake(handle);
+ }
+
+
+ err = gnutls_record_recv(chan->session, buf, len);
+ if(err < 0)
+ {
+ *ret = 0;
+ return ssl_errno(errno);
+ }
+ else
+ {
+ *ret = err;
+ return G_IO_STATUS_NORMAL;
+ }
+ /*UNREACH*/
+ return G_IO_STATUS_ERROR;
+}
+
+static GIOStatus irssi_ssl_write(GIOChannel *handle, const gchar *buf, gsize len, gsize *ret, GError **gerr)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ gint err;
+
+ if (!chan->have_handshaked) {
+ irssi_ssl_handshake(handle);
+ }
+
+
+ err = gnutls_record_send(chan->session, buf, len);
+ if(err < 0)
+ {
+ *ret = 0;
+ return ssl_errno(errno);
+ }
+ else
+ {
+ *ret = err;
+ return G_IO_STATUS_NORMAL;
+ }
+ /*UNREACH*/
+ return G_IO_STATUS_ERROR;
+}
+
+static GIOStatus irssi_ssl_seek(GIOChannel *handle, gint64 offset, GSeekType type, GError **gerr)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ GIOError e;
+ e = g_io_channel_seek(chan->giochan, offset, type);
+ return (e == G_IO_ERROR_NONE) ? G_IO_STATUS_NORMAL : G_IO_STATUS_ERROR;
+}
+
+static GIOStatus irssi_ssl_close(GIOChannel *handle, GError **gerr)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+ g_io_channel_close(chan->giochan);
+
+ return G_IO_STATUS_NORMAL;
+}
+
+static GSource *irssi_ssl_create_watch(GIOChannel *handle, GIOCondition cond)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+
+ return chan->giochan->funcs->io_create_watch(handle, cond);
+}
+
+static GIOStatus irssi_ssl_set_flags(GIOChannel *handle, GIOFlags flags, GError **gerr)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+
+ return chan->giochan->funcs->io_set_flags(handle, flags, gerr);
+}
+
+static GIOFlags irssi_ssl_get_flags(GIOChannel *handle)
+{
+ GIOSSLChannel *chan = (GIOSSLChannel *)handle;
+
+ return chan->giochan->funcs->io_get_flags(handle);
+}
+
+static GIOFuncs irssi_ssl_channel_funcs = {
+ irssi_ssl_read,
+ irssi_ssl_write,
+ irssi_ssl_seek,
+ irssi_ssl_close,
+ irssi_ssl_create_watch,
+ irssi_ssl_free,
+ irssi_ssl_set_flags,
+ irssi_ssl_get_flags
+};
+
+#endif
+
+static void tls_log_func(int level, const char *str)
+{
+
+ g_warning( "|<%d>| %s", level, g_strchomp(str));
+}
+
+static gboolean irssi_ssl_init(void)
+{
+ g_warning("irssi_ssl_init");
+ int ret;
+ if ((ret = gnutls_global_init())) {
+ g_warning( "failed to init gnutls: %s", gnutls_strerror(ret));
+ return FALSE;
+ }
+ gnutls_global_set_log_function(tls_log_func);
+ gnutls_global_set_log_level(0);
+
+ return TRUE;
+
+}
+
+int is_socket_connected(int fd) {
+ fd_set fds_write;
+ struct timeval timeout={0,0};
+ FD_ZERO(&fds_write);
+ FD_SET(fd, &fds_write);
+ select(fd+1, 0, &fds_write, NULL, &timeout);
+
+ struct sockaddr s;
+ socklen_t s_len;
+ if (getpeername(fd,&s,&s_len) == -1 && errno == ENOTCONN) {
+ char ch;
+ read(fd,&ch,1);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+
+/*static*/ GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, const char *mycert, const char *mypkey, const char *cafile, const char *capath, gboolean verify)
+{
+ g_warning("irssi_ssl_get_iochannel");
+ GIOSSLChannel *chan;
+ GIOChannel *gchan;
+ int ret, fd;
+ gnutls_session session;
+
+
+ gnutls_anon_client_credentials anon_cred;
+ gnutls_certificate_credentials xcred;
+
+ int protocol_priority[] = { GNUTLS_TLS1_1, GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };
+ int kx_priority[] =
+ { GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA,
+ GNUTLS_KX_SRP_RSA, GNUTLS_KX_SRP_DSS, GNUTLS_KX_SRP,
+ /* Do not use anonymous authentication, unless you know what that means */
+ GNUTLS_KX_RSA_EXPORT, GNUTLS_KX_ANON_DH, 0
+ };
+ int cipher_priority[] =
+ { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128,
+ GNUTLS_CIPHER_ARCFOUR_40, 0
+ };
+ int comp_priority[] = { GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
+ int mac_priority[] =
+ { GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, GNUTLS_MAC_RMD160, 0 };
+ int cert_type_priority[] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 };
+
+
+ g_return_val_if_fail(handle != NULL, NULL);
+
+ if(!irssi_ssl_init())
+ return NULL;
+
+ fd = g_io_channel_unix_get_fd(handle);
+//if(!(fd = g_io_channel_unix_get_fd(handle)) || !is_socket_connected(fd)) {
+// return NULL;
+// }
+
+ g_warning ("irssi_ssl_get_iochannel sanity checks complete");
+
+
+ gnutls_certificate_allocate_credentials(&xcred);
+ gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+ gnutls_anon_allocate_client_credentials(&anon_cred);
+ if (cafile) {
+ /* sets the trusted cas file */
+ if ((ret = gnutls_certificate_set_x509_trust_file(xcred, cafile, GNUTLS_X509_FMT_PEM)) < 0) {
+ g_warning( "gnutls_certificate_set_x509_trust_file failed: %s", gnutls_strerror(ret));
+ }
+ }
+
+ /* Initialize TLS session */
+ if (gnutls_init(&session, GNUTLS_CLIENT) < 0 ) {
+ g_warning( "gnutls_init failed: %s", gnutls_strerror(ret));
+ }
+
+ gnutls_certificate_type_set_priority(session, cert_type_priority);
+ gnutls_cipher_set_priority(session, cipher_priority);
+ gnutls_compression_set_priority(session, comp_priority);
+ gnutls_kx_set_priority(session, kx_priority);
+ gnutls_protocol_set_priority(session, protocol_priority);
+ gnutls_mac_set_priority(session, mac_priority);
+
+ gnutls_dh_set_prime_bits(session, 512);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+
+ /* connect to the peer */
+ gnutls_transport_set_ptr(session, (gnutls_transport_ptr) fd);
+
+
+ chan = g_new0(GIOSSLChannel, 1);
+ chan->fd = fd;
+ chan->giochan = handle;
+ chan->session = session;
+ //chan->got_cert = cert != NULL;
+ chan->verify = verify;
+ chan->anon_cred = anon_cred;
+ chan->xcred = xcred;
+
+ gchan = (GIOChannel *)chan;
+ gchan->funcs = &irssi_ssl_channel_funcs;
+ g_io_channel_init(gchan);
+
+ /* Perform the TLS handshake */
+ return gchan;
+}
+
+GIOChannel *net_connect_ip_ssl(IPADDR *ip, int port, IPADDR *my_ip, const char *cert, const char *pkey, const char *cafile, const char *capath, gboolean verify)
+{
+ GIOChannel *handle, *ssl_handle;
+
+ handle = net_connect_ip(ip, port, my_ip);
+ ssl_handle = irssi_ssl_get_iochannel(handle, cert, pkey, cafile, capath, verify);
+ if (ssl_handle == NULL)
+ g_io_channel_unref(handle);
+ return ssl_handle;
+}
+
+#else /* HAVE_OPENSSL */
+
+GIOChannel *net_connect_ip_ssl(IPADDR *ip, int port, IPADDR *my_ip, const char *cert, const char *pkey, const char *cafile, const char *capath, gboolean verify)
+{
+ g_warning("Connection failed: SSL support not enabled in this build.");
+ errno = ENOSYS;
+ return NULL;
+}
+
+#endif /* ! HAVE_OPENSSL */
diff -urNad --exclude=CVS --exclude=.svn ./src/fe-none/Makefile.am /tmp/dpep-work.Xa2n5L/irssi/src/fe-none/Makefile.am
--- ./src/fe-none/Makefile.am 2005-07-17 16:00:41.000000000 +0300
+++ /tmp/dpep-work.Xa2n5L/irssi/src/fe-none/Makefile.am 2005-07-17 16:46:18.000000000 +0300
@@ -12,7 +12,8 @@
@COMMON_NOUI_LIBS@ \
@PERL_LINK_LIBS@ \
@PERL_LINK_FLAGS@ \
- @PROG_LIBS@
+ @PROG_LIBS@ \
+ -lgnutls
botti_SOURCES = \
irssi.c
diff -urNad --exclude=CVS --exclude=.svn ./src/fe-text/Makefile.am /tmp/dpep-work.Xa2n5L/irssi/src/fe-text/Makefile.am
--- ./src/fe-text/Makefile.am 2005-07-17 16:00:44.000000000 +0300
+++ /tmp/dpep-work.Xa2n5L/irssi/src/fe-text/Makefile.am 2005-07-17 16:46:18.000000000 +0300
@@ -21,7 +21,9 @@
@PERL_FE_LINK_LIBS@ \
@PERL_LINK_FLAGS@ \
@PROG_LIBS@ \
- @TEXTUI_LIBS@
+ @TEXTUI_LIBS@ \
+ -lgnutls
+
tparm_sources = \
tparm.c