From: Wayne Davison Date: Mon, 15 Jun 2020 17:27:05 +0000 (-0700) Subject: Add preliminary gnutls support. X-Git-Tag: v3.2.0pre2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6273153c5f7aa615c69f20c25708390ca1048d3a;p=thirdparty%2Frsync.git Add preliminary gnutls support. --- diff --git a/NEWS.md b/NEWS.md index 32163f8a..84d855d7 100644 --- a/NEWS.md +++ b/NEWS.md @@ -88,9 +88,12 @@ Protocol: 31 (unchanged) - Added the `--write-devices` option based on the long-standing patch. - - Added openssl support to the rsync-ssl script, which is now installed by - default. This script was unified with the stunnel-rsync helper script to - simplify packaging. + - Added openssl & preliminary gnutls support to the rsync-ssl script, which is + now installed by default. This was unified with the old stunnel-rsync + helper script to simplify packaging. Note that the script accepts the use + of --type=gnutls for gnutls testing, but does not look for gnutls-cli on the + path yet. The use of type=gnutls will not work right until gnutls-cli no + longer drops data. - Rsync was enhanced to set the `RSYNC_PORT` environment variable when running a daemon-over-rsh script. Its value is the user-specified port number (set @@ -145,9 +148,9 @@ Protocol: 31 (unchanged) - Tweak auxilliary doc file names, such as: README.md, INSTALL.md, NEWS.md, & OLDNEWS.md. - - The rsync-ssl script wants to run either openssl or stunnel4, so consider - adding a dependency for openssl (though it's probably fine to just let it - complain about being unable to find either program and let the user decide + - The rsync-ssl script wants to run openssl or stunnel4, so consider adding a + dependency for one of those options (though it's probably fine to just let + it complain about being unable to find the program and let the user decide if they want to install one or the other). - If you packaged rsync + rsync-ssl + rsync-ssl-daemon as separate packages, 
diff --git a/rsync-ssl b/rsync-ssl index f520d5dd..4e066ade 100755 --- a/rsync-ssl +++ b/rsync-ssl @@ -1,6 +1,6 @@ #!/bin/bash -# This script supports using openssl or stunnel to secure an rsync daemon connection. +# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection. # By default this script takes rsync args and hands them off to the actual # rsync command with an --rsh option that makes it open an SSL connection to an @@ -35,6 +35,9 @@ function rsync_ssl_helper { if [[ "$found" == */openssl ]]; then RSYNC_SSL_TYPE=openssl RSYNC_SSL_OPENSSL="$found" + elif [[ "$found" == */gnutls-cli ]]; then + RSYNC_SSL_TYPE=gnutls + RSYNC_SSL_GNUTLS="$found" else RSYNC_SSL_TYPE=stunnel RSYNC_SSL_STUNNEL="$found" @@ -48,6 +51,12 @@ function rsync_ssl_helper { fi optsep=' ' ;; + gnutls) + if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then + RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1 + fi + optsep=' ' + ;; stunnel) if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1 @@ -62,14 +71,18 @@ function rsync_ssl_helper { if [[ -z "$RSYNC_SSL_CERT" ]]; then certopt="" + gnutls_cert_opt="" else certopt="cert$optsep$RSYNC_SSL_CERT" + gnutls_cert_opt="--x509keyfile=$RSYNC_SSL_CERT" fi if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then # RSYNC_SSL_CA_CERT unset - default CA set AND verify: # openssl: caopt="-verify_return_error -verify 4" + # gnutls: + gnutls_opts="" # stunnel: # Since there is no way of using the default CA certificate collection, # we cannot do any verification. Thus, stunnel should really only be @@ -80,6 +93,8 @@ function rsync_ssl_helper { # RSYNC_SSL_CA_CERT set but empty -do NO verifications: # openssl: caopt="-verify 1" + # gnutls: + gnutls_opts="--insecure" # stunnel: cafile="" verify="verifyChain = no" 
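Review bot: In the new `gnutls)` arm, `optsep=' '` is only ever read when `certopt` is built, and the gnutls exec path later uses `gnutls_cert_opt` instead, so the assignment is dead state for this type. It does no harm, but a reader will look for where gnutls consumes it; either drop the line or mark it, e.g. `optsep=' ' # only used by certopt, which gnutls ignores`. The enclosing `case` and the `rsync_ssl_helper` function start and end outside this hunk.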
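Review bot: `gnutls_cert_opt="--x509keyfile=$RSYNC_SSL_CERT"` hands gnutls-cli the same file openssl receives via `-cert`, but gnutls-cli's certificate option is `--x509certfile` and `--x509keyfile` is for the key; if RSYNC_SSL_CERT is the usual combined cert+key PEM, `gnutls_cert_opt="--x509certfile=$RSYNC_SSL_CERT --x509keyfile=$RSYNC_SSL_CERT"` is the closer equivalent (I cannot confirm from here whether a key-only option loads the certificate, so please check against the gnutls-cli version you target). In the "RSYNC_SSL_CA_CERT unset" branch the `# gnutls:` comment is empty and `gnutls_opts=""` silently relies on gnutls-cli verifying against the system trust store and aborting the handshake on failure by default; that fail-closed assumption should be written down, e.g. `# gnutls: no flag needed -- gnutls-cli verifies against the default trust store and aborts on failure (assumption; confirm per version)`. The `if` chain continues into the next hunk, and the function's start is outside this one.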
@@ -87,6 +102,8 @@ function rsync_ssl_helper { # RSYNC_SSL_CA_CERT set - use CA AND verify: # openssl: caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4" + # gnutls: + gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT" # stunnel: cafile="CAfile = $RSYNC_SSL_CA_CERT" verify="verifyChain = yes" @@ -113,6 +130,8 @@ function rsync_ssl_helper { if [[ $RSYNC_SSL_TYPE == openssl ]]; then exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port + elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then + exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port else # devzero@web.de came up with this no-tmpfile calling syntax: exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <.
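Review bot: `gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT"` is later expanded unquoted as `$gnutls_opts` in the exec line, so a CA path containing whitespace is word-split into a bogus extra argument (the same pre-existing weakness as the openssl `caopt` line above it, so this keeps the script consistent rather than making it worse). If that is acceptable for now, a short comment on the new line such as `# gnutls: path is word-split at the exec, as with caopt above` would stop the next reader from "fixing" one and not the other; the real fix is building these option sets as arrays, which is a wider change than this commit. The exec that consumes `$gnutls_opts` is in the following hunk, which is cut off at the end of the visible diff.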