Merge pull request #104 from alorbach/openssl

initial implementation of openssl

.lgtm.yml

@@ -0,0 +1,6 @@
+extraction:
+  cpp:
+    configure:
+      command:
+        - autoreconf -fvi
+        - ./configure --enable-tls-openssl

.travis.yml

@@ -35,8 +35,18 @@ script:
 #  - export CFLAGS="-g -fsanitize=address"
   - autoreconf -fvi
   - ./configure --enable-tls
-  - make
-  - make distcheck V=0
+  - make -j2
+  - make check
+  - cat tests/test-suite.log
+#  - make distcheck V=0
+  # and now with openssl
+  - make clean
+  - ./configure --enable-tls-openssl
+  - make -j2
+  - make check
+  - cat tests/test-suite.log
+#  - make distcheck V=0
+
 #  - cat /home/travis/build/rsyslog/librelp/librelp-1.2.16.master/_build/tests/test-suite.log
 #  - sudo make install
 # now we use the rsyslog testbench for testing. This also means we need to

configure.ac

@@ -66,6 +66,8 @@ fi
 
 AC_PROG_LIBTOOL
 
+PKG_PROG_PKG_CONFIG
+
 if test "$GCC" = "yes"
 then
 	m4_ifdef([AX_IS_RELEASE], [
@@ -120,14 +122,45 @@ AC_CHECK_FUNCS([strerror_r strdup epoll_create epoll_create1])
 
 # enable TLS (may not be possible on platforms with too-old GnuTLS)
 AC_ARG_ENABLE(tls,
-        [AS_HELP_STRING([--enable-tls],[Enable TLS support @<:@default=yes@:>@])],
+        [AS_HELP_STRING([--enable-tls],[Enable TLS support @<:@default=no@:>@])],
         [case "${enableval}" in
          yes) enable_tls="yes" ;;
           no) enable_tls="no" ;;
            *) AC_MSG_ERROR(bad value ${enableval} for --enable-tls) ;;
          esac],
         [enable_tls="yes"]
 )
+# enable Openssl TLS  
+AC_ARG_ENABLE(tls-openssl,
+        [AS_HELP_STRING([--enable-tls-openssl],[Enable OpenSSL TLS support @<:@default=yes@:>@])],
+        [case "${enableval}" in
+         yes) enable_tls_openssl="yes" ;;
+          no) enable_tls_openssl="no" ;;
+           *) AC_MSG_ERROR(bad value ${enableval} for --enable-tls-openssl) ;;
+         esac],
+        [enable_tls_openssl="no"]
+)
+
+if test "$enable_tls_openssl" = "yes"; then
+	PKG_CHECK_MODULES(OPENSSL, openssl)
+	AC_DEFINE([ENABLE_TLS_OPENSSL], [1], [Indicator that openssl is present])
+	save_CFLAGS="$CFLAGS"
+	CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
+	save_LIBS="$LIBS"
+	LIBS="$LIBS $OPENSSL_LIBS"
+
+	# Make sure GNUTLS is disabled
+	if test "$enable_tls" = "yes"; then
+		AC_MSG_WARN([Cannot compile GNUTLS and OpenSSL at the same time. Disabling gnutls. ])
+
+		# Disable GNUTLS
+		enable_tls="no"
+		have_gnutls_certificate_set_verify_function="no"
+	fi
+
+fi
+AM_CONDITIONAL(ENABLE_TLS_OPENSSL, test x$enable_tls_openssl = xyes)
+
 if test "$enable_tls" = "yes"; then
 	PKG_CHECK_MODULES(GNUTLS, gnutls >= 2.0.0)
         AC_DEFINE(ENABLE_TLS, 1, [Defined if TLS support is enabled])
@@ -156,7 +189,6 @@ if test "$enable_tls" = "yes"; then
 	LIBS="$save_LIBS"
 fi
 
-
 # debug mode settings
 AC_ARG_ENABLE(debug,
         [AS_HELP_STRING([--enable-debug],[Enable debug mode @<:@default=no@:>@])],
@@ -176,20 +208,16 @@ fi
 
 # valgrind
 AC_ARG_ENABLE(valgrind,
-        [AS_HELP_STRING([--enable-valgrind],[Enable valgrind tests@<:@default=no@:>@])],
+        [AS_HELP_STRING([--enable-valgrind],[Enable valgrind tests@<:@default=yes@:>@])],
         [case "${enableval}" in
          yes) enable_valgrind="yes" ;;
           no) enable_valgrind="no" ;;
            *) AC_MSG_ERROR(bad value ${enableval} for --enable-valgrind) ;;
          esac],
-        [enable_valgrind="no"]
+        [enable_valgrind="yes"]
 )
 if test "$enable_valgrind" = "yes"; then
         AC_CHECK_PROG(VALGRIND, [valgrind], [valgrind], [no])
-
-        if test "x$VALGRIND" = "xno"; then
-                AC_MSG_ERROR([valgrind is missing but forced with --enable-valgrind. Either install valgrind or remove the option!])
-        fi
 fi
 AM_CONDITIONAL([HAVE_VALGRIND], test "$enable_valgrind" == "yes")
 
@@ -206,8 +234,9 @@ AC_OUTPUT
 echo "*****************************************************"
 echo "librelp will be compiled with the following settings:"
 echo
-echo "run valgrind in testbench:     $enable_valgrind"
-echo "Debug mode enabled:            $enable_debug"
-echo "TLS enabled:                   $enable_tls"
-echo "TLS authentication supported:  $have_gnutls_certificate_set_verify_function"
+echo "run valgrind in testbench:       $enable_valgrind"
+echo "Debug mode enabled:              $enable_debug"
+echo "GNUTLS enabled:                  $enable_tls"
+echo "GNUTLS authentication supported: $have_gnutls_certificate_set_verify_function"
+echo "OPENSSL enabled:                 $enable_tls_openssl"
 

devtools/run-configure.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 printf "running configure with\nCC:\t$CC\nCFLAGS:\t$CFLAGS\n"
 autoreconf -fvi
-./configure --enable-tls
+./configure $PROJ_CONFIGURE_OPTIONS

devtools/travis-run-compile-tests.sh

@@ -10,12 +10,48 @@ DO_IN_CONTAINER="$PROJ_HOME/devtools/devcontainer.sh"
 printf "\n\n============ STEP: check code style ================\n\n\n"
 $DO_IN_CONTAINER devtools/check-codestyle.sh
 
+
+echo ==================== compile using gnutls ====================
+export PROJ_CONFIGURE_OPTIONS=--enable-tls
+
+
 printf "\n\n============ STEP: run static analyzer ================\n\n\n"
 $DO_IN_CONTAINER devtools/run-static-analyzer.sh
 
 # #################### newer compilers ####################
 
+printf "\n\n============ STEP: gcc-7 compile test ================\n\n\n"
+export CC=gcc-7
+export CFLAGS=
+$DO_IN_CONTAINER devtools/run-configure.sh
+$DO_IN_CONTAINER make check TESTS=""
+
+$DO_IN_CONTAINER make clean
+printf "\n\n============ STEP: clang-5.0 compile test ================\n\n\n"
+export CC=clang-5.0
+export CFLAGS=
+$DO_IN_CONTAINER devtools/run-configure.sh
+$DO_IN_CONTAINER make check TESTS=""
+
+exit 0
+
+# #################### older style compile tests####################
+$DO_IN_CONTAINER make clean
+printf "\n\n============ STEP: testing alpine build  ================\n\n\n"
+$PROJ_HOME/tests/travis/docker-alpine.sh
+
+
+
+echo ==================== compile using openssl ====================
+export PROJ_CONFIGURE_OPTIONS=--enable-tls-openssl
+
+
+printf "\n\n============ STEP: run static analyzer ================\n\n\n"
 $DO_IN_CONTAINER make clean
+$DO_IN_CONTAINER devtools/run-static-analyzer.sh
+
+# #################### newer compilers ####################
+
 printf "\n\n============ STEP: gcc-7 compile test ================\n\n\n"
 export CC=gcc-7
 export CFLAGS=

src/Makefile.am

@@ -44,8 +44,8 @@ librelp_la_SOURCES = \
 	cserverclose.c \
 	dbllinklist.h \
 	cmdif.h
-librelp_la_CPPFLAGS = $(AM_CLFAGS) $(PTHREADS_CFLAGS) $(GNUTLS_CFLAGS) $(WARN_CFLAGS)
-librelp_la_LIBADD = $(rt_libs) $(GNUTLS_LIBS)
+librelp_la_CPPFLAGS = $(AM_CLFAGS) $(PTHREADS_CFLAGS) $(GNUTLS_CFLAGS) $(OPENSSL_CFLAGS) $(WARN_CFLAGS)
+librelp_la_LIBADD = $(rt_libs) $(GNUTLS_LIBS) $(OPENSSL_LIBS)
 # info on version-info:
 # http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
 librelp_la_LDFLAGS = -version-info 4:0:4

src/relp.c

@@ -56,12 +56,12 @@ relpEngineCallOnGenericErr(relpEngine_t *pThis, char *eobj, relpRetVal ecode, ch
 {
 	va_list ap;
 	char emsg[1024];
-	
+
 	va_start(ap, fmt);
 	vsnprintf(emsg, sizeof(emsg), fmt, ap);
 	emsg[sizeof(emsg)/sizeof(char) - 1] = '\0'; /* just to be on the safe side... */
 	va_end(ap);
-	
+
 	pThis->dbgprint("librelp: generic error: ecode %d, eobj %s,"
 		"emsg '%s'\n", ecode, eobj, emsg);
 	if(pThis->onGenericErr != NULL) {
@@ -692,7 +692,7 @@ handleSessIO(relpEngine_t *pThis, epolld_t *epd)
 {
 	relpEngSessLst_t *pSessEtry;
 	relpTcp_t *pTcp;
-#	ifdef ENABLE_TLS
+#	if defined(ENABLE_TLS) || defined(ENABLE_TLS_OPENSSL)
 	relpRetVal localRet;
 #	endif
 
@@ -704,7 +704,7 @@ handleSessIO(relpEngine_t *pThis, epolld_t *epd)
 		} else if(relpTcpRtryOp(pTcp) == relpTCP_RETRY_recv) {
 			doRecv(pThis, pSessEtry, epd->sock);
 		} else {
-#			ifdef ENABLE_TLS
+#			if defined(ENABLE_TLS) || defined(ENABLE_TLS_OPENSSL)
 				localRet = relpTcpRtryHandshake(pTcp);
 				if(localRet != RELP_RET_OK) {
 					pThis->dbgprint("relp session %d handshake iRet %d, tearing it down\n",
@@ -715,7 +715,7 @@ handleSessIO(relpEngine_t *pThis, epolld_t *epd)
 					pThis->dbgprint("librelp error: handshake retry requested in "
 							"non-TLS mode");
 
-#			endif /* #ifdef ENABLE_TLS */
+#			endif /* #ifdef ENABLE_TLS | ENABLE_TLS_OPENSSL*/
 		}
 	} else {
 		if(doRecv(pThis, pSessEtry, epd->sock) == RELP_RET_OK) {
@@ -748,7 +748,7 @@ engineEventLoopRun(relpEngine_t *pThis)
 		 */
 		for(pSessEtry = pThis->pSessLstRoot ; pSessEtry != NULL ; pSessEtry = pSessEtry->pNext) {
 			sock = relpSessGetSock(pSessEtry->pSess);
-#			ifdef ENABLE_TLS
+#			if defined(ENABLE_TLS) || defined(ENABLE_TLS_OPENSSL)
 			if(relpSessTcpRequiresRtry(pSessEtry->pSess)) {
 				pThis->dbgprint("librelp: retry op requested for sock %d\n", sock);
 				if(relpTcpGetRtryDirection(pSessEtry->pSess->pTcp) == 0) {
@@ -757,7 +757,7 @@ engineEventLoopRun(relpEngine_t *pThis)
 					epoll_set_events(pThis, pSessEtry, sock, EPOLLOUT);
 				}
 			} else
-#			endif /* #ifdef ENABLE_TLS */
+#			endif /* #ifdef ENABLE_TLS | ENABLE_TLS_OPENSSL */
 			{
 				/* now check if a send request is outstanding and, if so, add it */
 				if(relpSendqIsEmpty(pSessEtry->pSess->pSendq)) {
@@ -834,7 +834,7 @@ engineEventLoopRun(relpEngine_t *pThis)
 		/* Add all sessions for reception and sending (they all have just one socket) */
 		for(pSessEtry = pThis->pSessLstRoot ; pSessEtry != NULL ; pSessEtry = pSessEtry->pNext) {
 			sock = relpSessGetSock(pSessEtry->pSess);
-#			ifdef ENABLE_TLS
+#			if defined(ENABLE_TLS) || defined(ENABLE_TLS_OPENSSL)
 			if(relpSessTcpRequiresRtry(pSessEtry->pSess)) {
 				pThis->dbgprint("librelp: retry op requested for sock %d\n", sock);
 				if(relpTcpGetRtryDirection(pSessEtry->pSess->pTcp) == 0) {
@@ -843,7 +843,7 @@ engineEventLoopRun(relpEngine_t *pThis)
 					FD_SET(sock, &writefds);
 				}
 			} else
-#			endif /* #ifdef ENABLE_TLS */
+#			endif /* #ifdef ENABLE_TLS | ENABLE_TLS_OPENSSL*/
 			{
 				FD_SET(sock, &readfds);
 				/* now check if a send request is outstanding and, if so, add it */
@@ -877,7 +877,7 @@ engineEventLoopRun(relpEngine_t *pThis)
 			}
 			continue;
 		}
-	
+
 		/* and then start again with the servers (new connection request) */
 		for(pSrvEtry = pThis->pSrvLstRoot ; nfds && pSrvEtry != NULL ; pSrvEtry = pSrvEtry->pNext) {
 			for(iSocks = 1 ; nfds && iSocks <= relpSrvGetNumLstnSocks(pSrvEtry->pSrv) ; ++iSocks) {
@@ -905,7 +905,7 @@ engineEventLoopRun(relpEngine_t *pThis)
 						doRecv(pThis, pSessEtry, sock);
 						--nfds; /* indicate we have processed one */
 					} else {
-#						ifdef ENABLE_TLS
+#						if defined(ENABLE_TLS) || defined(ENABLE_TLS_OPENSSL)
 							localRet = relpTcpRtryHandshake(pSessEtry->pSess->pTcp);
 							if(localRet != RELP_RET_OK) {
 								pThis->dbgprint("relp session %d handshake "
@@ -917,7 +917,7 @@ engineEventLoopRun(relpEngine_t *pThis)
 							pThis->dbgprint("librelp error: handshake retry "
 									"requested in non-TLS mode");
 
-#						endif /* #ifdef ENABLE_TLS */
+#						endif /* #ifdef ENABLE_TLS | ENABLE_TLS_OPENSSL */
 					}
 				}
 			} else {

src/relpsess.c

@@ -171,6 +171,7 @@ relpSessDestruct(relpSess_t **ppThis)
 	free(pThis->srvAddr);
 	free(pThis->clientIP);
 	free(pThis->pristring);
+	free(pThis->caCertFile);
 	free(pThis->ownCertFile);
 	free(pThis->privKeyFile);
 	relpSessFreePermittedPeers(pThis);
@@ -457,7 +458,7 @@ relpSessGetUnacked(relpSess_t *pThis, relpSendbuf_t **ppSendbuf, relpTxnr_t txnr
 	ENTER_RELPFUNC;
 	RELPOBJ_assert(pThis, Sess);
 	assert(ppSendbuf != NULL);
-	
+
 	for(  pUnackedEtry = pThis->pUnackedLstRoot
 	    ; pUnackedEtry != NULL && pUnackedEtry->pSendbuf->txnr != txnr
 	    ; pUnackedEtry = pUnackedEtry->pNext)
@@ -960,7 +961,7 @@ relpSessSetPermittedPeers(relpSess_t *pThis, relpPermittedPeers_t *pPeers)
 	ENTER_RELPFUNC;
 	int i;
 	RELPOBJ_assert(pThis, Sess);
-	
+
 	relpSessFreePermittedPeers(pThis);
 	if(pPeers->nmemb != 0) {
 		if((pThis->permittedPeers.name =
@@ -1028,7 +1029,7 @@ relpSessSetGnuTLSPriString(relpSess_t *pThis, char *pristr)
 {
 	ENTER_RELPFUNC;
 	RELPOBJ_assert(pThis, Sess);
-	
+
 	free(pThis->pristring);
 	if(pristr == NULL) {
 		pThis->pristring = NULL;
@@ -1045,7 +1046,7 @@ relpSessSetCACert(relpSess_t *pThis, char *cert)
 {
 	ENTER_RELPFUNC;
 	RELPOBJ_assert(pThis, Sess);
-	
+
 	free(pThis->caCertFile);
 	if(cert == NULL) {
 		pThis->caCertFile = NULL;
@@ -1062,7 +1063,7 @@ relpSessSetOwnCert(relpSess_t *pThis, char *cert)
 {
 	ENTER_RELPFUNC;
 	RELPOBJ_assert(pThis, Sess);
-	
+
 	free(pThis->ownCertFile);
 	if(cert == NULL) {
 		pThis->ownCertFile = NULL;
@@ -1079,7 +1080,7 @@ relpSessSetPrivKey(relpSess_t *pThis, char *cert)
 {
 	ENTER_RELPFUNC;
 	RELPOBJ_assert(pThis, Sess);
-	
+
 	free(pThis->privKeyFile);
 	if(cert == NULL) {
 		pThis->privKeyFile = NULL;

src/relpsrv.c

@@ -338,22 +338,22 @@ relpRetVal
 relpSrvEnableTLS2(relpSrv_t __attribute__((unused)) *pThis)
 {
 	ENTER_RELPFUNC;
-#ifdef ENABLE_TLS
+#if defined(ENABLE_TLS) || defined(ENABLE_TLS_OPENSSL)
 	pThis->bEnableTLS = 1;
 #else
 	iRet = RELP_RET_ERR_NO_TLS;
-#endif /* #ifdef ENABLE_TLS */
+#endif /* #ifdef ENABLE_TLS | ENABLE_TLS_OPENSSL */
 	LEAVE_RELPFUNC;
 }
 relpRetVal
 relpSrvEnableTLSZip2(relpSrv_t __attribute__((unused)) *pThis)
 {
 	ENTER_RELPFUNC;
-#ifdef ENABLE_TLS
+#if defined(ENABLE_TLS) || defined(ENABLE_TLS_OPENSSL)
 	pThis->bEnableTLSZip = 1;
 #else
 	iRet = RELP_RET_ERR_NO_TLS;
-#endif /* #ifdef ENABLE_TLS */
+#endif /* #ifdef ENABLE_TLS | ENABLE_TLS_OPENSSL */
 	LEAVE_RELPFUNC;
 }
 void