From 212eff980670e893f22a73dacb99653662200fa5 Mon Sep 17 00:00:00 2001 From: Andres Mejia Date: Thu, 5 Aug 2010 22:05:14 -0400 Subject: [PATCH] Supply patch to converts gpac from using openssl to using gnutls. Currently builds but untested otherwise and thus remains disabled during build. --- debian/patches/gnutls-conversion.patch | 484 +++++++++++++++++++++++++ 1 file changed, 484 insertions(+) create mode 100644 debian/patches/gnutls-conversion.patch diff --git a/debian/patches/gnutls-conversion.patch b/debian/patches/gnutls-conversion.patch new file mode 100644 index 0000000..5ecdc71 --- /dev/null +++ b/debian/patches/gnutls-conversion.patch 
@@ -0,0 +1,484 @@ +Patch to convert from OpenSSL to GnuTLS. +========================================================================== +diff --git a/applications/mp4box/Makefile b/applications/mp4box/Makefile +index d3c03fa..9d1ddfa 100644 +--- a/applications/mp4box/Makefile ++++ b/applications/mp4box/Makefile +@@ -36,7 +36,7 @@ else + EXT= + PROG=MP4Box + #LINKFLAGS+=-lgpac_static $(EXTRALIBS) $(GPAC_SH_FLAGS) -lz +-LINKFLAGS+=-lgpac -lz $(OGL_LIBS) ++LINKFLAGS+=-lgpac -lz $(OGL_LIBS) $(GNUTLS_LIBS) + endif + + +diff --git a/applications/mp4client/Makefile b/applications/mp4client/Makefile +index 688d328..67a910c 100644 +--- a/applications/mp4client/Makefile ++++ b/applications/mp4client/Makefile +@@ -4,7 +4,7 @@ vpath %.c $(SRC_PATH)/applications/mp4client + + CFLAGS= $(OPTFLAGS) -I$(SRC_PATH)/include + +-LINKLIBS=$(OGL_LIBS) ++LINKLIBS=$(OGL_LIBS) $(GNUTLS_LIBS) + + ifeq ($(DEBUGBUILD), yes) + CFLAGS+=-g +diff --git a/applications/osmo4_wx/Makefile b/applications/osmo4_wx/Makefile +index a0841d7..3430c2d 100644 +--- a/applications/osmo4_wx/Makefile ++++ b/applications/osmo4_wx/Makefile +@@ -41,7 +41,7 @@ SRCS := $(OBJS:.o=.cpp) + all: $(PROG) + + Osmo4$(EXE): $(OBJS) +- $(CC) $(LDFLAGS) -o ../../bin/gcc/$@ $(OBJS) -L../../bin/gcc -lgpac $(WX_LFLAGS) -lz ++ $(CC) $(LDFLAGS) -o ../../bin/gcc/$@ $(OBJS) -L../../bin/gcc -lgpac $(WX_LFLAGS) -lz $(GNUTLS_LIBS) + + %.o: %.cpp + $(CXX) $(CFLAGS) $(INSTALL_FLAGS) $(WX_CFLAGS) -c -o $@ $< +diff --git a/applications/testapps/mp42ts/Makefile b/applications/testapps/mp42ts/Makefile +index 53c5fb1..9b2b9f8 100644 +--- a/applications/testapps/mp42ts/Makefile ++++ b/applications/testapps/mp42ts/Makefile +@@ -27,7 +27,7 @@ else + EXT= + PROG=mp42ts + #LINKFLAGS+=-lgpac_static $(EXTRALIBS) $(GPAC_SH_FLAGS) -lz $(OGL_LIBS) +-LINKFLAGS+=-lgpac $(OGL_LIBS) ++LINKFLAGS+=-lgpac $(OGL_LIBS) $(GNUTLS_LIBS) + endif + + +diff --git a/applications/testapps/mp4_streamer/Makefile b/applications/testapps/mp4_streamer/Makefile +index 
2628096..25af208 100644 +--- a/applications/testapps/mp4_streamer/Makefile ++++ b/applications/testapps/mp4_streamer/Makefile +@@ -27,7 +27,7 @@ else + EXT= + PROG=mp4_streamer + #LINKFLAGS+=-lgpac_static $(EXTRALIBS) $(GPAC_SH_FLAGS) -lz $(OGL_LIBS) +-LINKFLAGS+=-lgpac $(OGL_LIBS) ++LINKFLAGS+=-lgpac $(OGL_LIBS) $(GNUTLS_LIBS) + endif + + +diff --git a/configure b/configure +index 3dce906..397e60c 100755 +--- a/configure ++++ b/configure +@@ -77,7 +77,7 @@ has_opengl="no" + disable_opengl="no" + has_tinygl="no" + enable_tinygl="no" +-has_ssl="no" ++has_gnutls="no" + has_ipv6="no" + has_dvb4linux="no" + has_xmlrpc="no" +@@ -162,7 +162,7 @@ echo " --disable-opengl disable OpenGL support" + echo " --enable-tinygl enable TinyGL support" + echo " --enable-joystick enable joystick support" + echo " --enable-renoir enable renoir 3D support" +-echo " --disable-ssl disable OpenSSL support" ++echo " --disable-gnutls disable GnuTLS support" + echo " --enable-amr-nb-fixed enable AMR NB fixed-point decoder" + echo " --enable-amr-nb enable AMR NB library" + echo " --enable-amr-wb enable AMR WB library" +@@ -559,23 +559,18 @@ fi + + + +-#look for OpenSSL support ++#look for GnuTLS support + cat > $TMPC << EOF +-#include +-#include +-#include +-#include ++#include ++#include ++#include + int main( void ) { return 0; } + EOF + +-if test "$win32" = "yes" ; then +-LINK_SSL="-lssleay32 -leay32" +-else +-LINK_SSL="-lssl -lcrypto" +-fi ++LINK_GNUTLS="-lgnutls" + +-if $cc -o $TMPO $TMPC $LINK_SSL 2> /dev/null ; then +-has_ssl="yes" ++if $cc -o $TMPO $TMPC $LINK_GNUTLS 2> /dev/null ; then ++has_gnutls="yes" + fi + + +@@ -1044,7 +1039,7 @@ for opt do + ;; + --enable-tinygl) enable_tinygl="yes" + ;; +- --disable-ssl) has_ssl="no" ++ --disable-gnutls) has_gnutls="no" + ;; + --use-faad=*) has_faad=${opt#--use-faad=} + ;; +@@ -1347,7 +1342,7 @@ echo "SDL Version too old - please upgrade for SDL support" + fi + echo "OpenGL support: $has_opengl" + echo "TinyGL support: $has_tinygl" +-echo 
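Review bot: The GnuTLS probe links with `LINK_GNUTLS="-lgnutls"` only, while src/utils/downloader.c in the same patch calls `gcry_control()` and expands `GCRY_THREAD_OPTION_PTHREAD_IMPL` directly. The final link therefore probably also needs libgcrypt on toolchains that do not resolve indirect dependencies. Suggest `LINK_GNUTLS="-lgnutls -lgcrypt"` so that the probe and the `GNUTLS_LIBS` value written to config.mak match what the code actually references. The header names in the test program are not visible on this page, so whether the probe includes the libgcrypt header cannot be checked here.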
"OpenSSL support: $has_ssl" ++echo "GnuTLS support: $has_gnutls" + + echo "Mozilla XUL/GECKO support: $has_xul" + +@@ -1598,10 +1593,10 @@ if test "$has_tinygl" = "yes" ; then + echo "#define GPAC_USE_TINYGL" >> $TMPH + fi + +-echo "HAS_OPENSSL=$has_ssl" >> config.mak +-if test "$has_ssl" = "yes" ; then +- echo "SSL_LIBS=$LINK_SSL" >> config.mak +- echo "#define GPAC_HAS_SSL" >> $TMPH ++echo "HAS_GNUTLS=$has_gnutls" >> config.mak ++if test "$has_gnutls" = "yes" ; then ++ echo "GNUTLS_LIBS=$LINK_GNUTLS" >> config.mak ++ echo "#define GPAC_HAS_GNUTLS" >> $TMPH + fi + + echo "CONFIG_SDL=$has_sdl" >> config.mak +diff --git a/include/gpac/download.h b/include/gpac/download.h +index 89ccf6e..cb4dd76 100644 +--- a/include/gpac/download.h ++++ b/include/gpac/download.h +@@ -36,7 +36,7 @@ + * \brief File Downloader objects + * + * This section documents the file downloading tools the GPAC framework. Currently HTTP is supported, HTTPS is under testing but may not be supported +- *depending on GPAC compilation options (HTTPS in GPAC needs OpenSSL installed on the system). ++ *depending on GPAC compilation options (HTTPS in GPAC needs GnuTLS installed on the system). + * + * @{ + */ +diff --git a/include/gpac/network.h b/include/gpac/network.h +index 0e2bb23..65c6765 100644 +--- a/include/gpac/network.h ++++ b/include/gpac/network.h +@@ -348,7 +348,7 @@ GF_Err gf_sk_receive_wait(GF_Socket *sock, char *buffer, u32 length, u32 start_f + /*! + *\brief gets socket handle + * +- *Gets the socket low-level handle as used by OpenSSL. ++ *Gets the socket low-level handle as used by GnuTLS. 
+ *\param sock the socket object + *\return the socket handle + */ +diff --git a/src/utils/downloader.c b/src/utils/downloader.c +index dcb8b13..9692853 100644 +--- a/src/utils/downloader.c ++++ b/src/utils/downloader.c +@@ -33,11 +33,13 @@ + #include + + +-#ifdef GPAC_HAS_SSL +-#include +-#include +-#include +-#include ++#ifdef GPAC_HAS_GNUTLS ++#include ++#include ++#include ++#include ++#include ++GCRY_THREAD_OPTION_PTHREAD_IMPL; + #endif + + +@@ -49,7 +51,7 @@ static void gf_dm_connect(GF_DownloadSession *sess); + /*internal flags*/ + enum + { +- GF_DOWNLOAD_SESSION_USE_SSL = 1<<10, ++ GF_DOWNLOAD_SESSION_USE_GNUTLS = 1<<10, + GF_DOWNLOAD_SESSION_THREAD_DEAD = 1<<11, + GF_DOWNLOAD_IS_ICY = 1<<12, + }; +@@ -99,8 +101,8 @@ struct __gf_download_session + char *init_data; + u32 init_data_size; + +-#ifdef GPAC_HAS_SSL +- SSL *ssl; ++#ifdef GPAC_HAS_GNUTLS ++ gnutls_session_t gnutls_session; + #endif + + void (*do_requests)(struct __gf_download_session *); +@@ -124,86 +126,29 @@ struct __gf_download_manager + GF_Config *cfg; + GF_List *sessions; + +-#ifdef GPAC_HAS_SSL +- SSL_CTX *ssl_ctx; ++#ifdef GPAC_HAS_GNUTLS ++ int gnutls_initialized; + #endif + + }; + +-#ifdef GPAC_HAS_SSL ++#ifdef GPAC_HAS_GNUTLS + +-static void init_prng (void) ++static int gnutls_lib_init(GF_DownloadManager *dm, u32 mode) + { +- char namebuf[256]; +- const char *random_file; +- +- if (RAND_status ()) return; ++ if (!dm) return 0; + +- namebuf[0] = '\0'; +- random_file = RAND_file_name (namebuf, sizeof (namebuf)); ++ /* The GnuTLS library has already been initialized. 
*/ ++ if (dm->gnutls_initialized) return 1; + +- if (random_file && *random_file) +- RAND_load_file(random_file, 16384); +- +- if (RAND_status ()) return; ++ /* Activate multi-thread support in libgcrypt via pthread */ ++ gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); + +-#ifdef WIN32 +- RAND_screen (); +- if (RAND_status ()) +- return; +-#endif +-} ++ /* Initialize the library */ ++ gnutls_global_init(); ++ dm->gnutls_initialized = 1; + +-static int ssl_init(GF_DownloadManager *dm, u32 mode) +-{ +- SSL_METHOD *meth; +- +- if (!dm) return 0; +- /* The SSL has already been initialized. */ +- if (dm->ssl_ctx) return 1; +- /* Init the PRNG. If that fails, bail out. */ +- init_prng(); +- if (RAND_status() != 1) goto error; +- SSL_library_init(); +- SSL_load_error_strings(); +- SSLeay_add_all_algorithms(); +- SSLeay_add_ssl_algorithms(); +- +- switch (mode) { +- case 0: +- meth = SSLv23_client_method(); +- break; +- case 1: +- meth = SSLv2_client_method(); +- break; +- case 2: +- meth = SSLv3_client_method(); +- break; +- case 3: +- meth = TLSv1_client_method(); +- break; +- default: +- goto error; +- } +- +- dm->ssl_ctx = SSL_CTX_new(meth); +- if (!dm->ssl_ctx) goto error; +- SSL_CTX_set_default_verify_paths(dm->ssl_ctx); +- SSL_CTX_load_verify_locations (dm->ssl_ctx, NULL, NULL); +- /* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the +- certificate is invalid. We verify the certificate separately in +- ssl_check_certificate, which provides much better diagnostics +- than examining the error stack after a failed SSL_connect. */ +- SSL_CTX_set_verify(dm->ssl_ctx, SSL_VERIFY_NONE, NULL); +- +- /* Since fd_write unconditionally assumes partial writes (and handles them correctly), +- allow them in OpenSSL. 
*/ +- SSL_CTX_set_mode(dm->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + return 1; +-error: +- if (dm->ssl_ctx) SSL_CTX_free(dm->ssl_ctx); +- dm->ssl_ctx = NULL; +- return 0; + } + + #endif +@@ -220,7 +165,7 @@ static Bool gf_dm_is_local(GF_DownloadManager *dm, const char *url) + static Bool gf_dm_can_handle_url(GF_DownloadManager *dm, const char *url) + { + if (!strnicmp(url, "http://", 7)) return 1; +-#ifdef GPAC_HAS_SSL ++#ifdef GPAC_HAS_GNUTLS + if (!strnicmp(url, "https://", 8)) return 1; + #endif + return 0; +@@ -292,11 +237,10 @@ void gf_dm_configure_cache(GF_DownloadSession *sess) + + static void gf_dm_disconnect(GF_DownloadSession *sess) + { +-#ifdef GPAC_HAS_SSL +- if (sess->ssl) { +- SSL_shutdown(sess->ssl); +- SSL_free(sess->ssl); +- sess->ssl = NULL; ++#ifdef GPAC_HAS_GNUTLS ++ if (sess->gnutls_session) { ++ gnutls_bye(sess->gnutls_session, GNUTLS_SHUT_RDWR); ++ sess->gnutls_session = NULL; + } + #endif + if (sess->sock) { +@@ -385,10 +329,10 @@ static GF_Err gf_dm_setup_from_url(GF_DownloadSession *sess, char *url) + else if (!strnicmp(url, "https://", 8)) { + url += 8; + sess->port = 443; +-#ifndef GPAC_HAS_SSL ++#ifndef GPAC_HAS_GNUTLS + return GF_NOT_SUPPORTED; + #endif +- sess->flags |= GF_DOWNLOAD_SESSION_USE_SSL; ++ sess->flags |= GF_DOWNLOAD_SESSION_USE_GNUTLS; + sess->do_requests = http_do_requests; + } + else if (!strnicmp(url, "ftp://", 6)) { +@@ -539,9 +483,9 @@ static GF_Err gf_dm_read_data(GF_DownloadSession *sess, char *data, u32 data_siz + { + GF_Err e; + +-#ifdef GPAC_HAS_SSL +- if (sess->ssl) { +- u32 size = SSL_read(sess->ssl, data, data_size); ++#ifdef GPAC_HAS_GNUTLS ++ if (sess->gnutls_session) { ++ u32 size = gnutls_record_recv(sess->gnutls_session, data, data_size); + e = GF_OK; + data[size] = 0; + if (!size) e = GF_IP_NETWORK_EMPTY; +@@ -554,7 +498,7 @@ static GF_Err gf_dm_read_data(GF_DownloadSession *sess, char *data, u32 data_siz + } + + +-#ifdef GPAC_HAS_SSL ++#ifdef GPAC_HAS_GNUTLS + /*pattern comp taken from wget*/ + #define 
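Review bot: gnutls_lib_init reports success without checking either library call: the results of `gcry_control()` and `gnutls_global_init()` are discarded and `dm->gnutls_initialized` is set unconditionally, so gf_dm_connect can attempt a handshake on a library that failed to initialise. Suggest `if (gnutls_global_init() != GNUTLS_E_SUCCESS) return 0;` before the flag is set. The `mode` parameter, which used to select the protocol version, is now unused and deserves a comment saying that protocol selection is left to the GnuTLS defaults. No trust store is loaded anywhere in the new code, where the removed code called `SSL_CTX_set_default_verify_paths()`.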
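Review bot: The TLS session is leaked in gf_dm_disconnect: `gnutls_bye()` only sends the close notification, and the handle is then set to NULL without the `gnutls_deinit()` that corresponds to the removed `SSL_free()`. Add `gnutls_deinit(sess->gnutls_session);` between the `gnutls_bye()` call and the assignment. Ignoring the return value of `gnutls_bye()` is acceptable on a teardown path, but a one-line comment saying so would help the next reader.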
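Review bot: A failed read turns into an out-of-bounds write in the GnuTLS branch of gf_dm_read_data: `gnutls_record_recv()` returns a negative `ssize_t` on error, which is stored in `u32 size` and then used as the index in `data[size] = 0`. Keep the result signed, e.g. `ssize_t size = gnutls_record_recv(sess->gnutls_session, data, data_size);`, and map a negative value to `GF_IP_NETWORK_FAILURE` before the terminator is written. A read that fills the buffer would also place the terminator one byte past `data_size` unless callers reserve that byte, which is not visible here. The function continues outside the hunk.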
ASTERISK_EXCLUDES_DOT /* mandated by rfc2818 */ + +@@ -650,32 +594,30 @@ static void gf_dm_connect(GF_DownloadSession *sess) + gf_sk_set_buffer_size(sess->sock, 0, GF_DOWNLOAD_BUFFER_SIZE); + gf_dm_configure_cache(sess); + +-#ifdef GPAC_HAS_SSL ++#ifdef GPAC_HAS_GNUTLS + /*socket is connected, configure SSL layer*/ +- if (!sess->ssl && sess->dm->ssl_ctx && (sess->flags & GF_DOWNLOAD_SESSION_USE_SSL)) { ++ if (!sess->gnutls_session && sess->dm->gnutls_initialized && ++ (sess->flags & GF_DOWNLOAD_SESSION_USE_GNUTLS)) { + int ret; + long vresult; +- char common_name[256]; +- X509 *cert; + Bool success = 1; +- +- sess->ssl = SSL_new(sess->dm->ssl_ctx); +- SSL_set_fd(sess->ssl, gf_sk_get_handle(sess->sock)); +- SSL_set_connect_state(sess->ssl); +- ret = SSL_connect(sess->ssl); ++ const gnutls_datum_t *cert_list; ++ int cert_list_size = 0; ++ gnutls_x509_crt_t x509_cert; ++ gnutls_x509_dn_t *x509_dn; ++ ++ gnutls_init(sess->gnutls_session, GNUTLS_CLIENT); ++ gnutls_transport_set_ptr(sess->gnutls_session, gf_sk_get_handle(sess->sock)); ++ ret = gnutls_handshake(sess->gnutls_session); + assert(ret>0); + +- cert = SSL_get_peer_certificate(sess->ssl); ++ cert_list = gnutls_certificate_get_peers(sess->gnutls_session, &cert_list_size); + /*if we have a cert, check it*/ +- if (cert) { +- vresult = SSL_get_verify_result(sess->ssl); +- if (vresult != X509_V_OK) success = 0; +- else { +- common_name[0] = 0; +- X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, common_name, sizeof (common_name)); +- if (!pattern_match(common_name, sess->server_name)) success = 0; +- } +- X509_free(cert); ++ if (cert_list) { ++ gnutls_x509_crt_init(&x509_cert); ++ gnutls_x509_crt_import(x509_cert, &cert_list[0], GNUTLS_X509_FMT_DER); ++ if (!gnutls_x509_crt_check_hostname(x509_cert, sess->server_name)) success = 0; ++ gnutls_x509_crt_deinit(x509_cert); + + if (!success) { + gf_dm_disconnect(sess); +@@ -741,8 +683,8 @@ GF_DownloadManager *gf_dm_new(GF_Config *cfg) + 
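Review bot: The certificate chain is never validated in the new TLS setup in gf_dm_connect: the removed code compared `SSL_get_verify_result()` with `X509_V_OK`, while the GnuTLS side only calls `gnutls_x509_crt_check_hostname()`, so a certificate from an untrusted issuer that carries the right name is accepted, and a peer that presents no certificate leaves `success` at 1. `gnutls_init()` also receives the session handle by value instead of `&sess->gnutls_session`, and `assert(ret>0)` fires on a successful handshake because `gnutls_handshake()` returns 0 on success and a negative code on failure. The sketch below checks each return value, calls `gnutls_certificate_verify_peers2()` before the name check and fails closed. It still needs certificate credentials with a CA list attached through `gnutls_credentials_set()`, which would have to be held by the download manager outside this hunk. The enclosing block continues past the end of the hunk.

```c
	if (!sess->gnutls_session && sess->dm->gnutls_initialized &&
	    (sess->flags & GF_DOWNLOAD_SESSION_USE_GNUTLS)) {
		int ret;
		unsigned int status = 0;
		unsigned int cert_list_size = 0;
		Bool success = 0;	/* fail closed: only a fully verified peer sets this */
		/* ... unchanged: cert_list and x509_cert declarations ... */

		ret = gnutls_init(&sess->gnutls_session, GNUTLS_CLIENT);
		if (ret == GNUTLS_E_SUCCESS) {
			/* ... unchanged: gnutls_transport_set_ptr call ... */
			ret = gnutls_handshake(sess->gnutls_session);
		}

		/* validate the chain first, then the host name on the leaf certificate */
		if (ret == GNUTLS_E_SUCCESS
		    && gnutls_certificate_verify_peers2(sess->gnutls_session, &status) == GNUTLS_E_SUCCESS
		    && status == 0) {
			cert_list = gnutls_certificate_get_peers(sess->gnutls_session, &cert_list_size);
			if (cert_list && cert_list_size
			    && gnutls_x509_crt_init(&x509_cert) == GNUTLS_E_SUCCESS) {
				if (gnutls_x509_crt_import(x509_cert, &cert_list[0], GNUTLS_X509_FMT_DER) == GNUTLS_E_SUCCESS
				    && gnutls_x509_crt_check_hostname(x509_cert, sess->server_name))
					success = 1;
				gnutls_x509_crt_deinit(x509_cert);
			}
		}
		/* ... unchanged: if (!success) disconnect path ... */
```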
dm->cache_directory = strdup(opt); + } + } +-#ifdef GPAC_HAS_SSL +- ssl_init(dm, 0); ++#ifdef GPAC_HAS_GNUTLS ++ gnutls_lib_init(dm, 0); + #endif + return dm; + } +@@ -768,8 +710,11 @@ void gf_dm_del(GF_DownloadManager *dm) + + free(dm->cache_directory); + +-#ifdef GPAC_HAS_SSL +- if (dm->ssl_ctx) SSL_CTX_free(dm->ssl_ctx); ++#ifdef GPAC_HAS_GNUTLS ++ if (dm->gnutls_initialized) { ++ gnutls_global_deinit; ++ dm->gnutls_initialized = 0; ++ } + #endif + + free(dm); +@@ -1162,10 +1107,10 @@ void http_do_requests(GF_DownloadSession *sess) + fclose(profile); + } + +-#ifdef GPAC_HAS_SSL +- if (sess->ssl) { ++#ifdef GPAC_HAS_GNUTLS ++ if (sess->gnutls_session) { + e = GF_IP_NETWORK_FAILURE; +- if (!SSL_write(sess->ssl, tmp_buf, len+par.size)) e = GF_OK; ++ if (!gnutls_record_send(sess->gnutls_session, tmp_buf, len+par.size)) e = GF_OK; + } else + #endif + e = gf_sk_send(sess->sock, tmp_buf, len+par.size); +@@ -1174,10 +1119,10 @@ void http_do_requests(GF_DownloadSession *sess) + free(tmp_buf); + } else { + +-#ifdef GPAC_HAS_SSL +- if (sess->ssl) { ++#ifdef GPAC_HAS_GNUTLS ++ if (sess->gnutls_session) { + e = GF_IP_NETWORK_FAILURE; +- if (!SSL_write(sess->ssl, sHTTP, strlen(sHTTP))) e = GF_OK; ++ if (!gnutls_record_send(sess->gnutls_session, sHTTP, strlen(sHTTP))) e = GF_OK; + } else + #endif + e = gf_sk_send(sess->sock, sHTTP, strlen(sHTTP)); -- 2.30.2
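Review bot: `gnutls_global_deinit;` in gf_dm_del names the function without calling it, so the statement has no effect and the library is never deinitialised; it should read `gnutls_global_deinit();`. Compilers usually report this only as a "statement with no effect" warning, which is easy to miss in a large build log. The function body starts outside the hunk.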
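Review bot: The send result is interpreted the wrong way round in both GnuTLS branches of http_do_requests (the hunks at -1162 and -1174): `gnutls_record_send()` returns the number of bytes sent or a negative error code, so `if (!gnutls_record_send(...)) e = GF_OK;` reports success only when nothing was sent and leaves `GF_IP_NETWORK_FAILURE` after a normal send. The test looks carried over unchanged from the `SSL_write()` lines. Suggest `if (gnutls_record_send(sess->gnutls_session, tmp_buf, len+par.size) > 0) e = GF_OK;` and the same form for the `sHTTP` call. A short send would additionally need a retry loop, which the visible code does not have.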