Supply patch to convert gpac from using openssl to using gnutls.
authorAndres Mejia <mcitadel@gmail.com>
Fri, 6 Aug 2010 02:05:14 +0000 (22:05 -0400)
committerAndres Mejia <mcitadel@gmail.com>
Fri, 6 Aug 2010 02:05:14 +0000 (22:05 -0400)
Currently builds but untested otherwise and thus remains disabled during build.

debian/patches/gnutls-conversion.patch [new file with mode: 0644]

diff --git a/debian/patches/gnutls-conversion.patch b/debian/patches/gnutls-conversion.patch
new file mode 100644 (file)
index 0000000..5ecdc71
--- /dev/null
@@ -0,0 +1,484 @@
+Patch to convert from OpenSSL to GnuTLS.
+==========================================================================
+diff --git a/applications/mp4box/Makefile b/applications/mp4box/Makefile
+index d3c03fa..9d1ddfa 100644
+--- a/applications/mp4box/Makefile
++++ b/applications/mp4box/Makefile
+@@ -36,7 +36,7 @@ else
+ EXT=
+ PROG=MP4Box
+ #LINKFLAGS+=-lgpac_static $(EXTRALIBS) $(GPAC_SH_FLAGS) -lz 
+-LINKFLAGS+=-lgpac -lz  $(OGL_LIBS)
++LINKFLAGS+=-lgpac -lz  $(OGL_LIBS) $(GNUTLS_LIBS)
+ endif
+diff --git a/applications/mp4client/Makefile b/applications/mp4client/Makefile
+index 688d328..67a910c 100644
+--- a/applications/mp4client/Makefile
++++ b/applications/mp4client/Makefile
+@@ -4,7 +4,7 @@ vpath %.c $(SRC_PATH)/applications/mp4client
+ CFLAGS= $(OPTFLAGS) -I$(SRC_PATH)/include
+-LINKLIBS=$(OGL_LIBS)
++LINKLIBS=$(OGL_LIBS) $(GNUTLS_LIBS)
+ ifeq ($(DEBUGBUILD), yes)
+ CFLAGS+=-g
+diff --git a/applications/osmo4_wx/Makefile b/applications/osmo4_wx/Makefile
+index a0841d7..3430c2d 100644
+--- a/applications/osmo4_wx/Makefile
++++ b/applications/osmo4_wx/Makefile
+@@ -41,7 +41,7 @@ SRCS := $(OBJS:.o=.cpp)
+ all: $(PROG)
+ Osmo4$(EXE): $(OBJS)
+-      $(CC) $(LDFLAGS) -o ../../bin/gcc/$@ $(OBJS) -L../../bin/gcc -lgpac $(WX_LFLAGS) -lz
++      $(CC) $(LDFLAGS) -o ../../bin/gcc/$@ $(OBJS) -L../../bin/gcc -lgpac $(WX_LFLAGS) -lz $(GNUTLS_LIBS)
+ %.o: %.cpp
+       $(CXX) $(CFLAGS) $(INSTALL_FLAGS) $(WX_CFLAGS) -c -o $@ $< 
+diff --git a/applications/testapps/mp42ts/Makefile b/applications/testapps/mp42ts/Makefile
+index 53c5fb1..9b2b9f8 100644
+--- a/applications/testapps/mp42ts/Makefile
++++ b/applications/testapps/mp42ts/Makefile
+@@ -27,7 +27,7 @@ else
+ EXT=
+ PROG=mp42ts
+ #LINKFLAGS+=-lgpac_static $(EXTRALIBS) $(GPAC_SH_FLAGS) -lz $(OGL_LIBS)
+-LINKFLAGS+=-lgpac $(OGL_LIBS)
++LINKFLAGS+=-lgpac $(OGL_LIBS) $(GNUTLS_LIBS)
+ endif
+diff --git a/applications/testapps/mp4_streamer/Makefile b/applications/testapps/mp4_streamer/Makefile
+index 2628096..25af208 100644
+--- a/applications/testapps/mp4_streamer/Makefile
++++ b/applications/testapps/mp4_streamer/Makefile
+@@ -27,7 +27,7 @@ else
+ EXT=
+ PROG=mp4_streamer
+ #LINKFLAGS+=-lgpac_static $(EXTRALIBS) $(GPAC_SH_FLAGS) -lz $(OGL_LIBS)
+-LINKFLAGS+=-lgpac $(OGL_LIBS)
++LINKFLAGS+=-lgpac $(OGL_LIBS) $(GNUTLS_LIBS)
+ endif
+diff --git a/configure b/configure
+index 3dce906..397e60c 100755
+--- a/configure
++++ b/configure
+@@ -77,7 +77,7 @@ has_opengl="no"
+ disable_opengl="no"
+ has_tinygl="no"
+ enable_tinygl="no"
+-has_ssl="no"
++has_gnutls="no"
+ has_ipv6="no"
+ has_dvb4linux="no"
+ has_xmlrpc="no"
+@@ -162,7 +162,7 @@ echo "  --disable-opengl         disable OpenGL support"
+ echo "  --enable-tinygl          enable TinyGL support"
+ echo "  --enable-joystick        enable joystick support"
+ echo "  --enable-renoir          enable renoir 3D support"
+-echo "  --disable-ssl            disable OpenSSL support"
++echo "  --disable-gnutls         disable GnuTLS support"
+ echo "  --enable-amr-nb-fixed    enable AMR NB fixed-point decoder"
+ echo "  --enable-amr-nb          enable AMR NB library"
+ echo "  --enable-amr-wb          enable AMR WB library"
+@@ -559,23 +559,18 @@ fi
+-#look for OpenSSL support
++#look for GnuTLS support
+ cat > $TMPC << EOF
+-#include <openssl/ssl.h>
+-#include <openssl/x509.h>
+-#include <openssl/err.h>
+-#include <openssl/rand.h>
++#include <gnutls/gnutls.h>
++#include <gnutls/x509.h>
++#include <gcrypt.h>
+ int main( void ) { return 0; }
+ EOF
+-if test "$win32" = "yes" ; then
+-LINK_SSL="-lssleay32 -leay32"
+-else
+-LINK_SSL="-lssl -lcrypto"
+-fi
++LINK_GNUTLS="-lgnutls"
+-if $cc -o $TMPO $TMPC $LINK_SSL 2> /dev/null  ; then
+-has_ssl="yes"
++if $cc -o $TMPO $TMPC $LINK_GNUTLS 2> /dev/null  ; then
++has_gnutls="yes"
+ fi
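Review bot: The GnuTLS probe compiles an empty `main` and links only `-lgnutls`, so it passes without showing that the libgcrypt symbols downloader.c now uses directly (`gcry_control`, the `GCRY_THREAD_OPTION_PTHREAD_IMPL` callbacks) will resolve at link time. Naming the library explicitly, `LINK_GNUTLS="-lgnutls -lgcrypt"`, removes the dependence on it being pulled in transitively. The removed win32 branch has no replacement while downloader.c includes `<pthread.h>` whenever GnuTLS is detected, so the Windows build probably needs its own guard or library list.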
+@@ -1044,7 +1039,7 @@ for opt do
+   ;;
+   --enable-tinygl) enable_tinygl="yes"
+   ;;
+-  --disable-ssl) has_ssl="no"
++  --disable-gnutls) has_gnutls="no"
+   ;;
+   --use-faad=*) has_faad=${opt#--use-faad=}
+   ;;
+@@ -1347,7 +1342,7 @@ echo "SDL Version too old - please upgrade for SDL support"
+ fi
+ echo "OpenGL support: $has_opengl"
+ echo "TinyGL support: $has_tinygl"
+-echo "OpenSSL support: $has_ssl"
++echo "GnuTLS support: $has_gnutls"
+ echo "Mozilla XUL/GECKO support: $has_xul"
+@@ -1598,10 +1593,10 @@ if test "$has_tinygl" = "yes" ; then
+ echo "#define GPAC_USE_TINYGL" >> $TMPH
+ fi
+-echo "HAS_OPENSSL=$has_ssl" >> config.mak
+-if test "$has_ssl" = "yes" ; then
+-  echo "SSL_LIBS=$LINK_SSL" >> config.mak
+-  echo "#define GPAC_HAS_SSL" >> $TMPH
++echo "HAS_GNUTLS=$has_gnutls" >> config.mak
++if test "$has_gnutls" = "yes" ; then
++  echo "GNUTLS_LIBS=$LINK_GNUTLS" >> config.mak
++  echo "#define GPAC_HAS_GNUTLS" >> $TMPH
+ fi
+ echo "CONFIG_SDL=$has_sdl" >> config.mak
+diff --git a/include/gpac/download.h b/include/gpac/download.h
+index 89ccf6e..cb4dd76 100644
+--- a/include/gpac/download.h
++++ b/include/gpac/download.h
+@@ -36,7 +36,7 @@
+  *    \brief File Downloader objects
+  *
+  *    This section documents the file downloading tools the GPAC framework. Currently HTTP is supported, HTTPS is under testing but may not be supported
+- *depending on GPAC compilation options (HTTPS in GPAC needs OpenSSL installed on the system).
++ *depending on GPAC compilation options (HTTPS in GPAC needs GnuTLS installed on the system).
+  *
+  *    @{
+  */
+diff --git a/include/gpac/network.h b/include/gpac/network.h
+index 0e2bb23..65c6765 100644
+--- a/include/gpac/network.h
++++ b/include/gpac/network.h
+@@ -348,7 +348,7 @@ GF_Err gf_sk_receive_wait(GF_Socket *sock, char *buffer, u32 length, u32 start_f
+ /*!
+  *\brief gets socket handle
+  *
+- *Gets the socket low-level handle as used by OpenSSL.
++ *Gets the socket low-level handle as used by GnuTLS.
+  *\param sock the socket object
+  *\return the socket handle
+  */
+diff --git a/src/utils/downloader.c b/src/utils/downloader.c
+index dcb8b13..9692853 100644
+--- a/src/utils/downloader.c
++++ b/src/utils/downloader.c
+@@ -33,11 +33,13 @@
+ #include <gpac/crypt.h>
+-#ifdef GPAC_HAS_SSL
+-#include <openssl/ssl.h>
+-#include <openssl/x509.h>
+-#include <openssl/err.h>
+-#include <openssl/rand.h>
++#ifdef GPAC_HAS_GNUTLS
++#include <gnutls/gnutls.h>
++#include <gnutls/x509.h>
++#include <gcrypt.h>
++#include <errno.h>
++#include <pthread.h>
++GCRY_THREAD_OPTION_PTHREAD_IMPL;
+ #endif
+@@ -49,7 +51,7 @@ static void gf_dm_connect(GF_DownloadSession *sess);
+ /*internal flags*/
+ enum
+ {
+-      GF_DOWNLOAD_SESSION_USE_SSL             =       1<<10,
++      GF_DOWNLOAD_SESSION_USE_GNUTLS  =       1<<10,
+       GF_DOWNLOAD_SESSION_THREAD_DEAD =       1<<11,
+       GF_DOWNLOAD_IS_ICY                              =       1<<12,
+ };
+@@ -99,8 +101,8 @@ struct __gf_download_session
+       char *init_data;
+       u32 init_data_size;
+-#ifdef GPAC_HAS_SSL
+-      SSL *ssl;
++#ifdef GPAC_HAS_GNUTLS
++      gnutls_session_t gnutls_session;
+ #endif
+       void (*do_requests)(struct __gf_download_session *);
+@@ -124,86 +126,29 @@ struct __gf_download_manager
+       GF_Config *cfg;
+       GF_List *sessions;
+-#ifdef GPAC_HAS_SSL
+-      SSL_CTX *ssl_ctx;
++#ifdef GPAC_HAS_GNUTLS
++      int gnutls_initialized;
+ #endif
+ };
+-#ifdef GPAC_HAS_SSL
++#ifdef GPAC_HAS_GNUTLS
+-static void init_prng (void)
++static int gnutls_lib_init(GF_DownloadManager *dm, u32 mode)
+ {
+-      char namebuf[256];
+-      const char *random_file;
+-      
+-      if (RAND_status ()) return;
++      if (!dm) return 0;
+-      namebuf[0] = '\0';
+-      random_file = RAND_file_name (namebuf, sizeof (namebuf));
++      /* The GnuTLS library has already been initialized. */
++      if (dm->gnutls_initialized) return 1;
+-      if (random_file && *random_file)
+-              RAND_load_file(random_file, 16384);
+-      
+-      if (RAND_status ()) return;
++  /* Activate multi-thread support in libgcrypt via pthread */
++      gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+-#ifdef WIN32
+-      RAND_screen ();
+-      if (RAND_status ())
+-      return;
+-#endif
+-}
++      /* Initialize the library */
++      gnutls_global_init();
++      dm->gnutls_initialized = 1;
+-static int ssl_init(GF_DownloadManager *dm, u32 mode)
+-{
+-      SSL_METHOD *meth;
+-      
+-      if (!dm) return 0;
+-    /* The SSL has already been initialized. */
+-      if (dm->ssl_ctx) return 1;
+-      /* Init the PRNG.  If that fails, bail out.  */
+-      init_prng();
+-      if (RAND_status() != 1) goto error;
+-      SSL_library_init();
+-      SSL_load_error_strings();
+-      SSLeay_add_all_algorithms();
+-      SSLeay_add_ssl_algorithms();
+-      
+-      switch (mode) {
+-      case 0:
+-              meth = SSLv23_client_method();
+-              break;
+-      case 1:
+-              meth = SSLv2_client_method();
+-              break;
+-      case 2:
+-              meth = SSLv3_client_method();
+-              break;
+-      case 3:
+-              meth = TLSv1_client_method();
+-              break;
+-      default:
+-              goto error;
+-      }
+-      
+-      dm->ssl_ctx = SSL_CTX_new(meth);
+-      if (!dm->ssl_ctx) goto error;
+-      SSL_CTX_set_default_verify_paths(dm->ssl_ctx);
+-      SSL_CTX_load_verify_locations (dm->ssl_ctx, NULL, NULL);
+-      /* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the
+-     certificate is invalid.  We verify the certificate separately in
+-     ssl_check_certificate, which provides much better diagnostics
+-     than examining the error stack after a failed SSL_connect.  */
+-      SSL_CTX_set_verify(dm->ssl_ctx, SSL_VERIFY_NONE, NULL);
+-
+-      /* Since fd_write unconditionally assumes partial writes (and handles them correctly), 
+-      allow them in OpenSSL.  */
+-      SSL_CTX_set_mode(dm->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+       return 1;
+-error:
+-      if (dm->ssl_ctx) SSL_CTX_free(dm->ssl_ctx);
+-      dm->ssl_ctx = NULL;
+-      return 0;
+ }
+ #endif
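Review bot: In `gnutls_lib_init` the results of `gcry_control()` and `gnutls_global_init()` are discarded and `dm->gnutls_initialized` is set to 1 regardless, so a failed library initialisation is still reported as success and gf_dm_connect later starts TLS on the strength of that flag. Check both calls before setting the flag, e.g. `if (gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread)) return 0;` and `if (gnutls_global_init() != GNUTLS_E_SUCCESS) return 0;`. The removed `ssl_init` also loaded the default verify paths, whereas nothing here allocates certificate credentials or a trust store, which the peer check in gf_dm_connect needs. The `mode` parameter is now unused and deserves a comment saying that protocol selection is no longer honoured.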
+@@ -220,7 +165,7 @@ static Bool gf_dm_is_local(GF_DownloadManager *dm, const char *url)
+ static Bool gf_dm_can_handle_url(GF_DownloadManager *dm, const char *url)
+ {
+       if (!strnicmp(url, "http://", 7)) return 1;
+-#ifdef GPAC_HAS_SSL
++#ifdef GPAC_HAS_GNUTLS
+       if (!strnicmp(url, "https://", 8)) return 1;
+ #endif
+       return 0;
+@@ -292,11 +237,10 @@ void gf_dm_configure_cache(GF_DownloadSession *sess)
+ static void gf_dm_disconnect(GF_DownloadSession *sess)
+ {
+-#ifdef GPAC_HAS_SSL
+-      if (sess->ssl) {
+-              SSL_shutdown(sess->ssl);
+-              SSL_free(sess->ssl);
+-              sess->ssl = NULL;
++#ifdef GPAC_HAS_GNUTLS
++      if (sess->gnutls_session) {
++              gnutls_bye(sess->gnutls_session, GNUTLS_SHUT_RDWR);
++              sess->gnutls_session = NULL;
+       }
+ #endif
+       if (sess->sock) {
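Review bot: `gf_dm_disconnect` sends the close notification with `gnutls_bye()` and then clears the handle without releasing it, so every HTTPS session leaks its GnuTLS state, including the negotiated key material (the removed code paired `SSL_shutdown` with `SSL_free`). Add `gnutls_deinit(sess->gnutls_session);` between the `gnutls_bye` call and `sess->gnutls_session = NULL;`. The rest of the function lies outside this hunk.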
+@@ -385,10 +329,10 @@ static GF_Err gf_dm_setup_from_url(GF_DownloadSession *sess, char *url)
+       else if (!strnicmp(url, "https://", 8)) {
+               url += 8;
+               sess->port = 443;
+-#ifndef GPAC_HAS_SSL
++#ifndef GPAC_HAS_GNUTLS
+               return GF_NOT_SUPPORTED;
+ #endif
+-              sess->flags |= GF_DOWNLOAD_SESSION_USE_SSL;
++              sess->flags |= GF_DOWNLOAD_SESSION_USE_GNUTLS;
+               sess->do_requests = http_do_requests;
+       }
+       else if (!strnicmp(url, "ftp://", 6)) {
+@@ -539,9 +483,9 @@ static GF_Err gf_dm_read_data(GF_DownloadSession *sess, char *data, u32 data_siz
+ {
+       GF_Err e;
+       
+-#ifdef GPAC_HAS_SSL
+-      if (sess->ssl) {
+-              u32 size = SSL_read(sess->ssl, data, data_size);
++#ifdef GPAC_HAS_GNUTLS
++      if (sess->gnutls_session) {
++              u32 size = gnutls_record_recv(sess->gnutls_session, data, data_size);
+               e = GF_OK;
+               data[size] = 0;
+               if (!size) e = GF_IP_NETWORK_EMPTY;
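Review bot: `gnutls_record_recv()` returns a signed count that is negative on error, but the result is stored in a `u32` and then used as an index in `data[size] = 0`, so a failed or interrupted read becomes a write far outside the caller's buffer. Keep the value signed and reject errors before indexing: `ssize_t size = gnutls_record_recv(sess->gnutls_session, data, data_size);` followed by `if (size < 0) return GF_IP_NETWORK_FAILURE;`. A full read (`size == data_size`) also puts the terminator one byte past `data_size`, which is only safe if every caller over-allocates by one; the callers are not visible here, so that should be confirmed. The function continues outside the hunk.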
+@@ -554,7 +498,7 @@ static GF_Err gf_dm_read_data(GF_DownloadSession *sess, char *data, u32 data_siz
+ }
+-#ifdef GPAC_HAS_SSL
++#ifdef GPAC_HAS_GNUTLS
+ /*pattern comp taken from wget*/
+ #define ASTERISK_EXCLUDES_DOT /* mandated by rfc2818 */
+@@ -650,32 +594,30 @@ static void gf_dm_connect(GF_DownloadSession *sess)
+       gf_sk_set_buffer_size(sess->sock, 0, GF_DOWNLOAD_BUFFER_SIZE);
+       gf_dm_configure_cache(sess);
+-#ifdef GPAC_HAS_SSL
++#ifdef GPAC_HAS_GNUTLS
+       /*socket is connected, configure SSL layer*/
+-      if (!sess->ssl && sess->dm->ssl_ctx && (sess->flags & GF_DOWNLOAD_SESSION_USE_SSL)) {
++      if (!sess->gnutls_session && sess->dm->gnutls_initialized &&
++              (sess->flags & GF_DOWNLOAD_SESSION_USE_GNUTLS)) {
+               int ret;
+               long vresult;
+-              char common_name[256];
+-          X509 *cert;
+               Bool success = 1;
+-
+-              sess->ssl = SSL_new(sess->dm->ssl_ctx);
+-              SSL_set_fd(sess->ssl, gf_sk_get_handle(sess->sock));
+-              SSL_set_connect_state(sess->ssl);
+-              ret = SSL_connect(sess->ssl);
++              const gnutls_datum_t *cert_list;
++              int cert_list_size = 0;
++              gnutls_x509_crt_t x509_cert;
++              gnutls_x509_dn_t *x509_dn;
++
++              gnutls_init(sess->gnutls_session, GNUTLS_CLIENT);
++              gnutls_transport_set_ptr(sess->gnutls_session, gf_sk_get_handle(sess->sock));
++              ret = gnutls_handshake(sess->gnutls_session);
+               assert(ret>0);
+-              cert = SSL_get_peer_certificate(sess->ssl);       
++              cert_list = gnutls_certificate_get_peers(sess->gnutls_session, &cert_list_size);
+               /*if we have a cert, check it*/
+-              if (cert) {
+-                      vresult = SSL_get_verify_result(sess->ssl);
+-                      if (vresult != X509_V_OK) success = 0;
+-                      else {
+-                              common_name[0] = 0;
+-                              X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, common_name, sizeof (common_name));
+-                              if (!pattern_match(common_name, sess->server_name)) success = 0;
+-                      }
+-                      X509_free(cert);
++              if (cert_list) {
++                      gnutls_x509_crt_init(&x509_cert);
++                      gnutls_x509_crt_import(x509_cert, &cert_list[0], GNUTLS_X509_FMT_DER);
++                      if (!gnutls_x509_crt_check_hostname(x509_cert, sess->server_name)) success = 0;
++                      gnutls_x509_crt_deinit(x509_cert);
+                       if (!success) {
+                               gf_dm_disconnect(sess);
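Review bot: The TLS setup in `gf_dm_connect` never validates the certificate chain: the removed `SSL_get_verify_result` test has no GnuTLS counterpart, so only `gnutls_x509_crt_check_hostname` runs and a self-signed certificate carrying the right name is accepted, while a peer that presents no certificate skips the check entirely. Separately, `gnutls_init` is passed the (NULL) handle instead of its address, no priorities or certificate credentials are set, and `assert(ret>0)` fails on a successful handshake because `gnutls_handshake` returns 0 on success. The sketch below shows the shape of the fix; it additionally needs a credentials object holding the trust anchors, attached with `gnutls_credentials_set`, and the existing `if (!success)` handling has to move out of the `if (cert_list)` block so every failure reaches it. The enclosing block starts and ends outside this hunk.

```c
		unsigned int vstatus = 0;
		unsigned int cert_list_size = 0;
		/* … unchanged: ret, success, cert_list, x509_cert declarations … */

		/* gnutls_init() fills in the handle, so it takes its address */
		ret = gnutls_init(&sess->gnutls_session, GNUTLS_CLIENT);
		if (ret == GNUTLS_E_SUCCESS) {
			gnutls_set_default_priority(sess->gnutls_session);
			/* certificate credentials with the trust anchors must be attached here */
			/* … unchanged: gnutls_transport_set_ptr call … */
			ret = gnutls_handshake(sess->gnutls_session);
		}
		/* 0 is success, negative values are errors; do not assert on network input */
		if (ret != GNUTLS_E_SUCCESS) success = 0;

		/* validate the chain before looking at the name */
		if (success) {
			ret = gnutls_certificate_verify_peers2(sess->gnutls_session, &vstatus);
			if (ret < 0 || vstatus != 0) success = 0;
		}

		if (success) {
			cert_list = gnutls_certificate_get_peers(sess->gnutls_session, &cert_list_size);
			/* a peer without a certificate is a failure, not a pass */
			if (!cert_list || !cert_list_size) success = 0;
		}
		/* … unchanged: import cert_list[0] and gnutls_x509_crt_check_hostname, run only while success is still set … */
```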
+@@ -741,8 +683,8 @@ GF_DownloadManager *gf_dm_new(GF_Config *cfg)
+                       dm->cache_directory = strdup(opt);
+               }
+       }
+-#ifdef GPAC_HAS_SSL
+-      ssl_init(dm, 0);
++#ifdef GPAC_HAS_GNUTLS
++      gnutls_lib_init(dm, 0);
+ #endif
+       return dm;
+ }
+@@ -768,8 +710,11 @@ void gf_dm_del(GF_DownloadManager *dm)
+       free(dm->cache_directory);
+-#ifdef GPAC_HAS_SSL
+-      if (dm->ssl_ctx) SSL_CTX_free(dm->ssl_ctx);
++#ifdef GPAC_HAS_GNUTLS
++      if (dm->gnutls_initialized) {
++              gnutls_global_deinit;
++              dm->gnutls_initialized = 0;
++      }
+ #endif
+       free(dm);
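Review bot: In `gf_dm_del` the statement `gnutls_global_deinit;` has no call parentheses, so it evaluates the function's address and discards it; the library is never torn down and most compilers only warn about a statement with no effect. It should read `gnutls_global_deinit();`. The rest of the function is outside this hunk.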
+@@ -1162,10 +1107,10 @@ void http_do_requests(GF_DownloadSession *sess)
+                               fclose(profile);
+                       }
+-#ifdef GPAC_HAS_SSL
+-                      if (sess->ssl) {
++#ifdef GPAC_HAS_GNUTLS
++                      if (sess->gnutls_session) {
+                               e = GF_IP_NETWORK_FAILURE;
+-                              if (!SSL_write(sess->ssl, tmp_buf, len+par.size)) e = GF_OK;
++                              if (!gnutls_record_send(sess->gnutls_session, tmp_buf, len+par.size)) e = GF_OK;
+                       } else 
+ #endif
+                               e = gf_sk_send(sess->sock, tmp_buf, len+par.size);
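Review bot: The result test on `gnutls_record_send` is inverted: the call returns the number of bytes sent or a negative error, so `if (!gnutls_record_send(...)) e = GF_OK;` reports success only when zero bytes were written and turns every successful send into `GF_IP_NETWORK_FAILURE`. The condition was carried over unchanged from the `SSL_write` line and appears again in the next hunk for the `sHTTP` send. Use `if (gnutls_record_send(sess->gnutls_session, tmp_buf, len+par.size) > 0) e = GF_OK;` in both places. A return smaller than the requested length may also need a retry loop, since one call is not guaranteed to send the whole buffer. `http_do_requests` starts and ends outside these hunks.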
+@@ -1174,10 +1119,10 @@ void http_do_requests(GF_DownloadSession *sess)
+                       free(tmp_buf);
+               } else {
+-#ifdef GPAC_HAS_SSL
+-                      if (sess->ssl) {
++#ifdef GPAC_HAS_GNUTLS
++                      if (sess->gnutls_session) {
+                               e = GF_IP_NETWORK_FAILURE;
+-                              if (!SSL_write(sess->ssl, sHTTP, strlen(sHTTP))) e = GF_OK;
++                              if (!gnutls_record_send(sess->gnutls_session, sHTTP, strlen(sHTTP))) e = GF_OK;
+                       } else 
+ #endif
+                               e = gf_sk_send(sess->sock, sHTTP, strlen(sHTTP));