
[Gnash-commit] /srv/bzr/gnash/trunk r11080: add the beginnings of SSL su


From: rob
Subject: [Gnash-commit] /srv/bzr/gnash/trunk r11080: add the beginnings of SSL support.
Date: Thu, 11 Jun 2009 11:14:37 -0600
User-agent: Bazaar (1.13.1)

------------------------------------------------------------
revno: 11080
committer: address@hidden
branch nick: trunk
timestamp: Thu 2009-06-11 11:14:37 -0600
message:
  add the beginnings of SSL support.
added:
  libnet/sslclient.cpp
  libnet/sslclient.h
modified:
  Makefile.am
  configure.ac
  libcore/ClassHierarchy.cpp
  libnet/Makefile.am
  libnet/network.h
  plugin/mozilla-sdk/include/nptypes.h
    ------------------------------------------------------------
    revno: 11029.1.1
    committer: address@hidden
    branch nick: ssl
    timestamp: Mon 2009-06-08 08:20:58 -0600
    message:
      add files for SSL support in libnet.
    added:
      libnet/sslclient.cpp
      libnet/sslclient.h
    ------------------------------------------------------------
    revno: 11029.1.2
    committer: address@hidden
    branch nick: ssl
    timestamp: Mon 2009-06-08 08:21:20 -0600
    message:
      build SSL support.
    modified:
      libnet/Makefile.am
    ------------------------------------------------------------
    revno: 11029.1.3
    committer: address@hidden
    branch nick: ssl
    timestamp: Mon 2009-06-08 08:21:46 -0600
    message:
      add options to enable SSL, and set the cert and pem key paths.
    modified:
      configure.ac
    ------------------------------------------------------------
    revno: 11029.1.4
    committer: address@hidden
    branch nick: ssl
    timestamp: Wed 2009-06-10 18:19:32 -0600
    message:
      find and dump SSL flags and lib.
    modified:
      Makefile.am
      configure.ac
    ------------------------------------------------------------
    revno: 11029.1.5
    committer: address@hidden
    branch nick: ssl
    timestamp: Wed 2009-06-10 18:20:08 -0600
    message:
      add SSL flags and lib.
    modified:
      libnet/Makefile.am
    ------------------------------------------------------------
    revno: 11029.1.6
    committer: address@hidden
    branch nick: ssl
    timestamp: Wed 2009-06-10 20:45:01 -0600
    message:
      add constant for SSL port.
    modified:
      libnet/network.h
    ------------------------------------------------------------
    revno: 11029.1.7
    committer: address@hidden
    branch nick: ssl
    timestamp: Wed 2009-06-10 20:45:38 -0600
    message:
      add initial support for SSL encrypted network connections.
    modified:
      libnet/sslclient.cpp
      libnet/sslclient.h
    ------------------------------------------------------------
    revno: 11029.1.8
    committer: address@hidden
    branch nick: ssl
    timestamp: Wed 2009-06-10 21:08:00 -0600
    message:
      only build ssl files if SSL builds are enabled.
    modified:
      libnet/Makefile.am
=== modified file 'Makefile.am'
--- a/Makefile.am       2009-06-11 10:37:51 +0000
+++ b/Makefile.am       2009-06-11 17:14:37 +0000
@@ -351,11 +351,15 @@
        @echo " Media handler: $(MEDIA_CONFIG)"
        @echo " Renderer engine: $(RENDERER_CONFIG)"
 
+if BUILD_SSL
+       @echo " SSL_CFLAGS is $(SSL_CFLAGS)"
+       @echo " SSL_LIBS is $(SSL_LIBS)"
+endif
 if BUILD_GTK_GUI
 if HAVE_XV
        @echo " Supported GUI: GTK (+XVideo)"
 else
-       @echo " Supported GUI: GTK"
+       @echo " Supported GUI: GTK"
 endif
 endif
 if BUILD_HILDON_GUI

=== modified file 'configure.ac'
--- a/configure.ac      2009-06-11 10:37:51 +0000
+++ b/configure.ac      2009-06-11 17:14:37 +0000
@@ -495,6 +495,31 @@
 
 AM_CONDITIONAL(SDKINSTALL, test x$sdkinstall = xyes)
 
+dnl Enable using OpenSSL with libnet.
+AC_ARG_ENABLE(ssl,
+  AC_HELP_STRING([--enable-ssl], [Enable using OpenSSL directly]),
+[case "${enableval}" in
+  yes) build_ssl=yes ;;
+  no)  build_ssl=no ;;
+  *)   AC_MSG_ERROR([bad value ${enableval} for --enable-openssl option]) ;;
+esac], build_ssl=no)
+
+with_cert=
+with_pem=
+AM_CONDITIONAL(BUILD_SSL, test x"${build_ssl}" = xyes)
+AC_ARG_WITH(cert,
+  AC_HELP_STRING([--with-cert],
+  [cert file for SSL]),
+  with_cert=${withval})
+AC_ARG_WITH(pem,
+  AC_HELP_STRING([--with-pe,],
+  [pem file for SSL]),
+  with_pem=${withval})
+
+if test x"${build_ssl}" = xyes; then
+  GNASH_PKG_FIND(ssl, [openssl/ssl.h], [OpenSSL library], SSL_library_init)
+fi
+
 dnl The class file is an optional file that if it is specified at configure 
time
 dnl with --with-classfile=, then only those classes are compiled and built 
into the
 dnl class library used for Gnash. THis is designed for small systems that 
execute the
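Review bot: The help string for the `--with-pem` option is misspelt at `AC_HELP_STRING([--with-pe,],`, and the error message in the `--enable-ssl` case statement names `--enable-openssl`, which is not the option being parsed; change it to `AC_MSG_ERROR([bad value ${enableval} for --enable-ssl option])`. with_cert and with_pem are assigned from ${withval} but, at least within this hunk, are neither AC_SUBST'ed nor AC_DEFINE'd, so the configured paths never reach the build or sslclient.cpp, which hard-codes its own file names. The `${withval}` assignments are also unquoted, so a path containing whitespace would break the configure script.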
@@ -1200,6 +1225,7 @@
   GNASH_PATH_MYSQL
 fi
 
+
 dnl -----------------------------------------------------------
 dnl   Verify dependencies for requested GUIs are met, and
 dnl   disable build of the GUIS for which deps are NOT met
@@ -3256,6 +3282,18 @@
     echo "        ERROR: No Python development package is installed, but it's 
enabled." >&3
   fi
 fi
+if test x${build_ssl} = xyes; then
+  if test x"${has_ssl}" = xyes; then
+    if test x"${SSL_CFLAGS}" = xyes; then
+      echo "        SSL flags are: default"
+    else
+      echo "        SSL flags are: $SSL_CFLAGS"
+    fi
+    echo "        SSL libs are: $SSL_LIBS"
+  else
+    echo "        ERROR: No SSL development package is installed, but it's 
enabled." >&3
+  fi
+fi
 
 if test x"${build_all_as3}" = x"yes"; then
   echo "        Building the entire ActionScript class libary"

=== modified file 'libcore/ClassHierarchy.cpp'
--- a/libcore/ClassHierarchy.cpp        2009-06-11 15:37:15 +0000
+++ b/libcore/ClassHierarchy.cpp        2009-06-11 17:14:37 +0000
@@ -319,13 +319,13 @@
         NSV::NS_FLASH_TEXT, 5 },
     { video_class_init, NSV::CLASS_VIDEO, NSV::CLASS_OBJECT,
         NSV::NS_FLASH_MEDIA, 6 },
-       { camera_class_init, NSV::CLASS_CAMERA, NSV::CLASS_OBJECT,
-        NSV::NS_FLASH_MEDIA, 6 },
-       { microphone_class_init, NSV::CLASS_MICROPHONE, NSV::CLASS_OBJECT,
-        NSV::NS_FLASH_MEDIA, 6 },
-       { sharedobject_class_init, NSV::CLASS_SHARED_OBJECT, NSV::CLASS_OBJECT,
+    { camera_class_init, NSV::CLASS_CAMERA, NSV::CLASS_OBJECT,
+        NSV::NS_FLASH_MEDIA, 6 },
+    { microphone_class_init, NSV::CLASS_MICROPHONE, NSV::CLASS_OBJECT,
+        NSV::NS_FLASH_MEDIA, 6 },
+    { sharedobject_class_init, NSV::CLASS_SHARED_OBJECT, NSV::CLASS_OBJECT,
         NSV::NS_FLASH_NET, 6 },
-       { loadvars_class_init, NSV::CLASS_LOAD_VARS, NSV::CLASS_OBJECT, 
NS_GLOBAL, 6 },
+    { loadvars_class_init, NSV::CLASS_LOAD_VARS, NSV::CLASS_OBJECT, NS_GLOBAL, 
6 },
     { LocalConnection_as::init, NSV::CLASS_LOCALCONNECTION, NSV::CLASS_OBJECT,
         NSV::NS_FLASH_NET, 6 },
     { customactions_class_init, NSV::CLASS_CUSTOM_ACTIONS, NSV::CLASS_OBJECT,

=== modified file 'libnet/Makefile.am'
--- a/libnet/Makefile.am        2009-03-09 15:39:25 +0000
+++ b/libnet/Makefile.am        2009-06-11 03:08:00 +0000
@@ -28,6 +28,7 @@
        $(LIBLTDL) \
        $(GLIB_LIBS) \
        $(CURL_LIBS) \
+       $(SSL_LIBS) \
        $(LIBADD_DL) \
        $(BOOST_LIBS) \
        $(PTHREAD_LIBS)
@@ -39,6 +40,7 @@
         -I$(top_srcdir)/libbase \
         -I$(top_srcdir)/libcore \
         -DLOCALEDIR=\"$(localedir)\" \
+       $(SSL_CFLAGS) \
        $(CURL_CFLAGS) \
        $(BOOST_CFLAGS) \
        $(PTHREAD_CFLAGS)
@@ -71,6 +73,11 @@
        diskstream.cpp \
        cache.cpp
 
+if BUILD_SSL
+libgnashnet_la_SOURCES += sslclient.cpp
+noinst_HEADERS += sslclient.h
+endif
+
 if WIN32
   AM_LDFLAGS += -no-undefined
 endif

=== modified file 'libnet/network.h'
--- a/libnet/network.h  2009-06-07 21:14:22 +0000
+++ b/libnet/network.h  2009-06-11 02:45:01 +0000
@@ -66,6 +66,7 @@
 const short RTMPT_PORT  = 80;
 const short RTMPTE_PORT = 80;
 const short RTMPTS_PORT = 443;
+const short SSL_PORT    = 4433;
 
 #ifdef __OS2__
  typedef int    socklen_t;
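Review bot: `const short SSL_PORT    = 4433;` is added next to `RTMPTS_PORT = 443` with no comment explaining why plain SSL connections use a non-standard port, and sslConnect() in sslclient.cpp connects to it unconditionally, so a reader is likely to assume 443 was intended. Add a comment such as `// Non-standard port used for SSL connections (presumably a development server); TLS on the wire normally uses 443` and consider making the port a parameter of sslConnect() rather than a constant.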

=== added file 'libnet/sslclient.cpp'
--- a/libnet/sslclient.cpp      1970-01-01 00:00:00 +0000
+++ b/libnet/sslclient.cpp      2009-06-11 02:45:38 +0000
@@ -0,0 +1,262 @@
+// ssl.cpp:  HyperText Transport Protocol handler for Cygnal, for Gnash.
+// 
+//   Copyright (C) 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc.
+// 
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; either version 3 of the License, or
+// (at your option) any later version.
+// 
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software
+// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+//
+
+#ifdef HAVE_CONFIG_H
+#include "gnashconfig.h"
+#endif
+
+#include <boost/thread/mutex.hpp>
+#include <boost/shared_ptr.hpp>
+#include <boost/shared_array.hpp>
+#include <boost/scoped_array.hpp>
+#include <boost/cstdint.hpp>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string>
+#include <iostream>
+#include <cstring>
+#include <sstream>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <algorithm>
+
+#include "GnashSystemIOHeaders.h" // read()
+#include "sslclient.h"
+#include "amf.h"
+#include "element.h"
+#include "cque.h"
+#include "log.h"
+#include "network.h"
+#include "utility.h"
+#include "buffer.h"
+#include "diskstream.h"
+#include "cache.h"
+
+#ifdef HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+
+// Not POSIX, so best not rely on it if possible.
+#ifndef PATH_MAX
+# define PATH_MAX 1024
+#endif
+
+#if defined(_WIN32) || defined(WIN32)
+# define __PRETTY_FUNCTION__ __FUNCDNAME__
+# include <winsock2.h>
+# include <direct.h>
+#else
+# include <unistd.h>
+# include <sys/param.h>
+#endif
+
+using namespace gnash;
+using namespace std;
+
+static boost::mutex stl_mutex;
+
+// This is static in this file, instead of being a private variable in
+// the SSLCLient class, is so it's accessible from the C function callback,
+// which can't access the private data of the class.
+static std::string password;
+
+namespace gnash
+{
+
+SSLClient::SSLClient()
+    : _need_server_auth(true)
+{
+    GNASH_REPORT_FUNCTION;
+}
+
+SSLClient::~SSLClient()
+{
+    GNASH_REPORT_FUNCTION;
+}
+
+// Read bytes from the already opened SSL connection
+size_t
+SSLClient::sslRead(SSL &ssl, amf::Buffer &buf, size_t length)
+{
+    GNASH_REPORT_FUNCTION;
+}
+
+// Write bytes to the already opened SSL connection
+size_t
+SSLClient::sslWrite(SSL &ssl, amf::Buffer &buf, size_t length)
+{
+    GNASH_REPORT_FUNCTION;
+}
+
+// Setup the Context for this connection
+size_t
+SSLClient::sslSetupCTX(SSL &ssl)
+{
+    GNASH_REPORT_FUNCTION;
+    SSL_METHOD *meth;
+    SSL_library_init();
+    SSL_load_error_strings();
+    
+    if (!_bio_error) {
+       _bio_error.reset(BIO_new_fp(stderr, BIO_NOCLOSE));
+    }
+
+    // create the context
+    meth=SSLv23_method();
+    _ctx.reset(SSL_CTX_new(meth));
+
+    
+    // Load our keys and certificates
+    if(!(SSL_CTX_use_certificate_chain_file(_ctx.get(), _keyfile.c_str()))) {
+       log_error("Can't read certificate file %s!", _keyfile);
+    }
+
+    SSL_CTX_set_default_passwd_cb(_ctx.get(), password_cb);
+    if(!(SSL_CTX_use_PrivateKey_file(_ctx.get(), _keyfile.c_str(),
+                                    SSL_FILETYPE_PEM))) {
+       log_error("Can't read key file %s!", _keyfile);
+    }
+
+    // Load the CAs we trust
+    if(!(SSL_CTX_load_verify_locations(_ctx.get(), CA_LIST, 0))) {
+       log_error("Can't read CA list!");
+    }
+    
+#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+    SSL_CTX_set_verify_depth(_ctx.get() ,1);
+#endif
+
+}
+
+// Shutdown the Context for this connection
+size_t
+SSLClient::sslShutdown(SSL &ssl)
+{
+    GNASH_REPORT_FUNCTION;
+
+    SSL_CTX_free(_ctx.get());
+
+    closeNet();
+}
+
+// sslConnect() is how the client connects to the server 
+size_t
+SSLClient::sslConnect(std::string &hostname)
+{
+    GNASH_REPORT_FUNCTION;
+
+    if (!_ctx) {
+       sslSetupCTX(*_ssl);
+    }
+
+    _ssl.reset(SSL_new(_ctx.get()));
+
+    if (createClient(hostname, SSL_PORT) == false) {
+        log_error("Can't connect to RTMP server %s", hostname);
+        return(-1);
+    }
+
+    _bio.reset(BIO_new_socket(getFileFd(), BIO_NOCLOSE));
+    if (SSL_connect(_ssl.get()) <= 0) {
+        log_error("Can't connect to SSL server %s", hostname);
+        return(-1);
+    }
+
+    if (_need_server_auth) {
+       checkCert(hostname);
+    }
+
+    return 0;
+}
+
+// sslAccept() is how the server waits for connections for clients
+size_t
+SSLClient::sslAccept(SSL &ssl)
+{
+    GNASH_REPORT_FUNCTION;
+}
+
+bool
+SSLClient::checkCert(std::string &hostname)
+{
+    GNASH_REPORT_FUNCTION;
+
+    if (!_ssl) {
+       return false;
+    }
+
+    X509 *peer;
+    char peer_CN[256];
+    
+    if (SSL_get_verify_result(_ssl.get()) !=X509_V_OK) {
+       log_error("Certificate doesn't verify");
+    }
+
+    // Check the cert chain. The chain length
+    // is automatically checked by OpenSSL when
+    // we set the verify depth in the ctx
+
+    // Check the common name
+    peer = SSL_get_peer_certificate(_ssl.get());
+    X509_NAME_get_text_by_NID (X509_get_subject_name(peer),
+                              NID_commonName, peer_CN, 256);
+
+    if (strcasecmp(peer_CN, hostname.c_str())) {
+       log_error("Common name doesn't match host name");
+    }
+
+    return true;
+}
+
+void
+SSLClient::dump() {
+//    GNASH_REPORT_FUNCTION;
+    
+    boost::mutex::scoped_lock lock(stl_mutex);
+        
+    log_debug (_("==== The SSL header breaks down as follows: ===="));
+}
+
+extern "C" {
+// This is the callback required when setting up the password. 
+int
+password_cb(char *buf, int size, int rwflag,
+                      void *userdata)
+{
+    GNASH_REPORT_FUNCTION;
+    
+    if(size < password.size()) {
+       log_error("The buffer for the password needs to be %d bytes larger",
+                 password.size() - size);
+       return(0);
+    }
+
+    std::copy(password.c_str(), password.c_str(), buf);
+    return(password.size());
+}
+} // end of extern C
+
+} // end of gnash namespace
+
+
+// local Variables:
+// mode: C++
+// indent-tabs-mode: t
+// End:
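Review bot: checkCert() only logs when SSL_get_verify_result() is not X509_V_OK or when the peer common name differs from hostname and still returns true, so the _need_server_auth path never rejects a peer (and sslConnect ignores its result anyway); it also dereferences the SSL_get_peer_certificate() result without a NULL check and never X509_free()s it. The rewrite below fails closed on each of those conditions; sslConnect should then treat a false return as a failed connection. Separately, sslRead, sslWrite, sslSetupCTX, sslShutdown and sslAccept are declared size_t but reach the end of the body without a return statement, which is undefined behaviour, and sslConnect's `return(-1)` wraps to SIZE_MAX in a size_t function. sslConnect also dereferences _ssl in `sslSetupCTX(*_ssl);` before _ssl is ever set, and the BIO it creates with BIO_new_socket() is never attached to the SSL object (no SSL_set_bio or SSL_set_fd call in the hunk), so SSL_connect() has no transport. password_cb's `std::copy(password.c_str(), password.c_str(), buf)` is an empty range and copies nothing — it should be `std::copy(password.begin(), password.end(), buf);` — and holding SSL/SSL_CTX/BIO in boost::scoped_ptr releases them with delete rather than SSL_free/SSL_CTX_free/BIO_free, while sslShutdown's explicit SSL_CTX_free() on the still-owned pointer then double-frees on destruction.
```cpp
bool
SSLClient::checkCert(std::string &hostname)
{
    GNASH_REPORT_FUNCTION;

    if (!_ssl) {
        return false;
    }

    // Fail closed: a chain that does not verify is a failed check, not a log line.
    if (SSL_get_verify_result(_ssl.get()) != X509_V_OK) {
        log_error("Certificate doesn't verify");
        return false;
    }

    // SSL_get_peer_certificate() returns NULL when the peer sent no certificate.
    X509 *peer = SSL_get_peer_certificate(_ssl.get());
    if (!peer) {
        log_error("No peer certificate presented");
        return false;
    }

    char peer_CN[256];
    int cn_len = X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
                                           NID_commonName, peer_CN,
                                           sizeof(peer_CN));
    X509_free(peer);   // SSL_get_peer_certificate() hands back a reference we own
    if (cn_len < 0) {
        log_error("Peer certificate has no common name");
        return false;
    }

    if (strcasecmp(peer_CN, hostname.c_str())) {
        log_error("Common name doesn't match host name");
        return false;
    }

    return true;
}
```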

=== added file 'libnet/sslclient.h'
--- a/libnet/sslclient.h        1970-01-01 00:00:00 +0000
+++ b/libnet/sslclient.h        2009-06-11 02:45:38 +0000
@@ -0,0 +1,104 @@
+// 
+//   Copyright (C) 2007, 2008, 2009 Free Software Foundation, Inc.
+// 
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; either version 3 of the License, or
+// (at your option) any later version.
+// 
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+// 
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software
+// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+//
+
+#ifndef GNASH_LIBNET_SSL_H
+#define GNASH_LIBNET_SSL_H
+
+#ifdef HAVE_CONFIG_H
+#include "gnashconfig.h"
+#endif
+
+#include <string>
+#include <map>
+#include <vector>
+#include <boost/shared_ptr.hpp>
+#include <boost/shared_array.hpp>
+#include <boost/scoped_array.hpp>
+#include <boost/cstdint.hpp>
+#include <sstream>
+
+#ifdef HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#endif
+
+#include "cque.h"
+#include "network.h"
+#include "buffer.h"
+
+namespace gnash
+{
+
+const char *CA_LIST = "root.pem";
+const char *HOST    = "localhost";
+const char *RANDOM  = "random.pem";
+
+class DSOEXPORT SSLClient : public gnash::Network
+{
+public:
+    SSLClient();
+    ~SSLClient();
+
+    // Read bytes from the already opened SSL connection
+    size_t sslRead(SSL &ssl, amf::Buffer &buf, size_t length);
+
+    // Write bytes to the already opened SSL connection
+    size_t sslWrite(SSL &ssl, amf::Buffer &buf, size_t length);
+
+    // Setup the Context for this connection
+    size_t sslSetupCTX(SSL &ssl);
+
+    // Shutdown the Context for this connection
+    size_t sslShutdown(SSL &ssl);
+
+    // sslConnect() is how the client connects to the server 
+    size_t sslConnect(std::string &hostname);
+
+    // sslAccept() is how the server waits for connections for clients
+    size_t sslAccept(SSL &ssl);
+
+    void dump();
+
+ private:
+    // Check a certificate
+    bool checkCert(std::string &hostname);
+
+    boost::scoped_ptr<SSL> _ssl;
+    boost::scoped_ptr<SSL_CTX> _ctx;
+    boost::scoped_ptr<BIO> _bio;
+    boost::scoped_ptr<BIO> _bio_error;
+    std::string _keyfile;
+    bool _need_server_auth;
+};
+
+extern "C" {
+    // This is the callback required when setting up the password
+    int password_cb(char *buf, int size, int rwflag, void *userdata);
+}
+
+
+} // end of gnash namespace
+
+// end of _SSL_H_
+#endif
+
+
+// local Variables:
+// mode: C++
+// indent-tabs-mode: t
+// End:
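Review bot: `const char *CA_LIST = "root.pem";` and the two definitions after it declare non-const pointers at namespace scope in a header, so every translation unit that includes sslclient.h gets its own definition with external linkage and the link fails as soon as a second includer exists; make them `const char* const CA_LIST = "root.pem";` (likewise HOST and RANDOM). The class stores `boost::scoped_ptr<SSL>`, `boost::scoped_ptr<SSL_CTX>` and `boost::scoped_ptr<BIO>` members, but the header includes boost/shared_ptr.hpp, shared_array.hpp and scoped_array.hpp and not boost/scoped_ptr.hpp, so the declaration presumably compiles only through a transitive include. sslConnect and checkCert take `std::string &hostname` although neither needs to modify it; `const std::string &hostname` would also let callers pass temporaries.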

=== modified file 'plugin/mozilla-sdk/include/nptypes.h'
--- a/plugin/mozilla-sdk/include/nptypes.h      2009-02-25 22:33:03 +0000
+++ b/plugin/mozilla-sdk/include/nptypes.h      2009-06-11 17:14:37 +0000
@@ -42,7 +42,7 @@
   #ifndef __cplusplus
     typedef int bool;
   #endif
-#elif defined(bsdi) || defined(FREEBSD) || defined(OPENBSD)
+#elif defined(bsdi) || defined(FREEBSD) || defined(OPENBSD) || 
defined(LINUX_HOST)
   /*
    * BSD/OS, FreeBSD, and OpenBSD ship sys/types.h that define int32_t and 
    * u_int32_t.
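Review bot: The comment directly below the changed `#elif` still says only BSD/OS, FreeBSD and OpenBSD ship a sys/types.h that defines int32_t and u_int32_t, but the condition now also fires when LINUX_HOST is defined; extend it, e.g. `* BSD/OS, FreeBSD, OpenBSD, and (when LINUX_HOST is defined) Linux ship sys/types.h that define int32_t and`. Where LINUX_HOST is defined is not visible in this hunk, so it is worth confirming that the Linux headers really provide the same typedefs this branch relies on.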

