Change the rsync-ssl helper script

The new rsh-ssl-rsync helper script (replacing stunnel-rsync) supports
openssl in addition to stunnel.  The RSYNC_SSL_TYPE environment variable
can be set to specify which type of connection to use, and the first arg
to rsync-ssl can be --type=stunnel or --type=openssl to override the env
var or the default of "stunnel".  The helper script now looks for
stunnel4 or stunnel on the PATH at runtime instead of having configure
look for it at compile time.

Author: WayneD

.gitignore

@@ -25,7 +25,6 @@ aclocal.m4
 /gmon.out
 /rsync
 /rsync-ssl
-/stunnel-rsync
 /stunnel-rsyncd.conf
 /shconfig
 /testdir

Makefile.in

@@ -63,7 +63,7 @@ CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.
 	$(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@
 @OBJ_RESTORE@
 
-all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsync stunnel-rsyncd.conf @MAKE_MAN@
+all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsyncd.conf @MAKE_MAN@
 
 install: all
 	-${MKDIR_P} ${DESTDIR}${bindir}
@@ -73,10 +73,10 @@ install: all
 	if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi
 	if test -f rsyncd.conf.5; then ${INSTALLMAN} -m 644 rsyncd.conf.5 ${DESTDIR}${mandir}/man5; fi
 
-install-ssl-client: rsync-ssl stunnel-rsync
+install-ssl-client: rsync-ssl
 	-${MKDIR_P} ${DESTDIR}${bindir}
 	${INSTALLCMD} -m 755 rsync-ssl ${DESTDIR}${bindir}
-	${INSTALLCMD} -m 755 stunnel-rsync ${DESTDIR}${bindir}
+	${INSTALLCMD} -m 755 rsh-ssl-rsync ${DESTDIR}${bindir}
 
 install-ssl-daemon: stunnel-rsyncd.conf
 	-${MKDIR_P} ${DESTDIR}/etc/stunnel
@@ -198,10 +198,6 @@ rsync-ssl: $(srcdir)/rsync-ssl.in Makefile
 	sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/rsync-ssl.in >rsync-ssl
 	@chmod +x rsync-ssl
 
-stunnel-rsync: $(srcdir)/stunnel-rsync.in Makefile
-	sed 's;\@stunnel4\@;$(stunnel4);g' <$(srcdir)/stunnel-rsync.in >stunnel-rsync
-	@chmod +x stunnel-rsync
-
 stunnel-rsyncd.conf: $(srcdir)/stunnel-rsyncd.conf.in Makefile
 	sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/stunnel-rsyncd.conf.in >stunnel-rsyncd.conf
 
@@ -239,7 +235,7 @@ cleantests:
 # the source directory.
 distclean: clean
 	rm -f Makefile config.h config.status
-	rm -f rsync-ssl stunnel-rsync stunnel-rsyncd.conf
+	rm -f rsync-ssl stunnel-rsyncd.conf
 	rm -f lib/dummy popt/dummy zlib/dummy
 	rm -f $(srcdir)/Makefile $(srcdir)/config.h $(srcdir)/config.status
 	rm -f $(srcdir)/lib/dummy $(srcdir)/popt/dummy $(srcdir)/zlib/dummy

configure.ac

@@ -974,9 +974,6 @@ AC_SUBST(BUILD_POPT)
 AC_SUBST(BUILD_ZLIB)
 AC_SUBST(MAKE_MAN)
 
-AC_PATH_PROG([STUNNEL], [stunnel], [stunnel], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
-AC_PATH_PROG([STUNNEL4], [stunnel4], [$STUNNEL], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
-
 AC_CHECK_FUNCS(_acl __acl _facl __facl)
 #################################################
 # check for ACL support

packaging/lsb/rsync.spec

@@ -84,7 +84,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files ssl-client
 %{_prefix}/bin/rsync-ssl
-%{_prefix}/bin/stunnel-rsync
+%{_prefix}/bin/rsh-ssl-rsync
 
 %files ssl-daemon
 %config(noreplace) /etc/stunnel/rsyncd.conf

rsh-ssl-rsync

@@ -0,0 +1,113 @@
+#!/bin/bash
+# This must be called as (note the trailing dot):
+#
+#    rsh-ssl-rsync HOSTNAME rsync --server --daemon .
+#
+# ... which is typically done via the rsync-ssl script, which results in something like this:
+#
+#    rsync --rsh=rsh-ssl-rsync -aiv HOSTNAME::module [ARGS]
+#
+# This SSL setup based on the files by:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that an stunnel connection requires at least version 4.x of stunnel.
+
+# The environment can override our defaults using RSYNC_SSL_* variables
+
+if [[ -z "$RSYNC_SSL_TYPE" ]]; then
+    RSYNC_SSL_TYPE=stunnel
+fi
+
+case "$RSYNC_SSL_TYPE" in
+    stunnel)
+	if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+	    IFS_SAVE="$IFS"
+	    IFS=:
+	    for prog in stunnel4 stunnel; do
+		for dir in $PATH; do
+		    [[ -z "$dir" ]] && dir=.
+		    if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
+			RSYNC_SSL_STUNNEL="$dir/$prog"
+			break 2
+		    fi
+		done
+	    done
+	    IFS="$IFS_SAVE"
+	fi
+	if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+	    echo "Failed to find stunnel on your path." 1>&2
+	    echo "Maybe export RSYNC_SSL_STUNNEL=/path or RSYNC_SSL_TYPE=openssl." 1>&2
+	    exit 1
+	fi
+	optsep=' = '
+	;;
+    openssl)
+	optsep=' '
+	;;
+    *)
+	echo "The RSYNC_SSL_TYPE is not set to a known type: $RSYNC_SSL_TYPE" 1>&2
+	exit 1
+	;;
+esac
+
+if [[ -z "$RSYNC_SSL_CERT" ]]; then
+    certopt=""
+else
+    certopt="cert$optsep$RSYNC_SSL_CERT"
+fi
+
+if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
+    # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
+    # openssl:
+    caopt="-verify_return_error -verify 4"
+    # stunnel:
+    cafile=""
+    verify=0
+elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
+    # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
+    # openssl:
+    caopt="-verify 1"
+    # stunnel:
+    cafile=""
+    verify=0
+else
+    # RSYNC_SSL_CA_CERT set - use CA AND verify:
+    # openssl:
+    caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+    # stunnel:
+    cafile="CAfile = $RSYNC_SSL_CA_CERT"
+    verify=3
+fi
+
+port="${RSYNC_PORT:-0}"
+if [[ "$port" == 0 ]]; then
+    port="${RSYNC_SSL_PORT:-874}"
+fi
+
+# If the user specified USER@HOSTNAME::module, then rsync passes us
+# the -l USER option too, so we must be prepared to ignore it.
+if [[ "$1" == "-l" ]]; then
+    shift 2
+fi
+
+hostname="$1"
+shift
+
+if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
+    echo "Usage: rsync-ssl-helper HOSTNAME rsync --server --daemon ." 1>&2
+    exit 1
+fi
+
+if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+    exec openssl s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+else
+    # devzero@web.de came up with this no-tmpfile calling syntax:
+    exec stunnel -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$certopt
+$cafile
+EOF
+fi

rsync-ssl.in

@@ -1,12 +1,20 @@
 #!/bin/bash
-# This script supports using stunnel to secure an rsync daemon connection.
-# Note that this requires at least version 4.x of stunnel.
+# This script supports using stunnel or openssl to secure an rsync daemon connection.
+# The first option can be --type=stunnel or --type=openssl to choose your connection
+# type (overriding any $RSYNC_SSL_TYPE default value).
+
+if [[ "$1" == --type=* ]]; then
+    export RSYNC_SSL_TYPE="${1/--type=/}"
+    shift
+fi
+
 case "$@" in
 *rsync://*) ;;
 *::*) ;;
 *)
-    echo "You must use rsync-ssl with a daemon-style hostname." 0>&1
+    echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
     exit 1
     ;;
 esac
-exec @bindir@/rsync --rsh=@bindir@/stunnel-rsync "${@}"
+
+exec @bindir@/rsync --rsh=@bindir@/rsh-ssl-rsync "${@}"

stunnel-rsync.in

@@ -4,7 +4,7 @@ foreground = no
 pid = /var/run/stunnel-rsyncd.pid
 socket = l:TCP_NODELAY=1
 socket = r:TCP_NODELAY=1
-compression = rle
+#compression = rle
 # This must be root for rsync to use chroot -- rsync will drop permissions:
 setuid = root
 setgid = root
@@ -18,7 +18,7 @@ client = no
 
 # To allow anyone to try an ssl connection, use this:
 verify = 0
-CAfile = /etc/ssl/ca-bundle.pem
+CAfile = /etc/ssl/certs/ca-certificates.crt
 
 # To allow only cert-authorized clients, use something like this instead of the above:
 #verify = 3