Adding upstream version 3.2.7.upstream/3.2.7

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 198 insertions, 0 deletions

diff --git a/rsync-ssl b/rsync-ssl
new file mode 100755
index 0000000..56ee7df
--- /dev/null
+++ b/rsync-ssl
@@ -0,0 +1,198 @@
+#!/usr/bin/env bash
+
+# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection.
+
+# By default this script takes rsync args and hands them off to the actual
+# rsync command with an --rsh option that makes it open an SSL connection to an
+# rsync daemon.  See the rsync-ssl manpage for usage details and env variables.
+
+# When the first arg is --HELPER, we are being used by rsync as an --rsh helper
+# script, and the args are (note the trailing dot):
+#
+#    rsync-ssl --HELPER HOSTNAME rsync --server --daemon .
+#
+# --HELPER is not a user-facing option, so it is not documented in the manpage.
+
+# The first SSL setup was based on:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that an stunnel connection requires at least version 4.x of stunnel.
+
+function rsync_ssl_run {
+    case "$*" in
+    *rsync://*) ;;
+    *::*) ;;
+    *)
+	echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
+	exit 1
+	;;
+    esac
+
+    exec rsync --rsh="$0 --HELPER" "${@}"
+}
+
+function rsync_ssl_helper {
+    if [[ -z "$RSYNC_SSL_TYPE" ]]; then
+	found=`path_search openssl stunnel4 stunnel` || exit 1
+	if [[ "$found" == */openssl ]]; then
+	    RSYNC_SSL_TYPE=openssl
+	    RSYNC_SSL_OPENSSL="$found"
+	elif [[ "$found" == */gnutls-cli ]]; then
+	    RSYNC_SSL_TYPE=gnutls
+	    RSYNC_SSL_GNUTLS="$found"
+	else
+	    RSYNC_SSL_TYPE=stunnel
+	    RSYNC_SSL_STUNNEL="$found"
+	fi
+    fi
+
+    case "$RSYNC_SSL_TYPE" in
+	openssl)
+	    if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
+		RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1
+	    fi
+	    optsep=' '
+	    ;;
+	gnutls)
+	    if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then
+		RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1
+	    fi
+	    optsep=' '
+	    ;;
+	stunnel)
+	    if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+		RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
+	    fi
+	    optsep=' = '
+	    ;;
+	*)
+	    echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
+	    exit 1
+	    ;;
+    esac
+
+    if [[ -z "$RSYNC_SSL_CERT" ]]; then
+	certopt=""
+	gnutls_cert_opt=""
+    else
+	certopt="-cert$optsep$RSYNC_SSL_CERT"
+	gnutls_cert_opt="--x509certfile=$RSYNC_SSL_CERT"
+    fi
+
+    if [[ -z "$RSYNC_SSL_KEY" ]]; then
+	keyopt=""
+	gnutls_key_opt=""
+    else
+	keyopt="-key$optsep$RSYNC_SSL_KEY"
+	gnutls_key_opt="--x509keyfile=$RSYNC_SSL_KEY"
+    fi
+
+    if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
+	# RSYNC_SSL_CA_CERT unset - default CA set AND verify:
+	# openssl:
+	caopt="-verify_return_error -verify 4"
+	# gnutls:
+	gnutls_opts=""
+	# stunnel:
+	# Since there is no way of using the default CA certificate collection,
+	# we cannot do any verification. Thus, stunnel should really only be
+	# used if nothing else is available.
+	cafile=""
+	verify=""
+    elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
+	# RSYNC_SSL_CA_CERT set but empty -do NO verifications:
+	# openssl:
+	caopt="-verify 1"
+	# gnutls:
+	gnutls_opts="--insecure"
+	# stunnel:
+	cafile=""
+	verify="verifyChain = no"
+    else
+	# RSYNC_SSL_CA_CERT set - use CA AND verify:
+	# openssl:
+	caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+	# gnutls:
+	gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT"
+	# stunnel:
+	cafile="CAfile = $RSYNC_SSL_CA_CERT"
+	verify="verifyChain = yes"
+    fi
+
+    port="${RSYNC_PORT:-0}"
+    if [[ "$port" == 0 ]]; then
+	port="${RSYNC_SSL_PORT:-874}"
+    fi
+
+    # If the user specified USER@HOSTNAME::module, then rsync passes us
+    # the -l USER option too, so we must be prepared to ignore it.
+    if [[ "$1" == "-l" ]]; then
+	shift 2
+    fi
+
+    hostname="$1"
+    shift
+
+    if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
+	echo "Usage: rsync-ssl --HELPER HOSTNAME rsync --server --daemon ." 1>&2
+	exit 1
+    fi
+
+    if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt $keyopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+    elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+	exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_key_opt $gnutls_opts $hostname:$port
+    else
+	# devzero@web.de came up with this no-tmpfile calling syntax:
+	exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+$verify
+$certopt
+$cafile
+EOF
+    fi
+}
+
+function path_search {
+    IFS_SAVE="$IFS"
+    IFS=:
+    for prog in "${@}"; do
+	for dir in $PATH; do
+	    [[ -z "$dir" ]] && dir=.
+	    if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
+		echo "$dir/$prog"
+		IFS="$IFS_SAVE"
+		return 0
+	    fi
+	done
+    done
+
+    IFS="$IFS_SAVE"
+    echo "Failed to find on your path: $*" 1>&2
+    echo "See the rsync-ssl manpage for configuration assistance." 1>&2
+    return 1
+}
+
+if [[ "$#" == 0 ]]; then
+    echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2
+    echo "The SSL_TYPE can be openssl or stunnel"
+    exit 1
+fi
+
+if [[ "$1" = --help || "$1" = -h ]]; then
+    exec rsync --help
+fi
+
+if [[ "$1" == --HELPER ]]; then
+    shift
+    rsync_ssl_helper "${@}"
+fi
+
+if [[ "$1" == --type=* ]]; then
+    export RSYNC_SSL_TYPE="${1/--type=/}"
+    shift
+fi
+
+rsync_ssl_run "${@}"