x86-64 AVX2 assemby implemenation of get_checksum1() (#174)

[rsync.git] / rsync-ssl

#!/usr/bin/env bash

# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection.

# By default this script takes rsync args and hands them off to the actual
# rsync command with an --rsh option that makes it open an SSL connection to an
# rsync daemon.  See the rsync-ssl manpage for usage details and env variables.

# When the first arg is --HELPER, we are being used by rsync as an --rsh helper
# script, and the args are (note the trailing dot):
#
#    rsync-ssl --HELPER HOSTNAME rsync --server --daemon .
#
# --HELPER is not a user-facing option, so it is not documented in the manpage.

# The first SSL setup was based on:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
# Note that an stunnel connection requires at least version 4.x of stunnel.

function rsync_ssl_run {
    case "$*" in
    *rsync://*) ;;
    *::*) ;;
    *)
        echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
        exit 1
        ;;
    esac

    exec rsync --rsh="$0 --HELPER" "${@}"
}

function rsync_ssl_helper {
    if [[ -z "$RSYNC_SSL_TYPE" ]]; then
        found=`path_search openssl stunnel4 stunnel` || exit 1
        if [[ "$found" == */openssl ]]; then
            RSYNC_SSL_TYPE=openssl
            RSYNC_SSL_OPENSSL="$found"
        elif [[ "$found" == */gnutls-cli ]]; then
            RSYNC_SSL_TYPE=gnutls
            RSYNC_SSL_GNUTLS="$found"
        else
            RSYNC_SSL_TYPE=stunnel
            RSYNC_SSL_STUNNEL="$found"
        fi
    fi

    case "$RSYNC_SSL_TYPE" in
        openssl)
            if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
                RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1
            fi
            optsep=' '
            ;;
        gnutls)
            if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then
                RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1
            fi
            optsep=' '
            ;;
        stunnel)
            if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
                RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
            fi
            optsep=' = '
            ;;
        *)
            echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
            exit 1
            ;;
    esac

    if [[ -z "$RSYNC_SSL_CERT" ]]; then
        certopt=""
        gnutls_cert_opt=""
    else
        certopt="-cert$optsep$RSYNC_SSL_CERT"
        gnutls_cert_opt="--x509certfile=$RSYNC_SSL_CERT"
    fi

    if [[ -z "$RSYNC_SSL_KEY" ]]; then
        keyopt=""
        gnutls_key_opt=""
    else
        keyopt="-key$optsep$RSYNC_SSL_KEY"
        gnutls_key_opt="--x509keyfile=$RSYNC_SSL_KEY"
    fi

    if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
        # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
        # openssl:
        caopt="-verify_return_error -verify 4"
        # gnutls:
        gnutls_opts=""
        # stunnel:
        # Since there is no way of using the default CA certificate collection,
        # we cannot do any verification. Thus, stunnel should really only be
        # used if nothing else is available.
        cafile=""
        verify=""
    elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
        # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
        # openssl:
        caopt="-verify 1"
        # gnutls:
        gnutls_opts="--insecure"
        # stunnel:
        cafile=""
        verify="verifyChain = no"
    else
        # RSYNC_SSL_CA_CERT set - use CA AND verify:
        # openssl:
        caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
        # gnutls:
        gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT"
        # stunnel:
        cafile="CAfile = $RSYNC_SSL_CA_CERT"
        verify="verifyChain = yes"
    fi

    port="${RSYNC_PORT:-0}"
    if [[ "$port" == 0 ]]; then
        port="${RSYNC_SSL_PORT:-874}"
    fi

    # If the user specified USER@HOSTNAME::module, then rsync passes us
    # the -l USER option too, so we must be prepared to ignore it.
    if [[ "$1" == "-l" ]]; then
        shift 2
    fi

    hostname="$1"
    shift

    if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
        echo "Usage: rsync-ssl --HELPER HOSTNAME rsync --server --daemon ." 1>&2
        exit 1
    fi

    if [[ $RSYNC_SSL_TYPE == openssl ]]; then
        exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt $keyopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
    elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
        exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_key_opt $gnutls_opts $hostname:$port
    else
        # devzero@web.de came up with this no-tmpfile calling syntax:
        exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
foreground = yes
debug = crit
connect = $hostname:$port
client = yes
TIMEOUTclose = 0
$verify
$certopt
$cafile
EOF
    fi
}

function path_search {
    IFS_SAVE="$IFS"
    IFS=:
    for prog in "${@}"; do
        for dir in $PATH; do
            [[ -z "$dir" ]] && dir=.
            if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
                echo "$dir/$prog"
                IFS="$IFS_SAVE"
                return 0
            fi
        done
    done

    IFS="$IFS_SAVE"
    echo "Failed to find on your path: $*" 1>&2
    echo "See the rsync-ssl manpage for configuration assistance." 1>&2
    return 1
}

if [[ "$#" == 0 ]]; then
    echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2
    echo "The SSL_TYPE can be openssl or stunnel"
    exit 1
fi

if [[ "$1" = --help || "$1" = -h ]]; then
    exec rsync --help
fi

if [[ "$1" == --HELPER ]]; then
    shift
    rsync_ssl_helper "${@}"
fi

if [[ "$1" == --type=* ]]; then
    export RSYNC_SSL_TYPE="${1/--type=/}"
    shift
fi

rsync_ssl_run "${@}"