Add safety check for local --remove-source-files.

[rsync.git] / rsync-ssl

diff --git a/rsync-ssl b/rsync-ssl
index f520d5ddc03df96f0a6deb0e6bbaf8a0f9185835..56ee7dfe0129b8bbffd7f77f3561d4667a34d723 100755 (executable)
--- a/rsync-ssl
+++ b/rsync-ssl
@@ -1,6 +1,6 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
-# This script supports using openssl or stunnel to secure an rsync daemon connection.
+# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection.
 
 # By default this script takes rsync args and hands them off to the actual
 # rsync command with an --rsh option that makes it open an SSL connection to an
@@ -35,6 +35,9 @@ function rsync_ssl_helper {
        if [[ "$found" == */openssl ]]; then
            RSYNC_SSL_TYPE=openssl
            RSYNC_SSL_OPENSSL="$found"
+       elif [[ "$found" == */gnutls-cli ]]; then
+           RSYNC_SSL_TYPE=gnutls
+           RSYNC_SSL_GNUTLS="$found"
        else
            RSYNC_SSL_TYPE=stunnel
            RSYNC_SSL_STUNNEL="$found"
@@ -48,6 +51,12 @@ function rsync_ssl_helper {
            fi
            optsep=' '
            ;;
+       gnutls)
+           if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then
+               RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1
+           fi
+           optsep=' '
+           ;;
        stunnel)
            if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
                RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
@@ -62,14 +71,26 @@ function rsync_ssl_helper {
 
     if [[ -z "$RSYNC_SSL_CERT" ]]; then
        certopt=""
+       gnutls_cert_opt=""
+    else
+       certopt="-cert$optsep$RSYNC_SSL_CERT"
+       gnutls_cert_opt="--x509certfile=$RSYNC_SSL_CERT"
+    fi
+
+    if [[ -z "$RSYNC_SSL_KEY" ]]; then
+       keyopt=""
+       gnutls_key_opt=""
     else
-       certopt="cert$optsep$RSYNC_SSL_CERT"
+       keyopt="-key$optsep$RSYNC_SSL_KEY"
+       gnutls_key_opt="--x509keyfile=$RSYNC_SSL_KEY"
     fi
 
     if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
        # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
        # openssl:
        caopt="-verify_return_error -verify 4"
+       # gnutls:
+       gnutls_opts=""
        # stunnel:
        # Since there is no way of using the default CA certificate collection,
        # we cannot do any verification. Thus, stunnel should really only be
@@ -80,6 +101,8 @@ function rsync_ssl_helper {
        # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
        # openssl:
        caopt="-verify 1"
+       # gnutls:
+       gnutls_opts="--insecure"
        # stunnel:
        cafile=""
        verify="verifyChain = no"
@@ -87,6 +110,8 @@ function rsync_ssl_helper {
        # RSYNC_SSL_CA_CERT set - use CA AND verify:
        # openssl:
        caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+       # gnutls:
+       gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT"
        # stunnel:
        cafile="CAfile = $RSYNC_SSL_CA_CERT"
        verify="verifyChain = yes"
@@ -112,7 +137,9 @@ function rsync_ssl_helper {
     fi
 
     if [[ $RSYNC_SSL_TYPE == openssl ]]; then
-       exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+       exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt $keyopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+    elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+       exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_key_opt $gnutls_opts $hostname:$port
     else
        # devzero@web.de came up with this no-tmpfile calling syntax:
        exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-