[Pkg-openldap-devel] r631 - in openldap/trunk-2.1: debian include
libraries/libldap
Steve Langasek
vorlon at costa.debian.org
Thu Mar 2 11:46:28 UTC 2006
Author: vorlon
Date: 2006-03-02 11:46:27 +0000 (Thu, 02 Mar 2006)
New Revision: 631
Modified:
openldap/trunk-2.1/debian/changelog
openldap/trunk-2.1/debian/control
openldap/trunk-2.1/include/ldap_pvt_gnutls.h
openldap/trunk-2.1/libraries/libldap/gnutls.c
openldap/trunk-2.1/libraries/libldap/tls.c
Log:
Build against libgnutls12. Update the gnutls patch accordingly; no
compatibility for libgnutls11 is provided, the APIs have changed
enough that a baseline of gnutls 1.2 is now assumed.
Also fix several minor bugs in the gnutls patch that manifested as
compiler warnings.
Modified: openldap/trunk-2.1/debian/changelog
===================================================================
--- openldap/trunk-2.1/debian/changelog 2006-02-26 23:14:40 UTC (rev 630)
+++ openldap/trunk-2.1/debian/changelog 2006-03-02 11:46:27 UTC (rev 631)
@@ -1,3 +1,13 @@
+openldap2 (2.1.30-13) UNRELEASED; urgency=low
+
+ * Build against libgnutls12. Update the gnutls patch accordingly; no
+ compatibility for libgnutls11 is provided, the APIs have changed
+ enough that a baseline of gnutls 1.2 is now assumed.
+ * Fix several minor bugs in the gnutls patch that manifested as
+ compiler warnings
+
+ -- Steve Langasek <vorlon at debian.org> Tue, 28 Feb 2006 00:44:46 -0800
+
openldap2 (2.1.30-12) unstable; urgency=low
* [l10n] Vietnamese translations by Clytie Siddall (closes: #316603).
Modified: openldap/trunk-2.1/debian/control
===================================================================
--- openldap/trunk-2.1/debian/control 2006-02-26 23:14:40 UTC (rev 630)
+++ openldap/trunk-2.1/debian/control 2006-03-02 11:46:27 UTC (rev 631)
@@ -3,7 +3,7 @@
Priority: optional
Maintainer: Torsten Landschoff <torsten at debian.org>
Uploaders: Roland Bauerschmidt <rb at debian.org>, Stephen Frost <sfrost at debian.org>, Steve Langasek <vorlon at debian.org>
-Build-Depends: libdb4.2-dev, libwrap0-dev, libiodbc2-dev, libsasl2-dev (>= 2.1.3-1), dpkg-dev (>= 1.7.1), libncurses5-dev, autoconf2.13, debconf-utils, libgnutls11-dev, libgcrypt11-dev, debhelper (>= 4.1.16), libltdl3-dev (>= 1.4.3), libslp-dev, po-debconf
+Build-Depends: libdb4.2-dev, libwrap0-dev, libiodbc2-dev, libsasl2-dev (>= 2.1.3-1), dpkg-dev (>= 1.7.1), libncurses5-dev, autoconf2.13, debconf-utils, libgnutls-dev, libgcrypt11-dev, debhelper (>= 4.1.16), libltdl3-dev (>= 1.4.3), libslp-dev, po-debconf
Build-Conflicts: libbind-dev, bind-dev
Standards-Version: 3.6.1
Modified: openldap/trunk-2.1/include/ldap_pvt_gnutls.h
===================================================================
--- openldap/trunk-2.1/include/ldap_pvt_gnutls.h 2006-02-26 23:14:40 UTC (rev 630)
+++ openldap/trunk-2.1/include/ldap_pvt_gnutls.h 2006-03-02 11:46:27 UTC (rev 631)
@@ -86,8 +86,8 @@
typedef to the GNUTLS equivalent. */
#define STACK_OF(x) x##_st
-typedef struct DSTRUCT X509_NAME_st;
-typedef gnutls_x509_dn X509_NAME;
+typedef struct gnutls_certificate_credentials_st X509_NAME_st;
+typedef char X509_NAME;
typedef gnutls_datum X509;
typedef struct bio_decl BIO;
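Review bot: `typedef char X509_NAME;` silently turns every `X509_NAME *` in the shim into a plain NUL-terminated DN string, and `typedef struct gnutls_certificate_credentials_st X509_NAME_st;` makes `STACK_OF(X509_NAME)` (which the macro above expands to `X509_NAME_st`) stand in for a credentials object, presumably so `SSL_CTX_set_client_CA_list` can take a CA list; neither is apparent from the typedef lines. Suggest `/* Under GnuTLS an X509_NAME is a malloc()ed, NUL-terminated DN string; see X509_get_subject_name() */` on the `typedef char` line and `/* STACK_OF(X509_NAME) expands to X509_NAME_st, which maps a CA list onto the credentials object */` on the one above it. Any code that still does `sizeof(*dn)` or dereferences DN fields will now compile to something different, so a grep for the old `gnutls_x509_dn` members is worth doing.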
@@ -123,7 +123,7 @@
} SSL_METHOD;
typedef struct SSL_CTX {
- gnutls_certificate_credentials creds;
+ gnutls_certificate_credentials_t creds;
SSL_METHOD *method;
int verify_mode;
int (*verify_callback)(int, X509_STORE_CTX *);
@@ -212,10 +212,10 @@
int SSL_CTX_load_verify_locations( SSL_CTX *ctx, const char *CAfile,
const char *CApath );
int SSL_CTX_set_default_verify_paths( SSL_CTX *ctx );
-int SSL_CTX_set_session_id_context( SSL_CTX *ctx, const unsigned char *sid_ctx,
+int SSL_CTX_set_session_id_context( SSL_CTX *ctx, const char *sid_ctx,
unsigned int sid_ctx_len );
void SSL_CTX_set_client_CA_list( SSL_CTX *ctx,
- gnutls_certificate_credentials calist );
+ gnutls_certificate_credentials_t calist );
void SSL_CTX_set_verify( SSL_CTX *ctx, int mode,
int (*verify_callback)(int, X509_STORE_CTX *) );
Modified: openldap/trunk-2.1/libraries/libldap/gnutls.c
===================================================================
--- openldap/trunk-2.1/libraries/libldap/gnutls.c 2006-02-26 23:14:40 UTC (rev 630)
+++ openldap/trunk-2.1/libraries/libldap/gnutls.c 2006-03-02 11:46:27 UTC (rev 631)
@@ -39,6 +39,7 @@
#ifdef HAVE_GNUTLS_GNUTLS_H
#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
#include <gcrypt.h>
#include "ldap_pvt_gnutls.h"
@@ -122,38 +123,80 @@
X509_NAME *
X509_get_subject_name( const X509 *x )
{
+ gnutls_x509_crt_t cert;
X509_NAME *dn = NULL;
+ size_t bufsize = 0;
if (!x)
return NULL;
- if (!(dn = malloc(sizeof(*dn))))
+ if (gnutls_x509_crt_init(&cert))
return NULL;
- if (gnutls_x509_extract_certificate_dn( x, dn )) {
+ if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER )) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ gnutls_x509_crt_get_dn( cert, NULL, &bufsize );
+
+ if (bufsize <= 0) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ if (!(dn = malloc(bufsize))) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ if (gnutls_x509_crt_get_dn( cert, dn, &bufsize )) {
free(dn);
+ gnutls_x509_crt_deinit(cert);
return NULL;
}
+ gnutls_x509_crt_deinit(cert);
return dn;
}
X509_NAME *
X509_get_issuer_name( const X509 *x )
{
+ gnutls_x509_crt_t cert;
X509_NAME *dn = NULL;
+ size_t bufsize = 0;
if (!x)
return NULL;
- if (!(dn = malloc(sizeof(*dn))))
+ if (gnutls_x509_crt_init(&cert))
return NULL;
- if (gnutls_x509_extract_certificate_issuer_dn( x, dn )) {
+ if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER )) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ gnutls_x509_crt_get_issuer_dn( cert, NULL, &bufsize );
+
+ if (bufsize <= 0) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ if (!(dn = malloc(bufsize))) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ if (gnutls_x509_crt_get_issuer_dn( cert, dn, &bufsize )) {
free(dn);
+ gnutls_x509_crt_deinit(cert);
return NULL;
}
+ gnutls_x509_crt_deinit(cert);
return dn;
}
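Review bot: The sizing call `gnutls_x509_crt_get_dn( cert, NULL, &bufsize )` discards its return value and the only guard afterwards is `bufsize <= 0`, which on a `size_t` is just `== 0`; if the call fails with anything other than the short-buffer result, `bufsize` is whatever the library left there, and the same holds for the issuer variant below. The two functions are otherwise line-for-line identical with five cleanup exits each, so one static helper taking the DN accessor as a function pointer and unwinding through a single `out:` label removes the duplication and makes the release of `cert` obvious. The rewrite below keeps both public signatures; the result is a malloc()ed NUL-terminated string the caller frees, which is worth stating in a header comment now that `X509_NAME` is `char`.
```c
/* Decode the DER certificate in x and return its subject or issuer DN
 * (selected by `get`) as a freshly malloc()ed, NUL-terminated string.
 * Returns NULL on any failure; the caller frees the result. */
static X509_NAME *
x509_dn_string( const X509 *x,
	int (*get)(gnutls_x509_crt_t, char *, size_t *) )
{
	gnutls_x509_crt_t cert;
	X509_NAME *dn = NULL;
	size_t bufsize = 0;
	int rc;

	if (!x)
		return NULL;
	if (gnutls_x509_crt_init(&cert))
		return NULL;
	if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER ))
		goto out;

	/* Sizing call: only "buffer too short" (or success) with a
	 * non-zero size means there is a DN to fetch. */
	rc = get( cert, NULL, &bufsize );
	if ((rc < 0 && rc != GNUTLS_E_SHORT_MEMORY_BUFFER) || bufsize == 0)
		goto out;

	if (!(dn = malloc(bufsize)))
		goto out;

	if (get( cert, dn, &bufsize )) {
		free(dn);
		dn = NULL;
	}
out:
	gnutls_x509_crt_deinit(cert);
	return dn;
}

X509_NAME *
X509_get_subject_name( const X509 *x )
{
	return x509_dn_string( x, gnutls_x509_crt_get_dn );
}

X509_NAME *
X509_get_issuer_name( const X509 *x )
{
	return x509_dn_string( x, gnutls_x509_crt_get_issuer_dn );
}
```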
@@ -164,23 +207,13 @@
return NULL;
if (!buf) {
- buflen = strlen(dn->country)
- + strlen(dn->state_or_province_name)
- + strlen(dn->locality_name)
- + strlen(dn->organization)
- + strlen(dn->organizational_unit_name)
- + strlen(dn->common_name) + strlen(dn->email)
- + 33;
+ buflen = strlen(dn) + 1;
buf = (char *)malloc(buflen);
}
if (!buf)
return NULL;
- snprintf(buf, buflen, "C=%s, ST=%s, L=%s, O=%s, OU=%s, CN=%s/Email=%s",
- dn->country, dn->state_or_province_name, dn->locality_name,
- dn->organization, dn->organizational_unit_name,
- dn->common_name, dn->email);
- buf[buflen-1] = '\0';
+ strncpy(buf, dn, buflen);
return buf;
}
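Review bot: `strncpy(buf, dn, buflen)` leaves `buf` without a terminator whenever the caller supplies its own buffer and `dn` is `buflen` bytes or longer, and the `buf[buflen-1] = '\0'` that the removed `snprintf` path relied on has gone with it; in the allocating path `buflen` is `strlen(dn) + 1`, so only the caller-supplied case is exposed. `snprintf(buf, buflen, "%s", dn);` terminates in both cases and also tolerates `buflen == 0`, which the old `buf[buflen-1]` write did not. The `(char *)` cast on `malloc` is unnecessary in C. The function's signature is outside the hunk.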
@@ -323,7 +356,7 @@
}
int
-SSL_CTX_set_session_id_context( SSL_CTX *ctx, const unsigned char *sid_ctx,
+SSL_CTX_set_session_id_context( SSL_CTX *ctx, const char *sid_ctx,
unsigned int sid_ctx_len )
{
return 1;
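Review bot: The stub takes `sid_ctx` and `sid_ctx_len` and returns 1 (OpenSSL's success value) without using either, so callers see success while no session-id context is applied under GnuTLS; a comment `/* No-op under GnuTLS: there is no session-id context to set; report success as OpenSSL would. */` above the definition would make that visible. The prototype now takes `const char *` whereas OpenSSL's `SSL_CTX_set_session_id_context` declares `const unsigned char *`, presumably to match a `char *` argument at the call site in tls.c; that divergence from the API being emulated deserves a one-line comment on the declaration in ldap_pvt_gnutls.h as well. The function's closing brace is outside the hunk.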
@@ -331,7 +364,7 @@
void
SSL_CTX_set_client_CA_list( SSL_CTX *ctx,
- gnutls_certificate_credentials calist )
+ gnutls_certificate_credentials_t calist )
{
if (!ctx)
return;
@@ -367,7 +400,7 @@
static const char cache_name[] = "/var/run/slapd/params_cache_rsa";
gnutls_rsa_params rsa_params = NULL;
int cache_fd;
- int bits = RSA_BITS;
+ unsigned int bits = RSA_BITS;
gnutls_datum m, e, d, p, q, u;
int read_ok = 0;
@@ -418,11 +451,11 @@
/* Not able to read from the file so we generate new parameters */
gnutls_error = gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
- if (gnutls_error < 0) return gnutls_error;
+ if (gnutls_error < 0) return NULL;
/* gnutls_rsa_params_export_raw will allocate the memory for the params */
gnutls_error = gnutls_rsa_params_export_raw(rsa_params, &m, &e, &d, &p, &q, &u, &bits);
- if (gnutls_error < 0) return gnutls_error;
+ if (gnutls_error < 0) return NULL;
sprintf(temp_cache_name, "%s-%d", cache_name, (int) getpid());
/* Ignore errors... Not everybody has /var/run/slapd/ world writeable... */
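Review bot: The two `return NULL` exits fixed here (and the matching pair in the DH hunk ending at the second "Ignore errors" comment) leave without releasing `rsa_params`, which presumably was initialised earlier in the function (outside this hunk) since `gnutls_rsa_params_generate2` is called on it, so each failure leaks it; `if (gnutls_error < 0) { gnutls_rsa_params_deinit(rsa_params); return NULL; }` here and `gnutls_dh_params_deinit(dh_params)` in the DH hunk. The `sprintf` into `temp_cache_name` on the following line relies on `sizeof(cache_name) + 10` covering a `-` plus the decimal pid; `snprintf(temp_cache_name, sizeof temp_cache_name, "%s-%d", cache_name, (int) getpid())` makes the bound explicit. Note also that `d`, `p` and `q` exported by `gnutls_rsa_params_export_raw` are private-key material, so the cache write that follows (outside this hunk) should create the file with an owner-only mode rather than rely on a world-writable `/var/run/slapd/`, as the comment implies.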
@@ -461,7 +494,8 @@
{
static const char cache_name[] = "/var/run/slapd/params_cache_dh";
gnutls_dh_params dh_params = NULL;
- int cache_fd, bits = DH_BITS;
+ int cache_fd;
+ unsigned int bits = DH_BITS;
gnutls_datum prime, generator;
int read_ok = 0;
@@ -501,10 +535,10 @@
char temp_cache_name[sizeof(cache_name) + 10];
gnutls_error = gnutls_dh_params_generate2(dh_params, DH_BITS);
- if (gnutls_error < 0) return gnutls_error;
+ if (gnutls_error < 0) return NULL;
gnutls_error = gnutls_dh_params_export_raw(dh_params, &prime, &generator, &bits);
- if (gnutls_error < 0) return gnutls_error;
+ if (gnutls_error < 0) return NULL;
sprintf(temp_cache_name, "%s-%d", cache_name, (int) getpid());
/* Ignore errors... Not everybody has /var/run/slapd/ world writeable... */
@@ -616,7 +650,7 @@
static int
SSL_do_handshake( SSL *ssl, gnutls_connection_end end )
{
- int cert_list_length;
+ unsigned int cert_list_length;
int ret;
const gnutls_datum *cert_list;
X509_STORE_CTX *x509_store;
@@ -812,7 +846,7 @@
X509 *
SSL_get_peer_certificate( SSL *ssl )
{
- int list_size = 0;
+ unsigned int list_size = 0;
if (!ssl) {
gnutls_error = GNUTLS_E_INVALID_SESSION;
Modified: openldap/trunk-2.1/libraries/libldap/tls.c
===================================================================
--- openldap/trunk-2.1/libraries/libldap/tls.c 2006-02-26 23:14:40 UTC (rev 630)
+++ openldap/trunk-2.1/libraries/libldap/tls.c 2006-03-02 11:46:27 UTC (rev 631)
@@ -34,6 +34,7 @@
#ifdef HAVE_GNUTLS_GNUTLS_H
#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
#include "ldap_pvt_gnutls.h"
#elif defined(HAVE_OPENSSL_SSL_H)
#include <openssl/ssl.h>
@@ -1057,25 +1058,40 @@
ldap_pvt_tls_get_peer_hostname( void *s )
{
X509 *x;
+ char buf[2048], *p;
#ifdef HAVE_GNUTLS_GNUTLS_H
- X509_NAME xn;
+ gnutls_x509_crt_t cert;
+ size_t bufsize = sizeof(buf);
#else
X509_NAME *xn;
+ int ret;
#endif
- char buf[2048], *p;
- int ret;
x = tls_get_cert((SSL *)s);
if (!x) return NULL;
#ifdef HAVE_GNUTLS_GNUTLS_H
- if (gnutls_x509_extract_certificate_dn( x, &xn ))
+ if (gnutls_x509_crt_init(&cert)) {
+ X509_free(x);
+ return NULL;
+ }
+
+ if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER ))
{
X509_free(x);
+ gnutls_x509_crt_deinit(cert);
return NULL;
}
- p = LDAP_STRDUP(xn.common_name);
+ if (gnutls_x509_crt_get_dn_by_oid( cert, GNUTLS_OID_X520_COMMON_NAME,
+ 0, 0, buf, &bufsize ))
+ {
+ X509_free(x);
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ gnutls_x509_crt_deinit(cert);
#else
xn = X509_get_subject_name(x);
@@ -1085,8 +1101,8 @@
return NULL;
}
+#endif
p = LDAP_STRDUP(buf);
-#endif
X509_free(x);
return p;
}
@@ -1107,6 +1123,7 @@
int ntype = IS_DNS;
#ifdef HAVE_GNUTLS_GNUTLS_H
int tlsret, alttype;
+ gnutls_x509_crt_t cert;
#endif
#ifdef LDAP_PF_INET6
struct in6_addr addr;
@@ -1156,6 +1173,18 @@
#ifdef HAVE_GNUTLS_GNUTLS_H
name_len = strlen(name);
+ if (gnutls_x509_crt_init(&cert)) {
+ X509_free(x);
+ return ret;
+ }
+
+ if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER ))
+ {
+ X509_free(x);
+ gnutls_x509_crt_deinit(cert);
+ return ret;
+ }
+
/* XXX: we /could/ use gnutls_x509_check_certificates_hostname()
here, but it only checks hostnames -- not IPs. */
if (ntype == IS_DNS)
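Review bot: The two early `return ret` exits added before the hostname checks return whatever `ret` holds at this point, which is set outside the hunk; it must be a failure code rather than `LDAP_SUCCESS`, since the certificate has not been examined at all — worth confirming against the initialiser. `cert` is only initialised on this path, while the `gnutls_x509_crt_deinit(cert)` added at the end of the function is unconditional under GnuTLS, so every path that reaches the end must pass through this block; a comment `/* cert is released at the end of the function; every later exit must reach it */` would keep that invariant visible. The function begins outside the hunk.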
@@ -1171,8 +1200,8 @@
/* FIXME: do we care about GNUTLS_E_SHORT_MEMORY_BUFFER errors? */
do {
char buffer[512];
- int sl = sizeof(buffer);
- tlsret = gnutls_x509_extract_certificate_subject_alt_name(x, i++, buffer, &sl);
+ size_t sl = sizeof(buffer);
+ tlsret = gnutls_x509_crt_get_subject_alt_name(cert, i++, buffer, &sl, NULL);
if (tlsret != alttype || sl <= 0)
continue;
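Review bot: `sl <= 0` on the now-`size_t` `sl` reduces to `sl == 0` and draws a signed/unsigned warning from the very compilers this commit aims to quieten; write `sl == 0`. More importantly, `gnutls_x509_crt_get_subject_alt_name` reports the value's length in `sl` rather than returning a C string, so the comparison against `name` that follows (outside the hunk) should bound itself with `sl`, e.g. `name_len == sl && memcmp(buffer, name, sl) == 0`, rather than treat `buffer` as NUL-terminated, so that a dNSName carrying an embedded NUL cannot match on its prefix. The FIXME above still stands: a value longer than the 512-byte `buffer` yields a negative `tlsret` and is skipped by the `continue`, which is the safe direction but silent.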
@@ -1307,14 +1336,17 @@
#endif /* HAVE_GNUTLS_GNUTLS_H */
if (ret != LDAP_SUCCESS) {
- X509_NAME *xn;
char buf[2048];
+#ifdef HAVE_GNUTLS_GNUTLS_H
+ size_t bufsize = sizeof(buf);
+ if (gnutls_x509_crt_get_dn_by_oid( cert, GNUTLS_OID_X520_COMMON_NAME,
+ 0, 0, buf, &bufsize ))
+#else
+ X509_NAME *xn;
+
xn = X509_get_subject_name(x);
-#ifdef HAVE_GNUTLS_GNUTLS_H
- buf[sizeof(buf)-1] = '\0';
- if (!xn || !strncpy(buf, xn->common_name, sizeof(buf)-1))
-#else
+
if( X509_NAME_get_text_by_NID( xn, NID_commonName,
buf, sizeof(buf)) == -1)
#endif
@@ -1347,6 +1379,10 @@
ret = LDAP_SUCCESS;
}
}
+
+#ifdef HAVE_GNUTLS_GNUTLS_H
+ gnutls_x509_crt_deinit(cert);
+#endif
X509_free(x);
return ret;
}