[Pkg-openldap-devel] [openldap] 01/05: Build against libgnutls12. Update the gnutls patch accordingly; no compatibility for libgnutls11 is provided, the APIs have changed enough that a baseline of gnutls 1.2 is now assumed.
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Thu Oct 10 05:33:57 UTC 2013
tjaalton-guest pushed a commit to annotated tag 2.1.30-13
in repository openldap.
commit 129f127e9a834c6f4bfd5526128a1cbe0bf1f0c3
Author: Steve Langasek <vorlon at debian.org>
Date: Thu Mar 2 11:46:27 2006 +0000
Build against libgnutls12. Update the gnutls patch accordingly; no
compatibility for libgnutls11 is provided, the APIs have changed
enough that a baseline of gnutls 1.2 is now assumed.
Also fix several minor bugs in the gnutls patch that manifested as
compiler warnings.
---
debian/changelog | 10 ++++++
debian/control | 2 +-
include/ldap_pvt_gnutls.h | 10 +++---
libraries/libldap/gnutls.c | 86 ++++++++++++++++++++++++++++++--------------
libraries/libldap/tls.c | 62 +++++++++++++++++++++++++-------
5 files changed, 125 insertions(+), 45 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index cff61e6..eeaf556 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+openldap2 (2.1.30-13) UNRELEASED; urgency=low
+
+ * Build against libgnutls12. Update the gnutls patch accordingly; no
+ compatibility for libgnutls11 is provided, the APIs have changed
+ enough that a baseline of gnutls 1.2 is now assumed.
+ * Fix several minor bugs in the gnutls patch that manifested as
+ compiler warnings
+
+ -- Steve Langasek <vorlon at debian.org> Tue, 28 Feb 2006 00:44:46 -0800
+
openldap2 (2.1.30-12) unstable; urgency=low
* [l10n] Vietnamese translations by Clytie Siddall (closes: #316603).
diff --git a/debian/control b/debian/control
index 191abe3..afcdd6d 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: net
Priority: optional
Maintainer: Torsten Landschoff <torsten at debian.org>
Uploaders: Roland Bauerschmidt <rb at debian.org>, Stephen Frost <sfrost at debian.org>, Steve Langasek <vorlon at debian.org>
-Build-Depends: libdb4.2-dev, libwrap0-dev, libiodbc2-dev, libsasl2-dev (>= 2.1.3-1), dpkg-dev (>= 1.7.1), libncurses5-dev, autoconf2.13, debconf-utils, libgnutls11-dev, libgcrypt11-dev, debhelper (>= 4.1.16), libltdl3-dev (>= 1.4.3), libslp-dev, po-debconf
+Build-Depends: libdb4.2-dev, libwrap0-dev, libiodbc2-dev, libsasl2-dev (>= 2.1.3-1), dpkg-dev (>= 1.7.1), libncurses5-dev, autoconf2.13, debconf-utils, libgnutls-dev, libgcrypt11-dev, debhelper (>= 4.1.16), libltdl3-dev (>= 1.4.3), libslp-dev, po-debconf
Build-Conflicts: libbind-dev, bind-dev
Standards-Version: 3.6.1
diff --git a/include/ldap_pvt_gnutls.h b/include/ldap_pvt_gnutls.h
index 34f3775..1114195 100644
--- a/include/ldap_pvt_gnutls.h
+++ b/include/ldap_pvt_gnutls.h
@@ -86,8 +86,8 @@ typedef struct X509_STORE_CTX {
typedef to the GNUTLS equivalent. */
#define STACK_OF(x) x##_st
-typedef struct DSTRUCT X509_NAME_st;
-typedef gnutls_x509_dn X509_NAME;
+typedef struct gnutls_certificate_credentials_st X509_NAME_st;
+typedef char X509_NAME;
typedef gnutls_datum X509;
typedef struct bio_decl BIO;
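Review bot: `typedef char X509_NAME;` silently changes what every `X509_NAME *` in the compat layer means — it is now a NUL-terminated DN string that X509_get_subject_name()/X509_get_issuer_name() return from malloc() and the caller must free(), no longer a gnutls_x509_dn struct — and the header says nothing about it. Add above the typedef `/* X509_NAME is a malloc()ed DN string in gnutls_x509_crt_get_dn() format; the caller free()s it */`. Mapping `X509_NAME_st` onto `gnutls_certificate_credentials_st` looks intended so that `STACK_OF(X509_NAME) *` resolves to the credentials type that SSL_CTX_set_client_CA_list() now takes, but that also deserves a one-line comment, since the tag name no longer describes the contents.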
@@ -123,7 +123,7 @@ typedef struct
} SSL_METHOD;
typedef struct SSL_CTX {
- gnutls_certificate_credentials creds;
+ gnutls_certificate_credentials_t creds;
SSL_METHOD *method;
int verify_mode;
int (*verify_callback)(int, X509_STORE_CTX *);
@@ -212,10 +212,10 @@ int SSL_CTX_set_cipher_list( SSL_CTX *ctx, char *ciphersuite );
int SSL_CTX_load_verify_locations( SSL_CTX *ctx, const char *CAfile,
const char *CApath );
int SSL_CTX_set_default_verify_paths( SSL_CTX *ctx );
-int SSL_CTX_set_session_id_context( SSL_CTX *ctx, const unsigned char *sid_ctx,
+int SSL_CTX_set_session_id_context( SSL_CTX *ctx, const char *sid_ctx,
unsigned int sid_ctx_len );
void SSL_CTX_set_client_CA_list( SSL_CTX *ctx,
- gnutls_certificate_credentials calist );
+ gnutls_certificate_credentials_t calist );
void SSL_CTX_set_verify( SSL_CTX *ctx, int mode,
int (*verify_callback)(int, X509_STORE_CTX *) );
diff --git a/libraries/libldap/gnutls.c b/libraries/libldap/gnutls.c
index f72901e..52ee182 100644
--- a/libraries/libldap/gnutls.c
+++ b/libraries/libldap/gnutls.c
@@ -39,6 +39,7 @@
#ifdef HAVE_GNUTLS_GNUTLS_H
#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
#include <gcrypt.h>
#include "ldap_pvt_gnutls.h"
@@ -122,38 +123,80 @@ void X509_free(void *ptr) {
X509_NAME *
X509_get_subject_name( const X509 *x )
{
+ gnutls_x509_crt_t cert;
X509_NAME *dn = NULL;
+ size_t bufsize = 0;
if (!x)
return NULL;
- if (!(dn = malloc(sizeof(*dn))))
+ if (gnutls_x509_crt_init(&cert))
return NULL;
- if (gnutls_x509_extract_certificate_dn( x, dn )) {
+ if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER )) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ gnutls_x509_crt_get_dn( cert, NULL, &bufsize );
+
+ if (bufsize <= 0) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ if (!(dn = malloc(bufsize))) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ if (gnutls_x509_crt_get_dn( cert, dn, &bufsize )) {
free(dn);
+ gnutls_x509_crt_deinit(cert);
return NULL;
}
+ gnutls_x509_crt_deinit(cert);
return dn;
}
X509_NAME *
X509_get_issuer_name( const X509 *x )
{
+ gnutls_x509_crt_t cert;
X509_NAME *dn = NULL;
+ size_t bufsize = 0;
if (!x)
return NULL;
- if (!(dn = malloc(sizeof(*dn))))
+ if (gnutls_x509_crt_init(&cert))
return NULL;
- if (gnutls_x509_extract_certificate_issuer_dn( x, dn )) {
+ if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER )) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ gnutls_x509_crt_get_issuer_dn( cert, NULL, &bufsize );
+
+ if (bufsize <= 0) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ if (!(dn = malloc(bufsize))) {
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ if (gnutls_x509_crt_get_issuer_dn( cert, dn, &bufsize )) {
free(dn);
+ gnutls_x509_crt_deinit(cert);
return NULL;
}
+ gnutls_x509_crt_deinit(cert);
return dn;
}
@@ -164,23 +207,13 @@ X509_NAME_oneline( X509_NAME *dn, char *buf, int buflen )
return NULL;
if (!buf) {
- buflen = strlen(dn->country)
- + strlen(dn->state_or_province_name)
- + strlen(dn->locality_name)
- + strlen(dn->organization)
- + strlen(dn->organizational_unit_name)
- + strlen(dn->common_name) + strlen(dn->email)
- + 33;
+ buflen = strlen(dn) + 1;
buf = (char *)malloc(buflen);
}
if (!buf)
return NULL;
- snprintf(buf, buflen, "C=%s, ST=%s, L=%s, O=%s, OU=%s, CN=%s/Email=%s",
- dn->country, dn->state_or_province_name, dn->locality_name,
- dn->organization, dn->organizational_unit_name,
- dn->common_name, dn->email);
- buf[buflen-1] = '\0';
+ strncpy(buf, dn, buflen);
return buf;
}
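Review bot: `strncpy(buf, dn, buflen)` drops the `buf[buflen-1] = '\0'` that the removed code had, so when a caller passes its own `buf` with a `buflen` smaller than `strlen(dn) + 1` the result is not NUL-terminated; the allocating branch is safe only because it sizes `buflen` itself. Use `snprintf(buf, buflen, "%s", dn);`, which always terminates, or restore the explicit terminator after the copy. `buflen = strlen(dn) + 1` also narrows a `size_t` into the `int` parameter, harmless for any real DN but worth a cast and a comment. The function's signature and the NULL check on `dn` sit above the hunk.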
@@ -323,7 +356,7 @@ SSL_CTX_set_default_verify_paths( SSL_CTX *ctx )
}
int
-SSL_CTX_set_session_id_context( SSL_CTX *ctx, const unsigned char *sid_ctx,
+SSL_CTX_set_session_id_context( SSL_CTX *ctx, const char *sid_ctx,
unsigned int sid_ctx_len )
{
return 1;
@@ -331,7 +364,7 @@ SSL_CTX_set_session_id_context( SSL_CTX *ctx, const unsigned char *sid_ctx,
void
SSL_CTX_set_client_CA_list( SSL_CTX *ctx,
- gnutls_certificate_credentials calist )
+ gnutls_certificate_credentials_t calist )
{
if (!ctx)
return;
@@ -367,7 +400,7 @@ tls_gnutls_need_rsa_params(void)
static const char cache_name[] = "/var/run/slapd/params_cache_rsa";
gnutls_rsa_params rsa_params = NULL;
int cache_fd;
- int bits = RSA_BITS;
+ unsigned int bits = RSA_BITS;
gnutls_datum m, e, d, p, q, u;
int read_ok = 0;
@@ -418,11 +451,11 @@ tls_gnutls_need_rsa_params(void)
/* Not able to read from the file so we generate new parameters */
gnutls_error = gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
- if (gnutls_error < 0) return gnutls_error;
+ if (gnutls_error < 0) return NULL;
/* gnutls_rsa_params_export_raw will allocate the memory for the params */
gnutls_error = gnutls_rsa_params_export_raw(rsa_params, &m, &e, &d, &p, &q, &u, &bits);
- if (gnutls_error < 0) return gnutls_error;
+ if (gnutls_error < 0) return NULL;
sprintf(temp_cache_name, "%s-%d", cache_name, (int) getpid());
/* Ignore errors... Not everybody has /var/run/slapd/ world writeable... */
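Review bot: The new `return NULL` exits after gnutls_rsa_params_generate2() and gnutls_rsa_params_export_raw() fix the int-as-pointer return, but they leave `rsa_params` unreleased; if it was initialised with gnutls_rsa_params_init() earlier in the function (above the hunk, so please confirm) every failure here leaks it. Write `if (gnutls_error < 0) { gnutls_rsa_params_deinit(rsa_params); return NULL; }` for both, and the same with gnutls_dh_params_deinit() for the two matching exits in the tls_gnutls_need_dh_params() hunk. tls_gnutls_need_rsa_params() starts and ends outside the hunk.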
@@ -461,7 +494,8 @@ tls_gnutls_need_dh_params(void)
{
static const char cache_name[] = "/var/run/slapd/params_cache_dh";
gnutls_dh_params dh_params = NULL;
- int cache_fd, bits = DH_BITS;
+ int cache_fd;
+ unsigned int bits = DH_BITS;
gnutls_datum prime, generator;
int read_ok = 0;
@@ -501,10 +535,10 @@ tls_gnutls_need_dh_params(void)
char temp_cache_name[sizeof(cache_name) + 10];
gnutls_error = gnutls_dh_params_generate2(dh_params, DH_BITS);
- if (gnutls_error < 0) return gnutls_error;
+ if (gnutls_error < 0) return NULL;
gnutls_error = gnutls_dh_params_export_raw(dh_params, &prime, &generator, &bits);
- if (gnutls_error < 0) return gnutls_error;
+ if (gnutls_error < 0) return NULL;
sprintf(temp_cache_name, "%s-%d", cache_name, (int) getpid());
/* Ignore errors... Not everybody has /var/run/slapd/ world writeable... */
@@ -616,7 +650,7 @@ SSL_free( SSL *ssl )
static int
SSL_do_handshake( SSL *ssl, gnutls_connection_end end )
{
- int cert_list_length;
+ unsigned int cert_list_length;
int ret;
const gnutls_datum *cert_list;
X509_STORE_CTX *x509_store;
@@ -812,7 +846,7 @@ SSL_get_certificate( SSL *ssl )
X509 *
SSL_get_peer_certificate( SSL *ssl )
{
- int list_size = 0;
+ unsigned int list_size = 0;
if (!ssl) {
gnutls_error = GNUTLS_E_INVALID_SESSION;
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index ddbb697..1e5bfd1 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -34,6 +34,7 @@
#ifdef HAVE_GNUTLS_GNUTLS_H
#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
#include "ldap_pvt_gnutls.h"
#elif defined(HAVE_OPENSSL_SSL_H)
#include <openssl/ssl.h>
@@ -1057,25 +1058,40 @@ char *
ldap_pvt_tls_get_peer_hostname( void *s )
{
X509 *x;
+ char buf[2048], *p;
#ifdef HAVE_GNUTLS_GNUTLS_H
- X509_NAME xn;
+ gnutls_x509_crt_t cert;
+ size_t bufsize = sizeof(buf);
#else
X509_NAME *xn;
-#endif
- char buf[2048], *p;
int ret;
+#endif
x = tls_get_cert((SSL *)s);
if (!x) return NULL;
#ifdef HAVE_GNUTLS_GNUTLS_H
- if (gnutls_x509_extract_certificate_dn( x, &xn ))
+ if (gnutls_x509_crt_init(&cert)) {
+ X509_free(x);
+ return NULL;
+ }
+
+ if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER ))
{
X509_free(x);
+ gnutls_x509_crt_deinit(cert);
return NULL;
}
- p = LDAP_STRDUP(xn.common_name);
+ if (gnutls_x509_crt_get_dn_by_oid( cert, GNUTLS_OID_X520_COMMON_NAME,
+ 0, 0, buf, &bufsize ))
+ {
+ X509_free(x);
+ gnutls_x509_crt_deinit(cert);
+ return NULL;
+ }
+
+ gnutls_x509_crt_deinit(cert);
#else
xn = X509_get_subject_name(x);
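Review bot: Style: the three new failure exits in the gnutls branch each spell out `X509_free(x); gnutls_x509_crt_deinit(cert); return NULL;` (the first one without the deinit), which is easy to get wrong the next time an exit is added; a pair of cleanup labels at the end of the `#ifdef HAVE_GNUTLS_GNUTLS_H` block, one above and one below `gnutls_x509_crt_deinit(cert)`, would keep the ordering in one place. The success path hands `buf` to `LDAP_STRDUP(buf)` in the next hunk as a C string, so please confirm that gnutls_x509_crt_get_dn_by_oid() NUL-terminates what it writes for `bufsize = sizeof(buf)` and note it in a comment on the call. A CN longer than the 2048-byte buffer makes the call fail and the function return NULL, indistinguishable from "no certificate"; if that is intended, say so in the same comment.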
@@ -1085,8 +1101,8 @@ ldap_pvt_tls_get_peer_hostname( void *s )
return NULL;
}
- p = LDAP_STRDUP(buf);
#endif
+ p = LDAP_STRDUP(buf);
X509_free(x);
return p;
}
@@ -1107,6 +1123,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
int ntype = IS_DNS;
#ifdef HAVE_GNUTLS_GNUTLS_H
int tlsret, alttype;
+ gnutls_x509_crt_t cert;
#endif
#ifdef LDAP_PF_INET6
struct in6_addr addr;
@@ -1156,6 +1173,18 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
#ifdef HAVE_GNUTLS_GNUTLS_H
name_len = strlen(name);
+ if (gnutls_x509_crt_init(&cert)) {
+ X509_free(x);
+ return ret;
+ }
+
+ if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER ))
+ {
+ X509_free(x);
+ gnutls_x509_crt_deinit(cert);
+ return ret;
+ }
+
/* XXX: we /could/ use gnutls_x509_check_certificates_hostname()
here, but it only checks hostnames -- not IPs. */
if (ntype == IS_DNS)
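Review bot: The two new early exits return `ret` before any name checking has run, and the value `ret` holds at that point is assigned above the hunk, so please confirm it is a failure code and not a stale LDAP_SUCCESS. Once `cert` is imported, any `return` between here and the `gnutls_x509_crt_deinit(cert)` added at the end of the function (the hunk just before `X509_free(x); return ret;`) leaks it; a single cleanup label that does the deinit and the X509_free() would make that impossible to miss. The `XXX` comment that follows still names the old-API gnutls_x509_check_certificates_hostname(); with `cert` now a gnutls_x509_crt_t the corresponding call is gnutls_x509_crt_check_hostname(), so either update the comment or use it for the dNSName case. ldap_pvt_tls_check_hostname() starts and ends outside the hunk.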
@@ -1171,8 +1200,8 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
/* FIXME: do we care about GNUTLS_E_SHORT_MEMORY_BUFFER errors? */
do {
char buffer[512];
- int sl = sizeof(buffer);
- tlsret = gnutls_x509_extract_certificate_subject_alt_name(x, i++, buffer, &sl);
+ size_t sl = sizeof(buffer);
+ tlsret = gnutls_x509_crt_get_subject_alt_name(cert, i++, buffer, &sl, NULL);
if (tlsret != alttype || sl <= 0)
continue;
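Review bot: `sl <= 0` compares a `size_t` against zero, which can only be `sl == 0` and draws the very warning this commit set out to remove; write `if (tlsret != alttype || sl == 0) continue;`. `buffer` now holds the raw SAN value with `sl` as its length, so the comparison against `name`/`name_len` that follows below the hunk should use `sl` as the entry length and treat an entry whose `sl` disagrees with `strlen(buffer)` as a non-match rather than relying on NUL termination; please confirm which of the two the code below does. Note also that `continue` inside a do/while jumps to the loop condition (outside the hunk), so a GNUTLS_E_SHORT_MEMORY_BUFFER result for an over-long entry — the FIXME just above — silently skips that entry; a one-line comment saying that is intended would answer the FIXME. The enclosing loop and function continue outside the hunk.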
@@ -1307,14 +1336,17 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
#endif /* HAVE_GNUTLS_GNUTLS_H */
if (ret != LDAP_SUCCESS) {
- X509_NAME *xn;
char buf[2048];
-
- xn = X509_get_subject_name(x);
#ifdef HAVE_GNUTLS_GNUTLS_H
- buf[sizeof(buf)-1] = '\0';
- if (!xn || !strncpy(buf, xn->common_name, sizeof(buf)-1))
+ size_t bufsize = sizeof(buf);
+
+ if (gnutls_x509_crt_get_dn_by_oid( cert, GNUTLS_OID_X520_COMMON_NAME,
+ 0, 0, buf, &bufsize ))
#else
+ X509_NAME *xn;
+
+ xn = X509_get_subject_name(x);
+
if( X509_NAME_get_text_by_NID( xn, NID_commonName,
buf, sizeof(buf)) == -1)
#endif
@@ -1347,6 +1379,10 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
ret = LDAP_SUCCESS;
}
}
+
+#ifdef HAVE_GNUTLS_GNUTLS_H
+ gnutls_x509_crt_deinit(cert);
+#endif
X509_free(x);
return ret;
}