[Pkg-openldap-devel] [openldap] 01/05: Build against libgnutls12. Update the gnutls patch accordingly; no compatibility for libgnutls11 is provided, the APIs have changed enough that a baseline of gnutls 1.2 is now assumed.

Timo Aaltonen tjaalton-guest at alioth.debian.org
Thu Oct 10 05:33:57 UTC 2013


This is an automated email from the git hooks/post-receive script.

tjaalton-guest pushed a commit to annotated tag 2.1.30-13
in repository openldap.

commit 129f127e9a834c6f4bfd5526128a1cbe0bf1f0c3
Author: Steve Langasek <vorlon at debian.org>
Date:   Thu Mar 2 11:46:27 2006 +0000

    Build against libgnutls12.  Update the gnutls patch accordingly; no
    compatibility for libgnutls11 is provided, the APIs have changed
    enough that a baseline of gnutls 1.2 is now assumed.
    
    Also fix several minor bugs in the gnutls patch that manifested as
    compiler warnings.
---
 debian/changelog           |   10 ++++++
 debian/control             |    2 +-
 include/ldap_pvt_gnutls.h  |   10 +++---
 libraries/libldap/gnutls.c |   86 ++++++++++++++++++++++++++++++--------------
 libraries/libldap/tls.c    |   62 +++++++++++++++++++++++++-------
 5 files changed, 125 insertions(+), 45 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index cff61e6..eeaf556 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+openldap2 (2.1.30-13) UNRELEASED; urgency=low
+
+  * Build against libgnutls12.  Update the gnutls patch accordingly; no
+    compatibility for libgnutls11 is provided, the APIs have changed
+    enough that a baseline of gnutls 1.2 is now assumed.
+  * Fix several minor bugs in the gnutls patch that manifested as
+    compiler warnings
+
+ -- Steve Langasek <vorlon at debian.org>  Tue, 28 Feb 2006 00:44:46 -0800
+
 openldap2 (2.1.30-12) unstable; urgency=low
 
   * [l10n] Vietnamese translations by Clytie Siddall (closes: #316603).
diff --git a/debian/control b/debian/control
index 191abe3..afcdd6d 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: net
 Priority: optional
 Maintainer: Torsten Landschoff <torsten at debian.org>
 Uploaders: Roland Bauerschmidt <rb at debian.org>, Stephen Frost <sfrost at debian.org>, Steve Langasek <vorlon at debian.org>
-Build-Depends: libdb4.2-dev, libwrap0-dev, libiodbc2-dev, libsasl2-dev (>= 2.1.3-1), dpkg-dev (>= 1.7.1), libncurses5-dev, autoconf2.13, debconf-utils, libgnutls11-dev, libgcrypt11-dev, debhelper (>= 4.1.16), libltdl3-dev (>= 1.4.3), libslp-dev, po-debconf
+Build-Depends: libdb4.2-dev, libwrap0-dev, libiodbc2-dev, libsasl2-dev (>= 2.1.3-1), dpkg-dev (>= 1.7.1), libncurses5-dev, autoconf2.13, debconf-utils, libgnutls-dev, libgcrypt11-dev, debhelper (>= 4.1.16), libltdl3-dev (>= 1.4.3), libslp-dev, po-debconf
 Build-Conflicts: libbind-dev, bind-dev
 Standards-Version: 3.6.1
 
diff --git a/include/ldap_pvt_gnutls.h b/include/ldap_pvt_gnutls.h
index 34f3775..1114195 100644
--- a/include/ldap_pvt_gnutls.h
+++ b/include/ldap_pvt_gnutls.h
@@ -86,8 +86,8 @@ typedef struct X509_STORE_CTX {
    typedef to the GNUTLS equivalent. */
 #define STACK_OF(x) x##_st
 
-typedef struct DSTRUCT X509_NAME_st;
-typedef gnutls_x509_dn X509_NAME;
+typedef struct gnutls_certificate_credentials_st X509_NAME_st;
+typedef char X509_NAME;
 typedef gnutls_datum X509;
 
 typedef struct bio_decl BIO;
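Review bot: `typedef char X509_NAME;` changes what every `X509_NAME *` in this shim means, and nothing at the typedef documents the new contract. Judging from the gnutls.c part of this commit, the pointer is now a heap buffer filled by `gnutls_x509_crt_get_dn` and read with `strlen`, so callers own a NUL-terminated string rather than a struct with named fields. I would add a comment above the two typedefs, e.g. `/* X509_NAME is the certificate DN as a malloc'ed C string; X509_NAME_st exists only so STACK_OF(X509_NAME) names the GnuTLS credentials struct */`. The second half of that comment is inferred from `SSL_CTX_set_client_CA_list` taking `gnutls_certificate_credentials_t` and should be confirmed.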
@@ -123,7 +123,7 @@ typedef struct
 } SSL_METHOD;
 
 typedef struct SSL_CTX {
-	gnutls_certificate_credentials creds;
+	gnutls_certificate_credentials_t creds;
 	SSL_METHOD *method;
 	int verify_mode;
 	int (*verify_callback)(int, X509_STORE_CTX *);
@@ -212,10 +212,10 @@ int SSL_CTX_set_cipher_list( SSL_CTX *ctx, char *ciphersuite );
 int SSL_CTX_load_verify_locations( SSL_CTX *ctx, const char *CAfile,
                                    const char *CApath );
 int SSL_CTX_set_default_verify_paths( SSL_CTX *ctx );
-int SSL_CTX_set_session_id_context( SSL_CTX *ctx, const unsigned char *sid_ctx,
+int SSL_CTX_set_session_id_context( SSL_CTX *ctx, const char *sid_ctx,
                                     unsigned int sid_ctx_len );
 void SSL_CTX_set_client_CA_list( SSL_CTX *ctx,
-                                 gnutls_certificate_credentials calist );
+                                 gnutls_certificate_credentials_t calist );
 void SSL_CTX_set_verify( SSL_CTX *ctx, int mode,
                          int (*verify_callback)(int, X509_STORE_CTX *) );
 
diff --git a/libraries/libldap/gnutls.c b/libraries/libldap/gnutls.c
index f72901e..52ee182 100644
--- a/libraries/libldap/gnutls.c
+++ b/libraries/libldap/gnutls.c
@@ -39,6 +39,7 @@
 #ifdef HAVE_GNUTLS_GNUTLS_H
 
 #include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
 #include <gcrypt.h>
 #include "ldap_pvt_gnutls.h"
 
@@ -122,38 +123,80 @@ void X509_free(void *ptr) {
 X509_NAME *
 X509_get_subject_name( const X509 *x )
 {
+	gnutls_x509_crt_t cert;
 	X509_NAME *dn = NULL;
+	size_t bufsize = 0;
 
 	if (!x)
 		return NULL;
 
-	if (!(dn = malloc(sizeof(*dn))))
+	if (gnutls_x509_crt_init(&cert))
 		return NULL;
 
-	if (gnutls_x509_extract_certificate_dn( x, dn )) {
+	if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER )) {
+		gnutls_x509_crt_deinit(cert);
+		return NULL;
+	}
+
+	gnutls_x509_crt_get_dn( cert, NULL, &bufsize );
+
+	if (bufsize <= 0) {
+		gnutls_x509_crt_deinit(cert);
+		return NULL;
+	}
+
+	if (!(dn = malloc(bufsize))) {
+		gnutls_x509_crt_deinit(cert);
+		return NULL;
+	}
+
+	if (gnutls_x509_crt_get_dn( cert, dn, &bufsize )) {
 		free(dn);
+		gnutls_x509_crt_deinit(cert);
 		return NULL;
 	}
 
+	gnutls_x509_crt_deinit(cert);
 	return dn;
 }
 
 X509_NAME *
 X509_get_issuer_name( const X509 *x )
 {
+	gnutls_x509_crt_t cert;
 	X509_NAME *dn = NULL;
+	size_t bufsize = 0;
 
 	if (!x)
 		return NULL;
 
-	if (!(dn = malloc(sizeof(*dn))))
+	if (gnutls_x509_crt_init(&cert))
 		return NULL;
 
-	if (gnutls_x509_extract_certificate_issuer_dn( x, dn )) {
+	if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER )) {
+		gnutls_x509_crt_deinit(cert);
+		return NULL;
+	}
+
+	gnutls_x509_crt_get_issuer_dn( cert, NULL, &bufsize );
+
+	if (bufsize <= 0) {
+		gnutls_x509_crt_deinit(cert);
+		return NULL;
+	}
+
+	if (!(dn = malloc(bufsize))) {
+		gnutls_x509_crt_deinit(cert);
+		return NULL;
+	}
+
+	if (gnutls_x509_crt_get_issuer_dn( cert, dn, &bufsize )) {
 		free(dn);
+		gnutls_x509_crt_deinit(cert);
 		return NULL;
 	}
 
+	gnutls_x509_crt_deinit(cert);
 	return dn;
 }
 
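Review bot: The sizing call `gnutls_x509_crt_get_dn( cert, NULL, &bufsize );` in `X509_get_subject_name` discards its return code, and the `bufsize <= 0` test after it can only ever mean `bufsize == 0` because `bufsize` is a `size_t`. The DN is taken from a certificate that may have been supplied by the peer, so the expected outcome of the probe should be explicit: `if (gnutls_x509_crt_get_dn( cert, NULL, &bufsize ) != GNUTLS_E_SHORT_MEMORY_BUFFER || bufsize == 0) {`. `X509_get_issuer_name` repeats the same sequence with `gnutls_x509_crt_get_issuer_dn` and needs the same change. A shared static helper that takes the getter as a function pointer would keep the two copies of the cleanup paths from drifting apart.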
@@ -164,23 +207,13 @@ X509_NAME_oneline( X509_NAME *dn, char *buf, int buflen )
 		return NULL;
 
 	if (!buf) {
-		buflen = strlen(dn->country)
-		         + strlen(dn->state_or_province_name)
-		         + strlen(dn->locality_name)
-		         + strlen(dn->organization)
-		         + strlen(dn->organizational_unit_name)
-		         + strlen(dn->common_name) + strlen(dn->email)
-		         + 33;
+		buflen = strlen(dn) + 1;
 		buf = (char *)malloc(buflen);
 	}
 	if (!buf)
 		return NULL;
 
-	snprintf(buf, buflen, "C=%s, ST=%s, L=%s, O=%s, OU=%s, CN=%s/Email=%s",
-	         dn->country, dn->state_or_province_name, dn->locality_name,
-	         dn->organization, dn->organizational_unit_name,
-	         dn->common_name, dn->email);
-	buf[buflen-1] = '\0';
+	strncpy(buf, dn, buflen);
 	return buf;
 }
 
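Review bot: `strncpy(buf, dn, buflen);` leaves `buf` without a terminating NUL whenever the caller passes its own buffer and `strlen(dn) >= buflen`; the removed code guarded this with `buf[buflen-1] = '\0';` and the new code has no equivalent. The DN string is derived from certificate contents, so its length is not under this function's control, and a caller that then treats `buf` as a C string would read past the end of it. Replacing the call with `snprintf(buf, buflen, "%s", dn);` keeps the truncation and always terminates. A `buflen <= 0` check ahead of it would cover the remaining edge, since `buflen` is a signed `int`. The top of `X509_NAME_oneline` is outside the hunk, so any earlier validation of `buflen` is not visible here.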
@@ -323,7 +356,7 @@ SSL_CTX_set_default_verify_paths( SSL_CTX *ctx )
 }
 
 int
-SSL_CTX_set_session_id_context( SSL_CTX *ctx, const unsigned char *sid_ctx,
+SSL_CTX_set_session_id_context( SSL_CTX *ctx, const char *sid_ctx,
                                 unsigned int sid_ctx_len )
 {
 	return 1;
@@ -331,7 +364,7 @@ SSL_CTX_set_session_id_context( SSL_CTX *ctx, const unsigned char *sid_ctx,
 
 void
 SSL_CTX_set_client_CA_list( SSL_CTX *ctx,
-                            gnutls_certificate_credentials calist )
+                            gnutls_certificate_credentials_t calist )
 {
 	if (!ctx)
 		return;
@@ -367,7 +400,7 @@ tls_gnutls_need_rsa_params(void)
 	static const char cache_name[] = "/var/run/slapd/params_cache_rsa";
 	gnutls_rsa_params rsa_params = NULL;
 	int cache_fd;
-	int bits = RSA_BITS;
+	unsigned int bits = RSA_BITS;
 	gnutls_datum m, e, d, p, q, u;
 	int read_ok = 0;
 
@@ -418,11 +451,11 @@ tls_gnutls_need_rsa_params(void)
 
 		/* Not able to read from the file so we generate new parameters */
 		gnutls_error = gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
-		if (gnutls_error < 0) return gnutls_error;
+		if (gnutls_error < 0) return NULL;
 
 		/* gnutls_rsa_params_export_raw will allocate the memory for the params */
 		gnutls_error = gnutls_rsa_params_export_raw(rsa_params, &m, &e, &d, &p, &q, &u, &bits);
-		if (gnutls_error < 0) return gnutls_error;
+		if (gnutls_error < 0) return NULL;
 		sprintf(temp_cache_name, "%s-%d", cache_name, (int) getpid());
 
 		/* Ignore errors... Not everybody has /var/run/slapd/ world writeable... */
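Review bot: Both new `return NULL;` paths in `tls_gnutls_need_rsa_params` leave without releasing `rsa_params`, which has presumably been initialised before `gnutls_rsa_params_generate2` is called on it (the init is outside the hunk). After a failed `gnutls_rsa_params_export_raw` the freshly generated key material also stays allocated. I would release it on the way out, e.g. `if (gnutls_error < 0) { gnutls_rsa_params_deinit(rsa_params); return NULL; }`. The two `return NULL;` lines in `tls_gnutls_need_dh_params` (hunk `@@ -501,10 +535,10`) have the same shape with `dh_params` and `gnutls_dh_params_deinit`. A function comment stating that NULL means no parameters are available would tell callers they have to check for it.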
@@ -461,7 +494,8 @@ tls_gnutls_need_dh_params(void)
 {
 	static const char cache_name[] = "/var/run/slapd/params_cache_dh";
 	gnutls_dh_params dh_params = NULL;
-	int cache_fd, bits = DH_BITS;
+	int cache_fd;
+	unsigned int bits = DH_BITS;
 	gnutls_datum prime, generator;
 	int read_ok = 0;
 
@@ -501,10 +535,10 @@ tls_gnutls_need_dh_params(void)
 		char temp_cache_name[sizeof(cache_name) + 10];
 
 		gnutls_error = gnutls_dh_params_generate2(dh_params, DH_BITS);
-		if (gnutls_error < 0) return gnutls_error;
+		if (gnutls_error < 0) return NULL;
 
 		gnutls_error = gnutls_dh_params_export_raw(dh_params, &prime, &generator, &bits);
-		if (gnutls_error < 0) return gnutls_error;
+		if (gnutls_error < 0) return NULL;
 		sprintf(temp_cache_name, "%s-%d", cache_name, (int) getpid());
 
 		/* Ignore errors... Not everybody has /var/run/slapd/ world writeable... */
@@ -616,7 +650,7 @@ SSL_free( SSL *ssl )
 static int
 SSL_do_handshake( SSL *ssl, gnutls_connection_end end )
 {
-	int cert_list_length;
+	unsigned int cert_list_length;
 	int ret;
 	const gnutls_datum *cert_list;
 	X509_STORE_CTX *x509_store;
@@ -812,7 +846,7 @@ SSL_get_certificate( SSL *ssl )
 X509 *
 SSL_get_peer_certificate( SSL *ssl )
 {
-	int list_size = 0;
+	unsigned int list_size = 0;
 
 	if (!ssl) {
 		gnutls_error = GNUTLS_E_INVALID_SESSION;
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index ddbb697..1e5bfd1 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -34,6 +34,7 @@
 
 #ifdef HAVE_GNUTLS_GNUTLS_H
 #include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
 #include "ldap_pvt_gnutls.h"
 #elif defined(HAVE_OPENSSL_SSL_H)
 #include <openssl/ssl.h>
@@ -1057,25 +1058,40 @@ char *
 ldap_pvt_tls_get_peer_hostname( void *s )
 {
 	X509 *x;
+	char buf[2048], *p;
 #ifdef HAVE_GNUTLS_GNUTLS_H
-	X509_NAME xn;
+	gnutls_x509_crt_t cert;
+	size_t bufsize = sizeof(buf);
 #else
 	X509_NAME *xn;
-#endif
-	char buf[2048], *p;
 	int ret;
+#endif
 
 	x = tls_get_cert((SSL *)s);
 	if (!x) return NULL;
 	
 #ifdef HAVE_GNUTLS_GNUTLS_H
-	if (gnutls_x509_extract_certificate_dn( x, &xn ))
+	if (gnutls_x509_crt_init(&cert)) {
+		X509_free(x);
+		return NULL;
+	}
+
+	if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER ))
 	{
 		X509_free(x);
+		gnutls_x509_crt_deinit(cert);
 		return NULL;
 	}
 
-	p = LDAP_STRDUP(xn.common_name);
+	if (gnutls_x509_crt_get_dn_by_oid( cert, GNUTLS_OID_X520_COMMON_NAME,
+	                                   0, 0, buf, &bufsize ))
+	{
+		X509_free(x);
+		gnutls_x509_crt_deinit(cert);
+		return NULL;
+	}
+
+	gnutls_x509_crt_deinit(cert);
 #else
 	xn = X509_get_subject_name(x);
 
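Review bot: After `gnutls_x509_crt_get_dn_by_oid` succeeds, the length it writes back to `bufsize` is never examined, and the next hunk turns `buf` into the peer hostname with `LDAP_STRDUP(buf)`, which stops at the first NUL byte. The common name is certificate-controlled data; if the library hands back the attribute bytes unmodified, a CN containing an embedded NUL would be reported as a shorter name than the certificate actually carries. I would fail when the C-string length and the returned length disagree, e.g. `if (strlen(buf) != bufsize) { X509_free(x); return NULL; }` after the `gnutls_x509_crt_deinit(cert)` call, having first checked whether this GnuTLS version counts the terminator in `bufsize`. The same check is worth adding where `ldap_pvt_tls_check_hostname` reads the CN (`@@ -1307,14 +1336,17`) and where it reads each subjectAltName into `buffer`/`sl` (`@@ -1171,8 +1200,8`).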
@@ -1085,8 +1101,8 @@ ldap_pvt_tls_get_peer_hostname( void *s )
 		return NULL;
 	}
 
-	p = LDAP_STRDUP(buf);
 #endif
+	p = LDAP_STRDUP(buf);
 	X509_free(x);
 	return p;
 }
@@ -1107,6 +1123,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
 	int ntype = IS_DNS;
 #ifdef HAVE_GNUTLS_GNUTLS_H
 	int tlsret, alttype;
+	gnutls_x509_crt_t cert;
 #endif
 #ifdef LDAP_PF_INET6
 	struct in6_addr addr;
@@ -1156,6 +1173,18 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
 #ifdef HAVE_GNUTLS_GNUTLS_H
         name_len = strlen(name);
 
+	if (gnutls_x509_crt_init(&cert)) {
+		X509_free(x);
+		return ret;
+	}
+
+	if (gnutls_x509_crt_import( cert, x, GNUTLS_X509_FMT_DER ))
+	{
+		X509_free(x);
+		gnutls_x509_crt_deinit(cert);
+		return ret;
+	}
+
 	/* XXX: we /could/ use gnutls_x509_check_certificates_hostname()
 	   here, but it only checks hostnames -- not IPs. */
 	if (ntype == IS_DNS)
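Review bot: The two new early exits use `return ret;`, and `ret` is assigned outside this hunk, so whether a certificate that GnuTLS cannot initialise or import is reported as a failure depends on code not shown here. In a hostname check the failure path should not be able to return `LDAP_SUCCESS` by accident; an explicit `return LDAP_LOCAL_ERROR;` in both branches would make that independent of how `ret` is initialised. I would also add a comment at the init, e.g. `/* parse the peer certificate once; cert must be released on every return below */`. Every later exit from the GnuTLS branch now has to call `gnutls_x509_crt_deinit(cert)`, and only the final one is visible in this commit.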
@@ -1171,8 +1200,8 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
 	/* FIXME: do we care about GNUTLS_E_SHORT_MEMORY_BUFFER errors? */
 	do {
           char buffer[512];
-          int sl = sizeof(buffer);
-          tlsret = gnutls_x509_extract_certificate_subject_alt_name(x, i++, buffer, &sl);
+          size_t sl = sizeof(buffer);
+          tlsret = gnutls_x509_crt_get_subject_alt_name(cert, i++, buffer, &sl, NULL);
 
           if (tlsret != alttype || sl <= 0)
             continue;
@@ -1307,14 +1336,17 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
 #endif /* HAVE_GNUTLS_GNUTLS_H */
 
 	if (ret != LDAP_SUCCESS) {
-		X509_NAME *xn;
 		char buf[2048];
-
-		xn = X509_get_subject_name(x);
 #ifdef HAVE_GNUTLS_GNUTLS_H
-		buf[sizeof(buf)-1] = '\0';
-		if (!xn || !strncpy(buf, xn->common_name, sizeof(buf)-1))
+		size_t bufsize = sizeof(buf);
+
+		if (gnutls_x509_crt_get_dn_by_oid( cert, GNUTLS_OID_X520_COMMON_NAME,
+		                                   0, 0, buf, &bufsize ))
 #else
+		X509_NAME *xn;
+
+		xn = X509_get_subject_name(x);
+
 		if( X509_NAME_get_text_by_NID( xn, NID_commonName,
 			buf, sizeof(buf)) == -1)
 #endif
@@ -1347,6 +1379,10 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
 			ret = LDAP_SUCCESS;
 		}
 	}
+
+#ifdef HAVE_GNUTLS_GNUTLS_H
+	gnutls_x509_crt_deinit(cert);
+#endif
 	X509_free(x);
 	return ret;
 }

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openldap/openldap.git


