#define DH_BITS (1024)
+#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
+#define HAVE_CIPHERSUITES 1
+#else
+#undef HAVE_CIPHERSUITES
+#endif
+
+#ifndef HAVE_CIPHERSUITES
+/* Versions prior to 2.2.0 didn't handle cipher suites, so we had to
+ * kludge them ourselves.
+ */
typedef struct tls_cipher_suite {
const char *name;
gnutls_kx_algorithm_t kx;
gnutls_mac_algorithm_t mac;
gnutls_protocol_t version;
} tls_cipher_suite;
+#endif
typedef struct tlsg_ctx {
struct ldapoptions *lo;
gnutls_dh_params_t dh_params;
unsigned long verify_depth;
int refcount;
+#ifdef HAVE_CIPHERSUITES
+ gnutls_priority_t prios;
+#else
int *kx_list;
int *cipher_list;
int *mac_list;
+#endif
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_t ref_mutex;
#endif
struct berval peer_der_dn;
} tlsg_session;
+#ifndef HAVE_CIPHERSUITES
static tls_cipher_suite *tlsg_ciphers;
static int tlsg_n_ciphers;
+#endif
static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
static int tlsg_cert_verify( tlsg_session *s );
{
gnutls_global_init();
+#ifndef HAVE_CIPHERSUITES
/* GNUtls cipher suite handling: The library ought to parse suite
* names for us, but it doesn't. It will return a list of suite names
* that it supports, so we can do parsing ourselves. It ought to tell
&tlsg_ciphers[i].version );
}
}
+#endif
return 0;
}
static void
tlsg_destroy( void )
{
+#ifndef HAVE_CIPHERSUITES
LDAP_FREE( tlsg_ciphers );
tlsg_ciphers = NULL;
tlsg_n_ciphers = 0;
-
+#endif
gnutls_global_deinit();
}
return NULL;
}
ctx->refcount = 1;
+#ifdef HAVE_CIPHERSUITES
+ gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
+#endif
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
#endif
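Review bot: The result of `gnutls_priority_init( &ctx->prios, "NORMAL", NULL )` is discarded, yet the call returns 0 on success and a negative GnuTLS error code on failure, so on failure `ctx->prios` is left in whatever state the library leaves it and is later passed to `gnutls_priority_set` and `gnutls_priority_deinit` in the following hunks. A failure here (typically memory exhaustion) would then surface as a crash or an obscure handshake error instead of a failed context creation. I would write `if ( gnutls_priority_init( &ctx->prios, "NORMAL", NULL ) < 0 )` and take the same failure path that returns NULL a few lines above, after releasing whatever the function has allocated by this point (presumably `ctx->cred` and `ctx` itself). The enclosing function starts outside the hunk, so the exact cleanup needed is not visible here.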
#endif
if ( refcount )
return;
+#ifdef HAVE_CIPHERSUITES
+ gnutls_priority_deinit( c->prios );
+#else
LDAP_FREE( c->kx_list );
+#endif
gnutls_certificate_free_credentials( c->cred );
ber_memfree ( c );
}
session->ctx = c;
gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
+#ifdef HAVE_CIPHERSUITES
+ gnutls_priority_set( session->session, c->prios );
+#else
gnutls_set_default_priority( session->session );
if ( c->kx_list ) {
gnutls_kx_set_priority( session->session, c->kx_list );
gnutls_cipher_set_priority( session->session, c->cipher_list );
gnutls_mac_set_priority( session->session, c->mac_list );
}
+#endif
if ( c->cred )
gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
{
+#ifdef HAVE_CIPHERSUITES
+ const char *err;
+ return gnutls_priority_init( &ctx->prios, suites, &err );
+#else
char *ptr, *end;
int i, j, len, num;
int *list, nkx = 0, ncipher = 0, nmac = 0;
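Review bot: `gnutls_priority_init( &ctx->prios, suites, &err )` overwrites `ctx->prios` without releasing the priority object that the earlier hunk installs unconditionally with "NORMAL", so if, as it appears, this runs on the same ctx, every context that configures its own suites leaks one `gnutls_priority_t`. Whether the library leaves `*prios` pointing at freed memory or NULL when parsing fails is version-dependent, so the new code should not rely on it; deinit the previous handle first and reset it explicitly on failure. The `err` position is also computed and then dropped; since it points at the token in `suites` that was rejected, returning or logging it would tell the administrator which suite name is wrong (I cannot see from the hunk whether the caller logs anything). The `if ( ctx->prios )` guard below assumes the context is zero-initialised on allocation, which is not visible in this hunk and should be confirmed.
```c
#ifdef HAVE_CIPHERSUITES
	const char *err;
	int rc;

	/* the context already holds the default "NORMAL" priority; release it first */
	if ( ctx->prios )
		gnutls_priority_deinit( ctx->prios );
	rc = gnutls_priority_init( &ctx->prios, suites, &err );
	if ( rc < 0 )
		ctx->prios = NULL;	/* keep later paths from using an indeterminate handle */
	return rc;
#else
	/* … unchanged: manual suite parsing … */
```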
ctx->cipher_list = cipher;
ctx->mac_list = mac;
return 0;
+#endif
}
/*