From: Howard Chu Date: Mon, 26 Jan 2009 03:21:16 +0000 (+0000) Subject: ITS#5887 add native support for cipher suites for GnuTLS >= 2.2.0 X-Git-Tag: ACLCHECK_0~953 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=255895125148704f4219868b295d6f69dfdcd68a;p=openldap ITS#5887 add native support for cipher suites for GnuTLS >= 2.2.0 --- diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c index 8f499e6966..1d2935f332 100644 --- a/libraries/libldap/tls_g.c +++ b/libraries/libldap/tls_g.c @@ -49,6 +49,16 @@ #define DH_BITS (1024) +#if LIBGNUTLS_VERSION_NUMBER >= 0x020200 +#define HAVE_CIPHERSUITES 1 +#else +#undef HAVE_CIPHERSUITES +#endif + +#ifndef HAVE_CIPHERSUITES +/* Versions prior to 2.2.0 didn't handle cipher suites, so we had to + * kludge them ourselves. + */ typedef struct tls_cipher_suite { const char *name; gnutls_kx_algorithm_t kx; @@ -56,6 +66,7 @@ typedef struct tls_cipher_suite { gnutls_mac_algorithm_t mac; gnutls_protocol_t version; } tls_cipher_suite; +#endif typedef struct tlsg_ctx { struct ldapoptions *lo; @@ -63,9 +74,13 @@ typedef struct tlsg_ctx { gnutls_dh_params_t dh_params; unsigned long verify_depth; int refcount; +#ifdef HAVE_CIPHERSUITES + gnutls_priority_t prios; +#else int *kx_list; int *cipher_list; int *mac_list; +#endif #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_t ref_mutex; #endif @@ -77,8 +92,10 @@ typedef struct tlsg_session { struct berval peer_der_dn; } tlsg_session; +#ifndef HAVE_CIPHERSUITES static tls_cipher_suite *tlsg_ciphers; static int tlsg_n_ciphers; +#endif static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites ); static int tlsg_cert_verify( tlsg_session *s ); @@ -148,6 +165,7 @@ tlsg_init( void ) { gnutls_global_init(); +#ifndef HAVE_CIPHERSUITES /* GNUtls cipher suite handling: The library ought to parse suite * names for us, but it doesn't. It will return a list of suite names * that it supports, so we can do parsing ourselves. It ought to tell @@ -174,6 +192,7 @@ tlsg_init( void ) &tlsg_ciphers[i].version ); } } +#endif return 0; } @@ -183,10 +202,11 @@ tlsg_init( void ) static void tlsg_destroy( void ) { +#ifndef HAVE_CIPHERSUITES LDAP_FREE( tlsg_ciphers ); tlsg_ciphers = NULL; tlsg_n_ciphers = 0; - +#endif gnutls_global_deinit(); } @@ -203,6 +223,9 @@ tlsg_ctx_new ( struct ldapoptions *lo ) return NULL; } ctx->refcount = 1; +#ifdef HAVE_CIPHERSUITES + gnutls_priority_init( &ctx->prios, "NORMAL", NULL ); +#endif #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_init( &ctx->ref_mutex ); #endif @@ -240,7 +263,11 @@ tlsg_ctx_free ( tls_ctx *ctx ) #endif if ( refcount ) return; +#ifdef HAVE_CIPHERSUITES + gnutls_priority_deinit( c->prios ); +#else LDAP_FREE( c->kx_list ); +#endif gnutls_certificate_free_credentials( c->cred ); ber_memfree ( c ); } @@ -323,12 +350,16 @@ tlsg_session_new ( tls_ctx * ctx, int is_server ) session->ctx = c; gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT ); +#ifdef HAVE_CIPHERSUITES + gnutls_priority_set( session->session, c->prios ); +#else gnutls_set_default_priority( session->session ); if ( c->kx_list ) { gnutls_kx_set_priority( session->session, c->kx_list ); gnutls_cipher_set_priority( session->session, c->cipher_list ); gnutls_mac_set_priority( session->session, c->mac_list ); } +#endif if ( c->cred ) gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred ); @@ -645,6 +676,10 @@ tlsg_session_strength( tls_session *session ) static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites ) { +#ifdef HAVE_CIPHERSUITES + const char *err; + return gnutls_priority_init( &ctx->prios, suites, &err ); +#else char *ptr, *end; int i, j, len, num; int *list, nkx = 0, ncipher = 0, nmac = 0; @@ -719,6 +754,7 @@ tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites ) ctx->cipher_list = cipher; ctx->mac_list = mac; return 0; +#endif } /*