From 76075bb5445f3e4021b0c3b444ea0eaf599a3fdd Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 4 May 2016 16:32:30 +0100 Subject: [PATCH 1/1] TLS: support older GnuTLS versions --- src/src/tls-gnu.c | 9 +++++++-- src/src/tlscert-gnu.c | 26 +++++++++++++------------- 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 522bb9026..45ee1017a 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -42,6 +42,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries). /* needed to disable PKCS11 autoload unless requested */ #if GNUTLS_VERSION_NUMBER >= 0x020c00 # include +# define SUPPORT_PARAM_TO_PK_BITS #endif #if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP) # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile" @@ -728,8 +729,12 @@ if ((rc = gnutls_x509_crt_init(&cert))) goto err; where = US"generating pkey"; if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA, +#ifdef SUPPORT_PARAM_TO_PK_BITS gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW), - 0))) /* _to_pk_bits() Since: 2.12.0 */ +#else + 1024, +#endif + 0))) goto err; where = US"configuring cert"; @@ -1508,7 +1513,7 @@ else int sep = 0; const uschar * list = state->exp_tls_verify_cert_hostnames; uschar * name; - while (name = string_nextinlist(&list, &sep, NULL, 0)) + while ((name = string_nextinlist(&list, &sep, NULL, 0))) if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name)) break; if (!name) diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c index 80b6fb142..296398ae9 100644 --- a/src/src/tlscert-gnu.c +++ b/src/src/tlscert-gnu.c @@ -142,12 +142,12 @@ uschar * cp = NULL; int ret; size_t siz = 0; -if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) +if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) != GNUTLS_E_SHORT_MEMORY_BUFFER) return g_err("gi0", __FUNCTION__, ret); cp = store_get(siz); -if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) < 0) +if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) < 0) return g_err("gi1", __FUNCTION__, ret); return mod ? tls_field_from_dn(cp, mod) : cp; @@ -183,7 +183,7 @@ if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert, return g_err("gs0", __FUNCTION__, ret); for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--) - sprintf(dp, "%.2x", *sp); + sprintf(CS dp, "%.2x", *sp); for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */ return string_copy(sp); } @@ -197,16 +197,16 @@ uschar * cp3; size_t len = 0; int ret; -if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len)) +if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER) return g_err("gs0", __FUNCTION__, ret); cp1 = store_get(len*4+1); -if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0) +if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len) != 0) return g_err("gs1", __FUNCTION__, ret); for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++) - sprintf(cp3, "%.2x ", *cp1); + sprintf(CS cp3, "%.2x ", *cp1); cp3[-1]= '\0'; return cp2; @@ -217,7 +217,7 @@ tls_cert_signature_algorithm(void * cert, uschar * mod) { gnutls_sign_algorithm_t algo = gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert); -return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo)); +return algo < 0 ? NULL : string_copy(US gnutls_sign_get_name(algo)); } uschar * @@ -227,12 +227,12 @@ uschar * cp = NULL; int ret; size_t siz = 0; -if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) +if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) != GNUTLS_E_SHORT_MEMORY_BUFFER) return g_err("gs0", __FUNCTION__, ret); cp = store_get(siz); -if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) < 0) +if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) < 0) return g_err("gs1", __FUNCTION__, ret); return mod ? tls_field_from_dn(cp, mod) : cp; @@ -255,14 +255,14 @@ unsigned int crit; int ret; ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert, - oid, idx, cp1, &siz, &crit); + oid, idx, CS cp1, &siz, &crit); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) return g_err("ge0", __FUNCTION__, ret); cp1 = store_get(siz*4 + 1); ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert, - oid, idx, cp1, &siz, &crit); + oid, idx, CS cp1, &siz, &crit); if (ret < 0) return g_err("ge1", __FUNCTION__, ret); @@ -270,7 +270,7 @@ if (ret < 0) /* just dump for now */ for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++) - sprintf(cp3, "%.2x ", *cp1); + sprintf(CS cp3, "%.2x ", *cp1); cp3[-1]= '\0'; return cp2; @@ -458,7 +458,7 @@ if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0) return g_err("gf1", __FUNCTION__, ret); for (cp3 = cp2 = cp+siz; cp < cp2; cp++, cp3+=2) - sprintf(cp3, "%02X",*cp); + sprintf(CS cp3, "%02X",*cp); return cp2; } -- 2.30.2