ITS#5887 add native support for cipher suites for GnuTLS >= 2.2.0

Howard Chu 2009-01-26 03:21:16 +00:00
parent 29bf788d1e
commit 2558951251


@ -49,6 +49,16 @@
#define DH_BITS (1024)
#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
#define HAVE_CIPHERSUITES 1
#else
#undef HAVE_CIPHERSUITES
#endif
#ifndef HAVE_CIPHERSUITES
/* Versions prior to 2.2.0 didn't handle cipher suites, so we had to
* kludge them ourselves.
*/
typedef struct tls_cipher_suite {
const char *name;
gnutls_kx_algorithm_t kx;
@ -56,6 +66,7 @@ typedef struct tls_cipher_suite {
gnutls_mac_algorithm_t mac;
gnutls_protocol_t version;
} tls_cipher_suite;
#endif
typedef struct tlsg_ctx {
struct ldapoptions *lo;
@ -63,9 +74,13 @@ typedef struct tlsg_ctx {
gnutls_dh_params_t dh_params;
unsigned long verify_depth;
int refcount;
#ifdef HAVE_CIPHERSUITES
gnutls_priority_t prios;
#else
int *kx_list;
int *cipher_list;
int *mac_list;
#endif
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_t ref_mutex;
#endif
@ -77,8 +92,10 @@ typedef struct tlsg_session {
struct berval peer_der_dn;
} tlsg_session;
#ifndef HAVE_CIPHERSUITES
static tls_cipher_suite *tlsg_ciphers;
static int tlsg_n_ciphers;
#endif
static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
static int tlsg_cert_verify( tlsg_session *s );
@ -148,6 +165,7 @@ tlsg_init( void )
{
gnutls_global_init();
#ifndef HAVE_CIPHERSUITES
/* GNUtls cipher suite handling: The library ought to parse suite
* names for us, but it doesn't. It will return a list of suite names
* that it supports, so we can do parsing ourselves. It ought to tell
@ -174,6 +192,7 @@ tlsg_init( void )
&tlsg_ciphers[i].version );
}
}
#endif
return 0;
}
@ -183,10 +202,11 @@ tlsg_init( void )
static void
tlsg_destroy( void )
{
#ifndef HAVE_CIPHERSUITES
LDAP_FREE( tlsg_ciphers );
tlsg_ciphers = NULL;
tlsg_n_ciphers = 0;
#endif
gnutls_global_deinit();
}
@ -203,6 +223,9 @@ tlsg_ctx_new ( struct ldapoptions *lo )
return NULL;
}
ctx->refcount = 1;
#ifdef HAVE_CIPHERSUITES
gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
#endif
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
#endif
@ -240,7 +263,11 @@ tlsg_ctx_free ( tls_ctx *ctx )
#endif
if ( refcount )
return;
#ifdef HAVE_CIPHERSUITES
gnutls_priority_deinit( c->prios );
#else
LDAP_FREE( c->kx_list );
#endif
gnutls_certificate_free_credentials( c->cred );
ber_memfree ( c );
}
@ -323,12 +350,16 @@ tlsg_session_new ( tls_ctx * ctx, int is_server )
session->ctx = c;
gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
#ifdef HAVE_CIPHERSUITES
gnutls_priority_set( session->session, c->prios );
#else
gnutls_set_default_priority( session->session );
if ( c->kx_list ) {
gnutls_kx_set_priority( session->session, c->kx_list );
gnutls_cipher_set_priority( session->session, c->cipher_list );
gnutls_mac_set_priority( session->session, c->mac_list );
}
#endif
if ( c->cred )
gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
@ -645,6 +676,10 @@ tlsg_session_strength( tls_session *session )
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
{
#ifdef HAVE_CIPHERSUITES
const char *err;
return gnutls_priority_init( &ctx->prios, suites, &err );
#else
char *ptr, *end;
int i, j, len, num;
int *list, nkx = 0, ncipher = 0, nmac = 0;
@ -719,6 +754,7 @@ tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
ctx->cipher_list = cipher;
ctx->mac_list = mac;
return 0;
#endif
}
/*
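Review bot: In the HAVE_CIPHERSUITES branch of tlsg_parse_ciphers (the @ -645 hunk), `gnutls_priority_init( &ctx->prios, suites, &err )` writes straight over the priority cache that tlsg_ctx_new already created with "NORMAL" (the @ -203 hunk), so that object is leaked on every call, and when the caller's cipher string fails to parse the context is left holding whatever the failed call stored in ctx->prios, which tlsg_session_new then passes to gnutls_priority_set and tlsg_ctx_free to gnutls_priority_deinit. Initializing into a local and swapping it in only on success keeps the previously valid default in place after a rejected string; the sketch below does that, and it also retires the `err` pointer that the hunk declares but never reads (the caller could log it to show which token was rejected, if a logging hook is available there). The value returned in this branch is a raw GnuTLS error code rather than the 0/-1 convention the #else branch follows; presumably callers only test for non-zero, but that is worth confirming. The gnutls_priority_init in tlsg_ctx_new is likewise unchecked, and gnutls_priority_set in tlsg_session_new (the @ -323 hunk) drops its return value too.
```c
#ifdef HAVE_CIPHERSUITES
	const char *err;
	gnutls_priority_t prios;
	int rc = gnutls_priority_init( &prios, suites, &err );
	if ( rc != GNUTLS_E_SUCCESS )
		return rc;	/* ctx->prios (the "NORMAL" default) stays valid; err points at the rejected token */
	if ( ctx->prios )
		gnutls_priority_deinit( ctx->prios );
	ctx->prios = prios;
	return 0;
#else
	/* … unchanged: manual suite parsing for GnuTLS < 2.2.0 … */
```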