| Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | From 21674039db99d1067e9df4df04d965297d62c6af Mon Sep 17 00:00:00 2001 |
| 2 | From: Rainer Gerhards <rgerhards@adiscon.com> |
| 3 | Date: Mon, 18 May 2015 09:36:02 +0200 |
| 4 | Subject: [PATCH] use gnutls_certificate_type_set_priority() only if available |
| 5 | |
| 6 | The gnutls_certificate_type_set_priority function is deprecated |
| 7 | and not available in recent GnuTLS versions. However, there is no |
| 8 | doc how to properly replace it with gnutls_priority_set_direct. |
| 9 | A lot of folks have simply removed it, when they also called |
| 10 | gnutls_set_default_priority. This is what we now also do. If |
| 11 | this causes problems or someone has an idea of how to replace |
| 12 | the deprecated function in a better way, please let us know! |
| 13 | In any case, we use it as long as it is available and let |
| 14 | not insult us by the deprecation warnings. |
| 15 | |
| 16 | Upstream-Status: Backport |
| 17 | Signed-off-by: Tudor Florea <tudor.florea@enea.com> |
| 18 | |
| 19 | --- |
| 20 | configure.ac | 1 + |
| 21 | runtime/nsd_gtls.c | 18 ++++++++++++++++-- |
| 22 | 2 files changed, 17 insertions(+), 2 deletions(-) |
| 23 | |
| 24 | diff --git a/configure.ac b/configure.ac |
| 25 | index 56835fb..1c2be01 100644 |
| 26 | --- a/configure.ac |
| 27 | +++ b/configure.ac |
| 28 | @@ -765,6 +765,7 @@ if test "x$enable_gnutls" = "xyes"; then |
| 29 | AC_DEFINE([ENABLE_GNUTLS], [1], [Indicator that GnuTLS is present]) |
| 30 | AC_CHECK_LIB(gnutls, gnutls_global_init) |
| 31 | AC_CHECK_FUNCS(gnutls_certificate_set_retrieve_function,,) |
| 32 | + AC_CHECK_FUNCS(gnutls_certificate_type_set_priority,,) |
| 33 | fi |
| 34 | AM_CONDITIONAL(ENABLE_GNUTLS, test x$enable_gnutls = xyes) |
| 35 | |
| 36 | diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c |
| 37 | index e127834..4b6aab1 100644 |
| 38 | --- a/runtime/nsd_gtls.c |
| 39 | +++ b/runtime/nsd_gtls.c |
| 40 | @@ -1658,8 +1658,9 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host) |
| 41 | nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; |
| 42 | int sock; |
| 43 | int gnuRet; |
| 44 | - /* TODO: later? static const int cert_type_priority[3] = { GNUTLS_CRT_X509, GNUTLS_CRT_OPENPGP, 0 };*/ |
| 45 | +# if HAVE_GNUTLS_CERTIFICATE_TYPE_SET_PRIORITY |
| 46 | static const int cert_type_priority[2] = { GNUTLS_CRT_X509, 0 }; |
| 47 | +# endif |
| 48 | DEFiRet; |
| 49 | |
| 50 | ISOBJ_TYPE_assert(pThis, nsd_gtls); |
| 51 | @@ -1688,14 +1689,27 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host) |
| 52 | gnutls_certificate_set_retrieve_function(xcred, gtlsClientCertCallback); |
| 53 | # else |
| 54 | gnutls_certificate_client_set_retrieve_function(xcred, gtlsClientCertCallback); |
| 55 | -# endif |
| 56 | +# endif |
| 57 | } else if(iRet != RS_RET_CERTLESS) { |
| 58 | FINALIZE; /* we have an error case! */ |
| 59 | } |
| 60 | |
| 61 | /* Use default priorities */ |
| 62 | CHKgnutls(gnutls_set_default_priority(pThis->sess)); |
| 63 | +# if HAVE_GNUTLS_CERTIFICATE_TYPE_SET_PRIORITY |
| 64 | + /* The gnutls_certificate_type_set_priority function is deprecated |
| 65 | + * and not available in recent GnuTLS versions. However, there is no |
| 66 | + * doc how to properly replace it with gnutls_priority_set_direct. |
| 67 | + * A lot of folks have simply removed it, when they also called |
| 68 | + * gnutls_set_default_priority. This is what we now also do. If |
| 69 | + * this causes problems or someone has an idea of how to replace |
| 70 | + * the deprecated function in a better way, please let us know! |
| 71 | + * In any case, we use it as long as it is available and let |
| 72 | + * not insult us by the deprecation warnings. |
| 73 | + * 2015-05-18 rgerhards |
| 74 | + */ |
| 75 | CHKgnutls(gnutls_certificate_type_set_priority(pThis->sess, cert_type_priority)); |
| 76 | +# endif |
| 77 | |
| 78 | /* put the x509 credentials to the current session */ |
| 79 | CHKgnutls(gnutls_credentials_set(pThis->sess, GNUTLS_CRD_CERTIFICATE, xcred)); |