rpms
/
neon
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'da2f7ddcd0'
${ noResults }
neon/neon-0.29.6-gnutls3.patch

141 lines
5.9 KiB
Raw Normal View History Unescape

fix build with gnutls3 - patch by Bartosz Brachaczek
12 years ago
diff -up neon-0.29.6/macros/neon.m4.gnutls3 neon-0.29.6/macros/neon.m4
--- neon-0.29.6/macros/neon.m4.gnutls3 2011-05-03 14:14:56.000000000 +0200
+++ neon-0.29.6/macros/neon.m4 2013-02-25 09:25:30.373456383 +0100
@@ -982,12 +982,13 @@ gnutls)
# Check for functions in later releases
NE_CHECK_FUNCS([gnutls_session_get_data2 gnutls_x509_dn_get_rdn_ava \
gnutls_sign_callback_set \
+ gnutls_certificate_get_issuer \
gnutls_certificate_get_x509_cas \
- gnutls_certificate_verify_peers2])
+ gnutls_x509_crt_sign2])
- # fail if gnutls_certificate_verify_peers2 is not found
- if test x${ac_cv_func_gnutls_certificate_verify_peers2} != xyes; then
- AC_MSG_ERROR([GnuTLS version predates gnutls_certificate_verify_peers2, newer version required])
+ # fail if gnutls_x509_crt_sign2 is not found (it was introduced in 1.2.0, which is required)
+ if test x${ac_cv_func_gnutls_x509_crt_sign2} != xyes; then
+ AC_MSG_ERROR([GnuTLS version predates gnutls_x509_crt_sign2, newer version required (at least 1.2.0)])
fi
# Check for iconv support if using the new RDN access functions:
diff -up neon-0.29.6/src/ne_gnutls.c.gnutls3 neon-0.29.6/src/ne_gnutls.c
--- neon-0.29.6/src/ne_gnutls.c.gnutls3 2011-05-03 14:07:08.000000000 +0200
+++ neon-0.29.6/src/ne_gnutls.c 2013-02-25 09:25:30.375456392 +0100
@@ -83,7 +83,7 @@ struct ne_ssl_certificate_s {
};
struct ne_ssl_client_cert_s {
- gnutls_pkcs12 p12;
+ gnutls_pkcs12_t p12;
int decrypted; /* non-zero if successfully decrypted. */
int keyless;
ne_ssl_certificate cert;
@@ -692,7 +692,7 @@ void ne_ssl_context_destroy(ne_ssl_conte
ne_free(ctx);
}
-#ifdef HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS
+#if !defined(HAVE_GNUTLS_CERTIFICATE_GET_ISSUER) && defined(HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS)
/* Return the issuer of the given certificate, or NULL if none can be
* found. */
static gnutls_x509_crt find_issuer(gnutls_x509_crt *ca_list,
@@ -747,20 +747,29 @@ static ne_ssl_certificate *make_peers_ch
}
}
-#ifdef HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS
+#if defined(HAVE_GNUTLS_CERTIFICATE_GET_ISSUER) || defined(HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS)
/* GnuTLS only returns the peers which were *sent* by the server
* in the Certificate list during the handshake. Fill in the
* complete chain manually against the certs we trust: */
if (current->issuer == NULL) {
gnutls_x509_crt issuer;
+
+#ifndef HAVE_GNUTLS_CERTIFICATE_GET_ISSUER
gnutls_x509_crt *ca_list;
unsigned int num_cas;
gnutls_certificate_get_x509_cas(crd, &ca_list, &num_cas);
+#endif
do {
/* Look up the issuer. */
+#ifndef HAVE_GNUTLS_CERTIFICATE_GET_ISSUER
issuer = find_issuer(ca_list, num_cas, current->subject);
+#else
+ if (gnutls_certificate_get_issuer(crd, current->subject, &issuer, 0))
+ issuer = NULL;
+#endif
+
if (issuer) {
issuer = x509_crt_copy(issuer);
cert = populate_cert(ne_calloc(sizeof *cert), issuer);
@@ -1032,11 +1041,11 @@ static int read_to_datum(const char *fil
/* Parses a PKCS#12 structure and loads the certificate, private key
* and friendly name if possible. Returns zero on success, non-zero
* on error. */
-static int pkcs12_parse(gnutls_pkcs12 p12, gnutls_x509_privkey *pkey,
+static int pkcs12_parse(gnutls_pkcs12_t p12, gnutls_x509_privkey *pkey,
gnutls_x509_crt *x5, char **friendly_name,
const char *password)
{
- gnutls_pkcs12_bag bag = NULL;
+ gnutls_pkcs12_bag_t bag = NULL;
int i, j, ret = 0;
for (i = 0; ret == 0; ++i) {
@@ -1051,7 +1060,7 @@ static int pkcs12_parse(gnutls_pkcs12 p1
gnutls_pkcs12_bag_decrypt(bag, password);
for (j = 0; ret == 0 && j < gnutls_pkcs12_bag_get_count(bag); ++j) {
- gnutls_pkcs12_bag_type type;
+ gnutls_pkcs12_bag_type_t type;
gnutls_datum data;
if (friendly_name && *friendly_name == NULL) {
@@ -1121,7 +1130,7 @@ ne_ssl_client_cert *ne_ssl_clicert_read(
{
int ret;
gnutls_datum data;
- gnutls_pkcs12 p12;
+ gnutls_pkcs12_t p12;
ne_ssl_client_cert *cc;
char *friendly_name = NULL;
gnutls_x509_crt cert = NULL;
diff -up neon-0.29.6/src/ne_socket.c.gnutls3 neon-0.29.6/src/ne_socket.c
--- neon-0.29.6/src/ne_socket.c.gnutls3 2010-10-09 18:07:17.000000000 +0200
+++ neon-0.29.6/src/ne_socket.c 2013-02-25 09:25:30.376456395 +0100
@@ -721,9 +721,11 @@ static ssize_t error_gnutls(ne_socket *s
_("SSL alert received: %s"),
gnutls_alert_get_name(gnutls_alert_get(sock->ssl)));
break;
+#if GNUTLS_VERSION_MAJOR > 2 || (GNUTLS_VERSION_MAJOR == 2 && GNUTLS_VERSION_MINOR >= 99)
+ case GNUTLS_E_PREMATURE_TERMINATION:
+#else
case GNUTLS_E_UNEXPECTED_PACKET_LENGTH:
- /* It's not exactly an API guarantee but this error will
- * always mean a premature EOF. */
+#endif
ret = NE_SOCK_TRUNC;
set_error(sock, _("Secure connection truncated"));
break;
@@ -1678,6 +1680,8 @@ int ne_sock_accept_ssl(ne_socket *sock,
NE_DEBUG(NE_DBG_SSL, "ssl: Server reused session.\n");
}
#elif defined(HAVE_GNUTLS)
+ unsigned int verify_status;
+
gnutls_init(&ssl, GNUTLS_SERVER);
gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
gnutls_set_default_priority(ssl);
@@ -1697,7 +1701,7 @@ int ne_sock_accept_ssl(ne_socket *sock,
if (ret < 0) {
return error_gnutls(sock, ret);
}
- if (ctx->verify && gnutls_certificate_verify_peers(ssl)) {
+ if (ctx->verify && (gnutls_certificate_verify_peers2(ssl, &verify_status) || verify_status)) {
set_error(sock, _("Client certificate verification failed"));
return NE_SOCK_ERROR;
}