Check for gnutls_pkcs12_simple_parse() in GnuTLS
authorDavid Woodhouse <David.Woodhouse@intel.com>
Thu, 7 Jun 2012 12:21:07 +0000 (13:21 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Thu, 7 Jun 2012 12:21:07 +0000 (13:21 +0100)
Our modifications made it upstream...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
configure.ac
gnutls.c
gnutls_pkcs12.c

index 3c42cb7..ec3101b 100644 (file)
@@ -198,6 +198,11 @@ elif test "$with_gnutls" = "shibboleet"; then
     fi
     with_openssl=no
     ssl_library=gnutls
+    oldlibs="$LIBS"
+    LIBS="$LIBS $GNUTLS_LIBS"
+    AC_CHECK_FUNC(gnutls_pkcs12_simple_parse,
+                [AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)], [])
+    LIBS="$oldLIBS"
 elif test "$with_gnutls" != "" && test "$with_gnutls" != "no"; then
     AC_MSG_ERROR([Values other than 'yes' or 'no' for --with-gnutls are not supported])
 fi
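Review bot: The restore on the last added line reads `$oldLIBS`, but the value saved four lines earlier went into `oldlibs`; shell variable names are case-sensitive, so after the check `LIBS` is set to an empty string instead of its previous contents, and anything that was in LIBS before this point is silently dropped from every later link test and from the final link line. Use the same spelling on both sides, e.g. `oldLIBS="$LIBS"` for the save (or `LIBS="$oldlibs"` for the restore). A secondary consequence is that if a later check then fails to link, the only symptom is a missing library at link time rather than a clear configure error, which makes the miscase hard to trace. If the project generates config.h through autoheader, `AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)` with no description argument may also draw a missing-template warning; adding a third argument such as `[Define if GnuTLS exports gnutls_pkcs12_simple_parse()]` avoids that.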
index a12cf6e..638cc04 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -264,8 +264,11 @@ static int load_datum(struct openconnect_info *vpninfo,
        return 0;
 }
 
-/* Pull in our local copy of GnuTLS's parse_pkcs12() function, for now */
+#ifndef HAVE_GNUTLS_PKCS12_SIMPLE_PARSE
+/* If we're using a version of GnuTLS from before this was 
+   exported, pull in our local copy. */
 #include "gnutls_pkcs12.c"
+#endif
 
 /* A non-zero, non-error return to make load_certificate() continue and
    interpreting the file as other types */
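Review bot: The new guard makes two different implementations reachable under one name — the upstream GnuTLS 3.1 export when HAVE_GNUTLS_PKCS12_SIMPLE_PARSE is defined, and the locally carried copy (defined `static` in gnutls_pkcs12.c, as the other file's hunk shows) otherwise — and the comment should say that fixes landing upstream in gnutls_pkcs12_simple_parse() do not reach builds that take the fallback path, since this is PKCS#12 parsing of user-supplied credential files and a future upstream hardening fix would quietly bypass older-GnuTLS builds. I would extend the added comment to something like `/* GnuTLS < 3.1 did not export this; use the local copy. Upstream fixes to gnutls_pkcs12_simple_parse() do NOT reach this path — keep gnutls_pkcs12.c in sync. */`. Presumably the configure check fails only on a GnuTLS that lacks the symbol, but if it ever fails for link-environment reasons on a GnuTLS whose headers do declare the function, the `static` definition in the included file would conflict with that declaration at compile time, which is the safer failure mode and worth stating. The first added comment line also carries trailing whitespace after `was`.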
@@ -339,8 +342,8 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
                return ret;
        }
 
-       err = parse_pkcs12(vpninfo->https_cred, p12, pass, key, cert,
-                          extra_certs, nr_extra_certs, crl);
+       err = gnutls_pkcs12_simple_parse(vpninfo->https_cred, p12, pass, key,
+                                        cert, extra_certs, nr_extra_certs, crl);
        gnutls_pkcs12_deinit(p12);
        if (err) {
                vpn_progress(vpninfo, PRG_ERR,
index 393a838..0d788cb 100644 (file)
@@ -1,14 +1,8 @@
 /*
- * Ick. This is (or at least started off as) a straight copy of
- * parse_pkcs12() from GnuTLS lib/gnutls_x509.c, as of commit ID
- * 77670476814c078bbad56ce8772b192a3b5736b6 on the gnutls_2_12_x
- * branch.
- *
- * We need to *see* the cert so that we can check its expiry, and
- * we'll also want to get all the other certs in the PKCS#12 file
- * rather than only the leaf node. Hopefully these changes can be
- * merged back into GnuTLS as soon as possible, it can be made a
- * public function, and this copy can die.
+ * This is (now) gnutls_pkcs12_simple_parse() from GnuTLS 3.1, although
+ * it was actually taken from parse_pkcs12() in GnuTLS 2.12.x (where it
+ * was under LGPLv2.1) and modified locally. The modifications were
+ * accepted back into GnuTLS in commit 9a43e8fa.
  */
 #define opaque unsigned char
 #define gnutls_assert() do {} while(0)
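Review bot: The rewritten header comment explains where the code came from but not how this file is built, which a reader of a standalone `.c` file will reasonably get wrong: it is compiled only by being `#include`d from gnutls.c under `#ifndef HAVE_GNUTLS_PKCS12_SIMPLE_PARSE`, and the definition below is `static` even though it now shares the name of a public GnuTLS 3.1 symbol. I would add one sentence before the closing ` */`, e.g. ` * Compiled only via #include from gnutls.c when configure finds no exported gnutls_pkcs12_simple_parse(); the copy is static so it never clashes with a GnuTLS that does export it.` The old text gave a full upstream commit id to diff against; the new text gives only the short `9a43e8fa`, so keeping it alongside the GnuTLS version it was last compared with would preserve that traceability.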
 
 
 static int
-parse_pkcs12 (gnutls_certificate_credentials_t res,
-              gnutls_pkcs12_t p12,
-              const char *password,
-              gnutls_x509_privkey_t * key,
-              gnutls_x509_crt_t * cert,
-              gnutls_x509_crt_t ** extra_certs_ret,
-              unsigned int * extra_certs_ret_len,
-              gnutls_x509_crl_t * crl)
+gnutls_pkcs12_simple_parse (gnutls_certificate_credentials_t res,
+                           gnutls_pkcs12_t p12,
+                           const char *password,
+                           gnutls_x509_privkey_t * key,
+                           gnutls_x509_crt_t * cert,
+                           gnutls_x509_crt_t ** extra_certs_ret,
+                           unsigned int * extra_certs_ret_len,
+                           gnutls_x509_crl_t * crl)
 {
   gnutls_pkcs12_bag_t bag = NULL;
   gnutls_x509_crt_t *extra_certs = NULL;