From 911605689b3e7c525624db398e908fb87827c2dd Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Thu, 7 Jun 2012 13:21:07 +0100
Subject: [PATCH] Check for gnutls_pkcs12_simple_parse() in GnuTLS

Our modifications made it upstream...

Signed-off-by: David Woodhouse
---
 configure.ac | 5 +++++
 gnutls.c | 9 ++++++---
 gnutls_pkcs12.c | 30 ++++++++++++------------------
 3 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3c42cb7..ec3101b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -198,6 +198,11 @@ elif test "$with_gnutls" = "shibboleet"; then
 fi
 with_openssl=no
 ssl_library=gnutls
+ oldlibs="$LIBS"
+ LIBS="$LIBS $GNUTLS_LIBS"
+ AC_CHECK_FUNC(gnutls_pkcs12_simple_parse,
+ [AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)], [])
+ LIBS="$oldLIBS"
 elif test "$with_gnutls" != "" && test "$with_gnutls" != "no"; then
 AC_MSG_ERROR([Values other than 'yes' or 'no' for --with-gnutls are not supported])
 fi
diff --git a/gnutls.c b/gnutls.c
index a12cf6e..638cc04 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -264,8 +264,11 @@ static int load_datum(struct openconnect_info *vpninfo,
 return 0;
 }
 
-/* Pull in our local copy of GnuTLS's parse_pkcs12() function, for now */
+#ifndef HAVE_GNUTLS_PKCS12_SIMPLE_PARSE
+/* If we're using a version of GnuTLS from before this was
+ exported, pull in our local copy. */
 #include "gnutls_pkcs12.c"
+#endif
 
 /* A non-zero, non-error return to make load_certificate() continue and
 interpreting the file as other types */
@@ -339,8 +342,8 @@ static int load_pkcs12_certificate(struct openconnect_info *vpninfo,
 return ret;
 }
 
- err = parse_pkcs12(vpninfo->https_cred, p12, pass, key, cert,
- extra_certs, nr_extra_certs, crl);
+ err = gnutls_pkcs12_simple_parse(vpninfo->https_cred, p12, pass, key,
+ cert, extra_certs, nr_extra_certs, crl);
 gnutls_pkcs12_deinit(p12);
 if (err) {
 vpn_progress(vpninfo, PRG_ERR,
diff --git a/gnutls_pkcs12.c b/gnutls_pkcs12.c
index 393a838..0d788cb 100644
--- a/gnutls_pkcs12.c
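Review bot: The restore line `+ LIBS="$oldLIBS"` does not undo what `+ oldlibs="$LIBS"` saved: shell variable names are case-sensitive, so after the probe LIBS is overwritten with the value of `$oldLIBS` (presumably unset, hence empty) and whatever LIBS held before this block is lost for every later link test and for the final link line. Change it to `LIBS="$oldlibs"`, or spell both as `oldLIBS`. Because the probe itself links with `$GNUTLS_LIBS` appended, a silently emptied LIBS afterwards also makes any subsequent AC_CHECK_FUNC/AC_CHECK_LIB probes run under different flags than the real build, so it is worth re-reading config.log once the name is fixed.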
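Review bot: The new `#ifndef HAVE_GNUTLS_PKCS12_SIMPLE_PARSE` only selects the right path if the AC_DEFINE from configure.ac reaches this translation unit, i.e. config.h must already be included in gnutls.c above this point, which the hunk does not show and is worth confirming, since with the macro never defined the local copy is always compiled in. In that fallback the included file defines a `static` function bearing the exported symbol's name, so on a GnuTLS whose `<gnutls/pkcs12.h>` already declares `gnutls_pkcs12_simple_parse` a failed or stale probe turns into a conflicting-declaration compile error rather than a working build. I would also have the comment say where the macro comes from, e.g. `/* HAVE_GNUTLS_PKCS12_SIMPLE_PARSE is set by the AC_CHECK_FUNC probe in configure.ac; older GnuTLS does not export the function, so compile our local copy instead. */`.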
+++ b/gnutls_pkcs12.c
@@ -1,14 +1,8 @@
 /*
- * Ick. This is (or at least started off as) a straight copy of
- * parse_pkcs12() from GnuTLS lib/gnutls_x509.c, as of commit ID
- * 77670476814c078bbad56ce8772b192a3b5736b6 on the gnutls_2_12_x
- * branch.
- *
- * We need to *see* the cert so that we can check its expiry, and
- * we'll also want to get all the other certs in the PKCS#12 file
- * rather than only the leaf node. Hopefully these changes can be
- * merged back into GnuTLS as soon as possible, it can be made a
- * public function, and this copy can die.
+ * This is (now) gnutls_pkcs12_simple_parse() from GnuTLS 3.1, although
+ * it was actually taken from parse_pkcs12() in GnuTLS 2.12.x (where it
+ * was under LGPLv2.1) and modified locally. The modifications were
+ * accepted back into GnuTLS in commit 9a43e8fa.
  */
 #define opaque unsigned char
 #define gnutls_assert() do {} while(0)
@@ -40,14 +34,14 @@
 
 
 static int
-parse_pkcs12 (gnutls_certificate_credentials_t res,
- gnutls_pkcs12_t p12,
- const char *password,
- gnutls_x509_privkey_t * key,
- gnutls_x509_crt_t * cert,
- gnutls_x509_crt_t ** extra_certs_ret,
- unsigned int * extra_certs_ret_len,
- gnutls_x509_crl_t * crl)
+gnutls_pkcs12_simple_parse (gnutls_certificate_credentials_t res,
+ gnutls_pkcs12_t p12,
+ const char *password,
+ gnutls_x509_privkey_t * key,
+ gnutls_x509_crt_t * cert,
+ gnutls_x509_crt_t ** extra_certs_ret,
+ unsigned int * extra_certs_ret_len,
+ gnutls_x509_crl_t * crl)
 {
 gnutls_pkcs12_bag_t bag = NULL;
 gnutls_x509_crt_t *extra_certs = NULL;
-- 
2.7.4
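Review bot: The renamed definition keeps `static` while now carrying the exact name of the symbol GnuTLS exports, and this file is only pulled in (via `#include` from gnutls.c) when the configure probe says the library lacks it; if that probe is wrong or stale on a GnuTLS whose `<gnutls/pkcs12.h>` already declares `gnutls_pkcs12_simple_parse`, the static definition conflicts with the header's non-static declaration and the translation unit fails to compile. Giving the local copy its own name and aliasing it keeps the fallback self-contained, e.g. `static int openconnect_pkcs12_simple_parse (gnutls_certificate_credentials_t res, ...)` followed by `#define gnutls_pkcs12_simple_parse openconnect_pkcs12_simple_parse`, so the two can never collide regardless of what the headers declare. A one-line comment above the signature noting that the parameter list must stay identical to the exported GnuTLS function, because load_pkcs12_certificate() calls it the same way on both paths, would also help the next person who touches it. The function body continues past the end of this hunk.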