GnuTLS: Fix build bit various GnuTLS versions

This fixes some build issues in the GnuTLS wrapper so that it builds with
at least following GnuTLS versions: 2.2.5, 2.4.3, 2.6.6, 2.8.6,
2.10.5, 2.12.11, 3.0.3.
Jouni Malinen 2011-09-25 19:32:28 +03:00
parent 5c47af9a7a
commit e655e1f512


@ -1,6 +1,6 @@
/* /*
* SSL/TLS interface functions for GnuTLS * SSL/TLS interface functions for GnuTLS
* Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi> * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
@ -35,12 +35,8 @@ int gnutls_ia_verify_endphase(gnutls_session_t session, char *checksum);
#include "tls.h" #include "tls.h"
#ifndef TLS_RANDOM_SIZE #define WPA_TLS_RANDOM_SIZE 32
#define TLS_RANDOM_SIZE 32 #define WPA_TLS_MASTER_SIZE 48
#endif
#ifndef TLS_MASTER_SIZE
#define TLS_MASTER_SIZE 48
#endif
#if LIBGNUTLS_VERSION_NUMBER < 0x010302 #if LIBGNUTLS_VERSION_NUMBER < 0x010302
@ -77,9 +73,9 @@ typedef struct {
gnutls_mac_algorithm_t write_mac_algorithm; gnutls_mac_algorithm_t write_mac_algorithm;
gnutls_compression_method_t write_compression_algorithm; gnutls_compression_method_t write_compression_algorithm;
cipher_suite_st current_cipher_suite; cipher_suite_st current_cipher_suite;
opaque master_secret[TLS_MASTER_SIZE]; opaque master_secret[WPA_TLS_MASTER_SIZE];
opaque client_random[TLS_RANDOM_SIZE]; opaque client_random[WPA_TLS_RANDOM_SIZE];
opaque server_random[TLS_RANDOM_SIZE]; opaque server_random[WPA_TLS_RANDOM_SIZE];
/* followed by stuff we are not interested in */ /* followed by stuff we are not interested in */
} security_parameters_st; } security_parameters_st;
@ -131,7 +127,7 @@ struct tls_connection {
u8 *session_keys; u8 *session_keys;
size_t session_keys_len; size_t session_keys_len;
u8 inner_secret[TLS_MASTER_SIZE]; u8 inner_secret[WPA_TLS_MASTER_SIZE];
#endif /* GNUTLS_IA */ #endif /* GNUTLS_IA */
}; };
@ -285,8 +281,12 @@ static ssize_t tls_push_func(gnutls_transport_ptr ptr, const void *buf,
static int tls_gnutls_init_session(struct tls_global *global, static int tls_gnutls_init_session(struct tls_global *global,
struct tls_connection *conn) struct tls_connection *conn)
{ {
#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
const char *err;
#else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */
const int cert_types[2] = { GNUTLS_CRT_X509, 0 }; const int cert_types[2] = { GNUTLS_CRT_X509, 0 };
const int protos[2] = { GNUTLS_TLS1, 0 }; const int protos[2] = { GNUTLS_TLS1, 0 };
#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */
int ret; int ret;
ret = gnutls_init(&conn->session, ret = gnutls_init(&conn->session,
@ -301,6 +301,15 @@ static int tls_gnutls_init_session(struct tls_global *global,
if (ret < 0) if (ret < 0)
goto fail; goto fail;
#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
ret = gnutls_priority_set_direct(conn->session, "NORMAL:-VERS-SSL3.0",
&err);
if (ret < 0) {
wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at "
"'%s'", err);
goto fail;
}
#else /* LIBGNUTLS_VERSION_NUMBER >= 0x020200 */
ret = gnutls_certificate_type_set_priority(conn->session, cert_types); ret = gnutls_certificate_type_set_priority(conn->session, cert_types);
if (ret < 0) if (ret < 0)
goto fail; goto fail;
@ -308,6 +317,7 @@ static int tls_gnutls_init_session(struct tls_global *global,
ret = gnutls_protocol_set_priority(conn->session, protos); ret = gnutls_protocol_set_priority(conn->session, protos);
if (ret < 0) if (ret < 0)
goto fail; goto fail;
#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020200 */
gnutls_transport_set_pull_function(conn->session, tls_pull_func); gnutls_transport_set_pull_function(conn->session, tls_pull_func);
gnutls_transport_set_push_function(conn->session, tls_push_func); gnutls_transport_set_push_function(conn->session, tls_push_func);
@ -597,11 +607,13 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5); conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
} }
#if LIBGNUTLS_VERSION_NUMBER >= 0x020800
if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) { if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
gnutls_certificate_set_verify_flags( gnutls_certificate_set_verify_flags(
conn->xcred, conn->xcred,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS); GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
} }
#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020800 */
} }
if (params->client_cert && params->private_key) { if (params->client_cert && params->private_key) {
@ -729,11 +741,13 @@ int tls_global_set_params(void *tls_ctx,
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5); GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
} }
#if LIBGNUTLS_VERSION_NUMBER >= 0x020800
if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) { if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
gnutls_certificate_set_verify_flags( gnutls_certificate_set_verify_flags(
global->xcred, global->xcred,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS); GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
} }
#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020800 */
} }
if (params->client_cert && params->private_key) { if (params->client_cert && params->private_key) {
@ -822,10 +836,11 @@ int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
os_memset(keys, 0, sizeof(*keys)); os_memset(keys, 0, sizeof(*keys));
#if LIBGNUTLS_VERSION_NUMBER < 0x020c00
#ifdef GNUTLS_INTERNAL_STRUCTURE_HACK #ifdef GNUTLS_INTERNAL_STRUCTURE_HACK
sec = &conn->session->security_parameters; sec = &conn->session->security_parameters;
keys->master_key = sec->master_secret; keys->master_key = sec->master_secret;
keys->master_key_len = TLS_MASTER_SIZE; keys->master_key_len = WPA_TLS_MASTER_SIZE;
keys->client_random = sec->client_random; keys->client_random = sec->client_random;
keys->server_random = sec->server_random; keys->server_random = sec->server_random;
#else /* GNUTLS_INTERNAL_STRUCTURE_HACK */ #else /* GNUTLS_INTERNAL_STRUCTURE_HACK */
@ -835,16 +850,19 @@ int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
(u8 *) gnutls_session_get_server_random(conn->session); (u8 *) gnutls_session_get_server_random(conn->session);
/* No access to master_secret */ /* No access to master_secret */
#endif /* GNUTLS_INTERNAL_STRUCTURE_HACK */ #endif /* GNUTLS_INTERNAL_STRUCTURE_HACK */
#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020c00 */
#ifdef GNUTLS_IA #ifdef GNUTLS_IA
gnutls_ia_extract_inner_secret(conn->session, gnutls_ia_extract_inner_secret(conn->session,
(char *) conn->inner_secret); (char *) conn->inner_secret);
keys->inner_secret = conn->inner_secret; keys->inner_secret = conn->inner_secret;
keys->inner_secret_len = TLS_MASTER_SIZE; keys->inner_secret_len = WPA_TLS_MASTER_SIZE;
#endif /* GNUTLS_IA */ #endif /* GNUTLS_IA */
keys->client_random_len = TLS_RANDOM_SIZE; #if LIBGNUTLS_VERSION_NUMBER < 0x020c00
keys->server_random_len = TLS_RANDOM_SIZE; keys->client_random_len = WPA_TLS_RANDOM_SIZE;
keys->server_random_len = WPA_TLS_RANDOM_SIZE;
#endif /* LIBGNUTLS_VERSION_NUMBER < 0x020c00 */
return 0; return 0;
} }
@ -883,11 +901,13 @@ static int tls_connection_verify_peer(struct tls_connection *conn,
if (conn->verify_peer && (status & GNUTLS_CERT_INVALID)) { if (conn->verify_peer && (status & GNUTLS_CERT_INVALID)) {
wpa_printf(MSG_INFO, "TLS: Peer certificate not trusted"); wpa_printf(MSG_INFO, "TLS: Peer certificate not trusted");
*err = GNUTLS_A_INTERNAL_ERROR;
if (status & GNUTLS_CERT_INSECURE_ALGORITHM) { if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
wpa_printf(MSG_INFO, "TLS: Certificate uses insecure " wpa_printf(MSG_INFO, "TLS: Certificate uses insecure "
"algorithm"); "algorithm");
*err = GNUTLS_A_INSUFFICIENT_SECURITY; *err = GNUTLS_A_INSUFFICIENT_SECURITY;
} }
#if LIBGNUTLS_VERSION_NUMBER >= 0x020800
if (status & GNUTLS_CERT_NOT_ACTIVATED) { if (status & GNUTLS_CERT_NOT_ACTIVATED) {
wpa_printf(MSG_INFO, "TLS: Certificate not yet " wpa_printf(MSG_INFO, "TLS: Certificate not yet "
"activated"); "activated");
@ -897,6 +917,7 @@ static int tls_connection_verify_peer(struct tls_connection *conn,
wpa_printf(MSG_INFO, "TLS: Certificate expired"); wpa_printf(MSG_INFO, "TLS: Certificate expired");
*err = GNUTLS_A_CERTIFICATE_EXPIRED; *err = GNUTLS_A_CERTIFICATE_EXPIRED;
} }
#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020800 */
return -1; return -1;
} }
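Review bot: In tls_connection_get_keys, the new `#if LIBGNUTLS_VERSION_NUMBER < 0x020c00` guards compile out every assignment to master_key, client_random, server_random and their lengths, yet the function still ends with the unconditional `return 0;`, so on GnuTLS 2.12 and later a caller receives the memset-zeroed `keys` (NULL randoms, zero lengths) reported as success and cannot distinguish that from a populated result. Unless a replacement key-export path exists elsewhere in the file, an `#else` branch on that first conditional reading `wpa_printf(MSG_DEBUG, "GnuTLS: No access to TLS session keys"); return -1;` would make the limitation fail loudly instead of silently feeding zero-length material into key derivation (if the GNUTLS_IA inner-secret path is meant to stand on its own, gate the error on that instead). The opening lines of tls_connection_get_keys are outside the hunk, so any earlier early-return there is not visible here.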