# HG changeset patch
# User Sebastien Decugis
# Date 1371623937 -28800
# Node ID 33ad82ffbdde8e2cdca45c0d97f8dff96698a0e3
# Parent 5d0d300a7cd9626a176b27f74d7255b42b24992f
Make GNU TLS 3.x mandatory since we want to support DTLS. Removed the old compatibility code.
diff -r 5d0d300a7cd9 -r 33ad82ffbdde cmake/Modules/FindGnuTLS.cmake
--- a/cmake/Modules/FindGnuTLS.cmake	Tue Jun 18 17:05:44 2013 +0800
+++ b/cmake/Modules/FindGnuTLS.cmake	Wed Jun 19 14:38:57 2013 +0800
@@ -1,13 +1,11 @@
 # - Find gnutls
-# Find the native GNUTLS includes and library
+# Find the native GNUTLS includes and library. Version 3.0.0 at least is required
 #
 # GNUTLS_FOUND - True if gnutls found.
 # GNUTLS_INCLUDE_DIR - where to find gnutls.h, etc.
 # GNUTLS_LIBRARIES - List of libraries when using gnutls.
-# GNUTLS_VERSION_210 - true if GnuTLS version is >= 2.10.0 (does not require additional separate gcrypt initialization)
-# GNUTLS_VERSION_212 - true if GnuTLS version is >= 2.12.0 (supports gnutls_transport_set_vec_push_function)
-# GNUTLS_VERSION_300 - true if GnuTLS version is >= 3.00.0 (x509 verification functions changed)
 # GNUTLS_VERSION_310 - true if GnuTLS version is >= 3.01.0 (stabilization branch with new APIs)
+# GNUTLS_VERSION_322 - true if GnuTLS version is >= 3.2.2 (DTLS over SCTP improvements)
 
 if (GNUTLS_INCLUDE_DIR AND GNUTLS_LIBRARIES)
   set(GNUTLS_FIND_QUIETLY TRUE)
@@ -46,19 +44,17 @@ IF( NOT( "${GNUTLS_VERSION_TEST_FOR}" STREQUAL "${GNUTLS_LIBRARY}" )) INCLUDE (CheckLibraryExists) MESSAGE(STATUS "Checking GNUTLS version") - UNSET(GNUTLS_VERSION_210) - UNSET(GNUTLS_VERSION_210 CACHE) - UNSET(GNUTLS_VERSION_212) - UNSET(GNUTLS_VERSION_212 CACHE) - UNSET(GNUTLS_VERSION_300) - UNSET(GNUTLS_VERSION_300 CACHE) UNSET(GNUTLS_VERSION_310) UNSET(GNUTLS_VERSION_310 CACHE) + UNSET(GNUTLS_VERSION_322) + UNSET(GNUTLS_VERSION_322 CACHE) GET_FILENAME_COMPONENT(GNUTLS_PATH ${GNUTLS_LIBRARY} PATH) - CHECK_LIBRARY_EXISTS(gnutls gnutls_hash ${GNUTLS_PATH} GNUTLS_VERSION_210) - CHECK_LIBRARY_EXISTS(gnutls gnutls_transport_set_vec_push_function ${GNUTLS_PATH} GNUTLS_VERSION_212) CHECK_LIBRARY_EXISTS(gnutls gnutls_x509_trust_list_verify_crt ${GNUTLS_PATH} GNUTLS_VERSION_300) + IF(!GNUTLS_VERSION_300) + MESSAGE(FATAL_ERROR "GnuTLS found but version is too old, need 3.x at least for DTLS support") + ENDIF(!GNUTLS_VERSION_300) CHECK_LIBRARY_EXISTS(gnutls gnutls_handshake_set_timeout ${GNUTLS_PATH} GNUTLS_VERSION_310) + CHECK_LIBRARY_EXISTS(gnutls gnutls_handshake_set_hook_function ${GNUTLS_PATH} GNUTLS_VERSION_322) SET( GNUTLS_VERSION_TEST_FOR ${GNUTLS_LIBRARY} CACHE INTERNAL "Version the test was made against" ) ENDIF (NOT( "${GNUTLS_VERSION_TEST_FOR}" STREQUAL "${GNUTLS_LIBRARY}" )) ENDIF(GNUTLS_FOUND) diff -r 5d0d300a7cd9 -r 33ad82ffbdde include/freeDiameter/freeDiameter-host.h.in --- a/include/freeDiameter/freeDiameter-host.h.in Tue Jun 18 17:05:44 2013 +0800 +++ b/include/freeDiameter/freeDiameter-host.h.in Wed Jun 19 14:38:57 2013 +0800 @@ -60,10 +60,8 @@ #cmakedefine DIAMID_IDNA_REJECT #cmakedefine DISABLE_PEER_EXPIRY #cmakedefine WORKAROUND_ACCEPT_INVALID_VSAI -#cmakedefine GNUTLS_VERSION_210 -#cmakedefine GNUTLS_VERSION_212 -#cmakedefine GNUTLS_VERSION_300 #cmakedefine GNUTLS_VERSION_310 +#cmakedefine GNUTLS_VERSION_322 #cmakedefine ERRORS_ON_TODO #cmakedefine DEBUG diff -r 5d0d300a7cd9 -r 33ad82ffbdde include/freeDiameter/libfdcore.h 
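Review bot: `IF(!GNUTLS_VERSION_300)` in the FindGnuTLS.cmake hunk can never be true, because CMake's if() has no `!` operator: the token is read as the name of an undefined variable, which evaluates to false, so the FATAL_ERROR meant to enforce the new 3.x minimum is unreachable and a 2.x library only fails later, at compile time, with an unhelpful error. Write it as `IF(NOT GNUTLS_VERSION_300)` … `ENDIF()`. GNUTLS_VERSION_300 is also the only result variable not cleared before its CHECK_LIBRARY_EXISTS call, and that check is skipped when its result is already in the cache, so a stale TRUE from an earlier configure survives a change of GNUTLS_LIBRARY; add `UNSET(GNUTLS_VERSION_300)` and `UNSET(GNUTLS_VERSION_300 CACHE)` next to the 310/322 lines so the gate is actually re-evaluated. The header comment in the first hunk should keep documenting GNUTLS_VERSION_300 as well, since the module still sets it.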
--- a/include/freeDiameter/libfdcore.h Tue Jun 18 17:05:44 2013 +0800 +++ b/include/freeDiameter/libfdcore.h Wed Jun 19 14:38:57 2013 +0800 @@ -44,9 +44,7 @@ #include #include #include -#ifdef GNUTLS_VERSION_300 #include -#endif /* GNUTLS_VERSION_300 */ /* GNUTLS version */ @@ -169,9 +167,7 @@ /* GNUTLS server credential(s) */ gnutls_certificate_credentials_t credentials; /* contains local cert + trust anchors */ - #ifdef GNUTLS_VERSION_300 gnutls_x509_trust_list_t trustlist; /* the logic to check local certificate has changed */ - #endif /* GNUTLS_VERSION_300 */ } cnf_sec_data; diff -r 5d0d300a7cd9 -r 33ad82ffbdde libfdcore/cnxctx.c --- a/libfdcore/cnxctx.c Tue Jun 18 17:05:44 2013 +0800 +++ b/libfdcore/cnxctx.c Wed Jun 19 14:38:57 2013 +0800 @@ -631,7 +631,6 @@ } -#ifdef GNUTLS_VERSION_300 /* The pull_timeout function for gnutls */ static int fd_cnx_s_select (struct cnxctx * conn, unsigned int ms) { @@ -646,7 +645,6 @@ return select (conn->cc_socket + 1, &rfds, NULL, NULL, &tv); } -#endif /* GNUTLS_VERSION_300 */ /* A recv-like function, taking a cnxctx object instead of socket as entry. We use it to quickly react to timeouts without traversing GNUTLS wrapper each time */ ssize_t fd_cnx_s_recv(struct cnxctx * conn, void *buffer, size_t length) @@ -709,17 +707,6 @@ return ret; } -/* Send, for older GNUTLS */ -#ifndef GNUTLS_VERSION_212 -static ssize_t fd_cnx_s_send(struct cnxctx * conn, const void *buffer, size_t length) -{ - struct iovec iov; - iov.iov_base = (void *)buffer; - iov.iov_len = length; - return fd_cnx_s_sendv(conn, &iov, 1); -} -#endif /* GNUTLS_VERSION_212 */ - #define ALIGNOF(t) ((char *)(&((struct { char c; t _h; } *)0)->_h) - (char *)0) /* Could use __alignof__(t) on some systems but this is more portable probably */ #define PMDL_PADDED(len) ( ((len) + ALIGNOF(struct fd_msg_pmdl) - 1) & ~(ALIGNOF(struct fd_msg_pmdl) - 1) ) 
@@ -1176,232 +1163,6 @@ return 0; } -#ifndef GNUTLS_VERSION_300 - -/* Verify remote credentials after successful handshake (return 0 if OK, EINVAL otherwise) */ -int fd_tls_verify_credentials(gnutls_session_t session, struct cnxctx * conn, int verbose) -{ - int i, ret = 0; - unsigned int gtret; - const gnutls_datum_t *cert_list; - unsigned int cert_list_size; - gnutls_x509_crt_t cert; - time_t now; - - TRACE_ENTRY("%p %d", conn, verbose); - CHECK_PARAMS(conn); - - /* Trace the session information -- http://www.gnu.org/software/gnutls/manual/gnutls.html#Obtaining-session-information */ - #ifdef DEBUG - if (verbose) { - const char *tmp; - gnutls_kx_algorithm_t kx; - gnutls_credentials_type_t cred; - - LOG_A("TLS Session information for connection '%s':", conn->cc_id); - - /* print the key exchange's algorithm name */ - GNUTLS_TRACE( kx = gnutls_kx_get (session) ); - GNUTLS_TRACE( tmp = gnutls_kx_get_name (kx) ); - LOG_A("\t - Key Exchange: %s", tmp); - - /* Check the authentication type used and switch - * to the appropriate. */ - GNUTLS_TRACE( cred = gnutls_auth_get_type (session) ); - switch (cred) - { - case GNUTLS_CRD_IA: - LOG_A("\t - TLS/IA session"); - break; - - case GNUTLS_CRD_PSK: - /* This returns NULL in server side. */ - if (gnutls_psk_client_get_hint (session) != NULL) - LOG_A("\t - PSK authentication. PSK hint '%s'", - gnutls_psk_client_get_hint (session)); - /* This returns NULL in client side. */ - if (gnutls_psk_server_get_username (session) != NULL) - LOG_A("\t - PSK authentication. Connected as '%s'", - gnutls_psk_server_get_username (session)); - break; - - case GNUTLS_CRD_ANON: /* anonymous authentication */ - LOG_A("\t - Anonymous DH using prime of %d bits", - gnutls_dh_get_prime_bits (session)); - break; - - case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */ - /* Check if we have been using ephemeral Diffie-Hellman. 
*/ - if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { - LOG_A("\t - Ephemeral DH using prime of %d bits", - gnutls_dh_get_prime_bits (session)); - } - break; -#ifdef ENABLE_SRP - case GNUTLS_CRD_SRP: - LOG_A("\t - SRP session with username %s", - gnutls_srp_server_get_username (session)); - break; -#endif /* ENABLE_SRP */ - - default: - fd_log_debug("\t - Different type of credentials for the session (%d).", cred); - break; - - } - - /* print the protocol's name (ie TLS 1.0) */ - tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); - LOG_A("\t - Protocol: %s", tmp); - - /* print the certificate type of the peer. ie X.509 */ - tmp = gnutls_certificate_type_get_name (gnutls_certificate_type_get (session)); - LOG_A("\t - Certificate Type: %s", tmp); - - /* print the compression algorithm (if any) */ - tmp = gnutls_compression_get_name (gnutls_compression_get (session)); - LOG_A("\t - Compression: %s", tmp); - - /* print the name of the cipher used. ie 3DES. */ - tmp = gnutls_cipher_get_name (gnutls_cipher_get (session)); - LOG_A("\t - Cipher: %s", tmp); - - /* Print the MAC algorithms name. ie SHA1 */ - tmp = gnutls_mac_get_name (gnutls_mac_get (session)); - LOG_A("\t - MAC: %s", tmp); - } - #endif /* DEBUG */ - - /* First, use built-in verification */ - CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, >ret), return EINVAL ); - if (gtret) { - if (TRACE_BOOL(INFO)) { - fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); - if (gtret & GNUTLS_CERT_INVALID) - fd_log_debug(" - The certificate is not trusted (unknown CA? 
expired?)"); - if (gtret & GNUTLS_CERT_REVOKED) - fd_log_debug(" - The certificate has been revoked."); - if (gtret & GNUTLS_CERT_SIGNER_NOT_FOUND) - fd_log_debug(" - The certificate hasn't got a known issuer."); - if (gtret & GNUTLS_CERT_SIGNER_NOT_CA) - fd_log_debug(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); - if (gtret & GNUTLS_CERT_INSECURE_ALGORITHM) - fd_log_debug(" - The certificate signature uses a weak algorithm."); - } - return EINVAL; - } - - /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */ - if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) - return EINVAL; - - GNUTLS_TRACE( cert_list = gnutls_certificate_get_peers (session, &cert_list_size) ); - if (cert_list == NULL) - return EINVAL; - - now = time(NULL); - - #ifdef DEBUG - char serial[40]; - char dn[128]; - size_t size; - unsigned int algo, bits; - time_t expiration_time, activation_time; - - LOG_D("TLS Certificate information for connection '%s' (%d certs provided):", conn->cc_id, cert_list_size); - for (i = 0; i < cert_list_size; i++) - { - - CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL); - CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL); - - LOG_A(" Certificate %d info:", i); - - GNUTLS_TRACE( expiration_time = gnutls_x509_crt_get_expiration_time (cert) ); - GNUTLS_TRACE( activation_time = gnutls_x509_crt_get_activation_time (cert) ); - - LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Certificate is valid since: %.24s", ctime (&activation_time)); - LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Certificate expires: %.24s", ctime (&expiration_time)); - - /* Print the serial number of the certificate. 
*/ - size = sizeof (serial); - gnutls_x509_crt_get_serial (cert, serial, &size); - - { - int j; - char buf[1024]; - snprintf(buf, sizeof(buf), "\t - Certificate serial number: "); - for (j = 0; j < size; j++) { - snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), "%02hhx", serial[j]); - } - LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "%s", buf); - } - - /* Extract some of the public key algorithm's parameters */ - GNUTLS_TRACE( algo = gnutls_x509_crt_get_pk_algorithm (cert, &bits) ); - LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Certificate public key: %s", - gnutls_pk_algorithm_get_name (algo)); - - /* Print the version of the X.509 certificate. */ - LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Certificate version: #%d", - gnutls_x509_crt_get_version (cert)); - - size = sizeof (dn); - GNUTLS_TRACE( gnutls_x509_crt_get_dn (cert, dn, &size) ); - LOG( i ? FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - DN: %s", dn); - - size = sizeof (dn); - GNUTLS_TRACE( gnutls_x509_crt_get_issuer_dn (cert, dn, &size) ); - LOG( i ? 
FD_LOG_ANNOYING : FD_LOG_DEBUG, "\t - Issuer's DN: %s", dn); - - GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) ); - } - #endif /* DEBUG */ - - /* Check validity of all the certificates */ - for (i = 0; i < cert_list_size; i++) - { - time_t deadline; - - CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL); - CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL); - - GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(cert) ); - if ((deadline != (time_t)-1) && (deadline < now)) { - if (TRACE_BOOL(INFO)) { - fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); - fd_log_debug(" - The certificate %d in the chain is expired", i); - } - ret = EINVAL; - } - - GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(cert) ); - if ((deadline != (time_t)-1) && (deadline > now)) { - if (TRACE_BOOL(INFO)) { - fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); - fd_log_debug(" - The certificate %d in the chain is not yet activated", i); - } - ret = EINVAL; - } - - if ((i == 0) && (conn->cc_tls_para.cn)) { - if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { - if (TRACE_BOOL(INFO)) { - fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :", conn->cc_socket, conn->cc_remid, conn->cc_id); - fd_log_debug(" - The certificate hostname does not match '%s'", conn->cc_tls_para.cn); - } - ret = EINVAL; - } - } - - GNUTLS_TRACE( gnutls_x509_crt_deinit (cert) ); - } - - return ret; -} - -#else /* GNUTLS_VERSION_300 */ - /* Verify remote credentials DURING handshake (return gnutls status) */ int fd_tls_verify_credentials_2(gnutls_session_t session) { 
@@ -1635,8 +1396,6 @@ return 0; } -#endif /* GNUTLS_VERSION_300 */ - static int fd_cnx_may_dtls(struct cnxctx * conn) { #ifndef DISABLE_SCTP if ((conn->cc_proto == IPPROTO_SCTP) && (conn->cc_tls_para.algo == ALGO_HANDSHAKE_DEFAULT)) @@ -1689,24 +1448,14 @@ /* Set the transport pointer passed to push & pull callbacks */ GNUTLS_TRACE( gnutls_transport_set_ptr( conn->cc_tls_para.session, (gnutls_transport_ptr_t) conn ) ); - #ifdef GNUTLS_VERSION_300 GNUTLS_TRACE( gnutls_transport_set_pull_timeout_function( conn->cc_tls_para.session, (void *)fd_cnx_s_select ) ); - #endif /* GNUTLS_VERSION_300 */ GNUTLS_TRACE( gnutls_transport_set_pull_function(conn->cc_tls_para.session, (void *)fd_cnx_s_recv) ); - #ifndef GNUTLS_VERSION_212 - GNUTLS_TRACE( gnutls_transport_set_push_function(conn->cc_tls_para.session, (void *)fd_cnx_s_send) ); - #else /* GNUTLS_VERSION_212 */ GNUTLS_TRACE( gnutls_transport_set_vec_push_function(conn->cc_tls_para.session, (void *)fd_cnx_s_sendv) ); - #endif /* GNUTLS_VERSION_212 */ } else { CHECK_FCT( fd_sctp_dtls_settransport(conn->cc_tls_para.session, conn) ); } } - /* additional initialization for gnutls 3.x */ - #ifdef GNUTLS_VERSION_300 - /* the verify function has already been set in the global initialization in config.c */ - /* fd_tls_verify_credentials_2 uses the connection */ gnutls_session_set_ptr (conn->cc_tls_para.session, (void *) conn); @@ -1715,8 +1464,6 @@ CHECK_GNUTLS_DO( gnutls_server_name_set (conn->cc_tls_para.session, GNUTLS_NAME_DNS, conn->cc_tls_para.cn, strlen(conn->cc_tls_para.cn)), /* ignore failure */); } - #endif /* GNUTLS_VERSION_300 */ - #ifdef GNUTLS_VERSION_310 GNUTLS_TRACE( gnutls_handshake_set_timeout( conn->cc_tls_para.session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)); #endif /* GNUTLS_VERSION_310 */ 
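Review bot: Removing the `#ifdef GNUTLS_VERSION_300` block in the @@ -1689 hunk also deleted the only explanation of the `gnutls_session_set_ptr(conn->cc_tls_para.session, (void *) conn)` call that follows it, and that explanation still applies now that the call is unconditional. Keep a one-line comment above the call, e.g. `/* fd_tls_verify_credentials_2 (registered on the credentials in config.c) reads the connection back from this session pointer */`, so the coupling between the verify callback and this pointer stays visible. The same comment was dropped in libfdcore/sctp3436.c (hunk @@ -619) and deserves the same treatment. The enclosing function begins before this hunk and continues past it.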
@@ -1737,15 +1484,6 @@ return EINVAL; } ); - #ifndef GNUTLS_VERSION_300 - /* Now verify the remote credentials are valid -- only simple tests here */ - CHECK_FCT_DO( fd_tls_verify_credentials(conn->cc_tls_para.session, conn, 1), - { - CHECK_GNUTLS_DO( gnutls_bye(conn->cc_tls_para.session, GNUTLS_SHUT_RDWR), ); - fd_cnx_markerror(conn); - return EINVAL; - }); - #endif /* GNUTLS_VERSION_300 */ } /* Multi-stream TLS: handshake other streams as well */ diff -r 5d0d300a7cd9 -r 33ad82ffbdde libfdcore/cnxctx.h --- a/libfdcore/cnxctx.h Tue Jun 18 17:05:44 2013 +0800 +++ b/libfdcore/cnxctx.h Wed Jun 19 14:38:57 2013 +0800 @@ -111,9 +111,6 @@ /* TLS */ int fd_tls_rcvthr_core(struct cnxctx * conn, gnutls_session_t session, int dtls); int fd_tls_prepare(gnutls_session_t * session, int mode, int dtls, char * priority, void * alt_creds); -#ifndef GNUTLS_VERSION_300 -int fd_tls_verify_credentials(gnutls_session_t session, struct cnxctx * conn, int verbose); -#endif /* GNUTLS_VERSION_300 */ ssize_t fd_tls_send_handle_error(struct cnxctx * conn, gnutls_session_t session, void * data, size_t sz); /* TCP */ diff -r 5d0d300a7cd9 -r 33ad82ffbdde libfdcore/config.c --- a/libfdcore/config.c Tue Jun 18 17:05:44 2013 +0800 +++ b/libfdcore/config.c Wed Jun 19 14:38:57 2013 +0800 @@ -74,9 +74,7 @@ /* TLS parameters */ CHECK_GNUTLS_DO( gnutls_certificate_allocate_credentials (&fd_g_config->cnf_sec_data.credentials), return ENOMEM ); CHECK_GNUTLS_DO( gnutls_dh_params_init (&fd_g_config->cnf_sec_data.dh_cache), return ENOMEM ); -#ifdef GNUTLS_VERSION_300 CHECK_GNUTLS_DO( gnutls_x509_trust_list_init(&fd_g_config->cnf_sec_data.trustlist, 0), return ENOMEM ); -#endif /* GNUTLS_VERSION_300 */ return 0; } @@ -186,7 +184,6 @@ return 0; } -#ifdef GNUTLS_VERSION_300 /* inspired from GnuTLS manual */ static int fd_conf_print_details_func (gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl, 
@@ -229,11 +226,7 @@ return 0; } -#endif /* GNUTLS_VERSION_300 */ -#ifndef GNUTLS_VERSION_300 -GCC_DIAG_OFF("-Wdeprecated-declarations") -#endif /* !GNUTLS_VERSION_300 */ /* Parse the configuration file (using the yacc parser) */ int fd_conf_parse() { @@ -391,11 +384,7 @@ CHECK_MALLOC( certs = calloc(cert_max, sizeof(gnutls_x509_crt_t)) ); CHECK_GNUTLS_DO( gnutls_x509_crt_list_import(certs, &cert_max, &certfile, GNUTLS_X509_FMT_PEM, - #ifdef GNUTLS_VERSION_300 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED - #else /* GNUTLS_VERSION_300 */ - 0 - #endif /* GNUTLS_VERSION_300 */ ), { TRACE_ERROR("Failed to import the data from file '%s'", fd_g_config->cnf_sec_data.cert_file); @@ -408,9 +397,7 @@ /* Now, verify the list against the local CA and CRL */ - #ifdef GNUTLS_VERSION_300 - - /* We use the trust list for this purpose */ + /* We use the trust list for this purpose */ { unsigned int output; 
@@ -459,72 +446,6 @@ } - - #else /* GNUTLS_VERSION_300 */ - - /* GnuTLS 2.x way of checking certificates */ - { - gnutls_x509_crt_t * CA_list; - int CA_list_length; - - gnutls_x509_crl_t * CRL_list; - int CRL_list_length; - - unsigned int verify; - time_t now; - GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) ); - GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) ); - CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify), - { - TRACE_ERROR("Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file); - return EINVAL; - } ); - - if (verify) { - fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); - if (verify & GNUTLS_CERT_INVALID) - TRACE_ERROR(" - The certificate is not trusted (unknown CA? 
expired?)"); - if (verify & GNUTLS_CERT_REVOKED) - TRACE_ERROR(" - The certificate has been revoked."); - if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND) - TRACE_ERROR(" - The certificate hasn't got a known issuer."); - if (verify & GNUTLS_CERT_SIGNER_NOT_CA) - TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); - if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) - TRACE_ERROR(" - The certificate signature uses a weak algorithm."); - return EINVAL; - } - - /* Check the local Identity is valid with the certificate */ - if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid)) { - TRACE_ERROR("TLS: Local certificate '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); - TRACE_ERROR(" - The certificate hostname does not match '%s'", fd_g_config->cnf_diamid); - return EINVAL; - } - - /* Check validity of all the certificates in the chain */ - now = time(NULL); - for (i = 0; i < cert_max; i++) - { - time_t deadline; - - GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(certs[i]) ); - if ((deadline != (time_t)-1) && (deadline < now)) { - TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); - TRACE_ERROR(" - The certificate %d in the chain is expired", i); - return EINVAL; - } - - GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(certs[i]) ); - if ((deadline != (time_t)-1) && (deadline > now)) { - TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); - TRACE_ERROR(" - The certificate %d in the chain is not yet activated", i); - return EINVAL; - } - } - } - #endif /* GNUTLS_VERSION_300 */ - /* Everything checked OK, free the certificate list */ for (i = 0; i < cert_max; i++) { 
@@ -532,10 +453,8 @@ } free(certs); - #ifdef GNUTLS_VERSION_300 /* Use certificate verification during the handshake */ gnutls_certificate_set_verify_function (fd_g_config->cnf_sec_data.credentials, fd_tls_verify_credentials_2); - #endif /* GNUTLS_VERSION_300 */ } @@ -596,9 +515,6 @@ return 0; } -#ifndef GNUTLS_VERSION_300 -GCC_DIAG_ON("-Wdeprecated-declarations") -#endif /* !GNUTLS_VERSION_300 */ /* Destroy contents of fd_g_config structure */ @@ -610,9 +526,7 @@ return 0; /* Free the TLS parameters */ -#ifdef GNUTLS_VERSION_300 gnutls_x509_trust_list_deinit(fd_g_config->cnf_sec_data.trustlist, 1); -#endif /* GNUTLS_VERSION_300 */ gnutls_priority_deinit(fd_g_config->cnf_sec_data.prio_cache); gnutls_dh_params_deinit(fd_g_config->cnf_sec_data.dh_cache); gnutls_certificate_free_credentials(fd_g_config->cnf_sec_data.credentials); diff -r 5d0d300a7cd9 -r 33ad82ffbdde libfdcore/core.c --- a/libfdcore/core.c Tue Jun 18 17:05:44 2013 +0800 +++ b/libfdcore/core.c Wed Jun 19 14:38:57 2013 +0800 @@ -43,11 +43,6 @@ static struct fd_config g_conf; struct fd_config * fd_g_config = NULL; -/* gcrypt functions to support posix threads */ -#ifndef GNUTLS_VERSION_210 -GCRY_THREAD_OPTION_PTHREAD_IMPL; -#endif /* GNUTLS_VERSION_210 */ - /* Thread that process incoming events on the main queue -- and terminates the framework when requested */ static pthread_t core_runner = (pthread_t)NULL; 
@@ -188,20 +183,12 @@ LOG_N("libfdproto '%s' initialized.", fd_libproto_version); /* Initialize gcrypt and gnutls */ - #ifndef GNUTLS_VERSION_210 - GNUTLS_TRACE( (void) gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread) ); - GNUTLS_TRACE( (void) gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0) ); - #endif /* GNUTLS_VERSION_210 */ CHECK_GNUTLS_DO( gnutls_global_init(), return EINVAL ); if ( ! gnutls_check_version(GNUTLS_VERSION) ) { TRACE_ERROR( "The GNUTLS library is too old; found '%s', need '" GNUTLS_VERSION "'", gnutls_check_version(NULL)); return EINVAL; } else { - #ifdef GNUTLS_VERSION_210 TRACE_DEBUG(INFO, "libgnutls '%s' initialized.", gnutls_check_version(NULL) ); - #else /* GNUTLS_VERSION_210 */ - TRACE_DEBUG(INFO, "libgnutls '%s', libgcrypt '%s', initialized.", gnutls_check_version(NULL), gcry_check_version(NULL) ); - #endif /* GNUTLS_VERSION_210 */ } /* Initialize the config with default values */ diff -r 5d0d300a7cd9 -r 33ad82ffbdde libfdcore/fdcore-internal.h --- a/libfdcore/fdcore-internal.h Tue Jun 18 17:05:44 2013 +0800 +++ b/libfdcore/fdcore-internal.h Wed Jun 19 14:38:57 2013 +0800 @@ -359,9 +359,7 @@ int fd_cnx_recv_setaltfifo(struct cnxctx * conn, struct fifo * alt_fifo); /* send FDEVP_CNX_MSG_RECV event to the fifo list */ int fd_cnx_send(struct cnxctx * conn, unsigned char * buf, size_t len); void fd_cnx_destroy(struct cnxctx * conn); -#ifdef GNUTLS_VERSION_300 int fd_tls_verify_credentials_2(gnutls_session_t session); -#endif /* GNUTLS_VERSION_300 */ /* Internal calls of the hook mechanism */ void fd_hook_call(enum fd_hook_type type, struct msg * msg, struct fd_peer * peer, void * other, struct fd_msg_pmdl * pmdl); diff -r 5d0d300a7cd9 -r 33ad82ffbdde libfdcore/fdd.y --- a/libfdcore/fdd.y Tue Jun 18 17:05:44 2013 +0800 +++ b/libfdcore/fdd.y Wed Jun 19 14:38:57 2013 +0800 
@@ -562,7 +562,7 @@ yyerror (&yylloc, conf, "Error on file name"); YYERROR; } - #ifdef GNUTLS_VERSION_300 + { /* We import these CA in the trust list */ gnutls_x509_crt_t * calist; @@ -580,7 +580,7 @@ CHECK_GNUTLS_DO( gnutls_x509_trust_list_add_cas (fd_g_config->cnf_sec_data.trustlist, calist, cacount, 0), { yyerror (&yylloc, conf, "Error saving CA in trust list."); YYERROR; } ); } - #endif /* GNUTLS_VERSION_300 */ + fclose(fd); conf->cnf_sec_data.ca_file = $3; CHECK_GNUTLS_DO( conf->cnf_sec_data.ca_file_nr += gnutls_certificate_set_x509_trust_file( @@ -602,7 +602,7 @@ yyerror (&yylloc, conf, "Error on file name"); YYERROR; } - #ifdef GNUTLS_VERSION_300 + { /* We import these CRL in the trust list */ gnutls_x509_crl_t * crllist; @@ -621,7 +621,7 @@ 0), { yyerror (&yylloc, conf, "Error importing CRL in trust list."); YYERROR; } ); } - #endif /* GNUTLS_VERSION_300 */ + fclose(fd); conf->cnf_sec_data.crl_file = $3; CHECK_GNUTLS_DO( gnutls_certificate_set_x509_crl_file( diff -r 5d0d300a7cd9 -r 33ad82ffbdde libfdcore/sctp3436.c --- a/libfdcore/sctp3436.c Tue Jun 18 17:05:44 2013 +0800 +++ b/libfdcore/sctp3436.c Wed Jun 19 14:38:57 2013 +0800 @@ -163,7 +163,6 @@ /* push / pull */ /*************************************************************/ -#ifdef GNUTLS_VERSION_300 /* Check if data is available for gnutls on a given context */ static int sctp3436_pull_timeout(gnutls_transport_ptr_t tr, unsigned int ms) { 
@@ -192,24 +191,8 @@ return ret; } -#endif /* GNUTLS_VERSION_300 */ /* Send data over the connection, called by gnutls */ -#ifndef GNUTLS_VERSION_212 -static ssize_t sctp3436_push(gnutls_transport_ptr_t tr, const void * data, size_t len) -{ - struct sctp3436_ctx * ctx = (struct sctp3436_ctx *) tr; - struct iovec iov; - - TRACE_ENTRY("%p %p %zd", tr, data, len); - CHECK_PARAMS_DO( tr && data, { errno = EINVAL; return -1; } ); - - iov.iov_base = (void *)data; - iov.iov_len = len; - - return fd_sctp_sendstrv(ctx->parent, ctx->strid, &iov, 1); -} -#else /* GNUTLS_VERSION_212 */ static ssize_t sctp3436_pushv(gnutls_transport_ptr_t tr, const giovec_t * iov, int iovcnt) { struct sctp3436_ctx * ctx = (struct sctp3436_ctx *) tr; @@ -219,7 +202,6 @@ return fd_sctp_sendstrv(ctx->parent, ctx->strid, (const struct iovec *)iov, iovcnt); } -#endif /* GNUTLS_VERSION_212 */ /* Retrieve data received on a stream and already demultiplexed */ static ssize_t sctp3436_pull(gnutls_transport_ptr_t tr, void * buf, size_t len) 
@@ -270,36 +252,18 @@ } /* Set the parameters of a session to use the appropriate fifo and stream information */ -#ifndef GNUTLS_VERSION_300 -GCC_DIAG_OFF("-Wdeprecated-declarations") -#endif /* !GNUTLS_VERSION_300 */ static void set_sess_transport(gnutls_session_t session, struct sctp3436_ctx *ctx) { /* Set the transport pointer passed to push & pull callbacks */ GNUTLS_TRACE( gnutls_transport_set_ptr( session, (gnutls_transport_ptr_t) ctx ) ); - /* Reset the low water value, since we don't use sockets */ -#ifndef GNUTLS_VERSION_300 - /* starting version 2.12, this call is not needed */ - GNUTLS_TRACE( gnutls_transport_set_lowat( session, 0 ) ); -#else /* GNUTLS_VERSION_300 */ - /* but in 3.0 we have to provide the pull_timeout callback */ + /* Set the push and pull callbacks */ GNUTLS_TRACE( gnutls_transport_set_pull_timeout_function( session, sctp3436_pull_timeout ) ); -#endif /* GNUTLS_VERSION_300 */ - - /* Set the push and pull callbacks */ GNUTLS_TRACE( gnutls_transport_set_pull_function(session, sctp3436_pull) ); -#ifndef GNUTLS_VERSION_212 - GNUTLS_TRACE( gnutls_transport_set_push_function(session, sctp3436_push) ); -#else /* GNUTLS_VERSION_212 */ GNUTLS_TRACE( gnutls_transport_set_vec_push_function(session, sctp3436_pushv) ); -#endif /* GNUTLS_VERSION_212 */ return; } -#ifndef GNUTLS_VERSION_300 -GCC_DIAG_ON("-Wdeprecated-declarations") -#endif /* !GNUTLS_VERSION_300 */ /*************************************************************/ /* Session resuming support */ 
@@ -531,12 +495,6 @@ CHECK_GNUTLS_DO( gnutls_handshake( ctx->session ), return NULL); GNUTLS_TRACE( resumed = gnutls_session_is_resumed(ctx->session) ); - #ifndef GNUTLS_VERSION_300 - if (!resumed) { - /* Check the credentials here also */ - CHECK_FCT_DO( fd_tls_verify_credentials(ctx->session, ctx->parent, 0), return NULL ); - } - #endif /* GNUTLS_VERSION_300 */ if (TRACE_BOOL(FULL)) { if (resumed) { fd_log_debug("Session was resumed successfully on stream %hu (conn: '%s')", ctx->strid, fd_cnx_getid(ctx->parent)); @@ -619,10 +577,6 @@ /* Set credentials and priority */ CHECK_FCT( fd_tls_prepare(&conn->cc_sctp3436_data.array[i].session, conn->cc_tls_para.mode, 0, priority, alt_creds) ); - /* additional initialization for gnutls 3.x */ - #ifdef GNUTLS_VERSION_300 - /* the verify function has already been set in the global initialization in config.c */ - /* fd_tls_verify_credentials_2 uses the connection */ gnutls_session_set_ptr (conn->cc_sctp3436_data.array[i].session, (void *) conn); @@ -631,8 +585,6 @@ CHECK_GNUTLS_DO( gnutls_server_name_set (conn->cc_sctp3436_data.array[i].session, GNUTLS_NAME_DNS, conn->cc_tls_para.cn, strlen(conn->cc_tls_para.cn)), /* ignore failure */); } - #endif /* GNUTLS_VERSION_300 */ - #ifdef GNUTLS_VERSION_310 GNUTLS_TRACE( gnutls_handshake_set_timeout( conn->cc_sctp3436_data.array[i].session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)); #endif /* GNUTLS_VERSION_310 */ diff -r 5d0d300a7cd9 -r 33ad82ffbdde libfdcore/sctp_dtls.c --- a/libfdcore/sctp_dtls.c Tue Jun 18 17:05:44 2013 +0800 +++ b/libfdcore/sctp_dtls.c Wed Jun 19 14:38:57 2013 +0800 
@@ -511,25 +511,12 @@ return fd_sctp_sendstrv(conn, stream, (const struct iovec *)iov, iovcnt); } -#ifndef GNUTLS_VERSION_212 -/* compatibility wrapper for older GNUTLS that does not support the vector_push */ -static ssize_t sctp_dtls_push(gnutls_transport_ptr_t tr, const void * data, size_t len) -{ - giovec_t iov; - iov.iov_base = (void *)data; - iov.iov_len = len; - return sctp_dtls_pushv(tr, &iov, 1); -} -#endif /* GNUTLS_VERSION_212 */ - -#ifdef GNUTLS_VERSION_300 /* Check if data is available for gnutls on a given connection. */ static int sctp_dtls_pull_timeout(gnutls_transport_ptr_t tr, unsigned int ms) { struct cnxctx * conn = (struct cnxctx *)tr; return chunk_select(conn, ms); } -#endif /* GNUTLS_VERSION_300 */ /* This function returns only ordered data to the upper layer */ 
@@ -565,38 +552,20 @@ /***************************************************************************************************/ /* Set the parameters of a session to use the cnxctx object */ -#ifndef GNUTLS_VERSION_300 -GCC_DIAG_OFF("-Wdeprecated-declarations") -#endif /* !GNUTLS_VERSION_300 */ int fd_sctp_dtls_settransport(gnutls_session_t session, struct cnxctx * conn) { /* Set the transport pointer passed to push & pull callbacks */ GNUTLS_TRACE( gnutls_transport_set_ptr( session, (gnutls_transport_ptr_t) conn ) ); - /* Reset the low water value, since we don't use sockets */ -#ifndef GNUTLS_VERSION_300 - /* starting version 2.12, this call is not needed */ - GNUTLS_TRACE( gnutls_transport_set_lowat( session, 0 ) ); -#else /* GNUTLS_VERSION_300 */ - /* but in 3.0 we have to provide the pull_timeout callback */ + /* in 3.0 we have to provide the pull_timeout callback */ GNUTLS_TRACE( gnutls_transport_set_pull_timeout_function( session, sctp_dtls_pull_timeout ) ); -#endif /* GNUTLS_VERSION_300 */ /* Set the push and pull callbacks */ GNUTLS_TRACE( gnutls_transport_set_pull_function(session, sctp_dtls_pull) ); -#ifndef GNUTLS_VERSION_212 - GNUTLS_TRACE( gnutls_transport_set_push_function(session, sctp_dtls_push) ); -#else /* GNUTLS_VERSION_212 */ GNUTLS_TRACE( gnutls_transport_set_vec_push_function(session, sctp_dtls_pushv) ); -#endif /* GNUTLS_VERSION_212 */ return 0; } -#ifndef GNUTLS_VERSION_300 -GCC_DIAG_ON("-Wdeprecated-declarations") -#endif /* !GNUTLS_VERSION_300 */ - - /* Set additional session parameters before handshake. The GNUTLS_DATAGRAM is already set in fd_tls_prepare */ 
@@ -610,10 +579,10 @@ GNUTLS_TRACE( gnutls_dtls_set_timeouts(session, 70000, 60000)); /* Set retrans > total so that there is no retransmission, since SCTP is reliable */ -#ifdef GNUTLS_VERSION_320 +#ifdef GNUTLS_VERSION_322 TODO("Disable replay protection"); TODO("Register hook on the Finish message to change SCTP_AUTH active key on the socket"); -#endif /* GNUTLS_VERSION_320 */ +#endif /* GNUTLS_VERSION_322 */ return 0; diff -r 5d0d300a7cd9 -r 33ad82ffbdde tests/testcnx.c --- a/tests/testcnx.c Tue Jun 18 17:05:44 2013 +0800 +++ b/tests/testcnx.c Wed Jun 19 14:38:57 2013 +0800 @@ -614,7 +614,6 @@ GNUTLS_X509_FMT_PEM), ); CHECK( 1, ret ); - #ifdef GNUTLS_VERSION_300 { /* We import these CA in the trust list */ gnutls_x509_crt_t * calist; @@ -631,9 +630,6 @@ /* Use certificate verification during the handshake */ gnutls_certificate_set_verify_function (fd_g_config->cnf_sec_data.credentials, fd_tls_verify_credentials_2); - #endif /* GNUTLS_VERSION_300 */ - - /* Set the server credentials (in config) */ CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_key_mem( fd_g_config->cnf_sec_data.credentials, &server_cert,
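Review bot: Renaming the guard from `GNUTLS_VERSION_320` to `GNUTLS_VERSION_322` turns a block that, as far as this patch shows, could never be compiled (the Find module never defined GNUTLS_VERSION_320) into one that is active whenever `gnutls_handshake_set_hook_function` is detected, so the two TODO() statements now take effect on GnuTLS >= 3.2.2 builds; if TODO() expands to a runtime log or, with ERRORS_ON_TODO, a build error, that is a behaviour change the commit message does not mention. Since one of the items is `Disable replay protection`, a DTLS security setting, record the justification next to it before it is implemented, e.g. `/* Replay protection is unnecessary here for the same reason as the retransmission setting above: SCTP already delivers reliably and in order */`, so a later implementer does not weaken it on another transport. I cannot confirm from this hunk what TODO() expands to. The enclosing function starts before this hunk.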