
[mod_gnutls] workaround gnutls API breakage, and prepare for future ones

Change-Id: I1b97aa31fd1a7adb0107761d05bf81a4509e9fc9
master
Stefan Bühler 3 years ago
parent
commit
3d2880258d
3 changed files with 35 additions and 35 deletions
  1. +2
    -2
      src/modules/gnutls_filter.c
  2. +13
    -13
      src/modules/gnutls_ocsp.c
  3. +20
    -20
      src/modules/mod_gnutls.c

+ 2
- 2
src/modules/gnutls_filter.c View File

@@ -193,7 +193,7 @@ static void f_abort_gnutls(liGnuTLSFilter *f) {
static void f_close_with_alert(liGnuTLSFilter *f, int r) {
if (f->closing || f->aborted) return;

if (GNUTLS_E_SUCCESS != gnutls_alert_send_appropriate(f->session, r)) {
if (GNUTLS_E_SUCCESS > gnutls_alert_send_appropriate(f->session, r)) {
f_abort_gnutls(f);
return;
}
@@ -276,7 +276,7 @@ static gboolean do_gnutls_handshake(liGnuTLSFilter *f, gboolean writing) {
LI_FORCE_ASSERT(!f->initial_handshaked_finished);

r = gnutls_handshake(f->session);
if (GNUTLS_E_SUCCESS == r) {
if (GNUTLS_E_SUCCESS <= r) {
f->initial_handshaked_finished = 1;
li_stream_acquire(&f->plain_source);
li_stream_acquire(&f->plain_drain);


+ 13
- 13
src/modules/gnutls_ocsp.c View File

@@ -39,7 +39,7 @@ static int get_entry(liServer *srv, ocsp_response_cert_entry* entry, gnutls_ocsp

if (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE == r) return r;

if (GNUTLS_E_SUCCESS != r) {
if (GNUTLS_E_SUCCESS > r) {
ERROR(srv, "Couldn't retrieve OCSP response information for entry %u (%s): %s",
ndx,
gnutls_strerror_name(r), gnutls_strerror(r));
@@ -79,13 +79,13 @@ static gboolean add_response(liServer *srv, liGnuTLSOCSP *ocsp, gnutls_datum_t*
response.resp_data = *der_data;
der_data->data = NULL; der_data->size = 0;

if (GNUTLS_E_SUCCESS != (r = gnutls_ocsp_resp_init(&response.resp))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_ocsp_resp_init(&response.resp))) {
ERROR(srv, "gnutls_ocsp_resp_init (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error;
}

if (GNUTLS_E_SUCCESS != (r = gnutls_ocsp_resp_import(response.resp, &response.resp_data))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_ocsp_resp_import(response.resp, &response.resp_data))) {
ERROR(srv, "gnutls_ocsp_resp_import (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error;
@@ -97,7 +97,7 @@ static gboolean add_response(liServer *srv, liGnuTLSOCSP *ocsp, gnutls_datum_t*

r = get_entry(srv, &entry, response.resp, i);
if (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE == r) break; /* got them all */
if (GNUTLS_E_SUCCESS != r) goto error;
if (GNUTLS_E_SUCCESS > r) goto error;

g_array_append_vals(response.certificates, &entry, 1);

@@ -133,20 +133,20 @@ static int ctx_ocsp_response(gnutls_session_t session, void* ptr, gnutls_datum_t
size_t serial_size = ocsp->max_serial_length;

crt_datum = gnutls_certificate_get_ours(session); /* memory is NOT owned */
if (GNUTLS_E_SUCCESS != (r = gnutls_x509_crt_init(&crt))) goto cleanup;
if (GNUTLS_E_SUCCESS != (r = gnutls_x509_crt_import(crt, crt_datum, GNUTLS_X509_FMT_DER))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_x509_crt_init(&crt))) goto cleanup;
if (GNUTLS_E_SUCCESS > (r = gnutls_x509_crt_import(crt, crt_datum, GNUTLS_X509_FMT_DER))) {
gnutls_x509_crt_deinit(crt);
goto cleanup;
}

;
if (GNUTLS_E_SUCCESS != (r = gnutls_x509_crt_get_serial(crt, serial.data, &serial_size))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_x509_crt_get_serial(crt, serial.data, &serial_size))) {
gnutls_x509_crt_deinit(crt);
goto cleanup;
}
serial.size = serial_size;

if (GNUTLS_E_SUCCESS != (r = gnutls_x509_crt_get_raw_issuer_dn(crt, &issuer_name))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_x509_crt_get_raw_issuer_dn(crt, &issuer_name))) {
gnutls_x509_crt_deinit(crt);
goto cleanup;
}
@@ -164,7 +164,7 @@ static int ctx_ocsp_response(gnutls_session_t session, void* ptr, gnutls_datum_t
if (serial.size != entry->serial.size
|| 0 != memcmp(serial.data, entry->serial.data, serial.size)) continue;

if (GNUTLS_E_SUCCESS != (r = gnutls_hash_fast(entry->digest, issuer_name.data, issuer_name.size, issuer_name_hash))) goto cleanup;
if (GNUTLS_E_SUCCESS > (r = gnutls_hash_fast(entry->digest, issuer_name.data, issuer_name.size, issuer_name_hash))) goto cleanup;

if (0 != memcmp(issuer_name_hash, entry->issuer_name_hash.data, entry->issuer_name_hash.size)) continue;

@@ -217,7 +217,7 @@ gboolean li_gnutls_ocsp_add(liServer *srv, liGnuTLSOCSP *ocsp, const char* filen
gnutls_datum_t* der_data;
gboolean result = FALSE;

if (GNUTLS_E_SUCCESS != (r = gnutls_load_file(filename, &file))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_load_file(filename, &file))) {
ERROR(srv, "Failed to load OCSP file '%s' (%s): %s",
filename,
gnutls_strerror_name(r), gnutls_strerror(r));
@@ -228,7 +228,7 @@ gboolean li_gnutls_ocsp_add(liServer *srv, liGnuTLSOCSP *ocsp, const char* filen
if (file.size > 20 && 0 == memcmp(file.data, CONST_STR_LEN("-----BEGIN "))) {
r = gnutls_pem_base64_decode_alloc("OCSP RESPONSE", &file, &decoded);

if (GNUTLS_E_SUCCESS != r) {
if (GNUTLS_E_SUCCESS > r) {
ERROR(srv, "gnutls_pem_base64_decode_alloc failed to decode OCSP RESPONSE from '%s' (%s): %s",
filename,
gnutls_strerror_name(r), gnutls_strerror(r));
@@ -256,7 +256,7 @@ gboolean li_gnutls_ocsp_search(liServer *srv, liGnuTLSOCSP *ocsp, const char* fi
gnutls_datum_t decoded = { NULL, 0 };
gboolean result = FALSE;

if (GNUTLS_E_SUCCESS != (r = gnutls_load_file(filename, &file))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_load_file(filename, &file))) {
ERROR(srv, "Failed to load OCSP file '%s' (%s): %s",
filename,
gnutls_strerror_name(r), gnutls_strerror(r));
@@ -265,7 +265,7 @@ gboolean li_gnutls_ocsp_search(liServer *srv, liGnuTLSOCSP *ocsp, const char* fi

r = gnutls_pem_base64_decode_alloc("OCSP RESPONSE", &file, &decoded);

if (GNUTLS_E_SUCCESS == r) {
if (GNUTLS_E_SUCCESS <= r) {
result = add_response(srv, ocsp, &decoded);
if (!result) {
ERROR(srv, "Failed loading OCSP response from '%s'", filename);
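Review bot: get_entry now treats any non-negative return as success, but nothing near the function states its three-way contract, and the caller at `if (GNUTLS_E_SUCCESS > r) goto error;` in add_response depends on it exactly. Since the same `!=` → `>` comparator is repeated in add_response, ctx_ocsp_response, li_gnutls_ocsp_add and li_gnutls_ocsp_search, a contributor who sees only one site is likely to reintroduce `!=` and reject a correctly parsed OCSP response as an error. I would add above get_entry: `/* returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ndx is past the last single response, a negative gnutls error code on failure, and any non-negative value (newer gnutls may return > 0) on success */`. get_entry's signature is visible only in the hunk header and its success path lies outside the hunk, so the exact success value is inferred from the caller rather than seen.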


+ 20
- 20
src/modules/mod_gnutls.c View File

@@ -123,7 +123,7 @@ static gnutls_certificate_credentials_t creds_from_gstring(mod_context *ctx, GSt

if (NULL == str) return NULL;

if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_allocate_credentials(&creds))) return NULL;
if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_allocate_credentials(&creds))) return NULL;

pemfile.data = (unsigned char*) str->str;
pemfile.size = str->len;
@@ -132,7 +132,7 @@ static gnutls_certificate_credentials_t creds_from_gstring(mod_context *ctx, GSt
gnutls_certificate_set_pin_function(creds, pin_callback, ctx->pin);
#endif

if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_mem(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_set_x509_key_mem(creds, &pemfile, &pemfile, GNUTLS_X509_FMT_PEM))) {
goto error_free_creds;
}

@@ -256,21 +256,21 @@ static mod_context *mod_gnutls_context_new(liServer *srv) {
mod_context *ctx = g_slice_new0(mod_context);
int r;

if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_allocate_credentials(&ctx->server_cert))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_allocate_credentials(&ctx->server_cert))) {
ERROR(srv, "gnutls_certificate_allocate_credentials failed(%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error0;
}

if (GNUTLS_E_SUCCESS != (r = gnutls_priority_init(&ctx->server_priority, "NORMAL", NULL))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&ctx->server_priority, "NORMAL", NULL))) {
ERROR(srv, "gnutls_priority_init('NORMAL') failed(%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error1;
}

if (GNUTLS_E_SUCCESS != (r = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL:-CIPHER-ALL:+ARCFOUR-128", NULL))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL:-CIPHER-ALL:+ARCFOUR-128", NULL))) {
int r1;
if (GNUTLS_E_SUCCESS != (r1 = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL", NULL))) {
if (GNUTLS_E_SUCCESS > (r1 = gnutls_priority_init(&ctx->server_priority_beast, "NORMAL", NULL))) {
ERROR(srv, "gnutls_priority_init('NORMAL') failed(%s): %s",
gnutls_strerror_name(r1), gnutls_strerror(r1));
goto error2;
@@ -281,7 +281,7 @@ static mod_context *mod_gnutls_context_new(liServer *srv) {
}

#ifdef HAVE_SESSION_TICKET
if (GNUTLS_E_SUCCESS != (r = gnutls_session_ticket_key_generate(&ctx->ticket_key))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_session_ticket_key_generate(&ctx->ticket_key))) {
ERROR(srv, "gnutls_session_ticket_key_generate failed(%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error3;
@@ -531,7 +531,7 @@ static gboolean mod_gnutls_con_new(liConnection *con, int fd) {
gnutls_session_t session;
int r;

if (GNUTLS_E_SUCCESS != (r = gnutls_init(&session, GNUTLS_SERVER))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_init(&session, GNUTLS_SERVER))) {
ERROR(srv, "gnutls_init (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
return FALSE;
@@ -539,12 +539,12 @@ static gboolean mod_gnutls_con_new(liConnection *con, int fd) {

mod_gnutls_context_acquire(ctx);

if (GNUTLS_E_SUCCESS != (r = gnutls_priority_set(session, ctx->server_priority))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_priority_set(session, ctx->server_priority))) {
ERROR(srv, "gnutls_priority_set (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto fail;
}
if (GNUTLS_E_SUCCESS != (r = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->server_cert))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctx->server_cert))) {
ERROR(srv, "gnutls_credentials_set (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto fail;
@@ -558,7 +558,7 @@ static gboolean mod_gnutls_con_new(liConnection *con, int fd) {
}

#ifdef HAVE_SESSION_TICKET
if (GNUTLS_E_SUCCESS != (r = gnutls_session_ticket_enable_server(session, &ctx->ticket_key))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_session_ticket_enable_server(session, &ctx->ticket_key))) {
ERROR(srv, "gnutls_session_ticket_enable_server (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto fail;
@@ -703,7 +703,7 @@ static gboolean creds_add_pemfile(liServer *srv, mod_context *ctx, gnutls_certif
return FALSE;
}

if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_set_x509_key_file(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_set_x509_key_file(creds, certfile, keyfile, GNUTLS_X509_FMT_PEM))) {
ERROR(srv, "gnutls_certificate_set_x509_key_file failed(certfile '%s', keyfile '%s', PEM) (%s): %s",
certfile, keyfile,
gnutls_strerror_name(r), gnutls_strerror(r));
@@ -891,7 +891,7 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
}

if (NULL != sni_fallback_pemfile) {
if (GNUTLS_E_SUCCESS != (r = gnutls_certificate_allocate_credentials(&ctx->sni_fallback_cert))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_certificate_allocate_credentials(&ctx->sni_fallback_cert))) {
ERROR(srv, "gnutls_certificate_allocate_credentials failed(%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error_free_ctx;
@@ -933,7 +933,7 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
GError *error = NULL;
gnutls_datum_t pkcs3_params;

if (GNUTLS_E_SUCCESS != (r = gnutls_dh_params_init(&ctx->dh_params))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_dh_params_init(&ctx->dh_params))) {
ERROR(srv, "gnutls_dh_params_init failed (%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error_free_ctx;
@@ -951,14 +951,14 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
r = gnutls_dh_params_import_pkcs3(ctx->dh_params, &pkcs3_params, GNUTLS_X509_FMT_PEM);
g_free(contents);

if (GNUTLS_E_SUCCESS != r) {
if (GNUTLS_E_SUCCESS > r) {
ERROR(srv, "couldn't load dh parameters from file '%s' (%s): %s",
dh_params_file,
gnutls_strerror_name(r), gnutls_strerror(r));
goto error_free_ctx;
}
} else {
if (GNUTLS_E_SUCCESS != (r = load_dh_params_4096(&ctx->dh_params))) {
if (GNUTLS_E_SUCCESS > (r = load_dh_params_4096(&ctx->dh_params))) {
ERROR(srv, "couldn't load dh parameters(%s): %s",
gnutls_strerror_name(r), gnutls_strerror(r));
goto error_free_ctx;
@@ -977,7 +977,7 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
gnutls_priority_t prio;
GString *s = srv->main_worker->tmp_str;

if (GNUTLS_E_SUCCESS != (r = gnutls_priority_init(&prio, priority, &errpos))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&prio, priority, &errpos))) {
ERROR(srv, "gnutls_priority_init failed(priority '%s', error at '%s') (%s): %s",
priority, errpos,
gnutls_strerror_name(r), gnutls_strerror(r));
@@ -990,7 +990,7 @@ static gboolean gnutls_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
if (protect_against_beast) {
g_string_assign(s, priority);
g_string_append_len(s, CONST_STR_LEN(":-CIPHER-ALL:+ARCFOUR-128"));
if (GNUTLS_E_SUCCESS != (r = gnutls_priority_init(&prio, s->str, &errpos))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_priority_init(&prio, s->str, &errpos))) {
ERROR(srv, "gnutls_priority_init failed(priority '%s', error at '%s') (%s): %s",
s->str, errpos,
gnutls_strerror_name(r), gnutls_strerror(r));
@@ -1145,8 +1145,8 @@ static int load_dh_params_4096(gnutls_dh_params_t *dh_params) {
int r;
gnutls_dh_params_t params;

if (GNUTLS_E_SUCCESS != (r = gnutls_dh_params_init(&params))) return r;
if (GNUTLS_E_SUCCESS != (r = gnutls_dh_params_import_raw(params, &prime, &generator))) {
if (GNUTLS_E_SUCCESS > (r = gnutls_dh_params_init(&params))) return r;
if (GNUTLS_E_SUCCESS > (r = gnutls_dh_params_import_raw(params, &prime, &generator))) {
gnutls_dh_params_deinit(params);
return r;
}
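Review bot: The `!=` → `>` rewrite is repeated by hand on twenty lines in this file (first at the gnutls_certificate_allocate_credentials check in creds_from_gstring, then in mod_gnutls_context_new, mod_gnutls_con_new, creds_add_pemfile, gnutls_setup and load_dh_params_4096), yet nothing in the code records why a positive return is now a success, so the next reader will read `GNUTLS_E_SUCCESS > r` as a typo for `!=`. Centralising the test in one helper, `static inline gboolean gnutls_failed(int r) { return r < GNUTLS_E_SUCCESS; } /* gnutls may return a non-negative value, e.g. a key-pair index, on success */`, documents the reason once and turns the "future breakages" of the commit title into a one-line change. As a separate follow-up, the `server_priority_beast` string on the new gnutls_priority_init line still enables ARCFOUR-128; RC4 is prohibited for TLS by RFC 7465, so that BEAST mitigation is now the weaker option and deserves its own review. load_dh_params_4096's success path is outside the last hunk, so I cannot tell whether it returns the raw gnutls value or normalises to GNUTLS_E_SUCCESS; its only caller in gnutls_setup uses the same `>` test either way.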

