Mailing List Archive: exim: dev

[Bug 1095] Uses (soon to be) deprecated GnuTLS functions



pdp at exim

Sep 24, 2011, 12:32 AM

Post #1 of 2
[Bug 1095] Uses (soon to be) deprecated GnuTLS functions

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1095

--- Comment #2 from Phil Pennock <pdp [at] exim> 2011-09-24 08:32:17 ---
I've applied Andreas's fix in the "gnutls_fixes" branch.

At this point, having seriously looked at the GnuTLS implementation and how
we're having to hardcode all sorts of available ciphers, I think that our
current code limits the ability of the library to automatically supply us with
new ciphersuites and protocols as GnuTLS provides them and this is a bad thing.

If anyone volunteers to work to more recent GnuTLS APIs, I'm happy to endorse
drastic changes. We can easily drop support for ancient releases of GnuTLS,
switch to modern APIs, etc.

I'd *like* us to keep any current options exposed to Exim, because we try hard
to avoid backwards-incompatible changes, but if that's not possible then I'll
even voice my support for dropping some options and adding big warnings to the
upgrade notes. (We'd actually accept the options and log that they're
meaningless now).


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##


git at exim

Oct 3, 2011, 5:17 AM

Post #2 of 2
[Bug 1095] Uses (soon to be) deprecated GnuTLS functions [In reply to]


http://bugs.exim.org/show_bug.cgi?id=1095

Git Commit <git [at] exim> changed:

What | Removed | Added
-----+---------+--------------
CC   |         | git [at] exim

--- Comment #3 from Git Commit <git [at] exim> 2011-10-03 13:17:06 ---
Git commit:
http://git.exim.org/exim.git/commitdiff/89f897c3fdb4c1342b3e9b9f6cb33cd0f869e2aa

commit 89f897c3fdb4c1342b3e9b9f6cb33cd0f869e2aa
Author: Phil Pennock <pdp [at] exim>
AuthorDate: Sat Sep 24 03:09:44 2011 -0400
Commit: Phil Pennock <pdp [at] exim>
CommitDate: Sat Sep 24 03:09:44 2011 -0400

Pull Andreas Metzler's fix for gnutls_certificate_verify_peers (bug 1095)
---
doc/doc-txt/ChangeLog | 2 ++
src/src/tls-gnu.c | 8 ++++----
2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c1362b1..e581360 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -114,6 +114,8 @@ PP/09 Handle IPv6 addresses with SPF.

PP/10 GnuTLS: support TLS 1.2 & 1.1.
Bugzilla 1156.
+ Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler].
+ Bugzilla 1095.


Exim version 4.76
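Review bot: the two added lines `+ Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler].` / `+ Bugzilla 1095.` are appended under PP/10, whose heading is "GnuTLS: support TLS 1.2 & 1.1 / Bugzilla 1156", so they read as part of that unrelated item; give the verify_peers2 change its own PP/ number. Since the patch makes tls-gnu.c depend on gnutls_certificate_verify_peers2() and the diffstat shows no build-time check being added, the entry (or the upgrade notes) should also state the minimum GnuTLS release that provides that function.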
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 4de9d4f..6b80637 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -235,10 +235,10 @@ Returns: TRUE/FALSE
static BOOL
verify_certificate(gnutls_session session, const char **error)
{
-int verify;
+int rc;
uschar *dn_string = US"";
const gnutls_datum *cert;
-unsigned int cert_size = 0;
+unsigned int verify, cert_size = 0;

*error = NULL;

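Review bot: `int rc;` and the new `unsigned int verify, cert_size = 0;` leave both `rc` and `verify` without an initializer while `cert_size` keeps its `= 0`. The only assignment to `rc` in this patch is inside the `if (cert != NULL)` block, so on the `else` path (unless code this hunk does not show assigns it) the later test `(rc < 0)` reads an indeterminate value, and `verify` is likewise undefined if the library call returns an error before storing a status. Suggest `int rc = 0;` and `unsigned int verify = 0, cert_size = 0;` so the failure path below is deterministic.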
@@ -262,7 +262,7 @@ if (cert != NULL)
dn_string = string_copy_malloc(buff);
}

- verify = gnutls_certificate_verify_peers(session);
+ rc = gnutls_certificate_verify_peers2(session, &verify);
}
else
{
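Review bot: nothing after `rc = gnutls_certificate_verify_peers2(session, &verify);` records the return code when it is negative; the later test folds that case into the same path as a certificate that failed verification, so an operator cannot tell a library-side failure (for example, no trust anchors loaded) from a peer presenting a bad certificate. Log `gnutls_strerror(rc)` at debug level right after the call, before falling through.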
@@ -274,7 +274,7 @@ else
/* Handle the result of verification. INVALID seems to be set as well
as REVOKED, but leave the test for both. */

-if ((verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
+if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
{
tls_certificate_verified = FALSE;
if (*error == NULL) *error = ((verify & GNUTLS_CERT_REVOKED) != 0)?
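Review bot: with `if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)` a negative return now enters the failure block, but the message chosen at `*error = ((verify & GNUTLS_CERT_REVOKED) != 0)?` is still derived from `verify`, which is only meaningful when the call returned 0; on a library error the peer is reported as "revoked" or "invalid" depending on whatever `verify` happens to hold. Test `rc < 0` first and set `*error = gnutls_strerror(rc);` before reaching the status-bit checks, and extend the comment above, which currently describes only the INVALID/REVOKED bits, to mention the negative-return case.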

