Changeset 81018a4 in mod_gnutls


Timestamp:
Jul 23, 2019, 2:33:41 AM (16 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
556783e
Parents:
65c84e5
Message:

Remove compatibility code for GnuTLS version before 3.6.3

Files:
3 edited

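--- a/configure.ac
+++ b/configure.ac
@@ -133,25 +133,5 @@
 # openssl is needed as the responder for OCSP tests
 AC_PATH_PROG([OPENSSL], [openssl], [no])
-# OCSP checks with gnutls-cli from GnuTLS versions before 3.3.23,
-# 3.4.12, or 3.5.1 (on the respective 3.x branch) fail if intermediate
-# CAs cannot be status checked, even if there are no intermediate CAs
-# like in the mod_gnutls test suite where end entity certificates are
-# directly issued by a root CA.
-AC_MSG_CHECKING([for gnutls-cli version supporting OCSP for EE under root CA])
-AC_PREPROC_IFELSE(
-        [AC_LANG_SOURCE([[#include "gnutls/gnutls.h"
-                        #if GNUTLS_VERSION_NUMBER < 0x030317
-                        #error
-                        #elif GNUTLS_VERSION_NUMBER >= 0x030400 && GNUTLS_VERSION_NUMBER < 0x03040c
-                        #error
-                        #elif GNUTLS_VERSION_NUMBER == 0x030500
-                        #error
-                        #endif
-                        ]])],
-        [gnutls_ocsp_ok="yes"],
-        [gnutls_ocsp_ok="no"],
-)
-AC_MSG_RESULT([$gnutls_ocsp_ok])
-AM_CONDITIONAL([ENABLE_OCSP_TEST], [test "${OPENSSL}" != "no" && test "${gnutls_ocsp_ok}" = "yes"])
+AM_CONDITIONAL([ENABLE_OCSP_TEST], [test "${OPENSSL}" != "no"])
 
 dnl Enable test namespaces? Default is "yes".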
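Review bot: With the header probe gone, `ENABLE_OCSP_TEST` on new line 135 is true whenever `openssl` is found, so the OCSP tests now depend on configure rejecting GnuTLS older than 3.6.3 somewhere else; no such minimum-version check is visible in this section. If the floor is enforced elsewhere in configure.ac, a one-line comment above the conditional would record why no probe is needed, for example `# All supported GnuTLS versions (>= 3.6.3) ship a gnutls-cli that handles OCSP for EE certificates issued directly by a root CA`. If it is not enforced, a build against older headers would enable tests that the removed comment describes as failing.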
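--- a/src/gnutls_cache.c
+++ b/src/gnutls_cache.c
@@ -52,9 +52,5 @@
 /** Maximum length of the hex string representation of a GnuTLS
  * session ID: two characters per byte, plus one more for `\0` */
-#if GNUTLS_VERSION_NUMBER >= 0x030400
 #define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID_SIZE * 2) + 1)
-#else
-#define GNUTLS_SESSION_ID_STRING_LEN ((GNUTLS_MAX_SESSION_ID * 2) + 1)
-#endif
 
 #ifdef APLOG_USE_MODULE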
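--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -73,7 +73,5 @@
 {
     /* Free session ticket master key */
-#if GNUTLS_VERSION_NUMBER >= 0x030400
     gnutls_memset(session_ticket_key.data, 0, session_ticket_key.size);
-#endif
     gnutls_free(session_ticket_key.data);
     session_ticket_key.data = NULL;
@@ -420,8 +418,4 @@
 
 
-#if GNUTLS_VERSION_NUMBER >= 0x030506
-#define HAVE_KNOWN_DH_GROUPS 1
-#endif
-#ifdef HAVE_KNOWN_DH_GROUPS
 /**
  * Try to estimate a GnuTLS security parameter based on the given
@@ -450,23 +444,4 @@
     return gnutls_pk_bits_to_sec_param(pk_algo, bits);
 }
-#else
-/** ffdhe2048 DH group as defined in RFC 7919, Appendix A.1. This is
- * the default DH group if mod_gnutls is compiled agains a GnuTLS
- * version that does not provide known DH groups based on security
- * parameters (before 3.5.6). */
-static const char FFDHE2048_PKCS3[] =
-    "-----BEGIN DH PARAMETERS-----\n"
-    "MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
-    "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
-    "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
-    "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
-    "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
-    "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICAQA=\n"
-    "-----END DH PARAMETERS-----\n";
-const gnutls_datum_t default_dh_params = {
-    (void *) FFDHE2048_PKCS3,
-    sizeof(FFDHE2048_PKCS3)
-};
-#endif
 
 
@@ -488,5 +463,4 @@
         ap_get_module_config(server->module_config, &gnutls_module);
 
-#ifdef HAVE_KNOWN_DH_GROUPS
     gnutls_sec_param_t seclevel = GNUTLS_SEC_PARAM_UNKNOWN;
     if (sc->privkey_x509)
@@ -522,26 +496,4 @@
         return HTTP_UNAUTHORIZED;
     }
-#else
-    int ret = gnutls_dh_params_init(&sc->dh_params);
-    if (ret < 0)
-    {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
-                     "%s: Failed to initialize DH params structure: "
-                     "%s (%d)", __func__, gnutls_strerror(ret), ret);
-        return HTTP_UNAUTHORIZED;
-    }
-    ret = gnutls_dh_params_import_pkcs3(sc->dh_params, &default_dh_params,
-                                        GNUTLS_X509_FMT_PEM);
-    if (ret < 0)
-    {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
-                     "%s: Failed to import default DH params: %s (%d)",
-                     __func__, gnutls_strerror(ret), ret);
-        return HTTP_UNAUTHORIZED;
-    }
-
-    gnutls_certificate_set_dh_params(sc->certs, sc->dh_params);
-    gnutls_anon_set_server_dh_params(sc->anon_creds, sc->dh_params);
-#endif
 
     return OK;
@@ -1362,11 +1314,6 @@
                                          gnutls_mac_get(ctxt->session)));
 
-#if GNUTLS_VERSION_NUMBER >= 0x030600
     /* Compression support has been removed since GnuTLS 3.6.0 */
     apr_table_setn(env, "SSL_COMPRESS_METHOD", "NULL");
-#else
-    apr_table_setn(env, "SSL_COMPRESS_METHOD",
-            gnutls_compression_get_name(gnutls_compression_get(ctxt->session)));
-#endif
 
 #ifdef ENABLE_SRP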
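Review bot: The comment on new line 74, `/* Free session ticket master key */`, does not say that the key is wiped before it is freed, which is the security-relevant part now that `gnutls_memset()` runs unconditionally ahead of `gnutls_free()`. I would reword it to `/* Wipe the session ticket master key before freeing it, so key material does not remain in released heap memory */`. That also signals to a later maintainer that the call should not be swapped for a plain `memset()`, which a compiler is allowed to drop when the buffer is freed right after. The enclosing function's signature and the rest of its body lie outside this hunk.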