
Re: [bug-mailutils] update GnuTLS usage


From: Simon Josefsson
Subject: Re: [bug-mailutils] update GnuTLS usage
Date: Fri, 23 Mar 2012 12:27:44 +0100
User-agent: Gnus/5.130004 (Ma Gnus v0.4) Emacs/24.0.94 (gnu/linux)

I forgot to update the manual, here is an updated patch.

/Simon
>From 5c393fb9902f5a9816dc7d1085887e9628167165 Mon Sep 17 00:00:00 2001
From: Simon Josefsson <address@hidden>
Date: Fri, 23 Mar 2012 12:15:42 +0100
Subject: [PATCH] Update GnuTLS priority handling.  Improve error handling.

* tls.h (mu_tls_module_config): Add priority_string.
* libmu_cfg/tls.c (tls_settings): Initialize priority_string.
(mu_tls_param): Add priority-string.
* tls.c (prepare_client_session): Use modern GnuTLS priority
string API.  Check return codes.
* doc/texinfo/programs.texi (TLS Statement): Mention priority-string.
---
 doc/texinfo/programs.texi |    2 +
 include/mailutils/tls.h   |    2 +
 libmu_auth/tls.c          |   52 +++++++++++++++++++++++++++++---------------
 libmu_cfg/tls.c           |    6 ++++-
 4 files changed, 43 insertions(+), 19 deletions(-)

diff --git a/doc/texinfo/programs.texi b/doc/texinfo/programs.texi
index aaa66f5..60a9710 100644
--- a/doc/texinfo/programs.texi
+++ b/doc/texinfo/programs.texi
@@ -2037,6 +2037,8 @@ tls @{
   ssl-key @var{file};
   # @r{Specify trusted CAs file.}
   ssl-cafile @var{file};
+  # @r{Specify TLS priority string (by default "DEFAULT").}
+  priority-string @var{string};
 @}
 @end example
 
diff --git a/include/mailutils/tls.h b/include/mailutils/tls.h
index 054d1e4..7e0fd53 100644
--- a/include/mailutils/tls.h
+++ b/include/mailutils/tls.h
@@ -37,6 +37,8 @@ struct mu_tls_module_config
   
   char *ssl_cafile;
   int ssl_cafile_safety_checks;
+
+  char *priority_string;
 };
 
 extern int mu_tls_module_init (enum mu_gocs_op, void *);
diff --git a/libmu_auth/tls.c b/libmu_auth/tls.c
index dd60560..11b9903 100644
--- a/libmu_auth/tls.c
+++ b/libmu_auth/tls.c
@@ -426,24 +426,35 @@ static int
 prepare_client_session (mu_stream_t stream)
 {
   struct _mu_tls_stream *sp = (struct _mu_tls_stream *) stream;
-  int rc;
   mu_transport_t transport[2];
-  static int protocol_priority[] = {GNUTLS_TLS1, GNUTLS_SSL3, 0};
-  static int kx_priority[] = {GNUTLS_KX_RSA, 0};
-  static int cipher_priority[] = {GNUTLS_CIPHER_3DES_CBC,
-                                 GNUTLS_CIPHER_ARCFOUR_128,
-                                 0};
-  static int comp_priority[] = {GNUTLS_COMP_NULL, 0};
-  static int mac_priority[] = {GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0};
-
-  gnutls_init (&sp->session, GNUTLS_CLIENT);
-  gnutls_protocol_set_priority (sp->session, protocol_priority);
-  gnutls_cipher_set_priority (sp->session, cipher_priority);
-  gnutls_compression_set_priority (sp->session, comp_priority);
-  gnutls_kx_set_priority (sp->session, kx_priority);
-  gnutls_mac_set_priority (sp->session, mac_priority);
-
-  gnutls_certificate_allocate_credentials (&x509_cred);
+  int rc;
+
+  rc = gnutls_init (&sp->session, GNUTLS_CLIENT);
+  if (rc < 0)
+    {
+      sp->tls_err = rc;
+      return -1;
+    }
+
+  if (mu_tls_module_config.priority_string)
+    rc = gnutls_priority_set_direct (sp->session,
+                                    mu_tls_module_config.priority_string,
+                                    NULL);
+  else
+    rc = gnutls_set_default_priority (sp->session);
+  if (rc < 0)
+    {
+      sp->tls_err = rc;
+      return -1;
+    }
+
+  rc = gnutls_certificate_allocate_credentials (&x509_cred);
+  if (rc < 0)
+    {
+      sp->tls_err = rc;
+      return -1;
+    }
+
   if (mu_tls_module_config.ssl_cafile)
     {
       rc = gnutls_certificate_set_x509_trust_file (x509_cred,
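Review bot: The new early returns after a failed gnutls_priority_set_direct / gnutls_set_default_priority and after a failed gnutls_certificate_allocate_credentials leave the session created by gnutls_init at the top of the hunk allocated, and the return after a failed gnutls_credentials_set in the second hunk of this file additionally leaves the just-allocated x509_cred; unless the stream's destroy path deinitializes sp->session (not visible here), each path should release what it acquired, e.g. `gnutls_deinit (sp->session); sp->session = NULL;` before `return -1;`, plus `gnutls_certificate_free_credentials (x509_cred);` on the credentials_set path. x509_cred is not declared in the hunk; if it is file-scope, allocating into it on every call also discards any previous allocation, which predates this patch but belongs in the same cleanup. Passing a `const char *err_pos` as the third argument of gnutls_priority_set_direct and including it in the reported error would tell the operator which part of a mistyped priority-string was rejected. prepare_client_session continues past the end of this hunk.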
@@ -456,7 +467,12 @@ prepare_client_session (mu_stream_t stream)
        }
     }
 
-  gnutls_credentials_set (sp->session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+  rc = gnutls_credentials_set (sp->session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+  if (rc < 0)
+    {
+      sp->tls_err = rc;
+      return -1;
+    }
 
   mu_stream_ioctl (stream, MU_IOCTL_TRANSPORT, MU_IOCTL_OP_GET, transport);
   gnutls_transport_set_ptr2 (sp->session,
diff --git a/libmu_cfg/tls.c b/libmu_cfg/tls.c
index 94edcb8..b85b3de 100644
--- a/libmu_cfg/tls.c
+++ b/libmu_cfg/tls.c
@@ -44,7 +44,8 @@ static struct mu_tls_module_config tls_settings = {
     SSL_KEY_FILE_CHECKS, /* Stringent safety checks for keys */
 
     NULL,                /* CA file */
-    SSL_CA_FILE_CHECKS
+    SSL_CA_FILE_CHECKS,
+    NULL               /* GnuTLS Priority string */
 };
 
 static int
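Review bot: The added `NULL /* GnuTLS Priority string */` extends a positional initializer, so its correctness depends on priority_string staying the last member of struct mu_tls_module_config in the order given in tls.h; if the project compiles as C99 or later, a designated initializer such as `.priority_string = NULL,` (and `.ssl_cafile_safety_checks = SSL_CA_FILE_CHECKS,` for the line above) stays correct if the struct is reordered and makes the trailing comments redundant. Since omitted trailing members of a static initializer are zero-initialized anyway, the explicit NULL is documentation only, which is another reason to name the member.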
@@ -114,6 +115,9 @@ static struct mu_cfg_param mu_tls_param[] = {
     cb_safety_checks,
     N_("Configure safety checks for SSL certificate authority file.  See above 
for a description of <arg>."),
     N_("arg: list") },  
+  { "priority-string", mu_cfg_string, &tls_settings.priority_string, 0, NULL,
+    N_("Specify TLS priority string (by default \"DEFAULT\")."),
+    N_("string") },
   { NULL }
 }; 
 
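Review bot: The help text added for priority-string says the default is "DEFAULT", but when the option is unset the code in libmu_auth/tls.c calls gnutls_set_default_priority, which the GnuTLS manual documents as the library's built-in default (equivalent to the "NORMAL" priority in the GnuTLS versions current for this patch); "DEFAULT" does not appear to be a GnuTLS priority keyword, so an operator who copies it literally gets a rejected string and a failed session setup. Suggest `N_("Specify TLS priority string (by default the GnuTLS library default).")`, with the same wording in the programs.texi hunk. Because the string is handed to GnuTLS verbatim, the help text could also point the reader to the GnuTLS priority-string documentation for the valid keywords.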
-- 
1.7.2.5

