authorCedric BAIL <cedric.bail@free.fr>2012-02-09 10:30:04 +0000
committerCedric BAIL <cedric.bail@free.fr>2012-02-09 10:30:04 +0000
commitfc61cc3e5bf38954a719b9fa78e473cdc845e3bb (patch)
treeea019a06aff97750a749162987bf5ddeb139d319
parent583d6df1a93c39094de9819761b7ee02a5297d17 (diff)
downloadeet-fc61cc3e5bf38954a719b9fa78e473cdc845e3bb.tar.gz
eet: add support for GnuTLS 3.x
SVN revision: 67785
-rw-r--r--ChangeLog14
-rw-r--r--NEWS1
-rw-r--r--configure.ac114
-rw-r--r--src/lib/eet_cipher.c69
4 files changed, 146 insertions, 52 deletions
diff --git a/ChangeLog b/ChangeLog
index 795d102..1ecc86f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -547,21 +547,25 @@
noticable quality losses in the chase for speed. It will use
IFAST for quality less than 60 when encoding
-2011-12-02 Carsten Haitzler (The Rasterman)
+2011-12-02 Carsten Haitzler (The Rasterman)
1.1.0 release
-
+
2011-12-02 Mike Blumenkrantz
* added eet_file_get to return the filename of an Eet_File
* Eet_File filenames are now stringshared
* added mempool allocators
-2011-12-29 Carsten Haitzler (The Rasterman)
+2011-12-29 Carsten Haitzler (The Rasterman)
* increase eet_connection packet size to 1Mb - more reasonable.
-2012-01-07 Boris Faure (billiob)
+2012-01-07 Boris Faure (billiob)
* make eet tool write to standard output if no output file given.
-
+
+2012-02-09 Cedric Bail
+
+ * add support for GNUTLS 3.x.
+
diff --git a/NEWS b/NEWS
index cccda15..29f0b57 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ Additions:
Improvements:
* most allocations moved to mempools
+ * support GNUTLS 3.x
Eet 1.5.0
diff --git a/configure.ac b/configure.ac
index 220e2a1..30e2d38 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-y##--##--##--##--##--##--##--##--##--##--##--##--##--##--##--##--##
+##--##--##--##--##--##--##--##--##--##--##--##--##--##--##--##--##
##--##--##--##--##--##--##--##--##--##--##--##--##--##--##--##--##
m4_define([v_maj], [1])
m4_define([v_min], [5])
@@ -110,39 +110,6 @@ else
AC_DEFINE(EET_OLD_EET_FILE_FORMAT, 0, [support old eet file format])
fi
-# Gnutls support
-
-AC_ARG_ENABLE([gnutls],
- [AC_HELP_STRING([--disable-gnutls], [disable gnutls eet support])],
- [want_gnutls=$enableval]
-)
-AC_MSG_CHECKING([whether to use Gnutls])
-AC_MSG_RESULT([${want_gnutls}])
-
-# Specific GNUTLS improvement
-
-new_gnutls_api="yes"
-AC_ARG_ENABLE(new-gnutls-api,
- [AC_HELP_STRING(
- [--disable-new-gnutls-api],
- [enable use of gnutls_x509_crt_verify_hash. [[default=enable]]]
- )],
- [new_gnutls_api=$enableval]
-)
-AC_MSG_CHECKING([whether to use gnutls_x509_crt_verify_hash])
-AC_MSG_RESULT([${new_gnutls_api}])
-
-if test "x${new_gnutls_api}" = "xyes" ; then
- AC_CHECK_LIB(gnutls, gnutls_x509_crt_verify_hash,
- [ new_gnutls_api="yes" ],
- [ new_gnutls_api="no" ]
- )
-
- if test "x${new_gnutls_api}" = "xyes"; then
- AC_DEFINE(EET_USE_NEW_GNUTLS_API, 1, [use gnutls_x509_crt_verify_hash])
- fi
-fi
-
# Openssl support
AC_ARG_ENABLE([openssl],
@@ -267,6 +234,15 @@ AC_SUBST(EET_LIBS)
PKG_CHECK_MODULES(EINA, [eina >= 1.1.0])
requirement_eet="eina >= 1.1.0 ${requirement_eet}"
+# Gnutls support
+
+AC_ARG_ENABLE([gnutls],
+ [AC_HELP_STRING([--disable-gnutls], [disable gnutls eet support])],
+ [want_gnutls=$enableval]
+)
+AC_MSG_CHECKING([whether to use Gnutls])
+AC_MSG_RESULT([${want_gnutls}])
+
# Gnutls library
have_gnutls="no"
if test "x${want_gnutls}" = "xyes" || test "x${want_gnutls}" = "xauto" ; then
@@ -287,6 +263,76 @@ if test "x${want_gnutls}" = "xyes" || test "x${want_gnutls}" = "xauto" ; then
fi
fi
+# Specific GNUTLS improvement
+
+new_gnutls_api="yes"
+AC_ARG_ENABLE(new-gnutls-api,
+ [AC_HELP_STRING(
+ [--disable-new-gnutls-api],
+ [enable use of gnutls_x509_crt_verify_hash. [[default=enable]]]
+ )],
+ [new_gnutls_api=$enableval]
+)
+AC_MSG_CHECKING([whether to use gnutls_x509_crt_verify_hash])
+AC_MSG_RESULT([${new_gnutls_api}])
+
+if test "x${new_gnutls_api}" = "xyes" ; then
+ tmp_CFLAGS="${CFLAGS}"
+ tmp_LIBS="${LIBS}"
+ CFLAGS="${GNUTLS_CFLAGS}"
+ LIBS="${GNUTLS_LIBS}"
+ AC_CHECK_LIB(gnutls, gnutls_x509_crt_verify_hash,
+ [ new_gnutls_api="yes" ],
+ [ new_gnutls_api="no" ]
+ )
+ CFLAGS="${tmp_CFLAGS}"
+ LIBS="${tmp_LIBS}"
+
+ if test "x${new_gnutls_api}" = "xyes"; then
+ AC_DEFINE(EET_USE_NEW_GNUTLS_API, 1, [use gnutls_x509_crt_verify_hash])
+ fi
+fi
+
+use_gnutls_privkey_sign_data="no"
+if test "x${want_gnutls}" = "xyes" -o "x${want_gnutls}" = "xauto"; then
+ tmp_CFLAGS="${CFLAGS}"
+ tmp_LIBS="${LIBS}"
+ CFLAGS="${GNUTLS_CFLAGS}"
+ LIBS="${GNUTLS_LIBS}"
+ AC_CHECK_LIB(gnutls, gnutls_privkey_sign_data,
+ [ use_gnutls_privkey_sign_data="yes" ],
+ [ use_gnutls_privkey_sign_data="no" ]
+ )
+ CFLAGS="${tmp_CFLAGS}"
+ LIBS="${tmp_LIBS}"
+
+ if test "x${use_gnutls_privkey_sign_data}" = "xyes"; then
+ AC_DEFINE(EET_USE_NEW_PRIVKEY_SIGN_DATA, 1, [use gnutls_privkey_sign_data])
+ fi
+fi
+AC_MSG_CHECKING([whether to use gnutls_privkey_sign_data])
+AC_MSG_RESULT([${use_gnutls_privkey_sign_data}])
+
+use_gnutls_pubkey_verify_hash="no"
+if test "x${want_gnutls}" = "xyes" -o "x${want_gnutls}" = "xauto"; then
+ tmp_CFLAGS="${CFLAGS}"
+ tmp_LIBS="${LIBS}"
+ CFLAGS="${GNUTLS_CFLAGS}"
+ LIBS="${GNUTLS_LIBS}"
+ AC_CHECK_LIB(gnutls, gnutls_pubkey_verify_hash,
+ [ use_gnutls_pubkey_verify_hash="yes" ],
+ [ use_gnutls_pubkey_verify_hash="no" ]
+ )
+ CFLAGS="${tmp_CFLAGS}"
+ LIBS="${tmp_LIBS}"
+
+ if test "x${use_gnutls_pubkey_verify_hash}" = "xyes"; then
+ AC_DEFINE(EET_USE_NEW_PUBKEY_VERIFY_HASH, 1, [use gnutls_pubkey_verify_hash])
+ fi
+fi
+AC_MSG_CHECKING([whether to use gnutls_pubkey_verify_hash])
+AC_MSG_RESULT([${use_gnutls_pubkey_verify_hash}])
+
# Openssl library
have_openssl="no"
if test "x${want_openssl}" = "xyes" || test "x${want_openssl}" = "xauto" ; then
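Review bot: The two new feature probes for gnutls_privkey_sign_data and gnutls_pubkey_verify_hash are gated on `want_gnutls` rather than on the `have_gnutls` result computed just above, so they run (and can define EET_USE_NEW_PRIVKEY_SIGN_DATA / EET_USE_NEW_PUBKEY_VERIFY_HASH) even when the GnuTLS package check failed and GNUTLS_CFLAGS/GNUTLS_LIBS are empty; `if test "x${have_gnutls}" = "xyes"; then` is the condition that matches the intent. The save/restore dance around each AC_CHECK_LIB also overwrites LIBS instead of extending it, `LIBS="${GNUTLS_LIBS} ${LIBS}"` keeps whatever was accumulated earlier. Since the three blocks differ only in the symbol and macro name, an AC_DEFUN taking those two arguments would remove the triplication and make the next GnuTLS symbol check a one-liner. Minor: these tests use `-o` where the surrounding file spells the same condition with `||`.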
diff --git a/src/lib/eet_cipher.c b/src/lib/eet_cipher.c
index 37a0899..0d4203b 100644
--- a/src/lib/eet_cipher.c
+++ b/src/lib/eet_cipher.c
@@ -56,6 +56,9 @@ void *alloca(size_t);
#ifdef HAVE_CIPHER
# ifdef HAVE_GNUTLS
+# if defined EET_USE_NEW_PUBKEY_VERIFY_HASH || defined EET_USE_NEW_PRIVKEY_SIGN_DATA
+# include <gnutls/abstract.h>
+# endif
# include <gnutls/x509.h>
# include <gcrypt.h>
# else /* ifdef HAVE_GNUTLS */
@@ -497,6 +500,10 @@ eet_identity_sign(FILE *fp,
gnutls_datum_t datum = { NULL, 0 };
size_t sign_len = 0;
size_t cert_len = 0;
+#ifdef EET_USE_NEW_PRIVKEY_SIGN_DATA
+ gnutls_datum_t signum = { NULL, 0 };
+ gnutls_privkey_t privkey;
+#endif
# else /* ifdef HAVE_GNUTLS */
EVP_MD_CTX md_ctx;
unsigned int sign_len = 0;
@@ -528,6 +535,28 @@ eet_identity_sign(FILE *fp,
datum.size = st_buf.st_size;
/* Get the signature length */
+#ifdef EET_USE_NEW_PRIVKEY_SIGN_DATA
+ if (gnutls_privkey_init(&privkey) < 0)
+ {
+ err = EET_ERROR_SIGNATURE_FAILED;
+ goto on_error;
+ }
+
+ if (gnutls_privkey_import_x509(privkey, key->private_key, 0) < 0)
+ {
+ err = EET_ERROR_SIGNATURE_FAILED;
+ goto on_error;
+ }
+
+ if (gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &datum, &signum) < 0)
+ {
+ err = EET_ERROR_SIGNATURE_FAILED;
+ goto on_error;
+ }
+
+ sign = signum.data;
+ sign_len = signum.size;
+#else
if (gnutls_x509_privkey_sign_data(key->private_key, GNUTLS_DIG_SHA1, 0,
&datum, sign, &sign_len) &&
!sign_len)
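Review bot: The gnutls_privkey_t handle obtained from gnutls_privkey_init is never released: the three error branches `goto on_error` with it live, and the success path falls through to `sign = signum.data;` without a gnutls_privkey_deinit either, so every signing call leaks the handle. Importing with flags 0 does not transfer ownership of key->private_key, so the handle can be released right after gnutls_privkey_sign_data returns, as below. Separately, `sign = signum.data;` replaces the `sign` pointer the old API wrote into; if that buffer was heap-allocated earlier in eet_identity_sign it is now leaked, and signum.data (allocated by GnuTLS) has to be released with gnutls_free() once written out, neither of which is visible in this hunk since the function continues outside it. The gnutls error codes are also discarded here, folding them into the EET_ERROR_SIGNATURE_FAILED path; a debug log of the return value would make a failing signature diagnosable.
```c
#ifdef EET_USE_NEW_PRIVKEY_SIGN_DATA
   if (gnutls_privkey_init(&privkey) < 0)
     {
        err = EET_ERROR_SIGNATURE_FAILED;
        goto on_error;
     }

   /* flags == 0: the handle does not own key->private_key, so it can be
    * released as soon as the signature has been produced, on both outcomes */
   if (gnutls_privkey_import_x509(privkey, key->private_key, 0) < 0 ||
       gnutls_privkey_sign_data(privkey, GNUTLS_DIG_SHA1, 0, &datum, &signum) < 0)
     {
        gnutls_privkey_deinit(privkey);
        err = EET_ERROR_SIGNATURE_FAILED;
        goto on_error;
     }
   gnutls_privkey_deinit(privkey);

   sign = signum.data;
   sign_len = signum.size;
#else
/* … unchanged: legacy gnutls_x509_privkey_sign_data path … */
```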
@@ -550,6 +579,7 @@ eet_identity_sign(FILE *fp,
goto on_error;
}
+#endif
/* Get the certificate length */
if (gnutls_x509_crt_export(key->certificate, GNUTLS_X509_FMT_DER, cert,
@@ -696,6 +726,10 @@ eet_identity_check(const void *data_base,
gnutls_datum_t datum;
gnutls_datum_t signature;
# if EET_USE_NEW_GNUTLS_API
+# if EET_USE_NEW_PUBKEY_VERIFY_HASH
+ gnutls_pubkey_t pubkey;
+ gnutls_digest_algorithm_t hash_algo;
+# endif
unsigned char *hash;
gcry_md_hd_t md;
int err;
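Review bot: The declarations are guarded with `# if EET_USE_NEW_PUBKEY_VERIFY_HASH` while the use site later in eet_identity_check and the include at the top of the file test the same macro with `# ifdef` / `defined`. With the AC_DEFINE value of 1 both forms agree, but a future config header that defines the macro to 0 would declare nothing here and still compile the code that uses `pubkey`; pick one form, `# ifdef EET_USE_NEW_PUBKEY_VERIFY_HASH`, for all three sites. eet_identity_check starts outside this hunk.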
@@ -724,28 +758,32 @@ eet_identity_check(const void *data_base,
hash = gcry_md_read(md, GCRY_MD_SHA1);
if (!hash)
- {
- gcry_md_close(md);
- return NULL;
- }
+ goto on_error;
datum.size = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
datum.data = hash;
+# ifdef EET_USE_NEW_PUBKEY_VERIFY_HASH
+ if (gnutls_pubkey_init(&pubkey) < 0)
+ goto on_error;
+
+ if (gnutls_pubkey_import_x509(pubkey, cert, 0) < 0)
+ goto on_error;
+
+ if (gnutls_pubkey_get_verify_algorithm(pubkey, &signature, &hash_algo) < 0)
+ goto on_error;
+
+ if (gnutls_pubkey_verify_hash(pubkey, 0, &datum, &signature) < 0)
+ goto on_error;
+# else
if (!gnutls_x509_crt_verify_hash(cert, 0, &datum, &signature))
- {
- gcry_md_close(md);
- return NULL;
- }
+ goto on_error;
+# endif
if (sha1)
{
*sha1 = malloc(datum.size);
- if (!*sha1)
- {
- gcry_md_close(md);
- return NULL;
- }
+ if (!*sha1) goto on_error;
memcpy(*sha1, hash, datum.size);
*sha1_length = datum.size;
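Review bot: `pubkey` is initialized with gnutls_pubkey_init but never released: each of the three subsequent `goto on_error` branches leaves with the handle live, and the success path continues past gnutls_pubkey_verify_hash without a gnutls_pubkey_deinit, so every signature check leaks it. The `on_error:` block added in the last hunk of this file only calls gcry_md_close and cannot release the handle without tracking whether init ran (the `!hash` goto above precedes init), so the simplest fix is to release it in place before deciding how to leave, collecting the step results in a local such as `err`, which is declared in the same `# if EET_USE_NEW_GNUTLS_API` block. `hash_algo` is fetched by gnutls_pubkey_get_verify_algorithm and then never consulted; since the digest being verified was computed as SHA1 a few lines up, either drop that call or compare the result against GNUTLS_DIG_SHA1 explicitly so a mismatch is rejected for a stated reason rather than by the verification happening to fail. The gnutls return codes are discarded on all four calls; logging them on the failure path would help diagnose a bad certificate versus a bad signature.
```c
# ifdef EET_USE_NEW_PUBKEY_VERIFY_HASH
   if (gnutls_pubkey_init(&pubkey) < 0)
     goto on_error;

   /* run every step on the handle, then release it exactly once */
   err = gnutls_pubkey_import_x509(pubkey, cert, 0);
   if (err >= 0)
     err = gnutls_pubkey_get_verify_algorithm(pubkey, &signature, &hash_algo);
   /* the hash in datum was computed with SHA1 above; reject anything else */
   if (err >= 0 && hash_algo != GNUTLS_DIG_SHA1)
     err = -1;
   if (err >= 0)
     err = gnutls_pubkey_verify_hash(pubkey, 0, &datum, &signature);
   gnutls_pubkey_deinit(pubkey);
   if (err < 0)
     goto on_error;
# else
/* … unchanged: gnutls_x509_crt_verify_hash path and sha1 copy-out … */
```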
@@ -818,6 +856,11 @@ eet_identity_check(const void *data_base,
*raw_signature_length = sign_len;
return cert_der;
+# ifdef HAVE_GNUTLS
+ on_error:
+ gcry_md_close(md);
+ return NULL;
+# endif
#else /* ifdef HAVE_SIGNATURE */
data_base = NULL;
data_length = 0;