From e15d2a793bc864f2e56e8fabf8c4d6d02a7f3b00 Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Sun, 29 Dec 2019 12:49:16 +0300 Subject: serv: support building with OCSP disabled Support gnutls-serv when building GnuTLS with OCSP API disabled. Signed-off-by: Dmitry Eremin-Solenikov --- src/Makefile.am | 7 +++++-- src/serv.c | 27 +++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index 92762fa88a..2677fbd221 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -82,13 +82,13 @@ else LIBOPTS = $(LIBOPTS_LDADD) endif -bin_PROGRAMS = psktool gnutls-cli-debug certtool +bin_PROGRAMS = psktool gnutls-cli-debug certtool gnutls-serv if ENABLE_SRP bin_PROGRAMS += srptool endif if ENABLE_OCSP -bin_PROGRAMS += ocsptool gnutls-serv +bin_PROGRAMS += ocsptool if ENABLE_ANON bin_PROGRAMS += gnutls-cli endif @@ -140,6 +140,8 @@ noinst_LTLIBRARIES += libcmd-ocsp.la libcmd_ocsp_la_SOURCES = ocsptool-args.def nodist_libcmd_ocsp_la_SOURCES = ocsptool-args.h ocsptool-args.c +endif + gnutls_serv_SOURCES = \ list.h serv.c \ udp-serv.c udp-serv.h \ @@ -153,6 +155,7 @@ noinst_LTLIBRARIES += libcmd-serv.la libcmd_serv_la_SOURCES = serv-args.def nodist_libcmd_serv_la_SOURCES = serv-args.c serv-args.h +if ENABLE_OCSP if ENABLE_ANON BENCHMARK_SRCS = benchmark-cipher.c benchmark.c benchmark.h benchmark-tls.c diff --git a/src/serv.c b/src/serv.c index de5691261f..a4dd445da8 100644 --- a/src/serv.c +++ b/src/serv.c @@ -121,7 +121,9 @@ static void tcp_server(const char *name, int port); /* These are global */ gnutls_srp_server_credentials_t srp_cred = NULL; gnutls_psk_server_credentials_t psk_cred = NULL; +#ifdef ENABLE_ANON gnutls_anon_server_credentials_t dh_cred = NULL; +#endif gnutls_certificate_credentials_t cert_cred = NULL; const int ssl_session_cache = 2048; 
@@ -384,7 +386,9 @@ gnutls_session_t initialize_session(int dtls) int ret; unsigned i; const char *err; +#ifdef ENABLE_ALPN gnutls_datum_t alpn[MAX_ALPN_PROTOCOLS]; +#endif unsigned alpn_size; unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH | GNUTLS_ENABLE_RAWPK; @@ -443,6 +447,12 @@ gnutls_session_t initialize_session(int dtls) } } +#ifndef ENABLE_ALPN + if (alpn_protos_size != 0) { + fprintf(stderr, "ALPN is not supported\n"); + exit(1); + } +#else alpn_size = MIN(MAX_ALPN_PROTOCOLS,alpn_protos_size); for (i=0;i%d bits.
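Review bot: `unsigned alpn_size;` is left outside the new `#ifdef ENABLE_ALPN` that now guards `gnutls_datum_t alpn[MAX_ALPN_PROTOCOLS];`, so a build with ALPN disabled carries an unused local in initialize_session (and possibly `i` as well, if the ALPN loop was its only remaining user — the rest of the function is outside the hunk). Put the count under the same guard: `#ifdef ENABLE_ALPN` / `gnutls_datum_t alpn[MAX_ALPN_PROTOCOLS]; unsigned alpn_size;` / `#endif`. initialize_session begins before and continues past this hunk.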
\n", gnutls_dh_get_prime_bits(session)); } +#endif tmp = gnutls_compression_get_name(gnutls_compression_get(session)); if (tmp == NULL) @@ -1256,6 +1271,12 @@ int main(int argc, char **argv) "Warning: no private key and certificate pairs were set.\n"); } +#ifndef ENABLE_OCSP + if (HAVE_OPT(IGNORE_OCSP_RESPONSE_ERRORS) || ocsp_responses_size != 0) { + fprintf(stderr, "OCSP is not supported!\n"); + exit(1); + } +#else /* OCSP status-request TLS extension */ if (HAVE_OPT(IGNORE_OCSP_RESPONSE_ERRORS)) gnutls_certificate_set_flags(cert_cred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK); @@ -1271,13 +1292,19 @@ int main(int argc, char **argv) exit(1); } } +#endif if (use_static_dh_params) { +#if defined(ENABLE_DHE) || defined(ENABLE_ANON) ret = gnutls_certificate_set_known_dh_params(cert_cred, GNUTLS_SEC_PARAM_MEDIUM); if (ret < 0) { fprintf(stderr, "Error while setting DH parameters: %s\n", gnutls_strerror(ret)); exit(1); } +#else + fprintf(stderr, "Setting DH parameters is not supported\n"); + exit(1); +#endif } else { gnutls_certificate_set_params_function(cert_cred, get_params); } -- cgit v1.2.1 From 99f4ce1ec5e88a13a115547252c4395426f59cb6 Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Sun, 29 Dec 2019 12:49:16 +0300 Subject: cli: support building with OCSP and ANON disabled Support gnutls-cli when building GnuTLS with OCSP and ANON authentication API disabled. Signed-off-by: Dmitry Eremin-Solenikov --- src/Makefile.am | 15 +++++---------- src/benchmark-tls.c | 20 ++++++++++++++++++++ src/cli.c | 30 +++++++++++++++++++++++++++--- 3 files changed, 52 insertions(+), 13 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index 2677fbd221..94b701a512 100644 --- a/src/Makefile.am +++ b/src/Makefile.am 
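Review bot: The `#if defined(ENABLE_DHE) || defined(ENABLE_ANON)` guard covers only the `use_static_dh_params` branch; the `else` branch still registers `get_params` through `gnutls_certificate_set_params_function`, and if that callback (outside the hunk) generates or imports DH parameters it needs the same guard, or a stub, on a DHE/ANON-less build. The `fprintf(stderr, "... not supported\n"); exit(1);` pair now appears for OCSP, DH and ALPN in serv.c; a small `static void unsupported(const char *what)` helper would keep those messages and the exit path in one place. main() continues past the hunk.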
@@ -82,16 +82,13 @@ else
 LIBOPTS = $(LIBOPTS_LDADD)
 endif
-bin_PROGRAMS = psktool gnutls-cli-debug certtool gnutls-serv
+bin_PROGRAMS = psktool gnutls-cli-debug certtool gnutls-serv gnutls-cli
 if ENABLE_SRP
 bin_PROGRAMS += srptool
 endif
 if ENABLE_OCSP
 bin_PROGRAMS += ocsptool
-if ENABLE_ANON
-bin_PROGRAMS += gnutls-cli
-endif
 endif
 if ENABLE_DANE
@@ -155,14 +152,14 @@ noinst_LTLIBRARIES += libcmd-serv.la
 libcmd_serv_la_SOURCES = serv-args.def
 nodist_libcmd_serv_la_SOURCES = serv-args.c serv-args.h
-if ENABLE_OCSP
-if ENABLE_ANON
-
 BENCHMARK_SRCS = benchmark-cipher.c benchmark.c benchmark.h benchmark-tls.c
 gnutls_cli_SOURCES = cli.c common.h common.c \
- socket.c socket.h ocsptool-common.c inline_cmds.h \
+ socket.c socket.h inline_cmds.h \
 $(BENCHMARK_SRCS)
+if ENABLE_OCSP
+gnutls_cli_SOURCES += ocsptool-common.c
+endif
 gnutls_cli_LDADD = ../lib/libgnutls.la -lm
 if ENABLE_DANE
 gnutls_cli_LDADD += ../libdane/libgnutls-dane.la
@@ -173,8 +170,6 @@ gnutls_cli_LDADD += $(LIBSOCKET) $(GETADDRINFO_LIB) $(LIB_CLOCK_GETTIME) \
 noinst_LTLIBRARIES += libcmd-cli.la
 libcmd_cli_la_SOURCES = cli-args.def
 nodist_libcmd_cli_la_SOURCES = cli-args.c cli-args.h
-endif
-endif
 gnutls_cli_debug_SOURCES = cli-debug.c tests.h tests.c \
 socket.c socket.h common.h common.c
diff --git a/src/benchmark-tls.c b/src/benchmark-tls.c
index 14a3d190cc..c9564e049f 100644
--- a/src/benchmark-tls.c
+++ b/src/benchmark-tls.c
@@ -292,7 +292,9 @@ static void test_ciphersuite(const char *cipher_prio, int size)
 const char *name;
 /* Init server */
+#ifdef ENABLE_ANON
 gnutls_anon_allocate_server_credentials(&s_anoncred);
+#endif
 gnutls_certificate_allocate_credentials(&s_certcred);
 gnutls_certificate_set_x509_key_mem(s_certcred, &server_cert,
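Review bot: Guarding only the `gnutls_anon_allocate_server_credentials(&s_anoncred)` call leaves `s_anoncred` itself declared (its declaration is above the hunk, outside view); unless that declaration is guarded as well, an ANON-less build now has an unused variable in test_ciphersuite, and the same applies to `c_anoncred` further down. It is also worth checking that none of the `cipher_prio` strings test_ciphersuite is called with request an anonymous key exchange, since without anon credentials those handshakes would presumably fail on such a build (the call sites are outside the hunk). Wrapping the declarations in the same `#ifdef ENABLE_ANON` and filtering anonymous entries at the call sites under the same macro would keep the benchmark runnable. test_ciphersuite begins before and continues past this hunk.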
@@ -313,7 +315,9 @@ static void test_ciphersuite(const char *cipher_prio, int size)
 fprintf(stderr, "Error in %s\n", str);
 exit(1);
 }
+#ifdef ENABLE_ANON
 gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
+#endif
 gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, s_certcred);
 gnutls_transport_set_push_function(server, server_push);
 gnutls_transport_set_pull_function(server, server_pull);
@@ -321,7 +325,9 @@ static void test_ciphersuite(const char *cipher_prio, int size)
 reset_buffers();
 /* Init client */
+#ifdef ENABLE_ANON
 gnutls_anon_allocate_client_credentials(&c_anoncred);
+#endif
 gnutls_certificate_allocate_credentials(&c_certcred);
 gnutls_init(&client, GNUTLS_CLIENT);
@@ -330,7 +336,9 @@ static void test_ciphersuite(const char *cipher_prio, int size)
 fprintf(stderr, "Error in %s\n", str);
 exit(1);
 }
+#ifdef ENABLE_ANON
 gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
+#endif
 gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, c_certcred);
 gnutls_transport_set_push_function(client, client_push);
 gnutls_transport_set_pull_function(client, client_pull);
@@ -386,8 +394,10 @@ static void test_ciphersuite(const char *cipher_prio, int size)
 gnutls_deinit(client);
 gnutls_deinit(server);
+#ifdef ENABLE_ANON
 gnutls_anon_free_client_credentials(c_anoncred);
 gnutls_anon_free_server_credentials(s_anoncred);
+#endif
 }
 static
@@ -448,7 +458,9 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
 /* Init server */
 gnutls_certificate_allocate_credentials(&s_certcred);
+#ifdef ENABLE_ANON
 gnutls_anon_allocate_server_credentials(&s_anoncred);
+#endif
 ret = 0;
 if (pk == GNUTLS_PK_RSA_PSS)
@@ -485,7 +497,9 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
 }
 /* Init client */
+#ifdef ENABLE_ANON
 gnutls_anon_allocate_client_credentials(&c_anoncred);
+#endif
 gnutls_certificate_allocate_credentials(&c_certcred);
 start_benchmark(&st);
@@ -505,8 +519,10 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
 fprintf(stderr, "Error in setting priority: %s\n", gnutls_strerror(ret));
 exit(1);
 }
+#ifdef ENABLE_ANON
 gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
+#endif
 gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, s_certcred);
 gnutls_transport_set_push_function(server, server_push);
@@ -523,8 +539,10 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
 fprintf(stderr, "Error in setting priority: %s\n", gnutls_strerror(ret));
 exit(1);
 }
+#ifdef ENABLE_ANON
 gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
+#endif
 gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, c_certcred);
@@ -580,8 +598,10 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
 printf(" - avg. handshake time: %.2f %s\n - standard deviation: %.2f %s\n\n", avg, scale, sqrt(svar), scale);
+#ifdef ENABLE_ANON
 gnutls_anon_free_client_credentials(c_anoncred);
 gnutls_anon_free_server_credentials(s_anoncred);
+#endif
 }
 void benchmark_tls(int debug_level, int ciphers)
diff --git a/src/cli.c b/src/cli.c
index 4f4a26c89f..26b6f74099 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -389,6 +389,11 @@ static int cert_verify_callback(gnutls_session_t session)
 try_save_cert(session);
 }
+#ifndef ENABLE_OCSP
+ if (HAVE_OPT(SAVE_OCSP) || HAVE_OPT(OCSP)) {
+ fprintf(stderr, "OCSP is not supported!\n");
+ }
+#else
 rc = gnutls_ocsp_status_request_get(session, &oresp);
 if (rc < 0) {
 oresp.data = NULL;
@@ -403,6 +408,7 @@ static int cert_verify_callback(gnutls_session_t session)
 fclose(fp);
 }
 }
+#endif
 print_cert_info(session, verbose, print_cert);
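Review bot: With OCSP compiled out, `--ocsp` (and `--save-ocsp`) now only prints `OCSP is not supported!` from inside cert_verify_callback and the handshake proceeds as if the requested revocation check had happened, which is fail-open for a user who asked for it explicitly; the server half of this series treats the same situation as fatal (`exit(1)` in serv.c's main()). Reject the options once, in main() after option parsing, with `if (HAVE_OPT(OCSP) || HAVE_OPT(SAVE_OCSP)) { fprintf(stderr, "OCSP is not supported!\n"); exit(1); }`, or at minimum `return -1` here when `ENABLED_OPT(OCSP)` is set and `insecure` is not, so a build-time difference cannot silently downgrade the check. As written the message is also repeated on every verification callback rather than once at startup. cert_verify_callback begins before and continues past this hunk.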
@@ -413,7 +419,9 @@ static int cert_verify_callback(gnutls_session_t session)
 (stdout, "*** PKI verification of server certificate failed...\n");
 if (!insecure && !ssh)
 return -1;
- } else if (ENABLED_OPT(OCSP) && gnutls_ocsp_status_request_is_checked(session, 0) == 0) { /* off-line verification succeeded. Try OCSP */
+ }
+#ifdef ENABLE_OCSP
+ else if (ENABLED_OPT(OCSP) && gnutls_ocsp_status_request_is_checked(session, 0) == 0) { /* off-line verification succeeded. Try OCSP */
 rc = cert_verify_ocsp(session);
 if (rc == -1) {
 log_msg
@@ -425,6 +433,7 @@ static int cert_verify_callback(gnutls_session_t session)
 else log_msg(stdout, "*** OCSP: verified %d certificate(s).\n", rc);
 }
+#endif
 }
 if (dane) { /* try DANE auth */
@@ -677,10 +686,21 @@ gnutls_session_t init_tls_session(const char *host)
 host, strlen(host));
 }
- if (HAVE_OPT(DH_BITS))
+ if (HAVE_OPT(DH_BITS)) {
+#if defined(ENABLE_DHE) || defined(ENABLE_ANON)
 gnutls_dh_set_prime_bits(session, OPT_VALUE_DH_BITS);
+#else
+ fprintf(stderr, "Setting DH parameters is not supported\n");
+ exit(1);
+#endif
+ }
+
 if (HAVE_OPT(ALPN)) {
+#ifndef ENABLE_ALPN
+ fprintf(stderr, "ALPN is not supported\n");
+ exit(1);
+#else
 unsigned proto_n = STACKCT_OPT(ALPN);
 char **protos = (void *) STACKLST_OPT(ALPN);
@@ -696,6 +716,7 @@ gnutls_session_t init_tls_session(const char *host)
 p[i].size = strlen(protos[i]);
 }
 gnutls_alpn_set_protocols(session, p, proto_n, 0);
+#endif
 }
 gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred);
@@ -1135,6 +1156,7 @@ int do_inline_command_processing(char *buffer_ptr, size_t curr_bytes,
 static void
 print_other_info(gnutls_session_t session)
 {
+#ifdef ENABLE_OCSP
 int ret;
 gnutls_datum_t oresp;
@@ -1175,7 +1197,7 @@ print_other_info(gnutls_session_t session)
 gnutls_free(p.data);
 }
 }
-
+#endif
 }
 int main(int argc, char **argv)
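Review bot: The context line `gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred);` closing this hunk is left unconditional, while this same commit wraps the equivalent calls in benchmark-tls.c in `#ifdef ENABLE_ANON`. For an ANON-less build to compile, `anon_cred` must still be declared somewhere in cli.c (its declaration is outside the hunk), and if it is, a credential is presumably being installed for a key exchange the library cannot offer. Wrapping the line the same way, `#ifdef ENABLE_ANON` / `gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred);` / `#endif`, keeps the two files consistent. init_tls_session continues past the hunk.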
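Review bot: With OCSP disabled, everything between print_other_info's opening brace and the new `#endif` is compiled out, leaving `session` as an unused parameter; that is a warning under `-Wunused-parameter` and an error if the tree builds with `-Werror` (the build flags are not visible here). Adding `(void) session;` before `#ifdef ENABLE_OCSP`, or guarding the whole function together with its call site, avoids it.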
@@ -1961,6 +1983,7 @@ static void init_global_tls_stuff(void)
 * -1: certificate chain could not be checked fully
 * >=0: number of certificates verified ok
 */
+#ifdef ENABLE_OCSP
 static int cert_verify_ocsp(gnutls_session_t session)
 {
 gnutls_x509_crt_t cert, issuer;
@@ -2057,3 +2080,4 @@ cleanup:
 return -1;
 return ok >= 1 ? (int) ok : -1;
 }
+#endif
--
cgit v1.2.1
From 5735694983629143ef29eaf54472916ad1fb7805 Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov
Date: Sun, 29 Dec 2019 12:52:21 +0300
Subject: cli: fix building with GOST disabled
Fix building gnutls-cli (benchmark part) with GOST keys support being disabled.
Signed-off-by: Dmitry Eremin-Solenikov
---
 src/benchmark-tls.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/benchmark-tls.c b/src/benchmark-tls.c
index c9564e049f..2c062a6ee7 100644
--- a/src/benchmark-tls.c
+++ b/src/benchmark-tls.c
@@ -486,10 +486,12 @@ static void test_ciphersuite_kx(const char *cipher_prio, unsigned pk)
 ret = gnutls_certificate_set_x509_key_mem(s_certcred,
 &server_ed25519_cert,
 &server_ed25519_key, GNUTLS_X509_FMT_PEM);
+#ifdef ENABLE_GOST
 else if (pk == GNUTLS_PK_GOST_12_256)
 ret = gnutls_certificate_set_x509_key_mem(s_certcred,
 &server_gost12_256_cert,
 &server_gost12_256_key, GNUTLS_X509_FMT_PEM);
+#endif
 if (ret < 0) {
 fprintf(stderr, "Error in %d: %s\n", __LINE__,
 gnutls_strerror(ret));
--
cgit v1.2.1
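Review bot: When `pk == GNUTLS_PK_GOST_12_256` reaches this function on a build without ENABLE_GOST, the new guard removes the only arm that handles it, so no branch of the `if`/`else if` chain runs, `ret` keeps the `0` it was initialised to earlier in the function, and `if (ret < 0)` does not fire; the server is then left with no certificate and the failure presumably surfaces later in the handshake with a less helpful message. Add a final `else { fprintf(stderr, "Error in %d: unsupported key type %u\n", __LINE__, pk); exit(1); }` after the `#endif`, or drop the GOST entry from the caller's list under the same macro (the call site is outside the hunk). test_ciphersuite_kx begins before and continues past the hunk.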