Full_Name: Ryan Tandy
Version: HEAD
OS: Debian unstable
URL:
Submission from: (NULL) (142.32.208.235)
Debian bug report: https://bugs.debian.org/745231
Quoting Andreas Metzler:
"given that gmp has been dual-licensed LGPLv3+/GPLv2+ it should be possible to switch openldap over to the newer version of gnutls.
Upstream's 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 lets the Debian package build successfully (including testsuite).
However, even with the patch there is still some work to be done. libraries/libldap/tls_g.c has some gcrypt related code that should be simply unnecessary with gnutls3, therefore it should not link against libgcrypt either. (Except for contrib/slapd-modules/smbk5pwd/smbk5pwd.c)."
The following changes make gcrypt optional for libldap. For versions where both nettle and gcrypt are supported, I assume the default since no mechanism is provided for detecting which is actually in use. Tested with GnuTLS 2.8.6 and 3.2.15.
--- a/libraries/libldap/tls_g.c +++ b/libraries/libldap/tls_g.c @@ -43,10 +43,17 @@
#include <gnutls/gnutls.h> #include <gnutls/x509.h> -#include <gcrypt.h>
#if LIBGNUTLS_VERSION_NUMBER >= 0x020200 #define HAVE_CIPHERSUITES 1 +#else +#undef HAVE_CIPHERSUITES +#endif + +/* gnutls >= 2.11.1 no longer uses gcrypt by default */ +#if LIBGNUTLS_VERSION_NUMBER < 0x020b01 +#include <gcrypt.h> +#if LIBGNUTLS_VERSION_NUMBER >= 0x020200 /* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x * but that dependency isn't reflected in their configure script, resulting in * build errors on older gcrypt. So, if they have a working build environment, @@ -54,9 +61,10 @@ */ #define HAVE_GCRYPT_RAND 1 #else -#undef HAVE_CIPHERSUITES #undef HAVE_GCRYPT_RAND #endif +#endif +
#ifndef HAVE_CIPHERSUITES /* Versions prior to 2.2.0 didn't handle cipher suites, so we had to @@ -143,6 +151,7 @@ tlsg_mutex_unlock( void **lock ) return ldap_pvt_thread_mutex_unlock( *lock ); }
+#if GNUTLS_VERSION_NUMBER <= 0x020b00 static struct gcry_thread_cbs tlsg_thread_cbs = { GCRY_THREAD_OPTION_USER, NULL, @@ -158,6 +167,16 @@ tlsg_thr_init( void ) { gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs); } +#else +static void +tlsg_thr_init( void ) +{ + gnutls_global_set_mutex (tlsg_mutex_init, + tlsg_mutex_destroy, + tlsg_mutex_lock, + tlsg_mutex_unlock); +} +#endif #endif /* LDAP_R_COMPILE */
/*
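Review bot: The comment added in the first hunk (@@ -43,10 +43,17 @@), "gnutls >= 2.11.1 no longer uses gcrypt by default", does not record the assumption stated in the submission text: for versions that support both nettle and gcrypt the default backend is assumed, because nothing detects which one is in use. With the guard `#if LIBGNUTLS_VERSION_NUMBER < 0x020b01` keyed on the version alone, a build of such a version that uses gcrypt would skip `#include <gcrypt.h>`. Suggest spelling that assumption out in the comment at the guard so the limitation is visible in the source.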
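Review bot: In the second hunk (@@ -54,9 +61,10 @@), `#undef HAVE_GCRYPT_RAND` ends up inside the new `#if LIBGNUTLS_VERSION_NUMBER < 0x020b01` block, so for GnuTLS >= 2.11.1 the macro is neither defined nor undefined at this point, whereas `#undef HAVE_CIPHERSUITES` was moved so that it still covers every version. Suggest adding an `#else` to the outer block that does `#undef HAVE_GCRYPT_RAND`, so code guarded by that macro cannot be compiled without `gcrypt.h`. The two consecutive `#endif` lines would also be easier to follow with trailing comments naming the condition each one closes.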
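Review bot: The guard added in the third hunk (@@ -143,6 +151,7 @@) tests `GNUTLS_VERSION_NUMBER <= 0x020b00`, while the first hunk and the rest of the visible code test `LIBGNUTLS_VERSION_NUMBER`, there written as `< 0x020b01`. The two comparisons select the same versions, but the macro name differs, and an identifier that is not defined evaluates to 0 in `#if`, which would silently pick the gcrypt branch after `gcrypt.h` has been left out. Suggest using `#if LIBGNUTLS_VERSION_NUMBER < 0x020b01` here so both guards are identical.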
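Review bot: The new `tlsg_thr_init` in the last hunk (@@ -158,6 +167,16 @@) calls `gnutls_global_set_mutex`, but the hunk does not show where `tlsg_thr_init` runs relative to `gnutls_global_init`. GnuTLS documents that `gnutls_global_set_mutex` has to be called before `gnutls_global_init`, so please confirm the existing call order satisfies that and note the requirement in a comment above the function. The `#else` and the `#endif` that follows it would also benefit from comments naming the version condition, since the `#endif /* LDAP_R_COMPILE */` directly after is already annotated.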
I have not looked at smbk5pwd yet.