s4 with older GNUTLS

Matthias Dieter Wallnöfer mdw at samba.org
Sun Aug 30 17:13:05 UTC 2015


I need the attached patch to make s4 work with an older GNUTLS library,
which does not provide any gnutls_priority...() calls.

Cheers,
Matthias
-------------- next part --------------
commit 6ef5a0514a7a4713edaae2c13c2fb5576e15893f
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Sat Aug 8 21:26:51 2015 +0200

    s4:lib/tls - fix it on older GNUTLS libraries
    
    GNUTLS < 3 does not provide gnutls_priority_set_direct(). The only workaround is
    the fallback to gnutls_set_default_priority(), which has existed since the beginning.
    
    GNUTLS documentation: http://gnutls.org/manual/html_node/Core-TLS-API.html#Core-TLS-API
    Similar situation in the IM client Pidgin: https://developer.pidgin.im/ticket/14365

diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 2fe4ff7..23dc119 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -597,7 +597,10 @@ struct socket_context *tls_init_client(struct socket_context *socket_ctx,
 	gnutls_certificate_set_x509_trust_file(tls->xcred, ca_path, GNUTLS_X509_FMT_PEM);
 	TLSCHECK(gnutls_init(&tls->session, GNUTLS_CLIENT));
 	TLSCHECK(gnutls_set_default_priority(tls->session));
+#if GNUTLS_VERSION_MAJOR >= 3
 	gnutls_priority_set_direct(tls->session, "NORMAL:+CTYPE-OPENPGP", NULL);
+#endif
+
 	TLSCHECK(gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, tls->xcred));
 
 	talloc_set_destructor(tls, tls_destructor);
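Review bot: The return value of gnutls_priority_set_direct() inside the new `#if GNUTLS_VERSION_MAJOR >= 3` block is still discarded, so a priority string the library rejects leaves the client session silently on whatever gnutls_set_default_priority() installed two lines above, while the tstream paths in this same patch do check that call. Wrapping it like its neighbours, `TLSCHECK(gnutls_priority_set_direct(tls->session, "NORMAL:+CTYPE-OPENPGP", NULL));`, makes the failure visible, assuming TLSCHECK handles a non-success return the way it does for the gnutls_init() call above. A short comment above the guard, e.g. `/* GnuTLS < 3 has no gnutls_priority_set_direct(); the default priority set above is all that applies there */`, would tell the next reader that dropping the OPENPGP override on old builds is intentional. tls_init_client() continues outside the hunk.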
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 188a3b8..c37c677 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -1011,6 +1011,7 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
+#if GNUTLS_VERSION_MAJOR >= 3
 	ret = gnutls_priority_set_direct(tlss->tls_session,
 					 tls_params->tls_priority,
 					 &error_pos);
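Review bot: On the `#else` side of the new `#if GNUTLS_VERSION_MAJOR >= 3` guard (the block in the following hunk) the operator-configured `tls_params->tls_priority` string is never applied and nothing reports that, so a deliberately tightened priority setting is silently replaced by the library default on older GnuTLS builds. A log line in that branch, e.g. `DEBUG(0,("TLS %s - GnuTLS < 3: configured tls priority \"%s\" cannot be applied, using the library default.\n", __location__, tls_params->tls_priority));`, makes the downgrade visible to whoever set the option. `error_pos` is declared outside the hunk; if it is referenced only by the `#if` branch it becomes an unused variable on the fallback build, which `-Wunused-variable` will flag. The same two points apply to the accept path in the hunk starting at `_tstream_tls_accept_send` and its `#else` block. _tstream_tls_connect_send() starts and ends outside the hunk.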
@@ -1020,6 +1021,15 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
 		tevent_req_error(req, EINVAL);
 		return tevent_req_post(req, ev);
 	}
+#else
+	ret = gnutls_set_default_priority(tlss->tls_session);
+	if (ret != GNUTLS_E_SUCCESS) {
+		DEBUG(0,("TLS %s - %s.\n",
+			 __location__, gnutls_strerror(ret)));
+		tevent_req_error(req, EINVAL);
+		return tevent_req_post(req, ev);
+	}
+#endif
 
 	ret = gnutls_credentials_set(tlss->tls_session,
 				     GNUTLS_CRD_CERTIFICATE,
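Review bot: The new `#else` branch repeats the whole error-handling block (DEBUG, tevent_req_error, tevent_req_post) that already follows the `#if` branch, and the accept-path hunk below duplicates it a second time. If the existing check after gnutls_priority_set_direct() does not print `error_pos` (its head lies outside the visible hunk lines, so I cannot confirm), only the assignment to `ret` needs to be version-guarded and the single `if (ret != GNUTLS_E_SUCCESS)` block can serve both builds, as sketched below; otherwise the two DEBUG texts should at least differ, because the fallback message as written cannot be told apart from a set_direct failure in the log. _tstream_tls_connect_send() starts and ends outside the hunk.
```c
#if GNUTLS_VERSION_MAJOR >= 3
	/* … unchanged: ret = gnutls_priority_set_direct(...) … */
#else
	/* GnuTLS < 3 has no gnutls_priority_set_direct(); the library default is the only option. */
	ret = gnutls_set_default_priority(tlss->tls_session);
#endif
	/* … unchanged: the existing if (ret != GNUTLS_E_SUCCESS) error block … */
```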
@@ -1283,6 +1293,7 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
+#if GNUTLS_VERSION_MAJOR >= 3
 	ret = gnutls_priority_set_direct(tlss->tls_session,
 					 tlsp->tls_priority,
 					 &error_pos);
@@ -1292,6 +1303,15 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
 		tevent_req_error(req, EINVAL);
 		return tevent_req_post(req, ev);
 	}
+#else
+	ret = gnutls_set_default_priority(tlss->tls_session);
+	if (ret != GNUTLS_E_SUCCESS) {
+		DEBUG(0,("TLS %s - %s.\n",
+			 __location__, gnutls_strerror(ret)));
+		tevent_req_error(req, EINVAL);
+		return tevent_req_post(req, ev);
+	}
+#endif
 
 	ret = gnutls_credentials_set(tlss->tls_session, GNUTLS_CRD_CERTIFICATE,
 				     tlsp->x509_cred);

