Accepting request 122231 from Base:System

- backport gnutls_certificate_set_x509_system_trust() from git and add support for trust store directories (bnc#761634) (forwarded request 122019 from lnussel) OBS-URL: https://build.opensuse.org/request/show/122231 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=47
2012-05-25 15:33:18 +00:00 · 2012-05-25 15:33:18 +00:00 · 39516d919c
commit 39516d919c
parent 75d3eb044c
4 changed files with 421 additions and 0 deletions
--- a/gnutls-implement-trust-store-dir.diff
+++ b/gnutls-implement-trust-store-dir.diff
@ -0,0 +1,156 @@
 From 513244e20eb057b37edfe326c164935758772a0f Mon Sep 17 00:00:00 2001
 From: Ludwig Nussel <ludwig.nussel@suse.de>
 Date: Tue, 8 May 2012 15:47:02 +0200
 Subject: [PATCH gnutls] implement trust store dir
 ---
 configure.ac      |   18 ++++++++++++-
 lib/gnutls_x509.c |   72 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 1 deletions(-)
 Index: gnutls-3.0.19/configure.ac
 ===================================================================
 --- gnutls-3.0.19.orig/configure.ac
 +++ gnutls-3.0.19/configure.ac
@@ -296,13 +296,23 @@ AC_ARG_WITH([default-trust-store-file],
   [AS_HELP_STRING([--with-default-trust-store-file=FILE],
     [use the given file default trust store])])
 -if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then
 +AC_ARG_WITH([default-trust-store-dir],
 +  [AS_HELP_STRING([--with-default-trust-store-dir=DIR],
 +     [use the given directory default trust store])])
 +
 +if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x \
 +	 -a "x$with_default_trust_store_dir" = x; then
   # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
   for i in \
 +    /etc/ssl/certs \
     /etc/ssl/certs/ca-certificates.crt \
     /etc/pki/tls/cert.pem \
     /usr/local/share/certs/ca-root-nss.crt
     do
 +    if test -d $i; then
 +      with_default_trust_store_dir="$i"
 +      break
 +    fi
     if test -e $i; then
       with_default_trust_store_file="$i"
       break
@@ -315,6 +325,11 @@ if test "x$with_default_trust_store_file
     ["$with_default_trust_store_file"], [use the given file default trust store])
 fi
 +if test "x$with_default_trust_store_dir" != x; then
 +  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR],
 +    ["$with_default_trust_store_dir"], [use the given directory default trust store])
 +fi
 +
 dnl Guile bindings.
 opt_guile_bindings=yes
 AC_MSG_CHECKING([whether building Guile bindings])
@@ -550,6 +565,7 @@ if features are disabled)
   Anon auth support:$ac_enable_anon
   Trust store pkcs: $with_default_trust_store_pkcs11
   Trust store file: $with_default_trust_store_file
 +  Trust store dir:  $with_default_trust_store_dir
 ])
 AC_MSG_NOTICE([Optional applications:
 Index: gnutls-3.0.19/lib/gnutls_x509.c
 ===================================================================
 --- gnutls-3.0.19.orig/lib/gnutls_x509.c
 +++ gnutls-3.0.19/lib/gnutls_x509.c
@@ -36,6 +36,7 @@
 #include <gnutls_pk.h>
 #include <gnutls_str.h>
 #include <debug.h>
 +#include <dirent.h>
 #include <x509_b64.h>
 #include <gnutls_x509.h>
 #include "x509/common.h"
@@ -1618,6 +1619,72 @@ _gnutls_certificate_set_x509_system_trus
 }
 #endif
 +#ifdef DEFAULT_TRUST_STORE_DIR
 +static int
 +_gnutls_certificate_set_x509_system_trust_dir (gnutls_certificate_credentials_t cred)
 +{
 +  DIR* dir;
 +  struct dirent* buf, *de;
 +  int ret, r = 0;
 +  gnutls_datum_t cas;
 +  size_t size;
 +  char cafile[PATH_MAX];
 +
 +  dir = opendir(DEFAULT_TRUST_STORE_DIR);
 +  if (dir == NULL)
 +    {
 +      gnutls_assert ();
 +      return GNUTLS_E_FILE_ERROR;
 +    }
 +
 +  buf = alloca(offsetof(struct dirent, d_name) + pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX) + 1);
 +
 +  while (1)
 +    {
 +      if (readdir_r(dir, buf, &de))
 +	{
 +	  gnutls_assert();
 +	  break;
 +	}
 +      if (de == NULL)
 +	{
 +	  break;
 +	}
 +      if (strlen(de->d_name) < 4 || strcmp(de->d_name+strlen(de->d_name)-4, ".pem"))
 +	{
 +	  continue;
 +	}
 +
 +      strcpy(cafile, DEFAULT_TRUST_STORE_DIR "/");
 +      strncat(cafile, de->d_name, sizeof(cafile)-strlen(cafile)-1);
 +      cas.data = (void*)read_binary_file (cafile, &size);
 +      if (cas.data == NULL)
 +	{
 +	  gnutls_assert ();
 +	  continue;
 +	}
 +
 +      cas.size = size;
 +
 +      ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
 +
 +      free (cas.data);
 +
 +      if (ret < 0)
 +	{
 +	  gnutls_assert ();
 +	}
 +      else
 +	{
 +	  r += ret;
 +	}
 +    }
 +  closedir(dir);
 +
 +  return r;
 +}
 +#endif
 +
 /**
  * gnutls_certificate_set_x509_system_trust:
  * @cred: is a #gnutls_certificate_credentials_t structure.
@@ -1640,6 +1707,11 @@ gnutls_certificate_set_x509_system_trust
   if (ret > 0)
     r += ret;
 #endif
 +#ifdef DEFAULT_TRUST_STORE_DIR
 +  ret = _gnutls_certificate_set_x509_system_trust_dir(cred);
 +  if (ret > 0)
 +    r += ret;
 +#endif
   return r;
 }
--- a/gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff
+++ b/gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff
@ -0,0 +1,250 @@
 From d5633875724fe383adb4e994fc72bd7c64acb197 Mon Sep 17 00:00:00 2001
 From: Ludwig Nussel <ludwig.nussel@suse.de>
 Date: Tue, 8 May 2012 16:28:25 +0200
 Subject: [PATCH gnutls] introduce gnutls_certificate_set_x509_system_trust
 gnutls_certificate_set_x509_system_trust() imports the trusted root CA's
 from a compile time defined location. That way applications don't
 need to know.
 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
 ---
 configure.ac                    |   37 ++++++++++++++++++++++++++
 doc/Makefile.am                 |    1 +
 doc/manpages/Makefile.am        |    1 +
 lib/gnutls_x509.c               |   55 +++++++++++++++++++++++++++++++++++++++
 lib/includes/gnutls/gnutls.h.in |    3 ++
 lib/libgnutls.map               |    5 +++
 src/cli.c                       |   29 +++++++++-----------
 7 files changed, 115 insertions(+), 16 deletions(-)
 Index: gnutls-3.0.19/configure.ac
 ===================================================================
 --- gnutls-3.0.19.orig/configure.ac
 +++ gnutls-3.0.19/configure.ac
@@ -280,6 +280,41 @@ AC_PROG_LN_S
 AC_LIBTOOL_WIN32_DLL
 AC_PROG_LIBTOOL
 +AC_ARG_WITH([default-trust-store-pkcs11],
 +  [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
 +    [use the given pkcs11 uri as default trust store])])
 +
 +if test "x$with_default_trust_store_pkcs11" != x; then
 +  if test "x$with_p11_kit" = xno; then
 +    AC_MSG_ERROR([cannot use pkcs11 store without p11-kit])
 +  fi
 +  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_PKCS11],
 +    ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default trust store])
 +fi
 +
 +AC_ARG_WITH([default-trust-store-file],
 +  [AS_HELP_STRING([--with-default-trust-store-file=FILE],
 +    [use the given file default trust store])])
 +
 +if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then
 +  # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
 +  for i in \
 +    /etc/ssl/certs/ca-certificates.crt \
 +    /etc/pki/tls/cert.pem \
 +    /usr/local/share/certs/ca-root-nss.crt
 +    do
 +    if test -e $i; then
 +      with_default_trust_store_file="$i"
 +      break
 +    fi
 +  done
 +fi
 +
 +if test "x$with_default_trust_store_file" != x; then
 +  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE],
 +    ["$with_default_trust_store_file"], [use the given file default trust store])
 +fi
 +
 dnl Guile bindings.
 opt_guile_bindings=yes
 AC_MSG_CHECKING([whether building Guile bindings])
@@ -513,6 +548,8 @@ if features are disabled)
   SRP support:      $ac_enable_srp
   PSK support:      $ac_enable_psk
   Anon auth support:$ac_enable_anon
 +  Trust store pkcs: $with_default_trust_store_pkcs11
 +  Trust store file: $with_default_trust_store_file
 ])
 AC_MSG_NOTICE([Optional applications:
 Index: gnutls-3.0.19/doc/Makefile.am
 ===================================================================
 --- gnutls-3.0.19.orig/doc/Makefile.am
 +++ gnutls-3.0.19/doc/Makefile.am
@@ -717,6 +717,7 @@ FUNCS += functions/gnutls_certificate_fr
 FUNCS += functions/gnutls_certificate_set_dh_params
 FUNCS += functions/gnutls_certificate_set_verify_flags
 FUNCS += functions/gnutls_certificate_set_verify_limits
 +FUNCS += functions/gnutls_certificate_set_x509_system_trust
 FUNCS += functions/gnutls_certificate_set_x509_trust_file
 FUNCS += functions/gnutls_certificate_set_x509_trust_mem
 FUNCS += functions/gnutls_certificate_set_x509_crl_file
 Index: gnutls-3.0.19/doc/manpages/Makefile.am
 ===================================================================
 --- gnutls-3.0.19.orig/doc/manpages/Makefile.am
 +++ gnutls-3.0.19/doc/manpages/Makefile.am
@@ -314,6 +314,7 @@ APIMANS += gnutls_certificate_free_crls.
 APIMANS += gnutls_certificate_set_dh_params.3
 APIMANS += gnutls_certificate_set_verify_flags.3
 APIMANS += gnutls_certificate_set_verify_limits.3
 +APIMANS += gnutls_certificate_set_x509_system_trust.3
 APIMANS += gnutls_certificate_set_x509_trust_file.3
 APIMANS += gnutls_certificate_set_x509_trust_mem.3
 APIMANS += gnutls_certificate_set_x509_crl_file.3
 Index: gnutls-3.0.19/lib/gnutls_x509.c
 ===================================================================
 --- gnutls-3.0.19.orig/lib/gnutls_x509.c
 +++ gnutls-3.0.19/lib/gnutls_x509.c
@@ -1588,6 +1588,61 @@ gnutls_certificate_set_x509_trust_file (
   return ret;
 }
 +#ifdef DEFAULT_TRUST_STORE_FILE
 +static int
 +_gnutls_certificate_set_x509_system_trust_file (gnutls_certificate_credentials_t cred)
 +{
 +  int ret;
 +  gnutls_datum_t cas;
 +  size_t size;
 +
 +  cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size);
 +  if (cas.data == NULL)
 +    {
 +      gnutls_assert ();
 +      return GNUTLS_E_FILE_ERROR;
 +    }
 +
 +  cas.size = size;
 +
 +  ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
 +
 +  free (cas.data);
 +
 +  if (ret < 0)
 +    {
 +      gnutls_assert ();
 +    }
 +
 +  return ret;
 +}
 +#endif
 +
 +/**
 + * gnutls_certificate_set_x509_system_trust:
 + * @cred: is a #gnutls_certificate_credentials_t structure.
 + *
 + * This function adds the system's default trusted CAs in order to
 + * verify client or server certificates.
 + *
 + **/
 +int
 +gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
 +{
 +  int ret, r = 0;
 +#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
 +  ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
 +  if (ret > 0)
 +    r += ret;
 +#endif
 +#ifdef DEFAULT_TRUST_STORE_FILE
 +  ret = _gnutls_certificate_set_x509_system_trust_file(cred);
 +  if (ret > 0)
 +    r += ret;
 +#endif
 +  return r;
 +}
 +
 static int
 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist, 
                    const char * input_crl, unsigned int input_crl_size)
 Index: gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in
 ===================================================================
 --- gnutls-3.0.19.orig/lib/includes/gnutls/gnutls.h.in
 +++ gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in
@@ -1100,6 +1100,9 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(
                                              unsigned int max_depth);
   int
 +    gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred);
 +
 +  int
     gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t
                                             cred, const char *cafile,
                                             gnutls_x509_crt_fmt_t type);
 Index: gnutls-3.0.19/lib/libgnutls.map
 ===================================================================
 --- gnutls-3.0.19.orig/lib/libgnutls.map
 +++ gnutls-3.0.19/lib/libgnutls.map
@@ -788,6 +788,11 @@ GNUTLS_3_0_0 {
 	gnutls_session_get_random;
 } GNUTLS_2_12;
 +GNUTLS_3_0_0_SUSE {
 +  global:
 +	gnutls_certificate_set_x509_system_trust;
 +} GNUTLS_3_0_0;
 +
 GNUTLS_PRIVATE {
   global:
     # Internal symbols needed by libgnutls-extra:
 Index: gnutls-3.0.19/src/cli.c
 ===================================================================
 --- gnutls-3.0.19.orig/src/cli.c
 +++ gnutls-3.0.19/src/cli.c
@@ -479,9 +479,6 @@ cert_verify_callback (gnutls_session_t s
   int ssh = ENABLED_OPT(TOFU);
   const char* txt_service;
 -  if (!x509_cafile && !pgp_keyring)
 -    return 0;
 -    
   rc = cert_verify(session, hostname);
   if (rc == 0)
     {
@@ -1184,11 +1181,6 @@ const char* rest = NULL;
   if (HAVE_OPT(X509CAFILE))
     x509_cafile = OPT_ARG(X509CAFILE);
 -  else
 -    {
 -      if (access(DEFAULT_CA_FILE, R_OK) == 0)
 -        x509_cafile = DEFAULT_CA_FILE;
 -    }
   if (HAVE_OPT(X509CRLFILE))
     x509_crlfile = OPT_ARG(X509CRLFILE);
@@ -1419,15 +1411,20 @@ init_global_tls_stuff (void)
     {
       ret = gnutls_certificate_set_x509_trust_file (xcred,
                                                     x509_cafile, x509ctype);
 -      if (ret < 0)
 -        {
 -          fprintf (stderr, "Error setting the x509 trust file\n");
 -        }
 -      else
 -        {
 -          printf ("Processed %d CA certificate(s).\n", ret);
 -        }
     }
 +  else
 +    {
 +      ret = gnutls_certificate_set_x509_system_trust (xcred);
 +    }
 +  if (ret < 0)
 +    {
 +      fprintf (stderr, "Error setting the x509 trust file\n");
 +    }
 +  else
 +    {
 +      printf ("Processed %d CA certificate(s).\n", ret);
 +    }
 +
   if (x509_crlfile != NULL)
     {
       ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile,
--- a/gnutls.changes
+++ b/gnutls.changes
@ -1,3 +1,9 @@
 -------------------------------------------------------------------
 Thu May 24 07:45:31 UTC 2012 - lnussel@suse.de
 - backport gnutls_certificate_set_x509_system_trust() from git and
  add support for trust store directories (bnc#761634)
 -------------------------------------------------------------------
 Mon May 21 15:35:00 UTC 2012 - lnussel@suse.de
--- a/gnutls.spec
+++ b/gnutls.spec
@ -29,6 +29,11 @@ Group:          Productivity/Networking/Security
 Url:            http://www.gnutls.org/
 Source0:        http://ftp.gnu.org/gnu/gnutls/%{name}-%{version}.tar.xz
 Source1:        baselibs.conf
 # upstream, will be officially available in some future gnutls
 # version and can be removed then -- lnussel
 Patch0:         gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff
 # suse specific, add support for certificate directories -- lnussel
 Patch1:         gnutls-implement-trust-store-dir.diff
 BuildRequires:  automake
 BuildRequires:  gcc-c++
 BuildRequires:  libidn-devel
@ -119,14 +124,18 @@ Files needed for software development using gnutls.
 %prep
 %setup -q
 %patch0 -p1
 %patch1 -p1
 echo %{_includedir}/%{name}/abstract.h
 %build
 autoreconf
 %configure \
        --disable-static \
        --with-pic \
        --disable-rpath \
        --disable-silent-rules \
 	--with-default-trust-store-dir=/etc/ssl/certs \
        --with-sysroot=/%{?_sysroot}
 make %{?_smp_mflags}