From 76f004feafd93e2f44376c450fb071589cf33f14a51384ed971ca32bf766138a Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Mon, 29 Jul 2013 15:41:34 +0000
Subject: [PATCH] Accepting request 184447 from Base:System
- revert to using certificate directory again until gnutls understands the trust bits in pkcs11. Otherwise it would use blacklisted certificates. (forwarded request 184442 from lnussel)
OBS-URL: https://build.opensuse.org/request/show/184447
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=61
---
 gnutls-implement-trust-store-dir.diff | 154 ++++++++++++++++++++++++++
 gnutls.changes | 7 ++
 gnutls.spec | 4 +-
 3 files changed, 164 insertions(+), 1 deletion(-)
 create mode 100644 gnutls-implement-trust-store-dir.diff
diff --git a/gnutls-implement-trust-store-dir.diff b/gnutls-implement-trust-store-dir.diff
new file mode 100644
index 0000000..e7fb953
--- /dev/null
+++ b/gnutls-implement-trust-store-dir.diff
@@ -0,0 +1,154 @@
+Index: gnutls-3.2.1/configure.ac
+===================================================================
+--- gnutls-3.2.1.orig/configure.ac
++++ gnutls-3.2.1/configure.ac
+@@ -398,6 +398,25 @@ if test "$with_default_trust_store_file"
+ with_default_trust_store_file=""
+ fi
+
++AC_ARG_WITH([default-trust-store-dir],
++ [AS_HELP_STRING([--with-default-trust-store-dir=DIRECTORY],
++ [use the given directory as default trust store])], with_default_trust_store_dir="$withval",
++ [if test "$build" = "$host" ; then
++ for i in \
++ /etc/ssl/certs/
++ do
++ if test -e $i ; then
++ with_default_trust_store_dir="$i"
++ break
++ fi
++ done
++ fi]
++)
++
++if test "$with_default_trust_store_dir" = "no";then
++ with_default_trust_store_dir=""
++fi
++
+ AC_ARG_WITH([default-crl-file],
+ [AS_HELP_STRING([--with-default-crl-file=FILE],
+ [use the given CRL file as default])])
+@@ -407,6 +426,11 @@ if test "x$with_default_trust_store_file
+ ["$with_default_trust_store_file"], [use the given file default trust store])
+ fi
+
++if test "x$with_default_trust_store_dir" != x; then
++ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR],
++ ["$with_default_trust_store_dir"], [use the given directory default trust store])
++fi
++
+ if test "x$with_default_crl_file" != x; then
+ AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE],
+ ["$with_default_crl_file"], [use the given CRL file])
+@@ -683,6 +707,7 @@ AC_MSG_NOTICE([System files:
+
+ Trust store pkcs: $with_default_trust_store_pkcs11
+ Trust store file: $with_default_trust_store_file
++ Trust store dir: $with_default_trust_store_dir
+ CRL file: $with_default_crl_file
+ DNSSEC root key file: $unbound_root_key_file
+ ])
+Index: gnutls-3.2.1/lib/system.c
+===================================================================
+--- gnutls-3.2.1.orig/lib/system.c
++++ gnutls-3.2.1/lib/system.c
+@@ -385,7 +385,45 @@ const char *home_dir = getenv ("HOME");
+ return 0;
+ }
+
+-#if defined(DEFAULT_TRUST_STORE_FILE) || 
(defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11))
++/* Used by both Android code and by Linux TRUST_STORE_DIR /etc/ssl/certs code */
++#if defined(DEFAULT_TRUST_STORE_DIR) || defined(ANDROID) || defined(__ANDROID__)
++# include
++# include
++static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list,
++ unsigned int tl_flags, unsigned int tl_vflags, unsigned type)
++{
++DIR * dirp;
++struct dirent *d;
++int ret;
++int r = 0;
++char path[GNUTLS_PATH_MAX];
++
++ dirp = opendir(dirname);
++ if (dirp != NULL)
++ {
++ do
++ {
++ d = readdir(dirp);
++ if (d != NULL && d->d_type == DT_REG)
++ {
++ snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name);
++
++ ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags);
++ if (ret >= 0)
++ r += ret;
++ }
++ }
++ while(d != NULL);
++ closedir(dirp);
++ }
++
++ return r;
++}
++#endif
++
++
++#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) || defined(DEFAULT_TRUST_STORE_DIR)
++
+ static
+ int
+ add_system_trust(gnutls_x509_trust_list_t list,
+@@ -413,6 +451,12 @@ add_system_trust(gnutls_x509_trust_list_
+ r += ret;
+ # endif
+
++# ifdef DEFAULT_TRUST_STORE_DIR
++ ret = load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags, tl_vflags, GNUTLS_X509_FMT_PEM);
++ if (ret > 0)
++ r += ret;
++# endif
++
+ return r;
+ }
+ #elif defined(_WIN32)
+@@ -466,39 +510,6 @@ int add_system_trust(gnutls_x509_trust_l
+ return r;
+ }
+ #elif defined(ANDROID) || defined(__ANDROID__)
+-# include
+-# include
+-static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list,
+- unsigned int tl_flags, unsigned int tl_vflags, unsigned type)
+-{
+-DIR * dirp;
+-struct dirent *d;
+-int ret;
+-int r = 0;
+-char path[GNUTLS_PATH_MAX];
+-
+- dirp = opendir(dirname);
+- if (dirp != NULL)
+- {
+- do
+- {
+- d = readdir(dirp);
+- if (d != NULL && d->d_type == DT_REG)
+- {
+- snprintf(path, sizeof(path), "%s/%s", dirname, 
d->d_name);
+-
+- ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags);
+- if (ret >= 0)
+- r += ret;
+- }
+- }
+- while(d != NULL);
+- closedir(dirp);
+- }
+-
+- return r;
+-}
+-
+ static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type)
+ {
+ DIR * dirp;
diff --git a/gnutls.changes b/gnutls.changes
index 126dde4..4f23ab5 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jul 26 12:45:45 UTC 2013 - lnussel@suse.de
+
+- revert to using certificate directory again until gnutls
+ understands the trust bits in pkcs11. Otherwise it would use
+ blacklisted certificates.
+
 -------------------------------------------------------------------
 Mon Jul 8 15:12:59 UTC 2013 - schwab@suse.de
diff --git a/gnutls.spec b/gnutls.spec
index 3622bd5..29b1d75 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -46,6 +46,7 @@ Patch4: gnutls-32bit.patch
 # Disable elliptic curves for reasons. - meissner&cfarrell
 Patch5: gnutls-3.2.1-noecc.patch
+Patch6: gnutls-implement-trust-store-dir.diff
 BuildRequires: automake
 BuildRequires: gcc-c++
@@ -147,6 +148,7 @@ Files needed for software development using gnutls.
 %patch3
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %build
 autoreconf -if
@@ -158,7 +160,7 @@ autoreconf -if
 --with-pic \
 --disable-rpath \
 --disable-silent-rules \
- --with-default-trust-store-pkcs11=pkcs11: \
+ --with-default-trust-store-dir=/var/lib/ca-certificates/pem \
 --disable-ecdhe \
 --with-sysroot=/%{?_sysroot}
 %__make %{?_smp_mflags}
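Review bot: In the new load_dir_certs (the lib/system.c part of the embedded patch, now shared by the DEFAULT_TRUST_STORE_DIR and Android builds), the `d->d_type == DT_REG` filter silently skips symlinks and any entry a filesystem reports as DT_UNKNOWN, so a trust directory populated with symlinks — the layout the configure default `/etc/ssl/certs/` commonly has — or one on a filesystem that does not fill d_type makes the function return 0 without reporting any error. Accepting those entries and letting the PEM loader reject what is not a file is the minimal fix, `if (d != NULL && (d->d_type == DT_REG || d->d_type == DT_LNK || d->d_type == DT_UNKNOWN))`; a `stat()` on the joined path would be the portable alternative. The `snprintf` result is also unchecked, so a name that does not fit GNUTLS_PATH_MAX is truncated and a different path is handed to the loader; capturing the return value and adding `if (n < 0 || (size_t)n >= sizeof(path)) continue;` covers that. The comment above the block names `/etc/ssl/certs` while the spec in this commit points the build at `/var/lib/ca-certificates/pem`; `/* Shared by the Android code and the DEFAULT_TRUST_STORE_DIR code path */` would not go stale.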
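Review bot: The new `--with-default-trust-store-dir=/var/lib/ca-certificates/pem` in the last gnutls.spec hunk hard-codes a directory that gnutls itself does not ship, and none of the visible hunks adds a runtime `Requires:` on the package that populates it; if that dependency is not declared elsewhere in the spec, a system without the directory gets an empty default trust store, because load_dir_certs in the accompanying patch returns 0 when opendir fails rather than reporting an error. A `Requires:` on the package owning that directory (e.g. `Requires: ca-certificates`, if that is the provider on openSUSE), next to the new `Patch6:` line, would make the dependency explicit. The changelog records why pkcs11: was dropped; a short comment above the configure line, `# trust dir instead of pkcs11: until gnutls honours the pkcs11 trust bits`, would keep that reason with the setting it justifies.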