Accepting request 184447 from Base:System
- revert to using certificate directory again until gnutls understands the trust bits in pkcs11. Otherwise it would use blacklisted certificates. (forwarded request 184442 from lnussel) OBS-URL: https://build.opensuse.org/request/show/184447 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=61
This commit is contained in:
parent
38c4e94a77
commit
76f004feaf
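--- /dev/null
+++ b/gnutls-implement-trust-store-dir.diff
@@ -0,0 +1,154 @@
+Index: gnutls-3.2.1/configure.ac
+===================================================================
+--- gnutls-3.2.1.orig/configure.ac
++++ gnutls-3.2.1/configure.ac
+@@ -398,6 +398,25 @@ if test "$with_default_trust_store_file"
+with_default_trust_store_file=""
+fi
+
++AC_ARG_WITH([default-trust-store-dir],
++ [AS_HELP_STRING([--with-default-trust-store-dir=DIRECTORY],
++ [use the given directory as default trust store])], with_default_trust_store_dir="$withval",
++ [if test "$build" = "$host" ; then
++ for i in \
++ /etc/ssl/certs/
++ do
++ if test -e $i ; then
++ with_default_trust_store_dir="$i"
++ break
++ fi
++ done
++ fi]
++)
++
++if test "$with_default_trust_store_dir" = "no";then
++ with_default_trust_store_dir=""
++fi
++
+AC_ARG_WITH([default-crl-file],
+[AS_HELP_STRING([--with-default-crl-file=FILE],
+[use the given CRL file as default])])
+@@ -407,6 +426,11 @@ if test "x$with_default_trust_store_file
+["$with_default_trust_store_file"], [use the given file default trust store])
+fi
+
++if test "x$with_default_trust_store_dir" != x; then
++ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR],
++ ["$with_default_trust_store_dir"], [use the given directory default trust store])
++fi
++
+if test "x$with_default_crl_file" != x; then
+AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE],
+["$with_default_crl_file"], [use the given CRL file])
+@@ -683,6 +707,7 @@ AC_MSG_NOTICE([System files:
+
+Trust store pkcs: $with_default_trust_store_pkcs11
+Trust store file: $with_default_trust_store_file
++ Trust store dir: $with_default_trust_store_dir
+CRL file: $with_default_crl_file
+DNSSEC root key file: $unbound_root_key_file
+])
+Index: gnutls-3.2.1/lib/system.c
+===================================================================
+--- gnutls-3.2.1.orig/lib/system.c
++++ gnutls-3.2.1/lib/system.c
+@@ -385,7 +385,45 @@ const char *home_dir = getenv ("HOME");
+return 0;
+}
+
+-#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11))
++/* Used by both Android code and by Linux TRUST_STORE_DIR /etc/ssl/certs code */
++#if defined(DEFAULT_TRUST_STORE_DIR) || defined(ANDROID) || defined(__ANDROID__)
++# include <dirent.h>
++# include <unistd.h>
++static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list,
++ unsigned int tl_flags, unsigned int tl_vflags, unsigned type)
++{
++DIR * dirp;
++struct dirent *d;
++int ret;
++int r = 0;
++char path[GNUTLS_PATH_MAX];
++
++ dirp = opendir(dirname);
++ if (dirp != NULL)
++ {
++ do
++ {
++ d = readdir(dirp);
++ if (d != NULL && d->d_type == DT_REG)
++ {
++ snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name);
++
++ ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags);
++ if (ret >= 0)
++ r += ret;
++ }
++ }
++ while(d != NULL);
++ closedir(dirp);
++ }
++
++ return r;
++}
++#endif
++
++
++#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) || defined(DEFAULT_TRUST_STORE_DIR)
++
+static
+int
+add_system_trust(gnutls_x509_trust_list_t list,
+@@ -413,6 +451,12 @@ add_system_trust(gnutls_x509_trust_list_
+r += ret;
+# endif
+
++# ifdef DEFAULT_TRUST_STORE_DIR
++ ret = load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags, tl_vflags, GNUTLS_X509_FMT_PEM);
++ if (ret > 0)
++ r += ret;
++# endif
++
+return r;
+}
+#elif defined(_WIN32)
+@@ -466,39 +510,6 @@ int add_system_trust(gnutls_x509_trust_l
+return r;
+}
+#elif defined(ANDROID) || defined(__ANDROID__)
+-# include <dirent.h>
+-# include <unistd.h>
+-static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list,
+- unsigned int tl_flags, unsigned int tl_vflags, unsigned type)
+-{
+-DIR * dirp;
+-struct dirent *d;
+-int ret;
+-int r = 0;
+-char path[GNUTLS_PATH_MAX];
+-
+- dirp = opendir(dirname);
+- if (dirp != NULL)
+- {
+- do
+- {
+- d = readdir(dirp);
+- if (d != NULL && d->d_type == DT_REG)
+- {
+- snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name);
+-
+- ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags);
+- if (ret >= 0)
+- r += ret;
+- }
+- }
+- while(d != NULL);
+- closedir(dirp);
+- }
+-
+- return r;
+-}
+-
+static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type)
+{
+DIR * dirp;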
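Review bot: load_dir_certs, in the new-side block under `@@ -385,7 +385,45 @@` of lib/system.c, only loads directory entries whose `d->d_type == DT_REG`, so certificates that are symlinks, and every entry on a filesystem that reports `DT_UNKNOWN`, are skipped without any diagnostic; since `/etc/ssl/certs/` is the configure default and that directory is commonly populated with symlinks, the default can silently produce an empty system trust store. A safer filter is `if (d != NULL && (d->d_type == DT_REG || d->d_type == DT_LNK || d->d_type == DT_UNKNOWN))`, leaving gnutls_x509_trust_list_add_trust_file to reject anything that is not a certificate file. The `snprintf` result is also unchecked, so a name longer than GNUTLS_PATH_MAX is truncated into a different path rather than the entry being skipped; capturing the return value and skipping the entry when it is negative or not less than `sizeof(path)` closes that. The function body is otherwise byte-identical to the Android-only copy removed further down, so the relocation itself introduces nothing new.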
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jul 26 12:45:45 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- revert to using certificate directory again until gnutls
|
||||||
|
understands the trust bits in pkcs11. Otherwise it would use
|
||||||
|
blacklisted certificates.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jul 8 15:12:59 UTC 2013 - schwab@suse.de
|
Mon Jul 8 15:12:59 UTC 2013 - schwab@suse.de
|
||||||
|
|
||||||
|
@ -46,6 +46,7 @@ Patch4: gnutls-32bit.patch
|
|||||||
|
|
||||||
# Disable elliptic curves for reasons. - meissner&cfarrell
|
# Disable elliptic curves for reasons. - meissner&cfarrell
|
||||||
Patch5: gnutls-3.2.1-noecc.patch
|
Patch5: gnutls-3.2.1-noecc.patch
|
||||||
|
Patch6: gnutls-implement-trust-store-dir.diff
|
||||||
|
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -147,6 +148,7 @@ Files needed for software development using gnutls.
|
|||||||
%patch3
|
%patch3
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
|
%patch6 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -if
|
autoreconf -if
|
||||||
@ -158,7 +160,7 @@ autoreconf -if
|
|||||||
--with-pic \
|
--with-pic \
|
||||||
--disable-rpath \
|
--disable-rpath \
|
||||||
--disable-silent-rules \
|
--disable-silent-rules \
|
||||||
--with-default-trust-store-pkcs11=pkcs11: \
|
--with-default-trust-store-dir=/var/lib/ca-certificates/pem \
|
||||||
--disable-ecdhe \
|
--disable-ecdhe \
|
||||||
--with-sysroot=/%{?_sysroot}
|
--with-sysroot=/%{?_sysroot}
|
||||||
%__make %{?_smp_mflags}
|
%__make %{?_smp_mflags}
|
||||||
|
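Review bot: `Patch6: gnutls-implement-trust-store-dir.diff` is added without the one-line comment that Patch5 carries, and the reason for the patch — the trust directory stands in for the pkcs11: store until trust bits are honoured — lives only in the changelog. A comment such as `# PATCH-FEATURE-OPENSUSE gnutls-implement-trust-store-dir.diff -- load the default trust store from a directory; replaces the pkcs11: store until trust bits are honoured` above the Patch6 line would keep that rationale next to the patch. The new `--with-default-trust-store-dir=/var/lib/ca-certificates/pem` also makes correct verification depend on that directory being present and populated at runtime; if gnutls does not already Require the package that provides it (not visible in these hunks), opendir fails and the library starts with an empty system trust store.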