From b90a9251ea43a24ce49347b0a0301c729f6b1450a3808695b65b41ce7c224bf6 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Fri, 5 Jul 2013 18:37:07 +0000
Subject: [PATCH] Accepting request 182304 from Base:System

- use pkcs11 interface to fetch the system's CA certificates (fate#314991). Add patch gnutls-3.2.1-pkcs11.diff to fix doing that, obsoletes gnutls-implement-trust-store-dir.diff. (forwarded request 182303 from lnussel)

OBS-URL: https://build.opensuse.org/request/show/182304
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=59
---
 gnutls-3.2.1-pkcs11.diff | 28 +++++
 gnutls-implement-trust-store-dir.diff | 154 --------------------------
 gnutls.changes | 7 ++
 gnutls.spec | 7 +-
 4 files changed, 39 insertions(+), 157 deletions(-)
 create mode 100644 gnutls-3.2.1-pkcs11.diff
 delete mode 100644 gnutls-implement-trust-store-dir.diff

diff --git a/gnutls-3.2.1-pkcs11.diff b/gnutls-3.2.1-pkcs11.diff
new file mode 100644
index 0000000..8b2d063
--- /dev/null
+++ b/gnutls-3.2.1-pkcs11.diff
@@ -0,0 +1,28 @@
+From 9008620a9c452fb33942f0f8ee03a44fdf277475 Mon Sep 17 00:00:00 2001
+From: Stef Walter
+Date: Thu, 4 Jul 2013 16:15:03 +0200
+Subject: [PATCH] pkcs11: Use the correct attribute length for CKA_TRUSTED
+
+CKA_TRUSTED is a CK_BBOOL value in PKCS#11. Since object searches
+are done with the attribute byte values, we need to get the length
+exactly right.
+---
+ lib/pkcs11.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index 27ea3f4..3da3b92 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -2201,7 +2201,7 @@ find_objs (struct pkcs11_session_info* sinfo,
+ struct ck_attribute *attr;
+ ck_object_class_t class = (ck_object_class_t)-1;
+ ck_certificate_type_t type = (ck_certificate_type_t)-1;
+- unsigned int trusted;
++ unsigned char trusted;
+ unsigned long category;
+ ck_rv_t rv;
+ ck_object_handle_t obj;
+--
+1.8.3.1
+
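Review bot: The one-line type change in find_objs only repairs the CKA_TRUSTED search if the attribute template takes its length from the variable rather than from a literal; the template setup is not in the quoted hunk, so confirm it uses `sizeof trusted` (and not a hard-coded 4) before treating this as complete. The patch description says object searches compare attribute byte values and the length must be exact, which suggests a wrong length would cause the search to match nothing, leaving the trust list empty without an error — worth a quick test that a known trusted CA is actually found after this patch is applied. find_objs's body continues outside the hunk.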
diff --git a/gnutls-implement-trust-store-dir.diff b/gnutls-implement-trust-store-dir.diff
deleted file mode 100644
index e7fb953..0000000
--- a/gnutls-implement-trust-store-dir.diff
+++ /dev/null
@@ -1,154 +0,0 @@
-Index: gnutls-3.2.1/configure.ac
-===================================================================
---- gnutls-3.2.1.orig/configure.ac
-+++ gnutls-3.2.1/configure.ac
-@@ -398,6 +398,25 @@ if test "$with_default_trust_store_file"
- with_default_trust_store_file=""
- fi
- 
-+AC_ARG_WITH([default-trust-store-dir],
-+ [AS_HELP_STRING([--with-default-trust-store-dir=DIRECTORY],
-+ [use the given directory as default trust store])], with_default_trust_store_dir="$withval",
-+ [if test "$build" = "$host" ; then
-+ for i in \
-+ /etc/ssl/certs/
-+ do
-+ if test -e $i ; then
-+ with_default_trust_store_dir="$i"
-+ break
-+ fi
-+ done
-+ fi]
-+)
-+
-+if test "$with_default_trust_store_dir" = "no";then
-+ with_default_trust_store_dir=""
-+fi
-+
- AC_ARG_WITH([default-crl-file],
- [AS_HELP_STRING([--with-default-crl-file=FILE],
- [use the given CRL file as default])])
-@@ -407,6 +426,11 @@ if test "x$with_default_trust_store_file
- ["$with_default_trust_store_file"], [use the given file default trust store])
- fi
- 
-+if test "x$with_default_trust_store_dir" != x; then
-+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR],
-+ ["$with_default_trust_store_dir"], [use the given directory default trust store])
-+fi
-+
- if test "x$with_default_crl_file" != x; then
- AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE],
- ["$with_default_crl_file"], [use the given CRL file])
-@@ -683,6 +707,7 @@ AC_MSG_NOTICE([System files:
- 
- Trust store pkcs: $with_default_trust_store_pkcs11
- Trust store file: $with_default_trust_store_file
-+ Trust store dir: $with_default_trust_store_dir
- CRL file: $with_default_crl_file
- DNSSEC root key file: $unbound_root_key_file
- ])
-Index: gnutls-3.2.1/lib/system.c
-===================================================================
---- gnutls-3.2.1.orig/lib/system.c
-+++ gnutls-3.2.1/lib/system.c
-@@ -385,7 +385,45 @@ const char *home_dir = getenv ("HOME");
- return 0;
- }
- 
--#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11))
-+/* Used by both Android code and by Linux TRUST_STORE_DIR /etc/ssl/certs code */
-+#if defined(DEFAULT_TRUST_STORE_DIR) || defined(ANDROID) || defined(__ANDROID__)
-+# include
-+# include
-+static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list,
-+ unsigned int tl_flags, unsigned int tl_vflags, unsigned type)
-+{
-+DIR * dirp;
-+struct dirent *d;
-+int ret;
-+int r = 0;
-+char path[GNUTLS_PATH_MAX];
-+
-+ dirp = opendir(dirname);
-+ if (dirp != NULL)
-+ {
-+ do
-+ {
-+ d = readdir(dirp);
-+ if (d != NULL && d->d_type == DT_REG)
-+ {
-+ snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name);
-+
-+ ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags);
-+ if (ret >= 0)
-+ r += ret;
-+ }
-+ }
-+ while(d != NULL);
-+ closedir(dirp);
-+ }
-+
-+ return r;
-+}
-+#endif
-+
-+
-+#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) || defined(DEFAULT_TRUST_STORE_DIR)
-+
- static
- int
- add_system_trust(gnutls_x509_trust_list_t list,
-@@ -413,6 +451,12 @@ add_system_trust(gnutls_x509_trust_list_
- r += ret;
- # endif
- 
-+# ifdef DEFAULT_TRUST_STORE_DIR
-+ ret = load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags, tl_vflags, GNUTLS_X509_FMT_PEM);
-+ if (ret > 0)
-+ r += ret;
-+# endif
-+
- return r;
- }
- #elif defined(_WIN32)
-@@ -466,39 +510,6 @@ int add_system_trust(gnutls_x509_trust_l
- return r;
- }
- #elif defined(ANDROID) || defined(__ANDROID__)
--# include
--# include
--static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list,
-- unsigned int tl_flags, unsigned int tl_vflags, unsigned type)
--{
--DIR * dirp;
--struct dirent *d;
--int ret;
--int r = 0;
--char path[GNUTLS_PATH_MAX];
--
-- dirp = opendir(dirname);
-- if (dirp != NULL)
-- {
-- do
-- {
-- d = readdir(dirp);
-- if (d != NULL && d->d_type == DT_REG)
-- {
-- snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name);
--
-- ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags);
-- if (ret >= 0)
-- r += ret;
-- }
-- }
-- while(d != NULL);
-- closedir(dirp);
-- }
--
-- return r;
--}
--
- static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type)
- {
- DIR * dirp;
diff --git a/gnutls.changes b/gnutls.changes
index 542714d..a6c8165 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jul 4 16:15:14 UTC 2013 - lnussel@suse.de
+
+- use pkcs11 interface to fetch the system's CA certificates
+ (fate#314991). Add patch gnutls-3.2.1-pkcs11.diff to fix doing
+ that, obsoletes gnutls-implement-trust-store-dir.diff.
+
 -------------------------------------------------------------------
 Thu Jun 27 13:44:12 UTC 2013 - meissner@suse.com
 
diff --git a/gnutls.spec b/gnutls.spec
index 533b35f..81eee78 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -32,8 +32,9 @@ Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.x
 Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig
 Source2: %name.keyring
 Source3: baselibs.conf
-# suse specific, add support for certificate directories -- lnussel/meissner
-Patch1: gnutls-implement-trust-store-dir.diff
+# https://gitorious.org/gnutls/gnutls/commit/7613c3251430a212fe5d6001863045f20eca7563
+# PATCH-UPSTREAM lnussel@suse.de -- fix reading ca-certificates # via pkcs11 interface
+Patch1: gnutls-3.2.1-pkcs11.diff
 Patch2: automake-1.12.patch
 # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test
 
@@ -155,7 +156,7 @@ autoreconf -if
 --with-pic \
 --disable-rpath \
 --disable-silent-rules \
- --with-default-trust-store-dir=/etc/ssl/certs \
+ --with-default-trust-store-pkcs11=pkcs11: \
 --disable-ecdhe \
 --with-sysroot=/%{?_sysroot}
 %__make %{?_smp_mflags}
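Review bot: The new comment above Patch1 cites commit 7613c3251430a212fe5d6001863045f20eca7563 on gitorious, while the header of the added gnutls-3.2.1-pkcs11.diff names commit 9008620a9c452fb33942f0f8ee03a44fdf277475; these may well be the same change in two repositories, but the mismatch makes it hard to verify provenance when the patch is later rebased or dropped. Cite the id that appears in the patch header, or both, e.g. `# PATCH-UPSTREAM lnussel@suse.de -- fix CKA_TRUSTED attribute length when reading ca-certificates via pkcs11 (upstream 9008620a9c45, gitorious 7613c3251430)`. The trailing `# via pkcs11 interface` fragment on the same line looks like a second comment line that was joined by accident; putting it on its own `#` line would read more cleanly.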
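Review bot: `--with-default-trust-store-pkcs11=pkcs11:` only yields a system trust store when the build also defines ENABLE_PKCS11 — the guard `#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11))` is visible in the deleted gnutls-implement-trust-store-dir.diff — and this hunk does not touch BuildRequires, so the p11-kit development dependency presumably has to exist elsewhere in the spec (not visible here). If it is missing, configure appears to build a library whose add_system_trust() loads nothing, and clients relying on the system CAs would fail verification with no build-time warning; a short `%check`-style assertion that `Trust store pkcs: pkcs11:` appears in the configure summary, or an explicit comment next to the option naming the BuildRequires it depends on, would guard against that. The comment should also state that the bare `pkcs11:` URI trusts every object exposed by every module in the p11-kit configuration, so the effective trust set is now governed by that configuration and the ca-certificates package rather than by /etc/ssl/certs.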