gnutls/gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff
Stephan Kulow 39516d919c Accepting request 122231 from Base:System
- backport gnutls_certificate_set_x509_system_trust() from git and
  add support for trust store directories (bnc#761634) (forwarded request 122019 from lnussel)

OBS-URL: https://build.opensuse.org/request/show/122231
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=47
2012-05-25 15:33:18 +00:00


From d5633875724fe383adb4e994fc72bd7c64acb197 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Tue, 8 May 2012 16:28:25 +0200
Subject: [PATCH gnutls] introduce gnutls_certificate_set_x509_system_trust
gnutls_certificate_set_x509_system_trust() imports the trusted root CAs
from a compile-time-defined location, so that applications don't
need to know where the system trust store lives.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
configure.ac | 37 ++++++++++++++++++++++++++
doc/Makefile.am | 1 +
doc/manpages/Makefile.am | 1 +
lib/gnutls_x509.c | 55 +++++++++++++++++++++++++++++++++++++++
lib/includes/gnutls/gnutls.h.in | 3 ++
lib/libgnutls.map | 5 +++
src/cli.c | 29 +++++++++-----------
7 files changed, 115 insertions(+), 16 deletions(-)
Index: gnutls-3.0.19/configure.ac
===================================================================
--- gnutls-3.0.19.orig/configure.ac
+++ gnutls-3.0.19/configure.ac
@@ -280,6 +280,41 @@ AC_PROG_LN_S
AC_LIBTOOL_WIN32_DLL
AC_PROG_LIBTOOL
+AC_ARG_WITH([default-trust-store-pkcs11],
+ [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
+ [use the given pkcs11 uri as default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" != x; then
+ if test "x$with_p11_kit" = xno; then
+ AC_MSG_ERROR([cannot use pkcs11 store without p11-kit])
+ fi
+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_PKCS11],
+ ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default trust store])
+fi
+
+AC_ARG_WITH([default-trust-store-file],
+ [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+ [use the given file default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then
+ # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
+ for i in \
+ /etc/ssl/certs/ca-certificates.crt \
+ /etc/pki/tls/cert.pem \
+ /usr/local/share/certs/ca-root-nss.crt
+ do
+ if test -e $i; then
+ with_default_trust_store_file="$i"
+ break
+ fi
+ done
+fi
+
+if test "x$with_default_trust_store_file" != x; then
+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE],
+ ["$with_default_trust_store_file"], [use the given file default trust store])
+fi
+
dnl Guile bindings.
opt_guile_bindings=yes
AC_MSG_CHECKING([whether building Guile bindings])
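Review bot: When the auto-detection loop starting at `for i in \` finds none of the three candidate files and no PKCS#11 URI was given, configure finishes silently with both DEFAULT_TRUST_STORE_* macros undefined, so a build in a minimal chroot quietly produces a library whose gnutls_certificate_set_x509_system_trust() loads nothing; only the empty "Trust store file:" line in the summary hunk below hints at it. Suggest adding, after the loop, `if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then AC_MSG_WARN([no default trust store configured; gnutls_certificate_set_x509_system_trust will load no CAs]); fi`. The two help texts `[use the given file default trust store]` read as if a word were missing; `[use the given file as default trust store]` would match the pkcs11 wording. `test -e $i` should quote the path, `test -e "$i"`, as the other tests in the hunk do.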
@@ -513,6 +548,8 @@ if features are disabled)
SRP support: $ac_enable_srp
PSK support: $ac_enable_psk
Anon auth support:$ac_enable_anon
+ Trust store pkcs: $with_default_trust_store_pkcs11
+ Trust store file: $with_default_trust_store_file
])
AC_MSG_NOTICE([Optional applications:
Index: gnutls-3.0.19/doc/Makefile.am
===================================================================
--- gnutls-3.0.19.orig/doc/Makefile.am
+++ gnutls-3.0.19/doc/Makefile.am
@@ -717,6 +717,7 @@ FUNCS += functions/gnutls_certificate_fr
FUNCS += functions/gnutls_certificate_set_dh_params
FUNCS += functions/gnutls_certificate_set_verify_flags
FUNCS += functions/gnutls_certificate_set_verify_limits
+FUNCS += functions/gnutls_certificate_set_x509_system_trust
FUNCS += functions/gnutls_certificate_set_x509_trust_file
FUNCS += functions/gnutls_certificate_set_x509_trust_mem
FUNCS += functions/gnutls_certificate_set_x509_crl_file
Index: gnutls-3.0.19/doc/manpages/Makefile.am
===================================================================
--- gnutls-3.0.19.orig/doc/manpages/Makefile.am
+++ gnutls-3.0.19/doc/manpages/Makefile.am
@@ -314,6 +314,7 @@ APIMANS += gnutls_certificate_free_crls.
APIMANS += gnutls_certificate_set_dh_params.3
APIMANS += gnutls_certificate_set_verify_flags.3
APIMANS += gnutls_certificate_set_verify_limits.3
+APIMANS += gnutls_certificate_set_x509_system_trust.3
APIMANS += gnutls_certificate_set_x509_trust_file.3
APIMANS += gnutls_certificate_set_x509_trust_mem.3
APIMANS += gnutls_certificate_set_x509_crl_file.3
Index: gnutls-3.0.19/lib/gnutls_x509.c
===================================================================
--- gnutls-3.0.19.orig/lib/gnutls_x509.c
+++ gnutls-3.0.19/lib/gnutls_x509.c
@@ -1588,6 +1588,61 @@ gnutls_certificate_set_x509_trust_file (
return ret;
}
+#ifdef DEFAULT_TRUST_STORE_FILE
+static int
+_gnutls_certificate_set_x509_system_trust_file (gnutls_certificate_credentials_t cred)
+{
+ int ret;
+ gnutls_datum_t cas;
+ size_t size;
+
+ cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size);
+ if (cas.data == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_FILE_ERROR;
+ }
+
+ cas.size = size;
+
+ ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
+
+ free (cas.data);
+
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ }
+
+ return ret;
+}
+#endif
+
+/**
+ * gnutls_certificate_set_x509_system_trust:
+ * @cred: is a #gnutls_certificate_credentials_t structure.
+ *
+ * This function adds the system's default trusted CAs in order to
+ * verify client or server certificates.
+ *
+ **/
+int
+gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
+{
+ int ret, r = 0;
+#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
+ ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
+ if (ret > 0)
+ r += ret;
+#endif
+#ifdef DEFAULT_TRUST_STORE_FILE
+ ret = _gnutls_certificate_set_x509_system_trust_file(cred);
+ if (ret > 0)
+ r += ret;
+#endif
+ return r;
+}
+
static int
parse_pem_crl_mem (gnutls_x509_trust_list_t tlist,
const char * input_crl, unsigned int input_crl_size)
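Review bot: gnutls_certificate_set_x509_system_trust() at the end of the hunk folds every failure into a return of 0, so a build with no store configured, an unreadable DEFAULT_TRUST_STORE_FILE, or a failing PKCS#11 URL all look identical to "zero CAs loaded", and a caller testing `ret < 0` (as src/cli.c does in this commit) cannot tell that certificate verification will run without any anchors. The helper above it already returns GNUTLS_E_FILE_ERROR on a read failure, but that value is dropped at `if (ret > 0) r += ret;`. Suggest returning GNUTLS_E_UNIMPLEMENTED_FEATURE when neither macro is defined and propagating the last store error when nothing at all was loaded, as below; the rewrite also avoids the unused, uninitialised `ret` in the no-store configuration. The gtk-doc block should additionally gain `Returns: the number of certificates processed or a negative error code on error.` so that callers know the sign convention.
```c
int
gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
{
#if !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE)
  /* No system trust store was configured at build time: report that rather
   * than a zero count, which callers cannot tell apart from success. */
  gnutls_assert ();
  return GNUTLS_E_UNIMPLEMENTED_FEATURE;
#else
  int ret, r = 0, err = 0;
#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
  ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
  if (ret > 0)
    r += ret;
  else if (ret < 0)
    err = ret;
#endif
#ifdef DEFAULT_TRUST_STORE_FILE
  ret = _gnutls_certificate_set_x509_system_trust_file (cred);
  if (ret > 0)
    r += ret;
  else if (ret < 0)
    err = ret;
#endif
  /* A store that could not be read is an error only when nothing at all
   * was loaded; partial success still leaves a usable trust list. */
  return (r == 0 && err < 0) ? err : r;
#endif
}
```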
Index: gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in
===================================================================
--- gnutls-3.0.19.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in
@@ -1100,6 +1100,9 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(
unsigned int max_depth);
int
+ gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred);
+
+ int
gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t
cred, const char *cafile,
gnutls_x509_crt_fmt_t type);
Index: gnutls-3.0.19/lib/libgnutls.map
===================================================================
--- gnutls-3.0.19.orig/lib/libgnutls.map
+++ gnutls-3.0.19/lib/libgnutls.map
@@ -788,6 +788,11 @@ GNUTLS_3_0_0 {
gnutls_session_get_random;
} GNUTLS_2_12;
+GNUTLS_3_0_0_SUSE {
+ global:
+ gnutls_certificate_set_x509_system_trust;
+} GNUTLS_3_0_0;
+
GNUTLS_PRIVATE {
global:
# Internal symbols needed by libgnutls-extra:
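Review bot: The new export is placed in a distribution-private version node `GNUTLS_3_0_0_SUSE` rather than an upstream one, so every binary linked against this package records that node and will refuse to load ("version `GNUTLS_3_0_0_SUSE' not found") against an upstream libgnutls that exports the same symbol under a different node, even though the function's ABI is identical. If the node upstream uses for this symbol is already known, it would be better to use it here; otherwise the patch description should state that the node is temporary and say how binaries built against it are expected to be handled at the next rebase.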
Index: gnutls-3.0.19/src/cli.c
===================================================================
--- gnutls-3.0.19.orig/src/cli.c
+++ gnutls-3.0.19/src/cli.c
@@ -479,9 +479,6 @@ cert_verify_callback (gnutls_session_t s
int ssh = ENABLED_OPT(TOFU);
const char* txt_service;
- if (!x509_cafile && !pgp_keyring)
- return 0;
-
rc = cert_verify(session, hostname);
if (rc == 0)
{
@@ -1184,11 +1181,6 @@ const char* rest = NULL;
if (HAVE_OPT(X509CAFILE))
x509_cafile = OPT_ARG(X509CAFILE);
- else
- {
- if (access(DEFAULT_CA_FILE, R_OK) == 0)
- x509_cafile = DEFAULT_CA_FILE;
- }
if (HAVE_OPT(X509CRLFILE))
x509_crlfile = OPT_ARG(X509CRLFILE);
@@ -1419,15 +1411,20 @@ init_global_tls_stuff (void)
{
ret = gnutls_certificate_set_x509_trust_file (xcred,
x509_cafile, x509ctype);
- if (ret < 0)
- {
- fprintf (stderr, "Error setting the x509 trust file\n");
- }
- else
- {
- printf ("Processed %d CA certificate(s).\n", ret);
- }
}
+ else
+ {
+ ret = gnutls_certificate_set_x509_system_trust (xcred);
+ }
+ if (ret < 0)
+ {
+ fprintf (stderr, "Error setting the x509 trust file\n");
+ }
+ else
+ {
+ printf ("Processed %d CA certificate(s).\n", ret);
+ }
+
if (x509_crlfile != NULL)
{
ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile,
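Review bot: The message on the line `fprintf (stderr, "Error setting the x509 trust file\n");` is now also reached from the new else branch, where no trust file was given, so a failure to load the system store is reported as a file problem and without the underlying reason. Suggest `fprintf (stderr, "Error setting the x509 trust %s: %s\n", x509_cafile ? "file" : "store", gnutls_strerror (ret));`. Because gnutls_certificate_set_x509_system_trust() as added in this commit returns 0 when nothing is configured or readable, the client then prints "Processed 0 CA certificate(s)." and carries on, and the problem only surfaces later as a verification failure; a line such as `else if (ret == 0 && x509_cafile == NULL) fprintf (stderr, "Warning: no system CA certificates were loaded\n");` would make that visible at startup. init_global_tls_stuff() begins before the hunk, and the condition the new else pairs with is outside it (from the use of x509_cafile in the call it is presumably a test on x509_cafile).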