From 9a001442672322624562d2d1f3215819e3afb222a9588c921cb48fb763c00c6c Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Mon, 25 Jun 2012 11:57:45 +0000
Subject: [PATCH] Accepting request 125757 from Base:System - Updated to version 3.0.20: libgnutls: Corrected bug which prevented the parsing of handshake packets spanning multiple records. libgnutls: Check key identifiers when checking for an issuer. libgnutls: Added gnutls_pubkey_verify_hash2() libgnutls: Added gnutls_certificate_set_x509_system_trust() that loads the trusted CA certificates from system locations (e.g. trusted storage in windows and CA bundle files in other systems). certtool: Added support for the URI subject alternative name type in certtool. certtool: Increase to 128 the maximum number of distinct options (e.g. dns_names) allowed. gnutls-cli: If --print-cert is given, print the certificate, even on verification failure. ** API and ABI modifications: gnutls_pk_to_sign: Added gnutls_pubkey_verify_hash2: Added gnutls_certificate_set_x509_system_trust: Added
OBS-URL: https://build.opensuse.org/request/show/125757
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=50
---
gnutls-3.0.19.tar.xz | 3 -
gnutls-3.0.20.tar.xz | 3 +
gnutls-implement-trust-store-dir.diff | 62 +++--
...tls_certificate_set_x509_system_trust.diff | 250 ------------------
gnutls.changes | 29 ++
gnutls.spec | 6 +-
6 files changed, 72 insertions(+), 281 deletions(-)
delete mode 100644 gnutls-3.0.19.tar.xz
create mode 100644 gnutls-3.0.20.tar.xz
delete mode 100644 gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff
diff --git a/gnutls-3.0.19.tar.xz b/gnutls-3.0.19.tar.xz
deleted file mode 100644
index 1471040..0000000
--- a/gnutls-3.0.19.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d9a436ea8718c38a564812e465c883f4f37ddc8c80c6f8bee54819e6e4089c37
-size 5035160
diff --git a/gnutls-3.0.20.tar.xz b/gnutls-3.0.20.tar.xz
new file mode 100644
index 0000000..da115f0
--- /dev/null
+++ b/gnutls-3.0.20.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7e3f431a43e5366ff5a9b7646d2a79892a905237ef18cb147b945ec99012686d
+size 4426520
diff --git a/gnutls-implement-trust-store-dir.diff b/gnutls-implement-trust-store-dir.diff
index 982bdb9..e2cd85a 100644
--- a/gnutls-implement-trust-store-dir.diff
+++ b/gnutls-implement-trust-store-dir.diff
@@ -1,26 +1,30 @@
-From 513244e20eb057b37edfe326c164935758772a0f Mon Sep 17 00:00:00 2001
+From a6cef9220ae251e3b8f8d663c5fa7f888e3176d8 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel Date: Tue, 8 May 2012 15:47:02 +0200 Subject: [PATCH gnutls] implement trust store dir --- configure.ac | 18 ++++++++++++- - lib/gnutls_x509.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 89 insertions(+), 1 deletions(-) + lib/gnutls_x509.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 90 insertions(+), 2 deletions(-) -Index: gnutls-3.0.19/configure.ac -=================================================================== ---- gnutls-3.0.19.orig/configure.ac -+++ gnutls-3.0.19/configure.ac -@@ -296,13 +296,23 @@ AC_ARG_WITH([default-trust-store-file], +diff --git a/configure.ac b/configure.ac +index f826704..d099e05 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -296,17 +296,27 @@ AC_ARG_WITH([default-trust-store-file], [AS_HELP_STRING([--with-default-trust-store-file=FILE], [use the given file default trust store])]) --if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then +AC_ARG_WITH([default-trust-store-dir], + [AS_HELP_STRING([--with-default-trust-store-dir=DIR], + [use the given directory default trust store])]) + + AC_ARG_WITH([default-crl-file], + [AS_HELP_STRING([--with-default-crl-file=FILE], + [use the given CRL file as default])]) + +-if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then +if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x \ + -a "x$with_default_trust_store_dir" = x; then # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html @@ -37,7 +41,7 @@ Index: gnutls-3.0.19/configure.ac if test -e $i; then with_default_trust_store_file="$i" break -@@ -315,6 +325,11 @@ if test "x$with_default_trust_store_file +@@ -319,6 +329,11 @@ if test "x$with_default_trust_store_file" != x; then ["$with_default_trust_store_file"], [use the given file default trust store]) fi 
@@ -46,21 +50,21 @@ Index: gnutls-3.0.19/configure.ac + ["$with_default_trust_store_dir"], [use the given directory default trust store]) +fi + - dnl Guile bindings. - opt_guile_bindings=yes - AC_MSG_CHECKING([whether building Guile bindings]) -@@ -550,6 +565,7 @@ if features are disabled) - Anon auth support:$ac_enable_anon + if test "x$with_default_crl_file" != x; then + AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE], + ["$with_default_crl_file"], [use the given CRL file]) +@@ -560,6 +575,7 @@ if features are disabled) + Trust store pkcs: $with_default_trust_store_pkcs11 Trust store file: $with_default_trust_store_file + Trust store dir: $with_default_trust_store_dir + CRL file: $with_default_crl_file ]) - AC_MSG_NOTICE([Optional applications: -Index: gnutls-3.0.19/lib/gnutls_x509.c -=================================================================== ---- gnutls-3.0.19.orig/lib/gnutls_x509.c -+++ gnutls-3.0.19/lib/gnutls_x509.c +diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c +index 71e0d69..87eaa0c 100644 +--- a/lib/gnutls_x509.c ++++ b/lib/gnutls_x509.c @@ -36,6 +36,7 @@ #include #include @@ -69,7 +73,7 @@ Index: gnutls-3.0.19/lib/gnutls_x509.c #include #include #include "x509/common.h" -@@ -1618,6 +1619,72 @@ _gnutls_certificate_set_x509_system_trus +@@ -1692,6 +1693,72 @@ set_x509_system_trust_file (gnutls_certificate_credentials_t cred) } #endif 
@@ -142,10 +146,19 @@ Index: gnutls-3.0.19/lib/gnutls_x509.c /** * gnutls_certificate_set_x509_system_trust: * @cred: is a #gnutls_certificate_credentials_t structure. -@@ -1640,6 +1707,11 @@ gnutls_certificate_set_x509_system_trust - if (ret > 0) +@@ -1710,7 +1777,7 @@ set_x509_system_trust_file (gnutls_certificate_credentials_t cred) + int + gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred) + { +-#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) ++#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) && !defined(DEFAULT_TRUST_STORE_DIR) + int r = GNUTLS_E_UNIMPLEMENTED_FEATURE; + #else + int ret, r = 0; +@@ -1728,6 +1795,11 @@ gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred) r += ret; #endif + +#ifdef DEFAULT_TRUST_STORE_DIR + ret = _gnutls_certificate_set_x509_system_trust_dir(cred); + if (ret > 0) @@ -154,3 +167,6 @@ Index: gnutls-3.0.19/lib/gnutls_x509.c return r; } +-- +1.7.7 + diff --git a/gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff b/gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff deleted file mode 100644 index 4a07563..0000000 --- a/gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff +++ /dev/null 
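Review bot: In the `#ifdef DEFAULT_TRUST_STORE_DIR` block that the rebased patch appends to gnutls_certificate_set_x509_system_trust, a negative return from `_gnutls_certificate_set_x509_system_trust_dir` is discarded by `if (ret > 0) r += ret;`, so when every configured store fails to load the function returns 0 and the caller (gnutls-cli prints `Processed %d CA certificate(s).`) cannot tell "no error, zero CAs" from "directory unreadable". The pkcs11 and file branches rebased just above use the same pattern, so this is inherited rather than introduced here, but it deserves either a comment such as `/* load failures are deliberately ignored: a missing store contributes 0 CAs; callers must check the returned count */` or returning the last negative ret when r is still 0 at the end. The helper's body and the rest of the function lie outside this hunk.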
@@ -1,250 +0,0 @@ -From d5633875724fe383adb4e994fc72bd7c64acb197 Mon Sep 17 00:00:00 2001 -From: Ludwig Nussel -Date: Tue, 8 May 2012 16:28:25 +0200 -Subject: [PATCH gnutls] introduce gnutls_certificate_set_x509_system_trust - -gnutls_certificate_set_x509_system_trust() imports the trusted root CA's -from a compile time defined location. That way applications don't -need to know. - -Signed-off-by: Nikos Mavrogiannopoulos ---- - configure.ac | 37 ++++++++++++++++++++++++++ - doc/Makefile.am | 1 + - doc/manpages/Makefile.am | 1 + - lib/gnutls_x509.c | 55 +++++++++++++++++++++++++++++++++++++++ - lib/includes/gnutls/gnutls.h.in | 3 ++ - lib/libgnutls.map | 5 +++ - src/cli.c | 29 +++++++++----------- - 7 files changed, 115 insertions(+), 16 deletions(-) - -Index: gnutls-3.0.19/configure.ac -=================================================================== ---- gnutls-3.0.19.orig/configure.ac -+++ gnutls-3.0.19/configure.ac -@@ -280,6 +280,41 @@ AC_PROG_LN_S - AC_LIBTOOL_WIN32_DLL - AC_PROG_LIBTOOL - -+AC_ARG_WITH([default-trust-store-pkcs11], -+ [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI], -+ [use the given pkcs11 uri as default trust store])]) -+ -+if test "x$with_default_trust_store_pkcs11" != x; then -+ if test "x$with_p11_kit" = xno; then -+ AC_MSG_ERROR([cannot use pkcs11 store without p11-kit]) -+ fi -+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_PKCS11], -+ ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default trust store]) -+fi -+ -+AC_ARG_WITH([default-trust-store-file], -+ [AS_HELP_STRING([--with-default-trust-store-file=FILE], -+ [use the given file default trust store])]) -+ -+if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then -+ # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html -+ for i in \ -+ /etc/ssl/certs/ca-certificates.crt \ -+ /etc/pki/tls/cert.pem \ -+ /usr/local/share/certs/ca-root-nss.crt -+ do -+ if test -e $i; then -+ 
with_default_trust_store_file="$i" -+ break -+ fi -+ done -+fi -+ -+if test "x$with_default_trust_store_file" != x; then -+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE], -+ ["$with_default_trust_store_file"], [use the given file default trust store]) -+fi -+ - dnl Guile bindings. - opt_guile_bindings=yes - AC_MSG_CHECKING([whether building Guile bindings]) -@@ -513,6 +548,8 @@ if features are disabled) - SRP support: $ac_enable_srp - PSK support: $ac_enable_psk - Anon auth support:$ac_enable_anon -+ Trust store pkcs: $with_default_trust_store_pkcs11 -+ Trust store file: $with_default_trust_store_file - ]) - - AC_MSG_NOTICE([Optional applications: -Index: gnutls-3.0.19/doc/Makefile.am -=================================================================== ---- gnutls-3.0.19.orig/doc/Makefile.am -+++ gnutls-3.0.19/doc/Makefile.am -@@ -717,6 +717,7 @@ FUNCS += functions/gnutls_certificate_fr - FUNCS += functions/gnutls_certificate_set_dh_params - FUNCS += functions/gnutls_certificate_set_verify_flags - FUNCS += functions/gnutls_certificate_set_verify_limits -+FUNCS += functions/gnutls_certificate_set_x509_system_trust - FUNCS += functions/gnutls_certificate_set_x509_trust_file - FUNCS += functions/gnutls_certificate_set_x509_trust_mem - FUNCS += functions/gnutls_certificate_set_x509_crl_file -Index: gnutls-3.0.19/doc/manpages/Makefile.am -=================================================================== ---- gnutls-3.0.19.orig/doc/manpages/Makefile.am -+++ gnutls-3.0.19/doc/manpages/Makefile.am -@@ -314,6 +314,7 @@ APIMANS += gnutls_certificate_free_crls. 
- APIMANS += gnutls_certificate_set_dh_params.3 - APIMANS += gnutls_certificate_set_verify_flags.3 - APIMANS += gnutls_certificate_set_verify_limits.3 -+APIMANS += gnutls_certificate_set_x509_system_trust.3 - APIMANS += gnutls_certificate_set_x509_trust_file.3 - APIMANS += gnutls_certificate_set_x509_trust_mem.3 - APIMANS += gnutls_certificate_set_x509_crl_file.3 -Index: gnutls-3.0.19/lib/gnutls_x509.c -=================================================================== ---- gnutls-3.0.19.orig/lib/gnutls_x509.c -+++ gnutls-3.0.19/lib/gnutls_x509.c -@@ -1588,6 +1588,61 @@ gnutls_certificate_set_x509_trust_file ( - return ret; - } - -+#ifdef DEFAULT_TRUST_STORE_FILE -+static int -+_gnutls_certificate_set_x509_system_trust_file (gnutls_certificate_credentials_t cred) -+{ -+ int ret; -+ gnutls_datum_t cas; -+ size_t size; -+ -+ cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size); -+ if (cas.data == NULL) -+ { -+ gnutls_assert (); -+ return GNUTLS_E_FILE_ERROR; -+ } -+ -+ cas.size = size; -+ -+ ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM); -+ -+ free (cas.data); -+ -+ if (ret < 0) -+ { -+ gnutls_assert (); -+ } -+ -+ return ret; -+} -+#endif -+ -+/** -+ * gnutls_certificate_set_x509_system_trust: -+ * @cred: is a #gnutls_certificate_credentials_t structure. -+ * -+ * This function adds the system's default trusted CAs in order to -+ * verify client or server certificates. 
-+ * -+ **/ -+int -+gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred) -+{ -+ int ret, r = 0; -+#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11) -+ ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11); -+ if (ret > 0) -+ r += ret; -+#endif -+#ifdef DEFAULT_TRUST_STORE_FILE -+ ret = _gnutls_certificate_set_x509_system_trust_file(cred); -+ if (ret > 0) -+ r += ret; -+#endif -+ return r; -+} -+ - static int - parse_pem_crl_mem (gnutls_x509_trust_list_t tlist, - const char * input_crl, unsigned int input_crl_size) -Index: gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in -=================================================================== ---- gnutls-3.0.19.orig/lib/includes/gnutls/gnutls.h.in -+++ gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in -@@ -1100,6 +1100,9 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get( - unsigned int max_depth); - - int -+ gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred); -+ -+ int - gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t - cred, const char *cafile, - gnutls_x509_crt_fmt_t type); -Index: gnutls-3.0.19/lib/libgnutls.map -=================================================================== ---- gnutls-3.0.19.orig/lib/libgnutls.map -+++ gnutls-3.0.19/lib/libgnutls.map -@@ -788,6 +788,11 @@ GNUTLS_3_0_0 { - gnutls_session_get_random; - } GNUTLS_2_12; - -+GNUTLS_3_0_0_SUSE { -+ global: -+ gnutls_certificate_set_x509_system_trust; -+} GNUTLS_3_0_0; -+ - GNUTLS_PRIVATE { - global: - # Internal symbols needed by libgnutls-extra: -Index: gnutls-3.0.19/src/cli.c -=================================================================== ---- gnutls-3.0.19.orig/src/cli.c -+++ gnutls-3.0.19/src/cli.c -@@ -479,9 +479,6 @@ cert_verify_callback (gnutls_session_t s - int ssh = ENABLED_OPT(TOFU); - const char* txt_service; - -- if (!x509_cafile && !pgp_keyring) -- return 0; -- - rc = cert_verify(session, hostname); - if (rc == 0) - { -@@ -1184,11 +1181,6 @@ const 
char* rest = NULL; - - if (HAVE_OPT(X509CAFILE)) - x509_cafile = OPT_ARG(X509CAFILE); -- else -- { -- if (access(DEFAULT_CA_FILE, R_OK) == 0) -- x509_cafile = DEFAULT_CA_FILE; -- } - - if (HAVE_OPT(X509CRLFILE)) - x509_crlfile = OPT_ARG(X509CRLFILE); -@@ -1419,15 +1411,20 @@ init_global_tls_stuff (void) - { - ret = gnutls_certificate_set_x509_trust_file (xcred, - x509_cafile, x509ctype); -- if (ret < 0) -- { -- fprintf (stderr, "Error setting the x509 trust file\n"); -- } -- else -- { -- printf ("Processed %d CA certificate(s).\n", ret); -- } - } -+ else -+ { -+ ret = gnutls_certificate_set_x509_system_trust (xcred); -+ } -+ if (ret < 0) -+ { -+ fprintf (stderr, "Error setting the x509 trust file\n"); -+ } -+ else -+ { -+ printf ("Processed %d CA certificate(s).\n", ret); -+ } -+ - if (x509_crlfile != NULL) - { - ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile, diff --git a/gnutls.changes b/gnutls.changes index 59ae2b0..b5335b1 100644 --- a/gnutls.changes +++ b/gnutls.changes 
@@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Thu Jun 21 08:02:43 UTC 2012 - meissner@suse.com + +- Updated to version 3.0.20: + libgnutls: Corrected bug which prevented the parsing of + handshake packets spanning multiple records. + + libgnutls: Check key identifiers when checking for an issuer. + + libgnutls: Added gnutls_pubkey_verify_hash2() + + libgnutls: Added gnutls_certificate_set_x509_system_trust() + that loads the trusted CA certificates from system locations + (e.g. trusted storage in windows and CA bundle files in other systems). + + certtool: Added support for the URI subject alternative + name type in certtool. + + certtool: Increase to 128 the maximum number of distinct options + (e.g. dns_names) allowed. + + gnutls-cli: If --print-cert is given, print the certificate, + even on verification failure. + + ** API and ABI modifications: + gnutls_pk_to_sign: Added + gnutls_pubkey_verify_hash2: Added + gnutls_certificate_set_x509_system_trust: Added + ------------------------------------------------------------------- Tue May 29 12:51:59 UTC 2012 - puzel@suse.com diff --git a/gnutls.spec b/gnutls.spec index ccd1bb2..887b71c 100644 --- a/gnutls.spec +++ b/gnutls.spec @@ -21,7 +21,7 @@ %define gnutls_ossl_sover 27 Name: gnutls -Version: 3.0.19 +Version: 3.0.20 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-3.0+ ; GPL-3.0+ @@ -29,9 +29,6 @@ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ Source0: http://ftp.gnu.org/gnu/gnutls/%{name}-%{version}.tar.xz Source1: baselibs.conf -# upstream, will be officially available in some future gnutls -# version and can be removed then -- lnussel -Patch0: gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff # suse specific, add support for certificate directories -- lnussel Patch1: gnutls-implement-trust-store-dir.diff Patch2: automake-1.12.patch 
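Review bot: Removing Patch0 in the `@@ -29,9 +29,6 @@` hunk also removes the `GNUTLS_3_0_0_SUSE` version node that the deleted patch added to lib/libgnutls.map for gnutls_certificate_set_x509_system_trust. Packages built against the patched 3.0.19 will have bound the symbol to that node and will fail to load against 3.0.20 unless upstream exports it under the same node name, which this page does not show and I presume it does not; either keep a compatibility node in the map or confirm that every consumer of the symbol is rebuilt. A one-line note next to `Patch1: gnutls-implement-trust-store-dir.diff` stating that it now builds on the upstream API rather than on a local patch would help the next updater.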
@@ -126,7 +123,6 @@ Files needed for software development using gnutls. %prep %setup -q -%patch0 -p1 %patch1 -p1 %patch2 -p1 echo %{_includedir}/%{name}/abstract.h