rpm/gnutls
SHA256
1
0
Fork 0
forked from pool/gnutls
Code Pull Requests Activity

Accepting request 125757 from Base:System

Browse Source 
- Updated to version 3.0.20:
  libgnutls: Corrected bug which prevented the parsing of
  handshake packets spanning multiple records.
  libgnutls: Check key identifiers when checking for an issuer.
  libgnutls: Added gnutls_pubkey_verify_hash2()
  libgnutls: Added gnutls_certificate_set_x509_system_trust()
  that loads the trusted CA certificates from system locations
  (e.g. trusted storage in windows and CA bundle files in other systems).
  certtool: Added support for the URI subject alternative
  name type in certtool.
  certtool: Increase to 128 the maximum number of distinct options
  (e.g. dns_names) allowed.
  gnutls-cli: If --print-cert is given, print the certificate, 
  even on verification failure.
  ** API and ABI modifications:
  gnutls_pk_to_sign: Added
  gnutls_pubkey_verify_hash2: Added
  gnutls_certificate_set_x509_system_trust: Added

OBS-URL: https://build.opensuse.org/request/show/125757
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnutls?expand=0&rev=50
This commit is contained in:
Stephan Kulow 2012-06-25 11:57:45 +00:00 committed by Git OBS Bridge
parent f6968e4069
commit 9a00144267
6 changed files with 72 additions and 281 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gnutls-3.0.19.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d9a436ea8718c38a564812e465c883f4f37ddc8c80c6f8bee54819e6e4089c37
size 5035160

3
gnutls-3.0.20.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7e3f431a43e5366ff5a9b7646d2a79892a905237ef18cb147b945ec99012686d
size 4426520

62
gnutls-implement-trust-store-dir.diff
View File

@ -1,26 +1,30 @@
From 513244e20eb057b37edfe326c164935758772a0f Mon Sep 17 00:00:00 2001 From a6cef9220ae251e3b8f8d663c5fa7f888e3176d8 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de> From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Tue, 8 May 2012 15:47:02 +0200 Date: Tue, 8 May 2012 15:47:02 +0200
Subject: [PATCH gnutls] implement trust store dir Subject: [PATCH gnutls] implement trust store dir
--- ---
configure.ac | 18 ++++++++++++- configure.ac | 18 ++++++++++++-
lib/gnutls_x509.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++ lib/gnutls_x509.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 89 insertions(+), 1 deletions(-) 2 files changed, 90 insertions(+), 2 deletions(-)
Index: gnutls-3.0.19/configure.ac diff --git a/configure.ac b/configure.ac
=================================================================== index f826704..d099e05 100644
--- gnutls-3.0.19.orig/configure.ac --- a/configure.ac
+++ gnutls-3.0.19/configure.ac +++ b/configure.ac
@@ -296,13 +296,23 @@ AC_ARG_WITH([default-trust-store-file], @@ -296,17 +296,27 @@ AC_ARG_WITH([default-trust-store-file],
[AS_HELP_STRING([--with-default-trust-store-file=FILE], [AS_HELP_STRING([--with-default-trust-store-file=FILE],
[use the given file default trust store])]) [use the given file default trust store])])
-if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then
+AC_ARG_WITH([default-trust-store-dir], +AC_ARG_WITH([default-trust-store-dir],
+ [AS_HELP_STRING([--with-default-trust-store-dir=DIR], + [AS_HELP_STRING([--with-default-trust-store-dir=DIR],
+ [use the given directory default trust store])]) + [use the given directory default trust store])])
+ +
AC_ARG_WITH([default-crl-file],
[AS_HELP_STRING([--with-default-crl-file=FILE],
[use the given CRL file as default])])
-if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then
+if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x \ +if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x \
+ -a "x$with_default_trust_store_dir" = x; then + -a "x$with_default_trust_store_dir" = x; then
# auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
@ -37,7 +41,7 @@ Index: gnutls-3.0.19/configure.ac
if test -e $i; then if test -e $i; then
with_default_trust_store_file="$i" with_default_trust_store_file="$i"
break break
@@ -315,6 +325,11 @@ if test "x$with_default_trust_store_file @@ -319,6 +329,11 @@ if test "x$with_default_trust_store_file" != x; then
["$with_default_trust_store_file"], [use the given file default trust store]) ["$with_default_trust_store_file"], [use the given file default trust store])
fi fi
@ -46,21 +50,21 @@ Index: gnutls-3.0.19/configure.ac
+ ["$with_default_trust_store_dir"], [use the given directory default trust store]) + ["$with_default_trust_store_dir"], [use the given directory default trust store])
+fi +fi
+ +
dnl Guile bindings. if test "x$with_default_crl_file" != x; then
opt_guile_bindings=yes AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE],
AC_MSG_CHECKING([whether building Guile bindings]) ["$with_default_crl_file"], [use the given CRL file])
@@ -550,6 +565,7 @@ if features are disabled) @@ -560,6 +575,7 @@ if features are disabled)
Anon auth support:$ac_enable_anon
Trust store pkcs: $with_default_trust_store_pkcs11 Trust store pkcs: $with_default_trust_store_pkcs11
Trust store file: $with_default_trust_store_file Trust store file: $with_default_trust_store_file
+ Trust store dir: $with_default_trust_store_dir + Trust store dir: $with_default_trust_store_dir
CRL file: $with_default_crl_file
]) ])
AC_MSG_NOTICE([Optional applications: diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
Index: gnutls-3.0.19/lib/gnutls_x509.c index 71e0d69..87eaa0c 100644
=================================================================== --- a/lib/gnutls_x509.c
--- gnutls-3.0.19.orig/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c
+++ gnutls-3.0.19/lib/gnutls_x509.c
@@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
#include <gnutls_pk.h> #include <gnutls_pk.h>
#include <gnutls_str.h> #include <gnutls_str.h>
@ -69,7 +73,7 @@ Index: gnutls-3.0.19/lib/gnutls_x509.c
#include <x509_b64.h> #include <x509_b64.h>
#include <gnutls_x509.h> #include <gnutls_x509.h>
#include "x509/common.h" #include "x509/common.h"
@@ -1618,6 +1619,72 @@ _gnutls_certificate_set_x509_system_trus @@ -1692,6 +1693,72 @@ set_x509_system_trust_file (gnutls_certificate_credentials_t cred)
} }
#endif #endif
@ -142,10 +146,19 @@ Index: gnutls-3.0.19/lib/gnutls_x509.c
/** /**
* gnutls_certificate_set_x509_system_trust: * gnutls_certificate_set_x509_system_trust:
* @cred: is a #gnutls_certificate_credentials_t structure. * @cred: is a #gnutls_certificate_credentials_t structure.
@@ -1640,6 +1707,11 @@ gnutls_certificate_set_x509_system_trust @@ -1710,7 +1777,7 @@ set_x509_system_trust_file (gnutls_certificate_credentials_t cred)
if (ret > 0) int
gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
{
-#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE)
+#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) && !defined(DEFAULT_TRUST_STORE_DIR)
int r = GNUTLS_E_UNIMPLEMENTED_FEATURE;
#else
int ret, r = 0;
@@ -1728,6 +1795,11 @@ gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
r += ret; r += ret;
#endif #endif
+#ifdef DEFAULT_TRUST_STORE_DIR +#ifdef DEFAULT_TRUST_STORE_DIR
+ ret = _gnutls_certificate_set_x509_system_trust_dir(cred); + ret = _gnutls_certificate_set_x509_system_trust_dir(cred);
+ if (ret > 0) + if (ret > 0)
@ -154,3 +167,6 @@ Index: gnutls-3.0.19/lib/gnutls_x509.c
return r; return r;
} }
--
1.7.7

250
gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff
View File

@ -1,250 +0,0 @@
From d5633875724fe383adb4e994fc72bd7c64acb197 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Tue, 8 May 2012 16:28:25 +0200
Subject: [PATCH gnutls] introduce gnutls_certificate_set_x509_system_trust
gnutls_certificate_set_x509_system_trust() imports the trusted root CA's
from a compile time defined location. That way applications don't
need to know.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
configure.ac | 37 ++++++++++++++++++++++++++
doc/Makefile.am | 1 +
doc/manpages/Makefile.am | 1 +
lib/gnutls_x509.c | 55 +++++++++++++++++++++++++++++++++++++++
lib/includes/gnutls/gnutls.h.in | 3 ++
lib/libgnutls.map | 5 +++
src/cli.c | 29 +++++++++-----------
7 files changed, 115 insertions(+), 16 deletions(-)
Index: gnutls-3.0.19/configure.ac
===================================================================
--- gnutls-3.0.19.orig/configure.ac
+++ gnutls-3.0.19/configure.ac
@@ -280,6 +280,41 @@ AC_PROG_LN_S
AC_LIBTOOL_WIN32_DLL
AC_PROG_LIBTOOL
+AC_ARG_WITH([default-trust-store-pkcs11],
+ [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
+ [use the given pkcs11 uri as default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" != x; then
+ if test "x$with_p11_kit" = xno; then
+ AC_MSG_ERROR([cannot use pkcs11 store without p11-kit])
+ fi
+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_PKCS11],
+ ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default trust store])
+fi
+
+AC_ARG_WITH([default-trust-store-file],
+ [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+ [use the given file default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then
+ # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
+ for i in \
+ /etc/ssl/certs/ca-certificates.crt \
+ /etc/pki/tls/cert.pem \
+ /usr/local/share/certs/ca-root-nss.crt
+ do
+ if test -e $i; then
+ with_default_trust_store_file="$i"
+ break
+ fi
+ done
+fi
+
+if test "x$with_default_trust_store_file" != x; then
+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE],
+ ["$with_default_trust_store_file"], [use the given file default trust store])
+fi
+
dnl Guile bindings.
opt_guile_bindings=yes
AC_MSG_CHECKING([whether building Guile bindings])
@@ -513,6 +548,8 @@ if features are disabled)
SRP support: $ac_enable_srp
PSK support: $ac_enable_psk
Anon auth support:$ac_enable_anon
+ Trust store pkcs: $with_default_trust_store_pkcs11
+ Trust store file: $with_default_trust_store_file
])
AC_MSG_NOTICE([Optional applications:
Index: gnutls-3.0.19/doc/Makefile.am
===================================================================
--- gnutls-3.0.19.orig/doc/Makefile.am
+++ gnutls-3.0.19/doc/Makefile.am
@@ -717,6 +717,7 @@ FUNCS += functions/gnutls_certificate_fr
FUNCS += functions/gnutls_certificate_set_dh_params
FUNCS += functions/gnutls_certificate_set_verify_flags
FUNCS += functions/gnutls_certificate_set_verify_limits
+FUNCS += functions/gnutls_certificate_set_x509_system_trust
FUNCS += functions/gnutls_certificate_set_x509_trust_file
FUNCS += functions/gnutls_certificate_set_x509_trust_mem
FUNCS += functions/gnutls_certificate_set_x509_crl_file
Index: gnutls-3.0.19/doc/manpages/Makefile.am
===================================================================
--- gnutls-3.0.19.orig/doc/manpages/Makefile.am
+++ gnutls-3.0.19/doc/manpages/Makefile.am
@@ -314,6 +314,7 @@ APIMANS += gnutls_certificate_free_crls.
APIMANS += gnutls_certificate_set_dh_params.3
APIMANS += gnutls_certificate_set_verify_flags.3
APIMANS += gnutls_certificate_set_verify_limits.3
+APIMANS += gnutls_certificate_set_x509_system_trust.3
APIMANS += gnutls_certificate_set_x509_trust_file.3
APIMANS += gnutls_certificate_set_x509_trust_mem.3
APIMANS += gnutls_certificate_set_x509_crl_file.3
Index: gnutls-3.0.19/lib/gnutls_x509.c
===================================================================
--- gnutls-3.0.19.orig/lib/gnutls_x509.c
+++ gnutls-3.0.19/lib/gnutls_x509.c
@@ -1588,6 +1588,61 @@ gnutls_certificate_set_x509_trust_file (
return ret;
}
+#ifdef DEFAULT_TRUST_STORE_FILE
+static int
+_gnutls_certificate_set_x509_system_trust_file (gnutls_certificate_credentials_t cred)
+{
+ int ret;
+ gnutls_datum_t cas;
+ size_t size;
+
+ cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size);
+ if (cas.data == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_FILE_ERROR;
+ }
+
+ cas.size = size;
+
+ ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
+
+ free (cas.data);
+
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ }
+
+ return ret;
+}
+#endif
+
+/**
+ * gnutls_certificate_set_x509_system_trust:
+ * @cred: is a #gnutls_certificate_credentials_t structure.
+ *
+ * This function adds the system's default trusted CAs in order to
+ * verify client or server certificates.
+ *
+ **/
+int
+gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
+{
+ int ret, r = 0;
+#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
+ ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
+ if (ret > 0)
+ r += ret;
+#endif
+#ifdef DEFAULT_TRUST_STORE_FILE
+ ret = _gnutls_certificate_set_x509_system_trust_file(cred);
+ if (ret > 0)
+ r += ret;
+#endif
+ return r;
+}
+
static int
parse_pem_crl_mem (gnutls_x509_trust_list_t tlist,
const char * input_crl, unsigned int input_crl_size)
Index: gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in
===================================================================
--- gnutls-3.0.19.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in
@@ -1100,6 +1100,9 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(
unsigned int max_depth);
int
+ gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred);
+
+ int
gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t
cred, const char *cafile,
gnutls_x509_crt_fmt_t type);
Index: gnutls-3.0.19/lib/libgnutls.map
===================================================================
--- gnutls-3.0.19.orig/lib/libgnutls.map
+++ gnutls-3.0.19/lib/libgnutls.map
@@ -788,6 +788,11 @@ GNUTLS_3_0_0 {
gnutls_session_get_random;
} GNUTLS_2_12;
+GNUTLS_3_0_0_SUSE {
+ global:
+ gnutls_certificate_set_x509_system_trust;
+} GNUTLS_3_0_0;
+
GNUTLS_PRIVATE {
global:
# Internal symbols needed by libgnutls-extra:
Index: gnutls-3.0.19/src/cli.c
===================================================================
--- gnutls-3.0.19.orig/src/cli.c
+++ gnutls-3.0.19/src/cli.c
@@ -479,9 +479,6 @@ cert_verify_callback (gnutls_session_t s
int ssh = ENABLED_OPT(TOFU);
const char* txt_service;
- if (!x509_cafile && !pgp_keyring)
- return 0;
-
rc = cert_verify(session, hostname);
if (rc == 0)
{
@@ -1184,11 +1181,6 @@ const char* rest = NULL;
if (HAVE_OPT(X509CAFILE))
x509_cafile = OPT_ARG(X509CAFILE);
- else
- {
- if (access(DEFAULT_CA_FILE, R_OK) == 0)
- x509_cafile = DEFAULT_CA_FILE;
- }
if (HAVE_OPT(X509CRLFILE))
x509_crlfile = OPT_ARG(X509CRLFILE);
@@ -1419,15 +1411,20 @@ init_global_tls_stuff (void)
{
ret = gnutls_certificate_set_x509_trust_file (xcred,
x509_cafile, x509ctype);
- if (ret < 0)
- {
- fprintf (stderr, "Error setting the x509 trust file\n");
- }
- else
- {
- printf ("Processed %d CA certificate(s).\n", ret);
- }
}
+ else
+ {
+ ret = gnutls_certificate_set_x509_system_trust (xcred);
+ }
+ if (ret < 0)
+ {
+ fprintf (stderr, "Error setting the x509 trust file\n");
+ }
+ else
+ {
+ printf ("Processed %d CA certificate(s).\n", ret);
+ }
+
if (x509_crlfile != NULL)
{
ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile,

29
gnutls.changes
View File

@ -1,3 +1,32 @@
-------------------------------------------------------------------
Thu Jun 21 08:02:43 UTC 2012 - meissner@suse.com
- Updated to version 3.0.20:
libgnutls: Corrected bug which prevented the parsing of
handshake packets spanning multiple records.
libgnutls: Check key identifiers when checking for an issuer.
libgnutls: Added gnutls_pubkey_verify_hash2()
libgnutls: Added gnutls_certificate_set_x509_system_trust()
that loads the trusted CA certificates from system locations
(e.g. trusted storage in windows and CA bundle files in other systems).
certtool: Added support for the URI subject alternative
name type in certtool.
certtool: Increase to 128 the maximum number of distinct options
(e.g. dns_names) allowed.
gnutls-cli: If --print-cert is given, print the certificate,
even on verification failure.
** API and ABI modifications:
gnutls_pk_to_sign: Added
gnutls_pubkey_verify_hash2: Added
gnutls_certificate_set_x509_system_trust: Added
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 29 12:51:59 UTC 2012 - puzel@suse.com Tue May 29 12:51:59 UTC 2012 - puzel@suse.com

6
gnutls.spec
View File

@ -21,7 +21,7 @@
%define gnutls_ossl_sover 27 %define gnutls_ossl_sover 27
Name: gnutls Name: gnutls
Version: 3.0.19 Version: 3.0.20
Release: 0 Release: 0
Summary: The GNU Transport Layer Security Library Summary: The GNU Transport Layer Security Library
License: LGPL-3.0+ ; GPL-3.0+ License: LGPL-3.0+ ; GPL-3.0+
@ -29,9 +29,6 @@ Group: Productivity/Networking/Security
Url: http://www.gnutls.org/ Url: http://www.gnutls.org/
Source0: http://ftp.gnu.org/gnu/gnutls/%{name}-%{version}.tar.xz Source0: http://ftp.gnu.org/gnu/gnutls/%{name}-%{version}.tar.xz
Source1: baselibs.conf Source1: baselibs.conf
# upstream, will be officially available in some future gnutls
# version and can be removed then -- lnussel
Patch0: gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff
# suse specific, add support for certificate directories -- lnussel # suse specific, add support for certificate directories -- lnussel
Patch1: gnutls-implement-trust-store-dir.diff Patch1: gnutls-implement-trust-store-dir.diff
Patch2: automake-1.12.patch Patch2: automake-1.12.patch
@ -126,7 +123,6 @@ Files needed for software development using gnutls.
%prep %prep
%setup -q %setup -q
%patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
echo %{_includedir}/%{name}/abstract.h echo %{_includedir}/%{name}/abstract.h