gnutls: backport upstream --with-ca-path implementation
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This commit is contained in:
parent
9ea72dda91
commit
c31e6bb7c0
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=gnurl
|
||||
PKG_VERSION:=7.40.0
|
||||
PKG_RELEASE:=4
|
||||
PKG_RELEASE:=5
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||
PKG_SOURCE_URL:=https://gnunet.org/sites/default/files
|
||||
|
@ -53,6 +53,7 @@ CONFIGURE_ARGS += \
|
|||
--with-gnutls="$(STAGING_DIR)/usr" \
|
||||
--with-libidn="$(STAGING_DIR)/usr" \
|
||||
--with-zlib="$(STAGING_DIR)/usr" \
|
||||
--with-ca-path="/etc/ssl/certs/" \
|
||||
--enable-shared \
|
||||
--enable-static \
|
||||
--without-axtls \
|
||||
|
|
|
@ -0,0 +1,100 @@
|
|||
From 5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 Mon Sep 17 00:00:00 2001
|
||||
From: Alessandro Ghedini <alessandro@ghedini.me>
|
||||
Date: Sun, 8 Mar 2015 20:11:06 +0100
|
||||
Subject: [PATCH] gtls: add support for CURLOPT_CAPATH
|
||||
|
||||
---
|
||||
acinclude.m4 | 4 ++--
|
||||
docs/libcurl/opts/CURLOPT_CAPATH.3 | 5 ++---
|
||||
lib/vtls/gtls.c | 22 ++++++++++++++++++++++
|
||||
lib/vtls/gtls.h | 3 +++
|
||||
4 files changed, 29 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/acinclude.m4 b/acinclude.m4
|
||||
index 6ed7ffb..ca01869 100644
|
||||
--- a/acinclude.m4
|
||||
+++ b/acinclude.m4
|
||||
@@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
|
||||
capath="no"
|
||||
elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
|
||||
dnl --with-ca-path given
|
||||
- if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
|
||||
- AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL])
|
||||
+ if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
|
||||
+ AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL])
|
||||
fi
|
||||
capath="$want_capath"
|
||||
ca="no"
|
||||
diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3
|
||||
index 642953d..6695f9f 100644
|
||||
--- a/docs/libcurl/opts/CURLOPT_CAPATH.3
|
||||
+++ b/docs/libcurl/opts/CURLOPT_CAPATH.3
|
||||
@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
|
||||
.SH EXAMPLE
|
||||
TODO
|
||||
.SH AVAILABILITY
|
||||
-This option is OpenSSL-specific and does nothing if libcurl is built to use
|
||||
-GnuTLS. NSS-powered libcurl provides the option only for backward
|
||||
-compatibility.
|
||||
+This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS
|
||||
+backend provides the option only for backward compatibility.
|
||||
.SH RETURN VALUE
|
||||
Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or
|
||||
CURLE_OUT_OF_MEMORY if there was insufficient heap space.
|
||||
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||
index 05aef19..c792540 100644
|
||||
--- a/lib/vtls/gtls.c
|
||||
+++ b/lib/vtls/gtls.c
|
||||
@@ -97,6 +97,10 @@ static bool gtls_inited = FALSE;
|
||||
# if (GNUTLS_VERSION_NUMBER >= 0x03020d)
|
||||
# define HAS_OCSP
|
||||
# endif
|
||||
+
|
||||
+# if (GNUTLS_VERSION_NUMBER >= 0x030306)
|
||||
+# define HAS_CAPATH
|
||||
+# endif
|
||||
#endif
|
||||
|
||||
#ifdef HAS_OCSP
|
||||
@@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn,
|
||||
rc, data->set.ssl.CAfile);
|
||||
}
|
||||
|
||||
+#ifdef HAS_CAPATH
|
||||
+ if(data->set.ssl.CApath) {
|
||||
+ /* set the trusted CA cert directory */
|
||||
+ rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
|
||||
+ data->set.ssl.CApath,
|
||||
+ GNUTLS_X509_FMT_PEM);
|
||||
+ if(rc < 0) {
|
||||
+ infof(data, "error reading ca cert file %s (%s)\n",
|
||||
+ data->set.ssl.CAfile, gnutls_strerror(rc));
|
||||
+ if(data->set.ssl.verifypeer)
|
||||
+ return CURLE_SSL_CACERT_BADFILE;
|
||||
+ }
|
||||
+ else
|
||||
+ infof(data, "found %d certificates in %s\n",
|
||||
+ rc, data->set.ssl.CApath);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if(data->set.ssl.CRLfile) {
|
||||
/* set the CRL list file */
|
||||
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
|
||||
diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
|
||||
index c3867e5..af1cb5b 100644
|
||||
--- a/lib/vtls/gtls.h
|
||||
+++ b/lib/vtls/gtls.h
|
||||
@@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void);
|
||||
/* Set the API backend definition to GnuTLS */
|
||||
#define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
|
||||
|
||||
+/* this backend supports the CAPATH option */
|
||||
+#define have_curlssl_ca_path 1
|
||||
+
|
||||
/* API setup for GnuTLS */
|
||||
#define curlssl_init Curl_gtls_init
|
||||
#define curlssl_cleanup Curl_gtls_cleanup
|
||||
--
|
||||
2.4.4
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
From 2c30fa7eb71b24f05b55ff03d6c81fc8572a6f4d Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Golle <daniel@makrotopia.org>
|
||||
Date: Mon, 29 Jun 2015 18:36:01 +0200
|
||||
Subject: [PATCH] gnutls: use default system trust storage if no other CA is
|
||||
set
|
||||
|
||||
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
||||
---
|
||||
lib/vtls/gtls.c | 21 +++++++++++++++++++++
|
||||
1 file changed, 21 insertions(+)
|
||||
|
||||
--- a/lib/vtls/gtls.c
|
||||
+++ b/lib/vtls/gtls.c
|
||||
@@ -420,6 +420,27 @@ gtls_connect_step1(struct connectdata *c
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
|
||||
+ if(
|
||||
+#ifdef USE_TLS_SRP
|
||||
+ data->set.ssl.authtype != CURL_TLSAUTH_SRP &&
|
||||
+#endif
|
||||
+#ifdef HAS_CAPATH
|
||||
+ !data->set.ssl.CApath &&
|
||||
+#endif
|
||||
+ !data->set.ssl.CAfile) {
|
||||
+ /* add default system trust on supported systems */
|
||||
+ rc = gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
|
||||
+
|
||||
+ if(rc < 0) {
|
||||
+ infof(data, "error importing system trust storage (%s)\n",
|
||||
+ gnutls_strerror(rc));
|
||||
+ if(data->set.ssl.verifypeer)
|
||||
+ return CURLE_SSL_CACERT;
|
||||
+ }
|
||||
+ else
|
||||
+ infof(data, "found %d certificates in system trust storage\n", rc);
|
||||
+ }
|
||||
+
|
||||
#ifdef USE_TLS_SRP
|
||||
if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
|
||||
infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
|
Loading…
Reference in New Issue