Hello community, here is the log from the commit of package gnutls.1658 for openSUSE:12.2:Update checked in at 2013-05-17 19:05:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/gnutls.1658 (Old) and /work/SRC/openSUSE:12.2:Update/.gnutls.1658.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls.1658" Changes: -------- New Changes file: --- /dev/null 2013-05-15 01:32:43.420028506 +0200 +++ /work/SRC/openSUSE:12.2:Update/.gnutls.1658.new/gnutls.changes 2013-05-17 19:06:01.000000000 +0200 
@@ -0,0 +1,1130 @@ +------------------------------------------------------------------- +Thu May 2 14:28:15 UTC 2013 - [email protected] + +- Fix bug[ bnc#802651] CVE-2013-1619( gnutls): Luck-13 issue + Add patch file: CVE-2013-1619.patch + +------------------------------------------------------------------- +Sun Jul 1 20:00:33 UTC 2012 - [email protected] + +- merge am-1.12 patches into 1 + +------------------------------------------------------------------- +Sat Jun 30 17:24:48 UTC 2012 - [email protected] + +- fix 12.2 builds. + * replace depreciated am_prog_mkdir_p with ac_prog_mkdir_p. + +------------------------------------------------------------------- +Thu Jun 21 08:02:43 UTC 2012 - [email protected] + +- Updated to version 3.0.20: + libgnutls: Corrected bug which prevented the parsing of + handshake packets spanning multiple records. + + libgnutls: Check key identifiers when checking for an issuer. + + libgnutls: Added gnutls_pubkey_verify_hash2() + + libgnutls: Added gnutls_certificate_set_x509_system_trust() + that loads the trusted CA certificates from system locations + (e.g. trusted storage in windows and CA bundle files in other systems). + + certtool: Added support for the URI subject alternative + name type in certtool. + + certtool: Increase to 128 the maximum number of distinct options + (e.g. dns_names) allowed. + + gnutls-cli: If --print-cert is given, print the certificate, + even on verification failure. 
+ + ** API and ABI modifications: + gnutls_pk_to_sign: Added + gnutls_pubkey_verify_hash2: Added + gnutls_certificate_set_x509_system_trust: Added + +------------------------------------------------------------------- +Tue May 29 12:51:59 UTC 2012 - [email protected] + +- fix build with automake-1.12 + - add: automake-1.12.patch + +------------------------------------------------------------------- +Thu May 24 07:45:31 UTC 2012 - [email protected] + +- backport gnutls_certificate_set_x509_system_trust() from git and + add support for trust store directories (bnc#761634) + +------------------------------------------------------------------- +Mon May 21 15:35:00 UTC 2012 - [email protected] + +- add version and release to gnutls-devel provides + +------------------------------------------------------------------- +Mon May 21 11:33:29 UTC 2012 - [email protected] + +- let libgnutls-devel also provide gnutls-devel + +------------------------------------------------------------------- +Sun May 13 02:44:30 UTC 2012 - [email protected] + +- Update to version 3.0.19: + + libgnutls: + - When decoding a PKCS #11 URL the pin-source field + is assumed to be a file that stores the pin. Based on patch + by David Smith. + - gnutls_record_check_pending() no longer + returns unprocessed data, and thus ensure the non-blocking + of the next call to gnutls_record_recv(). + - Added strict tests in Diffie-Hellman and + SRP key exchange public keys. + - in ECDSA and DSA TLS 1.2 authentication be less + strict in hash selection, and allow a stronger hash to + be used than the appropriate, to improve interoperability + with openssl. + + tests: + - Disabled floating point test, and corrections + in pkcs12 decoding tests. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.18: + + certtool: + - Avoid a Y2K38 bug when generating certificates. + Patch by Robert Millan. 
+ + libgnutls: + - Make sure that GNUTLS_E_PREMATURE_TERMINATION + - is returned on premature termination (and added unit test). + - Fixes for W64 API. Patch by B. Scott Michel. + - Corrected VIA padlock detection for old + VIA processors. Reported by Kris Karas. + - Updated assembler files. + - Time in generated certificates is stored + as GeneralizedTime instead of UTCTime (which only stores + 2 digits of a year). + + minitasn1: + - Upgraded to libtasn1 version 2.13 (pre-release). + + API and ABI modifications: + - gnutls_x509_crt_set_private_key_usage_period: Added + - gnutls_x509_crt_get_private_key_usage_period: Added + - gnutls_x509_crq_set_private_key_usage_period: Added + - gnutls_x509_crq_get_private_key_usage_period: Added + - gnutls_session_get_random: Added +- Changes from version 3.0.17: + + command line apps: + - Always link with local libopts. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.16: + + minitasn1: + - Upgraded to libtasn1 version 2.12 (pre-release). + + libgnutls: + - Corrected SRP-RSA ciphersuites when used under TLS 1.2. + - included assembler files for MacOSX. + + p11tool: + - Small fixes in handling of the --private command + line option. + + certtool: + - The template option allows for setting the domain + component (DC) option of the distinguished name, and the ocsp_uri + as well as the ca_issuers_uri options. + + API and ABI modifications: + - gnutls_x509_crt_set_authority_info_access: Added +- Changes from version 3.0.15: + + test suite: + - Only run under valgrind in the development + system (the full git repository) + + command line apps: + - Link with local libopts if the installed is an old one. + + libgnutls: + - Eliminate double free during SRP + authentication. Reported by Peter Penzov. + - Corrections in record packet parsing. + Reported by Matthew Hall. + - Cryptodev updates and fixes. + - Corrected issue with select() that affected + FreeBSD. 
This prevented establishing DTLS sessions. + Reported by Andreas Metzler. + - Corrected rehandshake and resumption + operations in DTLS. Reported by Sean Buckheister. + - PKCS #11 objects that do not have ID + no longer crash listing. Reported by Sven Geggus. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.14: + + command line apps: + - Included libopts doesn't get installed by default. + + libgnutls: + - Eliminate double free on wrongly formatted + certificate list. Reported by Remi Gacogne. + - cryptodev code corrected, updated to account + for hashes and GCM mode. + Eliminated memory leak in PCKS #11 initialization. + Report and fix by Sam Varshavchik. + + API and ABI modifications: + - No changes since last version. +- Changes from version 3.0.13: + + gnutls-cli: + - added the --ocsp option which will verify + the peer's certificate with OCSP. + - added the --tofu and if specified, gnutls-cli + will use an ssh-style authentication method. + - if no --x509cafile is provided a default is + assumed (/etc/ssl/certs/ca-certificates.crt), if it exists. + + ocsptool: + - Added --ask parameter, to verify a certificate's + status from an ocsp server. + + command line apps: + - Use gnu autogen (libopts) to parse command + line arguments and template files. + + tests: + - Added stress test for DTLS packet losses and + out-of-order receival. Contributed by Sean Buckheister. + + libgnutls: + - Several updates and corrections in the DTLS + DTLS lost packet handling and retransmission timeouts. + Report and patches by Sean Buckheister. + - Added new functions to easily allow the usage of + a trust on first use (SSH-style) authentication. + - SUITEB128 and SUITEB192 priority strings account + for the RFC6460 requirements. + - Added new security parameter GNUTLS_SEC_PARAM_LEGACY + to account for security level of 96-bits. 
+ - In client side if server does not advertise any + known CAs and only a single certificate is set in the credentials, + sent that one. + - Added functions to parse authority key identifiers + when stored as a 'general name' and serial combo. ++++ 933 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.gnutls.1658.new/gnutls.changes New: ---- CVE-2013-1619.patch automake-1.12.patch baselibs.conf gnutls-3.0.20.tar.xz gnutls-implement-trust-store-dir.diff gnutls.changes gnutls.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ # # spec file for package gnutls # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define gnutls_sover 28 %define gnutlsxx_sover 28 %define gnutls_ossl_sover 27 Name: gnutls Version: 3.0.20 Release: 0 Summary: The GNU Transport Layer Security Library License: LGPL-3.0+ ; GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ Source0: http://ftp.gnu.org/gnu/gnutls/%{name}-%{version}.tar.xz Source1: baselibs.conf # suse specific, add support for certificate directories -- lnussel Patch1: gnutls-implement-trust-store-dir.diff Patch2: automake-1.12.patch Patch3: CVE-2013-1619.patch BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libidn-devel BuildRequires: libnettle-devel >= 2.2 BuildRequires: libtasn1-devel BuildRequires: libtool BuildRequires: p11-kit-devel >= 0.11 BuildRequires: pkg-config BuildRequires: xz BuildRequires: zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build # bug437293 %ifarch ppc64 Obsoletes: gnutls-64bit %endif %description The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library License: LGPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutls%{gnutls_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutlsxx%{gnutlsxx_sover} Summary: The GNU Transport Layer Security Library License: LGPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutlsxx%{gnutlsxx_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. 
%package -n libgnutls-openssl%{gnutls_ossl_sover} Summary: The GNU Transport Layer Security Library License: GPL-3.0+ Group: Productivity/Networking/Security %description -n libgnutls-openssl%{gnutls_ossl_sover} The GnuTLS project aims to develop a library that provides a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards of the IETF's TLS working group. %package -n libgnutls-devel Summary: Development package for gnutls License: LGPL-3.0+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: glibc-devel Requires: libgnutls%{gnutls_sover} = %{version} Provides: gnutls-devel = %{version}-%{release} %description -n libgnutls-devel Files needed for software development using gnutls. %package -n libgnutlsxx-devel Summary: Development package for gnutls License: LGPL-3.0+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: libgnutls-devel = %{version} Requires: libgnutlsxx%{gnutlsxx_sover} = %{version} Requires: libstdc++-devel %description -n libgnutlsxx-devel Files needed for software development using gnutls. %package -n libgnutls-openssl-devel Summary: Development package for gnutls License: GPL-3.0+ Group: Development/Libraries/C and C++ Requires: libgnutls-devel = %{version} Requires: libgnutls-openssl%{gnutls_ossl_sover} = %{version} %description -n libgnutls-openssl-devel Files needed for software development using gnutls. %prep %setup -q %patch1 -p1 %patch2 -p1 %patch3 -p1 echo %{_includedir}/%{name}/abstract.h %build autoreconf -i %configure \ --disable-static \ --with-pic \ --disable-rpath \ --disable-silent-rules \ --with-default-trust-store-dir=/etc/ssl/certs \ --with-sysroot=/%{?_sysroot} make %{?_smp_mflags} # 17-ago-2011, Test suite passes in factory, just not #in the build system due to some broken code requiring both networking #and fixes. 
#make check %install %make_install rm -rf doc/examples/.deps doc/examples/.libs doc/examples/*.{o,lo,la} doc/examples/Makefile{,.in} find doc/examples -perm -111 -exec rm {} \; rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot # Do not package static libs and libtool files rm -f %{buildroot}%{_libdir}/*.la %find_lang libgnutls --all-name %clean rm -rf %{buildroot} %post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig %post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig %post -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig %postun -n libgnutls-openssl%{gnutls_ossl_sover} -p /sbin/ldconfig %post -n libgnutls-devel %install_info --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %install_info --info-dir=%{_infodir} %{_infodir}/pkcs11-vision.png.gz %postun -n libgnutls-devel %install_info_delete --info-dir=%{_infodir} %{_infodir}/gnutls.info.gz %install_info_delete --info-dir=%{_infodir} %{_infodir}/pkcs11-vision.png.gz %files -f libgnutls.lang %defattr(-, root, root) %doc THANKS README NEWS ChangeLog COPYING AUTHORS doc/TODO %{_bindir}/certtool %{_bindir}/crywrap %{_bindir}/gnutls-cli %{_bindir}/gnutls-cli-debug %{_bindir}/gnutls-serv %{_bindir}/ocsptool %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} %defattr(-,root,root) %{_libdir}/libgnutls.so.%{gnutls_sover}* %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) %{_libdir}/libgnutls-openssl.so.%{gnutls_ossl_sover}* %files -n libgnutlsxx%{gnutlsxx_sover} %defattr(-,root,root) %{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}* %files -n libgnutls-devel %defattr(-, root, root) %dir %{_includedir}/%{name} %{_includedir}/%{name}/abstract.h %{_includedir}/%{name}/crypto.h %{_includedir}/%{name}/compat.h %{_includedir}/%{name}/dtls.h %{_includedir}/%{name}/gnutls.h %{_includedir}/%{name}/openpgp.h %{_includedir}/%{name}/ocsp.h 
%{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h %{_includedir}/%{name}/x509.h %{_libdir}/libgnutls.so %{_libdir}/pkgconfig/gnutls.pc %{_mandir}/man3/* %{_infodir}/*.* %doc doc/examples doc/gnutls.html doc/*.png doc/gnutls.pdf doc/reference/html/* %files -n libgnutlsxx-devel %defattr(-, root, root) %{_libdir}/libgnutlsxx.so %dir %{_includedir}/%{name} %{_includedir}/%{name}/gnutlsxx.h %files -n libgnutls-openssl-devel %defattr(-, root, root) %{_libdir}/libgnutls-openssl.so %dir %{_includedir}/%{name} %{_includedir}/%{name}/openssl.h %changelog ++++++ CVE-2013-1619.patch ++++++ Index: gnutls-3.0.20/lib/gnutls_cipher.c =================================================================== --- gnutls-3.0.20.orig/lib/gnutls_cipher.c +++ gnutls-3.0.20/lib/gnutls_cipher.c @@ -426,6 +426,36 @@ compressed_to_ciphertext (gnutls_session return length; } +static void dummy_wait(record_parameters_st * params, gnutls_datum_t* plaintext, + unsigned pad_failed, unsigned int pad, unsigned total) +{ + /* this hack is only needed on CBC ciphers */ + if (_gnutls_cipher_is_block (params->cipher_algorithm) == CIPHER_BLOCK) + { + unsigned len; + + /* force an additional hash compression function evaluation to prevent timing + * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. + */ + if (pad_failed == 0 && pad > 0) + { + len = _gnutls_get_hash_block_len(params->mac_algorithm); + if (len > 0) + { + /* This is really specific to the current hash functions. + * It should be removed once a protocol fix is in place. + */ + if ((pad+total) % len > len-9 && total % len <= len-9) + { + if (len < plaintext->size) + _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, len); + else + _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, plaintext->size); + } + } + } + } +} /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. * Returns the actual compressed packet size. 
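Review bot: The compensation in dummy_wait is tuned to 64-byte-block digests: `len-9` encodes an MD-style final block (one 0x80 byte plus an 8-byte length field), which does not hold for SHA-384/SHA-512 (128-byte block, 16-byte length field), yet `_gnutls_get_hash_block_len` in the lib/gnutls_hash_int.h hunk later on this page returns 64 for GNUTLS_DIG_SHA384 and GNUTLS_DIG_SHA512 as well. If a CBC suite with HMAC-SHA384 can be negotiated on this branch (not visible here), the extra compression would be decided at the wrong block boundary for those suites; either return 128 for the two and derive the final-block reserve from the digest, or state the restriction. I would replace the "really specific" comment with `/* Assumes a 64-byte hash block and 9 bytes of MD-style final padding (0x80 + 64-bit length); SHA-384/512 (128-byte block, 16-byte length) are not covered. */`. The helper also hashes into `params->read.cipher_state` unconditionally, so it is only meaningful on the receive path — nothing in the signature says so and a one-line comment should.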
@@ -439,10 +469,12 @@ ciphertext_to_compressed (gnutls_session uint64* sequence) { uint8_t tag[MAX_HASH_SIZE]; - uint8_t pad; + unsigned int pad = 0, i; int length, length_to_decrypt; uint16_t blocksize; - int ret, i, pad_failed = 0; + int ret; + unsigned int tmp_pad_failed = 0; + unsigned int pad_failed = 0; uint8_t preamble[MAX_PREAMBLE_SIZE]; unsigned int preamble_size; unsigned int ver = gnutls_protocol_get_version (session); @@ -523,7 +555,7 @@ ciphertext_to_compressed (gnutls_session ciphertext->data += blocksize; } - if (ciphertext->size < tag_size) + if (ciphertext->size < tag_size+1) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); /* we don't use the auth_cipher interface here, since 
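Review bot: The new `ciphertext->size < tag_size+1` guard in the second hunk on this line needs a comment, because it is what makes the later `ciphertext->data[ciphertext->size - 1]` pad-byte read and the unsigned arithmetic safe: `/* need at least one byte (the pad length) beyond the MAC tag */`. In the first hunk `length` stays a signed `int` while `pad` and `i` become `unsigned int`; `length = ciphertext->size - tag_size - pad - 1` in the following hunk is presumably evaluated in unsigned arithmetic and only stays non-negative because of this guard together with the `1+pad > size - tag_size` check, so that invariant is worth spelling out next to the declaration. ciphertext_to_compressed starts and ends outside these hunks.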
@@ -536,42 +568,31 @@ ciphertext_to_compressed (gnutls_session ciphertext->data, ciphertext->size)) < 0) return gnutls_assert_val(ret); - pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */ - - - if ((int) pad > (int) ciphertext->size - tag_size) - { - gnutls_assert (); - _gnutls_record_log - ("REC[%p]: Short record length %d > %d - %d (under attack?)\n", - session, pad, ciphertext->size, tag_size); - /* We do not fail here. We check below for the - * the pad_failed. If zero means success. - */ - pad_failed = GNUTLS_E_DECRYPTION_FAILED; - pad %= blocksize; - } - length = ciphertext->size - tag_size - pad; + pad = ciphertext->data[ciphertext->size - 1]; /* pad */ - /* Check the pading bytes (TLS 1.x) + /* Check the pading bytes (TLS 1.x). + * Note that we access all 256 bytes of ciphertext for padding check + * because there is a timing channel in that memory access (in certain CPUs). */ if (ver != GNUTLS_SSL3) - for (i = 2; i < pad; i++) + for (i = 2; i <= MIN(256, ciphertext->size); i++) { - if (ciphertext->data[ciphertext->size - i] != - ciphertext->data[ciphertext->size - 1]) - pad_failed = GNUTLS_E_DECRYPTION_FAILED; + tmp_pad_failed |= (ciphertext->data[ciphertext->size - i] != pad); + pad_failed |= ((i<= (1+pad)) & (tmp_pad_failed)); } - if (length < 0) + if (pad_failed != 0 || (1+pad > ((int) ciphertext->size - tag_size))) { - /* Setting a proper length to prevent timing differences in - * processing of records with invalid encryption. + /* We do not fail here. We check below for the + * the pad_failed. If zero means success. */ - length = ciphertext->size - tag_size; + pad_failed = 1; + pad = 0; } + length = ciphertext->size - tag_size - pad - 1; + /* Pass the type, version, length and compressed through * MAC. */ 
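Review bot: The padding loop is written to be data-independent, but `pad_failed = 1; pad = 0;` right after it is an ordinary branch on the secret-derived result, and the `|=`/`&` masking gives no guarantee that the compiler keeps the loop itself branch-free; the new comment should say this is best-effort, e.g. `/* Best-effort: the loop reads MIN(256, size) bytes regardless of pad, but the compiler may still emit data-dependent branches. */`. `MIN(256, ciphertext->size)` is re-evaluated on every iteration; hoisting it into a local (`unsigned int n = MIN(256, ciphertext->size);` and `i <= n`) makes the bound obvious and keeps the body to the two mask updates. "pading" in the new comment should read "padding". The enclosing function continues outside this hunk.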
@@ -595,14 +616,14 @@ ciphertext_to_compressed (gnutls_session if (ret < 0) return gnutls_assert_val(ret); - /* This one was introduced to avoid a timing attack against the TLS - * 1.0 protocol. - */ - /* HMAC was not the same. - */ if (memcmp (tag, &ciphertext->data[length], tag_size) != 0 || pad_failed != 0) - return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); + { + gnutls_datum compressed = {compress_data, compress_size}; + /* HMAC was not the same. */ + dummy_wait(params, &compressed, pad_failed, pad, length+preamble_size); + return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); + } /* copy the decrypted stuff to compress_data. */ if (compress_size < length) Index: gnutls-3.0.20/lib/gnutls_hash_int.h =================================================================== --- gnutls-3.0.20.orig/lib/gnutls_hash_int.h +++ gnutls-3.0.20/lib/gnutls_hash_int.h @@ -176,4 +176,25 @@ inline static int IS_SHA(gnutls_digest_a return 0; } +/* We shouldn't need to know that, but a work-around in decoding + * TLS record padding requires that. + */ +inline static size_t +_gnutls_get_hash_block_len (gnutls_digest_algorithm_t algo) +{ + switch (algo) + { + case GNUTLS_DIG_MD5: + case GNUTLS_DIG_SHA1: + case GNUTLS_DIG_RMD160: + case GNUTLS_DIG_SHA256: + case GNUTLS_DIG_SHA384: + case GNUTLS_DIG_SHA512: + case GNUTLS_DIG_SHA224: + return 64; + default: + return 0; + } +} + #endif /* GNUTLS_HASH_INT_H */ ++++++ automake-1.12.patch ++++++ Index: gnutls-3.0.20/configure.ac =================================================================== --- gnutls-3.0.20.orig/configure.ac 2012-07-01 21:50:17.000000000 +0200 +++ gnutls-3.0.20/configure.ac 2012-07-01 21:50:17.977499968 +0200 
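Review bot: The MAC comparison still uses `memcmp`, which returns at the first differing byte, so the compare itself leaks the position of the first mismatch through timing even though the surrounding pad handling was just made length-independent; a fixed-time comparison over all `tag_size` bytes closes that. The `compressed` datum handed to dummy_wait wraps `compress_data`, which is only filled by the copy after this check, so the dummy hash runs over whatever the caller's buffer currently holds — harmless for its purpose, but a one-line comment (`/* buffer contents are irrelevant here; only the extra hash work matters */`) would stop a reader from hunting for a bug there. `i` is the `unsigned int` declared in an earlier hunk; the function continues outside this hunk.
```c
  /* Fixed-time tag compare: examine every byte rather than stopping at the
   * first mismatch, so the comparison itself does not leak where it differs. */
  unsigned int tag_diff = 0;
  for (i = 0; i < tag_size; i++)
    tag_diff |= tag[i] ^ ciphertext->data[length + i];

  if (tag_diff != 0 || pad_failed != 0)
    {
      gnutls_datum compressed = {compress_data, compress_size};
      /* HMAC was not the same (or padding was bad); keep the work constant.
       * The buffer contents are irrelevant here; only the extra hash work matters. */
      dummy_wait(params, &compressed, pad_failed, pad, length+preamble_size);
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
    }
  /* … unchanged: copy of the decrypted data into compress_data … */
```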
@@ -37,6 +37,7 @@ dnl Checks for programs. AC_PROG_CC AM_PROG_AS AC_PROG_CXX +AM_PROG_AR gl_EARLY # For includes/gnutls/gnutls.h.in. Index: gnutls-3.0.20/aclocal.m4 =================================================================== --- gnutls-3.0.20.orig/aclocal.m4 2012-06-05 19:10:14.000000000 +0200 +++ gnutls-3.0.20/aclocal.m4 2012-07-01 21:53:42.821893323 +0200 @@ -529,7 +529,7 @@ AM_MISSING_PROG(AUTOHEADER, autoheader) AM_MISSING_PROG(MAKEINFO, makeinfo) AC_REQUIRE([AM_PROG_INSTALL_SH])dnl AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl -AC_REQUIRE([AM_PROG_MKDIR_P])dnl +AC_REQUIRE([AC_PROG_MKDIR_P])dnl # We need awk for the "check" target. The system "awk" is bad on # some platforms. AC_REQUIRE([AC_PROG_AWK])dnl @@ -773,10 +773,10 @@ fi # serial 1 -# AM_PROG_MKDIR_P +# AC_PROG_MKDIR_P # --------------- # Check for `mkdir -p'. -AC_DEFUN([AM_PROG_MKDIR_P], +AC_DEFUN([AC_PROG_MKDIR_P], [AC_PREREQ([2.60])dnl AC_REQUIRE([AC_PROG_MKDIR_P])dnl dnl Automake 1.8 to 1.9.6 used to define mkdir_p. We now use MKDIR_P, Index: gnutls-3.0.20/gl/m4/gnulib-common.m4 =================================================================== --- gnutls-3.0.20.orig/gl/m4/gnulib-common.m4 2012-06-05 19:07:51.000000000 +0200 +++ gnutls-3.0.20/gl/m4/gnulib-common.m4 2012-07-01 21:53:42.821893323 +0200 @@ -301,7 +301,7 @@ m4_ifdef([AC_PROG_MKDIR_P], [ AC_SUBST([MKDIR_P])])], [ dnl For autoconf < 2.60: Backport of AC_PROG_MKDIR_P. AC_DEFUN_ONCE([AC_PROG_MKDIR_P], - [AC_REQUIRE([AM_PROG_MKDIR_P])dnl defined by automake + [AC_REQUIRE([AC_PROG_MKDIR_P])dnl defined by automake MKDIR_P='$(mkdir_p)' AC_SUBST([MKDIR_P])])]) Index: gnutls-3.0.20/m4/po.m4 =================================================================== --- gnutls-3.0.20.orig/m4/po.m4 2011-11-08 22:07:12.000000000 +0100 +++ gnutls-3.0.20/m4/po.m4 2012-07-01 21:53:42.822893277 +0200 
@@ -24,7 +24,7 @@ AC_DEFUN([AM_PO_SUBDIRS], [ AC_REQUIRE([AC_PROG_MAKE_SET])dnl AC_REQUIRE([AC_PROG_INSTALL])dnl - AC_REQUIRE([AM_PROG_MKDIR_P])dnl defined by automake + AC_REQUIRE([AC_PROG_MKDIR_P])dnl defined by automake AC_REQUIRE([AM_NLS])dnl dnl Release version of the gettext macros. This is used to ensure that ++++++ baselibs.conf ++++++ libgnutls28 obsoletes "gnutls-<targettype>" libgnutls-devel requires -libgnutls-<targettype> requires "libgnutls28-<targettype> = <version>" ++++++ gnutls-implement-trust-store-dir.diff ++++++ >From a6cef9220ae251e3b8f8d663c5fa7f888e3176d8 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <[email protected]> Date: Tue, 8 May 2012 15:47:02 +0200 Subject: [PATCH gnutls] implement trust store dir --- configure.ac | 18 ++++++++++++- lib/gnutls_x509.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 90 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index f826704..d099e05 100644 --- a/configure.ac +++ b/configure.ac 
@@ -296,17 +296,27 @@ AC_ARG_WITH([default-trust-store-file], [AS_HELP_STRING([--with-default-trust-store-file=FILE], [use the given file default trust store])]) +AC_ARG_WITH([default-trust-store-dir], + [AS_HELP_STRING([--with-default-trust-store-dir=DIR], + [use the given directory default trust store])]) + AC_ARG_WITH([default-crl-file], [AS_HELP_STRING([--with-default-crl-file=FILE], [use the given CRL file as default])]) -if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then +if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x \ + -a "x$with_default_trust_store_dir" = x; then # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html for i in \ + /etc/ssl/certs \ /etc/ssl/certs/ca-certificates.crt \ /etc/pki/tls/cert.pem \ /usr/local/share/certs/ca-root-nss.crt do + if test -d $i; then + with_default_trust_store_dir="$i" + break + fi if test -e $i; then with_default_trust_store_file="$i" break @@ -319,6 +329,11 @@ if test "x$with_default_trust_store_file" != x; then ["$with_default_trust_store_file"], [use the given file default trust store]) fi +if test "x$with_default_trust_store_dir" != x; then + AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR], + ["$with_default_trust_store_dir"], [use the given directory default trust store]) +fi + if test "x$with_default_crl_file" != x; then AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE], ["$with_default_crl_file"], [use the given CRL file]) @@ -560,6 +575,7 @@ if features are disabled) Trust store pkcs: $with_default_trust_store_pkcs11 Trust store file: $with_default_trust_store_file + Trust store dir: $with_default_trust_store_dir CRL file: $with_default_crl_file ]) diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 71e0d69..87eaa0c 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c 
@@ -36,6 +36,7 @@ #include <gnutls_pk.h> #include <gnutls_str.h> #include <debug.h> +#include <dirent.h> #include <x509_b64.h> #include <gnutls_x509.h> #include "x509/common.h" @@ -1692,6 +1693,72 @@ set_x509_system_trust_file (gnutls_certificate_credentials_t cred) } #endif +#ifdef DEFAULT_TRUST_STORE_DIR +static int +_gnutls_certificate_set_x509_system_trust_dir (gnutls_certificate_credentials_t cred) +{ + DIR* dir; + struct dirent* buf, *de; + int ret, r = 0; + gnutls_datum_t cas; + size_t size; + char cafile[PATH_MAX]; + + dir = opendir(DEFAULT_TRUST_STORE_DIR); + if (dir == NULL) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; + } + + buf = alloca(offsetof(struct dirent, d_name) + pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX) + 1); + + while (1) + { + if (readdir_r(dir, buf, &de)) + { + gnutls_assert(); + break; + } + if (de == NULL) + { + break; + } + if (strlen(de->d_name) < 4 || strcmp(de->d_name+strlen(de->d_name)-4, ".pem")) + { + continue; + } + + strcpy(cafile, DEFAULT_TRUST_STORE_DIR "/"); + strncat(cafile, de->d_name, sizeof(cafile)-strlen(cafile)-1); + cas.data = (void*)read_binary_file (cafile, &size); + if (cas.data == NULL) + { + gnutls_assert (); + continue; + } + + cas.size = size; + + ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM); + + free (cas.data); + + if (ret < 0) + { + gnutls_assert (); + } + else + { + r += ret; + } + } + closedir(dir); + + return r; +} +#endif + /** * gnutls_certificate_set_x509_system_trust: * @cred: is a #gnutls_certificate_credentials_t structure. 
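Review bot: The `alloca` size for the `readdir_r` buffer uses the result of `pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX)` unchecked; pathconf returns -1 both on error and when no limit applies, which here yields an allocation of `offsetof(struct dirent, d_name)` bytes, after which any entry name overflows the stack buffer. Guard it (fall back to `NAME_MAX` from `<limits.h>` or a fixed bound) and preferably heap-allocate so an attacker-influenced size never lands on the stack. The `strcpy`+`strncat` pair silently truncates a long entry name, and a truncated path would then be opened as if it were the intended file; building the path with `snprintf` and skipping on truncation is shorter and checkable. Every `.pem` under DEFAULT_TRUST_STORE_DIR becomes a trust anchor with no ownership or permission check — the same trust the file-based loader already places in its path — which deserves a sentence in the function comment.
```c
  long name_max = pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX);
  if (name_max < 0)
    name_max = NAME_MAX;   /* pathconf() failed or reports no limit */
  buf = malloc(offsetof(struct dirent, d_name) + (size_t)name_max + 1);
  if (buf == NULL)
    {
      closedir(dir);
      gnutls_assert();
      return GNUTLS_E_MEMORY_ERROR;
    }
  /* … unchanged: readdir_r loop and ".pem" suffix filter … */
      if (snprintf(cafile, sizeof(cafile), "%s/%s",
                   DEFAULT_TRUST_STORE_DIR, de->d_name) >= (int) sizeof(cafile))
        {
          gnutls_assert();
          continue;   /* name would be truncated: skip rather than open the wrong path */
        }
  /* … unchanged: read_binary_file / gnutls_certificate_set_x509_trust_mem … */
  closedir(dir);
  free(buf);
```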
@@ -1710,7 +1777,7 @@ set_x509_system_trust_file (gnutls_certificate_credentials_t cred) int gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred) { -#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) +#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) && !defined(DEFAULT_TRUST_STORE_DIR) int r = GNUTLS_E_UNIMPLEMENTED_FEATURE; #else int ret, r = 0; @@ -1728,6 +1795,11 @@ gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred) r += ret; #endif +#ifdef DEFAULT_TRUST_STORE_DIR + ret = _gnutls_certificate_set_x509_system_trust_dir(cred); + if (ret > 0) + r += ret; +#endif return r; } -- 1.7.7 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
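Review bot: The added `if (ret > 0) r += ret;` drops the error from `_gnutls_certificate_set_x509_system_trust_dir` entirely: when the configured directory cannot be opened it returns GNUTLS_E_FILE_ERROR, and this caller turns that into "zero certificates loaded", indistinguishable from an empty directory, so a misconfigured trust store is only noticed when verification fails later. At minimum log it, e.g. `if (ret < 0) _gnutls_debug_log("failed to load trust store dir: %s\n", gnutls_strerror(ret));`, or propagate it when no other source contributed (`r == 0`). The body of gnutls_certificate_set_x509_system_trust continues outside the hunk, so whether the file/PKCS#11 branches treat their errors the same way is not visible here.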
