Hello community, here is the log from the commit of package gnutls for openSUSE:Factory checked in at 2013-07-01 15:54:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnutls (Old) and /work/SRC/openSUSE:Factory/.gnutls.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnutls" Changes: -------- --- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes 2013-04-26 15:50:27.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes 2013-07-01 15:54:45.000000000 +0200 
@@ -1,0 +2,279 @@ +Thu Jun 27 13:44:12 UTC 2013 - [email protected] + +- Disable all ECC algorithms. + +- gnutls-32bit.patch: upstream patch to make test + work with 32bit time_t. + +- gnutls-implement-trust-store-dir.diff + + currently not yet forward ported. + +- Updated to GnuTLS 3.2.1 + ** libgnutls: Allow ECC when in SSL 3.0 to work-around a bug in certain + openssl versions. + ** libgnutls: Fixes in interrupted function resumption. Report + and patch by Tim Kosse. + ** libgnutls: Corrected issue when receiving client hello verify + requests in DTLS. + ** libgnutls: Fixes in DTLS record overhead size calculations. + ** libgnutls: gnutls_handshake_get_last_in() was fixed. Reported by + Mann Ern Kang. +- Updated to GnuTLS 3.2.0 + ** libgnutls: Use nettle's elliptic curve implementation. + ** libgnutls: Added Salsa20 cipher + ** libgnutls: Added UMAC-96 and UMAC-128 + ** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96. + As they are not standardized they are defined using private ciphersuite numbers. + ** libgnutls: Added support for DTLS 1.2. + ** libgnutls: Added support for the Application Layer Protocol + Negotiation (ALPN) extension. + ** libgnutls: Removed support for the RSA-EXPORT ciphersuites. + ** libgnutls: Avoid linking to librt (that also avoids unnecessary + linking to pthreads if p11-kit isn't used). + +- Updated to GnuTLS 3.1.10 (released 2013-03-22) + ** certtool: When generating PKCS #12 files use by default the + ARCFOUR (RC4) cipher to be compatible with devices that don't + support AES with PKCS #12. + ** libgnutls: Load CA certificates in android 4.x systems. + ** libgnutls: Optimized CA certificate loading. + ** libgnutls: Private keys are overwritten on deinitialization. + ** libgnutls: PKCS #11 slots are scanned only when needed, not + on initialization. This speeds up gnutls initialization when smart + cards are present. 
+ ** libgnutls: Corrected issue in the (deprecated) external key + signing interface, when used with TLS 1.2. Reported by Bjorn H. Christensen. + ** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by + Joke de Buhr. + ** libgnutls-dane: Updated DANE verification options. + ** configure: Trust store file must be explicitly set or unset when + cross compiling. +- Updated to GnuTLS 3.1.9 (released 2013-02-27) + ** certtool: Option --to-p12 will now ask for a password to generate + a PKCS #12 file from an encrypted key file. Reported by Yan Fiz. + ** libgnutls: Corrected issue in gnutls_pubkey_verify_data(). + ** libgnutls: Corrected parsing issue in XMPP within a subject + alternative name. Reported by James Cloos. + ** libgnutls: gnutls_pkcs11_reinit() will reinitialize all PKCS #11 + modules, and not only the ones loaded via p11-kit. + ** libgnutls: Added function to check whether the private key is + still available (inserted). + ** libgnutls: Try to detect fork even during nonce generation. + +- Updated to GnuTLS 3.1.8 (released 2013-02-10) + ** libgnutls: Fixed issue in gnutls_x509_privkey_import2() which didn't return + GNUTLS_E_DECRYPTION_FAILED in all cases, and affect certtool operation + with encrypted keys. Reported by Yan Fiz. + ** libgnutls: The minimum DH bits accepted by priorities NORMAL and + PERFORMANCE was set to previous defaults 727 bits. Reported by Diego + Elio Petteno. + ** libgnutls: Corrected issue which prevented gnutls_pubkey_verify_hash() + to operate with long keys. Reported by Erik A Jensen. + +- Updated to GnuTLS 3.1.7 (released 2013-02-04) + ** certtool: Added option "dn" which allows to directly set the DN + in a template from an RFC4514 string. + ** danetool: Added options: --dlv and --insecure. Suggested by Paul Wouters. + ** libgnutls-xssl: Added a new library to simplify GnuTLS usage. + ** libgnutls-dane: Added function to specify a DLV file. + ** libgnutls: Heartbeat code was made optional. 
+ ** libgnutls: Fixes in server side of DTLS-0.9. + ** libgnutls: DN variable 'T' was expanded to 'title'. + ** libgnutls: Fixes in record padding parsing to prevent a timing attack. + Issue reported by Kenny Paterson and Nadhem Alfardan. + ** libgnutls: Added functions to directly set the DN in a certificate + or request from an RFC4514 string. + ** libgnutls: Optimizations in the random generator. The re-seeding of + it is now explicitly done on every session deinit. + ** libgnutls: Simplified the DTLS sliding window implementation. + ** libgnutls: The minimum DH bits accepted by a client are now set + by the specified priority string. The current values correspond to the + previous defaults (727 bits), except for the SECURE128 and SECURE192 + strings which increase the minimum to 1248 and 1776 respectively. + ** libgnutls: Added the gnutls_record_cork() and uncork API to enable + buffering in sending application data. + ** libgnutls: Removed default random padding, and added a length-hiding interface + instead. Both the server and the client must support this extension. Whether + length-hiding can be used on a given session can be checked using + gnutls_record_can_use_length_hiding(). Contributed by Alfredo Pironti. + ** libgnutls: Added the experimental %NEW_PADDING priority string. It enables + a new padding mechanism in TLS allowing arbitrary padding in TLS records + in all ciphersuites, which makes length-hiding more efficient and solves + the issues with timing attacks on CBC ciphersuites. + ** libgnutls: Corrected gnutls_cipher_decrypt2() when used with AEAD + ciphers (i.e., AES-GCM). Reported by William McGovern. + +- Updated to GnuTLS 3.1.6 (released 2013-01-02) + ** libgnutls: Fixed record padding parsing issue. Reported by Kenny + Patterson and Nadhem Alfardan. + ** libgnutls: Several updates in the ASN.1 string handling subsystem. + ** libgnutls: gnutls_x509_crt_get_policy() allows for a list of zero + policy qualifiers. 
+ ** libgnutls: Ignore heartbeat messages when received out-of-order, + instead of issuing an error. + ** libgnutls: Stricter RSA PKCS #1 1.5 encoding and decoding. Reported + by Kikuchi Masashi. + ** libgnutls: TPM support is disabled by default because GPL programs + cannot link with it. Use --with-tpm to enable it. + ** libgnutls-guile: Fixed parallel compilation issue. + ** gnutls-cli: It will try to connect to all possible returned addresses + before failing. + +- Updated to GnuTLS 3.1.5 (released 2012-11-24) + ** libgnutls: Added functions to parse the certificates policies + extension. + ** libgnutls: Handle BMPString (UCS-2) encoding in the Distinguished + Name by translating it to UTF-8 (works on windows or systems with + iconv). + ** libgnutls: Added PKCS #11 key generation function that returns the + public key on generation. + ** libgnutls: Corrected bug in priority string parsing, that mostly + affected combined levels. Patch by Tim Kosse. + ** certtool: The --pubkey-info option can be combined with the + --load-privkey or --load-request to print the corresponding public keys. + ** certtool: It is able to set certificate policies via a template. + ** certtool: Added --hex-numbers option which prints big numbers in + an easier to parse format. + ** p11tool: After key generation, outputs the public key (useful in + tokens that do not store the public key). + ** danetool: It is being built even without libgnutls-dane (the + --check functionality is disabled though). + +- Updated to GnuTLS 3.1.4 (released 2012-11-10) + ** libgnutls: gnutls_certificate_verify_peers2() will set flags depending on + the available revocation data validity. + ** libgnutls: Added gnutls_certificate_verification_status_print(), + a function to print the verification status code in human readable text. + ** libgnutls: Added priority string %VERIFY_DISABLE_CRL_CHECKS. + ** libgnutls: Simplified certificate verification by adding + gnutls_certificate_verify_peers3(). 
+ ** libgnutls: Added support for extension to establish keys for SRTP. + Contributed by Martin Storsjo. + ** libgnutls: The X.509 verification functions check the key + usage bits and pathlen constraints and on failure output + GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE. + ** libgnutls: gnutls_x509_crl_verify() includes the time checks. + ** libgnutls: Added verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN + and made GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN the default. + ** libgnutls: Always tolerate key usage violation errors from the side + of the peer, but also notify via an audit message. + ** gnutls-cli: Added --local-dns option. + ** danetool: Corrected bug that prevented loading PEM files. + ** danetool: Added --check option to allow querying and verifying + a site's DANE data. + ** libgnutls-dane: Added pkg-config file for the library. + +- Updated to GnuTLS 3.1.3 (released 2012-10-12) + ** libgnutls: Added support for the OCSP Certificate Status + extension. + ** libgnutls: gnutls_certificate_verify_peers2() will use the OCSP + certificate status extension in verification. + ** libgnutls: Bug fixes in gnutls_x509_privkey_import_openssl(). + ** libgnutls: Increased maximum password length in the PKCS #12 + functions. + ** libgnutls: Fixed the receipt of session tickets during session resumption. + Reported by danblack at http://savannah.gnu.org/support/?108146 + ** libgnutls: Added functions to export structures in an allocated buffer. + ** libgnutls: Added gnutls_ocsp_resp_check_crt() to check whether the OCSP + response corresponds to the given certificate. + ** libgnutls: In client side gnutls_init() enables the session ticket and + OCSP certificate status request extensions by default. The flag + GNUTLS_NO_EXTENSIONS can be used to prevent that. + ** libgnutls: Several updates in the OpenPGP code. The generating code + is fully RFC6091 compliant and RFC5081 support is only supported in client + mode. + ** libgnutls-dane: Added. 
It is a library to provide DANE with DNSSEC + certificate verification. + ** gnutls-cli: Added --dane option to enable DANE certificate verification. + ** danetool: Added tool to generate DANE TLSA Resource Records (RR). + +- Updated to GnuTLS 3.1.2 (released 2012-09-26) + ** libgnutls: Fixed bug in gnutls_x509_trust_list_add_system_trust() + and gnutls_x509_trust_list_add_trust_mem() that prevented the loading + of certificates in the windows platform. + ** libgnutls: Corrected bug in OpenPGP subpacket encoding. + ** libgnutls: Added support for DTLS/TLS heartbeats by Olga Smolenchuk. + (the work was done during Google Summer of Code). ++++ 82 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/gnutls/gnutls.changes ++++ and /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes Old: ---- gnutls-3.0.28.tar.xz New: ---- gnutls-3.2.1-noecc.patch gnutls-3.2.1.tar.xz gnutls-3.2.1.tar.xz.sig gnutls-32bit.patch gnutls.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnutls.spec ++++++ --- /var/tmp/diff_new_pack.g3weyr/_old 2013-07-01 15:54:46.000000000 +0200 +++ /var/tmp/diff_new_pack.g3weyr/_new 2013-07-01 15:54:46.000000000 +0200 
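Review bot: the new gnutls.changes entry says gnutls-implement-trust-store-dir.diff is "currently not yet forward ported", yet the spec still applies it as %patch1 (now with -p1) and the updated diff at the end of this mail is rebased onto gnutls-3.2.1 paths, so that sentence should be corrected or dropped. The same entry records "Disable all ECC algorithms" without any rationale and omits the License tag change made in the spec (LGPL-3.0+ to LGPL-2.1+); both are user-visible changes that deserve a line of their own in the changelog.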
@@ -21,25 +21,38 @@ %define gnutls_ossl_sover 27 Name: gnutls -Version: 3.0.28 +Version: 3.2.1 Release: 0 Summary: The GNU Transport Layer Security Library -License: LGPL-3.0+ and GPL-3.0+ +License: LGPL-2.1+ and GPL-3.0+ Group: Productivity/Networking/Security Url: http://www.gnutls.org/ -Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/%{name}-%{version}.tar.xz -Source1: baselibs.conf -# suse specific, add support for certificate directories -- lnussel +Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz +# signature is checked by source services. +Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig +Source2: %name.keyring +Source3: baselibs.conf +# suse specific, add support for certificate directories -- lnussel/meissner Patch1: gnutls-implement-trust-store-dir.diff + Patch2: automake-1.12.patch # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch [email protected] -- skip a failing test Patch3: gnutls-3.0.26-skip-test-fwrite.patch + +# https://gitorious.org/gnutls/gnutls/commit/b12040aeab5fbaf02677571db1d8bf1995bd5ee0?format=patch +# PATCH-UPSTREAM gnutls-32bit.patch [email protected] -- avoid dates after 2037 with 32bit time_t +Patch4: gnutls-32bit.patch + +# Disable elliptic curves for reasons. - meissner&cfarrell +Patch5: gnutls-3.2.1-noecc.patch + BuildRequires: automake BuildRequires: gcc-c++ BuildRequires: libidn-devel -BuildRequires: libnettle-devel >= 2.2 +BuildRequires: libnettle-devel >= 2.7 BuildRequires: libtasn1-devel >= 2.14 BuildRequires: libtool +BuildRequires: valgrind %if %suse_version >= 1230 BuildRequires: makeinfo %endif @@ -60,7 +73,7 @@ %package -n libgnutls%{gnutls_sover} Summary: The GNU Transport Layer Security Library -License: LGPL-3.0+ +License: LGPL-2.1+ Group: Productivity/Networking/Security %description -n libgnutls%{gnutls_sover} 
@@ -70,7 +83,7 @@ %package -n libgnutlsxx%{gnutlsxx_sover} Summary: The GNU Transport Layer Security Library -License: LGPL-3.0+ +License: LGPL-2.1+ Group: Productivity/Networking/Security %description -n libgnutlsxx%{gnutlsxx_sover} @@ -92,7 +105,7 @@ %package -n libgnutls-devel Summary: Development package for gnutls -License: LGPL-3.0+ +License: LGPL-2.1+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: glibc-devel @@ -104,7 +117,7 @@ %package -n libgnutlsxx-devel Summary: Development package for gnutls -License: LGPL-3.0+ +License: LGPL-2.1+ Group: Development/Libraries/C and C++ PreReq: %install_info_prereq Requires: libgnutls-devel = %{version} @@ -128,19 +141,22 @@ %prep %setup -q -%patch1 +%patch1 -p1 %patch2 -p1 %patch3 -echo %{_includedir}/%{name}/abstract.h +%patch4 -p1 +%patch5 -p1 %build autoreconf -if +# echde explicitly disabled - meissner&cfarrell %configure \ --disable-static \ --with-pic \ --disable-rpath \ --disable-silent-rules \ --with-default-trust-store-dir=/etc/ssl/certs \ + --disable-ecdhe \ --with-sysroot=/%{?_sysroot} %__make %{?_smp_mflags} @@ -200,11 +216,13 @@ %{_bindir}/psktool %{_bindir}/p11tool %{_bindir}/srptool +%{_bindir}/danetool %{_mandir}/man1/* %files -n libgnutls%{gnutls_sover} %defattr(-,root,root) %{_libdir}/libgnutls.so.%{gnutls_sover}* +%{_libdir}/libgnutls-xssl.so.* %files -n libgnutls-openssl%{gnutls_ossl_sover} %defattr(-,root,root) @@ -227,7 +245,10 @@ %{_includedir}/%{name}/pkcs11.h %{_includedir}/%{name}/pkcs12.h %{_includedir}/%{name}/x509.h +%{_includedir}/%{name}/tpm.h +%{_includedir}/%{name}/xssl.h %{_libdir}/libgnutls.so +%{_libdir}/libgnutls-xssl.so %{_libdir}/pkgconfig/gnutls.pc %{_mandir}/man3/* %{_infodir}/*.* ++++++ automake-1.12.patch ++++++ --- /var/tmp/diff_new_pack.g3weyr/_old 2013-07-01 15:54:46.000000000 +0200 +++ /var/tmp/diff_new_pack.g3weyr/_new 2013-07-01 15:54:46.000000000 +0200 
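Review bot: in the gnutls.spec %build hunk the comment "# echde explicitly disabled" misspells ecdhe, and together with "# Disable elliptic curves for reasons." on Patch5 the spec never states why ECC is turned off; put the actual reason in the comment, because `--disable-ecdhe` removes the ECDHE ciphersuites and leaves DHE as the only forward-secret key exchange, which anyone debugging an interoperability report against this build needs to know. Two smaller points: `BuildRequires: valgrind` is added without a comment saying what it is needed for, and `%{_libdir}/libgnutls-xssl.so.*` is filed into the libgnutls%{gnutls_sover} package although it is a separate soname, which the shared library packaging policy expects in its own subpackage.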
@@ -1,20 +1,8 @@ -Index: gnutls-3.0.20/configure.ac +Index: gnutls-3.2.1/aclocal.m4 =================================================================== ---- gnutls-3.0.20.orig/configure.ac 2012-07-01 21:50:17.000000000 +0200 -+++ gnutls-3.0.20/configure.ac 2012-07-01 21:50:17.977499968 +0200 -@@ -37,6 +37,7 @@ dnl Checks for programs. - AC_PROG_CC - AM_PROG_AS - AC_PROG_CXX -+AM_PROG_AR - gl_EARLY - - # For includes/gnutls/gnutls.h.in. -Index: gnutls-3.0.20/aclocal.m4 -=================================================================== ---- gnutls-3.0.20.orig/aclocal.m4 2012-06-05 19:10:14.000000000 +0200 -+++ gnutls-3.0.20/aclocal.m4 2012-07-01 21:53:42.821893323 +0200 -@@ -529,7 +529,7 @@ AM_MISSING_PROG(AUTOHEADER, autoheader) +--- gnutls-3.2.1.orig/aclocal.m4 ++++ gnutls-3.2.1/aclocal.m4 +@@ -517,7 +517,7 @@ AM_MISSING_PROG(AUTOHEADER, autoheader) AM_MISSING_PROG(MAKEINFO, makeinfo) AC_REQUIRE([AM_PROG_INSTALL_SH])dnl AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl @@ -23,7 +11,7 @@ # We need awk for the "check" target. The system "awk" is bad on # some platforms. AC_REQUIRE([AC_PROG_AWK])dnl -@@ -773,10 +773,10 @@ fi +@@ -761,10 +761,10 @@ fi # serial 1 @@ -36,11 +24,11 @@ [AC_PREREQ([2.60])dnl AC_REQUIRE([AC_PROG_MKDIR_P])dnl dnl Automake 1.8 to 1.9.6 used to define mkdir_p. We now use MKDIR_P, -Index: gnutls-3.0.20/gl/m4/gnulib-common.m4 +Index: gnutls-3.2.1/gl/m4/gnulib-common.m4 =================================================================== ---- gnutls-3.0.20.orig/gl/m4/gnulib-common.m4 2012-06-05 19:07:51.000000000 +0200 -+++ gnutls-3.0.20/gl/m4/gnulib-common.m4 2012-07-01 21:53:42.821893323 +0200 -@@ -301,7 +301,7 @@ m4_ifdef([AC_PROG_MKDIR_P], [ +--- gnutls-3.2.1.orig/gl/m4/gnulib-common.m4 ++++ gnutls-3.2.1/gl/m4/gnulib-common.m4 +@@ -303,7 +303,7 @@ m4_ifdef([AC_PROG_MKDIR_P], [ AC_SUBST([MKDIR_P])])], [ dnl For autoconf < 2.60: Backport of AC_PROG_MKDIR_P. AC_DEFUN_ONCE([AC_PROG_MKDIR_P], 
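Review bot: the rebased automake-1.12.patch drops the configure.ac hunk that inserted `AM_PROG_AR` after `AC_PROG_CXX`, and the new diff now only touches aclocal.m4, gl/m4/gnulib-common.m4 and m4/po.m4. Unless gnutls-3.2.1's configure.ac already calls AM_PROG_AR, automake 1.12 will bring back the warning that hunk was added to silence; confirm that against the upstream file before dropping it, and give the patch a header line describing what it still does, since the rewritten Index: header carries no description at all.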
@@ -48,11 +36,11 @@ + [AC_REQUIRE([AC_PROG_MKDIR_P])dnl defined by automake MKDIR_P='$(mkdir_p)' AC_SUBST([MKDIR_P])])]) - -Index: gnutls-3.0.20/m4/po.m4 + ]) +Index: gnutls-3.2.1/m4/po.m4 =================================================================== ---- gnutls-3.0.20.orig/m4/po.m4 2011-11-08 22:07:12.000000000 +0100 -+++ gnutls-3.0.20/m4/po.m4 2012-07-01 21:53:42.822893277 +0200 +--- gnutls-3.2.1.orig/m4/po.m4 ++++ gnutls-3.2.1/m4/po.m4 @@ -24,7 +24,7 @@ AC_DEFUN([AM_PO_SUBDIRS], [ AC_REQUIRE([AC_PROG_MAKE_SET])dnl ++++++ gnutls-3.2.1-noecc.patch ++++++ ++++ 711 lines (skipped) ++++++ gnutls-3.0.28.tar.xz -> gnutls-3.2.1.tar.xz ++++++ ++++ 443978 lines of diff (skipped) ++++++ gnutls-32bit.patch ++++++ >From b12040aeab5fbaf02677571db1d8bf1995bd5ee0 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos <[email protected]> Date: Sun, 2 Jun 2013 12:10:06 +0200 Subject: [PATCH] Avoid comparing the expiration date to prevent false positive error in 32-bit systems. --- tests/cert-tests/pem-decoding | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/cert-tests/pem-decoding b/tests/cert-tests/pem-decoding index fe769ec..f8c6372 100755 --- a/tests/cert-tests/pem-decoding +++ b/tests/cert-tests/pem-decoding @@ -61,7 +61,9 @@ if test "$rc" != "0"; then exit $rc fi -diff $srcdir/complex-cert.pem tmp-pem.pem +cat $srcdir/complex-cert.pem |grep -v "Not After:" >tmp1 +cat $srcdir/tmp-pem.pem |grep -v "Not After:" >tmp2 +diff tmp1 tmp2 rc=$? if test "$rc" != "0"; then @@ -69,6 +71,6 @@ if test "$rc" != "0"; then exit $rc fi -rm -f tmp-pem.pem +rm -f tmp-pem.pem tmp1 tmp2 exit 0 -- 1.7.1 ++++++ gnutls-implement-trust-store-dir.diff ++++++ --- /var/tmp/diff_new_pack.g3weyr/_old 2013-07-01 15:54:50.000000000 +0200 +++ /var/tmp/diff_new_pack.g3weyr/_new 2013-07-01 15:54:50.000000000 +0200 
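Review bot: in the tests/cert-tests/pem-decoding hunk of gnutls-32bit.patch the removed line compared `tmp-pem.pem` in the current directory, but the replacement reads `cat $srcdir/tmp-pem.pem`; the file is generated and later removed (`rm -f tmp-pem.pem tmp1 tmp2`) without the `$srcdir/` prefix, so in an out-of-tree build grep reads a nonexistent file, tmp2 is empty and the diff fails. `grep -v "Not After:" tmp-pem.pem >tmp2` fixes it and drops the needless cat. The new temporaries are also left behind on the earlier `exit $rc` paths, and filtering out the Not After line removes that field from the comparison on every platform rather than only on 32-bit time_t, so a genuine mis-decoding of the expiry date would now go unnoticed.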
@@ -1,33 +1,34 @@ -From a6cef9220ae251e3b8f8d663c5fa7f888e3176d8 Mon Sep 17 00:00:00 2001 -From: Ludwig Nussel <[email protected]> -Date: Tue, 8 May 2012 15:47:02 +0200 -Subject: [PATCH gnutls] implement trust store dir - -(since updated as some parts were introduced upstream) - ---- - configure.ac | 18 ++++++++++++- - lib/gnutls_x509.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++- - 2 files changed, 90 insertions(+), 2 deletions(-) - -Index: configure.ac +Index: gnutls-3.2.1/configure.ac =================================================================== ---- configure.ac.orig 2012-11-08 23:05:32.000000000 +0000 -+++ configure.ac 2012-11-16 23:18:51.000000000 +0000 -@@ -301,9 +301,11 @@ AC_ARG_WITH([default-crl-file], +--- gnutls-3.2.1.orig/configure.ac ++++ gnutls-3.2.1/configure.ac +@@ -398,6 +398,25 @@ if test "$with_default_trust_store_file" + with_default_trust_store_file="" + fi + ++AC_ARG_WITH([default-trust-store-dir], ++ [AS_HELP_STRING([--with-default-trust-store-dir=DIRECTORY], ++ [use the given directory as default trust store])], with_default_trust_store_dir="$withval", ++ [if test "$build" = "$host" ; then ++ for i in \ ++ /etc/ssl/certs/ ++ do ++ if test -e $i ; then ++ with_default_trust_store_dir="$i" ++ break ++ fi ++ done ++ fi] ++) ++ ++if test "$with_default_trust_store_dir" = "no";then ++ with_default_trust_store_dir="" ++fi ++ + AC_ARG_WITH([default-crl-file], [AS_HELP_STRING([--with-default-crl-file=FILE], [use the given CRL file as default])]) - --if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then -+if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x \ -+ -a "x$with_default_trust_store_dir" = x; then - # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html - for i in \ -+ /etc/ssl/certs \ - /etc/ssl/certs/ca-certificates.crt \ - /etc/pki/tls/cert.pem \ - /usr/local/share/certs/ca-root-nss.crt \ -@@ -321,6 +323,11 @@ if 
test "x$with_default_trust_store_file +@@ -407,6 +426,11 @@ if test "x$with_default_trust_store_file ["$with_default_trust_store_file"], [use the given file default trust store]) fi 
@@ -39,117 +40,115 @@ if test "x$with_default_crl_file" != x; then AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE], ["$with_default_crl_file"], [use the given CRL file]) -@@ -562,6 +569,7 @@ if features are disabled) +@@ -683,6 +707,7 @@ AC_MSG_NOTICE([System files: - Trust store pkcs: $with_default_trust_store_pkcs11 - Trust store file: $with_default_trust_store_file -+ Trust store dir: $with_default_trust_store_dir - CRL file: $with_default_crl_file + Trust store pkcs: $with_default_trust_store_pkcs11 + Trust store file: $with_default_trust_store_file ++ Trust store dir: $with_default_trust_store_dir + CRL file: $with_default_crl_file + DNSSEC root key file: $unbound_root_key_file ]) - -Index: lib/gnutls_x509.c +Index: gnutls-3.2.1/lib/system.c =================================================================== ---- lib/gnutls_x509.c.orig 2012-09-22 01:01:26.000000000 +0100 -+++ lib/gnutls_x509.c 2012-11-16 23:16:31.000000000 +0000 -@@ -36,6 +36,7 @@ - #include <gnutls_pk.h> - #include <gnutls_str.h> - #include <debug.h> -+#include <dirent.h> - #include <x509_b64.h> - #include <gnutls_x509.h> - #include "x509/common.h" -@@ -1694,6 +1695,72 @@ set_x509_system_trust_file (gnutls_certi +--- gnutls-3.2.1.orig/lib/system.c ++++ gnutls-3.2.1/lib/system.c +@@ -385,7 +385,45 @@ const char *home_dir = getenv ("HOME"); + return 0; } - #endif -+#ifdef DEFAULT_TRUST_STORE_DIR -+static int -+_gnutls_certificate_set_x509_system_trust_dir (gnutls_certificate_credentials_t cred) +-#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) ++/* Used by both Android code and by Linux TRUST_STORE_DIR /etc/ssl/certs code */ ++#if defined(DEFAULT_TRUST_STORE_DIR) || defined(ANDROID) || defined(__ANDROID__) ++# include <dirent.h> ++# include <unistd.h> ++static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list, ++ unsigned int tl_flags, unsigned int tl_vflags, unsigned type) +{ -+ DIR* dir; -+ struct dirent* buf, *de; -+ int ret, 
r = 0; -+ gnutls_datum_t cas; -+ size_t size; -+ char cafile[PATH_MAX]; -+ -+ dir = opendir(DEFAULT_TRUST_STORE_DIR); -+ if (dir == NULL) -+ { -+ gnutls_assert (); -+ return GNUTLS_E_FILE_ERROR; -+ } -+ -+ buf = alloca(offsetof(struct dirent, d_name) + pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX) + 1); ++DIR * dirp; ++struct dirent *d; ++int ret; ++int r = 0; ++char path[GNUTLS_PATH_MAX]; + -+ while (1) ++ dirp = opendir(dirname); ++ if (dirp != NULL) + { -+ if (readdir_r(dir, buf, &de)) -+ { -+ gnutls_assert(); -+ break; -+ } -+ if (de == NULL) -+ { -+ break; -+ } -+ if (strlen(de->d_name) < 4 || strcmp(de->d_name+strlen(de->d_name)-4, ".pem")) -+ { -+ continue; -+ } -+ -+ strcpy(cafile, DEFAULT_TRUST_STORE_DIR "/"); -+ strncat(cafile, de->d_name, sizeof(cafile)-strlen(cafile)-1); -+ cas.data = (void*)read_binary_file (cafile, &size); -+ if (cas.data == NULL) -+ { -+ gnutls_assert (); -+ continue; -+ } -+ -+ cas.size = size; -+ -+ ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM); -+ -+ free (cas.data); -+ -+ if (ret < 0) -+ { -+ gnutls_assert (); -+ } -+ else -+ { -+ r += ret; -+ } ++ do ++ { ++ d = readdir(dirp); ++ if (d != NULL && d->d_type == DT_REG) ++ { ++ snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name); ++ ++ ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags); ++ if (ret >= 0) ++ r += ret; ++ } ++ } ++ while(d != NULL); ++ closedir(dirp); + } -+ closedir(dir); -+ ++ + return r; +} +#endif + - /** - * gnutls_certificate_set_x509_system_trust: - * @cred: is a #gnutls_certificate_credentials_t structure. 
-@@ -1712,7 +1779,7 @@ set_x509_system_trust_file (gnutls_certi ++ ++#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) || defined(DEFAULT_TRUST_STORE_DIR) ++ + static int - gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred) - { --#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) -+#if !defined(_WIN32) && !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) && !defined(DEFAULT_TRUST_STORE_DIR) - int r = GNUTLS_E_UNIMPLEMENTED_FEATURE; - #else - int ret, r = 0; -@@ -1730,6 +1797,11 @@ gnutls_certificate_set_x509_system_trust + add_system_trust(gnutls_x509_trust_list_t list, +@@ -413,6 +451,12 @@ add_system_trust(gnutls_x509_trust_list_ r += ret; - #endif + # endif -+#ifdef DEFAULT_TRUST_STORE_DIR -+ ret = _gnutls_certificate_set_x509_system_trust_dir(cred); ++# ifdef DEFAULT_TRUST_STORE_DIR ++ ret = load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags, tl_vflags, GNUTLS_X509_FMT_PEM); + if (ret > 0) + r += ret; -+#endif ++# endif ++ return r; } - + #elif defined(_WIN32) +@@ -466,39 +510,6 @@ int add_system_trust(gnutls_x509_trust_l + return r; + } + #elif defined(ANDROID) || defined(__ANDROID__) +-# include <dirent.h> +-# include <unistd.h> +-static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list, +- unsigned int tl_flags, unsigned int tl_vflags, unsigned type) +-{ +-DIR * dirp; +-struct dirent *d; +-int ret; +-int r = 0; +-char path[GNUTLS_PATH_MAX]; +- +- dirp = opendir(dirname); +- if (dirp != NULL) +- { +- do +- { +- d = readdir(dirp); +- if (d != NULL && d->d_type == DT_REG) +- { +- snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name); +- +- ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags); +- if (ret >= 0) +- r += ret; +- } +- } +- while(d != NULL); +- closedir(dirp); +- } +- +- return r; +-} +- + static int 
load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type) + { + DIR * dirp;
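Review bot: in the lib/system.c hunk of gnutls-implement-trust-store-dir.diff, load_dir_certs only accepts directory entries with `d->d_type == DT_REG`. That skips symbolic links (DT_LNK) and every entry on filesystems that report DT_UNKNOWN, so with the default DEFAULT_TRUST_STORE_DIR of /etc/ssl/certs, a directory that commonly holds hashed symlinks to the CA files, the loop can load nothing while add_system_trust still returns a count of 0 instead of an error. Prefer a stat() on the assembled path and accept what it resolves to as a regular file, or at least admit DT_LNK and DT_UNKNOWN. Two further points: the version being replaced only loaded names ending in `.pem`, whereas this one passes every regular file to gnutls_x509_trust_list_add_trust_file as GNUTLS_X509_FMT_PEM and discards negative return codes, so stray non-PEM files are ignored without any trace; and the configure.ac hunk stores the directory with a trailing slash (`/etc/ssl/certs/`), which the `"%s/%s"` format turns into a double slash, harmless but worth normalising in the AC_ARG_WITH default.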
