Hello community,

here is the log from the commit of package gnutls for openSUSE:Factory checked 
in at 2012-05-25 17:33:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnutls (Old)
 and      /work/SRC/openSUSE:Factory/.gnutls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gnutls", Maintainer is "g...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/gnutls/gnutls.changes    2012-05-22 
10:11:30.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.gnutls.new/gnutls.changes       2012-05-25 
17:33:20.000000000 +0200
@@ -1,0 +2,6 @@
+Thu May 24 07:45:31 UTC 2012 - lnus...@suse.de
+
+- backport gnutls_certificate_set_x509_system_trust() from git and
+  add support for trust store directories (bnc#761634)
+
+-------------------------------------------------------------------

New:
----
  gnutls-implement-trust-store-dir.diff
  gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gnutls.spec ++++++
--- /var/tmp/diff_new_pack.dh5WfK/_old  2012-05-25 17:33:24.000000000 +0200
+++ /var/tmp/diff_new_pack.dh5WfK/_new  2012-05-25 17:33:24.000000000 +0200
@@ -29,6 +29,11 @@
 Url:            http://www.gnutls.org/
 Source0:        http://ftp.gnu.org/gnu/gnutls/%{name}-%{version}.tar.xz
 Source1:        baselibs.conf
+# upstream, will be officially available in some future gnutls
+# version and can be removed then -- lnussel
+Patch0:         gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff
+# suse specific, add support for certificate directories -- lnussel
+Patch1:         gnutls-implement-trust-store-dir.diff
 BuildRequires:  automake
 BuildRequires:  gcc-c++
 BuildRequires:  libidn-devel
@@ -119,14 +124,18 @@
 
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 echo %{_includedir}/%{name}/abstract.h
 
 %build
+autoreconf
 %configure \
         --disable-static \
         --with-pic \
         --disable-rpath \
         --disable-silent-rules \
+       --with-default-trust-store-dir=/etc/ssl/certs \
         --with-sysroot=/%{?_sysroot}
 make %{?_smp_mflags}
 


++++++ gnutls-implement-trust-store-dir.diff ++++++
>From 513244e20eb057b37edfe326c164935758772a0f Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nus...@suse.de>
Date: Tue, 8 May 2012 15:47:02 +0200
Subject: [PATCH gnutls] implement trust store dir

---
 configure.ac      |   18 ++++++++++++-
 lib/gnutls_x509.c |   72 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 1 deletions(-)

Index: gnutls-3.0.19/configure.ac
===================================================================
--- gnutls-3.0.19.orig/configure.ac
+++ gnutls-3.0.19/configure.ac
@@ -296,13 +296,23 @@ AC_ARG_WITH([default-trust-store-file],
   [AS_HELP_STRING([--with-default-trust-store-file=FILE],
     [use the given file default trust store])])
 
-if test "x$with_default_trust_store_pkcs11" = x -a 
"x$with_default_trust_store_file" = x; then
+AC_ARG_WITH([default-trust-store-dir],
+  [AS_HELP_STRING([--with-default-trust-store-dir=DIR],
+     [use the given directory default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" = x -a 
"x$with_default_trust_store_file" = x \
+        -a "x$with_default_trust_store_dir" = x; then
   # auto detect 
http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
   for i in \
+    /etc/ssl/certs \
     /etc/ssl/certs/ca-certificates.crt \
     /etc/pki/tls/cert.pem \
     /usr/local/share/certs/ca-root-nss.crt
     do
+    if test -d $i; then
+      with_default_trust_store_dir="$i"
+      break
+    fi
     if test -e $i; then
       with_default_trust_store_file="$i"
       break
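Review bot: The auto-detect loop tests `/etc/ssl/certs` with `-d` before any of the bundle files, so on a host that has both the directory and `/etc/ssl/certs/ca-certificates.crt` only the directory is recorded and the bundle is never consulted; since the directory scanner in the lib/gnutls_x509.c hunk below only loads names ending in `.pem`, a directory populated with hashed symlinks or differently-suffixed files would presumably leave the auto-detected default trust store empty — worth confirming on the target layouts. One option is to list the bundle files first and keep `/etc/ssl/certs` as the last fallback, or to record both a dir and a file so the two stores complement each other rather than exclude one another. The help string `use the given directory default trust store` reads better as `use the given directory as default trust store`.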
@@ -315,6 +325,11 @@ if test "x$with_default_trust_store_file
     ["$with_default_trust_store_file"], [use the given file default trust 
store])
 fi
 
+if test "x$with_default_trust_store_dir" != x; then
+  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR],
+    ["$with_default_trust_store_dir"], [use the given directory default trust 
store])
+fi
+
 dnl Guile bindings.
 opt_guile_bindings=yes
 AC_MSG_CHECKING([whether building Guile bindings])
@@ -550,6 +565,7 @@ if features are disabled)
   Anon auth support:$ac_enable_anon
   Trust store pkcs: $with_default_trust_store_pkcs11
   Trust store file: $with_default_trust_store_file
+  Trust store dir:  $with_default_trust_store_dir
 ])
 
 AC_MSG_NOTICE([Optional applications:
Index: gnutls-3.0.19/lib/gnutls_x509.c
===================================================================
--- gnutls-3.0.19.orig/lib/gnutls_x509.c
+++ gnutls-3.0.19/lib/gnutls_x509.c
@@ -36,6 +36,7 @@
 #include <gnutls_pk.h>
 #include <gnutls_str.h>
 #include <debug.h>
+#include <dirent.h>
 #include <x509_b64.h>
 #include <gnutls_x509.h>
 #include "x509/common.h"
@@ -1618,6 +1619,72 @@ _gnutls_certificate_set_x509_system_trus
 }
 #endif
 
+#ifdef DEFAULT_TRUST_STORE_DIR
+static int
+_gnutls_certificate_set_x509_system_trust_dir 
(gnutls_certificate_credentials_t cred)
+{
+  DIR* dir;
+  struct dirent* buf, *de;
+  int ret, r = 0;
+  gnutls_datum_t cas;
+  size_t size;
+  char cafile[PATH_MAX];
+
+  dir = opendir(DEFAULT_TRUST_STORE_DIR);
+  if (dir == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_FILE_ERROR;
+    }
+
+  buf = alloca(offsetof(struct dirent, d_name) + 
pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX) + 1);
+
+  while (1)
+    {
+      if (readdir_r(dir, buf, &de))
+       {
+         gnutls_assert();
+         break;
+       }
+      if (de == NULL)
+       {
+         break;
+       }
+      if (strlen(de->d_name) < 4 || strcmp(de->d_name+strlen(de->d_name)-4, 
".pem"))
+       {
+         continue;
+       }
+
+      strcpy(cafile, DEFAULT_TRUST_STORE_DIR "/");
+      strncat(cafile, de->d_name, sizeof(cafile)-strlen(cafile)-1);
+      cas.data = (void*)read_binary_file (cafile, &size);
+      if (cas.data == NULL)
+       {
+         gnutls_assert ();
+         continue;
+       }
+
+      cas.size = size;
+
+      ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, 
GNUTLS_X509_FMT_PEM);
+
+      free (cas.data);
+
+      if (ret < 0)
+       {
+         gnutls_assert ();
+       }
+      else
+       {
+         r += ret;
+       }
+    }
+  closedir(dir);
+
+  return r;
+}
+#endif
+
 /**
  * gnutls_certificate_set_x509_system_trust:
  * @cred: is a #gnutls_certificate_credentials_t structure.
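Review bot: The `readdir_r` buffer at `buf = alloca(offsetof(struct dirent, d_name) + pathconf(DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX) + 1);` is undersized when `pathconf()` returns -1 (error, or no limit), which leaves no room for the name and lets `readdir_r` write past the allocation; the result needs to be checked and replaced by `NAME_MAX` before it is used, and sizing an `alloca()` from a runtime call is best avoided altogether. The path is assembled with `strcpy`/`strncat`, which silently truncates overlong names so a truncated path may be opened instead of the intended file; `snprintf` with a truncation check is clearer. Every per-file failure is folded into `continue`, so a directory whose files are all unreadable returns 0 exactly like an empty one, which the caller cannot distinguish; a comment stating that this is intended would help. `readdir_r` is deprecated in newer glibc in favour of `readdir`, and `PATH_MAX`/`NAME_MAX` come from `<limits.h>`, which is not among the visible includes — confirm it is already pulled in.
```c
  /* pathconf() returns -1 both on error and when there is no limit;
     fall back to NAME_MAX rather than sizing the buffer from -1. */
  long name_max = pathconf (DEFAULT_TRUST_STORE_DIR, _PC_NAME_MAX);
  if (name_max < 0)
    name_max = NAME_MAX;
  buf = alloca (offsetof (struct dirent, d_name) + (size_t) name_max + 1);
  /* … unchanged: readdir_r loop and ".pem" suffix filter … */
      if (snprintf (cafile, sizeof (cafile), "%s/%s",
                    DEFAULT_TRUST_STORE_DIR, de->d_name) >= (int) sizeof (cafile))
        {
          gnutls_assert ();   /* name does not fit PATH_MAX; skip rather than read a truncated path */
          continue;
        }
  /* … unchanged: read_binary_file, gnutls_certificate_set_x509_trust_mem, count … */
```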
@@ -1640,6 +1707,11 @@ gnutls_certificate_set_x509_system_trust
   if (ret > 0)
     r += ret;
 #endif
+#ifdef DEFAULT_TRUST_STORE_DIR
+  ret = _gnutls_certificate_set_x509_system_trust_dir(cred);
+  if (ret > 0)
+    r += ret;
+#endif
   return r;
 }
 
++++++ gnutls-introduce-gnutls_certificate_set_x509_system_trust.diff ++++++
>From d5633875724fe383adb4e994fc72bd7c64acb197 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nus...@suse.de>
Date: Tue, 8 May 2012 16:28:25 +0200
Subject: [PATCH gnutls] introduce gnutls_certificate_set_x509_system_trust

gnutls_certificate_set_x509_system_trust() imports the trusted root CA's
from a compile time defined location. That way applications don't
need to know.

Signed-off-by: Nikos Mavrogiannopoulos <n...@gnutls.org>
---
 configure.ac                    |   37 ++++++++++++++++++++++++++
 doc/Makefile.am                 |    1 +
 doc/manpages/Makefile.am        |    1 +
 lib/gnutls_x509.c               |   55 +++++++++++++++++++++++++++++++++++++++
 lib/includes/gnutls/gnutls.h.in |    3 ++
 lib/libgnutls.map               |    5 +++
 src/cli.c                       |   29 +++++++++-----------
 7 files changed, 115 insertions(+), 16 deletions(-)

Index: gnutls-3.0.19/configure.ac
===================================================================
--- gnutls-3.0.19.orig/configure.ac
+++ gnutls-3.0.19/configure.ac
@@ -280,6 +280,41 @@ AC_PROG_LN_S
 AC_LIBTOOL_WIN32_DLL
 AC_PROG_LIBTOOL
 
+AC_ARG_WITH([default-trust-store-pkcs11],
+  [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
+    [use the given pkcs11 uri as default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" != x; then
+  if test "x$with_p11_kit" = xno; then
+    AC_MSG_ERROR([cannot use pkcs11 store without p11-kit])
+  fi
+  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_PKCS11],
+    ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default 
trust store])
+fi
+
+AC_ARG_WITH([default-trust-store-file],
+  [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+    [use the given file default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" = x -a 
"x$with_default_trust_store_file" = x; then
+  # auto detect 
http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
+  for i in \
+    /etc/ssl/certs/ca-certificates.crt \
+    /etc/pki/tls/cert.pem \
+    /usr/local/share/certs/ca-root-nss.crt
+    do
+    if test -e $i; then
+      with_default_trust_store_file="$i"
+      break
+    fi
+  done
+fi
+
+if test "x$with_default_trust_store_file" != x; then
+  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE],
+    ["$with_default_trust_store_file"], [use the given file default trust 
store])
+fi
+
 dnl Guile bindings.
 opt_guile_bindings=yes
 AC_MSG_CHECKING([whether building Guile bindings])
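Review bot: The guard `if test "x$with_p11_kit" = xno` only rejects an explicit `--without-p11-kit`; if p11-kit is simply not found (how `with_p11_kit` is set is outside this hunk), `DEFAULT_TRUST_STORE_PKCS11` is still defined while the `ENABLE_PKCS11` branch in gnutls_x509.c is compiled out, so the requested pkcs11 store is silently ignored. Checking the same condition that drives `ENABLE_PKCS11` would presumably make this a configure-time error, e.g. `if test "x$with_p11_kit" != xyes; then AC_MSG_ERROR([cannot use pkcs11 store without p11-kit]); fi`. The help strings `use the given file default trust store` read better as `use the given file as default trust store`.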
@@ -513,6 +548,8 @@ if features are disabled)
   SRP support:      $ac_enable_srp
   PSK support:      $ac_enable_psk
   Anon auth support:$ac_enable_anon
+  Trust store pkcs: $with_default_trust_store_pkcs11
+  Trust store file: $with_default_trust_store_file
 ])
 
 AC_MSG_NOTICE([Optional applications:
Index: gnutls-3.0.19/doc/Makefile.am
===================================================================
--- gnutls-3.0.19.orig/doc/Makefile.am
+++ gnutls-3.0.19/doc/Makefile.am
@@ -717,6 +717,7 @@ FUNCS += functions/gnutls_certificate_fr
 FUNCS += functions/gnutls_certificate_set_dh_params
 FUNCS += functions/gnutls_certificate_set_verify_flags
 FUNCS += functions/gnutls_certificate_set_verify_limits
+FUNCS += functions/gnutls_certificate_set_x509_system_trust
 FUNCS += functions/gnutls_certificate_set_x509_trust_file
 FUNCS += functions/gnutls_certificate_set_x509_trust_mem
 FUNCS += functions/gnutls_certificate_set_x509_crl_file
Index: gnutls-3.0.19/doc/manpages/Makefile.am
===================================================================
--- gnutls-3.0.19.orig/doc/manpages/Makefile.am
+++ gnutls-3.0.19/doc/manpages/Makefile.am
@@ -314,6 +314,7 @@ APIMANS += gnutls_certificate_free_crls.
 APIMANS += gnutls_certificate_set_dh_params.3
 APIMANS += gnutls_certificate_set_verify_flags.3
 APIMANS += gnutls_certificate_set_verify_limits.3
+APIMANS += gnutls_certificate_set_x509_system_trust.3
 APIMANS += gnutls_certificate_set_x509_trust_file.3
 APIMANS += gnutls_certificate_set_x509_trust_mem.3
 APIMANS += gnutls_certificate_set_x509_crl_file.3
Index: gnutls-3.0.19/lib/gnutls_x509.c
===================================================================
--- gnutls-3.0.19.orig/lib/gnutls_x509.c
+++ gnutls-3.0.19/lib/gnutls_x509.c
@@ -1588,6 +1588,61 @@ gnutls_certificate_set_x509_trust_file (
   return ret;
 }
 
+#ifdef DEFAULT_TRUST_STORE_FILE
+static int
+_gnutls_certificate_set_x509_system_trust_file 
(gnutls_certificate_credentials_t cred)
+{
+  int ret;
+  gnutls_datum_t cas;
+  size_t size;
+
+  cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size);
+  if (cas.data == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_FILE_ERROR;
+    }
+
+  cas.size = size;
+
+  ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
+
+  free (cas.data);
+
+  if (ret < 0)
+    {
+      gnutls_assert ();
+    }
+
+  return ret;
+}
+#endif
+
+/**
+ * gnutls_certificate_set_x509_system_trust:
+ * @cred: is a #gnutls_certificate_credentials_t structure.
+ *
+ * This function adds the system's default trusted CAs in order to
+ * verify client or server certificates.
+ *
+ **/
+int
+gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t 
cred)
+{
+  int ret, r = 0;
+#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
+  ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
+  if (ret > 0)
+    r += ret;
+#endif
+#ifdef DEFAULT_TRUST_STORE_FILE
+  ret = _gnutls_certificate_set_x509_system_trust_file(cred);
+  if (ret > 0)
+    r += ret;
+#endif
+  return r;
+}
+
 static int
 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist, 
                    const char * input_crl, unsigned int input_crl_size)
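Review bot: `gnutls_certificate_set_x509_system_trust` drops every failure: both the pkcs11 and the file branch only do `if (ret > 0) r += ret;`, so an unreadable `DEFAULT_TRUST_STORE_FILE` (where `_gnutls_certificate_set_x509_system_trust_file` returns `GNUTLS_E_FILE_ERROR`) yields 0 and a caller cannot tell a missing or unreadable system store from an empty one. Suggest initialising `ret` (`int ret = 0, r = 0;`, since it is otherwise unused and uninitialised when neither define is set) and returning the last error when nothing was loaded, e.g. after the `#ifdef` blocks `if (r == 0 && ret < 0) return ret;`. The doc comment should also state the contract, e.g. `Returns: the number of certificates processed, or a negative error code.` The `cas.size = size;` assignment in the file helper narrows a `size_t` into the datum's unsigned size, harmless for a CA bundle but worth a one-line comment.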
Index: gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in
===================================================================
--- gnutls-3.0.19.orig/lib/includes/gnutls/gnutls.h.in
+++ gnutls-3.0.19/lib/includes/gnutls/gnutls.h.in
@@ -1100,6 +1100,9 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(
                                              unsigned int max_depth);
 
   int
+    gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t 
cred);
+
+  int
     gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t
                                             cred, const char *cafile,
                                             gnutls_x509_crt_fmt_t type);
Index: gnutls-3.0.19/lib/libgnutls.map
===================================================================
--- gnutls-3.0.19.orig/lib/libgnutls.map
+++ gnutls-3.0.19/lib/libgnutls.map
@@ -788,6 +788,11 @@ GNUTLS_3_0_0 {
        gnutls_session_get_random;
 } GNUTLS_2_12;
 
+GNUTLS_3_0_0_SUSE {
+  global:
+       gnutls_certificate_set_x509_system_trust;
+} GNUTLS_3_0_0;
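Review bot: The new symbol is exported under a distribution-private version node `GNUTLS_3_0_0_SUSE` rather than a node upstream will ship, so every binary built against this package records a dependency on `gnutls_certificate_set_x509_system_trust@GNUTLS_3_0_0_SUSE`; once the spec's stated plan of dropping the patch when upstream provides the function is carried out, those binaries will presumably fail to load unless the node is kept or aliased. Worth a comment next to the node recording that constraint, e.g. `# SUSE-only node; keep (or alias) until every consumer has been rebuilt`.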
+
 GNUTLS_PRIVATE {
   global:
     # Internal symbols needed by libgnutls-extra:
Index: gnutls-3.0.19/src/cli.c
===================================================================
--- gnutls-3.0.19.orig/src/cli.c
+++ gnutls-3.0.19/src/cli.c
@@ -479,9 +479,6 @@ cert_verify_callback (gnutls_session_t s
   int ssh = ENABLED_OPT(TOFU);
   const char* txt_service;
 
-  if (!x509_cafile && !pgp_keyring)
-    return 0;
-    
   rc = cert_verify(session, hostname);
   if (rc == 0)
     {
@@ -1184,11 +1181,6 @@ const char* rest = NULL;
   
   if (HAVE_OPT(X509CAFILE))
     x509_cafile = OPT_ARG(X509CAFILE);
-  else
-    {
-      if (access(DEFAULT_CA_FILE, R_OK) == 0)
-        x509_cafile = DEFAULT_CA_FILE;
-    }
   
   if (HAVE_OPT(X509CRLFILE))
     x509_crlfile = OPT_ARG(X509CRLFILE);
@@ -1419,15 +1411,20 @@ init_global_tls_stuff (void)
     {
       ret = gnutls_certificate_set_x509_trust_file (xcred,
                                                     x509_cafile, x509ctype);
-      if (ret < 0)
-        {
-          fprintf (stderr, "Error setting the x509 trust file\n");
-        }
-      else
-        {
-          printf ("Processed %d CA certificate(s).\n", ret);
-        }
     }
+  else
+    {
+      ret = gnutls_certificate_set_x509_system_trust (xcred);
+    }
+  if (ret < 0)
+    {
+      fprintf (stderr, "Error setting the x509 trust file\n");
+    }
+  else
+    {
+      printf ("Processed %d CA certificate(s).\n", ret);
+    }
+
   if (x509_crlfile != NULL)
     {
       ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile,
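Review bot: In `init_global_tls_stuff` (which starts and ends outside this hunk) the text `Error setting the x509 trust file` is now also printed for the `gnutls_certificate_set_x509_system_trust` branch, where no file was named by the user, and since that function only returns counts — 0 when its default store could not be read, per the lib/gnutls_x509.c hunk above — the common failure mode is a quiet `Processed 0 CA certificate(s).` followed by a verification failure that is presumably never explained. Suggest warning explicitly in the else branch, `if (ret == 0) fprintf (stderr, "Warning: no system CA certificates were loaded\n");`, and making the error text neutral, e.g. `"Error setting the x509 trust store\n"`. Whether `ret` is initialised before the `if (x509_cafile != NULL)` is not visible here.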
-- 