
[SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-50-gd563387


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-50-gd563387
Date: Wed, 09 May 2012 14:28:14 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=d5633875724fe383adb4e994fc72bd7c64acb197

The branch, master has been updated
       via  d5633875724fe383adb4e994fc72bd7c64acb197 (commit)
       via  30ad4976249aa9e402eb27081ade06928f3066f0 (commit)
      from  69bd80373777e841090de2d7c4090090f20d2667 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d5633875724fe383adb4e994fc72bd7c64acb197
Author: Ludwig Nussel <address@hidden>
Date:   Tue May 8 16:28:25 2012 +0200

    introduce gnutls_certificate_set_x509_system_trust
    
    gnutls_certificate_set_x509_system_trust() imports the trusted root CAs
    from a compile-time-defined location, so that applications do not need
    to know that location.
    
    Signed-off-by: Nikos Mavrogiannopoulos <address@hidden>

commit 30ad4976249aa9e402eb27081ade06928f3066f0
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed May 9 08:17:18 2012 +0200

    This patch fixes the following kind of issue with automake 1.12
    
    | automake: warnings are treated as errors
    | /.../automake-1.12/am/ltlibrary.am: warning: 'libgnutls.la': linking 
libtool libraries using a non-POSIX
    | /.../automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 
'configure.ac'
    
    Patch by: Nitin A Kamble <address@hidden>

-----------------------------------------------------------------------

Summary of changes:
 configure.ac                    |   42 +++++++++++++++++++++++++++++
 doc/Makefile.am                 |    1 +
 doc/manpages/Makefile.am        |    1 +
 lib/gnutls_x509.c               |   55 +++++++++++++++++++++++++++++++++++++++
 lib/includes/gnutls/gnutls.h.in |    3 ++
 lib/libgnutls.map               |    5 +++
 src/cli.c                       |   29 +++++++++-----------
 7 files changed, 120 insertions(+), 16 deletions(-)

diff --git a/configure.ac b/configure.ac
index 1bca7e9..507bdbe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,6 +36,11 @@ AC_MSG_RESULT([***
 dnl Checks for programs.
 AC_PROG_CC
 AM_PROG_AS
+
+# automake 1.12 seems to require this, but automake 1.11 doesn't recognize it
+m4_pattern_allow([AM_PROG_AR])
+AM_PROG_AR
+
 AC_PROG_CXX
 gl_EARLY
 
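Review bot: `m4_pattern_allow([AM_PROG_AR])` only silences autoconf's undefined-macro check; on automake 1.11, where the macro is not defined, the literal text `AM_PROG_AR` is copied into the generated configure script and executed as a shell command, which prints a `command not found` error at configure time. The usual idiom expands the macro only when it exists: `m4_ifdef([AM_PROG_AR], [AM_PROG_AR])`, which replaces both added lines and needs no pattern allowance.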
@@ -280,6 +285,41 @@ AC_PROG_LN_S
 AC_LIBTOOL_WIN32_DLL
 AC_PROG_LIBTOOL
 
+AC_ARG_WITH([default-trust-store-pkcs11],
+  [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
+    [use the given pkcs11 uri as default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" != x; then
+  if test "x$with_p11_kit" = xno; then
+    AC_MSG_ERROR([cannot use pkcs11 store without p11-kit])
+  fi
+  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_PKCS11],
+    ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default 
trust store])
+fi
+
+AC_ARG_WITH([default-trust-store-file],
+  [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+    [use the given file default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" = x -a 
"x$with_default_trust_store_file" = x; then
+  # auto detect 
http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
+  for i in \
+    /etc/ssl/certs/ca-certificates.crt \
+    /etc/pki/tls/cert.pem \
+    /usr/local/share/certs/ca-root-nss.crt
+    do
+    if test -e $i; then
+      with_default_trust_store_file="$i"
+      break
+    fi
+  done
+fi
+
+if test "x$with_default_trust_store_file" != x; then
+  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE],
+    ["$with_default_trust_store_file"], [use the given file default trust 
store])
+fi
+
 dnl Guile bindings.
 opt_guile_bindings=yes
 AC_MSG_CHECKING([whether building Guile bindings])
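Review bot: The auto-detection loop at the `for i in` line probes the build host, so when cross-compiling the path baked into DEFAULT_TRUST_STORE_FILE describes the build machine rather than the target; consider skipping the probe when `$cross_compiling` is `yes` and requiring an explicit `--with-default-trust-store-file` in that case. The p11-kit guard only rejects an explicit `--without-p11-kit`; if p11-kit is auto-detected and absent, `with_p11_kit` presumably is not `no` and the PKCS#11 URI would be accepted silently, so testing the detected result rather than the requested option would be safer. Two smaller points: `test ... -a ...` is marked obsolescent by POSIX, so `if test "x$with_default_trust_store_pkcs11" = x && test "x$with_default_trust_store_file" = x; then` is the portable form, and the help string `[use the given file default trust store]` reads better as `[use the given file as default trust store]`.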
@@ -513,6 +553,8 @@ if features are disabled)
   SRP support:      $ac_enable_srp
   PSK support:      $ac_enable_psk
   Anon auth support:$ac_enable_anon
+  Trust store pkcs: $with_default_trust_store_pkcs11
+  Trust store file: $with_default_trust_store_file
 ])
 
 AC_MSG_NOTICE([Optional applications:
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 7928971..f92cd0d 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -717,6 +717,7 @@ FUNCS += functions/gnutls_certificate_free_crls
 FUNCS += functions/gnutls_certificate_set_dh_params
 FUNCS += functions/gnutls_certificate_set_verify_flags
 FUNCS += functions/gnutls_certificate_set_verify_limits
+FUNCS += functions/gnutls_certificate_set_x509_system_trust
 FUNCS += functions/gnutls_certificate_set_x509_trust_file
 FUNCS += functions/gnutls_certificate_set_x509_trust_mem
 FUNCS += functions/gnutls_certificate_set_x509_crl_file
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 0886d25..04f0eae 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -314,6 +314,7 @@ APIMANS += gnutls_certificate_free_crls.3
 APIMANS += gnutls_certificate_set_dh_params.3
 APIMANS += gnutls_certificate_set_verify_flags.3
 APIMANS += gnutls_certificate_set_verify_limits.3
+APIMANS += gnutls_certificate_set_x509_system_trust.3
 APIMANS += gnutls_certificate_set_x509_trust_file.3
 APIMANS += gnutls_certificate_set_x509_trust_mem.3
 APIMANS += gnutls_certificate_set_x509_crl_file.3
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 3275395..2b28edd 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -1588,6 +1588,61 @@ gnutls_certificate_set_x509_trust_file 
(gnutls_certificate_credentials_t cred,
   return ret;
 }
 
+#ifdef DEFAULT_TRUST_STORE_FILE
+static int
+_gnutls_certificate_set_x509_system_trust_file 
(gnutls_certificate_credentials_t cred)
+{
+  int ret;
+  gnutls_datum_t cas;
+  size_t size;
+
+  cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size);
+  if (cas.data == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_FILE_ERROR;
+    }
+
+  cas.size = size;
+
+  ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
+
+  free (cas.data);
+
+  if (ret < 0)
+    {
+      gnutls_assert ();
+    }
+
+  return ret;
+}
+#endif
+
+/**
+ * gnutls_certificate_set_x509_system_trust:
+ * @cred: is a #gnutls_certificate_credentials_t structure.
+ *
+ * This function adds the system's default trusted CAs in order to
+ * verify client or server certificates.
+ *
+ **/
+int
+gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t 
cred)
+{
+  int ret, r = 0;
+#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
+  ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
+  if (ret > 0)
+    r += ret;
+#endif
+#ifdef DEFAULT_TRUST_STORE_FILE
+  ret = _gnutls_certificate_set_x509_system_trust_file(cred);
+  if (ret > 0)
+    r += ret;
+#endif
+  return r;
+}
+
 static int
 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist, 
                    const char * input_crl, unsigned int input_crl_size)
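Review bot: `gnutls_certificate_set_x509_system_trust` (starting at `int ret, r = 0;`) discards every negative return from `read_cas_url` and `_gnutls_certificate_set_x509_system_trust_file`, and returns 0 both when a configured store failed to load and when no default store was compiled in, so a caller cannot distinguish a missing or unreadable trust store from an empty one; when neither macro is defined, `ret` is also declared but never assigned. I would propagate the last error when nothing was loaded and return `GNUTLS_E_UNIMPLEMENTED_FEATURE` when no default store is compiled in, as sketched below. The gtk-doc comment also lacks a `Returns:` paragraph; add `Returns: the number of certificates processed, or a negative error code on error.` and a `Since:` line naming the release this ships in.
```c
/* … unchanged: _gnutls_certificate_set_x509_system_trust_file … */

int
gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
{
  int ret = 0, r = 0;
  int err = 0;  /* last negative return seen, reported only if nothing loaded */
#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
  ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
  if (ret > 0)
    r += ret;
  else if (ret < 0)
    err = ret;
#endif
#ifdef DEFAULT_TRUST_STORE_FILE
  ret = _gnutls_certificate_set_x509_system_trust_file (cred);
  if (ret > 0)
    r += ret;
  else if (ret < 0)
    err = ret;
#endif
#if !defined(DEFAULT_TRUST_STORE_FILE) && \
    !(defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11))
  return GNUTLS_E_UNIMPLEMENTED_FEATURE;  /* no default trust store compiled in */
#endif
  if (r == 0 && err < 0)
    return err;
  return r;
}
```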
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 035f638..e9d92fd 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1100,6 +1100,9 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t 
session);
                                              unsigned int max_depth);
 
   int
+    gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t 
cred);
+
+  int
     gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t
                                             cred, const char *cafile,
                                             gnutls_x509_crt_fmt_t type);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 3193848..1a913dd 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -788,6 +788,11 @@ GNUTLS_3_0_0 {
        gnutls_session_get_random;
 } GNUTLS_2_12;
 
+GNUTLS_3_0_1 {
+  global:
+       gnutls_certificate_set_x509_system_trust;
+} GNUTLS_3_0_0;
+
 GNUTLS_PRIVATE {
   global:
     # Internal symbols needed by libgnutls-extra:
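Review bot: The new version node is named `GNUTLS_3_0_1` while the branch this lands on is tagged `gnutls_3_0_18-50` (see the subject line), so the node name does not appear to match the release that first exports `gnutls_certificate_set_x509_system_trust`; if the convention is to name nodes after that release, symbol-version checks downstream would report the symbol as older than it is. Confirm the intended node name before this ships, since a version node cannot be renamed compatibly once a release has exported it.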
diff --git a/src/cli.c b/src/cli.c
index 1cdc1df..cea0992 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -479,9 +479,6 @@ cert_verify_callback (gnutls_session_t session)
   int ssh = ENABLED_OPT(TOFU);
   const char* txt_service;
 
-  if (!x509_cafile && !pgp_keyring)
-    return 0;
-    
   rc = cert_verify(session, hostname);
   if (rc == 0)
     {
@@ -1184,11 +1181,6 @@ const char* rest = NULL;
   
   if (HAVE_OPT(X509CAFILE))
     x509_cafile = OPT_ARG(X509CAFILE);
-  else
-    {
-      if (access(DEFAULT_CA_FILE, R_OK) == 0)
-        x509_cafile = DEFAULT_CA_FILE;
-    }
   
   if (HAVE_OPT(X509CRLFILE))
     x509_crlfile = OPT_ARG(X509CRLFILE);
@@ -1419,15 +1411,20 @@ init_global_tls_stuff (void)
     {
       ret = gnutls_certificate_set_x509_trust_file (xcred,
                                                     x509_cafile, x509ctype);
-      if (ret < 0)
-        {
-          fprintf (stderr, "Error setting the x509 trust file\n");
-        }
-      else
-        {
-          printf ("Processed %d CA certificate(s).\n", ret);
-        }
     }
+  else
+    {
+      ret = gnutls_certificate_set_x509_system_trust (xcred);
+    }
+  if (ret < 0)
+    {
+      fprintf (stderr, "Error setting the x509 trust file\n");
+    }
+  else
+    {
+      printf ("Processed %d CA certificate(s).\n", ret);
+    }
+
   if (x509_crlfile != NULL)
     {
       ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile,
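Review bot: With the added `else` branch routing through `gnutls_certificate_set_x509_system_trust`, the now-shared `if (ret < 0)` block reports every failure as `Error setting the x509 trust file`, which is misleading when the failure comes from the PKCS#11 default store, and a return of 0 (no default store compiled in, or an empty one) prints `Processed 0 CA certificate(s).` and carries on; together with the early return removed in the first hunk of this file, peer certificates would then presumably be verified against an empty trust list and rejected with no message pointing at the cause. I would generalize the message to `fprintf (stderr, "Error setting the x509 trust store\n");` and add `else if (ret == 0) fprintf (stderr, "Warning: no CA certificates loaded; certificate verification will likely fail\n");` ahead of the success `printf`. init_global_tls_stuff starts before this hunk, and the `if` whose `else` is added is outside the visible lines, so whether `ret` is assigned on every path could not be confirmed here.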


hooks/post-receive
-- 
GNU gnutls


