On Sun, Mar 08, 2015 at 08:38:10PM +0100, Alessandro Ghedini wrote: > Hello, > > newer GnuTLS versions (>= 3.3.6) make it possible to use a directory instead > of > a certificate bundle like OpenSSL, so let's do it! > > There is a problem with the "have_curlssl_ca_path" define though, since in the > case of GnuTLS it should be defined only with newer GnuTLS versions, but it's > not possible to do it from gtls.h, so how to solve this? Should I convert that > define to "bool Curl_XXX_ca_path(void)" functions? > > Anyway, see attached patch (which defines have_curlssl_ca_path > unconditionally).
*Now* see the attached patch (this time for real!) -.-" Cheers
From a2ab3a0a44b74f81551bb7504b3ca1a080bf0a1a Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini <[email protected]> Date: Sun, 8 Mar 2015 20:11:06 +0100 Subject: [PATCH] gtls: add support for CURLOPT_CAPATH --- acinclude.m4 | 4 ++-- docs/libcurl/opts/CURLOPT_CAPATH.3 | 5 ++--- lib/vtls/gtls.c | 22 ++++++++++++++++++++++ lib/vtls/gtls.h | 3 +++ 4 files changed, 29 insertions(+), 5 deletions(-) diff --git a/acinclude.m4 b/acinclude.m4 index 6ed7ffb..ca01869 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), capath="no" elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then dnl --with-ca-path given - if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then - AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL]) + if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then + AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL]) fi capath="$want_capath" ca="no" diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3 index 642953d..6695f9f 100644 --- a/docs/libcurl/opts/CURLOPT_CAPATH.3 +++ b/docs/libcurl/opts/CURLOPT_CAPATH.3 @@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc. .SH EXAMPLE TODO .SH AVAILABILITY -This option is OpenSSL-specific and does nothing if libcurl is built to use -GnuTLS. NSS-powered libcurl provides the option only for backward -compatibility. +This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS +backend provides the option only for backward compatibility. .SH RETURN VALUE Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or CURLE_OUT_OF_MEMORY if there was insufficient heap space. diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 05aef19..c792540 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -97,6 +97,10 @@ static bool gtls_inited = FALSE; # if (GNUTLS_VERSION_NUMBER >= 0x03020d) # define HAS_OCSP # endif + +# if (GNUTLS_VERSION_NUMBER >= 0x030306) +# define HAS_CAPATH +# endif #endif #ifdef HAS_OCSP @@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn, rc, data->set.ssl.CAfile); } +#ifdef HAS_CAPATH + if(data->set.ssl.CApath) { + /* set the trusted CA cert directory */ + rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred, + data->set.ssl.CApath, + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + infof(data, "error reading ca cert file %s (%s)\n", + data->set.ssl.CAfile, gnutls_strerror(rc)); + if(data->set.ssl.verifypeer) + return CURLE_SSL_CACERT_BADFILE; + } + else + infof(data, "found %d certificates in %s\n", + rc, data->set.ssl.CApath); + } +#endif + if(data->set.ssl.CRLfile) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h index c3867e5..af1cb5b 100644 --- a/lib/vtls/gtls.h +++ b/lib/vtls/gtls.h @@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void); /* Set the API backend definition to GnuTLS */ #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS +/* this backend supports the CAPATH option */ +#define have_curlssl_ca_path 1 + /* API setup for GnuTLS */ #define curlssl_init Curl_gtls_init #define curlssl_cleanup Curl_gtls_cleanup -- 2.1.4
signature.asc
Description: Digital signature
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
