diff options
Diffstat (limited to 'gnu/packages/patches/curl-support-capath-on-gnutls.patch')
| -rw-r--r-- | gnu/packages/patches/curl-support-capath-on-gnutls.patch | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/gnu/packages/patches/curl-support-capath-on-gnutls.patch b/gnu/packages/patches/curl-support-capath-on-gnutls.patch new file mode 100644 index 0000000000..d05dd021e8 --- /dev/null +++ b/gnu/packages/patches/curl-support-capath-on-gnutls.patch @@ -0,0 +1,102 @@ +This patch adds support for CURLOPT_CAPATH to the GnuTLS backend. + +From 5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 Mon Sep 17 00:00:00 2001 +From: Alessandro Ghedini <alessandro@ghedini.me> +Date: Sun, 8 Mar 2015 20:11:06 +0100 +Subject: [PATCH] gtls: add support for CURLOPT_CAPATH + +--- + acinclude.m4 | 4 ++-- + docs/libcurl/opts/CURLOPT_CAPATH.3 | 5 ++--- + lib/vtls/gtls.c | 22 ++++++++++++++++++++++ + lib/vtls/gtls.h | 3 +++ + 4 files changed, 29 insertions(+), 5 deletions(-) + +diff --git a/acinclude.m4 b/acinclude.m4 +index 6ed7ffb..ca01869 100644 +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), + capath="no" + elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then + dnl --with-ca-path given +- if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then +- AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL]) ++ if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then ++ AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL]) + fi + capath="$want_capath" + ca="no" +diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3 +index 642953d..6695f9f 100644 +--- a/docs/libcurl/opts/CURLOPT_CAPATH.3 ++++ b/docs/libcurl/opts/CURLOPT_CAPATH.3 +@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc. + .SH EXAMPLE + TODO + .SH AVAILABILITY +-This option is OpenSSL-specific and does nothing if libcurl is built to use +-GnuTLS. NSS-powered libcurl provides the option only for backward +-compatibility. ++This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS ++backend provides the option only for backward compatibility. + .SH RETURN VALUE + Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or + CURLE_OUT_OF_MEMORY if there was insufficient heap space. +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 05aef19..c792540 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -97,6 +97,10 @@ static bool gtls_inited = FALSE; + # if (GNUTLS_VERSION_NUMBER >= 0x03020d) + # define HAS_OCSP + # endif ++ ++# if (GNUTLS_VERSION_NUMBER >= 0x030306) ++# define HAS_CAPATH ++# endif + #endif + + #ifdef HAS_OCSP +@@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn, + rc, data->set.ssl.CAfile); + } + ++#ifdef HAS_CAPATH ++ if(data->set.ssl.CApath) { ++ /* set the trusted CA cert directory */ ++ rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred, ++ data->set.ssl.CApath, ++ GNUTLS_X509_FMT_PEM); ++ if(rc < 0) { ++ infof(data, "error reading ca cert file %s (%s)\n", ++ data->set.ssl.CAfile, gnutls_strerror(rc)); ++ if(data->set.ssl.verifypeer) ++ return CURLE_SSL_CACERT_BADFILE; ++ } ++ else ++ infof(data, "found %d certificates in %s\n", ++ rc, data->set.ssl.CApath); ++ } ++#endif ++ + if(data->set.ssl.CRLfile) { + /* set the CRL list file */ + rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, +diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h +index c3867e5..af1cb5b 100644 +--- a/lib/vtls/gtls.h ++++ b/lib/vtls/gtls.h +@@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void); + /* Set the API backend definition to GnuTLS */ + #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS + ++/* this backend supports the CAPATH option */ ++#define have_curlssl_ca_path 1 ++ + /* API setup for GnuTLS */ + #define curlssl_init Curl_gtls_init + #define curlssl_cleanup Curl_gtls_cleanup +-- +2.2.1 + |