unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
blob 0094a1b525d79c661503a90c98148d5fcf762a8e 3755 bytes (raw)
name: gnu/packages/patches/curl-enable_capath.patch 	 # note: path name is non-authoritative(*)

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
 
Following patch allows to use --with-ca-path for curl built against GnuTLS.


From 5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 Mon Sep 17 00:00:00 2001
From: Alessandro Ghedini <alessandro@ghedini.me>
Date: Sun, 8 Mar 2015 20:11:06 +0100
Subject: [PATCH] gtls: add support for CURLOPT_CAPATH

---
 acinclude.m4                       |  4 ++--
 docs/libcurl/opts/CURLOPT_CAPATH.3 |  5 ++---
 lib/vtls/gtls.c                    | 22 ++++++++++++++++++++++
 lib/vtls/gtls.h                    |  3 +++
 4 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/acinclude.m4 b/acinclude.m4
index 6ed7ffb..ca01869 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
     capath="no"
   elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
     dnl --with-ca-path given
-    if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
-      AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL])
+    if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
+      AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL])
     fi
     capath="$want_capath"
     ca="no"
diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3
index 642953d..6695f9f 100644
--- a/docs/libcurl/opts/CURLOPT_CAPATH.3
+++ b/docs/libcurl/opts/CURLOPT_CAPATH.3
@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
 .SH EXAMPLE
 TODO
 .SH AVAILABILITY
-This option is OpenSSL-specific and does nothing if libcurl is built to use
-GnuTLS. NSS-powered libcurl provides the option only for backward
-compatibility.
+This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS
+backend provides the option only for backward compatibility.
 .SH RETURN VALUE
 Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or
 CURLE_OUT_OF_MEMORY if there was insufficient heap space.
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 05aef19..c792540 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -97,6 +97,10 @@ static bool gtls_inited = FALSE;
 #  if (GNUTLS_VERSION_NUMBER >= 0x03020d)
 #    define HAS_OCSP
 #  endif
+
+#  if (GNUTLS_VERSION_NUMBER >= 0x030306)
+#    define HAS_CAPATH
+#  endif
 #endif
 
 #ifdef HAS_OCSP
@@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn,
             rc, data->set.ssl.CAfile);
   }
 
+#ifdef HAS_CAPATH
+  if(data->set.ssl.CApath) {
+    /* set the trusted CA cert directory */
+    rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
+                                                data->set.ssl.CApath,
+                                                GNUTLS_X509_FMT_PEM);
+    if(rc < 0) {
+      infof(data, "error reading ca cert file %s (%s)\n",
+            data->set.ssl.CAfile, gnutls_strerror(rc));
+      if(data->set.ssl.verifypeer)
+        return CURLE_SSL_CACERT_BADFILE;
+    }
+    else
+      infof(data, "found %d certificates in %s\n",
+            rc, data->set.ssl.CApath);
+  }
+#endif
+
   if(data->set.ssl.CRLfile) {
     /* set the CRL list file */
     rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
index c3867e5..af1cb5b 100644
--- a/lib/vtls/gtls.h
+++ b/lib/vtls/gtls.h
@@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void);
 /* Set the API backend definition to GnuTLS */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
 
+/* this backend supports the CAPATH option */
+#define have_curlssl_ca_path 1
+
 /* API setup for GnuTLS */
 #define curlssl_init Curl_gtls_init
 #define curlssl_cleanup Curl_gtls_cleanup
-- 
2.2.1


debug log:

solving 0094a1b ...
found 0094a1b in https://yhetil.org/guix-devel/1427495627-26598-1-git-send-email-sleep_walker@gnu.org/ ||
	https://yhetil.org/guix-devel/1427019636-24875-1-git-send-email-sleep_walker@gnu.org/

applying [1/1] https://yhetil.org/guix-devel/1427495627-26598-1-git-send-email-sleep_walker@gnu.org/
diff --git a/gnu/packages/patches/curl-enable_capath.patch b/gnu/packages/patches/curl-enable_capath.patch
new file mode 100644
index 0000000..0094a1b

1:66: trailing whitespace.
 
1:71: trailing whitespace.
 
1:100: trailing whitespace.
 
1:107: trailing whitespace.
-- 
Checking patch gnu/packages/patches/curl-enable_capath.patch...
1:109: new blank line at EOF.
+
Applied patch gnu/packages/patches/curl-enable_capath.patch cleanly.
warning: 5 lines add whitespace errors.

skipping https://yhetil.org/guix-devel/1427019636-24875-1-git-send-email-sleep_walker@gnu.org/ for 0094a1b
index at:
100644 0094a1b525d79c661503a90c98148d5fcf762a8e	gnu/packages/patches/curl-enable_capath.patch

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).