gnutls: backport upstream --with-ca-path implementation

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

3 files changed, 102 insertions, 42 deletions

diff --git a/net/gnurl/Makefile b/net/gnurl/Makefile
index d077e023e..c63b1ffbb 100644
--- a/net/gnurl/Makefile
+++ b/net/gnurl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gnurl
 PKG_VERSION:=7.40.0
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://gnunet.org/sites/default/files
@@ -53,6 +53,7 @@ CONFIGURE_ARGS += \
 	--with-gnutls="$(STAGING_DIR)/usr" \
 	--with-libidn="$(STAGING_DIR)/usr" \
 	--with-zlib="$(STAGING_DIR)/usr" \
+	--with-ca-path="/etc/ssl/certs/" \
 	--enable-shared \
 	--enable-static \
 	--without-axtls \
diff --git a/net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch b/net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch
new file mode 100644
index 000000000..37d862f01
--- /dev/null
+++ b/net/gnurl/patches/010-backport-gtls-add-support-for-CURLOPT_CAPATH.patch
@@ -0,0 +1,100 @@
+From 5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 Mon Sep 17 00:00:00 2001
+From: Alessandro Ghedini <alessandro@ghedini.me>
+Date: Sun, 8 Mar 2015 20:11:06 +0100
+Subject: [PATCH] gtls: add support for CURLOPT_CAPATH
+
+---
+ acinclude.m4                       |  4 ++--
+ docs/libcurl/opts/CURLOPT_CAPATH.3 |  5 ++---
+ lib/vtls/gtls.c                    | 22 ++++++++++++++++++++++
+ lib/vtls/gtls.h                    |  3 +++
+ 4 files changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 6ed7ffb..ca01869 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
+     capath="no"
+   elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
+     dnl --with-ca-path given
+-    if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
+-      AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL])
++    if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
++      AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL])
+     fi
+     capath="$want_capath"
+     ca="no"
+diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3
+index 642953d..6695f9f 100644
+--- a/docs/libcurl/opts/CURLOPT_CAPATH.3
++++ b/docs/libcurl/opts/CURLOPT_CAPATH.3
+@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
+ .SH EXAMPLE
+ TODO
+ .SH AVAILABILITY
+-This option is OpenSSL-specific and does nothing if libcurl is built to use
+-GnuTLS. NSS-powered libcurl provides the option only for backward
+-compatibility.
++This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS
++backend provides the option only for backward compatibility.
+ .SH RETURN VALUE
+ Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or
+ CURLE_OUT_OF_MEMORY if there was insufficient heap space.
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 05aef19..c792540 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -97,6 +97,10 @@ static bool gtls_inited = FALSE;
+ #  if (GNUTLS_VERSION_NUMBER >= 0x03020d)
+ #    define HAS_OCSP
+ #  endif
++
++#  if (GNUTLS_VERSION_NUMBER >= 0x030306)
++#    define HAS_CAPATH
++#  endif
+ #endif
+ 
+ #ifdef HAS_OCSP
+@@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn,
+             rc, data->set.ssl.CAfile);
+   }
+ 
++#ifdef HAS_CAPATH
++  if(data->set.ssl.CApath) {
++    /* set the trusted CA cert directory */
++    rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
++                                                data->set.ssl.CApath,
++                                                GNUTLS_X509_FMT_PEM);
++    if(rc < 0) {
++      infof(data, "error reading ca cert file %s (%s)\n",
++            data->set.ssl.CAfile, gnutls_strerror(rc));
++      if(data->set.ssl.verifypeer)
++        return CURLE_SSL_CACERT_BADFILE;
++    }
++    else
++      infof(data, "found %d certificates in %s\n",
++            rc, data->set.ssl.CApath);
++  }
++#endif
++
+   if(data->set.ssl.CRLfile) {
+     /* set the CRL list file */
+     rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
+diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
+index c3867e5..af1cb5b 100644
+--- a/lib/vtls/gtls.h
++++ b/lib/vtls/gtls.h
+@@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void);
+ /* Set the API backend definition to GnuTLS */
+ #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
+ 
++/* this backend supports the CAPATH option */
++#define have_curlssl_ca_path 1
++
+ /* API setup for GnuTLS */
+ #define curlssl_init Curl_gtls_init
+ #define curlssl_cleanup Curl_gtls_cleanup
+-- 
+2.4.4
+
diff --git a/net/gnurl/patches/300-fix-gnutls-system-trust.patch b/net/gnurl/patches/300-fix-gnutls-system-trust.patch
deleted file mode 100644
index 463ec29b6..000000000
--- a/net/gnurl/patches/300-fix-gnutls-system-trust.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 2c30fa7eb71b24f05b55ff03d6c81fc8572a6f4d Mon Sep 17 00:00:00 2001
-From: Daniel Golle <daniel@makrotopia.org>
-Date: Mon, 29 Jun 2015 18:36:01 +0200
-Subject: [PATCH] gnutls: use default system trust storage if no other CA is
- set
-
-Signed-off-by: Daniel Golle <daniel@makrotopia.org>
----
- lib/vtls/gtls.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -420,6 +420,27 @@ gtls_connect_step1(struct connectdata *c
-     return CURLE_SSL_CONNECT_ERROR;
-   }
- 
-+  if(
-+#ifdef USE_TLS_SRP
-+      data->set.ssl.authtype != CURL_TLSAUTH_SRP &&
-+#endif
-+#ifdef HAS_CAPATH
-+     !data->set.ssl.CApath &&
-+#endif
-+     !data->set.ssl.CAfile) {
-+    /* add default system trust on supported systems */
-+    rc = gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
-+
-+    if(rc < 0) {
-+      infof(data, "error importing system trust storage (%s)\n",
-+            gnutls_strerror(rc));
-+      if(data->set.ssl.verifypeer)
-+        return CURLE_SSL_CACERT;
-+    }
-+    else
-+      infof(data, "found %d certificates in system trust storage\n", rc);
-+  }
-+
- #ifdef USE_TLS_SRP
-   if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
-     infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);