|
@ -0,0 +1,100 @@ |
|
|
|
|
|
From 5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 Mon Sep 17 00:00:00 2001 |
|
|
|
|
|
From: Alessandro Ghedini <alessandro@ghedini.me> |
|
|
|
|
|
Date: Sun, 8 Mar 2015 20:11:06 +0100 |
|
|
|
|
|
Subject: [PATCH] gtls: add support for CURLOPT_CAPATH |
|
|
|
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
acinclude.m4 | 4 ++-- |
|
|
|
|
|
docs/libcurl/opts/CURLOPT_CAPATH.3 | 5 ++--- |
|
|
|
|
|
lib/vtls/gtls.c | 22 ++++++++++++++++++++++ |
|
|
|
|
|
lib/vtls/gtls.h | 3 +++ |
|
|
|
|
|
4 files changed, 29 insertions(+), 5 deletions(-) |
|
|
|
|
|
|
|
|
|
|
|
diff --git a/acinclude.m4 b/acinclude.m4
|
|
|
|
|
|
index 6ed7ffb..ca01869 100644
|
|
|
|
|
|
--- a/acinclude.m4
|
|
|
|
|
|
+++ b/acinclude.m4
|
|
|
|
|
|
@@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
|
|
|
|
|
|
capath="no" |
|
|
|
|
|
elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then |
|
|
|
|
|
dnl --with-ca-path given |
|
|
|
|
|
- if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
|
|
|
|
|
|
- AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL])
|
|
|
|
|
|
+ if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
|
|
|
|
|
|
+ AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL])
|
|
|
|
|
|
fi |
|
|
|
|
|
capath="$want_capath" |
|
|
|
|
|
ca="no" |
|
|
|
|
|
diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3
|
|
|
|
|
|
index 642953d..6695f9f 100644
|
|
|
|
|
|
--- a/docs/libcurl/opts/CURLOPT_CAPATH.3
|
|
|
|
|
|
+++ b/docs/libcurl/opts/CURLOPT_CAPATH.3
|
|
|
|
|
|
@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
|
|
|
|
|
|
.SH EXAMPLE |
|
|
|
|
|
TODO |
|
|
|
|
|
.SH AVAILABILITY |
|
|
|
|
|
-This option is OpenSSL-specific and does nothing if libcurl is built to use
|
|
|
|
|
|
-GnuTLS. NSS-powered libcurl provides the option only for backward
|
|
|
|
|
|
-compatibility.
|
|
|
|
|
|
+This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS
|
|
|
|
|
|
+backend provides the option only for backward compatibility.
|
|
|
|
|
|
.SH RETURN VALUE |
|
|
|
|
|
Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or |
|
|
|
|
|
CURLE_OUT_OF_MEMORY if there was insufficient heap space. |
|
|
|
|
|
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
|
|
|
|
|
index 05aef19..c792540 100644
|
|
|
|
|
|
--- a/lib/vtls/gtls.c
|
|
|
|
|
|
+++ b/lib/vtls/gtls.c
|
|
|
|
|
|
@@ -97,6 +97,10 @@ static bool gtls_inited = FALSE;
|
|
|
|
|
|
# if (GNUTLS_VERSION_NUMBER >= 0x03020d) |
|
|
|
|
|
# define HAS_OCSP |
|
|
|
|
|
# endif |
|
|
|
|
|
+
|
|
|
|
|
|
+# if (GNUTLS_VERSION_NUMBER >= 0x030306)
|
|
|
|
|
|
+# define HAS_CAPATH
|
|
|
|
|
|
+# endif
|
|
|
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
|
|
#ifdef HAS_OCSP |
|
|
|
|
|
@@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn,
|
|
|
|
|
|
rc, data->set.ssl.CAfile); |
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
+#ifdef HAS_CAPATH
|
|
|
|
|
|
+ if(data->set.ssl.CApath) {
|
|
|
|
|
|
+ /* set the trusted CA cert directory */
|
|
|
|
|
|
+ rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
|
|
|
|
|
|
+ data->set.ssl.CApath,
|
|
|
|
|
|
+ GNUTLS_X509_FMT_PEM);
|
|
|
|
|
|
+ if(rc < 0) {
|
|
|
|
|
|
+ infof(data, "error reading ca cert file %s (%s)\n",
|
|
|
|
|
|
+ data->set.ssl.CAfile, gnutls_strerror(rc));
|
|
|
|
|
|
+ if(data->set.ssl.verifypeer)
|
|
|
|
|
|
+ return CURLE_SSL_CACERT_BADFILE;
|
|
|
|
|
|
+ }
|
|
|
|
|
|
+ else
|
|
|
|
|
|
+ infof(data, "found %d certificates in %s\n",
|
|
|
|
|
|
+ rc, data->set.ssl.CApath);
|
|
|
|
|
|
+ }
|
|
|
|
|
|
+#endif
|
|
|
|
|
|
+
|
|
|
|
|
|
if(data->set.ssl.CRLfile) { |
|
|
|
|
|
/* set the CRL list file */ |
|
|
|
|
|
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, |
|
|
|
|
|
diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
|
|
|
|
|
|
index c3867e5..af1cb5b 100644
|
|
|
|
|
|
--- a/lib/vtls/gtls.h
|
|
|
|
|
|
+++ b/lib/vtls/gtls.h
|
|
|
|
|
|
@@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void);
|
|
|
|
|
|
/* Set the API backend definition to GnuTLS */ |
|
|
|
|
|
#define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS |
|
|
|
|
|
|
|
|
|
|
|
+/* this backend supports the CAPATH option */
|
|
|
|
|
|
+#define have_curlssl_ca_path 1
|
|
|
|
|
|
+
|
|
|
|
|
|
/* API setup for GnuTLS */ |
|
|
|
|
|
#define curlssl_init Curl_gtls_init |
|
|
|
|
|
#define curlssl_cleanup Curl_gtls_cleanup |
|
|
|
|
|
--
|
|
|
|
|
|
2.4.4 |
|
|
|
|
|
|