gtls: add support for CURLOPT_CAPATH

This commit is contained in:
Alessandro Ghedini 2015-03-08 20:11:06 +01:00 committed by Daniel Stenberg
parent 0f24df6e54
commit 5a1614cecd
4 changed files with 29 additions and 5 deletions

View File

@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
capath="no" capath="no"
elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
dnl --with-ca-path given dnl --with-ca-path given
if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL]) AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL])
fi fi
capath="$want_capath" capath="$want_capath"
ca="no" ca="no"

View File

@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
.SH EXAMPLE .SH EXAMPLE
TODO TODO
.SH AVAILABILITY .SH AVAILABILITY
This option is OpenSSL-specific and does nothing if libcurl is built to use This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS
GnuTLS. NSS-powered libcurl provides the option only for backward backend provides the option only for backward compatibility.
compatibility.
.SH RETURN VALUE .SH RETURN VALUE
Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space. CURLE_OUT_OF_MEMORY if there was insufficient heap space.

View File

@ -97,6 +97,10 @@ static bool gtls_inited = FALSE;
# if (GNUTLS_VERSION_NUMBER >= 0x03020d) # if (GNUTLS_VERSION_NUMBER >= 0x03020d)
# define HAS_OCSP # define HAS_OCSP
# endif # endif
# if (GNUTLS_VERSION_NUMBER >= 0x030306)
# define HAS_CAPATH
# endif
#endif #endif
#ifdef HAS_OCSP #ifdef HAS_OCSP
@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn,
rc, data->set.ssl.CAfile); rc, data->set.ssl.CAfile);
} }
#ifdef HAS_CAPATH
if(data->set.ssl.CApath) {
/* set the trusted CA cert directory */
rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
data->set.ssl.CApath,
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
data->set.ssl.CAfile, gnutls_strerror(rc));
if(data->set.ssl.verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
else
infof(data, "found %d certificates in %s\n",
rc, data->set.ssl.CApath);
}
#endif
if(data->set.ssl.CRLfile) { if(data->set.ssl.CRLfile) {
/* set the CRL list file */ /* set the CRL list file */
rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred, rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,

View File

@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void);
/* Set the API backend definition to GnuTLS */ /* Set the API backend definition to GnuTLS */
#define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
/* this backend supports the CAPATH option */
#define have_curlssl_ca_path 1
/* API setup for GnuTLS */ /* API setup for GnuTLS */
#define curlssl_init Curl_gtls_init #define curlssl_init Curl_gtls_init
#define curlssl_cleanup Curl_gtls_cleanup #define curlssl_cleanup Curl_gtls_cleanup