diff options
author | Michal Marek <mmarek@suse.cz> | 2008-03-20 08:09:23 +0000 |
---|---|---|
committer | Michal Marek <mmarek@suse.cz> | 2008-03-20 08:09:23 +0000 |
commit | 86cbb23282bee426439fc969d09a462acac0abe9 (patch) | |
tree | 5b97fda383c39a16038479d6c168e45e65abed4a | |
parent | e9a460411fcbf28c9e8b4e6afba4a7d1efa8bde2 (diff) |
- Added --with-ca-path=DIRECTORY configure option to use an openSSL CApath by
default instead of a ca bundle. The configure script will also look for a
ca path if no ca bundle is found and no option given.
- Fixed detection of previously installed curl-ca-bundle.crt
-rw-r--r-- | CHANGES | 7 | ||||
-rw-r--r-- | RELEASE-NOTES | 2 | ||||
-rw-r--r-- | acinclude.m4 | 98 | ||||
-rw-r--r-- | configure.ac | 4 | ||||
-rw-r--r-- | lib/Makefile.am | 5 | ||||
-rw-r--r-- | lib/easy.c | 6 | ||||
-rw-r--r-- | lib/url.c | 6 |
7 files changed, 102 insertions, 26 deletions
@@ -6,6 +6,13 @@ Changelog +Michal Marek (20 Mar 2008) +- Added --with-ca-path=DIRECTORY configure option to use an openSSL CApath by + default instead of a ca bundle. The configure script will also look for a + ca path if no ca bundle is found and no option given. + +- Fixed detection of previously installed curl-ca-bundle.crt + Daniel Fandrich (18 Mar 2008) - Added test 626 to reproduce an infinite loop when given an invalid SFTP quote command reported by Vincent Le Normand, and fixed it. diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 281bd59eb..6fc9c3def 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -22,6 +22,8 @@ This release includes the following changes: currently only works in C mode) o curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() and curl_multi_setopt() uses are now checked to use exactly three arguments + o --with-ca-path=DIR configure option allows to set an openSSL CApath instead + of a default ca bundle. This release includes the following bugfixes: diff --git a/acinclude.m4 b/acinclude.m4 index 5b6a98e0a..bdfb6cea1 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -2500,41 +2500,97 @@ dnl regarding the paths this will scan: dnl /etc/ssl/certs/ca-certificates.crt Debian systems dnl /etc/pki/tls/certs/ca-bundle.crt Redhat and Mandriva dnl /usr/share/ssl/certs/ca-bundle.crt old(er) Redhat +dnl /etc/ssl/certs/ (ca path) SUSE AC_DEFUN([CURL_CHECK_CA_BUNDLE], [ - AC_MSG_CHECKING([default CA cert bundle]) + AC_MSG_CHECKING([default CA cert bundle/path]) AC_ARG_WITH(ca-bundle, AC_HELP_STRING([--with-ca-bundle=FILE], [File name to use as CA bundle]) AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]), - [ ca="$withval" ], [ - dnl the path we previously would have installed the curl ca bundle - dnl to, and thus we now check for an already existing cert in that place - dnl in case we find no other - if test "x$prefix" != xNONE; then - cac="\${prefix}/share/curl/curl-ca-bundle.crt" - else - cac="$ac_default_prefix/share/curl/curl-ca-bundle.crt" + want_ca="$withval" + if test "x$want_ca" = "xyes"; then + AC_MSG_ERROR([--with-ca-bundle=FILE requires a path to the CA bundle]) fi - - for a in /etc/ssl/certs/ca-certificates.crt \ - /etc/pki/tls/certs/ca-bundle.crt \ - /usr/share/ssl/certs/ca-bundle.crt \ - "$cac"; do - if test -f $a; then - ca="$a" - break + ], + [ want_ca="unset" ]) + AC_ARG_WITH(ca-path, +AC_HELP_STRING([--with-ca-path=DIRECTORY], [Directory to use as CA path]) +AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]), + [ + want_capath="$withval" + if test "x$want_capath" = "xyes"; then + AC_MSG_ERROR([--with-ca-path=DIRECTORY requires a path to the CA path directory]) + fi + ], + [ want_capath="unset"]) + + if test "x$want_ca" != "xno" -a "x$want_ca" != "xunset" -a \ + "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then + dnl both given + AC_MSG_ERROR([Can't specify both --with-ca-bundle and --with-ca-path.]) + elif test "x$want_ca" != "xno" -a "x$want_ca" != "xunset"; then + dnl --with-ca-bundle given + ca="$want_ca" + capath="no" + elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then + dnl --with-ca-path given + if test "x$OPENSSL_ENABLED" != "x1"; then + AC_MSG_ERROR([--with-ca-path only works with openSSL]) + fi + capath="$want_capath" + ca="no" + else + dnl neither of --with-ca-* given + dnl first try autodetecting a CA bundle , then a CA path + dnl both autodetections can be skipped by --without-ca-* + ca="no" + capath="no" + if test "x$want_ca" = "xunset"; then + dnl the path we previously would have installed the curl ca bundle + dnl to, and thus we now check for an already existing cert in that place + dnl in case we find no other + if test "x$prefix" != xNONE; then + cac="${prefix}/share/curl/curl-ca-bundle.crt" + else + cac="$ac_default_prefix/share/curl/curl-ca-bundle.crt" fi - done - ] - ) + + for a in /etc/ssl/certs/ca-certificates.crt \ + /etc/pki/tls/certs/ca-bundle.crt \ + /usr/share/ssl/certs/ca-bundle.crt \ + "$cac"; do + if test -f "$a"; then + ca="$a" + break + fi + done + fi + if test "x$want_capath" = "xunset" -a "x$ca" = "xno" -a \ + "x$OPENSSL_ENABLED" = "x1"; then + for a in /etc/ssl/certs/; do + if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then + capath="$a" + break + fi + done + fi + fi + + if test "x$ca" != "xno"; then CURL_CA_BUNDLE='"'$ca'"' AC_SUBST(CURL_CA_BUNDLE) + AC_MSG_RESULT([$ca]) + elif test "x$capath" != "xno"; then + CURL_CA_PATH="\"$capath\"" + AC_SUBST(CURL_CA_PATH) + AC_MSG_RESULT([$capath (capath)]) + else + AC_MSG_RESULT([no]) fi - AC_MSG_RESULT([$ca]) ]) diff --git a/configure.ac b/configure.ac index 6c532c889..7a944431a 100644 --- a/configure.ac +++ b/configure.ac @@ -1618,6 +1618,7 @@ dnl ********************************************************************** CURL_CHECK_CA_BUNDLE AM_CONDITIONAL(CABUNDLE, test x$ca != xno) +AM_CONDITIONAL(CAPATH, test x$capath != xno) dnl ********************************************************************** dnl Check for the presence of IDN libraries and headers @@ -2488,7 +2489,8 @@ AC_MSG_NOTICE([Configured to build curl/libcurl: Built-in manual: ${curl_manual_msg} Verbose errors: ${curl_verbose_msg} SSPI support: ${curl_sspi_msg} - ca cert path: ${ca} + ca cert bundle: ${ca} + ca cert path: ${capath} LDAP support: ${curl_ldap_msg} LDAPS support: ${curl_ldaps_msg} ]) diff --git a/lib/Makefile.am b/lib/Makefile.am index f342946a6..350931df0 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -113,6 +113,11 @@ if CABUNDLE else echo '#undef CURL_CA_BUNDLE /* unknown default path */' >> $@ endif +if CAPATH + echo '#define CURL_CA_PATH @CURL_CA_PATH@' >> $@ +else + echo '#undef CURL_CA_PATH /* unknown default path */' >>$@ +endif # this hook is mainly for non-unix systems to build even if configure # isn't run diff --git a/lib/easy.c b/lib/easy.c index cfa6c41b1..93b5095a1 100644 --- a/lib/easy.c +++ b/lib/easy.c @@ -745,9 +745,11 @@ void curl_easy_reset(CURL *curl) */ data->set.ssl.verifypeer = TRUE; data->set.ssl.verifyhost = 2; -#ifdef CURL_CA_BUNDLE - /* This is our prefered CA cert bundle since install time */ + /* This is our prefered CA cert bundle/path since install time */ +#if defined(CURL_CA_BUNDLE) (void) curl_easy_setopt(curl, CURLOPT_CAINFO, (char *) CURL_CA_BUNDLE); +#elif defined(CURL_CA_PATH) + (void) curl_easy_setopt(curl, CURLOPT_CAPATH, (char *) CURL_CA_PATH); #endif data->set.ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth @@ -746,10 +746,12 @@ CURLcode Curl_open(struct SessionHandle **curl) data->set.ssl.verifypeer = TRUE; data->set.ssl.verifyhost = 2; data->set.ssl.sessionid = TRUE; /* session ID caching enabled by default */ -#ifdef CURL_CA_BUNDLE - /* This is our preferred CA cert bundle since install time */ + /* This is our preferred CA cert bundle/path since install time */ +#if defined(CURL_CA_BUNDLE) res = setstropt(&data->set.str[STRING_SSL_CAFILE], (char *) CURL_CA_BUNDLE); +#elif defined(CURL_CA_PATH) + res = setstropt(&data->set.str[STRING_SSL_CAPATH], (char *) CURL_CA_PATH); #endif } |