CAC modules

Mike Miller mtmiller at ieee.org
Thu Jul 19 01:10:42 EDT 2012


On Wed, Jul 18, 2012 at 09:43:38PM +0100, David Woodhouse wrote:
> Newer versions of GnuTLS (3.0.20+) have a function which adds the
> "system" trust file, gnutls_certificate_set_x509_system_trust(). But
> your GnuTLS is older than that, so the OpenConnect code just falls back
> to adding /etc/pki/tls/certs/ca-bundle.crt manually. And that isn't
> where it is on your distribution.
> 
> I suppose we ought to add some magic in the configure script to *find*
> the file in the appropriate location. In the meantime, Mike may wish to
> patch it to change the hard-coded location. Sorry, I knew that was wrong
> when I did it, but it was part of the *first* commit adding GnuTLS
> support (which didn't actually use it to do any verification yet anyway)
> and I meant to come back to revisit it... but forgot.

Good catch both of you, I'll fix my Debian and Ubuntu builds to use the
correct ca-certificates path.

So how about something like this for the configure script? Could
probably use some polishing but I think it's functionally correct.

From a460a7672f6a011b54e5ffc60bc8372ed9a43d0e Mon Sep 17 00:00:00 2001
From: Mike Miller <mtmiller at ieee.org>
Date: Thu, 19 Jul 2012 00:47:32 -0400
Subject: [PATCH] Check for system CA certificate file for GnuTLS

Look in certain well-known system paths for the default file to give to
gnutls_certificate_set_x509_trust_file() if required.  Auto-detection is
based on the GnuTLS configure script.

Signed-off-by: Mike Miller <mtmiller at ieee.org>
---
 configure.ac |   32 ++++++++++++++++++++++++++++++++
 gnutls.c     |    2 +-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index c067276..30ed5c8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -179,6 +179,10 @@ if test "$USE_NLS" = "yes"; then
 fi
 AM_CONDITIONAL(USE_NLS, [test "$USE_NLS" = "yes"])
 
+AC_ARG_WITH([system-cafile],
+	    AS_HELP_STRING([--with-system-cafile],
+			   [Location of the default system CA certificate file]))
+
 # We will use GnuTLS if it's requested, and if GnuTLS doesn't have DTLS
 # support then we'll *also* use OpenSSL for that, but it appears *only*
 # only in the openconnect executable and not the library (hence shouldn't
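Review bot: the help text for the new AC_ARG_WITH does not say that the option takes a path, nor that it is only consulted when GnuTLS lacks gnutls_certificate_set_x509_system_trust(); write it as `AS_HELP_STRING([--with-system-cafile=PATH], [...])` and mention the GnuTLS-version condition, otherwise users of a newer GnuTLS will reasonably expect the option to change which trust store is used when it is silently ignored.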
@@ -209,6 +213,34 @@ if test "$with_gnutls" = "yes"; then
 		 [AC_DEFINE(HAVE_GNUTLS_DTLS_SET_DATA_MTU, 1)], [])
     AC_CHECK_FUNC(gnutls_certificate_set_x509_system_trust,
 		 [AC_DEFINE(HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST, 1)], [])
+    if test "$ac_cv_func_gnutls_certificate_set_x509_system_trust" != "yes"; then
+	# We will need to tell GnuTLS the path to the system CA file.
+	if test "$with_system_cafile" = "yes" || test "$with_system_cafile" = ""; then
+	    # Auto-detect path to the system CA file, based on GnuTLS.
+	    with_system_cafile=
+	    for i in \
+		/etc/ssl/certs/ca-certificates.crt \
+		/etc/pki/tls/cert.pem \
+		/usr/local/share/certs/ca-root-nss.crt
+		do
+		if test -e $i; then
+		    with_system_cafile="$i"
+		    break
+		fi
+	    done
+	elif test "$with_system_cafile" = "no"; then
+	    AC_MSG_ERROR([You cannot disable the system CA certificate file.])
+	fi
+	if test "$with_system_cafile" = ""; then
+	    AC_MSG_ERROR([Unable to find a standard system CA certificate file.]
+    [Your GnuTLS requires a path to a CA certificate store. Most distributions]
+    [ship with a CA certificate file in a standard location. None of the known]
+    [standard locations exist on your system. You should provide a]
+    [--with-system-cafile= argument to this configure script, giving the full]
+    [path to a default CA certificate file for GnuTLS to use.])
+	fi
+	AC_DEFINE_UNQUOTED([DEFAULT_SYSTEM_CAFILE], ["$with_system_cafile"])
+    fi
     AC_CHECK_FUNC(gnutls_pkcs12_simple_parse,
 		 [AC_DEFINE(HAVE_GNUTLS_PKCS12_SIMPLE_PARSE, 1)], [])
     AC_CHECK_FUNC(gnutls_certificate_set_key,
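Review bot: the auto-detection loop (`for i in ... do` / `if test -e $i`) probes the build host's filesystem, so when cross-compiling it either bakes in the build machine's bundle path or aborts with the "Unable to find" error; skip auto-detection when `$cross_compiling` is yes and insist on an explicit --with-system-cafile= in that case, and quote the variable (`test -e "$i"`) while here. Two smaller points: the candidate list drops /etc/pki/tls/certs/ca-bundle.crt, the path the old code hard-coded, so a system that has only that file would now fail to configure where it built before (adding it after /etc/pki/tls/cert.pem costs nothing); and a user-supplied path is accepted without any existence check, so an AC_MSG_WARN when the given file is absent on the build host would catch typos at configure time instead of at the first TLS handshake.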
diff --git a/gnutls.c b/gnutls.c
index 42f709a..d9e550d 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1751,7 +1751,7 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 		gnutls_certificate_set_x509_system_trust(vpninfo->https_cred);
 #else
 		gnutls_certificate_set_x509_trust_file(vpninfo->https_cred,
-						       "/etc/pki/tls/certs/ca-bundle.crt",
+						       DEFAULT_SYSTEM_CAFILE,
 						       GNUTLS_X509_FMT_PEM);
 #endif
 		gnutls_certificate_set_verify_function (vpninfo->https_cred,
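Review bot: the return value of gnutls_certificate_set_x509_trust_file() is still ignored on the DEFAULT_SYSTEM_CAFILE fallback path. It returns the number of certificates loaded, or a negative GnuTLS error code when the file cannot be read, and the configure-time path is no guarantee for the machine that eventually runs the binary (a different distribution, a chroot, a package that moved the bundle); in that case the credentials carry an empty trust store and every server certificate fails verification with no hint as to why. Capture the result and report it, e.g. `int ret = gnutls_certificate_set_x509_trust_file(...);` followed by `if (ret <= 0) /* warn that no CA certificates were loaded from DEFAULT_SYSTEM_CAFILE */`.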
-- 
1.7.10.4
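The detection logic in the patch above, as an added stand-alone example (this is not OpenConnect's configure script and not code from the thread): it walks the same three well-known bundle paths, but additionally requires that the file it settles on contains at least one PEM certificate, so an empty or truncated bundle is caught at configure time rather than surfacing later as a verification failure on every server. The candidate path list is the one from the patch; the fixture files and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of OpenConnect: locate a usable system CA bundle.

# Number of PEM certificate blocks in a file; 0 for an unreadable or
# missing file.  "|| true" keeps grep's exit status 1 for a zero count
# from tripping "set -e" in callers.
count_pem_certs() {
    if [ -r "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Print the first candidate path that exists and holds at least one
# certificate, and return 0; return 1 if none qualifies.  Candidates are
# taken from the arguments, defaulting to the list used by the patch.
find_system_cafile() {
    if [ $# -eq 0 ]; then
        set -- /etc/ssl/certs/ca-certificates.crt \
               /etc/pki/tls/cert.pem \
               /usr/local/share/certs/ca-root-nss.crt
    fi
    for f in "$@"; do
        if [ -e "$f" ] && [ "$(count_pem_certs "$f")" -gt 0 ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Demo on constructed fixtures (not real certificates): one file shaped
# like a bundle, one empty file, and one path that does not exist.  The
# empty file is the case a plain "test -e" check would wrongly accept.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
                  'MIIB-constructed-placeholder-not-a-real-certificate' \
                  '-----END CERTIFICATE-----' > "$d/bundle.crt"
    : > "$d/empty.crt"
    if found=$(find_system_cafile "$d/missing.crt" "$d/empty.crt" "$d/bundle.crt"); then
        echo "fixture search picked: $found"
    else
        echo "fixture search found no usable bundle" >&2
    fi
    rm -rf "$d"
    # Now the real default list on this host.
    if found=$(find_system_cafile); then
        echo "system CA file: $found ($(count_pem_certs "$found") certificates)"
    else
        echo "no system CA file in the known locations; pass one explicitly" >&2
    fi
}
demo
```

Running it on a host prints the first usable bundle and how many certificates it carries; on a host with none of the three paths it exits the search with status 1, which is the condition the patch turns into an AC_MSG_ERROR.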




More information about the openconnect-devel mailing list