gnurl: fall-back on default system trust store
author Daniel Golle <redacted>
Mon, 29 Jun 2015 17:43:13 +0000 (19:43 +0200)
committer Daniel Golle <redacted>
Mon, 29 Jun 2015 17:51:08 +0000 (19:51 +0200)
If no explicit CA file is given, gnurl fails to set up HTTPS connections
as it doesn't look for certificates in /etc/ssl/certs/ in any way.
Fix that by utilizing GnuTLS' gnutls_certificate_set_x509_system_trust
as a fall-back if neither CA file, CA path nor SRP is declared.

Reported upstream: https://github.com/bagder/curl/issues/330
Fix suggested upstream: https://github.com/bagder/curl/pull/331

Signed-off-by: Daniel Golle <redacted>
net/gnurl/Makefile
net/gnurl/patches/300-fix-gnutls-system-trust.patch [new file with mode: 0644]

index e1415de219a07343b8d264654188b2321d3ea2d6..d077e023e3dcff594e9f07d1b64933e17dcfb6bf 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gnurl
 PKG_VERSION:=7.40.0
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://gnunet.org/sites/default/files
diff --git a/net/gnurl/patches/300-fix-gnutls-system-trust.patch b/net/gnurl/patches/300-fix-gnutls-system-trust.patch
new file mode 100644 (file)
index 0000000..463ec29
--- /dev/null
@@ -0,0 +1,41 @@
+From 2c30fa7eb71b24f05b55ff03d6c81fc8572a6f4d Mon Sep 17 00:00:00 2001
+From: Daniel Golle <daniel@makrotopia.org>
+Date: Mon, 29 Jun 2015 18:36:01 +0200
+Subject: [PATCH] gnutls: use default system trust storage if no other CA is
+ set
+
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+---
+ lib/vtls/gtls.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -420,6 +420,27 @@ gtls_connect_step1(struct connectdata *c
+     return CURLE_SSL_CONNECT_ERROR;
+   }
++  if(
++#ifdef USE_TLS_SRP
++      data->set.ssl.authtype != CURL_TLSAUTH_SRP &&
++#endif
++#ifdef HAS_CAPATH
++     !data->set.ssl.CApath &&
++#endif
++     !data->set.ssl.CAfile) {
++    /* add default system trust on supported systems */
++    rc = gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
++
++    if(rc < 0) {
++      infof(data, "error importing system trust storage (%s)\n",
++            gnutls_strerror(rc));
++      if(data->set.ssl.verifypeer)
++        return CURLE_SSL_CACERT;
++    }
++    else
++      infof(data, "found %d certificates in system trust storage\n", rc);
++  }
++
+ #ifdef USE_TLS_SRP
+   if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
+     infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
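Review bot: the fallback only treats `rc < 0` as a failure, so when `gnutls_certificate_set_x509_system_trust()` succeeds but imports no certificates (`rc == 0`) the code logs `found 0 certificates in system trust storage` and continues with an empty trust store even when `data->set.ssl.verifypeer` is set; the handshake then fails later at certificate verification with a less specific error. Consider treating `rc == 0` like the error case in the `verifypeer` branch, returning `CURLE_SSL_CACERT` with a message that says no trusted certificates were found. Separately, the new call is made with no feature or version guard, unlike the surrounding `USE_TLS_SRP` and `HAS_CAPATH` conditionals, so the package will no longer build against a GnuTLS that lacks this function; wrapping it in the same kind of guard would keep the patch safe to apply there. The `verifypeer` off path (log the import error and carry on) matches the existing semantics, since the user has already opted out of verification.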