ITS#8155 Support cacertdir with GnuTLS

9282e6ed · Ryan Tandy · fc8a7b25 · 9282e6ed · 9282e6ed · 9282e6ed
Commit 9282e6ed authored May 14, 2020 by Ryan Tandy
--- a/configure.in
+++ b/configure.in
@@ -1206,10 +1206,10 @@ if test $ol_link_tls = no ; then
 		if test $ac_cv_header_gnutls_gnutls_h = yes ; then
 			AC_PREPROC_IFELSE([AC_LANG_SOURCE(
 				[[#include <gnutls/gnutls.h>]
-[#if GNUTLS_VERSION_NUMBER < 0x030202]
-[#error "GnuTLS 3.2.2 or newer required"]
+[#if GNUTLS_VERSION_NUMBER < 0x030306]
+[#error "GnuTLS is too old"]
 [#endif]])],
-					, [AC_MSG_FAILURE([GnuTLS is too old])])
+					, [AC_MSG_FAILURE([GnuTLS 3.3.6 or newer required])])

 			AC_CHECK_LIB(gnutls, gnutls_init,
 				[have_gnutls=yes], [have_gnutls=no])

--- a/doc/guide/admin/appendix-recommended-versions.sdf
+++ b/doc/guide/admin/appendix-recommended-versions.sdf
@@ -16,7 +16,7 @@ H2: Dependency Versions
 Feature|Software|Version
 {{TERM[expand]TLS}}:
 |{{PRD:OpenSSL}}|0.9.7+
-|{{PRD:GnuTLS}}|2.12.0
+|{{PRD:GnuTLS}}|3.3.6+
 {{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
 {{TERM[expand]Kerberos}}:
 |{{PRD:Heimdal}}|Version

--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -322,7 +322,6 @@ certificates in separate individual files. The
 .B TLS_CACERT
 is always used before
 .B TLS_CACERTDIR.
-This parameter is ignored with GnuTLS.
 .TP
 .B TLS_CERT <filename>
 Specifies the file that contains the client certificate.

--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -877,8 +877,7 @@ will recognize.
 Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
 or the olcTLSCACertificateFile is defined. If both are specified, both
-locations will be used. This directive is not supported
-when using GnuTLS.
+locations will be used.
 .TP
 .B olcTLSCertificateFile: <filename>
 Specifies the file that contains the

--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1111,8 +1111,7 @@ appended to the file; the order is not significant.
 .B TLSCACertificatePath <path>
 Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
-or the TLSCACertificateFile is used. This directive is not supported
-when using GnuTLS.
+or the TLSCACertificateFile is used.
 .TP
 .B TLSCertificateFile <filename>
 Specifies the file that contains the

--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -195,8 +195,20 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 	}

 	if (lo->ldo_tls_cacertdir != NULL) {
-		Debug0( LDAP_DEBUG_ANY,
-		       "TLS: warning: cacertdir not implemented for gnutls\n" );
+		rc = gnutls_certificate_set_x509_trust_dir(
+			ctx->cred,
+			lt->lt_cacertdir,
+			GNUTLS_X509_FMT_PEM );
+		if ( rc > 0 ) {
+			Debug2( LDAP_DEBUG_TRACE,
+				"TLS: loaded %d CA certificates from directory `%s'.\n",
+				rc, lt->lt_cacertdir );
+		} else {
+			Debug1( LDAP_DEBUG_ANY,
+				"TLS: warning: no certificate found in CA certificate directory `%s'.\n",
+				lt->lt_cacertdir );
+			/* only warn, no return */
+		}
 	}

 	if (lo->ldo_tls_cacertfile != NULL) {