Commit 86cbb232 authored by Michal Marek's avatar Michal Marek

- Added --with-ca-path=DIRECTORY configure option to use an OpenSSL CApath by

  default instead of a ca bundle. The configure script will also look for a
  ca path if no ca bundle is found and no option given.

- Fixed detection of previously installed curl-ca-bundle.crt
parent e9a46041
+7 −0
@@ -6,6 +6,13 @@

                                  Changelog

Michal Marek (20 Mar 2008)
- Added --with-ca-path=DIRECTORY configure option to use an openSSL CApath by
  default instead of a ca bundle. The configure script will also look for a
  ca path if no ca bundle is found and no option given.

- Fixed detection of previously installed curl-ca-bundle.crt

Daniel Fandrich (18 Mar 2008)
- Added test 626 to reproduce an infinite loop when given an invalid
  SFTP quote command reported by Vincent Le Normand, and fixed it.
+2 −0
@@ -22,6 +22,8 @@ This release includes the following changes:
   currently only works in C mode)
 o curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() and
   curl_multi_setopt() uses are now checked to use exactly three arguments
 o --with-ca-path=DIR configure option allows to set an openSSL CApath instead
   of a default ca bundle.

This release includes the following bugfixes:

+77 −21
@@ -2500,21 +2500,60 @@ dnl regarding the paths this will scan:
dnl /etc/ssl/certs/ca-certificates.crt Debian systems
dnl /etc/pki/tls/certs/ca-bundle.crt Redhat and Mandriva
dnl /usr/share/ssl/certs/ca-bundle.crt old(er) Redhat
dnl /etc/ssl/certs/ (ca path) SUSE

AC_DEFUN([CURL_CHECK_CA_BUNDLE], [

  AC_MSG_CHECKING([default CA cert bundle])
  AC_MSG_CHECKING([default CA cert bundle/path])

  AC_ARG_WITH(ca-bundle,
AC_HELP_STRING([--with-ca-bundle=FILE], [File name to use as CA bundle])
AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]),
  [ ca="$withval" ],
  [
    want_ca="$withval"
    if test "x$want_ca" = "xyes"; then
      AC_MSG_ERROR([--with-ca-bundle=FILE requires a path to the CA bundle])
    fi
  ],
  [ want_ca="unset" ])
  AC_ARG_WITH(ca-path,
AC_HELP_STRING([--with-ca-path=DIRECTORY], [Directory to use as CA path])
AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
  [
    want_capath="$withval"
    if test "x$want_capath" = "xyes"; then
      AC_MSG_ERROR([--with-ca-path=DIRECTORY requires a path to the CA path directory])
    fi
  ],
  [ want_capath="unset"])

  if test "x$want_ca" != "xno" -a "x$want_ca" != "xunset" -a \
          "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
    dnl both given
    AC_MSG_ERROR([Can't specify both --with-ca-bundle and --with-ca-path.])
  elif test "x$want_ca" != "xno" -a "x$want_ca" != "xunset"; then
    dnl --with-ca-bundle given
    ca="$want_ca"
    capath="no"
  elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
    dnl --with-ca-path given
    if test "x$OPENSSL_ENABLED" != "x1"; then
      AC_MSG_ERROR([--with-ca-path only works with openSSL])
    fi
    capath="$want_capath"
    ca="no"
  else
    dnl neither of --with-ca-* given
    dnl first try autodetecting a CA bundle , then a CA path
    dnl both autodetections can be skipped by --without-ca-*
    ca="no"
    capath="no"
    if test "x$want_ca" = "xunset"; then
      dnl the path we previously would have installed the curl ca bundle
      dnl to, and thus we now check for an already existing cert in that place
      dnl in case we find no other
      if test "x$prefix" != xNONE; then
      cac="\${prefix}/share/curl/curl-ca-bundle.crt"
        cac="${prefix}/share/curl/curl-ca-bundle.crt"
      else
        cac="$ac_default_prefix/share/curl/curl-ca-bundle.crt"
      fi
@@ -2523,18 +2562,35 @@ AC_HELP_STRING([--without-ca-bundle], [Don't use a default CA bundle]),
               /etc/pki/tls/certs/ca-bundle.crt \
               /usr/share/ssl/certs/ca-bundle.crt \
               "$cac"; do
      if test -f $a; then
        if test -f "$a"; then
          ca="$a"
          break
        fi
      done
    ]
  )
    fi
    if test "x$want_capath" = "xunset" -a "x$ca" = "xno" -a \
            "x$OPENSSL_ENABLED" = "x1"; then
      for a in /etc/ssl/certs/; do
        if test -d "$a" && ls "$a"/[[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]].0 >/dev/null 2>/dev/null; then
          capath="$a"
          break
        fi
      done
    fi
  fi
        
    

  if test "x$ca" != "xno"; then
    CURL_CA_BUNDLE='"'$ca'"'
    AC_SUBST(CURL_CA_BUNDLE)
  fi
    AC_MSG_RESULT([$ca])
  elif test "x$capath" != "xno"; then
    CURL_CA_PATH="\"$capath\""
    AC_SUBST(CURL_CA_PATH)
    AC_MSG_RESULT([$capath (capath)])
  else
    AC_MSG_RESULT([no])
  fi
])
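Review bot: A user-supplied `--with-ca-path=DIR` is accepted at `capath="$want_capath"` without any check that the directory exists, and `--with-ca-bundle=FILE` is treated the same way at `ca="$want_ca"`, so a typo bakes a non-existent default verify location into the library; the only validation on either option is the rejection of a bare `yes`. Because the value later becomes a C string literal through the `#define CURL_CA_PATH @CURL_CA_PATH@` emitted in the Makefile.am hunk, a path containing `"` or `\` also yields an unbuildable header, and configure is the only place that can catch it. I would add, right after the OpenSSL check in the `dnl --with-ca-path given` branch, `if test ! -d "$want_capath"; then AC_MSG_WARN([CA path $want_capath does not exist on this host]); fi` and a matching `test -f` warning in the bundle branch — a warning rather than an error, since the location may legitimately exist only on a cross-compile target. The auto-detection at `for a in /etc/ssl/certs/; do` runs only when `$OPENSSL_ENABLED` is 1 and only recognises hashed `XXXXXXXX.0` entries, which agrees with the dnl comment above the macro but is invisible from the help text; `[Directory to use as CA path (OpenSSL only)]` in the AC_HELP_STRING would spare users of other SSL backends the surprise of the `--with-ca-path only works with openSSL` error.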
+3 −1
@@ -1618,6 +1618,7 @@ dnl **********************************************************************
CURL_CHECK_CA_BUNDLE

AM_CONDITIONAL(CABUNDLE, test x$ca != xno)
AM_CONDITIONAL(CAPATH, test x$capath != xno)

dnl **********************************************************************
dnl Check for the presence of IDN libraries and headers
@@ -2488,7 +2489,8 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
  Built-in manual: ${curl_manual_msg}
  Verbose errors:  ${curl_verbose_msg}
  SSPI support:    ${curl_sspi_msg}
  ca cert path:    ${ca}
  ca cert bundle:  ${ca}
  ca cert path:    ${capath}
  LDAP support:    ${curl_ldap_msg}
  LDAPS support:   ${curl_ldaps_msg}
])
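Review bot: The new `AM_CONDITIONAL(CAPATH, test x$capath != xno)` leaves `$capath` unquoted, so a directory given via `--with-ca-path` that contains whitespace makes `test` fail with "too many arguments", the conditional evaluates false, and the default CA path is silently dropped from the generated header; `AM_CONDITIONAL(CAPATH, test "x$capath" != "xno")` is the safe form. The pre-existing CABUNDLE line has the same weakness and could be fixed the same way while here. The summary block now prints both `ca cert bundle` and `ca cert path`; since CURL_CHECK_CA_BUNDLE guarantees at most one of them is set (it errors when both options are given and sets the other to `no` otherwise), a build showing `no` for both has no built-in verify location at all, which deserves an explicit `AC_MSG_WARN` so it is not lost in the configure output.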
+5 −0
@@ -113,6 +113,11 @@ if CABUNDLE
else
	echo '#undef CURL_CA_BUNDLE /* unknown default path */' >> $@
endif
if CAPATH
	echo '#define CURL_CA_PATH @CURL_CA_PATH@' >> $@
else
	echo '#undef CURL_CA_PATH /* unknown default path */' >>$@
endif

# this hook is mainly for non-unix systems to build even if configure
# isn't run
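Review bot: The new CAPATH branch carries no comment explaining why it can be stacked after the CABUNDLE branch without both `#define`s ending up in the header; that invariant is enforced in configure's CURL_CHECK_CA_BUNDLE, not here, and a reader of this file cannot see it. I would put `# configure (CURL_CHECK_CA_BUNDLE) sets at most one of CABUNDLE/CAPATH` above `if CAPATH`. Separately, `>>$@` on the `#undef CURL_CA_PATH` line differs from the `>> $@` spacing used on the neighbouring echo lines; harmless, but worth matching.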