From d6e94070ddb015e73573a620234a8929f8aaac16 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Wed, 1 Dec 2010 13:49:39 -0500
Subject: [PATCH] Add GTlsConnection:use-system-certdb

This can be set FALSE if you don't want to validate certificates against the system database.
---
 docs/reference/gio/gio-sections.txt | 2 ++
 gio/gdummytlsbackend.c | 3 +-
 gio/gio.symbols | 2 ++
 gio/gtlsconnection.c | 70 +++++++++++++++++++++++++++++++++++++
 gio/gtlsconnection.h | 4 +++
 5 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/docs/reference/gio/gio-sections.txt b/docs/reference/gio/gio-sections.txt
index 3a78935..bcff388 100644
--- a/docs/reference/gio/gio-sections.txt
+++ b/docs/reference/gio/gio-sections.txt
@@ -3064,6 +3064,8 @@ g_tls_connection_get_require_close_notify
 GTlsRehandshakeMode
 g_tls_connection_set_rehandshake_mode
 g_tls_connection_get_rehandshake_mode
+g_tls_connection_set_use_system_certdb
+g_tls_connection_get_use_system_certdb
 g_tls_connection_handshake
 g_tls_connection_handshake_async
diff --git a/gio/gdummytlsbackend.c b/gio/gdummytlsbackend.c
index fd55aa9..f2d7186 100644
--- a/gio/gdummytlsbackend.c
+++ b/gio/gdummytlsbackend.c
@@ -184,6 +184,7 @@ enum
   PROP_BASE_IO_STREAM,
   PROP_REQUIRE_CLOSE_NOTIFY,
   PROP_REHANDSHAKE_MODE,
+  PROP_USE_SYSTEM_CERTDB,
   PROP_VALIDATION_FLAGS,
   PROP_SERVER_IDENTITY,
   PROP_USE_SSL3,
@@ -243,12 +244,12 @@ g_dummy_tls_connection_class_init (GDummyTlsConnectionClass *connection_class)
   g_object_class_override_property (gobject_class, PROP_BASE_IO_STREAM, "base-io-stream");
   g_object_class_override_property (gobject_class, PROP_REQUIRE_CLOSE_NOTIFY, "require-close-notify");
   g_object_class_override_property (gobject_class, PROP_REHANDSHAKE_MODE, "rehandshake-mode");
+  g_object_class_override_property (gobject_class, PROP_USE_SYSTEM_CERTDB, "use-system-certdb");
   g_object_class_override_property (gobject_class, PROP_VALIDATION_FLAGS, "validation-flags");
   g_object_class_override_property (gobject_class, PROP_SERVER_IDENTITY, "server-identity");
   g_object_class_override_property (gobject_class, PROP_USE_SSL3, "use-ssl3");
   g_object_class_override_property (gobject_class, PROP_ACCEPTED_CAS, "accepted-cas");
   g_object_class_override_property (gobject_class, PROP_AUTHENTICATION_MODE, "authentication-mode");
-
 }
 
 static void
diff --git a/gio/gio.symbols b/gio/gio.symbols
index b7077ee..d5af410 100644
--- a/gio/gio.symbols
+++ b/gio/gio.symbols
@@ -2043,6 +2043,7 @@ g_tls_connection_get_certificate
 g_tls_connection_get_peer_certificate
 g_tls_connection_get_rehandshake_mode
 g_tls_connection_get_require_close_notify
+g_tls_connection_get_use_system_certdb
 g_tls_connection_get_type G_GNUC_CONST
 g_tls_connection_handshake
 g_tls_connection_handshake_async
@@ -2051,6 +2052,7 @@ g_tls_connection_set_certificate
 g_tls_connection_set_peer_certificate
 g_tls_connection_set_rehandshake_mode
 g_tls_connection_set_require_close_notify
+g_tls_connection_set_use_system_certdb
 #endif
 #endif
diff --git a/gio/gtlsconnection.c b/gio/gtlsconnection.c
index e55f6f5..4ea9211 100644
--- a/gio/gtlsconnection.c
+++ b/gio/gtlsconnection.c
@@ -84,6 +84,7 @@ enum {
   PROP_BASE_IO_STREAM,
   PROP_REQUIRE_CLOSE_NOTIFY,
   PROP_REHANDSHAKE_MODE,
+  PROP_USE_SYSTEM_CERTDB,
   PROP_CERTIFICATE,
   PROP_PEER_CERTIFICATE
 };
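Review bot: The dummy backend now overrides "use-system-certdb", but its set_property/get_property handlers are outside the hunk, so it is not visible whether they need a PROP_USE_SYSTEM_CERTDB case; if they switch on the property id and warn on unknown ids, this G_PARAM_CONSTRUCT property would trigger that warning at construction time. Worth confirming, and if the handlers are deliberate no-op stubs, saying so next to them with a comment such as `/* dummy backend: properties are accepted but never stored */`. g_dummy_tls_connection_class_init begins before the hunk.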
@@ -119,6 +120,23 @@ g_tls_connection_class_init (GTlsConnectionClass *klass)
                                                         G_PARAM_CONSTRUCT_ONLY |
                                                         G_PARAM_STATIC_STRINGS));
   /**
+   * GTlsConnection:use-system-certdb:
+   *
+   * Whether or not the system certificate database will be used to
+   * verify peer certificates. See
+   * g_tls_connection_set_use_system_certdb().
+   *
+   * Since: 2.28
+   */
+  g_object_class_install_property (gobject_class, PROP_USE_SYSTEM_CERTDB,
+                                   g_param_spec_boolean ("use-system-certdb",
+                                                         P_("Use system certificate database"),
+                                                         P_("Whether to verify peer certificates against the system certificate database"),
+                                                         TRUE,
+                                                         G_PARAM_READWRITE |
+                                                         G_PARAM_CONSTRUCT |
+                                                         G_PARAM_STATIC_STRINGS));
+  /**
    * GTlsConnection:require-close-notify:
    *
    * Whether or not proper TLS close notification is required.
@@ -132,6 +150,7 @@ g_tls_connection_class_init (GTlsConnectionClass *klass)
                                                         P_("Whether to require proper TLS close notification"),
                                                         TRUE,
                                                         G_PARAM_READWRITE |
+                                                        G_PARAM_CONSTRUCT |
                                                         G_PARAM_STATIC_STRINGS));
   /**
    * GTlsConnection:rehandshake-mode:
@@ -148,6 +167,7 @@ g_tls_connection_class_init (GTlsConnectionClass *klass)
                                                         G_TYPE_TLS_REHANDSHAKE_MODE,
                                                         G_TLS_REHANDSHAKE_SAFELY,
                                                         G_PARAM_READWRITE |
+                                                        G_PARAM_CONSTRUCT |
                                                         G_PARAM_STATIC_STRINGS));
   /**
    * GTlsConnection:certificate:
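Review bot: The two following hunks of this function (@@ -132 and @@ -148) also add G_PARAM_CONSTRUCT to the existing require-close-notify and rehandshake-mode properties, and neither the commit message nor a comment explains why; with G_PARAM_CONSTRUCT, GObject passes the default value to each backend's set_property during construction, so every backend must tolerate those properties being set before the rest of its initialisation runs. A line in the description, or a comment beside the flag such as `/* G_PARAM_CONSTRUCT: backends receive the default via set_property at construction */`, would make the intent recoverable. The new use-system-certdb blurb could also state the default and the consequence of FALSE, since that is what the generated reference shows, e.g. `Defaults to %TRUE; when %FALSE, peer verification always reports %G_TLS_CERTIFICATE_UNKNOWN_CA.` g_tls_connection_class_init starts before and ends after the hunk.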
@@ -343,6 +363,56 @@ g_tls_connection_set_property (GObject *object,
 }
 
 /**
+ * g_tls_connection_set_use_system_certdb:
+ * @conn: a #GTlsConnection
+ * @use_system_certdb: whether to use the system certificate database
+ *
+ * Sets whether @conn uses the system certificate database to verify
+ * peer certificates. This is %TRUE by default. If set to %FALSE, then
+ * peer certificate validation will always set the
+ * %G_TLS_CERTIFICATE_UNKNOWN_CA error (meaning
+ * #GTlsConnection::accept-certificate will always be emitted on
+ * client-side connections, unless that bit is not set in
+ * #GTlsClientConnection:validation-flags).
+ *
+ * Since: 2.28
+ */
+void
+g_tls_connection_set_use_system_certdb (GTlsConnection *conn,
+                                        gboolean        use_system_certdb)
+{
+  g_return_if_fail (G_IS_TLS_CONNECTION (conn));
+
+  g_object_set (G_OBJECT (conn),
+                "use-system-certdb", use_system_certdb,
+                NULL);
+}
+
+/**
+ * g_tls_connection_get_use_system_certdb:
+ * @conn: a #GTlsConnection
+ *
+ * Gets whether @conn uses the system certificate database to verify
+ * peer certificates. See g_tls_connection_set_use_system_certdb().
+ *
+ * Return value: whether @conn uses the system certificate database
+ *
+ * Since: 2.28
+ */
+gboolean
+g_tls_connection_get_use_system_certdb (GTlsConnection *conn)
+{
+  gboolean use_system_certdb;
+
+  g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), TRUE);
+
+  g_object_get (G_OBJECT (conn),
+                "use-system-certdb", &use_system_certdb,
+                NULL);
+  return use_system_certdb;
+}
+
+/**
  * g_tls_connection_set_certificate:
  * @conn: a #GTlsConnection
  * @certificate: the certificate to use for @conn
diff --git a/gio/gtlsconnection.h b/gio/gtlsconnection.h
index 86f1f68..4b835a3 100644
--- a/gio/gtlsconnection.h
+++ b/gio/gtlsconnection.h
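Review bot: The contract for g_tls_connection_set_use_system_certdb does not say when the setting must be made: the property is read-write, but the doc only describes its effect on verification, so a caller cannot tell whether flipping it after the handshake (or after #GTlsConnection::accept-certificate has already fired) changes anything. Presumably it is only consulted when the peer chain is verified; once confirmed against the backends, add a sentence such as `This must be set before the handshake for it to affect certificate verification.` In the getter, `gboolean use_system_certdb;` could be initialised to `TRUE` so that a backend whose get_property does not handle the property still yields the documented default rather than whatever g_object_get leaves there, matching the value already used in the g_return_val_if_fail. The `unless that bit is not set in` clause is a double negative; `unless %G_TLS_CERTIFICATE_UNKNOWN_CA has been cleared from #GTlsClientConnection:validation-flags` reads more plainly.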
@@ -85,6 +85,10 @@ struct _GTlsConnectionClass
 GType g_tls_connection_get_type (void) G_GNUC_CONST;
 
+void g_tls_connection_set_use_system_certdb (GTlsConnection *conn,
+                                             gboolean        use_system_certdb);
+gboolean g_tls_connection_get_use_system_certdb (GTlsConnection *conn);
+
 void g_tls_connection_set_certificate (GTlsConnection *conn,
                                        GTlsCertificate *certificate);
 GTlsCertificate *g_tls_connection_get_certificate (GTlsConnection *conn);
-- 
2.7.4