[vlc-commits] gnutls: use system X.509 trust
Rémi Denis-Courmont
git at videolan.org
Sat Sep 29 18:02:16 CEST 2012
vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Thu Sep 27 21:40:41 2012 +0300| [ca7d4cbd3647a6a75103dc122779518feba30296] | committer: Rémi Denis-Courmont
gnutls: use system X.509 trust
GnuTLS system trust supports more systems, and supports Linux and
Windows better than the old custom code did.
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=ca7d4cbd3647a6a75103dc122779518feba30296
---
modules/misc/Modules.am | 2 +-
modules/misc/gnutls.c | 55 +++++++++++------------------------------------
2 files changed, 13 insertions(+), 44 deletions(-)
diff --git a/modules/misc/Modules.am b/modules/misc/Modules.am
index aa92fa8..4512e1d 100644
--- a/modules/misc/Modules.am
+++ b/modules/misc/Modules.am
@@ -16,7 +16,7 @@ libgnutls_plugin_la_SOURCES = gnutls.c dhparams.h
libgnutls_plugin_la_CFLAGS = $(AM_CFLAGS) $(GNUTLS_CFLAGS)
libgnutls_plugin_la_LIBADD = $(AM_LIBADD) $(GNUTLS_LIBS)
if HAVE_WIN32
-libgnutls_plugin_la_LIBADD += -lcrypt32 $(SOCKET_LIBS)
+libgnutls_plugin_la_LIBADD += $(SOCKET_LIBS)
endif
EXTRA_LTLIBRARIES += libgnutls_plugin.la
libvlc_LTLIBRARIES += $(LTLIBgnutls)
diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c
index 3416d8e..c4c0583 100644
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
@@ -32,9 +32,7 @@
#include <sys/stat.h>
#ifdef WIN32
-# include <windows.h>
# include <io.h>
-# include <wincrypt.h>
#else
# include <unistd.h>
#endif
@@ -49,6 +47,10 @@
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
+#if (GNUTLS_VERSION_NUMBER < 0x030014)
+# define gnutls_certificate_set_x509_system_trust(c) \
+ (c, GNUTLS_E_UNIMPLEMENTED_FEATURE)
+#endif
#include "dhparams.h"
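Review bot: The fallback macro added on the `# define gnutls_certificate_set_x509_system_trust(c)` line discards its argument through a bare comma expression, so on pre-3.0.20 headers GCC's -Wunused-value (in -Wall) reports "left-hand operand of comma expression has no effect" at every call site. Casting the argument away keeps the stub quiet while still referencing it: `# define gnutls_certificate_set_x509_system_trust(c) \` followed by `((void)(c), GNUTLS_E_UNIMPLEMENTED_FEATURE)`. It is also worth a one-line comment that this stub is compile-time only: a binary built against older headers but run against a 3.0.20+ library passes the runtime gnutls_check_version ("3.0.20") check in gnutls_Init yet never calls the real function, which appears to be the intended trade-off.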
@@ -118,7 +120,7 @@ static int gnutls_Init (vlc_object_t *p_this)
goto error;
}
- const char *psz_version = gnutls_check_version ("2.0.0");
+ const char *psz_version = gnutls_check_version ("3.0.20");
if (psz_version == NULL)
{
msg_Err (p_this, "unsupported GnuTLS version");
@@ -459,36 +461,6 @@ static void gnutls_x509_AddPath (vlc_object_t *obj,
gnutls_x509_AddFD (obj, cred, fd, priv, 5);
}
-#else /* WIN32 */
-static int
-gnutls_loadOSCAList (vlc_object_t *p_this,
- gnutls_certificate_credentials cred)
-{
- HCERTSTORE hCertStore = CertOpenSystemStoreA((HCRYPTPROV)NULL, "ROOT");
- if (!hCertStore)
- {
- msg_Warn (p_this, "could not open the Cert SystemStore");
- return VLC_EGENERIC;
- }
-
- PCCERT_CONTEXT pCertContext = CertEnumCertificatesInStore(hCertStore, NULL);
- while( pCertContext )
- {
- gnutls_datum data = {
- .data = pCertContext->pbCertEncoded,
- .size = pCertContext->cbCertEncoded,
- };
-
- if(!gnutls_certificate_set_x509_trust_mem(cred, &data, GNUTLS_X509_FMT_DER))
- {
- msg_Warn (p_this, "cannot add x509 credential");
- return VLC_EGENERIC;
- }
-
- pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext);
- }
- return VLC_SUCCESS;
-}
#endif /* WIN32 */
/**
@@ -520,6 +492,13 @@ static int OpenClient (vlc_tls_t *session, int fd, const char *hostname)
goto error;
}
+ val = gnutls_certificate_set_x509_system_trust (sys->x509_cred);
+ if (val < 0)
+ msg_Err (session, "cannot load trusted Certificate Authorities: %s",
+ gnutls_strerror (val));
+ else
+ msg_Dbg (session, "loaded %d trusted CAs", val);
+
#ifndef WIN32
char *userdir = config_GetUserDir (VLC_DATA_DIR);
if (userdir != NULL)
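Review bot: A failed system-trust load on the `if (val < 0)` line only logs and falls through, so OpenClient carries on with whatever trust store it has, and a return of zero is reported only at debug level as "loaded 0 trusted CAs". Whether a later peer-certificate check then fails closed depends on verification code outside this hunk; the deleted Windows loader at least returned VLC_EGENERIC when it could not add a CA, so this is a small behavioural change in the error path. At minimum the empty-store case deserves the same visibility as the error, e.g. `if (val <= 0) msg_Warn (session, "no trusted Certificate Authorities loaded (%s)", val < 0 ? gnutls_strerror (val) : "empty store");`, and if an empty store must not be tolerated the `val < 0` branch should `goto error` like the checks above it. Note that on the GNUTLS_VERSION_NUMBER < 0x030014 fallback this path always takes the error branch. OpenClient starts before this hunk and ends after it.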
@@ -534,16 +513,6 @@ static int OpenClient (vlc_tls_t *session, int fd, const char *hostname)
gnutls_x509_AddPath (VLC_OBJECT(session), sys->x509_cred, path, true);
free (userdir);
}
-
- const char *confdir = config_GetConfDir ();
- {
- char path[strlen (confdir)
- + sizeof ("/ssl/certs/ca-certificates.crt")];
- sprintf (path, "%s/ssl/certs/ca-certificates.crt", confdir);
- gnutls_x509_AddPath (VLC_OBJECT(session), sys->x509_cred, path, false);
- }
-#else /* WIN32 */
- gnutls_loadOSCAList (VLC_OBJECT(session), sys->x509_cred);
#endif
gnutls_certificate_set_verify_flags (sys->x509_cred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);