This property indicates whether to look into the system
CA database when validating certificates in a TLS connection.
This property defaults to TRUE, but is automatically set to
FALSE when SpiceSession:ca-file is set.
---
gtk/spice-option.c | 8 ++++++++
gtk/spice-session-priv.h | 3 +++
gtk/spice-session.c | 46 +++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/gtk/spice-option.c b/gtk/spice-option.c
index 5f7c803..f07e9be 100644
--- a/gtk/spice-option.c
+++ b/gtk/spice-option.c
@@ -216,6 +216,7 @@ GOptionGroup* spice_get_option_group(void)
**/
void spice_set_session_option(SpiceSession *session)
{
+ gboolean use_system_ca_file = FALSE;
g_return_if_fail(SPICE_IS_SESSION(session));
if (ca_file == NULL) {
@@ -223,6 +224,9 @@ void spice_set_session_option(SpiceSession *session)
if (!homedir)
homedir = g_get_home_dir();
ca_file = g_strdup_printf("%s/.spicec/spice_truststore.pem", homedir);
+ /* If --spice-ca-file was not used, we want to keep using the
+ * system CA database if needed */
+ use_system_ca_file = TRUE;
}
if (disable_effects) {
@@ -241,6 +245,10 @@ void spice_set_session_option(SpiceSession *session)
g_object_set(session, "color-depth", color_depth, NULL);
if (ca_file)
g_object_set(session, "ca-file", ca_file, NULL);
+ /* Setting SpiceSession:ca-file may change the value of
+ * SpiceSession:use_system_ca_file, so these 2 properties should not
+ * be set in a single call */
+ g_object_set(session, "use-system-ca-file", use_system_ca_file, NULL);
if (host_subject)
g_object_set(session, "cert-subject", host_subject, NULL);
if (smartcard) {
diff --git a/gtk/spice-session-priv.h b/gtk/spice-session-priv.h
index 55fee47..b13e1ee 100644
--- a/gtk/spice-session-priv.h
+++ b/gtk/spice-session-priv.h
@@ -39,6 +39,8 @@ struct _SpiceSessionPrivate {
char *tls_port;
char *password;
char *ca_file;
+ /* Whether to use SPICE_SYSTEM_CA_FILE as a trust store or not */
+ gboolean use_system_ca_file;
char *ciphers;
GByteArray *pubkey;
GByteArray *ca;
@@ -140,6 +142,7 @@ const gchar* spice_session_get_host(SpiceSession *session);
const gchar* spice_session_get_cert_subject(SpiceSession *session);
const gchar* spice_session_get_ciphers(SpiceSession *session);
const gchar* spice_session_get_ca_file(SpiceSession *session);
+gboolean spice_session_get_use_system_ca_file(SpiceSession *session);
void spice_session_get_ca(SpiceSession *session, guint8 **ca, guint *size);
void spice_session_set_caches_hints(SpiceSession *session,
diff --git a/gtk/spice-session.c b/gtk/spice-session.c
index 79a13de..60526fe 100644
--- a/gtk/spice-session.c
+++ b/gtk/spice-session.c
@@ -108,7 +108,8 @@ enum {
PROP_NAME,
PROP_CA,
PROP_PROXY,
- PROP_SECURE_CHANNELS
+ PROP_SECURE_CHANNELS,
+ PROP_USE_SYSTEM_CA_FILE
};
/* signals */
@@ -501,6 +502,9 @@ static void spice_session_get_property(GObject *gobject,
case PROP_PROXY:
g_value_take_string(value, spice_proxy_to_string(s->proxy));
break;
+ case PROP_USE_SYSTEM_CA_FILE:
+ g_value_set_boolean(value, s->use_system_ca_file);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
break;
@@ -536,6 +540,9 @@ static void spice_session_set_property(GObject *gobject,
case PROP_CA_FILE:
g_free(s->ca_file);
s->ca_file = g_value_dup_string(value);
+ if (s->use_system_ca_file) {
+ g_object_set(gobject, "use-system-ca-file", FALSE, NULL);
+ }
break;
case PROP_CIPHERS:
g_free(s->ciphers);
@@ -619,10 +626,16 @@ static void spice_session_set_property(GObject *gobject,
case PROP_CA:
g_clear_pointer(&s->ca, g_byte_array_unref);
s->ca = g_value_dup_boxed(value);
+ if (s->use_system_ca_file) {
+ g_object_set(gobject, "use-system-ca-file", FALSE, NULL);
+ }
break;
case PROP_PROXY:
update_proxy(session, g_value_get_string(value));
break;
+ case PROP_USE_SYSTEM_CA_FILE:
+ s->use_system_ca_file = g_value_get_boolean(value);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec);
break;
@@ -720,6 +733,27 @@ static void spice_session_class_init(SpiceSessionClass *klass)
G_PARAM_STATIC_STRINGS));
/**
+ * SpiceSession:use-system-ca-file:
+ *
+ * When this property is set to %TRUE, the system certificate database
+ * will be used when verifying the certificate used by the remote host
+ * in a TLS connection.
+ *
+ * If this is set to %FALSE, only the file specified in
+ * #SpiceSession:ca-file will be used to check the remote certificate.
+ *
+ **/
+ g_object_class_install_property
+ (gobject_class, PROP_USE_SYSTEM_CA_FILE,
+ g_param_spec_boolean("use-system-ca-file",
+ "Use system CA file",
+ "Use the system certificate database",
+ TRUE,
+ G_PARAM_READWRITE |
+ G_PARAM_CONSTRUCT |
+ G_PARAM_STATIC_STRINGS));
+
+ /**
* SpiceSession:ciphers:
*
**/
@@ -2082,6 +2116,16 @@ const gchar* spice_session_get_ca_file(SpiceSession *session)
}
G_GNUC_INTERNAL
+gboolean spice_session_get_use_system_ca_file(SpiceSession *session)
+{
+ SpiceSessionPrivate *s = SPICE_SESSION_GET_PRIVATE(session);
+
+ g_return_val_if_fail(s != NULL, FALSE);
+ return s->use_system_ca_file;
+
+}
+
+G_GNUC_INTERNAL
void spice_session_get_caches(SpiceSession *session,
display_cache **images,
SpiceGlzDecoderWindow **glz_window)
--
1.8.4.2
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel