From dcc13c1d2f220dd1c8df9a667755f94592a957bc Mon Sep 17 00:00:00 2001 From: Nicolas Dufresne Date: Wed, 1 Feb 2012 16:27:38 -0500 Subject: [PATCH] Remove wocky_tls_session_add_crl This is unused by Gabble, unsupported by GIO. Correct usage of such a feature would be system whide, not really per-applications. --- .gitignore | 2 - tests/Makefile.am | 5 +--- tests/certs/ca-0-crl.cfg | 2 - tests/certs/ca-0-crl.pem | 13 ----------- tests/certs/crl/c5d5c0da.r0 | 1 - tests/certs/crl/ca-0-crl.pem | 13 ----------- tests/wocky-connector-test.c | 49 ------------------------------------------ wocky/wocky-openssl.c | 33 ++++++++------------------- wocky/wocky-tls-connector.c | 14 +----------- wocky/wocky-tls-handler.c | 39 --------------------------------- wocky/wocky-tls-handler.h | 3 -- wocky/wocky-tls.c | 49 ++++++++++++----------------------------- wocky/wocky-tls.h | 1 - 13 files changed, 27 insertions(+), 197 deletions(-) delete mode 100644 tests/certs/ca-0-crl.cfg delete mode 100644 tests/certs/ca-0-crl.pem delete mode 120000 tests/certs/crl/c5d5c0da.r0 delete mode 100644 tests/certs/crl/ca-0-crl.pem diff --git a/.gitignore b/.gitignore index 12c3c8d..5f396cd 100644 --- a/.gitignore +++ b/.gitignore @@ -87,7 +87,6 @@ tests/*report.xml # tests/certs/ca-0-key.pem # tests/certs/exp-cert.pem # keep these hanging around as we'd have # tests/certs/new-cert.pem # to build-dep on datefudge otherwise -# tests/certs/ca-0-crl.pem # tests/certs/ca-1-cert.pem # tests/certs/ca-1-key.pem # tests/certs/ca-2-cert.pem @@ -107,7 +106,6 @@ tests/*report.xml tests/certtool tests/tardis # tests/certs/cas/* -# tests/certs/crl/* examples/wocky-register examples/wocky-receive-messages diff --git a/tests/Makefile.am b/tests/Makefile.am index 0a0e3ed..d6c0d84 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am 
@@ -16,7 +16,6 @@ NEW_CERT := $(CERT_DIR)/new-cert.pem TLS_KEY := $(CERT_DIR)/tls-key.pem TLS_CERT := $(CERT_DIR)/tls-cert.pem CA_DIR := $(CERT_DIR)/cas -CRL_DIR := $(CERT_DIR)/crl UNKNOWN_KEY := $(CERT_DIR)/unknown-key.pem UNKNOWN_CERT := $(CERT_DIR)/unknown-cert.pem LIBWOCKY := $(top_builddir)/wocky/libwocky.la @@ -344,7 +343,5 @@ EXTRA_DIST = $(SUPPRESSIONS) \ $(wildcard $(srcdir)/certs/*.cfg) \ $(wildcard $(srcdir)/certs/*.pem) \ $(wildcard $(srcdir)/certs/cas/*.pem) \ - $(wildcard $(srcdir)/certs/cas/*.0) \ - $(wildcard $(srcdir)/certs/crl/*.pem) \ - $(wildcard $(srcdir)/certs/crl/*.r0) + $(wildcard $(srcdir)/certs/cas/*.0) diff --git a/tests/certs/ca-0-crl.cfg b/tests/certs/ca-0-crl.cfg deleted file mode 100644 index 1ba1001..0000000 --- a/tests/certs/ca-0-crl.cfg +++ /dev/null @@ -1,2 +0,0 @@ -expiration_days = 10220 -crl_next_update = 10220 diff --git a/tests/certs/ca-0-crl.pem b/tests/certs/ca-0-crl.pem deleted file mode 100644 index 9d8333f..0000000 --- a/tests/certs/ca-0-crl.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN X509 CRL----- -MIIB+DCB4wIBATALBgkqhkiG9w0BAQUwbDELMAkGA1UEBhMCVUsxEjAQBgNVBAoT -CUNvbGxhYm9yYTEZMBcGA1UECxMQV29ja3kgVGVzdCBTdWl0ZTERMA8GA1UECBMI -Q29uZnVzZWQxGzAZBgNVBAMTEldvY2t5IFhNUFAgTGlicmFyeRcNMTAxMDAxMTM0 -ODU1WhcNMzgwOTI0MTM0ODU1WjAUMBICAQsXDTEwMTAwMTEzNDg1NVqgLzAtMB8G -A1UdIwQYMBaAFEkwJgiMmtZpzYvAzA5cAo5KH6aMMAoGA1UdFAQDAgEAMAsGCSqG -SIb3DQEBBQOCAQEAq1NAKBtQyP3SxIDOhkSUhWhyRw5sSWbDLunzOfa+LnNUqZHb -WWzKNnok2xJnaNPLQHUdPp00Oz0FYaXWsbYDWWlEI5KxkCFkbalU0+rAUoXpCuAf -hbBDDBnd2pVQpwwS+w6EBxwezq0LUyg8QcmStEV2aGd5gvyfN9f4UnA5wLL3FGQu -DEhHxIzlfvfSI57536eoWkawq+cekDN+kwy08o1t/RXuM8+Su1AIYEHnOp8HpDyG -2mXgoOV5ZYwCPkZy/SlCTI9FK6tbmKUUj39DK6QGk3+vgRKET/hYw+cU8FPsaQ6K -LQmLVOHS+o6drp1869JhiJktfhxMEw8bRgta0Q== ------END X509 CRL----- diff --git a/tests/certs/crl/c5d5c0da.r0 b/tests/certs/crl/c5d5c0da.r0 deleted file mode 120000 index f0c8057..0000000 --- a/tests/certs/crl/c5d5c0da.r0 +++ /dev/null 
@@ -1 +0,0 @@ -ca-0-crl.pem \ No newline at end of file diff --git a/tests/certs/crl/ca-0-crl.pem b/tests/certs/crl/ca-0-crl.pem deleted file mode 100644 index 9d8333f..0000000 --- a/tests/certs/crl/ca-0-crl.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN X509 CRL----- -MIIB+DCB4wIBATALBgkqhkiG9w0BAQUwbDELMAkGA1UEBhMCVUsxEjAQBgNVBAoT -CUNvbGxhYm9yYTEZMBcGA1UECxMQV29ja3kgVGVzdCBTdWl0ZTERMA8GA1UECBMI -Q29uZnVzZWQxGzAZBgNVBAMTEldvY2t5IFhNUFAgTGlicmFyeRcNMTAxMDAxMTM0 -ODU1WhcNMzgwOTI0MTM0ODU1WjAUMBICAQsXDTEwMTAwMTEzNDg1NVqgLzAtMB8G -A1UdIwQYMBaAFEkwJgiMmtZpzYvAzA5cAo5KH6aMMAoGA1UdFAQDAgEAMAsGCSqG -SIb3DQEBBQOCAQEAq1NAKBtQyP3SxIDOhkSUhWhyRw5sSWbDLunzOfa+LnNUqZHb -WWzKNnok2xJnaNPLQHUdPp00Oz0FYaXWsbYDWWlEI5KxkCFkbalU0+rAUoXpCuAf -hbBDDBnd2pVQpwwS+w6EBxwezq0LUyg8QcmStEV2aGd5gvyfN9f4UnA5wLL3FGQu -DEhHxIzlfvfSI57536eoWkawq+cekDN+kwy08o1t/RXuM8+Su1AIYEHnOp8HpDyG -2mXgoOV5ZYwCPkZy/SlCTI9FK6tbmKUUj39DK6QGk3+vgRKET/hYw+cU8FPsaQ6K -LQmLVOHS+o6drp1869JhiJktfhxMEw8bRgta0Q== ------END X509 CRL----- diff --git a/tests/wocky-connector-test.c b/tests/wocky-connector-test.c index 663cc49..975df5d 100644 --- a/tests/wocky-connector-test.c +++ b/tests/wocky-connector-test.c @@ -2684,18 +2684,6 @@ test_t tests[] = { "moose@tomato-juice.org", "something", PLAIN, TLS }, { "tomato-juice.org", 0, XMPP_V1 } } }, - { "/connector/cert-verification/tls/crl/fail", - QUIET, - { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_REVOKED, -1 }, - { { TLS, NULL }, - { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK }, - { "moose", "something" }, - PORT_XMPP, CERT_REVOKED }, - { "weasel-juice.org", PORT_XMPP, "thud.org", REACHABLE, UNREACHABLE }, - { PLAINTEXT_OK, - { "moose@weasel-juice.org", "something", PLAIN, TLS }, - { NULL, 0, XMPP_V1 } } }, - { "/connector/cert-verification/tls/expired/fail", QUIET, { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_EXPIRED, -1 }, 
@@ -2812,18 +2800,6 @@ test_t tests[] = { "moose@tomato-juice.org", "something", PLAIN, TLS }, { "tomato-juice.org", 0, XMPP_V1, OLD_SSL } } }, - { "/connector/cert-verification/ssl/crl/fail", - QUIET, - { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_REVOKED, -1 }, - { { TLS, NULL }, - { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } }, - { "moose", "something" }, - PORT_XMPP, CERT_REVOKED }, - { "weasel-juice.org", PORT_XMPP, "thud.org", REACHABLE, UNREACHABLE }, - { PLAINTEXT_OK, - { "moose@weasel-juice.org", "something", PLAIN, TLS }, - { NULL, 0, XMPP_V1, OLD_SSL } } }, - { "/connector/cert-verification/ssl/expired/fail", QUIET, { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_EXPIRED, -1 }, @@ -2922,18 +2898,6 @@ test_t tests[] = { "moose@tomato-juice.org", "something", PLAIN, TLS }, { "tomato-juice.org", 0, XMPP_V1, STARTTLS, CERT_CHECK_LENIENT } } }, - { "/connector/cert-nonverification/tls/crl/fail", - QUIET, - { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_REVOKED, -1 }, - { { TLS, NULL }, - { SERVER_PROBLEM_NO_PROBLEM, CONNECTOR_OK }, - { "moose", "something" }, - PORT_XMPP, CERT_REVOKED }, - { "weasel-juice.org", PORT_XMPP, "thud.org", REACHABLE, UNREACHABLE }, - { PLAINTEXT_OK, - { "moose@weasel-juice.org", "something", PLAIN, TLS }, - { NULL, 0, XMPP_V1, STARTTLS, CERT_CHECK_LENIENT } } }, - { "/connector/cert-nonverification/tls/expired/ok", QUIET, { S_NO_ERROR, }, 
@@ -3032,18 +2996,6 @@ test_t tests[] = { "moose@tomato-juice.org", "something", PLAIN, TLS }, { "tomato-juice.org", 0, XMPP_V1, OLD_SSL, CERT_CHECK_LENIENT } } }, - { "/connector/cert-nonverification/ssl/crl/fail", - QUIET, - { S_WOCKY_TLS_CERT_ERROR, WOCKY_TLS_CERT_REVOKED, -1 }, - { { TLS, NULL }, - { SERVER_PROBLEM_NO_PROBLEM, { XMPP_PROBLEM_OLD_SSL, OK, OK, OK, OK } }, - { "moose", "something" }, - PORT_XMPP, CERT_REVOKED }, - { "weasel-juice.org", PORT_XMPP, "thud.org", REACHABLE, UNREACHABLE }, - { PLAINTEXT_OK, - { "moose@weasel-juice.org", "something", PLAIN, TLS }, - { NULL, 0, XMPP_V1, OLD_SSL, CERT_CHECK_LENIENT } } }, - { "/connector/cert-nonverification/ssl/expired/ok", QUIET, { S_NO_ERROR, }, @@ -3376,7 +3328,6 @@ run_test (gpointer data) NULL); wocky_tls_handler_add_ca (handler, ca); - wocky_tls_handler_add_crl (handler, TLS_CRL_DIR); g_object_unref (handler); diff --git a/wocky/wocky-openssl.c b/wocky/wocky-openssl.c index 320af7a..0bb1970 100644 --- a/wocky/wocky-openssl.c +++ b/wocky/wocky-openssl.c 
@@ -752,29 +752,29 @@ wocky_tls_session_handshake (WockyTLSSession *session, } /* ************************************************************************* */ -/* adding CA certificates and CRL lists for peer certificate verification */ -static void -add_ca_or_crl (WockyTLSSession *session, - const gchar *path, - const gchar *label) +/* adding CA certificates lists for peer certificate verification */ + +void +wocky_tls_session_add_ca (WockyTLSSession *session, + const gchar *path) { gboolean ok = FALSE; if (!g_file_test (path, G_FILE_TEST_EXISTS)) { - DEBUG ("%s file or path '%s' not accessible", label, path); + DEBUG ("CA file or path '%s' not accessible", path); return; } if (g_file_test (path, G_FILE_TEST_IS_DIR)) { - DEBUG ("Loading %s directory", label); + DEBUG ("Loading CA directory"); ok = SSL_CTX_load_verify_locations (session->ctx, NULL, path); } if (g_file_test (path, G_FILE_TEST_IS_REGULAR)) { - DEBUG ("Loading %s file", label); + DEBUG ("Loading CA file"); ok = SSL_CTX_load_verify_locations (session->ctx, path, NULL); } @@ -783,25 +783,12 @@ add_ca_or_crl (WockyTLSSession *session, gulong e, f; for (f = e = ERR_get_error (); e != 0; e = ERR_get_error ()) f = e; - DEBUG ("%s '%s' failed: %s", label, path, ERR_error_string (f, NULL)); + DEBUG ("CA '%s' failed: %s", path, ERR_error_string (f, NULL)); } else - DEBUG ("%s '%s' loaded", label, path); -} - -void -wocky_tls_session_add_ca (WockyTLSSession *session, - const gchar *path) -{ - add_ca_or_crl (session, path, "CA"); + DEBUG ("CA '%s' loaded", path); } -void -wocky_tls_session_add_crl (WockyTLSSession *session, - const gchar *path) -{ - add_ca_or_crl (session, path, "CRL"); -} /* ************************************************************************* */ void diff --git a/wocky/wocky-tls-connector.c b/wocky/wocky-tls-connector.c index 9cb3bf7..035f3a3 100644 --- a/wocky/wocky-tls-connector.c +++ b/wocky/wocky-tls-connector.c 
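Review bot: In the new `wocky_tls_session_add_ca` the `ok` flag stays FALSE when `path` exists but is neither a directory nor a regular file (a FIFO or socket; g_file_test follows symlinks), so the failure branch in the second hunk calls ERR_get_error() on an empty queue and logs a meaningless `error:00000000` string rather than the real reason. Making the second test an `else if (g_file_test (path, G_FILE_TEST_IS_REGULAR))` and adding `else { DEBUG ("CA path '%s' is neither a file nor a directory", path); return; }` keeps the log honest without changing the loading behaviour. The function spans both hunks, with the `if (!ok)` test falling between them. Since this store can no longer receive CRLs, any code elsewhere in the backend that sets X509_V_FLAG_CRL_CHECK on the verify store (not visible in this diff) would now fail every verification for want of a CRL and should be retired together with this change.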
@@ -175,25 +175,13 @@ add_ca (gpointer data, } static void -add_crl (gpointer data, - gpointer user_data) -{ - WockyTLSSession *session = user_data; - const gchar *path = data; - - wocky_tls_session_add_crl (session, path); -} - -static void prepare_session (WockyTLSConnector *self) { - GSList *cas, *crls; + GSList *cas; cas = wocky_tls_handler_get_cas (self->priv->handler); - crls = wocky_tls_handler_get_crls (self->priv->handler); g_slist_foreach (cas, add_ca, self->priv->session); - g_slist_foreach (crls, add_crl, self->priv->session); } static void diff --git a/wocky/wocky-tls-handler.c b/wocky/wocky-tls-handler.c index e55aa1b..256514c 100644 --- a/wocky/wocky-tls-handler.c +++ b/wocky/wocky-tls-handler.c @@ -50,7 +50,6 @@ struct _WockyTLSHandlerPrivate { gboolean ignore_ssl_errors; GSList *cas; - GSList *crls; }; static void @@ -102,12 +101,6 @@ wocky_tls_handler_finalize (GObject *object) g_slist_free (self->priv->cas); } - if (self->priv->crls != NULL) - { - g_slist_foreach (self->priv->crls, (GFunc) g_free, NULL); - g_slist_free (self->priv->crls); - } - G_OBJECT_CLASS (wocky_tls_handler_parent_class)->finalize (object); } 
@@ -318,30 +311,6 @@ wocky_tls_handler_add_ca (WockyTLSHandler *self, return abspath != NULL; } -/** - * wocky_tls_handler_add_crl: - * @self: a #WockyTLSHandler instance - * @path: a path to a directory or file containing PEM encoded CRLs - * - * This function does not descend subdirectories automatically. - * - * Returns: a #gboolean indicating whether the path was resolved. - * Does not indicate that there was actually a file or directory there - * or that any CRLs were actually found. The CRLs won't actually be loaded - * until just before the TLS session setup is attempted. - */ -gboolean -wocky_tls_handler_add_crl (WockyTLSHandler *self, - const gchar *path) -{ - gchar *abspath = wocky_absolutize_path (path); - - if (abspath != NULL) - self->priv->crls = g_slist_prepend (self->priv->crls, abspath); - - return abspath != NULL; -} - GSList * wocky_tls_handler_get_cas (WockyTLSHandler *self) { @@ -349,11 +318,3 @@ wocky_tls_handler_get_cas (WockyTLSHandler *self) return self->priv->cas; } - -GSList * -wocky_tls_handler_get_crls (WockyTLSHandler *self) -{ - g_assert (WOCKY_IS_TLS_HANDLER (self)); - - return self->priv->crls; -} diff --git a/wocky/wocky-tls-handler.h b/wocky/wocky-tls-handler.h index 1fb7f76..315f86d 100644 --- a/wocky/wocky-tls-handler.h +++ b/wocky/wocky-tls-handler.h @@ -101,11 +101,8 @@ gboolean wocky_tls_handler_verify_finish (WockyTLSHandler *self, gboolean wocky_tls_handler_add_ca (WockyTLSHandler *self, const gchar *path); -gboolean wocky_tls_handler_add_crl (WockyTLSHandler *self, - const gchar *path); GSList *wocky_tls_handler_get_cas (WockyTLSHandler *self); -GSList *wocky_tls_handler_get_crls (WockyTLSHandler *self); G_END_DECLS diff --git a/wocky/wocky-tls.c b/wocky/wocky-tls.c index 069551d..90fe5be 100644 --- a/wocky/wocky-tls.c +++ b/wocky/wocky-tls.c 
@@ -528,24 +528,20 @@ wocky_tls_session_handshake (WockyTLSSession *session, } /* ************************************************************************* */ -/* adding CA certificates and CRL lists for peer certificate verification */ -typedef int (*add_certfile) (gnutls_certificate_credentials_t res, - const char *file, - gnutls_x509_crt_fmt_t type); +/* adding CA certificates lists for peer certificate verification */ -static void -add_certfiles (gnutls_certificate_credentials cred, - const gchar *thing, - add_certfile add) +void +wocky_tls_session_add_ca (WockyTLSSession *session, + const gchar *ca_path) { int n = 0; struct stat target; - DEBUG ("checking %s", thing); + DEBUG ("adding CA CERT path '%s'", (gchar *) ca_path); - if (stat (thing, &target) != 0) + if (stat (ca_path, &target) != 0) { - DEBUG ("ca/crl file '%s': stat failed)", thing); + DEBUG ("CA file '%s': stat failed)", ca_path); return; } 
@@ -554,47 +550,32 @@ add_certfiles (gnutls_certificate_credentials cred, DIR *dir; struct dirent *entry; - if ((dir = opendir (thing)) == NULL) + if ((dir = opendir (ca_path)) == NULL) return; for (entry = readdir (dir); entry != NULL; entry = readdir (dir)) { struct stat file; - gchar *path = g_build_path ("/", thing, entry->d_name, NULL); + gchar *path = g_build_path ("/", ca_path, entry->d_name, NULL); if ((stat (path, &file) == 0) && S_ISREG (file.st_mode)) - n += add (cred, path, GNUTLS_X509_FMT_PEM); + n += gnutls_certificate_set_x509_trust_file ( + session->gnutls_cert_cred, path, GNUTLS_X509_FMT_PEM); g_free (path); } - DEBUG ("+ %s: %d certs from dir", thing, n); + DEBUG ("+ %s: %d certs from dir", ca_path, n); closedir (dir); } else if (S_ISREG (target.st_mode)) { - n = add (cred, thing, GNUTLS_X509_FMT_PEM); - DEBUG ("+ %s: %d certs from file", thing, n); + n = gnutls_certificate_set_x509_trust_file (session->gnutls_cert_cred, + ca_path, GNUTLS_X509_FMT_PEM); + DEBUG ("+ %s: %d certs from file", ca_path, n); } } -void -wocky_tls_session_add_ca (WockyTLSSession *session, - const gchar *path) -{ - DEBUG ("adding CA CERT path '%s'", (gchar *) path); - add_certfiles (session->gnutls_cert_cred, path, - gnutls_certificate_set_x509_trust_file); -} - -void -wocky_tls_session_add_crl (WockyTLSSession *session, - const gchar *path) -{ - DEBUG ("adding CRL path '%s'", (gchar *) path); - add_certfiles (session->gnutls_cert_cred, path, - gnutls_certificate_set_x509_crl_file); -} /* ************************************************************************* */ void diff --git a/wocky/wocky-tls.h b/wocky/wocky-tls.h index 9b08c8a..7ed561f 100644 --- a/wocky/wocky-tls.h +++ b/wocky/wocky-tls.h 
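Review bot: Both calls to gnutls_certificate_set_x509_trust_file in the new `wocky_tls_session_add_ca` add the return value straight to `n`, but that function returns a negative error code on failure (an unreadable or non-PEM file, for instance), so one bad file in a directory silently lowers the reported count and a failing single file logs a negative "certs from file" number instead of the cause. Check the sign before accumulating and log gnutls_strerror() on error, so a misconfigured trust path is at least visible in the debug output; an `opendir` failure is likewise returned silently while the stat failure in the previous hunk is logged. The function begins in the previous hunk and the `S_ISDIR` test sits between the two hunks.
```c
      if ((stat (path, &file) == 0) && S_ISREG (file.st_mode))
        {
          int r = gnutls_certificate_set_x509_trust_file (
              session->gnutls_cert_cred, path, GNUTLS_X509_FMT_PEM);

          /* negative return is a gnutls error code, not a certificate count */
          if (r < 0)
            DEBUG ("CA file '%s': %s", path, gnutls_strerror (r));
          else
            n += r;
        }
      /* … unchanged: g_free (path), closedir, "certs from dir" debug … */
    }
  else if (S_ISREG (target.st_mode))
    {
      int r = gnutls_certificate_set_x509_trust_file (session->gnutls_cert_cred,
          ca_path, GNUTLS_X509_FMT_PEM);

      if (r < 0)
        DEBUG ("CA file '%s': %s", ca_path, gnutls_strerror (r));
      else
        {
          n = r;
          DEBUG ("+ %s: %d certs from file", ca_path, n);
        }
    }
```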
@@ -103,7 +103,6 @@ wocky_tls_session_handshake_finish (WockyTLSSession *session, GError **error); void wocky_tls_session_add_ca (WockyTLSSession *session, const gchar *path); -void wocky_tls_session_add_crl (WockyTLSSession *session, const gchar *path); WockyTLSSession *wocky_tls_session_new (GIOStream *stream); -- 1.7.7.6