
From 7712a50a4c3dfecda6b6401ba5a9dff52a583ecb Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Wed, 15 Mar 2017 20:23:43 +0100
Subject: [PATCH 1/5] tls-verifier: Handle GNUTLS_CERT_REVOKED
... by mapping it to TP_TLS_CERTIFICATE_REJECT_REASON_REVOKED.
https://bugzilla.gnome.org/show_bug.cgi?id=780160
---
 libempathy/empathy-tls-verifier.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c
c51fd9
index fcbc559b3f97..8f80b4372de1 100644
c51fd9
--- a/libempathy/empathy-tls-verifier.c
c51fd9
+++ b/libempathy/empathy-tls-verifier.c
c51fd9
@@ -98,6 +98,8 @@ verification_output_to_reason (gint res,
c51fd9
         *reason = TP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
c51fd9
       else if (verify_output & GNUTLS_CERT_EXPIRED)
c51fd9
         *reason = TP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
c51fd9
+      else if (verify_output & GNUTLS_CERT_REVOKED)
c51fd9
+        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_REVOKED;
c51fd9
       else
c51fd9
         *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
c51fd9
 
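Review bot: The new `else if (verify_output & GNUTLS_CERT_REVOKED)` branch is the last test in the chain, so a certificate that is both revoked and expired (or not yet valid) is reported as EXPIRED or NOT_ACTIVATED and the revocation is never surfaced; `verify_output` is a bit set and the else-if order alone decides the single reason returned. Move the revoked test ahead of the date checks, i.e. place it before `else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)`, so the stronger reason wins when several bits are set. verification_output_to_reason starts before this hunk.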
-- 
2.14.4
From 8c5dc77f406308b77b4a6c7274ff8096091267a6 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Mon, 20 Mar 2017 19:20:11 +0100
Subject: [PATCH 2/5] tests: Fix comment
The existing comment was mistakenly copied from
test_certificate_verify_success_with_full_chain.
This test case is about a certificate that has been pinned against a
specific peer. The mock TLS connection doesn't have the full chain,
but just the leaf-level certificate that has been pinned.
https://bugzilla.gnome.org/show_bug.cgi?id=780160
---
 tests/empathy-tls-test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/empathy-tls-test.c b/tests/empathy-tls-test.c
c51fd9
index 91b05761f9b9..0752e1b328c5 100644
c51fd9
--- a/tests/empathy-tls-test.c
c51fd9
+++ b/tests/empathy-tls-test.c
c51fd9
@@ -654,8 +654,8 @@ test_certificate_verify_success_with_pinned (Test *test,
c51fd9
   };
c51fd9
 
c51fd9
   /*
c51fd9
-   * In this test the mock TLS connection has a full certificate
c51fd9
-   * chain. We look for an anchor certificate in the chain.
c51fd9
+   * In this test the mock TLS connection has a certificate that has
c51fd9
+   * been pinned for the test-server.empathy.gnome.org peer.
c51fd9
    */
c51fd9
 
c51fd9
   test->mock = mock_tls_certificate_new_and_register (test->dbus,
-- 
2.14.4
From 6fe06a78a7538cefa2333b180d58b330325796ab Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Mon, 20 Mar 2017 19:31:39 +0100
Subject: [PATCH 3/5] tests: Actually test that hostnames of pinned
 certificates are verified
This test case is about ensuring that a pinned certificate won't be
validated if the wrong hostname is used.
If we don't add the pinned certificate to our database, then checks for
pinning are going to fail regardless of the hostname being used. The
correct certificate-hostname pair needs to be in the database to ensure
that the hostnames are being matched as advertised.
https://bugzilla.gnome.org/show_bug.cgi?id=780160
---
 tests/empathy-tls-test.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/empathy-tls-test.c b/tests/empathy-tls-test.c
c51fd9
index 0752e1b328c5..422909e7cc2a 100644
c51fd9
--- a/tests/empathy-tls-test.c
c51fd9
+++ b/tests/empathy-tls-test.c
c51fd9
@@ -695,7 +695,8 @@ test_certificate_verify_pinned_wrong_host (Test *test,
c51fd9
   test->mock = mock_tls_certificate_new_and_register (test->dbus,
c51fd9
           "server-cert.cer", NULL);
c51fd9
 
c51fd9
-  /* Note that we're not adding any place to find root certs */
c51fd9
+  /* We add the collabora directory with the collabora root */
c51fd9
+  add_certificate_to_mock (test, "server-cert.cer", "test-server.empathy.gnome.org");
c51fd9
 
c51fd9
   ensure_certificate_proxy (test);
c51fd9
 
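Review bot: The comment added above `add_certificate_to_mock (test, "server-cert.cer", "test-server.empathy.gnome.org");` describes something else — no collabora directory or root is involved in this call; it registers server-cert.cer as pinned for the test-server.empathy.gnome.org peer so that the wrong-host lookup this test performs is the only thing that can fail. Suggested wording: `/* Pin server-cert.cer for test-server.empathy.gnome.org so that only the hostname check can reject it */`. The rest of test_certificate_verify_pinned_wrong_host, including the hostname it actually verifies against, is outside this hunk.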
-- 
2.14.4
From f07492434449bcdd74a61aa74596884ef5700d88 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Wed, 15 Mar 2017 20:24:08 +0100
Subject: [PATCH 4/5] tls-verifier: Use GIO to verify the chain of TLS
 certificates
Gcr has its own hand rolled code to complete the certificate chain and
validate it, which predates the equivalent functionality in GIO. These
days, GIO's GnuTLS backend is a better option because it defers to
GnuTLS to do the right thing. It benefits automatically from any
improvements made to GnuTLS itself.
However, GIO doesn't support certificate pinning. Gcr continues to
provide that feature.
Note:
(a) We don't set "certificate-hostname" when we encounter
TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH. The resulting loss
of verbosity in EmpathyTLSDialog is balanced by no longer relying on a
specific encryption library.
(b) glib-networking doesn't differentiate between
GNUTLS_CERT_SIGNER_NOT_FOUND and GNUTLS_CERT_SIGNER_NOT_CA. Hence, we
club them together as TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED and we
no longer return TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED.
(c) Unlike Gcr, GnuTLS doesn't seem to provide a way to load a PKCS#11
module that's built into the code, as opposed to being a shared object.
This makes it hard for us to load our mock PKCS#11 module. Therefore,
we have disabled the test case that relies on using PKCS#11 storage to
complete the certificate chain.
Bump required GLib version to 2.48. We really do need 2.48 because we
rely on the improvements to GIO's GnuTLS backend.
https://bugzilla.gnome.org/show_bug.cgi?id=780160
---
 configure.ac                      |   6 +-
 libempathy/empathy-tls-verifier.c | 419 ++++++++++++++++++--------------------
 libempathy/empathy-tls-verifier.h |   3 +
 tests/empathy-tls-test.c          |  35 +++-
 4 files changed, 232 insertions(+), 231 deletions(-)
diff --git a/configure.ac b/configure.ac
c51fd9
index a427eba3af56..cd6f371de799 100644
c51fd9
--- a/configure.ac
c51fd9
+++ b/configure.ac
c51fd9
@@ -37,9 +37,9 @@ AC_COPYRIGHT([
c51fd9
 FOLKS_REQUIRED=0.9.5
c51fd9
 GNUTLS_REQUIRED=2.8.5
c51fd9
 
c51fd9
-GLIB_REQUIRED=2.37.6
c51fd9
-AC_DEFINE(GLIB_VERSION_MIN_REQUIRED, GLIB_VERSION_2_30, [Ignore post 2.30 deprecations])
c51fd9
-AC_DEFINE(GLIB_VERSION_MAX_ALLOWED, GLIB_VERSION_2_38, [Prevent post 2.38 APIs])
c51fd9
+GLIB_REQUIRED=2.48.0
c51fd9
+AC_DEFINE(GLIB_VERSION_MIN_REQUIRED, GLIB_VERSION_2_48, [Ignore post 2.48 deprecations])
c51fd9
+AC_DEFINE(GLIB_VERSION_MAX_ALLOWED, GLIB_VERSION_2_48, [Prevent post 2.48 APIs])
c51fd9
 
c51fd9
 GTK_REQUIRED=3.9.4
c51fd9
 AC_DEFINE(GDK_VERSION_MIN_REQUIRED, GDK_VERSION_3_8, [Ignore post 3.8 deprecations])
c51fd9
diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c
c51fd9
index 8f80b4372de1..a8306bb569ea 100644
c51fd9
--- a/libempathy/empathy-tls-verifier.c
c51fd9
+++ b/libempathy/empathy-tls-verifier.c
c51fd9
@@ -1,7 +1,9 @@
c51fd9
 /*
c51fd9
  * empathy-tls-verifier.c - Source for EmpathyTLSVerifier
c51fd9
  * Copyright (C) 2010 Collabora Ltd.
c51fd9
+ * Copyright (C) 2017 Red Hat, Inc.
c51fd9
  * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
c51fd9
+ * @author Debarshi Ray <debarshir@gnome.org>
c51fd9
  * @author Stef Walter <stefw@collabora.co.uk>
c51fd9
  *
c51fd9
  * This library is free software; you can redistribute it and/or
c51fd9
@@ -43,6 +45,8 @@ enum {
c51fd9
 };
c51fd9
 
c51fd9
 typedef struct {
c51fd9
+  GTlsCertificate *g_certificate;
c51fd9
+  GTlsDatabase *database;
c51fd9
   TpTLSCertificate *certificate;
c51fd9
   gchar *hostname;
c51fd9
   gchar **reference_identities;
c51fd9
@@ -53,135 +57,86 @@ typedef struct {
c51fd9
   gboolean dispose_run;
c51fd9
 } EmpathyTLSVerifierPriv;
c51fd9
 
c51fd9
-static gboolean
c51fd9
-verification_output_to_reason (gint res,
c51fd9
-    guint verify_output,
c51fd9
-    TpTLSCertificateRejectReason *reason)
c51fd9
+static GTlsCertificate *
c51fd9
+tls_certificate_new_from_der (GPtrArray *data, GError **error)
c51fd9
 {
c51fd9
-  gboolean retval = TRUE;
c51fd9
+  GTlsBackend *tls_backend;
c51fd9
+  GTlsCertificate *cert = NULL;
c51fd9
+  GTlsCertificate *issuer = NULL;
c51fd9
+  GTlsCertificate *retval = NULL;
c51fd9
+  GType tls_certificate_type;
c51fd9
+  gint i;
c51fd9
 
c51fd9
-  g_assert (reason != NULL);
c51fd9
+  g_return_val_if_fail (error == NULL || *error == NULL, NULL);
c51fd9
 
c51fd9
-  if (res != GNUTLS_E_SUCCESS)
c51fd9
-    {
c51fd9
-      retval = FALSE;
c51fd9
+  tls_backend = g_tls_backend_get_default ();
c51fd9
+  tls_certificate_type = g_tls_backend_get_certificate_type (tls_backend);
c51fd9
 
c51fd9
-      /* the certificate is not structurally valid */
c51fd9
-      switch (res)
c51fd9
-        {
c51fd9
-        case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
c51fd9
-          *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
c51fd9
-          break;
c51fd9
-        case GNUTLS_E_CONSTRAINT_ERROR:
c51fd9
-          *reason = TP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
c51fd9
-          break;
c51fd9
-        default:
c51fd9
-          *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
c51fd9
-          break;
c51fd9
-        }
c51fd9
-
c51fd9
-      goto out;
c51fd9
+  for (i = (gint) data->len - 1; i >= 0; --i)
c51fd9
+    {
c51fd9
+      GArray *cert_data;
c51fd9
+
c51fd9
+      cert_data = g_ptr_array_index (data, i);
c51fd9
+      cert = g_initable_new (tls_certificate_type,
c51fd9
+          NULL,
c51fd9
+          error,
c51fd9
+          "certificate", (GByteArray *) cert_data,
c51fd9
+          "issuer", issuer,
c51fd9
+          NULL);
c51fd9
+
c51fd9
+      if (cert == NULL)
c51fd9
+        goto out;
c51fd9
+
c51fd9
+      g_clear_object (&issuer);
c51fd9
+      issuer = g_object_ref (cert);
c51fd9
+      g_clear_object (&cert);
c51fd9
     }
c51fd9
 
c51fd9
-  /* the certificate is structurally valid, check for other errors. */
c51fd9
-  if (verify_output & GNUTLS_CERT_INVALID)
c51fd9
-    {
c51fd9
-      retval = FALSE;
c51fd9
-
c51fd9
-      if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)
c51fd9
-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
c51fd9
-      else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)
c51fd9
-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
c51fd9
-      else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)
c51fd9
-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
c51fd9
-      else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)
c51fd9
-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
c51fd9
-      else if (verify_output & GNUTLS_CERT_EXPIRED)
c51fd9
-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
c51fd9
-      else if (verify_output & GNUTLS_CERT_REVOKED)
c51fd9
-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_REVOKED;
c51fd9
-      else
c51fd9
-        *reason = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
c51fd9
+  g_assert_null (cert);
c51fd9
+  g_assert_true (G_IS_TLS_CERTIFICATE (issuer));
c51fd9
 
c51fd9
-      goto out;
c51fd9
-    }
c51fd9
+  retval = g_object_ref (issuer);
c51fd9
 
c51fd9
  out:
c51fd9
+  g_clear_object (&cert);
c51fd9
+  g_clear_object (&issuer);
c51fd9
   return retval;
c51fd9
 }
c51fd9
 
c51fd9
-static void
c51fd9
-build_certificate_list_for_gnutls (GcrCertificateChain *chain,
c51fd9
-        gnutls_x509_crt_t **list,
c51fd9
-        guint *n_list,
c51fd9
-        gnutls_x509_crt_t **anchors,
c51fd9
-        guint *n_anchors)
c51fd9
+static TpTLSCertificateRejectReason
c51fd9
+verification_output_to_reason (GTlsCertificateFlags flags)
c51fd9
 {
c51fd9
-  GcrCertificate *cert;
c51fd9
-  guint idx, length;
c51fd9
-  gnutls_x509_crt_t *retval;
c51fd9
-  gnutls_x509_crt_t gcert;
c51fd9
-  gnutls_datum_t datum;
c51fd9
-  gsize n_data;
c51fd9
-
c51fd9
-  g_assert (list);
c51fd9
-  g_assert (n_list);
c51fd9
-  g_assert (anchors);
c51fd9
-  g_assert (n_anchors);
c51fd9
+  TpTLSCertificateRejectReason retval;
c51fd9
 
c51fd9
-  *list = *anchors = NULL;
c51fd9
-  *n_list = *n_anchors = 0;
c51fd9
+  g_assert (flags != 0);
c51fd9
 
c51fd9
-  length = gcr_certificate_chain_get_length (chain);
c51fd9
-  retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * length);
c51fd9
-
c51fd9
-  /* Convert the main body of the chain to gnutls */
c51fd9
-  for (idx = 0; idx < length; ++idx)
c51fd9
-    {
c51fd9
-      cert = gcr_certificate_chain_get_certificate (chain, idx);
c51fd9
-      datum.data = (gpointer)gcr_certificate_get_der_data (cert, &n_data);
c51fd9
-      datum.size = n_data;
c51fd9
-
c51fd9
-      gnutls_x509_crt_init (&gcert);
c51fd9
-      if (gnutls_x509_crt_import (gcert, &datum, GNUTLS_X509_FMT_DER) < 0)
c51fd9
-        g_return_if_reached ();
c51fd9
-
c51fd9
-      retval[idx] = gcert;
c51fd9
-    }
c51fd9
-
c51fd9
-  *list = retval;
c51fd9
-  *n_list = length;
c51fd9
-
c51fd9
-  /* See if we have an anchor */
c51fd9
-  if (gcr_certificate_chain_get_status (chain) ==
c51fd9
-          GCR_CERTIFICATE_CHAIN_ANCHORED)
c51fd9
+  switch (flags)
c51fd9
     {
c51fd9
-      cert = gcr_certificate_chain_get_anchor (chain);
c51fd9
-      g_return_if_fail (cert);
c51fd9
-
c51fd9
-      datum.data = (gpointer)gcr_certificate_get_der_data (cert, &n_data);
c51fd9
-      datum.size = n_data;
c51fd9
-
c51fd9
-      gnutls_x509_crt_init (&gcert);
c51fd9
-      if (gnutls_x509_crt_import (gcert, &datum, GNUTLS_X509_FMT_DER) < 0)
c51fd9
-        g_return_if_reached ();
c51fd9
-
c51fd9
-      retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * 1);
c51fd9
-      retval[0] = gcert;
c51fd9
-      *anchors = retval;
c51fd9
-      *n_anchors = 1;
c51fd9
+      case G_TLS_CERTIFICATE_UNKNOWN_CA:
c51fd9
+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
c51fd9
+        break;
c51fd9
+      case G_TLS_CERTIFICATE_BAD_IDENTITY:
c51fd9
+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH;
c51fd9
+        break;
c51fd9
+      case G_TLS_CERTIFICATE_NOT_ACTIVATED:
c51fd9
+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
c51fd9
+        break;
c51fd9
+      case G_TLS_CERTIFICATE_EXPIRED:
c51fd9
+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
c51fd9
+        break;
c51fd9
+      case G_TLS_CERTIFICATE_REVOKED:
c51fd9
+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_REVOKED;
c51fd9
+        break;
c51fd9
+      case G_TLS_CERTIFICATE_INSECURE:
c51fd9
+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
c51fd9
+        break;
c51fd9
+      case G_TLS_CERTIFICATE_GENERIC_ERROR:
c51fd9
+      default:
c51fd9
+        retval = TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
c51fd9
+        break;
c51fd9
     }
c51fd9
-}
c51fd9
 
c51fd9
-static void
c51fd9
-free_certificate_list_for_gnutls (gnutls_x509_crt_t *list,
c51fd9
-        guint n_list)
c51fd9
-{
c51fd9
-  guint idx;
c51fd9
-
c51fd9
-  for (idx = 0; idx < n_list; idx++)
c51fd9
-    gnutls_x509_crt_deinit (list[idx]);
c51fd9
-  g_free (list);
c51fd9
+  return retval;
c51fd9
 }
c51fd9
 
c51fd9
 static void
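Review bot: `switch (flags)` in the new verification_output_to_reason only matches when exactly one GTlsCertificateFlags bit is set; GIO reports these as a bit set, so a chain that is, say, both from an unknown CA and expired arrives as `G_TLS_CERTIFICATE_UNKNOWN_CA | G_TLS_CERTIFICATE_EXPIRED`, matches no case, and falls to `default`, reporting UNKNOWN where the removed `&`-based chain returned the specific reason. Test the bits individually in a fixed priority order instead, as below. In tls_certificate_new_from_der, when `data->len` is 0 the loop never runs and `g_assert_true (G_IS_TLS_CERTIFICATE (issuer))` aborts the process (or, with assertions compiled out, returns NULL with no error set, which the caller does not check); returning an error before the loop, `g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE, "Empty certificate chain");` followed by `goto out;`, lets the caller reject it normally. The cast `(GByteArray *) cert_data` there relies on GArray and GByteArray sharing a layout and deserves a one-line comment saying so.
```c
static TpTLSCertificateRejectReason
verification_output_to_reason (GTlsCertificateFlags flags)
{
  g_assert (flags != 0);

  /* flags is a bit set and several bits are often set together, so test
   * them one at a time, most severe first, rather than switching on the
   * whole value. */
  if (flags & G_TLS_CERTIFICATE_REVOKED)
    return TP_TLS_CERTIFICATE_REJECT_REASON_REVOKED;
  if (flags & G_TLS_CERTIFICATE_INSECURE)
    return TP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
  if (flags & G_TLS_CERTIFICATE_UNKNOWN_CA)
    return TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
  if (flags & G_TLS_CERTIFICATE_BAD_IDENTITY)
    return TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH;
  if (flags & G_TLS_CERTIFICATE_NOT_ACTIVATED)
    return TP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
  if (flags & G_TLS_CERTIFICATE_EXPIRED)
    return TP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;

  /* G_TLS_CERTIFICATE_GENERIC_ERROR and anything not recognised above */
  return TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
}
```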
c51fd9
@@ -193,6 +148,7 @@ complete_verification (EmpathyTLSVerifier *self)
c51fd9
 
c51fd9
   g_simple_async_result_complete_in_idle (priv->verify_result);
c51fd9
 
c51fd9
+  g_clear_object (&priv->g_certificate);
c51fd9
   tp_clear_object (&priv->verify_result);
c51fd9
 }
c51fd9
 
c51fd9
@@ -209,6 +165,7 @@ abort_verification (EmpathyTLSVerifier *self,
c51fd9
       reason);
c51fd9
   g_simple_async_result_complete_in_idle (priv->verify_result);
c51fd9
 
c51fd9
+  g_clear_object (&priv->g_certificate);
c51fd9
   tp_clear_object (&priv->verify_result);
c51fd9
 }
c51fd9
 
c51fd9
@@ -221,142 +178,137 @@ debug_certificate (GcrCertificate *cert)
c51fd9
 }
c51fd9
 
c51fd9
 static void
c51fd9
-debug_certificate_chain (GcrCertificateChain *chain)
c51fd9
+verify_chain_cb (GObject *object,
c51fd9
+        GAsyncResult *res,
c51fd9
+        gpointer user_data)
c51fd9
 {
c51fd9
-    GEnumClass *enum_class;
c51fd9
-    GEnumValue *enum_value;
c51fd9
-    gint idx, length;
c51fd9
-    GcrCertificate *cert;
c51fd9
-
c51fd9
-    enum_class = G_ENUM_CLASS
c51fd9
-            (g_type_class_peek (GCR_TYPE_CERTIFICATE_CHAIN_STATUS));
c51fd9
-    enum_value = g_enum_get_value (enum_class,
c51fd9
-            gcr_certificate_chain_get_status (chain));
c51fd9
-    length = gcr_certificate_chain_get_length (chain);
c51fd9
-    DEBUG ("Certificate chain: length %u status %s",
c51fd9
-            length, enum_value ? enum_value->value_nick : "XXX");
c51fd9
-
c51fd9
-    for (idx = 0; idx < length; ++idx)
c51fd9
-      {
c51fd9
-        cert = gcr_certificate_chain_get_certificate (chain, idx);
c51fd9
-        debug_certificate (cert);
c51fd9
-      }
c51fd9
-}
c51fd9
+  GError *error = NULL;
c51fd9
 
c51fd9
-static void
c51fd9
-perform_verification (EmpathyTLSVerifier *self,
c51fd9
-        GcrCertificateChain *chain)
c51fd9
-{
c51fd9
-  gboolean ret = FALSE;
c51fd9
-  TpTLSCertificateRejectReason reason =
c51fd9
-    TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
c51fd9
-  gnutls_x509_crt_t *list, *anchors;
c51fd9
-  guint n_list, n_anchors;
c51fd9
-  guint verify_output;
c51fd9
-  gint res;
c51fd9
+  GTlsCertificateFlags flags;
c51fd9
+  GTlsDatabase *tls_database = G_TLS_DATABASE (object);
c51fd9
   gint i;
c51fd9
-  gboolean matched = FALSE;
c51fd9
+  EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (user_data);
c51fd9
   EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
c51fd9
 
c51fd9
-  DEBUG ("Performing verification");
c51fd9
-  debug_certificate_chain (chain);
c51fd9
-
c51fd9
-  list = anchors = NULL;
c51fd9
-  n_list = n_anchors = 0;
c51fd9
-
c51fd9
-  /*
c51fd9
-   * If the first certificate is an pinned certificate then we completely
c51fd9
-   * ignore the rest of the verification process.
c51fd9
+  /* FIXME: g_tls_database_verify_chain doesn't set the GError if the
c51fd9
+   * certificate chain couldn't be verified. See:
c51fd9
+   * https://bugzilla.gnome.org/show_bug.cgi?id=780310
c51fd9
    */
c51fd9
-  if (gcr_certificate_chain_get_status (chain) == GCR_CERTIFICATE_CHAIN_PINNED)
c51fd9
+  flags = g_tls_database_verify_chain_finish (tls_database, res, &error);
c51fd9
+  if (flags != 0)
c51fd9
     {
c51fd9
-      DEBUG ("Found pinned certificate for %s", priv->hostname);
c51fd9
-      complete_verification (self);
c51fd9
-      goto out;
c51fd9
-  }
c51fd9
-
c51fd9
-  build_certificate_list_for_gnutls (chain, &list, &n_list,
c51fd9
-          &anchors, &n_anchors);
c51fd9
-  if (list == NULL || n_list == 0) {
c51fd9
-      g_warn_if_reached ();
c51fd9
-      abort_verification (self, TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN);
c51fd9
-      goto out;
c51fd9
-  }
c51fd9
+      TpTLSCertificateRejectReason reason;
c51fd9
 
c51fd9
-  verify_output = 0;
c51fd9
-  res = gnutls_x509_crt_list_verify (list, n_list, anchors, n_anchors,
c51fd9
-           NULL, 0, 0, &verify_output);
c51fd9
-  ret = verification_output_to_reason (res, verify_output, &reason);
c51fd9
+      /* We don't pass the identity to g_tls_database_verify. */
c51fd9
+      g_assert_false (flags & G_TLS_CERTIFICATE_BAD_IDENTITY);
c51fd9
 
c51fd9
-  DEBUG ("Certificate verification gave result %d with reason %u", ret,
c51fd9
+      reason = verification_output_to_reason (flags);
c51fd9
+      DEBUG ("Certificate verification gave flags %d with reason %u",
c51fd9
+          (gint) flags,
c51fd9
           reason);
c51fd9
 
c51fd9
-  if (!ret) {
c51fd9
       abort_verification (self, reason);
c51fd9
+      g_clear_error (&error);
c51fd9
       goto out;
c51fd9
-  }
c51fd9
+    }
c51fd9
 
c51fd9
-  /* now check if the certificate matches one of the reference identities. */
c51fd9
-  if (priv->reference_identities != NULL)
c51fd9
+  for (i = 0; priv->reference_identities[i] != NULL; i++)
c51fd9
     {
c51fd9
-      for (i = 0, matched = FALSE; priv->reference_identities[i] != NULL; ++i)
c51fd9
-        {
c51fd9
-          if (gnutls_x509_crt_check_hostname (list[0],
c51fd9
-                  priv->reference_identities[i]) == 1)
c51fd9
-            {
c51fd9
-              matched = TRUE;
c51fd9
-              break;
c51fd9
-            }
c51fd9
-        }
c51fd9
+      GSocketConnectable *identity = NULL;
c51fd9
+
c51fd9
+      identity = g_network_address_new (priv->reference_identities[i], 0);
c51fd9
+      flags = g_tls_certificate_verify (priv->g_certificate, identity, NULL);
c51fd9
+
c51fd9
+      g_object_unref (identity);
c51fd9
+      if (flags == 0)
c51fd9
+        break;
c51fd9
     }
c51fd9
 
c51fd9
-  if (!matched)
c51fd9
+  if (flags != 0)
c51fd9
     {
c51fd9
-      gchar *certified_hostname;
c51fd9
+      TpTLSCertificateRejectReason reason;
c51fd9
+
c51fd9
+      g_assert_cmpint (flags, ==, G_TLS_CERTIFICATE_BAD_IDENTITY);
c51fd9
+
c51fd9
+      reason = verification_output_to_reason (flags);
c51fd9
+      DEBUG ("Certificate verification gave flags %d with reason %u",
c51fd9
+          (gint) flags,
c51fd9
+          reason);
c51fd9
 
c51fd9
-      certified_hostname = empathy_get_x509_certificate_hostname (list[0]);
c51fd9
-      tp_asv_set_string (priv->details,
c51fd9
-          "expected-hostname", priv->hostname);
c51fd9
-      tp_asv_set_string (priv->details,
c51fd9
-          "certificate-hostname", certified_hostname);
c51fd9
+      /* FIXME: We don't set "certificate-hostname" because
c51fd9
+       * GTlsCertificate doesn't expose the hostname used in the
c51fd9
+       * certificate. We will temporarily lose some verbosity in
c51fd9
+       * EmpathyTLSDialog, but that's balanced by no longer
c51fd9
+       * relying on a specific encryption library.
c51fd9
+       */
c51fd9
+      tp_asv_set_string (priv->details, "expected-hostname", priv->hostname);
c51fd9
 
c51fd9
-      DEBUG ("Hostname mismatch: got %s but expected %s",
c51fd9
-          certified_hostname, priv->hostname);
c51fd9
+      DEBUG ("Hostname mismatch: expected %s", priv->hostname);
c51fd9
 
c51fd9
-      g_free (certified_hostname);
c51fd9
-      abort_verification (self,
c51fd9
-              TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH);
c51fd9
+      abort_verification (self, reason);
c51fd9
       goto out;
c51fd9
     }
c51fd9
 
c51fd9
-  DEBUG ("Hostname matched");
c51fd9
+  DEBUG ("Verified certificate chain");
c51fd9
   complete_verification (self);
c51fd9
 
c51fd9
- out:
c51fd9
-  free_certificate_list_for_gnutls (list, n_list);
c51fd9
-  free_certificate_list_for_gnutls (anchors, n_anchors);
c51fd9
+out:
c51fd9
+  /* Matches ref when starting verify chain */
c51fd9
+  g_object_unref (self);
c51fd9
 }
c51fd9
 
c51fd9
 static void
c51fd9
-perform_verification_cb (GObject *object,
c51fd9
-        GAsyncResult *res,
c51fd9
-        gpointer user_data)
c51fd9
+is_certificate_pinned_cb (GObject *object,
c51fd9
+    GAsyncResult *res,
c51fd9
+    gpointer user_data)
c51fd9
 {
c51fd9
   GError *error = NULL;
c51fd9
-
c51fd9
-  GcrCertificateChain *chain = GCR_CERTIFICATE_CHAIN (object);
c51fd9
+  GPtrArray *cert_data;
c51fd9
   EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (user_data);
c51fd9
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
c51fd9
+
c51fd9
+  if (gcr_trust_is_certificate_pinned_finish (res, &error))
c51fd9
+    {
c51fd9
+      DEBUG ("Found pinned certificate for %s", priv->hostname);
c51fd9
+      complete_verification (self);
c51fd9
+      goto out;
c51fd9
+    }
c51fd9
+
c51fd9
+  /* error is set only when there is an actual failure. It won't be
c51fd9
+   * set, if it successfully determined that the ceritificate was not
c51fd9
+   * pinned. */
c51fd9
+  if (error != NULL)
c51fd9
+    {
c51fd9
+      DEBUG ("Failed to determine if certificate is pinned: %s",
c51fd9
+          error->message);
c51fd9
+      g_clear_error (&error);
c51fd9
+    }
c51fd9
 
c51fd9
-  /* Even if building the chain fails, try verifying what we have */
c51fd9
-  if (!gcr_certificate_chain_build_finish (chain, res, &error))
c51fd9
+  cert_data = tp_tls_certificate_get_cert_data (priv->certificate);
c51fd9
+  priv->g_certificate = tls_certificate_new_from_der (cert_data, &error);
c51fd9
+  if (error != NULL)
c51fd9
     {
c51fd9
-      DEBUG ("Building of certificate chain failed: %s", error->message);
c51fd9
+      DEBUG ("Verification of certificate chain failed: %s", error->message);
c51fd9
+
c51fd9
+      abort_verification (self, TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN);
c51fd9
       g_clear_error (&error);
c51fd9
+      goto out;
c51fd9
     }
c51fd9
 
c51fd9
-  perform_verification (self, chain);
c51fd9
+  DEBUG ("Performing verification");
c51fd9
+
c51fd9
+  g_tls_database_verify_chain_async (priv->database,
c51fd9
+      priv->g_certificate,
c51fd9
+      G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER,
c51fd9
+      NULL,
c51fd9
+      NULL,
c51fd9
+      G_TLS_DATABASE_VERIFY_NONE,
c51fd9
+      NULL,
c51fd9
+      verify_chain_cb,
c51fd9
+      g_object_ref (self));
c51fd9
 
c51fd9
-  /* Matches ref when staring chain build */
c51fd9
+out:
c51fd9
+  /* Matches ref when starting is certificate pinned */
c51fd9
   g_object_unref (self);
c51fd9
 }
c51fd9
 
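Review bot: The identity check in verify_chain_cb fails open when priv->reference_identities holds no entries: the loop at `for (i = 0; priv->reference_identities[i] != NULL; i++)` never runs, `flags` keeps the 0 left by g_tls_database_verify_chain_finish, and the `if (flags != 0)` below reads that as a successful match and completes verification, whereas the removed `matched = FALSE` / `if (!matched)` pair rejected with HOSTNAME_MISMATCH; a NULL array, which the removed `if (priv->reference_identities != NULL)` guard tolerated, is now dereferenced. Seed the result so that only an actual match clears it: `flags = G_TLS_CERTIFICATE_BAD_IDENTITY;` before the loop and `for (i = 0; priv->reference_identities != NULL && priv->reference_identities[i] != NULL; i++)` as the loop header; the `g_assert_cmpint (flags, ==, G_TLS_CERTIFICATE_BAD_IDENTITY)` that follows still holds. That assert and the earlier `g_assert_false (flags & G_TLS_CERTIFICATE_BAD_IDENTITY)` abort the process (unless assertions are compiled out) on flags derived from peer-supplied data; replacing each with `abort_verification (self, TP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN);` plus `goto out;` keeps an unexpected flag combination a rejection rather than a crash. Both callbacks in this hunk are complete within it.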
c51fd9
@@ -420,6 +372,8 @@ empathy_tls_verifier_dispose (GObject *object)
c51fd9
 
c51fd9
   priv->dispose_run = TRUE;
c51fd9
 
c51fd9
+  g_clear_object (&priv->g_certificate);
c51fd9
+  g_clear_object (&priv->database);
c51fd9
   tp_clear_object (&priv->certificate);
c51fd9
 
c51fd9
   G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object);
c51fd9
@@ -443,10 +397,14 @@ static void
c51fd9
 empathy_tls_verifier_init (EmpathyTLSVerifier *self)
c51fd9
 {
c51fd9
   EmpathyTLSVerifierPriv *priv;
c51fd9
+  GTlsBackend *tls_backend;
c51fd9
 
c51fd9
   priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
c51fd9
       EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv);
c51fd9
   priv->details = tp_asv_new (NULL, NULL);
c51fd9
+
c51fd9
+  tls_backend = g_tls_backend_get_default ();
c51fd9
+  priv->database = g_tls_backend_get_default_database (tls_backend);
c51fd9
 }
c51fd9
 
c51fd9
 static void
c51fd9
@@ -503,16 +461,15 @@ empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
c51fd9
     GAsyncReadyCallback callback,
c51fd9
     gpointer user_data)
c51fd9
 {
c51fd9
-  GcrCertificateChain *chain;
c51fd9
   GcrCertificate *cert;
c51fd9
   GPtrArray *cert_data;
c51fd9
   GArray *data;
c51fd9
-  guint idx;
c51fd9
   EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
c51fd9
 
c51fd9
   DEBUG ("Starting verification");
c51fd9
 
c51fd9
   g_return_if_fail (priv->verify_result == NULL);
c51fd9
+  g_return_if_fail (priv->g_certificate == NULL);
c51fd9
 
c51fd9
   cert_data = tp_tls_certificate_get_cert_data (priv->certificate);
c51fd9
   g_return_if_fail (cert_data);
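Review bot: `g_return_if_fail (cert_data);` only rejects a NULL array, but the next hunk now reads `data = g_ptr_array_index (cert_data, 0)` unconditionally, where the removed loop handled a zero-length chain; with an empty array that indexes past the end of the peer-supplied certificate list before anything has been validated. Add `g_return_if_fail (cert_data->len > 0);` directly after the existing check, i.e. before priv->verify_result is created, so the function bails out without leaving a half-started verification behind. empathy_tls_verifier_verify_async starts before this hunk and continues into the next one.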
c51fd9
@@ -520,19 +477,22 @@ empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
c51fd9
   priv->verify_result = g_simple_async_result_new (G_OBJECT (self),
c51fd9
       callback, user_data, NULL);
c51fd9
 
c51fd9
-  /* Create a certificate chain */
c51fd9
-  chain = gcr_certificate_chain_new ();
c51fd9
-  for (idx = 0; idx < cert_data->len; ++idx) {
c51fd9
-    data = g_ptr_array_index (cert_data, idx);
c51fd9
-    cert = gcr_simple_certificate_new ((guchar *) data->data, data->len);
c51fd9
-    gcr_certificate_chain_add (chain, cert);
c51fd9
-    g_object_unref (cert);
c51fd9
-  }
c51fd9
+  /* The first certificate in the chain is for the host */
c51fd9
+  data = g_ptr_array_index (cert_data, 0);
c51fd9
+  cert = gcr_simple_certificate_new ((gpointer) data->data,
c51fd9
+      (gsize) data->len);
c51fd9
+
c51fd9
+  DEBUG ("Checking if certificate is pinned:");
c51fd9
+  debug_certificate (cert);
c51fd9
 
c51fd9
-  gcr_certificate_chain_build_async (chain, GCR_PURPOSE_SERVER_AUTH, priv->hostname, 0,
c51fd9
-          NULL, perform_verification_cb, g_object_ref (self));
c51fd9
+  gcr_trust_is_certificate_pinned_async (cert,
c51fd9
+      GCR_PURPOSE_SERVER_AUTH,
c51fd9
+      priv->hostname,
c51fd9
+      NULL,
c51fd9
+      is_certificate_pinned_cb,
c51fd9
+      g_object_ref (self));
c51fd9
 
c51fd9
-  g_object_unref (chain);
c51fd9
+  g_object_unref (cert);
c51fd9
 }
c51fd9
 
c51fd9
 gboolean
c51fd9
@@ -567,6 +527,21 @@ empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
c51fd9
   return TRUE;
c51fd9
 }
c51fd9
 
c51fd9
+void empathy_tls_verifier_set_database (EmpathyTLSVerifier *self,
c51fd9
+    GTlsDatabase *database)
c51fd9
+{
c51fd9
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
c51fd9
+
c51fd9
+  g_return_if_fail (EMPATHY_IS_TLS_VERIFIER (self));
c51fd9
+  g_return_if_fail (G_IS_TLS_DATABASE (database));
c51fd9
+
c51fd9
+  if (database == priv->database)
c51fd9
+    return;
c51fd9
+
c51fd9
+  g_clear_object (&priv->database);
c51fd9
+  priv->database = g_object_ref (database);
c51fd9
+}
c51fd9
+
c51fd9
 void
c51fd9
 empathy_tls_verifier_store_exception (EmpathyTLSVerifier *self)
c51fd9
 {
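Review bot: In empathy_tls_verifier_set_database, `EmpathyTLSVerifierPriv *priv = GET_PRIV (self);` runs before `g_return_if_fail (EMPATHY_IS_TLS_VERIFIER (self));`, so an invalid self is dereferenced before the check that is meant to reject it. Declare `EmpathyTLSVerifierPriv *priv;` uninitialised and assign `priv = GET_PRIV (self);` after the two g_return_if_fail lines, as the other functions in this file that combine GET_PRIV with precondition checks appear to do.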
c51fd9
diff --git a/libempathy/empathy-tls-verifier.h b/libempathy/empathy-tls-verifier.h
c51fd9
index c25d9756cb02..f9bf54a612f2 100644
c51fd9
--- a/libempathy/empathy-tls-verifier.h
c51fd9
+++ b/libempathy/empathy-tls-verifier.h
c51fd9
@@ -72,6 +72,9 @@ gboolean empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
c51fd9
     GHashTable **details,
c51fd9
     GError **error);
c51fd9
 
c51fd9
+void empathy_tls_verifier_set_database (EmpathyTLSVerifier *self,
c51fd9
+    GTlsDatabase *database);
c51fd9
+
c51fd9
 void empathy_tls_verifier_store_exception (EmpathyTLSVerifier *self);
c51fd9
 
c51fd9
 G_END_DECLS
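Review bot: The new public declaration empathy_tls_verifier_set_database has no documentation, and the header is where callers look for the contract. Suggested comment above it: `/* Replace the GTlsDatabase used to verify the certificate chain; the verifier takes its own reference. When never called, the default database of the default GTlsBackend is used. */`, which matches what the .c side does in empathy_tls_verifier_init and in the setter itself.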
c51fd9
diff --git a/tests/empathy-tls-test.c b/tests/empathy-tls-test.c
c51fd9
index 422909e7cc2a..b8f9ffcbb9af 100644
c51fd9
--- a/tests/empathy-tls-test.c
c51fd9
+++ b/tests/empathy-tls-test.c
c51fd9
@@ -270,6 +270,7 @@ mock_tls_certificate_new_and_register (TpDBusDaemon *dbus,
c51fd9
 
c51fd9
 typedef struct {
c51fd9
   GMainLoop *loop;
c51fd9
+  GTlsDatabase *database;
c51fd9
   TpDBusDaemon *dbus;
c51fd9
   const gchar *dbus_name;
c51fd9
   MockTLSCertificate *mock;
c51fd9
@@ -283,9 +284,18 @@ setup (Test *test, gconstpointer data)
c51fd9
   GError *error = NULL;
c51fd9
   GckModule *module;
c51fd9
   const gchar *trust_uris[2] = { MOCK_SLOT_ONE_URI, NULL };
c51fd9
+  gchar *path = NULL;
c51fd9
 
c51fd9
   test->loop = g_main_loop_new (NULL, FALSE);
c51fd9
 
c51fd9
+  path = g_build_filename (g_getenv ("EMPATHY_SRCDIR"),
c51fd9
+      "tests",
c51fd9
+      "certificates",
c51fd9
+      "certificate-authority.pem",
c51fd9
+      NULL);
c51fd9
+  test->database = g_tls_file_database_new (path, &error);
c51fd9
+  g_assert_no_error (error);
c51fd9
+
c51fd9
   test->dbus = tp_dbus_daemon_dup (&error);
c51fd9
   g_assert_no_error (error);
c51fd9
 
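Review bot: `g_getenv ("EMPATHY_SRCDIR")` returns NULL when the variable is unset, and as the first argument of `g_build_filename` a NULL presumably ends the argument list, so `path` is an empty string, `g_tls_file_database_new` fails and the following `g_assert_no_error (error)` aborts with a message that does not say what was missing. Check the environment first, e.g. `const gchar *srcdir = g_getenv ("EMPATHY_SRCDIR"); g_assert_nonnull (srcdir);` and pass srcdir to g_build_filename. `path` is only freed at the end of setup, so any assertion failure between here and there leaks it, which is harmless in a test but worth knowing.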
c51fd9
@@ -301,6 +311,8 @@ setup (Test *test, gconstpointer data)
c51fd9
   gcr_pkcs11_set_modules (NULL);
c51fd9
   gcr_pkcs11_add_module (module);
c51fd9
   gcr_pkcs11_set_trust_lookup_uris (trust_uris);
c51fd9
+
c51fd9
+  g_free (path);
c51fd9
 }
c51fd9
 
c51fd9
 static void
c51fd9
@@ -325,6 +337,8 @@ teardown (Test *test, gconstpointer data)
c51fd9
     g_object_unref (test->cert);
c51fd9
   test->cert = NULL;
c51fd9
 
c51fd9
+  g_clear_object (&test->database);
c51fd9
+
c51fd9
   g_main_loop_unref (test->loop);
c51fd9
   test->loop = NULL;
c51fd9
 
c51fd9
@@ -418,6 +432,8 @@ test_certificate_mock_basics (Test *test,
c51fd9
   g_assert (test->mock->state == TP_TLS_CERTIFICATE_STATE_ACCEPTED);
c51fd9
 }
c51fd9
 
c51fd9
+#if 0
c51fd9
+
c51fd9
 static void
c51fd9
 test_certificate_verify_success_with_pkcs11_lookup (Test *test,
c51fd9
         gconstpointer data G_GNUC_UNUSED)
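Review bot: The `#if 0` that disables test_certificate_verify_success_with_pkcs11_lookup carries no explanation in the code, so the reason (GnuTLS cannot load the built-in mock PKCS#11 module, per the commit message) and the tracking bug are only recoverable from history. Put them next to the directive: `/* Disabled: GnuTLS has no way to load the built-in mock PKCS#11 module, so the chain cannot be completed from PKCS#11 storage. See https://bugzilla.gnome.org/show_bug.cgi?id=780160 */`. The test body continues past this hunk and the matching `#endif` is in a later one.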
c51fd9
@@ -459,6 +475,8 @@ test_certificate_verify_success_with_pkcs11_lookup (Test *test,
c51fd9
   g_object_unref (verifier);
c51fd9
 }
c51fd9
 
c51fd9
+#endif
c51fd9
+
c51fd9
 static void
c51fd9
 test_certificate_verify_success_with_full_chain (Test *test,
c51fd9
         gconstpointer data G_GNUC_UNUSED)
c51fd9
@@ -486,6 +504,7 @@ test_certificate_verify_success_with_full_chain (Test *test,
c51fd9
 
c51fd9
   verifier = empathy_tls_verifier_new (test->cert, "test-server.empathy.gnome.org",
c51fd9
       reference_identities);
c51fd9
+  empathy_tls_verifier_set_database (verifier, test->database);
c51fd9
   empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
c51fd9
   g_main_loop_run (test->loop);
c51fd9
   empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
c51fd9
@@ -525,9 +544,9 @@ test_certificate_verify_root_not_found (Test *test,
c51fd9
   empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
c51fd9
       NULL, &error);
c51fd9
 
c51fd9
-  /* And it should say we're self-signed (oddly enough) */
c51fd9
+  /* And it should say we're untrusted */
c51fd9
   g_assert_error (error, G_IO_ERROR,
c51fd9
-      TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED);
c51fd9
+      TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED);
c51fd9
 
c51fd9
   g_clear_error (&error);
c51fd9
   g_object_unref (verifier);
c51fd9
@@ -560,9 +579,9 @@ test_certificate_verify_root_not_anchored (Test *test,
c51fd9
   empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
c51fd9
       NULL, &error);
c51fd9
 
c51fd9
-  /* And it should say we're self-signed (oddly enough) */
c51fd9
+  /* And it should say we're untrusted */
c51fd9
   g_assert_error (error, G_IO_ERROR,
c51fd9
-      TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED);
c51fd9
+      TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED);
c51fd9
 
c51fd9
   g_clear_error (&error);
c51fd9
   g_object_unref (verifier);
c51fd9
@@ -590,6 +609,7 @@ test_certificate_verify_identities_invalid (Test *test,
c51fd9
 
c51fd9
   verifier = empathy_tls_verifier_new (test->cert, "invalid.host.name",
c51fd9
       reference_identities);
c51fd9
+  empathy_tls_verifier_set_database (verifier, test->database);
c51fd9
   empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
c51fd9
   g_main_loop_run (test->loop);
c51fd9
 
c51fd9
@@ -627,6 +647,7 @@ test_certificate_verify_uses_reference_identities (Test *test,
c51fd9
   /* Should be using the reference_identities and not host name for checks */
c51fd9
   verifier = empathy_tls_verifier_new (test->cert, "test-server.empathy.gnome.org",
c51fd9
       reference_identities);
c51fd9
+  empathy_tls_verifier_set_database (verifier, test->database);
c51fd9
   empathy_tls_verifier_verify_async (verifier, fetch_callback_result, test);
c51fd9
   g_main_loop_run (test->loop);
c51fd9
 
c51fd9
@@ -708,9 +729,9 @@ test_certificate_verify_pinned_wrong_host (Test *test,
c51fd9
   empathy_tls_verifier_verify_finish (verifier, test->result, &reason,
c51fd9
       NULL, &error);
c51fd9
 
c51fd9
-  /* And it should say we're self-signed */
c51fd9
+  /* And it should say we're untrusted */
c51fd9
   g_assert_error (error, G_IO_ERROR,
c51fd9
-      TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED);
c51fd9
+      TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED);
c51fd9
 
c51fd9
   g_clear_error (&error);
c51fd9
   g_object_unref (verifier);
c51fd9
@@ -727,8 +748,10 @@ main (int argc,
c51fd9
 
c51fd9
   g_test_add ("/tls/certificate_basics", Test, NULL,
c51fd9
           setup, test_certificate_mock_basics, teardown);
c51fd9
+#if 0
c51fd9
   g_test_add ("/tls/certificate_verify_success_with_pkcs11_lookup", Test, NULL,
c51fd9
           setup, test_certificate_verify_success_with_pkcs11_lookup, teardown);
c51fd9
+#endif
c51fd9
   g_test_add ("/tls/certificate_verify_success_with_full_chain", Test, NULL,
c51fd9
           setup, test_certificate_verify_success_with_full_chain, teardown);
c51fd9
   g_test_add ("/tls/certificate_verify_root_not_found", Test, NULL,
c51fd9
-- 
2.14.4
From a5ef984c6219070253f382d41101de9f904563c6 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Thu, 16 Mar 2017 19:50:40 +0100
Subject: [PATCH 5/5] Remove the GnuTLS dependency
GIO, backed by glib-networking, has everything that we need.
https://bugzilla.gnome.org/show_bug.cgi?id=780160
---
 configure.ac               |  2 --
 libempathy/empathy-utils.c | 35 -----------------------------------
 libempathy/empathy-utils.h |  3 ---
 src/empathy-auth-client.c  |  2 --
 tests/empathy-tls-test.c   |  2 --
 5 files changed, 44 deletions(-)
diff --git a/configure.ac b/configure.ac
c51fd9
index cd6f371de799..a1cd48687e27 100644
c51fd9
--- a/configure.ac
c51fd9
+++ b/configure.ac
c51fd9
@@ -35,7 +35,6 @@ AC_COPYRIGHT([
c51fd9
 
c51fd9
 # Hardp deps
c51fd9
 FOLKS_REQUIRED=0.9.5
c51fd9
-GNUTLS_REQUIRED=2.8.5
c51fd9
 
c51fd9
 GLIB_REQUIRED=2.48.0
c51fd9
 AC_DEFINE(GLIB_VERSION_MIN_REQUIRED, GLIB_VERSION_2_48, [Ignore post 2.48 deprecations])
c51fd9
@@ -219,7 +218,6 @@ PKG_CHECK_MODULES(EMPATHY,
c51fd9
    gio-2.0 >= $GLIB_REQUIRED
c51fd9
    gio-unix-2.0 >= $GLIB_REQUIRED
c51fd9
    libsecret-1 >= $LIBSECRET_REQUIRED
c51fd9
-   gnutls >= $GNUTLS_REQUIRED
c51fd9
    gmodule-export-2.0
c51fd9
    gobject-2.0
c51fd9
    gsettings-desktop-schemas
c51fd9
diff --git a/libempathy/empathy-utils.c b/libempathy/empathy-utils.c
c51fd9
index e8349373639f..88e28b8dd92b 100644
c51fd9
--- a/libempathy/empathy-utils.c
c51fd9
+++ b/libempathy/empathy-utils.c
c51fd9
@@ -20,10 +20,6 @@
c51fd9
  * Authors: Richard Hult <richard@imendio.com>
c51fd9
  *          Martyn Russell <martyn@imendio.com>
c51fd9
  *          Xavier Claessens <xclaesse@gmail.com>
c51fd9
- *
c51fd9
- * Some snippets are taken from GnuTLS 2.8.6, which is distributed under the
c51fd9
- * same GNU Lesser General Public License 2.1 (or later) version. See
c51fd9
- * empathy_get_x509_certified_hostname ().
c51fd9
  */
c51fd9
 
c51fd9
 #include "config.h"
2cf4bb
@@ -648,37 +644,6 @@ empathy_folks_persona_is_interesting (FolksPersona *persona)
2cf4bb
   return TRUE;
c51fd9
 }
c51fd9
 
2cf4bb
-gchar *
c51fd9
-empathy_get_x509_certificate_hostname (gnutls_x509_crt_t cert)
c51fd9
-{
c51fd9
-  gchar dns_name[256];
c51fd9
-  gsize dns_name_size;
c51fd9
-  gint idx;
c51fd9
-  gint res = 0;
c51fd9
-
c51fd9
-  /* this snippet is taken from GnuTLS.
c51fd9
-   * see gnutls/lib/x509/rfc2818_hostname.c
c51fd9
-   */
c51fd9
-  for (idx = 0; res >= 0; idx++)
c51fd9
-    {
c51fd9
-      dns_name_size = sizeof (dns_name);
c51fd9
-      res = gnutls_x509_crt_get_subject_alt_name (cert, idx,
c51fd9
-          dns_name, &dns_name_size, NULL);
c51fd9
-
c51fd9
-      if (res == GNUTLS_SAN_DNSNAME || res == GNUTLS_SAN_IPADDRESS)
c51fd9
-        return g_strndup (dns_name, dns_name_size);
c51fd9
-    }
c51fd9
-
c51fd9
-  dns_name_size = sizeof (dns_name);
c51fd9
-  res = gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME,
c51fd9
-      0, 0, dns_name, &dns_name_size);
c51fd9
-
c51fd9
-  if (res >= 0)
c51fd9
-    return g_strndup (dns_name, dns_name_size);
c51fd9
-
c51fd9
-  return NULL;
c51fd9
-}
c51fd9
-
2cf4bb
 gchar *
c51fd9
 empathy_format_currency (gint amount,
c51fd9
     guint scale,
c51fd9
diff --git a/libempathy/empathy-utils.h b/libempathy/empathy-utils.h
c51fd9
index a9ff0d89060d..deb3ae87b7aa 100644
c51fd9
--- a/libempathy/empathy-utils.h
c51fd9
+++ b/libempathy/empathy-utils.h
c51fd9
@@ -27,7 +27,6 @@
c51fd9
 
c51fd9
 #include <glib.h>
c51fd9
 #include <glib-object.h>
c51fd9
-#include <gnutls/x509.h>
c51fd9
 #include <libxml/tree.h>
c51fd9
 #include <folks/folks.h>
c51fd9
 #include <folks/folks-telepathy.h>
c51fd9
@@ -85,8 +84,6 @@ gboolean empathy_connection_can_group_personas (TpConnection *connection,
c51fd9
 						FolksIndividual *individual);
c51fd9
 gboolean empathy_folks_persona_is_interesting (FolksPersona *persona);
c51fd9
 
c51fd9
-gchar * empathy_get_x509_certificate_hostname (gnutls_x509_crt_t cert);
c51fd9
-
c51fd9
 gchar *empathy_format_currency (gint amount,
c51fd9
     guint scale,
c51fd9
     const gchar *currency);
c51fd9
diff --git a/src/empathy-auth-client.c b/src/empathy-auth-client.c
c51fd9
index 3ee478d3e29c..6b6482d4b23d 100644
c51fd9
--- a/src/empathy-auth-client.c
c51fd9
+++ b/src/empathy-auth-client.c
c51fd9
@@ -22,7 +22,6 @@
c51fd9
 #include "config.h"
c51fd9
 
c51fd9
 #include <glib/gi18n.h>
c51fd9
-#include <gnutls/gnutls.h>
c51fd9
 
c51fd9
 #include "empathy-auth-factory.h"
c51fd9
 #include "empathy-bad-password-dialog.h"
c51fd9
@@ -297,7 +296,6 @@ main (int argc,
c51fd9
   g_option_context_free (context);
c51fd9
 
c51fd9
   empathy_gtk_init ();
c51fd9
-  gnutls_global_init ();
c51fd9
   g_set_application_name (_("Empathy authentication client"));
c51fd9
 
c51fd9
   /* Make empathy and empathy-auth-client appear as the same app in
c51fd9
diff --git a/tests/empathy-tls-test.c b/tests/empathy-tls-test.c
c51fd9
index b8f9ffcbb9af..9b62ae4e0ec7 100644
c51fd9
--- a/tests/empathy-tls-test.c
c51fd9
+++ b/tests/empathy-tls-test.c
c51fd9
@@ -1,6 +1,5 @@
c51fd9
 #include "config.h"
c51fd9
 
c51fd9
-#include <gnutls/gnutls.h>
c51fd9
 #include <telepathy-glib/telepathy-glib.h>
c51fd9
 #include <telepathy-glib/telepathy-glib-dbus.h>
c51fd9
 
c51fd9
@@ -744,7 +743,6 @@ main (int argc,
c51fd9
   int result;
c51fd9
 
c51fd9
   test_init (argc, argv);
c51fd9
-  gnutls_global_init ();
c51fd9
 
c51fd9
   g_test_add ("/tls/certificate_basics", Test, NULL,
c51fd9
           setup, test_certificate_mock_basics, teardown);
c51fd9
-- 
2.14.4