debian/0000775000000000000000000000000012656124021007167 5ustar debian/control0000664000000000000000000000637212656124117010610 0ustar # This file is autogenerated. DO NOT EDIT! # # Modifications should be made to debian/control.in instead. # This file is regenerated automatically in the clean target. Source: glib-networking Section: libs Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian GNOME Maintainers Uploaders: Andreas Henriksson , Debian GNOME Maintainers , Emilio Pozuelo Monfort , Martin Pitt Build-Depends: debhelper (>= 8.1.3), cdbs (>= 0.4.93), dh-autoreconf, gnome-pkg-tools, libglib2.0-dev (>= 2.39.3), libgnutls-dev (>= 2.12.8), libp11-kit-dev (>= 0.8), libproxy-dev (>= 0.4), gsettings-desktop-schemas-dev, ca-certificates, intltool (>= 0.41.1-2) Build-Conflicts: glib-networking XS-Testsuite: autopkgtest Vcs-Svn: svn://svn.debian.org/pkg-gnome/desktop/unstable/glib-networking Vcs-Browser: http://svn.debian.org/viewpkg-gnome/desktop/unstable/glib-networking Standards-Version: 3.9.5 Package: glib-networking Architecture: any Multi-Arch: same Depends: ${misc:Depends}, ${shlibs:Depends}, glib-networking-services (>= ${source:Version}), glib-networking-services (<< ${source:Version}.1~), glib-networking-common (= ${source:Version}), gsettings-desktop-schemas Breaks: libglib2.0-0 (<< 2.30.1-2) Description: network-related giomodules for GLib This package contains various network related extensions for the GIO library. Package: glib-networking-services Architecture: any Multi-Arch: foreign Depends: ${misc:Depends}, ${shlibs:Depends}, glib-networking-common (= ${source:Version}) Recommends: glib-networking Breaks: glib-networking (<< 2.30.1-2) Replaces: glib-networking (<< 2.30.1-2) Description: network-related giomodules for GLib - D-Bus services This package contains D-Bus services that are used by the GIO network extensions in glib-networking, for actions that need to be done in a separate process. 
Package: glib-networking-common Architecture: all Multi-Arch: foreign Depends: ${misc:Depends} Recommends: glib-networking Breaks: glib-networking (<< 2.30.1-2) Replaces: glib-networking (<< 2.30.1-2) Description: network-related giomodules for GLib - data files This package contains data files and translations for the GIO network extensions in glib-networking. Package: glib-networking-dbg Architecture: any Priority: extra Section: debug Depends: ${misc:Depends}, ${shlibs:Depends}, glib-networking (= ${binary:Version}) Description: network-related giomodules for GLib - debugging symbols This package contains the debugging symbols for the GIO extensions and D-Bus services in glib-networking. Package: glib-networking-tests Section: misc Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, glib-networking (= ${binary:Version}), ca-certificates Description: network-related giomodules for GLib - installed tests This package contains test programs, designed to be run as part of a regression testsuite. 
debian/glib-networking-common.install0000664000000000000000000000002111703210752015137 0ustar usr/share/locale debian/control.in0000664000000000000000000000564312656124054011215 0ustar Source: glib-networking Section: libs Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian GNOME Maintainers Uploaders: @GNOME_TEAM@ Build-Depends: debhelper (>= 8.1.3), cdbs (>= 0.4.93), dh-autoreconf, gnome-pkg-tools, libglib2.0-dev (>= 2.39.3), libgnutls-dev (>= 2.12.8), libp11-kit-dev (>= 0.8), libproxy-dev (>= 0.4), gsettings-desktop-schemas-dev, ca-certificates, intltool (>= 0.41.1-2) Build-Conflicts: glib-networking XS-Testsuite: autopkgtest Vcs-Svn: svn://svn.debian.org/pkg-gnome/desktop/unstable/glib-networking Vcs-Browser: http://svn.debian.org/viewpkg-gnome/desktop/unstable/glib-networking Standards-Version: 3.9.5 Package: glib-networking Architecture: any Multi-Arch: same Depends: ${misc:Depends}, ${shlibs:Depends}, glib-networking-services (>= ${source:Version}), glib-networking-services (<< ${source:Version}.1~), glib-networking-common (= ${source:Version}), gsettings-desktop-schemas Breaks: libglib2.0-0 (<< 2.30.1-2) Description: network-related giomodules for GLib This package contains various network related extensions for the GIO library. Package: glib-networking-services Architecture: any Multi-Arch: foreign Depends: ${misc:Depends}, ${shlibs:Depends}, glib-networking-common (= ${source:Version}) Recommends: glib-networking Breaks: glib-networking (<< 2.30.1-2) Replaces: glib-networking (<< 2.30.1-2) Description: network-related giomodules for GLib - D-Bus services This package contains D-Bus services that are used by the GIO network extensions in glib-networking, for actions that need to be done in a separate process. 
Package: glib-networking-common Architecture: all Multi-Arch: foreign Depends: ${misc:Depends} Recommends: glib-networking Breaks: glib-networking (<< 2.30.1-2) Replaces: glib-networking (<< 2.30.1-2) Description: network-related giomodules for GLib - data files This package contains data files and translations for the GIO network extensions in glib-networking. Package: glib-networking-dbg Architecture: any Priority: extra Section: debug Depends: ${misc:Depends}, ${shlibs:Depends}, glib-networking (= ${binary:Version}) Description: network-related giomodules for GLib - debugging symbols This package contains the debugging symbols for the GIO extensions and D-Bus services in glib-networking. Package: glib-networking-tests Section: misc Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, glib-networking (= ${binary:Version}), ca-certificates Description: network-related giomodules for GLib - installed tests This package contains test programs, designed to be run as part of a regression testsuite. debian/glib-networking.install0000664000000000000000000000003311703210752013654 0ustar usr/lib/*/gio/modules/*.so debian/changelog0000664000000000000000000002510712656124021011046 0ustar glib-networking (2.40.0-1ubuntu0.1) trusty-security; urgency=medium * debian/patches/alt-cert-chains.patch: backport upstream fix to add alternate chains support. This will allow the future removal of 1024-bit RSA keys from the ca-certificates package. -- Marc Deslauriers Mon, 08 Feb 2016 09:37:05 -0500 glib-networking (2.40.0-1) experimental; urgency=medium [ Martin Pitt ] * Add xauth test depends, it is only a recommends of xvfb. [ Andreas Henriksson ] * New upstream release. -- Andreas Henriksson Mon, 24 Mar 2014 22:28:24 +0100 glib-networking (2.39.90-1) experimental; urgency=medium * New upstream release. -- Andreas Henriksson Tue, 18 Feb 2014 19:56:24 +0100 glib-networking (2.39.3-1) experimental; urgency=medium * New upstream development release. 
* debian/control.in: + Bump glib build dependency. + Standards-Version is 3.9.5, no changes needed. -- Emilio Pozuelo Monfort Sun, 16 Feb 2014 18:51:31 +0100 glib-networking (2.38.2-1) unstable; urgency=low [ Vincent Cheng ] * Add missing entries in debian/copyright. (Closes: #725998) [ Iain Lane ] * Use dh-autoreconf to update libtool.m4 for new ports. [ Emilio Pozuelo Monfort ] * New upstream release. * Upload to unstable. -- Emilio Pozuelo Monfort Sat, 15 Feb 2014 12:59:52 +0100 glib-networking (2.38.1-1) experimental; urgency=low * debian/control{,.in}: Add XS-Testsuite header * New upstream release + glibpacrunner: Don't crash if there is an internal libproxy error. + tls/tests: Fix installed tests to not accidentally depend on having the source tree still exist. * debian/control: Have the tests depend on ca-certificates. -- Iain Lane Thu, 17 Oct 2013 16:01:40 +0100 glib-networking (2.38.0-1) experimental; urgency=low * New upstream release * debian/control: Build-Depend on GLib >= 2.38 and libproxy >= 0.4 (test failures with 0.3) * Build & package installed tests * Add autopkgtest to run the installed tests -- Iain Lane Wed, 25 Sep 2013 11:45:34 +0000 glib-networking (2.36.1-2) unstable; urgency=low * Merge experimental branch, upload to unstable. * Bump Standards-Version to 3.9.4, no changes necessary. -- Martin Pitt Wed, 08 May 2013 07:04:53 +0200 glib-networking (2.36.1-1) experimental; urgency=low * New upstream release. -- Iain Lane Tue, 23 Apr 2013 11:28:54 +0100 glib-networking (2.36.0-1) experimental; urgency=low * New upstream release. -- Emilio Pozuelo Monfort Mon, 25 Mar 2013 16:04:44 +0100 glib-networking (2.35.9-1) experimental; urgency=low * New upstream release. -- Emilio Pozuelo Monfort Tue, 05 Mar 2013 18:39:07 +0100 glib-networking (2.35.8-1) experimental; urgency=low * New upstream release. + debian/control.in: - Update build dependencies. 
-- Emilio Pozuelo Monfort Sat, 23 Feb 2013 19:31:23 +0100 glib-networking (2.34.0-1) experimental; urgency=low * New upstream release. + debian/control.in: - Update build dependencies. -- Emilio Pozuelo Monfort Tue, 23 Oct 2012 16:50:01 +0200 glib-networking (2.33.14-1) experimental; urgency=low * New upstream release. * Bump Build-Depends on libglib2.0-dev to (>= 2.33.14) so we don't pick up the version from unstable. This will also generate a tight enough dependency. -- Michael Biebl Thu, 20 Sep 2012 21:12:58 +0200 glib-networking (2.33.12-1) experimental; urgency=low * New upstream version, matching glib 2.33.12. * debian/control.in: Bump glib build dependency to >= 2.33.12. * debian/control.in: Switch Vcs-* to experimental branch. * debian/watch: Watch for unstable versions while we are tracking the 2.34 development versions. -- Martin Pitt Thu, 06 Sep 2012 05:55:23 +0200 glib-networking (2.32.3-1) unstable; urgency=low * New upstream release. -- Michael Biebl Tue, 15 May 2012 20:31:34 +0200 glib-networking (2.32.1-1) unstable; urgency=low * New upstream release: - gnutls: added /etc/ssl/ca-bundle.pem to the list of files to check for to use as the default CA list. (This is what openSUSE uses; not relevant for Debian/Ubuntu). - Translation updates. * debian/copyright: Rewrite to use copyright 1.0 format. * debian/control.in: Bump Standards-Version to 3.9.3. -- Martin Pitt Mon, 16 Apr 2012 23:43:39 +0200 glib-networking (2.32.0-2) unstable; urgency=low * Upload to unstable. -- Michael Biebl Fri, 30 Mar 2012 08:53:25 +0200 glib-networking (2.32.0-1) experimental; urgency=low * New upstream release. -- Michael Biebl Tue, 27 Mar 2012 02:08:13 +0200 glib-networking (2.31.22-1) experimental; urgency=low * New upstream development release. * Bump Build-Depends on cdbs and debhelper for multiarch support. -- Michael Biebl Tue, 20 Mar 2012 02:56:17 +0100 glib-networking (2.31.20-1) experimental; urgency=low * New upstream development release. 
* debian/control.in: Update Build-Depends. * debian/rules: Explicitly enable libproxy and gnutls support for more reliable build results. * Enable PKCS#11 support. -- Michael Biebl Thu, 08 Mar 2012 09:48:53 +0100 glib-networking (2.30.2-1) unstable; urgency=low * New upstream release. * Instead of removing files via debian/rules, just be a bit more specific what we want to install in debian/glib-networking-services.install. -- Michael Biebl Sun, 15 Jan 2012 13:21:18 +0100 glib-networking (2.30.1-3) unstable; urgency=low * Upload to unstable. -- Michael Biebl Fri, 18 Nov 2011 21:41:27 +0100 glib-networking (2.30.1-2) experimental; urgency=low * Break pre-multiarch glib (for modules path transition). * glib-networking autodetects the path, no change needed. * Split glib-networking for multiarch support: - glib-networking contains the gio modules (m-a: same). - g-n-services contains the D-Bus services (m-a: foreign). - g-n-common contains the data. * Add build-conflict about glib-networking itself (fails the test suite). -- Josselin Mouette Sun, 13 Nov 2011 16:32:49 +0100 glib-networking (2.30.1-1) experimental; urgency=low * New upstream bug fix release. -- Martin Pitt Fri, 21 Oct 2011 12:02:55 +0200 glib-networking (2.30.0-1) experimental; urgency=low * New upstream release. * debian/control: - Bump Build-Depends on libglib2.0-dev to (>= 2.29.18). - Set pkg-gnome-maintainers@lists.alioth.debian.org as Maintainer. * Remove patches, all merged upstream: - debian/patches/01_tls_small_keys.patch - debian/patches/02_gerror_crash.patch - debian/patches/03_tls_compat.patch - debian/patches/04_rehandshake.patch - debian/patches/05_virtualhosts.patch - debian/patches/06_gnutls3.patch * debian/copyright: - Update FSF address. * debian/watch: - Track .xz tarballs. -- Michael Biebl Sun, 16 Oct 2011 19:18:55 +0200 glib-networking (2.28.7-2) unstable; urgency=low * Include a handful of changes from upstream git to improve TLS support. 
+ 01_tls_small_keys.patch: allow small TLS keys that some embedded servers use. + 02_gerror_crash.patch: fix a crash when passed a NULL GError. + 03_tls_compat.patch: use %COMPAT in the protocol lists to handle some broken servers. Closes: #636911. + 04_rehandshake.patch: handle rehandshake requests. + 05_virtualhosts.patch: don’t reuse sessions for different virtual hosts on the same IP, some broken servers don’t like that. + 06_gnutls3.patch: support GnuTLS 3.x, in case the transition starts soon. * Require an intltool version with working quilt support. -- Josselin Mouette Fri, 23 Sep 2011 20:30:16 +0200 glib-networking (2.28.7-1) unstable; urgency=low * New upstream release. * debian/control.in: Fix Vcs-* path for experimental → unstable. * debian/control.in: Bump Standards-Version to 3.9.2 (no changes necessary). * debian/watch: Fix syntax to actually recognize the current version. * debian/watch: Fetch bzip2 tarballs. * debian/rules: Remove unnecessary *.la files. -- Martin Pitt Wed, 25 May 2011 07:48:14 +0200 glib-networking (2.28.6.1-1) unstable; urgency=low * New upstream bugfix release * debian/patches/Only-set-GTLS-errors-when-errors-have-occurred.patch - Removed, fixed upstream * debian/patches/work-around-intltool-issue.patch - Remove, no longer necessary -- Sjoerd Simons Tue, 26 Apr 2011 22:23:37 +0100 glib-networking (2.28.6-1) unstable; urgency=low * New upstream release * debian/patches/Only-set-GTLS-errors-when-errors-have-occurred.patch - Added. Only reports errors when sending if errors occurred * debian/patches/work-around-intltool-issue.patch - Added. Work around intltool discovering translations in applied patched (Debian bug #560704) -- Sjoerd Simons Tue, 26 Apr 2011 19:10:10 +0100 glib-networking (2.28.4-2) unstable; urgency=low [ Rodrigo Moya ] * debian/rules: - Remove *.a files in the correct arch-specific dir [ Sebastian Dröge ] * debian/control.in: + Add debug package. 
-- Sebastian Dröge Thu, 14 Apr 2011 14:06:31 +0200 glib-networking (2.28.4-1) unstable; urgency=low * New upstream stable release. + debian/control.in: - Build-depend on gsettings-desktop-schemas-dev, depend on gsettings-desktop-schemas. -- Emilio Pozuelo Monfort Sat, 26 Mar 2011 08:48:49 +0000 glib-networking (2.28.0-1) unstable; urgency=low * New upstream stable release. -- Emilio Pozuelo Monfort Tue, 22 Feb 2011 20:21:29 +0000 glib-networking (2.27.90-1) experimental; urgency=low * New upstream release. + debian/control.in: - Bump libglib2.0-dev build requirement. -- Emilio Pozuelo Monfort Sat, 08 Jan 2011 01:58:58 +0000 glib-networking (2.27.5-1) experimental; urgency=low * New upstream release. + debian/control.in: - Bump libglib2.0-dev build requirement. -- Emilio Pozuelo Monfort Thu, 23 Dec 2010 01:50:21 +0000 glib-networking (2.27.4-1) experimental; urgency=low * Initial release. Closes: #607409. -- Emilio Pozuelo Monfort Sat, 18 Dec 2010 01:03:19 +0000 debian/source/0000775000000000000000000000000012314121601010457 5ustar debian/source/format0000664000000000000000000000001411503003564011673 0ustar 3.0 (quilt) debian/compat0000664000000000000000000000000211503003564010363 0ustar 8 debian/patches/0000775000000000000000000000000012656124041010620 5ustar debian/patches/alt-cert-chains.patch0000664000000000000000000003102712656124041014622 0ustar Backport of: From e9b2cc734d2d6c695d8c88fb82e499e60d7e44e8 Mon Sep 17 00:00:00 2001 
From: Carlos Garcia Campos Date: Wed, 26 Aug 2015 17:24:16 +0200 Subject: gnutls: Build the certificate chain recursively instead of using a loop We are currently checking every certificate in the chain and also looking for an issuer in the database for the last certificate of the chain. Now build_certificate_chain is called recursively so that for all issuers that fail, we also try to find an issuer in the database, instead of just for the last one. Pinned certificates are now handled by the caller since they are done only once for the first certificate. This fixes the case of fbcdn-dragon-a.akamaihd.net for which all the certificates in the chain are not anchored, but we can find an issuer in the database for the second certificate that is anchored. https://bugzilla.gnome.org/show_bug.cgi?id=750457 --- tls/gnutls/gtlsdatabase-gnutls.c | 211 +++++++++++++++++++-------------------- 1 file changed, 101 insertions(+), 110 deletions(-) Index: glib-networking-2.40.0/tls/gnutls/gtlsdatabase-gnutls.c =================================================================== --- glib-networking-2.40.0.orig/tls/gnutls/gtlsdatabase-gnutls.c 2016-02-08 09:35:54.840963980 -0500 +++ glib-networking-2.40.0/tls/gnutls/gtlsdatabase-gnutls.c 2016-02-08 09:36:49.293541238 -0500 @@ -32,12 +32,14 @@ G_DEFINE_ABSTRACT_TYPE (GTlsDatabaseGnutls, g_tls_database_gnutls, G_TYPE_TLS_DATABASE); +#define BUILD_CERTIFICATE_CHAIN_RECURSION_LIMIT 10 + enum { STATUS_FAILURE, STATUS_INCOMPLETE, STATUS_SELFSIGNED, - STATUS_PINNED, STATUS_ANCHORED, + STATUS_RECURSION_LIMIT_REACHED }; static void 
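Review bot: STATUS_RECURSION_LIMIT_REACHED and BUILD_CERTIFICATE_CHAIN_RECURSION_LIMIT are added here with no comment on how a caller must treat the new status. build_certificate_chain in the second hunk returns it without setting a GError, and the caller in the third hunk only tests `status == STATUS_FAILURE`. On that path `anchor` stays NULL, so whether an over-long chain fails closed depends on how the code after the third hunk verifies a chain without an anchor, which is not visible in this patch. I would document the contract at the enum, e.g. `/* chain deeper than the limit: no anchor found, must not be treated as verified */`. Also, `recursion_depth++ > BUILD_CERTIFICATE_CHAIN_RECURSION_LIMIT` lets eleven nested calls proceed rather than ten; `>=` would match the constant's name.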
@@ -55,137 +57,111 @@ static gint build_certificate_chain (GTlsDatabaseGnutls *self, - GTlsCertificateGnutls *chain, + GTlsCertificateGnutls *certificate, + GTlsCertificateGnutls *previous, + gboolean certificate_is_from_db, + guint recursion_depth, const gchar *purpose, GSocketConnectable *identity, GTlsInteraction *interaction, - GTlsDatabaseVerifyFlags flags, GCancellable *cancellable, GTlsCertificateGnutls **anchor, GError **error) { - - GTlsCertificateGnutls *certificate; - GTlsCertificateGnutls *previous; GTlsCertificate *issuer; - gboolean certificate_is_from_db; + gint status; - g_assert (anchor); - g_assert (chain); - g_assert (purpose); - g_assert (error); - g_assert (!*error); + if (recursion_depth++ > BUILD_CERTIFICATE_CHAIN_RECURSION_LIMIT) + return STATUS_RECURSION_LIMIT_REACHED; - /* - * Remember that the first certificate never changes in the chain. - * When we find a self-signed, pinned or anchored certificate, all - * issuers are truncated from the chain. - */ - - *anchor = NULL; - previous = NULL; - certificate = chain; - certificate_is_from_db = FALSE; + if (g_cancellable_set_error_if_cancelled (cancellable, error)) + return STATUS_FAILURE; - /* First check for pinned certificate */ + /* Look up whether this certificate is an anchor */ if (g_tls_database_gnutls_lookup_assertion (self, certificate, - G_TLS_DATABASE_GNUTLS_PINNED_CERTIFICATE, + G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE, purpose, identity, cancellable, error)) { g_tls_certificate_gnutls_set_issuer (certificate, NULL); - return STATUS_PINNED; + *anchor = certificate; + return STATUS_ANCHORED; } else if (*error) { return STATUS_FAILURE; } - for (;;) + /* Is it self-signed? 
*/ + if (is_self_signed (certificate)) { - if (g_cancellable_set_error_if_cancelled (cancellable, error)) - return STATUS_FAILURE; - - /* Look up whether this certificate is an anchor */ - if (g_tls_database_gnutls_lookup_assertion (self, certificate, - G_TLS_DATABASE_GNUTLS_ANCHORED_CERTIFICATE, - purpose, identity, cancellable, error)) - { - g_tls_certificate_gnutls_set_issuer (certificate, NULL); - *anchor = certificate; - return STATUS_ANCHORED; - } - else if (*error) - { - return STATUS_FAILURE; - } - - /* Is it self-signed? */ - if (is_self_signed (certificate)) + /* + * Since at this point we would fail with 'self-signed', can we replace + * this certificate with one from the database and do better? + */ + if (previous && !certificate_is_from_db) { - /* - * Since at this point we would fail with 'self-signed', can we replace - * this certificate with one from the database and do better? - */ - if (previous && !certificate_is_from_db) + issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self), + G_TLS_CERTIFICATE (previous), + interaction, + G_TLS_DATABASE_LOOKUP_NONE, + cancellable, error); + if (*error) { - issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self), - G_TLS_CERTIFICATE (previous), - interaction, - G_TLS_DATABASE_LOOKUP_NONE, - cancellable, error); - if (*error) - { - return STATUS_FAILURE; - } - else if (issuer) - { - /* Replaced with certificate in the db, restart step again with this certificate */ - g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); - g_tls_certificate_gnutls_set_issuer (previous, G_TLS_CERTIFICATE_GNUTLS (issuer)); - certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); - certificate_is_from_db = TRUE; - continue; - } + return STATUS_FAILURE; } + else if (issuer) + { + /* Replaced with certificate in the db, restart step again with this certificate */ + g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); + certificate = G_TLS_CERTIFICATE_GNUTLS 
(issuer); + g_tls_certificate_gnutls_set_issuer (previous, certificate); + g_object_unref (issuer); - g_tls_certificate_gnutls_set_issuer (certificate, NULL); - return STATUS_SELFSIGNED; + return build_certificate_chain (self, certificate, previous, TRUE, recursion_depth, + purpose, identity, interaction, cancellable, anchor, error); + } } - previous = certificate; + g_tls_certificate_gnutls_set_issuer (certificate, NULL); + return STATUS_SELFSIGNED; + } - /* Bring over the next certificate in the chain */ - issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (certificate)); - if (issuer) - { - g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); - certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); - certificate_is_from_db = FALSE; - } + previous = certificate; + + /* Bring over the next certificate in the chain */ + issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (certificate)); + if (issuer) + { + g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); + certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); - /* Search for the next certificate in chain */ - else + status = build_certificate_chain (self, certificate, previous, FALSE, recursion_depth, + purpose, identity, interaction, cancellable, anchor, error); + if (status != STATUS_INCOMPLETE) { - issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self), - G_TLS_CERTIFICATE (certificate), - interaction, - G_TLS_DATABASE_LOOKUP_NONE, - cancellable, error); - if (*error) - return STATUS_FAILURE; - else if (!issuer) - return STATUS_INCOMPLETE; - - /* Found a certificate in chain, use for next step */ - g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); - g_tls_certificate_gnutls_set_issuer (certificate, G_TLS_CERTIFICATE_GNUTLS (issuer)); - certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); - certificate_is_from_db = TRUE; - g_object_unref (issuer); + return status; } } - g_assert_not_reached (); + /* Search for the next 
certificate in chain */ + issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (self), + G_TLS_CERTIFICATE (certificate), + interaction, + G_TLS_DATABASE_LOOKUP_NONE, + cancellable, error); + if (*error) + return STATUS_FAILURE; + + if (!issuer) + return STATUS_INCOMPLETE; + + g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (issuer), STATUS_FAILURE); + g_tls_certificate_gnutls_set_issuer (certificate, G_TLS_CERTIFICATE_GNUTLS (issuer)); + certificate = G_TLS_CERTIFICATE_GNUTLS (issuer); + g_object_unref (issuer); + + return build_certificate_chain (self, certificate, previous, TRUE, recursion_depth, + purpose, identity, interaction, cancellable, anchor, error); } static GTlsCertificateFlags 
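Review bot: build_certificate_chain still dereferences `*error` after both lookups and writes `*anchor`, but this rewrite drops the `g_assert (anchor)`, `g_assert (error)` and `g_assert (!*error)` guards. The one caller visible in this patch passes `&anchor` and `&err`, so this is a contract point rather than a live bug. I would keep `g_assert (anchor && error);` at the top, or state in a header comment that both out-parameters must be non-NULL. Separately, both database branches call `g_object_unref (issuer)` before recursing on `certificate`, which is only safe if g_tls_certificate_gnutls_set_issuer takes its own reference. That function is outside the patch, so a comment such as `/* set_issuer keeps a ref; safe to drop ours */` would make the lifetime explicit.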
@@ -250,33 +226,49 @@ { GTlsDatabaseGnutls *self; GTlsCertificateFlags result; + GTlsCertificateGnutls *certificate; GError *err = NULL; GTlsCertificateGnutls *anchor; guint gnutls_result; gnutls_x509_crt_t *certs, *anchors; guint certs_length, anchors_length; gint status, gerr; + guint recursion_depth = 0; g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (chain), G_TLS_CERTIFICATE_GENERIC_ERROR); + g_assert (purpose); self = G_TLS_DATABASE_GNUTLS (database); - anchor = NULL; + certificate = G_TLS_CERTIFICATE_GNUTLS (chain); - status = build_certificate_chain (self, G_TLS_CERTIFICATE_GNUTLS (chain), purpose, - identity, interaction, flags, cancellable, &anchor, &err); - if (status == STATUS_FAILURE) + /* First check for pinned certificate */ + if (g_tls_database_gnutls_lookup_assertion (self, certificate, + G_TLS_DATABASE_GNUTLS_PINNED_CERTIFICATE, + purpose, identity, cancellable, &err)) + { + /* + * A pinned certificate is verified on its own, without any further + * verification. + */ + g_tls_certificate_gnutls_set_issuer (certificate, NULL); + return 0; + } + + if (err) { g_propagate_error (error, err); return G_TLS_CERTIFICATE_GENERIC_ERROR; } - /* - * A pinned certificate is verified on its own, without any further - * verification. 
- */ - if (status == STATUS_PINNED) - return 0; + anchor = NULL; + status = build_certificate_chain (self, certificate, NULL, FALSE, recursion_depth, + purpose, identity, interaction, cancellable, &anchor, &err); + if (status == STATUS_FAILURE) + { + g_propagate_error (error, err); + return G_TLS_CERTIFICATE_GENERIC_ERROR; + } if (g_cancellable_set_error_if_cancelled (cancellable, error)) return G_TLS_CERTIFICATE_GENERIC_ERROR; debian/patches/series0000664000000000000000000000002612656122777012051 0ustar alt-cert-chains.patch debian/glib-networking-tests.install0000664000000000000000000000010212220545126015012 0ustar usr/share/installed-tests usr/lib/glib-networking/installed-tests debian/copyright0000664000000000000000000000445412243727350011137 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Source: http://ftp.gnome.org/pub/GNOME/sources/glib-networking/ Files: * Copyright: 2009-2010 Red Hat, Inc. 2010 Collabora, Ltd. License: LGPL-2+ Files: po/bg.po po/eo.po po/sl.po po/sv.po po/th.po po/tr.po Copyright: 2011-2013 Free Software Foundation License: LGPL-2+ Files: po/fi.po Copyright: 2011 Tommi Vainikainen License: LGPL-2+ Files: po/te.po Copyright: 2011-2012 Swecha Telugu Localisation team License: LGPL-2+ Files: po/vi.po Copyright: 2011 Free Software Foundation License: LGPL-2+ Files: tls/tests/mock-pkcs11.* Copyright: 2010 Stefan Walter 2011 Collabora Ltd. License: LGPL-2.1+ License: LGPL-2+ This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. . 
You should have received a copy of the GNU Lesser General Public License along with this library. If not, see . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/ LGPL-2". License: LGPL-2.1+ This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. . This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. . You should have received a copy of the GNU Lesser General Public License along with this library. If not, see . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/ LGPL-2.1". debian/watch0000664000000000000000000000016411646342666010240 0ustar version=3 http://ftp.gnome.org/pub/GNOME/sources/glib-networking/([\d\.]+[02468])/ \ glib-networking-(.*)\.tar\.xz debian/glib-networking-services.install0000664000000000000000000000007012220545126015477 0ustar usr/lib/glib-networking/glib-pacrunner usr/share/dbus-1 debian/tests/0000775000000000000000000000000012314121601010321 5ustar debian/tests/control0000664000000000000000000000017712306035076011744 0ustar Tests: installed-tests Restrictions: allow-stderr Depends: glib-networking-tests, dbus-x11, xvfb, xauth, gnome-desktop-testing debian/tests/installed-tests0000775000000000000000000000041412220545126013375 0ustar #!/bin/sh # autopkgtest check: Run the installed-tests to verify glib works correctly # (C) 2013 Canonical Ltd. 
# Author: Iain Lane set -e export XDG_RUNTIME_DIR=$ADTTMP dbus-launch xvfb-run -a gnome-desktop-testing-runner glib-networking debian/rules0000775000000000000000000000141112254313752010251 0ustar #!/usr/bin/make -f include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/rules/utils.mk include /usr/share/cdbs/1/class/gnome.mk include /usr/share/cdbs/1/rules/autoreconf.mk include /usr/share/gnome-pkg-tools/1/rules/uploaders.mk include /usr/share/gnome-pkg-tools/1/rules/gnome-get-source.mk DEB_MAKE_CHECK_TARGET = check DEB_CONFIGURE_EXTRA_FLAGS += --disable-static \ --with-libproxy \ --with-gnutls \ --with-pkcs11 \ --enable-installed-tests \ --enable-always-build-tests \ # Don't strip translations from the installed tests; makes them environment dependent. DEB_DH_TRANSLATIONS_ARGS = -Xinstalled-tests