gtlsbackend: add support for setting the default TLS database

There are many cases where a default TLS database is not able to be defined within the constraints of a system. For example glib-networking (or glib-openssl) cannot retrieve the default certificate store on iOS or Android and need to be initialized from a cert file of certificates bundled with the application. Previously GStreamer was relying on a custom patch to glib-networking to populate the default database from the file pointed to by the CA_CERTIFICATES environment variable however the mechanism that enabled this was recently remove from glib-networking. Adding a more generic g_tls_backend_set_default_database() API allows application developers to override the default database using their own certificates as well as allowing equivalent functionality on Android/iOS (or others) as on the default database handling Linux. Fixes https://gitlab.gnome.org/GNOME/glib-networking/issues/35
2025-09-27 17:52:58 +02:00 · 2018-08-16 23:25:29 +10:00
parent 6545e7558c
commit b84951eb6f
8 changed files with 265 additions and 7 deletions
--- a/gio/gtlsbackend.c
+++ b/gio/gtlsbackend.c
@@ -21,6 +21,7 @@
 #include "glib.h"

 #include "gtlsbackend.h"
+#include "gtlsdatabase.h"
 #include "gdummytlsbackend.h"
 #include "gioenumtypes.h"
 #include "giomodule-priv.h"
@@ -84,6 +85,9 @@

 G_DEFINE_INTERFACE (GTlsBackend, g_tls_backend, G_TYPE_OBJECT)

+static GTlsDatabase *default_database;
+G_LOCK_DEFINE_STATIC (default_database_lock);
+
 static void
 g_tls_backend_default_init (GTlsBackendInterface *iface)
 {
@@ -161,13 +165,50 @@ g_tls_backend_supports_dtls (GTlsBackend *backend)
 GTlsDatabase *
 g_tls_backend_get_default_database (GTlsBackend *backend)
 {
+  GTlsDatabase *db;
+
  g_return_val_if_fail (G_IS_TLS_BACKEND (backend), NULL);

  /* This method was added later, so accept the (remote) possibility it can be NULL */
  if (!G_TLS_BACKEND_GET_INTERFACE (backend)->get_default_database)
    return NULL;

-  return G_TLS_BACKEND_GET_INTERFACE (backend)->get_default_database (backend);
+  G_LOCK (default_database_lock);
+
+  if (!default_database)
+    default_database = G_TLS_BACKEND_GET_INTERFACE (backend)->get_default_database (backend);
+  db = default_database ? g_object_ref (default_database) : NULL;
+  G_UNLOCK (default_database_lock);
+
+  return db;
+}
+
+/**
+ * g_tls_backend_set_default_database:
+ * @backend: the #GTlsBackend
+ * @database: (nullable): the #GTlsDatabase
+ *
+ * Set the default #GTlsDatabase used to verify TLS connections
+ *
+ * Any subsequent call to g_tls_backend_get_default_database() will return
+ * the database set in this call.  Existing databases and connections are not
+ * modified.
+ *
+ * Setting a %NULL default database will reset to using the system default
+ * database as if g_tls_backend_set_default_database() had never been called.
+ *
+ * Since: 2.60
+ */
+void
+g_tls_backend_set_default_database (GTlsBackend  *backend,
+                                    GTlsDatabase *database)
+{
+  g_return_if_fail (G_IS_TLS_BACKEND (backend));
+  g_return_if_fail (database == NULL || G_IS_TLS_DATABASE (database));
+
+  G_LOCK (default_database_lock);
+  g_set_object (&default_database, database);
+  G_UNLOCK (default_database_lock);
 }

 /**