[gnutls-devel] GnuTLS | lib/system/certs.c: Add support for SSL_CERT_DIR, SSL_CERT_FILE (!1541)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Feb 23 08:53:02 CET 2022
Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1541 was reviewed by Daiki Ueno

--
  
Daiki Ueno started a new discussion on lib/system/certs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1541#note_852052219

> +
> +# if defined(ANDROID) || defined(__ANDROID__)
> +#  define DEFAULT_TRUST_STORE_DIR "/system/etc/security/cacerts/"
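Review bot: the Android `#  define DEFAULT_TRUST_STORE_DIR` is unguarded, so a build that already passes `-DDEFAULT_TRUST_STORE_DIR=...` from configure gets the macro redefined with a different value, which compilers report as a redefinition warning (an error under `-Werror`). Wrapping it in `#ifndef DEFAULT_TRUST_STORE_DIR` would let a configure-time choice take precedence over the hard-coded Android path. The indented `# if` also shows this lives inside an enclosing `#if`, so the definition only takes effect when that outer condition already holds; that dependency deserves a one-line comment next to the define.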

What about moving this out of the outer `#if` block:
```c
#if defined(ANDROID) || defined(__ANDROID__)
# define DEFAULT_TRUST_STORE_DIR "/system/etc/security/cacerts/"
#endif

#if defined(DEFAULT_TRUST_STORE_DIR) || defined(DEFAULT_TRUST_STORE_FILE) || \
  (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11))
...
#endif
```
That way `defined(ANDROID) || defined(__ANDROID__)` is checked in a single place, though `load_revoked_certs` below might need to be conditionalized as well.

--
  
Daiki Ueno started a new discussion on lib/system/certs.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1541#note_852052246

> -	if (ret > 0)
> -		r += ret;
> +	if (r == 0) {
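Review bot: dropping `if (ret > 0) r += ret;` removes the one place where a negative `ret` was kept out of `r`, and the new `if (r == 0) {` gates the next branch on `r` alone; as far as these lines show, a failed load (negative `ret`) and an empty store (`ret == 0`) now look identical, so the code moves on to the next trust source without reporting the failure. Suggest keeping the error path explicit, e.g. `if (ret < 0) return ret;` ahead of the `r == 0` test, or documenting that falling through on error is intended, since an SSL_CERT_FILE that is silently ignored is hard to diagnose in deployment.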

What is the intention behind this check? Besides the fact that `r` is always 0 here, the following code also has this check, so I wonder if it was to make the trust store implementations (PKCS#11, SSL_CERT_DIR, SSL_CERT_FILE, default trust dir) mutually exclusive. In that case do we need to calculate the sum?





