[gtk-vnc] Add support for using GNUTLS system trust DB



commit f3a5ae9d4b182d5dd45e1b02de34ac666387123e
Author: Daniel P. Berrange <berrange redhat com>
Date:   Tue Aug 16 10:29:30 2016 +0100

    Add support for using GNUTLS system trust DB
    
    If using GNUTLS >= 3.0.0, we can fall back to using the
    system trust DB, if no explicit CA cert is provided.
    
    If an explicit CA is provided, we do *NOT* enable the
    system trust, because we don't want to allow arbitrary
    public CAs to issue bogus certs for VNC servers using
    a dedicated CA.
    
    Resolves: bz#759817
    Signed-off-by: Daniel P. Berrange <berrange redhat com>

 src/vncconnection.c |   25 ++++++++++++++++++-------
 1 files changed, 18 insertions(+), 7 deletions(-)
---
diff --git a/src/vncconnection.c b/src/vncconnection.c
index ab21d5d..9e7647e 100644
--- a/src/vncconnection.c
+++ b/src/vncconnection.c
@@ -1348,8 +1348,19 @@ static gnutls_certificate_credentials_t vnc_connection_tls_initialize_cert_cred(
             return NULL;
         }
     } else {
-        VNC_DEBUG("No CA certificate provided");
+#if GNUTLS_VERSION_NUMBER >= 0x030000
+        VNC_DEBUG("No CA certificate provided; trying the system trust store instead");
+
+        if ((ret = gnutls_certificate_set_x509_system_trust(x509_cred)) < 0) {
+            VNC_DEBUG("Cannot load system trust: %s", gnutls_strerror(ret));
+            return NULL;
+        }
+
+        VNC_DEBUG("Using the system trust store and CRL");
+#else
+        VNC_DEBUG("No CA certificate provided and system trust not supported");
         return NULL;
+#endif
     }
 
     if (priv->cred_x509_cert && priv->cred_x509_key) {
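Review bot: The new check at `if ((ret = gnutls_certificate_set_x509_system_trust(x509_cred)) < 0)` treats a return of 0 as success, but that function returns the number of CA certificates it loaded, so 0 means the system store was found but contributed nothing; the handshake will then fail later with a less obvious verification error instead of here. I would log that case explicitly, e.g. `if (ret == 0) VNC_DEBUG("System trust store contains no CA certificates");` after the error check, or treat it the same as the failure branch if an empty trust set is never acceptable for this connection. The follow-up message `"Using the system trust store and CRL"` also overstates what was set up: as far as I can tell this call installs the system's trusted CA list and does not by itself load CRLs, so `"Using the system trust store"` would be accurate. `ret` is declared and the function is opened outside this hunk.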
@@ -3457,15 +3468,15 @@ static gboolean vnc_connection_has_credentials(gpointer data)
     if (priv->want_cred_password && !priv->cred_password)
         return FALSE;
     /*
-     * For x509 we require a minimum of the CA cert.
-     * Anything else is a bonus - though the server
-     * may reject auth if it decides it wants a client
-     * cert. We can't express that based on auth type
-     * alone though - we'll merely find out when TLS
-     * negotiation takes place.
+     * For x509 we require a minimum of the CA cert
+     * if using GNUTLS < 3.0. With newer GNUTLS we'll
+     * fallback to the system trust, so don't need to
+     * explicitly check for a CA cert.
      */
+#if GNUTLS_VERSION_NUMBER < 0x030000
     if (priv->want_cred_x509 && !priv->cred_x509_cacert)
         return FALSE;
+#endif
     return TRUE;
 }
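Review bot: The GNUTLS version threshold `0x030000` is now spelled out in two places, here in `#if GNUTLS_VERSION_NUMBER < 0x030000` and in the credential setup hunk above, and the two tests must stay inverses of each other for the behaviour to be coherent (has_credentials returns TRUE without a CA only when the other path can actually fall back to the system trust). A single project-defined feature macro evaluated once (a constructed name such as `VNC_HAVE_GNUTLS_SYSTEM_TRUST`) and used in both `#if` blocks would make that coupling explicit and harder to break on a later edit. The rewritten comment could also say where the missing-CA case is now reported, e.g. `* If the system trust cannot be loaded, credential setup fails later instead.`, since a reader of this function no longer sees any CA check on the newer path. vnc_connection_has_credentials starts outside the hunk.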
 

