[glib-networking/mcatanzaro/accept-certificate-null: 3/3] Don't emit accept-certificate with NULL GTlsCertificate



commit 80cb859072630674217b869319303947b4a4c3cb
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Sun Dec 29 18:09:05 2019 -0600

    Don't emit accept-certificate with NULL GTlsCertificate
    
    The certificate parameter of accept-certificate is not nullable, so it's
    wrong for us to emit accept-certificate with it NULL, but there's
    currently no code to prevent this from happening. Instead, a NULL
    certificate should mean the connection is automatically rejected if we
    are a client connection or a server connection using
    G_TLS_AUTHENTICATION_REQUIRED, or accepted for server connections using
    G_TLS_AUTHENTICATION_NONE or G_TLS_AUTHENTICATION_REQUESTED. Our
    existing test client-auth-request-none is sufficient to test that this
    works properly if we add one more assertion.

 tls/base/gtlsconnection-base.c | 62 ++++++++++++++++++++++++++----------------
 tls/tests/connection.c         |  3 ++
 2 files changed, 41 insertions(+), 24 deletions(-)
---
diff --git a/tls/base/gtlsconnection-base.c b/tls/base/gtlsconnection-base.c
index 6a885d1..93cfc8e 100644
--- a/tls/base/gtlsconnection-base.c
+++ b/tls/base/gtlsconnection-base.c
@@ -1319,38 +1319,52 @@ accept_or_reject_peer_certificate (gpointer user_data)
 
   update_peer_certificate_and_compute_errors (tls);
 
-  if (G_IS_TLS_CLIENT_CONNECTION (tls) && priv->peer_certificate)
+  if (priv->peer_certificate)
     {
-      GTlsCertificateFlags validation_flags;
+      if (G_IS_TLS_CLIENT_CONNECTION (tls))
+        {
+          GTlsCertificateFlags validation_flags;
 
-      if (!g_tls_connection_base_is_dtls (tls))
-        validation_flags =
-          g_tls_client_connection_get_validation_flags (G_TLS_CLIENT_CONNECTION (tls));
-      else
-        validation_flags =
-          g_dtls_client_connection_get_validation_flags (G_DTLS_CLIENT_CONNECTION (tls));
+          if (!g_tls_connection_base_is_dtls (tls))
+            validation_flags =
+              g_tls_client_connection_get_validation_flags (G_TLS_CLIENT_CONNECTION (tls));
+          else
+            validation_flags =
+              g_dtls_client_connection_get_validation_flags (G_DTLS_CLIENT_CONNECTION (tls));
 
-      if ((priv->peer_certificate_errors & validation_flags) == 0)
-        accepted = TRUE;
-    }
+          if ((priv->peer_certificate_errors & validation_flags) == 0)
+            accepted = TRUE;
+        }
 
-  if (!accepted)
-    {
-      gboolean sync_handshake_in_progress;
+      if (!accepted)
+        {
+          gboolean sync_handshake_in_progress;
 
-      g_mutex_lock (&priv->op_mutex);
-      sync_handshake_in_progress = priv->sync_handshake_in_progress;
-      g_mutex_unlock (&priv->op_mutex);
+          g_mutex_lock (&priv->op_mutex);
+          sync_handshake_in_progress = priv->sync_handshake_in_progress;
+          g_mutex_unlock (&priv->op_mutex);
 
-      if (sync_handshake_in_progress)
-        g_main_context_pop_thread_default (priv->handshake_context);
+          if (sync_handshake_in_progress)
+            g_main_context_pop_thread_default (priv->handshake_context);
 
-      accepted = g_tls_connection_emit_accept_certificate (G_TLS_CONNECTION (tls),
-                                                           priv->peer_certificate,
-                                                           priv->peer_certificate_errors);
+          accepted = g_tls_connection_emit_accept_certificate (G_TLS_CONNECTION (tls),
+                                                               priv->peer_certificate,
+                                                               priv->peer_certificate_errors);
 
-      if (sync_handshake_in_progress)
-        g_main_context_push_thread_default (priv->handshake_context);
+          if (sync_handshake_in_progress)
+            g_main_context_push_thread_default (priv->handshake_context);
+        }
+    }
+  else if (G_IS_TLS_SERVER_CONNECTION (tls))
+    {
+      GTlsAuthenticationMode mode = 0;
+
+      g_object_get (tls,
+                    "authentication-mode", &mode,
+                    NULL);
+
+      if (mode != G_TLS_AUTHENTICATION_REQUIRED)
+        accepted = TRUE;
     }
 
   priv->peer_certificate_accepted = accepted;
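Review bot: In the new `else if (G_IS_TLS_SERVER_CONNECTION (tls))` branch, `mode` is initialized to the literal `0`, which is the value of G_TLS_AUTHENTICATION_NONE, so if `g_object_get` ever left it unset the no-certificate path would accept the peer. Initializing it fail-closed, `GTlsAuthenticationMode mode = G_TLS_AUTHENTICATION_REQUIRED;`, gives identical behaviour whenever the property is read and rejects otherwise. Rejecting a client connection that has a NULL certificate depends on `accepted` still holding its initial value, which is declared outside this hunk and presumably FALSE. A comment above the `else if`, such as `/* No peer certificate: clients reject (accepted stays FALSE); servers accept unless authentication-mode is REQUIRED. */`, would make that explicit. The body of accept_or_reject_peer_certificate starts and ends outside the hunk.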
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index 86e425f..b900062 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -211,6 +211,9 @@ on_accept_certificate (GTlsConnection       *conn,
                        gpointer              user_data)
 {
   TestConnection *test = user_data;
+
+  g_assert_true (G_IS_TLS_CERTIFICATE (cert));
+
   return errors == test->accept_flags;
 }
 
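Review bot: The added `g_assert_true (G_IS_TLS_CERTIFICATE (cert));` in on_accept_certificate has no comment saying what it guards. It also runs only when the handler is called, so it catches a NULL emission but does not check the outcome of a handshake with no certificate. A one-line comment above it, such as `/* accept-certificate must never be emitted without a peer certificate. */`, would record the intent. The hunk does not show whether the reject paths (no certificate with G_TLS_AUTHENTICATION_REQUIRED, or a client that receives no server certificate) are asserted elsewhere in this file, so that is worth confirming.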

