[glib-networking/mcatanzaro/tls-thread] progress
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/mcatanzaro/tls-thread] progress
- Date: Tue, 7 Jan 2020 04:17:41 +0000 (UTC)
commit 250c1c526f15b9d6460fe030db6be08a50395538
Author: Michael Catanzaro <mcatanzaro gnome org>
Date: Mon Jan 6 22:17:38 2020 -0600
progress
tls/base/gtlsconnection-base.c | 2 +-
tls/base/gtlsoperationsthread-base.c | 39 +++--------
tls/base/gtlsoperationsthread-base.h | 9 ---
tls/gnutls/gtlsoperationsthread-gnutls.c | 20 +++---
tls/openssl/gtlsbio.c | 104 +++++----------------------
tls/openssl/gtlsbio.h | 16 +----
tls/openssl/gtlsclientconnection-openssl.c | 76 +++-----------------
tls/openssl/gtlsconnection-openssl.c | 109 +----------------------------
tls/openssl/gtlsconnection-openssl.h | 8 ---
tls/openssl/gtlsdatabase-openssl.c | 93 ------------------------
tls/openssl/gtlsdatabase-openssl.h | 4 --
tls/openssl/gtlsoperationsthread-openssl.c | 101 ++++++++++++++++++++------
12 files changed, 125 insertions(+), 456 deletions(-)
---
diff --git a/tls/base/gtlsconnection-base.c b/tls/base/gtlsconnection-base.c
index 9734038..2e1ee3f 100644
--- a/tls/base/gtlsconnection-base.c
+++ b/tls/base/gtlsconnection-base.c
@@ -1095,7 +1095,7 @@ g_tls_connection_base_condition_wait (GDatagramBased *datagram_based,
/* Convert from microseconds to milliseconds. */
if (timeout != -1)
- timeout = timeout / 1000;
+ timeout /= 1000;
start_time = g_get_monotonic_time ();
diff --git a/tls/base/gtlsoperationsthread-base.c b/tls/base/gtlsoperationsthread-base.c
index ba10240..4effd9d 100644
--- a/tls/base/gtlsoperationsthread-base.c
+++ b/tls/base/gtlsoperationsthread-base.c
@@ -365,26 +365,16 @@ has_performed_successful_posthandshake_op (GTlsOperationsThreadBase *self)
return ret;
}
-void
-g_tls_operations_thread_base_push_io (GTlsOperationsThreadBase *self,
- GIOCondition direction,
- GCancellable *cancellable)
-{
- /* FIXME: this is weird, can't we get rid of it on OpenSSL side? */
- if (G_TLS_OPERATIONS_THREAD_BASE_GET_CLASS (self)->push_io)
- {
- G_TLS_OPERATIONS_THREAD_BASE_GET_CLASS (self)->push_io (self, direction, cancellable);
- }
-}
-
-static GTlsOperationStatus
-g_tls_operations_thread_base_real_pop_io (GTlsOperationsThreadBase *self,
- GIOCondition direction,
- gboolean success,
- GError *op_error /* owned */,
- GError **error)
+GTlsOperationStatus
+g_tls_operations_thread_base_pop_io (GTlsOperationsThreadBase *self,
+ GIOCondition direction,
+ gboolean success,
+ GError *op_error /* owned */,
+ GError **error)
{
- /* This function MAY or MAY NOT set error when it fails! */
+ /* This function MAY or MAY NOT set error when it fails!
+ * FIXME: that is confusing.
+ */
if (success)
{
@@ -444,17 +434,6 @@ g_tls_operations_thread_base_real_pop_io (GTlsOperationsThreadBase *self,
return G_TLS_OPERATION_ERROR;
}
-GTlsOperationStatus
-g_tls_operations_thread_base_pop_io (GTlsOperationsThreadBase *self,
- GIOCondition direction,
- gboolean success,
- GError *op_error,
- GError **error)
-{
- return G_TLS_OPERATIONS_THREAD_BASE_GET_CLASS (self)->pop_io (self, direction,
- success, op_error, error);
-}
-
static HandshakeContext *
handshake_context_new (GTlsVerifyCertificateFunc verify_callback,
gpointer user_data)
diff --git a/tls/base/gtlsoperationsthread-base.h b/tls/base/gtlsoperationsthread-base.h
index 71f9662..3f4fdca 100644
--- a/tls/base/gtlsoperationsthread-base.h
+++ b/tls/base/gtlsoperationsthread-base.h
@@ -63,15 +63,6 @@ struct _GTlsOperationsThreadBaseClass
void (*set_server_identity) (GTlsOperationsThreadBase *self,
const gchar *server_identity);
- void (*push_io) (GTlsOperationsThreadBase *self,
- GIOCondition direction,
- GCancellable *cancellable);
- GTlsOperationStatus (*pop_io) (GTlsOperationsThreadBase *self,
- GIOCondition direction,
- gboolean success,
- GError *op_error,
- GError **error);
-
GTlsOperationStatus (*handshake_fn) (GTlsOperationsThreadBase *self,
HandshakeContext *context,
GTlsCertificate *own_certificate,
diff --git a/tls/gnutls/gtlsoperationsthread-gnutls.c b/tls/gnutls/gtlsoperationsthread-gnutls.c
index 2565e02..7970283 100644
--- a/tls/gnutls/gtlsoperationsthread-gnutls.c
+++ b/tls/gnutls/gtlsoperationsthread-gnutls.c
@@ -122,16 +122,12 @@ is_server (GTlsOperationsThreadGnutls *self)
static void
begin_gnutls_io (GTlsOperationsThreadGnutls *self,
- GIOCondition direction,
GCancellable *cancellable)
{
g_assert (!self->op_error);
g_assert (!self->op_cancellable);
self->op_cancellable = cancellable;
-
- g_tls_operations_thread_base_push_io (G_TLS_OPERATIONS_THREAD_BASE (self),
- direction, cancellable);
}
static GTlsOperationStatus
@@ -308,8 +304,8 @@ end_gnutls_io (GTlsOperationsThreadGnutls *self,
return G_TLS_OPERATION_ERROR;
}
-#define BEGIN_GNUTLS_IO(self, direction, cancellable) \
- begin_gnutls_io (self, direction, cancellable); \
+#define BEGIN_GNUTLS_IO(self, cancellable) \
+ begin_gnutls_io (self, cancellable); \
do {
#define END_GNUTLS_IO(self, direction, ret, status, errmsg, err) \
@@ -642,7 +638,7 @@ g_tls_operations_thread_gnutls_handshake (GTlsOperationsThreadBase *base,
self->handshaking = TRUE;
self->handshake_context = context;
- BEGIN_GNUTLS_IO (self, G_IO_IN | G_IO_OUT, cancellable);
+ BEGIN_GNUTLS_IO (self, cancellable);
ret = gnutls_handshake (self->session);
END_GNUTLS_IO (self, G_IO_IN | G_IO_OUT, ret, status,
_("Error performing TLS handshake"), error);
@@ -683,7 +679,7 @@ g_tls_operations_thread_gnutls_read (GTlsOperationsThreadBase *base,
GTlsOperationStatus status;
gssize ret;
- BEGIN_GNUTLS_IO (self, G_IO_IN, cancellable);
+ BEGIN_GNUTLS_IO (self, cancellable);
ret = gnutls_record_recv (self->session, buffer, size);
END_GNUTLS_IO (self, G_IO_IN, ret, status, _("Error reading data from TLS socket"), error);
@@ -729,7 +725,7 @@ g_tls_operations_thread_gnutls_read_message (GTlsOperationsThreadBase *base,
gssize ret;
gnutls_packet_t packet = { 0, };
- BEGIN_GNUTLS_IO (self, G_IO_IN, cancellable);
+ BEGIN_GNUTLS_IO (self, cancellable);
/* Receive the entire datagram (zero-copy). */
ret = gnutls_record_recv_packet (self->session, &packet);
@@ -761,7 +757,7 @@ g_tls_operations_thread_gnutls_write (GTlsOperationsThreadBase *base,
GTlsOperationStatus status;
gssize ret;
- BEGIN_GNUTLS_IO (self, G_IO_OUT, cancellable);
+ BEGIN_GNUTLS_IO (self, cancellable);
ret = gnutls_record_send (self->session, buffer, size);
END_GNUTLS_IO (self, G_IO_OUT, ret, status, _("Error writing data to TLS socket"), error);
@@ -824,7 +820,7 @@ g_tls_operations_thread_gnutls_write_message (GTlsOperationsThreadBase *base,
}
}
- BEGIN_GNUTLS_IO (self, G_IO_OUT, cancellable);
+ BEGIN_GNUTLS_IO (self, cancellable);
ret = gnutls_record_uncork (self->session, 0 /* flags */);
END_GNUTLS_IO (self, G_IO_OUT, ret, status, _("Error writing data to TLS socket"), error);
@@ -841,7 +837,7 @@ g_tls_operations_thread_gnutls_close (GTlsOperationsThreadBase *base,
GTlsOperationStatus status;
int ret;
- BEGIN_GNUTLS_IO (self, G_IO_IN | G_IO_OUT, cancellable);
+ BEGIN_GNUTLS_IO (self, cancellable);
ret = gnutls_bye (self->session, GNUTLS_SHUT_WR);
END_GNUTLS_IO (self, G_IO_IN | G_IO_OUT, ret, status, _("Error performing TLS close: %s"), error);
diff --git a/tls/openssl/gtlsbio.c b/tls/openssl/gtlsbio.c
index 710cb57..d1856f2 100644
--- a/tls/openssl/gtlsbio.c
+++ b/tls/openssl/gtlsbio.c
@@ -29,12 +29,8 @@
typedef struct {
GIOStream *io_stream;
- GCancellable *read_cancellable;
- GCancellable *write_cancellable;
- gboolean read_blocking;
- gboolean write_blocking;
- GError **read_error;
- GError **write_error;
+ GCancellable *cancellable;
+ GError **error;
} GTlsBio;
static void
@@ -42,6 +38,8 @@ free_gbio (gpointer user_data)
{
GTlsBio *bio = (GTlsBio *)user_data;
+ g_assert (!cancellable);
+
g_object_unref (bio->io_stream);
g_free (bio);
}
@@ -143,7 +141,6 @@ gtls_bio_write (BIO *bio,
{
GTlsBio *gbio;
gssize written;
- GError *error = NULL;
if (
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
@@ -163,16 +160,14 @@ gtls_bio_write (BIO *bio,
BIO_clear_retry_flags (bio);
written = g_pollable_stream_write (g_io_stream_get_output_stream (gbio->io_stream),
in, inl,
- gbio->write_blocking,
- gbio->write_cancellable,
- &error);
+ FALSE,
+ gbio->cancellable,
+ &gbio->error);
if (written == -1)
{
if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK))
BIO_set_retry_write (bio);
-
- g_propagate_error (gbio->write_error, error);
}
return written;
@@ -185,7 +180,6 @@ gtls_bio_read (BIO *bio,
{
GTlsBio *gbio;
gssize read;
- GError *error = NULL;
if (
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
@@ -205,16 +199,14 @@ gtls_bio_read (BIO *bio,
BIO_clear_retry_flags (bio);
read = g_pollable_stream_read (g_io_stream_get_input_stream (gbio->io_stream),
out, outl,
- gbio->read_blocking,
- gbio->read_cancellable,
- &error);
+ FALSE,
+ gbio->cancellable,
+ &gbio->error);
if (read == -1)
{
if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK))
BIO_set_retry_read (bio);
-
- g_propagate_error (gbio->read_error, error);
}
return read;
@@ -303,72 +295,8 @@ g_tls_bio_new (GIOStream *io_stream)
}
void
-g_tls_bio_set_read_cancellable (BIO *bio,
- GCancellable *cancellable)
-{
- GTlsBio *gbio;
-
- g_return_if_fail (bio);
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
- gbio = (GTlsBio *)bio->ptr;
-#else
- gbio = BIO_get_data (bio);
-#endif
- gbio->read_cancellable = cancellable;
-}
-
-void
-g_tls_bio_set_read_blocking (BIO *bio,
- gboolean blocking)
-{
- GTlsBio *gbio;
-
- g_return_if_fail (bio);
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
- gbio = (GTlsBio *)bio->ptr;
-#else
- gbio = BIO_get_data (bio);
-#endif
- gbio->read_blocking = blocking;
-}
-
-void
-g_tls_bio_set_read_error (BIO *bio,
- GError **error)
-{
- GTlsBio *gbio;
-
- g_return_if_fail (bio);
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
- gbio = (GTlsBio *)bio->ptr;
-#else
- gbio = BIO_get_data (bio);
-#endif
- gbio->read_error = error;
-}
-
-void
-g_tls_bio_set_write_cancellable (BIO *bio,
- GCancellable *cancellable)
-{
- GTlsBio *gbio;
-
- g_return_if_fail (bio);
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
- gbio = (GTlsBio *)bio->ptr;
-#else
- gbio = BIO_get_data (bio);
-#endif
- gbio->write_cancellable = cancellable;
-}
-
-void
-g_tls_bio_set_write_blocking (BIO *bio,
- gboolean blocking)
+g_tls_bio_set_cancellable (BIO *bio,
+ GCancellable *cancellable)
{
GTlsBio *gbio;
@@ -379,12 +307,12 @@ g_tls_bio_set_write_blocking (BIO *bio,
#else
gbio = BIO_get_data (bio);
#endif
- gbio->write_blocking = blocking;
+ gbio->cancellable = cancellable;
}
void
-g_tls_bio_set_write_error (BIO *bio,
- GError **error)
+g_tls_bio_set_error (BIO *bio,
+ GError **error)
{
GTlsBio *gbio;
@@ -395,5 +323,5 @@ g_tls_bio_set_write_error (BIO *bio,
#else
gbio = BIO_get_data (bio);
#endif
- gbio->write_error = error;
+ gbio->error = error;
}
diff --git a/tls/openssl/gtlsbio.h b/tls/openssl/gtlsbio.h
index 09dccd3..f2122dd 100644
--- a/tls/openssl/gtlsbio.h
+++ b/tls/openssl/gtlsbio.h
@@ -32,22 +32,10 @@ G_BEGIN_DECLS
BIO *g_tls_bio_new (GIOStream *io_stream);
-void g_tls_bio_set_read_cancellable (BIO *bio,
+void g_tls_bio_set_cancellable (BIO *bio,
GCancellable *cancellable);
-void g_tls_bio_set_read_blocking (BIO *bio,
- gboolean blocking);
-
-void g_tls_bio_set_read_error (BIO *bio,
- GError **error);
-
-void g_tls_bio_set_write_cancellable (BIO *bio,
- GCancellable *cancellable);
-
-void g_tls_bio_set_write_blocking (BIO *bio,
- gboolean blocking);
-
-void g_tls_bio_set_write_error (BIO *bio,
+void g_tls_bio_set_error (BIO *bio,
GError **error);
void g_tls_bio_wait_available (BIO *bio,
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index 5b31590..d11013e 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -47,13 +47,9 @@ struct _GTlsClientConnectionOpenssl
GTlsCertificateFlags validation_flags;
GSocketConnectable *server_identity;
gboolean use_ssl3;
- gboolean session_data_override;
-
- GBytes *session_id;
- GBytes *session_data;
STACK_OF (X509_NAME) *ca_list;
- gboolean ca_list_changed;
+ gboolean ca_list_changed; /* FIXME: unused? */
};
enum
@@ -83,8 +79,6 @@ g_tls_client_connection_openssl_finalize (GObject *object)
GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
g_clear_object (&openssl->server_identity);
- g_clear_pointer (&openssl->session_id, g_bytes_unref);
- g_clear_pointer (&openssl->session_data, g_bytes_unref);
G_OBJECT_CLASS (g_tls_client_connection_openssl_parent_class)->finalize (object);
}
@@ -102,9 +96,9 @@ get_server_identity (GTlsClientConnectionOpenssl *openssl)
static void
g_tls_client_connection_openssl_get_property (GObject *object,
- guint prop_id,
- GValue *value,
- GParamSpec *pspec)
+ guint prop_id,
+ GValue *value,
+ GParamSpec *pspec)
{
GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
GList *accepted_cas;
@@ -158,9 +152,9 @@ g_tls_client_connection_openssl_get_property (GObject *object,
static void
g_tls_client_connection_openssl_set_property (GObject *object,
- guint prop_id,
- const GValue *value,
- GParamSpec *pspec)
+ guint prop_id,
+ const GValue *value,
+ GParamSpec *pspec)
{
GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
const gchar *hostname;
@@ -176,7 +170,8 @@ g_tls_client_connection_openssl_set_property (GObject *object,
g_object_unref (openssl->server_identity);
openssl->server_identity = g_value_dup_object (value);
- // FIXME: should allow unsetting server identity on op thread, and for GnuTLS too
+ // FIXME: this only sets the server identinty.
+ // We must also allow unsetting server identity on op thread, and for GnuTLS too
hostname = get_server_identity (openssl);
if (hostname)
{
@@ -197,57 +192,6 @@ g_tls_client_connection_openssl_set_property (GObject *object,
}
}
-static GTlsCertificateFlags
-verify_ocsp_response (GTlsClientConnectionOpenssl *openssl,
- GTlsCertificate *peer_certificate)
-{
-#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
- SSL *ssl = NULL;
- OCSP_RESPONSE *resp = NULL;
- GTlsDatabase *database;
- long len = 0;
- unsigned char *p = NULL;
-
- ssl = g_tls_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (openssl));
- len = SSL_get_tlsext_status_ocsp_resp (ssl, &p);
- /* Soft fail in case of no response is the best we can do
- * FIXME: this makes it security theater, why bother with OCSP at all? */
- if (!p)
- return 0;
-
- resp = d2i_OCSP_RESPONSE (NULL, (const unsigned char **)&p, len);
- if (!resp)
- return G_TLS_CERTIFICATE_GENERIC_ERROR;
-
- database = g_tls_connection_get_database (G_TLS_CONNECTION (openssl));
-
- /* If there's no database, then G_TLS_CERTIFICATE_UNKNOWN_CA must be flagged,
- * and this function is only called if there are no flags.
- */
- g_assert (database);
-
- return g_tls_database_openssl_verify_ocsp_response (G_TLS_DATABASE_OPENSSL (database),
- peer_certificate,
- resp);
-#else
- return 0;
-#endif
-}
-
-// FIXME FIXME: looks important
-static GTlsCertificateFlags
-g_tls_client_connection_openssl_verify_peer_certificate (GTlsConnectionBase *tls,
- GTlsCertificate *certificate,
- GTlsCertificateFlags flags)
-{
- GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (tls);
-
- if (flags == 0)
- flags = verify_ocsp_response (openssl, certificate);
-
- return flags;
-}
-
static void
g_tls_client_connection_openssl_class_init (GTlsClientConnectionOpensslClass *klass)
{
@@ -259,8 +203,6 @@ g_tls_client_connection_openssl_class_init (GTlsClientConnectionOpensslClass *kl
gobject_class->get_property = g_tls_client_connection_openssl_get_property;
gobject_class->set_property = g_tls_client_connection_openssl_set_property;
- base_class->verify_peer_certificate = g_tls_client_connection_openssl_verify_peer_certificate;
-
g_object_class_override_property (gobject_class, PROP_VALIDATION_FLAGS, "validation-flags");
g_object_class_override_property (gobject_class, PROP_SERVER_IDENTITY, "server-identity");
g_object_class_override_property (gobject_class, PROP_USE_SSL3, "use-ssl3");
diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
index 8260232..cc403f2 100644
--- a/tls/openssl/gtlsconnection-openssl.c
+++ b/tls/openssl/gtlsconnection-openssl.c
@@ -28,6 +28,8 @@
#include "config.h"
#include "glib.h"
+/* FIXME: audit includes throughout the project */
+
#include <errno.h>
#include <stdarg.h>
#include "openssl-include.h"
@@ -43,7 +45,6 @@
typedef struct _GTlsConnectionOpensslPrivate
{
- BIO *bio;
} GTlsConnectionOpensslPrivate;
static GInitableIface *g_tls_connection_openssl_parent_initable_iface;
@@ -107,63 +108,6 @@ g_tls_connection_openssl_retrieve_peer_certificate (GTlsConnectionBase *tls)
return G_TLS_CERTIFICATE (chain);
}
-/* FIXME: move to op thread? */
-static void
-g_tls_connection_openssl_push_io (GTlsConnectionBase *tls,
- GIOCondition direction,
- gint64 timeout,
- GCancellable *cancellable)
-{
- GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
- GTlsConnectionOpensslPrivate *priv;
- GError **error;
-
- priv = g_tls_connection_openssl_get_instance_private (openssl);;
-
- /* FIXME: need to support timeout > 0
- * This will require changes in GTlsBio
- */
-
- if (direction & G_IO_IN)
- {
- error = g_tls_connection_base_get_read_error (tls);
- g_tls_bio_set_read_cancellable (priv->bio, cancellable);
- g_tls_bio_set_read_blocking (priv->bio, timeout == -1);
- g_clear_error (error);
- g_tls_bio_set_read_error (priv->bio, error);
- }
-
- if (direction & G_IO_OUT)
- {
- error = g_tls_connection_base_get_write_error (tls);
- g_tls_bio_set_write_cancellable (priv->bio, cancellable);
- g_tls_bio_set_write_blocking (priv->bio, timeout == -1);
- g_clear_error (error);
- g_tls_bio_set_write_error (priv->bio, error);
- }
-}
-
-static GTlsOperationStatus
-g_tls_connection_openssl_pop_io (GTlsConnectionBase *tls,
- GIOCondition direction,
- gboolean success,
- GError **error)
-{
- GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
- GTlsConnectionOpensslPrivate *priv;
-
- priv = g_tls_connection_openssl_get_instance_private (openssl);
-
- if (direction & G_IO_IN)
- g_tls_bio_set_read_cancellable (priv->bio, NULL);
-
- if (direction & G_IO_OUT)
- g_tls_bio_set_write_cancellable (priv->bio, NULL);
-
- return G_TLS_CONNECTION_BASE_CLASS (g_tls_connection_openssl_parent_class)->pop_io (tls, direction,
- success, error);
-}
-
static void
g_tls_connection_openssl_class_init (GTlsConnectionOpensslClass *klass)
{
@@ -172,44 +116,13 @@ g_tls_connection_openssl_class_init (GTlsConnectionOpensslClass *klass)
base_class->create_op_thread = g_tls_connection_openssl_create_op_thread;
/* FIXME: remove */
base_class->retrieve_peer_certificate =
g_tls_connection_openssl_retrieve_peer_certificate;
- base_class->push_io = g_tls_connection_openssl_push_io; /* FIXME: move
to op thread */
- base_class->pop_io = g_tls_connection_openssl_pop_io;
}
-static int data_index = -1;
-
static gboolean
g_tls_connection_openssl_initable_init (GInitable *initable,
GCancellable *cancellable,
GError **error)
{
- GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (initable);
- GTlsConnectionOpensslPrivate *priv;
- GTlsConnectionBase *tls = G_TLS_CONNECTION_BASE (initable);
- GIOStream *base_io_stream;
- SSL *ssl;
-
- g_object_get (tls,
- "base-io-stream", &base_io_stream,
- NULL);
- g_return_val_if_fail (base_io_stream, FALSE);
-
- priv = g_tls_connection_openssl_get_instance_private (openssl);
-
- ssl = g_tls_connection_openssl_get_ssl (openssl);
- g_assert (ssl);
-
- if (data_index == -1) {
- data_index = SSL_get_ex_new_index (0, (void *)"gtlsconnection", NULL, NULL, NULL);
- }
- SSL_set_ex_data (ssl, data_index, openssl);
-
- priv->bio = g_tls_bio_new (base_io_stream);
-
- SSL_set_bio (ssl, priv->bio, priv->bio);
-
- g_object_unref (base_io_stream);
-
return g_tls_connection_openssl_parent_initable_iface->init (initable, cancellable, error);
}
@@ -225,21 +138,3 @@ static void
g_tls_connection_openssl_init (GTlsConnectionOpenssl *openssl)
{
}
-
-// FIXME: remove
-SSL *
-g_tls_connection_openssl_get_ssl (GTlsConnectionOpenssl *openssl)
-{
- g_return_val_if_fail (G_IS_TLS_CONNECTION_OPENSSL (openssl), NULL);
-
- return G_TLS_CONNECTION_OPENSSL_GET_CLASS (openssl)->get_ssl (openssl);
-}
-
-// FIXME: remove
-GTlsConnectionOpenssl *
-g_tls_connection_openssl_get_connection_from_ssl (SSL *ssl)
-{
- g_return_val_if_fail (ssl, NULL);
-
- return SSL_get_ex_data (ssl, data_index);
-}
diff --git a/tls/openssl/gtlsconnection-openssl.h b/tls/openssl/gtlsconnection-openssl.h
index 6635b70..b71263f 100644
--- a/tls/openssl/gtlsconnection-openssl.h
+++ b/tls/openssl/gtlsconnection-openssl.h
@@ -39,14 +39,6 @@ G_DECLARE_DERIVABLE_TYPE (GTlsConnectionOpenssl, g_tls_connection_openssl, G, TL
struct _GTlsConnectionOpensslClass
{
GTlsConnectionBaseClass parent_class;
-
- /* FIXME: remove this */
- SSL *(*get_ssl) (GTlsConnectionOpenssl *connection);
};
-/* FIXME: remove this */
-SSL *g_tls_connection_openssl_get_ssl (GTlsConnectionOpenssl *connection);
-
-GTlsConnectionOpenssl *g_tls_connection_openssl_get_connection_from_ssl (SSL *ssl);
-
G_END_DECLS
diff --git a/tls/openssl/gtlsdatabase-openssl.c b/tls/openssl/gtlsdatabase-openssl.c
index 232bcef..61d607d 100644
--- a/tls/openssl/gtlsdatabase-openssl.c
+++ b/tls/openssl/gtlsdatabase-openssl.c
@@ -270,96 +270,3 @@ g_tls_database_openssl_new (GError **error)
return g_initable_new (G_TYPE_TLS_DATABASE_OPENSSL, NULL, error, NULL);
}
-
-GTlsCertificateFlags
-g_tls_database_openssl_verify_ocsp_response (GTlsDatabaseOpenssl *self,
- GTlsCertificate *chain,
- OCSP_RESPONSE *resp)
-{
- GTlsCertificateFlags errors = 0;
-#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
- !defined(OPENSSL_NO_OCSP)
- GTlsDatabaseOpensslPrivate *priv;
- STACK_OF(X509) *chain_openssl = NULL;
- OCSP_BASICRESP *basic_resp = NULL;
- int ocsp_status = 0;
- int i;
-
- ocsp_status = OCSP_response_status (resp);
- if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
- {
- errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
- goto end;
- }
-
- basic_resp = OCSP_response_get1_basic (resp);
- if (basic_resp == NULL)
- {
- errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
- goto end;
- }
-
- chain_openssl = convert_certificate_chain_to_openssl (G_TLS_CERTIFICATE_OPENSSL (chain));
- priv = g_tls_database_openssl_get_instance_private (self);
- if ((chain_openssl == NULL) ||
- (priv->store == NULL))
- {
- errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
- goto end;
- }
-
- if (OCSP_basic_verify (basic_resp, chain_openssl, priv->store, 0) <= 0)
- {
- errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
- goto end;
- }
-
- for (i = 0; i < OCSP_resp_count (basic_resp); i++)
- {
- OCSP_SINGLERESP *single_resp = OCSP_resp_get0 (basic_resp, i);
- ASN1_GENERALIZEDTIME *revocation_time = NULL;
- ASN1_GENERALIZEDTIME *this_update_time = NULL;
- ASN1_GENERALIZEDTIME *next_update_time = NULL;
- int crl_reason = 0;
- int cert_status = 0;
-
- if (single_resp == NULL)
- continue;
-
- cert_status = OCSP_single_get0_status (single_resp,
- &crl_reason,
- &revocation_time,
- &this_update_time,
- &next_update_time);
- if (!OCSP_check_validity (this_update_time,
- next_update_time,
- 300L,
- -1L))
- {
- errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
- goto end;
- }
-
- switch (cert_status)
- {
- case V_OCSP_CERTSTATUS_GOOD:
- break;
- case V_OCSP_CERTSTATUS_REVOKED:
- errors = G_TLS_CERTIFICATE_REVOKED;
- goto end;
- case V_OCSP_CERTSTATUS_UNKNOWN:
- errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
- goto end;
- }
- }
-
-end:
- if (basic_resp)
- OCSP_BASICRESP_free (basic_resp);
-
- if (resp)
- OCSP_RESPONSE_free (resp);
-
-#endif
- return errors;
-}
diff --git a/tls/openssl/gtlsdatabase-openssl.h b/tls/openssl/gtlsdatabase-openssl.h
index f3203c0..092fdee 100644
--- a/tls/openssl/gtlsdatabase-openssl.h
+++ b/tls/openssl/gtlsdatabase-openssl.h
@@ -46,8 +46,4 @@ struct _GTlsDatabaseOpensslClass
GTlsDatabaseOpenssl *g_tls_database_openssl_new (GError **error);
-GTlsCertificateFlags g_tls_database_openssl_verify_ocsp_response (GTlsDatabaseOpenssl *self,
- GTlsCertificate *chain,
- OCSP_RESPONSE *resp);
-
G_END_DECLS
diff --git a/tls/openssl/gtlsoperationsthread-openssl.c b/tls/openssl/gtlsoperationsthread-openssl.c
index e316541..ee4ae2e 100644
--- a/tls/openssl/gtlsoperationsthread-openssl.c
+++ b/tls/openssl/gtlsoperationsthread-openssl.c
@@ -40,10 +40,13 @@ struct _GTlsOperationsThreadOpenssl {
GTlsOperationsThreadType thread_type;
+ BIO *bio;
SSL_SESSION *session;
SSL *ssl;
SSL_CTX *ssl_ctx;
+ gboolean handshaking;
+ gboolean ever_handshaked;
gboolean shutting_down;
};
@@ -93,24 +96,36 @@ g_tls_operations_thread_openssl_set_server_identity (GTlsOperationsThreadBase *b
#endif
}
+static void
+begin_openssl_io (GTlsOperationsThreadOpenssl *self,
+ GCancellable *cancellable)
+{
+ g_tls_bio_set_cancellable (self->bio, cancellable);
+
+ /* FIXME: where exactly to store errors? */
+#if 0
+ error = g_tls_connection_base_get_read_error (tls);
+ g_clear_error (error);
+ g_tls_bio_set_read_error (priv->bio, error);
+#endif
+}
+
static GTlsOperationStatus
end_openssl_io (GTlsOperationsThreadOpenssl *self,
GIOCondition direction,
int ret,
GError **error,
- const char *err_prefix,
- const char *err_str)
+ const char *err_prefix)
{
- GTlsConnectionBase *tls;
int err_code, err, err_lib, reason;
GError *my_error = NULL;
GTlsOperationStatus status;
- tls = g_tls_operations_thread_base_get_connection (G_TLS_OPERATIONS_THREAD_BASE (self));
+ g_tls_bio_set_cancellable (self->bio, NULL);
- err_code = SSL_get_error (self->ssl, ret);
+ status = g_tls_operations_thread_base_pop_io (self, direction, ret > 0, &my_error);
- status = g_tls_connection_base_pop_io (tls, direction, ret > 0, &my_error);
+ err_code = SSL_get_error (self->ssl, ret);
if (err_code == SSL_ERROR_ZERO_RETURN)
return G_TLS_OPERATION_SUCCESS;
@@ -136,7 +151,7 @@ end_openssl_io (GTlsOperationsThreadOpenssl *self,
err_lib = ERR_GET_LIB (err);
reason = ERR_GET_REASON (err);
- if (g_tls_connection_base_is_handshaking (tls) && !g_tls_connection_base_ever_handshaked (tls))
+ if (self->handshaking && !self->ever_handshaked)
{
if (reason == SSL_R_BAD_PACKET_LENGTH ||
reason == SSL_R_UNKNOWN_ALERT_TYPE ||
@@ -208,25 +223,34 @@ end_openssl_io (GTlsOperationsThreadOpenssl *self,
g_message ("end_openssl_io %s: %d, %d, %d", G_IS_TLS_CLIENT_CONNECTION (tls) ? "client" : "server",
err_code, err_lib, reason);
if (error && !*error)
- *error = g_error_new (G_TLS_ERROR, G_TLS_ERROR_MISC, "%s: %s", err_prefix, err_str);
+ {
+ char error_str[256];
+ ERR_error_string_n (SSL_get_error (self->ssl, ret), error_str, sizeof (error_str));
+ *error = g_error_new (G_TLS_ERROR, G_TLS_ERROR_MISC, "%s: %s", err_prefix, err_str);
+ }
return G_TLS_OPERATION_ERROR;
}
-#define BEGIN_OPENSSL_IO(self, direction, cancellable) \
- do { \
- char error_str[256]; \
- g_tls_connection_base_push_io (g_tls_operations_thread_base_get_connection (G_TLS_OPERATIONS_THREAD_BASE
(self)), \
- direction, 0, cancellable);
+#define BEGIN_OPENSSL_IO(self, cancellable) \
+ do { \
+ begin_openssl_io (self, cancellable);
#define END_OPENSSL_IO(self, direction, ret, status, errmsg, err) \
- ERR_error_string_n (SSL_get_error (self->ssl, ret), error_str, sizeof (error_str)); \
- status = end_openssl_io (self, direction, ret, err, errmsg, error_str); \
+ status = end_openssl_io (self, direction, ret, err, errmsg); \
} while (status == G_TLS_OPERATION_TRY_AGAIN);
static GTlsOperationStatus
g_tls_operations_thread_openssl_handshake (GTlsOperationsThreadBase *base,
+ HandshakeContext *context,
+ GTlsCertificate *own_certificate,
+ const gchar **advertised_protocols,
+ GTlsAuthenticationMode auth_mode,
gint64 timeout,
+ gchar **negotiated_protocol,
+ GList **accepted_cas,
+ GTlsCertificate **peer_certificate,
+ gboolean *session_resumed,
GCancellable *cancellable,
GError **error)
{
@@ -234,21 +258,45 @@ g_tls_operations_thread_openssl_handshake (GTlsOperationsThreadBase *base,
GTlsOperationStatus status;
int ret;
- /* FIXME: doesn't respect timeout */
+ /* TODO: No support yet for client authentication. */
+ g_assert (!own_certificate);
- BEGIN_OPENSSL_IO (self, G_IO_IN | G_IO_OUT, cancellable);
+ /* TODO: No support yet for ALPN. */
+ g_assert (!advertised_protocols);
+
+ /* FIXME: Doesn't respect timeout. */
+
+ self->handshake_context = context;
+ self->handshaking = TRUE;
+
+ BEGIN_OPENSSL_IO (self, cancellable);
ret = SSL_do_handshake (ssl);
END_OPENSSL_IO (self, G_IO_IN | G_IO_OUT, ret, status,
_("Error performing TLS handshake"), error);
- /* FIXME: sabotage */
-#if 0
+ self->handshake_context = NULL;
+ self->handshaking = FALSE;
+
+ if (status == G_TLS_OPERATION_SUCCESS)
+ self->ever_handshaked = TRUE;
+
+ /* FIXME: this is really too late to be performing certificate verification.
+ * We should be doing it during the handshake.
+ */
if (ret > 0)
{
+ /* FIXME */
if (!g_tls_connection_base_handshake_thread_verify_certificate (G_TLS_CONNECTION_BASE (openssl)))
return G_TLS_OPERATION_ERROR;
}
-#endif
+
+ /* TODO: No support yet for ALPN. */
+ *negotiated_protocol = NULL;
+
+ /* FIXME FIXME FIXME: accepted CAs and peer_certificate */
+
+ /* TODO: No support yet for session resumption. */
+ *session_resumed = FALSE;
return status;
}
@@ -265,7 +313,7 @@ g_tls_operations_thread_openssl_read (GTlsOperationsThreadBase *base,
GTlsOperationStatus status;
gssize ret;
- BEGIN_OPENSSL_IO (self, G_IO_OUT, cancellable);
+ BEGIN_OPENSSL_IO (self, cancellable);
ret = SSL_read (self->ssl, buffer, size);
END_OPENSSL_IO (self, G_IO_OUT, ret, status,
_("Error reading data from TLS socket"), error);
@@ -287,7 +335,7 @@ g_tls_operations_thread_openssl_write (GTlsOperationsThreadBase *base,
GTlsOperationStatus status;
gssize ret;
- BEGIN_OPENSSL_IO (self, G_IO_OUT, cancellable);
+ BEGIN_OPENSSL_IO (self, cancellable);
ret = SSL_write (self->ssl, buffer, size);
END_OPENSSL_IO (self, G_IO_OUT, ret, status,
_("Error writing data to TLS socket"), error);
@@ -306,7 +354,7 @@ g_tls_operations_thread_openssl_close (GTlsOperationsThreadBase *base,
self->shutting_down = TRUE;
- BEGIN_OPENSSL_IO (self, G_IO_IN | G_IO_OUT, cancellable);
+ BEGIN_OPENSSL_IO (self, cancellable);
ret = SSL_shutdown (self->ssl);
/* Note it is documented that getting 0 is correct when shutting down since
* it means it will close the write direction
@@ -454,6 +502,7 @@ g_tls_operations_thread_openssl_initable_init (GInitable *initable,
GError **error)
{
GTlsOperationsThreadOpenssl *self = G_TLS_OPERATIONS_THREAD_OPENSSL (initable);
+ GIOStream *base_iostream = NULL;
long options;
const char *hostname;
GTlsCertificate *cert; /* FIXME: remove, become part of handshake op? */
@@ -462,8 +511,10 @@ g_tls_operations_thread_openssl_initable_init (GInitable *initable,
return FALSE;
g_object_get (self,
+ "base-io-stream", &base_iostream,
"thread-type", &self->thread_type,
NULL);
+ g_assert (base_iostream);
self->session = SSL_SESSION_new ();
self->ssl_ctx = SSL_CTX_new (is_client (self) ? SSLv23_client_method () : SSLv23_server_method ());
@@ -554,6 +605,10 @@ g_tls_operations_thread_openssl_initable_init (GInitable *initable,
return FALSE;
}
+ self->bio = g_tls_bio_new (base_iostream);
+ SSL_set_bio (ssl, self->bio, self->bio);
+ g_object_unref (base_io_stream);
+
if (data_index == -1)
data_index = SSL_get_ex_new_index (0, (void *)"gtlsoperationsthread", NULL, NULL, NULL);
SSL_set_ex_data (self->ssl, data_index, self);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
