[glib-networking/mcatanzaro/tls-thread] progress
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/mcatanzaro/tls-thread] progress
- Date: Wed, 8 Jan 2020 22:49:05 +0000 (UTC)
commit e0c196831c832cdff1e007b3e0bba8d986aa6863
Author: Michael Catanzaro <mcatanzaro gnome org>
Date: Wed Jan 8 16:48:57 2020 -0600
progress
tls/base/gtlsoperationsthread-base.c | 2 -
tls/openssl/gtlsbio.c | 10 ++--
tls/openssl/gtlscertificate-openssl.c | 2 +-
tls/openssl/gtlsclientconnection-openssl.c | 94 ++++++++++++++----------------
tls/openssl/gtlsoperationsthread-openssl.c | 61 ++++++++++++++++++-
tls/openssl/gtlsserverconnection-openssl.c | 47 ---------------
6 files changed, 107 insertions(+), 109 deletions(-)
---
diff --git a/tls/base/gtlsoperationsthread-base.c b/tls/base/gtlsoperationsthread-base.c
index 4effd9d..8f89cd6 100644
--- a/tls/base/gtlsoperationsthread-base.c
+++ b/tls/base/gtlsoperationsthread-base.c
@@ -1660,8 +1660,6 @@ g_tls_operations_thread_base_class_init (GTlsOperationsThreadBaseClass *klass)
gobject_class->get_property = g_tls_operations_thread_base_get_property;
gobject_class->set_property = g_tls_operations_thread_base_set_property;
- klass->pop_io = g_tls_operations_thread_base_real_pop_io;
-
signals[REQUEST_CERTIFICATE] =
g_signal_new ("operations-thread-request-certificate",
G_TYPE_TLS_OPERATIONS_THREAD_BASE,
diff --git a/tls/openssl/gtlsbio.c b/tls/openssl/gtlsbio.c
index d1856f2..74bf2d0 100644
--- a/tls/openssl/gtlsbio.c
+++ b/tls/openssl/gtlsbio.c
@@ -38,7 +38,7 @@ free_gbio (gpointer user_data)
{
GTlsBio *bio = (GTlsBio *)user_data;
- g_assert (!cancellable);
+ g_assert (!bio->cancellable);
g_object_unref (bio->io_stream);
g_free (bio);
@@ -162,11 +162,11 @@ gtls_bio_write (BIO *bio,
in, inl,
FALSE,
gbio->cancellable,
- &gbio->error);
+ gbio->error);
if (written == -1)
{
- if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK))
+ if (g_error_matches (*gbio->error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK))
BIO_set_retry_write (bio);
}
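Review bot: `g_error_matches (*gbio->error, ...)` dereferences `gbio->error` without checking that it is non-NULL, and the field is now a `GError **` handed straight through as the out-parameter of the write call, which accepts NULL where this dereference would crash. Whether the field can be NULL is not visible in this hunk; if it can, guard it: `if (gbio->error && g_error_matches (*gbio->error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK))`. The gtls_bio_read hunk below has the identical pattern. gtls_bio_write begins before this hunk.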
@@ -201,11 +201,11 @@ gtls_bio_read (BIO *bio,
out, outl,
FALSE,
gbio->cancellable,
- &gbio->error);
+ gbio->error);
if (read == -1)
{
- if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK))
+ if (g_error_matches (*gbio->error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK))
BIO_set_retry_read (bio);
}
diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
index 9bc52f0..b0e1ed8 100644
--- a/tls/openssl/gtlscertificate-openssl.c
+++ b/tls/openssl/gtlscertificate-openssl.c
@@ -601,7 +601,7 @@ end:
return ret;
}
-GTlsCertificate *
+GTlsCertificateOpenssl *
g_tls_certificate_openssl_build_chain (X509 *x,
STACK_OF (X509) *chain)
{
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index d11013e..aace8b3 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -48,8 +48,7 @@ struct _GTlsClientConnectionOpenssl
GSocketConnectable *server_identity;
gboolean use_ssl3;
- STACK_OF (X509_NAME) *ca_list;
- gboolean ca_list_changed; /* FIXME: unused? */
+ GList *accepted_cas;
};
enum
@@ -73,16 +72,6 @@ G_DEFINE_TYPE_WITH_CODE (GTlsClientConnectionOpenssl, g_tls_client_connection_op
G_IMPLEMENT_INTERFACE (G_TYPE_TLS_CLIENT_CONNECTION,
g_tls_client_connection_openssl_client_connection_interface_init))
-static void
-g_tls_client_connection_openssl_finalize (GObject *object)
-{
- GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
-
- g_clear_object (&openssl->server_identity);
-
- G_OBJECT_CLASS (g_tls_client_connection_openssl_parent_class)->finalize (object);
-}
-
static const gchar *
get_server_identity (GTlsClientConnectionOpenssl *openssl)
{
@@ -94,6 +83,24 @@ get_server_identity (GTlsClientConnectionOpenssl *openssl)
return NULL;
}
+static void
+g_tls_client_connection_openssl_set_accepted_cas (GTlsConnectionBase *tls,
+ GList *accepted_cas)
+{
+ GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (tls);
+
+ if (openssl->accepted_cas)
+ g_list_free_full (openssl->accepted_cas, (GDestroyNotify)g_byte_array_unref);
+
+ openssl->accepted_cas = g_steal_pointer (&accepted_cas);
+}
+
+static void
+g_tls_client_connection_openssl_copy_session_state (GTlsClientConnection *conn,
+ GTlsClientConnection *source)
+{
+}
+
static void
g_tls_client_connection_openssl_get_property (GObject *object,
guint prop_id,
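Review bot: g_tls_client_connection_openssl_set_accepted_cas takes ownership of the list and of its GByteArray elements (it later frees them with g_byte_array_unref) but nothing documents that, so a caller that also frees the list would double-free. Add above the definition: `/* Takes ownership of @accepted_cas and its GByteArray elements; any previously stored list is released. */`. The `if (openssl->accepted_cas)` guard is redundant since g_list_free_full accepts NULL. The empty copy_session_state stub should carry a one-line comment stating that session state copying is intentionally unsupported here.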
@@ -101,8 +108,6 @@ g_tls_client_connection_openssl_get_property (GObject *object,
GParamSpec *pspec)
{
GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
- GList *accepted_cas;
- gint i;
switch (prop_id)
{
@@ -119,30 +124,7 @@ g_tls_client_connection_openssl_get_property (GObject *object,
break;
case PROP_ACCEPTED_CAS:
- accepted_cas = NULL;
- if (openssl->ca_list)
- {
- for (i = 0; i < sk_X509_NAME_num (openssl->ca_list); ++i)
- {
- int size;
-
- size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), NULL);
- if (size > 0)
- {
- unsigned char *ca;
-
- ca = g_malloc (size);
- size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &ca);
- if (size > 0)
- accepted_cas = g_list_prepend (accepted_cas, g_byte_array_new_take (
- ca, size));
- else
- g_free (ca);
- }
- }
- accepted_cas = g_list_reverse (accepted_cas);
- }
- g_value_set_pointer (value, accepted_cas);
+ g_value_set_pointer (value, g_list_copy (openssl->accepted_cas));
break;
default:
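Review bot: `g_list_copy (openssl->accepted_cas)` returns a list whose GByteArray elements are still owned by the connection, whereas the code it replaces handed out freshly allocated arrays; the accepted-cas getter in GIO is documented as transfer-full, so a caller that unrefs each element and frees the list (as the API tells it to) will free memory this object still holds and later unrefs again in finalize. Use a deep copy that takes a reference per element: `g_value_set_pointer (value, g_list_copy_deep (openssl->accepted_cas, (GCopyFunc)g_byte_array_ref, NULL));`. g_tls_client_connection_openssl_get_property starts and ends outside this hunk.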
@@ -192,35 +174,45 @@ g_tls_client_connection_openssl_set_property (GObject *object,
}
}
+static void
+g_tls_client_connection_openssl_finalize (GObject *object)
+{
+ GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
+
+ g_clear_object (&openssl->server_identity);
+
+ if (openssl->accepted_cas)
+ {
+ g_list_free_full (openssl->accepted_cas, (GDestroyNotify)g_byte_array_unref);
+ openssl->accepted_cas = NULL;
+ }
+
+ G_OBJECT_CLASS (g_tls_client_connection_openssl_parent_class)->finalize (object);
+}
+
+static void
+g_tls_client_connection_openssl_init (GTlsClientConnectionOpenssl *openssl)
+{
+}
+
static void
g_tls_client_connection_openssl_class_init (GTlsClientConnectionOpensslClass *klass)
{
GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
GTlsConnectionBaseClass *base_class = G_TLS_CONNECTION_BASE_CLASS (klass);
- GTlsConnectionOpensslClass *openssl_class = G_TLS_CONNECTION_OPENSSL_CLASS (klass);
gobject_class->finalize = g_tls_client_connection_openssl_finalize;
gobject_class->get_property = g_tls_client_connection_openssl_get_property;
gobject_class->set_property = g_tls_client_connection_openssl_set_property;
+ base_class->set_accepted_cas = g_tls_client_connection_openssl_set_accepted_cas;
+
g_object_class_override_property (gobject_class, PROP_VALIDATION_FLAGS, "validation-flags");
g_object_class_override_property (gobject_class, PROP_SERVER_IDENTITY, "server-identity");
g_object_class_override_property (gobject_class, PROP_USE_SSL3, "use-ssl3");
g_object_class_override_property (gobject_class, PROP_ACCEPTED_CAS, "accepted-cas");
}
-static void
-g_tls_client_connection_openssl_init (GTlsClientConnectionOpenssl *openssl)
-{
-}
-
-
-static void
-g_tls_client_connection_openssl_copy_session_state (GTlsClientConnection *conn,
- GTlsClientConnection *source)
-{
-}
-
static void
g_tls_client_connection_openssl_client_connection_interface_init (GTlsClientConnectionInterface *iface)
{
diff --git a/tls/openssl/gtlsoperationsthread-openssl.c b/tls/openssl/gtlsoperationsthread-openssl.c
index 7a5707f..bb33834 100644
--- a/tls/openssl/gtlsoperationsthread-openssl.c
+++ b/tls/openssl/gtlsoperationsthread-openssl.c
@@ -27,8 +27,6 @@
#include "config.h"
#include "gtlsoperationsthread-openssl.h"
-#include "gtlsconnection-openssl.h"
-
#include <glib/gi18n-lib.h>
#define DEFAULT_CIPHER_LIST "HIGH:!DSS:!aNULL@STRENGTH"
@@ -45,6 +43,9 @@ struct _GTlsOperationsThreadOpenssl {
SSL *ssl;
SSL_CTX *ssl_ctx;
+ STACK_OF (X509_NAME) *ca_list;
+ gboolean ca_list_changed;
+
/* Valid only during current operation. */
GTlsCertificate *op_own_certificate;
@@ -270,6 +271,17 @@ get_peer_certificate (GTlsOperationsThreadOpenssl *self)
return G_TLS_CERTIFICATE (chain);
}
+static int
+verify_callback (int preverify_ok,
+ X509_STORE_CTX *ctx)
+{
+ /* FIXME: The server connection currently accepts any client certificate.
+ * We should emit accept-certificate here and reject the certificate unless
+ * the callback returns TRUE.
+ */
+ return 1;
+}
+
static GTlsOperationStatus
g_tls_operations_thread_openssl_handshake (GTlsOperationsThreadBase *base,
HandshakeContext *context,
@@ -296,6 +308,28 @@ g_tls_operations_thread_openssl_handshake (GTlsOperationsThreadBase *base,
/* FIXME: Doesn't respect timeout. */
+ if (is_server (self))
+ {
+ int req_mode = 0;
+
+ switch (openssl->authentication_mode)
+ {
+ case G_TLS_AUTHENTICATION_REQUIRED:
+ req_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ break;
+ case G_TLS_AUTHENTICATION_REQUESTED:
+ req_mode = SSL_VERIFY_PEER;
+ break;
+ case G_TLS_AUTHENTICATION_NONE:
+ default:
+ req_mode = SSL_VERIFY_NONE;
+ break;
+
+ SSL_set_verify (self->ssl, req_mode, server_verify_callback);
+ SSL_set_verify_depth (self->ssl, 0);
+ }
+
+
self->handshake_context = context;
self->handshaking = TRUE;
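Review bot: The `switch (openssl->authentication_mode)` block is never closed: the `}` after `SSL_set_verify_depth` closes the switch rather than the `if (is_server (self))` block, leaving `SSL_set_verify`/`SSL_set_verify_depth` unreachable after the default case's `break;` and the if body open for the rest of the function; add `}` directly after the final `break;`. The callback is registered as `server_verify_callback`, but the function added in the previous hunk is named `verify_callback`, and `openssl` is not declared in anything visible here — confirm it is in scope in g_tls_operations_thread_openssl_handshake, which starts and ends outside this hunk. Since that callback returns 1 unconditionally, `req_mode` only decides whether a client certificate must be presented, never whether it is valid; that is worth a comment at the `SSL_set_verify` call, e.g. `/* verify_callback currently accepts every certificate; req_mode only enforces presence. */`, in addition to the FIXME on the callback itself.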
@@ -328,7 +362,28 @@ g_tls_operations_thread_openssl_handshake (GTlsOperationsThreadBase *base,
/* TODO: No support yet for ALPN. */
*negotiated_protocol = NULL;
- /* FIXME FIXME FIXME: accepted CAs */
+ if (self->ca_list)
+ {
+ for (i = 0; i < sk_X509_NAME_num (openssl->ca_list); ++i)
+ {
+ int size;
+
+ size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), NULL);
+ if (size > 0)
+ {
+ unsigned char *ca;
+
+ ca = g_malloc (size);
+ size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &ca);
+ if (size > 0)
+ *accepted_cas = g_list_prepend (*accepted_cas,
+ g_byte_array_new_take (ca, size));
+ else
+ g_free (ca);
+ }
+ }
+ *accepted_cas = g_list_reverse (*accepted_cas);
+ }
/* TODO: No support yet for session resumption. */
*session_resumed = FALSE;
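Review bot: `i2d_X509_NAME (..., &ca)` advances `ca` past the data it wrote, so `g_byte_array_new_take (ca, size)` receives a pointer to the end of the buffer and the GByteArray will later free an invalid address; this was inherited from the removed getter, but it is now the code under review. Encode through a temporary pointer and keep `ca` as the allocation start, as shown below. The condition tests `self->ca_list` while the loop reads `openssl->ca_list`, `i` is not declared in the hunk, and nothing in this diff assigns `self->ca_list` or reads `ca_list_changed` — confirm all three against the rest of the function, which starts and ends outside this hunk.
```c
  if (self->ca_list)
    {
      for (i = 0; i < sk_X509_NAME_num (self->ca_list); ++i)
        {
          X509_NAME *name = sk_X509_NAME_value (self->ca_list, i);
          int size = i2d_X509_NAME (name, NULL);

          if (size > 0)
            {
              unsigned char *ca = g_malloc (size);
              unsigned char *p = ca; /* i2d_* advances the output pointer; keep ca at the start */

              if (i2d_X509_NAME (name, &p) == size)
                *accepted_cas = g_list_prepend (*accepted_cas,
                                                g_byte_array_new_take (ca, size));
              else
                g_free (ca);
            }
        }
      *accepted_cas = g_list_reverse (*accepted_cas);
    }
```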
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index ead2b8a..ecd60f3 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -97,49 +97,6 @@ g_tls_server_connection_openssl_set_property (GObject *object,
}
}
-static int
-verify_callback (int preverify_ok,
- X509_STORE_CTX *ctx)
-{
- return 1;
-}
-
-static void
-g_tls_server_connection_openssl_prepare_handshake (GTlsConnectionBase *tls,
- gchar **advertised_protocols)
-{
- GTlsServerConnectionOpenssl *openssl = G_TLS_SERVER_CONNECTION_OPENSSL (tls);
- GTlsConnectionBaseClass *base_class = G_TLS_CONNECTION_BASE_CLASS
(g_tls_server_connection_openssl_parent_class);
- int req_mode = 0;
-
- switch (openssl->authentication_mode)
- {
- case G_TLS_AUTHENTICATION_REQUIRED:
- req_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- break;
- case G_TLS_AUTHENTICATION_REQUESTED:
- req_mode = SSL_VERIFY_PEER;
- break;
- case G_TLS_AUTHENTICATION_NONE:
- default:
- req_mode = SSL_VERIFY_NONE;
- break;
- }
-
- SSL_set_verify (openssl->ssl, req_mode, verify_callback);
- /* FIXME: is this ok? */
- SSL_set_verify_depth (openssl->ssl, 0);
-
- if (base_class->prepare_handshake)
- base_class->prepare_handshake (tls, advertised_protocols);
-}
-
-static SSL *
-g_tls_server_connection_openssl_get_ssl (GTlsConnectionOpenssl *connection)
-{
- return G_TLS_SERVER_CONNECTION_OPENSSL (connection)->ssl;
-}
-
#if OPENSSL_VERSION_NUMBER < 0x10002000L
static gboolean
ssl_ctx_set_certificate (SSL_CTX *ssl_ctx,
@@ -283,10 +240,6 @@ g_tls_server_connection_openssl_class_init (GTlsServerConnectionOpensslClass *kl
gobject_class->get_property = g_tls_server_connection_openssl_get_property;
gobject_class->set_property = g_tls_server_connection_openssl_set_property;
- base_class->prepare_handshake = g_tls_server_connection_openssl_prepare_handshake;
-
- connection_class->get_ssl = g_tls_server_connection_openssl_get_ssl;
-
g_object_class_override_property (gobject_class, PROP_AUTHENTICATION_MODE, "authentication-mode");
}