[glib-networking/mcatanzaro/tls-thread] progress
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/mcatanzaro/tls-thread] progress
- Date: Wed, 8 Jan 2020 23:25:10 +0000 (UTC)
commit 6a868411c9e44013d477110f45c75744f9e55f1b
Author: Michael Catanzaro <mcatanzaro gnome org>
Date: Wed Jan 8 17:23:39 2020 -0600
progress
tls/gnutls/gtlsoperationsthread-gnutls.c | 18 +--
tls/openssl/gtlsclientconnection-openssl.c | 2 +-
tls/openssl/gtlsoperationsthread-openssl.c | 231 ++++++++++++++++++++++-------
tls/openssl/gtlsserverconnection-openssl.c | 147 +-----------------
4 files changed, 188 insertions(+), 210 deletions(-)
---
diff --git a/tls/gnutls/gtlsoperationsthread-gnutls.c b/tls/gnutls/gtlsoperationsthread-gnutls.c
index 7970283..7e7f279 100644
--- a/tls/gnutls/gtlsoperationsthread-gnutls.c
+++ b/tls/gnutls/gtlsoperationsthread-gnutls.c
@@ -1162,14 +1162,14 @@ get_own_certificate_internals (GTlsOperationsThreadGnutls *self,
}
static int
-retrieve_certificate_cb (gnutls_session_t session,
- const gnutls_datum_t *req_ca_rdn,
- int nreqs,
- const gnutls_pk_algorithm_t *pk_algos,
- int pk_algos_length,
- gnutls_pcert_st **pcert,
- unsigned int *pcert_length,
- gnutls_privkey_t *pkey)
+retrieve_own_certificate_cb (gnutls_session_t session,
+ const gnutls_datum_t *req_ca_rdn,
+ int nreqs,
+ const gnutls_pk_algorithm_t *pk_algos,
+ int pk_algos_length,
+ gnutls_pcert_st **pcert,
+ unsigned int *pcert_length,
+ gnutls_privkey_t *pkey)
{
GTlsOperationsThreadGnutls *self = gnutls_transport_get_ptr (session);
GByteArray *dn;
@@ -1347,7 +1347,7 @@ g_tls_operations_thread_gnutls_initable_init (GInitable *initable,
gnutls_strerror (ret));
return FALSE;
}
- gnutls_certificate_set_retrieve_function2 (self->creds, retrieve_certificate_cb);
+ gnutls_certificate_set_retrieve_function2 (self->creds, retrieve_own_certificate_cb);
gnutls_init (&self->session, self->init_flags);
diff --git a/tls/openssl/gtlsclientconnection-openssl.c b/tls/openssl/gtlsclientconnection-openssl.c
index aace8b3..f5f9724 100644
--- a/tls/openssl/gtlsclientconnection-openssl.c
+++ b/tls/openssl/gtlsclientconnection-openssl.c
@@ -224,7 +224,7 @@ g_tls_client_connection_openssl_initable_init (GInitable *initable,
GCancellable *cancellable,
GError **error)
{
- GTlsClientConnectionOpenssl *client;
+ GTlsClientConnectionOpenssl *client = G_TLS_CLIENT_CONNECTION_OPENSSL (initable);
GTlsOperationsThreadBase *thread;
const gchar *hostname;
diff --git a/tls/openssl/gtlsoperationsthread-openssl.c b/tls/openssl/gtlsoperationsthread-openssl.c
index bb33834..6e2491a 100644
--- a/tls/openssl/gtlsoperationsthread-openssl.c
+++ b/tls/openssl/gtlsoperationsthread-openssl.c
@@ -27,6 +27,9 @@
#include "config.h"
#include "gtlsoperationsthread-openssl.h"
+#include "gtlsbio.h"
+#include "gtlscertificate-openssl.h"
+
#include <glib/gi18n-lib.h>
#define DEFAULT_CIPHER_LIST "HIGH:!DSS:!aNULL@STRENGTH"
@@ -48,6 +51,7 @@ struct _GTlsOperationsThreadOpenssl {
/* Valid only during current operation. */
GTlsCertificate *op_own_certificate;
+ GError *op_error;
gboolean handshaking;
gboolean ever_handshaked;
@@ -75,6 +79,17 @@ is_server (GTlsOperationsThreadOpenssl *self)
return self->thread_type == G_TLS_OPERATIONS_THREAD_SERVER;
}
+static GTlsCertificate *
+g_tls_operations_thread_openssl_copy_certificate (GTlsOperationsThreadBase *base,
+ GTlsCertificate *cert)
+{
+ /* FIXME: need a real copy to avoid sharing the certificate across threads.
+ * Copy must copy private key. Must copy ENTIRE CHAIN including issuers.
+ */
+
+ return cert ? g_object_ref (cert) : NULL;
+}
+
static void
g_tls_operations_thread_openssl_set_server_identity (GTlsOperationsThreadBase *base,
const gchar *server_identity)
@@ -106,12 +121,8 @@ begin_openssl_io (GTlsOperationsThreadOpenssl *self,
{
g_tls_bio_set_cancellable (self->bio, cancellable);
- /* FIXME: where exactly to store errors? */
-#if 0
- error = g_tls_connection_base_get_read_error (tls);
- g_clear_error (error);
- g_tls_bio_set_read_error (priv->bio, error);
-#endif
+ g_assert (!self->op_error);
+ g_tls_bio_set_error (self->bio, &self->op_error);
}
static GTlsOperationStatus
@@ -127,7 +138,10 @@ end_openssl_io (GTlsOperationsThreadOpenssl *self,
g_tls_bio_set_cancellable (self->bio, NULL);
- status = g_tls_operations_thread_base_pop_io (self, direction, ret > 0, &my_error);
+ status = g_tls_operations_thread_base_pop_io (G_TLS_OPERATIONS_THREAD_BASE (self),
+ direction, ret > 0,
+ g_steal_pointer (&self->op_error),
+ &my_error);
err_code = SSL_get_error (self->ssl, ret);
@@ -224,13 +238,13 @@ end_openssl_io (GTlsOperationsThreadOpenssl *self,
g_propagate_error (error, my_error);
else
/* FIXME: this is just for debug */
- g_message ("end_openssl_io %s: %d, %d, %d", G_IS_TLS_CLIENT_CONNECTION (tls) ? "client" : "server",
err_code, err_lib, reason);
+ g_message ("end_openssl_io %s: %d, %d, %d", is_client (self) ? "client" : "server", err_code, err_lib,
reason);
if (error && !*error)
{
char error_str[256];
ERR_error_string_n (SSL_get_error (self->ssl, ret), error_str, sizeof (error_str));
- *error = g_error_new (G_TLS_ERROR, G_TLS_ERROR_MISC, "%s: %s", err_prefix, err_str);
+ *error = g_error_new (G_TLS_ERROR, G_TLS_ERROR_MISC, "%s: %s", err_prefix, error_str);
}
return G_TLS_OPERATION_ERROR;
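Review bot: The corrected line `*error = g_error_new (G_TLS_ERROR, G_TLS_ERROR_MISC, "%s: %s", err_prefix, error_str);` still reports the wrong thing, because error_str is filled two lines above from `SSL_get_error (self->ssl, ret)`, which yields an SSL_ERROR_* category value, while ERR_error_string_n() expects a packed error-queue code of the kind ERR_get_error() returns (the form the new ssl_set_certificate helper in this same commit uses). The message handed to callers therefore names an unrelated library and reason, which makes handshake failures hard to diagnose from logs. Using `ERR_error_string_n (ERR_get_error (), error_str, sizeof (error_str));` would make the text agree with the err_code/err_lib/reason values logged just above, which presumably come from the same queue. end_openssl_io starts and ends outside this hunk.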
@@ -244,13 +258,131 @@ end_openssl_io (GTlsOperationsThreadOpenssl *self,
status = end_openssl_io (self, direction, ret, err, errmsg); \
} while (status == G_TLS_OPERATION_TRY_AGAIN);
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
+static gboolean
+ssl_set_certificate (SSL *ssl,
+ GTlsCertificate *cert,
+ GError **error)
+{
+ EVP_PKEY *key;
+ X509 *x;
+ GTlsCertificate *issuer;
+
+ key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
+
+ if (!key)
+ {
+ g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+ _("Certificate has no private key"));
+ return FALSE;
+ }
+
+ /* Note, order is important. If a certificate has been set previously,
+ * OpenSSL requires that the new certificate is set _before_ the new
+ * private key is set.
+ */
+ x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert));
+ if (SSL_use_certificate (ssl, x) <= 0)
+ {
+ g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+ _("There is a problem with the certificate: %s"),
+ ERR_error_string (ERR_get_error (), NULL));
+ return FALSE;
+ }
+
+ if (SSL_use_PrivateKey (ssl, key) <= 0)
+ {
+ g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+ _("There is a problem with the certificate private key: %s"),
+ ERR_error_string (ERR_get_error (), NULL));
+ return FALSE;
+ }
+
+ if (SSL_clear_chain_certs (ssl) == 0)
+ g_warning ("There was a problem clearing the chain certificates: %s",
+ ERR_error_string (ERR_get_error (), NULL));
+
+ /* Add all the issuers to create the full certificate chain */
+ for (issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (cert));
+ issuer;
+ issuer = g_tls_certificate_get_issuer (issuer))
+ {
+ X509 *issuer_x;
+
+ issuer_x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (issuer));
+
+ /* Be careful here and duplicate the certificate since the ssl object
+ * will take the ownership
+ */
+ if (SSL_add1_chain_cert (ssl, issuer_x) == 0)
+ g_warning ("There was a problem adding the chain certificate: %s",
+ ERR_error_string (ERR_get_error (), NULL));
+ }
+
+ return TRUE;
+}
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+static gboolean
+ssl_ctx_set_certificate (SSL_CTX *ssl_ctx,
+ GTlsCertificate *cert,
+ GError **error)
+{
+ EVP_PKEY *key;
+ X509 *x;
+ GTlsCertificate *issuer;
+
+ key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
+
+ if (!key)
+ {
+ g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+ _("Certificate has no private key"));
+ return FALSE;
+ }
+
+ if (SSL_CTX_use_PrivateKey (ssl_ctx, key) <= 0)
+ {
+ g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+ _("There is a problem with the certificate private key: %s"),
+ ERR_error_string (ERR_get_error (), NULL));
+ return FALSE;
+ }
+
+ x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert));
+ if (SSL_CTX_use_certificate (ssl_ctx, x) <= 0)
+ {
+ g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
+ _("There is a problem with the certificate: %s"),
+ ERR_error_string (ERR_get_error (), NULL));
+ return FALSE;
+ }
+
+ /* Add all the issuers to create the full certificate chain */
+ for (issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (cert));
+ issuer;
+ issuer = g_tls_certificate_get_issuer (issuer))
+ {
+ X509 *issuer_x;
+
+ /* Be careful here and duplicate the certificate since the context
+ * will take the ownership
+ */
+ issuer_x = X509_dup (g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (issuer)));
+ if (!SSL_CTX_add_extra_chain_cert (ssl_ctx, issuer_x))
+ g_warning ("There was a problem adding the extra chain certificate: %s",
+ ERR_error_string (ERR_get_error (), NULL));
+ }
+}
+#endif
+
static GTlsCertificate *
get_peer_certificate (GTlsOperationsThreadOpenssl *self)
{
X509 *peer;
STACK_OF (X509) *certs;
GTlsCertificateOpenssl *chain;
- SSL *ssl;
peer = SSL_get_peer_certificate (self->ssl);
if (!peer)
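Review bot: The new `ssl_ctx_set_certificate` (the OPENSSL_VERSION_NUMBER < 0x10002000L variant) falls off the end without returning a value: after the issuer loop the function simply closes, so the handshake's `if (!ssl_ctx_set_certificate (...))` reads an indeterminate gboolean, which is undefined behaviour for a non-void function and can silently treat a failed certificate install as success. Add `return TRUE;` after the loop, mirroring `ssl_set_certificate` above it; the defect is carried over from the copy deleted in gtlsserverconnection-openssl.c, so the move is the right moment to fix it. Separately, the comment "Be careful here and duplicate the certificate since the ssl object will take the ownership" in `ssl_set_certificate` no longer matches the code beneath it, which passes issuer_x straight to SSL_add1_chain_cert without an X509_dup; it should instead say that SSL_add1_chain_cert takes its own reference, which is why no duplicate is needed there, in contrast to the SSL_CTX_add_extra_chain_cert path.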
@@ -272,8 +404,8 @@ get_peer_certificate (GTlsOperationsThreadOpenssl *self)
}
static int
-verify_callback (int preverify_ok,
- X509_STORE_CTX *ctx)
+server_verify_callback (int preverify_ok,
+ X509_STORE_CTX *ctx)
{
/* FIXME: The server connection currently accepts any client certificate.
* We should emit accept-certificate here and reject the certificate unless
@@ -298,21 +430,31 @@ g_tls_operations_thread_openssl_handshake (GTlsOperationsThreadBase *base,
{
GTlsOperationsThreadOpenssl *self = G_TLS_OPERATIONS_THREAD_OPENSSL (base);
GTlsOperationStatus status;
- gboolean accepted = FALSE;
int ret;
+ /* FIXME: The handshake doesn't respect timeout. */
+
self->op_own_certificate = own_certificate;
+ if (is_server (self) && self->op_own_certificate)
+ {
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
+ if (!ssl_set_certificate (self->ssl, self->op_own_certificate, error))
+ return G_TLS_OPERATION_ERROR;
+#else
+ if (!ssl_ctx_set_certificate (server->ssl_ctx, self->op_own_certificate, error))
+ return G_TLS_OPERATION_ERROR;
+#endif
+ }
+
/* TODO: No support yet for ALPN. */
g_assert (!advertised_protocols);
- /* FIXME: Doesn't respect timeout. */
-
if (is_server (self))
{
int req_mode = 0;
- switch (openssl->authentication_mode)
+ switch (auth_mode)
{
case G_TLS_AUTHENTICATION_REQUIRED:
req_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
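Review bot: The `#else` branch of the new server-certificate block references `server->ssl_ctx`, but no `server` variable exists in this function (every other access goes through `self`), so a build against OpenSSL older than 1.0.2 fails to compile; it should read `if (!ssl_ctx_set_certificate (self->ssl_ctx, self->op_own_certificate, error))`. Even with that fixed, this branch installs the certificate on the SSL_CTX during the handshake, after `self->ssl` was already created in initable_init, and nothing in the hunk establishes that an existing SSL object picks up a certificate added to its context afterwards; a short comment stating that assumption, or a test on the old-OpenSSL path, would be worth adding. g_tls_operations_thread_openssl_handshake continues outside the hunk.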
@@ -324,21 +466,19 @@ g_tls_operations_thread_openssl_handshake (GTlsOperationsThreadBase *base,
default:
req_mode = SSL_VERIFY_NONE;
break;
+ }
SSL_set_verify (self->ssl, req_mode, server_verify_callback);
SSL_set_verify_depth (self->ssl, 0);
}
-
- self->handshake_context = context;
self->handshaking = TRUE;
BEGIN_OPENSSL_IO (self, cancellable);
- ret = SSL_do_handshake (ssl);
+ ret = SSL_do_handshake (self->ssl);
END_OPENSSL_IO (self, G_IO_IN | G_IO_OUT, ret, status,
_("Error performing TLS handshake"), error);
- self->handshake_context = NULL;
self->handshaking = FALSE;
if (status == G_TLS_OPERATION_SUCCESS)
@@ -364,17 +504,17 @@ g_tls_operations_thread_openssl_handshake (GTlsOperationsThreadBase *base,
if (self->ca_list)
{
- for (i = 0; i < sk_X509_NAME_num (openssl->ca_list); ++i)
+ for (int i = 0; i < sk_X509_NAME_num (self->ca_list); ++i)
{
int size;
- size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), NULL);
+ size = i2d_X509_NAME (sk_X509_NAME_value (self->ca_list, i), NULL);
if (size > 0)
{
unsigned char *ca;
ca = g_malloc (size);
- size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &ca);
+ size = i2d_X509_NAME (sk_X509_NAME_value (self->ca_list, i), &ca);
if (size > 0)
*accepted_cas = g_list_prepend (*accepted_cas,
g_byte_array_new_take (ca, size));
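Review bot: `size = i2d_X509_NAME (sk_X509_NAME_value (self->ca_list, i), &ca);` passes the address of the buffer pointer itself, and the i2d_* functions advance `*out` past the bytes they write, so by the time `g_byte_array_new_take (ca, size)` runs, `ca` points at the end of the allocation rather than its start: the byte array wraps the wrong memory and will later free a pointer that g_malloc never returned. Encode through a scratch pointer instead, e.g. `unsigned char *p = ca;` followed by `size = i2d_X509_NAME (sk_X509_NAME_value (self->ca_list, i), &p);`, and keep handing `ca` to g_byte_array_new_take. The commit only renamed `openssl->` to `self->` on this line, so the defect predates it, but it is a memory-safety issue on the path that exposes accepted CA names to callers. The enclosing function continues outside the hunk.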
@@ -522,25 +662,24 @@ ssl_info_callback (const SSL *ssl,
#endif
static int
-retrieve_certificate_cb (SSL *ssl,
- X509 **x509,
- EVP_PKEY **pkey)
+retrieve_own_certificate_cb (SSL *ssl,
+ X509 **x509,
+ EVP_PKEY **pkey)
{
GTlsOperationsThreadOpenssl *self;
- GTlsCertificate *cert;
gboolean had_ca_list;
self = SSL_get_ex_data (ssl, data_index);
had_ca_list = self->ca_list != NULL;
- self->ca_list = SSL_get_client_CA_list (client->ssl);
+ self->ca_list = SSL_get_client_CA_list (self->ssl);
self->ca_list_changed = self->ca_list || had_ca_list;
if (self->op_own_certificate)
{
EVP_PKEY *key;
- key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
+ key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (self->op_own_certificate));
/* increase ref count */
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
CRYPTO_add (&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
@@ -549,7 +688,7 @@ retrieve_certificate_cb (SSL *ssl,
#endif
*pkey = key;
- *x509 = X509_dup (g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert)));
+ *x509 = X509_dup (g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL
(self->op_own_certificate)));
return 1;
}
@@ -569,6 +708,7 @@ g_tls_operations_thread_openssl_finalize (GObject *object)
SSL_SESSION_free (self->session);
g_assert (!self->op_own_certificate);
+ g_assert (!self->op_error);
G_OBJECT_CLASS (g_tls_operations_thread_openssl_parent_class)->finalize (object);
}
@@ -581,8 +721,6 @@ g_tls_operations_thread_openssl_initable_init (GInitable *initable,
GTlsOperationsThreadOpenssl *self = G_TLS_OPERATIONS_THREAD_OPENSSL (initable);
GIOStream *base_iostream = NULL;
long options;
- const char *hostname;
- GTlsCertificate *cert; /* FIXME: remove, become part of handshake op? */
if (!g_tls_operations_thread_openssl_parent_initable_iface->init (initable, cancellable, error))
return FALSE;
@@ -631,17 +769,17 @@ g_tls_operations_thread_openssl_initable_init (GInitable *initable,
SSL_CTX_set_options (self->ssl_ctx, options);
SSL_CTX_clear_options (self->ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
- SSL_CTX_set_client_cert_cb (self->ssl_ctx, retrieve_certificate_cb);
+ SSL_CTX_set_client_cert_cb (self->ssl_ctx, retrieve_own_certificate_cb);
}
SSL_CTX_add_session (self->ssl_ctx, self->session);
#ifdef SSL_CTX_set1_sigalgs_list
- set_signature_algorithm_list (server);
+ set_signature_algorithm_list (self);
#endif
#ifdef SSL_CTX_set1_curves_list
- set_curve_list (server);
+ set_curve_list (self);
#endif
if (is_server (self))
@@ -664,13 +802,6 @@ g_tls_operations_thread_openssl_initable_init (GInitable *initable,
SSL_CTX_set_info_callback (self->ssl_ctx, ssl_info_callback);
#endif
-
- cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (initable));
-
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
- if (cert && !ssl_ctx_set_certificate (server->ssl_ctx, cert, error))
- return FALSE;
-#endif
}
self->ssl = SSL_new (self->ssl_ctx);
@@ -683,25 +814,17 @@ g_tls_operations_thread_openssl_initable_init (GInitable *initable,
}
self->bio = g_tls_bio_new (base_iostream);
- SSL_set_bio (ssl, self->bio, self->bio);
- g_object_unref (base_io_stream);
+ SSL_set_bio (self->ssl, self->bio, self->bio);
+ g_object_unref (base_iostream);
if (data_index == -1)
data_index = SSL_get_ex_new_index (0, (void *)"gtlsoperationsthread", NULL, NULL, NULL);
SSL_set_ex_data (self->ssl, data_index, self);
if (is_client (self))
- {
- SSL_set_connect_state (client->ssl);
- }
+ SSL_set_connect_state (self->ssl);
else
- {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
- if (cert && !ssl_set_certificate (server->ssl, cert, error))
- return FALSE;
-#endif
- SSL_set_accept_state (server->ssl);
- }
+ SSL_set_accept_state (self->ssl);
return TRUE;
}
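Review bot: `if (data_index == -1) data_index = SSL_get_ex_new_index (...)` initialises a file-scope static with an unsynchronised check-then-set; now that each connection gets its own operations thread, two connections initialised concurrently can each allocate an index, after which `SSL_get_ex_data (ssl, data_index)` in retrieve_own_certificate_cb reads the wrong slot for one of them. Guarding the initialisation with `g_once_init_enter`/`g_once_init_leave`, or performing it in class_init, removes the race. Whether initable_init runs on the operations thread or the caller's thread is not visible here, but the race exists for any two concurrent callers either way. g_tls_operations_thread_openssl_initable_init starts outside this hunk.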
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index ecd60f3..4e98a73 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -97,145 +97,10 @@ g_tls_server_connection_openssl_set_property (GObject *object,
}
}
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
-static gboolean
-ssl_ctx_set_certificate (SSL_CTX *ssl_ctx,
- GTlsCertificate *cert,
- GError **error)
-{
- EVP_PKEY *key;
- X509 *x;
- GTlsCertificate *issuer;
-
- key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
-
- if (!key)
- {
- g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
- _("Certificate has no private key"));
- return FALSE;
- }
-
- if (SSL_CTX_use_PrivateKey (ssl_ctx, key) <= 0)
- {
- g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
- _("There is a problem with the certificate private key: %s"),
- ERR_error_string (ERR_get_error (), NULL));
- return FALSE;
- }
-
- x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert));
- if (SSL_CTX_use_certificate (ssl_ctx, x) <= 0)
- {
- g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
- _("There is a problem with the certificate: %s"),
- ERR_error_string (ERR_get_error (), NULL));
- return FALSE;
- }
-
- /* Add all the issuers to create the full certificate chain */
- for (issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (cert));
- issuer;
- issuer = g_tls_certificate_get_issuer (issuer))
- {
- X509 *issuer_x;
-
- /* Be careful here and duplicate the certificate since the context
- * will take the ownership
- */
- issuer_x = X509_dup (g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (issuer)));
- if (!SSL_CTX_add_extra_chain_cert (ssl_ctx, issuer_x))
- g_warning ("There was a problem adding the extra chain certificate: %s",
- ERR_error_string (ERR_get_error (), NULL));
- }
-}
-#endif
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
-static gboolean
-ssl_set_certificate (SSL *ssl,
- GTlsCertificate *cert,
- GError **error)
-{
- EVP_PKEY *key;
- X509 *x;
- GTlsCertificate *issuer;
-
- key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
-
- if (!key)
- {
- g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
- _("Certificate has no private key"));
- return FALSE;
- }
-
- /* Note, order is important. If a certificate has been set previously,
- * OpenSSL requires that the new certificate is set _before_ the new
- * private key is set. */
- x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert));
- if (SSL_use_certificate (ssl, x) <= 0)
- {
- g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
- _("There is a problem with the certificate: %s"),
- ERR_error_string (ERR_get_error (), NULL));
- return FALSE;
- }
-
- if (SSL_use_PrivateKey (ssl, key) <= 0)
- {
- g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
- _("There is a problem with the certificate private key: %s"),
- ERR_error_string (ERR_get_error (), NULL));
- return FALSE;
- }
-
- if (SSL_clear_chain_certs (ssl) == 0)
- g_warning ("There was a problem clearing the chain certificates: %s",
- ERR_error_string (ERR_get_error (), NULL));
-
- /* Add all the issuers to create the full certificate chain */
- for (issuer = g_tls_certificate_get_issuer (G_TLS_CERTIFICATE (cert));
- issuer;
- issuer = g_tls_certificate_get_issuer (issuer))
- {
- X509 *issuer_x;
-
- issuer_x = g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (issuer));
-
- /* Be careful here and duplicate the certificate since the ssl object
- * will take the ownership
- */
- if (SSL_add1_chain_cert (ssl, issuer_x) == 0)
- g_warning ("There was a problem adding the chain certificate: %s",
- ERR_error_string (ERR_get_error (), NULL));
- }
-
- return TRUE;
-}
-
-static void
-on_certificate_changed (GObject *object,
- GParamSpec *spec,
- gpointer user_data)
-{
- SSL *ssl;
- GTlsCertificate *cert;
-
- ssl = g_tls_server_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (object));
- cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (object));
-
- if (ssl && cert)
- ssl_set_certificate (ssl, cert, NULL);
-}
-#endif
-
static void
g_tls_server_connection_openssl_class_init (GTlsServerConnectionOpensslClass *klass)
{
GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
- GTlsConnectionBaseClass *base_class = G_TLS_CONNECTION_BASE_CLASS (klass);
- GTlsConnectionOpensslClass *connection_class = G_TLS_CONNECTION_OPENSSL_CLASS (klass);
gobject_class->get_property = g_tls_server_connection_openssl_get_property;
gobject_class->set_property = g_tls_server_connection_openssl_set_property;
@@ -258,17 +123,7 @@ g_tls_server_connection_openssl_initable_init (GInitable *initable,
GCancellable *cancellable,
GError **error)
{
- GTlsServerConnectionOpenssl *server = G_TLS_SERVER_CONNECTION_OPENSSL (initable);
-
- if (!g_tls_server_connection_openssl_parent_initable_iface->init (initable, cancellable, error))
- return FALSE;
-
-// FIXME: remove this
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L || defined (LIBRESSL_VERSION_NUMBER)
- g_signal_connect (server, "notify::certificate", G_CALLBACK (on_certificate_changed), NULL);
-#endif
-
- return TRUE;
+ return g_tls_server_connection_openssl_parent_initable_iface->init (initable, cancellable, error);
}
static void