[glib-networking/mcatanzaro/accept-certificate-null: 3/3] Don't emit accept-certificate with NULL GTlsCertificate
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/mcatanzaro/accept-certificate-null: 3/3] Don't emit accept-certificate with NULL GTlsCertificate
- Date: Mon, 30 Dec 2019 00:51:01 +0000 (UTC)
commit ec3c3cd701c96df2d6ec09da7c3cb3c3a6fdfe1f
Author: Michael Catanzaro <mcatanzaro gnome org>
Date: Sun Dec 29 18:09:05 2019 -0600
Don't emit accept-certificate with NULL GTlsCertificate
The certificate parameter of accept-certificate is not nullable, so it's
wrong for us to emit accept-certificate with it NULL, but there's
currently no code to prevent this from happening. Instead, a NULL
certificate should mean the connection is automatically rejected when
we are a client connection, or a server connection using
G_TLS_AUTHENTICATION_REQUIRED, and automatically accepted for server
connections using G_TLS_AUTHENTICATION_NONE or G_TLS_AUTHENTICATION_REQUESTED. Our
existing test client-auth-request-none is sufficient to test that this
works properly if we add one more assertion.
tls/base/gtlsconnection-base.c | 62 ++++++++++++++++++++++++++----------------
tls/tests/connection.c | 3 ++
2 files changed, 41 insertions(+), 24 deletions(-)
---
diff --git a/tls/base/gtlsconnection-base.c b/tls/base/gtlsconnection-base.c
index 6a885d1..93cfc8e 100644
--- a/tls/base/gtlsconnection-base.c
+++ b/tls/base/gtlsconnection-base.c
@@ -1319,38 +1319,52 @@ accept_or_reject_peer_certificate (gpointer user_data)
update_peer_certificate_and_compute_errors (tls);
- if (G_IS_TLS_CLIENT_CONNECTION (tls) && priv->peer_certificate)
+ if (priv->peer_certificate)
{
- GTlsCertificateFlags validation_flags;
+ if (G_IS_TLS_CLIENT_CONNECTION (tls))
+ {
+ GTlsCertificateFlags validation_flags;
- if (!g_tls_connection_base_is_dtls (tls))
- validation_flags =
- g_tls_client_connection_get_validation_flags (G_TLS_CLIENT_CONNECTION (tls));
- else
- validation_flags =
- g_dtls_client_connection_get_validation_flags (G_DTLS_CLIENT_CONNECTION (tls));
+ if (!g_tls_connection_base_is_dtls (tls))
+ validation_flags =
+ g_tls_client_connection_get_validation_flags (G_TLS_CLIENT_CONNECTION (tls));
+ else
+ validation_flags =
+ g_dtls_client_connection_get_validation_flags (G_DTLS_CLIENT_CONNECTION (tls));
- if ((priv->peer_certificate_errors & validation_flags) == 0)
- accepted = TRUE;
- }
+ if ((priv->peer_certificate_errors & validation_flags) == 0)
+ accepted = TRUE;
+ }
- if (!accepted)
- {
- gboolean sync_handshake_in_progress;
+ if (!accepted)
+ {
+ gboolean sync_handshake_in_progress;
- g_mutex_lock (&priv->op_mutex);
- sync_handshake_in_progress = priv->sync_handshake_in_progress;
- g_mutex_unlock (&priv->op_mutex);
+ g_mutex_lock (&priv->op_mutex);
+ sync_handshake_in_progress = priv->sync_handshake_in_progress;
+ g_mutex_unlock (&priv->op_mutex);
- if (sync_handshake_in_progress)
- g_main_context_pop_thread_default (priv->handshake_context);
+ if (sync_handshake_in_progress)
+ g_main_context_pop_thread_default (priv->handshake_context);
- accepted = g_tls_connection_emit_accept_certificate (G_TLS_CONNECTION (tls),
- priv->peer_certificate,
- priv->peer_certificate_errors);
+ accepted = g_tls_connection_emit_accept_certificate (G_TLS_CONNECTION (tls),
+ priv->peer_certificate,
+ priv->peer_certificate_errors);
- if (sync_handshake_in_progress)
- g_main_context_push_thread_default (priv->handshake_context);
+ if (sync_handshake_in_progress)
+ g_main_context_push_thread_default (priv->handshake_context);
+ }
+ }
+ else if (G_IS_TLS_SERVER_CONNECTION (tls))
+ {
+ GTlsAuthenticationMode mode = 0;
+
+ g_object_get (tls,
+ "authentication-mode", &mode,
+ NULL);
+
+ if (mode != G_TLS_AUTHENTICATION_REQUIRED)
+ accepted = TRUE;
}
priv->peer_certificate_accepted = accepted;
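Review bot: `GTlsAuthenticationMode mode = 0;` in the new server branch defaults to G_TLS_AUTHENTICATION_NONE, so if the `g_object_get` of "authentication-mode" ever left `mode` untouched the connection would be accepted with no client certificate — a fail-open default on exactly the path this commit is hardening. Initialising it to the strictest value costs nothing, `GTlsAuthenticationMode mode = G_TLS_AUTHENTICATION_REQUIRED;`, and the read should always succeed after the G_IS_TLS_SERVER_CONNECTION check, so the default only matters when something has already gone wrong and then errs toward rejection. The client side of the NULL-certificate case is also only implicit: no branch touches `accepted`, so rejection depends on its initialiser, which is outside this hunk; a comment above the `else if` such as `/* No peer certificate: a client always rejects (accepted keeps its initial FALSE); a server accepts unless it required one. */` would make the intended fail-closed behaviour visible to the next reader. accept_or_reject_peer_certificate starts before this hunk and continues after it.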
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index 6bb4585..ed69f42 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -211,6 +211,9 @@ on_accept_certificate (GTlsConnection *conn,
gpointer user_data)
{
TestConnection *test = user_data;
+
+ g_assert_true (G_IS_TLS_CERTIFICATE (cert));
+
return errors == test->accept_flags;
}
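Review bot: The added `g_assert_true (G_IS_TLS_CERTIFICATE (cert))` only proves the signal is never emitted with a NULL certificate; nothing in this hunk checks the other half of the commit, that a server in G_TLS_AUTHENTICATION_REQUIRED mode facing a client that sends no certificate fails the handshake rather than being accepted. Unless a test elsewhere in this file already covers it, a companion case asserting the server-side handshake ends in an error for that configuration would pin the fail-closed behaviour the new code introduces. The `cert` and `errors` parameters belong to the on_accept_certificate signature, which starts before this hunk.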