Bug 31447 - port wocky to gio TLS
Summary: port wocky to gio TLS
Status: NEW
Alias: None
Product: Wocky
Classification: Unclassified
Component: General (show other bugs)
Version: unspecified
Hardware: All All
: medium normal
Assignee: Telepathy bugs list
QA Contact: Telepathy bugs list
URL: http://git.collabora.co.uk/?p=user/ni...
Whiteboard:
Keywords: patch
Depends on: 45515
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-07 12:13 UTC by Dan Winship
Modified: 2016-02-21 19:35 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:


Attachments
wocky-tls: specify peername at session creation time (12.43 KB, patch)
2010-11-07 12:13 UTC, Dan Winship
Details | Splinter Review
wocky-tls: Merge WockyTLSSession and WockyTLSConnection together (22.21 KB, patch)
2010-11-07 12:13 UTC, Dan Winship
Details | Splinter Review
wocky-connector-test.c: don't turn off O_NONBLOCK on the server socket (1.37 KB, patch)
2010-11-07 12:13 UTC, Dan Winship
Details | Splinter Review
wocky-test-stream: implement GPollableIOStream (4.61 KB, patch)
2010-11-07 12:13 UTC, Dan Winship
Details | Splinter Review
wocky-tls: port to gio TLS (60.31 KB, patch)
2010-11-07 12:13 UTC, Dan Winship
Details | Splinter Review
hack around a test that doesn't pass with current (master) glib (805 bytes, patch)
2010-11-07 12:13 UTC, Dan Winship
Details | Splinter Review
wocky-test-stream: implement GPollableInput/OutputStream (5.26 KB, patch)
2010-12-20 14:56 UTC, Dan Winship
Details | Splinter Review
wocky-tls: port to gio TLS (61.12 KB, patch)
2010-12-20 14:58 UTC, Dan Winship
Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Dan Winship 2010-11-07 12:13:10 UTC
gio TLS support (https://bugzilla.gnome.org/show_bug.cgi?id=588189) is
getting close to being done. I was using wocky as a test case since it
was already gio-based, and had crazy awesome regression tests.

So here are my patches. You will probably want to fix things up a
little more than this (eg, getting rid of the wocky types that are now
just typedefs), but it's a start.

gio doesn't yet support some of the things that wocky-tls did... yell if
any of these are huge problems. Also, consider this an invitation to
review the gio tls code (or at least API) to see if there's anything
awful about it...
Comment 1 Dan Winship 2010-11-07 12:13:13 UTC
Created attachment 40090 [details] [review]
wocky-tls: specify peername at session creation time

This is how gio TLS does it, among other reasons because it lets you
use the SNI extension to tell the server which certificate it should
present.
Comment 2 Dan Winship 2010-11-07 12:13:16 UTC
Created attachment 40091 [details] [review]
wocky-tls: Merge WockyTLSSession and WockyTLSConnection together

to match gio TLS, and because there's not much use in the separation
anyway
Comment 3 Dan Winship 2010-11-07 12:13:19 UTC
Created attachment 40092 [details] [review]
wocky-connector-test.c: don't turn off O_NONBLOCK on the server socket

This is not expected to work, and ends up causing deadlocks under gio
TLS.

There doesn't seem to be any point to it anyway... maybe a leftover
from old code? Or maybe it's only needed for the openssl version
Comment 4 Dan Winship 2010-11-07 12:13:21 UTC
Created attachment 40093 [details] [review]
wocky-test-stream: implement GPollableIOStream

GTlsConnection can only wrap streams that implement GPollableIOStream,
so implement that here to make some of the test cases work.
Comment 5 Dan Winship 2010-11-07 12:13:24 UTC
Created attachment 40094 [details] [review]
wocky-tls: port to gio TLS

A few minor things, marked DANWFIXME, are unimplemented
Comment 6 Dan Winship 2010-11-07 12:13:27 UTC
Created attachment 40095 [details] [review]
hack around a test that doesn't pass with current (master) glib
Comment 7 Dan Winship 2010-12-20 14:56:26 UTC
Created attachment 41319 [details] [review]
wocky-test-stream: implement GPollableInput/OutputStream

update to match the API that actually landed in glib
Comment 8 Dan Winship 2010-12-20 14:58:22 UTC
Created attachment 41320 [details] [review]
wocky-tls: port to gio TLS

port to the API that actually landed

this patch suffers a bit from the lack of GTlsDatabase, which will be fixed in glib very soon. Some of the ickiness is also caused by trying to force various error cases to return the exact same error that the old code did, even when there's another suitable-ish error it could have returned instead.
Comment 9 Nicolas Dufresne 2010-12-21 08:53:05 UTC
Review of attachment 40095 [details] [review]:

This one does not apply after Will commit 01811a4a6ed0ac6ad5f9439d12560d787c97570d, Will is reducing the number of ping and increasing the delays which makes me think this patch is no longer required.
Comment 10 Nicolas Dufresne 2011-01-04 16:08:15 UTC
Setting URL field to my branch. I've rebased this work against latest Wocky, made GIO another backend (along with GnuTLS and OpenSSL) and ported OpenSSL to new WockyTLS API.

http://git.collabora.co.uk/?p=user/nicolas/wocky.git;a=shortlog;h=refs/heads/gio-tls
Comment 11 Mikhail Zabaluev 2011-10-08 06:11:33 UTC
Is there a gio plugin for OpenSSL?
Comment 12 Nicolas Dufresne 2011-10-08 13:01:53 UTC
(In reply to comment #11)
> Is there a gio plugin for OpenSSL?

Not that I know, but it should be fairly straight forward to take Wocky's bakend and build a GIO plugin.
Comment 13 Simon McVittie 2012-01-31 11:19:08 UTC
19:18 < stormer> smcv: for you information, this branch only miss the CRL 
                 support, which was not yet in the GIO API at the time
Comment 14 Dan Winship 2012-02-01 06:31:17 UTC
(In reply to comment #13)
> 19:18 < stormer> smcv: for you information, this branch only miss the CRL 
>                  support, which was not yet in the GIO API at the time

The current theory is that there is not going to be any API for dealing with CRLs, because in general, if you are aware of a CRL, you want it to apply to all applications on the system, so it makes sense for CRLs to be handled in a system-administration-y way (like the default CA list), not on a per-app basis.
Comment 15 Nicolas Dufresne 2012-02-01 12:29:19 UTC
(In reply to comment #14)
> The current theory is that there is not going to be any API for dealing with
> CRLs, because in general, if you are aware of a CRL, you want it to apply to
> all applications on the system, so it makes sense for CRLs to be handled in a
> system-administration-y way (like the default CA list), not on a per-app basis.

I agree, also after digging, we don't actually use that "wocky_tls_session_add_crl" anywhere in Gabble, we simply have a unit test covering it. I'll ask Sjoerd if that can be removed or made optional in Wocky API.
Comment 16 Nicolas Dufresne 2012-03-30 15:21:17 UTC
Branch updated and ready for review (passes all tests now). Note, I''ve moved back the peername to the call to _verify as we now do all the check manually in the gio-tls implementation.
Comment 17 Nicolas Dufresne 2012-07-17 17:42:06 UTC
Anyone to review this ?
Comment 18 Simon McVittie 2012-07-17 18:17:27 UTC
(In reply to comment #17)
> Anyone to review this ?

I'll try to get to it soon, but it would be great if a TLS expert (Vivek?) could have a look.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.