glib-networking issues
https://gitlab.gnome.org/GNOME/glib-networking/-/issues
2024-02-16T15:18:58Z

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/220
Review safety of update_credentials_cb() in gtlsconnection-gnutls.c
2024-02-16T15:18:58Z, Michael Catanzaro

gnutls_credentials_set(3) says:
> In order to minimize memory usage, and share credentials between several threads gnutls keeps a pointer to
> cred, and not the whole cred structure. Thus you will have to keep the structure allocated until you call
> gnutls_deinit().
GTlsConnectionGnutls attempts to comply with this by storing the gnutls_certificate_credentials_t in its priv struct to keep it around for the life of the GTlsConnectionGnutls. However, update_credentials_cb() in gtlsconnection-gnutls.c improperly frees it and creates a new one. This isn't safe, and I don't know what to do about it.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/219
openssh test failure in connection-openssl-tls1.2 and connection-openssl
2024-01-09T19:30:49Z, Khem Raj

With latest archlinux, when openssl support is enabled these two tests are failing:
`meson setup -Denvironment_proxy=enabled -Dgnome_proxy=disabled -Dgnutls=enabled -Dlibproxy=disabled -Dopenssl=enabled -Dinstalled_tests=true ..`
```plaintext
not ok /tls/openssl/connection/unclean-close-by-server - GLib-Net:ERROR:../tls/tests/connection.c:2374:test_unclean_close_by_server: assertion failed (test->read_error == (g-tls-error-quark, 6)): Error reading data from TLS socket: error:00000005:lib(0)::reason(5) (g-tls-error-quark, 1)
Bail out!
stderr:
**
GLib-Net:ERROR:../tls/tests/connection.c:2374:test_unclean_close_by_server: assertion failed (test->read_error == (g-tls-error-quark, 6)): Error reading data from TLS socket: error:00000005:lib(0)::reason(5) (g-tls-error-quark, 1)
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
8/9 connection-gnutls-tls1.2 OK 6.37s
9/9 connection-gnutls OK 6.80s
Summary of Failures:
6/9 connection-openssl-tls1.2 FAIL 1.54s killed by signal 6 SIGABRT
7/9 connection-openssl FAIL 1.73s killed by signal 6 SIGABRT
Ok: 7
Expected Fail: 0
Fail: 2
Unexpected Pass: 0
Skipped: 0
Timeout: 0
```

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/211
Tests fail if gnutls built without p11-kit, _or_ glib-networking should mandate p11-kit
2023-06-06T13:49:31Z, Ross Burton

If I've built gnutls without p11-kit then glib-networking's tests fail to link as `gnutls_pkcs11_init` and `gnutls_pkcs11_add_provider` are not part of gnutls. Deleting those lines from the test suite predictably makes the tests fail.
So, should:
a) glib-networking detect if `gnutls_pkcs11_add_provider` exists (or another way of determining this), and skip the tests which fail if PKCS#11 isn't enabled in gnutls, _or_
b) Check that PKCS#11 is enabled in gnutls and refuse to build if it isn't

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/204
Enhance meaningless "An unexpected TLS packet was received"
2023-01-04T14:50:29Z, Milan Crha

When you try to connect to `https://apidata.googleusercontent.com:80/` you get an error:
> An unexpected TLS packet was received
that error is meaningless to (not only) ordinary people. In this particular case, with this URL, the error is:
> The server does not support TLS connection on port 80
which does make much more sense.
Is there a way to detect such cases and report them this way?

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/200
Segfault during TLS handshake on a server connection without private key
2022-10-13T07:29:49Z, Sebastian Dröge

See https://gitlab.com/gnutls/gnutls/-/issues/1412 for the GnuTLS part of this, but I think glib-networking should also catch this somewhere and make it a handshake error.
`g_tls_server_connection_gnutls_initable_init()` is already checking if a private key exists but this doesn't catch the situation here of course.
Valgrind reports for the GLib testcase (same as for the plain GnuTLS testcase of course):
```
==429172== Invalid read of size 4
==429172== at 0x5D6517D: _gnutls_privkey_compatible_with_sig (privkey.c:1966)
==429172== by 0x5DFAD22: _gnutls_session_get_sign_algo (signature.c:381)
==429172== by 0x5E084BC: cert_select_sign_algorithm (cert.c:1591)
==429172== by 0x5E0B308: _gnutls_select_server_cert (cert.c:1643)
==429172== by 0x5E1678D: _gnutls_figure_common_ciphersuite (ciphersuites.c:1526)
==429172== by 0x5D2F1C1: _gnutls_server_select_suite (handshake.c:1158)
==429172== by 0x5D31FBC: read_client_hello (handshake.c:862)
==429172== by 0x5D31FBC: _gnutls_recv_handshake (handshake.c:1641)
==429172== by 0x5D35368: handshake_server (handshake.c:3496)
==429172== by 0x5D35368: gnutls_handshake (handshake.c:2886)
==429172== by 0x4862234: g_tls_connection_gnutls_handshake_thread_handshake (gtlsconnection-gnutls.c:968)
==429172== by 0x486807D: handshake_thread (gtlsconnection-base.c:1564)
==429172== by 0x493E322: g_task_thread_pool_thread (gtask.c:1454)
==429172== by 0x4B534F9: g_thread_pool_thread_proxy (gthreadpool.c:352)
==429172== Address 0x4 is not stack'd, malloc'd or (recently) free'd
```
GLib testcase:
```c
#include <gio/gio.h>

static gboolean on_incoming_connection(GSocketService *service,
                                       GSocketConnection *connection,
                                       GObject *source_object,
                                       gpointer user_data) {
  /* Wrap the accepted TCP connection in a TLS server connection. */
  GTlsServerConnection *server_connection = G_TLS_SERVER_CONNECTION(
      g_tls_server_connection_new(G_IO_STREAM(connection), NULL, NULL));

  /* cert.pem contains only a certificate and no private key; this is the
   * condition that triggers the crash inside gnutls_handshake(). */
  GTlsCertificate *cert = g_tls_certificate_new_from_file("cert.pem", NULL);
  g_tls_connection_set_certificate(G_TLS_CONNECTION(server_connection), cert);
  g_object_unref(cert);

  g_tls_connection_handshake(G_TLS_CONNECTION(server_connection), NULL, NULL);
  return TRUE;
}

int main(int argc, char **argv) {
  GSocketService *service = g_socket_service_new();
  GInetAddress *inet;
  GSocketAddress *addr;

  /* Listen on 127.0.0.1:5556 for plain TCP connections. */
  inet = g_inet_address_new_from_string("127.0.0.1");
  addr = g_inet_socket_address_new(inet, 5556);
  g_object_unref(inet);
  g_socket_listener_add_address(G_SOCKET_LISTENER(service), addr,
                                G_SOCKET_TYPE_STREAM, G_SOCKET_PROTOCOL_TCP,
                                NULL, NULL, NULL);
  g_object_unref(addr);

  g_signal_connect(service, "incoming", G_CALLBACK(on_incoming_connection),
                   NULL);

  GMainLoop *loop = g_main_loop_new(NULL, FALSE);
  g_main_loop_run(loop);
  return 0;
}
```

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/197
Bring back GnuTLS TLS 1.2 session resumption
2022-09-07T15:17:49Z, Michael Catanzaro

I removed support for TLS 1.2 session resumption in https://gitlab.gnome.org/GNOME/glib-networking/-/commit/3dbc0817d83fa5d233b55b64438e6617bcba8b52, but TLS 1.2 will be around for a long time to come. !221 adds a separate TLS session cache for TLS 1.3 vs. 1.2 and it should be very little code for GnuTLS to make use of it.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/196
GnuTLS server connections should (probably) support session resumption
2022-09-07T15:17:49Z, Michael Catanzaro

In practice, glib-networking is probably not used very much for servers, but it would be nice to do, and would allow us to test session resumption properly like we do for the OpenSSL backend using the tests added in !221.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/193
automatic proxy URL of file:///path/to/symlink doesn't work
2023-04-11T20:43:54Z, Brian J. Murrell

If I configure GNOME's proxy to use an automatic proxy PAC URL and I enter a `file:///` URL to a (valid) symlink, GNOME proxy doesn't use the PAC file. [libproxy](https://github.com/libproxy/libproxy) will follow the symlink though.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/182
Remove WPAD support
2024-01-10T17:17:40Z, Michael Catanzaro

Moving this from https://bugzilla.redhat.com/show_bug.cgi?id=2024330, we should remove support for Web Proxy Autodiscovery since it's very risky.
Note that we would still support Web Proxy Autoconfig, which many corporations require. You would just be required to manually provide the PAC address.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/175
openssl: several build issues with version 2.70.0
2022-02-12T10:56:02Z, Ignacio Casal Quinteiro

This is the output when building on Centos 7:
```
FAILED: tls/openssl/c471d3e@@gioopenssl@sha/gtlsbackend-openssl.c.o
cc -Itls/openssl/c471d3e@@gioopenssl@sha -Itls/openssl -I../tls/openssl -I. -I../ -Itls/base -I../tls/base -I/tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0 -I/tmp/build-artifacts.sh-dOreK/build/inst/lib/glib-2.0/include -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -std=c99 -O2 -g -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="GLib-Net"' -DG_LOG_USE_STRUCTURED '-DLOCALE_DIR="/tmp/build-artifacts.sh-dOreK/build/inst/share/locale"' -DG_DISABLE_DEPRECATED -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_70 -Werror=declaration-after-statement -Werror=implicit-function-declaration -fstack-protector -g -O2 -fno-strict-aliasing -Wformat -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsbackend-openssl.c.o' -MF 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsbackend-openssl.c.o.d' -o 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsbackend-openssl.c.o' -c ../tls/openssl/gtlsbackend-openssl.c
In file included from /tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0/gio/gnetworking.h:40:0,
from ../tls/openssl/openssl-include.h:34,
from ../tls/openssl/gtlsbackend-openssl.c:32:
/usr/include/resolv.h:75:9: error: unknown type name 'u_char'
const u_char **__query,
^
/usr/include/resolv.h:77:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:82:9: error: unknown type name 'u_char'
const u_char *__query,
^
/usr/include/resolv.h:84:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:107:2: error: unknown type name 'u_long'
u_long options; /* option flags - see below. */
^
/usr/include/resolv.h:112:2: error: unknown type name 'u_short'
u_short id; /* current message id */
^
/usr/include/resolv.h:116:2: error: unknown type name 'u_long'
u_long pfcode; /* RES_PRF_ flags - see below. */
^
/usr/include/resolv.h:126:2: error: unknown type name 'res_send_qhook'
res_send_qhook __glibc_unused_qhook;
^
/usr/include/resolv.h:127:2: error: unknown type name 'res_send_rhook'
res_send_rhook __glibc_unused_rhook;
^
/usr/include/resolv.h:130:2: error: unknown type name 'u_int'
u_int _flags; /* PRIVATE: see below */
^
[5/23] Compiling C object 'tls/openssl/c471d3e@@gioopenssl@sha/openssl-module.c.o'.
[6/23] Compiling C object 'tls/base/af60d8f@@tlsbase@sta/gtlsinputstream.c.o'.
[7/23] Compiling C object 'tls/openssl/c471d3e@@gioopenssl@sha/gtlscertificate-openssl.c.o'.
FAILED: tls/openssl/c471d3e@@gioopenssl@sha/gtlscertificate-openssl.c.o
cc -Itls/openssl/c471d3e@@gioopenssl@sha -Itls/openssl -I../tls/openssl -I. -I../ -Itls/base -I../tls/base -I/tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0 -I/tmp/build-artifacts.sh-dOreK/build/inst/lib/glib-2.0/include -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -std=c99 -O2 -g -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="GLib-Net"' -DG_LOG_USE_STRUCTURED '-DLOCALE_DIR="/tmp/build-artifacts.sh-dOreK/build/inst/share/locale"' -DG_DISABLE_DEPRECATED -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_70 -Werror=declaration-after-statement -Werror=implicit-function-declaration -fstack-protector -g -O2 -fno-strict-aliasing -Wformat -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ 'tls/openssl/c471d3e@@gioopenssl@sha/gtlscertificate-openssl.c.o' -MF 'tls/openssl/c471d3e@@gioopenssl@sha/gtlscertificate-openssl.c.o.d' -o 'tls/openssl/c471d3e@@gioopenssl@sha/gtlscertificate-openssl.c.o' -c ../tls/openssl/gtlscertificate-openssl.c
In file included from /tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0/gio/gnetworking.h:40:0,
from ../tls/openssl/openssl-include.h:34,
from ../tls/openssl/gtlscertificate-openssl.c:29:
/usr/include/resolv.h:75:9: error: unknown type name 'u_char'
const u_char **__query,
^
/usr/include/resolv.h:77:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:82:9: error: unknown type name 'u_char'
const u_char *__query,
^
/usr/include/resolv.h:84:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:107:2: error: unknown type name 'u_long'
u_long options; /* option flags - see below. */
^
/usr/include/resolv.h:112:2: error: unknown type name 'u_short'
u_short id; /* current message id */
^
/usr/include/resolv.h:116:2: error: unknown type name 'u_long'
u_long pfcode; /* RES_PRF_ flags - see below. */
^
/usr/include/resolv.h:126:2: error: unknown type name 'res_send_qhook'
res_send_qhook __glibc_unused_qhook;
^
/usr/include/resolv.h:127:2: error: unknown type name 'res_send_rhook'
res_send_rhook __glibc_unused_rhook;
^
/usr/include/resolv.h:130:2: error: unknown type name 'u_int'
u_int _flags; /* PRIVATE: see below */
^
../tls/openssl/gtlscertificate-openssl.c: In function 'get_subject_alt_names':
../tls/openssl/gtlscertificate-openssl.c:118:15: error: implicit declaration of function 'ASN1_STRING_get0_data' [-Werror=implicit-function-declaration]
san = ASN1_STRING_get0_data (value->d.ip);
^
../tls/openssl/gtlscertificate-openssl.c:118:19: warning: assignment makes pointer from integer without a cast [enabled by default]
san = ASN1_STRING_get0_data (value->d.ip);
^
../tls/openssl/gtlscertificate-openssl.c:128:19: warning: assignment makes pointer from integer without a cast [enabled by default]
san = ASN1_STRING_get0_data (value->d.ia5);
^
../tls/openssl/gtlscertificate-openssl.c: In function 'g_tls_certificate_openssl_get_property':
../tls/openssl/gtlscertificate-openssl.c:283:7: error: implicit declaration of function 'X509_get0_notBefore' [-Werror=implicit-function-declaration]
time_asn1 = X509_get0_notBefore (openssl->cert);
^
../tls/openssl/gtlscertificate-openssl.c:283:17: warning: assignment makes pointer from integer without a cast [enabled by default]
time_asn1 = X509_get0_notBefore (openssl->cert);
^
../tls/openssl/gtlscertificate-openssl.c:284:7: error: implicit declaration of function 'ASN1_TIME_to_tm' [-Werror=implicit-function-declaration]
ASN1_TIME_to_tm (time_asn1, &time_tm);
^
../tls/openssl/gtlscertificate-openssl.c:292:7: error: implicit declaration of function 'X509_get0_notAfter' [-Werror=implicit-function-declaration]
time_asn1 = X509_get0_notAfter (openssl->cert);
^
../tls/openssl/gtlscertificate-openssl.c:292:17: warning: assignment makes pointer from integer without a cast [enabled by default]
time_asn1 = X509_get0_notAfter (openssl->cert);
^
cc1: some warnings being treated as errors
[8/23] Compiling C object 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsconnection-openssl.c.o'.
FAILED: tls/openssl/c471d3e@@gioopenssl@sha/gtlsconnection-openssl.c.o
cc -Itls/openssl/c471d3e@@gioopenssl@sha -Itls/openssl -I../tls/openssl -I. -I../ -Itls/base -I../tls/base -I/tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0 -I/tmp/build-artifacts.sh-dOreK/build/inst/lib/glib-2.0/include -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -std=c99 -O2 -g -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="GLib-Net"' -DG_LOG_USE_STRUCTURED '-DLOCALE_DIR="/tmp/build-artifacts.sh-dOreK/build/inst/share/locale"' -DG_DISABLE_DEPRECATED -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_70 -Werror=declaration-after-statement -Werror=implicit-function-declaration -fstack-protector -g -O2 -fno-strict-aliasing -Wformat -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsconnection-openssl.c.o' -MF 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsconnection-openssl.c.o.d' -o 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsconnection-openssl.c.o' -c ../tls/openssl/gtlsconnection-openssl.c
In file included from /tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0/gio/gnetworking.h:40:0,
from ../tls/openssl/openssl-include.h:34,
from ../tls/openssl/gtlsconnection-openssl.c:31:
/usr/include/resolv.h:75:9: error: unknown type name 'u_char'
const u_char **__query,
^
/usr/include/resolv.h:77:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:82:9: error: unknown type name 'u_char'
const u_char *__query,
^
/usr/include/resolv.h:84:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:107:2: error: unknown type name 'u_long'
u_long options; /* option flags - see below. */
^
/usr/include/resolv.h:112:2: error: unknown type name 'u_short'
u_short id; /* current message id */
^
/usr/include/resolv.h:116:2: error: unknown type name 'u_long'
u_long pfcode; /* RES_PRF_ flags - see below. */
^
/usr/include/resolv.h:126:2: error: unknown type name 'res_send_qhook'
res_send_qhook __glibc_unused_qhook;
^
/usr/include/resolv.h:127:2: error: unknown type name 'res_send_rhook'
res_send_rhook __glibc_unused_rhook;
^
/usr/include/resolv.h:130:2: error: unknown type name 'u_int'
u_int _flags; /* PRIVATE: see below */
^
../tls/openssl/gtlsconnection-openssl.c: In function 'glib_protocol_version_from_openssl':
../tls/openssl/gtlsconnection-openssl.c:533:10: error: 'TLS1_3_VERSION' undeclared (first use in this function)
case TLS1_3_VERSION:
^
../tls/openssl/gtlsconnection-openssl.c:533:10: note: each undeclared identifier is reported only once for each function it appears in
../tls/openssl/gtlsconnection-openssl.c: In function 'g_tls_connection_openssl_complete_handshake':
../tls/openssl/gtlsconnection-openssl.c:573:3: error: implicit declaration of function 'SSL_SESSION_get_protocol_version' [-Werror=implicit-function-declaration]
*protocol_version = glib_protocol_version_from_openssl (SSL_SESSION_get_protocol_version (session));
^
../tls/openssl/gtlsconnection-openssl.c: In function 'perform_rehandshake':
../tls/openssl/gtlsconnection-openssl.c:581:23: warning: unused variable 'tls' [-Wunused-variable]
GTlsConnectionBase *tls = user_data;
^
cc1: some warnings being treated as errors
[9/23] Compiling C object 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsdatabase-openssl.c.o'.
FAILED: tls/openssl/c471d3e@@gioopenssl@sha/gtlsdatabase-openssl.c.o
cc -Itls/openssl/c471d3e@@gioopenssl@sha -Itls/openssl -I../tls/openssl -I. -I../ -Itls/base -I../tls/base -I/tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0 -I/tmp/build-artifacts.sh-dOreK/build/inst/lib/glib-2.0/include -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -std=c99 -O2 -g -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="GLib-Net"' -DG_LOG_USE_STRUCTURED '-DLOCALE_DIR="/tmp/build-artifacts.sh-dOreK/build/inst/share/locale"' -DG_DISABLE_DEPRECATED -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_70 -Werror=declaration-after-statement -Werror=implicit-function-declaration -fstack-protector -g -O2 -fno-strict-aliasing -Wformat -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsdatabase-openssl.c.o' -MF 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsdatabase-openssl.c.o.d' -o 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsdatabase-openssl.c.o' -c ../tls/openssl/gtlsdatabase-openssl.c
In file included from /tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0/gio/gnetworking.h:40:0,
from ../tls/openssl/openssl-include.h:34,
from ../tls/openssl/gtlscertificate-openssl.h:29,
from ../tls/openssl/gtlsdatabase-openssl.h:30,
from ../tls/openssl/gtlsdatabase-openssl.c:28:
/usr/include/resolv.h:75:9: error: unknown type name 'u_char'
const u_char **__query,
^
/usr/include/resolv.h:77:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:82:9: error: unknown type name 'u_char'
const u_char *__query,
^
/usr/include/resolv.h:84:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:107:2: error: unknown type name 'u_long'
u_long options; /* option flags - see below. */
^
/usr/include/resolv.h:112:2: error: unknown type name 'u_short'
u_short id; /* current message id */
^
/usr/include/resolv.h:116:2: error: unknown type name 'u_long'
u_long pfcode; /* RES_PRF_ flags - see below. */
^
/usr/include/resolv.h:126:2: error: unknown type name 'res_send_qhook'
res_send_qhook __glibc_unused_qhook;
^
/usr/include/resolv.h:127:2: error: unknown type name 'res_send_rhook'
res_send_rhook __glibc_unused_rhook;
^
/usr/include/resolv.h:130:2: error: unknown type name 'u_int'
u_int _flags; /* PRIVATE: see below */
^
[10/23] Compiling C object 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsbio.c.o'.
FAILED: tls/openssl/c471d3e@@gioopenssl@sha/gtlsbio.c.o
cc -Itls/openssl/c471d3e@@gioopenssl@sha -Itls/openssl -I../tls/openssl -I. -I../ -Itls/base -I../tls/base -I/tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0 -I/tmp/build-artifacts.sh-dOreK/build/inst/lib/glib-2.0/include -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -std=c99 -O2 -g -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="GLib-Net"' -DG_LOG_USE_STRUCTURED '-DLOCALE_DIR="/tmp/build-artifacts.sh-dOreK/build/inst/share/locale"' -DG_DISABLE_DEPRECATED -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_70 -Werror=declaration-after-statement -Werror=implicit-function-declaration -fstack-protector -g -O2 -fno-strict-aliasing -Wformat -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsbio.c.o' -MF 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsbio.c.o.d' -o 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsbio.c.o' -c ../tls/openssl/gtlsbio.c
In file included from /tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0/gio/gnetworking.h:40:0,
from ../tls/openssl/openssl-include.h:34,
from ../tls/openssl/gtlsbio.h:29,
from ../tls/openssl/gtlsbio.c:26:
/usr/include/resolv.h:75:9: error: unknown type name 'u_char'
const u_char **__query,
^
/usr/include/resolv.h:77:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:82:9: error: unknown type name 'u_char'
const u_char *__query,
^
/usr/include/resolv.h:84:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:107:2: error: unknown type name 'u_long'
u_long options; /* option flags - see below. */
^
/usr/include/resolv.h:112:2: error: unknown type name 'u_short'
u_short id; /* current message id */
^
/usr/include/resolv.h:116:2: error: unknown type name 'u_long'
u_long pfcode; /* RES_PRF_ flags - see below. */
^
/usr/include/resolv.h:126:2: error: unknown type name 'res_send_qhook'
res_send_qhook __glibc_unused_qhook;
^
/usr/include/resolv.h:127:2: error: unknown type name 'res_send_rhook'
res_send_rhook __glibc_unused_rhook;
^
/usr/include/resolv.h:130:2: error: unknown type name 'u_int'
u_int _flags; /* PRIVATE: see below */
^
[11/23] Compiling C object 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsclientconnection-openssl.c.o'.
FAILED: tls/openssl/c471d3e@@gioopenssl@sha/gtlsclientconnection-openssl.c.o
cc -Itls/openssl/c471d3e@@gioopenssl@sha -Itls/openssl -I../tls/openssl -I. -I../ -Itls/base -I../tls/base -I/tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0 -I/tmp/build-artifacts.sh-dOreK/build/inst/lib/glib-2.0/include -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -std=c99 -O2 -g -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="GLib-Net"' -DG_LOG_USE_STRUCTURED '-DLOCALE_DIR="/tmp/build-artifacts.sh-dOreK/build/inst/share/locale"' -DG_DISABLE_DEPRECATED -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_70 -Werror=declaration-after-statement -Werror=implicit-function-declaration -fstack-protector -g -O2 -fno-strict-aliasing -Wformat -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsclientconnection-openssl.c.o' -MF 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsclientconnection-openssl.c.o.d' -o 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsclientconnection-openssl.c.o' -c ../tls/openssl/gtlsclientconnection-openssl.c
In file included from /tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0/gio/gnetworking.h:40:0,
from ../tls/openssl/openssl-include.h:34,
from ../tls/openssl/gtlsclientconnection-openssl.c:32:
/usr/include/resolv.h:75:9: error: unknown type name 'u_char'
const u_char **__query,
^
/usr/include/resolv.h:77:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:82:9: error: unknown type name 'u_char'
const u_char *__query,
^
/usr/include/resolv.h:84:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:107:2: error: unknown type name 'u_long'
u_long options; /* option flags - see below. */
^
/usr/include/resolv.h:112:2: error: unknown type name 'u_short'
u_short id; /* current message id */
^
/usr/include/resolv.h:116:2: error: unknown type name 'u_long'
u_long pfcode; /* RES_PRF_ flags - see below. */
^
/usr/include/resolv.h:126:2: error: unknown type name 'res_send_qhook'
res_send_qhook __glibc_unused_qhook;
^
/usr/include/resolv.h:127:2: error: unknown type name 'res_send_rhook'
res_send_rhook __glibc_unused_rhook;
^
/usr/include/resolv.h:130:2: error: unknown type name 'u_int'
u_int _flags; /* PRIVATE: see below */
^
[12/23] Compiling C object 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsserverconnection-openssl.c.o'.
FAILED: tls/openssl/c471d3e@@gioopenssl@sha/gtlsserverconnection-openssl.c.o
cc -Itls/openssl/c471d3e@@gioopenssl@sha -Itls/openssl -I../tls/openssl -I. -I../ -Itls/base -I../tls/base -I/tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0 -I/tmp/build-artifacts.sh-dOreK/build/inst/lib/glib-2.0/include -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -std=c99 -O2 -g -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="GLib-Net"' -DG_LOG_USE_STRUCTURED '-DLOCALE_DIR="/tmp/build-artifacts.sh-dOreK/build/inst/share/locale"' -DG_DISABLE_DEPRECATED -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_70 -Werror=declaration-after-statement -Werror=implicit-function-declaration -fstack-protector -g -O2 -fno-strict-aliasing -Wformat -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsserverconnection-openssl.c.o' -MF 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsserverconnection-openssl.c.o.d' -o 'tls/openssl/c471d3e@@gioopenssl@sha/gtlsserverconnection-openssl.c.o' -c ../tls/openssl/gtlsserverconnection-openssl.c
In file included from /tmp/build-artifacts.sh-dOreK/build/inst/include/glib-2.0/gio/gnetworking.h:40:0,
from ../tls/openssl/openssl-include.h:34,
from ../tls/openssl/gtlsconnection-openssl.h:31,
from ../tls/openssl/gtlsserverconnection-openssl.h:29,
from ../tls/openssl/gtlsserverconnection-openssl.c:28:
/usr/include/resolv.h:75:9: error: unknown type name 'u_char'
const u_char **__query,
^
/usr/include/resolv.h:77:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:82:9: error: unknown type name 'u_char'
const u_char *__query,
^
/usr/include/resolv.h:84:9: error: unknown type name 'u_char'
u_char *__ans,
^
/usr/include/resolv.h:107:2: error: unknown type name 'u_long'
u_long options; /* option flags - see below. */
^
/usr/include/resolv.h:112:2: error: unknown type name 'u_short'
u_short id; /* current message id */
^
/usr/include/resolv.h:116:2: error: unknown type name 'u_long'
u_long pfcode; /* RES_PRF_ flags - see below. */
^
/usr/include/resolv.h:126:2: error: unknown type name 'res_send_qhook'
res_send_qhook __glibc_unused_qhook;
^
/usr/include/resolv.h:127:2: error: unknown type name 'res_send_rhook'
res_send_rhook __glibc_unused_rhook;
^
/usr/include/resolv.h:130:2: error: unknown type name 'u_int'
u_int _flags; /* PRIVATE: see below */
^
```

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/173
Not re-reading proxy.pac
2021-09-28T20:58:10Z, Brian J. Murrell

I am using GNOME 3.38 on Fedora 30 which has glib-networking-2.66.0-1.fc33.x86_64.
I have configured GNOME to use a proxy PAC file. However, whenever I make changes to that file, they are not reflected in usage or tests that I do to confirm the proxy pac file. I use the following program to test the proxy configuration:
```python
#!/usr/bin/python3
import gi
from gi.repository import Gio

# Ask GLib for the system proxy resolver (the GNOME/PAC-backed one here).
proxyResolver = Gio.ProxyResolver.get_default()
print(proxyResolver)

# URL list elided in the original report.
for url in [...]:
    # Returns the list of proxy URIs the PAC file selects for this URL.
    uris = proxyResolver.lookup(url, None)
    print(url, ": ", uris)
```
What is the canonical way of making GLib re-read the proxy pac, that DOES NOT include resetting (disconnecting, reconnecting) networking altogether? This machine is remote and I cannot afford to have a networking reset fail and take the machine offline.
Surely there has to be a less intrusive way to force GLib to re-read the proxy PAC file. Frankly, it seems like something that should be watched with inotify so that changes to the file are detected and consumed transparently.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/161
Implement g_tls_database_verify_chain_async()
2021-05-12T08:06:48Z, Michael Catanzaro

g_tls_database_verify_chain_async() has been public API since glib 2.30, but it always returns NULL because we never implemented it. O_O

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/158
GNUTLS_E_UNEXPECTED_PACKET_LENGTH returned inappropriately?
2021-06-04T19:06:22Z, Abderrahim Kitouni

I'm having flatpak and ostree stop quite often when downloading large things, with the following error:
```
Error reading data from TLS socket: Error decoding the received TLS packet.
```
I've tracked this down to glib-networking (used via libsoup) converting `GNUTLS_E_UNEXPECTED_PACKET_LENGTH` to `G_TLS_ERROR_MISC` which ostree considers to be a fatal error (and doesn't retry).
But to me, "unexpected packet length" sounds like something that would be caused by a "connection reset" or similar network error, which should be retried.
How can things be improved in glib-networking (and possibly ostree) to fix this?https://gitlab.gnome.org/GNOME/glib-networking/-/issues/155Support DANE2020-12-17T18:04:10ZJohn Scottjscott@posteo.netSupport DANEI tried running Epiphany on Debian Bullseye with the Unbound+DNSSEC-Trigger validating resolver, which sets the 'ad' bit when the DNS is trusted. I tried navigating to debian.org which has DANE configured, but Epiphany still complained t...I tried running Epiphany on Debian Bullseye with the Unbound+DNSSEC-Trigger validating resolver, which sets the 'ad' bit when the DNS is trusted. I tried navigating to debian.org which has DANE configured, but Epiphany still complained that it couldn't make the HTTPS connection due to not finding a trusted certificate authority in the chain.
There are a few options to solve this:
1. Use a library like libunbound or the getdns API to do validated DNS queries. This enables using DANE even when the client doesn't have a validating resolver. This is probably the least suitable idea.
2. Expose GnuTLS's DANE functionality by chaining the various TLS options it supports up the stack (libsoup, webkit2gtk, Epiphany). I'm not sure whether GnuTLS's functionality works like libunbound, or if it merely piggybacks on the system resolver. The latter is totally fine, IMHO.
3. Allow Epiphany to handle the TLS details of whether to support DANE/TOFU/certificate authorities/raw public keys/PKCS#11/etc. by setting up options for GnuTLS itself (basically let Epiphany and everything else in the stack make its own GnuTLS context with its preferences, which is more future-proof), and just hand it to GnuTLS.
4. Use GLib or some other helper to do the TLSA queries, check the 'ad' (authenticated) bit, check the fingerprint in whichever component it's most appropriate in, and compare the string against the certificate fingerprint.
It seems CURL hasn't yet figured out a model for how they want to do DANE, but their circumstance is a little different:
* CURL and c-ares are designed to run "everywhere," and one of CURL's most prominent features is that it's a wrapper around many other TLS libraries. This seems different from libsoup, which seems to support GnuTLS only (which in this case is a good thing; that permits libsoup users tweaking GnuTLS to their liking).
As compared to any other browser or ecosystem, I think Epiphany and the WebKitGTK+ stack appear to be capable of accommodating DANE and other advanced TLS features well.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/149
Allow installation to external directory
Maarten, 2020-09-22T19:47:57Z

Hello,
The meson build script will always install the modules to a default `gio_module_dir`.
I'm currently creating a glib-networking package for conan (= a c/c++ package manager).
This requires packaging glib-networking separately from glib. In a completely different directory tree.
The patch here below adds a `gio_module_dir` option to override the default.
It is based on the 2.65.1 release.
Thanks
```patch
--- meson.build
+++ meson.build
@@ -57,12 +57,15 @@
gmodule_dep = dependency('gmodule-2.0',
fallback: ['glib', 'libgmodule_dep'])
-if glib_dep.type_name() == 'internal'
- glib_proj = subproject('glib')
- gio_module_dir = glib_proj.get_variable('glib_giomodulesdir')
-else
- gio_module_dir = gio_dep.get_pkgconfig_variable('giomoduledir',
- define_variable: ['libdir', join_paths(prefix, libdir)])
+gio_module_dir = get_option('gio_module_dir')
+if gio_module_dir == ''
+ if glib_dep.type_name() == 'internal'
+ glib_proj = subproject('glib')
+ gio_module_dir = glib_proj.get_variable('glib_giomodulesdir')
+ else
+ gio_module_dir = gio_dep.get_pkgconfig_variable('giomoduledir',
+ define_variable: ['libdir', join_paths(prefix, libdir)])
+ endif
endif
assert(gio_module_dir != '', 'GIO_MODULE_DIR is missing from gio-2.0.pc')
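Review bot: the `gio_module_dir = get_option('gio_module_dir')` branch takes the override verbatim, and nothing says how a relative value is treated; Meson resolves a relative `install_dir` against `prefix`, so either state that in the option description or pass it through `join_paths(prefix, ...)` explicitly so a packager is not surprised by where the modules land. Worth a sentence next to this branch as well: GIO only loads modules from its compiled-in giomoduledir and from the directories listed in the `GIO_EXTRA_MODULES` environment variable, so a build that uses this override needs that variable (or a symlink into the default directory) at runtime, otherwise the TLS and proxy modules are installed but never found.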
--- meson_options.txt
+++ meson_options.txt
@@ -7,3 +7,4 @@ option('libproxy', type: 'feature', value: 'auto', description: 'support for lib
option('gnome_proxy', type: 'feature', value: 'auto', description: 'support for GNOME desktop proxy configuration')
option('installed_tests', type: 'boolean', value: false, description: 'enable installed tests')
option('static_modules', type: 'boolean', value: false, description: 'build static modules')
+option('gio_module_dir', type: 'string', description: 'Override installation directory of gio modules')
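Review bot: the new `option('gio_module_dir', type: 'string', description: ...)` omits `value:`, unlike every other option in this file; Meson defaults a string option to `''`, which is exactly what the `if gio_module_dir == ''` test in meson.build relies on, so make that dependency explicit with `value: ''` and say in the description that an empty value means "use the directory from gio-2.0.pc or the glib subproject".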
```

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/145
OpenSSL: Download missing certificates using Authority Information Access extension
Michael Catanzaro, 2021-09-10T14:27:24Z

We need to implement #96, but for OpenSSL.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/144
OpenSSL tests fail intermittently at read-after-close and client_auth_fail tests return missing-cert on closure
Ruslan Marchenko, 2021-09-10T14:27:24Z

After unlocking all tests for openssl, Win32 tests started failing at on_input_read_finish: g_assert_nonnull (line); that is, it returns an empty result intermittently if the server has written and closed its side.
Also on Win32 the client_auth_fail set of tests is failing because close finishes with a server-needs-cert error. Need to investigate why it differs from Linux and how to align the behaviour.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/143
Resolve code duplication between GTlsClientConnectionOpenssl/GTlsServerConnectionOpenssl
Michael Catanzaro, 2020-09-22T18:18:05Z

The following discussion from !128 should be addressed:
- [ ] @mcatanzaro started a [discussion](https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/128#note_859084):
> Looks like this function is identical between client/server classes, so it should move to the parent class, right? (Don't fix it in this MR, since it's unrelated; we can just create a new issue so we don't forget.)

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/142
OpenSSL error reporting during handshake
Ruslan Marchenko, 2020-09-22T21:33:39Z

There are various conditions when a TLS handshake is aborted due to cipher mismatch, certificate mismatch, protocol mismatch, missing prereqs, you name it. GIO-TLS expects this to be reported on the server side as NOT_TLS (TLS never succeeded). OpenSSL on the server side reports this spuriously and intermittently as either broken-pipe or no_error, which depends on whether the server was able to terminate the connection with an Alert (and then it's no-error, business as usual) or the client bails first (and then it's broken-pipe, as the server is unable to deliver the queued alert).
This corner case needs to be polished to re-align with existing error reporting. Potentially need to try to pop more errors from the queue, or vice versa: peek and re-queue locally to be able to report later.

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/139
g_tls_certificate_verify() does not detect expired certificate without a CA
Martin Pitt, 2020-09-04T20:17:17Z

The [documentation](https://developer.gnome.org/gio/stable/GTlsCertificate.html#g-tls-certificate-verify) of this function sounds like it should be able to detect some aspects of bad certificates even without specifying a trusted_ca; in particular: `G_TLS_CERTIFICATE_NOT_ACTIVATED`, `G_TLS_CERTIFICATE_EXPIRED`, or `G_TLS_CERTIFICATE_INSECURE`.
But that's not the case. A simple reproducer [glib-networking-tls-verify.c](/uploads/619f4f435fa836230f0170f84496cd71/glib-networking-tls-verify.c) on an expired certificate returns 0, i.e. "no errors":
```sh
gcc -g -O0 -Wall `pkg-config --cflags --libs gio-2.0` glib-networking-tls-verify.c
curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/tls/ca/alice-expired.pem
./a.out alice-expired.pem
```
This says
```
g_tls_certificate_verify == 0
```
but it should return the code for `G_TLS_CERTIFICATE_EXPIRED`.
glib2-2.64.3-2.fc32.x86_64 with no special configuration, i.e. I assume that's using the GnuTLS backend.
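Added example, not code from glib-networking, from Martin Pitt's reproducer, or from the DANE report: a stdlib-only walk over a certificate's DER bytes that does the two checks the reports above ask for. First, the validity window, computed with no trust anchor at all, which is what a caller would expect `G_TLS_CERTIFICATE_EXPIRED` / `G_TLS_CERTIFICATE_NOT_ACTIVATED` to express; second, the certificate-side half of option 4 in the DANE issue, comparing a TLSA record's association data against the leaf certificate. The DNS half (issuing the TLSA query and checking the 'ad' bit) is not shown: `tlsa_matches()` assumes you already hold the record's usage, selector, matching type and association data from a validating resolver, and it only handles DANE-EE (usage 3), since the other usages still need PKIX chain validation. All function names are this example's own, and `build_skeleton_certificate()` produces a constructed, unsigned certificate skeleton so the demo runs offline; it is not a real certificate.

```python
import base64
import datetime as dt
import hashlib
import re

UTC = dt.timezone.utc

def _der(tag, content):
    """Encode one DER TLV; lengths up to 65535 bytes are enough for this example."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def _read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: the low 7 bits count the length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length

def _parse_time(tag, raw):
    """UTCTime (tag 0x17, two-digit year: 50..99 -> 19xx) or GeneralizedTime (tag 0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def pem_to_der(pem):
    """Extract and base64-decode the first CERTIFICATE block of a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))

def tbs_fields(der):
    """Walk tbsCertificate (RFC 5280 section 4.1) and return (notBefore, notAfter, spki_der)."""
    tag_c, pos, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE
    tag_t, pos, _ = _read_tlv(der, pos)             # tbsCertificate ::= SEQUENCE
    if tag_c != 0x30 or tag_t != 0x30:
        raise ValueError("not a DER Certificate")
    tag, _, end = _read_tlv(der, pos)               # version [0] EXPLICIT is optional
    if tag == 0xA0:
        pos = end
    for _ in range(3):                              # serialNumber, signature, issuer
        _, _, pos = _read_tlv(der, pos)
    _, vstart, pos = _read_tlv(der, pos)            # validity ::= SEQUENCE { notBefore, notAfter }
    tag_b, sb, eb = _read_tlv(der, vstart)
    tag_a, sa, ea = _read_tlv(der, eb)
    _, _, pos = _read_tlv(der, pos)                 # subject
    spki_start = pos
    _, _, pos = _read_tlv(der, pos)                 # subjectPublicKeyInfo
    return _parse_time(tag_b, der[sb:eb]), _parse_time(tag_a, der[sa:ea]), der[spki_start:pos]

def validity_flags(der, now=None):
    """The two time-based GTlsCertificateFlags, computed without any trust anchor at all."""
    now = now or dt.datetime.now(UTC)
    not_before, not_after, _ = tbs_fields(der)
    return {flag for flag, hit in (("NOT_ACTIVATED", now < not_before), ("EXPIRED", now > not_after)) if hit}

def tlsa_matches(der, usage, selector, matching_type, assoc_data):
    """RFC 6698 match of a DANE-EE (usage 3) TLSA record against the leaf: selector 0 = full cert,
    1 = SubjectPublicKeyInfo; matching 0 = raw, 1 = SHA-256, 2 = SHA-512. Other usages also need PKIX."""
    if usage != 3:
        raise NotImplementedError("usage %d needs PKIX chain validation as well" % usage)
    data = der if selector == 0 else tbs_fields(der)[2]
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}
    return digest[matching_type](data) == assoc_data

def build_skeleton_certificate(not_before, not_after):
    """Constructed, unsigned v3 Certificate skeleton (dummy key and signature) for offline testing."""
    utctime = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    null = b"\x05\x00"
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + null)   # sha256WithRSAEncryption
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"alice"))))  # CN=alice
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + null) + _der(0x03, bytes(9)))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, utctime(not_before) + utctime(not_after)) + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, bytes(9)))

def demo():
    """Exercise all three validity outcomes, the PEM round trip and a '3 1 1' TLSA comparison."""
    y = lambda year: dt.datetime(year, 1, 1, tzinfo=UTC)
    expired, fresh = build_skeleton_certificate(y(2018), y(2019)), build_skeleton_certificate(y(2019), y(2021))
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(fresh).decode()
    spki_sha256 = hashlib.sha256(tbs_fields(fresh)[2]).digest()     # what a "3 1 1" TLSA record carries
    return {
        "expired": validity_flags(expired, y(2020)),
        "not_yet": validity_flags(fresh, y(2018)),
        "current": validity_flags(fresh, y(2020)),
        "pem_roundtrip": pem_to_der(pem) == fresh,
        "dane_spki_match": tlsa_matches(fresh, 3, 1, 1, spki_sha256),
        "dane_full_mismatch": tlsa_matches(fresh, 3, 0, 1, hashlib.sha256(expired).digest()),
    }
```

On a real file the same check is `validity_flags(pem_to_der(open("alice-expired.pem").read()))`, which yields `{"EXPIRED"}` for a certificate whose notAfter has passed, regardless of whether any CA is configured. The DER walker deliberately stops at subjectPublicKeyInfo and does no signature or chain work; it is a companion to, not a replacement for, g_tls_certificate_verify() with a trust anchor.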